From 843644393dde53d888e60c767059667fd018b59b Mon Sep 17 00:00:00 2001
From: Andrew Gunnerson <chillermillerlong@hotmail.com>
Date: Tue, 25 Feb 2020 08:43:47 -0500
Subject: [PATCH 0001/3088] phpDynDNS.inc: Fix missing break statement in
 switch case for Linode

Commit ab0ccc3be92ff4b716296d0d683cc0e1c8975030 seems to have mistakenly
removed the `break` statement for the `switch` case for Linode. This
commit adds it back, which fixes dynamic DNS updates for Linode.

Signed-off-by: Andrew Gunnerson <chillermillerlong@hotmail.com>
---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 5173554fbe..afa798a595 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -97,8 +97,8 @@
  *  dynv6 v6            - Last Tested: 25 June 2019
  *  DigitalOcean        - Last Tested: 25 June 2019
  *  Azure DNS           - Last Tested: 16 October 2019
- *  Linode              - Last Tested: 12 November 2019
- *  Linode v6           - Last Tested: 12 November 2019
+ *  Linode              - Last Tested: 25 February 2020
+ *  Linode v6           - Last Tested: 25 February 2020
  * +====================================================+
  *
  * @author    E.Kristensen
@@ -990,6 +990,7 @@ class updatedns
                 } else {
                     log_error("Dynamic DNS($fqdn): No zone found for domain");
                 }
+                break;
             case 'azurev6':
             case 'azure':
                 $hostname = "{$this->_dnsHost}";

From 8b1441958787e3842fdbfe2c5537ec43d42daf12 Mon Sep 17 00:00:00 2001
From: Johan Pramming <johanpramming@outlook.com>
Date: Sun, 26 Jan 2020 16:48:05 +0100
Subject: [PATCH 0002/3088] GratisDNS URL updated

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index afa798a595..5a2784c5a5 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -82,7 +82,7 @@
  *  CloudFlare          - Last Tested: 16 April 2019
  *  CloudFlare IPv6     - Last Tested: 16 April 2019
  *  Eurodns             - Last Tested: 25 July 2018
- *  GratisDNS           - Last Tested: 15 August 2012
+ *  GratisDNS           - Last Tested: 26 January 2020
  *  OVH DynHOST         - Last Tested: NEVER
  *  City Network        - Last Tested: 13 November 2013
  *  Duck DNS            - Last Tested: 04 March 2015
@@ -818,10 +818,10 @@ class updatedns
                 curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);
                 break;
             case 'gratisdns':
-                $server = "https://ssl.gratisdns.dk/ddns.phtml";
+                $server = "https://admin.gratisdns.com/ddns.php";
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
                 list($hostname, $domain) = explode(".", $this->_dnsHost, 2);
-                curl_setopt($ch, CURLOPT_URL, $server . '?u=' . urlencode($this->_dnsUser) . '&p=' . $this->_dnsPass . '&h=' . $this->_dnsHost . '&d=' . $domain);
+                curl_setopt($ch, CURLOPT_URL, $server . '?u=' . urlencode($this->_dnsUser) . '&p=' . $this->_dnsPass . '&h=' . $this->_dnsHost . '&d=' . $domain . '&i=' . $this->_dnsIP);
                 break;
             case 'ovh-dynhost':
                 if (isset($this->_dnsWildcard) && $this->_dnsWildcard != "OFF") {

From 7ceecaadbaface1df6aadd8d85cb808400941677 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Feb 2020 10:07:20 +0100
Subject: [PATCH 0003/3088] dns/dyndns: bump revision for changes

---
 dns/dyndns/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 4f03fc2899..da86abedac 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.19
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 2a034326a80c81bef7fafe92d9e96448819c8680 Mon Sep 17 00:00:00 2001
From: NOYB <1977521+NOYB@users.noreply.github.com>
Date: Wed, 26 Feb 2020 04:22:54 -0800
Subject: [PATCH 0004/3088] DynDNS Custom Updater: Un-restrict Verify Peer &
 IPv4 Resolve

Verify peer and IP resolve have value aside from authentication.  For cases where authentication is not used it can still be desirable to confirm identity and prevent MITM.
---
 .../etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc   | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 5a2784c5a5..1b0c7b698b 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -733,15 +733,15 @@ class updatedns
                 break;
             case 'custom':
             case 'custom-v6':
+                if ($this->_curlIpresolveV4) {
+                    curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+                }
+                if ($this->_curlSslVerifypeer) {
+                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+                } else {
+                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+                }
                 if ($this->_dnsUser != '') {
-                    if ($this->_curlIpresolveV4) {
-                        curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-                    }
-                    if ($this->_curlSslVerifypeer) {
-                        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                    } else {
-                        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                    }
                     curl_setopt($ch, CURLOPT_USERPWD, "{$this->_dnsUser}:{$this->_dnsPass}");
                 }
                 $server = str_replace("%IP%", $this->_dnsIP, $this->_dnsUpdateURL);

From 56d3a991cb46a71508e4d608986bbf053a4d67d8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 28 Feb 2020 10:22:02 +0100
Subject: [PATCH 0005/3088] LICENSE: sync

---
 LICENSE | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index b1f3e57416..0b7a99dd6c 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2015-2019 Ad Schellevis <ad@opnsense.org>
+Copyright (c) 2015-2020 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2011 Dan Myers
@@ -26,6 +26,7 @@ Copyright (c) 2017-2019 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz
 Copyright (c) 2010 Yehuda Katz
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
+Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

From e72efeead133a685e99ec495fb7617df39a7739d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 28 Feb 2020 10:22:17 +0100
Subject: [PATCH 0006/3088] Framework: allow diff and mfc targets for subdirs

---
 Makefile       | 36 ------------------------------------
 Mk/defaults.mk | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/Makefile b/Makefile
index f5b95c2e5a..8e31ab3a0e 100644
--- a/Makefile
+++ b/Makefile
@@ -51,42 +51,6 @@ ${TARGET}:
 .  endfor
 .endfor
 
-ARGS=	diff mfc
-
-# handle argument expansion for required targets
-.for TARGET in ${.TARGETS}
-_TARGET=		${TARGET:C/\-.*//}
-.if ${_TARGET} != ${TARGET}
-.for ARGUMENT in ${ARGS}
-.if ${_TARGET} == ${ARGUMENT}
-${_TARGET}_ARGS+=	${TARGET:C/^[^\-]*(\-|\$)//:S/,/ /g}
-${TARGET}: ${_TARGET}
-.endif
-.endfor
-${_TARGET}_ARG=		${${_TARGET}_ARGS:[0]}
-.endif
-.endfor
-
-diff:
-	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${diff_ARGS:[1]}
-
-mfc:
-.for MFC in ${mfc_ARGS}
-.if exists(${MFC})
-	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${MFC} > /tmp/mfc.diff
-	@git checkout stable/${PLUGIN_ABI}
-	@git apply /tmp/mfc.diff
-	@git add ${.CURDIR}
-	@if ! git diff --quiet HEAD; then \
-		git commit -m "${MFC}: sync with master"; \
-	fi
-.else
-	@git checkout stable/${PLUGIN_ABI}
-	@git cherry-pick -x ${MFC}
-.endif
-	@git checkout master
-.endfor
-
 license:
 	@${.CURDIR}/Scripts/license . > ${.CURDIR}/LICENSE
 
diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index be747ef1b8..1368f70ff3 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -48,3 +48,39 @@ SED_REPLACE=	# empty
 .for REPLACEMENT in ${REPLACEMENTS}
 SED_REPLACE+=	-e "s=%%${REPLACEMENT}%%=${${REPLACEMENT}}=g"
 .endfor
+
+ARGS=	diff mfc
+
+# handle argument expansion for required targets
+.for TARGET in ${.TARGETS}
+_TARGET=		${TARGET:C/\-.*//}
+.if ${_TARGET} != ${TARGET}
+.for ARGUMENT in ${ARGS}
+.if ${_TARGET} == ${ARGUMENT}
+${_TARGET}_ARGS+=	${TARGET:C/^[^\-]*(\-|\$)//:S/,/ /g}
+${TARGET}: ${_TARGET}
+.endif
+.endfor
+${_TARGET}_ARG=		${${_TARGET}_ARGS:[0]}
+.endif
+.endfor
+
+diff:
+	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${diff_ARGS:[1]}
+
+mfc:
+.for MFC in ${mfc_ARGS}
+.if exists(${MFC})
+	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${MFC} > /tmp/mfc.diff
+	@git checkout stable/${PLUGIN_ABI}
+	@git apply /tmp/mfc.diff
+	@git add ${.CURDIR}
+	@if ! git diff --quiet HEAD; then \
+		git commit -m "${MFC}: sync with master"; \
+	fi
+.else
+	@git checkout stable/${PLUGIN_ABI}
+	@git cherry-pick -x ${MFC}
+.endif
+	@git checkout master
+.endfor

From 4d6bb2d44252d2cbda9d5e2203920f8f16f6a7b6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 28 Feb 2020 10:24:38 +0100
Subject: [PATCH 0007/3088] dns/dyndns: warrants version bump now

---
 dns/dyndns/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index da86abedac..5d6d6b59c7 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.19
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.20
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 58c43a9802ec0d05204ec5f957b76ff8baf882e4 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 3 Mar 2020 13:40:00 +0100
Subject: [PATCH 0008/3088] security/maltrail: switch python version (#1727)

---
 security/maltrail/Makefile                             | 2 +-
 security/maltrail/pkg-descr                            | 4 ++++
 security/maltrail/src/etc/rc.d/opnsense-maltrailsensor | 2 +-
 security/maltrail/src/etc/rc.d/opnsense-maltrailserver | 2 +-
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index 69197eb50c..e688bcf70b 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		maltrail
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index ed7cf39a49..c84a0a8efa 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -11,6 +11,10 @@ WWW: https://github.com/stamparm/maltrail
 Changelog
 ---------
 
+1.4
+
+* Switch Python to version 3
+
 1.3
 
 * Fix a typo in model labeling preventing to use remote server logging
diff --git a/security/maltrail/src/etc/rc.d/opnsense-maltrailsensor b/security/maltrail/src/etc/rc.d/opnsense-maltrailsensor
index 852046b29a..b064c35b4d 100755
--- a/security/maltrail/src/etc/rc.d/opnsense-maltrailsensor
+++ b/security/maltrail/src/etc/rc.d/opnsense-maltrailsensor
@@ -14,7 +14,7 @@ name=maltrailsensor
 rcvar=maltrailsensor_enable
 pidfile=/var/run/${name}.pid
 command=/usr/sbin/daemon
-command_args="-f -P /var/run/maltrailsensor.pid python2.7 /usr/local/share/maltrail/sensor.py"
+command_args="-f -P /var/run/maltrailsensor.pid python3 /usr/local/share/maltrail/sensor.py"
 
 load_rc_config opnsense-maltrailsensor
 
diff --git a/security/maltrail/src/etc/rc.d/opnsense-maltrailserver b/security/maltrail/src/etc/rc.d/opnsense-maltrailserver
index 23cd811af0..aa3de2883a 100755
--- a/security/maltrail/src/etc/rc.d/opnsense-maltrailserver
+++ b/security/maltrail/src/etc/rc.d/opnsense-maltrailserver
@@ -14,7 +14,7 @@ name=maltrailserver
 rcvar=maltrailserver_enable
 pidfile=/var/run/${name}.pid
 command=/usr/sbin/daemon
-command_args="-f -P /var/run/maltrailserver.pid python2.7 /usr/local/share/maltrail/server.py"
+command_args="-f -P /var/run/maltrailserver.pid python3 /usr/local/share/maltrail/server.py"
 
 load_rc_config opnsense-maltrailserver
 

From 3e02ddc2ca2352d0780978bc213c7a2f6752189c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2020 09:26:10 +0100
Subject: [PATCH 0009/3088] dns/dnscrypt-proxy: _var_script only if enabled

---
 .../service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy
index 6cee01a3b4..96c051b26a 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy
@@ -1,4 +1,5 @@
 {% if helpers.exists('OPNsense.dnscryptproxy.general.enabled') and OPNsense.dnscryptproxy.general.enabled == '1' %}
+dnscrypt_proxy_var_script="/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh"
 dnscrypt_proxy_enable="YES"
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.allowprivileged') and OPNsense.dnscryptproxy.general.allowprivileged == '1' %}
 dnscrypt_proxy_suexec="YES"
@@ -11,4 +12,3 @@ dnscrypt_proxy_dnsbl="{{ OPNsense.dnscryptproxy.dnsbl.type }}"
 {% else %}
 dnscrypt_proxy_enable="NO"
 {% endif %}
-dnscrypt_proxy_var_script="/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh"

From b1e26a5d845ca1c164b4c37b0d8c17c58c8a9aae Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2020 09:29:43 +0100
Subject: [PATCH 0010/3088] net-mgmt/nrpe: register setup.sh for _var_script

---
 net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
index d1afd25d21..256738cbb8 100644
--- a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
+++ b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
@@ -1,4 +1,5 @@
 {% if helpers.exists('OPNsense.nrpe.general.enabled') and OPNsense.nrpe.general.enabled == '1' %}
+nrpe3_var_script="/usr/local/opnsense/scripts/OPNsense/Nrpe/setup.sh"
 nrpe3_enable="YES"
 {% else %}
 nrpe3_enable="NO"

From 169927ac045d01dcc7fc14ae264695ebc16a9987 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2020 09:31:57 +0100
Subject: [PATCH 0011/3088] net-mgmt/telegraf: whitespace nit

---
 net-mgmt/telegraf/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 5d25b2c7a1..3f381da7ea 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 ================
 
 1.7.7
+
 * Fix log not properly parsed
 
 1.7.6

From 86b0a81fab2539688c2b9bbb67eb1e64dda54b19 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2020 09:32:36 +0100
Subject: [PATCH 0012/3088] net/freeradius: whitespace nit

---
 net/freeradius/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 4d00cdad0e..efb4406873 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 ================
 
 1.9.6
+
 * Fix log not properly parsed
 
 1.9.5

From c58730761de22a2c2988a5f0af2f4ff935b56475 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2020 09:34:37 +0100
Subject: [PATCH 0013/3088] security/tinc: latest change warrants a version
 bump

---
 security/tinc/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index ce034c019a..fe9f6ac4be 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tinc
-PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	5
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 8f6a9a66ba8da0878cef4c821023fccc20e3ef1b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 6 Mar 2020 12:31:34 +0100
Subject: [PATCH 0014/3088] Framework: accept selected build-time flavour

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 1368f70ff3..0f6f3b1c3d 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -37,7 +37,7 @@ ARCH!=		uname -p
 
 PLUGIN_ABI?=	20.1
 PLUGIN_ARCH?=	${ARCH}
-PLUGIN_FLAVOUR=	${FLAVOUR}
+PLUGIN_FLAVOUR?=${FLAVOUR}
 
 REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_ARCH \

From 156be04aae6c8615c1cd8294f9eff2c97a4a5d74 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Mar 2020 10:53:11 +0100
Subject: [PATCH 0015/3088] sysutils/munin-node: release 1.0 \o/

---
 sysutils/munin-node/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysutils/munin-node/Makefile b/sysutils/munin-node/Makefile
index fafe82704e..4540d03cc2 100644
--- a/sysutils/munin-node/Makefile
+++ b/sysutils/munin-node/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		munin-node
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Munin monitorin agent
 PLUGIN_DEPENDS=		munin-node
-PLUGIN_DEVEL=		yes
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From 48bcb85124b4e5b6187a4151be06b1d4bce0035f Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 10 Mar 2020 13:17:53 +0100
Subject: [PATCH 0016/3088] net/tayga: add interface commands to rc.conf
 (#1700)

---
 net/tayga/Makefile                            |  2 +-
 net/tayga/src/etc/rc.d/opnsense-tayga         | 12 +++++++++++
 .../OPNsense/Tayga/forms/general.xml          | 20 +++++++++++++++----
 .../mvc/app/models/OPNsense/Tayga/General.xml | 17 +++++++++++-----
 .../service/templates/OPNsense/Tayga/tayga    |  5 +++++
 5 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index b29b67d690..f57fd502f9 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tayga
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		0.2
 PLUGIN_DEVEL=		yes
 PLUGIN_COMMENT=		Tayga IPv6 64NAT
 PLUGIN_DEPENDS=		tayga
diff --git a/net/tayga/src/etc/rc.d/opnsense-tayga b/net/tayga/src/etc/rc.d/opnsense-tayga
index 78ed736fc6..0bc0834d74 100755
--- a/net/tayga/src/etc/rc.d/opnsense-tayga
+++ b/net/tayga/src/etc/rc.d/opnsense-tayga
@@ -11,6 +11,7 @@
 
 name=tayga
 
+start_cmd=tayga_start
 stop_cmd=tayga_stop
 rcvar=tayga_enable
 
@@ -21,6 +22,17 @@ command_args="-p ${pidfile}"
 
 [ -z "$tayga_enable" ] && tayga_enable="NO"
 
+tayga_start()
+{
+        echo "starting tayga"
+        ${command} ${command_args}
+        sleep 1
+        ifconfig nat64 inet ${tayga_v4destination}/32 ${tayga_v4address}
+        ifconfig nat64 inet6 ${tayga_v6estination}/128
+        route -6 add ${tayga_v6prefix} -interface nat64
+        route -4 add ${tayga_v4pool} -interface nat64
+}
+
 tayga_stop()
 {
         if [ -n "$rc_pid" ]; then
diff --git a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/general.xml b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/general.xml
index e75b05a161..14a6c52724 100644
--- a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/general.xml
+++ b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/general.xml
@@ -9,24 +9,36 @@
         <id>general.v4address</id>
         <label>IPv4 Address</label>
         <type>text</type>
-        <help>This is not your router's IPv4 address. Tayga requires its own address because it acts as an IPv4 and IPv6 router, and needs to be able to send ICMP messages. This address can safely be located inside the dynamic-pool prefix.</help>
+        <help>Should be located in Tayga's IPv4 pool. Tayga requires its own IPv4 address because it acts as a router and needs to be able to send ICMP messages. Tayga will also respond to ICMPv4 echo requests at this address.</help>
+    </field>
+    <field>
+        <id>general.v4destination</id>
+        <label>IPv4 NAT64 Interface Address</label>
+        <type>text</type>
+        <help>IPv4 address of the NAT64 interface. Must not be located in Tayga's IPv4 pool. Only used for ICMP.</help>
     </field>
     <field>
         <id>general.v6address</id>
         <label>IPv6 Address</label>
         <type>text</type>
-        <help>This is not your routers IPv6 address. Tayga requires its own address because it acts as an IPv4 and IPv6 router, and needs to be able to send ICMP messages. Tayga will also respond to ICMP echo requests (ping6) at this address. You can leave it unspecified and Tayga will construct its IPv6 address using IPv4 address and the NAT64 prefix.</help>
+        <help>If left unspecified, Tayga will construct its IPv6 address by using its IPv4 address and the IPv6 prefix (default). Tayga requires its own IPv6 address because it acts as a router and needs to be able to send ICMP messages. Tayga will also respond to ICMPv6 echo requests at this address.</help>
+    </field>
+    <field>
+        <id>general.v6destination</id>
+        <label>IPv6 NAT64 Interface Address</label>
+        <type>text</type>
+        <help>IPv6 address of the NAT64 interface. Must not have Tayga's IPv6 prefix. Only used for ICMP.</help>
     </field>
     <field>
         <id>general.v6prefix</id>
         <label>IPv6 Prefix</label>
         <type>text</type>
-        <help>This must be a prefix selected from your organizations IPv6 address space or the Well-Known Prefix 64:ff9b::/96. The IPv4 address space is mapped into the IPv6 address space by prepending this prefix to the IPv4 address.</help>
+        <help>This must be a /96 prefix selected from your organization's IPv6 address space or the Well-Known Prefix 64:ff9b::/96. The IPv4 address space is mapped into the IPv6 address space by prepending this prefix to the IPv4 address.</help>
     </field>
     <field>
         <id>general.v4pool</id>
         <label>IPv4 Pool</label>
         <type>text</type>
-        <help>Dynamic pool prefix. IPv6 hosts which send traffic through Tayga will be assigned an IPv4 address from the dynamic pool.</help>
+        <help>IPv6 hosts which send traffic through Tayga will be dynamically assigned an IPv4 address from this pool. Can be any size, but each IPv6 host requires one address.</help>
     </field>
 </form>
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
index 5f9ff3d26a..63fdb0c3dd 100644
--- a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/tayga/general</mount>
     <description>Tayga configuration</description>
-    <version>0.0.2</version>
+    <version>0.0.4</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -9,19 +9,26 @@
         </enabled>
         <v4address type="NetworkField">
             <default>192.168.255.1</default>
-            <Required>N</Required>
+            <Required>Y</Required>
         </v4address>
+        <v4destination type="NetworkField">
+            <default>192.168.254.1</default>
+            <Required>Y</Required>
+        </v4destination>
         <v6address type="NetworkField">
-            <default>2001:db8:1::2</default>
             <Required>N</Required>
         </v6address>
+        <v6destination type="NetworkField">
+            <default>2001:db8:1:ffff::1</default>
+            <Required>Y</Required>
+        </v6destination>        
         <v6prefix type="NetworkField">
             <default>2001:db8:1:ffff::/96</default>
-            <Required>N</Required>
+            <Required>Y</Required>
         </v6prefix>
         <v4pool type="NetworkField">
             <default>192.168.255.0/24</default>
-            <Required>N</Required>
+            <Required>Y</Required>
         </v4pool>
     </items>
 </model>
diff --git a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
index 45e40deac0..cc5d8c68c1 100644
--- a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
+++ b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
@@ -1,6 +1,11 @@
 {% if helpers.exists('OPNsense.tayga.general.enabled') and OPNsense.tayga.general.enabled == '1' %}
 tayga_var_script="/usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh"
 tayga_enable="YES"
+tayga_v4address={{ OPNsense.tayga.general.v4address }}
+tayga_v4destination={{ OPNsense.tayga.general.v4destination }}
+tayga_v4pool={{ OPNsense.tayga.general.v4pool }}
+tayga_v6prefix={{ OPNsense.tayga.general.v6prefix }}
+tayga_v6address={{ OPNsense.tayga.general.v6address }}
 {% else %}
 tayga_enable="NO"
 {% endif %}

From aca3e2b4db9bf1a427b1d2d7ef250e812947213a Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 10 Mar 2020 13:23:30 +0100
Subject: [PATCH 0017/3088] mail/postfix: add more antispam features (#1723)

---
 mail/postfix/Makefile                         |  2 +-
 mail/postfix/pkg-descr                        |  3 ++
 .../OPNsense/Postfix/forms/general.xml        | 30 +++++++++++++++++++
 .../app/models/OPNsense/Postfix/General.xml   | 24 +++++++++++++++
 .../templates/OPNsense/Postfix/main.cf        | 28 +++++++++++++++++
 5 files changed, 86 insertions(+), 1 deletion(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index ca8860ddb5..a86fe025c4 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.13
+PLUGIN_VERSION=		1.14
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index b319d42372..38f254a7de 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,9 @@ is completely different.
 Plugin Changelog
 ================
 
+1.14
+
+* Add more anti-spam features into postfix itself
 
 1.13
 
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 2432b7b13f..008bd8eabe 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -150,6 +150,36 @@
         <advanced>true</advanced>
         <help>If you enable this, every entry in Recipients will be checked against. When there is no match mail will be rejected. Be aware that it does not matter if the action is "OK" or "REJECT". This setup allows you to run postfix in front of an internal system and already rejecting unsolicited mail at the border.</help>
     </field>
+    <field>
+        <id>general.extensive_helo_restrictions</id>
+        <label>Advanced HELO Restrictions</label>
+        <type>checkbox</type>
+    </field>
+    <field>
+        <id>general.extensive_sender_restrictions</id>
+        <label>Advanced Sender Restrictions</label>
+        <type>checkbox</type>
+    </field>
+    <field>
+        <id>general.reject_unknown_client_hostname</id>
+        <label>Reject Unkown Client Hostname</label>
+        <type>checkbox</type>
+    </field>
+    <field>
+        <id>general.reject_non_fqdn_helo_hostname</id>
+        <label>Reject Non-FQDN HELO Hostname</label>
+        <type>checkbox</type>
+    </field>
+    <field>
+        <id>general.reject_invalid_helo_hostname</id>
+        <label>Reject Invalid HELO Hostname</label>
+        <type>checkbox</type>
+    </field>
+     <field>
+        <id>general.reject_unknown_helo_hostname</id>
+        <label>Reject Unkown HELO Hostname</label>
+        <type>checkbox</type>
+    </field>
     <field>
         <id>general.reject_unauth_pipelining</id>
         <label>Reject Unauthenticated Pipelining</label>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index e2d2a99e59..4a0bd65e4e 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -111,6 +111,30 @@
             <default>0</default>
             <Required>Y</Required>
         </enforce_recipient_check>
+        <extensive_helo_restrictions type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </extensive_helo_restrictions>
+        <extensive_sender_restrictions type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </extensive_sender_restrictions>
+        <reject_unknown_client_hostname type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </reject_unknown_client_hostname>
+        <reject_non_fqdn_helo_hostname type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </reject_non_fqdn_helo_hostname>
+        <reject_invalid_helo_hostname type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </reject_invalid_helo_hostname>
+        <reject_unknown_helo_hostname type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </reject_unknown_helo_hostname>
         <reject_unauth_pipelining type="BooleanField">
             <default>1</default>
             <Required>Y</Required>
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index fed2225dbf..d744346027 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -134,6 +134,18 @@ relay_recipient_maps = hash:/usr/local/etc/postfix/recipient_access
 {% if helpers.exists('OPNsense.postfix.recipient.recipients.recipient') %}
 {% do smtpd_recipient_restrictions.append('check_recipient_access hash:/usr/local/etc/postfix/recipient_access') %}
 {% endif %}
+{% if helpers.exists('OPNsense.postfix.general.reject_unknown_client_hostname') and OPNsense.postfix.general.reject_unknown_client_hostname == '1' %}
+{% do smtpd_recipient_restrictions.append('reject_unknown_client_hostname') %}
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.reject_non_fqdn_helo_hostname') and OPNsense.postfix.general.reject_non_fqdn_helo_hostname == '1' %}
+{% do smtpd_recipient_restrictions.append('reject_non_fqdn_helo_hostname') %}
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.reject_invalid_helo_hostname') and OPNsense.postfix.general.reject_invalid_helo_hostname == '1' %}
+{% do smtpd_recipient_restrictions.append('reject_invalid_helo_hostname') %}
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.reject_unknown_helo_hostname') and OPNsense.postfix.general.reject_unknown_helo_hostname == '1' %}
+{% do smtpd_recipient_restrictions.append('reject_unknown_helo_hostname') %}
+{% endif %}
 {% if helpers.exists('OPNsense.postfix.general.reject_unauth_pipelining') and OPNsense.postfix.general.reject_unauth_pipelining == '1' %}
 {% do smtpd_recipient_restrictions.append('reject_unauth_pipelining') %}
 {% endif %}
@@ -168,6 +180,22 @@ smtpd_recipient_restrictions = {{ smtpd_recipient_restrictions | join(', ') }}
 
 smtpd_helo_required = yes
 
+{% if helpers.exists('OPNsense.postfix.general.extensive_helo_restrictions') and OPNsense.postfix.general.extensive_helo_restrictions == '1' %}
+smtpd_helo_restrictions =
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        reject_invalid_helo_hostname,
+        reject_non_fqdn_hostname,
+        reject_unknown_hostname
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.extensive_sender_restrictions') and OPNsense.postfix.general.extensive_sender_restrictions == '1' %}
+smtpd_sender_restrictions =
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        reject_unknown_reverse_client_hostname,
+        reject_unknown_sender_domain,
+        reject_non_fqdn_sender
+{% endif %}
 syslog_facility = mail
 syslog_name = postfix
 

From 81f254b878725cd1d04d47ce4221cc5d5448837f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 27 Feb 2020 18:42:23 +0100
Subject: [PATCH 0018/3088] Firewall: add boilerplate for
 https://github.com/opnsense/plugins/issues/1720

---
 net/firewall/Makefile                         |  6 ++
 net/firewall/pkg-descr                        |  4 ++
 .../Firewall/Api/FilterController.php         | 66 +++++++++++++++++++
 .../OPNsense/Firewall/FilterController.php    | 38 +++++++++++
 .../Firewall/forms/dialogFilterRule.xml       | 18 +++++
 .../app/models/OPNsense/Firewall/Filter.php   | 35 ++++++++++
 .../app/models/OPNsense/Firewall/Filter.xml   | 28 ++++++++
 .../models/OPNsense/Firewall/Menu/Menu.xml    |  7 ++
 .../app/views/OPNsense/Firewall/filter.volt   | 46 +++++++++++++
 9 files changed, 248 insertions(+)
 create mode 100644 net/firewall/Makefile
 create mode 100644 net/firewall/pkg-descr
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
 create mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
 create mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
 create mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
 create mode 100644 net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
new file mode 100644
index 0000000000..3f314e675d
--- /dev/null
+++ b/net/firewall/Makefile
@@ -0,0 +1,6 @@
+PLUGIN_NAME=		firewall
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=	    Firewall API supplemental package
+PLUGIN_MAINTAINER=	ad@opnsense.org
+
+.include "../../Mk/plugins.mk"
diff --git a/net/firewall/pkg-descr b/net/firewall/pkg-descr
new file mode 100644
index 0000000000..30776806e4
--- /dev/null
+++ b/net/firewall/pkg-descr
@@ -0,0 +1,4 @@
+This package extends the standard OPNsense firewall system with endpoints for machine to machine management tasks.
+Gui components are initially only intended to ease testing and to explain current functionality.
+
+In the long term this might replace the default firewall in OPNsense.
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
new file mode 100644
index 0000000000..27a684b60c
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -0,0 +1,66 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+namespace OPNsense\Firewall\Api;
+
+use \OPNsense\Base\ApiMutableModelControllerBase;
+
+class FilterController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'filter';
+    protected static $internalModelClass = 'OPNsense\Firewall\Filter';
+
+    public function searchItemAction()
+    {
+        return $this->searchBase("rules.rule", array('enabled', 'sequence', 'description'), "sequence");
+    }
+
+    public function setItemAction($uuid)
+    {
+        return $this->setBase("rule", "rules.rule", $uuid);
+    }
+
+    public function addItemAction()
+    {
+        return $this->addBase("rule", "rules.rule");
+    }
+
+    public function getItemAction($uuid = null)
+    {
+        return $this->getBase("rule", "rules.rule", $uuid);
+    }
+
+    public function delItemAction($uuid)
+    {
+        return $this->delBase("rules.rule", $uuid);
+    }
+
+    public function toggleItemAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("rules.rule", $uuid, $enabled);
+    }
+}
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
new file mode 100644
index 0000000000..f236de95fe
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+namespace OPNsense\Firewall;
+
+
+class FilterController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Firewall/filter');
+        $this->view->formDialogFilterRule = $this->getForm("dialogFilterRule");
+    }
+}
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
new file mode 100644
index 0000000000..8f9b870571
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -0,0 +1,18 @@
+<form>
+    <field>
+        <id>rule.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help>Enable this rule</help>
+    </field>
+    <field>
+        <id>rule.sequence</id>
+        <label>Sequence</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+</form>
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
new file mode 100644
index 0000000000..ebe4b7394a
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Firewall;
+
+use OPNsense\Base\BaseModel;
+
+class Filter extends BaseModel
+{
+}
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
new file mode 100644
index 0000000000..ac824f219d
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -0,0 +1,28 @@
+<model>
+    <mount>//OPNsense/Firewall/FilterRule</mount>
+    <description>
+        OPNsense firewall filter rules
+    </description>
+    <items>
+        <rules>
+            <rule type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <sequence type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>1000000</MaximumValue>
+                    <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
+                    <Required>Y</Required>
+                    <default>1</default>
+                </sequence>
+                <description type="TextField">
+                    <Required>N</Required>
+                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
+                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
+                </description>
+            </rule>
+        </rules>
+    </items>
+</model>
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
new file mode 100644
index 0000000000..1348a80d5f
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
@@ -0,0 +1,7 @@
+<menu>
+    <Firewall>
+        <Automation order="1000" cssClass="fa fa-gear">
+            <Filter order="50" url="/ui/firewall/filter/"/>
+        </Automation>
+    </Firewall>
+</menu>
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
new file mode 100644
index 0000000000..beb717c6ca
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -0,0 +1,46 @@
+<script>
+    $( document ).ready(function() {
+        $("#grid-rules").UIBootgrid({
+            search:'/api/firewall/filter/searchItem/',
+            get:'/api/firewall/filter/getItem/',
+            set:'/api/firewall/filter/setItem/',
+            add:'/api/firewall/filter/addItem/',
+            del:'/api/firewall/filter/delItem/',
+            toggle:'/api/firewall/filter/toggleItem/'
+        });
+    });
+</script>
+
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#rules">{{ lang._('Rules') }}</a></li>
+</ul>
+<div class="tab-content content-box">
+    <div id="rules" class="tab-pane fade in active">
+        <!-- tab page "filter rules" -->
+        <table id="grid-rules" class="table table-condensed table-hover table-striped" data-editDialog="DialogFilterRule">
+            <thead>
+                <tr>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="sequence" data-type="string">{{ lang._('Sequence') }}</th>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogFilterRule,'id':'DialogFilterRule','label':lang._('Edit rule')])}}

From 09c84d7ceb4b2726d3f6eff651bea0ab41c1fc86 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 28 Feb 2020 16:14:29 +0100
Subject: [PATCH 0019/3088] firewall: add fields to model and mark todo's for
 https://github.com/opnsense/plugins/issues/1720

---
 .../Firewall/forms/dialogFilterRule.xml       | 90 ++++++++++++++++++
 .../app/models/OPNsense/Firewall/Filter.xml   | 95 +++++++++++++++++++
 2 files changed, 185 insertions(+)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
index 8f9b870571..6dfcb8ab12 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -10,6 +10,96 @@
         <label>Sequence</label>
         <type>text</type>
     </field>
+    <field>
+        <id>rule.action</id>
+        <label>Action</label>
+        <type>dropdown</type>
+        <help>Choose what to do with packets that match the criteria specified below.
+            Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded.
+        </help>
+    </field>
+    <field>
+        <id>rule.quick</id>
+        <label>Quick</label>
+        <type>checkbox</type>
+        <help>
+            If a packet matches a rule specifying quick, then that rule is considered the last matching rule and the specified action is taken.
+            When a rule does not have quick enabled, the last matching rule wins.
+        </help>
+    </field>
+    <field>
+        <id>rule.interface</id>
+        <label>Interface</label>
+        <type>select_multiple</type>
+    </field>
+    <field>
+        <id>rule.direction</id>
+        <label>Direction</label>
+        <type>dropdown</type>
+        <help>
+            Direction of the traffic. The default policy is to filter inbound traffic, which sets the policy to the interface originally receiving the traffic.
+        </help>
+    </field>
+    <field>
+        <id>rule.ipprotocol</id>
+        <label>TCP/IP Version</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>rule.protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>rule.source_net</id>
+        <label>Source</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.source_port</id>
+        <label>Source port</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Source port number or well known name (imap, imaps, http, https, ...), for ranges use a dash</help>
+    </field>
+    <field>
+        <id>rule.source_not</id>
+        <label>Source / Invert</label>
+        <type>checkbox</type>
+        <help>Use this option to invert the sense of the match.</help>
+    </field>
+    <field>
+        <id>rule.destination_net</id>
+        <label>Destination</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.destination_not</id>
+        <label>Destination / Invert</label>
+        <type>checkbox</type>
+        <help>Use this option to invert the sense of the match.</help>
+    </field>
+    <field>
+        <id>rule.destination_port</id>
+        <label>Destination port</label>
+        <type>text</type>
+        <help>Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash</help>
+    </field>
+    <field>
+        <id>rule.gateway</id>
+        <label>Gateway</label>
+        <type>dropdown</type>
+        <help>
+            Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.
+        </help>
+    </field>
+    <field>
+        <id>rule.log</id>
+        <label>Log</label>
+        <type>checkbox</type>
+        <help>Log packets that are handled by this rule</help>
+    </field>
+
     <field>
         <id>rule.description</id>
         <label>Description</label>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index ac824f219d..73469f9e53 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -17,6 +17,101 @@
                     <Required>Y</Required>
                     <default>1</default>
                 </sequence>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <default>pass</default>
+                    <OptionValues>
+                        <pass>Pass</pass>
+                        <block>Block</block>
+                        <reject>Reject</reject>
+                    </OptionValues>
+                </action>
+                <quick type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </quick>
+                <interface type="InterfaceField">
+                    <Required>Y</Required>
+                    <multiple>Y</multiple>
+                    <default>lan</default>
+                </interface>
+                <direction type="OptionField">
+                    <Required>Y</Required>
+                    <default>in</default>
+                    <OptionValues>
+                        <in>In</in>
+                        <out>Out</out>
+                    </OptionValues>
+                </direction>
+                <ipprotocol type="OptionField">
+                    <Required>Y</Required>
+                    <default>inet</default>
+                    <OptionValues>
+                        <inet>IPv4</inet>
+                        <inet6>IPv6</inet6>
+                    </OptionValues>
+                </ipprotocol>
+                <!--
+                        XXX: needs new field type
+                -->
+                <protocol type="OptionField">
+                    <Required>Y</Required>
+                    <default>any</default>
+                    <OptionValues>
+                        <any>any</any>
+                        <tcp>TCP</tcp>
+                        <udp>UDP</udp>
+                    </OptionValues>
+                </protocol>
+                <!--
+                        XXX: needs a new field type to validate aliases as well
+                             should map internally to  'source' => array('network' => $source_net, "not" => true|false),
+                -->
+                <source_net type="NetworkField">
+                    <default>any</default>
+                    <Required>Y</Required>
+                </source_net>
+                <source_not type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </source_not>
+                <!-- XXX: known limitation, aliases not supported by PortField -->
+                <source_port type="PortField">
+                    <Required>N</Required>
+                    <EnableWellKnown>Y</EnableWellKnown>
+                    <EnableRanges>Y</EnableRanges>
+                    <ValidationMessage>Please specify a valid port number, range or known service name</ValidationMessage>
+                </source_port>
+                <!--
+                        XXX: needs a new field type to validate aliases as well
+                             should map internally to  'source' => array('destination' => destination_net, "not" => true|false),
+                -->
+                <destination_net type="NetworkField">
+                    <default>any</default>
+                    <Required>Y</Required>
+                </destination_net>
+                <destination_not type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </destination_not>
+                <!-- XXX: known limitation, aliases not supported by PortField -->
+                <destination_port type="PortField">
+                    <Required>N</Required>
+                    <EnableWellKnown>Y</EnableWellKnown>
+                    <EnableRanges>Y</EnableRanges>
+                    <ValidationMessage>Please specify a valid port number, range or known service name</ValidationMessage>
+                </destination_port>
+                <gateway type="JsonKeyValueStoreField">
+                    <Required>N</Required>
+                    <ConfigdPopulateAct>interface gateways list</ConfigdPopulateAct>
+                    <SourceFile>/tmp/gateway_list.json</SourceFile>
+                    <ConfigdPopulateTTL>20</ConfigdPopulateTTL>
+                    <ValidationMessage>Specify a valid gateway from the list matching the networks ip protocol.</ValidationMessage>
+                </gateway>
+                <log type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </log>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>

From 831e51855b54be46a7939e8f5125a63bdff77f7a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 28 Feb 2020 17:15:16 +0100
Subject: [PATCH 0020/3088] firewall: switch protocol field for
 https://github.com/opnsense/plugins/issues/1720

---
 .../mvc/app/models/OPNsense/Firewall/Filter.xml        | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 73469f9e53..ef6ff5c469 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -51,17 +51,9 @@
                         <inet6>IPv6</inet6>
                     </OptionValues>
                 </ipprotocol>
-                <!--
-                        XXX: needs new field type
-                -->
-                <protocol type="OptionField">
+                <protocol type="ProtocolField">
                     <Required>Y</Required>
                     <default>any</default>
-                    <OptionValues>
-                        <any>any</any>
-                        <tcp>TCP</tcp>
-                        <udp>UDP</udp>
-                    </OptionValues>
                 </protocol>
                 <!--
                         XXX: needs a new field type to validate aliases as well

From 455518faa0d2a05c1994b9c5d6f2397eb9d1db84 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 3 Mar 2020 17:15:57 +0100
Subject: [PATCH 0021/3088] firewall: add protocol validations and switch to
 NetworkAliasField type for https://github.com/opnsense/plugins/issues/1720

---
 .../app/models/OPNsense/Firewall/Filter.php   | 51 +++++++++++++++++++
 .../app/models/OPNsense/Firewall/Filter.xml   | 16 ++----
 2 files changed, 55 insertions(+), 12 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index ebe4b7394a..51390347c1 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -28,8 +28,59 @@
 
 namespace OPNsense\Firewall;
 
+use Phalcon\Validation\Message;
 use OPNsense\Base\BaseModel;
+use OPNsense\Firewall\Util;
 
 class Filter extends BaseModel
 {
+    /**
+     * @inheritDoc
+     */
+    public function performValidation($validateFullModel = false)
+    {
+        // standard model validations
+        $messages = parent::performValidation($validateFullModel);
+        foreach ($this->rules->rule->iterateItems() as $rule) {
+            // validate changed rules
+            $rule_changed = false;
+            foreach($rule->iterateItems() as $field) {
+                $rule_changed = $rule_changed ? $rule_changed : $field->isFieldChanged();
+            }
+            if ($validateFullModel || $rule_changed) {
+                // port / protocol validation
+                if (!empty((string)$rule->source_port) && !in_array( $rule->protocol, ['TCP', 'UDP'])) {
+                    $messages->appendMessage(new Message(
+                        gettext("Source ports are only valid for tcp or udp type rules."),
+                        $rule->source_port->__reference
+                    ));
+                }
+                if (!empty((string)$rule->destination_port) && !in_array( $rule->protocol, ['TCP', 'UDP'])) {
+                    $messages->appendMessage(new Message(
+                        gettext("Destination ports are only valid for tcp or udp type rules."),
+                        $rule->destination_port->__reference
+                    ));
+                }
+                // validate protocol family
+                $dest_is_addr = Util::isSubnet($rule->destination_net) || Util::isIpAddress($rule->destination_net);
+                $dest_proto = strpos($rule->destination_net, ':') === false ? "inet" : "inet6";
+                if ($dest_is_addr && $dest_proto != $rule->ipprotocol) {
+                    $messages->appendMessage(new Message(
+                        gettext("Destination address type should match selected TCP/IP protocol version."),
+                        $rule->destination_net->__reference
+                    ));
+                }
+                $src_is_addr = Util::isSubnet($rule->source_net) || Util::isIpAddress($rule->source_net);
+                $src_proto = strpos($rule->source_net, ':') === false ? "inet" : "inet6";
+                if ($src_is_addr && $src_proto != $rule->ipprotocol) {
+                    $messages->appendMessage(new Message(
+                        gettext("Source address type should match selected TCP/IP protocol version."),
+                        $rule->source_net->__reference
+                    ));
+                }
+
+            }
+        }
+        return $messages;
+    }
 }
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index ef6ff5c469..0404af5dd1 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -55,11 +55,8 @@
                     <Required>Y</Required>
                     <default>any</default>
                 </protocol>
-                <!--
-                        XXX: needs a new field type to validate aliases as well
-                             should map internally to  'source' => array('network' => $source_net, "not" => true|false),
-                -->
-                <source_net type="NetworkField">
+                <!-- XXX: should map internally to  'source' => array('network' => $source_net, "not" => true|false) -->
+                <source_net type="NetworkAliasField">
                     <default>any</default>
                     <Required>Y</Required>
                 </source_net>
@@ -72,13 +69,9 @@
                     <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
-                    <ValidationMessage>Please specify a valid port number, range or known service name</ValidationMessage>
                 </source_port>
-                <!--
-                        XXX: needs a new field type to validate aliases as well
-                             should map internally to  'source' => array('destination' => destination_net, "not" => true|false),
-                -->
-                <destination_net type="NetworkField">
+                <!-- XXX: should map internally to  'source' => array('destination' => destination_net, "not" => true|false) -->
+                <destination_net type="NetworkAliasField">
                     <default>any</default>
                     <Required>Y</Required>
                 </destination_net>
@@ -91,7 +84,6 @@
                     <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
-                    <ValidationMessage>Please specify a valid port number, range or known service name</ValidationMessage>
                 </destination_port>
                 <gateway type="JsonKeyValueStoreField">
                     <Required>N</Required>

From 00e242f0683a44cf257573c39701a515f0f35e7d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 3 Mar 2020 18:08:20 +0100
Subject: [PATCH 0022/3088] firewall: open dialog with uuid link, for
 https://github.com/opnsense/plugins/issues/1720

---
 .../opnsense/mvc/app/models/OPNsense/Firewall/Filter.php | 1 -
 .../opnsense/mvc/app/views/OPNsense/Firewall/filter.volt | 9 ++++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 51390347c1..d474928636 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -78,7 +78,6 @@ public function performValidation($validateFullModel = false)
                         $rule->source_net->__reference
                     ));
                 }
-
             }
         }
         return $messages;
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index beb717c6ca..5976c1cf2d 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -1,6 +1,6 @@
 <script>
     $( document ).ready(function() {
-        $("#grid-rules").UIBootgrid({
+        let grid = $("#grid-rules").UIBootgrid({
             search:'/api/firewall/filter/searchItem/',
             get:'/api/firewall/filter/getItem/',
             set:'/api/firewall/filter/setItem/',
@@ -8,6 +8,13 @@
             del:'/api/firewall/filter/delItem/',
             toggle:'/api/firewall/filter/toggleItem/'
         });
+
+        // open edit dialog when opened with a uuid reference
+        if (window.location.hash !== "" && window.location.hash.split("-").length >= 4) {
+            grid.on('loaded.rs.jquery.bootgrid', function(){
+                $(".command-edit:eq(0)").clone(true).data('row-id', window.location.hash).click();
+            });
+        }
     });
 </script>
 

From 2ef75761fdf6867bccd4118d05683c0752bb4b59 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 4 Mar 2020 18:49:17 +0100
Subject: [PATCH 0023/3088] firewall: add custom ArrayField type to contain
 rules and add serializer to internal firewall format.

Example usage:

```
$mdlFilter = new OPNsense\Firewall\Filter();

foreach ($mdlFilter->rules->rule->iterateItems() as $key => $rule) {
    print_r($rule->serialize());
}
```

for https://github.com/opnsense/plugins/issues/1720
---
 .../Firewall/FieldTypes/FilterRuleField.php   | 103 ++++++++++++++++++
 .../app/models/OPNsense/Firewall/Filter.xml   |   4 +-
 2 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
new file mode 100644
index 0000000000..5f989c56cc
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
@@ -0,0 +1,103 @@
+<?php
+
+/**
+ *    Copyright (C) 2020 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Firewall\FieldTypes;
+
+use OPNsense\Base\FieldTypes\ArrayField;
+use OPNsense\Base\FieldTypes\ContainerField;
+
+/**
+ * Class FilterRuleContainerField
+ * @package OPNsense\Firewall\FieldTypes
+ */
+class FilterRuleContainerField extends ContainerField
+{
+    /**
+     * map rules
+     * @return array
+     */
+    public function serialize()
+    {
+        $result = array();
+        $map_manual = ['source_net', 'source_not', 'source_port', 'destination_net', 'destination_not',
+            'destination_port', 'enabled', 'description', 'sequence', 'action'];
+        // 1-on-1 map (with type conversion if needed)
+        foreach ($this->iterateItems() as $key => $node) {
+            if (!in_array($key, $map_manual)) {
+                if (is_a($node, "OPNsense\\Base\\FieldTypes\\BooleanField")) {
+                    $result[$key] = !empty((string)$node);
+                } else {
+                    $result[$key] = (string)$node;
+                }
+            }
+        }
+        // source / destination mapping
+        $result['source'] = array();
+        if (!empty((string)$this->source_net)) {
+            $result['source']['network'] = (string)$this->source_net;
+            $result['source']['not'] = !empty((string)$this->source_not);
+            if (!empty((string)$this->source_port)) {
+                $result['source']['port'] = (string)$this->source_port;
+            }
+        }
+        $result['destination'] = array();
+        if (!empty((string)$this->destination_net)) {
+            $result['destination']['network'] = (string)$this->destination_net;
+            $result['destination']['not'] = !empty((string)$this->destination_not);
+            if (!empty((string)$this->source_port)) {
+                $result['destination']['port'] = (string)$this->destination_port;
+            }
+        }
+        // swap enabled
+        $result['disabled'] = empty((string)$this->enabled);
+        //
+        $result['descr'] = (string)$this->description;
+        $result['type'] = (string)$this->action;
+        return $result;
+    }
+}
+
+/**
+ * Class FilterRuleField
+ * @package OPNsense\Firewall\FieldTypes
+ */
+class FilterRuleField extends ArrayField
+{
+    /**
+     * @inheritDoc
+     */
+    public function newContainerField($ref, $tagname)
+    {
+        $container_node = new FilterRuleContainerField($ref, $tagname);
+        $parentmodel = $this->getParentModel();
+        $container_node->setParentModel($parentmodel);
+        return $container_node;
+    }
+}
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 0404af5dd1..0c07fe8557 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -5,14 +5,14 @@
     </description>
     <items>
         <rules>
-            <rule type="ArrayField">
+            <rule type=".\FilterRuleField">
                 <enabled type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>
                 </enabled>
                 <sequence type="IntegerField">
                     <MinimumValue>1</MinimumValue>
-                    <MaximumValue>1000000</MaximumValue>
+                    <MaximumValue>99999</MaximumValue>
                     <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
                     <Required>Y</Required>
                     <default>1</default>

From 4d5aea8e63378f0c0f0e9224342446e5d0cb31a0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 5 Mar 2020 15:10:23 +0100
Subject: [PATCH 0024/3088] firewall: add priority method similar to the legacy
 priority choices and allow dynamic type interfaces

for https://github.com/opnsense/plugins/issues/1720
---
 .../Firewall/FieldTypes/FilterRuleField.php   | 28 +++++++++++++++++++
 .../app/models/OPNsense/Firewall/Filter.xml   |  1 +
 2 files changed, 29 insertions(+)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
index 5f989c56cc..4a73c35fcf 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
@@ -30,6 +30,7 @@
 
 namespace OPNsense\Firewall\FieldTypes;
 
+use OPNsense\Core\Config;
 use OPNsense\Base\FieldTypes\ArrayField;
 use OPNsense\Base\FieldTypes\ContainerField;
 
@@ -80,8 +81,35 @@ public function serialize()
         //
         $result['descr'] = (string)$this->description;
         $result['type'] = (string)$this->action;
+        if (strpos((string)$this->interface, ",") !== false) {
+            $result['floating'] = true;
+        }
         return $result;
     }
+
+    /**
+     * rule priority is threaded equally to the legacy rules, first "floating" then groups and single interface
+     * rules are handled last
+     * @return int priority in the ruleset, sequence should determine sort order.
+     */
+    public function getPriority()
+    {
+        $configObj = Config::getInstance()->object();
+        $interface = (string)$this->interface;
+        if (strpos($interface, ",") !== false) {
+            // floating (multiple interfaces involved)
+            return 1000;
+        } elseif (!empty($configObj->interfaces) &&
+            !empty($configObj->interfaces->$interface) &&
+            !empty($configObj->interfaces->$interface->type) &&
+            $configObj->interfaces->$interface->type == 'group') {
+            // group type
+            return 2000;
+        } else {
+            // default
+            return 3000;
+        }
+    }
 }
 
 /**
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 0c07fe8557..0dcced43c2 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -34,6 +34,7 @@
                     <Required>Y</Required>
                     <multiple>Y</multiple>
                     <default>lan</default>
+                    <AllowDynamic>Y</AllowDynamic>
                 </interface>
                 <direction type="OptionField">
                     <Required>Y</Required>

From 01543474a9ceb0ca8b5d79a11b0011dbcab3f527 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 5 Mar 2020 17:22:42 +0100
Subject: [PATCH 0025/3088] os-firewall: fix open with uuid
 (https://github.com/opnsense/plugins/issues/1720)

---
 .../src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index 5976c1cf2d..213d54746b 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -12,7 +12,7 @@
         // open edit dialog when opened with a uuid reference
         if (window.location.hash !== "" && window.location.hash.split("-").length >= 4) {
             grid.on('loaded.rs.jquery.bootgrid', function(){
-                $(".command-edit:eq(0)").clone(true).data('row-id', window.location.hash).click();
+                $(".command-edit:eq(0)").clone(true).data('row-id', window.location.hash.substr(1)).click();
             });
         }
     });

From 66e2b7a340ffd0345721f9b84dd938a8dc9d531e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 5 Mar 2020 17:26:32 +0100
Subject: [PATCH 0026/3088] os-firewall: hook in rules and minor changes to
 FilterRuleField (https://github.com/opnsense/plugins/issues/1720)

---
 .../src/etc/inc/plugins.inc.d/pfplugin.inc    | 41 +++++++++++++++++++
 .../Firewall/FieldTypes/FilterRuleField.php   |  7 +++-
 2 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc

diff --git a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
new file mode 100644
index 0000000000..a9c1948066
--- /dev/null
+++ b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
@@ -0,0 +1,41 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+ /**
+  * @param $fw
+  */
+ function pfplugin_firewall($fw)
+ {
+     $mdlFilter = new OPNsense\Firewall\Filter();
+     foreach ($mdlFilter->rules->rule->sortedBy(["sequence"]) as $key => $rule) {
+          $content = $rule->serialize();
+          $content["#ref"] = "ui/firewall/filter#" . (string)$rule->getAttributes()['uuid'];
+          $fw->registerFilterRule($rule->getPriority(), $content);
+     }
+ }
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
index 4a73c35fcf..6556ae488e 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
@@ -54,6 +54,10 @@ public function serialize()
             if (!in_array($key, $map_manual)) {
                 if (is_a($node, "OPNsense\\Base\\FieldTypes\\BooleanField")) {
                     $result[$key] = !empty((string)$node);
+                } elseif (is_a($node, "OPNsense\\Base\\FieldTypes\\ProtocolField")) {
+                    if ((string)$node != 'any') {
+                        $result[$key] = (string)$node;
+                    }
                 } else {
                     $result[$key] = (string)$node;
                 }
@@ -76,9 +80,8 @@ public function serialize()
                 $result['destination']['port'] = (string)$this->destination_port;
             }
         }
-        // swap enabled
+        // field mappings and differences
         $result['disabled'] = empty((string)$this->enabled);
-        //
         $result['descr'] = (string)$this->description;
         $result['type'] = (string)$this->action;
         if (strpos((string)$this->interface, ",") !== false) {

From 8d53eece0b855c40342d953570f6b255ce96bfcd Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 5 Mar 2020 17:39:28 +0100
Subject: [PATCH 0027/3088] os-firewall: only use uuid reference on initial
 load (https://github.com/opnsense/plugins/issues/1720)

---
 .../opnsense/mvc/app/views/OPNsense/Firewall/filter.volt    | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index 213d54746b..fb9809b3a0 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -1,5 +1,6 @@
 <script>
     $( document ).ready(function() {
+        let initial_load = true;
         let grid = $("#grid-rules").UIBootgrid({
             search:'/api/firewall/filter/searchItem/',
             get:'/api/firewall/filter/getItem/',
@@ -12,7 +13,10 @@
         // open edit dialog when opened with a uuid reference
         if (window.location.hash !== "" && window.location.hash.split("-").length >= 4) {
             grid.on('loaded.rs.jquery.bootgrid', function(){
-                $(".command-edit:eq(0)").clone(true).data('row-id', window.location.hash.substr(1)).click();
+                if (initial_load) {
+                    $(".command-edit:eq(0)").clone(true).data('row-id', window.location.hash.substr(1)).click();
+                    initial_load = false;
+                }
             });
         }
     });

From efeb8c1b6f6faf7fa004adfe2684f3399b06e3f2 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 5 Mar 2020 17:59:06 +0100
Subject: [PATCH 0028/3088] os-firewall: fix menu for
 https://github.com/opnsense/plugins/issues/1720

---
 .../opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
index 1348a80d5f..3667041201 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
@@ -1,7 +1,9 @@
 <menu>
     <Firewall>
         <Automation order="1000" cssClass="fa fa-gear">
-            <Filter order="50" url="/ui/firewall/filter/"/>
+            <Filter order="50" url="/ui/firewall/filter/">
+                <FilterRef url="/ui/firewall/filter#*"/>
+            </Filter>
         </Automation>
     </Firewall>
-</menu>
\ No newline at end of file
+</menu>

From 8ab96059614c6d802108729e6cb9bfbe3287a69d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 6 Mar 2020 19:09:43 +0100
Subject: [PATCH 0029/3088] os-firewall: add apply action and assign an acl for
 this controller. for https://github.com/opnsense/plugins/issues/1720

---
 .../OPNsense/Firewall/Api/FilterController.php  | 14 ++++++++++++--
 .../app/models/OPNsense/Firewall/ACL/ACL.xml    |  9 +++++++++
 .../mvc/app/views/OPNsense/Firewall/filter.volt | 17 ++++++++++++++++-
 3 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
index 27a684b60c..d2ed30745c 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -27,7 +27,8 @@
  */
 namespace OPNsense\Firewall\Api;
 
-use \OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
 
 class FilterController extends ApiMutableModelControllerBase
 {
@@ -63,4 +64,13 @@ public function toggleItemAction($uuid, $enabled = null)
     {
         return $this->toggleBase("rules.rule", $uuid, $enabled);
     }
-}
\ No newline at end of file
+
+    public function applyAction()
+    {
+        if ($this->request->isPost()) {
+            return array("status" => (new Backend())->configdRun('filter reload'));
+        } else {
+            return array("status" => "error");
+        }
+    }
+}
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
new file mode 100644
index 0000000000..e063715bdf
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-filter-api>
+        <name>Firewall: Rules: API</name>
+        <patterns>
+            <pattern>ui/firewall/filter/*</pattern>
+            <pattern>api/firewall/filter/*</pattern>
+        </patterns>
+    </page-filter-api>
+</acl>
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index fb9809b3a0..1e3389e9f9 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -19,6 +19,8 @@
                 }
             });
         }
+
+        $("#reconfigureAct").SimpleActionButton();
     });
 </script>
 
@@ -29,7 +31,7 @@
 <div class="tab-content content-box">
     <div id="rules" class="tab-pane fade in active">
         <!-- tab page "filter rules" -->
-        <table id="grid-rules" class="table table-condensed table-hover table-striped" data-editDialog="DialogFilterRule">
+        <table id="grid-rules" class="table table-condensed table-hover table-striped" data-editDialog="DialogFilterRule" data-editAlert="FilterRuleChangeMessage">
             <thead>
                 <tr>
                     <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
@@ -51,6 +53,19 @@
                 </tr>
             </tfoot>
         </table>
+        <div class="col-md-12">
+        <div id="FilterRuleChangeMessage" class="alert alert-info" style="display: none" role="alert">
+            {{ lang._('After changing settings, please remember to apply them with the button below') }}
+        </div>
+        <hr/>
+        <button class="btn btn-primary" id="reconfigureAct"
+                data-endpoint='/api/firewall/filter/apply'
+                data-label="{{ lang._('Apply') }}"
+                data-error-title="{{ lang._('Filter load error') }}"
+                type="button"
+        ></button>
+        <br/><br/>
+    </div>
     </div>
 </div>
 

From 9f7954b24897ceb066f7757320deb22951a4eb6d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 9 Mar 2020 18:40:24 +0100
Subject: [PATCH 0030/3088] os-firewall: add savepoint / revert actions
 including simple ui test calls

for https://github.com/opnsense/plugins/issues/1720
---
 .../Firewall/Api/FilterController.php         | 34 ++++++++++++
 .../app/models/OPNsense/Firewall/Filter.php   | 23 ++++++++
 .../app/views/OPNsense/Firewall/filter.volt   | 53 +++++++++++++++++++
 3 files changed, 110 insertions(+)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
index d2ed30745c..4c06d3e392 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -29,6 +29,7 @@
 
 use OPNsense\Base\ApiMutableModelControllerBase;
 use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
 
 class FilterController extends ApiMutableModelControllerBase
 {
@@ -73,4 +74,37 @@ public function applyAction()
             return array("status" => "error");
         }
     }
+
+    public function savepointAction()
+    {
+        if ($this->request->isPost()) {
+            // trigger a save, so we know revision->time matches our running config
+            Config::getInstance()->save();
+            return array(
+                "status" => "ok",
+                "retention" => (string)Config::getInstance()->backupCount(),
+                "revision" => (string)Config::getInstance()->object()->revision->time
+            );
+        } else {
+            return array("status" => "error");
+        }
+    }
+
+    public function revertAction($revision)
+    {
+        if ($this->request->isPost()) {
+            Config::getInstance()->lock();
+            $filename = Config::getInstance()->getBackupFilename($revision);
+            if (!$filename) {
+                Config::getInstance()->unlock();
+                return ["status" => gettext("unknown (or removed) savepoint")];
+            }
+            $this->getModel()->rollback($revision);
+            Config::getInstance()->unlock();
+            (new Backend())->configdRun('filter reload');
+            return ["status" => "ok"];
+        } else {
+            return array("status" => "error");
+        }
+    }
 }
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index d474928636..5294bb4d44 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -28,6 +28,7 @@
 
 namespace OPNsense\Firewall;
 
+use OPNsense\Core\Config;
 use Phalcon\Validation\Message;
 use OPNsense\Base\BaseModel;
 use OPNsense\Firewall\Util;
@@ -82,4 +83,26 @@ public function performValidation($validateFullModel = false)
         }
         return $messages;
     }
+
+    /**
+     * Rollback this model to a previous version.
+     * Make sure to remove this object afterwards, since its contents won't be updated.
+     * @param $revision float|string revision number
+     */
+    public function rollback($revision)
+    {
+        $filename = Config::getInstance()->getBackupFilename($revision);
+        if ($filename) {
+            // fiddle with the dom, copy OPNsense->Firewall->FilterRule from backup to current config
+            $sourcexml = simplexml_load_file($filename);
+            if ($sourcexml->OPNsense->Firewall->FilterRule) {
+                $sourcedom = dom_import_simplexml($sourcexml->OPNsense->Firewall->FilterRule);
+                $targetxml = Config::getInstance()->object();
+                $targetdom = dom_import_simplexml($targetxml->OPNsense->Firewall->FilterRule);
+                $node = $targetdom->ownerDocument->importNode($sourcedom, TRUE);
+                $targetdom->parentNode->replaceChild($node, $targetdom);
+                Config::getInstance()->save();
+            }
+        }
+    }
 }
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index 1e3389e9f9..e6191dba6b 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -21,6 +21,47 @@
         }
 
         $("#reconfigureAct").SimpleActionButton();
+        $("#savepointAct").SimpleActionButton({
+            onAction: function(data, status){
+                stdDialogInform(
+                    "{{ lang._('Savepoint created') }}",
+                    data['revision'],
+                    "{{ lang._('Close') }}"
+                );
+            }
+        });
+
+        $("#revertAction").on('click', function(){
+            BootstrapDialog.show({
+                type: BootstrapDialog.TYPE_DEFAULT,
+                title: "{{ lang._('Revert to savepoint') }}",
+                message: "<p>{{ lang._('Enter a savepoint to rollback to.') }}</p>" +
+                    '<div class="form-group" style="display: block;">' +
+                    '<input id="revertToTime" type="text" class="form-control"/>' +
+                    '<span class="error text-danger" id="revertToTimeError"></span>'+
+                    '</div>',
+                buttons: [{
+                    label: "{{ lang._('Revert') }}",
+                    cssClass: 'btn-primary',
+                    action: function(dialogRef) {
+                        ajaxCall("/api/firewall/filter/revert/" + $("#revertToTime").val(), {}, function (data, status) {
+                            if (data.status !== "ok") {
+                                $("#revertToTime").parent().addClass("has-error");
+                                $("#revertToTimeError").html(data.status);
+                            } else {
+                                std_bootgrid_reload("grid-rules");
+                                dialogRef.close();
+                            }
+                        });
+                    }
+                }],
+                onshown: function(dialogRef) {
+                    $("#revertToTime").parent().removeClass("has-error");
+                    $("#revertToTimeError").html("");
+                    $("#revertToTime").val("");
+                }
+            });
+        });
     });
 </script>
 
@@ -64,6 +105,18 @@
                 data-error-title="{{ lang._('Filter load error') }}"
                 type="button"
         ></button>
+
+        <div class="pull-right">
+            <button class="btn" id="savepointAct"
+                    data-endpoint='/api/firewall/filter/savepoint'
+                    data-label="{{ lang._('Savepoint') }}"
+                    data-error-title="{{ lang._('snapshot error') }}"
+                    type="button"
+            ></button>
+            <button  class="btn" id="revertAction">
+                {{ lang._('Revert') }}
+            </button>
+        </div>
         <br/><br/>
     </div>
     </div>

From 1652bc6935b2210c6283d475e21483a95e4e3577 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 10 Mar 2020 14:48:10 +0100
Subject: [PATCH 0031/3088] os-firewall: add support for "cancelation tokens"
 apply endpoint can request a rollback point, which will be reverted to if
 there's no call on cancelRollback with the same timestamp within 60 seconds.

for https://github.com/opnsense/plugins/issues/1720
---
 .../Firewall/Api/FilterController.php         | 15 +++++-
 .../app/models/OPNsense/Firewall/Filter.php   |  5 +-
 .../opnsense/scripts/pfplugin/rollback_cancel | 40 ++++++++++++++
 .../opnsense/scripts/pfplugin/rollback_timer  | 54 +++++++++++++++++++
 .../conf/actions.d/actions_pfplugin.conf      | 11 ++++
 5 files changed, 123 insertions(+), 2 deletions(-)
 create mode 100755 net/firewall/src/opnsense/scripts/pfplugin/rollback_cancel
 create mode 100755 net/firewall/src/opnsense/scripts/pfplugin/rollback_timer
 create mode 100644 net/firewall/src/opnsense/service/conf/actions.d/actions_pfplugin.conf

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
index 4c06d3e392..62116a88de 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -66,15 +66,28 @@ public function toggleItemAction($uuid, $enabled = null)
         return $this->toggleBase("rules.rule", $uuid, $enabled);
     }
 
-    public function applyAction()
+    public function applyAction($rollback_revision = null)
     {
         if ($this->request->isPost()) {
+            if ($rollback_revision != null) {
+                // background rollback timer
+                (new Backend())->configdpRun('pfplugin rollback_timer', [$rollback_revision], true);
+            }
             return array("status" => (new Backend())->configdRun('filter reload'));
         } else {
             return array("status" => "error");
         }
     }
 
+    public function cancelRollbackAction($rollback_revision)
+    {
+        if ($this->request->isPost()) {
+            return array("status" => (new Backend())->configdpRun('pfplugin cancel_rollback', [$rollback_revision]));
+        } else {
+            return array("status" => "error");
+        }
+    }
+
     public function savepointAction()
     {
         if ($this->request->isPost()) {
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 5294bb4d44..ccaa644ed8 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -88,6 +88,7 @@ public function performValidation($validateFullModel = false)
      * Rollback this model to a previous version.
      * Make sure to remove this object afterwards, since its contents won't be updated.
      * @param $revision float|string revision number
+     * @return bool action performed (backup revision existed)
      */
     public function rollback($revision)
     {
@@ -102,7 +103,9 @@ public function rollback($revision)
                 $node = $targetdom->ownerDocument->importNode($sourcedom, TRUE);
                 $targetdom->parentNode->replaceChild($node, $targetdom);
                 Config::getInstance()->save();
+                return true;
             }
         }
+        return false;
     }
-}
\ No newline at end of file
+}
diff --git a/net/firewall/src/opnsense/scripts/pfplugin/rollback_cancel b/net/firewall/src/opnsense/scripts/pfplugin/rollback_cancel
new file mode 100755
index 0000000000..c47f74b074
--- /dev/null
+++ b/net/firewall/src/opnsense/scripts/pfplugin/rollback_cancel
@@ -0,0 +1,40 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2020 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+if (count($argv) >= 2) {
+    $revision = preg_replace("/[^0-9.]/", "", $argv[1]);
+    if (!empty($revision)) {
+        $lckfile = "/tmp/pfplugin_{$revision}.lock";
+        if (file_exists($lckfile)) {
+            unlink($lckfile);
+            exit(0);
+        }
+    }
+}
+exit(1);
diff --git a/net/firewall/src/opnsense/scripts/pfplugin/rollback_timer b/net/firewall/src/opnsense/scripts/pfplugin/rollback_timer
new file mode 100755
index 0000000000..819a1f12cf
--- /dev/null
+++ b/net/firewall/src/opnsense/scripts/pfplugin/rollback_timer
@@ -0,0 +1,54 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2020 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('script/load_phalcon.php');
+
+if (count($argv) >= 2) {
+    $revision = preg_replace("/[^0-9.]/", "", $argv[1]);
+    if (!empty($revision)) {
+        $lckfile = "/tmp/pfplugin_{$revision}.lock";
+        file_put_contents($lckfile, "");
+        // give the api 60 seconds to callback
+        for ($i=0; $i < 60 ; ++$i) {
+            if (!file_exists($lckfile)) {
+                // got feedback
+                exit(0);
+            }
+            sleep(1);
+        }
+        @unlink($lckfile);
+        // no feedback, revert
+        $mdlFilter = new OPNsense\Firewall\Filter();
+        if ($mdlFilter->rollback($revision)) {
+            (new OPNsense\Core\Backend())->configdRun('filter reload');
+        } else {
+            syslog(LOG_WARNING, "unable to revert to unexisting revision : {$revision}");
+        }
+    }
+}
diff --git a/net/firewall/src/opnsense/service/conf/actions.d/actions_pfplugin.conf b/net/firewall/src/opnsense/service/conf/actions.d/actions_pfplugin.conf
new file mode 100644
index 0000000000..61a13f477a
--- /dev/null
+++ b/net/firewall/src/opnsense/service/conf/actions.d/actions_pfplugin.conf
@@ -0,0 +1,11 @@
+[rollback_timer]
+command:/usr/local/bin/flock -n -E 0 -o /tmp/pfplugin_rollback_timer.lock /usr/local/opnsense/scripts/pfplugin/rollback_timer
+parameters: %s
+type:script
+message:wait for api feedback or revert to previous filter plugin config
+
+[cancel_rollback]
+command: /usr/local/opnsense/scripts/pfplugin/rollback_cancel
+parameters: %s
+type:script_output
+message:cancel pfplugin rollback

From cf05d85eb3351b48583589484f507ca6de4e7288 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Mar 2020 15:24:26 +0100
Subject: [PATCH 0032/3088] net/firewall: sync

---
 LICENSE                                                         | 2 +-
 README.md                                                       | 1 +
 .../mvc/app/controllers/OPNsense/Firewall/FilterController.php  | 2 +-
 .../controllers/OPNsense/Firewall/forms/dialogFilterRule.xml    | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml    | 2 +-
 5 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/LICENSE b/LICENSE
index 0b7a99dd6c..b47b3f8908 100644
--- a/LICENSE
+++ b/LICENSE
@@ -3,7 +3,7 @@ Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2011 Dan Myers
 Copyright (c) 2017-2018 David Harrigan
-Copyright (c) 2014-2019 Deciso B.V.
+Copyright (c) 2014-2020 Deciso B.V.
 Copyright (c) 2008 Donovan Schonknecht
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2006 Eric Friesen
diff --git a/README.md b/README.md
index 5464e9a951..71e43f862f 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,7 @@ net-mgmt/nrpe -- Execute nagios plugins
 net-mgmt/telegraf -- Agent for collecting metrics and data
 net-mgmt/zabbix-agent -- Zabbix monitoring agent
 net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
+net/firewall -- Firewall API supplemental package
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
 net/ftp-proxy -- Control ftp-proxy processes
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
index f236de95fe..789f32a499 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
@@ -35,4 +35,4 @@ public function indexAction()
         $this->view->pick('OPNsense/Firewall/filter');
         $this->view->formDialogFilterRule = $this->getForm("dialogFilterRule");
     }
-}
\ No newline at end of file
+}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
index 6dfcb8ab12..f299cc1c42 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -105,4 +105,4 @@
         <label>Description</label>
         <type>text</type>
     </field>
-</form>
\ No newline at end of file
+</form>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 0dcced43c2..3e4ac83737 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -105,4 +105,4 @@
             </rule>
         </rules>
     </items>
-</model>
\ No newline at end of file
+</model>

From 8609dfb8e8c124ef20f0ad82cfb7e552af57c34c Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 11 Mar 2020 12:36:29 +0100
Subject: [PATCH 0033/3088] os-firewall: rename endpoints for
 https://github.com/opnsense/plugins/issues/1720

---
 .../OPNsense/Firewall/Api/FilterController.php       | 12 ++++++------
 .../mvc/app/views/OPNsense/Firewall/filter.volt      | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
index 62116a88de..8bc560b126 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -36,32 +36,32 @@ class FilterController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'filter';
     protected static $internalModelClass = 'OPNsense\Firewall\Filter';
 
-    public function searchItemAction()
+    public function searchRuleAction()
     {
         return $this->searchBase("rules.rule", array('enabled', 'sequence', 'description'), "sequence");
     }
 
-    public function setItemAction($uuid)
+    public function setRuleAction($uuid)
     {
         return $this->setBase("rule", "rules.rule", $uuid);
     }
 
-    public function addItemAction()
+    public function addRuleAction()
     {
         return $this->addBase("rule", "rules.rule");
     }
 
-    public function getItemAction($uuid = null)
+    public function getRuleAction($uuid = null)
     {
         return $this->getBase("rule", "rules.rule", $uuid);
     }
 
-    public function delItemAction($uuid)
+    public function delRuleAction($uuid)
     {
         return $this->delBase("rules.rule", $uuid);
     }
 
-    public function toggleItemAction($uuid, $enabled = null)
+    public function toggleRuleAction($uuid, $enabled = null)
     {
         return $this->toggleBase("rules.rule", $uuid, $enabled);
     }
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index e6191dba6b..b498372440 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -2,12 +2,12 @@
     $( document ).ready(function() {
         let initial_load = true;
         let grid = $("#grid-rules").UIBootgrid({
-            search:'/api/firewall/filter/searchItem/',
-            get:'/api/firewall/filter/getItem/',
-            set:'/api/firewall/filter/setItem/',
-            add:'/api/firewall/filter/addItem/',
-            del:'/api/firewall/filter/delItem/',
-            toggle:'/api/firewall/filter/toggleItem/'
+            search:'/api/firewall/filter/searchRule/',
+            get:'/api/firewall/filter/getRule/',
+            set:'/api/firewall/filter/setRule/',
+            add:'/api/firewall/filter/addRule/',
+            del:'/api/firewall/filter/delRule/',
+            toggle:'/api/firewall/filter/toggleRule/'
         });
 
         // open edit dialog when opened with a uuid reference

From 64f3ed99e88493412c97b75dd78493beb1f6781e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 11 Mar 2020 17:29:46 +0100
Subject: [PATCH 0034/3088] os-firewall: style cleanup for
 https://github.com/opnsense/plugins/issues/1720

---
 .../controllers/OPNsense/Firewall/Api/FilterController.php    | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
index 8bc560b126..2ab47ee699 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -82,7 +82,9 @@ public function applyAction($rollback_revision = null)
     public function cancelRollbackAction($rollback_revision)
     {
         if ($this->request->isPost()) {
-            return array("status" => (new Backend())->configdpRun('pfplugin cancel_rollback', [$rollback_revision]));
+            return array(
+                "status" => (new Backend())->configdpRun('pfplugin cancel_rollback', [$rollback_revision])
+            );
         } else {
             return array("status" => "error");
         }

From f2baaedd11e78259b977c133255bb18e3766c57b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 12 Mar 2020 10:47:49 +0100
Subject: [PATCH 0035/3088] os-firewall: parse error on invert options. "not"
 is treated being set or unset in core.

https://github.com/opnsense/plugins/issues/1720
---
 .../OPNsense/Firewall/FieldTypes/FilterRuleField.php      | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
index 6556ae488e..06afc60f63 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
@@ -67,7 +67,9 @@ public function serialize()
         $result['source'] = array();
         if (!empty((string)$this->source_net)) {
             $result['source']['network'] = (string)$this->source_net;
-            $result['source']['not'] = !empty((string)$this->source_not);
+            if (!empty((string)$this->source_not)) {
+                $result['source']['not'] = true;
+            }
             if (!empty((string)$this->source_port)) {
                 $result['source']['port'] = (string)$this->source_port;
             }
@@ -75,7 +77,9 @@ public function serialize()
         $result['destination'] = array();
         if (!empty((string)$this->destination_net)) {
             $result['destination']['network'] = (string)$this->destination_net;
-            $result['destination']['not'] = !empty((string)$this->destination_not);
+            if (!empty((string)$this->destination_not)) {
+                $result['destination']['not'] = true;
+            }
             if (!empty((string)$this->source_port)) {
                 $result['destination']['port'] = (string)$this->destination_port;
             }

From b4cb311bdba45574443897875abb3bbae23169ba Mon Sep 17 00:00:00 2001
From: Maurice <mail@maurice-walker.com>
Date: Fri, 13 Mar 2020 08:12:16 +0100
Subject: [PATCH 0036/3088] net/tayga: bugfixes for TUN interface and Tayga
 IPv6 addresses (#1738)

---
 net/tayga/src/etc/rc.d/opnsense-tayga                           | 2 +-
 net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga   | 1 +
 .../src/opnsense/service/templates/OPNsense/Tayga/tayga.conf    | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/tayga/src/etc/rc.d/opnsense-tayga b/net/tayga/src/etc/rc.d/opnsense-tayga
index 0bc0834d74..d86a7dca3e 100755
--- a/net/tayga/src/etc/rc.d/opnsense-tayga
+++ b/net/tayga/src/etc/rc.d/opnsense-tayga
@@ -28,7 +28,7 @@ tayga_start()
         ${command} ${command_args}
         sleep 1
         ifconfig nat64 inet ${tayga_v4destination}/32 ${tayga_v4address}
-        ifconfig nat64 inet6 ${tayga_v6estination}/128
+        ifconfig nat64 inet6 ${tayga_v6destination}/128
         route -6 add ${tayga_v6prefix} -interface nat64
         route -4 add ${tayga_v4pool} -interface nat64
 }
diff --git a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
index cc5d8c68c1..c84c7881d7 100644
--- a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
+++ b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
@@ -6,6 +6,7 @@ tayga_v4destination={{ OPNsense.tayga.general.v4destination }}
 tayga_v4pool={{ OPNsense.tayga.general.v4pool }}
 tayga_v6prefix={{ OPNsense.tayga.general.v6prefix }}
 tayga_v6address={{ OPNsense.tayga.general.v6address }}
+tayga_v6destination={{ OPNsense.tayga.general.v6destination }}
 {% else %}
 tayga_enable="NO"
 {% endif %}
diff --git a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
index ae027a4074..2c8a3bd580 100644
--- a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
+++ b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
@@ -4,7 +4,9 @@ tun-device nat64
 data-dir /var/db/tayga
 
 ipv4-addr {{ OPNsense.tayga.general.v4address }}
+{% if helpers.exists('OPNsense.tayga.general.v6address') and OPNsense.tayga.general.v6address != '' %}
 ipv6-addr {{ OPNsense.tayga.general.v6address }}
+{% endif %}
 prefix {{ OPNsense.tayga.general.v6prefix }}
 dynamic-pool {{ OPNsense.tayga.general.v4pool }}
 

From b7497011938f926433082e2ab5b1e7521813b728 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Mar 2020 08:27:10 +0100
Subject: [PATCH 0037/3088] net: style sweep

---
 .../src/etc/inc/plugins.inc.d/pfplugin.inc     | 18 +++++++++---------
 .../OPNsense/Firewall/FilterController.php     |  1 -
 .../Firewall/FieldTypes/FilterRuleField.php    |  6 ++++--
 .../app/models/OPNsense/Firewall/Filter.php    |  8 ++++----
 .../mvc/app/models/OPNsense/Tayga/General.xml  |  2 +-
 5 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
index a9c1948066..8f68a6b131 100644
--- a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
+++ b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
@@ -30,12 +30,12 @@
  /**
   * @param $fw
   */
- function pfplugin_firewall($fw)
- {
-     $mdlFilter = new OPNsense\Firewall\Filter();
-     foreach ($mdlFilter->rules->rule->sortedBy(["sequence"]) as $key => $rule) {
-          $content = $rule->serialize();
-          $content["#ref"] = "ui/firewall/filter#" . (string)$rule->getAttributes()['uuid'];
-          $fw->registerFilterRule($rule->getPriority(), $content);
-     }
- }
+function pfplugin_firewall($fw)
+{
+    $mdlFilter = new OPNsense\Firewall\Filter();
+    foreach ($mdlFilter->rules->rule->sortedBy(["sequence"]) as $key => $rule) {
+         $content = $rule->serialize();
+         $content["#ref"] = "ui/firewall/filter#" . (string)$rule->getAttributes()['uuid'];
+         $fw->registerFilterRule($rule->getPriority(), $content);
+    }
+}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
index 789f32a499..a3b711e8f5 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
@@ -27,7 +27,6 @@
  */
 namespace OPNsense\Firewall;
 
-
 class FilterController extends \OPNsense\Base\IndexController
 {
     public function indexAction()
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
index 06afc60f63..e49d452d6e 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
@@ -106,10 +106,12 @@ public function getPriority()
         if (strpos($interface, ",") !== false) {
             // floating (multiple interfaces involved)
             return 1000;
-        } elseif (!empty($configObj->interfaces) &&
+        } elseif (
+            !empty($configObj->interfaces) &&
             !empty($configObj->interfaces->$interface) &&
             !empty($configObj->interfaces->$interface->type) &&
-            $configObj->interfaces->$interface->type == 'group') {
+            $configObj->interfaces->$interface->type == 'group'
+        ) {
             // group type
             return 2000;
         } else {
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index ccaa644ed8..90cf019d95 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -45,18 +45,18 @@ public function performValidation($validateFullModel = false)
         foreach ($this->rules->rule->iterateItems() as $rule) {
             // validate changed rules
             $rule_changed = false;
-            foreach($rule->iterateItems() as $field) {
+            foreach ($rule->iterateItems() as $field) {
                 $rule_changed = $rule_changed ? $rule_changed : $field->isFieldChanged();
             }
             if ($validateFullModel || $rule_changed) {
                 // port / protocol validation
-                if (!empty((string)$rule->source_port) && !in_array( $rule->protocol, ['TCP', 'UDP'])) {
+                if (!empty((string)$rule->source_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
                     $messages->appendMessage(new Message(
                         gettext("Source ports are only valid for tcp or udp type rules."),
                         $rule->source_port->__reference
                     ));
                 }
-                if (!empty((string)$rule->destination_port) && !in_array( $rule->protocol, ['TCP', 'UDP'])) {
+                if (!empty((string)$rule->destination_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
                     $messages->appendMessage(new Message(
                         gettext("Destination ports are only valid for tcp or udp type rules."),
                         $rule->destination_port->__reference
@@ -100,7 +100,7 @@ public function rollback($revision)
                 $sourcedom = dom_import_simplexml($sourcexml->OPNsense->Firewall->FilterRule);
                 $targetxml = Config::getInstance()->object();
                 $targetdom = dom_import_simplexml($targetxml->OPNsense->Firewall->FilterRule);
-                $node = $targetdom->ownerDocument->importNode($sourcedom, TRUE);
+                $node = $targetdom->ownerDocument->importNode($sourcedom, true);
                 $targetdom->parentNode->replaceChild($node, $targetdom);
                 Config::getInstance()->save();
                 return true;
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
index 63fdb0c3dd..8ce7919d6d 100644
--- a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
@@ -21,7 +21,7 @@
         <v6destination type="NetworkField">
             <default>2001:db8:1:ffff::1</default>
             <Required>Y</Required>
-        </v6destination>        
+        </v6destination>
         <v6prefix type="NetworkField">
             <default>2001:db8:1:ffff::/96</default>
             <Required>Y</Required>

From 5ec04f9e54b6e4413983a50b561943ee122ae410 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 13 Mar 2020 16:54:23 +0100
Subject: [PATCH 0038/3088] os-firewall: fix typo in
 https://github.com/opnsense/plugins/issues/1720 leading to missing
 destination ports

---
 .../app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
index e49d452d6e..70996125ed 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
@@ -80,7 +80,7 @@ public function serialize()
             if (!empty((string)$this->destination_not)) {
                 $result['destination']['not'] = true;
             }
-            if (!empty((string)$this->source_port)) {
+            if (!empty((string)$this->destination_port)) {
                 $result['destination']['port'] = (string)$this->destination_port;
             }
         }

From a5ecf3c098aa04c118f23f151756afef0e1e0bef Mon Sep 17 00:00:00 2001
From: Mikael Falkvidd <github@mjo.se>
Date: Mon, 16 Mar 2020 10:38:02 +0100
Subject: [PATCH 0039/3088] net/wol: add validation message + support for
 uppercase hex (#1741)

---
 net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
index 544b6c147f..d4fb195305 100644
--- a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
+++ b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
@@ -15,8 +15,9 @@
         <mac type="TextField">
             <Required>Y</Required>
             <multiple>N</multiple>
-            <mask>/^((?:[a-f0-9]{2}:){5}(?:[a-f0-9]{2}))$/</mask>
+            <mask>/^((?:[a-fA-F0-9]{2}:){5}(?:[a-fA-F0-9]{2}))$/</mask>
             <default>00:00:00:00:00:00</default>
+            <ValidationMessage>Should be 6 groups of 2 hex characters (a-fA-F0-9) separated by ':'</ValidationMessage>
         </mac>
         <descr type="TextField">
             <Required>N</Required>

From 4e1c83bf8fe78bdb4e24edf58f4b9a559da88079 Mon Sep 17 00:00:00 2001
From: Kyle <KYLE-HILL@users.noreply.github.com>
Date: Tue, 17 Mar 2020 23:36:44 -0500
Subject: [PATCH 0040/3088] Update Github  Link to Reflect Repo rename

Updated Github Web Link to Reflect Github Repository rebrand/rename from: https://github.com/Neilpang/acme.sh to https://github.com/acmesh-official/acme.sh
---
 security/acme-client/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f99ecd5da6..78dc22cf21 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -3,4 +3,4 @@ acme.sh project.  Acording to the authors, it's probably "the easiest
 and smallest and smartest shell script" to automatically issue and renew
 the free certificates from Let's Encrypt.
 
-WWW: https://github.com/Neilpang/acme.sh
+WWW: https://github.com/acmesh-official/acme.sh

From 25a124a8f1091386e7ff89d914b1df0c41f10eb4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Mar 2020 07:45:52 +0100
Subject: [PATCH 0041/3088] net/firewall: prep for first dev release

---
 net/firewall/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 3f314e675d..bf15b18205 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,6 +1,7 @@
 PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		0.1
-PLUGIN_COMMENT=	    Firewall API supplemental package
+PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_DEVEL=		yes
 
 .include "../../Mk/plugins.mk"

From 15b5864828dcb54a3afdfdf61bef54fba9ea65c1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Mar 2020 08:04:24 +0100
Subject: [PATCH 0042/3088] security/acme-client: bump revision for minor
 release

---
 security/acme-client/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index d3fbada38b..86732ea088 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		1.29
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From a91c65f2fe4bdb6beeb5b44e27e0dfaa110ada75 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Mar 2020 08:11:52 +0100
Subject: [PATCH 0043/3088] net/wol: bump revision

---
 net/wol/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index 87e6d0c593..e4184ba927 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wol
 PLUGIN_VERSION=		2.2
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 3254979038832f742d35b2a9ccb9e34ed92ff2eb Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 18 Mar 2020 19:43:35 +0100
Subject: [PATCH 0044/3088] www/nginx: add NAXSI rule ID to volt  (#1737)

* Update Makefile
* Update pkg-descr
* Update SettingsController.php
* Update index.volt
---
 www/nginx/Makefile                                            | 2 +-
 www/nginx/pkg-descr                                           | 4 ++++
 .../app/controllers/OPNsense/Nginx/Api/SettingsController.php | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt      | 1 +
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 283a6d312f..ae386bc6cb 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.18
+PLUGIN_VERSION=		1.19
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 6855dab0ca..a23083ed2a 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -8,6 +8,10 @@ reuse, SSL offload and HTTP media streaming.
 Plugin Changelog
 ================
 
+1.19
+
+* Display NAXSI rule ID in volt
+
 1.18
 
 * Add proxy header for CloudFlare
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index ffaf56d35f..4bec574e9e 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -266,7 +266,7 @@ public function setstreamserverAction($uuid)
     // naxsi rules
     public function searchnaxsiruleAction()
     {
-        return $this->searchBase('naxsi_rule', array('description', 'ruletype', 'message'));
+        return $this->searchBase('naxsi_rule', array('description', 'identifier', 'ruletype', 'message'));
     }
 
     public function getnaxsiruleAction($uuid = null)
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index e95fbaf3d1..b46e20485d 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -439,6 +439,7 @@
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
                     <th data-column-id="ruletype" data-type="boolean" data-sortable="true" data-visible="true">{{ lang._('Rule Type') }}</th>
+                    <th data-column-id="identifier" data-type="string" data-sortable="true" data-visible="true">{{ lang._('ID') }}</th>
                     <th data-column-id="message" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Message') }}</th>
                     <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>

From b706df5e97a66a6629e8566a1ce88f22bc9c94ea Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 19 Mar 2020 11:05:26 +0100
Subject: [PATCH 0045/3088] dns/bind: update plugin to version 9.16 (#1746)

---
 dns/bind/Makefile  | 4 ++--
 dns/bind/pkg-descr | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 3b6ed1adc2..0cf5b7689e 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.12
+PLUGIN_VERSION=		1.13
 PLUGIN_COMMENT=		BIND domain name service
-PLUGIN_DEPENDS=		bind914
+PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index bb0f46fb27..99d74dce55 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.13
+
+* Update BIND to 9.16
+
 1.12
 
 * Add checkbox to disable prefetch option

From 0186f548f8d116ce171179f602a659cd14211ae4 Mon Sep 17 00:00:00 2001
From: Fabian Franz BSc <fabianfrz@users.noreply.github.com>
Date: Sun, 22 Mar 2020 11:02:45 +0100
Subject: [PATCH 0046/3088] www/nginx: SNI proxying (#1747)

---
 www/nginx/pkg-descr                                      | 1 +
 .../app/controllers/OPNsense/Nginx/forms/location.xml    | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml | 6 +++++-
 .../service/templates/OPNsense/Nginx/location.conf       | 9 +++++++--
 4 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index a23083ed2a..71fe052e54 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,7 @@ Plugin Changelog
 
 1.19
 
+* Add possibility to configure SNI proxying.
 * Display NAXSI rule ID in volt
 
 1.18
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index b4b76dd605..05adce9381 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -242,6 +242,13 @@
     <advanced>true</advanced>
     <help>Enter a custom timout between data received from the client after which the connection is closed.</help>
   </field>
+  <field>
+    <id>location.proxy_ssl_server_name</id>
+    <label>TLS SNI Forwarding</label>
+    <type>checkbox</type>
+    <advanced>true</advanced>
+    <help>Check this box, if you want the client SNI header to be used instead of your backend hostname. This settings overrides the configured hostname in the upstream configuration.</help>
+  </field>
   <field>
     <id>location.proxy_buffer_size</id>
     <label>Proxy Buffer Size (kB)</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 06a471a39b..f81fbcdcf6 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.17.0</version>
+  <version>1.19.0</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -460,6 +460,10 @@
         <Required>N</Required>
         <MinimumValue>0</MinimumValue>
       </proxy_max_temp_file_size>
+      <proxy_ssl_server_name type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </proxy_ssl_server_name>
     </location>
 
     <custom_policy type="ArrayField">
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 197cde8ceb..b4482c5370 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -174,9 +174,14 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
     proxy_ssl_certificate /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.pem;
 {%     endif %}
-{%     if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
+{%     if location.proxy_ssl_server_name is defined and location.proxy_ssl_server_name == '1' %}
+    proxy_ssl_server_name on;
+{%     else %}
+    proxy_ssl_server_name off;
+{%         if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
     proxy_ssl_name {{ upstream.tls_name_override }};
-{%     endif %}
+{%         endif %}
+{%     endif%}
 {%     if upstream.tls_protocol_versions is defined and upstream.tls_protocol_versions != '' %}
     proxy_ssl_protocols {{ upstream.tls_protocol_versions.replace(',', ' ') }};
 {%     endif %}

From f9e8a166d736be45bcd3d992f54118ad05580109 Mon Sep 17 00:00:00 2001
From: Johann Richard <189003+johannrichard@users.noreply.github.com>
Date: Sun, 22 Mar 2020 19:51:53 +0100
Subject: [PATCH 0047/3088] Add usernames for admin and monitor users to help

Add the correct usernames for the two users with `admin` and `monitoring` rights in the help text.
---
 .../mvc/app/controllers/OPNsense/Nut/forms/settings.xml       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
index d581b2c179..444cb42a59 100644
--- a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
+++ b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
@@ -33,13 +33,13 @@
                 <id>nut.account.admin_password</id>
                 <label>Admin Password</label>
                 <type>text</type>
-                <help>Set the admin password.</help>
+                <help>Set the password for admin user "admin".</help>
             </field>
             <field>
                 <id>nut.account.mon_password</id>
                 <label>Monitor Password</label>
                 <type>text</type>
-                <help>Set the monitor password.</help>
+                <help>Set the password for monitoring user "monuser".</help>
             </field>
         </subtab>
     </tab>

From 1c952b3f7ca2baae8712fdee0fa23116f9fe6676 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 25 Mar 2020 15:14:08 +0100
Subject: [PATCH 0048/3088] os-firewall: move mountpoint for
 https://github.com/opnsense/plugins/issues/1749

It's probably better to keep (filter)rules and source nat rules combined, so we can stick to the same rollback pattern and guarantee a consistent set when performing a rollback.
---
 .../app/models/OPNsense/Firewall/Filter.xml   |  4 +-
 .../OPNsense/Firewall/Migrations/MFP1_0_0.php | 57 +++++++++++++++++++
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 3e4ac83737..378926025b 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -1,5 +1,7 @@
 <model>
-    <mount>//OPNsense/Firewall/FilterRule</mount>
+    <mount>//OPNsense/Firewall/Filter</mount>
+    <version>1.0.0</version>
+    <migration_prefix>MFP</migration_prefix>
     <description>
         OPNsense firewall filter rules
     </description>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
new file mode 100644
index 0000000000..d6118f1e51
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
@@ -0,0 +1,57 @@
+<?php
+
+/**
+ *    Copyright (C) 2020 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Firewall\Migrations;
+
+use OPNsense\Core\Config;
+use OPNsense\Base\BaseModelMigration;
+
+class MFP1_0_0 extends BaseModelMigration
+{
+    public function post($model)
+    {
+        // Move OPNsense->Firewall->FilterRule ---> OPNsense->Firewall->Filter
+        $cfgObj = Config::getInstance()->object();
+        if (!empty($cfgObj->OPNsense) && !empty($cfgObj->OPNsense->Firewall)
+                && !empty($cfgObj->OPNsense->Firewall->FilterRule)) {
+            // model migration created a new, empty rules section
+            if (empty($cfgObj->OPNsense->Firewall->Filter->rules)) {
+                unset($cfgObj->OPNsense->Firewall->Filter->rules);
+                $targetdom = dom_import_simplexml($cfgObj->OPNsense->Firewall->Filter);
+                foreach ($cfgObj->OPNsense->Firewall->FilterRule->children() as $child) {
+                    $sourcedom = dom_import_simplexml($child);
+                    $targetdom->appendChild($sourcedom);
+                }
+                unset($cfgObj->OPNsense->Firewall->FilterRule);
+                Config::getInstance()->save();
+            }
+        }
+    }
+}
\ No newline at end of file

From 53ac1c7e60c2ae66ab668a285efb5914e56ee10c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Mar 2020 09:50:23 +0100
Subject: [PATCH 0049/3088] dns/unbound-plus: ready for release

---
 dns/unbound-plus/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/unbound-plus/Makefile b/dns/unbound-plus/Makefile
index 1d12ddf601..e49cf95d91 100644
--- a/dns/unbound-plus/Makefile
+++ b/dns/unbound-plus/Makefile
@@ -1,7 +1,6 @@
 PLUGIN_NAME=		unbound-plus
-PLUGIN_VERSION=		0.5
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Unbound additions
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_DEVEL=		yes
 
 .include "../../Mk/plugins.mk"

From 5e760e16960159d9d8943bc87b65d278031a4647 Mon Sep 17 00:00:00 2001
From: Bjorn Peeters <tech@peeters.io>
Date: Sat, 28 Mar 2020 12:54:40 +0100
Subject: [PATCH 0050/3088] letsencrypt/upload_sftp

add export of fullchain.pem
---
 .../opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php   | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index 70c62cdf72..8f3a80a74a 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -66,7 +66,7 @@
         "options" => [
             "host::", "port::", "host-key::", "user::", "identity-type::", "remote-path::",
             "certificates::", "files::", "chgrp::", "chmod::", "chmod-key::",
-            "cert-name::", "key-name::", "ca-name::"],
+            "cert-name::", "key-name::", "ca-name::", "fullchain-name::"],
         "implementation" => "commandUpload",
         "default" => true,
     ],
@@ -119,6 +119,8 @@
     "cert" => ["default" => "{{name}}/cert.pem", "option" => "cert-name"],
     "key" => ["default" => "{{name}}/key.pem", "option" => "key-name"],
     "ca" => ["default" => "{{name}}/ca.pem", "option" => "ca-name"],
+    "fullchain" => ["default" => "{{name}}/fullchain.pem", "option" => "fullchain-name"],
+
 ];
 
 // Exit codes
@@ -420,6 +422,7 @@ function getOptionsById($automation_id, $silent = false)
                 "cert-name" => trim((string)$action->sftp_filename_cert),
                 "key-name" => trim((string)$action->sftp_filename_key),
                 "ca-name" => trim((string)$action->sftp_filename_ca),
+                "fullchain-name" => trim((string)$action->sftp_filename_fullchain),
                 "certificates" => "", // defaults to all (= empty), may be overridden via CLI
             ];
         } elseif (!$silent) {
@@ -582,6 +585,8 @@ function exportCertificates(array $cert_refids)
             if (!empty((string)$cert->caref)) {
                 $cert = (array)$cert;
                 $item["ca"] = ca_chain($cert);
+            // combine files to export a fullchain.pem
+                $item["fullchain"] = $item["cert"].$item["ca"];
             }
             $result[$refid] = $item;
         }

From 05a4ff8a0c6dd9d8ebbe720668bf318e02305ea0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 30 Mar 2020 13:00:00 +0200
Subject: [PATCH 0051/3088] security/acme-client: style fixes, refs #1753

---
 .../src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index 8f3a80a74a..b18596edc4 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -585,8 +585,8 @@ function exportCertificates(array $cert_refids)
             if (!empty((string)$cert->caref)) {
                 $cert = (array)$cert;
                 $item["ca"] = ca_chain($cert);
-            // combine files to export a fullchain.pem
-                $item["fullchain"] = $item["cert"].$item["ca"];
+                // combine files to export a fullchain.pem
+                $item["fullchain"] = $item["cert"] . $item["ca"];
             }
             $result[$refid] = $item;
         }

From f1042b463bade3290dbb7e0e3eaf25227e58c1c8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 30 Mar 2020 13:00:29 +0200
Subject: [PATCH 0052/3088] security/acme-client: bump bersion

---
 security/acme-client/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 86732ea088..b7b4b5cf0f 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		1.29
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.30
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From df5934d4d29b42a44f6b7026d9c743c67961a0c0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 30 Mar 2020 14:24:17 +0200
Subject: [PATCH 0053/3088] net/haproxy: override "graceful" restart if
 required, fixes #1745

---
 .../src/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh    | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh
index 3ade2075d4..017581fc6c 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh
@@ -19,6 +19,13 @@ reload)
         rcprefix="hard"
     fi
     ;;
+restart)
+    # The RC script always performs a "graceful" stop when using the
+    # "restart" command. This behaviour cannot be altered. So we have to
+    # manually perform a "hardstop" now.
+    if [ "${haproxy_hardstop}" == "YES" ]; then
+        /usr/local/etc/rc.d/haproxy hardstop
+    fi
 esac
 
 /usr/local/etc/rc.d/haproxy ${rcprefix}${1}

From 78bf26c045f7e092dd2c9338cba1745e84c6c3e2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 30 Mar 2020 14:35:50 +0200
Subject: [PATCH 0054/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 2ed4ea9f88..eee2f29f11 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		2.20
+PLUGIN_VERSION=		2.21
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 98362e395ed0769a5278a5324ab763073bde3c9e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Mar 2020 15:20:05 +0200
Subject: [PATCH 0055/3088] net/tayga: ready for release

---
 net/tayga/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index f57fd502f9..b499deb846 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tayga
-PLUGIN_VERSION=		0.2
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Tayga IPv6 64NAT
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From cbd04067d127b8ad6b2b5dfe97bf6972e1155b4a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Mar 2020 15:28:35 +0200
Subject: [PATCH 0056/3088] net/firewall: whitespace sweep

---
 .../mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
index d6118f1e51..d3db9e86f2 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
@@ -54,4 +54,4 @@ public function post($model)
             }
         }
     }
-}
\ No newline at end of file
+}

From 13978ece6478442f7b2da76c1080492034bbdec7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 30 Mar 2020 19:00:01 +0200
Subject: [PATCH 0057/3088] os-firewall: initial wireframe for
 https://github.com/opnsense/plugins/issues/1749

- reuse filter template, link endpoint to selected controller (filter/snat)
- push shared code to FilterBaseController
---
 .../Firewall/Api/FilterBaseController.php     | 99 +++++++++++++++++++
 .../Firewall/Api/FilterController.php         | 65 +-----------
 .../Firewall/Api/SourceNatController.php      | 62 ++++++++++++
 .../OPNsense/Firewall/FilterController.php    |  1 +
 .../OPNsense/Firewall/SourceNatController.php | 38 +++++++
 .../Firewall/forms/dialogSNatRule.xml         | 88 +++++++++++++++++
 .../app/models/OPNsense/Firewall/ACL/ACL.xml  |  7 ++
 .../app/models/OPNsense/Firewall/Filter.xml   | 75 ++++++++++++++
 .../models/OPNsense/Firewall/Menu/Menu.xml    |  3 +
 .../app/views/OPNsense/Firewall/filter.volt   | 20 ++--
 10 files changed, 384 insertions(+), 74 deletions(-)
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
new file mode 100644
index 0000000000..d939a990d5
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
@@ -0,0 +1,99 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+namespace OPNsense\Firewall\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
+
+/**
+ * Class FilterBaseController implements actions for various types
+ * @package OPNsense\Firewall\Api
+ */
+class FilterBaseController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'filter';
+    protected static $internalModelClass = 'OPNsense\Firewall\Filter';
+
+    public function applyAction($rollback_revision = null)
+    {
+        if ($this->request->isPost()) {
+            if ($rollback_revision != null) {
+                // background rollback timer
+                (new Backend())->configdpRun('pfplugin rollback_timer', [$rollback_revision], true);
+            }
+            return array("status" => (new Backend())->configdRun('filter reload'));
+        } else {
+            return array("status" => "error");
+        }
+    }
+
+    public function cancelRollbackAction($rollback_revision)
+    {
+        if ($this->request->isPost()) {
+            return array(
+                "status" => (new Backend())->configdpRun('pfplugin cancel_rollback', [$rollback_revision])
+            );
+        } else {
+            return array("status" => "error");
+        }
+    }
+
+    public function savepointAction()
+    {
+        if ($this->request->isPost()) {
+            // trigger a save, so we know revision->time matches our running config
+            Config::getInstance()->save();
+            return array(
+                "status" => "ok",
+                "retention" => (string)Config::getInstance()->backupCount(),
+                "revision" => (string)Config::getInstance()->object()->revision->time
+            );
+        } else {
+            return array("status" => "error");
+        }
+    }
+
+    public function revertAction($revision)
+    {
+        if ($this->request->isPost()) {
+            Config::getInstance()->lock();
+            $filename = Config::getInstance()->getBackupFilename($revision);
+            if (!$filename) {
+                Config::getInstance()->unlock();
+                return ["status" => gettext("unknown (or removed) savepoint")];
+            }
+            $this->getModel()->rollback($revision);
+            Config::getInstance()->unlock();
+            (new Backend())->configdRun('filter reload');
+            return ["status" => "ok"];
+        } else {
+            return array("status" => "error");
+        }
+    }
+}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
index 2ab47ee699..28e4151a78 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -27,15 +27,9 @@
  */
 namespace OPNsense\Firewall\Api;
 
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Core\Config;
 
-class FilterController extends ApiMutableModelControllerBase
+class FilterController extends FilterBaseController
 {
-    protected static $internalModelName = 'filter';
-    protected static $internalModelClass = 'OPNsense\Firewall\Filter';
-
     public function searchRuleAction()
     {
         return $this->searchBase("rules.rule", array('enabled', 'sequence', 'description'), "sequence");
@@ -65,61 +59,4 @@ public function toggleRuleAction($uuid, $enabled = null)
     {
         return $this->toggleBase("rules.rule", $uuid, $enabled);
     }
-
-    public function applyAction($rollback_revision = null)
-    {
-        if ($this->request->isPost()) {
-            if ($rollback_revision != null) {
-                // background rollback timer
-                (new Backend())->configdpRun('pfplugin rollback_timer', [$rollback_revision], true);
-            }
-            return array("status" => (new Backend())->configdRun('filter reload'));
-        } else {
-            return array("status" => "error");
-        }
-    }
-
-    public function cancelRollbackAction($rollback_revision)
-    {
-        if ($this->request->isPost()) {
-            return array(
-                "status" => (new Backend())->configdpRun('pfplugin cancel_rollback', [$rollback_revision])
-            );
-        } else {
-            return array("status" => "error");
-        }
-    }
-
-    public function savepointAction()
-    {
-        if ($this->request->isPost()) {
-            // trigger a save, so we know revision->time matches our running config
-            Config::getInstance()->save();
-            return array(
-                "status" => "ok",
-                "retention" => (string)Config::getInstance()->backupCount(),
-                "revision" => (string)Config::getInstance()->object()->revision->time
-            );
-        } else {
-            return array("status" => "error");
-        }
-    }
-
-    public function revertAction($revision)
-    {
-        if ($this->request->isPost()) {
-            Config::getInstance()->lock();
-            $filename = Config::getInstance()->getBackupFilename($revision);
-            if (!$filename) {
-                Config::getInstance()->unlock();
-                return ["status" => gettext("unknown (or removed) savepoint")];
-            }
-            $this->getModel()->rollback($revision);
-            Config::getInstance()->unlock();
-            (new Backend())->configdRun('filter reload');
-            return ["status" => "ok"];
-        } else {
-            return array("status" => "error");
-        }
-    }
 }
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
new file mode 100644
index 0000000000..f55640e989
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
@@ -0,0 +1,62 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+namespace OPNsense\Firewall\Api;
+
+
+class SourceNatController extends FilterBaseController
+{
+    public function searchRuleAction()
+    {
+        return $this->searchBase("snatrules.rule", array('enabled', 'sequence', 'description'), "sequence");
+    }
+
+    public function setRuleAction($uuid)
+    {
+        return $this->setBase("rule", "snatrules.rule", $uuid);
+    }
+
+    public function addRuleAction()
+    {
+        return $this->addBase("rule", "snatrules.rule");
+    }
+
+    public function getRuleAction($uuid = null)
+    {
+        return $this->getBase("rule", "snatrules.rule", $uuid);
+    }
+
+    public function delRuleAction($uuid)
+    {
+        return $this->delBase("snatrules.rule", $uuid);
+    }
+
+    public function toggleRuleAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("snatrules.rule", $uuid, $enabled);
+    }
+}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
index a3b711e8f5..74c0479b3b 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
@@ -32,6 +32,7 @@ class FilterController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->pick('OPNsense/Firewall/filter');
+        $this->view->ruleController = "filter";
         $this->view->formDialogFilterRule = $this->getForm("dialogFilterRule");
     }
 }
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
new file mode 100644
index 0000000000..5b5927a064
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+namespace OPNsense\Firewall;
+
+class SourceNatController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Firewall/filter');
+        $this->view->ruleController = "source_nat";
+        $this->view->formDialogFilterRule = $this->getForm("dialogSNatRule");
+    }
+}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
new file mode 100644
index 0000000000..48e1b9a5f1
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
@@ -0,0 +1,88 @@
+<form>
+    <field>
+        <id>rule.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help>Enable this rule</help>
+    </field>
+    <field>
+        <id>rule.sequence</id>
+        <label>Sequence</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.interface</id>
+        <label>Interface</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>rule.ipprotocol</id>
+        <label>TCP/IP Version</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>rule.protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>rule.source_net</id>
+        <label>Source</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.source_port</id>
+        <label>Source port</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Source port number or well known name (imap, imaps, http, https, ...), for ranges use a dash</help>
+    </field>
+    <field>
+        <id>rule.source_not</id>
+        <label>Source / Invert</label>
+        <type>checkbox</type>
+        <help>Use this option to invert the sense of the match.</help>
+    </field>
+    <field>
+        <id>rule.destination_net</id>
+        <label>Destination</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.destination_not</id>
+        <label>Destination / Invert</label>
+        <type>checkbox</type>
+        <help>Use this option to invert the sense of the match.</help>
+    </field>
+    <field>
+        <id>rule.destination_port</id>
+        <label>Destination port</label>
+        <type>text</type>
+        <help>Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash</help>
+    </field>
+    <field>
+        <id>rule.target</id>
+        <label>Translation / target</label>
+        <type>text</type>
+        <help>
+            Packets matching this rule will be mapped to the IP address given here.
+        </help>
+    </field>
+    <field>
+        <id>rule.target_port</id>
+        <label>Translation port</label>
+        <type>text</type>
+        <help>Destination port number or well known name (imap, imaps, http, https, ...)</help>
+    </field>
+    <field>
+        <id>rule.log</id>
+        <label>Log</label>
+        <type>checkbox</type>
+        <help>Log packets that are handled by this rule</help>
+    </field>
+    <field>
+        <id>rule.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+</form>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
index e063715bdf..070ce99e95 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
@@ -6,4 +6,11 @@
             <pattern>api/firewall/filter/*</pattern>
         </patterns>
     </page-filter-api>
+    <page-filter-snat-api>
+        <name>Firewall: SourceNat: API</name>
+        <patterns>
+            <pattern>ui/firewall/source_nat/*</pattern>
+            <pattern>api/firewall/source_nat/*</pattern>
+        </patterns>
+    </page-filter-snat-api>
 </acl>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 378926025b..a9961b45a0 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -106,5 +106,80 @@
                 </description>
             </rule>
         </rules>
+        <snatrules>
+            <rule type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <sequence type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>99999</MaximumValue>
+                    <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
+                    <Required>Y</Required>
+                    <default>1</default>
+                </sequence>
+                <interface type="InterfaceField">
+                    <Required>Y</Required>
+                    <default>lan</default>
+                    <AllowDynamic>Y</AllowDynamic>
+                </interface>
+                <ipprotocol type="OptionField">
+                    <Required>Y</Required>
+                    <default>inet</default>
+                    <OptionValues>
+                        <inet>IPv4</inet>
+                        <inet6>IPv6</inet6>
+                    </OptionValues>
+                </ipprotocol>
+                <protocol type="ProtocolField">
+                    <Required>Y</Required>
+                    <default>any</default>
+                </protocol>
+                <source_net type="NetworkAliasField">
+                    <default>any</default>
+                    <Required>Y</Required>
+                </source_net>
+                <source_not type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </source_not>
+                <source_port type="PortField">
+                    <Required>N</Required>
+                    <EnableWellKnown>Y</EnableWellKnown>
+                    <EnableRanges>Y</EnableRanges>
+                </source_port>
+                <destination_net type="NetworkAliasField">
+                    <default>any</default>
+                    <Required>Y</Required>
+                </destination_net>
+                <destination_not type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </destination_not>
+                <destination_port type="PortField">
+                    <Required>N</Required>
+                    <EnableWellKnown>Y</EnableWellKnown>
+                    <EnableRanges>Y</EnableRanges>
+                </destination_port>
+                <target type="NetworkAliasField">
+                    <default>wanip</default>
+                    <Required>Y</Required>
+                </target>
+                <target_port type="PortField">
+                    <Required>N</Required>
+                    <EnableWellKnown>Y</EnableWellKnown>
+                </target_port>
+                <log type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </log>
+                <description type="TextField">
+                    <Required>N</Required>
+                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
+                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
+                </description>
+            </rule>
+        </snatrules>
     </items>
 </model>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
index 3667041201..a551652542 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
@@ -4,6 +4,9 @@
             <Filter order="50" url="/ui/firewall/filter/">
                 <FilterRef url="/ui/firewall/filter#*"/>
             </Filter>
+            <SourceNat order="100" VisibleName="Source NAT" url="/ui/firewall/source_nat/">
+                <FilterRef url="/ui/firewall/source_nat#*"/>
+            </SourceNat>
         </Automation>
     </Firewall>
 </menu>
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index b498372440..567eff3362 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -2,12 +2,12 @@
     $( document ).ready(function() {
         let initial_load = true;
         let grid = $("#grid-rules").UIBootgrid({
-            search:'/api/firewall/filter/searchRule/',
-            get:'/api/firewall/filter/getRule/',
-            set:'/api/firewall/filter/setRule/',
-            add:'/api/firewall/filter/addRule/',
-            del:'/api/firewall/filter/delRule/',
-            toggle:'/api/firewall/filter/toggleRule/'
+            search:'/api/firewall/{{ruleController}}/searchRule/',
+            get:'/api/firewall/{{ruleController}}/getRule/',
+            set:'/api/firewall/{{ruleController}}/setRule/',
+            add:'/api/firewall/{{ruleController}}/addRule/',
+            del:'/api/firewall/{{ruleController}}/delRule/',
+            toggle:'/api/firewall/{{ruleController}}/toggleRule/'
         });
 
         // open edit dialog when opened with a uuid reference
@@ -44,7 +44,7 @@
                     label: "{{ lang._('Revert') }}",
                     cssClass: 'btn-primary',
                     action: function(dialogRef) {
-                        ajaxCall("/api/firewall/filter/revert/" + $("#revertToTime").val(), {}, function (data, status) {
+                        ajaxCall("/api/firewall/{{ruleController}}/revert/" + $("#revertToTime").val(), {}, function (data, status) {
                             if (data.status !== "ok") {
                                 $("#revertToTime").parent().addClass("has-error");
                                 $("#revertToTimeError").html(data.status);
@@ -71,7 +71,7 @@
 </ul>
 <div class="tab-content content-box">
     <div id="rules" class="tab-pane fade in active">
-        <!-- tab page "filter rules" -->
+        <!-- tab page "rules" -->
         <table id="grid-rules" class="table table-condensed table-hover table-striped" data-editDialog="DialogFilterRule" data-editAlert="FilterRuleChangeMessage">
             <thead>
                 <tr>
@@ -100,7 +100,7 @@
         </div>
         <hr/>
         <button class="btn btn-primary" id="reconfigureAct"
-                data-endpoint='/api/firewall/filter/apply'
+                data-endpoint='/api/firewall/{{ruleController}}/apply'
                 data-label="{{ lang._('Apply') }}"
                 data-error-title="{{ lang._('Filter load error') }}"
                 type="button"
@@ -108,7 +108,7 @@
 
         <div class="pull-right">
             <button class="btn" id="savepointAct"
-                    data-endpoint='/api/firewall/filter/savepoint'
+                    data-endpoint='/api/firewall/{{ruleController}}/savepoint'
                     data-label="{{ lang._('Savepoint') }}"
                     data-error-title="{{ lang._('snapshot error') }}"
                     type="button"

From 00092f3154a3b50a4ccc4fac4d01799d8af8c073 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 31 Mar 2020 10:20:26 +0200
Subject: [PATCH 0058/3088] net/firewall: ch-ch-changes, turn and face the
 strange...

---
 net/firewall/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index bf15b18205..5898e58862 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		0.2
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEVEL=		yes

From 754be3be83a48f85d88568a78d2436b779dacbbb Mon Sep 17 00:00:00 2001
From: "D. Domig" <x@jokay.ch>
Date: Tue, 31 Mar 2020 09:18:30 +0200
Subject: [PATCH 0059/3088] Fix typo

---
 .../mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
index 93c370f17a..46df7feb72 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
@@ -31,7 +31,7 @@
     </field>
     <field>
         <id>general.versionoid</id>
-        <label>Display Verion in OID</label>
+        <label>Display Version in OID</label>
         <type>checkbox</type>
         <help>This let you fetch the current installed version via .1.3.6.1.4.1.8072.1.3.2.3.1.2.7.118.101.114.115.105.111.110</help>
     </field>

From 0e77afcfb1d19c40851a7160430c2e30dac04391 Mon Sep 17 00:00:00 2001
From: Petr Kejval <petr.kejval6@gmail.com>
Date: Wed, 1 Apr 2020 20:11:36 +0200
Subject: [PATCH 0060/3088] Fix issue #1759 - dnsbl.py

Fix for https://github.com/opnsense/plugins/issues/1759

* Restrict download timeout to 5 seconds and 2 retries. Parse only if HTTP response status is 200 OK.
* "Whitelist" (exclude) domains which aren't starting with alphanumeric char causing Unbound not to start.
---
 .../opnsense/scripts/OPNsense/Unboundplus/dnsbl.py   | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py b/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
index 054b731491..811a6ebc13 100755
--- a/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
+++ b/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
@@ -86,11 +86,12 @@ def process_url(url):
     print(f"Processing BL items from: {url}")
 
     try:
-        http = urllib3.PoolManager()
-        r = http.request('GET', url)
+        http = urllib3.PoolManager(timeout=5.0)
+        r = http.request('GET', url, retries=2)
 
-        for line in str(r.data).split('\\n'):
-            parse_line(line)
+        if r.status == 200:
+            for line in str(r.data).split('\\n'):
+                parse_line(line)
     except Exception as e:
         print(str(e))
 
@@ -135,7 +136,8 @@ def load_whitelist():
     print("Loading whitelist")
     global re_whitelist
     wl = load_list('/var/unbound/etc/whitelist.inc', ',')
-    wl.add('.*localhost$')
+    wl.add(r'.*localhost$')
+    wl.add(r'^(?![a-zA-Z\d]).*') # Exclude domains NOT starting with alphanumeric char
     print(f"Loaded {len(wl)} whitelist items")
 
     try:

From 693bd6f9d188da428f6b89b3a1db02b3ca770556 Mon Sep 17 00:00:00 2001
From: sjjh <2787214+sjjh@users.noreply.github.com>
Date: Fri, 3 Apr 2020 09:57:22 +0200
Subject: [PATCH 0061/3088] removed typo "upstremModel"

Looks like a typo to me, but please may some once double check that I didn't break anything.
---
 www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt
index 69d8dd58d1..e76b581cc8 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt
@@ -68,12 +68,12 @@
         this.msec.period = time - this.msec.last;
         this.msec.last = time;
     };
-    const UpstremModel = Backbone.Model.extend({
+    const UpstreamModel = Backbone.Model.extend({
         idAttribute: 'uuid'
     });
     const UpstreamCollection = Backbone.Collection.extend({
         url: '/api/nginx/settings/searchupstream',
-        model: UpstremModel,
+        model: UpstreamModel,
         parse: function(response) {
             return response.rows;
         },

From 42158500df147c290a16536ff37dcb9c9fb5679e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 3 Apr 2020 10:56:01 +0200
Subject: [PATCH 0062/3088] os-firewall: add serialize rule logic for 
 https://github.com/opnsense/plugins/issues/1749

---
 .../FieldTypes/SourceNatRuleField.php         | 114 ++++++++++++++++++
 .../app/models/OPNsense/Firewall/Filter.xml   |   2 +-
 2 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
new file mode 100644
index 0000000000..06329f0776
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
@@ -0,0 +1,114 @@
+<?php
+
+/**
+ *    Copyright (C) 2020 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+namespace OPNsense\Firewall\FieldTypes;
+
+use OPNsense\Base\FieldTypes\ArrayField;
+use OPNsense\Base\FieldTypes\ContainerField;
+
+/**
+ * Class SourceNatRuleContainerField
+ * @package OPNsense\Firewall\FieldTypes
+ */
+class SourceNatRuleContainerField extends ContainerField
+{
+    /**
+     * map source nat rules
+     * @return array
+     */
+    public function serialize()
+    {
+        $result = array();
+        $source_mapper = [
+            'enabled' => false,
+            'source_net' => false,
+            'source_not' => false,
+            'source_port' => 'sourceport',
+            'destination_net' => false,
+            'destination_not' => false,
+            'destination_port' => 'dstport',
+            'target_port' => 'natport',
+            'description' => 'descr'
+        ];
+        // 1-on-1 map (with type conversion if needed)
+        foreach ($this->iterateItems() as $key => $node) {
+            $target_fieldname = isset($source_mapper[$key]) ? $source_mapper[$key] : $key;
+            if ($target_fieldname) {
+                if (is_a($node, "OPNsense\\Base\\FieldTypes\\BooleanField")) {
+                    $result[$target_fieldname] = !empty((string)$node);
+                } elseif (is_a($node, "OPNsense\\Base\\FieldTypes\\ProtocolField")) {
+                    if ((string)$node != 'any') {
+                        $result[$target_fieldname] = (string)$node;
+                    }
+                } else {
+                    $result[$target_fieldname] = (string)$node;
+                }
+            }
+        }
+
+        $result['disabled'] = empty((string)$this->enabled);
+        // source / destination mapping, doesn't use port construct like it would for rules.
+        $result['source'] = array();
+        if (!empty((string)$this->source_net)) {
+            $result['source']['network'] = (string)$this->source_net;
+            if (!empty((string)$this->source_not)) {
+                $result['source']['not'] = true;
+            }
+        }
+        $result['destination'] = array();
+        if (!empty((string)$this->destination_net)) {
+            $result['destination']['network'] = (string)$this->destination_net;
+            if (!empty((string)$this->destination_not)) {
+                $result['destination']['not'] = true;
+            }
+        }
+
+        return $result;
+    }
+}
+
+/**
+ * Class SourceNatRuleField
+ * @package OPNsense\Firewall\FieldTypes
+ */
+class SourceNatRuleField extends ArrayField
+{
+    /**
+     * @inheritDoc
+     */
+    public function newContainerField($ref, $tagname)
+    {
+        $container_node = new SourceNatRuleContainerField($ref, $tagname);
+        $parentmodel = $this->getParentModel();
+        $container_node->setParentModel($parentmodel);
+        return $container_node;
+    }
+}
\ No newline at end of file
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index a9961b45a0..c870569f73 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -107,7 +107,7 @@
             </rule>
         </rules>
         <snatrules>
-            <rule type="ArrayField">
+            <rule type=".\SourceNatRuleField">
                 <enabled type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>

From 1a06985c08d2e8ef55d91851b6b75cc64b5b5eec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20Kellerer?= <juergen@k123.eu>
Date: Sat, 4 Apr 2020 21:44:53 +0200
Subject: [PATCH 0063/3088] Applied USER_WHITELIST config syntax change

Fixes the whitelist config feature in maltrail sensor.
USER_WHITELIST was changed from comma separated list to whitelist file in recent maltrail versions.
---
 .../opnsense/service/templates/OPNsense/Maltrail/+TARGETS | 1 +
 .../service/templates/OPNsense/Maltrail/maltrail.conf     | 2 +-
 .../templates/OPNsense/Maltrail/user_whitelist.txt        | 8 ++++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/user_whitelist.txt

diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/+TARGETS b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/+TARGETS
index 66a7ec29d4..41dd65eb15 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/+TARGETS
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/+TARGETS
@@ -1,3 +1,4 @@
 maltrailsensor:/etc/rc.conf.d/opnsense-maltrailsensor
 maltrailserver:/etc/rc.conf.d/opnsense-maltrailserver
 maltrail.conf:/usr/local/share/maltrail/maltrail.conf
+user_whitelist.txt:/usr/local/share/maltrail/misc/user_whitelist.txt
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index 21f6c96b5a..29cbe74f08 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -39,7 +39,7 @@ USE_HEURISTICS false
 {% endif %}
 CHECK_MISSING_HOST false
 {% if helpers.exists('OPNsense.maltrail.general.whitelist') and OPNsense.maltrail.general.whitelist != '' %}
-USER_WHITELIST {{ OPNsense.maltrail.general.whitelist }}
+USER_WHITELIST /usr/local/share/maltrail/misc/user_whitelist.txt
 {% endif %}
 CHECK_HOST_DOMAINS false
 SHOW_DEBUG false
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/user_whitelist.txt b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/user_whitelist.txt
new file mode 100644
index 0000000000..9e8200773e
--- /dev/null
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/user_whitelist.txt
@@ -0,0 +1,8 @@
+#
+# Autogenerated user whitelist (find list-format in "misc/whitelist.txt")
+#
+{% if helpers.exists('OPNsense.maltrail.general.whitelist') and OPNsense.maltrail.general.whitelist != '' %}
+{%   for item in OPNsense.maltrail.general.whitelist.split(',') %}
+{{     item|trim }}
+{%   endfor %}
+{% endif %}

From b8531b77d94b6ce0dee27bf857568a2a2d96fab9 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 5 Apr 2020 21:16:17 +0200
Subject: [PATCH 0064/3088] os-firewall: hook in source nat registration code
 for https://github.com/opnsense/plugins/issues/1749

---
 net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
index 8f68a6b131..cdb25a5de4 100644
--- a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
+++ b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
@@ -38,4 +38,8 @@ function pfplugin_firewall($fw)
          $content["#ref"] = "ui/firewall/filter#" . (string)$rule->getAttributes()['uuid'];
          $fw->registerFilterRule($rule->getPriority(), $content);
     }
+
+    foreach ($mdlFilter->snatrules->rule->sortedBy(["sequence"]) as $key => $rule) {
+         $fw->registerSNatRule(50, $rule->serialize());
+    }
 }

From f00eba92f131268a0cbee84310c32974e2e2c143 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Apr 2020 14:50:01 +0200
Subject: [PATCH 0065/3088] Framework: annotate development-only plugins

PR: https://forum.opnsense.org/index.php?topic=10177.0
---
 Makefile      | 3 ++-
 Mk/plugins.mk | 3 ++-
 README.md     | 6 +++---
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 8e31ab3a0e..cf1ed5acee 100644
--- a/Makefile
+++ b/Makefile
@@ -38,7 +38,8 @@ PLUGIN_DIRS+=	${_${CATEGORY}}
 
 list:
 .for PLUGIN_DIR in ${PLUGIN_DIRS}
-	@echo ${PLUGIN_DIR} -- $$(${MAKE} -C ${PLUGIN_DIR} -V PLUGIN_COMMENT)
+	@echo ${PLUGIN_DIR} -- $$(${MAKE} -C ${PLUGIN_DIR} -V PLUGIN_COMMENT) \
+	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -V PLUGIN_DEVEL _PLUGIN_DEVEL=)" ]; then echo "(development only)"; fi)
 .endfor
 
 # shared targets that are sane to run from the root directory
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index d95dba8ed2..7cb8dea6f1 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -51,7 +51,8 @@ check:
 .  endif
 .endfor
 
-PLUGIN_DEVEL?=		yes
+_PLUGIN_DEVEL?=		yes
+PLUGIN_DEVEL?:=		${_PLUGIN_DEVEL}
 
 PLUGIN_PREFIX?=		os-
 PLUGIN_SUFFIX?=		-devel
diff --git a/README.md b/README.md
index 71e43f862f..514ce14fcf 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ net-mgmt/nrpe -- Execute nagios plugins
 net-mgmt/telegraf -- Agent for collecting metrics and data
 net-mgmt/zabbix-agent -- Zabbix monitoring agent
 net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
-net/firewall -- Firewall API supplemental package
+net/firewall -- Firewall API supplemental package (development only)
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
 net/ftp-proxy -- Control ftp-proxy processes
@@ -82,11 +82,11 @@ security/intrusion-detection-content-pt-open -- IDS PT Research ruleset (only fo
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
 security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
-security/softether -- Cross-platform Multi-protocol VPN Program
+security/softether -- Cross-platform Multi-protocol VPN Program (development only)
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 sysutils/api-backup -- Provide the functionality to download the config.xml
-sysutils/apuled -- PC Engine APU LED control
+sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/boot-delay -- Apply a persistent 10 second boot delay
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices

From 08c86edd9d3d5f1132d480aa41fdf46feda2461d Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 6 Apr 2020 18:16:17 +0200
Subject: [PATCH 0066/3088] security/maltrail: disable alienvault, update
 changelog (#1769)

---
 security/maltrail/Makefile                                   | 2 +-
 security/maltrail/pkg-descr                                  | 5 +++++
 .../service/templates/OPNsense/Maltrail/maltrail.conf        | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index e688bcf70b..85365371a4 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		maltrail
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index c84a0a8efa..e7ef830a11 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -11,6 +11,11 @@ WWW: https://github.com/stamparm/maltrail
 Changelog
 ---------
 
+1.5
+
+* Change whitelisting format (by @jkellerer)
+* Add alienvault to disabled feeds
+
 1.4
 
 * Switch Python to version 3
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index 29cbe74f08..05a193e62e 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -29,7 +29,7 @@ CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
 PROCESS_COUNT $CPU_CORES
 DISABLE_CPU_AFFINITY false
 USE_FEED_UPDATES true
-DISABLED_FEEDS turris, ciarmy, policeman, myip
+DISABLED_FEEDS turris, ciarmy, policeman, myip, alienvault
 UPDATE_PERIOD {{ OPNsense.maltrail.general.updateperiod }}
 USE_SERVER_UPDATE_TRAILS false
 {% if helpers.exists('OPNsense.maltrail.general.heuristics') and OPNsense.maltrail.general.heuristics == '1' %}

From e3f6aad349ab922530931f477ad260800f074e88 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Apr 2020 18:18:36 +0200
Subject: [PATCH 0067/3088] net/firewall: whitespace sweep

---
 .../models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
index 06329f0776..7d7b6df4b9 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
@@ -111,4 +111,4 @@ public function newContainerField($ref, $tagname)
         $container_node->setParentModel($parentmodel);
         return $container_node;
     }
-}
\ No newline at end of file
+}

From f39d5683cf9df6b4070c8fe91365c263bd4d6e26 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 7 Apr 2020 02:29:38 +0200
Subject: [PATCH 0068/3088] Framework: fix standard development annotation (as
 used for package name)

---
 Mk/plugins.mk | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 7cb8dea6f1..bb6942c55a 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -51,8 +51,11 @@ check:
 .  endif
 .endfor
 
-_PLUGIN_DEVEL?=		yes
+.if defined(_PLUGIN_DEVEL)
 PLUGIN_DEVEL?:=		${_PLUGIN_DEVEL}
+.else
+PLUGIN_DEVEL?=		yes
+.endif
 
 PLUGIN_PREFIX?=		os-
 PLUGIN_SUFFIX?=		-devel

From b9aef7223f4a8d880fd7663b12f961db43e735ef Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 6 Apr 2020 08:41:50 +0200
Subject: [PATCH 0069/3088] os-firewall: change FilterBaseController to
 abstract, it shouldn't be possible to call api/firewall/filter_base endpoints
 directly, for https://github.com/opnsense/plugins/issues/1749

---
 .../controllers/OPNsense/Firewall/Api/FilterBaseController.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
index d939a990d5..789ae9a89e 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
@@ -35,7 +35,7 @@
  * Class FilterBaseController implements actions for various types
  * @package OPNsense\Firewall\Api
  */
-class FilterBaseController extends ApiMutableModelControllerBase
+abstract class FilterBaseController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'filter';
     protected static $internalModelClass = 'OPNsense\Firewall\Filter';

From f5021e1e48267d3087a562516d1ec329909e4a87 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 7 Apr 2020 22:26:50 +0200
Subject: [PATCH 0070/3088] os-firewall: support ranges in target port (align
 with src/dst), for https://github.com/opnsense/plugins/issues/1749

---
 .../src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index c870569f73..3fa4cfc8cf 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -169,6 +169,7 @@
                 <target_port type="PortField">
                     <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
+                    <EnableRanges>Y</EnableRanges>
                 </target_port>
                 <log type="BooleanField">
                     <default>0</default>

From daacf6b7ceea4ace8edb20ca66121eddb9328b2d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 8 Apr 2020 11:47:19 +0200
Subject: [PATCH 0071/3088] os-firewall: add cross field validations for
 https://github.com/opnsense/plugins/issues/1749

since filter rules and source nat rules share source and destination constructions, we can easily loop over the types and detect if source nat fields exists when  validating.
---
 .../app/models/OPNsense/Firewall/Filter.php   | 89 +++++++++++--------
 1 file changed, 54 insertions(+), 35 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 90cf019d95..3eff2d05eb 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -42,42 +42,61 @@ public function performValidation($validateFullModel = false)
     {
         // standard model validations
         $messages = parent::performValidation($validateFullModel);
-        foreach ($this->rules->rule->iterateItems() as $rule) {
-            // validate changed rules
-            $rule_changed = false;
-            foreach ($rule->iterateItems() as $field) {
-                $rule_changed = $rule_changed ? $rule_changed : $field->isFieldChanged();
-            }
-            if ($validateFullModel || $rule_changed) {
-                // port / protocol validation
-                if (!empty((string)$rule->source_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
-                    $messages->appendMessage(new Message(
-                        gettext("Source ports are only valid for tcp or udp type rules."),
-                        $rule->source_port->__reference
-                    ));
-                }
-                if (!empty((string)$rule->destination_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
-                    $messages->appendMessage(new Message(
-                        gettext("Destination ports are only valid for tcp or udp type rules."),
-                        $rule->destination_port->__reference
-                    ));
-                }
-                // validate protocol family
-                $dest_is_addr = Util::isSubnet($rule->destination_net) || Util::isIpAddress($rule->destination_net);
-                $dest_proto = strpos($rule->destination_net, ':') === false ? "inet" : "inet6";
-                if ($dest_is_addr && $dest_proto != $rule->ipprotocol) {
-                    $messages->appendMessage(new Message(
-                        gettext("Destination address type should match selected TCP/IP protocol version."),
-                        $rule->destination_net->__reference
-                    ));
+        foreach ([$this->rules->rule, $this->snatrules->rule] as $rules) {
+            foreach ($rules->iterateItems() as $rule) {
+                // validate changed rules
+                $rule_changed = false;
+                foreach ($rule->iterateItems() as $field) {
+                    $rule_changed = $rule_changed ? $rule_changed : $field->isFieldChanged();
                 }
-                $src_is_addr = Util::isSubnet($rule->source_net) || Util::isIpAddress($rule->source_net);
-                $src_proto = strpos($rule->source_net, ':') === false ? "inet" : "inet6";
-                if ($src_is_addr && $src_proto != $rule->ipprotocol) {
-                    $messages->appendMessage(new Message(
-                        gettext("Source address type should match selected TCP/IP protocol version."),
-                        $rule->source_net->__reference
-                    ));
+                if ($validateFullModel || $rule_changed) {
+                    // port / protocol validation
+                    if (!empty((string)$rule->source_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
+                        $messages->appendMessage(new Message(
+                            gettext("Source ports are only valid for tcp or udp type rules."),
+                            $rule->source_port->__reference
+                        ));
+                    }
+                    if (!empty((string)$rule->destination_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
+                        $messages->appendMessage(new Message(
+                            gettext("Destination ports are only valid for tcp or udp type rules."),
+                            $rule->destination_port->__reference
+                        ));
+                    }
+                    // validate protocol family
+                    $dest_is_addr = Util::isSubnet($rule->destination_net) || Util::isIpAddress($rule->destination_net);
+                    $dest_proto = strpos($rule->destination_net, ':') === false ? "inet" : "inet6";
+                    if ($dest_is_addr && $dest_proto != $rule->ipprotocol) {
+                        $messages->appendMessage(new Message(
+                            gettext("Destination address type should match selected TCP/IP protocol version."),
+                            $rule->destination_net->__reference
+                        ));
+                    }
+                    $src_is_addr = Util::isSubnet($rule->source_net) || Util::isIpAddress($rule->source_net);
+                    $src_proto = strpos($rule->source_net, ':') === false ? "inet" : "inet6";
+                    if ($src_is_addr && $src_proto != $rule->ipprotocol) {
+                        $messages->appendMessage(new Message(
+                            gettext("Source address type should match selected TCP/IP protocol version."),
+                            $rule->source_net->__reference
+                        ));
+                    }
+                    // Additional source nat validations
+                    if ($rule->target !== null) {
+                        $target_is_addr = Util::isSubnet($rule->target) || Util::isIpAddress($rule->target);
+                        $target_proto = strpos($rule->target, ':') === false ? "inet" : "inet6";
+                        if ($target_is_addr && $target_proto != $rule->ipprotocol) {
+                            $messages->appendMessage(new Message(
+                                gettext("Target address type should match selected TCP/IP protocol version."),
+                                $rule->target->__reference
+                            ));
+                        }
+                        if (!empty((string)$rule->target_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
+                            $messages->appendMessage(new Message(
+                                gettext("Target ports are only valid for tcp or udp type rules."),
+                                $rule->target_port->__reference
+                            ));
+                        }
+                    }
                 }
             }
         }

From 362edb68ad7fcb1c7c83741b868e997f774623dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20Kellerer?= <juergen@k123.eu>
Date: Sat, 11 Apr 2020 17:36:09 +0200
Subject: [PATCH 0072/3088] security/acme-client: Added fullchain.pem
 filename-template to model & dialog

---
 .../OPNsense/AcmeClient/forms/dialogAction.xml           | 9 +++++++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml    | 6 ++++++
 .../opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php | 1 -
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 5d89e439f2..db41ea6485 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -133,6 +133,15 @@
             Leave blank to use default "{{name}}/ca.pem".</help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>action.sftp_filename_fullchain</id>
+        <label>Naming "fullchain.pem"</label>
+        <type>text</type>
+        <help>Name template for the public certificate fullchain file (cert + ca).
+            Placeholders "{{name}}" and "%s" are replaced by the name of the certificate being uploaded.
+            Leave blank to use default "{{name}}/fullchain.pem".</help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 5cd40331c7..052bdd530a 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -959,6 +959,12 @@
                     <ValidationMessage>Should be a string between 1 and 255 characters.
                                        Characters are limited to [a-z], [0-9] and [{}@./-_%] and the string must neither begin nor end with '/'.</ValidationMessage>
                 </sftp_filename_ca>
+                <sftp_filename_fullchain type="TextField">
+                    <Required>N</Required>
+                    <mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.
+                                       Characters are limited to [a-z], [0-9] and [{}@./-_%] and the string must neither begin nor end with '/'.</ValidationMessage>
+                </sftp_filename_fullchain>
                 <configd type="ConfigdActionsField">
                     <filters>
                         <description>/^(?!.*(Let\'s\ Encrypt|acme|[fF]irmware))([\S\s]{1,255})/</description>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index b18596edc4..ede2859817 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -120,7 +120,6 @@
     "key" => ["default" => "{{name}}/key.pem", "option" => "key-name"],
     "ca" => ["default" => "{{name}}/ca.pem", "option" => "ca-name"],
     "fullchain" => ["default" => "{{name}}/fullchain.pem", "option" => "fullchain-name"],
-
 ];
 
 // Exit codes

From fd6016a9303e4b1821cea72a31ec23576e2b07e6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 21:53:29 +0200
Subject: [PATCH 0073/3088] net/haproxy: fix label of src_sess_cnt, closes
 #1780

---
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index d70ebc8232..e06699a610 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1388,7 +1388,7 @@
                         <src_http_req_cnt>Source IP: number of HTTP requests</src_http_req_cnt>
                         <src_http_req_rate>Source IP: rate of HTTP requests</src_http_req_rate>
                         <!-- <src_inc_gpc0>Source IP: increment the first General Purpose Counter</src_inc_gpc0> -->
-                        <src_sess_cnt>Source IP: cumulative number of connections</src_sess_cnt>
+                        <src_sess_cnt>Source IP: cumulative number of sessions</src_sess_cnt>
                         <src_sess_rate>Source IP: session rate</src_sess_rate>
                         <nbsrv>Minimum number of usable servers in backend</nbsrv>
                         <traffic_is_http>Traffic is HTTP</traffic_is_http>

From edf3633b9467ea83b17bb8b0d3bf4a33e212a5b3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 22:08:42 +0200
Subject: [PATCH 0074/3088] securiy/acme-client: add support for SchlundTech,
 closes #1728

---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 21 ++++++++++++-------
 .../OPNsense/AcmeClient/certhelper.php        |  4 ++++
 3 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index b0f82aada1..4174763c9f 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1019,4 +1019,19 @@
         <type>password</type>
         <help>You need to obtain your API key from variomedia's customer support.</help>
     </field>
+    <field>
+        <label>SchlundTech</label>
+        <type>header</type>
+        <style>table_dns table_dns_schlundtech</style>
+    </field>
+    <field>
+        <id>validation.dns_schlundtech_user</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_schlundtech_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 052bdd530a..6e2c500410 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -405,6 +405,7 @@
                         <dns_ovh>OVH, kimsufi, soyoustart and runabove API</dns_ovh>
                         <dns_pdns>PowerDNS.com API</dns_pdns>
                         <dns_pleskxml>Plesk XML API</dns_pleskxml>
+                        <dns_schlundtech>SchlundTech</dns_schlundtech>
                         <dns_selectel>selectel.com / selectel.ru domain API</dns_selectel>
                         <dns_servercow>Servercow API v1</dns_servercow>
                         <dns_unoeuro>UnoEuro API</dns_unoeuro>
@@ -827,26 +828,32 @@
                     <Required>N</Required>
                 </dns_zm_key>
                 <dns_gdnsdk_user type="TextField">
-                   <Required>N</Required>
+                    <Required>N</Required>
                 </dns_gdnsdk_user>
                 <dns_gdnsdk_password type="TextField">
-                   <Required>N</Required>
+                    <Required>N</Required>
                 </dns_gdnsdk_password>
                 <dns_acmedns_user type="TextField">
-                   <Required>N</Required>
+                    <Required>N</Required>
                 </dns_acmedns_user>
                 <dns_acmedns_password type="TextField">
-                   <Required>N</Required>
+                    <Required>N</Required>
                 </dns_acmedns_password>
                 <dns_acmedns_subdomain type="TextField">
-                   <Required>N</Required>
+                    <Required>N</Required>
                 </dns_acmedns_subdomain>
                 <dns_acmedns_updateurl type="TextField">
-                   <Required>N</Required>
+                    <Required>N</Required>
                 </dns_acmedns_updateurl>
                 <dns_variomedia_key type="TextField">
-                   <Required>N</Required>
+                    <Required>N</Required>
                 </dns_variomedia_key>
+                <dns_schlundtech_user type="TextField">
+                    <Required>N</Required>
+                </dns_schlundtech_user>
+                <dns_schlundtech_password type="TextField">
+                    <Required>N</Required>
+                </dns_schlundtech_password>
             </validation>
         </validations>
         <actions>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index 9101fd6395..d6704a42ef 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -909,6 +909,10 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['pleskxml_pass'] = (string)$valObj->dns_pleskxml_pass;
                 $proc_env['pleskxml_uri'] = (string)$valObj->dns_pleskxml_uri;
                 break;
+            case 'dns_schlundtech':
+                $proc_env['SCHLUNDTECH_USER'] = (string)$valObj->dns_schlundtech_user;
+                $proc_env['SCHLUNDTECH_PASSWORD'] = (string)$valObj->dns_schlundtech_password;
+                break;
             case 'dns_selectel':
                 $proc_env['SL_Key'] = (string)$valObj->dns_sl_key;
                 break;

From b539d1ff7546b06ad57358a0ccda9f4ad8038d03 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 22:20:46 +0200
Subject: [PATCH 0075/3088] securiy/acme-client: add support for EUserv, closes
 #1779

---
 .../AcmeClient/forms/dialogValidation.xml         | 15 +++++++++++++++
 .../app/models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++++++
 .../scripts/OPNsense/AcmeClient/certhelper.php    |  4 ++++
 3 files changed, 26 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 4174763c9f..a037b8e004 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1034,4 +1034,19 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>EUserv</label>
+        <type>header</type>
+        <style>table_dns table_dns_euserv</style>
+    </field>
+    <field>
+        <id>validation.dns_euserv_user</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_euserv_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 6e2c500410..bb1fb209aa 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -378,6 +378,7 @@
                         <dns_duckdns>DuckDNS API</dns_duckdns>
                         <dns_dyn>Dyn Managed DNS API</dns_dyn>
                         <dns_dynu>Dynu API</dns_dynu>
+                        <dns_euserv>EUserv</dns_euserv>
                         <dns_freedns>FreeDNS API</dns_freedns>
                         <dns_gandi_livedns>Gandi LiveDNS API</dns_gandi_livedns>
                         <dns_gd>GoDaddy.com API</dns_gd>
@@ -854,6 +855,12 @@
                 <dns_schlundtech_password type="TextField">
                     <Required>N</Required>
                 </dns_schlundtech_password>
+                <dns_euserv_user type="TextField">
+                    <Required>N</Required>
+                </dns_euserv_user>
+                <dns_euserv_password type="TextField">
+                    <Required>N</Required>
+                </dns_euserv_password>
             </validation>
         </validations>
         <actions>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index d6704a42ef..eeb35243ae 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -732,6 +732,10 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['Dynu_ClientId'] = (string)$valObj->dns_dynu_clientid;
                 $proc_env['Dynu_Secret'] = (string)$valObj->dns_dynu_secret;
                 break;
+            case 'dns_euserv':
+                $proc_env['EUSERV_Username'] = (string)$valObj->dns_euserv_user;
+                $proc_env['EUSERV_Password'] = (string)$valObj->dns_euserv_password;
+                break;
             case 'dns_freedns':
                 $proc_env['FREEDNS_User'] = (string)$valObj->dns_freedns_user;
                 $proc_env['FREEDNS_Password'] = (string)$valObj->dns_freedns_password;

From 83ae82d92926721ca4009e30e65202c430fadaea Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 22:28:34 +0200
Subject: [PATCH 0076/3088] securiy/acme-client: add support for Leaseweb,
 closes #1670

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml     | 10 ++++++++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  |  4 ++++
 .../scripts/OPNsense/AcmeClient/certhelper.php         |  3 +++
 3 files changed, 17 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index a037b8e004..3b2f618ef2 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1049,4 +1049,14 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Leaseweb</label>
+        <type>header</type>
+        <style>table_dns table_dns_leaseweb</style>
+    </field>
+    <field>
+        <id>validation.dns_leaseweb_key</id>
+        <label>API Key</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index bb1fb209aa..3ac2719109 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -391,6 +391,7 @@
                         <dns_ispconfig>ISPConfig 3.1+ API</dns_ispconfig>
                         <dns_kinghost>KingHost DNS API</dns_kinghost>
                         <dns_knot>Knot (knsupdate) DNS API</dns_knot>
+                        <dns_leaseweb>LeaseWeb API</dns_leaseweb>
                         <dns_lexicon>lexicon DNS API</dns_lexicon>
                         <dns_linode>Linode API</dns_linode>
                         <dns_loopia>Loopia API</dns_loopia>
@@ -861,6 +862,9 @@
                 <dns_euserv_password type="TextField">
                     <Required>N</Required>
                 </dns_euserv_password>
+                <dns_leaseweb_key type="TextField">
+                    <Required>N</Required>
+                </dns_leaseweb_key>
             </validation>
         </validations>
         <actions>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index eeb35243ae..f9a648ee52 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -817,6 +817,9 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['KNOT_SERVER'] = (string)$valObj->dns_knot_server;
                 $proc_env['KNOT_KEY'] = (string)$valObj->dns_knot_key;
                 break;
+            case 'dns_leaseweb':
+                $proc_env['LSW_Key'] = (string)$valObj->dns_leaseweb_key;
+                break;
             case 'dns_lexicon':
                 $proc_env['PROVIDER'] = (string)$valObj->dns_lexicon_provider;
                 $proc_env['LEXICON_' . strtoupper($proc_env['PROVIDER']) . '_USERNAME'] = (string)$valObj->dns_lexicon_user;

From 0b835f251088d8376af1330356aad4d4864b7e37 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 22:34:55 +0200
Subject: [PATCH 0077/3088] securiy/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index b7b4b5cf0f..32c1cd94f0 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		1.30
+PLUGIN_VERSION=		1.31
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 744f17a10cb35f0d14c3bd34f5cc55c94f237716 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 23:24:27 +0200
Subject: [PATCH 0078/3088] net/haproxy: allow to enable SSL verification from
 health checks, refs #1761

---
 .../templates/OPNsense/HAProxy/haproxy.conf   | 25 ++++++++++++-------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index ba75856406..40e9478756 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1383,6 +1383,22 @@ backend {{backend.name}}
 {#             # server ssl communication #}
 {%             if server_data.ssl|default("") == '1' %}
 {%               do server_options.append('ssl') %}
+{#               # HTTP/2 #}
+{%               if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}
+{#                 # convert protocols to HAProxy-compatible format #}
+{%                 set alpn_options = backend.ba_advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
+{%                 do server_options.append('alpn ' ~ alpn_options) %}
+{%               endif %}
+{#             # HTTP/2 without TLS #}
+{%             elif backend.http2Enabled|default("") == '1' and backend.http2Enabled_nontls|default("") == '1' %}
+{%               do server_options.append('proto h2') %}
+{%             endif %}
+{#             # ssl verification can be enabled for two reasons: #}
+{#             # 1. in server settings: to verify *all* communication to this server #}
+{#             # 2. in health checks: to verify *only* health check communication to this server #}
+{#             # When 1. is enabled, health checks are automatically secured. #}
+{#             # Use-case for 2: when using TCP for server communication, but HTTPS for health checks. #}
+{%             if server_data.ssl|default("") == '1' or (healthcheck_enabled == '1' and healthcheck_data.force_ssl|default('') == '1') %}
 {#               # get status of ssl verification #}
 {%               set ssl_verify_enabled = '0' %}
 {%               if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') and OPNsense.HAProxy.general.tuning.sslServerVerify|default("") != 'ignore' %}
@@ -1410,15 +1426,6 @@ backend {{backend.name}}
 {%               else %}
 {%                 do server_options.append('verify none') %}
 {%               endif %}
-{#               # HTTP/2 #}
-{%               if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}
-{#                 # convert protocols to HAProxy-compatible format #}
-{%                 set alpn_options = backend.ba_advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
-{%                 do server_options.append('alpn ' ~ alpn_options) %}
-{%               endif %}
-{#             # HTTP/2 without TLS #}
-{%             elif backend.http2Enabled|default("") == '1' and backend.http2Enabled_nontls|default("") == '1' %}
-{%               do server_options.append('proto h2') %}
 {%             endif %}
 {#             # source address #}
 {%             if backend.source|default("") != "" %}

From 25c3c1ffab9024c11591fed525d673339c4d824d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 23:31:46 +0200
Subject: [PATCH 0079/3088] net/haproxy: fallback to system CA certs for SSL
 verification, refs #1761

---
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 40e9478756..0574f0a454 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1414,6 +1414,9 @@ backend {{backend.name}}
 {#                 # check for SSL CA #}
 {%                 if server_data.sslCA|default("") != "" %}
 {%                   do server_options.append('ca-file /tmp/haproxy/ssl/' ~ server_data.id ~ '.calist') %}
+{%                 else %}
+{#                   # fallback to system CA Root Certificates #}
+{%                   do server_options.append('ca-file /etc/ssl/cert.pem') %}
 {%                 endif %}
 {#                 # check for SSL CRL #}
 {%                 if server_data.sslCRL|default("") != "" %}

From cf179b19ad71c919f6c69c99e4e7b00d8236d9c9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 23:53:17 +0200
Subject: [PATCH 0080/3088] net/haproxy: fix invalid use of option httplog

This resolves the infamous warning:
'option httplog' not usable with frontend (needs 'mode http')
---
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 0574f0a454..1e47bd478d 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1119,7 +1119,7 @@ frontend {{frontend.name}}
 {%       endif %}
 {%       if frontend.logging_detailedLog=='1' %}
 {#         # automatically select the best-suited log type #}
-{%         if frontend.mode == 'tcp' %}
+{%         if frontend.mode == 'tcp' or frontend.mode == 'ssl' %}
     option tcplog
 {%         else %}
     option httplog

From ceb08f9334d4210e3ef03dd876442e069c20213e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 14 Apr 2020 23:58:41 +0200
Subject: [PATCH 0081/3088] net/haproxy: fix invalid use of option forwardfor

This resolves another infamous warning during config test:
'option forwardfor' ignored for frontend as it requires HTTP mode
---
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 1e47bd478d..d3d4296893 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1087,7 +1087,7 @@ frontend {{frontend.name}}
     http-request replace-header Cookie '^(.*?; )?({{backend_data.persistence_cookiename}}=)"([^;"]*)"(;.*)?$' \1\2\3\4
 {%         endif %}
 {%       endif %}
-{%       if frontend.forwardFor == '1' %}
+{%       if frontend.forwardFor == '1' and frontend.mode == 'http' %}
     option forwardfor
 {%       endif %}
     # tuning options

From c5f72d30bff4e94555b1ee54416f447ba542c498 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 15 Apr 2020 08:08:58 +0200
Subject: [PATCH 0082/3088] dns/unbound-plus: add DoT support (#1777)

---
 dns/unbound-plus/Makefile                            |  2 +-
 dns/unbound-plus/pkg-descr                           | 12 ++++++++++++
 .../OPNsense/Unboundplus/forms/miscellaneous.xml     |  8 ++++++++
 .../models/OPNsense/Unboundplus/Miscellaneous.xml    |  6 +++++-
 .../service/templates/OPNsense/Unboundplus/+TARGETS  |  1 +
 .../service/templates/OPNsense/Unboundplus/dot.conf  | 10 ++++++++++
 6 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf

diff --git a/dns/unbound-plus/Makefile b/dns/unbound-plus/Makefile
index e49cf95d91..c0ffdf6ec0 100644
--- a/dns/unbound-plus/Makefile
+++ b/dns/unbound-plus/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		unbound-plus
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Unbound additions
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
diff --git a/dns/unbound-plus/pkg-descr b/dns/unbound-plus/pkg-descr
index a93c1a94c0..908838464a 100644
--- a/dns/unbound-plus/pkg-descr
+++ b/dns/unbound-plus/pkg-descr
@@ -2,3 +2,15 @@ Unbound-Plus is a collecion of additional features to Unbound,
 including DNSBL and DNS-over-TLS support.
 
 WWW: https://github.com/opnsense/plugins/
+
+Plugin Changelog
+----------------
+
+1.1
+
+* Add DNS over TLS (DoT) support
+
+1.0
+
+* Add DNSBL feature
+* Allow to set private domains
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/miscellaneous.xml b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/miscellaneous.xml
index 3945c34051..899ceb3901 100644
--- a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/miscellaneous.xml
+++ b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/miscellaneous.xml
@@ -7,4 +7,12 @@
         <allownew>true</allownew>
         <help>List of domains to mark as private. You only need this for some DNSBL lists which resolve to private addresses.</help>
     </field>
+    <field>
+        <id>miscellaneous.dotservers</id>
+        <label>DNS over TLS Servers</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>List of nameservers to use for DoT. Use syntax ip@port like 9.9.9.9@853</help>
+    </field>
 </form>
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
index 5a3b3e8583..3a4e3cb4fb 100644
--- a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
+++ b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
@@ -1,10 +1,14 @@
 <model>
     <mount>//OPNsense/unboundplus/miscellaneous</mount>
     <description>Unbound Miscellaneous configuration</description>
-    <version>0.0.1</version>
+    <version>0.0.2</version>
     <items>
         <privatedomain type="CSVListField">
             <Required>N</Required>
         </privatedomain>
+        <dotservers type="CSVListField">
+            <Required>N</Required>
+            <mask>/^[a-fA-F0-9\.\@]{1,46}$/</mask>
+        </dotservers>
     </items>
 </model>
diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/+TARGETS b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/+TARGETS
index d7f6d3cbb7..1166df58a0 100644
--- a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/+TARGETS
+++ b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/+TARGETS
@@ -1,4 +1,5 @@
 dnsbl.inc:/var/unbound/etc/dnsbl.inc
 whitelist.inc:/var/unbound/etc/whitelist.inc
 miscellaneous.conf:/var/unbound/etc/miscellaneous.conf
+dot.conf:/var/unbound/etc/dot.conf
 lists.inc:/var/unbound/etc/lists.inc
diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf
new file mode 100644
index 0000000000..ae59c336b8
--- /dev/null
+++ b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf
@@ -0,0 +1,10 @@
+{% if helpers.exists('OPNsense.unboundplus.miscellaneous.dotservers') and OPNsense.unboundplus.miscellaneous.dotservers != '' %}
+server:
+  tls-cert-bundle: /etc/ssl/cert.pem
+forward-zone:
+  name: "."
+  forward-ssl-upstream: yes
+{%   for dot in OPNsense.unboundplus.miscellaneous.dotservers.split(',') %}
+  forward-addr: {{ dot }}
+{%   endfor %}
+{% endif %}

From 55cffd5bafe4433a6f992b793b13025dafe5a038 Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Wed, 15 Apr 2020 13:26:11 +0100
Subject: [PATCH 0083/3088] net/udpbroadcastrelay plugin - Initial commit
 (#1677)

---
 net/udpbroadcastrelay/Makefile                |   8 +
 net/udpbroadcastrelay/pkg-descr               |  29 ++
 .../inc/plugins.inc.d/udpbroadcastrelay.inc   |  83 ++++
 .../src/etc/rc.d/os-udpbroadcastrelay         | 170 +++++++++
 .../Api/ServiceController.php                 | 174 +++++++++
 .../Api/SettingsController.php                | 353 ++++++++++++++++++
 .../UDPBroadcastRelay/IndexController.php     |  47 +++
 .../UDPBroadcastRelay/forms/dialogEdit.xml    |  52 +++
 .../OPNsense/UDPBroadcastRelay/ACL/ACL.xml    |   9 +
 .../OPNsense/UDPBroadcastRelay/Menu/Menu.xml  |   5 +
 .../UDPBroadcastRelay/UDPBroadcastRelay.php   |  39 ++
 .../UDPBroadcastRelay/UDPBroadcastRelay.xml   |  60 +++
 .../OPNsense/UDPBroadcastRelay/index.volt     | 118 ++++++
 .../actions.d/actions_udpbroadcastrelay.conf  |  29 ++
 .../OPNsense/UDPBroadcastRelay/+TARGETS       |   1 +
 .../OPNsense/UDPBroadcastRelay/rc.conf.d      |  37 ++
 16 files changed, 1214 insertions(+)
 create mode 100644 net/udpbroadcastrelay/Makefile
 create mode 100644 net/udpbroadcastrelay/pkg-descr
 create mode 100644 net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
 create mode 100644 net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/IndexController.php
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/forms/dialogEdit.xml
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/ACL/ACL.xml
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/Menu/Menu.xml
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.php
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
 create mode 100644 net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
 create mode 100644 net/udpbroadcastrelay/src/opnsense/service/conf/actions.d/actions_udpbroadcastrelay.conf
 create mode 100644 net/udpbroadcastrelay/src/opnsense/service/templates/OPNsense/UDPBroadcastRelay/+TARGETS
 create mode 100644 net/udpbroadcastrelay/src/opnsense/service/templates/OPNsense/UDPBroadcastRelay/rc.conf.d

diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
new file mode 100644
index 0000000000..22783a4894
--- /dev/null
+++ b/net/udpbroadcastrelay/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		os-udpbroadcastrelay
+PLUGIN_VERSION=		0.7
+PLUGIN_DEVEL=         YES
+PLUGIN_COMMENT=		Control ubpbroadcastrelay processes
+PLUGIN_DEPENDS=		udpbroadcastrelay
+PLUGIN_MAINTAINER=	mjwasley@gmail.com
+
+.include "../../Mk/plugins.mk"
diff --git a/net/udpbroadcastrelay/pkg-descr b/net/udpbroadcastrelay/pkg-descr
new file mode 100644
index 0000000000..1a1c37af0a
--- /dev/null
+++ b/net/udpbroadcastrelay/pkg-descr
@@ -0,0 +1,29 @@
+udbproadcastrelay is a UDP multicast relayer. Its intended use is to
+rebroadbcast udp packets on a specific port across interfaces, be those
+interfaces physical or VLAN. 
+
+It is used where devices such as Sonos or Sky are spread accross 
+different subnets and are not able to detect the servers or devices.
+
+Examples of different devices and the ports are as follows:
+
+Syncthing discovery 
+udp_vars="--id 1 --port 21027 --dev igb1 --dev igb2"
+
+mDNS / Broadcast DNS (Chromecast Discovery + Bonjour + More)
+udp_vars="--id 1 --port 5353 --dev eth0 --dev eth1 --multicast 224.0.0.251 -s 1.1.1.1"
+
+(Chromecast requires broadcasts to originate from an address on its subnet) use
+the rebroadbcast address option.
+
+SSDP (Sonos Roku Discovery + More)
+udp_vars="--id 1 --port 1900 --dev eth0 --dev eth1 --multicast 239.255.255.250"
+
+Lifx Bulb Discovery
+udp_vars=" --id 1 --port 56700 --dev eth0 --dev eth1"
+
+Broadlink IR Emitter Discovery
+udp_vars=" --id 1 --port 80 --dev eth0 --dev eth1"
+
+Warcraft 3 Server Discovery
+udp_vars=" --id 1 --port 6112 --dev eth0 --dev eth1"
diff --git a/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc b/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
new file mode 100644
index 0000000000..1a3b3aa821
--- /dev/null
+++ b/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
@@ -0,0 +1,83 @@
+<?php
+
+/*
+ *    Copyright (C) 2020 Martin Wasley
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+ 
+function udpbroadcastrelay_enabled()
+{
+    $model = new \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay();
+
+    foreach ($model->udpbroadcastrelay->iterateItems() as $server) {
+        if ($server->enabled == '1') {
+            return true;
+        }
+    }
+
+    return false;
+}
+
+function udpbroadcastrelay_firewall($fw)
+{
+    if (!udpbroadcastrelay_enabled()) {
+        return;
+    }
+}
+
+function udpbroadcastrelay_services()
+{
+    $services = array();
+
+    if (!udpbroadcastrelay_enabled()) {
+        return $services;
+    }
+    
+    $model = new \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay();
+
+    foreach ($model->udpbroadcastrelay->iterateItems() as $server) {
+     
+        if ($server->enabled == '0'){
+            continue;
+        }
+
+        $services[] = array(
+            
+            'description' => $server->description,
+            'id' =>  $server->InstanceID,
+            'pidfile' => "/var/run/udpbroadcastrelay_{$server->InstanceID}.pid",
+            'configd' => array(
+                'restart' => array('udpbroadcastrelay restart '.$server->InstanceID),
+                'start' => array('udpbroadcastrelay start '.$server->InstanceID),
+                'stop' => array('udpbroadcastrelay stop '.$server->InstanceID),
+               
+            ),
+            
+            'name' => 'udpbroadcastrelay',
+        );
+
+    }
+    
+    return $services;
+}
diff --git a/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay b/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
new file mode 100644
index 0000000000..d076d6901d
--- /dev/null
+++ b/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
@@ -0,0 +1,170 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: osudpbroadcastrelay
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="osudpbroadcastrelay"
+rcvar="osudpbroadcastrelay_enable"
+command="/usr/local/sbin/udpbroadcastrelay"
+extra_commands="reload"
+reload_cmd="udpbroadcastrelay_reload"
+
+
+load_rc_config $name
+
+if [ -n "$2" ]; then
+   eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${2}
+   pidfile="/var/run/udpbroadcastrelay_$2.pid"
+fi
+
+
+udpbroadcastrelay_start () {
+   udpbroadcastrelay_status
+   if [ $? -eq 0 ]; then # already running
+      return 0
+   fi
+   run_rc_command "start"
+   if [ $? -eq 0 ]; then
+      cmd_string=`basename ${procname:-${command}}`
+      cmd="ps ax -o pid= -o command= | grep $cmd_string | grep -e "$osudpbroadcastrelay_flags" | grep -v grep | awk '{ print $1 }"
+      ps_pid=$cmd
+      if [ -z "$ps_pid" ]; then
+         err 1 "Cannot get pid for $cmd_string $osudpbroadcastrelay_flags"
+      fi
+      return $?
+   fi
+   return 1
+}
+
+udpbroadcastrelay_stop () {
+   udpbroadcastrelay_status
+   if [ $? -eq 1 ]; then # already stopped
+      return 0
+   fi
+   run_rc_command "stop"
+   if [ $? -ne 0 ]; then
+      err 1 "Cannot stop udpbroadcastrelay with pid from $pidfile"
+   fi
+   rm -f $pidfile
+   return $?
+}
+
+udpbroadcastrelay_restart () {
+   udpbroadcastrelay_stop
+   if [ $? -ne 0 ]; then
+      return $?
+   fi
+   udpbroadcastrelay_start
+   return $?
+}
+
+udpbroadcastrelay_status () {
+   if [ -z "$pidfile" ]; then
+      err 1 "Instance name unknown"
+   fi
+   run_rc_command "status"
+   return $?
+}
+
+udpbroadcastrelay_reload () {
+   osudpbroadcastrelay_flags=""
+   pidfile=""
+   # get running instances
+   ps ax -o pid= -o command= | grep "udpbroadcastrelay" | grep -v grep | while read line; do
+      # get instance name
+      instance=`echo $line | awk '{printf "%s", $4 }' | sed 's/\./_/g'`
+      # get instance flags
+      instance_flags="${line#*udpbroadcastrelay}"
+      # check if it should run
+      echo 
+      eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${instance}
+
+      if [ -n "$osudpbroadcastrelay_flags" -a "$osudpbroadcastrelay_flags" = "$instance_flags" ]; then
+         echo "running instance $instance match config"
+         continue
+      fi
+      echo "running instance $instance not configured"
+      osudpbroadcastrelay_flags=$instance_flags
+      pidfile="/var/run/udpbroadcastrelay_$instance.pid"
+      udpbroadcastrelay_stop
+   done
+   # start configured instances
+  
+   if [ -n "$osudpbroadcastrelay_instances" ]; then
+ 
+      for i in $osudpbroadcastrelay_instances; do
+         eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${i}
+         pidfile="/var/run/udpbroadcastrelay_$i.pid"
+         run_rc_command "start"
+      done
+   fi
+   return 0
+}
+
+case $1 in
+   start)
+      if [ -z "$osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${i}" -o -z "$pidfile" ]; then
+         if [ -n "$osudpbroadcastrelay_instances" ]; then
+            for i in $osudpbroadcastrelay_instances; do
+               eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${i}
+               pidfile="/var/run/udpbroadcastrelay_$i.pid"
+               udpbroadcastrelay_start
+            done
+         fi
+      else
+         udpbroadcastrelay_start
+      fi
+      exit $?
+      ;;
+   stop)
+      if [ -z "$osudpbroadcastrelay_flags" -o -z "$pidfile" ]; then
+         if [ -n "$osudpbroadcastrelay_instances" ]; then
+            for i in $osudpbroadcastrelay_instances; do
+               eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${i}
+               pidfile="/var/run/udpbroadcastrelay_$i.pid"
+               udpbroadcastrelay_stop
+            done
+         fi
+      else
+         udpbroadcastrelay_stop
+      fi
+      exit $?
+      ;;
+   restart)
+      if [ -z "$osudpbroadcastrelay_flags" -o -z "$pidfile" ]; then
+         if [ -n "$osudpbroadcastrelay_instances" ]; then
+            for i in $osudpbroadcastrelay_instances; do
+               eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${i}
+               pidfile="/var/run/udpbroadcastrelay_$i.pid"
+               udpbroadcastrelay_restart
+            done
+         fi
+      else
+         udpbroadcastrelay_restart
+      fi
+      exit $?
+      ;;
+   status)
+      if [ -z "$osudpbroadcastrelay_flags" -a -z "$pidfile" ]; then
+         if [ -n "$osudpbroadcastrelay_instances" ]; then
+            for i in $osudpbroadcastrelay_instances; do
+               eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${i}
+               pidfile="/var/run/udpbroadcastrelay_$i.pid"
+               udpbroadcastrelay_status
+            done
+         fi
+      else
+         udpbroadcastrelay_status
+      fi
+      exit $?
+      ;;
+   reload)
+      udpbroadcastrelay_reload;
+      exit $?
+      ;;
+esac
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
new file mode 100644
index 0000000000..d14f101f46
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
@@ -0,0 +1,174 @@
+<?php
+
+/*
+ *    Copyright (C) 2020 Martin Wasley
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\UDPBroadcastRelay\Api;
+use \OPNsense\Base\ApiMutableModelControllerBase;
+use \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay;
+use \OPNsense\Core\Backend;
+
+/**
+ * Class ServiceController Handles settings related API actions for the UDPBroadcastRelay
+ * @package OPNsense\UDPBroadcastRelay
+ */
+class ServiceController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'udpbroadcastrelay';
+    protected static $internalModelClass = '\OPNsense\\UDPBroadcastRelay\\UDPBroadcastRelay';
+    protected static $internalModelUseSafeDelete = true;
+
+    public function statusAction($uuid)
+    {
+        $result = array("result" => "failed", "function" => "status");
+        if ($this->request->isPost()) {
+            $this->sessionClose();
+        }
+        if ($uuid != null) {
+            $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+            $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
+            if ($node != null) {
+                $result['result'] = $this->callBackend('status', $node);
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * start a udpbroadcastrelay process
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function startAction($uuid)
+    {
+        $result = array("result" => "failed", "function" => "start");
+        if ($this->request->isPost()) {
+            $this->sessionClose();
+        }
+        if ($uuid != null) {
+            $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+            $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
+            if ($node != null) {
+                $result['result'] = $this->callBackend('start', $node);
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * stop a udpbroadcastrelay process
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function stopAction($uuid)
+    {
+        $result = array("result" => "failed", "function" => "stop");
+        if ($this->request->isPost()) {
+            $this->sessionClose();
+        }
+        if ($uuid != null) {
+            $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+            $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
+            if ($node != null) {
+                $result['result'] = $this->callBackend('stop', $node);
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * restart a udpbroadcastrelay process
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function restartAction($uuid)
+    {
+        if ($this->request->isPost()) {
+            $this->sessionClose();
+        }
+        if ($uuid != null) {
+            $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+            $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
+            if ($node != null) {
+                $result['result'] = $this->callBackend('restart', $node);
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * recreate configuration file from template
+     * @return array
+     */
+    public function configAction()
+    {
+        $result = array("result" => "failed", "function" => "config");
+        if ($this->request->isPost()) {
+            $this->sessionClose();
+        }
+        $result['result'] = $this->callBackend('template');
+        return $result;
+    }
+
+    /**
+     * reload configuration
+     * @return array
+     */
+    public function reloadAction()
+    {
+        if ($this->request->isPost()) {
+            $this->sessionClose();
+        }
+        $result = $this->configAction();
+        if ($result['result'] == 'OK') {
+            $result['function'] = "reload";
+            $result['result'] = $this->callBackend('reload');
+        }
+        return $result;
+    }
+
+    /**
+     * call backend
+     * @param action, node
+     * @return string
+     */
+    protected function callBackend($action, &$node = null)
+    {
+        $backend = new Backend();
+        if ($node != null) {
+            $instance = preg_replace("/\./", "_", $node->InstanceID->__toString());
+            return trim($backend->configdpRun('udpbroadcastrelay', array($action, $instance)));
+        }
+        if ($action == 'template') {
+            return trim($backend->configdRun('template reload OPNsense/UDPBroadcastRelay'));
+        }
+        if ($action == 'reload') {
+            return trim($backend->configdRun('udpbroadcastrelay reload'));
+
+        }
+        return "Wrong action defined";
+    }
+}
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
new file mode 100644
index 0000000000..8f08921d31
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
@@ -0,0 +1,353 @@
+<?php
+
+/*
+ *    Copyright (C) 2020 Martin Wasley
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\UDPBroadcastRelay\Api;
+
+
+use \OPNsense\Base\ApiMutableModelControllerBase;
+use \OPNsense\Core\Config;
+use \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay;
+use \OPNsense\Base\UIModelGrid;
+/**
+ * Class SettingsController Handles settings related API actions for the UDPBroadcastRelay
+ * @package OPNsense\UDPBroadcastRelay
+ */
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'udpbroadcastrelay';
+    protected static $internalModelClass = '\OPNsense\UDPBroadcastRelay\UDPBroadcastRelay;';
+    protected static $internalModelUseSafeDelete = true;
+
+
+/**
+ * Class SettingsController
+ * @package OPNsense\UDPBroadcastRelay
+ */
+
+    /**
+     * retrieve udpbroadcastrelay settings or return defaults
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function getRelayAction($uuid = null)
+    {
+        $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+        if ($uuid != null) {
+            $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
+            if ($node != null) {
+                // return node
+                return array("udpbroadcastrelay" => $node->getNodes());
+            }
+        } else {
+            // generate new node, but don't save to disc
+            $node = $mdlUDPBroadcastRelay->udpbroadcastrelay->Add();
+            return array("udpbroadcastrelay" => $node->getNodes());
+        }
+        return array();
+    }
+
+    /**
+     * update udpbroadcastrelay with given properties
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function setRelayAction($uuid)
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost() && $this->request->hasPost("udpbroadcastrelay")) {
+            $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+            // keep a list to detect duplicates later
+            $CurrentProxies =  $mdlUDPBroadcastRelay->getNodes();
+            if ($uuid != null) {
+                $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
+                if ($node != null) {
+                    $Enabled = $node->enabled->__toString();
+                    $result = array("result" => "failed", "validations" => array());
+                    $relayInfo = $this->request->getPost("udpbroadcastrelay");
+
+                    $node->setNodes($relayInfo);
+                    $valMsgs = $mdlUDPBroadcastRelay->performValidation();
+                    foreach ($valMsgs as $field => $msg) {
+                        $fieldnm = str_replace($node->__reference, "udpbroadcastrelay", $msg->getField());
+                        $result["validations"][$fieldnm] = $msg->getMessage();
+                    }
+
+                    if (count($result['validations']) == 0) {
+                        // check for duplicates
+                        
+                        foreach ($CurrentProxies['udpbroadcastrelay'] as $CurrentUUID => &$CurrentRelay) {
+                            if (
+                                $node->InstanceID->__toString() == $CurrentRelay['InstanceID'] &&
+                                $node->listenport->__toString() == $CurrentRelay['listenport'] &&
+                                $uuid != $CurrentUUID
+                            ) {
+                                return array(
+                                          "result" => "failed",
+                                          "validations" => array(
+                                             "udpbroadcastrelay.InstanceID" => "Instance ID already in use.",
+                                             "udpbroadcastrelay.listenport" => "Listen port already in use."
+                                          )
+                                       );
+                            }
+                            if (
+                               $node->listenport->__toString() == $CurrentRelay['listenport'] &&
+                                $uuid != $CurrentUUID
+                            ) {
+                                return array(
+                                          "result" => "failed",
+                                          "validations" => array(
+                                             "udpbroadcastrelay.listenport" => "Listen Port already in use."
+                                           )
+                                       );
+                            }
+                            if (
+                                $node->InstanceID->__toString() == $CurrentRelay['InstanceID'] &&
+                                $uuid != $CurrentUUID
+                            ) {
+                                return array(
+                                          "result" => "failed",
+                                          "validations" => array(
+                                             "udpbroadcastrelay.InstanceID" => "Instance ID already In use."
+                                           )
+                                       );
+                            }  
+                            $result = count(explode(',',$node->interfaces));
+                            if (
+                                $result < 2 &&
+                                $uuid != $CurrentUUID
+                            ) {
+                                return array(
+                                          "result" => "failed",
+                                          "validations" => array(
+                                             "udpbroadcastrelay.interfaces" => "At least two interfaces must be selected."
+                                           )
+                                       );
+                            }  
+                        }
+                        
+                        // save config if validated correctly
+                        $mdlUDPBroadcastRelay->serializeToConfig();
+                        Config::getInstance()->save();
+                        // reload config
+                        $svcUDPBroadcastRelay = new ServiceController();
+                        $result = $svcUDPBroadcastRelay->reloadAction();
+                    }
+                }
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * add new udpbroadcastrelay and set with attributes from post
+     * @return array
+     */
+    public function addRelayAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost() && $this->request->hasPost("udpbroadcastrelay")) {
+            $result = array("result" => "failed", "validations" => array());
+            $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+            // keep a list to detect duplicates later
+            $CurrentProxies =  $mdlUDPBroadcastRelay->getNodes();
+            $node = $mdlUDPBroadcastRelay->udpbroadcastrelay->Add();
+            $node->setNodes($this->request->getPost("udpbroadcastrelay"));
+
+            $valMsgs = $mdlUDPBroadcastRelay->performValidation();
+
+            foreach ($valMsgs as $field => $msg) {
+                $fieldnm = str_replace($node->__reference, "udpbroadcastrelay", $msg->getField());
+                $result["validations"][$fieldnm] = $msg->getMessage();
+            }
+
+            if (count($result['validations']) == 0) {
+                foreach ($CurrentProxies['udpbroadcastrelay'] as &$CurrentRelay) {
+                    if (
+                            $node->InstanceID->__toString() == $CurrentRelay['InstanceID'] &&
+                            $node->listenport->__toString() == $CurrentRelay['listenport'] 
+                        ) {
+                            return array(
+                                      "result" => "failed",
+                                      "validations" => array(
+                                         "udpbroadcastrelay.InstanceID" => "Instance ID already in use.",
+                                         "udpbroadcastrelay.listenport" => "Listen port already in use."
+                                      )
+                                );
+                           }
+                    if (
+                       $node->listenport->__toString() == $CurrentRelay['listenport']
+                    ) {
+                        return array(
+                                  "result" => "failed",
+                                  "validations" => array(
+                                     "udpbroadcastrelay.listenport" => "Listen Port already in use."
+                                   )
+                               );
+                    }
+                    if (
+                        $node->InstanceID->__toString() == $CurrentRelay['InstanceID']
+                    ) {
+                        return array(
+                                  "result" => "failed",
+                                  "validations" => array(
+                                     "udpbroadcastrelay.InstanceID" => "Instance ID already In use."
+                                   )
+                               );
+                    }
+                    
+                    $result = count(explode(',',$node->interfaces));
+                    if ( 
+                        $result < 2
+                    ) {
+                        return array(
+                                  "result" => "failed",
+                                  "validations" => array(
+                                     "udpbroadcastrelay.interfaces" => "At least two interfaces must be selected."
+                                   )
+                               );
+                    }
+                }
+
+                // save config if validated correctly
+                $mdlUDPBroadcastRelay->serializeToConfig();
+                Config::getInstance()->save();
+                // reload config
+                $svcUDPBroadcastRelay = new ServiceController();
+                $result = $svcUDPBroadcastRelay->reloadAction();
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * delete udpbroadcastrelay by uuid
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function delRelayAction($uuid)
+    {
+
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+            if ($uuid != null) {
+                $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
+                if ($node != null) {
+                    if ($mdlUDPBroadcastRelay->udpbroadcastrelay->del($uuid) == true) {
+                        // if item is removed, serialize to config and save
+                        $mdlUDPBroadcastRelay->serializeToConfig();
+                        Config::getInstance()->save();
+                        // reload config
+                        $svcUDPBroadcastRelay = new ServiceController();
+                        $result = $svcUDPBroadcastRelay->reloadAction();
+                    }
+                } else {
+                    $result['result'] = 'not found';
+                }
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * toggle udpbroadcastrelay by uuid (enable/disable)
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function toggleRelayAction($uuid)
+    {
+
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+            if ($uuid != null) {
+                $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
+                if ($node != null) {
+                    if ($node->enabled->__toString() == "1") {
+                        $node->enabled = "0";
+                    } else {
+                        $node->enabled = "1";
+                    }
+                    // if item has toggled, serialize to config and save
+                    $mdlUDPBroadcastRelay->serializeToConfig();
+                    Config::getInstance()->save();
+                    // reload config
+                    $svcUDPBroadcastRelay = new ServiceController();
+                    $result = $svcUDPBroadcastRelay->reloadAction();
+                }
+            }
+        }
+        return $result;
+    }
+
+    /**
+     *
+     * search udpbroadcastrelay
+     * @return array
+     */
+    public function searchRelayAction()
+    {
+        $this->sessionClose();
+        $fields = array(
+                "enabled",
+                "interfaces",
+                "multicastaddress",
+                "sourceaddress",
+                "listenport",
+                "InstanceID",
+                "RevertTTL",
+                "description"
+        );
+        $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
+
+        $grid = new UIModelGrid($mdlUDPBroadcastRelay->udpbroadcastrelay);
+        $response = $grid->fetchBindRequest(
+            $this->request,
+            $fields,
+            "InstanceID"
+        );
+        $svcUDPBroadcastRelay = new ServiceController();
+        foreach ($response['rows'] as &$row) {
+            $result = $svcUDPBroadcastRelay->statusAction($row['uuid']);
+            if ($result['result'] == 'OK') {
+                $row['status'] = 0;
+                continue;
+            }
+            $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $row['uuid']);
+            if ($node != null) {
+                if ($node->enabled->__toString() == "1") {
+                    $row['status'] = 2;
+                } else {
+                    $row['status'] = 5;
+                }
+            }
+        }
+
+        return $response;
+    }
+}
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/IndexController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/IndexController.php
new file mode 100644
index 0000000000..6301a81bcd
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/IndexController.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ *    Copyright (C) 2020 Martin Wasley
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\UDPBroadcastRelay;
+
+/**
+ * Class IndexController
+ * @package OPNsense\UDPBroadcastRelay
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    /**
+     * udpbroadcastrelay index page
+     * @throws \Exception
+     */
+    public function indexAction()
+    {
+        // include dialog form definitions
+        $this->view->formDialogEdit = $this->getForm("dialogEdit");
+        $this->view->pick('OPNsense/UDPBroadcastRelay/index');
+    }
+}
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/forms/dialogEdit.xml b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/forms/dialogEdit.xml
new file mode 100644
index 0000000000..f39ae51118
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/forms/dialogEdit.xml
@@ -0,0 +1,52 @@
+<form>
+   <field>
+      <id>udpbroadcastrelay.enabled</id>
+      <label>enabled</label>
+      <type>checkbox</type>
+      <help><![CDATA[Enable or disable this udp relay.]]></help>
+   </field>
+   <field>
+      <id>udpbroadcastrelay.listenport</id>
+      <label>Relay Port</label>
+      <type>text</type>
+      <help><![CDATA[Port where the relay will listen for packets to relay. e.g. Sonos is Port 1900.]]></help>
+   </field>
+   <field>
+      <id>udpbroadcastrelay.interfaces</id>
+      <label>Relay Interfaces</label>
+      <type>select_multiple</type>
+      <help>At least two interfaces must be selected.</help>
+   </field>
+   <field>
+      <id>udpbroadcastrelay.multicastaddress</id>
+      <label>Broadcast Address</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>   
+      <style>tokenize</style>      
+      <help><![CDATA[Multicast addresses to use on this port when relaying multicast packets. e.g Sonos is 239.255.255.250, you may enter multiple addresses.]]></help>
+   </field>
+   <field>
+      <id>udpbroadcastrelay.sourceaddress</id>
+      <label>Source Address</label>
+      <type>text</type>
+      <help><![CDATA[The relay will use this as the source address for packets leaving the interface. The special values of "1.1.1.1" and "1.1.1.2" mean for the relayed packet to use the outgoing interface's address as the source IP address. "1.1.1.1" also means use the original packet's destination port as the new source port for the relayed packet. "1.1.1.2" means keep the source port unaltered from the original. Chromecast users should use 1.1.1.1.]]></help>
+   </field>
+   <field>
+      <id>udpbroadcastrelay.InstanceID</id>
+      <label>Instance ID</label>
+      <type>text</type>
+      <help><![CDATA[Each Relay instance requires a unique ID. Valid values are 1 - 63]]></help>
+   </field>
+   <field>
+      <id>udpbroadcastrelay.RevertTTL</id>
+      <label>Use TTL for ID</label>
+      <type>checkbox</type>
+      <help><![CDATA[Use the ID to set the TTL Value of the packet (Original method) rather than DSCP, default is not ticked]]></help>
+   </field>
+   <field>
+      <id>udpbroadcastrelay.description</id>
+      <label>Description</label>
+      <type>text</type>
+      <help><![CDATA[Brief description of this udp relay]]></help>
+   </field>
+</form>
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/ACL/ACL.xml b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/ACL/ACL.xml
new file mode 100644
index 0000000000..051ea7fe9c
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+   <page-services-udpbroadcastrelay>
+      <name>Services: UDP Broadcast Relay</name>
+      <patterns>
+         <pattern>ui/udpbroadcastrelay/*</pattern>
+         <pattern>api/udpbroadcastrelay/*</pattern>
+      </patterns>
+   </page-services-udpbroadcastrelay>
+</acl>
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/Menu/Menu.xml b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/Menu/Menu.xml
new file mode 100644
index 0000000000..1ae4758387
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/Menu/Menu.xml
@@ -0,0 +1,5 @@
+<menu>
+   <Services>
+      <UDPBroadcastRelay VisibleName="UDP Broadcast Relay" cssClass="fa fa-bolt fa-fw" url="/ui/udpbroadcastrelay"/>
+   </Services>
+</menu>
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.php
new file mode 100644
index 0000000000..b9b7640fca
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ *    Copyright (C) 2020 Martin Wasley
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\UDPBroadcastRelay;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class UDPBroadcastRelay
+ * @package OPNsense\UDPBroadcastRelay
+ */
+class UDPBroadcastRelay extends BaseModel
+{
+}
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
new file mode 100644
index 0000000000..20638487e7
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
@@ -0,0 +1,60 @@
+<model>
+   <mount>//OPNsense/udpbroadcastrelays</mount>
+   <version>1.0.0</version>
+   <description>UDP Broadcast Relay settings</description>
+   <items>
+      <udpbroadcastrelay type="ArrayField">
+         <enabled type="BooleanField">
+            <default>1</default>
+            <Required>Y</Required>
+         </enabled>
+            <interfaces type="InterfaceField">
+            <default>lan</default>
+            <Required>Y</Required>
+            <multiple>Y</multiple>
+            </interfaces>
+         <multicastaddress type="CSVListField">
+            <Required>N</Required>
+            <default></default>
+            <multiple>Y</multiple>
+            <mask>/^([\/0-9.,])*/u</mask>
+            <ValidationMessage>Broadcast address must be a valid IPv4 address</ValidationMessage>
+         </multicastaddress>
+         <sourceaddress  type="TextField">
+            <Required>N</Required>
+            <default></default>
+            <mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</mask>
+            <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
+         </sourceaddress>
+         <listenport type="IntegerField">
+            <default></default>
+            <Required>Y</Required>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>65535</MaximumValue>
+            <ValidationMessage>Listen port needs to be an integer value between 1 and 65535</ValidationMessage>
+         </listenport>
+         <sourceaddress  type="TextField">
+            <Required>N</Required>
+            <default></default>
+            <mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</mask>
+            <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
+         </sourceaddress>
+         <InstanceID type="IntegerField">
+            <default>0</default>
+            <Required>Y</Required>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>63</MaximumValue>
+            <ValidationMessage>InstanceID needs to be an integer value between 1 and 63</ValidationMessage>
+         </InstanceID>
+         <RevertTTL type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+         </RevertTTL>
+         <description type="TextField">
+            <Required>N</Required>
+            <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+            <ValidationMessage>Enter a description.</ValidationMessage>
+         </description>
+      </udpbroadcastrelay>
+   </items>
+</model>
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
new file mode 100644
index 0000000000..1904a31459
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
@@ -0,0 +1,118 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+Copyright (C) 2020 Martin Wasley
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+<script>
+
+    $( document ).ready(function() {
+        /**
+         * inline open dialog, go back to previous page on exit
+         */
+        function openDialog(uuid) {
+            var editDlg = "DialogEdit";
+            var setUrl = "/api/udpbroadcastrelay/settings/setRelay/";
+            var getUrl = "/api/udpbroadcastrelay/settings/getRelay/";
+            var urlMap = {};
+            urlMap['frm_' + editDlg] = getUrl + uuid;
+            mapDataToFormUI(urlMap).done(function () {
+                // update selectors
+                $('.selectpicker').selectpicker('refresh');
+                // clear validation errors (if any)
+                clearFormValidation('frm_' + editDlg);
+                // show
+                $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
+                $('#'+editDlg).on('hidden.bs.modal', function () {
+                    // go back to previous page on exit
+                    parent.history.back();
+                });
+            });
+        }
+        /*************************************************************************************************************
+         * link grid actions
+         *************************************************************************************************************/
+
+        $("#grid-proxies").UIBootgrid(
+                {   'search':'/api/udpbroadcastrelay/settings/searchRelay',
+                    'get':'/api/udpbroadcastrelay/settings/getRelay/',
+                    'set':'/api/udpbroadcastrelay/settings/setRelay/',
+                    'add':'/api/udpbroadcastrelay/settings/addRelay/',
+                    'del':'/api/udpbroadcastrelay/settings/delRelay/',
+                    'toggle':'/api/udpbroadcastrelay/settings/toggleRelay/',
+                    'options':{selection:false, multiSelect:false}
+                }
+        );
+
+        {% if (selected_uuid|default("") != "") %}
+            openDialog(uuid='{{selected_uuid}}');
+        {% endif %}
+
+        /*************************************************************************************************************
+         * Commands
+         *************************************************************************************************************/
+
+    });
+
+</script>
+
+
+<!-- <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#grid-proxies">{{ lang._('UDPBroadcastRelays') }}</a></li>
+</ul> -->
+<div class="tab-content content-box tab-content">
+    <div id="udpbroadcastrelays" class="tab-pane fade in active">
+        <!-- tab page "udpbroadcastrelay items" -->
+        <table id="grid-proxies" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEdit">
+            <thead>
+            <tr>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="interfaces" data-width="10em" data-type="string" data-visible="true">{{ lang._('Interfaces') }}</th>
+                <th data-column-id="multicastaddress" data-width="15em" data-type="string" data-visible="true">{{ lang._('Multicast Addresses') }}</th>
+                <th data-column-id="sourceaddress"  data-width="11em" data-type="string" data-visible="true">{{ lang._('Source Address') }}</th>
+                <th data-column-id="listenport" data-width="8em" data-type="string" data-visible="true">{{ lang._('Listen Port') }}</th>              
+                <th data-column-id="InstanceID" data-width="6em" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
+                <th data-column-id="description" data-width="15em" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="RevertTTL" data-width="10em" data-type="string"  data-visible="true" data-formatter="boolean">{{ lang._('Use ID as TTL') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+</div>
+
+{# include dialog #}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEdit,'id':'DialogEdit','label':lang._('Edit Relay')])}}
diff --git a/net/udpbroadcastrelay/src/opnsense/service/conf/actions.d/actions_udpbroadcastrelay.conf b/net/udpbroadcastrelay/src/opnsense/service/conf/actions.d/actions_udpbroadcastrelay.conf
new file mode 100644
index 0000000000..0ec66ac4ae
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/service/conf/actions.d/actions_udpbroadcastrelay.conf
@@ -0,0 +1,29 @@
+[start]
+command:/usr/local/etc/rc.d/os-udpbroadcastrelay start
+parameters:%s
+type:script
+message:starting udpbroadcastrelay instance
+
+[stop]
+command:/usr/local/etc/rc.d/os-udpbroadcastrelay stop
+parameters:%s
+type:script
+message:stopping udpbroadcastrelay instance
+
+[status]
+command:/usr/local/etc/rc.d/os-udpbroadcastrelay status
+parameters:%s
+type:script
+message:get udpbroadcastrelay instance status
+
+[restart]
+command:/usr/local/etc/rc.d/os-udpbroadcastrelay restart
+parameters:%s
+type:script
+message:restarting udpbroadcastrelay instance
+
+[reload]
+command:/usr/local/etc/rc.d/os-udpbroadcastrelay reload
+parameters:%s
+type:script
+message:reload udpbroadcastrelay
diff --git a/net/udpbroadcastrelay/src/opnsense/service/templates/OPNsense/UDPBroadcastRelay/+TARGETS b/net/udpbroadcastrelay/src/opnsense/service/templates/OPNsense/UDPBroadcastRelay/+TARGETS
new file mode 100644
index 0000000000..9377f1753e
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/service/templates/OPNsense/UDPBroadcastRelay/+TARGETS
@@ -0,0 +1 @@
+rc.conf.d:/etc/rc.conf.d/osudpbroadcastrelay
diff --git a/net/udpbroadcastrelay/src/opnsense/service/templates/OPNsense/UDPBroadcastRelay/rc.conf.d b/net/udpbroadcastrelay/src/opnsense/service/templates/OPNsense/UDPBroadcastRelay/rc.conf.d
new file mode 100644
index 0000000000..918016c811
--- /dev/null
+++ b/net/udpbroadcastrelay/src/opnsense/service/templates/OPNsense/UDPBroadcastRelay/rc.conf.d
@@ -0,0 +1,37 @@
+{% if helpers.exists('OPNsense.udpbroadcastrelays.udpbroadcastrelay') %}
+{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
+osudpbroadcastrelay_enable="YES"
+{% set Instances=[] %}
+{%  for osudpbroadcastrelay in helpers.toList('OPNsense.udpbroadcastrelays.udpbroadcastrelay') %}
+{%   if osudpbroadcastrelay.enabled|default('0') == '1' %}
+{%    set Parameters=[] %}
+{%    if osudpbroadcastrelay.InstanceID %}
+{%     do Parameters.append("--id " ~ osudpbroadcastrelay.InstanceID) %}
+{%    endif %}
+{%    set osifnames = osudpbroadcastrelay.interfaces.split(',') %}
+{%    set interface_list=[] %}
+{%    for i in osifnames %}
+{%    do interface_list.append(physical_interface(i)) %}
+{%    do Parameters.append("--dev " ~ physical_interface(i)) %}
+{%    endfor %}
+{%    do Parameters.append("--port " ~ osudpbroadcastrelay.listenport) %}
+{%    if osudpbroadcastrelay.multicastaddress %}
+{%    set osmcastaddresses = osudpbroadcastrelay.multicastaddress.split(',') %}
+{%    for mcastaddress in osmcastaddresses %}
+{%     do Parameters.append("--multicast " ~ mcastaddress) %}
+{%    endfor %}
+{%    endif %}
+{%    if osudpbroadcastrelay.sourceaddress %}
+{%     do Parameters.append("-s " ~ osudpbroadcastrelay.sourceaddress) %}
+{%    endif %}
+{%    if osudpbroadcastrelay.RevertTTL|default('0') == '1' %}
+{%     do Parameters.append("-t ") %}
+{%    endif %}
+{%     do Parameters.append("-f") %}
+{%    set Instance=osudpbroadcastrelay.InstanceID %}
+osudpbroadcastrelay_{{Instance}}="{% for Parameter in Parameters %} {{Parameter}}{% endfor %}"
+{%     do Instances.append(Instance) %}
+{%   endif %}
+{%  endfor %}
+osudpbroadcastrelay_instances="{% for Instance in Instances %} {{Instance}}{% endfor %}"
+{% endif %}

From d9c01dbf222ef0350c17f3254c8add2fc8338ea6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 15 Apr 2020 14:28:19 +0200
Subject: [PATCH 0084/3088] net/udpbroadcastdelay: style sweep, align Makefile

---
 LICENSE                                            |  1 +
 README.md                                          |  1 +
 net/udpbroadcastrelay/Makefile                     |  6 +++---
 net/udpbroadcastrelay/pkg-descr                    |  6 +++---
 .../etc/inc/plugins.inc.d/udpbroadcastrelay.inc    | 14 +++++++-------
 .../src/etc/rc.d/os-udpbroadcastrelay              |  6 +++---
 .../UDPBroadcastRelay/Api/SettingsController.php   | 14 +++++++-------
 .../UDPBroadcastRelay/forms/dialogEdit.xml         |  4 ++--
 .../views/OPNsense/UDPBroadcastRelay/index.volt    |  2 +-
 9 files changed, 28 insertions(+), 26 deletions(-)

diff --git a/LICENSE b/LICENSE
index b47b3f8908..6da3cfdf3f 100644
--- a/LICENSE
+++ b/LICENSE
@@ -18,6 +18,7 @@ Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019 Juergen Kellerer
 Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
+Copyright (c) 2020 Martin Wasley
 Copyright (c) 2017-2020 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010-2012 Seth Mos <seth.mos@dds.nl>
diff --git a/README.md b/README.md
index 514ce14fcf..199d6918bf 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
 net/tayga -- Tayga IPv6 64NAT
+net/udpbroadcastrelay -- Control ubpbroadcastrelay processes (development only)
 net/upnp -- Universal Plug and Play Service
 net/vnstat -- vnStat is a console-based network traffic monitor
 net/wireguard -- WireGuard VPN service
diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index 22783a4894..b90f1cfd0b 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,6 +1,6 @@
-PLUGIN_NAME=		os-udpbroadcastrelay
-PLUGIN_VERSION=		0.7
-PLUGIN_DEVEL=         YES
+PLUGIN_NAME=		udpbroadcastrelay
+PLUGIN_VERSION=		0.1
+PLUGIN_DEVEL=		yes
 PLUGIN_COMMENT=		Control ubpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com
diff --git a/net/udpbroadcastrelay/pkg-descr b/net/udpbroadcastrelay/pkg-descr
index 1a1c37af0a..684ef947f6 100644
--- a/net/udpbroadcastrelay/pkg-descr
+++ b/net/udpbroadcastrelay/pkg-descr
@@ -1,13 +1,13 @@
 udbproadcastrelay is a UDP multicast relayer. Its intended use is to
 rebroadbcast udp packets on a specific port across interfaces, be those
-interfaces physical or VLAN. 
+interfaces physical or VLAN.
 
-It is used where devices such as Sonos or Sky are spread accross 
+It is used where devices such as Sonos or Sky are spread accross
 different subnets and are not able to detect the servers or devices.
 
 Examples of different devices and the ports are as follows:
 
-Syncthing discovery 
+Syncthing discovery
 udp_vars="--id 1 --port 21027 --dev igb1 --dev igb2"
 
 mDNS / Broadcast DNS (Chromecast Discovery + Bonjour + More)
diff --git a/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc b/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
index 1a3b3aa821..d859316fc6 100644
--- a/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
+++ b/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
@@ -25,7 +25,7 @@
  *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  *    POSSIBILITY OF SUCH DAMAGE.
  */
- 
+
 function udpbroadcastrelay_enabled()
 {
     $model = new \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay();
@@ -53,17 +53,17 @@ function udpbroadcastrelay_services()
     if (!udpbroadcastrelay_enabled()) {
         return $services;
     }
-    
+
     $model = new \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay();
 
     foreach ($model->udpbroadcastrelay->iterateItems() as $server) {
-     
+
         if ($server->enabled == '0'){
             continue;
         }
 
         $services[] = array(
-            
+
             'description' => $server->description,
             'id' =>  $server->InstanceID,
             'pidfile' => "/var/run/udpbroadcastrelay_{$server->InstanceID}.pid",
@@ -71,13 +71,13 @@ function udpbroadcastrelay_services()
                 'restart' => array('udpbroadcastrelay restart '.$server->InstanceID),
                 'start' => array('udpbroadcastrelay start '.$server->InstanceID),
                 'stop' => array('udpbroadcastrelay stop '.$server->InstanceID),
-               
+
             ),
-            
+
             'name' => 'udpbroadcastrelay',
         );
 
     }
-    
+
     return $services;
 }
diff --git a/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay b/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
index d076d6901d..e16cab0c38 100644
--- a/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
+++ b/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
@@ -81,7 +81,7 @@ udpbroadcastrelay_reload () {
       # get instance flags
       instance_flags="${line#*udpbroadcastrelay}"
       # check if it should run
-      echo 
+      echo
       eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${instance}
 
       if [ -n "$osudpbroadcastrelay_flags" -a "$osudpbroadcastrelay_flags" = "$instance_flags" ]; then
@@ -94,9 +94,9 @@ udpbroadcastrelay_reload () {
       udpbroadcastrelay_stop
    done
    # start configured instances
-  
+
    if [ -n "$osudpbroadcastrelay_instances" ]; then
- 
+
       for i in $osudpbroadcastrelay_instances; do
          eval osudpbroadcastrelay_flags=\$osudpbroadcastrelay_${i}
          pidfile="/var/run/udpbroadcastrelay_$i.pid"
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
index 8f08921d31..48c76094e2 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
@@ -99,7 +99,7 @@ public function setRelayAction($uuid)
 
                     if (count($result['validations']) == 0) {
                         // check for duplicates
-                        
+
                         foreach ($CurrentProxies['udpbroadcastrelay'] as $CurrentUUID => &$CurrentRelay) {
                             if (
                                 $node->InstanceID->__toString() == $CurrentRelay['InstanceID'] &&
@@ -135,7 +135,7 @@ public function setRelayAction($uuid)
                                              "udpbroadcastrelay.InstanceID" => "Instance ID already In use."
                                            )
                                        );
-                            }  
+                            }
                             $result = count(explode(',',$node->interfaces));
                             if (
                                 $result < 2 &&
@@ -147,9 +147,9 @@ public function setRelayAction($uuid)
                                              "udpbroadcastrelay.interfaces" => "At least two interfaces must be selected."
                                            )
                                        );
-                            }  
+                            }
                         }
-                        
+
                         // save config if validated correctly
                         $mdlUDPBroadcastRelay->serializeToConfig();
                         Config::getInstance()->save();
@@ -189,7 +189,7 @@ public function addRelayAction()
                 foreach ($CurrentProxies['udpbroadcastrelay'] as &$CurrentRelay) {
                     if (
                             $node->InstanceID->__toString() == $CurrentRelay['InstanceID'] &&
-                            $node->listenport->__toString() == $CurrentRelay['listenport'] 
+                            $node->listenport->__toString() == $CurrentRelay['listenport']
                         ) {
                             return array(
                                       "result" => "failed",
@@ -219,9 +219,9 @@ public function addRelayAction()
                                    )
                                );
                     }
-                    
+
                     $result = count(explode(',',$node->interfaces));
-                    if ( 
+                    if (
                         $result < 2
                     ) {
                         return array(
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/forms/dialogEdit.xml b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/forms/dialogEdit.xml
index f39ae51118..f8e5a0cdd9 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/forms/dialogEdit.xml
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/forms/dialogEdit.xml
@@ -21,8 +21,8 @@
       <id>udpbroadcastrelay.multicastaddress</id>
       <label>Broadcast Address</label>
       <type>select_multiple</type>
-      <allownew>true</allownew>   
-      <style>tokenize</style>      
+      <allownew>true</allownew>
+      <style>tokenize</style>
       <help><![CDATA[Multicast addresses to use on this port when relaying multicast packets. e.g Sonos is 239.255.255.250, you may enter multiple addresses.]]></help>
    </field>
    <field>
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
index 1904a31459..f8c106948f 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
@@ -91,7 +91,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="interfaces" data-width="10em" data-type="string" data-visible="true">{{ lang._('Interfaces') }}</th>
                 <th data-column-id="multicastaddress" data-width="15em" data-type="string" data-visible="true">{{ lang._('Multicast Addresses') }}</th>
                 <th data-column-id="sourceaddress"  data-width="11em" data-type="string" data-visible="true">{{ lang._('Source Address') }}</th>
-                <th data-column-id="listenport" data-width="8em" data-type="string" data-visible="true">{{ lang._('Listen Port') }}</th>              
+                <th data-column-id="listenport" data-width="8em" data-type="string" data-visible="true">{{ lang._('Listen Port') }}</th>
                 <th data-column-id="InstanceID" data-width="6em" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
                 <th data-column-id="description" data-width="15em" data-type="string">{{ lang._('Description') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>

From 152b6e1ffe2762ef4508f8bdce01b29543a7b6a5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 15 Apr 2020 14:32:10 +0200
Subject: [PATCH 0085/3088] net/udpbroadcastrelay: style sweep while here

---
 .../inc/plugins.inc.d/udpbroadcastrelay.inc   | 12 ++++-------
 .../Api/ServiceController.php                 | 10 +++++-----
 .../Api/SettingsController.php                | 20 +++++++++----------
 3 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc b/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
index d859316fc6..bb8a14f9f0 100644
--- a/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
+++ b/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
@@ -57,26 +57,22 @@ function udpbroadcastrelay_services()
     $model = new \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay();
 
     foreach ($model->udpbroadcastrelay->iterateItems() as $server) {
-
-        if ($server->enabled == '0'){
+        if ($server->enabled == '0') {
             continue;
         }
 
         $services[] = array(
-
             'description' => $server->description,
             'id' =>  $server->InstanceID,
             'pidfile' => "/var/run/udpbroadcastrelay_{$server->InstanceID}.pid",
             'configd' => array(
-                'restart' => array('udpbroadcastrelay restart '.$server->InstanceID),
-                'start' => array('udpbroadcastrelay start '.$server->InstanceID),
-                'stop' => array('udpbroadcastrelay stop '.$server->InstanceID),
+                'restart' => array('udpbroadcastrelay restart ' . $server->InstanceID),
+                'start' => array('udpbroadcastrelay start ' . $server->InstanceID),
+                'stop' => array('udpbroadcastrelay stop ' . $server->InstanceID),
 
             ),
-
             'name' => 'udpbroadcastrelay',
         );
-
     }
 
     return $services;
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
index d14f101f46..b64d378d5f 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
@@ -27,9 +27,10 @@
  */
 
 namespace OPNsense\UDPBroadcastRelay\Api;
-use \OPNsense\Base\ApiMutableModelControllerBase;
-use \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay;
-use \OPNsense\Core\Backend;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\UDPBroadcastRelay\UDPBroadcastRelay;
+use OPNsense\Core\Backend;
 
 /**
  * Class ServiceController Handles settings related API actions for the UDPBroadcastRelay
@@ -38,7 +39,7 @@
 class ServiceController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'udpbroadcastrelay';
-    protected static $internalModelClass = '\OPNsense\\UDPBroadcastRelay\\UDPBroadcastRelay';
+    protected static $internalModelClass = '\OPNsense\UDPBroadcastRelay\UDPBroadcastRelay';
     protected static $internalModelUseSafeDelete = true;
 
     public function statusAction($uuid)
@@ -167,7 +168,6 @@ protected function callBackend($action, &$node = null)
         }
         if ($action == 'reload') {
             return trim($backend->configdRun('udpbroadcastrelay reload'));
-
         }
         return "Wrong action defined";
     }
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
index 48c76094e2..4f63375ccb 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
@@ -28,11 +28,11 @@
 
 namespace OPNsense\UDPBroadcastRelay\Api;
 
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+use OPNsense\UDPBroadcastRelay\UDPBroadcastRelay;
+use OPNsense\Base\UIModelGrid;
 
-use \OPNsense\Base\ApiMutableModelControllerBase;
-use \OPNsense\Core\Config;
-use \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay;
-use \OPNsense\Base\UIModelGrid;
 /**
  * Class SettingsController Handles settings related API actions for the UDPBroadcastRelay
  * @package OPNsense\UDPBroadcastRelay
@@ -115,7 +115,7 @@ public function setRelayAction($uuid)
                                        );
                             }
                             if (
-                               $node->listenport->__toString() == $CurrentRelay['listenport'] &&
+                                $node->listenport->__toString() == $CurrentRelay['listenport'] &&
                                 $uuid != $CurrentUUID
                             ) {
                                 return array(
@@ -136,7 +136,7 @@ public function setRelayAction($uuid)
                                            )
                                        );
                             }
-                            $result = count(explode(',',$node->interfaces));
+                            $result = count(explode(',', $node->interfaces));
                             if (
                                 $result < 2 &&
                                 $uuid != $CurrentUUID
@@ -190,7 +190,7 @@ public function addRelayAction()
                     if (
                             $node->InstanceID->__toString() == $CurrentRelay['InstanceID'] &&
                             $node->listenport->__toString() == $CurrentRelay['listenport']
-                        ) {
+                    ) {
                             return array(
                                       "result" => "failed",
                                       "validations" => array(
@@ -198,9 +198,9 @@ public function addRelayAction()
                                          "udpbroadcastrelay.listenport" => "Listen port already in use."
                                       )
                                 );
-                           }
+                    }
                     if (
-                       $node->listenport->__toString() == $CurrentRelay['listenport']
+                        $node->listenport->__toString() == $CurrentRelay['listenport']
                     ) {
                         return array(
                                   "result" => "failed",
@@ -220,7 +220,7 @@ public function addRelayAction()
                                );
                     }
 
-                    $result = count(explode(',',$node->interfaces));
+                    $result = count(explode(',', $node->interfaces));
                     if (
                         $result < 2
                     ) {

From 83f2841fba509bfbd7be41f9e44d248d690a09fb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 15 Apr 2020 18:36:32 +0200
Subject: [PATCH 0086/3088] net/firewall: bump version after changes

---
 net/firewall/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 5898e58862..b77fe65064 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		0.2
+PLUGIN_VERSION=		0.3
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEVEL=		yes

From f8bd08e12c699e877b739185d7e29d8dbe4e150d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 15 Apr 2020 20:02:43 +0200
Subject: [PATCH 0087/3088] Framework: deploy same package logic as core.git
 has now

The idea was to have a shared default.mk between both repositories,
but for the time being this has an issue with the different prefixes
used by core.git and plugins.git, namely CORE_ and PLUGIN_.
---
 Mk/defaults.mk | 37 ++++++++++++++++++++++++++++++-------
 Mk/plugins.mk  |  8 ++------
 2 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 0f6f3b1c3d..815b7c4060 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -26,18 +26,41 @@
 LOCALBASE?=	/usr/local
 PAGER?=		less
 
+PKG!=		which pkg || echo true
+GIT!=		which git || echo true
+
+_PLUGIN_ARCH!=	uname -p
+PLUGIN_ARCH?=	${_PLUGIN_ARCH}
+
 OPENSSL?=	${LOCALBASE}/bin/openssl
 
-_FLAVOUR!=	if [ -f ${OPENSSL} ]; then ${OPENSSL} version; fi
-FLAVOUR?=	${_FLAVOUR:[1]}
+.if ! defined(PLUGIN_FLAVOUR)
+.if exists(${OPENSSL})
+_PLUGIN_FLAVOUR!=	${OPENSSL} version
+PLUGIN_FLAVOUR?=	${_PLUGIN_FLAVOUR:[1]}
+.else
+.warning "Detected 'Base' flavour is not currently supported"
+PLUGIN_FLAVOUR?=	Base
+.endif
+.endif
+
+PHPBIN=		${LOCALBASE}/bin/php
 
-PKG!=		which pkg || echo true
-GIT!=		which git || echo true
-ARCH!=		uname -p
+.if exists(${PHPBIN})
+_PLUGIN_PHP!=	${PHPBIN} -v
+PLUGIN_PHP?=	${_PLUGIN_PHP:[2]:S/./ /g:[1..2]:tW:S/ //}
+.endif
+
+PYTHONLINK=	${LOCALBASE}/bin/python3
+
+.if exists(${PYTHONLINK})
+_PLUGIN_PYTHON!=${PYTHONLINK} -V
+PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
+.endif
 
 PLUGIN_ABI?=	20.1
-PLUGIN_ARCH?=	${ARCH}
-PLUGIN_FLAVOUR?=${FLAVOUR}
+PLUGIN_PHP?=	72
+PLUGIN_PYTHON?=	37
 
 REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_ARCH \
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index bb6942c55a..6722b8727e 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -27,10 +27,6 @@ all: check
 
 .include "defaults.mk"
 
-PLUGIN_ARCH?=		${ARCH}
-PLUGIN_PHP?=		72
-PLUGIN_PYTHON?=		37
-
 PLUGIN_DESC=		pkg-descr
 PLUGIN_SCRIPTS=		+PRE_INSTALL +POST_INSTALL \
 			+PRE_DEINSTALL +POST_DEINSTALL
@@ -236,10 +232,10 @@ package: check
 	@if ! ${PKG} info ${DEP} > /dev/null; then ${PKG} install -yA ${DEP}; fi
 .endfor
 	@echo -n ">>> Generating metadata for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}..."
-	@${MAKE} DESTDIR=${WRKSRC} FLAVOUR=${FLAVOUR} metadata
+	@${MAKE} DESTDIR=${WRKSRC} metadata
 	@echo " done"
 	@echo -n ">>> Staging files for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}..."
-	@${MAKE} DESTDIR=${WRKSRC} FLAVOUR=${FLAVOUR} install
+	@${MAKE} DESTDIR=${WRKSRC} install
 	@echo " done"
 	@echo ">>> Packaging files for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}:"
 	@${PKG} create -v -m ${WRKSRC} -r ${WRKSRC} \

From b10ffbaceb22267559ca541b2c45c4b1601097f9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 15 Apr 2020 20:11:02 +0200
Subject: [PATCH 0088/3088] Framework: small output for directory change

---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index cf1ed5acee..2b9da252c5 100644
--- a/Makefile
+++ b/Makefile
@@ -48,6 +48,7 @@ TARGETS=	clean lint style style-fix style-python sweep test
 .for TARGET in ${TARGETS}
 ${TARGET}:
 .  for PLUGIN_DIR in ${PLUGIN_DIRS}
+	@echo ">>> Entering ${PLUGIN_DIR}"
 	@${MAKE} -C ${PLUGIN_DIR} ${TARGET}
 .  endfor
 .endfor

From 61391097b30072fd1167f8ebcd3bddb8038f7eee Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 16 Apr 2020 00:00:58 +0200
Subject: [PATCH 0089/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index eee2f29f11..9cd8c47016 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		2.21
+PLUGIN_VERSION=		2.22
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de

From f1b7285b0666558e8e67269945b330ba70a2b8fb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Apr 2020 13:03:39 +0200
Subject: [PATCH 0090/3088] net/udpbroadcastrelay: fix permission

---
 net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay

diff --git a/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay b/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
old mode 100644
new mode 100755

From adb0dcad2076b2b33ab7b4bb9050170e36068f13 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Apr 2020 14:40:55 +0200
Subject: [PATCH 0091/3088] dns/unbound-plus: small change to parse copyright

---
 LICENSE                                                         | 1 +
 .../src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py          | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index 6da3cfdf3f..d4dd30ef24 100644
--- a/LICENSE
+++ b/LICENSE
@@ -20,6 +20,7 @@ Copyright (c) 2019 Juergen Kellerer
 Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2017-2020 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2020 Petr Kejval <petr.kejval6@gmail.com>
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010-2012 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
diff --git a/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py b/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
index 811a6ebc13..f933ad6877 100755
--- a/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
+++ b/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
@@ -1,7 +1,7 @@
 #!/usr/local/bin/python3
 
 # DNS BL script
-# Copyright 2020 Petr Kejval <petr.kejval6@gmail.com>
+# Copyright (c) 2020 Petr Kejval <petr.kejval6@gmail.com>
 
 # Downloads blacklisted domains from user specified URLs and "compile" them into unbound.conf compatible file
 

From 65abab88daf5c7dc2bea8824419e396ccdf38cf2 Mon Sep 17 00:00:00 2001
From: prunkster <falcon4u@gmx.net>
Date: Thu, 16 Apr 2020 23:10:48 +0200
Subject: [PATCH 0092/3088] security/acme-client: add support for dnsapi
 "Euserv.eu"

- added option "--insecure"
- increased maximum dns sleep time
---
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml         | 4 ++--
 .../src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php   | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 3ac2719109..4bf12717fd 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -420,9 +420,9 @@
                 </dns_service>
                 <dns_sleep type="IntegerField">
                     <MinimumValue>1</MinimumValue>
-                    <MaximumValue>10000</MaximumValue>
+                    <MaximumValue>84600</MaximumValue>
                     <default>120</default>
-                    <ValidationMessage>Please specify a value between 1 and 10000.</ValidationMessage>
+                    <ValidationMessage>Please specify a value between 1 and 84600.</ValidationMessage>
                     <Required>Y</Required>
                 </dns_sleep>
                 <dns_ad_key type="TextField">
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index f9a648ee52..9abdd32e8e 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -735,6 +735,7 @@ function run_acme_validation($certObj, $valObj, $acctObj)
             case 'dns_euserv':
                 $proc_env['EUSERV_Username'] = (string)$valObj->dns_euserv_user;
                 $proc_env['EUSERV_Password'] = (string)$valObj->dns_euserv_password;
+                $acme_hook_options[] = "--insecure";
                 break;
             case 'dns_freedns':
                 $proc_env['FREEDNS_User'] = (string)$valObj->dns_freedns_user;

From d380ee2df14014276c6ea5e18fef4a12cc8e9296 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 20 Apr 2020 14:37:18 +0200
Subject: [PATCH 0093/3088] net/firewall: version 1.0

---
 README.md             | 2 +-
 net/firewall/Makefile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 199d6918bf..31cc612ce8 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ net-mgmt/nrpe -- Execute nagios plugins
 net-mgmt/telegraf -- Agent for collecting metrics and data
 net-mgmt/zabbix-agent -- Zabbix monitoring agent
 net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
-net/firewall -- Firewall API supplemental package (development only)
+net/firewall -- Firewall API supplemental package
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
 net/ftp-proxy -- Control ftp-proxy processes
diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index b77fe65064..5c667b1ee0 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,7 +1,6 @@
 PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		0.3
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_DEVEL=		yes
 
 .include "../../Mk/plugins.mk"

From df2628338888087308344be766d0f52723049135 Mon Sep 17 00:00:00 2001
From: Gauss23 <gauss@gmx.de>
Date: Mon, 20 Apr 2020 10:33:34 +0200
Subject: [PATCH 0094/3088] wake_on_lan widget: find macs case-insensitive
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Find mac addresses case-insensitive. When mac addresses are added, they are saved like the users enters them. If the user used upper-case letters, this results in showing the host offline in the dashboard, although it´s online. Other fix would be to make all mac inputs lowercase while saving.
---
 net/wol/src/www/widgets/widgets/wake_on_lan.widget.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php b/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
index 8d77e89696..adef5d97a5 100644
--- a/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
+++ b/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
@@ -45,7 +45,7 @@
   <tbody>
 <?php
     foreach ($wol->wolentry->iterateItems() as $wolent):
-      $is_active = exec("/usr/sbin/arp -an |/usr/bin/grep {$wolent->mac}| /usr/bin/wc -l|/usr/bin/awk '{print $1;}'");?>
+      $is_active = exec("/usr/sbin/arp -an |/usr/bin/grep -i {$wolent->mac}| /usr/bin/wc -l|/usr/bin/awk '{print $1;}'");?>
     <tr>
         <td><?= !empty((string)$wolent->descr) ? $wolent->descr : gettext('Unnamed entry') ?><br/><?= $wolent->mac ?></td>
         <td><?=htmlspecialchars(convert_friendly_interface_to_friendly_descr((string)$wolent->interface));?></td>

From 6a58d19c49e12008960e5a78870652256666335b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Apr 2020 13:24:29 +0200
Subject: [PATCH 0095/3088] net/wol: next version

---
 net/wol/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index e4184ba927..bbae997f3f 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wol
-PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		2.3
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 7178da958bcd56f14a63bdc1d65f9127708c707c Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 29 Apr 2020 11:37:20 +0200
Subject: [PATCH 0096/3088] dns/unbound-plus: fix DoT validations (#1803)

---
 .../mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
index 3a4e3cb4fb..1ae1f590ae 100644
--- a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
+++ b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
@@ -8,7 +8,7 @@
         </privatedomain>
         <dotservers type="CSVListField">
             <Required>N</Required>
-            <mask>/^[a-fA-F0-9\.\@]{1,46}$/</mask>
+            <mask>/^[a-fA-F0-9\.\,\:\@]{1,512}$/</mask>
         </dotservers>
     </items>
 </model>

From 4c07622fbde1c39d378f49dd05187311edb44fce Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Apr 2020 11:38:33 +0200
Subject: [PATCH 0097/3088] dns/unbound-plus: advertise fix

---
 dns/unbound-plus/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/unbound-plus/Makefile b/dns/unbound-plus/Makefile
index c0ffdf6ec0..b12f8cf3db 100644
--- a/dns/unbound-plus/Makefile
+++ b/dns/unbound-plus/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		unbound-plus
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Unbound additions
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 

From 930995ba3a18667830b046adef6c69ac6d419a17 Mon Sep 17 00:00:00 2001
From: Johann Richard <189003+johannrichard@users.noreply.github.com>
Date: Tue, 5 May 2020 07:25:34 +0200
Subject: [PATCH 0098/3088] Make doc for password more explicit, group options
 logically  (#1765)

It may be obvious to some, but I think there's some value in making it more explicit that the password required here is for the *remote* shadowsocks server. Furthermore, I would suggest moving the password in the form closer to the remove server info.
---
 .../controllers/OPNsense/Shadowsocks/forms/local.xml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/local.xml b/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/local.xml
index fd8d43bbd4..1030a427cd 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/local.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/local.xml
@@ -17,6 +17,12 @@
         <type>text</type>
         <help>Port of the remote server.</help>
     </field>
+    <field>
+        <id>local.password</id>
+        <label>Password</label>
+        <type>text</type>
+        <help>Password to authenticate against the remote server.</help>
+    </field>
     <field>
         <id>local.localaddress</id>
         <label>Local Address</label>
@@ -29,12 +35,6 @@
         <type>text</type>
         <help>The local port of the daemon, default is fine.</help>
     </field>
-    <field>
-        <id>local.password</id>
-        <label>Password</label>
-        <type>text</type>
-        <help>Password to authenticate against the server.</help>
-    </field>
     <field>
         <id>local.cipher</id>
         <label>Cipher</label>

From dc7980a3e063992f7500b9ab33c7eae9564681d4 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Sun, 3 May 2020 01:13:41 +0100
Subject: [PATCH 0099/3088] unboundplus: Use 'forward-tls-upstream' config key

While 'forward-ssl-upstream' is indeed an alias/alternative syntax for the '*tls*' option, therefore it's more a cosmetic thing - specially because it's called DNS over TLS. Just to be consistent with terms used.
---
 .../opnsense/service/templates/OPNsense/Unboundplus/dot.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf
index ae59c336b8..8837f8fd76 100644
--- a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf
+++ b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf
@@ -3,7 +3,7 @@ server:
   tls-cert-bundle: /etc/ssl/cert.pem
 forward-zone:
   name: "."
-  forward-ssl-upstream: yes
+  forward-tls-upstream: yes
 {%   for dot in OPNsense.unboundplus.miscellaneous.dotservers.split(',') %}
   forward-addr: {{ dot }}
 {%   endfor %}

From f2db771984ac5b5ce4c5c4fa11121bb4476e4d93 Mon Sep 17 00:00:00 2001
From: vnxme <46669194+vnxme@users.noreply.github.com>
Date: Tue, 12 May 2020 13:49:01 +0300
Subject: [PATCH 0100/3088] security/tinc: Fix switch mode (#1733)

* security/tinc: Allow empty subnet for switch mode

A Host class with empty self._payload['subnet'] is considered invalid (lines 38-39). Thus, we can remove self._payload['subnet'] = None from __init__() and add a check for existance to config_text().

* security/tinc: Allow empty subnet for switch mode

Set network.subnet.required and host.subnet.required to N, add a required constraint for network.subnet if network.mode is router.

* security/tinc: Trigger configctl on tinc-up

In order to support various dual-stack configs (primary IPv4/v6 assigned by VPN/Tinc and any combination of alias IPv4/v6 assigned by Firewall/VIP) we need to trigger configctl:
- Primary IPv4: /usr/local/opnsense/service/configd_ctl.py interface newip $interface
- Primary IPv6: /usr/local/opnsense/service/configd_ctl.py interface newipv6 $interface

* security/tinc: Destroy tun/tap interface on stop

Destroying tun/tap interface each time Tinc daemon stops/restarts resolves the issue of losing IPv6 network routes (see #3972).

* security/Tinc: Add a missing reference constraint

The network.mode field is now linked to the network.subnet field.

* security/Tinc: Refactor tincd.py
---
 .../mvc/app/models/OPNsense/Tinc/Tinc.xml       | 17 +++++++++++++++--
 .../scripts/OPNsense/Tinc/lib/objects.py        |  8 ++++----
 .../src/opnsense/scripts/OPNsense/Tinc/tincd.py | 11 +++++++++--
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index 9741c5d3b8..e8abbc0c0c 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -37,10 +37,18 @@
                     <WildcardEnabled>N</WildcardEnabled>
                 </intaddress>
                 <subnet type="NetworkField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <WildcardEnabled>N</WildcardEnabled>
                     <NetMaskRequired>Y</NetMaskRequired>
                     <FieldSeparator>,</FieldSeparator>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Subnet field must be set in router mode.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>mode</field>
+                            <check>router</check>
+                        </check001>
+                    </Constraints>
                 </subnet>
                 <pingtimeout type="IntegerField">
                     <Required>Y</Required>
@@ -69,6 +77,11 @@
                       <router>router</router>
                       <switch>switch</switch>
                   </OptionValues>
+                  <Constraints>
+                      <check001>
+                          <reference>subnet.check001</reference>
+                      </check001>
+                  </Constraints>
                 </mode>
                 <PMTUDiscovery type="BooleanField">
                     <default>1</default>
@@ -123,7 +136,7 @@
                     <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
                 </extaddress>
                 <subnet type="NetworkField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <WildcardEnabled>N</WildcardEnabled>
                     <NetMaskRequired>Y</NetMaskRequired>
                     <FieldSeparator>,</FieldSeparator>
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
index 81cb8e563d..6b9ccfcd3c 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
@@ -123,7 +123,6 @@ class Host(NetwConfObject):
     def __init__(self):
         super(Host, self).__init__()
         self._connectTo = "0"
-        self._payload['subnet'] = None
         self._payload['pubkey'] = None
         self._payload['cipher'] = None
 
@@ -139,9 +138,10 @@ def set_connectto(self, value):
     def config_text(self):
         result = list()
         result.append('Address=%(address)s %(port)s'%self._payload)
-        networks = self._payload['subnet'].split(',')
-        for network in networks:
-            result.append('Subnet=%s' % network)
+        if 'subnet' in self._payload:
+            networks = self._payload['subnet'].split(',')
+            for network in networks:
+                result.append('Subnet=%s' % network)
         result.append('Cipher=%(cipher)s'%self._payload)
         result.append('Digest=sha256')
         result.append(self._payload['pubkey'])
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
index f34ae87eff..3f5f887f49 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
@@ -86,11 +86,14 @@ def deploy(config_filename):
 
         # write tinc-up file
         interface_address = network.get_local_address()
-        interface_family = "inet6" if ipaddress.ip_network(interface_address, False).version == 6 else "inet"
+        interface_network = ipaddress.ip_network(interface_address, False)
+        interface_family = "inet6" if interface_network.version == 6 else "inet"
+        interface_configd = "newipv6" if interface_network.version == 6 else "newip"
 
         if_up = list()
         if_up.append("#!/bin/sh")
-        if_up.append("ifconfig %s %s %s " % (interface_name, interface_family, pipes.quote(interface_address)))
+        if_up.append("ifconfig %s %s %s" % (interface_name, interface_family, pipes.quote(interface_address)))
+        if_up.append("configctl interface %s %s" % (interface_configd, interface_name))
         write_file("%s/tinc-up" % network.get_basepath(), '\n'.join(if_up) + "\n", 0o700)
 
         # configure and rename new tun device, place all in group "tinc" symlink associated tun device
@@ -108,6 +111,10 @@ def deploy(config_filename):
     if sys.argv[1] == 'stop':
         for instance in glob.glob('/usr/local/etc/tinc/*'):
             subprocess.run(['/usr/local/sbin/tincd','-n',instance.split('/')[-1], '-k'])
+            if os.path.exists('%s/tinc.conf' % instance):
+                interface_name  = open('%s/tinc.conf' % instance).read().split('Device=')[-1].split()[0].split('/')[-1]
+                if interface_name.startswith('tinc'):
+                    subprocess.run(['/sbin/ifconfig',interface_name,'destroy'])
     elif sys.argv[1] == 'start':
         for netwrk in deploy('/usr/local/etc/tinc_deploy.xml'):
             subprocess.run(['/usr/local/sbin/tincd','-n',netwrk.get_network(), '-R', '-d', netwrk.get_debuglevel()])

From faa23ffae97eb6e3a57e4a9a06c5778d11da19d4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 12 May 2020 13:55:27 +0200
Subject: [PATCH 0101/3088] Syslog-NG: add templates for
 https://github.com/opnsense/core/issues/4068

---
 .../service/templates/OPNsense/Syslog/local/postfix.conf    | 6 ++++++
 .../service/templates/OPNsense/Syslog/local/haproxy.conf    | 6 ++++++
 .../service/templates/OPNsense/Syslog/local/tinc.conf       | 6 ++++++
 3 files changed, 18 insertions(+)
 create mode 100644 mail/postfix/src/opnsense/service/templates/OPNsense/Syslog/local/postfix.conf
 create mode 100644 net/haproxy/src/opnsense/service/templates/OPNsense/Syslog/local/haproxy.conf
 create mode 100644 security/tinc/src/opnsense/service/templates/OPNsense/Syslog/local/tinc.conf

diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Syslog/local/postfix.conf b/mail/postfix/src/opnsense/service/templates/OPNsense/Syslog/local/postfix.conf
new file mode 100644
index 0000000000..2e8e746c5a
--- /dev/null
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Syslog/local/postfix.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [postfix].
+###################################################################
+filter f_local_postfix {
+    program("postfix");
+};
\ No newline at end of file
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/Syslog/local/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/Syslog/local/haproxy.conf
new file mode 100644
index 0000000000..73f07d402e
--- /dev/null
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/Syslog/local/haproxy.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [haproxy].
+###################################################################
+filter f_local_haproxy {
+    program("haproxy");
+};
\ No newline at end of file
diff --git a/security/tinc/src/opnsense/service/templates/OPNsense/Syslog/local/tinc.conf b/security/tinc/src/opnsense/service/templates/OPNsense/Syslog/local/tinc.conf
new file mode 100644
index 0000000000..a29f98756a
--- /dev/null
+++ b/security/tinc/src/opnsense/service/templates/OPNsense/Syslog/local/tinc.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [tinc].
+###################################################################
+filter f_local_tinc {
+    program("tinc.*");
+};
\ No newline at end of file

From c6de3851f55912aee11e40e1c3f49febcf59cfe8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 May 2020 08:42:51 +0200
Subject: [PATCH 0102/3088] plugins: style sweep

---
 .../service/templates/OPNsense/Syslog/local/postfix.conf        | 2 +-
 .../service/templates/OPNsense/Syslog/local/haproxy.conf        | 2 +-
 .../opnsense/service/templates/OPNsense/Syslog/local/tinc.conf  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Syslog/local/postfix.conf b/mail/postfix/src/opnsense/service/templates/OPNsense/Syslog/local/postfix.conf
index 2e8e746c5a..caf523956a 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Syslog/local/postfix.conf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Syslog/local/postfix.conf
@@ -3,4 +3,4 @@
 ###################################################################
 filter f_local_postfix {
     program("postfix");
-};
\ No newline at end of file
+};
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/Syslog/local/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/Syslog/local/haproxy.conf
index 73f07d402e..a2691d2c18 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/Syslog/local/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/Syslog/local/haproxy.conf
@@ -3,4 +3,4 @@
 ###################################################################
 filter f_local_haproxy {
     program("haproxy");
-};
\ No newline at end of file
+};
diff --git a/security/tinc/src/opnsense/service/templates/OPNsense/Syslog/local/tinc.conf b/security/tinc/src/opnsense/service/templates/OPNsense/Syslog/local/tinc.conf
index a29f98756a..48fd37a414 100644
--- a/security/tinc/src/opnsense/service/templates/OPNsense/Syslog/local/tinc.conf
+++ b/security/tinc/src/opnsense/service/templates/OPNsense/Syslog/local/tinc.conf
@@ -3,4 +3,4 @@
 ###################################################################
 filter f_local_tinc {
     program("tinc.*");
-};
\ No newline at end of file
+};

From 0c67e9db298649fba190d2fddbf69e7dd5c1923e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=83=84?= <1109954+Xeroxxx@users.noreply.github.com>
Date: Fri, 15 May 2020 11:19:53 +0200
Subject: [PATCH 0103/3088] snort-vrt: Update rulesfile (#1835)

Update rulesfile.
2990 does not exist anymore.
29151 works best with suricata 4.1.8 and 5.0.3
---
 .../src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/intrusion-detection-content-snort-vrt/src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml b/security/intrusion-detection-content-snort-vrt/src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml
index d1a9ab81ba..699ef07494 100644
--- a/security/intrusion-detection-content-snort-vrt/src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml
+++ b/security/intrusion-detection-content-snort-vrt/src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml
@@ -123,6 +123,6 @@
 	</files>
 	<properties>
 		<property name="snort_vrt.oinkcode" default=""/>
-		<property name="snort_vrt.rulesfile" default="snortrules-snapshot-2990.tar.gz"/>
+		<property name="snort_vrt.rulesfile" default="snortrules-snapshot-29151.tar.gz"/>
 	</properties>
 </ruleset>

From 4c79d89c8f07b78eb2bca955b67ead727c67406f Mon Sep 17 00:00:00 2001
From: Maarten den Braber <m@mdbraber.com>
Date: Sat, 16 May 2020 23:36:37 +0200
Subject: [PATCH 0104/3088] Add Acmeproxy DNS provider dialogs

---
 .../AcmeClient/forms/dialogValidation.xml     | 20 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 12 ++++++++++-
 .../OPNsense/AcmeClient/certhelper.php        |  7 ++++++-
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 3b2f618ef2..25d472bfb9 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1008,6 +1008,26 @@
         <type>text</type>
         <help>Specify the custom ACME DNS Update URL, i.e. https://auth.acme-dns.io/update (optional)</help>
     </field>
+    <field>
+        <label>acmeproxy</label>
+        <type>header</type>
+        <style>table_dns table_dns_acmeproxy</style>
+    </field>
+    <field>
+        <id>validation.dns_acmeproxy_endpoint</id>
+        <label>Endpoint</label>
+        <type>text</type>
+        <help>Specify the acmeproxy endpoint URL, i.e. https://acmeproxy.examp
+    </field>                                                                      <field>
+        <id>validation.dns_acmeproxy_username</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_acmeproxy_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
     <field>
         <label>Variomedia</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 4bf12717fd..3b4228b3a0 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -358,6 +358,7 @@
                     <default>dns_nsupdate</default>
                     <OptionValues>
                         <dns_acmedns>ACME DNS API</dns_acmedns>
+                        <dns_acmeproxy>Acmeproxy API</dns_acmeproxy>
                         <dns_ad>Alwaysdata.com API</dns_ad>
                         <dns_ali>aliyun.com API</dns_ali>
                         <dns_autodns>AutoDNS (InterNetX) API</dns_autodns>
@@ -847,7 +848,16 @@
                 <dns_acmedns_updateurl type="TextField">
                     <Required>N</Required>
                 </dns_acmedns_updateurl>
-                <dns_variomedia_key type="TextField">
+                <dns_acmeproxy_endpoint type="TextField">
+                    <Required>N</Required>
+                </dns_acmeproxy_endpoint>
+                <dns_acmeproxy_username type="TextField">
+                    <Required>N</Required>
+                </dns_acmeproxy_username>
+                <dns_acmeproxy_password type="TextField">
+                    <Required>N</Required>
+                </dns_acmeproxy_password>
+		<dns_variomedia_key type="TextField">
                     <Required>N</Required>
                 </dns_variomedia_key>
                 <dns_schlundtech_user type="TextField">
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index 9abdd32e8e..d297b4ade2 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -653,7 +653,12 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['ACMEDNS_SUBDOMAIN'] = (string)$valObj->dns_acmedns_subdomain;
                 $proc_env['ACMEDNS_UPDATE_URL'] = (string)$valObj->dns_acmedns_updateurl;
                 break;
-            case 'dns_ad':
+            case 'dns_acmeproxy':
+                $proc_env['ACMEPROXY_ENDPOINT'] = (string)$valObj->dns_acmeproxy_endpoint;
+                $proc_env['ACMEPROXY_USERNAME'] = (string)$valObj->dns_acmeproxy_username;
+                $proc_env['ACMEPROXY_PASSWORD'] = (string)$valObj->dns_acmeproxy_password;
+                break;
+	    case 'dns_ad':
                 $proc_env['AD_API_KEY'] = (string)$valObj->dns_ad_key;
                 break;
             case 'dns_ali':

From ce5c6be647bc171fffa65c03b50b28650f656f6c Mon Sep 17 00:00:00 2001
From: Maarten den Braber <m@mdbraber.com>
Date: Sat, 16 May 2020 23:38:14 +0200
Subject: [PATCH 0105/3088] Fix formatting issue

---
 .../src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index d297b4ade2..e5a2657ff1 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -658,7 +658,7 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['ACMEPROXY_USERNAME'] = (string)$valObj->dns_acmeproxy_username;
                 $proc_env['ACMEPROXY_PASSWORD'] = (string)$valObj->dns_acmeproxy_password;
                 break;
-	    case 'dns_ad':
+            case 'dns_ad':
                 $proc_env['AD_API_KEY'] = (string)$valObj->dns_ad_key;
                 break;
             case 'dns_ali':

From 6628f93fc11570cb0c5b35b24651fb738bba3274 Mon Sep 17 00:00:00 2001
From: Maarten den Braber <m@mdbraber.com>
Date: Sat, 16 May 2020 23:39:28 +0200
Subject: [PATCH 0106/3088] Tabs to spaces

---
 .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 3b4228b3a0..e093a34948 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -857,7 +857,7 @@
                 <dns_acmeproxy_password type="TextField">
                     <Required>N</Required>
                 </dns_acmeproxy_password>
-		<dns_variomedia_key type="TextField">
+                <dns_variomedia_key type="TextField">
                     <Required>N</Required>
                 </dns_variomedia_key>
                 <dns_schlundtech_user type="TextField">

From cf1828bc028017d66c57a876eebfe899fac7f4da Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 18 May 2020 09:49:50 +0200
Subject: [PATCH 0107/3088] post merge fixes for #1838

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml         | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 25d472bfb9..c45394a474 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1009,7 +1009,7 @@
         <help>Specify the custom ACME DNS Update URL, i.e. https://auth.acme-dns.io/update (optional)</help>
     </field>
     <field>
-        <label>acmeproxy</label>
+        <label>Acmeproxy</label>
         <type>header</type>
         <style>table_dns table_dns_acmeproxy</style>
     </field>
@@ -1017,8 +1017,9 @@
         <id>validation.dns_acmeproxy_endpoint</id>
         <label>Endpoint</label>
         <type>text</type>
-        <help>Specify the acmeproxy endpoint URL, i.e. https://acmeproxy.examp
-    </field>                                                                      <field>
+        <help>Specify the acmeproxy endpoint URL, i.e. https://acmeproxy.example.com/</help>
+    </field>
+    <field>
         <id>validation.dns_acmeproxy_username</id>
         <label>User</label>
         <type>text</type>

From 8611398aaa8340439bcd9514346195a329e9285a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 18 May 2020 09:50:05 +0200
Subject: [PATCH 0108/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 32c1cd94f0..f85e6913ac 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		1.31
+PLUGIN_VERSION=		1.32
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 2a8b0a58edbd9386b8951b6201e1fa913fe88a4c Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Mon, 18 May 2020 15:31:18 +0200
Subject: [PATCH 0109/3088] stunnel: initial release  (#1840)

* stunnel: boilerplate for https://github.com/opnsense/plugins/issues/1829

* stunnel: work in progress for https://github.com/opnsense/plugins/issues/1829

* stunnel: add service control and acl for https://github.com/opnsense/plugins/issues/1829

* stunnel: add cipher selection for https://github.com/opnsense/plugins/issues/1829

Since stunnel uses different parameter pairs for TLSv1.[1,2] and TLSv1.3, we'll try to sort them out in our config template.
When no TLSv1.3 ciphers are allowed, we should limit the sslVersionMax parameter as well as it seems.

* stunnel: set TLS1.2 as minimum

* stunnel: disable rc conf when no services are active https://github.com/opnsense/plugins/issues/1829

* stunnel: CRL support for https://github.com/opnsense/plugins/issues/1829

* stunnel: simplify cert creation, combine cert+key in one file. for https://github.com/opnsense/plugins/issues/1829

* stunnel: syslog and log viewer for https://github.com/opnsense/plugins/issues/1829

* stunnel: add hasync anchor, for https://github.com/opnsense/plugins/issues/1829
---
 security/stunnel/Makefile                     |   8 ++
 security/stunnel/pkg-descr                    |   2 +
 .../src/etc/inc/plugins.inc.d/stunnel.inc     | 107 ++++++++++++++++++
 .../Stunnel/Api/ServiceController.php         |  42 +++++++
 .../Stunnel/Api/ServicesController.php        |  80 +++++++++++++
 .../OPNsense/Stunnel/ServicesController.php   |  39 +++++++
 .../OPNsense/Stunnel/forms/dialogService.xml  |  69 +++++++++++
 .../app/models/OPNsense/Stunnel/ACL/ACL.xml   |   9 ++
 .../app/models/OPNsense/Stunnel/Menu/Menu.xml |   8 ++
 .../app/models/OPNsense/Stunnel/Stunnel.php   |  35 ++++++
 .../app/models/OPNsense/Stunnel/Stunnel.xml   |  73 ++++++++++++
 .../app/views/OPNsense/Stunnel/services.volt  |  89 +++++++++++++++
 .../scripts/stunnel/generate_certs.php        |  82 ++++++++++++++
 .../conf/actions.d/actions_stunnel.conf       |  29 +++++
 .../templates/OPNsense/Stunnel/+TARGETS       |   2 +
 .../templates/OPNsense/Stunnel/rc.conf.d      |  12 ++
 .../templates/OPNsense/Stunnel/stunnel.conf   |  44 +++++++
 .../OPNsense/Syslog/local/stunnel.conf        |   6 +
 18 files changed, 736 insertions(+)
 create mode 100644 security/stunnel/Makefile
 create mode 100644 security/stunnel/pkg-descr
 create mode 100644 security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
 create mode 100644 security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServiceController.php
 create mode 100644 security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
 create mode 100644 security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
 create mode 100644 security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
 create mode 100644 security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/ACL/ACL.xml
 create mode 100644 security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Menu/Menu.xml
 create mode 100644 security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.php
 create mode 100644 security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
 create mode 100644 security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
 create mode 100755 security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
 create mode 100644 security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
 create mode 100644 security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/+TARGETS
 create mode 100644 security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
 create mode 100644 security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
 create mode 100644 security/stunnel/src/opnsense/service/templates/OPNsense/Syslog/local/stunnel.conf

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
new file mode 100644
index 0000000000..d2a57c52b5
--- /dev/null
+++ b/security/stunnel/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		stunnel
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		stunnel TLS proxy
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_DEPENDS=     stunnel
+PLUGIN_DEVEL=		yes
+
+.include "../../Mk/plugins.mk"
diff --git a/security/stunnel/pkg-descr b/security/stunnel/pkg-descr
new file mode 100644
index 0000000000..c25f04950c
--- /dev/null
+++ b/security/stunnel/pkg-descr
@@ -0,0 +1,2 @@
+Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code.
+(https://www.stunnel.org/)
diff --git a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
new file mode 100644
index 0000000000..822abd73db
--- /dev/null
+++ b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
@@ -0,0 +1,107 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function stunnel_configure()
+{
+   return array(
+       'crl' => array('stunnel_refresh_crls')
+   );
+}
+
+function stunnel_refresh_crls()
+{
+    $stunnel = new OPNsense\Stunnel\Stunnel();
+    $configObj = OPNsense\Core\Config::getInstance()->object();
+    foreach ($stunnel->services->service->__items as $service) {
+        if (!empty((string)$service->enabled) && !empty((string)$service->enableCRL)) {
+            foreach (explode(",", (string)$service->cacert) as $cacert) {
+                $this_ca = null;
+                if (!empty($configObj->ca)) {
+                    foreach ($configObj->ca as $ca) {
+                        if ((string)$ca->refid == $cacert && !empty((string)$ca->prv)) {
+                            $this_ca = $ca;
+                        }
+                    }
+                }
+                if ($this_ca) {
+                    $ca_hash = null;
+                    $ca_crt = base64_decode((string)$this_ca->crt);
+                    $ca_key = base64_decode((string)$this_ca->prv);
+                    $process = proc_open("openssl x509 -hash -noout", [["pipe", "r"], ["pipe", "w"]], $pipes);
+                    if (is_resource($process)) {
+                        fwrite($pipes[0], $ca_crt);
+                        fclose($pipes[0]);
+                        $ca_hash = trim(stream_get_contents($pipes[1]));
+                        fclose($pipes[1]);
+                        proc_close($process);
+                    }
+                    if ($ca_hash) {
+                        $crlres = openssl_crl_new($ca_crt, 0, 9999);
+                        if (!empty($configObj->crl)) {
+                            foreach ($configObj->crl as $crl) {
+                                if ($crl->caref == $cacert && !empty((string)$crl->cert)) {
+                                    foreach ($crl->cert as $cert) {
+                                        openssl_crl_revoke_cert(
+                                            $crlres,
+                                            base64_decode((string)$cert->crt),
+                                            (string)$cert->revoke_time,
+                                            (string)$cert->reason
+                                        );
+                                    }
+                                }
+                            }
+                        }
+                        $crl_text = "";
+                        openssl_crl_export($crlres, $crl_text, $ca_key);
+                        file_put_contents("/var/run/stunnel/certs/{$ca_hash}.r0", $crl_text);
+                    }
+                }
+            }
+        }
+    }
+}
+
+function stunnel_syslog()
+{
+    $logfacilities = array();
+    $logfacilities['stunnel'] = array(
+        'facility' => array('stunnel')
+    );
+    return $logfacilities;
+}
+
+function stunnel_xmlrpc_sync()
+{
+    $result = array();
+    $result[] = array(
+        'description' => gettext('Stunnel'),
+        'section' => 'OPNsense.Stunnel',
+        'id' => 'stunnel',
+    );
+    return $result;
+}
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServiceController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServiceController.php
new file mode 100644
index 0000000000..dc1ba13c9e
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServiceController.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * Copyright (c) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Stunnel\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+/**
+ * {@inheritdoc}
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Stunnel\Stunnel';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceTemplate = 'OPNsense/Stunnel';
+    protected static $internalServiceName = 'stunnel';
+}
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
new file mode 100644
index 0000000000..30a0047b99
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
@@ -0,0 +1,80 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Stunnel\Api;
+
+use \OPNsense\Base\ApiMutableModelControllerBase;
+
+class ServicesController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'stunnel';
+    protected static $internalModelClass = 'OPNsense\Stunnel\Stunnel';
+
+    protected function save()
+    {
+        // hook service enable status on enabled tunnels
+        $this->getModel()->general->enabled = "0";
+        foreach ($this->getModel()->services->service->__items as $service) {
+            if ((string)$service->enabled == "1") {
+                $this->getModel()->general->enabled = "1";
+                break;
+            }
+        }
+        parent::save();
+    }
+
+    public function searchItemAction()
+    {
+        return $this->searchBase("services.service", array('enabled', 'description'), "description");
+    }
+
+    public function setItemAction($uuid)
+    {
+        return $this->setBase("service", "services.service", $uuid);
+    }
+
+    public function addItemAction()
+    {
+        return $this->addBase("service", "services.service");
+    }
+
+    public function getItemAction($uuid = null)
+    {
+        return $this->getBase("service", "services.service", $uuid);
+    }
+
+    public function delItemAction($uuid)
+    {
+        return $this->delBase("services.service", $uuid);
+    }
+
+    public function toggleItemAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("services.service", $uuid, $enabled);
+    }
+}
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
new file mode 100644
index 0000000000..dfb898991b
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Stunnel;
+use OPNsense\Base\{IndexController};
+
+class ServicesController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Stunnel/services');
+        $this->view->formDialogService = $this->getForm("dialogService");
+    }
+}
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
new file mode 100644
index 0000000000..9d32302804
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
@@ -0,0 +1,69 @@
+<form>
+    <field>
+        <id>service.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help>Enable this rule</help>
+    </field>
+    <field>
+        <id>service.accept_address</id>
+        <label>Listen address</label>
+        <type>text</type>
+        <help>If possible, a loopback address is the safest choice here, you can forward traffic to it using the firewall.</help>
+    </field>
+    <field>
+        <id>service.accept_port</id>
+        <label>Listen port</label>
+        <type>text</type>
+        <help>The port on which connections will be accepted.</help>
+    </field>
+    <field>
+        <id>service.connect_address</id>
+        <label>Target hostname</label>
+        <type>text</type>
+        <help>The other end of this tunnel.</help>
+    </field>
+    <field>
+        <id>service.connect_port</id>
+        <label>Target port</label>
+        <type>text</type>
+        <help>The port to forward traffic to.</help>
+    </field>
+    <field>
+        <id>service.servercert</id>
+        <label>Certificate</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select a certificate to use for this service.]]></help>
+    </field>
+    <field>
+        <id>service.cacert</id>
+        <label>CA to validate connections to</label>
+        <type>select_multiple</type>
+        <help><![CDATA[Select a Certificate Authority to validate connections to. To create a CA, go to <a href="/system_camanager.php">CA Manager</a>.]]></help>
+    </field>
+    <field>
+        <id>service.enableCRL</id>
+        <label>enable CRL</label>
+        <type>checkbox</type>
+        <help><![CDATA[
+            Enable certificate revocation lists, when selected a CRL with the format XXXXXXXX.r0 is required in the chroot (/var/run/stunnel/certs/).
+            When certificates are managed from this machine, the attached CRLs will be generated automatically.
+            For more information about this option, see CRLpath in stunnels manual.
+
+            If configured and a valid CRL is not available, all connections will be denied.
+            Additions may need a restart of stunnel (when the certificate was already used).
+            ]]></help>
+    </field>
+    <field>
+        <id>service.ciphers</id>
+        <label>Ciphers</label>
+        <type>select_multiple</type>
+        <help><![CDATA[Select all accepted TLS ciphers.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>service.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+</form>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/ACL/ACL.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/ACL/ACL.xml
new file mode 100644
index 0000000000..8193662ca0
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-stunnel>
+        <name>Services: Stunnel</name>
+        <patterns>
+            <pattern>ui/stunnel/*</pattern>
+            <pattern>api/stunnel/*</pattern>
+        </patterns>
+    </page-services-stunnel>
+</acl>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Menu/Menu.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Menu/Menu.xml
new file mode 100644
index 0000000000..6cd50fa8c7
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+    <VPN>
+        <Stunnel cssClass="fa fa-dot-circle-o fa-fw"  order="110">
+            <Configuration url="/ui/stunnel/services/"/>
+            <LogFile VisibleName="Log File" url="/ui/diagnostics/log/core/stunnel"/>
+        </Stunnel>
+    </VPN>
+</menu>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.php b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.php
new file mode 100644
index 0000000000..b4075e267a
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Stunnel;
+
+use OPNsense\Base\BaseModel;
+
+class Stunnel extends BaseModel
+{
+}
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
new file mode 100644
index 0000000000..b17406bbb4
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -0,0 +1,73 @@
+<model>
+    <mount>//OPNsense/Stunnel</mount>
+    <version>1.0.0</version>
+    <migration_prefix>MFP</migration_prefix>
+    <description>
+        OPNsense firewall filter rules
+    </description>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </enabled>
+        </general>
+        <services>
+            <service type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <accept_port type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                    <ValidationMessage>port needs to be an integer value between 1 and 65535</ValidationMessage>
+                    <Required>Y</Required>
+                </accept_port>
+                <accept_address type="NetworkField">
+                    <Required>Y</Required>
+                    <NetMaskAllowed>N</NetMaskAllowed>
+                    <default>127.0.0.1</default>
+                </accept_address>
+                <connect_address type="HostnameField">
+                    <Required>Y</Required>
+                </connect_address>
+                <connect_port type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                    <ValidationMessage>port needs to be an integer value between 1 and 65535</ValidationMessage>
+                    <Required>Y</Required>
+                </connect_port>
+                <cacert type="CertificateField">
+                    <Required>N</Required>
+                    <multiple>Y</multiple>
+                    <Type>ca</Type>
+                    <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
+                </cacert>
+                <enableCRL type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </enableCRL>
+                <ciphers type="JsonKeyValueStoreField">
+                    <default>TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384</default>
+                    <Required>Y</Required>
+                    <multiple>Y</multiple>
+                    <ConfigdPopulateAct>stunnel ssl ciphers</ConfigdPopulateAct>
+                    <SourceFile>/tmp/stunnel_ciphers_list.json</SourceFile>
+                    <ConfigdPopulateTTL>360</ConfigdPopulateTTL>
+                    <ValidationMessage>Please specify valid tls ciphers.</ValidationMessage>
+                </ciphers>
+                <servercert type="CertificateField">
+                    <Required>Y</Required>
+                    <Type>cert</Type>
+                    <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
+                </servercert>
+                <description type="TextField">
+                    <Required>N</Required>
+                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
+                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
+                </description>
+            </service>
+        </services>
+    </items>
+</model>
diff --git a/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt b/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
new file mode 100644
index 0000000000..fd6ba46c47
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
@@ -0,0 +1,89 @@
+{#
+ # Copyright (c) 2020 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $( document ).ready(function() {
+        $("#grid-services").UIBootgrid(
+            {   search:'/api/stunnel/services/searchItem/',
+                get:'/api/stunnel/services/getItem/',
+                set:'/api/stunnel/services/setItem/',
+                add:'/api/stunnel/services/addItem/',
+                del:'/api/stunnel/services/delItem/',
+                toggle:'/api/stunnel/services/toggleItem/'
+            }
+        );
+        $("#reconfigureAct").SimpleActionButton();
+        updateServiceControlUI('stunnel');
+    });
+</script>
+
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" id="destinations" href="#tab_services">{{ lang._('Services') }}</a></li>
+</ul>
+<div class="tab-content content-box">
+    <div id="tab_services" class="tab-pane fade in active">
+        <!-- tab page "services" -->
+        <table id="grid-services" class="table table-condensed table-hover table-striped" data-editDialog="DialogService" data-editAlert="stunnelChangeMessage">
+            <thead>
+            <tr>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+    <div class="col-md-12">
+        <div id="stunnelChangeMessage" class="alert alert-info" style="display: none" role="alert">
+            {{ lang._('After changing settings, please remember to apply them with the button below') }}
+        </div>
+        <hr/>
+        <button class="btn btn-primary" id="reconfigureAct"
+                data-endpoint='/api/stunnel/service/reconfigure'
+                data-label="{{ lang._('Apply') }}"
+                data-service-widget="stunnel"
+                data-error-title="{{ lang._('Error reconfiguring stunnel') }}"
+                type="button"
+        ></button>
+        <br/><br/>
+    </div>
+</div>
+
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogService, 'id':'DialogService','label':lang._('Edit Service')])}}
diff --git a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
new file mode 100755
index 0000000000..b84979a964
--- /dev/null
+++ b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
@@ -0,0 +1,82 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2020 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('plugins.inc');
+require_once("legacy_bindings.inc");
+
+use OPNsense\Stunnel\Stunnel;
+use OPNsense\Core\Config;
+
+$base_path = "/usr/local/etc/stunnel/certs";
+$stunnel = new Stunnel();
+$configObj = Config::getInstance()->object();
+$all_certs = [];
+foreach ($stunnel->services->service->__items as $service) {
+    if (!empty((string)$service->enabled)) {
+        $this_uuid = $service->getAttributes()['uuid'];
+        $srv_certid = (string)$service->servercert;
+        foreach ($configObj->cert as $cert) {
+            if ($srv_certid == (string)$cert->refid) {
+                $all_certs["{$base_path}/{$this_uuid}.crt"] =
+                    base64_decode((string)$cert->crt) . "\n" . base64_decode((string)$cert->prv);
+            }
+        }
+        if (!empty((string)$service->cacert)) {
+            $all_certs["{$base_path}/{$this_uuid}.ca"] = "";
+            foreach (explode(",", (string)$service->cacert) as $caid) {
+                foreach ($configObj->ca as $ca) {
+                    if ((string)$ca->refid == $caid) {
+                        $all_certs["{$base_path}/{$this_uuid}.ca"] .= base64_decode((string)$ca->crt)."\n";
+                    }
+                }
+            }
+        }
+    }
+}
+
+if (!is_dir("/usr/local/etc/stunnel/certs")) {
+    mkdir("/usr/local/etc/stunnel/certs", 0700, true);
+    chown("/usr/local/etc/stunnel/certs", "stunnel");
+    chgrp("/usr/local/etc/stunnel/certs", "stunnel");
+}
+
+// cleanup stunnel cert directory
+foreach (glob("{$base_path}/*") as $filename) {
+    if (!isset($all_certs[$filename])) {
+        unlink($filename);
+    }
+}
+
+foreach($all_certs as $filename => $content) {
+    file_put_contents($filename, $content);
+    chown($filename, "stunnel");
+}
+
+// trigger certificate revocation lists update
+plugins_configure('crl');
diff --git a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
new file mode 100644
index 0000000000..ac583ea670
--- /dev/null
+++ b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
@@ -0,0 +1,29 @@
+[ssl.ciphers]
+command:/usr/local/opnsense/scripts/system/ssl_ciphers.py  --format=key_value
+parameters:
+type:script_output
+message:List SSL ciphers
+
+[start]
+command:/usr/local/etc/rc.d/stunnel start
+parameters:
+type:script
+message:stunnel service start
+
+[stop]
+command:/usr/local/etc/rc.d/stunnel stop
+parameters:
+type:script
+message:stunnel service stop
+
+[restart]
+command:/usr/local/etc/rc.d/stunnel restart
+parameters:
+type:script
+message:stunnel service restart
+
+[status]
+command:/usr/local/etc/rc.d/stunnel status; exit 0
+parameters:
+type:script_output
+message:stunnel status
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/+TARGETS b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/+TARGETS
new file mode 100644
index 0000000000..177c36ce4a
--- /dev/null
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/+TARGETS
@@ -0,0 +1,2 @@
+stunnel.conf:/usr/local/etc/stunnel/stunnel.conf
+rc.conf.d:/etc/rc.conf.d/stunnel
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
new file mode 100644
index 0000000000..874ae1b74d
--- /dev/null
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
@@ -0,0 +1,12 @@
+{% if not helpers.empty('OPNsense.Stunnel.general.enabled') %}
+stunnel_enable="YES"
+stunnel_pidfile="/var/run/stunnel/stunnel.pid"
+
+mkdir -p /var/run/stunnel/certs
+chown -R stunnel:stunnel /var/run/stunnel
+chmod -R 700 /var/run/stunnel
+
+/usr/local/opnsense/scripts/stunnel/generate_certs.php > /dev/null 2>&1
+{% else %}
+stunnel_enable="NO"
+{% endif %}
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
new file mode 100644
index 0000000000..4f89d541e7
--- /dev/null
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
@@ -0,0 +1,44 @@
+setuid = stunnel
+setgid = stunnel
+chroot = /var/run/stunnel
+pid = /stunnel.pid
+debug = info
+logId = unique
+
+
+{% if helpers.exists('OPNsense.Stunnel.services.service') %}
+{%   for service in helpers.toList('OPNsense.Stunnel.services.service') %}
+{%     if service.enabled|default('0') == '1' %}
+
+
+; **************************************************************************
+; * {{ service.description }}
+; **************************************************************************
+[{{service['@uuid']}}]
+accept = {% if service.accept_address %}{{service.accept_address}}:{% endif %}{{service.accept_port}}
+connect = {% if service.connect_address.find(":") > -1 %}[{{service.connect_address}}]{% else %}{{service.connect_address}}{% endif %}:{{service.connect_port}}
+cert = /usr/local/etc/stunnel/certs/{{service['@uuid']}}.crt
+{%       if service.cacert|default('') != '' %}
+CAfile = /usr/local/etc/stunnel/certs/{{service['@uuid']}}.ca
+requireCert = yes
+verifyChain = yes
+{%         if service.enableCRL|default('0') == '1' %}
+CRLpath = /certs/
+{%         endif %}
+{%       endif %}
+{%       set ciphers =[] %}
+{%       set ciphersuites =[] %}
+{%       for cipher in service.ciphers.split(',') %}
+{%         if cipher.startswith('TLS') %}
+{%           do ciphersuites.append(cipher) %}
+{%         else %}
+{%           do ciphers.append(cipher) %}
+{%         endif %}
+{%       endfor %}
+ciphers = {{ ciphers|join(':') }}
+ciphersuites = {{ ciphersuites|join(':') }}
+sslVersionMin=TLSv1.2
+sslVersionMax={% if ciphersuites %}TLSv1.3{% else %}TLSv1.2{% endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Syslog/local/stunnel.conf b/security/stunnel/src/opnsense/service/templates/OPNsense/Syslog/local/stunnel.conf
new file mode 100644
index 0000000000..96af65e4d1
--- /dev/null
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Syslog/local/stunnel.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [stunnel].
+###################################################################
+filter f_local_stunnel {
+    program("stunnel");
+};

From 1a791fb9986a31ed19bd2c8f3becc16615240c6d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 May 2020 16:38:36 +0200
Subject: [PATCH 0110/3088] net/firewall: style update

---
 .../controllers/OPNsense/Firewall/Api/FilterController.php  | 1 -
 .../OPNsense/Firewall/Api/SourceNatController.php           | 1 -
 .../OPNsense/Firewall/FieldTypes/SourceNatRuleField.php     | 1 -
 .../app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php    | 6 ++++--
 4 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
index 28e4151a78..225a07b723 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -27,7 +27,6 @@
  */
 namespace OPNsense\Firewall\Api;
 
-
 class FilterController extends FilterBaseController
 {
     public function searchRuleAction()
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
index f55640e989..151bf14db6 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
@@ -27,7 +27,6 @@
  */
 namespace OPNsense\Firewall\Api;
 
-
 class SourceNatController extends FilterBaseController
 {
     public function searchRuleAction()
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
index 7d7b6df4b9..f00fb1c980 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
@@ -28,7 +28,6 @@
  *
  */
 
-
 namespace OPNsense\Firewall\FieldTypes;
 
 use OPNsense\Base\FieldTypes\ArrayField;
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
index d3db9e86f2..2e33d2f7c4 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
@@ -39,8 +39,10 @@ public function post($model)
     {
         // Move OPNsense->Firewall->FilterRule ---> OPNsense->Firewall->Filter
         $cfgObj = Config::getInstance()->object();
-        if (!empty($cfgObj->OPNsense) && !empty($cfgObj->OPNsense->Firewall)
-                && !empty($cfgObj->OPNsense->Firewall->FilterRule)) {
+        if (
+            !empty($cfgObj->OPNsense) && !empty($cfgObj->OPNsense->Firewall)
+                && !empty($cfgObj->OPNsense->Firewall->FilterRule)
+        ) {
             // model migration created a new, empty rules section
             if (empty($cfgObj->OPNsense->Firewall->Filter->rules)) {
                 unset($cfgObj->OPNsense->Firewall->Filter->rules);

From 7f90141b600b3fd3e8597816d83bb686cf959834 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 May 2020 16:40:47 +0200
Subject: [PATCH 0111/3088] security/stunnel: style and sync

---
 README.md                                                     | 1 +
 security/stunnel/Makefile                                     | 2 +-
 security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc        | 4 ++--
 .../controllers/OPNsense/Stunnel/Api/ServicesController.php   | 2 +-
 .../app/controllers/OPNsense/Stunnel/ServicesController.php   | 1 +
 .../stunnel/src/opnsense/scripts/stunnel/generate_certs.php   | 4 ++--
 6 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 31cc612ce8..809eb8cc35 100644
--- a/README.md
+++ b/README.md
@@ -84,6 +84,7 @@ security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs r
 security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
+security/stunnel -- stunnel TLS proxy (development only)
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 sysutils/api-backup -- Provide the functionality to download the config.xml
diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index d2a57c52b5..25f1769de3 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		0.1
 PLUGIN_COMMENT=		stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_DEPENDS=     stunnel
+PLUGIN_DEPENDS=		stunnel
 PLUGIN_DEVEL=		yes
 
 .include "../../Mk/plugins.mk"
diff --git a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
index 822abd73db..364caa028d 100644
--- a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
+++ b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
@@ -28,9 +28,9 @@
 
 function stunnel_configure()
 {
-   return array(
+    return array(
        'crl' => array('stunnel_refresh_crls')
-   );
+    );
 }
 
 function stunnel_refresh_crls()
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
index 30a0047b99..c0ed5b2dbb 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
@@ -28,7 +28,7 @@
 
 namespace OPNsense\Stunnel\Api;
 
-use \OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Base\ApiMutableModelControllerBase;
 
 class ServicesController extends ApiMutableModelControllerBase
 {
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
index dfb898991b..caf2b73be1 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
@@ -27,6 +27,7 @@
  */
 
 namespace OPNsense\Stunnel;
+
 use OPNsense\Base\{IndexController};
 
 class ServicesController extends IndexController
diff --git a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
index b84979a964..b1166611ec 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
+++ b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
@@ -52,7 +52,7 @@
             foreach (explode(",", (string)$service->cacert) as $caid) {
                 foreach ($configObj->ca as $ca) {
                     if ((string)$ca->refid == $caid) {
-                        $all_certs["{$base_path}/{$this_uuid}.ca"] .= base64_decode((string)$ca->crt)."\n";
+                        $all_certs["{$base_path}/{$this_uuid}.ca"] .= base64_decode((string)$ca->crt) . "\n";
                     }
                 }
             }
@@ -73,7 +73,7 @@
     }
 }
 
-foreach($all_certs as $filename => $content) {
+foreach ($all_certs as $filename => $content) {
     file_put_contents($filename, $content);
     chown($filename, "stunnel");
 }

From 5c004cae08daaa7f2ac743eade1dbe2c1372528d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 May 2020 08:55:21 +0200
Subject: [PATCH 0112/3088] security/tinc: bump revision after changes

---
 security/tinc/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index fe9f6ac4be..b624156459 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 85329069be8fda10412be2f730a1b04a522671e9 Mon Sep 17 00:00:00 2001
From: Maurice Walker <maurice@walker.earth>
Date: Wed, 20 May 2020 10:48:11 +0200
Subject: [PATCH 0113/3088] net/tayga, register virtual interface (#1826)

---
 net/tayga/Makefile                               |  4 ++--
 net/tayga/pkg-descr                              |  4 ++++
 net/tayga/src/etc/inc/plugins.inc.d/tayga.inc    | 16 ++++++++++++++++
 .../mvc/app/models/OPNsense/Tayga/General.xml    |  2 +-
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index b499deb846..6945498327 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tayga
-PLUGIN_VERSION=		1.0
-PLUGIN_COMMENT=		Tayga IPv6 64NAT
+PLUGIN_VERSION=		1.1
+PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
diff --git a/net/tayga/pkg-descr b/net/tayga/pkg-descr
index 712b410c67..0ba5d319c5 100644
--- a/net/tayga/pkg-descr
+++ b/net/tayga/pkg-descr
@@ -7,6 +7,10 @@ networks where dedicated NAT64 hardware would be overkill.
 Plugin Changelog
 ================
 
+1.1
+
+* Register Tayga virtual interface
+
 1.0
 
 * Support for IPv6 prefix and IPv4 pool
diff --git a/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc b/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
index 9938b03cf6..88f8e5bcda 100644
--- a/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
+++ b/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
@@ -61,3 +61,19 @@ function tayga_xmlrpc_sync()
     $result['description'] = gettext('Tayga');
     return array($result);
 }
+
+function tayga_interfaces()
+{
+    $interfaces = array();
+    if (!tayga_enabled()) {
+        return $interfaces;
+    }
+    $oic = array('enable' => true);
+    $oic['if'] = 'nat64';
+    $oic['descr'] = 'Tayga';
+    $oic['type'] = 'none';
+    $oic['virtual'] = true;
+    $oic['networks'] = array();
+    $interfaces['tayga'] = $oic;
+    return $interfaces;
+}
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
index 8ce7919d6d..63680a3dbb 100644
--- a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
@@ -23,7 +23,7 @@
             <Required>Y</Required>
         </v6destination>
         <v6prefix type="NetworkField">
-            <default>2001:db8:1:ffff::/96</default>
+            <default>64:ff9b::/96</default>
             <Required>Y</Required>
         </v6prefix>
         <v4pool type="NetworkField">

From ee799d8c75f7aaffaee97439c95fd98263eb1b38 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 22 May 2020 09:16:47 +0200
Subject: [PATCH 0114/3088] security/acme-client: fix #1844

---
 .../scripts/OPNsense/AcmeClient/certhelper.php        |  6 +++---
 .../scripts/OPNsense/AcmeClient/upload_sftp.php       | 11 ++++++-----
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index e5a2657ff1..997b7fb3c2 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -1418,14 +1418,14 @@ function run_restart_actions($certlist, $modelObj)
                     if (empty((string)$action->configd)) {
                         log_error("AcmeClient: no configd command specified for automation: " . $action->name);
                         $result = '1';
-                        continue; // Continue with next action.
+                    } else {
+                        $response = $backend->configdRun((string)$action->configd);
                     }
-                    $response = $backend->configdRun((string)$action->configd);
                     break;
                 default:
                     log_error("AcmeClient: an invalid automation was specified: " . (string)$action->type);
                     $return = 1;
-                    continue; // Continue with next action.
+                    break;
             }
         }
     }
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index ede2859817..e7899a4364 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -296,16 +296,17 @@ function uploadCertificatesToHost(array $options): int
                 Utils::log()->error("Failed on " . json_encode($uploader->current(), JSON_UNESCAPED_SLASHES));
 
                 switch ($result) {
-                    case SftpUploader::UPLOAD_ERROR_CHGRP_FAILED:
-                    case SftpUploader::UPLOAD_ERROR_CHMOD_FAILED:
-                    case SftpUploader::UPLOAD_ERROR_NO_OVERWRITE:
-                        continue;
-
                     case SftpUploader::UPLOAD_ERROR_NO_PERMISSION:
                         return EXITCODE_ERROR_NO_PERMISSION;
 
                     case SftpUploader::UPLOAD_ERROR:
                         return EXITCODE_ERROR;
+
+                    case SftpUploader::UPLOAD_ERROR_CHGRP_FAILED:
+                    case SftpUploader::UPLOAD_ERROR_CHMOD_FAILED:
+                    case SftpUploader::UPLOAD_ERROR_NO_OVERWRITE:
+                    default:
+                        break;
                 }
             } else {
                 break;

From aa8ff3e50869a1c37ad8d056a7d210c5f3aaf4f6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 22 May 2020 09:18:24 +0200
Subject: [PATCH 0115/3088] security/acme-client: also bump revision

---
 security/acme-client/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index f85e6913ac..b0a5d54064 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		1.32
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 3d4416cf260d40112afca1996db139932342ec5a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Fri, 22 May 2020 13:12:28 +0200
Subject: [PATCH 0116/3088] Stunnel: add identd (#1845)

stunnel: add identd service and plumbing
---
 .../src/etc/inc/plugins.inc.d/stunnel.inc     |  35 +++-
 security/stunnel/src/etc/rc.d/identd_stunnel  |  55 ++++++
 .../Stunnel/Api/ServicesController.php        |  11 +-
 .../OPNsense/Stunnel/ServicesController.php   |   1 +
 .../OPNsense/Stunnel/forms/general.xml        |  21 ++
 .../app/models/OPNsense/Stunnel/Stunnel.xml   |   8 +
 .../app/views/OPNsense/Stunnel/services.volt  |  22 ++-
 .../scripts/stunnel/identd_stunnel.py         | 183 ++++++++++++++++++
 .../conf/actions.d/actions_stunnel.conf       |   8 +-
 .../templates/OPNsense/Stunnel/+TARGETS       |   2 +
 .../OPNsense/Stunnel/identd.rc.conf.d         |   6 +
 .../templates/OPNsense/Stunnel/rc.conf.d      |   1 +
 .../templates/OPNsense/Stunnel/stunnel.conf   |   6 +-
 .../Stunnel/syslog-ng-stunnel-ident.conf      |  22 +++
 14 files changed, 372 insertions(+), 9 deletions(-)
 create mode 100755 security/stunnel/src/etc/rc.d/identd_stunnel
 create mode 100644 security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/general.xml
 create mode 100755 security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
 create mode 100644 security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/identd.rc.conf.d
 create mode 100644 security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/syslog-ng-stunnel-ident.conf

diff --git a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
index 364caa028d..faa26282eb 100644
--- a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
+++ b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
@@ -33,6 +33,39 @@ function stunnel_configure()
     );
 }
 
+function stunnel_services()
+{
+    $services = array();
+    $mdl = new \OPNsense\Stunnel\Stunnel();
+    if ($mdl->general->enabled == '1') {
+        $services[] = array(
+            'description' => gettext('Stunnel'),
+            'stunnel' => array(
+                'restart' => array('stunnel restart'),
+                'start' => array('stunnel start'),
+                'stop' => array('stunnel stop'),
+            ),
+            'name' => 'stunnel',
+            'pidfile' => '/var/run/stunnel/stunnel.pid',
+        );
+        if ($mdl->general->enable_ident_server == '1') {
+            // only report status from identd seperately, control is combined with stunnel
+            $services[] = array(
+                'description' => gettext('Identd (stunnel)'),
+                'stunnel' => array(
+                    'restart' => array('stunnel restart'),
+                    'start' => array('stunnel start'),
+                    'stop' => array('stunnel stop'),
+                ),
+                'name' => 'identd_stunnel',
+                'pidfile' => '/var/run/stunnel_identd.pid',
+            );
+        }
+    }
+    return $services;
+}
+
+
 function stunnel_refresh_crls()
 {
     $stunnel = new OPNsense\Stunnel\Stunnel();
@@ -90,7 +123,7 @@ function stunnel_syslog()
 {
     $logfacilities = array();
     $logfacilities['stunnel'] = array(
-        'facility' => array('stunnel')
+        'facility' => array('stunnel', 'identd_stunnel')
     );
     return $logfacilities;
 }
diff --git a/security/stunnel/src/etc/rc.d/identd_stunnel b/security/stunnel/src/etc/rc.d/identd_stunnel
new file mode 100755
index 0000000000..003c2c3c4a
--- /dev/null
+++ b/security/stunnel/src/etc/rc.d/identd_stunnel
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: identd_stunnel
+# REQUIRE: SERVERS
+# KEYWORD: shutdown
+#
+
+. /etc/rc.subr
+
+name=identd_stunnel
+rcvar=identd_stunnel_enable
+command=/usr/local/opnsense/scripts/stunnel/identd_stunnel.py
+command_interpreter=/usr/local/bin/python3
+pidfile="/var/run/${name}.pid"
+load_rc_config $name
+
+# Set defaults
+: ${identd_stunnel_enable:=NO}
+
+stop_cmd=identd_stunnel_stop
+
+# kill configd
+identd_stunnel_stop()
+{
+    if [ -z "$rc_pid" ]; then
+      [ -n "$rc_fast" ] && return 0
+      _run_rc_notrunning
+      return 1
+    fi
+
+    echo -n "Stopping ${name}."
+    # first ask gently to exit
+    kill -15 ${rc_pid}
+
+    # wait max 5 seconds for gentle exit
+    for i in $(seq 1 50);
+    do
+        if [ -z "`/bin/ps -ax | /usr/bin/awk '{print $1;}' | /usr/bin/grep "^${rc_pid}"`" ]; then
+            break
+        fi
+        sleep 0.1
+    done
+
+    # kill any remaining identd_stunnel processes (if still running)
+    for identd_stunnel_pid in `/bin/ps -ax | grep 'identd_stunnel.py' | /usr/bin/awk '{print $1;}' `
+    do
+       kill -9 $identd_stunnel_pid >/dev/null 2>&1
+    done
+
+    echo  "..done"
+}
+
+run_rc_command $1
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
index c0ed5b2dbb..c84ae5cfb1 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
@@ -45,7 +45,7 @@ protected function save()
                 break;
             }
         }
-        parent::save();
+        return parent::save();
     }
 
     public function searchItemAction()
@@ -77,4 +77,13 @@ public function toggleItemAction($uuid, $enabled = null)
     {
         return $this->toggleBase("services.service", $uuid, $enabled);
     }
+
+  public function getAction()
+    {
+        $result = array();
+        $result[static::$internalModelName] = [
+            "general" => $this->getModel()->general->getNodes()
+        ];
+        return $result;
+    }
 }
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
index caf2b73be1..e693259d31 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/ServicesController.php
@@ -36,5 +36,6 @@ public function indexAction()
     {
         $this->view->pick('OPNsense/Stunnel/services');
         $this->view->formDialogService = $this->getForm("dialogService");
+        $this->view->formGeneral = $this->getForm("general");
     }
 }
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/general.xml b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/general.xml
new file mode 100644
index 0000000000..958e5a830a
--- /dev/null
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/general.xml
@@ -0,0 +1,21 @@
+<form>
+    <field>
+        <id>stunnel.general.chroot</id>
+        <label>chroot service</label>
+        <type>checkbox</type>
+        <help>Start stunnel in it a chroot, although this is a more secure option there are small points of attention before
+          using this. Since system logging is detached after startup, stunnel seems to have difficulties handing syslog configuration changes
+          which need a service restart. If this happens, you need to restart stunnel manually as well.
+        </help>
+    </field>
+    <field>
+        <id>stunnel.general.enable_ident_server</id>
+        <label>enable ident protocol</label>
+        <type>checkbox</type>
+        <help>Enable internal ident service (rfc1413), which tracks authenticated tcp sessions and returns the associated user
+          of the certificate used by stunnel (cn part). When enabled, this service listens on port tcp/113 and accepts port pairs as defined by rfc1413.
+          Make sure you deny untrusted clients access to this facility, usually it only makes sense to allow access from this
+          firewall (allowed by default).
+        </help>
+    </field>
+</form>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index b17406bbb4..b76adc6c5a 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -11,6 +11,14 @@
                 <default>1</default>
                 <Required>Y</Required>
             </enabled>
+            <chroot type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </chroot>
+            <enable_ident_server type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </enable_ident_server>
         </general>
         <services>
             <service type="ArrayField">
diff --git a/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt b/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
index fd6ba46c47..fe9967c40c 100644
--- a/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
+++ b/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
@@ -35,14 +35,30 @@
                 toggle:'/api/stunnel/services/toggleItem/'
             }
         );
-        $("#reconfigureAct").SimpleActionButton();
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/stunnel/services/set", 'frm_general_settings', function(){
+                    dfObj.resolve();
+                });
+                return dfObj;
+            }
+        });
         updateServiceControlUI('stunnel');
+
+        let data_get_map = {'frm_general_settings':"/api/stunnel/services/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
     });
 </script>
 
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" id="destinations" href="#tab_services">{{ lang._('Services') }}</a></li>
+    <li><a data-toggle="tab" id="general" href="#tab_general">{{ lang._('General') }}</a></li>
 </ul>
 <div class="tab-content content-box">
     <div id="tab_services" class="tab-pane fade in active">
@@ -69,6 +85,10 @@
             </tfoot>
         </table>
     </div>
+    <div id="tab_general" class="tab-pane">
+        <!-- tab page "general" -->
+          {{ partial("layout_partials/base_form",['fields':formGeneral,'id':'frm_general_settings'])}}
+    </div>
     <div class="col-md-12">
         <div id="stunnelChangeMessage" class="alert alert-info" style="display: none" role="alert">
             {{ lang._('After changing settings, please remember to apply them with the button below') }}
diff --git a/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py b/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
new file mode 100755
index 0000000000..179103aeb7
--- /dev/null
+++ b/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
@@ -0,0 +1,183 @@
+#!/usr/local/bin/python3
+
+import os
+import sys
+import argparse
+import syslog
+import socketserver
+import glob
+import time
+import traceback
+sys.path.insert(0, "/usr/local/opnsense/site-python")
+from daemonize import Daemonize
+
+class StunnelLog:
+    # ident log file location
+    base_log_path = "/var/run/stunnel/logs"
+    # maximum session length (after detect) in seconds
+    session_max_ttl = 600
+    # number of seconds after receiving "Connection closed" to remove session from cache
+    session_grace_period = 60
+    # amount of time in ms to wait before concluding a user is not found.
+    # generally intened to prevent syslog latency leading to false access denied statements
+    log_flush_grace_period_ms = 250
+    # time in ms to wait between polls (when initial fetch didn't result in an authenticated session)
+    log_flush_poll_interval_ms = 0.5
+
+    def __init__(self):
+        self._filename = None
+        self._fhandle = None
+        self._last_pos = None
+        self._local_cache = dict()
+        self._open()
+
+    def _open(self):
+        """ open last log file, also responsible for log rotate
+        """
+        filenames = sorted(glob.glob("%s/stunnel_ident_*.log" % self.base_log_path), reverse=True)
+        if len(filenames) > 0 and self._filename != filenames[0]:
+            self._filename = filenames[0]
+            self._last_pos = None
+            try:
+                self._fhandle = open(self._filename, 'r')
+            except IOError:
+                self._fhandle = None
+
+            # cleanup after rotate
+            if len(filenames) > 1:
+                for filename in filenames[1:]:
+                    os.remove(filename)
+
+    def parse(self, search_key):
+        """ parse log file and detect new connected clients and the ones leaving (connection closed).
+            Accounts connections in self._local_cache (in address:source_port format)
+            :param search_key: when search_key isn't found, execute another pass to detect log-rotates
+        """
+        # we might need another pass
+        for i in range(2):
+            current_timestamp = time.time()
+            if self._fhandle is not None:
+                if self._last_pos is not None:
+                    self._fhandle.seek(self._last_pos)
+
+                while True:
+                    line = self._fhandle.readline()
+                    if line:
+                        # track session id's, which ease debugging (see logId setting in stunnel)
+                        session_id = None
+                        if line.find('[') > -1:
+                            session_id = line.split('[')[1].split(']')[0]
+                        if line.find('IDENT Service') > -1:
+                            # Ident log line, username (CN=) is currently returned when an ident call is made
+                            cert_subject = line.split('-->')[1].strip()
+                            username = cert_subject[cert_subject.find('CN=')+3:].strip()
+                            src = line.split(' from ')[1].split()[0]
+                            self._local_cache[src] = {
+                                'username': username,
+                                'cn': cert_subject,
+                                'session_id': session_id,
+                                'expire': current_timestamp + self.session_max_ttl
+                            }
+                        elif line.find('Connection closed') > -1 and line.find('[') > -1:
+                            # Connection closed lines are used to trigger cleanups in two stages
+                            # 1. push expire to now() + session_grace_period
+                            # 2. when expired, delete from cache
+                            for src in list(self._local_cache):
+                                is_expired = current_timestamp > self._local_cache[src]['expire']
+                                if session_id == self._local_cache[src]['session_id']:
+                                    self._local_cache[src]['expire'] = current_timestamp + self.session_grace_period
+                                elif is_expired:
+                                    del self._local_cache[src]
+                    else:
+                        break
+                self._last_pos = self._fhandle.tell()
+            if search_key in self._local_cache:
+                break
+            else:
+                # possible log rotate (new file)
+                self._open()
+
+
+    def whois(self, src_port, dst_port, address):
+        """ try to resolve user at src_port:address:dst_port for max log_flush_grace_period_ms time
+            :param src_port: source port
+            :param dst_port: destination port
+            :param address: address, usually the address stunnel connected to (target hostname)
+            :return: username or False if not found
+        """
+        search_key = "%s:%s" % (address, src_port)
+        start_time = time.time()
+        while True:
+            self.parse(search_key)
+            if search_key in self._local_cache:
+                return self._local_cache[search_key]['username']
+            elif (time.time() - start_time) * 1000.0 > self.log_flush_grace_period_ms:
+                break
+            else:
+                time.sleep(self.log_flush_poll_interval_ms/1000.0)
+
+        return False
+
+
+class RequestHandler(socketserver.StreamRequestHandler):
+    _stunnel_log = None
+
+    @staticmethod
+    def stunnel_ident(src_port, dst_port, address):
+        if RequestHandler._stunnel_log is None:
+            RequestHandler._stunnel_log = StunnelLog()
+
+        return RequestHandler._stunnel_log.whois(src_port, dst_port, address)
+
+    def handle(self):
+        """ connection handler, strip src/dst port pairs, resolve and return
+        """
+        start_time = time.time()
+        src_port, dst_port = [0, 0]
+        try:
+            req_data = self.rfile.readline().decode().strip()
+            src_port, dst_port = [ int(x.strip()) for x in req_data.split(',') ]
+            if  src_port < 1 or  src_port > 65535 or dst_port < 1 or  dst_port > 65535:
+                syslog.syslog(syslog.LOG_WARNING, 'INVALID-PORT %d,%s,%d.' % (
+                    src_port, self.client_address[0], dst_port
+                ))
+                self.wfile.write('{}, {} : ERROR : INVALID-PORT\r\n'.format(src_port, dst_port).encode())
+            else:
+                username = self.stunnel_ident(src_port, dst_port, self.client_address[0])
+                req_latency_ms = (time.time() - start_time) * 1000.0
+                if not username:
+                    syslog.syslog(syslog.LOG_WARNING, 'NO-USER %d,%s,%d (%0.05f ms).' % (
+                        src_port, self.client_address[0], dst_port, req_latency_ms
+                    ))
+                    self.wfile.write('{}, {} : ERROR : NO-USER\r\n'.format(src_port, dst_port).encode())
+                else:
+                    syslog.syslog(syslog.LOG_NOTICE, 'USERID %d,%s,%d = %s (%0.05f ms).' % (
+                        src_port, self.client_address[0], dst_port, username, req_latency_ms
+                    ))
+                    self.wfile.write('{}, {} : USERID : OTHER : {}\r\n'.format(src_port, dst_port, username).encode())
+        except:
+            self.wfile.write('{}, {} : ERROR : UNKNOWN-ERROR\r\n'.format(src_port, dst_port).encode())
+            syslog.syslog(syslog.LOG_ERR, traceback.format_exc().replace('\n', ' '))
+
+
+def run_listener():
+    server = socketserver.TCPServer(('0.0.0.0', 113), RequestHandler, bind_and_activate=False)
+    server.allow_reuse_address = True
+    server.server_bind()
+    server.server_activate()
+    server.serve_forever()
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--foreground', help='run in forground', default=False, action='store_true')
+    inputargs = parser.parse_args()
+
+    syslog.openlog('identd_stunnel', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
+
+    if inputargs.foreground:
+        run_listener()
+    else:
+        syslog.syslog(syslog.LOG_NOTICE, 'daemonize stunnel_identd.')
+        daemon = Daemonize(app="identd_stunnel", pid='/var/run/identd_stunnel.pid', action=run_listener)
+        daemon.start()
diff --git a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
index ac583ea670..e0dc8de69e 100644
--- a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
+++ b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
@@ -5,25 +5,25 @@ type:script_output
 message:List SSL ciphers
 
 [start]
-command:/usr/local/etc/rc.d/stunnel start
+command:/usr/local/etc/rc.d/stunnel start; /usr/local/etc/rc.d/identd_stunnel start; exit 0
 parameters:
 type:script
 message:stunnel service start
 
 [stop]
-command:/usr/local/etc/rc.d/stunnel stop
+command:/usr/local/etc/rc.d/stunnel stop; /usr/local/etc/rc.d/identd_stunnel stop; exit 0
 parameters:
 type:script
 message:stunnel service stop
 
 [restart]
-command:/usr/local/etc/rc.d/stunnel restart
+command:/usr/local/etc/rc.d/stunnel restart; /usr/local/etc/rc.d/identd_stunnel restart; exit 0
 parameters:
 type:script
 message:stunnel service restart
 
 [status]
-command:/usr/local/etc/rc.d/stunnel status; exit 0
+command:/usr/local/etc/rc.d/stunnel status; /usr/local/etc/rc.d/identd_stunnel onestatus; exit 0
 parameters:
 type:script_output
 message:stunnel status
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/+TARGETS b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/+TARGETS
index 177c36ce4a..771bf9bab5 100644
--- a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/+TARGETS
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/+TARGETS
@@ -1,2 +1,4 @@
 stunnel.conf:/usr/local/etc/stunnel/stunnel.conf
 rc.conf.d:/etc/rc.conf.d/stunnel
+identd.rc.conf.d:/etc/rc.conf.d/identd_stunnel
+syslog-ng-stunnel-ident.conf:/usr/local/etc/syslog-ng.conf.d/syslog-ng-stunnel-ident.conf
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/identd.rc.conf.d b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/identd.rc.conf.d
new file mode 100644
index 0000000000..8596cfe5b2
--- /dev/null
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/identd.rc.conf.d
@@ -0,0 +1,6 @@
+{% if not helpers.empty('OPNsense.Stunnel.general.enabled') and
+      not helpers.empty('OPNsense.Stunnel.general.enable_ident_server') %}
+identd_stunnel_enable="YES"
+{% else %}
+identd_stunnel_enable="NO"
+{% endif %}
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
index 874ae1b74d..9c3da50ff6 100644
--- a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
@@ -3,6 +3,7 @@ stunnel_enable="YES"
 stunnel_pidfile="/var/run/stunnel/stunnel.pid"
 
 mkdir -p /var/run/stunnel/certs
+mkdir -p /var/run/stunnel/logs
 chown -R stunnel:stunnel /var/run/stunnel
 chmod -R 700 /var/run/stunnel
 
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
index 4f89d541e7..1179e6bf1a 100644
--- a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
@@ -1,7 +1,9 @@
 setuid = stunnel
 setgid = stunnel
+{% if not helpers.empty('OPNsense.Stunnel.general.chroot') %}
 chroot = /var/run/stunnel
-pid = /stunnel.pid
+{% endif %}
+pid = {% if helpers.empty('OPNsense.Stunnel.general.chroot') %}/var/run/stunnel{% endif %}/stunnel.pid
 debug = info
 logId = unique
 
@@ -23,7 +25,7 @@ CAfile = /usr/local/etc/stunnel/certs/{{service['@uuid']}}.ca
 requireCert = yes
 verifyChain = yes
 {%         if service.enableCRL|default('0') == '1' %}
-CRLpath = /certs/
+CRLpath = {% if helpers.empty('OPNsense.Stunnel.general.chroot') %}/var/run/stunnel{% endif %}/certs/
 {%         endif %}
 {%       endif %}
 {%       set ciphers =[] %}
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/syslog-ng-stunnel-ident.conf b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/syslog-ng-stunnel-ident.conf
new file mode 100644
index 0000000000..7e9c4b723f
--- /dev/null
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/syslog-ng-stunnel-ident.conf
@@ -0,0 +1,22 @@
+destination d_stunnel_ident {
+    file(
+        "/var/run/stunnel/logs/stunnel_ident_${YEAR}${MONTH}${DAY}.log"
+        flush-lines(0)
+    );
+};
+
+filter f_stunnel_ident {
+    program("stunnel")
+      and (
+        message(".*IDENT.*")
+        or
+        message(".*Connection closed.*")
+    );
+};
+
+
+log {
+    source(s_all);
+    filter(f_stunnel_ident);
+    destination(d_stunnel_ident);
+};

From 9510a17266877af26465d9f754e90d9e868cc489 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 20 May 2020 00:34:04 +0200
Subject: [PATCH 0117/3088] whitespace

---
 .../app/controllers/OPNsense/Stunnel/Api/ServicesController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
index c84ae5cfb1..edad2be838 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
@@ -78,7 +78,7 @@ public function toggleItemAction($uuid, $enabled = null)
         return $this->toggleBase("services.service", $uuid, $enabled);
     }
 
-  public function getAction()
+    public function getAction()
     {
         $result = array();
         $result[static::$internalModelName] = [

From 84585d959b63d201a7e07e20ce2fc0621b2e2172 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 20 May 2020 00:57:15 +0200
Subject: [PATCH 0118/3088] stunnel: minor cleanups and versioning, closes
 https://github.com/opnsense/plugins/issues/1829

---
 security/stunnel/Makefile                                    | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 25f1769de3..fbb353411c 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		stunnel
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		0.2
 PLUGIN_COMMENT=		stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index b76adc6c5a..7c8fea7155 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -1,9 +1,8 @@
 <model>
     <mount>//OPNsense/Stunnel</mount>
-    <version>1.0.0</version>
-    <migration_prefix>MFP</migration_prefix>
+    <version>1.0.1</version>
     <description>
-        OPNsense firewall filter rules
+        Stunnel TLS encryption proxy
     </description>
     <items>
         <general>

From e845256b1ad1143207de6b03eae22efcb66ad558 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 20 May 2020 06:11:29 +0200
Subject: [PATCH 0119/3088] stunnel: minor bug fixes

- used wrong pid for ident status
- reload syslog on service start
- missing condition in syslog template (hence the service reload)

for https://github.com/opnsense/plugins/issues/1829
---
 .../src/etc/inc/plugins.inc.d/stunnel.inc       |  4 ++--
 .../service/conf/actions.d/actions_stunnel.conf | 17 ++++++++++++++---
 .../templates/OPNsense/Stunnel/rc.conf.d        |  1 +
 .../Stunnel/syslog-ng-stunnel-ident.conf        |  4 ++++
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
index faa26282eb..335e708021 100644
--- a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
+++ b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
@@ -52,13 +52,13 @@ function stunnel_services()
             // only report status from identd seperately, control is combined with stunnel
             $services[] = array(
                 'description' => gettext('Identd (stunnel)'),
-                'stunnel' => array(
+                'identd_stunnel' => array(
                     'restart' => array('stunnel restart'),
                     'start' => array('stunnel start'),
                     'stop' => array('stunnel stop'),
                 ),
                 'name' => 'identd_stunnel',
-                'pidfile' => '/var/run/stunnel_identd.pid',
+                'pidfile' => '/var/run/identd_stunnel.pid',
             );
         }
     }
diff --git a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
index e0dc8de69e..2ab897d8d6 100644
--- a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
+++ b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
@@ -5,19 +5,30 @@ type:script_output
 message:List SSL ciphers
 
 [start]
-command:/usr/local/etc/rc.d/stunnel start; /usr/local/etc/rc.d/identd_stunnel start; exit 0
+command:
+  /usr/local/etc/rc.d/stunnel start;
+  /usr/local/etc/rc.d/identd_stunnel start;
+  /usr/local/etc/rc.d/syslog-ng reload;
+  exit 0
 parameters:
 type:script
 message:stunnel service start
 
 [stop]
-command:/usr/local/etc/rc.d/stunnel stop; /usr/local/etc/rc.d/identd_stunnel stop; exit 0
+command:
+    /usr/local/etc/rc.d/stunnel stop;
+    /usr/local/etc/rc.d/identd_stunnel stop;
+    exit 0
 parameters:
 type:script
 message:stunnel service stop
 
 [restart]
-command:/usr/local/etc/rc.d/stunnel restart; /usr/local/etc/rc.d/identd_stunnel restart; exit 0
+command:
+    /usr/local/etc/rc.d/stunnel restart;
+    /usr/local/etc/rc.d/identd_stunnel restart;
+    /usr/local/etc/rc.d/syslog-ng reload;
+    exit 0
 parameters:
 type:script
 message:stunnel service restart
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
index 9c3da50ff6..80fccca16d 100644
--- a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/rc.conf.d
@@ -8,6 +8,7 @@ chown -R stunnel:stunnel /var/run/stunnel
 chmod -R 700 /var/run/stunnel
 
 /usr/local/opnsense/scripts/stunnel/generate_certs.php > /dev/null 2>&1
+
 {% else %}
 stunnel_enable="NO"
 {% endif %}
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/syslog-ng-stunnel-ident.conf b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/syslog-ng-stunnel-ident.conf
index 7e9c4b723f..4bb708db2e 100644
--- a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/syslog-ng-stunnel-ident.conf
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/syslog-ng-stunnel-ident.conf
@@ -1,3 +1,5 @@
+{% if not helpers.empty('OPNsense.Stunnel.general.enabled') and
+      not helpers.empty('OPNsense.Stunnel.general.enable_ident_server') %}
 destination d_stunnel_ident {
     file(
         "/var/run/stunnel/logs/stunnel_ident_${YEAR}${MONTH}${DAY}.log"
@@ -20,3 +22,5 @@ log {
     filter(f_stunnel_ident);
     destination(d_stunnel_ident);
 };
+
+{% endif %}

From 1f7654103d599d52f8f76930149c5c8d419f60ef Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 20 May 2020 06:13:59 +0200
Subject: [PATCH 0120/3088] stunnel: new revision

---
 security/stunnel/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index fbb353411c..ee61a98645 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		0.2
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel

From 98dca4b0f08d001898e0c1bd769dd2586a0a4077 Mon Sep 17 00:00:00 2001
From: Martin Wasley <martin@queens-park.com>
Date: Mon, 18 May 2020 12:45:44 +0100
Subject: [PATCH 0121/3088] Update services_dyndns_edit.php

---
 dns/dyndns/src/www/services_dyndns_edit.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index df29a8eae6..bb327f5d3f 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -364,6 +364,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('dynv6: Leave blank.') ?>
                         <br /><?= gettext('Azure: client secret of the AD application') ?>
                         <br /><?= gettext('Linode: Enter your Personal Access Token.') ?>
+                        <br /><?= gettext('Cloudflare: Enter Global API Key.') ?>
                       </div>
                     </td>
                   </tr>

From 9001b6941bf76225859e87c46db79f9cc36eecf9 Mon Sep 17 00:00:00 2001
From: "Joey \"JojoXD\" Vos" <joeyvos@outlook.com>
Date: Tue, 26 May 2020 13:12:54 +0200
Subject: [PATCH 0122/3088] Added Telegraf InfluxDB v2 Output Support (#1849)

---
 net-mgmt/telegraf/Makefile                    |  2 +-
 net-mgmt/telegraf/pkg-descr                   |  4 +++
 .../OPNsense/Telegraf/forms/output.xml        | 30 +++++++++++++++++++
 .../app/models/OPNsense/Telegraf/Output.xml   | 22 +++++++++++++-
 .../templates/OPNsense/Telegraf/telegraf.conf | 16 ++++++++++
 5 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 166769c9bc..2c0dd9078f 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.7.7
+PLUGIN_VERSION=		1.8.0
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 3f381da7ea..01c12dea54 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -11,6 +11,10 @@ Kafka, MQTT, NSQ, and many others.
 Plugin Changelog
 ================
 
+1.8.0
+
+* Add InfluxDB v2 output support
+
 1.7.7
 
 * Fix log not properly parsed
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index f338190c97..4594818aec 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -35,6 +35,36 @@
         <type>text</type>
         <help>Set the password for authentication.</help>
     </field>
+    <field>
+        <id>output.influx_v2_enable</id>
+        <label>Enable Influx v2 Output</label>
+        <type>checkbox</type>
+        <help>This will enable InfluxDB v2 as output. Format is without square brackets, just like http://192.168.0.1:9999.</help>
+    </field>
+    <field>
+        <id>output.influx_v2_url</id>
+        <label>Influx v2 URL</label>
+        <type>text</type>
+        <help>Set the URL where metrics shoud be sent to.</help>
+    </field>
+    <field>
+        <id>output.influx_v2_token</id>
+        <label>Influx v2 Token</label>
+        <type>text</type>
+        <help>Influx v2 authentication token.</help>
+    </field>
+    <field>
+        <id>output.influx_v2_organization</id>
+        <label>Influx v2 Organization</label>
+        <type>text</type>
+        <help>Set the name of the organization in Influx v2.</help>
+    </field>
+    <field>
+        <id>output.influx_v2_bucket</id>
+        <label>Influx v2 Bucket</label>
+        <type>text</type>
+        <help>Set the name of the bucket in Influx v2.</help>
+    </field>
     <field>
         <id>output.graphite_enable</id>
         <label>Enable Graphite Output</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index f50f3755e7..bd48099a43 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/telegraf/output</mount>
     <description>Telegraf outputs configuration</description>
-    <version>1.3.1</version>
+    <version>1.4.0</version>
     <items>
         <influx_enable type="BooleanField">
             <default>0</default>
@@ -85,5 +85,25 @@
             <default>1</default>
             <Required>N</Required>
         </prometheus_stringaslabel>
+        <influx_v2_enable type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </influx_v2_enable>
+        <influx_v2_url type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </influx_v2_url>
+        <influx_v2_token type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </influx_v2_token>
+        <influx_v2_organization type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </influx_v2_organization>
+        <influx_v2_bucket type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </influx_v2_bucket>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index f8d01fab7f..08f6938033 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -129,6 +129,22 @@
 {%   endif %}
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.output.influx_v2_enable') and OPNsense.telegraf.output.influx_v2_enable == '1' %}
+[[outputs.influxdb_v2]]
+{%   if helpers.exists('OPNsense.telegraf.output.influx_v2_url') and OPNsense.telegraf.output.influx_v2_url != '' %}
+  urls = ["{{ OPNsense.telegraf.output.influx_v2_url }}"]
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.influx_v2_token') and OPNsense.telegraf.output.influx_v2_token != '' %}
+  token = "{{ OPNsense.telegraf.output.influx_v2_token }}"
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.influx_v2_organization') and OPNsense.telegraf.output.influx_v2_organization != '' %}
+  organization = "{{ OPNsense.telegraf.output.influx_v2_organization }}"
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.influx_v2_bucket') and OPNsense.telegraf.output.influx_v2_bucket != '' %}
+  bucket = "{{ OPNsense.telegraf.output.influx_v2_bucket }}"
+{%   endif %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.telegraf.input.cpu') and OPNsense.telegraf.input.cpu == '1' %}
 [[inputs.cpu]]
 {%   if helpers.exists('OPNsense.telegraf.input.cpu_percpu') and OPNsense.telegraf.input.cpu_percpu == '1' %}

From 72980508a726d10cf39f2065259d315a04338f29 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 26 May 2020 21:02:37 +0200
Subject: [PATCH 0123/3088] security/stunnel prepare release version

---
 security/stunnel/Makefile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index ee61a98645..c308ced566 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,9 +1,7 @@
 PLUGIN_NAME=		stunnel
-PLUGIN_VERSION=		0.2
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
-PLUGIN_DEVEL=		yes
 
 .include "../../Mk/plugins.mk"

From c46695c0301af79e02a2e376a6e005fa239ebbfa Mon Sep 17 00:00:00 2001
From: Bill Gertz <bill.gertz@blockfish.net>
Date: Thu, 28 May 2020 15:21:08 +0200
Subject: [PATCH 0124/3088] security/acme-client: Add NSUPDATE_ZONE support to
 nsupdate DNS-01 Service (#1851)

Add NSUPDATE_ZONE nsupdate support

Adds new validation.dns_nsudate_zone field to implement support for NSUPDATE_ZONE. See https://github.com/acmesh-official/acme.sh/pull/1963 for more information.
---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml          | 6 ++++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 3 +++
 .../src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php | 1 +
 3 files changed, 10 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index c45394a474..fd36767e09 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -772,6 +772,12 @@
         <label>Server (FQDN)</label>
         <type>text</type>
     </field>
+    <field>
+        <id>validation.dns_nsupdate_zone</id>
+        <label>Zone</label>
+        <type>text</type>
+        <help>Set hosted zone (e.g. example.com) as some DNS Providers require, like dyn.com's 'Standard DNS'.</help>
+    </field>
     <field>
         <id>validation.dns_nsupdate_key</id>
         <label>Secret Key</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index e093a34948..2ec2e16b26 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -751,6 +751,9 @@
                 <dns_nsupdate_server type="TextField">
                     <Required>N</Required>
                 </dns_nsupdate_server>
+                <dns_nsupdate_zone type="TextField">
+                    <Required>N</Required>
+                </dns_nsupdate_zone>
                 <!-- TODO: maybe we should base64encode this field? -->
                 <dns_nsupdate_key type="TextField">
                     <Required>N</Required>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index 997b7fb3c2..8e482c39d4 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -893,6 +893,7 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 file_put_contents($secret_key_filename, $secret_key_data);
                 $proc_env['NSUPDATE_KEY'] = $secret_key_filename;
                 $proc_env['NSUPDATE_SERVER'] = (string)$valObj->dns_nsupdate_server;
+                $proc_env['NSUPDATE_ZONE'] = (string)$valObj->dns_nsupdate_zone;
                 break;
             case 'dns_opnsense':
                 # BIND plugin must be installed.

From 2dfe7674d5dcdf7f29b3ec00133de556d24a4310 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 28 May 2020 15:23:59 +0200
Subject: [PATCH 0125/3088] security/acme-client: move optional field to the
 bottom, refs #1851

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml   | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index fd36767e09..2724e0ad7c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -772,18 +772,18 @@
         <label>Server (FQDN)</label>
         <type>text</type>
     </field>
-    <field>
-        <id>validation.dns_nsupdate_zone</id>
-        <label>Zone</label>
-        <type>text</type>
-        <help>Set hosted zone (e.g. example.com) as some DNS Providers require, like dyn.com's 'Standard DNS'.</help>
-    </field>
     <field>
         <id>validation.dns_nsupdate_key</id>
         <label>Secret Key</label>
         <type>textbox</type>
         <help>Requires the whole key file in a format that is compatible with nsupdate.</help>
     </field>
+    <field>
+        <id>validation.dns_nsupdate_zone</id>
+        <label>Zone</label>
+        <type>text</type>
+        <help>Optionally set the name of the hosted zone (e.g. example.com) as some DNS Providers require, like dyn.com's 'Standard DNS'.</help>
+    </field>
     <field>
         <label>opnsense</label>
         <type>header</type>

From e1c15a1b20261c22d38fba860b0f39e3b2bf690a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 28 May 2020 15:24:15 +0200
Subject: [PATCH 0126/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index b0a5d54064..2e65ae4bcb 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		1.32
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.33
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From c47fc41b2759659929d51f862da87b58731955d6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Jun 2020 10:18:49 +0200
Subject: [PATCH 0127/3088] net/frr: use FRR 7 #1768

---
 net/frr/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 3a47f7843a..a808735a4a 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.14
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
-PLUGIN_DEPENDS=		frr6 ruby
+PLUGIN_DEPENDS=		frr7 ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"

From 5988514f0813c4ba95d7d6add23fd40ea561fede Mon Sep 17 00:00:00 2001
From: chris42 <list-christian@web.de>
Date: Sun, 7 Jun 2020 13:30:28 +0200
Subject: [PATCH 0128/3088] Add core-networks API option

---
 .../AcmeClient/forms/dialogValidation.xml         | 15 +++++++++++++++
 .../app/models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++++++
 .../scripts/OPNsense/AcmeClient/certhelper.php    |  4 ++++
 3 files changed, 26 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 2724e0ad7c..e29dde206e 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1086,4 +1086,19 @@
         <label>API Key</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Core-Networks API</label>
+        <type>header</type>
+        <style>table_dns table_dns_cn</style>
+    </field>
+    <field>
+        <id>validation.dns_cn_user</id>
+        <label>API User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_cn_password</id>
+        <label>API Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 2ec2e16b26..f80753ae0d 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -366,6 +366,7 @@
                         <dns_azure>Azure DNS API</dns_azure>
                         <dns_cf>CloudFlare.com API</dns_cf>
                         <dns_cloudns>ClouDNS API</dns_cloudns>
+                        <dns_cn>Core-Networks API</dns_cn>
                         <dns_cx>CloudXNS.com API</dns_cx>
                         <dns_cyon>cyon.ch API</dns_cyon>
                         <dns_da>DirectAdmin API</dns_da>
@@ -878,6 +879,12 @@
                 <dns_leaseweb_key type="TextField">
                     <Required>N</Required>
                 </dns_leaseweb_key>
+                <dns_cn_user type="TextField">
+                    <Required>N</Required>
+                </dns_cn_user>
+                <dns_cn_password type="TextField">
+                    <Required>N</Required>
+                </dns_cn_password>
             </validation>
         </validations>
         <actions>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index 8e482c39d4..73c02c2fa3 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -693,6 +693,10 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['CLOUDNS_SUB_AUTH_ID'] = (string)$valObj->dns_cloudns_sub_auth_id;
                 $proc_env['CLOUDNS_AUTH_PASSWORD'] = (string)$valObj->dns_cloudns_auth_password;
                 break;
+            case 'dns_cn':
+                $proc_env['CN_User'] = (string)$valObj->dns_cn_user;
+                $proc_env['CN_Password'] = (string)$valObj->dns_cn_password;
+                break;
             case 'dns_cx':
                 $proc_env['CX_Key'] = (string)$valObj->dns_cx_key;
                 $proc_env['CX_Secret'] = (string)$valObj->dns_cx_secret;

From 543209b661a47bf2402c00acb247b015ad226fb6 Mon Sep 17 00:00:00 2001
From: chris42 <list-christian@web.de>
Date: Sun, 7 Jun 2020 13:58:45 +0200
Subject: [PATCH 0129/3088] Order by name not tag

---
 .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f80753ae0d..804f3c9d81 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -366,8 +366,8 @@
                         <dns_azure>Azure DNS API</dns_azure>
                         <dns_cf>CloudFlare.com API</dns_cf>
                         <dns_cloudns>ClouDNS API</dns_cloudns>
-                        <dns_cn>Core-Networks API</dns_cn>
                         <dns_cx>CloudXNS.com API</dns_cx>
+                        <dns_cn>Core-Networks API</dns_cn>
                         <dns_cyon>cyon.ch API</dns_cyon>
                         <dns_da>DirectAdmin API</dns_da>
                         <dns_dgon>DigitalOcean API</dns_dgon>

From 734642abea2765d8d62268e234a79ec770a618cb Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 Jun 2020 14:28:01 +0200
Subject: [PATCH 0130/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 2e65ae4bcb..7e359a146f 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		1.33
+PLUGIN_VERSION=		1.34
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From a15bf04c202499c781088441a23059d9f32f617a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 Jun 2020 14:34:28 +0200
Subject: [PATCH 0131/3088] security/acme-client: add support for ArvanCloud,
 closes #1834

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml     | 10 ++++++++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  |  6 +++++-
 .../scripts/OPNsense/AcmeClient/certhelper.php         |  3 +++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index e29dde206e..9cdc8c369f 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1101,4 +1101,14 @@
         <label>API Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>ArvanCloud API</label>
+        <type>header</type>
+        <style>table_dns table_dns_arvan</style>
+    </field>
+    <field>
+        <id>validation.dns_arvan_token</id>
+        <label>API Token</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 804f3c9d81..0369e4ce1c 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>1.6.0</version>
+    <version>1.6.1</version>
     <description>A secure Let's Encrypt plugin</description>
     <items>
         <settings>
@@ -361,6 +361,7 @@
                         <dns_acmeproxy>Acmeproxy API</dns_acmeproxy>
                         <dns_ad>Alwaysdata.com API</dns_ad>
                         <dns_ali>aliyun.com API</dns_ali>
+                        <dns_arvan>ArvanCloud API</dns_arvan>
                         <dns_autodns>AutoDNS (InterNetX) API</dns_autodns>
                         <dns_aws>AWS Route 53</dns_aws>
                         <dns_azure>Azure DNS API</dns_azure>
@@ -885,6 +886,9 @@
                 <dns_cn_password type="TextField">
                     <Required>N</Required>
                 </dns_cn_password>
+                <dns_arvan_token type="TextField">
+                    <Required>N</Required>
+                </dns_arvan_token>
             </validation>
         </validations>
         <actions>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index 73c02c2fa3..fc8cc6a442 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -665,6 +665,9 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['Ali_Key'] = (string)$valObj->dns_ali_key;
                 $proc_env['Ali_Secret'] = (string)$valObj->dns_ali_secret;
                 break;
+            case 'dns_arvan':
+                $proc_env['Arvan_Token'] = (string)$valObj->dns_arvan_token;
+                break;
             case 'dns_autodns':
                 $proc_env['AUTODNS_USER'] = (string)$valObj->dns_autodns_user;
                 $proc_env['AUTODNS_PASSWORD'] = (string)$valObj->dns_autodns_password;

From 0dbff80fef21140e9725b312183b60ccc1338a7c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 Jun 2020 14:37:20 +0200
Subject: [PATCH 0132/3088] security/acme-client: restore alnum sorting in DNS
 API list

---
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 0369e4ce1c..66a93286de 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -365,13 +365,13 @@
                         <dns_autodns>AutoDNS (InterNetX) API</dns_autodns>
                         <dns_aws>AWS Route 53</dns_aws>
                         <dns_azure>Azure DNS API</dns_azure>
-                        <dns_cf>CloudFlare.com API</dns_cf>
                         <dns_cloudns>ClouDNS API</dns_cloudns>
+                        <dns_cf>CloudFlare.com API</dns_cf>
                         <dns_cx>CloudXNS.com API</dns_cx>
                         <dns_cn>Core-Networks API</dns_cn>
                         <dns_cyon>cyon.ch API</dns_cyon>
-                        <dns_da>DirectAdmin API</dns_da>
                         <dns_dgon>DigitalOcean API</dns_dgon>
+                        <dns_da>DirectAdmin API</dns_da>
                         <dns_dnsimple>DNSimple API</dns_dnsimple>
                         <dns_me>DNSMadeEasy.com API</dns_me>
                         <dns_dp>DNSPod.cn API</dns_dp>

From f3d517cc65ac030871b5c6e7638bb9457081f103 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 Jun 2020 14:43:25 +0200
Subject: [PATCH 0133/3088] security/acme-client: add support for Hetzner DNS
 API, closes #1870

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml     | 10 ++++++++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  |  4 ++++
 .../scripts/OPNsense/AcmeClient/certhelper.php         |  3 +++
 3 files changed, 17 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 9cdc8c369f..8ad18f5a3e 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1111,4 +1111,14 @@
         <label>API Token</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Hetzner DNS API</label>
+        <type>header</type>
+        <style>table_dns table_dns_hetzner</style>
+    </field>
+    <field>
+        <id>validation.dns_hetzner_token</id>
+        <label>API Token</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 66a93286de..2880e11619 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -387,6 +387,7 @@
                         <dns_gd>GoDaddy.com API</dns_gd>
                         <dns_gcloud>Google Cloud DNS API</dns_gcloud>
                         <dns_gdnsdk>GratisDNS.dk</dns_gdnsdk>
+                        <dns_hetzner>Hetzner DNS API</dns_hetzner>
                         <dns_hostingde>hosting.de API</dns_hostingde>
                         <dns_he>Hurricane Electric</dns_he>
                         <dns_infoblox>Infoblox API</dns_infoblox>
@@ -889,6 +890,9 @@
                 <dns_arvan_token type="TextField">
                     <Required>N</Required>
                 </dns_arvan_token>
+                <dns_hetzner_token type="TextField">
+                    <Required>N</Required>
+                </dns_hetzner_token>
             </validation>
         </validations>
         <actions>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index fc8cc6a442..7c7a6109cb 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -800,6 +800,9 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['GDNSDK_Username'] = (string)$valObj->dns_gdnsdk_user;
                 $proc_env['GDNSDK_Password'] = (string)$valObj->dns_gdnsdk_password;
                 break;
+            case 'dns_hetzner':
+                $proc_env['HETZNER_Token'] = (string)$valObj->dns_hetzner_token;
+                break;
             case 'dns_hostingde':
                 $proc_env['HOSTINGDE_ENDPOINT'] = (string)$valObj->dns_hostingde_server;
                 $proc_env['HOSTINGDE_APIKEY'] = (string)$valObj->dns_hostingde_apiKey;

From df8b86460ce38e023c00ca3068fc1e692baa39a0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 9 Jun 2020 09:35:20 +0200
Subject: [PATCH 0134/3088] mail/postfix: add description to restart action
 (#1881)

mail/postfix: add description to restart action, closes #1874
---
 mail/postfix/Makefile                                            | 1 +
 .../src/opnsense/service/conf/actions.d/actions_postfix.conf     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index a86fe025c4..4f5fea0439 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		postfix
 PLUGIN_VERSION=		1.14
+PLUGIN_REVISION= 	 	1
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/src/opnsense/service/conf/actions.d/actions_postfix.conf b/mail/postfix/src/opnsense/service/conf/actions.d/actions_postfix.conf
index 1c5f54ab70..6fcd216fa5 100644
--- a/mail/postfix/src/opnsense/service/conf/actions.d/actions_postfix.conf
+++ b/mail/postfix/src/opnsense/service/conf/actions.d/actions_postfix.conf
@@ -15,6 +15,7 @@ command:/usr/local/opnsense/scripts/OPNsense/Postfix/setup.sh;/usr/local/etc/rc.
 parameters:
 type:script
 message:restarting Postfix
+description:Restart Postfix service
 
 [status]
 command:/usr/local/etc/rc.d/postfix status;exit 0

From ac9093e450b354d9393cf51eed64075e4dc81eb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20M=C3=BCller?= <robin.mueller@outlook.de>
Date: Wed, 10 Jun 2020 01:40:21 +0200
Subject: [PATCH 0135/3088] net/haproxy: add missing acl SNI regex text field

---
 .../app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml    | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index ee8bb02837..63c55655fb 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -478,6 +478,12 @@
         <type>text</type>
         <help><![CDATA[The value of the Server Name TLS extension sent by a client ends with the specified string (suffix match).]]></help>
     </field>
+    <field>
+        <id>acl.ssl_sni_reg</id>
+        <label>SNI Regex</label>
+        <type>text</type>
+        <help><![CDATA[The value of the Server Name TLS extension sent by a client matches with the specified regular expression.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>

From 407627cd49df0c140ebc23a609d700398a59d962 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jun 2020 07:57:09 +0200
Subject: [PATCH 0136/3088] mail/postfix: fix whitespace

---
 mail/postfix/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 4f5fea0439..522d394a0d 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		postfix
 PLUGIN_VERSION=		1.14
-PLUGIN_REVISION= 	 	1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From a3913891d57f16b0a8fa0852cc50c3d5a2244a7a Mon Sep 17 00:00:00 2001
From: Andreas Rupper <61623186+andreas-rupper@users.noreply.github.com>
Date: Sat, 13 Jun 2020 22:32:41 +0200
Subject: [PATCH 0137/3088] Updated Cloudflare to use token auth and update ttl
 (#1726)

---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |   6 +-
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 133 +++++++++++-------
 dns/dyndns/src/www/services_dyndns_edit.php   |  23 ++-
 3 files changed, 106 insertions(+), 56 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 02847b288c..68b1292802 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -100,8 +100,10 @@ function dyndns_list()
         'azure' => 'Azure DNS',
         'azurev6' => 'Azure DNS (v6)',
         'citynetwork' => 'City Network',
-        'cloudflare' => 'CloudFlare',
-        'cloudflare-v6' => 'CloudFlare (v6)',
+        'cloudflare' => 'Cloudflare',
+        'cloudflare-v6' => 'Cloudflare (v6)',
+		'cloudflare-token' => 'Cloudflare w/API token',
+        'cloudflare-token-v6' => 'Cloudflare w/API token (v6)',
         'custom' => 'Custom',
         'custom-v6' => 'Custom (v6)',
         'dhs' => 'DHS',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 1b0c7b698b..7623744b89 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -26,8 +26,10 @@
  *    - DNS-O-Matic (dnsomatic.com)
  *    - Custom dynamic DNS (any URL)
  *    - Custom dynamic DNS IPv6 (any URL)
- *    - CloudFlare (www.cloudflare.com)
- *    - CloudFlare IPv6 (www.cloudflare.com)
+ *    - Cloudflare (www.cloudflare.com)
+ *    - Cloudflare IPv6 (www.cloudflare.com)
+ *    - Cloudflare API token (www.cloudflare.com)
+ *    - Cloudflare API token IPv6 (www.cloudflare.com)
  *    - Eurodns (eurodns.com)
  *    - GratisDNS (gratisdns.dk)
  *    - City Network (citynetwork.se)
@@ -58,47 +60,49 @@
  *    - _debug()
  *    - _checkIP()
  * +----------------------------------------------------+
- *  DynDNS Dynamic      - Last Tested: 12 July 2005
- *  DynDNS Static       - Last Tested: NEVER
- *  DynDNS Custom       - Last Tested: NEVER
- *  No-IP               - Last Tested: 20 July 2008
- *  HN.org              - Last Tested: 12 July 2005
- *  EasyDNS             - Last Tested: 20 July 2008
- *  DHS                 - Last Tested: 12 July 2005
- *  ZoneEdit            - Last Tested: NEVER
- *  Dyns                - Last Tested: NEVER
- *  ODS                 - Last Tested: 02 August 2005
- *  FreeDNS             - Last Tested: 23 Feb 2011
- *  Loopia              - Last Tested: NEVER
- *  StaticCling         - Last Tested: 27 April 2006
- *  DNSexit             - Last Tested: 20 July 2008
- *  Namecheap           - Last Tested: 31 August 2010
- *  HE.net              - Last Tested: 7 July 2013
- *  HE.net IPv6         - Last Tested: 7 July 2013
- *  HE.net Tunnel       - Last Tested: 28 June 2011
- *  SelfHost            - Last Tested: 26 December 2011
- *  Amazon Route53      - Last Tested: 01 April 2012
- *  DNS-O-Matic         - Last Tested: 9 September 2010
- *  CloudFlare          - Last Tested: 16 April 2019
- *  CloudFlare IPv6     - Last Tested: 16 April 2019
- *  Eurodns             - Last Tested: 25 July 2018
- *  GratisDNS           - Last Tested: 26 January 2020
- *  OVH DynHOST         - Last Tested: NEVER
- *  City Network        - Last Tested: 13 November 2013
- *  Duck DNS            - Last Tested: 04 March 2015
- *  Google Domains      - Last Tested: 20 February 2017
- *  STRATO              - Last Tested: 09 May 2017
- *  3322                - Last Tested: 26 May 2017
- *  Oray                - Last Tested: 26 May 2017
- *  regfish             - Last Tested: 15 August 2017
- *  regfish v6          - Last Tested: 15 August 2017
- *  Amazon Route53 v6   - Last Tested: 19 November 2017
- *  dynv6               - Last Tested: 25 June 2019
- *  dynv6 v6            - Last Tested: 25 June 2019
- *  DigitalOcean        - Last Tested: 25 June 2019
- *  Azure DNS           - Last Tested: 16 October 2019
- *  Linode              - Last Tested: 25 February 2020
- *  Linode v6           - Last Tested: 25 February 2020
+ *  DynDNS Dynamic              - Last Tested: 12 July 2005
+ *  DynDNS Static               - Last Tested: NEVER
+ *  DynDNS Custom               - Last Tested: NEVER
+ *  No-IP                       - Last Tested: 20 July 2008
+ *  HN.org                      - Last Tested: 12 July 2005
+ *  EasyDNS                     - Last Tested: 20 July 2008
+ *  DHS                         - Last Tested: 12 July 2005
+ *  ZoneEdit                    - Last Tested: NEVER
+ *  Dyns                        - Last Tested: NEVER
+ *  ODS                         - Last Tested: 02 August 2005
+ *  FreeDNS                     - Last Tested: 23 Feb 2011
+ *  Loopia                      - Last Tested: NEVER
+ *  StaticCling                 - Last Tested: 27 April 2006
+ *  DNSexit                     - Last Tested: 20 July 2008
+ *  Namecheap                   - Last Tested: 31 August 2010
+ *  HE.net                      - Last Tested: 7 July 2013
+ *  HE.net IPv6                 - Last Tested: 7 July 2013
+ *  HE.net Tunnel               - Last Tested: 28 June 2011
+ *  SelfHost                    - Last Tested: 26 December 2011
+ *  Amazon Route53              - Last Tested: 01 April 2012
+ *  DNS-O-Matic                 - Last Tested: 9 September 2010
+ *  Cloudflare                  - Last Tested: 16 April 2019
+ *  Cloudflare IPv6             - Last Tested: 16 April 2019
+ *  Cloudflare w/API token      - Last Tested: 13 June 2020
+ *  Cloudflare w/API token v6   - Last Tested: NEVER
+ *  Eurodns                     - Last Tested: 25 July 2018
+ *  GratisDNS                   - Last Tested: 26 January 2020
+ *  OVH DynHOST                 - Last Tested: NEVER
+ *  City Network                - Last Tested: 13 November 2013
+ *  Duck DNS                    - Last Tested: 04 March 2015
+ *  Google Domains              - Last Tested: 20 February 2017
+ *  STRATO                      - Last Tested: 09 May 2017
+ *  3322                        - Last Tested: 26 May 2017
+ *  Oray                        - Last Tested: 26 May 2017
+ *  regfish                     - Last Tested: 15 August 2017
+ *  regfish v6                  - Last Tested: 15 August 2017
+ *  Amazon Route53 v6           - Last Tested: 19 November 2017
+ *  dynv6                       - Last Tested: 25 June 2019
+ *  dynv6 v6                    - Last Tested: 25 June 2019
+ *  DigitalOcean                - Last Tested: 25 June 2019
+ *  Azure DNS                   - Last Tested: 16 October 2019
+ *  Linode                      - Last Tested: 25 February 2020
+ *  Linode v6                   - Last Tested: 25 February 2020
  * +====================================================+
  *
  * @author    E.Kristensen
@@ -251,6 +255,16 @@ class updatedns
                     $this->_error(9);
                 }
                 break;
+            case 'cloudflare-token':
+            case 'cloudflare-token-v6':
+                if (!$dnsPass) {
+                    $this->_error(4);
+                } elseif (!$dnsHost) {
+                    $this->_error(5);
+                } elseif (!$dnsTTL) {
+                    $this->_error(9);
+                }
+                break;
             default:
                 if (!$dnsUser) {
                     $this->_error(3);
@@ -271,6 +285,7 @@ class updatedns
             case 'linode-v6':
             case 'regfish-v6':
             case 'route53-v6':
+            case 'cloudflare-token-v6':
                 $this->_useIPv6 = true;
                 break;
             default:
@@ -319,6 +334,8 @@ class updatedns
                 case 'citynetwork':
                 case 'cloudflare':
                 case 'cloudflare-v6':
+                case 'cloudflare-token':
+                case 'cloudflare-token-v6':
                 case 'custom':
                 case 'custom-v6':
                 case 'dhs':
@@ -749,21 +766,35 @@ class updatedns
                 break;
             case 'cloudflare':
             case 'cloudflare-v6':
+            case 'cloudflare-token':
+            case 'cloudflare-token-v6':
                 $baseUrl = 'https://api.cloudflare.com/client/v4';
                 $fqdn = str_replace(' ', '', $this->_dnsHost);
                 $recordType = ($this->_useIPv6) ? 'AAAA' : 'A';
+                $ttlData = intval($this->_dnsTTL) < 1 ? 1 : intval($this->_dnsTTL);
                 $hostData = array(
                     "content" => "{$this->_dnsIP}",
                     "type" => $recordType,
-                    "name" => $fqdn
+                    "name" => $fqdn,
+                    "ttl" => $ttlData
                 );
 
+                // Determine if service is token based or user/password based and define appropriate header
+                if (strpos($this->_dnsService, 'token') !== false) {
+                    $headerAuth = array(
+                        "Authorization: Bearer {$this->_dnsPass}",
+                        'Content-Type: application/json'
+                    );
+                } else {
+                    $headerAuth = array(
+                        "X-Auth-Email: {$this->_dnsUser}",
+                        "X-Auth-Key: {$this->_dnsPass}",
+                        'Content-Type: application/json'
+                    );
+                }
+
                 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-                curl_setopt($ch, CURLOPT_HTTPHEADER, array(
-                    "X-Auth-Email: {$this->_dnsUser}",
-                    "X-Auth-Key: {$this->_dnsPass}",
-                    'Content-Type: application/json'
-                ));
+                curl_setopt($ch, CURLOPT_HTTPHEADER, $headerAuth);
 
                 // Get all zone info
                 $zonesUrl = "$baseUrl/zones";
@@ -1322,12 +1353,14 @@ class updatedns
                 break;
             case 'cloudflare':
             case 'cloudflare-v6':
+            case 'cloudflare-token':
+            case 'cloudflare-token-v6':
                 $output = json_decode($data);
                 if ($output->result->content === $this->_dnsIP) {
                     $status = "Dynamic DNS: (Success) {$this->_dnsHost} updated to {$this->_dnsIP}";
                     $successful_update = true;
                 } elseif ($output->errors[0]->code === 9103) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Invalid Credentials! Don't forget to use API Key for password field with CloudFlare.";
+                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Invalid Credentials! Don't forget to use API Key for password field with Cloudflare.";
                 } elseif (($output->success) && (!$output->result[0]->id)) {
                     $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Zone ID was not found.";
                 } else {
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index bb327f5d3f..bf3d92e871 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -75,7 +75,7 @@ function is_dyndns_username($uname)
     }
     $input_errors = array();
     $pconfig = $_POST;
-    if(($pconfig['type'] == "freedns" || $pconfig['type'] == "linode" || $pconfig['type'] == "linode-v6" || $pconfig['type'] == "namecheap") && $pconfig['username'] == "") {
+    if(($pconfig['type'] == "freedns" || $pconfig['type'] == "linode" || $pconfig['type'] == "linode-v6" || $pconfig['type'] == "namecheap" || $pconfig['type'] == "cloudflare-token" || $pconfig['type'] == "cloudflare-token-v6") && $pconfig['username'] == "") {
         $pconfig['username'] = "none";
     }
 
@@ -114,6 +114,8 @@ function is_dyndns_username($uname)
         switch ($pconfig['type']) {
             case 'cloudflare':
             case 'cloudflare-v6':
+            case 'cloudflare-token':
+            case 'cloudflare-token-v6':
             case 'eurodns':
             case 'googledomains':
             case 'linode':
@@ -137,6 +139,9 @@ function is_dyndns_username($uname)
         $input_errors[] = gettext("The username contains invalid characters.");
     }
 
+    if ((string)((int)$pconfig['ttl']) != $pconfig['ttl']) {
+        $input_errors[] = gettext("The TTL value needs to be a valid integer number.");
+    }
 
     if (count($input_errors) == 0) {
         $dyndns = array();
@@ -212,6 +217,15 @@ function is_dyndns_username($uname)
               case "azurev6":
                 $(".type_azure").show();
                 break;
+              case 'cloudflare':
+              case 'cloudflare-v6':
+                $(".type_default").show();
+                $(".type_cloudflare").show();
+                break;
+              case 'cloudflare-token':
+              case 'cloudflare-token-v6':
+                $(".type_cloudflare").show();
+                break;
               default:
                 $(".type_default").show();
                 break;
@@ -339,7 +353,7 @@ function is_dyndns_username($uname)
                       <?= gettext("Verify SSL peer") ?>
                     </td>
                   </tr>
-                  <tr>
+                  <tr class ="opt_field type_custom type_route53 type_azure type_default">
                     <td><a id="help_for_username" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Username") ?></td>
                     <td>
                       <input name="username" type="text" id="username" value="<?= $pconfig['username'] ?>" />
@@ -364,7 +378,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('dynv6: Leave blank.') ?>
                         <br /><?= gettext('Azure: client secret of the AD application') ?>
                         <br /><?= gettext('Linode: Enter your Personal Access Token.') ?>
-                        <br /><?= gettext('Cloudflare: Enter Global API Key.') ?>
+                        <br /><?= gettext('Cloudflare: Enter your API token or Global API key.') ?>
                       </div>
                     </td>
                   </tr>
@@ -414,12 +428,13 @@ function is_dyndns_username($uname)
                       </div>
                     </td>
                   </tr>
-                  <tr class="opt_field type_route53  type_azure">
+                  <tr class="opt_field type_route53 type_azure type_cloudflare">
                     <td><a id="help_for_ttl" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("TTL");?></td>
                     <td>
                       <input name="ttl" type="text" id="ttl" value="<?= $pconfig['ttl'] ?>" />
                       <div class="hidden" data-for="help_for_ttl">
                         <?= gettext("Choose TTL for your dns record.") ?>
+                        <br /><?= gettext('Cloudflare: value "1" means "Auto". Anything below 1 will be updated with value 1/Auto.') ?>
                       </div>
                     </td>
                   </tr>

From 8df04c75d1210a898154c022623c6157d4a4a96b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 16 Jun 2020 09:37:51 +0200
Subject: [PATCH 0138/3088] net/freeradius: fix Login-Time validation (#1887)

* Update User.xml

* Update Makefile

* Update pkg-descr
---
 net/freeradius/Makefile                                       | 2 +-
 net/freeradius/pkg-descr                                      | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml  | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 2d667aa9e1..2178cd8749 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.6
+PLUGIN_VERSION=		1.9.7
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index efb4406873..bedbd33dad 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.7
+
+* Fix Login-Time validation
+
 1.9.6
 
 * Fix log not properly parsed
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index c98c2e3157..c2432ab0b0 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -42,7 +42,7 @@
                 </vlan>
                 <logintime type="TextField">
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z\-]){1,128}$/u</mask>
+                    <mask>/^([0-9a-zA-Z\-\,]){1,128}$/u</mask>
                 </logintime>
                 <simuse type="IntegerField">
                     <Required>N</Required>

From 910d8ac7618b0a9e6e4fc31b97d73ca1d7bcf0a4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 18 Jun 2020 09:22:24 +0200
Subject: [PATCH 0139/3088] net/haproxy: add missing header, refs #1883

---
 .../mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 63c55655fb..a0a7a5b7c7 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -478,6 +478,11 @@
         <type>text</type>
         <help><![CDATA[The value of the Server Name TLS extension sent by a client ends with the specified string (suffix match).]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_ssl_sni_reg</style>
+    </field>
     <field>
         <id>acl.ssl_sni_reg</id>
         <label>SNI Regex</label>

From 28930cd881266819c7c58713c24ba48b67f15eb6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 18 Jun 2020 10:03:46 +0200
Subject: [PATCH 0140/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 9cd8c47016..b07f11984d 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		2.22
+PLUGIN_VERSION=		2.23
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de

From ff2bbcc41ebcd287c7fd1d133ee230fa3cbe0ac8 Mon Sep 17 00:00:00 2001
From: "J.Townsend" <L1ghtn1ng@users.noreply.github.com>
Date: Mon, 22 Jun 2020 14:22:05 +0100
Subject: [PATCH 0141/3088] DNS/Dnscrypt-proxy remove discontinued feeds
 (#1886)

---
 dns/dnscrypt-proxy/Makefile                   |  3 +-
 dns/dnscrypt-proxy/pkg-descr                  |  4 +
 .../models/OPNsense/Dnscryptproxy/Dnsbl.xml   |  9 --
 .../scripts/OPNsense/Dnscryptproxy/dnsbl.sh   | 93 -------------------
 4 files changed, 5 insertions(+), 104 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 0ab7f039e9..2203e70541 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index a5b69a78c9..1728cf52fe 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
+1.8
+
+* Remove 8 discontinued DNSBL lists and 2 that are not updated any more
+
 1.7
 
 * Add comment field to whitelist section
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
index 35c6c5eca9..95a89c1288 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
@@ -16,19 +16,10 @@
                 <bla>Blocklist.site Ads</bla>
                 <blf>Blocklist.site Fraud</blf>
                 <blp>Blocklist.site Phishing</blp>
-                <ca>Cameleon List</ca>
                 <el>Easy List</el>
-                <emd>EMD Malicious Domains List</emd>
                 <ep>Easyprivacy List</ep>
-                <hpa>hpHosts Ads</hpa>
-                <hpf>hpHosts FSA</hpf>
-                <hpp>hpHosts PSH</hpp>
-                <hup>hpHosts PUP</hup>
-                <ht>Hbbtv List</ht>
-                <mw>Malwaredomain List</mw>
                 <nc>NoCoin List</nc>
                 <pt>PornTop1M List</pt>
-                <rw>Ransomware Tracker List</rw>
                 <sa>Simple Ad List</sa>
                 <st>Simple Tracker List</st>
                 <sb>Steven Black List</sb>
diff --git a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
index 44c72135ca..b32d90be87 100755
--- a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
+++ b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
@@ -63,13 +63,6 @@ porntop() {
 	rm ${WORKDIR}/porntop-raw
 }
 
-emdlist() {
-	# EMD
-	${FETCH} https://hosts-file.net/emd.txt -o ${WORKDIR}/emdlist-raw
-	sed "/\.$/d" ${WORKDIR}/emdlist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/emdlist
-	rm ${WORKDIR}/emdlist-raw
-}
-
 adguard() {
 	# AdGuard
 	${FETCH} https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt -o ${WORKDIR}/adguard-raw
@@ -84,20 +77,6 @@ nocoin() {
 	rm ${WORKDIR}/nocoin-raw
 }
 
-rwtracker() {
-	# RansomWare Tracker abuse.ch
-	${FETCH} https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt -o ${WORKDIR}/rwtracker-raw
-	sed "/\.$/d" ${WORKDIR}/rwtracker-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/rwtracker
-	rm ${WORKDIR}/rwtracker-raw
-}
-
-mwdomains() {
-	# MalwareDomains
-	${FETCH} http://malwaredomains.lehigh.edu/files/justdomains -o ${WORKDIR}/malwaredomains-raw
-	sed "/\.$/d" ${WORKDIR}/malwaredomains-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/malwaredomains
-	rm ${WORKDIR}/malwaredomains-raw
-}
-
 windowsspyblockerspy() {
 	# WindowsSpyBlocker (spy)
 	${FETCH} https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt -o ${WORKDIR}/windowsspyblockerspy-raw
@@ -119,13 +98,6 @@ windowsspyblockerextra() {
 	rm ${WORKDIR}/windowsspyblockerextra-raw
 }
 
-cameleon() {
-	# Cameleon List
-	${FETCH} http://sysctl.org/cameleon/hosts -o ${WORKDIR}/cameleon-raw
-	sed "/\.$/d" ${WORKDIR}/cameleon-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/cameleon
-	rm ${WORKDIR}/cameleon-raw
-}
-
 adaway() {
 	# AdAway List
 	${FETCH} https://adaway.org/hosts.txt -o ${WORKDIR}/adaway-raw
@@ -168,41 +140,6 @@ blocklistphishing() {
         rm ${WORKDIR}/blocklistphishing-raw
 }
 
-hphosts-ads() {
-        # hphosts-ads
-        ${FETCH} https://hosts-file.net/ad_servers.txt -o ${WORKDIR}/hphosts-ads-raw
-        sed "/\.$/d" ${WORKDIR}/hphosts-ads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-ads
-        rm ${WORKDIR}/hphosts-ads-raw
-}
-
-hphosts-fsa() {
-        # hphosts-fsa
-        ${FETCH} https://hosts-file.net/fsa.txt -o ${WORKDIR}/hphosts-fsa-raw
-        sed "/\.$/d" ${WORKDIR}/hphosts-fsa-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-fsa
-        rm ${WORKDIR}/hphosts-fsa-raw
-}
-
-hphosts-psh() {
-        # hphosts-psh
-        ${FETCH} https://hosts-file.net/psh.txt -o ${WORKDIR}/hphosts-psh-raw
-        sed "/\.$/d" ${WORKDIR}/hphosts-psh-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-psh
-        rm ${WORKDIR}/hphosts-psh-raw
-}
-
-hphosts-pup() {
-        # hphosts-pup
-        ${FETCH} https://hosts-file.net/pup.txt -o ${WORKDIR}/hphosts-pup-raw
-        sed "/\.$/d" ${WORKDIR}/hphosts-pup-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-pup
-        rm ${WORKDIR}/hphosts-pup-raw
-}
-
-hbbtv() {
-	# HBBTV List
-	${FETCH} https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/hbbtv.txt -o ${WORKDIR}/hbbtv-raw
-	sed "/\.$/d" ${WORKDIR}/hbbtv-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/hbbtv
-	rm ${WORKDIR}/hbbtv-raw
-}
-
 simplead() {
 	# Simple Ad List
 	${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt -o ${WORKDIR}/simplead-raw
@@ -252,45 +189,15 @@ for CAT in $(echo ${DNSBL} | tr ',' ' '); do
 	blp)
 		blocklistphishing
 		;;
-	ca)
-		cameleon
-		;;
 	el)
 		easylist
 		;;
 	ep)
 		easyprivacy
 		;;
-	emd)
-		emdlist
-		;;
-	hpa)
-		hphosts-ads
-		;;
-	hpf)
-		hphosts-fsa
-		;;
-	hpp)
-		hphosts-psh
-		;;
-	hup)
-		hphosts-pup
-		;;
-	ht)
-		hbbtv
-		;;
 	nc)
 		nocoin
 		;;
-	rw)
-		rwtracker
-		;;
-	mw)
-		mwdomains
-		;;
-	pa)
-		#pornall
-		;;
 	pt)
 		porntop
 		;;

From a2095b9455873b7c6fd1fde0006303cb3f25c3f0 Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Tue, 23 Jun 2020 15:36:13 +0100
Subject: [PATCH 0142/3088] Correct colours in text-info and circle::before
 (#1892)

Colours incorrect on firewall.
---
 .../opnsense/www/themes/rebellion/assets/stylesheets/main.scss | 3 +--
 .../src/opnsense/www/themes/rebellion/build/css/main.css       | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
index 7c32510561..0966e503c7 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
@@ -1534,7 +1534,7 @@ a.text-success:hover {
 }
 
 .text-info {
-  color: #ffffff;
+  color: #00ffff;
 }
 
 a.text-info:hover {
@@ -9073,7 +9073,6 @@ textarea#update_status {
 
 .fa-times-circle::before {
   content: "";
-  color: #B13116;
 }
 
 .fa-refresh::before {
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
index 20f7b8761e..5d86521dff 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
@@ -1441,7 +1441,7 @@ a.text-success:hover {
 }
 
 .text-info {
-  color: #ffffff;
+  color: #00ffff;
 }
 
 a.text-info:hover {
@@ -7647,7 +7647,6 @@ textarea#update_status:hover {
 
 .fa-times-circle::before {
   content: "";
-  color: #B13116;
 }
 
 .fa-refresh::before {

From c912d0257b3b29a8622e370c5527186725b25cb8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Jun 2020 10:12:40 +0200
Subject: [PATCH 0143/3088] misc/theme-rebellion: bump revision

---
 misc/theme-rebellion/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 0fe8c84e2a..8e35cc6d81 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.8.3
+PLUGIN_VERSION=		1.8.4
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 

From 666e4d4166119e3394ad6daa3c77103cff592a3a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Jun 2020 10:13:21 +0200
Subject: [PATCH 0144/3088] README: sync

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 809eb8cc35..6d6a923032 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,7 @@ net/pptp -- End of life, no replacement
 net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
-net/tayga -- Tayga IPv6 64NAT
+net/tayga -- Tayga NAT64
 net/udpbroadcastrelay -- Control ubpbroadcastrelay processes (development only)
 net/upnp -- Universal Plug and Play Service
 net/vnstat -- vnStat is a console-based network traffic monitor
@@ -84,7 +84,7 @@ security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs r
 security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
-security/stunnel -- stunnel TLS proxy (development only)
+security/stunnel -- stunnel TLS proxy
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 sysutils/api-backup -- Provide the functionality to download the config.xml

From 2f9a887a1b22e9b94ac38914526c95dae7d6a722 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Jun 2020 11:03:20 +0200
Subject: [PATCH 0145/3088] dns/dyndns: style and naming

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 68b1292802..182091996d 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -102,8 +102,8 @@ function dyndns_list()
         'citynetwork' => 'City Network',
         'cloudflare' => 'Cloudflare',
         'cloudflare-v6' => 'Cloudflare (v6)',
-		'cloudflare-token' => 'Cloudflare w/API token',
-        'cloudflare-token-v6' => 'Cloudflare w/API token (v6)',
+        'cloudflare-token' => 'Cloudflare API token',
+        'cloudflare-token-v6' => 'Cloudflare API token (v6)',
         'custom' => 'Custom',
         'custom-v6' => 'Custom (v6)',
         'dhs' => 'DHS',

From 70b23426be3e276b44f0faf3545575bb530f3f76 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Jun 2020 14:32:36 +0200
Subject: [PATCH 0146/3088] dns/dyndns: new version

---
 dns/dyndns/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 5d6d6b59c7..1fd50c3137 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.20
+PLUGIN_VERSION=		1.21
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From ae66c9361c6e6d3c3b432ef533a7e0456ca062f2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Jun 2020 14:36:24 +0200
Subject: [PATCH 0147/3088] net/shadowsocks: bump revision

---
 net/shadowsocks/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/shadowsocks/Makefile b/net/shadowsocks/Makefile
index a49c85dff1..7a1b462f9a 100644
--- a/net/shadowsocks/Makefile
+++ b/net/shadowsocks/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		shadowsocks
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Secure socks5 proxy
 PLUGIN_DEPENDS=		shadowsocks-libev
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 5bd128a123d0ef60b16bbc17c514c8c381617925 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Jun 2020 14:38:24 +0200
Subject: [PATCH 0148/3088] security/intrusion-detection-content-snort-vrt:
 bump version

---
 security/intrusion-detection-content-snort-vrt/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/intrusion-detection-content-snort-vrt/Makefile b/security/intrusion-detection-content-snort-vrt/Makefile
index 293c238d22..d4e31d8943 100644
--- a/security/intrusion-detection-content-snort-vrt/Makefile
+++ b/security/intrusion-detection-content-snort-vrt/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		intrusion-detection-content-snort-vrt
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		IDS Snort VRT ruleset (needs registration or subscription)
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://www.snort.org/downloads#rules

From 8d10ac6a0d6145a372fb60717c1e22071828a8de Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 26 Jun 2020 14:06:35 +0200
Subject: [PATCH 0149/3088] stunnel: missing copyright section

---
 .../scripts/stunnel/identd_stunnel.py         | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py b/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
index 179103aeb7..318ba9a62b 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
+++ b/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
@@ -1,5 +1,31 @@
 #!/usr/local/bin/python3
 
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
 import os
 import sys
 import argparse

From 8353a292a8842c56911cd7414f59bc2d9403e251 Mon Sep 17 00:00:00 2001
From: "D. Domig" <x-jokay@users.noreply.github.com>
Date: Wed, 1 Jul 2020 14:58:01 +0200
Subject: [PATCH 0150/3088] Add WireGuard widget (#1865)

---
 net/wireguard/Makefile                        |  2 +-
 net/wireguard/pkg-descr                       |  6 +-
 .../conf/actions.d/actions_wireguard.conf     |  6 ++
 .../src/www/widgets/include/wireguard.inc     |  3 +
 .../www/widgets/widgets/wireguard.widget.php  | 78 +++++++++++++++++++
 5 files changed, 93 insertions(+), 2 deletions(-)
 create mode 100644 net/wireguard/src/www/widgets/include/wireguard.inc
 create mode 100644 net/wireguard/src/www/widgets/widgets/wireguard.widget.php

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 6af950a802..a0b7242e52 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index fb5515de4b..848f48597a 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,12 +16,16 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.2
+
+* Dashboard widget (contributed by D. Domig)
+
 1.1
 
 * Allow adding interface route for PBR
 
 1.0
 
-* Support for most features like S2S, Roadwarror
+* Support for most features like S2S, Roadwarrior
 * DNS, MTU, PSK
 * Allow to disable setting routes for PBR
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 22c8a042e9..eda045e381 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -39,3 +39,9 @@ command:/usr/local/bin/wg show all latest-handshakes
 parameters:
 type:script_output
 message:show Wireguard handshakes
+
+[widget]
+command:/usr/local/bin/wg show all latest-handshakes
+parameters:
+type:script_output
+message:show Wireguard handshakes for widget
diff --git a/net/wireguard/src/www/widgets/include/wireguard.inc b/net/wireguard/src/www/widgets/include/wireguard.inc
new file mode 100644
index 0000000000..78b33cc16e
--- /dev/null
+++ b/net/wireguard/src/www/widgets/include/wireguard.inc
@@ -0,0 +1,3 @@
+<?php
+
+$wireguard_title = gettext("WireGuard");
\ No newline at end of file
diff --git a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
new file mode 100644
index 0000000000..7da094ebcc
--- /dev/null
+++ b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
@@ -0,0 +1,78 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * Copyright (C) 2020 D. Domig
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("widgets/include/wireguard.inc");
+
+$data = trim(configd_run("wireguard widget"));
+
+$empty = strlen($data) == 0;
+?>
+
+<table class="table table-striped table-condensed">
+    <thead>
+        <tr>
+            <th><?= gettext("Interface") ?></th>
+            <th><?= gettext("Endpoint") ?></th>
+            <th><?= gettext("Latest Handshake") ?></th>
+        </tr>
+    </thead>
+    <tbody>
+
+<?php if (!$empty):
+    $handshakes = explode("\n", $data);
+
+    foreach ($handshakes as $handshake):
+        $item = explode("\t", $handshake);
+
+        $epoch = $item[2];
+        $latest = "-";
+        if ($epoch > 0):
+            $dt = new DateTime("@$epoch");
+            $latest = $dt->format(gettext("Y-m-d H:i:sP"));
+        endif; ?>
+
+    <tr>
+        <td><?= $item[0] ?></td>
+        <td><?= gettext(substr($item[1], 0, 10)) ?>...</td>
+        <td><?= $latest ?></td>
+    </tr>
+
+    <?php endforeach; ?>
+
+<?php else: ?>
+
+    <tr>
+        <td colspan="3"><?= gettext("No WireGuard instance defined or enabled.") ?></td>
+    </tr>
+
+<?php endif; ?>
+
+    </tbody>
+</table>

From 7f7791edca3d926da5092bd5314110ec786b45bb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 2 Jul 2020 05:42:01 +0200
Subject: [PATCH 0151/3088] net/wireguard: style sweep

---
 net/wireguard/src/www/widgets/include/wireguard.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard/src/www/widgets/include/wireguard.inc b/net/wireguard/src/www/widgets/include/wireguard.inc
index 78b33cc16e..4d93377615 100644
--- a/net/wireguard/src/www/widgets/include/wireguard.inc
+++ b/net/wireguard/src/www/widgets/include/wireguard.inc
@@ -1,3 +1,3 @@
 <?php
 
-$wireguard_title = gettext("WireGuard");
\ No newline at end of file
+$wireguard_title = gettext('WireGuard');

From 2f4514a3b243ea450d42de7ddbd940d64a2593e3 Mon Sep 17 00:00:00 2001
From: Andreas Rupper <61623186+andreas-rupper@users.noreply.github.com>
Date: Thu, 2 Jul 2020 06:53:36 +0200
Subject: [PATCH 0152/3088] dns/dyndns: added not empty validation (#1903)

---
 dns/dyndns/src/www/services_dyndns_edit.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index bf3d92e871..d13e552120 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -139,7 +139,7 @@ function is_dyndns_username($uname)
         $input_errors[] = gettext("The username contains invalid characters.");
     }
 
-    if ((string)((int)$pconfig['ttl']) != $pconfig['ttl']) {
+    if (!empty($pconfig['ttl']) && (string)((int)$pconfig['ttl']) != $pconfig['ttl']) {
         $input_errors[] = gettext("The TTL value needs to be a valid integer number.");
     }
 

From 796114f4431ff62f4a59c375aca4c4c3e898b527 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 2 Jul 2020 06:56:18 +0200
Subject: [PATCH 0153/3088] dns/dyndns: bump revision after change

---
 dns/dyndns/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 1fd50c3137..0684f27347 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.21
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From c5f133d26fecfec49763344e21c0168742f46cb8 Mon Sep 17 00:00:00 2001
From: Jontron123 <jtz123@gmail.com>
Date: Thu, 9 Jul 2020 01:32:22 -0400
Subject: [PATCH 0154/3088] Telegraf: fix flush_interval option (#1917)

The Telegraf flush_interval option is not working correctly. The option was not being added to the telegraf.conf file. Add the missing flush_interval option to the template to fix this problem.
---
 .../opnsense/service/templates/OPNsense/Telegraf/telegraf.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 08f6938033..afc552c6dc 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -28,6 +28,9 @@
 {% if helpers.exists('OPNsense.telegraf.general.collection_jitter') and OPNsense.telegraf.general.collection_jitter != '' %}
   collection_jitter = "{{ OPNsense.telegraf.general.collection_jitter }}s"
 {% endif %}
+{% if helpers.exists('OPNsense.telegraf.general.flush_interval') and OPNsense.telegraf.general.flush_interval != '' %}
+  flush_interval = "{{ OPNsense.telegraf.general.flush_interval }}s"
+{% endif %}
 {% if helpers.exists('OPNsense.telegraf.general.flush_jitter') and OPNsense.telegraf.general.flush_jitter != '' %}
   flush_jitter = "{{ OPNsense.telegraf.general.flush_jitter }}s"
 {% endif %}

From 16acd5fe7697c760787c7b2dae1eea3a7e0e05dc Mon Sep 17 00:00:00 2001
From: Micha M <github@i88.de>
Date: Thu, 9 Jul 2020 07:38:23 +0200
Subject: [PATCH 0155/3088] net-mgmt/telegraf: Fix TLS connect (#1821) (#1902)

As soon as

  insecure_skip_verify

is in the Telegraf config file, it will try to connect
using TLS to the Graphite Carbon cache server.

So this patch adds a switch to disable the default
TLS connection.

Signed-off-by: MichaM <contact-micha+github@posteo.de>
---
 .../app/controllers/OPNsense/Telegraf/forms/output.xml | 10 ++++++++--
 .../mvc/app/models/OPNsense/Telegraf/Output.xml        |  6 +++++-
 .../service/templates/OPNsense/Telegraf/telegraf.conf  |  6 ++++--
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 4594818aec..0e726a008d 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -75,7 +75,7 @@
         <id>output.graphite_server</id>
         <label>Graphite Server</label>
         <type>text</type>
-        <help>Set the IP and port where metrics shoud be sent to.</help>
+        <help>Set the IP and port where metrics shoud be sent to. Format: IP:port.</help>
     </field>
     <field>
         <id>output.graphite_prefix</id>
@@ -91,10 +91,16 @@
     </field>
     <field>
         <id>output.graphite_verify</id>
-        <label>Graphite SSL Verification</label>
+        <label>Graphite SSL/TLS Verification</label>
         <type>checkbox</type>
         <help>This will enable verification of a secure connection to Graphite. Default is disabled for compatibility reasons.</help>
     </field>
+    <field>
+        <id>output.graphite_ssl_disable</id>
+        <label>Disable Graphite SSL/TLS</label>
+        <type>checkbox</type>
+        <help>This will disable SSL/TLS connection to Graphite host. Default is encrypted connection.</help>
+    </field>
     <field>
         <id>output.graphite_tagsupport</id>
         <label>Graphite Tag Support</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index bd48099a43..7b479f0c9c 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/telegraf/output</mount>
     <description>Telegraf outputs configuration</description>
-    <version>1.4.0</version>
+    <version>1.4.1</version>
     <items>
         <influx_enable type="BooleanField">
             <default>0</default>
@@ -40,6 +40,10 @@
         <graphite_template type="TextField">
             <Required>N</Required>
         </graphite_template>
+        <graphite_ssl_disable type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </graphite_ssl_disable>
         <graphite_verify type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index afc552c6dc..84f994bc40 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -87,10 +87,12 @@
   template = "{{ OPNsense.telegraf.output.graphite_template }}"
 {%   endif %}
   timeout = 2
-{%   if helpers.exists('OPNsense.telegraf.output.graphite_verify') and OPNsense.telegraf.output.graphite_verify == '0' %}
+{%   if helpers.exists('OPNsense.telegraf.output.graphite_ssl_disable') and OPNsense.telegraf.output.graphite_ssl_disable != '1' %}
+{%     if helpers.exists('OPNsense.telegraf.output.graphite_verify') and OPNsense.telegraf.output.graphite_verify == '0' %}
   insecure_skip_verify = true
-{%   else %}
+{%     else %}
   insecure_skip_verify = false
+{%     endif %}
 {%   endif %}
 {%   if helpers.exists('OPNsense.telegraf.output.graphite_tagsupport') and OPNsense.telegraf.output.graphite_tagsupport == '1' %}
   graphite_tag_support = true

From 706ee10d42bdb723b7aee0ddff1efccc159c8490 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 9 Jul 2020 10:38:56 +0200
Subject: [PATCH 0156/3088] net-mgmt/telegraf: Version bump and credits (#1921)

---
 net-mgmt/telegraf/Makefile  | 2 +-
 net-mgmt/telegraf/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 2c0dd9078f..dff3380731 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.8.0
+PLUGIN_VERSION=		1.8.1
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 01c12dea54..4765e48ad1 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -11,6 +11,11 @@ Kafka, MQTT, NSQ, and many others.
 Plugin Changelog
 ================
 
+1.8.1
+
+* Fix 'flush interval' templating by @Jontron123
+* Add ability to disable TLS for Graphite by @primemaster
+
 1.8.0
 
 * Add InfluxDB v2 output support

From 1ceaf85ed3b8e885c237add2895d83cb887d5e73 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 17 Jul 2020 09:52:10 +0200
Subject: [PATCH 0157/3088] dns/dyndns: adapt dnsexit changes; closes #1924

---
 dns/dyndns/Makefile                                       | 2 +-
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 0684f27347..8597694285 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 7623744b89..a136f37b04 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -580,7 +580,7 @@ class updatedns
                 curl_setopt($ch, CURLOPT_URL, 'https://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass);
                 break;
             case 'dnsexit':
-                curl_setopt($ch, CURLOPT_URL, 'https://www.dnsexit.com/RemoteUpdate.sv?login=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);
+                curl_setopt($ch, CURLOPT_URL, 'https://update.dnsexit.com/RemoteUpdate.sv?login=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);
                 break;
             case 'loopia':
                 $this->_dnsWildcard = (isset($this->_dnsWildcard) && $this->_dnsWildcard == true) ? 'ON' : 'OFF';
@@ -1265,7 +1265,7 @@ class updatedns
                 }
                 break;
             case 'dnsexit':
-                if (preg_match("/is the same/i", $data)) {
+                if (preg_match("/IP not changed/i", $data)) {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Success) No Change In IP Address";
                     $successful_update = true;
                 } elseif (preg_match("/Success/i", $data)) {

From f23ab6c6349473dbb95f5c76a592b3e9aa777acd Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Fri, 17 Jul 2020 09:40:30 +0100
Subject: [PATCH 0158/3088] Fix jqtree color issue (#1919)

---
 misc/theme-rebellion/Makefile                 |   2 +-
 .../www/themes/rebellion/build/css/jqtree.css | 184 ++++++++++++++++++
 2 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jqtree.css

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 8e35cc6d81..d64b12ab93 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.8.4
+PLUGIN_VERSION=		1.8.6
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jqtree.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jqtree.css
new file mode 100644
index 0000000000..f40b4203ab
--- /dev/null
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jqtree.css
@@ -0,0 +1,184 @@
+ul.jqtree-tree {
+    list-style: none outside;
+    margin-left: 0;
+    margin-bottom: 0;
+    padding: 0;
+}
+
+    ul.jqtree-tree ul.jqtree_common {
+        list-style: none outside;
+        margin-left: 12px;
+        margin-right: 0;
+        margin-bottom: 0;
+        padding: 0;
+        display: block;
+    }
+
+    ul.jqtree-tree li.jqtree-closed > ul.jqtree_common {
+        display: none;
+    }
+
+    ul.jqtree-tree li.jqtree_common {
+        clear: both;
+        list-style-type: none;
+    }
+
+    ul.jqtree-tree .jqtree-toggler {
+        border-bottom: none;
+        color: #333;
+        text-decoration: none;
+        vertical-align: middle;
+    }
+
+    ul.jqtree-tree .jqtree-toggler:hover {
+            color: #000;
+            text-decoration: none;
+        }
+
+    ul.jqtree-tree .jqtree-toggler.jqtree-closed {
+            background-position: 0 0;
+        }
+
+    ul.jqtree-tree .jqtree-toggler.jqtree-toggler-left {
+            margin-right: 0.5em;
+        }
+
+    ul.jqtree-tree .jqtree-toggler.jqtree-toggler-right {
+            margin-left: 0.5em;
+        }
+
+    ul.jqtree-tree .jqtree-element {
+        cursor: pointer;
+        position: relative;
+        display: -webkit-box;
+        display: flex;
+    }
+
+    ul.jqtree-tree .jqtree-title {
+        color: #cccccc;
+        vertical-align: middle;
+        margin-left: 1.5em;
+    }
+
+    ul.jqtree-tree .jqtree-title.jqtree-title-folder {
+            margin-left: 0;
+        }
+
+    ul.jqtree-tree li.jqtree-folder {
+        margin-bottom: 4px;
+    }
+
+    ul.jqtree-tree li.jqtree-folder.jqtree-closed {
+            margin-bottom: 1px;
+        }
+
+    ul.jqtree-tree li.jqtree-ghost {
+        position: relative;
+        z-index: 10;
+        margin-right: 10px;
+    }
+
+    ul.jqtree-tree li.jqtree-ghost span {
+            display: block;
+        }
+
+    ul.jqtree-tree li.jqtree-ghost span.jqtree-circle {
+            border: solid 2px #0000ff;
+            border-radius: 100px;
+            height: 8px;
+            width: 8px;
+            position: absolute;
+            top: -4px;
+            left: -6px;
+            box-sizing: border-box;
+        }
+
+    ul.jqtree-tree li.jqtree-ghost span.jqtree-line {
+            background-color: #0000ff;
+            height: 2px;
+            padding: 0;
+            position: absolute;
+            top: -1px;
+            left: 2px;
+            width: 100%;
+        }
+
+    ul.jqtree-tree li.jqtree-ghost.jqtree-inside {
+            margin-left: 48px;
+        }
+
+    ul.jqtree-tree span.jqtree-border {
+        position: absolute;
+        display: block;
+        left: -2px;
+        top: 0;
+        border: solid 2px #0000ff;
+        border-radius: 6px;
+        margin: 0;
+        box-sizing: content-box;
+    }
+
+    ul.jqtree-tree li.jqtree-selected > .jqtree-element,
+    ul.jqtree-tree li.jqtree-selected > .jqtree-element:hover {
+        background-color: #97BDD6;
+        background: -webkit-gradient(linear, left top, left bottom, from(#BEE0F5), to(#89AFCA));
+        background: linear-gradient(#BEE0F5, #89AFCA);
+        text-shadow: 0 1px 0 rgba(255, 255, 255, 0.7);
+    }
+
+    ul.jqtree-tree .jqtree-moving > .jqtree-element .jqtree-title {
+        outline: dashed 1px #0000ff;
+    }
+
+ul.jqtree-tree.jqtree-rtl {
+    direction: rtl;
+}
+
+ul.jqtree-tree.jqtree-rtl ul.jqtree_common {
+        margin-left: 0;
+        margin-right: 12px;
+    }
+
+ul.jqtree-tree.jqtree-rtl .jqtree-toggler {
+        margin-left: 0.5em;
+        margin-right: 0;
+    }
+
+ul.jqtree-tree.jqtree-rtl .jqtree-title {
+        margin-left: 0;
+        margin-right: 1.5em;
+    }
+
+ul.jqtree-tree.jqtree-rtl .jqtree-title.jqtree-title-folder {
+            margin-right: 0;
+        }
+
+ul.jqtree-tree.jqtree-rtl li.jqtree-ghost {
+        margin-right: 0;
+        margin-left: 10px;
+    }
+
+ul.jqtree-tree.jqtree-rtl li.jqtree-ghost span.jqtree-circle {
+            right: -6px;
+        }
+
+ul.jqtree-tree.jqtree-rtl li.jqtree-ghost span.jqtree-line {
+            right: 2px;
+        }
+
+ul.jqtree-tree.jqtree-rtl li.jqtree-ghost.jqtree-inside {
+            margin-left: 0;
+            margin-right: 48px;
+        }
+
+ul.jqtree-tree.jqtree-rtl span.jqtree-border {
+        right: -2px;
+    }
+
+span.jqtree-dragging {
+    color: #fff;
+    background: #000;
+    opacity: 0.6;
+    cursor: pointer;
+    padding: 2px 8px;
+}

From 274739bc19dafa4204276979d49dea577b5b94da Mon Sep 17 00:00:00 2001
From: Yvan da Silva <yvan.m.silva@gmail.com>
Date: Fri, 17 Jul 2020 10:45:06 +0200
Subject: [PATCH 0159/3088] Add GoDaddy DynDNS API support (#1654)

Based on the following documentation https://developer.godaddy.com/
This adds support for GoDaddy DynDNS REST API.
---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |  2 +
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 64 +++++++++++++++++++
 dns/dyndns/src/www/services_dyndns_edit.php   |  4 ++
 3 files changed, 70 insertions(+)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 182091996d..ac717b7477 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -120,6 +120,8 @@ function dyndns_list()
         'easydns' => 'easyDNS',
         'eurodns' => 'EuroDNS',
         'freedns' => 'freeDNS',
+        'godaddy' => 'GoDaddy',
+        'godaddy-v6' => 'GoDaddy (v6)',
         'googledomains' => 'Google Domains',
         'gratisdns' => 'GratisDNS',
         'he-net' => 'HE.net',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index a136f37b04..bb4d96f3f1 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -45,6 +45,8 @@
  *    - Azure DNS (azure.microsoft.com)
  *    - Linode (linode.com)
  *    - Linode IPv6 (linode.com)
+ *    - GoDaddy (godaddy.com)
+ *    - GoDaddy IPv6 (godaddy.com)
  * +----------------------------------------------------+
  *  Requirements:
  *    - PHP version 4.0.2 or higher with the CURL Library and the PCRE Library
@@ -103,6 +105,8 @@
  *  Azure DNS                   - Last Tested: 16 October 2019
  *  Linode                      - Last Tested: 25 February 2020
  *  Linode v6                   - Last Tested: 25 February 2020
+ *  GoDaddy                     - Last Tested: 10 July 2020
+ *  GoDaddy v6                  - Last Tested: 10 July 2020
  * +====================================================+
  *
  * @author    E.Kristensen
@@ -282,6 +286,7 @@ class updatedns
             case 'custom-v6':
             case 'dynv6-v6':
             case 'he-net-v6':
+            case 'godaddy-v6':
             case 'linode-v6':
             case 'regfish-v6':
             case 'route53-v6':
@@ -352,6 +357,8 @@ class updatedns
                 case 'easydns':
                 case 'eurodns':
                 case 'freedns':
+                case 'godaddy':
+                case 'godaddy-v6':
                 case 'googledomains':
                 case 'gratisdns':
                 case 'he-net':
@@ -1090,6 +1097,46 @@ class updatedns
                 curl_setopt($ch, CURLOPT_HEADER, 1);
                 curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
                 break;
+            case 'godaddy':
+            case 'godaddy-v6':
+                /* Read https://developer.godaddy.com/ for API documentation */
+                $baseApiUrl = 'https://api.godaddy.com/v1/domains/';
+                $recordType = $this->_useIPv6 ? "AAAA" : "A";
+                $splitHost = explode('.', trim($this->_dnsHost));
+                $dnsDomain = '*';
+                if ($this->_dnsWildcard != 'ON') {
+                    $dnsDomain = array_shift($splitHost);
+                }
+                $dnsHost = implode('.', $splitHost);
+
+                $url = $baseApiUrl  . $dnsHost . '/records/' . $recordType . '/' . $dnsDomain;
+
+                /* body can contain multiple options (data, port, priority, service, ttl, weight) */
+                $data = array();
+                $data[] = array('data' => $this->_dnsIP);
+                if ($this->_dnsTTL) {
+                    $data[0]['ttl'] = $this->_dnsTTL;
+                } else {
+                    // minimum allowed by GoDaddy
+                    $data[0]['ttl'] = 600;
+                }
+                $jsonBody = json_encode($data);
+                if ($this->_dnsVerboseLog) {
+                    log_error("Dynamic DNS: calling $url with body: $jsonBody");
+                }
+
+                /* PUT JSON /v1/domains/{domain}/records/{type}/{name} */
+                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+                curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
+                curl_setopt($ch, CURLOPT_HTTPHEADER, array(
+                        'Accept: application/json',
+                        'Content-Type: application/json',
+                        'Authorization: sso-key ' . $this->_dnsUser . ':' . $this->_dnsPass
+                ));
+                curl_setopt($ch, CURLOPT_URL, $url);
+
+                curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonBody);
+                break;
             default:
                 break;
         }
@@ -1537,6 +1584,23 @@ class updatedns
                     $this->_debug($data);
                 }
                 break;
+            case 'godaddy':
+            case 'godaddy-v6':
+                /* See https://developer.godaddy.com/ for API documentation, not all codes are handled. */
+                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+                $successful_update = false;
+                if ($http_code == 200) {
+                    $status = 'Dynamic DNS: (Success) IP Address Updated Successfully!';
+                    $successful_update = true;
+                } else if ($http_code == 401) {
+                    $status = 'Dynamic DNS: (Error) Authentication info not sent or invalid';
+                }else if ($http_code == 404) {
+                    $status = 'Dynamic DNS: (Error) Resource not found';
+                } else {
+                    $status = "Dynamic DNS: (Error) Repsonse not handled check the following: {$data}";
+                    log_error("Dynamic DNS: (Error) HTTPS Status: {$http_code} PAYLOAD: {$data}");
+                }
+                break;
             default:
                 break;
         }
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index d13e552120..3db2e4e0fb 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -117,6 +117,8 @@ function is_dyndns_username($uname)
             case 'cloudflare-token':
             case 'cloudflare-token-v6':
             case 'eurodns':
+            case 'godaddy':
+            case 'godaddy-v6':
             case 'googledomains':
             case 'linode':
             case 'linode-v6':
@@ -364,6 +366,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('dynv6: Enter your Token.') ?>
                         <br /><?= gettext('Azure: Enter your Azure AD application ID.') ?>
                         <br /><?= gettext('For Custom Entries, Username and Password represent HTTP Authentication username and passwords.') ?>
+                        <br /><?= gettext('GoDaddy: Enter your API Key Token.') ?>
                       </div>
                     </td>
                   </tr>
@@ -379,6 +382,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('Azure: client secret of the AD application') ?>
                         <br /><?= gettext('Linode: Enter your Personal Access Token.') ?>
                         <br /><?= gettext('Cloudflare: Enter your API token or Global API key.') ?>
+                        <br /><?= gettext('GoDaddy: Enter your API Secret Token.') ?>
                       </div>
                     </td>
                   </tr>

From ca59a6105778e361d575a6188e49f485fc675aeb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 17 Jul 2020 10:55:31 +0200
Subject: [PATCH 0160/3088] dns/dyndns: version 1.22 then

---
 dns/dyndns/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 8597694285..7911cd8872 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.22
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 8b871922d5e4f0a1b5ebcc47843c3f4c09938880 Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Mon, 20 Jul 2020 15:13:59 +0200
Subject: [PATCH 0161/3088] Add support for aggregation and Graphite Separate
 Instances to Collectd plugin, add 2 plugins to collectd (#1927)

* Fix indentation

* Make Graphite separate instances configurable

* Add configuration to send CPU aggregate values

* Remove superfluous blank lines

* Fix inconsistent capitalisation

* Add blank line between plugin sections

* Add option to send CPU metrics as percent values

* Fix inconsistent indentation

* Fix inconsistent indentation

* Add CPU temperature plugin

* Add disk I/O plugin, remove CPU temperature plugin - it's not available

* Add swap plugin

* Fix misplaced `endif` in jinja template
---
 .../OPNsense/Collectd/forms/general.xml       | 36 +++++++++++-
 .../app/models/OPNsense/Collectd/General.xml  | 44 +++++++++++----
 .../templates/OPNsense/Collectd/collectd.conf | 55 +++++++++++++++----
 3 files changed, 109 insertions(+), 26 deletions(-)

diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
index 3e588da00f..1b60bf26fa 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
@@ -85,16 +85,22 @@
     </field>
     <field>
         <id>general.p_graphite_prefix</id>
-        <label>Graphite Prefix</label>
+        <label>Graphite prefix</label>
         <type>text</type>
         <help>Prefix to set before the hostname. If it ends with a dot it creates an own directory.</help>
     </field>
     <field>
         <id>general.p_graphite_postfix</id>
-        <label>Graphite Postfix</label>
+        <label>Graphite postfix</label>
         <type>text</type>
         <help>String to set after the hostname. For compatibility reason default is collectd, but you can also simply remove it.</help>
     </field>
+    <field>
+        <id>general.p_graphite_separate_instances</id>
+        <label>Graphite separate instances</label>
+        <type>checkbox</type>
+        <help>Enabling sends the plugin instance and type instance to Graphite as separate path components: host.cpu.0.cpu.idle. Disabling sends the plugin and plugin instance as one path component and type and type instance as another component: host.cpu-0.cpu-idle.</help>
+    </field>
     <field>
         <id>general.p_contextswitch_enable</id>
         <label>Enable contextswitch plugin</label>
@@ -107,6 +113,24 @@
         <type>checkbox</type>
         <help>The CPU plugin collects the amount of time spent by the CPU in various states, most notably executing user code, executing system code, waiting for IO-operations and being idle.</help>
     </field>
+    <field>
+        <id>general.p_cpu_percent</id>
+        <label>Report cpu usage in percent</label>
+        <type>checkbox</type>
+        <help>When set, report CPU usage in percent instead of units of kernel time.</help>
+    </field>
+    <field>
+        <id>general.p_cpu_aggregates</id>
+        <label>Enable cpu aggregates</label>
+        <type>checkbox</type>
+        <help>Send aggregate values for CPU metrics in addition to values for individual cores.</help>
+    </field>
+    <field>
+        <id>general.p_disk_enable</id>
+        <label>Enable disk plugin</label>
+        <type>checkbox</type>
+        <help>The Disk plugin collects disk I/O information, i.e. read and write operations per second.</help>
+    </field>
     <field>
         <id>general.p_df_enable</id>
         <label>Enable df plugin</label>
@@ -129,7 +153,13 @@
         <id>general.p_memory_enable</id>
         <label>Enable memory plugin</label>
         <type>checkbox</type>
-        <help>The Memory plugin collects physical memory utilization (Used, buffered, cached and free).</help>
+        <help>The Memory plugin collects physical memory utilization (used, buffered, cached and free).</help>
+    </field>
+    <field>
+        <id>general.p_swap_enable</id>
+        <label>Enable swap plugin</label>
+        <type>checkbox</type>
+        <help>The Swap plugin collects swap space utilization (used and free).</help>
     </field>
     <field>
         <id>general.p_processes_enable</id>
diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
index 9dd07f44ab..960a6ed4eb 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
@@ -38,18 +38,18 @@
         </p_network_port>
         <p_network_username type="TextField">
             <default></default>
-	    <Required>N</Required>
-	    <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
-	</p_network_username>
-        <p_network_password type="TextField">
-            <default></default>
-	    <Required>N</Required>
-	    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){1,128}$/u</mask>
-	</p_network_password>
-        <p_network_encryption type="BooleanField">
-            <default>0</default>
-	    <Required>N</Required>
-	</p_network_encryption>
+            <Required>N</Required>
+            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+        </p_network_username>
+            <p_network_password type="TextField">
+                <default></default>
+            <Required>N</Required>
+            <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){1,128}$/u</mask>
+        </p_network_password>
+            <p_network_encryption type="BooleanField">
+                <default>0</default>
+            <Required>N</Required>
+        </p_network_encryption>
         <p_graphite_enable type="BooleanField">
             <default>0</default>
             <Required>N</Required>
@@ -77,6 +77,10 @@
             <default>collectd</default>
             <Required>N</Required>
         </p_graphite_postfix>
+        <p_graphite_separate_instances type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </p_graphite_separate_instances>
         <p_contextswitch_enable type="BooleanField">
             <default>1</default>
             <Required>N</Required>
@@ -85,6 +89,18 @@
             <default>1</default>
             <Required>N</Required>
         </p_cpu_enable>
+        <p_cpu_percent type="BooleanField">
+            <default>1</default>
+            <Required>N</Required>
+        </p_cpu_percent>
+        <p_cpu_aggregates type="BooleanField">
+            <default>1</default>
+            <Required>N</Required>
+        </p_cpu_aggregates>
+        <p_disk_enable type="BooleanField">
+            <default>1</default>
+            <Required>N</Required>
+        </p_disk_enable>
         <p_df_enable type="BooleanField">
             <default>1</default>
             <Required>N</Required>
@@ -101,6 +117,10 @@
             <default>1</default>
             <Required>N</Required>
         </p_memory_enable>
+        <p_swap_enable type="BooleanField">
+            <default>1</default>
+            <Required>N</Required>
+        </p_swap_enable>
         <p_processes_enable type="BooleanField">
             <default>1</default>
             <Required>N</Required>
diff --git a/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd.conf b/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd.conf
index b91d93af72..15af1eae7b 100644
--- a/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd.conf
+++ b/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd.conf
@@ -1,5 +1,4 @@
 {% if helpers.exists('OPNsense.collectd.general.enabled') and OPNsense.collectd.general.enabled == '1' %}
-
 {% if helpers.exists('OPNsense.collectd.general.hostname') and OPNsense.collectd.general.hostname != '' %}
 Hostname    "{{ OPNsense.collectd.general.hostname }}"
 {% else %}
@@ -12,12 +11,9 @@ FQDNLookup    true
 Interval    {{ OPNsense.collectd.general.interval }}
 {% endif %}
 
-
-
-
 LoadPlugin syslog
 <Plugin syslog>
-       LogLevel err
+  LogLevel err
 </Plugin>
 
 {% if helpers.exists('OPNsense.collectd.general.p_contextswitch_enable') and OPNsense.collectd.general.p_contextswitch_enable == '1' %}
@@ -26,6 +22,12 @@ LoadPlugin contextswitch
 {% if helpers.exists('OPNsense.collectd.general.p_cpu_enable') and OPNsense.collectd.general.p_cpu_enable == '1' %}
 LoadPlugin cpu
 {% endif %}
+{% if helpers.exists('OPNsense.collectd.general.p_cpu_aggregates') and OPNsense.collectd.general.p_cpu_aggregates == '1' %}
+LoadPlugin aggregation
+{% endif %}
+{% if helpers.exists('OPNsense.collectd.general.p_disk_enable') and OPNsense.collectd.general.p_disk_enable == '1' %}
+LoadPlugin disk
+{% endif %}
 {% if helpers.exists('OPNsense.collectd.general.p_df_enable') and OPNsense.collectd.general.p_df_enable == '1' %}
 LoadPlugin df
 {% endif %}
@@ -38,6 +40,9 @@ LoadPlugin load
 {% if helpers.exists('OPNsense.collectd.general.p_memory_enable') and OPNsense.collectd.general.p_memory_enable == '1' %}
 LoadPlugin memory
 {% endif %}
+{% if helpers.exists('OPNsense.collectd.general.p_swap_enable') and OPNsense.collectd.general.p_swap_enable == '1' %}
+LoadPlugin swap
+{% endif %}
 {% if helpers.exists('OPNsense.collectd.general.p_network_enable') and OPNsense.collectd.general.p_network_enable == '1' %}
 LoadPlugin network
 {% endif %}
@@ -65,19 +70,19 @@ LoadPlugin write_graphite
 {%   if helpers.exists('OPNsense.collectd.general.p_network_host') and OPNsense.collectd.general.p_network_host != '' %}
 {%     if helpers.exists('OPNsense.collectd.general.p_network_port') and OPNsense.collectd.general.p_network_port != '' %}
 <Plugin network>
-        <Server "{{ OPNsense.collectd.general.p_network_host }}" "{{ OPNsense.collectd.general.p_network_port }}">
+  <Server "{{ OPNsense.collectd.general.p_network_host }}" "{{ OPNsense.collectd.general.p_network_port }}">
 {%       if helpers.exists('OPNsense.collectd.general.p_network_username') and OPNsense.collectd.general.p_network_username != '' %}
-                Username "{{ OPNsense.collectd.general.p_network_username }}"
+    Username "{{ OPNsense.collectd.general.p_network_username }}"
 {%       endif %}
 {%       if helpers.exists('OPNsense.collectd.general.p_network_password') and OPNsense.collectd.general.p_network_password != '' %}
-                Password "{{ OPNsense.collectd.general.p_network_password }}"
+    Password "{{ OPNsense.collectd.general.p_network_password }}"
 {%       endif %}
 {%       if helpers.exists('OPNsense.collectd.general.p_network_username') and OPNsense.collectd.general.p_network_username != '' %}
 {%         if helpers.exists('OPNsense.collectd.general.p_network_encryption') and OPNsense.collectd.general.p_network_encryption == '1' %}
-                SecurityLevel Encrypt
+    SecurityLevel Encrypt
 {%         endif %}
 {%       endif %}
-        </Server>
+  </Server>
 </Plugin>
 {%     endif %}
 {%   endif %}
@@ -101,11 +106,15 @@ LoadPlugin write_graphite
 {%     endif %}
 {%     if helpers.exists('OPNsense.collectd.general.p_graphite_postfix') and OPNsense.collectd.general.p_graphite_postfix != '' %}
     Postfix "{{ OPNsense.collectd.general.p_graphite_postfix }}"
+{%     endif %}
+{%     if helpers.exists('OPNsense.collectd.general.p_graphite_separate_instances') and OPNsense.collectd.general.p_graphite_separate_instances == '1' %}
+    SeparateInstances true
+{%     else %}
+    SeparateInstances false
 {%     endif %}
     StoreRates true
     AlwaysAppendDS false
     EscapeCharacter "_"
-    SeparateInstances false
     PreserveSeparator false
     DropDuplicateFields false
   </Node>
@@ -113,4 +122,28 @@ LoadPlugin write_graphite
 {%   endif %}
 {% endif %}
 
+<Plugin cpu>
+{% if helpers.exists('OPNsense.collectd.general.p_cpu_percent') and OPNsense.collectd.general.p_cpu_percent == '1' %}
+  ValuesPercentage true
+{% else %}
+  ValuesPercentage false
+{% endif %}
+</Plugin>
+
+{% if helpers.exists('OPNsense.collectd.general.p_cpu_aggregates') and OPNsense.collectd.general.p_cpu_aggregates == '1' %}
+<Plugin "aggregation">
+  <Aggregation>
+    Plugin "cpu"
+    Type "percent"
+    GroupBy "Host"
+    GroupBy "TypeInstance"
+    CalculateNum false
+    CalculateSum true
+    CalculateAverage true
+    CalculateMinimum false
+    CalculateMaximum false
+    CalculateStddev false
+  </Aggregation>
+</Plugin>
+{% endif %}
 {% endif %}

From 6a74c2d4f4b5d9af6bb70cefe90f7d08065d9467 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 20 Jul 2020 16:37:59 +0200
Subject: [PATCH 0162/3088] net-mgmt/collectd: bump version, add changelog and
 credits (#1929)

---
 net-mgmt/collectd/Makefile                    |  2 +-
 net-mgmt/collectd/pkg-descr                   | 25 +++++++++++++++++++
 .../OPNsense/Collectd/forms/general.xml       | 12 +++++++++
 .../app/models/OPNsense/Collectd/General.xml  |  2 +-
 4 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/collectd/Makefile b/net-mgmt/collectd/Makefile
index fa38e96c0d..a67fb72124 100644
--- a/net-mgmt/collectd/Makefile
+++ b/net-mgmt/collectd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		collectd
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Collect system and application performance metrics periodically
 PLUGIN_DEPENDS=		collectd5
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/collectd/pkg-descr b/net-mgmt/collectd/pkg-descr
index cfacb9279b..06744d71e5 100644
--- a/net-mgmt/collectd/pkg-descr
+++ b/net-mgmt/collectd/pkg-descr
@@ -3,4 +3,29 @@ performance metrics periodically and provides mechanisms
 to store the values in a variety of ways, for example
 in RRD files.
 
+
+Plugin Changelog
+================
+
+1.3
+
+* Add support for CPU aggregation (contributed by @pmhausen)
+* Make Graphite separate instances configurable (contributed by @pmhausen)
+* Add disk I/O plugin (contributed by @pmhausen)
+
+1.2 
+
+* Make Hostname optional
+
+1.1
+
+* Add prefix and postfix fields for Graphite
+
+1.0
+
+* Allow exporting to network
+* Allow exporting to Graphite
+* Allow usage of most important plugins
+
+
 WWW: http://www.collectd.org
diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
index 1b60bf26fa..6e05b7ca87 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
@@ -1,4 +1,8 @@
 <form>
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
     <field>
         <id>general.enabled</id>
         <label>Enable</label>
@@ -23,6 +27,10 @@
         <type>text</type>
         <help>Global interval when to fetch values in seconds.</help>
     </field>
+    <field>
+        <type>section_title</type>
+        <label>Output Plugins</label>
+    </field>
     <field>
         <id>general.p_network_enable</id>
         <label>Enable network plugin</label>
@@ -101,6 +109,10 @@
         <type>checkbox</type>
         <help>Enabling sends the plugin instance and type instance to Graphite as separate path components: host.cpu.0.cpu.idle. Disabling sends the plugin and plugin instance as one path component and type and type instance as another component: host.cpu-0.cpu-idle.</help>
     </field>
+    <field>
+        <type>section_title</type>
+        <label>Input Plugins</label>
+    </field>
     <field>
         <id>general.p_contextswitch_enable</id>
         <label>Enable contextswitch plugin</label>
diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
index 960a6ed4eb..b87d8f5ffb 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/collectd/general</mount>
     <description>Collectd configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>

From f34342da10109ea4e782f8758a448c7480b984c9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Jul 2020 13:10:23 +0200
Subject: [PATCH 0163/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index d4dd30ef24..b88f03b560 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,7 @@
 Copyright (c) 2015-2020 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
+Copyright (c) 2020 D. Domig
 Copyright (c) 2011 Dan Myers
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2014-2020 Deciso B.V.

From f978efa3a76dac1696a583a1c1112c7e05ce897a Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 22 Jul 2020 22:53:39 +0200
Subject: [PATCH 0164/3088] net/wireguard: remove beta warning (#1931)

---
 .../opnsense/mvc/app/views/OPNsense/Wireguard/general.volt    | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
index fdbdf9a9a0..fa720d7042 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -36,10 +36,6 @@ POSSIBILITY OF SUCH DAMAGE.
     <li><a data-toggle="tab" href="#showhandshake">{{ lang._('Handshakes') }}</a></li>
 </ul>
 
-<div class="alert alert-warning" role="alert" style="min-height:65px;">
-  <div style="margin-top: 8px;">{{ lang._('The WireGuard VPN software is still in experimental state, use with caution.') }}</div>
-</div>
-
 <div class="tab-content content-box tab-content">
     <div id="general" class="tab-pane fade in active">
         <div class="content-box" style="padding-bottom: 1.5em;">

From 44413f47f438574a91bf7cf8c86516991273d1c5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 23 Jul 2020 08:15:32 +0200
Subject: [PATCH 0165/3088] net-mgmt/collectd: lint fix

---
 net-mgmt/collectd/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/collectd/pkg-descr b/net-mgmt/collectd/pkg-descr
index 06744d71e5..a350d3e2bc 100644
--- a/net-mgmt/collectd/pkg-descr
+++ b/net-mgmt/collectd/pkg-descr
@@ -13,7 +13,7 @@ Plugin Changelog
 * Make Graphite separate instances configurable (contributed by @pmhausen)
 * Add disk I/O plugin (contributed by @pmhausen)
 
-1.2 
+1.2
 
 * Make Hostname optional
 

From 1685999b9dd5cc659d99901d2eada79a8fa98c16 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 24 Jul 2020 23:23:30 +0200
Subject: [PATCH 0166/3088] net/haproxy: honor sort order of all rules, fixes
 #1925, refs #999

This partially reverts 1f9250e15bdca9601535378b8a5b72fa3ab557f6.
---
 .../templates/OPNsense/HAProxy/haproxy.conf      | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index d3d4296893..bb61aa948d 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -44,7 +44,6 @@
 {#     # remember all ACLs to avoid duplicate declarations #}
 {%     set acls_seen = [] %}
 {%     set global_action_options = [] %}
-{%     set global_use_options = [] %}
 {%     for action in linkedData.split(",") %}
 {%       set action_data = helpers.getUUID(action) %}
 {#       # collect ACLs for this action #}
@@ -307,11 +306,10 @@
 {%       if acl_errors|int == 0 %}
 {%         set action_enabled = '1' %}
 {%         set action_options = [] %}
-{%         set use_options = [] %}
 {%         if action_data.type == 'use_backend' %}
 {%           if action_data.use_backend|default("") != "" %}
 {%             set acl_backend_data = helpers.getUUID(action_data.use_backend) %}
-{%             do use_options.append('use_backend ' ~ acl_backend_data.name) %}
+{%             do action_options.append('use_backend ' ~ acl_backend_data.name) %}
 {%           else %}
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
@@ -319,7 +317,7 @@
 {%         elif action_data.type == 'use_server' %}
 {%           if action_data.use_server|default("") != "" %}
 {%             set server_data = helpers.getUUID(action_data.use_server) %}
-{%             do use_options.append('use-server ' ~ server_data.name) %}
+{%             do action_options.append('use-server ' ~ server_data.name) %}
 {%           else %}
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
@@ -337,7 +335,7 @@
 {%               set defaultbackend_option = '' %}
 {%             endif %}
 {#             # Finally add map file to config #}
-{%             do use_options.append('use_backend %[req.hdr(host),lower,map_dom(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
+{%             do action_options.append('use_backend %[req.hdr(host),lower,map_dom(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
 {%           else %}
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
@@ -554,10 +552,6 @@
 {%             do global_action_options.append(comment_lines|join('\n')) %}
 {%             do global_action_options.append(([action_options|join(' '), acl_line]|join(' '))) %}
 {%           endif %}
-{%           if use_options|length > 0 %}
-{%             do global_use_options.append(comment_lines|join('\n')) %}
-{%             do global_use_options.append(([use_options|join(' '), acl_line]|join(' '))) %}
-{%           endif %}
 {%         else %}
     # ACTION INVALID: {{action_data.name}}
 {%         endif %}
@@ -569,10 +563,6 @@
 
 {%     if global_action_options|length > 0 %}
     {{global_action_options|join('\n' + '    ')}}
-
-{%     endif %}
-{%     if global_use_options|length > 0 %}
-    {{global_use_options|join('\n' + '    ')}}
 {%     endif %}
 {%   else %}
 # ERROR: AclsAndActions called with empty data

From d39344b88202a817006fd8210d1824145afa36f9 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 25 Jul 2020 08:00:18 +0200
Subject: [PATCH 0167/3088] net-mgmt/zabbix5-proxy: move to v5 (#1932)

---
 net-mgmt/zabbix4-proxy/Makefile               |   1 +
 net-mgmt/zabbix5-proxy/Makefile               |   8 +
 net-mgmt/zabbix5-proxy/pkg-descr              |  26 ++++
 .../src/etc/inc/plugins.inc.d/zabbixproxy.inc |  49 ++++++
 .../Zabbixproxy/Api/GeneralController.php     |  39 +++++
 .../Zabbixproxy/Api/ServiceController.php     |  47 ++++++
 .../Zabbixproxy/GeneralController.php         |  38 +++++
 .../OPNsense/Zabbixproxy/forms/general.xml    | 145 ++++++++++++++++++
 .../models/OPNsense/Zabbixproxy/ACL/ACL.xml   |   9 ++
 .../models/OPNsense/Zabbixproxy/General.php   |  35 +++++
 .../models/OPNsense/Zabbixproxy/General.xml   | 107 +++++++++++++
 .../models/OPNsense/Zabbixproxy/Menu/Menu.xml |   5 +
 .../views/OPNsense/Zabbixproxy/general.volt   |  60 ++++++++
 .../scripts/OPNsense/Zabbixproxy/setup.sh     |  16 ++
 .../conf/actions.d/actions_zabbixproxy.conf   |  23 +++
 .../templates/OPNsense/Zabbixproxy/+TARGETS   |   3 +
 .../OPNsense/Zabbixproxy/zabbix_proxy         |   6 +
 .../OPNsense/Zabbixproxy/zabbix_proxy.conf    |  76 +++++++++
 .../OPNsense/Zabbixproxy/zabbix_proxy.psk     |   5 +
 19 files changed, 698 insertions(+)
 create mode 100644 net-mgmt/zabbix5-proxy/Makefile
 create mode 100644 net-mgmt/zabbix5-proxy/pkg-descr
 create mode 100644 net-mgmt/zabbix5-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk

diff --git a/net-mgmt/zabbix4-proxy/Makefile b/net-mgmt/zabbix4-proxy/Makefile
index ed0fea33a0..ae1fd3930c 100644
--- a/net-mgmt/zabbix4-proxy/Makefile
+++ b/net-mgmt/zabbix4-proxy/Makefile
@@ -2,6 +2,7 @@ PLUGIN_NAME=		zabbix4-proxy
 PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
 PLUGIN_DEPENDS=		zabbix4-proxy
+PLUGIN_CONFLICTS=   zabbix5-proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix5-proxy/Makefile b/net-mgmt/zabbix5-proxy/Makefile
new file mode 100644
index 0000000000..89d4d33dde
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		zabbix5-proxy
+PLUGIN_VERSION=		1.3
+PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
+PLUGIN_DEPENDS=		zabbix5-proxy
+PLUGIN_CONFLICTS=   zabbix4-proxy
+PLUGIN_MAINTAINER=	m.muenz@gmail.com
+
+.include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix5-proxy/pkg-descr b/net-mgmt/zabbix5-proxy/pkg-descr
new file mode 100644
index 0000000000..c99e873c49
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/pkg-descr
@@ -0,0 +1,26 @@
+Zabbix is an enterprise-class open source distributed monitoring solution.
+
+Zabbix is software that monitors numerous parameters of a network and the
+health and integrity of servers. Zabbix uses a flexible notification
+mechanism that allows users to configure e-mail based alerts for virtually
+any event. This allows a fast reaction to server problems. Zabbix offers
+excellent reporting and data visualisation features based on the stored
+data. This makes Zabbix ideal for capacity planning.
+
+WWW: https://www.zabbix.com/
+
+Plugin Changelog
+----------------
+
+1.3
+
+* Switch to zabbix5-proxy
+
+1.2
+
+* Allow adding multiple listen addresses
+
+1.1
+
+* Add ProxyOfflineBuffer parameter
+* Switch to new service control UI
diff --git a/net-mgmt/zabbix5-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc b/net-mgmt/zabbix5-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
new file mode 100644
index 0000000000..d26017268a
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
@@ -0,0 +1,49 @@
+<?php
+
+/*
+    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function zabbixproxy_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (isset($config['OPNsense']['zabbixproxy']['general']['enabled']) && $config['OPNsense']['zabbixproxy']['general']['enabled'] == 1) {
+        $services[] = array(
+            'description' => gettext('Zabbix Proxy'),
+            'configd' => array(
+                'restart' => array('zabbixproxy restart'),
+                'start' => array('zabbixproxy start'),
+                'stop' => array('zabbixproxy stop'),
+            ),
+            'name' => 'zabbixproxy',
+            'pidfile' => '/var/run/zabbix/zabbix_proxy.pid'
+        );
+    }
+
+    return $services;
+}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
new file mode 100644
index 0000000000..7a930881dc
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Zabbixproxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Zabbixproxy\General';
+    protected static $internalModelName = 'general';
+}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
new file mode 100644
index 0000000000..d94f2a1ced
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Zabbixproxy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Zabbixproxy\General;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\Zabbixproxy
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Zabbixproxy\General';
+    protected static $internalServiceTemplate = 'OPNsense/Zabbixproxy';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'zabbixproxy';
+}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
new file mode 100644
index 0000000000..56e2667c7f
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Zabbixproxy;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->pick('OPNsense/Zabbixproxy/general');
+    }
+}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
new file mode 100644
index 0000000000..11de26c17b
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -0,0 +1,145 @@
+<form>
+    <field>
+        <id>general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>This will activate the Zabbix Proxy service.</help>
+    </field>
+    <field>
+        <id>general.proxymode</id>
+        <label>Proxy Mode</label>
+        <type>checkbox</type>
+        <help>Active (default) or passive mode, only switch to passive if you know what you are doing.</help>
+    </field>
+    <field>
+        <id>general.server</id>
+        <label>Server</label>
+        <type>text</type>
+        <help>IP address or hostname of Zabbix server.</help>
+    </field>
+    <field>
+        <id>general.serverport</id>
+        <label>Server Port</label>
+        <type>text</type>
+        <help>Port of Zabbix trapper on Zabbix server. Default is fine for most scenarios.</help>
+    </field>
+    <field>
+        <id>general.hostname</id>
+        <label>Hostname</label>
+        <type>text</type>
+        <help>The name of this Zabbix instance. It has to match with the defined name in the central Zabbix server.</help>
+    </field>
+    <field>
+        <id>general.listenip</id>
+        <label>Listen IP</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing.</help>
+    </field>
+    <field>
+        <id>general.listenport</id>
+        <label>Listen Port</label>
+        <type>text</type>
+        <help>Listen port for trapper. Default is just fine.</help>
+    </field>
+    <field>
+        <id>general.sourceip</id>
+        <label>Source IP</label>
+        <type>text</type>
+        <help>Source IP address for outgoing connections.</help>
+    </field>
+    <field>
+        <id>general.startpollers</id>
+        <label>Start Pollers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of pollers.</help>
+    </field>
+    <field>
+        <id>general.startipmipollers</id>
+        <label>Start IPMI Pollers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of IPMI pollers.</help>
+    </field>
+    <field>
+        <id>general.startpollersunreachable</id>
+        <label>Start Pollers Unreachable</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).</help>
+    </field>
+    <field>
+        <id>general.starttrappers</id>
+        <label>Start Trappers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of trappers. Trappers accept incoming connections from Zabbix sender and active agents.</help>
+    </field>
+    <field>
+        <id>general.startpingers</id>
+        <label>Start Pingers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of ICMP pingers.</help>
+    </field>
+    <field>
+        <id>general.startdiscoverers</id>
+        <label>Start Discoverers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of discoverers.</help>
+    </field>
+    <field>
+        <id>general.starthttppollers</id>
+        <label>Start HTTP Pollers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of HTTP pollers.</help>
+    </field>
+    <field>
+        <id>general.cachesize</id>
+        <label>Cache Size</label>
+        <type>text</type>
+        <help>Size of configuration cache, in bytes. Shared memory size, for storing hosts and items data. Range: 128K-8G</help>
+    </field>
+    <field>
+        <id>general.historycachesize</id>
+        <label>History Cache Size</label>
+        <type>text</type>
+        <help>Size of history cache in bytes. Shared memory size for storing history data. Range: 128K-2G</help>
+    </field>
+    <field>
+        <id>general.historyindexcachesize</id>
+        <label>History Index Cache Size</label>
+        <type>text</type>
+        <help>Size of history index cache in bytes. Shared memory size for indexing history cache. Range: 128K-2G</help>
+    </field>
+    <field>
+        <id>general.proxyofflinebuffer</id>
+        <label>Proxy Offline Buffer</label>
+        <type>text</type>
+        <help>Set the time in hours how long the values will be buffered when the server is unreachable.</help>
+    </field>
+    <field>
+        <id>general.timeout</id>
+        <label>Timeout</label>
+        <type>text</type>
+        <help>Specifies how long we wait for agent, SNMP device or external check (in seconds).</help>
+    </field>
+    <field>
+        <id>general.encryption</id>
+        <label>PSK based encryption</label>
+        <type>checkbox</type>
+        <help>Enable PSK based encryption for communicating with the Zabbix server</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.encryptionidentity</id>
+        <label>PSK Identity</label>
+        <type>text</type>
+        <help>The PSK identity configured on the Zabbix server</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.encryptionpsk</id>
+        <label>PSK</label>
+        <type>text</type>
+        <help>The PSK configured on the Zabbix server</help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
new file mode 100644
index 0000000000..6166a2c68d
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+   <page-services-zabbixproxy>
+      <name>Services: Zabbix Proxy</name>
+      <patterns>
+         <pattern>ui/zabbixproxy/*</pattern>
+         <pattern>api/zabbixproxy/*</pattern>
+      </patterns>
+   </page-services-zabbixproxy>
+</acl>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
new file mode 100644
index 0000000000..351dbd9db5
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Zabbixproxy;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
new file mode 100644
index 0000000000..b4955e3c85
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -0,0 +1,107 @@
+<model>
+    <mount>//OPNsense/zabbixproxy/general</mount>
+    <description>Zabbix Proxy configuration</description>
+    <version>2.0.2</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <proxymode type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </proxymode>
+        <server type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </server>
+        <serverport type="TextField">
+            <default>10051</default>
+            <Required>N</Required>
+        </serverport>
+        <hostname type="TextField">
+            <default>Zabbix proxy</default>
+            <Required>Y</Required>
+        </hostname>
+        <listenport type="TextField">
+            <default>10051</default>
+            <Required>N</Required>
+        </listenport>
+        <listenip type="NetworkField">
+            <default></default>
+            <FieldSeparator>,</FieldSeparator>
+            <asList>Y</asList>
+            <Required>N</Required>
+        </listenip>
+        <sourceip type="NetworkField">
+            <default></default>
+            <Required>N</Required>
+        </sourceip>
+        <startpollers type="TextField">
+            <default>5</default>
+            <Required>N</Required>
+        </startpollers>
+        <startipmipollers type="IntegerField">
+            <default>0</default>
+            <Required>N</Required>
+        </startipmipollers>
+        <startpollersunreachable type="IntegerField">
+            <default>1</default>
+            <Required>N</Required>
+        </startpollersunreachable>
+        <starttrappers type="IntegerField">
+            <default>5</default>
+            <Required>N</Required>
+        </starttrappers>
+        <startpingers type="IntegerField">
+            <default>1</default>
+            <Required>N</Required>
+        </startpingers>
+        <startdiscoverers type="IntegerField">
+            <default>1</default>
+            <Required>N</Required>
+        </startdiscoverers>
+        <starthttppollers type="IntegerField">
+            <default>1</default>
+            <Required>N</Required>
+        </starthttppollers>
+        <cachesize type="TextField">
+            <default>8M</default>
+            <Required>N</Required>
+        </cachesize>
+        <historycachesize type="TextField">
+            <default>16M</default>
+            <Required>N</Required>
+        </historycachesize>
+        <historyindexcachesize type="TextField">
+            <default>4M</default>
+            <Required>N</Required>
+        </historyindexcachesize>
+        <proxyofflinebuffer type="IntegerField">
+            <Required>N</Required>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>720</MaximumValue>
+            <ValidationMessage>Set a number between 1 and 720.</ValidationMessage>
+        </proxyofflinebuffer>
+        <timeout type="IntegerField">
+            <default>4</default>
+            <Required>N</Required>
+        </timeout>
+        <encryption type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </encryption>
+        <encryptionidentity type="TextField">
+            <default></default>
+            <Required>N</Required>
+            <mask>/^.{1,128}$/</mask>
+            <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
+        </encryptionidentity>
+        <encryptionpsk type="TextField">
+            <default></default>
+            <Required>N</Required>
+            <mask>/^[A-Fa-f0-9]{32,512}$/</mask>
+            <ValidationMessage>Should be a hexadecimal string between 32 and 512 characters.</ValidationMessage>
+        </encryptionpsk>
+    </items>
+</model>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
new file mode 100644
index 0000000000..7b53017433
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
@@ -0,0 +1,5 @@
+<menu>
+  <Services>
+    <Zabbixproxy VisibleName="Zabbix Proxy" cssClass="fa fa-eye" url="/ui/zabbixproxy/general/index" />
+  </Services>
+</menu>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
new file mode 100644
index 0000000000..0d5bef3833
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
@@ -0,0 +1,60 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+This file is Copyright © 2019 by Michael Muenz <m.muenz@gmail.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+    <div class="col-md-12">
+        <hr />
+        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
+</div>
+
+<script>
+    $( document ).ready(function() {
+        var data_get_map = {'frm_general_settings':"/api/zabbixproxy/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        updateServiceControlUI('zabbixproxy');
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint(url="/api/zabbixproxy/general/set", formid='frm_general_settings',callback_ok=function(){
+                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+                ajaxCall(url="/api/zabbixproxy/service/reconfigure", sendData={}, callback=function(data,status) {
+                    ajaxCall(url="/api/zabbixproxy/service/status", sendData={}, callback=function(data,status) {
+                        updateServiceControlUI('zabbixproxy');
+                        });
+                        $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+    });
+</script>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
new file mode 100644
index 0000000000..ba95dc0f4c
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Setup database directory
+mkdir -p /var/db/zabbix
+chown -R zabbix:zabbix /var/db/zabbix
+chmod 755 /var/db/zabbix
+
+# Setup logging
+mkdir /var/log/zabbix
+chown -R zabbix:zabbix /var/log/zabbix
+chmod 770 /var/log/zabbix
+
+# Setup PID directory
+mkdir -p /var/run/zabbix
+chown -R zabbix:zabbix /var/run/zabbix
+chmod 755 /var/run/zabbix
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf b/net-mgmt/zabbix5-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
new file mode 100644
index 0000000000..7904a14457
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
@@ -0,0 +1,23 @@
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy start
+parameters:
+type:script
+message:starting Zabbix Proxy
+
+[stop]
+command:/usr/local/etc/rc.d/zabbix_proxy stop; exit 0
+parameters:
+type:script
+message:stopping Zabbix Proxy
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy restart
+parameters:
+type:script
+message:restarting Zabbix Proxy
+
+[status]
+command:/usr/local/etc/rc.d/zabbix_proxy status;exit 0
+parameters:
+type:script_output
+message:request Zabbix Proxy status
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
new file mode 100644
index 0000000000..b797902b6f
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
@@ -0,0 +1,3 @@
+zabbix_proxy:/etc/rc.conf.d/zabbix_proxy
+zabbix_proxy.conf:/usr/local/etc/zabbix5/zabbix_proxy.conf
+zabbix_proxy.psk:/usr/local/etc/zabbix5/zabbix_proxy.psk
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
new file mode 100644
index 0000000000..f9c1bb348a
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
@@ -0,0 +1,6 @@
+{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
+zabbix_proxy_var_script="/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh"
+zabbix_proxy_enable="YES"
+{% else %}
+zabbix_proxy_enable="NO"
+{% endif %}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
new file mode 100644
index 0000000000..31e1e31edd
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
@@ -0,0 +1,76 @@
+{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
+
+{% if helpers.exists('OPNsense.zabbixproxy.general.proxymode') and OPNsense.zabbixproxy.general.proxymode == '1' %}
+ProxyMode=1
+{% else %}
+ProxyMode=0
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.server') and OPNsense.zabbixproxy.general.server != '' %}
+Server={{ OPNsense.zabbixproxy.general.server }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.serverport') and OPNsense.zabbixproxy.general.serverport != '' %}
+ServerPort={{ OPNsense.zabbixproxy.general.serverport }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.hostname') and OPNsense.zabbixproxy.general.hostname != '' %}
+Hostname={{ OPNsense.zabbixproxy.general.hostname }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.listenport') and OPNsense.zabbixproxy.general.listenport != '' %}
+ListenPort={{ OPNsense.zabbixproxy.general.listenport }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.sourceip') and OPNsense.zabbixproxy.general.sourceip != '' %}
+SourceIP={{ OPNsense.zabbixproxy.general.sourceip }}
+{% endif %}
+LogFile=/var/log/zabbix/zabbix_proxy.log
+PidFile=/var/run/zabbix/zabbix_proxy.pid
+DBName=/var/db/zabbix/zabbix_proxy.db
+{% if helpers.exists('OPNsense.zabbixproxy.general.proxyofflinebuffer') and OPNsense.zabbixproxy.general.proxyofflinebuffer != '' %}
+ProxyOfflineBuffer={{ OPNsense.zabbixproxy.general.proxyofflinebuffer }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startpollers') and OPNsense.zabbixproxy.general.startpollers != '' %}
+StartPollers={{ OPNsense.zabbixproxy.general.startpollers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startipmipollers') and OPNsense.zabbixproxy.general.startipmipollers != '' %}
+StartIPMIPollers={{ OPNsense.zabbixproxy.general.startipmipollers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startpollersunreachable') and OPNsense.zabbixproxy.general.startpollersunreachable != '' %}
+StartPollersUnreachable={{ OPNsense.zabbixproxy.general.startpollersunreachable }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.starttrappers') and OPNsense.zabbixproxy.general.starttrappers != '' %}
+StartTrappers={{ OPNsense.zabbixproxy.general.starttrappers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startpingers') and OPNsense.zabbixproxy.general.startpingers != '' %}
+StartPingers={{ OPNsense.zabbixproxy.general.startpingers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startdiscoverers') and OPNsense.zabbixproxy.general.startdiscoverers != '' %}
+StartDiscoverers={{ OPNsense.zabbixproxy.general.startdiscoverers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.starthttppollers') and OPNsense.zabbixproxy.general.starthttppollers != '' %}
+StartHTTPPollers={{ OPNsense.zabbixproxy.general.starthttppollers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.listenip') and OPNsense.zabbixproxy.general.listenip != '' %}
+ListenIP={{ OPNsense.zabbixproxy.general.listenip }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.cachesize') and OPNsense.zabbixproxy.general.cachesize != '' %}
+CacheSize={{ OPNsense.zabbixproxy.general.cachesize }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.historycachesize') and OPNsense.zabbixproxy.general.historycachesize != '' %}
+HistoryCacheSize={{ OPNsense.zabbixproxy.general.historycachesize }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.historyindexcachesize') and OPNsense.zabbixproxy.general.historyindexcachesize != '' %}
+HistoryIndexCacheSize={{ OPNsense.zabbixproxy.general.historyindexcachesize }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.timeout') and OPNsense.zabbixproxy.general.timeout != '' %}
+Timeout={{ OPNsense.zabbixproxy.general.timeout }}
+{% endif %}
+FpingLocation=/usr/local/sbin/fping
+Fping6Location=/usr/local/sbin/fping6
+{% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.proxymode') and OPNsense.zabbixproxy.general.proxymode == '1' %}
+TLSAccept=psk
+{% else %}
+TLSConnect=psk
+{% endif %}
+TLSPSKFile=/usr/local/etc/zabbix5/zabbix_proxy.psk
+TLSPSKIdentity={{ OPNsense.zabbixproxy.general.encryptionidentity }}
+{% endif %}
+{% endif %}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk
new file mode 100644
index 0000000000..1e53053b50
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}
+{{ OPNsense.zabbixproxy.general.encryptionpsk }}
+{% endif %}
+{% endif %}

From cf2f47d3c96b5920897f394ad330e4410dad8521 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sun, 26 Jul 2020 07:29:38 +0200
Subject: [PATCH 0168/3088] net/chrony: New plugin (#1871)

---
 net/chrony/Makefile                           |  8 +++
 net/chrony/pkg-descr                          | 14 +++++
 .../src/etc/inc/plugins.inc.d/chrony.inc      | 49 ++++++++++++++++
 .../OPNsense/Chrony/Api/GeneralController.php | 37 ++++++++++++
 .../OPNsense/Chrony/Api/ServiceController.php | 39 +++++++++++++
 .../OPNsense/Chrony/GeneralController.php     | 38 ++++++++++++
 .../OPNsense/Chrony/forms/general.xml         | 30 ++++++++++
 .../app/models/OPNsense/Chrony/ACL/ACL.xml    |  9 +++
 .../app/models/OPNsense/Chrony/General.php    | 35 +++++++++++
 .../app/models/OPNsense/Chrony/General.xml    | 26 +++++++++
 .../app/models/OPNsense/Chrony/Menu/Menu.xml  |  7 +++
 .../app/views/OPNsense/Chrony/general.volt    | 58 +++++++++++++++++++
 .../opnsense/scripts/OPNsense/Chrony/setup.sh |  5 ++
 .../conf/actions.d/actions_chrony.conf        | 23 ++++++++
 .../templates/OPNsense/Chrony/+TARGETS        |  2 +
 .../templates/OPNsense/Chrony/chrony.conf     | 19 ++++++
 .../service/templates/OPNsense/Chrony/chronyd |  7 +++
 17 files changed, 406 insertions(+)
 create mode 100644 net/chrony/Makefile
 create mode 100644 net/chrony/pkg-descr
 create mode 100644 net/chrony/src/etc/inc/plugins.inc.d/chrony.inc
 create mode 100644 net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/GeneralController.php
 create mode 100644 net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/ServiceController.php
 create mode 100644 net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/GeneralController.php
 create mode 100644 net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
 create mode 100644 net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/ACL/ACL.xml
 create mode 100644 net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.php
 create mode 100644 net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
 create mode 100644 net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/Menu/Menu.xml
 create mode 100644 net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
 create mode 100644 net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh
 create mode 100644 net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
 create mode 100644 net/chrony/src/opnsense/service/templates/OPNsense/Chrony/+TARGETS
 create mode 100644 net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
 create mode 100644 net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
new file mode 100644
index 0000000000..2ca167d2e0
--- /dev/null
+++ b/net/chrony/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		chrony
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		Chrony time synchronisation
+PLUGIN_DEPENDS=		chrony
+PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_DEVEL=       yes
+
+.include "../../Mk/plugins.mk"
diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr
new file mode 100644
index 0000000000..0fd3f4ae53
--- /dev/null
+++ b/net/chrony/pkg-descr
@@ -0,0 +1,14 @@
+An alternative to native ntpd daemon. In some edge cases chrony works 
+better in virtual environments. 
+
+Plugin Changelog
+----------------
+
+1.0
+
+* Allow to adjust the listening port
+* Allow setting of up to three peers
+* Use of allowed networks 
+
+
+WWW: https://chrony.tuxfamily.org/
diff --git a/net/chrony/src/etc/inc/plugins.inc.d/chrony.inc b/net/chrony/src/etc/inc/plugins.inc.d/chrony.inc
new file mode 100644
index 0000000000..36af05a37a
--- /dev/null
+++ b/net/chrony/src/etc/inc/plugins.inc.d/chrony.inc
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function chrony_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (isset($config['OPNsense']['chrony']['general']['enabled']) && $config['OPNsense']['chrony']['general']['enabled'] == 1) {
+        $services[] = array(
+            'description' => gettext('chrony daemon'),
+            'configd' => array(
+                'restart' => array('chrony restart'),
+                'start' => array('chrony start'),
+                'stop' => array('chrony stop'),
+            ),
+            'name' => 'chronyd',
+            'pidfile' => '/var/run/chrony/chronyd.pid'
+        );
+    }
+
+    return $services;
+}
diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/GeneralController.php b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/GeneralController.php
new file mode 100644
index 0000000000..d96f5a1213
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/GeneralController.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Chrony\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Chrony\General';
+    protected static $internalModelName = 'general';
+}
diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/ServiceController.php b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/ServiceController.php
new file mode 100644
index 0000000000..d441d9dc68
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/ServiceController.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Chrony\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Chrony\General';
+    protected static $internalServiceTemplate = 'OPNsense/Chrony';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'chrony';
+}
diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/GeneralController.php b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/GeneralController.php
new file mode 100644
index 0000000000..faa214b6a0
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/GeneralController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Chrony;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm('general');
+        $this->view->pick('OPNsense/Chrony/general');
+    }
+}
diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
new file mode 100644
index 0000000000..ee8d8326c2
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
@@ -0,0 +1,30 @@
+<form>
+    <field>
+        <id>general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable Chrony time daemon.</help>
+    </field>
+    <field>
+        <id>general.port</id>
+        <label>Listen Port</label>
+        <type>text</type>
+        <help>Set the port chrony listen to.</help>
+    </field>
+    <field>
+        <id>general.peers</id>
+        <label>NTP Peers</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>Set as many NTP peers you need.</help>
+    </field>
+    <field>
+        <id>general.allowednetworks</id>
+        <label>Allowed Networks</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>Set the networks allowed to synchronize time with this server. If this value is not set it will also not listen to the port and just synchronize the time for itself.</help>
+    </field>
+</form>
diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/ACL/ACL.xml b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/ACL/ACL.xml
new file mode 100644
index 0000000000..ece3f4af8e
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+   <page-services-chrony>
+      <name>Services: Chrony</name>
+      <patterns>
+         <pattern>ui/chrony/*</pattern>
+         <pattern>api/chrony/*</pattern>
+      </patterns>
+   </page-services-chrony>
+</acl>
diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.php b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.php
new file mode 100644
index 0000000000..ddbdd9413e
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Chrony;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
new file mode 100644
index 0000000000..30b99eb530
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
@@ -0,0 +1,26 @@
+<model>
+    <mount>//OPNsense/chrony/general</mount>
+    <description>Chrony configuration</description>
+    <version>0.0.1</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <port type="PortField">
+            <default>323</default>
+            <Required>Y</Required>
+        </port>
+        <peers type="HostnameField">
+            <default>0.opnsense.pool.ntp.org</default>
+            <Required>Y</Required>
+            <FieldSeparator>,</FieldSeparator>
+            <asList>Y</asList>
+        </peers>
+        <allowednetworks type="NetworkField">
+            <Required>N</Required>
+            <FieldSeparator>,</FieldSeparator>
+            <asList>Y</asList>
+        </allowednetworks>
+    </items>
+</model>
diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/Menu/Menu.xml b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/Menu/Menu.xml
new file mode 100644
index 0000000000..e11f5fe9cb
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/Menu/Menu.xml
@@ -0,0 +1,7 @@
+<menu>
+  <Services>
+    <Chrony cssClass="fa fa-clock-o">
+      <General url="/ui/chrony/general/index"/>
+    </Chrony>
+  </Services>
+</menu>
diff --git a/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt b/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
new file mode 100644
index 0000000000..be8b75de22
--- /dev/null
+++ b/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
@@ -0,0 +1,58 @@
+{#
+ # Copyright (c) 2019 Deciso B.V.
+ # Copyright (c) 2020 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+    <div class="col-md-12">
+        <hr />
+        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
+</div>
+
+<script>
+    $(function() {
+        var data_get_map = {'frm_general_settings':"/api/chrony/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+     updateServiceControlUI('chrony');
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint(url="/api/chrony/general/set", formid='frm_general_settings',callback_ok=function(){
+                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+                ajaxCall(url="/api/chrony/service/reconfigure", sendData={}, callback=function(data,status) {
+                    updateServiceControlUI('chrony');
+                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+
+    });
+</script>
diff --git a/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh b/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh
new file mode 100644
index 0000000000..ddc03d6a0c
--- /dev/null
+++ b/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+mkdir -p /var/db/chrony/ /var/run/chrony/
+chown -R chronyd:chronyd /var/db/chrony/ /var/run/chrony/
+chmod 750 /var/db/chrony/ /var/run/chrony/
diff --git a/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf b/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
new file mode 100644
index 0000000000..dd50d41c47
--- /dev/null
+++ b/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
@@ -0,0 +1,23 @@
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/Chrony/setup.sh;/usr/local/etc/rc.d/chronyd start
+parameters:
+type:script
+message:starting chrony
+
+[stop]
+command:/usr/local/etc/rc.d/chronyd stop
+parameters:
+type:script
+message:stopping chrony
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/Chrony/setup.sh;/usr/local/etc/rc.d/chronyd restart
+parameters:
+type:script
+message:restarting chrony
+
+[status]
+command:/usr/local/etc/rc.d/chronyd status;exit 0
+parameters:
+type:script_output
+message:request chrony status
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/+TARGETS b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/+TARGETS
new file mode 100644
index 0000000000..a0947f1901
--- /dev/null
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/+TARGETS
@@ -0,0 +1,2 @@
+chronyd:/etc/rc.conf.d/chronyd
+chrony.conf:/usr/local/etc/chrony.conf
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
new file mode 100644
index 0000000000..38397c3a6f
--- /dev/null
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
@@ -0,0 +1,19 @@
+{% if helpers.exists('OPNsense.chrony.general.enabled') and OPNsense.chrony.general.enabled == '1' %}
+
+port {{ OPNsense.chrony.general.port }}
+driftfile /var/db/chrony/drift
+pidfile /var/run/chrony/chronyd.pid
+
+{%   if not helpers.empty('OPNsense.chrony.general.peers') %}
+{%     for peer in OPNsense.chrony.general.peers.split(',') %}
+server {{ peer }} iburst
+{%     endfor %}
+{%   endif %}
+
+{%   if not helpers.empty('OPNsense.chrony.general.allowednetworks') %}
+{%     for network in OPNsense.chrony.general.allowednetworks.split(',') %}
+allow {{ network }}
+{%     endfor %}
+{%   endif %}
+
+{% endif %}
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd
new file mode 100644
index 0000000000..2faa5b55bc
--- /dev/null
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd
@@ -0,0 +1,7 @@
+{% if helpers.exists('OPNsense.chrony.general.enabled') and OPNsense.chrony.general.enabled == '1' %}
+chronyd_var_script="/usr/local/opnsense/scripts/OPNsense/Chrony/setup.sh"
+chronyd_enable="YES"
+{% else %}
+chronyd_enable="NO"
+{% endif %}
+chronyd_var_mfs="/var/db/chronyd /var/run/chronyd"

From 23dcff078a4ba0e40b98231b8fde23b75ee41daf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 26 Jul 2020 07:30:52 +0200
Subject: [PATCH 0169/3088] net/chrony|net-mgmt/zabbix5-proxy: whitespace sweep
 and sync

---
 README.md                                                   | 2 ++
 .../src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh      | 0
 net/chrony/pkg-descr                                        | 6 +++---
 net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh    | 0
 4 files changed, 5 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
 mode change 100644 => 100755 net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh

diff --git a/README.md b/README.md
index 6d6a923032..9ae4e6a7a7 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,8 @@ net-mgmt/nrpe -- Execute nagios plugins
 net-mgmt/telegraf -- Agent for collecting metrics and data
 net-mgmt/zabbix-agent -- Zabbix monitoring agent
 net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
+net-mgmt/zabbix5-proxy -- Zabbix Proxy enables decentralized monitoring
+net/chrony -- Chrony time synchronisation (development only)
 net/firewall -- Firewall API supplemental package
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
old mode 100644
new mode 100755
diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr
index 0fd3f4ae53..de8195fad6 100644
--- a/net/chrony/pkg-descr
+++ b/net/chrony/pkg-descr
@@ -1,5 +1,5 @@
-An alternative to native ntpd daemon. In some edge cases chrony works 
-better in virtual environments. 
+An alternative to native ntpd daemon. In some edge cases chrony works
+better in virtual environments.
 
 Plugin Changelog
 ----------------
@@ -8,7 +8,7 @@ Plugin Changelog
 
 * Allow to adjust the listening port
 * Allow setting of up to three peers
-* Use of allowed networks 
+* Use of allowed networks
 
 
 WWW: https://chrony.tuxfamily.org/
diff --git a/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh b/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh
old mode 100644
new mode 100755

From d90832d346c023ebab34c8fd535f521c79811fe9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 26 Jul 2020 17:09:43 +0200
Subject: [PATCH 0170/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index b07f11984d..13cc033de8 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		2.23
+PLUGIN_VERSION=		2.24
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 903e64c4481f0c4eae239d41f4dd91130a911684 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 26 Jul 2020 17:51:56 +0200
Subject: [PATCH 0171/3088] net/haproxy: add http-[request|response] set-var,
 refs #1796

---
 .../OPNsense/HAProxy/forms/dialogAction.xml   | 44 +++++++++++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 42 +++++++++++++++++-
 .../templates/OPNsense/HAProxy/haproxy.conf   | 14 ++++++
 3 files changed, 99 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 5a7881def1..c10565e9f3 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -203,6 +203,28 @@
         <type>text</type>
         <help><![CDATA[Rewrites the request path. The query string, if any, is left intact. If a scheme and authority is found before the path, they are left intact as well.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_http-request_set-var</style>
+    </field>
+    <field>
+        <id>action.http_request_set_var_scope</id>
+        <label>Variable Scope</label>
+        <type>dropdown</type>
+        <help><![CDATA[The name of the variable starts with an indication about its scope.]]></help>
+    </field>
+    <field>
+        <id>action.http_request_set_var_name</id>
+        <label>Variable Name</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>action.http_request_set_var_expr</id>
+        <label>Expression</label>
+        <type>text</type>
+        <help><![CDATA[A standard HAProxy expression formed by a sample-fetch followed by some converters.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
@@ -310,6 +332,28 @@
         <type>text</type>
         <help><![CDATA[An optional custom reason text for the HTTP status code. If empty the default reason for the specified code will be used.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_http-response_set-var</style>
+    </field>
+    <field>
+        <id>action.http_response_set_var_scope</id>
+        <label>Variable Scope</label>
+        <type>dropdown</type>
+        <help><![CDATA[The name of the variable starts with an indication about its scope.]]></help>
+    </field>
+    <field>
+        <id>action.http_response_set_var_name</id>
+        <label>Variable Name</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>action.http_response_set_var_expr</id>
+        <label>Expression</label>
+        <type>text</type>
+        <help><![CDATA[A standard HAProxy expression formed by a sample-fetch followed by some converters.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index e06699a610..d7968fcdf3 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1829,6 +1829,7 @@
                         <http-request_replace-header>http-request header replace</http-request_replace-header>
                         <http-request_replace-value>http-request header replace value</http-request_replace-value>
                         <http-request_set-path>http-request set-path</http-request_set-path>
+                        <http-request_set-var>http-request set-var</http-request_set-var>
                         <http-response_allow>http-response allow</http-response_allow>
                         <http-response_deny>http-response deny</http-response_deny>
                         <http-response_lua>http-response lua script</http-response_lua>
@@ -1837,7 +1838,8 @@
                         <http-response_del-header>http-response header delete</http-response_del-header>
                         <http-response_replace-header>http-response header replace</http-response_replace-header>
                         <http-response_replace-value>http-response header replace value</http-response_replace-value>
-                        <http-response_set-status>Set HTTP status code in response</http-response_set-status>
+                        <http-response_set-status>http-response set-status</http-response_set-status>
+                        <http-response_set-var>http-response set-var</http-response_set-var>
                         <tcp-request_connection_accept>tcp-request connection accept</tcp-request_connection_accept>
                         <tcp-request_connection_reject>tcp-request connection reject</tcp-request_connection_reject>
                         <tcp-request_content_accept>tcp-request content accept</tcp-request_content_accept>
@@ -1934,6 +1936,25 @@
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
                 </http_request_set_path>
+                <http_request_set_var_scope type="OptionField">
+                    <Required>N</Required>
+                    <default>txn</default>
+                    <OptionValues>
+                        <proc>variable is shared with the whole process</proc>
+                        <sess>variable is shared with the whole session</sess>
+                        <txn>variable is shared with the transaction (request/response)</txn>
+                        <req>variable is shared only during request processing</req>
+                        <res>variable is shared only during response processing</res>
+                    </OptionValues>
+                </http_request_set_var_scope>
+                <http_request_set_var_name type="TextField">
+                    <mask>/^.{1,4096}$/u</mask>
+                    <Required>N</Required>
+                </http_request_set_var_name>
+                <http_request_set_var_expr type="TextField">
+                    <mask>/^.{1,4096}$/u</mask>
+                    <Required>N</Required>
+                </http_request_set_var_expr>
                 <http_response_lua type="TextField">
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
@@ -1984,6 +2005,25 @@
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
                 </http_response_set_status_reason>
+                <http_response_set_var_scope type="OptionField">
+                    <Required>N</Required>
+                    <default>txn</default>
+                    <OptionValues>
+                        <proc>variable is shared with the whole process</proc>
+                        <sess>variable is shared with the whole session</sess>
+                        <txn>variable is shared with the transaction (request/response)</txn>
+                        <req>variable is shared only during request processing</req>
+                        <res>variable is shared only during response processing</res>
+                    </OptionValues>
+                </http_response_set_var_scope>
+                <http_response_set_var_name type="TextField">
+                    <mask>/^.{1,4096}$/u</mask>
+                    <Required>N</Required>
+                </http_response_set_var_name>
+                <http_response_set_var_expr type="TextField">
+                    <mask>/^.{1,4096}$/u</mask>
+                    <Required>N</Required>
+                </http_response_set_var_expr>
                 <tcp_request_content_lua type="TextField">
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index bb61aa948d..f1abab9d01 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -415,6 +415,13 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
+{%         elif action_data.type == 'http-request_set-var' %}
+{%           if action_data.http_request_set_var_scope|default("") != "" and action_data.http_request_set_var_name|default("") != "" and action_data.http_request_set_var_expr|default("") != "" %}
+{%             do action_options.append('http-request set-var(' ~ action_data.http_request_set_var_scope ~ '.' ~ action_data.http_request_set_var_name ~ ') ' ~ action_data.http_request_set_var_expr) %}
+{%           else %}
+{%             set action_enabled = '0' %}
+    # ERROR: missing parameters
+{%           endif %}
 {%         elif action_data.type == 'http-response_allow' %}
 {%           do action_options.append('http-response allow') %}
 {%         elif action_data.type == 'http-response_deny' %}
@@ -473,6 +480,13 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
+{%         elif action_data.type == 'http-response_set-var' %}
+{%           if action_data.http_response_set_var_scope|default("") != "" and action_data.http_response_set_var_name|default("") != "" and action_data.http_response_set_var_expr|default("") != "" %}
+{%             do action_options.append('http-response set-var(' ~ action_data.http_response_set_var_scope ~ '.' ~ action_data.http_response_set_var_name ~ ') ' ~ action_data.http_response_set_var_expr) %}
+{%           else %}
+{%             set action_enabled = '0' %}
+    # ERROR: missing parameters
+{%           endif %}
 {%         elif action_data.type == 'tcp-request_connection_accept' %}
 {%           do action_options.append('tcp-request connection accept') %}
 {%         elif action_data.type == 'tcp-request_connection_reject' %}

From d7be04b57e2f4959e253510c4ba7e2634c06d8ef Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 26 Jul 2020 23:23:07 +0200
Subject: [PATCH 0172/3088] net/haproxy: allow to add groups as userlists, refs
 #1796

---
 .../OPNsense/HAProxy/forms/dialogGroup.xml    |  6 +++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  6 ++-
 .../templates/OPNsense/HAProxy/haproxy.conf   | 42 ++++++++++++++-----
 3 files changed, 42 insertions(+), 12 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogGroup.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogGroup.xml
index d868a472db..dd8956ffbd 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogGroup.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogGroup.xml
@@ -24,4 +24,10 @@
         <allownew>true</allownew>
         <hint>Type username or choose from list.</hint>
     </field>
+    <field>
+        <id>group.add_userlist</id>
+        <label>Add userlist</label>
+        <type>checkbox</type>
+        <help>Usually HAproxy userlists are created automatically in a context sensitive way. This option adds this group as userlist, so that it can be referenced in rules/conditions. All special and non-alphanumeric characters will be removed from the userlist name.</help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index d7968fcdf3..584a74bba8 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>2.8.0</version>
+    <version>2.9.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -2219,6 +2219,10 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </members>
+                <add_userlist type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </add_userlist>
             </group>
         </groups>
         <users>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index f1abab9d01..ac4f9d2003 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -729,7 +729,7 @@
 {%       endif %}
 {%     endfor %}
 {%   else %}
-    # WARNING: UserlistAddUsers called with empty user data
+    # NOTE: UserlistAddUsers called with empty user data
 {%   endif %}
 {#   # process all group members #}
 {%   if linkedGroupData is defined %}
@@ -758,20 +758,32 @@
 {%       endif %}
 {%     endfor %}
 {%   else %}
-    # WARNING: UserlistAddUsers called with empty group data
+    # NOTE: UserlistAddUsers called with empty group data
 {%   endif %}
 {%- endmacro %}
 
-{# Macro expects a backend or frontend object. #}
-{% macro AddUserlist(proxy) -%}
-{%   if proxy is defined %}
-{%     if (proxy.enabled|default("") == '1' and proxy.mode|default("") == 'http' and proxy.basicAuthEnabled|default("") == '1') %}
+{# Macro expects a backend/frontend (type 1) or group object (type 2). #}
+{% macro AddUserlist(type,object) -%}
+{%   if (type == '1' and object is defined) %}
+{#     # frontend/backend object #}
+{%     if (object.enabled|default("") == '1' and object.mode|default("") == 'http' and object.basicAuthEnabled|default("") == '1') %}
 {#       # call macro to generate list of unique users #}
-{%       set userlist_result = UserlistAddUsers(proxy.basicAuthUsers,proxy.basicAuthGroups) %}
+{%       set userlist_result = UserlistAddUsers(object.basicAuthUsers,object.basicAuthGroups) %}
 {#       # check result, skip when empty #}
 {%       if (userlist_result is defined and userlist_result|default("") != "" )%}
-userlist list_{{proxy.id}}
-    # Origin: {{proxy.name}}
+userlist list_{{object.id}}
+    # Origin: {{object.name}}
+{{userlist_result}}
+{%       endif %}
+{%     endif %}
+{%   elif (type == '2' and object is defined) %}
+{#     # group object #}
+{%     if (object.enabled|default("") == '1' and object.add_userlist|default("") == '1') %}
+{#       # call macro to generate list of unique users #}
+{%       set userlist_result = UserlistAddUsers(object.members) %}
+{#       # check result, skip when empty #}
+{%       if (userlist_result is defined and userlist_result|default("") != "" ) %}
+userlist {{object.name | regex_replace ("[^A-Za-z0-9]","")}}
 {{userlist_result}}
 {%       endif %}
 {%     endif %}
@@ -951,17 +963,25 @@ userlist acl_{{acl.id}}
 {%   endfor %}
 {% endif %}
 
+{% if helpers.exists('OPNsense.HAProxy.groups') %}
+# userlists generated from groups
+{%   for group in helpers.toList('OPNsense.HAProxy.groups.group') %}
+{#     # call macro to generate userlist #}
+{{     AddUserlist('2',group) -}}
+{%   endfor %}
+{% endif %}
+
 # autogenerated entries for config in backends/frontends
 {% if helpers.exists('OPNsense.HAProxy.frontends') %}
 {%   for frontend in helpers.toList('OPNsense.HAProxy.frontends.frontend') %}
 {#     # call macro to generate userlist #}
-{{     AddUserlist(frontend) -}}
+{{     AddUserlist('1',frontend) -}}
 {%   endfor %}
 {% endif %}
 {% if helpers.exists('OPNsense.HAProxy.backends') %}
 {%   for backend in helpers.toList('OPNsense.HAProxy.backends.backend') %}
 {#     # call macro to generate userlist #}
-{{     AddUserlist(backend) -}}
+{{     AddUserlist('1',backend) -}}
 {%   endfor %}
 {% endif %}
 

From 03764dfc7419a2c69f5e79c74018e79519fc67e9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Jul 2020 10:50:57 +0200
Subject: [PATCH 0173/3088] plugins: switch to 20.7 development

---
 LICENSE                                       |   3 +-
 Mk/defaults.mk                                |   2 +-
 README.md                                     |   4 -
 dns/unbound-plus/Makefile                     |   7 -
 dns/unbound-plus/pkg-descr                    |  16 -
 .../Unboundplus/Api/DnsblController.php       |  37 --
 .../Api/MiscellaneousController.php           |  37 --
 .../Unboundplus/Api/ServiceController.php     |  62 --
 .../OPNsense/Unboundplus/DnsblController.php  |  38 --
 .../Unboundplus/MiscellaneousController.php   |  38 --
 .../OPNsense/Unboundplus/forms/dnsbl.xml      |  30 -
 .../Unboundplus/forms/miscellaneous.xml       |  18 -
 .../models/OPNsense/Unboundplus/ACL/ACL.xml   |   9 -
 .../app/models/OPNsense/Unboundplus/Dnsbl.php |  35 --
 .../app/models/OPNsense/Unboundplus/Dnsbl.xml |  47 --
 .../models/OPNsense/Unboundplus/Menu/Menu.xml |   8 -
 .../OPNsense/Unboundplus/Miscellaneous.php    |  35 --
 .../OPNsense/Unboundplus/Miscellaneous.xml    |  14 -
 .../app/views/OPNsense/Unboundplus/dnsbl.volt |  54 --
 .../OPNsense/Unboundplus/miscellaneous.volt   |  54 --
 .../scripts/OPNsense/Unboundplus/dnsbl.py     | 197 ------
 .../conf/actions.d/actions_unboundplus.conf   |   6 -
 .../templates/OPNsense/Unboundplus/+TARGETS   |   5 -
 .../templates/OPNsense/Unboundplus/dnsbl.inc  |   5 -
 .../templates/OPNsense/Unboundplus/dot.conf   |  10 -
 .../templates/OPNsense/Unboundplus/lists.inc  |   5 -
 .../OPNsense/Unboundplus/miscellaneous.conf   |   6 -
 .../OPNsense/Unboundplus/whitelist.inc        |   5 -
 net/l2tp/Makefile                             |   7 -
 net/l2tp/pkg-descr                            |  16 -
 .../src/etc/inc/plugins.inc.d/if_l2tp.inc     | 279 ---------
 .../mvc/app/models/OPNsense/L2TP/ACL/ACL.xml  |  26 -
 .../app/models/OPNsense/L2TP/Menu/Menu.xml    |  13 -
 net/l2tp/src/www/diag_logs_template_l2tp.inc  | 117 ----
 net/l2tp/src/www/vpn_l2tp.php                 | 345 -----------
 net/l2tp/src/www/vpn_l2tp_log.inc             | 120 ----
 net/l2tp/src/www/vpn_l2tp_log.php             |  26 -
 net/l2tp/src/www/vpn_l2tp_users.php           | 141 -----
 net/l2tp/src/www/vpn_l2tp_users_edit.php      | 206 -------
 net/pppoe/Makefile                            |   7 -
 net/pppoe/pkg-descr                           |  16 -
 .../src/etc/inc/plugins.inc.d/if_pppoe.inc    | 328 ----------
 .../mvc/app/models/OPNsense/PPPoE/ACL/ACL.xml |  20 -
 .../app/models/OPNsense/PPPoE/Menu/Menu.xml   |  12 -
 .../src/www/diag_logs_template_pppoe.inc      | 117 ----
 net/pppoe/src/www/vpn_pppoe.php               | 153 -----
 net/pppoe/src/www/vpn_pppoe_edit.php          | 560 ------------------
 net/pppoe/src/www/vpn_pppoe_log.inc           | 120 ----
 net/pppoe/src/www/vpn_pppoe_log.php           |  24 -
 net/pptp/Makefile                             |   7 -
 net/pptp/pkg-descr                            |  16 -
 .../src/etc/inc/plugins.inc.d/if_pptp.inc     | 306 ----------
 .../mvc/app/models/OPNsense/PPTP/ACL/ACL.xml  |  26 -
 .../app/models/OPNsense/PPTP/Menu/Menu.xml    |  13 -
 net/pptp/src/www/diag_logs_template_pptp.inc  | 117 ----
 net/pptp/src/www/vpn_pptp.php                 | 418 -------------
 net/pptp/src/www/vpn_pptp_log.inc             | 120 ----
 net/pptp/src/www/vpn_pptp_log.php             |  26 -
 net/pptp/src/www/vpn_pptp_users.php           | 136 -----
 net/pptp/src/www/vpn_pptp_users_edit.php      | 212 -------
 60 files changed, 2 insertions(+), 4835 deletions(-)
 delete mode 100644 dns/unbound-plus/Makefile
 delete mode 100644 dns/unbound-plus/pkg-descr
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/DnsblController.php
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/MiscellaneousController.php
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/ServiceController.php
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/DnsblController.php
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/MiscellaneousController.php
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/dnsbl.xml
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/miscellaneous.xml
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/ACL/ACL.xml
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.php
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.xml
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Menu/Menu.xml
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.php
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/views/OPNsense/Unboundplus/dnsbl.volt
 delete mode 100644 dns/unbound-plus/src/opnsense/mvc/app/views/OPNsense/Unboundplus/miscellaneous.volt
 delete mode 100755 dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
 delete mode 100644 dns/unbound-plus/src/opnsense/service/conf/actions.d/actions_unboundplus.conf
 delete mode 100644 dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/+TARGETS
 delete mode 100644 dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dnsbl.inc
 delete mode 100644 dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf
 delete mode 100644 dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/lists.inc
 delete mode 100644 dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/miscellaneous.conf
 delete mode 100644 dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/whitelist.inc
 delete mode 100644 net/l2tp/Makefile
 delete mode 100644 net/l2tp/pkg-descr
 delete mode 100644 net/l2tp/src/etc/inc/plugins.inc.d/if_l2tp.inc
 delete mode 100644 net/l2tp/src/opnsense/mvc/app/models/OPNsense/L2TP/ACL/ACL.xml
 delete mode 100644 net/l2tp/src/opnsense/mvc/app/models/OPNsense/L2TP/Menu/Menu.xml
 delete mode 100644 net/l2tp/src/www/diag_logs_template_l2tp.inc
 delete mode 100644 net/l2tp/src/www/vpn_l2tp.php
 delete mode 100644 net/l2tp/src/www/vpn_l2tp_log.inc
 delete mode 100644 net/l2tp/src/www/vpn_l2tp_log.php
 delete mode 100644 net/l2tp/src/www/vpn_l2tp_users.php
 delete mode 100644 net/l2tp/src/www/vpn_l2tp_users_edit.php
 delete mode 100644 net/pppoe/Makefile
 delete mode 100644 net/pppoe/pkg-descr
 delete mode 100644 net/pppoe/src/etc/inc/plugins.inc.d/if_pppoe.inc
 delete mode 100644 net/pppoe/src/opnsense/mvc/app/models/OPNsense/PPPoE/ACL/ACL.xml
 delete mode 100644 net/pppoe/src/opnsense/mvc/app/models/OPNsense/PPPoE/Menu/Menu.xml
 delete mode 100644 net/pppoe/src/www/diag_logs_template_pppoe.inc
 delete mode 100644 net/pppoe/src/www/vpn_pppoe.php
 delete mode 100644 net/pppoe/src/www/vpn_pppoe_edit.php
 delete mode 100644 net/pppoe/src/www/vpn_pppoe_log.inc
 delete mode 100644 net/pppoe/src/www/vpn_pppoe_log.php
 delete mode 100644 net/pptp/Makefile
 delete mode 100644 net/pptp/pkg-descr
 delete mode 100644 net/pptp/src/etc/inc/plugins.inc.d/if_pptp.inc
 delete mode 100644 net/pptp/src/opnsense/mvc/app/models/OPNsense/PPTP/ACL/ACL.xml
 delete mode 100644 net/pptp/src/opnsense/mvc/app/models/OPNsense/PPTP/Menu/Menu.xml
 delete mode 100644 net/pptp/src/www/diag_logs_template_pptp.inc
 delete mode 100644 net/pptp/src/www/vpn_pptp.php
 delete mode 100644 net/pptp/src/www/vpn_pptp_log.inc
 delete mode 100644 net/pptp/src/www/vpn_pptp_log.php
 delete mode 100644 net/pptp/src/www/vpn_pptp_users.php
 delete mode 100644 net/pptp/src/www/vpn_pptp_users_edit.php

diff --git a/LICENSE b/LICENSE
index b88f03b560..069d562f93 100644
--- a/LICENSE
+++ b/LICENSE
@@ -18,10 +18,9 @@ Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019 Juergen Kellerer
-Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
+Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2017-2020 Michael Muenz <m.muenz@gmail.com>
-Copyright (c) 2020 Petr Kejval <petr.kejval6@gmail.com>
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010-2012 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 815b7c4060..334c3b760a 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -58,7 +58,7 @@ _PLUGIN_PYTHON!=${PYTHONLINK} -V
 PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
-PLUGIN_ABI?=	20.1
+PLUGIN_ABI?=	20.7
 PLUGIN_PHP?=	72
 PLUGIN_PYTHON?=	37
 
diff --git a/README.md b/README.md
index 9ae4e6a7a7..b50db1add2 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,6 @@ dns/bind -- BIND domain name service
 dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
 dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
-dns/unbound-plus -- Unbound additions
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
 misc/theme-cicada -- The cicada theme - dark grey
@@ -62,11 +61,8 @@ net/ftp-proxy -- Control ftp-proxy processes
 net/google-cloud-sdk -- Google Cloud SDK
 net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
-net/l2tp -- End of life, no replacement
 net/mdns-repeater -- Proxy multicast DNS between networks
 net/ntopng -- Traffic Analysis and Flow Collection
-net/pppoe -- End of life, no replacement
-net/pptp -- End of life, no replacement
 net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
diff --git a/dns/unbound-plus/Makefile b/dns/unbound-plus/Makefile
deleted file mode 100644
index b12f8cf3db..0000000000
--- a/dns/unbound-plus/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-PLUGIN_NAME=		unbound-plus
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		Unbound additions
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
-
-.include "../../Mk/plugins.mk"
diff --git a/dns/unbound-plus/pkg-descr b/dns/unbound-plus/pkg-descr
deleted file mode 100644
index 908838464a..0000000000
--- a/dns/unbound-plus/pkg-descr
+++ /dev/null
@@ -1,16 +0,0 @@
-Unbound-Plus is a collecion of additional features to Unbound,
-including DNSBL and DNS-over-TLS support.
-
-WWW: https://github.com/opnsense/plugins/
-
-Plugin Changelog
-----------------
-
-1.1
-
-* Add DNS over TLS (DoT) support
-
-1.0
-
-* Add DNSBL feature
-* Allow to set private domains
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/DnsblController.php b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/DnsblController.php
deleted file mode 100644
index e729939f6c..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/DnsblController.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Unboundplus\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-class DnsblController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelClass = '\OPNsense\Unboundplus\Dnsbl';
-    protected static $internalModelName = 'dnsbl';
-}
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/MiscellaneousController.php b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/MiscellaneousController.php
deleted file mode 100644
index 5e98788200..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/MiscellaneousController.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Unboundplus\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-class MiscellaneousController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelClass = '\OPNsense\Unboundplus\Miscellaneous';
-    protected static $internalModelName = 'miscellaneous';
-}
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/ServiceController.php b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/ServiceController.php
deleted file mode 100644
index 66fa748579..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/Api/ServiceController.php
+++ /dev/null
@@ -1,62 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Unboundplus\Api;
-
-use OPNsense\Base\ApiMutableServiceControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Unboundplus\Dnsbl;
-use OPNsense\Unboundplus\Miscellaneous;
-
-class ServiceController extends ApiMutableServiceControllerBase
-{
-    protected static $internalServiceClass = '\OPNsense\Unboundplus\Dnsbl';
-    protected static $internalServiceTemplate = 'OPNsense/Unboundplus';
-    protected static $internalServiceEnabled = 'enabled';
-    protected static $internalServiceName = 'unboundplus';
-
-    public function dnsblAction()
-    {
-        $this->sessionClose();
-        $mdl = new Dnsbl();
-        $backend = new Backend();
-        $backend->configdRun('template reload OPNsense/Unboundplus');
-        $response = $backend->configdpRun('unboundplus dnsbl', array((string)$mdl->type));
-        return array("response" => $response);
-    }
-
-    public function reloadunboundAction()
-    {
-        $this->sessionClose();
-        $mdl = new Miscellaneous();
-        $backend = new Backend();
-        $backend->configdRun('template reload OPNsense/Unboundplus');
-        $response = $backend->configdpRun('unbound reload', array((string)$mdl->type));
-        return array("response" => $response);
-    }
-}
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/DnsblController.php b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/DnsblController.php
deleted file mode 100644
index 882e2aae9a..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/DnsblController.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Unboundplus;
-
-class DnsblController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->dnsblForm = $this->getForm('dnsbl');
-        $this->view->pick('OPNsense/Unboundplus/dnsbl');
-    }
-}
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/MiscellaneousController.php b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/MiscellaneousController.php
deleted file mode 100644
index 25bdb9e638..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/MiscellaneousController.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Unboundplus;
-
-class MiscellaneousController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->miscellaneousForm = $this->getForm('miscellaneous');
-        $this->view->pick('OPNsense/Unboundplus/miscellaneous');
-    }
-}
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/dnsbl.xml b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/dnsbl.xml
deleted file mode 100644
index 6fd6fc6077..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/dnsbl.xml
+++ /dev/null
@@ -1,30 +0,0 @@
-<form>
-    <field>
-        <id>dnsbl.enabled</id>
-        <label>Enable</label>
-        <type>checkbox</type>
-        <help>Enable the usage of DNS blocklists.</help>
-    </field>
-    <field>
-        <id>dnsbl.type</id>
-        <label>Type of DNSBL</label>
-        <type>select_multiple</type>
-        <help>Select which kind of DNSBL you want to use.</help>
-    </field>
-    <field>
-        <id>dnsbl.lists</id>
-        <label>URLs of Blacklists</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <help>List of domains from where blacklist will be downloaded.</help>
-    </field>
-    <field>
-        <id>dnsbl.whitelists</id>
-        <label>Whitelist Domains</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <help>List of domains to whitelist. You can use regular expressions.</help>
-    </field>
-</form>
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/miscellaneous.xml b/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/miscellaneous.xml
deleted file mode 100644
index 899ceb3901..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/controllers/OPNsense/Unboundplus/forms/miscellaneous.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<form>
-    <field>
-        <id>miscellaneous.privatedomain</id>
-        <label>Private Domains</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <help>List of domains to mark as private. You only need this for some DNSBL lists which resolve to private addresses.</help>
-    </field>
-    <field>
-        <id>miscellaneous.dotservers</id>
-        <label>DNS over TLS Servers</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <help>List of nameservers to use for DoT. Use syntax ip@port like 9.9.9.9@853</help>
-    </field>
-</form>
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/ACL/ACL.xml b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/ACL/ACL.xml
deleted file mode 100644
index 181f635fd8..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/ACL/ACL.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<acl>
-   <page-services-unbound>
-      <name>Services: Unbound DNSBL</name>
-      <patterns>
-         <pattern>ui/unboundplus/*</pattern>
-         <pattern>api/unboundplus/*</pattern>
-      </patterns>
-   </page-services-unbound>
-</acl>
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.php b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.php
deleted file mode 100644
index b8bd973ef6..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Unboundplus;
-
-use OPNsense\Base\BaseModel;
-
-class Dnsbl extends BaseModel
-{
-}
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.xml b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.xml
deleted file mode 100644
index 5b537c08fd..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.xml
+++ /dev/null
@@ -1,47 +0,0 @@
-<model>
-    <mount>//OPNsense/unboundplus/dnsbl</mount>
-    <description>Unbound DNSBL configuration</description>
-    <version>0.0.1</version>
-    <items>
-        <enabled type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </enabled>
-        <type type="OptionField">
-            <Required>N</Required>
-            <Multiple>Y</Multiple>
-            <OptionValues>
-                <aa>AdAway List</aa>
-                <ag>AdGuard List</ag>
-                <bla>Blocklist.site Ads</bla>
-                <blf>Blocklist.site Fraud</blf>
-                <blp>Blocklist.site Phishing</blp>
-                <ca>Cameleon List</ca>
-                <el>Easy List</el>
-                <emd>EMD Malicious Domains List</emd>
-                <ep>Easyprivacy List</ep>
-                <hpa>hpHosts Ads</hpa>
-                <hpf>hpHosts FSA</hpf>
-                <hpp>hpHosts PSH</hpp>
-                <hup>hpHosts PUP</hup>
-                <mw>Malwaredomain List</mw>
-                <nc>NoCoin List</nc>
-                <pt>PornTop1M List</pt>
-                <rw>Ransomware Tracker List</rw>
-                <sa>Simple Ad List</sa>
-                <st>Simple Tracker List</st>
-                <sb>Steven Black List</sb>
-                <ws>WindowsSpyBlocker (spy)</ws>
-                <wsu>WindowsSpyBlocker (update)</wsu>
-                <wse>WindowsSpyBlocker (extra)</wse>
-                <yy>YoYo List</yy>
-            </OptionValues>
-        </type>
-        <lists type="CSVListField">
-            <Required>N</Required>
-        </lists>
-        <whitelists type="CSVListField">
-            <Required>N</Required>
-        </whitelists>
-    </items>
-</model>
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Menu/Menu.xml b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Menu/Menu.xml
deleted file mode 100644
index 32261d1a24..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Menu/Menu.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<menu>
-  <Services>
-    <Unbound>
-      <Blacklist order="50" url="/ui/unboundplus/dnsbl/index"/>
-      <Miscellaneous order="60" url="/ui/unboundplus/miscellaneous/index"/>
-    </Unbound>
-  </Services>
-</menu>
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.php b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.php
deleted file mode 100644
index 9cc112378e..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Unboundplus;
-
-use OPNsense\Base\BaseModel;
-
-class Miscellaneous extends BaseModel
-{
-}
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml b/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
deleted file mode 100644
index 1ae1f590ae..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Miscellaneous.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<model>
-    <mount>//OPNsense/unboundplus/miscellaneous</mount>
-    <description>Unbound Miscellaneous configuration</description>
-    <version>0.0.2</version>
-    <items>
-        <privatedomain type="CSVListField">
-            <Required>N</Required>
-        </privatedomain>
-        <dotservers type="CSVListField">
-            <Required>N</Required>
-            <mask>/^[a-fA-F0-9\.\,\:\@]{1,512}$/</mask>
-        </dotservers>
-    </items>
-</model>
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/views/OPNsense/Unboundplus/dnsbl.volt b/dns/unbound-plus/src/opnsense/mvc/app/views/OPNsense/Unboundplus/dnsbl.volt
deleted file mode 100644
index eb53cf0e64..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/views/OPNsense/Unboundplus/dnsbl.volt
+++ /dev/null
@@ -1,54 +0,0 @@
-{#
- # Copyright (c) 2019 Deciso B.V.
- # Copyright (c) 2019 Michael Muenz <m.muenz@gmail.com>
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1. Redistributions of source code must retain the above copyright notice,
- #    this list of conditions and the following disclaimer.
- #
- # 2. Redistributions in binary form must reproduce the above copyright notice,
- #    this list of conditions and the following disclaimer in the documentation
- #    and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':dnsblForm,'id':'frm_dnsbl_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
-</div>
-
-<script>
-    $(function() {
-        var data_get_map = {'frm_dnsbl_settings':"/api/unboundplus/dnsbl/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
-            formatTokenizersUI();
-            $('.selectpicker').selectpicker('refresh');
-        });
-
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/unboundplus/dnsbl/set", formid='frm_dnsbl_settings',callback_ok=function(){
-                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-                ajaxCall(url="/api/unboundplus/service/dnsbl", sendData={}, callback=function(data,status) {
-                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                });
-            });
-        });
-    });
-</script>
diff --git a/dns/unbound-plus/src/opnsense/mvc/app/views/OPNsense/Unboundplus/miscellaneous.volt b/dns/unbound-plus/src/opnsense/mvc/app/views/OPNsense/Unboundplus/miscellaneous.volt
deleted file mode 100644
index dda6369f25..0000000000
--- a/dns/unbound-plus/src/opnsense/mvc/app/views/OPNsense/Unboundplus/miscellaneous.volt
+++ /dev/null
@@ -1,54 +0,0 @@
-{#
- # Copyright (c) 2019 Deciso B.V.
- # Copyright (c) 2019 Michael Muenz <m.muenz@gmail.com>
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1. Redistributions of source code must retain the above copyright notice,
- #    this list of conditions and the following disclaimer.
- #
- # 2. Redistributions in binary form must reproduce the above copyright notice,
- #    this list of conditions and the following disclaimer in the documentation
- #    and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':miscellaneousForm,'id':'frm_miscellaneous_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
-</div>
-
-<script>
-    $(function() {
-        var data_get_map = {'frm_miscellaneous_settings':"/api/unboundplus/miscellaneous/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
-            formatTokenizersUI();
-            $('.selectpicker').selectpicker('refresh');
-        });
-
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/unboundplus/miscellaneous/set", formid='frm_miscellaneous_settings',callback_ok=function(){
-                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-                ajaxCall(url="/api/unboundplus/service/reloadunbound", sendData={}, callback=function(data,status) {
-                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                });
-            });
-        });
-    });
-</script>
diff --git a/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py b/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
deleted file mode 100755
index f933ad6877..0000000000
--- a/dns/unbound-plus/src/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
+++ /dev/null
@@ -1,197 +0,0 @@
-#!/usr/local/bin/python3
-
-# DNS BL script
-# Copyright (c) 2020 Petr Kejval <petr.kejval6@gmail.com>
-
-# Downloads blacklisted domains from user specified URLs and "compile" them into unbound.conf compatible file
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-
-import re, urllib3, threading, subprocess
-
-re_blacklist = re.compile(r'(^127\.0\.0\.1[\s]+|^0\.0\.0\.0[\s]+)([0-9a-z_.-]+)(?:\s|$)|^([0-9a-z_.-]+)(?:\s|$)', re.I)
-re_whitelist = re.compile(r'$^') # default - match nothing
-blacklist = set()
-urls = set()
-
-predefined_lists = {
-    "aa": "https://adaway.org/hosts.txt",
-    "ag": "https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt",
-    "bla": "https://blocklist.site/app/dl/ads",
-    "blf": "https://blocklist.site/app/dl/fraud",
-    "blp": "https://blocklist.site/app/dl/phishing",
-    "ca": "http://sysctl.org/cameleon/hosts",
-    "el": "https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt",
-    "ep": "https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt",
-    "emd": "https://hosts-file.net/emd.txt",
-    "hpa": "https://hosts-file.net/ad_servers.txt",
-    "hpf": "https://hosts-file.net/fsa.txt",
-    "hpp": "https://hosts-file.net/psh.txt",
-    "hup": "https://hosts-file.net/pup.txt",
-    "nc": "https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt",
-    "rw": "https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt",
-    "mw": "http://malwaredomains.lehigh.edu/files/justdomains",
-    "pa": "https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list",
-    "pt": "https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list",
-    "sa": "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt",
-    "sb": "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
-    "st": "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt",
-    "ws": "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt",
-    "wsu": "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt",
-    "wse": "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt",
-    "yy": "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext"
-}
-
-def add_to_blacklist(domain):
-    """ Checks if domain is present in whitelist. If not, domain is addded to BL set. """
-    match = re_whitelist.match(domain)
-    if not match:
-        blacklist.add(domain)
-
-def parse_line(line):
-    """ Checks if line matches re_blacklist. If so, tries add domain to BL set. """
-    global blacklist
-    line = line.replace('\\t', " ")
-    line = line.replace('\\r', "")
-    match = re_blacklist.match(line)
-    if match:
-        if match.group(2) != None:
-            add_to_blacklist(match.group(2))
-        elif match.group(3) != None:
-            add_to_blacklist(match.group(3))
-
-def process_url(url):
-    """ Reads and parses blacklisted domains from URL into BL set. """
-    print(f"Processing BL items from: {url}")
-
-    try:
-        http = urllib3.PoolManager(timeout=5.0)
-        r = http.request('GET', url, retries=2)
-
-        if r.status == 200:
-            for line in str(r.data).split('\\n'):
-                parse_line(line)
-    except Exception as e:
-        print(str(e))
-
-def save_config_file():
-    """ Saves blacklist in unbound.conf format """
-    print(f"Saving {len(blacklist)} blacklisted domains into dnsbl.conf")
-
-    try:
-        with open("/var/unbound/etc/dnsbl.conf", 'w') as file:
-            # No domains found or DNSBL is disabled
-            if (len(blacklist) == 0):
-                file.write("")
-            else:
-                file.write('server:\n')
-                for line in blacklist:
-                    #file.write('local-zone: "' + str(line) + '" static\n')
-                    file.write('local-data: "' + str(line) + ' A 0.0.0.0"\n')
-    except Exception as e:
-        print(str(e))
-        exit(1)
-
-def load_list(path, separator=None):
-    """ Reads file with specified path into set to ensure unique values.
-    Splits lines with defined separator. If sperator==None no split is performed. """
-    result = set()
-
-    try:
-        with open(path, 'r') as file:
-            for line in file.readlines():
-                if not separator == None:
-                    for element in line.split(separator):
-                        result.add(element.replace('\n', ''))
-                else:
-                    result.add(line.replace('\n', ''))
-    except Exception as e:
-        print(str(e))
-
-    return result
-
-def load_whitelist():
-    """ Loads user defined whitelist in regex format and compiles it. """
-    print("Loading whitelist")
-    global re_whitelist
-    wl = load_list('/var/unbound/etc/whitelist.inc', ',')
-    wl.add(r'.*localhost$')
-    wl.add(r'^(?![a-zA-Z\d]).*') # Exclude domains NOT starting with alphanumeric char
-    print(f"Loaded {len(wl)} whitelist items")
-
-    try:
-        re_whitelist = re.compile('|'.join(wl), re.I)
-    except Exception as e:
-        print(f"Whitelist regex compile failed: {str(e)}")
-
-def load_blacklists():
-    """ Loads user defined blacklists URLs. """
-    print("Loading blacklists URLs")
-    global urls
-    urls = load_list('/var/unbound/etc/lists.inc', ',')
-    print(f"Loaded {len(urls)} blacklists URLs")
-
-def load_predefined_lists():
-    """ Loads user chosen predefined lists """
-    print("Loading predefined lists URLs")
-    global urls
-    lists = load_list('/var/unbound/etc/dnsbl.inc')
-    types = set()
-
-    for first in lists:
-        first = str(first).split('=')[1]
-        first = str(first).replace('"', '').replace('\n', '')
-        first = first.split(',')
-        for type in first:
-            types.add(type)
-        break
-
-    print(f"Loaded {len(types)} predefined blacklists URLs")
-
-    for type in types:
-        try:
-            urls.add(predefined_lists[type])
-        except KeyError:
-            continue
-        except Exception as e:
-            print(str(e))
-
-if __name__ == "__main__":
-    # Prepare lists from config files
-    load_whitelist()
-    load_blacklists()
-    load_predefined_lists()
-
-    # Start processing BLs in threads
-    threads = [threading.Thread(target=process_url, args=(url,)) for url in urls]
-    for t in threads:
-        t.start()
-    for t in threads:
-        t.join()
-
-    save_config_file()
-
-    print("Restarting unbound service")
-    subprocess.Popen(["pluginctl", "-s", "unbound", "restart"])
-    exit(0)
diff --git a/dns/unbound-plus/src/opnsense/service/conf/actions.d/actions_unboundplus.conf b/dns/unbound-plus/src/opnsense/service/conf/actions.d/actions_unboundplus.conf
deleted file mode 100644
index e354a4e126..0000000000
--- a/dns/unbound-plus/src/opnsense/service/conf/actions.d/actions_unboundplus.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[dnsbl]
-command:/usr/local/opnsense/scripts/OPNsense/Unboundplus/dnsbl.py
-parameters:
-type:script
-message:fetching and applying DNSBLs
-description: Download Unbound DNSBLs and restart
diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/+TARGETS b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/+TARGETS
deleted file mode 100644
index 1166df58a0..0000000000
--- a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/+TARGETS
+++ /dev/null
@@ -1,5 +0,0 @@
-dnsbl.inc:/var/unbound/etc/dnsbl.inc
-whitelist.inc:/var/unbound/etc/whitelist.inc
-miscellaneous.conf:/var/unbound/etc/miscellaneous.conf
-dot.conf:/var/unbound/etc/dot.conf
-lists.inc:/var/unbound/etc/lists.inc
diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dnsbl.inc b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dnsbl.inc
deleted file mode 100644
index a47edf32fe..0000000000
--- a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dnsbl.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-{% if helpers.exists('OPNsense.unboundplus.dnsbl.enabled') and OPNsense.unboundplus.dnsbl.enabled == '1' %}
-{%   if helpers.exists('OPNsense.unboundplus.dnsbl.type') and OPNsense.unboundplus.dnsbl.type != '' %}
-unbound_dnsbl="{{ OPNsense.unboundplus.dnsbl.type }}"
-{%   endif %}
-{% endif %}
diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf
deleted file mode 100644
index 8837f8fd76..0000000000
--- a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/dot.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-{% if helpers.exists('OPNsense.unboundplus.miscellaneous.dotservers') and OPNsense.unboundplus.miscellaneous.dotservers != '' %}
-server:
-  tls-cert-bundle: /etc/ssl/cert.pem
-forward-zone:
-  name: "."
-  forward-tls-upstream: yes
-{%   for dot in OPNsense.unboundplus.miscellaneous.dotservers.split(',') %}
-  forward-addr: {{ dot }}
-{%   endfor %}
-{% endif %}
diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/lists.inc b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/lists.inc
deleted file mode 100644
index 947a527616..0000000000
--- a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/lists.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-{%  if helpers.exists('OPNsense.unboundplus.dnsbl.enabled') and OPNsense.unboundplus.dnsbl.enabled == '1' %}
-{%      if helpers.exists('OPNsense.unboundplus.dnsbl.lists') and OPNsense.unboundplus.dnsbl.lists != '' %}
-{{ OPNsense.unboundplus.dnsbl.lists|default("") }}
-{%      endif %}
-{%  endif %}
diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/miscellaneous.conf b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/miscellaneous.conf
deleted file mode 100644
index 849bf8b100..0000000000
--- a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/miscellaneous.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-{%   if helpers.exists('OPNsense.unboundplus.miscellaneous.privatedomain') and OPNsense.unboundplus.miscellaneous.privatedomain != '' %}
-server:
-{%     for privatedomain in OPNsense.unboundplus.miscellaneous.privatedomain.split(',') %}
-private-domain: {{ privatedomain }}
-{%     endfor %}
-{%   endif %}
diff --git a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/whitelist.inc b/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/whitelist.inc
deleted file mode 100644
index 925e665f7e..0000000000
--- a/dns/unbound-plus/src/opnsense/service/templates/OPNsense/Unboundplus/whitelist.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-{%   if helpers.exists('OPNsense.unboundplus.dnsbl.enabled') and OPNsense.unboundplus.dnsbl.enabled == '1' %}
-{%     if helpers.exists('OPNsense.unboundplus.dnsbl.whitelists') and OPNsense.unboundplus.dnsbl.whitelists != '' %}
-{{ OPNsense.unboundplus.dnsbl.whitelists|default("") }}
-{%     endif %}
-{%   endif %}
diff --git a/net/l2tp/Makefile b/net/l2tp/Makefile
deleted file mode 100644
index 4a7c54423a..0000000000
--- a/net/l2tp/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-PLUGIN_NAME=		l2tp
-PLUGIN_VERSION=		1.9
-PLUGIN_DEPENDS=		clog mpd5
-PLUGIN_COMMENT=		End of life, no replacement
-PLUGIN_MAINTAINER=	franco@opnsense.org
-
-.include "../../Mk/plugins.mk"
diff --git a/net/l2tp/pkg-descr b/net/l2tp/pkg-descr
deleted file mode 100644
index adda8e3aa3..0000000000
--- a/net/l2tp/pkg-descr
+++ /dev/null
@@ -1,16 +0,0 @@
-Mpd is a netgraph(4) based implementation of the multi-link PPP
-protocol for FreeBSD.  It is designed to be both fast and flexible.
-It handles configuration and negotiation in user land, while routing
-all data packets strictly in the kernel.  It supports several of
-the numerous PPP sub-protocols and extensions, such as:
-
-      Multi-link PPP capability
-      PAP, CHAP, MS-CHAP and EAP authentication
-      PPP compression and encryption
-      IPCP and IPV6CP parameter negotiation
-
-This plugin has support for the following link type:
-
-      Layer Two Tunnelling Protocol (L2TP)
-
-WWW: http://www.sourceforge.net/projects/mpd
diff --git a/net/l2tp/src/etc/inc/plugins.inc.d/if_l2tp.inc b/net/l2tp/src/etc/inc/plugins.inc.d/if_l2tp.inc
deleted file mode 100644
index 66848b2f32..0000000000
--- a/net/l2tp/src/etc/inc/plugins.inc.d/if_l2tp.inc
+++ /dev/null
@@ -1,279 +0,0 @@
-<?php
-
-/*
- * Coypright (C) 2016-2018 Franco Fichtner <franco@opnsense.org>
- * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
- * Copyright (C) 2008 Ermal Luçi
- * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-function if_l2tp_configure()
-{
-    return array('bootup' => array('if_l2tp_configure_do'));
-}
-
-function if_l2tp_services()
-{
-    global $config;
-
-    $services = array();
-
-    if (isset($config['l2tp']['mode']) && $config['l2tp']['mode'] == 'server') {
-        $services[] = array(
-            'description' => gettext('L2TP Server'),
-            'pidfile' => '/var/run/l2tp-vpn.pid',
-            'php' => array(
-                'restart' => array('if_l2tp_configure_do'),
-                'start' => array('if_l2tp_configure_do'),
-            ),
-            'name' => 'l2tpd',
-        );
-    }
-
-    return $services;
-}
-
-/**
- * request syslog facilities for this plugin
- * @return array
- */
-function if_l2tp_syslog()
-{
-    $logfacilities = array();
-
-    $logfacilities['l2tps'] = array(
-        'facility' => array('l2tps'),
-        'remote' => 'vpn',
-    );
-
-    return $logfacilities;
-}
-
-function if_l2tp_link_scripts($rootdir, $logtype = 'l2tp')
-{
-    $up = <<<'EOD'
-#!/bin/sh
-
-/usr/bin/logger -p local3.info "login,%s,$4,$5"
-/sbin/ifconfig $1 group l2tp
-
-EOD;
-    $down = <<<'EOD'
-#!/bin/sh
-
-/usr/bin/logger -p local3.info "logout,%s,$4,$5"
-
-/sbin/pfctl -i $1 -Fs
-/sbin/pfctl -K $4/32
-
-EOD;
-
-    file_put_contents($rootdir . '/linkup', sprintf($up, $logtype));
-    file_put_contents($rootdir . '/linkdown', sprintf($down, $logtype));
-
-    chmod($rootdir . '/linkup', 0755);
-    chmod($rootdir . '/linkdown', 0755);
-}
-
-function if_l2tp_configure_do()
-{
-    global $config;
-
-    killbypid('/var/run/l2tp-vpn.pid', 'TERM', true);
-    mwexec('rm -rf /var/etc/l2tp-vpn');
-
-    $syscfg = $config['system'];
-    if (isset($config['l2tp'])) {
-        $l2tpcfg = $config['l2tp'];
-    } else {
-        return 0;
-    }
-
-    if (!isset($l2tpcfg['mode']) || $l2tpcfg['mode'] != 'server') {
-        return 0;
-    }
-
-    if (file_exists('/var/run/booting')) {
-        echo gettext('Configuring L2TP VPN service...');
-    }
-
-    switch ($l2tpcfg['mode']) {
-        case 'server':
-            @mkdir('/var/etc/l2tp-vpn');
-            if_l2tp_link_scripts('/var/etc/l2tp-vpn');
-
-            $fd = fopen("/var/etc/l2tp-vpn/mpd.conf", "w");
-            if (!$fd) {
-                printf(gettext("Error: cannot open mpd.conf in if_l2tp_configure().") . "\n");
-                return 1;
-            }
-
-            $selfip = get_interface_ip($l2tpcfg['interface']);
-
-            $iprange = $l2tpcfg['remoteip'] . ' ';
-            $iprange .= long2ip32(ip2long($l2tpcfg['remoteip']) + $l2tpcfg['n_l2tp_units'] - 1);
-
-            $iptype = "ippool pool1";
-            if (isset($l2tpcfg['radius']['enable']) && isset($l2tpcfg['radius']['radiusissueips'])) {
-                $iptype = "0.0.0.0/0";
-            }
-
-            $mpdconf = <<<EOD
-startup:
-
-l2tps:
-  set ippool add pool1 {$iprange}
-
-  create bundle template B
-  set iface disable on-demand
-  set iface enable proxy-arp
-  set iface up-script /var/etc/l2tp-vpn/linkup
-  set iface down-script /var/etc/l2tp-vpn/linkdown
-  set ipcp ranges {$l2tpcfg['localip']}/32 {$iptype}
-  set ipcp yes vjcomp
-
-EOD;
-
-            if (is_ipaddr($l2tpcfg['wins'])) {
-                $mpdconf .= "  set ipcp nbns {$l2tpcfg['wins']}\n";
-            }
-            if (is_ipaddr($l2tpcfg['dns1'])) {
-                $mpdconf .= "  set ipcp dns " . $l2tpcfg['dns1'];
-                if (is_ipaddr($l2tpcfg['dns2'])) {
-                    $mpdconf .= " " . $l2tpcfg['dns2'];
-                }
-                $mpdconf .= "\n";
-            } elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
-                $mpdconf .= "  set ipcp dns ${selfip}";
-                if (isset($syscfg['dnsserver'][0])) {
-                    $mpdconf .= " " . $syscfg['dnsserver'][0];
-                }
-                $mpdconf .= "\n";
-            } elseif (isset($syscfg['dnsserver'][0])) {
-                $mpdconf .= "  set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
-            }
-
-            if ($l2tpcfg['paporchap'] == "chap") {
-                $paporchap = "set link enable chap";
-            } else {
-                $paporchap = "set link enable pap";
-            }
-
-            $mpdconf .= <<<EOD
-
-  set bundle enable crypt-reqd
-  set bundle enable compression
-  set ccp yes mppc
-
-  create link template L l2tp
-  set link action bundle B
-  set link enable multilink
-  set link yes acfcomp protocomp
-  set link no pap chap eap
-  {$paporchap}
-  set link keep-alive 10 60
-  set link mtu 1460
-  set l2tp self ${selfip}
-  set link enable incoming
-
-EOD;
-
-            if (!empty($l2tpcfg['secret'])) {
-                $mpdconf .= "  set l2tp secret {$l2tpcfg['secret']}\n";
-            }
-
-            if (isset($l2tpcfg['radius']['enable'])) {
-                $mpdconf .= <<<EOD
-  set radius server {$l2tpcfg['radius']['server']} "{$l2tpcfg['radius']['secret']}"
-  set radius retries 3
-  set radius timeout 10
-  set auth enable radius-auth
-
-EOD;
-
-                if (isset($l2tpcfg['radius']['accounting'])) {
-                    $mpdconf .= <<<EOD
-  set auth enable radius-acct
-
-EOD;
-                }
-            }
-
-            fwrite($fd, $mpdconf);
-            fclose($fd);
-            unset($mpdconf);
-
-            $fd = fopen("/var/etc/l2tp-vpn/mpd.secret", "w");
-            if (!$fd) {
-                printf(gettext("Error: cannot open mpd.secret in if_l2tp_configure().") . "\n");
-                return 1;
-            }
-
-            $mpdsecret = "\n\n";
-
-            if (is_array($l2tpcfg['user'])) {
-                foreach ($l2tpcfg['user'] as $user) {
-                    $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
-                }
-            }
-
-            fwrite($fd, $mpdsecret);
-            fclose($fd);
-            unset($mpdsecret);
-            chmod('/var/etc/l2tp-vpn/mpd.secret', 0600);
-
-            mwexec('/usr/local/sbin/mpd5 -b -d /var/etc/l2tp-vpn -p /var/run/l2tp-vpn.pid -s l2tps l2tps');
-
-            break;
-    }
-
-    if (file_exists('/var/run/booting')) {
-        echo gettext("done") . "\n";
-    }
-
-    return 0;
-}
-
-function if_l2tp_interfaces()
-{
-    global $config;
-
-    $interfaces = array();
-
-    if (isset($config['l2tp']['mode']) && $config['l2tp']['mode'] == 'server') {
-        $oic = array("enable" => true);
-        $oic['virtual'] = true;
-        $oic['networks'] =  array();
-        $oic['if'] = 'l2tp';
-        $oic['descr'] = 'L2TP';
-        $oic['type'] = 'group';
-        $mask = !empty($config['l2tp']['l2tp_subnet']) ? $config['l2tp']['l2tp_subnet'] : 32;
-        $oic['networks'][] = array("network" => gen_subnet($config['l2tp']['remoteip'], $mask), "mask" => $mask);
-        $interfaces['l2tp'] = $oic;
-    }
-
-    return $interfaces;
-}
diff --git a/net/l2tp/src/opnsense/mvc/app/models/OPNsense/L2TP/ACL/ACL.xml b/net/l2tp/src/opnsense/mvc/app/models/OPNsense/L2TP/ACL/ACL.xml
deleted file mode 100644
index 24ea3d3e1a..0000000000
--- a/net/l2tp/src/opnsense/mvc/app/models/OPNsense/L2TP/ACL/ACL.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<acl>
-    <page-diagnostics-logs-l2tp>
-        <name>Diagnostics: Logs: L2TP</name>
-        <patterns>
-            <pattern>vpn_l2tp_log.php*</pattern>
-        </patterns>
-    </page-diagnostics-logs-l2tp>
-    <page-vpn-vpnl2tp>
-        <name>VPN: L2TP</name>
-        <patterns>
-            <pattern>vpn_l2tp.php*</pattern>
-        </patterns>
-    </page-vpn-vpnl2tp>
-    <page-vpn-vpnl2tp-users-edit>
-        <name>VPN: L2TP: Users: Edit</name>
-        <patterns>
-            <pattern>vpn_l2tp_users_edit.php*</pattern>
-        </patterns>
-    </page-vpn-vpnl2tp-users-edit>
-    <page-vpn-vpnl2tp-users>
-        <name>VPN: L2TP: Users</name>
-        <patterns>
-            <pattern>vpn_l2tp_users.php*</pattern>
-        </patterns>
-    </page-vpn-vpnl2tp-users>
-</acl>
diff --git a/net/l2tp/src/opnsense/mvc/app/models/OPNsense/L2TP/Menu/Menu.xml b/net/l2tp/src/opnsense/mvc/app/models/OPNsense/L2TP/Menu/Menu.xml
deleted file mode 100644
index 5a548e1a10..0000000000
--- a/net/l2tp/src/opnsense/mvc/app/models/OPNsense/L2TP/Menu/Menu.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-<menu>
-    <VPN>
-        <L2TP cssClass="fa fa-unlock fa-fw" order="100">
-            <Settings order="10" url="/vpn_l2tp.php"/>
-            <Users order="20" url="/vpn_l2tp_users.php">
-                <Edit url="/vpn_l2tp_users_edit.php*" visibility="hidden"/>
-            </Users>
-            <LogFile order="30" VisibleName="Log File" url="/vpn_l2tp_log.php">
-                <Type url="/vpn_l2tp_log.php*" visibility="hidden"/>
-            </LogFile>
-        </L2TP>
-    </VPN>
-</menu>
diff --git a/net/l2tp/src/www/diag_logs_template_l2tp.inc b/net/l2tp/src/www/diag_logs_template_l2tp.inc
deleted file mode 100644
index 993181556e..0000000000
--- a/net/l2tp/src/www/diag_logs_template_l2tp.inc
+++ /dev/null
@@ -1,117 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2015 Deciso B.V.
- * Copyright (C) 2012 Seth Mos <seth.mos@dds.nl>
- * Copyright (C) 2004-2009 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("interfaces.inc");
-
-/* expects $logfile to point to the system path */
-/* expects $logclog to be true or false */
-
-require_once 'diag_logs_common.inc';
-
-$filtertext = '';
-$nentries = 50;
-
-if (isset($config['syslog']['nentries'])) {
-    $nentries = $config['syslog']['nentries'];
-}
-
-if (!empty($_POST['clear'])) {
-    if ($logclog) {
-        system_clear_clog($logfile);
-    } else {
-        system_clear_log($logfile);
-    }
-}
-
-if (isset($_POST['filtertext'])) {
-    $filtertext = $_POST['filtertext'];
-}
-
-include("head.inc");
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-        <section class="col-xs-12">
-          <p>
-            <form method="post">
-              <div class="input-group">
-                <div class="input-group-addon"><i class="fa fa-search"></i></div>
-                <input type="text" class="form-control" id="filtertext" name="filtertext" placeholder="<?= html_safe(gettext('Search for a specific message...')) ?>" value="<?= html_safe($filtertext) ?>"/>
-              </div>
-            </form>
-          </p>
-          <div class="table-responsive content-box tab-content">
-            <table class="table table-striped">
-              <tr>
-                <th class="col-md-2 col-sm-3 col-xs-4"><?= gettext('Date') ?></th>
-                <th class="col-md-10 col-sm-9 col-xs-8"><?= gettext('Message') ?></th>
-              </tr>
-              <?php if (isset($logpills)): ?>
-              <tr>
-                <td colspan="2">
-                  <ul class="nav nav-pills" role="tablist">
-                    <?php foreach ($logpills as $pill): ?>
-                    <li role="presentation" <?php if (str_replace('amp;','', $pill[2]) == $_SERVER['REQUEST_URI']):?>class="active"<?php endif; ?>><a href="<?=$pill[2];?>"><?=$pill[0];?></a></li>
-                    <?php endforeach; ?>
-                  </ul>
-                </td>
-              </tr>
-              <?php endif; ?>
-              <?php
-                if ($logclog) {
-                    dump_clog($logfile, $nentries, $filtertext);
-                } else {
-                    dump_log($logfile, $nentries, $filtertext);
-                }
-              ?>
-              <tr>
-                <td colspan="2">
-                  <form method="post">
-<?php                   if (isset($mode)): ?>
-                    <input type="hidden" name="mode" id="mode" value="<?= html_safe($mode) ?>"/>
-<?php                   endif; ?>
-                    <input name="clear" type="submit" class="btn btn-primary" value="<?= html_safe(gettext('Clear log')) ?>"/>
-                  </form>
-                </td>
-              </tr>
-            </table>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc"); ?>
diff --git a/net/l2tp/src/www/vpn_l2tp.php b/net/l2tp/src/www/vpn_l2tp.php
deleted file mode 100644
index 7ebe7351c1..0000000000
--- a/net/l2tp/src/www/vpn_l2tp.php
+++ /dev/null
@@ -1,345 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2015 Deciso B.V.
- * Copyright (C) 2005 Scott Ullrich <sullrich@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("interfaces.inc");
-require_once("system.inc");
-require_once("plugins.inc.d/if_l2tp.inc");
-
-$l2tpcfg = &config_read_array('l2tp');
-config_read_array('l2tp', 'radius');
-
-if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    $pconfig['remoteip'] = $l2tpcfg['remoteip'];
-    $pconfig['localip'] = $l2tpcfg['localip'];
-    $pconfig['mode'] = $l2tpcfg['mode'];
-    $pconfig['interface'] = $l2tpcfg['interface'];
-    $pconfig['l2tp_dns1'] = $l2tpcfg['dns1'];
-    $pconfig['l2tp_dns2'] = $l2tpcfg['dns2'];
-    $pconfig['wins'] = $l2tpcfg['wins'];
-    $pconfig['radiusenable'] = isset($l2tpcfg['radius']['enable']);
-    $pconfig['radacct_enable'] = isset($l2tpcfg['radius']['accounting']);
-    $pconfig['radiusserver'] = $l2tpcfg['radius']['server'];
-    $pconfig['radiussecret'] = $l2tpcfg['radius']['secret'];
-    $pconfig['radiusissueips'] = isset($l2tpcfg['radius']['radiusissueips']);
-    $pconfig['n_l2tp_units'] = $l2tpcfg['n_l2tp_units'];
-    $pconfig['paporchap'] = $l2tpcfg['paporchap'];
-    $pconfig['secret'] = $l2tpcfg['secret'];
-} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $pconfig = $_POST;
-
-    /* input validation */
-    if ($_POST['mode'] == "server") {
-        $reqdfields = explode(" ", "localip remoteip");
-        $reqdfieldsn = array(gettext("Server address"),gettext("Remote start address"));
-
-        if ($_POST['radiusenable']) {
-            $reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret"));
-            $reqdfieldsn = array_merge(
-                $reqdfieldsn,
-                array(gettext("RADIUS server address"),gettext("RADIUS shared secret"))
-            );
-        }
-
-        do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
-
-        if ($_POST['localip'] && !is_ipaddr($_POST['localip'])) {
-            $input_errors[] = gettext("A valid server address must be specified.");
-        }
-        if ($_POST['localip'] && !is_ipaddr($_POST['remoteip'])) {
-            $input_errors[] = gettext("A valid remote start address must be specified.");
-        }
-        if ($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver'])) {
-            $input_errors[] = gettext("A valid RADIUS server address must be specified.");
-        }
-
-        if (!$input_errors) {
-            $subnet_start = ip2ulong($_POST['remoteip']);
-            $subnet_end = ip2ulong($_POST['remoteip']) + $_POST['n_l2tp_units'] - 1;
-
-            if ((ip2ulong($_POST['localip']) >= $subnet_start) &&
-                (ip2ulong($_POST['localip']) <= $subnet_end)) {
-                $input_errors[] = gettext("The specified server address lies in the remote subnet.");
-            }
-        }
-    }
-
-    if (!$input_errors) {
-        $l2tpcfg['remoteip'] = $_POST['remoteip'];
-        $l2tpcfg['localip'] = $_POST['localip'];
-        $l2tpcfg['mode'] = $_POST['mode'];
-        $l2tpcfg['interface'] = $_POST['interface'];
-        $l2tpcfg['n_l2tp_units'] = $_POST['n_l2tp_units'];
-
-        $l2tpcfg['radius']['server'] = $_POST['radiusserver'];
-        $l2tpcfg['radius']['secret'] = $_POST['radiussecret'];
-        $l2tpcfg['secret'] = $_POST['secret'];
-
-        if ($_POST['wins']) {
-            $l2tpcfg['wins'] = $_POST['wins'];
-        } else {
-            unset($l2tpcfg['wins']);
-        }
-
-        $l2tpcfg['paporchap'] = $_POST['paporchap'];
-
-
-        if ($_POST['l2tp_dns1'] == "") {
-            if (isset($l2tpcfg['dns1'])) {
-                unset($l2tpcfg['dns1']);
-            }
-        } else {
-            $l2tpcfg['dns1'] = $_POST['l2tp_dns1'];
-        }
-
-        if ($_POST['l2tp_dns2'] == "") {
-            if (isset($l2tpcfg['dns2'])) {
-                unset($l2tpcfg['dns2']);
-            }
-        } else {
-            $l2tpcfg['dns2'] = $_POST['l2tp_dns2'];
-        }
-
-        if ($_POST['radiusenable'] == "yes") {
-            $l2tpcfg['radius']['enable'] = true;
-        } else {
-            unset($l2tpcfg['radius']['enable']);
-        }
-
-        if ($_POST['radacct_enable'] == "yes") {
-            $l2tpcfg['radius']['accounting'] = true;
-        } else {
-            unset($l2tpcfg['radius']['accounting']);
-        }
-
-        if ($_POST['radiusissueips'] == "yes") {
-            $l2tpcfg['radius']['radiusissueips'] = true;
-        } else {
-            unset($l2tpcfg['radius']['radiusissueips']);
-        }
-
-        write_config();
-        if_l2tp_configure_do();
-        header(url_safe('Location: /vpn_l2tp.php'));
-        exit;
-    }
-}
-
-$service_hook = 'l2tpd';
-legacy_html_escape_form_data($pconfig);
-include("head.inc");
-
-?>
-<body>
-<?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-        <?php if (isset($input_errors) && count($input_errors) > 0) {
-                  print_input_errors($input_errors);
-              }
-              if (isset($savemsg)) {
-                  print_info_box($savemsg);
-              }
-        ?>
-        <section class="col-xs-12">
-          <div class="tab-content content-box col-xs-12">
-            <form method="post" name="iform" id="iform">
-              <div class="table-responsive">
-                <table class="table table-striped opnsense_standard_table_form">
-                  <tr>
-                    <td style="width:22%"><b><?=gettext("L2TP settings"); ?></b></td>
-                    <td style="width:78%; text-align:right">
-                      <small><?=gettext("full help"); ?> </small>
-                      <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Mode");?></td>
-                    <td>
-                      <input name="mode" type="radio" value="off" <?=($pconfig['mode'] != 'server') ? 'checked="checked"' : '';?>/>
-                      <?=gettext("Off"); ?>
-                      &nbsp;
-                      <input type="radio" name="mode" value="server"  <?=$pconfig['mode'] == 'server' ? 'checked="checked"' : '';?>/>
-                      <?=gettext("Enable L2TP server"); ?></td>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Interface");?></td>
-                    <td>
-                      <select name="interface" class="form-control" id="interface">
-<?php
-                      foreach (get_configured_interface_with_descr() as $iface => $ifacename) :?>
-                        <option value="<?=$iface;?>" <?=$iface == $pconfig['interface'] ? "selected=\"selected\"" : "";?>>
-                          <?=htmlspecialchars($ifacename);?>
-                        </option>
-<?php
-                      endforeach; ?>
-                      </select>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_localip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Server Address");?></td>
-                    <td>
-                      <input name="localip" type="text" id="localip" value="<?=$pconfig['localip'];?>" />
-                      <div class="hidden" data-for="help_for_localip">
-                        <?=gettext("Enter the IP address the L2TP server should give to clients for use as their \"gateway\"."); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_remoteip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Remote Address Range");?></td>
-                    <td>
-                      <input name="remoteip" type="text" id="remoteip" value="<?=$pconfig['remoteip'];?>" />
-                      <div class="hidden" data-for="help_for_remoteip">
-                        <?=gettext("Specify the starting address for the client IP address subnet.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Number of L2TP users"); ?></td>
-                    <td>
-                      <select id="n_l2tp_units" name="n_l2tp_units">
-                      <?php
-                                $toselect = ($pconfig['n_l2tp_units'] > 0) ? $pconfig['n_l2tp_units'] : 16;
-                                for ($x=1; $x<255; $x++) {
-                                    if ($x == $toselect) {
-                                           $SELECTED = " selected=\"selected\"";
-                                    } else {
-                                        $SELECTED = "";
-                                    }
-                                    echo "<option value=\"{$x}\"{$SELECTED}>{$x}</option>\n";
-                                }
-                                ?>
-                      </select>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_secret" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Secret");?></td>
-                    <td>
-                      <input type="password" name="secret" id="secret" value="<?=$pconfig['secret']; ?>" />
-                      <div class="hidden" data-for="help_for_secret">
-                        <?=gettext("Specify optional secret shared between peers. Required on some devices/setups.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_paporchap" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Authentication Type");?></td>
-                    <td>
-                      <select name="paporchap" id="paporchap">
-                        <option value='chap' <?=$pconfig['paporchap'] == "chap" ? " selected=\"selected\"" : "";?>>
-                          <?=gettext("CHAP"); ?>
-                        </option>
-                        <option value='pap' <?=$pconfig['paporchap'] == "pap" ?  " selected=\"selected\"" :"";?>>
-                          <?=gettext("PAP"); ?>
-                        </option>
-                      </select>
-                      <div class="hidden" data-for="help_for_paporchap">
-                        <?=gettext("Specifies which protocol to use for authentication.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_l2tp_dns" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("L2TP DNS Servers"); ?></td>
-                    <td>
-                      <input name="l2tp_dns1" type="text" id="l2tp_dns1" value="<?=$pconfig['l2tp_dns1'];?>" /><br/>
-                      <input name="l2tp_dns2" type="text" id="l2tp_dns2" value="<?=$pconfig['l2tp_dns2'];?>" />
-                      <div class="hidden" data-for="help_for_l2tp_dns">
-                        <?=gettext("primary and secondary DNS servers assigned to L2TP clients"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("WINS Server"); ?></td>
-                    <td>
-                      <input type="text" name="wins" id="wins" value="<?=$pconfig['wins'];?>" />
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radius" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS"); ?></td>
-                    <td>
-                      <input name="radiusenable" type="checkbox" id="radiusenable" value="yes" <?=($pconfig['radiusenable']) ? "checked=\"checked\"" : "";?>/>
-                      <strong> <?=gettext("Use a RADIUS server for authentication");?><br /></strong>
-                      <div class="hidden" data-for="help_for_radius">
-                        <?=gettext("When set, all users will be authenticated using the RADIUS server specified below. The local user database will not be used.");?>
-                      </div>
-                      <input name="radacct_enable" type="checkbox" id="radacct_enable" value="yes" <?=($pconfig['radacct_enable']) ? "checked=\"checked\"" : "";?>/>
-                      <strong><?=gettext("Enable RADIUS accounting");?></strong><br />
-                      <div class="hidden" data-for="help_for_radius">
-                        <?=gettext("Sends accounting packets to the RADIUS server.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiusserver" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS Server");?></td>
-                    <td>
-                      <input name="radiusserver" type="text" id="radiusserver" value="<?=$pconfig['radiusserver'];?>" />
-                      <div class="hidden" data-for="help_for_radiusserver">
-                        <?=gettext("Enter the IP address of the RADIUS server.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiussecret" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS Shared Secret");?></td>
-                    <td>
-                      <input name="radiussecret" type="password" class="form-control pwd" id="radiussecret" value="<?=$pconfig['radiussecret'];?>" />
-                      <div class="hidden" data-for="help_for_radiussecret">
-                        <?=gettext("Enter the shared secret that will be used to authenticate to the RADIUS server.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiusissueips" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS Issued IP's");?></td>
-                    <td>
-                      <input name="radiusissueips" value="yes" type="checkbox" class="form-control" id="radiusissueips"<?=$pconfig['radiusissueips'] ? " checked=\"checked\"" : "";?>>
-                      <div class="hidden" data-for="help_for_radiusissueips">
-                        <?=gettext("Issue IP Addresses via RADIUS server.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td></td>
-                    <td style="width:78%">
-                      <input id="submit" name="Submit" type="submit" class="btn btn-primary" value="<?=gettext("Save"); ?>" />
-                    </td>
-                  </tr>
-                  <tr>
-                    <td colspan="2">
-                      <?=gettext("Don't forget to add a firewall rule to permit traffic from L2TP clients!");?>
-                    </td>
-                  </tr>
-                </table>
-              </div>
-            </form>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc");
diff --git a/net/l2tp/src/www/vpn_l2tp_log.inc b/net/l2tp/src/www/vpn_l2tp_log.inc
deleted file mode 100644
index 34594070cb..0000000000
--- a/net/l2tp/src/www/vpn_l2tp_log.inc
+++ /dev/null
@@ -1,120 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("interfaces.inc");
-
-if (empty($config['syslog']['nentries'])) {
-    $nentries = 50;
-} else {
-    $nentries = $config['syslog']['nentries'];
-}
-
-if ($_POST['clear']) {
-    system_clear_clog($logfile);
-}
-
-function dump_clog_vpn($file, $tail, $type)
-{
-    global $config;
-
-    $sort = isset($config['syslog']['reverse']) ? '-r' : '';
-    $logarr = array();
-
-    exec("/usr/local/sbin/clog " . escapeshellarg($file) . " | tail {$sort} -n " . escapeshellarg($tail), $logarr);
-
-    foreach ($logarr as $logent) {
-        $logent = preg_split('/\s+/', $logent, 6);
-        $llent = explode(',', $logent[5]);
-
-        if ($llent[1] !== $type) {
-            continue;
-        }
-
-        echo "<tr>\n";
-        echo "<td>" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "</td>\n";
-
-        if ($llent[0] == "login") {
-            echo "<td><span class=\"fa fa-arrow-right fa-fw\" aria-hidden=\"true\" alt=\"in\"></span></td>\n";
-        } else {
-            echo "<td><span class=\"fa fa-arrow-left fa-fw\" aria-hidden=\"true\" alt=\"out\"></span></td>\n";
-        }
-
-        echo "<td class=\"listr\">" . htmlspecialchars($llent[3]) . "</td>\n";
-        echo "<td class=\"listr\">" . htmlspecialchars($llent[2]) . "&nbsp;</td>\n";
-        echo "</tr>\n";
-    }
-}
-
-include("head.inc");
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-
-<section class="page-content-main">
-  <div class="container-fluid">
-    <div class="row">
-      <section class="col-xs-12">
-        <div class="tab-content content-box col-xs-12">
-          <div class="table-responsive">
-            <table class="table table-striped table-sort">
-              <tr>
-                <td><?=gettext("Time");?></td>
-                <td><?=gettext("Action");?></td>
-                <td><?=gettext("User");?></td>
-                <td><?=gettext("IP address");?></td>
-              </tr>
-              <tr>
-                <td colspan="4">
-                  <ul class="nav nav-pills" role="tablist">
-                    <?php foreach ($logpills as $pill): ?>
-                      <li role="presentation" <?php if (str_replace('amp;','', $pill[2]) == $_SERVER['REQUEST_URI']):?>class="active"<?php endif; ?>><a href="<?=$pill[2];?>"><?=$pill[0];?></a></li>
-                      <?php endforeach; ?>
-                  </ul>
-                </td>
-              </tr>
-              <?php dump_clog_vpn($logfile, $nentries, $logtype); ?>
-              <tr>
-                <td colspan="4">
-                  <form method="post">
-                    <input type="hidden" name="mode" id="mode" value="<?= html_safe($mode) ?>"/>
-                    <input name="clear" type="submit" class="btn btn-primary" value="<?= html_safe(gettext('Clear log')) ?>"/>
-                  </form>
-                </td>
-              </tr>
-            </table>
-          </div>
-        </div>
-      </section>
-    </div>
-  </div>
-</section>
-<?php include("foot.inc"); ?>
diff --git a/net/l2tp/src/www/vpn_l2tp_log.php b/net/l2tp/src/www/vpn_l2tp_log.php
deleted file mode 100644
index da534b536e..0000000000
--- a/net/l2tp/src/www/vpn_l2tp_log.php
+++ /dev/null
@@ -1,26 +0,0 @@
-<?php
-
-if (htmlspecialchars($_POST['mode'])) {
-    $mode = htmlspecialchars($_POST['mode']);
-} elseif (htmlspecialchars($_GET['mode'])) {
-    $mode = htmlspecialchars($_GET['mode']);
-} else {
-    $mode = 'login';
-}
-
-$logtype = 'l2tp';
-$logclog = true;
-
-$logpills = array();
-$logpills[] = array(gettext('L2TP Logins'), $mode != 'raw', '/vpn_l2tp_log.php');
-$logpills[] = array(gettext('L2TP Raw'), $mode == 'raw', '/vpn_l2tp_log.php?mode=raw');
-
-$service_hook = 'l2tpd';
-
-if ($mode != 'raw') {
-    $logfile = '/var/log/vpn.log';
-    require_once 'vpn_l2tp_log.inc';
-} else {
-    $logfile = '/var/log/l2tps.log';
-    require_once 'diag_logs_template_l2tp.inc';
-}
diff --git a/net/l2tp/src/www/vpn_l2tp_users.php b/net/l2tp/src/www/vpn_l2tp_users.php
deleted file mode 100644
index 64f64446f0..0000000000
--- a/net/l2tp/src/www/vpn_l2tp_users.php
+++ /dev/null
@@ -1,141 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2005 Scott Ullrich <sullrich@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("plugins.inc.d/if_l2tp.inc");
-
-$a_secret = &config_read_array('l2tp', 'user');
-
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    // delete entry
-    if (isset($_POST['act']) && $_POST['act'] == "del" && isset($_POST['id'])) {
-        if (!empty($a_secret[$_POST['id']])) {
-            unset($a_secret[$_POST['id']]);
-            write_config();
-        }
-        exit;
-    } elseif (!empty($_POST['apply'])) {
-        if_l2tp_configure_do();
-        clear_subsystem_dirty('l2tpusers');
-        header(url_safe('Location: /vpn_l2tp_users.php'));
-        exit;
-    }
-}
-
-$service_hook = 'l2tpd';
-
-include("head.inc");
-$main_buttons = array(
-    array('label' => gettext('Add'), 'href' => 'vpn_l2tp_users_edit.php'),
-);
-
-?>
-<body>
-  <script>
-  $( document ).ready(function() {
-    // delete host action
-    $(".act_delete_user").click(function(event){
-      event.preventDefault();
-      var id = $(this).data("id");
-      // delete single
-      BootstrapDialog.show({
-        type:BootstrapDialog.TYPE_DANGER,
-        title: "<?=gettext("delete user"); ?>",
-        message: "<?=gettext("Do you really want to delete this user?");?>",
-        buttons: [{
-                  label: "<?= gettext("No");?>",
-                  action: function(dialogRef) {
-                      dialogRef.close();
-                  }}, {
-                  label: "<?= gettext("Yes");?>",
-                  action: function(dialogRef) {
-                    $.post(window.location, {act: 'del', id:id}, function(data) {
-                        location.reload();
-                    });
-                }
-              }]
-      });
-    });
-  });
-  </script>
-<?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-<?php
-      if (isset($savemsg)) {
-          print_info_box($savemsg);
-      }
-      if (isset($config['l2tp']['radius']['enable'])) {
-          print_info_box(gettext("Warning: RADIUS is enabled. The local user database will not be used."));
-      }
-      if (is_subsystem_dirty('l2tpusers')) :?><br/>
-        <?php print_info_box_apply(gettext("The l2tp user list has been modified") . ".<br />" . gettext("You must apply the changes in order for them to take effect") . ".<br /><b>" . gettext("Warning: this will terminate all current l2tp sessions!") . "</b>");?>
-        <?php
-      endif; ?>
-        <section class="col-xs-12">
-          <div class="tab-content content-box col-xs-12">
-            <form method="post" name="iform" id="iform">
-              <div class="table-responsive">
-                <table class="table table-striped">
-                  <tr>
-                    <td><?=gettext("Username");?></td>
-                    <td><?=gettext("IP address");?></td>
-                    <td class="text-nowrap"></td>
-                  </tr>
-<?php
-                  $i = 0;
-                  foreach ($a_secret as $secretent) :?>
-                  <tr>
-                    <td><?=htmlspecialchars($secretent['name']);?></td>
-                    <td>
-<?php
-                      if ($secretent['ip'] == "") {
-                              $secretent['ip'] = "Dynamic";
-                      } ?>
-                      <?=htmlspecialchars($secretent['ip']);?>&nbsp;
-                    </td>
-                    <td class="text-nowrap">
-                      <a href="vpn_l2tp_users_edit.php?id=<?=$i;?>" class="btn btn-xs btn-default"><i class="fa fa-pencil fa-fw"></i></a>
-                      <button data-id="<?=$i;?>" type="button" class="act_delete_user btn btn-xs btn-default"><i class="fa fa-trash fa-fw"></i></button>
-                    </td>
-                  </tr>
-<?php
-                  $i++;
-                  endforeach; ?>
-                </table>
-              </div>
-            </form>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc");
diff --git a/net/l2tp/src/www/vpn_l2tp_users_edit.php b/net/l2tp/src/www/vpn_l2tp_users_edit.php
deleted file mode 100644
index bee0e5f290..0000000000
--- a/net/l2tp/src/www/vpn_l2tp_users_edit.php
+++ /dev/null
@@ -1,206 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2006 Scott Ullrich <sullrich@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-function l2tpusercmp($a, $b)
-{
-    return  strcasecmp($a['name'], $b['name']);
-}
-
-function l2tp_users_sort()
-{
-    global  $config;
-
-    if (!is_array($config['l2tp']['user'])) {
-        return;
-    }
-
-    usort($config['l2tp']['user'], "l2tpusercmp");
-}
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("plugins.inc.d/if_l2tp.inc");
-
-$a_secret = &config_read_array('l2tp', 'user');
-
-if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    if (isset($_GET['id']) && !empty($a_secret[$_GET['id']])) {
-        $id = $_GET['id'];
-    }
-    if (isset($id)) {
-        $pconfig['usernamefld'] = $a_secret[$id]['name'];
-        $pconfig['ip'] = $a_secret[$id]['ip'];
-    } else {
-        $pconfig['usernamefld'] = null;
-        $pconfig['ip'] = null;
-    }
-} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    if (isset($_POST['id']) && !empty($a_secret[$_POST['id']])) {
-        $id = $_POST['id'];
-    }
-    unset($input_errors);
-    $pconfig = $_POST;
-
-    /* input validation */
-    if (isset($id) && ($a_secret[$id])) {
-        $reqdfields = explode(" ", "usernamefld");
-        $reqdfieldsn = array(gettext("Username"));
-    } else {
-        $reqdfields = explode(" ", "usernamefld passwordfld");
-        $reqdfieldsn = array(gettext("Username"),gettext("Password"));
-    }
-
-    do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
-
-    if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['usernamefld'])) {
-        $input_errors[] = gettext("The username contains invalid characters.");
-    }
-
-    if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['passwordfld'])) {
-        $input_errors[] = gettext("The password contains invalid characters.");
-    }
-
-    if (($_POST['passwordfld']) && ($_POST['passwordfld'] != $_POST['password2'])) {
-        $input_errors[] = gettext("The passwords do not match.");
-    }
-    if (($_POST['ip'] && !is_ipaddr($_POST['ip']))) {
-        $input_errors[] = gettext("The IP address entered is not valid.");
-    }
-
-    if (!$input_errors && !(isset($id) && $a_secret[$id])) {
-        /* make sure there are no dupes */
-        foreach ($a_secret as $secretent) {
-            if ($secretent['name'] == $_POST['usernamefld']) {
-                $input_errors[] = gettext("Another entry with the same username already exists.");
-                break;
-            }
-        }
-    }
-
-    if (!$input_errors) {
-        if (isset($id) && $a_secret[$id]) {
-            $secretent = $a_secret[$id];
-        }
-
-        $secretent['name'] = $_POST['usernamefld'];
-        $secretent['ip'] = $_POST['ip'];
-
-        if ($_POST['passwordfld']) {
-            $secretent['password'] = $_POST['passwordfld'];
-        }
-
-        if (isset($id) && $a_secret[$id]) {
-            $a_secret[$id] = $secretent;
-        } else {
-            $a_secret[] = $secretent;
-        }
-
-        l2tp_users_sort();
-        write_config();
-        if_l2tp_configure_do();
-        header(url_safe('Location: /vpn_l2tp_users.php'));
-        exit;
-    }
-}
-
-$service_hook = 'l2tpd';
-legacy_html_escape_form_data($pconfig);
-include("head.inc");
-
-?>
-<body>
-<?php include("fbegin.inc"); ?>
-
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-
-<?php
-      if (isset($input_errors) && count($input_errors) > 0) {
-          print_input_errors($input_errors);
-      } ?>
-        <section class="col-xs-12">
-          <div class="tab-content content-box col-xs-12">
-              <form method="post" name="iform" id="iform">
-               <div class="table-responsive">
-                <table class="table table-striped opnsense_standard_table_form">
-                  <tr>
-                    <td style="width:22%">
-                      <strong><?=gettext("Edit User");?></strong>
-                    </td>
-                    <td style="width:78%; text-align:right">
-                      <small><?=gettext("full help"); ?> </small>
-                      <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Username");?></td>
-                    <td>
-                      <input name="usernamefld" type="text" value="<?=$pconfig['usernamefld'];?>" />
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Password");?></td>
-                    <td>
-                      <input name="passwordfld" type="password" /><br />
-                      <input name="password2" type="password" />
-                      &nbsp;(<?=gettext("confirmation");?>)
-                      <?php if (isset($id)):?><br />
-                      <div class="text-muted"><em><small><?=gettext("If you want to change the users password, enter it here twice.");?></small></em></div>
-                      <?php endif; ?>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_ip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP address");?></td>
-                    <td>
-                      <input name="ip" type="text" value="<?=$pconfig['ip'];?>" />
-                      <div class="hidden" data-for="help_for_ip">
-                        <?=gettext("If you want the user to be assigned a specific IP address, enter it here.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td>&nbsp;</td>
-                    <td>
-                      <input id="submit" name="Submit" type="submit" class="btn btn-primary" value="<?=gettext('Save');?>" />
-                      <input type="button" class="btn btn-default" value="<?=gettext("Cancel");?>" onclick="window.location.href='<?=(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/vpn_l2tp_users.php');?>'" />
-                      <?php if (isset($id)) :?>
-                      <input name="id" type="hidden" value="<?=$id;?>" />
-                      <?php endif; ?>
-                    </td>
-                  </tr>
-                </table>
-               </div>
-              </form>
-            </div>
-          </section>
-        </div>
-      </div>
-    </section>
-<?php include("foot.inc");
diff --git a/net/pppoe/Makefile b/net/pppoe/Makefile
deleted file mode 100644
index 8380382ea8..0000000000
--- a/net/pppoe/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-PLUGIN_NAME=		pppoe
-PLUGIN_VERSION=		1.8
-PLUGIN_DEPENDS=		clog mpd5
-PLUGIN_COMMENT=		End of life, no replacement
-PLUGIN_MAINTAINER=	franco@opnsense.org
-
-.include "../../Mk/plugins.mk"
diff --git a/net/pppoe/pkg-descr b/net/pppoe/pkg-descr
deleted file mode 100644
index 70522d68e9..0000000000
--- a/net/pppoe/pkg-descr
+++ /dev/null
@@ -1,16 +0,0 @@
-Mpd is a netgraph(4) based implementation of the multi-link PPP
-protocol for FreeBSD.  It is designed to be both fast and flexible.
-It handles configuration and negotiation in user land, while routing
-all data packets strictly in the kernel.  It supports several of
-the numerous PPP sub-protocols and extensions, such as:
-
-      Multi-link PPP capability
-      PAP, CHAP, MS-CHAP and EAP authentication
-      PPP compression and encryption
-      IPCP and IPV6CP parameter negotiation
-
-This plugin has support for the following link type:
-
-      PPP over Ethernet (PPPoE)
-
-WWW: http://www.sourceforge.net/projects/mpd
diff --git a/net/pppoe/src/etc/inc/plugins.inc.d/if_pppoe.inc b/net/pppoe/src/etc/inc/plugins.inc.d/if_pppoe.inc
deleted file mode 100644
index 845cdc27d8..0000000000
--- a/net/pppoe/src/etc/inc/plugins.inc.d/if_pppoe.inc
+++ /dev/null
@@ -1,328 +0,0 @@
-<?php
-
-/*
- * Coypright (C) 2016-2017 Franco Fichtner <franco@opnsense.org>
- * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
- * Copyright (C) 2008 Ermal Luçi
- * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-function if_pppoe_configure()
-{
-    return array('bootup' => array('if_pppoe_configure_do'));
-}
-
-function if_pppoe_services()
-{
-    global $config;
-
-    $services = array();
-
-    if (isset($config['pppoes']['pppoe'])) {
-        foreach ($config['pppoes']['pppoe'] as $pppoecfg) {
-            if (isset($pppoecfg['mode']) && $pppoecfg['mode'] == 'server') {
-                $services[] = array(
-                    /* XXX clean up name printing */
-                    'description' => gettext('PPPoE Server') . ': ' . htmlspecialchars($pppoecfg['descr']),
-                    'php' => array(
-                        'restart' => array('if_pppoe_configure_by_id'),
-                        'start' => array('if_pppoe_configure_by_id'),
-                        'args' => array('id'),
-                    ),
-                    'pidfile' => "/var/run/pppoe{$pppoecfg['pppoeid']}-vpn.pid",
-                    'id' => $pppoecfg['pppoeid'],
-                    'name' => 'pppoed',
-                );
-            }
-        }
-    }
-
-    return $services;
-}
-
-/**
- * request syslog facilities for this plugin
- * @return array
- */
-function if_pppoe_syslog()
-{
-    $logfacilities = array();
-
-    $logfacilities['poes'] = array(
-        'facility' => array('poes'),
-        'remote' => 'vpn',
-    );
-
-    return $logfacilities;
-}
-
-function if_pppoe_link_scripts($rootdir, $logtype = 'poes')
-{
-    $up = <<<'EOD'
-#!/bin/sh
-
-/usr/bin/logger -p local3.info "login,%s,$4,$5"
-/sbin/ifconfig $1 group pppoe
-
-EOD;
-    $down = <<<'EOD'
-#!/bin/sh
-
-/usr/bin/logger -p local3.info "logout,%s,$4,$5"
-
-/sbin/pfctl -i $1 -Fs
-/sbin/pfctl -K $4/32
-
-EOD;
-
-    file_put_contents($rootdir . '/linkup', sprintf($up, $logtype));
-    file_put_contents($rootdir . '/linkdown', sprintf($down, $logtype));
-
-    chmod($rootdir . '/linkup', 0755);
-    chmod($rootdir . '/linkdown', 0755);
-}
-
-function if_pppoe_configure_do()
-{
-    global $config;
-
-    if (isset($config['pppoes']['pppoe'])) {
-        foreach ($config['pppoes']['pppoe'] as $pppoe) {
-            if_pppoe_configure_single($pppoe);
-        }
-    }
-}
-
-function if_pppoe_configure_by_id($id)
-{
-    global $config;
-
-    $found = null;
-
-    if (isset($config['pppoes']['pppoe'])) {
-        foreach ($config['pppoes']['pppoe'] as $pppoe) {
-            if ($id != 0 && $id == $pppoe['pppoeid']) {
-                $found = $pppoe;
-                break;
-            }
-        }
-    }
-
-    if ($found == null) {
-        return;
-    }
-
-    if_pppoe_configure_single($found);
-}
-
-function if_pppoe_configure_single(&$pppoecfg)
-{
-    global $config;
-
-    $syscfg = $config['system'];
-
-    killbypid("/var/run/pppoe{$pppoecfg['pppoeid']}-vpn.pid", 'TERM', true);
-    mwexec("rm -rf /var/etc/pppoe{$pppoecfg['pppoeid']}-vpn");
-
-    if (!isset($pppoecfg['mode']) || $pppoecfg['mode'] != 'server') {
-        return 0;
-    }
-
-    if (file_exists('/var/run/booting')) {
-        echo gettext("Configuring PPPoE VPN service...");
-    }
-
-    switch ($pppoecfg['mode']) {
-        case 'server':
-            @mkdir("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn");
-            if_pppoe_link_scripts("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn");
-
-            $pppoe_interface = get_real_interface($pppoecfg['interface']);
-
-            $fd = fopen("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.conf", "w");
-            if (!$fd) {
-                printf(gettext("Error: cannot open mpd.conf in if_pppoe_configure().") . "\n");
-                return 1;
-            }
-
-            $iprange = $pppoecfg['remoteip'] . ' ';
-            $iprange .= long2ip32(ip2long($pppoecfg['remoteip']) + $pppoecfg['n_pppoe_units'] - 1);
-
-            $iptype = 'ippool pool1';
-            if (isset($pppoecfg['radius']['server']['enable']) && isset($pppoecfg['radius']['radiusissueips'])) {
-                $iptype = '0.0.0.0/0';
-            }
-
-            $mpdconf = <<<EOD
-startup:
-
-poes:
-  set ippool add pool1 {$iprange}
-  create bundle template B
-  set iface up-script /var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/linkup
-  set iface down-script /var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/linkdown
-  set iface idle 0
-  set iface disable on-demand
-  set iface disable proxy-arp
-  set iface enable tcpmssfix
-  set iface mtu 1500
-  set ipcp no vjcomp
-  set ipcp ranges {$pppoecfg['localip']}/32 {$iptype}
-
-EOD;
-
-            if (!empty($pppoecfg['dns1'])) {
-                $mpdconf .= "  set ipcp dns " . $pppoecfg['dns1'];
-                if (!empty($pppoecfg['dns2'])) {
-                    $mpdconf .= " " . $pppoecfg['dns2'];
-                }
-                $mpdconf .= "\n";
-            } elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
-                $mpdconf .= "  set ipcp dns " . get_interface_ip("lan");
-                if (isset($syscfg['dnsserver'][0])) {
-                    $mpdconf .= " " . $syscfg['dnsserver'][0];
-                }
-                $mpdconf .= "\n";
-            } elseif (isset($syscfg['dnsserver'][0])) {
-                $mpdconf .= "  set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
-            }
-
-            $mpdconf .= <<<EOD
-
-  set bundle enable compression
-  set ccp yes mppc
-  set mppc yes e40
-  set mppc yes e128
-  set mppc yes stateless
-
-  create link template L pppoe
-  set link action bundle B
-  set link no multilink
-  set link disable pap
-  set link disable eap
-  set link enable chap
-  set link keep-alive 10 60
-  set link max-redial -1
-  set link mtu 1492
-  set link mru 1492
-  set link latency 1
-  set pppoe service pppoe{$pppoecfg['pppoeid']}
-  set pppoe iface {$pppoe_interface}
-  set link enable incoming
-  set auth max-logins 1
-
-EOD;
-
-            if (isset($pppoecfg['radius']['server']['enable'])) {
-                $radiusport = "";
-                $radiusacctport = "";
-                if (isset($pppoecfg['radius']['server']['port'])) {
-                    $radiusport = $pppoecfg['radius']['server']['port'];
-                }
-                if (isset($pppoecfg['radius']['server']['acctport'])) {
-                    $radiusacctport = $pppoecfg['radius']['server']['acctport'];
-                }
-                $mpdconf .= <<<EOD
-  set radius server {$pppoecfg['radius']['server']['ip']} "{$pppoecfg['radius']['server']['secret']}" {$radiusport} {$radiusacctport}
-  set radius retries 3
-  set radius timeout 10
-  set auth enable radius-auth
-
-EOD;
-
-                if (isset($pppoecfg['radius']['accounting'])) {
-                    $mpdconf .= <<<EOD
-  set auth enable radius-acct
-
-EOD;
-                }
-            }
-
-            fwrite($fd, $mpdconf);
-            fclose($fd);
-            unset($mpdconf);
-
-            if ($pppoecfg['username']) {
-                $fd = fopen("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", "w");
-                if (!$fd) {
-                    printf(gettext("Error: cannot open mpd.secret in if_pppoe_configure().") . "\n");
-                    return 1;
-                }
-
-                $mpdsecret = "\n\n";
-
-                if (!empty($pppoecfg['username'])) {
-                    $item = explode(" ", $pppoecfg['username']);
-                    foreach ($item as $userdata) {
-                        $data = explode(":", $userdata);
-                        $mpdsecret .= "{$data[0]} \"" . base64_decode($data[1]) . "\" {$data[2]}\n";
-                    }
-                }
-
-                fwrite($fd, $mpdsecret);
-                fclose($fd);
-                unset($mpdsecret);
-                chmod("/var/etc/pppoe{$pppoecfg['pppoeid']}-vpn/mpd.secret", 0600);
-            }
-
-            mwexec("/usr/local/sbin/mpd5 -b -d /var/etc/pppoe{$pppoecfg['pppoeid']}-vpn -p /var/run/pppoe{$pppoecfg['pppoeid']}-vpn.pid -s poes poes");
-
-            break;
-    }
-
-    if (file_exists('/var/run/booting')) {
-        echo gettext("done") . "\n";
-    }
-
-    return 0;
-}
-
-function if_pppoe_interfaces()
-{
-    global $config;
-
-    $interfaces = array();
-
-    if (isset($config['pppoes']['pppoe'])) {
-        $pppoeifs = array('networks' => array());
-        foreach ($config['pppoes']['pppoe'] as $pppoe) {
-            if ($pppoe['mode'] == "server") {
-                $mask = !empty($pppoe['pppoe_subnet']) ?  $pppoe['pppoe_subnet'] : 32;
-                $pppoeifs['networks'][] = array("network" => gen_subnet($pppoe['remoteip'], $mask), "mask" => $mask);
-            }
-        }
-        if (count($pppoeifs['networks'])) {
-            $pppoeifs['enable'] = true;
-            $pppoeifs['virtual'] = true;
-            $pppoeifs['if'] = 'pppoe';
-            $pppoeifs['descr'] = 'pppoe';
-            $pppoeifs['type'] = 'group';
-            $interfaces['pppoe'] = $pppoeifs;
-        }
-    }
-
-    return $interfaces;
-}
diff --git a/net/pppoe/src/opnsense/mvc/app/models/OPNsense/PPPoE/ACL/ACL.xml b/net/pppoe/src/opnsense/mvc/app/models/OPNsense/PPPoE/ACL/ACL.xml
deleted file mode 100644
index 782e5c9d81..0000000000
--- a/net/pppoe/src/opnsense/mvc/app/models/OPNsense/PPPoE/ACL/ACL.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-<acl>
-    <page-diagnostics-logs-poes>
-        <name>Diagnostics: Logs: PPPoE</name>
-        <patterns>
-            <pattern>vpn_pppoe_log.php*</pattern>
-        </patterns>
-    </page-diagnostics-logs-poes>
-    <page-services-pppoeserver>
-        <name>Services: PPPoE Server</name>
-        <patterns>
-            <pattern>vpn_pppoe.php*</pattern>
-        </patterns>
-    </page-services-pppoeserver>
-    <page-services-pppoeserver-edit>
-        <name>Services: PPPoE Server: Edit</name>
-        <patterns>
-            <pattern>vpn_pppoe_edit.php*</pattern>
-        </patterns>
-    </page-services-pppoeserver-edit>
-</acl>
diff --git a/net/pppoe/src/opnsense/mvc/app/models/OPNsense/PPPoE/Menu/Menu.xml b/net/pppoe/src/opnsense/mvc/app/models/OPNsense/PPPoE/Menu/Menu.xml
deleted file mode 100644
index e4f037a79d..0000000000
--- a/net/pppoe/src/opnsense/mvc/app/models/OPNsense/PPPoE/Menu/Menu.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<menu>
-    <VPN>
-        <PPPoE cssClass="fa fa-tty fa-fw" order="110">
-            <Settings order="10" url="/vpn_pppoe.php">
-                <Edit url="/vpn_pppoe_edit.php*" visibility="hidden"/>
-            </Settings>
-            <LogFile order="20" VisibleName="Log File" url="/vpn_pppoe_log.php">
-                <Type url="/vpn_pppoe_log.php*" visibility="hidden"/>
-            </LogFile>
-        </PPPoE>
-    </VPN>
-</menu>
diff --git a/net/pppoe/src/www/diag_logs_template_pppoe.inc b/net/pppoe/src/www/diag_logs_template_pppoe.inc
deleted file mode 100644
index 993181556e..0000000000
--- a/net/pppoe/src/www/diag_logs_template_pppoe.inc
+++ /dev/null
@@ -1,117 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2015 Deciso B.V.
- * Copyright (C) 2012 Seth Mos <seth.mos@dds.nl>
- * Copyright (C) 2004-2009 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("interfaces.inc");
-
-/* expects $logfile to point to the system path */
-/* expects $logclog to be true or false */
-
-require_once 'diag_logs_common.inc';
-
-$filtertext = '';
-$nentries = 50;
-
-if (isset($config['syslog']['nentries'])) {
-    $nentries = $config['syslog']['nentries'];
-}
-
-if (!empty($_POST['clear'])) {
-    if ($logclog) {
-        system_clear_clog($logfile);
-    } else {
-        system_clear_log($logfile);
-    }
-}
-
-if (isset($_POST['filtertext'])) {
-    $filtertext = $_POST['filtertext'];
-}
-
-include("head.inc");
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-        <section class="col-xs-12">
-          <p>
-            <form method="post">
-              <div class="input-group">
-                <div class="input-group-addon"><i class="fa fa-search"></i></div>
-                <input type="text" class="form-control" id="filtertext" name="filtertext" placeholder="<?= html_safe(gettext('Search for a specific message...')) ?>" value="<?= html_safe($filtertext) ?>"/>
-              </div>
-            </form>
-          </p>
-          <div class="table-responsive content-box tab-content">
-            <table class="table table-striped">
-              <tr>
-                <th class="col-md-2 col-sm-3 col-xs-4"><?= gettext('Date') ?></th>
-                <th class="col-md-10 col-sm-9 col-xs-8"><?= gettext('Message') ?></th>
-              </tr>
-              <?php if (isset($logpills)): ?>
-              <tr>
-                <td colspan="2">
-                  <ul class="nav nav-pills" role="tablist">
-                    <?php foreach ($logpills as $pill): ?>
-                    <li role="presentation" <?php if (str_replace('amp;','', $pill[2]) == $_SERVER['REQUEST_URI']):?>class="active"<?php endif; ?>><a href="<?=$pill[2];?>"><?=$pill[0];?></a></li>
-                    <?php endforeach; ?>
-                  </ul>
-                </td>
-              </tr>
-              <?php endif; ?>
-              <?php
-                if ($logclog) {
-                    dump_clog($logfile, $nentries, $filtertext);
-                } else {
-                    dump_log($logfile, $nentries, $filtertext);
-                }
-              ?>
-              <tr>
-                <td colspan="2">
-                  <form method="post">
-<?php                   if (isset($mode)): ?>
-                    <input type="hidden" name="mode" id="mode" value="<?= html_safe($mode) ?>"/>
-<?php                   endif; ?>
-                    <input name="clear" type="submit" class="btn btn-primary" value="<?= html_safe(gettext('Clear log')) ?>"/>
-                  </form>
-                </td>
-              </tr>
-            </table>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc"); ?>
diff --git a/net/pppoe/src/www/vpn_pppoe.php b/net/pppoe/src/www/vpn_pppoe.php
deleted file mode 100644
index b6b0d2dfb3..0000000000
--- a/net/pppoe/src/www/vpn_pppoe.php
+++ /dev/null
@@ -1,153 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2014-2016 Deciso B.V.
-    Copyright (C) 2010 Ermal Luçi
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require_once("guiconfig.inc");
-require_once("filter.inc");
-require_once("plugins.inc.d/if_pppoe.inc");
-require_once("interfaces.inc");
-
-$a_pppoes = &config_read_array('pppoes', 'pppoe');
-
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    if (!empty($_POST['apply'])) {
-        if (file_exists('/tmp/.vpn_pppoe.apply')) {
-            $toapplylist = unserialize(file_get_contents('/tmp/.vpn_pppoe.apply'));
-            foreach ($toapplylist as $pppoeid) {
-                if (!is_numeric($pppoeid)) {
-                    continue;
-                }
-                if (isset($config['pppoes']['pppoe'])) {
-                    foreach ($config['pppoes']['pppoe'] as $pppoe) {
-                        if ($pppoe['pppoeid'] == $pppoeid) {
-                            if_pppoe_configure_single($pppoe);
-                            break;
-                        }
-                    }
-                }
-            }
-            @unlink('/tmp/.vpn_pppoe.apply');
-        }
-
-        filter_configure();
-        clear_subsystem_dirty('vpnpppoe');
-        header(url_safe('Location: /vpn_pppoe.php'));
-        exit;
-    } elseif (!empty($_POST['act']) && $_POST['act'] == "del") {
-        if (!empty($a_pppoes[$_POST['id']])) {
-            killbypid("/var/run/pppoe{$a_pppoes[$_POST['id']]['pppoeid']}-vpn.pid");
-            mwexecf('/bin/rm -r %s', "/var/etc/pppoe{$a_pppoes[$_POST['id']]['pppoeid']}");
-            unset($a_pppoes[$_POST['id']]);
-            write_config();
-            exit;
-        }
-    }
-}
-
-include("head.inc");
-legacy_html_escape_form_data($a_pppoes);
-$main_buttons = array(
-    array('label' => gettext('Add'), 'href' => 'vpn_pppoe_edit.php'),
-);
-
-?>
-
-<body>
-  <script>
-  $( document ).ready(function() {
-    // delete pppoe action
-    $(".act_delete_pppoe").click(function(event){
-      event.preventDefault();
-      var id = $(this).data("id");
-      // delete single
-      BootstrapDialog.show({
-        type:BootstrapDialog.TYPE_DANGER,
-        title: "<?= gettext("PPPoE");?>",
-        message: "<?=gettext("Do you really want to delete this entry? All elements that still use it will become invalid (e.g. filter rules)!");?>",
-        buttons: [{
-                  label: "<?= gettext("No");?>",
-                  action: function(dialogRef) {
-                      dialogRef.close();
-                  }}, {
-                  label: "<?= gettext("Yes");?>",
-                  action: function(dialogRef) {
-                    $.post(window.location, {act: 'del', id:id}, function(data) {
-                        location.reload();
-                    });
-                }
-              }]
-      });
-    });
-  });
-  </script>
-  <?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-        <?php if (is_subsystem_dirty('vpnpppoe')) : ?><br/>
-        <?php print_info_box_apply(gettext("The PPPoE entry list has been changed") . ".<br />" . gettext("You must apply the changes in order for them to take effect."));?>
-        <?php endif; ?>
-        <section class="col-xs-12">
-          <div class="content-box">
-            <form method="post" name="iform" id="iform">
-              <div class="table-responsive">
-                <table class="table table-striped">
-                  <tr>
-                    <td><?=gettext("Interface");?></td>
-                    <td><?=gettext("Local IP");?></td>
-                    <td><?=gettext("Number of users");?></td>
-                    <td><?=gettext("Description");?></td>
-                    <td class="text-nowrap"></td>
-                  </tr>
-<?php
-                  $i = 0;
-                  foreach ($a_pppoes as $pppoe) :?>
-                  <tr>
-                    <td><?=strtoupper($pppoe['interface']);?></td>
-                    <td><?=$pppoe['localip'];?></td>
-                    <td><?=$pppoe['n_pppoe_units'];?></td>
-                    <td><?=$pppoe['descr'];?></td>
-                    <td class="text-nowrap">
-                      <a href="vpn_pppoe_edit.php?id=<?=$i;?>" title="<?=gettext("edit pppoe instance"); ?>" class="btn btn-default btn-xs">
-                        <i class="fa fa-pencil fa-fw"></i>
-                      </a>
-                      <button data-id="<?=$i;?>" type="button" class="act_delete_pppoe btn btn-xs btn-default"><i class="fa fa-trash fa-fw"></i></button>
-                    </td>
-                  </tr>
-<?php
-                  $i++;
-                  endforeach; ?>
-                </table>
-              </div>
-            </form>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc");
diff --git a/net/pppoe/src/www/vpn_pppoe_edit.php b/net/pppoe/src/www/vpn_pppoe_edit.php
deleted file mode 100644
index d99cfaad4a..0000000000
--- a/net/pppoe/src/www/vpn_pppoe_edit.php
+++ /dev/null
@@ -1,560 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2014-2016 Deciso B.V.
-    Copyright (C) 2005 Scott Ullrich <sullrich@gmail.com>
-    Copyright (C) 2010 Ermal Luçi
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require_once("guiconfig.inc");
-require_once("interfaces.inc");
-
-function vpn_pppoe_get_id()
-{
-    global $config;
-
-    $vpnid = 1;
-
-    if (isset($config['pppoes']['pppoe'])) {
-        foreach ($config['pppoes']['pppoe'] as $pppoe) {
-            if ($vpnid == $pppoe['pppoeid']) {
-                $vpnid++;
-            } else {
-                return $vpnid;
-            }
-        }
-    }
-
-    return $vpnid;
-}
-
-$a_pppoes = &config_read_array('pppoes', 'pppoe');
-
-$copy_fields = array('remoteip', 'localip', 'mode', 'interface', 'n_pppoe_units', 'pppoe_subnet', 'dns1', 'dns2', 'descr', 'pppoeid');
-
-if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    if (isset($_GET['id']) && !empty($a_pppoes[$_GET['id']])) {
-        $id = $_GET['id'];
-    }
-    $pconfig = array();
-    foreach ($copy_fields as $fieldname) {
-        if (isset($id) && !empty($a_pppoes[$id][$fieldname])) {
-            $pconfig[$fieldname] = $a_pppoes[$id][$fieldname];
-        } else {
-            $pconfig[$fieldname] = null;
-        }
-    }
-    // split username / password
-    $pconfig['users_username'] = array();
-    $pconfig['users_password'] = array();
-    $pconfig['users_ip'] = array();
-    if (isset($id) && !empty($a_pppoes[$id]['username'])) {
-        foreach (explode(' ', $a_pppoes[$id]['username']) as $userinfo) {
-            $parts = explode(':', $userinfo);
-            $pconfig['users_username'][] = $parts[0];
-            $pconfig['users_password'][] = base64_decode($parts[1]);
-            $pconfig['users_ip'][] = !empty($parts[2]) ? $parts[2] : "";
-        }
-    }
-
-    // radius properties
-    $pconfig['radacct_enable'] = isset($id) && isset($a_pppoes[$id]['radius']['accounting']);
-    $pconfig['radiusissueips'] = isset($id) && isset($a_pppoes[$id]['radius']['radiusissueips']);
-    $pconfig['radiusenable'] = isset($id) && isset($a_pppoes[$id]['radius']['server']['enable']);
-    $pconfig['radiusserver'] = isset($id) && isset($a_pppoes[$id]['radius']['server']['ip']) ? $a_pppoes[$id]['radius']['server']['ip'] : null;
-    $pconfig['radiusserverport'] = isset($id) && isset($a_pppoes[$id]['radius']['server']['port']) ? $a_pppoes[$id]['radius']['server']['port'] : null;
-    $pconfig['radiusserveracctport'] = isset($id) && isset($a_pppoes[$id]['radius']['server']['acctport']) ? $a_pppoes[$id]['radius']['server']['acctport'] : null;
-    $pconfig['radiussecret'] = isset($id) && isset($a_pppoes[$id]['radius']['server']['secret']) ? $a_pppoes[$id]['radius']['server']['secret'] : null;
-    $pconfig['radiussecenable'] = isset($id) && isset($a_pppoes[$id]['radius']['server2']['enable']);
-    $pconfig['radiusserver2'] = isset($id) && isset($a_pppoes[$id]['radius']['server2']['ip']) ? $a_pppoes[$id]['radius']['server2']['ip'] : null;
-    $pconfig['radiusserver2port'] = isset($id) && isset($a_pppoes[$id]['radius']['server2']['port']) ? $a_pppoes[$id]['radius']['server2']['port'] : null;
-    $pconfig['radiusserver2acctport'] = isset($id) && isset($a_pppoes[$id]['radius']['server2']['acctport']) ? $a_pppoes[$id]['radius']['server2']['acctport'] : null;
-    $pconfig['radiussecret2'] = isset($id) && isset($a_pppoes[$id]['radius']['server2']['secret2']) ? $a_pppoes[$id]['radius']['server2']['secret2'] : null;
-    $pconfig['radius_nasip'] = isset($id) && isset($a_pppoes[$id]['radius']['nasip']) ? $a_pppoes[$id]['radius']['nasip'] : null;
-    $pconfig['radius_acct_update'] = isset($id) && isset($a_pppoes[$id]['radius']['acct_update']) ? $a_pppoes[$id]['radius']['acct_update'] : null;
-
-} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    if (isset($_POST['id']) && !empty($a_pppoes[$_POST['id']])) {
-        $id = $_POST['id'];
-    }
-    $input_errors = array();
-    $pconfig = $_POST;
-
-    /* input validation */
-    foreach ($pconfig['users_username'] as $item_idx => $usr) {
-        if (empty($pconfig['users_password'][$item_idx])) {
-            $input_errors[] = sprintf(gettext("No password specified for username %s"), $usr);
-        }
-        if ($pconfig['users_ip'][$item_idx] <> "" && !is_ipaddr($pconfig['users_ip'][$item_idx])) {
-            $input_errors[] = sprintf(gettext("Incorrect ip address specified for username %s"), $usr);
-        }
-    }
-
-    if ($pconfig['mode'] == "server") {
-        $reqdfields = explode(" ", "localip remoteip");
-        $reqdfieldsn = array(gettext("Server address"),gettext("Remote start address"));
-
-        if (!empty($pconfig['radiusenable'])) {
-            $reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret"));
-            $reqdfieldsn = array_merge(
-                $reqdfieldsn,
-                array(gettext("RADIUS server address"),gettext("RADIUS shared secret"))
-            );
-        }
-
-        do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
-
-        if (!empty($pconfig['localip']) && !is_ipaddr($pconfig['localip'])) {
-            $input_errors[] = gettext("A valid server address must be specified.");
-        }
-        if (!empty($pconfig['pppoe_subnet']) && !is_ipaddr($pconfig['remoteip'])) {
-            $input_errors[] = gettext("A valid remote start address must be specified.");
-        }
-        if (!empty($pconfig['radiusserver']) && !is_ipaddr($pconfig['radiusserver'])) {
-            $input_errors[] = gettext("A valid RADIUS server address must be specified.");
-        }
-
-        $subnet_start = ip2ulong($pconfig['remoteip']);
-        $subnet_end = ip2ulong($pconfig['remoteip']) + $pconfig['pppoe_subnet'] - 1;
-        if ((ip2ulong($pconfig['localip']) >= $subnet_start) &&
-            (ip2ulong($pconfig['localip']) <= $subnet_end)) {
-            $input_errors[] = gettext("The specified server address lies in the remote subnet.");
-        }
-    }
-
-    if (!empty($pconfig['pppoeid']) && !is_numeric($_POST['pppoeid'])) {
-        $input_errors[] = gettext("Wrong data submitted");
-    }
-
-    if (count($input_errors) == 0) {
-        $pppoecfg = array();
-        // convert user/pass/ip combination
-        $pconfig['username'] = array();
-        foreach ($pconfig['users_username'] as $item_idx => $usr) {
-             $user_item = $usr . ":" . base64_encode($pconfig['users_password'][$item_idx]) ;
-             if (!empty($pconfig['users_ip'][$item_idx])) {
-                $user_item .= ":".$pconfig['users_ip'][$item_idx];
-             }
-             $pconfig['username'][] = $user_item ;
-        }
-        if (count($pconfig['username']) > 0) {
-            $pppoecfg['username'] = implode(' ', $pconfig['username']);
-        }
-
-        // copy simple fields
-        foreach ($copy_fields as $fieldname) {
-            if (isset($pconfig[$fieldname]) && $pconfig[$fieldname] != "") {
-                $pppoecfg[$fieldname] = $pconfig[$fieldname];
-            }
-        }
-
-        // radius settings (array)
-        if (!empty($pconfig['radiusserver']) || !empty($pconfig['radiusserver2'])) {
-            $pppoecfg['radius'] = array();
-            $pppoecfg['radius']['server']['enable'] = !empty($pconfig['radiusenable']);
-            $pppoecfg['radius']['server2']['enable'] = !empty($pconfig['radiussecenable']);
-            $pppoecfg['radius']['accounting'] = !empty($pconfig['radacct_enable']);
-            $pppoecfg['radius']['radiusissueips'] = !empty($pconfig['radiusissueips']);
-            $pppoecfg['radius']['nasip'] = $pconfig['radius_nasip'];
-            $pppoecfg['radius']['acct_update'] = $pconfig['radius_acct_update'];
-        }
-        if (!empty($pconfig['radiusserver'])) {
-            $pppoecfg['radius']['server'] = array();
-            $pppoecfg['radius']['server']['ip'] = $pconfig['radiusserver'];
-            $pppoecfg['radius']['server']['secret'] = $pconfig['radiussecret'];
-            $pppoecfg['radius']['server']['port'] = $pconfig['radiusserverport'];
-            $pppoecfg['radius']['server']['acctport'] = $pconfig['radiusserveracctport'];
-        }
-        if (!empty($pconfig['radiusserver2'])) {
-            $pppoecfg['radius']['server2'] = array();
-            $pppoecfg['radius']['server2']['ip'] = $pconfig['radiusserver2'];
-            $pppoecfg['radius']['server2']['secret2'] = $pconfig['radiussecret2'];
-            $pppoecfg['radius']['server2']['port'] = $pconfig['radiusserver2port'];
-            $pppoecfg['radius']['server2']['acctport'] = $pconfig['radiusserver2acctport'];
-        }
-
-        if (!isset($pconfig['pppoeid'])) {
-            $pppoecfg['pppoeid'] = vpn_pppoe_get_id();
-        }
-
-        if (file_exists('/tmp/.vpn_pppoe.apply')) {
-            $toapplylist = unserialize(file_get_contents('/tmp/.vpn_pppoe.apply'));
-        } else {
-            $toapplylist = array();
-        }
-
-        $toapplylist[] = $pppoecfg['pppoeid'];
-        if (!isset($id)) {
-            $a_pppoes[] = $pppoecfg;
-        } else {
-            $a_pppoes[$id] = $pppoecfg;
-        }
-
-        write_config();
-        mark_subsystem_dirty('vpnpppoe');
-        file_put_contents('/tmp/.vpn_pppoe.apply', serialize($toapplylist));
-        header(url_safe('Location: /vpn_pppoe.php'));
-        exit;
-    }
-}
-
-include("head.inc");
-legacy_html_escape_form_data($pconfig);
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-<script>
-  $( document ).ready(function() {
-    /**
-     *  Aliases
-     */
-    function removeRow() {
-        if ( $('#users_table > tbody > tr').length == 1 ) {
-            $('#users_table > tbody > tr:last > td > input').each(function(){
-              $(this).val("");
-            });
-        } else {
-            $(this).parent().parent().remove();
-        }
-    }
-    // add new detail record
-    $("#addNew").click(function(){
-        // copy last row and reset values
-        $('#users_table > tbody').append('<tr>'+$('#users_table > tbody > tr:last').html()+'</tr>');
-        $('#users_table > tbody > tr:last > td > input').each(function(){
-          $(this).val("");
-        });
-        $(".act-removerow").click(removeRow);
-    });
-    $(".act-removerow").click(removeRow);
-  });
-</script>
-
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-<?php
-        if (isset($input_errors) && count($input_errors) > 0) {
-            print_input_errors($input_errors);
-        }?>
-        <section class="col-xs-12">
-          <div class="content-box">
-            <form method="post" name="iform" id="iform">
-              <div class="table-responsive">
-                <table class="table table-striped opnsense_standard_table_form">
-                  <tr>
-                    <td style="width:22%"><strong><?=gettext("PPPoE server configuration");?></strong></td>
-                    <td style="width:78%; text-align:right">
-                      <small><?=gettext("full help"); ?> </small>
-                      <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Mode");?></td>
-                    <td>
-                      <input name="mode" type="radio" value="off" <?=$pconfig['mode'] != 'server' ? 'checked="checked"' : '';?> />
-                      <?=gettext("Off"); ?>
-                      &nbsp;
-                      <input type="radio" name="mode" value="server" <?=$pconfig['mode'] == 'server' ? 'checked="checked"' : '';?>/>
-                      <?=gettext("Enable PPPoE server"); ?></td>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Interface"); ?></td>
-                    <td>
-                      <select name="interface" class="selectpicker" id="interface">
-<?php
-                      foreach (get_configured_interface_with_descr() as $iface => $ifacename) :?>
-                        <option value="<?=$iface;?>" <?= $iface == $pconfig['interface'] ? "selected=\"selected\"" : "";?>>
-                            <?=htmlspecialchars($ifacename);?>
-                        </option>
-<?php
-                      endforeach;?>
-                      </select>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_localip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Server address"); ?></td>
-                    <td>
-                      <input name="localip" type="text" value="<?=$pconfig['localip'];?>" />
-                      <div class="hidden" data-for="help_for_localip">
-                        <?=gettext("Enter the IP address the PPPoE server should give to clients for use as their \"gateway\"."); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_n_pppoe_units" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("No. PPPoE users"); ?></td>
-                    <td>
-                      <select id="n_pppoe_units" name="n_pppoe_units">
-<?php
-                      $toselect = ($pconfig['n_pppoe_units'] > 0) ? $pconfig['n_pppoe_units'] : 16;
-                      for ($x=1; $x<255; $x++):?>
-                        <option value="<?=$x;?>" <?=$x == $toselect ? "selected=\"selected\"" : "" ;?>>
-                            <?=$x;?>
-<?php
-                      endfor;?>
-                      </select>
-                      <div class="hidden" data-for="help_for_n_pppoe_units">
-                        <?=gettext("Hint: 10 is ten PPPoE clients"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_remoteip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Remote address range"); ?></td>
-                    <td>
-                      <input name="remoteip" type="text" value="<?=$pconfig['remoteip'];?>" />
-                      <div class="hidden" data-for="help_for_remoteip">
-                        <?=gettext("Specify the starting address for the client IP address subnet."); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_pppoe_subnet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Subnet netmask"); ?></td>
-                    <td>
-                      <select id="pppoe_subnet" name="pppoe_subnet">
-<?php
-                      for ($x=0; $x<33; $x++):?>
-                        <option value="<?=$x;?>" <?=$x == $pconfig['pppoe_subnet'] ? "selected=\"selected\"" : "" ;?>>
-                            <?=$x;?>
-<?php
-                      endfor;?>
-                      </select>
-                      <div class="hidden" data-for="help_for_pppoe_subnet">
-                        <?=gettext("Hint: 24 is 255.255.255.0"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Description"); ?></td>
-                    <td>
-                      <input name="descr" type="text" value="<?=$pconfig['descr'];?>" />
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_dns" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DNS servers"); ?></td>
-                    <td>
-                      <input name="dns1" type="text" value="<?=$pconfig['dns1'];?>" />
-                      <br />
-                      <input name="dns2" type="text" value="<?=$pconfig['dns2'];?>" />
-                      <div class="hidden" data-for="help_for_dns">
-                        <?=gettext("If entered they will be given to all PPPoE clients, else LAN DNS and one WAN DNS will go to all clients"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiusenable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS"); ?></td>
-                    <td>
-                      <input name="radiusenable" type="checkbox" value="yes" <?=!empty($pconfig['radiusenable']) ? "checked=\"checked\"" : ""; ?>/>
-                      <strong><?=gettext("Use a RADIUS server for authentication"); ?></strong><br/>
-                      <div class="hidden" data-for="help_for_radiusenable">
-                        <?=gettext("When set, all users will be authenticated using " .
-                                    "the RADIUS server specified below. The local user database " .
-                                    "will not be used."); ?>
-                      </div>
-                      <input name="radacct_enable" type="checkbox" value="yes" <?=!empty($pconfig['radacct_enable']) ? "checked=\"checked\"" : "";?> />
-                      <strong><?=gettext("Enable RADIUS accounting"); ?> <br /></strong>
-                      <div class="hidden" data-for="help_for_radiusenable">
-                        <?=gettext("Sends accounting packets to the RADIUS server"); ?>.
-                      </div>
-                      <input name="radiussecenable" type="checkbox" value="yes" <?=!empty($pconfig['radiussecenable']) ? "checked=\"checked\"" : "";?> />
-                      <strong><?=gettext("Use Backup RADIUS Server"); ?></strong><br />
-                      <div class="hidden" data-for="help_for_radiusenable">
-                        <?=gettext("When set, if primary server fails all requests will be sent via backup server"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radius_nasip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("NAS IP Address"); ?></td>
-                    <td>
-                      <input name="radius_nasip" type="text" id="radius_nasip" value="<?=$pconfig['radius_nasip'];?>" />
-                      <div class="hidden" data-for="help_for_radius_nasip">
-                        <?=gettext("RADIUS server NAS IP Address"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radius_acct_update" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS Accounting Update"); ?></td>
-                    <td>
-                      <input name="radius_acct_update" type="text"  value="<?=$pconfig['radius_acct_update'];?>" />
-                      <div class="hidden" data-for="help_for_radius_acct_update">
-                        <?=gettext("RADIUS accounting update period in seconds"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiusissueips" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS issued IPs"); ?></td>
-                    <td>
-                      <input name="radiusissueips" value="yes" type="checkbox" <?=!empty($pconfig['radiusissueips']) ? "checked=\"checked\"" : "";?> />
-                      <div class="hidden" data-for="help_for_radiusissueips">
-                        <?=gettext("Issue IP Addresses via RADIUS server."); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiusserver" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS server Primary"); ?></td>
-                    <td>
-                      <table class="table table-condensed">
-                        <thead>
-                          <tr>
-                            <th><?=gettext("Server");?></th>
-                            <th><?=gettext("Port");?></th>
-                            <th><?=gettext("AccPort");?></th>
-                          </tr>
-                        </thead>
-                        <tbody>
-                          <tr>
-                            <td><input name="radiusserver" type="text" value="<?=$pconfig['radiusserver'];?>" /></td>
-                            <td><input name="radiusserverport" type="text"  value="<?=$pconfig['radiusserverport'];?>" /></td>
-                            <td><input name="radiusserveracctport" type="text"  value="<?=$pconfig['radiusserveracctport'];?>" /></td>
-                          </tr>
-                        </tbody>
-                      </table>
-                      <div class="hidden" data-for="help_for_radiusserver">
-                        <?=gettext("Enter the IP address, authentication port and accounting port (optional) of the RADIUS server."); ?><br />
-                        <br /> <?=gettext("standard port 1812 and 1813 accounting"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiussecret" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS primary shared secret"); ?></td>
-                    <td>
-                      <input name="radiussecret" type="password"  value="<?=$pconfig['radiussecret'];?>" />
-                      <div class="hidden" data-for="help_for_radiussecret">
-                        <?=gettext("Enter the shared secret that will be used to authenticate " .
-                                                "to the RADIUS server"); ?>.
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiusserver2" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS server Secondary"); ?></td>
-                    <td>
-                      <table class="table table-condensed">
-                        <thead>
-                          <tr>
-                            <th><?=gettext("Server");?></th>
-                            <th><?=gettext("Port");?></th>
-                            <th><?=gettext("AccPort");?></th>
-                          </tr>
-                        </thead>
-                        <tbody>
-                          <tr>
-                            <td><input name="radiusserver2" type="text" value="<?=$pconfig['radiusserver2'];?>" /></td>
-                            <td><input name="radiusserver2port" type="text"  value="<?=$pconfig['radiusserver2port'];?>" /></td>
-                            <td><input name="radiusserver2acctport" type="text"  value="<?=$pconfig['radiusserver2acctport'];?>" /></td>
-                          </tr>
-                        </tbody>
-                      </table>
-                      <div class="hidden" data-for="help_for_radiusserver2">
-                        <?=gettext("Enter the IP address, authentication port and accounting port (optional) of the backup RADIUS server."); ?><br />
-                        <br /> <?=gettext("standard port 1812 and 1813 accounting"); ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_radiussecret2" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a><?=gettext("RADIUS secondary shared secret"); ?></td>
-                    <td>
-                      <input name="radiussecret2" type="password" id="radiussecret2" size="20" value="<?=htmlspecialchars($pconfig['radiussecret2']);?>" />
-                      <div class="hidden" data-for="help_for_radiussecret2">
-                        <?=gettext("Enter the shared secret that will be used to authenticate " ."to the RADIUS server"); ?>.
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("User (s)");?></td>
-                    <td>
-                      <table class="table table-striped table-condensed" id="users_table">
-                        <thead>
-                          <tr>
-                            <th></th>
-                            <th><?=gettext("Username");?></th>
-                            <th><?=gettext("Password");?></th>
-                            <th><?=gettext("IP");?></th>
-                          </tr>
-                        </thead>
-                        <tbody>
-<?php
-                        if (count($pconfig['users_username']) == 0 ) {
-                            $pconfig['users_username'][] = "";
-                            $pconfig['users_password'][] = "";
-                            $pconfig['users_ip'][] = "";
-                        }
-                        foreach($pconfig['users_username'] as $item_idx => $user):?>
-                          <tr>
-                            <td>
-                              <div style="cursor:pointer;" class="act-removerow btn btn-default btn-xs" alt="remove"><i class="fa fa-minus fa-fw"></i></div>
-                            </td>
-                            <td>
-                              <input name="users_username[]" type="text" value="<?=$user;?>" />
-                            </td>
-                            <td>
-                              <input name="users_password[]" type="password" value="<?=$pconfig['users_password'][$item_idx];?>" />
-                            </td>
-                            <td>
-                              <input name="users_ip[]" type="text" value="<?=$pconfig['users_ip'][$item_idx];?>" />
-                            </td>
-                          </tr>
-<?php
-                        endforeach;?>
-                        </tbody>
-                        <tfoot>
-                          <tr>
-                            <td colspan="4">
-                              <div id="addNew" style="cursor:pointer;" class="btn btn-default btn-xs" alt="add"><i class="fa fa-plus fa-fw"></i></div>
-                            </td>
-                          </tr>
-                        </tfoot>
-                      </table>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td style="width:22%; vertical-align:top">&nbsp;</td>
-                    <td style="width:78%">
-<?php
-                    if (isset($id)) {
-                        echo "<input type=\"hidden\" name=\"id\" id=\"id\" value=\"" . htmlspecialchars($id, ENT_QUOTES | ENT_HTML401) . "\" />";
-                    }
-                    if (!empty($pconfig['pppoeid'])) {
-                        echo "<input type=\"hidden\" name=\"pppoeid\" id=\"pppoeid\" value=\"{$pconfig['pppoeid']}\" />";
-                    }
-                    ?>
-                      <input name="Submit" type="submit" class="btn btn-primary" value="<?=gettext("Save"); ?>"   />
-                      <a href="vpn_pppoe.php"><input name="Cancel" type="button" class="btn btn-default" value="<?=gettext("Cancel"); ?>" /></a>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td colspan="2">
-                      <?=gettext("Don't forget to add a firewall rule to permit traffic from PPPoE clients."); ?>
-                    </td>
-                  </tr>
-                </table>
-              </div>
-            </form>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc");
diff --git a/net/pppoe/src/www/vpn_pppoe_log.inc b/net/pppoe/src/www/vpn_pppoe_log.inc
deleted file mode 100644
index 34594070cb..0000000000
--- a/net/pppoe/src/www/vpn_pppoe_log.inc
+++ /dev/null
@@ -1,120 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("interfaces.inc");
-
-if (empty($config['syslog']['nentries'])) {
-    $nentries = 50;
-} else {
-    $nentries = $config['syslog']['nentries'];
-}
-
-if ($_POST['clear']) {
-    system_clear_clog($logfile);
-}
-
-function dump_clog_vpn($file, $tail, $type)
-{
-    global $config;
-
-    $sort = isset($config['syslog']['reverse']) ? '-r' : '';
-    $logarr = array();
-
-    exec("/usr/local/sbin/clog " . escapeshellarg($file) . " | tail {$sort} -n " . escapeshellarg($tail), $logarr);
-
-    foreach ($logarr as $logent) {
-        $logent = preg_split('/\s+/', $logent, 6);
-        $llent = explode(',', $logent[5]);
-
-        if ($llent[1] !== $type) {
-            continue;
-        }
-
-        echo "<tr>\n";
-        echo "<td>" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "</td>\n";
-
-        if ($llent[0] == "login") {
-            echo "<td><span class=\"fa fa-arrow-right fa-fw\" aria-hidden=\"true\" alt=\"in\"></span></td>\n";
-        } else {
-            echo "<td><span class=\"fa fa-arrow-left fa-fw\" aria-hidden=\"true\" alt=\"out\"></span></td>\n";
-        }
-
-        echo "<td class=\"listr\">" . htmlspecialchars($llent[3]) . "</td>\n";
-        echo "<td class=\"listr\">" . htmlspecialchars($llent[2]) . "&nbsp;</td>\n";
-        echo "</tr>\n";
-    }
-}
-
-include("head.inc");
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-
-<section class="page-content-main">
-  <div class="container-fluid">
-    <div class="row">
-      <section class="col-xs-12">
-        <div class="tab-content content-box col-xs-12">
-          <div class="table-responsive">
-            <table class="table table-striped table-sort">
-              <tr>
-                <td><?=gettext("Time");?></td>
-                <td><?=gettext("Action");?></td>
-                <td><?=gettext("User");?></td>
-                <td><?=gettext("IP address");?></td>
-              </tr>
-              <tr>
-                <td colspan="4">
-                  <ul class="nav nav-pills" role="tablist">
-                    <?php foreach ($logpills as $pill): ?>
-                      <li role="presentation" <?php if (str_replace('amp;','', $pill[2]) == $_SERVER['REQUEST_URI']):?>class="active"<?php endif; ?>><a href="<?=$pill[2];?>"><?=$pill[0];?></a></li>
-                      <?php endforeach; ?>
-                  </ul>
-                </td>
-              </tr>
-              <?php dump_clog_vpn($logfile, $nentries, $logtype); ?>
-              <tr>
-                <td colspan="4">
-                  <form method="post">
-                    <input type="hidden" name="mode" id="mode" value="<?= html_safe($mode) ?>"/>
-                    <input name="clear" type="submit" class="btn btn-primary" value="<?= html_safe(gettext('Clear log')) ?>"/>
-                  </form>
-                </td>
-              </tr>
-            </table>
-          </div>
-        </div>
-      </section>
-    </div>
-  </div>
-</section>
-<?php include("foot.inc"); ?>
diff --git a/net/pppoe/src/www/vpn_pppoe_log.php b/net/pppoe/src/www/vpn_pppoe_log.php
deleted file mode 100644
index 65a52c8524..0000000000
--- a/net/pppoe/src/www/vpn_pppoe_log.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php
-
-if (htmlspecialchars($_POST['mode'])) {
-    $mode = htmlspecialchars($_POST['mode']);
-} elseif (htmlspecialchars($_GET['mode'])) {
-    $mode = htmlspecialchars($_GET['mode']);
-} else {
-    $mode = 'login';
-}
-
-$logtype = 'poes';
-$logclog = true;
-
-$logpills = array();
-$logpills[] = array(gettext('PPPoE Logins'), $mode != 'raw', '/vpn_pppoe_log.php');
-$logpills[] = array(gettext('PPPoE Raw'), $mode == 'raw', '/vpn_pppoe_log.php?mode=raw');
-
-if ($mode != 'raw') {
-    $logfile = '/var/log/vpn.log';
-    require_once 'vpn_pppoe_log.inc';
-} else {
-    $logfile = '/var/log/poes.log';
-    require_once 'diag_logs_template_pppoe.inc';
-}
diff --git a/net/pptp/Makefile b/net/pptp/Makefile
deleted file mode 100644
index 242b2c0873..0000000000
--- a/net/pptp/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-PLUGIN_NAME=		pptp
-PLUGIN_VERSION=		1.9
-PLUGIN_DEPENDS=		clog mpd5
-PLUGIN_COMMENT=		End of life, no replacement
-PLUGIN_MAINTAINER=	franco@opnsense.org
-
-.include "../../Mk/plugins.mk"
diff --git a/net/pptp/pkg-descr b/net/pptp/pkg-descr
deleted file mode 100644
index e50d6ab058..0000000000
--- a/net/pptp/pkg-descr
+++ /dev/null
@@ -1,16 +0,0 @@
-Mpd is a netgraph(4) based implementation of the multi-link PPP
-protocol for FreeBSD.  It is designed to be both fast and flexible.
-It handles configuration and negotiation in user land, while routing
-all data packets strictly in the kernel.  It supports several of
-the numerous PPP sub-protocols and extensions, such as:
-
-      Multi-link PPP capability
-      PAP, CHAP, MS-CHAP and EAP authentication
-      PPP compression and encryption
-      IPCP and IPV6CP parameter negotiation
-
-This plugin has support for the following link type:
-
-      Point-to-Point Tunnelling Protocol (PPTP)
-
-WWW: http://www.sourceforge.net/projects/mpd
diff --git a/net/pptp/src/etc/inc/plugins.inc.d/if_pptp.inc b/net/pptp/src/etc/inc/plugins.inc.d/if_pptp.inc
deleted file mode 100644
index 25075221a7..0000000000
--- a/net/pptp/src/etc/inc/plugins.inc.d/if_pptp.inc
+++ /dev/null
@@ -1,306 +0,0 @@
-<?php
-
-/*
- * Coypright (C) 2016-2018 Franco Fichtner <franco@opnsense.org>
- * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
- * Copyright (C) 2008 Ermal Luçi
- * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-function if_pptp_configure()
-{
-    return array('bootup' => array('if_pptp_configure_do'));
-}
-
-function if_pptp_services()
-{
-    global $config;
-
-    $services = array();
-
-    if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] == 'server') {
-        $services[] = array(
-            'description' => gettext('PPTP Server'),
-            'pidfile' => '/var/run/pptp-vpn.pid',
-            'php' => array(
-                'restart' => array('if_pptp_configure_do'),
-                'start' => array('if_pptp_configure_do'),
-            ),
-            'name' => 'pptpd',
-        );
-    }
-
-    return $services;
-}
-
-/**
- * request syslog facilities for this plugin
- * @return array
- */
-function if_pptp_syslog()
-{
-    $logfacilities = array();
-
-    $logfacilities['pptps'] = array(
-        'facility' => array('pptps'),
-        'remote' => 'vpn',
-    );
-
-    return $logfacilities;
-}
-
-function if_pptp_link_scripts($rootdir, $logtype = 'pptp')
-{
-    $up = <<<'EOD'
-#!/bin/sh
-
-/usr/bin/logger -p local3.info "login,%s,$4,$5"
-/sbin/ifconfig $1 group pptp
-
-EOD;
-    $down = <<<'EOD'
-#!/bin/sh
-
-/usr/bin/logger -p local3.info "logout,%s,$4,$5"
-
-/sbin/pfctl -i $1 -Fs
-/sbin/pfctl -K $4/32
-
-EOD;
-
-    file_put_contents($rootdir . '/linkup', sprintf($up, $logtype));
-    file_put_contents($rootdir . '/linkdown', sprintf($down, $logtype));
-
-    chmod($rootdir . '/linkup', 0755);
-    chmod($rootdir . '/linkdown', 0755);
-}
-
-function if_pptp_configure_do()
-{
-    global $config;
-
-    $syscfg = $config['system'];
-    $pptpdcfg = $config['pptpd'];
-
-    killbypid('/var/run/pptp-vpn.pid', 'TERM', true);
-    mwexec('rm -rf /var/etc/pptp-vpn');
-
-    if (!isset($pptpdcfg['mode']) || $pptpdcfg['mode'] != 'server') {
-        return 0;
-    }
-
-    if (file_exists('/var/run/booting')) {
-        echo gettext("Configuring PPTP VPN service...");
-    }
-
-    switch ($pptpdcfg['mode']) {
-        case 'server':
-            @mkdir('/var/etc/pptp-vpn');
-            if_pptp_link_scripts('/var/etc/pptp-vpn');
-
-            $fd = fopen('/var/etc/pptp-vpn/mpd.conf', 'w');
-            if (!$fd) {
-                printf(gettext("Error: cannot open mpd.conf in if_pptp_configure().") . "\n");
-                return 1;
-            }
-
-            $selfip = get_interface_ip($pptpdcfg['interface']);
-
-            $iprange = $pptpdcfg['remoteip'] . ' ';
-            $iprange .= long2ip32(ip2long($pptpdcfg['remoteip']) + $pptpdcfg['n_pptp_units'] - 1);
-
-            $mpdconf = <<<EOD
-startup:
-
-pptps:
-  set ippool add pool1 {$iprange}
-
-  create bundle template B
-  set iface disable on-demand
-  set iface enable proxy-arp
-  set iface enable tcpmssfix
-  set iface idle 1800
-  set iface up-script /var/etc/pptp-vpn/linkup
-  set iface down-script /var/etc/pptp-vpn/linkdown
-  set ipcp ranges {$pptpdcfg['localip']}/32 ippool pool1
-  set ipcp yes vjcomp
-
-EOD;
-
-            if (isset($pptpdcfg["wins"]) && $pptpdcfg['wins'] != "") {
-                $mpdconf  .=  "  set ipcp nbns {$pptpdcfg['wins']}\n";
-            }
-            if (!empty($pptpdcfg['dns1'])) {
-                $mpdconf .= "  set ipcp dns " . $pptpdcfg['dns1'];
-                if (!empty($pptpdcfg['dns2'])) {
-                    $mpdconf .= " " . $pptpdcfg['dns2'];
-                }
-                $mpdconf .= "\n";
-            } elseif (isset($config['dnsmasq']['enable']) || isset($config['unbound']['enable'])) {
-                $mpdconf .= "  set ipcp dns {$selfip}";
-                if (isset($syscfg['dnsserver'][0])) {
-                    $mpdconf .= " " . $syscfg['dnsserver'][0];
-                }
-                $mpdconf .= "\n";
-            } elseif (isset($syscfg['dnsserver'][0])) {
-                $mpdconf .= "  set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
-            }
-
-            $mpdconf .= <<<EOD
-
-  set bundle enable crypt-reqd
-  set bundle enable compression
-  set ccp yes mppc
-  set mppc yes e128
-  set mppc yes stateless
-
-EOD;
-
-            if (!isset($pptpdcfg['req128'])) {
-                $mpdconf .= <<<EOD
-  set mppc yes e40
-  set mppc yes e56
-
-EOD;
-            }
-
-            $mpdconf .= <<<EOD
-
-  create link template L pptp
-  set link action bundle B
-  set link enable multilink
-  set link yes acfcomp protocomp
-  set link no pap chap eap
-  set link enable chap-msv2
-  set link mtu 1460
-  set link keep-alive 10 60
-  set pptp self {$selfip}
-  set link enable incoming
-
-EOD;
-
-            if (isset($pptpdcfg['radius']['server']['enable'])) {
-                $authport = (isset($pptpdcfg['radius']['server']['port']) && strlen($pptpdcfg['radius']['server']['port']) > 1) ? $pptpdcfg['radius']['server']['port'] : 1812;
-                $acctport = $authport + 1;
-                $mpdconf .= <<<EOD
-  set radius server {$pptpdcfg['radius']['server']['ip']} "{$pptpdcfg['radius']['server']['secret']}" {$authport} {$acctport}
-
-EOD;
-                if (isset($pptpdcfg['radius']['server2']['enable'])) {
-                    $authport = (isset($pptpdcfg['radius']['server2']['port']) && strlen($pptpdcfg['radius']['server2']['port']) > 1) ? $pptpdcfg['radius']['server2']['port'] : 1812;
-                    $acctport = $authport + 1;
-                    $mpdconf .= <<<EOD
-  set radius server {$pptpdcfg['radius']['server2']['ip']} "{$pptpdcfg['radius']['server2']['secret2']}" {$authport} {$acctport}
-
-EOD;
-                }
-                $mpdconf .= <<<EOD
-  set radius retries 3
-  set radius timeout 10
-  set auth enable radius-auth
-
-EOD;
-
-                if (isset($pptpdcfg['radius']['accounting'])) {
-                    $mpdconf .= <<<EOD
-  set auth enable radius-acct
-  set radius acct-update 300
-
-EOD;
-                }
-            }
-
-            fwrite($fd, $mpdconf);
-            fclose($fd);
-            unset($mpdconf);
-
-            $fd = fopen('/var/etc/pptp-vpn/mpd.secret', 'w');
-            if (!$fd) {
-                printf(gettext("Error: cannot open mpd.secret in if_pptp_configure().") . "\n");
-                return 1;
-            }
-
-            $mpdsecret = "";
-
-            if (is_array($pptpdcfg['user'])) {
-                foreach ($pptpdcfg['user'] as $user) {
-                    $pass = str_replace('\\', '\\\\', $user['password']);
-                    $pass = str_replace('"', '\"', $pass);
-                    $mpdsecret .= "{$user['name']} \"{$pass}\" {$user['ip']}\n";
-                }
-            }
-
-            fwrite($fd, $mpdsecret);
-            fclose($fd);
-            unset($mpdsecret);
-            chmod('/var/etc/pptp-vpn/mpd.secret', 0600);
-
-            mwexec('/usr/local/sbin/mpd5 -b -d /var/etc/pptp-vpn -p /var/run/pptp-vpn.pid -s pptps pptps');
-
-            break;
-    }
-
-    if (file_exists('/var/run/booting')) {
-        echo gettext("done") . "\n";
-    }
-
-    return 0;
-}
-
-function if_pptp_interfaces()
-{
-    global $config;
-
-    $interfaces = array();
-
-    if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] == 'server') {
-        $oic = array("enable" => true);
-        $oic['networks'] =  array();
-        $oic['virtual'] = true;
-        $oic['if'] = 'pptp';
-        $oic['type'] = 'group';
-        $oic['descr'] = 'pptp';
-        $mask = !empty($config['pptpd']['pptp_subnet']) ? $config['pptpd']['pptp_subnet'] : 32;
-        if (isset($config['pptpd']['n_pptp_units']) && is_numeric($config['pptpd']['n_pptp_units'])) {
-            $pptp_subnets = ip_range_to_subnet_array(
-                $config['pptpd']['remoteip'],
-                long2ip32(ip2long($config['pptpd']['remoteip']) + ($config['pptpd']['n_pptp_units'] - 1))
-            );
-        } else {
-            $pptp_subnets = ip_range_to_subnet_array(
-                $config['pptpd']['remoteip'],
-                long2ip32(ip2long($config['pptpd']['remoteip']))
-            );
-        }
-        foreach ($pptp_subnets as $pptp_subnet) {
-            $snparts = explode("/", $pptp_subnet);
-            $oic['networks'][] = array("network" => $snparts[0], "mask" => $snparts[1]);
-        }
-        $interfaces['pptp'] = $oic;
-    }
-
-    return $interfaces;
-}
diff --git a/net/pptp/src/opnsense/mvc/app/models/OPNsense/PPTP/ACL/ACL.xml b/net/pptp/src/opnsense/mvc/app/models/OPNsense/PPTP/ACL/ACL.xml
deleted file mode 100644
index fc66ffa68e..0000000000
--- a/net/pptp/src/opnsense/mvc/app/models/OPNsense/PPTP/ACL/ACL.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<acl>
-    <page-diagnostics-logs-pptp>
-        <name>Diagnostics: Logs: PPTP</name>
-        <patterns>
-            <pattern>vpn_pptp_log.php*</pattern>
-        </patterns>
-    </page-diagnostics-logs-pptp>
-    <page-vpn-vpnpptp>
-        <name>VPN: PPTP</name>
-        <patterns>
-            <pattern>vpn_pptp.php*</pattern>
-        </patterns>
-    </page-vpn-vpnpptp>
-    <page-vpn-vpnpptp-user-edit>
-        <name>VPN: PPTP: User: Edit</name>
-        <patterns>
-            <pattern>vpn_pptp_users_edit.php*</pattern>
-        </patterns>
-    </page-vpn-vpnpptp-user-edit>
-    <page-vpn-vpnpptp-users>
-        <name>VPN: PPTP: Users</name>
-        <patterns>
-            <pattern>vpn_pptp_users.php*</pattern>
-        </patterns>
-    </page-vpn-vpnpptp-users>
-</acl>
diff --git a/net/pptp/src/opnsense/mvc/app/models/OPNsense/PPTP/Menu/Menu.xml b/net/pptp/src/opnsense/mvc/app/models/OPNsense/PPTP/Menu/Menu.xml
deleted file mode 100644
index 66e6d55d19..0000000000
--- a/net/pptp/src/opnsense/mvc/app/models/OPNsense/PPTP/Menu/Menu.xml
+++ /dev/null
@@ -1,13 +0,0 @@
-<menu>
-    <VPN>
-        <PPTP cssClass="fa fa-unlock fa-fw" order="120">
-            <Settings order="10" url="/vpn_pptp.php"/>
-            <Users order="20" url="/vpn_pptp_users.php">
-                <Edit url="/vpn_pptp_users_edit.php*" visibility="hidden"/>
-            </Users>
-            <LogFile order="30" VisibleName="Log File" url="/vpn_pptp_log.php">
-                <Type url="/vpn_pptp_log.php*" visibility="hidden"/>
-            </LogFile>
-        </PPTP>
-    </VPN>
-</menu>
diff --git a/net/pptp/src/www/diag_logs_template_pptp.inc b/net/pptp/src/www/diag_logs_template_pptp.inc
deleted file mode 100644
index 993181556e..0000000000
--- a/net/pptp/src/www/diag_logs_template_pptp.inc
+++ /dev/null
@@ -1,117 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2015 Deciso B.V.
- * Copyright (C) 2012 Seth Mos <seth.mos@dds.nl>
- * Copyright (C) 2004-2009 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("interfaces.inc");
-
-/* expects $logfile to point to the system path */
-/* expects $logclog to be true or false */
-
-require_once 'diag_logs_common.inc';
-
-$filtertext = '';
-$nentries = 50;
-
-if (isset($config['syslog']['nentries'])) {
-    $nentries = $config['syslog']['nentries'];
-}
-
-if (!empty($_POST['clear'])) {
-    if ($logclog) {
-        system_clear_clog($logfile);
-    } else {
-        system_clear_log($logfile);
-    }
-}
-
-if (isset($_POST['filtertext'])) {
-    $filtertext = $_POST['filtertext'];
-}
-
-include("head.inc");
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-        <section class="col-xs-12">
-          <p>
-            <form method="post">
-              <div class="input-group">
-                <div class="input-group-addon"><i class="fa fa-search"></i></div>
-                <input type="text" class="form-control" id="filtertext" name="filtertext" placeholder="<?= html_safe(gettext('Search for a specific message...')) ?>" value="<?= html_safe($filtertext) ?>"/>
-              </div>
-            </form>
-          </p>
-          <div class="table-responsive content-box tab-content">
-            <table class="table table-striped">
-              <tr>
-                <th class="col-md-2 col-sm-3 col-xs-4"><?= gettext('Date') ?></th>
-                <th class="col-md-10 col-sm-9 col-xs-8"><?= gettext('Message') ?></th>
-              </tr>
-              <?php if (isset($logpills)): ?>
-              <tr>
-                <td colspan="2">
-                  <ul class="nav nav-pills" role="tablist">
-                    <?php foreach ($logpills as $pill): ?>
-                    <li role="presentation" <?php if (str_replace('amp;','', $pill[2]) == $_SERVER['REQUEST_URI']):?>class="active"<?php endif; ?>><a href="<?=$pill[2];?>"><?=$pill[0];?></a></li>
-                    <?php endforeach; ?>
-                  </ul>
-                </td>
-              </tr>
-              <?php endif; ?>
-              <?php
-                if ($logclog) {
-                    dump_clog($logfile, $nentries, $filtertext);
-                } else {
-                    dump_log($logfile, $nentries, $filtertext);
-                }
-              ?>
-              <tr>
-                <td colspan="2">
-                  <form method="post">
-<?php                   if (isset($mode)): ?>
-                    <input type="hidden" name="mode" id="mode" value="<?= html_safe($mode) ?>"/>
-<?php                   endif; ?>
-                    <input name="clear" type="submit" class="btn btn-primary" value="<?= html_safe(gettext('Clear log')) ?>"/>
-                  </form>
-                </td>
-              </tr>
-            </table>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc"); ?>
diff --git a/net/pptp/src/www/vpn_pptp.php b/net/pptp/src/www/vpn_pptp.php
deleted file mode 100644
index 4c373668b9..0000000000
--- a/net/pptp/src/www/vpn_pptp.php
+++ /dev/null
@@ -1,418 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once('guiconfig.inc');
-require_once('interfaces.inc');
-require_once('filter.inc');
-require_once("system.inc");
-require_once('plugins.inc.d/if_pptp.inc');
-
-$pptpcfg = &config_read_array('pptpd');
-
-if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    $pconfig['remoteip'] = $pptpcfg['remoteip'];
-    $pconfig['localip'] = $pptpcfg['localip'];
-    $pconfig['mode'] = $pptpcfg['mode'];
-    $pconfig['wins'] = $pptpcfg['wins'];
-    $pconfig['req128'] = isset($pptpcfg['req128']);
-    $pconfig['n_pptp_units'] = $pptpcfg['n_pptp_units'];
-    $pconfig['interface'] = $pptpcfg['interface'];
-    $pconfig['pptp_dns1'] = $pptpcfg['dns1'];
-    $pconfig['pptp_dns2'] = $pptpcfg['dns2'];
-    $pconfig['radiusenable'] = isset($pptpcfg['radius']['server']['enable']);
-    $pconfig['radiusissueips'] = isset($pptpcfg['radius']['radiusissueips']);
-    $pconfig['radiussecenable'] = isset($pptpcfg['radius']['server2']['enable']);
-    $pconfig['radacct_enable'] = isset($pptpcfg['radius']['accounting']);
-    $pconfig['radiusserver'] = $pptpcfg['radius']['server']['ip'];
-    $pconfig['radiusserverport'] = $pptpcfg['radius']['server']['port'];
-    $pconfig['radiusserveracctport'] = $pptpcfg['radius']['server']['acctport'];
-    $pconfig['radiussecret'] = $pptpcfg['radius']['server']['secret'];
-    $pconfig['radiusserver2'] = $pptpcfg['radius']['server2']['ip'];
-    $pconfig['radiusserver2port'] = $pptpcfg['radius']['server2']['port'];
-    $pconfig['radiusserver2acctport'] = $pptpcfg['radius']['server2']['acctport'];
-    $pconfig['radiussecret2'] = $pptpcfg['radius']['server2']['secret2'];
-    $pconfig['radius_acct_update'] = $pptpcfg['radius']['acct_update'];
-    $pconfig['radius_nasip'] = $pptpcfg['radius']['nasip'];
-} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $pconfig = $_POST;
-
-    /* input validation */
-    if ($_POST['mode'] == "server") {
-        $reqdfields = explode(" ", "localip remoteip");
-        $reqdfieldsn = array(gettext("Server address"),gettext("Remote start address"));
-
-        if ($_POST['radiusenable']) {
-            $reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret"));
-            $reqdfieldsn = array_merge(
-                $reqdfieldsn,
-                array(gettext("RADIUS server address"),gettext("RADIUS shared secret"))
-            );
-        }
-
-        do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
-
-        if ($_POST['localip'] && !is_ipaddr($_POST['localip'])) {
-            $input_errors[] = gettext("A valid server address must be specified.");
-        }
-        if ($_POST['remoteip'] && !is_ipaddr($_POST['remoteip'])) {
-            $input_errors[] = gettext("A valid remote start address must be specified.");
-        }
-        if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) {
-            $input_errors[] = gettext("A valid RADIUS server address must be specified.");
-        }
-
-        if (!$input_errors) {
-            $subnet_start = ip2ulong($_POST['remoteip']);
-            $subnet_end = ip2ulong($_POST['remoteip']) + $_POST['n_pptp_units'] - 1;
-
-            if ((ip2ulong($_POST['localip']) >= $subnet_start) &&
-                (ip2ulong($_POST['localip']) <= $subnet_end)) {
-                $input_errors[] = gettext("The specified server address lies in the remote subnet.");
-            }
-        }
-    } elseif (isset($config['pptpd']['mode'])) {
-        unset($config['pptpd']['mode']);
-    }
-
-    if (!$input_errors) {
-        $pptpcfg['remoteip'] = $_POST['remoteip'];
-        $pptpcfg['localip'] = $_POST['localip'];
-        $pptpcfg['mode'] = $_POST['mode'];
-        $pptpcfg['interface'] = $_POST['interface'];
-        $pptpcfg['wins'] = $_POST['wins'];
-        $pptpcfg['n_pptp_units'] = $_POST['n_pptp_units'];
-        $pptpcfg['radius']['server']['ip'] = $_POST['radiusserver'];
-        $pptpcfg['radius']['server']['port'] = $_POST['radiusserverport'];
-        $pptpcfg['radius']['server']['acctport'] = $_POST['radiusserveracctport'];
-        $pptpcfg['radius']['server']['secret'] = $_POST['radiussecret'];
-        $pptpcfg['radius']['server2']['ip'] = $_POST['radiusserver2'];
-        $pptpcfg['radius']['server2']['port'] = $_POST['radiusserver2port'];
-        $pptpcfg['radius']['server2']['acctport'] = $_POST['radiusserver2acctport'];
-        $pptpcfg['radius']['server2']['secret2'] = $_POST['radiussecret2'];
-        $pptpcfg['radius']['nasip'] = $_POST['radius_nasip'];
-        $pptpcfg['radius']['acct_update'] = $_POST['radius_acct_update'];
-
-        if ($_POST['pptp_dns1'] == "") {
-            if (isset($pptpcfg['dns1'])) {
-                unset($pptpcfg['dns1']);
-            }
-        } else {
-            $pptpcfg['dns1'] = $_POST['pptp_dns1'];
-        }
-
-        if ($_POST['pptp_dns2'] == "") {
-            if (isset($pptpcfg['dns2'])) {
-                unset($pptpcfg['dns2']);
-            }
-        } else {
-            $pptpcfg['dns2'] = $_POST['pptp_dns2'];
-        }
-
-        if ($_POST['req128'] == "yes") {
-            $pptpcfg['req128'] = true;
-        } elseif (isset($pptpcfg['req128'])) {
-            unset($pptpcfg['req128']);
-        }
-
-        if ($_POST['radiusenable'] == "yes") {
-            $pptpcfg['radius']['server']['enable'] = true;
-        } elseif (isset($pptpcfg['radius']['server']['enable'])) {
-            unset($pptpcfg['radius']['server']['enable']);
-        }
-
-        if ($_POST['radiussecenable'] == "yes") {
-            $pptpcfg['radius']['server2']['enable'] = true;
-        } elseif (isset($pptpcfg['radius']['server2']['enable'])) {
-            unset($pptpcfg['radius']['server2']['enable']);
-        }
-
-        if ($_POST['radacct_enable'] == "yes") {
-            $pptpcfg['radius']['accounting'] = true;
-        } elseif (isset($pptpcfg['radius']['accounting'])) {
-            unset($pptpcfg['radius']['accounting']);
-        }
-
-        if ($_POST['radiusissueips'] == "yes") {
-            $pptpcfg['radius']['radiusissueips'] = true;
-        } elseif (isset($pptpcfg['radius']['radiusissueips'])) {
-            unset($pptpcfg['radius']['radiusissueips']);
-        }
-
-        write_config();
-        $savemsg = get_std_save_message();
-        if_pptp_configure_do();
-        filter_configure();
-    }
-}
-
-$service_hook = 'pptpd';
-legacy_html_escape_form_data($pconfig);
-include("head.inc");
-
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-    <section class="page-content-main">
-      <div class="container-fluid">
-        <div class="row">
-        <?php if (isset($input_errors) && count($input_errors) > 0) {
-                    print_input_errors($input_errors);
-} ?>
-        <?php if (isset($savemsg)) {
-                    print_info_box($savemsg);
-} ?>
-          <section class="col-xs-12">
-            <div class="tab-content content-box col-xs-12">
-              <form method="post" name="iform" id="iform">
-                <div class="table-responsive">
-                  <table class="table table-striped opnsense_standard_table_form">
-                    <tr>
-                      <td style="width:22%"><b><?=gettext("PPTP settings"); ?></b></td>
-                      <td style="width:78%; text-align:right">
-                        <small><?=gettext("full help"); ?> </small>
-                        <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Mode");?></td>
-                      <td>
-                        <input name="mode" type="radio" value="off" <?=($pconfig['mode'] != 'server') ? 'checked="checked"' : '';?>/>
-                        <?=gettext("Off"); ?>
-                        &nbsp;
-                        <input type="radio" name="mode" value="server"  <?=($pconfig['mode'] == 'server') ? 'checked="checked"' : '';?>/>
-                        <?=gettext("Enable PPTP server"); ?>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Interface");?></td>
-                      <td>
-                        <select name="interface" class="form-control" id="interface">
-<?php foreach (get_configured_interface_with_descr() as $iface => $ifacename): ?>
-                          <option value="<?=$iface;?>" <?=$iface == $pconfig['interface'] ? "selected=\"selected\"" : "";?>>
-                            <?=htmlspecialchars($ifacename);?>
-                          </option>
-<?php endforeach ?>
-                        </select>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_localip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Server address"); ?></td>
-                      <td>
-                        <input name="localip" type="text" id="localip" value="<?=$pconfig['localip'];?>" />
-                        <div class="hidden" data-for="help_for_localip">
-                          <?=gettext("Enter the IP address the PPTP server should give to clients for use as their \"gateway\"."); ?>
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_remoteip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Remote address range"); ?></td>
-                      <td>
-                        <input name="remoteip" type="text" id="remoteip" value="<?=htmlspecialchars($pconfig['remoteip']);?>" />
-                        <div class="hidden" data-for="help_for_remoteip">
-                          <?=gettext("Specify the starting address for the client IP address subnet."); ?>
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Number of PPTP users') ?></td>
-                      <td>
-                        <select id="n_pptp_units" name="n_pptp_units">
-<?php
-                          $toselect = ($pconfig['n_pptp_units'] > 0) ? $pconfig['n_pptp_units'] : 16;
-                          for ($x=1; $x<255; $x++) {
-                              if ($x == $toselect) {
-                                  $SELECTED = " selected=\"selected\"";
-                              } else {
-                                  $SELECTED = "";
-                              }
-                              echo "<option value=\"{$x}\"{$SELECTED}>{$x}</option>\n";
-                          }
-                          ?>
-                        </select>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_pptp_dns" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("PPTP DNS Servers"); ?></td>
-                      <td>
-                        <input name="pptp_dns1" type="text" id="pptp_dns1" value="<?=$pconfig['pptp_dns1'];?>" /><br />
-                        <input name="pptp_dns2" type="text" id="pptp_dns2" value="<?=$pconfig['pptp_dns2'];?>" />
-                        <div class="hidden" data-for="help_for_pptp_dns">
-                          <?=gettext("primary and secondary DNS servers assigned to PPTP clients"); ?>
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("WINS Server"); ?></td>
-                      <td>
-                          <input name="wins" type="text" id="wins" value="<?=htmlspecialchars($pconfig['wins']);?>" />
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_radius" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS"); ?></td>
-                      <td>
-                        <input name="radiusenable" type="checkbox" id="radiusenable" value="yes" <?=($pconfig['radiusenable']) ? "checked=\"checked\"" : "";?>/>
-                        <strong><?=gettext("Use a RADIUS server for authentication"); ?></strong><br/>
-                        <div class="hidden" data-for="help_for_radius">
-                          <?=gettext("When set, all users will be authenticated using " .
-                          "the RADIUS server specified below. The local user database " .
-                          "will not be used."); ?>
-                        </div>
-                        <input name="radacct_enable" type="checkbox" id="radacct_enable" value="yes" <?=($pconfig['radacct_enable']) ? "checked=\"checked\"" : "";?>/>
-                        <strong><?=gettext("Enable RADIUS accounting"); ?></strong><br/>
-                        <div class="hidden" data-for="help_for_radius">
-                          <?=gettext("Sends accounting packets to the RADIUS server."); ?>
-                        </div>
-                        <input name="radiussecenable" type="checkbox" id="radiussecenable" value="yes" <?=($pconfig['radiussecenable']) ? "checked=\"checked\"" : "";?>/>
-                        <strong><?=gettext("Secondary RADIUS server for failover authentication"); ?></strong><br />
-                        <div class="hidden" data-for="help_for_radius">
-                          <?=gettext("When set, all requests will go to the secondary server when primary fails"); ?>
-                        </div>
-                        <input name="radiusissueips" value="yes" type="checkbox" id="radiusissueips"<?=($pconfig['radiusissueips']) ? " checked=\"checked\"" : "";?>/>
-                        <strong><?=gettext("RADIUS issued IPs"); ?></strong>
-                        <div class="hidden" data-for="help_for_radius">
-                          <?=gettext("Issue IP addresses via RADIUS server."); ?>
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("RADIUS NAS IP"); ?></td>
-                      <td>
-                          <input name="radius_nasip" type="text" id="radius_nasip" value="<?=$pconfig['radius_nasip'];?>" />
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_radius_acct_update" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS Accounting Update"); ?></td>
-                      <td>
-                          <input name="radius_acct_update" type="text" id="radius_acct_update" value="<?=$pconfig['radius_acct_update'];?>" />
-                          <div class="hidden" data-for="help_for_radius_acct_update">
-                            <?=gettext("RADIUS accounting update period in seconds"); ?>
-                          </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_radiusserver" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS server Primary"); ?></td>
-                      <td>
-                        <table class="table table-condensed">
-                          <thead>
-                            <tr>
-                              <th><?=gettext("Server");?></th>
-                              <th><?=gettext("Port");?></th>
-                              <th><?=gettext("AccPort");?></th>
-                            </tr>
-                          </thead>
-                          <tbody>
-                            <tr>
-                              <td><input name="radiusserver" type="text" value="<?=$pconfig['radiusserver'];?>" /></td>
-                              <td><input name="radiusserverport" type="text"  value="<?=$pconfig['radiusserverport'];?>" /></td>
-                              <td><input name="radiusserveracctport" type="text"  value="<?=$pconfig['radiusserveracctport'];?>" /></td>
-                            </tr>
-                          </tbody>
-                        </table>
-                        <div class="hidden" data-for="help_for_radiusserver">
-                          <?=gettext("Enter the IP address, authentication port and accounting port (optional) of the RADIUS server."); ?><br />
-                          <br /> <?=gettext("standard port 1812 and 1813 accounting"); ?>
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_radiussecret" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS primary shared secret"); ?></td>
-                      <td>
-                        <input name="radiussecret" type="password"  value="<?=$pconfig['radiussecret'];?>" />
-                        <div class="hidden" data-for="help_for_radiussecret">
-                          <?=gettext("Enter the shared secret that will be used to authenticate " .
-                                                  "to the RADIUS server"); ?>.
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_radiusserver2" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS server Secondary"); ?></td>
-                      <td>
-                        <table class="table table-condensed">
-                          <thead>
-                            <tr>
-                              <th><?=gettext("Server");?></th>
-                              <th><?=gettext("Port");?></th>
-                              <th><?=gettext("AccPort");?></th>
-                            </tr>
-                          </thead>
-                          <tbody>
-                            <tr>
-                              <td><input name="radiusserver2" type="text" value="<?=$pconfig['radiusserver2'];?>" /></td>
-                              <td><input name="radiusserver2port" type="text"  value="<?=$pconfig['radiusserver2port'];?>" /></td>
-                              <td><input name="radiusserver2acctport" type="text"  value="<?=$pconfig['radiusserver2acctport'];?>" /></td>
-                            </tr>
-                          </tbody>
-                        </table>
-                        <div class="hidden" data-for="help_for_radiusserver2">
-                          <?=gettext("Enter the IP address, authentication port and accounting port (optional) of the backup RADIUS server."); ?><br />
-                          <br /> <?=gettext("standard port 1812 and 1813 accounting"); ?>
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_radiussecret2" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("RADIUS secondary shared secret"); ?></td>
-                      <td>
-                        <input name="radiussecret2" type="password" id="radiussecret2" size="20" value="<?=htmlspecialchars($pconfig['radiussecret2']);?>" />
-                        <div class="hidden" data-for="help_for_radiussecret2">
-                          <?=gettext("Enter the shared secret that will be used to authenticate " ."to the RADIUS server"); ?>.
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td><a id="help_for_req128" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Security");?></td>
-                      <td>
-                        <input name="req128" type="checkbox" id="req128" value="yes" <?=($pconfig['req128']) ? "checked=\"checked\"" : "";?> />
-                        <strong><?=gettext("Require 128-bit encryption"); ?></strong>
-                        <div class="hidden" data-for="help_for_req128">
-                          <?=gettext("When set, only 128-bit encryption will be accepted. Otherwise " .
-                                    "40-bit and 56-bit encryption will be accepted as well. Note that " .
-                                    "encryption will always be forced on PPTP connections (i.e. " .
-                                    "unencrypted connections will not be accepted)."); ?>
-                        </div>
-                      </td>
-                    </tr>
-                    <tr>
-                      <td></td>
-                      <td>
-                        <input name="Submit" type="submit" class="btn btn-primary" value="<?=gettext("Save"); ?>" />
-                      </td>
-                    </tr>
-                    <tr>
-                      <td colspan="2"><?= gettext("Don't forget to add a firewall rule to permit traffic from PPTP clients.") ?></td>
-                    </tr>
-                  </table>
-                </div>
-              </form>
-            </div>
-          </section>
-        </div>
-      </div>
-    </section>
-<?php include("foot.inc");
diff --git a/net/pptp/src/www/vpn_pptp_log.inc b/net/pptp/src/www/vpn_pptp_log.inc
deleted file mode 100644
index 34594070cb..0000000000
--- a/net/pptp/src/www/vpn_pptp_log.inc
+++ /dev/null
@@ -1,120 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("interfaces.inc");
-
-if (empty($config['syslog']['nentries'])) {
-    $nentries = 50;
-} else {
-    $nentries = $config['syslog']['nentries'];
-}
-
-if ($_POST['clear']) {
-    system_clear_clog($logfile);
-}
-
-function dump_clog_vpn($file, $tail, $type)
-{
-    global $config;
-
-    $sort = isset($config['syslog']['reverse']) ? '-r' : '';
-    $logarr = array();
-
-    exec("/usr/local/sbin/clog " . escapeshellarg($file) . " | tail {$sort} -n " . escapeshellarg($tail), $logarr);
-
-    foreach ($logarr as $logent) {
-        $logent = preg_split('/\s+/', $logent, 6);
-        $llent = explode(',', $logent[5]);
-
-        if ($llent[1] !== $type) {
-            continue;
-        }
-
-        echo "<tr>\n";
-        echo "<td>" . htmlspecialchars(join(" ", array_slice($logent, 0, 3))) . "</td>\n";
-
-        if ($llent[0] == "login") {
-            echo "<td><span class=\"fa fa-arrow-right fa-fw\" aria-hidden=\"true\" alt=\"in\"></span></td>\n";
-        } else {
-            echo "<td><span class=\"fa fa-arrow-left fa-fw\" aria-hidden=\"true\" alt=\"out\"></span></td>\n";
-        }
-
-        echo "<td class=\"listr\">" . htmlspecialchars($llent[3]) . "</td>\n";
-        echo "<td class=\"listr\">" . htmlspecialchars($llent[2]) . "&nbsp;</td>\n";
-        echo "</tr>\n";
-    }
-}
-
-include("head.inc");
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-
-<section class="page-content-main">
-  <div class="container-fluid">
-    <div class="row">
-      <section class="col-xs-12">
-        <div class="tab-content content-box col-xs-12">
-          <div class="table-responsive">
-            <table class="table table-striped table-sort">
-              <tr>
-                <td><?=gettext("Time");?></td>
-                <td><?=gettext("Action");?></td>
-                <td><?=gettext("User");?></td>
-                <td><?=gettext("IP address");?></td>
-              </tr>
-              <tr>
-                <td colspan="4">
-                  <ul class="nav nav-pills" role="tablist">
-                    <?php foreach ($logpills as $pill): ?>
-                      <li role="presentation" <?php if (str_replace('amp;','', $pill[2]) == $_SERVER['REQUEST_URI']):?>class="active"<?php endif; ?>><a href="<?=$pill[2];?>"><?=$pill[0];?></a></li>
-                      <?php endforeach; ?>
-                  </ul>
-                </td>
-              </tr>
-              <?php dump_clog_vpn($logfile, $nentries, $logtype); ?>
-              <tr>
-                <td colspan="4">
-                  <form method="post">
-                    <input type="hidden" name="mode" id="mode" value="<?= html_safe($mode) ?>"/>
-                    <input name="clear" type="submit" class="btn btn-primary" value="<?= html_safe(gettext('Clear log')) ?>"/>
-                  </form>
-                </td>
-              </tr>
-            </table>
-          </div>
-        </div>
-      </section>
-    </div>
-  </div>
-</section>
-<?php include("foot.inc"); ?>
diff --git a/net/pptp/src/www/vpn_pptp_log.php b/net/pptp/src/www/vpn_pptp_log.php
deleted file mode 100644
index 43ec426449..0000000000
--- a/net/pptp/src/www/vpn_pptp_log.php
+++ /dev/null
@@ -1,26 +0,0 @@
-<?php
-
-if (htmlspecialchars($_POST['mode'])) {
-    $mode = htmlspecialchars($_POST['mode']);
-} elseif (htmlspecialchars($_GET['mode'])) {
-    $mode = htmlspecialchars($_GET['mode']);
-} else {
-    $mode = 'login';
-}
-
-$logtype = 'pptp';
-$logclog = true;
-
-$logpills = array();
-$logpills[] = array(gettext('PPTP Logins'), $mode != 'raw', '/vpn_pptp_log.php');
-$logpills[] = array(gettext('PPTP Raw'), $mode == 'raw', '/vpn_pptp_log.php?mode=raw');
-
-$service_hook = 'pptpd';
-
-if ($mode != 'raw') {
-    $logfile = '/var/log/vpn.log';
-    require_once 'vpn_pptp_log.inc';
-} else {
-    $logfile = '/var/log/pptps.log';
-    require_once 'diag_logs_template_pptp.inc';
-}
diff --git a/net/pptp/src/www/vpn_pptp_users.php b/net/pptp/src/www/vpn_pptp_users.php
deleted file mode 100644
index 9057626df0..0000000000
--- a/net/pptp/src/www/vpn_pptp_users.php
+++ /dev/null
@@ -1,136 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once('guiconfig.inc');
-require_once("system.inc");
-require_once('plugins.inc.d/if_pptp.inc');
-
-$a_secret = &config_read_array('pptpd', 'user');
-
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    // delete entry
-    if (isset($_POST['act']) && $_POST['act'] == "del" && isset($_POST['id'])) {
-        if (!empty($a_secret[$_POST['id']])) {
-            unset($a_secret[$_POST['id']]);
-            mark_subsystem_dirty('pptpusers');
-            write_config();
-        }
-        exit;
-    } elseif (!empty($_POST['apply'])) {
-        if_pptp_configure_do();
-        clear_subsystem_dirty('pptpusers');
-        header(url_safe('Location: /vpn_pptp_users.php'));
-        exit;
-
-    }
-}
-
-$service_hook = 'pptpd';
-include("head.inc");
-$main_buttons = array(
-    array('label' => gettext('Add'), 'href' => 'vpn_pptp_users_edit.php'),
-);
-
-?>
-
-<body>
-  <script>
-  $( document ).ready(function() {
-    // delete host action
-    $(".act_delete_user").click(function(event){
-      event.preventDefault();
-      var id = $(this).data("id");
-      // delete single
-      BootstrapDialog.show({
-        type:BootstrapDialog.TYPE_DANGER,
-        title: "<?=gettext("delete user"); ?>",
-        message: "<?=gettext("Do you really want to delete this user?");?>",
-        buttons: [{
-                  label: "<?= gettext("No");?>",
-                  action: function(dialogRef) {
-                      dialogRef.close();
-                  }}, {
-                  label: "<?= gettext("Yes");?>",
-                  action: function(dialogRef) {
-                    $.post(window.location, {act: 'del', id:id}, function(data) {
-                        location.reload();
-                    });
-                }
-              }]
-      });
-    });
-  });
-  </script>
-<?php include("fbegin.inc"); ?>
-
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-<?php
-      if (isset($config['pptpd']['radius']['enable'])) {
-          print_info_box(gettext("Warning: RADIUS is enabled. The local user database will not be used."));
-      }
-      if (is_subsystem_dirty('pptpusers')) :?><br/>
-        <?php print_info_box_apply(gettext("The PPTP user list has been modified").".<br />".gettext("You must apply the changes in order for them to take effect").".<br /></b><b>".gettext("Warning: this will terminate all current PPTP sessions")."!");?></b><br />
-<?php
-      endif; ?>
-        <section class="col-xs-12">
-          <div class="tab-content content-box col-xs-12">
-              <form method="post" name="iform" id="iform">
-                <div class="table-responsive">
-                  <table class="table table-striped table-sort">
-                    <tr>
-                      <td><?=gettext("Username");?></td>
-                      <td><?=gettext("IP address");?></td>
-                      <td class="text-nowrap"></td>
-                    </tr>
-<?php
-                    $i = 0;
-                    foreach ($a_secret as $secretent) :?>
-                    <tr>
-                      <td><?=htmlspecialchars($secretent['name']);?></td>
-                      <td><?=htmlspecialchars($secretent['ip']);?></td>
-                      <td class="text-nowrap">
-                         <a href="vpn_pptp_users_edit.php?id=<?=$i;?>" class="btn btn-xs btn-default"><i class="fa fa-pencil fa-fw"></i></a>
-                         <button data-id="<?=$i;?>" type="button" class="act_delete_user btn btn-xs btn-default"><i class="fa fa-trash fa-fw"></i></button>
-                      </td>
-                    </tr>
-<?php
-                    $i++;
-                    endforeach; ?>
-                  </table>
-                </div>
-              </form>
-            </div>
-          </section>
-        </div>
-      </div>
-    </section>
-
-<?php include("foot.inc");
diff --git a/net/pptp/src/www/vpn_pptp_users_edit.php b/net/pptp/src/www/vpn_pptp_users_edit.php
deleted file mode 100644
index 9bb034b8d9..0000000000
--- a/net/pptp/src/www/vpn_pptp_users_edit.php
+++ /dev/null
@@ -1,212 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-function pptpusercmp($a, $b)
-{
-    return strcasecmp($a['name'], $b['name']);
-}
-
-function pptpd_users_sort()
-{
-    global $config;
-
-    if (!is_array($config['ppptpd']['user'])) {
-            return;
-    }
-
-    usort($config['pptpd']['user'], "pptpusercmp");
-}
-
-require_once('guiconfig.inc');
-require_once("system.inc");
-require_once('plugins.inc.d/if_pptp.inc');
-
-$a_secret = &config_read_array('pptpd', 'user');
-
-if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    if (isset($_GET['id']) && !empty($a_secret[$_GET['id']])) {
-        $id = $_GET['id'];
-    }
-    if (isset($id)) {
-        $pconfig['username'] = $a_secret[$id]['name'];
-        $pconfig['ip'] = $a_secret[$id]['ip'];
-    } else {
-        $pconfig['username'] = null;
-        $pconfig['ip'] = null;
-    }
-} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    if (isset($_POST['id']) && !empty($a_secret[$_POST['id']])) {
-        $id = $_POST['id'];
-    }
-    unset($input_errors);
-    $pconfig = $_POST;
-
-    /* input validation */
-    if (isset($id) && ($a_secret[$id])) {
-        $reqdfields = explode(" ", "username");
-        $reqdfieldsn = array(gettext("Username"));
-    } else {
-        $reqdfields = explode(" ", "username password");
-        $reqdfieldsn = array(gettext("Username"),gettext("Password"));
-    }
-
-    do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
-
-    if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['username'])) {
-        $input_errors[] = gettext("The username contains invalid characters.");
-    }
-
-    if (preg_match("/^!/", $_POST['password'])) {
-        $input_errors[] = gettext("The password cannot start with '!'.");
-    }
-
-    if (!preg_match("/^[\x20-\x7E]*$/", $_POST['password'])) {
-        $input_errors[] = gettext("The password contains invalid characters.");
-    }
-
-    if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) {
-        $input_errors[] = gettext("The passwords do not match.");
-    }
-    if (($_POST['ip'] && !is_ipaddr($_POST['ip']))) {
-        $input_errors[] = gettext("The IP address entered is not valid.");
-    }
-
-    if (!$input_errors && !(isset($id) && $a_secret[$id])) {
-        /* make sure there are no dupes */
-        foreach ($a_secret as $secretent) {
-            if ($secretent['name'] == $_POST['username']) {
-                $input_errors[] = gettext("Another entry with the same username already exists.");
-                break;
-            }
-        }
-    }
-
-    if (!$input_errors) {
-        if (isset($id) && $a_secret[$id]) {
-            $secretent = $a_secret[$id];
-        }
-
-        $secretent['name'] = $_POST['username'];
-        $secretent['ip'] = $_POST['ip'];
-
-        if ($_POST['password']) {
-            $secretent['password'] = $_POST['password'];
-        }
-
-        if (isset($id) && $a_secret[$id]) {
-            $a_secret[$id] = $secretent;
-        } else {
-            $a_secret[] = $secretent;
-        }
-
-        pptpd_users_sort();
-        write_config();
-        if_pptp_configure_do();
-        header(url_safe('Location: /vpn_pptp_users.php'));
-        exit;
-    }
-}
-
-
-$service_hook = 'pptpd';
-legacy_html_escape_form_data($pconfig);
-include("head.inc");
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-      <?php if (isset($input_errors) && count($input_errors) > 0) {
-              print_input_errors($input_errors);
-      } ?>
-        <section class="col-xs-12">
-          <div class="tab-content content-box col-xs-12">
-            <form method="post" name="iform" id="iform">
-              <div class="table-responsive">
-                <table class="table table-striped opnsense_standard_table_form">
-                  <tr>
-                    <td style="width:22%">
-                      <strong><?=gettext("Edit User");?></strong>
-                    </td>
-                    <td style="width:78%; text-align:right">
-                      <small><?=gettext("full help"); ?> </small>
-                      <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Username");?></td>
-                    <td>
-                      <input name="username" type="text" id="username" value="<?=$pconfig['username'];?>" />
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Password");?></td>
-                    <td>
-                      <input name="password" type="password" class="form-control pwd" id="password" />
-                      <br /><input name="password2" type="password" class="form-control pwd" id="password2" />
-                      &nbsp;(<?=gettext("confirmation");?>)
-<?php
-                      if (isset($id)) :?><br />
-                      <?=gettext("If you want to change the users' password, ".
-                                  "enter it here twice.");?>
-<?php
-                      endif; ?>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_ip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP address");?></td>
-                    <td>
-                      <input name="ip" type="text" class="form-control unknown" id="ip" value="<?=htmlspecialchars($pconfig['ip']);?>" />
-                      <div class="hidden" data-for="help_for_ip">
-                        <?=gettext("If you want the user to be assigned a specific IP address, enter it here.");?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td>&nbsp;</td>
-                    <td>
-                      <input name="Submit" type="submit" class="btn btn-primary" value="<?=gettext("Save");?>" />
-<?php
-                      if (isset($id)) :?>
-                      <input name="id" type="hidden" value="<?=$id;?>" />
-<?php
-                      endif; ?>
-                    </td>
-                  </tr>
-                </table>
-              </div>
-            </form>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc");

From 3e4d9294c0c9c7a7f38dd5a75d7000969328538b Mon Sep 17 00:00:00 2001
From: Jeremy Fitzhardinge <jeremy@goop.org>
Date: Thu, 30 Jul 2020 00:34:28 -0700
Subject: [PATCH 0174/3088] acme-client: add support for Linode Cloud API

Resolves #1939
---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml     | 10 ++++++++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  |  4 ++++
 .../scripts/OPNsense/AcmeClient/certhelper.php         |  5 +++++
 3 files changed, 19 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 8ad18f5a3e..aa2173c5c6 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -613,6 +613,16 @@
         <label>Key</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Linode Cloud API</label>
+        <type>header</type>
+        <style>table_dns table_dns_linode_v4</style>
+    </field>
+    <field>
+        <id>validation.dns_linode_v4_key</id>
+        <label>Key</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Loopia</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 2880e11619..2363ab2470 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -398,6 +398,7 @@
                         <dns_leaseweb>LeaseWeb API</dns_leaseweb>
                         <dns_lexicon>lexicon DNS API</dns_lexicon>
                         <dns_linode>Linode API</dns_linode>
+                        <dns_linode_v4>Linode Cloud API</dns_linode_v4>
                         <dns_loopia>Loopia API</dns_loopia>
                         <dns_lua>LuaDNS.com API</dns_lua>
                         <dns_miab>MailinaBox API</dns_miab>
@@ -690,6 +691,9 @@
                 <dns_linode_key type="TextField">
                   <Required>N</Required>
                 </dns_linode_key>
+                <dns_linode_v4_key type="TextField">
+                  <Required>N</Required>
+                </dns_linode_v4_key>
                 <dns_loopia_api type="TextField">
                   <Required>N</Required>
                   <default>https://api.loopia.se/RPCSERV</default>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index 7c7a6109cb..6775f33481 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -850,6 +850,11 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 // Linode can take up to 15 to update DNS records
                 $acme_hook_options[] = "--dnssleep 960";
                 break;
+            case 'dns_linode_v4':
+                $proc_env['LINODE_V4_API_KEY'] = (string)$valObj->dns_linode_v4_key;
+                // Linode can take up to 15 to update DNS records
+                $acme_hook_options[] = "--dnssleep 960";
+                break;
             case 'dns_loopia':
                 $proc_env['LOOPIA_Api'] = (string)$valObj->dns_loopia_api;
                 $proc_env['LOOPIA_User'] = (string)$valObj->dns_loopia_user;

From 34ce9605359b8137e6d9b87f0f0a36b2e09a85ef Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 31 Jul 2020 08:29:18 +0200
Subject: [PATCH 0175/3088] net/udpbroadcastrelay: release as is

---
 README.md                      | 2 +-
 net/udpbroadcastrelay/Makefile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index b50db1add2..8c2f505049 100644
--- a/README.md
+++ b/README.md
@@ -67,7 +67,7 @@ net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
 net/tayga -- Tayga NAT64
-net/udpbroadcastrelay -- Control ubpbroadcastrelay processes (development only)
+net/udpbroadcastrelay -- Control ubpbroadcastrelay processes
 net/upnp -- Universal Plug and Play Service
 net/vnstat -- vnStat is a console-based network traffic monitor
 net/wireguard -- WireGuard VPN service
diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index b90f1cfd0b..0977354b33 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		udpbroadcastrelay
-PLUGIN_VERSION=		0.1
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Control ubpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com

From 828815e72596a1406c736105931566c1d9adf755 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 31 Jul 2020 13:42:38 +0200
Subject: [PATCH 0176/3088] mail/postfix (#1941)

---
 mail/postfix/Makefile                                         | 3 +--
 mail/postfix/pkg-descr                                        | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml    | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 522d394a0d..51aede1328 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.14
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.15
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 38f254a7de..7ebc7a2d43 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.15
+
+* Fix Log viewer
+
 1.14
 
 * Add more anti-spam features into postfix itself
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml
index b93892062c..d8aa479891 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml
@@ -9,7 +9,7 @@
       <Senderbcc VisibleName="Sender BCC" url="/ui/postfix/senderbcc/index" order="45"/>
       <Sendercanonical VisibleName="Sender Canonical Rewriting" url="/ui/postfix/sendercanonical/index" order="48"/>
       <Address VisibleName="Address Rewriting" url="/ui/postfix/address/index" order="50"/>
-      <LogFile VisibleName="Log File" order="50" url="/ui/diagnostics/log/core/mail"/>
+      <LogFile VisibleName="Log File" order="50" url="/ui/diagnostics/log/core/postfix"/>
     </Postfix>
   </Services>
 </menu>

From 594ff4fbe0ae2290aefb6f01ff3971ee9bb89cb0 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 31 Jul 2020 14:21:54 +0200
Subject: [PATCH 0177/3088] mail/postfix: quick fix syslog (#1942)

---
 mail/postfix/src/etc/inc/plugins.inc.d/postfix.inc | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/mail/postfix/src/etc/inc/plugins.inc.d/postfix.inc b/mail/postfix/src/etc/inc/plugins.inc.d/postfix.inc
index b83b64bc5d..d486a07d21 100644
--- a/mail/postfix/src/etc/inc/plugins.inc.d/postfix.inc
+++ b/mail/postfix/src/etc/inc/plugins.inc.d/postfix.inc
@@ -52,10 +52,7 @@ function postfix_syslog()
 {
     $syslogconf = array();
 
-    $syslogconf['mail'] = array(
-        'facility' => array('postfix'),
-        'remote' => 'mail',
-    );
+    $syslogconf['postfix'] = array('facility' => array('postfix'));
 
     return $syslogconf;
 }

From e7c4d1189ab6038224ac2d649e8fd49715842a5a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 2 Aug 2020 11:57:48 +0200
Subject: [PATCH 0178/3088] security/acme-client: remove bundled version of
 dns_opnsense.sh, refs #1888

---
 .../OPNsense/AcmeClient/dns_opnsense.sh       | 262 ------------------
 .../scripts/OPNsense/AcmeClient/setup.sh      |   6 +-
 2 files changed, 4 insertions(+), 264 deletions(-)
 delete mode 100755 security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/dns_opnsense.sh

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/dns_opnsense.sh b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/dns_opnsense.sh
deleted file mode 100755
index baa77125d5..0000000000
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/dns_opnsense.sh
+++ /dev/null
@@ -1,262 +0,0 @@
-#!/bin/sh
-
-#OPNsense Bind API
-#https://docs.opnsense.org/development/api.html
-#
-#OPNs_Host="opnsense.example.com"
-#OPNs_Port="443"
-#OPNs_Key="qocfU9RSbt8vTIBcnW8bPqCrpfAHMDvj5OzadE7Str+rbjyCyk7u6yMrSCHtBXabgDDXx/dY0POUp7ZA"
-#OPNs_Token="pZEQ+3ce8dDlfBBdg3N8EpqpF5I1MhFqdxX06le6Gl8YzyQvYCfCzNaFX9O9+IOSyAs7X71fwdRiZ+Lv"
-#OPNs_Api_Insecure=1     # Set 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1)
-
-########  Public functions #####################
-#Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000"
-#fulldomain
-#txtvalue
-dns_opnsense_add() {
-  fulldomain=$1
-  txtvalue=$2
-
-  _opns_check_auth || return 1
-
-  if ! set_record "$fulldomain" "$txtvalue"; then
-    return 1
-  fi
-
-  return 0
-}
-
-#fulldomain
-dns_opnsense_rm() {
-  fulldomain=$1
-  txtvalue=$2
-
-  _opns_check_auth || return 1
-
-  if ! rm_record "$fulldomain" "$txtvalue"; then
-    return 1
-  fi
-
-  return 0
-}
-
-set_record() {
-  _info "Adding record"
-  fulldomain=$1
-  new_challenge=$2
-
-  _debug "Detect root zone"
-  if ! _get_root "$fulldomain"; then
-    _err "invalid domain"
-    return 1
-  fi
-  _debug _domain "$_domain"
-  _debug _host "$_host"
-  _debug _domainid "$_domainid"
-  _return_str=""
-  _record_string=""
-  _build_record_string "$_domainid" "$_host" "$new_challenge"
-  _uuid=""
-  if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
-    # Update
-    if _opns_rest "POST" "/record/setRecord/${_uuid}" "$_record_string"; then
-      _return_str="$response"
-    else
-      return 1
-    fi
-
-  else
-    #create
-    if _opns_rest "POST" "/record/addRecord" "$_record_string"; then
-      _return_str="$response"
-    else
-      return 1
-    fi
-  fi
-
-  if echo "$_return_str" | _egrep_o  "\"result\":\"saved\"" >/dev/null
-  then
-    _opns_rest "POST" "/service/reconfigure" "{}"
-    _debug "Record created"
-  else
-    _err "Error createing record $_record_string"
-    return 1
-  fi
-
-  return 0
-}
-
-rm_record() {
-  _info "Remove record"
-  fulldomain=$1
-  new_challenge="$2"
-
-  _debug "Detect root zone"
-  if ! _get_root "$fulldomain"; then
-    _err "invalid domain"
-    return 1
-  fi
-
-  _debug _domain "$_domain"
-  _debug _host "$_host"
-  _debug _domainid "$_domainid"
-  _uuid=""
-  if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
-    # Delete
-    if _opns_rest "POST" "/record/delRecord/${_uuid}"  "\{\}"; then
-      if echo "$_return_str" | _egrep_o "result":"deleted" >/dev/null; then
-        _opns_rest "POST" "/service/reconfigure" "{}"
-        _debug "Record deleted"
-      else
-        _err "Error delteting record $fulldomain"
-        return 1
-      fi
-    else
-        _err "Error delteting record $fulldomain"
-        return 1
-    fi
-  else
-    _info "Record not found, nothing to remove"
-  fi
-
-  return 0
-}
-
-####################  Private functions below ##################################
-#_acme-challenge.www.domain.com
-#returns
-# _domainid=domid
- #_domain=domain.com
-_get_root() {
-  domain=$1
-  i=2
-  p=1
-  if _opns_rest "GET" "/domain/get"; then
-    _domain_response="$response"
-  else
-    return 1
-  fi
-
-  while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
-    if [ -z "$h" ]; then
-      #not valid
-      return 1
-    fi
-    _debug h "$h"
-    id=$(echo $_domain_response| _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":\"[^\"]*\",\"domainname\":\"${h}\"" | cut -d ':'  -f 1  | cut -d '"' -f 2 )
-
-    if [ -n "$id" ];then
-      _debug id "$id"
-      _host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
-      _domain="${h}"
-      _domainid="${id}"
-      return 0
-    fi
-    p=$i
-    i=$(_math $i + 1)
-  done
-  _debug "$domain not found"
-
-  return 1
-}
-
-_opns_rest() {
-  method=$1
-  ep=$2
-  data=$3
-  #Percent encode user and token
-  key=$(echo $OPNs_Key | tr -d "\n\r" | _url_encode )
-  token=$(echo $OPNs_Token| tr -d "\n\r" | _url_encode )
-
-  opnsense_url="https://${key}:${token}@${OPNs_Host}:${OPNs_Port}/api/bind${ep}"
-  export _H1="Content-Type: application/json"
-  if [ ! "$method" = "GET" ]; then
-    _debug data "$data"
-    export _H1="Content-Type: application/json"
-    response="$(_post "$data" "$opnsense_url" "" "$method")"
-  else
-    export _H1=""
-    response="$(_get "$opnsense_url")"
-  fi
-
-  if [ "$?" != "0" ]; then
-    _err "error $ep"
-    return 1
-  fi
-  _debug2 response "$response"
-
-  return 0
-}
-
-_build_record_string() {
-  _record_string="{\"record\":{\"enabled\":\"1\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"}}"
-}
-
-_existingchallenge() {
-  if _opns_rest "GET" "/record/searchRecord"; then
-    _record_response="$response"
-  else
-    return 1
-  fi
-  _uuid=""
-  _uuid=$( echo $_record_response| _egrep_o "\"uuid\":\"[^\"]*\",\"enabled\":\"[01]\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':'  -f 2  | cut -d '"' -f 2 )
-
-  if [ -n "$_uuid" ];then
-    _debug uuid "$_uuid"
-    return 0
-  fi
-  _debug "${2}.$1{1} record not found"
-
-  return 1
-}
-
-_opns_check_auth() {
-  OPNs_Host="${OPNs_Host:-$(_readaccountconf_mutable OPNs_Host)}"
-  OPNs_Port="${OPNs_Port:-$(_readaccountconf_mutable OPNs_Port)}"
-  OPNs_Key="${OPNs_Key:-$(_readaccountconf_mutable OPNs_Key)}"
-  OPNs_Token="${OPNs_Token:-$(_readaccountconf_mutable OPNs_Token)}"
-  OPNs_Api_Insecure="${OPNs_Api_Insecure:-$(_readaccountconf_mutable OPNs_Api_Insecure)}"
-
-  if [ -z "$OPNs_Host" ]; then
-    OPNs_Host="localhost"
-    _err "You don't specify OPNsense address."
-  fi
-
-  if [ -z "$OPNs_Port" ]; then
-    OPNs_Port="443"
-    _err "You don't specify OPNsense Port."
-  fi
-
-  if [ -z "$OPNs_Api_Insecure" ]; then
-    OPNs_Api_Insecure="0"
-  fi
-
-  if [ -z "$OPNs_Key" ]; then
-    OPNs_Key=""
-    _err "You don't specify OPNsense api key id."
-    _err "Please set you OPNs_Key and try again."
-    return 1
-  fi
-
-  if [ -z "$OPNs_Token" ]; then
-    OPNs_Token=""
-    _err "You don't specify OPNsense token."
-    _err "Please create you OPNs_Token and try again."
-    return 1
-  fi
-
-  #save the api addr and key to the account conf file.
-  _saveaccountconf_mutable OPNs_Host "$OPNs_Host"
-  _saveaccountconf_mutable OPNs_Port "$OPNs_Port"
-  _saveaccountconf_mutable OPNs_Key "$OPNs_Key"
-  _saveaccountconf_mutable OPNs_Token "$OPNs_Token"
-  _saveaccountconf_mutable OPNs_Api_Insecure "$OPNs_Api_Insecure"
-  export HTTPS_INSECURE="${OPNs_Api_Insecure}"
-
-  if ! _opns_rest "GET" "/general/get";then
-    _err "Can't Access OPNsense"
-    return 1
-  fi
-  return 0
-}
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
index 0acda031ef..43140eea72 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
@@ -10,8 +10,10 @@ for directory in ${ACME_DIRS}; do
     chmod -R 750 ${directory}
 done
 
-if [ ! -L /var/etc/acme-client/home/dns_opnsense.sh ]; then
-    ln -s /usr/local/opnsense/scripts/OPNsense/AcmeClient/dns_opnsense.sh /var/etc/acme-client/home/dns_opnsense.sh
+# Remove symlink in order to use upstream version
+# see https://github.com/opnsense/plugins/pull/1888
+if [ -L /var/etc/acme-client/home/dns_opnsense.sh ]; then
+    unlink /var/etc/acme-client/home/dns_opnsense.sh
 fi
 
 # Setting owner and mode for base and immediate children (non recursive)

From 00d5323b2351369f5afb08f2b1b740093e0dc262 Mon Sep 17 00:00:00 2001
From: Adrian Fedoreanu <adrian.fedoreanu@gmail.com>
Date: Sat, 1 Aug 2020 13:43:34 +0200
Subject: [PATCH 0179/3088] acme-client add support for 1984Hosting API

---
 security/acme-client/Makefile                     |  2 +-
 security/acme-client/pkg-descr                    |  2 +-
 .../AcmeClient/forms/dialogValidation.xml         | 15 +++++++++++++++
 .../app/models/OPNsense/AcmeClient/AcmeClient.xml |  9 ++++++++-
 .../scripts/OPNsense/AcmeClient/certhelper.php    |  4 ++++
 5 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 7e359a146f..de178737e4 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		1.34
+PLUGIN_VERSION=		1.35
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 78dc22cf21..666ea3bb6e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -1,5 +1,5 @@
 This plugin contains a full ACME protocol implementation based on the
-acme.sh project.  Acording to the authors, it's probably "the easiest
+acme.sh project. According to the authors, it's probably "the easiest
 and smallest and smartest shell script" to automatically issue and renew
 the free certificates from Let's Encrypt.
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 8ad18f5a3e..bad2879405 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1121,4 +1121,19 @@
         <label>API Token</label>
         <type>password</type>
     </field>
+    <field>
+        <label>1984Hosting API</label>
+        <type>header</type>
+        <style>table_dns table_dns_1984hosting</style>
+    </field>
+    <field>
+        <id>validation.dns_1984hosting_user</id>
+        <label>API User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_1984hosting_password</id>
+        <label>API Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 2880e11619..dd9853ec14 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>1.6.1</version>
+    <version>1.6.2</version>
     <description>A secure Let's Encrypt plugin</description>
     <items>
         <settings>
@@ -357,6 +357,7 @@
                     <Required>Y</Required>
                     <default>dns_nsupdate</default>
                     <OptionValues>
+                        <dns_1984hosting>1984Hosting API</dns_1984hosting>
                         <dns_acmedns>ACME DNS API</dns_acmedns>
                         <dns_acmeproxy>Acmeproxy API</dns_acmeproxy>
                         <dns_ad>Alwaysdata.com API</dns_ad>
@@ -893,6 +894,12 @@
                 <dns_hetzner_token type="TextField">
                     <Required>N</Required>
                 </dns_hetzner_token>
+                <dns_1984hosting_user type="TextField">
+                    <Required>N</Required>
+                </dns_1984hosting_user>
+                <dns_1984hosting_password type="TextField">
+                    <Required>N</Required>
+                </dns_1984hosting_password>
             </validation>
         </validations>
         <actions>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index 7c7a6109cb..1d9e29f0e4 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -647,6 +647,10 @@ function run_acme_validation($certObj, $valObj, $acctObj)
         // Setup DNS hook:
         // Set required env variables, write secrets to files, etc.
         switch ((string)$valObj->dns_service) {
+            case 'dns_1984hosting':
+                $proc_env['One984HOSTING_Username'] = (string)$valObj->dns_1984hosting_user;
+                $proc_env['One984HOSTING_Password'] = (string)$valObj->dns_1984hosting_password;
+                break;
             case 'dns_acmedns':
                 $proc_env['ACMEDNS_USERNAME'] = (string)$valObj->dns_acmedns_user;
                 $proc_env['ACMEDNS_PASSWORD'] = (string)$valObj->dns_acmedns_password;

From 6b9cbc35606c223b6894bf85cbe4faf1db1dac9e Mon Sep 17 00:00:00 2001
From: Starkstromkonsument <it@starkstromkonsument.de>
Date: Mon, 3 Aug 2020 22:27:49 +0200
Subject: [PATCH 0180/3088] net-mgmt/zabbix-agent: add logformat file

---
 .../systemhealth/logformats/zabbix_agentd.py  | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py

diff --git a/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py b/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py
new file mode 100644
index 0000000000..dbb5a327a8
--- /dev/null
+++ b/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py
@@ -0,0 +1,56 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import re
+import datetime
+from . import BaseLogFormat
+zabbix_timeformat = r'(\d*):(\d{4}\d{2}\d{2}:\d{2}\d{2}\d{2})\.\d{3}\s(.*)'
+
+
+class ZabbixLogFormat(BaseLogFormat):
+    def __init__(self, filename):
+        super(ZabbixLogFormat, self).__init__(filename)
+        self._priority = 100
+
+    def match(self, line):
+        return self._filename.find('zabbix_agentd') > -1 and re.match(zabbix_timeformat, line) is not  None
+
+    @staticmethod
+    def timestamp(line):
+        tmp = re.match(zabbix_timeformat, line)
+        grp = tmp.group(2)
+        return datetime.datetime.strptime(grp, "%Y%m%d:%H%M%S").isoformat()
+
+    @staticmethod
+    def process_name(line):
+        tmp = re.match(zabbix_timeformat, line)
+        return tmp.group(1)
+
+    @staticmethod
+    def line(line):
+        tmp = re.match(zabbix_timeformat, line)
+        return tmp.group(3)
+

From 5da0a72ecf79023745738d45e4fb6b012236cfb7 Mon Sep 17 00:00:00 2001
From: Starkstromkonsument <it@starkstromkonsument.de>
Date: Mon, 3 Aug 2020 22:29:20 +0200
Subject: [PATCH 0181/3088] net-mgmt/zabbix-agent: bump version and amend
 changelog

---
 net-mgmt/zabbix-agent/Makefile  |  2 +-
 net-mgmt/zabbix-agent/pkg-descr | 10 +++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 571461e96d..00142169a5 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.7
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_DEPENDS=		zabbix4-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index d18a4485b0..4ba4ced181 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -7,4 +7,12 @@ any event. This allows a fast reaction to server problems. Zabbix offers
 excellent reporting and data visualisation features based on the stored
 data. This makes Zabbix ideal for capacity planning.
 
-WWW: http://www.zabbix.com/
+WWW: https://www.zabbix.com/
+
+Plugin Changelog
+----------------
+
+1.8
+
+* Add Changelog (Starkstromkonsument <https://github.com/Starkstromkonsument>)
+* Fix logformat (Starkstromkonsument <https://github.com/Starkstromkonsument>)

From f0c99df38d03a83e291e9d4fa3d4b4581fecdb99 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 6 Aug 2020 16:08:36 +0200
Subject: [PATCH 0182/3088] net/frr: Disable eBGP policies (#1953)

---
 net/frr/Makefile                                              | 2 +-
 net/frr/pkg-descr                                             | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf  | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index a808735a4a..b15d063124 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.14
+PLUGIN_VERSION=		1.15
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7 ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 96f819dc9c..ffcad0a3a5 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.15
+
+* Disable eBGP policies introduced with FRR 7.4
+
 1.14
 
 * fix null route issue in parsing
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index da858e7c8d..a92bad0041 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -17,6 +17,7 @@ log syslog {{ OPNsense.quagga.general.sysloglevel }}
 !
 {% if helpers.exists('OPNsense.quagga.bgp.asnumber') and OPNsense.quagga.bgp.asnumber != '' %}
 router bgp {{ OPNsense.quagga.bgp.asnumber }}
+ no bgp ebgp-requires-policy
 {%   if helpers.exists('OPNsense.quagga.bgp.routerid') and OPNsense.quagga.bgp.routerid != '' %}
  bgp router-id {{ OPNsense.quagga.bgp.routerid }}
 {%   endif %}

From 38217a631fe2ff4d16f3d2c26d1e1d4ebd58beae Mon Sep 17 00:00:00 2001
From: Moritz Bunkus <moritz@bunkus.org>
Date: Sun, 9 Aug 2020 22:20:08 +0200
Subject: [PATCH 0183/3088] acme-client: add support for Joker API DNS
 validation

---
 .../AcmeClient/forms/dialogValidation.xml         | 15 +++++++++++++++
 .../app/models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++++++
 .../scripts/OPNsense/AcmeClient/certhelper.php    |  4 ++++
 3 files changed, 26 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 4e1c2f81be..6dc61e3f75 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -551,6 +551,21 @@
         <type>checkbox</type>
         <help>Uncheck this box if you have a valid SSL certificate for your ISPConfig installation.</help>
     </field>
+    <field>
+        <label>Joker</label>
+        <type>header</type>
+        <style>table_dns table_dns_joker</style>
+    </field>
+    <field>
+        <id>validation.dns_joker_username</id>
+        <label>Username</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_joker_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
     <field>
         <label>KingHost</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b8b74d69cc..54a332d71c 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -394,6 +394,7 @@
                         <dns_infoblox>Infoblox API</dns_infoblox>
                         <dns_inwx>INWX XMLRPC API</dns_inwx>
                         <dns_ispconfig>ISPConfig 3.1+ API</dns_ispconfig>
+                        <dns_joker>Joker API</dns_joker>
                         <dns_kinghost>KingHost DNS API</dns_kinghost>
                         <dns_knot>Knot (knsupdate) DNS API</dns_knot>
                         <dns_leaseweb>LeaseWeb API</dns_leaseweb>
@@ -604,6 +605,12 @@
                     <Required>N</Required>
                     <default>1</default>
                 </dns_ispconfig_insecure>
+                <dns_joker_username type="TextField">
+                    <Required>N</Required>
+                </dns_joker_username>
+                <dns_joker_password type="TextField">
+                    <Required>N</Required>
+                </dns_joker_password>
                 <dns_kinghost_username type="TextField">
                     <Required>N</Required>
                 </dns_kinghost_username>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index c2e53da2f3..44381d7088 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -829,6 +829,10 @@ function run_acme_validation($certObj, $valObj, $acctObj)
                 $proc_env['ISPC_Api'] = (string)$valObj->dns_ispconfig_api;
                 $proc_env['ISPC_Api_Insecure'] = (string)$valObj->dns_ispconfig_insecure;
                 break;
+            case 'dns_joker':
+                $proc_env['JOKER_USERNAME'] = (string)$valObj->dns_joker_username;
+                $proc_env['JOKER_PASSWORD'] = (string)$valObj->dns_joker_password;
+                break;
             case 'dns_kinghost':
                 $proc_env['KINGHOST_username'] = (string)$valObj->dns_kinghost_username;
                 $proc_env['KINGHOST_Password'] = (string)$valObj->dns_kinghost_password;

From 0be1cf4003fc700c01c660e75f20129e072a67bd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 11 Aug 2020 10:41:57 +0200
Subject: [PATCH 0184/3088] net/haproxy: switch to stable package

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index b07f11984d..e4f47a08c6 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		2.23
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy
+PLUGIN_DEPENDS=		haproxy20
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"

From cb361839797447e5750dbf1dd97ffae4a804481d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 12 Aug 2020 15:43:02 +0200
Subject: [PATCH 0185/3088] security/acme-client: typewriter style is not
 wrong..

---
 security/acme-client/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 666ea3bb6e..25a85e16d6 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -1,5 +1,5 @@
 This plugin contains a full ACME protocol implementation based on the
-acme.sh project. According to the authors, it's probably "the easiest
+acme.sh project.  According to the authors, it's probably "the easiest
 and smallest and smartest shell script" to automatically issue and renew
 the free certificates from Let's Encrypt.
 

From 54d70a667fd54facf7e42a0aa22b319509f52fcf Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 12 Aug 2020 16:40:41 +0200
Subject: [PATCH 0186/3088] security/acme-client: add ability to rerun
 automations, closes #1962

---
 .../AcmeClient/Api/CertificatesController.php | 22 ++++++++++++++++-
 .../OPNsense/AcmeClient/certificates.volt     | 24 ++++++++++++++++++-
 .../OPNsense/AcmeClient/certhelper.php        | 19 ++++++++++++++-
 .../conf/actions.d/actions_acmeclient.conf    |  6 +++++
 4 files changed, 68 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
index 158ff96796..0159e46310 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017-2019 Frank Wall
+ *    Copyright (C) 2017-2020 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -154,4 +154,24 @@ public function revokeAction($uuid)
         }
         return $result;
     }
+
+    /**
+     * rerun automation for the certificate by uuid
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function automationAction($uuid)
+    {
+        $result = array("result" => "failed");
+        $mdlAcme = new AcmeClient();
+        if ($uuid != null) {
+            $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
+            if ($node != null) {
+                $cert_id = $node->id;
+                $backend = new Backend();
+                $response = $backend->configdRun("acmeclient run-automation {$cert_id}");
+            }
+        }
+        return $result;
+    }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index c2e206bd6b..6db878d502 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -2,7 +2,7 @@
 
 (Partially duplicates code from opnsense_bootgrid_plugin.js.)
 
-Copyright (C) 2017 Frank Wall
+Copyright (C) 2017-2020 Frank Wall
 Copyright (C) 2015 Deciso B.V.
 OPNsense® is Copyright © 2014-2015 by Deciso B.V.
 All rights reserved.
@@ -48,6 +48,7 @@ POSSIBILITY OF SUCH DAMAGE.
             sign:'/api/acmeclient/certificates/sign/',
             revoke:'/api/acmeclient/certificates/revoke/',
             removekey:'/api/acmeclient/certificates/removekey/',
+            automation:'/api/acmeclient/certificates/automation/',
         };
 
         var gridopt = {
@@ -61,6 +62,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     return "<button type=\"button\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
                         "<button type=\"button\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
                         "<button type=\"button\" class=\"btn btn-xs btn-default command-sign\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-repeat\"></span></button>" +
+                        "<button type=\"button\" class=\"btn btn-xs btn-default command-automation\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-paper-plane\"></span></button>" +
                         "<button type=\"button\" class=\"btn btn-xs btn-default command-revoke\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-power-off\"></span></button>" +
                         "<button type=\"button\" class=\"btn btn-xs btn-default command-removekey\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-history\"></span></button>" +
                         "<button type=\"button\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
@@ -377,6 +379,26 @@ POSSIBILITY OF SUCH DAMAGE.
                 }
             });
 
+            // run automation
+            // TODO: this should block other acme.sh actions
+            grid_certificates.find(".command-automation").on("click", function(e)
+            {
+                if (gridParams['automation'] != undefined) {
+                    var uuid=$(this).data("row-id");
+                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                        '{{ lang._('Rerun all automations for the selected certificate?') }}',
+                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+                        ajaxCall(url=gridParams['automation'] + uuid,
+                            sendData={},callback=function(data,status){
+                                // reload grid after sign
+                                $("#"+gridId).bootgrid("reload");
+                            });
+                    });
+                } else {
+                    console.log("[grid] action automation missing")
+                }
+            });
+
         });
 
         // Hide options that are irrelevant in this context.
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index 44381d7088..cb4d2be0a9 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2017-2019 Frank Wall
+ * Copyright (C) 2017-2020 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
@@ -96,6 +96,10 @@
         $result = cert_action_validator($options["c"]);
         echo json_encode(array('status' => $result));
         break;
+    case 'automation':
+        $result = cert_action_validator($options["c"]);
+        echo json_encode(array('status' => $result));
+        break;
     default:
         echo "ERROR: invalid argument specified\n";
         log_error("invalid argument specified");
@@ -219,6 +223,19 @@ function cert_action_validator($opt_cert_id)
                     }
                 }
 
+                // Only run certificate automation
+                if ($options["a"] == "automation") {
+                    // Check if the cert was successul issued
+                    if (!empty((string)$certObj->statusCode) and (string)$certObj->statusCode == '200') {
+                      log_error("AcmeClient: ready to run automation for certificate: " . (string)$certObj->name);
+                      $restart_certs[] = $certObj;
+                    } else {
+                        log_error("AcmeClient: failed to run automation, certificate status not OK: " . (string)$certObj->name);
+                        return(1);
+                    }
+                    break; // Stop after first match.
+                }
+
                 // Make sure we found the configured validation method
                 if ($ref_found == true) {
                     // Was a revocation requested?
diff --git a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
index 1a335c89f9..6122512e0b 100644
--- a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
+++ b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
@@ -71,6 +71,12 @@ parameters:
 type:script
 message:signing or renewing a certificate
 
+[run-automation]
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a automation -c
+parameters:%s
+type:script
+message:running automations for a certificate
+
 [cron-auto-renew]
 command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a sign -A -C
 parameters:

From a2091befa8057fd6daf87e7a98ad28e14ea33c6e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 12 Aug 2020 16:40:57 +0200
Subject: [PATCH 0187/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index de178737e4..9c9d25f782 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		1.35
+PLUGIN_VERSION=		1.36
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From cade24c50a247cfac95a89e418df4fba4b74f04a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 13 Aug 2020 12:14:26 +0200
Subject: [PATCH 0188/3088] net-mgmt/zabbix-agent: switch to 5.0 release;
 closes #1938

---
 net-mgmt/zabbix-agent/Makefile  | 2 +-
 net-mgmt/zabbix-agent/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 00142169a5..148ae72c19 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Zabbix monitoring agent
-PLUGIN_DEPENDS=		zabbix4-agent
+PLUGIN_DEPENDS=		zabbix5-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 4ba4ced181..3c687fcbc7 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -16,3 +16,4 @@ Plugin Changelog
 
 * Add Changelog (Starkstromkonsument <https://github.com/Starkstromkonsument>)
 * Fix logformat (Starkstromkonsument <https://github.com/Starkstromkonsument>)
+* Switch to Zabbix Agent 5.0

From 2071e23a61043524a603c6ce6e5b6691295db66c Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 13 Aug 2020 19:35:50 +0200
Subject: [PATCH 0189/3088] security/tinc: list_ciphers.py parse issue on 20.7.
 closes https://github.com/opnsense/plugins/issues/1976

---
 .../scripts/OPNsense/Tinc/list_ciphers.py         | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/list_ciphers.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/list_ciphers.py
index 244491048d..76e2c99812 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/list_ciphers.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/list_ciphers.py
@@ -1,7 +1,7 @@
 #!/usr/local/bin/python3
 
 """
-    Copyright (c) 2016-2019 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2016-2020 Ad Schellevis <ad@opnsense.org>
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -28,19 +28,14 @@
     --------------------------------------------------------------------------------------
     list ciphers
 """
-from subprocess import Popen, PIPE
+import subprocess
 import ujson
 
 response = dict()
 
-p = Popen(['/usr/bin/openssl','enc', '-help'],stdin=PIPE, stdout=PIPE, stderr=PIPE, bufsize=-1)
-output, error = p.communicate()
-cipher_section = False
-for line in error.decode().split('\n'):
-    if line.find('Cipher Types') == 0:
-        cipher_section = True
-        continue
-    if cipher_section:
+p = subprocess.run(['/usr/local/bin/openssl', 'enc', '-ciphers'], capture_output=True, text=True)
+for line in p.stdout.split("\n"):
+    if not line.startswith('Supported'):
         for item in line.split():
             if len(item) > 1:
                 response[item[1:]] = item[1:]

From 7526053bfea0600e503090789728c40c1f534450 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 14 Aug 2020 09:04:07 +0200
Subject: [PATCH 0190/3088] net-mgmt/zabbix-agent: fix permission

---
 .../src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py

diff --git a/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py b/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py
old mode 100644
new mode 100755

From 6ec1883fa68a019f70ec6ab4292e8aeed9b2d0cc Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 15 Aug 2020 14:48:10 +0200
Subject: [PATCH 0191/3088] security/tinc. list_ciphers compatibility with both
 libre and open ssl. closes https://github.com/opnsense/plugins/issues/1976

---
 .../opnsense/scripts/OPNsense/Tinc/list_ciphers.py | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/list_ciphers.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/list_ciphers.py
index 76e2c99812..893ac68cb0 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/list_ciphers.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/list_ciphers.py
@@ -34,11 +34,15 @@
 response = dict()
 
 p = subprocess.run(['/usr/local/bin/openssl', 'enc', '-ciphers'], capture_output=True, text=True)
-for line in p.stdout.split("\n"):
-    if not line.startswith('Supported'):
-        for item in line.split():
-            if len(item) > 1:
-                response[item[1:]] = item[1:]
+ciphers_start = False
+for f in [p.stdout, p.stderr]:
+    for line in f.split("\n"):
+        if line.startswith('Supported ciphers:') or line.startswith('Valid ciphername values:'):
+            ciphers_start = True
+        elif ciphers_start:
+            for item in line.split():
+                if len(item) > 1:
+                    response[item[1:]] = item[1:]
 
 response["none"] = "None"
 # output generated keys

From 4716fb18a20719de4342bd8b633c1354124a402f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 17 Aug 2020 13:00:55 +0200
Subject: [PATCH 0192/3088] stunnel identd: increase request_queue_size,
 default 5 is quite low. While here, switch to threading tcp server to better
 cope with concurrent requests

---
 security/stunnel/Makefile                                      | 2 +-
 .../stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py     | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index c308ced566..c79e12bfb7 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		stunnel
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.0.1
 PLUGIN_COMMENT=		stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py b/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
index 318ba9a62b..115619d400 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
+++ b/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
@@ -187,8 +187,9 @@ def handle(self):
 
 
 def run_listener():
-    server = socketserver.TCPServer(('0.0.0.0', 113), RequestHandler, bind_and_activate=False)
+    server = socketserver.ThreadingTCPServer(('0.0.0.0', 113), RequestHandler, bind_and_activate=False)
     server.allow_reuse_address = True
+    server.request_queue_size = 128
     server.server_bind()
     server.server_activate()
     server.serve_forever()

From dd34f01d112ae1e8e387a205b5937032c65b261b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 18 Aug 2020 11:45:23 +0200
Subject: [PATCH 0193/3088] LICENSE: sync

---
 LICENSE                                                        | 3 ++-
 .../opnsense/scripts/systemhealth/logformats/zabbix_agentd.py  | 3 +--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/LICENSE b/LICENSE
index 069d562f93..e240a4202e 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@ Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2017-2019 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2020 Franco Fichtner <franco@opnsense.org>
-Copyright (c) 2016-2019 Frank Wall
+Copyright (c) 2016-2020 Frank Wall
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
@@ -26,6 +26,7 @@ Copyright (c) 2010-2012 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2019 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz
+Copyright (c) 2020 Starkstromkonsument
 Copyright (c) 2010 Yehuda Katz
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
diff --git a/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py b/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py
index dbb5a327a8..6376419491 100755
--- a/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py
+++ b/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py
@@ -1,6 +1,6 @@
 """
     Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
-    Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+    Copyright (C) 2020 Starkstromkonsument
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -53,4 +53,3 @@ def process_name(line):
     def line(line):
         tmp = re.match(zabbix_timeformat, line)
         return tmp.group(3)
-

From 89737ebe2c4a36ceb79a9ae48ec832452e983210 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 18 Aug 2020 17:40:21 +0200
Subject: [PATCH 0194/3088] net/haproxy: add support for resolvers, refs #1787

---
 .../HAProxy/Api/SettingsController.php        | 30 +++++++++
 .../OPNsense/HAProxy/IndexController.php      |  1 +
 .../OPNsense/HAProxy/forms/dialogBackend.xml  |  7 ++
 .../OPNsense/HAProxy/forms/dialogResolver.xml | 54 +++++++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 66 ++++++++++++++++++-
 .../app/models/OPNsense/HAProxy/Menu/Menu.xml |  1 +
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 53 ++++++++++++++-
 .../templates/OPNsense/HAProxy/haproxy.conf   | 39 +++++++++++
 8 files changed, 249 insertions(+), 2 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index 7779d14d56..ef5f8f65d4 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -379,4 +379,34 @@ public function searchUsersAction()
     {
         return $this->searchBase('users.user', array('enabled', 'name', 'description'), 'name');
     }
+
+    public function getresolverAction($uuid = null)
+    {
+        return $this->getBase('resolver', 'resolvers.resolver', $uuid);
+    }
+
+    public function setresolverAction($uuid)
+    {
+        return $this->setBase('resolver', 'resolvers.resolver', $uuid);
+    }
+
+    public function addresolverAction()
+    {
+        return $this->addBase('resolver', 'resolvers.resolver');
+    }
+
+    public function delresolverAction($uuid)
+    {
+        return $this->delBase('resolvers.resolver', $uuid);
+    }
+
+    public function toggleresolverAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase('resolvers.resolver', $uuid);
+    }
+
+    public function searchresolversAction()
+    {
+        return $this->searchBase('resolvers.resolver', array('enabled', 'name', 'nameservers'), 'name');
+    }
 }
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
index 0203015213..1209f8ad00 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
@@ -57,6 +57,7 @@ public function indexAction()
         $this->view->formDialogErrorfile = $this->getForm("dialogErrorfile");
         $this->view->formDialogMapfile = $this->getForm("dialogMapfile");
         $this->view->formDialogCpu = $this->getForm("dialogCpu");
+        $this->view->formDialogResolver = $this->getForm("dialogResolver");
         // set additional view parameters
         $mdlHAProxy = new \OPNsense\HAProxy\HAProxy();
         $this->view->showIntro = (string)$mdlHAProxy->general->showIntro;
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 380bcd3654..8d4479ef5c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -54,6 +54,13 @@
         <help><![CDATA[Add servers to this backend. Use TAB key to complete typing.]]></help>
         <hint>Type server name or choose from list.</hint>
     </field>
+    <field>
+        <id>backend.linkedResolver</id>
+        <label>Resolver</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select the custom resolver configuration that should be used for all servers in this backend.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>backend.source</id>
         <label>Source address</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
new file mode 100644
index 0000000000..a604d7d6fb
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
@@ -0,0 +1,54 @@
+<form>
+    <field>
+        <id>resolver.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable this resolver configuration.</help>
+    </field>
+    <field>
+        <id>resolver.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Choose a name for this resolver configuration.</help>
+    </field>
+    <field>
+        <id>resolver.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Choose a optional description for this resolver configuration.</help>
+    </field>
+    <field>
+        <id>resolver.nameservers</id>
+        <label>Nameservers</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <sortable>true</sortable>
+        <help><![CDATA[Add nameservers to this resolver configuration, i.e. 127.0.0.1:53 or 192.168.1.1:53. Use TAB key to complete typing.]]></help>
+        <hint>Enter ip:port here. Finish with TAB.</hint>
+    </field>
+    <field>
+        <id>resolver.parse_resolv_conf</id>
+        <label>Use resolv.conf</label>
+        <type>checkbox</type>
+        <help>Add all nameservers found in /etc/resolv.conf to this resolver configuration.</help>
+    </field>
+    <field>
+        <id>resolver.resolve_retries</id>
+        <label>Resolve Retries</label>
+        <type>text</type>
+        <help><![CDATA[This configures the number of queries to send to resolve a server name before giving up.]]></help>
+    </field>
+    <field>
+        <id>resolver.timeout_resolve</id>
+        <label>Resolve Timeout</label>
+        <type>text</type>
+        <help><![CDATA[This configures the default time to trigger name resolutions when no other time applied. Enter a number followed by one of the supported suffixes "d" (days), "h" (hour), "m" (minute), "s" (seconds), "ms" (miliseconds).]]></help>
+    </field>
+    <field>
+        <id>resolver.timeout_retry</id>
+        <label>Retry Timeout</label>
+        <type>text</type>
+        <help><![CDATA[This configures the default time between two DNS queries, when no valid response has been received. Enter a number followed by one of the supported suffixes "d" (days), "h" (hour), "m" (minute), "s" (seconds), "ms" (miliseconds).]]></help>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 584a74bba8..3628b1adc9 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>2.9.0</version>
+    <version>2.10.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -792,6 +792,18 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedServers>
+                <linkedResolver type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>resolvers.resolver</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related resolver not found</ValidationMessage>
+                    <multiple>N</multiple>
+                    <Required>N</Required>
+                </linkedResolver>
                 <source type="TextField">
                     <mask>/^((([0-9a-zA-Z._\-\*:]+)))*/u</mask>
                     <ChangeCase>lower</ChangeCase>
@@ -2482,5 +2494,57 @@
                 </cpu_id>
             </cpu>
         </cpus>
+        <resolvers>
+            <resolver type="ArrayField">
+                <id type="UniqueIdField">
+                    <Required>Y</Required>
+                </id>
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>Y</Required>
+                </name>
+                <description type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                </description>
+                <nameservers type="CSVListField">
+                    <Required>N</Required>
+                    <Sorted>Y</Sorted>
+                    <multiple>Y</multiple>
+                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</mask>
+                    <ChangeCase>lower</ChangeCase>
+                    <ValidationMessage>Please provide a valid nameserver address, i.e. 127.0.0.1:53, [::1]:53 or 192.168.1.1:53.</ValidationMessage>
+                </nameservers>
+                <parse_resolv_conf type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </parse_resolv_conf>
+                <resolve_retries type="IntegerField">
+                    <default>3</default>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>100000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 100000.</ValidationMessage>
+                    <Required>N</Required>
+                </resolve_retries>
+                <timeout_resolve type="TextField">
+                    <default>1s</default>
+                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </timeout_resolve>
+                <timeout_retry type="TextField">
+                    <default>1s</default>
+                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </timeout_retry>
+            </resolver>
+        </resolvers>
     </items>
 </model>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
index 15829a646e..750fe00af6 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
@@ -20,6 +20,7 @@
               <Luas VisibleName="Lua Scripts" url="/ui/haproxy#luas"/>
               <Errorfiles VisibleName="Error Files" url="/ui/haproxy#errorfiles"/>
               <Mapfiles VisibleName="Map Files" url="/ui/haproxy#mapfiles"/>
+              <Resolvers VisibleName="Resolvers" url="/ui/haproxy#resolvers"/>
           </Settings>
           <Statistics order="20" url="/ui/haproxy/statistics">
               <Overview VisibleName="Overview" url="/ui/haproxy/statistics#info"/>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 6cc4460973..3e4086172c 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -198,6 +198,19 @@ POSSIBILITY OF SUCH DAMAGE.
             }
         );
 
+        $("#grid-resolvers").UIBootgrid(
+            {   search:'/api/haproxy/settings/searchResolvers',
+                get:'/api/haproxy/settings/getResolver/',
+                set:'/api/haproxy/settings/setResolver/',
+                add:'/api/haproxy/settings/addResolver/',
+                del:'/api/haproxy/settings/delResolver/',
+                toggle:'/api/haproxy/settings/toggleResolver/',
+                options: {
+                    rowCount:[10,25,50,100,500,1000]
+                }
+            }
+        );
+
         // hook into on-show event for dialog to extend layout.
         $('#DialogAcl').on('shown.bs.modal', function (e) {
             $("#acl\\.expression").change(function(){
@@ -538,6 +551,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <li><a data-toggle="tab" href="#luas">{{ lang._('Lua Scripts') }}</a></li>
             <li><a data-toggle="tab" href="#mapfiles">{{ lang._('Map Files') }}</a></li>
             <li><a data-toggle="tab" href="#cpus">{{ lang._('CPU Affinity Rules') }}</a></li>
+            <li><a data-toggle="tab" href="#resolvers">{{ lang._('Resolvers') }}</a></li>
         </ul>
     </li>
 </ul>
@@ -626,8 +640,9 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sLua scripts:%s Include your own Lua code/scripts to extend HAProxy's functionality. The Lua code can be used in certain %sRules%s, for example.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sMap Files:%s A map allows to map a data in input to an other one on output. For example, this makes it possible to map a large number of domains to backend pools without using the GUI. Map files need to be used in %sRules%s, otherwise they are ignored.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sCPU Affinity Rules:%s This feature makes it possible to bind HAProxy's processes/threads to a specific CPU (or a CPU set). Furthermore it is possible to select CPU Affinity Rules in %sPublic Services%s to restrict them to a certain set of processes/threads/CPUs.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
+              <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#process" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#process" target="_blank">', '</a>','<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -1067,6 +1082,41 @@ POSSIBILITY OF SUCH DAMAGE.
             <br/>
         </div>
     </div>
+
+    <div id="resolvers" class="tab-pane fade">
+        <!-- tab page "resolvers" -->
+        <table id="grid-resolvers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogResolver">
+            <thead>
+            <tr>
+                <th data-column-id="resolverid" data-type="number"  data-visible="false">{{ lang._('Resolver ID') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                <th data-column-id="nameservers" data-type="string">{{ lang._('Nameservers') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+        <!-- apply button -->
+        <div class="col-md-12">
+            <hr/>
+            <button class="btn btn-primary" id="reconfigureAct-resolvers" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
+            <button class="btn btn-primary" id="configtestAct-resolvers" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
+            <br/>
+            <br/>
+        </div>
+    </div>
 </div>
 
 {# include dialogs #}
@@ -1082,3 +1132,4 @@ POSSIBILITY OF SUCH DAMAGE.
 {{ partial("layout_partials/base_dialog",['fields':formDialogErrorfile,'id':'DialogErrorfile','label':lang._('Edit Error Message')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogMapfile,'id':'DialogMapfile','label':lang._('Edit Map File')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogCpu,'id':'DialogCpu','label':lang._('Edit CPU Affinity Rule')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogResolver,'id':'DialogResolver','label':lang._('Edit Resolver')])}}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index ac4f9d2003..68f0533560 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -998,6 +998,40 @@ userlist stats_auth
 {%   endif %}
 {% endif %}
 
+{# ############################### #}
+{#             RESOLVERS           #}
+{# ############################### #}
+
+{% if helpers.exists('OPNsense.HAProxy.resolvers') %}
+{%   for resolver in helpers.toList('OPNsense.HAProxy.resolvers.resolver') %}
+{%     if resolver.enabled == '1' %}
+# Resolver: {{resolver.name}}
+resolvers {{resolver.id}}
+{%       if resolver.nameservers|default("") != "" %}
+{%         for nameserver in resolver.nameservers.split(",") %}
+    nameserver {{nameserver}} {{nameserver}}
+{%         endfor %}
+{%       endif %}
+{%       if resolver.parse_resolv_conf|default("") == "1" %}
+    parse-resolv-conf
+{%       endif %}
+{%       if resolver.resolve_retries|default("") != "" %}
+    resolve_retries {{resolver.resolve_retries}}
+{%       endif %}
+{%       if resolver.timeout_resolve|default("") != "" %}
+    timeout resolve {{resolver.timeout_resolve}}
+{%       endif %}
+{%       if resolver.timeout_retry|default("") != "" %}
+    timeout retry {{resolver.timeout_retry}}
+{%       endif %}
+
+{%     else %}
+# Resolver (DISABLED): {{resolver.name}}
+
+{%     endif %}
+{%   endfor %}
+{%- endif -%}
+
 {# ############################### #}
 {#             FRONTENDS           #}
 {# ############################### #}
@@ -1454,6 +1488,11 @@ backend {{backend.name}}
 {%                 do server_options.append('verify none') %}
 {%               endif %}
 {%             endif %}
+{#             # resolver #}
+{%             if backend.linkedResolver|default("") != "" %}
+{%               set resolver_data = helpers.getUUID(backend.linkedResolver) %}
+{%               do server_options.append('resolvers ' ~ resolver_data.id) %}
+{%             endif %}
 {#             # source address #}
 {%             if backend.source|default("") != "" %}
 {#               # prefer backend configuration #}

From 66608b9dc99c53fab85e25dfdb6a5015d73be007 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 18 Aug 2020 18:05:01 +0200
Subject: [PATCH 0195/3088] net/haproxy: add support for init-addr, fixes #1787

---
 .../app/controllers/OPNsense/HAProxy/forms/main.xml   |  8 ++++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml       | 11 +++++++++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf   |  3 +++
 3 files changed, 22 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml
index 15e2cbc434..c7145c7905 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml
@@ -227,6 +227,14 @@
                 <type>dropdown</type>
                 <help><![CDATA[Enable or disable session redistribution in case of connection failure.]]></help>
             </field>
+            <field>
+                <id>haproxy.general.defaults.init_addr</id>
+                <label>DNS Resolve Order</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <sortable>true</sortable>
+                <help><![CDATA[Indicates in which order server addresses should be resolved upon startup. Method "last" suggests to pick the address which appears in the state file. Method "libc" uses the libc's internal resolver. Method "none" specifically indicates that the server should start without any valid IP address in a down state. It can be useful to ignore some DNS issues upon startup, waiting for the situation to get fixed later. Defaults to "last,libc".]]></help>
+            </field>
             <field>
                 <id>haproxy.general.defaults.customOptions</id>
                 <label>Custom options</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 3628b1adc9..914f3b74d9 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -199,6 +199,17 @@
                         <x-3>redispatch on the 3rd retry prior to the last retry</x-3>
                     </OptionValues>
                 </redispatch>
+                <init_addr type="OptionField">
+                    <Required>N</Required>
+                    <default>last,libc</default>
+                    <Multiple>Y</Multiple>
+                    <Sorted>Y</Sorted>
+                    <OptionValues>
+                        <last>last</last>
+                        <libc>libc</libc>
+                        <none>none</none>
+                    </OptionValues>
+                </init_addr>
                 <customOptions type="TextField">
                     <Required>N</Required>
                 </customOptions>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 68f0533560..10dd9c4952 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -933,6 +933,9 @@ defaults
 {%   if OPNsense.HAProxy.general.defaults.retries|default("") != "" %}
     retries {{OPNsense.HAProxy.general.defaults.retries}}
 {%   endif %}
+{%   if OPNsense.HAProxy.general.defaults.init_addr|default("") != "" %}
+    default-server init-addr {{OPNsense.HAProxy.general.defaults.init_addr}}
+{%   endif %}
 {%   if OPNsense.HAProxy.general.defaults.customOptions|default("") != "" %}
     # WARNING: pass through options below this line
 {%     for customOpt in OPNsense.HAProxy.general.defaults.customOptions.split("\n") %}

From 890394928ad884debdd233312b2f28f3a646fc38 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 20 Aug 2020 00:06:44 +0200
Subject: [PATCH 0196/3088] net/haproxy: streamline "settings" page, improve
 inline help, add new button

---
 .../OPNsense/HAProxy/IndexController.php      |  24 +-
 .../OPNsense/HAProxy/forms/generalCache.xml   |  30 ++
 .../HAProxy/forms/generalDefaults.xml         |  63 ++++
 .../OPNsense/HAProxy/forms/generalLogging.xml |  31 ++
 .../OPNsense/HAProxy/forms/generalPeers.xml   |  56 +++
 .../HAProxy/forms/generalSettings.xml         |  30 ++
 .../OPNsense/HAProxy/forms/generalStats.xml   |  60 +++
 .../OPNsense/HAProxy/forms/generalTuning.xml  | 102 +++++
 .../OPNsense/HAProxy/forms/main.xml           | 356 ------------------
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 303 ++++++++++-----
 10 files changed, 603 insertions(+), 452 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalCache.xml
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalDefaults.xml
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalLogging.xml
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalPeers.xml
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalStats.xml
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
 delete mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
index 1209f8ad00..141fac3e51 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
@@ -44,20 +44,26 @@ class IndexController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         // include form definitions
-        $this->view->mainForm = $this->getForm("main");
-        $this->view->formDialogFrontend = $this->getForm("dialogFrontend");
-        $this->view->formDialogBackend = $this->getForm("dialogBackend");
-        $this->view->formDialogServer = $this->getForm("dialogServer");
-        $this->view->formDialogHealthcheck = $this->getForm("dialogHealthcheck");
-        $this->view->formDialogAction = $this->getForm("dialogAction");
         $this->view->formDialogAcl = $this->getForm("dialogAcl");
-        $this->view->formDialogUser = $this->getForm("dialogUser");
+        $this->view->formDialogAction = $this->getForm("dialogAction");
+        $this->view->formDialogBackend = $this->getForm("dialogBackend");
+        $this->view->formDialogCpu = $this->getForm("dialogCpu");
+        $this->view->formDialogErrorfile = $this->getForm("dialogErrorfile");
+        $this->view->formDialogFrontend = $this->getForm("dialogFrontend");
         $this->view->formDialogGroup = $this->getForm("dialogGroup");
+        $this->view->formDialogHealthcheck = $this->getForm("dialogHealthcheck");
         $this->view->formDialogLua = $this->getForm("dialogLua");
-        $this->view->formDialogErrorfile = $this->getForm("dialogErrorfile");
         $this->view->formDialogMapfile = $this->getForm("dialogMapfile");
-        $this->view->formDialogCpu = $this->getForm("dialogCpu");
         $this->view->formDialogResolver = $this->getForm("dialogResolver");
+        $this->view->formDialogServer = $this->getForm("dialogServer");
+        $this->view->formDialogUser = $this->getForm("dialogUser");
+        $this->view->generalCacheForm = $this->getForm("generalCache");
+        $this->view->generalDefaultsForm = $this->getForm("generalDefaults");
+        $this->view->generalLoggingForm = $this->getForm("generalLogging");
+        $this->view->generalPeersForm = $this->getForm("generalPeers");
+        $this->view->generalSettingsForm = $this->getForm("generalSettings");
+        $this->view->generalStatsForm = $this->getForm("generalStats");
+        $this->view->generalTuningForm = $this->getForm("generalTuning");
         // set additional view parameters
         $mdlHAProxy = new \OPNsense\HAProxy\HAProxy();
         $this->view->showIntro = (string)$mdlHAProxy->general->showIntro;
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalCache.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalCache.xml
new file mode 100644
index 0000000000..d9fd948b39
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalCache.xml
@@ -0,0 +1,30 @@
+<form>
+    <field>
+        <label>Cache</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.cache.enabled</id>
+        <label>Cache enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable HAProxy's cache which was designed to perform cache on small objects (favicon, css...). This is a minimalist low-maintenance cache which runs in RAM.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.cache.totalMaxSize</id>
+        <label>Maximum Size of Cache (MB)</label>
+        <type>text</type>
+        <help><![CDATA[Define the size in RAM of the cache in megabytes. This size is split in blocks of 1kB which are used by the cache entries. Its maximum value is 4095.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.cache.maxAge</id>
+        <label>Maximum Object Age (sec)</label>
+        <type>text</type>
+        <help><![CDATA[Define the maximum expiration duration. Cache-Control response headers will be respected if they are less than this value. The default value is 60 seconds.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.cache.maxObjectSize</id>
+        <label>Maximum Object Size (bytes)</label>
+        <type>text</type>
+        <help><![CDATA[Define the maximum size of the objects to be cached. Must not be greater than an half of the maximum size of the cache. If not set, it equals to a 256th of the cache size. All objects with sizes larger than this value will not be cached.]]></help>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalDefaults.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalDefaults.xml
new file mode 100644
index 0000000000..4a44e0aee1
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalDefaults.xml
@@ -0,0 +1,63 @@
+<form>
+    <field>
+        <label>Default Parameters</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.maxConnections</id>
+        <label>Max. Connections</label>
+        <type>text</type>
+        <help><![CDATA[Set the maximum number of concurrent connections for this frontend.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.timeoutClient</id>
+        <label>Client Timeout</label>
+        <type>text</type>
+        <help><![CDATA[Set the maximum inactivity time on the client side. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.timeoutConnect</id>
+        <label>Connection Timeout</label>
+        <type>text</type>
+        <help><![CDATA[Set the maximum time to wait for a connection attempt to a server to succeed. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.timeoutCheck</id>
+        <label>Check Timeout</label>
+        <type>text</type>
+        <help><![CDATA[Sets an additional read timeout for running health checks on a server. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.timeoutServer</id>
+        <label>Server Timeout</label>
+        <type>text</type>
+        <help><![CDATA[Set the maximum inactivity time on the server side. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.retries</id>
+        <label>Retries</label>
+        <type>text</type>
+        <help><![CDATA[Set the number of retries to perform on a server after a connection failure (default is 3).]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.redispatch</id>
+        <label>Session redistribution</label>
+        <type>dropdown</type>
+        <help><![CDATA[Enable or disable session redistribution in case of connection failure.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.init_addr</id>
+        <label>DNS Resolve Order</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <sortable>true</sortable>
+        <help><![CDATA[Indicates in which order server addresses should be resolved upon startup. Method "last" suggests to pick the address which appears in the state file. Method "libc" uses the libc's internal resolver. Method "none" specifically indicates that the server should start without any valid IP address in a down state. It can be useful to ignore some DNS issues upon startup, waiting for the situation to get fixed later. Defaults to "last,libc".]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.customOptions</id>
+        <label>Custom options</label>
+        <type>textbox</type>
+        <help><![CDATA[These lines will be added to the defaults settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalLogging.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalLogging.xml
new file mode 100644
index 0000000000..cdc79ac14b
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalLogging.xml
@@ -0,0 +1,31 @@
+<form>
+    <field>
+        <label>Logging</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.logging.host</id>
+        <label>Log Host</label>
+        <type>text</type>
+        <help><![CDATA[Indicates where to send the logs. Takes an IPv4 or IPv6 address optionally followed by a colon (':') and a UDP port, i.e. 127.0.0.1 or 10.0.0.1:514]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.logging.facility</id>
+        <label>Syslog facility</label>
+        <type>dropdown</type>
+        <help><![CDATA[Choose one of the 24 standard syslog facilities. The default value is local0.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.logging.level</id>
+        <label>Filter syslog level</label>
+        <type>dropdown</type>
+        <help><![CDATA[Can be specified to filter outgoing messages. By default, all messages are sent. If a level is specified, only messages with a severity at least as important as this level will be sent.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.logging.length</id>
+        <label>Max. line length</label>
+        <type>text</type>
+        <help><![CDATA[Specify an optional maximum line length in characters. Log lines larger than this value will be truncated before being sent. The reason is that syslog servers act differently on log line length. All servers support the default value of 1024 characters, but some servers simply drop larger lines while others do log them.]]></help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalPeers.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalPeers.xml
new file mode 100644
index 0000000000..f1091f4f35
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalPeers.xml
@@ -0,0 +1,56 @@
+<form>
+    <field>
+        <label>Peers</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.peers.enabled</id>
+        <label>Enable peers</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable or disable HAProxy peers. This will propagate entries of any data-types in stick-tables between several HAProxy instances over TCP connections in a multi-master fashion.]]></help>
+    </field>
+    <field>
+        <label>Peer 1 (this host)</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.peers.name1</id>
+        <label>Peer name (FQDN)</label>
+        <type>text</type>
+        <help><![CDATA[The name of the peer. This is usually the full hostname to make it possible for HAProxy to recognize the local peer. If HAProxy is unable to find the local peer it will fail to start.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.peers.listen1</id>
+        <label>Listen address (IP)</label>
+        <type>text</type>
+        <help><![CDATA[The listen address of the local peer or the address of the remote peer.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.peers.port1</id>
+        <label>TCP Port</label>
+        <type>text</type>
+        <help><![CDATA[The TCP port that should be used for connections to this peer. It must not be used by any other service.]]></help>
+    </field>
+    <field>
+        <label>Peer 2 (remote host)</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.peers.name2</id>
+        <label>Peer name (FQDN)</label>
+        <type>text</type>
+        <help><![CDATA[The name of the peer. This is usually the full hostname to make it possible for HAProxy to recognize the local peer. If HAProxy is unable to find the local peer it will fail to start.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.peers.listen2</id>
+        <label>Listen address (IP)</label>
+        <type>text</type>
+        <help><![CDATA[The listen address of the local peer or the address of the remote peer.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.peers.port2</id>
+        <label>TCP Port</label>
+        <type>text</type>
+        <help><![CDATA[The TCP port that should be used for connections to this peer. It must not be used by any other service.]]></help>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
new file mode 100644
index 0000000000..78d7ce4b2a
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
@@ -0,0 +1,30 @@
+<form>
+    <field>
+        <label>Service</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.enabled</id>
+        <label>Enable HAProxy</label>
+        <type>checkbox</type>
+        <help>Enable or disable the HAProxy service.</help>
+    </field>
+    <field>
+        <id>haproxy.general.gracefulStop</id>
+        <label>Graceful stop</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable HAProxy's graceful stop mode. In this mode HAProxy will continue to process existing connections until they close. Note that this may severely slow down HAProxy's shutdown, depending on the configured timeout values. If graceful stop mode is not enabled, HAProxy will use the hard stop mode where it immediately quits and all established connections are closed. Hard stop mode is recommended.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.seamlessReload</id>
+        <label>Seamless reload</label>
+        <type>checkbox</type>
+        <help><![CDATA[HAProxy will handle service restarts in a way that no connections are dropped. This is the best restart mode, because it has no impact on user experience. That being said, there might be edge cases where seamless reloads lead to unexpected behaviour.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.showIntro</id>
+        <label>Show introduction pages</label>
+        <type>checkbox</type>
+        <help><![CDATA[Uncheck to hide all additional introduction pages. Requires a manual page reload for the change to take effect.]]></help>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalStats.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalStats.xml
new file mode 100644
index 0000000000..6832e1e173
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalStats.xml
@@ -0,0 +1,60 @@
+<form>
+    <field>
+        <label>Statistics</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.stats.enabled</id>
+        <label>Stats enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable HAProxy's statistics page.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.stats.port</id>
+        <label>Local stats TCP port</label>
+        <type>text</type>
+        <help><![CDATA[Choose a TCP port to be used for the local statistics page. The default value is 8822.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>haproxy.general.stats.remoteEnabled</id>
+        <label>Enable remote access</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable remote access to HAProxy's statistics page. <b>This may be a security risk if you do not enable authentication!</b> Note that you need to add appropiate firewall rules for this to work.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.stats.remoteBind</id>
+        <label>Remote listen addresses</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Configure listen addresses for the statistics page to enable remote access, i.e. 10.0.0.1:8080 or haproxy.example.com:8999. Use TAB key to complete typing a listen address.]]></help>
+        <hint>Enter address:port here. Finish with TAB.</hint>
+    </field>
+    <field>
+        <id>haproxy.general.stats.authEnabled</id>
+        <label>Enable authentication</label>
+        <type>checkbox</type>
+    </field>
+    <field>
+        <id>haproxy.general.stats.allowedUsers</id>
+        <label>Allowed Users</label>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <hint>Type username or choose from list.</hint>
+    </field>
+    <field>
+        <id>haproxy.general.stats.allowedGroups</id>
+        <label>Allowed Groups</label>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <hint>Type group or choose from list.</hint>
+    </field>
+    <field>
+        <id>haproxy.general.stats.customOptions</id>
+        <label>Custom options</label>
+        <type>textbox</type>
+        <help><![CDATA[These lines will be added to the statistics settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
new file mode 100644
index 0000000000..a5abb322c0
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -0,0 +1,102 @@
+<form>
+    <field>
+        <label>Global Parameters</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.root</id>
+        <label>Run as root</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable or disable HAProxy running as root.<br/><div class="text-info"><b>NOTE:</b> Enabling root could be a security issue but it's required by some feature.</div>]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.nbproc</id>
+        <label>HAProxy processes</label>
+        <type>text</type>
+        <help><![CDATA[Number of HAProxy processes to start.<br/><div class="text-info"><b>NOTE:</b> You may experience random issues in multi-process mode. For more information about the "nbproc" option please see the HAProxy Documentation.</div>]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.nbthread</id>
+        <label>HAProxy threads</label>
+        <type>text</type>
+        <help><![CDATA[Number of threads to create for each HAProxy process.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.maxConnections</id>
+        <label>Maximum connections</label>
+        <type>text</type>
+        <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> HAProxy will not be able to allocate enough memory if you set this value too high. Consider raising the settings for kern.maxfiles and kern.maxfilesperproc if you need to specify a non-default value.</div>]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.sslServerVerify</id>
+        <label>Verify SSL Server Certificates</label>
+        <type>dropdown</type>
+        <help><![CDATA[This enforces a certain behavior for SSL verify on servers, ignoring per-server settings. If set to 'enforce verify', server certificates are verified. If set to 'disable verify', server certificates are not verified. The default is 'no preference' to only use per-server configurations and not enforce a global default for all servers.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.maxDHSize</id>
+        <label>Maximum SSL DH Size</label>
+        <type>text</type>
+        <help><![CDATA[Sets the maximum size of the Diffie-Hellman parameters used for generating the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange (default is 1024).<br/><div class="text-info"><b>NOTE:</b> Higher values will increase the CPU load. For more information about the "tune.ssl.default-dh-param" option please see the HAProxy Documentation.</div>]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.bufferSize</id>
+        <label>Buffer size</label>
+        <type>text</type>
+        <help><![CDATA[Change the buffer size (in bytes). Lower values allow more sessions to coexist in the same amount of RAM, and higher values allow some applications with very large cookies to work. The default value is 16384. <br/><div class="text-info"><b>NOTE:</b> It is strongly recommended not to change this from the default value, as very low values will break some services such as statistics, and values larger than default size will increase memory usage, possibly causing the system to run out of memory.</div>]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.checkBufferSize</id>
+        <label>Health check buffer size</label>
+        <type>text</type>
+        <help><![CDATA[Change the check buffer size (in bytes). Higher values may help find string or regex patterns in very large pages, though doing so may imply more memory and CPU usage. The default value is 16384.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.luaMaxMem</id>
+        <label>Maximum RAM per LUA process</label>
+        <type>text</type>
+        <help><![CDATA[Sets the maximum amount of RAM in megabytes per process usable by Lua. By default it is zero which means unlimited. It is important to set a limit to ensure that a bug in a script will not result in the system running out of memory.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.spreadChecks</id>
+        <label>Spread checks</label>
+        <type>text</type>
+        <help><![CDATA[Add some randomness in the check interval between 0 and +/- 50%. A value between 2 and 5 seems to show good results. The default value is 0 (disabled).]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.customOptions</id>
+        <label>Custom options</label>
+        <type>textbox</type>
+        <help><![CDATA[These lines will be added to the global settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <label>SSL default settings</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.ssl_defaultsEnabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable global SSL default values.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.ssl_bindOptions</id>
+        <label>Bind options</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.ssl_cipherList</id>
+        <label>Cipher List</label>
+        <type>text</type>
+        <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml
deleted file mode 100644
index c7145c7905..0000000000
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml
+++ /dev/null
@@ -1,356 +0,0 @@
-<form>
-    <tab id="haproxy-general" description="Settings">
-        <subtab id="haproxy-general-settings" description="Service Settings">
-            <field>
-                <id>haproxy.general.enabled</id>
-                <label>Enable HAProxy</label>
-                <type>checkbox</type>
-                <help>Enable or disable the HAProxy service.</help>
-            </field>
-            <field>
-                <id>haproxy.general.gracefulStop</id>
-                <label>Graceful stop</label>
-                <type>checkbox</type>
-                <help><![CDATA[Enable HAProxy's graceful stop mode. In this mode HAProxy will continue to process existing connections until they close. Note that this may severely slow down HAProxy's shutdown, depending on the configured timeout values. If graceful stop mode is not enabled, HAProxy will use the hard stop mode where it immediately quits and all established connections are closed. Hard stop mode is recommended.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.seamlessReload</id>
-                <label>Seamless reload</label>
-                <type>checkbox</type>
-                <help><![CDATA[HAProxy will handle service restarts in a way that no connections are dropped. This is the best restart mode, because it has no impact on user experience. That being said, there might be edge cases where seamless reloads lead to unexpected behaviour.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.showIntro</id>
-                <label>Show introduction pages</label>
-                <type>checkbox</type>
-                <help><![CDATA[Uncheck to hide all additional introduction pages. Requires a manual page reload for the change to take effect.]]></help>
-            </field>
-        </subtab>
-        <subtab id="haproxy-general-peers" description="Peers / Session Sync">
-            <field>
-                <id>haproxy.general.peers.enabled</id>
-                <label>Enable peers</label>
-                <type>checkbox</type>
-                <help><![CDATA[Enable or disable HAProxy peers. This will propagate entries of any data-types in stick-tables between several HAProxy instances over TCP connections in a multi-master fashion.]]></help>
-            </field>
-            <field>
-                <label>Peer 1</label>
-                <type>header</type>
-            </field>
-            <field>
-                <id>haproxy.general.peers.name1</id>
-                <label>Peer name (FQDN)</label>
-                <type>text</type>
-                <help><![CDATA[The name of the peer. This is usually the full hostname to make it possible for HAProxy to recognize the local peer. If HAProxy is unable to find the local peer it will fail to start.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.peers.listen1</id>
-                <label>Listen address (IP)</label>
-                <type>text</type>
-                <help><![CDATA[The listen address of the local peer or the address of the remote peer.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.peers.port1</id>
-                <label>TCP Port</label>
-                <type>text</type>
-                <help><![CDATA[The TCP port that should be used for connections to this peer. It must not be used by any other service.]]></help>
-            </field>
-            <field>
-                <label>Peer 2</label>
-                <type>header</type>
-            </field>
-            <field>
-                <id>haproxy.general.peers.name2</id>
-                <label>Peer name (FQDN)</label>
-                <type>text</type>
-                <help><![CDATA[The name of the peer. This is usually the full hostname to make it possible for HAProxy to recognize the local peer. If HAProxy is unable to find the local peer it will fail to start.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.peers.listen2</id>
-                <label>Listen address (IP)</label>
-                <type>text</type>
-                <help><![CDATA[The listen address of the local peer or the address of the remote peer.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.peers.port2</id>
-                <label>TCP Port</label>
-                <type>text</type>
-                <help><![CDATA[The TCP port that should be used for connections to this peer. It must not be used by any other service.]]></help>
-            </field>
-        </subtab>
-        <subtab id="haproxy-general-global" description="Global Parameters">
-            <field>
-                <label>NOTE: Define global parameters for the HAProxy service. They cannot be overriden.</label>
-                <type>info</type>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.root</id>
-                <label>Run as root</label>
-                <type>checkbox</type>
-                <help><![CDATA[Enable or disable HAProxy running as root.<br/><div class="text-info"><b>NOTE:</b> Enabling root could be a security issue but it's required by some feature.</div>]]></help>
-                <advanced>true</advanced>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.nbproc</id>
-                <label>HAProxy processes</label>
-                <type>text</type>
-                <help><![CDATA[Number of HAProxy processes to start.<br/><div class="text-info"><b>NOTE:</b> You may experience random issues in multi-process mode. For more information about the "nbproc" option please see the HAProxy Documentation.</div>]]></help>
-                <advanced>true</advanced>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.nbthread</id>
-                <label>HAProxy threads</label>
-                <type>text</type>
-                <help><![CDATA[Number of threads to create for each HAProxy process.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.maxConnections</id>
-                <label>Maximum connections</label>
-                <type>text</type>
-                <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> HAProxy will not be able to allocate enough memory if you set this value too high. Consider raising the settings for kern.maxfiles and kern.maxfilesperproc if you need to specify a non-default value.</div>]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.sslServerVerify</id>
-                <label>Verify SSL Server Certificates</label>
-                <type>dropdown</type>
-                <help><![CDATA[This enforces a certain behavior for SSL verify on servers, ignoring per-server settings. If set to 'enforce verify', server certificates are verified. If set to 'disable verify', server certificates are not verified. The default is 'no preference' to only use per-server configurations and not enforce a global default for all servers.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.maxDHSize</id>
-                <label>Maximum SSL DH Size</label>
-                <type>text</type>
-                <help><![CDATA[Sets the maximum size of the Diffie-Hellman parameters used for generating the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange (default is 1024).<br/><div class="text-info"><b>NOTE:</b> Higher values will increase the CPU load. For more information about the "tune.ssl.default-dh-param" option please see the HAProxy Documentation.</div>]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.bufferSize</id>
-                <label>Buffer size</label>
-                <type>text</type>
-                <help><![CDATA[Change the buffer size (in bytes). Lower values allow more sessions to coexist in the same amount of RAM, and higher values allow some applications with very large cookies to work. The default value is 16384. <br/><div class="text-info"><b>NOTE:</b> It is strongly recommended not to change this from the default value, as very low values will break some services such as statistics, and values larger than default size will increase memory usage, possibly causing the system to run out of memory.</div>]]></help>
-                <advanced>true</advanced>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.checkBufferSize</id>
-                <label>Health check buffer size</label>
-                <type>text</type>
-                <help><![CDATA[Change the check buffer size (in bytes). Higher values may help find string or regex patterns in very large pages, though doing so may imply more memory and CPU usage. The default value is 16384.]]></help>
-                <advanced>true</advanced>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.luaMaxMem</id>
-                <label>Maximum RAM per LUA process</label>
-                <type>text</type>
-                <help><![CDATA[Sets the maximum amount of RAM in megabytes per process usable by Lua. By default it is zero which means unlimited. It is important to set a limit to ensure that a bug in a script will not result in the system running out of memory.]]></help>
-                <advanced>true</advanced>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.spreadChecks</id>
-                <label>Spread checks</label>
-                <type>text</type>
-                <help><![CDATA[Add some randomness in the check interval between 0 and +/- 50%. A value between 2 and 5 seems to show good results. The default value is 0 (disabled).]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.customOptions</id>
-                <label>Custom options</label>
-                <type>textbox</type>
-                <help><![CDATA[These lines will be added to the global settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
-                <advanced>true</advanced>
-            </field>
-            <field>
-                <label>SSL default settings</label>
-                <type>header</type>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.ssl_defaultsEnabled</id>
-                <label>Enabled</label>
-                <type>checkbox</type>
-                <help><![CDATA[Enable global SSL default values.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.ssl_bindOptions</id>
-                <label>Bind options</label>
-                <type>select_multiple</type>
-                <style>tokenize</style>
-                <allownew>true</allownew>
-                <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.tuning.ssl_cipherList</id>
-                <label>Cipher List</label>
-                <type>text</type>
-                <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
-            </field>
-        </subtab>
-        <subtab id="haproxy-general-defaults" description="Default Parameters">
-            <field>
-                <label>NOTE: Define default parameters for ALL Public Services, Backend Pools and Servers here. They may still be overriden elsewhere.</label>
-                <type>info</type>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.maxConnections</id>
-                <label>Max. Connections</label>
-                <type>text</type>
-                <help><![CDATA[Set the maximum number of concurrent connections for this frontend.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.timeoutClient</id>
-                <label>Client Timeout</label>
-                <type>text</type>
-                <help><![CDATA[Set the maximum inactivity time on the client side. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.timeoutConnect</id>
-                <label>Connection Timeout</label>
-                <type>text</type>
-                <help><![CDATA[Set the maximum time to wait for a connection attempt to a server to succeed. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.timeoutCheck</id>
-                <label>Check Timeout</label>
-                <type>text</type>
-                <help><![CDATA[Sets an additional read timeout for running health checks on a server. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.timeoutServer</id>
-                <label>Server Timeout</label>
-                <type>text</type>
-                <help><![CDATA[Set the maximum inactivity time on the server side. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.retries</id>
-                <label>Retries</label>
-                <type>text</type>
-                <help><![CDATA[Set the number of retries to perform on a server after a connection failure (default is 3).]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.redispatch</id>
-                <label>Session redistribution</label>
-                <type>dropdown</type>
-                <help><![CDATA[Enable or disable session redistribution in case of connection failure.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.init_addr</id>
-                <label>DNS Resolve Order</label>
-                <type>select_multiple</type>
-                <style>tokenize</style>
-                <sortable>true</sortable>
-                <help><![CDATA[Indicates in which order server addresses should be resolved upon startup. Method "last" suggests to pick the address which appears in the state file. Method "libc" uses the libc's internal resolver. Method "none" specifically indicates that the server should start without any valid IP address in a down state. It can be useful to ignore some DNS issues upon startup, waiting for the situation to get fixed later. Defaults to "last,libc".]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.defaults.customOptions</id>
-                <label>Custom options</label>
-                <type>textbox</type>
-                <help><![CDATA[These lines will be added to the defaults settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
-                <advanced>true</advanced>
-            </field>
-        </subtab>
-        <subtab id="haproxy-general-logging" description="Logging Configuration">
-            <field>
-                <id>haproxy.general.logging.host</id>
-                <label>Log Host</label>
-                <type>text</type>
-                <help><![CDATA[Indicates where to send the logs. Takes an IPv4 or IPv6 address optionally followed by a colon (':') and a UDP port, i.e. 127.0.0.1 or 10.0.0.1:514]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.logging.facility</id>
-                <label>Syslog facility</label>
-                <type>dropdown</type>
-                <help><![CDATA[Choose one of the 24 standard syslog facilities. The default value is local0.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.logging.level</id>
-                <label>Filter syslog level</label>
-                <type>dropdown</type>
-                <help><![CDATA[Can be specified to filter outgoing messages. By default, all messages are sent. If a level is specified, only messages with a severity at least as important as this level will be sent.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.logging.length</id>
-                <label>Max. line length</label>
-                <type>text</type>
-                <help><![CDATA[Specify an optional maximum line length in characters. Log lines larger than this value will be truncated before being sent. The reason is that syslog servers act differently on log line length. All servers support the default value of 1024 characters, but some servers simply drop larger lines while others do log them.]]></help>
-                <advanced>true</advanced>
-            </field>
-        </subtab>
-        <subtab id="haproxy-general-statistics" description="Statistics Configuration">
-            <field>
-                <id>haproxy.general.stats.enabled</id>
-                <label>Stats enabled</label>
-                <type>checkbox</type>
-                <help><![CDATA[Enable HAProxy's statistics page.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.stats.port</id>
-                <label>Local stats TCP port</label>
-                <type>text</type>
-                <help><![CDATA[Choose a TCP port to be used for the local statistics page. The default value is 8822.]]></help>
-                <advanced>true</advanced>
-            </field>
-            <field>
-                <id>haproxy.general.stats.remoteEnabled</id>
-                <label>Enable remote access</label>
-                <type>checkbox</type>
-                <help><![CDATA[Enable remote access to HAProxy's statistics page. <b>This may be a security risk if you do not enable authentication!</b> Note that you need to add appropiate firewall rules for this to work.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.stats.remoteBind</id>
-                <label>Remote listen addresses</label>
-                <type>select_multiple</type>
-                <style>tokenize</style>
-                <allownew>true</allownew>
-                <help><![CDATA[Configure listen addresses for the statistics page to enable remote access, i.e. 10.0.0.1:8080 or haproxy.example.com:8999. Use TAB key to complete typing a listen address.]]></help>
-                <hint>Enter address:port here. Finish with TAB.</hint>
-            </field>
-            <field>
-                <id>haproxy.general.stats.authEnabled</id>
-                <label>Enable authentication</label>
-                <type>checkbox</type>
-            </field>
-            <field>
-                <id>haproxy.general.stats.allowedUsers</id>
-                <label>Allowed Users</label>
-                <type>select_multiple</type>
-                <allownew>true</allownew>
-                <hint>Type username or choose from list.</hint>
-            </field>
-            <field>
-                <id>haproxy.general.stats.allowedGroups</id>
-                <label>Allowed Groups</label>
-                <type>select_multiple</type>
-                <allownew>true</allownew>
-                <hint>Type group or choose from list.</hint>
-            </field>
-            <field>
-                <id>haproxy.general.stats.customOptions</id>
-                <label>Custom options</label>
-                <type>textbox</type>
-                <help><![CDATA[These lines will be added to the statistics settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
-                <advanced>true</advanced>
-            </field>
-        </subtab>
-        <subtab id="haproxy-general-cache" description="Cache">
-            <field>
-                <id>haproxy.general.cache.enabled</id>
-                <label>Cache enabled</label>
-                <type>checkbox</type>
-                <help><![CDATA[Enable HAProxy's cache which was designed to perform cache on small objects (favicon, css...). This is a minimalist low-maintenance cache which runs in RAM.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.cache.totalMaxSize</id>
-                <label>Maximum Size of Cache (MB)</label>
-                <type>text</type>
-                <help><![CDATA[Define the size in RAM of the cache in megabytes. This size is split in blocks of 1kB which are used by the cache entries. Its maximum value is 4095.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.cache.maxAge</id>
-                <label>Maximum Object Age (sec)</label>
-                <type>text</type>
-                <help><![CDATA[Define the maximum expiration duration. Cache-Control response headers will be respected if they are less than this value. The default value is 60 seconds.]]></help>
-            </field>
-            <field>
-                <id>haproxy.general.cache.maxObjectSize</id>
-                <label>Maximum Object Size (bytes)</label>
-                <type>text</type>
-                <help><![CDATA[Define the maximum size of the objects to be cached. Must not be greater than an half of the maximum size of the cache. If not set, it equals to a 256th of the cache size. All objects with sizes larger than this value will not be cached.]]></help>
-            </field>
-        </subtab>
-    </tab>
-</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 3e4086172c..59adaa8923 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -31,6 +31,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
     $( document ).ready(function() {
 
+        // get general HAProxy settings
         var data_get_map = {'frm_haproxy':"/api/haproxy/settings/get"};
 
         // load initial data
@@ -298,7 +299,7 @@ POSSIBILITY OF SUCH DAMAGE.
          * Commands
          **********************************************************************/
 
-        // Reconfigure haproxy - activate changes
+        // reconfigure haproxy to activate changes
         $('[id*="reconfigureAct"]').each(function(){
             $(this).click(function(){
 
@@ -366,7 +367,7 @@ POSSIBILITY OF SUCH DAMAGE.
             });
         });
 
-        // Test configuration file
+        // test configuration file
         $('[id*="configtestAct"]').each(function(){
             $(this).click(function(){
 
@@ -407,34 +408,115 @@ POSSIBILITY OF SUCH DAMAGE.
             });
         });
 
-        // form save event handlers for all defined forms
-        $('[id*="save_"]').each(function(){
+        // save general settings and perform a config test
+        $('[id*="saveAndTestAct"]').each(function(){
             $(this).click(function(){
-                var frm_id = $(this).closest("form").attr("id");
-                var frm_title = $(this).closest("form").attr("data-title");
+                // extract the form id from the button id
+                var frm_id = "frm_" + $(this).attr("id").split('_')[1]
 
-                // set progress animation
-                $("#"+frm_id+"_progress").addClass("fa fa-spinner fa-pulse");
-
-                // save data for tab
+                // save data for this tab
                 saveFormToEndpoint(url="/api/haproxy/settings/set",formid=frm_id,callback_ok=function(){
+                    // set progress animation
+                    $('[id*="saveAndTestAct_progress"]').each(function(){
+                        $(this).addClass("fa fa-spinner fa-pulse");
+                    });
 
-                    // on correct save, perform reconfigure
-                    ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
-                        if (status != "success" || data['status'] != 'ok') {
+                    // on correct save, perform config test
+                    ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
+                        if (data['result'].indexOf('ALERT') > -1) {
+                            BootstrapDialog.show({
+                                type: BootstrapDialog.TYPE_DANGER,
+                                title: "{{ lang._('HAProxy config contains critical errors') }}",
+                                message: data['result'],
+                                draggable: true
+                            });
+                        } else if (data['result'].indexOf('WARNING') > -1) {
                             BootstrapDialog.show({
                                 type: BootstrapDialog.TYPE_WARNING,
-                                title: "{{ lang._('Error reconfiguring HAProxy') }}",
-                                message: data['status'],
+                                title: "{{ lang._('HAProxy config contains minor errors') }}",
+                                message: data['result'],
                                 draggable: true
                             });
+                        }
+                        // when done, disable progress animation
+                        $('[id*="saveAndTestAct_progress"]').each(function(){
+                            $(this).removeClass("fa fa-spinner fa-pulse");
+                        });
+                    });
+                });
+            });
+        });
+
+        // save general settings and reconfigure HAProxy
+        $('[id*="saveAndReconfigureAct"]').each(function(){
+            $(this).click(function(){
+                // extract the form id from the button id
+                var frm_id = "frm_" + $(this).attr("id").split('_')[1]
+
+                // save data for this tab
+                saveFormToEndpoint(url="/api/haproxy/settings/set",formid=frm_id,callback_ok=function(){
+                    // set progress animation
+                    $('[id*="saveAndReconfigureAct_progress"]').each(function(){
+                        $(this).addClass("fa fa-spinner fa-pulse");
+                    });
+
+                    // on correct save, perform config test
+                    ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
+                        // show warning in case of critical errors
+                        if (data['result'].indexOf('ALERT') > -1) {
+                            BootstrapDialog.show({
+                                type: BootstrapDialog.TYPE_DANGER,
+                                title: "{{ lang._('HAProxy config contains critical errors') }}",
+                                message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Try anyway?') }}",
+                                buttons: [{
+                                    label: '{{ lang._('Continue') }}',
+                                    cssClass: 'btn-primary',
+                                    action: function(dlg){
+                                        ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
+                                            if (status != "success" || data['status'] != 'ok') {
+                                                BootstrapDialog.show({
+                                                    type: BootstrapDialog.TYPE_WARNING,
+                                                    title: "{{ lang._('Error reconfiguring HAProxy') }}",
+                                                    message: data['status'],
+                                                    draggable: true
+                                                });
+                                            }
+                                        });
+                                        // when done, disable progress animation
+                                        $('[id*="saveAndReconfigureAct_progress"]').each(function(){
+                                            $(this).removeClass("fa fa-spinner fa-pulse");
+                                        });
+                                        dlg.close();
+                                    }
+                                }, {
+                                    icon: 'fa fa-trash-o',
+                                    label: '{{ lang._('Abort') }}',
+                                    action: function(dlg){
+                                        // when done, disable progress animation
+                                        $('[id*="saveAndReconfigureAct_progress"]').each(function(){
+                                            $(this).removeClass("fa fa-spinner fa-pulse");
+                                        });
+                                        dlg.close();
+                                    }
+                                }]
+                            });
                         } else {
-                            ajaxCall(url="/api/haproxy/service/status", sendData={}, callback=function(data,status) {
-                                updateServiceStatusUI(data['status']);
+                            ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
+                                if (status != "success" || data['status'] != 'ok') {
+                                    BootstrapDialog.show({
+                                        type: BootstrapDialog.TYPE_WARNING,
+                                        title: "{{ lang._('Error reconfiguring HAProxy') }}",
+                                        message: data['status'],
+                                        draggable: true
+                                    });
+                                }
+                                // when done, disable progress animation
+                                $('[id*="saveAndReconfigureAct_progress"]').each(function(){
+                                    $(this).removeClass("fa fa-spinner fa-pulse");
+                                });
                             });
                         }
-                        // when done, disable progress animation.
-                        $("#"+frm_id+"_progress").removeClass("fa fa-spinner fa-pulse");
+                    //});
                     });
 
                 });
@@ -513,30 +595,24 @@ POSSIBILITY OF SUCH DAMAGE.
         </ul>
     </li>
 
-    {# add automatically generated tabs #}
-    {% for tab in mainForm['tabs']|default([]) %}
-        {% if tab['subtabs']|default(false) %}
-        {# Tab with dropdown #}
-        <li role="presentation" class="dropdown">
-            <a data-toggle="dropdown" href="#" class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" role="button">
-                <b><span class="caret"></span></b>
-            </a>
-            <a data-toggle="tab" onclick="$('#subtab_item_{{tab['subtabs'][0][0]}}').click();" class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" style="border-right:0px;"><b>{{tab[1]}}</b></a>
-            <ul class="dropdown-menu" role="menu">
-                {% for subtab in tab['subtabs']|default({})%}
-                <li><a data-toggle="tab" id="subtab_item_{{subtab[0]}}" href="#subtab_{{subtab[0]}}">{{subtab[1]}}</a></li>
-                {% endfor %}
-            </ul>
-        </li>
-        {% else %}
-        {# Standard Tab #}
-        <li>
-                <a data-toggle="tab" href="#tab_{{tab[0]}}">
-                    <b>{{tab[1]}}</b>
-                </a>
-        </li>
-        {% endif %}
-    {% endfor %}
+    <li role="presentation" class="dropdown">
+        <a data-toggle="dropdown" href="#" class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" role="button">
+            <b><span class="caret"></span></b>
+        </a>
+        <a data-toggle="tab" onclick="$('#{% if showIntro|default('0')=='1' %}general-introduction{% else %}settings-tab{% endif %}').click();" class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" style="border-right:0px;"><b>{{ lang._('Settings') }}</b></a>
+        <ul class="dropdown-menu" role="menu">
+            {% if showIntro|default('0')=='1' %}
+            <li><a data-toggle="tab" id="general-introduction" href="#subtab_haproxy-general-introduction">{{ lang._('Introduction') }}</a></li>
+            {% endif %}
+            <li><a data-toggle="tab" id="general-settings-tab" href="#general-settings">{{ lang._('Service') }}</a></li>
+            <li><a data-toggle="tab" href="#general-tuning">{{ lang._('Global Parameters') }}</a></li>
+            <li><a data-toggle="tab" href="#general-defaults">{{ lang._('Default Parameters') }}</a></li>
+            <li><a data-toggle="tab" href="#general-logging">{{ lang._('Logging') }}</a></li>
+            <li><a data-toggle="tab" href="#general-stats">{{ lang._('Statistics') }}</a></li>
+            <li><a data-toggle="tab" href="#general-cache">{{ lang._('Cache') }}</a></li>
+            <li><a data-toggle="tab" href="#general-peers">{{ lang._('Peers') }}</a></li>
+        </ul>
+    </li>
 
     <li role="presentation" class="dropdown">
         <a data-toggle="dropdown" href="#" class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" role="button">
@@ -566,7 +642,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Add %sReal Servers:%s All physical or virtual servers that HAProxy should use to load balance between or proxy to.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('Add %sBackend Pools:%s Group the previously added servers to build a server farm. All servers in a group usually deliver the same content. The Backend Pool takes care of health monitoring and load distribution. A Backend Pool must be configured even if you only have a single server.') | format('<b>', '</b>')}}</li>
               <li>{{ lang._('Add %sPublic Services:%s The Public Service listens for client connections, optionally applies rules and forwards client request data to the selected Backend Pool for load balancing or proxying.') | format('<b>', '</b>') }}</li>
-              <li>{{ lang._('Lastly, enable HAProxy using the %sService Settings%s.') | format('<b>', '</b>') }}</li>
+              <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
             <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
@@ -631,6 +707,24 @@ POSSIBILITY OF SUCH DAMAGE.
         </div>
     </div>
 
+    <div id="subtab_haproxy-general-introduction" class="tab-pane fade">
+        <div class="col-md-12">
+            <h1>{{ lang._('Settings') }}</h1>
+            <p>{{ lang._("Manage HAProxy core configuration:") }}</p>
+            <ul>
+              <li>{{ lang._("%sService:%s Basic service management and options to control HAProxy's restart behaviour.") | format('<b>', '</b>') }}</li>
+              <li>{{ lang._("%sGlobal Parameters:%s Tuning parameters and global defaults that cannot be overriden elsewhere.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
+              <li>{{ lang._("%sDefault Parameters:%s Define default parameters for all %sPublic Services%s, %sBackend Pools%s and %sReal Servers%s here. They may be overriden elsewhere.") | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
+              <li>{{ lang._("%sLogging:%s Configure HAProxy's logging behaviour and enable remote logging.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
+              <li>{{ lang._("%sStatistics:%s This manages HAProxy's internal statistics reporting.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
+              <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
+              <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
+            </ul>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#10" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <br/>
+        </div>
+    </div>
+
     <div id="subtab_haproxy-advanced-introduction" class="tab-pane fade">
         <div class="col-md-12">
             <h1>{{ lang._('Advanced Features') }}</h1>
@@ -647,25 +741,7 @@ POSSIBILITY OF SUCH DAMAGE.
         </div>
     </div>
 
-    {# add automatically generated tabs #}
-    {% for tab in mainForm['tabs']|default([]) %}
-        {% if tab['subtabs']|default(false) %}
-            {# Tab with dropdown #}
-            {% for subtab in tab['subtabs']|default({})%}
-                <div id="subtab_{{subtab[0]}}" class="tab-pane fade{% if mainForm['activetab']|default("") == subtab[0] %} in active {% endif %}">
-                    {{ partial("layout_partials/base_form",['fields':subtab[2],'id':'frm_'~subtab[0],'data_title':subtab[1],'apply_btn_id':'save_'~subtab[0]])}}
-                </div>
-            {% endfor %}
-        {% endif %}
-        {% if tab['subtabs']|default(false)==false %}
-            <div id="tab_{{tab[0]}}" class="tab-pane fade{% if mainForm['activetab']|default("") == tab[0] %} in active {% endif %}">
-                {{ partial("layout_partials/base_form",['fields':tab[2],'id':'frm_'~tab[0],'apply_btn_id':'save_'~tab[0]])}}
-            </div>
-        {% endif %}
-    {% endfor %}
-
     <div id="frontends" class="tab-pane fade">
-        <!-- tab page "frontends" -->
         <table id="grid-frontends" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogFrontend">
             <thead>
             <tr>
@@ -689,7 +765,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-frontends" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -700,7 +775,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="backends" class="tab-pane fade">
-        <!-- tab page "backends" -->
         <table id="grid-backends" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogBackend">
             <thead>
             <tr>
@@ -724,7 +798,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-backends" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -735,7 +808,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="servers" class="tab-pane fade">
-        <!-- tab page "servers" -->
         <table id="grid-servers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogServer">
             <thead>
             <tr>
@@ -761,7 +833,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-servers" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -772,7 +843,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="healthchecks" class="tab-pane fade">
-        <!-- tab page "healthchecks" -->
         <table id="grid-healthchecks" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogHealthcheck">
             <thead>
             <tr>
@@ -795,7 +865,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-healthchecks" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -806,7 +875,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="actions" class="tab-pane fade">
-        <!-- tab page "actions" -->
         <table id="grid-actions" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAction">
             <thead>
             <tr>
@@ -829,7 +897,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-actions" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -840,7 +907,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="acls" class="tab-pane fade">
-        <!-- tab page "acls" -->
         <table id="grid-acls" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAcl">
             <thead>
             <tr>
@@ -863,7 +929,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-acls" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -874,7 +939,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="users" class="tab-pane fade">
-        <!-- tab page "users" -->
         <table id="grid-users" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogUser">
             <thead>
             <tr>
@@ -898,7 +962,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-users" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -909,7 +972,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="groups" class="tab-pane fade">
-        <!-- tab page "groups" -->
         <table id="grid-groups" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogGroup">
             <thead>
             <tr>
@@ -933,7 +995,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-groups" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -944,7 +1005,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="luas" class="tab-pane fade">
-        <!-- tab page "luas" -->
         <table id="grid-luas" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogLua">
             <thead>
             <tr>
@@ -968,7 +1028,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-luas" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -979,7 +1038,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="errorfiles" class="tab-pane fade">
-        <!-- tab page "errorfiles" -->
         <table id="grid-errorfiles" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogErrorfile">
             <thead>
             <tr>
@@ -1002,7 +1060,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-errorfiles" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -1013,7 +1070,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="mapfiles" class="tab-pane fade">
-        <!-- tab page "mapfiles" -->
         <table id="grid-mapfiles" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogMapfile">
             <thead>
             <tr>
@@ -1036,7 +1092,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-mapfiles" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -1047,7 +1102,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="cpus" class="tab-pane fade">
-        <!-- tab page "cpus" -->
         <table id="grid-cpus" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogCpu">
             <thead>
             <tr>
@@ -1073,7 +1127,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-cpus" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -1084,7 +1137,6 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="resolvers" class="tab-pane fade">
-        <!-- tab page "resolvers" -->
         <table id="grid-resolvers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogResolver">
             <thead>
             <tr>
@@ -1108,7 +1160,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <!-- apply button -->
         <div class="col-md-12">
             <hr/>
             <button class="btn btn-primary" id="reconfigureAct-resolvers" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
@@ -1117,6 +1168,84 @@ POSSIBILITY OF SUCH DAMAGE.
             <br/>
         </div>
     </div>
+
+    <!-- subtabs for general "Settings" tab below -->
+    <div id="general-settings" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalSettingsForm,'id':'frm_haproxy-general-settings'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAndReconfigureAct_haproxy-general-settings" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAndReconfigureAct_progress"></i></button>
+                <button class="btn btn-primary" id="saveAndTestAct_haproxy-general-settings" type="button"><b>{{ lang._('Save & Test syntax') }}</b><i id="saveAndTestAct_progress" class=""></i></button>
+            </div>
+        </div>
+    </div>
+
+    <div id="general-tuning" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalTuningForm,'id':'frm_haproxy-general-tuning'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAndReconfigureAct_haproxy-general-tuning" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAndReconfigureAct_progress"></i></button>
+                <button class="btn btn-primary" id="saveAndTestAct_haproxy-general-tuning" type="button"><b>{{ lang._('Save & Test syntax') }}</b><i id="saveAndTestAct_progress" class=""></i></button>
+            </div>
+        </div>
+    </div>
+
+    <div id="general-defaults" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalDefaultsForm,'id':'frm_haproxy-general-defaults'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAndReconfigureAct_haproxy-general-defaults" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAndReconfigureAct_progress"></i></button>
+                <button class="btn btn-primary" id="saveAndTestAct_haproxy-general-defaults" type="button"><b>{{ lang._('Save & Test syntax') }}</b><i id="saveAndTestAct_progress" class=""></i></button>
+            </div>
+        </div>
+    </div>
+
+    <div id="general-logging" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalLoggingForm,'id':'frm_haproxy-general-logging'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAndReconfigureAct_haproxy-general-logging" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAndReconfigureAct_progress"></i></button>
+                <button class="btn btn-primary" id="saveAndTestAct_haproxy-general-logging" type="button"><b>{{ lang._('Save & Test syntax') }}</b><i id="saveAndTestAct_progress" class=""></i></button>
+            </div>
+        </div>
+    </div>
+
+    <div id="general-stats" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalStatsForm,'id':'frm_haproxy-general-stats'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAndReconfigureAct_haproxy-general-stats" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAndReconfigureAct_progress"></i></button>
+                <button class="btn btn-primary" id="saveAndTestAct_haproxy-general-stats" type="button"><b>{{ lang._('Save & Test syntax') }}</b><i id="saveAndTestAct_progress" class=""></i></button>
+            </div>
+        </div>
+    </div>
+
+    <div id="general-cache" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalCacheForm,'id':'frm_haproxy-general-cache'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAndReconfigureAct_haproxy-general-cache" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAndReconfigureAct_progress"></i></button>
+                <button class="btn btn-primary" id="saveAndTestAct-haproxy-general-cache" type="button"><b>{{ lang._('Save & Test syntax') }}</b><i id="saveAndTestAct_progress" class=""></i></button>
+            </div>
+        </div>
+    </div>
+
+    <div id="general-peers" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalPeersForm,'id':'frm_haproxy-general-peers'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAndReconfigureAct_haproxy-general-peers" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAndReconfigureAct_progress"></i></button>
+                <button class="btn btn-primary" id="saveAndTestAct_haproxy-general-peers" type="button"><b>{{ lang._('Save & Test syntax') }}</b><i id="saveAndTestAct_progress" class=""></i></button>
+            </div>
+        </div>
+    </div>
 </div>
 
 {# include dialogs #}

From 95b8cc6aa00e40e5a2edf11827561051ec4d4d34 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 20 Aug 2020 01:01:41 +0200
Subject: [PATCH 0197/3088] net/haproxy: add plugin changelog

---
 net/haproxy/pkg-descr | 242 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 241 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 5a41f6ad02..be9ec9837e 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -3,4 +3,244 @@ availability, load balancing, and proxying for TCP and HTTP-based
 applications. It is particularly suited for web sites crawling under
 very high loads while needing persistence or Layer7 processing.
 
-WWW: https://haproxy.org/
+Plugin Changelog
+================
+
+2.24
+
+Added:
+* add support for http-request set-var and http-response set-var (#1796)
+* add group as userlist to HAProxy config to make it usable in rules/conditions (#1796)
+* add support for resolvers to customize how HAProxy handles name resolution (#1787)
+* add support for init-addr to allow HAProxy to start when DNS does not resolve (#1787)
+
+Fixed:
+* honor sort order of all rules, remove special handling of "use_[backend|server]" options (#1925)
+
+Changed:
+* add "Save & Test syntax" button to all "Settings" pages
+* add "introduction" page for Settings tab
+* streamine "Settings" subtabs
+
+2.23
+
+Fixed:
+* add missing acl SNI regex text field (#1883)
+
+2.22
+
+Added:
+* enable SSL verification for a server when "Force SSL" is enabled in the associated health check (#1761)
+* use the systems local Root CA Certificates for SSL verification when no CA was selected (#1761)
+
+Fixed:
+* fix label of src_sess_cnt (#1780)
+* fix invalid use of option httplog (resolves a warning in config test)
+* fix invalid use of option forwardfor (resolves a warning in config test)
+
+2.21
+
+Fixed:
+* override "graceful" restart if required (#1745)
+
+2.20
+
+Changed:
+* update stats socket permission for easier (non-root) monitoring (#1232)
+
+2.19
+
+Added:
+* switch to HAProxy 2.0 release series (#1089)
+* add support for the "max-object-size" cache configuration option (#1458)
+* add end-to-end HTTP/2 support (details)
+* add support for the random balancing algorithm (details)
+
+Fixed:
+* fix IPv6 validation in frontends (#540)
+
+Changed:
+* add IPv6 example to listen address help text
+* update URLs to HAProxy 2.0 documentation
+* frontends: move HTTP/2 option to HTTP settings
+* change order of frontend options
+
+2.18
+
+Added:
+* add support for HAProxy cache (#1442)
+
+Changed:
+* change http-reuse default (align with HAProxy's default value, #1439)
+
+2.17
+
+Added:
+* allow backends without servers (#1304)
+* add support for deciphered SNI check in ACLs (#1365)
+* allow to force SSL for health checks (#1282)
+
+Changed:
+* improve wording for SNI conditions to differentiate between deciphered vs. not deciphered
+
+2.16
+
+Fixed:
+* allow hyphens in server, frontend and backend names (#1346)
+
+2.15
+
+Added:
+* rules can finally be sorted by using drag'n'drop (#582)
+* added "enabled" field to servers (#1208)
+* TCP inspection delays are supported in rules (#1188)
+
+Changed:
+* server option "mode" is always visible, no longer requires "advanced mode" (#1208)
+* most dropdown fields finally have alphanumeric sorting (#687, opnsense/core#3251)
+* rules: align indentation of comments in haproxy.conf
+
+2.14
+
+Fixed:
+* bulk deleting does not work (#1164)
+
+Changed:
+* migrate to mutable controller (required to fix #1164)
+
+2.13
+
+Added:
+* support multiple CAs for SSL verification for servers
+
+Fixed:
+* fix export of CAs (#1074)
+
+Changed:
+* export a frontend's default SSL certificate (#1088)
+* it is no longer required to add a default SSL certificate to a frontend's "certificates" list (#1088)
+* avoid duplicate entry in certlist file if a default SSL certificate is specified
+* always show "Default certificate" option in frontends, it's no longer an "advanced" option
+
+2.12
+
+Added:
+* add support for HTTP/2 (#1047)
+
+2.11
+
+Fixed:
+* fix warning: a 'http-request' rule placed after a 'use_backend' rule will still be processed before (#999)
+* fix wrong parameter name when using tcp-request content lua (#999)
+
+Changed:
+* internal: trim whitespace, remove empty lines in haproxy.conf (#999)
+
+2.10
+
+Added:
+* add support for multithreading (available as new option in Settings -> Global Parameters) (#1003)
+* add support for client certificate authentication (#426)
+* add support for HTTP Basic Auth to frontends/backends/ACLs (#300)
+* add basic user/group management functionality (supports Basic Auth as well as stats users)
+* add new CPU Affinity Rules feature (which is a combination of HAProxy's cpu-map, bind-process and process options) (see #1003 for a short explanation)
+
+Fixed:
+* function "http-request header-delete" generated a corrupted haproxy.conf (#882)
+
+Changed:
+* migrate all stats users from old (and cumbersome) username:password format to new user management feature
+* internal: use /tmp for autogenerated files (now they are automatically cleaned up on boot)
+* internal: change filename of cert lists from id.crtlist to id.certlist
+
+2.9
+
+Added:
+* add "http-reuse" option (#836)
+
+2.8
+
+Added:
+* support truly seamless reloads (#224)
+* add support for the "map" feature (#180)
+
+Fixed:
+* fix reload of service template in "reconfigure" action (#690; introduced in 7381101)
+* enabling "hard stop" mode resulted in an invalid "hardrestart" RC command
+
+Changed:
+* use "reload" instead of "restart" RC action
+* if "reload" fails, also issue a "restart" command (required when enabling seamless reloads)
+* start progress animation (spinner) earlier when applying settings
+
+2.7
+
+Added:
+* support rise/fall parameters in backends and health checks
+* support set-path in ACLs
+* support for cookie-based persistence (#680)
+
+Fixed:
+* fix X-Forwarded-For option disappeared (#647)
+* fix validation for source address fields (#695)
+
+2.6
+
+Added:
+* add support for http-response set-status in ACLs to manipulate HTTP status codes
+
+Fixed:
+* fix invalid backend name when using nbsrv in ACLs
+
+2.5
+
+Added:
+* add support for the PROXY protocol (i.e. in combination with postfix or dovecot)
+* switch to HAProxy 1.8.4
+
+2.4
+
+Added:
+* add support for "preload" and "includeSubDomains" HSTS options (#447)
+* support session sync / HAProxy peers (#165)
+* add new HTTP timeout options (to mitigate slowloris attacks) (#202)
+* allow tracking additional values in stick-tables (#202)
+* add stick-table config for frontends (optional, disabled by default) (#202)
+* add support for many new conditions (#202)
+* enable sticky counters for frontend stick-tables (required for new conditions) (#202)
+
+Changed:
+* relax validation masks for several "name" fields (to allow more "special" characters)
+* switch to new mutable service controller
+
+2.3
+
+Added:
+* new option to hide introduction pages (#340)
+
+Fixed:
+* fix wrong introduction for "Advanced" tab (regression introduced in 8cdcbda)
+
+2.2
+
+Fixed:
+* fix for rules parameters (values could not be saved, leading to invalid rules)
+
+2.1
+
+Fixed:
+* do not enable HSTS unconditionally (now works as described in #380)
+* enable HSTS only for HTTP frontends
+
+2.0
+
+Added:
+* new GUI to guide new users and improve general usability (#208)
+* make server port optional (#341)
+* new SSL settings for frontends (#380)
+* new global SSL default values (#380)
+* new option for HTTP Strict Transport Security (#380)
+
+Fixed:
+* rephrase text to make it clear that aliases cannot be used (#360)
+* rephrase text to make it clear that "use_server" will only work for backends (#361)

From 8daf9a122c9abe97953a350d1caa1052cd74039d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Aug 2020 07:05:58 +0200
Subject: [PATCH 0198/3088] plugins: style sweep

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc     | 4 ++--
 .../src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index bb4d96f3f1..a40a5bd410 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1592,9 +1592,9 @@ class updatedns
                 if ($http_code == 200) {
                     $status = 'Dynamic DNS: (Success) IP Address Updated Successfully!';
                     $successful_update = true;
-                } else if ($http_code == 401) {
+                } elseif ($http_code == 401) {
                     $status = 'Dynamic DNS: (Error) Authentication info not sent or invalid';
-                }else if ($http_code == 404) {
+                } elseif ($http_code == 404) {
                     $status = 'Dynamic DNS: (Error) Resource not found';
                 } else {
                     $status = "Dynamic DNS: (Error) Repsonse not handled check the following: {$data}";
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index cb4d2be0a9..928961e391 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -227,8 +227,8 @@ function cert_action_validator($opt_cert_id)
                 if ($options["a"] == "automation") {
                     // Check if the cert was successul issued
                     if (!empty((string)$certObj->statusCode) and (string)$certObj->statusCode == '200') {
-                      log_error("AcmeClient: ready to run automation for certificate: " . (string)$certObj->name);
-                      $restart_certs[] = $certObj;
+                        log_error("AcmeClient: ready to run automation for certificate: " . (string)$certObj->name);
+                        $restart_certs[] = $certObj;
                     } else {
                         log_error("AcmeClient: failed to run automation, certificate status not OK: " . (string)$certObj->name);
                         return(1);

From 97e304b7b8792d03c631d22fa3de7ff35cb7236e Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Sun, 23 Aug 2020 08:35:49 +0100
Subject: [PATCH 0199/3088] Minor colour corrections

Fix some colours
---
 .../opnsense/www/themes/rebellion/assets/stylesheets/main.scss  | 2 +-
 .../opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css | 2 +-
 .../src/opnsense/www/themes/rebellion/build/css/main.css        | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
index 0966e503c7..92c6f2deee 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
@@ -5725,7 +5725,7 @@ tbody.collapse.in {
     }
   }
   .navbar-text {
-    color: #2B2B2B;
+    color: #AAAAAA;
   }
   .navbar-nav > {
     li > a {
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css
index 5cac223c4a..7599c8f755 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css
@@ -78,7 +78,7 @@
   outline: 0;
 }
 .bootgrid-table th > .column-header-anchor {
-    background-color: #929292;
+    background-color: #444444;
   color: #eee;
   cursor: not-allowed;
   display: block;
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
index 5d86521dff..c3520c56a3 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
@@ -4708,7 +4708,7 @@ tbody.collapse.in {
   background-color: transparent;
 }
 .navbar-default .navbar-text {
-  color: #2B2B2B;
+  color: #aaaaaa;
 }
 .navbar-default .navbar-nav > li > a {
   color: #C1C1c1;

From 5b91487ec2d8a51afbb17e66a704bc526b9dc1ef Mon Sep 17 00:00:00 2001
From: Adriano <vizion8-dan@users.noreply.github.com>
Date: Mon, 24 Aug 2020 14:15:16 +0200
Subject: [PATCH 0200/3088] dns/dyndns: Implementend a basic PoC for Gandi
 LiveDNS (#1916)

---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |  1 +
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 43 +++++++++++++++++++
 dns/dyndns/src/www/services_dyndns_edit.php   |  5 ++-
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index ac717b7477..40744ebd5c 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -120,6 +120,7 @@ function dyndns_list()
         'easydns' => 'easyDNS',
         'eurodns' => 'EuroDNS',
         'freedns' => 'freeDNS',
+        'gandi-livedns' => 'Gandi LiveDNS',
         'godaddy' => 'GoDaddy',
         'godaddy-v6' => 'GoDaddy (v6)',
         'googledomains' => 'Google Domains',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index a40a5bd410..7a423bd4ed 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -42,6 +42,7 @@
  *    - regfish IPv6 (regfish.de)
  *    - dynv6 IPv6 (dynv6.com)
  *    - DigitalOcean (digitalocean.com)
+ *    - Gandi LiveDNS (gandi.net)
  *    - Azure DNS (azure.microsoft.com)
  *    - Linode (linode.com)
  *    - Linode IPv6 (linode.com)
@@ -107,6 +108,7 @@
  *  Linode v6                   - Last Tested: 25 February 2020
  *  GoDaddy                     - Last Tested: 10 July 2020
  *  GoDaddy v6                  - Last Tested: 10 July 2020
+ *  Gandi LiveDNS               - Last Tested: 24 August 2020
  * +====================================================+
  *
  * @author    E.Kristensen
@@ -345,6 +347,7 @@ class updatedns
                 case 'custom-v6':
                 case 'dhs':
                 case 'digitalocean':
+                case 'gandi-livedns':
                 case 'dnsexit':
                 case 'dnsomatic':
                 case 'duckdns':
@@ -669,6 +672,28 @@ class updatedns
                 curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($hostData));
                 curl_setopt($ch, CURLOPT_URL, $server);
                 break;
+            case 'gandi-livedns':
+                /*
+                * https://github.com/vizion8-dan
+                * Tested on OPNsense 20.1.8_1-amd64 - IPv4 (A)
+                * dnsHost ("Hostname" field in OPNsense) should be the 2nd-level domain ("example.org") 
+                * dnsUser ("Username" field in OPNsense) should be the subdomain / A-record ("myrecord" in 2nd-level domain) 
+                * dnsPass should be the Gandi-API key
+                */
+                $server = "https://dns.api.gandi.net/api/v5/domains/". $this->_dnsHost . "/records/" . $this->_dnsUser . "/A";
+
+                $body = '{"rrset_ttl":"' . "300" . '", "rrset_values":["'. $this->_dnsIP . '"]}';
+
+                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+                curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
+                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+                curl_setopt($ch, CURLOPT_HTTPHEADER, array(
+                    "X-Api-Key: {$this->_dnsPass}",
+                    'Content-Type: application/json'
+                ));
+                curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
+                curl_setopt($ch, CURLOPT_URL, $server);
+                break;
             case 'selfhost':
                 if (isset($this->_dnsWildcard) && $this->_dnsWildcard != "OFF") {
                     $this->_dnsWildcard = "ON";
@@ -1425,6 +1450,24 @@ class updatedns
                     log_error("Dynamic DNS Record ID ({$this->_dnsUser}): PAYLOAD: {$data}");
                 }
                 break;
+            case 'gandi-livedns':
+                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+                if ($http_code == 401) {
+                    $status = 'Dynamic DNS: (Error) Bad authentication attempt because of a wrong API Key.';    
+                } elseif ($http_code == 403) {
+                    $status = 'Dynamic DNS: (Error) Access to the resource is denied. Mainly due to a lack of permissions to access it!';
+                } elseif ($http_code == 201) {
+                    $status = 'Dynamic DNS: (Success) Record was created!';
+                    $successful_update = true;
+                } elseif ($http_code == 200) {
+                    $status = 'Dynamic DNS: (Success) Same record already exists. Nothing was changed!';
+                    $successful_update = true;
+                } else {
+                    $status = 'Dynamic DNS: (Error) "Unknown Response"';
+                    log_error("Dynamic DNS: HTTP Status: {$http_code}  PAYLOAD: {$data}");
+                    $this->_debug($data);
+                }
+                break;
             case 'gratisdns':
                 if (preg_match('/Forkerte værdier/i', $data)) {
                         $status = "Dynamic DNS: (Error) Wrong values - Update could not be completed.";
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index 3db2e4e0fb..b503bdbb16 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -317,7 +317,8 @@ function is_dyndns_username($uname)
                       <input name="host" type="text" id="host" value="<?= $pconfig['host'] ?>" />
                       <div class="hidden" data-for="help_for_host">
                         <?= gettext("Enter the complete host/domain name. example: myhost.dyndns.org") ?><br />
-                        <?= gettext("For he.net tunnelbroker, enter your tunnel ID") ?>
+                        <?= gettext("For he.net tunnelbroker, enter your tunnel ID") ?><br />
+                        <?= gettext('Gandi LiveDNS: Enter the 2nd-level domain ("example.org").') ?> 
                       </div>
                     </td>
                   </tr>
@@ -366,6 +367,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('dynv6: Enter your Token.') ?>
                         <br /><?= gettext('Azure: Enter your Azure AD application ID.') ?>
                         <br /><?= gettext('For Custom Entries, Username and Password represent HTTP Authentication username and passwords.') ?>
+                        <br /><?= gettext('Gandi LiveDNS: The subdomain / record to update.') ?>
                         <br /><?= gettext('GoDaddy: Enter your API Key Token.') ?>
                       </div>
                     </td>
@@ -382,6 +384,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('Azure: client secret of the AD application') ?>
                         <br /><?= gettext('Linode: Enter your Personal Access Token.') ?>
                         <br /><?= gettext('Cloudflare: Enter your API token or Global API key.') ?>
+                        <br /><?= gettext('Gandi LiveDNS: Enter your API token.') ?>
                         <br /><?= gettext('GoDaddy: Enter your API Secret Token.') ?>
                       </div>
                     </td>

From 3ee618ecdfc3dd20d7180676a89692882a7e5e6c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 24 Aug 2020 14:16:31 +0200
Subject: [PATCH 0201/3088] dns/dyndns: new version and whitespace swep

---
 dns/dyndns/Makefile                                       | 2 +-
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 6 +++---
 dns/dyndns/src/www/services_dyndns_edit.php               | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 7911cd8872..2553b19f55 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.22
+PLUGIN_VERSION=		1.23
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 7a423bd4ed..61d2f06b44 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -676,8 +676,8 @@ class updatedns
                 /*
                 * https://github.com/vizion8-dan
                 * Tested on OPNsense 20.1.8_1-amd64 - IPv4 (A)
-                * dnsHost ("Hostname" field in OPNsense) should be the 2nd-level domain ("example.org") 
-                * dnsUser ("Username" field in OPNsense) should be the subdomain / A-record ("myrecord" in 2nd-level domain) 
+                * dnsHost ("Hostname" field in OPNsense) should be the 2nd-level domain ("example.org")
+                * dnsUser ("Username" field in OPNsense) should be the subdomain / A-record ("myrecord" in 2nd-level domain)
                 * dnsPass should be the Gandi-API key
                 */
                 $server = "https://dns.api.gandi.net/api/v5/domains/". $this->_dnsHost . "/records/" . $this->_dnsUser . "/A";
@@ -1453,7 +1453,7 @@ class updatedns
             case 'gandi-livedns':
                 $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                 if ($http_code == 401) {
-                    $status = 'Dynamic DNS: (Error) Bad authentication attempt because of a wrong API Key.';    
+                    $status = 'Dynamic DNS: (Error) Bad authentication attempt because of a wrong API Key.';
                 } elseif ($http_code == 403) {
                     $status = 'Dynamic DNS: (Error) Access to the resource is denied. Mainly due to a lack of permissions to access it!';
                 } elseif ($http_code == 201) {
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index b503bdbb16..388cbbcbe3 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -318,7 +318,7 @@ function is_dyndns_username($uname)
                       <div class="hidden" data-for="help_for_host">
                         <?= gettext("Enter the complete host/domain name. example: myhost.dyndns.org") ?><br />
                         <?= gettext("For he.net tunnelbroker, enter your tunnel ID") ?><br />
-                        <?= gettext('Gandi LiveDNS: Enter the 2nd-level domain ("example.org").') ?> 
+                        <?= gettext('Gandi LiveDNS: Enter the 2nd-level domain ("example.org").') ?>
                       </div>
                     </td>
                   </tr>

From 7ead9914dac7d402341733faf58be14ec362d669 Mon Sep 17 00:00:00 2001
From: nan0 <49376203+devNan0@users.noreply.github.com>
Date: Fri, 28 Aug 2020 10:02:05 +0200
Subject: [PATCH 0202/3088] net-mgmt/telegraf: Add ntpq input (#1965)

---
 net-mgmt/telegraf/Makefile                           |  2 +-
 net-mgmt/telegraf/pkg-descr                          |  4 ++++
 .../controllers/OPNsense/Telegraf/forms/input.xml    | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Telegraf/Input.xml       | 10 +++++++++-
 .../templates/OPNsense/Telegraf/telegraf.conf        |  9 +++++++++
 5 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index dff3380731..6c5c508810 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.8.1
+PLUGIN_VERSION=		1.8.2
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 4765e48ad1..5dd3e3a581 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -11,6 +11,10 @@ Kafka, MQTT, NSQ, and many others.
 Plugin Changelog
 ================
 
+1.8.2
+
+* Add 'ntpq' input
+
 1.8.1
 
 * Fix 'flush interval' templating by @Jontron123
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
index a17f02e64b..2e1f41a096 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
@@ -111,4 +111,16 @@
         <type>checkbox</type>
         <help>Enable the collection of ZFS statistics.</help>
     </field>
+    <field>
+        <id>input.ntpq</id>
+        <label>NTPQ</label>
+        <type>checkbox</type>
+        <help>Enable the collection of NTP query metrics.</help>
+    </field>
+    <field>
+        <id>input.ntpq_dns_lookup</id>
+        <label>NTPQ DNS Lookup</label>
+        <type>checkbox</type>
+        <help>Can increase metric gather times.</help>
+    </field>
 </form>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index b2860ed042..4dd827965f 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/telegraf/input</mount>
     <description>Telegraf inputs configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <cpu type="BooleanField">
             <default>1</default>
@@ -74,5 +74,13 @@
             <default>0</default>
             <Required>N</Required>
         </zfs>
+        <ntpq type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </ntpq>
+        <ntpq_dns_lookup type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </ntpq_dns_lookup>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 84f994bc40..f9396633e3 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -224,4 +224,13 @@
   poolMetrics = true
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.input.ntpq') and OPNsense.telegraf.input.ntpq == '1' %}
+[[inputs.ntpq]]
+{%   if helpers.exists('OPNsense.telegraf.input.ntpq_dns_lookup') and OPNsense.telegraf.input.ntpq_dns_lookup == '1' %}
+  dns_lookup = true
+{%   else %}
+  dns_lookup = false
+{%   endif %}
+{% endif %}
+
 {% endif %}

From d96c8142c001a9d0d8322f05fb840f08b305b574 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Sep 2020 14:00:22 +0200
Subject: [PATCH 0203/3088] security/tinc: fix cipher parsing revision bump

---
 security/tinc/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index b624156459..3b6a0356ec 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From cc5680ee90a17f374d7c8daa667ebc65a3ba9eb3 Mon Sep 17 00:00:00 2001
From: gap579137 <gap579137@gmail.com>
Date: Tue, 25 Aug 2020 07:18:47 -0500
Subject: [PATCH 0204/3088] Updated Project Block List URL

These links were updated to reflect the current hosting platform that allows for last-modified header.
---
 dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh        | 6 +++---
 .../src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh    | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
index 4cef66ada6..aac1ad92ee 100755
--- a/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
@@ -149,21 +149,21 @@ stevenblack() {
 
 blocklistads() {
         # Blocklist.site Ads
-        ${FETCH} https://blocklist.site/app/dl/ads -o ${WORKDIR}/blocklistads-raw
+        ${FETCH} https://blocklistproject.github.io/Lists/ads.txt -o ${WORKDIR}/blocklistads-raw
         sed "/\.$/d" ${WORKDIR}/blocklistads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistads
         rm ${WORKDIR}/blocklistads-raw
 }
 
 blocklistfraud() {
         # Blocklist.site Fraud
-        ${FETCH} https://blocklist.site/app/dl/fraud -o ${WORKDIR}/blocklistfraud-raw
+        ${FETCH} https://blocklistproject.github.io/Lists/fraud.txt -o ${WORKDIR}/blocklistfraud-raw
         sed "/\.$/d" ${WORKDIR}/blocklistfraud-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistfraud
         rm ${WORKDIR}/blocklistfraud-raw
 }
 
 blocklistphishing() {
         # Blocklist.site Phishing
-        ${FETCH} https://blocklist.site/app/dl/phishing -o ${WORKDIR}/blocklistphishing-raw
+        ${FETCH} https://blocklistproject.github.io/Lists/phishing.txt -o ${WORKDIR}/blocklistphishing-raw
         sed "/\.$/d" ${WORKDIR}/blocklistphishing-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistphishing
         rm ${WORKDIR}/blocklistphishing-raw
 }
diff --git a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
index b32d90be87..4142f556e7 100755
--- a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
+++ b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
@@ -121,21 +121,21 @@ stevenblack() {
 
 blocklistads() {
         # Blocklist.site Ads
-        ${FETCH} https://blocklist.site/app/dl/ads -o ${WORKDIR}/blocklistads-raw
+        ${FETCH} https://blocklistproject.github.io/Lists/ads.txt -o ${WORKDIR}/blocklistads-raw
         sed "/\.$/d" ${WORKDIR}/blocklistads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistads
         rm ${WORKDIR}/blocklistads-raw
 }
 
 blocklistfraud() {
         # Blocklist.site Fraud
-        ${FETCH} https://blocklist.site/app/dl/fraud -o ${WORKDIR}/blocklistfraud-raw
+        ${FETCH} https://blocklistproject.github.io/Lists/fraud.txt -o ${WORKDIR}/blocklistfraud-raw
         sed "/\.$/d" ${WORKDIR}/blocklistfraud-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistfraud
         rm ${WORKDIR}/blocklistfraud-raw
 }
 
 blocklistphishing() {
         # Blocklist.site Phishing
-        ${FETCH} https://blocklist.site/app/dl/phishing -o ${WORKDIR}/blocklistphishing-raw
+        ${FETCH} https://blocklistproject.github.io/Lists/phishing.txt -o ${WORKDIR}/blocklistphishing-raw
         sed "/\.$/d" ${WORKDIR}/blocklistphishing-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistphishing
         rm ${WORKDIR}/blocklistphishing-raw
 }

From 1365468284fc4234c7d54a889a1cbf6aa46792f5 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 5 Sep 2020 10:02:23 +0200
Subject: [PATCH 0205/3088] Update dialogEditBindDomain.xml (#2016)

---
 .../controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
index f1f5adfc98..dfd13fd206 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
@@ -45,7 +45,7 @@
         <id>domain.allowtransfer</id>
         <label>Allow Transfer</label>
         <type>dropdown</type>
-        <help>Define an ACL where you allow which server can retrieve this zone.</help>
+        <help>Define an ACL where you allow which server can retrieve this zone. If this value is empty, domain transfers from everywhere are allowed.</help>
     </field>
     <field>
         <id>domain.allowquery</id>

From ca754248bf601fc1b637e2eaeec9a61744aef5d0 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 5 Sep 2020 10:17:39 +0200
Subject: [PATCH 0206/3088] net/frr: fix ospf6 router-id changes with frr7
 (#2010)

---
 net/frr/Makefile                                            | 2 +-
 net/frr/pkg-descr                                           | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/ospf6d.conf  | 6 +++---
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index b15d063124..5b6b4037be 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.15
+PLUGIN_VERSION=		1.16
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7 ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index ffcad0a3a5..53558e2993 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.16
+
+* Fix templating for router IDs in OSPF3 daemon
+
 1.15
 
 * Disable eBGP policies introduced with FRR 7.4
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index ec92113a02..607316523a 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -39,6 +39,9 @@ interface {{ physical_interface(interface.interfacename) }}
 {% endif %}
 !
 router ospf6
+{% if helpers.exists('OPNsense.quagga.ospf6.routerid') and OPNsense.quagga.ospf6.routerid != '' %}
+ ospf6 router-id {{ OPNsense.quagga.ospf6.routerid }}
+{% endif %}
 {% if helpers.exists('OPNsense.quagga.ospf6.redistribute') and OPNsense.quagga.ospf6.redistribute != '' %}
 {% for line in OPNsense.quagga.ospf6.redistribute.split(',') %}
  redistribute {{ line }}
@@ -50,9 +53,6 @@ router ospf6
 {%     endif %}
 {%   endfor %}
 {% endif %}
-{% if helpers.exists('OPNsense.quagga.ospf6.routerid') and OPNsense.quagga.ospf6.routerid != '' %}
- router-id {{ OPNsense.quagga.ospf6.routerid }}
-{% endif %}
 !
 line vty
 !

From 9078aea5150bf04f81622fdb1ec68f31b5071809 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 10 Sep 2020 15:46:28 +0200
Subject: [PATCH 0207/3088] mail/rspamd: add option to set a nameserver (#2025)

---
 mail/rspamd/Makefile                                     | 2 +-
 mail/rspamd/pkg-descr                                    | 4 ++++
 .../app/controllers/OPNsense/Rspamd/forms/settings.xml   | 9 +++++++++
 .../opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml   | 8 +++++++-
 .../opnsense/service/templates/OPNsense/Rspamd/+TARGETS  | 1 +
 .../service/templates/OPNsense/Rspamd/options.inc        | 7 +++++++
 6 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/options.inc

diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index fef81f2f23..f19a4a45e1 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		rspamd
-PLUGIN_VERSION=		1.9
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/mail/rspamd/pkg-descr b/mail/rspamd/pkg-descr
index 32b7704d37..c2118b5256 100644
--- a/mail/rspamd/pkg-descr
+++ b/mail/rspamd/pkg-descr
@@ -5,6 +5,10 @@ lua.
 Plugin Changelog
 ----------------
 
+1.10
+
+* Add nameserver option
+
 1.9
 
 * Add History Rows field
diff --git a/mail/rspamd/src/opnsense/mvc/app/controllers/OPNsense/Rspamd/forms/settings.xml b/mail/rspamd/src/opnsense/mvc/app/controllers/OPNsense/Rspamd/forms/settings.xml
index b027f57b46..b37c8b7806 100644
--- a/mail/rspamd/src/opnsense/mvc/app/controllers/OPNsense/Rspamd/forms/settings.xml
+++ b/mail/rspamd/src/opnsense/mvc/app/controllers/OPNsense/Rspamd/forms/settings.xml
@@ -62,6 +62,15 @@
                 <advanced>true</advanced>
                 <help>Set the number of rows to be displayed in rspamd UI.</help>
             </field>
+            <field>
+                <id>rspamd.general.nameserver</id>
+                <label>Nameserver</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+                <help>Set the nameservers for resolving DNS requests.</help>
+            </field>
         </subtab>
         <subtab id="rspamd-general-multimap" description="Multimap Settings">
             <field>
diff --git a/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml b/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
index 483d55d6ef..fccb94dfce 100644
--- a/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
+++ b/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/Rspamd</mount>
   <description>rspamd anti spam filter</description>
-  <version>1.0.1</version>
+  <version>1.0.2</version>
   <items>
     <general>
       <enabled type="BooleanField">
@@ -126,6 +126,12 @@
         <MaximumValue>100000</MaximumValue>
         <ValidationMessage>Choose a value between 1 and 100000.</ValidationMessage>
       </historyrows>
+      <nameserver type="HostnameField">
+        <default>127.0.0.1</default>
+        <Required>Y</Required>
+        <FieldSeparator>,</FieldSeparator>
+        <asList>Y</asList>
+      </nameserver>
     </general>
 
     <milter_headers>
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
index f4db33f7b9..ec5b4811a5 100644
--- a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
@@ -21,3 +21,4 @@ redis.conf:/usr/local/etc/rspamd/local.d/redis.conf
 spamtrap-map:/usr/local/etc/rspamd/maps.d/spamtrap.map
 classifier-bayes.conf:/usr/local/etc/rspamd/local.d/classifier-bayes.conf
 history_redis.conf:/usr/local/etc/rspamd/local.d/history_redis.conf
+options.inc:/usr/local/etc/rspamd/local.d/options.inc
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/options.inc b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/options.inc
new file mode 100644
index 0000000000..eec227c1bc
--- /dev/null
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/options.inc
@@ -0,0 +1,7 @@
+# Please don't modify this file as your changes might be overwritten with
+# the next update.
+#
+
+dns {
+         nameserver = [{{ "'" + ("','".join(OPNsense.Rspamd.general.nameserver.split(','))) + "'" }}];
+}

From d6257b15791f2108c6c366283bd8a3a70a7d9f07 Mon Sep 17 00:00:00 2001
From: Starkstromkonsument <it@starkstromkonsument.de>
Date: Fri, 11 Sep 2020 09:28:12 +0200
Subject: [PATCH 0208/3088] mail/postfix: Add support for header_checks (#1897)

---
 mail/postfix/Makefile                         |  2 +-
 mail/postfix/pkg-descr                        |  4 +
 .../Postfix/Api/HeaderchecksController.php    | 67 +++++++++++++++
 .../Postfix/HeaderchecksController.php        | 38 ++++++++
 .../forms/dialogEditPostfixHeadercheck.xml    | 21 +++++
 .../models/OPNsense/Postfix/Headerchecks.php  | 31 +++++++
 .../models/OPNsense/Postfix/Headerchecks.xml  | 25 ++++++
 .../app/models/OPNsense/Postfix/Menu/Menu.xml |  1 +
 .../views/OPNsense/Postfix/headerchecks.volt  | 86 +++++++++++++++++++
 .../templates/OPNsense/Postfix/+TARGETS       |  2 +
 .../OPNsense/Postfix/header_checks_delivering |  9 ++
 .../OPNsense/Postfix/header_checks_receiving  |  9 ++
 .../templates/OPNsense/Postfix/main.cf        |  2 +
 13 files changed, 296 insertions(+), 1 deletion(-)
 create mode 100644 mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/HeaderchecksController.php
 create mode 100644 mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/HeaderchecksController.php
 create mode 100644 mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml
 create mode 100644 mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.php
 create mode 100644 mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.xml
 create mode 100644 mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
 create mode 100644 mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/header_checks_delivering
 create mode 100644 mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/header_checks_receiving

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 51aede1328..a87fa354de 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.15
+PLUGIN_VERSION=		1.16
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 7ebc7a2d43..8188ee8b78 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.16
+
+* Add support for header_checks (Starkstromkonsument <https://github.com/Starkstromkonsument>)
+
 1.15
 
 * Fix Log viewer
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/HeaderchecksController.php b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/HeaderchecksController.php
new file mode 100644
index 0000000000..0ff6e04f94
--- /dev/null
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/HeaderchecksController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Postfix\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class HeaderchecksController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'headerchecks';
+    protected static $internalModelClass = '\OPNsense\Postfix\Headerchecks';
+
+    public function searchHeaderchecksAction()
+    {
+        return $this->searchBase('headerchecks.headercheck', array("enabled", "expression", "filter"));
+    }
+
+    public function getHeadercheckAction($uuid = null)
+    {
+        return $this->getBase('headercheck', 'headerchecks.headercheck', $uuid);
+    }
+
+    public function addHeadercheckAction()
+    {
+        return $this->addBase('headercheck', 'headerchecks.headercheck');
+    }
+
+    public function delHeadercheckAction($uuid)
+    {
+        return $this->delBase('headerchecks.headercheck', $uuid);
+    }
+
+    public function setHeadercheckAction($uuid)
+    {
+        return $this->setBase('headercheck', 'headerchecks.headercheck', $uuid);
+    }
+
+    public function toggleHeadercheckAction($uuid)
+    {
+        return $this->toggleBase('headerchecks.headercheck', $uuid);
+    }
+}
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/HeaderchecksController.php b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/HeaderchecksController.php
new file mode 100644
index 0000000000..8c42454d1e
--- /dev/null
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/HeaderchecksController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument> 
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Postfix;
+
+class HeaderchecksController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->formDialogEditPostfixHeadercheck = $this->getForm("dialogEditPostfixHeadercheck");
+        $this->view->pick('OPNsense/Postfix/headerchecks');
+    }
+}
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml
new file mode 100644
index 0000000000..bde023d7db
--- /dev/null
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml
@@ -0,0 +1,21 @@
+<form>
+    <field>
+        <id>headercheck.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the header_check rule.</help>
+    </field>
+    <field>
+        <id>headercheck.expression</id>
+        <label>Expression</label>
+        <type>text</type>
+        <help><![CDATA[Set a regexp (POSIX regular expression) and an action to process like <pre>/^\s*User-Agent/ IGNORE</pre>Note: The regexp is not validated by this form. Please test it carefully.]]></help>
+    </field>
+    <field>
+        <id>headercheck.filter</id>
+        <label>Process filter</label>
+        <type>dropdown</type>
+        <help><![CDATA[Set when the header_check should be processed.<br>See the <a href="http://www.postfix.org/header_checks.5.html" target="_blank">Postfix manual about header_checks(5)</a>]]></help>
+        <hint>RECEIVING = header_checks / DELIVERING =  smtp_header_checks</hint>
+    </field>
+</form>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.php b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.php
new file mode 100644
index 0000000000..c55a4646b0
--- /dev/null
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace OPNsense\Postfix;
+
+use OPNsense\Base\BaseModel;
+
+/*
+    Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class Headerchecks extends BaseModel
+{
+}
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.xml
new file mode 100644
index 0000000000..8e8b48377a
--- /dev/null
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.xml
@@ -0,0 +1,25 @@
+<model>
+    <mount>//OPNsense/postfix/headerchecks</mount>
+    <description>Postfix header_checks configuration</description>
+    <version>1.0.0</version>
+    <items>
+        <headerchecks>
+            <headercheck type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <expression type="TextField">
+                    <Required>Y</Required>
+                </expression>
+                <filter type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <WHILE_DELIVERING>while delivering mail</WHILE_DELIVERING>
+                        <WHILE_RECEIVING>while receiving mail</WHILE_RECEIVING>
+                    </OptionValues>
+                </filter>
+            </headercheck>
+        </headerchecks>
+    </items>
+</model>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml
index d8aa479891..9e88d86a1b 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Menu/Menu.xml
@@ -8,6 +8,7 @@
       <Senders url="/ui/postfix/sender/index" order="40"/>
       <Senderbcc VisibleName="Sender BCC" url="/ui/postfix/senderbcc/index" order="45"/>
       <Sendercanonical VisibleName="Sender Canonical Rewriting" url="/ui/postfix/sendercanonical/index" order="48"/>
+      <Headerchecks VisibleName="Header Checks" url="/ui/postfix/headerchecks/index" order="49"/>
       <Address VisibleName="Address Rewriting" url="/ui/postfix/address/index" order="50"/>
       <LogFile VisibleName="Log File" order="50" url="/ui/diagnostics/log/core/postfix"/>
     </Postfix>
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
new file mode 100644
index 0000000000..320fb4fa07
--- /dev/null
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
@@ -0,0 +1,86 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+
+    $( document ).ready(function() {
+        /*************************************************************************************************************
+         * link grid actions
+         *************************************************************************************************************/
+
+        $("#grid-headerchecks").UIBootgrid(
+            {   'search':'/api/postfix/headerchecks/searchHeaderchecks',
+                'get':'/api/postfix/headerchecks/getHeadercheck/',
+                'set':'/api/postfix/headerchecks/setHeadercheck/',
+                'add':'/api/postfix/headerchecks/addHeadercheck/',
+                'del':'/api/postfix/headerchecks/delHeadercheck/',
+                'toggle':'/api/postfix/headerchecks/toggleHeadercheck/'
+            }
+        );
+
+    {% include 'OPNsense/Postfix/apply.volt' %}
+
+    });
+
+</script>
+
+<div class="tab-content content-box tab-content">
+    <div id="headerchecks" class="tab-pane fade in active">
+        <!-- tab page "headerchecks" -->
+        <table id="grid-headerchecks" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="dialogEditPostfixHeadercheck">
+            <thead>
+            <tr>
+                <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="expression" data-type="string" data-visible="true">{{ lang._('Expression') }}</th>
+                <th data-column-id="filter" data-type="string" data-visible="true">{{ lang._('Filter') }}</th>
+                <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+        <div class="col-md-12">
+            <hr/>
+            <button class="btn btn-primary" id="reconfigureAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="reconfigureAct_progress" class=""></i></button>
+            <br/><br/>
+        </div>
+    </div>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditPostfixHeadercheck,'id':'dialogEditPostfixHeadercheck','label':lang._('Edit header_check rule')])}}
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/+TARGETS b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/+TARGETS
index 9d7dca3cd9..a1de27fd61 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/+TARGETS
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/+TARGETS
@@ -9,3 +9,5 @@ senderbcc:/usr/local/etc/postfix/senderbcc
 recipientbcc:/usr/local/etc/postfix/recipientbcc
 smtp_auth:/usr/local/etc/postfix/smtp_auth
 sendercanonical:/usr/local/etc/postfix/sendercanonical
+header_checks_delivering:/usr/local/etc/postfix/header_checks_delivering
+header_checks_receiving:/usr/local/etc/postfix/header_checks_receiving
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/header_checks_delivering b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/header_checks_delivering
new file mode 100644
index 0000000000..0e53f977b6
--- /dev/null
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/header_checks_delivering
@@ -0,0 +1,9 @@
+{% if helpers.exists('OPNsense.postfix.general.enabled') and OPNsense.postfix.general.enabled == '1' %}
+{%   if helpers.exists('OPNsense.postfix.headerchecks.headerchecks.headercheck') %}
+{%     for headercheck_list in helpers.toList('OPNsense.postfix.headerchecks.headerchecks.headercheck') %}
+{%       if headercheck_list.enabled == '1' and headercheck_list.filter == 'WHILE_DELIVERING' %}
+{{ headercheck_list.expression }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/header_checks_receiving b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/header_checks_receiving
new file mode 100644
index 0000000000..320e7300c3
--- /dev/null
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/header_checks_receiving
@@ -0,0 +1,9 @@
+{% if helpers.exists('OPNsense.postfix.general.enabled') and OPNsense.postfix.general.enabled == '1' %}
+{%   if helpers.exists('OPNsense.postfix.headerchecks.headerchecks.headercheck') %}
+{%     for headercheck_list in helpers.toList('OPNsense.postfix.headerchecks.headerchecks.headercheck') %}
+{%       if headercheck_list.enabled == '1' and headercheck_list.filter == 'WHILE_RECEIVING' %}
+{{ headercheck_list.expression }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index d744346027..69f314b711 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -35,6 +35,8 @@ virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
 sender_bcc_maps = hash:/usr/local/etc/postfix/senderbcc
 recipient_bcc_maps = hash:/usr/local/etc/postfix/recipientbcc
 sender_canonical_maps = regexp:/usr/local/etc/postfix/sendercanonical
+header_checks = regexp:/usr/local/etc/postfix/header_checks_receiving
+smtp_header_checks = regexp:/usr/local/etc/postfix/header_checks_delivering
 ##########################
 # END SYSTEM DEFAULTS
 ##########################

From 8fe0f3a899e29c2ff684710c683450dbb6075add Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 27 Aug 2020 21:57:42 +0200
Subject: [PATCH 0209/3088] security/acme-client: release 2.0

---
 security/acme-client/Makefile                 |    2 +-
 security/acme-client/pkg-descr                |  318 ++++
 .../AcmeClient/Api/AccountsController.php     |   26 +-
 .../AcmeClient/Api/CertificatesController.php |   18 +-
 .../AcmeClient/Api/ServiceController.php      |    1 -
 .../AcmeClient/Api/SettingsController.php     |    4 +-
 .../AcmeClient/forms/dialogCertificate.xml    |    4 +-
 .../OPNsense/AcmeClient/forms/settings.xml    |    8 +-
 .../library/OPNsense/AcmeClient/LeAccount.php |  263 +++
 .../OPNsense/AcmeClient/LeAutomation/Base.php |   97 +
 .../AcmeClient/LeAutomation/Configd.php       |   51 +
 .../AcmeClient/LeAutomation/RestartGui.php    |   45 +
 .../LeAutomation/RestartHaproxy.php           |   44 +
 .../AcmeClient/LeAutomation/RestartNginx.php  |   44 +
 .../LeAutomation/UploadHighwinds.php          |   45 +
 .../AcmeClient/LeAutomation/UploadSftp.php    |   45 +
 .../AcmeClient/LeAutomationFactory.php        |   81 +
 .../AcmeClient/LeAutomationInterface.php      |   43 +
 .../OPNsense/AcmeClient/LeCertificate.php     |  650 +++++++
 .../library/OPNsense/AcmeClient/LeCommon.php  |  214 +++
 .../library/OPNsense/AcmeClient/LeUtils.php   |  189 ++
 .../OPNsense/AcmeClient/LeValidation/Base.php |  298 +++
 .../LeValidation/Dns1984hosting.php           |   45 +
 .../AcmeClient/LeValidation/DnsAcmedns.php    |   47 +
 .../AcmeClient/LeValidation/DnsAcmeproxy.php  |   46 +
 .../AcmeClient/LeValidation/DnsAd.php         |   44 +
 .../AcmeClient/LeValidation/DnsAli.php        |   45 +
 .../AcmeClient/LeValidation/DnsArvan.php      |   44 +
 .../AcmeClient/LeValidation/DnsAutodns.php    |   46 +
 .../AcmeClient/LeValidation/DnsAws.php        |   45 +
 .../AcmeClient/LeValidation/DnsAzure.php      |   47 +
 .../AcmeClient/LeValidation/DnsCf.php         |   49 +
 .../AcmeClient/LeValidation/DnsCloudns.php    |   46 +
 .../AcmeClient/LeValidation/DnsCn.php         |   45 +
 .../AcmeClient/LeValidation/DnsCx.php         |   45 +
 .../AcmeClient/LeValidation/DnsCyon.php       |   45 +
 .../AcmeClient/LeValidation/DnsDa.php         |   45 +
 .../AcmeClient/LeValidation/DnsDgon.php       |   44 +
 .../AcmeClient/LeValidation/DnsDnsimple.php   |   44 +
 .../AcmeClient/LeValidation/DnsDo.php         |   45 +
 .../AcmeClient/LeValidation/DnsDoapi.php      |   44 +
 .../AcmeClient/LeValidation/DnsDp.php         |   45 +
 .../AcmeClient/LeValidation/DnsDreamhost.php  |   44 +
 .../AcmeClient/LeValidation/DnsDuckdns.php    |   44 +
 .../AcmeClient/LeValidation/DnsDyn.php        |   46 +
 .../AcmeClient/LeValidation/DnsDynu.php       |   45 +
 .../AcmeClient/LeValidation/DnsEuserv.php     |   46 +
 .../AcmeClient/LeValidation/DnsFreedns.php    |   45 +
 .../LeValidation/DnsGandiLivedns.php          |   44 +
 .../AcmeClient/LeValidation/DnsGcloud.php     |   88 +
 .../AcmeClient/LeValidation/DnsGd.php         |   45 +
 .../AcmeClient/LeValidation/DnsGdnsdk.php     |   45 +
 .../AcmeClient/LeValidation/DnsHe.php         |   45 +
 .../AcmeClient/LeValidation/DnsHetzner.php    |   44 +
 .../AcmeClient/LeValidation/DnsHostingde.php  |   45 +
 .../AcmeClient/LeValidation/DnsInfoblox.php   |   45 +
 .../AcmeClient/LeValidation/DnsInwx.php       |   45 +
 .../AcmeClient/LeValidation/DnsIspconfig.php  |   47 +
 .../AcmeClient/LeValidation/DnsJoker.php      |   45 +
 .../AcmeClient/LeValidation/DnsKinghost.php   |   45 +
 .../AcmeClient/LeValidation/DnsKnot.php       |   45 +
 .../AcmeClient/LeValidation/DnsLeaseweb.php   |   44 +
 .../AcmeClient/LeValidation/DnsLexicon.php    |   55 +
 .../AcmeClient/LeValidation/DnsLinode.php     |   46 +
 .../AcmeClient/LeValidation/DnsLinodeV4.php   |   46 +
 .../AcmeClient/LeValidation/DnsLoopia.php     |   46 +
 .../AcmeClient/LeValidation/DnsLua.php        |   45 +
 .../AcmeClient/LeValidation/DnsMe.php         |   45 +
 .../AcmeClient/LeValidation/DnsMiab.php       |   46 +
 .../AcmeClient/LeValidation/DnsNamecheap.php  |   51 +
 .../AcmeClient/LeValidation/DnsNamecom.php    |   45 +
 .../AcmeClient/LeValidation/DnsNamesilo.php   |   46 +
 .../AcmeClient/LeValidation/DnsNetcup.php     |   48 +
 .../AcmeClient/LeValidation/DnsNsone.php      |   44 +
 .../AcmeClient/LeValidation/DnsNsupdate.php   |   52 +
 .../AcmeClient/LeValidation/DnsOpnsense.php   |   54 +
 .../AcmeClient/LeValidation/DnsOvh.php        |   47 +
 .../AcmeClient/LeValidation/DnsPdns.php       |   46 +
 .../AcmeClient/LeValidation/DnsPleskxml.php   |   46 +
 .../LeValidation/DnsSchlundtech.php           |   45 +
 .../AcmeClient/LeValidation/DnsSelectel.php   |   44 +
 .../AcmeClient/LeValidation/DnsServercow.php  |   45 +
 .../AcmeClient/LeValidation/DnsUnoeuro.php    |   45 +
 .../AcmeClient/LeValidation/DnsVariomedia.php |   44 +
 .../AcmeClient/LeValidation/DnsVscale.php     |   44 +
 .../AcmeClient/LeValidation/DnsYandex.php     |   44 +
 .../AcmeClient/LeValidation/DnsZilore.php     |   44 +
 .../AcmeClient/LeValidation/DnsZonomi.php     |   44 +
 .../AcmeClient/LeValidation/HttpOpnsense.php  |  140 ++
 .../AcmeClient/LeValidationFactory.php        |   90 +
 .../AcmeClient/LeValidationInterface.php      |   49 +
 .../models/OPNsense/AcmeClient/AcmeClient.xml |   18 +-
 .../models/OPNsense/AcmeClient/Menu/Menu.xml  |    4 +-
 .../OPNsense/AcmeClient/Migrations/M2_0_0.php |   54 +
 .../views/OPNsense/AcmeClient/accounts.volt   |  290 ++-
 .../OPNsense/AcmeClient/certificates.volt     |    7 +-
 .../views/OPNsense/AcmeClient/settings.volt   |    2 +-
 .../OPNsense/AcmeClient/validations.volt      |    4 +-
 .../OPNsense/AcmeClient/certhelper.php        | 1655 -----------------
 .../scripts/OPNsense/AcmeClient/lecert.php    |  193 ++
 .../conf/actions.d/actions_acmeclient.conf    |   22 +-
 101 files changed, 6363 insertions(+), 1710 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Configd.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartGui.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartHaproxy.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartNginx.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadHighwinds.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadSftp.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Dns1984hosting.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmedns.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmeproxy.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAd.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsArvan.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAutodns.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAws.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCloudns.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCn.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCx.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCyon.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDa.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDgon.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsimple.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDo.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDoapi.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDp.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDreamhost.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDuckdns.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDyn.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDynu.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEuserv.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFreedns.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGd.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGdnsdk.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHe.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHetzner.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHostingde.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInfoblox.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIspconfig.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsJoker.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKinghost.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKnot.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLeaseweb.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLexicon.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinode.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinodeV4.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLoopia.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLua.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMe.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMiab.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecom.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNetcup.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsone.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOpnsense.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOvh.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPdns.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPleskxml.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSchlundtech.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsServercow.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsUnoeuro.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVariomedia.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVscale.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsYandex.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZilore.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZonomi.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M2_0_0.php
 delete mode 100755 security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
 create mode 100755 security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 9c9d25f782..97a5889dff 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		1.36
+PLUGIN_VERSION=		2.0
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 25a85e16d6..ad11ff7def 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -4,3 +4,321 @@ and smallest and smartest shell script" to automatically issue and renew
 the free certificates from Let's Encrypt.
 
 WWW: https://github.com/acmesh-official/acme.sh
+
+Plugin Changelog
+================
+
+2.0
+
+Added:
+* add new OOP backend to improve reliability and maintainability (#1398)
+* add status for accounts to backend and WebGUI
+* add button to manually trigger account registration
+* add plugin changelog
+
+Fixed:
+* fix bug where configuration could get lost (#1526)
+* fix Cyon DNS API (password not set)
+
+Changed:
+* now an Automation may run multiple times during bulk issue/renewal (previously only once)
+* rename "Validation Methods" to "Challenge Types" to adopt official LE wording
+* rename Menu entry "Automation" to "Automations"
+* specify python version for gcloud SDK
+* rephrase several log messages
+* add more detailed output when debug logging is enabled
+
+1.36
+
+Added:
+* add ability to rerun automations (#1962)
+
+1.35
+
+Added:
+* add support for Linode Cloud API (#1940)
+* add support for 1984Hosting API (#1945)
+
+Changed:
+* remove outdated bundled version of dns_opnsense.sh (#1888)
+
+1.34
+
+Added:
+* add support for dnsapi ArvanCloud (#1834)
+* add support for dnsapi Hetzner (#1870)
+
+Changed:
+* restore proper sorting in DNS API list
+
+1.33
+
+Added:
+* add NSUPDATE_ZONE support to nsupdate DNS-01 service (#1851)
+
+1.32
+
+Added:
+* add support for Acmeproxy DNS provider (#1838)
+
+Changed:
+* improve support for dnsapi Euserv.eu (#1790)
+
+1.31
+
+Added:
+* add support for dnsapi SchlundTech (#1728)
+* add support for dnsapi Euserv (#1779)
+* add support for dnsapi Leaseweb (#1670)
+
+Changed:
+* sftp export: make the "fullchain" filename configurable (#1776)
+
+1.30
+
+Changed:
+* update acme.sh GitHub link to new repo URL (#1744)
+
+1.29
+
+Added:
+* add support for CloudFlare token (#1625)
+* add support for MailinaBox DNS API (#1531)
+* add support for Plesk XML API (#1567)
+* add support for Variomedia DNS API
+
+Fixed:
+* fix IPv6 support for "automatic port forward" validation method (#1590)
+
+Changed:
+* validate IPv4 and IPv6 addresses before using them for "automatic port forward"
+* enable IPv6 support on local ACME webservice (when system.ipv6allow is enabled)
+
+1.28
+
+Changed:
+* correct minor spelling error (#1628)
+* log filename not compatible with new log view (#1593)
+
+1.27
+
+Added:
+* add support for Loopia DNS API (#1529)
+* automations can now restart Captive Portal or IPsec service after cert renewal (#1534)
+* add support for 60+ DNS APIs through Lexicon (#1524)
+
+Fixed:
+* don't break accounts when switching between stg/prod Let's Encrypt environments (#1528)
+
+Changed:
+* add py-dns-lexicon as plugin dependency to support it in DNS-01 out-of-the-box
+* support acme.sh debug log level 2 and 3 (#1546)
+
+1.26
+
+Added:
+* new automation: support cert upload via sftp (#1455)
+* add support for OPNsense's BIND plugin (#1491)
+* add support for DNS alias mode (#1492, #1301)
+
+Changed:
+* add headers for certificate options for the sake of clarity
+
+1.25
+
+Added:
+* add support for netcup DNS API (#1350)
+
+Fixed:
+* updating an existing cert in Highwinds API failed with a 404 error (wrong HTTP method)
+
+Changed:
+* fix "Use of undefined constant" PHP errors
+* treat certificate serial number as string not as integer
+* move "remove certificate" button to the end of the button list
+
+1.24
+
+Added:
+* add support for Domain-Offensive LetsEncrypt API dns_doapi (#1294)
+* add support for Namecheap API (dns_namecheap)
+* add support for Google Cloud DNS API dns_gcloud (#549)
+* run acme.sh --remove when a cert is removed from the GUI (#1380)
+* add a new button to remove the private key (#990)
+
+Fixed:
+* certificate status not correctly updated (#1307)
+
+Changed:
+* add log message when certificate status is updated (refs #1307)
+
+1.23
+
+Fixed:
+* renewal interval is ignored (#1221)
+
+1.22
+
+Added:
+* support DNS-01 with hosting.de API (#1234)
+
+Changed:
+* streamline log messages, use "AcmeClient" instead of "LE"
+
+1.21
+
+Added:
+* possible breaking change: the API endpoint to update individual certs/accounts/etc. has been renamed from "set" to "update"
+
+Fixed:
+* bulk deleting does not work (#1163)
+
+Changed:
+* migrate to mutable controller (required to fix #1163)
+
+1.20
+
+Added:
+* new button to reset all acme states, useful after importing a config backup to a new installation (#243)
+
+1.19
+
+Added:
+* new automation: automatically upload certificates to Highwinds CDN (proof-of-concept, support for other APIs possible)
+
+Changed:
+* rename "Restart Actions" to "Automation" (the old name has always been rather clumsy)
+* change "Automation" position in Menu (it's optional, the new position reflects this)
+
+1.18
+
+Added:
+* add support for GratisDNS.dk (#1042)
+* add support for ACME DNS
+
+1.17
+
+Fixed:
+* fix OCSP always enabled (#794)
+* fix acme operations when using multiple accounts (#789)
+
+1.16
+
+Added:
+* add support for OCSP Must Staple extension
+
+Fixed:
+* fix ecc certs renewal bug
+
+1.15
+
+Added:
+* add support to multiple dns api providers (#712)
+
+Changed:
+* mask passwords by using password fields (#707)
+
+1.14
+
+Added:
+* add support for ClouDNS (#574)
+
+1.13
+
+Added:
+* update acme.sh to 2.7.5 (#418)
+
+Changed:
+* fix missing fields for several DNS providers (#481)
+
+1.12
+
+Added:
+* compatibility with HAProxy plugin version 2.0 (refs #330)
+
+Fixed:
+* fix missing fields for Hurricane Electric (#334)
+
+1.11
+
+Fixed:
+* add missing field for DuckDNS (#287)
+
+1.9
+
+Added:
+* update acme.sh to version 2.7.2 (#210)
+* add support for new DNS API hooks (#225)
+
+Fixed:
+* Rename Certificate "Name" to "Common Name" for better clarity (#214)
+* Fix title in "Renew" and "Revoke" dialogs
+* Add dependency to BIND to fix nsupdate support
+* fix 'Compilation failed: number too big' (#227)
+
+1.8
+
+Added:
+* drop bundled acme.sh in favour of the FreeBSD port
+
+Fixed:
+* rename validation method "OPNsense Port Forward" to "OPNsense Web Service" to make it more clear that we're using an internal web service
+
+1.7
+
+Fixed:
+* fix $backend is not declared (#132)
+* fix null exception in api
+
+1.6
+
+Fixed:
+* fix broken translation strings
+
+1.5
+
+Fixed:
+* try to solve disconnection issue (mostly during auto-renewal) (#109)
+* try to fix "Node no longer exists"
+
+1.4
+
+Changed:
+* rename label "Validation Method" to "Challenge Type"
+
+1.3
+
+Changed:
+* remove support for custom restart actions (#100)
+* avoid log message on missing restart action
+* simplify JS code
+
+1.2
+
+Fixed:
+* properly import CA certificates (#84)
+* don't make sensitive data world-readable
+
+Changed:
+* hide params for restart actions when not selected
+* remove prefixes from validation name
+* hide http service entries when not selected
+* log acme status for each cert
+
+1.1
+
+Added:
+* add HAProxy integration
+
+Fixed:
+* avoid API exception when HAProxy integration is incomplete
+* avoid error message if no restart action was specified
+* do not run restart actions if cert was not changed
+
+Changed:
+* add hide() trickery to hide entries when not selected
+* relax fields validation (#70)
+
+1.0
+
+Initial release (#6)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
index b8bcc901a0..ef6dfbf2d6 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
@@ -33,6 +33,7 @@
 
 use OPNsense\Base\ApiMutableModelControllerBase;
 use OPNsense\Base\UIModelGrid;
+use OPNsense\Core\Backend;
 use OPNsense\Core\Config;
 use OPNsense\AcmeClient\AcmeClient;
 
@@ -73,6 +74,29 @@ public function toggleAction($uuid, $enabled = null)
 
     public function searchAction()
     {
-        return $this->searchBase('accounts.account', array('enabled', 'name', 'email'), 'name');
+        return $this->searchBase('accounts.account', array('enabled', 'name', 'email', 'statusCode', 'statusLastUpdate'), 'name');
+    }
+
+    /**
+     * register account by uuid
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function registerAction($uuid)
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlAcme = new AcmeClient();
+
+            if ($uuid != null) {
+                $node = $mdlAcme->getNodeByReference('accounts.account.' . $uuid);
+                if ($node != null) {
+                    $backend = new Backend();
+                    $response = $backend->configdRun("acmeclient register-account ${uuid}");
+                    return array("response" => $response);
+                }
+            }
+        }
+        return $result;
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
index 0159e46310..5a56a56a09 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
@@ -69,9 +69,11 @@ public function delAction($uuid)
         if ($uuid != null) {
             $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
             if ($node != null) {
-                $cert_id = $node->id;
                 $backend = new Backend();
-                $response = $backend->configdRun("acmeclient remove-cert {$cert_id}");
+                $response = $backend->configdRun("acmeclient remove-cert {$uuid}");
+                // Give configd some time to start this operation before the
+                // cert is removed from config.
+                sleep(2);
             }
         }
         return $this->delBase('certificates.certificate', $uuid);
@@ -101,9 +103,8 @@ public function signAction($uuid)
             if ($uuid != null) {
                 $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
                 if ($node != null) {
-                    $cert_id = $node->id;
                     $backend = new Backend();
-                    $response = $backend->configdRun("acmeclient sign-cert {$cert_id}");
+                    $response = $backend->configdRun("acmeclient sign-cert ${uuid}");
                     return array("response" => $response);
                 }
             }
@@ -123,9 +124,8 @@ public function removekeyAction($uuid)
         if ($uuid != null) {
             $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
             if ($node != null) {
-                $cert_id = $node->id;
                 $backend = new Backend();
-                $response = $backend->configdRun("acmeclient remove-key {$cert_id}");
+                $response = $backend->configdRun("acmeclient remove-key ${uuid}");
             }
         }
         return $result;
@@ -145,9 +145,8 @@ public function revokeAction($uuid)
             if ($uuid != null) {
                 $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
                 if ($node != null) {
-                    $cert_id = $node->id;
                     $backend = new Backend();
-                    $response = $backend->configdRun("acmeclient revoke-cert {$cert_id}");
+                    $response = $backend->configdRun("acmeclient revoke-cert ${uuid}");
                     return array("response" => $response);
                 }
             }
@@ -167,9 +166,8 @@ public function automationAction($uuid)
         if ($uuid != null) {
             $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
             if ($node != null) {
-                $cert_id = $node->id;
                 $backend = new Backend();
-                $response = $backend->configdRun("acmeclient run-automation {$cert_id}");
+                $response = $backend->configdRun("acmeclient run-automation ${uuid}");
             }
         }
         return $result;
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
index 23264d2b53..d7de8f5f33 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
@@ -182,7 +182,6 @@ public function configtestAction()
         // finally run the syntax check
         $response = $backend->configdRun("acmeclient configtest");
         return array("result" => $response);
-        // TODO: We may also want to check for duplicate cert names, etc.
     }
 
     /**
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index f093bb840b..3dcd37d54c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -384,7 +384,7 @@ public function fetchHAProxyIntegrationAction()
     }
 
     /**
-     * Check wether the Google Cloud plugin is installed.
+     * Check whether the Google Cloud plugin is installed.
      * @return array status action
      */
     public function getGcloudPluginStatusAction()
@@ -402,7 +402,7 @@ public function getGcloudPluginStatusAction()
     }
 
     /**
-     * Check wether the BIND plugin is installed.
+     * Check whether the BIND plugin is installed.
      * @return array status action
      */
     public function getBindPluginStatusAction()
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index 303b5e5615..0fd183462d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -42,9 +42,9 @@
     </field>
     <field>
         <id>certificate.validationMethod</id>
-        <label>Validation Method</label>
+        <label>Challenge Type</label>
         <type>dropdown</type>
-        <help><![CDATA[Set the Let's Encrypt validation method for this certificate.]]></help>
+        <help><![CDATA[Set the Let's Encrypt challenge type for this certificate.]]></help>
     </field>
     <field>
         <id>certificate.autoRenewal</id>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index 242f42010f..28cee3b6c3 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -9,19 +9,19 @@
         <id>acmeclient.settings.autoRenewal</id>
         <label>Auto Renewal</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable automatic renewal for certificates to prevent expiration. This will add a cronjob to the system. You may want to customize the cronjob schedule to your needs, because re-issueing a certificate may lead to a short downtime, depending on the selected validation method and service.]]></help>
+        <help><![CDATA[Enable automatic renewal for certificates to prevent expiration. This will add a cronjob to the system. You may want to customize the cronjob schedule to your needs, because re-issueing a certificate may lead to a short downtime, depending on the selected challenge type and service.]]></help>
     </field>
     <field>
         <id>acmeclient.settings.environment</id>
         <label>Let's Encrypt Environment</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose Let's Encrypts staging environment when using it for the first time or while testing new validation methods. The staging environment offers <a href="https://letsencrypt.org/docs/staging-environment/">relaxed rate limits</a>.<br/><div class="text-info"><b>NOTE:</b>Certificates signed by the staging environment are NOT valid. You need to forcefully re-sign (or delete and re-create) them after switching from staging to production environment.</div>]]></help>
+        <help><![CDATA[Choose Let's Encrypts staging environment when using it for the first time or while testing new challenge types. The staging environment offers <a href="https://letsencrypt.org/docs/staging-environment/">relaxed rate limits</a>.<br/><div class="text-info"><b>NOTE:</b>Certificates signed by the staging environment are NOT valid. You need to forcefully re-sign (or delete and re-create) them after switching from staging to production environment.</div>]]></help>
     </field>
     <field>
         <id>acmeclient.settings.haproxyIntegration</id>
         <label>HAProxy Integration</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable automatic integration with the OPNsense HAProxy plugin. <b>Requires that the OPNsense HAProxy plugin is installed.</b> This will automatically add the required backend, server, action and ACL for you. You just need to select your HAProxy frontend when configuration the certificate or validation method. <div class="text-info"><b>NOTE:</b>This will only work for HTTP-01 validation and HAProxy frontends running in <i>http</i> mode; TCP frontends are not supported.</div>]]></help>
+        <help><![CDATA[Enable automatic integration with the OPNsense HAProxy plugin. <b>Requires that the OPNsense HAProxy plugin is installed.</b> This will automatically add the required backend, server, action and ACL for you. You just need to select your HAProxy frontend when configuration the certificate or challenge type. <div class="text-info"><b>NOTE:</b>This will only work for HTTP-01 validation and HAProxy frontends running in <i>http</i> mode; TCP frontends are not supported.</div>]]></help>
     </field>
     <field>
         <id>acmeclient.settings.logLevel</id>
@@ -33,7 +33,7 @@
         <id>acmeclient.settings.challengePort</id>
         <label>Local HTTP Port</label>
         <type>text</type>
-        <help><![CDATA[When using HTTP-01 as validation method, a local webserver is used to provide acme challenge data to the Let's Encrypt servers. The local webserver is NOT directly exposed to the outside and should NOT use port 80 or any other well-known port. This setting allows you to change the local port of this webserver in case it interferes with another local service. Defaults to port 43580.]]></help>
+        <help><![CDATA[When using HTTP-01 as challenge type, a local webserver is used to provide acme challenge data to the Let's Encrypt servers. The local webserver is NOT directly exposed to the outside and should NOT use port 80 or any other well-known port. This setting allows you to change the local port of this webserver in case it interferes with another local service. Defaults to port 43580.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
new file mode 100644
index 0000000000..4f13e67a90
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -0,0 +1,263 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient;
+
+use OPNsense\Core\Config;
+
+/**
+ * Manage Let's Encrypt accounts with acme.sh
+ * @package OPNsense\AcmeClient
+ */
+class LeAccount extends LeCommon
+{
+    public const CONFIG_PATH = 'accounts.account';
+
+    /*
+     * create the object by collecting and storing all required data
+     * @param $uuid string the UUID of the configuration object
+     */
+    public function __construct(string $uuid)
+    {
+        // Store basic information
+        $this->uuid = $uuid;
+
+        // Get config object
+        $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+
+        // Set log level
+        $this->setLoglevel();
+
+        // Set Let's Encrypt environment
+        $this->setEnvironment();
+
+        // Store acme filenames
+        $this->acme_args[] = '--home ' . self::ACME_HOME_DIR;
+    }
+
+    /**
+     * generate private key and ACME config for this account
+     */
+    public function generateKey()
+    {
+        // Collect account information
+        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . (string)$this->config->id . '_' . $this->environment;
+        $account_conf_file = $account_conf_dir . '/account.conf';
+        $account_key_file = $account_conf_dir . '/account.key';
+        $account_json_file = $account_conf_dir . '/account.json';
+        $account_ca_file = $account_conf_dir . '/ca.conf';
+        $acme_conf = array();
+        $acme_conf[] = "CERT_HOME='" . self::ACME_HOME_DIR . "'";
+        $acme_conf[] = "LOG_FILE='" . self::ACME_LOG_FILE . "'";
+        $acme_conf[] = "ACCOUNT_KEY_PATH='" . $account_key_file . "'";
+        $acme_conf[] = "ACCOUNT_JSON_PATH='" . $account_json_file . "'";
+        $acme_conf[] = "CA_CONF='" . $account_ca_file . "'";
+        if (!empty((string)$this->config->email)) {
+            $acme_conf[] = "ACCOUNT_EMAIL='" . (string)$this->config->email . "'";
+        }
+
+        // Store some values for later re-use
+        $this->account_conf_file = $account_conf_file;
+
+        // Create account configuration file
+        if (!is_dir($account_conf_dir)) {
+            mkdir($account_conf_dir, 0700, true);
+        }
+        file_put_contents($account_conf_file, (string)implode("\n", $acme_conf) . "\n");
+        chmod($account_conf_file, 0600);
+
+        // Check if account key already exists both in filesystem and in config
+        if (!is_file($account_key_file) || empty((string)$this->config->key)) {
+            LeUtils::log_debug('creating account key for ' . (string)$this->config->name, $this->debug);
+
+            // Check if we have an account key in our configuration
+            if (!empty((string)$this->config->key)) {
+                LeUtils::log_debug('exporting existing account key to filesystem for ' . (string)$this->config->name, $this->debug);
+                // Write key to disk
+                file_put_contents($account_key_file, (string)base64_decode((string)$this->config->key));
+                chmod($account_key_file, 0600);
+                return true;
+            } else {
+                LeUtils::log_debug('generating a new account key for ' . (string)$this->config->name, $this->debug);
+                // Preparation to run acme client
+                $proc_env = $this->acme_env; // env variables for proc_open()
+                $proc_env['PATH'] = $this::ACME_ENV_PATH;
+                $proc_desc = array(  // descriptor array for proc_open()
+                    0 => array("pipe", "r"), // stdin
+                    1 => array("pipe", "w"), // stdout
+                    2 => array("pipe", "w")  // stderr
+                );
+                $proc_pipes = array();
+
+                // Run acme client to generate a account key
+                $acmecmd = '/usr/local/sbin/acme.sh '
+                  . '--createAccountKey '
+                  . implode(' ', $this->acme_args) . ' '
+                  . '--accountkeylength ' . self::ACME_ACCOUNT_KEY_LENGTH . ' '
+                  . "--accountconf ${account_conf_file}";
+                LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+                $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
+
+                // Make sure the resource could be setup properly
+                if (is_resource($proc)) {
+                    // Close all pipes
+                    fclose($proc_pipes[0]);
+                    fclose($proc_pipes[1]);
+                    fclose($proc_pipes[2]);
+                    // Get exit code
+                    $result = proc_close($proc);
+                } else {
+                    LeUtils::log_error('unable to start acme client process');
+                    $this->setStatus(500);
+                    return false;
+                }
+
+                // Check exit code
+                if ($result) {
+                    LeUtils::log_error('failed to create a new account key for ' . (string)$this->config->name);
+                    $this->setStatus(300);
+                    return false;
+                }
+
+                // Read account key file
+                $account_key_content = @file_get_contents($account_key_file);
+                if (empty($account_key_content) || ($account_key_content == false)) {
+                    LeUtils::log_error("unable to read account key from file ${account_key_file}");
+                    $this->setStatus(500);
+                    return false;
+                }
+
+                // Reload to get most recent config
+                Config::getInstance()->forceReload();
+                $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+
+                // Import account key into config
+                $this->config->key = base64_encode($account_key_content);
+
+                // Serialize to config and save
+                $this->model->serializeToConfig();
+                Config::getInstance()->save();
+
+                // Refresh config objects
+                Config::getInstance()->forceReload();
+                $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+
+                if (empty((string)$this->config->key)) {
+                    $this->setStatus(500);
+                    LeUtils::log_error('failed to save account key for ' . (string)$this->config->name);
+                    return false;
+                }
+                LeUtils::log_debug('successfully created account key for ' . (string)$this->config->name, $this->debug);
+                return true;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * check if account is already registered
+     * @return bool
+     */
+    public function isRegistered()
+    {
+        if (!empty((string)$this->config->statusLastUpdate) and !empty((string)$this->config->key) and ((string)$this->config->statusCode == '200')) {
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * register account with Let's Encrypt
+     * @return bool
+     */
+    public function register()
+    {
+        if (!($this->isEnabled())) {
+            LeUtils::log('ignoring disabled account: ' . (string)$this->config->name);
+            return false;
+        }
+
+        // Make sure a private already exists
+        if (!($this->generateKey())) {
+            LeUtils::log_error('aborting registration due to issues with account key: ' . (string)$this->config->name);
+            return false;
+        }
+
+        // Check if account is already registered
+        if (!($this->isRegistered())) {
+            LeUtils::log_debug('starting account registration for ' . (string)$this->config->name, $this->debug);
+
+            // Preparation to run acme client
+            $proc_env = $this->acme_env; // env variables for proc_open()
+            $proc_env['PATH'] = $this::ACME_ENV_PATH;
+            $proc_desc = array(  // descriptor array for proc_open()
+                0 => array("pipe", "r"), // stdin
+                1 => array("pipe", "w"), // stdout
+                2 => array("pipe", "w")  // stderr
+            );
+            $proc_pipes = array();
+
+            // Run acme client
+            $acmecmd = '/usr/local/sbin/acme.sh '
+              . '--registeraccount '
+              . implode(' ', $this->acme_args) . ' '
+              . '--accountconf ' . $this->account_conf_file;
+            LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+            $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
+
+            // Make sure the resource could be setup properly
+            if (is_resource($proc)) {
+                // Close all pipes
+                fclose($proc_pipes[0]);
+                fclose($proc_pipes[1]);
+                fclose($proc_pipes[2]);
+                // Get exit code
+                $result = proc_close($proc);
+            } else {
+                LeUtils::log_error('unable to start acme client process');
+                $this->setStatus(500);
+                return false;
+            }
+
+            // Check validation result
+            if ($result) {
+                LeUtils::log_error('account registration failed for ' . $this->config->name);
+                $this->setStatus(400);
+                return false;
+            }
+
+            // Update account status.
+            LeUtils::log_error('account registration successful for ' . $this->config->name);
+            $this->setStatus(200);
+        } else {
+            LeUtils::log_debug('account already registered: ' . (string)$this->config->name, $this->debug);
+        }
+
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
new file mode 100644
index 0000000000..cb4ad40f12
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -0,0 +1,97 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall (derived from OPNsense\Backup)
+ * Copyright (C) 2018 Deciso B.V.
+ * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
+use OPNsense\AcmeClient\LeAccount;
+use OPNsense\AcmeClient\LeUtils;
+
+/**
+ * LeAutomation stub file, contains shared logic for all automations.
+ * @package OPNsense\AcmeClient
+ */
+abstract class Base extends \OPNsense\AcmeClient\LeCommon
+{
+    public const CONFIG_PATH = 'actions.action';
+
+    /**
+     * Initialize LeAutomation object by adding the required configuration.
+     * @return boolean
+     */
+    public function init(string $certid, string $accountuuid)
+    {
+        // Get config object
+        $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+
+        // Get account object to query ID
+        $account = new LeAccount($accountuuid);
+
+        // Store auxiliary information (required to glue stuff together)
+        $this->cert_id = $certid;
+        $this->account_id = (string)$account->id;
+        $this->account_uuid = (string)$account->uuid;
+
+        // Set log level
+        $this->setLoglevel();
+
+        // Set Let's Encrypt environment
+        $this->setEnvironment();
+
+        return true;
+    }
+
+    /**
+     * run all tasks related to this automation
+     * @return boolean
+     */
+    public function run()
+    {
+        if (!($this->isEnabled())) {
+            LeUtils::log('ignoring disabled automation: ' . (string)$this->config->name);
+            return true; // not an error
+        }
+
+        LeUtils::log('running automation: ' . $this->config->name);
+        $backend = new \OPNsense\Core\Backend();
+        $response = $backend->configdRun((string)$this->command, $this->command_args);
+        return true;
+    }
+
+    /**
+     * get automation type from configuration
+     * @return string
+     */
+    public function getType()
+    {
+        return $this->config->type;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Configd.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Configd.php
new file mode 100644
index 0000000000..810fafab54
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Configd.php
@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+use OPNsense\AcmeClient\LeUtils;
+
+/**
+ * Run selected configd command
+ * @package OPNsense\AcmeClient
+ */
+class Configd extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        // Make sure a configd command was specified.
+        if (empty((string)$this->config->configd)) {
+            LeUtils::log_error('no configd command specified for automation: ' . $this->config->name);
+            return false;
+        }
+
+        $this->command = (string)$this->config->configd;
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartGui.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartGui.php
new file mode 100644
index 0000000000..e63cf479e5
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartGui.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Restart OPNsense WebGUI
+ * @package OPNsense\AcmeClient
+ */
+class RestartGui extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->command = 'webgui restart 2';
+        $this->command_args = true;
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartHaproxy.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartHaproxy.php
new file mode 100644
index 0000000000..c40e9fce7c
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartHaproxy.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Restart local HAProxy service
+ * @package OPNsense\AcmeClient
+ */
+class RestartHaproxy extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->command = 'haproxy restart';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartNginx.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartNginx.php
new file mode 100644
index 0000000000..fc803e78ad
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartNginx.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Restart local Nginx service
+ * @package OPNsense\AcmeClient
+ */
+class RestartNginx extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->command = 'nginx restart';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadHighwinds.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadHighwinds.php
new file mode 100644
index 0000000000..1e9bfdcba3
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadHighwinds.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Upload certificate to Highwinds CDN API
+ * @package OPNsense\AcmeClient
+ */
+class UploadHighwinds extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $command = 'acmeclient upload_highwinds ' . $this->cert_id . ' ' . $this->config->id;
+        $this->command = $command;
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadSftp.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadSftp.php
new file mode 100644
index 0000000000..11770c8f5e
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadSftp.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Upload certificate via SFTP to arbitrary hosts
+ * @package OPNsense\AcmeClient
+ */
+class UploadSftp extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $command = 'acmeclient upload-sftp ' . $this->cert_id . ' ' . $this->config->id;
+        $this->command = $command;
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
new file mode 100644
index 0000000000..5c6b531777
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
@@ -0,0 +1,81 @@
+<?php
+
+/**
+ * Copyright (C) 2020 Frank Wall (derived from OPNsense/Auth)
+ * Copyright (C) 2018 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient;
+
+use \OPNsense\AcmeClient\AcmeClient;
+
+/**
+* Class LeAutomationFactory
+* @package OPNsense\AcmeClient
+*/
+class LeAutomationFactory
+{
+    public const CONFIG_PATH = 'actions.action';
+
+    /**
+     * create an automation object from a UUID
+     * @param $uuid string UUID of the automation object
+     * @return LeAutomation object or null if not found
+     */
+    public function getAutomation(string $uuid)
+    {
+        // Ensure that the automation can be found in config.
+        $model = new \OPNsense\AcmeClient\AcmeClient();
+        $obj = $model->getNodeByReference(self::CONFIG_PATH . '.' . $uuid);
+        if ($obj == null) {
+            LeUtils::log_error("automation not found: ${uuid}");
+            return null;
+        }
+
+        // Convert to PascalCase, required to find the class name.
+        $auto_name = str_replace(' ', '', ucwords(str_replace(array('-', '_'), ' ', (string)$obj->type)));
+
+        // Search class name
+        foreach (glob(__DIR__ . "/LeAutomation/*.php") as $filename) {
+            $file_found = basename($filename, '.php');
+            try {
+                $reflClass = new \ReflectionClass("OPNsense\\AcmeClient\\LeAutomation\\{$file_found}");
+            } catch (\ReflectionException $e) {
+                break;
+            }
+            if ($reflClass->implementsInterface('OPNsense\\AcmeClient\\LeAutomationInterface')) {
+                if ($file_found == $auto_name) {
+                    // Create new object
+                    $objAuto = $reflClass->newInstance();
+                    $objAuto->setUuid($uuid);
+                    return $objAuto;
+                }
+            }
+        }
+
+        LeUtils::log_error("automation not supported: " . (string)$obj->type . " (${uuid})");
+        return null;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
new file mode 100644
index 0000000000..6fb9b1f883
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
@@ -0,0 +1,43 @@
+<?php
+
+/**
+ * Copyright (C) 2020 Frank Wall (derived from OPNsense\Backup)
+ * Copyright (C) 2018 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient;
+
+/**
+ * Interface for Let's Encrypt automations
+ * @package OPNsense\AcmeClient
+ */
+interface LeAutomationInterface
+{
+    /**
+     * add configuration that is required only for this specific automation
+     * @return bool
+     */
+    public function prepare();
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
new file mode 100644
index 0000000000..36ac2aa4bb
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -0,0 +1,650 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient;
+
+// Load legacy functions for import()
+require_once("certs.inc");
+
+use OPNsense\Core\Config;
+use OPNsense\AcmeClient\LeAccount;
+use OPNsense\AcmeClient\LeAutomationFactory;
+use OPNsense\AcmeClient\LeValidationFactory;
+
+/**
+ * Manage Let's Encrypt certificates with acme.sh
+ * @package OPNsense\AcmeClient
+ */
+class LeCertificate extends LeCommon
+{
+    public const CONFIG_PATH = 'certificates.certificate';
+
+    /*
+     * create the object by collecting and storing all required data
+     * @param $uuid string the UUID of the configuration object
+     */
+    public function __construct(string $uuid, bool $force = false)
+    {
+        // Store basic information
+        $this->uuid = $uuid;
+        $this->force = $force;
+
+        // Get config object
+        $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+
+        // Get account object to query ID
+        $account = new LeAccount((string)$this->config->account);
+        if (empty($account) || $account == null) {
+            LeUtils::log_error('unable to load account information: ' . (string)$this->config->account);
+            return false;
+        }
+
+        // Store auxiliary information (required to glue stuff together)
+        $this->account_id = (string)$account->getId();
+        $this->account_uuid = (string)$account->getUuid();
+
+        // Set log level
+        $this->setLoglevel();
+
+        // Set Let's Encrypt environment
+        $this->setEnvironment();
+
+        // Handle special key types
+        if ($this->config->keyLength == 'key_ec256' || $this->config->keyLength == 'key_ec384') {
+            // Pass --ecc to acme client to locate the correct cert directory
+            $this->acme_args[] = '--ecc';
+        }
+
+        // Store cert filenames
+        $this->cert_file = (string)sprintf(self::ACME_CERT_FILE, $this->config->id);
+        $this->cert_key_file = (string)sprintf(self::ACME_KEY_FILE, $this->config->id);
+        $this->cert_chain_file = (string)sprintf(self::ACME_CHAIN_FILE, $this->config->id);
+        $this->cert_fullchain_file = (string)sprintf(self::ACME_FULLCHAIN_FILE, $this->config->id);
+
+        // Store acme filenames
+        $this->acme_args[] = '--home ' . self::ACME_HOME_DIR;
+        $this->acme_args[] = '--certpath ' . $this->cert_file;
+        $this->acme_args[] = '--keypath ' . $this->cert_key_file;
+        $this->acme_args[] = '--capath ' . $this->cert_chain_file;
+        $this->acme_args[] = '--fullchainpath ' . $this->cert_fullchain_file;
+    }
+
+    /**
+     * Import the certificate into OPNsense's trust storage.
+     * @param bool $skip_validation try to import even if some checks fail
+     * @return bool
+     */
+    public function import(bool $skip_validation = false)
+    {
+        if (!($this->isEnabled())) {
+            LeUtils::log("ignoring disabled certificate: " . (string)$this->config->name);
+            return false;
+        }
+
+        // Cannot import if certificate was not issued yet.
+        // NOTE: When the certificate was just issued, then the cert status
+        // does not reflect this yet and must be ignored by setting $skip_validation.
+        if (!($this->isIssued()) && !($skip_validation)) {
+            LeUtils::log('ignoring import request for certificate ' . (string)$this->config->name . ' (not issued or revoked)');
+            return false;
+        }
+
+        // Reload to get most recent config
+        Config::getInstance()->forceReload();
+        $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+
+        // Check if certificate files can be found
+        clearstatcache(); // don't let the cache fool us
+        foreach (array($this->cert_file, $this->cert_key_file, $this->cert_chain_file, $this->cert_fullchain_file) as $file) {
+            if (!is_file($file)) {
+                LeUtils::log_error("unable to import certificate " . $this->config->name . ", file not found: ${file}");
+                Config::getInstance()->unlock();
+                return false;
+            }
+        }
+
+        /**
+         * Step 1: import CA
+         */
+
+        // Read contents from CA file
+        $ca_content = @file_get_contents($this->cert_chain_file);
+        if ($ca_content != false) {
+            $ca_subject = cert_get_subject($ca_content, false);
+            $ca_serial  = cert_get_serial($ca_content, false);
+            $ca_cn      = LeUtils::local_cert_get_cn($ca_content, false);
+            $ca_issuer  = cert_get_issuer($ca_content, false);
+            $ca_purpose = cert_get_purpose($ca_content, false);
+        } else {
+            LeUtils::log_error('unable to read CA certificate content from file');
+            Config::getInstance()->unlock();
+            return false;
+        }
+
+        // Prepare CA for import in Cert Manager
+        $ca = array();
+        $ca['crt'] = base64_encode($ca_content);
+        $ca['refid'] = uniqid();
+        $ca_found = false;
+
+        // Check if CA was previously imported
+        foreach (Config::getInstance()->object()->ca as $cacrt) {
+            $cacrt_subject = cert_get_subject($cacrt->crt, true);
+            $cacrt_issuer = cert_get_issuer($cacrt->crt, true);
+            if (($ca_subject == $cacrt_subject) and ($ca_issuer == $cacrt_issuer)) {
+                // Use old refid instead of generating a new one
+                $ca['refid'] = (string)$cacrt->refid;
+                $ca_found = true;
+                break;
+            }
+        }
+
+        // Collect required CA information
+        $ca_cn = LeUtils::local_cert_get_cn($ca_content, false);
+        $ca['descr'] = (string)$ca_cn . ' (Let\'s Encrypt)';
+
+        // Prepare CA for import
+        LeUtils::local_ca_import($ca, $ca_content);
+
+        // Check if CA was found in config
+        if ($ca_found == true) {
+            // Update existing CA
+            foreach (Config::getInstance()->object()->ca as $cacrt) {
+                if ((string)$cacrt->refid == $ca['refid']) {
+                    $cacrt->crt = $ca['crt'];
+                    $cacrt->descr = $ca['descr'];
+                    break;
+                }
+            }
+        } else {
+            // Create new CA
+            LeUtils::log("importing Let's Encrypt CA: ${ca_cn}");
+            $newca = Config::getInstance()->object()->addChild('ca');
+            foreach (array_keys($ca) as $cacfg) {
+                $newca->addChild($cacfg, (string)$ca[$cacfg]);
+            }
+        }
+
+        /**
+         * Step 2: import certificate
+         */
+
+        // Read contents from certificate file
+        $cert_content = @file_get_contents($this->cert_file);
+        if ($cert_content != false) {
+            $cert_subject = cert_get_subject($cert_content, false);
+            $cert_serial  = cert_get_serial($cert_content, false);
+            $cert_cn      = LeUtils::local_cert_get_cn($cert_content, false);
+            $cert_issuer  = cert_get_issuer($cert_content, false);
+            $cert_purpose = cert_get_purpose($cert_content, false);
+        } else {
+            LeUtils::log_error('unable to read certificate content from file');
+            Config::getInstance()->unlock();
+            $this->setStatus(500);
+            return false;
+        }
+
+        // Prepare certificate for import in Cert Manager
+        $cert = array();
+        $cert_refid = uniqid();
+        $cert['refid'] = $cert_refid;
+        $cert['caref'] = (string)$ca['refid'];
+        $import_log_message = 'imported';
+        $cert_found = false;
+
+        // Check if cert was previously imported
+        if (!empty((string)$this->config->certRefId)) {
+            // Check if the previously imported certificate can still be found
+            foreach (Config::getInstance()->object()->ca as $cfgCert) {
+                // Check if IDs match
+                if ((string)$this->config->certRefId == (string)$cfgCert->refid) {
+                    $cert_found = true;
+                    break;
+                }
+            }
+            // Existing cert?
+            if ($cert_found) {
+                // Use old refid instead of generating a new one
+                $cert_refid = (string)$this->config->certRefId;
+                $import_log_message = 'updated';
+            }
+        } else {
+            // Not found. Just import as new cert.
+        }
+
+        // Read private key
+        $key_content = @file_get_contents($this->cert_key_file);
+        if ($key_content == false) {
+            LeUtils::log_error('unable to read private key from file: ' . $this->cert_key_file);
+            Config::getInstance()->unlock();
+            $this->setStatus(500);
+            return false;
+        }
+
+        // Collect required cert information
+        $cert_cn = LeUtils::local_cert_get_cn($cert_content, false);
+        $cert['descr'] = (string)$cert_cn . ' (Let\'s Encrypt)';
+        $cert['refid'] = $cert_refid;
+
+        // Prepare certificate for import
+        cert_import($cert, $cert_content, $key_content);
+
+        // Check if cert was found in config
+        if ($cert_found == true) {
+            // Update existing cert
+            foreach (Config::getInstance()->object()->cert as $cfgCert) {
+                if ((string)$cfgCert->refid == $cert['refid']) {
+                    $cfgCert->crt = $cert['crt'];
+                    $cfgCert->prv = $cert['prv'];
+                    $cfgCert->descr = $cert['descr'];
+                    break;
+                }
+            }
+        } else {
+            // Create new cert
+            $newcert = Config::getInstance()->object()->addChild('cert');
+            foreach (array_keys($cert) as $certcfg) {
+                $newcert->addChild($certcfg, (string)$cert[$certcfg]);
+            }
+        }
+        LeUtils::log("${import_log_message} Let's Encrypt X.509 certificate: ${cert_cn}");
+
+        /**
+         * Step 3: update configuration
+         */
+
+        // Add refid to certObj
+        $this->config->certRefId = $cert_refid;
+        // Set update/create time
+        $this->config->lastUpdate = time();
+
+        // Serialize to config and save
+        $this->model->serializeToConfig();
+        Config::getInstance()->save();
+
+        // Reload to get most recent config
+        Config::getInstance()->forceReload();
+        $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+
+        return true;
+    }
+
+    /**
+     * check if certificate is already issued by Let's Encrypt
+     * @return bool
+     */
+    public function isIssued()
+    {
+        return (string)$this->config->statusCode == 200 ? true : false;
+    }
+
+    /**
+     * issue or renew the certificate
+     * @return bool
+     */
+    public function issue()
+    {
+        if (!($this->isEnabled())) {
+            LeUtils::log('ignoring disabled certificate: ' . (string)$this->config->name);
+            return false;
+        }
+
+        // Issue or renew?
+        if (!empty((string)$this->config->lastUpdate) and !($this->force)) {
+            $acme_action = "renew";
+            $renew = true;
+        } else {
+            // Default: Issue a new certificate.
+            // If "force" is specified, forcefully re-issue the cert, no matter if it's required.
+            // NOTE: This is useful when switching from acme staging to production servers.
+            $acme_action = "issue";
+            $renew = false;
+        }
+
+        // Decide whether or not to continue.
+        if (!($this->needsRenewal()) and !($this->force)) {
+            // Renewal not required. Do nothing.
+            LeUtils::log("issue/renewal not required for certificate: " . (string)$this->config->name);
+            return false;
+        }
+        LeUtils::log("${acme_action} certificate: " . (string)$this->config->name);
+
+        // Ensure that account is registered.
+        if (!($this->setAccount())) {
+            return false;
+        }
+
+        // Setup ACME environment for this certificate.
+        $certdir = (string)sprintf(self::ACME_CERT_DIR, (string)$this->config->id);
+        $keydir = (string)sprintf(self::ACME_KEY_DIR, (string)$this->config->id);
+        $configdir = (string)sprintf(self::ACME_CONFIG_DIR, (string)$this->config->id);
+        foreach (array($certdir, $keydir, $configdir) as $dir) {
+            if (!is_dir($dir)) {
+                LeUtils::log_debug("creating directory: ${dir}", $this->debug);
+                mkdir($dir, 0700, true);
+            }
+        }
+
+        // Perform preparation tasks
+        if (!($this->setValidation())) {
+            $this->setStatus(300);
+            return false; // validation method is invalid
+        }
+
+        // Let's start certificate validation...
+        if ($this->validation->run($renew)) {
+            LeUtils::log('successfully issued/renewed certificate: ' . (string)$this->config->name);
+        } else {
+            LeUtils::log_error('validation for certificate failed: ' . (string)$this->config->name);
+            $this->setStatus(400);
+            return false;
+        }
+
+        // Import certificate.
+        if (!($this->import(true))) {
+            LeUtils::log_error('failed to import certificate: ' . (string)$this->config->name);
+            $this->setStatus(500);
+            return false;
+        }
+
+        // Run referenced automations.
+        $this->runAutomations();
+
+        // Update cert status.
+        $this->setStatus(200);
+
+        return true;
+    }
+
+    /**
+     * calculate next renewal date for this certificate
+     * @return bool
+     */
+    public function needsRenewal()
+    {
+        $return = false;
+
+        // Collect required information
+        $last_update = !empty((string)$this->config->lastUpdate) ? (string)$this->config->lastUpdate : 0;
+        $current_time = new \DateTime();
+        $last_update_time = new \DateTime();
+        $last_update_time->setTimestamp($last_update);
+        $renew_interval = (string)$this->config->renewInterval;
+        $next_update = $last_update_time->add(new \DateInterval('P' . $renew_interval . 'D'));
+
+        // Do the math
+        if ($current_time >= $next_update) {
+            LeUtils::log('certificate must be issued/renewed: ' . (string)$this->config->name);
+            $return = true;
+        }
+
+        return $return;
+    }
+
+    /**
+     * completely remove the certificate and all related configuration from filesystem
+     * @return bool
+     */
+    public function remove()
+    {
+        // NOTE:
+        // Removal is allowed even if the cert is disabled.
+
+        // Cannot remove if certificate was not issued yet.
+        if (empty((string)$this->config->lastUpdate)) {
+            LeUtils::log('ignoring removal request for certificate ' . (string)$this->config->name . ' (not issued yet)');
+            return false;
+        }
+        LeUtils::log('wiping certificate config: ' . (string)$this->config->name);
+
+        // Preparation to run acme client
+        $proc_env = $this->acme_env; // env variables for proc_open()
+        $proc_env['PATH'] = $this::ACME_ENV_PATH;
+        $proc_desc = array(  // descriptor array for proc_open()
+            0 => array("pipe", "r"), // stdin
+            1 => array("pipe", "w"), // stdout
+            2 => array("pipe", "w")  // stderr
+        );
+        $proc_pipes = array();
+
+        // Run acme client to remove certificate and related config
+        $acmecmd = '/usr/local/sbin/acme.sh '
+          . '--remove '
+          . implode(' ', $this->acme_args) . ' '
+          . '--domain ' . (string)$this->config->name;
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+        $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
+
+        // Make sure the resource could be setup properly
+        if (is_resource($proc)) {
+            // Close all pipes
+            fclose($proc_pipes[0]);
+            fclose($proc_pipes[1]);
+            fclose($proc_pipes[2]);
+            // Get exit code
+            $result = proc_close($proc);
+        } else {
+            LeUtils::log_error('unable to start acme client process');
+            return false;
+        }
+
+        // Check exit code
+        if ($result) {
+            LeUtils::log_error('error removing certificate ' . (string)$this->config->name);
+            return false;
+        }
+
+        // Remove all certificate files (just to be sure)
+        // NOTE: This also resets the cert status.
+        $this->reset();
+
+        return true;
+    }
+
+    /**
+     * reset the certificate by removing only it's private key and the signed certificate
+     * @return bool
+     */
+    public function reset()
+    {
+        // NOTE: Reset is allowed even if the cert is disabled.
+        LeUtils::log('removing certificate files: ' . (string)$this->config->name);
+        $cert_files = [
+            $this->cert_file,
+            $this->cert_key_file,
+            $this->cert_chain_file,
+            $this->cert_fullchain_file,
+        ];
+        foreach ($cert_files as $_file) {
+            if (file_exists($_file)) {
+                unlink($_file);
+            }
+        }
+
+        // Reset cert status
+        $this->setStatus(100);
+        return true;
+    }
+
+    /**
+     * revoke the certificate
+     * @return bool
+     */
+    public function revoke()
+    {
+        // NOTE: Revocation is allowed even if the cert is disabled.
+
+        // Revocation will fail if additional domain names were added
+        // to the certificate after issue/renewal.
+
+        // Cannot revoke if certificate was not issued yet.
+        if (!($this->isIssued())) {
+            LeUtils::log('ignoring revocation request for certificate ' . (string)$this->config->name . ' (not issued yet)');
+            return false;
+        }
+        LeUtils::log('revoking certificate: ' . (string)$this->config->name);
+
+        // Collect account information
+        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . $this->account_id . '_' . $this->environment;
+        $account_conf_file = $account_conf_dir . '/account.conf';
+
+        // Preparation to run acme client
+        $proc_env = $this->acme_env; // env variables for proc_open()
+        $proc_env['PATH'] = $this::ACME_ENV_PATH;
+        $proc_desc = array(  // descriptor array for proc_open()
+            0 => array("pipe", "r"), // stdin
+            1 => array("pipe", "w"), // stdout
+            2 => array("pipe", "w")  // stderr
+        );
+        $proc_pipes = array();
+
+        // Run acme client to revoke certificate
+        $acmecmd = '/usr/local/sbin/acme.sh '
+          . '--revoke '
+          . implode(' ', $this->acme_args) . ' '
+          . '--domain ' . (string)$this->config->name . ' '
+          . "--accountconf ${account_conf_file}";
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+        $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
+
+        // Make sure the resource could be setup properly
+        if (is_resource($proc)) {
+            // Close all pipes
+            fclose($proc_pipes[0]);
+            fclose($proc_pipes[1]);
+            fclose($proc_pipes[2]);
+            // Get exit code
+            $result = proc_close($proc);
+        } else {
+            LeUtils::log_error('unable to start acme client process');
+            return false;
+        }
+
+        // Check exit code
+        if ($result) {
+            LeUtils::log_error('failed to revoke certificate ' . (string)$this->config->name);
+            $this->setStatus(400);
+            return false;
+        }
+        LeUtils::log('successfully revoked certificate: ' . (string)$this->config->name);
+
+        // Reset cert status
+        $this->setStatus(250);
+        return true;
+    }
+
+    /**
+     * run all automations for this certificate
+     * @return bool
+     */
+    public function runAutomations()
+    {
+        if (!($this->isEnabled())) {
+            LeUtils::log('ignoring disabled certificate: ' . (string)$this->config->name);
+            return false;
+        }
+
+        // Check if any automations are configured for this cert
+        if (empty((string)$this->config->restartActions)) {
+            return true; // no automations, no error
+        }
+
+        // Walk through all linked automations.
+        LeUtils::log('running automations for certificate: ' . (string)$this->config->name);
+        $automations = explode(',', (string)$this->config->restartActions);
+        foreach ($automations as $auto_uuid) {
+            $autoFactory = new LeAutomationFactory();
+            $automation = $autoFactory->getAutomation($auto_uuid);
+            $automation->init($this->getId(), (string)$this->config->account);
+            // Ignore invalid automations.
+            if ($automation->prepare()) {
+                $automation->run();
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * configure and register the referenced account
+     * @return bool
+     */
+    public function setAccount()
+    {
+        // Ensure that account is registered.
+        $account = new LeAccount((string)$this->config->account);
+        if (empty($account)) {
+            $this->setStatus(300); // update cert status
+            return false; // account invalid or it was deleted
+        } elseif (!($account->isRegistered())) {
+            $account->generateKey();
+            if (!($account->register())) {
+                $this->setStatus(400); // update cert status
+                return false; // account registration failed
+            }
+            // Refresh config objects, account may have modified the configuration.
+            Config::getInstance()->forceReload();
+            $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+        }
+        LeUtils::log('account is registered: ' . (string)$account->config->name);
+        return true;
+    }
+
+    /**
+     * configure the validation method
+     * @return bool
+     */
+    public function setValidation()
+    {
+        if (empty((string)$this->validation)) {
+            // Setup new validation object
+            $valFactory = new LeValidationFactory();
+            $val = $valFactory->getValidation((string)$this->config->validationMethod);
+            if (!isset($val) or empty($val)) {
+                LeUtils::log_error('invalid challenge type for certificate: ' . (string)$this->config->name);
+                return false;
+            }
+            if (!$val->init((string)$this->config->id, (string)$this->config->account)) {
+                LeUtils::log_error('failed to initialize validation for certificate: ' . (string)$this->config->name);
+                return false;
+            }
+
+            // Configure validation object
+            $val->setNames($this->config->name, $this->config->altNames);
+            $val->setRenewal((int)$this->config->renewInterval);
+            $val->setForce($this->force);
+            // strip prefix from key value
+            $val->setKey(substr($this->config->keyLength, 4));
+            $val->prepare();
+
+            // Store validation object
+            $this->validation = $val;
+        }
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
new file mode 100644
index 0000000000..3ae1da0218
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -0,0 +1,214 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient;
+
+use OPNsense\Core\Config;
+use OPNsense\AcmeClient\LeUtils;
+
+/**
+ * Common constants and functions for all Let's Encrypt classes
+ * @package OPNsense\AcmeClient
+ */
+abstract class LeCommon
+{
+    // Static acme.sh directories and files
+    public const ACME_BASE_ACCOUNT_DIR = '/var/etc/acme-client/accounts';
+    public const ACME_BASE_CERT_DIR = '/var/etc/acme-client/certs';
+    public const ACME_BASE_CONFIG_DIR = '/var/etc/acme-client/configs';
+    public const ACME_HOME_DIR = '/var/etc/acme-client/home';
+    public const ACME_LOG_FILE = '/var/log/acme.sh.log';
+
+    // Defaults for acme.sh
+    public const ACME_ACCOUNT_KEY_LENGTH = 4096;
+    public const ACME_ENV_PATH = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin';
+
+    // Filenames for certs, configs, ...
+    public const ACME_CERT_DIR = '/var/etc/acme-client/certs/%s/';
+    public const ACME_CERT_FILE = '/var/etc/acme-client/certs/%s/cert.pem';
+    public const ACME_CHAIN_FILE = '/var/etc/acme-client/certs/%s/chain.pem';
+    public const ACME_CONFIG_DIR = '/var/etc/acme-client/configs/%s/';
+    public const ACME_FULLCHAIN_FILE = '/var/etc/acme-client/certs/%s/fullchain.pem';
+    public const ACME_KEY_DIR = '/var/etc/acme-client/keys/%s/';
+    public const ACME_KEY_FILE = '/var/etc/acme-client/keys/%s/private.key';
+
+    // Runtime parameters for acme.sh
+    protected $acme_args = array(); # command line arguments to be passed to acme.sh
+    protected $acme_env = array();  # environment variables to be used when running acme.sh
+    protected $acme_keylength;      # private key length in acme.sh compatible format
+
+    // Certificate details and configuration
+    protected $cert_id;             # AcmeClient certificate object ID
+    protected $cert_name;           # certificate name
+    protected $cert_altnames;       # certificate altNames
+    protected $cert_aliasmode;      # AcmeClient certificate object aliasmode
+    protected $cert_domainalias;    # AcmeClient certificate object domain alias
+    protected $cert_challengealias; # AcmeClient certificate object challenge alias
+    protected $cert_keylength;      # Private key length
+
+    // Account details
+    protected $account_id;          # AcmeClient account object ID
+    protected $account_uuid;        # AcmeClient account object UUID
+
+    // Automation details and configuration
+    protected $command;             # configd command to run
+    protected $command_args;        # optional args for configdRun()
+
+    // Basic object information
+    protected $config;              # AcmeClient config object
+    protected $debug;               # Debug logging (bool)
+    protected $environment;         # Let's Encrypt environment (uses shortnames)
+    protected $force;               # Force operation
+    protected $model;               # AcmeClient model object
+    protected $uuid;                # AcmeClient config object uuid
+    protected $validation;          # LeValidation object
+
+    /**
+     * get ID from auxiliary configuration object
+     * @return string
+     */
+    public function getId()
+    {
+        return (string)$this->config->id;
+    }
+
+    /**
+     * get UUID from auxiliary configuration object
+     * @return string
+     */
+    public function getUuid()
+    {
+        return (string)$this->config->uuid;
+    }
+
+    /**
+     * load config object from configuration
+     * @return bool
+     */
+    public function loadConfig(string $path, string $uuid)
+    {
+        // Get config object
+        $model = new \OPNsense\AcmeClient\AcmeClient();
+        $obj = $model->getNodeByReference("${path}.${uuid}");
+        if ($obj == null) {
+            LeUtils::log_error("config of type ${path} not found: ${uuid}");
+            return false;
+        }
+        // Store config objects
+        $this->config = $obj;
+        $this->model = $model;
+        return true;
+    }
+
+    /**
+     * check if object is enabled in configuration
+     * @return bool
+     */
+    public function isEnabled()
+    {
+        return (string)$this->config->enabled == 1 ? true : false;
+    }
+
+    /**
+     * set Let's Encrypt environment for acme.sh
+     */
+    public function setEnvironment()
+    {
+        $this->environment = (string)$this->model->getNodeByReference('settings.environment');
+        $this->acme_args[] = $this->environment == 'stg' ? '--staging' : null;
+    }
+
+    /**
+     * set log level for acme.sh and configure optional debug logging
+     */
+    public function setLoglevel()
+    {
+        $loglevel = (string)$this->model->getNodeByReference('settings.logLevel');
+
+        switch ($loglevel) {
+            case 'extended':
+                $this->acme_args[] = '--log-level 2';
+                $this->debug = false;
+                break;
+            case 'debug':
+                $this->acme_args[] = '--debug';
+                $this->debug = true;
+                break;
+            case 'debug2':
+                $this->acme_args[] = '--debug 2';
+                $this->debug = true;
+                break;
+            case 'debug3':
+                $this->acme_args[] = '--debug 3';
+                $this->debug = true;
+                break;
+            default:
+                $this->acme_args[] = '--log-level 1';
+                $this->debug = false;
+                break;
+        }
+    }
+
+    /**
+     * update status information to reflect the result of the last operation
+     * Supported status codes are:
+     *   100     pending
+     *   200     cert issued / acct registered
+     *   250     cert revoked / acct deactivated
+     *   300     configuration error
+     *   400     issue/renew/registration failed
+     *   500     internal error (code issues, bad luck, unexpected errors, ...)
+     * Feel free to add more status codes to support new use-cases.
+     * @return bool
+     */
+    public function setStatus(int $statusCode)
+    {
+        // Update attributes.
+        $this->config->statusCode = $statusCode;
+        $this->config->statusLastUpdate = time();
+
+        // Serialize to config and save
+        Config::getInstance()->unlock();
+        $this->model->serializeToConfig();
+        Config::getInstance()->save();
+
+        // Reload to get most recent config
+        Config::getInstance()->forceReload();
+        $this->loadConfig($this::CONFIG_PATH, $this->uuid);
+
+        return true;
+    }
+
+    /**
+     * set UUID of auxiliary configuration object
+     */
+    public function setUuid(string $uuid)
+    {
+        $this->uuid = $uuid;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
new file mode 100644
index 0000000000..dd5ce0ff39
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -0,0 +1,189 @@
+<?php
+
+/*
+ * Copyright (C) 2017-2020 Frank Wall (derived from certhelper.php)
+ * Copyright (C) 2015 Deciso B.V.
+ * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
+ * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient;
+
+use OPNsense\Core\Config;
+
+/**
+ * Helper functions for LeAcme
+ * @package OPNsense\AcmeClient
+ */
+class LeUtils
+{
+    public static function base64url_decode($str)
+    {
+        return base64_decode(str_pad(strtr($str, '-_', '+/'), strlen($str) % 4, '=', STR_PAD_RIGHT));
+    }
+
+    public static function base64url_encode($str)
+    {
+        return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
+    }
+
+    // Copied from system_camanager.php.
+    public static function local_ca_import(&$ca, $str, $key = "", $serial = 0)
+    {
+        // Get config object.
+        $config = Config::getInstance()->object();
+
+        $ca['crt'] = base64_encode($str);
+        if (!empty($key)) {
+            $ca['prv'] = base64_encode($key);
+        }
+        if (!empty($serial)) {
+            $ca['serial'] = $serial;
+        }
+        $subject = cert_get_subject($str, false);
+        $issuer = cert_get_issuer($str, false);
+
+        // Find my issuer unless self-signed
+        if ($issuer != $subject) {
+            $issuer_crt =& lookup_ca_by_subject($issuer);
+            if ($issuer_crt) {
+                $ca['caref'] = $issuer_crt['refid'];
+            }
+        }
+
+        /* Correct if child certificate was loaded first */
+        if (is_array($config['ca'])) {
+            foreach ($config['ca'] as & $oca) {
+                $issuer = cert_get_issuer($oca['crt']);
+                if ($ca['refid'] != $oca['refid'] && $issuer == $subject) {
+                    $oca['caref'] = $ca['refid'];
+                }
+            }
+        }
+        if (is_array($config['cert'])) {
+            foreach ($config['cert'] as & $cert) {
+                $issuer = cert_get_issuer($cert['crt']);
+                if ($issuer == $subject) {
+                    $cert['caref'] = $ca['refid'];
+                }
+            }
+        }
+        return true;
+    }
+
+    // copied from certs.inc
+    public static function local_cert_get_cn($crt, $decode = true)
+    {
+        $sub = self::local_cert_get_subject_array($crt, $decode);
+        if (is_array($sub)) {
+            foreach ($sub as $s) {
+                if (strtoupper($s['a']) == "CN") {
+                    return $s['v'];
+                }
+            }
+        }
+        return "";
+    }
+
+    // copied from certs.inc
+    public static function local_cert_get_subject_array($str_crt, $decode = true)
+    {
+        if ($decode) {
+            $str_crt = base64_decode($str_crt);
+        }
+        $inf_crt = openssl_x509_parse($str_crt);
+        $components = $inf_crt['subject'];
+
+        if (!is_array($components)) {
+            return;
+        }
+
+        $subject_array = array();
+
+        foreach ($components as $a => $v) {
+            $subject_array[] = array('a' => $a, 'v' => $v);
+        }
+
+        return $subject_array;
+    }
+
+    /**
+     * log runtime information
+     */
+    public static function log($msg)
+    {
+        syslog(LOG_NOTICE, "AcmeClient: ${msg}");
+    }
+
+    /**
+     * log additional debug output
+     */
+    public static function log_debug($msg, bool $debug = false)
+    {
+        if ($debug) {
+            syslog(LOG_NOTICE, "AcmeClient: ${msg}");
+        }
+    }
+
+    /**
+     * log error messages
+     */
+    public static function log_error($msg)
+    {
+        syslog(LOG_ERR, "AcmeClient: ${msg}");
+    }
+
+    /**
+     * run arbitrary shell commands and log the result
+     * @param $proc_cmd string the command that should be run
+     * @param $proc_env array optional environment variables that should be used
+     * @return bool
+     */
+    public static function run_shell_command($proc_cmd, $proc_env = array())
+    {
+        $proc_desc = array(  // descriptor array for proc_open()
+            0 => array("pipe", "r"), // stdin
+            1 => array("pipe", "w"), // stdout
+            2 => array("pipe", "w")  // stderr
+        );
+        $proc_pipes = array();
+        $proc = proc_open($proc_cmd, $proc_desc, $proc_pipes, null, $proc_env);
+
+        // Make sure the resource could be setup properly
+        if (is_resource($proc)) {
+            // Close all pipes
+            fclose($proc_pipes[0]);
+            fclose($proc_pipes[1]);
+            fclose($proc_pipes[2]);
+            // Get exit code
+            $result = proc_close($proc);
+            log_error(sprintf("AcmeClient: The shell command '%s' returned exit code '%d'", $proc_cmd, $result));
+            return($result);
+        } else {
+            log_error(sprintf("AcmeClient: Unable to prepare shell command '%s'", $proc_cmd));
+            return false;
+        }
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
new file mode 100644
index 0000000000..d47d5e73cd
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -0,0 +1,298 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall (derived from OPNsense\Backup)
+ * Copyright (C) 2018 Deciso B.V.
+ * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\Core\Config;
+use OPNsense\AcmeClient\LeAccount;
+use OPNsense\AcmeClient\LeUtils;
+
+/**
+ * LeValidation stub file, contains shared logic for all validation methods.
+ * @package OPNsense\AcmeClient
+ */
+abstract class Base extends \OPNsense\AcmeClient\LeCommon
+{
+    public const CONFIG_PATH = 'validations.validation';
+
+    /**
+     * The validation method cannot be properly initialized without the required
+     * configuration. LeValidation returns a more or less uninitialized object
+     * that first needs to be configured, and finally initialized by this function.
+     * @param $certid string the ID of the certificate object
+     * @param $accountuuid string the UUID of the account object
+     * @return bool
+     */
+    public function init(string $certid, string $accountuuid)
+    {
+        // Get config object
+        $this->loadConfig(self::CONFIG_PATH, $this->uuid);
+
+        // Get account object to query ID
+        $account = new LeAccount($accountuuid);
+        if (empty($account) || $account == null) {
+            LeUtils::log_error("unable to load account information: ${accountuuid}");
+            return false;
+        }
+
+        // Store auxiliary information (required to glue stuff together)
+        $this->cert_id = $certid;
+        $this->account_id = (string)$account->getId();
+        $this->account_uuid = (string)$account->getUuid();
+
+        // Teach acme.sh about DNS API hook location
+        $this->acme_env['_SCRIPT_HOME'] = '/usr/local/share/examples/acme.sh';
+
+        // Set log level
+        $this->setLoglevel();
+
+        // Set Let's Encrypt environment
+        $this->setEnvironment();
+
+        // Store acme hook
+        switch ((string)$this->config->method) {
+            case 'dns01':
+                $this->acme_args[] = '--dns ' . (string)$this->config->dns_service;
+                $this->acme_args[] = '--dnssleep ' . (string)$this->config->dns_sleep;
+                break;
+            case 'http01':
+                $this->acme_args[] = '--webroot /var/etc/acme-client/challenges';
+                break;
+        }
+
+        // Store acme filenames
+        $this->acme_args[] = '--home ' . self::ACME_HOME_DIR;
+        $this->acme_args[] = '--certpath ' . sprintf(self::ACME_CERT_FILE, $this->cert_id);
+        $this->acme_args[] = '--keypath ' . sprintf(self::ACME_KEY_FILE, $this->cert_id);
+        $this->acme_args[] = '--capath ' . sprintf(self::ACME_CHAIN_FILE, $this->cert_id);
+        $this->acme_args[] = '--fullchainpath ' . sprintf(self::ACME_FULLCHAIN_FILE, $this->cert_id);
+
+        return true;
+    }
+
+    /**
+     * cleanup tasks that should run after performing the certificate validation
+     * @return bool
+     */
+    public function cleanup()
+    {
+        // Dummy; no default cleanup tasks.
+        return true;
+    }
+
+    /**
+     * get the configured validation method (HTTP-01 or DNS-01)
+     * @return string validation method
+     */
+    public function getMethod()
+    {
+        return $this->config->method;
+    }
+
+    /**
+     * perform preparation tasks and run acme client
+     * @param $renew optional parameter to specify if a renewal is required
+     * @return bool
+     */
+    public function run(bool $renew = false)
+    {
+        if (!($this->isEnabled())) {
+            LeUtils::log('ignoring disabled challenge type: ' . (string)$this->config->name);
+            return false;
+        }
+
+        LeUtils::log('using challenge type: ' . (string)$this->config->name);
+
+        // Issue or renew
+        $acme_action = $renew == true ? 'renew' : 'issue';
+
+        // Handle special key types
+        if ($this->cert_keylength == 'ec256' || $this->cert_keylength == 'ec384') {
+            if ($renew == true) {
+                // If it's a renew then pass --ecc to acme client to locate the correct cert directory
+                $acme_args[] = '--ecc';
+            }
+        }
+
+        // Use individual account config for each environment
+        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . $this->account_id . '_' . $this->environment;
+        $account_conf_file = $account_conf_dir . '/account.conf';
+
+        // Preparation to run acme client
+        $proc_env = $this->acme_env; // env variables for proc_open()
+        $proc_env['PATH'] = $this::ACME_ENV_PATH;
+        $proc_desc = array(  // descriptor array for proc_open()
+            0 => array("pipe", "r"), // stdin
+            1 => array("pipe", "w"), // stdout
+            2 => array("pipe", "w")  // stderr
+        );
+        $proc_pipes = array();
+
+        // Run acme client
+        // NOTE: We "export" certificates to our own directory, so we don't have to deal
+        // with domain names in filesystem, but instead can use the ID of our certObj, which
+        // will never change.
+        $acmecmd = '/usr/local/sbin/acme.sh '
+          . "--${acme_action} "
+          . implode(' ', $this->acme_args) . ' '
+          . "--accountconf ${account_conf_file}";
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+        $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
+
+        // Make sure the resource could be setup properly
+        if (is_resource($proc)) {
+            // Close all pipes
+            fclose($proc_pipes[0]);
+            fclose($proc_pipes[1]);
+            fclose($proc_pipes[2]);
+            // Get exit code
+            $result = proc_close($proc);
+        } else {
+            LeUtils::log_error('unable to start acme client process');
+            return false;
+        }
+
+        // Run optional cleanup tasks.
+        $this->cleanup();
+
+        // Check validation result
+        if ($result) {
+            LeUtils::log_error('domain validation failed (' . $this->getMethod() . ')');
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * add config to force certificate renewal
+     * @param $force bool indicate whether force should be enabled or not
+     */
+    public function setForce(bool $force = false)
+    {
+        $this->acme_args[] = $force == true ? '--force' : null;
+    }
+
+    /**
+     * set key length
+     * @param $length key length
+     */
+    public function setKey(string $length = '4096')
+    {
+        if ($length == 'ec256' || $length == 'ec384') {
+            $key_length = substr_replace($length, '-', 2, 0);
+        } else {
+            $key_length = $length;
+        }
+
+        $this->acme_args[] = '--keylength ' . $key_length;
+        $this->cert_keylength = $length;
+    }
+
+    /**
+     * configure certificate common name, altNames and DNS alias mode
+     */
+    public function setNames(string $certname, string $altnames = '', string $aliasmode = '', string $domainalias = '', string $challengealias = '')
+    {
+        // Store basic certificate information
+        $this->cert_name = $certname;
+        $this->cert_altnames = $altnames;
+        $this->cert_aliasmode = $aliasmode;
+        $this->cert_domainalias = $domainalias;
+        $this->cert_challengealias = $challengealias;
+
+        // Main domain for acme
+        $this->acme_args[] = '--domain ' . $certname;
+
+        // Main domain: Use DNS alias mode for domain validation?
+        // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
+        if ($this->getMethod() == 'dns01') {
+            switch ((string)$aliasmode) {
+                case 'automatic':
+                    $name = '_acme-challenge.' . ltrim((string)$this->cert_name, '*.');
+                    if ($dst = dns_get_record($name, DNS_CNAME)) {
+                        $this->acme_args[] = '--domain-alias ' . $dst[0]['target'];
+                    }
+                    break;
+                case 'domain':
+                    $this->acme_args[] = '--domain-alias ' . (string)$this->cert_domainalias;
+                    break;
+                case 'challenge':
+                    $this->acme_args[] = '--challenge-alias ' . (string)$this->cert_challengealias;
+                    break;
+            }
+        }
+
+        // altNames
+        if (!empty((string)$this->cert_altnames)) {
+            foreach (explode(",", (string)$this->cert_altnames) as $altname) {
+                $this->acme_args[] = "--domain ${altname}";
+
+                // altNames: Use DNS alias mode for domain validation?
+                // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
+                if ($this->getMethod() == 'dns01') {
+                    switch ((string)$this->cert_aliasmode) {
+                        case 'automatic':
+                            $name = "_acme-challenge." . ltrim($altname, '*.');
+                            if ($dst = dns_get_record($name, DNS_CNAME)) {
+                                $this->acme_args[] = '--domain-alias ' . $dst[0]['target'];
+                            }
+                            break;
+                        case 'domain':
+                            $this->acme_args[] = '--domain-alias ' . (string)$this->cert_domainalias;
+                            break;
+                        case 'challenge':
+                            $this->acme_args[] = '--challenge-alias ' . (string)$this->cert_challengealias;
+                            break;
+                    }
+                }
+            }
+        }
+    }
+
+    /**
+     * enable OCSP extension
+     * @param $ocsp bool whether ocsp extension should be enabled or not
+     */
+    public function setOcsp(bool $ocsp = false)
+    {
+        // if OCSP extension is turned on pass --ocsp parameter to acme client
+        $this->acme_args[] = $ocsp == true ? '--ocsp' : null;
+    }
+
+    /**
+     * set renewal interval
+     * @param $interval int specifies the renewal interval in days
+     */
+    public function setRenewal(int $interval = 60)
+    {
+        $this->acme_args[] = '--days ' . (string)$interval;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Dns1984hosting.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Dns1984hosting.php
new file mode 100644
index 0000000000..9569797ac6
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Dns1984hosting.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * 1984hosting DNS API
+ * @package OPNsense\AcmeClient
+ */
+class Dns1984hosting extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['One984HOSTING_Username'] = (string)$this->config->dns_1984hosting_user;
+        $this->acme_env['One984HOSTING_Password'] = (string)$this->config->dns_1984hosting_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmedns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmedns.php
new file mode 100644
index 0000000000..4ccefe4e3e
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmedns.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Acme DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsAcmedns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ACMEDNS_USERNAME'] = (string)$this->config->dns_acmedns_user;
+        $this->acme_env['ACMEDNS_PASSWORD'] = (string)$this->config->dns_acmedns_password;
+        $this->acme_env['ACMEDNS_SUBDOMAIN'] = (string)$this->config->dns_acmedns_subdomain;
+        $this->acme_env['ACMEDNS_UPDATE_URL'] = (string)$this->config->dns_acmedns_updateurl;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmeproxy.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmeproxy.php
new file mode 100644
index 0000000000..f2207332ad
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmeproxy.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Acmeproxy API
+ * @package OPNsense\AcmeClient
+ */
+class DnsAcmeproxy extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ACMEPROXY_ENDPOINT'] = (string)$this->config->dns_acmeproxy_endpoint;
+        $this->acme_env['ACMEPROXY_USERNAME'] = (string)$this->config->dns_acmeproxy_username;
+        $this->acme_env['ACMEPROXY_PASSWORD'] = (string)$this->config->dns_acmeproxy_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAd.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAd.php
new file mode 100644
index 0000000000..e468dadf6e
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAd.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * AD DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsAd extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['AD_API_KEY'] = (string)$this->config->dns_ad_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php
new file mode 100644
index 0000000000..357757c6be
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Ali DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsAli extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Ali_Key'] = (string)$this->config->dns_ali_key;
+        $this->acme_env['Ali_Secret'] = (string)$this->config->dns_ali_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsArvan.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsArvan.php
new file mode 100644
index 0000000000..786f2e3953
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsArvan.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Arvan DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsArvan extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Arvan_Token'] = (string)$this->config->dns_arvan_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAutodns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAutodns.php
new file mode 100644
index 0000000000..597d737a30
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAutodns.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * AutoDNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsAutodns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['AUTODNS_USER'] = (string)$this->config->dns_autodns_user;
+        $this->acme_env['AUTODNS_PASSWORD'] = (string)$this->config->dns_autodns_password;
+        $this->acme_env['AUTODNS_CONTEXT'] = (string)$this->config->dns_autodns_context;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAws.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAws.php
new file mode 100644
index 0000000000..c4e96479cc
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAws.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Amazon AWS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsAws extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['AWS_ACCESS_KEY_ID'] = (string)$this->config->dns_aws_id;
+        $this->acme_env['AWS_SECRET_ACCESS_KEY'] = (string)$this->config->dns_aws_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
new file mode 100644
index 0000000000..1b2acc9dcc
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Azure DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsAzure extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['AZUREDNS_SUBSCRIPTIONID'] = (string)$this->config->dns_azuredns_subscriptionid;
+        $this->acme_env['AZUREDNS_TENANTID'] = (string)$this->config->dns_azuredns_tenantid;
+        $this->acme_env['AZUREDNS_APPID'] = (string)$this->config->dns_azuredns_appid;
+        $this->acme_env['AZUREDNS_CLIENTSECRET'] = (string)$this->config->dns_azuredns_clientsecret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php
new file mode 100644
index 0000000000..3f6f735e01
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * CF DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsCf extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        // Global API key (insecure)
+        $this->acme_env['CF_Key'] = (string)$this->config->dns_cf_key;
+        $this->acme_env['CF_Email'] = (string)$this->config->dns_cf_email;
+        // Restricted API token (recommended)
+        $this->acme_env['CF_Token'] = (string)$this->config->dns_cf_token;
+        $this->acme_env['CF_Account_ID'] = (string)$this->config->dns_cf_account_id;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCloudns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCloudns.php
new file mode 100644
index 0000000000..fcd5b66257
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCloudns.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * ClouDNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsCloudns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['CLOUDNS_AUTH_ID'] = (string)$this->config->dns_cloudns_auth_id;
+        $this->acme_env['CLOUDNS_SUB_AUTH_ID'] = (string)$this->config->dns_cloudns_sub_auth_id;
+        $this->acme_env['CLOUDNS_AUTH_PASSWORD'] = (string)$this->config->dns_cloudns_auth_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCn.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCn.php
new file mode 100644
index 0000000000..93706440b9
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCn.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * CN DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsCn extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['CN_User'] = (string)$this->config->dns_cn_user;
+        $this->acme_env['CN_Password'] = (string)$this->config->dns_cn_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCx.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCx.php
new file mode 100644
index 0000000000..c81e7b0c0b
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCx.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * CX DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsCx extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['CX_Key'] = (string)$this->config->dns_cx_key;
+        $this->acme_env['CX_Secret'] = (string)$this->config->dns_cx_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCyon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCyon.php
new file mode 100644
index 0000000000..ed753b90ec
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCyon.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Cyon DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsCyon extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['CY_Username'] = (string)$this->config->dns_cyon_user;
+        $this->acme_env['CY_Password'] = (string)$this->config->dns_cyon_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDa.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDa.php
new file mode 100644
index 0000000000..9f6600c42f
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDa.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DA DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDa extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DA_Api'] = (string)$this->config->dns_da_key;
+        $this->acme_env['DA_Api_Insecure'] = (string)$this->config->dns_da_insecure;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDgon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDgon.php
new file mode 100644
index 0000000000..d8039ccbab
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDgon.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DO DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDgon extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DO_API_KEY'] = (string)$this->config->dns_dgon_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsimple.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsimple.php
new file mode 100644
index 0000000000..e15c23d415
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsimple.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DNSimple API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDnsimple extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DNSimple_OAUTH_TOKEN'] = (string)$this->config->dns_dnsimple_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDo.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDo.php
new file mode 100644
index 0000000000..1afc8521cd
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDo.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DO DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDo extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DO_PID'] = (string)$this->config->dns_do_pid;
+        $this->acme_env['DO_PW'] = (string)$this->config->dns_do_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDoapi.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDoapi.php
new file mode 100644
index 0000000000..9dd29d2eea
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDoapi.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DO API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDoapi extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DO_LETOKEN'] = (string)$this->config->dns_doapi_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDp.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDp.php
new file mode 100644
index 0000000000..c118c2ecfe
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDp.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DP DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDp extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DP_Id'] = (string)$this->config->dns_dp_id;
+        $this->acme_env['DP_Key'] = (string)$this->config->dns_dp_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDreamhost.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDreamhost.php
new file mode 100644
index 0000000000..9fd3e7750d
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDreamhost.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Dreamhost DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDreamhost extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DH_API_KEY'] = (string)$this->config->dns_dh_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDuckdns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDuckdns.php
new file mode 100644
index 0000000000..0bf4c174ba
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDuckdns.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DuckDNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDuckdns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DuckDNS_Token'] = (string)$this->config->dns_duckdns_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDyn.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDyn.php
new file mode 100644
index 0000000000..d11e003d4c
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDyn.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Dyn DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDyn extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DYN_Customer'] = (string)$this->config->dns_dyn_customer;
+        $this->acme_env['DYN_Username'] = (string)$this->config->dns_dyn_user;
+        $this->acme_env['DYN_Password'] = (string)$this->config->dns_dyn_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDynu.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDynu.php
new file mode 100644
index 0000000000..7a24ebe701
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDynu.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Dynu DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDynu extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Dynu_ClientId'] = (string)$this->config->dns_dynu_clientid;
+        $this->acme_env['Dynu_Secret'] = (string)$this->config->dns_dynu_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEuserv.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEuserv.php
new file mode 100644
index 0000000000..3dd2a82d96
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEuserv.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * euserv DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsEuserv extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['EUSERV_Username'] = (string)$this->config->dns_euserv_user;
+        $this->acme_env['EUSERV_Password'] = (string)$this->config->dns_euserv_password;
+        $this->acme_args[] = '--insecure';
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFreedns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFreedns.php
new file mode 100644
index 0000000000..d7e4d5fe29
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFreedns.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * FreeDNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsFreedns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['FREEDNS_User'] = (string)$this->config->dns_freedns_user;
+        $this->acme_env['FREEDNS_Password'] = (string)$this->config->dns_freedns_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php
new file mode 100644
index 0000000000..afebc94825
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Gandi LiveDNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsGandiLivedns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['GANDI_LIVEDNS_KEY'] = (string)$this->config->dns_gandi_livedns_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
new file mode 100644
index 0000000000..045363b7c3
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
@@ -0,0 +1,88 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\AcmeClient\LeUtils;
+use OPNsense\Core\Config;
+
+/**
+ * Google Cloud DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsGcloud extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        // Google Cloud SDK must be installed.
+        if ((string)$this->model->isPluginInstalled('google-cloud-sdk') != '1') {
+            LeUtils::log_error('Google Cloud SDK plugin is NOT installed. Please install os-google-cloud-sdk and try again.');
+            return false;
+        }
+
+        // A valid Google Cloud JSON key is required.
+        if (!empty((string)$this->config->dns_gcloud_key)) {
+            # Extract the gcloud project from the key data.
+            $_gcloud_data = json_decode((string)$this->config->dns_gcloud_key);
+            $gcloud_project = $_gcloud_data->project_id;
+            $gcloud_account = $_gcloud_data->client_email;
+            if (empty($gcloud_project)) {
+                LeUtils::log_error('unable to extract project name from Google Cloud DNS JSON key');
+                return false;
+            } else {
+                LeUtils::log("Google Cloud DNS project name: ${gcloud_project}");
+            }
+        } else {
+            LeUtils::log('no key for Google Cloud DNS was specified');
+            return false;
+        }
+
+        // Preparations to run gcloud CLI.
+        $val_id = (string)$this->config->id;
+        $gcloud_config = "acme-${val_id}";
+        $gcloud_key_file = '/tmp/acme_' . (string)$this->config->dns_service . "_${val_id}.json";
+        file_put_contents($gcloud_key_file, (string)$this->config->dns_gcloud_key);
+        chmod($gcloud_key_file, 0600);
+        $proc_env['CLOUDSDK_PYTHON'] = '/usr/local/bin/python3';
+        $proc_env['CLOUDSDK_ACTIVE_CONFIG_NAME'] = $gcloud_config;
+        $proc_env['CLOUDSDK_CORE_PROJECT'] = $gcloud_project;
+
+        // Ensure that a working gcloud config exists.
+        LeUtils::run_shell_command("/usr/local/bin/gcloud config configurations create ${gcloud_config}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud config configurations activate ${gcloud_config}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud auth activate-service-account --key-file=${gcloud_key_file}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud config set account ${gcloud_account}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud config set project ${gcloud_project}", $proc_env);
+
+        // Save config for acme client.
+        $this->acme_env['CLOUDSDK_PYTHON'] = '/usr/local/bin/python3';
+        $this->acme_env['CLOUDSDK_ACTIVE_CONFIG_NAME'] = $gcloud_config;
+        $this->acme_env['CLOUDSDK_CORE_PROJECT'] = $gcloud_project;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGd.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGd.php
new file mode 100644
index 0000000000..64a5983d78
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGd.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * GD DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsGd extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['GD_Key'] = (string)$this->config->dns_gd_key;
+        $this->acme_env['GD_Secret'] = (string)$this->config->dns_gd_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGdnsdk.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGdnsdk.php
new file mode 100644
index 0000000000..034eb168c9
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGdnsdk.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * GDNSDK API
+ * @package OPNsense\AcmeClient
+ */
+class DnsGdnsdk extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['GDNSDK_Username'] = (string)$this->config->dns_gdnsdk_user;
+        $this->acme_env['GDNSDK_Password'] = (string)$this->config->dns_gdnsdk_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHe.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHe.php
new file mode 100644
index 0000000000..17c17dc5bd
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHe.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * HE DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsHe extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['HE_Username'] = (string)$this->config->dns_he_user;
+        $this->acme_env['HE_Password'] = (string)$this->config->dns_he_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHetzner.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHetzner.php
new file mode 100644
index 0000000000..00f755e2a0
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHetzner.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Hetzner DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsHetzner extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['HETZNER_Token'] = (string)$this->config->dns_hetzner_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHostingde.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHostingde.php
new file mode 100644
index 0000000000..8b8b0f6d08
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHostingde.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * hosting.de DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsHostingde extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['HOSTINGDE_ENDPOINT'] = (string)$this->config->dns_hostingde_server;
+        $this->acme_env['HOSTINGDE_APIKEY'] = (string)$this->config->dns_hostingde_apiKey;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInfoblox.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInfoblox.php
new file mode 100644
index 0000000000..7cef05a447
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInfoblox.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Infoblox DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsInfoblox extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Infoblox_Creds'] = (string)$this->config->dns_infoblox_credentials;
+        $this->acme_env['Infoblox_Server'] = (string)$this->config->dns_infoblox_server;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php
new file mode 100644
index 0000000000..f4e0533fb6
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * INWX DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsInwx extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['INWX_User'] = (string)$this->config->dns_inwx_user;
+        $this->acme_env['INWX_Password'] = (string)$this->config->dns_inws_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIspconfig.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIspconfig.php
new file mode 100644
index 0000000000..ea5d8df203
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIspconfig.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * ISPConfig API
+ * @package OPNsense\AcmeClient
+ */
+class DnsIspconfig extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ISPC_User'] = (string)$this->config->dns_ispconfig_user;
+        $this->acme_env['ISPC_Password'] = (string)$this->config->dns_ispconfig_password;
+        $this->acme_env['ISPC_Api'] = (string)$this->config->dns_ispconfig_api;
+        $this->acme_env['ISPC_Api_Insecure'] = (string)$this->config->dns_ispconfig_insecure;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsJoker.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsJoker.php
new file mode 100644
index 0000000000..da74585fbc
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsJoker.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Joker DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsJoker extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['JOKER_USERNAME'] = (string)$this->config->dns_joker_username;
+        $this->acme_env['JOKER_PASSWORD'] = (string)$this->config->dns_joker_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKinghost.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKinghost.php
new file mode 100644
index 0000000000..d21df40ef7
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKinghost.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Kinghost DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsKinghost extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['KINGHOST_username'] = (string)$this->config->dns_kinghost_username;
+        $this->acme_env['KINGHOST_Password'] = (string)$this->config->dns_kinghost_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKnot.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKnot.php
new file mode 100644
index 0000000000..a58c93ca1c
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKnot.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Knot DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsKnot extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['KNOT_SERVER'] = (string)$this->config->dns_knot_server;
+        $this->acme_env['KNOT_KEY'] = (string)$this->config->dns_knot_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLeaseweb.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLeaseweb.php
new file mode 100644
index 0000000000..967b3190e9
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLeaseweb.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Leaseweb DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsLeaseweb extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['LSW_Key'] = (string)$this->config->dns_leaseweb_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLexicon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLexicon.php
new file mode 100644
index 0000000000..2ffc6d1ec4
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLexicon.php
@@ -0,0 +1,55 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Lexicon DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsLexicon extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $provider = (string)$this->config->dns_lexicon_provider;
+        $env_user = 'LEXICON_' . strtoupper($provider) . '_USERNAME';
+        $env_token = 'LEXICON_' . strtoupper($provider) . '_TOKEN';
+
+        $this->acme_env['PROVIDER'] = $provider;
+        $this->acme_env[$env_user] = (string)$this->config->dns_lexicon_user;
+        $this->acme_env[$env_token] = (string)$this->config->dns_lexicon_token;
+
+        if ((string)$this->config->dns_lexicon_provider == 'namesilo') {
+            // Namesilo applies changes to DNS records only every 15 minutes.
+            $this->acme_args[] = '--dnssleep 960';
+        }
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinode.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinode.php
new file mode 100644
index 0000000000..2b2453b8bd
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinode.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Linode DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsLinode extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['LINODE_API_KEY'] = (string)$this->config->dns_linode_key;
+        // Linode can take up to 15 to update DNS records
+        $this->acme_args[] = '--dnssleep 960';
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinodeV4.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinodeV4.php
new file mode 100644
index 0000000000..c69293a243
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinodeV4.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Linode v4 DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsLinodeV4 extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['LINODE_V4_API_KEY'] = (string)$this->config->dns_linode_v4_key;
+        // Linode can take up to 15 to update DNS records
+        $this->acme_args[] = '--dnssleep 960';
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLoopia.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLoopia.php
new file mode 100644
index 0000000000..2c5affae53
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLoopia.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Loopia DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsLoopia extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['LOOPIA_Api'] = (string)$this->config->dns_loopia_api;
+        $this->acme_env['LOOPIA_User'] = (string)$this->config->dns_loopia_user;
+        $this->acme_env['LOOPIA_Password'] = (string)$this->config->dns_loopia_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLua.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLua.php
new file mode 100644
index 0000000000..70d5419e5e
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLua.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Lua DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsLua extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['LUA_Key'] = (string)$this->config->dns_lua_key;
+        $this->acme_env['LUA_Email'] = (string)$this->config->dns_lua_email;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMe.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMe.php
new file mode 100644
index 0000000000..c177f24a21
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMe.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * ME DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsMe extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ME_Key'] = (string)$this->config->dns_me_key;
+        $this->acme_env['ME_Secret'] = (string)$this->config->dns_me_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMiab.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMiab.php
new file mode 100644
index 0000000000..f75b188fb2
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMiab.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * MIAB DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsMiab extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['MIAB_Username'] = (string)$this->config->dns_miab_user;
+        $this->acme_env['MIAB_Password'] = (string)$this->config->dns_miab_password;
+        $this->acme_env['MIAB_Server'] = (string)$this->config->dns_miab_server;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php
new file mode 100644
index 0000000000..5d252d3e98
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php
@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Namecheap DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsNamecheap extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['NAMECHEAP_USERNAME'] = (string)$this->config->dns_namecheap_user;
+        $this->acme_env['NAMECHEAP_API_KEY'] = (string)$this->config->dns_namecheap_api;
+        if (!empty((string)$this->config->dns_namecheap_sourceip)) {
+            $this->acme_env['NAMECHEAP_SOURCEIP'] = (string)$this->config->dns_namecheap_sourceip;
+        } else {
+            // Use a public service to get our source IP for Namecheap API
+            $this->acme_env['NAMECHEAP_SOURCEIP'] = 'https://ifconfig.co/ip';
+        }
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecom.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecom.php
new file mode 100644
index 0000000000..f011500b70
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecom.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Namecom DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsNamecom extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Namecom_Username'] = (string)$this->config->dns_namecom_user;
+        $this->acme_env['Namecom_Token'] = (string)$this->config->dns_namecom_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php
new file mode 100644
index 0000000000..1cfa7f3267
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Namesilo DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsNamesilo extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Namesilo_Key'] = (string)$this->config->dns_namesilo_key;
+        // Namesilo applies changes to DNS records only every 15 minutes.
+        $this->acme_args[] = '--dnssleep 960';
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNetcup.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNetcup.php
new file mode 100644
index 0000000000..b4afca6cb5
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNetcup.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Netcup DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsNetcup extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['NC_CID'] = (string)$this->config->dns_netcup_cid;
+        $this->acme_env['NC_Apikey'] = (string)$this->config->dns_netcup_key;
+        $this->acme_env['NC_Apipw'] = (string)$this->config->dns_netcup_pw;
+        // netcup applies changes to DNS records only every 10 minutes.
+        $this->acme_args[] = '--dnssleep 600';
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsone.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsone.php
new file mode 100644
index 0000000000..c1df9f7adc
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsone.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * NS1 API
+ * @package OPNsense\AcmeClient
+ */
+class DnsNsone extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['NS1_Key'] = (string)$this->config->dns_nsone_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
new file mode 100644
index 0000000000..5fe117e5e5
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
@@ -0,0 +1,52 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * BIND nsupdate
+ * @package OPNsense\AcmeClient
+ */
+class DnsNsupdate extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_uuid);
+        $secret_key_filename = "${configdir}/secret.key";
+        $secret_key_data = (string)$this->config->dns_nsupdate_key . '\n';
+        file_put_contents($secret_key_filename, $secret_key_data);
+
+        // Add env variables
+        $this->acme_env['NSUPDATE_KEY'] = $secret_key_filename;
+        $this->acme_env['NSUPDATE_SERVER'] = (string)$this->config->dns_nsupdate_server;
+        $this->acme_env['NSUPDATE_ZONE'] = (string)$this->config->dns_nsupdate_zone;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOpnsense.php
new file mode 100644
index 0000000000..fcb33a7026
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOpnsense.php
@@ -0,0 +1,54 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\AcmeClient\LeUtils;
+use OPNsense\Core\Config;
+
+/**
+ * OPNsense BIND DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsOpnsense extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        # BIND plugin must be installed.
+        if ((string)$this->model->isPluginInstalled('bind') != '1') {
+            LeUtils::log_error('BIND plugin is NOT installed. Please install os-bind and try again.');
+            return false;
+        }
+        $this->acme_env['OPNs_Host'] = (string)$this->config->dns_opnsense_host;
+        $this->acme_env['OPNs_Port'] = (string)$this->config->dns_opnsense_port;
+        $this->acme_env['OPNs_Key'] = (string)$this->config->dns_opnsense_key;
+        $this->acme_env['OPNs_Token'] = (string)$this->config->dns_opnsense_token;
+        $this->acme_env['OPNs_Api_Insecure'] = (string)$this->config->dns_opnsense_insecure;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOvh.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOvh.php
new file mode 100644
index 0000000000..8d9896924a
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOvh.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * OVH DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsOvh extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['OVH_AK'] = (string)$this->config->dns_ovh_app_key;
+        $this->acme_env['OVH_AS'] = (string)$this->config->dns_ovh_app_secret;
+        $this->acme_env['OVH_CK'] = (string)$this->config->dns_ovh_consumer_key;
+        $this->acme_env['OVH_END_POINT'] = (string)$this->config->dns_ovh_endpoint;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPdns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPdns.php
new file mode 100644
index 0000000000..7029fed794
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPdns.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * PDNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsPdns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['PDNS_Url'] = (string)$this->config->dns_pdns_url;
+        $this->acme_env['PDNS_ServerId'] = (string)$this->config->dns_pdns_serverid;
+        $this->acme_env['PDNS_Token'] = (string)$this->config->dns_pdns_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPleskxml.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPleskxml.php
new file mode 100644
index 0000000000..5b71dcd534
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPleskxml.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Plesk XML API
+ * @package OPNsense\AcmeClient
+ */
+class DnsPleskxml extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['pleskxml_user'] = (string)$this->config->dns_pleskxml_user;
+        $this->acme_env['pleskxml_pass'] = (string)$this->config->dns_pleskxml_pass;
+        $this->acme_env['pleskxml_uri'] = (string)$this->config->dns_pleskxml_uri;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSchlundtech.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSchlundtech.php
new file mode 100644
index 0000000000..c287c1d60f
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSchlundtech.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Schlundtech DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsSchlundtech extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['SCHLUNDTECH_USER'] = (string)$this->config->dns_schlundtech_user;
+        $this->acme_env['SCHLUNDTECH_PASSWORD'] = (string)$this->config->dns_schlundtech_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
new file mode 100644
index 0000000000..56e3112666
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Selectel DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsSelectel extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['SL_Key'] = (string)$this->config->dns_sl_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsServercow.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsServercow.php
new file mode 100644
index 0000000000..1ab91b2d2e
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsServercow.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Servercow DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsServercow extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['SERVERCOW_API_Username'] = (string)$this->config->dns_servercow_username;
+        $this->acme_env['SERVERCOW_API_Password'] = (string)$this->config->dns_servercow_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsUnoeuro.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsUnoeuro.php
new file mode 100644
index 0000000000..79dd3a0546
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsUnoeuro.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * unoeuro DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsUnoeuro extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['UNO_Key'] = (string)$this->config->dns_uno_key;
+        $this->acme_env['UNO_User'] = (string)$this->config->dns_uno_user;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVariomedia.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVariomedia.php
new file mode 100644
index 0000000000..e519d4a85b
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVariomedia.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Variomedia DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsVariomedia extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['VARIOMEDIA_API_TOKEN'] = (string)$this->config->dns_variomedia_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVscale.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVscale.php
new file mode 100644
index 0000000000..566611aae6
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVscale.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * VSCALE DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsVscale extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['VSCALE_API_KEY'] = (string)$this->config->dns_vscale_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsYandex.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsYandex.php
new file mode 100644
index 0000000000..73891677e5
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsYandex.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Yandex DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsYandex extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['PDD_Token'] = (string)$this->config->dns_yandex_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZilore.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZilore.php
new file mode 100644
index 0000000000..854724c651
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZilore.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Zilore DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsZilore extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Zilore_Key'] = (string)$this->config->dns_zilore_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZonomi.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZonomi.php
new file mode 100644
index 0000000000..ffe93baaa5
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZonomi.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Zonomi DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsZonomi extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ZM_Key'] = (string)$this->config->dns_zm_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
new file mode 100644
index 0000000000..32f6d31385
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -0,0 +1,140 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+require_once("interfaces.inc");
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\AcmeClient\LeUtils;
+use OPNsense\Core\Config;
+
+/**
+ * Use internal OPNsense webserver for HTTP-01 validation
+ * @package OPNsense\AcmeClient
+ */
+class HttpOpnsense extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        // Get configured HTTP port for local lighttpd server.
+        $configObj = Config::getInstance()->object();
+        $local_http_port = $configObj->OPNsense->AcmeClient->settings->challengePort;
+
+        // Collect all IP addresses here, automatic port forward will be applied for each IP
+        $iplist = array();
+
+        // Add IP addresses from auto-discovery feature
+        if ($this->config->http_opn_autodiscovery == 1) {
+            $dnslist = explode(',', $this->cert_altnames);
+            $dnslist[] = $this->cert_name;
+            foreach ($dnslist as $fqdn) {
+                // NOTE: This may take some time.
+                $ip_found = gethostbyname("${fqdn}.");
+                if (!empty($ip_found)) {
+                    $iplist[] = (string)$ip_found;
+                }
+            }
+        }
+
+        // Add IP addresses from user input
+        $additional_ip = (string)$this->config->http_opn_ipaddresses;
+        if (!empty($additional_ip)) {
+            foreach (explode(',', $additional_ip) as $ip) {
+                $iplist[] = $ip;
+            }
+        }
+
+        // Add IP address from chosen interface
+        if (!empty((string)$this->config->http_opn_interface)) {
+            $interface_ip = get_interface_ip((string)$this->config->http_opn_interface);
+            if (!empty($interface_ip)) {
+                $iplist[] = $interface_ip;
+            }
+        }
+
+        // Check if IPv6 support is enabled
+        if (isset($configObj->system->ipv6allow) && ($configObj->system->ipv6allow == '1')) {
+            $_ipv6_enabled = true;
+        } else {
+            $_ipv6_enabled = false;
+        }
+
+        // Generate rules for all IP addresses
+        $anchor_rules = "";
+        if (!empty($iplist)) {
+            $dedup_iplist = array_unique($iplist);
+            // Add one rule for every IP
+            foreach ($dedup_iplist as $ip) {
+                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+                    // IPv4
+                    $_dst = '127.0.0.1';
+                    $_family = 'inet';
+                    LeUtils::log("using IPv4 address: ${ip}");
+                } elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
+                    // IPv6
+                    $_dst = '::1';
+                    $_family = 'inet6';
+                    LeUtils::log("using IPv6 address: ${ip}");
+                } else {
+                    continue; // skip broken entries
+                }
+                $anchor_rules .= "rdr pass ${_family} proto tcp from any to ${ip} port 80 -> ${_dst} port ${local_http_port}\n";
+            }
+        } else {
+            LeUtils::log_error("no IP addresses found to setup port forward");
+            return false;
+        }
+
+        // Abort if no rules were generated
+        if (empty($anchor_rules)) {
+            LeUtils::log_error("unable to setup a port forward (empty ruleset)");
+            return false;
+        }
+
+        // Create temporary port forward to allow acme challenges to get through
+        $anchor_setup = "rdr-anchor \"acme-client\"\n";
+        file_put_contents("${configdir}/acme_anchor_setup", $anchor_setup);
+        chmod("${configdir}/acme_anchor_setup", 0600);
+        mwexec("/sbin/pfctl -f ${configdir}/acme_anchor_setup");
+        file_put_contents("${configdir}/acme_anchor_rules", $anchor_rules);
+        chmod("${configdir}/acme_anchor_rules", 0600);
+        mwexec("/sbin/pfctl -a acme-client -f ${configdir}/acme_anchor_rules");
+    }
+
+    public function cleanup()
+    {
+        // Flush OPNsense port forward rules.
+        mwexec('/sbin/pfctl -a acme-client -F all');
+
+        // Workaround to solve disconnection issues reported by some users.
+        $backend = new \OPNsense\Core\Backend();
+        $response = $backend->configdRun('filter reload');
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
new file mode 100644
index 0000000000..f8113483ef
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
@@ -0,0 +1,90 @@
+<?php
+
+/**
+ * Copyright (C) 2020 Frank Wall (derived from OPNsense/Auth)
+ * Copyright (C) 2018 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient;
+
+use \OPNsense\AcmeClient\AcmeClient;
+
+/**
+* Class LeValidationFactory
+* @package OPNsense\AcmeClient
+*/
+class LeValidationFactory
+{
+    public const CONFIG_PATH = 'validations.validation';
+
+    /**
+     * create a LeValidation object from UUID
+     * @param $uuid string UUID of configuration object
+     * @return LeValidation|null LeValidation object or null if not found
+     */
+    public function getValidation(string $uuid)
+    {
+        // Ensure that the validation method can be found in config.
+        $model = new \OPNsense\AcmeClient\AcmeClient();
+        $obj = $model->getNodeByReference(self::CONFIG_PATH . '.' . $uuid);
+        if ($obj == null) {
+            LeUtils::log_error("challenge type not found: ${uuid}");
+            return null;
+        }
+
+        // Get type of validation to find the required class name.
+        switch ((string)$obj->method) {
+            case 'dns01':
+                $search_name = $obj->dns_service;
+                break;
+            case 'http01':
+                $search_name = "http_" . $obj->http_service;
+                break;
+        }
+
+        // Convert to PascalCase
+        $val_name = str_replace(' ', '', ucwords(str_replace(array('-', '_'), ' ', $search_name)));
+
+        // Search class name
+        foreach (glob(__DIR__ . "/LeValidation/*.php") as $filename) {
+            $srv_found = basename($filename, '.php');
+            try {
+                $reflClass = new \ReflectionClass("OPNsense\\AcmeClient\\LeValidation\\{$srv_found}");
+            } catch (\ReflectionException $e) {
+                break;
+            }
+            if ($reflClass->implementsInterface('OPNsense\\AcmeClient\\LeValidationInterface')) {
+                if ($srv_found == $val_name) {
+                    // Create new object
+                    $objVal = $reflClass->newInstance();
+                    $objVal->setUuid($uuid);
+                    return $objVal;
+                }
+            }
+        }
+        LeUtils::log_error("challenge type not supported: " . (string)$objVal->method . " (${uuid})");
+        return null;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
new file mode 100644
index 0000000000..f5836672e6
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ * Copyright (C) 2020 Frank Wall (derived from OPNsense\Backup)
+ * Copyright (C) 2018 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient;
+
+/**
+ * Interface for Let's Encrypt validation methods
+ * @package OPNsense\Backup
+ */
+interface LeValidationInterface
+{
+    /**
+     * add configuration that is required only for this specific validation method
+     * @return bool
+     */
+    public function prepare();
+
+    /**
+     * cleanup tasks that should run after performing the certificate validation
+     * @return bool
+     */
+    public function cleanup();
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 54a332d71c..2179a1cdd9 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>1.6.2</version>
+    <version>2.0.0</version>
     <description>A secure Let's Encrypt plugin</description>
     <items>
         <settings>
@@ -143,10 +143,21 @@
                 <key type="TextField">
                     <Required>N</Required>
                 </key>
-                <!-- hidden field; last update of this account (unixtime) -->
+                <!-- TODO: old value that was migrated to statusLastUpdate, should be removed -->
                 <lastUpdate type="IntegerField">
                     <Required>N</Required>
                 </lastUpdate>
+                <!-- hidden field; status of last operation -->
+                <statusCode type="IntegerField">
+                    <Required>N</Required>
+                    <default>100</default>
+                    <MinimumValue>100</MinimumValue>
+                    <MaximumValue>1000</MaximumValue>
+                </statusCode>
+                <!-- hidden field; timestamp for statusCode -->
+                <statusLastUpdate type="IntegerField">
+                    <Required>N</Required>
+                </statusLastUpdate>
             </account>
         </accounts>
         <certificates>
@@ -272,8 +283,7 @@
                 <!-- hidden field; status of last operation -->
                 <statusCode type="IntegerField">
                     <Required>N</Required>
-                    <!-- XXX: enable once data migration is working -->
-                    <!-- <default>100</default> -->
+                    <default>100</default>
                     <MinimumValue>100</MinimumValue>
                     <MaximumValue>1000</MaximumValue>
                 </statusCode>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
index 472b15b89a..79a8f7cf87 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
@@ -6,9 +6,9 @@
               <General url="/ui/acmeclient#general-settings"/>
           </Settings>
           <Accounts VisibleName="Accounts" order="20" url="/ui/acmeclient/accounts"/>
-          <Validations VisibleName="Validation Methods" order="30" url="/ui/acmeclient/validations"/>
+          <Validations VisibleName="Challenge Types" order="30" url="/ui/acmeclient/validations"/>
           <Certificates order="40" url="/ui/acmeclient/certificates"/>
-          <Automation VisibleName="Automation" order="50" url="/ui/acmeclient/actions"/>
+          <Automations VisibleName="Automations" order="50" url="/ui/acmeclient/actions"/>
           <LogFile VisibleName="Log File" order="60" url="/diag_logs_acmeclient.php"/>
       </LEAcmeClient>
     </Services>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M2_0_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M2_0_0.php
new file mode 100644
index 0000000000..3bd34fe877
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M2_0_0.php
@@ -0,0 +1,54 @@
+<?php
+
+/**
+ *    Copyright (C) 2019 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M2_0_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Search accounts
+        foreach ($model->getNodeByReference('accounts.account')->iterateItems() as $account) {
+            if (!empty((string)$account->lastUpdate) && empty((string)$account->statusLastUpdate)) {
+                $account->statusLastUpdate = (string)$account->lastUpdate;
+                // Account is already registered.
+                $account->statusCode = '200';
+                $account->lastUpdate = null; // clear old value
+            } elseif (!empty((string)$account->statusLastUpdate) || !empty((string)$account->statusCode)) {
+                // Ignore accounts that already use M2_0_0 fields.
+            } else {
+                // Account registration is pending.
+                $account->statusCode = '100';
+            }
+        }
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index f6d6e8ed30..7a95eef4b1 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -35,18 +35,284 @@ POSSIBILITY OF SUCH DAMAGE.
          * link grid actions
          **********************************************************************/
 
-        $("#grid-accounts").UIBootgrid(
-            {   search:'/api/acmeclient/accounts/search',
-                get:'/api/acmeclient/accounts/get/',
-                set:'/api/acmeclient/accounts/update/',
-                add:'/api/acmeclient/accounts/add/',
-                del:'/api/acmeclient/accounts/del/',
-                toggle:'/api/acmeclient/accounts/toggle/',
-                options: {
-                    rowCount:[10,25,50,100,500,1000]
+        var gridParams = {
+            search:'/api/acmeclient/accounts/search',
+            get:'/api/acmeclient/accounts/get/',
+            set:'/api/acmeclient/accounts/update/',
+            add:'/api/acmeclient/accounts/add/',
+            del:'/api/acmeclient/accounts/del/',
+            toggle:'/api/acmeclient/accounts/toggle/',
+            register:'/api/acmeclient/accounts/register/',
+        };
+
+        var gridopt = {
+            ajax: true,
+            selection: true,
+            multiSelect: true,
+            rowCount:[10,25,50,100,500,1000],
+            url: '/api/acmeclient/accounts/search',
+            formatters: {
+                "commands": function (column, row) {
+                    return "<button type=\"button\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
+                        "<button type=\"button\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
+                        "<button type=\"button\" class=\"btn btn-xs btn-default command-register\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-address-book-o\"></span></button>" +
+                        "<button type=\"button\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
+                },
+                "rowtoggle": function (column, row) {
+                    if (parseInt(row[column.id], 2) == 1) {
+                        return "<span style=\"cursor: pointer;\" class=\"fa fa-check-square-o command-toggle\" data-value=\"1\" data-row-id=\"" + row.uuid + "\"></span>";
+                    } else {
+                        return "<span style=\"cursor: pointer;\" class=\"fa fa-square-o command-toggle\" data-value=\"0\" data-row-id=\"" + row.uuid + "\"></span>";
+                    }
+                },
+                "accountstatus": function (column, row) {
+                    if (row.statusCode == "" || row.statusCode == undefined) {
+                        // fallback to lastUpdate value (unset if account was not registered)
+                        if (row.statusLastUpdate == "" || row.statusLastUpdate == undefined) {
+                            return "{{ lang._('not registered') }}";
+                        } else {
+                            return "{{ lang._('OK') }}";
+                        }
+                    } else if (row.statusCode == "100") {
+                        return "{{ lang._('not registered') }}";
+                    } else if (row.statusCode == "200") {
+                        return "{{ lang._('OK (registered)') }}";
+                    } else if (row.statusCode == "250") {
+                        return "{{ lang._('deactivated') }}";
+                    } else if (row.statusCode == "300") {
+                        return "{{ lang._('configuration error') }}";
+                    } else if (row.statusCode == "400") {
+                        return "{{ lang._('registration failed') }}";
+                    } else if (row.statusCode == "500") {
+                        return "{{ lang._('internal error') }}";
+                    } else {
+                        return "{{ lang._('unknown') }}";
+                    }
+                },
+                "acmestatusdate": function (column, row) {
+                    if (row.statusLastUpdate == "" || row.statusCode == undefined) {
+                        return "{{ lang._('unknown') }}";
+                    } else {
+                        var statusdate = new Date(row.statusLastUpdate*1000);
+                        return statusdate.toLocaleString();
+                    }
+                }
+            },
+        };
+
+        /**
+         * reload bootgrid, return to current selected page
+         */
+        function std_bootgrid_reload(gridId) {
+            var currentpage = $("#"+gridId).bootgrid("getCurrentPage");
+            $("#"+gridId).bootgrid("reload");
+            // absolutely not perfect, bootgrid.reload doesn't seem to support when().done()
+            setTimeout(function(){
+                $('#'+gridId+'-footer  a[data-page="'+currentpage+'"]').click();
+            }, 400);
+        }
+
+        /**
+         * copy actions for selected items from opnsense_bootgrid_plugin.js
+         */
+        var grid_accounts = $("#grid-accounts").bootgrid(gridopt).on("loaded.rs.jquery.bootgrid", function (e)
+        {
+            // scale footer on resize
+            $(this).find("tfoot td:first-child").attr('colspan',$(this).find("th").length - 1);
+            $(this).find('tr[data-row-id]').each(function(){
+                if ($(this).find('[class*="command-toggle"]').first().data("value") == "0") {
+                    $(this).addClass("text-muted");
+                }
+            });
+
+            // edit dialog id to use
+            var editDlg = $(this).attr('data-editDialog');
+            var gridId = $(this).attr('id');
+
+            // link Add new to child button with data-action = add
+            $(this).find("*[data-action=add]").click(function(){
+                if ( gridParams['get'] != undefined && gridParams['add'] != undefined) {
+                    var urlMap = {};
+                    urlMap['frm_' + editDlg] = gridParams['get'];
+                    mapDataToFormUI(urlMap).done(function(){
+                        // update selectors
+                        formatTokenizersUI();
+                        $('.selectpicker').selectpicker('refresh');
+                        // clear validation errors (if any)
+                        clearFormValidation('frm_' + editDlg);
+                    });
+
+                    // show dialog for edit
+                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
+                    //
+                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
+                        saveFormToEndpoint(url=gridParams['add'],
+                            formid='frm_' + editDlg, callback_ok=function(){
+                                $("#"+editDlg).modal('hide');
+                                $("#"+gridId).bootgrid("reload");
+                            }, true);
+                    });
+                }  else {
+                    console.log("[grid] action add missing")
+                }
+            });
+
+            // link delete selected items action
+            $(this).find("*[data-action=deleteSelected]").click(function(){
+                if ( gridParams['del'] != undefined) {
+                    stdDialogConfirm('{{ lang._('Confirm removal') }}',
+                        '{{ lang._('Do you want to remove the selected item?') }}',
+                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function () {
+                        var rows =$("#"+gridId).bootgrid('getSelectedRows');
+                        if (rows != undefined){
+                            var deferreds = [];
+                            $.each(rows, function(key,uuid){
+                                deferreds.push(ajaxCall(url=gridParams['del'] + uuid, sendData={},null));
+                            });
+                            // refresh after load
+                            $.when.apply(null, deferreds).done(function(){
+                                std_bootgrid_reload(gridId);
+                            });
+                        }
+                    });
+                } else {
+                    console.log("[grid] action del missing")
+                }
+            });
+
+        });
+
+        /**
+         * copy actions for items from opnsense_bootgrid_plugin.js
+         */
+        grid_accounts.on("loaded.rs.jquery.bootgrid", function(){
+
+            // edit dialog id to use
+            var editDlg = $(this).attr('data-editDialog');
+            var gridId = $(this).attr('id');
+
+            // edit item
+            grid_accounts.find(".command-edit").on("click", function(e)
+            {
+                if (editDlg != undefined && gridParams['get'] != undefined) {
+                    var uuid = $(this).data("row-id");
+                    var urlMap = {};
+                    urlMap['frm_' + editDlg] = gridParams['get'] + uuid;
+                    mapDataToFormUI(urlMap).done(function () {
+                        // update selectors
+                        formatTokenizersUI();
+                        $('.selectpicker').selectpicker('refresh');
+                        // clear validation errors (if any)
+                        clearFormValidation('frm_' + editDlg);
+                    });
+
+                    // show dialog for pipe edit
+                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
+                    // define save action
+                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
+                        if (gridParams['set'] != undefined) {
+                            saveFormToEndpoint(url=gridParams['set']+uuid,
+                                formid='frm_' + editDlg, callback_ok=function(){
+                                    $("#"+editDlg).modal('hide');
+                                    std_bootgrid_reload(gridId);
+                                }, true);
+                        } else {
+                            console.log("[grid] action set missing")
+                        }
+                    });
+                } else {
+                    console.log("[grid] action get or data-editDialog missing")
                 }
-            }
-        );
+            });
+
+            // copy item, save as new
+            grid_accounts.find(".command-copy").on("click", function(e)
+            {
+                if (editDlg != undefined && gridParams['get'] != undefined) {
+                    var uuid = $(this).data("row-id");
+                    var urlMap = {};
+                    urlMap['frm_' + editDlg] = gridParams['get'] + uuid;
+                    mapDataToFormUI(urlMap).done(function () {
+                        // update selectors
+                        formatTokenizersUI();
+                        $('.selectpicker').selectpicker('refresh');
+                        // clear validation errors (if any)
+                        clearFormValidation('frm_' + editDlg);
+                    });
+
+                    // show dialog for pipe edit
+                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
+                    // define save action
+                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
+                        if (gridParams['add'] != undefined) {
+                            saveFormToEndpoint(url=gridParams['add'],
+                                formid='frm_' + editDlg, callback_ok=function(){
+                                    $("#"+editDlg).modal('hide');
+                                    std_bootgrid_reload(gridId);
+                                }, true);
+                        } else {
+                            console.log("[grid] action add missing")
+                        }
+                    });
+                } else {
+                    console.log("[grid] action get or data-editDialog missing")
+                }
+            });
+
+            // delete item
+            grid_accounts.find(".command-delete").on("click", function(e)
+            {
+                if (gridParams['del'] != undefined) {
+                    var uuid=$(this).data("row-id");
+                    stdDialogConfirm('{{ lang._('Confirm removal') }}',
+                        '{{ lang._('Do you want to remove the selected item?') }}',
+                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function () {
+                        ajaxCall(url=gridParams['del'] + uuid,
+                            sendData={},callback=function(data,status){
+                                // reload grid after delete
+                                $("#"+gridId).bootgrid("reload");
+                            });
+                    });
+                } else {
+                    console.log("[grid] action del missing")
+                }
+            });
+
+            // toggle item
+            grid_accounts.find(".command-toggle").on("click", function(e)
+            {
+                if (gridParams['toggle'] != undefined) {
+                    var uuid=$(this).data("row-id");
+                    $(this).addClass("fa-spinner fa-pulse");
+                    ajaxCall(url=gridParams['toggle'] + uuid,
+                        sendData={},callback=function(data,status){
+                            // reload grid after toggle
+                            std_bootgrid_reload(gridId);
+                        });
+                } else {
+                    console.log("[grid] action toggle missing")
+                }
+            });
+
+            // register account
+            grid_accounts.find(".command-register").on("click", function(e)
+            {
+                if (gridParams['register'] != undefined) {
+                    var uuid=$(this).data("row-id");
+                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                        '{{ lang._('Register the selected account with Lets Encrypt?') }}',
+                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+                        ajaxCall(url=gridParams['register'] + uuid,sendData={},callback=function(data,status){
+                            // reload grid afterwards
+                            $("#"+gridId).bootgrid("reload");
+                        });
+                    });
+                } else {
+                    console.log("[grid] action register missing")
+                }
+            });
+
+        });
 
     });
 
@@ -64,6 +330,8 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="email" data-type="string">{{ lang._('E-Mail') }}</th>
+                <th data-column-id="statusCode" data-type="string" data-formatter="accountstatus">{{ lang._('Status') }}</th>
+                <th data-column-id="statusLastUpdate" data-type="string" data-formatter="acmestatusdate">{{ lang._('Registration Date') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
             </tr>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index 6db878d502..2d172eb017 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -318,13 +318,12 @@ POSSIBILITY OF SUCH DAMAGE.
             });
 
             // sign cert
-            // TODO: this should block other acme.sh actions
             grid_certificates.find(".command-sign").on("click", function(e)
             {
                 if (gridParams['sign'] != undefined) {
                     var uuid=$(this).data("row-id");
                     stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('Forcefully (re-)issue the selected certificate?') }}',
+                        '{{ lang._('Forcefully issue or renew the selected certificate?') }}',
                         '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
                         // Handle HAProxy integration (no-op if not applicable)
                         ajaxCall(url="/api/acmeclient/settings/fetchHAProxyIntegration", sendData={}, callback=function(data,status) {
@@ -340,7 +339,6 @@ POSSIBILITY OF SUCH DAMAGE.
             });
 
             // revoke cert
-            // TODO: this should block other acme.sh actions
             grid_certificates.find(".command-revoke").on("click", function(e)
             {
                 if (gridParams['revoke'] != undefined) {
@@ -360,7 +358,6 @@ POSSIBILITY OF SUCH DAMAGE.
             });
 
             // remove private key
-            // TODO: this should block other acme.sh actions
             grid_certificates.find(".command-removekey").on("click", function(e)
             {
                 if (gridParams['removekey'] != undefined) {
@@ -380,7 +377,6 @@ POSSIBILITY OF SUCH DAMAGE.
             });
 
             // run automation
-            // TODO: this should block other acme.sh actions
             grid_certificates.find(".command-automation").on("click", function(e)
             {
                 if (gridParams['automation'] != undefined) {
@@ -417,7 +413,6 @@ POSSIBILITY OF SUCH DAMAGE.
 
         /**
          * Sign or renew ALL certificates
-         * TODO: this should block other acme.sh actions
          */
         $("#signallcertsAct").click(function(){
             //$("#signallcertsAct_progress").addClass("fa fa-spinner fa-pulse");
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index 08d8932b85..bb67c87c0f 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -241,7 +241,7 @@ POSSIBILITY OF SUCH DAMAGE.
         <br/>
     </div>
     <div class="col-md-12">
-        <b>{{ lang._("Please read the official %sLet's Encrypt documentation%s before using this plugin. Otherwise you will easily hit its %srate limits%s and thus all your attempts to issue a certificate will fail.") | format('<a href="https://letsencrypt.org/how-it-works/">', '</a>', '<a href="https://letsencrypt.org/docs/rate-limits/">', '</a>') }}</b>{{ lang._("Please use Let's Encrypt's %sstaging servers%s when using this plugin for the first time or while testing a new validation method. You will have to reissue your certificates when switching from staging to production servers to get valid certificates.") | format('<a href="https://letsencrypt.org/docs/staging-environment/">', '</a>') }}
+        <b>{{ lang._("Please read the official %sLet's Encrypt documentation%s before using this plugin. Otherwise you will easily hit its %srate limits%s and thus all your attempts to issue a certificate will fail.") | format('<a href="https://letsencrypt.org/how-it-works/">', '</a>', '<a href="https://letsencrypt.org/docs/rate-limits/">', '</a>') }}</b>{{ lang._("Please use Let's Encrypt's %sstaging servers%s when using this plugin for the first time or while testing a new challenge type. You will have to reissue your certificates when switching from staging to production servers to get valid certificates.") | format('<a href="https://letsencrypt.org/docs/staging-environment/">', '</a>') }}
         <br/>
         {{ lang._('Please use the %sissue tracker%s to report bugs or request new features.') | format('<a href="https://github.com/opnsense/plugins/issues">', '</a>') }}
         <br/>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
index cb94acec00..6ece1b0aa7 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
@@ -91,7 +91,7 @@ POSSIBILITY OF SUCH DAMAGE.
 </script>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#validations">{{ lang._('Validation Methods') }}</a></li>
+    <li class="active"><a data-toggle="tab" href="#validations">{{ lang._('Challenge Types') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
@@ -122,4 +122,4 @@ POSSIBILITY OF SUCH DAMAGE.
 </div>
 
 {# include dialogs #}
-{{ partial("layout_partials/base_dialog",['fields':formDialogValidation,'id':'DialogValidation','label':lang._('Edit Validation Method')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogValidation,'id':'DialogValidation','label':lang._('Edit Challenge Type')])}}
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
deleted file mode 100755
index 928961e391..0000000000
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ /dev/null
@@ -1,1655 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- * Copyright (C) 2017-2020 Frank Wall
- * Copyright (C) 2015 Deciso B.V.
- * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
- * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-// Hello. I am the spaghetti monster. Yummy.
-
-// Use legacy code to manage certificates.
-require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
-require_once("interfaces.inc");
-require_once("util.inc");
-
-// Some stuff requires the almighty MVC framework.
-use OPNsense\Core\Backend;
-use OPNsense\Core\Config;
-use OPNsense\Base;
-use OPNsense\AcmeClient\AcmeClient;
-
-$postponed_updates = array();
-
-/* CLI arguments:
- *  -a (action)
- *  -c (certificate id, NOT the uuid)
- *  -A (all certificates)
- *  -C (cron, special rules apply when running as cronjob)
- *  -F (force, rewew/recreate)
- *  -S (staging)
- */
-$options = getopt("a:c:ACFS");
-
-// Simple validation
-if (!isset($options["a"]) or (!isset($options["c"]) and !isset($options["A"]))) {
-    // ALL actions require either a certificate ID or the -A switch
-    echo "ERROR: not enough arguments\n";
-    exit(1);
-}
-if (($options["a"] == 'revoke') and !isset($options["c"])) {
-    echo "ERROR: option revoke requires a certificate ID\n";
-    exit(1);
-}
-
-// Cron mode
-if (isset($options["C"])) {
-    // Automatically work on ALL certificates
-    $options["A"] = "";
-}
-
-// Run the specified action
-switch ($options["a"]) {
-    case 'sign':
-        $result = cert_action_validator($options["c"]);
-        echo json_encode(array('status' => $result));
-        break;
-    case 'renew':
-        $result = cert_action_validator($options["c"]);
-        echo json_encode(array('status' => $result));
-        break;
-    case 'remove':
-        $result = cert_action_validator($options["c"]);
-        echo json_encode(array('status' => $result));
-        break;
-    case 'removekey':
-        $result = cert_action_validator($options["c"]);
-        echo json_encode(array('status' => $result));
-        break;
-    case 'revoke':
-        $result = cert_action_validator($options["c"]);
-        echo json_encode(array('status' => $result));
-        break;
-    case 'automation':
-        $result = cert_action_validator($options["c"]);
-        echo json_encode(array('status' => $result));
-        break;
-    default:
-        echo "ERROR: invalid argument specified\n";
-        log_error("invalid argument specified");
-        exit(1);
-}
-
-// Write certificate status updates to configuration
-dump_postponed_updates();
-
-// ALL certificate work starts here. First we do some common validation and
-// make sure that everything is prepared for acme client to run.
-// The actual issue/renew/revoke work is done by separate functions.
-function cert_action_validator($opt_cert_id)
-{
-    global $options;
-
-    $modelObj = new OPNsense\AcmeClient\AcmeClient();
-
-    // Store certs here after successful issue/renewal. Required for automations.
-    $restart_certs = array();
-
-    // Search for cert ID in configuration
-    $configObj = Config::getInstance()->object();
-    if (isset($configObj->OPNsense->AcmeClient->certificates) && $configObj->OPNsense->AcmeClient->certificates->count() > 0) {
-        foreach ($configObj->OPNsense->AcmeClient->certificates->children() as $certObj) {
-            // Extract cert ID
-            $cert_id = (string)$certObj->id;
-            if (empty($cert_id)) {
-                continue; // Cert is invalid, skip it.
-            }
-
-            // Either work with ALL certificates or check if cert ID matches
-            if (isset($options["A"]) or ((string)$cert_id == (string)$opt_cert_id)) {
-                // Ignore disabled certificates
-                if ($certObj->enabled == 0) {
-                    // Always ignore disabled certs when working on ALL certs.
-                    if (isset($options["A"])) {
-                        continue; // skip to next item
-                    }
-                    // Allow only "revoke", "remove" and "removekey" for disabled certs.
-                    if (!in_array($options["a"], ['remove','removekey','revoke'])) {
-                        return(1); // Cert is disabled, skip it.
-                    }
-                }
-
-                // Extract Account from referenced obj
-                $acctRef = (string)$certObj->account;
-                $acctObj = null;
-                $acctref_found = false;
-                foreach ($modelObj->getNodeByReference('accounts.account')->iterateItems() as $node) {
-                    if ((string)$node->getAttributes()["uuid"] == $acctRef) {
-                        $acctref_found = true;
-                        $acctObj = $node;
-                        break; // Match! Go ahead.
-                    }
-                }
-
-                // Make sure we found the configured account
-                if ($acctref_found == true) {
-                    // Ensure that this account was properly setup and registered.
-                    $acct_result = run_acme_account_registration($acctObj, $certObj, $modelObj);
-                    if (!$acct_result) {
-                        // account registration OK
-                    } else {
-                        log_error("AcmeClient: account registration failed");
-                        log_cert_acme_status($certObj, $modelObj, '400');
-                        if (isset($options["A"])) {
-                            continue; // skip to next item
-                        }
-                        return(1);
-                    }
-                } else {
-                    log_error("AcmeClient: account not found");
-                    log_cert_acme_status($certObj, $modelObj, '300');
-                    if (isset($options["A"])) {
-                        continue; // skip to next item
-                    }
-                    return(1);
-                }
-
-                // Extract Validation Method from referenced obj
-                $valRef = (string)$certObj->validationMethod;
-                $valObj = null;
-                $ref_found = false;
-                foreach ($modelObj->getNodeByReference('validations.validation')->iterateItems() as $node) {
-                    if ((string)$node->getAttributes()["uuid"] == $valRef) {
-                        $ref_found = true;
-                        $valObj = $node;
-                        break; // Match! Go ahead.
-                    }
-                }
-
-                // Cert is being removed from the GUI, delete all traces.
-                if ($options["a"] == "remove") {
-                    // Start acme client to remove the certificate
-                    $rev_result = remove_cert($certObj);
-                    if (!$rev_result) {
-                        log_error("AcmeClient: successfully removed acme.sh certificate configuration for " . (string)$certObj->name);
-                        return(0); // Success!
-                    } else {
-                        log_error("AcmeClient: failed to remove acme.sh certificate configuration for " . (string)$certObj->name);
-                        return(1);
-                    }
-                }
-
-                // Remove private key
-                // NOTE: Although the user requested to remove the private key,
-                // we simply perform a full cert removal because without the
-                // matching private key the cert is useless.
-                if ($options["a"] == "removekey") {
-                    // Start acme client to remove the certificate
-                    $rev_result = remove_cert($certObj);
-                    if (!$rev_result) {
-                        log_error("AcmeClient: successfully removed the private key and reset certificate " . (string)$certObj->name);
-                        // Reset certificate state, treat it like a new certificate.
-                        log_cert_acme_status($certObj, $modelObj, '100');
-                        return(0); // Success!
-                    } else {
-                        log_error("AcmeClient: failed to remove the private key and reset certificate " . (string)$certObj->name);
-                        return(1);
-                    }
-                }
-
-                // Only run certificate automation
-                if ($options["a"] == "automation") {
-                    // Check if the cert was successul issued
-                    if (!empty((string)$certObj->statusCode) and (string)$certObj->statusCode == '200') {
-                        log_error("AcmeClient: ready to run automation for certificate: " . (string)$certObj->name);
-                        $restart_certs[] = $certObj;
-                    } else {
-                        log_error("AcmeClient: failed to run automation, certificate status not OK: " . (string)$certObj->name);
-                        return(1);
-                    }
-                    break; // Stop after first match.
-                }
-
-                // Make sure we found the configured validation method
-                if ($ref_found == true) {
-                    // Was a revocation requested?
-                    // NOTE: Revocation is not even considered when some elements have already been
-                    //       deleted from the GUI. It's likely that it would fail anyway.
-                    if ($options["a"] == "revoke") {
-                        // Start acme client to revoke the certificate
-                        $rev_result = revoke_cert($certObj, $valObj, $acctObj);
-                        if (!$rev_result) {
-                            log_cert_acme_status($certObj, $modelObj, '250');
-                            return(0); // Success!
-                        } else {
-                            // Revocation failure
-                            log_error("AcmeClient: revocation for certificate failed");
-                            log_cert_acme_status($certObj, $modelObj, '400');
-                            if (isset($options["A"])) {
-                                continue; // skip to next item
-                            }
-                            return(1);
-                        }
-                    }
-
-                    // Which validation method?
-                    if ((string)$valObj->method == 'http01' or ((string)$valObj->method == 'dns01')) {
-                        // Start acme client to issue or renew certificate
-                        $val_result = run_acme_validation($certObj, $valObj, $acctObj);
-                        if (!$val_result) {
-                            log_error("AcmeClient: successfully issued/renewed certificate: " . (string)$certObj->name);
-                            // Import certificate to Cert Manager
-                            if (!import_certificate($certObj, $modelObj)) {
-                                // Prepare certificate for automation
-                                $restart_certs[] = $certObj;
-                                log_cert_acme_status($certObj, $modelObj, '200');
-                            } else {
-                                log_error("AcmeClient: unable to import certificate: " . (string)$certObj->name);
-                                log_cert_acme_status($certObj, $modelObj, '500');
-                                if (isset($options["A"])) {
-                                    continue; // skip to next item
-                                }
-                                return(1);
-                            }
-                        } elseif ($val_result == '99') {
-                            // Renewal not required. Do nothing.
-                        } else {
-                            // validation failure
-                            log_error("AcmeClient: validation for certificate failed: " . (string)$certObj->name);
-                            log_cert_acme_status($certObj, $modelObj, '400');
-                            if (isset($options["A"])) {
-                                continue; // skip to next item
-                            }
-                            return(1);
-                        }
-                    } else {
-                        log_error("AcmeClient: invalid validation method specified: " . (string)$valObj->method);
-                        log_cert_acme_status($certObj, $modelObj, '300');
-                        if (isset($options["A"])) {
-                            continue; // skip to next item
-                        }
-                        return(1);
-                    }
-                } else {
-                    log_error("AcmeClient: validation method not found for cert " . $certObj->name);
-                    log_cert_acme_status($certObj, $modelObj, '300');
-                    if (isset($options["A"])) {
-                        continue; // skip to next item
-                    }
-                    return(1);
-                }
-
-                // Work on ALL certificates?
-                if (!isset($options["A"])) {
-                    break; // Stop after first match.
-                }
-            }
-        }
-    } else {
-        log_error("AcmeClient: no LE certificates found in configuration");
-        return(1);
-    }
-
-    // Run automations if an operation was successful.
-    if (!empty($restart_certs)) {
-        // Execute automations.
-        if (!run_restart_actions($restart_certs, $modelObj)) {
-            # Success.
-        } else {
-            log_error("AcmeClient: failed to execute some automations");
-        }
-    }
-
-    return(0);
-}
-
-// Prepare optional parameters for acme client
-function eval_optional_acme_args()
-{
-    global $options;
-    $configObj = Config::getInstance()->object();
-
-    $acme_args = array();
-
-    // Force certificate renewal?
-    $acme_args[] = isset($options["F"]) ? "--force" : null;
-
-    // Use LE staging environment?
-    $acme_args[] = $configObj->OPNsense->AcmeClient->settings->environment == "stg" ? "--staging" : null;
-    $acme_args[] = isset($options["S"]) ? "--staging" : null; // for debug purpose
-
-    // Set log level
-    switch ($configObj->OPNsense->AcmeClient->settings->logLevel) {
-        case "extended":
-            $acme_args[] = "--log-level 2";
-        case "debug":
-            $acme_args[] = "--debug";
-        case "debug2":
-            $acme_args[] = "--debug 2";
-        case "debug3":
-            $acme_args[] = "--debug 3";
-        default:
-            $acme_args[] = "--log-level 1";
-    }
-
-    // Remove empty and duplicate elements from array
-    return(array_unique(array_filter($acme_args)));
-}
-
-// Create account keys and register accounts, export/import them from/to filesystem/config.xml
-function run_acme_account_registration($acctObj, $certObj, $modelObj)
-{
-    global $options;
-
-    // Prepare optional parameters for acme-client
-    $acme_args = eval_optional_acme_args();
-
-    // Collect account information
-    $acme_env = (string)$modelObj->settings->environment;
-    $account_conf_dir = "/var/etc/acme-client/accounts/" . $acctObj->id . "_${acme_env}";
-    $account_conf_file = $account_conf_dir . "/account.conf";
-    $account_key_file = $account_conf_dir . "/account.key";
-    $account_json_file = $account_conf_dir . "/account.json";
-    $account_ca_file = $account_conf_dir . "/ca.conf";
-    $acme_conf = array();
-    $acme_conf[] = "CERT_HOME='/var/etc/acme-client/home'";
-    $acme_conf[] = "LOG_FILE='/var/log/acme.sh.log'";
-    $acme_conf[] = "ACCOUNT_KEY_PATH='" . $account_key_file . "'";
-    $acme_conf[] = "ACCOUNT_JSON_PATH='" . $account_json_file . "'";
-    $acme_conf[] = "CA_CONF='" . $account_ca_file . "'";
-    if (!empty((string)$acctObj->email)) {
-        $acme_conf[] = "ACCOUNT_EMAIL='" . (string)$acctObj->email . "'";
-    }
-
-    // Create account configuration file
-    if (!is_dir($account_conf_dir)) {
-        mkdir($account_conf_dir, 0700, true);
-    }
-    file_put_contents($account_conf_file, (string)implode("\n", $acme_conf) . "\n");
-    chmod($account_conf_file, 0600);
-
-    // Check if account key already exists
-    if (is_file($account_key_file)) {
-        // account key found
-    } else {
-        // Check if we have an account key in our configuration
-        if (!empty((string)$acctObj->key)) {
-            // Write key to disk
-            file_put_contents($account_key_file, (string)base64_decode((string)$acctObj->key));
-            chmod($account_key_file, 0600);
-        } else {
-            // Do not generate new key if a revocation was requested.
-            if ($options["a"] == "revoke") {
-                log_error("AcmeClient: account key not found, but a revocation was requested");
-                return(1);
-            }
-
-            // Let acme client generate a new account key
-            $acmecmd = "/usr/local/sbin/acme.sh "
-              . implode(" ", $acme_args) . " "
-              . "--createAccountKey "
-              . "--accountkeylength 4096 "
-              . "--home /var/etc/acme-client/home "
-              . "--accountconf " . $account_conf_file;
-            $result = mwexec($acmecmd);
-
-            // Check exit code
-            if (!($result)) {
-                // created a new account key
-            } else {
-                log_error("AcmeClient: failed to create a new account key");
-                return(1);
-            }
-
-            // Read account key
-            $account_key_content = @file_get_contents($account_key_file);
-            if ($account_key_content == false) {
-                log_error("AcmeClient: unable to read account key from file");
-                return(1);
-            }
-
-            // Import account key into config
-            $acctObj->key = base64_encode($account_key_content);
-            // serialize to config and save
-            $modelObj->serializeToConfig();
-            Config::getInstance()->save();
-            Config::getInstance()->forceReload();
-        }
-    }
-
-    // Check if account was already registered
-    if (!empty((string)$acctObj->lastUpdate)) {
-        // account key already registered
-    } else {
-        // Do not register new account if a revocation was requested.
-        if ($options["a"] == "revoke") {
-            log_error("AcmeClient: account not registered, but a revocation was requested");
-            return(1);
-        }
-
-        // Run acme client to register the account
-        $acmecmd = "/usr/local/sbin/acme.sh "
-          . implode(" ", $acme_args) . " "
-          . "--registeraccount "
-          . "--home /var/etc/acme-client/home "
-          . "--accountconf " . $account_conf_file;
-        $result = mwexec($acmecmd);
-
-        // Check exit code
-        if (!($result)) {
-            // registered a new account key
-        } else {
-            log_error("AcmeClient: failed to register a new account key");
-            return(1);
-        }
-
-        // Set update/create time in config
-        $acctObj->lastUpdate = time();
-        // serialize to config and save
-        $modelObj->serializeToConfig();
-        Config::getInstance()->save();
-        Config::getInstance()->forceReload();
-    }
-
-    return;
-}
-
-// Run acme client with HTTP-01 or DNS-01 validation to issue/renew certificate
-function run_acme_validation($certObj, $valObj, $acctObj)
-{
-    global $options;
-
-    // Required to run pre-defined commands.
-    $backend = new Backend();
-    $modelObj = new OPNsense\AcmeClient\AcmeClient();
-
-    // Collect account information
-    $acme_env = (string)$modelObj->settings->environment;
-    $account_conf_dir = "/var/etc/acme-client/accounts/" . $acctObj->id . "_${acme_env}";
-    $account_conf_file = $account_conf_dir . "/account.conf";
-
-    // Generate certificate filenames
-    $cert_id = (string)$certObj->id;
-    $cert_filename = "/var/etc/acme-client/certs/${cert_id}/cert.pem";
-    $cert_chain_filename = "/var/etc/acme-client/certs/${cert_id}/chain.pem";
-    $cert_fullchain_filename = "/var/etc/acme-client/certs/${cert_id}/fullchain.pem";
-    $key_filename = "/var/etc/acme-client/keys/${cert_id}/private.key";
-
-    // Setup our own ACME environment
-    $certdir = "/var/etc/acme-client/certs/${cert_id}";
-    $keydir = "/var/etc/acme-client/keys/${cert_id}";
-    $configdir = "/var/etc/acme-client/configs/${cert_id}";
-    foreach (array($certdir, $keydir, $configdir) as $dir) {
-        if (!is_dir($dir)) {
-            mkdir($dir, 0700, true);
-        }
-    }
-
-    // Preparation to run acme client
-    $acme_args = eval_optional_acme_args();
-    $proc_env = array(); // env variables for proc_open()
-    $proc_env['PATH'] = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin';
-    $proc_desc = array(  // descriptor array for proc_open()
-        0 => array("pipe", "r"), // stdin
-        1 => array("pipe", "w"), // stdout
-        2 => array("pipe", "w")  // stderr
-    );
-    $proc_pipes = array();
-
-    // Do we need to issue or renew the certificate?
-    if (!empty((string)$certObj->lastUpdate) and !isset($options["F"])) {
-        $acme_action = "renew";
-    } else {
-        // Default: Issue a new certificate.
-        // If "-F" is specified, forcefully re-issue the cert, no matter if it's required.
-        // NOTE: This is useful if altNames were changed or when switching
-        // from acme staging to acme production servers.
-        $acme_action = "issue";
-    }
-
-    // Calculate next renewal date
-    $last_update = !empty((string)$certObj->lastUpdate) ? (string)$certObj->lastUpdate : 0;
-    $renew_cert = false;
-    $current_time = new \DateTime();
-    $last_update_time = new \DateTime();
-    $last_update_time->setTimestamp($last_update);
-    $renew_interval = (string)$certObj->renewInterval;
-    $next_update = $last_update_time->add(new \DateInterval('P' . $renew_interval . 'D'));
-
-    // Check if it's time to renew the cert.
-    if (isset($options["F"]) or ($current_time >= $next_update)) {
-        $renew_cert = true;
-    } else {
-        // Renewal not yet required, report special code
-        return(99);
-    }
-
-    // Try HTTP-01 or DNS-01 validation?
-    $val_method = (string)$valObj->method;
-    $acme_validation = "";        // val.method as argument for acme.sh
-    $acme_hook_options = array(); // store addition arguments for acme.sh here
-    switch ($val_method) {
-        case 'http01':
-            $acme_validation = "--webroot /var/etc/acme-client/challenges ";
-            break;
-        case 'dns01':
-            $acme_validation = "--dns " . (string)$valObj->dns_service . " ";
-            break;
-        default:
-            log_error("AcmeClient: invalid validation method specified: " . (string)$valObj->method);
-            return(1);
-    }
-
-    // HTTP-01: setup OPNsense internal port forward
-    if (($val_method == 'http01') and ((string)$valObj->http_service == 'opnsense')) {
-        // Get configured HTTP port for local lighttpd server
-        $configObj = Config::getInstance()->object();
-        $local_http_port = $configObj->OPNsense->AcmeClient->settings->challengePort;
-
-        // Collect all IP addresses here, automatic port forward will be applied for each IP
-        $iplist = array();
-
-        // Add IP addresses from auto-discovery feature
-        if ($valObj->http_opn_autodiscovery == 1) {
-            $dnslist = explode(',', $certObj->altNames);
-            $dnslist[] = $certObj->name;
-            foreach ($dnslist as $fqdn) {
-                // NOTE: This may take some time.
-                $ip_found = gethostbyname("${fqdn}.");
-                if (!empty($ip_found)) {
-                    $iplist[] = (string)$ip_found;
-                }
-            }
-        }
-
-        // Add IP addresses from user input
-        $additional_ip = (string)$valObj->http_opn_ipaddresses;
-        if (!empty($additional_ip)) {
-            foreach (explode(',', $additional_ip) as $ip) {
-                $iplist[] = $ip;
-            }
-        }
-
-        // Add IP address from chosen interface
-        if (!empty((string)$valObj->http_opn_interface)) {
-            $interface_ip = get_interface_ip((string)$valObj->http_opn_interface);
-            if (!empty($interface_ip)) {
-                $iplist[] = $interface_ip;
-            }
-        }
-
-        // Check wether IPv6 support is enabled
-        $configObj = Config::getInstance()->object();
-        if (isset($configObj->system->ipv6allow) && ($configObj->system->ipv6allow == "1")) {
-            $_ipv6_enabled = true;
-        } else {
-            $_ipv6_enabled = false;
-        }
-
-        // Generate rules for all IP addresses
-        $anchor_rules = "";
-        if (!empty($iplist)) {
-            $dedup_iplist = array_unique($iplist);
-            // Add one rule for every IP
-            foreach ($dedup_iplist as $ip) {
-                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
-                    // IPv4
-                    $_dst = '127.0.0.1';
-                    $_family = 'inet';
-                    log_error("AcmeClient: using IPv4 address: ${ip}");
-                } elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
-                    // IPv6
-                    $_dst = '::1';
-                    $_family = 'inet6';
-                    log_error("AcmeClient: using IPv6 address: ${ip}");
-                } else {
-                    continue; // skip broken entries
-                }
-                $anchor_rules .= "rdr pass ${_family} proto tcp from any to ${ip} port 80 -> ${_dst} port ${local_http_port}\n";
-            }
-        } else {
-            log_error("AcmeClient: no IP addresses found to setup port forward");
-            return(1);
-        }
-
-        // Abort if no rules were generated
-        if (empty($anchor_rules)) {
-            log_error("AcmeClient: unable to setup a port forward (empty ruleset)");
-            return(1);
-        }
-
-        // Create temporary port forward to allow acme challenges to  get through
-        $anchor_setup = "rdr-anchor \"acme-client\"\n";
-        file_put_contents("${configdir}/acme_anchor_setup", $anchor_setup);
-        chmod("${configdir}/acme_anchor_setup", 0600);
-        mwexec("/sbin/pfctl -f ${configdir}/acme_anchor_setup");
-        file_put_contents("${configdir}/acme_anchor_rules", $anchor_rules);
-        chmod("${configdir}/acme_anchor_rules", 0600);
-        mwexec("/sbin/pfctl -a acme-client -f ${configdir}/acme_anchor_rules");
-    }
-
-    // Prepare DNS-01 hooks
-    if ($val_method == 'dns01') {
-        // Some common stuff
-        $val_id = preg_replace("/[^a-zA-Z0-9]/", "", (string)$valObj->id);
-        $secret_key_filename = "${configdir}/secret.key";
-        $acme_args[] = '--dnssleep ' . $valObj->dns_sleep;
-
-        // Setup DNS hook:
-        // Set required env variables, write secrets to files, etc.
-        switch ((string)$valObj->dns_service) {
-            case 'dns_1984hosting':
-                $proc_env['One984HOSTING_Username'] = (string)$valObj->dns_1984hosting_user;
-                $proc_env['One984HOSTING_Password'] = (string)$valObj->dns_1984hosting_password;
-                break;
-            case 'dns_acmedns':
-                $proc_env['ACMEDNS_USERNAME'] = (string)$valObj->dns_acmedns_user;
-                $proc_env['ACMEDNS_PASSWORD'] = (string)$valObj->dns_acmedns_password;
-                $proc_env['ACMEDNS_SUBDOMAIN'] = (string)$valObj->dns_acmedns_subdomain;
-                $proc_env['ACMEDNS_UPDATE_URL'] = (string)$valObj->dns_acmedns_updateurl;
-                break;
-            case 'dns_acmeproxy':
-                $proc_env['ACMEPROXY_ENDPOINT'] = (string)$valObj->dns_acmeproxy_endpoint;
-                $proc_env['ACMEPROXY_USERNAME'] = (string)$valObj->dns_acmeproxy_username;
-                $proc_env['ACMEPROXY_PASSWORD'] = (string)$valObj->dns_acmeproxy_password;
-                break;
-            case 'dns_ad':
-                $proc_env['AD_API_KEY'] = (string)$valObj->dns_ad_key;
-                break;
-            case 'dns_ali':
-                $proc_env['Ali_Key'] = (string)$valObj->dns_ali_key;
-                $proc_env['Ali_Secret'] = (string)$valObj->dns_ali_secret;
-                break;
-            case 'dns_arvan':
-                $proc_env['Arvan_Token'] = (string)$valObj->dns_arvan_token;
-                break;
-            case 'dns_autodns':
-                $proc_env['AUTODNS_USER'] = (string)$valObj->dns_autodns_user;
-                $proc_env['AUTODNS_PASSWORD'] = (string)$valObj->dns_autodns_password;
-                $proc_env['AUTODNS_CONTEXT'] = (string)$valObj->dns_autodns_context;
-                break;
-            case 'dns_aws':
-                $proc_env['AWS_ACCESS_KEY_ID'] = (string)$valObj->dns_aws_id;
-                $proc_env['AWS_SECRET_ACCESS_KEY'] = (string)$valObj->dns_aws_secret;
-                break;
-            case 'dns_azure':
-                $proc_env['AZUREDNS_SUBSCRIPTIONID'] = (string)$valObj->dns_azuredns_subscriptionid;
-                $proc_env['AZUREDNS_TENANTID'] = (string)$valObj->dns_azuredns_tenantid;
-                $proc_env['AZUREDNS_APPID'] = (string)$valObj->dns_azuredns_appid;
-                $proc_env['AZUREDNS_CLIENTSECRET'] = (string)$valObj->dns_azuredns_clientsecret;
-                break;
-            case 'dns_cf':
-                // Global API key (insecure)
-                $proc_env['CF_Key'] = (string)$valObj->dns_cf_key;
-                $proc_env['CF_Email'] = (string)$valObj->dns_cf_email;
-                // Restricted API token (recommended)
-                $proc_env['CF_Token'] = (string)$valObj->dns_cf_token;
-                $proc_env['CF_Account_ID'] = (string)$valObj->dns_cf_account_id;
-                break;
-            case 'dns_cloudns':
-                $proc_env['CLOUDNS_AUTH_ID'] = (string)$valObj->dns_cloudns_auth_id;
-                $proc_env['CLOUDNS_SUB_AUTH_ID'] = (string)$valObj->dns_cloudns_sub_auth_id;
-                $proc_env['CLOUDNS_AUTH_PASSWORD'] = (string)$valObj->dns_cloudns_auth_password;
-                break;
-            case 'dns_cn':
-                $proc_env['CN_User'] = (string)$valObj->dns_cn_user;
-                $proc_env['CN_Password'] = (string)$valObj->dns_cn_password;
-                break;
-            case 'dns_cx':
-                $proc_env['CX_Key'] = (string)$valObj->dns_cx_key;
-                $proc_env['CX_Secret'] = (string)$valObj->dns_cx_secret;
-                break;
-            case 'dns_cyon':
-                $proc_env['CY_Username'] = (string)$valObj->dns_cyon_user;
-                $proc_env['CY_Password'] = (string)$valObj->dns_cyon_user;
-                break;
-            case 'dns_da':
-                $proc_env['DA_Api'] = (string)$valObj->dns_da_key;
-                $proc_env['DA_Api_Insecure'] = (string)$valObj->dns_da_insecure;
-                break;
-            case 'dns_dgon':
-                $proc_env['DO_API_KEY'] = (string)$valObj->dns_dgon_key;
-                break;
-            case 'dns_dnsimple':
-                $proc_env['DNSimple_OAUTH_TOKEN'] = (string)$valObj->dns_dnsimple_token;
-                break;
-            case 'dns_do':
-                $proc_env['DO_PID'] = (string)$valObj->dns_do_pid;
-                $proc_env['DO_PW'] = (string)$valObj->dns_do_password;
-                break;
-            case 'dns_doapi':
-                $proc_env['DO_LETOKEN'] = (string)$valObj->dns_doapi_token;
-                break;
-            case 'dns_dp':
-                $proc_env['DP_Id'] = (string)$valObj->dns_dp_id;
-                $proc_env['DP_Key'] = (string)$valObj->dns_dp_key;
-                break;
-            case 'dns_dreamhost':
-                $proc_env['DH_API_KEY'] = (string)$valObj->dns_dh_key;
-                break;
-            case 'dns_duckdns':
-                $proc_env['DuckDNS_Token'] = (string)$valObj->dns_duckdns_token;
-                break;
-            case 'dns_dyn':
-                $proc_env['DYN_Customer'] = (string)$valObj->dns_dyn_customer;
-                $proc_env['DYN_Username'] = (string)$valObj->dns_dyn_user;
-                $proc_env['DYN_Password'] = (string)$valObj->dns_dyn_password;
-                break;
-            case 'dns_dynu':
-                $proc_env['Dynu_ClientId'] = (string)$valObj->dns_dynu_clientid;
-                $proc_env['Dynu_Secret'] = (string)$valObj->dns_dynu_secret;
-                break;
-            case 'dns_euserv':
-                $proc_env['EUSERV_Username'] = (string)$valObj->dns_euserv_user;
-                $proc_env['EUSERV_Password'] = (string)$valObj->dns_euserv_password;
-                $acme_hook_options[] = "--insecure";
-                break;
-            case 'dns_freedns':
-                $proc_env['FREEDNS_User'] = (string)$valObj->dns_freedns_user;
-                $proc_env['FREEDNS_Password'] = (string)$valObj->dns_freedns_password;
-                break;
-            case 'dns_gandi_livedns':
-                $proc_env['GANDI_LIVEDNS_KEY'] = (string)$valObj->dns_gandi_livedns_key;
-                break;
-            case 'dns_gcloud':
-                # Google Cloud SDK must be installed.
-                if ((string)$modelObj->isPluginInstalled('google-cloud-sdk') != "1") {
-                    log_error("AcmeClient: Google Cloud SDK plugin is NOT installed. Please install os-google-cloud-sdk.");
-                    return(1);
-                }
-                # We need a valid Google Cloud JSON key.
-                if (!empty((string)$valObj->dns_gcloud_key)) {
-                    # Extract the gcloud project from the key data.
-                    $_gcloud_data = json_decode((string)$valObj->dns_gcloud_key);
-                    $gcloud_project = $_gcloud_data->project_id;
-                    $gcloud_account = $_gcloud_data->client_email;
-                    if (empty($gcloud_project)) {
-                        log_error("AcmeClient: unable to extract project name from Google Cloud DNS JSON key");
-                        return(1);
-                    } else {
-                        log_error("AcmeClient: Google Cloud DNS project name: ${gcloud_project}");
-                    }
-                } else {
-                    log_error("AcmeClient: no key for Google Cloud DNS was specified");
-                    return(1);
-                }
-                # Preparations for gcloud CLI.
-                $gcloud_config = "acme-${val_id}";
-                $gcloud_key_file = "/tmp/acme_" . (string)$valObj->dns_service . "_${val_id}.json";
-                file_put_contents($gcloud_key_file, (string)$valObj->dns_gcloud_key);
-                chmod($gcloud_key_file, 0600);
-                $proc_env['CLOUDSDK_ACTIVE_CONFIG_NAME'] = $gcloud_config;
-                $proc_env['CLOUDSDK_CORE_PROJECT'] = $gcloud_project;
-                # Ensure that a working gcloud config exists.
-                run_shell_command("/usr/local/bin/gcloud config configurations create ${gcloud_config}", $proc_env);
-                run_shell_command("/usr/local/bin/gcloud config configurations activate ${gcloud_config}", $proc_env);
-                run_shell_command("/usr/local/bin/gcloud auth activate-service-account --key-file=${gcloud_key_file}", $proc_env);
-                run_shell_command("/usr/local/bin/gcloud config set account ${gcloud_account}", $proc_env);
-                run_shell_command("/usr/local/bin/gcloud config set project ${gcloud_project}", $proc_env);
-                break;
-            case 'dns_gd':
-                $proc_env['GD_Key'] = (string)$valObj->dns_gd_key;
-                $proc_env['GD_Secret'] = (string)$valObj->dns_gd_secret;
-                break;
-            case 'dns_gdnsdk':
-                $proc_env['GDNSDK_Username'] = (string)$valObj->dns_gdnsdk_user;
-                $proc_env['GDNSDK_Password'] = (string)$valObj->dns_gdnsdk_password;
-                break;
-            case 'dns_hetzner':
-                $proc_env['HETZNER_Token'] = (string)$valObj->dns_hetzner_token;
-                break;
-            case 'dns_hostingde':
-                $proc_env['HOSTINGDE_ENDPOINT'] = (string)$valObj->dns_hostingde_server;
-                $proc_env['HOSTINGDE_APIKEY'] = (string)$valObj->dns_hostingde_apiKey;
-                break;
-            case 'dns_he':
-                $proc_env['HE_Username'] = (string)$valObj->dns_he_user;
-                $proc_env['HE_Password'] = (string)$valObj->dns_he_password;
-                break;
-            case 'dns_infoblox':
-                $proc_env['Infoblox_Creds'] = (string)$valObj->dns_infoblox_credentials;
-                $proc_env['Infoblox_Server'] = (string)$valObj->dns_infoblox_server;
-                break;
-            case 'dns_inwx':
-                $proc_env['INWX_User'] = (string)$valObj->dns_inwx_user;
-                $proc_env['INWX_Password'] = (string)$valObj->dns_inws_password;
-                break;
-            case 'dns_ispconfig':
-                $proc_env['ISPC_User'] = (string)$valObj->dns_ispconfig_user;
-                $proc_env['ISPC_Password'] = (string)$valObj->dns_ispconfig_password;
-                $proc_env['ISPC_Api'] = (string)$valObj->dns_ispconfig_api;
-                $proc_env['ISPC_Api_Insecure'] = (string)$valObj->dns_ispconfig_insecure;
-                break;
-            case 'dns_joker':
-                $proc_env['JOKER_USERNAME'] = (string)$valObj->dns_joker_username;
-                $proc_env['JOKER_PASSWORD'] = (string)$valObj->dns_joker_password;
-                break;
-            case 'dns_kinghost':
-                $proc_env['KINGHOST_username'] = (string)$valObj->dns_kinghost_username;
-                $proc_env['KINGHOST_Password'] = (string)$valObj->dns_kinghost_password;
-                break;
-            case 'dns_knot':
-                $proc_env['KNOT_SERVER'] = (string)$valObj->dns_knot_server;
-                $proc_env['KNOT_KEY'] = (string)$valObj->dns_knot_key;
-                break;
-            case 'dns_leaseweb':
-                $proc_env['LSW_Key'] = (string)$valObj->dns_leaseweb_key;
-                break;
-            case 'dns_lexicon':
-                $proc_env['PROVIDER'] = (string)$valObj->dns_lexicon_provider;
-                $proc_env['LEXICON_' . strtoupper($proc_env['PROVIDER']) . '_USERNAME'] = (string)$valObj->dns_lexicon_user;
-                $proc_env['LEXICON_' . strtoupper($proc_env['PROVIDER']) . '_TOKEN'] = (string)$valObj->dns_lexicon_token;
-                if ((string)$valObj->dns_lexicon_provider == 'namesilo') {
-                    // Namesilo applies changes to DNS records only every 15 minutes.
-                    $acme_hook_options[] = "--dnssleep 960";
-                }
-                break;
-            case 'dns_linode':
-                $proc_env['LINODE_API_KEY'] = (string)$valObj->dns_linode_key;
-                // Linode can take up to 15 to update DNS records
-                $acme_hook_options[] = "--dnssleep 960";
-                break;
-            case 'dns_linode_v4':
-                $proc_env['LINODE_V4_API_KEY'] = (string)$valObj->dns_linode_v4_key;
-                // Linode can take up to 15 to update DNS records
-                $acme_hook_options[] = "--dnssleep 960";
-                break;
-            case 'dns_loopia':
-                $proc_env['LOOPIA_Api'] = (string)$valObj->dns_loopia_api;
-                $proc_env['LOOPIA_User'] = (string)$valObj->dns_loopia_user;
-                $proc_env['LOOPIA_Password'] = (string)$valObj->dns_loopia_password;
-                break;
-            case 'dns_lua':
-                $proc_env['LUA_Key'] = (string)$valObj->dns_lua_key;
-                $proc_env['LUA_Email'] = (string)$valObj->dns_lua_email;
-                break;
-            case 'dns_me':
-                $proc_env['ME_Key'] = (string)$valObj->dns_me_key;
-                $proc_env['ME_Secret'] = (string)$valObj->dns_me_secret;
-                break;
-            case 'dns_miab':
-                $proc_env['MIAB_Username'] = (string)$valObj->dns_miab_user;
-                $proc_env['MIAB_Password'] = (string)$valObj->dns_miab_password;
-                $proc_env['MIAB_Server'] = (string)$valObj->dns_miab_server;
-                break;
-            case 'dns_namecheap':
-                $proc_env['NAMECHEAP_USERNAME'] = (string)$valObj->dns_namecheap_user;
-                $proc_env['NAMECHEAP_API_KEY'] = (string)$valObj->dns_namecheap_api;
-                if (!empty((string)$valObj->dns_namecheap_sourceip)) {
-                    $proc_env['NAMECHEAP_SOURCEIP'] = (string)$valObj->dns_namecheap_sourceip;
-                } else {
-                    // Use a public service to get our source IP for Namecheap API
-                    $proc_env['NAMECHEAP_SOURCEIP'] = 'https://ifconfig.co/ip';
-                }
-                break;
-            case 'dns_namecom':
-                $proc_env['Namecom_Username'] = (string)$valObj->dns_namecom_user;
-                $proc_env['Namecom_Token'] = (string)$valObj->dns_namecom_token;
-                break;
-            case 'dns_namesilo':
-                $proc_env['Namesilo_Key'] = (string)$valObj->dns_namesilo_key;
-                // Namesilo applies changes to DNS records only every 15 minutes.
-                $acme_hook_options[] = "--dnssleep 960";
-                break;
-            case 'dns_netcup':
-                $proc_env['NC_CID'] = (string)$valObj->dns_netcup_cid;
-                $proc_env['NC_Apikey'] = (string)$valObj->dns_netcup_key;
-                $proc_env['NC_Apipw'] = (string)$valObj->dns_netcup_pw;
-                // netcup applies changes to DNS records only every 10 minutes.
-                $acme_hook_options[] = "--dnssleep 600";
-                break;
-            case 'dns_nsone':
-                $proc_env['NS1_Key'] = (string)$valObj->dns_nsone_key;
-                break;
-            case 'dns_nsupdate':
-                // Write secret key to filesystem
-                $secret_key_data = (string)$valObj->dns_nsupdate_key . "\n";
-                file_put_contents($secret_key_filename, $secret_key_data);
-                $proc_env['NSUPDATE_KEY'] = $secret_key_filename;
-                $proc_env['NSUPDATE_SERVER'] = (string)$valObj->dns_nsupdate_server;
-                $proc_env['NSUPDATE_ZONE'] = (string)$valObj->dns_nsupdate_zone;
-                break;
-            case 'dns_opnsense':
-                # BIND plugin must be installed.
-                if ((string)$modelObj->isPluginInstalled('bind') != "1") {
-                    log_error("AcmeClient: BIND plugin is NOT installed. Please install os-bind.");
-                    return(1);
-                }
-                $proc_env['OPNs_Host'] = (string)$valObj->dns_opnsense_host;
-                $proc_env['OPNs_Port'] = (string)$valObj->dns_opnsense_port;
-                $proc_env['OPNs_Key'] = (string)$valObj->dns_opnsense_key;
-                $proc_env['OPNs_Token'] = (string)$valObj->dns_opnsense_token;
-                $proc_env['OPNs_Api_Insecure'] = (string)$valObj->dns_opnsense_insecure;
-                break;
-            case 'dns_ovh':
-                $proc_env['OVH_AK'] = (string)$valObj->dns_ovh_app_key;
-                $proc_env['OVH_AS'] = (string)$valObj->dns_ovh_app_secret;
-                $proc_env['OVH_CK'] = (string)$valObj->dns_ovh_consumer_key;
-                $proc_env['OVH_END_POINT'] = (string)$valObj->dns_ovh_endpoint;
-                break;
-            case 'dns_pdns':
-                $proc_env['PDNS_Url'] = (string)$valObj->dns_pdns_url;
-                $proc_env['PDNS_ServerId'] = (string)$valObj->dns_pdns_serverid;
-                $proc_env['PDNS_Token'] = (string)$valObj->dns_pdns_token;
-                break;
-            case 'dns_pleskxml':
-                $proc_env['pleskxml_user'] = (string)$valObj->dns_pleskxml_user;
-                $proc_env['pleskxml_pass'] = (string)$valObj->dns_pleskxml_pass;
-                $proc_env['pleskxml_uri'] = (string)$valObj->dns_pleskxml_uri;
-                break;
-            case 'dns_schlundtech':
-                $proc_env['SCHLUNDTECH_USER'] = (string)$valObj->dns_schlundtech_user;
-                $proc_env['SCHLUNDTECH_PASSWORD'] = (string)$valObj->dns_schlundtech_password;
-                break;
-            case 'dns_selectel':
-                $proc_env['SL_Key'] = (string)$valObj->dns_sl_key;
-                break;
-            case 'dns_servercow':
-                $proc_env['SERVERCOW_API_Username'] = (string)$valObj->dns_servercow_username;
-                $proc_env['SERVERCOW_API_Password'] = (string)$valObj->dns_servercow_password;
-                break;
-            case 'dns_unoeuro':
-                $proc_env['UNO_Key'] = (string)$valObj->dns_uno_key;
-                $proc_env['UNO_User'] = (string)$valObj->dns_uno_user;
-                break;
-            case 'dns_variomedia':
-                $proc_env['VARIOMEDIA_API_TOKEN'] = (string)$valObj->dns_variomedia_key;
-                break;
-            case 'dns_vscale':
-                $proc_env['VSCALE_API_KEY'] = (string)$valObj->dns_vscale_key;
-                break;
-            case 'dns_yandex':
-                $proc_env['PDD_Token'] = (string)$valObj->dns_yandex_token;
-                break;
-            case 'dns_zilore':
-                $proc_env['Zilore_Key'] = (string)$valObj->dns_zilore_key;
-                break;
-            case 'dns_zonomi':
-                $proc_env['ZM_Key'] = (string)$valObj->dns_zm_key;
-                break;
-            default:
-                log_error("AcmeClient: invalid DNS-01 service specified: " . (string)$valObj->dns_service);
-                return(1);
-        }
-    }
-
-    // Prepare altNames
-    $altnames = "";
-
-    // Main domain: Use DNS alias mode for domain validation?
-    // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
-    if ($val_method == 'dns01') {
-        switch ((string)$certObj->aliasmode) {
-            case 'automatic':
-                $name = "_acme-challenge." . ltrim((string)$certObj->name, '*.');
-                if ($dst = dns_get_record($name, DNS_CNAME)) {
-                    $altnames .= "--domain-alias " . $dst[0]['target'] . " ";
-                }
-                break;
-            case 'domain':
-                $altnames .= "--domain-alias " . (string)$certObj->domainalias . " ";
-                break;
-            case 'challenge':
-                $altnames .= "--challenge-alias " . (string)$certObj->challengealias . " ";
-                break;
-        }
-    }
-
-    if (!empty((string)$certObj->altNames)) {
-        $_altnames = explode(",", (string)$certObj->altNames);
-        foreach (explode(",", (string)$certObj->altNames) as $altname) {
-            $altnames .= "--domain ${altname} ";
-
-            // altNames: Use DNS alias mode for domain validation?
-            // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
-            if ($val_method == 'dns01') {
-                switch ((string)$certObj->aliasmode) {
-                    case 'automatic':
-                        $name = "_acme-challenge." . ltrim($altname, '*.');
-                        if ($dst = dns_get_record($name, DNS_CNAME)) {
-                            $altnames .= "--domain-alias " . $dst[0]['target'] . " ";
-                        }
-                        break;
-                    case 'domain':
-                        $altnames .= "--domain-alias " . (string)$certObj->domainalias . " ";
-                        break;
-                    case 'challenge':
-                        $altnames .= "--challenge-alias " . (string)$certObj->challengealias . " ";
-                        break;
-                }
-            }
-        }
-    }
-
-    // Teach acme.sh about DNS API hook location
-    $proc_env['_SCRIPT_HOME'] = '/usr/local/share/examples/acme.sh';
-
-    // Get the chosen key length from xml and trim the parameter before passing to acme client
-    $key_length = (string) $certObj->keyLength;
-    $key_length = substr($key_length, 4);
-
-    if ($key_length == 'ec256' || $key_length == 'ec384') {
-        if ($acme_action == "renew") {
-            // if it's renew then pass --ecc to acme client to locate the correct cert directory
-            $acme_args[] = "--ecc";
-        }
-        $key_length = substr_replace($key_length, '-', 2, 0);
-    }
-
-    // if OCSP Extension is turned on pass --ocsp parameter to acme client
-    if (isset($certObj->ocsp) and ($certObj->ocsp == 1)) {
-        $acme_args[] = "--ocsp";
-    }
-
-    // Run acme client
-    // NOTE: We "export" certificates to our own directory, so we don't have to deal
-    // with domain names in filesystem, but instead can use the ID of our certObj.
-    $acmecmd = "/usr/local/sbin/acme.sh "
-      . implode(" ", $acme_args) . " "
-      . "--${acme_action} "
-      . "--days " . (string)$certObj->renewInterval . " "
-      . "--domain " . (string)$certObj->name . " "
-      . $altnames
-      . $acme_validation . " "
-      . "--home /var/etc/acme-client/home "
-      . "--keylength " . $key_length . " "
-      . "--accountconf " . $account_conf_file . " "
-      . "--certpath ${cert_filename} "
-      . "--keypath ${key_filename} "
-      . "--capath ${cert_chain_filename} "
-      . "--fullchainpath ${cert_fullchain_filename} "
-      . implode(" ", $acme_hook_options);
-    $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
-
-    // Make sure the resource could be setup properly
-    if (is_resource($proc)) {
-        // Close all pipes
-        fclose($proc_pipes[0]);
-        fclose($proc_pipes[1]);
-        fclose($proc_pipes[2]);
-        // Get exit code
-        $result = proc_close($proc);
-    } else {
-        log_error("AcmeClient: unable to start acme client process");
-        return(1);
-    }
-
-    // HTTP-01: flush OPNsense port forward rules
-    if (($val_method == 'http01') and ((string)$valObj->http_service == 'opnsense')) {
-        mwexec('/sbin/pfctl -a acme-client -F all');
-        // XXX: workaround to solve disconnection issues reported by some users
-        $response = $backend->configdRun('filter reload');
-    }
-
-    // Check validation result
-    if ($result) {
-        log_error("AcmeClient: domain validation failed");
-        return(1);
-    }
-
-    // Simply return acme clients exit code
-    return($result);
-}
-
-// Revoke a certificate.
-function revoke_cert($certObj, $valObj, $acctObj)
-{
-    // NOTE: Revocation will fail if additional domain names were added
-    // to the certificate after issue/renewal.
-
-    // Prepare optional parameters for acme-client
-    $acme_args = eval_optional_acme_args();
-
-    // Collect account information
-    $acme_env = (string)$modelObj->settings->environment;
-    $account_conf_dir = "/var/etc/acme-client/accounts/" . $acctObj->id . "_${acme_env}";
-    $account_conf_file = $account_conf_dir . "/account.conf";
-
-    // Generate certificate filenames
-    $cert_id = (string)$certObj->id;
-
-    // Check if EC certificate is used, if yes add the --ecc parameter to acme client
-    $key_length = (string) $certObj->keyLength;
-    $ecc_param =  " ";
-    if ($key_length == 'key_ec256' || $key_length == 'key_ec384') {
-        $ecc_param =  "--ecc";
-    }
-
-    // Run acme client
-    // NOTE: We "export" certificates to our own directory, so we don't have to deal
-    // with domain names in filesystem, but instead can use the ID of our certObj.
-    $acmecmd = "/usr/local/sbin/acme.sh "
-      . implode(" ", $acme_args) . " "
-      . "--revoke "
-      . "--domain " . (string)$certObj->name . " "
-      . "--home /var/etc/acme-client/home "
-      . "--accountconf " . $account_conf_file . " "
-      . $ecc_param;
-    $result = mwexec($acmecmd);
-
-    // Simply return acme clients exit code
-    return($result);
-}
-
-// Remove a cert from list of certs known to acme.sh.
-function remove_cert($certObj)
-{
-    // Prepare optional parameters for acme-client
-    $acme_args = eval_optional_acme_args();
-
-    // Generate certificate filenames
-    $cert_id = (string)$certObj->id;
-
-    // Check if EC certificate is used, if yes add the --ecc parameter to acme client
-    $key_length = (string) $certObj->keyLength;
-    $ecc_param =  " ";
-    if ($key_length == 'key_ec256' || $key_length == 'key_ec384') {
-        $ecc_param =  "--ecc";
-    }
-
-    // Run acme client
-    $acmecmd = "/usr/local/sbin/acme.sh "
-      . implode(" ", $acme_args) . " "
-      . "--remove "
-      . "--domain " . (string)$certObj->name . " "
-      . "--home /var/etc/acme-client/home "
-      . $ecc_param;
-    $result = mwexec($acmecmd);
-
-    $cert_files = [
-        "/var/etc/acme-client/keys/${cert_id}/private.key",
-        "/var/etc/acme-client/certs/${cert_id}/cert.pem",
-        "/var/etc/acme-client/certs/${cert_id}/chain.pem",
-        "/var/etc/acme-client/certs/${cert_id}/fullchain.pem",
-    ];
-
-    foreach ($cert_files as $_file) {
-        if (file_exists($_file)) {
-            unlink($_file);
-        }
-    }
-
-    // Simply return acme clients exit code
-    return($result);
-}
-
-function import_certificate($certObj, $modelObj)
-{
-    global $config;
-
-    $cert_id = (string)$certObj->id;
-    $cert_filename = "/var/etc/acme-client/certs/${cert_id}/cert.pem";
-    $cert_chain_filename = "/var/etc/acme-client/certs/${cert_id}/chain.pem";
-    $cert_fullchain_filename = "/var/etc/acme-client/certs/${cert_id}/fullchain.pem";
-    $key_filename = "/var/etc/acme-client/keys/${cert_id}/private.key";
-
-    // Check if certificate files can be found
-    clearstatcache(); // don't let the cache fool us
-    foreach (array($cert_filename, $key_filename, $cert_chain_filename, $cert_fullchain_filename) as $file) {
-        if (is_file($file)) {
-            // certificate file found
-        } else {
-            log_error("AcmeClient: unable to import certificate, file not found: ${file}");
-            return(1);
-        }
-    }
-
-    /*
-     * Step 1: import CA
-     */
-
-    // Read contents from CA file
-    $ca_content = @file_get_contents($cert_chain_filename);
-    if ($ca_content != false) {
-        $ca_subject = cert_get_subject($ca_content, false);
-        $ca_serial  = cert_get_serial($ca_content, false);
-        $ca_cn      = local_cert_get_cn($ca_content, false);
-        $ca_issuer  = cert_get_issuer($ca_content, false);
-        $ca_purpose = cert_get_purpose($ca_content, false);
-    } else {
-        log_error("AcmeClient: unable to read CA certificate content from file");
-        return(1);
-    }
-
-    // Prepare CA for import in Cert Manager
-    $ca = array();
-    $ca['crt'] = base64_encode($ca_content);
-    $ca['refid'] = uniqid();
-    $ca_found = false;
-
-    // Check if CA was previously imported
-    $cacnt = 0;
-    foreach ($config['ca'] as $cacrt) {
-        $cacrt_subject = cert_get_subject($cacrt['crt'], true);
-        $cacrt_issuer = cert_get_issuer($cacrt['crt'], true);
-        if (($ca_subject == $cacrt_subject) and ($ca_issuer == $cacrt_issuer)) {
-            // Use old refid instead of generating a new one
-            $ca['refid'] = (string)$cacrt['refid'];
-            $ca_found = true;
-            break;
-        }
-        $cacnt++;
-    }
-
-    // Collect required CA information
-    $ca_cn = local_cert_get_cn($ca_content, false);
-    $ca['descr'] = (string)$ca_cn . ' (Let\'s Encrypt)';
-
-    // Prepare CA for import
-    local_ca_import($ca, $ca_content);
-
-    // Update existing CA?
-    if ($ca_found == true) {
-        $config['ca'][$cacnt] = $ca;
-    } else {
-        // Create new CA item
-        $config['ca'][] = $ca;
-        log_error("AcmeClient: importing Let's Encrypt CA: ${ca_cn}");
-    }
-
-    /*
-     * Step 2: import certificate
-     */
-
-    // Read contents from certificate file
-    $cert_content = @file_get_contents($cert_filename);
-    if ($cert_content != false) {
-        $cert_subject = cert_get_subject($cert_content, false);
-        $cert_serial  = cert_get_serial($cert_content, false);
-        $cert_cn      = local_cert_get_cn($cert_content, false);
-        $cert_issuer  = cert_get_issuer($cert_content, false);
-        $cert_purpose = cert_get_purpose($cert_content, false);
-    } else {
-        log_error("AcmeClient: unable to read certificate content from file");
-        return(1);
-    }
-
-    // Prepare certificate for import in Cert Manager
-    $cert = array();
-    $cert_refid = uniqid();
-    $cert['refid'] = $cert_refid;
-    $cert['caref'] = (string)$ca['refid'];
-    $import_log_message = 'Imported';
-    $cert_found = false;
-
-    // Check if cert was previously imported
-    if (isset($certObj->certRefId)) {
-        // Check if the imported certificate can still be found
-        $configObj = Config::getInstance()->object();
-        foreach ($configObj->cert as $cfgCert) {
-            // Check if the IDs matches
-            if ((string)$certObj->certRefId == (string)$cfgCert->refid) {
-                $cert_found = true;
-                break;
-            }
-        }
-        // Existing cert?
-        if ($cert_found == true) {
-            // Use old refid instead of generating a new one
-            $cert_refid = (string)$certObj->certRefId;
-            $import_log_message = 'Updated';
-        }
-    } else {
-        // Not found. Just import as new cert.
-    }
-
-    // Read private key
-    $key_content = @file_get_contents($key_filename);
-    if ($key_content == false) {
-        log_error("AcmeClient: unable to read private key from file: ${key_filename}");
-        return(1);
-    }
-
-    // Collect required cert information
-    $cert_cn = local_cert_get_cn($cert_content, false);
-    $cert['descr'] = (string)$cert_cn . ' (Let\'s Encrypt)';
-    $cert['refid'] = $cert_refid;
-
-    // Prepare certificate for import
-    cert_import($cert, $cert_content, $key_content);
-
-    // Update existing certificate?
-    if ($cert_found == true) {
-        // FIXME: Do legacy configs really depend on counters?
-        $cnt = 0;
-        foreach ($config['cert'] as $crt) {
-            if ($crt['refid'] == $cert_refid) {
-                $config['cert'][$cnt] = $cert;
-                break;
-            }
-            $cnt++;
-        }
-    } else {
-        // Create new certificate item
-        $config['cert'][] = $cert;
-    }
-
-    /*
-     * Step 3: update configuration
-     */
-
-    // Write changes to config
-    // TODO: Legacy code, should be replaced with code from OPNsense framework
-    write_config("${import_log_message} Let's Encrypt X.509 certificate: ${cert_cn}");
-    log_error("AcmeClient: ${import_log_message} Let's Encrypt X.509 certificate: ${cert_cn}");
-
-    // Update (acme) certificate object (through MVC framework)
-    $uuid = $certObj->attributes()->uuid;
-    $node = $modelObj->getNodeByReference('certificates.certificate.' . $uuid);
-    if ($node != null) {
-        // Add refid to certObj
-        $node->certRefId = $cert_refid;
-        // Set update/create time
-        $node->lastUpdate = time();
-        // if node was found, serialize to config and save
-        $modelObj->serializeToConfig();
-        Config::getInstance()->save();
-        Config::getInstance()->forceReload();
-    } else {
-        log_error("AcmeClient: unable to update LE certificate object");
-        return(1);
-    }
-
-    return(0);
-}
-
-function run_restart_actions($certlist, $modelObj)
-{
-    global $config;
-    $return = 0;
-    $configObj = Config::getInstance()->object();
-
-    // Required to run pre-defined commands.
-    $backend = new Backend();
-
-    // NOTE: Do NOT run any automation twice, collect duplicates first.
-    $restart_actions = array();
-
-    // Check if there's something to do.
-    if (!empty($certlist) and is_array($certlist)) {
-        // Extract cert object
-        foreach ($certlist as $certObj) {
-            // Make sure the object is functional.
-            if (empty($certObj->id)) {
-                log_error("AcmeClient: failed to query certificate for automation");
-                continue;
-            }
-            // Extract automations
-            if (empty((string)$certObj->restartActions)) {
-                // No automations configured.
-                continue;
-            }
-            $_actions = explode(',', $certObj->restartActions);
-            // Walk through all linked automations.
-            foreach ($_actions as $_action) {
-                // Extract automations
-                $action = $modelObj->getByActionID($_action);
-                // Make sure the object is functional.
-                if ($action === null) {
-                    log_error("AcmeClient: failed to retrieve automations from certificate");
-                } else {
-                    // Ignore disabled automations (even if they are still
-                    // linked to a certificated).
-                    if ((string)$action->enabled === "0") {
-                        continue;
-                    }
-                    // Store by UUID, automatically eliminates duplicates.
-                    $_data = array();
-                    $_data['obj'] = $action;
-                    $_data['cert_id'] = $certObj->id;
-                    $restart_actions[$_action] = $_data;
-                }
-            }
-        }
-    }
-
-    // Run the collected automations.
-    if (!empty($restart_actions) and is_array($restart_actions)) {
-        // Extract cert object
-        foreach ($restart_actions as $_action) {
-            $action = $_action['obj'];
-            $cert_id = $_action['cert_id'];
-            $action_id = $action->id;
-            // Run pre-defined or custom command?
-            log_error("AcmeClient: running automation: " . $action->name);
-            switch ((string)$action->type) {
-                case 'restart_gui':
-                    $response = $backend->configdRun('webgui restart 2', true);
-                    break;
-                case 'restart_haproxy':
-                    $response = $backend->configdRun("haproxy restart");
-                    break;
-                case 'restart_nginx':
-                    $response = $backend->configdRun("nginx restart");
-                    break;
-                case 'upload_highwinds':
-                    $response = $backend->configdRun("acmeclient upload_highwinds ${cert_id} ${action_id}");
-                    break;
-                case 'upload_sftp':
-                    $response = $backend->configdRun("acmeclient upload-sftp ${cert_id} ${action_id}");
-                    break;
-                case 'configd':
-                    // Make sure a configd command was specified.
-                    if (empty((string)$action->configd)) {
-                        log_error("AcmeClient: no configd command specified for automation: " . $action->name);
-                        $result = '1';
-                    } else {
-                        $response = $backend->configdRun((string)$action->configd);
-                    }
-                    break;
-                default:
-                    log_error("AcmeClient: an invalid automation was specified: " . (string)$action->type);
-                    $return = 1;
-                    break;
-            }
-        }
-    }
-
-    return($return);
-}
-
-/* Update certificate object to log the status of the current acme run.
- * Supported status codes are:
- *   100     pending
- *   200     issue/renew OK
- *   250     certificate revoked
- *   300     configuration error (validation method, account, ...)
- *   400     issue/renew failed
- *   500     internal error (code issues, bad luck, unexpected errors, ...)
- * Feel free to add more status codes to make it more useful.
-*/
-function log_cert_acme_status($certObj, $modelObj, $statusCode)
-{
-    global $postponed_updates;
-
-    $uuid = $certObj->attributes()->uuid;
-    $node = $modelObj->getNodeByReference('certificates.certificate.' . $uuid);
-    if ($node != null) {
-        $postponed_updates[] = array(
-          'uuid' => (string)$uuid,
-          'statusCode' => $statusCode,
-          'statusLastUpdate' => time());
-    } else {
-        log_error("AcmeClient: unable to update acme status for certificate " . (string)$certObj->name);
-        return(1);
-    }
-}
-
-/* Write postponed certificate status updates to the configuration.
- * This workaround seems to fix the "Node no longer exists" error
- * that haunted us for quite some time.
-*/
-function dump_postponed_updates()
-{
-    global $postponed_updates;
-
-    $status_descr = [
-        100 => 'unknown',
-        200 => 'OK',
-        250 => 'cert revoked',
-        300 => 'configuration error',
-        400 => 'validation failed',
-        500 => 'internal error',
-    ];
-
-    $modelObj = new OPNsense\AcmeClient\AcmeClient();
-
-    foreach ($postponed_updates as $pupdate) {
-        $_statusCode = $pupdate['statusCode'];
-        $_uuid = $pupdate['uuid'];
-        $node = $modelObj->getNodeByReference('certificates.certificate.' . $_uuid);
-        if ($node != null) {
-            log_error("AcmeClient: storing status '" . $status_descr[$_statusCode] . "' for cert " . (string)$node->name);
-            $node->statusCode = $_statusCode;
-            $node->statusLastUpdate = $pupdate['statusLastUpdate'];
-            // serialize to config and save
-            $modelObj->serializeToConfig();
-            Config::getInstance()->save();
-            Config::getInstance()->forceReload();
-        } else {
-            log_error(sprintf("AcmeClient: failed to store status '%s' for cert %s: node not found", $status_descr[$_statusCode], $_uuid));
-        }
-    }
-}
-
-function run_shell_command($proc_cmd, $proc_env = array())
-{
-    $proc_desc = array(  // descriptor array for proc_open()
-        0 => array("pipe", "r"), // stdin
-        1 => array("pipe", "w"), // stdout
-        2 => array("pipe", "w")  // stderr
-    );
-    $proc_pipes = array();
-    $proc = proc_open($proc_cmd, $proc_desc, $proc_pipes, null, $proc_env);
-
-    // Make sure the resource could be setup properly
-    if (is_resource($proc)) {
-        // Close all pipes
-        fclose($proc_pipes[0]);
-        fclose($proc_pipes[1]);
-        fclose($proc_pipes[2]);
-        // Get exit code
-        $result = proc_close($proc);
-        log_error(sprintf("AcmeClient: The shell command '%s' returned exit code '%d'", $proc_cmd, $result));
-        return($result);
-    } else {
-        log_error(sprintf("AcmeClient: Unable to prepare shell command '%s'", $proc_cmd));
-        return(1);
-    }
-}
-
-// taken from certs.inc
-function local_cert_get_subject_array($str_crt, $decode = true)
-{
-    if ($decode) {
-        $str_crt = base64_decode($str_crt);
-    }
-    $inf_crt = openssl_x509_parse($str_crt);
-    $components = $inf_crt['subject'];
-
-    if (!is_array($components)) {
-        return;
-    }
-
-    $subject_array = array();
-
-    foreach ($components as $a => $v) {
-        $subject_array[] = array('a' => $a, 'v' => $v);
-    }
-
-    return $subject_array;
-}
-
-// taken from certs.inc
-function local_cert_get_cn($crt, $decode = true)
-{
-    $sub = local_cert_get_subject_array($crt, $decode);
-    if (is_array($sub)) {
-        foreach ($sub as $s) {
-            if (strtoupper($s['a']) == "CN") {
-                return $s['v'];
-            }
-        }
-    }
-    return "";
-}
-
-// taken from system_camanager.php
-function local_ca_import(&$ca, $str, $key = "", $serial = 0)
-{
-    global $config;
-
-    $ca['crt'] = base64_encode($str);
-    if (!empty($key)) {
-        $ca['prv'] = base64_encode($key);
-    }
-    if (!empty($serial)) {
-        $ca['serial'] = $serial;
-    }
-    $subject = cert_get_subject($str, false);
-    $issuer = cert_get_issuer($str, false);
-
-    // Find my issuer unless self-signed
-    if ($issuer != $subject) {
-        $issuer_crt =& lookup_ca_by_subject($issuer);
-        if ($issuer_crt) {
-            $ca['caref'] = $issuer_crt['refid'];
-        }
-    }
-
-    /* Correct if child certificate was loaded first */
-    if (is_array($config['ca'])) {
-        foreach ($config['ca'] as & $oca) {
-            $issuer = cert_get_issuer($oca['crt']);
-            if ($ca['refid'] != $oca['refid'] && $issuer == $subject) {
-                $oca['caref'] = $ca['refid'];
-            }
-        }
-    }
-    if (is_array($config['cert'])) {
-        foreach ($config['cert'] as & $cert) {
-            $issuer = cert_get_issuer($cert['crt']);
-            if ($issuer == $subject) {
-                $cert['caref'] = $ca['refid'];
-            }
-        }
-    }
-    return true;
-}
-
-function base64url_encode($str)
-{
-    return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
-}
-function base64url_decode($str)
-{
-    return base64_decode(str_pad(strtr($str, '-_', '+/'), strlen($str) % 4, '=', STR_PAD_RIGHT));
-}
-
-exit;
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
new file mode 100755
index 0000000000..0b47d933d3
--- /dev/null
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
@@ -0,0 +1,193 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall (derived from upload_sftp.php)
+ * Copyright (C) 2019 Juergen Kellerer
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// Import legacy code
+@include_once('config.inc');
+@include_once('certs.inc');
+@include_once('util.inc');
+
+// Import classes
+use OPNsense\AcmeClient\LeAccount;
+use OPNsense\AcmeClient\LeCertificate;
+
+// Summary that will be displayed in usage information.
+const ABOUT = <<<TXT
+
+This script acts as a bridge between the OPNsense WebGUI/API and the
+acme.sh Let's Encrypt client.
+
+TXT;
+
+// Supported modes and their help text
+const MODES = [
+    'issue' => [
+        'description' => 'issue or renew certificates',
+    ],
+    'import' => [
+        'description' => 're-import certificate into trust store',
+    ],
+    'revoke' => [
+        'description' => 'revoke the specified certificate',
+    ],
+    'remove' => [
+        'description' => 'remove all files and configuration for the specified certificate',
+    ],
+    'reset' => [
+        'description' => 'reset the specified certificate by removing it\'s private key',
+    ],
+    'automation' => [
+        'description' => 'run automations for the specified certificate',
+    ],
+    'register' => [
+        'description' => 'register the specified account with Lets Encrypt',
+    ],
+];
+
+// Supported command line options and their usage information.
+const STATIC_OPTIONS = <<<TXT
+-h, --help          Print commandline help
+--mode              Specify the mode of operation
+--cert              The certificate UUID when working with a single certificate
+--all               Work with ALL enabled certificates
+--account           The account UUID when working with an Lets Encrypt account
+--force             Force certain operations (i.e. renew)
+TXT;
+
+// Examples that will be display in usage information.
+const EXAMPLES = <<<TXT
+- Sign or renew the specified certificate
+  lecert.php --mode issue --cert 00000000-0000-0000-0000-000000000000
+
+- Sign or renew all certificates
+  lecert.php --mode issue --all
+
+- Run automations for a certificate
+  lecert.php --mode automation --cert 00000000-0000-0000-0000-000000000000
+
+- Re-import a certificate from filesystem if it was removed from Trust Store
+  lecert.php --mode import --cert 00000000-0000-0000-0000-000000000000
+
+- Completely remove a certificate (keeping the copy in Trust Store untouched)
+  lecert.php --mode remove --cert 00000000-0000-0000-0000-000000000000
+
+- When registering a new account with Lets Encrypt
+  lecert.php --mode register --account 00000000-0000-0000-0000-000000000000
+TXT;
+
+/**
+ * print help and usage information
+ */
+function help()
+{
+    echo ABOUT . PHP_EOL
+        . "Usage: " . basename($GLOBALS["argv"][0]) . " --mode MODE [options]" . PHP_EOL
+        . PHP_EOL . STATIC_OPTIONS . PHP_EOL;
+
+    echo PHP_EOL . 'Available modes:' . PHP_EOL;
+    foreach (MODES as $name => $options) {
+        echo "\"$name\" - {$options["description"]}" . PHP_EOL;
+    }
+
+    echo PHP_EOL . "Examples:" . PHP_EOL
+        . str_replace('/\r\n|\n|\r/g', PHP_EOL, EXAMPLES)
+        . PHP_EOL . PHP_EOL;
+}
+
+/**
+ * check if the specified mode is supported
+ */
+function validateMode($mode)
+{
+    $return = false;
+    foreach (MODES as $name => $options) {
+        if ($mode === $name) {
+            $return = true;
+            break;
+        }
+    }
+    return $return;
+}
+
+function main()
+{
+    // Parse command line arguments
+    $options = getopt('h', ['account:', 'all', 'cert:', 'force', 'help', 'mode:']);
+    $force = isset($options['force']) ? true : false;
+
+    // Verify mode and arguments
+    if (empty($options) || isset($options['h']) || isset($options['help']) ||
+        (isset($options['mode']) and !validateMode($options['mode']))) {
+         // Not enough or invalid arguments specified.
+         help();
+    } elseif (($options['mode'] === 'issue') && (isset($options['cert']) || isset($options['all']))) {
+        // Work on all or only on a single certificate
+        if (isset($options['all'])) {
+            // Iterate over all certificates
+            $config = OPNsense\Core\Config::getInstance()->object();
+            $acme = $config->OPNsense->AcmeClient;
+
+            // Iterate over all certificates
+            foreach ($acme->certificates->children() as $certCfg) {
+                $cert_uuid = (string)$certCfg->attributes()['uuid'];
+                $cert = new LeCertificate($cert_uuid, $force);
+                // NOTE: Disabled certificates are automatically ignored by LeCertificate.
+                $cert->issue();
+            }
+        } else {
+            // NOTE: Disabled certificates are automatically ignored by LeCertificate.
+            $cert = new LeCertificate($options['cert'], $force);
+            $cert->issue();
+        }
+    } elseif ($options['mode'] === 'import' && isset($options['cert'])) {
+        $cert = new LeCertificate($options['cert']);
+        $cert->import();
+    } elseif ($options['mode'] === 'revoke' && isset($options['cert'])) {
+        $cert = new LeCertificate($options['cert']);
+        $cert->revoke();
+    } elseif ($options['mode'] === 'remove' && isset($options['cert'])) {
+        $cert = new LeCertificate($options['cert']);
+        $cert->remove();
+    } elseif ($options['mode'] === 'reset' && isset($options['cert'])) {
+        $cert = new LeCertificate($options['cert']);
+        $cert->reset();
+    } elseif ($options['mode'] === 'automation' && isset($options['cert'])) {
+        $cert = new LeCertificate($options['cert']);
+        $cert->runAutomations();
+    } elseif ($options['mode'] === 'register' && isset($options['account'])) {
+        $account = new LeAccount($options['account']);
+        $account->register();
+    } else {
+        // Fallback to help
+        help();
+    }
+}
+
+// Run!
+main();
diff --git a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
index 6122512e0b..1b90696405 100644
--- a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
+++ b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
@@ -42,48 +42,54 @@ message:testing acme_http_challenge configuration
 ##########################################
 
 [sign-cert]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -F -a sign -c
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --force --cert
 parameters:%s
 type:script
 message:signing or renewing a certificate
 
 [revoke-cert]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a revoke -c
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode revoke --cert
 parameters:%s
 type:script
 message:revoking a certificate
 
 [remove-cert]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a remove -c
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode remove --cert
 parameters:%s
 type:script
 message:removing a certificate
 
 [remove-key]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a removekey -c
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode reset --cert
 parameters:%s
 type:script
 message:removing a certificate private key
 
 [sign-all-certs]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a sign -A
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all
 parameters:
 type:script
-message:signing or renewing a certificate
+message:signing or renewing all certificates
 
 [run-automation]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a automation -c
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode automation --cert
 parameters:%s
 type:script
 message:running automations for a certificate
 
 [cron-auto-renew]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php -a sign -A -C
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all
 parameters:
 type:script
 message:cronjob running to sign or renew certificates
 description:Renew Let's Encrypt certificates
 
+[register-account]
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode register --account
+parameters:%s
+type:script
+message:registering an account
+
 [upload_highwinds]
 command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_highwinds.php
 parameters:-c %s -a %s

From bacea2cdc82437920fe50b065787aac14a77dbb4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 14 Sep 2020 11:59:52 +0200
Subject: [PATCH 0210/3088] mail/postfix: as discussed

E-Mail address is welcome, real name also... GitHub link not good
for direct communication.
---
 .../Postfix/Api/HeaderchecksController.php    |  2 +-
 .../Postfix/HeaderchecksController.php        |  2 +-
 .../models/OPNsense/Postfix/Headerchecks.php  | 47 ++++++++--------
 .../views/OPNsense/Postfix/headerchecks.volt  | 53 +++++++++----------
 4 files changed, 53 insertions(+), 51 deletions(-)

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/HeaderchecksController.php b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/HeaderchecksController.php
index 0ff6e04f94..25e1f49b7e 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/HeaderchecksController.php
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/HeaderchecksController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+ * Copyright (C) 2020 Starkstromkonsument
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/HeaderchecksController.php b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/HeaderchecksController.php
index 8c42454d1e..ba4e6e7dd6 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/HeaderchecksController.php
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/HeaderchecksController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument> 
+ * Copyright (C) 2020 Starkstromkonsument
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.php b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.php
index c55a4646b0..be9da069a9 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.php
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.php
@@ -1,31 +1,34 @@
 <?php
 
+/*
+ * Copyright (C) 2020 Starkstromkonsument
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+  *ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
 namespace OPNsense\Postfix;
 
 use OPNsense\Base\BaseModel;
 
-/*
-    Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
-    All rights reserved.
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
 class Headerchecks extends BaseModel
 {
 }
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
index 320fb4fa07..c33b317d44 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
@@ -1,31 +1,30 @@
 {#
-
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
-Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ #
+ # Copyright (C) 2014-2017 Deciso B.V.
+ # Copyright (C) 2020 Starkstromkonsument
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <script>
 

From 7adcd3103504ea4aaf52987955e5012816546c98 Mon Sep 17 00:00:00 2001
From: fhloston <fhloston@users.noreply.github.com>
Date: Fri, 18 Sep 2020 12:17:11 +0200
Subject: [PATCH 0211/3088] =?UTF-8?q?Posfix:=20enable=20smtpd=5Fsasl=5Faut?=
 =?UTF-8?q?h=20when=20permit=5Fsasl=5Fauthenticated=20is=20sele=E2=80=A6?=
 =?UTF-8?q?=20(#1957)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../mvc/app/controllers/OPNsense/Postfix/forms/general.xml    | 1 +
 .../src/opnsense/service/templates/OPNsense/Postfix/main.cf   | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 008bd8eabe..7c76486158 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -212,6 +212,7 @@
         <id>general.permit_sasl_authenticated</id>
         <label>Permit SASL Authenticated</label>
         <type>checkbox</type>
+        <help>Allow SASL authenticated senders to relay. Will also enable smtpd_sasl_auth.</help>
     </field>
     <field>
         <id>general.permit_tls_clientcerts</id>
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 69f314b711..604fe9cc16 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -116,6 +116,10 @@ smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
 smtp_sasl_security_options =
 {% endif %}
 
+{% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}
+smtpd_sasl_auth_enable = yes
+{% endif %}
+
 {% if helpers.exists('OPNsense.postfix.antispam.enable_rspamd') and OPNsense.postfix.antispam.enable_rspamd == '1' %}
 smtpd_milters = inet:localhost:11332
 non_smtpd_milters = inet:localhost:11332

From fbc46e1a1309ca0100fadd95b0f00abc9f3a6460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Mon, 21 Sep 2020 08:35:06 +0200
Subject: [PATCH 0212/3088] Cicada/Vicuna Theme Updates (#2037)

---
 misc/theme-cicada/Makefile                    |  2 +-
 .../cicada/assets/stylesheets/main.scss       | 32 ++++++++++++++++-
 .../www/themes/cicada/build/css/main.css      | 30 +++++++++++++++-
 misc/theme-vicuna/Makefile                    |  2 +-
 .../vicuna/assets/stylesheets/main.scss       | 35 +++++++++++++++++--
 .../www/themes/vicuna/build/css/main.css      | 31 +++++++++++++++-
 6 files changed, 125 insertions(+), 7 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index e277f567ad..87ec5ec72f 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.24
+PLUGIN_VERSION=		1.25
 PLUGIN_COMMENT=		The cicada theme - dark grey
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index a5500f15d5..d301372af2 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -10577,7 +10577,7 @@ h3 {
   border: 1px solid #191919;
 }
 
-/*additional extensions for sensei*/
+/*additional extensions for sensei and more*/
 
 .preloader-wrapper {
   background-color: #202020 !important;
@@ -10732,3 +10732,33 @@ label.btn.au-target {
 .metric-table tbody > tr:last-child > td, .list-table tbody > tr:last-child > td {
   border-bottom: 1px solid #555 !important;
 }
+
+.phase1_tr td {
+  background-color: #262626 !important;
+}
+
+ul.jqtree-tree {
+  .jqtree-toggler {
+    &:hover {
+      color: #dd630d !important;
+    }
+
+    color: #fff !important;
+  }
+
+  .jqtree-title {
+    color: #9d9d9d !important;
+  }
+}
+
+.interface-table {
+  background-color: #242424 !important;
+}
+
+.modal-side-settings {
+  background-color: #2f2f2f !important;
+}
+
+[role="listbox"] {
+  border: 1px solid #191919 !important;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 5106d03a87..b7b43ef406 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -6462,7 +6462,7 @@ h3:hover, h3:focus {
   border: 1px solid #191919;
 }
 
-  /*additional extensions for sensei*/
+  /*additional extensions for sensei and more*/
 
 .preloader-wrapper {
   background-color: #202020 !important;
@@ -6587,3 +6587,31 @@ label.btn.au-target {
 .metric-table tbody > tr:last-child > td, .list-table tbody > tr:last-child > td {
   border-bottom: 1px solid #555 !important;
 }
+
+.phase1_tr td {
+  background-color: #262626 !important;
+}
+
+ul.jqtree-tree .jqtree-toggler:hover {
+  color:#dd630d !important;
+}
+
+ul.jqtree-tree .jqtree-toggler {
+  color:#fff !important;
+}
+
+ul.jqtree-tree .jqtree-title {
+  color:#9d9d9d !important;
+}
+
+.interface-table {
+  background-color: #242424 !important;
+}
+
+.modal-side-settings {
+  background-color: #2f2f2f !important;
+}
+
+[role="listbox"] {
+  border: 1px solid #191919 !important;
+}
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 7eb95b2e89..54ad416050 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		The vicuna theme - dark anthrazit
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 895ae74150..3b9c0f3c00 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -6202,7 +6202,7 @@ a:focus {
     }
 
     &.active > a {
-      color: #FFF;
+      color: #D77610;
       background-color: #393939;
       border-bottom-color: transparent;
       cursor: pointer;
@@ -6210,7 +6210,7 @@ a:focus {
       filter: alpha(opacity = 100);
 
       &:hover, &:focus {
-        color: #FFF;
+        color: #D77610;
         background-color: #393939;
         border-bottom-color: transparent;
         cursor: pointer;
@@ -10724,3 +10724,34 @@ label.btn.au-target {
 .ui-resizable-e {
   border-right: 1px solid #191919 !important;
 }
+
+.phase1_tr td {
+  background-color: #315a71 !important;
+}
+
+ul.jqtree-tree {
+  .jqtree-toggler {
+    &:hover {
+      color: #dd630d !important;
+    }
+
+    color: #fff !important;
+  }
+
+  .jqtree-title {
+    color: #9d9d9d !important;
+  }
+}
+
+.interface-table {
+  background-color: #172229 !important;
+  border: 0.1px solid #191919 !important;
+}
+
+.modal-side-settings {
+  background-color: #172229 !important;
+}
+
+[role="listbox"] {
+  border: 1px solid #191919 !important;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 5b774ffc69..26f7ddf241 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -3605,7 +3605,7 @@ tbody.collapse.in {
 	  cursor:pointer;}
 	.nav-tabs > li > a:hover {opacity: 0.8; filter: alpha(opacity=80);}
     .nav-tabs > li.active > a, .nav-tabs > li.active > a:hover, .nav-tabs > li.active > a:focus {
-      color: #FFF;
+      color: #D77610;
       background-color: #393939;
       border-bottom-color: transparent;
       cursor: pointer;
@@ -6543,3 +6543,32 @@ label.btn.au-target {
 .ui-resizable-e {
   border-right: 1px solid #191919 !important;
 }
+
+.phase1_tr td {
+  background-color: #315a71 !important;
+}
+
+ul.jqtree-tree .jqtree-toggler:hover {
+  color:#dd630d !important;
+}
+
+ul.jqtree-tree .jqtree-toggler {
+  color:#fff !important;
+}
+
+ul.jqtree-tree .jqtree-title {
+  color:#9d9d9d !important;
+}
+
+.interface-table {
+  background-color: #172229 !important;
+  border: 0.1px solid #191919 !important;
+}
+
+.modal-side-settings {
+  background-color: #172229 !important;
+}
+
+[role="listbox"] {
+  border: 1px solid #191919 !important;
+}

From 16e23ec856ff7f56e3f4ee9f40e561778d352fe2 Mon Sep 17 00:00:00 2001
From: Mark Keisler <mark@mitsein.net>
Date: Mon, 21 Sep 2020 03:13:42 -0500
Subject: [PATCH 0213/3088] Dnscryptproxy dnsbl.sh helper script fix for
 blocklistproject sites (#2039)

blocklistproject sites are formatted in two columns, the first column is
0.0.0.0 and teh second column is the domain to block.  Added an awk to
just get the list of sites.
---
 .../src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
index 4142f556e7..7f6153c238 100755
--- a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
+++ b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
@@ -122,21 +122,21 @@ stevenblack() {
 blocklistads() {
         # Blocklist.site Ads
         ${FETCH} https://blocklistproject.github.io/Lists/ads.txt -o ${WORKDIR}/blocklistads-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistads
+        sed "/\.$/d" ${WORKDIR}/blocklistads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | awk '{print $2}' > ${WORKDIR}/blocklistads
         rm ${WORKDIR}/blocklistads-raw
 }
 
 blocklistfraud() {
         # Blocklist.site Fraud
         ${FETCH} https://blocklistproject.github.io/Lists/fraud.txt -o ${WORKDIR}/blocklistfraud-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistfraud-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistfraud
+        sed "/\.$/d" ${WORKDIR}/blocklistfraud-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" |awk '{print $2}' > ${WORKDIR}/blocklistfraud
         rm ${WORKDIR}/blocklistfraud-raw
 }
 
 blocklistphishing() {
         # Blocklist.site Phishing
         ${FETCH} https://blocklistproject.github.io/Lists/phishing.txt -o ${WORKDIR}/blocklistphishing-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistphishing-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistphishing
+        sed "/\.$/d" ${WORKDIR}/blocklistphishing-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | awk '{print $2}' > ${WORKDIR}/blocklistphishing
         rm ${WORKDIR}/blocklistphishing-raw
 }
 

From c657592fa7feb3b968835cb2afc5c701ec73ad61 Mon Sep 17 00:00:00 2001
From: Steve Buzonas <steve@fancyguy.com>
Date: Tue, 22 Sep 2020 08:21:48 -0400
Subject: [PATCH 0214/3088] update bgp as-path command (#2032)

---
 .../src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index a92bad0041..9c75e0d822 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -175,7 +175,7 @@ ipv6 prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixl
 {%   if helpers.exists('OPNsense.quagga.bgp.aspaths.aspath') %}
 {%     for aspath in helpers.sortDictList(OPNsense.quagga.bgp.aspaths.aspath, 'number' ) %}
 {%       if aspath.enabled == '1' %}
-ip as-path access-list {{ aspath.number }} {{ aspath.action }} {{ aspath.as }}
+bgp as-path access-list {{ aspath.number }} {{ aspath.action }} {{ aspath.as }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}

From 424f8ab78a6d94a2a7236414ea75c2f473d95481 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Tue, 22 Sep 2020 14:50:14 +0200
Subject: [PATCH 0215/3088] Tukan Theme Updates (#2038)

---
 misc/theme-tukan/Makefile                     |     2 +-
 .../themes/tukan/assets/stylesheets/main.scss | 11501 +++++++++++-----
 .../www/themes/tukan/build/css/main.css       |    29 +-
 3 files changed, 7860 insertions(+), 3672 deletions(-)

diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 9862d84c2d..ef96f6a111 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.22
+PLUGIN_VERSION=		1.23
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
index db752ab72c..fffb043fd8 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
@@ -1,4 +1,5 @@
 @charset "UTF-8";
+
 .widgetdiv .content-box-head {
   background: #294c5f !important;
   color: #FFF !important;
@@ -7,289 +8,350 @@
   padding-right: 1px !important;
   padding-left: 5px !important;
   min-height: 25px !important;
-  border: 1px solid #fff; }
+  border: 1px solid #fff;
 
-  .widgetdiv .content-box-head .btn-group .btn {
+  .btn-group .btn {
     color: #FFFFFF !important;
     background: none;
-    border: 0px; }
-    .widgetdiv .content-box-head .btn-group .btn .glyphicon {
-      color: #FFFFFF !important; }
-  .widgetdiv .content-box-head .list-inline li > h3 {
-    padding-top: 4px; }
+    border: 0px;
+
+    .glyphicon {
+      color: #FFFFFF !important;
+    }
+  }
+
+  .list-inline li > h3 {
+    padding-top: 4px;
+  }
+}
 
 @font-face {
   font-family: 'SourceSansProBold';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype"); }
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype");
+}
+
 @font-face {
   font-family: 'SourceSansProSemibold';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype"); }
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype");
+}
+
 @font-face {
   font-family: 'SourceSansProRegular';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype"); }
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype");
+}
+
 /*! normalize.css v3.0.1 | MIT License | git.io/normalize */
-table
-html {
+
+table html {
   font-family: sans-serif;
   -ms-text-size-adjust: 100%;
-  -webkit-text-size-adjust: 100%; }
+  -webkit-text-size-adjust: 100%;
+}
 
 body {
-  margin: 0; }
-
-article,
-aside,
-details,
-figcaption,
-figure,
-footer,
-header,
-hgroup,
-main,
-nav,
-section,
-summary {
-  display: block; }
-
-audio,
-canvas,
-progress,
-video {
+  margin: 0;
+}
+
+article, aside, details, figcaption, figure, footer, header, hgroup, main, nav, section, summary {
+  display: block;
+}
+
+audio, canvas, progress, video {
   display: inline-block;
-  vertical-align: baseline; }
+  vertical-align: baseline;
+}
 
 audio:not([controls]) {
   display: none;
-  height: 0; }
+  height: 0;
+}
 
-[hidden],
-template {
-  display: none; }
+[hidden], template {
+  display: none;
+}
 
 a {
   color: #FF6C06;
   text-decoration: none;
   background: transparent;
-  outline: 0;  }
+  outline: 0;
 
-  a:link, a:active {
-	outline: 0; }
+  &:link, &:active {
+    outline: 0;
+  }
 
-  a:hover, a:focus {
+  &:hover, &:focus {
     color: #FF6C06;
-    text-decoration: underline; }
+    text-decoration: underline;
+  }
+}
 
 abbr[title] {
-  border-bottom: 1px dotted; }
+  border-bottom: 1px dotted;
+}
 
-b,
-strong {
-  font-weight: bold; }
+b, strong {
+  font-weight: bold;
+}
 
 dfn {
-  font-style: italic; }
+  font-style: italic;
+}
 
 h1 {
   font-size: 2em;
-  margin: 0.67em 0; }
+  margin: 0.67em 0;
+}
 
 mark {
   background: #ff0;
-  color: #000; }
+  color: #000;
+}
 
 small {
-  font-size: 80%; }
+  font-size: 80%;
+}
 
-sub,
-sup {
+sub {
   font-size: 75%;
   line-height: 0;
   position: relative;
-  vertical-align: baseline; }
+  vertical-align: baseline;
+}
 
 sup {
-  top: -0.5em; }
+  font-size: 75%;
+  line-height: 0;
+  position: relative;
+  vertical-align: baseline;
+  top: -0.5em;
+}
 
 sub {
-  bottom: -0.25em; }
+  bottom: -0.25em;
+}
 
 img {
-  border: 0; }
+  border: 0;
+}
 
 svg:not(:root) {
-  overflow: hidden; }
+  overflow: hidden;
+}
 
 figure {
-  margin: 1em 40px; }
+  margin: 1em 40px;
+}
 
 hr {
   -moz-box-sizing: content-box;
   box-sizing: content-box;
-  height: 0; }
+  height: 0;
+}
 
 pre {
-  overflow: auto; }
+  overflow: auto;
+}
 
-code,
-kbd,
-pre,
-samp {
+code, kbd, pre, samp {
   font-family: monospace, monospace;
-  font-size: 1em; }
+  font-size: 1em;
+}
 
-button,
-input,
-optgroup,
-select,
-textarea {
+button, input, optgroup, select, textarea {
   color: inherit;
   font: inherit;
-  margin: 0; }
+  margin: 0;
+}
 
 button {
-  overflow: visible; }
+  overflow: visible;
+  text-transform: none;
+}
 
-button,
 select {
-  text-transform: none; }
+  text-transform: none;
+}
 
-button,
-html input[type="button"],
-input[type="reset"],
-input[type="submit"] {
+button, html input[type="button"] {
   -webkit-appearance: button;
-  cursor: pointer; }
+  cursor: pointer;
+}
+
+input {
+  &[type="reset"], &[type="submit"] {
+    -webkit-appearance: button;
+    cursor: pointer;
+  }
+}
 
-button[disabled],
-html input[disabled] {
-  cursor: default; }
+button[disabled], html input[disabled] {
+  cursor: default;
+}
 
-button::-moz-focus-inner,
-input::-moz-focus-inner {
+button::-moz-focus-inner {
   border: 0;
-  padding: 0; }
+  padding: 0;
+}
 
 input {
-  line-height: normal; }
-
-input[type="checkbox"],
-input[type="radio"] {
-  box-sizing: border-box;
-  padding: 0; }
+  &::-moz-focus-inner {
+    border: 0;
+    padding: 0;
+  }
 
-input[type="number"]::-webkit-inner-spin-button,
-input[type="number"]::-webkit-outer-spin-button {
-  height: auto; }
+  line-height: normal;
 
-input[type="search"] {
-  -webkit-appearance: textfield;
-  -moz-box-sizing: content-box;
-  -webkit-box-sizing: content-box;
-  box-sizing: content-box; }
+  &[type="checkbox"], &[type="radio"] {
+    box-sizing: border-box;
+    padding: 0;
+  }
 
-input[type="search"]::-webkit-search-cancel-button,
-input[type="search"]::-webkit-search-decoration {
-  -webkit-appearance: none; }
+  &[type="number"] {
+    &::-webkit-inner-spin-button, &::-webkit-outer-spin-button {
+      height: auto;
+    }
+  }
+
+  &[type="search"] {
+    -webkit-appearance: textfield;
+    -moz-box-sizing: content-box;
+    -webkit-box-sizing: content-box;
+    box-sizing: content-box;
+
+    &::-webkit-search-cancel-button, &::-webkit-search-decoration {
+      -webkit-appearance: none;
+    }
+  }
+}
 
 fieldset {
   border: 1px solid #c0c0c0;
   margin: 0 2px;
-  padding: 0.35em 0.625em 0.75em; }
+  padding: 0.35em 0.625em 0.75em;
+}
 
 legend {
   border: 0;
-  padding: 0; }
+  padding: 0;
+}
 
 textarea {
-  overflow: auto; }
+  overflow: auto;
+}
 
 optgroup {
-  font-weight: bold; }
+  font-weight: bold;
+}
 
 table {
   border-collapse: none;
   border-spacing: 0;
   color: #000;
   background-color: #F0F0F0;
-  width: 100%; }
+  width: 100%;
+}
 
-td,
-th {
-  padding: 0;  }
+td, th {
+  padding: 0;
+}
 
 @media print {
   * {
     text-shadow: none !important;
     color: #000 !important;
     background: transparent !important;
-    box-shadow: none !important; }
+    box-shadow: none !important;
+  }
+
+  a {
+    text-decoration: underline;
 
-  a,
-  a:visited {
-    text-decoration: underline; }
+    &:visited {
+      text-decoration: underline;
+    }
 
-  a[href]:after {
-    content: " (" attr(href) ")"; }
+    &[href]:after {
+      content: " (" attr(href) ")";
+    }
+  }
 
   abbr[title]:after {
-    content: " (" attr(title) ")"; }
+    content: " (" attr(title) ")";
+  }
 
-  a[href^="javascript:"]:after,
-  a[href^="#"]:after {
-    content: ""; }
+  a {
+    &[href^="javascript:"]:after, &[href^="#"]:after {
+      content: "";
+    }
+  }
 
-  pre,
-  blockquote {
+  pre, blockquote {
     border: 1px solid #999;
-    page-break-inside: avoid; }
+    page-break-inside: avoid;
+  }
 
   thead {
-    display: table-header-group; }
+    display: table-header-group;
+  }
 
-  tr,
-  img {
-    page-break-inside: avoid; }
+  tr {
+    page-break-inside: avoid;
+  }
 
   img {
-    max-width: 100% !important; }
+    page-break-inside: avoid;
+    max-width: 100% !important;
+  }
 
-  p,
-  h2,
-  h3 {
+  p, h2, h3 {
     orphans: 3;
-    widows: 3; }
+    widows: 3;
+  }
 
-  h2,
-  h3 {
-    page-break-after: avoid; }
+  h2, h3 {
+    page-break-after: avoid;
+  }
 
   select {
-    background: #fff !important; }
+    background: #fff !important;
+  }
 
   .navbar {
-    display: none; }
+    display: none;
+  }
 
-  .table td,
-  .table th {
-    background-color: #fff !important; }
+  .table {
+    td, th {
+      background-color: #fff !important;
+    }
+  }
 
-  .btn > .caret,
-  .dropup > .btn > .caret {
-    border-top-color: #000 !important; }
+  .btn > .caret, .dropup > .btn > .caret {
+    border-top-color: #000 !important;
+  }
 
   .label {
-    border: 1px solid #000; }
+    border: 1px solid #000;
+  }
 
   .table {
-    border-collapse: collapse !important; }
+    border-collapse: collapse !important;
+  }
+
+  .table-bordered {
+    th, td {
+      border: 1px solid #ddd !important;
+    }
+  }
+}
 
-  .table-bordered th,
-  .table-bordered td {
-    border: 1px solid #ddd !important; } }
 @font-face {
   font-family: 'Glyphicons Halflings';
   src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot");
-  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg"); }
+  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg");
+}
+
 .glyphicon {
   position: relative;
   top: 1px;
@@ -299,628 +361,831 @@ th {
   font-weight: normal;
   line-height: 1;
   -webkit-font-smoothing: antialiased;
-  -moz-osx-font-smoothing: grayscale; }
+  -moz-osx-font-smoothing: grayscale;
+}
 
 .glyphicon-asterisk:before {
-  content: "\2a"; }
+  content: "\2a";
+}
 
 .glyphicon-plus:before {
-  content: "\2b"; }
+  content: "\2b";
+}
 
 .glyphicon-euro:before {
-  content: "\20ac"; }
+  content: "\20ac";
+}
 
 .glyphicon-minus:before {
-  content: "\2212"; }
+  content: "\2212";
+}
 
 .glyphicon-cloud:before {
-  content: "\2601"; }
+  content: "\2601";
+}
 
 .glyphicon-envelope:before {
-  content: "\2709"; }
+  content: "\2709";
+}
 
 .glyphicon-pencil:before {
-  content: "\270f"; }
+  content: "\270f";
+}
 
 .glyphicon-glass:before {
-  content: "\e001"; }
+  content: "\e001";
+}
 
 .glyphicon-music:before {
-  content: "\e002"; }
+  content: "\e002";
+}
 
 .icon.glyphicon.input-group-addon.glyphicon-search:before, .glyphicon-search:before {
   content: "\e003";
-  color: #FFF !important; }
+  color: #FFF !important;
+}
 
 .glyphicon-heart:before {
-  content: "\e005"; }
+  content: "\e005";
+}
 
 .glyphicon-star:before {
-  content: "\e006"; }
+  content: "\e006";
+}
 
 .glyphicon-star-empty:before {
-  content: "\e007"; }
+  content: "\e007";
+}
 
 .glyphicon-user:before {
-  content: "\e008"; }
+  content: "\e008";
+}
 
 .glyphicon-film:before {
-  content: "\e009"; }
+  content: "\e009";
+}
 
 .glyphicon-th-large:before {
-  content: "\e010"; }
+  content: "\e010";
+}
 
 .glyphicon-th:before {
-  content: "\e011"; }
+  content: "\e011";
+}
 
 .glyphicon-th-list:before {
-  content: "\e012"; }
+  content: "\e012";
+}
 
 .glyphicon-ok:before {
-  content: "\e013"; }
+  content: "\e013";
+}
 
 .glyphicon-remove:before {
-  content: "\e014"; }
+  content: "\e014";
+}
 
 .glyphicon-zoom-in:before {
-  content: "\e015"; }
+  content: "\e015";
+}
 
 .glyphicon-zoom-out:before {
-  content: "\e016"; }
+  content: "\e016";
+}
 
 .glyphicon-off:before {
-  content: "\e017"; }
+  content: "\e017";
+}
 
 .glyphicon-signal:before {
-  content: "\e018"; }
+  content: "\e018";
+}
 
 .glyphicon-cog:before {
-  content: "\e019"; }
+  content: "\e019";
+}
 
 .glyphicon-trash:before {
-  content: "\e020"; }
+  content: "\e020";
+}
 
 .glyphicon-home:before {
-  content: "\e021"; }
+  content: "\e021";
+}
 
 .glyphicon-file:before {
-  content: "\e022"; }
+  content: "\e022";
+}
 
 .glyphicon-time:before {
-  content: "\e023"; }
+  content: "\e023";
+}
 
 .glyphicon-road:before {
-  content: "\e024"; }
+  content: "\e024";
+}
 
 .glyphicon-download-alt:before {
-  content: "\e025"; }
+  content: "\e025";
+}
 
 .glyphicon-download:before {
-  content: "\e026"; }
+  content: "\e026";
+}
 
 .glyphicon-upload:before {
-  content: "\e027"; }
+  content: "\e027";
+}
 
 .glyphicon-inbox:before {
-  content: "\e028"; }
+  content: "\e028";
+}
 
 .glyphicon-play-circle:before {
-  content: "\e029"; }
+  content: "\e029";
+}
 
 .glyphicon-repeat:before {
-  content: "\e030"; }
+  content: "\e030";
+}
 
 .glyphicon-refresh:before {
-  content: "\e031"; }
+  content: "\e031";
+}
 
 .glyphicon-list-alt:before {
-  content: "\e032"; }
+  content: "\e032";
+}
 
 .glyphicon-lock:before {
-  content: "\e033"; }
+  content: "\e033";
+}
 
 .glyphicon-flag:before {
-  content: "\e034"; }
+  content: "\e034";
+}
 
 .glyphicon-headphones:before {
-  content: "\e035"; }
+  content: "\e035";
+}
 
 .glyphicon-volume-off:before {
-  content: "\e036"; }
+  content: "\e036";
+}
 
 .glyphicon-volume-down:before {
-  content: "\e037"; }
+  content: "\e037";
+}
 
 .glyphicon-volume-up:before {
-  content: "\e038"; }
+  content: "\e038";
+}
 
 .glyphicon-qrcode:before {
-  content: "\e039"; }
+  content: "\e039";
+}
 
 .glyphicon-barcode:before {
-  content: "\e040"; }
+  content: "\e040";
+}
 
 .glyphicon-tag:before {
-  content: "\e041"; }
+  content: "\e041";
+}
 
 .glyphicon-tags:before {
-  content: "\e042"; }
+  content: "\e042";
+}
 
 .glyphicon-book:before {
-  content: "\e043"; }
+  content: "\e043";
+}
 
 .glyphicon-bookmark:before {
-  content: "\e044"; }
+  content: "\e044";
+}
 
 .glyphicon-print:before {
-  content: "\e045"; }
+  content: "\e045";
+}
 
 .glyphicon-camera:before {
-  content: "\e046"; }
+  content: "\e046";
+}
 
 .glyphicon-font:before {
-  content: "\e047"; }
+  content: "\e047";
+}
 
 .glyphicon-bold:before {
-  content: "\e048"; }
+  content: "\e048";
+}
 
 .glyphicon-italic:before {
-  content: "\e049"; }
+  content: "\e049";
+}
 
 .glyphicon-text-height:before {
-  content: "\e050"; }
+  content: "\e050";
+}
 
 .glyphicon-text-width:before {
-  content: "\e051"; }
+  content: "\e051";
+}
 
 .glyphicon-align-left:before {
-  content: "\e052"; }
+  content: "\e052";
+}
 
 .glyphicon-align-center:before {
-  content: "\e053"; }
+  content: "\e053";
+}
 
 .glyphicon-align-right:before {
-  content: "\e054"; }
+  content: "\e054";
+}
 
 .glyphicon-align-justify:before {
-  content: "\e055"; }
+  content: "\e055";
+}
 
 .glyphicon-list:before {
-  content: "\e056"; }
+  content: "\e056";
+}
 
 .glyphicon-indent-left:before {
-  content: "\e057"; }
+  content: "\e057";
+}
 
 .glyphicon-indent-right:before {
-  content: "\e058"; }
+  content: "\e058";
+}
 
 .glyphicon-facetime-video:before {
-  content: "\e059"; }
+  content: "\e059";
+}
 
 .glyphicon-picture:before {
-  content: "\e060"; }
+  content: "\e060";
+}
 
 .glyphicon-map-marker:before {
-  content: "\e062"; }
+  content: "\e062";
+}
 
 .glyphicon-adjust:before {
-  content: "\e063"; }
+  content: "\e063";
+}
 
 .glyphicon-tint:before {
-  color:#3F0;
-  content: "\e064"; }
+  color: #3F0;
+  content: "\e064";
+}
 
 .glyphicon-edit:before {
-  content: "\e065"; }
+  content: "\e065";
+}
 
 .glyphicon-share:before {
-  content: "\e066"; }
+  content: "\e066";
+}
 
 .glyphicon-check:before {
-  content: "\e067"; }
+  content: "\e067";
+}
 
 .glyphicon-move:before {
-  content: "\e068"; }
+  content: "\e068";
+}
 
 .glyphicon-step-backward:before {
-  content: "\e069"; }
+  content: "\e069";
+}
 
 .glyphicon-fast-backward:before {
-  content: "\e070"; }
+  content: "\e070";
+}
 
 .glyphicon-backward:before {
-  content: "\e071"; }
+  content: "\e071";
+}
 
 .glyphicon-play:before {
-  content: "\e072"; }
+  content: "\e072";
+}
 
 .glyphicon-pause:before {
-  content: "\e073"; }
+  content: "\e073";
+}
 
 .glyphicon-stop:before {
-  content: "\e074"; }
+  content: "\e074";
+}
 
 .glyphicon-forward:before {
-  content: "\e075"; }
+  content: "\e075";
+}
 
 .glyphicon-fast-forward:before {
-  content: "\e076"; }
+  content: "\e076";
+}
 
 .glyphicon-step-forward:before {
-  content: "\e077"; }
+  content: "\e077";
+}
 
 .glyphicon-eject:before {
-  content: "\e078"; }
+  content: "\e078";
+}
 
 .glyphicon-chevron-left:before {
-  content: "\e079"; }
+  content: "\e079";
+}
 
 .glyphicon-chevron-right:before {
-  content: "\e080"; }
+  content: "\e080";
+}
 
 .glyphicon-plus-sign:before {
-  content: "\e081"; }
+  content: "\e081";
+}
 
 .glyphicon-minus-sign:before {
-  content: "\e082"; }
+  content: "\e082";
+}
 
 .glyphicon-remove-sign:before {
-  content: "\e083"; }
+  content: "\e083";
+}
 
 .glyphicon-ok-sign:before {
-  content: "\e084"; }
+  content: "\e084";
+}
 
 .glyphicon-question-sign:before {
-  content: "\e085"; }
+  content: "\e085";
+}
 
 .glyphicon-info-sign:before {
-  content: "\e086"; }
+  content: "\e086";
+}
 
 .glyphicon-screenshot:before {
-  content: "\e087"; }
+  content: "\e087";
+}
 
 .glyphicon-remove-circle:before {
-  content: "\e088"; }
+  content: "\e088";
+}
 
 .glyphicon-ok-circle:before {
-  content: "\e089"; }
+  content: "\e089";
+}
 
 .glyphicon-ban-circle:before {
-  content: "\e090"; }
+  content: "\e090";
+}
 
 .glyphicon-arrow-left:before {
-  content: "\e091"; }
+  content: "\e091";
+}
 
 .glyphicon-arrow-right:before {
-  content: "\e092"; }
+  content: "\e092";
+}
 
 .glyphicon-arrow-up:before {
   content: "\e093";
-  color: #4FB654 !important; }
+  color: #4FB654 !important;
+}
 
 .glyphicon-arrow-down:before {
   content: "\e094";
-  color: #FF5E3B !important; }
+  color: #FF5E3B !important;
+}
 
 .glyphicon-share-alt:before {
-  content: "\e095"; }
+  content: "\e095";
+}
 
 .glyphicon-resize-full:before {
-  content: "\e096"; }
+  content: "\e096";
+}
 
 .glyphicon-resize-small:before {
-  content: "\e097"; }
+  content: "\e097";
+}
 
 .glyphicon-exclamation-sign:before {
-  content: "\e101"; }
+  content: "\e101";
+}
 
 .glyphicon-gift:before {
-  content: "\e102"; }
+  content: "\e102";
+}
 
 .glyphicon-leaf:before {
-  content: "\e103"; }
+  content: "\e103";
+}
 
 .glyphicon-fire:before {
-  content: "\e104"; }
+  content: "\e104";
+}
 
 .glyphicon-eye-open:before {
-  content: "\e105"; }
+  content: "\e105";
+}
 
 .glyphicon-eye-close:before {
-  content: "\e106"; }
+  content: "\e106";
+}
 
 .glyphicon-warning-sign:before {
-  content: "\e107"; }
+  content: "\e107";
+}
 
 .glyphicon-plane:before {
-  content: "\e108"; }
+  content: "\e108";
+}
 
 .glyphicon-calendar:before {
-  content: "\e109"; }
+  content: "\e109";
+}
 
 .glyphicon-random:before {
-  content: "\e110"; }
+  content: "\e110";
+}
 
 .glyphicon-comment:before {
-  content: "\e111"; }
+  content: "\e111";
+}
 
 .glyphicon-magnet:before {
-  content: "\e112"; }
+  content: "\e112";
+}
 
 .glyphicon-chevron-up:before {
-  content: "\e113"; }
+  content: "\e113";
+}
 
 .glyphicon-chevron-down:before {
-  content: "\e114"; }
+  content: "\e114";
+}
 
 .glyphicon-retweet:before {
-  content: "\e115"; }
+  content: "\e115";
+}
 
 .glyphicon-shopping-cart:before {
-  content: "\e116"; }
+  content: "\e116";
+}
 
 .glyphicon-folder-close:before {
-  content: "\e117"; }
+  content: "\e117";
+}
 
 .glyphicon-folder-open:before {
-  content: "\e118"; }
+  content: "\e118";
+}
 
 .glyphicon-resize-vertical:before {
-  content: "\e119"; }
+  content: "\e119";
+}
 
 .glyphicon-resize-horizontal:before {
-  content: "\e120"; }
+  content: "\e120";
+}
 
 .glyphicon-hdd:before {
-  content: "\e121"; }
+  content: "\e121";
+}
 
 .glyphicon-bullhorn:before {
-  content: "\e122"; }
+  content: "\e122";
+}
 
 .glyphicon-bell:before {
-  content: "\e123"; }
+  content: "\e123";
+}
 
 .glyphicon-certificate:before {
-  content: "\e124"; }
+  content: "\e124";
+}
 
 .glyphicon-thumbs-up:before {
-  content: "\e125"; }
+  content: "\e125";
+}
 
 .glyphicon-thumbs-down:before {
-  content: "\e126"; }
+  content: "\e126";
+}
 
 .glyphicon-hand-right:before {
-  content: "\e127"; }
+  content: "\e127";
+}
 
 .glyphicon-hand-left:before {
-  content: "\e128"; }
+  content: "\e128";
+}
 
 .glyphicon-hand-up:before {
-  content: "\e129"; }
+  content: "\e129";
+}
 
 .glyphicon-hand-down:before {
-  content: "\e130"; }
+  content: "\e130";
+}
 
 .glyphicon-circle-arrow-right:before {
-  content: "\e131"; }
+  content: "\e131";
+}
 
 .glyphicon-circle-arrow-left:before {
-  content: "\e132"; }
+  content: "\e132";
+}
 
 .glyphicon-circle-arrow-up:before {
-  content: "\e133"; }
+  content: "\e133";
+}
 
 .glyphicon-circle-arrow-down:before {
-  content: "\e134"; }
+  content: "\e134";
+}
 
 .glyphicon-globe:before {
-  content: "\e135"; }
+  content: "\e135";
+}
 
 .glyphicon-wrench:before {
-  content: "\e136"; }
+  content: "\e136";
+}
 
 .glyphicon-tasks:before {
-  content: "\e137"; }
+  content: "\e137";
+}
 
 .glyphicon-filter:before {
-  content: "\e138"; }
+  content: "\e138";
+}
 
 .glyphicon-briefcase:before {
-  content: "\e139"; }
+  content: "\e139";
+}
 
 .glyphicon-fullscreen:before {
-  content: "\e140"; }
+  content: "\e140";
+}
 
 .glyphicon-dashboard:before {
-  content: "\e141"; }
+  content: "\e141";
+}
 
 .glyphicon-paperclip:before {
-  content: "\e142"; }
+  content: "\e142";
+}
 
 .glyphicon-heart-empty:before {
-  content: "\e143"; }
+  content: "\e143";
+}
 
 .glyphicon-link:before {
-  content: "\e144"; }
+  content: "\e144";
+}
 
 .glyphicon-phone:before {
-  content: "\e145"; }
+  content: "\e145";
+}
 
 .glyphicon-pushpin:before {
-  content: "\e146"; }
+  content: "\e146";
+}
 
 .glyphicon-usd:before {
-  content: "\e148"; }
+  content: "\e148";
+}
 
 .glyphicon-gbp:before {
-  content: "\e149"; }
+  content: "\e149";
+}
 
 .glyphicon-sort:before {
-  content: "\e150"; }
+  content: "\e150";
+}
 
 .glyphicon-sort-by-alphabet:before {
-  content: "\e151"; }
+  content: "\e151";
+}
 
 .glyphicon-sort-by-alphabet-alt:before {
-  content: "\e152"; }
+  content: "\e152";
+}
 
 .glyphicon-sort-by-order:before {
-  content: "\e153"; }
+  content: "\e153";
+}
 
 .glyphicon-sort-by-order-alt:before {
-  content: "\e154"; }
+  content: "\e154";
+}
 
 .glyphicon-sort-by-attributes:before {
-  content: "\e155"; }
+  content: "\e155";
+}
 
 .glyphicon-sort-by-attributes-alt:before {
-  content: "\e156"; }
+  content: "\e156";
+}
 
 .glyphicon-unchecked:before {
-  content: "\e157"; }
+  content: "\e157";
+}
 
 .glyphicon-expand:before {
-  content: "\e158"; }
+  content: "\e158";
+}
 
 .glyphicon-collapse-down:before {
-  content: "\e159"; }
+  content: "\e159";
+}
 
 .glyphicon-collapse-up:before {
-  content: "\e160"; }
+  content: "\e160";
+}
 
 .glyphicon-log-in:before {
-  content: "\e161"; }
+  content: "\e161";
+}
 
 .glyphicon-flash:before {
-  content: "\e162"; }
+  content: "\e162";
+}
 
 .glyphicon-log-out:before {
-  content: "\e163"; }
+  content: "\e163";
+}
 
 .glyphicon-new-window:before {
-  content: "\e164"; }
+  content: "\e164";
+}
 
 .glyphicon-record:before {
-  content: "\e165"; }
+  content: "\e165";
+}
 
 .glyphicon-save:before {
-  content: "\e166"; }
+  content: "\e166";
+}
 
 .glyphicon-open:before {
-  content: "\e167"; }
+  content: "\e167";
+}
 
 .glyphicon-saved:before {
-  content: "\e168"; }
+  content: "\e168";
+}
 
 .glyphicon-import:before {
-  content: "\e169"; }
+  content: "\e169";
+}
 
 .glyphicon-export:before {
-  content: "\e170"; }
+  content: "\e170";
+}
 
 .glyphicon-send:before {
-  content: "\e171"; }
+  content: "\e171";
+}
 
 .glyphicon-floppy-disk:before {
-  content: "\e172"; }
+  content: "\e172";
+}
 
 .glyphicon-floppy-saved:before {
-  content: "\e173"; }
+  content: "\e173";
+}
 
 .glyphicon-floppy-remove:before {
-  content: "\e174"; }
+  content: "\e174";
+}
 
 .glyphicon-floppy-save:before {
-  content: "\e175"; }
+  content: "\e175";
+}
 
 .glyphicon-floppy-open:before {
-  content: "\e176"; }
+  content: "\e176";
+}
 
 .glyphicon-credit-card:before {
-  content: "\e177"; }
+  content: "\e177";
+}
 
 .glyphicon-transfer:before {
   content: "\e178";
-  color:#4FB654 !important; }
+  color: #4FB654 !important;
+}
 
 .glyphicon-cutlery:before {
-  content: "\e179"; }
+  content: "\e179";
+}
 
 .glyphicon-header:before {
-  content: "\e180"; }
+  content: "\e180";
+}
 
 .glyphicon-compressed:before {
-  content: "\e181"; }
+  content: "\e181";
+}
 
 .glyphicon-earphone:before {
-  content: "\e182"; }
+  content: "\e182";
+}
 
 .glyphicon-phone-alt:before {
-  content: "\e183"; }
+  content: "\e183";
+}
 
 .glyphicon-tower:before {
-  content: "\e184"; }
+  content: "\e184";
+}
 
 .glyphicon-stats:before {
-  content: "\e185"; }
+  content: "\e185";
+}
 
 .glyphicon-sd-video:before {
-  content: "\e186"; }
+  content: "\e186";
+}
 
 .glyphicon-hd-video:before {
-  content: "\e187"; }
+  content: "\e187";
+}
 
 .glyphicon-subtitles:before {
-  content: "\e188"; }
+  content: "\e188";
+}
 
 .glyphicon-sound-stereo:before {
-  content: "\e189"; }
+  content: "\e189";
+}
 
 .glyphicon-sound-dolby:before {
-  content: "\e190"; }
+  content: "\e190";
+}
 
 .glyphicon-sound-5-1:before {
-  content: "\e191"; }
+  content: "\e191";
+}
 
 .glyphicon-sound-6-1:before {
-  content: "\e192"; }
+  content: "\e192";
+}
 
 .glyphicon-sound-7-1:before {
-  content: "\e193"; }
+  content: "\e193";
+}
 
 .glyphicon-copyright-mark:before {
-  content: "\e194"; }
+  content: "\e194";
+}
 
 .glyphicon-registration-mark:before {
-  content: "\e195"; }
+  content: "\e195";
+}
 
 .glyphicon-cloud-download:before {
-  content: "\e197"; }
+  content: "\e197";
+}
 
 .glyphicon-cloud-upload:before {
-  content: "\e198"; }
+  content: "\e198";
+}
 
 .glyphicon-tree-conifer:before {
-  content: "\e199"; }
+  content: "\e199";
+}
 
 .glyphicon-tree-deciduous:before {
-  content: "\e200"; }
+  content: "\e200";
+}
 
 * {
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
   box-sizing: border-box;
-  text-decoration:none;}
+  text-decoration: none;
 
-*:before,
-*:after {
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box; }
+  &:before, &:after {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
+  }
+}
 
 html {
   font-size: 10px;
-  -webkit-tap-highlight-color: transparent; }
+  -webkit-tap-highlight-color: transparent;
+}
 
 body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
@@ -929,28 +1194,30 @@ body {
   color: #000;
 }
 
-input,
-button,
-select,
-textarea {
+input, button, select, textarea {
   font-family: inherit;
   font-size: inherit;
-  line-height: inherit; }
+  line-height: inherit;
+}
 
 figure {
-  margin: 0; }
+  margin: 0;
+}
 
 img {
-  vertical-align: middle; }
+  vertical-align: middle;
+}
 
 .img-responsive {
   display: block;
   width: 100% \9;
   max-width: 100%;
-  height: auto; }
+  height: auto;
+}
 
 .img-rounded {
-  border-radius: 6px; }
+  border-radius: 6px;
+}
 
 .img-thumbnail {
   padding: 4px;
@@ -964,16 +1231,19 @@ img {
   display: inline-block;
   width: 100% \9;
   max-width: 100%;
-  height: auto; }
+  height: auto;
+}
 
 .img-circle {
-  border-radius: 50%; }
+  border-radius: 50%;
+}
 
 hr {
   margin-top: 20px;
   margin-bottom: 20px;
   border: 0;
-  border-top: 1px solid #eeeeee; }
+  border-top: 1px solid #eeeeee;
+}
 
 .sr-only {
   position: absolute;
@@ -983,335 +1253,553 @@ hr {
   padding: 0;
   overflow: hidden;
   clip: rect(0, 0, 0, 0);
-  border: 0; }
-
-.sr-only-focusable:active, .sr-only-focusable:focus {
-  position: static;
-  width: auto;
-  height: auto;
-  margin: 0;
-  overflow: visible;
-  clip: auto; }
+  border: 0;
+}
 
+.sr-only-focusable {
+  &:active, &:focus {
+    position: static;
+    width: auto;
+    height: auto;
+    margin: 0;
+    overflow: visible;
+    clip: auto;
+  }
+}
 
-h1, h2, h3, h4, h5, h6,
-.h1, .h2, .h3, .h4, .h5, .h6 {
+h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
   font-family: "SourceSansProSemiBold";
   font-weight: 100;
   line-height: 1.4;
-  color: inherit; }
-  h1 small,
-  h1 .small, h2 small,
-  h2 .small, h3 small,
-  h3 .small, h4 small,
-  h4 .small, h5 small,
-  h5 .small, h6 small,
-  h6 .small,
-  .h1 small,
-  .h1 .small, .h2 small,
-  .h2 .small, .h3 small,
-  .h3 .small, .h4 small,
-  .h4 .small, .h5 small,
-  .h5 .small, .h6 small,
-  .h6 .small {
+  color: inherit;
+}
+
+h1 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h2 {
+  small, .small {
     font-weight: normal;
     line-height: 1;
-    color: #b6b6b6; }
+    color: #b6b6b6;
+  }
+}
 
-h1, .h1,
-h2, .h2,
-h3, .h3 {
+h3 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h4 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h5 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h6 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h1 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h2 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h3 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h4 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h5 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h6 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h1, .h1, h2, .h2, h3, .h3 {
   margin-top: 20px;
-  margin-bottom: 10px; }
-  h1 small,
-  h1 .small, .h1 small,
-  .h1 .small,
-  h2 small,
-  h2 .small, .h2 small,
-  .h2 .small,
-  h3 small,
-  h3 .small, .h3 small,
-  .h3 .small {
-    font-size: 65%; }
-
-h4, .h4,
-h5, .h5,
-h6, .h6 {
+  margin-bottom: 10px;
+}
+
+h1 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+.h1 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+h2 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+.h2 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+h3 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+.h3 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+h4, .h4, h5, .h5, h6, .h6 {
   margin-top: 10px;
-  margin-bottom: 10px; }
-  h4 small,
-  h4 .small, .h4 small,
-  .h4 .small,
-  h5 small,
-  h5 .small, .h5 small,
-  .h5 .small,
-  h6 small,
-  h6 .small, .h6 small,
-  .h6 .small {
-    font-size: 75%; }
+  margin-bottom: 10px;
+}
+
+h4 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+.h4 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+h5 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+.h5 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+h6 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+.h6 {
+  small, .small {
+    font-size: 75%;
+  }
+}
 
 h1, .h1 {
-  font-size: 23px; }
+  font-size: 23px;
+}
 
 h2, .h2 {
-  font-size: 16px; }
+  font-size: 16px;
+}
 
 h3, .h3 {
-  font-size: 14px; }
+  font-size: 14px;
+}
 
 h4, .h4 {
-  font-size: 18px; }
+  font-size: 18px;
+}
 
 h5, .h5 {
-  font-size: 14px; }
+  font-size: 14px;
+}
 
 h6, .h6 {
-  font-size: 12px; }
+  font-size: 12px;
+}
 
 p {
-  margin: 0 0 10px; }
+  margin: 0 0 10px;
+}
 
 .lead {
   margin-bottom: 20px;
   font-size: 16px;
   font-weight: 300;
-  line-height: 1.4; }
-  @media (min-width: 768px) {
-    .lead {
-      font-size: 21px; } }
+  line-height: 1.4;
+}
+
+@media (min-width: 768px) {
+  .lead {
+    font-size: 21px;
+  }
+}
 
-small,
-.small {
-  font-size: 85%; }
+small, .small {
+  font-size: 85%;
+}
 
 cite {
-  font-style: normal; }
+  font-style: normal;
+}
 
-mark,
-.mark {
+mark, .mark {
   background-color: #fcf8e3;
-  padding: .2em; }
+  padding: .2em;
+}
 
 .text-left {
-  text-align: left; }
+  text-align: left;
+}
 
 .text-right {
-  text-align: right; }
+  text-align: right;
+}
 
 .text-center {
-  text-align: center; }
+  text-align: center;
+}
 
 .text-justify {
-  text-align: justify; }
+  text-align: justify;
+}
 
 .text-nowrap {
-  white-space: nowrap; }
+  white-space: nowrap;
+}
 
 .text-lowercase {
-  text-transform: lowercase; }
+  text-transform: lowercase;
+}
 
 .text-uppercase {
-  text-transform: uppercase; }
+  text-transform: uppercase;
+}
 
 .text-capitalize {
-  text-transform: capitalize; }
+  text-transform: capitalize;
+}
 
 .text-muted {
-  color: inherit; }
+  color: inherit;
+}
 
 .text-primary {
-  color: #FF8B00; }
+  color: #FF8B00;
+}
 
 a.text-primary:hover {
-  color: #b85904; }
+  color: #b85904;
+}
 
 .text-success {
-  color: #4FB654; }
+  color: #4FB654;
+}
 
 a.text-success:hover {
-  color: #7fc54f; }
+  color: #7fc54f;
+}
 
 .text-info {
-  color: #47809f; }
+  color: #47809f;
+}
 
 a.text-info:hover {
-  color: #245269; }
+  color: #245269;
+}
 
 .text-warning {
-  color: #f0ad4e; }
+  color: #f0ad4e;
+}
 
 a.text-warning:hover {
-  color: #ec971f; }
+  color: #ec971f;
+}
 
 .text-danger {
-  color: #CB4326; }
+  color: #CB4326;
+}
 
 a.text-danger:hover {
-  color: #D8482A; }
-
-.bg-primary {
-  color: #fff; }
+  color: #D8482A;
+}
 
 .bg-primary {
-  background-color: #FF8B00; }
+  color: #fff;
+  background-color: #FF8B00;
+}
 
 a.bg-primary:hover {
-  background-color: #b85904; }
+  background-color: #b85904;
+}
 
 .bg-success {
-  background-color: #9BD275; }
+  background-color: #9BD275;
+}
 
 a.bg-success:hover {
-  background-color: #7fc54f; }
+  background-color: #7fc54f;
+}
 
 .bg-info {
-  background-color: #d9edf7; }
+  background-color: #d9edf7;
+}
 
 a.bg-info:hover {
-  background-color: #afd9ee; }
+  background-color: #afd9ee;
+}
 
 .bg-warning {
-  background-color: #fcf8e3; }
+  background-color: #fcf8e3;
+}
 
 a.bg-warning:hover {
-  background-color: #f7ecb5; }
+  background-color: #f7ecb5;
+}
 
 .bg-danger {
-  background-color: #F05050; }
+  background-color: #F05050;
+}
 
 a.bg-danger:hover {
-  background-color: #ec2121; }
+  background-color: #ec2121;
+}
 
 .page-header {
   padding-bottom: 9px;
   margin: 40px 0 20px;
-  border-bottom: 1px solid #eeeeee; }
+  border-bottom: 1px solid #eeeeee;
+}
 
-ul,
-ol {
+ul, ol {
   margin-top: 0;
-  margin-bottom: 10px; }
-  ul ul,
-  ul ol,
-  ol ul,
-  ol ol {
-    margin-bottom: 0; }
-
-.list-unstyled, .list-inline {
+  margin-bottom: 10px;
+}
+
+ul {
+  ul, ol {
+    margin-bottom: 0;
+  }
+}
+
+ol {
+  ul, ol {
+    margin-bottom: 0;
+  }
+}
+
+.list-unstyled {
   padding-left: 0;
-  list-style: none; }
+  list-style: none;
+}
 
 .list-inline {
-  margin-left: -5px; }
-  .list-inline > li {
+  padding-left: 0;
+  list-style: none;
+  margin-left: -5px;
+
+  > li {
     float: left;
     padding-left: 5px;
-    padding-right: 5px; }
+    padding-right: 5px;
+  }
+}
 
 dl {
   margin-top: 0;
-  margin-bottom: 20px; }
+  margin-bottom: 20px;
+}
 
-dt,
-dd {
-  line-height: 1.428571429; }
+dt, dd {
+  line-height: 1.428571429;
+}
 
 dt {
-  font-weight: bold; }
+  font-weight: bold;
+}
 
 dd {
-  margin-left: 0; }
+  margin-left: 0;
+}
+
+.dl-horizontal dd {
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+}
 
-.dl-horizontal dd:before, .dl-horizontal dd:after {
-  content: " ";
-  display: table; }
-.dl-horizontal dd:after {
-  clear: both; }
 @media (min-width: 768px) {
-  .dl-horizontal dt {
-    float: left;
-    width: 160px;
-    clear: left;
-    text-align: right;
-    overflow: hidden;
-    text-overflow: ellipsis;
-    white-space: nowrap; }
-  .dl-horizontal dd {
-    margin-left: 180px; } }
+  .dl-horizontal {
+    dt {
+      float: left;
+      width: 160px;
+      clear: left;
+      text-align: right;
+      overflow: hidden;
+      text-overflow: ellipsis;
+      white-space: nowrap;
+    }
+
+    dd {
+      margin-left: 180px;
+    }
+  }
+}
 
-abbr[title],
-abbr[data-original-title] {
-  cursor: help;
-  border-bottom: 1px dotted #777777; }
+abbr {
+  &[title], &[data-original-title] {
+    cursor: help;
+    border-bottom: 1px dotted #777777;
+  }
+}
 
 .initialism {
   font-size: 90%;
-  text-transform: uppercase; }
+  text-transform: uppercase;
+}
 
 blockquote {
   padding: 10px 20px;
   margin: 0 0 20px;
   font-size: 17.5px;
-  border-left: 5px solid #eeeeee; }
-  blockquote p:last-child,
-  blockquote ul:last-child,
-  blockquote ol:last-child {
-    margin-bottom: 0; }
-  blockquote footer,
-  blockquote small,
-  blockquote .small {
+  border-left: 5px solid #eeeeee;
+
+  p:last-child, ul:last-child, ol:last-child {
+    margin-bottom: 0;
+  }
+
+  footer, small, .small {
     display: block;
     font-size: 80%;
     line-height: 1.428571429;
-    color: #777777; }
-    blockquote footer:before,
-    blockquote small:before,
-    blockquote .small:before {
-      content: '\2014 \00A0'; }
+    color: #777777;
+  }
 
-.blockquote-reverse,
-blockquote.pull-right {
+  footer:before, small:before, .small:before {
+    content: '\2014 \00A0';
+  }
+}
+
+.blockquote-reverse, blockquote.pull-right {
   padding-right: 15px;
   padding-left: 0;
   border-right: 5px solid #eeeeee;
   border-left: 0;
-  text-align: right; }
-  .blockquote-reverse footer:before,
-  .blockquote-reverse small:before,
-  .blockquote-reverse .small:before,
-  blockquote.pull-right footer:before,
-  blockquote.pull-right small:before,
-  blockquote.pull-right .small:before {
-    content: ''; }
-  .blockquote-reverse footer:after,
-  .blockquote-reverse small:after,
-  .blockquote-reverse .small:after,
-  blockquote.pull-right footer:after,
-  blockquote.pull-right small:after,
-  blockquote.pull-right .small:after {
-    content: '\00A0 \2014'; }
-
-blockquote:before,
-blockquote:after {
-  content: ""; }
+  text-align: right;
+}
+
+.blockquote-reverse {
+  footer:before, small:before, .small:before {
+    content: '';
+  }
+}
+
+blockquote.pull-right {
+  footer:before, small:before, .small:before {
+    content: '';
+  }
+}
+
+.blockquote-reverse {
+  footer:after, small:after, .small:after {
+    content: '\00A0 \2014';
+  }
+}
+
+blockquote {
+  &.pull-right {
+    footer:after, small:after, .small:after {
+      content: '\00A0 \2014';
+    }
+  }
+
+  &:before, &:after {
+    content: "";
+  }
+}
 
 address {
   margin-bottom: 20px;
   font-style: normal;
-  line-height: 1.428571429; }
+  line-height: 1.428571429;
+}
 
-code,
-kbd,
-pre,
-samp {
-  font-family: Menlo, Monaco, Consolas, "Courier New", monospace; }
+code, kbd, pre, samp {
+  font-family: Menlo, Monaco, Consolas, "Courier New", monospace;
+}
 
 code {
   padding: 2px 4px;
   font-size: 90%;
   color: #c7254e;
   background-color: #f9f2f4;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 kbd {
   padding: 2px 4px;
@@ -1319,11 +1807,14 @@ kbd {
   color: #fff;
   background-color: #2d2d2d;
   border-radius: 3px;
-  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25); }
-  kbd kbd {
+  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25);
+
+  kbd {
     padding: 0;
     font-size: 100%;
-    box-shadow: none; }
+    box-shadow: none;
+  }
+}
 
 pre {
   display: block;
@@ -1336,844 +1827,1356 @@ pre {
   color: #000;
   background-color: inherit;
   border: inherit;
-  border-radius: 3px; }
-  pre code {
+  border-radius: 3px;
+
+  code {
     padding: 0;
     font-size: inherit;
     color: inherit;
     white-space: pre-wrap;
     background-color: transparent;
-    border-radius: 0; }
+    border-radius: 0;
+  }
+}
 
 .pre-scrollable {
   max-height: 340px;
-  overflow-y: scroll; }
+  overflow-y: scroll;
+}
 
-.container {
+.container, .container-fluid {
   margin-right: auto;
   margin-left: auto;
   padding-left: 20px;
-  padding-right: 20px; }
-  .container:before, .container:after {
+  padding-right: 20px;
+
+  &:before {
     content: " ";
-    display: table; }
-  .container:after {
-    clear: both; }
-  @media (min-width: 768px) {
-    .container {
-      width: 760px; } }
-  @media (min-width: 992px) {
-    .container {
-      width: 980px; } }
-  @media (min-width: 1200px) {
-    .container {
-      width: 1180px; } }
-
-.container-fluid {
-  margin-right: auto;
-  margin-left: auto;
-  padding-left: 20px;
-  padding-right: 20px; }
-  .container-fluid:before, .container-fluid:after {
+    display: table;
+  }
+
+  &:after {
     content: " ";
-    display: table; }
-  .container-fluid:after {
-    clear: both; }
+    display: table;
+    clear: both;
+  }
+}
+
+@media (min-width: 768px) {
+  .container {
+    width: 760px;
+  }
+}
+
+@media (min-width: 992px) {
+  .container {
+    width: 980px;
+  }
+}
+
+@media (min-width: 1200px) {
+  .container {
+    width: 1180px;
+  }
+}
 
 .row {
   margin-left: -20px;
-  margin-right: -20px; }
-  .row:before, .row:after {
+  margin-right: -20px;
+
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
     content: " ";
-    display: table; }
-  .row:after {
-    clear: both; }
+    display: table;
+    clear: both;
+  }
+}
 
 .col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 {
   position: relative;
   min-height: 1px;
   padding-left: 20px;
-  padding-right: 20px; }
+  padding-right: 20px;
+}
 
 .col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 {
-  float: left; }
+  float: left;
+}
 
 .col-xs-1 {
-  width: 8.33333%; }
+  width: 8.33333%;
+}
 
 .col-xs-2 {
-  width: 16.66667%; }
+  width: 16.66667%;
+}
 
 .col-xs-3 {
-  width: 25%; }
+  width: 25%;
+}
 
 .col-xs-4 {
-  width: 33.33333%; }
+  width: 33.33333%;
+}
 
 .col-xs-5 {
-  width: 41.66667%; }
+  width: 41.66667%;
+}
 
 .col-xs-6 {
-  width: 50%; }
+  width: 50%;
+}
 
 .col-xs-7 {
-  width: 58.33333%; }
+  width: 58.33333%;
+}
 
 .col-xs-8 {
-  width: 66.66667%; }
+  width: 66.66667%;
+}
 
 .col-xs-9 {
-  width: 75%; }
+  width: 75%;
+}
 
 .col-xs-10 {
-  width: 83.33333%; }
+  width: 83.33333%;
+}
 
 .col-xs-11 {
-  width: 91.66667%; }
+  width: 91.66667%;
+}
 
 .col-xs-12 {
-  width: 100%; }
+  width: 100%;
+}
 
 .col-xs-pull-0 {
-  right: auto; }
+  right: auto;
+}
 
 .col-xs-pull-1 {
-  right: 8.33333%; }
+  right: 8.33333%;
+}
 
 .col-xs-pull-2 {
-  right: 16.66667%; }
+  right: 16.66667%;
+}
 
 .col-xs-pull-3 {
-  right: 25%; }
+  right: 25%;
+}
 
 .col-xs-pull-4 {
-  right: 33.33333%; }
+  right: 33.33333%;
+}
 
 .col-xs-pull-5 {
-  right: 41.66667%; }
+  right: 41.66667%;
+}
 
 .col-xs-pull-6 {
-  right: 50%; }
+  right: 50%;
+}
 
 .col-xs-pull-7 {
-  right: 58.33333%; }
+  right: 58.33333%;
+}
 
 .col-xs-pull-8 {
-  right: 66.66667%; }
+  right: 66.66667%;
+}
 
 .col-xs-pull-9 {
-  right: 75%; }
+  right: 75%;
+}
 
 .col-xs-pull-10 {
-  right: 83.33333%; }
+  right: 83.33333%;
+}
 
 .col-xs-pull-11 {
-  right: 91.66667%; }
+  right: 91.66667%;
+}
 
 .col-xs-pull-12 {
-  right: 100%; }
+  right: 100%;
+}
 
 .col-xs-push-0 {
-  left: auto; }
+  left: auto;
+}
 
 .col-xs-push-1 {
-  left: 8.33333%; }
+  left: 8.33333%;
+}
 
 .col-xs-push-2 {
-  left: 16.66667%; }
+  left: 16.66667%;
+}
 
 .col-xs-push-3 {
-  left: 25%; }
+  left: 25%;
+}
 
 .col-xs-push-4 {
-  left: 33.33333%; }
+  left: 33.33333%;
+}
 
 .col-xs-push-5 {
-  left: 41.66667%; }
+  left: 41.66667%;
+}
 
 .col-xs-push-6 {
-  left: 50%; }
+  left: 50%;
+}
 
 .col-xs-push-7 {
-  left: 58.33333%; }
+  left: 58.33333%;
+}
 
 .col-xs-push-8 {
-  left: 66.66667%; }
+  left: 66.66667%;
+}
 
 .col-xs-push-9 {
-  left: 75%; }
+  left: 75%;
+}
 
 .col-xs-push-10 {
-  left: 83.33333%; }
+  left: 83.33333%;
+}
 
 .col-xs-push-11 {
-  left: 91.66667%; }
+  left: 91.66667%;
+}
 
 .col-xs-push-12 {
-  left: 100%; }
+  left: 100%;
+}
 
 .col-xs-offset-0 {
-  margin-left: 0%; }
+  margin-left: 0%;
+}
 
 .col-xs-offset-1 {
-  margin-left: 8.33333%; }
+  margin-left: 8.33333%;
+}
 
 .col-xs-offset-2 {
-  margin-left: 16.66667%; }
+  margin-left: 16.66667%;
+}
 
 .col-xs-offset-3 {
-  margin-left: 25%; }
+  margin-left: 25%;
+}
 
 .col-xs-offset-4 {
-  margin-left: 33.33333%; }
+  margin-left: 33.33333%;
+}
 
 .col-xs-offset-5 {
-  margin-left: 41.66667%; }
+  margin-left: 41.66667%;
+}
 
 .col-xs-offset-6 {
-  margin-left: 50%; }
+  margin-left: 50%;
+}
 
 .col-xs-offset-7 {
-  margin-left: 58.33333%; }
+  margin-left: 58.33333%;
+}
 
 .col-xs-offset-8 {
-  margin-left: 66.66667%; }
+  margin-left: 66.66667%;
+}
 
 .col-xs-offset-9 {
-  margin-left: 75%; }
+  margin-left: 75%;
+}
 
 .col-xs-offset-10 {
-  margin-left: 83.33333%; }
+  margin-left: 83.33333%;
+}
 
 .col-xs-offset-11 {
-  margin-left: 91.66667%; }
+  margin-left: 91.66667%;
+}
 
 .col-xs-offset-12 {
-  margin-left: 100%; }
+  margin-left: 100%;
+}
 
 @media (min-width: 768px) {
   .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {
-    float: left; }
+    float: left;
+  }
 
   .col-sm-1 {
-    width: 8.33333%; }
+    width: 8.33333%;
+  }
 
   .col-sm-2 {
-    width: 16.66667%; }
+    width: 16.66667%;
+  }
 
   .col-sm-3 {
-    width: 25%; }
+    width: 25%;
+  }
 
   .col-sm-4 {
-    width: 33.33333%; }
+    width: 33.33333%;
+  }
 
   .col-sm-5 {
-    width: 41.66667%; }
+    width: 41.66667%;
+  }
 
   .col-sm-6 {
-    width: 50%; }
+    width: 50%;
+  }
 
   .col-sm-7 {
-    width: 58.33333%; }
+    width: 58.33333%;
+  }
 
   .col-sm-8 {
-    width: 66.66667%; }
+    width: 66.66667%;
+  }
 
   .col-sm-9 {
-    width: 75%; }
+    width: 75%;
+  }
 
   .col-sm-10 {
-    width: 83.33333%; }
+    width: 83.33333%;
+  }
 
   .col-sm-11 {
-    width: 91.66667%; }
+    width: 91.66667%;
+  }
 
   .col-sm-12 {
-    width: 100%; }
+    width: 100%;
+  }
 
   .col-sm-pull-0 {
-    right: auto; }
+    right: auto;
+  }
 
   .col-sm-pull-1 {
-    right: 8.33333%; }
+    right: 8.33333%;
+  }
 
   .col-sm-pull-2 {
-    right: 16.66667%; }
+    right: 16.66667%;
+  }
 
   .col-sm-pull-3 {
-    right: 25%; }
+    right: 25%;
+  }
 
   .col-sm-pull-4 {
-    right: 33.33333%; }
+    right: 33.33333%;
+  }
 
   .col-sm-pull-5 {
-    right: 41.66667%; }
+    right: 41.66667%;
+  }
 
   .col-sm-pull-6 {
-    right: 50%; }
+    right: 50%;
+  }
 
   .col-sm-pull-7 {
-    right: 58.33333%; }
+    right: 58.33333%;
+  }
 
   .col-sm-pull-8 {
-    right: 66.66667%; }
+    right: 66.66667%;
+  }
 
   .col-sm-pull-9 {
-    right: 75%; }
+    right: 75%;
+  }
 
   .col-sm-pull-10 {
-    right: 83.33333%; }
+    right: 83.33333%;
+  }
 
   .col-sm-pull-11 {
-    right: 91.66667%; }
+    right: 91.66667%;
+  }
 
   .col-sm-pull-12 {
-    right: 100%; }
+    right: 100%;
+  }
 
   .col-sm-push-0 {
-    left: auto; }
+    left: auto;
+  }
 
   .col-sm-push-1 {
-    left: 8.33333%; }
+    left: 8.33333%;
+  }
 
   .col-sm-push-2 {
-    left: 16.66667%; }
+    left: 16.66667%;
+  }
 
   .col-sm-push-3 {
-    left: 25%; }
+    left: 25%;
+  }
 
   .col-sm-push-4 {
-    left: 33.33333%; }
+    left: 33.33333%;
+  }
 
   .col-sm-push-5 {
-    left: 41.66667%; }
+    left: 41.66667%;
+  }
 
   .col-sm-push-6 {
-    left: 50%; }
+    left: 50%;
+  }
 
   .col-sm-push-7 {
-    left: 58.33333%; }
+    left: 58.33333%;
+  }
 
   .col-sm-push-8 {
-    left: 66.66667%; }
+    left: 66.66667%;
+  }
 
   .col-sm-push-9 {
-    left: 75%; }
+    left: 75%;
+  }
 
   .col-sm-push-10 {
-    left: 83.33333%; }
+    left: 83.33333%;
+  }
 
   .col-sm-push-11 {
-    left: 91.66667%; }
+    left: 91.66667%;
+  }
 
   .col-sm-push-12 {
-    left: 100%; }
+    left: 100%;
+  }
 
   .col-sm-offset-0 {
-    margin-left: 0%; }
+    margin-left: 0%;
+  }
 
   .col-sm-offset-1 {
-    margin-left: 8.33333%; }
+    margin-left: 8.33333%;
+  }
 
   .col-sm-offset-2 {
-    margin-left: 16.66667%; }
+    margin-left: 16.66667%;
+  }
 
   .col-sm-offset-3 {
-    margin-left: 25%; }
+    margin-left: 25%;
+  }
 
   .col-sm-offset-4 {
-    margin-left: 33.33333%; }
+    margin-left: 33.33333%;
+  }
 
   .col-sm-offset-5 {
-    margin-left: 41.66667%; }
+    margin-left: 41.66667%;
+  }
 
   .col-sm-offset-6 {
-    margin-left: 50%; }
+    margin-left: 50%;
+  }
 
   .col-sm-offset-7 {
-    margin-left: 58.33333%; }
+    margin-left: 58.33333%;
+  }
 
   .col-sm-offset-8 {
-    margin-left: 66.66667%; }
+    margin-left: 66.66667%;
+  }
 
   .col-sm-offset-9 {
-    margin-left: 75%; }
+    margin-left: 75%;
+  }
 
   .col-sm-offset-10 {
-    margin-left: 83.33333%; }
+    margin-left: 83.33333%;
+  }
 
   .col-sm-offset-11 {
-    margin-left: 91.66667%; }
+    margin-left: 91.66667%;
+  }
 
   .col-sm-offset-12 {
-    margin-left: 100%; } }
+    margin-left: 100%;
+  }
+}
+
 @media (min-width: 992px) {
   .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {
-    float: left; }
+    float: left;
+  }
 
   .col-md-1 {
-    width: 8.33333%; }
+    width: 8.33333%;
+  }
 
   .col-md-2 {
-    width: 16.66667%; }
+    width: 16.66667%;
+  }
 
   .col-md-3 {
-    width: 25%; }
+    width: 25%;
+  }
 
   .col-md-4 {
-    width: 33.33333%; }
+    width: 33.33333%;
+  }
 
   .col-md-5 {
-    width: 41.66667%; }
+    width: 41.66667%;
+  }
 
   .col-md-6 {
-    width: 50%; }
+    width: 50%;
+  }
 
   .col-md-7 {
-    width: 58.33333%; }
+    width: 58.33333%;
+  }
 
   .col-md-8 {
-    width: 66.66667%; }
+    width: 66.66667%;
+  }
 
   .col-md-9 {
-    width: 75%; }
+    width: 75%;
+  }
 
   .col-md-10 {
-    width: 83.33333%; }
+    width: 83.33333%;
+  }
 
   .col-md-11 {
-    width: 91.66667%; }
+    width: 91.66667%;
+  }
 
   .col-md-12 {
-    width: 100%; }
+    width: 100%;
+  }
 
   .col-md-pull-0 {
-    right: auto; }
+    right: auto;
+  }
 
   .col-md-pull-1 {
-    right: 8.33333%; }
+    right: 8.33333%;
+  }
 
   .col-md-pull-2 {
-    right: 16.66667%; }
+    right: 16.66667%;
+  }
 
   .col-md-pull-3 {
-    right: 25%; }
+    right: 25%;
+  }
 
   .col-md-pull-4 {
-    right: 33.33333%; }
+    right: 33.33333%;
+  }
 
   .col-md-pull-5 {
-    right: 41.66667%; }
+    right: 41.66667%;
+  }
 
   .col-md-pull-6 {
-    right: 50%; }
+    right: 50%;
+  }
 
   .col-md-pull-7 {
-    right: 58.33333%; }
+    right: 58.33333%;
+  }
 
   .col-md-pull-8 {
-    right: 66.66667%; }
+    right: 66.66667%;
+  }
 
   .col-md-pull-9 {
-    right: 75%; }
+    right: 75%;
+  }
 
   .col-md-pull-10 {
-    right: 83.33333%; }
+    right: 83.33333%;
+  }
 
   .col-md-pull-11 {
-    right: 91.66667%; }
+    right: 91.66667%;
+  }
 
   .col-md-pull-12 {
-    right: 100%; }
+    right: 100%;
+  }
 
   .col-md-push-0 {
-    left: auto; }
+    left: auto;
+  }
 
   .col-md-push-1 {
-    left: 8.33333%; }
+    left: 8.33333%;
+  }
 
   .col-md-push-2 {
-    left: 16.66667%; }
+    left: 16.66667%;
+  }
 
   .col-md-push-3 {
-    left: 25%; }
+    left: 25%;
+  }
 
   .col-md-push-4 {
-    left: 33.33333%; }
+    left: 33.33333%;
+  }
 
   .col-md-push-5 {
-    left: 41.66667%; }
+    left: 41.66667%;
+  }
 
   .col-md-push-6 {
-    left: 50%; }
+    left: 50%;
+  }
 
   .col-md-push-7 {
-    left: 58.33333%; }
+    left: 58.33333%;
+  }
 
   .col-md-push-8 {
-    left: 66.66667%; }
+    left: 66.66667%;
+  }
 
   .col-md-push-9 {
-    left: 75%; }
+    left: 75%;
+  }
 
   .col-md-push-10 {
-    left: 83.33333%; }
+    left: 83.33333%;
+  }
 
   .col-md-push-11 {
-    left: 91.66667%; }
+    left: 91.66667%;
+  }
 
   .col-md-push-12 {
-    left: 100%; }
+    left: 100%;
+  }
 
   .col-md-offset-0 {
-    margin-left: 0%; }
+    margin-left: 0%;
+  }
 
   .col-md-offset-1 {
-    margin-left: 8.33333%; }
+    margin-left: 8.33333%;
+  }
 
   .col-md-offset-2 {
-    margin-left: 16.66667%; }
+    margin-left: 16.66667%;
+  }
 
   .col-md-offset-3 {
-    margin-left: 25%; }
+    margin-left: 25%;
+  }
 
   .col-md-offset-4 {
-    margin-left: 33.33333%; }
+    margin-left: 33.33333%;
+  }
 
   .col-md-offset-5 {
-    margin-left: 41.66667%; }
+    margin-left: 41.66667%;
+  }
 
   .col-md-offset-6 {
-    margin-left: 50%; }
+    margin-left: 50%;
+  }
 
   .col-md-offset-7 {
-    margin-left: 58.33333%; }
+    margin-left: 58.33333%;
+  }
 
   .col-md-offset-8 {
-    margin-left: 66.66667%; }
+    margin-left: 66.66667%;
+  }
 
   .col-md-offset-9 {
-    margin-left: 75%; }
+    margin-left: 75%;
+  }
 
   .col-md-offset-10 {
-    margin-left: 83.33333%; }
+    margin-left: 83.33333%;
+  }
 
   .col-md-offset-11 {
-    margin-left: 91.66667%; }
+    margin-left: 91.66667%;
+  }
 
   .col-md-offset-12 {
-    margin-left: 100%; } }
+    margin-left: 100%;
+  }
+}
+
 @media (min-width: 1200px) {
   .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 {
-    float: left; }
+    float: left;
+  }
 
   .col-lg-1 {
-    width: 8.33333%; }
+    width: 8.33333%;
+  }
 
   .col-lg-2 {
-    width: 16.66667%; }
+    width: 16.66667%;
+  }
 
   .col-lg-3 {
-    width: 25%; }
+    width: 25%;
+  }
 
   .col-lg-4 {
-    width: 33.33333%; }
+    width: 33.33333%;
+  }
 
   .col-lg-5 {
-    width: 41.66667%; }
+    width: 41.66667%;
+  }
 
   .col-lg-6 {
-    width: 50%; }
+    width: 50%;
+  }
 
   .col-lg-7 {
-    width: 58.33333%; }
+    width: 58.33333%;
+  }
 
   .col-lg-8 {
-    width: 66.66667%; }
+    width: 66.66667%;
+  }
 
   .col-lg-9 {
-    width: 75%; }
+    width: 75%;
+  }
 
   .col-lg-10 {
-    width: 83.33333%; }
+    width: 83.33333%;
+  }
 
   .col-lg-11 {
-    width: 91.66667%; }
+    width: 91.66667%;
+  }
 
   .col-lg-12 {
-    width: 100%; }
+    width: 100%;
+  }
 
   .col-lg-pull-0 {
-    right: auto; }
+    right: auto;
+  }
 
   .col-lg-pull-1 {
-    right: 8.33333%; }
+    right: 8.33333%;
+  }
 
   .col-lg-pull-2 {
-    right: 16.66667%; }
+    right: 16.66667%;
+  }
 
   .col-lg-pull-3 {
-    right: 25%; }
+    right: 25%;
+  }
 
   .col-lg-pull-4 {
-    right: 33.33333%; }
+    right: 33.33333%;
+  }
 
   .col-lg-pull-5 {
-    right: 41.66667%; }
+    right: 41.66667%;
+  }
 
   .col-lg-pull-6 {
-    right: 50%; }
+    right: 50%;
+  }
 
   .col-lg-pull-7 {
-    right: 58.33333%; }
+    right: 58.33333%;
+  }
 
   .col-lg-pull-8 {
-    right: 66.66667%; }
+    right: 66.66667%;
+  }
 
   .col-lg-pull-9 {
-    right: 75%; }
+    right: 75%;
+  }
 
   .col-lg-pull-10 {
-    right: 83.33333%; }
+    right: 83.33333%;
+  }
 
   .col-lg-pull-11 {
-    right: 91.66667%; }
+    right: 91.66667%;
+  }
 
   .col-lg-pull-12 {
-    right: 100%; }
+    right: 100%;
+  }
 
   .col-lg-push-0 {
-    left: auto; }
+    left: auto;
+  }
 
   .col-lg-push-1 {
-    left: 8.33333%; }
+    left: 8.33333%;
+  }
 
   .col-lg-push-2 {
-    left: 16.66667%; }
+    left: 16.66667%;
+  }
 
   .col-lg-push-3 {
-    left: 25%; }
+    left: 25%;
+  }
 
   .col-lg-push-4 {
-    left: 33.33333%; }
+    left: 33.33333%;
+  }
 
   .col-lg-push-5 {
-    left: 41.66667%; }
+    left: 41.66667%;
+  }
 
   .col-lg-push-6 {
-    left: 50%; }
+    left: 50%;
+  }
 
   .col-lg-push-7 {
-    left: 58.33333%; }
+    left: 58.33333%;
+  }
 
   .col-lg-push-8 {
-    left: 66.66667%; }
+    left: 66.66667%;
+  }
 
   .col-lg-push-9 {
-    left: 75%; }
+    left: 75%;
+  }
 
   .col-lg-push-10 {
-    left: 83.33333%; }
+    left: 83.33333%;
+  }
 
   .col-lg-push-11 {
-    left: 91.66667%; }
+    left: 91.66667%;
+  }
 
   .col-lg-push-12 {
-    left: 100%; }
+    left: 100%;
+  }
 
   .col-lg-offset-0 {
-    margin-left: 0%; }
+    margin-left: 0%;
+  }
 
   .col-lg-offset-1 {
-    margin-left: 8.33333%; }
+    margin-left: 8.33333%;
+  }
 
   .col-lg-offset-2 {
-    margin-left: 16.66667%; }
+    margin-left: 16.66667%;
+  }
 
   .col-lg-offset-3 {
-    margin-left: 25%; }
+    margin-left: 25%;
+  }
 
   .col-lg-offset-4 {
-    margin-left: 33.33333%; }
+    margin-left: 33.33333%;
+  }
 
   .col-lg-offset-5 {
-    margin-left: 41.66667%; }
+    margin-left: 41.66667%;
+  }
 
   .col-lg-offset-6 {
-    margin-left: 50%; }
+    margin-left: 50%;
+  }
 
   .col-lg-offset-7 {
-    margin-left: 58.33333%; }
+    margin-left: 58.33333%;
+  }
 
   .col-lg-offset-8 {
-    margin-left: 66.66667%; }
+    margin-left: 66.66667%;
+  }
 
   .col-lg-offset-9 {
-    margin-left: 75%; }
+    margin-left: 75%;
+  }
 
   .col-lg-offset-10 {
-    margin-left: 83.33333%; }
+    margin-left: 83.33333%;
+  }
 
   .col-lg-offset-11 {
-    margin-left: 91.66667%; }
+    margin-left: 91.66667%;
+  }
 
   .col-lg-offset-12 {
-    margin-left: 100%; } }
+    margin-left: 100%;
+  }
+}
 
 th {
-  text-align: left; }
+  text-align: left;
+}
 
 .table {
   width: 100%;
   max-width: 100%;
-  margin-bottom: 20px; }
-  .table > thead > tr > th,
-  .table > thead > tr > td,
-  .table > tbody > tr > th,
-  .table > tbody > tr > td,
-  .table > tfoot > tr > th,
-  .table > tfoot > tr > td {
-    padding: 10px 0px 10px 20px;
-    line-height: 1.428571429;
-    vertical-align: top;
-	border-top: 1px solid #e3e3e3; }
-  .table > thead > tr > th {
-    vertical-align: bottom;  }
-  .table > caption + thead > tr:first-child > th,
-  .table > caption + thead > tr:first-child > td,
-  .table > colgroup + thead > tr:first-child > th,
-  .table > colgroup + thead > tr:first-child > td,
-  .table > thead:first-child > tr:first-child > th,
-  .table > thead:first-child > tr:first-child > td {
-    border-top: 0;
-    font-family: 'SourceSansProSemibold';
-    font-weight: normal;
-	border-bottom: 1px solid #bdbdbd;
-	background-color: #e3e3e3;}
-  .table > tbody + tbody {
-    border-top: 2px solid #eee; }
-  .table .table {
-    background-color: none; }
-
-.table-condensed > thead > tr > th,
-.table-condensed > thead > tr > td,
-.table-condensed > tbody > tr > th,
-.table-condensed > tbody > tr > td,
-.table-condensed > tfoot > tr > th,
-.table-condensed > tfoot > tr > td {
-  padding: 5px; }
+  margin-bottom: 20px;
+
+  > {
+    thead > tr > {
+      th, td {
+        padding: 10px 0px 10px 20px;
+        line-height: 1.428571429;
+        vertical-align: top;
+        border-top: 1px solid #e3e3e3;
+      }
+    }
+
+    tbody > tr > {
+      th, td {
+        padding: 10px 0px 10px 20px;
+        line-height: 1.428571429;
+        vertical-align: top;
+        border-top: 1px solid #e3e3e3;
+      }
+    }
+
+    tfoot > tr > {
+      th, td {
+        padding: 10px 0px 10px 20px;
+        line-height: 1.428571429;
+        vertical-align: top;
+        border-top: 1px solid #e3e3e3;
+      }
+    }
+
+    thead > tr > th {
+      vertical-align: bottom;
+    }
+
+    caption + thead > tr:first-child > {
+      th, td {
+        border-top: 0;
+        font-family: 'SourceSansProSemibold';
+        font-weight: normal;
+        border-bottom: 1px solid #bdbdbd;
+        background-color: #e3e3e3;
+      }
+    }
+
+    colgroup + thead > tr:first-child > {
+      th, td {
+        border-top: 0;
+        font-family: 'SourceSansProSemibold';
+        font-weight: normal;
+        border-bottom: 1px solid #bdbdbd;
+        background-color: #e3e3e3;
+      }
+    }
+
+    thead:first-child > tr:first-child > {
+      th, td {
+        border-top: 0;
+        font-family: 'SourceSansProSemibold';
+        font-weight: normal;
+        border-bottom: 1px solid #bdbdbd;
+        background-color: #e3e3e3;
+      }
+    }
+
+    tbody + tbody {
+      border-top: 2px solid #eee;
+    }
+  }
+
+  .table {
+    background-color: none;
+  }
+}
+
+.table-condensed > {
+  thead > tr > {
+    th, td {
+      padding: 5px;
+    }
+  }
+
+  tbody > tr > {
+    th, td {
+      padding: 5px;
+    }
+  }
+
+  tfoot > tr > {
+    th, td {
+      padding: 5px;
+    }
+  }
+}
 
 .table-bordered {
-  border: 1px solid #dbdbdb; }
-  .table-bordered > thead > tr > th,
-  .table-bordered > thead > tr > td,
-  .table-bordered > tbody > tr > th,
-  .table-bordered > tbody > tr > td,
-  .table-bordered > tfoot > tr > th,
-  .table-bordered > tfoot > tr > td {
-    border: 1px solid #dbdbdb; }
-  .table-bordered > thead > tr > th,
-  .table-bordered > thead > tr > td {
-    border-bottom-width: 2px; }
-
-.table-striped > tbody > tr:nth-child(odd) > td,
-.table-striped > tbody > tr:nth-child(odd) > th {
-  background-color: #fbfbfb; }
-
-.table-hover > tbody > tr:hover > td,
-.table-hover > tbody > tr:hover > th {
-  background-color:#f2fafe; }
-
-table col[class*="col-"] {
-  position: static;
-  float: none;
-  display: table-column; }
+  border: 1px solid #dbdbdb;
+
+  > {
+    thead > tr > {
+      th, td {
+        border: 1px solid #dbdbdb;
+      }
+    }
+
+    tbody > tr > {
+      th, td {
+        border: 1px solid #dbdbdb;
+      }
+    }
+
+    tfoot > tr > {
+      th, td {
+        border: 1px solid #dbdbdb;
+      }
+    }
+
+    thead > tr > {
+      th, td {
+        border-bottom-width: 2px;
+      }
+    }
+  }
+}
 
-table td[class*="col-"],
-table th[class*="col-"] {
-  position: static;
-  float: none;
-  display: table-cell; }
-
-.table > thead > tr > td.active,
-.table > thead > tr > th.active, .table > thead > tr.active > td, .table > thead > tr.active > th,
-.table > tbody > tr > td.active,
-.table > tbody > tr > th.active,
-.table > tbody > tr.active > td,
-.table > tbody > tr.active > th,
-.table > tfoot > tr > td.active,
-.table > tfoot > tr > th.active,
-.table > tfoot > tr.active > td,
-.table > tfoot > tr.active > th {
-  background-color: #E2F5FF; }
-
-.table-hover > tbody > tr > td.active:hover,
-.table-hover > tbody > tr > th.active:hover, .table-hover > tbody > tr.active:hover > td, .table-hover > tbody > tr:hover > .active, .table-hover > tbody > tr.active:hover > th {
-  background-color: #FF8B00; }
-
-.table > thead > tr > td.success,
-.table > thead > tr > th.success, .table > thead > tr.success > td, .table > thead > tr.success > th,
-.table > tbody > tr > td.success,
-.table > tbody > tr > th.success,
-.table > tbody > tr.success > td,
-.table > tbody > tr.success > th,
-.table > tfoot > tr > td.success,
-.table > tfoot > tr > th.success,
-.table > tfoot > tr.success > td,
-.table > tfoot > tr.success > th {
-  background-color: #9BD275; }
-
-.table-hover > tbody > tr > td.success:hover,
-.table-hover > tbody > tr > th.success:hover, .table-hover > tbody > tr.success:hover > td, .table-hover > tbody > tr:hover > .success, .table-hover > tbody > tr.success:hover > th {
-  background-color: #8dcc62; }
-
-.table > thead > tr > td.info,
-.table > thead > tr > th.info, .table > thead > tr.info > td, .table > thead > tr.info > th,
-.table > tbody > tr > td.info,
-.table > tbody > tr > th.info,
-.table > tbody > tr.info > td,
-.table > tbody > tr.info > th,
-.table > tfoot > tr > td.info,
-.table > tfoot > tr > th.info,
-.table > tfoot > tr.info > td,
-.table > tfoot > tr.info > th {
-  background-color: #d9edf7; }
-
-.table-hover > tbody > tr > td.info:hover,
-.table-hover > tbody > tr > th.info:hover, .table-hover > tbody > tr.info:hover > td, .table-hover > tbody > tr:hover > .info, .table-hover > tbody > tr.info:hover > th {
-  background-color: #c4e3f3; }
-
-.table > thead > tr > td.warning,
-.table > thead > tr > th.warning, .table > thead > tr.warning > td, .table > thead > tr.warning > th,
-.table > tbody > tr > td.warning,
-.table > tbody > tr > th.warning,
-.table > tbody > tr.warning > td,
-.table > tbody > tr.warning > th,
-.table > tfoot > tr > td.warning,
-.table > tfoot > tr > th.warning,
-.table > tfoot > tr.warning > td,
-.table > tfoot > tr.warning > th {
-  background-color: #fcf8e3; }
-
-.table-hover > tbody > tr > td.warning:hover,
-.table-hover > tbody > tr > th.warning:hover, .table-hover > tbody > tr.warning:hover > td, .table-hover > tbody > tr:hover > .warning, .table-hover > tbody > tr.warning:hover > th {
-  background-color: #faf2cc; }
-
-.table > thead > tr > td.danger,
-.table > thead > tr > th.danger, .table > thead > tr.danger > td, .table > thead > tr.danger > th,
-.table > tbody > tr > td.danger,
-.table > tbody > tr > th.danger,
-.table > tbody > tr.danger > td,
-.table > tbody > tr.danger > th,
-.table > tfoot > tr > td.danger,
-.table > tfoot > tr > th.danger,
-.table > tfoot > tr.danger > td,
-.table > tfoot > tr.danger > th {
-  background-color: #F05050; }
-
-.table-hover > tbody > tr > td.danger:hover,
-.table-hover > tbody > tr > th.danger:hover, .table-hover > tbody > tr.danger:hover > td, .table-hover > tbody > tr:hover > .danger, .table-hover > tbody > tr.danger:hover > th {
-  background-color: #ee3939; }
+.table-striped > tbody > tr:nth-child(odd) > {
+  td, th {
+    background-color: #fbfbfb;
+  }
+}
+
+.table-hover > tbody > tr:hover > {
+  td, th {
+    background-color: #f2fafe;
+  }
+}
+
+table {
+  col[class*="col-"] {
+    position: static;
+    float: none;
+    display: table-column;
+  }
+
+  td[class*="col-"], th[class*="col-"] {
+    position: static;
+    float: none;
+    display: table-cell;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.active, th.active {
+        background-color: #E2F5FF;
+      }
+    }
+
+    &.active > {
+      td, th {
+        background-color: #E2F5FF;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.active, th.active {
+        background-color: #E2F5FF;
+      }
+    }
+
+    &.active > {
+      td, th {
+        background-color: #E2F5FF;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.active, th.active {
+        background-color: #E2F5FF;
+      }
+    }
+
+    &.active > {
+      td, th {
+        background-color: #E2F5FF;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.active:hover, th.active:hover {
+      background-color: #FF8B00;
+    }
+  }
+
+  &.active:hover > td, &:hover > .active, &.active:hover > th {
+    background-color: #FF8B00;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.success, th.success {
+        background-color: #9BD275;
+      }
+    }
+
+    &.success > {
+      td, th {
+        background-color: #9BD275;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.success, th.success {
+        background-color: #9BD275;
+      }
+    }
+
+    &.success > {
+      td, th {
+        background-color: #9BD275;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.success, th.success {
+        background-color: #9BD275;
+      }
+    }
+
+    &.success > {
+      td, th {
+        background-color: #9BD275;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.success:hover, th.success:hover {
+      background-color: #8dcc62;
+    }
+  }
+
+  &.success:hover > td, &:hover > .success, &.success:hover > th {
+    background-color: #8dcc62;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.info, th.info {
+        background-color: #d9edf7;
+      }
+    }
+
+    &.info > {
+      td, th {
+        background-color: #d9edf7;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.info, th.info {
+        background-color: #d9edf7;
+      }
+    }
+
+    &.info > {
+      td, th {
+        background-color: #d9edf7;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.info, th.info {
+        background-color: #d9edf7;
+      }
+    }
+
+    &.info > {
+      td, th {
+        background-color: #d9edf7;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.info:hover, th.info:hover {
+      background-color: #c4e3f3;
+    }
+  }
+
+  &.info:hover > td, &:hover > .info, &.info:hover > th {
+    background-color: #c4e3f3;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.warning, th.warning {
+        background-color: #fcf8e3;
+      }
+    }
+
+    &.warning > {
+      td, th {
+        background-color: #fcf8e3;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.warning, th.warning {
+        background-color: #fcf8e3;
+      }
+    }
+
+    &.warning > {
+      td, th {
+        background-color: #fcf8e3;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.warning, th.warning {
+        background-color: #fcf8e3;
+      }
+    }
+
+    &.warning > {
+      td, th {
+        background-color: #fcf8e3;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.warning:hover, th.warning:hover {
+      background-color: #faf2cc;
+    }
+  }
+
+  &.warning:hover > td, &:hover > .warning, &.warning:hover > th {
+    background-color: #faf2cc;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.danger, th.danger {
+        background-color: #F05050;
+      }
+    }
+
+    &.danger > {
+      td, th {
+        background-color: #F05050;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.danger, th.danger {
+        background-color: #F05050;
+      }
+    }
+
+    &.danger > {
+      td, th {
+        background-color: #F05050;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.danger, th.danger {
+        background-color: #F05050;
+      }
+    }
+
+    &.danger > {
+      td, th {
+        background-color: #F05050;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.danger:hover, th.danger:hover {
+      background-color: #ee3939;
+    }
+  }
+
+  &.danger:hover > td, &:hover > .danger, &.danger:hover > th {
+    background-color: #ee3939;
+  }
+}
 
 @media screen and (max-width: 767px) {
   .table-responsive {
@@ -2182,44 +3185,98 @@ table th[class*="col-"] {
     overflow-y: hidden;
     overflow-x: auto;
     -ms-overflow-style: -ms-autohiding-scrollbar;
+
     /*     border: 1px solid $table-border-color; */
-    -webkit-overflow-scrolling: touch; }
-    .table-responsive > .table {
-      margin-bottom: 0; }
-      .table-responsive > .table > thead > tr > th,
-      .table-responsive > .table > thead > tr > td,
-      .table-responsive > .table > tbody > tr > th,
-      .table-responsive > .table > tbody > tr > td,
-      .table-responsive > .table > tfoot > tr > th,
-      .table-responsive > .table > tfoot > tr > td {
-        white-space: nowrap; }
-    .table-responsive > .table-bordered {
-      border: 0; }
-      .table-responsive > .table-bordered > thead > tr > th:first-child,
-      .table-responsive > .table-bordered > thead > tr > td:first-child,
-      .table-responsive > .table-bordered > tbody > tr > th:first-child,
-      .table-responsive > .table-bordered > tbody > tr > td:first-child,
-      .table-responsive > .table-bordered > tfoot > tr > th:first-child,
-      .table-responsive > .table-bordered > tfoot > tr > td:first-child {
-        border-left: 0; }
-      .table-responsive > .table-bordered > thead > tr > th:last-child,
-      .table-responsive > .table-bordered > thead > tr > td:last-child,
-      .table-responsive > .table-bordered > tbody > tr > th:last-child,
-      .table-responsive > .table-bordered > tbody > tr > td:last-child,
-      .table-responsive > .table-bordered > tfoot > tr > th:last-child,
-      .table-responsive > .table-bordered > tfoot > tr > td:last-child {
-        border-right: 0; }
-      .table-responsive > .table-bordered > tbody > tr:last-child > th,
-      .table-responsive > .table-bordered > tbody > tr:last-child > td,
-      .table-responsive > .table-bordered > tfoot > tr:last-child > th,
-      .table-responsive > .table-bordered > tfoot > tr:last-child > td {
-        border-bottom: 0; } }
+    -webkit-overflow-scrolling: touch;
+
+    > {
+      .table {
+        margin-bottom: 0;
+
+        > {
+          thead > tr > {
+            th, td {
+              white-space: nowrap;
+            }
+          }
+
+          tbody > tr > {
+            th, td {
+              white-space: nowrap;
+            }
+          }
+
+          tfoot > tr > {
+            th, td {
+              white-space: nowrap;
+            }
+          }
+        }
+      }
+
+      .table-bordered {
+        border: 0;
+
+        > {
+          thead > tr > {
+            th:first-child, td:first-child {
+              border-left: 0;
+            }
+          }
+
+          tbody > tr > {
+            th:first-child, td:first-child {
+              border-left: 0;
+            }
+          }
+
+          tfoot > tr > {
+            th:first-child, td:first-child {
+              border-left: 0;
+            }
+          }
+
+          thead > tr > {
+            th:last-child, td:last-child {
+              border-right: 0;
+            }
+          }
+
+          tbody > tr > {
+            th:last-child, td:last-child {
+              border-right: 0;
+            }
+          }
+
+          tfoot > tr > {
+            th:last-child, td:last-child {
+              border-right: 0;
+            }
+          }
+
+          tbody > tr:last-child > {
+            th, td {
+              border-bottom: 0;
+            }
+          }
+
+          tfoot > tr:last-child > {
+            th, td {
+              border-bottom: 0;
+            }
+          }
+        }
+      }
+    }
+  }
+}
 
 fieldset {
   padding: 0;
   margin: 0;
   border: 0;
-  min-width: 0; }
+  min-width: 0;
+}
 
 legend {
   display: block;
@@ -2230,68 +3287,62 @@ legend {
   line-height: inherit;
   color: #2d2d2d;
   border: 0;
-  border-bottom: 1px solid #e5e5e5; }
+  border-bottom: 1px solid #e5e5e5;
+}
 
 label {
   display: inline-block;
   max-width: 100%;
   margin-bottom: 5px;
-  font-weight: normal; }
-
-input[type="search"] {
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box; }
-
-input[type="radio"],
-input[type="checkbox"] {
-  margin: 4px 0 0;
-  margin-top: 1px \9;
-  line-height: normal; }
-
-input[type="file"] {
-  display: block; }
+  font-weight: normal;
+}
 
-input[type="range"] {
-  display: block;
-  width: 100%; }
+input {
+  &[type="search"] {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
+  }
+
+  &[type="radio"], &[type="checkbox"] {
+    margin: 4px 0 0;
+    margin-top: 1px \9;
+    line-height: normal;
+  }
+
+  &[type="file"] {
+    display: block;
+  }
 
-select[multiple],
-select[size] {
-  height: auto; }
+  &[type="range"] {
+    display: block;
+    width: 100%;
+  }
+}
 
-input[type="file"]:focus,
-input[type="radio"]:focus,
-input[type="checkbox"]:focus {
-  outline: none;
-  outline: 5px auto -webkit-focus-ring-color;
-  outline-offset: -2px; }
+select {
+  &[multiple], &[size] {
+    height: auto;
+  }
+}
 
+input {
+  &[type="file"]:focus, &[type="radio"]:focus, &[type="checkbox"]:focus {
+    outline: none;
+    outline: 5px auto -webkit-focus-ring-color;
+    outline-offset: -2px;
+  }
+}
 
 output {
   display: block;
   padding-top: 7px;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #000; }
-
-select,
-textarea,
-input[type="text"],
-input[type="password"],
-input[type="datetime"],
-input[type="datetime-local"],
-input[type="date"],
-input[type="month"],
-input[type="time"],
-input[type="week"],
-input[type="number"],
-input[type="email"],
-input[type="url"],
-input[type="search"],
-input[type="tel"],
-input[type="color"]
- {
+  color: #000;
+}
+
+select, textarea {
   display: block;
   width: 100%;
   height: 34px;
@@ -2307,398 +3358,1172 @@ input[type="color"]
   max-width: 348px;
   -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
   -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s; }
-
-  select:hover,
-  textarea:hover,
-  input[type="text"]:hover,
-  input[type="password"]:hover,
-  input[type="datetime"]:hover,
-  input[type="datetime-local"]:hover,
-  input[type="date"]:hover,
-  input[type="month"]:hover,
-  input[type="time"]:hover,
-  input[type="week"]:hover,
-  input[type="number"]:hover,
-  input[type="email"]:hover,
-  input[type="url"]:hover,
-  input[type="search"]:hover,
-  input[type="tel"]:hover,
-  input[type="color"]:hover
-   {
-	color: #000;
-	background-color: none;
-    border-color: #00A7FF;
-	outline: 0; }
-
-  select:focus,
-  textarea:focus,
-  input[type="text"]:focus,
-  input[type="password"]:focus,
-  input[type="datetime"]:focus,
-  input[type="datetime-local"]:focus,
-  input[type="date"]:focus,
-  input[type="month"]:focus,
-  input[type="time"]:focus,
-  input[type="week"]:focus,
-  input[type="number"]:focus,
-  input[type="email"]:focus,
-  input[type="url"]:focus,
-  input[type="search"]:focus,
-  input[type="tel"]:focus,
-  input[type="color"]:focus
-
-   {
+  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+}
+
+input {
+  &[type="text"], &[type="password"], &[type="datetime"], &[type="datetime-local"], &[type="date"], &[type="month"], &[type="time"], &[type="week"], &[type="number"], &[type="email"], &[type="url"], &[type="search"], &[type="tel"], &[type="color"] {
+    display: block;
+    width: 100%;
+    height: 34px;
+    padding: 6px 12px;
+    font-size: 14px;
+    line-height: 1.428571429;
     color: #000;
-	border-color: #00A7FF;
-	background-color: none;
-	outline: 0; }
-
-  select::-moz-placeholder,
-  textarea::-moz-placeholder,
-  input[type="text"]::-moz-placeholder,
-  input[type="password"]::-moz-placeholder,
-  input[type="datetime"]::-moz-placeholder,
-  input[type="datetime-local"]::-moz-placeholder,
-  input[type="date"]::-moz-placeholder,
-  input[type="month"]::-moz-placeholder,
-  input[type="time"]::-moz-placeholder,
-  input[type="week"]::-moz-placeholder,
-  input[type="number"]::-moz-placeholder,
-  input[type="email"]::-moz-placeholder,
-  input[type="url"]::-moz-placeholder,
-  input[type="search"]::-moz-placeholder,
-  input[type="tel"]::-moz-placeholder,
-  input[type="color"]::-moz-placeholder
-   {
-    color: #b7b7b7;
-    opacity: 1;
-	filter: alpha(opacity=100);	}
-
-  select:-ms-input-placeholder,
-  textarea:-ms-input-placeholder,
-  input[type="text"]:-ms-input-placeholder,
-  input[type="password"]:-ms-input-placeholder,
-  input[type="datetime"]:-ms-input-placeholder,
-  input[type="datetime-local"]:-ms-input-placeholder,
-  input[type="date"]:-ms-input-placeholder,
-  input[type="month"]:-ms-input-placeholder,
-  input[type="time"]:-ms-input-placeholder,
-  input[type="week"]:-ms-input-placeholder,
-  input[type="number"]:-ms-input-placeholder,
-  input[type="email"]:-ms-input-placeholder,
-  input[type="url"]:-ms-input-placeholder,
-  input[type="search"]:-ms-input-placeholder,
-  input[type="tel"]:-ms-input-placeholder,
-  input[type="color"]:-ms-input-placeholder
-   {
-    color: #777777; }
-
-  select::-webkit-input-placeholder,
-  textarea::-webkit-input-placeholder,
-  input[type="text"]::-webkit-input-placeholder,
-  input[type="password"]::-webkit-input-placeholder,
-  input[type="datetime"]::-webkit-input-placeholder,
-  input[type="datetime-local"]::-webkit-input-placeholder,
-  input[type="date"]::-webkit-input-placeholder,
-  input[type="month"]::-webkit-input-placeholder,
-  input[type="time"]::-webkit-input-placeholder,
-  input[type="week"]::-webkit-input-placeholder,
-  input[type="number"]::-webkit-input-placeholder,
-  input[type="email"]::-webkit-input-placeholder,
-  input[type="url"]::-webkit-input-placeholder,
-  input[type="search"]::-webkit-input-placeholder,
-  input[type="tel"]::-webkit-input-placeholder,
-  input[type="color"]::-webkit-input-placeholder
-   {
-    color: #777777; }
-
-  select[disabled], select[readonly], fieldset[disabled] select,
-  textarea[disabled],
-  textarea[readonly], fieldset[disabled]
-  textarea,
-  input[type="text"][disabled],
-  input[type="text"][readonly], fieldset[disabled]
-  input[type="text"],
-  input[type="password"][disabled],
-  input[type="password"][readonly], fieldset[disabled]
-  input[type="password"],
-  input[type="datetime"][disabled],
-  input[type="datetime"][readonly], fieldset[disabled]
-  input[type="datetime"],
-  input[type="datetime-local"][disabled],
-  input[type="datetime-local"][readonly], fieldset[disabled]
-  input[type="datetime-local"],
-  input[type="date"][disabled],
-  input[type="date"][readonly], fieldset[disabled]
-  input[type="date"],
-  input[type="month"][disabled],
-  input[type="month"][readonly], fieldset[disabled]
-  input[type="month"],
-  input[type="time"][disabled],
-  input[type="time"][readonly], fieldset[disabled]
-  input[type="time"],
-  input[type="week"][disabled],
-  input[type="week"][readonly], fieldset[disabled]
-  input[type="week"],
-  input[type="number"][disabled],
-  input[type="number"][readonly], fieldset[disabled]
-  input[type="number"],
-  input[type="email"][disabled],
-  input[type="email"][readonly], fieldset[disabled]
-  input[type="email"],
-  input[type="url"][disabled],
-  input[type="url"][readonly], fieldset[disabled]
-  input[type="url"],
-  input[type="search"][disabled],
-  input[type="search"][readonly], fieldset[disabled]
-  input[type="search"],
-  input[type="tel"][disabled],
-  input[type="tel"][readonly], fieldset[disabled]
-  input[type="tel"],
-  input[type="color"][disabled],
-  input[type="color"][readonly], fieldset[disabled]
-  input[type="color"]
-{
-	cursor: not-allowed;
-	background-color: #f0f0f0;
-	opacity: 1.0;
-	filter: alpha(opacity=100);
-	border-color: #4d83a1;
-	color:#a8a8a8;}
-
-  select[disabled]:hover, select[readonly]:hover, fieldset[disabled]:hover,
-  textarea[disabled]:hover,
-  textarea[readonly]:hover, fieldset[disabled]:hover
-  textarea:hover,
-  input[type="text"][disabled]:hover,
-  input[type="text"][readonly]:hover, fieldset[disabled]:hover
-  input[type="text"]:hover,
-  input[type="password"][disabled]:hover,
-  input[type="password"][readonly]:hover, fieldset[disabled]:hover
-  input[type="password"]:hover,
-  input[type="datetime"][disabled]:hover,
-  input[type="datetime"][readonly]:hover, fieldset[disabled]:hover
-  input[type="datetime"]:hover,
-  input[type="datetime-local"][disabled]:hover,
-  input[type="datetime-local"][readonly]:hover, fieldset[disabled]:hover
-  input[type="datetime-local"]:hover,
-  input[type="date"][disabled]:hover,
-  input[type="date"][readonly]:hover, fieldset[disabled]:hover
-  input[type="date"]:hover,
-  input[type="month"][disabled]:hover,
-  input[type="month"][readonly]:hover, fieldset[disabled]:hover
-  input[type="month"]:hover,
-  input[type="time"][disabled]:hover,
-  input[type="time"][readonly]:hover, fieldset[disabled]:hover
-  input[type="time"]:hover,
-  input[type="week"][disabled]:hover,
-  input[type="week"][readonly]:hover, fieldset[disabled]:hover
-  input[type="week"]:hover,
-  input[type="number"][disabled]:hover,
-  input[type="number"][readonly]:hover, fieldset[disabled]:hover
-  input[type="number"]:hover,
-  input[type="email"][disabled]:hover,
-  input[type="email"][readonly]:hover, fieldset[disabled]:hover
-  input[type="email"]:hover,
-  input[type="url"][disabled]:hover,
-  input[type="url"][readonly]:hover, fieldset[disabled]:hover
-  input[type="url"]:hover,
-  input[type="search"][disabled]:hover,
-  input[type="search"][readonly]:hover, fieldset[disabled]:hover
-  input[type="search"]:hover,
-  input[type="tel"][disabled]:hover,
-  input[type="tel"][readonly]:hover, fieldset[disabled]:hover
-  input[type="tel"]:hover,
-  input[type="color"][disabled]:hover,
-  input[type="color"][readonly]:hover, fieldset[disabled]:hover
-  input[type="color"]:hover
-
-   {
-	cursor: not-allowed;
-	background-color: #f0f0f0;
-	color:#a8a8a8;
-	opacity: 1.0;
-	filter: alpha(opacity=100);
-	-webkit-box-shadow: none;
-	box-shadow: none; }
+    background-color: #FFF;
+    background-image: none;
+    border: 1px solid #4d83a1;
+    border-radius: 3px;
+    text-overflow: ellipsis;
+    max-width: 348px;
+    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+  }
+}
 
-textarea {
-  height: auto; }
+select:hover, textarea:hover {
+  color: #000;
+  background-color: none;
+  border-color: #00A7FF;
+  outline: 0;
+}
 
-input[type="search"] {
-  -webkit-appearance: none; }
+input {
+  &[type="text"]:hover, &[type="password"]:hover, &[type="datetime"]:hover, &[type="datetime-local"]:hover, &[type="date"]:hover, &[type="month"]:hover, &[type="time"]:hover, &[type="week"]:hover, &[type="number"]:hover, &[type="email"]:hover, &[type="url"]:hover, &[type="search"]:hover, &[type="tel"]:hover, &[type="color"]:hover {
+    color: #000;
+    background-color: none;
+    border-color: #00A7FF;
+    outline: 0;
+  }
+}
 
-input[type="date"],
-input[type="time"],
-input[type="datetime-local"],
-input[type="month"] {
-  line-height: 34px;
-  line-height: 1.42857 \0; }
-  input[type="date"].input-sm, .form-horizontal .form-group-sm input[type="date"].form-control, .input-group-sm > input[type="date"].form-control,
-  .input-group-sm > input[type="date"].input-group-addon,
-  .input-group-sm > .input-group-btn > input[type="date"].btn,
-  input[type="time"].input-sm,
-  .form-horizontal .form-group-sm input[type="time"].form-control,
-  .input-group-sm > input[type="time"].form-control,
-  .input-group-sm > input[type="time"].input-group-addon,
-  .input-group-sm > .input-group-btn > input[type="time"].btn,
-  input[type="datetime-local"].input-sm,
-  .form-horizontal .form-group-sm input[type="datetime-local"].form-control,
-  .input-group-sm > input[type="datetime-local"].form-control,
-  .input-group-sm > input[type="datetime-local"].input-group-addon,
-  .input-group-sm > .input-group-btn > input[type="datetime-local"].btn,
-  input[type="month"].input-sm,
-  .form-horizontal .form-group-sm input[type="month"].form-control,
-  .input-group-sm > input[type="month"].form-control,
-  .input-group-sm > input[type="month"].input-group-addon,
-  .input-group-sm > .input-group-btn > input[type="month"].btn {
-    line-height: 30px; }
-  input[type="date"].input-lg, .form-horizontal .form-group-lg input[type="date"].form-control, .input-group-lg > input[type="date"].form-control,
-  .input-group-lg > input[type="date"].input-group-addon,
-  .input-group-lg > .input-group-btn > input[type="date"].btn,
-  input[type="time"].input-lg,
-  .form-horizontal .form-group-lg input[type="time"].form-control,
-  .input-group-lg > input[type="time"].form-control,
-  .input-group-lg > input[type="time"].input-group-addon,
-  .input-group-lg > .input-group-btn > input[type="time"].btn,
-  input[type="datetime-local"].input-lg,
-  .form-horizontal .form-group-lg input[type="datetime-local"].form-control,
-  .input-group-lg > input[type="datetime-local"].form-control,
-  .input-group-lg > input[type="datetime-local"].input-group-addon,
-  .input-group-lg > .input-group-btn > input[type="datetime-local"].btn,
-  input[type="month"].input-lg,
-  .form-horizontal .form-group-lg input[type="month"].form-control,
-  .input-group-lg > input[type="month"].form-control,
-  .input-group-lg > input[type="month"].input-group-addon,
-  .input-group-lg > .input-group-btn > input[type="month"].btn {
-    line-height: 46px; }
+select:focus, textarea:focus {
+  color: #000;
+  border-color: #00A7FF;
+  background-color: none;
+  outline: 0;
+}
+
+input {
+  &[type="text"]:focus, &[type="password"]:focus, &[type="datetime"]:focus, &[type="datetime-local"]:focus, &[type="date"]:focus, &[type="month"]:focus, &[type="time"]:focus, &[type="week"]:focus, &[type="number"]:focus, &[type="email"]:focus, &[type="url"]:focus, &[type="search"]:focus, &[type="tel"]:focus, &[type="color"]:focus {
+    color: #000;
+    border-color: #00A7FF;
+    background-color: none;
+    outline: 0;
+  }
+}
+
+select::-moz-placeholder, textarea::-moz-placeholder {
+  color: #b7b7b7;
+  opacity: 1;
+  filter: alpha(opacity = 100);
+}
+
+input {
+  &[type="text"]::-moz-placeholder, &[type="password"]::-moz-placeholder, &[type="datetime"]::-moz-placeholder, &[type="datetime-local"]::-moz-placeholder, &[type="date"]::-moz-placeholder, &[type="month"]::-moz-placeholder, &[type="time"]::-moz-placeholder, &[type="week"]::-moz-placeholder, &[type="number"]::-moz-placeholder, &[type="email"]::-moz-placeholder, &[type="url"]::-moz-placeholder, &[type="search"]::-moz-placeholder, &[type="tel"]::-moz-placeholder, &[type="color"]::-moz-placeholder {
+    color: #b7b7b7;
+    opacity: 1;
+    filter: alpha(opacity = 100);
+  }
+}
+
+select:-ms-input-placeholder, textarea:-ms-input-placeholder {
+  color: #777777;
+}
+
+input {
+  &[type="text"]:-ms-input-placeholder, &[type="password"]:-ms-input-placeholder, &[type="datetime"]:-ms-input-placeholder, &[type="datetime-local"]:-ms-input-placeholder, &[type="date"]:-ms-input-placeholder, &[type="month"]:-ms-input-placeholder, &[type="time"]:-ms-input-placeholder, &[type="week"]:-ms-input-placeholder, &[type="number"]:-ms-input-placeholder, &[type="email"]:-ms-input-placeholder, &[type="url"]:-ms-input-placeholder, &[type="search"]:-ms-input-placeholder, &[type="tel"]:-ms-input-placeholder, &[type="color"]:-ms-input-placeholder {
+    color: #777777;
+  }
+}
+
+select::-webkit-input-placeholder, textarea::-webkit-input-placeholder {
+  color: #777777;
+}
+
+input {
+  &[type="text"]::-webkit-input-placeholder, &[type="password"]::-webkit-input-placeholder, &[type="datetime"]::-webkit-input-placeholder, &[type="datetime-local"]::-webkit-input-placeholder, &[type="date"]::-webkit-input-placeholder, &[type="month"]::-webkit-input-placeholder, &[type="time"]::-webkit-input-placeholder, &[type="week"]::-webkit-input-placeholder, &[type="number"]::-webkit-input-placeholder, &[type="email"]::-webkit-input-placeholder, &[type="url"]::-webkit-input-placeholder, &[type="search"]::-webkit-input-placeholder, &[type="tel"]::-webkit-input-placeholder, &[type="color"]::-webkit-input-placeholder {
+    color: #777777;
+  }
+}
+
+select {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] select {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+textarea {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] textarea {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="text"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="text"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="password"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="password"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="datetime"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="datetime"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="datetime-local"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="datetime-local"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="date"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="date"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="month"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="month"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="time"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="time"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="week"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="week"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="number"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="number"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="email"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="email"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="url"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="url"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="search"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="search"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="tel"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="tel"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+input[type="color"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #4d83a1;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="color"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #4d83a1;
+  color: #a8a8a8;
+}
+
+select {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+textarea {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover textarea:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="text"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="text"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="password"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="password"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="datetime"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="datetime"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="datetime-local"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="datetime-local"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="date"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="date"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="month"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="month"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="time"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="time"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="week"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="week"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="number"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="number"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="email"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="email"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="url"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="url"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="search"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="search"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="tel"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="tel"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="color"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="color"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+textarea {
+  height: auto;
+}
+
+input {
+  &[type="search"] {
+    -webkit-appearance: none;
+  }
+
+  &[type="date"], &[type="time"], &[type="datetime-local"], &[type="month"] {
+    line-height: 34px;
+    line-height: 1.42857 \0;
+  }
+
+  &[type="date"].input-sm {
+    line-height: 30px;
+  }
+}
+
+.form-horizontal .form-group-sm input[type="date"].form-control {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  input[type="date"] {
+    &.form-control, &.input-group-addon {
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > input[type="date"].btn {
+    line-height: 30px;
+  }
+}
+
+input[type="time"].input-sm, .form-horizontal .form-group-sm input[type="time"].form-control {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  input[type="time"] {
+    &.form-control, &.input-group-addon {
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > input[type="time"].btn {
+    line-height: 30px;
+  }
+}
+
+input[type="datetime-local"].input-sm, .form-horizontal .form-group-sm input[type="datetime-local"].form-control {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  input[type="datetime-local"] {
+    &.form-control, &.input-group-addon {
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > input[type="datetime-local"].btn {
+    line-height: 30px;
+  }
+}
+
+input[type="month"].input-sm, .form-horizontal .form-group-sm input[type="month"].form-control {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  input[type="month"] {
+    &.form-control, &.input-group-addon {
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > input[type="month"].btn {
+    line-height: 30px;
+  }
+}
+
+input[type="date"].input-lg, .form-horizontal .form-group-lg input[type="date"].form-control {
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  input[type="date"] {
+    &.form-control, &.input-group-addon {
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > input[type="date"].btn {
+    line-height: 46px;
+  }
+}
+
+input[type="time"].input-lg, .form-horizontal .form-group-lg input[type="time"].form-control {
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  input[type="time"] {
+    &.form-control, &.input-group-addon {
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > input[type="time"].btn {
+    line-height: 46px;
+  }
+}
+
+input[type="datetime-local"].input-lg, .form-horizontal .form-group-lg input[type="datetime-local"].form-control {
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  input[type="datetime-local"] {
+    &.form-control, &.input-group-addon {
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > input[type="datetime-local"].btn {
+    line-height: 46px;
+  }
+}
+
+input[type="month"].input-lg, .form-horizontal .form-group-lg input[type="month"].form-control {
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  input[type="month"] {
+    &.form-control, &.input-group-addon {
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > input[type="month"].btn {
+    line-height: 46px;
+  }
+}
 
 .form-group {
-  margin-bottom: 15px; }
+  margin-bottom: 15px;
+}
 
-.radio,
-.checkbox {
+.radio, .checkbox {
   position: relative;
   display: block;
   min-height: 20px;
   margin-top: 10px;
-  margin-bottom: 10px; }
-  .radio label,
-  .checkbox label {
-    padding-left: 20px;
-    margin-bottom: 0;
-    font-weight: normal;
-    cursor: pointer; }
+  margin-bottom: 10px;
+}
 
-.radio input[type="radio"],
-.radio-inline input[type="radio"],
-.checkbox input[type="checkbox"],
-.checkbox-inline input[type="checkbox"] {
+.radio label, .checkbox label {
+  padding-left: 20px;
+  margin-bottom: 0;
+  font-weight: normal;
+  cursor: pointer;
+}
+
+.radio input[type="radio"], .radio-inline input[type="radio"], .checkbox input[type="checkbox"], .checkbox-inline input[type="checkbox"] {
   position: absolute;
   margin-left: -20px;
-  margin-top: 4px \9; }
+  margin-top: 4px \9;
+}
 
-.radio + .radio,
-.checkbox + .checkbox {
-  margin-top: -5px; }
+.radio + .radio, .checkbox + .checkbox {
+  margin-top: -5px;
+}
 
-.radio-inline,
-.checkbox-inline {
+.radio-inline, .checkbox-inline {
   display: inline-block;
   padding-left: 20px;
   margin-bottom: 0;
   vertical-align: middle;
   font-weight: normal;
-  cursor: pointer; }
+  cursor: pointer;
+}
 
-.radio-inline + .radio-inline,
-.checkbox-inline + .checkbox-inline {
+.radio-inline + .radio-inline, .checkbox-inline + .checkbox-inline {
   margin-top: 0;
-  margin-left: 10px; }
+  margin-left: 10px;
+}
 
-input[type="radio"][disabled], input[type="radio"].disabled, fieldset[disabled] input[type="radio"],
-input[type="checkbox"][disabled],
-input[type="checkbox"].disabled, fieldset[disabled]
-input[type="checkbox"] {
-  cursor: not-allowed; }
+input[type="radio"] {
+  &[disabled], &.disabled {
+    cursor: not-allowed;
+  }
+}
 
-.radio-inline.disabled, fieldset[disabled] .radio-inline,
-.checkbox-inline.disabled, fieldset[disabled]
-.checkbox-inline {
-  cursor: not-allowed; }
+fieldset[disabled] input[type="radio"] {
+  cursor: not-allowed;
+}
 
-.radio.disabled label, fieldset[disabled] .radio label,
-.checkbox.disabled label, fieldset[disabled]
-.checkbox label {
-  cursor: not-allowed; }
+input[type="checkbox"] {
+  &[disabled], &.disabled {
+    cursor: not-allowed;
+  }
+}
+
+fieldset[disabled] input[type="checkbox"], .radio-inline.disabled, fieldset[disabled] .radio-inline, .checkbox-inline.disabled, fieldset[disabled] .checkbox-inline, .radio.disabled label, fieldset[disabled] .radio label, .checkbox.disabled label, fieldset[disabled] .checkbox label {
+  cursor: not-allowed;
+}
 
 .form-control-static {
   padding-top: 7px;
   padding-bottom: 7px;
-  margin-bottom: 0; }
-  .form-control-static.input-lg, .form-horizontal .form-group-lg .form-control-static.form-control, .input-group-lg > .form-control-static.form-control,
-  .input-group-lg > .form-control-static.input-group-addon,
-  .input-group-lg > .input-group-btn > .form-control-static.btn, .form-control-static.input-sm, .form-horizontal .form-group-sm .form-control-static.form-control, .input-group-sm > .form-control-static.form-control,
-  .input-group-sm > .form-control-static.input-group-addon,
-  .input-group-sm > .input-group-btn > .form-control-static.btn {
+  margin-bottom: 0;
+
+  &.input-lg {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+.form-horizontal .form-group-lg .form-control-static.form-control {
+  padding-left: 0;
+  padding-right: 0;
+}
+
+.input-group-lg > {
+  .form-control-static {
+    &.form-control, &.input-group-addon {
+      padding-left: 0;
+      padding-right: 0;
+    }
+  }
+
+  .input-group-btn > .form-control-static.btn {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+.form-control-static.input-sm, .form-horizontal .form-group-sm .form-control-static.form-control {
+  padding-left: 0;
+  padding-right: 0;
+}
+
+.input-group-sm > {
+  .form-control-static {
+    &.form-control, &.input-group-addon {
+      padding-left: 0;
+      padding-right: 0;
+    }
+  }
+
+  .input-group-btn > .form-control-static.btn {
     padding-left: 0;
-    padding-right: 0; }
+    padding-right: 0;
+  }
+}
 
-.input-sm, .form-horizontal .form-group-sm .form-control, .input-group-sm > .form-control,
-.input-group-sm > .input-group-addon,
-.input-group-sm > .input-group-btn > .btn {
+.input-sm, .form-horizontal .form-group-sm .form-control {
   height: 30px;
   padding: 5px 10px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
-select.input-sm, .form-horizontal .form-group-sm select.form-control, .input-group-sm > select.form-control,
-.input-group-sm > select.input-group-addon,
-.input-group-sm > .input-group-btn > select.btn {
+.input-group-sm > {
+  .form-control, .input-group-addon, .input-group-btn > .btn {
+    height: 30px;
+    padding: 5px 10px;
+    font-size: 12px;
+    line-height: 1.5;
+    border-radius: 3px;
+  }
+}
+
+select.input-sm, .form-horizontal .form-group-sm select.form-control {
   height: 30px;
-  line-height: 30px; }
-
-textarea.input-sm, .form-horizontal .form-group-sm textarea.form-control, .input-group-sm > textarea.form-control,
-.input-group-sm > textarea.input-group-addon,
-.input-group-sm > .input-group-btn > textarea.btn,
-select[multiple].input-sm,
-.form-horizontal .form-group-sm select[multiple].form-control,
-.input-group-sm > select[multiple].form-control,
-.input-group-sm > select[multiple].input-group-addon,
-.input-group-sm > .input-group-btn > select[multiple].btn {
-  height: auto; }
-
-.input-lg, .form-horizontal .form-group-lg .form-control, .input-group-lg > .form-control,
-.input-group-lg > .input-group-addon,
-.input-group-lg > .input-group-btn > .btn {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  select {
+    &.form-control, &.input-group-addon {
+      height: 30px;
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > select.btn {
+    height: 30px;
+    line-height: 30px;
+  }
+}
+
+textarea.input-sm, .form-horizontal .form-group-sm textarea.form-control {
+  height: auto;
+}
+
+.input-group-sm > {
+  textarea {
+    &.form-control, &.input-group-addon {
+      height: auto;
+    }
+  }
+
+  .input-group-btn > textarea.btn {
+    height: auto;
+  }
+}
+
+select[multiple].input-sm, .form-horizontal .form-group-sm select[multiple].form-control {
+  height: auto;
+}
+
+.input-group-sm > {
+  select[multiple] {
+    &.form-control, &.input-group-addon {
+      height: auto;
+    }
+  }
+
+  .input-group-btn > select[multiple].btn {
+    height: auto;
+  }
+}
+
+.input-lg, .form-horizontal .form-group-lg .form-control {
   height: 46px;
   padding: 10px 16px;
   font-size: 18px;
   line-height: 1.33;
-  border-radius: 6px; }
+  border-radius: 6px;
+}
+
+.input-group-lg > {
+  .form-control, .input-group-addon, .input-group-btn > .btn {
+    height: 46px;
+    padding: 10px 16px;
+    font-size: 18px;
+    line-height: 1.33;
+    border-radius: 6px;
+  }
+}
 
-select.input-lg, .form-horizontal .form-group-lg select.form-control, .input-group-lg > select.form-control,
-.input-group-lg > select.input-group-addon,
-.input-group-lg > .input-group-btn > select.btn {
+select.input-lg, .form-horizontal .form-group-lg select.form-control {
   height: 46px;
-  line-height: 46px; }
-
-textarea.input-lg, .form-horizontal .form-group-lg textarea.form-control, .input-group-lg > textarea.form-control,
-.input-group-lg > textarea.input-group-addon,
-.input-group-lg > .input-group-btn > textarea.btn,
-select[multiple].input-lg,
-.form-horizontal .form-group-lg select[multiple].form-control,
-.input-group-lg > select[multiple].form-control,
-.input-group-lg > select[multiple].input-group-addon,
-.input-group-lg > .input-group-btn > select[multiple].btn {
-  height: auto; }
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  select {
+    &.form-control, &.input-group-addon {
+      height: 46px;
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > select.btn {
+    height: 46px;
+    line-height: 46px;
+  }
+}
+
+textarea.input-lg, .form-horizontal .form-group-lg textarea.form-control {
+  height: auto;
+}
+
+.input-group-lg > {
+  textarea {
+    &.form-control, &.input-group-addon {
+      height: auto;
+    }
+  }
+
+  .input-group-btn > textarea.btn {
+    height: auto;
+  }
+}
+
+select[multiple].input-lg, .form-horizontal .form-group-lg select[multiple].form-control {
+  height: auto;
+}
+
+.input-group-lg > {
+  select[multiple] {
+    &.form-control, &.input-group-addon {
+      height: auto;
+    }
+  }
+
+  .input-group-btn > select[multiple].btn {
+    height: auto;
+  }
+}
 
 .has-feedback {
-  position: relative; }
-  .has-feedback .form-control {
-    padding-right: 42.5px; }
+  position: relative;
+
+  .form-control {
+    padding-right: 42.5px;
+  }
+}
 
 .form-control-feedback {
   position: absolute;
@@ -2709,173 +4534,236 @@ select[multiple].input-lg,
   width: 34px;
   height: 34px;
   line-height: 34px;
-  text-align: center; }
+  text-align: center;
+}
 
-.input-lg + .form-control-feedback, .form-horizontal .form-group-lg .form-control + .form-control-feedback, .input-group-lg > .form-control + .form-control-feedback,
-.input-group-lg > .input-group-addon + .form-control-feedback,
-.input-group-lg > .input-group-btn > .btn + .form-control-feedback {
+.input-lg + .form-control-feedback, .form-horizontal .form-group-lg .form-control + .form-control-feedback {
   width: 46px;
   height: 46px;
-  line-height: 46px; }
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  .form-control + .form-control-feedback, .input-group-addon + .form-control-feedback, .input-group-btn > .btn + .form-control-feedback {
+    width: 46px;
+    height: 46px;
+    line-height: 46px;
+  }
+}
 
-.input-sm + .form-control-feedback, .form-horizontal .form-group-sm .form-control + .form-control-feedback, .input-group-sm > .form-control + .form-control-feedback,
-.input-group-sm > .input-group-addon + .form-control-feedback,
-.input-group-sm > .input-group-btn > .btn + .form-control-feedback {
+.input-sm + .form-control-feedback, .form-horizontal .form-group-sm .form-control + .form-control-feedback {
   width: 30px;
   height: 30px;
-  line-height: 30px; }
-
-.has-success .help-block,
-.has-success .control-label,
-.has-success .radio,
-.has-success .checkbox,
-.has-success .radio-inline,
-.has-success .checkbox-inline {
-  color: #9BD275; }
-.has-success .form-control {
-  border-color: #9BD275;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
-  .has-success .form-control:focus {
-    border-color: #7fc54f;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2; }
-
-.has-success .input-group-addon {
-  color: #9BD275;
-  border-color: #9BD275;
-  background-color: #9BD275; }
-.has-success .form-control-feedback {
-  color: #9BD275; }
-
-.has-warning .help-block,
-.has-warning .control-label,
-.has-warning .radio,
-.has-warning .checkbox,
-.has-warning .radio-inline,
-.has-warning .checkbox-inline {
-  color: #f0ad4e; }
-.has-warning .form-control {
-  border-color: #f0ad4e;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
-  .has-warning .form-control:focus {
-    border-color: #ec971f;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac; }
-.has-warning .input-group-addon {
-  color: #f0ad4e;
-  border-color: #f0ad4e;
-  background-color: #fcf8e3; }
-.has-warning .form-control-feedback {
-  color: #f0ad4e; }
-
-.has-error .help-block,
-.has-error .control-label,
-.has-error .radio,
-.has-error .checkbox,
-.has-error .radio-inline,
-.has-error .checkbox-inline {
-  color: #FC3803; }
-.has-error .form-control {
-  border-color: #FC3803;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
-  .has-error .form-control:focus {
-    border-color: #FC2E03;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae; }
-
-.has-error .input-group-addon {
-  color: #F05050;
-  border-color: #F05050;
-  background-color: #F05050; }
-.has-error .form-control-feedback {
-  color: #F05050; }
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  .form-control + .form-control-feedback, .input-group-addon + .form-control-feedback, .input-group-btn > .btn + .form-control-feedback {
+    width: 30px;
+    height: 30px;
+    line-height: 30px;
+  }
+}
+
+.has-success {
+  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
+    color: #9BD275;
+  }
+
+  .form-control {
+    border-color: #9BD275;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
+    &:focus {
+      border-color: #7fc54f;
+      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
+      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
+    }
+  }
+
+  .input-group-addon {
+    color: #9BD275;
+    border-color: #9BD275;
+    background-color: #9BD275;
+  }
+
+  .form-control-feedback {
+    color: #9BD275;
+  }
+}
+
+.has-warning {
+  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
+    color: #f0ad4e;
+  }
+
+  .form-control {
+    border-color: #f0ad4e;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
+    &:focus {
+      border-color: #ec971f;
+      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
+      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
+    }
+  }
+
+  .input-group-addon {
+    color: #f0ad4e;
+    border-color: #f0ad4e;
+    background-color: #fcf8e3;
+  }
+
+  .form-control-feedback {
+    color: #f0ad4e;
+  }
+}
+
+.has-error {
+  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
+    color: #FC3803;
+  }
+
+  .form-control {
+    border-color: #FC3803;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
+    &:focus {
+      border-color: #FC2E03;
+      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
+      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
+    }
+  }
+
+  .input-group-addon {
+    color: #F05050;
+    border-color: #F05050;
+    background-color: #F05050;
+  }
+
+  .form-control-feedback {
+    color: #F05050;
+  }
+}
 
 .has-feedback label.sr-only ~ .form-control-feedback {
-  top: 0; }
+  top: 0;
+}
 
 .help-block {
   display: block;
   margin-top: 5px;
   margin-bottom: 10px;
-  color: #7c7c7a; }
+  color: #7c7c7a;
+}
 
 @media (min-width: 768px) {
   .form-inline .form-group, .navbar-form .form-group {
     display: inline-block;
     margin-bottom: 0;
-    vertical-align: middle; }
+    vertical-align: middle;
+  }
+
   .form-inline .form-control, .navbar-form .form-control {
     display: inline-block;
     width: auto;
-    vertical-align: middle; }
+    vertical-align: middle;
+  }
+
   .form-inline .input-group, .navbar-form .input-group {
     display: inline-table;
-    vertical-align: middle; }
-    .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon,
-    .form-inline .input-group .input-group-btn,
-    .navbar-form .input-group .input-group-btn,
-    .form-inline .input-group .form-control,
-    .navbar-form .input-group .form-control {
-      width: auto; }
+    vertical-align: middle;
+  }
+
+  .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon, .form-inline .input-group .input-group-btn, .navbar-form .input-group .input-group-btn, .form-inline .input-group .form-control, .navbar-form .input-group .form-control {
+    width: auto;
+  }
+
   .form-inline .input-group > .form-control, .navbar-form .input-group > .form-control {
-    width: 100%; }
+    width: 100%;
+  }
+
   .form-inline .control-label, .navbar-form .control-label {
     margin-bottom: 0;
-    vertical-align: middle; }
-  .form-inline .radio, .navbar-form .radio,
-  .form-inline .checkbox,
-  .navbar-form .checkbox {
+    vertical-align: middle;
+  }
+
+  .form-inline .radio, .navbar-form .radio, .form-inline .checkbox, .navbar-form .checkbox {
     display: inline-block;
     margin-top: 0;
     margin-bottom: 0;
-    vertical-align: middle; }
-    .form-inline .radio label, .navbar-form .radio label,
-    .form-inline .checkbox label,
-    .navbar-form .checkbox label {
-      padding-left: 0; }
-  .form-inline .radio input[type="radio"], .navbar-form .radio input[type="radio"],
-  .form-inline .checkbox input[type="checkbox"],
-  .navbar-form .checkbox input[type="checkbox"] {
+    vertical-align: middle;
+  }
+
+  .form-inline .radio label, .navbar-form .radio label, .form-inline .checkbox label, .navbar-form .checkbox label {
+    padding-left: 0;
+  }
+
+  .form-inline .radio input[type="radio"], .navbar-form .radio input[type="radio"], .form-inline .checkbox input[type="checkbox"], .navbar-form .checkbox input[type="checkbox"] {
     position: relative;
-    margin-left: 0; }
+    margin-left: 0;
+  }
+
   .form-inline .has-feedback .form-control-feedback, .navbar-form .has-feedback .form-control-feedback {
-    top: 0; } }
+    top: 0;
+  }
+}
+
+.form-horizontal {
+  .radio, .checkbox, .radio-inline, .checkbox-inline {
+    margin-top: 0;
+    margin-bottom: 0;
+    padding-top: 7px;
+  }
+
+  .radio, .checkbox {
+    min-height: 27px;
+  }
+
+  .form-group {
+    margin-left: -20px;
+    margin-right: -20px;
+
+    &:before {
+      content: " ";
+      display: table;
+    }
+
+    &:after {
+      content: " ";
+      display: table;
+      clear: both;
+    }
+  }
+
+  .has-feedback control-feedback {
+    top: 0;
+    right: 20px;
+  }
+}
 
-.form-horizontal .radio,
-.form-horizontal .checkbox,
-.form-horizontal .radio-inline,
-.form-horizontal .checkbox-inline {
-  margin-top: 0;
-  margin-bottom: 0;
-  padding-top: 7px; }
-.form-horizontal .radio,
-.form-horizontal .checkbox {
-  min-height: 27px; }
-.form-horizontal .form-group {
-  margin-left: -20px;
-  margin-right: -20px; }
-  .form-horizontal .form-group:before, .form-horizontal .form-group:after {
-    content: " ";
-    display: table; }
-  .form-horizontal .form-group:after {
-    clear: both; }
 @media (min-width: 768px) {
   .form-horizontal .control-label {
     text-align: right;
     margin-bottom: 0;
-    padding-top: 7px; } }
-.form-horizontal .has-feedback control-feedback {
-  top: 0;
-  right: 20px; }
+    padding-top: 7px;
+  }
+}
+
 @media (min-width: 768px) {
   .form-horizontal .form-group-lg .control-label {
-    padding-top: 14.3px; } }
+    padding-top: 14.3px;
+  }
+}
+
 @media (min-width: 768px) {
   .form-horizontal .form-group-sm .control-label {
-    padding-top: 6px; } }
+    padding-top: 6px;
+  }
+}
 
 .btn {
   display: inline-block;
@@ -2897,232 +4785,639 @@ select[multiple].input-lg,
   color: #FFFFFF;
   background-color: #457995;
   border: 1px solid #1b4257;
-  outline:0; }
-.btn:active, .btn.active, .open > .btn.dropdown-toggle {
-   color: #FFF;
+  outline: 0;
+
+  &:active, &.active {
+    color: #FFF;
     background-color: #30596f;
-	outline:0;
+    outline: 0;
     border-color: #1d1d1d;
-	text-decoration: none; }
-.btn:hover, .btn:focus {
-	background-color: #315a71;
-	color: #FFF;
-	border-radius: 3px;
-	border: 1px solid #1b4257;
-	text-decoration: none;}
-
-  .btn:active, .btn.active, .open > .btn.dropdown-toggle {
+    text-decoration: none;
+  }
+}
+
+.open > .btn.dropdown-toggle {
+  color: #FFF;
+  background-color: #30596f;
+  outline: 0;
+  border-color: #1d1d1d;
+  text-decoration: none;
+}
+
+.btn {
+  &:hover, &:focus {
+    background-color: #315a71;
+    color: #FFF;
+    border-radius: 3px;
+    border: 1px solid #1b4257;
+    text-decoration: none;
+  }
+
+  &:active, &.active {
     background-image: none;
-	outline:0; }
-  .btn.disabled, .btn.disabled:hover, .btn.disabled:focus, .btn.disabled:active, .btn.disabled.active, .btn[disabled], .btn[disabled]:hover, .btn[disabled]:focus, .btn[disabled]:active, .btn[disabled].active, fieldset[disabled] .btn, fieldset[disabled] .btn:hover, fieldset[disabled] .btn:focus, fieldset[disabled] .btn:active, fieldset[disabled] .btn.active {
+    outline: 0;
+  }
+}
+
+.open > .btn.dropdown-toggle {
+  background-image: none;
+  outline: 0;
+}
+
+.btn {
+  &.disabled {
+    background-color: #FFFFFF;
+    border-color: #1d1d1d;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FFFFFF;
+      border-color: #1d1d1d;
+      outline: 0;
+    }
+  }
+
+  &[disabled] {
+    background-color: #FFFFFF;
+    border-color: #1d1d1d;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FFFFFF;
+      border-color: #1d1d1d;
+      outline: 0;
+    }
+  }
+}
+
+fieldset[disabled] .btn {
+  background-color: #FFFFFF;
+  border-color: #1d1d1d;
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
     background-color: #FFFFFF;
     border-color: #1d1d1d;
-	outline:0; }
+    outline: 0;
+  }
+}
 
-  .btn .badge {
+.btn {
+  .badge {
     color: #FFFFFF;
-    background-color: #3e3e3e; }
-  .btn:focus, .btn:active:focus, .btn.active:focus {
+    background-color: #3e3e3e;
+  }
+
+  &:focus, &:active:focus, &.active:focus {
     outline: thin dotted;
     outline: 5px auto -webkit-focus-ring-color;
     outline-offset: -2px;
-	outline:0; }
+    outline: 0;
+  }
+
+  &:active, &.active {
+    outline: 0;
+  }
 
-  .btn:active, .btn.active {
-    outline: 0;  }
-  .btn.disabled, .btn[disabled], fieldset[disabled] .btn {
+  &.disabled, &[disabled] {
     cursor: not-allowed;
     pointer-events: none;
     opacity: 0.30;
-    filter: alpha(opacity=30);
+    filter: alpha(opacity = 30);
     -webkit-box-shadow: none;
-    box-shadow: none; }
+    box-shadow: none;
+  }
+}
 
-.act_flush:hover, .act_flush:focus {
-  color: #FFF;
-  background-color: #336480;
-  border-color: 1px solid #1d1d1d;
-  outline:0; }
+fieldset[disabled] .btn {
+  cursor: not-allowed;
+  pointer-events: none;
+  opacity: 0.30;
+  filter: alpha(opacity = 30);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+.act_flush {
+  &:hover, &:focus {
+    color: #FFF;
+    background-color: #336480;
+    border-color: 1px solid #1d1d1d;
+    outline: 0;
+  }
+}
 
-  .btn-default:active, .btn-default.active, .open > .btn-default.dropdown-toggle {
+.btn-default {
+  &:active, &.active {
     background-image: none;
-    outline:0; }
-  .btn-default.disabled, .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active, .btn-default[disabled], .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active, fieldset[disabled] .btn-default, fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
+    outline: 0;
+  }
+}
+
+.open > .btn-default.dropdown-toggle {
+  background-image: none;
+  outline: 0;
+}
+
+.btn-default {
+  &.disabled {
     background-color: #FFFFFF;
     border-color: 1px solid #1d1d1d;
-    outline:0; }
-  .btn-default .badge {
-    color: #FFFFFF;
-    background-color: #3e3e3e;
-    outline:0; }
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FFFFFF;
+      border-color: 1px solid #1d1d1d;
+      outline: 0;
+    }
+  }
+
+  &[disabled] {
+    background-color: #FFFFFF;
+    border-color: 1px solid #1d1d1d;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FFFFFF;
+      border-color: 1px solid #1d1d1d;
+      outline: 0;
+    }
+  }
+}
+
+fieldset[disabled] .btn-default {
+  background-color: #FFFFFF;
+  border-color: 1px solid #1d1d1d;
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #FFFFFF;
+    border-color: 1px solid #1d1d1d;
+    outline: 0;
+  }
+}
+
+.btn-default .badge {
+  color: #FFFFFF;
+  background-color: #3e3e3e;
+  outline: 0;
+}
 
 .btn-primary {
   color: #fff !important;
   background-color: #FF7E25;
   border: 1px solid #6c6c6c;
-  outline:0;   }
-  .btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #EC7726;
     border-color: 1px solid #6c6c6c;
-    outline:0; }
+    outline: 0;
+  }
+}
+
+.open > .btn-primary.dropdown-toggle {
+  color: #fff;
+  background-color: #EC7726;
+  border-color: 1px solid #6c6c6c;
+  outline: 0;
+}
+
+.btn-primary {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-primary.dropdown-toggle {
+  background-image: none;
+}
+
+.btn-primary {
+  &.disabled {
+    background-color: #FF7E25;
+    border-color: #6c6c6c;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FF7E25;
+      border-color: #6c6c6c;
+      outline: 0;
+    }
+  }
 
-  .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
-    background-image: none; }
-  .btn-primary.disabled, .btn-primary.disabled:hover, .btn-primary.disabled:focus, .btn-primary.disabled:active, .btn-primary.disabled.active, .btn-primary[disabled], .btn-primary[disabled]:hover, .btn-primary[disabled]:focus, .btn-primary[disabled]:active, .btn-primary[disabled].active, fieldset[disabled] .btn-primary, fieldset[disabled] .btn-primary:hover, fieldset[disabled] .btn-primary:focus, fieldset[disabled] .btn-primary:active, fieldset[disabled] .btn-primary.active {
+  &[disabled] {
     background-color: #FF7E25;
     border-color: #6c6c6c;
-    outline:0; }
+    outline: 0;
 
-  .btn-primary .badge {
-    color: #FF8B00;
-    background-color: #fff; }
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FF7E25;
+      border-color: #6c6c6c;
+      outline: 0;
+    }
+  }
+}
+
+fieldset[disabled] .btn-primary {
+  background-color: #FF7E25;
+  border-color: #6c6c6c;
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #FF7E25;
+    border-color: #6c6c6c;
+    outline: 0;
+  }
+}
+
+.btn-primary .badge {
+  color: #FF8B00;
+  background-color: #fff;
+}
 
 .btn-success {
   color: #fff;
   background-color: #85ce53;
-  border-color: #323232; }
-  .btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
+  border-color: #323232;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #7fc54f;
     border-color: #323232;
-	outline:0; }
-  .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
-    background-image: none; }
-  .btn-success.disabled, .btn-success.disabled:hover, .btn-success.disabled:focus, .btn-success.disabled:active, .btn-success.disabled.active, .btn-success[disabled], .btn-success[disabled]:hover, .btn-success[disabled]:focus, .btn-success[disabled]:active, .btn-success[disabled].active, fieldset[disabled] .btn-success, fieldset[disabled] .btn-success:hover, fieldset[disabled] .btn-success:focus, fieldset[disabled] .btn-success:active, fieldset[disabled] .btn-success.active {
+    outline: 0;
+  }
+}
+
+.open > .btn-success.dropdown-toggle {
+  color: #fff;
+  background-color: #7fc54f;
+  border-color: #323232;
+  outline: 0;
+}
+
+.btn-success {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-success.dropdown-toggle {
+  background-image: none;
+}
+
+.btn-success {
+  &.disabled {
     background-color: #9BD275;
     border-color: #8dcc62;
-	outline:0; }
+    outline: 0;
 
-  .btn-success .badge {
-    color: #9BD275;
-    background-color: #fff; }
+    &:hover, &:focus, &:active, &.active {
+      background-color: #9BD275;
+      border-color: #8dcc62;
+      outline: 0;
+    }
+  }
+
+  &[disabled] {
+    background-color: #9BD275;
+    border-color: #8dcc62;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #9BD275;
+      border-color: #8dcc62;
+      outline: 0;
+    }
+  }
+}
+
+fieldset[disabled] .btn-success {
+  background-color: #9BD275;
+  border-color: #8dcc62;
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #9BD275;
+    border-color: #8dcc62;
+    outline: 0;
+  }
+}
+
+.btn-success .badge {
+  color: #9BD275;
+  background-color: #fff;
+}
 
 .btn-info {
   color: #fff;
   background-color: #B0CDDB;
-  border-color: #9ec2d3; }
-  .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
+  border-color: #9ec2d3;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #8db7cb;
-    border-color: #74a7c0; }
+    border-color: #74a7c0;
+  }
+}
 
-  .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
-    background-image: none; }
-  .btn-info.disabled, .btn-info.disabled:hover, .btn-info.disabled:focus, .btn-info.disabled:active, .btn-info.disabled.active, .btn-info[disabled], .btn-info[disabled]:hover, .btn-info[disabled]:focus, .btn-info[disabled]:active, .btn-info[disabled].active, fieldset[disabled] .btn-info, fieldset[disabled] .btn-info:hover, fieldset[disabled] .btn-info:focus, fieldset[disabled] .btn-info:active, fieldset[disabled] .btn-info.active {
+.open > .btn-info.dropdown-toggle {
+  color: #fff;
+  background-color: #8db7cb;
+  border-color: #74a7c0;
+}
+
+.btn-info {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-info.dropdown-toggle {
+  background-image: none;
+}
+
+.btn-info {
+  &.disabled {
+    background-color: #B0CDDB;
+    border-color: #9ec2d3;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #B0CDDB;
+      border-color: #9ec2d3;
+    }
+  }
+
+  &[disabled] {
+    background-color: #B0CDDB;
+    border-color: #9ec2d3;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #B0CDDB;
+      border-color: #9ec2d3;
+    }
+  }
+}
+
+fieldset[disabled] .btn-info {
+  background-color: #B0CDDB;
+  border-color: #9ec2d3;
+
+  &:hover, &:focus, &:active, &.active {
     background-color: #B0CDDB;
-    border-color: #9ec2d3; }
+    border-color: #9ec2d3;
+  }
+}
 
-  .btn-info .badge {
-    color: #B0CDDB;
-    background-color: #fff; }
+.btn-info .badge {
+  color: #B0CDDB;
+  background-color: #fff;
+}
 
 .btn-warning {
   color: #fff;
   background-color: #FF7E25;
-  border-color: #1b4257; }
-  .btn-warning:hover, .btn-warning:focus, .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
+  border-color: #1b4257;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #EC7726;
-    border-color: #1b4257; }
+    border-color: #1b4257;
+  }
+}
+
+.open > .btn-warning.dropdown-toggle {
+  color: #fff;
+  background-color: #EC7726;
+  border-color: #1b4257;
+}
+
+.btn-warning {
+  &:active, &.active {
+    background-image: none;
+  }
+}
 
-  .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
-    background-image: none; }
-  .btn-warning.disabled, .btn-warning.disabled:hover, .btn-warning.disabled:focus, .btn-warning.disabled:active, .btn-warning.disabled.active, .btn-warning[disabled], .btn-warning[disabled]:hover, .btn-warning[disabled]:focus, .btn-warning[disabled]:active, .btn-warning[disabled].active, fieldset[disabled] .btn-warning, fieldset[disabled] .btn-warning:hover, fieldset[disabled] .btn-warning:focus, fieldset[disabled] .btn-warning:active, fieldset[disabled] .btn-warning.active {
+.open > .btn-warning.dropdown-toggle {
+  background-image: none;
+}
+
+.btn-warning {
+  &.disabled {
     background-color: #f0ad4e;
-    border-color: #eea236; }
+    border-color: #eea236;
 
-  .btn-warning .badge {
-    color: #f0ad4e;
-    background-color: #fff; }
+    &:hover, &:focus, &:active, &.active {
+      background-color: #f0ad4e;
+      border-color: #eea236;
+    }
+  }
+
+  &[disabled] {
+    background-color: #f0ad4e;
+    border-color: #eea236;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #f0ad4e;
+      border-color: #eea236;
+    }
+  }
+}
+
+fieldset[disabled] .btn-warning {
+  background-color: #f0ad4e;
+  border-color: #eea236;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #f0ad4e;
+    border-color: #eea236;
+  }
+}
+
+.btn-warning .badge {
+  color: #f0ad4e;
+  background-color: #fff;
+}
 
 .btn-danger {
   color: #fff;
   background-color: #CB4326;
-  border-color: #1B4257; }
-  .btn-danger:hover, .btn-danger:focus, .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
+  border-color: #1B4257;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #B63B21;
-    border-color: #1B4257; }
-  .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
-    background-image: none; }
-  .btn-danger.disabled, .btn-danger.disabled:hover, .btn-danger.disabled:focus, .btn-danger.disabled:active, .btn-danger.disabled.active, .btn-danger[disabled], .btn-danger[disabled]:hover, .btn-danger[disabled]:focus, .btn-danger[disabled]:active, .btn-danger[disabled].active, fieldset[disabled] .btn-danger, fieldset[disabled] .btn-danger:hover, fieldset[disabled] .btn-danger:focus, fieldset[disabled] .btn-danger:active, fieldset[disabled] .btn-danger.active {
+    border-color: #1B4257;
+  }
+}
+
+.open > .btn-danger.dropdown-toggle {
+  color: #fff;
+  background-color: #B63B21;
+  border-color: #1B4257;
+}
+
+.btn-danger {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-danger.dropdown-toggle {
+  background-image: none;
+}
+
+.btn-danger {
+  &.disabled {
     background-color: #F05050;
-    border-color: #ee3939; }
-  .btn-danger .badge {
-    color: #F05050;
-    background-color: #fff; }
+    border-color: #ee3939;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #F05050;
+      border-color: #ee3939;
+    }
+  }
+
+  &[disabled] {
+    background-color: #F05050;
+    border-color: #ee3939;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #F05050;
+      border-color: #ee3939;
+    }
+  }
+}
+
+fieldset[disabled] .btn-danger {
+  background-color: #F05050;
+  border-color: #ee3939;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #F05050;
+    border-color: #ee3939;
+  }
+}
+
+.btn-danger .badge {
+  color: #F05050;
+  background-color: #fff;
+}
 
 .btn-link {
   color: #FF8B00;
   font-weight: normal;
   cursor: pointer;
-  border-radius: 0; }
-  .btn-link, .btn-link:active, .btn-link[disabled], fieldset[disabled] .btn-link {
+  border-radius: 0;
+  background-color: transparent;
+  -webkit-box-shadow: none;
+  box-shadow: none;
+
+  &:active, &[disabled] {
     background-color: transparent;
     -webkit-box-shadow: none;
-    box-shadow: none; }
-  .btn-link, .btn-link:hover, .btn-link:focus, .btn-link:active {
-    border-color: transparent; }
-  .btn-link:hover, .btn-link:focus {
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled] .btn-link {
+  background-color: transparent;
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+.btn-link {
+  border-color: transparent;
+
+  &:hover, &:focus, &:active {
+    border-color: transparent;
+  }
+
+  &:hover, &:focus {
     color: #9f4d03;
     text-decoration: underline;
-    background-color: transparent; }
+    background-color: transparent;
+  }
 
-  .btn-link[disabled]:hover, .btn-link[disabled]:focus, fieldset[disabled] .btn-link:hover, fieldset[disabled] .btn-link:focus {
-    color: #777777;
-    text-decoration: none; }
+  &[disabled] {
+    &:hover, &:focus {
+      color: #777777;
+      text-decoration: none;
+    }
+  }
+}
 
+fieldset[disabled] .btn-link {
+  &:hover, &:focus {
+    color: #777777;
+    text-decoration: none;
+  }
+}
 
 .btn-lg, .btn-group-lg > .btn {
   padding: 9px 12px;
   font-size: 18px;
-  line-height: 1.33; }
+  line-height: 1.33;
+}
 
 .btn-sm, .btn-group-sm > .btn {
   padding: 5px 10px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 .btn-xs, .btn-group-xs > .btn {
   padding: 1px 4px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 .btn-block {
   display: block;
-  width: 100%; }
+  width: 100%;
 
-.btn-block + .btn-block {
-  margin-top: 5px; }
+  + .btn-block {
+    margin-top: 5px;
+  }
+}
 
-input[type="submit"].btn-block,
-input[type="reset"].btn-block,
-input[type="button"].btn-block {
-  width: 100%; }
+input {
+  &[type="submit"].btn-block, &[type="reset"].btn-block, &[type="button"].btn-block {
+    width: 100%;
+  }
+}
 
 .fade {
   opacity: 0;
-  filter: alpha(opacity=0);
+  filter: alpha(opacity = 0);
   -webkit-transition: opacity 0.15s linear;
   -o-transition: opacity 0.15s linear;
-  transition: opacity 0.15s linear; }
-  .fade.in {
-    opacity: 1; filter: alpha(opacity=100); }
+  transition: opacity 0.15s linear;
 
+  &.in {
+    opacity: 1;
+    filter: alpha(opacity = 100);
+  }
+}
 
 .collapse {
-  display: none; }
-  .collapse.in {
-    display: block; }
+  display: none;
+
+  &.in {
+    display: block;
+  }
+}
 
 tr.collapse.in {
-  display: table-row; }
+  display: table-row;
+}
 
 tbody.collapse.in {
-  display: table-row-group; }
+  display: table-row-group;
+}
 
 .collapsing {
   position: relative;
@@ -3130,7 +5425,8 @@ tbody.collapse.in {
   overflow: hidden;
   -webkit-transition: height 0.35s ease;
   -o-transition: height 0.35s ease;
-  transition: height 0.35s ease; }
+  transition: height 0.35s ease;
+}
 
 .caret {
   display: inline-block;
@@ -3140,14 +5436,16 @@ tbody.collapse.in {
   vertical-align: middle;
   border-top: 4px solid;
   border-right: 4px solid transparent;
-  border-left: 4px solid transparent; }
+  border-left: 4px solid transparent;
+}
 
 .dropdown {
-  position: relative; }
-
+  position: relative;
+}
 
 .dropdown-toggle:focus {
-  outline: 0; }
+  outline: 0;
+}
 
 .dropdown-menu {
   position: absolute;
@@ -3171,65 +5469,93 @@ tbody.collapse.in {
   -webkit-box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   background-clip: padding-box;
-  -webkit-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
-  -moz-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
-  box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
-  opacity: 0.97; }
+  -webkit-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
+  -moz-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
+  box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
+  opacity: 0.97;
 
-  .dropdown-menu.pull-right {
+  &.pull-right {
     right: 0;
     left: auto;
-    background-color: #e5e5e5; }
+    background-color: #e5e5e5;
+  }
 
-  .dropdown-menu .divider {
+  .divider {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5; }
-  .dropdown-menu > li > a {
-    display: block;
-    padding: 3px 20px;
-    clear: both;
-    font-weight: normal;
-    line-height: 1.428571429;
-    color: #fff;
-    white-space: nowrap;
-	outline:0;}
+    background-color: #e5e5e5;
+  }
 
-.dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus {
-  text-decoration: none;
-  color: #FFFFFF;
-  background-color: #FF7E25; }
+  > {
+    li > a {
+      display: block;
+      padding: 3px 20px;
+      clear: both;
+      font-weight: normal;
+      line-height: 1.428571429;
+      color: #fff;
+      white-space: nowrap;
+      outline: 0;
 
-.dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus {
-  color: #fff;
-  text-decoration: none;
-  outline: 0;
-  background-color: #FF7E25; }
+      &:hover, &:focus {
+        text-decoration: none;
+        color: #FFFFFF;
+        background-color: #FF7E25;
+      }
+    }
 
-.dropdown-menu > .disabled > a, .dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
-  color: #777777; }
+    .active > a {
+      color: #fff;
+      text-decoration: none;
+      outline: 0;
+      background-color: #FF7E25;
 
-.dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
-  text-decoration: none;
-  background-color: transparent;
-  background-image: none;
-  filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
-  cursor: not-allowed; }
+      &:hover, &:focus {
+        color: #fff;
+        text-decoration: none;
+        outline: 0;
+        background-color: #FF7E25;
+      }
+    }
+
+    .disabled > a {
+      color: #777777;
+
+      &:hover, &:focus {
+        color: #777777;
+      }
+
+      &:hover, &:focus {
+        text-decoration: none;
+        background-color: transparent;
+        background-image: none;
+        filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
+        cursor: not-allowed;
+      }
+    }
+  }
+}
 
+.open > {
+  .dropdown-menu {
+    display: block;
+  }
 
-.open > .dropdown-menu {
-  display: block; }
-.open > a {
-  outline: 0; }
+  a {
+    outline: 0;
+  }
+}
 
 .dropdown-menu-right {
   left: auto;
-  right: 0; }
+  right: 0;
+}
 
 .dropdown-menu-left {
   left: 0;
-  right: auto; }
+  right: auto;
+}
 
 .dropdown-header {
   display: block;
@@ -3237,7 +5563,8 @@ tbody.collapse.in {
   font-size: 12px;
   line-height: 1.428571429;
   color: #b0b0b0;
-  white-space: nowrap; }
+  white-space: nowrap;
+}
 
 .dropdown-backdrop {
   position: fixed;
@@ -3245,226 +5572,373 @@ tbody.collapse.in {
   right: 0;
   bottom: 0;
   top: 0;
-  z-index: 990; }
+  z-index: 990;
+}
 
 .pull-right > .dropdown-menu {
   right: 0;
-  left: auto; }
+  left: auto;
+}
 
-.dropup .caret,
-.navbar-fixed-bottom .dropdown .caret {
+.dropup .caret, .navbar-fixed-bottom .dropdown .caret {
   border-top: 0;
   border-bottom: 4px solid;
-  content: ""; }
-.dropup .dropdown-menu,
-.navbar-fixed-bottom .dropdown .dropdown-menu {
+  content: "";
+}
+
+.dropup .dropdown-menu, .navbar-fixed-bottom .dropdown .dropdown-menu {
   top: auto;
   bottom: 100%;
-  margin-bottom: 1px; }
+  margin-bottom: 1px;
+}
 
 @media (min-width: 768px) {
-  .navbar-right .dropdown-menu {
-    right: 0;
-    left: auto; }
-  .navbar-right .dropdown-menu-left {
-    left: 0;
-    right: auto; } }
-.btn-group,
-.btn-group-vertical {
+  .navbar-right {
+    .dropdown-menu {
+      right: 0;
+      left: auto;
+    }
+
+    .dropdown-menu-left {
+      left: 0;
+      right: auto;
+    }
+  }
+}
+
+.btn-group, .btn-group-vertical {
   position: relative;
   display: inline-block;
-  vertical-align: middle; }
-  .btn-group > .btn,
-  .btn-group-vertical > .btn {
-    position: relative;
-    float: left; }
-    .btn-group > .btn:hover, .btn-group > .btn:focus, .btn-group > .btn:active, .btn-group > .btn.active,
-    .btn-group-vertical > .btn:hover,
-    .btn-group-vertical > .btn:focus,
-    .btn-group-vertical > .btn:active,
-    .btn-group-vertical > .btn.active {
-      z-index: 2;
-	  -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-	  -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-	  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important; }
-    .btn-group > .btn:focus,
-    .btn-group-vertical > .btn:focus {
-      outline: 0; }
-
-.btn-group .btn + .btn,
-.btn-group .btn + .btn-group,
-.btn-group .btn-group + .btn,
-.btn-group .btn-group + .btn-group {
-  margin-left: -1px; }
+  vertical-align: middle;
+}
+
+.btn-group > .btn, .btn-group-vertical > .btn {
+  position: relative;
+  float: left;
+}
+
+.btn-group > .btn {
+  &:hover, &:focus, &:active, &.active {
+    z-index: 2;
+    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+  }
+}
+
+.btn-group-vertical > .btn {
+  &:hover, &:focus, &:active, &.active {
+    z-index: 2;
+    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+  }
+}
+
+.btn-group > .btn:focus, .btn-group-vertical > .btn:focus {
+  outline: 0;
+}
+
+.btn-group {
+  .btn + {
+    .btn, .btn-group {
+      margin-left: -1px;
+    }
+  }
+
+  .btn-group + {
+    .btn, .btn-group {
+      margin-left: -1px;
+    }
+  }
+}
 
 .btn-toolbar {
-  margin-left: -5px; }
-  .btn-toolbar:before, .btn-toolbar:after {
+  margin-left: -5px;
+
+  &:before {
     content: " ";
-    display: table; }
-  .btn-toolbar:after {
-    clear: both; }
-  .btn-toolbar .btn-group,
-  .btn-toolbar .input-group {
-    float: left; }
-  .btn-toolbar > .btn,
-  .btn-toolbar > .btn-group,
-  .btn-toolbar > .input-group {
-    margin-left: 5px; }
-
-.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {
-  border-radius: 0; }
-
-.btn-group > .btn:first-child {
-  margin-left: 0; }
-  .btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) {
-    border-bottom-right-radius: 0;
-    border-top-right-radius: 0; }
-
-.btn-group > .btn:last-child:not(:first-child),
-.btn-group > .dropdown-toggle:not(:first-child) {
-  border-bottom-left-radius: 0;
-  border-top-left-radius: 0; }
+    display: table;
+  }
 
-.btn-group > .btn-group {
-  float: left; }
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
 
-.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0; }
+  .btn-group, .input-group {
+    float: left;
+  }
 
-.btn-group > .btn-group:first-child > .btn:last-child,
-.btn-group > .btn-group:first-child > .dropdown-toggle {
-  border-bottom-right-radius: 0;
-  border-top-right-radius: 0; }
+  > {
+    .btn, .btn-group, .input-group {
+      margin-left: 5px;
+    }
+  }
+}
 
-.btn-group > .btn-group:last-child > .btn:first-child {
-  border-bottom-left-radius: 0;
-  border-top-left-radius: 0; }
+.btn-group {
+  > {
+    .btn {
+      &:not(:first-child):not(:last-child):not(.dropdown-toggle) {
+        border-radius: 0;
+      }
+
+      &:first-child {
+        margin-left: 0;
+
+        &:not(:last-child):not(.dropdown-toggle) {
+          border-bottom-right-radius: 0;
+          border-top-right-radius: 0;
+        }
+      }
+
+      &:last-child:not(:first-child) {
+        border-bottom-left-radius: 0;
+        border-top-left-radius: 0;
+      }
+    }
+
+    .dropdown-toggle:not(:first-child) {
+      border-bottom-left-radius: 0;
+      border-top-left-radius: 0;
+    }
+
+    .btn-group {
+      float: left;
 
-.btn-group .dropdown-toggle:active, .btn-group .dropdown-toggle:hover, .btn-group.open .dropdown-toggle {
-  outline: 0;
-  color: #FFFFFF;
-  background-color: none;
-  border-color: #000; }
+      &:not(:first-child):not(:last-child) > .btn {
+        border-radius: 0;
+      }
+
+      &:first-child > {
+        .btn:last-child, .dropdown-toggle {
+          border-bottom-right-radius: 0;
+          border-top-right-radius: 0;
+        }
+      }
+
+      &:last-child > .btn:first-child {
+        border-bottom-left-radius: 0;
+        border-top-left-radius: 0;
+      }
+    }
+  }
+
+  .dropdown-toggle {
+    &:active, &:hover {
+      outline: 0;
+      color: #FFFFFF;
+      background-color: none;
+      border-color: #000;
+    }
+  }
 
-.btn-group > .btn + .dropdown-toggle {
-  padding-left: 8px;
-  padding-right: 8px; }
+  &.open .dropdown-toggle {
+    outline: 0;
+    color: #FFFFFF;
+    background-color: none;
+    border-color: #000;
+  }
+
+  > {
+    .btn + .dropdown-toggle {
+      padding-left: 8px;
+      padding-right: 8px;
+    }
+
+    .btn-lg + .dropdown-toggle {
+      padding-left: 12px;
+      padding-right: 12px;
+    }
+  }
+}
 
-.btn-group > .btn-lg + .dropdown-toggle, .btn-group-lg.btn-group > .btn + .dropdown-toggle {
+.btn-group-lg.btn-group > .btn + .dropdown-toggle {
   padding-left: 12px;
-  padding-right: 12px; }
+  padding-right: 12px;
+}
 
-.btn-group.open .dropdown-toggle {}
-  .btn-group.open .dropdown-toggle.btn-link {
-    -webkit-box-shadow: none;
-    box-shadow: none; }
+.btn-group.open .dropdown-toggle.btn-link {
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
 
 .btn .caret {
-  margin-left: 0; }
+  margin-left: 0;
+}
 
 .btn-lg .caret, .btn-group-lg > .btn .caret {
   border-width: 5px 5px 0;
-  border-bottom-width: 0; }
+  border-bottom-width: 0;
+}
 
-.dropup .btn-lg .caret, .dropup .btn-group-lg > .btn .caret {
-  border-width: 0 5px 5px; }
+.dropup {
+  .btn-lg .caret, .btn-group-lg > .btn .caret {
+    border-width: 0 5px 5px;
+  }
+}
 
-.btn-group-vertical > .btn,
-.btn-group-vertical > .btn-group,
-.btn-group-vertical > .btn-group > .btn {
-  display: block;
-  float: none;
-  width: 100%;
-  max-width: 100%; }
-.btn-group-vertical > .btn-group:before, .btn-group-vertical > .btn-group:after {
-  content: " ";
-  display: table; }
-.btn-group-vertical > .btn-group:after {
-  clear: both; }
-.btn-group-vertical > .btn-group > .btn {
-  float: none; }
-.btn-group-vertical > .btn + .btn,
-.btn-group-vertical > .btn + .btn-group,
-.btn-group-vertical > .btn-group + .btn,
-.btn-group-vertical > .btn-group + .btn-group {
-  margin-top: -1px;
-  margin-left: 0; }
+.btn-group-vertical > {
+  .btn {
+    display: block;
+    float: none;
+    width: 100%;
+    max-width: 100%;
+  }
 
-.btn-group-vertical > .btn:not(:first-child):not(:last-child) {
-  border-radius: 0; }
-.btn-group-vertical > .btn:first-child:not(:last-child) {
-  border-top-right-radius: 3px;
-  border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0; }
-.btn-group-vertical > .btn:last-child:not(:first-child) {
-  border-bottom-left-radius: 3px;
-  border-top-right-radius: 0;
-  border-top-left-radius: 0; }
+  .btn-group {
+    display: block;
+    float: none;
+    width: 100%;
+    max-width: 100%;
+
+    > .btn {
+      display: block;
+      float: none;
+      width: 100%;
+      max-width: 100%;
+    }
 
-.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0; }
+    &:before {
+      content: " ";
+      display: table;
+    }
 
-.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child,
-.btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle {
-  border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0; }
+    &:after {
+      content: " ";
+      display: table;
+      clear: both;
+    }
 
-.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {
-  border-top-right-radius: 0;
-  border-top-left-radius: 0; }
+    > .btn {
+      float: none;
+    }
+  }
+
+  .btn + {
+    .btn, .btn-group {
+      margin-top: -1px;
+      margin-left: 0;
+    }
+  }
+
+  .btn-group + {
+    .btn, .btn-group {
+      margin-top: -1px;
+      margin-left: 0;
+    }
+  }
+
+  .btn {
+    &:not(:first-child):not(:last-child) {
+      border-radius: 0;
+    }
+
+    &:first-child:not(:last-child) {
+      border-top-right-radius: 3px;
+      border-bottom-right-radius: 0;
+      border-bottom-left-radius: 0;
+    }
+
+    &:last-child:not(:first-child) {
+      border-bottom-left-radius: 3px;
+      border-top-right-radius: 0;
+      border-top-left-radius: 0;
+    }
+  }
+
+  .btn-group {
+    &:not(:first-child):not(:last-child) > .btn {
+      border-radius: 0;
+    }
+
+    &:first-child:not(:last-child) > {
+      .btn:last-child, .dropdown-toggle {
+        border-bottom-right-radius: 0;
+        border-bottom-left-radius: 0;
+      }
+    }
+
+    &:last-child:not(:first-child) > .btn:first-child {
+      border-top-right-radius: 0;
+      border-top-left-radius: 0;
+    }
+  }
+}
 
 .btn-group-justified {
   display: table;
   width: 100%;
   table-layout: fixed;
-  border-collapse: separate; }
-  .btn-group-justified > .btn,
-  .btn-group-justified > .btn-group {
-    float: none;
-    display: table-cell;
-    width: 1%; }
-  .btn-group-justified > .btn-group .btn {
-    width: 100%; }
-  .btn-group-justified > .btn-group .dropdown-menu {
-    left: auto; }
-
-[data-toggle="buttons"] > .btn > input[type="radio"],
-[data-toggle="buttons"] > .btn > input[type="checkbox"] {
-  position: absolute;
-  z-index: -1;
-  opacity: 0;
-  filter: alpha(opacity=0); }
+  border-collapse: separate;
+
+  > {
+    .btn {
+      float: none;
+      display: table-cell;
+      width: 1%;
+    }
+
+    .btn-group {
+      float: none;
+      display: table-cell;
+      width: 1%;
+
+      .btn {
+        width: 100%;
+      }
+
+      .dropdown-menu {
+        left: auto;
+      }
+    }
+  }
+}
+
+[data-toggle="buttons"] > .btn > input {
+  &[type="radio"], &[type="checkbox"] {
+    position: absolute;
+    z-index: -1;
+    opacity: 0;
+    filter: alpha(opacity = 0);
+  }
+}
 
 .input-group {
   position: relative;
   display: table;
-  border-collapse: separate; }
-  .input-group[class*="col-"] {
+  border-collapse: separate;
+
+  &[class*="col-"] {
     float: none;
     padding-left: 0;
-    padding-right: 0; }
-  .input-group .form-control {
+    padding-right: 0;
+  }
+
+  .form-control {
     position: relative;
     z-index: 2;
     float: left;
     width: 100%;
-    margin-bottom: 0; }
-
-.input-group-addon,
-.input-group-btn,
-.input-group .form-control {
-  display: table-cell; }
-  .input-group-addon:not(:first-child):not(:last-child),
-  .input-group-btn:not(:first-child):not(:last-child),
-  .input-group .form-control:not(:first-child):not(:last-child) {
-    border-radius: 0; }
-
-.input-group-addon,
-.input-group-btn {
+    margin-bottom: 0;
+  }
+}
+
+.input-group-addon, .input-group-btn, .input-group .form-control {
+  display: table-cell;
+}
+
+.input-group-addon:not(:first-child):not(:last-child), .input-group-btn:not(:first-child):not(:last-child), .input-group .form-control:not(:first-child):not(:last-child) {
+  border-radius: 0;
+}
+
+.input-group-addon, .input-group-btn {
   width: 1%;
   white-space: nowrap;
-  vertical-align: middle; }
+  vertical-align: middle;
+}
 
 .input-group-addon {
   padding: 6px 12px;
@@ -3475,237 +5949,428 @@ tbody.collapse.in {
   text-align: center;
   background-color: #eeeeee;
   border: 1px solid #ccc;
-  border-radius: 3px; }
-  .input-group-addon.input-sm, .form-horizontal .form-group-sm .input-group-addon.form-control,
-  .input-group-sm > .input-group-addon,
-  .input-group-sm > .input-group-btn > .input-group-addon.btn {
+  border-radius: 3px;
+
+  &.input-sm {
+    padding: 5px 10px;
+    font-size: 12px;
+    border-radius: 3px;
+  }
+}
+
+.form-horizontal .form-group-sm .input-group-addon.form-control {
+  padding: 5px 10px;
+  font-size: 12px;
+  border-radius: 3px;
+}
+
+.input-group-sm > {
+  .input-group-addon, .input-group-btn > .input-group-addon.btn {
     padding: 5px 10px;
     font-size: 12px;
-    border-radius: 3px; }
-  .input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control,
-  .input-group-lg > .input-group-addon,
-  .input-group-lg > .input-group-btn > .input-group-addon.btn {
+    border-radius: 3px;
+  }
+}
+
+.input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control {
+  padding: 10px 16px;
+  font-size: 18px;
+  border-radius: 6px;
+}
+
+.input-group-lg > {
+  .input-group-addon, .input-group-btn > .input-group-addon.btn {
     padding: 10px 16px;
     font-size: 18px;
-    border-radius: 6px; }
-  .input-group-addon input[type="radio"],
-  .input-group-addon input[type="checkbox"] {
-    margin-top: 0; }
-
-.input-group .form-control:first-child,
-.input-group-addon:first-child,
-.input-group-btn:first-child > .btn,
-.input-group-btn:first-child > .btn-group > .btn,
-.input-group-btn:first-child > .dropdown-toggle,
-.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),
-.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {
+    border-radius: 6px;
+  }
+}
+
+.input-group-addon input {
+  &[type="radio"], &[type="checkbox"] {
+    margin-top: 0;
+  }
+}
+
+.input-group .form-control:first-child, .input-group-addon:first-child {
   border-bottom-right-radius: 0;
-  border-top-right-radius: 0; }
+  border-top-right-radius: 0;
+}
+
+.input-group-btn {
+  &:first-child > {
+    .btn, .btn-group > .btn, .dropdown-toggle {
+      border-bottom-right-radius: 0;
+      border-top-right-radius: 0;
+    }
+  }
+
+  &:last-child > {
+    .btn:not(:last-child):not(.dropdown-toggle), .btn-group:not(:last-child) > .btn {
+      border-bottom-right-radius: 0;
+      border-top-right-radius: 0;
+    }
+  }
+}
 
 .input-group-addon:first-child {
-  border-right: 0; }
-
-.input-group .form-control:last-child,
-.input-group-addon:last-child,
-.input-group-btn:last-child > .btn,
-.input-group-btn:last-child > .btn-group > .btn,
-.input-group-btn:last-child > .dropdown-toggle,
-.input-group-btn:first-child > .btn:not(:first-child),
-.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {
+  border-right: 0;
+}
+
+.input-group .form-control:last-child, .input-group-addon:last-child {
   border-bottom-left-radius: 0;
-  border-top-left-radius: 0; }
+  border-top-left-radius: 0;
+}
+
+.input-group-btn {
+  &:last-child > {
+    .btn, .btn-group > .btn, .dropdown-toggle {
+      border-bottom-left-radius: 0;
+      border-top-left-radius: 0;
+    }
+  }
+
+  &:first-child > {
+    .btn:not(:first-child), .btn-group:not(:first-child) > .btn {
+      border-bottom-left-radius: 0;
+      border-top-left-radius: 0;
+    }
+  }
+}
 
 .input-group-addon:last-child {
-  border-left: 0; }
+  border-left: 0;
+}
 
 .input-group-btn {
   position: relative;
   font-size: 0;
-  white-space: nowrap; }
-  .input-group-btn > .btn {
-    position: relative; }
-    .input-group-btn > .btn + .btn {
-      margin-left: -1px; }
-    .input-group-btn > .btn:hover, .input-group-btn > .btn:focus, .input-group-btn > .btn:active {
-      z-index: 2; }
-  .input-group-btn:first-child > .btn,
-  .input-group-btn:first-child > .btn-group {
-    margin-right: -1px; }
-  .input-group-btn:last-child > .btn,
-  .input-group-btn:last-child > .btn-group {
-    margin-left: -1px; }
+  white-space: nowrap;
+
+  > .btn {
+    position: relative;
+
+    + .btn {
+      margin-left: -1px;
+    }
+
+    &:hover, &:focus, &:active {
+      z-index: 2;
+    }
+  }
+
+  &:first-child > {
+    .btn, .btn-group {
+      margin-right: -1px;
+    }
+  }
+
+  &:last-child > {
+    .btn, .btn-group {
+      margin-left: -1px;
+    }
+  }
+}
+
+.nav {
+  margin-bottom: 0;
+  padding-left: 0;
+  list-style: none;
+
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+
+  > li {
+    position: relative;
+    display: block;
+
+    > a {
+      position: relative;
+      display: block;
+      padding: 10px 15px;
+      color: #FFF;
+      border-radius: 0px;
+      border-top-right-radius: 10px;
+      margin-right: 0px;
+      background-color: #315a71;
+      opacity: 0.6;
+      filter: alpha(opacity = 50);
+    }
+  }
+}
+
+.nav-tabs > li > a {
+  position: relative;
+  display: block;
+  padding: 10px 15px;
+  color: #FFF;
+  border-radius: 0px;
+  border-top-right-radius: 10px;
+  margin-right: 0px;
+  background-color: #315a71;
+  opacity: 0.6;
+  filter: alpha(opacity = 50);
+}
 
-.nav {
-  margin-bottom: 0;
-  padding-left: 0;
-  list-style: none; }
-  .nav:before, .nav:after {
-    content: " ";
-    display: table; }
-  .nav:after {
-    clear: both; }
-  .nav > li {
-    position: relative;
-    display: block; }
-    .nav > li > a, .nav-tabs > li > a {
-		position: relative;
-		display: block;
-		padding: 10px 15px;
-		color: #FFF;
-		border-radius: 0px;
-		border-top-right-radius: 10px;
-		margin-right: 0px;
-		background-color: #315a71;
-		opacity: 0.6;
-		filter: alpha(opacity=50);}
-	.nav > li#menu_messages > a {
+.nav > li {
+  &#menu_messages {
+    > a {
       position: relative;
       display: block;
       padding: none;
-	  color:#FF7E25;
-	  background-color:transparent;
-	  margin-right: 10px;
-	  border:none;
-	  opacity: 1.0;}
-      .nav > li > a:hover, .nav > li > a:focus {
-        text-decoration: none;
-        background-color: #315a71;
-		color: #FFF;
-		opacity: 0.8; }
-		.nav > li#menu_messages > a:hover, a:focus {
-		text-decoration: underline; }
-
-    .nav > li.disabled > a {
-		color: #fff; }
-      .nav > li.disabled > a:hover, .nav > li.disabled > a:focus {
-		  color: #fff;
-		  text-decoration: none;
-		  background-color: #839caa;
-		  opacity:0.9;
-		  cursor: not-allowed; }
-
-  .nav .open > a, .nav .open > a:hover, .nav .open > a:focus {
+      color: #FF7E25;
+      background-color: transparent;
+      margin-right: 10px;
+      border: none;
+      opacity: 1.0;
+    }
+
+    > a:hover {
+      text-decoration: underline;
+    }
+  }
+
+  > a {
+    &:hover, &:focus {
+      text-decoration: none;
+      background-color: #315a71;
+      color: #FFF;
+      opacity: 0.8;
+    }
+  }
+}
+
+a:focus {
+  text-decoration: underline;
+}
+
+.nav {
+  > li.disabled > a {
+    color: #fff;
+
+    &:hover, &:focus {
+      color: #fff;
+      text-decoration: none;
+      background-color: #839caa;
+      opacity: 0.9;
+      cursor: not-allowed;
+    }
+  }
+
+  .open > a {
     background-color: #336480;
-	cursor:pointer; }
+    cursor: pointer;
+
+    &:hover, &:focus {
+      background-color: #336480;
+      cursor: pointer;
+    }
+  }
 
-  .nav .nav-divider {
+  .nav-divider {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5; }
-  .nav > li > a > img {
-    max-width: none; }
+    background-color: #e5e5e5;
+  }
+
+  > li > a > img {
+    max-width: none;
+  }
+}
 
 .nav-tabs {
-  margin-right: 1px; }
-  .nav-tabs > li {
-    float: left; }
-    .nav-tabs > li > a {
+  margin-right: 1px;
+
+  > li {
+    float: left;
+
+    > a {
       line-height: 1.428571429;
-	  border:none;
-	  cursor:pointer;}
-	.nav-tabs > li > a:hover {opacity: 0.8; filter: alpha(opacity=80);}
-    .nav-tabs > li.active > a, .nav-tabs > li.active > a:hover, .nav-tabs > li.active > a:focus {
+      border: none;
+      cursor: pointer;
+
+      &:hover {
+        opacity: 0.8;
+        filter: alpha(opacity = 80);
+      }
+    }
+
+    &.active > a {
       color: #FFF;
       background-color: #393939;
       border-bottom-color: transparent;
       cursor: pointer;
-	  opacity: 1;
-	  filter: alpha(opacity=100);}
-
-	  .nav-pills > li {
-  float: left; }
-  .nav-pills > li > a {
-    border-radius: 0; }
-  .nav-pills > li.active > a, .nav-pills > li.active > a:hover, .nav-pills > li.active > a:focus {
+      opacity: 1;
+      filter: alpha(opacity = 100);
+
+      &:hover, &:focus {
+        color: #FFF;
+        background-color: #393939;
+        border-bottom-color: transparent;
+        cursor: pointer;
+        opacity: 1;
+        filter: alpha(opacity = 100);
+      }
+    }
+  }
+}
+
+.nav-pills > li {
+  float: left;
+
+  > a {
+    border-radius: 0;
+  }
+
+  &.active > a {
     color: #fff;
     background-color: #1b4257;
-	opacity: 1.0; }
+    opacity: 1.0;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #1b4257;
+      opacity: 1.0;
+    }
+  }
+}
 
 .nav-stacked > li {
-  float: none; }
-  .nav-stacked > li + li {
+  float: none;
+
+  + li {
     margin-top: 2px;
-    margin-left: 0; }
+    margin-left: 0;
+  }
+}
 
 .nav-justified, .nav-tabs.nav-justified {
-  width: 100%; }
+  width: 100%;
+}
+
+.nav-justified > li, .nav-tabs.nav-justified > li {
+  float: none;
+}
+
+.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+  text-align: left;
+  margin-bottom: 5px;
+}
+
+.nav-justified > .dropdown .dropdown-menu {
+  top: auto;
+  left: auto;
+}
+
+@media (min-width: 768px) {
   .nav-justified > li, .nav-tabs.nav-justified > li {
-    float: none; }
-    .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-      text-align: left;
-      margin-bottom: 5px; }
-  .nav-justified > .dropdown .dropdown-menu {
-    top: auto;
-    left: auto; }
-  @media (min-width: 768px) {
-    .nav-justified > li, .nav-tabs.nav-justified > li {
-      display: table-cell;
-      width: 1%; }
-      .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-        margin-bottom: 0; } }
+    display: table-cell;
+    width: 1%;
+  }
+
+  .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+    margin-bottom: 0;
+  }
+}
 
 .nav-tabs-justified, .nav-tabs.nav-justified {
-  border-bottom: 0; }
+  border-bottom: 0;
+}
+
+.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+  margin-right: 0;
+  border-radius: 3px;
+}
+
+.nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a, .nav-tabs-justified > .active > a:hover, .nav-tabs.nav-justified > .active > a:hover, .nav-tabs-justified > .active > a:focus, .nav-tabs.nav-justified > .active > a:focus {
+  border: 1px solid #656565;
+}
+
+@media (min-width: 768px) {
   .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
-    margin-right: 0;
-    border-radius: 3px; }
-  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
-  .nav-tabs-justified > .active > a:hover,
-  .nav-tabs.nav-justified > .active > a:hover,
-  .nav-tabs-justified > .active > a:focus,
-  .nav-tabs.nav-justified > .active > a:focus {
-    border: 1px solid #656565; }
-  @media (min-width: 768px) {
-    .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
-      border-bottom: 1px solid #656565;
-      border-radius: 3px 3px 0 0; }
-    .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
-    .nav-tabs-justified > .active > a:hover,
-    .nav-tabs.nav-justified > .active > a:hover,
-    .nav-tabs-justified > .active > a:focus,
-    .nav-tabs.nav-justified > .active > a:focus {
-      border-bottom-color: transparent; } }
-
-.tab-content > .tab-pane {
-  display: none; }
-  .tab-content > .active {
-  display: block; }
+    border-bottom: 1px solid #656565;
+    border-radius: 3px 3px 0 0;
+  }
+
+  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a, .nav-tabs-justified > .active > a:hover, .nav-tabs.nav-justified > .active > a:hover, .nav-tabs-justified > .active > a:focus, .nav-tabs.nav-justified > .active > a:focus {
+    border-bottom-color: transparent;
+  }
+}
+
+.tab-content > {
+  .tab-pane {
+    display: none;
+  }
+
+  .active {
+    display: block;
+  }
+}
 
 .tab-pane .content-box {
-  border:none !important;
+  border: none !important;
   box-shadow: none;
-  -webkit-box-shadow: none; }
+  -webkit-box-shadow: none;
+}
 
 .nav-tabs .dropdown-menu {
   margin-top: -1px;
   border-top-right-radius: 0;
   border-top-left-radius: 0;
-  cursor:pointer;}
-
+  cursor: pointer;
+}
 
 .navbar {
   position: relative;
   min-height: 50px;
   margin-bottom: 0;
-  border: 1px solid transparent; }
-  .navbar:before, .navbar:after {
+  border: 1px solid transparent;
+
+  &:before {
     content: " ";
-    display: table; }
-  .navbar:after {
-    clear: both; }
-  @media (min-width: 768px) {
-    .navbar {
-      border-radius: 0; } }
-
-.navbar-header:before, .navbar-header:after {
-  content: " ";
-  display: table; }
-.navbar-header:after {
-  clear: both; }
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar {
+    border-radius: 0;
+  }
+}
+
+.navbar-header {
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+}
+
 @media (min-width: 768px) {
   .navbar-header {
-    float: left; } }
+    float: left;
+  }
+}
 
 .navbar-collapse {
   overflow-x: visible;
@@ -3713,92 +6378,143 @@ tbody.collapse.in {
   padding-left: 20px;
   border-top: 1px solid transparent;
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1);
-  -webkit-overflow-scrolling: touch; }
-  .navbar-collapse:before, .navbar-collapse:after {
+  -webkit-overflow-scrolling: touch;
+
+  &:before {
     content: " ";
-    display: table; }
-  .navbar-collapse:after {
-    clear: both; }
-  .navbar-collapse.in {
-    overflow-y: auto; }
-  @media (min-width: 768px) {
-    .navbar-collapse {
-      width: auto;
-      border-top: 0;
-      box-shadow: none; }
-      .navbar-collapse.collapse {
-        display: block !important;
-        height: auto !important;
-        padding-bottom: 0;
-        overflow: visible !important; }
-      .navbar-collapse.in {
-        overflow-y: visible; }
-      .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
-        padding-left: 0;
-        padding-right: 0; } }
-
-.navbar-fixed-top .navbar-collapse,
-.navbar-fixed-bottom .navbar-collapse {
-  max-height: 340px; }
-  @media (max-width: 480px) and (orientation: landscape) {
-    .navbar-fixed-top .navbar-collapse,
-    .navbar-fixed-bottom .navbar-collapse {
-      max-height: 200px; } }
-
-.container > .navbar-header,
-.container > .navbar-collapse,
-.container-fluid > .navbar-header,
-.container-fluid > .navbar-collapse {
-  margin-right: -20px;
-  margin-left: -20px; }
-  @media (min-width: 768px) {
-    .container > .navbar-header,
-    .container > .navbar-collapse,
-    .container-fluid > .navbar-header,
-    .container-fluid > .navbar-collapse {
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+
+  &.in {
+    overflow-y: auto;
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-collapse {
+    width: auto;
+    border-top: 0;
+    box-shadow: none;
+
+    &.collapse {
+      display: block !important;
+      height: auto !important;
+      padding-bottom: 0;
+      overflow: visible !important;
+    }
+
+    &.in {
+      overflow-y: visible;
+    }
+  }
+
+  .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+.navbar-fixed-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+  max-height: 340px;
+}
+
+@media (max-width: 480px) and (orientation: landscape) {
+  .navbar-fixed-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+    max-height: 200px;
+  }
+}
+
+.container > {
+  .navbar-header, .navbar-collapse {
+    margin-right: -20px;
+    margin-left: -20px;
+  }
+}
+
+.container-fluid > {
+  .navbar-header, .navbar-collapse {
+    margin-right: -20px;
+    margin-left: -20px;
+  }
+}
+
+@media (min-width: 768px) {
+  .container > {
+    .navbar-header, .navbar-collapse {
+      margin-right: 0;
+      margin-left: 0;
+    }
+  }
+
+  .container-fluid > {
+    .navbar-header, .navbar-collapse {
       margin-right: 0;
-      margin-left: 0; } }
+      margin-left: 0;
+    }
+  }
+}
 
 .navbar-static-top {
   z-index: 1000;
-  border-width: 0 0 1px; }
-  @media (min-width: 768px) {
-    .navbar-static-top {
-      border-radius: 0; } }
+  border-width: 0 0 1px;
+}
 
-.navbar-fixed-top,
-.navbar-fixed-bottom {
+@media (min-width: 768px) {
+  .navbar-static-top {
+    border-radius: 0;
+  }
+}
+
+.navbar-fixed-top, .navbar-fixed-bottom {
   position: fixed;
   right: 0;
   left: 0;
   z-index: 1030;
   -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0); }
-  @media (min-width: 768px) {
-    .navbar-fixed-top,
-    .navbar-fixed-bottom {
-      border-radius: 0; } }
+  transform: translate3d(0, 0, 0);
+}
+
+@media (min-width: 768px) {
+  .navbar-fixed-top, .navbar-fixed-bottom {
+    border-radius: 0;
+  }
+}
 
 .navbar-fixed-top {
   top: 0;
-  border-width: 0 0 1px; }
+  border-width: 0 0 1px;
+}
 
 .navbar-fixed-bottom {
   bottom: 0;
   margin-bottom: 0;
-  border-width: 1px 0 0; }
+  border-width: 1px 0 0;
+}
 
 .navbar-brand {
   float: left;
   padding: 15px 20px;
   font-size: 18px;
-  height: 50px; }
-  .navbar-brand:hover, .navbar-brand:focus {
-    text-decoration: none; }
+  height: 50px;
 
-  @media (min-width: 768px) {
-    .navbar > .container .navbar-brand, .navbar > .container-fluid .navbar-brand {
-      margin-left: -20px; } }
+  &:hover, &:focus {
+    text-decoration: none;
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar > {
+    .container .navbar-brand, .container-fluid .navbar-brand {
+      margin-left: -20px;
+    }
+  }
+}
 
 .navbar-toggle {
   position: relative;
@@ -3810,60 +6526,94 @@ tbody.collapse.in {
   background-color: transparent;
   background-image: none;
   border: 1px solid transparent;
-  border-radius: 3px; }
-  .navbar-toggle:focus {
-    outline: 0; }
-  .navbar-toggle .icon-bar {
+  border-radius: 3px;
+
+  &:focus {
+    outline: 0;
+  }
+
+  .icon-bar {
     display: block;
     width: 22px;
     height: 2px;
-    border-radius: 1px; }
-  .navbar-toggle .icon-bar + .icon-bar {
-    margin-top: 4px; }
-  @media (min-width: 768px) {
-    .navbar-toggle {
-      display: none; } }
+    border-radius: 1px;
+
+    + .icon-bar {
+      margin-top: 4px;
+    }
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-toggle {
+    display: none;
+  }
+}
 
 .navbar-nav {
-  margin: 7.5px -20px; }
-  .navbar-nav > li > a {
+  margin: 7.5px -20px;
+
+  > li > a {
     padding-top: 10px;
     padding-bottom: 10px;
-    line-height: 20px; }
-  @media (max-width: 767px) {
-    .navbar-nav .open .dropdown-menu {
-      position: static;
-      float: none;
-      width: auto;
-      margin-top: 0;
-      background-color: transparent;
-      border: 0;
-      box-shadow: none; }
-      .navbar-nav .open .dropdown-menu > li > a,
-      .navbar-nav .open .dropdown-menu .dropdown-header {
-        padding: 5px 15px 5px 25px; }
-      .navbar-nav .open .dropdown-menu > li > a {
-        line-height: 20px; }
-        .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-nav .open .dropdown-menu > li > a:focus {
-          background-image: none; } }
-  @media (min-width: 768px) {
-    .navbar-nav {
+    line-height: 20px;
+  }
+}
+
+@media (max-width: 767px) {
+  .navbar-nav .open .dropdown-menu {
+    position: static;
+    float: none;
+    width: auto;
+    margin-top: 0;
+    background-color: transparent;
+    border: 0;
+    box-shadow: none;
+
+    > li > a, .dropdown-header {
+      padding: 5px 15px 5px 25px;
+    }
+
+    > li > a {
+      line-height: 20px;
+
+      &:hover, &:focus {
+        background-image: none;
+      }
+    }
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-nav {
+    float: left;
+    margin: 0;
+
+    > li {
       float: left;
-      margin: 0; }
-      .navbar-nav > li {
-        float: left; }
-        .navbar-nav > li > a {
-          padding-top: 15px;
-          padding-bottom: 15px; }
-      .navbar-nav.navbar-right:last-child {
-        margin-right: -20px; } }
+
+      > a {
+        padding-top: 15px;
+        padding-bottom: 15px;
+      }
+    }
+
+    &.navbar-right:last-child {
+      margin-right: -20px;
+    }
+  }
+}
 
 @media (min-width: 768px) {
   .navbar-left {
-    float: left !important; }
+    float: left !important;
+  }
 
   .navbar-right {
-    float: right !important; } }
+    float: right !important;
+  }
+}
+
 .navbar-form {
   margin-left: -20px;
   margin-right: -20px;
@@ -3873,306 +6623,613 @@ tbody.collapse.in {
   -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);
   margin-top: 8px;
-  margin-bottom: 8px; }
-  @media (max-width: 767px) {
-    .navbar-form .form-group {
-      margin-bottom: 5px; } }
-  @media (min-width: 768px) {
-    .navbar-form {
-      width: auto;
-      border: 0;
-      margin-left: 0;
-      margin-right: 0;
-      padding-top: 0;
-      padding-bottom: 0;
-      -webkit-box-shadow: none;
-      box-shadow: none; }
-      .navbar-form.navbar-right:last-child {
-        margin-right: -20px; } }
+  margin-bottom: 8px;
+}
+
+@media (max-width: 767px) {
+  .navbar-form .form-group {
+    margin-bottom: 5px;
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-form {
+    width: auto;
+    border: 0;
+    margin-left: 0;
+    margin-right: 0;
+    padding-top: 0;
+    padding-bottom: 0;
+    -webkit-box-shadow: none;
+    box-shadow: none;
+
+    &.navbar-right:last-child {
+      margin-right: -20px;
+    }
+  }
+}
 
 .navbar-nav > li > .dropdown-menu {
   margin-top: 0;
   border-top-right-radius: 0;
-  border-top-left-radius: 0; }
+  border-top-left-radius: 0;
+}
+
+.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
+  border-bottom-right-radius: 0;
+  border-bottom-left-radius: 0;
+}
+
+.navbar-btn {
+  margin-top: 8px;
+  margin-bottom: 8px;
+
+  &.btn-sm {
+    margin-top: 10px;
+    margin-bottom: 10px;
+  }
+}
+
+.btn-group-sm > .navbar-btn.btn {
+  margin-top: 10px;
+  margin-bottom: 10px;
+}
+
+.navbar-btn.btn-xs, .btn-group-xs > .navbar-btn.btn {
+  margin-top: 14px;
+  margin-bottom: 14px;
+}
+
+.navbar-text {
+  margin-top: 15px;
+  margin-bottom: 15px;
+}
+
+@media (min-width: 768px) {
+  .navbar-text {
+    float: left;
+    margin-left: 20px;
+    margin-right: 20px;
+
+    &.navbar-right:last-child {
+      margin-right: 0;
+    }
+  }
+}
+
+.navbar-default {
+  background-color: transparent;
+  border-color: none;
+
+  .navbar-brand {
+    color: #F7F7F7;
+
+    &:hover, &:focus {
+      color: #dedede;
+      background-color: transparent;
+    }
+  }
+
+  .navbar-text {
+    color: #F7F7F7;
+  }
+
+  .navbar-nav > {
+    li > a {
+      color: #F7F7F7;
+
+      &:hover, &:focus {
+        color: #FF7E25;
+        background-color: transparent;
+      }
+    }
+
+    .active > a {
+      color: #555;
+      background-color: #2b2b2b;
+
+      &:hover, &:focus {
+        color: #555;
+        background-color: #2b2b2b;
+      }
+    }
+
+    .disabled > a {
+      color: #ccc;
+      background-color: transparent;
 
-.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
-  border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0; }
+      &:hover, &:focus {
+        color: #ccc;
+        background-color: transparent;
+      }
+    }
+  }
 
-.navbar-btn {
-  margin-top: 8px;
-  margin-bottom: 8px; }
-  .navbar-btn.btn-sm, .btn-group-sm > .navbar-btn.btn {
-    margin-top: 10px;
-    margin-bottom: 10px; }
-  .navbar-btn.btn-xs, .btn-group-xs > .navbar-btn.btn {
-    margin-top: 14px;
-    margin-bottom: 14px; }
+  .navbar-toggle {
+    border-color: #FFF;
 
-.navbar-text {
-  margin-top: 15px;
-  margin-bottom: 15px; }
-  @media (min-width: 768px) {
-    .navbar-text {
-      float: left;
-      margin-left: 20px;
-      margin-right: 20px; }
-      .navbar-text.navbar-right:last-child {
-        margin-right: 0; } }
+    &:hover, &:focus {
+      background-color: #555;
+    }
 
-.navbar-default {
-  background-color: transparent;
-  border-color: none; }
-  .navbar-default .navbar-brand {
-    color: #F7F7F7; }
-    .navbar-default .navbar-brand:hover, .navbar-default .navbar-brand:focus {
-      color: #dedede;
-      background-color: transparent; }
-  .navbar-default .navbar-text {
-    color: #F7F7F7; }
-  .navbar-default .navbar-nav > li > a {
-    color: #F7F7F7; }
-    .navbar-default .navbar-nav > li > a:hover, .navbar-default .navbar-nav > li > a:focus {
-      color: #FF7E25;
-      background-color: transparent; }
+    .icon-bar {
+      background-color: #FFF;
+    }
+  }
 
-  .navbar-default .navbar-nav > .active > a, .navbar-default .navbar-nav > .active > a:hover, .navbar-default .navbar-nav > .active > a:focus {
-    color: #555;
-    background-color: #2b2b2b; }
-  .navbar-default .navbar-nav > .disabled > a, .navbar-default .navbar-nav > .disabled > a:hover, .navbar-default .navbar-nav > .disabled > a:focus {
-    color: #ccc;
-    background-color: transparent; }
-  .navbar-default .navbar-toggle {
-    border-color: #FFF; }
-    .navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus {
-      background-color: #555; }
-    .navbar-default .navbar-toggle .icon-bar {
-      background-color: #FFF; }
-	.navbar-default .navbar-nav > .open > a, .navbar-default .navbar-nav > .open > a:hover, .navbar-default .navbar-nav > .open > a:focus {
+  .navbar-nav > .open > a {
     background-color: #2b2b2b;
-    color: #555; }
-  @media (max-width: 767px) {
-    .navbar-default .navbar-nav .open .dropdown-menu > li > a {
-      color: #F7F7F7; }
-      .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {
+    color: #555;
+
+    &:hover, &:focus {
+      background-color: #2b2b2b;
+      color: #555;
+    }
+  }
+
+  .navbar-link {
+    color: #F7F7F7;
+
+    &:hover {
+      color: #FF8B00;
+    }
+  }
+
+  .btn-link {
+    color: #F7F7F7;
+
+    &:hover, &:focus {
+      color: #FF8B00;
+    }
+
+    &[disabled] {
+      &:hover, &:focus {
+        color: #ccc;
+      }
+    }
+  }
+}
+
+@media (max-width: 767px) {
+  .navbar-default .navbar-nav .open .dropdown-menu > {
+    li > a {
+      color: #F7F7F7;
+
+      &:hover, &:focus {
         color: #FF8B00;
-        background-color: transparent; }
- .navbar-default .navbar-nav .open .dropdown-menu > .active > a, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus {
+        background-color: transparent;
+      }
+    }
+
+    .active > a {
       color: #555;
-      background-color: #2b2b2b; }
-    .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+      background-color: #2b2b2b;
+
+      &:hover, &:focus {
+        color: #555;
+        background-color: #2b2b2b;
+      }
+    }
+
+    .disabled > a {
       color: #ccc;
-      background-color: transparent; } }
-  .navbar-default .navbar-link {
-    color: #F7F7F7; }
-    .navbar-default .navbar-link:hover {
-      color: #FF8B00; }
-  .navbar-default .btn-link {
-    color: #F7F7F7; }
-    .navbar-default .btn-link:hover, .navbar-default .btn-link:focus {
-      color: #FF8B00; }
-    .navbar-default .btn-link[disabled]:hover, .navbar-default .btn-link[disabled]:focus, fieldset[disabled] .navbar-default .btn-link:hover, fieldset[disabled] .navbar-default .btn-link:focus {
-      color: #ccc; }
+      background-color: transparent;
+
+      &:hover, &:focus {
+        color: #ccc;
+        background-color: transparent;
+      }
+    }
+  }
+}
+
+fieldset[disabled] .navbar-default .btn-link {
+  &:hover, &:focus {
+    color: #ccc;
+  }
+}
 
 .navbar-inverse {
   background-color: #222;
-  border-color: #090909; }
-  .navbar-inverse .navbar-brand {
-    color: #777777; }
-    .navbar-inverse .navbar-brand:hover, .navbar-inverse .navbar-brand:focus {
-      color: #fff;
-      background-color: transparent; }
+  border-color: #090909;
+
+  .navbar-brand {
+    color: #777777;
 
-  .navbar-inverse .navbar-text {
-    color: #777777; }
-  .navbar-inverse .navbar-nav > li > a {
-    color: #777777; }
-    .navbar-inverse .navbar-nav > li > a:hover, .navbar-inverse .navbar-nav > li > a:focus {
+    &:hover, &:focus {
       color: #fff;
-      background-color: transparent; }
-  .navbar-inverse .navbar-nav > .active > a, .navbar-inverse .navbar-nav > .active > a:hover, .navbar-inverse .navbar-nav > .active > a:focus {
-    color: #fff;
-    background-color: #090909; }
-  .navbar-inverse .navbar-nav > .disabled > a, .navbar-inverse .navbar-nav > .disabled > a:hover, .navbar-inverse .navbar-nav > .disabled > a:focus {
-    color: #3e3e3e;
-    background-color: transparent; }
-  .navbar-inverse .navbar-toggle {
-    border-color: #2d2d2d; }
-    .navbar-inverse .navbar-toggle:hover, .navbar-inverse .navbar-toggle:focus {
-      background-color: #2d2d2d; }
-
-    .navbar-inverse .navbar-toggle .icon-bar {
-      background-color: #fff; }
-  .navbar-inverse .navbar-collapse,
-  .navbar-inverse .navbar-form {
-    border-color: #101010; }
-  .navbar-inverse .navbar-nav > .open > a, .navbar-inverse .navbar-nav > .open > a:hover, .navbar-inverse .navbar-nav > .open > a:focus {
-    background-color: #090909;
-    color: #fff; }
-  @media (max-width: 767px) {
-    .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {
-      border-color: #090909; }
-    .navbar-inverse .navbar-nav .open .dropdown-menu .divider {
-      background-color: #090909; }
-    .navbar-inverse .navbar-nav .open .dropdown-menu > li > a {
-      color: #777777; }
-      .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {
+      background-color: transparent;
+    }
+  }
+
+  .navbar-text {
+    color: #777777;
+  }
+
+  .navbar-nav > {
+    li > a {
+      color: #777777;
+
+      &:hover, &:focus {
         color: #fff;
-        background-color: transparent; }
+        background-color: transparent;
+      }
+    }
 
- .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {
+    .active > a {
       color: #fff;
-      background-color: #090909; }
+      background-color: #090909;
+
+      &:hover, &:focus {
+        color: #fff;
+        background-color: #090909;
+      }
+    }
 
-    .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+    .disabled > a {
       color: #3e3e3e;
-      background-color: transparent; } }
+      background-color: transparent;
+
+      &:hover, &:focus {
+        color: #3e3e3e;
+        background-color: transparent;
+      }
+    }
+  }
+
+  .navbar-toggle {
+    border-color: #2d2d2d;
+
+    &:hover, &:focus {
+      background-color: #2d2d2d;
+    }
+
+    .icon-bar {
+      background-color: #fff;
+    }
+  }
+
+  .navbar-collapse, .navbar-form {
+    border-color: #101010;
+  }
+
+  .navbar-nav > .open > a {
+    background-color: #090909;
+    color: #fff;
+
+    &:hover, &:focus {
+      background-color: #090909;
+      color: #fff;
+    }
+  }
+
+  .navbar-link {
+    color: #777777;
+
+    &:hover {
+      color: #fff;
+    }
+  }
+
+  .btn-link {
+    color: #777777;
+
+    &:hover, &:focus {
+      color: #fff;
+    }
+
+    &[disabled] {
+      &:hover, &:focus {
+        color: #3e3e3e;
+      }
+    }
+  }
+}
 
-  .navbar-inverse .navbar-link {
-    color: #777777; }
-    .navbar-inverse .navbar-link:hover {
-      color: #fff; }
-  .navbar-inverse .btn-link {
-    color: #777777; }
-    .navbar-inverse .btn-link:hover, .navbar-inverse .btn-link:focus {
-      color: #fff; }
+@media (max-width: 767px) {
+  .navbar-inverse .navbar-nav .open .dropdown-menu {
+    > .dropdown-header {
+      border-color: #090909;
+    }
+
+    .divider {
+      background-color: #090909;
+    }
+
+    > {
+      li > a {
+        color: #777777;
+
+        &:hover, &:focus {
+          color: #fff;
+          background-color: transparent;
+        }
+      }
+
+      .active > a {
+        color: #fff;
+        background-color: #090909;
+
+        &:hover, &:focus {
+          color: #fff;
+          background-color: #090909;
+        }
+      }
+
+      .disabled > a {
+        color: #3e3e3e;
+        background-color: transparent;
+
+        &:hover, &:focus {
+          color: #3e3e3e;
+          background-color: transparent;
+        }
+      }
+    }
+  }
+}
 
-    .navbar-inverse .btn-link[disabled]:hover, .navbar-inverse .btn-link[disabled]:focus, fieldset[disabled] .navbar-inverse .btn-link:hover, fieldset[disabled] .navbar-inverse .btn-link:focus {
-      color: #3e3e3e; }
+fieldset[disabled] .navbar-inverse .btn-link {
+  &:hover, &:focus {
+    color: #3e3e3e;
+  }
+}
 
 .breadcrumb {
   padding: 8px 15px;
   margin-bottom: 20px;
   list-style: none;
   background-color: #f5f5f5;
-  border-radius: 3px; }
-  .breadcrumb > li {
-    display: inline-block; }
-    .breadcrumb > li + li:before {
-      content: "/ ";
-      padding: 0 5px;
-      color: #ccc; }
-  .breadcrumb > .active {
-    color: #777777; }
+  border-radius: 3px;
+
+  > {
+    li {
+      display: inline-block;
+
+      + li:before {
+        content: "/ ";
+        padding: 0 5px;
+        color: #ccc;
+      }
+    }
+
+    .active {
+      color: #777777;
+    }
+  }
+}
 
 .pagination {
   display: inline-block;
   padding-left: 0;
   margin: 20px 0;
-  border-radius: 3px; }
-  .pagination > li {
-    display: inline; }
-    .pagination > li > a,
-    .pagination > li > span {
-      position: relative;
-      float: left;
-      padding: 6px 12px;
-      line-height: 1.428571429;
-      text-decoration: none;
-      color: #FFFFFF;
-      background-color: #427795;
-      border: 1px solid rgba(23, 44, 56, 0.4);
-      margin-left: -1px;
-      cursor: pointer; }
-    .pagination > li:first-child > a,
-    .pagination > li:first-child > span {
-      margin-left: 0;
-      border-bottom-left-radius: 3px;
-      border-top-left-radius: 3px; }
-    .pagination > li:last-child > a,
-    .pagination > li:last-child > span {
-      border-bottom-right-radius: 3px;
-      border-top-right-radius: 3px; }
-  .pagination > li > a:hover, .pagination > li > a:focus,
-  .pagination > li > span:hover,
-  .pagination > li > span:focus {
-    color: #FFFFFF;
-    background-color: #FF7E25; }
+  border-radius: 3px;
 
-  .pagination > .active > a, .pagination > .active > a:hover, .pagination > .active > a:focus,
-  .pagination > .active > span,
-  .pagination > .active > span:hover,
-  .pagination > .active > span:focus {
-    z-index: 2;
-    color: #FFFFFF;
-    background-color: #FF7E25;
-    cursor: default; }
-
-  .pagination > .disabled > span,
-  .pagination > .disabled > span:hover,
-  .pagination > .disabled > span:focus,
-  .pagination > .disabled > a,
-  .pagination > .disabled > a:hover,
-  .pagination > .disabled > a:focus {
-    color: #000;
-    background-color: #e3e3e3;
-    cursor: not-allowed; }
+  > {
+    li {
+      display: inline;
+
+      > {
+        a, span {
+          position: relative;
+          float: left;
+          padding: 6px 12px;
+          line-height: 1.428571429;
+          text-decoration: none;
+          color: #FFFFFF;
+          background-color: #427795;
+          border: 1px solid rgba(23, 44, 56, 0.4);
+          margin-left: -1px;
+          cursor: pointer;
+        }
+      }
+
+      &:first-child > {
+        a, span {
+          margin-left: 0;
+          border-bottom-left-radius: 3px;
+          border-top-left-radius: 3px;
+        }
+      }
+
+      &:last-child > {
+        a, span {
+          border-bottom-right-radius: 3px;
+          border-top-right-radius: 3px;
+        }
+      }
+
+      > {
+        a {
+          &:hover, &:focus {
+            color: #FFFFFF;
+            background-color: #FF7E25;
+          }
+        }
+
+        span {
+          &:hover, &:focus {
+            color: #FFFFFF;
+            background-color: #FF7E25;
+          }
+        }
+      }
+    }
+
+    .active > {
+      a {
+        z-index: 2;
+        color: #FFFFFF;
+        background-color: #FF7E25;
+        cursor: default;
+
+        &:hover, &:focus {
+          z-index: 2;
+          color: #FFFFFF;
+          background-color: #FF7E25;
+          cursor: default;
+        }
+      }
+
+      span {
+        z-index: 2;
+        color: #FFFFFF;
+        background-color: #FF7E25;
+        cursor: default;
+
+        &:hover, &:focus {
+          z-index: 2;
+          color: #FFFFFF;
+          background-color: #FF7E25;
+          cursor: default;
+        }
+      }
+    }
+
+    .disabled > {
+      span {
+        color: #000;
+        background-color: #e3e3e3;
+        cursor: not-allowed;
+
+        &:hover, &:focus {
+          color: #000;
+          background-color: #e3e3e3;
+          cursor: not-allowed;
+        }
+      }
+
+      a {
+        color: #000;
+        background-color: #e3e3e3;
+        cursor: not-allowed;
+
+        &:hover, &:focus {
+          color: #000;
+          background-color: #e3e3e3;
+          cursor: not-allowed;
+        }
+      }
+    }
+  }
+}
 
+.pagination-lg > li {
+  > {
+    a, span {
+      padding: 10px 16px;
+      font-size: 18px;
+    }
+  }
+
+  &:first-child > {
+    a, span {
+      border-bottom-left-radius: 6px;
+      border-top-left-radius: 6px;
+    }
+  }
+
+  &:last-child > {
+    a, span {
+      border-bottom-right-radius: 6px;
+      border-top-right-radius: 6px;
+    }
+  }
+}
 
-.pagination-lg > li > a,
-.pagination-lg > li > span {
-  padding: 10px 16px;
-  font-size: 18px; }
-.pagination-lg > li:first-child > a,
-.pagination-lg > li:first-child > span {
-  border-bottom-left-radius: 6px;
-  border-top-left-radius: 6px; }
-.pagination-lg > li:last-child > a,
-.pagination-lg > li:last-child > span {
-  border-bottom-right-radius: 6px;
-  border-top-right-radius: 6px; }
-
-.pagination-sm > li > a,
-.pagination-sm > li > span {
-  padding: 5px 10px;
-  font-size: 12px; }
-.pagination-sm > li:first-child > a,
-.pagination-sm > li:first-child > span {
-  border-bottom-left-radius: 3px;
-  border-top-left-radius: 3px; }
-.pagination-sm > li:last-child > a,
-.pagination-sm > li:last-child > span {
-  border-bottom-right-radius: 3px;
-  border-top-right-radius: 3px; }
+.pagination-sm > li {
+  > {
+    a, span {
+      padding: 5px 10px;
+      font-size: 12px;
+    }
+  }
+
+  &:first-child > {
+    a, span {
+      border-bottom-left-radius: 3px;
+      border-top-left-radius: 3px;
+    }
+  }
+
+  &:last-child > {
+    a, span {
+      border-bottom-right-radius: 3px;
+      border-top-right-radius: 3px;
+    }
+  }
+}
 
 .pager {
   padding-left: 0;
   margin: 20px 0;
   list-style: none;
-  text-align: center; }
-  .pager:before, .pager:after {
+  text-align: center;
+
+  &:before {
     content: " ";
-    display: table; }
-  .pager:after {
-    clear: both; }
-  .pager li {
-    display: inline; }
-    .pager li > a,
-    .pager li > span {
-      display: inline-block;
-      padding: 5px 14px;
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+
+  li {
+    display: inline;
+
+    > {
+      a, span {
+        display: inline-block;
+        padding: 5px 14px;
+        background-color: #fff;
+        border: 1px solid #ddd;
+        border-radius: 15px;
+      }
+
+      a {
+        &:hover, &:focus {
+          text-decoration: none;
+          background-color: #eeeeee;
+        }
+      }
+    }
+  }
+
+  .next > {
+    a, span {
+      float: right;
+    }
+  }
+
+  .previous > {
+    a, span {
+      float: left;
+    }
+  }
+
+  .disabled > {
+    a {
+      color: #777777;
       background-color: #fff;
-      border: 1px solid #ddd;
-      border-radius: 15px; }
-    .pager li > a:hover,
-    .pager li > a:focus {
-      text-decoration: none;
-      background-color: #eeeeee; }
-
-  .pager .next > a,
-  .pager .next > span {
-    float: right; }
-  .pager .previous > a,
-  .pager .previous > span {
-    float: left; }
-  .pager .disabled > a,
-  .pager .disabled > a:hover,
-  .pager .disabled > a:focus,
-  .pager .disabled > span {
-    color: #777777;
-    background-color: #fff;
-    cursor: not-allowed; }
+      cursor: not-allowed;
+
+      &:hover, &:focus {
+        color: #777777;
+        background-color: #fff;
+        cursor: not-allowed;
+      }
+    }
 
+    span {
+      color: #777777;
+      background-color: #fff;
+      cursor: not-allowed;
+    }
+  }
+}
 
 .label {
   display: inline;
@@ -4184,60 +7241,91 @@ tbody.collapse.in {
   text-align: center;
   white-space: nowrap;
   vertical-align: baseline;
-  border-radius: .25em; }
-  .label:empty {
-    display: none; }
-  .btn .label {
-    position: relative;
-    top: -1px; }
+  border-radius: .25em;
 
-a.label:hover, a.label:focus {
-  color: #fff;
-  text-decoration: none;
-  cursor: pointer; }
+  &:empty {
+    display: none;
+  }
+}
+
+.btn .label {
+  position: relative;
+  top: -1px;
+}
 
+a.label {
+  &:hover, &:focus {
+    color: #fff;
+    text-decoration: none;
+    cursor: pointer;
+  }
+}
 
 .label-default {
-  background-color: #777777; }
-  .label-default[href]:hover, .label-default[href]:focus {
-    background-color: #5e5e5e;
-	border-color: #323232;}
+  background-color: #777777;
 
+  &[href] {
+    &:hover, &:focus {
+      background-color: #5e5e5e;
+      border-color: #323232;
+    }
+  }
+}
 
 .label-primary {
-  background-color: #FF8B00; }
-  .label-primary[href]:hover, .label-primary[href]:focus {
-    background-color: #b85904; }
+  background-color: #FF8B00;
 
+  &[href] {
+    &:hover, &:focus {
+      background-color: #b85904;
+    }
+  }
+}
 
 .label-success {
   background-color: #4FB654;
-  border-color: #323232;}
-  .label-success[href]:hover, .label-success[href]:focus {
-    background-color: #7fc54f;
-	border-color: #323232;	}
-
+  border-color: #323232;
+
+  &[href] {
+    &:hover, &:focus {
+      background-color: #7fc54f;
+      border-color: #323232;
+    }
+  }
+}
 
 .label-info {
-  background-color: #B0CDDB; }
-  .label-info[href]:hover, .label-info[href]:focus {
-    background-color: #8db7cb;
-	border-color: #323232;	}
+  background-color: #B0CDDB;
 
+  &[href] {
+    &:hover, &:focus {
+      background-color: #8db7cb;
+      border-color: #323232;
+    }
+  }
+}
 
 .label-warning {
-  background-color: #f0ad4e; }
-  .label-warning[href]:hover, .label-warning[href]:focus {
-    background-color: #ec971f;
-	border-color: #323232;}
-
+  background-color: #f0ad4e;
+
+  &[href] {
+    &:hover, &:focus {
+      background-color: #ec971f;
+      border-color: #323232;
+    }
+  }
+}
 
 .label-danger {
-  background-color: #DA4829; }
-  .label-danger[href]:hover, .label-danger[href]:focus {
-    background-color: #ec2121;
-	border-color: #323232;}
-
+  background-color: #DA4829;
+
+  &[href] {
+    &:hover, &:focus {
+      background-color: #ec2121;
+      border-color: #323232;
+    }
+  }
+}
 
 .badge {
   display: inline-block;
@@ -4251,55 +7339,93 @@ a.label:hover, a.label:focus {
   white-space: nowrap;
   text-align: center;
   background-color: #777777;
-  border-radius: 10px; }
-  .badge:empty {
-    display: none; }
-  .btn .badge {
-    position: relative;
-    top: -1px; }
-  .btn-xs .badge, .btn-group-xs > .btn .badge {
-    top: 0;
-    padding: 1px 5px; }
-  a.list-group-item.active > .badge, .nav-pills > .active > a > .badge {
+  border-radius: 10px;
+
+  &:empty {
+    display: none;
+  }
+}
+
+.btn .badge {
+  position: relative;
+  top: -1px;
+}
+
+.btn-xs .badge, .btn-group-xs > .btn .badge {
+  top: 0;
+  padding: 1px 5px;
+}
+
+a.list-group-item.active > .badge {
+  color: #FF8B00;
+  background-color: #fff;
+}
+
+.nav-pills > {
+  .active > a > .badge {
     color: #FF8B00;
-    background-color: #fff; }
-  .nav-pills > li > a > .badge {
-    margin-left: 3px; }
+    background-color: #fff;
+  }
 
-a.badge:hover, a.badge:focus {
-  color: #fff;
-  text-decoration: none;
-  cursor: pointer; }
+  li > a > .badge {
+    margin-left: 3px;
+  }
+}
 
+a.badge {
+  &:hover, &:focus {
+    color: #fff;
+    text-decoration: none;
+    cursor: pointer;
+  }
+}
 
 .jumbotron {
   padding: 30px;
   margin-bottom: 30px;
   color: inherit;
-  background-color: #eeeeee; }
-  .jumbotron h1,
-  .jumbotron .h1 {
-    color: inherit; }
-  .jumbotron p {
+  background-color: #eeeeee;
+
+  h1, .h1 {
+    color: inherit;
+  }
+
+  p {
     margin-bottom: 15px;
     font-size: 21px;
-    font-weight: 200; }
-  .jumbotron > hr {
-    border-top-color: #d5d5d5; }
+    font-weight: 200;
+  }
+
+  > hr {
+    border-top-color: #d5d5d5;
+  }
+}
+
+.container .jumbotron {
+  border-radius: 6px;
+}
+
+.jumbotron .container {
+  max-width: 100%;
+}
+
+@media screen and (min-width: 768px) {
+  .jumbotron {
+    padding-top: 48px;
+    padding-bottom: 48px;
+  }
+
   .container .jumbotron {
-    border-radius: 6px; }
-  .jumbotron .container {
-    max-width: 100%; }
-  @media screen and (min-width: 768px) {
-    .jumbotron {
-      padding-top: 48px;
-      padding-bottom: 48px; }
-      .container .jumbotron {
-        padding-left: 60px;
-        padding-right: 60px; }
-      .jumbotron h1,
-      .jumbotron .h1 {
-        font-size: 63px; } }
+    padding-left: 60px;
+    padding-right: 60px;
+  }
+
+  .jumbotron {
+    h1, .h1 {
+      font-size: 63px;
+    }
+  }
+}
 
 .thumbnail {
   display: block;
@@ -4311,96 +7437,145 @@ a.badge:hover, a.badge:focus {
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
   -o-transition: all 0.2s ease-in-out;
-  transition: all 0.2s ease-in-out; }
-  .thumbnail > img,
-  .thumbnail a > img {
+  transition: all 0.2s ease-in-out;
+
+  > img, a > img {
     display: block;
     width: 100% \9;
     max-width: 100%;
     height: auto;
     margin-left: auto;
-    margin-right: auto; }
-  .thumbnail .caption {
-    padding: 9px;
-    color: #3C3C3B; }
+    margin-right: auto;
+  }
 
-a.thumbnail:hover,
-a.thumbnail:focus,
-a.thumbnail.active {
-  border-color: #FF8B00; }
+  .caption {
+    padding: 9px;
+    color: #3C3C3B;
+  }
+}
 
+a.thumbnail {
+  &:hover, &:focus, &.active {
+    border-color: #FF8B00;
+  }
+}
 
 .alert {
   padding: 15px;
   margin-bottom: 20px;
   border: 1px solid #b0b0b0;
-  border-radius: 3px; }
-  .alert h4 {
+  border-radius: 3px;
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  h4 {
     margin-top: 0;
-    color: inherit; }
-  .alert .alert-link {
-    font-weight: bold; }
-  .alert > p,
-  .alert > ul {
-    margin-bottom: 0; }
-  .alert > p + p {
-    margin-top: 5px; }
-
-.alert-dismissable,
-.alert-dismissible {
-  padding-right: 35px; }
-  .alert-dismissable .close,
-  .alert-dismissible .close {
-    position: relative;
-    top: -2px;
-    right: -21px;
-    color: inherit; }
+    color: inherit;
+  }
+
+  .alert-link {
+    font-weight: bold;
+  }
+
+  > {
+    p, ul {
+      margin-bottom: 0;
+    }
+
+    p + p {
+      margin-top: 5px;
+    }
+  }
+}
+
+.alert-dismissable, .alert-dismissible {
+  padding-right: 35px;
+}
+
+.alert-dismissable .close, .alert-dismissible .close {
+  position: relative;
+  top: -2px;
+  right: -21px;
+  color: inherit;
+}
 
 .alert-success {
-	background-color: #fbfbfb;
-	border-color: #a5a5a5;
-	color: #000; }
-  .alert-success hr {
-    border-top-color: #8dcc62; }
-  .alert-success .alert-link {
-    color: #72bd3e; }
+  background-color: #fbfbfb;
+  border-color: #a5a5a5;
+  color: #000;
+
+  hr {
+    border-top-color: #8dcc62;
+  }
+
+  .alert-link {
+    color: #72bd3e;
+  }
+}
 
 .alert-info {
-	background-color: #fbfbfb;
-	border-color: #a5a5a5;
-	color: #000;}
-  .alert-info hr {
-    border-top-color: #DA4829; }
-  .alert-info .alert-link {
-    color: #DA4829; }
+  background-color: #fbfbfb;
+  border-color: #a5a5a5;
+  color: #000;
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  hr {
+    border-top-color: #DA4829;
+  }
+
+  .alert-link {
+    color: #DA4829;
+  }
+}
 
 .alert-warning {
-	background-color: #fff;
-	border: 1px solid #d12d0a;
-	color: #000;}
-  .alert-warning hr {
-    border-top-color: #f7e1b5; }
-  .alert-warning .alert-link {
-    color: #df8a13; }
+  background-color: #fff;
+  border: 1px solid #d12d0a;
+  color: #000;
+
+  hr {
+    border-top-color: #f7e1b5;
+  }
+
+  .alert-link {
+    color: #df8a13;
+  }
+}
 
 .alert-danger {
-	background-color: #30596f;
-	border-color: #b0b0b0; }
-  .alert-danger hr {
-    border-top-color: #DA4829; }
-  .alert-danger .alert-link {
-    color: #DA4829; }
+  background-color: #30596f;
+  border-color: #b0b0b0;
+
+  hr {
+    border-top-color: #DA4829;
+  }
+
+  .alert-link {
+    color: #DA4829;
+  }
+}
 
 @-webkit-keyframes progress-bar-stripes {
   from {
-    background-position: 40px 0; }
+    background-position: 40px 0;
+  }
+
   to {
-    background-position: 0 0; } }
+    background-position: 0 0;
+  }
+}
+
 @keyframes progress-bar-stripes {
   from {
-    background-position: 40px 0; }
+    background-position: 40px 0;
+  }
+
   to {
-    background-position: 0 0; } }
+    background-position: 0 0;
+  }
+}
+
 .progress {
   margin-bottom: 3px;
   color: #000;
@@ -4410,7 +7585,8 @@ a.thumbnail.active {
   border-radius: 3px;
   position: relative;
   -webkit-box-shadow: inset 0px 1px 2px 1px rgb(172, 172, 172);
-	box-shadow: inset inset 0px 1px 2px 1px rgb(172, 172, 172); }
+  box-shadow: inset inset 0px 1px 2px 1px rgb(172, 172, 172);
+}
 
 .progress-bar {
   float: left;
@@ -4431,512 +7607,945 @@ a.thumbnail.active {
   margin: 1px 0 0 0 !important;
 }
 
-.progress-striped .progress-bar,
-.progress-bar-striped {
+.progress-striped .progress-bar, .progress-bar-striped {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-size: 40px 40px;
+}
+
+.progress.active .progress-bar {
+  -webkit-animation: progress-bar-stripes 2s linear infinite;
+  -o-animation: progress-bar-stripes 2s linear infinite;
+  animation: progress-bar-stripes 2s linear infinite;
+}
+
+.progress-bar {
+  &.active {
+    -webkit-animation: progress-bar-stripes 2s linear infinite;
+    -o-animation: progress-bar-stripes 2s linear infinite;
+    animation: progress-bar-stripes 2s linear infinite;
+  }
+
+  &[aria-valuenow="1"], &[aria-valuenow="2"] {
+    min-width: 30px;
+  }
+
+  &[aria-valuenow="0"] {
+    color: #777777;
+    min-width: 30px;
+    background-color: transparent;
+    background-image: none;
+    box-shadow: none;
+  }
+}
+
+.progress-bar-success {
+  background-color: #4FB654;
+}
+
+.progress-striped .progress-bar-success {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+}
+
+.progress-bar-info {
+  background-color: #038CCF;
+}
+
+.progress-striped .progress-bar-info {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-size: 40px 40px; }
-
-.progress.active .progress-bar,
-.progress-bar.active {
-  -webkit-animation: progress-bar-stripes 2s linear infinite;
-  -o-animation: progress-bar-stripes 2s linear infinite;
-  animation: progress-bar-stripes 2s linear infinite; }
-
-.progress-bar[aria-valuenow="1"], .progress-bar[aria-valuenow="2"] {
-  min-width: 30px; }
-.progress-bar[aria-valuenow="0"] {
-  color: #777777;
-  min-width: 30px;
-  background-color: transparent;
-  background-image: none;
-  box-shadow: none; }
-
-.progress-bar-success {
-  background-color: #4FB654; }
-  .progress-striped .progress-bar-success {
-    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
-
-.progress-bar-info {
-  background-color: #038CCF; }
-  .progress-striped .progress-bar-info {
-    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+}
 
 .progress-bar-warning {
   background-color: #CCB60F;
-  color: #FFFFFF !important; }
-  .progress-striped .progress-bar-warning {
-    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+  color: #FFFFFF !important;
+}
+
+.progress-striped .progress-bar-warning {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+}
 
 .progress-bar-danger {
-  background-color: #CC2400; }
-  .progress-striped .progress-bar-danger {
-    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
-
-.media,
-.media-body {
+  background-color: #CC2400;
+}
+
+.progress-striped .progress-bar-danger {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+}
+
+.media, .media-body {
   overflow: hidden;
-  zoom: 1; }
+  zoom: 1;
+}
+
+.media {
+  margin-top: 15px;
 
-.media,
-.media .media {
-  margin-top: 15px; }
+  .media {
+    margin-top: 15px;
+  }
 
-.media:first-child {
-  margin-top: 0; }
+  &:first-child {
+    margin-top: 0;
+  }
+}
 
 .media-object {
-  display: block; }
+  display: block;
+}
 
 .media-heading {
-  margin: 0 0 5px; }
+  margin: 0 0 5px;
+}
+
+.media > {
+  .pull-left {
+    margin-right: 10px;
+  }
 
-.media > .pull-left {
-  margin-right: 10px; }
-.media > .pull-right {
-  margin-left: 10px; }
+  .pull-right {
+    margin-left: 10px;
+  }
+}
 
 .media-list {
   padding-left: 0;
-  list-style: none; }
+  list-style: none;
+}
 
 .list-group {
   margin-bottom: 20px;
-  padding-left: 0; }
+  padding-left: 0;
+}
 
 .list-group-item {
   position: relative;
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #294c5f; }
-  .list-group-item:last-child {
-    margin-bottom: 0; }
-  .list-group-item > .badge {
-    float: right; }
-  .list-group-item > .badge + .badge {
-    margin-right: 5px; }
+  background-color: #294c5f;
+
+  &:last-child {
+    margin-bottom: 0;
+  }
+
+  > .badge {
+    float: right;
+
+    + .badge {
+      margin-right: 5px;
+    }
+  }
+}
 
 a.list-group-item {
   color: #FFFFFF;
   border-radius: 0;
-  outline:0; }
+  outline: 0;
+
+  .list-group-item-heading {
+    color: #2d2d2d;
+  }
 
-  a.list-group-item .list-group-item-heading {
-    color: #2d2d2d; }
-  a.list-group-item:hover, a.list-group-item:focus {
+  &:hover, &:focus {
     text-decoration: none;
     color: #000;
-    background-color: #FFF; }
-
-    a.list-group-item:hover:before, a.list-group-item:focus:before {
-      background: #FFFFFF;
-      content: "";
-      height: 42px;
-      left: 0;
-      position: absolute;
-      top: 0;
-      width: 3px; }
-
-.list-group-item.disabled, .list-group-item.disabled:hover, .list-group-item.disabled:focus {
-  background-color: #eeeeee;
-  color: #777777; }
-
-  .list-group-item.disabled .list-group-item-heading, .list-group-item.disabled:hover .list-group-item-heading, .list-group-item.disabled:focus .list-group-item-heading {
-    color: inherit; }
-
-  .list-group-item.disabled .list-group-item-text, .list-group-item.disabled:hover .list-group-item-text, .list-group-item.disabled:focus .list-group-item-text {
-    color: #777777; }
+    background-color: #FFF;
+  }
 
-.list-group-item.active, .list-group-item.active:hover, .list-group-item.active:focus {
-  z-index: 2; }
-  .list-group-item.active:before, .list-group-item.active:hover:before, .list-group-item.active:focus:before {
-    background: #ff8b00;
+  &:hover:before, &:focus:before {
+    background: #FFFFFF;
     content: "";
     height: 42px;
     left: 0;
     position: absolute;
-    top: 0px;
-    width: 3px; }
-
-  .list-group-item.active .list-group-item-heading,
-  .list-group-item.active .list-group-item-heading > small,
-  .list-group-item.active .list-group-item-heading > .small, .list-group-item.active:hover .list-group-item-heading,
-  .list-group-item.active:hover .list-group-item-heading > small,
-  .list-group-item.active:hover .list-group-item-heading > .small, .list-group-item.active:focus .list-group-item-heading,
-  .list-group-item.active:focus .list-group-item-heading > small,
-  .list-group-item.active:focus .list-group-item-heading > .small {
-    color: inherit; }
-  .list-group-item.active .list-group-item-text, .list-group-item.active:hover .list-group-item-text, .list-group-item.active:focus .list-group-item-text {
-    color: #fedcbd; }
-  .list-group-item.active + .collapse > .list-group-item:before, .list-group-item.active:hover + .collapse > .list-group-item:before, .list-group-item.active:focus + .collapse > .list-group-item:before {
-    background: #FF8B00;
-    content: "";
-    height: 42px;
-    left: 0;
-    position: absolute;
-    top: 0px;
-    width: 3px; }
+    top: 0;
+    width: 3px;
+  }
+}
+
+.list-group-item {
+  &.disabled {
+    background-color: #eeeeee;
+    color: #777777;
+
+    &:hover, &:focus {
+      background-color: #eeeeee;
+      color: #777777;
+    }
+
+    .list-group-item-heading, &:hover .list-group-item-heading, &:focus .list-group-item-heading {
+      color: inherit;
+    }
+
+    .list-group-item-text, &:hover .list-group-item-text, &:focus .list-group-item-text {
+      color: #777777;
+    }
+  }
+
+  &.active {
+    z-index: 2;
+
+    &:hover, &:focus {
+      z-index: 2;
+    }
+
+    &:before, &:hover:before, &:focus:before {
+      background: #ff8b00;
+      content: "";
+      height: 42px;
+      left: 0;
+      position: absolute;
+      top: 0px;
+      width: 3px;
+    }
+
+    .list-group-item-heading {
+      color: inherit;
+
+      > {
+        small, .small {
+          color: inherit;
+        }
+      }
+    }
+
+    &:hover .list-group-item-heading {
+      color: inherit;
+
+      > {
+        small, .small {
+          color: inherit;
+        }
+      }
+    }
+
+    &:focus .list-group-item-heading {
+      color: inherit;
+
+      > {
+        small, .small {
+          color: inherit;
+        }
+      }
+    }
+
+    .list-group-item-text, &:hover .list-group-item-text, &:focus .list-group-item-text {
+      color: #fedcbd;
+    }
+
+    + .collapse > .list-group-item:before, &:hover + .collapse > .list-group-item:before, &:focus + .collapse > .list-group-item:before {
+      background: #FF8B00;
+      content: "";
+      height: 42px;
+      left: 0;
+      position: absolute;
+      top: 0px;
+      width: 3px;
+    }
+  }
+}
 
 .list-group-item-success {
   color: #9BD275;
-  background-color: #9BD275; }
+  background-color: #9BD275;
+}
 
 a.list-group-item-success {
-  color: #9BD275; }
-  a.list-group-item-success .list-group-item-heading {
-    color: inherit; }
-  a.list-group-item-success:hover, a.list-group-item-success:focus {
+  color: #9BD275;
+
+  .list-group-item-heading {
+    color: inherit;
+  }
+
+  &:hover, &:focus {
     color: #9BD275;
-    background-color: #8dcc62; }
-  a.list-group-item-success.active, a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
+    background-color: #8dcc62;
+  }
+
+  &.active {
     color: #fff;
     background-color: #9BD275;
-    border-color: #9BD275; }
+    border-color: #9BD275;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #9BD275;
+      border-color: #9BD275;
+    }
+  }
+}
 
 .list-group-item-info {
   color: #31708f;
-  background-color: #d9edf7; }
+  background-color: #d9edf7;
+}
 
 a.list-group-item-info {
-  color: #31708f; }
-  a.list-group-item-info .list-group-item-heading {
-    color: inherit; }
-  a.list-group-item-info:hover, a.list-group-item-info:focus {
+  color: #31708f;
+
+  .list-group-item-heading {
+    color: inherit;
+  }
+
+  &:hover, &:focus {
     color: #31708f;
-    background-color: #c4e3f3; }
-  a.list-group-item-info.active, a.list-group-item-info.active:hover, a.list-group-item-info.active:focus {
+    background-color: #c4e3f3;
+  }
+
+  &.active {
     color: #fff;
     background-color: #31708f;
-    border-color: #31708f; }
+    border-color: #31708f;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #31708f;
+      border-color: #31708f;
+    }
+  }
+}
 
 .list-group-item-warning {
   color: #f0ad4e;
-  background-color: #fcf8e3; }
+  background-color: #fcf8e3;
+}
 
 a.list-group-item-warning {
-  color: #f0ad4e; }
-  a.list-group-item-warning .list-group-item-heading {
-    color: inherit; }
-  a.list-group-item-warning:hover, a.list-group-item-warning:focus {
+  color: #f0ad4e;
+
+  .list-group-item-heading {
+    color: inherit;
+  }
+
+  &:hover, &:focus {
     color: #f0ad4e;
-    background-color: #faf2cc; }
-  a.list-group-item-warning.active, a.list-group-item-warning.active:hover, a.list-group-item-warning.active:focus {
+    background-color: #faf2cc;
+  }
+
+  &.active {
     color: #fff;
     background-color: #f0ad4e;
-    border-color: #f0ad4e; }
+    border-color: #f0ad4e;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #f0ad4e;
+      border-color: #f0ad4e;
+    }
+  }
+}
 
 .list-group-item-danger {
   color: #F05050;
-  background-color: #F05050; }
+  background-color: #F05050;
+}
 
 a.list-group-item-danger {
-  color: #F05050; }
-  a.list-group-item-danger .list-group-item-heading {
-    color: inherit; }
-  a.list-group-item-danger:hover, a.list-group-item-danger:focus {
+  color: #F05050;
+
+  .list-group-item-heading {
+    color: inherit;
+  }
+
+  &:hover, &:focus {
     color: #F05050;
-    background-color: #ee3939; }
-  a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-group-item-danger.active:focus {
+    background-color: #ee3939;
+  }
+
+  &.active {
     color: #fff;
     background-color: #F05050;
-    border-color: #F05050; }
+    border-color: #F05050;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #F05050;
+      border-color: #F05050;
+    }
+  }
+}
 
 .list-group-item-heading {
   margin-top: 0;
-  margin-bottom: 5px; }
+  margin-bottom: 5px;
+}
 
 .list-group-item-text {
   margin-bottom: 0;
-  line-height: 1.3; }
+  line-height: 1.3;
+}
 
 .panel {
   border: 1px solid #b0b0b0;
-  margin-bottom: 20px; }
+  margin-bottom: 20px;
+}
 
 .panel-body {
   padding: 15px;
-  background-color: #F0F0F0;}
-  .panel-body:before, .panel-body:after {
+  background-color: #F0F0F0;
+
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
     content: " ";
-    display: table; }
-  .panel-body:after {
-    clear: both; }
+    display: table;
+    clear: both;
+  }
+}
 
 .panel-heading {
   padding: 10px 15px;
   border-bottom: 1px solid #b0b0b0;
   border-top-right-radius: 2px;
   border-top-left-radius: 2px;
-  background-color: #30596f; }
+  background-color: #30596f;
 
-  .panel-heading > .dropdown .dropdown-toggle {
-    color: inherit; }
+  > .dropdown .dropdown-toggle {
+    color: inherit;
+  }
+}
 
 .panel-title {
   margin-top: 0;
   margin-bottom: 0;
   font-size: 16px;
-  color: inherit; }
-  .panel-title > a {
-    color: inherit; }
+  color: inherit;
+
+  > a {
+    color: inherit;
+  }
+}
 
 .panel-footer {
   padding: 10px 15px;
   background-color: #f5f5f5;
   border-top: 1px solid #ddd;
   border-bottom-right-radius: 2px;
-  border-bottom-left-radius: 2px; }
+  border-bottom-left-radius: 2px;
+}
 
 .panel > .list-group {
-  margin-bottom: 0; }
-  .panel > .list-group .list-group-item {
+  margin-bottom: 0;
+
+  .list-group-item {
     border-width: 1px 0;
-    border-radius: 0; }
-  .panel > .list-group:first-child .list-group-item:first-child {
-    border-top: 0; }
-  .panel > .list-group:last-child .list-group-item:last-child {
-    border-bottom: 0; }
-
-.panel-heading + .list-group .list-group-item:first-child {
-  border-top-width: 0; }
-
-.list-group + .panel-footer {
-  border-top-width: 0; }
-
-.panel > .table,
-.panel > .table-responsive > .table,
-.panel > .panel-collapse > .table {
-  margin-bottom: 0; }
-.panel > .table:first-child,
-.panel > .table-responsive:first-child > .table:first-child {
-  border-top-right-radius: 2px;
-  border-top-left-radius: 2px; }
-  .panel > .table:first-child > thead:first-child > tr:first-child td:first-child,
-  .panel > .table:first-child > thead:first-child > tr:first-child th:first-child,
-  .panel > .table:first-child > tbody:first-child > tr:first-child td:first-child,
-  .panel > .table:first-child > tbody:first-child > tr:first-child th:first-child,
-  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child,
-  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child,
-  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child,
-  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child {
-    border-top-left-radius: 2px; }
-  .panel > .table:first-child > thead:first-child > tr:first-child td:last-child,
-  .panel > .table:first-child > thead:first-child > tr:first-child th:last-child,
-  .panel > .table:first-child > tbody:first-child > tr:first-child td:last-child,
-  .panel > .table:first-child > tbody:first-child > tr:first-child th:last-child,
-  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child,
-  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child,
-  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child,
-  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child {
-    border-top-right-radius: 2px; }
-.panel > .table:last-child,
-.panel > .table-responsive:last-child > .table:last-child {
-  border-bottom-right-radius: 2px;
-  border-bottom-left-radius: 2px; }
-  .panel > .table:last-child > tbody:last-child > tr:last-child td:first-child,
-  .panel > .table:last-child > tbody:last-child > tr:last-child th:first-child,
-  .panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
-  .panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child,
-  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child,
-  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child,
-  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
-  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child {
-    border-bottom-left-radius: 2px; }
-  .panel > .table:last-child > tbody:last-child > tr:last-child td:last-child,
-  .panel > .table:last-child > tbody:last-child > tr:last-child th:last-child,
-  .panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
-  .panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child,
-  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child,
-  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child,
-  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
-  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child {
-    border-bottom-right-radius: 2px; }
-.panel > .panel-body + .table,
-.panel > .panel-body + .table-responsive {
-  border-top: 1px solid #eee; }
-.panel > .table > tbody:first-child > tr:first-child th,
-.panel > .table > tbody:first-child > tr:first-child td {
-  border-top: 0; }
-.panel > .table-bordered,
-.panel > .table-responsive > .table-bordered {
-  border: 0; }
-  .panel > .table-bordered > thead > tr > th:first-child,
-  .panel > .table-bordered > thead > tr > td:first-child,
-  .panel > .table-bordered > tbody > tr > th:first-child,
-  .panel > .table-bordered > tbody > tr > td:first-child,
-  .panel > .table-bordered > tfoot > tr > th:first-child,
-  .panel > .table-bordered > tfoot > tr > td:first-child,
-  .panel > .table-responsive > .table-bordered > thead > tr > th:first-child,
-  .panel > .table-responsive > .table-bordered > thead > tr > td:first-child,
-  .panel > .table-responsive > .table-bordered > tbody > tr > th:first-child,
-  .panel > .table-responsive > .table-bordered > tbody > tr > td:first-child,
-  .panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child,
-  .panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child {
-    border-left: 0; }
-  .panel > .table-bordered > thead > tr > th:last-child,
-  .panel > .table-bordered > thead > tr > td:last-child,
-  .panel > .table-bordered > tbody > tr > th:last-child,
-  .panel > .table-bordered > tbody > tr > td:last-child,
-  .panel > .table-bordered > tfoot > tr > th:last-child,
-  .panel > .table-bordered > tfoot > tr > td:last-child,
-  .panel > .table-responsive > .table-bordered > thead > tr > th:last-child,
-  .panel > .table-responsive > .table-bordered > thead > tr > td:last-child,
-  .panel > .table-responsive > .table-bordered > tbody > tr > th:last-child,
-  .panel > .table-responsive > .table-bordered > tbody > tr > td:last-child,
-  .panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child,
-  .panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child {
-    border-right: 0; }
-  .panel > .table-bordered > thead > tr:first-child > td,
-  .panel > .table-bordered > thead > tr:first-child > th,
-  .panel > .table-bordered > tbody > tr:first-child > td,
-  .panel > .table-bordered > tbody > tr:first-child > th,
-  .panel > .table-responsive > .table-bordered > thead > tr:first-child > td,
-  .panel > .table-responsive > .table-bordered > thead > tr:first-child > th,
-  .panel > .table-responsive > .table-bordered > tbody > tr:first-child > td,
-  .panel > .table-responsive > .table-bordered > tbody > tr:first-child > th {
-    border-bottom: 0; }
-  .panel > .table-bordered > tbody > tr:last-child > td,
-  .panel > .table-bordered > tbody > tr:last-child > th,
-  .panel > .table-bordered > tfoot > tr:last-child > td,
-  .panel > .table-bordered > tfoot > tr:last-child > th,
-  .panel > .table-responsive > .table-bordered > tbody > tr:last-child > td,
-  .panel > .table-responsive > .table-bordered > tbody > tr:last-child > th,
-  .panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td,
-  .panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th {
-    border-bottom: 0; }
-.panel > .table-responsive {
-  border: 0;
-  margin-bottom: 0; }
+    border-radius: 0;
+  }
+
+  &:first-child .list-group-item:first-child {
+    border-top: 0;
+  }
+
+  &:last-child .list-group-item:last-child {
+    border-bottom: 0;
+  }
+}
+
+.panel-heading + .list-group .list-group-item:first-child, .list-group + .panel-footer {
+  border-top-width: 0;
+}
+
+.panel > {
+  .table, .table-responsive > .table, .panel-collapse > .table {
+    margin-bottom: 0;
+  }
+
+  .table:first-child, .table-responsive:first-child > .table:first-child {
+    border-top-right-radius: 2px;
+    border-top-left-radius: 2px;
+  }
+
+  .table:first-child > {
+    thead:first-child > tr:first-child {
+      td:first-child, th:first-child {
+        border-top-left-radius: 2px;
+      }
+    }
+
+    tbody:first-child > tr:first-child {
+      td:first-child, th:first-child {
+        border-top-left-radius: 2px;
+      }
+    }
+  }
+
+  .table-responsive:first-child > .table:first-child > {
+    thead:first-child > tr:first-child {
+      td:first-child, th:first-child {
+        border-top-left-radius: 2px;
+      }
+    }
+
+    tbody:first-child > tr:first-child {
+      td:first-child, th:first-child {
+        border-top-left-radius: 2px;
+      }
+    }
+  }
+
+  .table:first-child > {
+    thead:first-child > tr:first-child {
+      td:last-child, th:last-child {
+        border-top-right-radius: 2px;
+      }
+    }
+
+    tbody:first-child > tr:first-child {
+      td:last-child, th:last-child {
+        border-top-right-radius: 2px;
+      }
+    }
+  }
+
+  .table-responsive:first-child > .table:first-child > {
+    thead:first-child > tr:first-child {
+      td:last-child, th:last-child {
+        border-top-right-radius: 2px;
+      }
+    }
+
+    tbody:first-child > tr:first-child {
+      td:last-child, th:last-child {
+        border-top-right-radius: 2px;
+      }
+    }
+  }
+
+  .table:last-child, .table-responsive:last-child > .table:last-child {
+    border-bottom-right-radius: 2px;
+    border-bottom-left-radius: 2px;
+  }
+
+  .table:last-child > {
+    tbody:last-child > tr:last-child {
+      td:first-child, th:first-child {
+        border-bottom-left-radius: 2px;
+      }
+    }
+
+    tfoot:last-child > tr:last-child {
+      td:first-child, th:first-child {
+        border-bottom-left-radius: 2px;
+      }
+    }
+  }
+
+  .table-responsive:last-child > .table:last-child > {
+    tbody:last-child > tr:last-child {
+      td:first-child, th:first-child {
+        border-bottom-left-radius: 2px;
+      }
+    }
+
+    tfoot:last-child > tr:last-child {
+      td:first-child, th:first-child {
+        border-bottom-left-radius: 2px;
+      }
+    }
+  }
+
+  .table:last-child > {
+    tbody:last-child > tr:last-child {
+      td:last-child, th:last-child {
+        border-bottom-right-radius: 2px;
+      }
+    }
+
+    tfoot:last-child > tr:last-child {
+      td:last-child, th:last-child {
+        border-bottom-right-radius: 2px;
+      }
+    }
+  }
+
+  .table-responsive:last-child > .table:last-child > {
+    tbody:last-child > tr:last-child {
+      td:last-child, th:last-child {
+        border-bottom-right-radius: 2px;
+      }
+    }
+
+    tfoot:last-child > tr:last-child {
+      td:last-child, th:last-child {
+        border-bottom-right-radius: 2px;
+      }
+    }
+  }
+
+  .panel-body + {
+    .table, .table-responsive {
+      border-top: 1px solid #eee;
+    }
+  }
+
+  .table > tbody:first-child > tr:first-child {
+    th, td {
+      border-top: 0;
+    }
+  }
+
+  .table-bordered, .table-responsive > .table-bordered {
+    border: 0;
+  }
+
+  .table-bordered > {
+    thead > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+
+    tbody > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+
+    tfoot > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+  }
+
+  .table-responsive > .table-bordered > {
+    thead > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+
+    tbody > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+
+    tfoot > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+  }
+
+  .table-bordered > {
+    thead > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+
+    tbody > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+
+    tfoot > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+  }
+
+  .table-responsive > .table-bordered > {
+    thead > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+
+    tbody > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+
+    tfoot > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+  }
+
+  .table-bordered > {
+    thead > tr:first-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+
+    tbody > tr:first-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+  }
+
+  .table-responsive > .table-bordered > {
+    thead > tr:first-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+
+    tbody > tr:first-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+  }
+
+  .table-bordered > {
+    tbody > tr:last-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+
+    tfoot > tr:last-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+  }
+
+  .table-responsive {
+    > .table-bordered > {
+      tbody > tr:last-child > {
+        td, th {
+          border-bottom: 0;
+        }
+      }
+
+      tfoot > tr:last-child > {
+        td, th {
+          border-bottom: 0;
+        }
+      }
+    }
+
+    border: 0;
+    margin-bottom: 0;
+  }
+}
 
 .panel-group {
-  margin-bottom: 20px; }
-  .panel-group .panel {
+  margin-bottom: 20px;
+
+  .panel {
     margin-bottom: 0;
-    border-radius: 3px; }
-    .panel-group .panel + .panel {
-      margin-top: 5px; }
-  .panel-group .panel-heading {
-    border-bottom: 0; }
-    .panel-group .panel-heading + .panel-collapse > .panel-body {
-      border-top: 1px solid #ddd; }
-  .panel-group .panel-footer {
-    border-top: 0; }
-    .panel-group .panel-footer + .panel-collapse .panel-body {
-      border-bottom: 1px solid #ddd; }
-  .panel-default {
-	-webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
-  .panel-default > .panel-heading {
-	color: #fff;
-	border-color: #b0b0b0; }
-    .panel-default > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #b0b0b0; }
-    .panel-default > .panel-heading .badge {
-      color: #f5f5f5;
-      background-color: #2d2d2d; }
-  .panel-default > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #b0b0b0; }
-  .panel-primary {
-	-webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
-  .panel-primary > .panel-heading {
-    color: #FFF;
-    border-color: #b0b0b0; }
-    .panel-primary > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #FF8B00; }
-    .panel-primary > .panel-heading .badge {
-      color: #FF8B00;
-      background-color: #fff; }
-  .panel-primary > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #FF8B00; }
+    border-radius: 3px;
+
+    + .panel {
+      margin-top: 5px;
+    }
+  }
+
+  .panel-heading {
+    border-bottom: 0;
+
+    + .panel-collapse > .panel-body {
+      border-top: 1px solid #ddd;
+    }
+  }
+
+  .panel-footer {
+    border-top: 0;
+
+    + .panel-collapse .panel-body {
+      border-bottom: 1px solid #ddd;
+    }
+  }
+}
+
+.panel-default {
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  > {
+    .panel-heading {
+      color: #fff;
+      border-color: #b0b0b0;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #b0b0b0;
+      }
+
+      .badge {
+        color: #f5f5f5;
+        background-color: #2d2d2d;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #b0b0b0;
+    }
+  }
+}
+
+.panel-primary {
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  > {
+    .panel-heading {
+      color: #FFF;
+      border-color: #b0b0b0;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #FF8B00;
+      }
+
+      .badge {
+        color: #FF8B00;
+        background-color: #fff;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #FF8B00;
+    }
+  }
+}
 
 .panel-success {
-  border-color: #9BD275; }
-  .panel-success > .panel-heading {
-    color: #9BD275;
-    background-color: #9BD275;
-    border-color: #9BD275; }
-    .panel-success > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #9BD275; }
-    .panel-success > .panel-heading .badge {
+  border-color: #9BD275;
+
+  > {
+    .panel-heading {
       color: #9BD275;
-      background-color: #9BD275; }
-  .panel-success > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #9BD275; }
+      background-color: #9BD275;
+      border-color: #9BD275;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #9BD275;
+      }
+
+      .badge {
+        color: #9BD275;
+        background-color: #9BD275;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #9BD275;
+    }
+  }
+}
 
 .panel-info {
-  border-color: #b0b0b0; }
-  .panel-info > .panel-heading {
-    color: #31708f;
-    background-color: #d9edf7;
-    border-color: #b0b0b0; }
-    .panel-info > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #b0b0b0; }
-    .panel-info > .panel-heading .badge {
-      color: #d9edf7;
-      background-color: #31708f; }
-  .panel-info > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #b0b0b0; }
+  border-color: #b0b0b0;
+
+  > {
+    .panel-heading {
+      color: #31708f;
+      background-color: #d9edf7;
+      border-color: #b0b0b0;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #b0b0b0;
+      }
+
+      .badge {
+        color: #d9edf7;
+        background-color: #31708f;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #b0b0b0;
+    }
+  }
+}
 
 .panel-warning {
-  border-color: #faebcc; }
-  .panel-warning > .panel-heading {
-    color: #f0ad4e;
-    background-color: #fcf8e3;
-    border-color: #faebcc; }
-    .panel-warning > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #faebcc; }
-    .panel-warning > .panel-heading .badge {
-      color: #fcf8e3;
-      background-color: #f0ad4e; }
-  .panel-warning > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #faebcc; }
+  border-color: #faebcc;
+
+  > {
+    .panel-heading {
+      color: #f0ad4e;
+      background-color: #fcf8e3;
+      border-color: #faebcc;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #faebcc;
+      }
+
+      .badge {
+        color: #fcf8e3;
+        background-color: #f0ad4e;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #faebcc;
+    }
+  }
+}
 
 .panel-danger {
-  border-color: #F05050; }
-  .panel-danger > .panel-heading {
-    color: #F05050;
-    background-color: #F05050;
-    border-color: #F05050; }
-    .panel-danger > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #F05050; }
-    .panel-danger > .panel-heading .badge {
+  border-color: #F05050;
+
+  > {
+    .panel-heading {
       color: #F05050;
-      background-color: #F05050; }
-  .panel-danger > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #F05050; }
+      background-color: #F05050;
+      border-color: #F05050;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #F05050;
+      }
+
+      .badge {
+        color: #F05050;
+        background-color: #F05050;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #F05050;
+    }
+  }
+}
 
 .embed-responsive {
   position: relative;
   display: block;
   height: 0;
   padding: 0;
-  overflow: hidden; }
-  .embed-responsive .embed-responsive-item,
-  .embed-responsive iframe,
-  .embed-responsive embed,
-  .embed-responsive object {
+  overflow: hidden;
+
+  .embed-responsive-item, iframe, embed, object {
     position: absolute;
     top: 0;
     left: 0;
     bottom: 0;
     height: 100%;
     width: 100%;
-    border: 0; }
-  .embed-responsive.embed-responsive-16by9 {
-    padding-bottom: 56.25%; }
-  .embed-responsive.embed-responsive-4by3 {
-    padding-bottom: 75%; }
+    border: 0;
+  }
+
+  &.embed-responsive-16by9 {
+    padding-bottom: 56.25%;
+  }
+
+  &.embed-responsive-4by3 {
+    padding-bottom: 75%;
+  }
+}
 
 .well {
   min-height: 20px;
@@ -4944,44 +8553,54 @@ a.list-group-item-danger {
   margin-bottom: 20px;
   background-color: none;
   border: none;
-  border-radius: none; }
-  .well blockquote {
+  border-radius: none;
+
+  blockquote {
     border-color: #ddd;
-    border-color: rgba(0, 0, 0, 0.15); }
+    border-color: rgba(0, 0, 0, 0.15);
+  }
+}
 
 .well-lg {
   padding: 24px;
-  border-radius: 6px; }
+  border-radius: 6px;
+}
 
 .well-sm {
   padding: 9px;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 .close {
-  float:right;
+  float: right;
   font-size: 21px;
   font-weight: bold;
   line-height: 1;
   color: #FFFFFF;
   text-shadow: 0 1px 0 #000;
   opacity: 1;
-  filter: alpha(opacity=100); }
-  .close:hover, .close:focus {
+  filter: alpha(opacity = 100);
+
+  &:hover, &:focus {
     color: #000;
     text-decoration: none;
     cursor: pointer;
     opacity: 1;
-    filter: alpha(opacity=100); }
+    filter: alpha(opacity = 100);
+  }
+}
 
 button.close {
   padding: 0;
   cursor: pointer;
   background: transparent;
   border: 0;
-  -webkit-appearance: none; }
+  -webkit-appearance: none;
+}
 
 .modal-open {
-  overflow: hidden; }
+  overflow: hidden;
+}
 
 .modal {
   display: none;
@@ -4993,27 +8612,34 @@ button.close {
   left: 0;
   z-index: 1050;
   -webkit-overflow-scrolling: touch;
-  outline: 0; }
-  .modal.fade .modal-dialog {
+  outline: 0;
+
+  &.fade .modal-dialog {
     -webkit-transform: translate3d(0, -25%, 0);
     transform: translate3d(0, -25%, 0);
     -webkit-transition: -webkit-transform 0.3s ease-out;
     -moz-transition: -moz-transform 0.3s ease-out;
     -o-transition: -o-transform 0.3s ease-out;
-    transition: transform 0.3s ease-out; }
-  .modal.in .modal-dialog {
+    transition: transform 0.3s ease-out;
+  }
+
+  &.in .modal-dialog {
     -webkit-transform: translate3d(0, 0, 0);
-    transform: translate3d(0, 0, 0); }
+    transform: translate3d(0, 0, 0);
+  }
+}
 
 .modal-open .modal {
   overflow-x: hidden;
-  overflow-y: auto; }
+  overflow-y: auto;
+}
 
 .modal-dialog {
   position: relative;
   width: auto;
   margin: 62px 10px 10px 10px;
-  border: 1px solid #7a7a7a;}
+  border: 1px solid #7a7a7a;
+}
 
 .modal-content {
   position: relative;
@@ -5023,7 +8649,8 @@ button.close {
   -webkit-box-shadow: 0 5px 15px rgb(30, 30, 30);
   box-shadow: 0 5px 15px rgb(5, 5, 5);
   background-clip: padding-box;
-  outline: 0; }
+  outline: 0;
+}
 
 .modal-backdrop {
   position: fixed;
@@ -5032,79 +8659,113 @@ button.close {
   bottom: 0;
   left: 0;
   z-index: 1040;
-  background-color: #000; }
-  .modal-backdrop.fade {
+  background-color: #000;
+
+  &.fade {
     opacity: 0;
-    filter: alpha(opacity=0); }
-  .modal-backdrop.in {
+    filter: alpha(opacity = 0);
+  }
+
+  &.in {
     opacity: 0.5;
-    filter: alpha(opacity=50); }
+    filter: alpha(opacity = 50);
+  }
+}
 
 .modal-header {
-  padding-left:10px;
-  padding-right:10px;
-  padding-top:3px;
-  padding-bottom:1px;
+  padding-left: 10px;
+  padding-right: 10px;
+  padding-top: 3px;
+  padding-bottom: 1px;
   border-bottom: 1px solid #4a4a4a;
   min-height: 16.42857px;
   background-color: #427795;
-  color: #FFF; }
+  color: #FFF;
 
-.modal-header .close {
-  margin-top: -2px; }
+  .close {
+    margin-top: -2px;
+  }
+}
 
 .modal-title {
   margin: 0;
-  line-height: 1.428571429; }
+  line-height: 1.428571429;
+}
 
 .modal-body {
   position: relative;
   padding: 5px;
-  background-color: #FFF;}
-.modal-body .table-hover > tbody > tr:hover > td,
-.modal-body .table-hover > tbody > tr:hover > th {
-  background-color: #336480;
-  color: #FFF; }
+  background-color: #FFF;
+
+  .table-hover > tbody > tr:hover > {
+    td, th {
+      background-color: #336480;
+      color: #FFF;
+    }
+  }
+}
 
 .modal-footer {
   padding: 5px;
   text-align: right;
   background-color: #f0f0f0;
-  border-top: 1px solid inherit; }
-  .modal-footer:before, .modal-footer:after {
+  border-top: 1px solid inherit;
+
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
     content: " ";
-    display: table; }
-  .modal-footer:after {
-    clear: both; }
-  .modal-footer .btn + .btn {
+    display: table;
+    clear: both;
+  }
+
+  .btn + .btn {
     margin-left: 5px;
-    margin-bottom: 0; }
-  .modal-footer .btn-group .btn + .btn {
-    margin-left: -1px; }
-  .modal-footer .btn-block + .btn-block {
-    margin-left: 0; }
+    margin-bottom: 0;
+  }
+
+  .btn-group .btn + .btn {
+    margin-left: -1px;
+  }
+
+  .btn-block + .btn-block {
+    margin-left: 0;
+  }
+}
 
 .modal-scrollbar-measure {
   position: absolute;
   top: -9999px;
   width: 50px;
   height: 50px;
-  overflow: scroll; }
+  overflow: scroll;
+}
 
 @media (min-width: 768px) {
   .modal-dialog {
     width: 600px;
-    margin: 82px auto 30px auto; }
+    margin: 82px auto 30px auto;
+  }
 
   .modal-content {
     -webkit-box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
-    box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5); }
+    box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
+  }
 
   .modal-sm {
-    width: 300px; } }
+    width: 300px;
+  }
+}
+
 @media (min-width: 992px) {
   .modal-lg {
-    width: 900px; } }
+    width: 900px;
+  }
+}
+
 .tooltip {
   position: absolute;
   z-index: 1070;
@@ -5113,22 +8774,33 @@ button.close {
   font-size: 12px;
   line-height: 1.4;
   opacity: 0;
-  filter: alpha(opacity=0); }
-  .tooltip.in {
+  filter: alpha(opacity = 0);
+
+  &.in {
     opacity: 0.9;
-    filter: alpha(opacity=90); }
-  .tooltip.top {
+    filter: alpha(opacity = 90);
+  }
+
+  &.top {
     margin-top: -3px;
-    padding: 5px 0; }
-  .tooltip.right {
+    padding: 5px 0;
+  }
+
+  &.right {
     margin-left: 3px;
-    padding: 0 5px; }
-  .tooltip.bottom {
+    padding: 0 5px;
+  }
+
+  &.bottom {
     margin-top: 3px;
-    padding: 5px 0; }
-  .tooltip.left {
+    padding: 5px 0;
+  }
+
+  &.left {
     margin-left: -3px;
-    padding: 0 5px; }
+    padding: 0 5px;
+  }
+}
 
 .tooltip-inner {
   max-width: 200px;
@@ -5137,59 +8809,78 @@ button.close {
   text-align: center;
   text-decoration: none;
   background-color: #000;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 .tooltip-arrow {
   position: absolute;
   width: 0;
   height: 0;
   border-color: transparent;
-  border-style: solid; }
+  border-style: solid;
+}
 
-.tooltip.top .tooltip-arrow {
-  bottom: 0;
-  left: 50%;
-  margin-left: -5px;
-  border-width: 5px 5px 0;
-  border-top-color: #000; }
-.tooltip.top-left .tooltip-arrow {
-  bottom: 0;
-  left: 5px;
-  border-width: 5px 5px 0;
-  border-top-color: #000; }
-.tooltip.top-right .tooltip-arrow {
-  bottom: 0;
-  right: 5px;
-  border-width: 5px 5px 0;
-  border-top-color: #000; }
-.tooltip.right .tooltip-arrow {
-  top: 50%;
-  left: 0;
-  margin-top: -5px;
-  border-width: 5px 5px 5px 0;
-  border-right-color: #000; }
-.tooltip.left .tooltip-arrow {
-  top: 50%;
-  right: 0;
-  margin-top: -5px;
-  border-width: 5px 0 5px 5px;
-  border-left-color: #000; }
-.tooltip.bottom .tooltip-arrow {
-  top: 0;
-  left: 50%;
-  margin-left: -5px;
-  border-width: 0 5px 5px;
-  border-bottom-color: #000; }
-.tooltip.bottom-left .tooltip-arrow {
-  top: 0;
-  left: 5px;
-  border-width: 0 5px 5px;
-  border-bottom-color: #000; }
-.tooltip.bottom-right .tooltip-arrow {
-  top: 0;
-  right: 5px;
-  border-width: 0 5px 5px;
-  border-bottom-color: #000; }
+.tooltip {
+  &.top .tooltip-arrow {
+    bottom: 0;
+    left: 50%;
+    margin-left: -5px;
+    border-width: 5px 5px 0;
+    border-top-color: #000;
+  }
+
+  &.top-left .tooltip-arrow {
+    bottom: 0;
+    left: 5px;
+    border-width: 5px 5px 0;
+    border-top-color: #000;
+  }
+
+  &.top-right .tooltip-arrow {
+    bottom: 0;
+    right: 5px;
+    border-width: 5px 5px 0;
+    border-top-color: #000;
+  }
+
+  &.right .tooltip-arrow {
+    top: 50%;
+    left: 0;
+    margin-top: -5px;
+    border-width: 5px 5px 5px 0;
+    border-right-color: #000;
+  }
+
+  &.left .tooltip-arrow {
+    top: 50%;
+    right: 0;
+    margin-top: -5px;
+    border-width: 5px 0 5px 5px;
+    border-left-color: #000;
+  }
+
+  &.bottom .tooltip-arrow {
+    top: 0;
+    left: 50%;
+    margin-left: -5px;
+    border-width: 0 5px 5px;
+    border-bottom-color: #000;
+  }
+
+  &.bottom-left .tooltip-arrow {
+    top: 0;
+    left: 5px;
+    border-width: 0 5px 5px;
+    border-bottom-color: #000;
+  }
+
+  &.bottom-right .tooltip-arrow {
+    top: 0;
+    right: 5px;
+    border-width: 0 5px 5px;
+    border-bottom-color: #000;
+  }
+}
 
 .popover {
   position: absolute;
@@ -5203,19 +8894,28 @@ button.close {
   background-color: #fff;
   background-clip: padding-box;
   border: 1px solid #ccc;
-  border: 1px solid rgba(0, 0, 0, 0.30);
+  border: 1px solid rgba(0, 0, 0, 0.3);
   border-radius: 6px;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  white-space: normal; }
-  .popover.top {
-    margin-top: -10px; }
-  .popover.right {
-    margin-left: 10px; }
-  .popover.bottom {
-    margin-top: 10px; }
-  .popover.left {
-    margin-left: -10px; }
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  white-space: normal;
+
+  &.top {
+    margin-top: -10px;
+  }
+
+  &.right {
+    margin-left: 10px;
+  }
+
+  &.bottom {
+    margin-top: 10px;
+  }
+
+  &.left {
+    margin-left: -10px;
+  }
+}
 
 .popover-title {
   margin: 0;
@@ -5225,121 +8925,170 @@ button.close {
   line-height: 18px;
   background-color: #f7f7f7;
   border-bottom: 1px solid #ebebeb;
-  border-radius: 5px 5px 0 0; }
+  border-radius: 5px 5px 0 0;
+}
 
 .popover-content {
-  padding: 9px 14px; }
+  padding: 9px 14px;
+}
 
-.popover > .arrow, .popover > .arrow:after {
-  position: absolute;
-  display: block;
-  width: 0;
-  height: 0;
-  border-color: transparent;
-  border-style: solid; }
+.popover {
+  > .arrow {
+    position: absolute;
+    display: block;
+    width: 0;
+    height: 0;
+    border-color: transparent;
+    border-style: solid;
 
-.popover > .arrow {
-  border-width: 11px; }
+    &:after {
+      position: absolute;
+      display: block;
+      width: 0;
+      height: 0;
+      border-color: transparent;
+      border-style: solid;
+      border-width: 10px;
+      content: "";
+    }
 
-.popover > .arrow:after {
-  border-width: 10px;
-  content: ""; }
+    border-width: 11px;
+  }
 
-.popover.top > .arrow {
-  left: 50%;
-  margin-left: -11px;
-  border-bottom-width: 0;
-  border-top-color: #999999;
-  border-top-color: rgba(0, 0, 0, 0.25);
-  bottom: -11px; }
-  .popover.top > .arrow:after {
-    content: " ";
-    bottom: 1px;
-    margin-left: -10px;
+  &.top > .arrow {
+    left: 50%;
+    margin-left: -11px;
     border-bottom-width: 0;
-    border-top-color: #fff; }
-.popover.right > .arrow {
-  top: 50%;
-  left: -11px;
-  margin-top: -11px;
-  border-left-width: 0;
-  border-right-color: #999999;
-  border-right-color: rgba(0, 0, 0, 0.25); }
-  .popover.right > .arrow:after {
-    content: " ";
-    left: 1px;
-    bottom: -10px;
+    border-top-color: #999999;
+    border-top-color: rgba(0, 0, 0, 0.25);
+    bottom: -11px;
+
+    &:after {
+      content: " ";
+      bottom: 1px;
+      margin-left: -10px;
+      border-bottom-width: 0;
+      border-top-color: #fff;
+    }
+  }
+
+  &.right > .arrow {
+    top: 50%;
+    left: -11px;
+    margin-top: -11px;
     border-left-width: 0;
-    border-right-color: #fff; }
-.popover.bottom > .arrow {
-  left: 50%;
-  margin-left: -11px;
-  border-top-width: 0;
-  border-bottom-color: #999999;
-  border-bottom-color: rgba(0, 0, 0, 0.25);
-  top: -11px; }
-  .popover.bottom > .arrow:after {
-    content: " ";
-    top: 1px;
-    margin-left: -10px;
+    border-right-color: #999999;
+    border-right-color: rgba(0, 0, 0, 0.25);
+
+    &:after {
+      content: " ";
+      left: 1px;
+      bottom: -10px;
+      border-left-width: 0;
+      border-right-color: #fff;
+    }
+  }
+
+  &.bottom > .arrow {
+    left: 50%;
+    margin-left: -11px;
     border-top-width: 0;
-    border-bottom-color: #fff; }
-.popover.left > .arrow {
-  top: 50%;
-  right: -11px;
-  margin-top: -11px;
-  border-right-width: 0;
-  border-left-color: #999999;
-  border-left-color: rgba(0, 0, 0, 0.25); }
-  .popover.left > .arrow:after {
-    content: " ";
-    right: 1px;
+    border-bottom-color: #999999;
+    border-bottom-color: rgba(0, 0, 0, 0.25);
+    top: -11px;
+
+    &:after {
+      content: " ";
+      top: 1px;
+      margin-left: -10px;
+      border-top-width: 0;
+      border-bottom-color: #fff;
+    }
+  }
+
+  &.left > .arrow {
+    top: 50%;
+    right: -11px;
+    margin-top: -11px;
     border-right-width: 0;
-    border-left-color: #fff;
-    bottom: -10px; }
+    border-left-color: #999999;
+    border-left-color: rgba(0, 0, 0, 0.25);
+
+    &:after {
+      content: " ";
+      right: 1px;
+      border-right-width: 0;
+      border-left-color: #fff;
+      bottom: -10px;
+    }
+  }
+}
 
 .carousel {
-  position: relative; }
+  position: relative;
+}
 
 .carousel-inner {
   position: relative;
   overflow: hidden;
-  width: 100%; }
-  .carousel-inner > .item {
-    display: none;
-    position: relative;
-    -webkit-transition: 0.6s ease-in-out left;
-    -o-transition: 0.6s ease-in-out left;
-    transition: 0.6s ease-in-out left; }
-    .carousel-inner > .item > img,
-    .carousel-inner > .item > a > img {
+  width: 100%;
+
+  > {
+    .item {
+      display: none;
+      position: relative;
+      -webkit-transition: 0.6s ease-in-out left;
+      -o-transition: 0.6s ease-in-out left;
+      transition: 0.6s ease-in-out left;
+
+      > {
+        img, a > img {
+          display: block;
+          width: 100% \9;
+          max-width: 100%;
+          height: auto;
+          line-height: 1;
+        }
+      }
+    }
+
+    .active, .next, .prev {
       display: block;
-      width: 100% \9;
-      max-width: 100%;
-      height: auto;
-      line-height: 1; }
-  .carousel-inner > .active,
-  .carousel-inner > .next,
-  .carousel-inner > .prev {
-    display: block; }
-  .carousel-inner > .active {
-    left: 0; }
-  .carousel-inner > .next,
-  .carousel-inner > .prev {
-    position: absolute;
-    top: 0;
-    width: 100%; }
-  .carousel-inner > .next {
-    left: 100%; }
-  .carousel-inner > .prev {
-    left: -100%; }
-  .carousel-inner > .next.left,
-  .carousel-inner > .prev.right {
-    left: 0; }
-  .carousel-inner > .active.left {
-    left: -100%; }
-  .carousel-inner > .active.right {
-    left: 100%; }
+    }
+
+    .active {
+      left: 0;
+    }
+
+    .next, .prev {
+      position: absolute;
+      top: 0;
+      width: 100%;
+    }
+
+    .next {
+      left: 100%;
+    }
+
+    .prev {
+      left: -100%;
+    }
+
+    .next.left, .prev.right {
+      left: 0;
+    }
+
+    .active {
+      &.left {
+        left: -100%;
+      }
+
+      &.right {
+        left: 100%;
+      }
+    }
+  }
+}
 
 .carousel-control {
   position: absolute;
@@ -5348,57 +9097,70 @@ button.close {
   bottom: 0;
   width: 15%;
   opacity: 0.5;
-  filter: alpha(opacity=50);
+  filter: alpha(opacity = 50);
   font-size: 20px;
   color: #fff;
   text-align: center;
-  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
-  .carousel-control.left {
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
+
+  &.left {
     background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-image: linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-repeat: repeat-x;
-    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1); }
-  .carousel-control.right {
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);
+  }
+
+  &.right {
     left: auto;
     right: 0;
     background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-image: linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-repeat: repeat-x;
-    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1); }
-  .carousel-control:hover, .carousel-control:focus {
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);
+  }
+
+  &:hover, &:focus {
     outline: 0;
     color: #fff;
     text-decoration: none;
     opacity: 0.9;
-    filter: alpha(opacity=90); }
-  .carousel-control .icon-prev,
-  .carousel-control .icon-next,
-  .carousel-control .glyphicon-chevron-left,
-  .carousel-control .glyphicon-chevron-right {
+    filter: alpha(opacity = 90);
+  }
+
+  .icon-prev, .icon-next, .glyphicon-chevron-left, .glyphicon-chevron-right {
     position: absolute;
     top: 50%;
     z-index: 5;
-    display: inline-block; }
-  .carousel-control .icon-prev,
-  .carousel-control .glyphicon-chevron-left {
+    display: inline-block;
+  }
+
+  .icon-prev, .glyphicon-chevron-left {
     left: 50%;
-    margin-left: -10px; }
-  .carousel-control .icon-next,
-  .carousel-control .glyphicon-chevron-right {
+    margin-left: -10px;
+  }
+
+  .icon-next, .glyphicon-chevron-right {
     right: 50%;
-    margin-right: -10px; }
-  .carousel-control .icon-prev,
-  .carousel-control .icon-next {
+    margin-right: -10px;
+  }
+
+  .icon-prev, .icon-next {
     width: 20px;
     height: 20px;
     margin-top: -10px;
-    font-family: serif; }
-  .carousel-control .icon-prev:before {
-    content: '\2039'; }
-  .carousel-control .icon-next:before {
-    content: '\203a'; }
+    font-family: serif;
+  }
+
+  .icon-prev:before {
+    content: '\2039';
+  }
+
+  .icon-next:before {
+    content: '\203a';
+  }
+}
 
 .carousel-indicators {
   position: absolute;
@@ -5409,8 +9171,9 @@ button.close {
   margin-left: -30%;
   padding-left: 0;
   list-style: none;
-  text-align: center; }
-  .carousel-indicators li {
+  text-align: center;
+
+  li {
     display: inline-block;
     width: 10px;
     height: 10px;
@@ -5420,12 +9183,16 @@ button.close {
     border-radius: 10px;
     cursor: pointer;
     background-color: #000 \9;
-    background-color: transparent; }
-  .carousel-indicators .active {
+    background-color: transparent;
+  }
+
+  .active {
     margin: 0;
     width: 12px;
     height: 12px;
-    background-color: #fff; }
+    background-color: #fff;
+  }
+}
 
 .carousel-caption {
   position: absolute;
@@ -5437,255 +9204,330 @@ button.close {
   padding-bottom: 20px;
   color: #fff;
   text-align: center;
-  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
-  .carousel-caption .btn {
-    text-shadow: none; }
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
+
+  .btn {
+    text-shadow: none;
+  }
+}
 
 @media screen and (min-width: 768px) {
-  .carousel-control .glyphicon-chevron-left,
-  .carousel-control .glyphicon-chevron-right,
-  .carousel-control .icon-prev,
-  .carousel-control .icon-next {
-    width: 30px;
-    height: 30px;
-    margin-top: -15px;
-    font-size: 30px; }
-  .carousel-control .glyphicon-chevron-left,
-  .carousel-control .icon-prev {
-    margin-left: -15px; }
-  .carousel-control .glyphicon-chevron-right,
-  .carousel-control .icon-next {
-    margin-right: -15px; }
+  .carousel-control {
+    .glyphicon-chevron-left, .glyphicon-chevron-right, .icon-prev, .icon-next {
+      width: 30px;
+      height: 30px;
+      margin-top: -15px;
+      font-size: 30px;
+    }
+
+    .glyphicon-chevron-left, .icon-prev {
+      margin-left: -15px;
+    }
+
+    .glyphicon-chevron-right, .icon-next {
+      margin-right: -15px;
+    }
+  }
 
   .carousel-caption {
     left: 20%;
     right: 20%;
-    padding-bottom: 30px; }
+    padding-bottom: 30px;
+  }
 
   .carousel-indicators {
-    bottom: 20px; } }
+    bottom: 20px;
+  }
+}
+
 .clearfix:before, .content-box:before, .clearfix:after, .content-box:after {
   content: " ";
-  display: table; }
+  display: table;
+}
+
 .clearfix:after, .content-box:after {
-  clear: both; }
+  clear: both;
+}
 
 .center-block {
   display: block;
   margin-left: auto;
-  margin-right: auto; }
+  margin-right: auto;
+}
 
 .pull-right {
   float: right !important;
-  margin-top: 0px;}
+  margin-top: 0px;
+}
 
 .pull-left {
   float: left !important;
-  margin-top: 0px;}
+  margin-top: 0px;
+}
 
 .hide {
-  display: none !important; }
+  display: none !important;
+}
 
 .show {
   display: block !important;
-  color:#757575;}
+  color: #757575;
+}
 
 .invisible {
-  visibility: hidden; }
+  visibility: hidden;
+}
 
 .text-hide {
   font: 0/0 a;
   color: transparent;
   text-shadow: none;
   background-color: transparent;
-  border: 0; }
+  border: 0;
+}
 
 .hidden {
   display: none !important;
-  visibility: hidden !important; }
+  visibility: hidden !important;
+}
 
 .affix {
   position: fixed;
   -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0); }
+  transform: translate3d(0, 0, 0);
+}
 
 @-ms-viewport {
-  width: device-width; }
-.visible-xs, .visible-sm, .visible-md, .visible-lg {
-  display: none !important; }
-
-.visible-xs-block,
-.visible-xs-inline,
-.visible-xs-inline-block,
-.visible-sm-block,
-.visible-sm-inline,
-.visible-sm-inline-block,
-.visible-md-block,
-.visible-md-inline,
-.visible-md-inline-block,
-.visible-lg-block,
-.visible-lg-inline,
-.visible-lg-inline-block {
-  display: none !important; }
+  width: device-width;
+}
+
+.visible-xs, .visible-sm, .visible-md, .visible-lg, .visible-xs-block, .visible-xs-inline, .visible-xs-inline-block, .visible-sm-block, .visible-sm-inline, .visible-sm-inline-block, .visible-md-block, .visible-md-inline, .visible-md-inline-block, .visible-lg-block, .visible-lg-inline, .visible-lg-inline-block, .visible-print, .visible-print-block, .visible-print-inline, .visible-print-inline-block {
+  display: none !important;
+}
 
 @media (max-width: 767px) {
   .visible-xs {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-xs {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-xs {
-    display: table-row !important; }
+    display: table-row !important;
+  }
+
+  th.visible-xs, td.visible-xs {
+    display: table-cell !important;
+  }
+}
 
-  th.visible-xs,
-  td.visible-xs {
-    display: table-cell !important; } }
 @media (max-width: 767px) {
   .visible-xs-block {
-    display: block !important; } }
+    display: block !important;
+  }
+}
 
 @media (max-width: 767px) {
   .visible-xs-inline {
-    display: inline !important; } }
+    display: inline !important;
+  }
+}
 
 @media (max-width: 767px) {
   .visible-xs-inline-block {
-    display: inline-block !important; } }
+    display: inline-block !important;
+  }
+}
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-sm {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-sm {
-    display: table-row !important; }
+    display: table-row !important;
+  }
+
+  th.visible-sm, td.visible-sm {
+    display: table-cell !important;
+  }
+}
 
-  th.visible-sm,
-  td.visible-sm {
-    display: table-cell !important; } }
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-block {
-    display: block !important; } }
+    display: block !important;
+  }
+}
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-inline {
-    display: inline !important; } }
+    display: inline !important;
+  }
+}
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-inline-block {
-    display: inline-block !important; } }
+    display: inline-block !important;
+  }
+}
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-md {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-md {
-    display: table-row !important; }
+    display: table-row !important;
+  }
+
+  th.visible-md, td.visible-md {
+    display: table-cell !important;
+  }
+}
 
-  th.visible-md,
-  td.visible-md {
-    display: table-cell !important; } }
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-block {
-    display: block !important; } }
+    display: block !important;
+  }
+}
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-inline {
-    display: inline !important; } }
+    display: inline !important;
+  }
+}
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-inline-block {
-    display: inline-block !important; } }
+    display: inline-block !important;
+  }
+}
 
 @media (min-width: 1200px) {
   .visible-lg {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-lg {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-lg {
-    display: table-row !important; }
+    display: table-row !important;
+  }
+
+  th.visible-lg, td.visible-lg {
+    display: table-cell !important;
+  }
+}
 
-  th.visible-lg,
-  td.visible-lg {
-    display: table-cell !important; } }
 @media (min-width: 1200px) {
   .visible-lg-block {
-    display: block !important; } }
+    display: block !important;
+  }
+}
 
 @media (min-width: 1200px) {
   .visible-lg-inline {
-    display: inline !important; } }
+    display: inline !important;
+  }
+}
 
 @media (min-width: 1200px) {
   .visible-lg-inline-block {
-    display: inline-block !important; } }
+    display: inline-block !important;
+  }
+}
 
 @media (max-width: 767px) {
   .hidden-xs, .page-side {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 @media (min-width: 768px) and (max-width: 991px) {
   .hidden-sm {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 /* COLLAPSE SIDEBAR @media*/
 @media (max-width: 768px), (max-height: 669px) {
   .toggle-sidebar {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 /* COLLAPSE SIDEBAR @media END*/
 @media (min-width: 992px) and (max-width: 1199px) {
   .hidden-md {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 @media (min-width: 1200px) {
   .hidden-lg {
-    display: none !important; } }
-.visible-print {
-  display: none !important; }
+    display: none !important;
+  }
+}
 
 @media print {
   .visible-print {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-print {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-print {
-    display: table-row !important; }
-
-  th.visible-print,
-  td.visible-print {
-    display: table-cell !important; } }
-.visible-print-block {
-  display: none !important; }
-  @media print {
-    .visible-print-block {
-      display: block !important; } }
-
-.visible-print-inline {
-  display: none !important; }
-  @media print {
-    .visible-print-inline {
-      display: inline !important; } }
-
-.visible-print-inline-block {
-  display: none !important; }
-  @media print {
-    .visible-print-inline-block {
-      display: inline-block !important; } }
+    display: table-row !important;
+  }
+
+  th.visible-print, td.visible-print {
+    display: table-cell !important;
+  }
+}
+
+@media print {
+  .visible-print-block {
+    display: block !important;
+  }
+}
+
+@media print {
+  .visible-print-inline {
+    display: inline !important;
+  }
+}
+
+@media print {
+  .visible-print-inline-block {
+    display: inline-block !important;
+  }
+}
 
 @media print {
   .hidden-print {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 * {
-  -webkit-font-smoothing: antialiased; }
+  -webkit-font-smoothing: antialiased;
+}
 
-html, body {
+html {
   height: 100%;
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
@@ -5694,12 +9536,18 @@ html, body {
 }
 
 body {
+  height: 100%;
+  font-family: 'SourceSansProRegular';
+  scrollbar-width: thin;
+  scrollbar-color: #315a71 #e3e3e3;
+  background-color: #fff;
   touch-action: manipulation;
   min-width: 320px;
 }
 
 .widget-sort-handle {
-  touch-action: none; }
+  touch-action: none;
+}
 
 .page-head {
   top: 0;
@@ -5707,7 +9555,7 @@ body {
   position: fixed;
   width: 100%;
   z-index: 2;
-  background-color:#172c38;
+  background-color: #172c38;
   border-bottom: 1px solid #171717;
 }
 
@@ -5715,38 +9563,55 @@ body {
   height: calc(100% - 52px);
   padding-top: 52px;
   position: relative;
-  z-index: 1; }
-  .page-content > .row {
-    height: 100%; }
-.page-content-head .container-fluid {
-  background-color: #FBFBFB;
-  margin-left: 20px;
-  margin-right: 20px;
-  border: 1px solid #b0b0b0;
-  border-radius: 3px;
-  min-height: 51px;
-  height:auto;
-  padding: 8px 20px 7px 20px;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
-
-.page-content-head, .content-box-head {
-  padding-bottom: 10px;
-  padding-top: 17px;
-  color:#000;}
-  .page-content-head .navbar-nav, .content-box-head .navbar-nav {
-    width: 100%; }
-  .page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
-	line-height: inherit;
-    margin: 0; }
+  z-index: 1;
+
+  > .row {
+    height: 100%;
+  }
+}
+
+.page-content-head {
+  .container-fluid {
+    background-color: #FBFBFB;
+    margin-left: 20px;
+    margin-right: 20px;
+    border: 1px solid #b0b0b0;
+    border-radius: 0px;
+    min-height: 47px;
+    height: auto;
+    padding: 6px 14px 5px 14px;
+    -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  }
+
+  padding-bottom: 2px;
+  padding-top: 10px;
+  color: #000;
+}
+
+.content-box-head {
+  padding-bottom: 2px;
+  padding-top: 10px;
+  color: #000;
+}
+
+.page-content-head .navbar-nav, .content-box-head .navbar-nav {
+  width: 100%;
+}
+
+.page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
+  line-height: inherit;
+  margin: 0;
+}
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 15px 0 21px; }
+  padding: 9px 0px 21px 0px;
+}
 
 .page-side {
   background: #172c38;
-  border:none;
+  border: none;
   height: 100% !important;
   height: calc(100% - 52px) !important;
   left: 0;
@@ -5754,11 +9619,13 @@ body {
   margin-top: 52px;
   position: fixed;
   top: 0;
-  z-index: 3; }
+  z-index: 3;
+}
 
 .page-side-nav--active {
   background: #F7F7F7;
-  border-left: 3px solid #FF8B00; }
+  border-left: 3px solid #FF8B00;
+}
 
 .page-foot {
   bottom: 0;
@@ -5769,7 +9636,7 @@ body {
   position: fixed;
   height: 20px;
   background: #172c38;
-  color:#FFF;
+  color: #FFF;
   border-top: 1px solid #162b36;
 }
 
@@ -5778,386 +9645,564 @@ body {
   margin: 0px 0px;
   background: none;
   border: 1px solid #b0b0b0;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
-.content-box hr {
-	border:none; }
-  .content-box-main {
-    padding-bottom: 15px;
-    padding-top: 15px; }
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  hr {
+    border: none;
+  }
+}
+
+.content-box-main {
+  padding-bottom: 15px;
+  padding-top: 15px;
+}
+
 .tab-content {
-   padding: 0px 0px;
-   margin: 0px 0px; }
-  .tab-content > .tab-content {
-    padding: 0 15px; }
-  .tab-content .tab-content:last-child {
-    margin-bottom: 0; }
+  padding: 0px 0px;
+  margin: 0px 0px;
+
+  > .tab-content {
+    padding: 0 15px;
+  }
+
+  .tab-content:last-child {
+    margin-bottom: 0;
+  }
+}
 
 .page-content-main section[class^="col-"] + section[class^="col-"] {
-  padding-top: 20px; }
+  padding-top: 20px;
+}
 
 .brand-logo {
-  display: none; }
-  @media (min-width: 768px) {
-    .brand-logo {
-      display: inline-block; } }
+  display: none;
+}
+
+@media (min-width: 768px) {
+  .brand-logo {
+    display: inline-block;
+  }
+}
 
 .brand-icon {
-  display: inline-block; }
-  @media (min-width: 768px) {
-    .brand-icon {
-      display: none; } }
+  display: inline-block;
+}
+
+@media (min-width: 768px) {
+  .brand-icon {
+    display: none;
+  }
+}
 
 @media (min-width: 768px) {
   .col-sm-disable-spacer {
-    padding-top: 0 !important; } }
+    padding-top: 0 !important;
+  }
+}
 
 @media (min-width: 992px) {
   .col-md-disable-spacer {
-    padding-top: 0 !important; } }
+    padding-top: 0 !important;
+  }
+}
 
 @media (min-width: 1200px) {
   .col-lg-disable-spacer {
-    padding-top: 0 !important; } }
+    padding-top: 0 !important;
+  }
+}
 
 .page-login {
-  background: #172c38; }
-  .page-login .container {
+  background: #172c38;
+
+  .container {
     min-height: 100%;
-    margin-bottom: -60px; }
-    .page-login .container:after {
-      height: 60px; }
-.page-login .login-foot {color:#FFF;}
+    margin-bottom: -60px;
+
+    &:after {
+      height: 60px;
+    }
+  }
+
+  .login-foot {
+    color: #FFF;
+  }
+}
 
 .login-foot {
-  font-size: 12px; }
+  font-size: 12px;
+}
 
 .login-modal-container {
-  color:#FFF;
+  color: #FFF;
   border: 1px solid #fff;
   max-width: 400px;
-  margin: 100px auto 15px auto; }
+  margin: 100px auto 15px auto;
+}
+
 .login-modal-head {
   height: 75px;
-  padding: 0 20px; }
+  padding: 0 20px;
+}
+
 .login-modal-content {
-  padding: 20px 20px 20px 20px; }
+  padding: 20px 20px 20px 20px;
+}
+
 .login-modal-foot {
   border-top: 1px solid #E5E5E5;
   height: 60px;
-  padding: 20px 20px 0 20px; }
-  .login-modal-foot a {
+  padding: 20px 20px 0 20px;
+
+  a {
     color: #7D7D7D;
-    text-decoration: none; }
-    .login-modal-foot a:hover {
+    text-decoration: none;
+
+    &:hover {
       color: #646464;
-      text-decoration: underline; }
+      text-decoration: underline;
+    }
+  }
+}
 
 @media (min-width: 768px) {
   .list-inline .btn-group-container {
-    float: right;} }
+    float: right;
+  }
+}
 
 .btn.btn-fixed {
   max-width: 174px;
-  width: 100%; }
+  width: 100%;
+}
 
 .progress-bar-placeholder {
   font-size: 12px;
   position: absolute;
   text-align: center;
   width: 100%;
-  z-index: 1; }
+  z-index: 1;
+}
 
 /* BOOTSTRAP EDIT */
+
 .list-group-item {
   border-left: none;
-  border-right: none; }
-  .list-group-item.collapsed .caret {
+  border-right: none;
+
+  &.collapsed .caret {
     border-bottom: 4px solid green;
-    border-top: 0; }
+    border-top: 0;
+  }
+}
+
 /* BOOTSTRAP EDIT END */
 
 /* COLLAPSE SIDEBAR */
+
 main.page-content.col-lg-12 {
   padding-left: 90px;
 }
 
 #navigation.col-sidebar-left {
-  width:70px;
+  width: 70px;
   background-color: transparent !important;
   overflow: hidden;
-}
-
-#navigation.col-sidebar-left > div.row {
-  height:100% !important;
-}
-
-#navigation.col-sidebar-left > div.row > nav.page-side-nav {
-  width:70px;
-  background-color:#172c38 !important;
-  height:100% !important;
-  border-right: 1px solid #162b36;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
-  font-size:14px;
-  text-align:center;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.fa,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.glyphicon {
-  visibility: visible;
-  font-size:20px;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.__iconspacer {
-  width:50px;
-  height:25px;
-  padding:0px;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
-  width: 70px;
-  height: 70px;
-  padding-left: 0px;
-  padding-right: 0px;
-  padding-top:15px;
-  border-bottom:2px solid #1b313e;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing > a.list-group-item {
-  padding-left: 10px !important;
-  font-size: 14px !important;
-  display: block !important;
-  position: absolute !important;
-  left: 70px !important;
-}
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing > a.list-group-item {
-  padding-left: 10px !important;
-  font-size: 14px !important;
-  display: block !important;
-  position: absolute !important;
-  left: 166px !important;
+  > div {
+    &.row {
+      height: 100% !important;
+
+      > nav.page-side-nav {
+        width: 70px;
+        background-color: #172c38 !important;
+        height: 100% !important;
+        border-right: 1px solid #162b36;
+      }
+    }
+
+    > nav > #mainmenu > div > {
+      a.list-group-item {
+        font-size: 14px;
+        text-align: center;
+
+        > span {
+          &.fa, &.glyphicon {
+            visibility: visible;
+            font-size: 20px;
+          }
+
+          &.__iconspacer {
+            width: 50px;
+            height: 25px;
+            padding: 0px;
+          }
+        }
+
+        width: 70px;
+        height: 70px;
+        padding-left: 0px;
+        padding-right: 0px;
+        padding-top: 15px;
+        border-bottom: 2px solid #1b313e;
+      }
+
+      div {
+        &.collapsing > a.list-group-item {
+          padding-left: 10px !important;
+          font-size: 14px !important;
+          display: block !important;
+          position: absolute !important;
+          left: 70px !important;
+        }
+
+        &.collapse.in > div.collapsing > a.list-group-item {
+          padding-left: 10px !important;
+          font-size: 14px !important;
+          display: block !important;
+          position: absolute !important;
+          left: 166px !important;
+        }
+      }
+
+      a.list-group-item.active-menu-title {
+        color: #000 !important;
+        background-color: #FFF !important;
+      }
+    }
+  }
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item.active-menu-title, a.list-group-item.active-menu-title.collapsed,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item[aria-expanded="true"],
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item[aria-expanded="true"],
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item.menu-level-3-item.active {
+a.list-group-item.active-menu-title.collapsed {
   color: #000 !important;
   background-color: #FFF !important;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
-  padding-left: 10px !important;
-  font-size: 14px !important;
-  background-color: #294c5f !important;
-  opacity: 0.98;
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > {
+  a.list-group-item[aria-expanded="true"] {
+    color: #000 !important;
+    background-color: #FFF !important;
+  }
+
+  div {
+    &.collapse {
+      &.in {
+        > {
+          a.list-group-item[aria-expanded="true"], div.collapse.in > a.list-group-item.menu-level-3-item.active {
+            color: #000 !important;
+            background-color: #FFF !important;
+          }
+        }
+
+        > div.collapse.in > a.list-group-item {
+          padding-left: 10px !important;
+          font-size: 14px !important;
+          background-color: #294c5f !important;
+          opacity: 0.98;
+        }
+      }
+
+      > a.list-group-item {
+        padding-left: 10px !important;
+        font-size: 14px !important;
+        background-color: #294c5f !important;
+        opacity: 0.98;
+      }
+
+      > div.collapse > a.list-group-item {
+        padding-left: 10px !important;
+        font-size: 14px !important;
+      }
+    }
+
+    &.collapsed > a.list-group-item {
+      padding-left: 10px !important;
+      font-size: 14px !important;
+    }
+
+    &.collapse {
+      > {
+        a.list-group-item, div.collapse > a.list-group-item {
+          padding: 3px 8px !important;
+        }
+      }
+
+      &.in > div.collapse.in > a.list-group-item:hover {
+        text-decoration: none !important;
+        color: #000 !important;
+        background-color: #FFF !important;
+      }
+    }
+  }
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsed > a.list-group-item {
-  padding-left: 10px !important;
-  font-size: 14px !important;
+a.list-group-item:focus {
+  text-decoration: none !important;
+  color: #000 !important;
+  background-color: #FFF !important;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item {
-  padding: 3px 8px !important;
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item {
+  &.active-menu-title, &:hover {
+    color: #000 !important;
+    background-color: #FFF !important;
+  }
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus {
-  text-decoration: none !important;
+a.list-group-item:focus {
   color: #000 !important;
   background-color: #FFF !important;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.active-menu-title,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.collapsed:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.active-menu.collapse.in >a.list-group-item.active {
-  color: #000 !important;
-  background-color: #FFF !important;
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div {
+  &.collapse.in > a.list-group-item {
+    &.collapsed:focus, &:focus {
+      color: #000 !important;
+      background-color: #FFF !important;
+    }
+  }
+
+  &.active-menu.collapse.in > a.list-group-item.active {
+    color: #000 !important;
+    background-color: #FFF !important;
+  }
+
+  &.collapse.in {
+    width: 168px;
+    font-size: 14px;
+    z-index: 10;
+    position: absolute;
+    left: 70px;
+    margin-top: -70px;
+    border: 1px solid #1f3a4a;
+    -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+    -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+    box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+
+    > div.collapse.in {
+      width: 168px;
+      font-size: 14px;
+      z-index: 10;
+      position: absolute;
+      left: 166px;
+      margin-top: -26px;
+      border: 1px solid #1f3a4a;
+      -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+      -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+      box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+    }
+  }
+
+  &.collapsing, &.collapse.in > div.collapsing {
+    display: none;
+  }
 }
 
 /* Sub Level One */
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in {
-  width:168px;
-  font-size:14px;
-  z-index: 10;
-  position: absolute;
-  left: 70px;
-  margin-top:-70px;
-  border:1px solid #1f3a4a;
-  -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-  -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-  box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-}
 
 /* Sub Level Two */
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in {
-  width:168px;
-  font-size:14px;
-  z-index: 10;
-  position: absolute;
-  left: 166px;
-  margin-top:-26px;
-  border:1px solid #1f3a4a;
-  -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-  -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-  box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing {
-  display:none;
-}
 
 button.toggle-sidebar {
-  color:#FFF;
-  background-color:transparent;
-  font-size:14px;
-  border:none;
+  color: #FFF;
+  background-color: transparent;
+  font-size: 14px;
+  border: none;
   margin-top: 18px;
-  float:left;
-  outline:none;
+  float: left;
+  outline: none;
 }
 
 /* COLLAPSE SIDEBAR END*/
 
 #navigation.collapse.in {
-  display: block !important; }
+  display: block !important;
+}
 
-.list-group-submenu .list-group-item:last-child,
-.collapse .list-group-item:last-child {
-  border-bottom: none; }
+.list-group-submenu .list-group-item:last-child, .collapse .list-group-item:last-child {
+  border-bottom: none;
+}
 
-.dropdown-menu > li > a,
-.dropdown-header {
-  padding: 3px 10px; }
+.dropdown-menu > li > a, .dropdown-header {
+  padding: 3px 10px;
+}
 
-.nav-tabs > li {
-  border-radius: 0px;
-  border-top-right-radius: 10px;
-  margin-right: 2px; }
+.nav-tabs {
+  > {
+    li {
+      border-radius: 0px;
+      border-top-right-radius: 10px;
+      margin-right: 2px;
+
+      > a {
+        border-radius: 0px;
+        border-top-right-radius: 10px;
+        margin-right: 0px;
+        -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+        -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+        box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+      }
+    }
+
+    .dropdown > a {
+      -webkit-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
+      -moz-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
+      box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
+
+      &.pull-right {
+        -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+        -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+        box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+      }
+    }
+
+    li {
+      > a {
+        outline: 0;
+
+        &:hover, &:focus {
+          outline: 0;
+        }
+      }
+
+      &.active > a {
+        background: #315a71 !important;
+        outline: 0;
+      }
+
+      > a.visible-lg-inline-block {
+        &:not(.pull-right) {
+          border-top-right-radius: 0px !important;
+          padding-left: 10px !important;
+          padding-right: 5px !important;
+        }
+
+        &.pull-right {
+          border-left: 0px !important;
+          padding-left: 5px !important;
+          padding-right: 10px !important;
+        }
+      }
+    }
+  }
+
+  &.nav-justified {
+    border-right: 1px solid #656565;
+
+    > li {
+      border-bottom: 1px solid #656565;
+      border-top: 1px solid #656565;
+      border-left: 1px solid #656565;
+      border-radius: 0px;
+      background: #818180;
+
+      > a {
+        color: #FFFFFF;
+        font-family: 'SourceSansProSemibold';
+      }
+    }
+  }
+}
 
-.nav-tabs > li > a {
-  border-radius: 0px;
-  border-top-right-radius: 10px;
-  margin-right: 0px;
-  -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60); }
-
-.nav-tabs > .dropdown > a {
-  -webkit-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  -moz-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60); }
-
-.nav-tabs > .dropdown > a.pull-right {
-  -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60); }
-
-.nav-tabs > li > a,
-.nav-tabs > li > a:hover,
-.nav-tabs > li > a:focus {
- outline:0; }
-
-.nav-tabs > li.active > a {
-  background: #315a71 !important;
-  outline:0; }
-
-.nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
-  border-top-right-radius: 0px !important;
-  padding-left: 10px !important;
-  padding-right: 5px !important; }
-
-.nav-tabs > li > a.visible-lg-inline-block.pull-right {
-  border-left: 0px !important;
-  padding-left: 5px !important;
-  padding-right: 10px !important; }
+@media (min-width: 768px) {
+  .nav-tabs.nav-justified > li > a {
+    border-bottom: 1px solid transparent;
+  }
+}
 
-.nav-tabs.nav-justified {
-  border-right: 1px solid #656565; }
-  .nav-tabs.nav-justified > li {
-    border-bottom: 1px solid #656565;
-    border-top: 1px solid #656565;
-    border-left: 1px solid #656565;
-    border-radius: 0px;
-    background: #818180; }
-    .nav-tabs.nav-justified > li > a {
-      color: #FFFFFF;
-      font-family: 'SourceSansProSemibold'; }
-      @media (min-width: 768px) {
-        .nav-tabs.nav-justified > li > a {
-          border-bottom: 1px solid transparent; } }
-  @media (max-width: 767px) {
-    .nav-tabs.nav-justified > li.active > a {
-      border-right: 0 !important; } }
+@media (max-width: 767px) {
+  .nav-tabs.nav-justified > li.active > a {
+    border-right: 0 !important;
+  }
+}
 
 @media (min-width: 768px) {
   > li.active + li > a {
-    border-left: 1px solid transparent; } }
+    border-left: 1px solid transparent;
+  }
+}
 
 > li:last-child > a {
-  border-right: 1px solid transparent !important; }
-  @media (max-width: 767px) {
-    > li:last-child > a {
-      margin-bottom: 0; } }
+  border-right: 1px solid transparent !important;
+}
+
+@media (max-width: 767px) {
+  > li:last-child > a {
+    margin-bottom: 0;
+  }
+}
 
 .btn .glyphicon {
-  vertical-align: -1px; }
-.table { width:100%; }
+  vertical-align: -1px;
+}
+
 .table {
-  margin-bottom: 0px !important; }
+  width: 100%;
+  margin-bottom: 0px !important;
+}
 
-.nav-tabs-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus {
-  border: 0px !important; }
+.nav-tabs-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus {
+  border: 0px !important;
+}
 
 .table th, strong, b {
   font-family: 'SourceSansProSemibold';
-  font-weight: normal; }
+  font-weight: normal;
+}
 
 .table > tbody > tr > td:last-child {
-padding-right: 15px; }
+  padding-right: 15px;
+}
 
 /* helpers */
+
 .__nowrap {
-  white-space: nowrap; }
+  white-space: nowrap;
+}
 
 .__nomb {
-  margin-bottom: 0; }
+  margin-bottom: 0;
+}
 
 .__mb {
-  margin-bottom: 15px; }
+  margin-bottom: 15px;
+}
 
 .__mt {
-  margin-top: 15px; }
+  margin-top: 15px;
+}
 
 .__ml {
-  margin-left: 15px; }
+  margin-left: 15px;
+}
 
 .__mr {
-  margin-right: 15px; }
+  margin-right: 15px;
+}
 
 .__iconspacer {
-  padding-right: 10px; }
+  padding-right: 10px;
+}
 
 #mainmenu .glyphicon {
-  vertical-align: -2px; }
+  vertical-align: -2px;
+}
 
 .list-group-item {
   overflow: hidden;
-  text-overflow: ellipsis; }
-  .list-group-item + div.collapse {
-    margin-bottom: -1px; }
-  .list-group-item + div > a {
-    padding-left: 44px; }
-  .list-group-item:before {
+  text-overflow: ellipsis;
+
+  + div {
+    &.collapse {
+      margin-bottom: -1px;
+    }
+
+    > a {
+      padding-left: 44px;
+    }
+  }
+
+  &:before {
     background: #FF8B00;
     content: "";
     height: 42px;
@@ -6169,32 +10214,51 @@ padding-right: 15px; }
     -webkit-transition: width .2s;
     -moz-transition: width .2s;
     -o-transition: width .2s;
-    transition: width .2s; }
+    transition: width .2s;
+  }
+}
 
 .list-group-submenu a {
-  padding-left: 56px; }
+  padding-left: 56px;
+}
 
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #30596F; }
-  .active-menu-title:before, .active-menu a:before {
-    width: 3px; }
-  .active-menu-title.active, .active-menu a.active {
-	background-color: #fff;
-	color: #000; }
+  background-color: #30596F;
+}
+
+.active-menu-title:before, .active-menu a:before {
+  width: 3px;
+}
+
+.active-menu-title.active {
+  background-color: #fff;
+  color: #000;
+}
 
-.active-menu a:before {
-  background: #FF8B00; }
+.active-menu a {
+  &.active {
+    background-color: #fff;
+    color: #000;
+  }
+
+  &:before {
+    background: #FF8B00;
+  }
+}
 
 .alert.alert-danger {
-  color: #FFF !important; }
+  color: #FFF !important;
+}
 
-.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-  border-radius: 0 !important; }
+.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+  border-radius: 0 !important;
+}
 
 .navbar-brand {
-  padding: 10px 20px; }
+  padding: 10px 20px;
+}
 
 .label-opnsense {
   /* emulates btn */
@@ -6203,41 +10267,50 @@ padding-right: 15px; }
   font-size: 12px;
   line-height: 1.5;
   border-radius: 3px;
-  border-color: #323232;}
+  border-color: #323232;
+}
 
 .label-opnsense-sm {
   /* emulates btn-sm */
   padding: 6px 11px;
-  border-color: #323232;}
+  border-color: #323232;
+}
 
 .label-opnsense-xs {
   /* emulates btn-xs */
   padding: 2px 5px;
-  border-color: #323232;}
+  border-color: #323232;
+}
 
 ::-webkit-scrollbar {
-  width: 8px; }
+  width: 8px;
+}
 
 ::-webkit-scrollbar-button {
   width: 8px;
-  height: 0px; }
+  height: 0px;
+}
 
 ::-webkit-scrollbar-track {
   background: #e3e3e3;
   box-shadow: 0px 0px 0px;
-  border-radius: 0; }
+  border-radius: 0;
+}
 
 ::-webkit-scrollbar-thumb {
   background: #315a71;
   border: thin solid #e5e5e5;
-  border-radius: 0px; }
+  border-radius: 0px;
 
-::-webkit-scrollbar-thumb:hover {
-  background: #ec6d12; }
+  &:hover {
+    background: #ec6d12;
+  }
+}
 
 .widgetdiv {
   padding-top: 0px !important;
-  padding-bottom: 20px; }
+  padding-bottom: 20px;
+}
 
 select {
   overflow: hidden;
@@ -6250,63 +10323,94 @@ select {
   cursor: pointer;
   background-repeat: no-repeat;
   background-position: right;
-  background-image: url(/ui/themes/tukan/build/images/caret.png) !important; }
+  background-image: url(/ui/themes/tukan/build/images/caret.png) !important;
 
-select:hover, select:active, select:focus {
-  overflow: hidden;
-  border: 1px solid #1d1d1d;
-  background-color: #336480;
-  color: #FFF;
-  -webkit-appearance: none;
-  -moz-appearance: none;
-  appearance: none;
-  cursor: pointer;
-  background-repeat: no-repeat;
-  background-position: right;
-  background-image: url(/ui/themes/tukan/build/images/caret.png) !important; }
+  &:hover, &:active, &:focus {
+    overflow: hidden;
+    border: 1px solid #1d1d1d;
+    background-color: #336480;
+    color: #FFF;
+    -webkit-appearance: none;
+    -moz-appearance: none;
+    appearance: none;
+    cursor: pointer;
+    background-repeat: no-repeat;
+    background-position: right;
+    background-image: url(/ui/themes/tukan/build/images/caret.png) !important;
+  }
+}
 
-option:hover, option:active, option:focus {
-    background-color:#FF7E25;
-	}
+option {
+  &:hover, &:active, &:focus {
+    background-color: #FF7E25;
+  }
+}
+
+#grid-log th[data-column-id="__timestamp__"], #filter-log-entries th[data-column-id="__timestamp__"] {
+  min-width: 3.5em;
+}
 
-#grid-log th[data-column-id="__timestamp__"],
-#filter-log-entries th[data-column-id="__timestamp__"] {
-  min-width: 3.5em; }
 #grid-top {
-    -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+}
 
 @media screen and (max-width: 767px) {
   .table-responsive {
-    margin-bottom: 0; }
-    .table-responsive > .table > thead > tr > th,
-    .table-responsive > .table > thead > tr > td,
-    .table-responsive > .table > tbody > tr > th,
-    .table-responsive > .table > tbody > tr > td,
-    .table-responsive > .table > tfoot > tr > th,
-    .table-responsive > .table > tfoot > tr > td {
-      white-space: normal; } }
-
-label > input[type="checkbox"],
-label > input[type="radio"] {
-  margin-right: .4em;
-  float: left; }
-
-#log-settings label[for^="act"] {
-  margin-right: 1.5em; }
-
-#log-settings table>tbody>tr>td {
-  vertical-align: middle; }
-
-#log-settings select#filterlogentries,
-#log-settings select#filterlogentriesupdateinterval {
-  width: 5em; }
-
-#log-settings select#filterlogentriesinterfaces {
-  min-width: 100%;
-  max-width: 100%; }
+    margin-bottom: 0;
+
+    > .table > {
+      thead > tr > {
+        th, td {
+          white-space: normal;
+        }
+      }
+
+      tbody > tr > {
+        th, td {
+          white-space: normal;
+        }
+      }
+
+      tfoot > tr > {
+        th, td {
+          white-space: normal;
+        }
+      }
+    }
+  }
+}
+
+label > input {
+  &[type="checkbox"], &[type="radio"] {
+    margin-right: .4em;
+    float: left;
+  }
+}
+
+#log-settings {
+  label[for^="act"] {
+    margin-right: 1.5em;
+  }
+
+  table > tbody > tr > td {
+    vertical-align: middle;
+  }
+
+  select {
+    &#filterlogentries, &#filterlogentriesupdateinterval {
+      width: 5em;
+    }
+
+    &#filterlogentriesinterfaces {
+      min-width: 100%;
+      max-width: 100%;
+    }
+  }
+}
 
 /* fields in firewall schedule */
+
 [data-state="lightcoral"] {
   background-color: #ffe83e;
 }
@@ -6319,50 +10423,64 @@ label > input[type="radio"] {
   background-color: #ffe83e;
 }
 
-#ipsec #ipsec-mobile, #ipsec #ipsec-tunnel, #ipsec #ipsec-overview {
-	background-color: #f0f0f0 !important;
-}
+#ipsec {
+  #ipsec-mobile, #ipsec-tunnel, #ipsec-overview {
+    background-color: #f0f0f0 !important;
+  }
 
-#ipsec .ipsec-tab {
-	background-color: #839caa !important;
-	color: #FFF !important;
-}
+  .ipsec-tab {
+    background-color: #839caa !important;
+    color: #FFF !important;
 
-#ipsec .ipsec-tab.activetab {
-	background-color: #315a71 !important;
-	color: #FFF !important;
+    &.activetab {
+      background-color: #315a71 !important;
+      color: #FFF !important;
+    }
+  }
 }
+
 .fw_pass {
   background-color: #295f2b !important;
-  color:#FFF;
+  color: #FFF;
 }
+
 .fw_block {
   background-color: #CB4326 !important;
-  color:#FFF;
+  color: #FFF;
 }
+
 .fw_nat {
   background-color: #CBA026 !important;
-  color:#FFF;
+  color: #FFF;
 }
-  /*additional extensions for theme-tukan*/
+
+/*additional extensions for theme-tukan*/
 
 #tab_1 #maintabs {
   border-bottom: 1px solid #b0b0b0;
 }
 
-textarea#update_status, textarea#update_status:hover {
-  color:inherit !important;
-  -webkit-box-shadow:none !important;
-  box-shadow:none !important;
-  border:none !important;
+textarea#update_status {
+  color: inherit !important;
+  -webkit-box-shadow: none !important;
+  box-shadow: none !important;
+  border: none !important;
+
+  &:hover {
+    color: inherit !important;
+    -webkit-box-shadow: none !important;
+    box-shadow: none !important;
+    border: none !important;
+  }
 }
 
 .fa-toggle-off::before {
-  color:#FF8B00 !important;
-  outline:none !important; }
+  color: #FF8B00 !important;
+  outline: none !important;
+}
 
 .fa-toggle-on::before {
-  outline:none !important;
+  outline: none !important;
 }
 
 .fa-search::before, .glyphicon-search::before {
@@ -6370,7 +10488,7 @@ textarea#update_status, textarea#update_status:hover {
 }
 
 .glyphicon.glyphicon-search::before {
-  color:#000 !important;
+  color: #000 !important;
 }
 
 .fa-times-circle::before {
@@ -6382,30 +10500,42 @@ textarea#update_status, textarea#update_status:hover {
   content: "\f059";
   cursor: pointer;
 }
+
 .fa-refresh::before {
   content: "\f021";
 }
 
-.bootgrid-header .search .glyphicon, .bootgrid-footer .search .glyphicon,.input-group-addon {
+.bootgrid-header .search .glyphicon, .bootgrid-footer .search .glyphicon, .input-group-addon {
   top: 0;
   background-color: #FF7E25 !important;
   border: 1px solid #FF7E25 !important;
 }
 
-div.container-fluid >.fa-search::before, div.container-fluid >.fa-refresh::before {
-  color: #FFFFFF !important; }
+div.container-fluid > {
+  .fa-search::before, .fa-refresh::before {
+    color: #FFFFFF !important;
+  }
+}
 
-.panel-heading h3:hover, h3:focus {
+.panel-heading h3:hover {
   color: #FFFFFF;
   text-decoration: none;
 }
 
-h3:link {
-  color:#FFFFFF;text-decoration: underline;
-}
+h3 {
+  &:focus {
+    color: #FFFFFF;
+    text-decoration: none;
+  }
 
-h3:hover, h3:focus {
-  text-decoration: underline;
+  &:link {
+    color: #FFFFFF;
+    text-decoration: underline;
+  }
+
+  &:hover, &:focus {
+    text-decoration: underline;
+  }
 }
 
 #grid-log {
@@ -6413,32 +10543,67 @@ h3:hover, h3:focus {
 }
 
 .table-condensed.table-hover {
-    border: 1px solid #bdbdbd;
+  border: 1px solid #bdbdbd;
 }
 
 #rules.table-condensed.table-hover {
-    border: none;
+  border: none;
 }
 
-.btn-group.bootstrap-select.open, .btn-group.bootstrap-select:hover {
-  border-color: #323232 !important;
-  color:#FFFFFF !important;
+.btn-group.bootstrap-select {
+  &.open, &:hover {
+    border-color: #323232 !important;
+    color: #FFFFFF !important;
+  }
 }
 
-.glyphicon.glyphicon-play.text-muted, .glyphicon.glyphicon-remove.text-muted, .glyphicon.glyphicon-remove-sign.text-muted, .glyphicon.glyphicon-info-sign.text-muted,.fa.fa-exclamation.fa-fw.text-muted,.fa.fa-arrows-h.fa-fw.text-muted,.fa.fa-long-arrow-left,.fa.fa-long-arrow-left::before,.fa.fa-info-circle.text-muted,.fa.fa-times-circle.text-muted,.fa.fa-times-circle.text-muted::before,.fa.fa-times.text-muted,.fa.fa-times.text-muted::before,.fa.fa-play.text-muted::before {
-  color: #000 !important;
+.glyphicon {
+  &.glyphicon-play.text-muted, &.glyphicon-remove.text-muted, &.glyphicon-remove-sign.text-muted, &.glyphicon-info-sign.text-muted {
+    color: #000 !important;
+  }
+}
+
+.fa {
+  &.fa-exclamation.fa-fw.text-muted, &.fa-arrows-h.fa-fw.text-muted {
+    color: #000 !important;
+  }
+
+  &.fa-long-arrow-left {
+    color: #000 !important;
+
+    &::before {
+      color: #000 !important;
+    }
+  }
+
+  &.fa-info-circle.text-muted {
+    color: #000 !important;
+  }
+
+  &.fa-times-circle.text-muted, &.fa-times.text-muted {
+    color: #000 !important;
+
+    &::before {
+      color: #000 !important;
+    }
+  }
+
+  &.fa-play.text-muted::before {
+    color: #000 !important;
+  }
 }
 
 #system_log-widgets.content-box {
-  border:none; box-shadow: none;
+  border: none;
+  box-shadow: none;
 }
 
-#chart,#chart_intf_in,#chart_intf_out,#chart_top_ports,#chart_top_sources,#traffic_graph_widget_chart_in,#traffic_graph_widget_chart_out {
+#chart, #chart_intf_in, #chart_intf_out, #chart_top_ports, #chart_top_sources, #traffic_graph_widget_chart_in, #traffic_graph_widget_chart_out {
   background-color: #FFF;
   border: 1px solid #b0b0b0;
 }
 
-  /*additional extensions for sensei*/
+/*additional extensions for sensei*/
 
 .preloader-wrapper {
   background-color: #e3e3e3 !important;
@@ -6454,38 +10619,50 @@ h3:hover, h3:focus {
   box-shadow: none !important;
 }
 
-input[type="checkbox"].checkbox-switch + i::before, input[type="checkbox"].checkbox-icon + i::before, input[type="checkbox"].checkbox-switch + i::before {
-  color: #CB4326 !important;
-}
-
-input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox"].checkbox-icon:checked + i::before, input[type="checkbox"].checkbox-icon-2:checked + i::before {
-  color: #4FB654 !important;
+input[type="checkbox"] {
+  &.checkbox-switch + i::before, &.checkbox-icon + i::before {
+    color: #CB4326 !important;
+  }
+
+  &.checkbox-switch {
+    + i::before {
+      color: #CB4326 !important;
+    }
+
+    &:checked + i::before {
+      color: #4FB654 !important;
+    }
+  }
+
+  &.checkbox-icon:checked + i::before, &.checkbox-icon-2:checked + i::before {
+    color: #4FB654 !important;
+  }
 }
 
 .modal-header > span {
   color: #000;
 }
 
-.bootstrap-datetimepicker-widget table td span:hover {
-    background: none !important;
-}
-
 .bootstrap-datetimepicker-widget {
-  background-color:#FF7E25 !important;
-}
+  table td span:hover {
+    background: none !important;
+  }
 
-.modal-side > .p-15 {
-  padding-left: 10px;
-  padding-right: 10px;
-  padding-top: 3px;
-  padding-bottom: 1px;
-  border-bottom: 1px solid #4a4a4a;
-  min-height: 16.42857px;
-  background-color: #427795;
-  color: #FFF;
+  background-color: #FF7E25 !important;
 }
 
 .modal-side {
+  > .p-15 {
+    padding-left: 10px;
+    padding-right: 10px;
+    padding-top: 3px;
+    padding-bottom: 1px;
+    border-bottom: 1px solid #4a4a4a;
+    min-height: 16.42857px;
+    background-color: #427795;
+    color: #FFF;
+  }
+
   margin: 62px 10px 10px 10px;
   background-color: #f0f0f0 !important;
 }
@@ -6495,7 +10672,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .alert-primary {
-  background-color:none !important;
+  background-color: none !important;
   color: #000 !important;
 }
 
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index db752ab72c..36f2577243 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -4334,7 +4334,11 @@ a.thumbnail.active {
   padding: 15px;
   margin-bottom: 20px;
   border: 1px solid #b0b0b0;
-  border-radius: 3px; }
+  border-radius: 3px;
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+}
+
   .alert h4 {
     margin-top: 0;
     color: inherit; }
@@ -4368,7 +4372,11 @@ a.thumbnail.active {
 .alert-info {
 	background-color: #fbfbfb;
 	border-color: #a5a5a5;
-	color: #000;}
+	color: #000;
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+}
+
   .alert-info hr {
     border-top-color: #DA4829; }
   .alert-info .alert-link {
@@ -5723,17 +5731,19 @@ body {
   margin-left: 20px;
   margin-right: 20px;
   border: 1px solid #b0b0b0;
-  border-radius: 3px;
-  min-height: 51px;
+  border-radius: 0px;
+  min-height: 47px;
   height:auto;
-  padding: 8px 20px 7px 20px;
+  padding: 6px 14px 5px 14px;
   -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
   box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
 
 .page-content-head, .content-box-head {
-  padding-bottom: 10px;
-  padding-top: 17px;
-  color:#000;}
+  padding-bottom: 2px;
+  padding-top: 10px;
+  color:#000;
+}
+
   .page-content-head .navbar-nav, .content-box-head .navbar-nav {
     width: 100%; }
   .page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
@@ -5742,7 +5752,8 @@ body {
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 15px 0 21px; }
+  padding: 9px 0px 21px 0px;
+}
 
 .page-side {
   background: #172c38;

From 272c922e15acea72ea5f0a86dd167105c5163650 Mon Sep 17 00:00:00 2001
From: tafros <68539722+tafros@users.noreply.github.com>
Date: Wed, 23 Sep 2020 05:22:04 -0400
Subject: [PATCH 0216/3088] Allow hyphen / minus sign (-) as a valid hostname
 character (#2030)

---
 net/wireguard/Makefile                                      | 2 +-
 net/wireguard/pkg-descr                                     | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml   | 6 ++----
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index a0b7242e52..09f28f5957 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 848f48597a..0becbd029f 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.3
+
+* Client/peer name validation to use HostnameField
+
 1.2
 
 * Dashboard widget (contributed by D. Domig)
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index 1ae8c87e65..e25a3a2fa0 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/wireguard/client</mount>
     <description>Wireguard Client configuration</description>
-    <version>0.0.4</version>
+    <version>0.0.5</version>
     <items>
         <clients>
             <client type="ArrayField">
@@ -9,11 +9,9 @@
                     <default>1</default>
                     <Required>Y</Required>
                 </enabled>
-                <name type="TextField">
+                <name type="HostnameField">
                     <default></default>
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z]){1,32}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9a-zA-Z</ValidationMessage>
                 </name>
                 <pubkey type="TextField">
                     <Required>N</Required>

From bdd9ccb2b5991489a41433bebbe571c2c18162f4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Sep 2020 11:56:36 +0200
Subject: [PATCH 0217/3088] net/chrony: release 1.0

---
 README.md           | 2 +-
 net/chrony/Makefile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 8c2f505049..1615e0cb7c 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ net-mgmt/telegraf -- Agent for collecting metrics and data
 net-mgmt/zabbix-agent -- Zabbix monitoring agent
 net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
 net-mgmt/zabbix5-proxy -- Zabbix Proxy enables decentralized monitoring
-net/chrony -- Chrony time synchronisation (development only)
+net/chrony -- Chrony time synchronisation
 net/firewall -- Firewall API supplemental package
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index 2ca167d2e0..39c87599ff 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		chrony
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_DEVEL=       yes
 
 .include "../../Mk/plugins.mk"

From 64ea50da4d632df053c316f591b669c13cac88ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Sep 2020 12:00:07 +0200
Subject: [PATCH 0218/3088] dns: bump revisions for later release

---
 dns/bind/Makefile           | 1 +
 dns/dnscrypt-proxy/Makefile | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 0cf5b7689e..3323aea673 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.13
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 2203e70541..e120fa9126 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.8
+PLUGIN_REVISIOM=	1
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From b150e90351e4c23eb1f737b79385ab72c4d3e912 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 23 Sep 2020 12:14:31 +0200
Subject: [PATCH 0219/3088] mail/postfix: bump version (#2043)

---
 mail/postfix/Makefile  | 2 +-
 mail/postfix/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index a87fa354de..18112fb894 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.16
+PLUGIN_VERSION=		1.17
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 8188ee8b78..d20dc9dd59 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.17
+
+* Add smtpd_sasl_auth_enable to configuration (by @fhloston)
+
 1.16
 
 * Add support for header_checks (Starkstromkonsument <https://github.com/Starkstromkonsument>)

From caf52376d756e10ee5f63a16f9b4e5ae899799b6 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 23 Sep 2020 12:14:52 +0200
Subject: [PATCH 0220/3088] net/frr: bump version (#2042)

---
 net/frr/Makefile  | 2 +-
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 5b6b4037be..f107421c02 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.16
+PLUGIN_VERSION=		1.17
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7 ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 53558e2993..0523621f5a 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.17
+
+* Fix templating for BGP AS-Path Lists (by Steve Buzonas)
+
 1.16
 
 * Fix templating for router IDs in OSPF3 daemon

From 9f16b9ea860fc5bfd36fb4775a2d45d16c91ea83 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 23 Sep 2020 12:21:57 +0200
Subject: [PATCH 0221/3088] security/acme-client: prevent shell command
 injection

---
 .../OPNsense/AcmeClient/LeCertificate.php     |  9 +++++----
 .../OPNsense/AcmeClient/LeValidation/Base.php | 19 +++++++++++--------
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 36ac2aa4bb..62513a7187 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -28,8 +28,9 @@
 
 namespace OPNsense\AcmeClient;
 
-// Load legacy functions for import()
-require_once("certs.inc");
+// Load legacy functions
+require_once("certs.inc"); // used in import()
+require_once("util.inc"); // for exec_safe()
 
 use OPNsense\Core\Config;
 use OPNsense\AcmeClient\LeAccount;
@@ -436,7 +437,7 @@ public function remove()
         $acmecmd = '/usr/local/sbin/acme.sh '
           . '--remove '
           . implode(' ', $this->acme_args) . ' '
-          . '--domain ' . (string)$this->config->name;
+          . exec_safe('--domain %s', (string)$this->config->name);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
@@ -527,7 +528,7 @@ public function revoke()
         $acmecmd = '/usr/local/sbin/acme.sh '
           . '--revoke '
           . implode(' ', $this->acme_args) . ' '
-          . '--domain ' . (string)$this->config->name . ' '
+          . exec_safe('--domain %s', (string)$this->config->name) . ' '
           . "--accountconf ${account_conf_file}";
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index d47d5e73cd..da0f5f390c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -34,6 +34,9 @@
 use OPNsense\AcmeClient\LeAccount;
 use OPNsense\AcmeClient\LeUtils;
 
+// Load legacy functions
+require_once("util.inc"); // for exec_safe()
+
 /**
  * LeValidation stub file, contains shared logic for all validation methods.
  * @package OPNsense\AcmeClient
@@ -229,7 +232,7 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
         $this->cert_challengealias = $challengealias;
 
         // Main domain for acme
-        $this->acme_args[] = '--domain ' . $certname;
+        $this->acme_args[] = exec_safe('--domain %s', $certname);
 
         // Main domain: Use DNS alias mode for domain validation?
         // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
@@ -238,14 +241,14 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
                 case 'automatic':
                     $name = '_acme-challenge.' . ltrim((string)$this->cert_name, '*.');
                     if ($dst = dns_get_record($name, DNS_CNAME)) {
-                        $this->acme_args[] = '--domain-alias ' . $dst[0]['target'];
+                        $this->acme_args[] = exec_safe('--domain-alias %s', $dst[0]['target']);
                     }
                     break;
                 case 'domain':
-                    $this->acme_args[] = '--domain-alias ' . (string)$this->cert_domainalias;
+                    $this->acme_args[] = exec_safe('--domain-alias %s', (string)$this->cert_domainalias);
                     break;
                 case 'challenge':
-                    $this->acme_args[] = '--challenge-alias ' . (string)$this->cert_challengealias;
+                    $this->acme_args[] = exec_safe('--challenge-alias %s', (string)$this->cert_challengealias);
                     break;
             }
         }
@@ -253,7 +256,7 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
         // altNames
         if (!empty((string)$this->cert_altnames)) {
             foreach (explode(",", (string)$this->cert_altnames) as $altname) {
-                $this->acme_args[] = "--domain ${altname}";
+                $this->acme_args[] = exec_safe('--domain %s', $altname);
 
                 // altNames: Use DNS alias mode for domain validation?
                 // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
@@ -262,14 +265,14 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
                         case 'automatic':
                             $name = "_acme-challenge." . ltrim($altname, '*.');
                             if ($dst = dns_get_record($name, DNS_CNAME)) {
-                                $this->acme_args[] = '--domain-alias ' . $dst[0]['target'];
+                                $this->acme_args[] = exec_safe('--domain-alias %s', $dst[0]['target']);
                             }
                             break;
                         case 'domain':
-                            $this->acme_args[] = '--domain-alias ' . (string)$this->cert_domainalias;
+                            $this->acme_args[] = exec_safe('--domain-alias %s', (string)$this->cert_domainalias);
                             break;
                         case 'challenge':
-                            $this->acme_args[] = '--challenge-alias ' . (string)$this->cert_challengealias;
+                            $this->acme_args[] = exec_safe('--challenge-alias %s', (string)$this->cert_challengealias);
                             break;
                     }
                 }

From a56b2acd3e671a2392ce3db97c8ee930f0f5d9f9 Mon Sep 17 00:00:00 2001
From: fhloston <fhloston@users.noreply.github.com>
Date: Thu, 24 Sep 2020 17:00:15 +0200
Subject: [PATCH 0222/3088] stunnel: add protocol support to stunnel (#2022)

---
 security/stunnel/Makefile                              |  2 +-
 .../OPNsense/Stunnel/forms/dialogService.xml           |  6 ++++++
 .../mvc/app/models/OPNsense/Stunnel/Stunnel.xml        | 10 +++++++++-
 .../service/templates/OPNsense/Stunnel/stunnel.conf    |  3 +++
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index c79e12bfb7..ed8d72bbbb 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		stunnel
-PLUGIN_VERSION=		1.0.1
+PLUGIN_VERSION=		1.0.2
 PLUGIN_COMMENT=		stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
index 9d32302804..368810bf79 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
@@ -29,6 +29,12 @@
         <type>text</type>
         <help>The port to forward traffic to.</help>
     </field>
+    <field>
+        <id>service.protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help>The application protocol to negotiate TLS.</help>
+    </field>
     <field>
         <id>service.servercert</id>
         <label>Certificate</label>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index 7c8fea7155..4f5689ae84 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Stunnel</mount>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <description>
         Stunnel TLS encryption proxy
     </description>
@@ -45,6 +45,14 @@
                     <ValidationMessage>port needs to be an integer value between 1 and 65535</ValidationMessage>
                     <Required>Y</Required>
                 </connect_port>
+                <protocol type="OptionField">
+                    <OptionValues>
+                        <imap>IMAP</imap>
+                        <pop3>POP3</pop3>
+                        <smtp>SMTP</smtp>
+                    </OptionValues>
+                    <Required>N</Required>
+                </protocol>
                 <cacert type="CertificateField">
                     <Required>N</Required>
                     <multiple>Y</multiple>
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
index 1179e6bf1a..d9f28b339b 100644
--- a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
@@ -19,6 +19,9 @@ logId = unique
 [{{service['@uuid']}}]
 accept = {% if service.accept_address %}{{service.accept_address}}:{% endif %}{{service.accept_port}}
 connect = {% if service.connect_address.find(":") > -1 %}[{{service.connect_address}}]{% else %}{{service.connect_address}}{% endif %}:{{service.connect_port}}
+{% if service.protocol %}
+protocol = {{service.protocol}}
+{% endif %}
 cert = /usr/local/etc/stunnel/certs/{{service['@uuid']}}.crt
 {%       if service.cacert|default('') != '' %}
 CAfile = /usr/local/etc/stunnel/certs/{{service['@uuid']}}.ca

From 032a94ab10d669416f0a80bf5978047133f9f929 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 25 Sep 2020 22:50:29 +0200
Subject: [PATCH 0223/3088] security/acme-client: fix HAProxy plugin support
 (regression)

---
 .../AcmeClient/LeValidation/HttpHaproxy.php   | 45 +++++++++++++++++++
 .../AcmeClient/LeValidationFactory.php        |  2 +-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpHaproxy.php

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpHaproxy.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpHaproxy.php
new file mode 100644
index 0000000000..0cac1c5621
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpHaproxy.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * OPNsense HAProxy plugin integration
+ * @package OPNsense\AcmeClient
+ */
+class HttpHaproxy extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        // This is just a dummy class. No additional acme.sh configuration required.
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
index f8113483ef..822b64ed66 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
@@ -84,7 +84,7 @@ public function getValidation(string $uuid)
                 }
             }
         }
-        LeUtils::log_error("challenge type not supported: " . (string)$objVal->method . " (${uuid})");
+        LeUtils::log_error("challenge type not supported: " . (string)$search_name . " (${uuid})");
         return null;
     }
 }

From a08317ab0ce990909dfaf05224f82893b6254273 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 25 Sep 2020 22:57:24 +0200
Subject: [PATCH 0224/3088] security/acme-client: fix update of existing cert
 (regression)

---
 .../mvc/app/library/OPNsense/AcmeClient/LeCertificate.php       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 62513a7187..8928ba462d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -221,7 +221,7 @@ public function import(bool $skip_validation = false)
         // Check if cert was previously imported
         if (!empty((string)$this->config->certRefId)) {
             // Check if the previously imported certificate can still be found
-            foreach (Config::getInstance()->object()->ca as $cfgCert) {
+            foreach (Config::getInstance()->object()->cert as $cfgCert) {
                 // Check if IDs match
                 if ((string)$this->config->certRefId == (string)$cfgCert->refid) {
                     $cert_found = true;

From 8f84e74c8d4a9cf95d768db4c4c7799c0fc3b3d4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 4 Oct 2020 10:25:29 +0200
Subject: [PATCH 0225/3088] security/acme-client: fix copyright headers,
 unbreak sync

---
 .../mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php | 2 +-
 .../app/library/OPNsense/AcmeClient/LeAutomationFactory.php   | 4 ++--
 .../app/library/OPNsense/AcmeClient/LeAutomationInterface.php | 4 ++--
 .../opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php  | 2 +-
 .../mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php | 2 +-
 .../app/library/OPNsense/AcmeClient/LeValidationFactory.php   | 4 ++--
 .../app/library/OPNsense/AcmeClient/LeValidationInterface.php | 4 ++--
 .../src/opnsense/scripts/OPNsense/AcmeClient/lecert.php       | 2 +-
 8 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index cb4ad40f12..b6a07a7275 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall (derived from OPNsense\Backup)
+ * Copyright (C) 2020 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
index 5c6b531777..82a8e857df 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
@@ -1,7 +1,7 @@
 <?php
 
-/**
- * Copyright (C) 2020 Frank Wall (derived from OPNsense/Auth)
+/*
+ * Copyright (C) 2020 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
index 6fb9b1f883..707b65affd 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
@@ -1,7 +1,7 @@
 <?php
 
-/**
- * Copyright (C) 2020 Frank Wall (derived from OPNsense\Backup)
+/*
+ * Copyright (C) 2020 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index dd5ce0ff39..cdc6423467 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2017-2020 Frank Wall (derived from certhelper.php)
+ * Copyright (C) 2017-2020 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index da0f5f390c..1e5e2247da 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall (derived from OPNsense\Backup)
+ * Copyright (C) 2020 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
index 822b64ed66..5786a8f332 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
@@ -1,7 +1,7 @@
 <?php
 
-/**
- * Copyright (C) 2020 Frank Wall (derived from OPNsense/Auth)
+/*
+ * Copyright (C) 2020 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
index f5836672e6..903486ffac 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
@@ -1,7 +1,7 @@
 <?php
 
-/**
- * Copyright (C) 2020 Frank Wall (derived from OPNsense\Backup)
+/*
+ * Copyright (C) 2020 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
index 0b47d933d3..a01df9d55b 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall (derived from upload_sftp.php)
+ * Copyright (C) 2020 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *

From 3284a2b895c792bdbe754d4c804cfee07007c305 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 4 Oct 2020 22:43:01 +0200
Subject: [PATCH 0226/3088] security/acme-client: prevent shell command
 injection, as discussed in #2028

---
 .../library/OPNsense/AcmeClient/LeAccount.php |  8 ++++----
 .../OPNsense/AcmeClient/LeCertificate.php     | 12 +++++------
 .../OPNsense/AcmeClient/LeValidation/Base.php | 20 +++++++++----------
 3 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 4f13e67a90..41fac04f7a 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -57,7 +57,7 @@ public function __construct(string $uuid)
         $this->setEnvironment();
 
         // Store acme filenames
-        $this->acme_args[] = '--home ' . self::ACME_HOME_DIR;
+        $this->acme_args[] = exec_safe('--home %s', self::ACME_HOME_DIR);
     }
 
     /**
@@ -118,8 +118,8 @@ public function generateKey()
                 $acmecmd = '/usr/local/sbin/acme.sh '
                   . '--createAccountKey '
                   . implode(' ', $this->acme_args) . ' '
-                  . '--accountkeylength ' . self::ACME_ACCOUNT_KEY_LENGTH . ' '
-                  . "--accountconf ${account_conf_file}";
+                  . exec_safe('--accountkeylength %s', self::ACME_ACCOUNT_KEY_LENGTH) . ' '
+                  . exec_safe('--accountconf %s', $account_conf_file);
                 LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
                 $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
@@ -226,7 +226,7 @@ public function register()
             $acmecmd = '/usr/local/sbin/acme.sh '
               . '--registeraccount '
               . implode(' ', $this->acme_args) . ' '
-              . '--accountconf ' . $this->account_conf_file;
+              . exec_safe('--accountconf %s', $this->account_conf_file);
             LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
             $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 8928ba462d..b3251989f9 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -88,11 +88,11 @@ public function __construct(string $uuid, bool $force = false)
         $this->cert_fullchain_file = (string)sprintf(self::ACME_FULLCHAIN_FILE, $this->config->id);
 
         // Store acme filenames
-        $this->acme_args[] = '--home ' . self::ACME_HOME_DIR;
-        $this->acme_args[] = '--certpath ' . $this->cert_file;
-        $this->acme_args[] = '--keypath ' . $this->cert_key_file;
-        $this->acme_args[] = '--capath ' . $this->cert_chain_file;
-        $this->acme_args[] = '--fullchainpath ' . $this->cert_fullchain_file;
+        $this->acme_args[] = exec_safe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = exec_safe('--certpath %s', $this->cert_file);
+        $this->acme_args[] = exec_safe('--keypath %s', $this->cert_key_file);
+        $this->acme_args[] = exec_safe('--capath %s', $this->cert_chain_file);
+        $this->acme_args[] = exec_safe('--fullchainpath %s', $this->cert_fullchain_file);
     }
 
     /**
@@ -529,7 +529,7 @@ public function revoke()
           . '--revoke '
           . implode(' ', $this->acme_args) . ' '
           . exec_safe('--domain %s', (string)$this->config->name) . ' '
-          . "--accountconf ${account_conf_file}";
+          . exec_safe('--accountconf %s', $account_conf_file);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 1e5e2247da..8e0af7c361 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -82,8 +82,8 @@ public function init(string $certid, string $accountuuid)
         // Store acme hook
         switch ((string)$this->config->method) {
             case 'dns01':
-                $this->acme_args[] = '--dns ' . (string)$this->config->dns_service;
-                $this->acme_args[] = '--dnssleep ' . (string)$this->config->dns_sleep;
+                $this->acme_args[] = exec_safe('--dns %s', (string)$this->config->dns_service);
+                $this->acme_args[] = exec_safe('--dnssleep %s', (string)$this->config->dns_sleep);
                 break;
             case 'http01':
                 $this->acme_args[] = '--webroot /var/etc/acme-client/challenges';
@@ -91,11 +91,11 @@ public function init(string $certid, string $accountuuid)
         }
 
         // Store acme filenames
-        $this->acme_args[] = '--home ' . self::ACME_HOME_DIR;
-        $this->acme_args[] = '--certpath ' . sprintf(self::ACME_CERT_FILE, $this->cert_id);
-        $this->acme_args[] = '--keypath ' . sprintf(self::ACME_KEY_FILE, $this->cert_id);
-        $this->acme_args[] = '--capath ' . sprintf(self::ACME_CHAIN_FILE, $this->cert_id);
-        $this->acme_args[] = '--fullchainpath ' . sprintf(self::ACME_FULLCHAIN_FILE, $this->cert_id);
+        $this->acme_args[] = exec_safe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = exec_safe('--certpath %s', sprintf(self::ACME_CERT_FILE, $this->cert_id));
+        $this->acme_args[] = exec_safe('--keypath %s', sprintf(self::ACME_KEY_FILE, $this->cert_id));
+        $this->acme_args[] = exec_safe('--capath %s', sprintf(self::ACME_CHAIN_FILE, $this->cert_id));
+        $this->acme_args[] = exec_safe('--fullchainpath %s', sprintf(self::ACME_FULLCHAIN_FILE, $this->cert_id));
 
         return true;
     }
@@ -165,7 +165,7 @@ public function run(bool $renew = false)
         $acmecmd = '/usr/local/sbin/acme.sh '
           . "--${acme_action} "
           . implode(' ', $this->acme_args) . ' '
-          . "--accountconf ${account_conf_file}";
+          . exec_safe('--accountconf %s', $account_conf_file);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
@@ -215,7 +215,7 @@ public function setKey(string $length = '4096')
             $key_length = $length;
         }
 
-        $this->acme_args[] = '--keylength ' . $key_length;
+        $this->acme_args[] = exec_safe('--keylength %s', $key_length);
         $this->cert_keylength = $length;
     }
 
@@ -296,6 +296,6 @@ public function setOcsp(bool $ocsp = false)
      */
     public function setRenewal(int $interval = 60)
     {
-        $this->acme_args[] = '--days ' . (string)$interval;
+        $this->acme_args[] = exec_safe('--days %s', (string)$interval);
     }
 }

From 66d51168cfbd1e4d4580f60a8f46d41bd2a4539d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 4 Oct 2020 22:59:10 +0200
Subject: [PATCH 0227/3088] security/acme-client: do not depend on legacy code,
 as discussed in #2028

---
 .../library/OPNsense/AcmeClient/LeAccount.php |  8 ++--
 .../OPNsense/AcmeClient/LeCertificate.php     | 17 ++++----
 .../library/OPNsense/AcmeClient/LeUtils.php   | 25 ++++++++++++
 .../OPNsense/AcmeClient/LeValidation/Base.php | 39 +++++++++----------
 4 files changed, 55 insertions(+), 34 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 41fac04f7a..dc8f0d33f8 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -57,7 +57,7 @@ public function __construct(string $uuid)
         $this->setEnvironment();
 
         // Store acme filenames
-        $this->acme_args[] = exec_safe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
     }
 
     /**
@@ -118,8 +118,8 @@ public function generateKey()
                 $acmecmd = '/usr/local/sbin/acme.sh '
                   . '--createAccountKey '
                   . implode(' ', $this->acme_args) . ' '
-                  . exec_safe('--accountkeylength %s', self::ACME_ACCOUNT_KEY_LENGTH) . ' '
-                  . exec_safe('--accountconf %s', $account_conf_file);
+                  . LeUtils::execSafe('--accountkeylength %s', self::ACME_ACCOUNT_KEY_LENGTH) . ' '
+                  . LeUtils::execSafe('--accountconf %s', $account_conf_file);
                 LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
                 $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
@@ -226,7 +226,7 @@ public function register()
             $acmecmd = '/usr/local/sbin/acme.sh '
               . '--registeraccount '
               . implode(' ', $this->acme_args) . ' '
-              . exec_safe('--accountconf %s', $this->account_conf_file);
+              . LeUtils::execSafe('--accountconf %s', $this->account_conf_file);
             LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
             $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index b3251989f9..ac238c2beb 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -30,7 +30,6 @@
 
 // Load legacy functions
 require_once("certs.inc"); // used in import()
-require_once("util.inc"); // for exec_safe()
 
 use OPNsense\Core\Config;
 use OPNsense\AcmeClient\LeAccount;
@@ -88,11 +87,11 @@ public function __construct(string $uuid, bool $force = false)
         $this->cert_fullchain_file = (string)sprintf(self::ACME_FULLCHAIN_FILE, $this->config->id);
 
         // Store acme filenames
-        $this->acme_args[] = exec_safe('--home %s', self::ACME_HOME_DIR);
-        $this->acme_args[] = exec_safe('--certpath %s', $this->cert_file);
-        $this->acme_args[] = exec_safe('--keypath %s', $this->cert_key_file);
-        $this->acme_args[] = exec_safe('--capath %s', $this->cert_chain_file);
-        $this->acme_args[] = exec_safe('--fullchainpath %s', $this->cert_fullchain_file);
+        $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = LeUtils::execSafe('--certpath %s', $this->cert_file);
+        $this->acme_args[] = LeUtils::execSafe('--keypath %s', $this->cert_key_file);
+        $this->acme_args[] = LeUtils::execSafe('--capath %s', $this->cert_chain_file);
+        $this->acme_args[] = LeUtils::execSafe('--fullchainpath %s', $this->cert_fullchain_file);
     }
 
     /**
@@ -437,7 +436,7 @@ public function remove()
         $acmecmd = '/usr/local/sbin/acme.sh '
           . '--remove '
           . implode(' ', $this->acme_args) . ' '
-          . exec_safe('--domain %s', (string)$this->config->name);
+          . LeUtils::execSafe('--domain %s', (string)$this->config->name);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
@@ -528,8 +527,8 @@ public function revoke()
         $acmecmd = '/usr/local/sbin/acme.sh '
           . '--revoke '
           . implode(' ', $this->acme_args) . ' '
-          . exec_safe('--domain %s', (string)$this->config->name) . ' '
-          . exec_safe('--accountconf %s', $account_conf_file);
+          . LeUtils::execSafe('--domain %s', (string)$this->config->name) . ' '
+          . LeUtils::execSafe('--accountconf %s', $account_conf_file);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index cdc6423467..f0542f3d64 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -4,7 +4,11 @@
  * Copyright (C) 2017-2020 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
+ * Copyright (C) 2010 Ermal Luçi
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
+ * Copyright (C) 2005-2006 Colin Smith <ethethlay@gmail.com>
+ * Copyright (C) 2004-2007 Scott Ullrich <sullrich@gmail.com>
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -49,6 +53,27 @@ public static function base64url_encode($str)
         return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
     }
 
+    /**
+     * Properly escape arguments to prevent shell command injection.
+     * This is a copy of the exec_safe() legacy function.
+     * @param string $format The format string to use.
+     * @param string $args The arguments to escape.
+     * @return array|string The formatted and escaped arguments.
+     */
+    public static function execSafe($format, $args = array())
+    {
+        if (!is_array($args)) {
+            /* just in case there's only one argument */
+            $args = array($args);
+        }
+
+        foreach ($args as $id => $arg) {
+            $args[$id] = escapeshellarg($arg);
+        }
+
+        return vsprintf($format, $args);
+    }
+
     // Copied from system_camanager.php.
     public static function local_ca_import(&$ca, $str, $key = "", $serial = 0)
     {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 8e0af7c361..5f2eb9169e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -34,9 +34,6 @@
 use OPNsense\AcmeClient\LeAccount;
 use OPNsense\AcmeClient\LeUtils;
 
-// Load legacy functions
-require_once("util.inc"); // for exec_safe()
-
 /**
  * LeValidation stub file, contains shared logic for all validation methods.
  * @package OPNsense\AcmeClient
@@ -82,8 +79,8 @@ public function init(string $certid, string $accountuuid)
         // Store acme hook
         switch ((string)$this->config->method) {
             case 'dns01':
-                $this->acme_args[] = exec_safe('--dns %s', (string)$this->config->dns_service);
-                $this->acme_args[] = exec_safe('--dnssleep %s', (string)$this->config->dns_sleep);
+                $this->acme_args[] = LeUtils::execSafe('--dns %s', (string)$this->config->dns_service);
+                $this->acme_args[] = LeUtils::execSafe('--dnssleep %s', (string)$this->config->dns_sleep);
                 break;
             case 'http01':
                 $this->acme_args[] = '--webroot /var/etc/acme-client/challenges';
@@ -91,11 +88,11 @@ public function init(string $certid, string $accountuuid)
         }
 
         // Store acme filenames
-        $this->acme_args[] = exec_safe('--home %s', self::ACME_HOME_DIR);
-        $this->acme_args[] = exec_safe('--certpath %s', sprintf(self::ACME_CERT_FILE, $this->cert_id));
-        $this->acme_args[] = exec_safe('--keypath %s', sprintf(self::ACME_KEY_FILE, $this->cert_id));
-        $this->acme_args[] = exec_safe('--capath %s', sprintf(self::ACME_CHAIN_FILE, $this->cert_id));
-        $this->acme_args[] = exec_safe('--fullchainpath %s', sprintf(self::ACME_FULLCHAIN_FILE, $this->cert_id));
+        $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = LeUtils::execSafe('--certpath %s', sprintf(self::ACME_CERT_FILE, $this->cert_id));
+        $this->acme_args[] = LeUtils::execSafe('--keypath %s', sprintf(self::ACME_KEY_FILE, $this->cert_id));
+        $this->acme_args[] = LeUtils::execSafe('--capath %s', sprintf(self::ACME_CHAIN_FILE, $this->cert_id));
+        $this->acme_args[] = LeUtils::execSafe('--fullchainpath %s', sprintf(self::ACME_FULLCHAIN_FILE, $this->cert_id));
 
         return true;
     }
@@ -165,7 +162,7 @@ public function run(bool $renew = false)
         $acmecmd = '/usr/local/sbin/acme.sh '
           . "--${acme_action} "
           . implode(' ', $this->acme_args) . ' '
-          . exec_safe('--accountconf %s', $account_conf_file);
+          . LeUtils::execSafe('--accountconf %s', $account_conf_file);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
@@ -215,7 +212,7 @@ public function setKey(string $length = '4096')
             $key_length = $length;
         }
 
-        $this->acme_args[] = exec_safe('--keylength %s', $key_length);
+        $this->acme_args[] = LeUtils::execSafe('--keylength %s', $key_length);
         $this->cert_keylength = $length;
     }
 
@@ -232,7 +229,7 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
         $this->cert_challengealias = $challengealias;
 
         // Main domain for acme
-        $this->acme_args[] = exec_safe('--domain %s', $certname);
+        $this->acme_args[] = LeUtils::execSafe('--domain %s', $certname);
 
         // Main domain: Use DNS alias mode for domain validation?
         // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
@@ -241,14 +238,14 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
                 case 'automatic':
                     $name = '_acme-challenge.' . ltrim((string)$this->cert_name, '*.');
                     if ($dst = dns_get_record($name, DNS_CNAME)) {
-                        $this->acme_args[] = exec_safe('--domain-alias %s', $dst[0]['target']);
+                        $this->acme_args[] = LeUtils::execSafe('--domain-alias %s', $dst[0]['target']);
                     }
                     break;
                 case 'domain':
-                    $this->acme_args[] = exec_safe('--domain-alias %s', (string)$this->cert_domainalias);
+                    $this->acme_args[] = LeUtils::execSafe('--domain-alias %s', (string)$this->cert_domainalias);
                     break;
                 case 'challenge':
-                    $this->acme_args[] = exec_safe('--challenge-alias %s', (string)$this->cert_challengealias);
+                    $this->acme_args[] = LeUtils::execSafe('--challenge-alias %s', (string)$this->cert_challengealias);
                     break;
             }
         }
@@ -256,7 +253,7 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
         // altNames
         if (!empty((string)$this->cert_altnames)) {
             foreach (explode(",", (string)$this->cert_altnames) as $altname) {
-                $this->acme_args[] = exec_safe('--domain %s', $altname);
+                $this->acme_args[] = LeUtils::execSafe('--domain %s', $altname);
 
                 // altNames: Use DNS alias mode for domain validation?
                 // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
@@ -265,14 +262,14 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
                         case 'automatic':
                             $name = "_acme-challenge." . ltrim($altname, '*.');
                             if ($dst = dns_get_record($name, DNS_CNAME)) {
-                                $this->acme_args[] = exec_safe('--domain-alias %s', $dst[0]['target']);
+                                $this->acme_args[] = LeUtils::execSafe('--domain-alias %s', $dst[0]['target']);
                             }
                             break;
                         case 'domain':
-                            $this->acme_args[] = exec_safe('--domain-alias %s', (string)$this->cert_domainalias);
+                            $this->acme_args[] = LeUtils::execSafe('--domain-alias %s', (string)$this->cert_domainalias);
                             break;
                         case 'challenge':
-                            $this->acme_args[] = exec_safe('--challenge-alias %s', (string)$this->cert_challengealias);
+                            $this->acme_args[] = LeUtils::execSafe('--challenge-alias %s', (string)$this->cert_challengealias);
                             break;
                     }
                 }
@@ -296,6 +293,6 @@ public function setOcsp(bool $ocsp = false)
      */
     public function setRenewal(int $interval = 60)
     {
-        $this->acme_args[] = exec_safe('--days %s', (string)$interval);
+        $this->acme_args[] = LeUtils::execSafe('--days %s', (string)$interval);
     }
 }

From be4e8c4bc284ce8546d3e3dd07c235bf9f1993f4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 5 Oct 2020 15:20:57 +0200
Subject: [PATCH 0228/3088] security/acme-client: fix copyright, see ffc1703
 334aa32, refs #2055

---
 .../opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php  | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index f0542f3d64..ab4d46c85b 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -4,11 +4,7 @@
  * Copyright (C) 2017-2020 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
- * Copyright (C) 2010 Ermal Luçi
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
- * Copyright (C) 2005-2006 Colin Smith <ethethlay@gmail.com>
- * Copyright (C) 2004-2007 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

From 1d765d50bc257fe1fe874532139ec5f05ec828e0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 5 Oct 2020 18:37:48 +0200
Subject: [PATCH 0229/3088] Git backup: work in progress for
 https://github.com/opnsense/plugins/issues/2049

---
 sysutils/git-backup/Makefile                  |   6 +
 sysutils/git-backup/pkg-descr                 |   3 +
 .../mvc/app/library/OPNsense/Backup/Git.php   | 127 ++++++++++++++++++
 .../models/OPNsense/Backup/GitSettings.php    |  39 ++++++
 .../models/OPNsense/Backup/GitSettings.xml    |  49 +++++++
 5 files changed, 224 insertions(+)
 create mode 100644 sysutils/git-backup/Makefile
 create mode 100644 sysutils/git-backup/pkg-descr
 create mode 100644 sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
 create mode 100644 sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.php
 create mode 100644 sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
new file mode 100644
index 0000000000..4ef79984b9
--- /dev/null
+++ b/sysutils/git-backup/Makefile
@@ -0,0 +1,6 @@
+PLUGIN_NAME=		git-backup
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		Track config changes using git
+PLUGIN_MAINTAINER=	ad@opnsense.org
+
+.include "../../Mk/plugins.mk"
\ No newline at end of file
diff --git a/sysutils/git-backup/pkg-descr b/sysutils/git-backup/pkg-descr
new file mode 100644
index 0000000000..8aa28fb79b
--- /dev/null
+++ b/sysutils/git-backup/pkg-descr
@@ -0,0 +1,3 @@
+This package adds a backup option using git version control. 
+
+Due to the sensitive nature of the data being send to the backup, we strongly advise to not use a public service to send backups to.
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
new file mode 100644
index 0000000000..7bf0d47f1a
--- /dev/null
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -0,0 +1,127 @@
+<?php
+
+/**
+ *    Copyright (C) 2020 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Backup;
+
+use OPNsense\Core\Config;
+use OPNsense\Backup\GitSettings;
+
+/**
+ * Class Git backup
+ * @package OPNsense\Backup
+ */
+class Git extends Base implements IBackupProvider
+{
+
+    /**
+     * @inheritdoc
+     */
+    public function getConfigurationFields()
+    {
+        $fields = [
+           [
+              "name" => "enabled",
+              "type" => "checkbox",
+              "label" => gettext("Enable"),
+              "value" => null
+           ],
+           [
+             "name" => "url",
+             "type" => "text",
+             "label" => gettext("URL"),
+             "help" => gettext("Target location, which defined transport protocol, such as ssh://server/project.git or https://server/project.git."),
+             "value" => null
+           ],
+           [
+             "name" => "privkey",
+             "type" => "textarea",
+             "label" => gettext("SSH private key"),
+             "help" => gettext("When provided, ssh based authentication will be used."),
+             "value" => null
+           ],
+           [
+             "name" => "user",
+             "type" => "text",
+             "label" => gettext("User Name"),
+             "value" => null
+           ],
+           [
+             "name" => "password",
+             "type" => "password",
+             "label" => gettext("Password"),
+             "value" => null
+           ]
+        ];
+        $mdl = new GitSettings();
+        foreach ($fields as &$field) {
+            $field['value'] = (string)$mdl->getNodeByReference($field['name']);
+        }
+        return $fields;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getName()
+    {
+        return gettext("Git");
+    }
+
+    /**
+     * @inheritdoc
+     */
+     public function setConfiguration($conf)
+     {
+         $mdl = new GitSettings();
+         $this->setModelProperties($mdl, $conf);
+         $validation_messages = $this->validateModel($mdl);
+         if (empty($validation_messages)) {
+             $mdl->serializeToConfig();
+             Config::getInstance()->save();
+         }
+         return $validation_messages;
+     }
+
+    /**
+     * @inheritdoc
+     */
+    public function backup()
+    {
+        return ['config.xml'];
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isEnabled()
+    {
+        return (string)(new GitSettings())->enabled === "1";
+    }
+}
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.php b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.php
new file mode 100644
index 0000000000..a1627abcdd
--- /dev/null
+++ b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Backup;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class GitSettings
+ * @package Backup
+ */
+class GitSettings extends BaseModel
+{
+}
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
new file mode 100644
index 0000000000..84f9f0fc42
--- /dev/null
+++ b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
@@ -0,0 +1,49 @@
+<model>
+    <mount>//system/backup/git</mount>
+    <version>1.0.0</version>
+    <description>OPNsense Git Backup Settings</description>
+    <items>
+        <enabled type="BooleanField">
+          <default>0</default>
+          <Required>Y</Required>
+          <Constraints>
+              <check001>
+                  <reference>user.check001</reference>
+              </check001>
+              <check002>
+                  <reference>url.check001</reference>
+              </check002>
+          </Constraints>
+        </enabled>
+        <url type="TextField">
+            <Required>N</Required>
+            <mask>/^((https)|(ssh))?:\/\/.*[^\/]$/</mask>
+            <ValidationMessage>A valid git location must be provided. e.g. ssh://server/project.git, https://server/project.git</ValidationMessage>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>A backup location (url) is required.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
+        </url>
+        <privkey type="TextField">
+            <Required>N</Required>
+        </privkey>
+        <user type="TextField">
+          <Constraints>
+              <check001>
+                  <ValidationMessage>A username is required.</ValidationMessage>
+                  <type>DependConstraint</type>
+                  <addFields>
+                      <field1>enabled</field1>
+                  </addFields>
+              </check001>
+          </Constraints>
+        </user>
+        <password type="TextField">
+        </password>
+    </items>
+</model>

From 2b9a5eb0025597683491060d8e0517384a5e8820 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Oct 2020 10:25:55 +0200
Subject: [PATCH 0230/3088] README: sync

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 1615e0cb7c..ff0ae9493a 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,7 @@ sysutils/api-backup -- Provide the functionality to download the config.xml
 sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/boot-delay -- Apply a persistent 10 second boot delay
 sysutils/dmidecode -- Display hardware information on the dashboard
+sysutils/git-backup -- Track config changes using git
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitorin agent

From 23bca983e6971ac743bd065d404b4e48aaf146f5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Oct 2020 10:38:19 +0200
Subject: [PATCH 0231/3088] sysutils/git-backup: small style updates

---
 README.md                     | 2 +-
 sysutils/git-backup/Makefile  | 3 ++-
 sysutils/git-backup/pkg-descr | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index ff0ae9493a..66e8a5f892 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ sysutils/api-backup -- Provide the functionality to download the config.xml
 sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/boot-delay -- Apply a persistent 10 second boot delay
 sysutils/dmidecode -- Display hardware information on the dashboard
-sysutils/git-backup -- Track config changes using git
+sysutils/git-backup -- Track config changes using git (development only)
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitorin agent
diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 4ef79984b9..6b4d6919fc 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -2,5 +2,6 @@ PLUGIN_NAME=		git-backup
 PLUGIN_VERSION=		0.1
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_DEVEL=		yes
 
-.include "../../Mk/plugins.mk"
\ No newline at end of file
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/git-backup/pkg-descr b/sysutils/git-backup/pkg-descr
index 8aa28fb79b..58fcb26dc5 100644
--- a/sysutils/git-backup/pkg-descr
+++ b/sysutils/git-backup/pkg-descr
@@ -1,3 +1,3 @@
-This package adds a backup option using git version control. 
+This package adds a backup option using git version control.
 
 Due to the sensitive nature of the data being send to the backup, we strongly advise to not use a public service to send backups to.

From c73274fc6446a1ce5830dd5e5e9e3edd7113d2d0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 6 Oct 2020 18:00:54 +0200
Subject: [PATCH 0232/3088] Git backup: work in progress for
 https://github.com/opnsense/plugins/issues/2049

o add missing dependancy in Makefile
o add branch in Model
o implement backup() method, which is responsible for setting up a git repo and pushing it upstream. The actual "git add+commit" is a responsibility of the syshook config event (todo)

sponsored by : Modirum (https://www.modirum.com/)
---
 sysutils/git-backup/Makefile                  | 10 +--
 .../mvc/app/library/OPNsense/Backup/Git.php   | 74 ++++++++++++++++++-
 .../models/OPNsense/Backup/GitSettings.xml    |  4 +
 3 files changed, 81 insertions(+), 7 deletions(-)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 6b4d6919fc..8ac82dd76f 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,7 +1,7 @@
-PLUGIN_NAME=		git-backup
-PLUGIN_VERSION=		0.1
-PLUGIN_COMMENT=		Track config changes using git
-PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_DEVEL=		yes
+PLUGIN_NAME=        git-backup
+PLUGIN_VERSION=     0.1
+PLUGIN_COMMENT=     Track config changes using git
+PLUGIN_DEPENDS=     git
+PLUGIN_MAINTAINER=  ad@opnsense.org
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index 7bf0d47f1a..f093a3b82b 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -30,6 +30,7 @@
 
 namespace OPNsense\Backup;
 
+use OPNsense\Core\Backend;
 use OPNsense\Core\Config;
 use OPNsense\Backup\GitSettings;
 
@@ -59,6 +60,13 @@ public function getConfigurationFields()
              "help" => gettext("Target location, which defined transport protocol, such as ssh://server/project.git or https://server/project.git."),
              "value" => null
            ],
+           [
+             "name" => "branch",
+             "type" => "text",
+             "label" => gettext("Branch"),
+             "help" => gettext("Target branch to push to."),
+             "value" => null
+           ],
            [
              "name" => "privkey",
              "type" => "textarea",
@@ -110,11 +118,73 @@ public function setConfiguration($conf)
      }
 
     /**
-     * @inheritdoc
+     * Backup is responsible for initialising the local repo and pusing it to upstream.
+     * To ensure initial content, we should trigger a 'system event config_changed' which should enforce a
+     * add + commit in our (newly created) repo.
+     *
+     * Since our backup method is also called from the userinterface directly, we should try to prevent the need
+     * for elevated rights. Since all actions are concentrated within the config directory, we only need read/exec
+     * access on git. (detaching this further would deviate the implementation from the existing ones)
+     *
+     * @return array filelist
      */
     public function backup()
     {
-        return ['config.xml'];
+        $targetdir = "/conf/backup/git";
+        $git = "/usr/local/bin/git";
+        $mdl = new GitSettings();
+        if (!is_dir($targetdir)) {
+            mkdir($targetdir);
+        }
+        if (!is_dir('{$targetdir}/.git')) {
+            exec("{$git} init {$targetdir}");
+        }
+        // XXX: since our git backup is plain text and already contains the private key, it doesn't really matter
+        //      to keep the same key in the git directory (we're not going to push it)
+        $ident_file = "{$targetdir}/identity";
+        $privkey = trim(str_replace("\r", "", (string)$mdl->privkey)) . "\n";
+        file_put_contents($ident_file, $privkey);
+        chmod("{$targetdir}/identity", 0600);
+        // When there are unprocessed config backups, flush them out.
+        (new Backend())->configdRun("system event config_changed");
+        // configure upstream
+        exec("cd {$targetdir} && ".
+            "{$git} config core.sshCommand ".
+            "\"ssh -i {$ident_file} -o StrictHostKeyChecking=accept-new -o PasswordAuthentication=no\""
+        );
+        $url = (string)$mdl->url;
+        $pos = strpos($url, '//');
+        // inject credentials in url (either username or username:password, depending on transport)
+        if (stripos(trim((string)$mdl->$url),'http')) {
+            $cred = urlencode((string)$mdl->user) . ":" . urlencode((string)$mdl->password);
+            $url = substr($url,0, $pos+2) . "{$cred}@" . substr($url, $pos+2);
+        } else {
+            $url = substr($url,0, $pos+2) . urlencode((string)$mdl->user) . "@" . substr($url, $pos+2);
+        }
+        exec("cd {$targetdir} && git remote remove origin");
+        exec("cd {$targetdir} && git remote add origin ". escapeshellarg($url));
+        $pushtxt = shell_exec(
+            "(cd {$targetdir} && git push origin " . escapeshellarg("master:{$mdl->branch}") .
+            " && echo '__exit_ok__') 2>&1"
+        );
+        if (strpos($pushtxt, '__exit_ok__')) {
+            $error_type = null;
+        } elseif (strpos($pushtxt, 'Permission denied')) {
+            $error_type = "authentication failure";
+        } elseif (strpos($pushtxt, 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED')) {
+            $error_type = "ssh hostkey changed";
+        } elseif (strpos($pushtxt, "remote contains work that you do")) {
+            $error_type = "git out of sync";
+        } else {
+            $error_type = "unknown error, check log for details";
+        }
+        if (!empty($error_type)) {
+            syslog(LOG_ERR, "git-backup {$error_type} (".str_replace("\n", " ", $pushtxt).")");
+            throw new \Exception($error_type);
+        } else {
+            // return filelist in git
+            return explode("\n", shell_exec("cd {$targetdir} && git ls-files"));
+        }
     }
 
     /**
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
index 84f9f0fc42..52c88d582a 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
+++ b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
@@ -29,6 +29,10 @@
                 </check001>
             </Constraints>
         </url>
+        <branch type="TextField">
+          <default>master</default>
+          <Required>Y</Required>
+        </branch>
         <privkey type="TextField">
             <Required>N</Required>
         </privkey>

From ff2eba73db26f31e6894c78f17dab319c3287d0b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 6 Oct 2020 22:38:36 +0200
Subject: [PATCH 0233/3088] security/acme-client: add support for All-Inkl.com
 domain API, closes #1130

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 20 ++++++++
 .../AcmeClient/LeValidation/DnsKas.php        | 46 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 14 ++++++
 4 files changed, 81 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKas.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index ad11ff7def..9e90b9e385 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,7 @@ Added:
 * add new OOP backend to improve reliability and maintainability (#1398)
 * add status for accounts to backend and WebGUI
 * add button to manually trigger account registration
+* add support for All-Inkl.com domain API (#1130)
 * add plugin changelog
 
 Fixed:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 6dc61e3f75..10ec7609c1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1161,4 +1161,24 @@
         <label>API Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>All-Inkl.com domain API</label>
+        <type>header</type>
+        <style>table_dns table_dns_kas</style>
+    </field>
+    <field>
+        <id>validation.dns_kas_login</id>
+        <label>KAS Login</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_kas_authdata</id>
+        <label>KAS Authdata</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_kas_authtype</id>
+        <label>KAS Authtype</label>
+        <type>dropdown</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKas.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKas.php
new file mode 100644
index 0000000000..8dc7ff1264
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsKas.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * All-Inkl.com domain API
+ * @package OPNsense\AcmeClient
+ */
+class DnsKas extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['KAS_Login'] = (string)$this->config->dns_kas_login;
+        $this->acme_env['KAS_Authdata'] = (string)$this->config->dns_kas_authdata;
+        $this->acme_env['KAS_Authtype'] = (string)$this->config->dns_kas_authtype;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 2179a1cdd9..9f7b7f6337 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -372,6 +372,7 @@
                         <dns_acmeproxy>Acmeproxy API</dns_acmeproxy>
                         <dns_ad>Alwaysdata.com API</dns_ad>
                         <dns_ali>aliyun.com API</dns_ali>
+                        <dns_kas>All-Inkl.com domain API</dns_kas>
                         <dns_arvan>ArvanCloud API</dns_arvan>
                         <dns_autodns>AutoDNS (InterNetX) API</dns_autodns>
                         <dns_aws>AWS Route 53</dns_aws>
@@ -921,6 +922,19 @@
                 <dns_1984hosting_password type="TextField">
                     <Required>N</Required>
                 </dns_1984hosting_password>
+                <dns_kas_login type="TextField">
+                    <Required>N</Required>
+                </dns_kas_login>
+                <dns_kas_authdata type="TextField">
+                    <Required>N</Required>
+                </dns_kas_authdata>
+                <dns_kas_authtype type="OptionField">
+                    <Required>N</Required>
+                    <default>sha1</default>
+                    <OptionValues>
+                        <sha1>SHA1</sha1>
+                    </OptionValues>
+                </dns_kas_authtype>
             </validation>
         </validations>
         <actions>

From 625291d0f04d731db7e9eae7605ba5110676e48c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 6 Oct 2020 23:32:56 +0200
Subject: [PATCH 0234/3088] net/haproxy: add support for TLSv1.3, closes #790

---
 .../OPNsense/HAProxy/forms/dialogFrontend.xml | 20 ++++++-
 .../OPNsense/HAProxy/forms/generalTuning.xml  | 20 ++++++-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 52 +++++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 22 +++++++-
 4 files changed, 111 insertions(+), 3 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 32e200eb92..754bd8b038 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -98,11 +98,29 @@
         <sortable>true</sortable>
         <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
     </field>
+    <field>
+        <id>frontend.ssl_minVersion</id>
+        <label>Minimum SSL Version</label>
+        <type>dropdown</type>
+        <help><![CDATA[This option enforces use of the specified version (or higher) on SSL connections.]]></help>
+    </field>
+    <field>
+        <id>frontend.ssl_maxVersion</id>
+        <label>Maximum SSL Version</label>
+        <type>dropdown</type>
+        <help><![CDATA[This option enforces use of the specified version (or lower) on SSL connections.]]></help>
+    </field>
     <field>
         <id>frontend.ssl_cipherList</id>
         <label>Cipher List</label>
         <type>text</type>
-        <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
+        <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake up to TLSv1.2.]]></help>
+    </field>
+    <field>
+        <id>frontend.ssl_cipherSuites</id>
+        <label>Cipher Suites</label>
+        <type>text</type>
+        <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for TLSv1.3.]]></help>
     </field>
     <field>
         <id>frontend.ssl_hstsEnabled</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index a5abb322c0..33081d5766 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -93,10 +93,28 @@
         <allownew>true</allownew>
         <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
     </field>
+    <field>
+        <id>haproxy.general.tuning.ssl_minVersion</id>
+        <label>Minimum SSL Version</label>
+        <type>dropdown</type>
+        <help><![CDATA[This option enforces use of the specified version (or higher) on SSL connections.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.ssl_maxVersion</id>
+        <label>Maximum SSL Version</label>
+        <type>dropdown</type>
+        <help><![CDATA[This option enforces use of the specified version (or lower) on SSL connections.]]></help>
+    </field>
     <field>
         <id>haproxy.general.tuning.ssl_cipherList</id>
         <label>Cipher List</label>
         <type>text</type>
-        <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
+        <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake up to TLSv1.2.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.ssl_cipherSuites</id>
+        <label>Cipher Suites</label>
+        <type>text</type>
+        <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for TLSv1.3.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 914f3b74d9..87f42e7f9a 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -136,18 +136,44 @@
                         <no-tlsv10>no-tlsv10</no-tlsv10>
                         <no-tlsv11>no-tlsv11</no-tlsv11>
                         <no-tlsv12>no-tlsv12</no-tlsv12>
+                        <no-tlsv13>no-tlsv13</no-tlsv13>
                         <no-tls-tickets>no-tls-tickets</no-tls-tickets>
                         <force-sslv3>force-sslv3</force-sslv3>
                         <force-tlsv10>force-tlsv10</force-tlsv10>
                         <force-tlsv11>force-tlsv11</force-tlsv11>
                         <force-tlsv12>force-tlsv12</force-tlsv12>
+                        <force-tlsv13>force-tlsv13</force-tlsv13>
                         <strict-sni>strict-sni</strict-sni>
                     </OptionValues>
                 </ssl_bindOptions>
+                <ssl_minVersion type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <SSLv3>SSLv3</SSLv3>
+                        <TLSv1.0>TLSv1.0</TLSv1.0>
+                        <TLSv1.1>TLSv1.1</TLSv1.1>
+                        <TLSv1.2>TLSv1.2</TLSv1.2>
+                        <TLSv1.3>TLSv1.3</TLSv1.3>
+                    </OptionValues>
+                </ssl_minVersion>
+                <ssl_maxVersion type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <SSLv3>SSLv3</SSLv3>
+                        <TLSv1.0>TLSv1.0</TLSv1.0>
+                        <TLSv1.1>TLSv1.1</TLSv1.1>
+                        <TLSv1.2>TLSv1.2</TLSv1.2>
+                        <TLSv1.3>TLSv1.3</TLSv1.3>
+                    </OptionValues>
+                </ssl_maxVersion>
                 <ssl_cipherList type="TextField">
                     <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherList>
+                <ssl_cipherSuites type="TextField">
+                    <default>TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</default>
+                    <Required>N</Required>
+                </ssl_cipherSuites>
             </tuning>
             <defaults>
                 <maxConnections type="IntegerField">
@@ -442,18 +468,44 @@
                         <no-tlsv10>no-tlsv10</no-tlsv10>
                         <no-tlsv11>no-tlsv11</no-tlsv11>
                         <no-tlsv12>no-tlsv12</no-tlsv12>
+                        <no-tlsv13>no-tlsv13</no-tlsv13>
                         <no-tls-tickets>no-tls-tickets</no-tls-tickets>
                         <force-sslv3>force-sslv3</force-sslv3>
                         <force-tlsv10>force-tlsv10</force-tlsv10>
                         <force-tlsv11>force-tlsv11</force-tlsv11>
                         <force-tlsv12>force-tlsv12</force-tlsv12>
+                        <force-tlsv13>force-tlsv13</force-tlsv13>
                         <strict-sni>strict-sni</strict-sni>
                     </OptionValues>
                 </ssl_bindOptions>
+                <ssl_minVersion type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <SSLv3>SSLv3</SSLv3>
+                        <TLSv1.0>TLSv1.0</TLSv1.0>
+                        <TLSv1.1>TLSv1.1</TLSv1.1>
+                        <TLSv1.2>TLSv1.2</TLSv1.2>
+                        <TLSv1.3>TLSv1.3</TLSv1.3>
+                    </OptionValues>
+                </ssl_minVersion>
+                <ssl_maxVersion type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <SSLv3>SSLv3</SSLv3>
+                        <TLSv1.0>TLSv1.0</TLSv1.0>
+                        <TLSv1.1>TLSv1.1</TLSv1.1>
+                        <TLSv1.2>TLSv1.2</TLSv1.2>
+                        <TLSv1.3>TLSv1.3</TLSv1.3>
+                    </OptionValues>
+                </ssl_maxVersion>
                 <ssl_cipherList type="TextField">
                     <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherList>
+                <ssl_cipherSuites type="TextField">
+                    <default>TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</default>
+                    <Required>N</Required>
+                </ssl_cipherSuites>
                 <ssl_hstsEnabled type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 10dd9c4952..1796018a48 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -869,16 +869,27 @@ global
 {% endif %}
 {# # ssl default settings #}
 {% if OPNsense.HAProxy.general.tuning.ssl_defaultsEnabled|default("") == '1' %}
+{%   set bindopts = [] %}
 {%   if OPNsense.HAProxy.general.tuning.ssl_bindOptions|default("") != "" %}
-{%     set bindopts = [] %}
 {%     for bindopt in OPNsense.HAProxy.general.tuning.ssl_bindOptions.split(",") %}
 {%       do bindopts.append(bindopt) %}
 {%     endfor %}
+{%   endif %}
+{%   if OPNsense.HAProxy.general.tuning.ssl_minVersion|default("") != "" %}
+{%     do bindopts.append('ssl-min-ver ' ~ OPNsense.HAProxy.general.tuning.ssl_minVersion) %}
+{%   endif %}
+{%   if OPNsense.HAProxy.general.tuning.ssl_maxVersion|default("") != "" %}
+{%     do bindopts.append('ssl-max-ver ' ~ OPNsense.HAProxy.general.tuning.ssl_maxVersion) %}
+{%   endif %}
+{%   if (bindopts is defined and bindopts|default("") != "" )%}
     ssl-default-bind-options {{ bindopts|join(' ') }}
 {%   endif %}
 {%   if OPNsense.HAProxy.general.tuning.ssl_cipherList|default("") != "" %}
     ssl-default-bind-ciphers {{ OPNsense.HAProxy.general.tuning.ssl_cipherList }}
 {%   endif %}
+{%   if OPNsense.HAProxy.general.tuning.ssl_cipherSuites|default("") != "" %}
+    ssl-default-bind-ciphersuites {{ OPNsense.HAProxy.general.tuning.ssl_cipherSuites }}
+{%   endif %}
 {% endif %}
 {# # pass-through options #}
 {% if OPNsense.HAProxy.general.tuning.customOptions|default("") != "" %}
@@ -1064,9 +1075,18 @@ frontend {{frontend.name}}
 {%               do ssl_options.append(bindopt) %}
 {%             endfor %}
 {%           endif %}
+{%           if frontend.ssl_minVersion|default("") != "" %}
+{%             do ssl_options.append('ssl-min-ver ' ~ frontend.ssl_minVersion) %}
+{%           endif %}
+{%           if frontend.ssl_maxVersion|default("") != "" %}
+{%             do ssl_options.append('ssl-max-ver ' ~ frontend.ssl_maxVersion) %}
+{%           endif %}
 {%           if frontend.ssl_cipherList|default("") != "" %}
 {%             do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
 {%           endif %}
+{%           if frontend.ssl_cipherSuites|default("") != "" %}
+{%             do ssl_options.append('ciphersuites ' ~ frontend.ssl_cipherSuites) %}
+{%           endif %}
 {#           # HSTS #}
 {%           if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}
 {%             set hsts_options = [] %}

From ff730a64033bd909a1372241cf1a0b5908e807c2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 6 Oct 2020 23:47:31 +0200
Subject: [PATCH 0235/3088] net/haproxy: bump version, update changelog

---
 net/haproxy/Makefile  | 2 +-
 net/haproxy/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index a27f039622..65767a88aa 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		2.24
+PLUGIN_VERSION=		2.25
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy20
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index be9ec9837e..0f76d393a1 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+2.25
+
+Added:
+* add support for TLSv1.3 (#790)
+
 2.24
 
 Added:

From d12b1fc72a5c31c8bc4faba420e10bed33606ded Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 7 Oct 2020 15:11:35 +0200
Subject: [PATCH 0236/3088] Git backup: work in progress for
 https://github.com/opnsense/plugins/issues/2049

o add config change event hook

sponsored by : Modirum (https://www.modirum.com/)
---
 .../src/etc/rc.syshook.d/config/10-git-backup | 75 +++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100755 sysutils/git-backup/src/etc/rc.syshook.d/config/10-git-backup

diff --git a/sysutils/git-backup/src/etc/rc.syshook.d/config/10-git-backup b/sysutils/git-backup/src/etc/rc.syshook.d/config/10-git-backup
new file mode 100755
index 0000000000..0cdd8eaf17
--- /dev/null
+++ b/sysutils/git-backup/src/etc/rc.syshook.d/config/10-git-backup
@@ -0,0 +1,75 @@
+#!/usr/local/bin/python3
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import datetime
+import os
+import subprocess
+import sys
+import xml.etree.ElementTree as ET
+
+
+if len(sys.argv) > 1:
+    commit_msg =  "unknown change"
+    try:
+        tree = ET.parse(sys.argv[1])
+        xmlroot = tree.getroot()
+    except (FileNotFoundError, ET.ParseError):
+        xmlroot = None
+
+    if xmlroot:
+        # extract configuration revision data
+        metadata_fields = {
+            './system/hostname': 'localhost',
+            './system/domain': 'localdomain',
+            './revision/description': '',
+            './revision/username': 'unknown',
+            './revision/time': '0',
+        }
+        metadata = dict()
+        for key in metadata_fields:
+            metadata[key] = xmlroot.findall(key)[0].text if xmlroot.findall(key) else metadata_fields[key]
+
+        if metadata['./revision/time'].replace('.', '').isdigit():
+            revdate = datetime.datetime.fromtimestamp(float(metadata['./revision/time'])).isoformat()
+        else:
+            revdate = "-"
+
+        username = metadata['./revision/username'].split('@')[0]
+        fullname = username
+        user_email = "%s@%s.%s" % (username, metadata['./system/hostname'], metadata['./system/domain'])
+        for user in xmlroot.findall('./system/user'):
+            try:
+                if user.find('name').text == username:
+                    if user.find('email') is not None:
+                        user_email = user.find('email').text
+                    if user.find('descr') is not None:
+                        fullname = user.find('descr').text
+                    break
+            except AttributeError:
+                pass
+
+        # snapshot provided config.xml into git staging and commit with extracted data
+        os.chdir('/conf/backup/git/')
+        subprocess.run(['cp', sys.argv[1], '/conf/backup/git/config.xml'])
+        subprocess.run(['/usr/local/bin/git', 'add', 'config.xml'])
+        message = "%s @ %s (%s)" % (metadata['./revision/description'], revdate, metadata['./revision/username'])
+        subprocess.run(['/usr/local/bin/git', 'commit', '--author', "%s<%s>" % (fullname, user_email), '-m', message])

From e725cc6737d85ce3730e97f67487a0d17a3e0da8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 8 Oct 2020 09:52:49 +0200
Subject: [PATCH 0237/3088] Git backup: fix minor regressions for
 https://github.com/opnsense/plugins/issues/2049

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Git.php      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index f093a3b82b..6a2fdc0ec8 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -155,7 +155,7 @@ public function backup()
         $url = (string)$mdl->url;
         $pos = strpos($url, '//');
         // inject credentials in url (either username or username:password, depending on transport)
-        if (stripos(trim((string)$mdl->$url),'http')) {
+        if (stripos(trim((string)$mdl->url),'http') === 0) {
             $cred = urlencode((string)$mdl->user) . ":" . urlencode((string)$mdl->password);
             $url = substr($url,0, $pos+2) . "{$cred}@" . substr($url, $pos+2);
         } else {
@@ -169,7 +169,7 @@ public function backup()
         );
         if (strpos($pushtxt, '__exit_ok__')) {
             $error_type = null;
-        } elseif (strpos($pushtxt, 'Permission denied')) {
+        } elseif (strpos($pushtxt, 'Permission denied') || strpos($pushtxt, 'Authentication failed ')) {
             $error_type = "authentication failure";
         } elseif (strpos($pushtxt, 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED')) {
             $error_type = "ssh hostkey changed";

From 87c4c96fe1d1dc881f72f91ee67b6a84c9dea42a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 8 Oct 2020 09:53:57 +0200
Subject: [PATCH 0238/3088] Git backup: change version to prepare for initial
 release.

for https://github.com/opnsense/plugins/issues/2049

sponsored by : Modirum (https://www.modirum.com/)
---
 sysutils/git-backup/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 8ac82dd76f..2948e1fb12 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=        git-backup
-PLUGIN_VERSION=     0.1
+PLUGIN_VERSION=     1.0
 PLUGIN_COMMENT=     Track config changes using git
 PLUGIN_DEPENDS=     git
 PLUGIN_MAINTAINER=  ad@opnsense.org

From 752ed06eaf516896520bfa7e76af96c63778c9ba Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 8 Oct 2020 10:01:10 +0200
Subject: [PATCH 0239/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 66e8a5f892..ff0ae9493a 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,7 @@ sysutils/api-backup -- Provide the functionality to download the config.xml
 sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/boot-delay -- Apply a persistent 10 second boot delay
 sysutils/dmidecode -- Display hardware information on the dashboard
-sysutils/git-backup -- Track config changes using git (development only)
+sysutils/git-backup -- Track config changes using git
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitorin agent

From ba2cb35235322a54ca817457c018fbedd96b9108 Mon Sep 17 00:00:00 2001
From: cordelster <cordelster@gmail.com>
Date: Wed, 14 Oct 2020 00:40:06 -0700
Subject: [PATCH 0240/3088] Update mods-enabled-ldap (#2061)

Add NT-Password entry for FreeIPA compatibility. FreeIPA requires looking for ipaNTHash.
---
 .../service/templates/OPNsense/Freeradius/mods-enabled-ldap      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
index 30b5f8d293..cd80e84f29 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
@@ -28,6 +28,7 @@ ldap {
                 control:LM-Password             := 'sambaLmPassword'
                 control:NT-Password             := 'sambaNtPassword'
                 control:LM-Password             := 'dBCSPwd'
+                control:NT-Password             := 'ipaNTHash'
                 control:Password-With-Header    += 'userPassword'
                 control:SMB-Account-CTRL-TEXT   := 'acctFlags'
                 control:Expiration              := 'radiusExpiration'

From df263e5fa1c4f1ef0200a95c080f39b2eb6c9aa6 Mon Sep 17 00:00:00 2001
From: schreibubi <schreibubi@users.noreply.github.com>
Date: Wed, 14 Oct 2020 13:41:02 +0200
Subject: [PATCH 0241/3088] Freeradius TLS (#1900)

* net/freeradius: Allow '@' as part of the username

Freeradius allows to have e-mail addresses as usernames.

* net/freeradius: Add option to enforce that user-name and certificate common-name are identical

* net/freeradius: Allow '/' as part of the username

Windows authenticates machines with host/ prefixed to the username, thus need to
allow specifying usernames containing '/'.

* net/freeradius: Allow selection of TLS for default EAP type

* net/freeradius: Bump version number to 1.9.8 and update pkg-descr
---
 net/freeradius/Makefile                       |   2 +-
 net/freeradius/pkg-descr                      |   6 +
 .../forms/dialogEditFreeRADIUSUser.xml        |   2 +-
 .../OPNsense/Freeradius/forms/eap.xml         |   6 +
 .../app/models/OPNsense/Freeradius/Eap.xml    |   5 +
 .../app/models/OPNsense/Freeradius/User.xml   |   2 +-
 .../templates/OPNsense/Freeradius/+TARGETS    |   1 +
 .../OPNsense/Freeradius/mods-enabled-eap      |   6 +-
 .../Freeradius/sites-enabled-check-eap-tls    | 137 ++++++++++++++++++
 9 files changed, 163 insertions(+), 4 deletions(-)
 create mode 100644 net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-check-eap-tls

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 2178cd8749..ca1e699b54 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.7
+PLUGIN_VERSION=		1.9.8
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index bedbd33dad..3c64880be9 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,12 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.8
+
+* Add support for checking TLS certificate names
+* Allow / and @ as part of the user-names
+* Allow TLS as the default EAP type
+
 1.9.7
 
 * Fix Login-Time validation
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
index 1f1cc7ec81..a859a6396d 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
@@ -9,7 +9,7 @@
         <id>user.username</id>
         <label>Username</label>
         <type>text</type>
-        <help>Set the unique username for the user. Allowed characters are 0-9, a-z, A-Z, and ._-</help>
+        <help>Set the unique username for the user. Allowed characters are 0-9, a-z, A-Z, and ._-@/</help>
     </field>
     <field>
         <id>user.password</id>
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index c13503bed9..531cc4fde8 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -29,4 +29,10 @@
         <type>dropdown</type>
         <help>This enables CRL checking, please restart this service with every change to the CRL.</help>
     </field>
+    <field>
+        <id>eap.check_tls_names</id>
+        <label>Check TLS Common-Name</label>
+        <type>checkbox</type>
+        <help>Checks that the username given by the user matches the Common-Name of the certificate.</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 005d63707f..f2b451bea4 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -11,6 +11,7 @@
                 <md5>MD5</md5>
                 <mschapv2>MSCHAPv2</mschapv2>
                 <peap>PEAP</peap>
+                <tls>TLS</tls>
                 <ttls>TTLS</ttls>
             </OptionValues>
         </default_eap_type>
@@ -30,5 +31,9 @@
             <Type>crl</Type>
             <Required>N</Required>
         </crl>
+        <check_tls_names type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </check_tls_names>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index c2432ab0b0..f56b97050c 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -11,7 +11,7 @@
                 </enabled>
                 <username type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+                    <mask>/^([0-9a-zA-Z@._\-\/]){1,128}$/u</mask>
                 </username>
                 <password type="TextField">
                     <Required>Y</Required>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
index 083726a5da..4de8793c1a 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
@@ -14,4 +14,5 @@ radiusd.conf:/usr/local/etc/raddb/radiusd.conf
 sites-enabled-default:/usr/local/etc/raddb/sites-enabled/default
 sites-enabled-dhcp:/usr/local/etc/raddb/sites-enabled/dhcp
 sites-enabled-inner-tunnel:/usr/local/etc/raddb/sites-enabled/inner-tunnel
+sites-enabled-check-eap-tls:/usr/local/etc/raddb/sites-enabled/check-eap-tls
 users:/usr/local/etc/raddb/mods-config/files/authorize
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index f5fa439da8..d1ec223d21 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -593,7 +593,11 @@ eap {
                 # virtual server has access to these attributes, and can
                 # be used to accept or reject the request.
                 #
-        #       virtual_server = check-eap-tls
+{% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
+{%   if helpers.exists('OPNsense.freeradius.eap.check_tls_names') and OPNsense.freeradius.eap.check_tls_names == '1' %}
+                virtual_server = check-eap-tls
+{%   endif %}
+{% endif %}	
         }
 
 
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-check-eap-tls b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-check-eap-tls
new file mode 100644
index 0000000000..bc74ab5b67
--- /dev/null
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-check-eap-tls
@@ -0,0 +1,137 @@
+# This virtual server allows EAP-TLS to reject access requests
+# based on some attributes of the certificates involved.
+#
+# To use this virtual server, you must enable it in the tls
+# section of mods-enabled/eap as well as adding a link to this
+# file in sites-enabled/.
+#
+#
+# Value-pairs that are available for checking include:
+#
+#   TLS-Client-Cert-Subject
+#   TLS-Client-Cert-Issuer
+#   TLS-Client-Cert-Common-Name
+#   TLS-Client-Cert-Subject-Alt-Name-Email
+#
+# To see a full list of attributes, run the server in debug mode
+# with this virtual server configured, and look at the attributes
+# passed in to this virtual server.
+#
+#
+# This virtual server is also useful when using EAP-TLS as it is
+# only called once, just before the final Accept is about to be
+# returned from eap, whereas the outer authorize section is called
+# multiple times for each challenge / response. For this reason,
+# here may be a good location to put authentication logging, and
+# modules that check for further authorization, especially if they
+# hit external services such as sql or ldap.
+
+
+server check-eap-tls {
+
+
+# Authorize - this is the only section required.
+#
+# To accept the access request, set Auth-Type = Accept, otherwise
+# set it to Reject.
+
+authorize {
+
+	#
+	# By default, we just accept the request:
+	#
+	update config {
+		&Auth-Type := Accept
+	}
+
+
+	#
+	# Check the client certificate matches a string, and reject otherwise
+	#
+
+#	if ("%{TLS-Client-Cert-Common-Name}" == 'client.example.com') {
+#		update config {
+#			&Auth-Type := Accept
+#		}
+#	}
+#	else {
+#		update config {
+#			&Auth-Type := Reject
+#		}
+#		update reply {
+#			&Reply-Message := "Your certificate is not valid."
+#		}
+#	}
+
+
+	#
+	# Check the client certificate common name against the supplied User-Name
+	#
+	if (&User-Name == &TLS-Client-Cert-Common-Name || &User-Name == "host/%{TLS-Client-Cert-Common-Name}") {
+		update config {
+			&Auth-Type := Accept
+		}
+	}
+	else {
+		update config {
+			&Auth-Type := Reject
+		}
+	}
+
+
+	#
+	# This is a convenient place to call LDAP, for example, when using
+	# EAP-TLS, as it will only be called once, after all certificates as
+	# part of the EAP-TLS challenge process have been verified.
+	#
+	# An example could be to use LDAP to check that the connecting host, as
+	# well as presenting a valid certificate, is also in a group based on
+	# the User-Name (assuming this contains the service principal name).
+	# Settings such as the following could be used in the ldap module
+	# configuration:
+	#
+	# basedn = "dc=example, dc=com"
+	# filter = "(servicePrincipalName=%{User-Name})"
+	# base_filter = "(objectClass=computer)"
+	# groupname_attribute = cn
+	# groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
+
+#	ldap
+
+	# Now let's test membership of an LDAP group (the ldap bind user will
+	# need permission to read this group membership):
+
+#	if (!(Ldap-Group == "Permitted-Laptops")) {
+#		update config {
+#			&Auth-Type := Reject
+#		}
+#	}
+
+	# or, to be more specific, you could use the group's full DN:
+	# if (!(Ldap-Group == "CN=Permitted-Laptops,OU=Groups,DC=example,DC=org")) {
+
+
+	#
+	# This may be a better place to call the files modules when using
+	# EAP-TLS, as it will only be called once, after the challenge-response
+	# iteration has completed.
+	#
+
+	files
+
+	expiration
+	logintime
+
+	#
+	# Log all request attributes, plus TLS certificate details, to the
+	# auth_log file. Again, this is just once per connection request, so
+	# may be preferable than in the outer authorize section. It is
+	# suggested that 'auth_log' also be in the outer post-auth and
+	# Post-Auth REJECT sections to log reply packet details, too.
+	#
+
+	#auth_log
+
+}
+}
+

From 949b7e3f56f833f6148e0bd910407f89a38f5de2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Oct 2020 07:36:08 +0200
Subject: [PATCH 0242/3088] net/freeradius: whitespace sweep

---
 .../service/templates/OPNsense/Freeradius/mods-enabled-eap      | 2 +-
 .../templates/OPNsense/Freeradius/sites-enabled-check-eap-tls   | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index d1ec223d21..5dc3b327fd 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -597,7 +597,7 @@ eap {
 {%   if helpers.exists('OPNsense.freeradius.eap.check_tls_names') and OPNsense.freeradius.eap.check_tls_names == '1' %}
                 virtual_server = check-eap-tls
 {%   endif %}
-{% endif %}	
+{% endif %}
         }
 
 
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-check-eap-tls b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-check-eap-tls
index bc74ab5b67..fbea17959b 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-check-eap-tls
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-check-eap-tls
@@ -134,4 +134,3 @@ authorize {
 
 }
 }
-

From 8db3b0e5eca43e4aa485fb06a539dd8c6d06e802 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Oct 2020 07:42:38 +0200
Subject: [PATCH 0243/3088] plugins: style sweep

---
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    |  4 +-
 .../AcmeClient/LeAutomationFactory.php        |  2 +-
 .../AcmeClient/LeValidationFactory.php        |  2 +-
 .../scripts/OPNsense/AcmeClient/lecert.php    |  6 ++-
 .../mvc/app/library/OPNsense/Backup/Git.php   | 39 +++++++++----------
 5 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 61d2f06b44..c21cab989a 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -680,9 +680,9 @@ class updatedns
                 * dnsUser ("Username" field in OPNsense) should be the subdomain / A-record ("myrecord" in 2nd-level domain)
                 * dnsPass should be the Gandi-API key
                 */
-                $server = "https://dns.api.gandi.net/api/v5/domains/". $this->_dnsHost . "/records/" . $this->_dnsUser . "/A";
+                $server = "https://dns.api.gandi.net/api/v5/domains/" . $this->_dnsHost . "/records/" . $this->_dnsUser . "/A";
 
-                $body = '{"rrset_ttl":"' . "300" . '", "rrset_values":["'. $this->_dnsIP . '"]}';
+                $body = '{"rrset_ttl":"' . "300" . '", "rrset_values":["' . $this->_dnsIP . '"]}';
 
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
                 curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
index 82a8e857df..044b5d8400 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
@@ -29,7 +29,7 @@
 
 namespace OPNsense\AcmeClient;
 
-use \OPNsense\AcmeClient\AcmeClient;
+use OPNsense\AcmeClient\AcmeClient;
 
 /**
 * Class LeAutomationFactory
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
index 5786a8f332..1a2611d219 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
@@ -29,7 +29,7 @@
 
 namespace OPNsense\AcmeClient;
 
-use \OPNsense\AcmeClient\AcmeClient;
+use OPNsense\AcmeClient\AcmeClient;
 
 /**
 * Class LeValidationFactory
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
index a01df9d55b..3b3d61bdae 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
@@ -142,8 +142,10 @@ function main()
     $force = isset($options['force']) ? true : false;
 
     // Verify mode and arguments
-    if (empty($options) || isset($options['h']) || isset($options['help']) ||
-        (isset($options['mode']) and !validateMode($options['mode']))) {
+    if (
+        empty($options) || isset($options['h']) || isset($options['help']) ||
+        (isset($options['mode']) and !validateMode($options['mode']))
+    ) {
          // Not enough or invalid arguments specified.
          help();
     } elseif (($options['mode'] === 'issue') && (isset($options['cert']) || isset($options['all']))) {
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index 6a2fdc0ec8..b9626d2119 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -105,17 +105,17 @@ public function getName()
     /**
      * @inheritdoc
      */
-     public function setConfiguration($conf)
-     {
-         $mdl = new GitSettings();
-         $this->setModelProperties($mdl, $conf);
-         $validation_messages = $this->validateModel($mdl);
-         if (empty($validation_messages)) {
-             $mdl->serializeToConfig();
-             Config::getInstance()->save();
-         }
-         return $validation_messages;
-     }
+    public function setConfiguration($conf)
+    {
+        $mdl = new GitSettings();
+        $this->setModelProperties($mdl, $conf);
+        $validation_messages = $this->validateModel($mdl);
+        if (empty($validation_messages)) {
+            $mdl->serializeToConfig();
+            Config::getInstance()->save();
+        }
+        return $validation_messages;
+    }
 
     /**
      * Backup is responsible for initialising the local repo and pusing it to upstream.
@@ -148,21 +148,20 @@ public function backup()
         // When there are unprocessed config backups, flush them out.
         (new Backend())->configdRun("system event config_changed");
         // configure upstream
-        exec("cd {$targetdir} && ".
-            "{$git} config core.sshCommand ".
-            "\"ssh -i {$ident_file} -o StrictHostKeyChecking=accept-new -o PasswordAuthentication=no\""
-        );
+        exec("cd {$targetdir} && " .
+            "{$git} config core.sshCommand " .
+            "\"ssh -i {$ident_file} -o StrictHostKeyChecking=accept-new -o PasswordAuthentication=no\"");
         $url = (string)$mdl->url;
         $pos = strpos($url, '//');
         // inject credentials in url (either username or username:password, depending on transport)
-        if (stripos(trim((string)$mdl->url),'http') === 0) {
+        if (stripos(trim((string)$mdl->url), 'http') === 0) {
             $cred = urlencode((string)$mdl->user) . ":" . urlencode((string)$mdl->password);
-            $url = substr($url,0, $pos+2) . "{$cred}@" . substr($url, $pos+2);
+            $url = substr($url, 0, $pos + 2) . "{$cred}@" . substr($url, $pos + 2);
         } else {
-            $url = substr($url,0, $pos+2) . urlencode((string)$mdl->user) . "@" . substr($url, $pos+2);
+            $url = substr($url, 0, $pos + 2) . urlencode((string)$mdl->user) . "@" . substr($url, $pos + 2);
         }
         exec("cd {$targetdir} && git remote remove origin");
-        exec("cd {$targetdir} && git remote add origin ". escapeshellarg($url));
+        exec("cd {$targetdir} && git remote add origin " . escapeshellarg($url));
         $pushtxt = shell_exec(
             "(cd {$targetdir} && git push origin " . escapeshellarg("master:{$mdl->branch}") .
             " && echo '__exit_ok__') 2>&1"
@@ -179,7 +178,7 @@ public function backup()
             $error_type = "unknown error, check log for details";
         }
         if (!empty($error_type)) {
-            syslog(LOG_ERR, "git-backup {$error_type} (".str_replace("\n", " ", $pushtxt).")");
+            syslog(LOG_ERR, "git-backup {$error_type} (" . str_replace("\n", " ", $pushtxt) . ")");
             throw new \Exception($error_type);
         } else {
             // return filelist in git

From 2871ba1546e28cd5bfe55d0debcbd218280cc070 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 21 Oct 2020 13:01:17 +0200
Subject: [PATCH 0244/3088] net/frr: add description fields to BGP (#2054)

---
 net/frr/Makefile                               |  2 +-
 net/frr/pkg-descr                              |  4 ++++
 .../OPNsense/Quagga/Api/BgpController.php      |  7 ++++---
 .../Quagga/forms/dialogEditBGPASPath.xml       |  6 ++++++
 .../Quagga/forms/dialogEditBGPNeighbor.xml     |  6 ++++++
 .../Quagga/forms/dialogEditBGPPrefixLists.xml  |  6 ++++++
 .../Quagga/forms/dialogEditBGPRouteMaps.xml    |  6 ++++++
 .../mvc/app/models/OPNsense/Quagga/BGP.xml     | 18 +++++++++++++++++-
 .../mvc/app/views/OPNsense/Quagga/bgp.volt     |  8 ++++----
 9 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index f107421c02..69b1b0e236 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.17
+PLUGIN_VERSION=		1.18
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7 ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 0523621f5a..76a1e094ee 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.18
+
+* Add description fields to BGP tabs
+
 1.17
 
 * Fix templating for BGP AS-Path Lists (by Steve Buzonas)
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 033d494c22..27a9278dc9 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -44,6 +44,7 @@ public function searchNeighborAction()
         return $this->searchBase(
             'neighbors.neighbor',
             array("enabled",
+                  "description",
                   "address",
                   "remoteas",
                   "updatesource",
@@ -82,7 +83,7 @@ public function searchAspathAction()
     {
         return $this->searchBase(
             'aspaths.aspath',
-            array("enabled", "number", "action", "as" )
+            array("enabled", "description", "number", "action", "as" )
         );
     }
 
@@ -111,7 +112,7 @@ public function searchPrefixlistAction()
     {
         return $this->searchBase(
             'prefixlists.prefixlist',
-            array("enabled", "name", "seqnumber", "action", "network" )
+            array("enabled", "description", "name", "seqnumber", "action", "network" )
         );
     }
     public function getPrefixlistAction($uuid = null)
@@ -139,7 +140,7 @@ public function searchRoutemapAction()
     {
         return $this->searchBase(
             'routemaps.routemap',
-            array("enabled", "name", "action", "id", "match", "match2", "set")
+            array("enabled", "description", "name", "action", "id", "match", "match2", "set")
         );
     }
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
index d195d60814..f68295e77d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
@@ -5,6 +5,12 @@
     <type>checkbox</type>
     <help>Enable / Disable</help>
   </field>
+  <field>
+    <id>aspath.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Add an optional description for this AS-Path list.</help>
+  </field>
   <field>
     <id>aspath.number</id>
     <label>Number</label>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 255a644db5..6476f9ee9f 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -4,6 +4,12 @@
     <label>Enabled</label>
     <type>checkbox</type>
   </field>
+  <field>
+    <id>neighbor.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Set an optional description for this neighbor.</help>
+  </field>
   <field>
     <id>neighbor.address</id>
     <label>Peer-IP</label>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
index a919f082ff..115e015de8 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
@@ -4,6 +4,12 @@
     <label>Enabled</label>
     <type>checkbox</type>
     <help>Enable / Disable</help>
+  </field>
+    <field>
+    <id>prefixlist.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Add an optional description for this Prefix-List.</help>
   </field>
   <field>
     <id>prefixlist.name</id>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
index bd4e8380f8..31fe3b5c69 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
@@ -5,6 +5,12 @@
     <type>checkbox</type>
     <help>Enable / Disable</help>
   </field>
+  <field>
+    <id>routemap.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Add an optional description for this route-map.</help>
+  </field>
   <field>
     <id>routemap.name</id>
     <label>Name</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index eb30efc701..4d11fa76d3 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bgp</mount>
     <description>BGP Routing configuration</description>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -39,6 +39,10 @@
                                 <default>1</default>
                                 <Required>Y</Required>
                         </enabled>
+                        <description type="TextField">
+                                <default></default>
+                                <Required>N</Required>
+                        </description>
                         <address type="NetworkField">
                                 <default></default>
                                 <Required>Y</Required>
@@ -130,6 +134,10 @@
                                 <default>1</default>
                                 <Required>Y</Required>
                         </enabled>
+                        <description type="TextField">
+                                <default></default>
+                                <Required>N</Required>
+                        </description>
                         <number type="IntegerField">
                                 <default></default>
                                 <Required>Y</Required>
@@ -156,6 +164,10 @@
                                 <default>1</default>
                                 <Required>Y</Required>
                         </enabled>
+                        <description type="TextField">
+                                <default></default>
+                                <Required>N</Required>
+                        </description>
                         <name type="TextField">
                                 <default></default>
                                 <Required>Y</Required>
@@ -196,6 +208,10 @@
                                 <default>1</default>
                                 <Required>Y</Required>
                         </enabled>
+                        <description type="TextField">
+                                <default></default>
+                                <Required>N</Required>
+                        </description>
                         <name type="TextField">
                                 <default></default>
                                 <Required>Y</Required>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 397a799fbd..635b21985c 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -50,12 +50,9 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
                     <th data-column-id="address" data-type="string" data-visible="true">{{ lang._('Neighbor Address') }}</th>
                     <th data-column-id="remoteas" data-type="string" data-visible="true">{{ lang._('Remote AS') }}</th>
-                    <th data-column-id="updatesource" data-type="string" data-visible="true">{{ lang._('Update Source Address') }}</th>
-                    <th data-column-id="nexthopself" data-type="string" data-formatter="rowtoggle">{{ lang._('Next Hop Self') }}</th>
-                    <th data-column-id="multihop" data-type="string" data-formatter="rowtoggle">{{ lang._('Multi Hop') }}</th>
-                    <th data-column-id="defaultoriginate" data-type="string" data-formatter="rowtoggle">{{ lang._('Default Originate') }}</th>
                     <th data-column-id="linkedPrefixlistIn" data-type="string" data-visible="true">{{ lang._('Prefix List inbound') }}</th>
                     <th data-column-id="linkedPrefixlistOut" data-type="string" data-visible="true">{{ lang._('Prefix List outbound') }}</th>
                     <th data-column-id="linkedRoutemapIn" data-type="string" data-visible="true">{{ lang._('Route Map inbound') }}</th>
@@ -83,6 +80,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
                     <th data-column-id="number" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Number') }}</th>
                     <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
                     <th data-column-id="as" data-type="string" data-visible="true" data-sortable="false">{{ lang._('AS Number') }}</th>
@@ -110,6 +108,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
                     <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Secquence Number') }}</th>
                     <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
                     <th data-column-id="network" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Network') }}</th>
@@ -137,6 +136,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
                     <th data-column-id="action" data-type="string" data-visible="true">{{ lang._('Action') }}</th>
                     <th data-column-id="id" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
                     <th data-column-id="match" data-type="string" data-visible="true">{{ lang._('AS Path List') }}</th>

From 02269d96af2f2415ba0fc1b761ed3c2effbce624 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 22 Oct 2020 09:19:32 +0200
Subject: [PATCH 0245/3088] sysutils/hw-probe: New plugin (#2075)

---
 sysutils/hw-probe/Makefile                    |  8 +++
 sysutils/hw-probe/pkg-descr                   |  1 +
 .../Hwprobe/Api/GeneralController.php         | 37 +++++++++++++
 .../Hwprobe/Api/ServiceController.php         | 51 ++++++++++++++++++
 .../OPNsense/Hwprobe/GeneralController.php    | 38 +++++++++++++
 .../OPNsense/Hwprobe/forms/general.xml        |  8 +++
 .../app/models/OPNsense/Hwprobe/ACL/ACL.xml   |  9 ++++
 .../app/models/OPNsense/Hwprobe/General.php   | 35 ++++++++++++
 .../app/models/OPNsense/Hwprobe/General.xml   | 11 ++++
 .../app/models/OPNsense/Hwprobe/Menu/Menu.xml |  7 +++
 .../app/views/OPNsense/Hwprobe/general.volt   | 54 +++++++++++++++++++
 .../conf/actions.d/actions_hwprobe.conf       |  5 ++
 12 files changed, 264 insertions(+)
 create mode 100644 sysutils/hw-probe/Makefile
 create mode 100644 sysutils/hw-probe/pkg-descr
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/Api/GeneralController.php
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/Api/ServiceController.php
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/GeneralController.php
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/forms/general.xml
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/ACL/ACL.xml
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.php
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.xml
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/Menu/Menu.xml
 create mode 100644 sysutils/hw-probe/src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt
 create mode 100644 sysutils/hw-probe/src/opnsense/service/conf/actions.d/actions_hwprobe.conf

diff --git a/sysutils/hw-probe/Makefile b/sysutils/hw-probe/Makefile
new file mode 100644
index 0000000000..8ce8dff665
--- /dev/null
+++ b/sysutils/hw-probe/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		hw-probe
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		Collect hardware diagnostics
+PLUGIN_DEPENDS=		hw-probe
+PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_DEVEL=       yes
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/hw-probe/pkg-descr b/sysutils/hw-probe/pkg-descr
new file mode 100644
index 0000000000..efb1be1a14
--- /dev/null
+++ b/sysutils/hw-probe/pkg-descr
@@ -0,0 +1 @@
+Send anonymized hardware diagnostics to https://bsd-hardware.info
\ No newline at end of file
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/Api/GeneralController.php b/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/Api/GeneralController.php
new file mode 100644
index 0000000000..41096f3bb8
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/Api/GeneralController.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Hwprobe\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Hwprobe\General';
+    protected static $internalModelName = 'general';
+}
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/Api/ServiceController.php b/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/Api/ServiceController.php
new file mode 100644
index 0000000000..8fd5e8d39f
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/Api/ServiceController.php
@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Hwprobe\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Hwprobe\General';
+    protected static $internalServiceTemplate = 'OPNsense/Hwprobe';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'hwprobe';
+
+    /**
+     * generate report
+     * @return array
+     */
+    public function reportAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("hwprobe report");
+        return array("response" => $response);
+    }
+}
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/GeneralController.php b/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/GeneralController.php
new file mode 100644
index 0000000000..1c9c039da0
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/GeneralController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Hwprobe;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm('general');
+        $this->view->pick('OPNsense/Hwprobe/general');
+    }
+}
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/forms/general.xml b/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/forms/general.xml
new file mode 100644
index 0000000000..6b77826112
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/controllers/OPNsense/Hwprobe/forms/general.xml
@@ -0,0 +1,8 @@
+<form>
+    <field>
+        <id>general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable HW-Probe.</help>
+    </field>
+</form>
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/ACL/ACL.xml b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/ACL/ACL.xml
new file mode 100644
index 0000000000..6e3f606899
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+   <page-services-hwprobe>
+      <name>Services: HWProbe</name>
+      <patterns>
+         <pattern>ui/hwprobe/*</pattern>
+         <pattern>api/hwprobe/*</pattern>
+      </patterns>
+   </page-services-hwprobe>
+</acl>
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.php b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.php
new file mode 100644
index 0000000000..769be9ab14
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Hwprobe;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.xml b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.xml
new file mode 100644
index 0000000000..96efb0749d
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.xml
@@ -0,0 +1,11 @@
+<model>
+    <mount>//OPNsense/hwprobe/general</mount>
+    <description>HWProbe configuration</description>
+    <version>0.0.1</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+    </items>
+</model>
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/Menu/Menu.xml b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/Menu/Menu.xml
new file mode 100644
index 0000000000..33d99e72de
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/Menu/Menu.xml
@@ -0,0 +1,7 @@
+<menu>
+  <Services>
+    <HWProbe cssClass="fa fa-thermometer-half">
+      <General url="/ui/hwprobe/general/index"/>
+    </HWProbe>
+  </Services>
+</menu>
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt b/sysutils/hw-probe/src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt
new file mode 100644
index 0000000000..8e1a7d353c
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt
@@ -0,0 +1,54 @@
+{#
+ # Copyright (c) 2020 Deciso B.V.
+ # Copyright (c) 2020 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<div class="content-box" style="padding-bottom: 1.5em;">
+    <div class="col-md-12">
+        <hr />
+    </div>
+    <div id="hourly" class="tab-pane col-md-12 fade in">
+      <pre id="listreport"></pre>
+    </div>
+    <div class="col-md-12">
+        <hr />
+        <button class="btn btn-primary" id="reportAct" type="button"><b>{{ lang._('Generate') }}</b> <i id="reportAct_progress"></i></button>
+    </div>
+</div>
+
+<script>
+    $(function() {
+
+        // link save button to API set action
+        $("#reportAct").click(function(){
+                $("#reportAct_progress").addClass("fa fa-spinner fa-pulse");
+                ajaxCall(url="/api/hwprobe/service/report", sendData={}, callback=function(data,status) {
+                    $("#listreport").text(data['response']);
+                    $("#reportAct_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+        });
+    });
+</script>
+
diff --git a/sysutils/hw-probe/src/opnsense/service/conf/actions.d/actions_hwprobe.conf b/sysutils/hw-probe/src/opnsense/service/conf/actions.d/actions_hwprobe.conf
new file mode 100644
index 0000000000..14c0771a83
--- /dev/null
+++ b/sysutils/hw-probe/src/opnsense/service/conf/actions.d/actions_hwprobe.conf
@@ -0,0 +1,5 @@
+[report]
+command:/usr/local/bin/hw-probe
+parameters:
+type:script_output
+message:collecting hardware diagnostics

From 870d67212d760b32c3c66527c116ad1f474f712f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 22 Oct 2020 09:20:51 +0200
Subject: [PATCH 0246/3088] sysutils/hw-probe: small post-merges update

---
 README.md                                                       | 1 +
 sysutils/hw-probe/pkg-descr                                     | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt    | 1 -
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index ff0ae9493a..3a2bd61496 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,7 @@ sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/boot-delay -- Apply a persistent 10 second boot delay
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
+sysutils/hw-probe -- Collect hardware diagnostics (development only)
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitorin agent
diff --git a/sysutils/hw-probe/pkg-descr b/sysutils/hw-probe/pkg-descr
index efb1be1a14..b88c0c15f8 100644
--- a/sysutils/hw-probe/pkg-descr
+++ b/sysutils/hw-probe/pkg-descr
@@ -1 +1 @@
-Send anonymized hardware diagnostics to https://bsd-hardware.info
\ No newline at end of file
+Send anonymized hardware diagnostics to https://bsd-hardware.info
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt b/sysutils/hw-probe/src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt
index 8e1a7d353c..ea8530ea91 100644
--- a/sysutils/hw-probe/src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/views/OPNsense/Hwprobe/general.volt
@@ -51,4 +51,3 @@
         });
     });
 </script>
-

From be4dde9ec5c182862419a84545b365e5de5e3fbf Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 23 Oct 2020 15:44:09 +0200
Subject: [PATCH 0247/3088] net/haproxy: fix typo

---
 net/haproxy/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 0f76d393a1..60f0f6ba29 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -25,7 +25,7 @@ Fixed:
 Changed:
 * add "Save & Test syntax" button to all "Settings" pages
 * add "introduction" page for Settings tab
-* streamine "Settings" subtabs
+* streamline "Settings" subtabs
 
 2.23
 

From fc8df54f5e8ea9fa32e32c363d248a8c224d4bc2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 23 Oct 2020 22:37:36 +0200
Subject: [PATCH 0248/3088] net/haproxy: preserve sort order of default SSL
 bind options

---
 .../mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index 33081d5766..add58fc535 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -91,6 +91,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
+        <sortable>true</sortable>
         <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 87f42e7f9a..3c7763fc7b 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -130,6 +130,7 @@
                 <ssl_bindOptions type="OptionField">
                     <Required>N</Required>
                     <default>no-sslv3,no-tlsv10,no-tls-tickets</default>
+                    <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <OptionValues>
                         <no-sslv3>no-sslv3</no-sslv3>

From 8e2e0e794097294903efffe7247572fab3b5b8e9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 23 Oct 2020 22:38:12 +0200
Subject: [PATCH 0249/3088] net/haproxy: bump version

---
 net/haproxy/Makefile  | 2 +-
 net/haproxy/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 65767a88aa..98aea3903e 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		2.25
+PLUGIN_VERSION=		2.26
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy20
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 60f0f6ba29..af22b3790d 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+2.26
+
+Fixed:
+* preserve sort order of default SSL bind options
+
 2.25
 
 Added:

From 2abe16402c4267a997e9b6386b127035514115e5 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 24 Oct 2020 14:11:33 +0200
Subject: [PATCH 0250/3088] net/frr: Update help-text in OSPF (#2081)

---
 .../OPNsense/Quagga/forms/dialogEditOSPFInterface.xml           | 2 +-
 .../controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
index a325af7cf6..b7091f4f01 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
@@ -30,7 +30,7 @@
     <id>interface.area</id>
     <label>Area</label>
     <type>text</type>
-    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0</help>
+    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0. Only use Area in Interface tab or in Network tab once.</help>
   </field>
   <field>
     <id>interface.cost</id>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml
index 2ec7968e82..f15e330eb4 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml
@@ -18,7 +18,7 @@
     <id>network.area</id>
     <label>Area</label>
     <type>text</type>
-    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0</help>
+    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0. Only use Area in Interface tab or in Network tab once.</help>
   </field>
   <field>
     <id>network.arearange</id>

From 60a4dfc6c5a1ffa2cf0fff10810b7d40fb8f057f Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 28 Oct 2020 12:26:10 +0100
Subject: [PATCH 0251/3088] Update actions_hwprobe.conf (#2084)

---
 .../src/opnsense/service/conf/actions.d/actions_hwprobe.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/hw-probe/src/opnsense/service/conf/actions.d/actions_hwprobe.conf b/sysutils/hw-probe/src/opnsense/service/conf/actions.d/actions_hwprobe.conf
index 14c0771a83..b28e768009 100644
--- a/sysutils/hw-probe/src/opnsense/service/conf/actions.d/actions_hwprobe.conf
+++ b/sysutils/hw-probe/src/opnsense/service/conf/actions.d/actions_hwprobe.conf
@@ -1,5 +1,5 @@
 [report]
-command:/usr/local/bin/hw-probe
+command:/usr/local/bin/hw-probe -all -upload
 parameters:
 type:script_output
 message:collecting hardware diagnostics

From e0c09fa3570858bfd02bf391fb15f2ff0b8883b1 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 5 Nov 2020 09:26:24 +0100
Subject: [PATCH 0252/3088] net/chrony: add NTS peer mode (#2087)

---
 net/chrony/Makefile                                      | 2 +-
 net/chrony/pkg-descr                                     | 4 ++++
 .../app/controllers/OPNsense/Chrony/forms/general.xml    | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Chrony/General.xml  | 4 ++++
 net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh | 6 +++---
 .../service/templates/OPNsense/Chrony/chrony.conf        | 9 ++++++++-
 6 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index 39c87599ff..0601f4f248 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		chrony
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr
index de8195fad6..4464c2fa7a 100644
--- a/net/chrony/pkg-descr
+++ b/net/chrony/pkg-descr
@@ -4,6 +4,10 @@ better in virtual environments.
 Plugin Changelog
 ----------------
 
+1.1
+
+* Add NTS support
+
 1.0
 
 * Allow to adjust the listening port
diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
index ee8d8326c2..691a2b3b91 100644
--- a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
+++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
@@ -11,6 +11,12 @@
         <type>text</type>
         <help>Set the port chrony listen to.</help>
     </field>
+    <field>
+        <id>general.ntsclient</id>
+        <label>NTS Client Support</label>
+        <type>checkbox</type>
+        <help>Enable NTS in client mode. This will add another layer of security for peers when OPNsense is the client. Every server in Peers has to support NTS.</help>
+    </field>
     <field>
         <id>general.peers</id>
         <label>NTP Peers</label>
diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
index 30b99eb530..969b9fc178 100644
--- a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
+++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
@@ -11,6 +11,10 @@
             <default>323</default>
             <Required>Y</Required>
         </port>
+        <ntsclient type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </ntsclient>
         <peers type="HostnameField">
             <default>0.opnsense.pool.ntp.org</default>
             <Required>Y</Required>
diff --git a/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh b/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh
index ddc03d6a0c..ad9060012e 100755
--- a/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh
+++ b/net/chrony/src/opnsense/scripts/OPNsense/Chrony/setup.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
 
-mkdir -p /var/db/chrony/ /var/run/chrony/
-chown -R chronyd:chronyd /var/db/chrony/ /var/run/chrony/
-chmod 750 /var/db/chrony/ /var/run/chrony/
+mkdir -p /var/db/chrony /var/lib/chrony /var/run/chrony
+chown -R chronyd:chronyd /var/db/chrony /var/lib/chrony /var/run/chrony
+chmod 750 /var/db/chrony /var/lib/chrony /var/run/chrony
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
index 38397c3a6f..e800d636df 100644
--- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
@@ -4,9 +4,16 @@ port {{ OPNsense.chrony.general.port }}
 driftfile /var/db/chrony/drift
 pidfile /var/run/chrony/chronyd.pid
 
+{%   if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}
+ntsdumpdir /var/lib/chrony
+ntstrustedcerts /etc/ssl/cert.pem
+nosystemcert
+{%   endif %}
+
 {%   if not helpers.empty('OPNsense.chrony.general.peers') %}
 {%     for peer in OPNsense.chrony.general.peers.split(',') %}
-server {{ peer }} iburst
+server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}nts{% endif %}
+
 {%     endfor %}
 {%   endif %}
 

From 33cf9b513c2bc3fdf63469ea769f65ddd793a485 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 9 Nov 2020 11:37:21 +0100
Subject: [PATCH 0253/3088] net/frr: add community-lists to BGP (#2078)

---
 net/frr/pkg-descr                             |  1 +
 .../OPNsense/Quagga/Api/BgpController.php     | 30 +++++++++++-
 .../OPNsense/Quagga/BgpController.php         |  3 +-
 .../forms/dialogEditBGPCommunityLists.xml     | 38 ++++++++++++++
 .../Quagga/forms/dialogEditBGPRouteMaps.xml   |  8 +++
 .../mvc/app/models/OPNsense/Quagga/BGP.xml    | 49 +++++++++++++++++++
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    | 43 +++++++++++++++-
 .../templates/OPNsense/Quagga/bgpd.conf       | 16 ++++++
 8 files changed, 185 insertions(+), 3 deletions(-)
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 76a1e094ee..4ded6be649 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 1.18
 
 * Add description fields to BGP tabs
+* Add BGP community-lists
 
 1.17
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 27a9278dc9..3edbe1627e 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -3,7 +3,7 @@
 /**
  *    Copyright (C) 2015 - 2017 Deciso B.V.
  *    Copyright (C) 2017 Fabian Franz
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ *    Copyright (C) 2017 - 2020 Michael Muenz <m.muenz@gmail.com>
  *
  *    All rights reserved.
  *
@@ -136,6 +136,34 @@ public function setPrefixlistAction($uuid)
         return $this->setBase('prefixlist', 'prefixlists.prefixlist', $uuid);
     }
 
+    public function searchCommunitylistAction()
+    {
+        return $this->searchBase(
+            'communitylists.communitylist',
+            array("enabled", "description", "number", "seqnumber", "action", "community" )
+        );
+    }
+    public function getCommunitylistAction($uuid = null)
+    {
+        $this->sessionClose();
+        return $this->getBase('communitylist', 'communitylists.communitylist', $uuid);
+    }
+
+    public function addCommunitylistAction()
+    {
+        return $this->addBase('communitylist', 'communitylists.communitylist');
+    }
+
+    public function delCommunitylistAction($uuid)
+    {
+        return $this->delBase('communitylists.communitylist', $uuid);
+    }
+
+    public function setCommunitylistAction($uuid)
+    {
+        return $this->setBase('communitylist', 'communitylists.communitylist', $uuid);
+    }
+
     public function searchRoutemapAction()
     {
         return $this->searchBase(
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
index 9b5ed53343..aaf3110635 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
@@ -2,7 +2,7 @@
 
 /*
     Copyright (C) 2017 Fabian Franz
-    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+    Copyright (C) 2017 - 2020 Michael Muenz <m.muenz@gmail.com>
     All rights reserved.
     Redistribution and use in source and binary forms, with or without
     modification, are permitted provided that the following conditions are met:
@@ -33,6 +33,7 @@ public function indexAction()
         $this->view->formDialogEditBGPNeighbor = $this->getForm("dialogEditBGPNeighbor");
         $this->view->formDialogEditBGPASPaths = $this->getForm("dialogEditBGPASPath");
         $this->view->formDialogEditBGPPrefixLists = $this->getForm("dialogEditBGPPrefixLists");
+        $this->view->formDialogEditBGPCommunityLists = $this->getForm("dialogEditBGPCommunityLists");
         $this->view->formDialogEditBGPRouteMaps = $this->getForm("dialogEditBGPRouteMaps");
         $this->view->pick('OPNsense/Quagga/bgp');
     }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
new file mode 100644
index 0000000000..a2755510a8
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
@@ -0,0 +1,38 @@
+<form>
+  <field>
+    <id>communitylist.enabled</id>
+    <label>Enabled</label>
+    <type>checkbox</type>
+    <help>Enable / Disable</help>
+  </field>
+    <field>
+    <id>communitylist.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Add an optional description for this Community-List.</help>
+  </field>
+  <field>
+    <id>communitylist.number</id>
+    <label>Number</label>
+    <type>text</type>
+    <help>Set the number of your Community-List. 1-99 are stardard lists while 100-500 are expanded lists.</help>
+  </field>
+  <field>
+    <id>communitylist.seqnumber</id>
+    <label>Sequence Number</label>
+    <type>text</type>
+    <help>The ACL sequence number (10-99)</help>
+  </field>
+  <field>
+    <id>communitylist.action</id>
+    <label>Action</label>
+    <type>select_multiple</type>
+    <help>Set permit for match or deny to negate the rule.</help>
+  </field>
+  <field>
+    <id>communitylist.community</id>
+    <label>Community</label>
+    <type>text</type>
+    <help>The community you want to match. You can also regex and it is not validated so please be careful.</help>
+  </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
index 31fe3b5c69..8922641212 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
@@ -44,6 +44,14 @@
     <style>tokenize</style>
     <allownew>true</allownew>
     <help>Select the Prefix List.</help>
+  </field>
+  <field>
+    <id>routemap.match3</id>
+    <label>Community List</label>
+    <type>select_multiple</type>
+    <style>tokenize</style>
+    <allownew>true</allownew>
+    <help>Select the Community List.</help>
   </field>
     <field>
     <id>routemap.set</id>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 4d11fa76d3..0abecfd3b3 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -202,6 +202,43 @@
                         </network>
                 </prefixlist>
         </prefixlists>
+        <communitylists>
+                <communitylist type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <description type="TextField">
+                                <default></default>
+                                <Required>N</Required>
+                        </description>
+                        <number type="IntegerField">
+                                <default></default>
+                                <Required>Y</Required>
+                                <MinimumValue>1</MinimumValue>
+                                <MaximumValue>500</MaximumValue>
+                                <ValidationMessage>Set a number between 1 and 500.</ValidationMessage>
+                        </number>
+                        <seqnumber type="IntegerField">
+                                <default></default>
+                                <Required>Y</Required>
+                                <MinimumValue>10</MinimumValue>
+                                <MaximumValue>99</MaximumValue>
+                        </seqnumber>
+                        <action type="OptionField">
+                                <default></default>
+                                <Required>Y</Required>
+                                <OptionValues>
+                                        <permit>Permit</permit>
+                                        <deny>Deny</deny>
+                                </OptionValues>
+                        </action>
+                        <community type="TextField">
+                                <default></default>
+                                <Required>Y</Required>
+                        </community>
+                </communitylist>
+        </communitylists>
         <routemaps>
                 <routemap type="ArrayField">
                         <enabled type="BooleanField">
@@ -256,6 +293,18 @@
                                 <Multiple>N</Multiple>
                                 <Required>N</Required>
                         </match2>
+                        <match3 type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.bgp</source>
+                                                <items>communitylists.communitylist</items>
+                                                <display>number</display>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related item not found</ValidationMessage>
+                                <Multiple>N</Multiple>
+                                <Required>N</Required>
+                        </match3>
                         <set type="TextField">
                                 <Required>N</Required>
                         </set>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 635b21985c..461ea62a71 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -2,7 +2,7 @@
 
 OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
 Copyright (C) 2017 Fabian Franz
-Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+Copyright (C) 2017 - 2020 Michael Muenz <m.muenz@gmail.com>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,
@@ -33,6 +33,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
     <li><a data-toggle="tab" href="#aspaths">{{ lang._('AS Path Lists') }}</a></li>
     <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
+    <li><a data-toggle="tab" href="#communitylists">{{ lang._('Community Lists') }}</a></li>
     <li><a data-toggle="tab" href="#routemaps">{{ lang._('Route Maps') }}</a></li>
 </ul>
 <div class="tab-content content-box tab-content">
@@ -130,6 +131,34 @@ POSSIBILITY OF SUCH DAMAGE.
             </tfoot>
         </table>
     </div>
+    <div id="communitylists" class="tab-pane fade in">
+        <table id="grid-communitylists" class="table table-responsive" data-editDialog="DialogEditBGPCommunityLists">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="number" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Number') }}</th>
+                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Secquence Number') }}</th>
+                    <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
+                    <th data-column-id="community" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Community') }}</th>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="5"></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
+                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
     <div id="routemaps" class="tab-pane fade in">
         <table id="grid-routemaps" class="table table-responsive" data-editDialog="DialogEditBGPRouteMaps">
             <thead>
@@ -141,6 +170,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     <th data-column-id="id" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
                     <th data-column-id="match" data-type="string" data-visible="true">{{ lang._('AS Path List') }}</th>
                     <th data-column-id="match2" data-type="string" data-visible="true">{{ lang._('Prefix List') }}</th>
+                    <th data-column-id="match3" data-type="string" data-visible="true">{{ lang._('Community List') }}</th>
                     <th data-column-id="set" data-type="string" data-visible="true">{{ lang._('Set') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
@@ -225,6 +255,16 @@ $(document).ready(function() {
       'options':{selection:false, multiSelect:false}
     }
   );
+  $("#grid-communitylists").UIBootgrid(
+    { 'search':'/api/quagga/bgp/searchCommunitylist',
+      'get':'/api/quagga/bgp/getCommunitylist/',
+      'set':'/api/quagga/bgp/setCommunitylist/',
+      'add':'/api/quagga/bgp/addCommunitylist/',
+      'del':'/api/quagga/bgp/delCommunitylist/',
+      'toggle':'/api/quagga/bgp/toggleCommunitylist/',
+      'options':{selection:false, multiSelect:false}
+    }
+  );
   $("#grid-routemaps").UIBootgrid(
     { 'search':'/api/quagga/bgp/searchRoutemap',
       'get':'/api/quagga/bgp/getRoutemap/',
@@ -241,4 +281,5 @@ $(document).ready(function() {
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPNeighbor,'id':'DialogEditBGPNeighbor','label':lang._('Edit Neighbor')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPASPaths,'id':'DialogEditBGPASPaths','label':lang._('Edit AS Paths')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPrefixLists,'id':'DialogEditBGPPrefixLists','label':lang._('Edit Prefix Lists')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPCommunityLists,'id':'DialogEditBGPCommunityLists','label':lang._('Edit Community Lists')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPRouteMaps,'id':'DialogEditBGPRouteMaps','label':lang._('Edit Route Maps')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 9c75e0d822..abdf1f8d9c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -180,6 +180,14 @@ bgp as-path access-list {{ aspath.number }} {{ aspath.action }} {{ aspath.as }}
 {%     endfor %}
 {%   endif %}
 !
+{%   if helpers.exists('OPNsense.quagga.bgp.communitylists.communitylist') %}
+{%     for communitylist in helpers.sortDictList(OPNsense.quagga.bgp.communitylists.communitylist, 'number' ) %}
+{%       if communitylist.enabled == '1' %}
+bgp community-list {{ communitylist.number }} seq {{ communitylist.seqnumber }} {{ communitylist.action }} {{ communitylist.community }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+!
 {%   if helpers.exists('OPNsense.quagga.bgp.routemaps.routemap') %}
 {%     for routemap in helpers.sortDictList(OPNsense.quagga.bgp.routemaps.routemap, 'name', 'id' ) %}
 {%       if routemap.enabled == '1' %}
@@ -205,6 +213,14 @@ route-map {{ routemap.name }} {{ routemap.action }} {{ routemap.id }}
 {%             endif %}
 {%           endfor %}
 {%         endif %}
+{%         if routemap.match3|default("") != "" %}
+{%           for communitylist in routemap.match3.split(",") %}
+{%             set communitylist_data = helpers.getUUID(communitylist) %}
+{%             if 'match3' in routemap and routemap.match3 != '' %}
+ match community {{ communitylist_data.number }}
+{%             endif %}
+{%           endfor %}
+{%         endif %}
 {%         if routemap.set|default("") != '' and routemap.match2|default("") != '' %}
  set {{ routemap.set }}
 {%         endif %}

From acb6e18e4ae22ae14f1f2601268e74dd30c2b373 Mon Sep 17 00:00:00 2001
From: Max <foxikmax@users.noreply.github.com>
Date: Mon, 9 Nov 2020 13:37:52 +0300
Subject: [PATCH 0254/3088] Update mods-enabled-ldap (#2076)

Add ldap reply Mikrotik-Wireless-VLANID and Mikrotik-Wireless-VLANID-type
---
 .../service/templates/OPNsense/Freeradius/mods-enabled-ldap     | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
index cd80e84f29..7836acffe7 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
@@ -64,6 +64,8 @@ ldap {
                 reply:Tunnel-Type               := 'radiusTunnelType'
                 reply:Tunnel-Medium-Type        := 'radiusTunnelMediumType'
                 reply:Tunnel-Private-Group-Id   := 'radiusTunnelPrivateGroupId'
+                reply:Mikrotik-Wireless-VLANID  := 'radiusTunnelPrivateGroupId'
+                reply:Mikrotik-Wireless-VLANID-type   := 'radiusTunnelType'
                 control:                        += 'radiusControlAttribute'
                 request:                        += 'radiusRequestAttribute'
                 reply:                          += 'radiusReplyAttribute'

From 7f12477cc39597a86795e38facb85fdc572b6d81 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Nov 2020 12:02:35 +0100
Subject: [PATCH 0255/3088] plugins: small reformat

---
 .../Collectd/Api/GeneralController.php        | 44 +++++++++---------
 .../Collectd/Api/ServiceController.php        | 44 +++++++++---------
 .../OPNsense/Lldpd/Api/GeneralController.php  | 44 +++++++++---------
 .../OPNsense/Lldpd/Api/ServiceController.php  | 44 +++++++++---------
 .../Telegraf/Api/GeneralController.php        | 44 +++++++++---------
 .../OPNsense/Telegraf/Api/InputController.php | 44 +++++++++---------
 .../Telegraf/Api/OutputController.php         | 44 +++++++++---------
 .../Telegraf/Api/ServiceController.php        | 44 +++++++++---------
 .../Freeradius/Api/ClientController.php       | 44 +++++++++---------
 .../Freeradius/Api/DhcpController.php         | 44 +++++++++---------
 .../OPNsense/Freeradius/Api/EapController.php | 44 +++++++++---------
 .../Freeradius/Api/GeneralController.php      | 44 +++++++++---------
 .../Freeradius/Api/LdapController.php         | 44 +++++++++---------
 .../Freeradius/Api/LeaseController.php        | 44 +++++++++---------
 .../Freeradius/Api/ServiceController.php      |  2 +-
 .../Freeradius/Api/UserController.php         | 44 +++++++++---------
 .../OPNsense/Quagga/Api/BgpController.php     | 46 +++++++++----------
 .../OPNsense/Quagga/Api/GeneralController.php | 44 +++++++++---------
 .../OPNsense/Quagga/Api/ServiceController.php | 44 +++++++++---------
 .../OPNsense/Quagga/BgpController.php         | 45 +++++++++---------
 .../OPNsense/Siproxd/Api/DomainController.php | 44 +++++++++---------
 .../Siproxd/Api/GeneralController.php         | 44 +++++++++---------
 .../Siproxd/Api/ServiceController.php         | 44 +++++++++---------
 .../OPNsense/Siproxd/Api/UserController.php   | 44 +++++++++---------
 .../OPNsense/ClamAV/Api/GeneralController.php | 44 +++++++++---------
 .../OPNsense/Tor/Api/ServiceController.php    | 44 +++++++++---------
 26 files changed, 530 insertions(+), 575 deletions(-)

diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/GeneralController.php b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/GeneralController.php
index c8e3648b7e..be3333a1cd 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/GeneralController.php
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/GeneralController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Collectd\Api;
diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
index b449936790..2d00ae3116 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Collectd\Api;
diff --git a/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/Api/GeneralController.php b/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/Api/GeneralController.php
index 4dddfc38b0..a7803bb78c 100644
--- a/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/Api/GeneralController.php
+++ b/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/Api/GeneralController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Lldpd\Api;
diff --git a/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/Api/ServiceController.php b/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/Api/ServiceController.php
index f3dbbe97e1..48121f98f5 100644
--- a/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/Api/ServiceController.php
+++ b/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/Api/ServiceController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Lldpd\Api;
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/GeneralController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/GeneralController.php
index ea1f8bcbad..ae4cc64269 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/GeneralController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/GeneralController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Telegraf\Api;
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/InputController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/InputController.php
index 9349d15b0b..f16a61746c 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/InputController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/InputController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Telegraf\Api;
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/OutputController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/OutputController.php
index baa511a50b..aba3256b30 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/OutputController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/OutputController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Telegraf\Api;
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
index ea26e27a39..22c4800cf6 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Telegraf\Api;
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
index 787e9f66fa..f00443fb1b 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Freeradius\Api;
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
index 153b7849c2..fb1dd5ebdc 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Freeradius\Api;
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/EapController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/EapController.php
index ac63bea73e..40bf830e7d 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/EapController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/EapController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Freeradius\Api;
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/GeneralController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/GeneralController.php
index 33c34ec7da..f863050345 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/GeneralController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/GeneralController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Freeradius\Api;
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapController.php
index 8cfc713add..9374dd6281 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Freeradius\Api;
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
index d2693837b1..3cff21e0eb 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Freeradius\Api;
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
index 5943bda142..777f14d5de 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015 - 2017 Deciso B.V.
+ * Copyright (C) 2015-2017 Deciso B.V.
  * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
index da4aa7fea9..b6638e2c2c 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Freeradius\Api;
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 3edbe1627e..0f926cf221 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -1,33 +1,31 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Fabian Franz
- *    Copyright (C) 2017 - 2020 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Fabian Franz
+ * Copyright (C) 2017-2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Quagga\Api;
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
index 703d41181e..e27efec61e 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Fabian Franz
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Fabian Franz
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Quagga\Api;
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
index 33f5dec72f..a9935cfb59 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Fabian Franz
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Fabian Franz
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Quagga\Api;
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
index aaf3110635..373d4bea4c 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
@@ -1,27 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2017 Fabian Franz
-    Copyright (C) 2017 - 2020 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2017 Fabian Franz
+ * Copyright (C) 2017-2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 namespace OPNsense\Quagga;
 
diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
index 56a74a9e03..20c57f8efb 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Siproxd\Api;
diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/GeneralController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/GeneralController.php
index dc0d4d961c..9c14268ab6 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/GeneralController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/GeneralController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Siproxd\Api;
diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
index 876255b3be..e1634191fd 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Siproxd\Api;
diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
index babe9391c6..76645935ce 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Siproxd\Api;
diff --git a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/Api/GeneralController.php b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/Api/GeneralController.php
index 1cace827b9..082a67e78b 100644
--- a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/Api/GeneralController.php
+++ b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/Api/GeneralController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\ClamAV\Api;
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
index 158416e6f0..7ccba0c222 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2015 - 2017 Deciso B.V.
- *    Copyright (C) 2017 Fabian Franz
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Fabian Franz
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Tor\Api;

From 7ead4a1b2a028f601c6b41712f69745d088face4 Mon Sep 17 00:00:00 2001
From: jeremiah-rs <42019310+jeremiah-rs@users.noreply.github.com>
Date: Mon, 9 Nov 2020 20:29:13 -0500
Subject: [PATCH 0256/3088] Minor update to Server.xml

Minor edit to make error message clearer.
---
 .../src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 01bae78842..1915fcd29a 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -13,7 +13,7 @@
                     <default></default>
                     <Required>Y</Required>
                     <mask>/^([0-9a-zA-Z]){1,32}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9a-zA-Z</ValidationMessage>
+                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, and A-Z</ValidationMessage>
                 </name>
                 <instance type="AutoNumberField">
                     <MinimumValue>0</MinimumValue>

From 64f29b2fc6b63b52a88bbf39efb9948b79e72de0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 12 Nov 2020 16:02:31 +0100
Subject: [PATCH 0257/3088] FRR: uniform logging, ditch old file log. closes
 https://github.com/opnsense/plugins/issues/2104

---
 .../Quagga/Api/DiagnosticsController.php      |  4 --
 .../OPNsense/Quagga/DiagnosticsController.php |  4 --
 .../OPNsense/Quagga/forms/general.xml         | 16 +-----
 .../app/models/OPNsense/Quagga/ACL/ACL.xml    |  1 +
 .../app/models/OPNsense/Quagga/General.xml    | 23 +-------
 .../app/models/OPNsense/Quagga/Menu/Menu.xml  |  2 +-
 .../OPNsense/Quagga/Migrations/M1_0_2.php     | 53 +++++++++++++++++++
 .../mvc/app/views/OPNsense/Quagga/log.volt    | 27 ----------
 net/frr/src/opnsense/scripts/quagga/quagga.rb | 11 ----
 .../conf/actions.d/actions_quagga.conf        |  6 ---
 .../templates/OPNsense/Quagga/bgpd.conf       |  3 --
 .../templates/OPNsense/Quagga/ospf6d.conf     |  3 --
 .../templates/OPNsense/Quagga/ospfd.conf      |  3 --
 .../templates/OPNsense/Quagga/ripd.conf       |  3 --
 .../templates/OPNsense/Quagga/zebra.conf      |  3 --
 .../OPNsense/Syslog/local/routing_frr.conf    |  6 +++
 16 files changed, 65 insertions(+), 103 deletions(-)
 create mode 100644 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Migrations/M1_0_2.php
 delete mode 100644 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/log.volt
 create mode 100644 net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index 6dd944141c..a6d8da8f42 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -129,10 +129,6 @@ public function generalroutesAction()
     {
         return $this->get_general_information('routes');
     }
-    public function logAction()
-    {
-        return $this->get_general_information('log')['response']['general_log'];
-    }
     public function generalroutes6Action()
     {
         return $this->get_general_information('routes6');
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
index 0c0ccd21b5..4b74311840 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
@@ -44,8 +44,4 @@ public function generalAction()
     {
         $this->view->pick('OPNsense/Quagga/diagnosticsgeneral');
     }
-    public function logAction()
-    {
-        $this->view->pick('OPNsense/Quagga/log');
-    }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
index fbb34f3960..2fcfbc2b9b 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
@@ -11,27 +11,15 @@
         <type>checkbox</type>
         <help>This will activate the routing service only on the master device.</help>
     </field>
-    <field>
-        <id>general.enablelogfile</id>
-        <label>Create a logfile</label>
-        <type>checkbox</type>
-        <help>If you check this, a log file will be written to disk.</help>
-    </field>
-    <field>
-        <id>general.logfilelevel</id>
-        <label>Logfile level</label>
-        <type>dropdown</type>
-        <help>This is the detail level of the log. A higher level means more data is logged.</help>
-    </field>
     <field>
         <id>general.enablesyslog</id>
-        <label>Send log messages to syslog</label>
+        <label>Enable logging</label>
         <type>checkbox</type>
         <help>Syslog is a service which is made to collect log messages from different software and maybe to a central logging server. Check this box if you have such a setup.</help>
     </field>
     <field>
         <id>general.sysloglevel</id>
-        <label>Syslog level</label>
+        <label>log level</label>
         <type>dropdown</type>
         <help>This is the detail level of the log. A higher level means more data is logged.</help>
     </field>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/ACL/ACL.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/ACL/ACL.xml
index 3fa7a13e5b..a99328b131 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/ACL/ACL.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/ACL/ACL.xml
@@ -4,6 +4,7 @@
       <patterns>
          <pattern>ui/quagga/*</pattern>
          <pattern>api/quagga/*</pattern>
+         <pattern>ui/diagnostics/log/routing/frr</pattern>
       </patterns>
    </page-routing>
 </acl>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
index dc5530304a..80d9576ebf 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/general</mount>
     <description>Quagga Routing configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -11,27 +11,8 @@
             <default>0</default>
             <Required>Y</Required>
         </enablecarp>
-        <enablelogfile type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </enablelogfile>
-        <logfilelevel type="OptionField">
-            <Required>Y</Required>
-            <multiple>N</multiple>
-            <default>notifications</default>
-            <OptionValues>
-                <critical>Critical</critical>
-                <emergencies>Emergencies</emergencies>
-                <errors>Errors</errors>
-                <alerts>Alerts</alerts>
-                <warnings>Warnings</warnings>
-                <notifications>Notifications</notifications>
-                <informational>Informational</informational>
-                <debugging>Debugging</debugging>
-            </OptionValues>
-        </logfilelevel>
         <enablesyslog type="BooleanField">
-            <default>0</default>
+            <default>1</default>
             <Required>Y</Required>
         </enablesyslog>
         <sysloglevel type="OptionField">
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
index d7da7259a8..03dca32ded 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
@@ -11,7 +11,7 @@
       <OSPF VisibleName="OSPF" url="/ui/quagga/diagnostics/ospf" order="20" />
       <OSPFv3 VisibleName="OSPFv3" url="/ui/quagga/diagnostics/ospfv3" order="25" />
       <BGP VisibleName="BGPv4" url="/ui/quagga/diagnostics/bgp" order="40" />
-      <LOG VisibleName="Log" url="/ui/quagga/diagnostics/log" order="100" />
+      <LOG VisibleName="Log" url="/ui/diagnostics/log/routing/frr" order="100" />
     </Diagnostics>
   </Routing>
 </menu>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Migrations/M1_0_2.php b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Migrations/M1_0_2.php
new file mode 100644
index 0000000000..f977352884
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Migrations/M1_0_2.php
@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Quagga\Migrations;
+
+use OPNsense\Core\Config;
+use OPNsense\Base\BaseModelMigration;
+use OPNSense\Quagga\General;
+
+class M1_0_2 extends BaseModelMigration
+{
+    /**
+     * @param Quagga $model
+     */
+    public function run($model)
+    {
+        // XXX: since migrations act per (general) version, we need to check which sub model is calling us.
+        if ($model instanceof General) {
+            $cfgObj = Config::getInstance()->object();
+            if (!empty($cfgObj->OPNsense->quagga->general->enablelogfile)) {
+                if ((string)$model->enablesyslog != "1") {
+                    $model->sysloglevel = (string)$cfgObj->OPNsense->quagga->general->logfilelevel;
+                }
+                $model->enablesyslog = "1";
+            }
+        }
+    }
+}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/log.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/log.volt
deleted file mode 100644
index 6f129beb97..0000000000
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/log.volt
+++ /dev/null
@@ -1,27 +0,0 @@
-<div class="content-box">
-<table id="logtable" class="table table-condensed table-hover table-striped" style="table-layout: initial;">
-    <thead>
-        <tr>
-            <th data-column-id="date" data-sortable="false" data-type="string">{{ lang._('Date') }}</th>
-            <th data-column-id="time" data-sortable="false" data-type="string">{{ lang._('Time') }}</th>
-            <th data-column-id="service" data-sortable="false" data-type="string">{{ lang._('Service') }}</th>
-            <th data-column-id="message" data-sortable="false" data-type="string">{{ lang._('Message') }}</th>
-        </tr>
-    </thead>
-</table>
-</div>
-
-<script>
-$(document).ready(function() {
-    updateServiceControlUI('quagga');
-});
-
-$("#logtable").bootgrid({
-    ajax: true,
-    navigation: 0,
-    url: "/api/quagga/diagnostics/log",
-    ajaxSettings: { "method": "GET", cache: true },
-    responseHandler: function(resp) { return {"rows": resp}; },
-    sortable: false
-});
-</script>
diff --git a/net/frr/src/opnsense/scripts/quagga/quagga.rb b/net/frr/src/opnsense/scripts/quagga/quagga.rb
index e8881a4d06..a594278552 100755
--- a/net/frr/src/opnsense/scripts/quagga/quagga.rb
+++ b/net/frr/src/opnsense/scripts/quagga/quagga.rb
@@ -129,14 +129,6 @@ def routes6
     routes(true)
   end
 
-  def log
-    File.read('/var/log/frr.log').lines.select {|l| l.strip.length > 10}.map do |line|
-      date, time, service, message = line.split(' ', 4)
-      date = date.split('/').reverse.join(".") # format dd.mm.yyyy
-      service = service.split(':').first if service
-      {date: date, time:time, service: service, message: message }
-    end
-  end
 end
 
 class OSPF
@@ -709,9 +701,6 @@ def database_qta(lines)
   opts.on("-6", "--general-routes6", "Print Routing Table (IPv6)") do |od|
     options[:general_routes6] = od
   end
-  opts.on("-l", "--general-log", "Print Logs") do |od|
-    options[:general_log] = od
-  end
   ### BGP
   opts.on("-B", "--bgp-overview", "Print an overview of BGP") do |od|
     options[:bgp_overview] = od
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 66a793e04a..1b3075f56f 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -106,12 +106,6 @@ parameters:
 type:script_output
 message: Print IPv6 Routing Table
 
-[general-log]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --general-log
-parameters:
-type:script_output
-message: Show Quagga logs
-
 [general-runningconfig]
 command:/usr/local/bin/vtysh -c "show run"
 parameters:
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index abdf1f8d9c..e5d05085b2 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -5,9 +5,6 @@
 !   2017/03/03 20:21:04
 !
 {% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablelogfile') and OPNsense.quagga.general.enablelogfile == '1' %}
-log file /var/log/frr.log {{ OPNsense.quagga.general.logfilelevel }}
-{%   endif %}
 {%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index 607316523a..b58d95986e 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -8,9 +8,6 @@
 !   2017/03/03 20:21:04
 !
 {% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablelogfile') and OPNsense.quagga.general.enablelogfile == '1' %}
-log file /var/log/frr.log {{ OPNsense.quagga.general.logfilelevel }}
-{%   endif %}
 {%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index 8b7729c0e7..72c880d873 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -8,9 +8,6 @@
 !   2017/03/03 20:21:04
 !
 {% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablelogfile') and OPNsense.quagga.general.enablelogfile == '1' %}
-log file /var/log/frr.log {{ OPNsense.quagga.general.logfilelevel }}
-{%   endif %}
 {%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
index 6c5756f02a..ffb74650e5 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
@@ -5,9 +5,6 @@
 !   2017/03/26 22:40:16
 !
 {% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablelogfile') and OPNsense.quagga.general.enablelogfile == '1' %}
-log file /var/log/frr.log {{ OPNsense.quagga.general.logfilelevel }}
-{%   endif %}
 {%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
index 13d12b88c7..01a97a6f4f 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
@@ -3,9 +3,6 @@
 ! Zebra configuration saved from vty
 !   2017/03/03 20:21:04
 !
-{% if helpers.exists('OPNsense.quagga.general.enablelogfile') and OPNsense.quagga.general.enablelogfile == '1' %}
-log file /var/log/frr.log {{ OPNsense.quagga.general.logfilelevel }}
-{% endif %}
 {% if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf b/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf
new file mode 100644
index 0000000000..84bcfee810
--- /dev/null
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [FRR].
+###################################################################
+filter f_local_routing_frr {
+     program("bgpd") or program("ospfd") or program("ospf6d") or program("ripd") or program("zebra");
+};

From 7b0659d5dd3004fc987f328c42d4f89aa3b37601 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 12 Nov 2020 22:32:48 +0100
Subject: [PATCH 0258/3088] dns/bind: reject built-in ACL names

---
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
index 6466c00332..51eb974220 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
@@ -12,8 +12,8 @@
                 <name type="TextField">
                     <default></default>
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z]){1,32}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9a-zA-Z</ValidationMessage>
+                    <mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z]{1,32}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9a-zA-Z. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
                 </name>
                 <networks type="NetworkField">
                     <default></default>

From 449fc4990180f0e3f779085fe215d5ed94095a95 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 12 Nov 2020 22:42:30 +0100
Subject: [PATCH 0259/3088] dns/bind: fix small UI glitch (truncated
 checkboxes)

---
 .../src/opnsense/mvc/app/views/OPNsense/Bind/general.volt   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 60d74b68c6..455bee71f3 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -55,7 +55,7 @@ POSSIBILITY OF SUCH DAMAGE.
         </div>
     </div>
     <div id="acls" class="tab-pane fade in">
-        <table id="grid-acls" class="table table-responsive" data-editDialog="dialogEditBindAcl">
+        <table id="grid-acls" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="dialogEditBindAcl">
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -86,7 +86,7 @@ POSSIBILITY OF SUCH DAMAGE.
         <div class="alert alert-warning" role="alert" style="min-height:65px;">
             <div style="margin-top: 8px;">{{ lang._('Zone management is still in experimental state, use with caution.') }}</div>
         </div>
-        <table id="grid-domains" class="table table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindDomain">
+        <table id="grid-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindDomain">
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -117,7 +117,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <h2>{{ lang._('Records') }}</h2>
         </div>
         <div id="record-area">
-            <table id="grid-records" class="table table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindRecord">
+            <table id="grid-records" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindRecord">
                 <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>

From 4f39145eaf3d4bbe56417d93aaebbbf59c109c00 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 12 Nov 2020 22:50:44 +0100
Subject: [PATCH 0260/3088] dns/bind: add button to delete selected items

---
 .../src/opnsense/mvc/app/views/OPNsense/Bind/general.volt    | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 455bee71f3..e42640843c 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -72,6 +72,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     <td colspan="5"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -108,6 +109,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     <td colspan="5"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -136,6 +138,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     <td colspan="5"></td>
                     <td>
                         <button id="recordAddBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button id="recordDelBtn" data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
                 </tfoot>
@@ -219,9 +222,11 @@ $( document ).ready(function() {
                 if (ids.length > 0) {
                     request['domain'] = ids[0];
                     $("#recordAddBtn").show();
+                    $("#recordDelBtn").show();
                     $("#record-area").show();
                 } else {
                     $("#recordAddBtn").hide();
+                    $("#recordDelBtn").hide();
                     $("#record-area").hide();
                 }
                 return request;

From e703a8d19b0a855c0188dc10c9b5a2e24ff51af7 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 12 Nov 2020 22:51:24 +0100
Subject: [PATCH 0261/3088] dns/bind: bump version

---
 dns/bind/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 3323aea673..48b788c2ae 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.14
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From f6a694c1a20e03de71c147511c063d7a0a71f8da Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 12 Nov 2020 22:58:21 +0100
Subject: [PATCH 0262/3088] dns/bind: update changelog

---
 dns/bind/pkg-descr | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 99d74dce55..545d1b6b60 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,12 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.14
+
+* Reject built-in ACL names
+* Fix truncated checkboxes
+* Add button to delete selected items
+
 1.13
 
 * Update BIND to 9.16

From ff83e858d9269db01b70c863dff1dc699d03c184 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 12 Nov 2020 23:08:42 +0100
Subject: [PATCH 0263/3088] dns/bind: relax ACL name mask

---
 dns/bind/pkg-descr                                         | 1 +
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 545d1b6b60..4c59d1e865 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 * Reject built-in ACL names
 * Fix truncated checkboxes
 * Add button to delete selected items
+* Relax ACL name mask (allow underscores and hyphens)
 
 1.13
 
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
index 51eb974220..6abff3a73a 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
@@ -12,8 +12,8 @@
                 <name type="TextField">
                     <default></default>
                     <Required>Y</Required>
-                    <mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z]{1,32}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9a-zA-Z. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
+                    <mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z_\-]{1,32}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9a-zA-Z_-. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
                 </name>
                 <networks type="NetworkField">
                     <default></default>

From a3d383b2825cb18907ec9082cb4cbdcc1d3025cd Mon Sep 17 00:00:00 2001
From: ElNounch <ElNounch@users.noreply.github.com>
Date: Sat, 14 Nov 2020 18:04:00 +0100
Subject: [PATCH 0264/3088] Enable usage of no, one or several addresses per
 hosts

---
 .../controllers/OPNsense/Tinc/forms/dialogHost.xml    |  2 +-
 .../controllers/OPNsense/Tinc/forms/dialogNetwork.xml |  2 +-
 .../opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml    |  4 ++--
 .../src/opnsense/scripts/OPNsense/Tinc/lib/objects.py | 11 ++++++++---
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
index b2fda29f2f..232e97fa5c 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
@@ -21,7 +21,7 @@
         <id>host.extaddress</id>
         <label>Ext. Address</label>
         <type>text</type>
-        <help>This machines external address to use</help>
+        <help>This machines external addresses to use (separated by comma)</help>
     </field>
     <field>
         <id>host.extport</id>
diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
index e2d9697f80..4fec66b52a 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
@@ -69,7 +69,7 @@
         <id>network.extaddress</id>
         <label>Ext. Address</label>
         <type>text</type>
-        <help>This machines external address to use</help>
+        <help>This machines external addresses to use (separated by comma)</help>
     </field>
     <field>
         <id>network.extport</id>
diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index e8abbc0c0c..89dc220e47 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -22,7 +22,7 @@
                     <ValidationMessage>Please specify a valid hostname.</ValidationMessage>
                 </hostname>
                 <extaddress type="TextField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
                 </extaddress>
                 <extport type="IntegerField">
@@ -132,7 +132,7 @@
                     <ValidationMessage>Port number must be between 1...65535</ValidationMessage>
                 </extport>
                 <extaddress type="TextField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
                 </extaddress>
                 <subnet type="NetworkField">
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
index 6b9ccfcd3c..cece619f48 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
@@ -30,8 +30,6 @@ def __init__(self):
         self._payload = dict()
         self._payload['hostname'] = None
         self._payload['network'] = None
-        self._payload['address'] = None
-        self._payload['port'] = None
 
     def is_valid(self):
         for key in self._payload:
@@ -97,6 +95,10 @@ def set_PMTUDiscovery(self, value):
     def config_text(self):
         result = list()
         result.append('AddressFamily=any')
+        if 'address' in self._payload:
+            addresses = self._payload['address'].split(',')
+            for address in addresses:
+                result.append('Address=%s %s' % (address, self._payload['port']))
         result.append('Mode=%(mode)s' % self._payload)
         result.append('PMTUDiscovery=%(PMTUDiscovery)s' % self._payload)
         result.append('Port=%(port)s' % self._payload)
@@ -137,7 +139,10 @@ def set_connectto(self, value):
 
     def config_text(self):
         result = list()
-        result.append('Address=%(address)s %(port)s'%self._payload)
+        if 'address' in self._payload:
+            addresses = self._payload['address'].split(',')
+            for address in addresses:
+                result.append('Address=%s %s' % (address, self._payload['port']))
         if 'subnet' in self._payload:
             networks = self._payload['subnet'].split(',')
             for network in networks:

From 151bc98f3ece2f9fa78be97ff9657001ea90ddbc Mon Sep 17 00:00:00 2001
From: ElNounch <ElNounch@users.noreply.github.com>
Date: Sun, 15 Nov 2020 17:56:28 +0100
Subject: [PATCH 0265/3088] Using list view for both external addresses and
 hosted subnets Every generated config files last line ends with a newline

---
 .../OPNsense/Tinc/forms/dialogHost.xml        | 10 ++++--
 .../OPNsense/Tinc/forms/dialogNetwork.xml     | 10 ++++--
 .../mvc/app/models/OPNsense/Tinc/Tinc.xml     | 27 ++++++++++++---
 .../scripts/OPNsense/Tinc/lib/objects.py      | 34 +++++++++++--------
 4 files changed, 56 insertions(+), 25 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
index 232e97fa5c..0e5bc3c348 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
@@ -20,8 +20,10 @@
     <field>
         <id>host.extaddress</id>
         <label>Ext. Address</label>
-        <type>text</type>
-        <help>This machines external addresses to use (separated by comma)</help>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>External address of selected machine</help>
     </field>
     <field>
         <id>host.extport</id>
@@ -32,7 +34,9 @@
     <field>
         <id>host.subnet</id>
         <label>Subnet</label>
-        <type>text</type>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
         <help>This machines part of the network</help>
     </field>
     <field>
diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
index 4fec66b52a..1c2224c4d8 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
@@ -68,8 +68,10 @@
     <field>
         <id>network.extaddress</id>
         <label>Ext. Address</label>
-        <type>text</type>
-        <help>This machines external addresses to use (separated by comma)</help>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>External addresses of this machine</help>
     </field>
     <field>
         <id>network.extport</id>
@@ -80,7 +82,9 @@
     <field>
         <id>network.subnet</id>
         <label>Subnet</label>
-        <type>text</type>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
         <help>This machines part of the network</help>
     </field>
     <field>
diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index 89dc220e47..e9ebf4b97e 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -21,9 +21,11 @@
                     <mask>/^([0-9a-zA-Z\_]){1,1024}$/u</mask>
                     <ValidationMessage>Please specify a valid hostname.</ValidationMessage>
                 </hostname>
-                <extaddress type="TextField">
+                <extaddress type="HostnameField">
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+                    <IpAllowed>1</IpAllowed>
+                    <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
                 </extaddress>
                 <extport type="IntegerField">
                     <Required>Y</Required>
@@ -41,6 +43,7 @@
                     <WildcardEnabled>N</WildcardEnabled>
                     <NetMaskRequired>Y</NetMaskRequired>
                     <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
                     <Constraints>
                         <check001>
                             <ValidationMessage>Subnet field must be set in router mode.</ValidationMessage>
@@ -131,15 +134,26 @@
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Port number must be between 1...65535</ValidationMessage>
                 </extport>
-                <extaddress type="TextField">
+                <extaddress type="HostnameField">
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+                    <IpAllowed>1</IpAllowed>
+                    <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Need external address if you intend to "Connect To" this host</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>connectTo</field>
+                            <check>1</check>
+                        </check001>
+                    </Constraints>
                 </extaddress>
                 <subnet type="NetworkField">
                     <Required>N</Required>
                     <WildcardEnabled>N</WildcardEnabled>
                     <NetMaskRequired>Y</NetMaskRequired>
                     <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
                 </subnet>
                 <pubkey type="TextField">
                     <Required>Y</Required>
@@ -154,6 +168,11 @@
                 <connectTo type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>
+                    <Constraints>
+                        <check001>
+                            <reference>extaddress.check001</reference>
+                        </check001>
+                    </Constraints>
                 </connectTo>
                 <enabled type="BooleanField">
                     <default>1</default>
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
index cece619f48..a0031d9b07 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
@@ -30,6 +30,8 @@ def __init__(self):
         self._payload = dict()
         self._payload['hostname'] = None
         self._payload['network'] = None
+        self._payload['address'] = ''
+        self._payload['port'] = None
 
     def is_valid(self):
         for key in self._payload:
@@ -53,6 +55,11 @@ def get_network(self):
     def get_basepath(self):
         return '/usr/local/etc/tinc/%(network)s' % self._payload
 
+    def get_addresses(self):
+        if not self._payload['address']:
+            return
+        yield from self._payload['address'].split(',')
+
 class Network(NetwConfObject):
     def __init__(self):
         super(Network, self).__init__()
@@ -95,10 +102,6 @@ def set_PMTUDiscovery(self, value):
     def config_text(self):
         result = list()
         result.append('AddressFamily=any')
-        if 'address' in self._payload:
-            addresses = self._payload['address'].split(',')
-            for address in addresses:
-                result.append('Address=%s %s' % (address, self._payload['port']))
         result.append('Mode=%(mode)s' % self._payload)
         result.append('PMTUDiscovery=%(PMTUDiscovery)s' % self._payload)
         result.append('Port=%(port)s' % self._payload)
@@ -108,7 +111,7 @@ def config_text(self):
                 result.append('ConnectTo = %s' % (host.get_hostname(),))
         result.append('Device=/dev/tinc%(id)s' % self._payload)
         result.append('Name=%(hostname)s' % self._payload)
-        return '\n'.join(result)
+        return '\n'.join(result) + '\n'
 
     def filename(self):
         return self.get_basepath() + '/tinc.conf'
@@ -129,7 +132,7 @@ def __init__(self):
         self._payload['cipher'] = None
 
     def connect_to_this_host(self):
-        if self.is_valid() and self._connectTo == "1":
+        if self.is_valid() and self._payload['address'] and self._connectTo == "1":
             return True
         else:
             return False
@@ -137,20 +140,21 @@ def connect_to_this_host(self):
     def set_connectto(self, value):
         self._connectTo = value.text
 
+    def get_subnets(self):
+        if not self._payload['subnet']:
+            return
+        yield from self._payload['subnet'].split(',')
+
     def config_text(self):
         result = list()
-        if 'address' in self._payload:
-            addresses = self._payload['address'].split(',')
-            for address in addresses:
-                result.append('Address=%s %s' % (address, self._payload['port']))
-        if 'subnet' in self._payload:
-            networks = self._payload['subnet'].split(',')
-            for network in networks:
-                result.append('Subnet=%s' % network)
+        for address in self.get_addresses():
+            result.append('Address=%s %s' % (address, self._payload['port']))
+        for network in self.get_subnets():
+            result.append('Subnet=%s' % network)
         result.append('Cipher=%(cipher)s'%self._payload)
         result.append('Digest=sha256')
         result.append(self._payload['pubkey'])
-        return '\n'.join(result)
+        return '\n'.join(result) + '\n'
 
     def filename(self):
         return '%s/hosts/%s' % (self.get_basepath(), self._payload['hostname'])

From 5dc2478cd7e31069b6a5fadb8750a1fc6cfb20b8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 15 Nov 2020 19:48:52 +0100
Subject: [PATCH 0266/3088] Tinc: upgrade model version for
 https://github.com/opnsense/plugins/pull/2110

---
 .../tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index e9ebf4b97e..f6a077d558 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Tinc</mount>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <description>
         OPNsense Tinc VPN
     </description>

From d4d0449dc98ea0d9d84001698327e15e7d84696e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 9 Nov 2020 16:56:37 +0100
Subject: [PATCH 0267/3088] FRR: add ui fields for
 https://github.com/opnsense/plugins/issues/2091 and basic template to store
 carp setting into (to be unsed in the event handler)

---
 .../Quagga/forms/dialogEditOSPFInterface.xml         | 12 ++++++++++++
 .../opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml | 11 +++++++++++
 .../service/templates/OPNsense/Quagga/+TARGETS       |  1 +
 .../templates/OPNsense/Quagga/ospfd_carp.conf        | 11 +++++++++++
 4 files changed, 35 insertions(+)
 create mode 100644 net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
index b7091f4f01..1413f214f7 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
@@ -37,6 +37,18 @@
     <label>Cost</label>
     <type>text</type>
   </field>
+  <field>
+    <id>interface.cost_demoted</id>
+    <label>Cost (when demoted)</label>
+    <type>text</type>
+  </field>
+  <field>
+    <id>interface.carp_depend_on</id>
+    <label>Depend on (carp)</label>
+    <type>dropdown</type>
+    <help>The carp VHID to depend on, when this virtual address is not in master state,
+      the interface cost will be set to the demoted cost (specified above).</help>
+  </field>
   <field>
     <id>interface.hellointerval</id>
     <label>Hello Interval</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index ef022849ad..445f2786a4 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -165,6 +165,17 @@
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Cost must be between 0 and 4294967295.</ValidationMessage>
                         </cost>
+                        <cost_demoted type="IntegerField">
+                                <default></default>
+                                <MinimumValue>0</MinimumValue>
+                                <Required>N</Required>
+                                <MaximumValue>4294967295</MaximumValue>
+                                <ValidationMessage>Cost must be between 0 and 4294967295.</ValidationMessage>
+                        </cost_demoted>
+                        <carp_depend_on type="VirtualIPField">
+                            <type>carp</type>
+                            <Required>N</Required>
+                        </carp_depend_on>
                         <hellointerval type="IntegerField">
                                 <default></default>
                                 <MinimumValue>0</MinimumValue>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
index b01f28018f..a09b88d86a 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
@@ -1,5 +1,6 @@
 bgpd.conf:/usr/local/etc/frr/bgpd.conf
 ospfd.conf:/usr/local/etc/frr/ospfd.conf
+ospfd_carp.conf:/usr/local/etc/frr/ospfd_carp.conf
 ospf6d.conf:/usr/local/etc/frr/ospf6d.conf
 ripd.conf:/usr/local/etc/frr/ripd.conf
 frr:/etc/rc.conf.d/frr
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf
new file mode 100644
index 0000000000..90e2149e26
--- /dev/null
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf
@@ -0,0 +1,11 @@
+{% if helpers.exists('OPNsense.quagga.ospf.interfaces.interface') %}
+{%   for interface in helpers.toList('OPNsense.quagga.ospf.interfaces.interface') %}
+{%     if interface.enabled == '1' %}
+[interface_interface.interfacename]
+interface={{interface.interfacename}}
+default_cost={{interface.cost|default('10')}}
+demoted_cost={{interface.cost_demoted|default('')}}
+carp_depend_on={{interface.carp_depend_on|default('')}}
+{%     endif %}
+{%   endfor %}
+{% endif %}

From 7a3eafbba7937403f1b73e9db5ee2c91118ebf48 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 10 Nov 2020 10:54:30 +0100
Subject: [PATCH 0268/3088] FRR: OSPF interface form, align form with model.
 for https://github.com/opnsense/plugins/issues/2098

---
 .../OPNsense/Quagga/forms/dialogEditOSPFInterface.xml       | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
index 1413f214f7..34842de349 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
@@ -7,13 +7,13 @@
   <field>
     <id>interface.interfacename</id>
     <label>Interface</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
     <help>Select an interface where this settings apply to.</help>
   </field>
   <field>
     <id>interface.authtype</id>
     <label>Authentication Type</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
   </field>
   <field>
     <id>interface.authkey</id>
@@ -77,6 +77,6 @@
   <field>
     <id>interface.networktype</id>
     <label>Network Type</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
   </field>
 </form>

From cedb08e92e9bc64dc787529c00dc844da1d44f2e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 10 Nov 2020 15:08:54 +0100
Subject: [PATCH 0269/3088] FRR: ospf interface cost boundaries as defined in
 http://docs.frrouting.org/en/latest/ospfd.html#interfaces (1-65535)

---
 .../opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 445f2786a4..83ade2b6ff 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -160,17 +160,17 @@
                         </area>
                         <cost type="IntegerField">
                                 <default></default>
-                                <MinimumValue>0</MinimumValue>
+                                <MinimumValue>1</MinimumValue>
                                 <Required>N</Required>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Cost must be between 0 and 4294967295.</ValidationMessage>
+                                <MaximumValue>65535</MaximumValue>
+                                <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
                         </cost>
                         <cost_demoted type="IntegerField">
                                 <default></default>
-                                <MinimumValue>0</MinimumValue>
+                                <MinimumValue>1</MinimumValue>
                                 <Required>N</Required>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Cost must be between 0 and 4294967295.</ValidationMessage>
+                                <MaximumValue>65535</MaximumValue>
+                                <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
                         </cost_demoted>
                         <carp_depend_on type="VirtualIPField">
                             <type>carp</type>

From b49b29bc9da22d40061da991c48117bf0a5be067 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 10 Nov 2020 17:59:57 +0100
Subject: [PATCH 0270/3088] FRR: work in progress event handler for
 https://github.com/opnsense/plugins/issues/2091

Initial boilerplate code to extract interface address (vhid) status and control vtysh for status and configuration.
The code in carp_event_handler is only intended to test some callouts, the general idea is to hook InterfaceStatus() and VtySH() objects into an event handler object inherited from baseEventHandler(),
which is responsible for detecting the changes and reconfiguring the daemon.
---
 .../opnsense/scripts/frr/carp_event_handler   |  39 +++++++
 .../src/opnsense/scripts/frr/lib/__init__.py  | 109 ++++++++++++++++++
 net/frr/src/opnsense/scripts/frr/lib/base.py  |  38 ++++++
 3 files changed, 186 insertions(+)
 create mode 100755 net/frr/src/opnsense/scripts/frr/carp_event_handler
 create mode 100644 net/frr/src/opnsense/scripts/frr/lib/__init__.py
 create mode 100644 net/frr/src/opnsense/scripts/frr/lib/base.py

diff --git a/net/frr/src/opnsense/scripts/frr/carp_event_handler b/net/frr/src/opnsense/scripts/frr/carp_event_handler
new file mode 100755
index 0000000000..ba490b1b18
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/carp_event_handler
@@ -0,0 +1,39 @@
+#!/usr/local/bin/python3
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+from lib import InterfaceStatus, VtySH
+
+
+if __name__ == '__main__':
+    ifstatus = InterfaceStatus()
+    vtysh = VtySH()
+    if vtysh.is_active:
+        print (ifstatus.address_status('10.111.112.113'))
+        if vtysh.is_running('ospfd'):
+            ospf_interfaces = vtysh.execute('show ip ospf interface json')
+            vtysh.execute(['interface le1', 'ip ospf cost 65535'], translate=None, configure=True)
+            print(ospf_interfaces)
diff --git a/net/frr/src/opnsense/scripts/frr/lib/__init__.py b/net/frr/src/opnsense/scripts/frr/lib/__init__.py
new file mode 100644
index 0000000000..85753b0df2
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/lib/__init__.py
@@ -0,0 +1,109 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import time
+import subprocess
+import ujson
+
+class InterfaceStatus:
+    def __init__(self):
+        self._carp_addresses = dict()
+        self.parse()
+
+    def parse(self):
+        """ parse ifconfig output
+        """
+        carp_statuses = dict()
+        carp_addresses = dict()
+        current_if = None
+        for line in subprocess.run(['/sbin/ifconfig', '-a'], capture_output=True, text=True).stdout.split('\n'):
+            parts = line.split()
+            if not line.startswith('\t'):
+                current_if = line.split(':')[0]
+            elif line.startswith('\tcarp: '):
+                carp_statuses[parts[3]] = parts[1]
+            elif line.find('vhid') > -1:
+                carp_addresses[parts[1]] = {'vhid': parts[-1], 'status': 'none'}
+
+        for address in carp_addresses:
+            if carp_addresses[address]['vhid'] in carp_statuses:
+                carp_addresses[address]['status'] = carp_statuses[carp_addresses[address]['vhid']].strip().lower()
+
+        self._carp_addresses = carp_addresses
+
+    def address_status(self, address):
+        if address in self._carp_addresses:
+            return self._carp_addresses[address]['status']
+        return 'none'
+
+
+class VtySHExecError(Exception):
+    pass
+
+class VtySH:
+    def __init__(self):
+        self._daemons = []
+        self.init()
+
+    def init(self):
+        # wait maximum 30 seconds for daemon to startup
+        for i in range(30):
+            try:
+                self._daemons = self.execute('show daemons', lambda x: x.decode().split())
+                break
+            except VtySHExecError:
+                time.sleep(1)
+
+    def is_running(self, daemon):
+        return daemon in self._daemons
+
+    @property
+    def is_active(self):
+        return len(self._daemons) > 0
+
+    def execute(self, command, translate=ujson.loads, configure=False):
+        args = ['/usr/local/bin/vtysh']
+        if configure:
+            args = args + ['-c', 'configure terminal']
+        else:
+            args.append('-u')
+
+        if type(command) is list:
+            for cmd in command:
+                args = args + ['-c', cmd]
+        else:
+            args = args + ['-c', command]
+
+        response = subprocess.run(args, capture_output=True)
+        if response.stderr:
+            raise VtySHExecError(response.stderr)
+        if translate:
+            try:
+                return translate(response.stdout)
+            except ValueError:
+                raise ValueError(response.stdout)
+        else:
+            return response.stdout
diff --git a/net/frr/src/opnsense/scripts/frr/lib/base.py b/net/frr/src/opnsense/scripts/frr/lib/base.py
new file mode 100644
index 0000000000..c584bcc0f5
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/lib/base.py
@@ -0,0 +1,38 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+
+class baseEventHandler:
+    def __init__(self, ifstatus, vtysh):
+        self.ifstatus = ifstatus
+        self.vtysh = vtysh
+
+    @property
+    def should_run(self):
+        return False
+
+    def execute(self):
+        pass

From f29d8ddf0b4efdea9ab7a115695f2642bf6262ff Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 11 Nov 2020 18:04:34 +0100
Subject: [PATCH 0271/3088] FRR: work in progress carp event handler + ospfd
 implementation for https://github.com/opnsense/plugins/issues/2091

---
 .../opnsense/scripts/frr/carp_event_handler   | 18 ++--
 .../src/opnsense/scripts/frr/lib/__init__.py  |  4 +-
 net/frr/src/opnsense/scripts/frr/lib/base.py  |  2 +-
 .../scripts/frr/lib/events/__init__.py        | 44 +++++++++
 .../opnsense/scripts/frr/lib/events/ospfd.py  | 96 +++++++++++++++++++
 .../templates/OPNsense/Quagga/ospfd_carp.conf |  8 +-
 6 files changed, 160 insertions(+), 12 deletions(-)
 create mode 100644 net/frr/src/opnsense/scripts/frr/lib/events/__init__.py
 create mode 100644 net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py

diff --git a/net/frr/src/opnsense/scripts/frr/carp_event_handler b/net/frr/src/opnsense/scripts/frr/carp_event_handler
index ba490b1b18..3256478b8b 100755
--- a/net/frr/src/opnsense/scripts/frr/carp_event_handler
+++ b/net/frr/src/opnsense/scripts/frr/carp_event_handler
@@ -25,15 +25,21 @@
     POSSIBILITY OF SUCH DAMAGE.
 
 """
+import sys
+import syslog
+import lib.events
 from lib import InterfaceStatus, VtySH
 
-
 if __name__ == '__main__':
+    syslog.openlog('frr_carp', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL1)
+    syslog.syslog(syslog.LOG_NOTICE, 'FRR received carp configuration event.')
     ifstatus = InterfaceStatus()
     vtysh = VtySH()
     if vtysh.is_active:
-        print (ifstatus.address_status('10.111.112.113'))
-        if vtysh.is_running('ospfd'):
-            ospf_interfaces = vtysh.execute('show ip ospf interface json')
-            vtysh.execute(['interface le1', 'ip ospf cost 65535'], translate=None, configure=True)
-            print(ospf_interfaces)
+        for event in lib.events.get_events():
+            event_object = event(ifstatus=ifstatus, vtysh=vtysh)
+            if event_object.should_run:
+                syslog.syslog(syslog.LOG_NOTICE, 'FRR trigger %s event.' % event_object.__class__.__name__)
+                event_object.execute()
+    else:
+        syslog.syslog(syslog.LOG_ERR, 'no frr deamons active.')
diff --git a/net/frr/src/opnsense/scripts/frr/lib/__init__.py b/net/frr/src/opnsense/scripts/frr/lib/__init__.py
index 85753b0df2..bada445eca 100644
--- a/net/frr/src/opnsense/scripts/frr/lib/__init__.py
+++ b/net/frr/src/opnsense/scripts/frr/lib/__init__.py
@@ -69,8 +69,8 @@ def __init__(self):
         self.init()
 
     def init(self):
-        # wait maximum 30 seconds for daemon to startup
-        for i in range(30):
+        # wait a maximum of 5 seconds for daemon to startup
+        for i in range(5):
             try:
                 self._daemons = self.execute('show daemons', lambda x: x.decode().split())
                 break
diff --git a/net/frr/src/opnsense/scripts/frr/lib/base.py b/net/frr/src/opnsense/scripts/frr/lib/base.py
index c584bcc0f5..76efb5db8d 100644
--- a/net/frr/src/opnsense/scripts/frr/lib/base.py
+++ b/net/frr/src/opnsense/scripts/frr/lib/base.py
@@ -25,7 +25,7 @@
 
 """
 
-class baseEventHandler:
+class BaseEventHandler:
     def __init__(self, ifstatus, vtysh):
         self.ifstatus = ifstatus
         self.vtysh = vtysh
diff --git a/net/frr/src/opnsense/scripts/frr/lib/events/__init__.py b/net/frr/src/opnsense/scripts/frr/lib/events/__init__.py
new file mode 100644
index 0000000000..b9dfe7d8b0
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/lib/events/__init__.py
@@ -0,0 +1,44 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import glob
+import importlib
+import sys
+import os
+from ..base import BaseEventHandler
+
+
+def get_events():
+    """ iterate event handlers
+    """
+    for filename in glob.glob("%s/*.py" % os.path.dirname(__file__)):
+        importlib.import_module(".%s" % os.path.splitext(os.path.basename(filename))[0], __name__)
+
+    for module_name in dir(sys.modules[__name__]):
+        for attribute_name in dir(getattr(sys.modules[__name__], module_name)):
+            cls = getattr(getattr(sys.modules[__name__], module_name), attribute_name)
+            if isinstance(cls, type) and issubclass(cls, BaseEventHandler) and cls != BaseEventHandler:
+                yield cls
diff --git a/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py b/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py
new file mode 100644
index 0000000000..d692747088
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py
@@ -0,0 +1,96 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import os
+import syslog
+from configparser import ConfigParser
+from ..base import BaseEventHandler
+
+
+class OspfdEventHandler(BaseEventHandler):
+    _config = '/usr/local/etc/frr/ospfd_carp.conf'
+
+    @property
+    def should_run(self):
+        return self.vtysh.is_running('ospfd')
+
+    def _read_config(self):
+        result = dict()
+        if os.path.isfile(self._config):
+            cnf = ConfigParser()
+            cnf.read(self._config)
+            not_empty = lambda x, y: cnf.has_option(x, y) and cnf.get(x, y) != '' and cnf.get(x, y) != '0'
+            for section in cnf.sections():
+                if not_empty(section, 'interface') and not_empty(section, 'interface') \
+                        and not_empty(section, 'demoted_cost') and not_empty(section, 'carp_depend_on'):
+                    default_cost = cnf.getint(section, 'default_cost') if not_empty(section, 'default_cost') else None
+                    result[cnf.get(section, 'interface')] = {
+                        'demoted_cost': cnf.getint(section, 'demoted_cost'),
+                        'carp_depend_on': cnf.get(section, 'carp_depend_on'),
+                        'default_cost': default_cost,
+                    }
+
+        return result
+
+    def execute(self):
+        if os.path.isfile(self._config):
+            ospf_interfaces = self.vtysh.execute('show ip ospf interface json')
+            config_interfaces = self._read_config()
+            cnf = ConfigParser()
+            cnf.read(self._config)
+            for intf in config_interfaces:
+                if 'interfaces' in ospf_interfaces and intf in ospf_interfaces['interfaces']:
+                    ospf_intf_cost = ospf_interfaces['interfaces'][intf]['cost']
+                    is_intf_master = self.ifstatus.address_status(config_interfaces[intf]['carp_depend_on']) == 'master'
+                    is_ospf_dem = ospf_intf_cost == config_interfaces[intf]['demoted_cost']
+                    if is_intf_master and is_ospf_dem:
+                        # promote ospf interface
+                        conf_cost = config_interfaces[intf]['default_cost']
+                        if conf_cost is None:
+                            syslog.syslog(
+                                syslog.LOG_NOTICE, 'ospfd promote interface %s (no default cost configured).' % intf
+                            )
+                            self.vtysh.execute(
+                                ['interface %s' % intf, 'no ip ospf cost'], translate=None, configure=True
+                            )
+                        elif conf_cost != ospf_intf_cost:
+                            syslog.syslog(
+                                syslog.LOG_NOTICE, 'ospfd promote interface %s (cost %d).' % (intf, conf_cost)
+                            )
+                            self.vtysh.execute(
+                                ['interface %s' % intf, 'ip ospf cost %d' % conf_cost],
+                                translate=None, configure=True
+                            )
+                    elif not is_intf_master and not is_ospf_dem:
+                        # demote ospf interface
+                        conf_cost = config_interfaces[intf]['demoted_cost']
+                        syslog.syslog(
+                            syslog.LOG_NOTICE, 'ospfd demote interface %s (cost %d).' % (intf, conf_cost)
+                        )
+                        self.vtysh.execute(
+                            ['interface %s' % intf, 'ip ospf cost %d' % conf_cost],
+                            translate=None, configure=True
+                        )
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf
index 90e2149e26..724d7cb3c1 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf
@@ -1,9 +1,11 @@
+{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {% if helpers.exists('OPNsense.quagga.ospf.interfaces.interface') %}
 {%   for interface in helpers.toList('OPNsense.quagga.ospf.interfaces.interface') %}
 {%     if interface.enabled == '1' %}
-[interface_interface.interfacename]
-interface={{interface.interfacename}}
-default_cost={{interface.cost|default('10')}}
+[{{ interface['@uuid'] }}]
+enabled={{interface.enabled|default('0')}}
+interface={{physical_interface(interface.interfacename)}}
+default_cost={{interface.cost|default('')}}
 demoted_cost={{interface.cost_demoted|default('')}}
 carp_depend_on={{interface.carp_depend_on|default('')}}
 {%     endif %}

From 1965e0197142947e2d372347fbc9dc9115cb7a68 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 12 Nov 2020 16:47:28 +0100
Subject: [PATCH 0272/3088] FRR: hook carp_event_handler logging to standard
 sysog handler for https://github.com/opnsense/plugins/issues/2091

---
 .../service/templates/OPNsense/Syslog/local/routing_frr.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf b/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf
index 84bcfee810..ad0869d3c7 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf
@@ -2,5 +2,5 @@
 # Local syslog-ng configuration filter definition [FRR].
 ###################################################################
 filter f_local_routing_frr {
-     program("bgpd") or program("ospfd") or program("ospf6d") or program("ripd") or program("zebra");
+     program("bgpd") or program("ospfd") or program("ospf6d") or program("ripd") or program("zebra") or program("frr_carp");
 };

From c9cfd6021e6b997b7f5a2eae9b0179b5c83fc64a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 12 Nov 2020 18:41:42 +0100
Subject: [PATCH 0273/3088] FRR: trigger carp event handler on service start
 for https://github.com/opnsense/plugins/issues/2091

---
 net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index e2b5da14dc..f119450b6a 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -12,6 +12,7 @@ if helpers.exists('OPNsense.quagga.ospf6.enabled') and OPNsense.quagga.ospf6.ena
 if helpers.exists('OPNsense.quagga.ripng.enabled') and OPNsense.quagga.ripng.enabled == '1' %} ripngd{% endif %}{%
 if helpers.exists('OPNsense.quagga.isis.enabled') and OPNsense.quagga.isis.enabled == '1' %} isisd{% endif %}"
 frr_carp_demote="{% if not helpers.empty('OPNsense.quagga.ospf.carp_demote') %} ospfd{% endif %}"
+start_postcmd="/usr/local/opnsense/scripts/frr/carp_event_handler"
 {% else %}
 frr_enable="NO"
 {% endif %}

From 76c8c7eba1b49b1a98e16b2cc8f5305f0bc9fda6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 13 Nov 2020 17:05:31 +0100
Subject: [PATCH 0274/3088] FRR: change existing carp event to signal frr carp
 event handler when not using the start/stop carp option (only active when in
 master mode). for https://github.com/opnsense/plugins/issues/2091

---
 net/frr/src/etc/rc.syshook.d/carp/50-frr | 46 ++++++++++++------------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/net/frr/src/etc/rc.syshook.d/carp/50-frr b/net/frr/src/etc/rc.syshook.d/carp/50-frr
index 0c9841529e..05c8c0e8d3 100755
--- a/net/frr/src/etc/rc.syshook.d/carp/50-frr
+++ b/net/frr/src/etc/rc.syshook.d/carp/50-frr
@@ -32,29 +32,31 @@ require_once('config.inc');
 require_once('util.inc');
 require_once('plugins.inc.d/frr.inc');
 
-if (!frr_carp_enabled()) {
-    /* nothing to do */
-    exit(0);
-}
-
-$subsystem = !empty($argv[1]) ? $argv[1] : '';
-$type = !empty($argv[2]) ? $argv[2] : '';
+if (frr_carp_enabled()) {
+    // XXX: carp enable/disable mode
+    $subsystem = !empty($argv[1]) ? $argv[1] : '';
+    $type = !empty($argv[2]) ? $argv[2] : '';
 
-if ($type != 'MASTER' && $type != 'BACKUP') {
-    log_error("Carp '$type' event unknown from source '{$subsystem}'");
-    exit(1);
-}
+    if ($type != 'MASTER' && $type != 'BACKUP') {
+        log_error("Carp '$type' event unknown from source '{$subsystem}'");
+        exit(1);
+    }
 
-if (!strstr($subsystem, '@')) {
-    log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
-    exit(1);
-}
+    if (!strstr($subsystem, '@')) {
+        log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
+        exit(1);
+    }
 
-switch ($type) {
-    case 'MASTER':
-        shell_exec('/usr/local/etc/rc.d/frr start');
-        break;
-    case 'BACKUP':
-        shell_exec('/usr/local/etc/rc.d/frr stop');
-        break;
+    switch ($type) {
+        case 'MASTER':
+            shell_exec('/usr/local/etc/rc.d/frr start');
+            break;
+        case 'BACKUP':
+            shell_exec('/usr/local/etc/rc.d/frr stop');
+            break;
+    }
+} elseif (frr_enabled()) {
+    // XXX: when not toggling between active and disabled, pass event so underlaying protocols can
+    //      determine which actions to perform when reaching a certain state.
+    shell_exec('/usr/local/opnsense/scripts/frr/carp_event_handler');
 }

From 3c988330e29f3bed803886f01b4ae7a5f77dcd23 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 16 Nov 2020 21:29:47 +0100
Subject: [PATCH 0275/3088] FRR: change version tag after adding
 https://github.com/opnsense/plugins/issues/2091

---
 net/frr/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 69b1b0e236..02c92992a5 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.18
+PLUGIN_VERSION=		1.19
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7 ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 713ed181628ff6225599b23c57744da318f5d3c1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 16 Nov 2020 21:52:50 +0100
Subject: [PATCH 0276/3088] FRR: carp_event_handler annotate function
 parameters

---
 net/frr/src/opnsense/scripts/frr/lib/base.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/scripts/frr/lib/base.py b/net/frr/src/opnsense/scripts/frr/lib/base.py
index 76efb5db8d..075bf0032b 100644
--- a/net/frr/src/opnsense/scripts/frr/lib/base.py
+++ b/net/frr/src/opnsense/scripts/frr/lib/base.py
@@ -24,9 +24,11 @@
     POSSIBILITY OF SUCH DAMAGE.
 
 """
+from . import InterfaceStatus, VtySH
+
 
 class BaseEventHandler:
-    def __init__(self, ifstatus, vtysh):
+    def __init__(self, ifstatus: InterfaceStatus, vtysh: VtySH):
         self.ifstatus = ifstatus
         self.vtysh = vtysh
 

From 1f1ed62a6dd1916e708c874b002ffc4677ca2310 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 17 Nov 2020 10:09:26 +0100
Subject: [PATCH 0277/3088] FRR: carp_event_handler annotate function
 parameters (2)

---
 net/frr/src/opnsense/scripts/frr/lib/__init__.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/lib/__init__.py b/net/frr/src/opnsense/scripts/frr/lib/__init__.py
index bada445eca..21ef2ce233 100644
--- a/net/frr/src/opnsense/scripts/frr/lib/__init__.py
+++ b/net/frr/src/opnsense/scripts/frr/lib/__init__.py
@@ -27,6 +27,8 @@
 import time
 import subprocess
 import ujson
+from collections.abc import Callable
+
 
 class InterfaceStatus:
     def __init__(self):
@@ -54,7 +56,7 @@ def parse(self):
 
         self._carp_addresses = carp_addresses
 
-    def address_status(self, address):
+    def address_status(self, address: str):
         if address in self._carp_addresses:
             return self._carp_addresses[address]['status']
         return 'none'
@@ -77,14 +79,14 @@ def init(self):
             except VtySHExecError:
                 time.sleep(1)
 
-    def is_running(self, daemon):
+    def is_running(self, daemon: str):
         return daemon in self._daemons
 
     @property
     def is_active(self):
         return len(self._daemons) > 0
 
-    def execute(self, command, translate=ujson.loads, configure=False):
+    def execute(self, command: str, translate: Callable=ujson.loads, configure: bool=False):
         args = ['/usr/local/bin/vtysh']
         if configure:
             args = args + ['-c', 'configure terminal']

From c462b0e40f378ef7db2618401268ff56e5d8e020 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Nov 2020 14:13:06 +0100
Subject: [PATCH 0278/3088] security/tinc: ok to bump version

---
 security/tinc/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 3b6a0356ec..b85f2f0211 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tinc
-PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.6
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From e809b8cc61b3d862a33b846f1cf89b689d856294 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Nov 2020 14:16:54 +0100
Subject: [PATCH 0279/3088] net/frr: extend changelog

---
 net/frr/pkg-descr | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 4ded6be649..d8b7cb4958 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.19
+
+* OSPF influence interface cost via carp
+
 1.18
 
 * Add description fields to BGP tabs

From 0e9c1a1bcfeb0cefd4d4785bfe765d587cac0098 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Nov 2020 14:19:05 +0100
Subject: [PATCH 0280/3088] net/frr: this as well

---
 net/frr/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index d8b7cb4958..01e0a13c62 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 1.19
 
 * OSPF influence interface cost via carp
+* Uniform logging
 
 1.18
 

From 828ced9afaafd0991204020495502b0b84315d08 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Nov 2020 14:22:44 +0100
Subject: [PATCH 0281/3088] net/frr: fix lint pass

---
 net/frr/src/opnsense/scripts/frr/lib/__init__.py        | 0
 net/frr/src/opnsense/scripts/frr/lib/base.py            | 0
 net/frr/src/opnsense/scripts/frr/lib/events/__init__.py | 0
 net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py    | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 net/frr/src/opnsense/scripts/frr/lib/__init__.py
 mode change 100644 => 100755 net/frr/src/opnsense/scripts/frr/lib/base.py
 mode change 100644 => 100755 net/frr/src/opnsense/scripts/frr/lib/events/__init__.py
 mode change 100644 => 100755 net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py

diff --git a/net/frr/src/opnsense/scripts/frr/lib/__init__.py b/net/frr/src/opnsense/scripts/frr/lib/__init__.py
old mode 100644
new mode 100755
diff --git a/net/frr/src/opnsense/scripts/frr/lib/base.py b/net/frr/src/opnsense/scripts/frr/lib/base.py
old mode 100644
new mode 100755
diff --git a/net/frr/src/opnsense/scripts/frr/lib/events/__init__.py b/net/frr/src/opnsense/scripts/frr/lib/events/__init__.py
old mode 100644
new mode 100755
diff --git a/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py b/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py
old mode 100644
new mode 100755

From 078257cdb3daff37bdad9b94cd26c9914640aaf3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 22 Nov 2020 00:03:40 +0100
Subject: [PATCH 0282/3088] security/acme-client: fix creation of nsupdate
 secrets file

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 9e90b9e385..788a21e8a4 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+2.1
+
+Fixed:
+* fix creation of nsupdate secrets file
+
 2.0
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
index 5fe117e5e5..4d6f349d58 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
@@ -39,9 +39,9 @@ class DnsNsupdate extends Base implements LeValidationInterface
 {
     public function prepare()
     {
-        $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_uuid);
+        $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_id);
         $secret_key_filename = "${configdir}/secret.key";
-        $secret_key_data = (string)$this->config->dns_nsupdate_key . '\n';
+        $secret_key_data = (string)$this->config->dns_nsupdate_key . "\n";
         file_put_contents($secret_key_filename, $secret_key_data);
 
         // Add env variables

From 12a34717ea445b15ef0ab3cf565e25e7d9e21ff3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 22 Nov 2020 00:03:58 +0100
Subject: [PATCH 0283/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 97a5889dff..b38548cc80 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		2.0
+PLUGIN_VERSION=		2.1
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From db1d677bbe8b455cd43082367b29ac7e7f294f32 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 22 Nov 2020 00:49:24 +0100
Subject: [PATCH 0284/3088] security/acme-client: fix typo, improve wording

---
 security/acme-client/pkg-descr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 788a21e8a4..2593a7e784 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -23,13 +23,13 @@ Added:
 * add plugin changelog
 
 Fixed:
-* fix bug where configuration could get lost (#1526)
+* fix bug where configuration changes could get lost (#1526)
 * fix Cyon DNS API (password not set)
 
 Changed:
 * now an Automation may run multiple times during bulk issue/renewal (previously only once)
 * rename "Validation Methods" to "Challenge Types" to adopt official LE wording
-* rename Menu entry "Automation" to "Automations"
+* rename menu entry "Automation" to "Automations"
 * specify python version for gcloud SDK
 * rephrase several log messages
 * add more detailed output when debug logging is enabled

From 2953b022372348e5695628ea8be2431f68f87151 Mon Sep 17 00:00:00 2001
From: Boris <ich+github.com@bstaehe.li>
Date: Tue, 24 Nov 2020 10:49:10 +0100
Subject: [PATCH 0285/3088] security/acme-client: add support for deSEC.io API
 (#2120)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* security/acme-client: add support for deSEC.io API

Co-authored-by: Boris Stäheli <Boris.Staeheli@SwissSalary.ch>
---
 security/acme-client/pkg-descr                |  3 ++
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsDedyn.php      | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 33 ++++++++------
 4 files changed, 83 insertions(+), 13 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDedyn.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 2593a7e784..a7e1a22ee6 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 2.1
 
+Added:
+* add support for deSEC.io domain API (#2120)
+
 Fixed:
 * fix creation of nsupdate secrets file
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 10ec7609c1..7866682af6 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1181,4 +1181,19 @@
         <label>KAS Authtype</label>
         <type>dropdown</type>
     </field>
+    <field>
+        <label>deSEC.io API</label>
+        <type>header</type>
+        <style>table_dns table_dns_desec</style>
+    </field>
+    <field>
+        <id>validation.dns_desec_token</id>
+        <label>deSEC token</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>validation.dns_desec_name</id>
+        <label>deSEC domain</label>
+        <type>text</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDedyn.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDedyn.php
new file mode 100644
index 0000000000..8c27dc4705
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDedyn.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * deSEC API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDesec extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DEDYN_TOKEN'] = (string)$this->config->dns_desec_token;
+        $this->acme_env['DEDYN_NAME'] = (string)$this->config->dns_desec_name;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 9f7b7f6337..b87b20dbc1 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -382,6 +382,7 @@
                         <dns_cx>CloudXNS.com API</dns_cx>
                         <dns_cn>Core-Networks API</dns_cn>
                         <dns_cyon>cyon.ch API</dns_cyon>
+                        <dns_desec>deSEC.io API</dns_desec>
                         <dns_dgon>DigitalOcean API</dns_dgon>
                         <dns_da>DirectAdmin API</dns_da>
                         <dns_dnsimple>DNSimple API</dns_dnsimple>
@@ -507,10 +508,10 @@
                     <Required>N</Required>
                 </dns_cx_secret>
                 <dns_cyon_user type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_cyon_user>
                 <dns_cyon_password type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_cyon_password>
                 <dns_da_key type="TextField">
                     <Required>N</Required>
@@ -520,19 +521,19 @@
                     <default>1</default>
                 </dns_da_insecure>
                 <dns_dgon_key type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_dgon_key>
                 <dns_dnsimple_token type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_dnsimple_token>
                 <dns_doapi_token type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_doapi_token>
                 <dns_do_pid type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_do_pid>
                 <dns_do_password type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_do_password>
                 <dns_dp_id type="TextField">
                     <Required>N</Required>
@@ -708,20 +709,20 @@
                     <Required>N</Required>
                 </dns_lexicon_token>
                 <dns_linode_key type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_linode_key>
                 <dns_linode_v4_key type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_linode_v4_key>
                 <dns_loopia_api type="TextField">
-                  <Required>N</Required>
-                  <default>https://api.loopia.se/RPCSERV</default>
+                    <Required>N</Required>
+                    <default>https://api.loopia.se/RPCSERV</default>
                 </dns_loopia_api>
                 <dns_loopia_user type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_loopia_user>
                 <dns_loopia_password type="TextField">
-                  <Required>N</Required>
+                    <Required>N</Required>
                 </dns_loopia_password>
                 <dns_lua_email type="TextField">
                     <Required>N</Required>
@@ -935,6 +936,12 @@
                         <sha1>SHA1</sha1>
                     </OptionValues>
                 </dns_kas_authtype>
+                <dns_desec_token type="TextField">
+                    <Required>N</Required>
+                </dns_desec_token>
+                <dns_desec_name type="TextField">
+                    <Required>N</Required>
+                </dns_desec_name>
             </validation>
         </validations>
         <actions>

From b16c30c9fb4a1a706c5d2796e35a0671c51742de Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 24 Nov 2020 10:50:58 +0100
Subject: [PATCH 0286/3088] security/acme-client: post-merge fix for #2120

---
 .../AcmeClient/LeValidation/{DnsDedyn.php => DnsDesec.php}        | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/{DnsDedyn.php => DnsDesec.php} (100%)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDedyn.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDesec.php
similarity index 100%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDedyn.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDesec.php

From f44af645e98798b92640a60e4cfbfdc9e4a8f6a4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 3 Dec 2020 15:47:42 +0100
Subject: [PATCH 0287/3088] security/acme-client: fix certificate chain when CA
 changes, closes #2126

---
 security/acme-client/pkg-descr                                  | 1 +
 .../mvc/app/library/OPNsense/AcmeClient/LeCertificate.php       | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a7e1a22ee6..f96250468e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,7 @@ Added:
 
 Fixed:
 * fix creation of nsupdate secrets file
+* fix certificate chain when existing cert was signed by a new CA (#2126)
 
 2.0
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index ac238c2beb..d19bc71c3c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -262,6 +262,8 @@ public function import(bool $skip_validation = false)
                     $cfgCert->crt = $cert['crt'];
                     $cfgCert->prv = $cert['prv'];
                     $cfgCert->descr = $cert['descr'];
+                    // Update CA ref, because it may be signed by a different CA.
+                    $cfgCert->caref = $cert['caref'];
                     break;
                 }
             }

From 7e71ab69deccedff216b58d90443362172741022 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 5 Dec 2020 09:13:40 +0100
Subject: [PATCH 0288/3088] net/frr: Add BGP neighbor timers and graceful
 restart (#2112)

---
 net/frr/pkg-descr                             |  2 ++
 .../OPNsense/Quagga/Api/BgpController.php     |  3 +++
 .../controllers/OPNsense/Quagga/forms/bgp.xml |  7 ++++++
 .../Quagga/forms/dialogEditBGPNeighbor.xml    | 23 ++++++++++++++++++-
 .../mvc/app/models/OPNsense/Quagga/BGP.xml    | 21 ++++++++++++++++-
 .../templates/OPNsense/Quagga/bgpd.conf       | 11 +++++++++
 6 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 01e0a13c62..efddc98aea 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -20,6 +20,8 @@ Plugin Changelog
 
 * Add description fields to BGP tabs
 * Add BGP community-lists
+* Add option for BGP graceful restart
+* Allow to set BGP neighbor timers
 
 1.17
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 0f926cf221..68fb8c75ba 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -48,6 +48,9 @@ public function searchNeighborAction()
                   "updatesource",
                   "nexthopself",
                   "multihop",
+                  "keepalive",
+                  "holddown",
+                  "connecttimer",
                   "defaultoriginate",
                   "linkedPrefixlistIn",
                   "linkedPrefixlistOut",
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index b0128e5ff2..d3bc6cca5d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -18,6 +18,13 @@
         <advanced>true</advanced>
         <help>In some cases it might be clearer to set a fixed router-id.</help>
     </field>
+    <field>
+        <id>bgp.graceful</id>
+        <label>Graceful Restart</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>BGP graceful restart functionality as defined in RFC-4724 defines the mechanisms that allows BGP speaker to continue to forward data packets along known routes while the routing protocol information is being restored.</help>
+    </field>
     <field>
         <id>bgp.networks</id>
         <label>Network</label>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 6476f9ee9f..7f170a4cb1 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -38,7 +38,28 @@
     <label>Multi-Hop</label>
     <type>checkbox</type>
   </field>
-    <field>
+  <field>
+    <id>neighbor.keepalive</id>
+    <label>Keepalive</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Keepalive timer to check if the neighbor is still up. Default when unset is 60 seconds.</help>
+  </field>
+  <field>
+    <id>neighbor.holddown</id>
+    <label>Hold Down Time</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>The time in seconds when a neighbor is considered dead. This is usually 3 times the keeplive timer and when unset 180 seconds.</help>
+  </field>
+  <field>
+    <id>neighbor.connecttimer</id>
+    <label>Connect Timer</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>The time in seconds how fast a neighbor tries to reconnect.</help>
+  </field>  
+  <field>
     <id>neighbor.defaultoriginate</id>
     <label>Send Defaultroute</label>
     <type>checkbox</type>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 0abecfd3b3..e1106e13e1 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bgp</mount>
     <description>BGP Routing configuration</description>
-    <version>1.0.4</version>
+    <version>1.0.5</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -17,6 +17,10 @@
             <Required>N</Required>
             <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
         </routerid>
+        <graceful type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </graceful>
         <networks type="CSVListField">
             <default></default>
             <Required>N</Required>
@@ -70,6 +74,21 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </multihop>
+                        <keepalive type="IntegerField">
+                                <Required>N</Required>
+                                <MinimumValue>1</MinimumValue>
+                                <MaximumValue>1000</MaximumValue>
+                        </keepalive>
+                        <holddown type="IntegerField">
+                                <Required>N</Required>
+                                <MinimumValue>3</MinimumValue>
+                                <MaximumValue>3000</MaximumValue>
+                        </holddown>
+                        <connecttimer type="IntegerField">
+                                <Required>N</Required>
+                                <MinimumValue>1</MinimumValue>
+                                <MaximumValue>65000</MaximumValue>
+                        </connecttimer>
                         <defaultoriginate type="BooleanField">
                                 <default>0</default>
                                 <Required>N</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index e5d05085b2..86a75860ad 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -15,6 +15,9 @@ log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {% if helpers.exists('OPNsense.quagga.bgp.asnumber') and OPNsense.quagga.bgp.asnumber != '' %}
 router bgp {{ OPNsense.quagga.bgp.asnumber }}
  no bgp ebgp-requires-policy
+{%   if helpers.exists('OPNsense.quagga.bgp.graceful') and OPNsense.quagga.bgp.graceful == '1' %}
+ bgp graceful-restart
+{%   endif %}
 {%   if helpers.exists('OPNsense.quagga.bgp.routerid') and OPNsense.quagga.bgp.routerid != '' %}
  bgp router-id {{ OPNsense.quagga.bgp.routerid }}
 {%   endif %}
@@ -28,6 +31,14 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'multihop' in neighbor and neighbor.multihop == '1' %}
  neighbor {{ neighbor.address }} ebgp-multihop
 {%         endif %}
+{%         if 'keepalive' in neighbor and neighbor.keepalive != '' %}
+{%           if 'holddown' in neighbor and neighbor.holddown != '' %}
+ neighbor {{ neighbor.address }} timers {{ neighbor.keepalive }} {{ neighbor.holddown }}
+{%           endif %}
+{%         endif %}
+{%         if 'connecttimer' in neighbor and neighbor.connecttimer != '' %}
+ neighbor {{ neighbor.address }} timers connect {{ neighbor.connecttimer }}
+{%         endif %}
 {%       endif %}
 {%     endfor %}
 {%   endif %}

From 19c74251e03cd3eeabb403baac41987e4a8616b8 Mon Sep 17 00:00:00 2001
From: Kjeld Schouten-Lebbing <kjeld@schouten-lebbing.nl>
Date: Sat, 5 Dec 2020 09:18:28 +0100
Subject: [PATCH 0289/3088] [Freeradius] Create option to set EAP-TTLS-GTC for
 FreeRadius (#2089)

Creates an option to set freeradius to use EAP-TTLS-GTC.
This can, for example, be used to connect to LDAP databases with hashed passwords.

Signed-off-by: Kjeld Schouten-Lebbing <kjeld@schouten-lebbing.nl>
---
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml  | 1 +
 .../service/templates/OPNsense/Freeradius/mods-enabled-eap   | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index f2b451bea4..9ec71ef013 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -13,6 +13,7 @@
                 <peap>PEAP</peap>
                 <tls>TLS</tls>
                 <ttls>TTLS</ttls>
+                <ttls-gtc>TTLS-GTC</ttls-gtc>
             </OptionValues>
         </default_eap_type>
         <enable_client_cert type="BooleanField">
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 5dc3b327fd..8093143e8b 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -628,8 +628,11 @@ eap {
                 #  EAP conversation, then this configuration entry is
                 #  ignored.
                 #
+                {% if helpers.exists('OPNsense.freeradius.eap.default_eap_type') and OPNsense.freeradius.eap.default_eap_type == 'ttls-gtc' %}
+                default_eap_type = gtc
+                {% else %}
                 default_eap_type = md5
-
+                {% endif %}
                 #  The tunneled authentication request does not usually
                 #  contain useful attributes like 'Calling-Station-Id',
                 #  etc.  These attributes are outside of the tunnel,

From a3ce3c356c72e6392ad235e171b16899b7bb9a84 Mon Sep 17 00:00:00 2001
From: chrissyn <62061776+chrissyn@users.noreply.github.com>
Date: Sat, 5 Dec 2020 19:06:02 +0100
Subject: [PATCH 0290/3088] Update LeCertificate.php

fixes #2128
---
 .../mvc/app/library/OPNsense/AcmeClient/LeCertificate.php       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index d19bc71c3c..20ca634476 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -637,7 +637,7 @@ public function setValidation()
             }
 
             // Configure validation object
-            $val->setNames($this->config->name, $this->config->altNames);
+            $val->setNames($this->config->name, $this->config->altNames, $this->config->aliasmode, $this->config->domainalias, $this->config->challengealias);
             $val->setRenewal((int)$this->config->renewInterval);
             $val->setForce($this->force);
             // strip prefix from key value

From 8a72865e007cd157f0cbf6eace34a67971525c46 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 6 Dec 2020 22:46:00 +0100
Subject: [PATCH 0291/3088] net/frr: style sweep

---
 .../controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 7f170a4cb1..146dff7db0 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -58,7 +58,7 @@
     <type>text</type>
     <advanced>true</advanced>
     <help>The time in seconds how fast a neighbor tries to reconnect.</help>
-  </field>  
+  </field>
   <field>
     <id>neighbor.defaultoriginate</id>
     <label>Send Defaultroute</label>

From 02c79ea0fb909fa343a0049da380758bad55d0cd Mon Sep 17 00:00:00 2001
From: Alexander Korinek <noles@a3k.net>
Date: Fri, 11 Dec 2020 07:18:31 +0100
Subject: [PATCH 0292/3088] wireguard - add IPv6 gateway support for PBR
 (#2136)

---
 .../templates/OPNsense/Wireguard/wireguard-server.conf        | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
index f3452f629f..0d07a5ff3e 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
@@ -18,8 +18,8 @@ PrivateKey = {{ server_list.privkey }}
 Table = off
 {%         endif %}
 {%         if server_list.disableroutes == '1' and server_list.gateway|default('') != '' %}
-PostUp = route add {{ server_list.gateway }} -iface %i
-PostDown = route del {{ server_list.gateway }} -iface %i
+PostUp = route {{- ' -6' if ':' in server_list.gateway }} add {{ server_list.gateway }} -iface %i
+PostDown = route {{- ' -6' if ':' in server_list.gateway }} del {{ server_list.gateway }} -iface %i
 {%         endif %}
 {%         if server_list.peers|default('') != '' %}
 {%           for peerlist in server_list.peers.split(",") %}

From 46196b9e24ec5add0f0a561ef70fa0944f37cffc Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 11 Dec 2020 08:30:03 +0100
Subject: [PATCH 0293/3088] net/wireguard: bump version (#2140)

---
 net/wireguard/Makefile  | 2 +-
 net/wireguard/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 09f28f5957..d6b8f09d22 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 0becbd029f..ff1299e523 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.4
+
+* Add IPv6 gateway support (contributed by Alexander Korinek)
+
 1.3
 
 * Client/peer name validation to use HostnameField

From 73cabd03e579eedda0991cace307386ada818793 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sun, 13 Dec 2020 07:47:20 +0100
Subject: [PATCH 0294/3088] net/frr: add IntegerField for auto-cost calculation
 (#2144)

---
 net/frr/Makefile                                           | 2 +-
 net/frr/pkg-descr                                          | 4 ++++
 .../mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml     | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml   | 6 ++++++
 .../opnsense/service/templates/OPNsense/Quagga/ospfd.conf  | 3 +++
 5 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 02c92992a5..1cad170a05 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.19
+PLUGIN_VERSION=		1.20
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7 ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index efddc98aea..087fcf1367 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.20
+
+* Allow to adjust reference cost for OSPF calculation
+
 1.19
 
 * OSPF influence interface cost via carp
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
index 0305f58910..ba766ee930 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
@@ -22,6 +22,13 @@
         <advanced>true</advanced>
         <help>If you have a CARP setup, you may want to configure a router id in case of a conflict.</help>
     </field>
+    <field>
+        <id>ospf.costreference</id>
+        <label>Reference Cost</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Here you can adjust the reference cost in Mbps for path calculation. Mostly needed when you bundle interfaces to higher bandwidth.</help>
+    </field>
     <field>
         <id>ospf.passiveinterfaces</id>
         <label>Passive Interfaces</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 83ade2b6ff..56b7ebaf3f 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -16,6 +16,12 @@
             <Required>N</Required>
             <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
         </routerid>
+        <costreference type="IntegerField">
+            <Required>N</Required>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>4294967</MaximumValue>
+            <ValidationMessage>Must be a number between 1 and 4294967.</ValidationMessage>
+        </costreference>
         <originate type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index 72c880d873..ff4acea718 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -38,6 +38,9 @@ interface {{ physical_interface(interface.interfacename) }}
 {% endif %}
 !
 router ospf
+{% if helpers.exists('OPNsense.quagga.ospf.costreference') and OPNsense.quagga.ospf.costreference != '' %}
+ auto-cost reference-bandwidth {{ OPNsense.quagga.ospf.costreference }}
+{% endif %}
 {% if helpers.exists('OPNsense.quagga.ospf.routerid') and OPNsense.quagga.ospf.routerid != '' %}
  ospf router-id {{ OPNsense.quagga.ospf.routerid }}
 {% endif %}

From bcda3348297d3f86630b13a463aa30cd77eb5b97 Mon Sep 17 00:00:00 2001
From: Marc Leuser <marcquark@users.noreply.github.com>
Date: Sun, 13 Dec 2020 08:36:04 +0100
Subject: [PATCH 0295/3088] net/frr: Add FRR profile selection (defaults
 directive) (#2131)

---
 net/frr/pkg-descr                                        | 1 +
 .../app/controllers/OPNsense/Quagga/forms/general.xml    | 7 +++++++
 .../opnsense/mvc/app/models/OPNsense/Quagga/General.xml  | 9 +++++++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf | 3 +++
 .../service/templates/OPNsense/Quagga/ospf6d.conf        | 3 +++
 .../service/templates/OPNsense/Quagga/ospfd.conf         | 3 +++
 .../opnsense/service/templates/OPNsense/Quagga/ripd.conf | 3 +++
 .../service/templates/OPNsense/Quagga/zebra.conf         | 3 +++
 8 files changed, 32 insertions(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 087fcf1367..5b865aa850 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -19,6 +19,7 @@ Plugin Changelog
 
 * OSPF influence interface cost via carp
 * Uniform logging
+* Add configuration profile selection
 
 1.18
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
index 2fcfbc2b9b..29c3e7bd71 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
@@ -5,6 +5,13 @@
         <type>checkbox</type>
         <help>This will activate the routing service.</help>
     </field>
+    <field>
+        <id>general.profile</id>
+        <label>Profile</label>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Control FRR's default profile. "traditional" is the default, "datacenter" is more aggressive. Please refer to the <a href="http://docs.frrouting.org/en/latest/basic.html#profiles">FRR documentation</a> for more information.]]></help>
+    </field>
     <field>
         <id>general.enablecarp</id>
         <label>Enable CARP Failover</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
index 80d9576ebf..de9a496bde 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
@@ -7,6 +7,15 @@
             <default>0</default>
             <Required>Y</Required>
         </enabled>
+        <profile type="OptionField">
+            <Required>Y</Required>
+            <multiple>N</multiple>
+            <default>traditional</default>
+            <OptionValues>
+                <traditional>Traditional</traditional>
+                <datacenter>Datacenter</datacenter>
+            </OptionValues>
+        </profile>
         <enablecarp type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 86a75860ad..4bd7d7ef60 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -8,6 +8,9 @@
 {%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
+{%   if helpers.exists('OPNsense.quagga.general.profile') %}
+frr defaults {{ OPNsense.quagga.general.profile }}
+{%   endif %}
 {% endif %}
 !
 !
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index b58d95986e..603950f669 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -11,6 +11,9 @@
 {%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
+{%   if helpers.exists('OPNsense.quagga.general.profile') %}
+frr defaults {{ OPNsense.quagga.general.profile }}
+{%   endif %}
 {% endif %}
 !
 !
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index ff4acea718..dda33b080a 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -11,6 +11,9 @@
 {%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
+{%   if helpers.exists('OPNsense.quagga.general.profile') %}
+frr defaults {{ OPNsense.quagga.general.profile }}
+{%   endif %}
 {% endif %}
 !
 !
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
index ffb74650e5..70532d4f1a 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
@@ -8,6 +8,9 @@
 {%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
+{%   if helpers.exists('OPNsense.quagga.general.profile') %}
+frr defaults {{ OPNsense.quagga.general.profile }}
+{%   endif %}
 {% endif %}
 !
 router rip
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
index 01a97a6f4f..06de1506be 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
@@ -3,6 +3,9 @@
 ! Zebra configuration saved from vty
 !   2017/03/03 20:21:04
 !
+{% if helpers.exists('OPNsense.quagga.general.profile') %}
+frr defaults {{ OPNsense.quagga.general.profile }}
+{% endif %}
 {% if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {% endif %}

From 2af12712c68dc529e23764815df3be9fc33f31ca Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 13 Dec 2020 08:38:04 +0100
Subject: [PATCH 0296/3088] net/frr: fix previous

---
 net/frr/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 5b865aa850..a25daaa3e0 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,12 +14,12 @@ Plugin Changelog
 1.20
 
 * Allow to adjust reference cost for OSPF calculation
+* Add configuration profile selection
 
 1.19
 
 * OSPF influence interface cost via carp
 * Uniform logging
-* Add configuration profile selection
 
 1.18
 

From a37538b636fba7b8cfd4bd3a676dc86abf61b2f5 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 13 Dec 2020 12:36:56 +0100
Subject: [PATCH 0297/3088] security/acme-client: use configured DNS sleep time
 for Namesilo, fixes #2121

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../OPNsense/AcmeClient/forms/dialogValidation.xml           | 5 +++++
 .../library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php | 2 --
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f96250468e..df3044f386 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+2.2
+
+Changed:
+* BREAKING: use configured DNS sleep time for Namesilo instead of hardcoded value (#2121)
+
 2.1
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 7866682af6..4ad41e7ea0 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -752,6 +752,11 @@
         <type>header</type>
         <style>table_dns table_dns_namesilo</style>
     </field>
+    <field>
+        <label>NOTE: A DNS sleep time of at least 1000 is recommended.</label>
+        <type>header</type>
+        <style>table_dns table_dns_namesilo</style>
+    </field>
     <field>
         <id>validation.dns_namesilo_key</id>
         <label>Key</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php
index 1cfa7f3267..98eca7ccfb 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamesilo.php
@@ -40,7 +40,5 @@ class DnsNamesilo extends Base implements LeValidationInterface
     public function prepare()
     {
         $this->acme_env['Namesilo_Key'] = (string)$this->config->dns_namesilo_key;
-        // Namesilo applies changes to DNS records only every 15 minutes.
-        $this->acme_args[] = '--dnssleep 960';
     }
 }

From 0fe2422fa0a76248ba7c358cb170d31a7c894c65 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 13 Dec 2020 12:53:06 +0100
Subject: [PATCH 0298/3088] security/acme-client: remove all hardcoded DNS
 sleep times

The report in #2121 made it clear that it was never a good idea to use a
hardcoded value in the first place. It is very likely a breaking change for
some users, so I've added notes to the GUI and the plugin changelog.
---
 security/acme-client/pkg-descr                |  4 ++++
 .../AcmeClient/forms/dialogValidation.xml     | 20 +++++++++++++++++++
 .../AcmeClient/LeValidation/DnsLexicon.php    |  5 -----
 .../AcmeClient/LeValidation/DnsLinode.php     |  2 --
 .../AcmeClient/LeValidation/DnsLinodeV4.php   |  2 --
 .../AcmeClient/LeValidation/DnsNetcup.php     |  2 --
 6 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index df3044f386..5496892288 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,10 @@ Plugin Changelog
 
 Changed:
 * BREAKING: use configured DNS sleep time for Namesilo instead of hardcoded value (#2121)
+* BREAKING: use configured DNS sleep time for Lexicon/Namesilo instead of hardcoded value
+* BREAKING: use configured DNS sleep time for Linode instead of hardcoded value
+* BREAKING: use configured DNS sleep time for Linode v4 instead of hardcoded value
+* BREAKING: use configured DNS sleep time for Netcup instead of hardcoded value
 
 2.1
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 4ad41e7ea0..00ca5e203d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -603,6 +603,11 @@
         <type>header</type>
         <style>table_dns table_dns_lexicon</style>
     </field>
+    <field>
+        <label>NOTE: A DNS sleep time of at least 1000 may be required.</label>
+        <type>header</type>
+        <style>table_dns table_dns_lexicon</style>
+    </field>
     <field>
         <id>validation.dns_lexicon_provider</id>
         <label>Provider</label>
@@ -623,6 +628,11 @@
         <type>header</type>
         <style>table_dns table_dns_linode</style>
     </field>
+    <field>
+        <label>NOTE: A DNS sleep time of at least 1000 is recommended.</label>
+        <type>header</type>
+        <style>table_dns table_dns_linode</style>
+    </field>
     <field>
         <id>validation.dns_linode_key</id>
         <label>Key</label>
@@ -633,6 +643,11 @@
         <type>header</type>
         <style>table_dns table_dns_linode_v4</style>
     </field>
+    <field>
+        <label>NOTE: A DNS sleep time of at least 1000 is recommended.</label>
+        <type>header</type>
+        <style>table_dns table_dns_linode_v4</style>
+    </field>
     <field>
         <id>validation.dns_linode_v4_key</id>
         <label>Key</label>
@@ -767,6 +782,11 @@
         <type>header</type>
         <style>table_dns table_dns_netcup</style>
     </field>
+    <field>
+        <label>NOTE: A DNS sleep time of at least 600 is recommended.</label>
+        <type>header</type>
+        <style>table_dns table_dns_netcup</style>
+    </field>
     <field>
         <id>validation.dns_netcup_cid</id>
         <label>Customer number</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLexicon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLexicon.php
index 2ffc6d1ec4..0173baa30a 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLexicon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLexicon.php
@@ -46,10 +46,5 @@ public function prepare()
         $this->acme_env['PROVIDER'] = $provider;
         $this->acme_env[$env_user] = (string)$this->config->dns_lexicon_user;
         $this->acme_env[$env_token] = (string)$this->config->dns_lexicon_token;
-
-        if ((string)$this->config->dns_lexicon_provider == 'namesilo') {
-            // Namesilo applies changes to DNS records only every 15 minutes.
-            $this->acme_args[] = '--dnssleep 960';
-        }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinode.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinode.php
index 2b2453b8bd..e641fa4832 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinode.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinode.php
@@ -40,7 +40,5 @@ class DnsLinode extends Base implements LeValidationInterface
     public function prepare()
     {
         $this->acme_env['LINODE_API_KEY'] = (string)$this->config->dns_linode_key;
-        // Linode can take up to 15 to update DNS records
-        $this->acme_args[] = '--dnssleep 960';
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinodeV4.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinodeV4.php
index c69293a243..2bad2738a1 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinodeV4.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLinodeV4.php
@@ -40,7 +40,5 @@ class DnsLinodeV4 extends Base implements LeValidationInterface
     public function prepare()
     {
         $this->acme_env['LINODE_V4_API_KEY'] = (string)$this->config->dns_linode_v4_key;
-        // Linode can take up to 15 to update DNS records
-        $this->acme_args[] = '--dnssleep 960';
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNetcup.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNetcup.php
index b4afca6cb5..3c9955edaf 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNetcup.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNetcup.php
@@ -42,7 +42,5 @@ public function prepare()
         $this->acme_env['NC_CID'] = (string)$this->config->dns_netcup_cid;
         $this->acme_env['NC_Apikey'] = (string)$this->config->dns_netcup_key;
         $this->acme_env['NC_Apipw'] = (string)$this->config->dns_netcup_pw;
-        // netcup applies changes to DNS records only every 10 minutes.
-        $this->acme_args[] = '--dnssleep 600';
     }
 }

From 9c25ef44a5866986856c6b631cae821d562e6178 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 13 Dec 2020 13:06:26 +0100
Subject: [PATCH 0299/3088] security/acme-client: update changelog, refs #2130

---
 security/acme-client/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 5496892288..67271d4430 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 2.2
 
+Fixed:
+* fix DNS challenge alias mode (#2128, #2130)
+
 Changed:
 * BREAKING: use configured DNS sleep time for Namesilo instead of hardcoded value (#2121)
 * BREAKING: use configured DNS sleep time for Lexicon/Namesilo instead of hardcoded value

From 7bae0539c4f2f7190082f3f7f6694af00adb7079 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 13 Dec 2020 13:20:16 +0100
Subject: [PATCH 0300/3088] security/acme-client: add support for hexonet.com
 DNS API, closes #2134

---
 security/acme-client/pkg-descr                |  3 ++
 .../AcmeClient/forms/dialogValidation.xml     | 16 +++++++
 .../AcmeClient/LeValidation/DnsHexonet.php    | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 71 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHexonet.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 67271d4430..b559755f7b 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 2.2
 
+Added:
+* add support for hexonet.com DNS API (#2134)
+
 Fixed:
 * fix DNS challenge alias mode (#2128, #2130)
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 00ca5e203d..e6999e3a99 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1221,4 +1221,20 @@
         <label>deSEC domain</label>
         <type>text</type>
     </field>
+    <field>
+        <label>hexonet.com DNS API</label>
+        <type>header</type>
+        <style>table_dns table_dns_hexonet</style>
+    </field>
+    <field>
+        <id>validation.dns_hexonet_login</id>
+        <label>Login</label>
+        <type>text</type>
+        <help>This should be a combination of the username and role ID. For example, when the username is "myuser" and role ID is "testrole", then "myuser!testrole" must be used here.</help>
+    </field>
+    <field>
+        <id>validation.dns_hexonet_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHexonet.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHexonet.php
new file mode 100644
index 0000000000..570b59dbfc
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHexonet.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Hexonet DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsHexonet extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Hexonet_Login'] = (string)$this->config->dns_hexonet_login;
+        $this->acme_env['Hexonet_Password'] = (string)$this->config->dns_hexonet_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b87b20dbc1..02722c751e 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -401,6 +401,7 @@
                         <dns_gcloud>Google Cloud DNS API</dns_gcloud>
                         <dns_gdnsdk>GratisDNS.dk</dns_gdnsdk>
                         <dns_hetzner>Hetzner DNS API</dns_hetzner>
+                        <dns_hexonet>hexonet.com DNS API</dns_hexonet>
                         <dns_hostingde>hosting.de API</dns_hostingde>
                         <dns_he>Hurricane Electric</dns_he>
                         <dns_infoblox>Infoblox API</dns_infoblox>
@@ -917,6 +918,12 @@
                 <dns_hetzner_token type="TextField">
                     <Required>N</Required>
                 </dns_hetzner_token>
+                <dns_hexonet_login type="TextField">
+                    <Required>N</Required>
+                </dns_hexonet_login>
+                <dns_hexonet_password type="TextField">
+                    <Required>N</Required>
+                </dns_hexonet_password>
                 <dns_1984hosting_user type="TextField">
                     <Required>N</Required>
                 </dns_1984hosting_user>

From 449342dd771ff0c4937b72d844b697fbf1b645d4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 13 Dec 2020 13:25:07 +0100
Subject: [PATCH 0301/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index b38548cc80..c64e3b48a7 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		2.1
+PLUGIN_VERSION=		2.2
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 43b93e7bd98960b4743a1c9e80dfa6863f71ba26 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sat, 12 Dec 2020 22:57:07 +0100
Subject: [PATCH 0302/3088] rip out legacy code

---
 net/frr/Makefile                              |   2 +-
 .../src/opnsense/scripts/quagga/diag-bgp.sh   |  20 -
 net/frr/src/opnsense/scripts/quagga/quagga.rb | 757 ------------------
 .../conf/actions.d/actions_quagga.conf        | 188 +++--
 4 files changed, 143 insertions(+), 824 deletions(-)
 delete mode 100755 net/frr/src/opnsense/scripts/quagga/diag-bgp.sh
 delete mode 100755 net/frr/src/opnsense/scripts/quagga/quagga.rb

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 1cad170a05..ae31d1269d 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.20
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
-PLUGIN_DEPENDS=		frr7 ruby
+PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/net/frr/src/opnsense/scripts/quagga/diag-bgp.sh b/net/frr/src/opnsense/scripts/quagga/diag-bgp.sh
deleted file mode 100755
index 4d6e81f268..0000000000
--- a/net/frr/src/opnsense/scripts/quagga/diag-bgp.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-
-case "$1" in
-  bgp)
-    vtysh -d bgpd -c "show ip bgp"
-    ;;
-  summary)
-    vtysh -d bgpd -c "show bgp summary"
-    ;;
-  neighbor)
-    vtysh -d bgpd -c "show ip bgp neighbors $2"
-    ;;
-  neighbor-adv)
-    vtysh -d bgpd -c "show ip bgp neighbors $2 advertised-routes"
-    ;;
-  *)
-    echo "Usage: $0 bgp|summary|neighbor <ip>|neighbor-adv <ip>"
-    exit 1
-esac
-exit 0
diff --git a/net/frr/src/opnsense/scripts/quagga/quagga.rb b/net/frr/src/opnsense/scripts/quagga/quagga.rb
deleted file mode 100755
index a594278552..0000000000
--- a/net/frr/src/opnsense/scripts/quagga/quagga.rb
+++ /dev/null
@@ -1,757 +0,0 @@
-#!/usr/local/bin/ruby
-=begin
-Copyright 2017 Fabian Franz
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation and/or
-   other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
-OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-=end
-
-require 'json'
-require 'shellwords'
-require 'pp'
-
-$QUAGGA_DEBUG = false
-
-class VTYSH
-  def initialize(path = '/usr/local/bin/vtysh')
-    @path = path
-  end
-
-  def execute(param)
-    o = `#{@path} -c #{param.shellescape}`
-    raise "error" if o.length <= 2
-    raise "command error - command: #{param}" if o.include? "% Unknown command"
-    o
-  end
-
-  #def execute(param)
-  #  fn = param.sub("show","sh").gsub(" ","_")
-  #  File.read(fn)
-  #end
-end
-
-class QuaggaTableReader
-  attr_accessor :headers
-  def initialize(headers = [])
-    @headers = headers
-  end
-  def read_headline(line, start_without_header = false, start_without_header_name = 'status')
-    # get begin of header (number of the first char of the string)
-    header = line
-    header_offset = {}
-    header_offset[0] = start_without_header_name if start_without_header
-    @headers.map do |x|
-      header_offset[header.index(x)] = x.strip
-    end
-
-
-    # make ranges: this will make a range of the first char of the sting until
-    # the the char befor the next heading begins
-    ranges = []
-    0.upto (header_offset.keys.length - 2) do |i|
-      ranges << ((header_offset.keys[i])...(header_offset.keys[i + 1]))
-    end
-    # the last one has no next heading - this will go to the end of the line
-    ranges.push ((header_offset.keys.last)..-1) # path
-    @header_offset = header_offset
-    @ranges = ranges
-    nil
-  end
-
-  def read_entry(line, expand_fields = {})
-    raise "heading missing" unless @ranges
-    tmp = {}
-    return tmp unless line&.strip.length > 2
-
-    @ranges.each do |r|
-      # the string starts here
-      b = r.begin
-      # get the heading starting where the string starts
-      n = @header_offset[b]
-      # get the data or return an empty string
-      tmp[n] = line[r]&.strip || ""
-    end
-    # replace characters by the meaning
-    expand_fields.keys.each do |key|
-      tmp[key] = tmp[key].split("").map {|x| {dn: expand_fields[key][x], abb: x} } if tmp[key]
-    end
-    tmp
-  end
-end
-
-class General
-  def initialize(vtysh)
-    @vtysh = vtysh
-  end
-  def routes(ipv6 = false)
-    lines = @vtysh.execute("show ip#{ipv6 ? 'v6' : ''} route").lines
-
-    # headers
-    meanings = {}
-    while (line = lines.shift.strip) != ''
-      line = line.gsub('Codes: ','')
-      line.split(",").each do |meaning|
-        short, long = meaning.strip.split(" - ")
-        meanings[short] = long
-      end
-    end
-
-    # you don't have to understand this regex ;)
-    entry_regex = /(\S+?)\s+?(\S+?)(?: \[(\d+)\/(\d+)\])? (?:(?:via (\S+?)|is ([^,]+?)|), ([^,\n]+)|(unreachable \(blackhole\)))(?:, (\S+))?/
-    entries = []
-    while (line = lines.shift&.strip)
-      if line.length > 10
-        code, network, ad, metric, via, direct, interface, unreachable, time = line.scan(entry_regex).first
-        code = code.split('').map {|c| {short: c, long: meanings[c]}}
-        entries << {code: code, network: (network || direct), ad: ad, via: via || unreachable, metric: metric, interface: interface, time: time }
-      end
-    end
-    entries
-  end
-
-  def routes6
-    routes(true)
-  end
-
-end
-
-class OSPF
-  def initialize(vtysh)
-    @vtysh = vtysh
-  end
-  def neighbors
-    qta = QuaggaTableReader.new(["Neighbor ID", "Pri", "State", "Dead Time", "Address", "Interface", "RXmtL", "RqstL", "DBsmL"])
-    lines = @vtysh.execute("show ip ospf neighbor").lines
-    lines.shift # empty line
-    data = []
-    qta.read_headline(lines.shift)
-    while (line = lines.shift) && (line.length > 2)
-      data << qta.read_entry(line)
-    end
-    data
-  end
-
-  def interface
-    lines = @vtysh.execute("show ip ospf interface").lines
-    interfaces = {}
-    current_if = ''
-    while line = lines.shift
-      next if line.strip.length <= 1
-      if line[0] != ' ' # we are in a heading
-        current_if = line.split(" ").first
-        interfaces[current_if] = {}
-        current_if = interfaces[current_if]
-        current_if[:enabled] = true
-        lines.shift
-      else
-        line.strip!
-        case line
-        when 'OSPF not enabled on this interface'
-          current_if[:enabled] = false
-        when /Internet Address ([^,]+?), Broadcast ([^,]+?), Area (.*)/
-          current_if[:address] = $1
-          current_if[:broadcast] = $2
-          current_if[:area] = $3
-        when /MTU mismatch detection:(.*)/
-          current_if[:mtu_mismatch_detection] = ($1 == 'enabled')
-        when /Router ID ([^,]+?), Network Type ([^,]+?), Cost: (\d+)/
-          current_if[:router_id] = $1
-          current_if[:network_type] = $2
-          current_if[:cost] = $3.to_i
-        when /Transmit Delay is (\d+) sec, State ([^,]+?), Priority (\d+)/
-          current_if[:transmit_delay] = $1.to_i
-          current_if[:state] = $2
-          current_if[:priority] = $3.to_i
-        when "No designated router on this network"
-          current_if[:designated_router] = nil
-        when /Designated Router \(ID\) ([^,]+?), Interface Address (.*)/
-          current_if[:designated_router] = $1
-          current_if[:designated_router_interface_address] = $2
-        when "No backup designated router on this network"
-          current_if[:backup_designated_router] = nil
-        when /Timer intervals configured, Hello (\d+)s, Dead (\d+)s, Wait (\d+)s, Retransmit (\d+)/
-          current_if[:intervals] = {hello: $1.to_i, dead: $2.to_i, wait: $3.to_i, retransmit: $4.to_i}
-        when /Multicast group memberships: (.*)/
-          current_if[:multicast_group_memberships] = $1.split(" ")
-        when /Hello due in ([\d\.]+|inactive)s?/
-          current_if[:hello_due_in] = $1 == 'inactive' ? $1 : $1.to_f
-        when /Neighbor Count is (\d+), Adjacent neighbor count is (\d+)/
-          current_if[:neighbor_count] = $1.to_i
-          current_if[:adjacent_neighbor_count] = $2.to_i
-        else
-          # make sure there is an array to write in
-          current_if[:unparsed] ||= []
-          current_if[:unparsed] << line
-          puts line if $QUAGGA_DEBUG
-        end
-      end
-    end
-    interfaces
-  end
-
-  def database
-    lines = @vtysh.execute("show ip ospf database").lines
-    db = {}
-    heading = ''
-    router = ''
-    router_link_states_area = ''
-    mode = :none
-    qta = nil
-    while line = lines.shift
-      next if line == ''
-      if line[0] == ' ' # heading
-        heading = line.strip
-        case heading
-        when /OSPF Router with ID \(([\.\d]+)\)/
-          router = $1
-          db[router] ||= {}
-          mode = :router
-        when /Router Link States \(Area ([\.\d]+)\)/
-          router_link_states_area = $1
-          db[router]['router_link_state_area'] ||= {}
-          db[router]['router_link_state_area'][$1] ||= []
-          mode = :router_link_state
-          qta = nil
-        when /Net Link States \(Area ([\.\d]+)\)/
-          net_link_states_area = $1
-          db[router]['net_link_state_area'] ||= {}
-          db[router]['net_link_state_area'][$1] ||= []
-          mode = :net_link_state
-          qta = nil
-        when 'AS External Link States'
-          mode = :states
-          db[router]['external_states'] ||= []
-          qta = nil
-        else
-          puts "unknown heading" if $QUAGGA_DEBUG
-        end
-      else
-        if qta == nil
-          case mode
-          when :router_link_state
-            qta = QuaggaTableReader.new(["Link ID", "ADV Router", "Age", "Seq#", "CkSum", "Link count"])
-          when :net_link_state
-            qta = QuaggaTableReader.new(["Link ID", "ADV Router", "Age", "Seq#", "CkSum"])
-          when :states
-            qta = QuaggaTableReader.new(["Link ID", "ADV Router", "Age", "Seq#", "CkSum", "Route\n"])
-          else
-            next
-          end
-          headline = lines.shift
-          qta.read_headline(headline,true)
-        else
-          entry = qta.read_entry(line)
-          case mode
-          when :router_link_state
-            db[router]['router_link_state_area'][router_link_states_area] << entry
-          when :net_link_state
-            db[router]['net_link_state_area'][net_link_states_area] << entry
-          when :states
-            db[router]['external_states'] << entry
-          end
-        end
-      end
-      # table
-    end
-    db
-  end
-
-  def route
-    lines = @vtysh.execute("show ip ospf route").lines
-    heading = ''
-    route = {}
-    last_line = []
-    while line = lines.shift
-      if line[0] == "=" #heading
-        heading = line.scan(/=* ([^=]*) =*/).first.first
-        route[heading] = []
-      else # data
-        case line.strip
-        when /N\s+([\d\.\/]+)\s+\[(\d+)\]\s+area:\s(.*)/
-          last_line = {network: $1, cost: $2.to_i, area: $3, type: 'N'}
-          route[heading] << last_line
-        when /N (E(?:\d+) (?:\S+))\s+\[([\d\/]+)\] tag: (\d+)/
-          last_line = {network: $1, cost: $2, tag: $3.to_i, type: 'N'}
-          route[heading] << last_line
-        when /(?:(directly attached) to|via ([^,]+),) (.*)/
-          last_line[:via] = $1 || $2
-          last_line[:via_interface] = $3
-        when /R\s+(\S+)\s+\[(\d+)\] area: ([^,]+)(, ASBR)/
-          last_line = {ip: $1, cost: $2.to_i, area: $3, asbr: (", ASBR" == $4), type: 'R'}
-          route[heading] << last_line
-        else
-          puts line if $QUAGGA_DEBUG
-        end
-      end
-    end
-    route
-  end
-
-  def overview
-    lines = @vtysh.execute("show ip ospf").lines
-    overview = {rfc2328_conform: false, asbr: false}
-    while line = lines.shift&.strip
-      case line
-      when /OSPF Routing Process, Router ID: ([\d\.]+)/
-        overview[:router_id] = $1
-      when "This implementation conforms to RFC2328"
-        overview[:rfc2328_conform] = true
-      when /OpaqueCapability flag is (\S+)/
-        overview[:opaque_capability] = ($1 == 'enabled')
-      when /Initial SPF scheduling delay (\d+) millisec\(s\)/
-        overview[:initial_spf_scheduling_delay] = $1.to_i
-      when /(Min|Max)imum hold time between consecutive SPFs (\d+) millisec\(s\)/
-        overview[:hold_time] ||= {}
-        overview[:hold_time][$1.downcase] = $2.to_i
-      when "This router is an ASBR (injecting external routing information)"
-        overview[:asbr] = true
-      when /Number of external LSA (\d+). Checksum Sum ([x\d]+)/
-        overview[:external_lsa] = {count: $1.to_i, checksum: $2}
-      when /Number of opaque AS LSA (\d+). Checksum Sum ([x\d]+)/
-        overview[:opaque_as_lsa] = {count: $1.to_i, checksum: $2}
-      when /Refresh timer (\d+) secs/
-        overview[:refresh_timer] = $1.to_i
-      when /Number of areas attached to this router: (\d+)/
-        overview[:areas_attached_count] = $1.to_i
-      when /Hold time multiplier is currently (\d+)/
-        overview[:current_hold_time_multipier] = $1.to_i
-      when /RFC1583Compatibility flag is (\S+)/
-        overview[:rfc1583_compatibility] = ($1 == 'enabled')
-      when /SPF timer is (.*)/
-        overview[:spf_timer] = $1
-      when ""
-        break
-      else
-        puts line if $QUAGGA_DEBUG
-      end
-    end
-    # general overview has ended - now the area overviews come
-    overview[:areas] = {}
-    current_area = {}
-    while line = lines.shift&.strip
-      case line
-      when /Area ID: (.*)/
-        current_area = {}
-        overview[:areas][$1] = current_area
-      when /Number of interfaces in this area: Total: (\d+), Active: (\d+)/
-        current_area[:interfaces] = {total: $1.to_i,active:  $2.to_i}
-      when /Number of (router|network|summary) LSA (\d+). Checksum Sum ([\da-fx]+)/
-        current_area[:lsa] ||= {}
-        current_area[:lsa][$1] = {count: $2.to_i, checksum: $3}
-      when /Number of LSA (\d+)/
-        current_area[:lsa] ||= {}
-        current_area[:lsa][:count] = $1.to_i
-      when /Number of (opaque (?:area|link)|NSSA|ASBR summary) LSA (\d+). Checksum Sum ([\da-fx]+)/
-        current_area[:lsa] ||= {}
-        current_area[:lsa][$1] = {count: $2.to_i, checksum: $3}
-      when /Number of fully adjacent neighbors in this area: (\d+)/
-        current_area[:fully_adjacent_neighbor_count] = $1.to_i
-      when /SPF algorithm executed (\d) times/
-        current_area[:spf_exec_count] = $1.to_i
-      when "Area has no authentication"
-        current_area[:auth] = "none"
-      else
-        puts line if $QUAGGA_DEBUG
-      end
-    end
-    overview
-  end
-end
-
-class BGP
-  def initialize(sh)
-    @vtysh = sh
-  end
-
-  def overview
-    output = @vtysh.execute('show ip bgp')
-    return {} if output.include? "No BGP process is configured"
-    return {} unless output.include? 'version' # we get an empty output if quagga is not running
-    output = output.split("\n")
-    bgp = {}
-
-    # Process the header/definitions
-    while line = output.shift&.rstrip
-      case line
-      when /^BGP table version/
-        x,y = line.scan(/.*?version is (\d+).*?ID is ([0-9\.]+).*/).first
-        bgp['table_version'] = x
-        bgp['local_router_id'] = y
-      when /^Status codes/
-        # find out, what the status abbreviations mean
-        status_codes = {}
-        line.split(":").last.strip.split(",").each do |x|
-          k,v = x.strip.split(" ")
-          status_codes[k] = v
-        end
-        while line.end_with? ","
-          line = output.shift
-          line.strip.split(",").each do |x|
-            k,v = x.strip.split(" ")
-            status_codes[k] = v
-          end
-        end
-      when /^Origin codes/
-        # same like before but for the origin codes
-        origin_codes = {}
-        line.split(":").last.strip.split(",").each do |x|
-          k,v = x.strip.split(" - ")
-          origin_codes[k] = v
-        end
-      when /^Nexthop codes/
-        # Just eat this line, nothing to do with it
-      when ""
-        # Found the end of the header, reached the table
-        break
-      else
-        # eat all other (unexpected) lines
-        puts line if $QUAGGA_DEBUG
-      end
-    end
-
-    # Process the tabular data
-    bgp['output'] = []
-    qta = QuaggaTableReader.new(["Network", "Next Hop", "Metric", "LocPrf", "Weight", "Path"])
-    qta.read_headline(output.shift,true)
-    while line = output.shift&.strip
-      break if line == ''
-      data = qta.read_entry(line)
-      data['status'] = data['status'].split("").map {|x| {dn: status_codes[x], abb: x} }
-      data['Path'] = data['Path'].split("").map {|x| {dn: origin_codes[x], abb: x} }
-      bgp['output'] << data
-    end
-    bgp
-  end
-end
-
-class OSPFv3
-  def initialize(sh)
-    @vtysh = sh
-  end
-
-  def overview
-    lines = @vtysh.execute("show ipv6 ospf6").lines
-    overview = {}
-    while line = lines.shift&.strip
-      case line
-      when /OSPFv3 Routing Process \((\d+)\) with Router-ID ([\d\.]+)/
-        overview[:router_id] = $2
-        overview[:routing_process] = $1.to_i
-      when /Initial SPF scheduling delay (\d+) millisec\(s\)/
-        overview[:initial_spf_scheduling_delay] = $1.to_i
-      # this line contains a typo in the output - I made it to work with and without
-      # this typo
-      when /(Min|Max)imum hold time between consecutive SPFs (\d+) milli?second\(s\)/
-        overview[:hold_time] ||= {}
-        overview[:hold_time][$1.downcase] = $2.to_i
-      when "This router is an ASBR (injecting external routing information)"
-        overview[:asbr] = true
-      when /SPF timer is (.*)/
-        overview[:spf_timer] = $1
-      when /Running (.*)/
-        overview[:running_time] = $1
-      when /Number of AS scoped LSAs is (\d+)/
-        overview[:number_as_scoped] = $1.to_i
-      when /Hold time multiplier is currently (\d+)/
-        overview[:current_hold_time_multipier] = $1.to_i
-      when /Number of areas in this router is (\d+)/
-        overview[:number_of_areas] = $1.to_i
-      when ""
-        break
-      else
-        # debug
-        puts line if $QUAGGA_DEBUG
-      end
-    end
-    # general overview has ended - now the area overviews come
-    overview[:areas] = {}
-    current_area = {}
-    while line = lines.shift&.strip
-      case line
-      when /^Area ([\d\.]*)/
-        current_area = {}
-        overview[:areas][$1] = current_area
-      when /Interface attached to this area: (.*)/
-        current_area[:interfaces] = $1.split(" ")
-      when /Number of Area scoped LSAs is (.*)/
-        current_area[:number_lsas] = $1.to_i
-      else
-        puts line if $QUAGGA_DEBUG
-      end
-    end
-    overview
-  end
-
-  def linkstate
-    lines = @vtysh.execute("show ipv6 ospf6 linkstate").lines
-    linkstate = {}
-
-    qta = nil
-    current_area = []
-    while line = lines.shift&.strip
-      case line
-      when /SPF Result in Area (.*)/
-        linkstate[$1] = current_area = []
-        qta = QuaggaTableReader.new(["Type","Router-ID", "Net-ID", "Rtr-Bits", "Options", "Cost"])
-        lines.shift
-        qta.read_headline(lines.shift)
-      else
-        if line.length > 10
-          current_area << qta.read_entry(line)
-        end
-      end
-    end
-    linkstate
-  end
-
-  def route
-    route = []
-    lines = @vtysh.execute("show ipv6 ospf6 route").lines
-
-    lines.each do |line|
-      f1, f2, network, gateway, interface, time = line.strip.split(/\s+/)
-      route << { f1: f1,
-                 f2: f2,
-                 network: network,
-                 gateway: gateway,
-                 interface: interface,
-                 time: time }
-    end
-    route
-  end
-
-  def neighbors
-    qta = QuaggaTableReader.new(["Neighbor ID","Pri", "DeadTime", "State/IfState", "Duration I/F[State]"])
-    neighbor = []
-    nb = @vtysh.execute("show ipv6 ospf6 neighbor").lines
-    qta.read_headline(nb.shift.strip)
-    while line = nb.shift&.strip
-      puts line
-      if line.length > 10
-        tmp = qta.read_entry(line)
-        tmp['Pri'] = tmp['Pri'].to_i
-        neighbor << tmp
-      end
-    end
-    neighbor
-  end
-  def database
-    lines = @vtysh.execute("show ipv6 ospf6 database").lines
-    database = {}
-    mode = :none
-    area = ''
-    qta = :none
-    while line = lines.shift&.strip
-      case line
-      when /Area Scoped Link State Database \(Area (.*)\)/
-        mode = :scoped_link_db
-        database[:scoped_link_db] ||= {}
-        database[:scoped_link_db][$1] = area = []
-        qta = database_qta(lines)
-      when /I\/F Scoped Link State Database \(I\/F (\S+) in Area (.*)\)/
-        mode = :if_scoped_link_state
-        database[:if_scoped_link_state] ||= {}
-        database[:if_scoped_link_state][$1] ||= {}
-        area = database[:if_scoped_link_state][$1][$2] ||= []
-        qta= database_qta(lines)
-      when "AS Scoped Link State Database"
-        mode = :as_scoped
-        area = database[:as_scoped] ||= []
-        qta=database_qta(lines)
-        # note: i have no data for this but i think it looks like the others
-      else
-        if line.length > 10
-          area << qta.read_entry(line)
-        end
-      end
-    end
-    database
-  end
-
-  def interface
-    lines = @vtysh.execute("show ipv6 ospf6 interface").lines
-    int = {}
-    current_if = {}
-    while line = lines.shift
-      if line.length > 5
-        case line.strip
-        when /(\S+) is (down|up), type ([A-Z]+)/
-          current_if =  int[$1] = {up: ($2 == "up" ? true : false),
-                                   type: $3,
-                                   enabled: true}
-        when /Interface ID: (\d+)/
-          current_if[:id] = $1.to_i
-        when /OSPF not enabled on this interface/
-          current_if[:enabled] = false
-        when /Instance ID (\d+), Interface MTU (\d+) \(autodetect: (\d+)\)/
-          current_if[:instance_id] = $1.to_i
-          current_if[:interface_mtu] = $2.to_i
-          current_if[:interface_mtu_autodetect] = $3.to_i
-        when "Internet Address:"
-          # ignore
-        when /(inet |inet6): (\S+)/
-          current_if[:IPv6] ||= []
-          current_if[:IPv4] ||= []
-          family = $1 == 'inet6' ? :IPv6 : :IPv4
-          address = $2
-          current_if[family] << address
-        when /MTU mismatch detection: (en|dis)abled/
-          current_if[:mtu_mismatch_detection] = $1 == 'en'
-        when /DR: (\S+) BDR: (\S+)/
-          current_if[:designated_router] = $1
-          current_if[:backup_designated_router] = $2
-        when /State (\S+), Transmit Delay (\d+) sec, Priority (\d+)/
-          current_if[:state] = $1
-          current_if[:transmit_delay] = $2.to_i
-          current_if[:priority] = $3.to_i
-        when /Number of I\/F scoped LSAs is (\d+)/
-          current_if[:number_if_scoped_lsas] = $1.to_i
-        when /(\d+) Pending LSAs for (\S+) in Time ([\d:]+)(?: (.*))/
-          current_if[:pending_lsas] ||= {}
-          current_if[:pending_lsas][$2] = {time: $3,
-                                           count: $1,
-                                           flags: $4}
-        when "Timer intervals configured:"
-          # ignore
-        when /Hello (\d+), Dead (\d+), Retransmit (\d+)/
-          current_if[:timers] = {hello: $1.to_i,
-                                 dead: $2.to_i,
-                                 retransmit: $3.to_i }
-        when /Area ID (\S+), Cost (\d+)/
-          current_if[:area_cost] ||= []
-          current_if[:area_cost] << {area: $1, cost: $2.to_i }
-        else
-          puts line if $QUAGGA_DEBUG
-        end
-      end
-    end
-    int
-  end
-
-  private
-  def database_qta(lines)
-    # DON'T REMOVE THE SPACES!!!
-    # For some reasons the fields are right aligned with the fields which makes it hard
-    # to parse. I don't know a better way to get the correct offset except automatically.
-    # (Detection of semantic of the fields)
-    qta = QuaggaTableReader.new(["Type", "LSId", "AdvRouter", "     Age", "  SeqNum","                       Payload"])
-    lines.shift
-    qta.read_headline(lines.shift)
-    qta
-  end
-end
-
-require 'optparse'
-options = {}
-
-OptionParser.new do |opts|
-  opts.banner = "Usage: #{__FILE__} -s section [section specific params]"
-  #### OSPFv2
-  opts.on("-d", "--ospf-database", "Prints the OSPF Database") do |od|
-    options[:ospf_database] = od
-  end
-  opts.on("-r", "--ospf-route", 'print OSPF routing table') do |od|
-    options[:ospf_route] = od
-  end
-  opts.on("-i", "--ospf-interface", 'print OSPF interface information') do |od|
-    options[:ospf_interface] = od
-  end
-  opts.on("-n", "--ospf-neighbor", 'Print OSPF neighbors') do |od|
-    options[:ospf_neighbors] = od
-  end
-  opts.on("-o", "--ospf-overview", "Print OSPF summary") do |od|
-    options[:ospf_overview] = od
-  end
-  #### OSPFv3
-    opts.on("-D", "--ospfv3-database", "Prints the OSPFv3 Database") do |od|
-    options[:ospfv3_database] = od
-  end
-  opts.on("-t", "--ospfv3-route", 'print OSPFv3 routing table') do |od|
-    options[:ospfv3_route] = od
-  end
-  opts.on("-I", "--ospfv3-interface", 'print OSPFv3 interface information') do |od|
-    options[:ospfv3_interface] = od
-  end
-  opts.on("-N", "--ospfv3-neighbor", 'Print OSPFv3 neighbors') do |od|
-    options[:ospfv3_neighbors] = od
-  end
-  opts.on("-O", "--ospfv3-overview", "Print OSPFv3 summary") do |od|
-    options[:ospfv3_overview] = od
-  end
-  #### general things about routing
-  opts.on("-R", "--general-routes", "Print Routing Table (IPv4)") do |od|
-    options[:general_routes] = od
-  end
-  opts.on("-6", "--general-routes6", "Print Routing Table (IPv6)") do |od|
-    options[:general_routes6] = od
-  end
-  ### BGP
-  opts.on("-B", "--bgp-overview", "Print an overview of BGP") do |od|
-    options[:bgp_overview] = od
-  end
-  ### program opts
-  opts.on("-H", "--human-readable", "Print the output human readable (not json)") do |od|
-    options[:human_readable] = od
-  end
-  opts.on("-X", "--debug", "Prints debug output") do |od|
-    $QUAGGA_DEBUG = true
-  end
-  opts.on("-h", "--help", "Prints this help") do
-    puts opts
-    exit
-  end
-end.parse!
-# use the lib
-sh = VTYSH.new
-ospf = OSPF.new sh
-ospfv3 = OSPFv3.new sh
-bgp = BGP.new sh
-general = General.new sh
-
-result = {}
-options.keys.each do |k|
-  # if it is true
-  if options[k]
-    begin
-      if k.to_s.include? 'ospf_'
-        cmd = k.to_s.split('_').last
-        result[k] = ospf.send(cmd)
-      elsif k.to_s.include? 'ospfv3'
-        cmd = k.to_s.split('_').last
-        result[k] = ospfv3.send(cmd)
-      elsif k.to_s.include? 'general'
-        cmd = k.to_s.split('_').last
-        result[k] = general.send(cmd)
-      elsif k.to_s.include? 'bgp'
-        cmd = k.to_s.split('_').last
-        result[k] = bgp.send(cmd)
-      end
-    rescue # do nothing on an error
-      result[k] = "error"
-      puts $! if $QUAGGA_DEBUG
-    end
-  end
-end
-
-# ospf.database, general.routes, ospf.interface, ospf.neighbors, ospf.route, ospf.overview
-if options[:human_readable]
-  pp result
-else
-  print result.to_json
-end
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 1b3075f56f..9875177dad 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -22,92 +22,188 @@ parameters:
 type:script_output
 message:request quagga
 
-[diag-bgp]
-command:/usr/local/opnsense/scripts/quagga/diag-bgp.sh
-parameters:%s
+[diagnostics.general_running-config]
+command:/usr/local/bin/vtysh -c "show running-config"
+parameters:
+type:script_output
+message:FRR diagnosticts "show running-config"
+
+[diagnostics.general_route]
+command:/usr/local/bin/vtysh -c "show ip route"
+parameters:
+type:script_output
+message:FRR diagnosticts "show ip route"
+
+[diagnostics.general_route_json]
+command:/usr/local/bin/vtysh -c "show ip route json"
+parameters:
+type:script_output
+message:FRR diagnosticts "show ip route json"
+
+[diagnostics.general_route6]
+command:/usr/local/bin/vtysh -c "show ipv6 route"
+parameters:
+type:script_output
+message:FRR diagnosticts "show ipv6 route"
+
+[diagnostics.general_route6_json]
+command:/usr/local/bin/vtysh -c "show ipv6 route json"
+parameters:
+type:script_output
+message:FRR diagnosticts "show ipv6 route json"
+
+[diagnostics.bgp_overview]
+command:/usr/local/bin/vtysh -c "show ip bgp"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip bgp"
+
+[diagnostics.bgp_overview_json]
+command:/usr/local/bin/vtysh -c "show ip bgp json"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip bgp json"
+
+[diagnostics.bgp_summary]
+command:/usr/local/bin/vtysh -c "show ip bgp summary"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip bgp summary"
+
+[diagnostics.bgp_summary_json]
+command:/usr/local/bin/vtysh -c "show ip bgp summary json"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip bgp summary json"
+
+[diagnostics.bgp_neighbors]
+command:/usr/local/bin/vtysh -c "show ip bgp neighbors"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip bgp neighbors"
+
+[diagnostics.bgp_neighbors_json]
+command:/usr/local/bin/vtysh -c "show ip bgp neighbors json"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip bgp neighbors json"
+
+[diagnostics.ospf_overview]
+command:/usr/local/bin/vtysh -c "show ip ospf"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip ospf"
+
+[diagnostics.ospf_overview_json]
+command:/usr/local/bin/vtysh -c "show ip ospf json"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip ospf json"
+
+[diagnostics.ospf_neighbor]
+command:/usr/local/bin/vtysh -c "show ip ospf neighbor"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip ospf neighbor"
+
+[diagnostics.ospf_neighbor_json]
+command:/usr/local/bin/vtysh -c "show ip ospf neighbor json"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip ospf neighbor json"
+
+[diagnostics.ospf_route]
+command:/usr/local/bin/vtysh -c "show ip ospf route"
+parameters:
+type:script_output
+message:FRR diagnostics "show ip ospf route"
+
+[diagnostics.ospf_route_json]
+command:/usr/local/bin/vtysh -c "show ip ospf route json"
+parameters:
 type:script_output
-message:bgp diagnostics
+message:FRR diagnostics "show ip ospf route json"
 
-[diag-bgp2]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --bgp-overview
+[diagnostics.ospf_database]
+command:/usr/local/bin/vtysh -c "show ip ospf database"
 parameters:
 type:script_output
-message:bgp diagnostics
+message:FRR diagnostics "show ip ospf database"
 
-[ospf-database]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospf-database
+[diagnostics.ospf_database_json]
+command:exit 1
 parameters:
 type:script_output
-message: Shows the OSPF database
+message:FRR diagnostics "show ip ospf database json" (not implemented)
 
-[ospf-route]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospf-route
+[diagnostics.ospf_interface]
+command:/usr/local/bin/vtysh -c "show ip ospf interface"
 parameters:
 type:script_output
-message: print OSPF routing table
+message:FRR diagnostics "show ip ospf interface"
 
-[ospf-interface]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospf-interface
+[diagnostics.ospf_interface_json]
+command:/usr/local/bin/vtysh -c "show ip ospf interface json"
 parameters:
 type:script_output
-message: print OSPF interface information
+message:FRR diagnostics "show ip ospf interface json"
 
-[ospf-neighbor]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospf-neighbor
+[diagnostics.ospfv3_overview]
+command:/usr/local/bin/vtysh -c "show ipv6 ospf6"
 parameters:
 type:script_output
-message: Print OSPF neighbors
+message:FRR diagnostics "show ipv6 ospf6"
 
-[ospf-overview]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospf-overview
+[diagnostics.ospfv3_overview_json]
+command:exit 1
 parameters:
 type:script_output
-message: Print OSPF summary
+message:FRR diagnostics "show ipv6 ospf6 json" (not implemented)
 
-[ospfv3-database]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospfv3-database
+[diagnostics.ospfv3_neighbor]
+command:/usr/local/bin/vtysh -c "show ipv6 ospf6 neighbor"
 parameters:
 type:script_output
-message: Shows the OSPF database
+message:FRR diagnostics "show ipv6 ospf6 neighbor"
 
-[ospfv3-route]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospfv3-route
+[diagnostics.ospfv3_neighbor_json]
+command:exit 1
 parameters:
 type:script_output
-message: print OSPF routing table
+message:FRR diagnostics "show ipv6 ospf6 neighbor json" (not implemented)
 
-[ospfv3-interface]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospfv3-interface
+[diagnostics.ospfv3_route]
+command:/usr/local/bin/vtysh -c "show ipv6 ospf6 route"
 parameters:
 type:script_output
-message: print OSPF interface information
+message:FRR diagnostics "show ipv6 ospf6 route"
 
-[ospfv3-neighbor]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospfv3-neighbor
+[diagnostics.ospfv3_route_json]
+command:exit 1
 parameters:
 type:script_output
-message: Print OSPF neighbors
+message:FRR diagnostics "show ipv6 ospf6 route json" (not implemented)
 
-[ospfv3-overview]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --ospfv3-overview
+[diagnostics.ospfv3_database]
+command:/usr/local/bin/vtysh -c "show ipv6 ospf6 database"
 parameters:
 type:script_output
-message: Print OSPF summary
+message:FRR diagnostics "show ipv6 ospf6 database"
 
-[general-routes]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --general-routes
+[diagnostics.ospfv3_database_json]
+command:exit 1
 parameters:
 type:script_output
-message: Print IPv4 Routing Table
+message:FRR diagnostics "show ipv6 ospf6 database json" (not implemented)
 
-[general-routes6]
-command:/usr/local/opnsense/scripts/quagga/quagga.rb --general-routes6
+[diagnostics.ospfv3_interface]
+command:/usr/local/bin/vtysh -c "show ipv6 ospf6 interface"
 parameters:
 type:script_output
-message: Print IPv6 Routing Table
+message:FRR diagnostics "show ipv6 ospf6 interface"
 
-[general-runningconfig]
-command:/usr/local/bin/vtysh -c "show run"
+[diagnostics.ospfv3_interface_json]
+command:exit 1
 parameters:
 type:script_output
-message: Show running configuration
+message:FRR diagnostics "show ipv6 ospf6 interface json" (not implemented)

From fb2c9f1af2aa32a980aa6836b2139e3d10ac725e Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sat, 12 Dec 2020 22:57:47 +0100
Subject: [PATCH 0303/3088] rework and streamline API

---
 .../Quagga/Api/DiagnosticsController.php      | 108 +++++++++---------
 1 file changed, 51 insertions(+), 57 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index a6d8da8f42..a4f3e358cb 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -41,96 +41,90 @@
  */
 class DiagnosticsController extends ApiControllerBase
 {
-    /**
-     * show ip bgp
-     * @return array
-     */
-    public function showipbgpAction()
+    private function getInformation(string $daemon, string $name, string $format): array
     {
         $backend = new Backend();
-        $response = json_decode(trim($backend->configdRun("quagga diag-bgp2")));
-        return array("response" => $response);
+        $response = $backend->configdRun("quagga diagnostics ".$daemon."_".$name.($format === "json" ? "_json" : ""));
+        return array("response" => ($format === "json" ? json_decode($response) : $response));
     }
-    /**
-     * show ip bgp summary
-     * @return array
-     */
-    public function showipbgpsummaryAction()
-    {
-        $backend = new Backend();
-        $response = $backend->configdRun("quagga diag-bgp summary");
-        return array("response" => $response);
-    }
-    public function showrunningconfigAction()
+
+    public function generalrunningconfigAction(): array
     {
-        $backend = new Backend();
-        $response = $backend->configdRun("quagga general-runningconfig");
-        return array("response" => $response);
+        return $this->getInformation("general", "running-config", "plain");
     }
-    private function get_ospf_information($name)
+
+    public function generalrouteAction($format = "json"): array
     {
-        $backend = new Backend();
-        return array("response" => json_decode(trim($backend->configdRun("quagga ospf-$name"))));
+        return $this->getInformation("general", "route", $format);
     }
-    private function get_ospf3_information($name)
+
+    public function generalroute6Action($format = "json"): array
     {
-        $backend = new Backend();
-        return array("response" => json_decode(trim($backend->configdRun("quagga ospfv3-$name"))));
+        return $this->getInformation("general", "route6", $format);
     }
-    // OSPFv2
-    public function ospfoverviewAction()
+
+    public function bgpoverviewAction($format = "json"): array
     {
-        return $this->get_ospf_information('overview');
+        return $this->getInformation("bgp", "overview", $format);
     }
-    public function ospfneighborAction()
+
+    public function bgpsummaryAction($format = "json"): array
     {
-        return $this->get_ospf_information('neighbor');
+        return $this->getInformation("bgp", "summary", $format);
     }
-    public function ospfrouteAction()
+
+    public function bgpneighborsAction($format = "json"): array
     {
-        return $this->get_ospf_information('route');
+        return $this->getInformation("bgp", "neighbors", $format);
     }
-    public function ospfdatabaseAction()
+
+    public function ospfoverviewAction($format = "json"): array
     {
-        return $this->get_ospf_information('database');
+        return $this->getInformation("ospf", "overview", $format);
     }
-    public function ospfinterfaceAction()
+
+    public function ospfneighborAction($format = "json"): array
     {
-        return $this->get_ospf_information('interface');
+        return $this->getInformation("ospf", "neighbor", $format);
     }
-    // OSPFv3
-    public function ospfv3overviewAction()
+
+    public function ospfrouteAction($format = "json"): array
     {
-        return $this->get_ospf3_information('overview');
+        return $this->getInformation("ospf", "route", $format);
     }
-    public function ospfv3neighborAction()
+
+    public function ospfdatabaseAction($format = "json"): array
     {
-        return $this->get_ospf3_information('neighbor');
+        return $this->getInformation("ospf", "database", $format);
     }
-    public function ospfv3routeAction()
+
+    public function ospfinterfaceAction($format = "json"): array
     {
-        return $this->get_ospf3_information('route');
+        return $this->getInformation("ospf", "interface", $format);
     }
-    public function ospfv3databaseAction()
+
+    public function ospfv3overviewAction($format = "json"): array
     {
-        return $this->get_ospf3_information('database');
+        return $this->getInformation("ospfv3", "overview", $format);
     }
-    public function ospfv3interfaceAction()
+
+    public function ospfv3neighborAction($format = "json"): array
     {
-        return $this->get_ospf3_information('interface');
+        return $this->getInformation("ospfv3", "neighbor", $format);
     }
-    // General
-    private function get_general_information($name)
+
+    public function ospfv3routeAction($format = "json"): array
     {
-        $backend = new Backend();
-        return array("response" => json_decode(trim($backend->configdRun("quagga general-$name")), true));
+        return $this->getInformation("ospfv3", "route", $format);
     }
-    public function generalroutesAction()
+
+    public function ospfv3databaseAction($format = "json"): array
     {
-        return $this->get_general_information('routes');
+        return $this->getInformation("ospfv3", "database", $format);
     }
-    public function generalroutes6Action()
+
+    public function ospfv3interfaceAction($format = "json"): array
     {
-        return $this->get_general_information('routes6');
+        return $this->getInformation("ospfv3", "interface", $format);
     }
 }

From 80a3b49c4f7996c9042bd1fa2a7b3afd00fa21bc Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sat, 12 Dec 2020 23:21:04 +0100
Subject: [PATCH 0304/3088] start fixing frontend at least... something... is
 working

---
 .../opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt  | 2 +-
 .../mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index 06818b0cd4..4e4479dcfd 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -91,7 +91,7 @@ $(document).ready(function() {
       $('#overview').html(content)
   });
 
-  ajaxCall(url="/api/quagga/diagnostics/showipbgpsummary", sendData={}, callback=function(data,status) {
+  ajaxCall(url="/api/quagga/diagnostics/bgpsummary/plain", sendData={}, callback=function(data,status) {
       $("#summarycontent").text(data['response']);
   });
 });
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
index 4e15ea266f..9728e15364 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
@@ -110,7 +110,7 @@ $(document).ready(function() {
     $('#routing6').html(content)
     //$('#routing6 table').bootgrid({converters: dataconverters})
   });
-  ajaxCall(url="/api/quagga/diagnostics/showrunningconfig", sendData={}, callback=function(data,status) {
+  ajaxCall(url="/api/quagga/diagnostics/generalrunningconfig", sendData={}, callback=function(data,status) {
       $("#runningconfig").text(data['response']);
   });
 

From 01348b31a53d4db18f05b6714480bd24c7427898 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sun, 13 Dec 2020 16:17:19 +0100
Subject: [PATCH 0305/3088] fix OSPF diagnostics page (wip) database not yet
 implemented tooltip for route type doesn't work

---
 .../OPNsense/Quagga/diagnosticsospf.volt      | 303 +++++++++---------
 1 file changed, 155 insertions(+), 148 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
index 0ac926d068..856dced2a3 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
@@ -33,51 +33,47 @@ POSSIBILITY OF SUCH DAMAGE.
 <tbody>
   <tr>
     <td>{{ lang._('RFC2328 Conform') }}</td>
-    <td><%= checkmark(ospf_overview['rfc2328_conform']) %></td>
+    <td><%= checkmark(rfc2328Conform) %></td>
   </tr>
   <tr>
     <td>{{ lang._('ASBR') }}</td>
-    <td><%= checkmark(ospf_overview['asbr']) %></td>
+    <td><%= checkmark(asbrRouter == "injectingExternalRoutingInformation") %></td>
   </tr>
   <tr>
     <td>{{ lang._('Router ID') }}</td>
-    <td><%= ospf_overview['router_id'] %></td>
+    <td><%= routerId %></td>
   </tr>
   <tr>
     <td>{{ lang._('RFC1583 Compatibility') }}</td>
-    <td><%= checkmark(ospf_overview['rfc1583_compatibility']) %></td>
+    <td><%= checkmark(typeof rfc1583Compatibility != "undefined" && rfc1583Compatibility) %></td>
   </tr>
   <tr>
     <td>{{ lang._('Opaque Capability') }}</td>
-    <td><%= checkmark(ospf_overview['opaque_capability']) %></td>
+    <td><%= checkmark(typeof opaqueCapable != "undefined" && opaqueCapable) %></td>
   </tr>
   <tr>
     <td>{{ lang._('Initial SPF Scheduling Delay') }}</td>
-    <td><%= ospf_overview['initial_spf_scheduling_delay'] %></td>
+    <td><%= spfScheduleDelayMsecs %> {{ lang._('Milliseconds') }}</td>
   </tr>
   <tr>
     <td>{{ lang._('Minimum Hold Time') }}</td>
-    <td><%= ospf_overview['hold_time']['min'] %> {{ lang._('Milliseconds') }}</td>
+    <td><%= holdtimeMinMsecs %> {{ lang._('Milliseconds') }}</td>
   </tr>
   <tr>
     <td>{{ lang._('Maximum Hold Time') }}</td>
-    <td><%= ospf_overview['hold_time']['max'] %> {{ lang._('Milliseconds') }}</td>
+    <td><%= holdtimeMaxMsecs %> {{ lang._('Milliseconds') }}</td>
   </tr>
   <tr>
     <td>{{ lang._('Current Hold Time Multipier') }}</td>
-    <td><%= ospf_overview['current_hold_time_multipier'] %></td>
-  </tr>
-  <tr>
-    <td>{{ lang._('SPF Timer') }}</td>
-    <td><%= ospf_overview['spf_timer'] %></td>
+    <td><%= holdtimeMultplier %></td>
   </tr>
   <tr>
     <td>{{ lang._('Refresh Timer') }}</td>
-    <td><%= ospf_overview['refresh_timer'] %></td>
+    <td><%= refreshTimerMsecs %> {{ lang._('Milliseconds') }}</td>
   </tr>
   <tr>
     <td>{{ lang._('Areas Attached Count') }}</td>
-    <td><%= ospf_overview['areas_attached_count'] %></td>
+    <td><%= attachedAreaCounter %></td>
   </tr>
 </tbody>
 </table>
@@ -94,67 +90,98 @@ POSSIBILITY OF SUCH DAMAGE.
   <tbody>
     <tr>
       <td>{{ lang._('External LSA') }}</td>
-      <td><%= ospf_overview['external_lsa']['count'] %></td>
-      <td><%= ospf_overview['external_lsa']['checksum'] %></td>
+      <td><%= lsaExternalCounter %></td>
+      <td><%= lsaExternalChecksum %></td>
     </tr>
     <tr>
       <td>{{ lang._('Opaque AS LSA') }}</td>
-      <td><%= ospf_overview['opaque_as_lsa']['count'] %></td>
-      <td><%= ospf_overview['opaque_as_lsa']['checksum'] %></td>
+      <td><%= lsaAsopaqueCounter %></td>
+      <td><%= lsaAsOpaqueChecksum %></td>
     </tr>
   </tbody>
 </table>
 
 <h2>{{ lang._('Areas') }}</h2>
 
-<% if (ospf_overview['areas']) { %>
-  <% areas = ospf_overview['areas'] %>
-  <% _.each(_.keys(areas), function(areaname) { %>
-    <% area = areas[areaname] %>
-    <h3><%= areaname %></h3>
-     <table class="table table-striped">
+<% if (areas) { %>
+  <% _.forEach(areas, function(area, areaname) { %>
+    <br /> 
+    <table class="table table-striped">
+      <thead>
+        <tr>
+          <th><%= areaname %></th>
+          <th>{{ lang._('Count') }}</th>
+        </tr>
+      </thead>
       <tbody>
         <tr>
           <td>{{ lang._('Interfaces: Total') }}</td>
-          <td><%= area['interfaces']['total'] %></td>
+          <td><%= area['areaIfTotalCounter'] %></td>
         </tr>
         <tr>
           <td>{{ lang._('Interfaces: Active') }}</td>
-          <td><%= area['interfaces']['active'] %></td>
+          <td><%= area['areaIfActiveCounter'] %></td>
         </tr>
         <tr>
           <td>{{ lang._('Fully Adjacent Neighbor Count') }}</td>
-          <td><%= area['fully_adjacent_neighbor_count'] %></td>
+          <td><%= area['nbrFullAdjacentCounter'] %></td>
         </tr>
         <tr>
           <td>{{ lang._('SPF Execution Count') }}</td>
-          <td><%= area['spf_exec_count'] %></td>
+          <td><%= area['spfExecutedCounter'] %></td>
         </tr>
       </tbody>
     </table>
      <table class="table table-striped">
       <thead>
         <tr>
-          <th></th>
+          <th>{{ lang._('LSA Type') }}</th>
           <th>{{ lang._('Count') }}</th>
           <th>{{ lang._('Checksum') }}</th>
         </tr>
       </thead>
       <tbody>
-        <% _.each(_.keys(area['lsa']), function(lsaname) { %>
-        <% lsa = area['lsa'][lsaname] %>
           <tr>
-            <td><%= translate(lsaname) %></td>
-            <td><%= lsa['count'] %></td>
-            <td><%= lsa['checksum'] %></td>
+            <td>{{ lang._('Router') }}</td>
+            <td><%= area['lsaRouterNumber'] %></td>
+            <td><%= area['lsaRouterChecksum'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('Network') }}</td>
+            <td><%= area['lsaNetworkNumber'] %></td>
+            <td><%= area['lsaNetworkChecksum'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('Summary') }}</td>
+            <td><%= area['lsaSummaryNumber'] %></td>
+            <td><%= area['lsaSummaryChecksum'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('ASBR Summary') }}</td>
+            <td><%= area['lsaAsbrNumber'] %></td>
+            <td><%= area['lsaAsbrChecksum'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('NSSA') }}</td>
+            <td><%= area['lsaNssaNumber'] %></td>
+            <td><%= area['lsaNssaChecksum'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('Opaque Link') }}</td>
+            <td><%= area['lsaOpaqueLinkNumber'] %></td>
+            <td><%= area['lsaOpaqueLinkChecksum'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('Opaque Area') }}</td>
+            <td><%= area['lsaOpaqueAreaNumber'] %></td>
+            <td><%= area['lsaOpaqueAreaNumber'] %></td>
           </tr>
-        <% }) %>
       </tbody>
     </table>
   <% }) %>
 <% } %>
 </script>
-<script type="text/x-template" id="databasetpl">
+<!--<script type="text/x-template" id="databasetpl">
 <% _.each(_.keys(ospf_database), function(router_id) { %>
   <h1>{{ lang._('Router ID:')}} <%= router_id %></h1>
   <hr />
@@ -238,80 +265,50 @@ POSSIBILITY OF SUCH DAMAGE.
     </tbody>
   </table>
 <% }); %>
-</script>
+</script>-->
 <script type="text/x-template" id="routestpl">
-<h2>{{ lang._('Network Routing Table') }}</h2>
+<h2>{{ lang._('Routing Table') }}</h2>
  <table class="table table-striped">
   <thead>
     <tr>
-      <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+      <th data-column-id="type" data-type="raw">{{ lang._('Type') }}</th>
       <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
       <th data-column-id="cost" data-type="numeric">{{ lang._('Cost') }}</th>
-      <th data-column-id="area" data-type="numeric">{{ lang._('Area') }}</th>
-      <th data-column-id="via" data-type="string">{{ lang._('Via') }}</th>
-      <th data-column-id="viainterface" data-type="string">{{ lang._('Via interface') }}</th>
-    </tr>
-  </thead>
-  <tbody>
-    <% _.each(ospf_route['OSPF network routing table'], function(entry) { %>
-      <tr>
-        <td><%= entry["type"] %></td>
-        <td><%= entry["network"] %></td>
-        <td><%= entry["cost"] %></td>
-        <td><%= entry["area"] %></td>
-        <td><%= translate(entry["via"]) %></td>
-        <td><%= entry["via_interface"] %></td>
-      </tr>
-    <% }); %>
-  </tbody>
-</table>
-<h2>{{ lang._('Router Routing Table') }}</h2>
- <table class="table table-striped">
-  <thead>
-    <tr>
-      <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-      <th data-column-id="cost" data-type="numeric">{{ lang._('Cost') }}</th>
       <th data-column-id="area" data-type="string">{{ lang._('Area') }}</th>
-      <th data-column-id="asbr" data-type="boolean">{{ lang._('ASBR') }}</th>
       <th data-column-id="via" data-type="string">{{ lang._('Via') }}</th>
       <th data-column-id="viainterface" data-type="string">{{ lang._('Via interface') }}</th>
     </tr>
   </thead>
   <tbody>
-    <% _.each(ospf_route['OSPF router routing table'], function(entry) { %>
+    <% _.forEach(routes, function(route, network) { %>
       <tr>
-        <td><%= entry["type"] %></td>
-        <td><%= entry["cost"] %></td>
-        <td><%= entry["area"] %></td>
-        <td><%= entry["asbr"] %></td>
-        <td><%= translate(entry["via"]) %></td>
-        <td><%= entry["via_interface"] %></td>
+        <td>
+          <% _.forEach(route['routeType'].split(' '), function(routeType) { %>
+            <% if(routeType == "") return; %>
+            <% if(translate(routeType) == routeType) { %>
+              <%= routeType %>
+            <% } else { %>
+              <% console.log('Y U NO WORK?!'); %>
+              <abbr title="<%= translate(routeType) %>"><%= routeType %></abbr>
+          <% } }); %>
+        </td>
+        <td><%= network %></td>
+        <td><%= route['cost'] %></td>
+        <td><%= route['area'] %></td>
+        <td><%= (typeof route['nexthops'][0]['via'] != "undefined" ? route['nexthops'][0]['ip'] : translate('directly attached')) %></td>
+        <td><%= (typeof route['nexthops'][0]['via'] != "undefined" ? route['nexthops'][0]['via'] : route['nexthops'][0]['directly attached to']) %></td>
       </tr>
-    <% }); %>
-  </tbody>
-</table>
-<h2>{{ lang._('External Routing Table') }}</h2>
- <table class="table table-striped">
-  <thead>
-    <tr>
-      <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-      <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
-      <th data-column-id="cost" data-type="string">{{ lang._('Cost') }}</th>
-      <th data-column-id="tag" data-type="string">{{ lang._('Tag') }}</th>
-      <th data-column-id="via" data-type="string">{{ lang._('Via') }}</th>
-      <th data-column-id="viainterface" data-type="string">{{ lang._('Via interface') }}</th>
-    </tr>
-  </thead>
-  <tbody>
-    <% _.each(ospf_route['OSPF external routing table'], function(entry) { %>
+      <% route['nexthops'].shift(); %>
+      <% _.forEach(route['nexthops'], function(nexthop) { %>
       <tr>
-        <td><%= entry["type"] %></td>
-        <td><%= entry["network"] %></td>
-        <td><%= entry["cost"] %></td>
-        <td><%= entry["tag"] %></td>
-        <td><%= translate(entry["via"]) %></td>
-        <td><%= entry["via_interface"] %></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td></td>
+        <td><%= (typeof nexthop['via'] != "undefined" ? nexthop['ip'] : translate('directly attached')) %></td>
+        <td><%= (typeof nexthop['via'] != "undefined" ? nexthop['via'] : nexthop['directly attached to']) %></td>
       </tr>
+      <% }); %>
     <% }); %>
   </tbody>
 </table>
@@ -323,50 +320,46 @@ POSSIBILITY OF SUCH DAMAGE.
         <th data-column-id="neighborid" data-type="string">{{ lang._('Neighbor ID') }}</th>
         <th data-column-id="priority" data-type="numeric">{{ lang._('Priority') }}</th>
         <th data-column-id="state" data-type="string">{{ lang._('State') }}</th>
-        <th data-column-id="deadtime" data-type="string">{{ lang._('Dead Time') }}</th>
+        <th data-column-id="deadtime" data-type="string">{{ lang._('Dead Time') }} &lsqb;ms&rsqb;</th>
         <th data-column-id="address" data-type="string">{{ lang._('Address') }}</th>
         <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
-        <th data-column-id="rxmtl" data-type="numeric">RXmtL</th>
-        <th data-column-id="rqstl" data-type="numeric">RqstL</th>
-        <th data-column-id="dbsml" data-type="numeric">DBsmL</th>
+        <th data-column-id="rxmtl" data-type="numeric">{{ lang._('Retransmit Counter') }}</th>
+        <th data-column-id="rqstl" data-type="numeric">{{ lang._('Request Counter') }}</th>
+        <th data-column-id="dbsml" data-type="numeric">{{ lang._('DB Summary Counter') }}</th>
       </tr>
     </thead>
     <tbody>
-      <% _.each(ospf_neighbors, function(entry) { %>
-        <tr>
-          <td><%= entry["Neighbor ID"] %></td>
-          <td><%= entry["Pri"] %></td>
-          <td><%= translate(entry["State"]) %></td>
-          <td><%= entry["Dead Time"] %></td>
-          <td><%= entry["Address"] %></td>
-          <td><%= entry["Interface"] %></td>
-          <td><%= entry["RXmtL"] %></td>
-          <td><%= entry["RqstL"] %></td>
-          <td><%= entry["DBsmL"] %></td>
-        </tr>
+      <% _.forEach(neighbors, function(connections, neighborId) { %>
+        <% _.forEach(connections, function(connection) { %>
+          <tr>
+            <td><%= neighborId %></td>
+            <td><%= connection['priority'] %></td>
+            <td><%= translate(connection['state']) %></td>
+            <td><%= connection['deadTimeMsecs'] %></td>
+            <td><%= connection['address'] %></td>
+            <td><%= connection['ifaceName'] %></td>
+            <td><%= connection['retransmitCounter'] %></td>
+            <td><%= connection['requestCounter'] %></td>
+            <td><%= connection['dbSummaryCounter'] %></td>
+          </tr>
+        <% }); %>
       <% }); %>
     </tbody>
   </table>
 </script>
 <script type="text/x-template" id="interfacetpl">
-<% _.each(_.keys(ospf_interface), function(interfacename) { %>
-  <% int = ospf_interface[interfacename] %>
+<% _.forEach(interfaces, function(interface, interfacename) { %>
   <h2><%= interfacename %></h2>
    <table class="table table-striped">
     <tbody>
-      <% _.each(_.keys(int), function(propertyname) { %>
+      <% _.forEach(interface, function(propertyvalue, propertyname) { %>
         <tr>
           <td><%= translate(propertyname) %></td>
           <td>
-            <% if (int[propertyname] === false || int[propertyname] === true)  { %>
-              <%= checkmark(int[propertyname]) %>
-            <% } else if (propertyname == 'intervals')  { %>
-              {{ lang._('Hello Interval:') }} <%= int[propertyname]['hello'] %><br />
-              {{ lang._('Dead Interval:') }} <%= int[propertyname]['dead'] %><br />
-              {{ lang._('Wait Interval:') }} <%= int[propertyname]['wait'] %><br />
-              {{ lang._('Retransmit Interval:') }} <%= int[propertyname]['retransmit'] %>
+            <% if (typeof(propertyvalue) == "boolean")  { %>
+              <%= checkmark(propertyvalue) %>
             <% } else { %>
-              <%= int[propertyname] %>
+              <%= translate(propertyvalue) %>
             <% } %>
           </td>
         </tr>
@@ -381,33 +374,47 @@ POSSIBILITY OF SUCH DAMAGE.
 function translate(data)
 {
   tr = []
-  tr['count'] = '{{ lang._('Count') }}'
-  tr['router'] = '{{ lang._('Router') }}'
-  tr['network'] = '{{ lang._('Network') }}'
-  tr['summary'] = '{{ lang._('Summary') }}'
-  tr['ASBR summary'] = '{{ lang._('ASBR summary') }}'
-  tr['NSSA'] = '{{ lang._('NSSA') }}'
+  // routing table tab
+  tr['N'] = '{{ lang._('Network') }}'
+  tr['R'] = '{{ lang._('Router') }}'
+  tr['IA'] = '{{ lang._('OSPF inter area') }}'
+  tr['N1'] = '{{ lang._('OSPF NSSA external type 1') }}'
+  tr['N2'] = '{{ lang._('OSPF NSSA external type 2') }}'
+  tr['E1'] = '{{ lang._('OSPF external type 1') }}'
+  tr['E2'] = '{{ lang._('OSPF external type 2') }}'
   tr['directly attached'] = '{{ lang._('Directly Attached') }}'
+
+  // neighbor tab
   tr['Full/DR'] = '{{ lang._('Full (Designated Router)') }}'
-  tr['enabled'] = '{{ lang._('Enabled') }}'
-  tr['cost'] = '{{ lang._('Cost') }}'
-  tr['priority'] = '{{ lang._('Priority') }}'
-  tr['router_id'] = '{{ lang._('Router ID') }}'
-  tr['network_type'] = '{{ lang._('Network Type') }}'
+
+  // interfaces tab
+  tr['ifUp'] = '{{ lang._('Up') }}'
+  tr['ifIndex'] = '{{ lang._('Index') }}'
+  tr['mtuBytes'] = '{{ lang._('MTU') }} &lsqb;{{ lang._('Bytes') }}&rsqb;'
+  tr['bandwidthMbit'] = '{{ lang._('Bandwidth') }} &lsqb;Mbit/s&rsqb;'
+  tr['ifFlags'] = '{{ lang._('Flags') }}'
+  tr['ospfEnabled'] = '{{ lang._('OSPF Enabled') }}'
+  tr['ipAddress'] = '{{ lang._('Address') }}'
+  tr['ipAddressPrefixlen'] = '{{ lang._('Prefix Length') }}'
+  tr['ospfIfType'] = '{{ lang._('Type') }}'
+  tr['localIfUsed'] = '{{ lang._('Local Interface') }}'
   tr['area'] = '{{ lang._('Area') }}'
-  tr['transmit_delay'] = '{{ lang._('Transmit Delay') }}'
+  tr['routerId'] = '{{ lang._('Router ID') }}'
+  tr['networkType'] = '{{ lang._('Network Type') }}'
+  tr['cost'] = '{{ lang._('Cost') }}'
+  tr['transmitDelaySecs'] = '{{ lang._('Transmit Delay') }} &lsqb;s&rsqb;'
   tr['state'] = '{{ lang._('State') }}'
-  tr['broadcast'] = '{{ lang._('Broadcast') }}'
-  tr['mtu_mismatch_detection'] = '{{ lang._('MTU Mismatch Detection') }}'
-  tr['address'] = '{{ lang._('Address') }}'
-  tr['designated_router'] = '{{ lang._('Designated Router') }}'
-  tr['designated_router_interface_address'] = '{{ lang._('Designated Router Interface Address') }}'
-  tr['backup_designated_router'] = '{{ lang._('Backup Designated Router') }}'
-  tr['multicast_group_memberships'] = '{{ lang._('Multicast Group Memberships') }}'
-  tr['intervals'] = '{{ lang._('Intervals') }}'
-  tr['hello_due_in'] = '{{ lang._('Hello Due In') }}'
-  tr['neighbor_count'] = '{{ lang._('Neighbor Count') }}'
-  tr['adjacent_neighbor_count'] = '{{ lang._('Adjacent Neighbor Count') }}'
+  tr['priority'] = '{{ lang._('Priority') }}'
+  tr['mcastMemberOspfAllRouters'] = '{{ lang._('Multicast') }} {{ lang._('Group') }} {{ lang._('Member') }} OSPFAllRouters'
+  tr['timerMsecs'] = '{{ lang._('Hello Timer') }} &lsqb;ms&rsqb;'
+  tr['timerDeadSecs'] = '{{ lang._('Dead Timer') }} &lsqb;s&rsqb;'
+  tr['timerWaitSecs'] = '{{ lang._('Wait Timer') }} &lsqb;s&rsqb;'
+  tr['timerRetransmitSecs'] = '{{ lang._('Retransmit Timer') }} &lsqb;s&rsqb;'
+  tr['timerPassiveIface'] = '{{ lang._('Passive Interface') }}'
+  tr['timerHelloInMsecs'] = '{{ lang._('Hello Due In') }} &lsqb;ms&rsqb;'
+  tr['nbrCount'] = '{{ lang._('Neighbor Count') }}'
+  tr['nbrAdjacentCount'] = '{{ lang._('Adjacent Neighbor Count') }}'
+
   return _.has(tr,data) ? tr[data] : data
 }
 
@@ -434,13 +441,13 @@ $(document).ready(function() {
     content = _.template($('#overviewtpl').html())(data['response'])
     $('#overview').html(content)
   });
-  ajaxCall(url="/api/quagga/diagnostics/ospfdatabase", sendData={}, callback=function(data,status) {
+  /*ajaxCall(url="/api/quagga/diagnostics/ospfdatabase", sendData={}, callback=function(data,status) {
     content = _.template($('#databasetpl').html())(data['response'])
     $('#database').html(content)
     $('#database table').bootgrid()
-  });
+  });*/
   ajaxCall(url="/api/quagga/diagnostics/ospfroute", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())(data['response'])
+    content = _.template($('#routestpl').html())({routes: data['response']})
     $('#routing').html(content)
     $('#routing table').bootgrid({converters: dataconverters})
   });

From 51d80ac7f53417b33c240c7abc738631a5afe35e Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sun, 13 Dec 2020 17:37:18 +0100
Subject: [PATCH 0306/3088] fix General diagnostics page

---
 .../OPNsense/Quagga/diagnosticsgeneral.volt   | 76 ++++++++++---------
 1 file changed, 41 insertions(+), 35 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
index 9728e15364..3a5a61ef4e 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
@@ -41,43 +41,49 @@ POSSIBILITY OF SUCH DAMAGE.
     </tr>
   </thead>
   <tbody>
-    <% _.each(general_routes, function(entry) { %>
-      <tr>
-        <td>
-          <% _.each(entry['code'], function(code) { %>
-            <abbr title="<%= translate(code['long']) %>"><%= (code['short']) %></abbr>
-          <% }); %>
-        </td>
-        <td><%= entry['network'] %></td>
-        <td><%= entry['ad'] %></td>
-        <td><%= entry['metric'] %></td>
-        <td><%= entry['interface'] %></td>
-        <td><%= entry['via'] %></td>
-        <td><%= entry['time'] %></td>
-      </tr>
+    <% _.forEach(routes, function(route_array, network) { %>
+      <% _.forEach(route_array, function(route) { %>
+        <% _.forEach(route['nexthops'], function(nexthop) { %>
+        <% let protocol = translateProtocol(route['protocol'], ipVersion); %>
+        <tr>
+          <td><% if(typeof(protocol) != "string") { %>
+            <abbr title="<%= protocol['long'] %>"><%= protocol['short'] %></abbr>
+            <% } else { %>
+            <%= route['protocol'] %>
+            <% } %>
+            <% if(typeof(route['selected']) != "undefined" && route['selected']) { %>
+            <abbr title="{{ lang._('Selected') }}">&gt;</abbr>
+            <% } %>
+            <% if(typeof(route['installed']) != "undefined" && route['installed']) { %>
+              <abbr title="{{ lang._('FIB') }}">&ast;</abbr>
+              <% } %>
+          </td>
+          <td><%= network %></td>
+          <td><%= route['distance'] %></td>
+          <td><%= route['metric'] %></td>
+          <td><%= nexthop['interfaceName'] %></td>
+          <td><%= (typeof(nexthop['ip']) != "undefined" ? nexthop['ip'] : '{{ lang._('Directly Attached') }}') %></td>
+          <td><%= route['uptime'] %></td>
+        </tr>
+        <% }); %>
+      <% }); %>
     <% }); %>
   </tbody>
 </table>
 </script>
 
 <script>
-function translate(content) {
-  tr = {};
-  tr['kernel route'] = '{{ lang._('Kernel Route') }}';
-  tr['FIB route'] = '{{ lang._('FIB Route') }}';
-  tr['connected'] = '{{ lang._('Connected') }}';
-  tr['selected route'] = '{{ lang._('Selected Route') }}';
-  tr['OSPF'] = '{{ lang._('OSPF') }}';
-  tr['RIP'] = '{{ lang._('RIP') }}';
-  tr['BGP'] = '{{ lang._('BGP') }}';
-  if (_.has(tr,content))
-  {
-    return tr[content];
-  }
-  else
-  {
-    return content;
-  }
+function translateProtocol(data, ipVersion)
+{
+  tr = []
+  // routing table tab
+  tr['kernel'] = {short: 'K', long: '{{ lang._('Kernel') }}'}
+  tr['connected'] = {short: 'C', long: '{{ lang._('Connected') }}'}
+  tr['bgp'] = {short: 'B', long: '{{ lang._('BGP') }}'}
+  tr['ospf'] = {short: 'O', long: '{{ lang._('OSPFv3') }}'}
+  if(ipVersion == 4) tr['ospf']['long'] = '{{ lang._('OSPF') }}'
+
+  return _.has(tr,data) ? tr[data] : data
 }
 
 dataconverters = {
@@ -100,13 +106,13 @@ dataconverters = {
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 
-  ajaxCall(url="/api/quagga/diagnostics/generalroutes", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())(data['response'])
+  ajaxCall(url="/api/quagga/diagnostics/generalroute", sendData={}, callback=function(data,status) {
+    content = _.template($('#routestpl').html())({routes: data['response'], ipVersion: 4})
     $('#routing').html(content)
     //$('#routing table').bootgrid({converters: dataconverters})
   });
-  ajaxCall(url="/api/quagga/diagnostics/generalroutes6", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())({general_routes: data['response']['general_routes6']})
+  ajaxCall(url="/api/quagga/diagnostics/generalroute6", sendData={}, callback=function(data,status) {
+    content = _.template($('#routestpl').html())({routes: data['response'], ipVersion: 6})
     $('#routing6').html(content)
     //$('#routing6 table').bootgrid({converters: dataconverters})
   });

From 82c8311198c38b01ed66b742daa90e48b175e426 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sun, 13 Dec 2020 17:39:29 +0100
Subject: [PATCH 0307/3088] align route table display style

---
 .../mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
index 3a5a61ef4e..e7ae9264d4 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
@@ -28,7 +28,7 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 <script src="/ui/js/quagga/lodash.js"></script>
 <script type="text/x-template" id="routestpl">
-<table>
+<table class="table table-striped">
   <thead>
     <tr>
       <th data-column-id="code" data-type="raw">{{ lang._('Code') }}</th>

From 89f35c8554d367130ce7a2ac36843c0e349f10ce Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sun, 13 Dec 2020 20:54:13 +0100
Subject: [PATCH 0308/3088] fix BGP diagnostics page

---
 .../views/OPNsense/Quagga/diagnosticsbgp.volt | 86 +++++++++++--------
 1 file changed, 50 insertions(+), 36 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index 4e4479dcfd..f61562761e 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -33,62 +33,76 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 
 <script type="text/x-template" id="overviewtpl">
-  <table>
+  <table class="table table-striped">
     <tr>
       <td>{{ lang._('Table Version') }}</td>
-      <td><%= bgp_overview['table_version'] %></td>
+      <td><%= tableVersion %></td>
     </tr>
     <tr>
       <td>{{ lang._('Local Router ID') }}</td>
-      <td><%= bgp_overview['local_router_id'] %></td>
+      <td><%= routerId %></td>
+    </tr>
+    <tr>
+      <td>{{ lang._('Local AS') }}</td>
+      <td><%= localAS %></td>
     </tr>
   </table>
-  <table>
+</script>
+<script type="text/x-template" id="routestpl">
+  <table class="table table-striped">
     <thead>
       <tr>
-        <th>{{ lang._('Status') }}</th>
-        <th>{{ lang._('Network') }}</th>
-        <th>{{ lang._('Next Hop') }}</th>
-        <th>{{ lang._('Metric') }}</th>
-        <th>{{ lang._('LocPrf') }}</th>
-        <th>{{ lang._('Weight') }}</th>
-        <th>{{ lang._('Path') }}</th>
+        <th data-column-id="status" data-type="raw">{{ lang._('Status') }}</th>
+        <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
+        <th data-column-id="nexthop" data-type="string">{{ lang._('Next Hop') }}</th>
+        <th data-column-id="metric" data-type="numeric">{{ lang._('Metric') }}</th>
+        <th data-column-id="locprf" data-type="numeric">{{ lang._('LocPrf') }}</th>
+        <th data-column-id="weight" data-type="numeric">{{ lang._('Weight') }}</th>
+        <th data-column-id="path" data-type="string">{{ lang._('Path') }}</th>
+        <th data-column-id="origin" data-type="string">{{ lang._('Origin') }}</th>
       </tr>
     </thead>
     <tbody>
-      <% _.each(bgp_overview['output'], function (row) { %>
-        <tr>
-          <td>
-            <% _.each(row['status'], function(element) { %>
-              <abbr title="<%= translate(element['dn']) %>"><%= element['abb'] %></abbr>
-            <% }) %>
-          </td>
-          <td><%= row['Network'] %></td>
-          <td><%= row['Next Hop'] %></td>
-          <td><%= row['Metric'] %></td>
-          <td><%= row['LocPrf'] %></td>
-          <td><%= row['Weight'] %></td>
-          <td>
-            <% _.each(row['Path'], function(element) { %>
-              <abbr title="<%= translate(element['dn']) %>"><%= element['abb'] %></abbr>
-            <% }) %>
-          </td>
-        </tr>
+      <% _.forEach(routes, function(route_array, network) { %>
+        <% _.forEach(route_array, function(route) { %>
+          <% _.forEach(route['nexthops'], function(nexthop) { %>
+            <tr>
+              <td>
+                <% if(typeof(route['valid']) != "undefined" && route['valid']) { %>
+                  <abbr title="{{ lang._('Valid') }}">&ast;</abbr>
+                <% } %>
+                <% if(typeof(route['bestpath']) != "undefined" && route['bestpath']) { %>
+                  <abbr title="{{ lang._('Best') }}">&gt;</abbr>
+                <% } %>
+                <% if(typeof(route['pathFrom']) != "undefined" && route['pathFrom'] == 'internal') { %>
+                  <abbr title="{{ lang._('Internal') }}">i</abbr>
+                <% } %>
+              </td>
+              <td><%= network %></td>
+              <td><%= nexthop['ip'] %></td>
+              <td><%= route['metric'] %></td>
+              <td><%= route['locPrf'] %></td>
+              <td><%= route['weight'] %></td>
+              <td><%= route['path'] %></td>
+              <td><%= route['origin'] %></td>
+            </tr>
+          <% }); %>
+        <% }); %>
       <% }); %>
     </tbody>
   </table>
 </script>
+
 <script src="/ui/js/quagga/lodash.js"></script>
 <script>
-function translate(x) {
-  return x;
-}
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 
-  ajaxCall(url="/api/quagga/diagnostics/showipbgp", sendData={}, callback=function(data,status) {
+  ajaxCall(url="/api/quagga/diagnostics/bgpoverview", sendData={}, callback=function(data,status) {
       content = _.template($('#overviewtpl').html())(data['response'])
       $('#overview').html(content)
+      content = _.template($('#routestpl').html())(data['response'])
+      $('#routing').html(content)
   });
 
   ajaxCall(url="/api/quagga/diagnostics/bgpsummary/plain", sendData={}, callback=function(data,status) {
@@ -100,13 +114,13 @@ $(document).ready(function() {
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
+    <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
     <li><a data-toggle="tab" href="#summary">{{ lang._('Summary') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
-    <div id="overview" class="tab-pane fade in active">
-      {{ lang._('loading...') }}
-    </div>
+    <div id="overview" class="tab-pane fade in active"></div>
+    <div id="routing" class="tab-pane fade in"></div>
     <div id="summary" class="tab-pane fade in">
       <pre id="summarycontent"></pre>
     </div>

From 904db0096db6d25988eca5a0c2985e468bf07bfe Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sun, 13 Dec 2020 21:07:38 +0100
Subject: [PATCH 0309/3088] add bgp neighbors (plain text) quick & dirty to at
 least get it into the GUI

---
 .../mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt     | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index f61562761e..c7dce30ce1 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -105,6 +105,10 @@ $(document).ready(function() {
       $('#routing').html(content)
   });
 
+  ajaxCall(url="/api/quagga/diagnostics/bgpneighbors/plain", sendData={}, callback=function(data,status) {
+      $('#neighborscontent').text(data['response'])
+  });
+
   ajaxCall(url="/api/quagga/diagnostics/bgpsummary/plain", sendData={}, callback=function(data,status) {
       $("#summarycontent").text(data['response']);
   });
@@ -115,12 +119,16 @@ $(document).ready(function() {
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
     <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
+    <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
     <li><a data-toggle="tab" href="#summary">{{ lang._('Summary') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
     <div id="overview" class="tab-pane fade in active"></div>
     <div id="routing" class="tab-pane fade in"></div>
+    <div id="neighbors" class="tab-pane fade in">
+      <pre id="neighborscontent"></pre>
+    </div>
     <div id="summary" class="tab-pane fade in">
       <pre id="summarycontent"></pre>
     </div>

From eece0332017c5357fe160258beec285c08bac5fd Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sun, 13 Dec 2020 21:15:32 +0100
Subject: [PATCH 0310/3088] temporary workaround for OSPF database JSON support
 is already in FRR upstream use plaintext output until it's available in a
 package

---
 .../OPNsense/Quagga/diagnosticsospf.volt      | 21 +++++++------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
index 856dced2a3..bcde9bd051 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
@@ -441,11 +441,9 @@ $(document).ready(function() {
     content = _.template($('#overviewtpl').html())(data['response'])
     $('#overview').html(content)
   });
-  /*ajaxCall(url="/api/quagga/diagnostics/ospfdatabase", sendData={}, callback=function(data,status) {
-    content = _.template($('#databasetpl').html())(data['response'])
-    $('#database').html(content)
-    $('#database table').bootgrid()
-  });*/
+  ajaxCall(url="/api/quagga/diagnostics/ospfdatabase/plain", sendData={}, callback=function(data,status) {
+    $('#databasecontent').text(data['response'])
+  });
   ajaxCall(url="/api/quagga/diagnostics/ospfroute", sendData={}, callback=function(data,status) {
     content = _.template($('#routestpl').html())({routes: data['response']})
     $('#routing').html(content)
@@ -476,14 +474,11 @@ $(document).ready(function() {
 </ul>
 
 <div class="tab-content content-box tab-content">
-    <div id="overview" class="tab-pane fade in active">
-    </div>
-    <div id="routing" class="tab-pane fade in">
-    </div>
+    <div id="overview" class="tab-pane fade in active"></div>
+    <div id="routing" class="tab-pane fade in"></div>
     <div id="database" class="tab-pane fade in">
+      <pre id="databasecontent"></pre>
     </div>
-    <div id="neighbor" class="tab-pane fade in">
-    </div>
-    <div id="interface" class="tab-pane fade in">
-    </div>
+    <div id="neighbor" class="tab-pane fade in"></div>
+    <div id="interface" class="tab-pane fade in"></div>
 </div>

From 5eebe5d2e7415d6bf0bf6b62b49bdf79a355a947 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Sun, 13 Dec 2020 22:50:35 +0100
Subject: [PATCH 0311/3088] make abbreviations work with bootgrid, cleanup

---
 .../OPNsense/Quagga/diagnosticsospf.volt      | 40 +++++++++----------
 1 file changed, 18 insertions(+), 22 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
index bcde9bd051..31d8824731 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
@@ -271,7 +271,7 @@ POSSIBILITY OF SUCH DAMAGE.
  <table class="table table-striped">
   <thead>
     <tr>
-      <th data-column-id="type" data-type="raw">{{ lang._('Type') }}</th>
+      <th data-column-id="type" data-type="string" data-formatter="route_type">{{ lang._('Type') }}</th>
       <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
       <th data-column-id="cost" data-type="numeric">{{ lang._('Cost') }}</th>
       <th data-column-id="area" data-type="string">{{ lang._('Area') }}</th>
@@ -282,16 +282,7 @@ POSSIBILITY OF SUCH DAMAGE.
   <tbody>
     <% _.forEach(routes, function(route, network) { %>
       <tr>
-        <td>
-          <% _.forEach(route['routeType'].split(' '), function(routeType) { %>
-            <% if(routeType == "") return; %>
-            <% if(translate(routeType) == routeType) { %>
-              <%= routeType %>
-            <% } else { %>
-              <% console.log('Y U NO WORK?!'); %>
-              <abbr title="<%= translate(routeType) %>"><%= routeType %></abbr>
-          <% } }); %>
-        </td>
+        <td><%= route['routeType'] %></td>
         <td><%= network %></td>
         <td><%= route['cost'] %></td>
         <td><%= route['area'] %></td>
@@ -423,16 +414,21 @@ function checkmark(bin)
   return "<i class=\"fa " + (bin ? "fa-check-square" : "fa-square") + " text-muted\"></i>";
 }
 
-dataconverters = {
-    boolean: {
-        from: function (value) { return (value == 'true') || (value == true); },
-        to: function (value) { return checkmark(value) }
-    },
-    raw: {
-        from: function (value) { return value },
-        to: function (value) { return value }
-    }
-}
+dataformatters = {
+  route_type: function(column, row) {
+    let result = ''
+    _.forEach(row.type.split(' '), function(routeType) {
+      if(translate(routeType) == routeType) {
+        result += routeType;
+      }
+      else {
+        result += '<abbr title="' + translate(routeType) + '">' + routeType + '</abbr>';
+      }
+      result += ' ';
+    });
+    return result;
+  }
+};
 
 $(document).ready(function() {
   updateServiceControlUI('quagga');
@@ -447,7 +443,7 @@ $(document).ready(function() {
   ajaxCall(url="/api/quagga/diagnostics/ospfroute", sendData={}, callback=function(data,status) {
     content = _.template($('#routestpl').html())({routes: data['response']})
     $('#routing').html(content)
-    $('#routing table').bootgrid({converters: dataconverters})
+    $('#routing table').bootgrid({formatters: dataformatters})
   });
   ajaxCall(url="/api/quagga/diagnostics/ospfneighbor", sendData={}, callback=function(data,status) {
     content = _.template($('#neighbortpl').html())(data['response'])

From 1c8260d7a2922b59cfae3ed05e6a1bf2728ef0fa Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 14 Dec 2020 10:39:53 +0100
Subject: [PATCH 0312/3088] fix my own stupidity no need to handle OSPFv2 and
 v3 distinction manually in the code backend already serves it as ospf/ospf6

---
 .../views/OPNsense/Quagga/diagnosticsgeneral.volt    | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
index e7ae9264d4..16719e1f10 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
@@ -44,7 +44,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <% _.forEach(routes, function(route_array, network) { %>
       <% _.forEach(route_array, function(route) { %>
         <% _.forEach(route['nexthops'], function(nexthop) { %>
-        <% let protocol = translateProtocol(route['protocol'], ipVersion); %>
+        <% let protocol = translateProtocol(route['protocol']); %>
         <tr>
           <td><% if(typeof(protocol) != "string") { %>
             <abbr title="<%= protocol['long'] %>"><%= protocol['short'] %></abbr>
@@ -73,15 +73,15 @@ POSSIBILITY OF SUCH DAMAGE.
 </script>
 
 <script>
-function translateProtocol(data, ipVersion)
+function translateProtocol(data)
 {
   tr = []
   // routing table tab
   tr['kernel'] = {short: 'K', long: '{{ lang._('Kernel') }}'}
   tr['connected'] = {short: 'C', long: '{{ lang._('Connected') }}'}
   tr['bgp'] = {short: 'B', long: '{{ lang._('BGP') }}'}
-  tr['ospf'] = {short: 'O', long: '{{ lang._('OSPFv3') }}'}
-  if(ipVersion == 4) tr['ospf']['long'] = '{{ lang._('OSPF') }}'
+  tr['ospf'] = {short: 'O', long: '{{ lang._('OSPF') }}'}
+  tr['ospf6'] = {short: 'O', long: '{{ lang._('OSPFv3') }}'}
 
   return _.has(tr,data) ? tr[data] : data
 }
@@ -107,12 +107,12 @@ $(document).ready(function() {
   updateServiceControlUI('quagga');
 
   ajaxCall(url="/api/quagga/diagnostics/generalroute", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())({routes: data['response'], ipVersion: 4})
+    content = _.template($('#routestpl').html())({routes: data['response']})
     $('#routing').html(content)
     //$('#routing table').bootgrid({converters: dataconverters})
   });
   ajaxCall(url="/api/quagga/diagnostics/generalroute6", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())({routes: data['response'], ipVersion: 6})
+    content = _.template($('#routestpl').html())({routes: data['response']})
     $('#routing6').html(content)
     //$('#routing6 table').bootgrid({converters: dataconverters})
   });

From 49c8933e69b98f785cd0976426298d3d4019db73 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 14 Dec 2020 11:00:16 +0100
Subject: [PATCH 0313/3088] make general / routing tables work with bootgrid

---
 .../OPNsense/Quagga/diagnosticsgeneral.volt   | 63 ++++++++++---------
 1 file changed, 33 insertions(+), 30 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
index 16719e1f10..3e7569396a 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
@@ -31,7 +31,9 @@ POSSIBILITY OF SUCH DAMAGE.
 <table class="table table-striped">
   <thead>
     <tr>
-      <th data-column-id="code" data-type="raw">{{ lang._('Code') }}</th>
+      <th data-column-id="code" data-type="string" data-formatter="code">{{ lang._('Code') }}</th>
+      <th data-column-id="selected" data-type="boolean" data-visible="false">{{ lang._('Selected') }}</th>
+      <th data-column-id="installed" data-type="boolean" data-visible="false">{{ lang._('Installed') }}</th>
       <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
       <th data-column-id="ad" data-type="numeric">{{ lang._('Administrative Distance') }}</th>
       <th data-column-id="metric" data-type="numeric">{{ lang._('Metric') }}</th>
@@ -44,20 +46,10 @@ POSSIBILITY OF SUCH DAMAGE.
     <% _.forEach(routes, function(route_array, network) { %>
       <% _.forEach(route_array, function(route) { %>
         <% _.forEach(route['nexthops'], function(nexthop) { %>
-        <% let protocol = translateProtocol(route['protocol']); %>
         <tr>
-          <td><% if(typeof(protocol) != "string") { %>
-            <abbr title="<%= protocol['long'] %>"><%= protocol['short'] %></abbr>
-            <% } else { %>
-            <%= route['protocol'] %>
-            <% } %>
-            <% if(typeof(route['selected']) != "undefined" && route['selected']) { %>
-            <abbr title="{{ lang._('Selected') }}">&gt;</abbr>
-            <% } %>
-            <% if(typeof(route['installed']) != "undefined" && route['installed']) { %>
-              <abbr title="{{ lang._('FIB') }}">&ast;</abbr>
-              <% } %>
-          </td>
+          <td><%= route['protocol'] %></td>
+          <td><%= (typeof(route['selected']) != "undefined" && route['selected']) %></td>
+          <td><%= (typeof(route['installed']) != "undefined" && route['installed']) %></td>
           <td><%= network %></td>
           <td><%= route['distance'] %></td>
           <td><%= route['metric'] %></td>
@@ -87,34 +79,45 @@ function translateProtocol(data)
 }
 
 dataconverters = {
-    boolean: {
-        from: function (value) { return (value == 'true') || (value == true); },
-        to: function (value) { return checkmark(value) }
-    },
-    raw: {
-        from: function (value) {
-            console.log(value)
-            return value
-        },
-        to: function (value) {
-            console.log(value);
-            return value
-        }
-    }
+  boolean: {
+      from: function (value) { return (value == 'true') || (value == true); },
+      to: function (value) { return value }
+  }
 }
 
+dataformatters = {
+  code: function(column, row) {
+    let result = row.code;
+    let protocol = translateProtocol(row.code);
+
+    if(typeof(protocol) != "string") { 
+      result = '<abbr title="' + protocol['long'] + '">' + protocol['short'] + '</abbr> ';
+    }
+
+    if(row.selected) {
+      result += '<abbr title="{{ lang._('Selected') }}">&gt;</abbr> ';
+    }
+
+    if(row.installed) {
+      result += '<abbr title="{{ lang._('FIB') }}">&ast;</abbr>';
+    }
+
+    return result;
+  }
+};
+
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 
   ajaxCall(url="/api/quagga/diagnostics/generalroute", sendData={}, callback=function(data,status) {
     content = _.template($('#routestpl').html())({routes: data['response']})
     $('#routing').html(content)
-    //$('#routing table').bootgrid({converters: dataconverters})
+    $('#routing table').bootgrid({converters: dataconverters, formatters: dataformatters})
   });
   ajaxCall(url="/api/quagga/diagnostics/generalroute6", sendData={}, callback=function(data,status) {
     content = _.template($('#routestpl').html())({routes: data['response']})
     $('#routing6').html(content)
-    //$('#routing6 table').bootgrid({converters: dataconverters})
+    $('#routing6 table').bootgrid({converters: dataconverters, formatters: dataformatters})
   });
   ajaxCall(url="/api/quagga/diagnostics/generalrunningconfig", sendData={}, callback=function(data,status) {
       $("#runningconfig").text(data['response']);

From d757ce732a2ab1b86d6f452df563f05e85efbbfe Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 14 Dec 2020 11:05:39 +0100
Subject: [PATCH 0314/3088] heading consistency

---
 .../opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
index 31d8824731..f8dc9eee60 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
@@ -267,7 +267,6 @@ POSSIBILITY OF SUCH DAMAGE.
 <% }); %>
 </script>-->
 <script type="text/x-template" id="routestpl">
-<h2>{{ lang._('Routing Table') }}</h2>
  <table class="table table-striped">
   <thead>
     <tr>

From 4cf1e593d3a81281f7ee840650ed96855a28b777 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 14 Dec 2020 11:47:39 +0100
Subject: [PATCH 0315/3088] style and formatting sweep yes i'm nitpicky,
 sorry...

---
 .../views/OPNsense/Quagga/diagnosticsbgp.volt |  66 +--
 .../OPNsense/Quagga/diagnosticsgeneral.volt   | 151 +++---
 .../OPNsense/Quagga/diagnosticsospf.volt      | 447 +++++++++---------
 3 files changed, 332 insertions(+), 332 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index c7dce30ce1..fec0a295b7 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -34,18 +34,20 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <script type="text/x-template" id="overviewtpl">
   <table class="table table-striped">
-    <tr>
-      <td>{{ lang._('Table Version') }}</td>
-      <td><%= tableVersion %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Local Router ID') }}</td>
-      <td><%= routerId %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Local AS') }}</td>
-      <td><%= localAS %></td>
-    </tr>
+    <tbody>
+      <tr>
+        <td>{{ lang._('Table Version') }}</td>
+        <td><%= tableVersion %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Local Router ID') }}</td>
+        <td><%= routerId %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Local AS') }}</td>
+        <td><%= localAS %></td>
+      </tr>
+    </tbody>
   </table>
 </script>
 <script type="text/x-template" id="routestpl">
@@ -98,18 +100,18 @@ POSSIBILITY OF SUCH DAMAGE.
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 
-  ajaxCall(url="/api/quagga/diagnostics/bgpoverview", sendData={}, callback=function(data,status) {
-      content = _.template($('#overviewtpl').html())(data['response'])
-      $('#overview').html(content)
-      content = _.template($('#routestpl').html())(data['response'])
-      $('#routing').html(content)
+  ajaxCall(url="/api/quagga/diagnostics/bgpoverview", sendData={}, callback=function(data, status) {
+      let content = _.template($('#overviewtpl').html())(data['response']);
+      $('#overview').html(content);
+      content = _.template($('#routestpl').html())(data['response']);
+      $('#routing').html(content);
   });
 
-  ajaxCall(url="/api/quagga/diagnostics/bgpneighbors/plain", sendData={}, callback=function(data,status) {
-      $('#neighborscontent').text(data['response'])
+  ajaxCall(url="/api/quagga/diagnostics/bgpneighbors/plain", sendData={}, callback=function(data, status) {
+      $('#neighborscontent').text(data['response']);
   });
 
-  ajaxCall(url="/api/quagga/diagnostics/bgpsummary/plain", sendData={}, callback=function(data,status) {
+  ajaxCall(url="/api/quagga/diagnostics/bgpsummary/plain", sendData={}, callback=function(data, status) {
       $("#summarycontent").text(data['response']);
   });
 });
@@ -117,19 +119,19 @@ $(document).ready(function() {
 
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
-    <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
-    <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
-    <li><a data-toggle="tab" href="#summary">{{ lang._('Summary') }}</a></li>
+  <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
+  <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
+  <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
+  <li><a data-toggle="tab" href="#summary">{{ lang._('Summary') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
-    <div id="overview" class="tab-pane fade in active"></div>
-    <div id="routing" class="tab-pane fade in"></div>
-    <div id="neighbors" class="tab-pane fade in">
-      <pre id="neighborscontent"></pre>
-    </div>
-    <div id="summary" class="tab-pane fade in">
-      <pre id="summarycontent"></pre>
-    </div>
+  <div id="overview" class="tab-pane fade in active"></div>
+  <div id="routing" class="tab-pane fade in"></div>
+  <div id="neighbors" class="tab-pane fade in">
+    <pre id="neighborscontent"></pre>
+  </div>
+  <div id="summary" class="tab-pane fade in">
+    <pre id="summarycontent"></pre>
+  </div>
 </div>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
index 3e7569396a..d14a398ebe 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
@@ -28,79 +28,71 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 <script src="/ui/js/quagga/lodash.js"></script>
 <script type="text/x-template" id="routestpl">
-<table class="table table-striped">
-  <thead>
-    <tr>
-      <th data-column-id="code" data-type="string" data-formatter="code">{{ lang._('Code') }}</th>
-      <th data-column-id="selected" data-type="boolean" data-visible="false">{{ lang._('Selected') }}</th>
-      <th data-column-id="installed" data-type="boolean" data-visible="false">{{ lang._('Installed') }}</th>
-      <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
-      <th data-column-id="ad" data-type="numeric">{{ lang._('Administrative Distance') }}</th>
-      <th data-column-id="metric" data-type="numeric">{{ lang._('Metric') }}</th>
-      <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
-      <th data-column-id="via" data-type="string">{{ lang._('Via') }}</th>
-      <th data-column-id="time" data-type="string">{{ lang._('Time') }}</th>
-    </tr>
-  </thead>
-  <tbody>
-    <% _.forEach(routes, function(route_array, network) { %>
-      <% _.forEach(route_array, function(route) { %>
-        <% _.forEach(route['nexthops'], function(nexthop) { %>
-        <tr>
-          <td><%= route['protocol'] %></td>
-          <td><%= (typeof(route['selected']) != "undefined" && route['selected']) %></td>
-          <td><%= (typeof(route['installed']) != "undefined" && route['installed']) %></td>
-          <td><%= network %></td>
-          <td><%= route['distance'] %></td>
-          <td><%= route['metric'] %></td>
-          <td><%= nexthop['interfaceName'] %></td>
-          <td><%= (typeof(nexthop['ip']) != "undefined" ? nexthop['ip'] : '{{ lang._('Directly Attached') }}') %></td>
-          <td><%= route['uptime'] %></td>
-        </tr>
+  <table class="table table-striped">
+    <thead>
+      <tr>
+        <th data-column-id="code" data-type="string" data-formatter="code">{{ lang._('Code') }}</th>
+        <th data-column-id="selected" data-type="boolean" data-visible="false">{{ lang._('Selected') }}</th>
+        <th data-column-id="installed" data-type="boolean" data-visible="false">{{ lang._('Installed') }}</th>
+        <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
+        <th data-column-id="ad" data-type="numeric">{{ lang._('Administrative Distance') }}</th>
+        <th data-column-id="metric" data-type="numeric">{{ lang._('Metric') }}</th>
+        <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
+        <th data-column-id="via" data-type="string">{{ lang._('Via') }}</th>
+        <th data-column-id="time" data-type="string">{{ lang._('Time') }}</th>
+      </tr>
+    </thead>
+    <tbody>
+      <% _.forEach(routes, function(route_array, network) { %>
+        <% _.forEach(route_array, function(route) { %>
+          <% _.forEach(route['nexthops'], function(nexthop) { %>
+            <tr>
+              <td><%= route['protocol'] %></td>
+              <td><%= (typeof(route['selected']) != "undefined" && route['selected']) %></td>
+              <td><%= (typeof(route['installed']) != "undefined" && route['installed']) %></td>
+              <td><%= network %></td>
+              <td><%= route['distance'] %></td>
+              <td><%= route['metric'] %></td>
+              <td><%= nexthop['interfaceName'] %></td>
+              <td><%= (typeof(nexthop['ip']) != "undefined" ? nexthop['ip'] : '{{ lang._('Directly Attached') }}') %></td>
+              <td><%= route['uptime'] %></td>
+            </tr>
+          <% }); %>
         <% }); %>
       <% }); %>
-    <% }); %>
-  </tbody>
-</table>
+    </tbody>
+  </table>
 </script>
 
-<script>
-function translateProtocol(data)
-{
-  tr = []
+<script type="text/javascript">
+function translateProtocol(data) {
+  let tr = [];
+
   // routing table tab
-  tr['kernel'] = {short: 'K', long: '{{ lang._('Kernel') }}'}
-  tr['connected'] = {short: 'C', long: '{{ lang._('Connected') }}'}
-  tr['bgp'] = {short: 'B', long: '{{ lang._('BGP') }}'}
-  tr['ospf'] = {short: 'O', long: '{{ lang._('OSPF') }}'}
-  tr['ospf6'] = {short: 'O', long: '{{ lang._('OSPFv3') }}'}
+  tr['kernel'] = {short: 'K', long: '{{ lang._('Kernel') }}'};
+  tr['connected'] = {short: 'C', long: '{{ lang._('Connected') }}'};
+  tr['bgp'] = {short: 'B', long: '{{ lang._('BGP') }}'};
+  tr['ospf'] = {short: 'O', long: '{{ lang._('OSPF') }}'};
+  tr['ospf6'] = {short: 'O', long: '{{ lang._('OSPFv3') }}'};
 
-  return _.has(tr,data) ? tr[data] : data
+  return _.has(tr,data) ? tr[data] : data;
 }
 
-dataconverters = {
+let dataconverters = {
   boolean: {
-      from: function (value) { return (value == 'true') || (value == true); },
-      to: function (value) { return value }
+    from: function (value) { return (value == 'true') || (value == true); },
+    to: function (value) { return value; }
   }
 }
 
-dataformatters = {
+let dataformatters = {
   code: function(column, row) {
     let result = row.code;
     let protocol = translateProtocol(row.code);
 
-    if(typeof(protocol) != "string") { 
-      result = '<abbr title="' + protocol['long'] + '">' + protocol['short'] + '</abbr> ';
-    }
-
-    if(row.selected) {
-      result += '<abbr title="{{ lang._('Selected') }}">&gt;</abbr> ';
-    }
-
-    if(row.installed) {
-      result += '<abbr title="{{ lang._('FIB') }}">&ast;</abbr>';
-    }
+    if(typeof(protocol) != "string") result = '<abbr title="' + protocol['long'] + '">' + protocol['short'] + '</abbr> ';
+    if(row.selected) result += '<abbr title="{{ lang._('Selected') }}">&gt;</abbr> ';
+    if(row.installed) result += '<abbr title="{{ lang._('FIB') }}">&ast;</abbr>';
 
     return result;
   }
@@ -109,34 +101,43 @@ dataformatters = {
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 
-  ajaxCall(url="/api/quagga/diagnostics/generalroute", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())({routes: data['response']})
-    $('#routing').html(content)
-    $('#routing table').bootgrid({converters: dataconverters, formatters: dataformatters})
+  ajaxCall(url="/api/quagga/diagnostics/generalroute", sendData={}, callback=function(data, status) {
+    let content = _.template($('#routestpl').html())({
+      routes: data['response']
+    });
+    $('#routing').html(content);
+    $('#routing table').bootgrid({
+      converters: dataconverters,
+      formatters: dataformatters
+    });
   });
-  ajaxCall(url="/api/quagga/diagnostics/generalroute6", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())({routes: data['response']})
-    $('#routing6').html(content)
-    $('#routing6 table').bootgrid({converters: dataconverters, formatters: dataformatters})
+  ajaxCall(url="/api/quagga/diagnostics/generalroute6", sendData={}, callback=function(data, status) {
+    let content = _.template($('#routestpl').html())({
+      routes: data['response']
+    });
+    $('#routing6').html(content);
+    $('#routing6 table').bootgrid({
+      converters: dataconverters,
+      formatters: dataformatters
+    });
   });
-  ajaxCall(url="/api/quagga/diagnostics/generalrunningconfig", sendData={}, callback=function(data,status) {
+  ajaxCall(url="/api/quagga/diagnostics/generalrunningconfig", sendData={}, callback=function(data, status) {
       $("#runningconfig").text(data['response']);
   });
-
 });
 </script>
 
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#routing">{{ lang._('IPv4 Routes') }}</a></li>
-    <li><a data-toggle="tab" href="#routing6">{{ lang._('IPv6 Routes') }}</a></li>
-    <li><a data-toggle="tab" href="#showrun">{{ lang._('Running Configuration') }}</a></li>
+  <li class="active"><a data-toggle="tab" href="#routing">{{ lang._('IPv4 Routes') }}</a></li>
+  <li><a data-toggle="tab" href="#routing6">{{ lang._('IPv6 Routes') }}</a></li>
+  <li><a data-toggle="tab" href="#showrun">{{ lang._('Running Configuration') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
-    <div id="routing" class="tab-pane fade in active"></div>
-    <div id="routing6" class="tab-pane fade in"></div>
-    <div id="showrun" class="tab-pane fade in">
-      <pre id="runningconfig"></pre>
-    </div>
+  <div id="routing" class="tab-pane fade in active"></div>
+  <div id="routing6" class="tab-pane fade in"></div>
+  <div id="showrun" class="tab-pane fade in">
+    <pre id="runningconfig"></pre>
+  </div>
 </div>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
index f8dc9eee60..b27fc4a7fa 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
@@ -28,119 +28,118 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 
 <script type="text/x-template" id="overviewtpl">
-<h2>{{ lang._('General') }}</h2>
- <table class="table table-striped">
-<tbody>
-  <tr>
-    <td>{{ lang._('RFC2328 Conform') }}</td>
-    <td><%= checkmark(rfc2328Conform) %></td>
-  </tr>
-  <tr>
-    <td>{{ lang._('ASBR') }}</td>
-    <td><%= checkmark(asbrRouter == "injectingExternalRoutingInformation") %></td>
-  </tr>
-  <tr>
-    <td>{{ lang._('Router ID') }}</td>
-    <td><%= routerId %></td>
-  </tr>
-  <tr>
-    <td>{{ lang._('RFC1583 Compatibility') }}</td>
-    <td><%= checkmark(typeof rfc1583Compatibility != "undefined" && rfc1583Compatibility) %></td>
-  </tr>
-  <tr>
-    <td>{{ lang._('Opaque Capability') }}</td>
-    <td><%= checkmark(typeof opaqueCapable != "undefined" && opaqueCapable) %></td>
-  </tr>
-  <tr>
-    <td>{{ lang._('Initial SPF Scheduling Delay') }}</td>
-    <td><%= spfScheduleDelayMsecs %> {{ lang._('Milliseconds') }}</td>
-  </tr>
-  <tr>
-    <td>{{ lang._('Minimum Hold Time') }}</td>
-    <td><%= holdtimeMinMsecs %> {{ lang._('Milliseconds') }}</td>
-  </tr>
-  <tr>
-    <td>{{ lang._('Maximum Hold Time') }}</td>
-    <td><%= holdtimeMaxMsecs %> {{ lang._('Milliseconds') }}</td>
-  </tr>
-  <tr>
-    <td>{{ lang._('Current Hold Time Multipier') }}</td>
-    <td><%= holdtimeMultplier %></td>
-  </tr>
-  <tr>
-    <td>{{ lang._('Refresh Timer') }}</td>
-    <td><%= refreshTimerMsecs %> {{ lang._('Milliseconds') }}</td>
-  </tr>
-  <tr>
-    <td>{{ lang._('Areas Attached Count') }}</td>
-    <td><%= attachedAreaCounter %></td>
-  </tr>
-</tbody>
-</table>
-
-<h2>{{ lang._('Link State Area') }}</h2>
- <table class="table table-striped">
-  <thead>
-    <tr>
-      <th></th>
-      <th>{{ lang._('Count') }}</th>
-      <th>{{ lang._('Checksum') }}</th>
-    </tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>{{ lang._('External LSA') }}</td>
-      <td><%= lsaExternalCounter %></td>
-      <td><%= lsaExternalChecksum %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Opaque AS LSA') }}</td>
-      <td><%= lsaAsopaqueCounter %></td>
-      <td><%= lsaAsOpaqueChecksum %></td>
-    </tr>
-  </tbody>
-</table>
+  <h2>{{ lang._('General') }}</h2>
+  <table class="table table-striped">
+    <tbody>
+      <tr>
+        <td>{{ lang._('RFC2328 Conform') }}</td>
+        <td><%= checkmark(rfc2328Conform) %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('ASBR') }}</td>
+        <td><%= checkmark(asbrRouter == "injectingExternalRoutingInformation") %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Router ID') }}</td>
+        <td><%= routerId %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('RFC1583 Compatibility') }}</td>
+        <td><%= checkmark(typeof rfc1583Compatibility != "undefined" && rfc1583Compatibility) %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Opaque Capability') }}</td>
+        <td><%= checkmark(typeof opaqueCapable != "undefined" && opaqueCapable) %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Initial SPF Scheduling Delay') }}</td>
+        <td><%= spfScheduleDelayMsecs %> {{ lang._('Milliseconds') }}</td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Minimum Hold Time') }}</td>
+        <td><%= holdtimeMinMsecs %> {{ lang._('Milliseconds') }}</td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Maximum Hold Time') }}</td>
+        <td><%= holdtimeMaxMsecs %> {{ lang._('Milliseconds') }}</td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Current Hold Time Multipier') }}</td>
+        <td><%= holdtimeMultplier %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Refresh Timer') }}</td>
+        <td><%= refreshTimerMsecs %> {{ lang._('Milliseconds') }}</td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Areas Attached Count') }}</td>
+        <td><%= attachedAreaCounter %></td>
+      </tr>
+    </tbody>
+  </table>
 
-<h2>{{ lang._('Areas') }}</h2>
+  <h2>{{ lang._('Link State Area') }}</h2>
+  <table class="table table-striped">
+    <thead>
+      <tr>
+        <th></th>
+        <th>{{ lang._('Count') }}</th>
+        <th>{{ lang._('Checksum') }}</th>
+      </tr>
+    </thead>
+    <tbody>
+      <tr>
+        <td>{{ lang._('External LSA') }}</td>
+        <td><%= lsaExternalCounter %></td>
+        <td><%= lsaExternalChecksum %></td>
+      </tr>
+      <tr>
+        <td>{{ lang._('Opaque AS LSA') }}</td>
+        <td><%= lsaAsopaqueCounter %></td>
+        <td><%= lsaAsOpaqueChecksum %></td>
+      </tr>
+    </tbody>
+  </table>
 
-<% if (areas) { %>
-  <% _.forEach(areas, function(area, areaname) { %>
-    <br /> 
-    <table class="table table-striped">
-      <thead>
-        <tr>
-          <th><%= areaname %></th>
-          <th>{{ lang._('Count') }}</th>
-        </tr>
-      </thead>
-      <tbody>
-        <tr>
-          <td>{{ lang._('Interfaces: Total') }}</td>
-          <td><%= area['areaIfTotalCounter'] %></td>
-        </tr>
-        <tr>
-          <td>{{ lang._('Interfaces: Active') }}</td>
-          <td><%= area['areaIfActiveCounter'] %></td>
-        </tr>
-        <tr>
-          <td>{{ lang._('Fully Adjacent Neighbor Count') }}</td>
-          <td><%= area['nbrFullAdjacentCounter'] %></td>
-        </tr>
-        <tr>
-          <td>{{ lang._('SPF Execution Count') }}</td>
-          <td><%= area['spfExecutedCounter'] %></td>
-        </tr>
-      </tbody>
-    </table>
-     <table class="table table-striped">
-      <thead>
-        <tr>
-          <th>{{ lang._('LSA Type') }}</th>
-          <th>{{ lang._('Count') }}</th>
-          <th>{{ lang._('Checksum') }}</th>
-        </tr>
-      </thead>
-      <tbody>
+  <% if (areas) { %>
+    <h2>{{ lang._('Areas') }}</h2>
+    <% _.forEach(areas, function(area, areaname) { %>
+      <br /> 
+      <table class="table table-striped">
+        <thead>
+          <tr>
+            <th><%= areaname %></th>
+            <th>{{ lang._('Count') }}</th>
+          </tr>
+        </thead>
+        <tbody>
+          <tr>
+            <td>{{ lang._('Interfaces: Total') }}</td>
+            <td><%= area['areaIfTotalCounter'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('Interfaces: Active') }}</td>
+            <td><%= area['areaIfActiveCounter'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('Fully Adjacent Neighbor Count') }}</td>
+            <td><%= area['nbrFullAdjacentCounter'] %></td>
+          </tr>
+          <tr>
+            <td>{{ lang._('SPF Execution Count') }}</td>
+            <td><%= area['spfExecutedCounter'] %></td>
+          </tr>
+        </tbody>
+      </table>
+      <table class="table table-striped">
+        <thead>
+          <tr>
+            <th>{{ lang._('LSA Type') }}</th>
+            <th>{{ lang._('Count') }}</th>
+            <th>{{ lang._('Checksum') }}</th>
+          </tr>
+        </thead>
+        <tbody>
           <tr>
             <td>{{ lang._('Router') }}</td>
             <td><%= area['lsaRouterNumber'] %></td>
@@ -176,10 +175,10 @@ POSSIBILITY OF SUCH DAMAGE.
             <td><%= area['lsaOpaqueAreaNumber'] %></td>
             <td><%= area['lsaOpaqueAreaNumber'] %></td>
           </tr>
-      </tbody>
-    </table>
-  <% }) %>
-<% } %>
+        </tbody>
+      </table>
+    <% }); %>
+  <% } %>
 </script>
 <!--<script type="text/x-template" id="databasetpl">
 <% _.each(_.keys(ospf_database), function(router_id) { %>
@@ -267,7 +266,7 @@ POSSIBILITY OF SUCH DAMAGE.
 <% }); %>
 </script>-->
 <script type="text/x-template" id="routestpl">
- <table class="table table-striped">
+  <table class="table table-striped">
   <thead>
     <tr>
       <th data-column-id="type" data-type="string" data-formatter="route_type">{{ lang._('Type') }}</th>
@@ -290,21 +289,21 @@ POSSIBILITY OF SUCH DAMAGE.
       </tr>
       <% route['nexthops'].shift(); %>
       <% _.forEach(route['nexthops'], function(nexthop) { %>
-      <tr>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td></td>
-        <td><%= (typeof nexthop['via'] != "undefined" ? nexthop['ip'] : translate('directly attached')) %></td>
-        <td><%= (typeof nexthop['via'] != "undefined" ? nexthop['via'] : nexthop['directly attached to']) %></td>
-      </tr>
+        <tr>
+          <td></td>
+          <td></td>
+          <td></td>
+          <td></td>
+          <td><%= (typeof nexthop['via'] != "undefined" ? nexthop['ip'] : translate('directly attached')) %></td>
+          <td><%= (typeof nexthop['via'] != "undefined" ? nexthop['via'] : nexthop['directly attached to']) %></td>
+        </tr>
       <% }); %>
     <% }); %>
   </tbody>
 </table>
 </script>
 <script type="text/x-template" id="neighbortpl">
-   <table class="table table-striped">
+  <table class="table table-striped">
     <thead>
       <tr>
         <th data-column-id="neighborid" data-type="string">{{ lang._('Neighbor ID') }}</th>
@@ -338,93 +337,88 @@ POSSIBILITY OF SUCH DAMAGE.
   </table>
 </script>
 <script type="text/x-template" id="interfacetpl">
-<% _.forEach(interfaces, function(interface, interfacename) { %>
-  <h2><%= interfacename %></h2>
-   <table class="table table-striped">
-    <tbody>
-      <% _.forEach(interface, function(propertyvalue, propertyname) { %>
-        <tr>
-          <td><%= translate(propertyname) %></td>
-          <td>
-            <% if (typeof(propertyvalue) == "boolean")  { %>
-              <%= checkmark(propertyvalue) %>
-            <% } else { %>
-              <%= translate(propertyvalue) %>
-            <% } %>
-          </td>
-        </tr>
-      <% }); %>
-    </tbody>
-  </table>
-<% }) %>
+  <% _.forEach(interfaces, function(interface, interfacename) { %>
+    <h2><%= interfacename %></h2>
+    <table class="table table-striped">
+      <tbody>
+        <% _.forEach(interface, function(propertyvalue, propertyname) { %>
+          <tr>
+            <td><%= translate(propertyname) %></td>
+            <td>
+              <% if (typeof(propertyvalue) == "boolean")  { %>
+                <%= checkmark(propertyvalue) %>
+              <% } else { %>
+                <%= translate(propertyvalue) %>
+              <% } %>
+            </td>
+          </tr>
+        <% }); %>
+      </tbody>
+    </table>
+  <% }); %>
 </script>
-<script src="/ui/js/quagga/lodash.js"></script>
-<script>
-
-function translate(data)
-{
-  tr = []
+<script type="text/javascript" src="/ui/js/quagga/lodash.js"></script>
+<script type="text/javascript">
+function translate(data) {
+  let tr = [];
   // routing table tab
-  tr['N'] = '{{ lang._('Network') }}'
-  tr['R'] = '{{ lang._('Router') }}'
-  tr['IA'] = '{{ lang._('OSPF inter area') }}'
-  tr['N1'] = '{{ lang._('OSPF NSSA external type 1') }}'
-  tr['N2'] = '{{ lang._('OSPF NSSA external type 2') }}'
-  tr['E1'] = '{{ lang._('OSPF external type 1') }}'
-  tr['E2'] = '{{ lang._('OSPF external type 2') }}'
-  tr['directly attached'] = '{{ lang._('Directly Attached') }}'
+  tr['N'] = '{{ lang._('Network') }}';
+  tr['R'] = '{{ lang._('Router') }}';
+  tr['IA'] = '{{ lang._('OSPF inter area') }}';
+  tr['N1'] = '{{ lang._('OSPF NSSA external type 1') }}';
+  tr['N2'] = '{{ lang._('OSPF NSSA external type 2') }}';
+  tr['E1'] = '{{ lang._('OSPF external type 1') }}';
+  tr['E2'] = '{{ lang._('OSPF external type 2') }}';
+  tr['directly attached'] = '{{ lang._('Directly Attached') }}';
 
   // neighbor tab
-  tr['Full/DR'] = '{{ lang._('Full (Designated Router)') }}'
+  tr['Full/DR'] = '{{ lang._('Full (Designated Router)') }}';
 
   // interfaces tab
-  tr['ifUp'] = '{{ lang._('Up') }}'
-  tr['ifIndex'] = '{{ lang._('Index') }}'
-  tr['mtuBytes'] = '{{ lang._('MTU') }} &lsqb;{{ lang._('Bytes') }}&rsqb;'
-  tr['bandwidthMbit'] = '{{ lang._('Bandwidth') }} &lsqb;Mbit/s&rsqb;'
-  tr['ifFlags'] = '{{ lang._('Flags') }}'
-  tr['ospfEnabled'] = '{{ lang._('OSPF Enabled') }}'
-  tr['ipAddress'] = '{{ lang._('Address') }}'
-  tr['ipAddressPrefixlen'] = '{{ lang._('Prefix Length') }}'
-  tr['ospfIfType'] = '{{ lang._('Type') }}'
-  tr['localIfUsed'] = '{{ lang._('Local Interface') }}'
-  tr['area'] = '{{ lang._('Area') }}'
-  tr['routerId'] = '{{ lang._('Router ID') }}'
-  tr['networkType'] = '{{ lang._('Network Type') }}'
-  tr['cost'] = '{{ lang._('Cost') }}'
-  tr['transmitDelaySecs'] = '{{ lang._('Transmit Delay') }} &lsqb;s&rsqb;'
-  tr['state'] = '{{ lang._('State') }}'
-  tr['priority'] = '{{ lang._('Priority') }}'
-  tr['mcastMemberOspfAllRouters'] = '{{ lang._('Multicast') }} {{ lang._('Group') }} {{ lang._('Member') }} OSPFAllRouters'
-  tr['timerMsecs'] = '{{ lang._('Hello Timer') }} &lsqb;ms&rsqb;'
-  tr['timerDeadSecs'] = '{{ lang._('Dead Timer') }} &lsqb;s&rsqb;'
-  tr['timerWaitSecs'] = '{{ lang._('Wait Timer') }} &lsqb;s&rsqb;'
-  tr['timerRetransmitSecs'] = '{{ lang._('Retransmit Timer') }} &lsqb;s&rsqb;'
-  tr['timerPassiveIface'] = '{{ lang._('Passive Interface') }}'
-  tr['timerHelloInMsecs'] = '{{ lang._('Hello Due In') }} &lsqb;ms&rsqb;'
-  tr['nbrCount'] = '{{ lang._('Neighbor Count') }}'
-  tr['nbrAdjacentCount'] = '{{ lang._('Adjacent Neighbor Count') }}'
+  tr['ifUp'] = '{{ lang._('Up') }}';
+  tr['ifIndex'] = '{{ lang._('Index') }}';
+  tr['mtuBytes'] = '{{ lang._('MTU') }} &lsqb;{{ lang._('Bytes') }}&rsqb;';
+  tr['bandwidthMbit'] = '{{ lang._('Bandwidth') }} &lsqb;Mbit/s&rsqb;';
+  tr['ifFlags'] = '{{ lang._('Flags') }}';
+  tr['ospfEnabled'] = '{{ lang._('OSPF Enabled') }}';
+  tr['ipAddress'] = '{{ lang._('Address') }}';
+  tr['ipAddressPrefixlen'] = '{{ lang._('Prefix Length') }}';
+  tr['ospfIfType'] = '{{ lang._('Type') }}';
+  tr['localIfUsed'] = '{{ lang._('Local Interface') }}';
+  tr['area'] = '{{ lang._('Area') }}';
+  tr['routerId'] = '{{ lang._('Router ID') }}';
+  tr['networkType'] = '{{ lang._('Network Type') }}';
+  tr['cost'] = '{{ lang._('Cost') }}';
+  tr['transmitDelaySecs'] = '{{ lang._('Transmit Delay') }} &lsqb;s&rsqb;';
+  tr['state'] = '{{ lang._('State') }}';
+  tr['priority'] = '{{ lang._('Priority') }}';
+  tr['mcastMemberOspfAllRouters'] = '{{ lang._('Multicast') }} {{ lang._('Group') }} {{ lang._('Member') }} OSPFAllRouters';
+  tr['timerMsecs'] = '{{ lang._('Hello Timer') }} &lsqb;ms&rsqb;';
+  tr['timerDeadSecs'] = '{{ lang._('Dead Timer') }} &lsqb;s&rsqb;';
+  tr['timerWaitSecs'] = '{{ lang._('Wait Timer') }} &lsqb;s&rsqb;';
+  tr['timerRetransmitSecs'] = '{{ lang._('Retransmit Timer') }} &lsqb;s&rsqb;';
+  tr['timerPassiveIface'] = '{{ lang._('Passive Interface') }}';
+  tr['timerHelloInMsecs'] = '{{ lang._('Hello Due In') }} &lsqb;ms&rsqb;';
+  tr['nbrCount'] = '{{ lang._('Neighbor Count') }}';
+  tr['nbrAdjacentCount'] = '{{ lang._('Adjacent Neighbor Count') }}';
 
-  return _.has(tr,data) ? tr[data] : data
+  return _.has(tr,data) ? tr[data] : data;
 }
 
-function checkmark(bin)
-{
+function checkmark(bin) {
   return "<i class=\"fa " + (bin ? "fa-check-square" : "fa-square") + " text-muted\"></i>";
 }
 
 dataformatters = {
   route_type: function(column, row) {
     let result = ''
+
     _.forEach(row.type.split(' '), function(routeType) {
-      if(translate(routeType) == routeType) {
-        result += routeType;
-      }
-      else {
-        result += '<abbr title="' + translate(routeType) + '">' + routeType + '</abbr>';
-      }
+      if(translate(routeType) == routeType) result += routeType;
+      else result += '<abbr title="' + translate(routeType) + '">' + routeType + '</abbr>';
       result += ' ';
     });
+
     return result;
   }
 };
@@ -432,48 +426,51 @@ dataformatters = {
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 
-  ajaxCall(url="/api/quagga/diagnostics/ospfoverview", sendData={}, callback=function(data,status) {
-    content = _.template($('#overviewtpl').html())(data['response'])
-    $('#overview').html(content)
+  ajaxCall(url="/api/quagga/diagnostics/ospfoverview", sendData={}, callback=function(data, status) {
+    let content = _.template($('#overviewtpl').html())(data['response']);
+    $('#overview').html(content);
   });
-  ajaxCall(url="/api/quagga/diagnostics/ospfdatabase/plain", sendData={}, callback=function(data,status) {
-    $('#databasecontent').text(data['response'])
+  ajaxCall(url="/api/quagga/diagnostics/ospfdatabase/plain", sendData={}, callback=function(data, status) {
+    $('#databasecontent').text(data['response']);
   });
-  ajaxCall(url="/api/quagga/diagnostics/ospfroute", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())({routes: data['response']})
-    $('#routing').html(content)
-    $('#routing table').bootgrid({formatters: dataformatters})
+  ajaxCall(url="/api/quagga/diagnostics/ospfroute", sendData={}, callback=function(data, status) {
+    let content = _.template($('#routestpl').html())({
+      routes: data['response']
+    });
+    $('#routing').html(content);
+    $('#routing table').bootgrid({
+      formatters: dataformatters
+    });
   });
-  ajaxCall(url="/api/quagga/diagnostics/ospfneighbor", sendData={}, callback=function(data,status) {
-    content = _.template($('#neighbortpl').html())(data['response'])
-    $('#neighbor').html(content)
-    $('#neighbor table').bootgrid()
+  ajaxCall(url="/api/quagga/diagnostics/ospfneighbor", sendData={}, callback=function(data, status) {
+    let content = _.template($('#neighbortpl').html())(data['response']);
+    $('#neighbor').html(content);
+    $('#neighbor table').bootgrid({
+      formatters: dataformatters
+    });
   });
-  ajaxCall(url="/api/quagga/diagnostics/ospfinterface", sendData={}, callback=function(data,status) {
-    content = _.template($('#interfacetpl').html())(data['response'])
-    $('#interface').html(content)
+  ajaxCall(url="/api/quagga/diagnostics/ospfinterface", sendData={}, callback=function(data, status) {
+    let content = _.template($('#interfacetpl').html())(data['response']);
+    $('#interface').html(content);
   });
-
-
 });
 </script>
 
-
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
-    <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
-    <li><a data-toggle="tab" href="#database">{{ lang._('Database') }}</a></li>
-    <li><a data-toggle="tab" href="#neighbor">{{ lang._('Neighbor') }}</a></li>
-    <li><a data-toggle="tab" href="#interface">{{ lang._('Interface') }}</a></li>
+  <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
+  <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
+  <li><a data-toggle="tab" href="#database">{{ lang._('Database') }}</a></li>
+  <li><a data-toggle="tab" href="#neighbor">{{ lang._('Neighbor') }}</a></li>
+  <li><a data-toggle="tab" href="#interface">{{ lang._('Interface') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
-    <div id="overview" class="tab-pane fade in active"></div>
-    <div id="routing" class="tab-pane fade in"></div>
-    <div id="database" class="tab-pane fade in">
-      <pre id="databasecontent"></pre>
-    </div>
-    <div id="neighbor" class="tab-pane fade in"></div>
-    <div id="interface" class="tab-pane fade in"></div>
+  <div id="overview" class="tab-pane fade in active"></div>
+  <div id="routing" class="tab-pane fade in"></div>
+  <div id="database" class="tab-pane fade in">
+    <pre id="databasecontent"></pre>
+  </div>
+  <div id="neighbor" class="tab-pane fade in"></div>
+  <div id="interface" class="tab-pane fade in"></div>
 </div>

From 124a54153c030a902e2a144987b29d097a20c18d Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 14 Dec 2020 11:54:19 +0100
Subject: [PATCH 0316/3088] heading and one more small style/format fix

---
 .../mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt        | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index fec0a295b7..6e78fe80e0 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -33,6 +33,7 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 
 <script type="text/x-template" id="overviewtpl">
+  <h2>{{ lang._('General') }}</h2>
   <table class="table table-striped">
     <tbody>
       <tr>
@@ -95,8 +96,8 @@ POSSIBILITY OF SUCH DAMAGE.
   </table>
 </script>
 
-<script src="/ui/js/quagga/lodash.js"></script>
-<script>
+<script type="text/javascript" src="/ui/js/quagga/lodash.js"></script>
+<script type="text/javascript">
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 

From b590f3167142f6c24b43912a9845e2afc42b6ca5 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 14 Dec 2020 14:02:38 +0100
Subject: [PATCH 0317/3088] make BGP route table pretty and use bootgrid

---
 .../views/OPNsense/Quagga/diagnosticsbgp.volt | 67 ++++++++++++-------
 1 file changed, 41 insertions(+), 26 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index 6e78fe80e0..2f26a136f2 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -55,14 +55,16 @@ POSSIBILITY OF SUCH DAMAGE.
   <table class="table table-striped">
     <thead>
       <tr>
-        <th data-column-id="status" data-type="raw">{{ lang._('Status') }}</th>
-        <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
-        <th data-column-id="nexthop" data-type="string">{{ lang._('Next Hop') }}</th>
-        <th data-column-id="metric" data-type="numeric">{{ lang._('Metric') }}</th>
-        <th data-column-id="locprf" data-type="numeric">{{ lang._('LocPrf') }}</th>
-        <th data-column-id="weight" data-type="numeric">{{ lang._('Weight') }}</th>
-        <th data-column-id="path" data-type="string">{{ lang._('Path') }}</th>
-        <th data-column-id="origin" data-type="string">{{ lang._('Origin') }}</th>
+        <th data-column-id="valid" data-type="boolean" data-formatter="boolean" data-width="5%">{{ lang._('Valid') }}</th>
+        <th data-column-id="best" data-type="boolean" data-formatter="boolean" data-width="5%">{{ lang._('Best') }}</th>
+        <th data-column-id="internal" data-type="boolean" data-formatter="boolean" data-width="6%">{{ lang._('Internal') }}</th>
+        <th data-column-id="network" data-type="string" data-width="21%">{{ lang._('Network') }}</th>
+        <th data-column-id="nexthop" data-type="string" data-width="21%">{{ lang._('Next Hop') }}</th>
+        <th data-column-id="metric" data-type="numeric" data-width="5%">{{ lang._('Metric') }}</th>
+        <th data-column-id="locprf" data-type="numeric" data-width="5%">{{ lang._('LocPrf') }}</th>
+        <th data-column-id="weight" data-type="numeric" data-width="6%">{{ lang._('Weight') }}</th>
+        <th data-column-id="path" data-type="string" data-width="16%">{{ lang._('Path') }}</th>
+        <th data-column-id="origin" data-type="string" data-width="10%">{{ lang._('Origin') }}</th>
       </tr>
     </thead>
     <tbody>
@@ -70,23 +72,15 @@ POSSIBILITY OF SUCH DAMAGE.
         <% _.forEach(route_array, function(route) { %>
           <% _.forEach(route['nexthops'], function(nexthop) { %>
             <tr>
-              <td>
-                <% if(typeof(route['valid']) != "undefined" && route['valid']) { %>
-                  <abbr title="{{ lang._('Valid') }}">&ast;</abbr>
-                <% } %>
-                <% if(typeof(route['bestpath']) != "undefined" && route['bestpath']) { %>
-                  <abbr title="{{ lang._('Best') }}">&gt;</abbr>
-                <% } %>
-                <% if(typeof(route['pathFrom']) != "undefined" && route['pathFrom'] == 'internal') { %>
-                  <abbr title="{{ lang._('Internal') }}">i</abbr>
-                <% } %>
-              </td>
+              <td><%= (typeof(route['valid']) != "undefined" && route['valid']) %></td>
+              <td><%= (typeof(route['bestpath']) != "undefined" && route['bestpath']) %></td>
+              <td><%= (typeof(route['pathFrom']) != "undefined" && route['pathFrom'] == 'internal') %></td>
               <td><%= network %></td>
               <td><%= nexthop['ip'] %></td>
               <td><%= route['metric'] %></td>
               <td><%= route['locPrf'] %></td>
               <td><%= route['weight'] %></td>
-              <td><%= route['path'] %></td>
+              <td><%= (route['path'] == "" ? "{{ lang._('Internal') }}" : route['path']) %></td>
               <td><%= route['origin'] %></td>
             </tr>
           <% }); %>
@@ -98,22 +92,43 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <script type="text/javascript" src="/ui/js/quagga/lodash.js"></script>
 <script type="text/javascript">
+let dataconverters = {
+  boolean: {
+    from: function (value) { return (value == 'true') || (value == true); },
+    to: function (value) { return value; }
+  }
+}
+
+let dataformatters = {
+  boolean: function (column, row) {
+    if (row[column.id]) {
+        return "<span class=\"fa fa-check\" data-value=\"1\" data-row-id=\"" + row.uuid + "\"></span>";
+    } else {
+        return "<span class=\"fa fa-times\" data-value=\"0\" data-row-id=\"" + row.uuid + "\"></span>";
+    }
+  }
+}
+
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 
   ajaxCall(url="/api/quagga/diagnostics/bgpoverview", sendData={}, callback=function(data, status) {
-      let content = _.template($('#overviewtpl').html())(data['response']);
-      $('#overview').html(content);
-      content = _.template($('#routestpl').html())(data['response']);
-      $('#routing').html(content);
+    let content = _.template($('#overviewtpl').html())(data['response']);
+    $('#overview').html(content);
+    content = _.template($('#routestpl').html())(data['response']);
+    $('#routing').html(content);
+    $('#routing table').bootgrid({
+      converters: dataconverters,
+      formatters: dataformatters
+    });
   });
 
   ajaxCall(url="/api/quagga/diagnostics/bgpneighbors/plain", sendData={}, callback=function(data, status) {
-      $('#neighborscontent').text(data['response']);
+    $('#neighborscontent').text(data['response']);
   });
 
   ajaxCall(url="/api/quagga/diagnostics/bgpsummary/plain", sendData={}, callback=function(data, status) {
-      $("#summarycontent").text(data['response']);
+    $("#summarycontent").text(data['response']);
   });
 });
 </script>

From 41ec7749c6562a01da08f6fd11f820a0d16368aa Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 14 Dec 2020 21:50:13 +0100
Subject: [PATCH 0318/3088] BGP ipv6 support and clearer protocol distinction

---
 .../Quagga/Api/DiagnosticsController.php      |  23 +++-
 .../app/models/OPNsense/Quagga/Menu/Menu.xml  |   4 +-
 .../views/OPNsense/Quagga/diagnosticsbgp.volt |  39 +++----
 .../OPNsense/Quagga/diagnosticsgeneral.volt   |   9 +-
 .../conf/actions.d/actions_quagga.conf        | 104 +++++++++++++++---
 5 files changed, 130 insertions(+), 49 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index a4f3e358cb..f19af0e86b 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -55,7 +55,14 @@ public function generalrunningconfigAction(): array
 
     public function generalrouteAction($format = "json"): array
     {
-        return $this->getInformation("general", "route", $format);
+        $routes4 = $this->getInformation("general", "route4", $format)['response'];
+        $routes6 = $this->getInformation("general", "route6", $format)['response'];
+        return array("response" => ($format === "json" ? array("ipv4" => $routes4, "ipv6" => $routes6) : $routes4.$routes6));
+    }
+
+    public function generalroute4Action($format = "json"): array
+    {
+        return $this->getInformation("general", "route4", $format);
     }
 
     public function generalroute6Action($format = "json"): array
@@ -63,9 +70,19 @@ public function generalroute6Action($format = "json"): array
         return $this->getInformation("general", "route6", $format);
     }
 
-    public function bgpoverviewAction($format = "json"): array
+    public function bgprouteAction($format = "json"): array
+    {
+        return $this->getInformation("bgp", "route", $format);
+    }
+
+    public function bgproute4Action($format = "json"): array
+    {
+        return $this->getInformation("bgp", "route4", $format);
+    }
+
+    public function bgproute6Action($format = "json"): array
     {
-        return $this->getInformation("bgp", "overview", $format);
+        return $this->getInformation("bgp", "route6", $format);
     }
 
     public function bgpsummaryAction($format = "json"): array
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
index 03dca32ded..e294cc1151 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
@@ -5,12 +5,12 @@
     <OSPF VisibleName="OSPF" cssClass="fa fa-map fa-fw" url="/ui/quagga/ospf/index" order="20" />
     <OSPFv3 VisibleName="OSPFv3" cssClass="fa fa-map fa-fw" url="/ui/quagga/ospf6/index" order="25" />
     <!--<ISIS VisibleName="IS-IS" cssClass="fa fa-bolt fa-fw" url="/ui/quagga/isis/index" order="30" />-->
-    <BGP VisibleName="BGPv4" cssClass="fa fa-globe fa-fw" url="/ui/quagga/bgp/index" order="40" />
+    <BGP VisibleName="BGP" cssClass="fa fa-globe fa-fw" url="/ui/quagga/bgp/index" order="40" />
     <Diagnostics VisibleName="Diagnostics" cssClass="fa fa-medkit fa-fw" order="50">
       <General VisibleName="General" url="/ui/quagga/diagnostics/general" order="1" />
       <OSPF VisibleName="OSPF" url="/ui/quagga/diagnostics/ospf" order="20" />
       <OSPFv3 VisibleName="OSPFv3" url="/ui/quagga/diagnostics/ospfv3" order="25" />
-      <BGP VisibleName="BGPv4" url="/ui/quagga/diagnostics/bgp" order="40" />
+      <BGP VisibleName="BGP" url="/ui/quagga/diagnostics/bgp" order="40" />
       <LOG VisibleName="Log" url="/ui/diagnostics/log/routing/frr" order="100" />
     </Diagnostics>
   </Routing>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index 2f26a136f2..760745325f 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -34,24 +34,10 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <script type="text/x-template" id="overviewtpl">
   <h2>{{ lang._('General') }}</h2>
-  <table class="table table-striped">
-    <tbody>
-      <tr>
-        <td>{{ lang._('Table Version') }}</td>
-        <td><%= tableVersion %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Local Router ID') }}</td>
-        <td><%= routerId %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Local AS') }}</td>
-        <td><%= localAS %></td>
-      </tr>
-    </tbody>
-  </table>
+  
 </script>
 <script type="text/x-template" id="routestpl">
+  <h2>{{ lang._('Table Version') }}: <%= tableVersion %></h2>
   <table class="table table-striped">
     <thead>
       <tr>
@@ -112,9 +98,7 @@ let dataformatters = {
 $(document).ready(function() {
   updateServiceControlUI('quagga');
 
-  ajaxCall(url="/api/quagga/diagnostics/bgpoverview", sendData={}, callback=function(data, status) {
-    let content = _.template($('#overviewtpl').html())(data['response']);
-    $('#overview').html(content);
+  ajaxCall(url="/api/quagga/diagnostics/bgproute4", sendData={}, callback=function(data, status) {
     content = _.template($('#routestpl').html())(data['response']);
     $('#routing').html(content);
     $('#routing table').bootgrid({
@@ -123,6 +107,15 @@ $(document).ready(function() {
     });
   });
 
+  ajaxCall(url="/api/quagga/diagnostics/bgproute6", sendData={}, callback=function(data, status) {
+    content = _.template($('#routestpl').html())(data['response']);
+    $('#routing6').html(content);
+    $('#routing6 table').bootgrid({
+      converters: dataconverters,
+      formatters: dataformatters
+    });
+  });
+
   ajaxCall(url="/api/quagga/diagnostics/bgpneighbors/plain", sendData={}, callback=function(data, status) {
     $('#neighborscontent').text(data['response']);
   });
@@ -135,15 +128,15 @@ $(document).ready(function() {
 
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-  <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
-  <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
+  <li class="active"><a data-toggle="tab" href="#routing">IPv4 {{ lang._('Routing Table') }}</a></li>
+  <li><a data-toggle="tab" href="#routing6">IPv6 {{ lang._('Routing Table') }}</a></li>
   <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
   <li><a data-toggle="tab" href="#summary">{{ lang._('Summary') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
-  <div id="overview" class="tab-pane fade in active"></div>
-  <div id="routing" class="tab-pane fade in"></div>
+  <div id="routing" class="tab-pane fade in active"></div>
+  <div id="routing6" class="tab-pane fade in"></div>
   <div id="neighbors" class="tab-pane fade in">
     <pre id="neighborscontent"></pre>
   </div>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
index d14a398ebe..16c1470190 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
@@ -103,17 +103,15 @@ $(document).ready(function() {
 
   ajaxCall(url="/api/quagga/diagnostics/generalroute", sendData={}, callback=function(data, status) {
     let content = _.template($('#routestpl').html())({
-      routes: data['response']
+      routes: data['response']['ipv4']
     });
     $('#routing').html(content);
     $('#routing table').bootgrid({
       converters: dataconverters,
       formatters: dataformatters
     });
-  });
-  ajaxCall(url="/api/quagga/diagnostics/generalroute6", sendData={}, callback=function(data, status) {
-    let content = _.template($('#routestpl').html())({
-      routes: data['response']
+    content = _.template($('#routestpl').html())({
+      routes: data['response']['ipv6']
     });
     $('#routing6').html(content);
     $('#routing6 table').bootgrid({
@@ -121,6 +119,7 @@ $(document).ready(function() {
       formatters: dataformatters
     });
   });
+
   ajaxCall(url="/api/quagga/diagnostics/generalrunningconfig", sendData={}, callback=function(data, status) {
       $("#runningconfig").text(data['response']);
   });
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 9875177dad..6b74fe1abf 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -28,13 +28,13 @@ parameters:
 type:script_output
 message:FRR diagnosticts "show running-config"
 
-[diagnostics.general_route]
+[diagnostics.general_route4]
 command:/usr/local/bin/vtysh -c "show ip route"
 parameters:
 type:script_output
 message:FRR diagnosticts "show ip route"
 
-[diagnostics.general_route_json]
+[diagnostics.general_route4_json]
 command:/usr/local/bin/vtysh -c "show ip route json"
 parameters:
 type:script_output
@@ -52,41 +52,113 @@ parameters:
 type:script_output
 message:FRR diagnosticts "show ipv6 route json"
 
-[diagnostics.bgp_overview]
-command:/usr/local/bin/vtysh -c "show ip bgp"
+[diagnostics.bgp_route]
+command:exit 1
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp all" (not implemented)
+
+[diagnostics.bgp_route_json]
+command:/usr/local/bin/vtysh -c "show bgp all json"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp all json" (not implemented)
+
+[diagnostics.bgp_route4]
+command:/usr/local/bin/vtysh -c "show bgp ipv4"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp ipv4"
+
+[diagnostics.bgp_route4_json]
+command:/usr/local/bin/vtysh -c "show bgp ipv4 json"
 parameters:
 type:script_output
-message:FRR diagnostics "show ip bgp"
+message:FRR diagnostics "show bgp ipv4 json"
 
-[diagnostics.bgp_overview_json]
-command:/usr/local/bin/vtysh -c "show ip bgp json"
+[diagnostics.bgp_route6]
+command:/usr/local/bin/vtysh -c "show bgp ipv6"
 parameters:
 type:script_output
-message:FRR diagnostics "show ip bgp json"
+message:FRR diagnostics "show bgp ipv6"
+
+[diagnostics.bgp_route6_json]
+command:/usr/local/bin/vtysh -c "show bgp ipv6 json"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp ipv6 json"
 
 [diagnostics.bgp_summary]
-command:/usr/local/bin/vtysh -c "show ip bgp summary"
+command:/usr/local/bin/vtysh -c "show bgp summary"
 parameters:
 type:script_output
-message:FRR diagnostics "show ip bgp summary"
+message:FRR diagnostics "show bgp summary"
 
 [diagnostics.bgp_summary_json]
-command:/usr/local/bin/vtysh -c "show ip bgp summary json"
+command:/usr/local/bin/vtysh -c "show bgp summary json"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp summary json"
+
+[diagnostics.bgp_summary4]
+command:/usr/local/bin/vtysh -c "show bgp ipv4 summary"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp ipv4 summary"
+
+[diagnostics.bgp_summary4_json]
+command:/usr/local/bin/vtysh -c "show bgp ipv4 summary json"
 parameters:
 type:script_output
-message:FRR diagnostics "show ip bgp summary json"
+message:FRR diagnostics "show bgp ipv4 summary json"
+
+[diagnostics.bgp_summary6]
+command:/usr/local/bin/vtysh -c "show bgp ipv6 summary"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp ipv6 summary"
+
+[diagnostics.bgp_summary6_json]
+command:/usr/local/bin/vtysh -c "show bgp ipv6 summary json"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp ipv6 summary json"
 
 [diagnostics.bgp_neighbors]
-command:/usr/local/bin/vtysh -c "show ip bgp neighbors"
+command:/usr/local/bin/vtysh -c "show bgp neighbors"
 parameters:
 type:script_output
-message:FRR diagnostics "show ip bgp neighbors"
+message:FRR diagnostics "show bgp neighbors"
 
 [diagnostics.bgp_neighbors_json]
-command:/usr/local/bin/vtysh -c "show ip bgp neighbors json"
+command:/usr/local/bin/vtysh -c "show bgp neighbors json"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp neighbors json"
+
+[diagnostics.bgp_neighbors4]
+command:/usr/local/bin/vtysh -c "show bgp ipv4 neighbors"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp ipv4 neighbors"
+
+[diagnostics.bgp_neighbors4_json]
+command:/usr/local/bin/vtysh -c "show bgp ipv4 neighbors json"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp ipv4 neighbors json"
+
+[diagnostics.bgp_neighbors6]
+command:/usr/local/bin/vtysh -c "show bgp ipv6 neighbors"
+parameters:
+type:script_output
+message:FRR diagnostics "show bgp ipv6 neighbors"
+
+[diagnostics.bgp_neighbors6_json]
+command:/usr/local/bin/vtysh -c "show bgp ipv6 neighbors json"
 parameters:
 type:script_output
-message:FRR diagnostics "show ip bgp neighbors json"
+message:FRR diagnostics "show bgp ipv6 neighbors json"
 
 [diagnostics.ospf_overview]
 command:/usr/local/bin/vtysh -c "show ip ospf"

From 1b54b19c3dda14234b780b5f6bc939f4f34e0551 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 14 Dec 2020 22:17:23 +0100
Subject: [PATCH 0319/3088] add bgp origin formatter

---
 .../mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt        | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index 760745325f..1bd81d7aa9 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -50,7 +50,7 @@ POSSIBILITY OF SUCH DAMAGE.
         <th data-column-id="locprf" data-type="numeric" data-width="5%">{{ lang._('LocPrf') }}</th>
         <th data-column-id="weight" data-type="numeric" data-width="6%">{{ lang._('Weight') }}</th>
         <th data-column-id="path" data-type="string" data-width="16%">{{ lang._('Path') }}</th>
-        <th data-column-id="origin" data-type="string" data-width="10%">{{ lang._('Origin') }}</th>
+        <th data-column-id="origin" data-type="string" data-formatter="origin" data-width="10%">{{ lang._('Origin') }}</th>
       </tr>
     </thead>
     <tbody>
@@ -92,6 +92,9 @@ let dataformatters = {
     } else {
         return "<span class=\"fa fa-times\" data-value=\"0\" data-row-id=\"" + row.uuid + "\"></span>";
     }
+  },
+  origin: function(column, row) {
+    return (row[column.id] === 'incomplete' ? '<abbr title="{{ lang._('Incomplete') }}">&quest;</abbr>' : row[column.id]);
   }
 }
 

From 32323d34b46223d4ceadbe1b61618e5bfa48d855 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 15 Dec 2020 09:20:16 +0100
Subject: [PATCH 0320/3088] net/freeradius: Fix DHCP support (#2135)

---
 net/freeradius/Makefile                       |  2 +-
 net/freeradius/pkg-descr                      |  4 +++
 .../templates/OPNsense/Freeradius/+TARGETS    |  1 +
 .../Freeradius/mods-enabled-dhcp_sqlippool    |  6 ++--
 .../OPNsense/Freeradius/mods-enabled-mac2ip   | 29 +++++++++++++++++++
 5 files changed, 38 insertions(+), 4 deletions(-)
 create mode 100644 net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-mac2ip

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index ca1e699b54..a473a81ae9 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.8
+PLUGIN_VERSION=		1.9.9
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 3c64880be9..994b2632de 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.9
+
+* Fix DHCP support
+
 1.9.8
 
 * Add support for checking TLS certificate names
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
index 4de8793c1a..815e084f25 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
@@ -5,6 +5,7 @@ mods-enabled-counter:/usr/local/etc/raddb/mods-enabled/counter
 mods-enabled-dhcp_sqlippool:/usr/local/etc/raddb/mods-enabled/dhcp_sqlippool
 mods-enabled-eap:/usr/local/etc/raddb/mods-enabled/eap
 mods-enabled-ldap:/usr/local/etc/raddb/mods-enabled/ldap
+mods-enabled-mac2ip:/usr/local/etc/raddb/mods-enabled/mac2ip
 mods-enabled-sql:/usr/local/etc/raddb/mods-enabled/sql
 mods-enabled-sqlippool:/usr/local/etc/raddb/mods-enabled/sqlippool
 queries.conf:/usr/local/etc/raddb/mods-config/sql/main/sqlite/queries.conf
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-dhcp_sqlippool b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-dhcp_sqlippool
index de614dcf2c..d3313e0a3a 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-dhcp_sqlippool
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-dhcp_sqlippool
@@ -24,13 +24,13 @@ sqlippool dhcp_sqlippool {
 
         sqlippool_log_exists = "DHCP: Existing IP: %{reply:Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
 
-        sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+        sqlippool_log_success = "DHCP: Allocated IP: %{reply:Framed-IP-Address} from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
 
         sqlippool_log_clear = "DHCP: Released IP %{Framed-IP-Address} (did %{Called-Station-Id} cli %{Calling-Station-Id} user %{User-Name})"
 
-        sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:${..pool_name}} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+        sqlippool_log_failed = "DHCP: IP Allocation FAILED from %{control:Pool-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
 
-        sqlippool_log_nopool = "DHCP: No ${..pool_name} defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
+        sqlippool_log_nopool = "DHCP: No Pool-Name defined (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} user %{User-Name})"
 
 }
 
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-mac2ip b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-mac2ip
new file mode 100644
index 0000000000..de2620bb7f
--- /dev/null
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-mac2ip
@@ -0,0 +1,29 @@
+{% if helpers.exists('OPNsense.freeradius.general.dhcpenabled') and OPNsense.freeradius.general.dhcpenabled == '1' %}
+
+# -*- text -*-
+#
+#  $Id: a4ead1d64e8220344b483718ece4712bef5e9e36 $
+
+######################################################################
+#
+#  This next section is a sample configuration for the "passwd"
+#  module, that reads flat-text files.
+#
+#  The file is in the format <mac>,<ip>
+#
+#       00:01:02:03:04:05,192.0.2.100
+#       01:01:02:03:04:05,192.0.2.101
+#       02:01:02:03:04:05,192.0.2.102
+#
+#  This lets you perform simple static IP assignments from a flat-text
+#  file.  You will have to define lease times yourself.
+#
+######################################################################
+
+passwd mac2ip {
+        filename = ${modconfdir}/${.:name}/${.:instance}
+        format = "*DHCP-Client-Hardware-Address:=DHCP-Your-IP-Address"
+        delimiter = ","
+}
+
+{% endif %}

From c63c8605600347ddeb44d862323e71138cc1c8f9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Dec 2020 09:27:04 +0100
Subject: [PATCH 0321/3088] net/freeradius: update changelog

---
 net/freeradius/pkg-descr | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 994b2632de..76ee5794f7 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -17,6 +17,8 @@ Plugin Changelog
 
 1.9.9
 
+* Create option to set EAP-TTLS-GTC (contributed by Kjeld Schouten-Lebbing)
+* Add LDAP reply Mikrotik-Wireless-VLANID and Mikrotik-Wireless-VLANID-type (contributed by foxikmax)
 * Fix DHCP support
 
 1.9.8

From 4c7138d9d40ef4bfd467741901e5cf2006940d70 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 16 Dec 2020 00:32:46 +0100
Subject: [PATCH 0322/3088] dns/bind: add support for transfer-source[-v6]

---
 .../controllers/OPNsense/Bind/forms/general.xml    | 14 ++++++++++++++
 .../mvc/app/models/OPNsense/Bind/General.xml       | 10 ++++++++++
 .../service/templates/OPNsense/Bind/named.conf     |  8 ++++++++
 3 files changed, 32 insertions(+)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 6b52705ab9..bd3bcc9519 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -33,6 +33,20 @@
         <type>text</type>
         <help>Set the port the service should listen to.</help>
     </field>
+    <field>
+        <id>general.transfersource</id>
+        <label>Transfer Source IP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>This determines which local address is bound to IPv4 TCP connections used to fetch zones transferred inbound by the server.</help>
+    </field>
+    <field>
+        <id>general.transfersourcev6</id>
+        <label>Transfer Source IPv6</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>This determines which local address is bound to IPv6 TCP connections used to fetch zones transferred inbound by the server.</help>
+    </field>
     <field>
         <id>general.forwarders</id>
         <label>DNS Forwarders</label>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 2411472f18..1d0dc3c7f0 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -27,6 +27,16 @@
             <Required>Y</Required>
             <asList>Y</asList>
         </listenv6>
+        <transfersource type="NetworkField">
+            <Required>N</Required>
+            <AddressFamily>ipv4</AddressFamily>
+            <NetMaskAllowed>N</NetMaskAllowed>
+        </transfersource>
+        <transfersourcev6 type="NetworkField">
+            <Required>N</Required>
+            <AddressFamily>ipv6</AddressFamily>
+            <NetMaskAllowed>N</NetMaskAllowed>
+        </transfersourcev6>
         <port type="PortField">
             <default>53530</default>
             <Required>Y</Required>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 1a8de537af..72acb13531 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -22,6 +22,14 @@ options {
         listen-on-v6 port {{ OPNsense.bind.general.port }} { {{ OPNsense.bind.general.listenv6.replace(',', '; ') }}; };
 {% endif %}{% endif %}
 
+{% if helpers.exists('OPNsense.bind.general.transfersource') and OPNsense.bind.general.transfersource != '' %}
+        transfer-source {{ OPNsense.bind.general.transfersource }};
+{% endif -%}
+
+{% if helpers.exists('OPNsense.bind.general.transfersourcev6') and OPNsense.bind.general.transfersourcev6 != '' %}
+        transfer-source-v6 {{ OPNsense.bind.general.transfersourcev6 }};
+{% endif -%}
+
 {% if helpers.exists('OPNsense.bind.general.forwarders') and OPNsense.bind.general.forwarders != '' %}
         forwarders    { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
 {% endif %}

From 9e54cff47c46f1b3cafaaea596c1c079be4884e6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 16 Dec 2020 00:36:52 +0100
Subject: [PATCH 0323/3088] dns/bind: cleanup: simplify if-rule, fix indention

---
 .../service/templates/OPNsense/Bind/named.conf         | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 72acb13531..7196cf2c24 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -15,12 +15,12 @@ options {
         dump-file       "/var/dump/named_dump.db";
         statistics-file "/var/stats/named.stats";
 
-{% if helpers.exists('OPNsense.bind.general.listenv4') and OPNsense.bind.general.listenv4 != '' %} {% if helpers.exists('OPNsense.bind.general.port') and OPNsense.bind.general.port != '' %}
+{% if helpers.exists('OPNsense.bind.general.listenv4') and OPNsense.bind.general.listenv4 != '' and helpers.exists('OPNsense.bind.general.port') and OPNsense.bind.general.port != '' %}
         listen-on port {{ OPNsense.bind.general.port }} { {{ OPNsense.bind.general.listenv4.replace(',', '; ') }}; };
-{% endif %}{% endif %}
-{% if helpers.exists('OPNsense.bind.general.listenv6') and OPNsense.bind.general.listenv6 != '' %} {% if helpers.exists('OPNsense.bind.general.port') and OPNsense.bind.general.port != '' %}
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.listenv6') and OPNsense.bind.general.listenv6 != '' and helpers.exists('OPNsense.bind.general.port') and OPNsense.bind.general.port != '' %}
         listen-on-v6 port {{ OPNsense.bind.general.port }} { {{ OPNsense.bind.general.listenv6.replace(',', '; ') }}; };
-{% endif %}{% endif %}
+{% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.transfersource') and OPNsense.bind.general.transfersource != '' %}
         transfer-source {{ OPNsense.bind.general.transfersource }};
@@ -32,7 +32,7 @@ options {
 
 {% if helpers.exists('OPNsense.bind.general.forwarders') and OPNsense.bind.general.forwarders != '' %}
         forwarders    { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
-{% endif %}
+{% endif -%}
 
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
         response-policy { {% if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}zone "whitelist.localdomain"; zone "blacklist.localdomain";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}zone "rpzgoogle";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}zone "rpzduckduckgo";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}zone "rpzyoutube";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}zone "rpzbing";{% endif %} };

From d263cbcbeef29a1a1158804ca22d7ef84d710626 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 16 Dec 2020 00:37:11 +0100
Subject: [PATCH 0324/3088] dns/bind: bump version

---
 dns/bind/Makefile  | 2 +-
 dns/bind/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 48b788c2ae..0407be82f6 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.14
+PLUGIN_VERSION=		1.15
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 4c59d1e865..02fed8ac08 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.15
+
+* Add support for "Transfer Source [IP|IPv6]" options
+
 1.14
 
 * Reject built-in ACL names

From 3e8dedaedc66b59b66f060cb04b686c271d5f9ff Mon Sep 17 00:00:00 2001
From: Manuel <8191@users.noreply.github.com>
Date: Wed, 16 Dec 2020 20:17:04 +0100
Subject: [PATCH 0325/3088] Nginx: bugfixes and minor improvements (#1987)

---
 www/nginx/Makefile                            |  2 +-
 www/nginx/pkg-descr                           |  5 +++
 .../Nginx/forms/naxsi_custom_policy.xml       |  1 +
 .../OPNsense/Nginx/forms/naxsi_rule.xml       | 40 ++++++++++++-------
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   |  9 ++---
 .../scripts/nginx/naxsi_rule_download.php     | 11 ++++-
 .../templates/OPNsense/Nginx/location.conf    |  1 +
 .../templates/OPNsense/Nginx/naxsirule.conf   |  3 ++
 8 files changed, 50 insertions(+), 22 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index ae386bc6cb..9300bbe93c 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.19
+PLUGIN_VERSION=		1.20
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 71fe052e54..7940a98286 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -8,6 +8,11 @@ reuse, SSL offload and HTTP media streaming.
 Plugin Changelog
 ================
 
+1.20
+
+* User interface improvements of NAXSI configuration (contributed by 8191)
+* Fixed missing certificate validation of upstreams (contributed by 8191)
+
 1.19
 
 * Add possibility to configure SNI proxying.
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml
index 26f6fe0260..af72115bcd 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml
@@ -15,6 +15,7 @@
         <id>custompolicy.value</id>
         <type>text</type>
         <label>Value</label>
+        <help>If the sum of scores of all matching rules exceed the configured value the policy's action will get triggered.</help>
     </field>
     <field>
         <id>custompolicy.operator</id>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
index cdaec08a48..6a8232fc00 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
@@ -8,6 +8,7 @@
         <id>naxsi_rule.message</id>
         <label>Message</label>
         <type>text</type>
+        <help>A string describing the pattern. This is mostly used for analyzing and to have some human-understandable text.</help>
     </field>
     <field>
         <id>naxsi_rule.negate</id>
@@ -19,6 +20,7 @@
         <id>naxsi_rule.identifier</id>
         <label>ID</label>
         <type>text</type>
+       <help>The unique numerical ID of the rule, that will be used in logs and in whitelists. IDs inferior to 1000 are reserved for Naxsi internal rules (protocol mismatch etc.)</help>
     </field>
     <field>
         <id>naxsi_rule.ruletype</id>
@@ -29,6 +31,7 @@
         <id>naxsi_rule.regex</id>
         <label>Use Regular Expressions</label>
         <type>checkbox</type>
+       <help>If enabled, the match value, the URL, named parameters and headers are matched using regular expressions; otherwise only exact matches trigger the rule.</help>
     </field>
     <field>
         <id>naxsi_rule.match_value</id>
@@ -43,68 +46,75 @@
     </field>
     <field>
         <id>naxsi_rule.args</id>
-        <label>Arguments</label>
+        <label>Search in any GET Argument</label>
         <type>checkbox</type>
+       <help>Search for matchs in a request's GET arguments.</help>
     </field>
     <field>
         <id>naxsi_rule.url</id>
-        <label>URL</label>
+        <label>Search in URL</label>
         <type>checkbox</type>
+        <help>Search for matchs in a request's URL (everything before ?).</help>
     </field>
     <field>
         <id>naxsi_rule.headers</id>
-        <label>Headers</label>
+        <label>Search in any HTTP Header</label>
         <type>checkbox</type>
+       <help>Search for matchs in a request's HTTP headers.</help>
     </field>
     <field>
         <id>naxsi_rule.body</id>
-        <label>Body</label>
+        <label>Search in any POST Argument and in Body</label>
         <type>checkbox</type>
+        <help>Search for matchs in a request's POST arguments and its raw (unparsed) body.</help>
     </field>
     <field>
         <id>naxsi_rule.name</id>
-        <label>Name</label>
+        <label>Match Name Instead of Value</label>
         <type>checkbox</type>
         <help>Check this box to match the variable name and not its content when matching any of the above checkboxes.</help>
     </field>
     <field>
         <id>naxsi_rule.file_extension</id>
-        <label>File Extension</label>
+        <label>Search in Filename</label>
         <type>checkbox</type>
+        <help>Search for matchs in a multipart POST request's filenames.</help>
     </field>
     <field>
         <id>naxsi_rule.raw_body</id>
-        <label>Raw Body</label>
+        <label>Search in Raw Body</label>
         <type>checkbox</type>
+        <help>Search for matchs in a request's raw unparsed body.</help>
     </field>
     <field>
         <id>naxsi_rule.dollar_url</id>
-        <label>URL or URL Pattern</label>
+        <label>Restrict to URL</label>
         <type>text</type>
-        <help>Enter the name of a parameter to match.</help>
+        <help>Restrict match to a specific URL (supports regular expressions if enabled for this rule).</help>
     </field>
     <field>
         <id>naxsi_rule.dollar_args_var</id>
-        <label>Named Argument</label>
+        <label>Search in specific GET Argument</label>
         <type>text</type>
-        <help>Enter the name of a parameter to match.</help>
+        <help>Enter the name of a GET parameter to restrict matches to (supports regular expressions if enabled for this rule).</help>
     </field>
     <field>
         <id>naxsi_rule.dollar_body_var</id>
-        <label>Named Body Variable</label>
+        <label>Search in specific POST Argument</label>
         <type>text</type>
-        <help>Enter the name of a variable in the HTTP body to match.</help>
+        <help>Enter the name of a POST parameter to restrict matches to (supports regular expressions if enabled for this rule).</help>
     </field>
     <field>
         <id>naxsi_rule.dollar_headers_var</id>
-        <label>Named Header</label>
+        <label>Search in specific HTTP Header</label>
         <type>text</type>
-        <help>Enter the name of an HTTP header to match.</help>
+        <help>Enter the name of a HTTP header to restrict matches to (supports regular expressions if enabled for this rule).</help>
     </field>
     <field>
         <id>naxsi_rule.score</id>
         <label>Score</label>
         <type>text</type>
+        <help>If the rule matches the counter of each policy containing the rule will increase. If a policy's counter exceeds the configured "value" (to be configured at the policy) the policy's action gets triggered.</help>
     </field>
 
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index f81fbcdcf6..7744d01ff6 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.19.0</version>
+  <version>1.20.0</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -534,10 +534,6 @@
         <Required>Y</Required>
         <minValue>1000</minValue>
       </identifier>
-      <url type="TextField">
-        <Required>N</Required>
-        <pattern>/^[^"]+$/</pattern>
-      </url>
       <dollar_url type="TextField">
         <Required>N</Required>
         <pattern>/^[^"]+$/</pattern>
@@ -590,6 +586,9 @@
       <headers type="BooleanField">
         <Required>Y</Required>
       </headers>
+      <body type="BooleanField">
+        <Required>Y</Required>
+      </body>
       <dollar_args_var type="TextField">
         <pattern>/^[^"]+$/</pattern>
       </dollar_args_var>
diff --git a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
index 4840150f32..3eca0a62e0 100755
--- a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
+++ b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
@@ -70,7 +70,7 @@ function parse_rules($data)
 {
     $parsed = [];
     $tmp = null;
-    $description = array('rule', 'match_type', 'match', 'message', 'match_zone', 'variable', 'value', 'id');
+    $description = array('rule', 'match_type', 'match', 'message', 'match_zone', 'variable', 'score', 'id');
 
     foreach ($data as $line) {
         $line = trim($line);
@@ -113,9 +113,12 @@ function save_to_model($data)
             $rule_mdl->args = '0';
             $rule_mdl->headers = '0';
             $rule_mdl->name = '0';
+            $rule_mdl->body = '0';
+            $rule_mdl->url = '0';
             $rule_mdl->raw_body = '0';
             $rule_mdl->file_extension = '0';
             $rule_mdl->negate = '0';
+            $rule_mdl->score = $rule['score'];
             foreach ($rule['match_zone'] as $match_zone) {
                 if (stripos($match_zone, ':') === false) {
                     switch ($match_zone) {
@@ -128,6 +131,12 @@ function save_to_model($data)
                         case 'NAME':
                             $rule_mdl->name = '1';
                             break;
+                        case 'BODY':
+                            $rule_mdl->body = '1';
+                            break;
+                        case 'URL':
+                            $rule_mdl->url = '1';
+                            break;
                         case 'RAW_BODY':
                             $rule_mdl->raw_body = '1';
                             break;
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index b4482c5370..006a1b30d7 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -193,6 +193,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {%     else %}
     proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
 {%     endif %}
+    proxy_ssl_verify {% if upstream.tls_verify == '1' %}on{% else %}off{% endif %};
 {%     if upstream.tls_verify_depth is defined and upstream.tls_verify_depth != '' %}
     proxy_ssl_verify_depth {{ upstream.tls_verify_depth }};
 {%     endif %}
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
index 709283813f..a3410bc3d9 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
@@ -4,6 +4,9 @@
 {%   if mz_helper_rule.regex is defined and mz_helper_rule.regex == '1' %}
 {%     set rx_suffix = '_X' %}
 {%   endif %}
+{%   if mz_helper_rule.body == '1' %}
+{%     do mz_matches.append('BODY')  %}
+{%   endif %}
 {%   if mz_helper_rule.args == '1' %}
 {%     do mz_matches.append('ARGS')  %}
 {%   endif %}

From 223c698dd104bc5c71e79b2bc3fbb2c39e44a270 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Wed, 16 Dec 2020 20:27:32 +0100
Subject: [PATCH 0326/3088] wip python parser

---
 .../scripts/frr/legacy-diagnostics.py         | 225 ++++++++++++++++++
 .../conf/actions.d/actions_quagga.conf        |  24 +-
 2 files changed, 237 insertions(+), 12 deletions(-)
 create mode 100644 net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
new file mode 100644
index 0000000000..3056bccef3
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -0,0 +1,225 @@
+#!/usr/local/bin/python3
+
+import argparse
+from enum import Enum
+import ujson
+import re
+from typing import List,Dict
+from lib import VtySH
+
+class FRRTableReader:
+  def __init__(self, titles: List[str]=[]):
+    self.titles = titles
+
+  def read_header(self, line: str, start_without_title: bool=False, start_without_title_name: str='status'):
+    # we're going to create a list of columns. each entry contains title, start index and end index for easy parsing
+    self.columns = []
+
+    # the first column's title may sometimes be empty in FRR's output. we'll have to give it a name though
+    if start_without_title:
+      self.columns.append({
+        'title': start_without_title_name,
+        'start_index': 0,
+        'end_index': None
+      })
+
+    # fill the list with subsequent columns
+    for title in self.titles:
+      try:
+        # find the start index of the current title in the header
+        start_index = line.index(title)
+      except ValueError:
+        # just skip the column if it can't be found
+        continue
+
+      # last column's end index is this column's start index
+      if self.columns:
+        self.columns[-1]['end_index'] = start_index
+
+      # add the current column to the list
+      self.columns.append({
+        'title': title,
+        'start_index': start_index,
+        'end_index': None
+      })
+    
+  def read_line(self, line: str) -> List[Dict[str, str]]:
+    # parsing is relatively straightforward
+    result = {}
+
+    # sanity check: the line has to be long enough to contain all columns,
+    # so its length must be greater than the last column's start index
+    if len(line) > self.columns[-1]['start_index']:
+      for column in self.columns:
+        # use the column's name as dict key and just extract the data from start to end index
+        result[column['title']] = line[column['start_index']:column['end_index']].strip()
+
+    return result
+
+class DaemonError(Exception):
+  pass
+
+class Daemon:
+  def __init__(self, vtysh: VtySH):
+    self.vtysh = vtysh
+
+  def _show(self, suffix: str):
+    # execute the command and filter out empty lines so subsequent iterations don't have to  deal with them
+    return list(filter(None,vtysh.execute(command='show ' + suffix, translate=bytes.decode).split('\n')))
+
+class OSPF(Daemon):
+  RE_ROUTER = r'OSPF Router with ID \(([\.\d]+)\)'
+  RE_ROUTERLINKSTATES = r'Router Link States \(Area ([\.\d]+)\)'
+  RE_NETLINKSTATES = r'Net Link States \(Area ([\.\d]+)\)'
+  RE_SUMMARYLINKSTATES = r'Summary Link States \(Area ([\.\d]+)\)'
+  EXTERNALLINKSTATES = 'AS External Link States'
+
+  def _show(self, suffix: str):
+    return super()._show('ip ospf ' + suffix)
+
+  def database(self):
+    db = {}
+    # table reader for Route Link States
+    rltr = FRRTableReader(titles=["Link ID", "ADV Router", "Age", "Seq#", "CkSum", "Link count"])
+    # table reader for Net Link States
+    nltr = FRRTableReader(titles=["Link ID", "ADV Router", "Age", "Seq#", "CkSum"])
+    # table reader for Summary Link States
+    sltr = FRRTableReader(titles=["Link ID", "ADV Router", "Age", "Seq#", "CkSum", "Route\n"])
+    # table reader for AS External Link States (columns are identical to Summary Link States)
+    eltr = sltr
+
+    # get the FRR output
+    lines = self._show('database')
+
+    # placeholder for the active table reader for the coming line
+    tr = None
+    # whether or not the header for the current section has already been parsed
+    header_parsed = False
+    # the current router
+    router = None
+    # the current area
+    area = None
+    # the current mode
+    mode = None
+
+    for line in lines:
+      if line.startswith(' '):
+        # this is a heading
+        heading = line.strip()
+        header_parsed = False
+
+        # this is going to be dirty
+        match = re.search(self.RE_ROUTER, heading)
+        if match:
+           router = match.group(1)
+           if not router in db:
+            db[router] = {}
+           mode = 'router'
+           continue
+        match = re.search(self.RE_ROUTERLINKSTATES, heading)
+        if match:
+          mode = 'router_link_state_area'
+          area = match.group(1)
+          if not mode in db[router]:
+            db[router][mode] = {}
+          if not area in db[router][mode]:
+            db[router][mode][area] = []
+          tr = rltr
+          continue
+        match = re.search(self.RE_NETLINKSTATES, heading)
+        if match:
+          mode = 'net_link_state_area'
+          area = match.group(1)
+          if not mode in db[router]:
+            db[router][mode] = {}
+          if not area in db[router][mode]:
+            db[router][mode][area] = []
+          tr = nltr
+          continue
+        match = re.search(self.RE_SUMMARYLINKSTATES, heading)
+        if match:
+          mode = 'summary_link_state_area'
+          area = match.group(1)
+          if not mode in db[router]:
+            db[router][mode] = {}
+          if not area in db[router][mode]:
+            db[router][mode][area] = []
+          tr = sltr
+          continue
+        if heading == self.EXTERNALLINKSTATES:
+          mode = 'external_states'
+          if not mode in db[router]:
+            db[router][mode] = []
+          tr = eltr
+          continue
+
+        # told you.
+        raise DaemonError('failed to parse heading: ' + heading)
+      else:
+        if not header_parsed:
+          if mode in ['summary_link_state_area', 'external_states']:
+            # workaround because "Route" matches on "Router" and breaks the offset parsing logic
+            # stay consistent with the previous script, add a trailing newline
+            line += '\n'
+          tr.read_header(line)
+          header_parsed = True
+        else:
+          if mode == 'router':
+            raise DaemonError('attempting to parse a table row but the mode is \'router\'. please debug the FRR output:\n\n\n'+lines)
+          if mode == 'external_states':
+            db[router][mode].append(tr.read_line(line))
+          else:
+            db[router][mode][area].append(tr.read_line(line))
+    
+    return db
+
+class OSPFv3(Daemon):
+  def _show(self, suffix: str):
+    return super()._show('ipv6 ospf6 ' + suffix)
+
+  def database(self):
+    return {}
+
+  def route(self):
+    return {}
+
+  def interface(self):
+    return {}
+
+  def neighbor(self):
+    return {}
+
+  def overview(self):
+    return {}
+
+# le script
+if __name__ == '__main__':
+  parser = argparse.ArgumentParser(description='Python port of the OPNsense FRR output parser.')
+  parser.add_argument('-d', '--ospf-database', help='Prints the OSPF Database', action='store_true')
+  parser.add_argument('-D', '--ospfv3-database', help='Prints the OSPFv3 Database', action='store_true')
+  parser.add_argument('-t', '--ospfv3-route', help='Prints the OSPFv3 routing table', action='store_true')
+  parser.add_argument('-I', '--ospfv3-interface', help='Prints OSPFv3 interface information', action='store_true')
+  parser.add_argument('-N', '--ospfv3-neighbor', help='Prints OSPFv3 neighbor information', action='store_true')
+  parser.add_argument('-O', '--ospfv3-overview', help='Prints an OSPFv3 Summary', action='store_true')
+  args = parser.parse_args()
+
+  # initialize VtySH and parser objects
+  vtysh = VtySH()
+  ospf = OSPF(vtysh)
+  ospfv3 = OSPFv3(vtysh)
+
+  result = {}
+  if args.ospf_database:
+    result['ospf_database'] = ospf.database()
+  elif args.ospfv3_database:
+    result['ospfv3_database'] = ospfv3.database()
+  elif args.ospfv3_route:
+    result['ospfv3_route'] = ospfv3.route()
+  elif args.ospfv3_interface:
+    result['ospfv3_interface'] = ospfv3.interface()
+  elif args.ospfv3_neighbor:
+    result['ospfv3_neighbors'] = ospfv3.neighbor()
+  elif args.ospfv3_overview:
+    result['ospfv3_overview'] = ospfv3.overview()
+
+  print(ujson.dumps(result))
\ No newline at end of file
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 6b74fe1abf..0544b9ab57 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -203,10 +203,10 @@ type:script_output
 message:FRR diagnostics "show ip ospf database"
 
 [diagnostics.ospf_database_json]
-command:exit 1
+command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospf-database
 parameters:
 type:script_output
-message:FRR diagnostics "show ip ospf database json" (not implemented)
+message:FRR diagnostics "show ip ospf database json"
 
 [diagnostics.ospf_interface]
 command:/usr/local/bin/vtysh -c "show ip ospf interface"
@@ -227,10 +227,10 @@ type:script_output
 message:FRR diagnostics "show ipv6 ospf6"
 
 [diagnostics.ospfv3_overview_json]
-command:exit 1
+command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-overview
 parameters:
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 json" (not implemented)
+message:FRR diagnostics "show ipv6 ospf6 json"
 
 [diagnostics.ospfv3_neighbor]
 command:/usr/local/bin/vtysh -c "show ipv6 ospf6 neighbor"
@@ -239,10 +239,10 @@ type:script_output
 message:FRR diagnostics "show ipv6 ospf6 neighbor"
 
 [diagnostics.ospfv3_neighbor_json]
-command:exit 1
+command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-neighbor
 parameters:
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 neighbor json" (not implemented)
+message:FRR diagnostics "show ipv6 ospf6 neighbor json"
 
 [diagnostics.ospfv3_route]
 command:/usr/local/bin/vtysh -c "show ipv6 ospf6 route"
@@ -251,10 +251,10 @@ type:script_output
 message:FRR diagnostics "show ipv6 ospf6 route"
 
 [diagnostics.ospfv3_route_json]
-command:exit 1
+command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-route
 parameters:
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 route json" (not implemented)
+message:FRR diagnostics "show ipv6 ospf6 route json"
 
 [diagnostics.ospfv3_database]
 command:/usr/local/bin/vtysh -c "show ipv6 ospf6 database"
@@ -263,10 +263,10 @@ type:script_output
 message:FRR diagnostics "show ipv6 ospf6 database"
 
 [diagnostics.ospfv3_database_json]
-command:exit 1
+command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-database
 parameters:
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 database json" (not implemented)
+message:FRR diagnostics "show ipv6 ospf6 database json"
 
 [diagnostics.ospfv3_interface]
 command:/usr/local/bin/vtysh -c "show ipv6 ospf6 interface"
@@ -275,7 +275,7 @@ type:script_output
 message:FRR diagnostics "show ipv6 ospf6 interface"
 
 [diagnostics.ospfv3_interface_json]
-command:exit 1
+command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-interface
 parameters:
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 interface json" (not implemented)
+message:FRR diagnostics "show ipv6 ospf6 interface json"

From 4cc189d19a34870b27424f53a04295f346938afc Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Wed, 16 Dec 2020 20:32:46 +0100
Subject: [PATCH 0327/3088] re-enable database table seems buggy in a few
 instances, needs rework

---
 .../app/views/OPNsense/Quagga/diagnosticsospf.volt  | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
index b27fc4a7fa..5b446b5338 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
@@ -180,7 +180,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <% }); %>
   <% } %>
 </script>
-<!--<script type="text/x-template" id="databasetpl">
+<script type="text/x-template" id="databasetpl">
 <% _.each(_.keys(ospf_database), function(router_id) { %>
   <h1>{{ lang._('Router ID:')}} <%= router_id %></h1>
   <hr />
@@ -264,7 +264,7 @@ POSSIBILITY OF SUCH DAMAGE.
     </tbody>
   </table>
 <% }); %>
-</script>-->
+</script>
 <script type="text/x-template" id="routestpl">
   <table class="table table-striped">
   <thead>
@@ -430,8 +430,9 @@ $(document).ready(function() {
     let content = _.template($('#overviewtpl').html())(data['response']);
     $('#overview').html(content);
   });
-  ajaxCall(url="/api/quagga/diagnostics/ospfdatabase/plain", sendData={}, callback=function(data, status) {
-    $('#databasecontent').text(data['response']);
+  ajaxCall(url="/api/quagga/diagnostics/ospfdatabase", sendData={}, callback=function(data, status) {
+    let content = _.template($('#databasetpl').html())(data['response']);
+    $('#database').html(content);
   });
   ajaxCall(url="/api/quagga/diagnostics/ospfroute", sendData={}, callback=function(data, status) {
     let content = _.template($('#routestpl').html())({
@@ -468,9 +469,7 @@ $(document).ready(function() {
 <div class="tab-content content-box tab-content">
   <div id="overview" class="tab-pane fade in active"></div>
   <div id="routing" class="tab-pane fade in"></div>
-  <div id="database" class="tab-pane fade in">
-    <pre id="databasecontent"></pre>
-  </div>
+  <div id="database" class="tab-pane fade in"></div>
   <div id="neighbor" class="tab-pane fade in"></div>
   <div id="interface" class="tab-pane fade in"></div>
 </div>

From fd216479f7c773980b781f782a2462e992d26529 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Wed, 16 Dec 2020 21:13:41 +0100
Subject: [PATCH 0328/3088] strip colum title in table reader output

---
 net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index 3056bccef3..f3ca574b91 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -52,7 +52,7 @@ def read_line(self, line: str) -> List[Dict[str, str]]:
     if len(line) > self.columns[-1]['start_index']:
       for column in self.columns:
         # use the column's name as dict key and just extract the data from start to end index
-        result[column['title']] = line[column['start_index']:column['end_index']].strip()
+        result[column['title'].strip()] = line[column['start_index']:column['end_index']].strip()
 
     return result
 

From 117104e4c2f27537f8cb3ec99847fc1872f8c8dd Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Wed, 16 Dec 2020 22:15:29 +0100
Subject: [PATCH 0329/3088] OSPFv3 neighbor and route

---
 .../scripts/frr/legacy-diagnostics.py         | 30 +++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index f3ca574b91..7dd5dacf86 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -181,13 +181,39 @@ def database(self):
     return {}
 
   def route(self):
-    return {}
+    route = []
+    lines = self._show('route')
+
+    for line in lines:
+      columns = re.split(r'\s+', line.strip())
+      route.append({
+        'f1': columns[0],
+        'f2': columns[1],
+        'network': columns[2],
+        'gateway': columns[3],
+        'interface': columns[4],
+        'time': columns[5],
+      })
+
+    return route
 
   def interface(self):
     return {}
 
   def neighbor(self):
-    return {}
+    neighbors = []
+    lines = self._show('neighbor')
+
+    tr = FRRTableReader(titles=['Neighbor ID','Pri', 'DeadTime', r'State/IfState', r'Duration I/F[State]'])
+    ll = lines.pop(0)
+    tr.read_header(ll)
+
+    for line in lines:
+      neighbor = tr.read_line(line)
+      neighbor['Pri'] = int(neighbor['Pri'])
+      neighbors.append(neighbor)
+
+    return neighbors
 
   def overview(self):
     return {}

From 5fa93df2f4214b772ce2d3e961e72a34db8ea67d Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Wed, 16 Dec 2020 22:16:49 +0100
Subject: [PATCH 0330/3088] remain compatible with old format don't escape
 forward slash "/"

---
 net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index 7dd5dacf86..2e7dc3247c 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -248,4 +248,4 @@ def overview(self):
   elif args.ospfv3_overview:
     result['ospfv3_overview'] = ospfv3.overview()
 
-  print(ujson.dumps(result))
\ No newline at end of file
+  print(ujson.dumps(result, escape_forward_slashes=False))
\ No newline at end of file

From 8c74ab5179b329937ccddaed567e4b28bd0da8ec Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 09:57:09 +0100
Subject: [PATCH 0331/3088] use single quotes consistently

---
 net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index 2e7dc3247c..ada219d99c 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -80,11 +80,11 @@ def _show(self, suffix: str):
   def database(self):
     db = {}
     # table reader for Route Link States
-    rltr = FRRTableReader(titles=["Link ID", "ADV Router", "Age", "Seq#", "CkSum", "Link count"])
+    rltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum', 'Link count'])
     # table reader for Net Link States
-    nltr = FRRTableReader(titles=["Link ID", "ADV Router", "Age", "Seq#", "CkSum"])
+    nltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum'])
     # table reader for Summary Link States
-    sltr = FRRTableReader(titles=["Link ID", "ADV Router", "Age", "Seq#", "CkSum", "Route\n"])
+    sltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum', 'Route\n'])
     # table reader for AS External Link States (columns are identical to Summary Link States)
     eltr = sltr
 
@@ -198,7 +198,7 @@ def route(self):
     return route
 
   def interface(self):
-    return {}
+    lines = self._show('interface')
 
   def neighbor(self):
     neighbors = []

From 17fc6c6f3f15f2c028917ed1b814a1076839b5f4 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 10:17:18 +0100
Subject: [PATCH 0332/3088] fetch and strip lines in one go where possible also
 a slight cosmetic fix, don't need the "r" there

---
 .../opnsense/scripts/frr/legacy-diagnostics.py  | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index ada219d99c..c53d0a9b69 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -182,10 +182,10 @@ def database(self):
 
   def route(self):
     route = []
-    lines = self._show('route')
+    lines = map(str.strip, self._show('route'))
 
     for line in lines:
-      columns = re.split(r'\s+', line.strip())
+      columns = re.split(r'\s+', line)
       route.append({
         'f1': columns[0],
         'f2': columns[1],
@@ -198,13 +198,17 @@ def route(self):
     return route
 
   def interface(self):
-    lines = self._show('interface')
+    interface = {}
+
+    lines = map(str.strip, self._show('interface'))
+
+    return interface
 
   def neighbor(self):
     neighbors = []
     lines = self._show('neighbor')
 
-    tr = FRRTableReader(titles=['Neighbor ID','Pri', 'DeadTime', r'State/IfState', r'Duration I/F[State]'])
+    tr = FRRTableReader(titles=['Neighbor ID','Pri', 'DeadTime', 'State/IfState', 'Duration I/F[State]'])
     ll = lines.pop(0)
     tr.read_header(ll)
 
@@ -216,7 +220,10 @@ def neighbor(self):
     return neighbors
 
   def overview(self):
-    return {}
+    overview = {}
+    lines = map(str.strip, self._show('overview'))
+
+    return overview
 
 # le script
 if __name__ == '__main__':

From 057096fecf6f2b2ec39c1e6191b8e784decac5a7 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 10:26:16 +0100
Subject: [PATCH 0333/3088] use helper class for regex matching hell

---
 .../scripts/frr/legacy-diagnostics.py         | 52 +++++++++++--------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index c53d0a9b69..b3bcd4dac4 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -7,6 +7,22 @@
 from typing import List,Dict
 from lib import VtySH
 
+class Re(object):
+  """ Custom regex helper class
+
+  Use to conveniently build switch-case like constructs using if/elif
+  Kudos to https://stackoverflow.com/a/4980181
+  """
+
+  def __init__(self):
+    self.last_match = None
+  def match(self,pattern,text):
+    self.last_match = re.match(pattern,text)
+    return self.last_match
+  def search(self,pattern,text):
+    self.last_match = re.search(pattern,text)
+    return self.last_match
+
 class FRRTableReader:
   def __init__(self, titles: List[str]=[]):
     self.titles = titles
@@ -108,53 +124,45 @@ def database(self):
         heading = line.strip()
         header_parsed = False
 
+        myre = Re()
         # this is going to be dirty
-        match = re.search(self.RE_ROUTER, heading)
-        if match:
-           router = match.group(1)
-           if not router in db:
+        if myre.search(self.RE_ROUTER, heading):
+          router = myre.last_match.group(1)
+          if not router in db:
             db[router] = {}
-           mode = 'router'
-           continue
-        match = re.search(self.RE_ROUTERLINKSTATES, heading)
-        if match:
+          mode = 'router'
+        elif myre.search(self.RE_ROUTERLINKSTATES, heading):
           mode = 'router_link_state_area'
-          area = match.group(1)
+          area = myre.last_match.group(1)
           if not mode in db[router]:
             db[router][mode] = {}
           if not area in db[router][mode]:
             db[router][mode][area] = []
           tr = rltr
-          continue
-        match = re.search(self.RE_NETLINKSTATES, heading)
-        if match:
+        elif myre.search(self.RE_NETLINKSTATES, heading):
           mode = 'net_link_state_area'
-          area = match.group(1)
+          area = myre.last_match.group(1)
           if not mode in db[router]:
             db[router][mode] = {}
           if not area in db[router][mode]:
             db[router][mode][area] = []
           tr = nltr
-          continue
-        match = re.search(self.RE_SUMMARYLINKSTATES, heading)
-        if match:
+        elif myre.search(self.RE_SUMMARYLINKSTATES, heading):
           mode = 'summary_link_state_area'
-          area = match.group(1)
+          area = myre.last_match.group(1)
           if not mode in db[router]:
             db[router][mode] = {}
           if not area in db[router][mode]:
             db[router][mode][area] = []
           tr = sltr
-          continue
-        if heading == self.EXTERNALLINKSTATES:
+        elif heading == self.EXTERNALLINKSTATES:
           mode = 'external_states'
           if not mode in db[router]:
             db[router][mode] = []
           tr = eltr
-          continue
-
+        else:
+          raise DaemonError('failed to parse heading: ' + heading)
         # told you.
-        raise DaemonError('failed to parse heading: ' + heading)
       else:
         if not header_parsed:
           if mode in ['summary_link_state_area', 'external_states']:

From 2fa4518acdcefdab49d56eda8751cbf0c3c6239b Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 12:51:07 +0100
Subject: [PATCH 0334/3088] add ospfv3 interface

---
 .../scripts/frr/legacy-diagnostics.py         | 65 ++++++++++++++++++-
 1 file changed, 64 insertions(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index b3bcd4dac4..8facf9ba0c 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -207,9 +207,72 @@ def route(self):
 
   def interface(self):
     interface = {}
-
     lines = map(str.strip, self._show('interface'))
 
+    # the interface currently being parsed
+    current_if = ''
+
+    for line in lines:
+      myre = Re()
+      # here we go again...
+      if myre.search(r'(\S+) is (down|up), type ([A-Z]+)', line):
+        current_if = myre.last_match.group(1)
+        interface[current_if] = {
+          'up': True if myre.last_match.group(2) == 'up' else False,
+          'type': myre.last_match.group(3),
+          'enabled': True
+        }
+      elif myre.search(r'Interface ID: (\d+)', line):
+        interface[current_if]['id'] = myre.last_match.group(1)
+      elif myre.search(r'OSPF not enabled on this interface', line):
+        interface[current_if]['enabled'] = False
+      elif myre.search(r'Instance ID (\d+), Interface MTU (\d+) \(autodetect: (\d+)\)', line):
+        interface[current_if]['instance_id'] = int(myre.last_match.group(1))
+        interface[current_if]['interface_mtu'] = int(myre.last_match.group(2))
+        interface[current_if]['interface_mtu_autodetect'] = int(myre.last_match.group(3))
+      elif myre.search(r'(inet |inet6): (\S+)', line):
+        family = 'IPv6' if myre.last_match.group(1) == 'inet6' else 'IPv4'
+        if not family in interface[current_if]:
+          interface[current_if][family] = []
+        interface[current_if][family].append(myre.last_match.group(2))
+      elif myre.search(r'MTU mismatch detection: (en|dis)abled', line):
+        interface[current_if]['mtu_mismatch_detection'] = True if myre.last_match.group(1) == 'en' else False
+      elif myre.search(r'DR: (\S+) BDR: (\S+)', line):
+        interface[current_if]['designated_router'] = myre.last_match.group(1)
+        interface[current_if]['backup_designated_router'] = myre.last_match.group(2)
+      elif myre.search(r'State (\S+), Transmit Delay (\d+) sec, Priority (\d+)', line):
+        interface[current_if]['state'] = myre.last_match.group(1)
+        interface[current_if]['transmit_delay'] = int(myre.last_match.group(2))
+        interface[current_if]['priority'] = int(myre.last_match.group(3))
+      elif myre.search(r'Number of I\/F scoped LSAs is (\d+)', line):
+        interface[current_if]['number_if_scoped_lsas'] = int(myre.last_match.group(1))
+      elif myre.search(r'(\d+) Pending LSAs for (\S+) in Time ([\d:]+)(?: (.*))', line):
+        if not 'pending_lsas' in interface[current_if]:
+          interface[current_if]['pending_lsas'] = {}
+        interface[current_if]['pending_lsas'][myre.last_match.group(2)] = {
+          'time': myre.last_match.group(3),
+          'count': myre.last_match.group(1),
+          'flags': myre.last_match.group(4)
+        }
+      elif myre.search(r'Hello (\d+), Dead (\d+), Retransmit (\d+)', line):
+        interface[current_if]['timers'] = {
+          'hello': int(myre.last_match.group(1)),
+          'dead': int(myre.last_match.group(2)),
+          'retransmit': int(myre.last_match.group(3))
+        }
+      elif myre.search(r'Area ID (\S+), Cost (\d+)', line):
+        if not 'area_cost' in interface[current_if]:
+          interface[current_if]['area_cost'] = []
+        interface[current_if]['area_cost'].append({
+          'area': myre.last_match.group(1),
+          'cost': int(myre.last_match.group(2))
+        })
+      elif line in ['Internet Address:', 'Timer intervals configured:']:
+        # ignore these strings
+        pass
+      else:
+        raise DaemonError('failed to parse line: ' + line)
+
     return interface
 
   def neighbor(self):

From 3db7395ad7b51efe03a5ec710f2ba3bf998f2aee Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 12:53:14 +0100
Subject: [PATCH 0335/3088] move parsing strings/regexes into functions
 improves readability, they're not reused anyway.

---
 .../opnsense/scripts/frr/legacy-diagnostics.py   | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index 8facf9ba0c..deae900644 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -84,12 +84,6 @@ def _show(self, suffix: str):
     return list(filter(None,vtysh.execute(command='show ' + suffix, translate=bytes.decode).split('\n')))
 
 class OSPF(Daemon):
-  RE_ROUTER = r'OSPF Router with ID \(([\.\d]+)\)'
-  RE_ROUTERLINKSTATES = r'Router Link States \(Area ([\.\d]+)\)'
-  RE_NETLINKSTATES = r'Net Link States \(Area ([\.\d]+)\)'
-  RE_SUMMARYLINKSTATES = r'Summary Link States \(Area ([\.\d]+)\)'
-  EXTERNALLINKSTATES = 'AS External Link States'
-
   def _show(self, suffix: str):
     return super()._show('ip ospf ' + suffix)
 
@@ -126,12 +120,12 @@ def database(self):
 
         myre = Re()
         # this is going to be dirty
-        if myre.search(self.RE_ROUTER, heading):
+        if myre.search(r'OSPF Router with ID \(([\.\d]+)\)', heading):
           router = myre.last_match.group(1)
           if not router in db:
             db[router] = {}
           mode = 'router'
-        elif myre.search(self.RE_ROUTERLINKSTATES, heading):
+        elif myre.search(r'Router Link States \(Area ([\.\d]+)\)', heading):
           mode = 'router_link_state_area'
           area = myre.last_match.group(1)
           if not mode in db[router]:
@@ -139,7 +133,7 @@ def database(self):
           if not area in db[router][mode]:
             db[router][mode][area] = []
           tr = rltr
-        elif myre.search(self.RE_NETLINKSTATES, heading):
+        elif myre.search(r'Net Link States \(Area ([\.\d]+)\)', heading):
           mode = 'net_link_state_area'
           area = myre.last_match.group(1)
           if not mode in db[router]:
@@ -147,7 +141,7 @@ def database(self):
           if not area in db[router][mode]:
             db[router][mode][area] = []
           tr = nltr
-        elif myre.search(self.RE_SUMMARYLINKSTATES, heading):
+        elif myre.search(r'Summary Link States \(Area ([\.\d]+)\)', heading):
           mode = 'summary_link_state_area'
           area = myre.last_match.group(1)
           if not mode in db[router]:
@@ -155,7 +149,7 @@ def database(self):
           if not area in db[router][mode]:
             db[router][mode][area] = []
           tr = sltr
-        elif heading == self.EXTERNALLINKSTATES:
+        elif heading == 'AS External Link States':
           mode = 'external_states'
           if not mode in db[router]:
             db[router][mode] = []

From 4bfbbf159cc6a01f58510e9a1c073c7b3e492465 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 14:33:22 +0100
Subject: [PATCH 0336/3088] add ospfv3 database, initialize Re only once

---
 .../scripts/frr/legacy-diagnostics.py         | 154 ++++++++++++------
 1 file changed, 104 insertions(+), 50 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index deae900644..88e7fda0be 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -78,6 +78,7 @@ class DaemonError(Exception):
 class Daemon:
   def __init__(self, vtysh: VtySH):
     self.vtysh = vtysh
+    self.myre = Re()
 
   def _show(self, suffix: str):
     # execute the command and filter out empty lines so subsequent iterations don't have to  deal with them
@@ -118,32 +119,31 @@ def database(self):
         heading = line.strip()
         header_parsed = False
 
-        myre = Re()
         # this is going to be dirty
-        if myre.search(r'OSPF Router with ID \(([\.\d]+)\)', heading):
-          router = myre.last_match.group(1)
+        if self.myre.search(r'OSPF Router with ID \(([\.\d]+)\)', heading):
+          router = self.myre.last_match.group(1)
           if not router in db:
             db[router] = {}
           mode = 'router'
-        elif myre.search(r'Router Link States \(Area ([\.\d]+)\)', heading):
+        elif self.myre.search(r'Router Link States \(Area ([\.\d]+)\)', heading):
           mode = 'router_link_state_area'
-          area = myre.last_match.group(1)
+          area = self.myre.last_match.group(1)
           if not mode in db[router]:
             db[router][mode] = {}
           if not area in db[router][mode]:
             db[router][mode][area] = []
           tr = rltr
-        elif myre.search(r'Net Link States \(Area ([\.\d]+)\)', heading):
+        elif self.myre.search(r'Net Link States \(Area ([\.\d]+)\)', heading):
           mode = 'net_link_state_area'
-          area = myre.last_match.group(1)
+          area = self.myre.last_match.group(1)
           if not mode in db[router]:
             db[router][mode] = {}
           if not area in db[router][mode]:
             db[router][mode][area] = []
           tr = nltr
-        elif myre.search(r'Summary Link States \(Area ([\.\d]+)\)', heading):
+        elif self.myre.search(r'Summary Link States \(Area ([\.\d]+)\)', heading):
           mode = 'summary_link_state_area'
-          area = myre.last_match.group(1)
+          area = self.myre.last_match.group(1)
           if not mode in db[router]:
             db[router][mode] = {}
           if not area in db[router][mode]:
@@ -168,7 +168,7 @@ def database(self):
         else:
           if mode == 'router':
             raise DaemonError('attempting to parse a table row but the mode is \'router\'. please debug the FRR output:\n\n\n'+lines)
-          if mode == 'external_states':
+          elif mode == 'external_states':
             db[router][mode].append(tr.read_line(line))
           else:
             db[router][mode][area].append(tr.read_line(line))
@@ -180,7 +180,61 @@ def _show(self, suffix: str):
     return super()._show('ipv6 ospf6 ' + suffix)
 
   def database(self):
-    return {}
+    database = {}
+    lines = map(str.strip, self._show('database'))
+
+    # table reader
+    tr = FRRTableReader(titles=["Type", "LSId", "AdvRouter", "     Age", "  SeqNum","                       Payload"])
+    # whether or not the header for the current section has already been parsed
+    header_parsed = False
+    # the current router
+    router = None
+    # the current area
+    area = None
+    # the current mode
+    mode = None
+
+    for line in lines:
+      # here we go again...
+      if self.myre.search(r'Area Scoped Link State Database \(Area (.*)\)', line):
+        header_parsed = False
+        mode = 'scoped_link_db'
+        area = self.myre.last_match.group(1)
+        if not mode in database:
+          database[mode] = {}
+        if not area in database[mode]:
+          database[mode][area] = []
+      elif self.myre.search(r'I\/F Scoped Link State Database \(I\/F (\S+) in Area (.*)\)', line):
+        header_parsed = False
+        mode = 'if_scoped_link_state'
+        interface = self.myre.last_match.group(1)
+        area = self.myre.last_match.group(2)
+        if not mode in database:
+          database[mode] = {}
+        if not interface in database[mode]:
+          database[mode][interface] = {}
+        if not area in database[mode][interface]:
+          database[mode][interface][area] = []
+      elif line == 'AS Scoped Link State Database':
+        header_parsed = False
+        mode = 'as_scoped'
+        if not mode in database:
+          database[mode] = []
+      else:
+        if not header_parsed:
+          tr.read_header(line)
+          header_parsed = True
+        else:
+          if mode == 'scoped_link_db':
+            database[mode][area].append(tr.read_line(line))
+          elif mode == 'if_scoped_link_state':
+            database[mode][interface][area].append(tr.read_line(line))
+          elif mode == 'as_scoped':
+            database[mode].append(tr.read_line(line))
+          else:
+            raise DaemonError('invalid mode, failed to parse line: ' + line)
+
+    return database
 
   def route(self):
     route = []
@@ -204,62 +258,62 @@ def interface(self):
     lines = map(str.strip, self._show('interface'))
 
     # the interface currently being parsed
-    current_if = ''
+    current_if = None
 
     for line in lines:
-      myre = Re()
+      self.myre = Re()
       # here we go again...
-      if myre.search(r'(\S+) is (down|up), type ([A-Z]+)', line):
-        current_if = myre.last_match.group(1)
+      if self.myre.search(r'(\S+) is (down|up), type ([A-Z]+)', line):
+        current_if = self.myre.last_match.group(1)
         interface[current_if] = {
-          'up': True if myre.last_match.group(2) == 'up' else False,
-          'type': myre.last_match.group(3),
+          'up': True if self.myre.last_match.group(2) == 'up' else False,
+          'type': self.myre.last_match.group(3),
           'enabled': True
         }
-      elif myre.search(r'Interface ID: (\d+)', line):
-        interface[current_if]['id'] = myre.last_match.group(1)
-      elif myre.search(r'OSPF not enabled on this interface', line):
+      elif self.myre.search(r'Interface ID: (\d+)', line):
+        interface[current_if]['id'] = self.myre.last_match.group(1)
+      elif self.myre.search(r'OSPF not enabled on this interface', line):
         interface[current_if]['enabled'] = False
-      elif myre.search(r'Instance ID (\d+), Interface MTU (\d+) \(autodetect: (\d+)\)', line):
-        interface[current_if]['instance_id'] = int(myre.last_match.group(1))
-        interface[current_if]['interface_mtu'] = int(myre.last_match.group(2))
-        interface[current_if]['interface_mtu_autodetect'] = int(myre.last_match.group(3))
-      elif myre.search(r'(inet |inet6): (\S+)', line):
-        family = 'IPv6' if myre.last_match.group(1) == 'inet6' else 'IPv4'
+      elif self.myre.search(r'Instance ID (\d+), Interface MTU (\d+) \(autodetect: (\d+)\)', line):
+        interface[current_if]['instance_id'] = int(self.myre.last_match.group(1))
+        interface[current_if]['interface_mtu'] = int(self.myre.last_match.group(2))
+        interface[current_if]['interface_mtu_autodetect'] = int(self.myre.last_match.group(3))
+      elif self.myre.search(r'(inet |inet6): (\S+)', line):
+        family = 'IPv6' if self.myre.last_match.group(1) == 'inet6' else 'IPv4'
         if not family in interface[current_if]:
           interface[current_if][family] = []
-        interface[current_if][family].append(myre.last_match.group(2))
-      elif myre.search(r'MTU mismatch detection: (en|dis)abled', line):
-        interface[current_if]['mtu_mismatch_detection'] = True if myre.last_match.group(1) == 'en' else False
-      elif myre.search(r'DR: (\S+) BDR: (\S+)', line):
-        interface[current_if]['designated_router'] = myre.last_match.group(1)
-        interface[current_if]['backup_designated_router'] = myre.last_match.group(2)
-      elif myre.search(r'State (\S+), Transmit Delay (\d+) sec, Priority (\d+)', line):
-        interface[current_if]['state'] = myre.last_match.group(1)
-        interface[current_if]['transmit_delay'] = int(myre.last_match.group(2))
-        interface[current_if]['priority'] = int(myre.last_match.group(3))
-      elif myre.search(r'Number of I\/F scoped LSAs is (\d+)', line):
-        interface[current_if]['number_if_scoped_lsas'] = int(myre.last_match.group(1))
-      elif myre.search(r'(\d+) Pending LSAs for (\S+) in Time ([\d:]+)(?: (.*))', line):
+        interface[current_if][family].append(self.myre.last_match.group(2))
+      elif self.myre.search(r'MTU mismatch detection: (en|dis)abled', line):
+        interface[current_if]['mtu_mismatch_detection'] = True if self.myre.last_match.group(1) == 'en' else False
+      elif self.myre.search(r'DR: (\S+) BDR: (\S+)', line):
+        interface[current_if]['designated_router'] = self.myre.last_match.group(1)
+        interface[current_if]['backup_designated_router'] = self.myre.last_match.group(2)
+      elif self.myre.search(r'State (\S+), Transmit Delay (\d+) sec, Priority (\d+)', line):
+        interface[current_if]['state'] = self.myre.last_match.group(1)
+        interface[current_if]['transmit_delay'] = int(self.myre.last_match.group(2))
+        interface[current_if]['priority'] = int(self.myre.last_match.group(3))
+      elif self.myre.search(r'Number of I\/F scoped LSAs is (\d+)', line):
+        interface[current_if]['number_if_scoped_lsas'] = int(self.myre.last_match.group(1))
+      elif self.myre.search(r'(\d+) Pending LSAs for (\S+) in Time ([\d:]+)(?: (.*))', line):
         if not 'pending_lsas' in interface[current_if]:
           interface[current_if]['pending_lsas'] = {}
-        interface[current_if]['pending_lsas'][myre.last_match.group(2)] = {
-          'time': myre.last_match.group(3),
-          'count': myre.last_match.group(1),
-          'flags': myre.last_match.group(4)
+        interface[current_if]['pending_lsas'][self.myre.last_match.group(2)] = {
+          'time': self.myre.last_match.group(3),
+          'count': self.myre.last_match.group(1),
+          'flags': self.myre.last_match.group(4)
         }
-      elif myre.search(r'Hello (\d+), Dead (\d+), Retransmit (\d+)', line):
+      elif self.myre.search(r'Hello (\d+), Dead (\d+), Retransmit (\d+)', line):
         interface[current_if]['timers'] = {
-          'hello': int(myre.last_match.group(1)),
-          'dead': int(myre.last_match.group(2)),
-          'retransmit': int(myre.last_match.group(3))
+          'hello': int(self.myre.last_match.group(1)),
+          'dead': int(self.myre.last_match.group(2)),
+          'retransmit': int(self.myre.last_match.group(3))
         }
-      elif myre.search(r'Area ID (\S+), Cost (\d+)', line):
+      elif self.myre.search(r'Area ID (\S+), Cost (\d+)', line):
         if not 'area_cost' in interface[current_if]:
           interface[current_if]['area_cost'] = []
         interface[current_if]['area_cost'].append({
-          'area': myre.last_match.group(1),
-          'cost': int(myre.last_match.group(2))
+          'area': self.myre.last_match.group(1),
+          'cost': int(self.myre.last_match.group(2))
         })
       elif line in ['Internet Address:', 'Timer intervals configured:']:
         # ignore these strings

From 2ca4f2d4c58a7e882580e6eb52d3514e0a4c9a34 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 14:35:16 +0100
Subject: [PATCH 0337/3088] fix width of Age in ospfv3 database header

---
 net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index 88e7fda0be..f24f4c7fd9 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -184,7 +184,7 @@ def database(self):
     lines = map(str.strip, self._show('database'))
 
     # table reader
-    tr = FRRTableReader(titles=["Type", "LSId", "AdvRouter", "     Age", "  SeqNum","                       Payload"])
+    tr = FRRTableReader(titles=["Type", "LSId", "AdvRouter", " Age", "  SeqNum","                       Payload"])
     # whether or not the header for the current section has already been parsed
     header_parsed = False
     # the current router

From 279ed0b635e4ee4a4b5c7528233ef9c069e534df Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 14:45:52 +0100
Subject: [PATCH 0338/3088] small ospfv3 UI fix interpret sequence number as
 string, numeric can sometimes render to NaN

---
 .../mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt
index 65c9d38664..4f4662dbb9 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt
@@ -130,7 +130,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <th data-column-id="lsid" data-type="string">{{ lang._('LS ID') }}</th>
             <th data-column-id="advrouter" data-type="string">{{ lang._('Advertising Router') }}</th>
             <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-            <th data-column-id="seqnr" data-type="numeric">{{ lang._('Sequence Number') }}</th>
+            <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
             <th data-column-id="payload" data-type="string">{{ lang._('Payload') }}</th>
           </tr>
         </thead>
@@ -163,7 +163,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <th data-column-id="lsid" data-type="string">{{ lang._('LS ID') }}</th>
               <th data-column-id="advrouter" data-type="string">{{ lang._('Advertising Router') }}</th>
               <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-              <th data-column-id="seqnr" data-type="numeric">{{ lang._('Sequence Number') }}</th>
+              <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
               <th data-column-id="payload" data-type="string">{{ lang._('Payload') }}</th>
             </tr>
           </thead>
@@ -192,7 +192,7 @@ POSSIBILITY OF SUCH DAMAGE.
           <th data-column-id="lsid" data-type="string">{{ lang._('LS ID') }}</th>
           <th data-column-id="advrouter" data-type="string">{{ lang._('Advertising Router') }}</th>
           <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-          <th data-column-id="seqnr" data-type="numeric">{{ lang._('Sequence Number') }}</th>
+          <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
           <th data-column-id="payload" data-type="string">{{ lang._('Payload') }}</th>
         </tr>
       </thead>

From 89b1215cd78960d160df56429aa024b759dfa90c Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 17:11:10 +0100
Subject: [PATCH 0339/3088] add ospfv3 overview

---
 .../scripts/frr/legacy-diagnostics.py         | 47 +++++++++++++++++--
 1 file changed, 44 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index f24f4c7fd9..9df81e8adc 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -261,7 +261,6 @@ def interface(self):
     current_if = None
 
     for line in lines:
-      self.myre = Re()
       # here we go again...
       if self.myre.search(r'(\S+) is (down|up), type ([A-Z]+)', line):
         current_if = self.myre.last_match.group(1)
@@ -339,8 +338,50 @@ def neighbor(self):
     return neighbors
 
   def overview(self):
-    overview = {}
-    lines = map(str.strip, self._show('overview'))
+    overview = {'areas': {}}
+    lines = map(str.strip, self._show(''))
+
+    current_area = None
+
+    for line in lines:
+      if self.myre.search(r'OSPFv3 Routing Process \((\d+)\) with Router-ID ([\d\.]+)', line):
+        overview['router_id'] = self.myre.last_match.group(2)
+        overview['routing_process'] = int(self.myre.last_match.group(1))
+      elif self.myre.search(r'Initial SPF scheduling delay (\d+) millisec\(s\)', line):
+        overview['initial_spf_scheduling_delay'] = int(self.myre.last_match.group(1))
+      elif self.myre.search(r'(Min|Max)imum hold time between consecutive SPFs (\d+) milli?second\(s\)', line):
+        if not 'hold_time' in overview:
+          overview['hold_time'] = {}
+        overview['hold_time'][self.myre.last_match.group(1).lower()] = int(self.myre.last_match.group(2))
+      elif line == 'This router is an ASBR (injecting external routing information)':
+        overview['asbr'] = True
+      elif self.myre.search(r'SPF timer is (.*)', line):
+        overview['spf_timer'] = self.myre.last_match.group(1)
+      elif self.myre.search(r'Running (.*)', line):
+        overview['running_time'] = self.myre.last_match.group(1)
+      elif self.myre.search(r'Number of AS scoped LSAs is (\d+)', line):
+        overview['number_as_scoped'] = int(self.myre.last_match.group(1))
+      elif self.myre.search(r'Hold time multiplier is currently (\d+)', line):
+        overview['current_hold_time_multipier'] = int(self.myre.last_match.group(1))
+      elif self.myre.search(r'Number of areas in this router is (\d+)', line):
+        overview['number_of_areas'] = int(self.myre.last_match.group(1))
+      elif self.myre.search(r'^Area ([\d\.]*)', line):
+        current_area = self.myre.last_match.group(1)
+        overview['areas'][current_area] = {}
+      elif self.myre.search(r'Interface attached to this area: (.*)', line):
+        overview['areas'][current_area]['interfaces'] = self.myre.last_match.group(1).split(' ')
+      elif self.myre.search(r'Number of Area scoped LSAs is (.*)', line):
+        overview['areas'][current_area]['number_lsas'] = int(self.myre.last_match.group(1))
+      elif (self.myre.search(r'LSA minimum arrival (.*)', line)
+        or self.myre.search(r'SPF algorithm last executed (.*)', line)
+        or self.myre.search(r'Last SPF duration (.*)', line)
+        or self.myre.search(r'SPF last executed (.*)', line)
+        or self.myre.search(r'Number of Area scoped LSAs is (.*)', line)
+        ):
+        # skip these lines
+        pass
+      else:
+        raise DaemonError('failed to parse line: ' + line)
 
     return overview
 

From 9c42a566090df3f6e3b87dc52dddce4b5a794a22 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 18:24:29 +0100
Subject: [PATCH 0340/3088] diagnostics/bgp cleanup

---
 .../mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt         | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index 1bd81d7aa9..60c7d72f17 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -32,10 +32,6 @@ POSSIBILITY OF SUCH DAMAGE.
 {{ partial("layout_partials/base_form",['fields':diagnosticsForm,'id':'frm_diagnostics_settings'])}}
 #}
 
-<script type="text/x-template" id="overviewtpl">
-  <h2>{{ lang._('General') }}</h2>
-  
-</script>
 <script type="text/x-template" id="routestpl">
   <h2>{{ lang._('Table Version') }}: <%= tableVersion %></h2>
   <table class="table table-striped">

From e6b0c70d4a7ff0234b7a7ca371fa8c5f7c50c9ec Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 18:28:23 +0100
Subject: [PATCH 0341/3088] changelog and version bump

---
 net/frr/Makefile  |  2 +-
 net/frr/pkg-descr | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index ae31d1269d..9c97041eae 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.20
+PLUGIN_VERSION=		1.21
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index a25daaa3e0..b5c428ad1d 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,28 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.21
+
+* Deprecate Ruby parser for FRR diagnostic output, remove Ruby dependency
+* Use FRR's json output where available
+* Introduce Python parser for FRR output where json is not (yet) available
+* Streamline diagnostic action names
+* Streamline diagnostic API endpoint names
+* Add diagnostic action and API endpoint for BGP neighbors
+* Webif Diagnostics/General: Fix routing tables
+* Webif Diagnostics/General: Align routing table style with other pages
+* Webif Diagnostics/OSPF: Correctly display areas in "Overview" tab
+* Webif Diagnostics/OSPF: Fix area rendering to "NaN" in "Route Table" tab
+* Webif Diagnostics/OSPF: Use only one table in "Route Table" tab
+* Webif Diagnostics/OSPF: Add mouseover hints to Type column in "Route Table" tab
+* Webif Diagnostics/OSPF: Slight presentation adjustments in "Neighbor" tab
+* Webif Diagnostics/OSPFv3: Fix age and sequence number rendering to "NaN" in "Database" tab
+* Webif Diagnostics/BGP: Rename page from "BGPv4" to just "BGP"
+* Webif Diagnostics/BGP: Replace "Overview" tab with distinct "IPv4 Routing Table" and "IPv6 Routing table" tabs
+* Webif Diagnostics/BGP: Align routing table style with other pages
+* Webif Diagnostics/BGP: Add Neighbors tab
+
+
 1.20
 
 * Allow to adjust reference cost for OSPF calculation

From 4dcd0c833e2f584f81b76454ff8d717e691e5473 Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Thu, 17 Dec 2020 18:54:57 +0100
Subject: [PATCH 0342/3088] changelog style fix

---
 net/frr/pkg-descr | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index b5c428ad1d..c0da556154 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -32,7 +32,6 @@ Plugin Changelog
 * Webif Diagnostics/BGP: Align routing table style with other pages
 * Webif Diagnostics/BGP: Add Neighbors tab
 
-
 1.20
 
 * Allow to adjust reference cost for OSPF calculation

From ff4218899409835372bca303c662ab45cf71e834 Mon Sep 17 00:00:00 2001
From: Manuel <8191@users.noreply.github.com>
Date: Sat, 19 Dec 2020 22:41:59 +0100
Subject: [PATCH 0343/3088]  Fix for #1987 to resolve migration issue (#2153)

* Nginx: allow to enable/disable proxy_ssl_verify for upstream server.

* www/nginx: fixed nginx model and naxsi rule import

nginx model missed naxsi_rule.body field and listed naxsi_rule.url
twice with different definition.

naxsi rule importer did not import per-rule score and missed BODY and
URL match zones.

* www/nginx: Enriched Naxsi help texts and parameter names

* Apply suggestions from code review

Typos and wrong indents fixed.

Co-authored-by: Fabian Franz BSc <fabianfrz@users.noreply.github.com>

* Bump version of nginx plugin

Increased nginx version to 1.20.

* Nginx: Updated model version

Pushed Nginx model to 1.20.0

* [www/nginx] Fixed issue with default value in model

* [www/nginx] revert accidential commit

* [www/nginx] Fixed issue with default value in model

Co-authored-by: Fabian Franz BSc <fabianfrz@users.noreply.github.com>
---
 www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 7744d01ff6..ab53840531 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -587,6 +587,7 @@
         <Required>Y</Required>
       </headers>
       <body type="BooleanField">
+        <default>0</default>
         <Required>Y</Required>
       </body>
       <dollar_args_var type="TextField">

From 4950385e953b2db0a2c0cedf42b0d0f03acf625c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 20 Dec 2020 22:19:59 +0100
Subject: [PATCH 0344/3088] dns/bind: rephrase help text

Co-authored-by: Manuel <8191@users.noreply.github.com>
---
 .../mvc/app/controllers/OPNsense/Bind/forms/general.xml         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index bd3bcc9519..1889a6a477 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -38,7 +38,7 @@
         <label>Transfer Source IP</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>This determines which local address is bound to IPv4 TCP connections used to fetch zones transferred inbound by the server.</help>
+        <help>Specify the IPv4 address used as a source for zone transfers.</help>
     </field>
     <field>
         <id>general.transfersourcev6</id>

From 798ad7592192515e6b0c8a1cda158c91f692a327 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Dec 2020 14:40:14 +0100
Subject: [PATCH 0345/3088] sysutils/hw-probe: release as 1.0

---
 README.md                  | 2 +-
 sysutils/hw-probe/Makefile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 3a2bd61496..11d06a1e11 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,7 @@ sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/boot-delay -- Apply a persistent 10 second boot delay
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
-sysutils/hw-probe -- Collect hardware diagnostics (development only)
+sysutils/hw-probe -- Collect hardware diagnostics
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitorin agent
diff --git a/sysutils/hw-probe/Makefile b/sysutils/hw-probe/Makefile
index 8ce8dff665..eaf0ab3b23 100644
--- a/sysutils/hw-probe/Makefile
+++ b/sysutils/hw-probe/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		hw-probe
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Collect hardware diagnostics
 PLUGIN_DEPENDS=		hw-probe
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_DEVEL=       yes
 
 .include "../../Mk/plugins.mk"

From 6c40fb8448c2e215b63b96200b1e1a6b01e6ba0e Mon Sep 17 00:00:00 2001
From: Manuel <8191@users.noreply.github.com>
Date: Mon, 21 Dec 2020 14:47:10 +0100
Subject: [PATCH 0346/3088] dns/bind: Recording pagination fix (#2157)

---
 .../src/opnsense/mvc/app/views/OPNsense/Bind/general.volt    | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index e42640843c..cc3a15c292 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -195,6 +195,7 @@ $( document ).ready(function() {
             selection: true,
             multiSelect: false,
             rowSelect: true,
+            rowCount: [3,7,14,20,50,100,-1]
         }
     }).on("selected.rs.jquery.bootgrid", function(e, rows) {
         $("#grid-records").bootgrid('reload');
@@ -216,8 +217,7 @@ $( document ).ready(function() {
         'toggle':'/api/bind/record/toggleRecord/',
         options:{
             useRequestHandlerOnGet: true,
-            requestHandler: function() {
-                let request = {'domain': 'not_found'};
+            requestHandler: function(request) {
                 let ids = $("#grid-domains").bootgrid("getSelectedRows");
                 if (ids.length > 0) {
                     request['domain'] = ids[0];
@@ -225,6 +225,7 @@ $( document ).ready(function() {
                     $("#recordDelBtn").show();
                     $("#record-area").show();
                 } else {
+                    request['domain'] = 'not_found';
                     $("#recordAddBtn").hide();
                     $("#recordDelBtn").hide();
                     $("#record-area").hide();

From 4524a70c17f461d3c4f3f9bbe63b31fc8befc94f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 22 Dec 2020 11:27:29 +0100
Subject: [PATCH 0347/3088] FRR: style fixes for
 https://github.com/opnsense/plugins/pull/2143

---
 .../Quagga/Api/DiagnosticsController.php      |   6 +-
 .../scripts/frr/legacy-diagnostics.py         | 815 +++++++++---------
 2 files changed, 426 insertions(+), 395 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index f19af0e86b..7426a5f53e 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -57,7 +57,11 @@ public function generalrouteAction($format = "json"): array
     {
         $routes4 = $this->getInformation("general", "route4", $format)['response'];
         $routes6 = $this->getInformation("general", "route6", $format)['response'];
-        return array("response" => ($format === "json" ? array("ipv4" => $routes4, "ipv6" => $routes6) : $routes4.$routes6));
+        if ($format === "json") {
+            return array("response" => array("ipv4" => $routes4, "ipv6" => $routes6));
+        } else {
+            return array("response" => $routes4.$routes6);
+        }
     }
 
     public function generalroute4Action($format = "json"): array
diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index 9df81e8adc..73cb70d5ef 100644
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -1,418 +1,445 @@
 #!/usr/local/bin/python3
+"""
+    Copyright (c) 2020 Marc Leuser
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
 
 import argparse
-from enum import Enum
 import ujson
 import re
-from typing import List,Dict
+from typing import List, Dict
 from lib import VtySH
 
-class Re(object):
-  """ Custom regex helper class
 
-  Use to conveniently build switch-case like constructs using if/elif
-  Kudos to https://stackoverflow.com/a/4980181
-  """
+class Re:
+    """ Custom regex helper class (source https://stackoverflow.com/a/4980181)
+        Use to conveniently build switch-case like constructs using if/elif
+    """
+
+    def __init__(self):
+        self.last_match = None
+
+    def match(self, pattern, text):
+        self.last_match = re.match(pattern, text)
+        return self.last_match
+
+    def search(self, pattern, text):
+        self.last_match = re.search(pattern, text)
+        return self.last_match
 
-  def __init__(self):
-    self.last_match = None
-  def match(self,pattern,text):
-    self.last_match = re.match(pattern,text)
-    return self.last_match
-  def search(self,pattern,text):
-    self.last_match = re.search(pattern,text)
-    return self.last_match
 
 class FRRTableReader:
-  def __init__(self, titles: List[str]=[]):
-    self.titles = titles
-
-  def read_header(self, line: str, start_without_title: bool=False, start_without_title_name: str='status'):
-    # we're going to create a list of columns. each entry contains title, start index and end index for easy parsing
-    self.columns = []
-
-    # the first column's title may sometimes be empty in FRR's output. we'll have to give it a name though
-    if start_without_title:
-      self.columns.append({
-        'title': start_without_title_name,
-        'start_index': 0,
-        'end_index': None
-      })
-
-    # fill the list with subsequent columns
-    for title in self.titles:
-      try:
-        # find the start index of the current title in the header
-        start_index = line.index(title)
-      except ValueError:
-        # just skip the column if it can't be found
-        continue
-
-      # last column's end index is this column's start index
-      if self.columns:
-        self.columns[-1]['end_index'] = start_index
-
-      # add the current column to the list
-      self.columns.append({
-        'title': title,
-        'start_index': start_index,
-        'end_index': None
-      })
-    
-  def read_line(self, line: str) -> List[Dict[str, str]]:
-    # parsing is relatively straightforward
-    result = {}
-
-    # sanity check: the line has to be long enough to contain all columns,
-    # so its length must be greater than the last column's start index
-    if len(line) > self.columns[-1]['start_index']:
-      for column in self.columns:
-        # use the column's name as dict key and just extract the data from start to end index
-        result[column['title'].strip()] = line[column['start_index']:column['end_index']].strip()
-
-    return result
+    def __init__(self, titles: List[str] = None):
+        self.titles = titles if titles is not None else list()
+        self.columns = list()
+
+    def read_header(self, line: str, start_without_title: bool = False, start_without_title_name: str = 'status'):
+        # we're going to create a list of columns. each entry contains title, start index and end index for easy parsing
+        self.columns = []
+
+        # the first column's title may sometimes be empty in FRR's output. we'll have to give it a name though
+        if start_without_title:
+            self.columns.append({
+                'title': start_without_title_name,
+                'start_index': 0,
+                'end_index': None
+            })
+
+        # fill the list with subsequent columns
+        for title in self.titles:
+            try:
+                # find the start index of the current title in the header
+                start_index = line.index(title)
+            except ValueError:
+                # just skip the column if it can't be found
+                continue
+
+            # last column's end index is this column's start index
+            if self.columns:
+                self.columns[-1]['end_index'] = start_index
+
+            # add the current column to the list
+            self.columns.append({
+                'title': title,
+                'start_index': start_index,
+                'end_index': None
+            })
+
+    def read_line(self, line: str) -> Dict[str, str]:
+        result = {}
+
+        # sanity check: the line has to be long enough to contain all columns,
+        # so its length must be greater than the last column's start index
+        if len(line) > self.columns[-1]['start_index']:
+            for column in self.columns:
+                # use the column's name as dict key and just extract the data from start to end index
+                result[column['title'].strip()] = line[column['start_index']:column['end_index']].strip()
+
+        return result
+
 
 class DaemonError(Exception):
-  pass
+    pass
+
 
 class Daemon:
-  def __init__(self, vtysh: VtySH):
-    self.vtysh = vtysh
-    self.myre = Re()
+    def __init__(self, vtysh: VtySH):
+        self.vtysh = vtysh
+        self.myre = Re()
+
+    def _show(self, suffix: str):
+        # execute the command and filter out empty lines so subsequent iterations don't have to  deal with them
+        return list(filter(None, self.vtysh.execute(command='show ' + suffix, translate=bytes.decode).split('\n')))
 
-  def _show(self, suffix: str):
-    # execute the command and filter out empty lines so subsequent iterations don't have to  deal with them
-    return list(filter(None,vtysh.execute(command='show ' + suffix, translate=bytes.decode).split('\n')))
 
 class OSPF(Daemon):
-  def _show(self, suffix: str):
-    return super()._show('ip ospf ' + suffix)
-
-  def database(self):
-    db = {}
-    # table reader for Route Link States
-    rltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum', 'Link count'])
-    # table reader for Net Link States
-    nltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum'])
-    # table reader for Summary Link States
-    sltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum', 'Route\n'])
-    # table reader for AS External Link States (columns are identical to Summary Link States)
-    eltr = sltr
-
-    # get the FRR output
-    lines = self._show('database')
-
-    # placeholder for the active table reader for the coming line
-    tr = None
-    # whether or not the header for the current section has already been parsed
-    header_parsed = False
-    # the current router
-    router = None
-    # the current area
-    area = None
-    # the current mode
-    mode = None
-
-    for line in lines:
-      if line.startswith(' '):
-        # this is a heading
-        heading = line.strip()
+    def _show(self, suffix: str):
+        return super()._show('ip ospf ' + suffix)
+
+    def database(self):
+        db = {}
+        # table reader for Route Link States
+        rltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum', 'Link count'])
+        # table reader for Net Link States
+        nltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum'])
+        # table reader for Summary Link States
+        sltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum', 'Route\n'])
+        # table reader for AS External Link States (columns are identical to Summary Link States)
+        eltr = sltr
+
+        # get the FRR output
+        lines = self._show('database')
+
+        # placeholder for the active table reader for the coming line
+        tr = None
+        # whether or not the header for the current section has already been parsed
         header_parsed = False
+        # the current router
+        router = None
+        # the current area
+        area = None
+        # the current mode
+        mode = None
+
+        for line in lines:
+            if line.startswith(' '):
+                # this is a heading
+                heading = line.strip()
+                header_parsed = False
+
+                # this is going to be dirty
+                if self.myre.search(r'OSPF Router with ID \(([\.\d]+)\)', heading):
+                    router = self.myre.last_match.group(1)
+                    if router not in db:
+                        db[router] = {}
+                    mode = 'router'
+                elif self.myre.search(r'Router Link States \(Area ([\.\d]+)\)', heading):
+                    mode = 'router_link_state_area'
+                    area = self.myre.last_match.group(1)
+                    if mode not in db[router]:
+                        db[router][mode] = {}
+                    if area not in db[router][mode]:
+                        db[router][mode][area] = []
+                    tr = rltr
+                elif self.myre.search(r'Net Link States \(Area ([\.\d]+)\)', heading):
+                    mode = 'net_link_state_area'
+                    area = self.myre.last_match.group(1)
+                    if mode not in db[router]:
+                        db[router][mode] = {}
+                    if area not in db[router][mode]:
+                        db[router][mode][area] = []
+                    tr = nltr
+                elif self.myre.search(r'Summary Link States \(Area ([\.\d]+)\)', heading):
+                    mode = 'summary_link_state_area'
+                    area = self.myre.last_match.group(1)
+                    if mode not in db[router]:
+                        db[router][mode] = {}
+                    if area not in db[router][mode]:
+                        db[router][mode][area] = []
+                    tr = sltr
+                elif heading == 'AS External Link States':
+                    mode = 'external_states'
+                    if mode not in db[router]:
+                        db[router][mode] = []
+                    tr = eltr
+                else:
+                    raise DaemonError('failed to parse heading: ' + heading)
+                # told you.
+            else:
+                if not header_parsed:
+                    if mode in ['summary_link_state_area', 'external_states']:
+                        # workaround because "Route" matches on "Router" and breaks the offset parsing logic
+                        # stay consistent with the previous script, add a trailing newline
+                        line += '\n'
+                    tr.read_header(line)
+                    header_parsed = True
+                else:
+                    if mode == 'router':
+                        raise DaemonError(
+                            'attempting to parse a table row but the mode is \'router\'. '
+                            'please debug the FRR output:\n\n\n' + line
+                        )
+                    elif mode == 'external_states':
+                        db[router][mode].append(tr.read_line(line))
+                    else:
+                        db[router][mode][area].append(tr.read_line(line))
+
+        return db
 
-        # this is going to be dirty
-        if self.myre.search(r'OSPF Router with ID \(([\.\d]+)\)', heading):
-          router = self.myre.last_match.group(1)
-          if not router in db:
-            db[router] = {}
-          mode = 'router'
-        elif self.myre.search(r'Router Link States \(Area ([\.\d]+)\)', heading):
-          mode = 'router_link_state_area'
-          area = self.myre.last_match.group(1)
-          if not mode in db[router]:
-            db[router][mode] = {}
-          if not area in db[router][mode]:
-            db[router][mode][area] = []
-          tr = rltr
-        elif self.myre.search(r'Net Link States \(Area ([\.\d]+)\)', heading):
-          mode = 'net_link_state_area'
-          area = self.myre.last_match.group(1)
-          if not mode in db[router]:
-            db[router][mode] = {}
-          if not area in db[router][mode]:
-            db[router][mode][area] = []
-          tr = nltr
-        elif self.myre.search(r'Summary Link States \(Area ([\.\d]+)\)', heading):
-          mode = 'summary_link_state_area'
-          area = self.myre.last_match.group(1)
-          if not mode in db[router]:
-            db[router][mode] = {}
-          if not area in db[router][mode]:
-            db[router][mode][area] = []
-          tr = sltr
-        elif heading == 'AS External Link States':
-          mode = 'external_states'
-          if not mode in db[router]:
-            db[router][mode] = []
-          tr = eltr
-        else:
-          raise DaemonError('failed to parse heading: ' + heading)
-        # told you.
-      else:
-        if not header_parsed:
-          if mode in ['summary_link_state_area', 'external_states']:
-            # workaround because "Route" matches on "Router" and breaks the offset parsing logic
-            # stay consistent with the previous script, add a trailing newline
-            line += '\n'
-          tr.read_header(line)
-          header_parsed = True
-        else:
-          if mode == 'router':
-            raise DaemonError('attempting to parse a table row but the mode is \'router\'. please debug the FRR output:\n\n\n'+lines)
-          elif mode == 'external_states':
-            db[router][mode].append(tr.read_line(line))
-          else:
-            db[router][mode][area].append(tr.read_line(line))
-    
-    return db
 
 class OSPFv3(Daemon):
-  def _show(self, suffix: str):
-    return super()._show('ipv6 ospf6 ' + suffix)
-
-  def database(self):
-    database = {}
-    lines = map(str.strip, self._show('database'))
-
-    # table reader
-    tr = FRRTableReader(titles=["Type", "LSId", "AdvRouter", " Age", "  SeqNum","                       Payload"])
-    # whether or not the header for the current section has already been parsed
-    header_parsed = False
-    # the current router
-    router = None
-    # the current area
-    area = None
-    # the current mode
-    mode = None
-
-    for line in lines:
-      # here we go again...
-      if self.myre.search(r'Area Scoped Link State Database \(Area (.*)\)', line):
-        header_parsed = False
-        mode = 'scoped_link_db'
-        area = self.myre.last_match.group(1)
-        if not mode in database:
-          database[mode] = {}
-        if not area in database[mode]:
-          database[mode][area] = []
-      elif self.myre.search(r'I\/F Scoped Link State Database \(I\/F (\S+) in Area (.*)\)', line):
-        header_parsed = False
-        mode = 'if_scoped_link_state'
-        interface = self.myre.last_match.group(1)
-        area = self.myre.last_match.group(2)
-        if not mode in database:
-          database[mode] = {}
-        if not interface in database[mode]:
-          database[mode][interface] = {}
-        if not area in database[mode][interface]:
-          database[mode][interface][area] = []
-      elif line == 'AS Scoped Link State Database':
+    def _show(self, suffix: str):
+        return super()._show('ipv6 ospf6 ' + suffix)
+
+    def database(self):
+        database = {}
+        lines = map(str.strip, self._show('database'))
+
+        # table reader
+        tr = FRRTableReader(titles=["Type", "LSId", "AdvRouter", " Age", "  SeqNum", "                       Payload"])
         header_parsed = False
-        mode = 'as_scoped'
-        if not mode in database:
-          database[mode] = []
-      else:
-        if not header_parsed:
-          tr.read_header(line)
-          header_parsed = True
-        else:
-          if mode == 'scoped_link_db':
-            database[mode][area].append(tr.read_line(line))
-          elif mode == 'if_scoped_link_state':
-            database[mode][interface][area].append(tr.read_line(line))
-          elif mode == 'as_scoped':
-            database[mode].append(tr.read_line(line))
-          else:
-            raise DaemonError('invalid mode, failed to parse line: ' + line)
-
-    return database
-
-  def route(self):
-    route = []
-    lines = map(str.strip, self._show('route'))
-
-    for line in lines:
-      columns = re.split(r'\s+', line)
-      route.append({
-        'f1': columns[0],
-        'f2': columns[1],
-        'network': columns[2],
-        'gateway': columns[3],
-        'interface': columns[4],
-        'time': columns[5],
-      })
-
-    return route
-
-  def interface(self):
-    interface = {}
-    lines = map(str.strip, self._show('interface'))
-
-    # the interface currently being parsed
-    current_if = None
-
-    for line in lines:
-      # here we go again...
-      if self.myre.search(r'(\S+) is (down|up), type ([A-Z]+)', line):
-        current_if = self.myre.last_match.group(1)
-        interface[current_if] = {
-          'up': True if self.myre.last_match.group(2) == 'up' else False,
-          'type': self.myre.last_match.group(3),
-          'enabled': True
-        }
-      elif self.myre.search(r'Interface ID: (\d+)', line):
-        interface[current_if]['id'] = self.myre.last_match.group(1)
-      elif self.myre.search(r'OSPF not enabled on this interface', line):
-        interface[current_if]['enabled'] = False
-      elif self.myre.search(r'Instance ID (\d+), Interface MTU (\d+) \(autodetect: (\d+)\)', line):
-        interface[current_if]['instance_id'] = int(self.myre.last_match.group(1))
-        interface[current_if]['interface_mtu'] = int(self.myre.last_match.group(2))
-        interface[current_if]['interface_mtu_autodetect'] = int(self.myre.last_match.group(3))
-      elif self.myre.search(r'(inet |inet6): (\S+)', line):
-        family = 'IPv6' if self.myre.last_match.group(1) == 'inet6' else 'IPv4'
-        if not family in interface[current_if]:
-          interface[current_if][family] = []
-        interface[current_if][family].append(self.myre.last_match.group(2))
-      elif self.myre.search(r'MTU mismatch detection: (en|dis)abled', line):
-        interface[current_if]['mtu_mismatch_detection'] = True if self.myre.last_match.group(1) == 'en' else False
-      elif self.myre.search(r'DR: (\S+) BDR: (\S+)', line):
-        interface[current_if]['designated_router'] = self.myre.last_match.group(1)
-        interface[current_if]['backup_designated_router'] = self.myre.last_match.group(2)
-      elif self.myre.search(r'State (\S+), Transmit Delay (\d+) sec, Priority (\d+)', line):
-        interface[current_if]['state'] = self.myre.last_match.group(1)
-        interface[current_if]['transmit_delay'] = int(self.myre.last_match.group(2))
-        interface[current_if]['priority'] = int(self.myre.last_match.group(3))
-      elif self.myre.search(r'Number of I\/F scoped LSAs is (\d+)', line):
-        interface[current_if]['number_if_scoped_lsas'] = int(self.myre.last_match.group(1))
-      elif self.myre.search(r'(\d+) Pending LSAs for (\S+) in Time ([\d:]+)(?: (.*))', line):
-        if not 'pending_lsas' in interface[current_if]:
-          interface[current_if]['pending_lsas'] = {}
-        interface[current_if]['pending_lsas'][self.myre.last_match.group(2)] = {
-          'time': self.myre.last_match.group(3),
-          'count': self.myre.last_match.group(1),
-          'flags': self.myre.last_match.group(4)
-        }
-      elif self.myre.search(r'Hello (\d+), Dead (\d+), Retransmit (\d+)', line):
-        interface[current_if]['timers'] = {
-          'hello': int(self.myre.last_match.group(1)),
-          'dead': int(self.myre.last_match.group(2)),
-          'retransmit': int(self.myre.last_match.group(3))
-        }
-      elif self.myre.search(r'Area ID (\S+), Cost (\d+)', line):
-        if not 'area_cost' in interface[current_if]:
-          interface[current_if]['area_cost'] = []
-        interface[current_if]['area_cost'].append({
-          'area': self.myre.last_match.group(1),
-          'cost': int(self.myre.last_match.group(2))
-        })
-      elif line in ['Internet Address:', 'Timer intervals configured:']:
-        # ignore these strings
-        pass
-      else:
-        raise DaemonError('failed to parse line: ' + line)
-
-    return interface
-
-  def neighbor(self):
-    neighbors = []
-    lines = self._show('neighbor')
-
-    tr = FRRTableReader(titles=['Neighbor ID','Pri', 'DeadTime', 'State/IfState', 'Duration I/F[State]'])
-    ll = lines.pop(0)
-    tr.read_header(ll)
-
-    for line in lines:
-      neighbor = tr.read_line(line)
-      neighbor['Pri'] = int(neighbor['Pri'])
-      neighbors.append(neighbor)
-
-    return neighbors
-
-  def overview(self):
-    overview = {'areas': {}}
-    lines = map(str.strip, self._show(''))
-
-    current_area = None
-
-    for line in lines:
-      if self.myre.search(r'OSPFv3 Routing Process \((\d+)\) with Router-ID ([\d\.]+)', line):
-        overview['router_id'] = self.myre.last_match.group(2)
-        overview['routing_process'] = int(self.myre.last_match.group(1))
-      elif self.myre.search(r'Initial SPF scheduling delay (\d+) millisec\(s\)', line):
-        overview['initial_spf_scheduling_delay'] = int(self.myre.last_match.group(1))
-      elif self.myre.search(r'(Min|Max)imum hold time between consecutive SPFs (\d+) milli?second\(s\)', line):
-        if not 'hold_time' in overview:
-          overview['hold_time'] = {}
-        overview['hold_time'][self.myre.last_match.group(1).lower()] = int(self.myre.last_match.group(2))
-      elif line == 'This router is an ASBR (injecting external routing information)':
-        overview['asbr'] = True
-      elif self.myre.search(r'SPF timer is (.*)', line):
-        overview['spf_timer'] = self.myre.last_match.group(1)
-      elif self.myre.search(r'Running (.*)', line):
-        overview['running_time'] = self.myre.last_match.group(1)
-      elif self.myre.search(r'Number of AS scoped LSAs is (\d+)', line):
-        overview['number_as_scoped'] = int(self.myre.last_match.group(1))
-      elif self.myre.search(r'Hold time multiplier is currently (\d+)', line):
-        overview['current_hold_time_multipier'] = int(self.myre.last_match.group(1))
-      elif self.myre.search(r'Number of areas in this router is (\d+)', line):
-        overview['number_of_areas'] = int(self.myre.last_match.group(1))
-      elif self.myre.search(r'^Area ([\d\.]*)', line):
-        current_area = self.myre.last_match.group(1)
-        overview['areas'][current_area] = {}
-      elif self.myre.search(r'Interface attached to this area: (.*)', line):
-        overview['areas'][current_area]['interfaces'] = self.myre.last_match.group(1).split(' ')
-      elif self.myre.search(r'Number of Area scoped LSAs is (.*)', line):
-        overview['areas'][current_area]['number_lsas'] = int(self.myre.last_match.group(1))
-      elif (self.myre.search(r'LSA minimum arrival (.*)', line)
-        or self.myre.search(r'SPF algorithm last executed (.*)', line)
-        or self.myre.search(r'Last SPF duration (.*)', line)
-        or self.myre.search(r'SPF last executed (.*)', line)
-        or self.myre.search(r'Number of Area scoped LSAs is (.*)', line)
-        ):
-        # skip these lines
-        pass
-      else:
-        raise DaemonError('failed to parse line: ' + line)
-
-    return overview
-
-# le script
+        interface = None
+        area = None
+        mode = None
+
+        for line in lines:
+            if self.myre.search(r'Area Scoped Link State Database \(Area (.*)\)', line):
+                header_parsed = False
+                mode = 'scoped_link_db'
+                area = self.myre.last_match.group(1)
+                if mode not in database:
+                    database[mode] = {}
+                if area not in database[mode]:
+                    database[mode][area] = []
+            elif self.myre.search(r'I\/F Scoped Link State Database \(I\/F (\S+) in Area (.*)\)', line):
+                header_parsed = False
+                mode = 'if_scoped_link_state'
+                interface = self.myre.last_match.group(1)
+                area = self.myre.last_match.group(2)
+                if mode not in database:
+                    database[mode] = {}
+                if interface not in database[mode]:
+                    database[mode][interface] = {}
+                if area not in database[mode][interface]:
+                    database[mode][interface][area] = []
+            elif line == 'AS Scoped Link State Database':
+                header_parsed = False
+                mode = 'as_scoped'
+                if mode not in database:
+                    database[mode] = []
+            else:
+                if not header_parsed:
+                    tr.read_header(line)
+                    header_parsed = True
+                else:
+                    if mode == 'scoped_link_db':
+                        database[mode][area].append(tr.read_line(line))
+                    elif mode == 'if_scoped_link_state':
+                        database[mode][interface][area].append(tr.read_line(line))
+                    elif mode == 'as_scoped':
+                        database[mode].append(tr.read_line(line))
+                    else:
+                        raise DaemonError('invalid mode, failed to parse line: ' + line)
+
+        return database
+
+    def route(self):
+        route = []
+        lines = map(str.strip, self._show('route'))
+
+        for line in lines:
+            columns = re.split(r'\s+', line)
+            route.append({
+                'f1': columns[0],
+                'f2': columns[1],
+                'network': columns[2],
+                'gateway': columns[3],
+                'interface': columns[4],
+                'time': columns[5],
+            })
+
+        return route
+
+    def interface(self):
+        interface = {}
+        lines = map(str.strip, self._show('interface'))
+
+        current_if = None
+        for line in lines:
+            if self.myre.search(r'(\S+) is (down|up), type ([A-Z]+)', line):
+                current_if = self.myre.last_match.group(1)
+                interface[current_if] = {
+                    'up': True if self.myre.last_match.group(2) == 'up' else False,
+                    'type': self.myre.last_match.group(3),
+                    'enabled': True
+                }
+            elif self.myre.search(r'Interface ID: (\d+)', line):
+                interface[current_if]['id'] = self.myre.last_match.group(1)
+            elif self.myre.search(r'OSPF not enabled on this interface', line):
+                interface[current_if]['enabled'] = False
+            elif self.myre.search(r'Instance ID (\d+), Interface MTU (\d+) \(autodetect: (\d+)\)', line):
+                interface[current_if]['instance_id'] = int(self.myre.last_match.group(1))
+                interface[current_if]['interface_mtu'] = int(self.myre.last_match.group(2))
+                interface[current_if]['interface_mtu_autodetect'] = int(self.myre.last_match.group(3))
+            elif self.myre.search(r'(inet |inet6): (\S+)', line):
+                family = 'IPv6' if self.myre.last_match.group(1) == 'inet6' else 'IPv4'
+                if family not in interface[current_if]:
+                    interface[current_if][family] = []
+                interface[current_if][family].append(self.myre.last_match.group(2))
+            elif self.myre.search(r'MTU mismatch detection: (en|dis)abled', line):
+                interface[current_if]['mtu_mismatch_detection'] = True if self.myre.last_match.group(
+                    1) == 'en' else False
+            elif self.myre.search(r'DR: (\S+) BDR: (\S+)', line):
+                interface[current_if]['designated_router'] = self.myre.last_match.group(1)
+                interface[current_if]['backup_designated_router'] = self.myre.last_match.group(2)
+            elif self.myre.search(r'State (\S+), Transmit Delay (\d+) sec, Priority (\d+)', line):
+                interface[current_if]['state'] = self.myre.last_match.group(1)
+                interface[current_if]['transmit_delay'] = int(self.myre.last_match.group(2))
+                interface[current_if]['priority'] = int(self.myre.last_match.group(3))
+            elif self.myre.search(r'Number of I\/F scoped LSAs is (\d+)', line):
+                interface[current_if]['number_if_scoped_lsas'] = int(self.myre.last_match.group(1))
+            elif self.myre.search(r'(\d+) Pending LSAs for (\S+) in Time ([\d:]+)(?: (.*))', line):
+                if 'pending_lsas' not in interface[current_if]:
+                    interface[current_if]['pending_lsas'] = {}
+                interface[current_if]['pending_lsas'][self.myre.last_match.group(2)] = {
+                    'time': self.myre.last_match.group(3),
+                    'count': self.myre.last_match.group(1),
+                    'flags': self.myre.last_match.group(4)
+                }
+            elif self.myre.search(r'Hello (\d+), Dead (\d+), Retransmit (\d+)', line):
+                interface[current_if]['timers'] = {
+                    'hello': int(self.myre.last_match.group(1)),
+                    'dead': int(self.myre.last_match.group(2)),
+                    'retransmit': int(self.myre.last_match.group(3))
+                }
+            elif self.myre.search(r'Area ID (\S+), Cost (\d+)', line):
+                if 'area_cost' not in interface[current_if]:
+                    interface[current_if]['area_cost'] = []
+                interface[current_if]['area_cost'].append({
+                    'area': self.myre.last_match.group(1),
+                    'cost': int(self.myre.last_match.group(2))
+                })
+            elif line in ['Internet Address:', 'Timer intervals configured:']:
+                # ignore these strings
+                pass
+            else:
+                raise DaemonError('failed to parse line: ' + line)
+
+        return interface
+
+    def neighbor(self):
+        neighbors = []
+        lines = self._show('neighbor')
+
+        tr = FRRTableReader(titles=['Neighbor ID', 'Pri', 'DeadTime', 'State/IfState', 'Duration I/F[State]'])
+        ll = lines.pop(0)
+        tr.read_header(ll)
+
+        for line in lines:
+            neighbor = tr.read_line(line)
+            neighbor['Pri'] = int(neighbor['Pri'])
+            neighbors.append(neighbor)
+
+        return neighbors
+
+    def overview(self):
+        overview = {'areas': {}}
+        lines = map(str.strip, self._show(''))
+
+        current_area = None
+
+        for line in lines:
+            if self.myre.search(r'OSPFv3 Routing Process \((\d+)\) with Router-ID ([\d\.]+)', line):
+                overview['router_id'] = self.myre.last_match.group(2)
+                overview['routing_process'] = int(self.myre.last_match.group(1))
+            elif self.myre.search(r'Initial SPF scheduling delay (\d+) millisec\(s\)', line):
+                overview['initial_spf_scheduling_delay'] = int(self.myre.last_match.group(1))
+            elif self.myre.search(r'(Min|Max)imum hold time between consecutive SPFs (\d+) milli?second\(s\)', line):
+                if 'hold_time' not in overview:
+                    overview['hold_time'] = {}
+                overview['hold_time'][self.myre.last_match.group(1).lower()] = int(self.myre.last_match.group(2))
+            elif line == 'This router is an ASBR (injecting external routing information)':
+                overview['asbr'] = True
+            elif self.myre.search(r'SPF timer is (.*)', line):
+                overview['spf_timer'] = self.myre.last_match.group(1)
+            elif self.myre.search(r'Running (.*)', line):
+                overview['running_time'] = self.myre.last_match.group(1)
+            elif self.myre.search(r'Number of AS scoped LSAs is (\d+)', line):
+                overview['number_as_scoped'] = int(self.myre.last_match.group(1))
+            elif self.myre.search(r'Hold time multiplier is currently (\d+)', line):
+                overview['current_hold_time_multipier'] = int(self.myre.last_match.group(1))
+            elif self.myre.search(r'Number of areas in this router is (\d+)', line):
+                overview['number_of_areas'] = int(self.myre.last_match.group(1))
+            elif self.myre.search(r'^Area ([\d\.]*)', line):
+                current_area = self.myre.last_match.group(1)
+                overview['areas'][current_area] = {}
+            elif self.myre.search(r'Interface attached to this area: (.*)', line):
+                overview['areas'][current_area]['interfaces'] = self.myre.last_match.group(1).split(' ')
+            elif self.myre.search(r'Number of Area scoped LSAs is (.*)', line):
+                overview['areas'][current_area]['number_lsas'] = int(self.myre.last_match.group(1))
+            elif self.myre.search(r'LSA minimum arrival (.*)', line) or \
+                    self.myre.search(r'SPF algorithm last executed (.*)', line) or \
+                    self.myre.search(r'Last SPF duration (.*)', line) or \
+                    self.myre.search(r'SPF last executed (.*)', line) or \
+                    self.myre.search(r'Number of Area scoped LSAs is (.*)', line):
+                # skip these lines
+                pass
+            else:
+                raise DaemonError('failed to parse line: ' + line)
+
+        return overview
+
+
 if __name__ == '__main__':
-  parser = argparse.ArgumentParser(description='Python port of the OPNsense FRR output parser.')
-  parser.add_argument('-d', '--ospf-database', help='Prints the OSPF Database', action='store_true')
-  parser.add_argument('-D', '--ospfv3-database', help='Prints the OSPFv3 Database', action='store_true')
-  parser.add_argument('-t', '--ospfv3-route', help='Prints the OSPFv3 routing table', action='store_true')
-  parser.add_argument('-I', '--ospfv3-interface', help='Prints OSPFv3 interface information', action='store_true')
-  parser.add_argument('-N', '--ospfv3-neighbor', help='Prints OSPFv3 neighbor information', action='store_true')
-  parser.add_argument('-O', '--ospfv3-overview', help='Prints an OSPFv3 Summary', action='store_true')
-  args = parser.parse_args()
-
-  # initialize VtySH and parser objects
-  vtysh = VtySH()
-  ospf = OSPF(vtysh)
-  ospfv3 = OSPFv3(vtysh)
-
-  result = {}
-  if args.ospf_database:
-    result['ospf_database'] = ospf.database()
-  elif args.ospfv3_database:
-    result['ospfv3_database'] = ospfv3.database()
-  elif args.ospfv3_route:
-    result['ospfv3_route'] = ospfv3.route()
-  elif args.ospfv3_interface:
-    result['ospfv3_interface'] = ospfv3.interface()
-  elif args.ospfv3_neighbor:
-    result['ospfv3_neighbors'] = ospfv3.neighbor()
-  elif args.ospfv3_overview:
-    result['ospfv3_overview'] = ospfv3.overview()
-
-  print(ujson.dumps(result, escape_forward_slashes=False))
\ No newline at end of file
+    parser = argparse.ArgumentParser(description='Python port of the OPNsense FRR output parser.')
+    parser.add_argument('-d', '--ospf-database', help='Prints the OSPF Database', action='store_true')
+    parser.add_argument('-D', '--ospfv3-database', help='Prints the OSPFv3 Database', action='store_true')
+    parser.add_argument('-t', '--ospfv3-route', help='Prints the OSPFv3 routing table', action='store_true')
+    parser.add_argument('-I', '--ospfv3-interface', help='Prints OSPFv3 interface information', action='store_true')
+    parser.add_argument('-N', '--ospfv3-neighbor', help='Prints OSPFv3 neighbor information', action='store_true')
+    parser.add_argument('-O', '--ospfv3-overview', help='Prints an OSPFv3 Summary', action='store_true')
+    args = parser.parse_args()
+
+    # initialize VtySH and parser objects
+    main_vtysh = VtySH()
+    ospf = OSPF(main_vtysh)
+    ospfv3 = OSPFv3(main_vtysh)
+
+    main_result = {}
+    if args.ospf_database:
+        main_result['ospf_database'] = ospf.database()
+    elif args.ospfv3_database:
+        main_result['ospfv3_database'] = ospfv3.database()
+    elif args.ospfv3_route:
+        main_result['ospfv3_route'] = ospfv3.route()
+    elif args.ospfv3_interface:
+        main_result['ospfv3_interface'] = ospfv3.interface()
+    elif args.ospfv3_neighbor:
+        main_result['ospfv3_neighbors'] = ospfv3.neighbor()
+    elif args.ospfv3_overview:
+        main_result['ospfv3_overview'] = ospfv3.overview()
+
+    print(ujson.dumps(main_result, escape_forward_slashes=False))

From b2d5d685e32968604feea055b8d6285211d4d0e1 Mon Sep 17 00:00:00 2001
From: "Julio Cesar Camargo (JCC)" <julio@cloudfence.com.br>
Date: Wed, 23 Dec 2020 06:42:52 -0300
Subject: [PATCH 0348/3088] FIX - Sensor not start without server enabled
 (#1650)

Sensor now starts even with local server disabled.
---
 .../opnsense/service/templates/OPNsense/Maltrail/maltrail.conf  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index 05a193e62e..7f0715f68b 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -13,6 +13,8 @@ UDP_ADDRESS {{ OPNsense.maltrail.server.loglistenaddress }}
 {%   if helpers.exists('OPNsense.maltrail.server.loglistenport') and OPNsense.maltrail.server.loglistenport != '' %}
 UDP_PORT {{ OPNsense.maltrail.server.loglistenport }}
 {%   endif %}
+{% else %}
+HTTP_PORT {{ OPNsense.maltrail.server.listenport }}
 {% endif %}
 
 {% if helpers.exists('OPNsense.maltrail.sensor.enabled') and OPNsense.maltrail.sensor.enabled == '1' %}

From e6619cea7f6ab2ee9070e21f6557c0e2912f1831 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 8 Jan 2021 09:14:50 +0100
Subject: [PATCH 0349/3088] Framework: useful dev glue from core

---
 Mk/defaults.mk | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 334c3b760a..499d92f63a 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2016-2020 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2016-2021 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -88,10 +88,15 @@ ${_TARGET}_ARG=		${${_TARGET}_ARGS:[0]}
 .endif
 .endfor
 
-diff:
+ensure-stable:
+	@if ! git show-ref --verify --quiet refs/heads/stable/${PLUGIN_ABI}; then \
+		git update-ref refs/heads/stable/${PLUGIN_ABI} refs/remotes/origin/stable/${PLUGIN_ABI}; \
+	fi
+
+diff: ensure-stable
 	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${diff_ARGS:[1]}
 
-mfc:
+mfc: ensure-stable
 .for MFC in ${mfc_ARGS}
 .if exists(${MFC})
 	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${MFC} > /tmp/mfc.diff
@@ -107,3 +112,9 @@ mfc:
 .endif
 	@git checkout master
 .endfor
+
+stable:
+	@git checkout stable/${PLUGIN_ABI}
+
+master:
+	@git checkout master

From a613e78cc6a11b5e4b9c1469e63ddcbf92a7c00a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Jan 2021 09:14:50 +0100
Subject: [PATCH 0350/3088] Framework: PHP default changed a while back

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 499d92f63a..8ae42c7a49 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -59,7 +59,7 @@ PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
 PLUGIN_ABI?=	20.7
-PLUGIN_PHP?=	72
+PLUGIN_PHP?=	73
 PLUGIN_PYTHON?=	37
 
 REPLACEMENTS=	PLUGIN_ABI \

From 6e406f06944da6fe55f6d3ded8c2f3ef970320fa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Jan 2021 09:23:09 +0100
Subject: [PATCH 0351/3088] Framework: properly ensure stable with upstream set

---
 Mk/defaults.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 8ae42c7a49..8c3a2696de 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -91,6 +91,8 @@ ${_TARGET}_ARG=		${${_TARGET}_ARGS:[0]}
 ensure-stable:
 	@if ! git show-ref --verify --quiet refs/heads/stable/${PLUGIN_ABI}; then \
 		git update-ref refs/heads/stable/${PLUGIN_ABI} refs/remotes/origin/stable/${PLUGIN_ABI}; \
+		git config branch.stable/${PLUGIN_ABI}.merge refs/heads/stable/${PLUGIN_ABI}; \
+		git config branch.stable/${PLUGIN_ABI}.remote origin; \
 	fi
 
 diff: ensure-stable

From 3f216a47e07f89c04f380903ab43e8bd6f48ba34 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Jan 2021 09:55:13 +0100
Subject: [PATCH 0352/3088] security/maltrail: bump revision

---
 security/maltrail/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index 85365371a4..eec24cb786 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		maltrail
 PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 8e78daf64376572ea642c939280036ce573e22d8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Jan 2021 09:58:17 +0100
Subject: [PATCH 0353/3088] LICENSE: sync

---
 LICENSE | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index e240a4202e..a5aba81354 100644
--- a/LICENSE
+++ b/LICENSE
@@ -11,7 +11,7 @@ Copyright (c) 2006 Eric Friesen
 Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2017-2019 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
-Copyright (c) 2014-2020 Franco Fichtner <franco@opnsense.org>
+Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2020 Frank Wall
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
@@ -19,6 +19,7 @@ Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019 Juergen Kellerer
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
+Copyright (c) 2020 Marc Leuser
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2017-2020 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>

From 330120ad14f8a67b6906398b9cad529eb02e6019 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Jan 2021 10:00:24 +0100
Subject: [PATCH 0354/3088] net/frr: post-merge cleanups

---
 .../opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt | 2 +-
 net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py          | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
index 5b446b5338..80cf75ff06 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
@@ -104,7 +104,7 @@ POSSIBILITY OF SUCH DAMAGE.
   <% if (areas) { %>
     <h2>{{ lang._('Areas') }}</h2>
     <% _.forEach(areas, function(area, areaname) { %>
-      <br /> 
+      <br />
       <table class="table table-striped">
         <thead>
           <tr>
diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
old mode 100644
new mode 100755

From e10be2971cad14e308c1647e1c491c2f18eb6111 Mon Sep 17 00:00:00 2001
From: John Keates <john@keates.nl>
Date: Tue, 12 Jan 2021 09:19:11 +0100
Subject: [PATCH 0355/3088] Update pkg-descr (#2179)

According to the SF website the project can now be found on github; not sure if the URL in here has to match something else but if not, this updates the url so it points to the current home of the igmpproxy.
---
 net/igmp-proxy/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/igmp-proxy/pkg-descr b/net/igmp-proxy/pkg-descr
index 540ef1d457..b45fd900bb 100644
--- a/net/igmp-proxy/pkg-descr
+++ b/net/igmp-proxy/pkg-descr
@@ -1,4 +1,4 @@
 Igmpproxy is a simple multicast routing daemon based on mrouted.
 It uses IGMP forwarding to dynamically route multicast traffic.
 
-WWW: http://igmpproxy.sourceforge.net/
+WWW: https://github.com/pali/igmpproxy

From 22d222a5dd056eb718484c222f36e8f8ce01c3ca Mon Sep 17 00:00:00 2001
From: vnxme <46669194+vnxme@users.noreply.github.com>
Date: Thu, 14 Jan 2021 15:43:16 +0300
Subject: [PATCH 0356/3088] security/tinc: Fix switch mode (after #2110)
 (#2186)

In switch mode the subnet field is empty, thus the 'subnet' key does not exist in the '_payload' dictionary.
---
 security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
index a0031d9b07..d35db341ac 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
@@ -141,7 +141,7 @@ def set_connectto(self, value):
         self._connectTo = value.text
 
     def get_subnets(self):
-        if not self._payload['subnet']:
+        if not 'subnet' in self._payload:
             return
         yield from self._payload['subnet'].split(',')
 

From 0160ec1e4dc50a3bf01d81205bf7374c8c6c6b41 Mon Sep 17 00:00:00 2001
From: vnxme <46669194+vnxme@users.noreply.github.com>
Date: Thu, 14 Jan 2021 15:44:59 +0300
Subject: [PATCH 0357/3088] security/tinc: Fix extaddress field validation
 (#2187)

It should be 'Y', since any different value is recognized as 'N'
---
 .../tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index f6a077d558..f3aa3805cf 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -23,7 +23,7 @@
                 </hostname>
                 <extaddress type="HostnameField">
                     <Required>N</Required>
-                    <IpAllowed>1</IpAllowed>
+                    <IpAllowed>Y</IpAllowed>
                     <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                 </extaddress>
@@ -136,7 +136,7 @@
                 </extport>
                 <extaddress type="HostnameField">
                     <Required>N</Required>
-                    <IpAllowed>1</IpAllowed>
+                    <IpAllowed>Y</IpAllowed>
                     <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                     <Constraints>

From d07948cbb10fee231d95033dc0cda3dad9228ca8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Jan 2021 14:32:14 +0100
Subject: [PATCH 0358/3088] security/tinc: update revision after fixes

---
 security/tinc/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index b85f2f0211..45b3c7279b 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.6
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 7d1048d281637c24966f2b85ae83bb547a073f39 Mon Sep 17 00:00:00 2001
From: Jacek Tomasiak <jacek.tomasiak@gmail.com>
Date: Thu, 14 Jan 2021 19:43:18 +0100
Subject: [PATCH 0359/3088] os-smart: Re-add descriptions for cron actions
 (#2117)

The "description" fields were removed to not flood the UI with duplicate
items but some of them are actually useful for cron.
Descriptions for actions related to tests were re-added with unique
content to enable periodic SMART tests via cron.
---
 .../src/opnsense/service/conf/actions.d/actions_smart.conf   | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf b/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
index fb05a5e05d..104c227e4d 100644
--- a/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
+++ b/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
@@ -57,27 +57,32 @@ command:/usr/local/sbin/smartctl -t offline
 parameters:%s; exit 0
 type:script_output
 message:Testing device %s (offline)
+description:Run SMART test (offline)
 
 [test.short]
 command:/usr/local/sbin/smartctl -t short
 parameters:%s; exit 0
 type:script_output
 message:Testing device %s (short)
+description:Run SMART test (short)
 
 [test.long]
 command:/usr/local/sbin/smartctl -t long
 parameters:%s; exit 0
 type:script_output
 message:Testing device %s (long)
+description:Run SMART test (long)
 
 [test.conveyance]
 command:/usr/local/sbin/smartctl -t conveyance
 parameters:%s; exit 0
 type:script_output
 message:Testing device %s (conveyance)
+description:Run SMART test (conveyance)
 
 [abort]
 command:/usr/local/sbin/smartctl -X
 parameters:%s; exit 0
 type:script_output
 message:Abort test on device %s
+description:Abort SMART tests

From 2b0a70f3385439b5fc5a5c8e5be1cb4b4ac86d08 Mon Sep 17 00:00:00 2001
From: jkellerer <jkellerer@users.noreply.github.com>
Date: Thu, 14 Jan 2021 19:52:37 +0100
Subject: [PATCH 0360/3088] Maltrail/Sensor: Allow to configure capture buffer
 size. (#2063)

Made CAPTURE_BUFFER option configurable since the fixed default (10% of RAM) is very large for RAM sizes above 4GB and causes high RAM & swap usage.
---
 security/maltrail/Makefile                                | 3 +--
 security/maltrail/pkg-descr                               | 4 ++++
 .../app/controllers/OPNsense/Maltrail/forms/sensor.xml    | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml  | 8 +++++++-
 .../service/templates/OPNsense/Maltrail/maltrail.conf     | 4 ++++
 5 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index eec24cb786..874f9d5de8 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		maltrail
-PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.6
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index e7ef830a11..8e22fe521c 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -11,6 +11,10 @@ WWW: https://github.com/stamparm/maltrail
 Changelog
 ---------
 
+1.6
+
+* Allow to set capture buffer size
+
 1.5
 
 * Change whitelisting format (by @jkellerer)
diff --git a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
index 24636d4a30..df6f7639a8 100644
--- a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
+++ b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
@@ -11,6 +11,12 @@
         <type>checkbox</type>
         <help>This will look into all IPv4 and IPv6 traffic. If disabled it will only look for traffic for icmp, udp, tcp syn packets and on known HTTP ports.</help>
     </field>
+    <field>
+        <id>sensor.capturebuffer</id>
+        <label>Capture Buffer Size</label>
+        <type>text</type>
+        <help>Size of the ring buffer (in MB) to memory-map into the sensor processes for sharing captured network traffic. An undersized buffer may reduce detection rates. Defaults to 10% of available RAM when left blank.</help>
+    </field>
     <field>
         <id>sensor.remoteserver</id>
         <label>Remote Server</label>
diff --git a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
index 3b1174b408..c1b87fcfe9 100644
--- a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
+++ b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/maltrail/sensor</mount>
     <description>Maltrail sensor configuration</description>
-    <version>0.0.1</version>
+    <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -11,6 +11,12 @@
             <default>0</default>
             <Required>Y</Required>
         </captureall>
+        <capturebuffer type="IntegerField">
+            <MinimumValue>10</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Please specify a buffer size between 10 and 1000 MB</ValidationMessage>
+            <Required>N</Required>
+        </capturebuffer>
         <remoteserver type="HostnameField">
             <Required>N</Required>
         </remoteserver>
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index 7f0715f68b..dde70dec88 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -55,7 +55,11 @@ MONITOR_INTERFACE {{ interfaces|join(',') }}
 {% else %}
 MONITOR_INTERFACE any
 {% endif %}
+{% if helpers.empty('OPNsense.maltrail.sensor.capturebuffer') %}
 CAPTURE_BUFFER 10%
+{% else %}
+CAPTURE_BUFFER {{OPNsense.maltrail.sensor.capturebuffer}}MB
+{% endif %}
 {% if helpers.exists('OPNsense.maltrail.sensor.captureall') and OPNsense.maltrail.sensor.captureall == '1' %}
 CAPTURE_FILTER ip or ip6
 {% else %}

From 9fad7f2f77786c3b1e6acc0d3d2676f509c76541 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 18 Jan 2021 16:22:33 +0100
Subject: [PATCH 0361/3088] FRR: OSPF influence interface cost via carp, set
 default demoted costs to follow ospfd's examples. for
 https://github.com/opnsense/plugins/issues/2091

sponsored by : Modirum (https://www.modirum.com/)
---
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 56b7ebaf3f..1a676a02c7 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -172,7 +172,7 @@
                                 <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
                         </cost>
                         <cost_demoted type="IntegerField">
-                                <default></default>
+                                <default>65535</default>
                                 <MinimumValue>1</MinimumValue>
                                 <Required>N</Required>
                                 <MaximumValue>65535</MaximumValue>

From 6c20cd005454cb8a6fbcd54f2615b82886ae4fbd Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 20 Jan 2021 18:36:53 +0100
Subject: [PATCH 0362/3088] dns/bind: fix slave zone templating (#2193)

---
 dns/bind/Makefile                                             | 2 +-
 dns/bind/pkg-descr                                            | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf   | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 0407be82f6..96f13f860c 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.15
+PLUGIN_VERSION=		1.16
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 02fed8ac08..f449017325 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.16
+
+* Fix slave zone templating
+
 1.15
 
 * Add support for "Transfer Source [IP|IPv6]" options
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 7196cf2c24..9309033bca 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -120,7 +120,7 @@ zone "rpzbing" { type master; file "/usr/local/etc/namedb/master/bing.db"; notif
 {%     if domain.enabled == '1' %}
 {%     set allow_transfer = helpers.getUUID(domain.allowtransfer) %}
 {%     set allow_query = helpers.getUUID(domain.allowquery) %}
-zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave != '' %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
+zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave is defined %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
 {%     endif %}
 {%   endfor %}
 {% endif %}

From 6751020b8d08ef64d06fdce4b51e76e3837dd013 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 21 Jan 2021 00:12:38 +0100
Subject: [PATCH 0363/3088] security/acme-client: fix "auto renewal" options,
 closes #2178

---
 security/acme-client/pkg-descr                |  5 ++++
 .../OPNsense/AcmeClient/LeCertificate.php     | 26 +++++++++++++++----
 .../library/OPNsense/AcmeClient/LeCommon.php  |  3 ++-
 .../scripts/OPNsense/AcmeClient/lecert.php    |  8 +++---
 .../conf/actions.d/actions_acmeclient.conf    |  2 +-
 5 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index b559755f7b..2bfdd9b4f1 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+2.3
+
+Fixed:
+* fix "auto renewal" options not working in certificate and plugin settings (#2178)
+
 2.2
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 20ca634476..8e0be409ee 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -45,14 +45,17 @@ class LeCertificate extends LeCommon
     public const CONFIG_PATH = 'certificates.certificate';
 
     /*
-     * create the object by collecting and storing all required data
+     * Create the object by collecting and storing all required data
      * @param $uuid string the UUID of the configuration object
+     * @param $force bool whether to enforce issue/renewal of the cert
+     * @param $cron bool run from cron job
      */
-    public function __construct(string $uuid, bool $force = false)
+    public function __construct(string $uuid, bool $force = false, bool $cron = false)
     {
         // Store basic information
         $this->uuid = $uuid;
         $this->force = $force;
+        $this->cron = $cron;
 
         // Get config object
         $this->loadConfig(self::CONFIG_PATH, $this->uuid);
@@ -318,13 +321,13 @@ public function issue()
 
         // Issue or renew?
         if (!empty((string)$this->config->lastUpdate) and !($this->force)) {
-            $acme_action = "renew";
+            $acme_action = 'renew';
             $renew = true;
         } else {
             // Default: Issue a new certificate.
             // If "force" is specified, forcefully re-issue the cert, no matter if it's required.
             // NOTE: This is useful when switching from acme staging to production servers.
-            $acme_action = "issue";
+            $acme_action = 'issue';
             $renew = false;
         }
 
@@ -334,6 +337,19 @@ public function issue()
             LeUtils::log("issue/renewal not required for certificate: " . (string)$this->config->name);
             return false;
         }
+
+        // Get auto renewal plugin setting.
+        $configObj = Config::getInstance()->object();
+        $auto_renewal = $configObj->OPNsense->AcmeClient->settings->autoRenewal;
+
+        // Check if called by auto renewal process.
+        if (($acme_action == 'renew') and ($this->cron == 1) and ($auto_renewal == 0)) {
+          LeUtils::log('auto renewal is globally disabled, skipping certificate: ' . (string)$this->config->name);
+          return false;
+        } elseif (($acme_action == 'renew') and ($this->cron == 1) and ((string)$this->config->autoRenewal == 0)) {
+          LeUtils::log('auto renewal is disabled for certificate: ' . (string)$this->config->name);
+          return false;
+        }
         LeUtils::log("${acme_action} certificate: " . (string)$this->config->name);
 
         // Ensure that account is registered.
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index 3ae1da0218..c3ae40817d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -80,6 +80,7 @@ abstract class LeCommon
     protected $command_args;        # optional args for configdRun()
 
     // Basic object information
+    protected $cron;                # Run from cron job
     protected $config;              # AcmeClient config object
     protected $debug;               # Debug logging (bool)
     protected $environment;         # Let's Encrypt environment (uses shortnames)
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
index 3b3d61bdae..3558d44dce 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -78,6 +78,7 @@
 --all               Work with ALL enabled certificates
 --account           The account UUID when working with an Lets Encrypt account
 --force             Force certain operations (i.e. renew)
+--cron              Special mode when running from cron (i.e. consider auto renew settings)
 TXT;
 
 // Examples that will be display in usage information.
@@ -138,8 +139,9 @@ function validateMode($mode)
 function main()
 {
     // Parse command line arguments
-    $options = getopt('h', ['account:', 'all', 'cert:', 'force', 'help', 'mode:']);
+    $options = getopt('h', ['account:', 'all', 'cert:', 'cron', 'force', 'help', 'mode:']);
     $force = isset($options['force']) ? true : false;
+    $cron = isset($options['cron']) ? true : false;
 
     // Verify mode and arguments
     if (
@@ -158,7 +160,7 @@ function main()
             // Iterate over all certificates
             foreach ($acme->certificates->children() as $certCfg) {
                 $cert_uuid = (string)$certCfg->attributes()['uuid'];
-                $cert = new LeCertificate($cert_uuid, $force);
+                $cert = new LeCertificate($cert_uuid, $force, $cron);
                 // NOTE: Disabled certificates are automatically ignored by LeCertificate.
                 $cert->issue();
             }
diff --git a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
index 1b90696405..81a14363b1 100644
--- a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
+++ b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
@@ -78,7 +78,7 @@ type:script
 message:running automations for a certificate
 
 [cron-auto-renew]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all --cron
 parameters:
 type:script
 message:cronjob running to sign or renew certificates

From e2512a8fc29acbd7ef05f40b48d838e379a3c2e1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 21 Jan 2021 01:09:43 +0100
Subject: [PATCH 0364/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index c64e3b48a7..86b2e519e1 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		2.2
+PLUGIN_VERSION=		2.3
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 85d6a3ac1aa6315e939ca3b176fc15c796674606 Mon Sep 17 00:00:00 2001
From: DasSkelett <dasskelett@gmail.com>
Date: Sat, 23 Jan 2021 10:03:55 +0100
Subject: [PATCH 0365/3088] net-mgmt/telegraf: Add ping6 input (#2029)

---
 net-mgmt/telegraf/Makefile                    |  2 +-
 .../OPNsense/Telegraf/forms/input.xml         | 22 +++++++++++++++----
 .../app/models/OPNsense/Telegraf/Input.xml    |  7 ++++++
 .../templates/OPNsense/Telegraf/telegraf.conf | 10 +++++++++
 4 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 6c5c508810..32f0fd6027 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.8.2
+PLUGIN_VERSION=		1.8.3
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
index 2e1f41a096..d7ec44fbba 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
@@ -87,17 +87,31 @@
     </field>
     <field>
         <id>input.ping</id>
-        <label>Ping</label>
+        <label>Ping (IPv4)</label>
         <type>checkbox</type>
-        <help>Ping Hosts and measure the metrics.</help>
+        <help>Ping Hosts using IPv4 and measure the metrics.</help>
     </field>
     <field>
         <id>input.ping_hosts</id>
-        <label>Ping Hosts</label>
+        <label>Ping Hosts (IPv4)</label>
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help>Set the Hosts to ping in a CSV list.</help>
+        <help>Set the Hosts to ping using IPv4 in a CSV list.</help>
+    </field>
+    <field>
+        <id>input.ping6</id>
+        <label>Ping (IPv6)</label>
+        <type>checkbox</type>
+        <help>Ping Hosts using IPv6 and measure the metrics.</help>
+    </field>
+    <field>
+        <id>input.ping6_hosts</id>
+        <label>Ping Hosts (IPv6)</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>Set the Hosts to ping using IPv6 in a CSV list.</help>
     </field>
     <field>
         <id>input.haproxy</id>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index 4dd827965f..bf4cd5d910 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -66,6 +66,13 @@
         <ping_hosts type="CSVListField">
             <Required>N</Required>
         </ping_hosts>
+        <ping6 type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </ping6>
+        <ping6_hosts type="CSVListField">
+            <Required>N</Required>
+        </ping6_hosts>
         <haproxy type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index f9396633e3..f9e83ea4d7 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -209,11 +209,21 @@
 
 {% if helpers.exists('OPNsense.telegraf.input.ping') and OPNsense.telegraf.input.ping == '1' %}
 [[inputs.ping]]
+  method = "exec"
 {%   if helpers.exists('OPNsense.telegraf.input.ping_hosts') and OPNsense.telegraf.input.ping_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping_hosts.split(','))) + "'" }}]
 {%   endif %}
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.input.ping6') and OPNsense.telegraf.input.ping6 == '1' %}
+[[inputs.ping]]
+  method = "exec"
+  binary = "ping6"
+{%   if helpers.exists('OPNsense.telegraf.input.ping6_hosts') and OPNsense.telegraf.input.ping6_hosts != '' %}
+  urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping6_hosts.split(','))) + "'" }}]
+{%   endif %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.telegraf.input.haproxy') and OPNsense.telegraf.input.haproxy == '1' %}
 [[inputs.haproxy]]
   servers = ["socket:/var/run/haproxy.socket"]

From bee24227874e793eff3886605d536797b516db0f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 24 Jan 2021 21:43:47 +0100
Subject: [PATCH 0366/3088] security/acme-client: minor help text changes

---
 .../OPNsense/AcmeClient/forms/dialogCertificate.xml           | 4 ++--
 .../app/controllers/OPNsense/AcmeClient/forms/settings.xml    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index 0fd183462d..e387fc7866 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -7,7 +7,7 @@
         <id>certificate.enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help>Enable this certificate</help>
+        <help>Enable this certificate. When disabled, no attemps to issue or renew the certificate will be made.</help>
     </field>
     <field>
         <id>certificate.name</id>
@@ -50,7 +50,7 @@
         <id>certificate.autoRenewal</id>
         <label>Auto Renewal</label>
         <type>checkbox</type>
-        <help>Enable automatic renewal for this certificate to prevent expiration.</help>
+        <help>Enable automatic renewal for this certificate to prevent expiration. When disabled, the cron job will ignore this certificate. Note that it is still possible to renew the certificate from the GUI.</help>
     </field>
     <field>
         <id>certificate.renewInterval</id>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index 28cee3b6c3..ad0247d9e4 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -9,7 +9,7 @@
         <id>acmeclient.settings.autoRenewal</id>
         <label>Auto Renewal</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable automatic renewal for certificates to prevent expiration. This will add a cronjob to the system. You may want to customize the cronjob schedule to your needs, because re-issueing a certificate may lead to a short downtime, depending on the selected challenge type and service.]]></help>
+        <help><![CDATA[Enable automatic renewal for certificates to prevent expiration. This will add a cron job to the system. You may want to customize the cron job schedule to your needs, because re-issueing a certificate may lead to a short downtime, depending on the selected challenge type and service.]]></help>
     </field>
     <field>
         <id>acmeclient.settings.environment</id>

From 4850414eba70c0a95138c2daa58bde596f84dc57 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 24 Jan 2021 21:56:12 +0100
Subject: [PATCH 0367/3088] security/acme-client: add support for Infomaniak
 domain API, closes #2169

---
 security/acme-client/pkg-descr                |  3 ++
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsInfomaniak.php | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 4 files changed, 61 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInfomaniak.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 2bfdd9b4f1..a0893c9f5c 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 2.3
 
+Added:
+* add support for Infomaniak domain API (#2169)
+
 Fixed:
 * fix "auto renewal" options not working in certificate and plugin settings (#2178)
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index e6999e3a99..2bc5df97d8 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1237,4 +1237,14 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Infomaniak DNS API</label>
+        <type>header</type>
+        <style>table_dns table_dns_infomaniak</style>
+    </field>
+    <field>
+        <id>validation.dns_infomaniak_token</id>
+        <label>API Token</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInfomaniak.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInfomaniak.php
new file mode 100644
index 0000000000..6fec5ea622
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInfomaniak.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Infomaniak DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsInfomaniak extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['INFOMANIAK_API_TOKEN'] = (string)$this->config->dns_infomaniak_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 02722c751e..edbcfdfcd1 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -405,6 +405,7 @@
                         <dns_hostingde>hosting.de API</dns_hostingde>
                         <dns_he>Hurricane Electric</dns_he>
                         <dns_infoblox>Infoblox API</dns_infoblox>
+                        <dns_infomaniak>Infomaniak API</dns_infomaniak>
                         <dns_inwx>INWX XMLRPC API</dns_inwx>
                         <dns_ispconfig>ISPConfig 3.1+ API</dns_ispconfig>
                         <dns_joker>Joker API</dns_joker>
@@ -949,6 +950,9 @@
                 <dns_desec_name type="TextField">
                     <Required>N</Required>
                 </dns_desec_name>
+                <dns_infomaniak_token type="TextField">
+                    <Required>N</Required>
+                </dns_infomaniak_token>
             </validation>
         </validations>
         <actions>

From 7c0b4717dc6f2ab863011250f5dc13c2712c4c57 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 24 Jan 2021 22:00:17 +0100
Subject: [PATCH 0368/3088] security/acme-client: fix Aliyun DNS API, closes
 #2200

---
 security/acme-client/pkg-descr                                  | 1 +
 .../mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a0893c9f5c..ef9766b167 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,7 @@ Added:
 
 Fixed:
 * fix "auto renewal" options not working in certificate and plugin settings (#2178)
+* fix Aliyun DNS API (#2200)
 
 2.2
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php
index 357757c6be..5c5da84e6c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAli.php
@@ -40,6 +40,6 @@ class DnsAli extends Base implements LeValidationInterface
     public function prepare()
     {
         $this->acme_env['Ali_Key'] = (string)$this->config->dns_ali_key;
-        $this->acme_env['Ali_Secret'] = (string)$this->config->dns_ali_key;
+        $this->acme_env['Ali_Secret'] = (string)$this->config->dns_ali_secret;
     }
 }

From 7474764777ff88db5c3e8a430294251f06ab92ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 25 Jan 2021 08:33:40 +0100
Subject: [PATCH 0369/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index a5aba81354..6e7b1da527 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@ Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2017-2019 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
-Copyright (c) 2016-2020 Frank Wall
+Copyright (c) 2016-2021 Frank Wall
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis

From 0c1ef6e79d0000902f4d9a99a6d71038f87cce03 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 25 Jan 2021 08:35:52 +0100
Subject: [PATCH 0370/3088] sysutils/smart: bump revision after changes

---
 sysutils/smart/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 812f9d2db5..1f10056065 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 5f86518b4cc330aa988ad1ca7939484093c9a1dd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 25 Jan 2021 08:49:43 +0100
Subject: [PATCH 0371/3088] net/frr: bump revision after change

---
 net/frr/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 9c97041eae..880012ffc5 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.21
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 2ff11c5d062233362adb2767616a2e9deaf343a9 Mon Sep 17 00:00:00 2001
From: chadek <32199566+chadek@users.noreply.github.com>
Date: Wed, 27 Jan 2021 09:55:59 +0100
Subject: [PATCH 0372/3088] Check wg-public key format (#2056)

Adding a peer with a wrong public key format to a tunnel configuration makes the wall tunnel hang silently when trying to save configuration (and then restart the service). This should prevent wrong configuration but some checks may be done server side to, at least, log some error and display some warning.
---
 .../opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index e25a3a2fa0..48a16ee266 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -13,12 +13,12 @@
                     <default></default>
                     <Required>Y</Required>
                 </name>
-                <pubkey type="TextField">
+                <pubkey type="Base64Field">
                     <Required>N</Required>
+                    <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
                 </pubkey>
-                <psk type="TextField">
+                <psk type="Base64Field">
                     <Required>N</Required>
-                    <mask>/^[a-zA-Z0-9+\/]{43}=$/</mask>
                     <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
                 </psk>
                 <tunneladdress type="NetworkField">

From 8f660333d6d7cf93bb1dcb3e037f9c8fc1d7afa8 Mon Sep 17 00:00:00 2001
From: Greelan <53196309+Greelan@users.noreply.github.com>
Date: Wed, 27 Jan 2021 22:19:25 +1100
Subject: [PATCH 0373/3088] Show handshake timestamp in system timezone (#2204)

This change shows each latest handshake time in the widget in the timezone of the system, rather than UTC as currently. The change is intended to implement this forum request: https://forum.opnsense.org/index.php?topic=20530.msg95463#msg95463.

As a disclaimer, I am by no means a PHP programmer, but this commit is based on my research. It works when I tested it.
---
 net/wireguard/src/www/widgets/widgets/wireguard.widget.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
index 7da094ebcc..95bc8eab67 100644
--- a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
+++ b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
@@ -55,6 +55,7 @@
         $latest = "-";
         if ($epoch > 0):
             $dt = new DateTime("@$epoch");
+            $dt->setTimezone(new DateTimeZone(date_default_timezone_get()));
             $latest = $dt->format(gettext("Y-m-d H:i:sP"));
         endif; ?>
 

From 54b26b562d1190256faae6b3ae42cebebdc9741f Mon Sep 17 00:00:00 2001
From: ElJeffe <jeffgemail@gmail.com>
Date: Thu, 28 Jan 2021 16:22:02 -0500
Subject: [PATCH 0374/3088] net/wireguard: Make client Public Key required
 field (#2174)

Recent experience is that adding a client without a public key will break WireGuard and all connecting clients.  I'm not sure if this is the best place to do the check, but seems to make sense to just require the public key when creating the client.
---
 .../src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index 48a16ee266..e547d80bd5 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/wireguard/client</mount>
     <description>Wireguard Client configuration</description>
-    <version>0.0.5</version>
+    <version>0.0.6</version>
     <items>
         <clients>
             <client type="ArrayField">
@@ -14,7 +14,7 @@
                     <Required>Y</Required>
                 </name>
                 <pubkey type="Base64Field">
-                    <Required>N</Required>
+                    <Required>Y</Required>
                     <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
                 </pubkey>
                 <psk type="Base64Field">

From f2012d8307fe1fbc4852868c685fad1db7724ba6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 28 Jan 2021 22:23:27 +0100
Subject: [PATCH 0375/3088] net/wireguard: keep track of current changes with
 revision bump

---
 net/wireguard/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index d6b8f09d22..fe52b80fbf 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.4
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 2cb53ccf9046c54e14921c3d466b4e0b912b70f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Fri, 29 Jan 2021 09:30:01 +0100
Subject: [PATCH 0376/3088] Themes - Cicada/Vicuna fixes (#2208)

---
 misc/theme-cicada/Makefile                    |   2 +-
 .../cicada/assets/stylesheets/main.scss       |   5 +
 .../cicada/assets/stylesheets/tokenize2.scss  |   6 +-
 .../www/themes/cicada/build/css/main.css      |   6 +
 .../build/css/pick-a-color-1.2.3.min.css      |  88 ++++++++++
 .../www/themes/cicada/build/css/tokenize2.css | 164 +++++++++---------
 misc/theme-vicuna/Makefile                    |   2 +-
 .../vicuna/assets/stylesheets/main.scss       |   9 +-
 .../vicuna/assets/stylesheets/tokenizer2.scss |   2 +-
 .../www/themes/vicuna/build/css/main.css      |   9 +-
 .../build/css/pick-a-color-1.2.3.min.css      |  88 ++++++++++
 .../www/themes/vicuna/build/css/tokenize2.css | 137 ++++++++-------
 12 files changed, 356 insertions(+), 162 deletions(-)
 create mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/pick-a-color-1.2.3.min.css
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/pick-a-color-1.2.3.min.css

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 87ec5ec72f..c70fa8d5e1 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.25
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		The cicada theme - dark grey
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index d301372af2..8621584cdb 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -10762,3 +10762,8 @@ ul.jqtree-tree {
 [role="listbox"] {
   border: 1px solid #191919 !important;
 }
+
+.interface-table-tr td {
+  background-color: #d77610 !important;
+  color: #FFF !important;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/tokenize2.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/tokenize2.scss
index e6d500f9b9..05f8197dc1 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/tokenize2.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/tokenize2.scss
@@ -18,7 +18,7 @@
 
   &.focus > .tokens-container {
     outline: 0;
-    border-color: #5a5a5a;
+    border-color: #191919;
     background-color: #2a2a2a;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -88,10 +88,8 @@
     }
 
     &:focus, &:hover {
-      border-color: #dd630d;
+      border-color: #191919;
       background-color: #2a2a2a;
-      -webkit-box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
-      box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
     }
 
     > .token-search > input {
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index b7b43ef406..f3dc00e537 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -6615,3 +6615,9 @@ ul.jqtree-tree .jqtree-title {
 [role="listbox"] {
   border: 1px solid #191919 !important;
 }
+
+.interface-table-tr td {
+  background-color: #d77610 !important;
+  color: #FFF !important;
+}
+
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/pick-a-color-1.2.3.min.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/pick-a-color-1.2.3.min.css
new file mode 100644
index 0000000000..91c8033748
--- /dev/null
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/pick-a-color-1.2.3.min.css
@@ -0,0 +1,88 @@
+
+.pick-a-color-markup *{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
+.pick-a-color-markup .hex-pound{padding-left:8px;padding-right:8px}@media screen and (max-width:991px){.pick-a-color-markup .hex-pound{padding:3px 5px 0px 5px;min-height:30px}}
+.pick-a-color-markup .pick-a-color{padding:5px}@media screen and (max-width:991px){.pick-a-color-markup .pick-a-color{width:100%;font-size:18px;padding:9px;min-width:222px;height:47px}}
+.pick-a-color-markup .input-group-btn .color-dropdown{padding:6px 5px}.pick-a-color-markup .input-group-btn .color-dropdown.no-hex{border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .input-group-btn .color-dropdown:focus{background-color:#dd630d}
+@media screen and (max-width:991px){.pick-a-color-markup .input-group-btn .color-dropdown{height:47px}}
+.pick-a-color-markup .color-preview{border:1px solid #191919;border-radius:4px;-webkit-box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);height:1.429em;width:1.429em;display:inline-block;cursor:pointer;margin-right:5px}.pick-a-color-markup .color-preview.current-color{margin-bottom:-5px}
+@media screen and (max-width:991px){.pick-a-color-markup .color-preview{height:1.875em;width:1.875em}}
+.pick-a-color-markup .color-menu{text-align:left;padding:5px 0px;width:330px;font-size:14px;left:auto;}.pick-a-color-markup .color-menu.color-menu--inline{left:-285px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu.color-menu--inline{left:-242px}}
+@media screen and (max-width:991px){.pick-a-color-markup .color-menu{left:-242px;width:293px}}.pick-a-color-markup .color-menu.small{width:100px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu.small{left:-105px}}
+.pick-a-color-markup .color-menu.no-hex{left:0px}
+.pick-a-color-markup .color-menu ul{padding:0px;margin:0px}
+.pick-a-color-markup .color-menu li{list-style-type:none;padding:5px 0px;margin:0px}
+.pick-a-color-markup .color-menu .color-preview{vertical-align:middle;margin:0px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .color-preview{height:35px;width:35px}}.pick-a-color-markup .color-menu .color-preview.current-color,.pick-a-color-markup .color-menu .color-preview.white{background-color:#fff}
+.pick-a-color-markup .color-menu .color-preview.red{background-color:#f00}
+.pick-a-color-markup .color-menu .color-preview.orange{background-color:#f60}
+.pick-a-color-markup .color-menu .color-preview.yellow{background-color:#ff0}
+.pick-a-color-markup .color-menu .color-preview.green{background-color:#008000}
+.pick-a-color-markup .color-menu .color-preview.blue{background-color:#00f}
+.pick-a-color-markup .color-menu .color-preview.indigo{background-color:#4a0080}
+.pick-a-color-markup .color-menu .color-preview.violet{background-color:#ee81ee}
+.pick-a-color-markup .color-menu .color-preview.purple{background-color:#80007f}
+.pick-a-color-markup .color-menu .color-preview.black{background-color:#000}
+.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#fff}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:transparent}
+@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{min-height:40px}}
+.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{color:#dd630d;background-image:none;filter:none;text-decoration:none;font-weight:bold}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{background-color:#fff;font-weight:normal}}
+.pick-a-color-markup .color-menu .btn.color-select{margin:0px 5px;height:20px;padding:0px 5px;margin-top:0px;line-height:1.5px;border-radius:4px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .btn.color-select{height:35px}}
+.pick-a-color-markup .caret{margin-bottom:3px}
+.pick-a-color-markup .color-menu-instructions,.pick-a-color-markup .advanced-instructions{text-align:center;padding:0px 6px;margin:0px;font-size:14px;font-weight:normal}@media screen and (min-width:992px){.pick-a-color-markup .color-menu-instructions,.pick-a-color-markup .advanced-instructions{display:none}}
+.pick-a-color-markup .color-label{vertical-align:middle;margin:0px;margin-left:10px;cursor:pointer}@media screen and (max-width:991px){.pick-a-color-markup .color-label{margin-left:8px}}
+.pick-a-color-markup .color-box{height:20px;width:200px;position:absolute;left:115px;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);cursor:pointer}@media screen and (max-width:991px){.pick-a-color-markup .color-box{width:160px;height:35px}}
+.pick-a-color-markup .black .highlight-band-stripe{background-color:#fff}
+.pick-a-color-markup .spectrum-white{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#808080));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#808080 100%));background-image:-moz-linear-gradient(left, #fff 0, #808080 100%);background-image:linear-gradient(to right, #fff 0, #808080 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ff808080', GradientType=1)}.pick-a-color-markup .spectrum-white .highlight-band{left:0px}
+.pick-a-color-markup .spectrum-red{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f00), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f00 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f00 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-orange{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f60), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f60 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f60 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f60 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f60 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-yellow{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #ff0), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #ff0 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #ff0 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #ff0 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #ff0 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-green{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #80ff80), color-stop(.5, #008000), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #80ff80 0, #008000 50%, #000 100%);background-image:-webkit-linear-gradient(left, #80ff80 0, #008000 50%, #000 100%);background-image:-o-linear-gradient(left, #80ff80 0, #008000 50%, #000 100%);background-image:linear-gradient(to right, #80ff80 0, #008000 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-blue{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #00f), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #00f 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #00f 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #00f 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #00f 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-purple{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #ff80ff), color-stop(.5, #80007f), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #ff80ff 0, #80007f 50%, #000 100%);background-image:-webkit-linear-gradient(left, #ff80ff 0, #80007f 50%, #000 100%);background-image:-o-linear-gradient(left, #ff80ff 0, #80007f 50%, #000 100%);background-image:linear-gradient(to right, #ff80ff 0, #80007f 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-black{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#000), to(#808080));background-image:-webkit-linear-gradient(left, color-stop(#000 0), color-stop(#808080 100%));background-image:-moz-linear-gradient(left, #000 0, #808080 100%);background-image:linear-gradient(to right, #000 0, #808080 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff000000', endColorstr='#ff808080', GradientType=1)}.pick-a-color-markup .spectrum-black .highlight-band{left:0px;border:1px solid #808080}
+.pick-a-color-markup .ie-spectrum{height:20px;width:100px;display:inline-block;top:-1}.pick-a-color-markup .ie-spectrum.hue{width:50.5px}@media screen and (max-width:991px){.pick-a-color-markup .ie-spectrum.hue{width:45.5px}}
+@media screen and (max-width:991px){.pick-a-color-markup .ie-spectrum{width:80px;height:35px}}
+.pick-a-color-markup .red-spectrum-0,.pick-a-color-markup .lightness-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #fff 0, #f00 100%);background-image:linear-gradient(to right, #fff 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffff0000', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .red-spectrum-1,.pick-a-color-markup .lightness-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f00), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#f00 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #f00 0, #000 100%);background-image:linear-gradient(to right, #f00 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff0000', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .lightness-spectrum-0,.pick-a-color-markup .lightness-spectrum-1{width:150px}@media screen and (max-width:991px){.pick-a-color-markup .lightness-spectrum-0,.pick-a-color-markup .lightness-spectrum-1{width:135px}}
+.pick-a-color-markup .orange-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#f60));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#f60 100%));background-image:-moz-linear-gradient(left, #fff 0, #f60 100%);background-image:linear-gradient(to right, #fff 0, #f60 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffff6600', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .orange-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f60), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#f60 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #f60 0, #000 100%);background-image:linear-gradient(to right, #f60 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff6600', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .yellow-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#ff0));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#ff0 100%));background-image:-moz-linear-gradient(left, #fff 0, #ff0 100%);background-image:linear-gradient(to right, #fff 0, #ff0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffffff00', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .yellow-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff0), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#ff0 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #ff0 0, #000 100%);background-image:linear-gradient(to right, #ff0 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffff00', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .green-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#80ff80), to(#008000));background-image:-webkit-linear-gradient(left, color-stop(#80ff80 0), color-stop(#008000 100%));background-image:-moz-linear-gradient(left, #80ff80 0, #008000 100%);background-image:linear-gradient(to right, #80ff80 0, #008000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff80ff80', endColorstr='#ff008000', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .green-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#008000), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#008000 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #008000 0, #000 100%);background-image:linear-gradient(to right, #008000 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff008000', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .blue-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#00f));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#00f 100%));background-image:-moz-linear-gradient(left, #fff 0, #00f 100%);background-image:linear-gradient(to right, #fff 0, #00f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ff0000ff', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .blue-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#00f), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#00f 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #00f 0, #000 100%);background-image:linear-gradient(to right, #00f 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0000ff', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .purple-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff80ff), to(#80007f));background-image:-webkit-linear-gradient(left, color-stop(#ff80ff 0), color-stop(#80007f 100%));background-image:-moz-linear-gradient(left, #ff80ff 0, #80007f 100%);background-image:linear-gradient(to right, #ff80ff 0, #80007f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff80ff', endColorstr='#ff80007f', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .purple-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#80007f), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#80007f 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #80007f 0, #000 100%);background-image:linear-gradient(to right, #80007f 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff80007f', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .saturation-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#808080), to(#bf4040));background-image:-webkit-linear-gradient(left, color-stop(#808080 0), color-stop(#bf4040 100%));background-image:-moz-linear-gradient(left, #808080 0, #bf4040 100%);background-image:linear-gradient(to right, #808080 0, #bf4040 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff808080', endColorstr='#ffbf4040', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px;width:150px}@media screen and (max-width:991px){.pick-a-color-markup .saturation-spectrum-0{width:135px}}
+.pick-a-color-markup .saturation-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#bf4040), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#bf4040 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #bf4040 0, #f00 100%);background-image:linear-gradient(to right, #bf4040 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffbf4040', endColorstr='#ffff0000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px;width:150px}@media screen and (max-width:991px){.pick-a-color-markup .saturation-spectrum-1{width:135px}}
+.pick-a-color-markup .hue-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f00), to(#ff0));background-image:-webkit-linear-gradient(left, color-stop(#f00 0), color-stop(#ff0 100%));background-image:-moz-linear-gradient(left, #f00 0, #ff0 100%);background-image:linear-gradient(to right, #f00 0, #ff0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff0000', endColorstr='#ffffff00', GradientType=1)}
+.pick-a-color-markup .hue-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff0), to(#0f0));background-image:-webkit-linear-gradient(left, color-stop(#ff0 0), color-stop(#0f0 100%));background-image:-moz-linear-gradient(left, #ff0 0, #0f0 100%);background-image:linear-gradient(to right, #ff0 0, #0f0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffff00', endColorstr='#ff00ff00', GradientType=1)}
+.pick-a-color-markup .hue-spectrum-2{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#0f0), to(#0ff));background-image:-webkit-linear-gradient(left, color-stop(#0f0 0), color-stop(#0ff 100%));background-image:-moz-linear-gradient(left, #0f0 0, #0ff 100%);background-image:linear-gradient(to right, #0f0 0, #0ff 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff00ff00', endColorstr='#ff00ffff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-3{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#0ff), to(#00f));background-image:-webkit-linear-gradient(left, color-stop(#0ff 0), color-stop(#00f 100%));background-image:-moz-linear-gradient(left, #0ff 0, #00f 100%);background-image:linear-gradient(to right, #0ff 0, #00f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff00ffff', endColorstr='#ff0000ff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-4{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#00f), to(#f0f));background-image:-webkit-linear-gradient(left, color-stop(#00f 0), color-stop(#f0f 100%));background-image:-moz-linear-gradient(left, #00f 0, #f0f 100%);background-image:linear-gradient(to right, #00f 0, #f0f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0000ff', endColorstr='#ffff00ff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-5{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f0f), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#f0f 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #f0f 0, #f00 100%);background-image:linear-gradient(to right, #f0f 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff00ff', endColorstr='#ffff0000', GradientType=1);left:-2px;position:relative}
+.pick-a-color-markup .highlight-band{border:1px solid #222;border-radius:2px;-webkit-box-shadow:1px 1px 1px #333;box-shadow:1px 1px 1px #333;height:19px;width:11px;display:inline-block;cursor:pointer;cursor:-webkit-grab;cursor:-moz-grab;position:absolute;top:-1px;left:94.5px;text-align:center}@media screen and (max-width:991px){.pick-a-color-markup .highlight-band{width:21px;left:69.5px;height:34px}}
+.pick-a-color-markup .highlight-band-stripe{min-height:80%;min-width:1px;background-color:#000;opacity:0.40;margin:2px 1px;display:inline-block;-webkit-box-shadow:1px 0 2px 0 #fff;box-shadow:1px 0 2px 0 #fff}@media screen and (max-width:991px){.pick-a-color-markup .highlight-band-stripe{margin:4px 2px}}
+.pick-a-color-markup .color-menu-tabs{padding:5px 3px 3px 10px;font-size:12px;color:#333;border-bottom:1px solid #191919;margin-bottom:5px}.pick-a-color-markup .color-menu-tabs .tab{padding:4px 5px;margin:5px;border-top: 1px solid #191919;border-left:1px solid #191919;border-right:1px solid #191919;cursor:pointer;background-color:#3a3a3a}.pick-a-color-markup .color-menu-tabs .tab:hover{border-top:1px solid #191919;border-right:1px solid #191919;border-left:1px solid #191919;border-top-right-radius:4px;border-top-left-radius:4px;background-color:#292929;}
+.pick-a-color-markup .color-menu-tabs a{color:#FFF;text-decoration:none}
+.pick-a-color-markup .color-menu-tabs a:hover {color: #dd630d}
+.pick-a-color-markup .color-menu-tabs .tab-active{border-bottom:transparent;padding-bottom:5px;border-top:1px solid #191919;border-right:1px solid #191919;border-left:1px solid #191919;border-top-right-radius:4px;border-top-left-radius:4px;background-color:#292929}
+.pick-a-color-markup .color-menu-tabs .tab-active a{color:#dd630d}
+.pick-a-color-markup .active-content{display:block}
+.pick-a-color-markup .inactive-content{display:none}
+.pick-a-color-markup .savedColors-content{padding:5px 15px;white-space:normal}.pick-a-color-markup .savedColors-content li.color-item>a{margin-left:7px;padding-left:8px;border-radius:4px}
+.pick-a-color-markup .saved-color-col{position:relative;left:-15px;float:left;width:149px}@media screen and (max-width:991px){.pick-a-color-markup .saved-color-col{width:130px}}
+.pick-a-color-markup .advanced-content ul{margin-top:10px}
+.pick-a-color-markup .advanced-content li{padding:5px 15px 3px 15px;cursor:default;min-height:25px;height:50px;position:relative}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content li{min-height:70px}}
+.pick-a-color-markup .advanced-content .color-preview{height:50px;width:300px;float:left;margin:0px 0px 10px 0px;background-color:#f00;text-align:center}.pick-a-color-markup .advanced-content .color-preview .color-select.btn.advanced{margin-top:15px;display:none}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-preview .color-select.btn.advanced{display:inline;margin-top:7px}}
+.pick-a-color-markup .advanced-content .color-preview:hover .color-select.btn.advanced{display:inline}
+@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-preview{width:270px;margin-left:-10px}}
+.pick-a-color-markup .advanced-content .spectrum-hue{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #f00), color-stop(17%, #ff0), color-stop(34%, #0f0), color-stop(51%, #0ff), color-stop(68%, #00f), color-stop(85%, #f0f), color-stop(100%, #f00));background-image:-moz-linear-gradient(left center, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:-webkit-linear-gradient(left, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:-o-linear-gradient(left, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:linear-gradient(to right, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-repeat:repeat-x}.pick-a-color-markup .advanced-content .spectrum-hue .highlight-band{left:0px}
+.pick-a-color-markup .advanced-content .spectrum-lightness{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f00), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f00 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f00 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .advanced-content .spectrum-saturation{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #808080), color-stop(.5, #f00), color-stop(1, #f00));background-image:-moz-linear-gradient(left center, #808080 0, #f00 50%, #f00 100%);background-image:-webkit-linear-gradient(left, #808080 0, #f00 50%, #f00 100%);background-image:-o-linear-gradient(left, #808080 0, #f00 50%, #f00 100%);background-image:linear-gradient(to right, #808080 0, #f00 50%, #f00 100%);background-repeat:repeat-x}.pick-a-color-markup .advanced-content .spectrum-saturation .highlight-band{left:287px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .spectrum-saturation .highlight-band{left:247px}}
+.pick-a-color-markup .advanced-content .spectrum-lightness .highlight-band{left:143.5px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .spectrum-lightness .highlight-band{left:123.5px}}
+.pick-a-color-markup .advanced-content .lightness-text,.pick-a-color-markup .advanced-content .hue-text,.pick-a-color-markup .advanced-content .saturation-text,.pick-a-color-markup .advanced-content .preview-text{vertical-align:middle;text-align:center;display:block}
+.pick-a-color-markup .advanced-content .color-box{left:15px;top:25px;width:300px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-box{width:270px;left:10px}}
+.pick-a-color-markup .advanced-content .preview-item{height:80px}
+@-moz-document url-prefix(){@media screen and (max-width:991px){div.pick-a-color-markup .color-menu{left:0px}}}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tokenize2.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tokenize2.css
index 62370acf50..86a66906da 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tokenize2.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tokenize2.css
@@ -1,173 +1,173 @@
 .tokenize > .tokens-container {
-    position: relative;
-    list-style: none;
-    padding: 0 0 5px 5px;
-    height: auto;
-    min-height: 34px;
-    cursor: text;
-    border-radius: 3px;
-	border: 1px solid #191919;
-	background-color: #2a2a2a;
+  position: relative;
+  list-style: none;
+  padding: 0 0 5px 5px;
+  height: auto;
+  min-height: 34px;
+  cursor: text;
+  border-radius: 3px;
+  border: 1px solid #191919;
+  background-color: #2a2a2a;
 }
 
 .tokenize > .tokens-container.disabled {
-    background-color: #eee;
-    cursor: not-allowed;
+  background-color: #eee;
+  cursor: not-allowed;
 }
 
 .tokenize.focus > .tokens-container {
-    outline: 0;
-	border-color:#5a5a5a;
-	background-color:#2a2a2a;
-	-webkit-box-shadow: none;
-	box-shadow: none;
+  outline: 0;
+  border-color:#191919;
+  background-color:#2a2a2a;
+  -webkit-box-shadow: none;
+  box-shadow: none;
 }
 
 .tokenize > .tokens-container.input-sm {
-    padding: 0 0 4px 4px;
-    min-height: 30px;
+  padding: 0 0 4px 4px;
+  min-height: 30px;
 }
 
 .tokenize > .tokens-container.input-lg {
-    padding: 0 0 9px 9px;
-    min-height: 46px;
+  padding: 0 0 9px 9px;
+  min-height: 46px;
 }
 
 .tokenize > .tokens-container > .token {
-    padding: 0 1.2em 0 5px;
-	background-color: #ce671c;
-    -webkit-border-radius: 2px;
-       -moz-border-radius: 2px;
-            border-radius: 2px;
+  padding: 0 1.2em 0 5px;
+  background-color: #ce671c;
+  -webkit-border-radius: 2px;
+  -moz-border-radius: 2px;
+  border-radius: 2px;
 }
 
 .tokenize > .tokens-container > .token,
 .tokenize > .tokens-container > .placeholder,
 .tokenize > .tokens-container > .token-search {
-    display: inline-block;
-    margin: 5px 5px 0 0;
-    position: relative;
-    vertical-align: middle;
+  display: inline-block;
+  margin: 5px 5px 0 0;
+  position: relative;
+  vertical-align: middle;
 }
 
 .tokenize.sortable > .tokens-container > .token {
-    cursor: move;
+  cursor: move;
 }
 
 .tokenize.single > .tokens-container > .token {
-    display: block;
-    border-color: #fff;
-    background-color: transparent;
+  display: block;
+  border-color: #fff;
+  background-color: transparent;
 }
 
 .tokenize.sortable > .tokens-container > .token.shadow {
-    border-color: #ccc;
-    background-color: #ccc;
-    filter: alpha(opacity=50);
-    opacity: .2;
+  border-color: #ccc;
+  background-color: #ccc;
+  filter: alpha(opacity=50);
+  opacity: .2;
 }
 
 .tokenize > .tokens-container > .placeholder {
-	color:#6b6b6b;
-    padding: 0;
+  color:#6b6b6b;
+  padding: 0;
 }
+
 .tokenize > .tokens-container > .token-search {
-	color:#fff;
-    padding: 0;
+  color:#fff;
+  padding: 0;
 }
 
 .tokenize > .tokens-container:focus,
 .tokenize > .tokens-container:hover {
-	border-color:#dd630d;
-	background-color:#2a2a2a;
-	-webkit-box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
-	box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
+  border-color:#191919;
+  background-color:#2a2a2a;
 }
 
 .tokenize > .tokens-container > .token-search > input {
-    padding: 0;
-    margin: 0;
-    line-height: 1em;
-    background: transparent;
-	border:none;
-    outline: none;
-    width: 100%;
+  padding: 0;
+  margin: 0;
+  line-height: 1em;
+  background: transparent;
+  border:none;
+  outline: none;
+  width: 100%;
 }
 
 .tokenize > .tokens-container > .token-search > input::-ms-clear {
-    display: none;
+  display: none;
 }
 
 .tokenize > .tokens-container.input-sm > .placeholder,
 .tokenize > .tokens-container.input-sm > .token-search,
 .tokenize > .tokens-container.input-sm > .token {
-    margin: 4px 4px 0 0;
+  margin: 4px 4px 0 0;
 }
 
 .tokenize > .tokens-container.input-lg > .placeholder,
 .tokenize > .tokens-container.input-lg > .token-search,
 .tokenize > .tokens-container.input-lg > .token {
-    margin: 9px 9px 0 0;
+  margin: 9px 9px 0 0;
 }
 
 .tokenize > .tokens-container > .token.pending-delete {
-    background-color: #5b72a4;
-    border-color: #425c96;
-    color: #fff
+  background-color: #5b72a4;
+  border-color: #425c96;
+  color: #fff
 }
 
 .tokenize > .tokens-container > .token > .dismiss {
-    position: absolute;
-    right: 5px;
-    color: #a9b9d8;
-    text-decoration: none;
-    cursor: pointer;
+  position: absolute;
+  right: 5px;
+  color: #a9b9d8;
+  text-decoration: none;
+  cursor: pointer;
 }
 
 .tokenize > .tokens-container > .token > .dismiss:after {
-    content: "×";
-	color: #fff;
+  content: "×";
+  color: #fff;
 }
 
 .tokenize > .tokens-container > .token.pending-delete > .dismiss {
-    color: #fff;
+  color: #fff;
 }
 
 .tokenize-dropdown {
-    position: absolute;
-    display: none;
+  position: absolute;
+  display: none;
 }
 
 .tokenize-dropdown > .dropdown-menu {
-    min-height: 10px;
-    width: 100%;
-    display: block;
-    margin: -1px 0 0 0;
-    visibility: visible;
-    opacity: 1;
+  min-height: 10px;
+  width: 100%;
+  display: block;
+  margin: -1px 0 0 0;
+  visibility: visible;
+  opacity: 1;
 }
 
 .tokenize-dropdown > .dropdown-menu li {
-    cursor: pointer;
+  cursor: pointer;
 }
 
 .tokenize-dropdown > .dropdown-menu li > a .tokenize-highlight {
-    font-weight: bold;
+  font-weight: bold;
 }
 
 .tokenize-dropdown > .dropdown-menu li.locked {
-    padding: 3px 20px;
-    color: #333;
-    white-space: nowrap;
+  padding: 3px 20px;
+  color: #333;
+  white-space: nowrap;
 }
 
 .tokenize-dropdown > .dropdown-menu li.locked,
 .tokenize-dropdown > .dropdown-menu li > a {
-    text-overflow: ellipsis;
-    overflow-x: hidden;
+  text-overflow: ellipsis;
+  overflow-x: hidden;
 }
 
 .tokenize-dropdown > .dropdown-menu li:not(.active) a:hover,
 .tokenize-dropdown > .dropdown-menu li:not(.active) a:focus {
-    background-color: transparent;
+  background-color: transparent;
 }
+
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 54ad416050..4f2a6fac81 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		The vicuna theme - dark anthrazit
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 3b9c0f3c00..4b118209c0 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -9639,7 +9639,7 @@ body {
   padding: 0px 0px;
   margin: 0px 0px;
   background-color: none;
-  border: 1px solid #191919;
+  border: 1px solid #111;
   -webkit-box-shadow: 0px 3px 3px rgba(17, 17, 17, 0.8);
   box-shadow: 0px 3px 3px rgba(17, 17, 17, 0.8);
 
@@ -9709,7 +9709,7 @@ body {
 }
 
 .page-login {
-  background: #172c38;
+  background: #131c22;
 
   .container {
     min-height: 100%;
@@ -10755,3 +10755,8 @@ ul.jqtree-tree {
 [role="listbox"] {
   border: 1px solid #191919 !important;
 }
+
+.interface-table-tr td {
+  background-color: #d77610 !important;
+  color: #FFF !important;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/tokenizer2.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/tokenizer2.scss
index 577a2f037e..4df1e1901d 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/tokenizer2.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/tokenizer2.scss
@@ -18,7 +18,7 @@
 
   &.focus > .tokens-container {
     outline: 0;
-    border-color: #4d83a1;
+    border-color: #191919;
     background-color: #21303A;
     -webkit-box-shadow: none;
     box-shadow: none;
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 26f7ddf241..f9406046cd 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -5778,7 +5778,7 @@ body {
   padding: 0px 0px;
   margin: 0px 0px;
   background-color: none;
-  border: 1px solid #191919;
+  border: 1px solid #111;
   -webkit-box-shadow: 0px 3px 3px rgba(17, 17, 17, 0.8);
   box-shadow: 0px 3px 3px rgba(17, 17, 17, 0.8); }
 .content-box hr {
@@ -5822,7 +5822,7 @@ body {
     padding-top: 0 !important; } }
 
 .page-login {
-  background: #172c38; }
+  background: #131c22; }
   .page-login .container {
     min-height: 100%;
     margin-bottom: -60px; }
@@ -6572,3 +6572,8 @@ ul.jqtree-tree .jqtree-title {
 [role="listbox"] {
   border: 1px solid #191919 !important;
 }
+
+.interface-table-tr td {
+  background-color: #d77610 !important;
+  color: #FFF !important;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/pick-a-color-1.2.3.min.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/pick-a-color-1.2.3.min.css
new file mode 100644
index 0000000000..74517c454e
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/pick-a-color-1.2.3.min.css
@@ -0,0 +1,88 @@
+
+.pick-a-color-markup *{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
+.pick-a-color-markup .hex-pound{padding-left:8px;padding-right:8px}@media screen and (max-width:991px){.pick-a-color-markup .hex-pound{padding:3px 5px 0px 5px;min-height:30px}}
+.pick-a-color-markup .pick-a-color{padding:5px}@media screen and (max-width:991px){.pick-a-color-markup .pick-a-color{width:100%;font-size:18px;padding:9px;min-width:222px;height:47px}}
+.pick-a-color-markup .input-group-btn .color-dropdown{padding:6px 5px}.pick-a-color-markup .input-group-btn .color-dropdown.no-hex{border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .input-group-btn .color-dropdown:focus{background-color:#dd630d}
+@media screen and (max-width:991px){.pick-a-color-markup .input-group-btn .color-dropdown{height:47px}}
+.pick-a-color-markup .color-preview{border:1px solid #191919;border-radius:4px;-webkit-box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);height:1.429em;width:1.429em;display:inline-block;cursor:pointer;margin-right:5px}.pick-a-color-markup .color-preview.current-color{margin-bottom:-5px}
+@media screen and (max-width:991px){.pick-a-color-markup .color-preview{height:1.875em;width:1.875em}}
+.pick-a-color-markup .color-menu{text-align:left;padding:5px 0px;width:330px;font-size:14px;left:auto;}.pick-a-color-markup .color-menu.color-menu--inline{left:-285px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu.color-menu--inline{left:-242px}}
+@media screen and (max-width:991px){.pick-a-color-markup .color-menu{left:-242px;width:293px}}.pick-a-color-markup .color-menu.small{width:100px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu.small{left:-105px}}
+.pick-a-color-markup .color-menu.no-hex{left:0px}
+.pick-a-color-markup .color-menu ul{padding:0px;margin:0px}
+.pick-a-color-markup .color-menu li{list-style-type:none;padding:5px 0px;margin:0px}
+.pick-a-color-markup .color-menu .color-preview{vertical-align:middle;margin:0px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .color-preview{height:35px;width:35px}}.pick-a-color-markup .color-menu .color-preview.current-color,.pick-a-color-markup .color-menu .color-preview.white{background-color:#fff}
+.pick-a-color-markup .color-menu .color-preview.red{background-color:#f00}
+.pick-a-color-markup .color-menu .color-preview.orange{background-color:#f60}
+.pick-a-color-markup .color-menu .color-preview.yellow{background-color:#ff0}
+.pick-a-color-markup .color-menu .color-preview.green{background-color:#008000}
+.pick-a-color-markup .color-menu .color-preview.blue{background-color:#00f}
+.pick-a-color-markup .color-menu .color-preview.indigo{background-color:#4a0080}
+.pick-a-color-markup .color-menu .color-preview.violet{background-color:#ee81ee}
+.pick-a-color-markup .color-menu .color-preview.purple{background-color:#80007f}
+.pick-a-color-markup .color-menu .color-preview.black{background-color:#000}
+.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#fff}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:transparent}
+@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{min-height:40px}}
+.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{color:#dd630d;background-image:none;filter:none;text-decoration:none;font-weight:bold}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{background-color:#fff;font-weight:normal}}
+.pick-a-color-markup .color-menu .btn.color-select{margin:0px 5px;height:20px;padding:0px 5px;margin-top:0px;line-height:1.5px;border-radius:4px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .btn.color-select{height:35px}}
+.pick-a-color-markup .caret{margin-bottom:3px}
+.pick-a-color-markup .color-menu-instructions,.pick-a-color-markup .advanced-instructions{text-align:center;padding:0px 6px;margin:0px;font-size:14px;font-weight:normal}@media screen and (min-width:992px){.pick-a-color-markup .color-menu-instructions,.pick-a-color-markup .advanced-instructions{display:none}}
+.pick-a-color-markup .color-label{vertical-align:middle;margin:0px;margin-left:10px;cursor:pointer}@media screen and (max-width:991px){.pick-a-color-markup .color-label{margin-left:8px}}
+.pick-a-color-markup .color-box{height:20px;width:200px;position:absolute;left:115px;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);cursor:pointer}@media screen and (max-width:991px){.pick-a-color-markup .color-box{width:160px;height:35px}}
+.pick-a-color-markup .black .highlight-band-stripe{background-color:#fff}
+.pick-a-color-markup .spectrum-white{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#808080));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#808080 100%));background-image:-moz-linear-gradient(left, #fff 0, #808080 100%);background-image:linear-gradient(to right, #fff 0, #808080 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ff808080', GradientType=1)}.pick-a-color-markup .spectrum-white .highlight-band{left:0px}
+.pick-a-color-markup .spectrum-red{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f00), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f00 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f00 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-orange{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f60), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f60 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f60 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f60 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f60 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-yellow{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #ff0), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #ff0 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #ff0 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #ff0 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #ff0 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-green{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #80ff80), color-stop(.5, #008000), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #80ff80 0, #008000 50%, #000 100%);background-image:-webkit-linear-gradient(left, #80ff80 0, #008000 50%, #000 100%);background-image:-o-linear-gradient(left, #80ff80 0, #008000 50%, #000 100%);background-image:linear-gradient(to right, #80ff80 0, #008000 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-blue{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #00f), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #00f 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #00f 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #00f 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #00f 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-purple{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #ff80ff), color-stop(.5, #80007f), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #ff80ff 0, #80007f 50%, #000 100%);background-image:-webkit-linear-gradient(left, #ff80ff 0, #80007f 50%, #000 100%);background-image:-o-linear-gradient(left, #ff80ff 0, #80007f 50%, #000 100%);background-image:linear-gradient(to right, #ff80ff 0, #80007f 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-black{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#000), to(#808080));background-image:-webkit-linear-gradient(left, color-stop(#000 0), color-stop(#808080 100%));background-image:-moz-linear-gradient(left, #000 0, #808080 100%);background-image:linear-gradient(to right, #000 0, #808080 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff000000', endColorstr='#ff808080', GradientType=1)}.pick-a-color-markup .spectrum-black .highlight-band{left:0px;border:1px solid #808080}
+.pick-a-color-markup .ie-spectrum{height:20px;width:100px;display:inline-block;top:-1}.pick-a-color-markup .ie-spectrum.hue{width:50.5px}@media screen and (max-width:991px){.pick-a-color-markup .ie-spectrum.hue{width:45.5px}}
+@media screen and (max-width:991px){.pick-a-color-markup .ie-spectrum{width:80px;height:35px}}
+.pick-a-color-markup .red-spectrum-0,.pick-a-color-markup .lightness-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #fff 0, #f00 100%);background-image:linear-gradient(to right, #fff 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffff0000', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .red-spectrum-1,.pick-a-color-markup .lightness-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f00), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#f00 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #f00 0, #000 100%);background-image:linear-gradient(to right, #f00 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff0000', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .lightness-spectrum-0,.pick-a-color-markup .lightness-spectrum-1{width:150px}@media screen and (max-width:991px){.pick-a-color-markup .lightness-spectrum-0,.pick-a-color-markup .lightness-spectrum-1{width:135px}}
+.pick-a-color-markup .orange-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#f60));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#f60 100%));background-image:-moz-linear-gradient(left, #fff 0, #f60 100%);background-image:linear-gradient(to right, #fff 0, #f60 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffff6600', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .orange-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f60), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#f60 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #f60 0, #000 100%);background-image:linear-gradient(to right, #f60 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff6600', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .yellow-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#ff0));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#ff0 100%));background-image:-moz-linear-gradient(left, #fff 0, #ff0 100%);background-image:linear-gradient(to right, #fff 0, #ff0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffffff00', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .yellow-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff0), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#ff0 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #ff0 0, #000 100%);background-image:linear-gradient(to right, #ff0 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffff00', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .green-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#80ff80), to(#008000));background-image:-webkit-linear-gradient(left, color-stop(#80ff80 0), color-stop(#008000 100%));background-image:-moz-linear-gradient(left, #80ff80 0, #008000 100%);background-image:linear-gradient(to right, #80ff80 0, #008000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff80ff80', endColorstr='#ff008000', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .green-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#008000), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#008000 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #008000 0, #000 100%);background-image:linear-gradient(to right, #008000 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff008000', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .blue-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#00f));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#00f 100%));background-image:-moz-linear-gradient(left, #fff 0, #00f 100%);background-image:linear-gradient(to right, #fff 0, #00f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ff0000ff', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .blue-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#00f), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#00f 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #00f 0, #000 100%);background-image:linear-gradient(to right, #00f 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0000ff', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .purple-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff80ff), to(#80007f));background-image:-webkit-linear-gradient(left, color-stop(#ff80ff 0), color-stop(#80007f 100%));background-image:-moz-linear-gradient(left, #ff80ff 0, #80007f 100%);background-image:linear-gradient(to right, #ff80ff 0, #80007f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff80ff', endColorstr='#ff80007f', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .purple-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#80007f), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#80007f 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #80007f 0, #000 100%);background-image:linear-gradient(to right, #80007f 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff80007f', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .saturation-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#808080), to(#bf4040));background-image:-webkit-linear-gradient(left, color-stop(#808080 0), color-stop(#bf4040 100%));background-image:-moz-linear-gradient(left, #808080 0, #bf4040 100%);background-image:linear-gradient(to right, #808080 0, #bf4040 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff808080', endColorstr='#ffbf4040', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px;width:150px}@media screen and (max-width:991px){.pick-a-color-markup .saturation-spectrum-0{width:135px}}
+.pick-a-color-markup .saturation-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#bf4040), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#bf4040 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #bf4040 0, #f00 100%);background-image:linear-gradient(to right, #bf4040 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffbf4040', endColorstr='#ffff0000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px;width:150px}@media screen and (max-width:991px){.pick-a-color-markup .saturation-spectrum-1{width:135px}}
+.pick-a-color-markup .hue-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f00), to(#ff0));background-image:-webkit-linear-gradient(left, color-stop(#f00 0), color-stop(#ff0 100%));background-image:-moz-linear-gradient(left, #f00 0, #ff0 100%);background-image:linear-gradient(to right, #f00 0, #ff0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff0000', endColorstr='#ffffff00', GradientType=1)}
+.pick-a-color-markup .hue-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff0), to(#0f0));background-image:-webkit-linear-gradient(left, color-stop(#ff0 0), color-stop(#0f0 100%));background-image:-moz-linear-gradient(left, #ff0 0, #0f0 100%);background-image:linear-gradient(to right, #ff0 0, #0f0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffff00', endColorstr='#ff00ff00', GradientType=1)}
+.pick-a-color-markup .hue-spectrum-2{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#0f0), to(#0ff));background-image:-webkit-linear-gradient(left, color-stop(#0f0 0), color-stop(#0ff 100%));background-image:-moz-linear-gradient(left, #0f0 0, #0ff 100%);background-image:linear-gradient(to right, #0f0 0, #0ff 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff00ff00', endColorstr='#ff00ffff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-3{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#0ff), to(#00f));background-image:-webkit-linear-gradient(left, color-stop(#0ff 0), color-stop(#00f 100%));background-image:-moz-linear-gradient(left, #0ff 0, #00f 100%);background-image:linear-gradient(to right, #0ff 0, #00f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff00ffff', endColorstr='#ff0000ff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-4{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#00f), to(#f0f));background-image:-webkit-linear-gradient(left, color-stop(#00f 0), color-stop(#f0f 100%));background-image:-moz-linear-gradient(left, #00f 0, #f0f 100%);background-image:linear-gradient(to right, #00f 0, #f0f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0000ff', endColorstr='#ffff00ff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-5{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f0f), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#f0f 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #f0f 0, #f00 100%);background-image:linear-gradient(to right, #f0f 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff00ff', endColorstr='#ffff0000', GradientType=1);left:-2px;position:relative}
+.pick-a-color-markup .highlight-band{border:1px solid #222;border-radius:2px;-webkit-box-shadow:1px 1px 1px #333;box-shadow:1px 1px 1px #333;height:19px;width:11px;display:inline-block;cursor:pointer;cursor:-webkit-grab;cursor:-moz-grab;position:absolute;top:-1px;left:94.5px;text-align:center}@media screen and (max-width:991px){.pick-a-color-markup .highlight-band{width:21px;left:69.5px;height:34px}}
+.pick-a-color-markup .highlight-band-stripe{min-height:80%;min-width:1px;background-color:#000;opacity:0.40;margin:2px 1px;display:inline-block;-webkit-box-shadow:1px 0 2px 0 #fff;box-shadow:1px 0 2px 0 #fff}@media screen and (max-width:991px){.pick-a-color-markup .highlight-band-stripe{margin:4px 2px}}
+.pick-a-color-markup .color-menu-tabs{padding:5px 3px 3px 10px;font-size:12px;color:#333;border-bottom:1px solid #191919;margin-bottom:5px}.pick-a-color-markup .color-menu-tabs .tab{padding:4px 5px;margin:5px;border-top: 1px solid #191919;border-left:1px solid #191919;border-right:1px solid #191919;cursor:pointer;background-color:#202f3a}.pick-a-color-markup .color-menu-tabs .tab:hover{border-top:1px solid #191919;border-right:1px solid #191919;border-left:1px solid #191919;border-top-right-radius:4px;border-top-left-radius:4px;background-color:#202f3a;}
+.pick-a-color-markup .color-menu-tabs a{color:#FFF;text-decoration:none}
+.pick-a-color-markup .color-menu-tabs a:hover {color: #dd630d}
+.pick-a-color-markup .color-menu-tabs .tab-active{border-bottom:transparent;padding-bottom:5px;border-top:1px solid #191919;border-right:1px solid #191919;border-left:1px solid #191919;border-top-right-radius:4px;border-top-left-radius:4px;background-color:#202f3a}
+.pick-a-color-markup .color-menu-tabs .tab-active a{color:#dd630d}
+.pick-a-color-markup .active-content{display:block}
+.pick-a-color-markup .inactive-content{display:none}
+.pick-a-color-markup .savedColors-content{padding:5px 15px;white-space:normal}.pick-a-color-markup .savedColors-content li.color-item>a{margin-left:7px;padding-left:8px;border-radius:4px}
+.pick-a-color-markup .saved-color-col{position:relative;left:-15px;float:left;width:149px}@media screen and (max-width:991px){.pick-a-color-markup .saved-color-col{width:130px}}
+.pick-a-color-markup .advanced-content ul{margin-top:10px}
+.pick-a-color-markup .advanced-content li{padding:5px 15px 3px 15px;cursor:default;min-height:25px;height:50px;position:relative}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content li{min-height:70px}}
+.pick-a-color-markup .advanced-content .color-preview{height:50px;width:300px;float:left;margin:0px 0px 10px 0px;background-color:#f00;text-align:center}.pick-a-color-markup .advanced-content .color-preview .color-select.btn.advanced{margin-top:15px;display:none}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-preview .color-select.btn.advanced{display:inline;margin-top:7px}}
+.pick-a-color-markup .advanced-content .color-preview:hover .color-select.btn.advanced{display:inline}
+@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-preview{width:270px;margin-left:-10px}}
+.pick-a-color-markup .advanced-content .spectrum-hue{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #f00), color-stop(17%, #ff0), color-stop(34%, #0f0), color-stop(51%, #0ff), color-stop(68%, #00f), color-stop(85%, #f0f), color-stop(100%, #f00));background-image:-moz-linear-gradient(left center, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:-webkit-linear-gradient(left, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:-o-linear-gradient(left, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:linear-gradient(to right, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-repeat:repeat-x}.pick-a-color-markup .advanced-content .spectrum-hue .highlight-band{left:0px}
+.pick-a-color-markup .advanced-content .spectrum-lightness{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f00), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f00 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f00 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .advanced-content .spectrum-saturation{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #808080), color-stop(.5, #f00), color-stop(1, #f00));background-image:-moz-linear-gradient(left center, #808080 0, #f00 50%, #f00 100%);background-image:-webkit-linear-gradient(left, #808080 0, #f00 50%, #f00 100%);background-image:-o-linear-gradient(left, #808080 0, #f00 50%, #f00 100%);background-image:linear-gradient(to right, #808080 0, #f00 50%, #f00 100%);background-repeat:repeat-x}.pick-a-color-markup .advanced-content .spectrum-saturation .highlight-band{left:287px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .spectrum-saturation .highlight-band{left:247px}}
+.pick-a-color-markup .advanced-content .spectrum-lightness .highlight-band{left:143.5px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .spectrum-lightness .highlight-band{left:123.5px}}
+.pick-a-color-markup .advanced-content .lightness-text,.pick-a-color-markup .advanced-content .hue-text,.pick-a-color-markup .advanced-content .saturation-text,.pick-a-color-markup .advanced-content .preview-text{vertical-align:middle;text-align:center;display:block}
+.pick-a-color-markup .advanced-content .color-box{left:15px;top:25px;width:300px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-box{width:270px;left:10px}}
+.pick-a-color-markup .advanced-content .preview-item{height:80px}
+@-moz-document url-prefix(){@media screen and (max-width:991px){div.pick-a-color-markup .color-menu{left:0px}}}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tokenize2.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tokenize2.css
index 77e13c3fb8..c2403aa472 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tokenize2.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tokenize2.css
@@ -1,79 +1,79 @@
 .tokenize > .tokens-container {
-    position: relative;
-    list-style: none;
-    padding: 0 0 5px 5px;
-    height: auto;
-    min-height: 34px;
-    cursor: text;
-    border-radius: 3px;
-    border: 1px solid #191919;
-    background-color: #21303a;
+  position: relative;
+  list-style: none;
+  padding: 0 0 5px 5px;
+  height: auto;
+  min-height: 34px;
+  cursor: text;
+  border-radius: 3px;
+  border: 1px solid #191919;
+  background-color: #21303a;
 }
 
 .tokenize > .tokens-container.disabled {
-    background-color: #eee;
-    cursor: not-allowed;
+  background-color: #eee;
+  cursor: not-allowed;
 }
 
 .tokenize.focus > .tokens-container {
   outline: 0;
-	border-color:#4d83a1;
-	background-color:#21303A;
-	-webkit-box-shadow: none;
-	box-shadow: none;
+  border-color:#191919;
+  background-color:#21303A;
+  -webkit-box-shadow: none;
+  box-shadow: none;
 }
 
 .tokenize > .tokens-container.input-sm {
-    padding: 0 0 4px 4px;
-    min-height: 30px;
+  padding: 0 0 4px 4px;
+  min-height: 30px;
 }
 
 .tokenize > .tokens-container.input-lg {
-    padding: 0 0 9px 9px;
-    min-height: 46px;
+  padding: 0 0 9px 9px;
+  min-height: 46px;
 }
 
 .tokenize > .tokens-container > .token {
   padding: 0 1.2em 0 5px;
-	background-color: #d7af10;
-    -webkit-border-radius: 2px;
-       -moz-border-radius: 2px;
-            border-radius: 2px;
-	border: 1px solid #191919;
+  background-color: #d7af10;
+  -webkit-border-radius: 2px;
+  -moz-border-radius: 2px;
+  border-radius: 2px;
+  border: 1px solid #191919;
 }
 
 .tokenize > .tokens-container > .token,
 .tokenize > .tokens-container > .placeholder,
 .tokenize > .tokens-container > .token-search {
-    display: inline-block;
-    margin: 5px 5px 0 0;
-    position: relative;
-    vertical-align: middle;
+  display: inline-block;
+  margin: 5px 5px 0 0;
+  position: relative;
+  vertical-align: middle;
 }
 
 .tokenize.sortable > .tokens-container > .token {
-    cursor: move;
+  cursor: move;
 }
 
 .tokenize.single > .tokens-container > .token {
-    display: block;
-    border-color: #191919;
+  display: block;
+  border-color: #191919;
 }
 
 .tokenize.sortable > .tokens-container > .token.shadow {
-    border-color: #191919;
-    background-color: #21303A;
-    filter: alpha(opacity=50);
-    opacity: .2;
+  border-color: #191919;
+  background-color: #21303A;
+  filter: alpha(opacity=50);
+  opacity: .2;
 }
 
 .tokenize > .tokens-container > .placeholder {
-	color:#c9c9c9;
+  color:#c9c9c9;
   padding: 0;
 }
 
 .tokenize > .tokens-container > .token-search {
-	color:#FFF;
+  color:#FFF;
   padding: 0;
 }
 
@@ -87,87 +87,86 @@
   padding: 0;
   margin: 0;
   line-height: 1em;
-	border:none;
+  border:none;
   outline: none;
   width: 100%;
   background-color: transparent;
 }
 
-
 .tokenize > .tokens-container > .token-search > input::-ms-clear {
-    display: none;
+  display: none;
 }
 
 .tokenize > .tokens-container.input-sm > .placeholder,
 .tokenize > .tokens-container.input-sm > .token-search,
 .tokenize > .tokens-container.input-sm > .token {
-    margin: 4px 4px 0 0;
+  margin: 4px 4px 0 0;
 }
 
 .tokenize > .tokens-container.input-lg > .placeholder,
 .tokenize > .tokens-container.input-lg > .token-search,
 .tokenize > .tokens-container.input-lg > .token {
-    margin: 9px 9px 0 0;
+  margin: 9px 9px 0 0;
 }
 
 .tokenize > .tokens-container > .token.pending-delete {
-    background-color: #5b72a4;
-    border-color: #425c96;
-    color: #fff;
+  background-color: #5b72a4;
+  border-color: #425c96;
+  color: #fff;
 }
 
 .tokenize > .tokens-container > .token > .dismiss {
-    position: absolute;
-    right: 5px;
-    color: #a9b9d8;
-    text-decoration: none;
-    cursor: pointer;
+  position: absolute;
+  right: 5px;
+  color: #a9b9d8;
+  text-decoration: none;
+  cursor: pointer;
 }
 
 .tokenize > .tokens-container > .token > .dismiss:after {
-    content: "×";
-	color: #FFF;
+  content: "×";
+  color: #FFF;
 }
 
 .tokenize > .tokens-container > .token.pending-delete > .dismiss {
-    color: #fff;
+  color: #fff;
 }
 
 .tokenize-dropdown {
-    position: absolute;
-    display: none;
+  position: absolute;
+  display: none;
 }
 
 .tokenize-dropdown > .dropdown-menu {
-    min-height: 10px;
-    width: 100%;
-    display: block;
-    margin: -1px 0 0 0;
-    visibility: visible;
-    opacity: 1;
+  min-height: 10px;
+  width: 100%;
+  display: block;
+  margin: -1px 0 0 0;
+  visibility: visible;
+  opacity: 1;
 }
 
 .tokenize-dropdown > .dropdown-menu li {
-    cursor: pointer;
+  cursor: pointer;
 }
 
 .tokenize-dropdown > .dropdown-menu li > a .tokenize-highlight {
-    font-weight: bold;
+  font-weight: bold;
 }
 
 .tokenize-dropdown > .dropdown-menu li.locked {
-    padding: 3px 20px;
-    color: #FFF;
-    white-space: nowrap;
+  padding: 3px 20px;
+  color: #FFF;
+  white-space: nowrap;
 }
 
 .tokenize-dropdown > .dropdown-menu li.locked,
 .tokenize-dropdown > .dropdown-menu li > a {
-    text-overflow: ellipsis;
-    overflow-x: hidden;
+  text-overflow: ellipsis;
+  overflow-x: hidden;
 }
 
 .tokenize-dropdown > .dropdown-menu li:not(.active) a:hover,
 .tokenize-dropdown > .dropdown-menu li:not(.active) a:focus {
-    background-color: transparent;
+  background-color: transparent;
 }

From fba42365c0441e8f43e794143640e53fd16f8b9c Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sun, 31 Jan 2021 13:03:31 +0300
Subject: [PATCH 0377/3088] fix trusted CAs pem for upstream verify (#2198)

---
 www/nginx/src/opnsense/scripts/nginx/setup.php | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index e0db8c0aaf..8623106bd8 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -198,16 +198,15 @@ function find_ca($refid)
             }
             if (!empty($upstream['tls_trusted_certificate'])) {
                 $cas = array();
-                if (is_array($http_server['ca'])) {
-                    foreach ($http_server['ca'] as $caref) {
-                        $ca = find_ca($caref);
-                        if (isset($ca)) {
-                            $cas[] = $ca;
-                        }
-                    }
+                $carefs = explode(",", $upstream['tls_trusted_certificate']);
+                foreach ($carefs as $caref) {
+                   $ca = find_ca($caref);
+                   if (isset($ca)) {
+                       $cas[] = base64_decode($ca['crt']);
+                   }
                 }
                 export_pem_file(
-                    '/usr/local/etc/nginx/key/trust_upstream_' . $upstream_uuid . '.pem',
+                    '/usr/local/etc/nginx/key/trust_upstream_' . $upstream_uuid . '.pem','',
                     implode("\n", $cas)
                 );
             }

From b8f3df4db47389631315b52b79d8625fb71fea82 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 31 Jan 2021 14:50:09 +0100
Subject: [PATCH 0378/3088] Framework: default ABI to 21.1

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 8c3a2696de..089cdc705f 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -58,7 +58,7 @@ _PLUGIN_PYTHON!=${PYTHONLINK} -V
 PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
-PLUGIN_ABI?=	20.7
+PLUGIN_ABI?=	21.1
 PLUGIN_PHP?=	73
 PLUGIN_PYTHON?=	37
 

From 8c13f081e57abee8da20b84f189cd733ef68d9e3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 31 Jan 2021 14:50:28 +0100
Subject: [PATCH 0379/3088] www/nginx: bump revision after bugfix

---
 www/nginx/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 9300bbe93c..94215b98eb 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.20
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 79ba4fcfb3c960d2285f26f2c6258c7f60b6f05c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 31 Jan 2021 14:51:22 +0100
Subject: [PATCH 0380/3088] misc/theme-cicada: wrong version, cannot go from 25
 to 3

---
 misc/theme-cicada/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index c70fa8d5e1..af5a7440ac 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.26
 PLUGIN_COMMENT=		The cicada theme - dark grey
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 

From 7bc45e2ce3c66912db8e8ce3513d9dee8760e68f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 31 Jan 2021 14:53:14 +0100
Subject: [PATCH 0381/3088] misc/theme-cicada: whitespace sweep

---
 .../src/opnsense/www/themes/cicada/build/css/main.css            | 1 -
 .../src/opnsense/www/themes/cicada/build/css/tokenize2.css       | 1 -
 2 files changed, 2 deletions(-)

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index f3dc00e537..59211a51fa 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -6620,4 +6620,3 @@ ul.jqtree-tree .jqtree-title {
   background-color: #d77610 !important;
   color: #FFF !important;
 }
-
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tokenize2.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tokenize2.css
index 86a66906da..7c8c4b0b11 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tokenize2.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tokenize2.css
@@ -170,4 +170,3 @@
 .tokenize-dropdown > .dropdown-menu li:not(.active) a:focus {
   background-color: transparent;
 }
-

From 8acfa41254091865746073c8848b37245cfe7478 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Feb 2021 13:46:22 +0100
Subject: [PATCH 0382/3088] Framework: do not hardcode CATEGORIES

---
 Makefile  |  4 ++--
 README.md | 18 +++++++++---------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/Makefile b/Makefile
index 2b9da252c5..6c21da0d95 100644
--- a/Makefile
+++ b/Makefile
@@ -28,8 +28,8 @@ all:
 
 .include "Mk/defaults.mk"
 
-CATEGORIES=	benchmarks databases devel dns mail misc net-mgmt \
-		net security sysutils vendor www
+CATEGORIES!=	ls -1d [a-z0-9]*
+CATEGORIES:=	${CATEGORIES:Nruleset.xml}
 
 .for CATEGORY in ${CATEGORIES}
 _${CATEGORY}!=	ls -1d ${CATEGORY}/*
diff --git a/README.md b/README.md
index 11d06a1e11..e970151c0e 100644
--- a/README.md
+++ b/README.md
@@ -44,15 +44,6 @@ misc/theme-cicada -- The cicada theme - dark grey
 misc/theme-rebellion -- A suitably dark theme
 misc/theme-tukan -- The tukan theme - blue/white
 misc/theme-vicuna -- The vicuna theme - dark anthrazit
-net-mgmt/collectd -- Collect system and application performance metrics periodically
-net-mgmt/lldpd -- LLDP allows you to know exactly on which port is a server
-net-mgmt/net-snmp -- Net-SNMP is a daemon for the SNMP protocol
-net-mgmt/netdata -- Real-time performance monitoring
-net-mgmt/nrpe -- Execute nagios plugins
-net-mgmt/telegraf -- Agent for collecting metrics and data
-net-mgmt/zabbix-agent -- Zabbix monitoring agent
-net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
-net-mgmt/zabbix5-proxy -- Zabbix Proxy enables decentralized monitoring
 net/chrony -- Chrony time synchronisation
 net/firewall -- Firewall API supplemental package
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
@@ -73,6 +64,15 @@ net/vnstat -- vnStat is a console-based network traffic monitor
 net/wireguard -- WireGuard VPN service
 net/wol -- Wake on LAN Service
 net/zerotier -- Virtual Networks That Just Work
+net-mgmt/collectd -- Collect system and application performance metrics periodically
+net-mgmt/lldpd -- LLDP allows you to know exactly on which port is a server
+net-mgmt/net-snmp -- Net-SNMP is a daemon for the SNMP protocol
+net-mgmt/netdata -- Real-time performance monitoring
+net-mgmt/nrpe -- Execute nagios plugins
+net-mgmt/telegraf -- Agent for collecting metrics and data
+net-mgmt/zabbix-agent -- Zabbix monitoring agent
+net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
+net-mgmt/zabbix5-proxy -- Zabbix Proxy enables decentralized monitoring
 security/acme-client -- Let's Encrypt client
 security/clamav -- Antivirus engine for detecting malicious threats
 security/etpro-telemetry -- ET Pro Telemetry Edition

From d40fbc6125466c9c6b36acea886d0fe1436b5acd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Feb 2021 14:04:37 +0100
Subject: [PATCH 0383/3088] gitignore: sort

---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 547c60c39e..3687d0f272 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-/*/*/work
 *.pyc
 .idea
+/*/*/work

From 850e1c11a8d1ac10948b14ec961ce8b994e84c30 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Feb 2021 14:44:59 +0100
Subject: [PATCH 0384/3088] Framework: exclude .md files

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 6722b8727e..b1eff47759 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -296,7 +296,7 @@ lint-php: check
 	@find ${.CURDIR}/src \
 	    ! -name "*.xml" ! -name "*.xml.sample" ! -name "*.eot" \
 	    ! -name "*.svg" ! -name "*.woff" ! -name "*.woff2" \
-	    ! -name "*.otf" ! -name "*.png" ! -name "*.js" \
+	    ! -name "*.otf" ! -name "*.png" ! -name "*.js" ! -name "*.md" \
 	    ! -name "*.scss" ! -name "*.py" ! -name "*.ttf" \
 	    ! -name "*.tgz" ! -name "*.xml.dist" ! -name "*.sh" \
 	    -type f -print0 | xargs -0 -n1 php -l

From 20090ccdb98877aac00c4687571a395753d40ead Mon Sep 17 00:00:00 2001
From: windgmbh <49904312+windgmbh@users.noreply.github.com>
Date: Mon, 1 Feb 2021 21:17:12 +0100
Subject: [PATCH 0385/3088] mail/postfix: Duplicate Message Fix, Milter Default
 Action Choice and Recipient Address Verification (#2133)

* mail/postfix: Set 'milter_protocol' to version 6

* mail/postfix: Use default milter macros

* mail/postfix: Add milter_default_action choice

* mail/rspamd+postfix: Use Unix Sockets

* mail/postfix: Add Recipient Address Verification

* mail/postfix+rspamd: Update version information
---
 mail/postfix/Makefile                                |  2 +-
 mail/postfix/pkg-descr                               |  5 +++++
 .../controllers/OPNsense/Postfix/forms/antispam.xml  |  6 +++---
 .../controllers/OPNsense/Postfix/forms/general.xml   |  6 ++++++
 .../mvc/app/models/OPNsense/Postfix/Antispam.xml     | 12 ++++++------
 .../mvc/app/models/OPNsense/Postfix/General.xml      |  6 +++++-
 .../service/templates/OPNsense/Postfix/main.cf       | 12 +++++++-----
 mail/rspamd/Makefile                                 |  2 +-
 mail/rspamd/pkg-descr                                |  4 ++++
 .../service/templates/OPNsense/Rspamd/+TARGETS       |  2 ++
 .../templates/OPNsense/Rspamd/worker-normal.inc      |  3 +++
 .../templates/OPNsense/Rspamd/worker-proxy.inc       |  7 +++++++
 12 files changed, 50 insertions(+), 17 deletions(-)
 create mode 100644 mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/worker-normal.inc
 create mode 100644 mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/worker-proxy.inc

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 18112fb894..54ec134638 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.17
+PLUGIN_VERSION=		1.18
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index d20dc9dd59..92c04b7692 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,11 @@ is completely different.
 Plugin Changelog
 ================
 
+1.18
+
+* Add 'milter_default_action' choice
+* Fix Milter Protocol
+
 1.17
 
 * Add smtpd_sasl_auth_enable to configuration (by @fhloston)
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/antispam.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/antispam.xml
index 56385df57d..031fa2b2f9 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/antispam.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/antispam.xml
@@ -6,9 +6,9 @@
         <help>This will allow Postfix to connect to rspamd via milter protocol.</help>
     </field>
     <field>
-        <id>antispam.milter_rspamd</id>
-        <label>Milter IP Version</label>
+        <id>antispam.default_action</id>
+        <label>Milter Default Action</label>
         <type>dropdown</type>
-        <help>Select the IP version for connecting to rspamd.</help>
+        <help>What Postfix will do when Rspamd becomes temporarily unavailable.</help>
     </field>
 </form>
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 7c76486158..97d2d23230 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -229,4 +229,10 @@
         <label>Reject Unauthenticated Destination</label>
         <type>checkbox</type>
     </field>
+    <field>
+        <id>general.reject_unverified_recipient</id>
+        <label>Reject Unverified Recipient</label>
+        <type>checkbox</type>
+        <help>Use Recipient Address Verification. Please keep in mind that this could put significant load onto the next server.</help>
+    </field>
 </form>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Antispam.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Antispam.xml
index 6e0e02587f..fdb3cac7fd 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Antispam.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Antispam.xml
@@ -1,19 +1,19 @@
 <model>
     <mount>//OPNsense/postfix/antispam</mount>
     <description>Postfix Antispam configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <enable_rspamd type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
         </enable_rspamd>
-        <milter_rspamd type="OptionField">
-            <default>6</default>
+        <default_action type="OptionField">
+            <default>accept</default>
             <Required>Y</Required>
             <OptionValues>
-                <Option1 value="6">IPv6</Option1>
-                <Option2 value="4">IPv4</Option2>
+                <accept>accept</accept>
+                <tempfail>tempfail</tempfail>
             </OptionValues>
-        </milter_rspamd>
+        </default_action>
     </items>
 </model>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index 4a0bd65e4e..f829a07afc 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/postfix/general</mount>
     <description>Postfix configuration</description>
-    <version>1.2.4</version>
+    <version>1.2.5</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -171,5 +171,9 @@
             <default>1</default>
             <Required>Y</Required>
         </reject_unauth_destination>
+        <reject_unverified_recipient type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </reject_unverified_recipient>
     </items>
 </model>
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 604fe9cc16..8df295bb9e 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -121,11 +121,10 @@ smtpd_sasl_auth_enable = yes
 {% endif %}
 
 {% if helpers.exists('OPNsense.postfix.antispam.enable_rspamd') and OPNsense.postfix.antispam.enable_rspamd == '1' %}
-smtpd_milters = inet:localhost:11332
-non_smtpd_milters = inet:localhost:11332
-milter_protocol = {{ OPNsense.postfix.antispam.milter_rspamd }}
-milter_mail_macros =  i {mail_addr} {client_addr} {client_name} {auth_authen}
-milter_default_action = accept
+smtpd_milters = unix:/var/run/rspamd/milter.sock
+non_smtpd_milters = $smtpd_milters
+milter_protocol = 6
+milter_default_action = {{ OPNsense.postfix.antispam.default_action }}
 {% endif %}
 
 {% if helpers.exists('OPNsense.postfix.general.enforce_recipient_check') and OPNsense.postfix.general.enforce_recipient_check == '1' %}
@@ -179,6 +178,9 @@ relay_recipient_maps = hash:/usr/local/etc/postfix/recipient_access
 {% if helpers.exists('OPNsense.postfix.general.reject_unauth_destination') and OPNsense.postfix.general.reject_unauth_destination == '1' %}
 {% do smtpd_recipient_restrictions.append('reject_unauth_destination') %}
 {% endif %}
+{% if helpers.exists('OPNsense.postfix.general.reject_unverified_recipient') and OPNsense.postfix.general.reject_unverified_recipient == '1' %}
+{% do smtpd_recipient_restrictions.append('reject_unverified_recipient') %}
+{% endif %}
 
 {% if smtpd_recipient_restrictions|length >= 1 %}
 smtpd_recipient_restrictions = {{ smtpd_recipient_restrictions | join(', ') }}
diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index f19a4a45e1..01016fdafc 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		rspamd
-PLUGIN_VERSION=		1.10
+PLUGIN_VERSION=		1.11
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/mail/rspamd/pkg-descr b/mail/rspamd/pkg-descr
index c2118b5256..183897120d 100644
--- a/mail/rspamd/pkg-descr
+++ b/mail/rspamd/pkg-descr
@@ -5,6 +5,10 @@ lua.
 Plugin Changelog
 ----------------
 
+1.11
+
+* Fix Milter Protocol by binding to Unix Sockets
+
 1.10
 
 * Add nameserver option
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
index ec5b4811a5..6337a9b543 100644
--- a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
@@ -22,3 +22,5 @@ spamtrap-map:/usr/local/etc/rspamd/maps.d/spamtrap.map
 classifier-bayes.conf:/usr/local/etc/rspamd/local.d/classifier-bayes.conf
 history_redis.conf:/usr/local/etc/rspamd/local.d/history_redis.conf
 options.inc:/usr/local/etc/rspamd/local.d/options.inc
+worker-normal.inc:/usr/local/etc/rspamd/local.d/worker-normal.inc
+worker-proxy.inc:/usr/local/etc/rspamd/local.d/worker-proxy.inc
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/worker-normal.inc b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/worker-normal.inc
new file mode 100644
index 0000000000..68e0849dca
--- /dev/null
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/worker-normal.inc
@@ -0,0 +1,3 @@
+{% if helpers.exists('OPNsense.Rspamd.general.enabled') and OPNsense.Rspamd.general.enabled == '1' %}
+bind_socket = "/var/run/rspamd/normal.sock mode=0666 owner=rspamd";
+{% endif %}
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/worker-proxy.inc b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/worker-proxy.inc
new file mode 100644
index 0000000000..e6941245cf
--- /dev/null
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/worker-proxy.inc
@@ -0,0 +1,7 @@
+{% if helpers.exists('OPNsense.Rspamd.general.enabled') and OPNsense.Rspamd.general.enabled == '1' %}
+upstream "local" {
+  default = yes;
+  hosts = "/var/run/rspamd/normal.sock";
+}
+bind_socket = "/var/run/rspamd/milter.sock mode=0666 owner=rspamd";
+{% endif %}

From a971e25370a685fe9b57d07f77ca839ba8863a0c Mon Sep 17 00:00:00 2001
From: Fredrik Rambris <fredrik@rambris.com>
Date: Wed, 3 Feb 2021 10:32:15 +0100
Subject: [PATCH 0386/3088] Added fix for updating apex domains (mydomain.com)
 with gratisdns (#1806)

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index c21cab989a..df3cb8ce1e 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -883,7 +883,12 @@ class updatedns
             case 'gratisdns':
                 $server = "https://admin.gratisdns.com/ddns.php";
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                list($hostname, $domain) = explode(".", $this->_dnsHost, 2);
+                if(substr_count($this->_dnsHost, ".") < 2) {
+                   $domain = $this->_dnsHost;
+                   $hostname = $this->_dnsHost;
+                } else {
+                   list($hostname, $domain) = explode(".", $this->_dnsHost, 2);
+                }
                 curl_setopt($ch, CURLOPT_URL, $server . '?u=' . urlencode($this->_dnsUser) . '&p=' . $this->_dnsPass . '&h=' . $this->_dnsHost . '&d=' . $domain . '&i=' . $this->_dnsIP);
                 break;
             case 'ovh-dynhost':

From aa194e874a19ed1820113631984f84c3138b06aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20St=C3=BCrz?= <as@andeman.de>
Date: Wed, 3 Feb 2021 14:22:51 +0100
Subject: [PATCH 0387/3088] net/haproxy: change server state and weight
 on-the-fly  (#2213)

* add Frontend Controller
add service with script

* set single server state
get haproxy server status list for jquery bootstrap

* set single server weight
add venv folder to .gitignore

* set bulk server weight
set bulk server state

* add copyrights

* set single server weight
add venv folder to .gitignore
---
 .gitignore                                    |   1 +
 .../HAProxy/Api/MaintenanceController.php     | 170 +++++++++++
 .../HAProxy/MaintenanceController.php         |  45 +++
 .../app/models/OPNsense/HAProxy/Menu/Menu.xml |   5 +-
 .../views/OPNsense/HAProxy/maintenance.volt   | 286 ++++++++++++++++++
 .../OPNsense/HAProxy/lib/haproxy/__init__.py  |   3 +
 .../OPNsense/HAProxy/lib/haproxy/cmds.py      | 237 +++++++++++++++
 .../OPNsense/HAProxy/lib/haproxy/conn.py      |  83 +++++
 .../OPNsense/HAProxy/lib/haproxy/const.py     |   7 +
 .../HAProxy/lib/haproxy/tests/__init__.py     |   0
 .../HAProxy/lib/haproxy/tests/test_cmds.py    |  73 +++++
 .../HAProxy/lib/haproxy/tests/test_conn.py    |  59 ++++
 .../scripts/OPNsense/HAProxy/socketCommand.py | 126 ++++++++
 .../conf/actions.d/actions_haproxy.conf       |  30 ++
 14 files changed, 1124 insertions(+), 1 deletion(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/MaintenanceController.php
 create mode 100644 net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
 create mode 100644 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py
 create mode 100644 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
 create mode 100644 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
 create mode 100644 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py
 create mode 100644 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py
 create mode 100644 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
 create mode 100644 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py
 create mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py

diff --git a/.gitignore b/.gitignore
index 3687d0f272..855a6c3936 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 *.pyc
 .idea
+venv
 /*/*/work
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
new file mode 100644
index 0000000000..0a2e180da6
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
@@ -0,0 +1,170 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Andreas Stuerz
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\HAProxy\HAProxy;
+
+/**
+ * Class MaintenanceController
+ * @package OPNsense\HAProxy
+ */
+class MaintenanceController extends ApiControllerBase
+{
+    /**
+     * jQuery bootstrap server list
+     * @return array|mixed
+     */
+    public function searchServerAction()
+    {
+        return $this->getData(
+            ["server_status_list"],
+            ["rowCount", "current", "searchPhrase", "sort"]
+        );
+    }
+
+    /**
+     * set server weight
+     * @return array|mixed
+     */
+    public function serverWeightAction()
+    {
+        return $this->saveData(
+            ["server_weight"],
+            ["backend", "server", "weight"]
+        );
+    }
+
+    /**
+     * set server administrative state
+     * @return array|mixed
+     */
+    public function serverStateAction()
+    {
+        return $this->saveData(
+            ["server_state"],
+            ["backend", "server", "state"]
+        );
+    }
+
+    /**
+     * set server administrative state for multiple servers
+     * @return array|mixed
+     */
+    public function serverStateBulkAction()
+    {
+        return $this->saveData(
+            ["server_state_bulk"],
+            ["server_ids", "state"]
+        );
+    }
+
+    /**
+     * set server weight for multiple servers
+     * @return array|mixed
+     */
+    public function serverWeightBulkAction()
+    {
+        return $this->saveData(
+            ["server_weight_bulk"],
+            ["server_ids", "weight"]
+        );
+    }
+
+    /**
+     * Execute a backend command securely
+     * @param array $command
+     * @param array $arguments
+     * @return string
+     */
+    protected function safeBackendCmd(array $command, array $arguments = [])
+    {
+        $backend = new Backend();
+
+        foreach ($arguments as $name) {
+            $val = $this->request->getPost($name);
+            if (is_array($val) and $name == 'sort') {
+                $sort =  key(array_slice($val, 0, 1));
+                $sort_dir = $val[$sort];
+                $command[] = $sort;
+                $command[] = $sort_dir;
+                continue;
+            }
+            $command[] = $val;
+        }
+
+        $command = array_map(function ($value) {
+            return escapeshellarg(empty($value = trim($value)) ? null : $value);
+        }, $command);
+
+        return trim($backend->configdRun("haproxy " . join(" ", $command)));
+    }
+
+    /**
+     * Executes a backend command to get data
+     * @param array $command
+     * @param array $arguments
+     * @return string|string[]
+     */
+    protected function getData(array $command, array $arguments = [])
+    {
+        if ($this->request->isPost()) {
+            return $this->safeBackendCmd($command, $arguments);
+        }
+        return ["status" => "unavailable"];
+    }
+
+    /**
+     * Executes a backend command to save data
+     * @param array $command
+     * @param array $arguments
+     * @return array|string[]
+     */
+    protected function saveData(array $command, array $arguments = [])
+    {
+        if ($this->request->isPost()) {
+            if ($error = $this->safeBackendCmd($command, $arguments)) {
+                return [
+                    "status" => "error",
+                    "message" => $error
+                ];
+            } else {
+                return ["status" => "ok"];
+            }
+        }
+        return [
+            "status" => 'unavailable',
+            "message" => 'only accept POST Requests.'
+        ];
+    }
+}
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/MaintenanceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/MaintenanceController.php
new file mode 100644
index 0000000000..d5a073cc78
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/MaintenanceController.php
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Andreas Stuerz
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy;
+
+/**
+ * Class MaintenanceController
+ * @package OPNsense\HAProxy
+ */
+class MaintenanceController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // choose template
+        $this->view->pick('OPNsense/HAProxy/maintenance');
+    }
+}
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
index 750fe00af6..8d12e55ab8 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
@@ -28,7 +28,10 @@
               <Counters VisibleName="Counters" url="/ui/haproxy/statistics#counters"/>
               <StickTables VisibleName="Stick Tables" url="/ui/haproxy/statistics#tables"/>
           </Statistics>
-          <Log VisibleName="Log File" order="30" url="/ui/diagnostics/log/core/haproxy"/>
+          <Maintenance VisibleName="Maintenance" order="30" url="/ui/haproxy/maintenance">
+              <Server VisibleName="Server" url="/ui/haproxy/maintenance#server"/>
+          </Maintenance>
+          <Log VisibleName="Log File" order="40" url="/ui/diagnostics/log/core/haproxy"/>
       </HAProxy>
     </Services>
 </menu>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
new file mode 100644
index 0000000000..33332c27b1
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -0,0 +1,286 @@
+{#
+
+Copyright (C) 2021 Andreas Stuerz
+OPNsense® is Copyright © 2014 – 2016 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        $("#grid-status").bootgrid('destroy');
+        var grid_status = $("#grid-status").UIBootgrid({
+            search: '/api/haproxy/maintenance/searchServer',
+            options: {
+                ajax: true,
+                selection: true,
+                multiSelect: true,
+                keepSelection: true,
+                rowCount:[10,25,50,100,500,1000],
+                searchSettings: {
+                    delay: 250,
+                    characters: 1
+                },
+                formatters: {
+                    "commands": function (column, row) {
+                        buttons = ""
+                        buttons += "<button type=\"button\" title=\"Set administrative state to ready. Puts the server in normal mode.\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"ready\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-check\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"Set administrative state to drain. Removes the server from load balancing but still allows it to be health checked and to accept new persistent connections\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"drain\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-sort-amount-desc\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"Set administrative state to maintenance. Disables any traffic to the server as well as any health checks.\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"maint\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-wrench\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"Change a server's weight.\" class=\"btn btn-xs btn-default command-set-weight\" data-weight=\"" + row.weight + "\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-balance-scale\"></span></button>"
+                        return buttons;
+                    },
+                },
+            }
+        }).on("loaded.rs.jquery.bootgrid", function(){
+            // set single - server state
+            grid_status.find(".command-set-state").off().on("click", function(e) {
+                var uuid = $(this).data("row-id");
+                var backend = uuid.split("/")[0];
+                var server = uuid.split("/")[1];
+                var state = $(this).data("state");
+                var payload = {
+                  'backend': backend,
+                  'server': server,
+                  'state': state
+                };
+
+                question = '<b>{{ lang._('Server: ') }}' + uuid + '</b></br>';
+                question += '<b>{{ lang._('State: ') }}' + state + '</b></br></br>';
+                question += '{{ lang._('Set administrative state for this server?') }} </br></br>';
+
+                stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                    question,
+                    '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+                        $.post('/api/haproxy/maintenance/serverState', payload, function(data) {
+                            if (data.status != 'ok') {
+                                BootstrapDialog.show({
+                                    type: BootstrapDialog.TYPE_DANGER,
+                                    title: "{{ lang._('Error setting HAProxy server administrative state') }}",
+                                    message: data.message,
+                                    buttons: [{
+                                        label: '{{ lang._('Close') }}',
+                                        action: function(dialog){
+                                          dialog.close();
+                                        }
+                                    }]
+                                });
+                            } else {
+                                $("#grid-status").bootgrid("reload");
+                            }
+                        });
+                });
+
+            });
+
+            // set single - server weight
+            grid_status.find(".command-set-weight").off().on("click", function(e) {
+                var uuid = $(this).data("row-id");
+                var backend = uuid.split("/")[0];
+                var server = uuid.split("/")[1];
+                var currentWeight = $(this).data("weight");
+
+                question = '<b>{{ lang._('Server: ') }}' + uuid + '</b></br></br>';
+                question += '<b>{{ lang._('Weight: ') }}</b>';
+                question += '<div class="form-group" style="display: block;">';
+                question += '<input class="form-control" id="newWeight" value="' + currentWeight  + '" type="text"/>';
+                question += '</div>';
+                question += '{{ lang._('Set weight for this server?') }} </br></br>';
+
+                stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                    question,
+                    '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+
+                    var payload = {
+                      'backend': backend,
+                      'server': server,
+                      'weight': $("#newWeight").val()
+                    };
+
+                    $.post('/api/haproxy/maintenance/serverWeight', payload, function(data) {
+                        if (data.status != 'ok') {
+                            BootstrapDialog.show({
+                                type: BootstrapDialog.TYPE_DANGER,
+                                title: "{{ lang._('Error setting HAProxy server weight') }}",
+                                message: data.message,
+                                buttons: [{
+                                    label: '{{ lang._('Close') }}',
+                                    action: function(dialog){
+                                      dialog.close();
+                                    }
+                                }]
+                            });
+                        } else {
+                            $("#grid-status").bootgrid("reload");
+                        }
+                    });
+                });
+            });
+
+            // set bulk - server state
+            grid_status.find("*[data-action=setStateBulk]").off().on("click", function(e) {
+                var rows = $("#grid-status").bootgrid("getSelectedRows");
+                var server_ids = rows.join()
+                var state = $(this).data("state");
+                var payload = {
+                  'server_ids': server_ids,
+                  'state': state
+                };
+
+                if (rows != undefined && rows.length > 0) {
+                    question = '<b>{{ lang._('Selected server: ') }}</b></br>';
+                    question += '<ul>';
+                    $.each(rows, function(key, id){
+                        question += '<li>' + id + '</li>';
+                    });
+                    question += '</ul>';
+                    question += '<b>{{ lang._('State: ') }}' + state + '</b></br></br>';
+                    question += '{{ lang._('Set administrative state for all selected server?') }} </br></br>';
+
+                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                        question,
+                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+                            $.post('/api/haproxy/maintenance/serverStateBulk', payload, function(data) {
+                                if (data.status != 'ok') {
+                                    BootstrapDialog.show({
+                                        type: BootstrapDialog.TYPE_DANGER,
+                                        title: "{{ lang._('Error setting HAProxy server administrative state') }}",
+                                        message: data.message,
+                                        buttons: [{
+                                            label: '{{ lang._('Close') }}',
+                                            action: function(dialog){
+                                              dialog.close();
+                                              // reload - because some are successfully executed
+                                              $("#grid-status").bootgrid("reload");
+                                            }
+                                        }]
+                                    });
+                                } else {
+                                    $("#grid-status").bootgrid("deselect");
+                                    $("#grid-status").bootgrid("reload");
+                                }
+                            });
+                    });
+                }
+            });
+
+            // set bulk - server weight
+            grid_status.find("*[data-action=setWeightBulk]").off().on("click", function(e) {
+                var rows = $("#grid-status").bootgrid("getSelectedRows");
+                var server_ids = rows.join()
+
+                if (rows != undefined && rows.length > 0) {
+                    question = '<b>{{ lang._('Selected server: ') }}</b></br>';
+                    question += '<ul>';
+                    $.each(rows, function(key, id){
+                        question += '<li>' + id + '</li>';
+                    });
+                    question += '</ul>';
+                    question += '<b>{{ lang._('Weight: ') }}</b>';
+                    question += '<div class="form-group" style="display: block;">';
+                    question += '<input class="form-control" id="newBulkWeight" value="" type="text"/>';
+                    question += '</div>';
+                    question += '{{ lang._('Set weight for all selected server?') }} </br></br>';
+
+                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                        question,
+                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+                            var payload = {
+                              'server_ids': server_ids,
+                              'weight': $("#newBulkWeight").val()
+                            };
+
+                            $.post('/api/haproxy/maintenance/serverWeightBulk', payload, function(data) {
+                                if (data.status != 'ok') {
+                                    BootstrapDialog.show({
+                                        type: BootstrapDialog.TYPE_DANGER,
+                                        title: "{{ lang._('Error setting HAProxy server weight') }}",
+                                        message: data.message,
+                                        buttons: [{
+                                            label: '{{ lang._('Close') }}',
+                                            action: function(dialog){
+                                              dialog.close();
+                                              // reload - because some are successfully executed
+                                              $("#grid-status").bootgrid("reload");
+
+                                            }
+                                        }]
+                                    });
+                                } else {
+                                    $("#grid-status").bootgrid("deselect");
+                                    $("#grid-status").bootgrid("reload");
+                                }
+                            });
+                    });
+                }
+            });
+
+        });
+    });
+</script>
+
+<ul class="nav nav-tabs" role="tablist"  id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#server"><b>{{ lang._('Server') }}</b></a></li>
+</ul>
+
+<div class="content-box tab-content">
+    <div id="server" class="tab-pane fade in active">
+        <!-- tab page "server" -->
+        <table id="grid-status" class="table table-condensed table-hover table-striped table-responsive">
+            <thead>
+            <tr>
+                <th data-column-id="id" data-type="string" data-identifier="true" data-visible="false">{{ lang._('id') }}</th>
+                <th data-column-id="pxname" data-type="string">{{ lang._('Proxy') }}</th>
+                <th data-column-id="svname" data-type="string">{{ lang._('Server') }}</th>
+                <th data-column-id="addr" data-type="string">{{ lang._('Address') }}</th>
+                <th data-column-id="status" data-type="string">{{ lang._('Status') }}</th>
+                <th data-column-id="check_status" data-type="string">{{ lang._('Check Status') }}</th>
+                <th data-column-id="weight" data-type="string">{{ lang._('Weight') }}</th>
+                <th data-column-id="scur" data-type="string">{{ lang._('Sessions') }}</th>
+                <th data-column-id="bin" data-type="string">{{ lang._('Bytes in') }}</th>
+                <th data-column-id="bout" data-type="string">{{ lang._('Bytes out') }}</th>
+                <th data-column-id="act" data-type="string">{{ lang._('Active') }}</th>
+                <th data-column-id="downtime" data-type="string">{{ lang._('Downtime') }}</th>
+                <th data-column-id="lastchg" data-type="string">{{ lang._('Last Change') }}</th>
+                <th data-column-id="commands" data-width="8em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="setStateBulk" title="Set administrative state to ready for all selected items." data-state="ready" type="button" class="btn btn-xs btn-default"><span class="fa fa-check"></span></button>
+                    <button data-action="setStateBulk" title="Set administrative state to drain for all selected items." data-state="drain" type="button" class="btn btn-xs btn-default"><span class="fa fa-sort-amount-desc"></span></button>
+                    <button data-action="setStateBulk" title="Set administrative state to maintenance for all selected items." data-state="maint" type="button" class="btn btn-xs btn-default"><span class="fa fa-wrench"></span></button>
+                    <button data-action="setWeightBulk" data-weight="" type="button" class="btn btn-xs btn-default"><span class="fa fa-balance-scale"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+</div>
+
+{{ partial("layout_partials/base_dialog_processing") }}
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py
new file mode 100644
index 0000000000..c7f37eafa1
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py
@@ -0,0 +1,3 @@
+"""haproxy lib for socket commands.
+Based on: https://github.com/neurogeek/haproxyctl"""
+__version__ = "1.0"
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
new file mode 100644
index 0000000000..0316bd99ef
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
@@ -0,0 +1,237 @@
+# pylint: disable=locally-disabled, too-few-public-methods, no-self-use, invalid-name
+"""cmds.py - Implementations of the different HAProxy commands"""
+
+import re
+import csv
+import json
+from io import StringIO
+
+
+class Cmd():
+    """Cmd - Command base class"""
+    req_args = []
+    args = {}
+    cmdTxt = ""
+    helpTxt = ""
+
+    # pylint: disable=unused-argument
+    def __init__(self, *args, **kwargs):
+        """Argument to the command are given in kwargs only. We ignore *args."""
+        self.args = kwargs
+        valid_kwargs = [k for (k, v) in kwargs.items() if v is not None]
+
+        if not all([a in valid_kwargs for a in self.req_args]):
+            raise Exception(f"Wrong number of arguments. Required arguments are: {self.WhatArgs()}")
+
+    def WhatArgs(self):
+        """Returns a formatted string of arguments to this command."""
+        return ",".join(self.req_args)
+
+    @classmethod
+    def getHelp(cls):
+        """Get formatted help string for this command."""
+        txtArgs = ",".join(cls.req_args)
+
+        if not txtArgs:
+            txtArgs = "None"
+        return " ".join((cls.helpTxt, "Arguments: %s" % txtArgs))
+
+    def getCmd(self):
+        """Gets the command line for this command.
+        The default behavior is to apply the args dict to cmdTxt
+        """
+        return self.cmdTxt % self.args
+
+    def getResult(self, res):
+        """Returns raw results gathered from HAProxy"""
+        if res == '\n':
+            res = None
+        return res
+
+    def getResultObj(self, res):
+        """Returns refined output from HAProxy, packed inside a Python obj i.e. a dict()"""
+        return res
+
+
+class setServerAgent(Cmd):
+    """Set server agent command."""
+    cmdTxt = "set server %(backend)s/%(server)s agent %(value)s\r\n"
+    req_args = ['backend', 'server', 'value']
+    helpTxt = "Force a server's agent to a new state."
+
+
+class setServerHealth(Cmd):
+    """Set server health command."""
+    cmdTxt = "set server %(backend)s/%(server)s health %(value)s\r\n"
+    req_args = ['backend', 'server', 'value']
+    helpTxt = "Force a server's health to a new state."
+
+
+class setServerState(Cmd):
+    """Set server state command."""
+    cmdTxt = "set server %(backend)s/%(server)s state %(value)s\r\n"
+    req_args = ['backend', 'server', 'value']
+    helpTxt = "Force a server's administrative state to a new state."
+
+
+class setServerWeight(Cmd):
+    """Set server weight command."""
+    cmdTxt = "set server %(backend)s/%(server)s weight %(value)s\r\n"
+    req_args = ['backend', 'server', 'value']
+    helpTxt = "Force a server's weight to a new state."
+
+
+class showFBEnds(Cmd):
+    """Base class for getting a listing Frontends and Backends"""
+    switch = ""
+    cmdTxt = "show stat\r\n"
+
+    def getResult(self, res):
+        return "\n".join(self._getResult(res))
+
+    def getResultObj(self, res):
+        return self._getResult(res)
+
+    def _getResult(self, res):
+        """Show Frontend/Backends. To do this, we extract info from
+           the stat command and filter out by a specific
+           switch (FRONTEND/BACKEND)"""
+
+        if not self.switch:
+            raise Exception("No action specified")
+
+        result = []
+        lines = res.split('\n')
+        cl = re.compile("^[^,].+," + self.switch.upper() + ",.*$")
+
+        for e in lines:
+            me = re.match(cl, e)
+            if me:
+                result.append(e.split(",")[0])
+        return result
+
+
+class showFrontends(showFBEnds):
+    """Show frontends command."""
+    switch = "frontend"
+    helpTxt = "List all Frontends."
+
+
+class showBackends(showFBEnds):
+    """Show backends command."""
+    switch = "backend"
+    helpTxt = "List all Backends."
+
+
+class showInfo(Cmd):
+    """Show info HAProxy command"""
+    cmdTxt = "show info\r\n"
+    helpTxt = "Show info on HAProxy instance."
+
+    def getResultObj(self, res):
+        resDict = {}
+        for line in res.split('\n'):
+            k, v = line.split(':')
+            resDict[k] = v
+
+        return resDict
+
+
+class showSessions(Cmd):
+    """Show sess HAProxy command"""
+    cmdTxt = "show sess\r\n"
+    helpTxt = "Show HAProxy sessions."
+
+    def getResultObj(self, res):
+        return res.split('\n')
+
+
+class baseStat(Cmd):
+    """Base class for stats commands."""
+
+    def getDict(self, res):
+        # clean response
+        res = re.sub(r'^# ', '', res, re.MULTILINE)
+        res = re.sub(r',\n', '\n', res, re.MULTILINE)
+        res = re.sub(r',\n\n', '\n', res, re.MULTILINE)
+
+        csv_string = StringIO(res)
+        return csv.DictReader(csv_string, delimiter=',')
+
+    def getBootstrapOutput(self, **kwargs):
+        rows = kwargs['rows']
+        # search
+        if kwargs['search']:
+            filtered_rows = []
+            for row in rows:
+                def inner(row):
+                    for k, v in row.items():
+                        if kwargs['search'] in v:
+                            return row
+                    return None
+
+                match = inner(row)
+                if match:
+                    filtered_rows.append(match)
+            rows = filtered_rows
+
+        # sort
+        rows.sort(key=lambda k: k[kwargs['sort_col']], reverse=True if kwargs['sort_dir'] == 'desc' else False)
+
+        # pager
+        total = len(rows)
+        pages = [rows[i:i + kwargs['page_rows']] for i in range(0, total, kwargs['page_rows'])]
+        if pages and (kwargs['page'] > len(pages) or kwargs['page'] < 1):
+            raise KeyError(f"Current page {kwargs['page']} does not exist. Available pages: {len(pages)}")
+        page = pages[kwargs['page'] - 1] if pages else []
+
+        return json.dumps({
+            "rows": page,
+            "total": total,
+            "rowCount": kwargs['page_rows'],
+            "current": kwargs['page']
+        })
+
+
+class showServers(baseStat):
+    """Show all servers. If backend is given, show only servers for this backend. """
+    cmdTxt = "show stat\r\n"
+    helpTxt = "Lists all servers. Filter for servers in backend, if set."
+
+    def getResult(self, res):
+        if self.args['output'] == 'json':
+            return json.dumps(self.getResultObj(res))
+
+        if self.args['output'] == 'bootstrap':
+            rows = self.getResultObj(res)
+            args = {
+                "rows": rows,
+                "page": int(self.args['page']) if self.args['page'] != None else 1,
+                "page_rows": int(self.args['page_rows']) if self.args['page_rows'] != None else len(rows),
+                "search": self.args['search'],
+                "sort_col": self.args['sort_col'] if self.args['sort_col'] else 'id',
+                "sort_dir": self.args['sort_dir'],
+            }
+            return self.getBootstrapOutput(**args)
+
+        return self.getResultObj(res)
+
+    def getResultObj(self, res):
+        servers = []
+
+        reader = self.getDict(res)
+        for row in reader:
+            # show only server
+            if row['svname'] in ['BACKEND', 'FRONTEND']:
+                continue
+
+            # filter server for given backend
+            if self.args['backend'] and row['pxname'] != self.args['backend']:
+                continue
+
+            # add id
+            row['id'] = f"{row['pxname']}/{row['svname']}"
+            row.move_to_end('id', last=False)
+            servers.append(dict(row))
+
+        return servers
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
new file mode 100644
index 0000000000..962a15cf5e
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
@@ -0,0 +1,83 @@
+# pylint: disable=locally-disabled, too-few-public-methods, no-self-use, invalid-name
+"""conn.py - Connection module."""
+import re
+from socket import socket, AF_INET, AF_UNIX, SOCK_STREAM
+from haproxy import const
+
+class HapError(Exception):
+    """Generic exception for haproxyctl."""
+    pass
+
+class HaPConn(object):
+    """HAProxy Socket object.
+       This class abstract the socket interface so
+       commands can be sent to HAProxy and results received and
+       parse by the command objects"""
+
+    def __init__(self, sfile, socket_module=socket):
+        """Initializes an HAProxy and opens a connection to it
+           (sfile, type) -> Path for the UNIX socket"""
+
+        self.sock = None
+        sfile = sfile.strip()
+        stype = AF_UNIX
+        self.socket_module = socket_module
+
+        mobj = re.match(
+            '(?P<proto>unix://|tcp://)(?P<addr>[^:]+):*(?P<port>[0-9]*)$', sfile)
+
+        if mobj:
+            proto = mobj.groupdict().get('proto', None)
+            addr = mobj.groupdict().get('addr', None)
+            port = mobj.groupdict().get('port', '')
+
+            if not addr or not proto:
+                raise HapError('Could not determine type of socket.')
+
+            if proto == const.HAP_TCP_PATH:
+                if not port:
+                    raise HapError('When using a tcp socket, a port is needed.')
+                stype = AF_INET
+                sfile = (addr, int(port))
+
+            if proto == const.HAP_UNIX_PATH:
+                stype = AF_UNIX
+                sfile = addr
+
+        # Fallback should be sfile/AF_UNIX by default
+        self.sfile = (sfile, stype)
+        self.open()
+
+    def open(self):
+        """Opens a connection for the socket.
+           This function should only be called if
+           self.closed() method was called"""
+
+        sfile, stype = self.sfile
+        self.sock = self.socket_module(stype, SOCK_STREAM)
+        self.sock.connect(sfile)
+
+    def sendCmd(self, cmd, objectify=False):
+        """Receives a command obj and sends it to the socket. Receives the output and passes it
+           through the command to parse it.
+           objectify -> Return an object instead of plain text"""
+
+        res = ""
+        try:
+            self.sock.send(cmd.getCmd())
+        except TypeError:
+            self.sock.send(bytearray(cmd.getCmd(), 'ASCII'))
+        output = self.sock.recv(const.HAP_BUFSIZE)
+
+        while output:
+            res += output.decode('ASCII')
+            output = self.sock.recv(const.HAP_BUFSIZE)
+
+        if objectify:
+            return cmd.getResultObj(res)
+
+        return cmd.getResult(res)
+
+    def close(self):
+        """Closes the socket"""
+        self.sock.close()
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py
new file mode 100644
index 0000000000..ebd60d8c89
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py
@@ -0,0 +1,7 @@
+"""const.py - Constants for haproxyctl."""
+HAP_OK = 1
+HAP_ERR = 2
+HAP_SOCK_ERR = 3
+HAP_BUFSIZE = 8192
+HAP_UNIX_PATH = 'unix://'
+HAP_TCP_PATH = 'tcp://'
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
new file mode 100644
index 0000000000..032954583d
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
@@ -0,0 +1,73 @@
+# pylint: disable=star-args, locally-disabled, too-few-public-methods, no-self-use, invalid-name
+"""test_cmds.py - Unittests related to command implementations."""
+import sys, os, unittest
+
+sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..'))
+from haproxy import cmds
+
+class TestCommands(unittest.TestCase):
+    """Tests all of the  commands."""
+    def setUp(self):
+
+        self.Resp = {"disable" : "disable server redis-ro/redis-ro0",
+                     "set-server-agent" : "set server redis-ro/redis-ro0 agent up",
+                     "set-server-health" : "set server redis-ro/redis-ro0 health stopping",
+                     "set-server-state" : "set server redis-ro/redis-ro0 state drain",
+                     "set-server-weight" : "set server redis-ro/redis-ro0 weight 10",
+                     "frontends" : "show stat",
+                     "info" : "show info",
+                     "sessions" : "show sess",
+                     "servers" : "show stat",
+
+        }
+
+        self.Resp = dict([(k, v + "\r\n") for k, v in self.Resp.items()])
+
+    def test_setServerAgent(self):
+        """Test 'set server agent' command"""
+        args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "up"}
+        cmdSetServerAgent = cmds.setServerAgent(**args).getCmd()
+        self.assertEqual(cmdSetServerAgent, self.Resp["set-server-agent"])
+
+    def test_setServerHealth(self):
+        """Test 'set server health' command"""
+        args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "stopping"}
+        cmdSetServerHealth = cmds.setServerHealth(**args).getCmd()
+        self.assertEqual(cmdSetServerHealth, self.Resp["set-server-health"])
+
+    def test_setServerState(self):
+        """Test 'set server state' command"""
+        args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "drain"}
+        cmdSetServerState = cmds.setServerState(**args).getCmd()
+        self.assertEqual(cmdSetServerState, self.Resp["set-server-state"])
+
+    def test_setServerWeight(self):
+        """Test 'set server weight' command"""
+        args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "10"}
+        cmdSetServerState = cmds.setServerWeight(**args).getCmd()
+        self.assertEqual(cmdSetServerState, self.Resp["set-server-weight"])
+
+    def test_showFrontends(self):
+        """Test 'frontends/backends' commands"""
+        args = {}
+        cmdFrontends = cmds.showFrontends(**args).getCmd()
+        self.assertEqual(cmdFrontends, self.Resp["frontends"])
+
+    def test_showInfo(self):
+        """Test 'show info' command"""
+        cmdShowInfo = cmds.showInfo().getCmd()
+        self.assertEqual(cmdShowInfo, self.Resp["info"])
+
+    def test_showSessions(self):
+        """Test 'show info' command"""
+        cmdShowInfo = cmds.showSessions().getCmd()
+        self.assertEqual(cmdShowInfo, self.Resp["sessions"])
+
+    def test_showServers(self):
+        """Test 'show info' command"""
+        args = {"backend": "redis-ro"}
+        cmdShowInfo = cmds.showServers(**args).getCmd()
+        self.assertEqual(cmdShowInfo, self.Resp["servers"])
+
+if __name__ == '__main__':
+    unittest.main()
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py
new file mode 100644
index 0000000000..fc6aac966b
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py
@@ -0,0 +1,59 @@
+# pylint: disable=locally-disabled, too-few-public-methods, no-self-use, invalid-name, broad-except
+"""test_conn.py - Unittests related to connections to HAProxy."""
+import sys, os
+sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..'))
+from haproxy import conn
+import unittest
+from socket import AF_INET, AF_UNIX
+
+class SimpleConnMock(object):
+    """Simple socket mock."""
+    def __init__(self, stype, stream):
+        self.stype = stype
+        self.stream = stream
+
+    def connect(self, addr):
+        """Mocked socket.connect method."""
+        pass
+
+class TestConnection(unittest.TestCase):
+    """Tests different aspects of haproxyctl's connections to HAProxy."""
+
+    def testConnSimple(self):
+        """Tests that connection to non-protocol path works and fallsback to UNIX socket."""
+        sfile = "/some/path/to/socket.sock"
+        c = conn.HaPConn(sfile, socket_module=SimpleConnMock)
+        addr, stype = c.sfile
+        self.assertEqual(sfile, addr)
+        self.assertEqual(stype, AF_UNIX)
+
+    def testConnUnixString(self):
+        """Tests that unix:// protocol works and connects to a socket."""
+        sfile = "unix:///some/path/to/socket.socket"
+        c = conn.HaPConn(sfile, socket_module=SimpleConnMock)
+        addr, stype = c.sfile
+        self.assertEqual("/some/path/to/socket.socket", addr)
+        self.assertEqual(stype, AF_UNIX)
+
+    def testConnTCPString(self):
+        """Tests that tcp:// protocol works and connects to an IP."""
+        sfile = "tcp://1.2.3.4:8080"
+        c = conn.HaPConn(sfile, socket_module=SimpleConnMock)
+        addr, stype = c.sfile
+        ip, port = addr
+        self.assertEqual("1.2.3.4", ip)
+        self.assertEqual(8080, port)
+        self.assertEqual(stype, AF_INET)
+
+    def testConnTCPStringNoPort(self):
+        """Tests that passing a tcp:// address with no port, raises an Exception."""
+        sfile = "tcp://1.2.3.4"
+        # Not using assertRaises because we still support 2.6
+        try:
+            conn.HaPConn(sfile, socket_module=SimpleConnMock)
+            raise Exception('Connection should have thrown an exception')
+        except conn.HapError:
+            pass
+
+if __name__ == '__main__':
+    unittest.main()
\ No newline at end of file
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
new file mode 100755
index 0000000000..fc42c7c144
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
@@ -0,0 +1,126 @@
+#!/usr/bin/env python3
+import os
+import sys
+import argparse
+import traceback
+
+sys.path.append(os.path.join(os.path.dirname(__file__), 'lib'))
+from haproxy.conn import HaPConn
+from haproxy import cmds
+
+SOCKET = '/var/run/haproxy.socket'
+VALID_COMMANDS = {
+    "set-server-agent": cmds.setServerAgent,
+    "set-server-health": cmds.setServerHealth,
+    "set-server-state": cmds.setServerState,
+    "set-server-weight": cmds.setServerWeight,
+    "show-frontends": cmds.showFrontends,
+    "show-backends": cmds.showBackends,
+    "show-info": cmds.showInfo,
+    "show-sessions": cmds.showSessions,
+    "show-servers": cmds.showServers,
+}
+
+def get_args():
+    parser = argparse.ArgumentParser(description='Send haproxy commands via socket.')
+    parser.add_argument(
+        'command',
+        choices=list(VALID_COMMANDS),
+        help='The command to execute via haproxy socket'
+    )
+    parser.add_argument(
+        '--backend',
+        help='Attempt action on given backend.',
+        default=None
+    )
+    parser.add_argument(
+        '--server',
+        help='Attempt action on given server.',
+        default=None
+    )
+    parser.add_argument(
+        '--server-ids',
+        help='Attempt action on a list of server, specified as a comma seperated list e.g. back1/server1,back2/server3',
+        default=None
+    )
+    parser.add_argument(
+        '--value',
+        help='Specify value for a set command.',
+        default=None
+    )
+    parser.add_argument(
+        '--output',
+        help='Specify output format.',
+        choices=['json', 'bootstrap'],
+        default=None
+    )
+    parser.add_argument(
+        '--page-rows',
+        help='Limit output to the specified numbers of rows per page.',
+        default=None
+    )
+    parser.add_argument(
+        '--page',
+        help='Output page number.',
+        default=None
+    )
+    parser.add_argument(
+        '--search',
+        help='Search for string.',
+        default=None
+    )
+    parser.add_argument(
+        '--sort-col',
+        help='Sort output on this column.',
+        default=None
+    )
+    parser.add_argument(
+        '--sort-dir',
+        help='Sort output in this direction.',
+        default=None
+    )
+    parser.add_argument(
+        '--debug',
+        type=bool,
+        help='Show debug output.',
+        default=False
+    )
+
+    return parser.parse_args()
+
+args = get_args()
+command_class = VALID_COMMANDS.get(args.command, None)
+command_args = {key: val for key, val in vars(args).items() if key != "command"}
+
+try:
+    if args.server_ids:
+        # bulk
+        command_bulk_args = command_args
+        command_bulk_args.pop('server_ids', None)
+        for server_id in args.server_ids.split(","):
+            command_bulk_args.update({
+                'backend': server_id.split("/")[0],
+                'server': server_id.split("/")[1]
+            })
+            con = HaPConn(SOCKET)
+            if con:
+                result = con.sendCmd(command_class(**command_bulk_args), objectify=False)
+                if result:
+                    print(f"{server_id}: {result.strip()}")
+                con.close()
+
+    else:
+        # single
+        con = HaPConn(SOCKET)
+        if con:
+            result = con.sendCmd(command_class(**command_args), objectify=False)
+            if result:
+                print(result.strip())
+        else:
+            print(f"Could not open socket {SOCKET}")
+
+except Exception as exc:
+    print(f"While talking to {SOCKET}: {exc}")
+    if args['debug']:
+        tb = traceback.format_exc()
+        print(tb)
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index 02896ebe0b..ce1ef790b6 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -45,3 +45,33 @@ command:/usr/local/opnsense/scripts/OPNsense/HAProxy/queryStats.php
 parameters:%s
 type:script_output
 message:requesting haproxy statistics
+
+[server_status_list]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+parameters: show-servers --output bootstrap --page-rows %s --page %s --search %s --sort-col %s --sort-dir %s
+type:script_output
+message:show server status list
+
+[server_state]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+parameters: set-server-state --backend %s --server %s --value %s
+type:script_output
+message:change haproxy server state
+
+[server_weight]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+parameters: set-server-weight --backend %s --server %s --value %s
+type:script_output
+message:change haproxy server weight
+
+[server_state_bulk]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+parameters: set-server-state --server-ids %s --value %s
+type:script_output
+message:change haproxy state for multiple server
+
+[server_weight_bulk]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+parameters: set-server-weight --server-ids %s --value %s
+type:script_output
+message:change haproxy weight for multiple server
\ No newline at end of file

From dd38b7d7a267e81bf59cb61a15e4f511e82ff799 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Feb 2021 08:53:28 +0100
Subject: [PATCH 0388/3088] net/haproxy: lint pass et al, bump revision to
 denote changes

---
 LICENSE                                                         | 1 +
 net/haproxy/Makefile                                            | 1 +
 .../opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py   | 0
 .../src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py   | 0
 .../src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py   | 0
 .../src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py  | 0
 .../scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py      | 0
 .../scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py     | 0
 .../scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py     | 2 +-
 .../src/opnsense/service/conf/actions.d/actions_haproxy.conf    | 2 +-
 10 files changed, 4 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py
 mode change 100644 => 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
 mode change 100644 => 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
 mode change 100644 => 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py
 mode change 100644 => 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py
 mode change 100644 => 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
 mode change 100644 => 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py

diff --git a/LICENSE b/LICENSE
index 6e7b1da527..e045225ed3 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,5 @@
 Copyright (c) 2015-2020 Ad Schellevis <ad@opnsense.org>
+Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2020 D. Domig
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 98aea3903e..3fcb8e78a4 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		2.26
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy20
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py
old mode 100644
new mode 100755
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
old mode 100644
new mode 100755
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
old mode 100644
new mode 100755
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py
old mode 100644
new mode 100755
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py
old mode 100644
new mode 100755
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
old mode 100644
new mode 100755
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py
old mode 100644
new mode 100755
index fc6aac966b..ea8c15f607
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py
@@ -56,4 +56,4 @@ def testConnTCPStringNoPort(self):
             pass
 
 if __name__ == '__main__':
-    unittest.main()
\ No newline at end of file
+    unittest.main()
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index ce1ef790b6..d286d73bff 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -74,4 +74,4 @@ message:change haproxy state for multiple server
 command:/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
 parameters: set-server-weight --server-ids %s --value %s
 type:script_output
-message:change haproxy weight for multiple server
\ No newline at end of file
+message:change haproxy weight for multiple server

From d17f76185ad52e4271b3c71da7424c3c1794758d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Feb 2021 09:01:23 +0100
Subject: [PATCH 0389/3088] dns/dyndns: bump revision after change

---
 dns/dyndns/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 2553b19f55..71ce6cee70 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.23
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From b3e2e8633a26ee57be11cc00414d1ec8bc6d81fe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Feb 2021 22:35:26 +0100
Subject: [PATCH 0390/3088] vendor/sunnyvalley: add proper PLUGIN_WWW

---
 vendor/sunnyvalley/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index e2687ad998..58fc4cc315 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -2,6 +2,7 @@ PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Vendor repository for Sensei (Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
+PLUGIN_WWW=		https://www.sunnyvalley.io
 PLUGIN_DEPENDS=		${PLUGIN_FLAVOUR:tl}
 
 .include "../../Mk/plugins.mk"

From e06826bf9e71e2a8f8825cc3dd0bc1e00ba8c2e4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Feb 2021 22:58:17 +0100
Subject: [PATCH 0391/3088] Framework: support version meta data JSON file

---
 Mk/defaults.mk     | 15 +++++++++++++--
 Mk/plugins.mk      | 21 +++++++++++++++------
 Scripts/version.sh | 34 ++++++++++++++++++++++++++++++++++
 Templates/version  | 11 +++++++++++
 4 files changed, 73 insertions(+), 8 deletions(-)
 create mode 100755 Scripts/version.sh
 create mode 100644 Templates/version

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 089cdc705f..1ec722ffe0 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -26,9 +26,14 @@
 LOCALBASE?=	/usr/local
 PAGER?=		less
 
-PKG!=		which pkg || echo true
+PKG=		${LOCALBASE}/sbin/pkg
+.if ! exists(${PKG})
+PKG=		true
+.endif
 GIT!=		which git || echo true
 
+GITVERSION=	${SCRIPTSDIR}/version.sh
+
 _PLUGIN_ARCH!=	uname -p
 PLUGIN_ARCH?=	${_PLUGIN_ARCH}
 
@@ -64,7 +69,13 @@ PLUGIN_PYTHON?=	37
 
 REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_ARCH \
-		PLUGIN_FLAVOUR
+		PLUGIN_FLAVOUR \
+		PLUGIN_HASH \
+		PLUGIN_MAINTAINER \
+		PLUGIN_NAME \
+		PLUGIN_PKGNAME \
+		PLUGIN_PKGVERSION \
+		PLUGIN_WWW
 
 SED_REPLACE=	# empty
 
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index b1eff47759..119380b033 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -27,13 +27,22 @@ all: check
 
 .include "defaults.mk"
 
+PLUGINSDIR=		${.CURDIR}/../..
+TEMPLATESDIR=		${PLUGINSDIR}/Templates
+SCRIPTSDIR=		${PLUGINSDIR}/Scripts
+
+.if exists(${GIT}) && exists(${GITVERSION})
+PLUGIN_COMMIT!=		${GITVERSION}
+.else
+PLUGIN_COMMIT=		unknown 0 undefined
+.endif
+
+PLUGIN_HASH?=		${PLUGIN_COMMIT:[3]}
+
 PLUGIN_DESC=		pkg-descr
 PLUGIN_SCRIPTS=		+PRE_INSTALL +POST_INSTALL \
 			+PRE_DEINSTALL +POST_DEINSTALL
 
-PLUGINSDIR=		${.CURDIR}/../..
-TEMPLATESDIR=		${PLUGINSDIR}/Templates
-
 PLUGIN_WWW?=		https://opnsense.org/
 PLUGIN_REVISION?=	0
 
@@ -183,7 +192,7 @@ install: check
 			mv "${DESTDIR}${LOCALBASE}/$${FILE}" "${DESTDIR}${LOCALBASE}/$${FILE%%.in}"; \
 		fi; \
 	done
-	@echo "${PLUGIN_PKGVERSION}" > "${DESTDIR}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
+	cat ${TEMPLATESDIR}/version | sed ${SED_REPLACE} > "${DESTDIR}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
 
 plist: check
 	@(cd ${.CURDIR}/src; find * -type f) | while read FILE; do \
@@ -312,9 +321,9 @@ sweep: check
 	fi
 	find ${.CURDIR}/src ! -name "*.min.*" ! -name "*.svg" \
 	    ! -name "*.ser" -type f -print0 | \
-	    xargs -0 -n1 ${.CURDIR}/../../Scripts/cleanfile
+	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile
 	find ${.CURDIR} -type f -depth 1 -print0 | \
-	    xargs -0 -n1 ${.CURDIR}/../../Scripts/cleanfile
+	    xargs -0 -n1 ${SCRIPTSDIRs/cleanfile
 
 STYLEDIRS?=	src/etc/inc src/opnsense
 
diff --git a/Scripts/version.sh b/Scripts/version.sh
new file mode 100755
index 0000000000..402d840839
--- /dev/null
+++ b/Scripts/version.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (c) 2015 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+set -e
+
+VERSION=$(git describe --abbrev=0 --always ${1})
+REVISION=$(git rev-list ${VERSION}.. --count)
+HASH=$(git rev-list HEAD --max-count=1 | cut -c1-9)
+
+echo ${VERSION} ${REVISION} ${HASH}
diff --git a/Templates/version b/Templates/version
new file mode 100644
index 0000000000..95baa8fe04
--- /dev/null
+++ b/Templates/version
@@ -0,0 +1,11 @@
+{
+    "product_abi": "%%PLUGIN_ABI%%",
+    "product_arch": "%%PLUGIN_ARCH%%",
+    "product_email": "%%PLUGIN_MAINTAINER%%",
+    "product_flavour": "%%PLUGIN_FLAVOUR%%",
+    "product_hash": "%%PLUGIN_HASH%%",
+    "product_id": "%%PLUGIN_PKGNAME%%",
+    "product_name": "%%PLUGIN_NAME%%",
+    "product_version": "%%PLUGIN_PKGVERSION%%",
+    "product_website": "%%PLUGIN_WWW%%"
+}

From 629eb160cef153831509d3d80b0d42ec64735420 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Feb 2021 23:04:03 +0100
Subject: [PATCH 0392/3088] Framework: small tweaks on previous

---
 Mk/plugins.mk | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 119380b033..51de1e95e8 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -192,7 +192,7 @@ install: check
 			mv "${DESTDIR}${LOCALBASE}/$${FILE}" "${DESTDIR}${LOCALBASE}/$${FILE%%.in}"; \
 		fi; \
 	done
-	cat ${TEMPLATESDIR}/version | sed ${SED_REPLACE} > "${DESTDIR}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
+	@cat ${TEMPLATESDIR}/version | sed ${SED_REPLACE} > "${DESTDIR}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
 
 plist: check
 	@(cd ${.CURDIR}/src; find * -type f) | while read FILE; do \
@@ -246,6 +246,8 @@ package: check
 	@echo -n ">>> Staging files for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}..."
 	@${MAKE} DESTDIR=${WRKSRC} install
 	@echo " done"
+	@echo ">>> Generated version info for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}:"
+	@cat ${WRKSRC}/usr/local/opnsense/version/${PLUGIN_NAME}
 	@echo ">>> Packaging files for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}:"
 	@${PKG} create -v -m ${WRKSRC} -r ${WRKSRC} \
 	    -p ${WRKSRC}/plist -o ${PKGDIR}

From 94493cb32ce5a55340952c08e95cbd37dddea6df Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Feb 2021 09:30:40 +0100
Subject: [PATCH 0393/3088] Framework: exclude txz archives

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 51de1e95e8..48bca3e95b 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -308,7 +308,7 @@ lint-php: check
 	    ! -name "*.xml" ! -name "*.xml.sample" ! -name "*.eot" \
 	    ! -name "*.svg" ! -name "*.woff" ! -name "*.woff2" \
 	    ! -name "*.otf" ! -name "*.png" ! -name "*.js" ! -name "*.md" \
-	    ! -name "*.scss" ! -name "*.py" ! -name "*.ttf" \
+	    ! -name "*.scss" ! -name "*.py" ! -name "*.ttf" ! -name "*.txz" \
 	    ! -name "*.tgz" ! -name "*.xml.dist" ! -name "*.sh" \
 	    -type f -print0 | xargs -0 -n1 php -l
 

From 8793d16effea39a8f05affb7f5b2a0437bd7668e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Feb 2021 10:01:14 +0100
Subject: [PATCH 0394/3088] Framework: allow manual PLUGINSDIR and use it
 everywhere

---
 Mk/plugins.mk | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 48bca3e95b..ac202ae301 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2020 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2021 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -27,9 +27,9 @@ all: check
 
 .include "defaults.mk"
 
-PLUGINSDIR=		${.CURDIR}/../..
-TEMPLATESDIR=		${PLUGINSDIR}/Templates
+PLUGINSDIR?=		${.CURDIR}/../..
 SCRIPTSDIR=		${PLUGINSDIR}/Scripts
+TEMPLATESDIR=		${PLUGINSDIR}/Templates
 
 .if exists(${GIT}) && exists(${GITVERSION})
 PLUGIN_COMMIT!=		${GITVERSION}
@@ -333,7 +333,7 @@ style: check
 	@: > ${.CURDIR}/.style.out
 .for STYLEDIR in ${STYLEDIRS}
 	@if [ -d ${.CURDIR}/${STYLEDIR} ]; then \
-		(phpcs --standard=${.CURDIR}/../../ruleset.xml \
+		(phpcs --standard=${PLUGINSDIR}/ruleset.xml \
 		    ${.CURDIR}/${STYLEDIR} || true) > \
 		    ${.CURDIR}/.style.out; \
 	fi
@@ -348,7 +348,7 @@ style: check
 style-fix: check
 .for STYLEDIR in ${STYLEDIRS}
 	@if [ -d ${.CURDIR}/${STYLEDIR} ]; then \
-		phpcbf --standard=${.CURDIR}/../../ruleset.xml \
+		phpcbf --standard=${PLUGINSDIR}/ruleset.xml \
 		    ${.CURDIR}/${STYLEDIR} || true; \
 	fi
 .endfor

From 3e72b0f5b7d9d10a62e1d29e5887abce1e9d8ef2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 Feb 2021 22:52:00 +0100
Subject: [PATCH 0395/3088] security/acme-client: fix missing "--ecc"
 parameter, closes #2223

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../app/library/OPNsense/AcmeClient/LeValidation/Base.php    | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index ef9766b167..72ac1d1b4e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+2.4
+
+Fixed:
+* fix missing "--ecc" parameter when renewing ECC certs (#2223)
+
 2.3
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 5f2eb9169e..a541584ac1 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -137,7 +137,7 @@ public function run(bool $renew = false)
         if ($this->cert_keylength == 'ec256' || $this->cert_keylength == 'ec384') {
             if ($renew == true) {
                 // If it's a renew then pass --ecc to acme client to locate the correct cert directory
-                $acme_args[] = '--ecc';
+                $this->acme_args[] = '--ecc';
             }
         }
 

From 4593ef3f9f6c248aa804181f4b09d5d62c8ffe61 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 Feb 2021 22:54:26 +0100
Subject: [PATCH 0396/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 86b2e519e1..86b992e8dc 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		2.3
+PLUGIN_VERSION=		2.4
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From ca98e9fdb2daa829100e55b6423b716899bcdb90 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 9 Feb 2021 16:00:39 +0100
Subject: [PATCH 0397/3088] add yaml service template with configured haproxy
 ssl certificates in config.xml

---
 net/haproxy/Makefile                          |  2 +-
 .../templates/OPNsense/HAProxy/+TARGETS       |  1 +
 .../templates/OPNsense/HAProxy/sslCerts.yaml  | 61 +++++++++++++++++++
 3 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 98aea3903e..90228279f6 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		2.26
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy20
+PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
index 6e4c913d20..a8fa7728cf 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
@@ -1,2 +1,3 @@
 haproxy.conf:/usr/local/etc/haproxy.conf
 rc.conf.d:/etc/rc.conf.d/haproxy
+sslCerts.yaml:/usr/local/etc/haproxy/sslCerts.yaml
\ No newline at end of file
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
new file mode 100644
index 0000000000..0b98ab5e15
--- /dev/null
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
@@ -0,0 +1,61 @@
+#
+# Automatically generated configuration.
+# Do not edit this file manually.
+#
+# List all frontends with configured ssl certificates in config.xml
+{# ################## #}
+{# ##### Macros ##### #}
+{# ################## #}
+{%  macro getCA(refId) -%}
+{%    set result = '{}' %}
+{%    for data in helpers.getNodeByTag('ca') if data.refid == refId %}
+{{      data.crt -}}
+{%    else %}
+{{     "{}" }}
+{%    endfor %}
+{%- endmacro %}
+{%  macro getCert(refId, indent=4) -%}
+{%    for data in helpers.getNodeByTag('cert') if data.refid == refId %}
+{%      if data.caref %}
+{%        do data.update({'ca': getCA(data.caref)}) %}
+{%      else %}
+{%        do data.update({'ca': {} }) %}
+{%      endif %}
+crt: {{ data.crt }}
+key: {{ data.prv }}
+ca: {{ data.ca }}
+{%    endfor %}
+{%- endmacro %}
+{# ################## #}
+{# ##### Main ##### #}
+{# ################## #}
+{% set enabled_frontends = [] %}
+{% set crt_list_template = "/tmp/haproxy/ssl/%s.certlist" %}
+{% set cert_template = "/tmp/haproxy/ssl/%s.pem" %}
+{% for frontend in helpers.toList('OPNsense.HAProxy.frontends.frontend') %}
+{%  set certs = [] %}
+{%  for cert in frontend.get('ssl_default_certificate', '').split(',') + frontend.get('ssl_certificates', '').split(',') if cert %}
+{%    do certs.append(cert) %}
+{%  endfor %}
+{%  do frontend.update({'certs': certs}) %}
+{%  if frontend.enabled == '1' and frontend.ssl_enabled == '1' and frontend.certs|length > 0 %}
+{%    do enabled_frontends.append(frontend) %}
+{%  endif %}
+{% endfor %}
+{% if helpers.exists('OPNsense.HAProxy.frontends') and enabled_frontends|length > 0 %}
+frontends:
+{%  for frontend in enabled_frontends %}
+  "{{ frontend.id }}":
+    name: {{ frontend.name }}
+    crt_list_path: {{ cert_template % frontend.id }}
+    certs:
+{%    for cert_refid in frontend.certs %}
+      {{ cert_refid }}:
+        path: {{ cert_template % cert_refid }}
+        default: {{ "True" if frontend.ssl_default_certificate == cert_refid else "False" }}
+{{      getCert(cert_refid) | indent( width=8, indentfirst=True) -}}
+{%    endfor %}
+{%  endfor %}
+{% else %}
+frontends: {}
+{% endif %}
\ No newline at end of file

From 2cf5a36f7d3ef258b06aa9c9e9e14f1c46ee1a63 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 9 Feb 2021 17:03:36 +0100
Subject: [PATCH 0398/3088] add unit tests for haproxy ssl commands

---
 .../HAProxy/lib/haproxy/tests/test_cmds.py    | 133 +++++++++++++++---
 1 file changed, 114 insertions(+), 19 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
index 032954583d..5786b67807 100644
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
@@ -18,7 +18,17 @@ def setUp(self):
                      "info" : "show info",
                      "sessions" : "show sess",
                      "servers" : "show stat",
-
+                     "show-all-ssl-crt-list" : "show ssl crt-list",
+                     "show-details-ssl-crt-list" : "show ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+                     "show-all-ssl-certs" : "show ssl cert",
+                     "show-details-ssl-certs" : "show ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+                     "add-to-crt-list" : "add ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
+                     "del-from-crt-list" : "del ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
+                     "add-ssl-cert" : "new ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+                     "update-ssl-cert" : "set ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem <payload>",
+                     "del-ssl-cert" : "del ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+                     "commit-ssl-cert" : "commit ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+                     "abort-ssl-cert" : "abort ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
         }
 
         self.Resp = dict([(k, v + "\r\n") for k, v in self.Resp.items()])
@@ -26,48 +36,133 @@ def setUp(self):
     def test_setServerAgent(self):
         """Test 'set server agent' command"""
         args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "up"}
-        cmdSetServerAgent = cmds.setServerAgent(**args).getCmd()
-        self.assertEqual(cmdSetServerAgent, self.Resp["set-server-agent"])
+        cmdOutput = cmds.setServerAgent(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["set-server-agent"])
 
     def test_setServerHealth(self):
         """Test 'set server health' command"""
         args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "stopping"}
-        cmdSetServerHealth = cmds.setServerHealth(**args).getCmd()
-        self.assertEqual(cmdSetServerHealth, self.Resp["set-server-health"])
+        cmdOutput = cmds.setServerHealth(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["set-server-health"])
 
     def test_setServerState(self):
         """Test 'set server state' command"""
         args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "drain"}
-        cmdSetServerState = cmds.setServerState(**args).getCmd()
-        self.assertEqual(cmdSetServerState, self.Resp["set-server-state"])
+        cmdOutput = cmds.setServerState(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["set-server-state"])
 
     def test_setServerWeight(self):
         """Test 'set server weight' command"""
         args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "10"}
-        cmdSetServerState = cmds.setServerWeight(**args).getCmd()
-        self.assertEqual(cmdSetServerState, self.Resp["set-server-weight"])
+        cmdOutput = cmds.setServerWeight(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["set-server-weight"])
 
     def test_showFrontends(self):
         """Test 'frontends/backends' commands"""
         args = {}
-        cmdFrontends = cmds.showFrontends(**args).getCmd()
-        self.assertEqual(cmdFrontends, self.Resp["frontends"])
+        cmdOutput = cmds.showFrontends(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["frontends"])
 
     def test_showInfo(self):
         """Test 'show info' command"""
-        cmdShowInfo = cmds.showInfo().getCmd()
-        self.assertEqual(cmdShowInfo, self.Resp["info"])
+        cmdOutput = cmds.showInfo().getCmd()
+        self.assertEqual(cmdOutput, self.Resp["info"])
 
     def test_showSessions(self):
-        """Test 'show info' command"""
-        cmdShowInfo = cmds.showSessions().getCmd()
-        self.assertEqual(cmdShowInfo, self.Resp["sessions"])
+        """Test 'show sess' command"""
+        cmdOutput = cmds.showSessions().getCmd()
+        self.assertEqual(cmdOutput, self.Resp["sessions"])
 
     def test_showServers(self):
-        """Test 'show info' command"""
+        """Test 'show stat' command"""
         args = {"backend": "redis-ro"}
-        cmdShowInfo = cmds.showServers(**args).getCmd()
-        self.assertEqual(cmdShowInfo, self.Resp["servers"])
+        cmdOutput = cmds.showServers(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["servers"])
+
+    def test_showAllSslCrtList(self):
+        """Test 'show ssl crt-list' command"""
+        cmdOutput = cmds.showAllSslCrtList().getCmd()
+        self.assertEqual(cmdOutput, self.Resp["show-all-ssl-crt-list"])
+
+    def test_showDetailsSslCrtList(self):
+        """Test 'show ssl crt-list <filename>' command"""
+        args = {
+            "filename": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+        }
+        cmdOutput = cmds.test_showDetailsSslCrtList(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["show-details-ssl-crt-list"])
+
+    def test_showAllSslCerts(self):
+        """Test 'show ssl cert' command"""
+        cmdOutput = cmds.showAllSslCerts().getCmd()
+        self.assertEqual(cmdOutput, self.Resp["show-all-ssl-certs"])
+
+    def test_showDetailsSslCerts(self):
+        """Test 'show ssl cert <certfile>' command"""
+        args = {
+            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem"
+        }
+        cmdOutput = cmds.showDetailsSslCerts(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["show-details-ssl-certs"])
+
+    def test_addToSslCrtList(self):
+        """Test 'add ssl crt-list <filename> <certfile>' command"""
+        args = {
+            "filename": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem"
+        }
+        cmdOutput = cmds.addToSslCrtList(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["add-to-crt-list"])
+
+    def test_delFromSslCrtList(self):
+        """Test 'del ssl crt-list <filename> <certfile>' command"""
+        args = {
+            "filename": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem"
+        }
+        cmdOutput = cmds.delFromSslCrtList(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["del-from-crt-list"])
+
+    def test_addSslCrt(self):
+        """Test 'new ssl cert <certfile>' command"""
+        args = {
+            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+        }
+        cmdOutput = cmds.addSslCrt(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["add-ssl-cert"])
+
+    def test_updateSslCrt(self):
+        """Test 'new ssl cert <certfile>' command"""
+        args = {
+            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+            "payload" : "TODO"
+        }
+        cmdOutput = cmds.updateSslCrt(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["update-ssl-cert"])
+
+    def test_delSslCrt(self):
+        """Test 'del ssl cert <certfile>' command"""
+        args = {
+            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+        }
+        cmdOutput = cmds.delSslCrt(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["del-ssl-cert"])
+
+    def test_commitSslCrt(self):
+        """Test 'commit ssl cert <certfile>' command"""
+        args = {
+            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+        }
+        cmdOutput = cmds.commitSslCrt(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["commit-ssl-cert"])
+
+    def test_abortSslCrt(self):
+        """Test 'abort ssl cert <certfile>' command"""
+        args = {
+            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+        }
+        cmdOutput = cmds.abortSslCrt(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["abort-ssl-cert"])
 
 if __name__ == '__main__':
     unittest.main()

From 7fafce17c13a20a0fb4915e6fd6eb24018a96449 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 11 Feb 2021 09:12:33 +0100
Subject: [PATCH 0399/3088] security/tor: close enough, eh?!

---
 security/tor/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tor/Makefile b/security/tor/Makefile
index c1ae5fbb86..32b6d40eb2 100644
--- a/security/tor/Makefile
+++ b/security/tor/Makefile
@@ -3,6 +3,6 @@ PLUGIN_VERSION=		1.8
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The Onion Router
 PLUGIN_DEPENDS=		tor ruby
-PLUGIN_MAINTAINER=	ranz.fabian.94@gmail.com
+PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"

From 5897bee7bea103cedb15043ad354accce9c119cf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 11 Feb 2021 10:40:50 +0100
Subject: [PATCH 0400/3088] security/acme-client: use mod_deflate

PR: https://forum.opnsense.org/index.php?topic=21432.0
---
 .../templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
index d88517cada..c5746dddfe 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
@@ -10,7 +10,7 @@ server.network-backend = "writev"
 #server.use-ipv6 = "enable"
 
 # modules to load
-server.modules = ( "mod_access", "mod_expire", "mod_compress", "mod_redirect",
+server.modules = ( "mod_access", "mod_expire", "mod_deflate", "mod_redirect",
   "mod_alias", "mod_rewrite"
 )
 

From 4da0f2c25f40f4d9060649758ce3d88aa2d45c7b Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Thu, 11 Feb 2021 16:02:07 +0100
Subject: [PATCH 0401/3088] refactor output mode for socket cmds add ssl
 handling socket commands

---
 .../OPNsense/HAProxy/lib/haproxy/cmds.py      | 236 ++++++++++++------
 .../OPNsense/HAProxy/lib/haproxy/conn.py      |   2 +-
 .../HAProxy/lib/haproxy/tests/test_cmds.py    | 234 +++++++++++++----
 .../scripts/OPNsense/HAProxy/socketCommand.py |  34 +++
 4 files changed, 380 insertions(+), 126 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
index 0316bd99ef..3d13d42a82 100644
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
@@ -1,12 +1,9 @@
-# pylint: disable=locally-disabled, too-few-public-methods, no-self-use, invalid-name
 """cmds.py - Implementations of the different HAProxy commands"""
-
 import re
 import csv
 import json
 from io import StringIO
 
-
 class Cmd():
     """Cmd - Command base class"""
     req_args = []
@@ -42,44 +39,201 @@ def getCmd(self):
         """
         return self.cmdTxt % self.args
 
+    def getBootstrapOutput(self, resObj):
+        """ Returns results gathered from HAProxy as jquery bootstrap output """
+        args = {
+            "rows": resObj,
+            "page": int(self.args['page']) if self.args['page'] != None else 1,
+            "page_rows": int(self.args['page_rows']) if self.args['page_rows'] != None else len(rows),
+            "search": self.args['search'],
+            "sort_col": self.args['sort_col'] if self.args['sort_col'] else 'id',
+            "sort_dir": self.args['sort_dir'],
+        }
+        rows = args['rows']
+        # search
+        if args['search']:
+            filtered_rows = []
+            for row in rows:
+                def inner(row):
+                    for k, v in row.items():
+                        if args['search'] in v:
+                            return row
+                    return None
+
+                match = inner(row)
+                if match:
+                    filtered_rows.append(match)
+            rows = filtered_rows
+
+        # sort
+        rows.sort(key=lambda k: k[args['sort_col']], reverse=True if args['sort_dir'] == 'desc' else False)
+
+        # pager
+        total = len(rows)
+        pages = [rows[i:i + args['page_rows']] for i in range(0, total, args['page_rows'])]
+        if pages and (args['page'] > len(pages) or args['page'] < 1):
+            raise KeyError(f"Current page {args['page']} does not exist. Available pages: {len(pages)}")
+        page = pages[args['page'] - 1] if pages else []
+
+        return json.dumps({
+            "rows": page,
+            "total": total,
+            "rowCount": args['page_rows'],
+            "current": args['page']
+        })
+
+    def getJsonOutput(self, resObj):
+        """Returns results gathered from HAProxy as json"""
+        return json.dumps(resObj)
+
     def getResult(self, res):
         """Returns raw results gathered from HAProxy"""
         if res == '\n':
             res = None
+
+        if self.args['output'] == 'json':
+            return self.getJsonOutput(self.getResultObj(res))
+
+        if self.args['output'] == 'bootstrap':
+            return self.getBootstrapOutput(self.getResultObj(res))
+
         return res
 
     def getResultObj(self, res):
         """Returns refined output from HAProxy, packed inside a Python obj i.e. a dict()"""
         return res
 
-
 class setServerAgent(Cmd):
-    """Set server agent command."""
     cmdTxt = "set server %(backend)s/%(server)s agent %(value)s\r\n"
     req_args = ['backend', 'server', 'value']
     helpTxt = "Force a server's agent to a new state."
 
-
 class setServerHealth(Cmd):
-    """Set server health command."""
     cmdTxt = "set server %(backend)s/%(server)s health %(value)s\r\n"
     req_args = ['backend', 'server', 'value']
     helpTxt = "Force a server's health to a new state."
 
-
 class setServerState(Cmd):
-    """Set server state command."""
     cmdTxt = "set server %(backend)s/%(server)s state %(value)s\r\n"
     req_args = ['backend', 'server', 'value']
     helpTxt = "Force a server's administrative state to a new state."
 
-
 class setServerWeight(Cmd):
-    """Set server weight command."""
     cmdTxt = "set server %(backend)s/%(server)s weight %(value)s\r\n"
     req_args = ['backend', 'server', 'value']
     helpTxt = "Force a server's weight to a new state."
 
+class showSslCrtLists(Cmd):
+    cmdTxt = "show ssl crt-list\r\n"
+    helpTxt = "Show the list of crt-lists."
+
+    def getResultObj(self, res):
+        result = { "crt_lists": []}
+        for line in res.split("\n"):
+            if line.startswith('/'):
+                result["crt_lists"].append(line)
+        return result
+
+class showSslCrtList(Cmd):
+    cmdTxt = "show ssl crt-list %(crt_list)s\r\n"
+    req_args = ['crt_list']
+    helpTxt = "Show the the content of a crt-list."
+
+    def getResultObj(self, res):
+        result = {}
+        list_id = None
+        for line in res.split("\n"):
+            if line.startswith('# '):
+                list_id = line.split("# ")[1]
+                result[f"{list_id}"] = []
+
+            if list_id and line.startswith('/'):
+                result[f"{list_id}"].append(line)
+
+        if result:
+           return result
+
+        return {"error": res.strip()}
+
+class showSslCerts(Cmd):
+    cmdTxt = "show ssl cert\r\n"
+    helpTxt = "Display the SSL certificates used in memory."
+
+    def getResultObj(self, res):
+        result = {
+            "transaction": [],
+            "filename": []
+        }
+        for line in res.split("\n"):
+            if line.startswith('*'):
+                result['transaction'].append(line)
+            elif line.startswith('/'):
+                result['filename'].append(line)
+        return result
+
+class showSslCert(Cmd):
+    cmdTxt = "show ssl cert %(certfile)s\r\n"
+    req_args = ['certfile']
+    helpTxt = "Display the details of a SSL certificate used in memory."
+
+    def getResultObj(self, res):
+        result = {}
+        cert_id = None
+        for line in res.split("\n"):
+            if line:
+                key = line.split(":")[0]
+                val = line.split(":")[1].strip()
+
+                if key == 'Filename':
+                    cert_id = val
+                    result[f"{cert_id}"] = {}
+
+                if cert_id:
+                    result[f"{cert_id}"][key] = val
+
+        if result:
+            return result
+
+        return {"error": res.strip()}
+
+class addToSslCrtList(Cmd):
+    cmdTxt = "add ssl crt-list %(crt_list)s %(certfile)s\r\n"
+    req_args = ['crt_list', 'certfile']
+    helpTxt = "Add a ssl cert to a crt-list."
+
+class delFromSslCrtList(Cmd):
+    cmdTxt = "del ssl crt-list %(crt_list)s %(certfile)s\r\n"
+    req_args = ['crt_list', 'certfile']
+    helpTxt = "Delete a ssl cert from a crt-list."
+
+class newSslCrt(Cmd):
+    """" Create an empty slot for the certificate in HAProxy’s memory """
+    cmdTxt = "new ssl cert %(certfile)s\r\n"
+    req_args = ['certfile']
+    helpTxt = "Create a new certificate file to be used in a crt-list or a directory."
+
+class updateSslCrt(Cmd):
+    """" Begin a transaction to upload the certificate into a slot in HAProxy’s memory """
+    cmdTxt = "set ssl cert %(certfile)s <<\n%(payload)s\r\n"
+    req_args = ['certfile', 'payload']
+    helpTxt = "Replace a certificate file."
+
+class delSslCrt(Cmd):
+    """" Begin a transaction to remove the certificate from a slot in HAProxy’s memory """
+    cmdTxt = "del ssl cert %(certfile)s\r\n"
+    req_args = ['certfile']
+    helpTxt = "Delete delete an unused certificate file."
+
+class commitSslCrt(Cmd):
+    """ Commit the transaction so HAProxy detects the change. """
+    cmdTxt = "commit ssl cert %(certfile)s\r\n"
+    req_args = ['certfile']
+    helpTxt = "Commit a certificate file."
+
+class abortSslCrt(Cmd):
+    cmdTxt = "abort ssl cert %(certfile)s\r\n"
+    req_args = ['certfile']
+    helpTxt = "Abort a transaction for a certificate file."
 
 class showFBEnds(Cmd):
     """Base class for getting a listing Frontends and Backends"""
@@ -110,19 +264,16 @@ def _getResult(self, res):
                 result.append(e.split(",")[0])
         return result
 
-
 class showFrontends(showFBEnds):
     """Show frontends command."""
     switch = "frontend"
     helpTxt = "List all Frontends."
 
-
 class showBackends(showFBEnds):
     """Show backends command."""
     switch = "backend"
     helpTxt = "List all Backends."
 
-
 class showInfo(Cmd):
     """Show info HAProxy command"""
     cmdTxt = "show info\r\n"
@@ -136,7 +287,6 @@ def getResultObj(self, res):
 
         return resDict
 
-
 class showSessions(Cmd):
     """Show sess HAProxy command"""
     cmdTxt = "show sess\r\n"
@@ -145,7 +295,6 @@ class showSessions(Cmd):
     def getResultObj(self, res):
         return res.split('\n')
 
-
 class baseStat(Cmd):
     """Base class for stats commands."""
 
@@ -158,64 +307,11 @@ def getDict(self, res):
         csv_string = StringIO(res)
         return csv.DictReader(csv_string, delimiter=',')
 
-    def getBootstrapOutput(self, **kwargs):
-        rows = kwargs['rows']
-        # search
-        if kwargs['search']:
-            filtered_rows = []
-            for row in rows:
-                def inner(row):
-                    for k, v in row.items():
-                        if kwargs['search'] in v:
-                            return row
-                    return None
-
-                match = inner(row)
-                if match:
-                    filtered_rows.append(match)
-            rows = filtered_rows
-
-        # sort
-        rows.sort(key=lambda k: k[kwargs['sort_col']], reverse=True if kwargs['sort_dir'] == 'desc' else False)
-
-        # pager
-        total = len(rows)
-        pages = [rows[i:i + kwargs['page_rows']] for i in range(0, total, kwargs['page_rows'])]
-        if pages and (kwargs['page'] > len(pages) or kwargs['page'] < 1):
-            raise KeyError(f"Current page {kwargs['page']} does not exist. Available pages: {len(pages)}")
-        page = pages[kwargs['page'] - 1] if pages else []
-
-        return json.dumps({
-            "rows": page,
-            "total": total,
-            "rowCount": kwargs['page_rows'],
-            "current": kwargs['page']
-        })
-
-
 class showServers(baseStat):
     """Show all servers. If backend is given, show only servers for this backend. """
     cmdTxt = "show stat\r\n"
     helpTxt = "Lists all servers. Filter for servers in backend, if set."
 
-    def getResult(self, res):
-        if self.args['output'] == 'json':
-            return json.dumps(self.getResultObj(res))
-
-        if self.args['output'] == 'bootstrap':
-            rows = self.getResultObj(res)
-            args = {
-                "rows": rows,
-                "page": int(self.args['page']) if self.args['page'] != None else 1,
-                "page_rows": int(self.args['page_rows']) if self.args['page_rows'] != None else len(rows),
-                "search": self.args['search'],
-                "sort_col": self.args['sort_col'] if self.args['sort_col'] else 'id',
-                "sort_dir": self.args['sort_dir'],
-            }
-            return self.getBootstrapOutput(**args)
-
-        return self.getResultObj(res)
-
     def getResultObj(self, res):
         servers = []
 
@@ -234,4 +330,4 @@ def getResultObj(self, res):
             row.move_to_end('id', last=False)
             servers.append(dict(row))
 
-        return servers
+        return servers
\ No newline at end of file
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
index 962a15cf5e..0c38673c16 100644
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
@@ -70,7 +70,7 @@ def sendCmd(self, cmd, objectify=False):
         output = self.sock.recv(const.HAP_BUFSIZE)
 
         while output:
-            res += output.decode('ASCII')
+            res += output.decode('UTF-8')
             output = self.sock.recv(const.HAP_BUFSIZE)
 
         if objectify:
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
index 5786b67807..01887f583f 100644
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
@@ -5,55 +5,178 @@
 sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..'))
 from haproxy import cmds
 
+
 class TestCommands(unittest.TestCase):
     """Tests all of the  commands."""
+
     def setUp(self):
+        self.maxDiff = None
+        self.pem_cert_content = """
+        -----BEGIN CERTIFICATE-----
+        MIIGNjCCBR6gAwIBAgITAPoWnilNUBNcAb8iJ2dgK1eXeTANBgkqhkiG9w0BAQsF
+        ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0yMTAyMDMw
+        ODQ2MTBaFw0yMTA1MDQwODQ2MTBaMBoxGDAWBgNVBAMTD3Rlc3QuYW5kZW1hbi5k
+        ZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7DSlOfRdoKZdX825O4
+        Q+uEN85NYR/SJtSLDfaaRebanbDzxp90PEIHCqZyf0q7Zz5eF6qd2ycldtJSVk8b
+        lVOyJjPIOLUrUAeF6I07b/AOBO/8DU9G3lARSOQkPmC80ahGAW3F1eaccf08qncW
+        CGxKKXmeL9mbAsA4k6+6pIq8YRBqMCE2bkRQ/scAa8pL7ms5hceONWfqjHC12zIp
+        yavvnfNVZ6z7QlwHEh3Rajk1IaHLyE7+9+oQ3zXqFtM6sBvXlvVhwsizgkH3ZodN
+        81ycvHoP1MWqHGHX0klREQ9qRrHuSuqHsjJHX8gtbqI2Z9DVOUUEunbIkImTwqYj
+        e5tp7g4RQJUgAdsauyN02NTdeUeci+JDvA3FHJpAtA7tDXIeNcyPjRho17i4VUIc
+        Yasu5JDF0iSPDT/Srxt6EsDntDFDco1HXMsFqUhMbY2+gUWC3P0n98VWSO+BCtAd
+        Fbc4+N3QEM8RnQKI86WHR/vnVDoigOhALupXa6czjLGMjaSLDI0nyJ5M81r8ZuBZ
+        Wu2Q6HTikNmoWl3w6x+9WvY6TQd9OpCjQUu13UMVAco8CGEOj0ZqhhLTccX8dxPK
+        /01bXMtFRivJfe6vML+O0N54JbI5caXmaEdcEuazAVJWt1ZPGFTMjiw/O0S6Hb0V
+        YJKXqjJs9t95O5MpL9W4YvGxAgMBAAGjggJrMIICZzAOBgNVHQ8BAf8EBAMCBaAw
+        HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
+        VR0OBBYEFHQLXiD/GxQD11ocGiFauejS5RRmMB8GA1UdIwQYMBaAFMDMA0a5WCDM
+        XHJw8+EuyyCm9Wg6MHcGCCsGAQUFBwEBBGswaTAyBggrBgEFBQcwAYYmaHR0cDov
+        L29jc3Auc3RnLWludC14MS5sZXRzZW5jcnlwdC5vcmcwMwYIKwYBBQUHMAKGJ2h0
+        dHA6Ly9jZXJ0LnN0Zy1pbnQteDEubGV0c2VuY3J5cHQub3JnLzAaBgNVHREEEzAR
+        gg90ZXN0LmFuZGVtYW4uZGUwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC
+        3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcw
+        ggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQAW6GnB0ZXq18P4lxrj8HYB94zhtp0x
+        qFIYtoN/MagVCAAAAXdnSPbpAAAEAwBGMEQCICAST5iJD7DVrcKRvu9rvNVVnkOW
+        hAYUgihWr/1Gu6VdAiAcRcZYBP0hIHmFExM9ehJ+J7YmqM35SyiC7s0chsNdHQB2
+        AN2ZNPyl5ySAyVZofYE0mQhJskn3tWnYx7yrP1zB825kAAABd2dI+N0AAAQDAEcw
+        RQIgaaUndm8O3+nCl5OHTf6rOdi9VF9szVckdgDargdWKkgCIQCAjW4UvuMIv4Bt
+        c6auowPcpdqHjL8XRcztJA3XUGRGHTANBgkqhkiG9w0BAQsFAAOCAQEABza4/ocY
+        J/XwN8PP+Ane7fVerqL7mRfhzJhxz4mbCPfv4Drq3kUu9fnhR/vaGgdaNdnO83a9
+        PUBCm6FCPMcVwX0uKDJ9J4Xj+SVjnVu4+7uhS5LyygtaegoBZyMb5ppxWH1n5r47
+        10ug+KptERFf1datb8/jsEVF7rYCtPXBygjfGAbGuCxViakr4BNcOBPNL+MusfvP
+        qpH8kEyPAIwHX02XvvpLTy77qiyTpQSuFOusOJptNNqBUeBehqpf8FHn01fnKkcW
+        pKmFJ2e2VSnTZIBJvD58HMR+WNAEp7tHffHk2z/mPPtdRdxW5Zieoe5+6+HDtwgG
+        +VCAIWMkC36Dvg==
+        -----END CERTIFICATE-----
+        
+        -----BEGIN RSA PRIVATE KEY-----
+        MIIJKgIBAAKCAgEAvsNKU59F2gpl1fzbk7hD64Q3zk1hH9Im1IsN9ppF5tqdsPPG
+        n3Q8QgcKpnJ/SrtnPl4Xqp3bJyV20lJWTxuVU7ImM8g4tStQB4XojTtv8A4E7/wN
+        T0beUBFI5CQ+YLzRqEYBbcXV5pxx/TyqdxYIbEopeZ4v2ZsCwDiTr7qkirxhEGow
+        ITZuRFD+xwBrykvuazmFx441Z+qMcLXbMinJq++d81VnrPtCXAcSHdFqOTUhocvI
+        Tv736hDfNeoW0zqwG9eW9WHCyLOCQfdmh03zXJy8eg/UxaocYdfSSVERD2pGse5K
+        6oeyMkdfyC1uojZn0NU5RQS6dsiQiZPCpiN7m2nuDhFAlSAB2xq7I3TY1N15R5yL
+        4kO8DcUcmkC0Du0Nch41zI+NGGjXuLhVQhxhqy7kkMXSJI8NP9KvG3oSwOe0MUNy
+        jUdcywWpSExtjb6BRYLc/Sf3xVZI74EK0B0Vtzj43dAQzxGdAojzpYdH++dUOiKA
+        6EAu6ldrpzOMsYyNpIsMjSfInkzzWvxm4Fla7ZDodOKQ2ahaXfDrH71a9jpNB306
+        kKNBS7XdQxUByjwIYQ6PRmqGEtNxxfx3E8r/TVtcy0VGK8l97q8wv47Q3nglsjlx
+        peZoR1wS5rMBUla3Vk8YVMyOLD87RLodvRVgkpeqMmz233k7kykv1bhi8bECAwEA
+        AQKCAgEAswbSPXJPetahRdcdNyAKVgBq4ykJinSOTpAF1bZo/cOTlFrjwAe0+X5k
+        R1tTDQ6dURG7AjtNTgrB3Za6O1m2paqeYaB5X8U7QSQx4EG0xsRRa+vPjeQDhX8D
+        OmCtTdpGpLa2Zo/xM5EFBVUm4cYCt6ZOED4dyAnK5hzytUvjWfR6343Yh4LurxyY
+        TqidgGgMZALDA0n54wFjNe/lu8kt5Ddns9MmDlhrqbRVEzjSiMfNPWvjHAf7IGcf
+        JBkBvNDqL+b/XGCYDgUxrLkDNt44E2VhGOi8lZkVM9n5FyeGbEIgAKKTGlGpMbh8
+        MoA4wPFwMrO5IIXUfN+zjfnnBkZsnAomGQYDh/hrsQPwU7MoyfO0Wzw+RzLWK8JH
+        EnjR7O/Lgh+A2AdLhCLiRC5td2uuJ2yLRIRUlcQPsCsYnCCL6Ip9IwK1idmQySGw
+        bG83decXNSJUv5h3qF6f3fl+JPrHnAbviBzEJ67xAf1MdHbFxwYvRFVfEHj9RZ3W
+        z+cw7ofD8XVHTfXn0XipvYqI/bVsitMXI35pOt+/ZV8rjJlXopw+IV6U9/60cBkk
+        BXC7ONDyH2pNwxPbRgcLm2sEK0L9qhxRzCj0iD1WyOAiFJX4ytVbJhR7pt0goiun
+        i2XDh2l8hoK1lKZNS/yJ+VhnbX595mdqScmIXD8utlgK8f0bLfECggEBAORXimSK
+        gzegnsBjieTtzC6MmRRxxN46vnMZ2LCeLMxhs3vM7LBcBfsQYqbt/FVFtYBRpr+d
+        TGTmfPXqKuSqbtAbghxAMo/lECXzALa0nQSsz1fFhX8B7slFarsDmmCb1GmXF/kG
+        ku/Uoa7jmY3htBj5rjVHjDKPZFVetU+2wbuwlU17Bj4nlSzqud4NMlu56pm3FZ/1
+        BAhMxm3z6dLnOgqJzpN1QmKZHNkjLmi8fza/HQM5pP3DpQcPiyuLzywGIqHaO1qT
+        OIdpZfLEvNpMV7bJ2bagv5nX3TVRWWsBkh0HCAuH30qqaVPpQvkPem1zsM3x+D5q
+        +PhMIPGpbQiUyCUCggEBANXefd0ZcJymG15WJyO44eFwzgMz9ezfdB8INa+vCOiZ
+        Y7FtYDgEKu4uzBxtMjO4mQO6DCkfi7JwTJFN4ag3dJEJNGmrf7Xe84IAImJQk0Of
+        BojAXCFAuNf1Xl3prkvnvtzNirwQMHCUbv5wYzOqglgj2i/hjIj3/Wbt91riq5j+
+        4qQT4kkw/XgCtbQ27HohKIcC/mXbHchEi7NtXrGoM1xqmu1mGH1uul3LQ6p5VwHc
+        ZFiIAC0awsx9Qe9khZ5EGpZuS0tqJsREcv8ygYMvWcPJEv8aMQM7Nj4biA5rKEgo
+        L+66ibpntldvbz2qntEvJ2rKzGci0RDUQHy4sW8/d50CggEBAKCZaX7ZZPzk/YL2
+        /2+CSQ+cV7ZnZj2fN4Ag96UROxTsyp4SPY60yogQuDIMRGN9SfDcfNlcOvTkn5Me
+        hdiafqHkFxjjlixawYbPaPsYAS/ek156UDBKHbZ2GmE6YYP9VeKGIJhHpWUFOkqV
+        TdTaoB7IzVwv3E1bSQg6Om+8bHoj8n6yPmvMz0DuPpgM1BRrqLNAb/c3DwT/ari+
+        ywBJHSt4TVCtMmnCouWdtvB3U0ogFLnF+2N4DUPwDMQt6yJdllIb+Y706NdkrA2Z
+        jfJDq5WmVnf6i4gaqTzs4GVAj5HW9jOV9ti/DqGz+CTQXB1LN1lCDIVqG34XnTwb
+        G9LjQfkCggEAZwYAt4tTtgJGWNFDlW+wT/sZIm3bX7ncpD4+Ll0w+2s4nPXFTfaj
+        /4zHgkIP1t5rx2HODdlGYDS8jZpow7HDE0LN3sFgienWf5808QtDhWWLrkCLoPEe
+        mdl3FeJFtgby6EaTODjMPM8kEKlvACp5E6BhsIMEQc7EYNrtNvjOFKtj3go+DWfu
+        EeusQB3dGI/0h+UnS0WcOSbb7RkYbphJ9ZDdBNMTpQi7+ga6l9pP0XOrWwJYo2Gq
+        yPrl0j4oJ69C54hF+RQvjIg0pT5dKSacJTYtUnn5dkcFwDFe/yMbinbhcCynwAXJ
+        zqC9g4U3cCk44bbDdENPVr4IOox13NND+QKCAQEAilm2oMZoP3WGkBMTSzJl6OGd
+        F8NnE95noleknNFYuThhCT6T4Z1s28VpxXV7d0DTNOtXj+TzeZq4jrwkgOSZbif0
+        8ky4gRZmm0iFwvAu8ZXk1olHbhMZnCOfh0Qhd4bU2tSoWgWVIAQWEHUhDI7Q1rsX
+        s4sCjYHKuNMEKdfYvxtKeiunoFqdmT65hwM9o3TfvJfm/RChb7i/nVruXQ6IhPEM
+        9WYZS7hlKyqVBESJuonR15biy7Xov5ELl6A821cskZO3vTwtlBSeCDiqaeVLpKR3
+        aYwf5YZo7v+N8KBSLEdLNjoKK4PfXUdczD7uOUllbd4/MRgCn4EmFvmpljGiEQ==
+        -----END RSA PRIVATE KEY-----
+        
+        
+        -----BEGIN CERTIFICATE-----
+        MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw
+        GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2
+        MDUyMzIyMDc1OVowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw
+        ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0
+        8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym
+        oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0
+        ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN
+        xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56
+        dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9
+        AgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
+        HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHoGCCsGAQUFBwEBBG4wbDA0
+        BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3RnLXJvb3QteDEubGV0c2VuY3J5cHQu
+        b3JnLzA0BggrBgEFBQcwAoYoaHR0cDovL2NlcnQuc3RnLXJvb3QteDEubGV0c2Vu
+        Y3J5cHQub3JnLzAfBgNVHSMEGDAWgBTBJnSkikSg5vogKNhcI5pFiBh54DANBgkq
+        hkiG9w0BAQsFAAOCAgEABYSu4Il+fI0MYU42OTmEj+1HqQ5DvyAeyCA6sGuZdwjF
+        UGeVOv3NnLyfofuUOjEbY5irFCDtnv+0ckukUZN9lz4Q2YjWGUpW4TTu3ieTsaC9
+        AFvCSgNHJyWSVtWvB5XDxsqawl1KzHzzwr132bF2rtGtazSqVqK9E07sGHMCf+zp
+        DQVDVVGtqZPHwX3KqUtefE621b8RI6VCl4oD30Olf8pjuzG4JKBFRFclzLRjo/h7
+        IkkfjZ8wDa7faOjVXx6n+eUQ29cIMCzr8/rNWHS9pYGGQKJiY2xmVC9h12H99Xyf
+        zWE9vb5zKP3MVG6neX1hSdo7PEAb9fqRhHkqVsqUvJlIRmvXvVKTwNCP3eCjRCCI
+        PTAvjV+4ni786iXwwFYNz8l3PmPLCyQXWGohnJ8iBm+5nk7O2ynaPVW0U2W+pt2w
+        SVuvdDM5zGv2f9ltNWUiYZHJ1mmO97jSY/6YfdOUH66iRtQtDkHBRdkNBsMbD+Em
+        2TgBldtHNSJBfB3pm9FblgOcJ0FSWcUDWJ7vO0+NTXlgrRofRT6pVywzxVo6dND0
+        WzYlTWeUVsO40xJqhgUQRER9YLOLxJ0O6C8i0xFxAMKOtSdodMB3RIwt7RFQ0uyt
+        n5Z5MqkYhlMI3J1tPRTp1nEt9fyGspBOO05gi148Qasp+3N+svqKomoQglNoAxU=
+        -----END CERTIFICATE-----
+        """
 
-        self.Resp = {"disable" : "disable server redis-ro/redis-ro0",
-                     "set-server-agent" : "set server redis-ro/redis-ro0 agent up",
-                     "set-server-health" : "set server redis-ro/redis-ro0 health stopping",
-                     "set-server-state" : "set server redis-ro/redis-ro0 state drain",
-                     "set-server-weight" : "set server redis-ro/redis-ro0 weight 10",
-                     "frontends" : "show stat",
-                     "info" : "show info",
-                     "sessions" : "show sess",
-                     "servers" : "show stat",
-                     "show-all-ssl-crt-list" : "show ssl crt-list",
-                     "show-details-ssl-crt-list" : "show ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
-                     "show-all-ssl-certs" : "show ssl cert",
-                     "show-details-ssl-certs" : "show ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-                     "add-to-crt-list" : "add ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
-                     "del-from-crt-list" : "del ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
-                     "add-ssl-cert" : "new ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-                     "update-ssl-cert" : "set ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem <payload>",
-                     "del-ssl-cert" : "del ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-                     "commit-ssl-cert" : "commit ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-                     "abort-ssl-cert" : "abort ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+        self.Resp = {
+            "disable": "disable server redis-ro/redis-ro0",
+            "set-server-agent": "set server redis-ro/redis-ro0 agent up",
+            "set-server-health": "set server redis-ro/redis-ro0 health stopping",
+            "set-server-state": "set server redis-ro/redis-ro0 state drain",
+            "set-server-weight": "set server redis-ro/redis-ro0 weight 10",
+            "frontends": "show stat",
+            "info": "show info",
+            "sessions": "show sess",
+            "servers": "show stat",
+            "show-ssl-crt-lists": "show ssl crt-list",
+            "show-ssl-crt-list": "show ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+            "show-ssl-certs": "show ssl cert",
+            "show-ssl-cert": "show ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+            "add-to-crt-list": "add ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
+            "del-from-crt-list": "del ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
+            "new-ssl-cert": "new ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+            "update-ssl-cert": "set ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem <<\n%s" % self.pem_cert_content,
+            "del-ssl-cert": "del ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+            "commit-ssl-cert": "commit ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
+            "abort-ssl-cert": "abort ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
         }
 
         self.Resp = dict([(k, v + "\r\n") for k, v in self.Resp.items()])
 
     def test_setServerAgent(self):
         """Test 'set server agent' command"""
-        args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "up"}
+        args = {"backend": "redis-ro", "server": "redis-ro0", "value": "up"}
         cmdOutput = cmds.setServerAgent(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["set-server-agent"])
 
     def test_setServerHealth(self):
         """Test 'set server health' command"""
-        args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "stopping"}
+        args = {"backend": "redis-ro", "server": "redis-ro0", "value": "stopping"}
         cmdOutput = cmds.setServerHealth(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["set-server-health"])
 
     def test_setServerState(self):
         """Test 'set server state' command"""
-        args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "drain"}
+        args = {"backend": "redis-ro", "server": "redis-ro0", "value": "drain"}
         cmdOutput = cmds.setServerState(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["set-server-state"])
 
     def test_setServerWeight(self):
         """Test 'set server weight' command"""
-        args = {"backend": "redis-ro", "server" : "redis-ro0", "value": "10"}
+        args = {"backend": "redis-ro", "server": "redis-ro0", "value": "10"}
         cmdOutput = cmds.setServerWeight(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["set-server-weight"])
 
@@ -79,63 +202,63 @@ def test_showServers(self):
         cmdOutput = cmds.showServers(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["servers"])
 
-    def test_showAllSslCrtList(self):
+    def test_showSslCrtLists(self):
         """Test 'show ssl crt-list' command"""
-        cmdOutput = cmds.showAllSslCrtList().getCmd()
-        self.assertEqual(cmdOutput, self.Resp["show-all-ssl-crt-list"])
+        cmdOutput = cmds.showSslCrtLists().getCmd()
+        self.assertEqual(cmdOutput, self.Resp["show-ssl-crt-lists"])
 
-    def test_showDetailsSslCrtList(self):
-        """Test 'show ssl crt-list <filename>' command"""
+    def test_showSslCrtList(self):
+        """Test 'show ssl crt-list <crt-list>' command"""
         args = {
-            "filename": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+            "crt_list": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
         }
-        cmdOutput = cmds.test_showDetailsSslCrtList(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["show-details-ssl-crt-list"])
+        cmdOutput = cmds.showSslCrtList(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["show-ssl-crt-list"])
 
-    def test_showAllSslCerts(self):
+    def test_showSslCerts(self):
         """Test 'show ssl cert' command"""
-        cmdOutput = cmds.showAllSslCerts().getCmd()
-        self.assertEqual(cmdOutput, self.Resp["show-all-ssl-certs"])
+        cmdOutput = cmds.showSslCerts().getCmd()
+        self.assertEqual(cmdOutput, self.Resp["show-ssl-certs"])
 
-    def test_showDetailsSslCerts(self):
+    def test_showSslCert(self):
         """Test 'show ssl cert <certfile>' command"""
         args = {
-            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem"
+            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem"
         }
-        cmdOutput = cmds.showDetailsSslCerts(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["show-details-ssl-certs"])
+        cmdOutput = cmds.showSslCert(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["show-ssl-cert"])
 
     def test_addToSslCrtList(self):
-        """Test 'add ssl crt-list <filename> <certfile>' command"""
+        """Test 'add ssl crt-list <crt-list> <certfile>' command"""
         args = {
-            "filename": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
-            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem"
+            "crt_list": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem"
         }
         cmdOutput = cmds.addToSslCrtList(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["add-to-crt-list"])
 
     def test_delFromSslCrtList(self):
-        """Test 'del ssl crt-list <filename> <certfile>' command"""
+        """Test 'del ssl crt-list <crt-list> <certfile>' command"""
         args = {
-            "filename": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
-            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem"
+            "crt_list": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem"
         }
         cmdOutput = cmds.delFromSslCrtList(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["del-from-crt-list"])
 
-    def test_addSslCrt(self):
+    def test_newSslCrt(self):
         """Test 'new ssl cert <certfile>' command"""
         args = {
-            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
         }
-        cmdOutput = cmds.addSslCrt(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["add-ssl-cert"])
+        cmdOutput = cmds.newSslCrt(**args).getCmd()
+        self.assertEqual(cmdOutput, self.Resp["new-ssl-cert"])
 
     def test_updateSslCrt(self):
-        """Test 'new ssl cert <certfile>' command"""
+        """Test 'set ssl cert <certfile> <payload>' command"""
         args = {
-            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
-            "payload" : "TODO"
+            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
+            "payload": "%s" % self.pem_cert_content
         }
         cmdOutput = cmds.updateSslCrt(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["update-ssl-cert"])
@@ -143,7 +266,7 @@ def test_updateSslCrt(self):
     def test_delSslCrt(self):
         """Test 'del ssl cert <certfile>' command"""
         args = {
-            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
         }
         cmdOutput = cmds.delSslCrt(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["del-ssl-cert"])
@@ -151,7 +274,7 @@ def test_delSslCrt(self):
     def test_commitSslCrt(self):
         """Test 'commit ssl cert <certfile>' command"""
         args = {
-            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
         }
         cmdOutput = cmds.commitSslCrt(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["commit-ssl-cert"])
@@ -159,10 +282,11 @@ def test_commitSslCrt(self):
     def test_abortSslCrt(self):
         """Test 'abort ssl cert <certfile>' command"""
         args = {
-            "certfile" : "/tmp/haproxy/ssl/601a70e4844b0.pem",
+            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
         }
         cmdOutput = cmds.abortSslCrt(**args).getCmd()
         self.assertEqual(cmdOutput, self.Resp["abort-ssl-cert"])
 
+
 if __name__ == '__main__':
     unittest.main()
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
index fc42c7c144..11a084f856 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
@@ -19,6 +19,17 @@
     "show-info": cmds.showInfo,
     "show-sessions": cmds.showSessions,
     "show-servers": cmds.showServers,
+    "show-ssl-crt-lists": cmds.showSslCrtLists,
+    "show-ssl-crt-list": cmds.showSslCrtList,
+    "show-ssl-certs": cmds.showSslCerts,
+    "show-ssl-cert": cmds.showSslCert,
+    "add-to-crt-list": cmds.addToSslCrtList,
+    "del-from-crt-list": cmds.delFromSslCrtList,
+    "new-ssl-cert": cmds.newSslCrt,
+    "update-ssl-cert": cmds.updateSslCrt,
+    "del-ssl-cert": cmds.delSslCrt,
+    "commit-ssl-cert": cmds.commitSslCrt,
+    "abort-ssl-cert": cmds.abortSslCrt,
 }
 
 def get_args():
@@ -48,6 +59,21 @@ def get_args():
         help='Specify value for a set command.',
         default=None
     )
+    parser.add_argument(
+        '--payload',
+        help='Specify payload for a update command. either string or filepath',
+        default=None
+    )
+    parser.add_argument(
+        '--crt-list',
+        help='Set a filepath for a crt-list.',
+        default=None
+    )
+    parser.add_argument(
+        '--certfile',
+        help='Set a filepath for a certificate.',
+        default=None
+    )
     parser.add_argument(
         '--output',
         help='Specify output format.',
@@ -89,6 +115,14 @@ def get_args():
     return parser.parse_args()
 
 args = get_args()
+if args.payload and os.path.isfile(args.payload):
+    with open(args.payload) as payload_file:
+        payload_content = ""
+        for line in payload_file:
+            if line.rstrip():
+                payload_content += line
+    args.payload = payload_content
+
 command_class = VALID_COMMANDS.get(args.command, None)
 command_args = {key: val for key, val in vars(args).items() if key != "command"}
 

From 3a029db4000584f51422b1f5e2d91c3bab5f64a8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 12 Feb 2021 23:01:32 +0100
Subject: [PATCH 0402/3088] security/acme-client: fix log file location, closes
 #2227

---
 security/acme-client/pkg-descr                                  | 1 +
 .../opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php   | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 72ac1d1b4e..bacc33ad18 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Fixed:
 * fix missing "--ecc" parameter when renewing ECC certs (#2223)
+* fix log file location (#2227)
 
 2.3
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index c3ae40817d..0a6fbba495 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -123,6 +123,8 @@ public function loadConfig(string $path, string $uuid)
         // Store config objects
         $this->config = $obj;
         $this->model = $model;
+        // Set log file
+        $this->acme_args[] = LeUtils::execSafe('--log %s', self::ACME_LOG_FILE);
         return true;
     }
 

From 988829bdd0f98c59188cccefe1c4fdfe34f6fe80 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 15 Feb 2021 00:55:26 +0100
Subject: [PATCH 0403/3088] security/acme-client: revamp logs page

---
 security/acme-client/pkg-descr                |   9 ++
 .../src/etc/inc/plugins.inc.d/acmeclient.inc  |   9 ++
 .../OPNsense/AcmeClient/LogsController.php    |  45 ++++++
 .../library/OPNsense/AcmeClient/LeCommon.php  |  12 +-
 .../models/OPNsense/AcmeClient/Menu/Menu.xml  |   5 +-
 .../app/views/OPNsense/AcmeClient/logs.volt   | 130 ++++++++++++++++++
 .../systemhealth/logformats/acmeclient.py     |  63 +++++++++
 .../src/www/diag_logs_acmeclient.php          |   7 -
 .../www/diag_logs_template_acme-client.inc    | 117 ----------------
 9 files changed, 270 insertions(+), 127 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/LogsController.php
 create mode 100644 security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
 create mode 100755 security/acme-client/src/opnsense/scripts/systemhealth/logformats/acmeclient.py
 delete mode 100644 security/acme-client/src/www/diag_logs_acmeclient.php
 delete mode 100644 security/acme-client/src/www/diag_logs_template_acme-client.inc

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index bacc33ad18..2d89753b0a 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,9 +10,18 @@ Plugin Changelog
 
 2.4
 
+Added:
+* add new page to show AcmeClient entries from system log
+
 Fixed:
 * fix missing "--ecc" parameter when renewing ECC certs (#2223)
 * fix log file location (#2227)
+* fix GUI log formatting (by using the syslog log)
+
+Changed:
+* let acme.sh log through syslog
+* revamp logs page, move acme.sh log to a sub tab
+* remove legacy logs page
 
 2.3
 
diff --git a/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc b/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
index a210c2f85a..801a1fb076 100644
--- a/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
+++ b/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
@@ -71,6 +71,15 @@ function acmeclient_services()
     return $services;
 }
 
+function acmeclient_syslog()
+{
+    $logfacilities = array();
+    $logfacilities['acmeclient'] = array(
+        'facility' => array('acmeclient', 'acme.sh')
+    );
+    return $logfacilities;
+}
+
 /**
  *  NOTE: Does NOT support configuration sync (xmlrpc). The required acme.sh
  *        state files are missing on the secondary node and thus all attempts
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/LogsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/LogsController.php
new file mode 100644
index 0000000000..927e31f9dc
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/LogsController.php
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient;
+
+/**
+ * Class LogsController
+ * @package OPNsense\AcmeClient
+ */
+class LogsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // choose template
+        $this->view->pick('OPNsense/AcmeClient/logs');
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index 0a6fbba495..151445d0c7 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -123,8 +123,6 @@ public function loadConfig(string $path, string $uuid)
         // Store config objects
         $this->config = $obj;
         $this->model = $model;
-        // Set log file
-        $this->acme_args[] = LeUtils::execSafe('--log %s', self::ACME_LOG_FILE);
         return true;
     }
 
@@ -155,26 +153,36 @@ public function setLoglevel()
 
         switch ($loglevel) {
             case 'extended':
+                $this->acme_args[] = '--syslog 6';
                 $this->acme_args[] = '--log-level 2';
                 $this->debug = false;
                 break;
             case 'debug':
+                $this->acme_args[] = '--syslog 7';
                 $this->acme_args[] = '--debug';
                 $this->debug = true;
                 break;
             case 'debug2':
+                $this->acme_args[] = '--syslog 7';
                 $this->acme_args[] = '--debug 2';
                 $this->debug = true;
                 break;
             case 'debug3':
+                $this->acme_args[] = '--syslog 7';
                 $this->acme_args[] = '--debug 3';
                 $this->debug = true;
                 break;
             default:
+                $this->acme_args[] = '--syslog 6';
                 $this->acme_args[] = '--log-level 1';
                 $this->debug = false;
                 break;
         }
+
+        // Set log file
+        // NOTE: This log file is no longer exposed to the GUI. However, it may
+        // still turn out to be useful for debug purposes in rare egde cases.
+        $this->acme_args[] = LeUtils::execSafe('--log %s', self::ACME_LOG_FILE);
     }
 
     /**
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
index 79a8f7cf87..33a92cfb5f 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
@@ -9,7 +9,10 @@
           <Validations VisibleName="Challenge Types" order="30" url="/ui/acmeclient/validations"/>
           <Certificates order="40" url="/ui/acmeclient/certificates"/>
           <Automations VisibleName="Automations" order="50" url="/ui/acmeclient/actions"/>
-          <LogFile VisibleName="Log File" order="60" url="/diag_logs_acmeclient.php"/>
+          <Logs VisibleName="Log Files" order="60" url="/ui/acmeclient/logs">
+              <SystemLog VisibleName="System Log" order="10" url="/ui/acmeclient/logs"/>
+              <AcmeLog VisibleName="Acme Log" order="20" url="/ui/diagnostics/log/core/acmeclient"/>
+          </Logs>
       </LEAcmeClient>
     </Services>
 </menu>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
new file mode 100644
index 0000000000..ae057bc86f
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
@@ -0,0 +1,130 @@
+{#
+ # Copyright (c) 2019 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $( document ).ready(function() {
+      // get entries from system log for 'AcmeClient'
+      let grid_systemlog = $("#grid-systemlog").UIBootgrid({
+          options:{
+              // Hide nonfunctional search field
+              navigation:2,
+              sorting:false,
+              rowSelect: false,
+              selection: false,
+              rowCount:[20,50,100,200,500,1000,-1],
+              requestHandler: function(request){
+                  // Show only log entries that match 'AcmeClient'
+                  request['searchPhrase'] = 'AcmeClient';
+                  return request;
+              },
+          },
+          search:'/api/diagnostics/log/core/system'
+      });
+
+      // get entries from acmeclient.log
+      let grid_acmelog = $("#grid-acmelog").UIBootgrid({
+          options:{
+              sorting:false,
+              rowSelect: false,
+              selection: false,
+              rowCount:[20,50,100,200,500,1000,-1],
+          },
+          search:'/api/diagnostics/log/core/acmeclient'
+      });
+
+      grid_systemlog.on("loaded.rs.jquery.bootgrid", function(){
+          $(".action-page").click(function(event){
+              event.preventDefault();
+              $("#grid-systemlog").bootgrid("search",  "");
+              let new_page = parseInt((parseInt($(this).data('row-id')) / $("#grid-log").bootgrid("getRowCount")))+1;
+              $("input.search-field").val("");
+              // XXX: a bit ugly, but clearing the filter triggers a load event.
+              setTimeout(function(){
+                  $("ul.pagination > li:last > a").data('page', new_page).click();
+              }, 100);
+          });
+      });
+
+      grid_acmelog.on("loaded.rs.jquery.bootgrid", function(){
+          $(".action-page").click(function(event){
+              event.preventDefault();
+              $("#grid-acmelog").bootgrid("search",  "");
+              let new_page = parseInt((parseInt($(this).data('row-id')) / $("#grid-log").bootgrid("getRowCount")))+1;
+              $("input.search-field").val("");
+              // XXX: a bit ugly, but clearing the filter triggers a load event.
+              setTimeout(function(){
+                  $("ul.pagination > li:last > a").data('page', new_page).click();
+              }, 100);
+          });
+      });
+    });
+</script>
+
+
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#systemlog"><b>{{ lang._('System Log') }}</b></a></li>
+    <li><a data-toggle="tab" href="#acmelog">{{ lang._('Acme Log') }}</a></li>
+</ul>
+
+<div class="content-box tab-content">
+
+    <div id="systemlog" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            <div  class="col-sm-12">
+                <table id="grid-systemlog" class="table table-condensed table-hover table-striped table-responsive" data-store-selection="true">
+                    <thead>
+                    <tr>
+                        <th data-column-id="timestamp" data-width="11em" data-type="string">{{ lang._('Date') }}</th>
+                        <th data-column-id="process_name" data-width="11em" data-type="string">{{ lang._('Process') }}</th>
+                        <th data-column-id="line" data-type="string">{{ lang._('Line') }}</th>
+                    </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+
+    <div id="acmelog" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            <div  class="col-sm-12">
+                <table id="grid-acmelog" class="table table-condensed table-hover table-striped table-responsive" data-store-selection="true">
+                    <thead>
+                    <tr>
+                        <th data-column-id="timestamp" data-width="11em" data-type="string">{{ lang._('Date') }}</th>
+                        <th data-column-id="process_name" data-width="11em" data-type="string">{{ lang._('Process') }}</th>
+                        <th data-column-id="line" data-type="string">{{ lang._('Line') }}</th>
+                    </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+
+</div>
diff --git a/security/acme-client/src/opnsense/scripts/systemhealth/logformats/acmeclient.py b/security/acme-client/src/opnsense/scripts/systemhealth/logformats/acmeclient.py
new file mode 100755
index 0000000000..a311773ecb
--- /dev/null
+++ b/security/acme-client/src/opnsense/scripts/systemhealth/logformats/acmeclient.py
@@ -0,0 +1,63 @@
+"""
+    Copyright (c) 2021 Frank Wall
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import re
+import datetime
+from . import BaseLogFormat
+
+class AcmeclientLogFormat(BaseLogFormat):
+    def __init__(self, filename):
+        super(AcmeclientLogFormat, self).__init__(filename)
+        # XXX This is ugly, but it's the only way to override the line() method.
+        self._priority = 1
+        self._startup_timestamp = datetime.datetime.now()
+
+    def match(self, line):
+        return self._filename.find('acmeclient') > -1 and len(line) > 15 and re.match(r'(?:[01]\d|2[0123]):(?:[012345]\d):(?:[012345]\d)', line[7:15])
+
+    def timestamp(self, line):
+        # syslog format, strip timestamp and return actual log data
+        ts = datetime.datetime.strptime("%s %s" % (self._startup_timestamp.year, line[0:15]), "%Y %b %d %H:%M:%S")
+        ts = ts.replace(year=self._startup_timestamp.year)
+        if (self._startup_timestamp - ts).days < 0:
+            # likely previous year, (month for this year not reached yet)
+            ts = ts.replace(year=ts.year - 1)
+        return ts.isoformat()
+
+    @staticmethod
+    def line(line):
+        # parse [date] [hostname] [process_name] [line] format
+        response = line[16:]
+        tmp = response.find(':')
+        pre = response[tmp+1:].strip() if tmp > -1 else response[response.find(' ')+1:].strip()
+        # strip the duplicate date from the line
+        return pre[30:].strip()
+
+    @staticmethod
+    def process_name(line):
+        response = line[16:]
+        tmp = response.find(':')
+        return response[:tmp].strip().split()[-1] if tmp > -1 else ""
diff --git a/security/acme-client/src/www/diag_logs_acmeclient.php b/security/acme-client/src/www/diag_logs_acmeclient.php
deleted file mode 100644
index e5d406e957..0000000000
--- a/security/acme-client/src/www/diag_logs_acmeclient.php
+++ /dev/null
@@ -1,7 +0,0 @@
-<?php
-
-$logfile = '/var/log/acme.sh.log';
-$logclog = false;
-$logsplit = 6;
-
-require_once 'diag_logs_template_acme-client.inc';
diff --git a/security/acme-client/src/www/diag_logs_template_acme-client.inc b/security/acme-client/src/www/diag_logs_template_acme-client.inc
deleted file mode 100644
index 993181556e..0000000000
--- a/security/acme-client/src/www/diag_logs_template_acme-client.inc
+++ /dev/null
@@ -1,117 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2015 Deciso B.V.
- * Copyright (C) 2012 Seth Mos <seth.mos@dds.nl>
- * Copyright (C) 2004-2009 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("system.inc");
-require_once("interfaces.inc");
-
-/* expects $logfile to point to the system path */
-/* expects $logclog to be true or false */
-
-require_once 'diag_logs_common.inc';
-
-$filtertext = '';
-$nentries = 50;
-
-if (isset($config['syslog']['nentries'])) {
-    $nentries = $config['syslog']['nentries'];
-}
-
-if (!empty($_POST['clear'])) {
-    if ($logclog) {
-        system_clear_clog($logfile);
-    } else {
-        system_clear_log($logfile);
-    }
-}
-
-if (isset($_POST['filtertext'])) {
-    $filtertext = $_POST['filtertext'];
-}
-
-include("head.inc");
-?>
-
-<body>
-<?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-        <section class="col-xs-12">
-          <p>
-            <form method="post">
-              <div class="input-group">
-                <div class="input-group-addon"><i class="fa fa-search"></i></div>
-                <input type="text" class="form-control" id="filtertext" name="filtertext" placeholder="<?= html_safe(gettext('Search for a specific message...')) ?>" value="<?= html_safe($filtertext) ?>"/>
-              </div>
-            </form>
-          </p>
-          <div class="table-responsive content-box tab-content">
-            <table class="table table-striped">
-              <tr>
-                <th class="col-md-2 col-sm-3 col-xs-4"><?= gettext('Date') ?></th>
-                <th class="col-md-10 col-sm-9 col-xs-8"><?= gettext('Message') ?></th>
-              </tr>
-              <?php if (isset($logpills)): ?>
-              <tr>
-                <td colspan="2">
-                  <ul class="nav nav-pills" role="tablist">
-                    <?php foreach ($logpills as $pill): ?>
-                    <li role="presentation" <?php if (str_replace('amp;','', $pill[2]) == $_SERVER['REQUEST_URI']):?>class="active"<?php endif; ?>><a href="<?=$pill[2];?>"><?=$pill[0];?></a></li>
-                    <?php endforeach; ?>
-                  </ul>
-                </td>
-              </tr>
-              <?php endif; ?>
-              <?php
-                if ($logclog) {
-                    dump_clog($logfile, $nentries, $filtertext);
-                } else {
-                    dump_log($logfile, $nentries, $filtertext);
-                }
-              ?>
-              <tr>
-                <td colspan="2">
-                  <form method="post">
-<?php                   if (isset($mode)): ?>
-                    <input type="hidden" name="mode" id="mode" value="<?= html_safe($mode) ?>"/>
-<?php                   endif; ?>
-                    <input name="clear" type="submit" class="btn btn-primary" value="<?= html_safe(gettext('Clear log')) ?>"/>
-                  </form>
-                </td>
-              </tr>
-            </table>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc"); ?>

From 82f54924915d8e71756f18cea795d6f130ed9dfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Mon, 15 Feb 2021 08:47:44 +0100
Subject: [PATCH 0404/3088] Themes Cicada/Vicuna/Tukan updates (#2238)

a few color fixes for Cicada
a few color fixes and traffic widget color fix for vicuna
a few color fixes for sensei and "pick a color" fix for Tukan
---
 misc/theme-cicada/Makefile                    |   2 +-
 .../cicada/assets/stylesheets/main.scss       | 266 +++++-------------
 .../www/themes/cicada/build/css/main.css      |  18 +-
 .../build/css/pick-a-color-1.2.3.min.css      |   2 +-
 misc/theme-tukan/Makefile                     |   2 +-
 .../themes/tukan/assets/stylesheets/main.scss |   4 +
 .../www/themes/tukan/build/css/main.css       |   4 +
 .../build/css/pick-a-color-1.2.3.min.css      |  86 ++++++
 misc/theme-vicuna/Makefile                    |   2 +-
 .../vicuna/assets/stylesheets/main.scss       |  12 +-
 .../vicuna/assets/stylesheets/tokenizer2.scss |   2 +-
 .../www/themes/vicuna/build/css/main.css      |  12 +-
 .../www/themes/vicuna/build/css/nv.d3.css     |   5 -
 .../build/css/pick-a-color-1.2.3.min.css      |   2 +-
 .../www/themes/vicuna/build/css/tokenize2.css |   2 +-
 15 files changed, 199 insertions(+), 222 deletions(-)
 create mode 100644 misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/pick-a-color-1.2.3.min.css

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index af5a7440ac..bfe671f7dc 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.26
+PLUGIN_VERSION=		1.27
 PLUGIN_COMMENT=		The cicada theme - dark grey
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index 8621584cdb..2e4f3edf7a 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -3495,297 +3495,231 @@ input {
 select {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] select {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 textarea {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] textarea {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="text"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="text"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="password"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="password"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="datetime"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="datetime"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="datetime-local"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="datetime-local"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="date"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="date"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="month"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="month"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="time"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="time"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="week"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="week"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="number"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="number"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="email"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="email"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="url"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="url"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="search"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="search"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="tel"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="tel"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 input[type="color"] {
   &[disabled], &[readonly] {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none !important;
     border-color: #191919;
   }
 }
 
 fieldset[disabled] input[type="color"] {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none !important;
   border-color: #191919;
 }
 
 select {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3794,9 +3728,7 @@ select {
 
 fieldset[disabled]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3805,9 +3737,7 @@ fieldset[disabled]:hover {
 textarea {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3816,9 +3746,7 @@ textarea {
 
 fieldset[disabled]:hover textarea:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3827,9 +3755,7 @@ fieldset[disabled]:hover textarea:hover {
 input[type="text"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3838,9 +3764,7 @@ input[type="text"] {
 
 fieldset[disabled]:hover input[type="text"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3849,9 +3773,7 @@ fieldset[disabled]:hover input[type="text"]:hover {
 input[type="password"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3860,9 +3782,7 @@ input[type="password"] {
 
 fieldset[disabled]:hover input[type="password"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3871,9 +3791,7 @@ fieldset[disabled]:hover input[type="password"]:hover {
 input[type="datetime"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3882,9 +3800,7 @@ input[type="datetime"] {
 
 fieldset[disabled]:hover input[type="datetime"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3893,9 +3809,7 @@ fieldset[disabled]:hover input[type="datetime"]:hover {
 input[type="datetime-local"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3904,9 +3818,7 @@ input[type="datetime-local"] {
 
 fieldset[disabled]:hover input[type="datetime-local"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3915,9 +3827,7 @@ fieldset[disabled]:hover input[type="datetime-local"]:hover {
 input[type="date"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3926,9 +3836,7 @@ input[type="date"] {
 
 fieldset[disabled]:hover input[type="date"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3937,9 +3845,7 @@ fieldset[disabled]:hover input[type="date"]:hover {
 input[type="month"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3948,9 +3854,7 @@ input[type="month"] {
 
 fieldset[disabled]:hover input[type="month"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3959,9 +3863,7 @@ fieldset[disabled]:hover input[type="month"]:hover {
 input[type="time"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3970,9 +3872,7 @@ input[type="time"] {
 
 fieldset[disabled]:hover input[type="time"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -3981,9 +3881,7 @@ fieldset[disabled]:hover input[type="time"]:hover {
 input[type="week"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -3992,9 +3890,7 @@ input[type="week"] {
 
 fieldset[disabled]:hover input[type="week"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -4003,9 +3899,7 @@ fieldset[disabled]:hover input[type="week"]:hover {
 input[type="number"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -4014,9 +3908,7 @@ input[type="number"] {
 
 fieldset[disabled]:hover input[type="number"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -4025,9 +3917,7 @@ fieldset[disabled]:hover input[type="number"]:hover {
 input[type="email"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -4036,9 +3926,7 @@ input[type="email"] {
 
 fieldset[disabled]:hover input[type="email"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -4047,9 +3935,7 @@ fieldset[disabled]:hover input[type="email"]:hover {
 input[type="url"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -4058,9 +3944,7 @@ input[type="url"] {
 
 fieldset[disabled]:hover input[type="url"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -4069,9 +3953,7 @@ fieldset[disabled]:hover input[type="url"]:hover {
 input[type="search"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -4080,9 +3962,7 @@ input[type="search"] {
 
 fieldset[disabled]:hover input[type="search"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -4091,9 +3971,7 @@ fieldset[disabled]:hover input[type="search"]:hover {
 input[type="tel"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -4102,9 +3980,7 @@ input[type="tel"] {
 
 fieldset[disabled]:hover input[type="tel"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -4113,9 +3989,7 @@ fieldset[disabled]:hover input[type="tel"]:hover {
 input[type="color"] {
   &[disabled]:hover, &[readonly]:hover {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity = 80);
+    background-color: none;
     border: 1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -4124,9 +3998,7 @@ input[type="color"] {
 
 fieldset[disabled]:hover input[type="color"]:hover {
   cursor: not-allowed;
-  background-color: #686868;
-  opacity: 0.8;
-  filter: alpha(opacity = 80);
+  background-color: none;
   border: 1px solid #191919;
   -webkit-box-shadow: none;
   box-shadow: none;
@@ -10411,10 +10283,10 @@ label > input {
 
   .ipsec-tab {
     background-color: #3a3a3a !important;
-    color: #928873 !important;
+    color: #FFF !important;
 
     &.activetab {
-      background-color: #262626 !important;
+      background-color: #2d2d2d !important;
       color: #dd630d !important;
     }
   }
@@ -10752,7 +10624,7 @@ ul.jqtree-tree {
 }
 
 .interface-table {
-  background-color: #242424 !important;
+  background-color: #191919 !important;
 }
 
 .modal-side-settings {
@@ -10767,3 +10639,7 @@ ul.jqtree-tree {
   background-color: #d77610 !important;
   color: #FFF !important;
 }
+
+.table.border {
+  border: 1px solid #191919 !important;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 59211a51fa..919e308ea3 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -2472,9 +2472,7 @@ input[type="color"]
 
    {
     cursor: not-allowed;
-	background-color: #686868;
-	opacity: 0.8;
-	filter: alpha(opacity=80);
+	background-color: none !important;
 	border-color: #191919; }
 
   select[disabled]:hover, select[readonly]:hover, fieldset[disabled]:hover,
@@ -2526,9 +2524,7 @@ input[type="color"]
 
    {
     cursor: not-allowed;
-    background-color: #686868;
-    opacity: 0.8;
-    filter: alpha(opacity=80);
+    background-color: none;
     border:1px solid #191919;
     -webkit-box-shadow: none;
     box-shadow: none; }
@@ -6331,11 +6327,11 @@ label > input[type="radio"] {
 
 #ipsec .ipsec-tab {
 	background-color: #3a3a3a !important;
-	color: #928873 !important;
+	color: #FFF !important;
 }
 
 #ipsec .ipsec-tab.activetab {
-	background-color: #262626 !important;
+	background-color: #2d2d2d !important;
 	color: #dd630d !important;
 }
 .fw_pass {
@@ -6605,7 +6601,7 @@ ul.jqtree-tree .jqtree-title {
 }
 
 .interface-table {
-  background-color: #242424 !important;
+  background-color: #191919 !important;
 }
 
 .modal-side-settings {
@@ -6620,3 +6616,7 @@ ul.jqtree-tree .jqtree-title {
   background-color: #d77610 !important;
   color: #FFF !important;
 }
+
+.table.border {
+  border: 1px solid #191919 !important;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/pick-a-color-1.2.3.min.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/pick-a-color-1.2.3.min.css
index 91c8033748..8010d43e5c 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/pick-a-color-1.2.3.min.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/pick-a-color-1.2.3.min.css
@@ -22,7 +22,7 @@
 .pick-a-color-markup .color-menu .color-preview.violet{background-color:#ee81ee}
 .pick-a-color-markup .color-menu .color-preview.purple{background-color:#80007f}
 .pick-a-color-markup .color-menu .color-preview.black{background-color:#000}
-.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#fff}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:transparent}
+.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#fff}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:none}
 @media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{min-height:40px}}
 .pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{color:#dd630d;background-image:none;filter:none;text-decoration:none;font-weight:bold}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{background-color:#fff;font-weight:normal}}
 .pick-a-color-markup .color-menu .btn.color-select{margin:0px 5px;height:20px;padding:0px 5px;margin-top:0px;line-height:1.5px;border-radius:4px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .btn.color-select{height:35px}}
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index ef96f6a111..9408a172ae 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.23
+PLUGIN_VERSION=		1.24
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
index fffb043fd8..9319aaa62a 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
@@ -10679,3 +10679,7 @@ input[type="checkbox"] {
 label.btn.au-target {
   color: #FFF !important;
 }
+
+.table.border {
+  border: 1px solid #bdbdbd;
+}
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index 36f2577243..df4a0ea045 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -6513,3 +6513,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 label.btn.au-target {
   color: #FFF !important;
 }
+
+.table.border {
+    border: 1px solid #bdbdbd;
+}
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/pick-a-color-1.2.3.min.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/pick-a-color-1.2.3.min.css
new file mode 100644
index 0000000000..0606f04c53
--- /dev/null
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/pick-a-color-1.2.3.min.css
@@ -0,0 +1,86 @@
+
+.pick-a-color-markup *{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
+.pick-a-color-markup .hex-pound{padding-left:8px;padding-right:8px}@media screen and (max-width:991px){.pick-a-color-markup .hex-pound{padding:3px 5px 0px 5px;min-height:30px}}
+.pick-a-color-markup .pick-a-color{padding:5px}@media screen and (max-width:991px){.pick-a-color-markup .pick-a-color{width:100%;font-size:18px;padding:9px;min-width:222px;height:47px}}
+.pick-a-color-markup .input-group-btn .color-dropdown{padding:6px 5px}.pick-a-color-markup .input-group-btn .color-dropdown.no-hex{border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .input-group-btn .color-dropdown:focus{background-color:#fff}
+@media screen and (max-width:991px){.pick-a-color-markup .input-group-btn .color-dropdown{height:47px}}
+.pick-a-color-markup .color-preview{border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);height:1.429em;width:1.429em;display:inline-block;cursor:pointer;margin-right:5px}.pick-a-color-markup .color-preview.current-color{margin-bottom:-5px}
+@media screen and (max-width:991px){.pick-a-color-markup .color-preview{height:1.875em;width:1.875em}}
+.pick-a-color-markup .color-menu{text-align:left;padding:5px 0px;width:330px;font-size:14px;left:auto;}.pick-a-color-markup .color-menu.color-menu--inline{left:-285px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu.color-menu--inline{left:-242px}}
+@media screen and (max-width:991px){.pick-a-color-markup .color-menu{left:-242px;width:293px}}.pick-a-color-markup .color-menu.small{width:100px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu.small{left:-105px}}
+.pick-a-color-markup .color-menu.no-hex{left:0px}
+.pick-a-color-markup .color-menu ul{padding:0px;margin:0px}
+.pick-a-color-markup .color-menu li{list-style-type:none;padding:5px 0px;margin:0px}
+.pick-a-color-markup .color-menu .color-preview{vertical-align:middle;margin:0px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .color-preview{height:35px;width:35px}}.pick-a-color-markup .color-menu .color-preview.current-color,.pick-a-color-markup .color-menu .color-preview.white{background-color:#fff}
+.pick-a-color-markup .color-menu .color-preview.red{background-color:#f00}
+.pick-a-color-markup .color-menu .color-preview.orange{background-color:#f60}
+.pick-a-color-markup .color-menu .color-preview.yellow{background-color:#ff0}
+.pick-a-color-markup .color-menu .color-preview.green{background-color:#008000}
+.pick-a-color-markup .color-menu .color-preview.blue{background-color:#00f}
+.pick-a-color-markup .color-menu .color-preview.indigo{background-color:#4a0080}
+.pick-a-color-markup .color-menu .color-preview.violet{background-color:#ee81ee}
+.pick-a-color-markup .color-menu .color-preview.purple{background-color:#80007f}
+.pick-a-color-markup .color-menu .color-preview.black{background-color:#000}
+.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#FFF}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:none}
+@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{min-height:40px}}
+.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{color:#FFF;background-image:none;filter:none;text-decoration:none;font-weight:bold}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{background-color:#fff;font-weight:normal}}
+.pick-a-color-markup .color-menu .btn.color-select{margin:0px 5px;height:20px;padding:0px 5px;margin-top:0px;line-height:1.5px;border-radius:4px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .btn.color-select{height:35px}}
+.pick-a-color-markup .caret{margin-bottom:3px;color: #000;}
+.pick-a-color-markup .color-menu-instructions,.pick-a-color-markup .advanced-instructions{text-align:center;padding:0px 6px;margin:0px;font-size:14px;font-weight:normal}@media screen and (min-width:992px){.pick-a-color-markup .color-menu-instructions,.pick-a-color-markup .advanced-instructions{display:none}}
+.pick-a-color-markup .color-label{vertical-align:middle;margin:0px;margin-left:10px;cursor:pointer}@media screen and (max-width:991px){.pick-a-color-markup .color-label{margin-left:8px}}
+.pick-a-color-markup .color-box{height:20px;width:200px;position:absolute;left:115px;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);box-shadow:inset 0 0 2px 2px rgba(0,0,0,0.075);cursor:pointer}@media screen and (max-width:991px){.pick-a-color-markup .color-box{width:160px;height:35px}}
+.pick-a-color-markup .black .highlight-band-stripe{background-color:#fff}
+.pick-a-color-markup .spectrum-white{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#808080));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#808080 100%));background-image:-moz-linear-gradient(left, #fff 0, #808080 100%);background-image:linear-gradient(to right, #fff 0, #808080 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ff808080', GradientType=1)}.pick-a-color-markup .spectrum-white .highlight-band{left:0px}
+.pick-a-color-markup .spectrum-red{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f00), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f00 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f00 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-orange{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f60), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f60 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f60 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f60 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f60 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-yellow{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #ff0), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #ff0 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #ff0 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #ff0 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #ff0 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-green{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #80ff80), color-stop(.5, #008000), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #80ff80 0, #008000 50%, #000 100%);background-image:-webkit-linear-gradient(left, #80ff80 0, #008000 50%, #000 100%);background-image:-o-linear-gradient(left, #80ff80 0, #008000 50%, #000 100%);background-image:linear-gradient(to right, #80ff80 0, #008000 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-blue{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #00f), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #00f 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #00f 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #00f 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #00f 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-purple{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #ff80ff), color-stop(.5, #80007f), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #ff80ff 0, #80007f 50%, #000 100%);background-image:-webkit-linear-gradient(left, #ff80ff 0, #80007f 50%, #000 100%);background-image:-o-linear-gradient(left, #ff80ff 0, #80007f 50%, #000 100%);background-image:linear-gradient(to right, #ff80ff 0, #80007f 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .spectrum-black{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#000), to(#808080));background-image:-webkit-linear-gradient(left, color-stop(#000 0), color-stop(#808080 100%));background-image:-moz-linear-gradient(left, #000 0, #808080 100%);background-image:linear-gradient(to right, #000 0, #808080 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff000000', endColorstr='#ff808080', GradientType=1)}.pick-a-color-markup .spectrum-black .highlight-band{left:0px;border:1px solid #808080}
+.pick-a-color-markup .ie-spectrum{height:20px;width:100px;display:inline-block;top:-1}.pick-a-color-markup .ie-spectrum.hue{width:50.5px}@media screen and (max-width:991px){.pick-a-color-markup .ie-spectrum.hue{width:45.5px}}
+@media screen and (max-width:991px){.pick-a-color-markup .ie-spectrum{width:80px;height:35px}}
+.pick-a-color-markup .red-spectrum-0,.pick-a-color-markup .lightness-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #fff 0, #f00 100%);background-image:linear-gradient(to right, #fff 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffff0000', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .red-spectrum-1,.pick-a-color-markup .lightness-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f00), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#f00 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #f00 0, #000 100%);background-image:linear-gradient(to right, #f00 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff0000', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .lightness-spectrum-0,.pick-a-color-markup .lightness-spectrum-1{width:150px}@media screen and (max-width:991px){.pick-a-color-markup .lightness-spectrum-0,.pick-a-color-markup .lightness-spectrum-1{width:135px}}
+.pick-a-color-markup .orange-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#f60));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#f60 100%));background-image:-moz-linear-gradient(left, #fff 0, #f60 100%);background-image:linear-gradient(to right, #fff 0, #f60 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffff6600', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .orange-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f60), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#f60 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #f60 0, #000 100%);background-image:linear-gradient(to right, #f60 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff6600', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .yellow-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#ff0));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#ff0 100%));background-image:-moz-linear-gradient(left, #fff 0, #ff0 100%);background-image:linear-gradient(to right, #fff 0, #ff0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ffffff00', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .yellow-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff0), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#ff0 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #ff0 0, #000 100%);background-image:linear-gradient(to right, #ff0 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffff00', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .green-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#80ff80), to(#008000));background-image:-webkit-linear-gradient(left, color-stop(#80ff80 0), color-stop(#008000 100%));background-image:-moz-linear-gradient(left, #80ff80 0, #008000 100%);background-image:linear-gradient(to right, #80ff80 0, #008000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff80ff80', endColorstr='#ff008000', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .green-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#008000), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#008000 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #008000 0, #000 100%);background-image:linear-gradient(to right, #008000 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff008000', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .blue-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#fff), to(#00f));background-image:-webkit-linear-gradient(left, color-stop(#fff 0), color-stop(#00f 100%));background-image:-moz-linear-gradient(left, #fff 0, #00f 100%);background-image:linear-gradient(to right, #fff 0, #00f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff', endColorstr='#ff0000ff', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .blue-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#00f), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#00f 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #00f 0, #000 100%);background-image:linear-gradient(to right, #00f 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0000ff', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .purple-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff80ff), to(#80007f));background-image:-webkit-linear-gradient(left, color-stop(#ff80ff 0), color-stop(#80007f 100%));background-image:-moz-linear-gradient(left, #ff80ff 0, #80007f 100%);background-image:linear-gradient(to right, #ff80ff 0, #80007f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff80ff', endColorstr='#ff80007f', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .purple-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#80007f), to(#000));background-image:-webkit-linear-gradient(left, color-stop(#80007f 0), color-stop(#000 100%));background-image:-moz-linear-gradient(left, #80007f 0, #000 100%);background-image:linear-gradient(to right, #80007f 0, #000 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff80007f', endColorstr='#ff000000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px}
+.pick-a-color-markup .saturation-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#808080), to(#bf4040));background-image:-webkit-linear-gradient(left, color-stop(#808080 0), color-stop(#bf4040 100%));background-image:-moz-linear-gradient(left, #808080 0, #bf4040 100%);background-image:linear-gradient(to right, #808080 0, #bf4040 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff808080', endColorstr='#ffbf4040', GradientType=1);border-bottom-left-radius:4px;border-top-left-radius:4px;width:150px}@media screen and (max-width:991px){.pick-a-color-markup .saturation-spectrum-0{width:135px}}
+.pick-a-color-markup .saturation-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#bf4040), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#bf4040 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #bf4040 0, #f00 100%);background-image:linear-gradient(to right, #bf4040 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffbf4040', endColorstr='#ffff0000', GradientType=1);border-bottom-right-radius:4px;border-top-right-radius:4px;width:150px}@media screen and (max-width:991px){.pick-a-color-markup .saturation-spectrum-1{width:135px}}
+.pick-a-color-markup .hue-spectrum-0{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f00), to(#ff0));background-image:-webkit-linear-gradient(left, color-stop(#f00 0), color-stop(#ff0 100%));background-image:-moz-linear-gradient(left, #f00 0, #ff0 100%);background-image:linear-gradient(to right, #f00 0, #ff0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff0000', endColorstr='#ffffff00', GradientType=1)}
+.pick-a-color-markup .hue-spectrum-1{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#ff0), to(#0f0));background-image:-webkit-linear-gradient(left, color-stop(#ff0 0), color-stop(#0f0 100%));background-image:-moz-linear-gradient(left, #ff0 0, #0f0 100%);background-image:linear-gradient(to right, #ff0 0, #0f0 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffff00', endColorstr='#ff00ff00', GradientType=1)}
+.pick-a-color-markup .hue-spectrum-2{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#0f0), to(#0ff));background-image:-webkit-linear-gradient(left, color-stop(#0f0 0), color-stop(#0ff 100%));background-image:-moz-linear-gradient(left, #0f0 0, #0ff 100%);background-image:linear-gradient(to right, #0f0 0, #0ff 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff00ff00', endColorstr='#ff00ffff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-3{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#0ff), to(#00f));background-image:-webkit-linear-gradient(left, color-stop(#0ff 0), color-stop(#00f 100%));background-image:-moz-linear-gradient(left, #0ff 0, #00f 100%);background-image:linear-gradient(to right, #0ff 0, #00f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff00ffff', endColorstr='#ff0000ff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-4{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#00f), to(#f0f));background-image:-webkit-linear-gradient(left, color-stop(#00f 0), color-stop(#f0f 100%));background-image:-moz-linear-gradient(left, #00f 0, #f0f 100%);background-image:linear-gradient(to right, #00f 0, #f0f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff0000ff', endColorstr='#ffff00ff', GradientType=1);left:-1px;position:relative}
+.pick-a-color-markup .hue-spectrum-5{background-image:-webkit-gradient(linear, 0 top, 100% top, from(#f0f), to(#f00));background-image:-webkit-linear-gradient(left, color-stop(#f0f 0), color-stop(#f00 100%));background-image:-moz-linear-gradient(left, #f0f 0, #f00 100%);background-image:linear-gradient(to right, #f0f 0, #f00 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffff00ff', endColorstr='#ffff0000', GradientType=1);left:-2px;position:relative}
+.pick-a-color-markup .highlight-band{border:1px solid #222;border-radius:2px;-webkit-box-shadow:1px 1px 1px #333;box-shadow:1px 1px 1px #333;height:19px;width:11px;display:inline-block;cursor:pointer;cursor:-webkit-grab;cursor:-moz-grab;position:absolute;top:-1px;left:94.5px;text-align:center}@media screen and (max-width:991px){.pick-a-color-markup .highlight-band{width:21px;left:69.5px;height:34px}}
+.pick-a-color-markup .highlight-band-stripe{min-height:80%;min-width:1px;background-color:#000;opacity:0.40;margin:2px 1px;display:inline-block;-webkit-box-shadow:1px 0 2px 0 #fff;box-shadow:1px 0 2px 0 #fff}@media screen and (max-width:991px){.pick-a-color-markup .highlight-band-stripe{margin:4px 2px}}
+.pick-a-color-markup .color-menu-tabs{padding:5px 3px 3px 10px;font-size:12px;color:#333;border-bottom:1px solid #ccc;margin-bottom:5px}.pick-a-color-markup .color-menu-tabs .tab{padding:4px 5px;margin:5px;border-left:1px solid #fff;border-right:1px solid #fff;cursor:pointer;background-color:#fff}.pick-a-color-markup .color-menu-tabs .tab:hover{padding-bottom:6px;border-top:1px solid #ccc;border-right:1px solid #ccc;border-left:1px solid #ccc;border-top-right-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .color-menu-tabs a{color:#333;text-decoration:none}
+.pick-a-color-markup .color-menu-tabs .tab-active{border-bottom:3px solid #fff;padding-bottom:5px;border-top:1px solid #ccc;border-right:1px solid #ccc;border-left:1px solid #ccc;border-top-right-radius:4px;border-top-left-radius:4px}
+.pick-a-color-markup .active-content{display:block}
+.pick-a-color-markup .inactive-content{display:none}
+.pick-a-color-markup .savedColors-content{padding:5px 15px;white-space:normal}.pick-a-color-markup .savedColors-content li.color-item>a{margin-left:7px;padding-left:8px;border-radius:4px}
+.pick-a-color-markup .saved-color-col{position:relative;left:-15px;float:left;width:149px}@media screen and (max-width:991px){.pick-a-color-markup .saved-color-col{width:130px}}
+.pick-a-color-markup .advanced-content ul{margin-top:10px}
+.pick-a-color-markup .advanced-content li{padding:5px 15px 3px 15px;cursor:default;min-height:25px;height:50px;position:relative}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content li{min-height:70px}}
+.pick-a-color-markup .advanced-content .color-preview{height:50px;width:300px;float:left;margin:0px 0px 10px 0px;background-color:#f00;text-align:center}.pick-a-color-markup .advanced-content .color-preview .color-select.btn.advanced{margin-top:15px;display:none}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-preview .color-select.btn.advanced{display:inline;margin-top:7px}}
+.pick-a-color-markup .advanced-content .color-preview:hover .color-select.btn.advanced{display:inline}
+@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-preview{width:270px;margin-left:-10px}}
+.pick-a-color-markup .advanced-content .spectrum-hue{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #f00), color-stop(17%, #ff0), color-stop(34%, #0f0), color-stop(51%, #0ff), color-stop(68%, #00f), color-stop(85%, #f0f), color-stop(100%, #f00));background-image:-moz-linear-gradient(left center, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:-webkit-linear-gradient(left, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:-o-linear-gradient(left, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-image:linear-gradient(to right, #f00 0, #ff0 17%, #0f0 24%, #0ff 51%, #00f 68%, #f0f 85%, #f00 100%);background-repeat:repeat-x}.pick-a-color-markup .advanced-content .spectrum-hue .highlight-band{left:0px}
+.pick-a-color-markup .advanced-content .spectrum-lightness{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #fff), color-stop(.5, #f00), color-stop(1, #000));background-image:-moz-linear-gradient(left center, #fff 0, #f00 50%, #000 100%);background-image:-webkit-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:-o-linear-gradient(left, #fff 0, #f00 50%, #000 100%);background-image:linear-gradient(to right, #fff 0, #f00 50%, #000 100%);background-repeat:repeat-x}
+.pick-a-color-markup .advanced-content .spectrum-saturation{background-image:-webkit-gradient(linear, left top, right top, color-stop(0, #808080), color-stop(.5, #f00), color-stop(1, #f00));background-image:-moz-linear-gradient(left center, #808080 0, #f00 50%, #f00 100%);background-image:-webkit-linear-gradient(left, #808080 0, #f00 50%, #f00 100%);background-image:-o-linear-gradient(left, #808080 0, #f00 50%, #f00 100%);background-image:linear-gradient(to right, #808080 0, #f00 50%, #f00 100%);background-repeat:repeat-x}.pick-a-color-markup .advanced-content .spectrum-saturation .highlight-band{left:287px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .spectrum-saturation .highlight-band{left:247px}}
+.pick-a-color-markup .advanced-content .spectrum-lightness .highlight-band{left:143.5px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .spectrum-lightness .highlight-band{left:123.5px}}
+.pick-a-color-markup .advanced-content .lightness-text,.pick-a-color-markup .advanced-content .hue-text,.pick-a-color-markup .advanced-content .saturation-text,.pick-a-color-markup .advanced-content .preview-text{vertical-align:middle;text-align:center;display:block}
+.pick-a-color-markup .advanced-content .color-box{left:15px;top:25px;width:300px}@media screen and (max-width:991px){.pick-a-color-markup .advanced-content .color-box{width:270px;left:10px}}
+.pick-a-color-markup .advanced-content .preview-item{height:80px}
+@-moz-document url-prefix(){@media screen and (max-width:991px){div.pick-a-color-markup .color-menu{left:0px}}}
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 4f2a6fac81..7c1be4db2f 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		The vicuna theme - dark anthrazit
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 4b118209c0..3d05ec02f6 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -10434,12 +10434,14 @@ label > input {
   }
 
   .ipsec-tab {
-    background-color: #839caa !important;
+    background-color: #202f3a !important;
     color: #FFF !important;
+    opacity: 0.5;
 
     &.activetab {
-      background-color: #315a71 !important;
-      color: #FFF !important;
+      background-color: #202f3a !important;
+      color: #D77610 !important;
+      opacity: 1;
     }
   }
 }
@@ -10760,3 +10762,7 @@ ul.jqtree-tree {
   background-color: #d77610 !important;
   color: #FFF !important;
 }
+
+.table.border {
+  border: 1px solid #181818 !important;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/tokenizer2.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/tokenizer2.scss
index 4df1e1901d..789bae6c27 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/tokenizer2.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/tokenizer2.scss
@@ -38,7 +38,7 @@
     > {
       .token {
         padding: 0 1.2em 0 5px;
-        background-color: #d7af10;
+        background-color: #d77610;
         -webkit-border-radius: 2px;
         -moz-border-radius: 2px;
         border-radius: 2px;
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index f9406046cd..8234f124a8 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -6333,13 +6333,15 @@ label > input[type="radio"] {
 }
 
 #ipsec .ipsec-tab {
-	background-color: #839caa !important;
+	background-color: #202f3a !important;
 	color: #FFF !important;
+  opacity: 0.5;
 }
 
 #ipsec .ipsec-tab.activetab {
-	background-color: #315a71 !important;
-	color: #FFF !important;
+	background-color: #202f3a !important;
+	color: #D77610 !important;
+  opacity: 1;
 }
 .fw_pass {
   background-color: #203a23 !important;
@@ -6577,3 +6579,7 @@ ul.jqtree-tree .jqtree-title {
   background-color: #d77610 !important;
   color: #FFF !important;
 }
+
+.table.border {
+  border: 1px solid #181818 !important;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/nv.d3.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/nv.d3.css
index 5f3eea0020..ea4b9f5e0e 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/nv.d3.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/nv.d3.css
@@ -335,11 +335,6 @@ svg.nvd3-svg {
     fill-opacity: .7;
 }
 
-circle.nv-legend-symbol {
-  fill: rgb(151, 151, 151) !important;
-  stroke: rgb(151, 151, 151) !important;
-}
-
 /**********
 *  Print
 */
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/pick-a-color-1.2.3.min.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/pick-a-color-1.2.3.min.css
index 74517c454e..8e3bcc16cc 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/pick-a-color-1.2.3.min.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/pick-a-color-1.2.3.min.css
@@ -22,7 +22,7 @@
 .pick-a-color-markup .color-menu .color-preview.violet{background-color:#ee81ee}
 .pick-a-color-markup .color-menu .color-preview.purple{background-color:#80007f}
 .pick-a-color-markup .color-menu .color-preview.black{background-color:#000}
-.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#fff}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:transparent}
+.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#fff}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:none}
 @media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{min-height:40px}}
 .pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{color:#dd630d;background-image:none;filter:none;text-decoration:none;font-weight:bold}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{background-color:#fff;font-weight:normal}}
 .pick-a-color-markup .color-menu .btn.color-select{margin:0px 5px;height:20px;padding:0px 5px;margin-top:0px;line-height:1.5px;border-radius:4px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .btn.color-select{height:35px}}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tokenize2.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tokenize2.css
index c2403aa472..f1fbdbbca9 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tokenize2.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tokenize2.css
@@ -35,7 +35,7 @@
 
 .tokenize > .tokens-container > .token {
   padding: 0 1.2em 0 5px;
-  background-color: #d7af10;
+  background-color: #d77610;
   -webkit-border-radius: 2px;
   -moz-border-radius: 2px;
   border-radius: 2px;

From 4ab914ceaf4443bb222f72d14d69f930d13f6add Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Feb 2021 09:52:10 +0100
Subject: [PATCH 0405/3088] Framework: add revision bump helper and fix a typo

---
 Makefile           |  2 +-
 Mk/plugins.mk      |  5 ++++-
 Scripts/revbump.sh | 16 ++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100755 Scripts/revbump.sh

diff --git a/Makefile b/Makefile
index 6c21da0d95..82aa061e95 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ list:
 .endfor
 
 # shared targets that are sane to run from the root directory
-TARGETS=	clean lint style style-fix style-python sweep test
+TARGETS=	clean lint revision style style-fix style-python sweep test
 
 .for TARGET in ${TARGETS}
 ${TARGET}:
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ac202ae301..56ff42e2d8 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -325,7 +325,10 @@ sweep: check
 	    ! -name "*.ser" -type f -print0 | \
 	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile
 	find ${.CURDIR} -type f -depth 1 -print0 | \
-	    xargs -0 -n1 ${SCRIPTSDIRs/cleanfile
+	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile
+
+revision:
+	${SCRIPTSDIR}/revbump.sh ${.CURDIR}
 
 STYLEDIRS?=	src/etc/inc src/opnsense
 
diff --git a/Scripts/revbump.sh b/Scripts/revbump.sh
new file mode 100755
index 0000000000..135168df57
--- /dev/null
+++ b/Scripts/revbump.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -e
+
+DIR=${1}
+
+if [ -z "${DIR}" ]; then
+	DIR=.
+fi
+
+REV=$(make -C ${DIR} -V PLUGIN_REVISION)
+REV=$(expr ${REV} \+ 1)
+
+grep -v ^PLUGIN_REVISION ${DIR}/Makefile > ${DIR}/Makefile.tmp
+sed -e "s/^\(PLUGIN_VERSION.*\)/\1\nPLUGIN_REVISION=	${REV}/g" ${DIR}/Makefile.tmp > ${DIR}/Makefile
+rm -f ${DIR}/Makefile.tmp

From df1e33afa6f4f4659ca4d644cadb91acb8c27547 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Feb 2021 09:55:38 +0100
Subject: [PATCH 0406/3088] Framework: mute script invoke

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 56ff42e2d8..01a35264c1 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -328,7 +328,7 @@ sweep: check
 	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile
 
 revision:
-	${SCRIPTSDIR}/revbump.sh ${.CURDIR}
+	@${SCRIPTSDIR}/revbump.sh ${.CURDIR}
 
 STYLEDIRS?=	src/etc/inc src/opnsense
 

From 3e02a4c67c78c85b7583947841cee04583df6496 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Feb 2021 10:10:07 +0100
Subject: [PATCH 0407/3088] Framework: tedious work on FreeBSD...

---
 Scripts/revbump.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Scripts/revbump.sh b/Scripts/revbump.sh
index 135168df57..120b0fce41 100755
--- a/Scripts/revbump.sh
+++ b/Scripts/revbump.sh
@@ -12,5 +12,6 @@ REV=$(make -C ${DIR} -V PLUGIN_REVISION)
 REV=$(expr ${REV} \+ 1)
 
 grep -v ^PLUGIN_REVISION ${DIR}/Makefile > ${DIR}/Makefile.tmp
-sed -e "s/^\(PLUGIN_VERSION.*\)/\1\nPLUGIN_REVISION=	${REV}/g" ${DIR}/Makefile.tmp > ${DIR}/Makefile
+sed -e "s/^\(PLUGIN_VERSION.*\)/\1%PLUGIN_REVISION=	${REV}/g" \
+    ${DIR}/Makefile.tmp | tr '%' '\n' > ${DIR}/Makefile
 rm -f ${DIR}/Makefile.tmp

From 96ffd1ec9071fce339e829fc5fa3b2dd2aaf8a9a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Feb 2021 10:32:44 +0100
Subject: [PATCH 0408/3088] misc/theme-rebellion: revision bump

---
 misc/theme-rebellion/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index d64b12ab93..97bd1578d4 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-rebellion
 PLUGIN_VERSION=		1.8.6
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 

From 2782d51eae2cd5829c1cea65c35308e9f070d144 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Feb 2021 10:35:27 +0100
Subject: [PATCH 0409/3088] www: revision bump

---
 www/c-icap/Makefile            | 1 +
 www/cache/Makefile             | 1 +
 www/nginx/Makefile             | 2 +-
 www/web-proxy-sso/Makefile     | 2 +-
 www/web-proxy-useracl/Makefile | 2 +-
 5 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index ae60824d71..4d7407750a 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		c-icap
 PLUGIN_VERSION=		1.7
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/www/cache/Makefile b/www/cache/Makefile
index 65dbb3d28b..4cb74de418 100644
--- a/www/cache/Makefile
+++ b/www/cache/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		cache
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Webserver cache
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-opcache
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 94215b98eb..c9df402b35 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.20
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/web-proxy-sso/Makefile b/www/web-proxy-sso/Makefile
index dabf634498..7eb73383aa 100644
--- a/www/web-proxy-sso/Makefile
+++ b/www/web-proxy-sso/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		web-proxy-sso
 PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Kerberos authentication module
 PLUGIN_DEPENDS=		msktutil cyrus-sasl-gssapi
 PLUGIN_MAINTAINER=	evbevz@gmail.com
diff --git a/www/web-proxy-useracl/Makefile b/www/web-proxy-useracl/Makefile
index e80e2166c9..a2374138c9 100644
--- a/www/web-proxy-useracl/Makefile
+++ b/www/web-proxy-useracl/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		web-proxy-useracl
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Group and user ACL for the web proxy
 PLUGIN_MAINTAINER=	kekek2@ya.ru
 PLUGIN_WWW=		https://smart-soft.ru

From eccb081fc41bdb3f42835347c4b95788c24df5d1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Feb 2021 10:36:25 +0100
Subject: [PATCH 0410/3088] vendor: revision bump

---
 vendor/sunnyvalley/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 58fc4cc315..6d082409e3 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Vendor repository for Sensei (Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
 PLUGIN_WWW=		https://www.sunnyvalley.io

From 360eb16b0f445aa4caaa2cb5f4972ee86d077370 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Feb 2021 10:38:02 +0100
Subject: [PATCH 0411/3088] sysutils: revision bump

---
 sysutils/api-backup/Makefile      |  1 +
 sysutils/apuled/Makefile          |  1 +
 sysutils/boot-delay/Makefile      |  1 +
 sysutils/dmidecode/Makefile       |  1 +
 sysutils/git-backup/Makefile      | 11 ++++++-----
 sysutils/hw-probe/Makefile        |  1 +
 sysutils/lcdproc-sdeclcd/Makefile |  1 +
 sysutils/mail-backup/Makefile     |  1 +
 sysutils/munin-node/Makefile      |  1 +
 sysutils/node_exporter/Makefile   |  1 +
 sysutils/nut/Makefile             |  1 +
 sysutils/smart/Makefile           |  2 +-
 sysutils/virtualbox/Makefile      |  1 +
 sysutils/vmware/Makefile          |  1 +
 sysutils/xen/Makefile             |  1 +
 15 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/sysutils/api-backup/Makefile b/sysutils/api-backup/Makefile
index 418499d5e0..d1a243984a 100644
--- a/sysutils/api-backup/Makefile
+++ b/sysutils/api-backup/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		api-backup
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Provide the functionality to download the config.xml
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
diff --git a/sysutils/apuled/Makefile b/sysutils/apuled/Makefile
index 4ecabf7214..7dc896fa79 100644
--- a/sysutils/apuled/Makefile
+++ b/sysutils/apuled/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		apuled
 PLUGIN_VERSION=		0.2
+PLUGIN_REVISION=	1
 PLUGIN_DEVEL=		yes
 PLUGIN_COMMENT=		PC Engine APU LED control
 PLUGIN_MAINTAINER=	julio@cloudfence.com.br
diff --git a/sysutils/boot-delay/Makefile b/sysutils/boot-delay/Makefile
index be3331711f..38582b59c0 100644
--- a/sysutils/boot-delay/Makefile
+++ b/sysutils/boot-delay/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		boot-delay
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Apply a persistent 10 second boot delay
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/sysutils/dmidecode/Makefile b/sysutils/dmidecode/Makefile
index 55c0cc39e7..428d1621a2 100644
--- a/sysutils/dmidecode/Makefile
+++ b/sysutils/dmidecode/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dmidecode
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Display hardware information on the dashboard
 PLUGIN_DEPENDS=		dmidecode
 PLUGIN_MAINTAINER=	evbevz@gmail.com
diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 2948e1fb12..da33116f5d 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,7 +1,8 @@
-PLUGIN_NAME=        git-backup
-PLUGIN_VERSION=     1.0
-PLUGIN_COMMENT=     Track config changes using git
-PLUGIN_DEPENDS=     git
-PLUGIN_MAINTAINER=  ad@opnsense.org
+PLUGIN_NAME=		git-backup
+PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
+PLUGIN_COMMENT=		Track config changes using git
+PLUGIN_DEPENDS=		git
+PLUGIN_MAINTAINER=	ad@opnsense.org
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/hw-probe/Makefile b/sysutils/hw-probe/Makefile
index eaf0ab3b23..34b17c90bb 100644
--- a/sysutils/hw-probe/Makefile
+++ b/sysutils/hw-probe/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		hw-probe
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Collect hardware diagnostics
 PLUGIN_DEPENDS=		hw-probe
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/lcdproc-sdeclcd/Makefile b/sysutils/lcdproc-sdeclcd/Makefile
index 94a4eabe55..a709853da7 100644
--- a/sysutils/lcdproc-sdeclcd/Makefile
+++ b/sysutils/lcdproc-sdeclcd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		lcdproc-sdeclcd
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		LCDProc for SDEC LCD devices
 PLUGIN_DEPENDS=		lcdproc
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/sysutils/mail-backup/Makefile b/sysutils/mail-backup/Makefile
index 27fa1a4fa4..fc3e7b560e 100644
--- a/sysutils/mail-backup/Makefile
+++ b/sysutils/mail-backup/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		mail-backup
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Send configuration file backup by e-mail
 PLUGIN_DEPENDS=		gnupg phpmailer
 PLUGIN_MAINTAINER=	machadovilaca@gmail.com
diff --git a/sysutils/munin-node/Makefile b/sysutils/munin-node/Makefile
index 4540d03cc2..9012e10407 100644
--- a/sysutils/munin-node/Makefile
+++ b/sysutils/munin-node/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		munin-node
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Munin monitorin agent
 PLUGIN_DEPENDS=		munin-node
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/node_exporter/Makefile b/sysutils/node_exporter/Makefile
index a6cc24adbb..0252194203 100644
--- a/sysutils/node_exporter/Makefile
+++ b/sysutils/node_exporter/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		node_exporter
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Prometheus exporter for machine metrics
 PLUGIN_DEPENDS=		node_exporter
 PLUGIN_MAINTAINER=	dharrigan@gmail.com
diff --git a/sysutils/nut/Makefile b/sysutils/nut/Makefile
index 2262b7e182..52fe1c9c98 100644
--- a/sysutils/nut/Makefile
+++ b/sysutils/nut/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nut
 PLUGIN_VERSION=		1.7
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Network UPS Tools
 PLUGIN_DEPENDS=		nut
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 1f10056065..a02589a0be 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/virtualbox/Makefile b/sysutils/virtualbox/Makefile
index 54bfb253e4..19a947dbc8 100644
--- a/sysutils/virtualbox/Makefile
+++ b/sysutils/virtualbox/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		virtualbox
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		VirtualBox guest additions
 PLUGIN_DEPENDS=		virtualbox-ose-additions-nox11
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/vmware/Makefile b/sysutils/vmware/Makefile
index cc2eda97b0..307d0f9bf7 100644
--- a/sysutils/vmware/Makefile
+++ b/sysutils/vmware/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		vmware
 PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		VMware tools
 PLUGIN_DEPENDS=		open-vm-tools-nox11
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/xen/Makefile b/sysutils/xen/Makefile
index 8d73803559..a807b5b1c3 100644
--- a/sysutils/xen/Makefile
+++ b/sysutils/xen/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		xen
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Xen guest utilities
 PLUGIN_DEPENDS=		xe-guest-utilities
 PLUGIN_MAINTAINER=	franco@opnsense.org

From ff935d691d2f3b194d9082b192d5c6fc2ffee205 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Feb 2021 10:39:22 +0100
Subject: [PATCH 0412/3088] benchmarks|databases|devel: revision bump

---
 benchmarks/iperf/Makefile   | 1 +
 databases/redis/Makefile    | 1 +
 devel/debug/Makefile        | 1 +
 devel/grid_example/Makefile | 1 +
 devel/helloworld/Makefile   | 1 +
 5 files changed, 5 insertions(+)

diff --git a/benchmarks/iperf/Makefile b/benchmarks/iperf/Makefile
index e32555da33..4c72430699 100644
--- a/benchmarks/iperf/Makefile
+++ b/benchmarks/iperf/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		iperf
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Connection speed tester
 PLUGIN_DEPENDS=		iperf3 ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/databases/redis/Makefile b/databases/redis/Makefile
index 35faf0478c..c633518201 100644
--- a/databases/redis/Makefile
+++ b/databases/redis/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		redis
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Redis DB
 PLUGIN_DEPENDS=		redis
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 1f821dd593..13fe7f3d9b 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		debug
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
diff --git a/devel/grid_example/Makefile b/devel/grid_example/Makefile
index dfc4cf776d..3b7bda5db9 100644
--- a/devel/grid_example/Makefile
+++ b/devel/grid_example/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		grid_example
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		A sample framework application
 PLUGIN_MAINTAINER=	ad@opnsense.org
 
diff --git a/devel/helloworld/Makefile b/devel/helloworld/Makefile
index de639c35d5..bf22cc416b 100644
--- a/devel/helloworld/Makefile
+++ b/devel/helloworld/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		helloworld
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		A sample framework application
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From b6bbd6a32e60e55f6cddb62598853645ee644922 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 15 Feb 2021 21:57:56 +0100
Subject: [PATCH 0413/3088] security/acme-client: fix OCSP setting not honored,
 closes #2234

---
 security/acme-client/pkg-descr                  |   1 +
 .../OPNsense/AcmeClient/LeCertificate.php       |   1 +
 .../OPNsense/AcmeClient/.AcmeClient.xml.swp     | Bin 0 -> 16384 bytes
 3 files changed, 2 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/.AcmeClient.xml.swp

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 2d89753b0a..213eb1121d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -17,6 +17,7 @@ Fixed:
 * fix missing "--ecc" parameter when renewing ECC certs (#2223)
 * fix log file location (#2227)
 * fix GUI log formatting (by using the syslog log)
+* fix OCSP setting not honored (#2234)
 
 Changed:
 * let acme.sh log through syslog
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 8e0be409ee..6855acb3b1 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -656,6 +656,7 @@ public function setValidation()
             $val->setNames($this->config->name, $this->config->altNames, $this->config->aliasmode, $this->config->domainalias, $this->config->challengealias);
             $val->setRenewal((int)$this->config->renewInterval);
             $val->setForce($this->force);
+            $val->setOcsp((string)$this->config->ocsp == 1 ? true : false);
             // strip prefix from key value
             $val->setKey(substr($this->config->keyLength, 4));
             $val->prepare();
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/.AcmeClient.xml.swp b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/.AcmeClient.xml.swp
new file mode 100644
index 0000000000000000000000000000000000000000..cb9344443839d7d3a58e6d925c166511fd93baf8
GIT binary patch
literal 16384
zcmeI3Uu+yl9mgk>HYu%B6hK1aWs)?FP2yeKu_ISZH*rj&B#N8JP9p`Man`$Y=Oz2+
zx;yJXO#@PqkZ6hu4^)*<A5Z}aq$;JYkSb{V1S(P?4}GINfQnGzkx*!$EqrHp*7tAk
zd}ldor0&We@7?@nXXp24{`}VKg`smNrs%jfOmKXfkiWm(cVS`M<6GYNEFtA(S-Ae;
zFLYP)>*Zy=;t0JQn%uwW=t0$wIDYi18&@1Z(j#ugp(9px)AIPB<vQFKdK6l<n%<J7
zo7JlB1vYmh{q&g!(-tOh!DL#$_EB5$-1U23)F>?Qaj`%jIWRIjB(>eWYbX88j)y)j
ziWhno7AP!GSfH>#VS&N|g#`)=6c#8f01JrfcJd9JKcTE~UY)lzo&TqfEMxdell(&^
zKdH*EHpxFw@-wRZMw9$~B|oOhPpA%L{rInvA6D`wo8<pd@^ealtx0}E$!C;&k5V{m
z|GlRBuQbX3t>kCb^{+O`|J5Ylaa&q3YyaJ*`<I*K|5Wm$s{NOn<kyw_kdlAcBv-}7
zsjxs{fx-fX1qurk7AP!GSfH>#VS&N|g#`)=<XXVA3Ar1RCuE|EzyD|X|9kfkat*uy
zV&H&tU_aOj{<NKt-+~{2C2$&yf-T^0eT2LLz6&mZ0k9SP4mbK4cmhP=Uhu(PguD%Y
z0iFaEa2(tL-ux6HFM_ARA~*#4z#r~JId}?iV1Vu5t!;$71fBvWVBmA$`c^_-0Y3(h
zgX7@y;GH|rPw*m`0|&u9;2*aW@-p}#_$HVDcY(J)Nyx9jv*0Ay4c<o{{zvdExB@(|
z54?-#1HT480p9_mpbz{NcK!{J_P!!*UU$&CgDslXFj!eVVp<ouZ%^|w6{}VLz^*Cz
z=EF31P2mLoF^9YME`!uvNSUrKo#EjU4{>FqT-IgN{NdOMxotei^tI0o%_P;l*cDFI
z<+9q^=hkZHOxLlK4o&eWGArCjI>>E$eBzAMf<{SSs2>Pg4r1TdnBIC(Yr}e?ZEOFN
z&f#?tsbG{ZPO8{WRCUc&!#6$7^z2*9ePmsEFh_7NGE}=-dS-fBN|Gu$zgQH+p~a2t
zWfV;*ot>GkD&)4n+G@dal+VIqCi892Q88i3z_~S|!c6+I$x)Fuy7^I|+SStY&5nw;
zT6BtviOjbfhziUpx57j*F?nj!<H5Zd!Qe)S1o!5LL0;!O$AI)?&jE147rYWCb9n1~
z+U;^-^RkH*!x+L`t3Ec&dD-k$cQe(|BSGMDv(0)I@<^DWIO}*kh()LFo$t7sO_?i>
z7kgNEVs4Bd934VG8_F6wD`$E(<@mKrhGqTwg4X((+6QIZ*_VcDtWg`Ke_|0H=C9}0
zqUpNaukbTLxLN8S92+|@)~os>qg@+d^uXA7TN5-W)QttWzvP60@8NyW9QW&|t8z_C
z{Mu%yvq)5o8DZiz(+WLWYYl5N1Pu;?+mnM~|79E4zSwcPOx0aRXO(Z~n4VN4>Y}w1
z>)a=n#fH4PO{B=SY9p_0XtO%wC|joY&JU)Cs@SRVNm#R0?b_WsZwp(uZrOg%Lc5zh
ze?J`an746jVj{ilxT51eFsT-V4!m#ZwfBQ{rmI3CYvdhl-L_e_tF(D!g-#NQ-ETF&
z7A!;>e)YbNNDpfA*E-wFcIL}nLu$dHBB_gP!;D2R&3(RXx}74bZTw2JuMLOcHe-R+
z-9>e+<C4LBbHPP=Lz<mh3-Rtc)OHS2cj(+1Z0?1?l%v8|<rhh(pz>P07!yd4@aj9K
zr?}V~VS=*4)vBQBd-2jFwW{gGGVj5ZXN+h=8oHQ$O@$sZEMe$*Z^t8zON4}ZGLJNf
z%>VZx2c49;DDwa8@5`?v$A1Pq0;a%y;5u^qYv89K1}DK6z*Xe-SHK(?0k?yz$nC!e
zEHDnXfgd5K{}wn42EYyE^4|v$cmV7GzeFByfme~YKMgD}4*raM{oCL#$j@H`SHJ~u
zC-^yX^Si-2$j6@pkAZ#QP2}MkxDEUsx%czn2-po?hrZ8%$AAmYgHu4-;RxvAkTy+h
zDPyf=AT#_kgIt}OX0WU{Cqi{A@XJmmCwP+^tflK6=jfzr>pVTfU2X|#QY-L0)3<3k
z3_L0pIdz>#beEN<YIZR()<v!U)&4^}wJ-J~zDs+fQWoKl%765DbhdnK&I!F`GvosU
z{j;T+QZ#pIc>l=Q*yRDt(Jj$0J5YbLpQM>Gr5dG^sbSMJDau<PWwV%2%c43D1u@1w
zK3|Sq7dsZL9i;xQ9X?MknjyT7F-oBmOzYthf=xw0XU)M!=JwOsp~3s-sI>p=rOSsk
zeQ<tH`c--&5~19scyT1C&m9znbb({-!onI-JPe}CD5QJ!y*>CVClnTg*tO9zqCwqq
zfs19%eL9?U4fdzdTWO-@D$hJKx@aWcoh|95(%isoX}M(2mj(}OCH>OnJ((l>58daA
zFYQ#7?$u)l!$w}4-)wh5&e}Lix%(_%5#2i3GV^<q<K@D;ABlG@a|3R@$X5%$w#4u)
zHEQ9a4LH`~d8u%VrfESjVn3P@3m<jwT5A#8sQI=7mbI>66Eyan6<Xz?=R|Tlyq}Iz
z8(E%+Xg}8~8Xdwjo`D`#Nwt~{CF}F01DCN*ZQ3%mreBXH$)CSAXpYfa%N)I!q7qiS
zHpNWc-o}qT9y%6Xl8^m*kA)-@_HAw;K$Y$_54jfzK3_G(;)e9k-P?@~kJRt&y83IJ
zoJ+HnL&N?YZEWfQsZ+Fj>o_)^3F2SI=jC5V+t{az=YxrE+{Tu7_<lp3nVuC8Db71s
v7@5ZO%mmZr2a;DsmN9PGkRP4=vaFhZ$*sK3Q^TaKUbe;!)=@@nd^q@jF`dwM

literal 0
HcmV?d00001


From fcecc897a2e3ca821e9b91dfdadbb17b6d8f0159 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 15 Feb 2021 22:11:16 +0100
Subject: [PATCH 0414/3088] security/acme-client: add tooltips for certificate
 command buttons, closes #2188

---
 security/acme-client/pkg-descr                     |  1 +
 .../views/OPNsense/AcmeClient/certificates.volt    | 14 +++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 213eb1121d..f830046bf5 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Added:
 * add new page to show AcmeClient entries from system log
+* add tooltips for certificate command buttons (#2188)
 
 Fixed:
 * fix missing "--ecc" parameter when renewing ECC certs (#2223)
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index 2d172eb017..c30891a762 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -59,13 +59,13 @@ POSSIBILITY OF SUCH DAMAGE.
             url: '/api/acmeclient/certificates/search',
             formatters: {
                 "commands": function (column, row) {
-                    return "<button type=\"button\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-sign\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-repeat\"></span></button>" +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-automation\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-paper-plane\"></span></button>" +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-revoke\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-power-off\"></span></button>" +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-removekey\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-history\"></span></button>" +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
+                    return "<button type=\"button\" title=\"{{ lang._('edit certificate') }}\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
+                        "<button type=\"button\" title=\"{{ lang._('copy certificate') }}\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('issue or renew certificate') }}\" class=\"btn btn-xs btn-default command-sign\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-repeat\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('run automations') }}\" class=\"btn btn-xs btn-default command-automation\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-paper-plane\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('revoke certificate') }}\" class=\"btn btn-xs btn-default command-revoke\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-power-off\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('reset certificate') }}\" class=\"btn btn-xs btn-default command-removekey\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-history\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('remove certificate') }}\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
                 },
                 "rowtoggle": function (column, row) {
                     if (parseInt(row[column.id], 2) == 1) {

From 429eda9b1c2c21cfd47ee7b50ed286b2d393b071 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 15 Feb 2021 22:25:22 +0100
Subject: [PATCH 0415/3088] security/acme-client: remove temp file

---
 .../OPNsense/AcmeClient/.AcmeClient.xml.swp     | Bin 16384 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/.AcmeClient.xml.swp

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/.AcmeClient.xml.swp b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/.AcmeClient.xml.swp
deleted file mode 100644
index cb9344443839d7d3a58e6d925c166511fd93baf8..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 16384
zcmeI3Uu+yl9mgk>HYu%B6hK1aWs)?FP2yeKu_ISZH*rj&B#N8JP9p`Man`$Y=Oz2+
zx;yJXO#@PqkZ6hu4^)*<A5Z}aq$;JYkSb{V1S(P?4}GINfQnGzkx*!$EqrHp*7tAk
zd}ldor0&We@7?@nXXp24{`}VKg`smNrs%jfOmKXfkiWm(cVS`M<6GYNEFtA(S-Ae;
zFLYP)>*Zy=;t0JQn%uwW=t0$wIDYi18&@1Z(j#ugp(9px)AIPB<vQFKdK6l<n%<J7
zo7JlB1vYmh{q&g!(-tOh!DL#$_EB5$-1U23)F>?Qaj`%jIWRIjB(>eWYbX88j)y)j
ziWhno7AP!GSfH>#VS&N|g#`)=6c#8f01JrfcJd9JKcTE~UY)lzo&TqfEMxdell(&^
zKdH*EHpxFw@-wRZMw9$~B|oOhPpA%L{rInvA6D`wo8<pd@^ealtx0}E$!C;&k5V{m
z|GlRBuQbX3t>kCb^{+O`|J5Ylaa&q3YyaJ*`<I*K|5Wm$s{NOn<kyw_kdlAcBv-}7
zsjxs{fx-fX1qurk7AP!GSfH>#VS&N|g#`)=<XXVA3Ar1RCuE|EzyD|X|9kfkat*uy
zV&H&tU_aOj{<NKt-+~{2C2$&yf-T^0eT2LLz6&mZ0k9SP4mbK4cmhP=Uhu(PguD%Y
z0iFaEa2(tL-ux6HFM_ARA~*#4z#r~JId}?iV1Vu5t!;$71fBvWVBmA$`c^_-0Y3(h
zgX7@y;GH|rPw*m`0|&u9;2*aW@-p}#_$HVDcY(J)Nyx9jv*0Ay4c<o{{zvdExB@(|
z54?-#1HT480p9_mpbz{NcK!{J_P!!*UU$&CgDslXFj!eVVp<ouZ%^|w6{}VLz^*Cz
z=EF31P2mLoF^9YME`!uvNSUrKo#EjU4{>FqT-IgN{NdOMxotei^tI0o%_P;l*cDFI
z<+9q^=hkZHOxLlK4o&eWGArCjI>>E$eBzAMf<{SSs2>Pg4r1TdnBIC(Yr}e?ZEOFN
z&f#?tsbG{ZPO8{WRCUc&!#6$7^z2*9ePmsEFh_7NGE}=-dS-fBN|Gu$zgQH+p~a2t
zWfV;*ot>GkD&)4n+G@dal+VIqCi892Q88i3z_~S|!c6+I$x)Fuy7^I|+SStY&5nw;
zT6BtviOjbfhziUpx57j*F?nj!<H5Zd!Qe)S1o!5LL0;!O$AI)?&jE147rYWCb9n1~
z+U;^-^RkH*!x+L`t3Ec&dD-k$cQe(|BSGMDv(0)I@<^DWIO}*kh()LFo$t7sO_?i>
z7kgNEVs4Bd934VG8_F6wD`$E(<@mKrhGqTwg4X((+6QIZ*_VcDtWg`Ke_|0H=C9}0
zqUpNaukbTLxLN8S92+|@)~os>qg@+d^uXA7TN5-W)QttWzvP60@8NyW9QW&|t8z_C
z{Mu%yvq)5o8DZiz(+WLWYYl5N1Pu;?+mnM~|79E4zSwcPOx0aRXO(Z~n4VN4>Y}w1
z>)a=n#fH4PO{B=SY9p_0XtO%wC|joY&JU)Cs@SRVNm#R0?b_WsZwp(uZrOg%Lc5zh
ze?J`an746jVj{ilxT51eFsT-V4!m#ZwfBQ{rmI3CYvdhl-L_e_tF(D!g-#NQ-ETF&
z7A!;>e)YbNNDpfA*E-wFcIL}nLu$dHBB_gP!;D2R&3(RXx}74bZTw2JuMLOcHe-R+
z-9>e+<C4LBbHPP=Lz<mh3-Rtc)OHS2cj(+1Z0?1?l%v8|<rhh(pz>P07!yd4@aj9K
zr?}V~VS=*4)vBQBd-2jFwW{gGGVj5ZXN+h=8oHQ$O@$sZEMe$*Z^t8zON4}ZGLJNf
z%>VZx2c49;DDwa8@5`?v$A1Pq0;a%y;5u^qYv89K1}DK6z*Xe-SHK(?0k?yz$nC!e
zEHDnXfgd5K{}wn42EYyE^4|v$cmV7GzeFByfme~YKMgD}4*raM{oCL#$j@H`SHJ~u
zC-^yX^Si-2$j6@pkAZ#QP2}MkxDEUsx%czn2-po?hrZ8%$AAmYgHu4-;RxvAkTy+h
zDPyf=AT#_kgIt}OX0WU{Cqi{A@XJmmCwP+^tflK6=jfzr>pVTfU2X|#QY-L0)3<3k
z3_L0pIdz>#beEN<YIZR()<v!U)&4^}wJ-J~zDs+fQWoKl%765DbhdnK&I!F`GvosU
z{j;T+QZ#pIc>l=Q*yRDt(Jj$0J5YbLpQM>Gr5dG^sbSMJDau<PWwV%2%c43D1u@1w
zK3|Sq7dsZL9i;xQ9X?MknjyT7F-oBmOzYthf=xw0XU)M!=JwOsp~3s-sI>p=rOSsk
zeQ<tH`c--&5~19scyT1C&m9znbb({-!onI-JPe}CD5QJ!y*>CVClnTg*tO9zqCwqq
zfs19%eL9?U4fdzdTWO-@D$hJKx@aWcoh|95(%isoX}M(2mj(}OCH>OnJ((l>58daA
zFYQ#7?$u)l!$w}4-)wh5&e}Lix%(_%5#2i3GV^<q<K@D;ABlG@a|3R@$X5%$w#4u)
zHEQ9a4LH`~d8u%VrfESjVn3P@3m<jwT5A#8sQI=7mbI>66Eyan6<Xz?=R|Tlyq}Iz
z8(E%+Xg}8~8Xdwjo`D`#Nwt~{CF}F01DCN*ZQ3%mreBXH$)CSAXpYfa%N)I!q7qiS
zHpNWc-o}qT9y%6Xl8^m*kA)-@_HAw;K$Y$_54jfzK3_G(;)e9k-P?@~kJRt&y83IJ
zoJ+HnL&N?YZEWfQsZ+Fj>o_)^3F2SI=jC5V+t{az=YxrE+{Tu7_<lp3nVuC8Db71s
v7@5ZO%mmZr2a;DsmN9PGkRP4=vaFhZ$*sK3Q^TaKUbe;!)=@@nd^q@jF`dwM


From fdf21c8f458da79de3a47c43ce15fa21f488314e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Feb 2021 15:17:29 +0100
Subject: [PATCH 0416/3088] plugins: style sweep

---
 .../src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc    |  8 ++++----
 .../OPNsense/Quagga/Api/DiagnosticsController.php     |  4 ++--
 .../app/library/OPNsense/AcmeClient/LeCertificate.php |  8 ++++----
 www/nginx/src/opnsense/scripts/nginx/setup.php        | 11 ++++++-----
 4 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index df3cb8ce1e..67c250a3a0 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -883,11 +883,11 @@ class updatedns
             case 'gratisdns':
                 $server = "https://admin.gratisdns.com/ddns.php";
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                if(substr_count($this->_dnsHost, ".") < 2) {
-                   $domain = $this->_dnsHost;
-                   $hostname = $this->_dnsHost;
+                if (substr_count($this->_dnsHost, ".") < 2) {
+                    $domain = $this->_dnsHost;
+                    $hostname = $this->_dnsHost;
                 } else {
-                   list($hostname, $domain) = explode(".", $this->_dnsHost, 2);
+                    list($hostname, $domain) = explode(".", $this->_dnsHost, 2);
                 }
                 curl_setopt($ch, CURLOPT_URL, $server . '?u=' . urlencode($this->_dnsUser) . '&p=' . $this->_dnsPass . '&h=' . $this->_dnsHost . '&d=' . $domain . '&i=' . $this->_dnsIP);
                 break;
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index 7426a5f53e..a92a3d8e05 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -44,7 +44,7 @@ class DiagnosticsController extends ApiControllerBase
     private function getInformation(string $daemon, string $name, string $format): array
     {
         $backend = new Backend();
-        $response = $backend->configdRun("quagga diagnostics ".$daemon."_".$name.($format === "json" ? "_json" : ""));
+        $response = $backend->configdRun("quagga diagnostics " . $daemon . "_" . $name . ($format === "json" ? "_json" : ""));
         return array("response" => ($format === "json" ? json_decode($response) : $response));
     }
 
@@ -60,7 +60,7 @@ public function generalrouteAction($format = "json"): array
         if ($format === "json") {
             return array("response" => array("ipv4" => $routes4, "ipv6" => $routes6));
         } else {
-            return array("response" => $routes4.$routes6);
+            return array("response" => $routes4 . $routes6);
         }
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 6855acb3b1..97b4d2364e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -344,11 +344,11 @@ public function issue()
 
         // Check if called by auto renewal process.
         if (($acme_action == 'renew') and ($this->cron == 1) and ($auto_renewal == 0)) {
-          LeUtils::log('auto renewal is globally disabled, skipping certificate: ' . (string)$this->config->name);
-          return false;
+            LeUtils::log('auto renewal is globally disabled, skipping certificate: ' . (string)$this->config->name);
+            return false;
         } elseif (($acme_action == 'renew') and ($this->cron == 1) and ((string)$this->config->autoRenewal == 0)) {
-          LeUtils::log('auto renewal is disabled for certificate: ' . (string)$this->config->name);
-          return false;
+            LeUtils::log('auto renewal is disabled for certificate: ' . (string)$this->config->name);
+            return false;
         }
         LeUtils::log("${acme_action} certificate: " . (string)$this->config->name);
 
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 8623106bd8..d8452c804b 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -200,13 +200,14 @@ function find_ca($refid)
                 $cas = array();
                 $carefs = explode(",", $upstream['tls_trusted_certificate']);
                 foreach ($carefs as $caref) {
-                   $ca = find_ca($caref);
-                   if (isset($ca)) {
-                       $cas[] = base64_decode($ca['crt']);
-                   }
+                    $ca = find_ca($caref);
+                    if (isset($ca)) {
+                        $cas[] = base64_decode($ca['crt']);
+                    }
                 }
                 export_pem_file(
-                    '/usr/local/etc/nginx/key/trust_upstream_' . $upstream_uuid . '.pem','',
+                    '/usr/local/etc/nginx/key/trust_upstream_' . $upstream_uuid . '.pem',
+                    '',
                     implode("\n", $cas)
                 );
             }

From 41147352172bcf3da69ffc291277fe7be6b94a1b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Feb 2021 15:21:09 +0100
Subject: [PATCH 0417/3088] dns/dyndns: bump revision

---
 dns/dyndns/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 71ce6cee70..451840d028 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.23
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 1cb7f4640b8e13e38a882db62bdedf13ab43d269 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Feb 2021 15:22:23 +0100
Subject: [PATCH 0418/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index e045225ed3..7079730ae9 100644
--- a/LICENSE
+++ b/LICENSE
@@ -24,7 +24,7 @@ Copyright (c) 2020 Marc Leuser
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2017-2020 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
-Copyright (c) 2010-2012 Seth Mos <seth.mos@dds.nl>
+Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2019 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz

From 70afeb30954aafa2c0c5600fa24cdde074a217d4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Feb 2021 15:24:32 +0100
Subject: [PATCH 0419/3088] dns: bump revision

---
 dns/bind/Makefile           | 1 +
 dns/dnscrypt-proxy/Makefile | 2 +-
 dns/rfc2136/Makefile        | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 96f13f860c..e16959f8e3 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.16
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index e120fa9126..54b2cc4b25 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISIOM=	1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index 39ebb08552..c186e4856d 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.6
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools

From c1f19dc659e1a6a5cbc454c6025ef9ce9a34808e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Feb 2021 15:29:12 +0100
Subject: [PATCH 0420/3088] security/tor: bump revision

---
 security/tor/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tor/Makefile b/security/tor/Makefile
index 32b6d40eb2..e13b2366cd 100644
--- a/security/tor/Makefile
+++ b/security/tor/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tor
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		The Onion Router
 PLUGIN_DEPENDS=		tor ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 33b855d5f51348e2c8ff63e9f7265ce7de05f096 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Feb 2021 15:31:45 +0100
Subject: [PATCH 0421/3088] net/frr: bump revision

---
 net/frr/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 880012ffc5..9172a4a4ab 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From bd5817d5926ab94cab2c3a7f875538fbdc9b7122 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 16 Feb 2021 17:28:25 +0100
Subject: [PATCH 0422/3088] get current state from local and remote

---
 .../OPNsense/HAProxy/lib/haproxy/cmds.py      |   8 +-
 .../scripts/OPNsense/HAProxy/socketCommand.py |   3 +-
 .../scripts/OPNsense/HAProxy/syncCerts.py     | 252 ++++++++++++++++++
 .../templates/OPNsense/HAProxy/sslCerts.yaml  |   2 +-
 4 files changed, 258 insertions(+), 7 deletions(-)
 create mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
index 3d13d42a82..81e8b3351a 100644
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
@@ -145,10 +145,10 @@ def getResultObj(self, res):
         for line in res.split("\n"):
             if line.startswith('# '):
                 list_id = line.split("# ")[1]
-                result[f"{list_id}"] = []
+                result["certs"] = []
 
             if list_id and line.startswith('/'):
-                result[f"{list_id}"].append(line)
+                result["certs"].append(line)
 
         if result:
            return result
@@ -186,10 +186,9 @@ def getResultObj(self, res):
 
                 if key == 'Filename':
                     cert_id = val
-                    result[f"{cert_id}"] = {}
 
                 if cert_id:
-                    result[f"{cert_id}"][key] = val
+                    result[key] = val
 
         if result:
             return result
@@ -261,6 +260,7 @@ def _getResult(self, res):
         for e in lines:
             me = re.match(cl, e)
             if me:
+                print(e)
                 result.append(e.split(",")[0])
         return result
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
index 11a084f856..fd9b438c0a 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
@@ -51,7 +51,7 @@ def get_args():
     )
     parser.add_argument(
         '--server-ids',
-        help='Attempt action on a list of server, specified as a comma seperated list e.g. back1/server1,back2/server3',
+        help='Attempt action on a list of server, specified as a comma separated list e.g. back1/server1,back2/server3',
         default=None
     )
     parser.add_argument(
@@ -142,7 +142,6 @@ def get_args():
                 if result:
                     print(f"{server_id}: {result.strip()}")
                 con.close()
-
     else:
         # single
         con = HaPConn(SOCKET)
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
new file mode 100755
index 0000000000..7b3d09bbc2
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -0,0 +1,252 @@
+#!/usr/bin/env python3
+# Sync ssl certificates from a yaml file into haproxy memory
+import os
+import sys
+import argparse
+import traceback
+import yaml
+import ssl
+from io import StringIO
+import base64
+import OpenSSL
+
+
+sys.path.append(os.path.join(os.path.dirname(__file__), 'lib'))
+from haproxy.conn import HaPConn
+from haproxy import cmds
+
+
+class Diff:
+    def __init__(self, local=None, remote=None):
+        if local is None:
+            local = []
+        if remote is None:
+            remote = []
+
+        self.local = local
+        self.remote = remote
+        self.state = str(self)
+
+    def show_state(self):
+        """ Shows current local and remote state """
+        print("## STATE ##")
+        print(str(self))
+
+    def show_diff(self):
+        """ Shows what will be synced to target """
+        print("## DIFF ##")
+        print("TODO: Show the diff")
+
+    def sync(self):
+        print("## SYNC ##")
+        print("TODO: Sync to target")
+
+    def __iter__(self):
+        return iter(self.local)
+
+    def __str__(self):
+        result = ""
+        for item in self:
+            result += f"{str(item)}\n"
+        return result
+
+
+class SyncWithTarget:
+    """ Base class for sync objects to a target """
+    def __init__(self, socket='/var/run/haproxy.socket'):
+        self.socket = socket
+
+    def execute_remote_cmd(self, command_class, **command_args):
+        con = HaPConn(self.socket)
+        if con:
+            result = con.sendCmd(command_class(**command_args), objectify=True)
+            con.close()
+            return result
+
+    def get_remote_state(self, command_class, **command_args):
+        return self.execute_remote_cmd(command_class, **command_args)
+
+
+class CertList(SyncWithTarget):
+    """ Represents a haproxy ssl-crt-list """
+    def __init__(self, path, certs=None):
+        super().__init__()
+        if certs is None:
+            certs = []
+        self.path = path
+        self.certs = certs
+        self.local = self.get_local_state()
+        self.remote = self.get_remote_state(cmds.showSslCrtList, crt_list=self.path)
+
+    def __iter__(self):
+        return iter(self.local)
+
+    def __str__(self):
+        result = f"CRT LIST: {self.path}\n"
+        result += f"  LOCAL:  {self.local}\n"
+        result += f"  REMOTE: {self.remote}\n"
+        for cert in self.certs:
+            result += f"\n{str(cert)}\n"
+        return result
+
+    def get_local_state(self):
+        return [f"{repr(cert)}" for cert in self.certs]
+
+    def get_remote_state(self, command_class, **command_args):
+        crt_list_data = super().get_remote_state(command_class, **command_args)
+        return crt_list_data.get('certs', {})
+
+
+class Cert(SyncWithTarget):
+    """ Represents a haproxy ssl-cert  """
+    def __init__(self, path, pem):
+        super().__init__()
+        self.path = path
+        self.pem = pem
+        self.local = self.get_local_state()
+        self.remote = self.get_remote_state(cmds.showSslCert, certfile=self.path)
+
+    def __repr__(self):
+        return self.path
+
+    def __str__(self):
+        result = f"    CERT: {self.path}"
+        result += f"\n      LOCAL:  {self.local}"
+        result += f"\n      REMOTE: {self.remote}"
+        return result
+
+    def get_cert_data(self, dump=False, encoding='utf-8'):
+        result = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, self.pem)
+        if dump:
+            result = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_TEXT, result).decode(encoding)
+        return result
+
+    def glue(self, components):
+        return "".join("/{0:s}={1:s}".format(name.decode(), value.decode()) for name, value in components)
+
+    def get_local_state(self):
+        cert_obj = self.get_cert_data()
+        return {
+            "Serial": '%.2x' % cert_obj.get_serial_number(),
+            "Subject": self.glue(cert_obj.get_subject().get_components()),
+            "Issuer": self.glue(cert_obj.get_issuer().get_components())
+        }
+
+    def get_remote_state(self, command_class, **command_args):
+        cert_data = super().get_remote_state(command_class, **command_args)
+        if 'error' in cert_data:
+            return {}
+        return {
+            "Serial": cert_data['Serial'],
+            "Subject": cert_data['Subject'],
+            "Issuer": cert_data['Issuer']
+        }
+
+def dict_from_yaml(path):
+    with open(path, 'r') as yaml_file:
+        data = yaml.load(yaml_file, Loader=yaml.SafeLoader)
+    return data
+
+
+def skip_frontend(frontend_id, frontend):
+    filter_frontend_names = list(filter(None, args.frontends.split(",")))
+    filter_frontend_ids = list(filter(None, args.frontend_ids.split(",")))
+
+    skip_id = False
+    if filter_frontend_names and frontend['name'] not in filter_frontend_names:
+        skip_id = True
+
+    skip_name = False
+    if filter_frontend_ids and frontend_id not in filter_frontend_ids:
+        skip_name = True
+
+    return skip_id and skip_name
+
+
+def get_cert_data(cert, dump=False, encoding='utf-8'):
+    if os.path.isfile(cert):
+        cert = open(cert).read()
+
+    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
+    if dump:
+        cert = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_TEXT, cert).decode(encoding)
+
+    return cert
+
+
+def base64_decode(base64_str, encoding='utf-8'):
+    if base64_str:
+        base64_bytes = base64_str.encode(encoding)
+        message_bytes = base64.b64decode(base64_bytes)
+        message = message_bytes.decode(encoding)
+        return message
+    return ''
+
+def get_args():
+    # noinspection PyTypeChecker
+    parser = argparse.ArgumentParser(
+        description="""
+        Sync ssl certificates into HAProxy’s memory with certificates read from a configfile. If no frontend filter is
+        given, all certificates will be synced.""",
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter
+    )
+    parser.add_argument(
+        '--config',
+        help='Path to the ssl certificate information configfile.',
+        default="/usr/local/etc/haproxy/sslCerts.yaml"
+    )
+    parser.add_argument(
+        '--frontends',
+        help='Attempt action on a list of frontend names, specified as a comma separated list.',
+        default=""
+    )
+    parser.add_argument(
+        '--frontend_ids',
+        help='Attempt action on a list of frontend ids, specified as a comma separated list.',
+        default=""
+    )
+    parser.add_argument(
+        '--output',
+        help='Specify output format.',
+        choices=['json', 'raw'],
+        default="raw"
+    )
+    parser.add_argument(
+        '--debug',
+        type=bool,
+        help='Show debug output.',
+        default=False
+    )
+    return parser.parse_args()
+
+
+args = get_args()
+config = dict_from_yaml(args.config)
+
+""" Get ssl crt-list with certificates from configfile"""
+crt_lists = []
+for frontend_id, frontend in config['frontends'].items():
+    if skip_frontend(id, frontend_id):
+        continue
+
+    certs = []
+    for cert_id, cert_data in frontend['certs'].items():
+        crt = base64_decode(cert_data['crt'])
+        key = base64_decode(cert_data['key'])
+        ca = base64_decode(cert_data['ca'])
+        full_cert = crt + key + ca
+
+        certs.append(Cert(path=cert_data['path'], pem=full_cert))
+
+    crt_lists.append(CertList(path=frontend['crt_list_path'], certs=certs))
+
+""" Sync ssl certs from configfile to HaProxy """
+diff = Diff(local=crt_lists)
+diff.show_state()
+diff.show_diff()
+diff.sync()
+
+
+#print(crt_lists)
+#print(diff)
+#diff.sync()
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
index 0b98ab5e15..56fed45739 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
@@ -47,7 +47,7 @@ frontends:
 {%  for frontend in enabled_frontends %}
   "{{ frontend.id }}":
     name: {{ frontend.name }}
-    crt_list_path: {{ cert_template % frontend.id }}
+    crt_list_path: {{ crt_list_template % frontend.id }}
     certs:
 {%    for cert_refid in frontend.certs %}
       {{ cert_refid }}:

From c9e718f6c82b302f1d29cf38bc2c135fc7d3f555 Mon Sep 17 00:00:00 2001
From: jkellerer <jkellerer@users.noreply.github.com>
Date: Sun, 21 Feb 2021 23:05:42 +0100
Subject: [PATCH 0423/3088] Nginx: Refactored "ngx_autoblock" to reduce cpu
 consumption (#1773)

* Nginx/Autoblock: Refactored "ngx_autoblock.php" to reduce resource & cpu consumption.

Also fixed issues:
- $is_ten_minutes triggered always except every 10 minutes.
- IPs are not just added but also removed (fixes race conditions between UI and script-invocation).

* Nginx/Autoblock: Fixed errors caused by concurrent invocation.

Improved resilience against calling the script while another instance is still running.
---
 .../opnsense/scripts/nginx/ngx_autoblock.php  | 312 +++++++++++++-----
 1 file changed, 238 insertions(+), 74 deletions(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
index 0cd6074992..4c7b712da9 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
@@ -42,6 +42,7 @@ function nginx_print_error($msg)
         array('status' => 'error', 'message' => $msg)
     );
 }
+
 function exec_hidden($command): void
 {
     $descriptorspec = array(
@@ -55,110 +56,273 @@ function exec_hidden($command): void
         proc_close($process);
     }
 }
-function add_to_blocklist($tablename, $ip)
+
+function modify_blocklist($tablename, array $allIps, $operation = "add"): void
 {
-    $escaped = escapeshellarg($ip);
-    exec_hidden("/sbin/pfctl -t ${tablename} -T add ${escaped}");
+    if (empty($allIps) || !in_array($operation, ["add", "delete"]))
+        return;
+
+    $tablename = escapeshellarg($tablename);
+    $operation = escapeshellarg($operation);
+
+    $longestIp = array_reduce($allIps, function ($length, $ip) {
+        return max($length, strlen(escapeshellarg($ip)));
+    }, 0);
+
+    $chunkSize = floor(4096 / ($longestIp + 1));
+    $chunkSize = min(128, max(4, $chunkSize));
+
+    foreach (array_chunk($allIps, $chunkSize) as $ips) {
+        $escapedIps = join(" ", array_map("escapeshellarg", $ips));
+
+        exec_hidden("/sbin/pfctl -t ${tablename} -T ${operation} ${escapedIps}");
+    }
 }
 
+function read_all_from_blocklist($tablename)
+{
+    $tablename = escapeshellarg($tablename);
+
+    $descriptorspec = [
+        1 => ['pipe', 'w'],
+        2 => ['file', "/dev/null", "w"],
+    ];
+
+    $process = proc_open("/sbin/pfctl -t ${tablename} -T show", $descriptorspec, $pipes);
+    if (is_resource($process)) {
+        $ips = [];
+        while ($ip = fgets($pipes[1], 96))
+            $ips[] = strtolower(trim($ip));
+
+        fclose($pipes[1]);
+        proc_close($process);
+
+        return $ips;
+    } else {
+        return false;
+    }
+}
+
+function get_files_lastmodified(array $files): array
+{
+    // Maps [file => filemtime]
+    // File times of special files:
+    // - Non existing => random mtime
+    // - No content => -1
+    $times = [];
+    foreach ($files as $file) {
+        $mtime = @filemtime($file) ?: rand();
+        $times[$file] = @filesize($file) === 0 ? -1 : $mtime;
+    }
+    return $times;
+}
 
 function reopen_logs()
 {
     exec_hidden('/usr/local/sbin/nginx -s reopen');
 }
 
-$permanent_ban_file = '/var/log/nginx/permanentban.access.log';
-$permanent_ban_file_work = $permanent_ban_file . '.work';
-$autoblock_alias_name = 'nginx_autoblock';
-define('CRON_RUN_TEN_MINUTES', 10);
-$is_ten_minutes = intval(date('i')) % CRON_RUN_TEN_MINUTES != 0;
+const STATE_FILE = '/tmp/ngx_autoblock.state.json';
+const CONFIG_FILE = '/conf/config.xml';
 
+const PERMANENT_BAN_FILE = '/var/log/nginx/permanentban.access.log';
+const PERMANENT_BAN_FILE_WORK = PERMANENT_BAN_FILE . '.work';
+
+const TLS_HANDSHAKE_FILE = '/var/log/nginx/tls_handshake.log';
+const TLS_HANDSHAKE_FILE_WORK = TLS_HANDSHAKE_FILE . '.work';
+const TLS_HANDSHAKE_PROCESSING_TASK = '/usr/local/opnsense/scripts/nginx/tls_ua_fingerprint.php';
+
+const AUTOBLOCK_ALIAS_NAME = 'nginx_autoblock';
+
+const CRON_RUN_TEN_MINUTES = 10;
+$is_ten_minutes = intval(date('i')) % CRON_RUN_TEN_MINUTES == 0;
+
+// Move log files and inform Nginx that we deleted them
+function create_work_files($include_tls_handshake)
+{
+    $mapping = [PERMANENT_BAN_FILE => PERMANENT_BAN_FILE_WORK];
+    if ($include_tls_handshake) {
+        $mapping[TLS_HANDSHAKE_FILE] = TLS_HANDSHAKE_FILE_WORK;
+    }
+
+    $existing_sources = array_filter(array_keys($mapping), "file_exists");
+    $work_files = [];
+
+    if (count($existing_sources) == count($mapping)) {
+        foreach ($mapping as $source => $target) {
+            // Check if we already processing $target in another process and skip it if not stale
+            if (file_exists($target)) {
+                if (time() - (@filemtime($target) ?: 0) > (5 * 60))
+                    @unlink($target);
+                else
+                    continue;
+            }
+
+            // Try to create work and log on failure
+            if (@rename($source, $target)) {
+                @touch($target);
+                $work_files[] = $target;
+            } else {
+                log_error("Failed renaming '$source' to '$target'. Skipping source for next run.");
+            }
+        }
+    } else {
+        //Concurrent invocation. Can be silently ignored since no work files are collected.
+        //log_error("Skipping processing. Missing: " . join(", ", array_diff(array_keys($mapping), $existing_sources)));
+    }
 
-if (!file_exists($permanent_ban_file)) {
-    nginx_print_error('No Log exists - nothing to do');
-    // let create it
     reopen_logs();
-    exit(0);
-}
+    register_shutdown_function("cleanup_work_files", $work_files);
 
-// move the file, and inform nginx that we deleted the file
-rename($permanent_ban_file, $permanent_ban_file_work);
-if ($is_ten_minutes) {
-    rename('/var/log/nginx/tls_handshake.log', '/var/log/nginx/tls_handshake.log.work');
+    return $work_files;
 }
-reopen_logs();
-if ($is_ten_minutes) {
-    mwexec_bg('/usr/local/opnsense/scripts/nginx/tls_ua_fingerprint.php');
+
+function cleanup_work_files($work_files)
+{
+    foreach ($work_files as $file)
+        @unlink($file);
 }
 
-$log_parser = new AccessLogParser($permanent_ban_file_work);
+// Checking if our sources are modified and create work files as needed (do nothing if sources are unchanged)
+$work_files = (function () use ($is_ten_minutes) {
+    $sources = get_files_lastmodified([CONFIG_FILE, PERMANENT_BAN_FILE]);
 
-$log_lines = $log_parser->get_result();
+    $state = @json_decode(@file_get_contents(STATE_FILE), true);
+    $changed = empty($state)
+        || !isset($state["sources"])
+        || $state["sources"] != $sources;
 
-$model = new Alias();
+    if ($changed || $is_ten_minutes) {
+        // Rename sources to ".work" and tell nginx to reopen logs.
+        // Triggering TLS-handshake processor every 10 minutes.
+        $work_files = create_work_files($is_ten_minutes);
 
-$blacklist_element = null;
-foreach ($model->aliases->alias->iterateItems() as $alias) {
-    if ((string)$alias->name == $autoblock_alias_name) {
-        if ((string)$alias->type != 'external') {
-            nginx_print_error('alias is misconfigured - exiting');
-            exit(0);
-        } else {
-            $blacklist_element = $alias;
-            break;
+        // Store state
+        if (!empty($work_files)) {
+            if (!is_array($state))
+                $state = [];
+            $state["sources"] = get_files_lastmodified(array_keys($sources));
+            @file_put_contents(STATE_FILE, json_encode($state));
         }
+
+        return $work_files;
+    } else {
+        // Sources are not modified, nothing to do when not in "$is_ten_minutes".
+        exit(0);
     }
-}
+})();
 
-// does not exist yet, create it
-if ($blacklist_element == null) {
-    $blacklist_element = $model->aliases->alias->Add();
-    $blacklist_element->name = $autoblock_alias_name;
-    $blacklist_element->type = "external";
-    $model->serializeToConfig();
+// Triggering TLS-handshake processor when corresponding work file exists.
+if (in_array(TLS_HANDSHAKE_FILE_WORK, $work_files)) {
+    mwexec(TLS_HANDSHAKE_PROCESSING_TASK);
 }
 
-$model = new Nginx();
-$alias_ips = [];
-foreach ($model->ban->iterateItems() as $entry) {
-    $alias_ips[] = (string)$entry->ip;
+// Abort if permanent ban file is missing
+if (!in_array(PERMANENT_BAN_FILE_WORK, $work_files)) {
+    nginx_print_error('No Log exists - nothing to do');
+    exit(0);
 }
 
-$new_ips = array_unique(
-    array_map(function ($row) {
-        if (stripos($row->remote_ip, '.') !== false) {
-            return $row->remote_ip;
+// Verifing autoblock fw-alias and adding it if missing
+(function () {
+    $model = new Alias();
+
+    $blacklist_element = null;
+    foreach ($model->aliases->alias->iterateItems() as $alias) {
+        if ((string)$alias->name == AUTOBLOCK_ALIAS_NAME) {
+            if ((string)$alias->type != 'external') {
+                nginx_print_error('alias is misconfigured - exiting');
+                exit(0);
+            } else {
+                $blacklist_element = $alias;
+                break;
+            }
         }
-        // in case of IPv6, we have to use the network address instead
-        // danger of DoS because the attacker should have at least 2 ** 64 IPs
-        return Net_IPv6::getNetmask($row->remote_ip, 64) . '/64';
-    }, $log_lines)
-);
-
-$change_required = false;
-
-foreach (array_diff($new_ips, $alias_ips) as $new_ip) {
-    $entry = $model->ban->Add();
-    $entry->ip = $new_ip;
-    $entry->time = time();
-    $change_required = true;
-}
+    }
 
-if ($change_required) {
-    $val_result = $model->performValidation(false);
-    if (count($val_result) !== 0) {
-        print_r($val_result);
-        exit(1);
+    // does not exist yet, create it
+    if ($blacklist_element == null) {
+        $blacklist_element = $model->aliases->alias->Add();
+        $blacklist_element->name = AUTOBLOCK_ALIAS_NAME;
+        $blacklist_element->type = "external";
+        $model->serializeToConfig();
     }
+})();
+
+// Getting new banned IPs list
+$banned_ips = (function () {
+    // Reading stored banned IPs from config
+    $model = new Nginx();
+    $alias_ips = [];
+    foreach ($model->ban->iterateItems() as $entry) {
+        $alias_ips[] = (string)$entry->ip;
+    }
+
+    // Collecting all new IPs from ban file not yet in $alias_ips.
+    $new_ips = (function () use ($alias_ips) {
+        // Read IPs from the log file
+        $log_parser = new AccessLogParser(PERMANENT_BAN_FILE_WORK);
+        $log_lines = $log_parser->get_result();
+        $new_ips = array_unique(
+            array_map(function ($row) {
+                if (stripos($row->remote_ip, '.') !== false) {
+                    return $row->remote_ip;
+                }
+                // in case of IPv6, we have to use the network address instead
+                // danger of DoS because the attacker should have at least 2 ** 64 IPs
+                return Net_IPv6::getNetmask($row->remote_ip, 64) . '/64';
+            }, $log_lines)
+        );
+
+        // Return only IPs not yet in $alias_ips
+        return array_diff($new_ips, $alias_ips);
+    })();
+
+    // Transfering new IPs into $alias_ips and store them permanently.
+    $new_and_alias_ips = (function () use ($model, $new_ips, $alias_ips) {
+        $change_required = false;
+
+        foreach ($new_ips as $new_ip) {
+            $alias_ips[] = $new_ip;
+
+            $entry = $model->ban->Add();
+            $entry->ip = $new_ip;
+            $entry->time = time();
+            $change_required = true;
+        }
+
+        if ($change_required) {
+            $val_result = $model->performValidation(false);
+            if (count($val_result) !== 0) {
+                print_r($val_result);
+                exit(1);
+            }
+
+            $model->serializeToConfig();
+            Config::getInstance()->save();
+        }
+
+        return $alias_ips;
+    })();
+
+    // Returning banned IPs (= combination of (new_ips + alias_ips))
+    return $new_and_alias_ips;
+})();
 
-    $model->serializeToConfig();
-    Config::getInstance()->save();
-}
 echo '{"status":"saved"}';
 
-// all ips are used because the others may not be set for some reason
-foreach ($model->ban->iterateItems() as $entry) {
-    add_to_blocklist($autoblock_alias_name, (string)$entry->ip);
-}
+// Updating PF table with banned IPs
+(function () use ($banned_ips) {
+    $ips_to_add = $banned_ips;
+    $ips_to_remove = [];
+
+    // Checking which IPs are in the table and apply changes
+    $ips_in_table = read_all_from_blocklist(AUTOBLOCK_ALIAS_NAME);
+    if (!empty($ips_in_table)) {
+        $ips_to_add = array_diff($banned_ips, $ips_in_table);
+        $ips_to_remove = array_diff($ips_in_table, $banned_ips);
+    }
 
-@unlink($permanent_ban_file_work);
+    modify_blocklist(AUTOBLOCK_ALIAS_NAME, $ips_to_add, "add");
+    modify_blocklist(AUTOBLOCK_ALIAS_NAME, $ips_to_remove, "delete");
+})();

From 4b7238cbc22e8e4985282918a83d61cce502c5fb Mon Sep 17 00:00:00 2001
From: Fabian Franz <franz.fabian.94@gmail.com>
Date: Sun, 21 Feb 2021 23:21:56 +0100
Subject: [PATCH 0424/3088] www/nginx: add release note for nginx autoban
 feature

---
 www/nginx/Makefile  | 2 +-
 www/nginx/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index c9df402b35..4964118c00 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.20
+PLUGIN_VERSION=		1.21
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 7940a98286..f4dc18e6a1 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -8,6 +8,10 @@ reuse, SSL offload and HTTP media streaming.
 Plugin Changelog
 ================
 
+1.21
+
+* fix performance issue with autoban feature (contributed by jkellerer)
+
 1.20
 
 * User interface improvements of NAXSI configuration (contributed by 8191)

From cdd4d15db74a0f4c9489e0c3b82d8fdd4f25cbd5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 22 Feb 2021 15:14:03 +0100
Subject: [PATCH 0425/3088] security: bump revision numbers

---
 security/clamav/Makefile                                | 1 +
 security/etpro-telemetry/Makefile                       | 2 +-
 security/intrusion-detection-content-et-pro/Makefile    | 1 +
 security/intrusion-detection-content-pt-open/Makefile   | 1 +
 security/intrusion-detection-content-snort-vrt/Makefile | 1 +
 security/maltrail/Makefile                              | 1 +
 security/openconnect/Makefile                           | 1 +
 security/softether/Makefile                             | 1 +
 security/stunnel/Makefile                               | 1 +
 security/tinc/Makefile                                  | 2 +-
 10 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index 0010bcb43b..668ca3fd0c 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		clamav
 PLUGIN_VERSION=		1.7
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 3a959c0848..6c41f6a7ca 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=        1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html
diff --git a/security/intrusion-detection-content-et-pro/Makefile b/security/intrusion-detection-content-et-pro/Makefile
index fafdd5cfd4..f9c5095c04 100644
--- a/security/intrusion-detection-content-et-pro/Makefile
+++ b/security/intrusion-detection-content-et-pro/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		intrusion-detection-content-et-pro
 PLUGIN_VERSION=		1.0.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		IDS Proofpoint ET Pro ruleset (needs a valid subscription)
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://www.proofpoint.com/us/threat-insight/et-pro-ruleset
diff --git a/security/intrusion-detection-content-pt-open/Makefile b/security/intrusion-detection-content-pt-open/Makefile
index 8e7246d5fd..255baf5fe9 100644
--- a/security/intrusion-detection-content-pt-open/Makefile
+++ b/security/intrusion-detection-content-pt-open/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		intrusion-detection-content-pt-open
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		IDS PT Research ruleset (only for non-commercial use)
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://www.ptsecurity.com/ww-en/
diff --git a/security/intrusion-detection-content-snort-vrt/Makefile b/security/intrusion-detection-content-snort-vrt/Makefile
index d4e31d8943..a2f900e6b7 100644
--- a/security/intrusion-detection-content-snort-vrt/Makefile
+++ b/security/intrusion-detection-content-snort-vrt/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		intrusion-detection-content-snort-vrt
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		IDS Snort VRT ruleset (needs registration or subscription)
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://www.snort.org/downloads#rules
diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index 874f9d5de8..9371d85122 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		maltrail
 PLUGIN_VERSION=		1.6
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index e922426b2c..afd5f9a200 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		openconnect
 PLUGIN_VERSION=		1.4.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/softether/Makefile b/security/softether/Makefile
index 81341b10a7..e1e595bcc9 100644
--- a/security/softether/Makefile
+++ b/security/softether/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		softether
 PLUGIN_VERSION=		0.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Cross-platform Multi-protocol VPN Program
 PLUGIN_DEPENDS=		softether
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index ed8d72bbbb..4cbdf5bc41 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		1.0.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 45b3c7279b..4e6a8afafe 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From a9d1b8b7417d966d63104837e11a6cc511b72b5d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 22 Feb 2021 15:22:40 +0100
Subject: [PATCH 0426/3088] net: revision bumps

---
 net/chrony/Makefile            |  1 +
 net/firewall/Makefile          |  1 +
 net/freeradius/Makefile        |  1 +
 net/ftp-proxy/Makefile         |  2 +-
 net/google-cloud-sdk/Makefile  |  1 +
 net/igmp-proxy/Makefile        |  1 +
 net/mdns-repeater/Makefile     | 11 ++++++-----
 net/ntopng/Makefile            |  1 +
 net/relayd/Makefile            |  1 +
 net/shadowsocks/Makefile       |  2 +-
 net/siproxd/Makefile           |  1 +
 net/tayga/Makefile             |  1 +
 net/udpbroadcastrelay/Makefile |  1 +
 net/upnp/Makefile              |  1 +
 net/vnstat/Makefile            |  1 +
 net/wireguard/Makefile         |  2 +-
 net/wol/Makefile               |  1 +
 net/zerotier/Makefile          |  2 +-
 18 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index 0601f4f248..a905579e2f 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		chrony
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 5c667b1ee0..4b40f0f05c 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 
diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index a473a81ae9..a62c2a0d52 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.9
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/ftp-proxy/Makefile b/net/ftp-proxy/Makefile
index 20403a1da3..78c8fc10ba 100644
--- a/net/ftp-proxy/Makefile
+++ b/net/ftp-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ftp-proxy
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Control ftp-proxy processes
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
 
diff --git a/net/google-cloud-sdk/Makefile b/net/google-cloud-sdk/Makefile
index 6e832d0562..c836863108 100644
--- a/net/google-cloud-sdk/Makefile
+++ b/net/google-cloud-sdk/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		google-cloud-sdk
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Google Cloud SDK
 PLUGIN_DEPENDS=		google-cloud-sdk
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/igmp-proxy/Makefile b/net/igmp-proxy/Makefile
index 4284a2b46b..d5546cdb17 100644
--- a/net/igmp-proxy/Makefile
+++ b/net/igmp-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		igmp-proxy
 PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		igmpproxy
 PLUGIN_COMMENT=		IGMP-Proxy Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/mdns-repeater/Makefile b/net/mdns-repeater/Makefile
index 3843c85d9e..2c17394c8d 100644
--- a/net/mdns-repeater/Makefile
+++ b/net/mdns-repeater/Makefile
@@ -1,7 +1,8 @@
-PLUGIN_NAME=       mdns-repeater
-PLUGIN_VERSION=    1.0
-PLUGIN_COMMENT=    Proxy multicast DNS between networks
-PLUGIN_MAINTAINER= franz.fabian.94@gmail.com
-PLUGIN_DEPENDS=    mdns-repeater
+PLUGIN_NAME=		mdns-repeater
+PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
+PLUGIN_COMMENT=		Proxy multicast DNS between networks
+PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
+PLUGIN_DEPENDS=		mdns-repeater
 
 .include "../../Mk/plugins.mk"
diff --git a/net/ntopng/Makefile b/net/ntopng/Makefile
index c31a997406..fdced159bb 100644
--- a/net/ntopng/Makefile
+++ b/net/ntopng/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ntopng
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Traffic Analysis and Flow Collection
 PLUGIN_DEPENDS=		ntopng
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 0a357bf307..c7bd04749f 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.4
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
diff --git a/net/shadowsocks/Makefile b/net/shadowsocks/Makefile
index 7a1b462f9a..478086ece7 100644
--- a/net/shadowsocks/Makefile
+++ b/net/shadowsocks/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		shadowsocks
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Secure socks5 proxy
 PLUGIN_DEPENDS=		shadowsocks-libev
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/siproxd/Makefile b/net/siproxd/Makefile
index 79394e6b0f..d10bb8f394 100644
--- a/net/siproxd/Makefile
+++ b/net/siproxd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		siproxd
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Siproxd is a proxy daemon for the SIP protocol
 PLUGIN_DEPENDS=		siproxd
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index 6945498327..33f54830ff 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		tayga
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index 0977354b33..b8aa04860e 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		udpbroadcastrelay
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Control ubpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com
diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index cd7ac42494..9dca9a4c47 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.4
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/vnstat/Makefile b/net/vnstat/Makefile
index 59374556bc..bd8388bee2 100644
--- a/net/vnstat/Makefile
+++ b/net/vnstat/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		vnstat
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		vnStat is a console-based network traffic monitor
 PLUGIN_DEPENDS=		vnstat
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index fe52b80fbf..9a3654e78f 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wol/Makefile b/net/wol/Makefile
index bbae997f3f..7f29a872c1 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wol
 PLUGIN_VERSION=		2.3
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/zerotier/Makefile b/net/zerotier/Makefile
index 6efe44df93..bc69d92c72 100644
--- a/net/zerotier/Makefile
+++ b/net/zerotier/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		zerotier
 PLUGIN_VERSION=		1.3.2
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Virtual Networks That Just Work
 PLUGIN_DEPENDS=		zerotier
 PLUGIN_MAINTAINER=	dharrigan@gmail.com

From 5f70df6b3a633813c48c87a0203d698ce6421295 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 22 Feb 2021 15:24:06 +0100
Subject: [PATCH 0427/3088] net-mgmt: bump revision

---
 net-mgmt/collectd/Makefile      | 1 +
 net-mgmt/lldpd/Makefile         | 1 +
 net-mgmt/net-snmp/Makefile      | 1 +
 net-mgmt/netdata/Makefile       | 1 +
 net-mgmt/nrpe/Makefile          | 2 +-
 net-mgmt/telegraf/Makefile      | 1 +
 net-mgmt/zabbix-agent/Makefile  | 1 +
 net-mgmt/zabbix4-proxy/Makefile | 1 +
 net-mgmt/zabbix5-proxy/Makefile | 1 +
 9 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/collectd/Makefile b/net-mgmt/collectd/Makefile
index a67fb72124..d4a91d1854 100644
--- a/net-mgmt/collectd/Makefile
+++ b/net-mgmt/collectd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		collectd
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Collect system and application performance metrics periodically
 PLUGIN_DEPENDS=		collectd5
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/lldpd/Makefile b/net-mgmt/lldpd/Makefile
index fe282e13e8..0b778bcae3 100644
--- a/net-mgmt/lldpd/Makefile
+++ b/net-mgmt/lldpd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		lldpd
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		LLDP allows you to know exactly on which port is a server
 PLUGIN_DEPENDS=		lldpd
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index bd26747faf..77c00a3b9d 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		net-snmp
 PLUGIN_VERSION=		1.4
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Net-SNMP is a daemon for the SNMP protocol
 PLUGIN_DEPENDS=		net-snmp
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/netdata/Makefile b/net-mgmt/netdata/Makefile
index 0a4b8cf344..3c5fd6b740 100644
--- a/net-mgmt/netdata/Makefile
+++ b/net-mgmt/netdata/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		netdata
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Real-time performance monitoring
 PLUGIN_DEPENDS=		netdata
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/nrpe/Makefile b/net-mgmt/nrpe/Makefile
index e23a519ff7..b6c26d948a 100644
--- a/net-mgmt/nrpe/Makefile
+++ b/net-mgmt/nrpe/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nrpe
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Execute nagios plugins
 PLUGIN_DEPENDS=		nrpe3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 32f0fd6027..284cc8f355 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		telegraf
 PLUGIN_VERSION=		1.8.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 148ae72c19..af1be66116 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.8
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_DEPENDS=		zabbix5-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net-mgmt/zabbix4-proxy/Makefile b/net-mgmt/zabbix4-proxy/Makefile
index ae1fd3930c..d9ece0f6f9 100644
--- a/net-mgmt/zabbix4-proxy/Makefile
+++ b/net-mgmt/zabbix4-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		zabbix4-proxy
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
 PLUGIN_DEPENDS=		zabbix4-proxy
 PLUGIN_CONFLICTS=   zabbix5-proxy
diff --git a/net-mgmt/zabbix5-proxy/Makefile b/net-mgmt/zabbix5-proxy/Makefile
index 89d4d33dde..fd8d3942b6 100644
--- a/net-mgmt/zabbix5-proxy/Makefile
+++ b/net-mgmt/zabbix5-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		zabbix5-proxy
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
 PLUGIN_DEPENDS=		zabbix5-proxy
 PLUGIN_CONFLICTS=   zabbix4-proxy

From 9df5e84a381f1c333c5093e05adca15a9c4d8ed1 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 23 Feb 2021 08:57:37 +0100
Subject: [PATCH 0428/3088] sync local changes to remote via socket

---
 .../OPNsense/HAProxy/lib/haproxy/cmds.py      |   4 +-
 .../HAProxy/lib/haproxy/tests/test_cmds.py    |   2 +-
 .../scripts/OPNsense/HAProxy/syncCerts.py     | 578 ++++++++++++++----
 3 files changed, 455 insertions(+), 129 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
index 81e8b3351a..391527d890 100644
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
@@ -135,7 +135,7 @@ def getResultObj(self, res):
         return result
 
 class showSslCrtList(Cmd):
-    cmdTxt = "show ssl crt-list %(crt_list)s\r\n"
+    cmdTxt = "show ssl crt-list -n %(crt_list)s\r\n"
     req_args = ['crt_list']
     helpTxt = "Show the the content of a crt-list."
 
@@ -330,4 +330,4 @@ def getResultObj(self, res):
             row.move_to_end('id', last=False)
             servers.append(dict(row))
 
-        return servers
\ No newline at end of file
+        return servers
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
index 01887f583f..18a175aeed 100644
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
@@ -142,7 +142,7 @@ def setUp(self):
             "sessions": "show sess",
             "servers": "show stat",
             "show-ssl-crt-lists": "show ssl crt-list",
-            "show-ssl-crt-list": "show ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
+            "show-ssl-crt-list": "show ssl crt-list -n /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
             "show-ssl-certs": "show ssl cert",
             "show-ssl-cert": "show ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
             "add-to-crt-list": "add ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index 7b3d09bbc2..d8f3d72b06 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -3,145 +3,452 @@
 import os
 import sys
 import argparse
-import traceback
 import yaml
-import ssl
-from io import StringIO
 import base64
 import OpenSSL
-
+import json
+from typing import List
 
 sys.path.append(os.path.join(os.path.dirname(__file__), 'lib'))
 from haproxy.conn import HaPConn
 from haproxy import cmds
 
 
-class Diff:
-    def __init__(self, local=None, remote=None):
-        if local is None:
-            local = []
-        if remote is None:
-            remote = []
-
-        self.local = local
-        self.remote = remote
-        self.state = str(self)
-
-    def show_state(self):
-        """ Shows current local and remote state """
-        print("## STATE ##")
-        print(str(self))
-
-    def show_diff(self):
-        """ Shows what will be synced to target """
-        print("## DIFF ##")
-        print("TODO: Show the diff")
-
-    def sync(self):
-        print("## SYNC ##")
-        print("TODO: Sync to target")
-
-    def __iter__(self):
-        return iter(self.local)
-
-    def __str__(self):
-        result = ""
-        for item in self:
-            result += f"{str(item)}\n"
-        return result
-
-
 class SyncWithTarget:
     """ Base class for sync objects to a target """
+
     def __init__(self, socket='/var/run/haproxy.socket'):
         self.socket = socket
 
-    def execute_remote_cmd(self, command_class, **command_args):
+    def _execute_remote_cmd(self, command_class, **command_args):
         con = HaPConn(self.socket)
         if con:
-            result = con.sendCmd(command_class(**command_args), objectify=True)
+            command_obj = command_class(**command_args)
+            result = con.sendCmd(command_obj, objectify=True)
             con.close()
             return result
 
-    def get_remote_state(self, command_class, **command_args):
-        return self.execute_remote_cmd(command_class, **command_args)
+    def _calc_diff(self):
+        """ return needed operations to get remote object in sync """
+        raise Exception("need to be implemented!")
+
+    def diff_list(self, first: List, second: List):
+        second = set(second)
+        return [item for item in first if item not in second]
+
+
+class Diff(SyncWithTarget):
+    """ Represents a full diff to sync with remote """
+
+    def __init__(self, crt_lists=None):
+        super().__init__()
+        if crt_lists is None:
+            crt_lists = []
+        self._crt_lists = crt_lists
+        self._diff = self._calc_diff()
+        self._status = self._get_status()
+        self._transactions = self._get_transactions()
+
+    @property
+    def diff(self):
+        return self._diff
+
+    @property
+    def crt_lists(self):
+        return self._crt_lists
+
+    @property
+    def transactions(self):
+        return self._transactions
+
+    @property
+    def status(self):
+        return self._status
+
+    def _calc_diff(self):
+        result = {}
+        for crt_list in self:
+            result[crt_list.frontend_id] = crt_list.diff
+        return result
+
+    def abort(self, output_format):
+        """ Abort transactions"""
+        aborted = []
+        for certfile in self.transactions:
+            certfile = certfile.replace('*/', "/")
+
+            output = self._execute_remote_cmd(cmds.abortSslCrt, certfile=certfile)
+            aborted.append({
+                "cert": certfile,
+                "output": output,
+            })
+
+        if output_format == 'json':
+            print(json.dumps({'abort': aborted}))
+
+        if output_format == 'raw':
+            for item in aborted:
+                print(f"ABORT transaction: {item['cert']}")
+                print(f"  {repr(item['output'])}")
+
+    def _get_transactions(self):
+        """ get open transactions"""
+        return self._execute_remote_cmd(cmds.showSslCerts)['transaction']
+
+    def _get_status(self):
+        status = {}
+        crt_list: CertList
+        for crt_list in self.crt_lists:
+            status[crt_list.frontend_id] = {
+                "frontend_name": crt_list.frontend_name,
+                "path": crt_list.path,
+                "local_certs": crt_list.local,
+                "local_default": crt_list.local_default,
+                "remote_certs": crt_list.remote,
+                "remote_default": crt_list.remote_default,
+            }
+            cert: Cert
+            status[crt_list.frontend_id]['certs'] = {}
+            for cert in crt_list.certs:
+                status[crt_list.frontend_id]['certs'][cert.cert_id] = {
+                    'path': cert.path,
+                    'local': cert.local,
+                    'remote': cert.local,
+                }
+        return status
+
+    def show_status(self, output_format):
+        """ Shows current local and remote state """
+        if output_format == 'json':
+            print(json.dumps(self.status))
+
+        if output_format == 'raw':
+            print("## STATUS ##")
+            for frontend_id, crt_list in self.status.items():
+                print(f"CRT_LIST: {crt_list['path']}")
+                print(f"  FRONTEND NAME:  {crt_list['frontend_name']}")
+                print(f"  FRONTEND ID:    {frontend_id}")
+                print(f"  LOCAL CERTS:    {crt_list['local_certs']}")
+                print(f"  REMOTE CERTS:   {crt_list['remote_certs']}")
+                print(f"  LOCAL DEFAULT:  {crt_list['local_default']}")
+                print(f"  REMOTE DEFAULT: {crt_list['remote_default']}")
+
+                for cert_id, cert in crt_list['certs'].items():
+                    print()
+                    print(f"    CERT: {cert['path']}")
+                    print(f"      LOCAL:  {cert['local']}")
+                    print(f"      REMOTE: {cert['remote']}")
+                print()
+
+    def show_diff(self, output_format):
+        """ Shows what will be synced to target """
+        if output_format == 'json':
+            print(json.dumps(self.diff))
+
+        if output_format == 'raw':
+            print("## DIFF ##")
+            for frontend_id, diff in self.diff.items():
+                print(f"CRT LIST: {diff['path']}")
+                print(f"  FRONTEND NAME: {diff['frontend_name']}")
+                print(f"  FRONTEND ID: {diff['frontend_id']}")
+                for update in diff['update']:
+                    print(f"  CERT UPDATE:")
+                    print(f"     Cert:    {update['certfile']}")
+                    print(f"     Serial:  {update['meta']['Serial']}")
+                    print(f"     Issuer:  {update['meta']['Issuer']}")
+                    print(f"     Subject: {update['meta']['Subject']}")
+                else:
+                    if not diff['update']:
+                        print(f"  CERT UPDATE: []")
+                print(f"  CERT ADD :   {diff['add']}")
+                print(f"  CERT DEL :   {diff['del']}")
+
+    def show_transactions(self, output_format):
+
+        if output_format == 'json':
+            print(json.dumps({'transactions': self.transactions}))
+
+        if output_format == 'raw':
+            print("## OPEN TRANSACTIONS ##")
+            for cert in self.transactions:
+                print(cert)
+
+    def sync(self, output_format):
+        """ Sync to target """
+        sync = {}
+        certs_to_delete = []
+        for frontend_id, diff in self.diff.items():
+            sync[frontend_id] = {
+                'frontend_name': diff['frontend_name'],
+                'frontend_id': diff['frontend_id'],
+                'path': diff['path'],
+                'add': [],
+                'remove': [],
+                'update': [],
+                'del': []
+            }
+
+            # update cert content
+            for cert in diff['update']:
+                messages = []
+                if cert['certfile'] in diff['add']:
+                    output = self._execute_remote_cmd(cmds.newSslCrt, certfile=cert['certfile'])
+                    messages.append(output)
+
+                output = self._execute_remote_cmd(cmds.updateSslCrt, certfile=cert['certfile'], payload=cert['pem'])
+                messages.append(output)
+
+                output = self._execute_remote_cmd(cmds.commitSslCrt, certfile=cert['certfile'])
+                messages.append(output)
+
+                sync[frontend_id]['update'].append({
+                    'cert': cert['certfile'],
+                    'messages': messages
+                })
+
+            # add to crt-list
+            for cert in diff['add']:
+                messages = []
+                output = self._execute_remote_cmd(cmds.addToSslCrtList, crt_list=diff['path'], certfile=cert)
+                messages.append(output)
+                sync[frontend_id]['add'].append({
+                    'cert': cert,
+                    'messages': messages
+                })
+
+            # remove from crt-list
+            for cert in diff['del']:
+                messages = []
+                output = self._execute_remote_cmd(cmds.delFromSslCrtList, crt_list=diff['path'], certfile=cert)
+                messages.append(output)
+                certs_to_delete.append(cert.split(":")[0])
+                sync[frontend_id]['remove'].append({
+                    'cert': cert,
+                    'messages': messages
+                })
+
+        # delete unused certs operation - haproxy does not allow to delete certs in use
+        for cert in certs_to_delete:
+            messages = []
+            output = self._execute_remote_cmd(cmds.delSslCrt, certfile=cert)
+            messages.append(output)
+            sync[frontend_id]['del'].append({
+                'cert': cert,
+                'messages': messages
+            })
+
+        if output_format == 'json':
+            print(json.dumps(self.diff))
+
+        if output_format == 'raw':
+            print("## SYNC ##")
+            for frontend_id, crt_list in sync.items():
+                print(f"CRT-LIST: {crt_list['path']}")
+                print(f"  FRONTEND NAME: {crt_list['frontend_name']}")
+                print(f"  FRONTEND ID: {crt_list['frontend_id']}")
+                for cert in crt_list['update']:
+                    print(f"  UPDATE: {cert['cert']}")
+                    for message in cert['messages']:
+                        print("    " + repr(message))
+                for cert in crt_list['add']:
+                    print(f"  ADD: {cert['cert']}")
+                    for message in cert['messages']:
+                        print("    " + repr(message))
+
+                for cert in crt_list['remove']:
+                    print(f"  REMOVE: {cert['cert']}")
+                    for message in cert['messages']:
+                        print("    " + repr(message))
+
+                for cert in crt_list['del']:
+                    print(f"  DEL: {cert['cert']}")
+                    for message in cert['messages']:
+                        print("    " + repr(message))
+                print()
+
+    def __iter__(self):
+        return iter(self._crt_lists)
+
+    def __str__(self):
+        return self.status
 
 
 class CertList(SyncWithTarget):
     """ Represents a haproxy ssl-crt-list """
-    def __init__(self, path, certs=None):
+
+    def __init__(self, path, frontend_id=None, frontend_name=None, certs=None, default_cert=None):
         super().__init__()
         if certs is None:
             certs = []
-        self.path = path
-        self.certs = certs
-        self.local = self.get_local_state()
-        self.remote = self.get_remote_state(cmds.showSslCrtList, crt_list=self.path)
+        self._path = path
+        self._certs = certs
+        self._frontend_name = frontend_name
+        self._frontend_id = frontend_id
+        self._local_default = default_cert
+        self._local = self._get_local_state()
+        self._remote_ln = self._get_remote_state(cmds.showSslCrtList, crt_list=self._path)
+        self._remote = [cert_ln.split(":")[0] for cert_ln in self._remote_ln]
+        self._diff = self._calc_diff()
+
+    @property
+    def path(self):
+        return self._path
+
+    @property
+    def frontend_name(self):
+        return self._frontend_name
+
+    @property
+    def frontend_id(self):
+        return self._frontend_id
+
+    @property
+    def certs(self):
+        return self._certs
+
+    @property
+    def local_default(self):
+        return self._local_default
+
+    @property
+    def remote_default(self):
+        return next(iter(self._remote), None)
+
+    @property
+    def local(self):
+        return self._local
+
+    @property
+    def remote_ln(self):
+        """ Certs with line number"""
+        return self._remote_ln
+
+    @property
+    def remote(self):
+        """
+            if default certs are different return remote certs with line numbers, so they are deleted in the crt list.
+            This ensures that the default cert is always on top.
+        """
+        if self._local_default is not None and self.local_default != self.remote_default:
+            return self._remote_ln
+        return self._remote
+
+    @property
+    def diff(self):
+        return self._diff
+
+    def _calc_diff(self):
+        """ return needed operations to get remote object in sync """
+        diff = {
+            'frontend_name': self.frontend_name,
+            'frontend_id': self.frontend_id,
+            'path': self.path,
+            'add': [],
+            'del': [],
+            'update': []
+        }
+        # skip when there is no remote crt list
+        if self.remote is None:
+            return diff
 
-    def __iter__(self):
-        return iter(self.local)
+        # certs to add, delete and update on the remote target
+        diff['add'] = self.diff_list(self.local, self.remote)
+        diff['del'] = self.diff_list(self.remote, self.local)
+        diff['update'] = [cert.diff for cert in self.certs if cert.diff]
 
-    def __str__(self):
-        result = f"CRT LIST: {self.path}\n"
-        result += f"  LOCAL:  {self.local}\n"
-        result += f"  REMOTE: {self.remote}\n"
-        for cert in self.certs:
-            result += f"\n{str(cert)}\n"
-        return result
+        return diff
 
-    def get_local_state(self):
-        return [f"{repr(cert)}" for cert in self.certs]
+    def _get_local_state(self):
+        return [f"{repr(cert)}" for cert in self._certs]
 
-    def get_remote_state(self, command_class, **command_args):
-        crt_list_data = super().get_remote_state(command_class, **command_args)
-        return crt_list_data.get('certs', {})
+    def _get_remote_state(self, command_class, **command_args):
+        crt_list_data = self._execute_remote_cmd(command_class, **command_args)
+        return crt_list_data.get('certs', None)
+
+    def __iter__(self):
+        return iter(self._local)
 
 
 class Cert(SyncWithTarget):
     """ Represents a haproxy ssl-cert  """
-    def __init__(self, path, pem):
+
+    def __init__(self, path, pem, cert_id=None):
         super().__init__()
-        self.path = path
-        self.pem = pem
-        self.local = self.get_local_state()
-        self.remote = self.get_remote_state(cmds.showSslCert, certfile=self.path)
+        self._path = path
+        self._pem = pem
+        self._cert_id = cert_id
+        self._local = self._get_local_state()
+        self._remote = self._get_remote_state(cmds.showSslCert, certfile=self._path)
+        self._diff = self._calc_diff()
 
-    def __repr__(self):
-        return self.path
+    @property
+    def path(self):
+        return self._path
 
-    def __str__(self):
-        result = f"    CERT: {self.path}"
-        result += f"\n      LOCAL:  {self.local}"
-        result += f"\n      REMOTE: {self.remote}"
-        return result
+    @property
+    def cert_id(self):
+        return self._cert_id
 
-    def get_cert_data(self, dump=False, encoding='utf-8'):
+    @property
+    def pem(self):
+        return self._pem.replace("\n\n", "\n")
+
+    @property
+    def local(self):
+        return self._local
+
+    @property
+    def remote(self):
+        return self._remote
+
+    @property
+    def diff(self):
+        return self._diff
+
+    def __repr__(self):
+        return self._path
+
+    def _get_cert_data(self, dump=False, encoding='utf-8'):
         result = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, self.pem)
         if dump:
             result = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_TEXT, result).decode(encoding)
         return result
 
-    def glue(self, components):
+    def _glue(self, components):
         return "".join("/{0:s}={1:s}".format(name.decode(), value.decode()) for name, value in components)
 
-    def get_local_state(self):
-        cert_obj = self.get_cert_data()
+    def _get_local_state(self):
+        cert_obj = self._get_cert_data()
         return {
-            "Serial": '%.2x' % cert_obj.get_serial_number(),
-            "Subject": self.glue(cert_obj.get_subject().get_components()),
-            "Issuer": self.glue(cert_obj.get_issuer().get_components())
+            "Serial": '%.2x'.upper() % cert_obj.get_serial_number(),
+            "Subject": self._glue(cert_obj.get_subject().get_components()),
+            "Issuer": self._glue(cert_obj.get_issuer().get_components())
         }
 
-    def get_remote_state(self, command_class, **command_args):
-        cert_data = super().get_remote_state(command_class, **command_args)
+    def _get_remote_state(self, command_class, **command_args):
+        cert_data = self._execute_remote_cmd(command_class, **command_args)
+
         if 'error' in cert_data:
-            return {}
+            return cert_data
+
+        if cert_data['Status'] == 'Empty':
+            return {'Status': cert_data['Status']}
+
         return {
-            "Serial": cert_data['Serial'],
-            "Subject": cert_data['Subject'],
-            "Issuer": cert_data['Issuer']
+            "Serial": cert_data.get('Serial', None),
+            "Subject": cert_data.get('Subject', None),
+            "Issuer": cert_data.get('Issuer', None),
         }
 
+    def _calc_diff(self):
+        result = {}
+        if self._remote != self._local:
+            result['certfile'] = self.path
+            result['pem'] = self.pem
+            result['meta'] = self.local
+        return result
+
+
 def dict_from_yaml(path):
     with open(path, 'r') as yaml_file:
         data = yaml.load(yaml_file, Loader=yaml.SafeLoader)
@@ -152,15 +459,15 @@ def skip_frontend(frontend_id, frontend):
     filter_frontend_names = list(filter(None, args.frontends.split(",")))
     filter_frontend_ids = list(filter(None, args.frontend_ids.split(",")))
 
-    skip_id = False
-    if filter_frontend_names and frontend['name'] not in filter_frontend_names:
-        skip_id = True
+    if not filter_frontend_ids and not filter_frontend_names:
+        return False
 
-    skip_name = False
-    if filter_frontend_ids and frontend_id not in filter_frontend_ids:
-        skip_name = True
+    if filter_frontend_ids and frontend_id in filter_frontend_ids:
+        return False
+    if filter_frontend_names and frontend['name'] in filter_frontend_names:
+        return False
 
-    return skip_id and skip_name
+    return True
 
 
 def get_cert_data(cert, dump=False, encoding='utf-8'):
@@ -182,6 +489,7 @@ def base64_decode(base64_str, encoding='utf-8'):
         return message
     return ''
 
+
 def get_args():
     # noinspection PyTypeChecker
     parser = argparse.ArgumentParser(
@@ -190,6 +498,12 @@ def get_args():
         given, all certificates will be synced.""",
         formatter_class=argparse.ArgumentDefaultsHelpFormatter
     )
+    parser.add_argument(
+        'command',
+        choices=['status', 'diff', 'sync', 'transactions', 'abort'],
+        nargs='+',
+        help="Execute one or more operations."
+    )
     parser.add_argument(
         '--config',
         help='Path to the ssl certificate information configfile.',
@@ -201,7 +515,7 @@ def get_args():
         default=""
     )
     parser.add_argument(
-        '--frontend_ids',
+        '--frontend-ids',
         help='Attempt action on a list of frontend ids, specified as a comma separated list.',
         default=""
     )
@@ -211,42 +525,54 @@ def get_args():
         choices=['json', 'raw'],
         default="raw"
     )
-    parser.add_argument(
-        '--debug',
-        type=bool,
-        help='Show debug output.',
-        default=False
-    )
     return parser.parse_args()
 
 
-args = get_args()
-config = dict_from_yaml(args.config)
-
-""" Get ssl crt-list with certificates from configfile"""
-crt_lists = []
-for frontend_id, frontend in config['frontends'].items():
-    if skip_frontend(id, frontend_id):
-        continue
+def get_crt_lists_from_config(configfile):
+    """ Get ssl crt-list with certificates from configfile"""
+    config = dict_from_yaml(configfile)
+    crt_lists = []
+    for frontend_id, frontend in config['frontends'].items():
+        if skip_frontend(frontend_id, frontend):
+            continue
+
+        certs = []
+        default_cert = None
+        for cert_id, cert_data in frontend['certs'].items():
+            crt = base64_decode(cert_data['crt'])
+            key = base64_decode(cert_data['key'])
+            ca = base64_decode(cert_data['ca'])
+            full_cert = crt + key + ca
+
+            if cert_data['default']:
+                default_cert = cert_data['path']
+
+            certs.append(Cert(path=cert_data['path'], pem=full_cert, cert_id=cert_id))
+
+        params = {
+            'path': frontend['crt_list_path'],
+            'frontend_id': frontend_id,
+            'frontend_name': frontend['name'],
+            'certs': certs,
+            'default_cert': default_cert
+        }
+        crt_lists.append(CertList(**params))
 
-    certs = []
-    for cert_id, cert_data in frontend['certs'].items():
-        crt = base64_decode(cert_data['crt'])
-        key = base64_decode(cert_data['key'])
-        ca = base64_decode(cert_data['ca'])
-        full_cert = crt + key + ca
+    return crt_lists
 
-        certs.append(Cert(path=cert_data['path'], pem=full_cert))
 
-    crt_lists.append(CertList(path=frontend['crt_list_path'], certs=certs))
+args = get_args()
+crt_lists = get_crt_lists_from_config(args.config)
+diff = Diff(crt_lists=crt_lists)
 
 """ Sync ssl certs from configfile to HaProxy """
-diff = Diff(local=crt_lists)
-diff.show_state()
-diff.show_diff()
-diff.sync()
-
-
-#print(crt_lists)
-#print(diff)
-#diff.sync()
+if "status" in args.command:
+    diff.show_status(args.output)
+if "diff" in args.command:
+    diff.show_diff(args.output)
+if "abort" in args.command:
+    diff.abort(args.output)
+if "transactions" in args.command:
+    diff.show_transactions(args.output)
+if "sync" in args.command:
+    diff.sync(args.output)

From 7231fcfa0dc514619d0d0c3b2c9697a0722d25fa Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 23 Feb 2021 10:15:07 +0100
Subject: [PATCH 0429/3088] add config.d services

---
 .../scripts/OPNsense/HAProxy/syncCerts.py     |  1 -
 .../conf/actions.d/actions_haproxy.conf       | 26 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index d8f3d72b06..87632bda09 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -164,7 +164,6 @@ def show_diff(self, output_format):
                 print(f"  CERT DEL :   {diff['del']}")
 
     def show_transactions(self, output_format):
-
         if output_format == 'json':
             print(json.dumps({'transactions': self.transactions}))
 
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index ce1ef790b6..7301e83e84 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -74,4 +74,28 @@ message:change haproxy state for multiple server
 command:/usr/local/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
 parameters: set-server-weight --server-ids %s --value %s
 type:script_output
-message:change haproxy weight for multiple server
\ No newline at end of file
+message:change haproxy weight for multiple server
+
+[cert_diff]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+parameters: diff --output json --frontends %s
+type:script_output
+message:Show diff between configured ssl certificates and certs from HAProxy memory for multiple frontends
+
+[cert_sync]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+parameters: sync --frontends %s --output json
+type:script_output
+message:Sync ssl certificates into HAProxy memory for multiple frontends
+
+[cert_diff_bulk]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py diff --output json
+parameters:
+type:script_output
+message:Show diff between configured ssl certificates and certs from HAProxy memory for all frontends
+
+[cert_sync_bulk]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py sync --output json
+parameters:
+type:script_output
+message:Sync ssl certificates into HAProxy memory for all frontends

From 1c5346467de9870019d26b5a4741656826a9cda4 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 23 Feb 2021 16:36:02 +0100
Subject: [PATCH 0430/3088] fix status remote cert display add description for
 cert_sync_bulk

---
 .../src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py        | 4 ++--
 .../src/opnsense/service/conf/actions.d/actions_haproxy.conf  | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index 87632bda09..0427b2e7ed 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -113,7 +113,7 @@ def _get_status(self):
                 status[crt_list.frontend_id]['certs'][cert.cert_id] = {
                     'path': cert.path,
                     'local': cert.local,
-                    'remote': cert.local,
+                    'remote': cert.remote,
                 }
         return status
 
@@ -260,7 +260,7 @@ def sync(self, output_format):
                         print("    " + repr(message))
 
                 for cert in crt_list['del']:
-                    print(f"  DEL: {cert['cert']}")
+                    print(f"\n DEL: {cert['cert']}")
                     for message in cert['messages']:
                         print("    " + repr(message))
                 print()
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index 7301e83e84..48bcc629d0 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -99,3 +99,4 @@ command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py sync --output
 parameters:
 type:script_output
 message:Sync ssl certificates into HAProxy memory for all frontends
+description:Sync ssl certificates changes into HAProxy memory

From 1a52a30246247d3ceba3075085580e3be87dd6c1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 2 Feb 2021 15:38:02 +0100
Subject: [PATCH 0431/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index c37496e583..9ae44f3d7d 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		2.26
+PLUGIN_VERSION=		3.0
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy

From 666554593748340d165c0de70dff69ffa5046bc7 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 2 Feb 2021 15:39:19 +0100
Subject: [PATCH 0432/3088] net/haproxy: update changelog

---
 net/haproxy/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index af22b3790d..8fd3de23c1 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.0
+
+Added:
+* new feature to change server state and weight on-the-fly (#2213)
+
 2.26
 
 Fixed:

From 43f984def679c4416124b4ce3ed061b22d9289b1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 4 Feb 2021 21:09:56 +0100
Subject: [PATCH 0433/3088] net/haproxy: translate tooltips, refs #2213

---
 net/haproxy/Makefile                             |  1 -
 .../app/views/OPNsense/HAProxy/maintenance.volt  | 16 ++++++++--------
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 9ae44f3d7d..fa8508ba7a 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		3.0
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 33332c27b1..63c870e6df 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -45,10 +45,10 @@ POSSIBILITY OF SUCH DAMAGE.
                 formatters: {
                     "commands": function (column, row) {
                         buttons = ""
-                        buttons += "<button type=\"button\" title=\"Set administrative state to ready. Puts the server in normal mode.\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"ready\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-check\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"Set administrative state to drain. Removes the server from load balancing but still allows it to be health checked and to accept new persistent connections\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"drain\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-sort-amount-desc\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"Set administrative state to maintenance. Disables any traffic to the server as well as any health checks.\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"maint\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-wrench\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"Change a server's weight.\" class=\"btn btn-xs btn-default command-set-weight\" data-weight=\"" + row.weight + "\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-balance-scale\"></span></button>"
+                        buttons += "<button type=\"button\" title=\"{{ lang._('Set administrative state to ready. Puts the server in normal mode.') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"ready\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-check\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"{{ lang._('Set administrative state to drain. Removes the server from load balancing but still allows it to be health checked and to accept new persistent connections') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"drain\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-sort-amount-desc\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"{{ lang._('Set administrative state to maintenance. Disables any traffic to the server as well as any health checks.') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"maint\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-wrench\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"{{ lang._('Change server weight.') }}\" class=\"btn btn-xs btn-default command-set-weight\" data-weight=\"" + row.weight + "\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-balance-scale\"></span></button>"
                         return buttons;
                     },
                 },
@@ -272,10 +272,10 @@ POSSIBILITY OF SUCH DAMAGE.
             <tr>
                 <td></td>
                 <td>
-                    <button data-action="setStateBulk" title="Set administrative state to ready for all selected items." data-state="ready" type="button" class="btn btn-xs btn-default"><span class="fa fa-check"></span></button>
-                    <button data-action="setStateBulk" title="Set administrative state to drain for all selected items." data-state="drain" type="button" class="btn btn-xs btn-default"><span class="fa fa-sort-amount-desc"></span></button>
-                    <button data-action="setStateBulk" title="Set administrative state to maintenance for all selected items." data-state="maint" type="button" class="btn btn-xs btn-default"><span class="fa fa-wrench"></span></button>
-                    <button data-action="setWeightBulk" data-weight="" type="button" class="btn btn-xs btn-default"><span class="fa fa-balance-scale"></span></button>
+                    <button data-action="setStateBulk" title="{{ lang._('Set administrative state to ready for all selected items.') }}" data-state="ready" type="button" class="btn btn-xs btn-default"><span class="fa fa-check"></span></button>
+                    <button data-action="setStateBulk" title="{{ lang._('Set administrative state to drain for all selected items.') }}" data-state="drain" type="button" class="btn btn-xs btn-default"><span class="fa fa-sort-amount-desc"></span></button>
+                    <button data-action="setStateBulk" title="{{ lang._('Set administrative state to maintenance for all selected items.') }}" data-state="maint" type="button" class="btn btn-xs btn-default"><span class="fa fa-wrench"></span></button>
+                    <button data-action="setWeightBulk" title="{{ lang._('Change server weight for all selected items.') }}" data-weight="" type="button" class="btn btn-xs btn-default"><span class="fa fa-balance-scale"></span></button>
                 </td>
             </tr>
             </tfoot>

From 436f5801f415d200426a842f1dbd32474e213e28 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 4 Feb 2021 22:29:14 +0100
Subject: [PATCH 0434/3088] net/haproxy: update default SSL settings

---
 net/haproxy/pkg-descr                          |  7 +++++++
 .../OPNsense/HAProxy/forms/dialogFrontend.xml  | 18 +++++++++---------
 .../OPNsense/HAProxy/forms/generalTuning.xml   | 18 +++++++++---------
 .../app/models/OPNsense/HAProxy/HAProxy.xml    | 18 +++++++++++-------
 4 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 8fd3de23c1..60f1c4d12a 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -10,6 +10,13 @@ Plugin Changelog
 
 Added:
 * new feature to change server state and weight on-the-fly (#2213)
+* add new SSL bind option: prefer-client-ciphers
+
+Changed:
+* change default SSL version to TLSv1.2 (ssl-min-ver)
+* remove weak ciphers from (default) SSL settings
+* remove default SSL bind options that would conflict with ssl-min-ver
+* move SSL bind options below other SSL settings, they are rarely used nowadays
 
 2.26
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 754bd8b038..4a12988a5c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -89,15 +89,6 @@
         <type>header</type>
         <style>mode_table table_http table_ssl table_ssl_advanced table_ssl_advanced_true</style>
     </field>
-    <field>
-        <id>frontend.ssl_bindOptions</id>
-        <label>Bind options</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <sortable>true</sortable>
-        <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
-    </field>
     <field>
         <id>frontend.ssl_minVersion</id>
         <label>Minimum SSL Version</label>
@@ -146,6 +137,15 @@
         <type>text</type>
         <help><![CDATA[Future requests to the domain should use only HTTPS for the specified time (in seconds): 15768000 = 6 months]]></help>
     </field>
+    <field>
+        <id>frontend.ssl_bindOptions</id>
+        <label>Bind options</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <sortable>true</sortable>
+        <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
+    </field>
     <field>
         <label>Client Certificate Auth</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index add58fc535..f34ae4ee9a 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -85,15 +85,6 @@
         <type>checkbox</type>
         <help><![CDATA[Enable global SSL default values.]]></help>
     </field>
-    <field>
-        <id>haproxy.general.tuning.ssl_bindOptions</id>
-        <label>Bind options</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <sortable>true</sortable>
-        <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
-    </field>
     <field>
         <id>haproxy.general.tuning.ssl_minVersion</id>
         <label>Minimum SSL Version</label>
@@ -118,4 +109,13 @@
         <type>text</type>
         <help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for TLSv1.3.]]></help>
     </field>
+    <field>
+        <id>haproxy.general.tuning.ssl_bindOptions</id>
+        <label>Bind options</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <sortable>true</sortable>
+        <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 3c7763fc7b..a855cf6320 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>2.10.0</version>
+    <version>3.0.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -129,7 +129,7 @@
                 </ssl_defaultsEnabled>
                 <ssl_bindOptions type="OptionField">
                     <Required>N</Required>
-                    <default>no-sslv3,no-tlsv10,no-tls-tickets</default>
+                    <default>prefer-client-ciphers</default>
                     <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <OptionValues>
@@ -144,11 +144,13 @@
                         <force-tlsv11>force-tlsv11</force-tlsv11>
                         <force-tlsv12>force-tlsv12</force-tlsv12>
                         <force-tlsv13>force-tlsv13</force-tlsv13>
+                        <prefer-client-ciphers>prefer-client-ciphers</prefer-client-ciphers>
                         <strict-sni>strict-sni</strict-sni>
                     </OptionValues>
                 </ssl_bindOptions>
                 <ssl_minVersion type="OptionField">
                     <Required>N</Required>
+                    <default>TLSv1.2</default>
                     <OptionValues>
                         <SSLv3>SSLv3</SSLv3>
                         <TLSv1.0>TLSv1.0</TLSv1.0>
@@ -168,11 +170,11 @@
                     </OptionValues>
                 </ssl_maxVersion>
                 <ssl_cipherList type="TextField">
-                    <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
+                    <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherList>
                 <ssl_cipherSuites type="TextField">
-                    <default>TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</default>
+                    <default>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherSuites>
             </tuning>
@@ -461,7 +463,7 @@
                 </ssl_advancedEnabled>
                 <ssl_bindOptions type="OptionField">
                     <Required>N</Required>
-                    <default>no-sslv3,no-tlsv10,no-tls-tickets</default>
+                    <default>prefer-client-ciphers</default>
                     <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <OptionValues>
@@ -476,11 +478,13 @@
                         <force-tlsv11>force-tlsv11</force-tlsv11>
                         <force-tlsv12>force-tlsv12</force-tlsv12>
                         <force-tlsv13>force-tlsv13</force-tlsv13>
+                        <prefer-client-ciphers>prefer-client-ciphers</prefer-client-ciphers>
                         <strict-sni>strict-sni</strict-sni>
                     </OptionValues>
                 </ssl_bindOptions>
                 <ssl_minVersion type="OptionField">
                     <Required>N</Required>
+                    <default>TLSv1.2</default>
                     <OptionValues>
                         <SSLv3>SSLv3</SSLv3>
                         <TLSv1.0>TLSv1.0</TLSv1.0>
@@ -500,11 +504,11 @@
                     </OptionValues>
                 </ssl_maxVersion>
                 <ssl_cipherList type="TextField">
-                    <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
+                    <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherList>
                 <ssl_cipherSuites type="TextField">
-                    <default>TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</default>
+                    <default>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherSuites>
                 <ssl_hstsEnabled type="BooleanField">

From e1d1a8c7823a8db5a1d13d6091e5800de75dea3e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 5 Feb 2021 00:25:37 +0100
Subject: [PATCH 0435/3088] net/haproxy: switch to HAProxy 2.2 release series,
 closes #2092

---
 net/haproxy/pkg-descr                          |  8 ++++++++
 .../OPNsense/HAProxy/forms/generalTuning.xml   |  6 ++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml    |  9 +++++++--
 .../scripts/OPNsense/HAProxy/socketCommand.py  |  2 +-
 .../templates/OPNsense/HAProxy/haproxy.conf    | 18 +++++++++++++-----
 5 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 60f1c4d12a..c739a02159 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,12 +11,20 @@ Plugin Changelog
 Added:
 * new feature to change server state and weight on-the-fly (#2213)
 * add new SSL bind option: prefer-client-ciphers
+* add global option to enable old buggy behaviour for PROXY v2 connections
+* add support for HTTP/2 in health checks
+
+Fixed:
+* fix maintenance page (python error: 'list' object has no attribute 'strip')
 
 Changed:
 * change default SSL version to TLSv1.2 (ssl-min-ver)
 * remove weak ciphers from (default) SSL settings
 * remove default SSL bind options that would conflict with ssl-min-ver
 * move SSL bind options below other SSL settings, they are rarely used nowadays
+* change default for tune.ssl.default-dh-param from 1024 to 2048
+* use new "http-check send" command for HTTP health checks
+* change default for spreadChecks from 0 to 2
 
 2.26
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index f34ae4ee9a..0fd011d4db 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -68,6 +68,12 @@
         <type>text</type>
         <help><![CDATA[Add some randomness in the check interval between 0 and +/- 50%. A value between 2 and 5 seems to show good results. The default value is 0 (disabled).]]></help>
     </field>
+    <field>
+        <id>haproxy.general.tuning.bogusProxyEnabled</id>
+        <label>Enable old bogus PROXY v2 implementation</label>
+        <type>checkbox</type>
+        <help><![CDATA[A bug in the PROXY protocol v2 implementation was present in HAProxy up to version 2.1. Enabling this option reverts this old buggy behaviour.]]></help>
+    </field>
     <field>
         <id>haproxy.general.tuning.customOptions</id>
         <label>Custom options</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index a855cf6320..3cb8e5b2e4 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -86,7 +86,7 @@
                     </OptionValues>
                 </sslServerVerify>
                 <maxDHSize type="IntegerField">
-                    <default>1024</default>
+                    <default>2048</default>
                     <MinimumValue>1024</MinimumValue>
                     <MaximumValue>16384</MaximumValue>
                     <ValidationMessage>Please specify a value between 1024 and 16384.</ValidationMessage>
@@ -107,12 +107,16 @@
                     <Required>N</Required>
                 </checkBufferSize>
                 <spreadChecks type="IntegerField">
-                    <default>0</default>
+                    <default>2</default>
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>50</MaximumValue>
                     <ValidationMessage>Please specify a value between 0 and 50.</ValidationMessage>
                     <Required>Y</Required>
                 </spreadChecks>
+                <bogusProxyEnabled type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </bogusProxyEnabled>
                 <luaMaxMem type="IntegerField">
                     <default>0</default>
                     <MinimumValue>0</MinimumValue>
@@ -1322,6 +1326,7 @@
                     <OptionValues>
                         <http10>HTTP/1.0 [default]</http10>
                         <http11>HTTP/1.1</http11>
+                        <http2>HTTP/2</http2>
                     </OptionValues>
                 </http_version>
                 <http_host type="TextField">
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
index fd9b438c0a..554db684aa 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
@@ -148,7 +148,7 @@ def get_args():
         if con:
             result = con.sendCmd(command_class(**command_args), objectify=False)
             if result:
-                print(result.strip())
+                print(result)
         else:
             print(f"Could not open socket {SOCKET}")
 
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 1796018a48..8f3ce54f14 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -838,6 +838,9 @@ global
 {% if OPNsense.HAProxy.general.tuning.spreadChecks|default("") != "" %}
     spread-checks               {{OPNsense.HAProxy.general.tuning.spreadChecks}}
 {% endif %}
+{% if OPNsense.HAProxy.general.tuning.bogusProxyEnabled|default("") == '1' %}
+    pp2-never-send-local
+{% endif %}
 {% if OPNsense.HAProxy.general.tuning.checkBufferSize|default("") != "" %}
     tune.chksize                {{OPNsense.HAProxy.general.tuning.checkBufferSize}}
 {% endif %}
@@ -1285,15 +1288,20 @@ backend {{backend.name}}
 {%             endif %}
 {%           endif %}
 {%         elif healthcheck_data.type == 'http' %}
-{%           do healthcheck_options.append('httpchk') %}
+    option httpchk
 {#           # HTTP method must be uppercase #}
+{%           do healthcheck_options.append('send meth') %}
 {%           do healthcheck_options.append(healthcheck_data.http_method|upper) %}
+{%           do healthcheck_options.append('uri') %}
 {%           do healthcheck_options.append(healthcheck_data.http_uri) %}
-{%           do healthcheck_options.append('HTTP/1.0') if healthcheck_data.http_version == 'http10' %}
 {#           # HTTP Host header requires HTTP 1.1 #}
-{%           do healthcheck_options.append('HTTP/1.1') if healthcheck_data.http_version == 'http11' and healthcheck_data.http_host|default("") == "" %}
-{%           do healthcheck_options.append('HTTP/1.1\\r\\nHost:\ ' ~ healthcheck_data.http_host) if healthcheck_data.http_version == 'http11' and healthcheck_data.http_host|default("") != "" %}
-    option {{healthcheck_options|join(' ')}}
+{%           if (healthcheck_data.http_version == 'http11' or healthcheck_data.http_version == 'http2') and healthcheck_data.http_host|default('') != '' %}
+{%             do healthcheck_options.append('ver HTTP/1.1 hdr Host ' ~ healthcheck_data.http_host) if healthcheck_data.http_version == 'http11' %}
+{%             do healthcheck_options.append('ver HTTP/2 hdr Host ' ~ healthcheck_data.http_host) if healthcheck_data.http_version == 'http2' %}
+{%           elif healthcheck_data.http_version == 'http10' %}
+{%             do healthcheck_options.append('ver HTTP/1.0') %}
+{%           endif %}
+    http-check {{healthcheck_options|join(' ')}}
 {#           # custom HTTP health check option #}
 {%           if healthcheck_data.http_expressionEnabled|default("") == '1' %}
 {#             # validate options #}

From d6ea9600e089a9528a31fad50b2c9416d1a0bc0c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 5 Feb 2021 23:51:39 +0100
Subject: [PATCH 0436/3088] net/haproxy: add config export, closes #2035

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/Api/ExportController.php | 83 ++++++++++++++++++
 .../OPNsense/HAProxy/ExportController.php     | 45 ++++++++++
 .../app/models/OPNsense/HAProxy/Menu/Menu.xml |  1 +
 .../app/views/OPNsense/HAProxy/export.volt    | 86 +++++++++++++++++++
 .../conf/actions.d/actions_haproxy.conf       | 13 +++
 6 files changed, 229 insertions(+)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/ExportController.php
 create mode 100644 net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index c739a02159..122f677897 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -13,6 +13,7 @@ Added:
 * add new SSL bind option: prefer-client-ciphers
 * add global option to enable old buggy behaviour for PROXY v2 connections
 * add support for HTTP/2 in health checks
+* add config export (#2035)
 
 Fixed:
 * fix maintenance page (python error: 'list' object has no attribute 'strip')
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
new file mode 100644
index 0000000000..89f9df4ca1
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
@@ -0,0 +1,83 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\HAProxy\HAProxy;
+
+/**
+ * Class StatisticsController
+ * @package OPNsense\HAProxy
+ */
+class ExportController extends ApiControllerBase
+{
+    /**
+     * get config
+     * @return string
+     */
+    public function configAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("haproxy showconf");
+        return array("response" => $response);
+    }
+
+    /**
+     * download config file or config archive
+     * @return array|mixed
+     */
+    public function downloadAction($type)
+    {               
+        $backend = new Backend();
+
+        if ($type == 'config') {
+          $result = $backend->configdRun("haproxy showconf");
+          $filename = 'haproxy.conf';
+          $filetype = 'text/plain';
+          $content = $result;
+        } else {
+          $result = $backend->configdRun("haproxy exportall");
+          $filename = 'haproxy_config_export.zip';
+          $filetype = 'application/zip';
+          $content = file_get_contents('/tmp/haproxy_config_export.zip');
+        }
+
+        $response = array(
+          'result' => $result,
+          'filename' => $filename,
+          'filetype' => $filetype,
+          'content' => base64_encode($content),
+        );
+        return $response;
+    }
+}
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/ExportController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/ExportController.php
new file mode 100644
index 0000000000..390adadede
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/ExportController.php
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy;
+
+/**
+ * Class ExportController
+ * @package OPNsense\HAProxy
+ */
+class ExportController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // choose template
+        $this->view->pick('OPNsense/HAProxy/export');
+    }
+}
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
index 8d12e55ab8..520fcc7c3d 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
@@ -32,6 +32,7 @@
               <Server VisibleName="Server" url="/ui/haproxy/maintenance#server"/>
           </Maintenance>
           <Log VisibleName="Log File" order="40" url="/ui/diagnostics/log/core/haproxy"/>
+          <Export VisibleName="Config Export" order="50" url="/ui/haproxy/export"/>
       </HAProxy>
     </Services>
 </menu>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
new file mode 100644
index 0000000000..e9134da578
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
@@ -0,0 +1,86 @@
+{#
+
+Copyright (C) 2021 Frank Wall
+OPNsense® is Copyright © 2014 – 2016 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        /**
+         * show HAProxy config
+         */
+        function update_showconf() {
+            ajaxCall(url="/api/haproxy/export/config/", sendData={}, callback=function(data,status) {
+                $("#showconf").text(data['response']);
+            });
+        }
+        update_showconf();
+
+        /**
+         * download HAProxy config
+         */
+        $('[id*="exportbtn"]').each(function(){
+            $(this).click(function(){
+                var type = $(this).data("type");
+                ajaxGet("/api/haproxy/export/download/"+type+"/", {}, function(data, status){
+                    if (data.filename !== undefined) {
+                        var link = $('<a></a>')
+                            .attr('href','data:'+data.filetype+';base64,' + data.content)
+                            .attr('download', data.filename)
+                            .appendTo('body');
+
+                        link.ready(function() {
+                            link.get(0).click();
+                            link.empty();
+                        });
+                    }
+                });
+            });
+        });
+
+    });
+</script>
+
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#export"><b>{{ lang._('Config Export') }}</b></a></li>
+</ul>
+
+<div class="content-box tab-content">
+
+    <div id="export" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            <pre id="showconf"></pre>
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="exportbtn" data-type="config" type="button"><b>{{ lang._('Download Config') }}</b></button>
+                <button class="btn btn-primary" id="exportbtn" data-type="all" type="button"><b>{{ lang._('Download All') }}</b></button>
+            </div>
+        </div>
+    </div>
+
+</div>
+
+{{ partial("layout_partials/base_dialog_processing") }}
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index 48bcc629d0..e23f091f61 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -100,3 +100,16 @@ parameters:
 type:script_output
 message:Sync ssl certificates into HAProxy memory for all frontends
 description:Sync ssl certificates changes into HAProxy memory
+
+[showconf]
+command:test -f /usr/local/etc/haproxy.conf && cat /usr/local/etc/haproxy.conf
+parameters:
+type:script_output
+message:show haproxy config
+
+[exportall]
+command:/usr/local/bin/zip -r /tmp/haproxy_config_export.zip /tmp/haproxy /usr/local/etc/haproxy.conf
+parameters:
+type:script_output
+message:show haproxy config
+

From 3852c59f4bfba181f59ab03920d3cfe9e1c59ab8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 7 Feb 2021 21:53:38 +0100
Subject: [PATCH 0437/3088] net/haproxy: update URLs to HAProxy 2.2
 documentation, refs #2092

---
 .../OPNsense/HAProxy/forms/dialogAction.xml            | 10 +++++-----
 .../OPNsense/HAProxy/forms/dialogBackend.xml           | 10 +++++-----
 .../OPNsense/HAProxy/forms/dialogFrontend.xml          |  6 +++---
 .../OPNsense/HAProxy/forms/dialogMapfile.xml           |  2 +-
 .../opnsense/mvc/app/views/OPNsense/HAProxy/index.volt | 10 +++++-----
 5 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index c10565e9f3..1e86836371 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -89,7 +89,7 @@
         <id>action.http_request_redirect</id>
         <label>HTTP Redirect</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -128,7 +128,7 @@
         <id>action.http_request_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -145,7 +145,7 @@
         <id>action.http_request_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -251,7 +251,7 @@
         <id>action.http_response_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -268,7 +268,7 @@
         <id>action.http_response_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 8d4479ef5c..4744fb03c6 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -28,7 +28,7 @@
         <id>backend.algorithm</id>
         <label>Balancing Algorithm</label>
         <type>dropdown</type>
-        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
         <hint>Choose a load balancing algorithm.</hint>
     </field>
     <field>
@@ -42,7 +42,7 @@
         <id>backend.proxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -164,7 +164,7 @@
         <id>backend.persistence_cookiemode</id>
         <label>Cookie handling</label>
         <type>dropdown</type>
-        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.persistence_cookiename</id>
@@ -186,14 +186,14 @@
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
+        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
         <hint>Choose a persistence type.</hint>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 4a12988a5c..14e6448499 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -322,14 +322,14 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
@@ -356,7 +356,7 @@
         <id>frontend.stickiness_counter_key</id>
         <label>Sticky counter key</label>
         <type>text</type>
-        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index 49888d4e91..f571ce69c3 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -15,6 +15,6 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 59adaa8923..45d6749ef9 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -645,7 +645,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -687,7 +687,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7" target="_blank">', '</a>') }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -702,7 +702,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}</p>
-            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.4" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#3.4" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -720,7 +720,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#10" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#10" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#3.5" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -736,7 +736,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCPU Affinity Rules:%s This feature makes it possible to bind HAProxy's processes/threads to a specific CPU (or a CPU set). Furthermore it is possible to select CPU Affinity Rules in %sPublic Services%s to restrict them to a certain set of processes/threads/CPUs.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#process" target="_blank">', '</a>','<a href="http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#process" target="_blank">', '</a>','<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>

From 470a8d204aa970f38ba5ffd4c143334c26b8f290 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 9 Feb 2021 23:32:59 +0100
Subject: [PATCH 0438/3088] net/haproxy: guard service against broken configs,
 add config diff

---
 net/haproxy/pkg-descr                         |  4 +++
 .../OPNsense/HAProxy/Api/ExportController.php | 11 ++++++
 .../app/views/OPNsense/HAProxy/export.volt    | 36 +++++++++++++++++++
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 30 +++-------------
 .../scripts/OPNsense/HAProxy/setup.sh         | 10 ++++++
 .../conf/actions.d/actions_haproxy.conf       | 18 ++++++----
 .../templates/OPNsense/HAProxy/+TARGETS       |  2 +-
 7 files changed, 79 insertions(+), 32 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 122f677897..902dc499e7 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -14,9 +14,12 @@ Added:
 * add global option to enable old buggy behaviour for PROXY v2 connections
 * add support for HTTP/2 in health checks
 * add config export (#2035)
+* add config diff
+* guard against broken config by using a staging config file
 
 Fixed:
 * fix maintenance page (python error: 'list' object has no attribute 'strip')
+* prevent service outage by aborting "Apply" when configtest fails
 
 Changed:
 * change default SSL version to TLSv1.2 (ssl-min-ver)
@@ -26,6 +29,7 @@ Changed:
 * change default for tune.ssl.default-dh-param from 1024 to 2048
 * use new "http-check send" command for HTTP health checks
 * change default for spreadChecks from 0 to 2
+* no longer overwrite live config file when running a syntax check
 
 2.26
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
index 89f9df4ca1..5a3cd58f9b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
@@ -52,6 +52,17 @@ public function configAction()
         return array("response" => $response);
     }
 
+    /**
+     * get config diff
+     * @return string
+     */
+    public function diffAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("haproxy configdiff");
+        return array("response" => $response);
+    }
+
     /**
      * download config file or config archive
      * @return array|mixed
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
index e9134da578..ccfbb5f95d 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
@@ -39,6 +39,35 @@ POSSIBILITY OF SUCH DAMAGE.
         }
         update_showconf();
 
+        /**
+         * show HAProxy config diff
+         */
+        function update_showdiff() {
+            ajaxCall(url="/api/haproxy/export/diff/", sendData={}, callback=function(data,status) {
+                diff = '';
+                var lines = data['response'].split("\n");
+                $.each(lines, function(n, line) {
+                    switch(line.substring(0,1)) {
+                        case '+':
+                            color = '#3bbb33';
+                            break;
+                        case '-':
+                            color = '#c13928';
+                            break;
+                        case '@':
+                            color = '#3bb9c3';
+                            break;
+                        default:
+                            color = '#000000';
+                    }
+                    diff += '<span style="color: ' + color + '; white-space: pre-wrap; font-family: monospace;">' + line + '</span><br>';
+
+                });
+                $("#showdiff").append(diff);
+            });
+        }
+        update_showdiff();
+
         /**
          * download HAProxy config
          */
@@ -66,6 +95,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <ul class="nav nav-tabs" role="tablist" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#export"><b>{{ lang._('Config Export') }}</b></a></li>
+    <li><a data-toggle="tab" href="#diff">{{ lang._('Config Diff') }}</a></li>
 </ul>
 
 <div class="content-box tab-content">
@@ -81,6 +111,12 @@ POSSIBILITY OF SUCH DAMAGE.
         </div>
     </div>
 
+    <div id="diff" class="tab-pane fade in">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            <div id="showdiff"></div>
+        </div>
+    </div>
+
 </div>
 
 {{ partial("layout_partials/base_dialog_processing") }}
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 45d6749ef9..fe86bf89c0 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -313,29 +313,9 @@ POSSIBILITY OF SUCH DAMAGE.
                 if (data['result'].indexOf('ALERT') > -1) {
                     BootstrapDialog.show({
                         type: BootstrapDialog.TYPE_DANGER,
-                        title: "{{ lang._('HAProxy config contains critical errors') }}",
-                        message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Try anyway?') }}",
+                        title: "{{ lang._('HAProxy configtest found critical errors') }}",
+                        message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Run syntax check for further details.') }}",
                         buttons: [{
-                            label: '{{ lang._('Continue') }}',
-                            cssClass: 'btn-primary',
-                            action: function(dlg){
-                                ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
-                                    if (status != "success" || data['status'] != 'ok') {
-                                        BootstrapDialog.show({
-                                            type: BootstrapDialog.TYPE_WARNING,
-                                            title: "{{ lang._('Error reconfiguring HAProxy') }}",
-                                            message: data['status'],
-                                            draggable: true
-                                        });
-                                    }
-                                });
-                                // when done, disable progress animation
-                                $('[id*="reconfigureAct_progress"]').each(function(){
-                                    $(this).removeClass("fa fa-spinner fa-pulse");
-                                });
-                                dlg.close();
-                            }
-                        }, {
                             icon: 'fa fa-trash-o',
                             label: '{{ lang._('Abort') }}',
                             action: function(dlg){
@@ -385,21 +365,21 @@ POSSIBILITY OF SUCH DAMAGE.
                 if (data['result'].indexOf('ALERT') > -1) {
                     BootstrapDialog.show({
                         type: BootstrapDialog.TYPE_DANGER,
-                        title: "{{ lang._('HAProxy config contains critical errors') }}",
+                        title: "{{ lang._('HAProxy configtest found critical errors') }}",
                         message: data['result'],
                         draggable: true
                     });
                 } else if (data['result'].indexOf('WARNING') > -1) {
                     BootstrapDialog.show({
                         type: BootstrapDialog.TYPE_WARNING,
-                        title: "{{ lang._('HAProxy config contains minor errors') }}",
+                        title: "{{ lang._('HAProxy configtest found minor errors') }}",
                         message: data['result'],
                         draggable: true
                     });
                 } else {
                     BootstrapDialog.show({
                         type: BootstrapDialog.TYPE_WARNING,
-                        title: "{{ lang._('HAProxy config test result') }}",
+                        title: "{{ lang._('HAProxy configtest result') }}",
                         message: "{{ lang._('Your HAProxy config contains no errors.') }}",
                         draggable: true
                     });
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
index cb88ee64dc..ca8cd48dc8 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
@@ -18,4 +18,14 @@ find /var/haproxy -type d -exec chmod 550 {} \;
 /usr/local/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php > /dev/null 2>&1
 /usr/local/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php > /dev/null 2>&1
 
+# deploy new config
+case "$1" in
+deploy)
+    # run syntax check against newly generated config
+    if /usr/local/sbin/haproxy -c -f /usr/local/etc/haproxy.conf.staging > /dev/null 2>&1; then
+        cp /usr/local/etc/haproxy.conf.staging /usr/local/etc/haproxy.conf
+    fi
+    ;;
+esac
+
 exit 0
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index e23f091f61..07341474e7 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -5,7 +5,7 @@ type:script_output
 message:setup haproxy service requirements
 
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh start
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh deploy; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh start
 parameters:
 type:script
 message:starting haproxy
@@ -17,19 +17,19 @@ type:script
 message:stopping haproxy
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh restart
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh deploy; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh restart
 parameters:
 type:script
 message:restarting haproxy
 
 [reload]
-command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh reload || /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh restart
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh deploy; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh reload || /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh restart
 parameters:
 type:script
 message:reloading haproxy
 
 [configtest]
-command:/usr/local/etc/rc.d/haproxy configtest 2>&1 || exit 0
+command:/usr/local/sbin/haproxy -c -f /usr/local/etc/haproxy.conf.staging 2>&1 || exit 0
 parameters:
 type:script_output
 message:testing haproxy configuration
@@ -102,14 +102,20 @@ message:Sync ssl certificates into HAProxy memory for all frontends
 description:Sync ssl certificates changes into HAProxy memory
 
 [showconf]
-command:test -f /usr/local/etc/haproxy.conf && cat /usr/local/etc/haproxy.conf
+command:test -f /usr/local/etc/haproxy.conf.staging && cat /usr/local/etc/haproxy.conf.staging
 parameters:
 type:script_output
 message:show haproxy config
 
 [exportall]
-command:/usr/local/bin/zip -r /tmp/haproxy_config_export.zip /tmp/haproxy /usr/local/etc/haproxy.conf
+command:/usr/local/bin/zip -r /tmp/haproxy_config_export.zip /tmp/haproxy /usr/local/etc/haproxy.conf.staging
 parameters:
 type:script_output
 message:show haproxy config
 
+[configdiff]
+command:/usr/bin/diff -Naur /usr/local/etc/haproxy.conf /usr/local/etc/haproxy.conf.staging; exit 0
+parameters:
+type:script_output
+message:diff haproxy config
+
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
index a8fa7728cf..389191f4d7 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
@@ -1,3 +1,3 @@
-haproxy.conf:/usr/local/etc/haproxy.conf
+haproxy.conf:/usr/local/etc/haproxy.conf.staging
 rc.conf.d:/etc/rc.conf.d/haproxy
 sslCerts.yaml:/usr/local/etc/haproxy/sslCerts.yaml
\ No newline at end of file

From 9ae43dc1f8b14af6957893156eb8e3fc358d6ff3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 10 Feb 2021 15:06:07 +0100
Subject: [PATCH 0439/3088] net/haproxy: add link to Config Diff page, fix
 direct tab links

---
 net/haproxy/pkg-descr                                 |  1 +
 .../mvc/app/views/OPNsense/HAProxy/export.volt        | 10 ++++++++++
 .../mvc/app/views/OPNsense/HAProxy/index.volt         |  2 +-
 .../mvc/app/views/OPNsense/HAProxy/statistics.volt    | 11 +++++++++++
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 902dc499e7..511582ebec 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -20,6 +20,7 @@ Added:
 Fixed:
 * fix maintenance page (python error: 'list' object has no attribute 'strip')
 * prevent service outage by aborting "Apply" when configtest fails
+* fix direct links to individual statistics tabs
 
 Changed:
 * change default SSL version to TLSv1.2 (ssl-min-ver)
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
index ccfbb5f95d..9b4d7d0721 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
@@ -90,6 +90,16 @@ POSSIBILITY OF SUCH DAMAGE.
             });
         });
 
+        // update history on tab state and implement navigation
+        if(window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click()
+        }
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+        $(window).on('hashchange', function(e) {
+            $('a[href="' + window.location.hash + '"]').click()
+        });
     });
 </script>
 
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index fe86bf89c0..e9fa6c2e09 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -314,7 +314,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     BootstrapDialog.show({
                         type: BootstrapDialog.TYPE_DANGER,
                         title: "{{ lang._('HAProxy configtest found critical errors') }}",
-                        message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Run syntax check for further details.') }}",
+                        message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Run syntax check for further details or review the changes in the %sConfiguration Diff%s.')|format('<a href=\"/ui/haproxy/export#diff\">','</a>') }}",
                         buttons: [{
                             icon: 'fa fa-trash-o',
                             label: '{{ lang._('Abort') }}',
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/statistics.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/statistics.volt
index 52be520da7..1f2c4085dd 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/statistics.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/statistics.volt
@@ -157,6 +157,17 @@ POSSIBILITY OF SUCH DAMAGE.
         $("#update-status").click();
         $("#update-counters").click();
         $("#update-tables").click();
+
+        // update history on tab state and implement navigation
+        if(window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click()
+        }
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+        $(window).on('hashchange', function(e) {
+            $('a[href="' + window.location.hash + '"]').click()
+        });
     });
 </script>
 

From d5b7a679b86f9af1e46bf6920c37a38aa15d0ec9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 15 Feb 2021 23:44:28 +0100
Subject: [PATCH 0440/3088] net/haproxy: add basic OCSP stapling support,
 closes #1430

---
 net/haproxy/pkg-descr                         |  2 +
 .../HAProxy/forms/generalSettings.xml         |  6 ++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  4 ++
 .../scripts/OPNsense/HAProxy/exportCerts.php  |  6 ++
 .../scripts/OPNsense/HAProxy/setup.sh         |  9 +++
 .../scripts/OPNsense/HAProxy/updateOcsp.sh    | 70 +++++++++++++++++++
 .../conf/actions.d/actions_haproxy.conf       |  9 +++
 .../templates/OPNsense/HAProxy/rc.conf.d      |  5 ++
 8 files changed, 111 insertions(+)
 create mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 511582ebec..3c0d71c5f2 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -16,6 +16,7 @@ Added:
 * add config export (#2035)
 * add config diff
 * guard against broken config by using a staging config file
+* add basic OCSP stapling support (#1430)
 
 Fixed:
 * fix maintenance page (python error: 'list' object has no attribute 'strip')
@@ -31,6 +32,7 @@ Changed:
 * use new "http-check send" command for HTTP health checks
 * change default for spreadChecks from 0 to 2
 * no longer overwrite live config file when running a syntax check
+* make restart/reload commands usable in cron jobs
 
 2.26
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
index 78d7ce4b2a..5869a62e64 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
@@ -21,6 +21,12 @@
         <type>checkbox</type>
         <help><![CDATA[HAProxy will handle service restarts in a way that no connections are dropped. This is the best restart mode, because it has no impact on user experience. That being said, there might be edge cases where seamless reloads lead to unexpected behaviour.]]></help>
     </field>
+    <field>
+        <id>haproxy.general.storeOcsp</id>
+        <label>Store OCSP responses</label>
+        <type>checkbox</type>
+        <help><![CDATA[Retrieve OCSP data everytime when starting or restarting HAProxy. For every certificate, the OCSP response will be fetched and stored in filesystem, and automatically picked-up by HAProxy on startup. However, depending on the number of certificates and other circumstances, this may noticeably increase the time required to start/restart the HAProxy service. Note that this only updates the OCSP responses during start/restart, you need to setup a cron job to periodically update this data too.]]></help>
+    </field>
     <field>
         <id>haproxy.general.showIntro</id>
         <label>Show introduction pages</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 3cb8e5b2e4..89d711a031 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -16,6 +16,10 @@
                 <default>0</default>
                 <Required>Y</Required>
             </seamlessReload>
+            <storeOcsp type="BooleanField">
+                <default>0</default>
+                <Required>N</Required>
+            </storeOcsp>
             <showIntro type="BooleanField">
                 <default>1</default>
             </showIntro>
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index ea4c086f55..7bfa268199 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -80,7 +80,13 @@
                                             if (!empty((string)$cert->caref)) {
                                                 $cert = (array)$cert;
                                                 $ca = ca_chain($cert);
+                                                // append the CA to the certificate data
                                                 $pem_content .= "\n" . $ca;
+                                                // additionally export CA to it's own file,
+                                                // not required for HAProxy, but makes OCSP handling easier
+                                                $output_ca_filename = $export_path . $cert_refid . ".issuer";
+                                                file_put_contents($output_ca_filename, $ca);
+                                                chmod($output_ca_filename, 0600);
                                             }
                                         }
                                         // generate pem file for individual certs
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
index ca8cd48dc8..8dc393461a 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
@@ -1,5 +1,9 @@
 #!/bin/sh
 
+if [ -f /etc/rc.conf.d/haproxy ]; then
+. /etc/rc.conf.d/haproxy
+fi
+
 # NOTE: Keep /var/haproxy on this list, see GH issue opnsense/plugins #39.
 HAPROXY_DIRS="/var/haproxy /var/haproxy/var/run /tmp/haproxy /tmp/haproxy/ssl /tmp/haproxy/lua /tmp/haproxy/errorfiles /tmp/haproxy/mapfiles"
 
@@ -18,6 +22,11 @@ find /var/haproxy -type d -exec chmod 550 {} \;
 /usr/local/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php > /dev/null 2>&1
 /usr/local/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php > /dev/null 2>&1
 
+# update OCSP data
+if [ "${haproxy_ocsp}" == "YES" ]; then
+  /usr/local/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh > /dev/null 2>&1
+fi
+
 # deploy new config
 case "$1" in
 deploy)
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
new file mode 100755
index 0000000000..12c4c8724e
--- /dev/null
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+# This file is based on:
+# https://github.com/acmesh-official/acme.sh/blob/master/deploy/haproxy.sh
+#
+# Copyright (C) 2021 Neil Pang
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+HAPROXY_DIR="/tmp/haproxy/ssl"
+
+for _pem in "$HAPROXY_DIR"/*.pem; do
+    cert_file="$(basename "$_pem")"
+    _issuer="${HAPROXY_DIR}/${cert_file%.pem}.issuer"
+    _ocsp="${_pem}.ocsp"
+    cert_cn="$(openssl x509 -in "$_pem" -noout -text | sed -nE 's/.*Subject:.*CN = ([^,]*)(,.*)?$/\1/p')"
+
+    if [ ! -f "$_issuer" ]; then
+        continue
+    fi
+
+    if [ -r "${_issuer}" ]; then
+        _ocsp_url="$(openssl x509 -noout -ocsp_uri -in "$_pem")"
+        if [ -n "$_ocsp_url" ]; then
+            _ocsp_host="$(echo "$_ocsp_url" | cut -d/ -f3)"
+            subjectdn="$(openssl x509 -in "$_issuer" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)"
+            issuerdn="$(openssl x509 -in "$_issuer" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)"
+            if [ "$subjectdn" = "$issuerdn" ]; then
+                _cafile_argument="-CAfile \"${_issuer}\""
+            else
+                _cafile_argument=""
+            fi
+            _openssl_version=$(openssl version | cut -d' ' -f2)
+            _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
+            _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
+            if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
+                _header_sep="="
+            else
+                _header_sep=" "
+            fi
+
+            _openssl_ocsp_cmd="openssl ocsp \
+                -issuer \"${_issuer}\" \
+                -cert \"${_pem}\" \
+                -url \"${_ocsp_url}\" \
+                -header Host${_header_sep}\"${_ocsp_host}\" \
+                -respout \"${_ocsp}\" \
+                -verify_other \"${_issuer}\" \
+                ${_cafile_argument} \
+                | grep -q \"${_pem}: good\""
+
+            eval "${_openssl_ocsp_cmd}"
+            _ret=$?
+
+            if [ "${_ret}" != "0" ]; then
+                echo "Updating OCSP stapling failed with return code ${_ret}"
+            fi
+        fi
+    fi
+done
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index 07341474e7..1e45bc9549 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -20,12 +20,14 @@ message:stopping haproxy
 command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh deploy; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh restart
 parameters:
 type:script
+description:Restart HAProxy service
 message:restarting haproxy
 
 [reload]
 command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh deploy; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh reload || /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh restart
 parameters:
 type:script
+description:Reload HAProxy service
 message:reloading haproxy
 
 [configtest]
@@ -119,3 +121,10 @@ parameters:
 type:script_output
 message:diff haproxy config
 
+[update_ocsp]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
+parameters:
+type:script_output
+description:Update HAProxy OCSP data
+message:update haproxy ocsp data
+
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
index 50cee173c1..261881284a 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
@@ -3,6 +3,11 @@ haproxy_enable=YES
 haproxy_var_script="/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh"
 haproxy_pidfile="/var/run/haproxy.pid"
 haproxy_config="/usr/local/etc/haproxy.conf"
+{% if helpers.exists('OPNsense.HAProxy.general.storeOcsp') and OPNsense.HAProxy.general.storeOcsp|default("0") == "1" %}
+haproxy_ocsp=YES
+{% else %}
+haproxy_ocsp=NO
+{% endif %}
 {% if helpers.exists('OPNsense.HAProxy.general.gracefulStop') and OPNsense.HAProxy.general.gracefulStop|default("0") == "1" %}
 haproxy_hardstop=NO
 {% else %}

From bf6a08d3381910515f0c1ca33220a4612ae9ea82 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 18 Feb 2021 21:46:46 +0100
Subject: [PATCH 0441/3088] net/haproxy: show a message when config files are
 identical

---
 .../app/views/OPNsense/HAProxy/export.volt    | 40 ++++++++++---------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
index 9b4d7d0721..160d93df9b 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
@@ -45,24 +45,28 @@ POSSIBILITY OF SUCH DAMAGE.
         function update_showdiff() {
             ajaxCall(url="/api/haproxy/export/diff/", sendData={}, callback=function(data,status) {
                 diff = '';
-                var lines = data['response'].split("\n");
-                $.each(lines, function(n, line) {
-                    switch(line.substring(0,1)) {
-                        case '+':
-                            color = '#3bbb33';
-                            break;
-                        case '-':
-                            color = '#c13928';
-                            break;
-                        case '@':
-                            color = '#3bb9c3';
-                            break;
-                        default:
-                            color = '#000000';
-                    }
-                    diff += '<span style="color: ' + color + '; white-space: pre-wrap; font-family: monospace;">' + line + '</span><br>';
-
-                });
+                if (data['response'] && data['response'].trim()) {
+                    var lines = data['response'].split("\n");
+                    $.each(lines, function(n, line) {
+                        switch(line.substring(0,1)) {
+                            case '+':
+                                color = '#3bbb33';
+                                break;
+                            case '-':
+                                color = '#c13928';
+                                break;
+                            case '@':
+                                color = '#3bb9c3';
+                                break;
+                            default:
+                                color = '#000000';
+                        }
+                        diff += '<span style="color: ' + color + '; white-space: pre-wrap; font-family: monospace;">' + line + '</span><br>';
+
+                    });
+                } else {
+                    diff = "<br><span style=\"color: #000000; white-space: pre-wrap; font-family: monospace;\"> {{ lang._('New and old config files are identical.') }}</span><br>";
+                }
                 $("#showdiff").append(diff);
             });
         }

From 8189ff71dff5c52f6bf4cd7f0c2d81a1229d3695 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 18 Feb 2021 23:24:44 +0100
Subject: [PATCH 0442/3088] net/haproxy: add support for e-mail alerts and
 mailers, closes #1669

---
 net/haproxy/pkg-descr                         |  1 +
 .../HAProxy/Api/SettingsController.php        | 30 ++++++++
 .../OPNsense/HAProxy/IndexController.php      |  1 +
 .../OPNsense/HAProxy/forms/dialogBackend.xml  |  6 ++
 .../OPNsense/HAProxy/forms/dialogMailer.xml   | 61 ++++++++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 71 +++++++++++++++++++
 .../app/models/OPNsense/HAProxy/Menu/Menu.xml |  1 +
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 50 +++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 40 +++++++++++
 9 files changed, 261 insertions(+)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMailer.xml

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 3c0d71c5f2..dab4836e58 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -17,6 +17,7 @@ Added:
 * add config diff
 * guard against broken config by using a staging config file
 * add basic OCSP stapling support (#1430)
+* add support for e-mail alerts and mailers (#1669)
 
 Fixed:
 * fix maintenance page (python error: 'list' object has no attribute 'strip')
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index ef5f8f65d4..0cd365dc45 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -409,4 +409,34 @@ public function searchresolversAction()
     {
         return $this->searchBase('resolvers.resolver', array('enabled', 'name', 'nameservers'), 'name');
     }
+
+    public function getmailerAction($uuid = null)
+    {
+        return $this->getBase('mailer', 'mailers.mailer', $uuid);
+    }
+
+    public function setmailerAction($uuid)
+    {
+        return $this->setBase('mailer', 'mailers.mailer', $uuid);
+    }
+
+    public function addmailerAction()
+    {
+        return $this->addBase('mailer', 'mailers.mailer');
+    }
+
+    public function delmailerAction($uuid)
+    {
+        return $this->delBase('mailers.mailer', $uuid);
+    }
+
+    public function togglemailerAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase('mailers.mailer', $uuid);
+    }
+
+    public function searchmailersAction()
+    {
+        return $this->searchBase('mailers.mailer', array('enabled', 'name', 'mailservers', 'sender', 'recipient'), 'name');
+    }
 }
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
index 141fac3e51..8e2b52f65b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
@@ -53,6 +53,7 @@ public function indexAction()
         $this->view->formDialogGroup = $this->getForm("dialogGroup");
         $this->view->formDialogHealthcheck = $this->getForm("dialogHealthcheck");
         $this->view->formDialogLua = $this->getForm("dialogLua");
+        $this->view->formDialogMailer = $this->getForm("dialogMailer");
         $this->view->formDialogMapfile = $this->getForm("dialogMapfile");
         $this->view->formDialogResolver = $this->getForm("dialogResolver");
         $this->view->formDialogServer = $this->getForm("dialogServer");
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 4744fb03c6..a17a99b86c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -119,6 +119,12 @@
         <help><![CDATA[The number of consecutive successful health checks before a server is considered as available.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>backend.linkedMailer</id>
+        <label>E-Mail Alert</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select an e-mail alert configuration. An e-mail is sent when the state of a server changes.]]></help>
+    </field>
     <field>
         <label>HTTP(S) settings</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMailer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMailer.xml
new file mode 100644
index 0000000000..cbede5c7cc
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMailer.xml
@@ -0,0 +1,61 @@
+<form>
+    <field>
+        <id>mailer.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable this mailer configuration.</help>
+    </field>
+    <field>
+        <id>mailer.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Choose a name for this mailer configuration.</help>
+    </field>
+    <field>
+        <id>mailer.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Choose a optional description for this mailer configuration.</help>
+    </field>
+    <field>
+        <id>mailer.mailservers</id>
+        <label>Mail Servers</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <sortable>true</sortable>
+        <help><![CDATA[Add mailservers to this mailer configuration, i.e. 192.168.1.1:25. Use TAB key to complete typing.]]></help>
+        <hint>Enter ip:port here. Finish with TAB.</hint>
+    </field>
+    <field>
+        <id>mailer.sender</id>
+        <label>Mail Sender</label>
+        <type>text</type>
+        <help><![CDATA[Declare the from email address to be used in both the envelope and header of email alerts.]]></help>
+    </field>
+    <field>
+        <id>mailer.recipient</id>
+        <label>Mail Recipient</label>
+        <type>text</type>
+        <help><![CDATA[Declare both the recipient address in the envelope and to address in the header of email alerts.]]></help>
+    </field>
+    <field>
+        <id>mailer.loglevel</id>
+        <label>Alert Log Level</label>
+        <type>dropdown</type>
+        <help><![CDATA[Declare the maximum log level of messages for which email alerts will be sent. This acts as a filter on the sending of email alerts.]]></help>
+    </field>
+    <field>
+        <id>mailer.timeout</id>
+        <label>Timeout</label>
+        <type>text</type>
+        <help><![CDATA[Defines the time (in seconds) available for a mail/connection to be made and send to the mail server.]]></help>
+    </field>
+    <field>
+        <id>mailer.hostname</id>
+        <label>Hostname</label>
+        <type>text</type>
+        <help><![CDATA[Declare the to hostname address to be used when communicating with mailers.]]></help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 89d711a031..7e2086bd91 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -928,6 +928,18 @@
                     <ValidationMessage>Please specify a value between 1 and 100.</ValidationMessage>
                     <Required>N</Required>
                 </healthCheckRise>
+                <linkedMailer type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>mailers.mailer</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related mailer not found</ValidationMessage>
+                    <multiple>N</multiple>
+                    <Required>N</Required>
+                </linkedMailer>
                 <http2Enabled type="BooleanField">
                     <default>0</default>
                     <Required>N</Required>
@@ -2623,5 +2635,64 @@
                 </timeout_retry>
             </resolver>
         </resolvers>
+        <mailers>
+            <mailer type="ArrayField">
+                <id type="UniqueIdField">
+                    <Required>Y</Required>
+                </id>
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>Y</Required>
+                </name>
+                <description type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                </description>
+                <mailservers type="CSVListField">
+                    <Required>Y</Required>
+                    <Sorted>Y</Sorted>
+                    <multiple>Y</multiple>
+                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</mask>
+                    <ChangeCase>lower</ChangeCase>
+                    <ValidationMessage>Please provide mailserver addresses, i.e. 192.168.1.1:25.</ValidationMessage>
+                </mailservers>
+                <sender type="EmailField">
+                    <Required>Y</Required>
+                </sender>
+                <recipient type="EmailField">
+                    <Required>Y</Required>
+                </recipient>
+                <loglevel type="OptionField">
+                    <Required>Y</Required>
+                    <default>alert</default>
+                    <OptionValues>
+                        <emerg>emerg</emerg>
+                        <alert>alert</alert>
+                        <crit>crit</crit>
+                        <err>err</err>
+                        <warning>warning</warning>
+                        <notice>notice</notice>
+                        <info>info</info>
+                        <debug>debug</debug>
+                    </OptionValues>
+                </loglevel>
+                <timeout type="TextField">
+                    <default>30</default>
+                    <MinimumValue>4</MinimumValue>
+                    <MaximumValue>10000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 4 and 10000 seconds.</ValidationMessage>
+                    <Required>Y</Required>
+                </timeout>
+                <hostname type="HostnameField">
+                    <Required>N</Required>
+                </hostname>
+            </mailer>
+        </mailers>
     </items>
 </model>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
index 520fcc7c3d..0d78bf3eb3 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
@@ -21,6 +21,7 @@
               <Errorfiles VisibleName="Error Files" url="/ui/haproxy#errorfiles"/>
               <Mapfiles VisibleName="Map Files" url="/ui/haproxy#mapfiles"/>
               <Resolvers VisibleName="Resolvers" url="/ui/haproxy#resolvers"/>
+              <Mailers VisibleName="E-Mail Alerts" url="/ui/haproxy#mailers"/>
           </Settings>
           <Statistics order="20" url="/ui/haproxy/statistics">
               <Overview VisibleName="Overview" url="/ui/haproxy/statistics#info"/>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index e9fa6c2e09..bbb6586802 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -212,6 +212,19 @@ POSSIBILITY OF SUCH DAMAGE.
             }
         );
 
+        $("#grid-mailers").UIBootgrid(
+            {   search:'/api/haproxy/settings/searchMailers',
+                get:'/api/haproxy/settings/getMailer/',
+                set:'/api/haproxy/settings/setMailer/',
+                add:'/api/haproxy/settings/addMailer/',
+                del:'/api/haproxy/settings/delMailer/',
+                toggle:'/api/haproxy/settings/toggleMailer/',
+                options: {
+                    rowCount:[10,25,50,100,500,1000]
+                }
+            }
+        );
+
         // hook into on-show event for dialog to extend layout.
         $('#DialogAcl').on('shown.bs.modal', function (e) {
             $("#acl\\.expression").change(function(){
@@ -608,6 +621,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <li><a data-toggle="tab" href="#mapfiles">{{ lang._('Map Files') }}</a></li>
             <li><a data-toggle="tab" href="#cpus">{{ lang._('CPU Affinity Rules') }}</a></li>
             <li><a data-toggle="tab" href="#resolvers">{{ lang._('Resolvers') }}</a></li>
+            <li><a data-toggle="tab" href="#mailers">{{ lang._('E-Mail Alerts') }}</a></li>
         </ul>
     </li>
 </ul>
@@ -715,6 +729,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sMap Files:%s A map allows to map a data in input to an other one on output. For example, this makes it possible to map a large number of domains to backend pools without using the GUI. Map files need to be used in %sRules%s, otherwise they are ignored.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sCPU Affinity Rules:%s This feature makes it possible to bind HAProxy's processes/threads to a specific CPU (or a CPU set). Furthermore it is possible to select CPU Affinity Rules in %sPublic Services%s to restrict them to a certain set of processes/threads/CPUs.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
+              <li>{{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#process" target="_blank">', '</a>','<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
@@ -1149,6 +1164,40 @@ POSSIBILITY OF SUCH DAMAGE.
         </div>
     </div>
 
+    <div id="mailers" class="tab-pane fade">
+        <table id="grid-mailers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogMailer">
+            <thead>
+            <tr>
+                <th data-column-id="mailerid" data-type="number"  data-visible="false">{{ lang._('Mailer ID') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                <th data-column-id="Sender" data-type="string">{{ lang._('Sender') }}</th>
+                <th data-column-id="Recipient" data-type="string">{{ lang._('Recipient') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+        <div class="col-md-12">
+            <hr/>
+            <button class="btn btn-primary" id="reconfigureAct-mailers" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
+            <button class="btn btn-primary" id="configtestAct-mailers" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
+            <br/>
+            <br/>
+        </div>
+    </div>
+
     <!-- subtabs for general "Settings" tab below -->
     <div id="general-settings" class="tab-pane fade">
         <div class="content-box" style="padding-bottom: 1.5em;">
@@ -1242,3 +1291,4 @@ POSSIBILITY OF SUCH DAMAGE.
 {{ partial("layout_partials/base_dialog",['fields':formDialogMapfile,'id':'DialogMapfile','label':lang._('Edit Map File')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogCpu,'id':'DialogCpu','label':lang._('Edit CPU Affinity Rule')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogResolver,'id':'DialogResolver','label':lang._('Edit Resolver')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogMailer,'id':'DialogMailer','label':lang._('Edit E-Mail Alert')])}}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 8f3ce54f14..64f07b7cb4 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1049,6 +1049,29 @@ resolvers {{resolver.id}}
 {%   endfor %}
 {%- endif -%}
 
+{# ############################### #}
+{#              MAILERS            #}
+{# ############################### #}
+
+{% if helpers.exists('OPNsense.HAProxy.mailers') %}
+{%   for mailer in helpers.toList('OPNsense.HAProxy.mailers.mailer') %}
+{%     if mailer.enabled == '1' %}
+# Mailer: {{mailer.name}}
+mailers {{mailer.id}}
+    timeout mail {{mailer.timeout}}s
+{%       if mailer.mailservers|default("") != "" %}
+{%         for mailserver in mailer.mailservers.split(",") %}
+    mailer {{mailserver}} {{mailserver}}
+{%         endfor %}
+{%       endif %}
+
+{%     else %}
+# Mailer (DISABLED): {{mailer.name}}
+
+{%     endif %}
+{%   endfor %}
+{%- endif -%}
+
 {# ############################### #}
 {#             FRONTENDS           #}
 {# ############################### #}
@@ -1353,6 +1376,23 @@ backend {{backend.name}}
     # health checking is DISABLED
 {%         set healthcheck_enabled = '0' %}
 {%       endif %}
+{# # mailer #}
+{%       if backend.linkedMailer|default("") != "" %}
+{%         set mailer_data = helpers.getUUID(backend.linkedMailer) %}
+{%         if mailer_data == {} %}
+# ERROR: mailer data not found ({{backend.linkedMailer}})
+{%         elif mailer_data.enabled == '0' %}
+# NOTE: specified mailer is disabled ({{mailer_data.name}})
+{%         else %}
+    email-alert mailers {{mailer_data.id}}
+    email-alert from {{mailer_data.sender}}
+    email-alert to {{mailer_data.recipient}}
+    email-alert level {{mailer_data.loglevel}}
+{%           if mailer_data.hostname|default("") != "" %}
+    email-alert myhostname {{mailer_data.hostname}}
+{%           endif %}
+{%         endif %}
+{%       endif %}
 {#       # NOTE: Usually the frontend and the backend are in the same mode,  #}
 {#       #       but we have no way to know what frontend uses this backend. #}
 {#       #       Hence we can't automatically set the mode and thus need a   #}

From 63dde5fc65ec670a3f698cf7609d38dc8d0cc289 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 19 Feb 2021 00:18:01 +0100
Subject: [PATCH 0443/3088] net/haproxy: add support for custom header checks,
 closes #1907

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/dialogAcl.xml      | 85 +++++++++++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 55 ++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 35 ++++++++
 4 files changed, 176 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index dab4836e58..9ace5e7874 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -18,6 +18,7 @@ Added:
 * guard against broken config by using a staging config file
 * add basic OCSP stapling support (#1430)
 * add support for e-mail alerts and mailers (#1669)
+* add support for custom header checks (#1907)
 
 Fixed:
 * fix maintenance page (python error: 'list' object has no attribute 'strip')
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index a0a7a5b7c7..3d5bb47cd4 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -148,6 +148,91 @@
         <type>text</type>
         <help><![CDATA[HTTP request URL path contains string (substring match)]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_cust_hdr_beg</style>
+    </field>
+    <field>
+        <id>acl.cust_hdr_beg_name</id>
+        <label>Header Name</label>
+        <type>text</type>
+        <help><![CDATA[The name of the HTTP Header.]]></help>
+    </field>
+    <field>
+        <id>acl.cust_hdr_beg</id>
+        <label>Header Prefix</label>
+        <type>text</type>
+        <help><![CDATA[HTTP Header starts with string (prefix match)]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_cust_hdr_end</style>
+    </field>
+    <field>
+        <id>acl.cust_hdr_end_name</id>
+        <label>Header Name</label>
+        <type>text</type>
+        <help><![CDATA[The name of the HTTP Header.]]></help>
+    </field>
+    <field>
+        <id>acl.cust_hdr_end</id>
+        <label>Header Suffix</label>
+        <type>text</type>
+        <help><![CDATA[HTTP Header ends with string (suffix match)]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_cust_hdr</style>
+    </field>
+    <field>
+        <id>acl.cust_hdr_name</id>
+        <label>Header Name</label>
+        <type>text</type>
+        <help><![CDATA[The name of the HTTP Header.]]></help>
+    </field>
+    <field>
+        <id>acl.cust_hdr</id>
+        <label>Header Matches</label>
+        <type>text</type>
+        <help><![CDATA[HTTP Header matches exact string]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_cust_hdr_reg</style>
+    </field>
+    <field>
+        <id>acl.cust_hdr_reg_name</id>
+        <label>Header Name</label>
+        <type>text</type>
+        <help><![CDATA[The name of the HTTP Header.]]></help>
+    </field>
+    <field>
+        <id>acl.cust_hdr_reg</id>
+        <label>Header Regex</label>
+        <type>text</type>
+        <help><![CDATA[HTTP Header matches regular expression]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_cust_hdr_sub</style>
+    </field>
+    <field>
+        <id>acl.cust_hdr_sub_name</id>
+        <label>Header Name</label>
+        <type>text</type>
+        <help><![CDATA[The name of the HTTP Header.]]></help>
+    </field>
+    <field>
+        <id>acl.cust_hdr_sub</id>
+        <label>Header Contains</label>
+        <type>text</type>
+        <help><![CDATA[HTTP Header contains string (substring match)]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 7e2086bd91..211350c1f4 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1466,6 +1466,11 @@
                         <path_reg>Path regex</path_reg>
                         <path_dir>Path contains subdir</path_dir>
                         <path_sub>Path contains string</path_sub>
+                        <cust_hdr_beg>HTTP Header starts with</cust_hdr_beg>
+                        <cust_hdr_end>HTTP Header ends with</cust_hdr_end>
+                        <cust_hdr>HTTP Header matches</cust_hdr>
+                        <cust_hdr_reg>HTTP Header regex</cust_hdr_reg>
+                        <cust_hdr_sub>HTTP Header contains</cust_hdr_sub>
                         <url_param>URL parameter contains</url_param>
                         <ssl_c_verify>SSL Client certificate is valid</ssl_c_verify>
                         <ssl_c_verify_code>SSL Client certificate verify error result</ssl_c_verify_code>
@@ -1563,6 +1568,56 @@
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </path_sub>
+                <cust_hdr_beg_name type="TextField">
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_beg_name>
+                <cust_hdr_beg type="TextField">
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_beg>
+                <cust_hdr_end_name type="TextField">
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_end_name>
+                <cust_hdr_end type="TextField">
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_end>
+                <cust_hdr_name type="TextField">
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_name>
+                <cust_hdr type="TextField">
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr>
+                <cust_hdr_reg_name type="TextField">
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_reg_name>
+                <cust_hdr_reg type="TextField">
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_reg>
+                <cust_hdr_sub_name type="TextField">
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_sub_name>
+                <cust_hdr_sub type="TextField">
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </cust_hdr_sub>
                 <url_param type="TextField">
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 64f07b7cb4..5dff7a2f7a 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -158,6 +158,41 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'cust_hdr_beg' %}
+{%               if acl_data.cust_hdr_beg|default("") != "" and acl_data.cust_hdr_beg_name|default("") != "" %}
+{%                 do acl_options.append('hdr_beg(' ~ acl_data.cust_hdr_beg_name ~ ') -i ' ~ acl_data.cust_hdr_beg) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'cust_hdr_end' %}
+{%               if acl_data.cust_hdr_end|default("") != "" and acl_data.cust_hdr_end_name|default("") %}
+{%                 do acl_options.append('hdr_end(' ~ acl_data.cust_hdr_end_name ~ ') -i ' ~ acl_data.cust_hdr_end) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'cust_hdr' %}
+{%               if acl_data.cust_hdr|default("") != "" and acl_data.cust_hdr_name|default("") != "" %}
+{%                 do acl_options.append('hdr(' ~ acl_data.cust_hdr_name ~ ') -i ' ~ acl_data.cust_hdr) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'cust_hdr_reg' %}
+{%               if acl_data.cust_hdr_reg|default("") != "" and acl_data.cust_hdr_reg_name|default("") != "" %}
+{%                 do acl_options.append('hdr_reg(' ~ acl_data.cust_hdr_reg_name ~ ') -i ' ~ acl_data.cust_hdr_reg) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'cust_hdr_sub' %}
+{%               if acl_data.cust_hdr_sub|default("") != "" and acl_data.cust_hdr_sub_name|default("") != "" %}
+{%                 do acl_options.append('hdr_sub(' ~ acl_data.cust_hdr_sub_name ~ ') -i ' ~ acl_data.cust_hdr_sub) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'url_param' %}
 {%               if acl_data.url_param_value|default("") != "" and acl_data.url_param|default("") != "" %}
 {%                 do acl_options.append('url_param(' ~ acl_data.url_param ~ ') -i ' ~ acl_data.url_param_value) %}

From 1f07481bc3fe1ec012bfd162ac303434c2300e70 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 20 Feb 2021 01:41:14 +0100
Subject: [PATCH 0444/3088] net/haproxy: add support for server templates,
 closes #1975

---
 net/haproxy/pkg-descr                         |   4 +
 .../HAProxy/Api/SettingsController.php        |   2 +-
 .../OPNsense/HAProxy/forms/dialogBackend.xml  |  16 +
 .../OPNsense/HAProxy/forms/dialogServer.xml   |  58 +++-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  70 ++++-
 .../OPNsense/HAProxy/Migrations/M3_0_0.php    |  44 +++
 .../mvc/app/views/OPNsense/HAProxy/index.volt |  21 +-
 .../templates/OPNsense/HAProxy/haproxy.conf   | 274 ++++++++++--------
 8 files changed, 358 insertions(+), 131 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_0_0.php

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 9ace5e7874..a8d97d6955 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -19,6 +19,9 @@ Added:
 * add basic OCSP stapling support (#1430)
 * add support for e-mail alerts and mailers (#1669)
 * add support for custom header checks (#1907)
+* add support for server templates (#1975)
+* add support for additional resolver options (#1975)
+* add support for resolve-prefer option (#1975)
 
 Fixed:
 * fix maintenance page (python error: 'list' object has no attribute 'strip')
@@ -35,6 +38,7 @@ Changed:
 * change default for spreadChecks from 0 to 2
 * no longer overwrite live config file when running a syntax check
 * make restart/reload commands usable in cron jobs
+* relax GUI input validation for servers, move validation to jinja template (#1975)
 
 2.26
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index 0cd365dc45..e899a083d2 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -132,7 +132,7 @@ public function toggleServerAction($uuid, $enabled = null)
 
     public function searchServersAction()
     {
-        return $this->searchBase('servers.server', array('enabled', 'name', 'address', 'port', 'description'), 'name');
+        return $this->searchBase('servers.server', array('enabled', 'name', 'type', 'address', 'port', 'description'), 'name');
     }
 
     public function getHealthcheckAction($uuid = null)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index a17a99b86c..31e0eda988 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -61,6 +61,22 @@
         <help><![CDATA[Select the custom resolver configuration that should be used for all servers in this backend.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>backend.resolverOpts</id>
+        <label>Resolver Options</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Add resolver options. Use TAB key to complete typing.]]></help>
+        <hint>Type option name or choose from list.</hint>
+    </field>
+    <field>
+        <id>backend.resolvePrefer</id>
+        <label>Prefer IP Family</label>
+        <type>dropdown</type>
+        <help><![CDATA[When DNS resolution is enabled for a server and multiple IP addresses from different families are returned, HAProxy will prefer using an IP address from the selected family.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>backend.source</id>
         <label>Source address</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
index 0eede8c31d..1436580cf5 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -7,9 +7,9 @@
     </field>
     <field>
         <id>server.name</id>
-        <label>Name</label>
+        <label>Name or Prefix</label>
         <type>text</type>
-        <help>Name to identify this server.</help>
+        <help>Name to identify a static server. When creating a server template, then this prefix is used for the server names to be built.</help>
     </field>
     <field>
         <id>server.description</id>
@@ -17,6 +17,17 @@
         <type>text</type>
         <help>Description for this server.</help>
     </field>
+    <field>
+        <id>server.type</id>
+        <label>Type</label>
+        <type>dropdown</type>
+        <help>Either configure a static server or a template to initialize multiple servers with shared parameters.</help>
+    </field>
+    <field>
+        <label>Static Server</label>
+        <type>header</type>
+        <style>table_server_type table_server_type_static</style>
+    </field>
     <field>
         <id>server.address</id>
         <label>FQDN or IP</label>
@@ -24,6 +35,42 @@
         <help><![CDATA[Provide either the FQDN or the IP address of this server.]]></help>
         <hint>Enter server address.</hint>
     </field>
+    <field>
+        <label>Server Template</label>
+        <type>header</type>
+        <style>table_server_type table_server_type_template</style>
+    </field>
+    <field>
+        <id>server.serviceName</id>
+        <label>Service Name or FQDN</label>
+        <type>text</type>
+        <help><![CDATA[Provide either the FQDN for all the servers this template initializes or a service name to discover the available services via DNS SRV records.]]></help>
+    </field>
+    <field>
+        <id>server.number</id>
+        <label>Number of Servers</label>
+        <type>text</type>
+        <help><![CDATA[The number of servers this template initializes, i.e. 5 or 1-5.]]></help>
+    </field>
+    <field>
+        <id>server.linkedResolver</id>
+        <label>Resolvers</label>
+        <type>dropdown</type>
+        <help><![CDATA[Specify the resolver that the server template should look at to discover available services via DNS.]]></help>
+    </field>
+    <field>
+        <id>server.resolverOpts</id>
+        <label>Resolver Options</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Add resolver options. Use TAB key to complete typing.]]></help>
+        <hint>Type option name or choose from list.</hint>
+    </field>
+    <field>
+        <label>Common Options</label>
+        <type>header</type>
+    </field>
     <field>
         <id>server.port</id>
         <label>Port</label>
@@ -36,6 +83,13 @@
         <type>dropdown</type>
         <help><![CDATA[Sets the operation mode to use for this server.]]></help>
     </field>
+    <field>
+        <id>server.resolvePrefer</id>
+        <label>Prefer IP Family</label>
+        <type>dropdown</type>
+        <help><![CDATA[When DNS resolution is enabled for a server and multiple IP addresses from different families are returned, HAProxy will prefer using an IP address from the selected family.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>server.ssl</id>
         <label>SSL</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 211350c1f4..e889fb8f9f 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -880,6 +880,24 @@
                     <multiple>N</multiple>
                     <Required>N</Required>
                 </linkedResolver>
+                <resolverOpts type="OptionField">
+                    <Required>N</Required>
+                    <Sorted>Y</Sorted>
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <allow-dup-ip>allow-dup-ip</allow-dup-ip>
+                        <ignore-weight>ignore-weight</ignore-weight>
+                        <prevent-dup-ip>prevent-dup-ip</prevent-dup-ip>
+                    </OptionValues>
+                </resolverOpts>
+                <resolvePrefer type="OptionField">
+                    <Required>N</Required>
+                    <Multiple>N</Multiple>
+                    <OptionValues>
+                        <ipv4>prefer IPv4</ipv4>
+                        <ipv6>prefer IPv6 [default]</ipv6>
+                    </OptionValues>
+                </resolvePrefer>
                 <source type="TextField">
                     <mask>/^((([0-9a-zA-Z._\-\*:]+)))*/u</mask>
                     <ChangeCase>lower</ChangeCase>
@@ -1197,7 +1215,7 @@
                 <address type="TextField">
                     <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
                     <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
-                    <Required>Y</Required>
+                    <Required>N</Required>
                 </address>
                 <port type="IntegerField">
                     <MinimumValue>1</MinimumValue>
@@ -1213,7 +1231,7 @@
                     <Required>N</Required>
                 </checkport>
                 <mode type="OptionField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <default>active</default>
                     <OptionValues>
                         <active>active [default]</active>
@@ -1221,6 +1239,54 @@
                         <disabled>disabled</disabled>
                     </OptionValues>
                 </mode>
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <default>static</default>
+                    <OptionValues>
+                        <static>static</static>
+                        <template>template</template>
+                    </OptionValues>
+                </type>
+                <serviceName type="TextField">
+                    <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+                    <ValidationMessage>Please specify a valid service name.</ValidationMessage>
+                    <Required>N</Required>
+                </serviceName>
+                <number type="TextField">
+                    <mask>/^[0-9]+(-[0-9]+)?/u</mask>
+                    <ValidationMessage>Please specify a valid number or range.</ValidationMessage>
+                    <Required>N</Required>
+                </number>
+                <linkedResolver type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>resolvers.resolver</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related resolver not found</ValidationMessage>
+                    <multiple>N</multiple>
+                    <Required>N</Required>
+                </linkedResolver>
+                <resolverOpts type="OptionField">
+                    <Required>N</Required>
+                    <Sorted>Y</Sorted>
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <allow-dup-ip>allow-dup-ip</allow-dup-ip>
+                        <ignore-weight>ignore-weight</ignore-weight>
+                        <prevent-dup-ip>prevent-dup-ip</prevent-dup-ip>
+                    </OptionValues>
+                </resolverOpts>
+                <resolvePrefer type="OptionField">
+                    <Required>N</Required>
+                    <Multiple>N</Multiple>
+                    <OptionValues>
+                        <ipv4>prefer IPv4</ipv4>
+                        <ipv6>prefer IPv6 [default]</ipv6>
+                    </OptionValues>
+                </resolvePrefer>
                 <ssl type="BooleanField">
                     <default>0</default>
                     <Required>Y</Required>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_0_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_0_0.php
new file mode 100644
index 0000000000..fff7515d3e
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_0_0.php
@@ -0,0 +1,44 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M3_0_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Servers have a 'type' field now
+        foreach ($model->getNodeByReference('servers.server')->iterateItems() as $server) {
+            $server->type = 'static';
+        }
+    }
+}
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index bbb6586802..63ff12973d 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -230,7 +230,6 @@ POSSIBILITY OF SUCH DAMAGE.
             $("#acl\\.expression").change(function(){
                 var service_id = 'table_' + $(this).val();
                 $(".expression_table").hide();
-                // $(".table_"+$(this).val()).show();
                 $("."+service_id).show();
             });
             $("#acl\\.expression").change();
@@ -241,7 +240,6 @@ POSSIBILITY OF SUCH DAMAGE.
             $("#action\\.type").change(function(){
                 var service_id = 'table_' + $(this).val();
                 $(".type_table").hide();
-                // $(".table_"+$(this).val()).show();
                 $("."+service_id).show();
             });
             $("#action\\.type").change();
@@ -308,6 +306,16 @@ POSSIBILITY OF SUCH DAMAGE.
             $("#healthcheck\\.type").change();
         })
 
+        // hook into on-show event for dialog to extend layout.
+        $('#DialogServer').on('shown.bs.modal', function (e) {
+            $("#server\\.type").change(function(){
+                var service_id = 'table_server_type_' + $(this).val();
+                $(".table_server_type").hide();
+                $("."+service_id).show();
+            });
+            $("#server\\.type").change();
+        })
+
         /***********************************************************************
          * Commands
          **********************************************************************/
@@ -647,12 +655,12 @@ POSSIBILITY OF SUCH DAMAGE.
     <div id="subtab_haproxy-real-servers-introduction" class="tab-pane fade">
         <div class="col-md-12">
             <h1>{{ lang._('Real Servers') }}</h1>
-            <p>{{ lang._('HAProxy needs to know which servers should be used to serve content. The following minimum information must be provided for each server:') }}</p>
+            <p>{{ lang._('HAProxy needs to know which servers should be used to serve content. Either add a static server configuration or use a template to initialize multiple servers at once. The latter one can also be used to discover the available services via DNS SRV records. The following minimum information must be provided for each server:') }}</p>
             <ul>
-              <li>{{ lang._('%sFQDN or IP:%s The IP address or fully-qualified domain name that should be used when communicating with your server.') | format('<b>', '</b>') }}</li>
-              <li>{{ lang._('%sPort:%s The TCP or UDP port that should be used. If unset, the same port the client connected to will be used.') | format('<b>', '</b>') }}</li>
+              <li>{{ lang._('%sStatic Servers:%s The IP address or fully-qualified domain name that should be used when communicating with your server. Additionally the TCP or UDP port that should be used. If unset, the same port the client connected to will be used.') | format('<b>', '</b>') }}</li>
+              <li>{{ lang._('%sServer Templates:%s A prefix is required to build the server names. Additionally a service name or FQDN is required to identify the servers this template initializes') | format('<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("Please note that advanced mode settings allow you to disable a certain server or to configure it as a backup server in a Backend Pool. Another neat option is the possibility to adjust a server's weight relative to other servers in the same Backend Pool.") }}</p>
+            <p>{{ lang._("Please note that advanced mode settings allow you to adjust a server's weight relative to other servers in the same Backend Pool, in addition to fine-grained health check options.") }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -809,6 +817,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="serverid" data-type="number"  data-visible="false">{{ lang._('Server ID') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Server Name') }}</th>
+                <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
                 <th data-column-id="address" data-type="string">{{ lang._('Server Address') }}</th>
                 <th data-column-id="port" data-type="string">{{ lang._('Server Port') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 5dff7a2f7a..c0d06021a2 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1496,135 +1496,169 @@ backend {{backend.name}}
 {%           if server_data == {} %}
 # ERROR: server data not found ({{server}})
 {%           else %}
-{#             # collect optional server parameters #}
-{%             set server_options = [] %}
-{#             # check if health check is enabled #}
-{%             if healthcheck_enabled == '1' %}
-{%               do server_options.append('check') %}
-{#               # This can be configured in multiple places. #}
-{#               # Priority for which value is used: backend > server > health check #}
-{%               if backend.checkInterval|default("") != "" %}
-{%                 do server_options.append('inter ' ~ backend.checkInterval) %}
-{%               elif server_data.checkInterval|default("") != "" %}
-{%                 do server_options.append('inter ' ~ server_data.checkInterval) %}
-{%               elif healthcheck_data.interval|default("") != "" %}
-{%                 do server_options.append('inter ' ~ healthcheck_data.interval) %}
+{#             # check if all required server parameters are set #}
+{%             if (server_data.type|default("") == 'static' and server_data.address|default("") == '') or (server_data.type|default("") == 'template' and (server_data.serviceName|default("") == '' or server_data.number|default("") == '')) %}
+# ERROR: server is invalid, required parameters not set ({{server_data.name}})
+{%             else %}
+{#               # server type #}
+{%               set server_basics = [] %}
+{%               if server_data.type|default("") == 'static' %}
+{%                 do server_basics.append('server ' ~ server_data.name ~ ' ' ~ server_data.address) %}
+{%               else %}
+{%                 do server_basics.append('server-template ' ~ server_data.name ~ ' ' ~ server_data.number ~ ' ' ~ server_data.serviceName) %}
 {%               endif %}
-{#               # use a different interval when server is in DOWN state #}
-{%               if backend.checkDownInterval|default("") != "" %}
-{%                 do server_options.append('downinter ' ~ backend.checkDownInterval) %}
-{%               elif server_data.checkDownInterval|default("") != "" %}
-{%                 do server_options.append('downinter ' ~ server_data.checkDownInterval) %}
+{#               # collect optional server parameters #}
+{%               set server_options = [] %}
+{#               # check if health check is enabled #}
+{%               if healthcheck_enabled == '1' %}
+{%                 do server_options.append('check') %}
+{#                 # This can be configured in multiple places. #}
+{#                 # Priority for which value is used: backend > server > health check #}
+{%                 if backend.checkInterval|default("") != "" %}
+{%                   do server_options.append('inter ' ~ backend.checkInterval) %}
+{%                 elif server_data.checkInterval|default("") != "" %}
+{%                   do server_options.append('inter ' ~ server_data.checkInterval) %}
+{%                 elif healthcheck_data.interval|default("") != "" %}
+{%                   do server_options.append('inter ' ~ healthcheck_data.interval) %}
+{%                 endif %}
+{#                 # use a different interval when server is in DOWN state #}
+{%                 if backend.checkDownInterval|default("") != "" %}
+{%                   do server_options.append('downinter ' ~ backend.checkDownInterval) %}
+{%                 elif server_data.checkDownInterval|default("") != "" %}
+{%                   do server_options.append('downinter ' ~ server_data.checkDownInterval) %}
+{%                 endif %}
+{#                 # unhealthy threshold #}
+{%                 if backend.healthCheckFall|default("") != "" %}
+{%                   do server_options.append('fall ' ~ backend.healthCheckFall) %}
+{%                 endif %}
+{#                 # healthy threshold #}
+{%                 if backend.healthCheckRise|default("") != "" %}
+{%                   do server_options.append('rise ' ~ backend.healthCheckRise) %}
+{%                 endif %}
+{#                 # use a different port for health check #}
+{%                 if healthcheck_data.checkport|default("") != "" %}
+{#                   # prefer port from health check template #}
+{%                   do server_options.append('port ' ~ healthcheck_data.checkport) %}
+{%                 elif server_data.checkport|default("") != "" %}
+{%                   do server_options.append('port ' ~ server_data.checkport) %}
+{%                 endif %}
+{#                 # force SSL encryption for health checks #}
+{%                 if healthcheck_data.force_ssl|default('') == '1' %}
+{%                   do server_options.append('check-ssl ') %}
+{%                 endif %}
+{#                 # add all additions from healthchecks here #}
+{%                 do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
 {%               endif %}
-{#               # unhealthy threshold #}
-{%               if backend.healthCheckFall|default("") != "" %}
-{%                 do server_options.append('fall ' ~ backend.healthCheckFall) %}
+{#               # server weight #}
+{%               do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
+{#               # server role/mode #}
+{%               if server_data.mode|default("") != 'active' %}
+{%                 do server_options.append(server_data.mode) %}
 {%               endif %}
-{#               # healthy threshold #}
-{%               if backend.healthCheckRise|default("") != "" %}
-{%                 do server_options.append('rise ' ~ backend.healthCheckRise) %}
+{#               # server ssl communication #}
+{%               if server_data.ssl|default("") == '1' %}
+{%                 do server_options.append('ssl') %}
+{#                 # HTTP/2 #}
+{%                 if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}
+{#                   # convert protocols to HAProxy-compatible format #}
+{%                   set alpn_options = backend.ba_advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
+{%                   do server_options.append('alpn ' ~ alpn_options) %}
+{%                 endif %}
+{#               # HTTP/2 without TLS #}
+{%               elif backend.http2Enabled|default("") == '1' and backend.http2Enabled_nontls|default("") == '1' %}
+{%                 do server_options.append('proto h2') %}
 {%               endif %}
-{#               # use a different port for health check #}
-{%               if healthcheck_data.checkport|default("") != "" %}
-{#                 # prefer port from health check template #}
-{%                 do server_options.append('port ' ~ healthcheck_data.checkport) %}
-{%               elif server_data.checkport|default("") != "" %}
-{%                 do server_options.append('port ' ~ server_data.checkport) %}
+{#               # ssl verification can be enabled for two reasons: #}
+{#               # 1. in server settings: to verify *all* communication to this server #}
+{#               # 2. in health checks: to verify *only* health check communication to this server #}
+{#               # When 1. is enabled, health checks are automatically secured. #}
+{#               # Use-case for 2: when using TCP for server communication, but HTTPS for health checks. #}
+{%               if server_data.ssl|default("") == '1' or (healthcheck_enabled == '1' and healthcheck_data.force_ssl|default('') == '1') %}
+{#                 # get status of ssl verification #}
+{%                 set ssl_verify_enabled = '0' %}
+{%                 if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') and OPNsense.HAProxy.general.tuning.sslServerVerify|default("") != 'ignore' %}
+{#                   # NOTE: Global parameter overrides per-server configuration. #}
+{%                   set ssl_verify_enabled = '1' if OPNsense.HAProxy.general.tuning.sslServerVerify|default("") == 'required' %}
+{%                 elif server_data.sslVerify|default("") == '1' %}
+{%                   set ssl_verify_enabled = '1' %}
+{%                 endif %}
+{#                 # configure ssl verification #}
+{%                 if ssl_verify_enabled == '1' %}
+{#                   # enable SSL verification #}
+{%                   do server_options.append('verify required') %}
+{#                   # check for SSL CA #}
+{%                   if server_data.sslCA|default("") != "" %}
+{%                     do server_options.append('ca-file /tmp/haproxy/ssl/' ~ server_data.id ~ '.calist') %}
+{%                   else %}
+{#                     # fallback to system CA Root Certificates #}
+{%                     do server_options.append('ca-file /etc/ssl/cert.pem') %}
+{%                   endif %}
+{#                   # check for SSL CRL #}
+{%                   if server_data.sslCRL|default("") != "" %}
+{%                     do server_options.append('crl-file /tmp/haproxy/ssl/' ~ server_data.sslCRL ~ '.pem') %}
+{%                   endif %}
+{#                   # check for SSL client cert #}
+{%                   if server_data.sslClientCertificate|default("") != "" %}
+{%                     do server_options.append('crt /tmp/haproxy/ssl/' ~ server_data.sslClientCertificate ~ '.pem') %}
+{%                   endif %}
+{%                 else %}
+{%                   do server_options.append('verify none') %}
+{%                 endif %}
 {%               endif %}
-{#               # force SSL encryption for health checks #}
-{%               if healthcheck_data.force_ssl|default('') == '1' %}
-{%                 do server_options.append('check-ssl ') %}
+{#               # resolver #}
+{%               set resolver_id = '' %}
+{%               set resolver_opts  = '' %}
+{%               if backend.linkedResolver|default("") != "" %}
+{#                 # prefer backend configuration #}
+{%                 set resolver_id = backend.linkedResolver %}
+{%                 set resolver_opts = backend.resolverOpts %}
+{%               elif server_data.linkedResolver|default("") != "" and server_data.type|default("") == 'template' %}
+{#                 # use resolver for server template #}
+{%                 set resolver_id = server_data.linkedResolver %}
+{%                 set resolver_opts = server_data.resolverOpts %}
 {%               endif %}
-{#               # add all additions from healthchecks here #}
-{%               do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
-{%             endif %}
-{#             # server weight #}
-{%             do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
-{#             # server role/mode #}
-{%             if server_data.mode|default("") != 'active' %}
-{%               do server_options.append(server_data.mode) %}
-{%             endif %}
-{#             # server ssl communication #}
-{%             if server_data.ssl|default("") == '1' %}
-{%               do server_options.append('ssl') %}
-{#               # HTTP/2 #}
-{%               if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}
-{#                 # convert protocols to HAProxy-compatible format #}
-{%                 set alpn_options = backend.ba_advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
-{%                 do server_options.append('alpn ' ~ alpn_options) %}
+{%               if resolver_id != '' %}
+{%                 set resolver_data = helpers.getUUID(resolver_id) %}
+{%                 do server_options.append('resolvers ' ~ resolver_data.id) %}
+{#                 # additional resolver options #}
+{%                 if resolver_opts != '' %}
+{%                   do server_options.append('resolve-opts ' ~ resolver_opts) %}
+{%                 endif %}
 {%               endif %}
-{#             # HTTP/2 without TLS #}
-{%             elif backend.http2Enabled|default("") == '1' and backend.http2Enabled_nontls|default("") == '1' %}
-{%               do server_options.append('proto h2') %}
-{%             endif %}
-{#             # ssl verification can be enabled for two reasons: #}
-{#             # 1. in server settings: to verify *all* communication to this server #}
-{#             # 2. in health checks: to verify *only* health check communication to this server #}
-{#             # When 1. is enabled, health checks are automatically secured. #}
-{#             # Use-case for 2: when using TCP for server communication, but HTTPS for health checks. #}
-{%             if server_data.ssl|default("") == '1' or (healthcheck_enabled == '1' and healthcheck_data.force_ssl|default('') == '1') %}
-{#               # get status of ssl verification #}
-{%               set ssl_verify_enabled = '0' %}
-{%               if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') and OPNsense.HAProxy.general.tuning.sslServerVerify|default("") != 'ignore' %}
-{#                 # NOTE: Global parameter overrides per-server configuration. #}
-{%                 set ssl_verify_enabled = '1' if OPNsense.HAProxy.general.tuning.sslServerVerify|default("") == 'required' %}
-{%               elif server_data.sslVerify|default("") == '1' %}
-{%                 set ssl_verify_enabled = '1' %}
+{#               # prefer selected IP family for DNS resolution #}
+{%               if backend.resolvePrefer|default("") != "" %}
+{#                 # prefer backend configuration #}
+{%                 do server_options.append('resolve-prefer ' ~ backend.resolvePrefer) %}
+{%               elif server_data.linkedResolver|default("") != "" %}
+{%                 do server_options.append('resolve-prefer ' ~ server_data.resolvePrefer) %}
 {%               endif %}
-{#               # configure ssl verification #}
-{%               if ssl_verify_enabled == '1' %}
-{#                 # enable SSL verification #}
-{%                 do server_options.append('verify required') %}
-{#                 # check for SSL CA #}
-{%                 if server_data.sslCA|default("") != "" %}
-{%                   do server_options.append('ca-file /tmp/haproxy/ssl/' ~ server_data.id ~ '.calist') %}
-{%                 else %}
-{#                   # fallback to system CA Root Certificates #}
-{%                   do server_options.append('ca-file /etc/ssl/cert.pem') %}
-{%                 endif %}
-{#                 # check for SSL CRL #}
-{%                 if server_data.sslCRL|default("") != "" %}
-{%                   do server_options.append('crl-file /tmp/haproxy/ssl/' ~ server_data.sslCRL ~ '.pem') %}
-{%                 endif %}
-{#                 # check for SSL client cert #}
-{%                 if server_data.sslClientCertificate|default("") != "" %}
-{%                   do server_options.append('crt /tmp/haproxy/ssl/' ~ server_data.sslClientCertificate ~ '.pem') %}
-{%                 endif %}
-{%               else %}
-{%                 do server_options.append('verify none') %}
+{#               # source address #}
+{%               if backend.source|default("") != "" %}
+{#                 # prefer backend configuration #}
+{%                 do server_options.append('source ' ~ backend.source) %}
+{%               elif server_data.source|default("") != "" %}
+{%                 do server_options.append('source ' ~ server_data.source) %}
+{%               endif %}
+{#               # PROXY protocol #}
+{%               if backend.proxyProtocol|default("") == "v1" %}
+{%                 do server_options.append('send-proxy') %}
+{%                 do server_options.append('check-send-proxy') %}
+{%               elif backend.proxyProtocol|default("") == "v2" %}
+{%                 do server_options.append('send-proxy-v2') %}
+{%                 do server_options.append('check-send-proxy') %}
+{%               endif %}
+{#               # cookie-based persistence #}
+{%               if backend.persistence|default("") == "cookie" %}
+{%                 do server_options.append('cookie ' ~ server_data.id|replace(".", "")) %}
+{%               endif %}
+{#               # server advanced options #}
+{%               if server_data.advanced|default("") != "" %}
+{%                 do server_options.append(server_data.advanced) %}
+{%               endif %}
+{#               # server enabled? #}
+{%               if server_data.enabled == '1' %}
+    {{server_basics|join(' ')}}{% if backend.tuning_noport != '1' %}{% if server_data.port|default("") != "" %}:{{server_data.port}}{% endif %}{% endif %} {{server_options|join(' ')}}
 {%               endif %}
-{%             endif %}
-{#             # resolver #}
-{%             if backend.linkedResolver|default("") != "" %}
-{%               set resolver_data = helpers.getUUID(backend.linkedResolver) %}
-{%               do server_options.append('resolvers ' ~ resolver_data.id) %}
-{%             endif %}
-{#             # source address #}
-{%             if backend.source|default("") != "" %}
-{#               # prefer backend configuration #}
-{%               do server_options.append('source ' ~ backend.source) %}
-{%             elif server_data.source|default("") != "" %}
-{%               do server_options.append('source ' ~ server_data.source) %}
-{%             endif %}
-{#             # PROXY protocol #}
-{%             if backend.proxyProtocol|default("") == "v1" %}
-{%               do server_options.append('send-proxy') %}
-{%               do server_options.append('check-send-proxy') %}
-{%             elif backend.proxyProtocol|default("") == "v2" %}
-{%               do server_options.append('send-proxy-v2') %}
-{%               do server_options.append('check-send-proxy') %}
-{%             endif %}
-{#             # cookie-based persistence #}
-{%             if backend.persistence|default("") == "cookie" %}
-{%               do server_options.append('cookie ' ~ server_data.id|replace(".", "")) %}
-{%             endif %}
-{#             # server advanced options #}
-{%             if server_data.advanced|default("") != "" %}
-{%               do server_options.append(server_data.advanced) %}
-{%             endif %}
-{#             # server enabled? #}
-{%             if server_data.enabled == '1' %}
-    server {{server_data.name}} {{server_data.address}}:{% if backend.tuning_noport != '1' %}{% if server_data.port|default("") != "" %}{{server_data.port}}{% endif %}{% endif %} {{server_options|join(' ')}}
 {%             endif %}
 {%           endif %}
 {%         endfor %}

From f39b0c1648c227ce2984d3851921416a5f49b53e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 21 Feb 2021 23:50:00 +0100
Subject: [PATCH 0445/3088] net/haproxy: ignore mailers that are not in use,
 refs #1669

---
 .../templates/OPNsense/HAProxy/haproxy.conf   | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index c0d06021a2..091d1d4d06 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1091,15 +1091,31 @@ resolvers {{resolver.id}}
 {% if helpers.exists('OPNsense.HAProxy.mailers') %}
 {%   for mailer in helpers.toList('OPNsense.HAProxy.mailers.mailer') %}
 {%     if mailer.enabled == '1' %}
+{#       # check if mailer is configured in a backend #}
+{%       set ns = namespace(mailer_found=false) %}
+{%       if helpers.exists('OPNsense.HAProxy.backends') %}
+{%         for backend in helpers.toList('OPNsense.HAProxy.backends.backend') %}
+{#           # backend must be enabled #}
+{%           if backend.enabled == '1' and backend.linkedMailer|default('') == mailer['@uuid'] %}
+{%             set ns.mailer_found = True %}
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{#       # only add mailers that are in use to avoid config test warnings #}
+{%       if ns.mailer_found %}
 # Mailer: {{mailer.name}}
 mailers {{mailer.id}}
     timeout mail {{mailer.timeout}}s
-{%       if mailer.mailservers|default("") != "" %}
-{%         for mailserver in mailer.mailservers.split(",") %}
+{%             if mailer.mailservers|default("") != "" %}
+{%               for mailserver in mailer.mailservers.split(",") %}
     mailer {{mailserver}} {{mailserver}}
-{%         endfor %}
-{%       endif %}
+{%               endfor %}
+{%             endif %}
+
+{%       else %}
+# NOTE: Mailer {{mailer.name}} ignored: not configured in any backend
 
+{%       endif %}
 {%     else %}
 # Mailer (DISABLED): {{mailer.name}}
 

From 8433328437b2f82e4bfa88c77ba7ede91a93047d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 22 Feb 2021 00:02:46 +0100
Subject: [PATCH 0446/3088] net/haproxy: show help text when no config file was
 found

---
 .../opnsense/mvc/app/views/OPNsense/HAProxy/export.volt  | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
index 160d93df9b..19c31de7a3 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
@@ -34,7 +34,13 @@ POSSIBILITY OF SUCH DAMAGE.
          */
         function update_showconf() {
             ajaxCall(url="/api/haproxy/export/config/", sendData={}, callback=function(data,status) {
-                $("#showconf").text(data['response']);
+                if (data['response'] && data['response'].trim()) {
+                    $("#showconf").text(data['response']);
+                } else {
+                    conf_help = "<br><span style=\"color: #000000; white-space: pre-wrap; font-family: monospace;\"> {{ lang._('Config file not found. Run a syntax check to create it.') }}</span><br>";
+                    $("#showconfempty").append(conf_help);
+                    $("#showconf").hide();
+                }
             });
         }
         update_showconf();
@@ -116,6 +122,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
     <div id="export" class="tab-pane fade in active">
         <div class="content-box" style="padding-bottom: 1.5em;">
+            <div id="showconfempty"></div>
             <pre id="showconf"></pre>
             <div class="col-md-12">
                 <hr />

From 3c74cadb4121cc2f966e484ff26a4a9b363445e1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 23 Feb 2021 17:04:53 +0100
Subject: [PATCH 0447/3088] net/haproxy: improve help text

---
 .../app/controllers/OPNsense/HAProxy/forms/generalSettings.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
index 5869a62e64..d0efde12b2 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
@@ -25,7 +25,7 @@
         <id>haproxy.general.storeOcsp</id>
         <label>Store OCSP responses</label>
         <type>checkbox</type>
-        <help><![CDATA[Retrieve OCSP data everytime when starting or restarting HAProxy. For every certificate, the OCSP response will be fetched and stored in filesystem, and automatically picked-up by HAProxy on startup. However, depending on the number of certificates and other circumstances, this may noticeably increase the time required to start/restart the HAProxy service. Note that this only updates the OCSP responses during start/restart, you need to setup a cron job to periodically update this data too.]]></help>
+        <help><![CDATA[Retrieve OCSP data everytime when starting or restarting HAProxy. For every certificate, the OCSP response will be fetched and stored in filesystem, and automatically picked-up by HAProxy on startup. However, depending on the number of certificates and other circumstances, this may noticeably increase the time required to start/restart the HAProxy service. Note that this only updates the OCSP responses once during start/restart, you need to setup a cron job to periodically update this data too.]]></help>
     </field>
     <field>
         <id>haproxy.general.showIntro</id>

From 4a88b924afbee46fb01655b049a5ed2f4b08e15d Mon Sep 17 00:00:00 2001
From: jkellerer <jkellerer@users.noreply.github.com>
Date: Tue, 23 Feb 2021 20:51:13 +0100
Subject: [PATCH 0448/3088] NodeExporter: Added ZFS toggle (defaults to off),
 fixes #1930 (#2071)

* NodeExporter: Added ZFS toggle (defaults to off), fixes #1930

This change also fixes toggles for collectors that are enabled by default: cpu, exec, filesystem, loadavg, meminfo, netdev, time.

* Update sysutils/node_exporter/Makefile

* Update sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml

* NodeExporter: Self-assigned plugin maintainer

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 sysutils/node_exporter/Makefile               |  5 ++-
 sysutils/node_exporter/pkg-descr              | 30 ++++++++++++++++
 .../OPNsense/NodeExporter/forms/general.xml   |  6 ++++
 .../models/OPNsense/NodeExporter/General.xml  |  4 +++
 .../OPNsense/NodeExporter/node_exporter       | 35 +++++++++++--------
 5 files changed, 62 insertions(+), 18 deletions(-)

diff --git a/sysutils/node_exporter/Makefile b/sysutils/node_exporter/Makefile
index 0252194203..985de5c2e2 100644
--- a/sysutils/node_exporter/Makefile
+++ b/sysutils/node_exporter/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		node_exporter
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Prometheus exporter for machine metrics
 PLUGIN_DEPENDS=		node_exporter
-PLUGIN_MAINTAINER=	dharrigan@gmail.com
+PLUGIN_MAINTAINER=	jkegh@k123.eu
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/node_exporter/pkg-descr b/sysutils/node_exporter/pkg-descr
index 92c19ad602..16c736a183 100644
--- a/sysutils/node_exporter/pkg-descr
+++ b/sysutils/node_exporter/pkg-descr
@@ -2,3 +2,33 @@ Prometheus exporter for hardware and OS metrics exposed by *NIX kernels,
 written in Go with pluggable metric collectors.
 
 WWW: https://github.com/prometheus/node_exporter
+
+
+Changelog
+---------
+
+1.1
+
+* Allow to toggle the "zfs" collector
+* Fixed disabling collectors:
+    cpu
+    exec
+    filesystem
+    loadavg
+    meminfo
+    netdev
+    time
+
+1.0
+
+* Node exporter server
+* Allow to toggle collectors:
+    cpu
+    exec
+    filesystem
+    loadavg
+    meminfo
+    netdev
+    ntp
+    time
+    devstat
diff --git a/sysutils/node_exporter/src/opnsense/mvc/app/controllers/OPNsense/NodeExporter/forms/general.xml b/sysutils/node_exporter/src/opnsense/mvc/app/controllers/OPNsense/NodeExporter/forms/general.xml
index 97e4196c12..8269302b1a 100644
--- a/sysutils/node_exporter/src/opnsense/mvc/app/controllers/OPNsense/NodeExporter/forms/general.xml
+++ b/sysutils/node_exporter/src/opnsense/mvc/app/controllers/OPNsense/NodeExporter/forms/general.xml
@@ -77,4 +77,10 @@
     <type>checkbox</type>
     <help>Enable the NTP collector.</help>
   </field>
+  <field>
+    <id>general.zfs</id>
+    <label>ZFS Statistics</label>
+    <type>checkbox</type>
+    <help>Enable the ZFS collector.</help>
+  </field>
 </form>
diff --git a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
index a2884f82f8..c47915f10b 100644
--- a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
+++ b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
@@ -62,5 +62,9 @@
           <default>0</default>
           <Required>N</Required>
         </ntp>
+        <zfs type="BooleanField">
+          <default>0</default>
+          <Required>N</Required>
+        </zfs>
     </items>
 </model>
diff --git a/sysutils/node_exporter/src/opnsense/service/templates/OPNsense/NodeExporter/node_exporter b/sysutils/node_exporter/src/opnsense/service/templates/OPNsense/NodeExporter/node_exporter
index 0e74613f44..a5d3b02fcc 100644
--- a/sysutils/node_exporter/src/opnsense/service/templates/OPNsense/NodeExporter/node_exporter
+++ b/sysutils/node_exporter/src/opnsense/service/templates/OPNsense/NodeExporter/node_exporter
@@ -4,44 +4,49 @@
 {% if helpers.exists('OPNsense.NodeExporter.enabled') and OPNsense.NodeExporter.enabled == '1' %}
 
 {%- set collector = "--collector." -%}
+{%- set no_collector = "--no-collector." -%}
 
-{%- if OPNsense.NodeExporter.cpu == '1' -%}
-    {%- set cpu = collector + "cpu " -%}
+{%- if helpers.empty('OPNsense.NodeExporter.cpu') -%}
+    {%- set cpu = no_collector + "cpu " -%}
 {%- endif -%}
 
-{%- if OPNsense.NodeExporter.exec == '1' -%}
-    {%- set exec = collector + "exec " -%}
+{%- if helpers.empty('OPNsense.NodeExporter.exec') -%}
+    {%- set exec = no_collector + "exec " -%}
 {%- endif -%}
 
-{%- if OPNsense.NodeExporter.filesystem == '1' -%}
-    {%- set filesystem = collector + "filesystem " -%}
+{%- if helpers.empty('OPNsense.NodeExporter.filesystem') -%}
+    {%- set filesystem = no_collector + "filesystem " -%}
 {%- endif -%}
 
-{%- if OPNsense.NodeExporter.loadavg == '1' -%}
-    {%- set loadavg = collector + "loadavg " -%}
+{%- if helpers.empty('OPNsense.NodeExporter.loadavg') -%}
+    {%- set loadavg = no_collector + "loadavg " -%}
 {%- endif -%}
 
-{%- if OPNsense.NodeExporter.meminfo == '1' -%}
-    {%- set meminfo = collector + "meminfo " -%}
+{%- if helpers.empty('OPNsense.NodeExporter.meminfo') -%}
+    {%- set meminfo = no_collector + "meminfo " -%}
 {%- endif -%}
 
-{%- if OPNsense.NodeExporter.netdev == '1' -%}
-    {%- set netdev = collector + "netdev " -%}
+{%- if helpers.empty('OPNsense.NodeExporter.netdev') -%}
+    {%- set netdev = no_collector + "netdev " -%}
 {%- endif -%}
 
 {%- if OPNsense.NodeExporter.ntp == '1' -%}
     {%- set ntp = collector + "ntp " -%}
 {%- endif -%}
 
-{%- if OPNsense.NodeExporter.time == '1' -%}
-    {%- set time = collector + "time " -%}
+{%- if helpers.empty('OPNsense.NodeExporter.time') -%}
+    {%- set time = no_collector + "time " -%}
 {%- endif -%}
 
 {%- if OPNsense.NodeExporter.devstat == '1' -%}
     {%- set devstat = collector + "devstat " -%}
 {%- endif -%}
 
-node_exporter_args="{{ cpu }}{{ exec }}{{ filesystem }}{{ loadavg }}{{ meminfo }}{{ netdev }}{{ ntp }}{{ time }}{{ devstat }}"
+{%- if helpers.empty('OPNsense.NodeExporter.zfs') -%}
+    {%- set zfs = no_collector + "zfs " -%}
+{%- endif -%}
+
+node_exporter_args="{{ cpu }}{{ exec }}{{ filesystem }}{{ loadavg }}{{ meminfo }}{{ netdev }}{{ ntp }}{{ time }}{{ devstat }}{{ zfs }}"
 node_exporter_listen_address="{{ OPNsense.NodeExporter.listenaddress }}:{{ OPNsense.NodeExporter.listenport }}"
 node_exporter_enable="YES"
 

From 10b235e3d8fe267ed518f5a42c389a0929057ef4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Feb 2021 10:22:22 +0100
Subject: [PATCH 0449/3088] Framework: use -v rather than -V for full expansion

---
 Makefile           | 4 ++--
 Scripts/revbump.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 82aa061e95..76fc96735e 100644
--- a/Makefile
+++ b/Makefile
@@ -38,8 +38,8 @@ PLUGIN_DIRS+=	${_${CATEGORY}}
 
 list:
 .for PLUGIN_DIR in ${PLUGIN_DIRS}
-	@echo ${PLUGIN_DIR} -- $$(${MAKE} -C ${PLUGIN_DIR} -V PLUGIN_COMMENT) \
-	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -V PLUGIN_DEVEL _PLUGIN_DEVEL=)" ]; then echo "(development only)"; fi)
+	@echo ${PLUGIN_DIR} -- $$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_COMMENT) \
+	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_DEVEL _PLUGIN_DEVEL=)" ]; then echo "(development only)"; fi)
 .endfor
 
 # shared targets that are sane to run from the root directory
diff --git a/Scripts/revbump.sh b/Scripts/revbump.sh
index 120b0fce41..31f1fa974f 100755
--- a/Scripts/revbump.sh
+++ b/Scripts/revbump.sh
@@ -8,7 +8,7 @@ if [ -z "${DIR}" ]; then
 	DIR=.
 fi
 
-REV=$(make -C ${DIR} -V PLUGIN_REVISION)
+REV=$(make -C ${DIR} -v PLUGIN_REVISION)
 REV=$(expr ${REV} \+ 1)
 
 grep -v ^PLUGIN_REVISION ${DIR}/Makefile > ${DIR}/Makefile.tmp

From a20b641219e0f03f14e7468ba1ba6374d3f70a78 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Feb 2021 10:25:41 +0100
Subject: [PATCH 0450/3088] net/haproxy: whitespace cleanups

---
 .../controllers/OPNsense/HAProxy/Api/ExportController.php    | 2 +-
 .../scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py  | 5 ++---
 .../src/opnsense/service/conf/actions.d/actions_haproxy.conf | 1 -
 .../src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS | 2 +-
 .../service/templates/OPNsense/HAProxy/sslCerts.yaml         | 2 +-
 5 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
index 5a3cd58f9b..dbf6ed9152 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
@@ -68,7 +68,7 @@ public function diffAction()
      * @return array|mixed
      */
     public function downloadAction($type)
-    {               
+    {
         $backend = new Backend();
 
         if ($type == 'config') {
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
index 18a175aeed..3277871636 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
@@ -48,7 +48,7 @@ def setUp(self):
         pKmFJ2e2VSnTZIBJvD58HMR+WNAEp7tHffHk2z/mPPtdRdxW5Zieoe5+6+HDtwgG
         +VCAIWMkC36Dvg==
         -----END CERTIFICATE-----
-        
+
         -----BEGIN RSA PRIVATE KEY-----
         MIIJKgIBAAKCAgEAvsNKU59F2gpl1fzbk7hD64Q3zk1hH9Im1IsN9ppF5tqdsPPG
         n3Q8QgcKpnJ/SrtnPl4Xqp3bJyV20lJWTxuVU7ImM8g4tStQB4XojTtv8A4E7/wN
@@ -100,8 +100,7 @@ def setUp(self):
         9WYZS7hlKyqVBESJuonR15biy7Xov5ELl6A821cskZO3vTwtlBSeCDiqaeVLpKR3
         aYwf5YZo7v+N8KBSLEdLNjoKK4PfXUdczD7uOUllbd4/MRgCn4EmFvmpljGiEQ==
         -----END RSA PRIVATE KEY-----
-        
-        
+
         -----BEGIN CERTIFICATE-----
         MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw
         GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index 1e45bc9549..fcd742c0c1 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -127,4 +127,3 @@ parameters:
 type:script_output
 description:Update HAProxy OCSP data
 message:update haproxy ocsp data
-
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
index 389191f4d7..b42f343eb9 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
@@ -1,3 +1,3 @@
 haproxy.conf:/usr/local/etc/haproxy.conf.staging
 rc.conf.d:/etc/rc.conf.d/haproxy
-sslCerts.yaml:/usr/local/etc/haproxy/sslCerts.yaml
\ No newline at end of file
+sslCerts.yaml:/usr/local/etc/haproxy/sslCerts.yaml
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
index 56fed45739..fd766e0025 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
@@ -58,4 +58,4 @@ frontends:
 {%  endfor %}
 {% else %}
 frontends: {}
-{% endif %}
\ No newline at end of file
+{% endif %}

From 2f888b6092563b747ab84e0400eb8832437478ed Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Thu, 25 Feb 2021 17:02:55 +0100
Subject: [PATCH 0451/3088] add show diff single add apply diff single

---
 .../HAProxy/Api/MaintenanceController.php     |  74 +++++-
 .../views/OPNsense/HAProxy/maintenance.volt   | 138 +++++++++-
 .../scripts/OPNsense/HAProxy/syncCerts.py     | 250 ++++++++++++++----
 .../conf/actions.d/actions_haproxy.conf       |  16 +-
 4 files changed, 417 insertions(+), 61 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
index 0a2e180da6..ce3977ecab 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
@@ -41,6 +41,18 @@
  */
 class MaintenanceController extends ApiControllerBase
 {
+    /**
+     * jQuery bootstrap certificates diff list
+     * @return array|mixed
+     */
+    public function searchCertificateDiffAction()
+    {
+        return $this->getData(
+            ["cert_diff_list"],
+            ["rowCount", "current", "searchPhrase", "sort"]
+        );
+    }
+
     /**
      * jQuery bootstrap server list
      * @return array|mixed
@@ -53,6 +65,42 @@ public function searchServerAction()
         );
     }
 
+    /**
+     * sync certificate for frontends
+     * @return array|mixed
+     */
+    public function certSyncAction()
+    {
+        return $this->syncCerts(
+            ["cert_sync"],
+            ["frontend_ids"]
+        );
+    }
+
+    /**
+     * show certificate diff for frontends
+     * @return array|mixed
+     */
+    public function certDiffAction()
+    {
+        return $this->getData(
+            ["cert_diff"],
+            ["frontend_ids"]
+        );
+    }
+
+    /**
+     * show certificate actions for frontends
+     * @return array|mixed
+     */
+    public function certActionsAction()
+    {
+        return $this->getData(
+            ["cert_actions"],
+            ["frontend_ids"]
+        );
+    }
+
     /**
      * set server weight
      * @return array|mixed
@@ -145,7 +193,7 @@ protected function getData(array $command, array $arguments = [])
     }
 
     /**
-     * Executes a backend command to save data
+     * Executes a backend command which returns output on error
      * @param array $command
      * @param array $arguments
      * @return array|string[]
@@ -167,4 +215,28 @@ protected function saveData(array $command, array $arguments = [])
             "message" => 'only accept POST Requests.'
         ];
     }
+
+    /**
+     * Executes a ssl certificate sync
+     * @param array $command
+     * @param array $arguments
+     * @return array|string[]
+     */
+    protected function syncCerts(array $command, array $arguments = [])
+    {
+        if ($this->request->isPost()) {
+            $output = $this->safeBackendCmd($command, $arguments);
+            $result = json_decode($output, true);
+
+            return [
+                "status" => "ok",
+                "result" => $result,
+            ];
+        }
+        return [
+            "status" => 'unavailable',
+            "message" => 'only accept POST Requests.'
+        ];
+    }
+
 }
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 63c870e6df..30ac21b465 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -26,9 +26,114 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
-
 <script>
     $( document ).ready(function() {
+        // grid-certificates
+        $("#grid-certificates").bootgrid('destroy');
+        var grid_certificates = $("#grid-certificates").UIBootgrid({
+            search: '/api/haproxy/maintenance/searchCertificateDiff',
+            options: {
+                ajax: true,
+                selection: true,
+                multiSelect: true,
+                keepSelection: true,
+                rowCount:[10,25,50,100,500,1000],
+                searchSettings: {
+                    delay: 250,
+                    characters: 1
+                },
+                formatters: {
+                    "commands": function (column, row) {
+                        buttons = ""
+                        buttons += "<button type=\"button\"  data-action=\"showDiff\" title=\"{{ lang._('Show diff between configured ssl certificates and certificates from HAProxy memory.') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-info-circle\"></span></button>"
+                        buttons += " <button type=\"button\" data-action=\"applyDiff\" title=\"{{ lang._('Apply diff and sync certificates into HAProxy memory.') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-refresh\"></span></button>"
+                        return buttons;
+                    },
+                },
+            }
+        }).on("loaded.rs.jquery.bootgrid", function(){
+            grid_certificates.find("*[data-action=showDiff]").off().on("click", function(e) {
+                var row_id = $(this).data("row-id");
+                var frontend_ids = row_id;
+                var payload = {
+                  'frontend_ids': frontend_ids,
+                };
+
+                $.post('/api/haproxy/maintenance/certDiff', payload, function(data) {
+                    BootstrapDialog.show({
+                        type: BootstrapDialog.TYPE_INFO,
+                        title: "{{ lang._('Diff between configured and remote ssl certificates') }}",
+                        message: `<pre>${data}</pre>`,
+                        buttons: [{
+                            label: '{{ lang._('Close') }}',
+                            action: function(dialog){
+                              dialog.close();
+                            }
+                        }]
+                    });
+                });
+
+            });
+
+            grid_certificates.find("*[data-action=applyDiff]").off().on("click", function(e) {
+                var row_id = $(this).data("row-id");
+                var rows = $("#grid-certificates").bootgrid("getCurrentRows");
+                var row =  rows.filter(function(row) {
+                	return row.id == row_id;
+                })[0];
+
+                var requested_count = row.total_count;
+                var frontend_ids = row.id
+                var payload = {
+                  'frontend_ids': frontend_ids,
+                };
+
+                $.post('/api/haproxy/maintenance/certActions', payload, function(data_actions) {
+                    question = ''
+                    question += `<pre>${data_actions}</pre>`;
+                    question += '<b>{{ lang._('Apply ssl certificates to HaProxy?') }}</b></br></br>';
+
+                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                        question,
+                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+                        $.post('/api/haproxy/maintenance/certSync', payload, function(data) {
+                            modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
+                            if (requested_count != modified_count) {
+                                var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
+                                BootstrapDialog.show({
+                                    type: BootstrapDialog.TYPE_DANGER,
+                                    title: "{{ lang._('Error applying ssl certificates to HAProxy') }}",
+                                    message: error_msg,
+                                    buttons: [{
+                                        label: '{{ lang._('Close') }}',
+                                        action: function(dialog){
+                                          dialog.close();
+                                        }
+                                    }]
+                                });
+                            }
+                            $("#grid-certificates").bootgrid("reload");
+                        });
+                    });
+                });
+
+            });
+
+            grid_certificates.find("*[data-action=showDiffBulk]").off().on("click", function(e) {
+                var rows = $("#grid-certificates").bootgrid("getSelectedRows");
+                console.log('Show diff for multi')
+            });
+
+            grid_certificates.find("*[data-action=applyDiffBulk]").off().on("click", function(e) {
+                var rows = $("#grid-certificates").bootgrid("getSelectedRows");
+                console.log('Apply diff for multi')
+            });
+
+
+        });
+
+
+        // grid-status
         $("#grid-status").bootgrid('destroy');
         var grid_status = $("#grid-status").UIBootgrid({
             search: '/api/haproxy/maintenance/searchServer',
@@ -45,7 +150,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 formatters: {
                     "commands": function (column, row) {
                         buttons = ""
-                        buttons += "<button type=\"button\" title=\"{{ lang._('Set administrative state to ready. Puts the server in normal mode.') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"ready\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-check\"></span></button>"
+                        buttons += "<button type=\"button\"  title=\"{{ lang._('Set administrative state to ready. Puts the server in normal mode.') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"ready\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-check\"></span></button>"
                         buttons += " <button type=\"button\" title=\"{{ lang._('Set administrative state to drain. Removes the server from load balancing but still allows it to be health checked and to accept new persistent connections') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"drain\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-sort-amount-desc\"></span></button>"
                         buttons += " <button type=\"button\" title=\"{{ lang._('Set administrative state to maintenance. Disables any traffic to the server as well as any health checks.') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"maint\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-wrench\"></span></button>"
                         buttons += " <button type=\"button\" title=\"{{ lang._('Change server weight.') }}\" class=\"btn btn-xs btn-default command-set-weight\" data-weight=\"" + row.weight + "\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-balance-scale\"></span></button>"
@@ -91,7 +196,6 @@ POSSIBILITY OF SUCH DAMAGE.
                             }
                         });
                 });
-
             });
 
             // set single - server weight
@@ -242,6 +346,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <ul class="nav nav-tabs" role="tablist"  id="maintabs">
     <li class="active"><a data-toggle="tab" href="#server"><b>{{ lang._('Server') }}</b></a></li>
+    <li><a data-toggle="tab" href="#ssl-certs"><b>{{ lang._('SSL Certificates') }}</b></a></li>
 </ul>
 
 <div class="content-box tab-content">
@@ -281,6 +386,33 @@ POSSIBILITY OF SUCH DAMAGE.
             </tfoot>
         </table>
     </div>
+
+    <div id="ssl-certs" class="tab-pane fade in">
+        <!-- tab page "ssl-certs" -->
+        <table id="grid-certificates" class="table table-condensed table-hover table-striped table-responsive">
+            <thead>
+            <tr>
+                <th data-column-id="id" data-type="string" data-identifier="true" data-visible="false">{{ lang._('id') }}</th>
+                <th data-column-id="frontend_name" data-type="string">{{ lang._('Public Service Name') }}</th>
+                <th data-column-id="update_count" data-type="string">{{ lang._('Update Certificates') }}</th>
+                <th data-column-id="add_count" data-type="string">{{ lang._('Add Certificates') }}</th>
+                <th data-column-id="remove_count" data-type="string">{{ lang._('Remove Certificates') }}</th>
+                <th data-column-id="commands" data-width="8em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="showDiff" title="{{ lang._('Show diff between configured ssl certificates and certificates from HAProxy memory.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-info-circle"></span></button>
+                    <button data-action="applyDiff" title="{{ lang._('Apply diff and sync certificates into HAProxy memory.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-refresh"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
 </div>
 
 {{ partial("layout_partials/base_dialog_processing") }}
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index 0427b2e7ed..b6ddd46172 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -17,7 +17,7 @@
 class SyncWithTarget:
     """ Base class for sync objects to a target """
 
-    def __init__(self, socket='/var/run/haproxy.socket'):
+    def __init__(self, socket='/var/run/haproxy.socket', **kwargs):
         self.socket = socket
 
     def _execute_remote_cmd(self, command_class, **command_args):
@@ -40,7 +40,7 @@ def diff_list(self, first: List, second: List):
 class Diff(SyncWithTarget):
     """ Represents a full diff to sync with remote """
 
-    def __init__(self, crt_lists=None):
+    def __init__(self, crt_lists=None, **kwargs):
         super().__init__()
         if crt_lists is None:
             crt_lists = []
@@ -49,6 +49,13 @@ def __init__(self, crt_lists=None):
         self._status = self._get_status()
         self._transactions = self._get_transactions()
 
+        self.output_format = kwargs['output']
+        self.page = kwargs['page']
+        self.page_rows = kwargs['page_rows']
+        self.search = kwargs['search']
+        self.sort_col = kwargs['sort_col']
+        self.sort_dir = kwargs['sort_dir']
+
     @property
     def diff(self):
         return self._diff
@@ -65,13 +72,53 @@ def transactions(self):
     def status(self):
         return self._status
 
+    def _get_bootgrid_output(self, rows):
+        """ Returns jquery bootgrid output """
+        args = {
+            "rows": rows,
+            "page": int(self.page) if self.page != None else 1,
+            "page_rows": int(self.page_rows) if self.page_rows != None else len(rows),
+            "search": self.search,
+            "sort_col": self.sort_col if self.sort_col else 'id',
+            "sort_dir": self.sort_dir,
+        }
+
+        # search
+        if args['search']:
+            filtered_rows = []
+            for row in rows:
+                def inner(row):
+                    for k, v in row.items():
+                        if args['search'] in v:
+                            return row
+                    return None
+
+                match = inner(row)
+                if match:
+                    filtered_rows.append(match)
+            rows = filtered_rows
+
+        # sort
+        rows.sort(key=lambda k: k[args['sort_col']], reverse=True if args['sort_dir'] == 'desc' else False)
+
+        # pager
+        total = len(rows)
+        pages = [rows[i:i + args['page_rows']] for i in range(0, total, args['page_rows'])]
+        if pages and (args['page'] > len(pages) or args['page'] < 1):
+            raise KeyError(f"Current page {args['page']} does not exist. Available pages: {len(pages)}")
+        page = pages[args['page'] - 1] if pages else []
+
+        return json.dumps({
+            "rows": page,
+            "total": total,
+            "rowCount": args['page_rows'],
+            "current": args['page']
+        })
+
     def _calc_diff(self):
-        result = {}
-        for crt_list in self:
-            result[crt_list.frontend_id] = crt_list.diff
-        return result
+        return [crt_list.diff for crt_list in self if crt_list.diff['total_count'] > 0]
 
-    def abort(self, output_format):
+    def abort(self):
         """ Abort transactions"""
         aborted = []
         for certfile in self.transactions:
@@ -83,10 +130,10 @@ def abort(self, output_format):
                 "output": output,
             })
 
-        if output_format == 'json':
+        if self.output_format == 'json':
             print(json.dumps({'abort': aborted}))
 
-        if output_format == 'raw':
+        if self.output_format == 'raw':
             for item in aborted:
                 print(f"ABORT transaction: {item['cert']}")
                 print(f"  {repr(item['output'])}")
@@ -117,12 +164,12 @@ def _get_status(self):
                 }
         return status
 
-    def show_status(self, output_format):
+    def show_diff(self):
         """ Shows current local and remote state """
-        if output_format == 'json':
+        if self.output_format == 'json':
             print(json.dumps(self.status))
 
-        if output_format == 'raw':
+        if self.output_format == 'raw':
             print("## STATUS ##")
             for frontend_id, crt_list in self.status.items():
                 print(f"CRT_LIST: {crt_list['path']}")
@@ -140,14 +187,17 @@ def show_status(self, output_format):
                     print(f"      REMOTE: {cert['remote']}")
                 print()
 
-    def show_diff(self, output_format):
+    def show_actions(self):
         """ Shows what will be synced to target """
-        if output_format == 'json':
+        if self.output_format == 'json':
             print(json.dumps(self.diff))
 
-        if output_format == 'raw':
+        if self.output_format == 'bootgrid':
+            print(self._get_bootgrid_output(self.diff))
+
+        if self.output_format == 'raw':
             print("## DIFF ##")
-            for frontend_id, diff in self.diff.items():
+            for diff in self.diff:
                 print(f"CRT LIST: {diff['path']}")
                 print(f"  FRONTEND NAME: {diff['frontend_name']}")
                 print(f"  FRONTEND ID: {diff['frontend_id']}")
@@ -157,34 +207,62 @@ def show_diff(self, output_format):
                     print(f"     Serial:  {update['meta']['Serial']}")
                     print(f"     Issuer:  {update['meta']['Issuer']}")
                     print(f"     Subject: {update['meta']['Subject']}")
+                    print()
                 else:
                     if not diff['update']:
                         print(f"  CERT UPDATE: []")
-                print(f"  CERT ADD :   {diff['add']}")
-                print(f"  CERT DEL :   {diff['del']}")
 
-    def show_transactions(self, output_format):
-        if output_format == 'json':
+                for add in diff['add']:
+                    print(f"  CERT ADD:")
+                    print(f"     Cert:    {add}")
+                    print()
+                else:
+                    if not diff['add']:
+                        print(f"  CERT ADD: []")
+
+                for remove in diff['remove']:
+                    print(f"  CERT REMOVE:")
+                    print(f"     Cert:    {remove['certfile']}")
+                    print(f"     Serial:  {remove['meta'].get('Serial', None)}")
+                    print(f"     Issuer:  {remove['meta'].get('Issuer', None)}")
+                    print(f"     Subject: {remove['meta'].get('Subject', None)}")
+                    print()
+                else:
+                    if not diff['remove']:
+                        print(f"  CERT REMOVE: []")
+
+
+    def show_transactions(self):
+        if self.output_format == 'json':
             print(json.dumps({'transactions': self.transactions}))
 
-        if output_format == 'raw':
+        if self.output_format == 'raw':
             print("## OPEN TRANSACTIONS ##")
             for cert in self.transactions:
                 print(cert)
 
-    def sync(self, output_format):
+    def sync(self):
         """ Sync to target """
-        sync = {}
+        sync = {
+            'modified': [],
+            'deleted': [],
+            'add_count': 0,
+            'remove_count': 0,
+            'update_count': 0,
+            'del_count': 0,
+        }
         certs_to_delete = []
-        for frontend_id, diff in self.diff.items():
-            sync[frontend_id] = {
+        for diff in self.diff:
+            sync_item = {
                 'frontend_name': diff['frontend_name'],
                 'frontend_id': diff['frontend_id'],
                 'path': diff['path'],
                 'add': [],
                 'remove': [],
                 'update': [],
-                'del': []
+                'add_count': 0,
+                'remove_count': 0,
+                'update_count': 0,
             }
 
             # update cert content
@@ -200,48 +278,60 @@ def sync(self, output_format):
                 output = self._execute_remote_cmd(cmds.commitSslCrt, certfile=cert['certfile'])
                 messages.append(output)
 
-                sync[frontend_id]['update'].append({
+                sync_item['update'].append({
                     'cert': cert['certfile'],
                     'messages': messages
                 })
+                sync['update_count'] += 1
+                sync_item['update_count'] += 1
 
             # add to crt-list
             for cert in diff['add']:
                 messages = []
                 output = self._execute_remote_cmd(cmds.addToSslCrtList, crt_list=diff['path'], certfile=cert)
                 messages.append(output)
-                sync[frontend_id]['add'].append({
+                sync_item['add'].append({
                     'cert': cert,
                     'messages': messages
                 })
+                sync['add_count'] += 1
+                sync_item['add_count'] += 1
 
             # remove from crt-list
-            for cert in diff['del']:
+            for cert in diff['remove']:
                 messages = []
-                output = self._execute_remote_cmd(cmds.delFromSslCrtList, crt_list=diff['path'], certfile=cert)
+                output = self._execute_remote_cmd(cmds.delFromSslCrtList, crt_list=diff['path'], certfile=cert['certfile'])
                 messages.append(output)
-                certs_to_delete.append(cert.split(":")[0])
-                sync[frontend_id]['remove'].append({
-                    'cert': cert,
+                certs_to_delete.append(cert['certfile'].split(":")[0])
+                sync_item['remove'].append({
+                    'cert': cert['certfile'],
                     'messages': messages
                 })
+                sync['remove_count'] += 1
+                sync_item['remove_count'] += 1
+
+            modified_items = sync_item['update_count'] + sync_item['add_count'] + sync_item['remove_count']
+            if modified_items:
+                sync['modified'].append(sync_item)
 
         # delete unused certs operation - haproxy does not allow to delete certs in use
         for cert in certs_to_delete:
             messages = []
             output = self._execute_remote_cmd(cmds.delSslCrt, certfile=cert)
             messages.append(output)
-            sync[frontend_id]['del'].append({
+            cert_item = {
                 'cert': cert,
                 'messages': messages
-            })
+            }
+            sync['del_count'] += 1
+            sync['deleted'].append(cert_item)
 
-        if output_format == 'json':
-            print(json.dumps(self.diff))
+        if self.output_format == 'json':
+            print(json.dumps(sync))
 
-        if output_format == 'raw':
+        if self.output_format == 'raw':
             print("## SYNC ##")
-            for frontend_id, crt_list in sync.items():
+            for crt_list in sync['modified']:
                 print(f"CRT-LIST: {crt_list['path']}")
                 print(f"  FRONTEND NAME: {crt_list['frontend_name']}")
                 print(f"  FRONTEND ID: {crt_list['frontend_id']}")
@@ -249,6 +339,7 @@ def sync(self, output_format):
                     print(f"  UPDATE: {cert['cert']}")
                     for message in cert['messages']:
                         print("    " + repr(message))
+
                 for cert in crt_list['add']:
                     print(f"  ADD: {cert['cert']}")
                     for message in cert['messages']:
@@ -259,10 +350,10 @@ def sync(self, output_format):
                     for message in cert['messages']:
                         print("    " + repr(message))
 
-                for cert in crt_list['del']:
-                    print(f"\n DEL: {cert['cert']}")
-                    for message in cert['messages']:
-                        print("    " + repr(message))
+            for cert in sync['deleted']:
+                print(f"\n  DEL: {cert['cert']}")
+                for message in cert['messages']:
+                    print("    " + repr(message))
                 print()
 
     def __iter__(self):
@@ -339,12 +430,17 @@ def diff(self):
     def _calc_diff(self):
         """ return needed operations to get remote object in sync """
         diff = {
+            'id': self.frontend_id,
             'frontend_name': self.frontend_name,
             'frontend_id': self.frontend_id,
             'path': self.path,
             'add': [],
-            'del': [],
-            'update': []
+            'add_count': 0,
+            'remove': [],
+            'remove_count': 0,
+            'update': [],
+            'update_count': 0,
+            'total_count': 0
         }
         # skip when there is no remote crt list
         if self.remote is None:
@@ -352,8 +448,26 @@ def _calc_diff(self):
 
         # certs to add, delete and update on the remote target
         diff['add'] = self.diff_list(self.local, self.remote)
-        diff['del'] = self.diff_list(self.remote, self.local)
+        diff['add_count'] = len(diff['add'])
+        #for certpath in self.diff_list(self.local, self.remote):
+        #    diff['add'].append({
+        #        "certfile": certpath,
+        #        "meta": self._execute_remote_cmd(cmds.showSslCert, certfile=certpath)
+        #    })
+        #diff['add_count'] = len(diff['add'])
+
+        # remove
+        for certpath in self.diff_list(self.remote, self.local):
+            diff['remove'].append({
+                "certfile": certpath,
+                "meta": self._execute_remote_cmd(cmds.showSslCert, certfile=certpath.split(":")[0])
+            })
+        diff['remove_count'] = len(diff['remove'])
+
         diff['update'] = [cert.diff for cert in self.certs if cert.diff]
+        diff['update_count'] = len(diff['update'])
+
+        diff['total_count'] = diff['add_count'] + diff['remove_count'] + diff['update_count']
 
         return diff
 
@@ -499,7 +613,7 @@ def get_args():
     )
     parser.add_argument(
         'command',
-        choices=['status', 'diff', 'sync', 'transactions', 'abort'],
+        choices=['diff', 'actions', 'sync', 'transactions', 'abort'],
         nargs='+',
         help="Execute one or more operations."
     )
@@ -520,10 +634,36 @@ def get_args():
     )
     parser.add_argument(
         '--output',
+        '-o',
         help='Specify output format.',
-        choices=['json', 'raw'],
+        choices=['json', 'raw', 'bootgrid'],
         default="raw"
     )
+    parser.add_argument(
+        '--page-rows',
+        help='Limit output to the specified numbers of rows per page.',
+        default=None
+    )
+    parser.add_argument(
+        '--page',
+        help='Output page number.',
+        default=None
+    )
+    parser.add_argument(
+        '--search',
+        help='Search for string.',
+        default=None
+    )
+    parser.add_argument(
+        '--sort-col',
+        help='Sort output on this column.',
+        default=None
+    )
+    parser.add_argument(
+        '--sort-dir',
+        help='Sort output in this direction.',
+        default=None
+    )
     return parser.parse_args()
 
 
@@ -562,16 +702,16 @@ def get_crt_lists_from_config(configfile):
 
 args = get_args()
 crt_lists = get_crt_lists_from_config(args.config)
-diff = Diff(crt_lists=crt_lists)
+diff = Diff(crt_lists=crt_lists, **vars(args))
 
 """ Sync ssl certs from configfile to HaProxy """
-if "status" in args.command:
-    diff.show_status(args.output)
 if "diff" in args.command:
-    diff.show_diff(args.output)
+    diff.show_diff()
+if "actions" in args.command:
+    diff.show_actions()
 if "abort" in args.command:
-    diff.abort(args.output)
+    diff.abort()
 if "transactions" in args.command:
-    diff.show_transactions(args.output)
+    diff.show_transactions()
 if "sync" in args.command:
-    diff.sync(args.output)
+    diff.sync()
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index 1e45bc9549..7d2630221c 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -78,15 +78,27 @@ parameters: set-server-weight --server-ids %s --value %s
 type:script_output
 message:change haproxy weight for multiple server
 
+[cert_diff_list]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+parameters: actions --output bootgrid --page-rows %s --page %s --search %s --sort-col %s --sort-dir %s
+type:script_output
+message:Show certificate diff list
+
 [cert_diff]
 command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
-parameters: diff --output json --frontends %s
+parameters: diff --frontend-ids %s --output raw
+type:script_output
+message:Show diff between configured ssl certificates and certs from HAProxy memory for multiple frontends
+
+[cert_actions]
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+parameters: actions --frontend-ids %s --output raw
 type:script_output
 message:Show diff between configured ssl certificates and certs from HAProxy memory for multiple frontends
 
 [cert_sync]
 command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
-parameters: sync --frontends %s --output json
+parameters: sync --frontend-ids %s --output json
 type:script_output
 message:Sync ssl certificates into HAProxy memory for multiple frontends
 

From 593c84dbb257e2f788030fbd2057a6bbf9e22712 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Fri, 26 Feb 2021 10:49:20 +0100
Subject: [PATCH 0452/3088] add error message on sync error

---
 .../views/OPNsense/HAProxy/maintenance.volt   | 30 ++++++++
 .../scripts/OPNsense/HAProxy/syncCerts.py     | 77 ++++++++++---------
 2 files changed, 71 insertions(+), 36 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 30ac21b465..7422f22a6e 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -29,6 +29,36 @@ POSSIBILITY OF SUCH DAMAGE.
 <script>
     $( document ).ready(function() {
         // grid-certificates
+        function syncErrorMessage(modified, deleted) {
+            message = ``;
+            modified.forEach(function(item) {
+                message += `<b>{{ lang._('Public Service Name:') }} ${item.frontend_name}</b></br></br>`;
+
+                item.update.forEach(function(update) {
+                    message += `<b>{{ lang._('UPDATE / NEW:') }} ${update.cert}:</b></br>`;
+                    message += `<pre>${update.messages.join("")}</pre>`;
+                });
+
+                item.add.forEach(function(add) {
+                    message += `<b>{{ lang._('ADD:') }} ${add.cert}:</b></br>`;
+                    message += `<pre>${add.messages.join("</br>")}</pre>`;
+                });
+
+                item.remove.forEach(function(remove) {
+                    message += `<b>{{ lang._('REMOVE:') }} ${remove.cert}:</b></br>`;
+                    message += `<pre>${remove.messages.join("</br>")}</pre>`;
+                });
+            });
+
+            deleted.forEach(function(del) {
+                message += `<b>{{ lang._('DELETE:') }} ${del.cert}:</b></br>`;
+                message += `<pre>${del.messages.join("</br>")}</pre>`;
+            });
+
+            return message;
+        }
+
+
         $("#grid-certificates").bootgrid('destroy');
         var grid_certificates = $("#grid-certificates").UIBootgrid({
             search: '/api/haproxy/maintenance/searchCertificateDiff',
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index b6ddd46172..31484670e9 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -196,17 +196,13 @@ def show_actions(self):
             print(self._get_bootgrid_output(self.diff))
 
         if self.output_format == 'raw':
-            print("## DIFF ##")
             for diff in self.diff:
-                print(f"CRT LIST: {diff['path']}")
-                print(f"  FRONTEND NAME: {diff['frontend_name']}")
-                print(f"  FRONTEND ID: {diff['frontend_id']}")
+                print(f"FRONTEND: {diff['frontend_name']}")
                 for update in diff['update']:
-                    print(f"  CERT UPDATE:")
-                    print(f"     Cert:    {update['certfile']}")
-                    print(f"     Serial:  {update['meta']['Serial']}")
-                    print(f"     Issuer:  {update['meta']['Issuer']}")
-                    print(f"     Subject: {update['meta']['Subject']}")
+                    print(f"  CERT NEW / UPDATE:")
+                    print(f"     Serial:  {update['meta'].get('Serial', None)}")
+                    print(f"     Issuer:  {update['meta'].get('Issuer', None)}")
+                    print(f"     Subject: {update['meta'].get('Subject', None)}")
                     print()
                 else:
                     if not diff['update']:
@@ -214,7 +210,9 @@ def show_actions(self):
 
                 for add in diff['add']:
                     print(f"  CERT ADD:")
-                    print(f"     Cert:    {add}")
+                    print(f"     Serial:  {add['meta'].get('Serial', None)}")
+                    print(f"     Issuer:  {add['meta'].get('Issuer', None)}")
+                    print(f"     Subject: {add['meta'].get('Subject', None)}")
                     print()
                 else:
                     if not diff['add']:
@@ -222,7 +220,6 @@ def show_actions(self):
 
                 for remove in diff['remove']:
                     print(f"  CERT REMOVE:")
-                    print(f"     Cert:    {remove['certfile']}")
                     print(f"     Serial:  {remove['meta'].get('Serial', None)}")
                     print(f"     Issuer:  {remove['meta'].get('Issuer', None)}")
                     print(f"     Subject: {remove['meta'].get('Subject', None)}")
@@ -265,10 +262,10 @@ def sync(self):
                 'update_count': 0,
             }
 
-            # update cert content
+            # new cert / update cert
             for cert in diff['update']:
                 messages = []
-                if cert['certfile'] in diff['add']:
+                if any(add_cert['certfile'] == cert['certfile'] for add_cert in diff['add']):
                     output = self._execute_remote_cmd(cmds.newSslCrt, certfile=cert['certfile'])
                     messages.append(output)
 
@@ -277,25 +274,28 @@ def sync(self):
 
                 output = self._execute_remote_cmd(cmds.commitSslCrt, certfile=cert['certfile'])
                 messages.append(output)
-
                 sync_item['update'].append({
                     'cert': cert['certfile'],
                     'messages': messages
                 })
-                sync['update_count'] += 1
-                sync_item['update_count'] += 1
+
+                if "Success!" in output:
+                    sync['update_count'] += 1
+                    sync_item['update_count'] += 1
 
             # add to crt-list
             for cert in diff['add']:
                 messages = []
-                output = self._execute_remote_cmd(cmds.addToSslCrtList, crt_list=diff['path'], certfile=cert)
+                output = self._execute_remote_cmd(cmds.addToSslCrtList, crt_list=diff['path'], certfile=cert['certfile'])
                 messages.append(output)
                 sync_item['add'].append({
-                    'cert': cert,
+                    'cert': cert['certfile'],
                     'messages': messages
                 })
-                sync['add_count'] += 1
-                sync_item['add_count'] += 1
+
+                if "Success!" in output:
+                    sync['add_count'] += 1
+                    sync_item['add_count'] += 1
 
             # remove from crt-list
             for cert in diff['remove']:
@@ -307,12 +307,13 @@ def sync(self):
                     'cert': cert['certfile'],
                     'messages': messages
                 })
-                sync['remove_count'] += 1
-                sync_item['remove_count'] += 1
 
-            modified_items = sync_item['update_count'] + sync_item['add_count'] + sync_item['remove_count']
-            if modified_items:
-                sync['modified'].append(sync_item)
+                if "Success!" in output:
+                    sync['remove_count'] += 1
+                    sync_item['remove_count'] += 1
+
+            #modified_items = sync_item['update_count'] + sync_item['add_count'] + sync_item['remove_count']
+            sync['modified'].append(sync_item)
 
         # delete unused certs operation - haproxy does not allow to delete certs in use
         for cert in certs_to_delete:
@@ -330,13 +331,12 @@ def sync(self):
             print(json.dumps(sync))
 
         if self.output_format == 'raw':
-            print("## SYNC ##")
             for crt_list in sync['modified']:
                 print(f"CRT-LIST: {crt_list['path']}")
                 print(f"  FRONTEND NAME: {crt_list['frontend_name']}")
                 print(f"  FRONTEND ID: {crt_list['frontend_id']}")
                 for cert in crt_list['update']:
-                    print(f"  UPDATE: {cert['cert']}")
+                    print(f"  NEW / UPDATE: {cert['cert']}")
                     for message in cert['messages']:
                         print("    " + repr(message))
 
@@ -350,7 +350,7 @@ def sync(self):
                     for message in cert['messages']:
                         print("    " + repr(message))
 
-            for cert in sync['deleted']:
+            for cert in sync['delete']:
                 print(f"\n  DEL: {cert['cert']}")
                 for message in cert['messages']:
                     print("    " + repr(message))
@@ -446,15 +446,14 @@ def _calc_diff(self):
         if self.remote is None:
             return diff
 
-        # certs to add, delete and update on the remote target
-        diff['add'] = self.diff_list(self.local, self.remote)
+        # add
+        for cert_path in self.diff_list(self.local, self.remote):
+            cert_obj = self._get_local_cert_by_path(cert_path)
+            diff['add'].append({
+                "certfile": cert_path,
+                "meta": cert_obj.local
+            })
         diff['add_count'] = len(diff['add'])
-        #for certpath in self.diff_list(self.local, self.remote):
-        #    diff['add'].append({
-        #        "certfile": certpath,
-        #        "meta": self._execute_remote_cmd(cmds.showSslCert, certfile=certpath)
-        #    })
-        #diff['add_count'] = len(diff['add'])
 
         # remove
         for certpath in self.diff_list(self.remote, self.local):
@@ -464,6 +463,7 @@ def _calc_diff(self):
             })
         diff['remove_count'] = len(diff['remove'])
 
+        # update
         diff['update'] = [cert.diff for cert in self.certs if cert.diff]
         diff['update_count'] = len(diff['update'])
 
@@ -471,6 +471,11 @@ def _calc_diff(self):
 
         return diff
 
+    def _get_local_cert_by_path(self, path):
+        for cert in self._certs:
+            if cert.path == path:
+                return cert
+
     def _get_local_state(self):
         return [f"{repr(cert)}" for cert in self._certs]
 

From 1b96e4f16c7523f7e2fe95c59a24c55a8220aeb1 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 2 Mar 2021 08:33:03 +0100
Subject: [PATCH 0453/3088] Add frontend for: show diff multi apply diff multi
 apply all

---
 .../HAProxy/Api/MaintenanceController.php     |  29 ++++
 .../views/OPNsense/HAProxy/maintenance.volt   | 160 ++++++++++++------
 .../scripts/OPNsense/HAProxy/syncCerts.py     |  41 +++--
 .../conf/actions.d/actions_haproxy.conf       |   4 +-
 4 files changed, 165 insertions(+), 69 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
index ce3977ecab..c727e60176 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
@@ -47,6 +47,9 @@ class MaintenanceController extends ApiControllerBase
      */
     public function searchCertificateDiffAction()
     {
+        $backend = new Backend();
+        $backend->configdRun('template reload OPNsense/HAProxy');
+
         return $this->getData(
             ["cert_diff_list"],
             ["rowCount", "current", "searchPhrase", "sort"]
@@ -59,6 +62,9 @@ public function searchCertificateDiffAction()
      */
     public function searchServerAction()
     {
+        $backend = new Backend();
+        $backend->configdRun('template reload OPNsense/HAProxy');
+
         return $this->getData(
             ["server_status_list"],
             ["rowCount", "current", "searchPhrase", "sort"]
@@ -71,18 +77,38 @@ public function searchServerAction()
      */
     public function certSyncAction()
     {
+        $backend = new Backend();
+        $backend->configdRun('template reload OPNsense/HAProxy');
+
         return $this->syncCerts(
             ["cert_sync"],
             ["frontend_ids"]
         );
     }
 
+    /**
+     * sync certificate for frontends
+     * @return array|mixed
+     */
+    public function certSyncBulkAction()
+    {
+        $backend = new Backend();
+        $backend->configdRun('template reload OPNsense/HAProxy');
+
+        return $this->syncCerts(
+            ["cert_sync_bulk"]
+        );
+    }
+
     /**
      * show certificate diff for frontends
      * @return array|mixed
      */
     public function certDiffAction()
     {
+        $backend = new Backend();
+        $backend->configdRun('template reload OPNsense/HAProxy');
+
         return $this->getData(
             ["cert_diff"],
             ["frontend_ids"]
@@ -95,6 +121,9 @@ public function certDiffAction()
      */
     public function certActionsAction()
     {
+        $backend = new Backend();
+        $backend->configdRun('template reload OPNsense/HAProxy');
+
         return $this->getData(
             ["cert_actions"],
             ["frontend_ids"]
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 7422f22a6e..a70204a4dd 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -48,8 +48,10 @@ POSSIBILITY OF SUCH DAMAGE.
                     message += `<b>{{ lang._('REMOVE:') }} ${remove.cert}:</b></br>`;
                     message += `<pre>${remove.messages.join("</br>")}</pre>`;
                 });
+                message += `</br>`;
             });
 
+            message += `<b>{{ lang._('CERTIFICATES:') }}</b></br></br>`;
             deleted.forEach(function(del) {
                 message += `<b>{{ lang._('DELETE:') }} ${del.cert}:</b></br>`;
                 message += `<pre>${del.messages.join("</br>")}</pre>`;
@@ -58,6 +60,53 @@ POSSIBILITY OF SUCH DAMAGE.
             return message;
         }
 
+        function showDiffDialog(payload) {
+            $.post('/api/haproxy/maintenance/certDiff', payload, function(data) {
+                BootstrapDialog.show({
+                    type: BootstrapDialog.TYPE_INFO,
+                    title: "{{ lang._('Diff between configured and remote ssl certificates') }}",
+                    message: `<pre>${data}</pre>`,
+                    buttons: [{
+                        label: '{{ lang._('Close') }}',
+                        action: function(dialog){
+                          dialog.close();
+                        }
+                    }]
+                });
+            });
+        }
+
+        function applyDiffDialog(payload, requested_count) {
+            $.post('/api/haproxy/maintenance/certActions', payload, function(data_actions) {
+                question = ''
+                question += `<pre>${data_actions}</pre>`;
+                question += '<b>{{ lang._('Apply ssl certificates to HaProxy?') }}</b></br></br>';
+
+                stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                    question,
+                    '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+                    $.post('/api/haproxy/maintenance/certSync', payload, function(data) {
+                        modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
+
+                        if (requested_count != modified_count) {
+                            var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
+                            BootstrapDialog.show({
+                                type: BootstrapDialog.TYPE_DANGER,
+                                title: "{{ lang._('Error applying ssl certificates to HAProxy') }}",
+                                message: error_msg,
+                                buttons: [{
+                                    label: '{{ lang._('Close') }}',
+                                    action: function(dialog){
+                                      dialog.close();
+                                    }
+                                }]
+                            });
+                        }
+                        $("#grid-certificates").bootgrid("reload");
+                    });
+                });
+            });
+        }
 
         $("#grid-certificates").bootgrid('destroy');
         var grid_certificates = $("#grid-certificates").UIBootgrid({
@@ -88,21 +137,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 var payload = {
                   'frontend_ids': frontend_ids,
                 };
-
-                $.post('/api/haproxy/maintenance/certDiff', payload, function(data) {
-                    BootstrapDialog.show({
-                        type: BootstrapDialog.TYPE_INFO,
-                        title: "{{ lang._('Diff between configured and remote ssl certificates') }}",
-                        message: `<pre>${data}</pre>`,
-                        buttons: [{
-                            label: '{{ lang._('Close') }}',
-                            action: function(dialog){
-                              dialog.close();
-                            }
-                        }]
-                    });
-                });
-
+                showDiffDialog(payload);
             });
 
             grid_certificates.find("*[data-action=applyDiff]").off().on("click", function(e) {
@@ -111,58 +146,77 @@ POSSIBILITY OF SUCH DAMAGE.
                 var row =  rows.filter(function(row) {
                 	return row.id == row_id;
                 })[0];
-
                 var requested_count = row.total_count;
                 var frontend_ids = row.id
                 var payload = {
                   'frontend_ids': frontend_ids,
                 };
 
-                $.post('/api/haproxy/maintenance/certActions', payload, function(data_actions) {
-                    question = ''
-                    question += `<pre>${data_actions}</pre>`;
-                    question += '<b>{{ lang._('Apply ssl certificates to HaProxy?') }}</b></br></br>';
-
-                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        question,
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        $.post('/api/haproxy/maintenance/certSync', payload, function(data) {
-                            modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
-                            if (requested_count != modified_count) {
-                                var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
-                                BootstrapDialog.show({
-                                    type: BootstrapDialog.TYPE_DANGER,
-                                    title: "{{ lang._('Error applying ssl certificates to HAProxy') }}",
-                                    message: error_msg,
-                                    buttons: [{
-                                        label: '{{ lang._('Close') }}',
-                                        action: function(dialog){
-                                          dialog.close();
-                                        }
-                                    }]
-                                });
-                            }
-                            $("#grid-certificates").bootgrid("reload");
-                        });
-                    });
-                });
-
+                applyDiffDialog(payload, requested_count);
             });
 
             grid_certificates.find("*[data-action=showDiffBulk]").off().on("click", function(e) {
                 var rows = $("#grid-certificates").bootgrid("getSelectedRows");
-                console.log('Show diff for multi')
+                var payload = {
+                  'frontend_ids': rows.join()
+                };
+                if (rows != undefined && rows.length > 0) {
+                    showDiffDialog(payload);
+                }
             });
 
             grid_certificates.find("*[data-action=applyDiffBulk]").off().on("click", function(e) {
                 var rows = $("#grid-certificates").bootgrid("getSelectedRows");
-                console.log('Apply diff for multi')
+                var frontend_ids = rows.join();
+                var all_rows = $("#grid-certificates").bootgrid("getCurrentRows");
+                var requested_count = 0;
+                all_rows.forEach(function(row) {
+                    if (rows.indexOf(row.id) != -1) {
+                        requested_count = requested_count + row.total_count;
+                    }
+                });
+                var payload = {
+                  'frontend_ids': frontend_ids,
+                };
+                if (rows != undefined && rows.length > 0) {
+                    applyDiffDialog(payload, requested_count);
+                }
             });
+        });
 
+        // Apply all changes
+        $("*[data-action=applyDiffAll]").off().on("click", function(e) {
+            $('[id*="applyDiffAll_progress"]').each(function(){
+                $(this).addClass("fa fa-spinner fa-pulse");
+            });
+            var all_rows = $("#grid-certificates").bootgrid("getCurrentRows");
+            var requested_count = 0;
+            all_rows.forEach(function(row) {
+                requested_count = requested_count + row.total_count;
+            });
 
+            var payload = {};
+            $.post('/api/haproxy/maintenance/certSyncBulk', payload, function(data) {
+                modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
+                if (requested_count != modified_count) {
+                    var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
+                    BootstrapDialog.show({
+                        type: BootstrapDialog.TYPE_DANGER,
+                        title: "{{ lang._('Error applying ssl certificates to HAProxy') }}",
+                        message: error_msg,
+                        buttons: [{
+                            label: '{{ lang._('Close') }}',
+                            action: function(dialog){
+                              dialog.close();
+                            }
+                        }]
+                    });
+                }
+                $("#grid-certificates").bootgrid("reload");
+                $("#applyDiffAll_progress").removeClass("fa fa-spinner fa-pulse");
+            });
         });
 
-
         // grid-status
         $("#grid-status").bootgrid('destroy');
         var grid_status = $("#grid-status").UIBootgrid({
@@ -436,12 +490,18 @@ POSSIBILITY OF SUCH DAMAGE.
             <tr>
                 <td></td>
                 <td>
-                    <button data-action="showDiff" title="{{ lang._('Show diff between configured ssl certificates and certificates from HAProxy memory.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-info-circle"></span></button>
-                    <button data-action="applyDiff" title="{{ lang._('Apply diff and sync certificates into HAProxy memory.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-refresh"></span></button>
+                    <button data-action="showDiffBulk" title="{{ lang._('Show diff between configured ssl certificates and certificates from HAProxy memory for selected frontends.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-info-circle"></span></button>
+                    <button data-action="applyDiffBulk" title="{{ lang._('Apply diff and sync certificates into HAProxy memory for selected frontends.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-refresh"></span></button>
                 </td>
             </tr>
             </tfoot>
         </table>
+        <div class="col-md-12">
+            <hr/>
+            <button data-action="applyDiffAll" class="btn btn-primary" type="button"><b>{{ lang._('Apply') }}</b><i id="applyDiffAll_progress" class=""></i></button>
+            <br/>
+            <br/>
+        </div>
     </div>
 </div>
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index 31484670e9..41df2cbba9 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -170,22 +170,24 @@ def show_diff(self):
             print(json.dumps(self.status))
 
         if self.output_format == 'raw':
-            print("## STATUS ##")
             for frontend_id, crt_list in self.status.items():
-                print(f"CRT_LIST: {crt_list['path']}")
-                print(f"  FRONTEND NAME:  {crt_list['frontend_name']}")
-                print(f"  FRONTEND ID:    {frontend_id}")
-                print(f"  LOCAL CERTS:    {crt_list['local_certs']}")
-                print(f"  REMOTE CERTS:   {crt_list['remote_certs']}")
-                print(f"  LOCAL DEFAULT:  {crt_list['local_default']}")
-                print(f"  REMOTE DEFAULT: {crt_list['remote_default']}")
-
+                print(f"FRONTEND NAME: {crt_list['frontend_name']}")
+                print(f"  CONFIG:")
                 for cert_id, cert in crt_list['certs'].items():
-                    print()
-                    print(f"    CERT: {cert['path']}")
-                    print(f"      LOCAL:  {cert['local']}")
-                    print(f"      REMOTE: {cert['remote']}")
-                print()
+                    if cert['path'] == crt_list['local_default']:
+                        print(f"    CERT (Default):")
+                    else:
+                        print(f"    CERT:")
+                    print(f"      Serial:  {cert['local']['Serial']}")
+                    print(f"      Issuer:  {cert['local']['Issuer']}")
+                    print(f"      Subject: {cert['local']['Subject']}")
+                print(f"  ACTIVE:")
+                for cert in crt_list['remote_certs']:
+                    meta = self._execute_remote_cmd(cmds.showSslCert, certfile=cert.split(":")[0])
+                    print(f"    CERT:")
+                    print(f"      Serial:  {meta['Serial']}")
+                    print(f"      Issuer:  {meta['Issuer']}")
+                    print(f"      Subject: {meta['Subject']}")
 
     def show_actions(self):
         """ Shows what will be synced to target """
@@ -198,18 +200,22 @@ def show_actions(self):
         if self.output_format == 'raw':
             for diff in self.diff:
                 print(f"FRONTEND: {diff['frontend_name']}")
+
+                print(f"  CRT-LIST: {diff['path']}")
                 for update in diff['update']:
                     print(f"  CERT NEW / UPDATE:")
+                    print(f"     Cert:    {update['certfile']}")
                     print(f"     Serial:  {update['meta'].get('Serial', None)}")
                     print(f"     Issuer:  {update['meta'].get('Issuer', None)}")
                     print(f"     Subject: {update['meta'].get('Subject', None)}")
                     print()
                 else:
                     if not diff['update']:
-                        print(f"  CERT UPDATE: []")
+                        print(f"  CERT NEW / UPDATE: []")
 
                 for add in diff['add']:
                     print(f"  CERT ADD:")
+                    print(f"     Cert:    {add['certfile']}")
                     print(f"     Serial:  {add['meta'].get('Serial', None)}")
                     print(f"     Issuer:  {add['meta'].get('Issuer', None)}")
                     print(f"     Subject: {add['meta'].get('Subject', None)}")
@@ -220,6 +226,7 @@ def show_actions(self):
 
                 for remove in diff['remove']:
                     print(f"  CERT REMOVE:")
+                    print(f"     Cert:    {remove['certfile']}")
                     print(f"     Serial:  {remove['meta'].get('Serial', None)}")
                     print(f"     Issuer:  {remove['meta'].get('Issuer', None)}")
                     print(f"     Subject: {remove['meta'].get('Subject', None)}")
@@ -227,6 +234,7 @@ def show_actions(self):
                 else:
                     if not diff['remove']:
                         print(f"  CERT REMOVE: []")
+                        print()
 
 
     def show_transactions(self):
@@ -308,11 +316,10 @@ def sync(self):
                     'messages': messages
                 })
 
-                if "Success!" in output:
+                if "deleted in crtlist" in output:
                     sync['remove_count'] += 1
                     sync_item['remove_count'] += 1
 
-            #modified_items = sync_item['update_count'] + sync_item['add_count'] + sync_item['remove_count']
             sync['modified'].append(sync_item)
 
         # delete unused certs operation - haproxy does not allow to delete certs in use
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index 7d2630221c..bb0ab73f60 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -97,7 +97,7 @@ type:script_output
 message:Show diff between configured ssl certificates and certs from HAProxy memory for multiple frontends
 
 [cert_sync]
-command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+command:configctl template reload OPNsense/HAProxy 2 > /dev/null; /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
 parameters: sync --frontend-ids %s --output json
 type:script_output
 message:Sync ssl certificates into HAProxy memory for multiple frontends
@@ -109,7 +109,7 @@ type:script_output
 message:Show diff between configured ssl certificates and certs from HAProxy memory for all frontends
 
 [cert_sync_bulk]
-command:/usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py sync --output json
+command:configctl template reload OPNsense/HAProxy 2 > /dev/null; /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py sync --output json
 parameters:
 type:script_output
 message:Sync ssl certificates into HAProxy memory for all frontends

From ae79adb142d2cec8c287ea700bb4810ef7b82003 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 2 Mar 2021 13:52:50 +0100
Subject: [PATCH 0454/3088] local cert serial hex numebr should contain leading
 zero to fill up the missing octet.

---
 .../src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py   | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index 41df2cbba9..8d48a1e208 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -544,8 +544,15 @@ def _glue(self, components):
 
     def _get_local_state(self):
         cert_obj = self._get_cert_data()
+        serial = cert_obj.get_serial_number()
+        serial_hex = "%X" % serial
+
+        if len(serial_hex) % 2 != 0:
+            padding = len(serial_hex) + 1
+            serial_hex = f"%.{padding}X" % serial
+
         return {
-            "Serial": '%.2x'.upper() % cert_obj.get_serial_number(),
+            "Serial": serial_hex,
             "Subject": self._glue(cert_obj.get_subject().get_components()),
             "Issuer": self._glue(cert_obj.get_issuer().get_components())
         }

From e5207000bd5ad27d7523035378cc2abf7b178477 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 2 Mar 2021 13:55:18 +0100
Subject: [PATCH 0455/3088] fix modal header text

---
 .../opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index a70204a4dd..9e4b0bbd70 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -64,7 +64,7 @@ POSSIBILITY OF SUCH DAMAGE.
             $.post('/api/haproxy/maintenance/certDiff', payload, function(data) {
                 BootstrapDialog.show({
                     type: BootstrapDialog.TYPE_INFO,
-                    title: "{{ lang._('Diff between configured and remote ssl certificates') }}",
+                    title: "{{ lang._('Diff between configured and active ssl certificates') }}",
                     message: `<pre>${data}</pre>`,
                     buttons: [{
                         label: '{{ lang._('Close') }}',

From 1cdc7acfe2650e1c3476e08725a638b177dfe270 Mon Sep 17 00:00:00 2001
From: Andreas Stuerz <andreas.stuerz@markt.de>
Date: Tue, 2 Mar 2021 15:15:05 +0100
Subject: [PATCH 0456/3088] =?UTF-8?q?fix=20new=20certs=20could=20not=20be?=
 =?UTF-8?q?=20added=20if=20crt-list=20for=20frontend=20does=20not=20exits?=
 =?UTF-8?q?=20in=20HAProxy=C2=B4s=20memory.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index 8d48a1e208..cf8ac67975 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -384,7 +384,7 @@ def __init__(self, path, frontend_id=None, frontend_name=None, certs=None, defau
         self._local_default = default_cert
         self._local = self._get_local_state()
         self._remote_ln = self._get_remote_state(cmds.showSslCrtList, crt_list=self._path)
-        self._remote = [cert_ln.split(":")[0] for cert_ln in self._remote_ln]
+        self._remote = [cert_ln.split(":")[0] for cert_ln in self._remote_ln] if self._remote_ln else []
         self._diff = self._calc_diff()
 
     @property
@@ -418,7 +418,7 @@ def local(self):
     @property
     def remote_ln(self):
         """ Certs with line number"""
-        return self._remote_ln
+        return self._remote_ln if self._remote_ln else []
 
     @property
     def remote(self):
@@ -427,7 +427,7 @@ def remote(self):
             This ensures that the default cert is always on top.
         """
         if self._local_default is not None and self.local_default != self.remote_default:
-            return self._remote_ln
+            return self.remote_ln
         return self._remote
 
     @property

From e3ad6447b3072f996b9f07a110aee583955391e4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 23 Feb 2021 17:34:43 +0100
Subject: [PATCH 0457/3088] net/haproxy: strip warning from final config,
 improve help text

---
 .../app/controllers/OPNsense/HAProxy/forms/generalTuning.xml    | 2 +-
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index 0fd011d4db..9fdeb1e63c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -7,7 +7,7 @@
         <id>haproxy.general.tuning.root</id>
         <label>Run as root</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable or disable HAProxy running as root.<br/><div class="text-info"><b>NOTE:</b> Enabling root could be a security issue but it's required by some feature.</div>]]></help>
+        <help><![CDATA[Enable or disable HAProxy running as user root. Enabling this option is strongly discouraged.<br/><div class="text-info"><b>NOTE:</b> Running as user root could be a security issue but it may be required by some features.</div>]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 091d1d4d06..536ce0814b 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -836,8 +836,8 @@ userlist {{object.name | regex_replace ("[^A-Za-z0-9]","")}}
 {#- ############################### -#}
 
 global
+{#  # NOTE: Running as root could be a security issue, but is required for some features. #}
 {% if OPNsense.HAProxy.general.tuning.root != "1" %}
-    # NOTE: Could be a security issue, but required for some feature.
     uid                         80
 {% endif %}
     gid                         80

From 0f7cec57e4c6adaeaf448c6c21ae166b4cc1b01e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 23 Feb 2021 17:36:51 +0100
Subject: [PATCH 0458/3088] net/haproxy: update plugin changelog

---
 net/haproxy/pkg-descr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index a8d97d6955..92a2c6d133 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,7 +9,8 @@ Plugin Changelog
 3.0
 
 Added:
-* new feature to change server state and weight on-the-fly (#2213)
+* add new maintenance page to change server state and weight on-the-fly (#2213)
+* add new commands to update SSL certificates in runtime (#2244, #1882)
 * add new SSL bind option: prefer-client-ciphers
 * add global option to enable old buggy behaviour for PROXY v2 connections
 * add support for HTTP/2 in health checks
@@ -24,7 +25,6 @@ Added:
 * add support for resolve-prefer option (#1975)
 
 Fixed:
-* fix maintenance page (python error: 'list' object has no attribute 'strip')
 * prevent service outage by aborting "Apply" when configtest fails
 * fix direct links to individual statistics tabs
 

From db054b6f486bbf37f9023ab3209241c51de66f1a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 23 Feb 2021 23:34:38 +0100
Subject: [PATCH 0459/3088] net/haproxy: prevent the deletion of referenced
 items

---
 net/haproxy/pkg-descr                                            | 1 +
 .../app/controllers/OPNsense/HAProxy/Api/ServiceController.php   | 1 +
 .../app/controllers/OPNsense/HAProxy/Api/SettingsController.php  | 1 +
 3 files changed, 3 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 92a2c6d133..c27404a0d7 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -27,6 +27,7 @@ Added:
 Fixed:
 * prevent service outage by aborting "Apply" when configtest fails
 * fix direct links to individual statistics tabs
+* prevent the deletion of items that are still referenced elsewhere (core/#1897)
 
 Changed:
 * change default SSL version to TLSv1.2 (ssl-min-ver)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
index 524597aef0..6c97f4132b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
@@ -45,6 +45,7 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/HAProxy';
     protected static $internalServiceEnabled = 'general.enabled';
     protected static $internalServiceName = 'haproxy';
+    protected static $internalModelUseSafeDelete = true;
 
     /**
      * run syntax check for haproxy configuration
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index e899a083d2..1b1d79b9ec 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -44,6 +44,7 @@ class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'haproxy';
     protected static $internalModelClass = '\OPNsense\HAProxy\HAProxy';
+    protected static $internalModelUseSafeDelete = true;
 
     public function getFrontendAction($uuid = null)
     {

From 7308240cad0f398e365a53f711e0ecc00dbac50e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 23 Feb 2021 23:39:40 +0100
Subject: [PATCH 0460/3088] net/haproxy: deprecate nbproc

---
 net/haproxy/pkg-descr                                         | 3 +++
 .../app/controllers/OPNsense/HAProxy/forms/generalTuning.xml  | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index c27404a0d7..4fc52805dc 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -41,6 +41,9 @@ Changed:
 * make restart/reload commands usable in cron jobs
 * relax GUI input validation for servers, move validation to jinja template (#1975)
 
+Deprecated:
+* nbproc is deprecated and will be removed in os-haproxy 4.0
+
 2.26
 
 Fixed:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index 9fdeb1e63c..ea55662de4 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -12,9 +12,9 @@
     </field>
     <field>
         <id>haproxy.general.tuning.nbproc</id>
-        <label>HAProxy processes</label>
+        <label>HAProxy processes (DEPRECATED)</label>
         <type>text</type>
-        <help><![CDATA[Number of HAProxy processes to start.<br/><div class="text-info"><b>NOTE:</b> You may experience random issues in multi-process mode. For more information about the "nbproc" option please see the HAProxy Documentation.</div>]]></help>
+        <help><![CDATA[Number of HAProxy processes to start.<br/><div class="text-info"><b>WARNING:</b> This option is deprecated and will be removed in a future version of HAProxy, threads should be used instead.</div>]]></help>
         <advanced>true</advanced>
     </field>
     <field>

From 3bbf3303ce2a50b4d2b072aa1a18d77bc12c865d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 23 Feb 2021 23:43:13 +0100
Subject: [PATCH 0461/3088] net/haproxy: prefer the static server type, refs
 #1975

This could be useful for cases where the migration did not run as expected
and the "type" field is empty. In this case the old behaviour is enforced.

While here, fix indentation of other options.
---
 .../templates/OPNsense/HAProxy/haproxy.conf        | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 536ce0814b..2a41875e10 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1106,11 +1106,11 @@ resolvers {{resolver.id}}
 # Mailer: {{mailer.name}}
 mailers {{mailer.id}}
     timeout mail {{mailer.timeout}}s
-{%             if mailer.mailservers|default("") != "" %}
-{%               for mailserver in mailer.mailservers.split(",") %}
+{%         if mailer.mailservers|default("") != "" %}
+{%           for mailserver in mailer.mailservers.split(",") %}
     mailer {{mailserver}} {{mailserver}}
-{%               endfor %}
-{%             endif %}
+{%           endfor %}
+{%         endif %}
 
 {%       else %}
 # NOTE: Mailer {{mailer.name}} ignored: not configured in any backend
@@ -1518,10 +1518,10 @@ backend {{backend.name}}
 {%             else %}
 {#               # server type #}
 {%               set server_basics = [] %}
-{%               if server_data.type|default("") == 'static' %}
-{%                 do server_basics.append('server ' ~ server_data.name ~ ' ' ~ server_data.address) %}
-{%               else %}
+{%               if server_data.type|default("") == 'template' %}
 {%                 do server_basics.append('server-template ' ~ server_data.name ~ ' ' ~ server_data.number ~ ' ' ~ server_data.serviceName) %}
+{%               else %}
+{%                 do server_basics.append('server ' ~ server_data.name ~ ' ' ~ server_data.address) %}
 {%               endif %}
 {#               # collect optional server parameters #}
 {%               set server_options = [] %}

From 0a65d44c05ba9554e0cd1e033ee3443f50ff4d7f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 24 Feb 2021 12:14:17 +0100
Subject: [PATCH 0462/3088] net/haproxy: cleanup: remove unused parameter

---
 .../OPNsense/HAProxy/Api/StatisticsController.php           | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/StatisticsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/StatisticsController.php
index 5864728ff0..d90f272fc4 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/StatisticsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/StatisticsController.php
@@ -45,7 +45,7 @@ class StatisticsController extends ApiControllerBase
      * get info
      * @return array|mixed
      */
-    public function infoAction($zoneid = 0)
+    public function infoAction()
     {
         $backend = new Backend();
         $responseRaw = $backend->configdRun("haproxy statistics info");
@@ -57,7 +57,7 @@ public function infoAction($zoneid = 0)
      * get counters
      * @return array|mixed
      */
-    public function countersAction($zoneid = 0)
+    public function countersAction()
     {
         $backend = new Backend();
         $responseRaw = $backend->configdRun("haproxy statistics stat");
@@ -69,7 +69,7 @@ public function countersAction($zoneid = 0)
      * get tables
      * @return array|mixed
      */
-    public function tablesAction($zoneid = 0)
+    public function tablesAction()
     {
         $backend = new Backend();
         $responseRaw = $backend->configdRun("haproxy statistics table");

From b9e25ac40b2e0264e378c116fd2fb94c0c01b1c7 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 2 Mar 2021 12:19:26 +0100
Subject: [PATCH 0463/3088] net/haproxy: assorted optimizations, update
 copyright information

---
 .../OPNsense/HAProxy/Api/ServiceController.php            | 1 -
 .../OPNsense/HAProxy/Api/SettingsController.php           | 2 +-
 .../opnsense/mvc/app/views/OPNsense/HAProxy/index.volt    | 2 +-
 .../src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php | 2 +-
 .../service/templates/OPNsense/HAProxy/haproxy.conf       | 8 ++++++--
 5 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
index 6c97f4132b..524597aef0 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
@@ -45,7 +45,6 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/HAProxy';
     protected static $internalServiceEnabled = 'general.enabled';
     protected static $internalServiceName = 'haproxy';
-    protected static $internalModelUseSafeDelete = true;
 
     /**
      * run syntax check for haproxy configuration
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index 1b1d79b9ec..44ccd006c2 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2016 Frank Wall
+ *    Copyright (C) 2016-2021 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 63ff12973d..51f40d96a3 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2016-2017 Frank Wall
+Copyright (C) 2016-2021 Frank Wall
 OPNsense® is Copyright © 2014 – 2015 by Deciso B.V.
 All rights reserved.
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 7bfa268199..b28a84ecd4 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2016-2018 Frank Wall
+ * Copyright (C) 2016-2021 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * All rights reserved.
  *
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 2a41875e10..a530b0a7a1 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1627,11 +1627,15 @@ backend {{backend.name}}
 {%               if backend.linkedResolver|default("") != "" %}
 {#                 # prefer backend configuration #}
 {%                 set resolver_id = backend.linkedResolver %}
-{%                 set resolver_opts = backend.resolverOpts %}
+{%                 if backend.resolverOpts|default("") != "" %}
+{%                   set resolver_opts = backend.resolverOpts %}
+{%                 endif %}
 {%               elif server_data.linkedResolver|default("") != "" and server_data.type|default("") == 'template' %}
 {#                 # use resolver for server template #}
 {%                 set resolver_id = server_data.linkedResolver %}
-{%                 set resolver_opts = server_data.resolverOpts %}
+{%                 if server_data.resolverOpts|default("") != "" %}
+{%                   set resolver_opts = server_data.resolverOpts %}
+{%                 endif %}
 {%               endif %}
 {%               if resolver_id != '' %}
 {%                 set resolver_data = helpers.getUUID(resolver_id) %}

From b39646a842ef01da20b6bc3da23441b2c2408aa6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 2 Mar 2021 16:42:59 +0100
Subject: [PATCH 0464/3088] net/haproxy: fix direct links to individual
 maintenance tabs

---
 .../mvc/app/views/OPNsense/HAProxy/maintenance.volt   | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 9e4b0bbd70..9db0cab18b 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -425,6 +425,17 @@ POSSIBILITY OF SUCH DAMAGE.
             });
 
         });
+
+        // update history on tab state and implement navigation
+        if(window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click()
+        }
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+        $(window).on('hashchange', function(e) {
+            $('a[href="' + window.location.hash + '"]').click()
+        });
     });
 </script>
 

From 5cb97e8110cb11c34da9379ea4d5f2000edaefdf Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 2 Mar 2021 17:02:36 +0100
Subject: [PATCH 0465/3088] net/haproxy: use a consistent wording throughout
 (GUI only, backend unchanged)

While here, improve visibility of important table data in maintenance page.
---
 .../views/OPNsense/HAProxy/maintenance.volt   | 26 +++++++++----------
 .../conf/actions.d/actions_haproxy.conf       |  2 +-
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 9db0cab18b..7934afc067 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -64,7 +64,7 @@ POSSIBILITY OF SUCH DAMAGE.
             $.post('/api/haproxy/maintenance/certDiff', payload, function(data) {
                 BootstrapDialog.show({
                     type: BootstrapDialog.TYPE_INFO,
-                    title: "{{ lang._('Diff between configured and active ssl certificates') }}",
+                    title: "{{ lang._('Diff between configured and active SSL certificates') }}",
                     message: `<pre>${data}</pre>`,
                     buttons: [{
                         label: '{{ lang._('Close') }}',
@@ -80,7 +80,7 @@ POSSIBILITY OF SUCH DAMAGE.
             $.post('/api/haproxy/maintenance/certActions', payload, function(data_actions) {
                 question = ''
                 question += `<pre>${data_actions}</pre>`;
-                question += '<b>{{ lang._('Apply ssl certificates to HaProxy?') }}</b></br></br>';
+                question += '<b>{{ lang._('Apply SSL certificates to HAProxy?') }}</b></br></br>';
 
                 stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                     question,
@@ -92,7 +92,7 @@ POSSIBILITY OF SUCH DAMAGE.
                             var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
                             BootstrapDialog.show({
                                 type: BootstrapDialog.TYPE_DANGER,
-                                title: "{{ lang._('Error applying ssl certificates to HAProxy') }}",
+                                title: "{{ lang._('Error applying SSL certificates to HAProxy') }}",
                                 message: error_msg,
                                 buttons: [{
                                     label: '{{ lang._('Close') }}',
@@ -124,8 +124,8 @@ POSSIBILITY OF SUCH DAMAGE.
                 formatters: {
                     "commands": function (column, row) {
                         buttons = ""
-                        buttons += "<button type=\"button\"  data-action=\"showDiff\" title=\"{{ lang._('Show diff between configured ssl certificates and certificates from HAProxy memory.') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-info-circle\"></span></button>"
-                        buttons += " <button type=\"button\" data-action=\"applyDiff\" title=\"{{ lang._('Apply diff and sync certificates into HAProxy memory.') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-refresh\"></span></button>"
+                        buttons += "<button type=\"button\"  data-action=\"showDiff\" title=\"{{ lang._('Show diff between configured SSL certificates and certificates from running HAProxy service.') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-info-circle\"></span></button>"
+                        buttons += " <button type=\"button\" data-action=\"applyDiff\" title=\"{{ lang._('Apply diff and sync certificates into running HAProxy service.') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-refresh\"></span></button>"
                         return buttons;
                     },
                 },
@@ -202,7 +202,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
                     BootstrapDialog.show({
                         type: BootstrapDialog.TYPE_DANGER,
-                        title: "{{ lang._('Error applying ssl certificates to HAProxy') }}",
+                        title: "{{ lang._('Error applying SSL certificates to HAProxy') }}",
                         message: error_msg,
                         buttons: [{
                             label: '{{ lang._('Close') }}',
@@ -344,7 +344,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     });
                     question += '</ul>';
                     question += '<b>{{ lang._('State: ') }}' + state + '</b></br></br>';
-                    question += '{{ lang._('Set administrative state for all selected server?') }} </br></br>';
+                    question += '{{ lang._('Set administrative state for all selected servers?') }} </br></br>';
 
                     stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                         question,
@@ -389,7 +389,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     question += '<div class="form-group" style="display: block;">';
                     question += '<input class="form-control" id="newBulkWeight" value="" type="text"/>';
                     question += '</div>';
-                    question += '{{ lang._('Set weight for all selected server?') }} </br></br>';
+                    question += '{{ lang._('Set weight for all selected servers?') }} </br></br>';
 
                     stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                         question,
@@ -451,11 +451,11 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
             <tr>
                 <th data-column-id="id" data-type="string" data-identifier="true" data-visible="false">{{ lang._('id') }}</th>
-                <th data-column-id="pxname" data-type="string">{{ lang._('Proxy') }}</th>
-                <th data-column-id="svname" data-type="string">{{ lang._('Server') }}</th>
+                <th data-column-id="pxname" data-width="9em" data-type="string">{{ lang._('Virtual Service') }}</th>
+                <th data-column-id="svname" data-width="9em" data-type="string">{{ lang._('Real Server') }}</th>
                 <th data-column-id="addr" data-type="string">{{ lang._('Address') }}</th>
                 <th data-column-id="status" data-type="string">{{ lang._('Status') }}</th>
-                <th data-column-id="check_status" data-type="string">{{ lang._('Check Status') }}</th>
+                <th data-column-id="check_status" data-width="8em" data-type="string">{{ lang._('Check Status') }}</th>
                 <th data-column-id="weight" data-type="string">{{ lang._('Weight') }}</th>
                 <th data-column-id="scur" data-type="string">{{ lang._('Sessions') }}</th>
                 <th data-column-id="bin" data-type="string">{{ lang._('Bytes in') }}</th>
@@ -501,8 +501,8 @@ POSSIBILITY OF SUCH DAMAGE.
             <tr>
                 <td></td>
                 <td>
-                    <button data-action="showDiffBulk" title="{{ lang._('Show diff between configured ssl certificates and certificates from HAProxy memory for selected frontends.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-info-circle"></span></button>
-                    <button data-action="applyDiffBulk" title="{{ lang._('Apply diff and sync certificates into HAProxy memory for selected frontends.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-refresh"></span></button>
+                    <button data-action="showDiffBulk" title="{{ lang._('Show diff between configured SSL certificates and certificates from running HAProxy service for selected Public Services.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-info-circle"></span></button>
+                    <button data-action="applyDiffBulk" title="{{ lang._('Apply diff and sync certificates into running HAProxy service for selected Public Services.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-refresh"></span></button>
                 </td>
             </tr>
             </tfoot>
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index ac6bd8336e..a9f3c5b25b 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -113,7 +113,7 @@ command:configctl template reload OPNsense/HAProxy 2 > /dev/null; /usr/local/opn
 parameters:
 type:script_output
 message:Sync ssl certificates into HAProxy memory for all frontends
-description:Sync ssl certificates changes into HAProxy memory
+description:Sync SSL certificate changes into running HAProxy service
 
 [showconf]
 command:test -f /usr/local/etc/haproxy.conf.staging && cat /usr/local/etc/haproxy.conf.staging

From 89534c805a9fe52755bdbbbfa599b39ea7018876 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 3 Mar 2021 16:17:48 +0100
Subject: [PATCH 0466/3088] add pre-defined cron jobs to maintenance page

---
 net/haproxy/pkg-descr                         |   1 +
 .../HAProxy/Api/MaintenanceController.php     | 104 +++++++++++++++++-
 .../HAProxy/MaintenanceController.php         |   1 +
 .../HAProxy/forms/maintenanceCronjobs.xml     |  46 ++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  76 +++++++++++++
 .../views/OPNsense/HAProxy/maintenance.volt   |  84 +++++++++++++-
 6 files changed, 309 insertions(+), 3 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/maintenanceCronjobs.xml

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 4fc52805dc..4e83fe3062 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -23,6 +23,7 @@ Added:
 * add support for server templates (#1975)
 * add support for additional resolver options (#1975)
 * add support for resolve-prefer option (#1975)
+* add pre-defined cron jobs to maintenance page
 
 Fixed:
 * prevent service outage by aborting "Apply" when configtest fails
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
index c727e60176..1aac6f4ec7 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
@@ -31,16 +31,21 @@
 
 namespace OPNsense\HAProxy\Api;
 
-use OPNsense\Base\ApiControllerBase;
+use OPNsense\Base\ApiMutableModelControllerBase;
 use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
+use OPNsense\Cron\Cron;
 use OPNsense\HAProxy\HAProxy;
 
 /**
  * Class MaintenanceController
  * @package OPNsense\HAProxy
  */
-class MaintenanceController extends ApiControllerBase
+class MaintenanceController extends ApiMutableModelControllerBase
 {
+    protected static $internalModelName = 'haproxy';
+    protected static $internalModelClass = '\OPNsense\HAProxy\HAProxy';
+
     /**
      * jQuery bootstrap certificates diff list
      * @return array|mixed
@@ -268,4 +273,99 @@ protected function syncCerts(array $command, array $arguments = [])
         ];
     }
 
+    /**
+     * create new cron job or return already available one
+     * @return array status action
+     */
+    public function fetchCronIntegrationAction()
+    {
+        $result = array("result" => "no change");
+
+        if ($this->request->isPost()) {
+            $mdlHaproxy = $this->getModel();
+            $backend = new Backend();
+
+            // Define possible cron jobs with their configd actions
+            $cronjobs = array(
+                'syncCerts' => 'cert_sync_bulk',
+                'updateOcsp' => 'update_ocsp',
+                'reloadService' => 'reload',
+                'restartService' => 'restart',
+            );
+
+            // Iterate over all possible cron jobs
+            foreach ($cronjobs as $cron => $cron_action) {
+
+                // Name of the item that holds the cron UUID
+                $cron_ref = "${cron}Cron";
+
+                // Check if the cron job is enabled or disabled
+                if ((string)$mdlHaproxy->maintenance->cronjobs->$cron == "1") {
+                    // Check if a cron job already exists
+                    if ((string)$mdlHaproxy->maintenance->cronjobs->$cron_ref == "") {
+
+                        // Create new cron job
+                        $mdlCron = new Cron();
+                        // NOTE: Only configd actions are valid commands for cronjobs
+                        //       and they *must* provide a description that is not empty.
+                        $cron_uuid = $mdlCron->newDailyJob(
+                            "HAProxy",
+                            "haproxy ${cron_action}",
+                            "Added by HAProxy plugin",
+                            "*",
+                            "1"
+                        );
+                        $mdlHaproxy->maintenance->cronjobs->$cron_ref = $cron_uuid;
+
+                        // Save updated configuration.
+                        if ($mdlCron->performValidation()->count() == 0) {
+                            $mdlCron->serializeToConfig();
+                            // save data to config, do not validate because the current in memory model doesn't know about the
+                            // cron item just created.
+                            $mdlHaproxy->serializeToConfig($validateFullModel = false, $disable_validation = true);
+                            Config::getInstance()->save();
+                            // Refresh the crontab
+                            $backend->configdRun('template reload OPNsense/Cron');
+                            // (res)start daemon
+                            $backend->configdRun("cron restart");
+                            $this->getLogger()->error("HAProxy: successfully created cron job $cron ($cron_uuid)");
+                            $result['result'] = "new";
+                            $result['uuid'] = $cron_uuid;
+                        } else {
+                            $this->getLogger()->error("HAProxy: unable to create cron job $cron");
+                            $result['result'] = "unable to add cron";
+                        }
+                    }
+                } else {
+                    // Check if a cron job exists
+                    if ((string)$mdlHaproxy->maintenance->cronjobs->$cron_ref != "") {
+
+                        // Clean existin entry
+                        $cron_uuid = (string)$mdlHaproxy->maintenance->cronjobs->$cron_ref;
+                        $mdlHaproxy->maintenance->cronjobs->$cron_ref = "";
+
+                        // Delete the cronjob item
+                        $mdlCron = new Cron();
+                        if ($mdlCron->jobs->job->del($cron_uuid)) {
+                            // If item is removed, serialize to config and save
+                            $mdlCron->serializeToConfig();
+                            $mdlHaproxy->serializeToConfig($validateFullModel = false, $disable_validation = true);
+                            Config::getInstance()->save();
+                            // Regenerate the crontab
+                            $backend->configdRun('template reload OPNsense/Cron');
+                            // (res)start daemon
+                            $backend->configdRun("cron restart");
+                            $this->getLogger()->error("HAProxy: successfully deleted cron job $cron ($cron_uuid)");
+                            $result['result'] = "deleted";
+                        } else {
+                            $this->getLogger()->error("HAProxy: unable to delete cron job $cron ($cron_uuid)");
+                            $result['result'] = "unable to delete cron";
+                        }
+                    }
+                }
+            }
+        }
+
+        return $result;
+    }
 }
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/MaintenanceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/MaintenanceController.php
index d5a073cc78..92ef3a0511 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/MaintenanceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/MaintenanceController.php
@@ -41,5 +41,6 @@ public function indexAction()
     {
         // choose template
         $this->view->pick('OPNsense/HAProxy/maintenance');
+        $this->view->maintenanceCronjobsForm = $this->getForm("maintenanceCronjobs");
     }
 }
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/maintenanceCronjobs.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/maintenanceCronjobs.xml
new file mode 100644
index 0000000000..f9c4edf83f
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/maintenanceCronjobs.xml
@@ -0,0 +1,46 @@
+<form>
+    <field>
+        <label>Sync SSL certificate changes</label>
+        <type>header</type>
+        <style>table_cron table_cron_syncCerts</style>
+    </field>
+    <field>
+        <id>haproxy.maintenance.cronjobs.syncCerts</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help><![CDATA[Periodically sync SSL certificate changes into the running HAProxy service. This is most useful when using short-lived Let's Encrypt certificates, but changes to other certificates will also be synced. Note that when using the Let's Encrypt plugin, it is also possible to use an <a target="_blank" href="/ui/acmeclient/actions">Automation</a> instead of this cron job.]]></help>
+    </field>
+    <field>
+        <label>Update OCSP data for SSL certificates</label>
+        <type>header</type>
+        <style>table_cron table_cron_updateOcsp</style>
+    </field>
+    <field>
+        <id>haproxy.maintenance.cronjobs.updateOcsp</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help><![CDATA[Periodically fetch OCSP data for all configured SSL certificates. Note that OCSP support needs to be enabled in <a target="_blank" href="/ui/haproxy#general-settings">HAProxy service settings</a>.]]></help>
+    </field>
+    <field>
+        <label>Reload HAProxy service</label>
+        <type>header</type>
+        <style>table_cron table_cron_reloadService</style>
+    </field>
+    <field>
+        <id>haproxy.maintenance.cronjobs.reloadService</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help><![CDATA[Periodically perform a reload of the HAProxy service. This may cause a minor service disruption, depending on the configuration. A nightly reload could be used to apply configuration changes outside of business hours, or to workaround a bug.]]></help>
+    </field>
+    <field>
+        <label>Restart HAProxy service</label>
+        <type>header</type>
+        <style>table_cron table_cron_restartService</style>
+    </field>
+    <field>
+        <id>haproxy.maintenance.cronjobs.restartService</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help><![CDATA[Periodically perform a full restart of the HAProxy service. This will cause a notable service disruption. A full restart is required in some cases where a reload does not work as expected (i.e. due to long-running connections and very high timeout values).]]></help>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index e889fb8f9f..8c172b6cfd 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2815,5 +2815,81 @@
                 </hostname>
             </mailer>
         </mailers>
+        <maintenance>
+            <cronjobs>
+                <syncCerts type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </syncCerts>
+                <syncCertsCron type="ModelRelationField">
+                    <Model>
+                        <queues>
+                            <source>OPNsense.Cron.Cron</source>
+                            <items>jobs.job</items>
+                            <display>description</display>
+                            <filters>
+                                <origin>/HAProxy/</origin>
+                            </filters>
+                        </queues>
+                    </Model>
+                    <ValidationMessage>Related cron not found.</ValidationMessage>
+                    <Required>N</Required>
+                </syncCertsCron>
+                <updateOcsp type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </updateOcsp>
+                <updateOcspCron type="ModelRelationField">
+                    <Model>
+                        <queues>
+                            <source>OPNsense.Cron.Cron</source>
+                            <items>jobs.job</items>
+                            <display>description</display>
+                            <filters>
+                                <origin>/HAProxy/</origin>
+                            </filters>
+                        </queues>
+                    </Model>
+                    <ValidationMessage>Related cron not found.</ValidationMessage>
+                    <Required>N</Required>
+                </updateOcspCron>
+                <reloadService type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </reloadService>
+                <reloadServiceCron type="ModelRelationField">
+                    <Model>
+                        <queues>
+                            <source>OPNsense.Cron.Cron</source>
+                            <items>jobs.job</items>
+                            <display>description</display>
+                            <filters>
+                                <origin>/HAProxy/</origin>
+                            </filters>
+                        </queues>
+                    </Model>
+                    <ValidationMessage>Related cron not found.</ValidationMessage>
+                    <Required>N</Required>
+                </reloadServiceCron>
+                <restartService type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </restartService>
+                <restartServiceCron type="ModelRelationField">
+                    <Model>
+                        <queues>
+                            <source>OPNsense.Cron.Cron</source>
+                            <items>jobs.job</items>
+                            <display>description</display>
+                            <filters>
+                                <origin>/HAProxy/</origin>
+                            </filters>
+                        </queues>
+                    </Model>
+                    <ValidationMessage>Related cron not found.</ValidationMessage>
+                    <Required>N</Required>
+                </restartServiceCron>
+            </cronjobs>
+        </maintenance>
     </items>
 </model>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 7934afc067..159a67159a 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -28,6 +28,72 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 <script>
     $( document ).ready(function() {
+
+        // Get cronjobs
+        var cronjobs_data_get_map = {'frm_cronjobs':"/api/haproxy/maintenance/get"};
+        // load initial data
+        mapDataToFormUI(cronjobs_data_get_map).done(function(data){
+            // Add link to cron job edit page: First iterate over all cron settings.
+            // FIXME: Oh boy, this is ugly. Should be refactored.
+            $.each(data.frm_cronjobs.haproxy.maintenance.cronjobs, function(key, value) {
+                // Check if cron setting is enabled.
+                if (value == 1) {
+                    // Find the matching cron job reference.
+                    cron_cfg = key + 'Cron';
+                    $.each(data.frm_cronjobs.haproxy.maintenance.cronjobs, function(cronkey, cronvalue) {
+                        // Check if it is the correct entry for this cron setting.
+                        if (cronkey == cron_cfg) {
+                            // Get the cron job UUID.
+                            $.each(cronvalue, function(refkey, refvalue) {
+                                // Only the "selected" item belongs to this entry.
+                                if (refvalue.selected == 1) {
+                                    // Find the correct container for this cron setting.
+                                    content_id = "[id=\"haproxy.maintenance.cronjobs." + key + "\"]";
+                                    $(content_id).each(function(){
+                                        // Finally add the link to the cron job edit page.
+                                        cron_link = "<br><a href=\"/ui/cron/item/open/" + refkey + "\">{{ lang._('Configure cron job') }}</a>";
+                                        $(this).closest("td").append(cron_link);
+                                    });
+                                };
+                            });
+                        };
+                    });
+                };
+            });
+
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        // Save & reconfigure cron to activate changes
+        $('[id*="saveAndReconfigureAct"]').each(function(){
+            $(this).click(function(){
+                // set progress animation
+                $('[id*="saveAndReconfigureAct_progress"]').each(function(){
+                    $(this).addClass("fa fa-spinner fa-pulse");
+                });
+
+                // extract the form id from the button id
+                var frm_id = "frm_" + $(this).attr("id").split('_')[1]
+
+                // save data for this tab
+                saveFormToEndpoint(url="/api/haproxy/maintenance/set",formid=frm_id,callback_ok=function(){
+                    // Handle cron integration
+                    ajaxCall(url="/api/haproxy/maintenance/fetchCronIntegration", sendData={}, callback=function(data,status) {
+                    });
+
+                    // when done, disable progress animation
+                    $('[id*="saveAndReconfigureAct_progress"]').each(function(){
+                        $(this).removeClass("fa fa-spinner fa-pulse");
+                        // reload page to show or hide links to cron edit page
+                        setTimeout(function () {
+                            window.location.reload(true)
+                        }, 300);
+                    });
+                });
+            });
+        });
+
         // grid-certificates
         function syncErrorMessage(modified, deleted) {
             message = ``;
@@ -440,8 +506,9 @@ POSSIBILITY OF SUCH DAMAGE.
 </script>
 
 <ul class="nav nav-tabs" role="tablist"  id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#server"><b>{{ lang._('Server') }}</b></a></li>
+    <li class="active"><a data-toggle="tab" href="#server"><b>{{ lang._('Servers') }}</b></a></li>
     <li><a data-toggle="tab" href="#ssl-certs"><b>{{ lang._('SSL Certificates') }}</b></a></li>
+    <li><a data-toggle="tab" href="#cronjobs"><b>{{ lang._('Cron Jobs') }}</b></a></li>
 </ul>
 
 <div class="content-box tab-content">
@@ -514,6 +581,21 @@ POSSIBILITY OF SUCH DAMAGE.
             <br/>
         </div>
     </div>
+
+    <div id="cronjobs" class="tab-pane fade in">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':maintenanceCronjobsForm,'id':'frm_cronjobs'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAndReconfigureAct_cronjobs" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAndReconfigureAct_progress"></i></button>
+            </div>
+            <div class="col-md-12">
+              <br/>
+              {{ lang._('%sNOTE:%s When enabling multiple cron jobs, please adjust them so that they do not run at the same time. Check the %scron settings page%s for more cron job details and additional customization options.') | format('<b>', '</b>', '<a href="/ui/cron">', '</a>') }}
+              <br/>
+            </div>
+        </div>
+    </div>
 </div>
 
 {{ partial("layout_partials/base_dialog_processing") }}

From e2feb5e5b858c2366d69e26de0209c1e2a79af1a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 5 Mar 2021 00:05:23 +0100
Subject: [PATCH 0467/3088] net/haproxy: add inline command help, shorten
 tooltips

---
 .../views/OPNsense/HAProxy/maintenance.volt   | 44 +++++++++++++------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 159a67159a..3ab54d181c 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -51,7 +51,7 @@ POSSIBILITY OF SUCH DAMAGE.
                                     content_id = "[id=\"haproxy.maintenance.cronjobs." + key + "\"]";
                                     $(content_id).each(function(){
                                         // Finally add the link to the cron job edit page.
-                                        cron_link = "<br><a href=\"/ui/cron/item/open/" + refkey + "\">{{ lang._('Configure cron job') }}</a>";
+                                        cron_link = "<br><a href=\"/ui/cron/item/open/" + refkey + "\"><span class=\"fa fa-pencil\"></span> {{ lang._('Configure cron job') }}</a>";
                                         $(this).closest("td").append(cron_link);
                                     });
                                 };
@@ -190,8 +190,8 @@ POSSIBILITY OF SUCH DAMAGE.
                 formatters: {
                     "commands": function (column, row) {
                         buttons = ""
-                        buttons += "<button type=\"button\"  data-action=\"showDiff\" title=\"{{ lang._('Show diff between configured SSL certificates and certificates from running HAProxy service.') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-info-circle\"></span></button>"
-                        buttons += " <button type=\"button\" data-action=\"applyDiff\" title=\"{{ lang._('Apply diff and sync certificates into running HAProxy service.') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-refresh\"></span></button>"
+                        buttons += "<button type=\"button\"  data-action=\"showDiff\" title=\"{{ lang._('Show diff') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-info-circle\"></span></button>"
+                        buttons += " <button type=\"button\" data-action=\"applyDiff\" title=\"{{ lang._('Apply changes') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-refresh\"></span></button>"
                         return buttons;
                     },
                 },
@@ -300,10 +300,10 @@ POSSIBILITY OF SUCH DAMAGE.
                 formatters: {
                     "commands": function (column, row) {
                         buttons = ""
-                        buttons += "<button type=\"button\"  title=\"{{ lang._('Set administrative state to ready. Puts the server in normal mode.') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"ready\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-check\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"{{ lang._('Set administrative state to drain. Removes the server from load balancing but still allows it to be health checked and to accept new persistent connections') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"drain\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-sort-amount-desc\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"{{ lang._('Set administrative state to maintenance. Disables any traffic to the server as well as any health checks.') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"maint\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-wrench\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"{{ lang._('Change server weight.') }}\" class=\"btn btn-xs btn-default command-set-weight\" data-weight=\"" + row.weight + "\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-balance-scale\"></span></button>"
+                        buttons += "<button type=\"button\"  title=\"{{ lang._('Set state to ready') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"ready\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-check\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"{{ lang._('Set state to drain') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"drain\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-sort-amount-desc\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"{{ lang._('Set state to maintenance') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"maint\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-wrench\"></span></button>"
+                        buttons += " <button type=\"button\" title=\"{{ lang._('Change server weight') }}\" class=\"btn btn-xs btn-default command-set-weight\" data-weight=\"" + row.weight + "\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-balance-scale\"></span></button>"
                         return buttons;
                     },
                 },
@@ -539,14 +539,24 @@ POSSIBILITY OF SUCH DAMAGE.
             <tr>
                 <td></td>
                 <td>
-                    <button data-action="setStateBulk" title="{{ lang._('Set administrative state to ready for all selected items.') }}" data-state="ready" type="button" class="btn btn-xs btn-default"><span class="fa fa-check"></span></button>
-                    <button data-action="setStateBulk" title="{{ lang._('Set administrative state to drain for all selected items.') }}" data-state="drain" type="button" class="btn btn-xs btn-default"><span class="fa fa-sort-amount-desc"></span></button>
-                    <button data-action="setStateBulk" title="{{ lang._('Set administrative state to maintenance for all selected items.') }}" data-state="maint" type="button" class="btn btn-xs btn-default"><span class="fa fa-wrench"></span></button>
-                    <button data-action="setWeightBulk" title="{{ lang._('Change server weight for all selected items.') }}" data-weight="" type="button" class="btn btn-xs btn-default"><span class="fa fa-balance-scale"></span></button>
+                    <button data-action="setStateBulk" title="{{ lang._('Set state to ready (bulk)') }}" data-state="ready" type="button" class="btn btn-xs btn-default"><span class="fa fa-check"></span></button>
+                    <button data-action="setStateBulk" title="{{ lang._('Set state to drain (bulk)') }}" data-state="drain" type="button" class="btn btn-xs btn-default"><span class="fa fa-sort-amount-desc"></span></button>
+                    <button data-action="setStateBulk" title="{{ lang._('Set state to maintenance (bulk)') }}" data-state="maint" type="button" class="btn btn-xs btn-default"><span class="fa fa-wrench"></span></button>
+                    <button data-action="setWeightBulk" title="{{ lang._('Change server weight (bulk)') }}" data-weight="" type="button" class="btn btn-xs btn-default"><span class="fa fa-balance-scale"></span></button>
                 </td>
             </tr>
             </tfoot>
         </table>
+        <div class="col-md-12">
+          <p>{{ lang._("%sChoose a command to change a server's state in runtime:%s") | format('<b>', '</b>') }}</p>
+          <ul>
+            <li><span class="fa fa-check"></span> {{ lang._('%sSet state to ready:%s This puts the server in normal mode.') | format('<b>', '</b>') }}</li>
+            <li><span class="fa fa-sort-amount-desc"></span> {{ lang._('%sSet state to drain:%s This removes the server from load balancing. Health checks will continue to run and it still accepts new persistent connections.') | format('<b>', '</b>') }}</li>
+            <li><span class="fa fa-wrench"></span> {{ lang._('%sSet state to maintenance:%s This disables any traffic to the server. Health checks will also be disabled.') | format('<b>', '</b>') }}</li>
+            <li><span class="fa fa-balance-scale"></span> {{ lang._("%sChange server weight:%s Adjust the server's weight relative to other servers. Servers will receive a load proportional to their weight.") | format('<b>', '</b>') }}</li>
+          </ul>
+          <p>{{ lang._('%sNOTE:%s These changes will not be persisted across restarts of HAProxy.') | format('<b>', '</b>') }}</p>
+        </div>
     </div>
 
     <div id="ssl-certs" class="tab-pane fade in">
@@ -568,8 +578,8 @@ POSSIBILITY OF SUCH DAMAGE.
             <tr>
                 <td></td>
                 <td>
-                    <button data-action="showDiffBulk" title="{{ lang._('Show diff between configured SSL certificates and certificates from running HAProxy service for selected Public Services.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-info-circle"></span></button>
-                    <button data-action="applyDiffBulk" title="{{ lang._('Apply diff and sync certificates into running HAProxy service for selected Public Services.') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-refresh"></span></button>
+                    <button data-action="showDiffBulk" title="{{ lang._('Show diff (bulk)') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-info-circle"></span></button>
+                    <button data-action="applyDiffBulk" title="{{ lang._('Apply changes (bulk)') }}" type="button" class="btn btn-xs btn-default"><span class="fa fa-refresh"></span></button>
                 </td>
             </tr>
             </tfoot>
@@ -580,6 +590,14 @@ POSSIBILITY OF SUCH DAMAGE.
             <br/>
             <br/>
         </div>
+        <div class="col-md-12">
+          <p>{{ lang._("%sApply SSL certificate changes in runtime:%s") | format('<b>', '</b>') }}</p>
+          <ul>
+            <li><span class="fa fa-info-circle"></span> {{ lang._('%sShow diff:%s Show difference between configured SSL certificates and SSL certificates from the running HAProxy service.') | format('<b>', '</b>') }}</li>
+            <li><span class="fa fa-refresh"></span> {{ lang._('%sApply changes:%s Apply all changes by syncing all shown SSL certificates into running HAProxy service.') | format('<b>', '</b>') }}</li>
+          </ul>
+          <p>{{ lang._('%sNOTE:%s Changes can only be applied for Public Services that already exist in the running HAProxy service. When adding or removing Public Services HAProxy must be reloaded or restarted.') | format('<b>', '</b>') }}</p>
+        </div>
     </div>
 
     <div id="cronjobs" class="tab-pane fade in">

From 40e943a2f1089ef1abbb3ac51512b8beeeae771c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 5 Mar 2021 00:42:18 +0100
Subject: [PATCH 0468/3088] security/acme-client: quality of life improvements
 for cron handling, refs #2178

---
 security/acme-client/pkg-descr                         |  8 ++++++++
 .../OPNsense/AcmeClient/Api/SettingsController.php     |  6 +++++-
 .../mvc/app/views/OPNsense/AcmeClient/settings.volt    | 10 ++++++++--
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f830046bf5..0be03d6644 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,14 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+2.5
+
+Fixed:
+* ensure that the auto renewal cron job is properly disabled (#2178)
+
+Changed:
+* reload settings page to show/hide cron tab
+
 2.4
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index 3dcd37d54c..3dee7cfb25 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -86,6 +86,8 @@ public function fetchCronIntegrationAction()
                     Config::getInstance()->save();
                     // Refresh the crontab
                     $backend->configdRun('template reload OPNsense/Cron');
+                    // (res)start daemon
+                    $backend->configdRun("cron restart");
                     $result['result'] = "new";
                     $result['uuid'] = $cron_uuid;
                 } else {
@@ -99,7 +101,7 @@ public function fetchCronIntegrationAction()
             ) {
                 // Get UUID, clean existin entry
                 $cron_uuid = (string)$mdlAcme->settings->UpdateCron;
-                $mdlAcme->settings->UpdateCron = null;
+                $mdlAcme->settings->UpdateCron = "";
                 $mdlCron = new Cron();
                 // Delete the cronjob item
                 if ($mdlCron->jobs->job->del($cron_uuid)) {
@@ -109,6 +111,8 @@ public function fetchCronIntegrationAction()
                     Config::getInstance()->save();
                     // Regenerate the crontab
                     $backend->configdRun('template reload OPNsense/Cron');
+                    // (res)start daemon
+                    $backend->configdRun("cron restart");
                     $result['result'] = "deleted";
                 } else {
                     $result['result'] = "unable to delete cron";
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index bb67c87c0f..2800f4cbef 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -54,8 +54,6 @@ POSSIBILITY OF SUCH DAMAGE.
 
         // Save & reconfigure acme-client to activate changes
         $("#reconfigureAct").click(function(){
-            // TODO: reload the page afterwards to show/hide the "Schedule" tab
-
             // set progress animation
             $('[id*="reconfigureAct_progress"]').each(function(){
                 $(this).addClass("fa fa-spinner fa-pulse");
@@ -99,6 +97,10 @@ POSSIBILITY OF SUCH DAMAGE.
                                 // when done, disable progress animation
                                 $('[id*="reconfigureAct_progress"]').each(function(){
                                     $(this).removeClass("fa fa-spinner fa-pulse");
+                                    // reload page to show or hide links to cron edit page
+                                    setTimeout(function () {
+                                        window.location.reload(true)
+                                    }, 300);
                                 });
                                 dlg.close();
                             }
@@ -132,6 +134,10 @@ POSSIBILITY OF SUCH DAMAGE.
                                 // when done, disable progress animation
                                 $('[id*="reconfigureAct_progress"]').each(function(){
                                     $(this).removeClass("fa fa-spinner fa-pulse");
+                                    // reload page to show or hide links to cron edit page
+                                    setTimeout(function () {
+                                        window.location.reload(true)
+                                    }, 300);
                                 });
                             });
                         });

From de3526057cdc5e13cf9412477fbda083bfe5296f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 5 Mar 2021 00:42:46 +0100
Subject: [PATCH 0469/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 86b992e8dc..790c3b15a9 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		2.4
+PLUGIN_VERSION=		2.5
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From ca30bb9ab60572bb78951f0250bc5a9204318e8d Mon Sep 17 00:00:00 2001
From: Nicola Bonavita <n.bonavita@ereg.it>
Date: Fri, 5 Mar 2021 11:12:06 +0100
Subject: [PATCH 0470/3088] security/stunnel: Add client mode option to
 services (#2166)

---
 .../controllers/OPNsense/Stunnel/forms/dialogService.xml    | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml    | 6 +++++-
 .../service/templates/OPNsense/Stunnel/stunnel.conf         | 3 +++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
index 368810bf79..2b7f7bb649 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
@@ -60,6 +60,12 @@
             Additions may need a restart of stunnel (when the certificate was already used).
             ]]></help>
     </field>
+    <field>
+        <id>service.clientmode</id>
+        <label>Client mode</label>
+        <type>checkbox</type>
+        <help><![CDATA[Use client mode for this tunnel. Connect to an SSL server, do not act as an SSL server.]]></help>
+    </field>
     <field>
         <id>service.ciphers</id>
         <label>Ciphers</label>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index 4f5689ae84..13e2f02fd6 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Stunnel</mount>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <description>
         Stunnel TLS encryption proxy
     </description>
@@ -63,6 +63,10 @@
                     <default>0</default>
                     <Required>Y</Required>
                 </enableCRL>
+                <clientmode type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </clientmode>
                 <ciphers type="JsonKeyValueStoreField">
                     <default>TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384</default>
                     <Required>Y</Required>
diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
index d9f28b339b..8c3ee5ecca 100644
--- a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
@@ -31,6 +31,9 @@ verifyChain = yes
 CRLpath = {% if helpers.empty('OPNsense.Stunnel.general.chroot') %}/var/run/stunnel{% endif %}/certs/
 {%         endif %}
 {%       endif %}
+{% if service.clientmode|default('0') == '1' %}
+client = yes
+{% endif %}
 {%       set ciphers =[] %}
 {%       set ciphersuites =[] %}
 {%       for cipher in service.ciphers.split(',') %}

From 2267242449233888750d5df390e4bc21388927ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Mar 2021 13:46:27 +0100
Subject: [PATCH 0471/3088] net/haproxy: style adjustments

---
 .../OPNsense/HAProxy/Api/ExportController.php    | 16 ++++++++--------
 .../HAProxy/Api/MaintenanceController.php        |  3 ---
 .../app/views/OPNsense/HAProxy/maintenance.volt  |  2 +-
 3 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
index dbf6ed9152..71e1d39477 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ExportController.php
@@ -72,15 +72,15 @@ public function downloadAction($type)
         $backend = new Backend();
 
         if ($type == 'config') {
-          $result = $backend->configdRun("haproxy showconf");
-          $filename = 'haproxy.conf';
-          $filetype = 'text/plain';
-          $content = $result;
+            $result = $backend->configdRun("haproxy showconf");
+            $filename = 'haproxy.conf';
+            $filetype = 'text/plain';
+            $content = $result;
         } else {
-          $result = $backend->configdRun("haproxy exportall");
-          $filename = 'haproxy_config_export.zip';
-          $filetype = 'application/zip';
-          $content = file_get_contents('/tmp/haproxy_config_export.zip');
+            $result = $backend->configdRun("haproxy exportall");
+            $filename = 'haproxy_config_export.zip';
+            $filetype = 'application/zip';
+            $content = file_get_contents('/tmp/haproxy_config_export.zip');
         }
 
         $response = array(
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
index 1aac6f4ec7..e62d995273 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/MaintenanceController.php
@@ -295,7 +295,6 @@ public function fetchCronIntegrationAction()
 
             // Iterate over all possible cron jobs
             foreach ($cronjobs as $cron => $cron_action) {
-
                 // Name of the item that holds the cron UUID
                 $cron_ref = "${cron}Cron";
 
@@ -303,7 +302,6 @@ public function fetchCronIntegrationAction()
                 if ((string)$mdlHaproxy->maintenance->cronjobs->$cron == "1") {
                     // Check if a cron job already exists
                     if ((string)$mdlHaproxy->maintenance->cronjobs->$cron_ref == "") {
-
                         // Create new cron job
                         $mdlCron = new Cron();
                         // NOTE: Only configd actions are valid commands for cronjobs
@@ -339,7 +337,6 @@ public function fetchCronIntegrationAction()
                 } else {
                     // Check if a cron job exists
                     if ((string)$mdlHaproxy->maintenance->cronjobs->$cron_ref != "") {
-
                         // Clean existin entry
                         $cron_uuid = (string)$mdlHaproxy->maintenance->cronjobs->$cron_ref;
                         $mdlHaproxy->maintenance->cronjobs->$cron_ref = "";
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 3ab54d181c..ae75d8a20f 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -210,7 +210,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 var row_id = $(this).data("row-id");
                 var rows = $("#grid-certificates").bootgrid("getCurrentRows");
                 var row =  rows.filter(function(row) {
-                	return row.id == row_id;
+			return row.id == row_id;
                 })[0];
                 var requested_count = row.total_count;
                 var frontend_ids = row.id

From 83f0b8904918e2d9368c85f12039b5ee015a01c2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Mar 2021 13:46:43 +0100
Subject: [PATCH 0472/3088] www/nginx: style adjustments

---
 .../opnsense/scripts/nginx/ngx_autoblock.php    | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
index 4c7b712da9..dd953087f7 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
@@ -59,8 +59,9 @@ function exec_hidden($command): void
 
 function modify_blocklist($tablename, array $allIps, $operation = "add"): void
 {
-    if (empty($allIps) || !in_array($operation, ["add", "delete"]))
+    if (empty($allIps) || !in_array($operation, ["add", "delete"])) {
         return;
+    }
 
     $tablename = escapeshellarg($tablename);
     $operation = escapeshellarg($operation);
@@ -91,8 +92,9 @@ function read_all_from_blocklist($tablename)
     $process = proc_open("/sbin/pfctl -t ${tablename} -T show", $descriptorspec, $pipes);
     if (is_resource($process)) {
         $ips = [];
-        while ($ip = fgets($pipes[1], 96))
+        while ($ip = fgets($pipes[1], 96)) {
             $ips[] = strtolower(trim($ip));
+        }
 
         fclose($pipes[1]);
         proc_close($process);
@@ -152,10 +154,11 @@ function create_work_files($include_tls_handshake)
         foreach ($mapping as $source => $target) {
             // Check if we already processing $target in another process and skip it if not stale
             if (file_exists($target)) {
-                if (time() - (@filemtime($target) ?: 0) > (5 * 60))
+                if (time() - (@filemtime($target) ?: 0) > (5 * 60)) {
                     @unlink($target);
-                else
+                } else {
                     continue;
+                }
             }
 
             // Try to create work and log on failure
@@ -179,8 +182,9 @@ function create_work_files($include_tls_handshake)
 
 function cleanup_work_files($work_files)
 {
-    foreach ($work_files as $file)
+    foreach ($work_files as $file) {
         @unlink($file);
+    }
 }
 
 // Checking if our sources are modified and create work files as needed (do nothing if sources are unchanged)
@@ -199,8 +203,9 @@ function cleanup_work_files($work_files)
 
         // Store state
         if (!empty($work_files)) {
-            if (!is_array($state))
+            if (!is_array($state)) {
                 $state = [];
+            }
             $state["sources"] = get_files_lastmodified(array_keys($sources));
             @file_put_contents(STATE_FILE, json_encode($state));
         }

From 7845166d0d3a32b2f9a63dda7341790c5376fab3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Mar 2021 13:52:44 +0100
Subject: [PATCH 0473/3088] security/stunnel: new version

---
 security/stunnel/Makefile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 4cbdf5bc41..6ddef16665 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,7 +1,6 @@
 PLUGIN_NAME=		stunnel
-PLUGIN_VERSION=		1.0.2
-PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		stunnel TLS proxy
+PLUGIN_VERSION=		1.0.3
+PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
 

From f0ec64d1304558295f1bfbea2cf97d619684a228 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Mar 2021 13:56:05 +0100
Subject: [PATCH 0474/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e970151c0e..b5698e1495 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs r
 security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
-security/stunnel -- stunnel TLS proxy
+security/stunnel -- Stunnel TLS proxy
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 sysutils/api-backup -- Provide the functionality to download the config.xml

From 5b7b779e3f5cdb0cebdb98a67023029c4c348116 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 5 Mar 2021 23:50:44 +0100
Subject: [PATCH 0475/3088] security/acme-client: update acme.sh URLs to
 acmesh-official

---
 .../OPNsense/AcmeClient/forms/dialogCertificate.xml           | 4 ++--
 .../mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php | 4 ++--
 .../opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt  | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index e387fc7866..ee0eb8dafe 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -101,7 +101,7 @@
         <id>certificate.domainalias</id>
         <label>Domain Alias</label>
         <type>text</type>
-        <help><![CDATA[When setting DNS alias mode to "Domain Alias", enter the domain name that should be used for certificate validation. Please refer to the <a href="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode">acme.sh documentation</a> for further information.]]></help>
+        <help><![CDATA[When setting DNS alias mode to "Domain Alias", enter the domain name that should be used for certificate validation. Please refer to the <a href="https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode">acme.sh documentation</a> for further information.]]></help>
     </field>
     <field>
         <label>DNS Alias Mode</label>
@@ -112,6 +112,6 @@
         <id>certificate.challengealias</id>
         <label>Challenge Alias</label>
         <type>text</type>
-        <help><![CDATA[When setting DNS alias mode to "Challenge Alias", enter the domain name that should be used for certificate validation. Please refer to the <a href="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode">acme.sh documentation</a> for further information.]]></help>
+        <help><![CDATA[When setting DNS alias mode to "Challenge Alias", enter the domain name that should be used for certificate validation. Please refer to the <a href="https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode">acme.sh documentation</a> for further information.]]></help>
     </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index a541584ac1..a694432288 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -232,7 +232,7 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
         $this->acme_args[] = LeUtils::execSafe('--domain %s', $certname);
 
         // Main domain: Use DNS alias mode for domain validation?
-        // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
+        // https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
         if ($this->getMethod() == 'dns01') {
             switch ((string)$aliasmode) {
                 case 'automatic':
@@ -256,7 +256,7 @@ public function setNames(string $certname, string $altnames = '', string $aliasm
                 $this->acme_args[] = LeUtils::execSafe('--domain %s', $altname);
 
                 // altNames: Use DNS alias mode for domain validation?
-                // https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
+                // https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
                 if ($this->getMethod() == 'dns01') {
                     switch ((string)$this->cert_aliasmode) {
                         case 'automatic':
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index 2800f4cbef..2d1b034e74 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -252,7 +252,7 @@ POSSIBILITY OF SUCH DAMAGE.
         {{ lang._('Please use the %sissue tracker%s to report bugs or request new features.') | format('<a href="https://github.com/opnsense/plugins/issues">', '</a>') }}
         <br/>
         <br/>
-        <p>{{ lang._('This plugin includes code from the %s project.') | format('<a href="https://github.com/Neilpang/acme.sh">Neilpang/acme.sh</a>' ) }} {{ lang._('Licensed under GPLv3.') }}<br/>{{ lang._('Let"s Encrypt(tm) is a trademark of the Internet Security Research Group. All rights reserved.') }}</p>
+        <p>{{ lang._('This plugin includes code from the %s project.') | format('<a href="https://github.com/acmesh-official/acme.sh">acmesh-official/acme.sh</a>' ) }} {{ lang._('Licensed under GPLv3.') }}<br/>{{ lang._('Let"s Encrypt(tm) is a trademark of the Internet Security Research Group. All rights reserved.') }}</p>
         <br/>
     </div>
 </div>

From cea04d9795c8f00305ba785525f9f40265c96cc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Wed, 10 Mar 2021 17:28:33 +0100
Subject: [PATCH 0476/3088] Theme Cicada/Vicuna little design update (#2251)

---
 misc/theme-cicada/Makefile                    |  2 +-
 .../cicada/assets/stylesheets/main.scss       | 25 +++++++++---
 .../www/themes/cicada/build/css/main.css      | 23 ++++++++---
 misc/theme-vicuna/Makefile                    |  2 +-
 .../vicuna/assets/stylesheets/main.scss       | 40 +++++++++++++------
 .../www/themes/vicuna/build/css/main.css      | 40 ++++++++++++-------
 6 files changed, 93 insertions(+), 39 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index bfe671f7dc..33e19692fc 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.27
+PLUGIN_VERSION=		1.28
 PLUGIN_COMMENT=		The cicada theme - dark grey
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index 2e4f3edf7a..bd810ace9d 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -1453,7 +1453,8 @@ h6 {
 }
 
 h1, .h1 {
-  font-size: 23px;
+  font-size: 22px;
+  text-transform: uppercase;
 }
 
 h2, .h2 {
@@ -9155,7 +9156,7 @@ button.close {
 
 .show {
   display: block !important;
-  color: #B3B3B3;
+  color: #22C400;
 }
 
 .invisible {
@@ -9465,7 +9466,7 @@ body {
     border-radius: 0;
     min-height: 47px;
     height: auto;
-    padding: 6px 14px 5px 14px;
+    padding: 7px 14px 5px 14px;
     -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
     box-shadow: 0 3px 4px rgb(23, 23, 23);
   }
@@ -9490,7 +9491,7 @@ body {
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 9px 0px 21px 0px;
+  padding: 7px 0px 21px 0px;
 }
 
 .page-side {
@@ -10026,7 +10027,7 @@ button.toggle-sidebar {
 }
 
 .table > tbody > tr > td:last-child {
-  padding-right: 15px;
+  padding-right: 5px;
 }
 
 /* helpers */
@@ -10643,3 +10644,17 @@ ul.jqtree-tree {
 .table.border {
   border: 1px solid #191919 !important;
 }
+
+.rule.text-muted > td {
+  &:nth-child(1n+3) {
+    text-decoration: line-through;
+  }
+
+  &:last-child {
+    text-decoration: none;
+  }
+}
+
+#reports-tab {
+  border-bottom: 1px solid #191919;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 919e308ea3..41b44822a9 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -1050,7 +1050,8 @@ h6, .h6 {
     font-size: 75%; }
 
 h1, .h1 {
-  font-size: 23px; }
+  font-size: 22px;
+  text-transform: uppercase; }
 
 h2, .h2 {
   font-size: 16px; }
@@ -5505,7 +5506,7 @@ button.close {
 
 .show {
   display: block !important;
-  color:#B3B3B3;}
+  color: #22C400; }
 
 .invisible {
   visibility: hidden; }
@@ -5743,7 +5744,7 @@ body {
   border-radius: 0;
   min-height: 47px;
   height: auto;
-  padding: 6px 14px 5px 14px;
+  padding: 7px 14px 5px 14px;
   -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
   box-shadow: 0 3px 4px rgb(23, 23, 23); }
 .page-content-head, .content-box-head {
@@ -5757,7 +5758,7 @@ body {
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 9px 0px 21px 0px; }
+  padding: 7px 0px 21px 0px; }
 
 .page-side {
   background: #202020;
@@ -6144,7 +6145,7 @@ button.toggle-sidebar {
   font-weight: normal; }
 
 .table > tbody > tr > td:last-child {
-padding-right: 15px; }
+  padding-right: 5px; }
 
 /* helpers */
 .__nowrap {
@@ -6620,3 +6621,15 @@ ul.jqtree-tree .jqtree-title {
 .table.border {
   border: 1px solid #191919 !important;
 }
+
+.rule.text-muted > td:nth-child(1n+3) {
+  text-decoration: line-through;
+}
+
+.rule.text-muted > td:last-child {
+  text-decoration:none;
+}
+
+#reports-tab {
+    border-bottom: 1px solid #191919;
+}
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 7c1be4db2f..0bfdb6476c 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		The vicuna theme - dark anthrazit
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 3d05ec02f6..0ef531fdf7 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -8,7 +8,6 @@
   padding-right: 1px !important;
   padding-left: 5px !important;
   min-height: 25px !important;
-  border: 1px solid #191919;
 
   .btn-group .btn {
     color: #FFFFFF !important;
@@ -756,7 +755,7 @@ td, th {
 
 .glyphicon-arrow-up:before {
   content: "\e093";
-  color: #1d511c !important;
+  color: #196a18 !important;
 }
 
 .glyphicon-arrow-down:before {
@@ -1082,7 +1081,7 @@ td, th {
 
 .glyphicon-transfer:before {
   content: "\e178";
-  color: #1d511c !important;
+  color: #196a18 !important;
 }
 
 .glyphicon-cutlery:before {
@@ -1453,7 +1452,8 @@ h6 {
 }
 
 h1, .h1 {
-  font-size: 23px;
+  font-size: 22px;
+  text-transform: uppercase;
 }
 
 h2, .h2 {
@@ -1552,7 +1552,7 @@ a.text-primary:hover {
 }
 
 .text-success {
-  color: #027700;
+  color: #05a202;
 }
 
 a.text-success:hover {
@@ -7279,12 +7279,12 @@ a.label {
 }
 
 .label-success {
-  background-color: #1d511c;
+  background-color: #196a18;
   border-color: #191919;
 
   &[href] {
     &:hover, &:focus {
-      background-color: #1d511c;
+      background-color: #196a18;
       border-color: #191919;
     }
   }
@@ -7633,7 +7633,7 @@ a.thumbnail {
 }
 
 .progress-bar-success {
-  background-color: #1d511c;
+  background-color: #196a18;
 }
 
 .progress-striped .progress-bar-success {
@@ -9263,7 +9263,7 @@ button.close {
 
 .show {
   display: block !important;
-  color: #757575;
+  color: #22C400;
 }
 
 .invisible {
@@ -9571,10 +9571,10 @@ body {
     margin-left: 20px;
     margin-right: 20px;
     border-top: 1px solid #191919;
-    border-radius: 3px;
+    border-radius: 0;
     min-height: 47px;
     height: auto;
-    padding: 6px 14px 5px 14px;
+    padding: 7px 14px 5px 14px;
     -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
     box-shadow: 0 3px 4px rgb(23, 23, 23);
   }
@@ -9601,7 +9601,7 @@ body {
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 9px 0px 21px 0px;
+  padding: 10px 0px 21px 0px;
 }
 
 .page-side {
@@ -10156,7 +10156,7 @@ button.toggle-sidebar {
 }
 
 .table > tbody > tr > td:last-child {
-  padding-right: 15px;
+  padding-right: 5px;
 }
 
 /* helpers */
@@ -10766,3 +10766,17 @@ ul.jqtree-tree {
 .table.border {
   border: 1px solid #181818 !important;
 }
+
+.rule.text-muted > td {
+  &:nth-child(1n+3) {
+    text-decoration: line-through;
+  }
+
+  &:last-child {
+    text-decoration: none;
+  }
+}
+
+#reports-tab {
+  border-bottom: 1px solid #191919;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 8234f124a8..5fc68c4414 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -6,8 +6,7 @@
   padding-top: 1px !important;
   padding-right: 1px !important;
   padding-left: 5px !important;
-  min-height: 25px !important;
-  border: 1px solid #191919; }
+  min-height: 25px !important; }
 
   .widgetdiv .content-box-head .btn-group .btn {
     color: #FFFFFF !important;
@@ -596,7 +595,7 @@ th {
 
 .glyphicon-arrow-up:before {
   content: "\e093";
-  color: #1d511c !important; }
+  color: #196a18 !important; }
 
 .glyphicon-arrow-down:before {
   content: "\e094";
@@ -841,7 +840,7 @@ th {
 
 .glyphicon-transfer:before {
   content: "\e178";
-  color:#1d511c !important; }
+  color:#196a18 !important; }
 
 .glyphicon-cutlery:before {
   content: "\e179"; }
@@ -1051,7 +1050,8 @@ h6, .h6 {
     font-size: 75%; }
 
 h1, .h1 {
-  font-size: 23px; }
+  font-size: 22px;
+  text-transform: uppercase; }
 
 h2, .h2 {
   font-size: 16px; }
@@ -1127,7 +1127,7 @@ a.text-primary:hover {
   color: #b85904; }
 
 .text-success {
-  color: #027700; }
+  color: #05a202; }
 
 a.text-success:hover {
   color: #7fc54f; }
@@ -4209,10 +4209,10 @@ a.label:hover, a.label:focus {
 
 
 .label-success {
-  background-color: #1d511c;
+  background-color: #196a18;
   border-color: #191919;}
   .label-success[href]:hover, .label-success[href]:focus {
-    background-color: #1d511c;
+    background-color: #196a18;
     border-color: #191919;	}
 
 
@@ -4452,7 +4452,7 @@ a.thumbnail.active {
   box-shadow: none; }
 
 .progress-bar-success {
-  background-color: #1d511c; }
+  background-color: #196a18; }
   .progress-striped .progress-bar-success {
     background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
     background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
@@ -5486,7 +5486,7 @@ button.close {
 
 .show {
   display: block !important;
-  color:#757575;}
+  color: #22C400; }
 
 .invisible {
   visibility: hidden; }
@@ -5724,10 +5724,10 @@ body {
   margin-left: 20px;
   margin-right: 20px;
   border-top: 1px solid #191919;
-  border-radius: 3px;
+  border-radius: 0;
   min-height: 47px;
   height:auto;
-  padding: 6px 14px 5px 14px;
+  padding: 7px 14px 5px 14px;
   -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
   box-shadow: 0 3px 4px rgb(23, 23, 23); }
 
@@ -5743,7 +5743,7 @@ body {
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 9px 0px 21px 0px; }
+  padding: 10px 0px 21px 0px; }
 
 .page-side {
   background: #172229;
@@ -6132,7 +6132,7 @@ button.toggle-sidebar {
   font-weight: normal; }
 
 .table > tbody > tr > td:last-child {
-padding-right: 15px; }
+  padding-right: 5px; }
 
 /* helpers */
 .__nowrap {
@@ -6583,3 +6583,15 @@ ul.jqtree-tree .jqtree-title {
 .table.border {
   border: 1px solid #181818 !important;
 }
+
+.rule.text-muted > td:nth-child(1n+3) {
+  text-decoration: line-through;
+}
+
+.rule.text-muted > td:last-child {
+  text-decoration:none;
+}
+
+#reports-tab {
+    border-bottom: 1px solid #191919;
+}

From e7eed12d7b2c3fbcc71719e430a3382da6c4796f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Wed, 10 Mar 2021 17:33:16 +0100
Subject: [PATCH 0477/3088] Theme/Tukan - color redesign (#2249)

---
 misc/theme-tukan/Makefile                     |     2 +-
 .../stylesheets/bootstrap-select-1.13.3.scss  |    59 +-
 .../themes/tukan/assets/stylesheets/main.scss | 11667 +++++-----------
 .../tukan/assets/stylesheets/tokenizer2.scss  |    32 +-
 .../build/css/bootstrap-select-1.13.3.css     |     2 +-
 .../tukan/build/css/jquery.bootgrid.css       |     6 +-
 .../www/themes/tukan/build/css/main.css       |   297 +-
 .../build/css/pick-a-color-1.2.3.min.css      |     4 +-
 .../www/themes/tukan/build/css/tokenize2.css  |     8 +-
 .../www/themes/tukan/build/images/caret.png   |   Bin 1219 -> 2935 bytes
 10 files changed, 4024 insertions(+), 8053 deletions(-)

diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 9408a172ae..4d9f9cc95b 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.24
+PLUGIN_VERSION=		1.25
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select-1.13.3.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select-1.13.3.scss
index 150b35e363..6d3fa13e9f 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select-1.13.3.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select-1.13.3.scss
@@ -11,7 +11,9 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
 
 .bootstrap-select {
   width: 348px \0;
+
   /*IE9 and below*/
+
   > {
     .dropdown-toggle {
       position: relative;
@@ -19,16 +21,20 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       z-index: 1;
       text-align: right;
       white-space: nowrap;
+
       &.bs-placeholder {
-        color: #fff;
+        color: #000;
+
         &:hover, &:focus, &:active {
-          color: #fff;
+          color: #000;
         }
+
         &.btn-primary, &.btn-secondary, &.btn-success, &.btn-danger, &.btn-info, &.btn-dark, &.btn-primary:hover, &.btn-secondary:hover, &.btn-success:hover, &.btn-danger:hover, &.btn-info:hover, &.btn-dark:hover, &.btn-primary:focus, &.btn-secondary:focus, &.btn-success:focus, &.btn-danger:focus, &.btn-info:focus, &.btn-dark:focus, &.btn-primary:active, &.btn-secondary:active, &.btn-success:active, &.btn-danger:active, &.btn-info:active, &.btn-dark:active {
           color: #ffffff;
         }
       }
     }
+
     select {
       position: absolute !important;
       bottom: 0;
@@ -39,6 +45,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       padding: 0 !important;
       opacity: 0 !important;
       border: none;
+
       &.mobile-device {
         top: 0;
         left: 0;
@@ -62,9 +69,11 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   &.fit-width {
     width: auto !important;
   }
+
   &:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
     width: 348px;
   }
+
   &.form-control {
     margin-bottom: 0;
     padding: 0;
@@ -79,15 +88,18 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
 .bootstrap-select {
   &.form-control.input-group-btn {
     z-index: auto;
+
     &:not(:first-child):not(:last-child) > .btn {
       border-radius: 0;
     }
   }
+
   &:not(.input-group-btn), &[class*="col-"] {
     float: none;
     display: inline-block;
     margin-left: 0;
   }
+
   &.dropdown-menu-right, &[class*="col-"].dropdown-menu-right {
     float: right;
   }
@@ -118,9 +130,11 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
     line-height: inherit;
     border-radius: inherit;
   }
+
   &.form-control-sm .dropdown-toggle {
     padding: 0.25rem 0.5rem;
   }
+
   &.form-control-lg .dropdown-toggle {
     padding: 0.5rem 1rem;
   }
@@ -133,31 +147,38 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
 .bootstrap-select {
   &.disabled {
     cursor: not-allowed;
+
     &:focus {
       outline: none !important;
     }
   }
+
   > .disabled {
     cursor: not-allowed;
   }
+
   > .disabled:focus {
     outline: none !important;
   }
+
   &.bs-container {
     position: absolute;
     top: 0;
     left: 0;
     height: 0 !important;
     padding: 0 !important;
+
     .dropdown-menu {
       z-index: 1060;
     }
   }
+
   .dropdown-toggle {
     &:before {
       content: '';
       display: inline-block;
     }
+
     .filter-option {
       position: absolute;
       top: 0;
@@ -170,12 +191,15 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       width: 100%;
       text-align: left;
     }
+
     .filter-option-inner {
       padding-right: inherit;
     }
+
     .filter-option-inner-inner {
       overflow: hidden;
     }
+
     .caret {
       position: absolute;
       top: 50%;
@@ -194,14 +218,17 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   &[class*="col-"] .dropdown-toggle {
     width: 100%;
   }
+
   .dropdown-menu {
     min-width: 100%;
     -webkit-box-sizing: border-box;
     -moz-box-sizing: border-box;
     box-sizing: border-box;
+
     > .inner:focus {
       outline: none !important;
     }
+
     &.inner {
       position: static;
       float: none;
@@ -212,37 +239,46 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       -webkit-box-shadow: none;
       box-shadow: none;
     }
+
     li {
       position: relative;
+
       &.active small {
         color: rgba(255, 255, 255, 0.5) !important;
       }
+
       &.disabled a {
         cursor: not-allowed;
       }
+
       a {
         cursor: pointer;
         -webkit-user-select: none;
         -moz-user-select: none;
         -ms-user-select: none;
         user-select: none;
+
         &.opt {
           position: relative;
           padding-left: 2.25em;
         }
+
         span {
           &.check-mark {
             display: none;
           }
+
           &.text {
             display: inline-block;
           }
         }
       }
+
       small {
         padding-left: 0.5em;
       }
     }
+
     .notify {
       position: absolute;
       bottom: 5px;
@@ -261,27 +297,32 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       box-sizing: border-box;
     }
   }
+
   .no-results {
     padding: 3px;
     background: #f5f5f5;
     margin: 0 5px;
     white-space: nowrap;
   }
+
   &.fit-width .dropdown-toggle {
     .filter-option {
       position: static;
       display: inline;
       padding: 0;
     }
+
     .filter-option-inner, .filter-option-inner-inner {
       display: inline;
     }
+
     .caret {
       position: static;
       top: auto;
       margin-top: -1px;
     }
   }
+
   &.show-tick .dropdown-menu {
     .selected span.check-mark {
       position: absolute;
@@ -289,10 +330,12 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       right: 15px;
       top: 5px;
     }
+
     li a span.text {
       margin-right: 34px;
     }
   }
+
   .bs-ok-default:after {
     content: '';
     display: block;
@@ -305,10 +348,12 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
     -o-transform: rotate(45deg);
     transform: rotate(45deg);
   }
+
   &.show-menu-arrow {
     &.open > .dropdown-toggle, &.show > .dropdown-toggle {
       z-index: 1061;
     }
+
     .dropdown-toggle .filter-option {
       &:before {
         content: '';
@@ -320,6 +365,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
         left: 9px;
         display: none;
       }
+
       &:after {
         content: '';
         border-left: 6px solid transparent;
@@ -331,6 +377,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
         display: none;
       }
     }
+
     &.dropup .dropdown-toggle .filter-option {
       &:before {
         bottom: auto;
@@ -338,6 +385,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
         border-top: 7px solid rgba(204, 204, 204, 0.2);
         border-bottom: 0;
       }
+
       &:after {
         bottom: auto;
         top: -4px;
@@ -345,16 +393,19 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
         border-bottom: 0;
       }
     }
+
     &.pull-right .dropdown-toggle .filter-option {
       &:before {
         right: 12px;
         left: auto;
       }
+
       &:after {
         right: 13px;
         left: auto;
       }
     }
+
     &.open > .dropdown-toggle .filter-option:before, &.show > .dropdown-toggle .filter-option:before, &.open > .dropdown-toggle .filter-option:after, &.show > .dropdown-toggle .filter-option:after {
       display: block;
     }
@@ -370,6 +421,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
   box-sizing: border-box;
+
   .btn-group button {
     width: 50%;
   }
@@ -381,6 +433,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
   box-sizing: border-box;
+
   .btn-group button {
     width: 100%;
   }
@@ -390,6 +443,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   + .bs-actionsbox {
     padding: 0 8px 4px;
   }
+
   .form-control {
     margin-bottom: 0;
     width: 100%;
@@ -405,6 +459,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   .dropdown-menu > li > a {
     padding: 3px 20px 3px 30px;
   }
+
   &.show-tick .dropdown-menu .selected span.check-mark {
     left: 10px;
   }
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
index 9319aaa62a..f99129bc81 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
@@ -1,357 +1,296 @@
 @charset "UTF-8";
-
 .widgetdiv .content-box-head {
-  background: #294c5f !important;
+  background: #354248 !important;
   color: #FFF !important;
   padding-bottom: 1px !important;
   padding-top: 1px !important;
   padding-right: 1px !important;
-  padding-left: 5px !important;
+  padding-left: 4px !important;
   min-height: 25px !important;
-  border: 1px solid #fff;
+  border: 1px solid #2f2f2f; }
 
-  .btn-group .btn {
+  .widgetdiv .content-box-head .btn-group .btn {
     color: #FFFFFF !important;
     background: none;
-    border: 0px;
-
-    .glyphicon {
-      color: #FFFFFF !important;
-    }
-  }
-
-  .list-inline li > h3 {
-    padding-top: 4px;
-  }
-}
+    border: 0px; }
+    .widgetdiv .content-box-head .btn-group .btn .glyphicon {
+      color: #FFFFFF !important; }
+  .widgetdiv .content-box-head .list-inline li > h3 {
+    padding-top: 4px; }
 
 @font-face {
   font-family: 'SourceSansProBold';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype");
-}
-
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype"); }
 @font-face {
   font-family: 'SourceSansProSemibold';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype");
-}
-
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype"); }
 @font-face {
   font-family: 'SourceSansProRegular';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype");
-}
-
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype"); }
+  
 /*! normalize.css v3.0.1 | MIT License | git.io/normalize */
-
-table html {
+table
+html {
   font-family: sans-serif;
   -ms-text-size-adjust: 100%;
-  -webkit-text-size-adjust: 100%;
-}
+  -webkit-text-size-adjust: 100%; }
 
 body {
-  margin: 0;
-}
-
-article, aside, details, figcaption, figure, footer, header, hgroup, main, nav, section, summary {
-  display: block;
-}
-
-audio, canvas, progress, video {
+  margin: 0; }
+
+article,
+aside,
+details,
+figcaption,
+figure,
+footer,
+header,
+hgroup,
+main,
+nav,
+section,
+summary {
+  display: block; }
+
+audio,
+canvas,
+progress,
+video {
   display: inline-block;
-  vertical-align: baseline;
-}
+  vertical-align: baseline; }
 
 audio:not([controls]) {
   display: none;
-  height: 0;
-}
+  height: 0; }
 
-[hidden], template {
-  display: none;
-}
+[hidden],
+template {
+  display: none; }
 
 a {
-  color: #FF6C06;
+  color: #D95E04;
   text-decoration: none;
   background: transparent;
-  outline: 0;
+  outline: 0;  }
 
-  &:link, &:active {
-    outline: 0;
-  }
+  a:link, a:active {
+	outline: 0; }
 
-  &:hover, &:focus {
-    color: #FF6C06;
-    text-decoration: underline;
-  }
-}
+  a:hover, a:focus {
+    color: #D95E04;
+    text-decoration: underline; }
 
 abbr[title] {
-  border-bottom: 1px dotted;
-}
+  border-bottom: 1px dotted; }
 
-b, strong {
-  font-weight: bold;
-}
+b,
+strong {
+  font-weight: bold; }
 
 dfn {
-  font-style: italic;
-}
+  font-style: italic; }
 
 h1 {
-  font-size: 2em;
-  margin: 0.67em 0;
-}
+  font-size: 8em;
+  margin: 0.67em 0; }
 
 mark {
   background: #ff0;
-  color: #000;
-}
+  color: #000; }
 
 small {
-  font-size: 80%;
-}
+  font-size: 80%; }
 
-sub {
+sub,
+sup {
   font-size: 75%;
   line-height: 0;
   position: relative;
-  vertical-align: baseline;
-}
+  vertical-align: baseline; }
 
 sup {
-  font-size: 75%;
-  line-height: 0;
-  position: relative;
-  vertical-align: baseline;
-  top: -0.5em;
-}
+  top: -0.5em; }
 
 sub {
-  bottom: -0.25em;
-}
+  bottom: -0.25em; }
 
 img {
-  border: 0;
-}
+  border: 0; }
 
 svg:not(:root) {
-  overflow: hidden;
-}
+  overflow: hidden; }
 
 figure {
-  margin: 1em 40px;
-}
+  margin: 1em 40px; }
 
 hr {
   -moz-box-sizing: content-box;
   box-sizing: content-box;
-  height: 0;
-}
+  height: 0; }
 
 pre {
-  overflow: auto;
-}
+  overflow: auto; }
 
-code, kbd, pre, samp {
+code,
+kbd,
+pre,
+samp {
   font-family: monospace, monospace;
-  font-size: 1em;
-}
+  font-size: 1em; }
 
-button, input, optgroup, select, textarea {
+button,
+input,
+optgroup,
+select,
+textarea {
   color: inherit;
   font: inherit;
-  margin: 0;
-}
+  margin: 0; }
 
 button {
-  overflow: visible;
-  text-transform: none;
-}
+  overflow: visible; }
 
+button,
 select {
-  text-transform: none;
-}
+  text-transform: none; }
 
-button, html input[type="button"] {
+button,
+html input[type="button"],
+input[type="reset"],
+input[type="submit"] {
   -webkit-appearance: button;
-  cursor: pointer;
-}
-
-input {
-  &[type="reset"], &[type="submit"] {
-    -webkit-appearance: button;
-    cursor: pointer;
-  }
-}
+  cursor: pointer; }
 
-button[disabled], html input[disabled] {
-  cursor: default;
-}
+button[disabled],
+html input[disabled] {
+  cursor: default; }
 
-button::-moz-focus-inner {
+button::-moz-focus-inner,
+input::-moz-focus-inner {
   border: 0;
-  padding: 0;
-}
+  padding: 0; }
 
 input {
-  &::-moz-focus-inner {
-    border: 0;
-    padding: 0;
-  }
+  line-height: normal; }
 
-  line-height: normal;
+input[type="checkbox"],
+input[type="radio"] {
+  box-sizing: border-box;
+  padding: 0; }
 
-  &[type="checkbox"], &[type="radio"] {
-    box-sizing: border-box;
-    padding: 0;
-  }
+input[type="number"]::-webkit-inner-spin-button,
+input[type="number"]::-webkit-outer-spin-button {
+  height: auto; }
 
-  &[type="number"] {
-    &::-webkit-inner-spin-button, &::-webkit-outer-spin-button {
-      height: auto;
-    }
-  }
-
-  &[type="search"] {
-    -webkit-appearance: textfield;
-    -moz-box-sizing: content-box;
-    -webkit-box-sizing: content-box;
-    box-sizing: content-box;
-
-    &::-webkit-search-cancel-button, &::-webkit-search-decoration {
-      -webkit-appearance: none;
-    }
-  }
-}
+input[type="search"] {
+  -webkit-appearance: textfield;
+  -moz-box-sizing: content-box;
+  -webkit-box-sizing: content-box;
+  box-sizing: content-box; }
+
+input[type="search"]::-webkit-search-cancel-button,
+input[type="search"]::-webkit-search-decoration {
+  -webkit-appearance: none; }
 
 fieldset {
   border: 1px solid #c0c0c0;
   margin: 0 2px;
-  padding: 0.35em 0.625em 0.75em;
-}
+  padding: 0.35em 0.625em 0.75em; }
 
 legend {
   border: 0;
-  padding: 0;
-}
+  padding: 0; }
 
 textarea {
-  overflow: auto;
-}
+  overflow: auto; }
 
 optgroup {
-  font-weight: bold;
-}
+  font-weight: bold; }
 
 table {
   border-collapse: none;
   border-spacing: 0;
   color: #000;
-  background-color: #F0F0F0;
-  width: 100%;
-}
+  background-color: #fff;
+  width: 100%; }
 
-td, th {
-  padding: 0;
-}
+td,
+th {
+  padding: 0;  }
 
 @media print {
   * {
     text-shadow: none !important;
     color: #000 !important;
     background: transparent !important;
-    box-shadow: none !important;
-  }
-
-  a {
-    text-decoration: underline;
+    box-shadow: none !important; }
 
-    &:visited {
-      text-decoration: underline;
-    }
+  a,
+  a:visited {
+    text-decoration: underline; }
 
-    &[href]:after {
-      content: " (" attr(href) ")";
-    }
-  }
+  a[href]:after {
+    content: " (" attr(href) ")"; }
 
   abbr[title]:after {
-    content: " (" attr(title) ")";
-  }
+    content: " (" attr(title) ")"; }
 
-  a {
-    &[href^="javascript:"]:after, &[href^="#"]:after {
-      content: "";
-    }
-  }
+  a[href^="javascript:"]:after,
+  a[href^="#"]:after {
+    content: ""; }
 
-  pre, blockquote {
+  pre,
+  blockquote {
     border: 1px solid #999;
-    page-break-inside: avoid;
-  }
+    page-break-inside: avoid; }
 
   thead {
-    display: table-header-group;
-  }
+    display: table-header-group; }
 
-  tr {
-    page-break-inside: avoid;
-  }
+  tr,
+  img {
+    page-break-inside: avoid; }
 
   img {
-    page-break-inside: avoid;
-    max-width: 100% !important;
-  }
+    max-width: 100% !important; }
 
-  p, h2, h3 {
+  p,
+  h2,
+  h3 {
     orphans: 3;
-    widows: 3;
-  }
+    widows: 3; }
 
-  h2, h3 {
-    page-break-after: avoid;
-  }
+  h2,
+  h3 {
+    page-break-after: avoid; }
 
   select {
-    background: #fff !important;
-  }
+    background: #fff !important; }
 
   .navbar {
-    display: none;
-  }
+    display: none; }
 
-  .table {
-    td, th {
-      background-color: #fff !important;
-    }
-  }
+  .table td,
+  .table th {
+    background-color: #fff !important; }
 
-  .btn > .caret, .dropup > .btn > .caret {
-    border-top-color: #000 !important;
-  }
+  .btn > .caret,
+  .dropup > .btn > .caret {
+    border-top-color: #000 !important; }
 
   .label {
-    border: 1px solid #000;
-  }
+    border: 1px solid #000; }
 
   .table {
-    border-collapse: collapse !important;
-  }
-
-  .table-bordered {
-    th, td {
-      border: 1px solid #ddd !important;
-    }
-  }
-}
+    border-collapse: collapse !important; }
 
+  .table-bordered th,
+  .table-bordered td {
+    border: 1px solid #ddd !important; } }
 @font-face {
   font-family: 'Glyphicons Halflings';
   src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot");
-  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg");
-}
-
+  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg"); }
 .glyphicon {
   position: relative;
   top: 1px;
@@ -361,863 +300,658 @@ td, th {
   font-weight: normal;
   line-height: 1;
   -webkit-font-smoothing: antialiased;
-  -moz-osx-font-smoothing: grayscale;
-}
+  -moz-osx-font-smoothing: grayscale; }
 
 .glyphicon-asterisk:before {
-  content: "\2a";
-}
+  content: "\2a"; }
 
 .glyphicon-plus:before {
-  content: "\2b";
-}
+  content: "\2b"; }
 
 .glyphicon-euro:before {
-  content: "\20ac";
-}
+  content: "\20ac"; }
 
 .glyphicon-minus:before {
-  content: "\2212";
-}
+  content: "\2212"; }
 
 .glyphicon-cloud:before {
-  content: "\2601";
-}
+  content: "\2601"; }
 
 .glyphicon-envelope:before {
-  content: "\2709";
-}
+  content: "\2709"; }
 
 .glyphicon-pencil:before {
-  content: "\270f";
-}
+  content: "\270f"; }
 
 .glyphicon-glass:before {
-  content: "\e001";
-}
+  content: "\e001"; }
 
 .glyphicon-music:before {
-  content: "\e002";
-}
+  content: "\e002"; }
 
 .icon.glyphicon.input-group-addon.glyphicon-search:before, .glyphicon-search:before {
   content: "\e003";
-  color: #FFF !important;
-}
+  color: #FFF !important; }
 
 .glyphicon-heart:before {
-  content: "\e005";
-}
+  content: "\e005"; }
 
 .glyphicon-star:before {
-  content: "\e006";
-}
+  content: "\e006"; }
 
 .glyphicon-star-empty:before {
-  content: "\e007";
-}
+  content: "\e007"; }
 
 .glyphicon-user:before {
-  content: "\e008";
-}
+  content: "\e008"; }
 
 .glyphicon-film:before {
-  content: "\e009";
-}
+  content: "\e009"; }
 
 .glyphicon-th-large:before {
-  content: "\e010";
-}
+  content: "\e010"; }
 
 .glyphicon-th:before {
-  content: "\e011";
-}
+  content: "\e011"; }
 
 .glyphicon-th-list:before {
-  content: "\e012";
-}
+  content: "\e012"; }
 
 .glyphicon-ok:before {
-  content: "\e013";
-}
+  content: "\e013"; }
 
 .glyphicon-remove:before {
-  content: "\e014";
-}
+  content: "\e014"; }
 
 .glyphicon-zoom-in:before {
-  content: "\e015";
-}
+  content: "\e015"; }
 
 .glyphicon-zoom-out:before {
-  content: "\e016";
-}
+  content: "\e016"; }
 
 .glyphicon-off:before {
-  content: "\e017";
-}
+  content: "\e017"; }
 
 .glyphicon-signal:before {
-  content: "\e018";
-}
+  content: "\e018"; }
 
 .glyphicon-cog:before {
-  content: "\e019";
-}
+  content: "\e019"; }
 
 .glyphicon-trash:before {
-  content: "\e020";
-}
+  content: "\e020"; }
 
 .glyphicon-home:before {
-  content: "\e021";
-}
+  content: "\e021"; }
 
 .glyphicon-file:before {
-  content: "\e022";
-}
+  content: "\e022"; }
 
 .glyphicon-time:before {
-  content: "\e023";
-}
+  content: "\e023"; }
 
 .glyphicon-road:before {
-  content: "\e024";
-}
+  content: "\e024"; }
 
 .glyphicon-download-alt:before {
-  content: "\e025";
-}
+  content: "\e025"; }
 
 .glyphicon-download:before {
-  content: "\e026";
-}
+  content: "\e026"; }
 
 .glyphicon-upload:before {
-  content: "\e027";
-}
+  content: "\e027"; }
 
 .glyphicon-inbox:before {
-  content: "\e028";
-}
+  content: "\e028"; }
 
 .glyphicon-play-circle:before {
-  content: "\e029";
-}
+  content: "\e029"; }
 
 .glyphicon-repeat:before {
-  content: "\e030";
-}
+  content: "\e030"; }
 
 .glyphicon-refresh:before {
-  content: "\e031";
-}
+  content: "\e031"; }
 
 .glyphicon-list-alt:before {
-  content: "\e032";
-}
+  content: "\e032"; }
 
 .glyphicon-lock:before {
-  content: "\e033";
-}
+  content: "\e033"; }
 
 .glyphicon-flag:before {
-  content: "\e034";
-}
+  content: "\e034"; }
 
 .glyphicon-headphones:before {
-  content: "\e035";
-}
+  content: "\e035"; }
 
 .glyphicon-volume-off:before {
-  content: "\e036";
-}
+  content: "\e036"; }
 
 .glyphicon-volume-down:before {
-  content: "\e037";
-}
+  content: "\e037"; }
 
 .glyphicon-volume-up:before {
-  content: "\e038";
-}
+  content: "\e038"; }
 
 .glyphicon-qrcode:before {
-  content: "\e039";
-}
+  content: "\e039"; }
 
 .glyphicon-barcode:before {
-  content: "\e040";
-}
+  content: "\e040"; }
 
 .glyphicon-tag:before {
-  content: "\e041";
-}
+  content: "\e041"; }
 
 .glyphicon-tags:before {
-  content: "\e042";
-}
+  content: "\e042"; }
 
 .glyphicon-book:before {
-  content: "\e043";
-}
+  content: "\e043"; }
 
 .glyphicon-bookmark:before {
-  content: "\e044";
-}
+  content: "\e044"; }
 
 .glyphicon-print:before {
-  content: "\e045";
-}
+  content: "\e045"; }
 
 .glyphicon-camera:before {
-  content: "\e046";
-}
+  content: "\e046"; }
 
 .glyphicon-font:before {
-  content: "\e047";
-}
+  content: "\e047"; }
 
 .glyphicon-bold:before {
-  content: "\e048";
-}
+  content: "\e048"; }
 
 .glyphicon-italic:before {
-  content: "\e049";
-}
+  content: "\e049"; }
 
 .glyphicon-text-height:before {
-  content: "\e050";
-}
+  content: "\e050"; }
 
 .glyphicon-text-width:before {
-  content: "\e051";
-}
+  content: "\e051"; }
 
 .glyphicon-align-left:before {
-  content: "\e052";
-}
+  content: "\e052"; }
 
 .glyphicon-align-center:before {
-  content: "\e053";
-}
+  content: "\e053"; }
 
 .glyphicon-align-right:before {
-  content: "\e054";
-}
+  content: "\e054"; }
 
 .glyphicon-align-justify:before {
-  content: "\e055";
-}
+  content: "\e055"; }
 
 .glyphicon-list:before {
-  content: "\e056";
-}
+  content: "\e056"; }
 
 .glyphicon-indent-left:before {
-  content: "\e057";
-}
+  content: "\e057"; }
 
 .glyphicon-indent-right:before {
-  content: "\e058";
-}
+  content: "\e058"; }
 
 .glyphicon-facetime-video:before {
-  content: "\e059";
-}
+  content: "\e059"; }
 
 .glyphicon-picture:before {
-  content: "\e060";
-}
+  content: "\e060"; }
 
 .glyphicon-map-marker:before {
-  content: "\e062";
-}
+  content: "\e062"; }
 
 .glyphicon-adjust:before {
-  content: "\e063";
-}
+  content: "\e063"; }
 
 .glyphicon-tint:before {
-  color: #3F0;
-  content: "\e064";
-}
+  color:#3F0;
+  content: "\e064"; }
 
 .glyphicon-edit:before {
-  content: "\e065";
-}
+  content: "\e065"; }
 
 .glyphicon-share:before {
-  content: "\e066";
-}
+  content: "\e066"; }
 
 .glyphicon-check:before {
-  content: "\e067";
-}
+  content: "\e067"; }
 
 .glyphicon-move:before {
-  content: "\e068";
-}
+  content: "\e068"; }
 
 .glyphicon-step-backward:before {
-  content: "\e069";
-}
+  content: "\e069"; }
 
 .glyphicon-fast-backward:before {
-  content: "\e070";
-}
+  content: "\e070"; }
 
 .glyphicon-backward:before {
-  content: "\e071";
-}
+  content: "\e071"; }
 
 .glyphicon-play:before {
-  content: "\e072";
-}
+  content: "\e072"; }
 
 .glyphicon-pause:before {
-  content: "\e073";
-}
+  content: "\e073"; }
 
 .glyphicon-stop:before {
-  content: "\e074";
-}
+  content: "\e074"; }
 
 .glyphicon-forward:before {
-  content: "\e075";
-}
+  content: "\e075"; }
 
 .glyphicon-fast-forward:before {
-  content: "\e076";
-}
+  content: "\e076"; }
 
 .glyphicon-step-forward:before {
-  content: "\e077";
-}
+  content: "\e077"; }
 
 .glyphicon-eject:before {
-  content: "\e078";
-}
+  content: "\e078"; }
 
 .glyphicon-chevron-left:before {
-  content: "\e079";
-}
+  content: "\e079"; }
 
 .glyphicon-chevron-right:before {
-  content: "\e080";
-}
+  content: "\e080"; }
 
 .glyphicon-plus-sign:before {
-  content: "\e081";
-}
+  content: "\e081"; }
 
 .glyphicon-minus-sign:before {
-  content: "\e082";
-}
+  content: "\e082"; }
 
 .glyphicon-remove-sign:before {
-  content: "\e083";
-}
+  content: "\e083"; }
 
 .glyphicon-ok-sign:before {
-  content: "\e084";
-}
+  content: "\e084"; }
 
 .glyphicon-question-sign:before {
-  content: "\e085";
-}
+  content: "\e085"; }
 
 .glyphicon-info-sign:before {
-  content: "\e086";
-}
+  content: "\e086"; }
 
 .glyphicon-screenshot:before {
-  content: "\e087";
-}
+  content: "\e087"; }
 
 .glyphicon-remove-circle:before {
-  content: "\e088";
-}
+  content: "\e088"; }
 
 .glyphicon-ok-circle:before {
-  content: "\e089";
-}
+  content: "\e089"; }
 
 .glyphicon-ban-circle:before {
-  content: "\e090";
-}
+  content: "\e090"; }
 
 .glyphicon-arrow-left:before {
-  content: "\e091";
-}
+  content: "\e091"; }
 
 .glyphicon-arrow-right:before {
-  content: "\e092";
-}
+  content: "\e092"; }
 
 .glyphicon-arrow-up:before {
   content: "\e093";
-  color: #4FB654 !important;
-}
+  color: #4FB654 !important; }
 
 .glyphicon-arrow-down:before {
   content: "\e094";
-  color: #FF5E3B !important;
-}
+  color: #FF5E3B !important; }
 
 .glyphicon-share-alt:before {
-  content: "\e095";
-}
+  content: "\e095"; }
 
 .glyphicon-resize-full:before {
-  content: "\e096";
-}
+  content: "\e096"; }
 
 .glyphicon-resize-small:before {
-  content: "\e097";
-}
+  content: "\e097"; }
 
 .glyphicon-exclamation-sign:before {
-  content: "\e101";
-}
+  content: "\e101"; }
 
 .glyphicon-gift:before {
-  content: "\e102";
-}
+  content: "\e102"; }
 
 .glyphicon-leaf:before {
-  content: "\e103";
-}
+  content: "\e103"; }
 
 .glyphicon-fire:before {
-  content: "\e104";
-}
+  content: "\e104"; }
 
 .glyphicon-eye-open:before {
-  content: "\e105";
-}
+  content: "\e105"; }
 
 .glyphicon-eye-close:before {
-  content: "\e106";
-}
+  content: "\e106"; }
 
 .glyphicon-warning-sign:before {
-  content: "\e107";
-}
+  content: "\e107"; }
 
 .glyphicon-plane:before {
-  content: "\e108";
-}
+  content: "\e108"; }
 
 .glyphicon-calendar:before {
-  content: "\e109";
-}
+  content: "\e109"; }
 
 .glyphicon-random:before {
-  content: "\e110";
-}
+  content: "\e110"; }
 
 .glyphicon-comment:before {
-  content: "\e111";
-}
+  content: "\e111"; }
 
 .glyphicon-magnet:before {
-  content: "\e112";
-}
+  content: "\e112"; }
 
 .glyphicon-chevron-up:before {
-  content: "\e113";
-}
+  content: "\e113"; }
 
 .glyphicon-chevron-down:before {
-  content: "\e114";
-}
+  content: "\e114"; }
 
 .glyphicon-retweet:before {
-  content: "\e115";
-}
+  content: "\e115"; }
 
 .glyphicon-shopping-cart:before {
-  content: "\e116";
-}
+  content: "\e116"; }
 
 .glyphicon-folder-close:before {
-  content: "\e117";
-}
+  content: "\e117"; }
 
 .glyphicon-folder-open:before {
-  content: "\e118";
-}
+  content: "\e118"; }
 
 .glyphicon-resize-vertical:before {
-  content: "\e119";
-}
+  content: "\e119"; }
 
 .glyphicon-resize-horizontal:before {
-  content: "\e120";
-}
+  content: "\e120"; }
 
 .glyphicon-hdd:before {
-  content: "\e121";
-}
+  content: "\e121"; }
 
 .glyphicon-bullhorn:before {
-  content: "\e122";
-}
+  content: "\e122"; }
 
 .glyphicon-bell:before {
-  content: "\e123";
-}
+  content: "\e123"; }
 
 .glyphicon-certificate:before {
-  content: "\e124";
-}
+  content: "\e124"; }
 
 .glyphicon-thumbs-up:before {
-  content: "\e125";
-}
+  content: "\e125"; }
 
 .glyphicon-thumbs-down:before {
-  content: "\e126";
-}
+  content: "\e126"; }
 
 .glyphicon-hand-right:before {
-  content: "\e127";
-}
+  content: "\e127"; }
 
 .glyphicon-hand-left:before {
-  content: "\e128";
-}
+  content: "\e128"; }
 
 .glyphicon-hand-up:before {
-  content: "\e129";
-}
+  content: "\e129"; }
 
 .glyphicon-hand-down:before {
-  content: "\e130";
-}
+  content: "\e130"; }
 
 .glyphicon-circle-arrow-right:before {
-  content: "\e131";
-}
+  content: "\e131"; }
 
 .glyphicon-circle-arrow-left:before {
-  content: "\e132";
-}
+  content: "\e132"; }
 
 .glyphicon-circle-arrow-up:before {
-  content: "\e133";
-}
+  content: "\e133"; }
 
 .glyphicon-circle-arrow-down:before {
-  content: "\e134";
-}
+  content: "\e134"; }
 
 .glyphicon-globe:before {
-  content: "\e135";
-}
+  content: "\e135"; }
 
 .glyphicon-wrench:before {
-  content: "\e136";
-}
+  content: "\e136"; }
 
 .glyphicon-tasks:before {
-  content: "\e137";
-}
+  content: "\e137"; }
 
 .glyphicon-filter:before {
-  content: "\e138";
-}
+  content: "\e138"; }
 
 .glyphicon-briefcase:before {
-  content: "\e139";
-}
+  content: "\e139"; }
 
 .glyphicon-fullscreen:before {
-  content: "\e140";
-}
+  content: "\e140"; }
 
 .glyphicon-dashboard:before {
-  content: "\e141";
-}
+  content: "\e141"; }
 
 .glyphicon-paperclip:before {
-  content: "\e142";
-}
+  content: "\e142"; }
 
 .glyphicon-heart-empty:before {
-  content: "\e143";
-}
+  content: "\e143"; }
 
 .glyphicon-link:before {
-  content: "\e144";
-}
+  content: "\e144"; }
 
 .glyphicon-phone:before {
-  content: "\e145";
-}
+  content: "\e145"; }
 
 .glyphicon-pushpin:before {
-  content: "\e146";
-}
+  content: "\e146"; }
 
 .glyphicon-usd:before {
-  content: "\e148";
-}
+  content: "\e148"; }
 
 .glyphicon-gbp:before {
-  content: "\e149";
-}
+  content: "\e149"; }
 
 .glyphicon-sort:before {
-  content: "\e150";
-}
+  content: "\e150"; }
 
 .glyphicon-sort-by-alphabet:before {
-  content: "\e151";
-}
+  content: "\e151"; }
 
 .glyphicon-sort-by-alphabet-alt:before {
-  content: "\e152";
-}
+  content: "\e152"; }
 
 .glyphicon-sort-by-order:before {
-  content: "\e153";
-}
+  content: "\e153"; }
 
 .glyphicon-sort-by-order-alt:before {
-  content: "\e154";
-}
+  content: "\e154"; }
 
 .glyphicon-sort-by-attributes:before {
-  content: "\e155";
-}
+  content: "\e155"; }
 
 .glyphicon-sort-by-attributes-alt:before {
-  content: "\e156";
-}
+  content: "\e156"; }
 
 .glyphicon-unchecked:before {
-  content: "\e157";
-}
+  content: "\e157"; }
 
 .glyphicon-expand:before {
-  content: "\e158";
-}
+  content: "\e158"; }
 
 .glyphicon-collapse-down:before {
-  content: "\e159";
-}
+  content: "\e159"; }
 
 .glyphicon-collapse-up:before {
-  content: "\e160";
-}
+  content: "\e160"; }
 
 .glyphicon-log-in:before {
-  content: "\e161";
-}
+  content: "\e161"; }
 
 .glyphicon-flash:before {
-  content: "\e162";
-}
+  content: "\e162"; }
 
 .glyphicon-log-out:before {
-  content: "\e163";
-}
+  content: "\e163"; }
 
 .glyphicon-new-window:before {
-  content: "\e164";
-}
+  content: "\e164"; }
 
 .glyphicon-record:before {
-  content: "\e165";
-}
+  content: "\e165"; }
 
 .glyphicon-save:before {
-  content: "\e166";
-}
+  content: "\e166"; }
 
 .glyphicon-open:before {
-  content: "\e167";
-}
+  content: "\e167"; }
 
 .glyphicon-saved:before {
-  content: "\e168";
-}
+  content: "\e168"; }
 
 .glyphicon-import:before {
-  content: "\e169";
-}
+  content: "\e169"; }
 
 .glyphicon-export:before {
-  content: "\e170";
-}
+  content: "\e170"; }
 
 .glyphicon-send:before {
-  content: "\e171";
-}
+  content: "\e171"; }
 
 .glyphicon-floppy-disk:before {
-  content: "\e172";
-}
+  content: "\e172"; }
 
 .glyphicon-floppy-saved:before {
-  content: "\e173";
-}
+  content: "\e173"; }
 
 .glyphicon-floppy-remove:before {
-  content: "\e174";
-}
+  content: "\e174"; }
 
 .glyphicon-floppy-save:before {
-  content: "\e175";
-}
+  content: "\e175"; }
 
 .glyphicon-floppy-open:before {
-  content: "\e176";
-}
+  content: "\e176"; }
 
 .glyphicon-credit-card:before {
-  content: "\e177";
-}
+  content: "\e177"; }
 
 .glyphicon-transfer:before {
   content: "\e178";
-  color: #4FB654 !important;
-}
+  color:#4FB654 !important; }
 
 .glyphicon-cutlery:before {
-  content: "\e179";
-}
+  content: "\e179"; }
 
 .glyphicon-header:before {
-  content: "\e180";
-}
+  content: "\e180"; }
 
 .glyphicon-compressed:before {
-  content: "\e181";
-}
+  content: "\e181"; }
 
 .glyphicon-earphone:before {
-  content: "\e182";
-}
+  content: "\e182"; }
 
 .glyphicon-phone-alt:before {
-  content: "\e183";
-}
+  content: "\e183"; }
 
 .glyphicon-tower:before {
-  content: "\e184";
-}
+  content: "\e184"; }
 
 .glyphicon-stats:before {
-  content: "\e185";
-}
+  content: "\e185"; }
 
 .glyphicon-sd-video:before {
-  content: "\e186";
-}
+  content: "\e186"; }
 
 .glyphicon-hd-video:before {
-  content: "\e187";
-}
+  content: "\e187"; }
 
 .glyphicon-subtitles:before {
-  content: "\e188";
-}
+  content: "\e188"; }
 
 .glyphicon-sound-stereo:before {
-  content: "\e189";
-}
+  content: "\e189"; }
 
 .glyphicon-sound-dolby:before {
-  content: "\e190";
-}
+  content: "\e190"; }
 
 .glyphicon-sound-5-1:before {
-  content: "\e191";
-}
+  content: "\e191"; }
 
 .glyphicon-sound-6-1:before {
-  content: "\e192";
-}
+  content: "\e192"; }
 
 .glyphicon-sound-7-1:before {
-  content: "\e193";
-}
+  content: "\e193"; }
 
 .glyphicon-copyright-mark:before {
-  content: "\e194";
-}
+  content: "\e194"; }
 
 .glyphicon-registration-mark:before {
-  content: "\e195";
-}
+  content: "\e195"; }
 
 .glyphicon-cloud-download:before {
-  content: "\e197";
-}
+  content: "\e197"; }
 
 .glyphicon-cloud-upload:before {
-  content: "\e198";
-}
+  content: "\e198"; }
 
 .glyphicon-tree-conifer:before {
-  content: "\e199";
-}
+  content: "\e199"; }
 
 .glyphicon-tree-deciduous:before {
-  content: "\e200";
-}
+  content: "\e200"; }
 
 * {
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
   box-sizing: border-box;
-  text-decoration: none;
+  text-decoration:none;}
 
-  &:before, &:after {
-    -webkit-box-sizing: border-box;
-    -moz-box-sizing: border-box;
-    box-sizing: border-box;
-  }
-}
+*:before,
+*:after {
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box; }
 
 html {
   font-size: 10px;
-  -webkit-tap-highlight-color: transparent;
-}
+  -webkit-tap-highlight-color: transparent; }
 
 body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
-  font-size: 14px;
+  font-size:14px;
   line-height: 1.428571429;
   color: #000;
 }
 
-input, button, select, textarea {
+input,
+button,
+select,
+textarea {
   font-family: inherit;
   font-size: inherit;
-  line-height: inherit;
-}
+  line-height: inherit; }
 
 figure {
-  margin: 0;
-}
+  margin: 0; }
 
 img {
-  vertical-align: middle;
-}
+  vertical-align: middle; }
 
 .img-responsive {
   display: block;
   width: 100% \9;
   max-width: 100%;
-  height: auto;
-}
+  height: auto; }
 
 .img-rounded {
-  border-radius: 6px;
-}
+  border-radius: 6px; }
 
 .img-thumbnail {
   padding: 4px;
@@ -1231,19 +965,16 @@ img {
   display: inline-block;
   width: 100% \9;
   max-width: 100%;
-  height: auto;
-}
+  height: auto; }
 
 .img-circle {
-  border-radius: 50%;
-}
+  border-radius: 50%; }
 
 hr {
   margin-top: 20px;
   margin-bottom: 20px;
   border: 0;
-  border-top: 1px solid #eeeeee;
-}
+  border-top: 1px solid #eeeeee; }
 
 .sr-only {
   position: absolute;
@@ -1253,553 +984,338 @@ hr {
   padding: 0;
   overflow: hidden;
   clip: rect(0, 0, 0, 0);
-  border: 0;
-}
+  border: 0; }
+
+.sr-only-focusable:active, .sr-only-focusable:focus {
+  position: static;
+  width: auto;
+  height: auto;
+  margin: 0;
+  overflow: visible;
+  clip: auto; }
 
-.sr-only-focusable {
-  &:active, &:focus {
-    position: static;
-    width: auto;
-    height: auto;
-    margin: 0;
-    overflow: visible;
-    clip: auto;
-  }
-}
 
-h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
-  font-family: "SourceSansProSemiBold";
+h1, h2, h3, h4, h5, h6,
+.h1, .h2, .h3, .h4, .h5, .h6 {
   font-weight: 100;
   line-height: 1.4;
-  color: inherit;
-}
-
-h1 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-h2 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-h3 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-h4 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-h5 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-h6 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-.h1 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-.h2 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-.h3 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-.h4 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-.h5 {
-  small, .small {
+  color: inherit; }
+  h1 small,
+  h1 .small, h2 small,
+  h2 .small, h3 small,
+  h3 .small, h4 small,
+  h4 .small, h5 small,
+  h5 .small, h6 small,
+  h6 .small,
+  .h1 small,
+  .h1 .small, .h2 small,
+  .h2 .small, .h3 small,
+  .h3 .small, .h4 small,
+  .h4 .small, .h5 small,
+  .h5 .small, .h6 small,
+  .h6 .small {
     font-weight: normal;
     line-height: 1;
-    color: #b6b6b6;
-  }
-}
-
-.h6 {
-  small, .small {
-    font-weight: normal;
-    line-height: 1;
-    color: #b6b6b6;
-  }
-}
+    color: #b6b6b6; }
 
-h1, .h1, h2, .h2, h3, .h3 {
+h1, .h1,
+h2, .h2,
+h3, .h3 {
   margin-top: 20px;
-  margin-bottom: 10px;
-}
-
-h1 {
-  small, .small {
-    font-size: 65%;
-  }
-}
-
-.h1 {
-  small, .small {
-    font-size: 65%;
-  }
-}
-
-h2 {
-  small, .small {
-    font-size: 65%;
-  }
-}
-
-.h2 {
-  small, .small {
-    font-size: 65%;
-  }
-}
-
-h3 {
-  small, .small {
-    font-size: 65%;
-  }
-}
-
-.h3 {
-  small, .small {
-    font-size: 65%;
-  }
-}
-
-h4, .h4, h5, .h5, h6, .h6 {
+  margin-bottom: 10px; }
+  h1 small,
+  h1 .small, .h1 small,
+  .h1 .small,
+  h2 small,
+  h2 .small, .h2 small,
+  .h2 .small,
+  h3 small,
+  h3 .small, .h3 small,
+  .h3 .small {
+    font-size: 65%; }
+
+h4, .h4,
+h5, .h5,
+h6, .h6 {
   margin-top: 10px;
-  margin-bottom: 10px;
-}
-
-h4 {
-  small, .small {
-    font-size: 75%;
-  }
-}
-
-.h4 {
-  small, .small {
-    font-size: 75%;
-  }
-}
-
-h5 {
-  small, .small {
-    font-size: 75%;
-  }
-}
-
-.h5 {
-  small, .small {
-    font-size: 75%;
-  }
-}
-
-h6 {
-  small, .small {
-    font-size: 75%;
-  }
-}
-
-.h6 {
-  small, .small {
-    font-size: 75%;
-  }
-}
+  margin-bottom: 10px; }
+  h4 small,
+  h4 .small, .h4 small,
+  .h4 .small,
+  h5 small,
+  h5 .small, .h5 small,
+  .h5 .small,
+  h6 small,
+  h6 .small, .h6 small,
+  .h6 .small {
+    font-size: 75%; }
 
 h1, .h1 {
-  font-size: 23px;
-}
+  font-size: 24px;
+  font-weight: bold;  }
 
 h2, .h2 {
-  font-size: 16px;
-}
+  font-size: 16px; }
 
 h3, .h3 {
-  font-size: 14px;
-}
+  font-size:14px; }
 
 h4, .h4 {
-  font-size: 18px;
-}
+  font-size: 18px; }
 
 h5, .h5 {
-  font-size: 14px;
-}
+  font-size:14px; }
 
 h6, .h6 {
-  font-size: 12px;
-}
+  font-size:12px; }
 
 p {
-  margin: 0 0 10px;
-}
+  margin: 0 0 10px; }
 
 .lead {
   margin-bottom: 20px;
   font-size: 16px;
   font-weight: 300;
-  line-height: 1.4;
-}
-
-@media (min-width: 768px) {
-  .lead {
-    font-size: 21px;
-  }
-}
+  line-height: 1.4; }
+  @media (min-width: 768px) {
+    .lead {
+      font-size: 21px; } }
 
-small, .small {
-  font-size: 85%;
-}
+small,
+.small {
+  font-size: 85%; }
 
 cite {
-  font-style: normal;
-}
+  font-style: normal; }
 
-mark, .mark {
+mark,
+.mark {
   background-color: #fcf8e3;
-  padding: .2em;
-}
+  padding: .2em; }
 
 .text-left {
-  text-align: left;
-}
+  text-align: left; }
 
 .text-right {
-  text-align: right;
-}
+  text-align: right; }
 
 .text-center {
-  text-align: center;
-}
+  text-align: center; }
 
 .text-justify {
-  text-align: justify;
-}
+  text-align: justify; }
 
 .text-nowrap {
-  white-space: nowrap;
-}
+  white-space: nowrap; }
 
 .text-lowercase {
-  text-transform: lowercase;
-}
+  text-transform: lowercase; }
 
 .text-uppercase {
-  text-transform: uppercase;
-}
+  text-transform: uppercase; }
 
 .text-capitalize {
-  text-transform: capitalize;
-}
+  text-transform: capitalize; }
 
 .text-muted {
-  color: inherit;
-}
+  color: inherit; }
 
 .text-primary {
-  color: #FF8B00;
-}
+  color: #FF8B00; }
 
 a.text-primary:hover {
-  color: #b85904;
-}
+  color: #b85904; }
 
 .text-success {
-  color: #4FB654;
-}
+  color: #4FB654; }
 
 a.text-success:hover {
-  color: #7fc54f;
-}
+  color: #7fc54f; }
 
 .text-info {
-  color: #47809f;
-}
+  color: #ff6e05; }
 
 a.text-info:hover {
-  color: #245269;
-}
+  color: #245269; }
 
 .text-warning {
-  color: #f0ad4e;
-}
+  color: #f0ad4e; }
 
 a.text-warning:hover {
-  color: #ec971f;
-}
+  color: #ec971f; }
 
 .text-danger {
-  color: #CB4326;
-}
+  color: #CB4326; }
 
 a.text-danger:hover {
-  color: #D8482A;
-}
+  color: #D8482A; }
 
 .bg-primary {
-  color: #fff;
-  background-color: #FF8B00;
-}
+  color: #fff; }
+
+.bg-primary {
+  background-color: #FF8B00; }
 
 a.bg-primary:hover {
-  background-color: #b85904;
-}
+  background-color: #b85904; }
 
 .bg-success {
-  background-color: #9BD275;
-}
+  background-color: #9BD275; }
 
 a.bg-success:hover {
-  background-color: #7fc54f;
-}
+  background-color: #7fc54f; }
 
 .bg-info {
-  background-color: #d9edf7;
-}
+  background-color: #d9edf7; }
 
 a.bg-info:hover {
-  background-color: #afd9ee;
-}
+  background-color: #afd9ee; }
 
 .bg-warning {
-  background-color: #fcf8e3;
-}
+  background-color: #fcf8e3; }
 
 a.bg-warning:hover {
-  background-color: #f7ecb5;
-}
+  background-color: #f7ecb5; }
 
 .bg-danger {
-  background-color: #F05050;
-}
+  background-color: #F05050; }
 
 a.bg-danger:hover {
-  background-color: #ec2121;
-}
+  background-color: #ec2121; }
+
+fa.fa-long-arrow-right {
+  color: #d951ff !important; }
 
 .page-header {
   padding-bottom: 9px;
   margin: 40px 0 20px;
-  border-bottom: 1px solid #eeeeee;
-}
-
-ul, ol {
-  margin-top: 0;
-  margin-bottom: 10px;
-}
-
-ul {
-  ul, ol {
-    margin-bottom: 0;
-  }
-}
+  border-bottom: 1px solid #eeeeee; }
 
+ul,
 ol {
-  ul, ol {
-    margin-bottom: 0;
-  }
-}
-
-.list-unstyled {
+  margin-top: 0;
+  margin-bottom: 10px; }
+  ul ul,
+  ul ol,
+  ol ul,
+  ol ol {
+    margin-bottom: 0; }
+
+.list-unstyled, .list-inline {
   padding-left: 0;
-  list-style: none;
-}
+  list-style: none; }
 
 .list-inline {
-  padding-left: 0;
-  list-style: none;
-  margin-left: -5px;
-
-  > li {
+  margin-left: -5px; }
+  .list-inline > li {
     float: left;
     padding-left: 5px;
-    padding-right: 5px;
-  }
-}
+    padding-right: 5px; }
 
 dl {
   margin-top: 0;
-  margin-bottom: 20px;
-}
+  margin-bottom: 20px; }
 
-dt, dd {
-  line-height: 1.428571429;
-}
+dt,
+dd {
+  line-height: 1.428571429; }
 
 dt {
-  font-weight: bold;
-}
+  font-weight: bold; }
 
 dd {
-  margin-left: 0;
-}
-
-.dl-horizontal dd {
-  &:before {
-    content: " ";
-    display: table;
-  }
-
-  &:after {
-    content: " ";
-    display: table;
-    clear: both;
-  }
-}
+  margin-left: 0; }
 
+.dl-horizontal dd:before, .dl-horizontal dd:after {
+  content: " ";
+  display: table; }
+.dl-horizontal dd:after {
+  clear: both; }
 @media (min-width: 768px) {
-  .dl-horizontal {
-    dt {
-      float: left;
-      width: 160px;
-      clear: left;
-      text-align: right;
-      overflow: hidden;
-      text-overflow: ellipsis;
-      white-space: nowrap;
-    }
-
-    dd {
-      margin-left: 180px;
-    }
-  }
-}
+  .dl-horizontal dt {
+    float: left;
+    width: 160px;
+    clear: left;
+    text-align: right;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap; }
+  .dl-horizontal dd {
+    margin-left: 180px; } }
 
-abbr {
-  &[title], &[data-original-title] {
-    cursor: help;
-    border-bottom: 1px dotted #777777;
-  }
-}
+abbr[title],
+abbr[data-original-title] {
+  cursor: help;
+  border-bottom: 1px dotted #777777; }
 
 .initialism {
   font-size: 90%;
-  text-transform: uppercase;
-}
+  text-transform: uppercase; }
 
 blockquote {
   padding: 10px 20px;
   margin: 0 0 20px;
   font-size: 17.5px;
-  border-left: 5px solid #eeeeee;
-
-  p:last-child, ul:last-child, ol:last-child {
-    margin-bottom: 0;
-  }
-
-  footer, small, .small {
+  border-left: 5px solid #eeeeee; }
+  blockquote p:last-child,
+  blockquote ul:last-child,
+  blockquote ol:last-child {
+    margin-bottom: 0; }
+  blockquote footer,
+  blockquote small,
+  blockquote .small {
     display: block;
     font-size: 80%;
     line-height: 1.428571429;
-    color: #777777;
-  }
-
-  footer:before, small:before, .small:before {
-    content: '\2014 \00A0';
-  }
-}
+    color: #777777; }
+    blockquote footer:before,
+    blockquote small:before,
+    blockquote .small:before {
+      content: '\2014 \00A0'; }
 
-.blockquote-reverse, blockquote.pull-right {
+.blockquote-reverse,
+blockquote.pull-right {
   padding-right: 15px;
   padding-left: 0;
   border-right: 5px solid #eeeeee;
   border-left: 0;
-  text-align: right;
-}
-
-.blockquote-reverse {
-  footer:before, small:before, .small:before {
-    content: '';
-  }
-}
-
-blockquote.pull-right {
-  footer:before, small:before, .small:before {
-    content: '';
-  }
-}
-
-.blockquote-reverse {
-  footer:after, small:after, .small:after {
-    content: '\00A0 \2014';
-  }
-}
-
-blockquote {
-  &.pull-right {
-    footer:after, small:after, .small:after {
-      content: '\00A0 \2014';
-    }
-  }
-
-  &:before, &:after {
-    content: "";
-  }
-}
+  text-align: right; }
+  .blockquote-reverse footer:before,
+  .blockquote-reverse small:before,
+  .blockquote-reverse .small:before,
+  blockquote.pull-right footer:before,
+  blockquote.pull-right small:before,
+  blockquote.pull-right .small:before {
+    content: ''; }
+  .blockquote-reverse footer:after,
+  .blockquote-reverse small:after,
+  .blockquote-reverse .small:after,
+  blockquote.pull-right footer:after,
+  blockquote.pull-right small:after,
+  blockquote.pull-right .small:after {
+    content: '\00A0 \2014'; }
+
+blockquote:before,
+blockquote:after {
+  content: ""; }
 
 address {
   margin-bottom: 20px;
   font-style: normal;
-  line-height: 1.428571429;
-}
+  line-height: 1.428571429; }
 
-code, kbd, pre, samp {
-  font-family: Menlo, Monaco, Consolas, "Courier New", monospace;
-}
+code,
+kbd,
+pre,
+samp {
+  font-family: Menlo, Monaco, Consolas, "Courier New", monospace; }
 
 code {
   padding: 2px 4px;
   font-size: 90%;
   color: #c7254e;
   background-color: #f9f2f4;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 kbd {
   padding: 2px 4px;
@@ -1807,14 +1323,11 @@ kbd {
   color: #fff;
   background-color: #2d2d2d;
   border-radius: 3px;
-  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25);
-
-  kbd {
+  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25); }
+  kbd kbd {
     padding: 0;
     font-size: 100%;
-    box-shadow: none;
-  }
-}
+    box-shadow: none; }
 
 pre {
   display: block;
@@ -1827,1356 +1340,846 @@ pre {
   color: #000;
   background-color: inherit;
   border: inherit;
-  border-radius: 3px;
-
-  code {
+  border-radius: 3px; }
+  pre code {
     padding: 0;
     font-size: inherit;
     color: inherit;
     white-space: pre-wrap;
     background-color: transparent;
-    border-radius: 0;
-  }
-}
+    border-radius: 0; }
 
 .pre-scrollable {
   max-height: 340px;
-  overflow-y: scroll;
-}
+  overflow-y: scroll; }
 
-.container, .container-fluid {
+.container {
   margin-right: auto;
   margin-left: auto;
   padding-left: 20px;
-  padding-right: 20px;
-
-  &:before {
+  padding-right: 20px; }
+  .container:before, .container:after {
     content: " ";
-    display: table;
-  }
-
-  &:after {
+    display: table; }
+  .container:after {
+    clear: both; }
+  @media (min-width: 768px) {
+    .container {
+      width: 760px; } }
+  @media (min-width: 992px) {
+    .container {
+      width: 980px; } }
+  @media (min-width: 1200px) {
+    .container {
+      width: 1180px; } }
+
+.container-fluid {
+  margin-right: auto;
+  margin-left: auto;
+  padding-left: 20px;
+  padding-right: 20px; }
+  .container-fluid:before, .container-fluid:after {
     content: " ";
-    display: table;
-    clear: both;
-  }
-}
-
-@media (min-width: 768px) {
-  .container {
-    width: 760px;
-  }
-}
-
-@media (min-width: 992px) {
-  .container {
-    width: 980px;
-  }
-}
-
-@media (min-width: 1200px) {
-  .container {
-    width: 1180px;
-  }
-}
+    display: table; }
+  .container-fluid:after {
+    clear: both; }
 
 .row {
   margin-left: -20px;
-  margin-right: -20px;
-
-  &:before {
-    content: " ";
-    display: table;
-  }
-
-  &:after {
+  margin-right: -20px; }
+  .row:before, .row:after {
     content: " ";
-    display: table;
-    clear: both;
-  }
-}
+    display: table; }
+  .row:after {
+    clear: both; }
 
 .col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 {
   position: relative;
   min-height: 1px;
   padding-left: 20px;
-  padding-right: 20px;
-}
+  padding-right: 20px; }
 
 .col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 {
-  float: left;
-}
+  float: left; }
 
 .col-xs-1 {
-  width: 8.33333%;
-}
+  width: 8.33333%; }
 
 .col-xs-2 {
-  width: 16.66667%;
-}
+  width: 16.66667%; }
 
 .col-xs-3 {
-  width: 25%;
-}
+  width: 25%; }
 
 .col-xs-4 {
-  width: 33.33333%;
-}
+  width: 33.33333%; }
 
 .col-xs-5 {
-  width: 41.66667%;
-}
+  width: 41.66667%; }
 
 .col-xs-6 {
-  width: 50%;
-}
+  width: 50%; }
 
 .col-xs-7 {
-  width: 58.33333%;
-}
+  width: 58.33333%; }
 
 .col-xs-8 {
-  width: 66.66667%;
-}
+  width: 66.66667%; }
 
 .col-xs-9 {
-  width: 75%;
-}
+  width: 75%; }
 
 .col-xs-10 {
-  width: 83.33333%;
-}
+  width: 83.33333%; }
 
 .col-xs-11 {
-  width: 91.66667%;
-}
+  width: 91.66667%; }
 
 .col-xs-12 {
-  width: 100%;
-}
+  width: 100%; }
 
 .col-xs-pull-0 {
-  right: auto;
-}
+  right: auto; }
 
 .col-xs-pull-1 {
-  right: 8.33333%;
-}
+  right: 8.33333%; }
 
 .col-xs-pull-2 {
-  right: 16.66667%;
-}
+  right: 16.66667%; }
 
 .col-xs-pull-3 {
-  right: 25%;
-}
+  right: 25%; }
 
 .col-xs-pull-4 {
-  right: 33.33333%;
-}
+  right: 33.33333%; }
 
 .col-xs-pull-5 {
-  right: 41.66667%;
-}
+  right: 41.66667%; }
 
 .col-xs-pull-6 {
-  right: 50%;
-}
+  right: 50%; }
 
 .col-xs-pull-7 {
-  right: 58.33333%;
-}
+  right: 58.33333%; }
 
 .col-xs-pull-8 {
-  right: 66.66667%;
-}
+  right: 66.66667%; }
 
 .col-xs-pull-9 {
-  right: 75%;
-}
+  right: 75%; }
 
 .col-xs-pull-10 {
-  right: 83.33333%;
-}
+  right: 83.33333%; }
 
 .col-xs-pull-11 {
-  right: 91.66667%;
-}
+  right: 91.66667%; }
 
 .col-xs-pull-12 {
-  right: 100%;
-}
+  right: 100%; }
 
 .col-xs-push-0 {
-  left: auto;
-}
+  left: auto; }
 
 .col-xs-push-1 {
-  left: 8.33333%;
-}
+  left: 8.33333%; }
 
 .col-xs-push-2 {
-  left: 16.66667%;
-}
+  left: 16.66667%; }
 
 .col-xs-push-3 {
-  left: 25%;
-}
+  left: 25%; }
 
 .col-xs-push-4 {
-  left: 33.33333%;
-}
+  left: 33.33333%; }
 
 .col-xs-push-5 {
-  left: 41.66667%;
-}
+  left: 41.66667%; }
 
 .col-xs-push-6 {
-  left: 50%;
-}
+  left: 50%; }
 
 .col-xs-push-7 {
-  left: 58.33333%;
-}
+  left: 58.33333%; }
 
 .col-xs-push-8 {
-  left: 66.66667%;
-}
+  left: 66.66667%; }
 
 .col-xs-push-9 {
-  left: 75%;
-}
+  left: 75%; }
 
 .col-xs-push-10 {
-  left: 83.33333%;
-}
+  left: 83.33333%; }
 
 .col-xs-push-11 {
-  left: 91.66667%;
-}
+  left: 91.66667%; }
 
 .col-xs-push-12 {
-  left: 100%;
-}
+  left: 100%; }
 
 .col-xs-offset-0 {
-  margin-left: 0%;
-}
+  margin-left: 0%; }
 
 .col-xs-offset-1 {
-  margin-left: 8.33333%;
-}
+  margin-left: 8.33333%; }
 
 .col-xs-offset-2 {
-  margin-left: 16.66667%;
-}
+  margin-left: 16.66667%; }
 
 .col-xs-offset-3 {
-  margin-left: 25%;
-}
+  margin-left: 25%; }
 
 .col-xs-offset-4 {
-  margin-left: 33.33333%;
-}
+  margin-left: 33.33333%; }
 
 .col-xs-offset-5 {
-  margin-left: 41.66667%;
-}
+  margin-left: 41.66667%; }
 
 .col-xs-offset-6 {
-  margin-left: 50%;
-}
+  margin-left: 50%; }
 
 .col-xs-offset-7 {
-  margin-left: 58.33333%;
-}
+  margin-left: 58.33333%; }
 
 .col-xs-offset-8 {
-  margin-left: 66.66667%;
-}
+  margin-left: 66.66667%; }
 
 .col-xs-offset-9 {
-  margin-left: 75%;
-}
+  margin-left: 75%; }
 
 .col-xs-offset-10 {
-  margin-left: 83.33333%;
-}
+  margin-left: 83.33333%; }
 
 .col-xs-offset-11 {
-  margin-left: 91.66667%;
-}
+  margin-left: 91.66667%; }
 
 .col-xs-offset-12 {
-  margin-left: 100%;
-}
+  margin-left: 100%; }
 
 @media (min-width: 768px) {
   .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {
-    float: left;
-  }
+    float: left; }
 
   .col-sm-1 {
-    width: 8.33333%;
-  }
+    width: 8.33333%; }
 
   .col-sm-2 {
-    width: 16.66667%;
-  }
+    width: 16.66667%; }
 
   .col-sm-3 {
-    width: 25%;
-  }
+    width: 25%; }
 
   .col-sm-4 {
-    width: 33.33333%;
-  }
+    width: 33.33333%; }
 
   .col-sm-5 {
-    width: 41.66667%;
-  }
+    width: 41.66667%; }
 
   .col-sm-6 {
-    width: 50%;
-  }
+    width: 50%; }
 
   .col-sm-7 {
-    width: 58.33333%;
-  }
+    width: 58.33333%; }
 
   .col-sm-8 {
-    width: 66.66667%;
-  }
+    width: 66.66667%; }
 
   .col-sm-9 {
-    width: 75%;
-  }
+    width: 75%; }
 
   .col-sm-10 {
-    width: 83.33333%;
-  }
+    width: 83.33333%; }
 
   .col-sm-11 {
-    width: 91.66667%;
-  }
+    width: 91.66667%; }
 
   .col-sm-12 {
-    width: 100%;
-  }
+    width: 100%; }
 
   .col-sm-pull-0 {
-    right: auto;
-  }
+    right: auto; }
 
   .col-sm-pull-1 {
-    right: 8.33333%;
-  }
+    right: 8.33333%; }
 
   .col-sm-pull-2 {
-    right: 16.66667%;
-  }
+    right: 16.66667%; }
 
   .col-sm-pull-3 {
-    right: 25%;
-  }
+    right: 25%; }
 
   .col-sm-pull-4 {
-    right: 33.33333%;
-  }
+    right: 33.33333%; }
 
   .col-sm-pull-5 {
-    right: 41.66667%;
-  }
+    right: 41.66667%; }
 
   .col-sm-pull-6 {
-    right: 50%;
-  }
+    right: 50%; }
 
   .col-sm-pull-7 {
-    right: 58.33333%;
-  }
+    right: 58.33333%; }
 
   .col-sm-pull-8 {
-    right: 66.66667%;
-  }
+    right: 66.66667%; }
 
   .col-sm-pull-9 {
-    right: 75%;
-  }
+    right: 75%; }
 
   .col-sm-pull-10 {
-    right: 83.33333%;
-  }
+    right: 83.33333%; }
 
   .col-sm-pull-11 {
-    right: 91.66667%;
-  }
+    right: 91.66667%; }
 
   .col-sm-pull-12 {
-    right: 100%;
-  }
+    right: 100%; }
 
   .col-sm-push-0 {
-    left: auto;
-  }
+    left: auto; }
 
   .col-sm-push-1 {
-    left: 8.33333%;
-  }
+    left: 8.33333%; }
 
   .col-sm-push-2 {
-    left: 16.66667%;
-  }
+    left: 16.66667%; }
 
   .col-sm-push-3 {
-    left: 25%;
-  }
+    left: 25%; }
 
   .col-sm-push-4 {
-    left: 33.33333%;
-  }
+    left: 33.33333%; }
 
   .col-sm-push-5 {
-    left: 41.66667%;
-  }
+    left: 41.66667%; }
 
   .col-sm-push-6 {
-    left: 50%;
-  }
+    left: 50%; }
 
   .col-sm-push-7 {
-    left: 58.33333%;
-  }
+    left: 58.33333%; }
 
   .col-sm-push-8 {
-    left: 66.66667%;
-  }
+    left: 66.66667%; }
 
   .col-sm-push-9 {
-    left: 75%;
-  }
+    left: 75%; }
 
   .col-sm-push-10 {
-    left: 83.33333%;
-  }
+    left: 83.33333%; }
 
   .col-sm-push-11 {
-    left: 91.66667%;
-  }
+    left: 91.66667%; }
 
   .col-sm-push-12 {
-    left: 100%;
-  }
+    left: 100%; }
 
   .col-sm-offset-0 {
-    margin-left: 0%;
-  }
+    margin-left: 0%; }
 
   .col-sm-offset-1 {
-    margin-left: 8.33333%;
-  }
+    margin-left: 8.33333%; }
 
   .col-sm-offset-2 {
-    margin-left: 16.66667%;
-  }
+    margin-left: 16.66667%; }
 
   .col-sm-offset-3 {
-    margin-left: 25%;
-  }
+    margin-left: 25%; }
 
   .col-sm-offset-4 {
-    margin-left: 33.33333%;
-  }
+    margin-left: 33.33333%; }
 
   .col-sm-offset-5 {
-    margin-left: 41.66667%;
-  }
+    margin-left: 41.66667%; }
 
   .col-sm-offset-6 {
-    margin-left: 50%;
-  }
+    margin-left: 50%; }
 
   .col-sm-offset-7 {
-    margin-left: 58.33333%;
-  }
+    margin-left: 58.33333%; }
 
   .col-sm-offset-8 {
-    margin-left: 66.66667%;
-  }
+    margin-left: 66.66667%; }
 
   .col-sm-offset-9 {
-    margin-left: 75%;
-  }
+    margin-left: 75%; }
 
   .col-sm-offset-10 {
-    margin-left: 83.33333%;
-  }
+    margin-left: 83.33333%; }
 
   .col-sm-offset-11 {
-    margin-left: 91.66667%;
-  }
+    margin-left: 91.66667%; }
 
   .col-sm-offset-12 {
-    margin-left: 100%;
-  }
-}
-
+    margin-left: 100%; } }
 @media (min-width: 992px) {
   .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {
-    float: left;
-  }
+    float: left; }
 
   .col-md-1 {
-    width: 8.33333%;
-  }
+    width: 8.33333%; }
 
   .col-md-2 {
-    width: 16.66667%;
-  }
+    width: 16.66667%; }
 
   .col-md-3 {
-    width: 25%;
-  }
+    width: 25%; }
 
   .col-md-4 {
-    width: 33.33333%;
-  }
+    width: 33.33333%; }
 
   .col-md-5 {
-    width: 41.66667%;
-  }
+    width: 41.66667%; }
 
   .col-md-6 {
-    width: 50%;
-  }
+    width: 50%; }
 
   .col-md-7 {
-    width: 58.33333%;
-  }
+    width: 58.33333%; }
 
   .col-md-8 {
-    width: 66.66667%;
-  }
+    width: 66.66667%; }
 
   .col-md-9 {
-    width: 75%;
-  }
+    width: 75%; }
 
   .col-md-10 {
-    width: 83.33333%;
-  }
+    width: 83.33333%; }
 
   .col-md-11 {
-    width: 91.66667%;
-  }
+    width: 91.66667%; }
 
   .col-md-12 {
-    width: 100%;
-  }
+    width: 100%; }
 
   .col-md-pull-0 {
-    right: auto;
-  }
+    right: auto; }
 
   .col-md-pull-1 {
-    right: 8.33333%;
-  }
+    right: 8.33333%; }
 
   .col-md-pull-2 {
-    right: 16.66667%;
-  }
+    right: 16.66667%; }
 
   .col-md-pull-3 {
-    right: 25%;
-  }
+    right: 25%; }
 
   .col-md-pull-4 {
-    right: 33.33333%;
-  }
+    right: 33.33333%; }
 
   .col-md-pull-5 {
-    right: 41.66667%;
-  }
+    right: 41.66667%; }
 
   .col-md-pull-6 {
-    right: 50%;
-  }
+    right: 50%; }
 
   .col-md-pull-7 {
-    right: 58.33333%;
-  }
+    right: 58.33333%; }
 
   .col-md-pull-8 {
-    right: 66.66667%;
-  }
+    right: 66.66667%; }
 
   .col-md-pull-9 {
-    right: 75%;
-  }
+    right: 75%; }
 
   .col-md-pull-10 {
-    right: 83.33333%;
-  }
+    right: 83.33333%; }
 
   .col-md-pull-11 {
-    right: 91.66667%;
-  }
+    right: 91.66667%; }
 
   .col-md-pull-12 {
-    right: 100%;
-  }
+    right: 100%; }
 
   .col-md-push-0 {
-    left: auto;
-  }
+    left: auto; }
 
   .col-md-push-1 {
-    left: 8.33333%;
-  }
+    left: 8.33333%; }
 
   .col-md-push-2 {
-    left: 16.66667%;
-  }
+    left: 16.66667%; }
 
   .col-md-push-3 {
-    left: 25%;
-  }
+    left: 25%; }
 
   .col-md-push-4 {
-    left: 33.33333%;
-  }
+    left: 33.33333%; }
 
   .col-md-push-5 {
-    left: 41.66667%;
-  }
+    left: 41.66667%; }
 
   .col-md-push-6 {
-    left: 50%;
-  }
+    left: 50%; }
 
   .col-md-push-7 {
-    left: 58.33333%;
-  }
+    left: 58.33333%; }
 
   .col-md-push-8 {
-    left: 66.66667%;
-  }
+    left: 66.66667%; }
 
   .col-md-push-9 {
-    left: 75%;
-  }
+    left: 75%; }
 
   .col-md-push-10 {
-    left: 83.33333%;
-  }
+    left: 83.33333%; }
 
   .col-md-push-11 {
-    left: 91.66667%;
-  }
+    left: 91.66667%; }
 
   .col-md-push-12 {
-    left: 100%;
-  }
+    left: 100%; }
 
   .col-md-offset-0 {
-    margin-left: 0%;
-  }
+    margin-left: 0%; }
 
   .col-md-offset-1 {
-    margin-left: 8.33333%;
-  }
+    margin-left: 8.33333%; }
 
   .col-md-offset-2 {
-    margin-left: 16.66667%;
-  }
+    margin-left: 16.66667%; }
 
   .col-md-offset-3 {
-    margin-left: 25%;
-  }
+    margin-left: 25%; }
 
   .col-md-offset-4 {
-    margin-left: 33.33333%;
-  }
+    margin-left: 33.33333%; }
 
   .col-md-offset-5 {
-    margin-left: 41.66667%;
-  }
+    margin-left: 41.66667%; }
 
   .col-md-offset-6 {
-    margin-left: 50%;
-  }
+    margin-left: 50%; }
 
   .col-md-offset-7 {
-    margin-left: 58.33333%;
-  }
+    margin-left: 58.33333%; }
 
   .col-md-offset-8 {
-    margin-left: 66.66667%;
-  }
+    margin-left: 66.66667%; }
 
   .col-md-offset-9 {
-    margin-left: 75%;
-  }
+    margin-left: 75%; }
 
   .col-md-offset-10 {
-    margin-left: 83.33333%;
-  }
+    margin-left: 83.33333%; }
 
   .col-md-offset-11 {
-    margin-left: 91.66667%;
-  }
+    margin-left: 91.66667%; }
 
   .col-md-offset-12 {
-    margin-left: 100%;
-  }
-}
-
+    margin-left: 100%; } }
 @media (min-width: 1200px) {
   .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 {
-    float: left;
-  }
+    float: left; }
 
   .col-lg-1 {
-    width: 8.33333%;
-  }
+    width: 8.33333%; }
 
   .col-lg-2 {
-    width: 16.66667%;
-  }
+    width: 16.66667%; }
 
   .col-lg-3 {
-    width: 25%;
-  }
+    width: 25%; }
 
   .col-lg-4 {
-    width: 33.33333%;
-  }
+    width: 33.33333%; }
 
   .col-lg-5 {
-    width: 41.66667%;
-  }
+    width: 41.66667%; }
 
   .col-lg-6 {
-    width: 50%;
-  }
+    width: 50%; }
 
   .col-lg-7 {
-    width: 58.33333%;
-  }
+    width: 58.33333%; }
 
   .col-lg-8 {
-    width: 66.66667%;
-  }
+    width: 66.66667%; }
 
   .col-lg-9 {
-    width: 75%;
-  }
+    width: 75%; }
 
   .col-lg-10 {
-    width: 83.33333%;
-  }
+    width: 83.33333%; }
 
   .col-lg-11 {
-    width: 91.66667%;
-  }
+    width: 91.66667%; }
 
   .col-lg-12 {
-    width: 100%;
-  }
+    width: 100%; }
 
   .col-lg-pull-0 {
-    right: auto;
-  }
+    right: auto; }
 
   .col-lg-pull-1 {
-    right: 8.33333%;
-  }
+    right: 8.33333%; }
 
   .col-lg-pull-2 {
-    right: 16.66667%;
-  }
+    right: 16.66667%; }
 
   .col-lg-pull-3 {
-    right: 25%;
-  }
+    right: 25%; }
 
   .col-lg-pull-4 {
-    right: 33.33333%;
-  }
+    right: 33.33333%; }
 
   .col-lg-pull-5 {
-    right: 41.66667%;
-  }
+    right: 41.66667%; }
 
   .col-lg-pull-6 {
-    right: 50%;
-  }
+    right: 50%; }
 
   .col-lg-pull-7 {
-    right: 58.33333%;
-  }
+    right: 58.33333%; }
 
   .col-lg-pull-8 {
-    right: 66.66667%;
-  }
+    right: 66.66667%; }
 
   .col-lg-pull-9 {
-    right: 75%;
-  }
+    right: 75%; }
 
   .col-lg-pull-10 {
-    right: 83.33333%;
-  }
+    right: 83.33333%; }
 
   .col-lg-pull-11 {
-    right: 91.66667%;
-  }
+    right: 91.66667%; }
 
   .col-lg-pull-12 {
-    right: 100%;
-  }
+    right: 100%; }
 
   .col-lg-push-0 {
-    left: auto;
-  }
+    left: auto; }
 
   .col-lg-push-1 {
-    left: 8.33333%;
-  }
+    left: 8.33333%; }
 
   .col-lg-push-2 {
-    left: 16.66667%;
-  }
+    left: 16.66667%; }
 
   .col-lg-push-3 {
-    left: 25%;
-  }
+    left: 25%; }
 
   .col-lg-push-4 {
-    left: 33.33333%;
-  }
+    left: 33.33333%; }
 
   .col-lg-push-5 {
-    left: 41.66667%;
-  }
+    left: 41.66667%; }
 
   .col-lg-push-6 {
-    left: 50%;
-  }
+    left: 50%; }
 
   .col-lg-push-7 {
-    left: 58.33333%;
-  }
+    left: 58.33333%; }
 
   .col-lg-push-8 {
-    left: 66.66667%;
-  }
+    left: 66.66667%; }
 
   .col-lg-push-9 {
-    left: 75%;
-  }
+    left: 75%; }
 
   .col-lg-push-10 {
-    left: 83.33333%;
-  }
+    left: 83.33333%; }
 
   .col-lg-push-11 {
-    left: 91.66667%;
-  }
+    left: 91.66667%; }
 
   .col-lg-push-12 {
-    left: 100%;
-  }
+    left: 100%; }
 
   .col-lg-offset-0 {
-    margin-left: 0%;
-  }
+    margin-left: 0%; }
 
   .col-lg-offset-1 {
-    margin-left: 8.33333%;
-  }
+    margin-left: 8.33333%; }
 
   .col-lg-offset-2 {
-    margin-left: 16.66667%;
-  }
+    margin-left: 16.66667%; }
 
   .col-lg-offset-3 {
-    margin-left: 25%;
-  }
+    margin-left: 25%; }
 
   .col-lg-offset-4 {
-    margin-left: 33.33333%;
-  }
+    margin-left: 33.33333%; }
 
   .col-lg-offset-5 {
-    margin-left: 41.66667%;
-  }
+    margin-left: 41.66667%; }
 
   .col-lg-offset-6 {
-    margin-left: 50%;
-  }
+    margin-left: 50%; }
 
   .col-lg-offset-7 {
-    margin-left: 58.33333%;
-  }
+    margin-left: 58.33333%; }
 
   .col-lg-offset-8 {
-    margin-left: 66.66667%;
-  }
+    margin-left: 66.66667%; }
 
   .col-lg-offset-9 {
-    margin-left: 75%;
-  }
+    margin-left: 75%; }
 
   .col-lg-offset-10 {
-    margin-left: 83.33333%;
-  }
+    margin-left: 83.33333%; }
 
   .col-lg-offset-11 {
-    margin-left: 91.66667%;
-  }
+    margin-left: 91.66667%; }
 
   .col-lg-offset-12 {
-    margin-left: 100%;
-  }
-}
+    margin-left: 100%; } }
 
 th {
-  text-align: left;
-}
+  text-align: left; }
 
 .table {
   width: 100%;
   max-width: 100%;
-  margin-bottom: 20px;
-
-  > {
-    thead > tr > {
-      th, td {
-        padding: 10px 0px 10px 20px;
-        line-height: 1.428571429;
-        vertical-align: top;
-        border-top: 1px solid #e3e3e3;
-      }
-    }
-
-    tbody > tr > {
-      th, td {
-        padding: 10px 0px 10px 20px;
-        line-height: 1.428571429;
-        vertical-align: top;
-        border-top: 1px solid #e3e3e3;
-      }
-    }
-
-    tfoot > tr > {
-      th, td {
-        padding: 10px 0px 10px 20px;
-        line-height: 1.428571429;
-        vertical-align: top;
-        border-top: 1px solid #e3e3e3;
-      }
-    }
-
-    thead > tr > th {
-      vertical-align: bottom;
-    }
-
-    caption + thead > tr:first-child > {
-      th, td {
-        border-top: 0;
-        font-family: 'SourceSansProSemibold';
-        font-weight: normal;
-        border-bottom: 1px solid #bdbdbd;
-        background-color: #e3e3e3;
-      }
-    }
-
-    colgroup + thead > tr:first-child > {
-      th, td {
-        border-top: 0;
-        font-family: 'SourceSansProSemibold';
-        font-weight: normal;
-        border-bottom: 1px solid #bdbdbd;
-        background-color: #e3e3e3;
-      }
-    }
-
-    thead:first-child > tr:first-child > {
-      th, td {
-        border-top: 0;
-        font-family: 'SourceSansProSemibold';
-        font-weight: normal;
-        border-bottom: 1px solid #bdbdbd;
-        background-color: #e3e3e3;
-      }
-    }
-
-    tbody + tbody {
-      border-top: 2px solid #eee;
-    }
-  }
-
-  .table {
-    background-color: none;
-  }
-}
-
-.table-condensed > {
-  thead > tr > {
-    th, td {
-      padding: 5px;
-    }
-  }
-
-  tbody > tr > {
-    th, td {
-      padding: 5px;
-    }
-  }
-
-  tfoot > tr > {
-    th, td {
-      padding: 5px;
-    }
-  }
-}
+  margin-bottom: 20px; }
+  .table > thead > tr > th,
+  .table > thead > tr > td,
+  .table > tbody > tr > th,
+  .table > tbody > tr > td,
+  .table > tfoot > tr > th,
+  .table > tfoot > tr > td {
+    padding: 10px 0px 10px 20px;
+    line-height: 1.428571429;
+    vertical-align: top;
+    border-top: 1px solid #f0f0f0; }
+  .table > thead > tr > th {
+    vertical-align: bottom;  }
+  .table > caption + thead > tr:first-child > th,
+  .table > caption + thead > tr:first-child > td,
+  .table > colgroup + thead > tr:first-child > th,
+  .table > colgroup + thead > tr:first-child > td,
+  .table > thead:first-child > tr:first-child > th,
+  .table > thead:first-child > tr:first-child > td {
+    border-top: 0;
+    font-family: 'SourceSansProSemibold';
+    font-weight: normal;
+    border-bottom: 1px solid #5e5e5e;
+    background-color: #45565f;
+    color: #FFF;}
+  .table > tbody + tbody {
+    border-top: 2px solid #5e5e5e; }
+  .table .table {
+    background-color: none; }
+
+.table-condensed > thead > tr > th,
+.table-condensed > thead > tr > td,
+.table-condensed > tbody > tr > th,
+.table-condensed > tbody > tr > td,
+.table-condensed > tfoot > tr > th,
+.table-condensed > tfoot > tr > td {
+  padding: 5px; }
 
 .table-bordered {
-  border: 1px solid #dbdbdb;
-
-  > {
-    thead > tr > {
-      th, td {
-        border: 1px solid #dbdbdb;
-      }
-    }
-
-    tbody > tr > {
-      th, td {
-        border: 1px solid #dbdbdb;
-      }
-    }
-
-    tfoot > tr > {
-      th, td {
-        border: 1px solid #dbdbdb;
-      }
-    }
-
-    thead > tr > {
-      th, td {
-        border-bottom-width: 2px;
-      }
-    }
-  }
-}
-
-.table-striped > tbody > tr:nth-child(odd) > {
-  td, th {
-    background-color: #fbfbfb;
-  }
-}
-
-.table-hover > tbody > tr:hover > {
-  td, th {
-    background-color: #f2fafe;
-  }
-}
-
-table {
-  col[class*="col-"] {
-    position: static;
-    float: none;
-    display: table-column;
-  }
-
-  td[class*="col-"], th[class*="col-"] {
-    position: static;
-    float: none;
-    display: table-cell;
-  }
-}
-
-.table > {
-  thead > tr {
-    > {
-      td.active, th.active {
-        background-color: #E2F5FF;
-      }
-    }
-
-    &.active > {
-      td, th {
-        background-color: #E2F5FF;
-      }
-    }
-  }
-
-  tbody > tr {
-    > {
-      td.active, th.active {
-        background-color: #E2F5FF;
-      }
-    }
-
-    &.active > {
-      td, th {
-        background-color: #E2F5FF;
-      }
-    }
-  }
-
-  tfoot > tr {
-    > {
-      td.active, th.active {
-        background-color: #E2F5FF;
-      }
-    }
-
-    &.active > {
-      td, th {
-        background-color: #E2F5FF;
-      }
-    }
-  }
-}
-
-.table-hover > tbody > tr {
-  > {
-    td.active:hover, th.active:hover {
-      background-color: #FF8B00;
-    }
-  }
-
-  &.active:hover > td, &:hover > .active, &.active:hover > th {
-    background-color: #FF8B00;
-  }
-}
-
-.table > {
-  thead > tr {
-    > {
-      td.success, th.success {
-        background-color: #9BD275;
-      }
-    }
-
-    &.success > {
-      td, th {
-        background-color: #9BD275;
-      }
-    }
-  }
-
-  tbody > tr {
-    > {
-      td.success, th.success {
-        background-color: #9BD275;
-      }
-    }
-
-    &.success > {
-      td, th {
-        background-color: #9BD275;
-      }
-    }
-  }
-
-  tfoot > tr {
-    > {
-      td.success, th.success {
-        background-color: #9BD275;
-      }
-    }
-
-    &.success > {
-      td, th {
-        background-color: #9BD275;
-      }
-    }
-  }
-}
-
-.table-hover > tbody > tr {
-  > {
-    td.success:hover, th.success:hover {
-      background-color: #8dcc62;
-    }
-  }
-
-  &.success:hover > td, &:hover > .success, &.success:hover > th {
-    background-color: #8dcc62;
-  }
-}
-
-.table > {
-  thead > tr {
-    > {
-      td.info, th.info {
-        background-color: #d9edf7;
-      }
-    }
-
-    &.info > {
-      td, th {
-        background-color: #d9edf7;
-      }
-    }
-  }
-
-  tbody > tr {
-    > {
-      td.info, th.info {
-        background-color: #d9edf7;
-      }
-    }
-
-    &.info > {
-      td, th {
-        background-color: #d9edf7;
-      }
-    }
-  }
-
-  tfoot > tr {
-    > {
-      td.info, th.info {
-        background-color: #d9edf7;
-      }
-    }
-
-    &.info > {
-      td, th {
-        background-color: #d9edf7;
-      }
-    }
-  }
-}
-
-.table-hover > tbody > tr {
-  > {
-    td.info:hover, th.info:hover {
-      background-color: #c4e3f3;
-    }
-  }
-
-  &.info:hover > td, &:hover > .info, &.info:hover > th {
-    background-color: #c4e3f3;
-  }
-}
-
-.table > {
-  thead > tr {
-    > {
-      td.warning, th.warning {
-        background-color: #fcf8e3;
-      }
-    }
-
-    &.warning > {
-      td, th {
-        background-color: #fcf8e3;
-      }
-    }
-  }
-
-  tbody > tr {
-    > {
-      td.warning, th.warning {
-        background-color: #fcf8e3;
-      }
-    }
-
-    &.warning > {
-      td, th {
-        background-color: #fcf8e3;
-      }
-    }
-  }
-
-  tfoot > tr {
-    > {
-      td.warning, th.warning {
-        background-color: #fcf8e3;
-      }
-    }
-
-    &.warning > {
-      td, th {
-        background-color: #fcf8e3;
-      }
-    }
-  }
-}
-
-.table-hover > tbody > tr {
-  > {
-    td.warning:hover, th.warning:hover {
-      background-color: #faf2cc;
-    }
-  }
-
-  &.warning:hover > td, &:hover > .warning, &.warning:hover > th {
-    background-color: #faf2cc;
-  }
-}
-
-.table > {
-  thead > tr {
-    > {
-      td.danger, th.danger {
-        background-color: #F05050;
-      }
-    }
-
-    &.danger > {
-      td, th {
-        background-color: #F05050;
-      }
-    }
-  }
-
-  tbody > tr {
-    > {
-      td.danger, th.danger {
-        background-color: #F05050;
-      }
-    }
-
-    &.danger > {
-      td, th {
-        background-color: #F05050;
-      }
-    }
-  }
-
-  tfoot > tr {
-    > {
-      td.danger, th.danger {
-        background-color: #F05050;
-      }
-    }
-
-    &.danger > {
-      td, th {
-        background-color: #F05050;
-      }
-    }
-  }
-}
-
-.table-hover > tbody > tr {
-  > {
-    td.danger:hover, th.danger:hover {
-      background-color: #ee3939;
-    }
-  }
+  border: 1px solid #dbdbdb; }
+  .table-bordered > thead > tr > th,
+  .table-bordered > thead > tr > td,
+  .table-bordered > tbody > tr > th,
+  .table-bordered > tbody > tr > td,
+  .table-bordered > tfoot > tr > th,
+  .table-bordered > tfoot > tr > td {
+    border: 1px solid #dbdbdb; }
+  .table-bordered > thead > tr > th,
+  .table-bordered > thead > tr > td {
+    border-bottom-width: 2px; }
+
+.table-striped > tbody > tr:nth-child(odd) > td,
+.table-striped > tbody > tr:nth-child(odd) > th {
+  background-color: #fff; }
+
+.table-hover > tbody > tr:hover > td,
+.table-hover > tbody > tr:hover > th {
+  background-color: #738087;
+  color: #FFF; }
+
+table col[class*="col-"] {
+  position: static;
+  float: none;
+  display: table-column; }
 
-  &.danger:hover > td, &:hover > .danger, &.danger:hover > th {
-    background-color: #ee3939;
-  }
-}
+table td[class*="col-"],
+table th[class*="col-"] {
+  position: static;
+  float: none;
+  display: table-cell; }
+
+.table > thead > tr > td.active,
+.table > thead > tr > th.active, .table > thead > tr.active > td, .table > thead > tr.active > th,
+.table > tbody > tr > td.active,
+.table > tbody > tr > th.active,
+.table > tbody > tr.active > td,
+.table > tbody > tr.active > th,
+.table > tfoot > tr > td.active,
+.table > tfoot > tr > th.active,
+.table > tfoot > tr.active > td,
+.table > tfoot > tr.active > th {
+  background-color: #E2F5FF; }
+
+.table-hover > tbody > tr > td.active:hover,
+.table-hover > tbody > tr > th.active:hover, .table-hover > tbody > tr.active:hover > td, .table-hover > tbody > tr:hover > .active, .table-hover > tbody > tr.active:hover > th {
+  background-color: #FF8B00; }
+
+.table > thead > tr > td.success,
+.table > thead > tr > th.success, .table > thead > tr.success > td, .table > thead > tr.success > th,
+.table > tbody > tr > td.success,
+.table > tbody > tr > th.success,
+.table > tbody > tr.success > td,
+.table > tbody > tr.success > th,
+.table > tfoot > tr > td.success,
+.table > tfoot > tr > th.success,
+.table > tfoot > tr.success > td,
+.table > tfoot > tr.success > th {
+  background-color: #9BD275; }
+
+.table-hover > tbody > tr > td.success:hover,
+.table-hover > tbody > tr > th.success:hover, .table-hover > tbody > tr.success:hover > td, .table-hover > tbody > tr:hover > .success, .table-hover > tbody > tr.success:hover > th {
+  background-color: #8dcc62; }
+
+.table > thead > tr > td.info,
+.table > thead > tr > th.info, .table > thead > tr.info > td, .table > thead > tr.info > th,
+.table > tbody > tr > td.info,
+.table > tbody > tr > th.info,
+.table > tbody > tr.info > td,
+.table > tbody > tr.info > th,
+.table > tfoot > tr > td.info,
+.table > tfoot > tr > th.info,
+.table > tfoot > tr.info > td,
+.table > tfoot > tr.info > th {
+  background-color: #d9edf7; }
+
+.table-hover > tbody > tr > td.info:hover,
+.table-hover > tbody > tr > th.info:hover, .table-hover > tbody > tr.info:hover > td, .table-hover > tbody > tr:hover > .info, .table-hover > tbody > tr.info:hover > th {
+  background-color: #c4e3f3; }
+
+.table > thead > tr > td.warning,
+.table > thead > tr > th.warning, .table > thead > tr.warning > td, .table > thead > tr.warning > th,
+.table > tbody > tr > td.warning,
+.table > tbody > tr > th.warning,
+.table > tbody > tr.warning > td,
+.table > tbody > tr.warning > th,
+.table > tfoot > tr > td.warning,
+.table > tfoot > tr > th.warning,
+.table > tfoot > tr.warning > td,
+.table > tfoot > tr.warning > th {
+  background-color: #fcf8e3; }
+
+.table-hover > tbody > tr > td.warning:hover,
+.table-hover > tbody > tr > th.warning:hover, .table-hover > tbody > tr.warning:hover > td, .table-hover > tbody > tr:hover > .warning, .table-hover > tbody > tr.warning:hover > th {
+  background-color: #faf2cc; }
+
+.table > thead > tr > td.danger,
+.table > thead > tr > th.danger, .table > thead > tr.danger > td, .table > thead > tr.danger > th,
+.table > tbody > tr > td.danger,
+.table > tbody > tr > th.danger,
+.table > tbody > tr.danger > td,
+.table > tbody > tr.danger > th,
+.table > tfoot > tr > td.danger,
+.table > tfoot > tr > th.danger,
+.table > tfoot > tr.danger > td,
+.table > tfoot > tr.danger > th {
+  background-color: #F05050; }
+
+.table-hover > tbody > tr > td.danger:hover,
+.table-hover > tbody > tr > th.danger:hover, .table-hover > tbody > tr.danger:hover > td, .table-hover > tbody > tr:hover > .danger, .table-hover > tbody > tr.danger:hover > th {
+  background-color: #ee3939; }
 
 @media screen and (max-width: 767px) {
   .table-responsive {
@@ -3185,98 +2188,44 @@ table {
     overflow-y: hidden;
     overflow-x: auto;
     -ms-overflow-style: -ms-autohiding-scrollbar;
-
     /*     border: 1px solid $table-border-color; */
-    -webkit-overflow-scrolling: touch;
-
-    > {
-      .table {
-        margin-bottom: 0;
-
-        > {
-          thead > tr > {
-            th, td {
-              white-space: nowrap;
-            }
-          }
-
-          tbody > tr > {
-            th, td {
-              white-space: nowrap;
-            }
-          }
-
-          tfoot > tr > {
-            th, td {
-              white-space: nowrap;
-            }
-          }
-        }
-      }
-
-      .table-bordered {
-        border: 0;
-
-        > {
-          thead > tr > {
-            th:first-child, td:first-child {
-              border-left: 0;
-            }
-          }
-
-          tbody > tr > {
-            th:first-child, td:first-child {
-              border-left: 0;
-            }
-          }
-
-          tfoot > tr > {
-            th:first-child, td:first-child {
-              border-left: 0;
-            }
-          }
-
-          thead > tr > {
-            th:last-child, td:last-child {
-              border-right: 0;
-            }
-          }
-
-          tbody > tr > {
-            th:last-child, td:last-child {
-              border-right: 0;
-            }
-          }
-
-          tfoot > tr > {
-            th:last-child, td:last-child {
-              border-right: 0;
-            }
-          }
-
-          tbody > tr:last-child > {
-            th, td {
-              border-bottom: 0;
-            }
-          }
-
-          tfoot > tr:last-child > {
-            th, td {
-              border-bottom: 0;
-            }
-          }
-        }
-      }
-    }
-  }
-}
+    -webkit-overflow-scrolling: touch; }
+    .table-responsive > .table {
+      margin-bottom: 0; }
+      .table-responsive > .table > thead > tr > th,
+      .table-responsive > .table > thead > tr > td,
+      .table-responsive > .table > tbody > tr > th,
+      .table-responsive > .table > tbody > tr > td,
+      .table-responsive > .table > tfoot > tr > th,
+      .table-responsive > .table > tfoot > tr > td {
+        white-space: nowrap; }
+    .table-responsive > .table-bordered {
+      border: 0; }
+      .table-responsive > .table-bordered > thead > tr > th:first-child,
+      .table-responsive > .table-bordered > thead > tr > td:first-child,
+      .table-responsive > .table-bordered > tbody > tr > th:first-child,
+      .table-responsive > .table-bordered > tbody > tr > td:first-child,
+      .table-responsive > .table-bordered > tfoot > tr > th:first-child,
+      .table-responsive > .table-bordered > tfoot > tr > td:first-child {
+        border-left: 0; }
+      .table-responsive > .table-bordered > thead > tr > th:last-child,
+      .table-responsive > .table-bordered > thead > tr > td:last-child,
+      .table-responsive > .table-bordered > tbody > tr > th:last-child,
+      .table-responsive > .table-bordered > tbody > tr > td:last-child,
+      .table-responsive > .table-bordered > tfoot > tr > th:last-child,
+      .table-responsive > .table-bordered > tfoot > tr > td:last-child {
+        border-right: 0; }
+      .table-responsive > .table-bordered > tbody > tr:last-child > th,
+      .table-responsive > .table-bordered > tbody > tr:last-child > td,
+      .table-responsive > .table-bordered > tfoot > tr:last-child > th,
+      .table-responsive > .table-bordered > tfoot > tr:last-child > td {
+        border-bottom: 0; } }
 
 fieldset {
   padding: 0;
   margin: 0;
   border: 0;
-  min-width: 0;
-}
+  min-width: 0; }
 
 legend {
   display: block;
@@ -3287,1243 +2236,475 @@ legend {
   line-height: inherit;
   color: #2d2d2d;
   border: 0;
-  border-bottom: 1px solid #e5e5e5;
-}
+  border-bottom: 1px solid #e5e5e5; }
 
 label {
   display: inline-block;
   max-width: 100%;
   margin-bottom: 5px;
-  font-weight: normal;
-}
+  font-weight: normal; }
 
-input {
-  &[type="search"] {
-    -webkit-box-sizing: border-box;
-    -moz-box-sizing: border-box;
-    box-sizing: border-box;
-  }
-
-  &[type="radio"], &[type="checkbox"] {
-    margin: 4px 0 0;
-    margin-top: 1px \9;
-    line-height: normal;
-  }
-
-  &[type="file"] {
-    display: block;
-  }
+input[type="search"] {
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box; }
 
-  &[type="range"] {
-    display: block;
-    width: 100%;
-  }
-}
+input[type="radio"],
+input[type="checkbox"] {
+  margin: 4px 0 0;
+  margin-top: 1px \9;
+  line-height: normal; }
 
-select {
-  &[multiple], &[size] {
-    height: auto;
-  }
-}
+input[type="file"] {
+  display: block; }
+
+input[type="range"] {
+  display: block;
+  width: 100%; }
+
+select[multiple],
+select[size] {
+  height: auto; }
+
+input[type="file"]:focus,
+input[type="radio"]:focus,
+input[type="checkbox"]:focus {
+  outline: none;
+  outline: 5px auto -webkit-focus-ring-color;
+  outline-offset: -2px; }
 
-input {
-  &[type="file"]:focus, &[type="radio"]:focus, &[type="checkbox"]:focus {
-    outline: none;
-    outline: 5px auto -webkit-focus-ring-color;
-    outline-offset: -2px;
-  }
-}
 
 output {
   display: block;
   padding-top: 7px;
-  font-size: 14px;
+  font-size:14px;
   line-height: 1.428571429;
-  color: #000;
-}
-
-select, textarea {
+  color: #000; }
+
+select,
+textarea,
+input[type="text"],
+input[type="password"],
+input[type="datetime"],
+input[type="datetime-local"],
+input[type="date"],
+input[type="month"],
+input[type="time"],
+input[type="week"],
+input[type="number"],
+input[type="email"],
+input[type="url"],
+input[type="search"],
+input[type="tel"],
+input[type="color"]
+ {
   display: block;
   width: 100%;
   height: 34px;
   padding: 6px 12px;
-  font-size: 14px;
+  font-size:14px;
   line-height: 1.428571429;
   color: #000;
   background-color: #FFF;
   background-image: none;
-  border: 1px solid #4d83a1;
+  border: 1px solid #1b4257;
   border-radius: 3px;
   text-overflow: ellipsis;
   max-width: 348px;
   -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
   -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-}
+  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s; }
+
+  select:hover,
+  textarea:hover,
+  input[type="text"]:hover,
+  input[type="password"]:hover,
+  input[type="datetime"]:hover,
+  input[type="datetime-local"]:hover,
+  input[type="date"]:hover,
+  input[type="month"]:hover,
+  input[type="time"]:hover,
+  input[type="week"]:hover,
+  input[type="number"]:hover,
+  input[type="email"]:hover,
+  input[type="url"]:hover,
+  input[type="search"]:hover,
+  input[type="tel"]:hover,
+  input[type="color"]:hover
+   {
+	color: #000;
+	background-color: none;
+  border-color: #ff6e05;
+	outline: 0; }
+
+  select:focus,
+  textarea:focus,
+  input[type="text"]:focus,
+  input[type="password"]:focus,
+  input[type="datetime"]:focus,
+  input[type="datetime-local"]:focus,
+  input[type="date"]:focus,
+  input[type="month"]:focus,
+  input[type="time"]:focus,
+  input[type="week"]:focus,
+  input[type="number"]:focus,
+  input[type="email"]:focus,
+  input[type="url"]:focus,
+  input[type="search"]:focus,
+  input[type="tel"]:focus,
+  input[type="color"]:focus
+
+   {
+     color: #000;
+     border-color: #FF6E05;
+     background-color: none;
+     outline: 0; }
+
+  select::-moz-placeholder,
+  textarea::-moz-placeholder,
+  input[type="text"]::-moz-placeholder,
+  input[type="password"]::-moz-placeholder,
+  input[type="datetime"]::-moz-placeholder,
+  input[type="datetime-local"]::-moz-placeholder,
+  input[type="date"]::-moz-placeholder,
+  input[type="month"]::-moz-placeholder,
+  input[type="time"]::-moz-placeholder,
+  input[type="week"]::-moz-placeholder,
+  input[type="number"]::-moz-placeholder,
+  input[type="email"]::-moz-placeholder,
+  input[type="url"]::-moz-placeholder,
+  input[type="search"]::-moz-placeholder,
+  input[type="tel"]::-moz-placeholder,
+  input[type="color"]::-moz-placeholder
+   {
+    color: #b7b7b7;
+    opacity: 1;
+	filter: alpha(opacity=100);	}
+
+  select:-ms-input-placeholder,
+  textarea:-ms-input-placeholder,
+  input[type="text"]:-ms-input-placeholder,
+  input[type="password"]:-ms-input-placeholder,
+  input[type="datetime"]:-ms-input-placeholder,
+  input[type="datetime-local"]:-ms-input-placeholder,
+  input[type="date"]:-ms-input-placeholder,
+  input[type="month"]:-ms-input-placeholder,
+  input[type="time"]:-ms-input-placeholder,
+  input[type="week"]:-ms-input-placeholder,
+  input[type="number"]:-ms-input-placeholder,
+  input[type="email"]:-ms-input-placeholder,
+  input[type="url"]:-ms-input-placeholder,
+  input[type="search"]:-ms-input-placeholder,
+  input[type="tel"]:-ms-input-placeholder,
+  input[type="color"]:-ms-input-placeholder
+   {
+    color: #777777; }
+
+  select::-webkit-input-placeholder,
+  textarea::-webkit-input-placeholder,
+  input[type="text"]::-webkit-input-placeholder,
+  input[type="password"]::-webkit-input-placeholder,
+  input[type="datetime"]::-webkit-input-placeholder,
+  input[type="datetime-local"]::-webkit-input-placeholder,
+  input[type="date"]::-webkit-input-placeholder,
+  input[type="month"]::-webkit-input-placeholder,
+  input[type="time"]::-webkit-input-placeholder,
+  input[type="week"]::-webkit-input-placeholder,
+  input[type="number"]::-webkit-input-placeholder,
+  input[type="email"]::-webkit-input-placeholder,
+  input[type="url"]::-webkit-input-placeholder,
+  input[type="search"]::-webkit-input-placeholder,
+  input[type="tel"]::-webkit-input-placeholder,
+  input[type="color"]::-webkit-input-placeholder
+   {
+    color: #777777; }
+
+  select[disabled], select[readonly], fieldset[disabled] select,
+  textarea[disabled],
+  textarea[readonly], fieldset[disabled]
+  textarea,
+  input[type="text"][disabled],
+  input[type="text"][readonly], fieldset[disabled]
+  input[type="text"],
+  input[type="password"][disabled],
+  input[type="password"][readonly], fieldset[disabled]
+  input[type="password"],
+  input[type="datetime"][disabled],
+  input[type="datetime"][readonly], fieldset[disabled]
+  input[type="datetime"],
+  input[type="datetime-local"][disabled],
+  input[type="datetime-local"][readonly], fieldset[disabled]
+  input[type="datetime-local"],
+  input[type="date"][disabled],
+  input[type="date"][readonly], fieldset[disabled]
+  input[type="date"],
+  input[type="month"][disabled],
+  input[type="month"][readonly], fieldset[disabled]
+  input[type="month"],
+  input[type="time"][disabled],
+  input[type="time"][readonly], fieldset[disabled]
+  input[type="time"],
+  input[type="week"][disabled],
+  input[type="week"][readonly], fieldset[disabled]
+  input[type="week"],
+  input[type="number"][disabled],
+  input[type="number"][readonly], fieldset[disabled]
+  input[type="number"],
+  input[type="email"][disabled],
+  input[type="email"][readonly], fieldset[disabled]
+  input[type="email"],
+  input[type="url"][disabled],
+  input[type="url"][readonly], fieldset[disabled]
+  input[type="url"],
+  input[type="search"][disabled],
+  input[type="search"][readonly], fieldset[disabled]
+  input[type="search"],
+  input[type="tel"][disabled],
+  input[type="tel"][readonly], fieldset[disabled]
+  input[type="tel"],
+  input[type="color"][disabled],
+  input[type="color"][readonly], fieldset[disabled]
+  input[type="color"]
+{
+	cursor: not-allowed;
+	background-color: #f0f0f0;
+	opacity: 1.0;
+	filter: alpha(opacity=100);
+	border-color: #a8a8a8;
+	color:#a8a8a8;}
+
+  select[disabled]:hover, select[readonly]:hover, fieldset[disabled]:hover,
+  textarea[disabled]:hover,
+  textarea[readonly]:hover, fieldset[disabled]:hover
+  textarea:hover,
+  input[type="text"][disabled]:hover,
+  input[type="text"][readonly]:hover, fieldset[disabled]:hover
+  input[type="text"]:hover,
+  input[type="password"][disabled]:hover,
+  input[type="password"][readonly]:hover, fieldset[disabled]:hover
+  input[type="password"]:hover,
+  input[type="datetime"][disabled]:hover,
+  input[type="datetime"][readonly]:hover, fieldset[disabled]:hover
+  input[type="datetime"]:hover,
+  input[type="datetime-local"][disabled]:hover,
+  input[type="datetime-local"][readonly]:hover, fieldset[disabled]:hover
+  input[type="datetime-local"]:hover,
+  input[type="date"][disabled]:hover,
+  input[type="date"][readonly]:hover, fieldset[disabled]:hover
+  input[type="date"]:hover,
+  input[type="month"][disabled]:hover,
+  input[type="month"][readonly]:hover, fieldset[disabled]:hover
+  input[type="month"]:hover,
+  input[type="time"][disabled]:hover,
+  input[type="time"][readonly]:hover, fieldset[disabled]:hover
+  input[type="time"]:hover,
+  input[type="week"][disabled]:hover,
+  input[type="week"][readonly]:hover, fieldset[disabled]:hover
+  input[type="week"]:hover,
+  input[type="number"][disabled]:hover,
+  input[type="number"][readonly]:hover, fieldset[disabled]:hover
+  input[type="number"]:hover,
+  input[type="email"][disabled]:hover,
+  input[type="email"][readonly]:hover, fieldset[disabled]:hover
+  input[type="email"]:hover,
+  input[type="url"][disabled]:hover,
+  input[type="url"][readonly]:hover, fieldset[disabled]:hover
+  input[type="url"]:hover,
+  input[type="search"][disabled]:hover,
+  input[type="search"][readonly]:hover, fieldset[disabled]:hover
+  input[type="search"]:hover,
+  input[type="tel"][disabled]:hover,
+  input[type="tel"][readonly]:hover, fieldset[disabled]:hover
+  input[type="tel"]:hover,
+  input[type="color"][disabled]:hover,
+  input[type="color"][readonly]:hover, fieldset[disabled]:hover
+  input[type="color"]:hover
+
+   {
+	cursor: not-allowed;
+	background-color: #f0f0f0;
+	color:#a8a8a8;
+	opacity: 1.0;
+	filter: alpha(opacity=100);
+	-webkit-box-shadow: none;
+	box-shadow: none; }
 
-input {
-  &[type="text"], &[type="password"], &[type="datetime"], &[type="datetime-local"], &[type="date"], &[type="month"], &[type="time"], &[type="week"], &[type="number"], &[type="email"], &[type="url"], &[type="search"], &[type="tel"], &[type="color"] {
-    display: block;
-    width: 100%;
-    height: 34px;
-    padding: 6px 12px;
-    font-size: 14px;
-    line-height: 1.428571429;
-    color: #000;
-    background-color: #FFF;
-    background-image: none;
-    border: 1px solid #4d83a1;
-    border-radius: 3px;
-    text-overflow: ellipsis;
-    max-width: 348px;
-    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-  }
-}
+textarea {
+  height: auto; }
 
-select:hover, textarea:hover {
-  color: #000;
-  background-color: none;
-  border-color: #00A7FF;
-  outline: 0;
-}
+input[type="search"] {
+  -webkit-appearance: none; }
 
-input {
-  &[type="text"]:hover, &[type="password"]:hover, &[type="datetime"]:hover, &[type="datetime-local"]:hover, &[type="date"]:hover, &[type="month"]:hover, &[type="time"]:hover, &[type="week"]:hover, &[type="number"]:hover, &[type="email"]:hover, &[type="url"]:hover, &[type="search"]:hover, &[type="tel"]:hover, &[type="color"]:hover {
-    color: #000;
-    background-color: none;
-    border-color: #00A7FF;
-    outline: 0;
-  }
-}
+input[type="date"],
+input[type="time"],
+input[type="datetime-local"],
+input[type="month"] {
+  line-height: 34px;
+  line-height: 1.42857 \0; }
+  input[type="date"].input-sm, .form-horizontal .form-group-sm input[type="date"].form-control, .input-group-sm > input[type="date"].form-control,
+  .input-group-sm > input[type="date"].input-group-addon,
+  .input-group-sm > .input-group-btn > input[type="date"].btn,
+  input[type="time"].input-sm,
+  .form-horizontal .form-group-sm input[type="time"].form-control,
+  .input-group-sm > input[type="time"].form-control,
+  .input-group-sm > input[type="time"].input-group-addon,
+  .input-group-sm > .input-group-btn > input[type="time"].btn,
+  input[type="datetime-local"].input-sm,
+  .form-horizontal .form-group-sm input[type="datetime-local"].form-control,
+  .input-group-sm > input[type="datetime-local"].form-control,
+  .input-group-sm > input[type="datetime-local"].input-group-addon,
+  .input-group-sm > .input-group-btn > input[type="datetime-local"].btn,
+  input[type="month"].input-sm,
+  .form-horizontal .form-group-sm input[type="month"].form-control,
+  .input-group-sm > input[type="month"].form-control,
+  .input-group-sm > input[type="month"].input-group-addon,
+  .input-group-sm > .input-group-btn > input[type="month"].btn {
+    line-height: 30px; }
+  input[type="date"].input-lg, .form-horizontal .form-group-lg input[type="date"].form-control, .input-group-lg > input[type="date"].form-control,
+  .input-group-lg > input[type="date"].input-group-addon,
+  .input-group-lg > .input-group-btn > input[type="date"].btn,
+  input[type="time"].input-lg,
+  .form-horizontal .form-group-lg input[type="time"].form-control,
+  .input-group-lg > input[type="time"].form-control,
+  .input-group-lg > input[type="time"].input-group-addon,
+  .input-group-lg > .input-group-btn > input[type="time"].btn,
+  input[type="datetime-local"].input-lg,
+  .form-horizontal .form-group-lg input[type="datetime-local"].form-control,
+  .input-group-lg > input[type="datetime-local"].form-control,
+  .input-group-lg > input[type="datetime-local"].input-group-addon,
+  .input-group-lg > .input-group-btn > input[type="datetime-local"].btn,
+  input[type="month"].input-lg,
+  .form-horizontal .form-group-lg input[type="month"].form-control,
+  .input-group-lg > input[type="month"].form-control,
+  .input-group-lg > input[type="month"].input-group-addon,
+  .input-group-lg > .input-group-btn > input[type="month"].btn {
+    line-height: 46px; }
 
-select:focus, textarea:focus {
-  color: #000;
-  border-color: #00A7FF;
-  background-color: none;
-  outline: 0;
-}
+.form-group {
+  margin-bottom: 15px; }
 
-input {
-  &[type="text"]:focus, &[type="password"]:focus, &[type="datetime"]:focus, &[type="datetime-local"]:focus, &[type="date"]:focus, &[type="month"]:focus, &[type="time"]:focus, &[type="week"]:focus, &[type="number"]:focus, &[type="email"]:focus, &[type="url"]:focus, &[type="search"]:focus, &[type="tel"]:focus, &[type="color"]:focus {
-    color: #000;
-    border-color: #00A7FF;
-    background-color: none;
-    outline: 0;
-  }
-}
-
-select::-moz-placeholder, textarea::-moz-placeholder {
-  color: #b7b7b7;
-  opacity: 1;
-  filter: alpha(opacity = 100);
-}
-
-input {
-  &[type="text"]::-moz-placeholder, &[type="password"]::-moz-placeholder, &[type="datetime"]::-moz-placeholder, &[type="datetime-local"]::-moz-placeholder, &[type="date"]::-moz-placeholder, &[type="month"]::-moz-placeholder, &[type="time"]::-moz-placeholder, &[type="week"]::-moz-placeholder, &[type="number"]::-moz-placeholder, &[type="email"]::-moz-placeholder, &[type="url"]::-moz-placeholder, &[type="search"]::-moz-placeholder, &[type="tel"]::-moz-placeholder, &[type="color"]::-moz-placeholder {
-    color: #b7b7b7;
-    opacity: 1;
-    filter: alpha(opacity = 100);
-  }
-}
-
-select:-ms-input-placeholder, textarea:-ms-input-placeholder {
-  color: #777777;
-}
-
-input {
-  &[type="text"]:-ms-input-placeholder, &[type="password"]:-ms-input-placeholder, &[type="datetime"]:-ms-input-placeholder, &[type="datetime-local"]:-ms-input-placeholder, &[type="date"]:-ms-input-placeholder, &[type="month"]:-ms-input-placeholder, &[type="time"]:-ms-input-placeholder, &[type="week"]:-ms-input-placeholder, &[type="number"]:-ms-input-placeholder, &[type="email"]:-ms-input-placeholder, &[type="url"]:-ms-input-placeholder, &[type="search"]:-ms-input-placeholder, &[type="tel"]:-ms-input-placeholder, &[type="color"]:-ms-input-placeholder {
-    color: #777777;
-  }
-}
-
-select::-webkit-input-placeholder, textarea::-webkit-input-placeholder {
-  color: #777777;
-}
-
-input {
-  &[type="text"]::-webkit-input-placeholder, &[type="password"]::-webkit-input-placeholder, &[type="datetime"]::-webkit-input-placeholder, &[type="datetime-local"]::-webkit-input-placeholder, &[type="date"]::-webkit-input-placeholder, &[type="month"]::-webkit-input-placeholder, &[type="time"]::-webkit-input-placeholder, &[type="week"]::-webkit-input-placeholder, &[type="number"]::-webkit-input-placeholder, &[type="email"]::-webkit-input-placeholder, &[type="url"]::-webkit-input-placeholder, &[type="search"]::-webkit-input-placeholder, &[type="tel"]::-webkit-input-placeholder, &[type="color"]::-webkit-input-placeholder {
-    color: #777777;
-  }
-}
-
-select {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] select {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-textarea {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] textarea {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="text"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="text"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="password"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="password"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="datetime"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="datetime"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="datetime-local"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="datetime-local"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="date"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="date"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="month"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="month"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="time"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="time"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="week"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="week"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="number"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="number"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="email"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="email"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="url"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="url"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="search"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="search"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="tel"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="tel"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-input[type="color"] {
-  &[disabled], &[readonly] {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    border-color: #4d83a1;
-    color: #a8a8a8;
-  }
-}
-
-fieldset[disabled] input[type="color"] {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  border-color: #4d83a1;
-  color: #a8a8a8;
-}
-
-select {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-textarea {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover textarea:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="text"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="text"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="password"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="password"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="datetime"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="datetime"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="datetime-local"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="datetime-local"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="date"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="date"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="month"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="month"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="time"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="time"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="week"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="week"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="number"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="number"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="email"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="email"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="url"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="url"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="search"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="search"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="tel"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="tel"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-input[type="color"] {
-  &[disabled]:hover, &[readonly]:hover {
-    cursor: not-allowed;
-    background-color: #f0f0f0;
-    color: #a8a8a8;
-    opacity: 1.0;
-    filter: alpha(opacity = 100);
-    -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled]:hover input[type="color"]:hover {
-  cursor: not-allowed;
-  background-color: #f0f0f0;
-  color: #a8a8a8;
-  opacity: 1.0;
-  filter: alpha(opacity = 100);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-textarea {
-  height: auto;
-}
-
-input {
-  &[type="search"] {
-    -webkit-appearance: none;
-  }
-
-  &[type="date"], &[type="time"], &[type="datetime-local"], &[type="month"] {
-    line-height: 34px;
-    line-height: 1.42857 \0;
-  }
-
-  &[type="date"].input-sm {
-    line-height: 30px;
-  }
-}
-
-.form-horizontal .form-group-sm input[type="date"].form-control {
-  line-height: 30px;
-}
-
-.input-group-sm > {
-  input[type="date"] {
-    &.form-control, &.input-group-addon {
-      line-height: 30px;
-    }
-  }
-
-  .input-group-btn > input[type="date"].btn {
-    line-height: 30px;
-  }
-}
-
-input[type="time"].input-sm, .form-horizontal .form-group-sm input[type="time"].form-control {
-  line-height: 30px;
-}
-
-.input-group-sm > {
-  input[type="time"] {
-    &.form-control, &.input-group-addon {
-      line-height: 30px;
-    }
-  }
-
-  .input-group-btn > input[type="time"].btn {
-    line-height: 30px;
-  }
-}
-
-input[type="datetime-local"].input-sm, .form-horizontal .form-group-sm input[type="datetime-local"].form-control {
-  line-height: 30px;
-}
-
-.input-group-sm > {
-  input[type="datetime-local"] {
-    &.form-control, &.input-group-addon {
-      line-height: 30px;
-    }
-  }
-
-  .input-group-btn > input[type="datetime-local"].btn {
-    line-height: 30px;
-  }
-}
-
-input[type="month"].input-sm, .form-horizontal .form-group-sm input[type="month"].form-control {
-  line-height: 30px;
-}
-
-.input-group-sm > {
-  input[type="month"] {
-    &.form-control, &.input-group-addon {
-      line-height: 30px;
-    }
-  }
-
-  .input-group-btn > input[type="month"].btn {
-    line-height: 30px;
-  }
-}
-
-input[type="date"].input-lg, .form-horizontal .form-group-lg input[type="date"].form-control {
-  line-height: 46px;
-}
-
-.input-group-lg > {
-  input[type="date"] {
-    &.form-control, &.input-group-addon {
-      line-height: 46px;
-    }
-  }
-
-  .input-group-btn > input[type="date"].btn {
-    line-height: 46px;
-  }
-}
-
-input[type="time"].input-lg, .form-horizontal .form-group-lg input[type="time"].form-control {
-  line-height: 46px;
-}
-
-.input-group-lg > {
-  input[type="time"] {
-    &.form-control, &.input-group-addon {
-      line-height: 46px;
-    }
-  }
-
-  .input-group-btn > input[type="time"].btn {
-    line-height: 46px;
-  }
-}
-
-input[type="datetime-local"].input-lg, .form-horizontal .form-group-lg input[type="datetime-local"].form-control {
-  line-height: 46px;
-}
-
-.input-group-lg > {
-  input[type="datetime-local"] {
-    &.form-control, &.input-group-addon {
-      line-height: 46px;
-    }
-  }
-
-  .input-group-btn > input[type="datetime-local"].btn {
-    line-height: 46px;
-  }
-}
-
-input[type="month"].input-lg, .form-horizontal .form-group-lg input[type="month"].form-control {
-  line-height: 46px;
-}
-
-.input-group-lg > {
-  input[type="month"] {
-    &.form-control, &.input-group-addon {
-      line-height: 46px;
-    }
-  }
-
-  .input-group-btn > input[type="month"].btn {
-    line-height: 46px;
-  }
-}
-
-.form-group {
-  margin-bottom: 15px;
-}
-
-.radio, .checkbox {
+.radio,
+.checkbox {
   position: relative;
   display: block;
   min-height: 20px;
   margin-top: 10px;
-  margin-bottom: 10px;
-}
-
-.radio label, .checkbox label {
-  padding-left: 20px;
-  margin-bottom: 0;
-  font-weight: normal;
-  cursor: pointer;
-}
+  margin-bottom: 10px; }
+  .radio label,
+  .checkbox label {
+    padding-left: 20px;
+    margin-bottom: 0;
+    font-weight: normal;
+    cursor: pointer; }
 
-.radio input[type="radio"], .radio-inline input[type="radio"], .checkbox input[type="checkbox"], .checkbox-inline input[type="checkbox"] {
+.radio input[type="radio"],
+.radio-inline input[type="radio"],
+.checkbox input[type="checkbox"],
+.checkbox-inline input[type="checkbox"] {
   position: absolute;
   margin-left: -20px;
-  margin-top: 4px \9;
-}
+  margin-top: 4px \9; }
 
-.radio + .radio, .checkbox + .checkbox {
-  margin-top: -5px;
-}
+.radio + .radio,
+.checkbox + .checkbox {
+  margin-top: -5px; }
 
-.radio-inline, .checkbox-inline {
+.radio-inline,
+.checkbox-inline {
   display: inline-block;
   padding-left: 20px;
   margin-bottom: 0;
   vertical-align: middle;
   font-weight: normal;
-  cursor: pointer;
-}
+  cursor: pointer; }
 
-.radio-inline + .radio-inline, .checkbox-inline + .checkbox-inline {
+.radio-inline + .radio-inline,
+.checkbox-inline + .checkbox-inline {
   margin-top: 0;
-  margin-left: 10px;
-}
-
-input[type="radio"] {
-  &[disabled], &.disabled {
-    cursor: not-allowed;
-  }
-}
-
-fieldset[disabled] input[type="radio"] {
-  cursor: not-allowed;
-}
+  margin-left: 10px; }
 
+input[type="radio"][disabled], input[type="radio"].disabled, fieldset[disabled] input[type="radio"],
+input[type="checkbox"][disabled],
+input[type="checkbox"].disabled, fieldset[disabled]
 input[type="checkbox"] {
-  &[disabled], &.disabled {
-    cursor: not-allowed;
-  }
-}
+  cursor: not-allowed; }
 
-fieldset[disabled] input[type="checkbox"], .radio-inline.disabled, fieldset[disabled] .radio-inline, .checkbox-inline.disabled, fieldset[disabled] .checkbox-inline, .radio.disabled label, fieldset[disabled] .radio label, .checkbox.disabled label, fieldset[disabled] .checkbox label {
-  cursor: not-allowed;
-}
+.radio-inline.disabled, fieldset[disabled] .radio-inline,
+.checkbox-inline.disabled, fieldset[disabled]
+.checkbox-inline {
+  cursor: not-allowed; }
+
+.radio.disabled label, fieldset[disabled] .radio label,
+.checkbox.disabled label, fieldset[disabled]
+.checkbox label {
+  cursor: not-allowed; }
 
 .form-control-static {
   padding-top: 7px;
   padding-bottom: 7px;
-  margin-bottom: 0;
-
-  &.input-lg {
-    padding-left: 0;
-    padding-right: 0;
-  }
-}
-
-.form-horizontal .form-group-lg .form-control-static.form-control {
-  padding-left: 0;
-  padding-right: 0;
-}
-
-.input-group-lg > {
-  .form-control-static {
-    &.form-control, &.input-group-addon {
-      padding-left: 0;
-      padding-right: 0;
-    }
-  }
-
-  .input-group-btn > .form-control-static.btn {
-    padding-left: 0;
-    padding-right: 0;
-  }
-}
-
-.form-control-static.input-sm, .form-horizontal .form-group-sm .form-control-static.form-control {
-  padding-left: 0;
-  padding-right: 0;
-}
-
-.input-group-sm > {
-  .form-control-static {
-    &.form-control, &.input-group-addon {
-      padding-left: 0;
-      padding-right: 0;
-    }
-  }
-
-  .input-group-btn > .form-control-static.btn {
+  margin-bottom: 0; }
+  .form-control-static.input-lg, .form-horizontal .form-group-lg .form-control-static.form-control, .input-group-lg > .form-control-static.form-control,
+  .input-group-lg > .form-control-static.input-group-addon,
+  .input-group-lg > .input-group-btn > .form-control-static.btn, .form-control-static.input-sm, .form-horizontal .form-group-sm .form-control-static.form-control, .input-group-sm > .form-control-static.form-control,
+  .input-group-sm > .form-control-static.input-group-addon,
+  .input-group-sm > .input-group-btn > .form-control-static.btn {
     padding-left: 0;
-    padding-right: 0;
-  }
-}
+    padding-right: 0; }
 
-.input-sm, .form-horizontal .form-group-sm .form-control {
+.input-sm, .form-horizontal .form-group-sm .form-control, .input-group-sm > .form-control,
+.input-group-sm > .input-group-addon,
+.input-group-sm > .input-group-btn > .btn {
   height: 30px;
   padding: 5px 10px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px;
-}
-
-.input-group-sm > {
-  .form-control, .input-group-addon, .input-group-btn > .btn {
-    height: 30px;
-    padding: 5px 10px;
-    font-size: 12px;
-    line-height: 1.5;
-    border-radius: 3px;
-  }
-}
+  border-radius: 3px; }
 
-select.input-sm, .form-horizontal .form-group-sm select.form-control {
+select.input-sm, .form-horizontal .form-group-sm select.form-control, .input-group-sm > select.form-control,
+.input-group-sm > select.input-group-addon,
+.input-group-sm > .input-group-btn > select.btn {
   height: 30px;
-  line-height: 30px;
-}
-
-.input-group-sm > {
-  select {
-    &.form-control, &.input-group-addon {
-      height: 30px;
-      line-height: 30px;
-    }
-  }
-
-  .input-group-btn > select.btn {
-    height: 30px;
-    line-height: 30px;
-  }
-}
-
-textarea.input-sm, .form-horizontal .form-group-sm textarea.form-control {
-  height: auto;
-}
-
-.input-group-sm > {
-  textarea {
-    &.form-control, &.input-group-addon {
-      height: auto;
-    }
-  }
-
-  .input-group-btn > textarea.btn {
-    height: auto;
-  }
-}
-
-select[multiple].input-sm, .form-horizontal .form-group-sm select[multiple].form-control {
-  height: auto;
-}
-
-.input-group-sm > {
-  select[multiple] {
-    &.form-control, &.input-group-addon {
-      height: auto;
-    }
-  }
-
-  .input-group-btn > select[multiple].btn {
-    height: auto;
-  }
-}
-
-.input-lg, .form-horizontal .form-group-lg .form-control {
+  line-height: 30px; }
+
+textarea.input-sm, .form-horizontal .form-group-sm textarea.form-control, .input-group-sm > textarea.form-control,
+.input-group-sm > textarea.input-group-addon,
+.input-group-sm > .input-group-btn > textarea.btn,
+select[multiple].input-sm,
+.form-horizontal .form-group-sm select[multiple].form-control,
+.input-group-sm > select[multiple].form-control,
+.input-group-sm > select[multiple].input-group-addon,
+.input-group-sm > .input-group-btn > select[multiple].btn {
+  height: auto; }
+
+.input-lg, .form-horizontal .form-group-lg .form-control, .input-group-lg > .form-control,
+.input-group-lg > .input-group-addon,
+.input-group-lg > .input-group-btn > .btn {
   height: 46px;
   padding: 10px 16px;
   font-size: 18px;
   line-height: 1.33;
-  border-radius: 6px;
-}
-
-.input-group-lg > {
-  .form-control, .input-group-addon, .input-group-btn > .btn {
-    height: 46px;
-    padding: 10px 16px;
-    font-size: 18px;
-    line-height: 1.33;
-    border-radius: 6px;
-  }
-}
+  border-radius: 6px; }
 
-select.input-lg, .form-horizontal .form-group-lg select.form-control {
+select.input-lg, .form-horizontal .form-group-lg select.form-control, .input-group-lg > select.form-control,
+.input-group-lg > select.input-group-addon,
+.input-group-lg > .input-group-btn > select.btn {
   height: 46px;
-  line-height: 46px;
-}
-
-.input-group-lg > {
-  select {
-    &.form-control, &.input-group-addon {
-      height: 46px;
-      line-height: 46px;
-    }
-  }
-
-  .input-group-btn > select.btn {
-    height: 46px;
-    line-height: 46px;
-  }
-}
-
-textarea.input-lg, .form-horizontal .form-group-lg textarea.form-control {
-  height: auto;
-}
-
-.input-group-lg > {
-  textarea {
-    &.form-control, &.input-group-addon {
-      height: auto;
-    }
-  }
-
-  .input-group-btn > textarea.btn {
-    height: auto;
-  }
-}
-
-select[multiple].input-lg, .form-horizontal .form-group-lg select[multiple].form-control {
-  height: auto;
-}
-
-.input-group-lg > {
-  select[multiple] {
-    &.form-control, &.input-group-addon {
-      height: auto;
-    }
-  }
-
-  .input-group-btn > select[multiple].btn {
-    height: auto;
-  }
-}
+  line-height: 46px; }
+
+textarea.input-lg, .form-horizontal .form-group-lg textarea.form-control, .input-group-lg > textarea.form-control,
+.input-group-lg > textarea.input-group-addon,
+.input-group-lg > .input-group-btn > textarea.btn,
+select[multiple].input-lg,
+.form-horizontal .form-group-lg select[multiple].form-control,
+.input-group-lg > select[multiple].form-control,
+.input-group-lg > select[multiple].input-group-addon,
+.input-group-lg > .input-group-btn > select[multiple].btn {
+  height: auto; }
 
 .has-feedback {
-  position: relative;
-
-  .form-control {
-    padding-right: 42.5px;
-  }
-}
+  position: relative; }
+  .has-feedback .form-control {
+    padding-right: 42.5px; }
 
 .form-control-feedback {
   position: absolute;
@@ -4534,890 +2715,421 @@ select[multiple].input-lg, .form-horizontal .form-group-lg select[multiple].form
   width: 34px;
   height: 34px;
   line-height: 34px;
-  text-align: center;
-}
+  text-align: center; }
 
-.input-lg + .form-control-feedback, .form-horizontal .form-group-lg .form-control + .form-control-feedback {
+.input-lg + .form-control-feedback, .form-horizontal .form-group-lg .form-control + .form-control-feedback, .input-group-lg > .form-control + .form-control-feedback,
+.input-group-lg > .input-group-addon + .form-control-feedback,
+.input-group-lg > .input-group-btn > .btn + .form-control-feedback {
   width: 46px;
   height: 46px;
-  line-height: 46px;
-}
-
-.input-group-lg > {
-  .form-control + .form-control-feedback, .input-group-addon + .form-control-feedback, .input-group-btn > .btn + .form-control-feedback {
-    width: 46px;
-    height: 46px;
-    line-height: 46px;
-  }
-}
+  line-height: 46px; }
 
-.input-sm + .form-control-feedback, .form-horizontal .form-group-sm .form-control + .form-control-feedback {
+.input-sm + .form-control-feedback, .form-horizontal .form-group-sm .form-control + .form-control-feedback, .input-group-sm > .form-control + .form-control-feedback,
+.input-group-sm > .input-group-addon + .form-control-feedback,
+.input-group-sm > .input-group-btn > .btn + .form-control-feedback {
   width: 30px;
   height: 30px;
-  line-height: 30px;
-}
-
-.input-group-sm > {
-  .form-control + .form-control-feedback, .input-group-addon + .form-control-feedback, .input-group-btn > .btn + .form-control-feedback {
-    width: 30px;
-    height: 30px;
-    line-height: 30px;
-  }
-}
-
-.has-success {
-  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
-    color: #9BD275;
-  }
-
-  .form-control {
-    border-color: #9BD275;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-
-    &:focus {
-      border-color: #7fc54f;
-      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
-      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
-    }
-  }
-
-  .input-group-addon {
-    color: #9BD275;
-    border-color: #9BD275;
-    background-color: #9BD275;
-  }
-
-  .form-control-feedback {
-    color: #9BD275;
-  }
-}
-
-.has-warning {
-  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
-    color: #f0ad4e;
-  }
-
-  .form-control {
-    border-color: #f0ad4e;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-
-    &:focus {
-      border-color: #ec971f;
-      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
-      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
-    }
-  }
-
-  .input-group-addon {
-    color: #f0ad4e;
-    border-color: #f0ad4e;
-    background-color: #fcf8e3;
-  }
-
-  .form-control-feedback {
-    color: #f0ad4e;
-  }
-}
-
-.has-error {
-  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
-    color: #FC3803;
-  }
-
-  .form-control {
-    border-color: #FC3803;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-
-    &:focus {
-      border-color: #FC2E03;
-      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
-      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
-    }
-  }
-
-  .input-group-addon {
-    color: #F05050;
-    border-color: #F05050;
-    background-color: #F05050;
-  }
-
-  .form-control-feedback {
-    color: #F05050;
-  }
-}
+  line-height: 30px; }
+
+.has-success .help-block,
+.has-success .control-label,
+.has-success .radio,
+.has-success .checkbox,
+.has-success .radio-inline,
+.has-success .checkbox-inline {
+  color: #9BD275; }
+.has-success .form-control {
+  border-color: #9BD275;
+  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
+  .has-success .form-control:focus {
+    border-color: #7fc54f;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2; }
+
+.has-success .input-group-addon {
+  color: #9BD275;
+  border-color: #9BD275;
+  background-color: #9BD275; }
+.has-success .form-control-feedback {
+  color: #9BD275; }
+
+.has-warning .help-block,
+.has-warning .control-label,
+.has-warning .radio,
+.has-warning .checkbox,
+.has-warning .radio-inline,
+.has-warning .checkbox-inline {
+  color: #f0ad4e; }
+.has-warning .form-control {
+  border-color: #f0ad4e;
+  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
+  .has-warning .form-control:focus {
+    border-color: #ec971f;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac; }
+.has-warning .input-group-addon {
+  color: #f0ad4e;
+  border-color: #f0ad4e;
+  background-color: #fcf8e3; }
+.has-warning .form-control-feedback {
+  color: #f0ad4e; }
+
+.has-error .help-block,
+.has-error .control-label,
+.has-error .radio,
+.has-error .checkbox,
+.has-error .radio-inline,
+.has-error .checkbox-inline {
+  color: #FC3803; }
+.has-error .form-control {
+  border-color: #FC3803;
+  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
+  .has-error .form-control:focus {
+    border-color: #FC2E03;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae; }
+
+.has-error .input-group-addon {
+  color: #F05050;
+  border-color: #F05050;
+  background-color: #F05050; }
+.has-error .form-control-feedback {
+  color: #F05050; }
 
 .has-feedback label.sr-only ~ .form-control-feedback {
-  top: 0;
-}
+  top: 0; }
 
 .help-block {
   display: block;
   margin-top: 5px;
   margin-bottom: 10px;
-  color: #7c7c7a;
-}
+  color: #7c7c7a; }
 
 @media (min-width: 768px) {
   .form-inline .form-group, .navbar-form .form-group {
     display: inline-block;
     margin-bottom: 0;
-    vertical-align: middle;
-  }
-
+    vertical-align: middle; }
   .form-inline .form-control, .navbar-form .form-control {
     display: inline-block;
     width: auto;
-    vertical-align: middle;
-  }
-
+    vertical-align: middle; }
   .form-inline .input-group, .navbar-form .input-group {
     display: inline-table;
-    vertical-align: middle;
-  }
-
-  .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon, .form-inline .input-group .input-group-btn, .navbar-form .input-group .input-group-btn, .form-inline .input-group .form-control, .navbar-form .input-group .form-control {
-    width: auto;
-  }
-
+    vertical-align: middle; }
+    .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon,
+    .form-inline .input-group .input-group-btn,
+    .navbar-form .input-group .input-group-btn,
+    .form-inline .input-group .form-control,
+    .navbar-form .input-group .form-control {
+      width: auto; }
   .form-inline .input-group > .form-control, .navbar-form .input-group > .form-control {
-    width: 100%;
-  }
-
+    width: 100%; }
   .form-inline .control-label, .navbar-form .control-label {
     margin-bottom: 0;
-    vertical-align: middle;
-  }
-
-  .form-inline .radio, .navbar-form .radio, .form-inline .checkbox, .navbar-form .checkbox {
+    vertical-align: middle; }
+  .form-inline .radio, .navbar-form .radio,
+  .form-inline .checkbox,
+  .navbar-form .checkbox {
     display: inline-block;
     margin-top: 0;
     margin-bottom: 0;
-    vertical-align: middle;
-  }
-
-  .form-inline .radio label, .navbar-form .radio label, .form-inline .checkbox label, .navbar-form .checkbox label {
-    padding-left: 0;
-  }
-
-  .form-inline .radio input[type="radio"], .navbar-form .radio input[type="radio"], .form-inline .checkbox input[type="checkbox"], .navbar-form .checkbox input[type="checkbox"] {
+    vertical-align: middle; }
+    .form-inline .radio label, .navbar-form .radio label,
+    .form-inline .checkbox label,
+    .navbar-form .checkbox label {
+      padding-left: 0; }
+  .form-inline .radio input[type="radio"], .navbar-form .radio input[type="radio"],
+  .form-inline .checkbox input[type="checkbox"],
+  .navbar-form .checkbox input[type="checkbox"] {
     position: relative;
-    margin-left: 0;
-  }
-
+    margin-left: 0; }
   .form-inline .has-feedback .form-control-feedback, .navbar-form .has-feedback .form-control-feedback {
-    top: 0;
-  }
-}
-
-.form-horizontal {
-  .radio, .checkbox, .radio-inline, .checkbox-inline {
-    margin-top: 0;
-    margin-bottom: 0;
-    padding-top: 7px;
-  }
-
-  .radio, .checkbox {
-    min-height: 27px;
-  }
-
-  .form-group {
-    margin-left: -20px;
-    margin-right: -20px;
-
-    &:before {
-      content: " ";
-      display: table;
-    }
-
-    &:after {
-      content: " ";
-      display: table;
-      clear: both;
-    }
-  }
-
-  .has-feedback control-feedback {
-    top: 0;
-    right: 20px;
-  }
-}
+    top: 0; } }
 
+.form-horizontal .radio,
+.form-horizontal .checkbox,
+.form-horizontal .radio-inline,
+.form-horizontal .checkbox-inline {
+  margin-top: 0;
+  margin-bottom: 0;
+  padding-top: 7px; }
+.form-horizontal .radio,
+.form-horizontal .checkbox {
+  min-height: 27px; }
+.form-horizontal .form-group {
+  margin-left: -20px;
+  margin-right: -20px; }
+  .form-horizontal .form-group:before, .form-horizontal .form-group:after {
+    content: " ";
+    display: table; }
+  .form-horizontal .form-group:after {
+    clear: both; }
 @media (min-width: 768px) {
   .form-horizontal .control-label {
     text-align: right;
     margin-bottom: 0;
-    padding-top: 7px;
-  }
-}
-
+    padding-top: 7px; } }
+.form-horizontal .has-feedback control-feedback {
+  top: 0;
+  right: 20px; }
 @media (min-width: 768px) {
   .form-horizontal .form-group-lg .control-label {
-    padding-top: 14.3px;
-  }
-}
-
+    padding-top: 14.3px; } }
 @media (min-width: 768px) {
   .form-horizontal .form-group-sm .control-label {
-    padding-top: 6px;
-  }
-}
+    padding-top: 6px; } }
 
 .btn {
   display: inline-block;
   margin-bottom: 0;
-  font-weight: normal;
-  text-align: center;
-  vertical-align: middle;
-  cursor: pointer;
-  background-image: none;
-  white-space: nowrap;
-  padding: 6px 12px;
-  font-size: 14px;
-  line-height: 1.428571429;
-  border-radius: 3px;
-  -webkit-user-select: none;
-  -moz-user-select: none;
-  -ms-user-select: none;
-  user-select: none;
-  color: #FFFFFF;
-  background-color: #457995;
-  border: 1px solid #1b4257;
-  outline: 0;
-
-  &:active, &.active {
-    color: #FFF;
-    background-color: #30596f;
-    outline: 0;
-    border-color: #1d1d1d;
-    text-decoration: none;
-  }
-}
-
-.open > .btn.dropdown-toggle {
-  color: #FFF;
-  background-color: #30596f;
-  outline: 0;
-  border-color: #1d1d1d;
-  text-decoration: none;
-}
-
-.btn {
-  &:hover, &:focus {
-    background-color: #315a71;
-    color: #FFF;
-    border-radius: 3px;
-    border: 1px solid #1b4257;
-    text-decoration: none;
-  }
-
-  &:active, &.active {
-    background-image: none;
-    outline: 0;
-  }
-}
-
-.open > .btn.dropdown-toggle {
-  background-image: none;
-  outline: 0;
-}
-
-.btn {
-  &.disabled {
-    background-color: #FFFFFF;
-    border-color: #1d1d1d;
-    outline: 0;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #FFFFFF;
-      border-color: #1d1d1d;
-      outline: 0;
-    }
-  }
-
-  &[disabled] {
-    background-color: #FFFFFF;
-    border-color: #1d1d1d;
-    outline: 0;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #FFFFFF;
-      border-color: #1d1d1d;
-      outline: 0;
-    }
-  }
-}
-
-fieldset[disabled] .btn {
-  background-color: #FFFFFF;
+  font-weight: normal;
+  text-align: center;
+  vertical-align: middle;
+  cursor: pointer;
+  background-image: none;
+  white-space: nowrap;
+  padding: 6px 12px;
+  font-size:14px;
+  line-height: 1.428571429;
+  border-radius: 3px;
+  -webkit-user-select: none;
+  -moz-user-select: none;
+  -ms-user-select: none;
+  user-select: none;
+  color: #000;
+  background-color: none;
+  border: 1px solid #1b4257;
+  outline:0; }
+.btn:active, .btn.active, .open > .btn.dropdown-toggle {
+  color: #000;
+  background-color: none;
+  outline:0;
   border-color: #1d1d1d;
-  outline: 0;
-
-  &:hover, &:focus, &:active, &.active {
+  text-decoration: none; }
+.btn:hover, .btn:focus {
+	background-color: #dbdbdb;
+	color: #000;
+	border-radius: 3px;
+	border: 1px solid #1b4257;
+	text-decoration: none;}
+
+  .btn:active, .btn.active, .open > .btn.dropdown-toggle {
+    background-image: none;
+	outline:0; }
+  .btn.disabled, .btn.disabled:hover, .btn.disabled:focus, .btn.disabled:active, .btn.disabled.active, .btn[disabled], .btn[disabled]:hover, .btn[disabled]:focus, .btn[disabled]:active, .btn[disabled].active, fieldset[disabled] .btn, fieldset[disabled] .btn:hover, fieldset[disabled] .btn:focus, fieldset[disabled] .btn:active, fieldset[disabled] .btn.active {
     background-color: #FFFFFF;
     border-color: #1d1d1d;
-    outline: 0;
-  }
-}
+	outline:0; }
 
-.btn {
-  .badge {
+  .btn .badge {
     color: #FFFFFF;
-    background-color: #3e3e3e;
-  }
-
-  &:focus, &:active:focus, &.active:focus {
+    background-color: #3e3e3e; }
+  .btn:focus, .btn:active:focus, .btn.active:focus {
     outline: thin dotted;
     outline: 5px auto -webkit-focus-ring-color;
     outline-offset: -2px;
-    outline: 0;
-  }
-
-  &:active, &.active {
-    outline: 0;
-  }
+	outline:0; }
 
-  &.disabled, &[disabled] {
+  .btn:active, .btn.active {
+    outline: 0;  }
+  .btn.disabled, .btn[disabled], fieldset[disabled] .btn {
     cursor: not-allowed;
     pointer-events: none;
     opacity: 0.30;
-    filter: alpha(opacity = 30);
+    filter: alpha(opacity=30);
     -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled] .btn {
-  cursor: not-allowed;
-  pointer-events: none;
-  opacity: 0.30;
-  filter: alpha(opacity = 30);
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-.act_flush {
-  &:hover, &:focus {
-    color: #FFF;
-    background-color: #336480;
-    border-color: 1px solid #1d1d1d;
-    outline: 0;
-  }
-}
-
-.btn-default {
-  &:active, &.active {
-    background-image: none;
-    outline: 0;
-  }
-}
-
-.open > .btn-default.dropdown-toggle {
-  background-image: none;
-  outline: 0;
-}
-
-.btn-default {
-  &.disabled {
-    background-color: #FFFFFF;
-    border-color: 1px solid #1d1d1d;
-    outline: 0;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #FFFFFF;
-      border-color: 1px solid #1d1d1d;
-      outline: 0;
-    }
-  }
-
-  &[disabled] {
-    background-color: #FFFFFF;
-    border-color: 1px solid #1d1d1d;
-    outline: 0;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #FFFFFF;
-      border-color: 1px solid #1d1d1d;
-      outline: 0;
-    }
-  }
-}
+    box-shadow: none; }
 
-fieldset[disabled] .btn-default {
-  background-color: #FFFFFF;
+.act_flush:hover, .act_flush:focus {
+  color: #000;
+  background-color: #dbdbdb;
   border-color: 1px solid #1d1d1d;
-  outline: 0;
+  outline:0; }
 
-  &:hover, &:focus, &:active, &.active {
+  .btn-default:active, .btn-default.active, .open > .btn-default.dropdown-toggle {
+    background-color: #dbdbdb;
+    color:#000;
+    outline:0; }
+  .btn-default.disabled, .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active, .btn-default[disabled], .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active, fieldset[disabled] .btn-default, fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
     background-color: #FFFFFF;
     border-color: 1px solid #1d1d1d;
-    outline: 0;
-  }
-}
-
-.btn-default .badge {
-  color: #FFFFFF;
-  background-color: #3e3e3e;
-  outline: 0;
-}
+    outline:0; }
+  .btn-default .badge {
+    color: #FFFFFF;
+    background-color: #3e3e3e;
+    outline:0; }
 
 .btn-primary {
   color: #fff !important;
-  background-color: #FF7E25;
-  border: 1px solid #6c6c6c;
-  outline: 0;
-
-  &:hover, &:focus, &:active, &.active {
+  background-color: #FF6E05;
+  border: 1px solid #1b4257;
+  outline:0;   }
+  .btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
     color: #fff;
     background-color: #EC7726;
-    border-color: 1px solid #6c6c6c;
-    outline: 0;
-  }
-}
-
-.open > .btn-primary.dropdown-toggle {
-  color: #fff;
-  background-color: #EC7726;
-  border-color: 1px solid #6c6c6c;
-  outline: 0;
-}
-
-.btn-primary {
-  &:active, &.active {
-    background-image: none;
-  }
-}
+    border-color: 1px solid #1b4257;
+    outline:0; }
 
-.open > .btn-primary.dropdown-toggle {
-  background-image: none;
-}
-
-.btn-primary {
-  &.disabled {
-    background-color: #FF7E25;
-    border-color: #6c6c6c;
-    outline: 0;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #FF7E25;
-      border-color: #6c6c6c;
-      outline: 0;
-    }
-  }
-
-  &[disabled] {
-    background-color: #FF7E25;
-    border-color: #6c6c6c;
-    outline: 0;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #FF7E25;
-      border-color: #6c6c6c;
-      outline: 0;
-    }
-  }
-}
-
-fieldset[disabled] .btn-primary {
-  background-color: #FF7E25;
-  border-color: #6c6c6c;
-  outline: 0;
-
-  &:hover, &:focus, &:active, &.active {
-    background-color: #FF7E25;
-    border-color: #6c6c6c;
-    outline: 0;
-  }
-}
+  .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
+    background-image: none; }
+  .btn-primary.disabled, .btn-primary.disabled:hover, .btn-primary.disabled:focus, .btn-primary.disabled:active, .btn-primary.disabled.active, .btn-primary[disabled], .btn-primary[disabled]:hover, .btn-primary[disabled]:focus, .btn-primary[disabled]:active, .btn-primary[disabled].active, fieldset[disabled] .btn-primary, fieldset[disabled] .btn-primary:hover, fieldset[disabled] .btn-primary:focus, fieldset[disabled] .btn-primary:active, fieldset[disabled] .btn-primary.active {
+    background-color: #FF6E05;
+    border-color: #1b4257;
+    outline:0; }
 
-.btn-primary .badge {
-  color: #FF8B00;
-  background-color: #fff;
-}
+  .btn-primary .badge {
+    color: #FF8B00;
+    background-color: #fff; }
 
 .btn-success {
   color: #fff;
   background-color: #85ce53;
-  border-color: #323232;
-
-  &:hover, &:focus, &:active, &.active {
+  border-color: #323232; }
+  .btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
     color: #fff;
     background-color: #7fc54f;
     border-color: #323232;
-    outline: 0;
-  }
-}
-
-.open > .btn-success.dropdown-toggle {
-  color: #fff;
-  background-color: #7fc54f;
-  border-color: #323232;
-  outline: 0;
-}
-
-.btn-success {
-  &:active, &.active {
-    background-image: none;
-  }
-}
-
-.open > .btn-success.dropdown-toggle {
-  background-image: none;
-}
-
-.btn-success {
-  &.disabled {
-    background-color: #9BD275;
-    border-color: #8dcc62;
-    outline: 0;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #9BD275;
-      border-color: #8dcc62;
-      outline: 0;
-    }
-  }
-
-  &[disabled] {
-    background-color: #9BD275;
-    border-color: #8dcc62;
-    outline: 0;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #9BD275;
-      border-color: #8dcc62;
-      outline: 0;
-    }
-  }
-}
-
-fieldset[disabled] .btn-success {
-  background-color: #9BD275;
-  border-color: #8dcc62;
-  outline: 0;
-
-  &:hover, &:focus, &:active, &.active {
+	outline:0; }
+  .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
+    background-image: none; }
+  .btn-success.disabled, .btn-success.disabled:hover, .btn-success.disabled:focus, .btn-success.disabled:active, .btn-success.disabled.active, .btn-success[disabled], .btn-success[disabled]:hover, .btn-success[disabled]:focus, .btn-success[disabled]:active, .btn-success[disabled].active, fieldset[disabled] .btn-success, fieldset[disabled] .btn-success:hover, fieldset[disabled] .btn-success:focus, fieldset[disabled] .btn-success:active, fieldset[disabled] .btn-success.active {
     background-color: #9BD275;
     border-color: #8dcc62;
-    outline: 0;
-  }
-}
+	outline:0; }
 
-.btn-success .badge {
-  color: #9BD275;
-  background-color: #fff;
-}
+  .btn-success .badge {
+    color: #9BD275;
+    background-color: #fff; }
 
 .btn-info {
   color: #fff;
   background-color: #B0CDDB;
-  border-color: #9ec2d3;
-
-  &:hover, &:focus, &:active, &.active {
+  border-color: #9ec2d3; }
+  .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
     color: #fff;
     background-color: #8db7cb;
-    border-color: #74a7c0;
-  }
-}
-
-.open > .btn-info.dropdown-toggle {
-  color: #fff;
-  background-color: #8db7cb;
-  border-color: #74a7c0;
-}
-
-.btn-info {
-  &:active, &.active {
-    background-image: none;
-  }
-}
+    border-color: #74a7c0; }
 
-.open > .btn-info.dropdown-toggle {
-  background-image: none;
-}
-
-.btn-info {
-  &.disabled {
-    background-color: #B0CDDB;
-    border-color: #9ec2d3;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #B0CDDB;
-      border-color: #9ec2d3;
-    }
-  }
-
-  &[disabled] {
-    background-color: #B0CDDB;
-    border-color: #9ec2d3;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #B0CDDB;
-      border-color: #9ec2d3;
-    }
-  }
-}
-
-fieldset[disabled] .btn-info {
-  background-color: #B0CDDB;
-  border-color: #9ec2d3;
-
-  &:hover, &:focus, &:active, &.active {
+  .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
+    background-image: none; }
+  .btn-info.disabled, .btn-info.disabled:hover, .btn-info.disabled:focus, .btn-info.disabled:active, .btn-info.disabled.active, .btn-info[disabled], .btn-info[disabled]:hover, .btn-info[disabled]:focus, .btn-info[disabled]:active, .btn-info[disabled].active, fieldset[disabled] .btn-info, fieldset[disabled] .btn-info:hover, fieldset[disabled] .btn-info:focus, fieldset[disabled] .btn-info:active, fieldset[disabled] .btn-info.active {
     background-color: #B0CDDB;
-    border-color: #9ec2d3;
-  }
-}
+    border-color: #9ec2d3; }
 
-.btn-info .badge {
-  color: #B0CDDB;
-  background-color: #fff;
-}
+  .btn-info .badge {
+    color: #B0CDDB;
+    background-color: #fff; }
 
 .btn-warning {
   color: #fff;
-  background-color: #FF7E25;
-  border-color: #1b4257;
-
-  &:hover, &:focus, &:active, &.active {
+  background-color: #FF6E05;
+  border-color: #1b4257; }
+  .btn-warning:hover, .btn-warning:focus, .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
     color: #fff;
     background-color: #EC7726;
-    border-color: #1b4257;
-  }
-}
-
-.open > .btn-warning.dropdown-toggle {
-  color: #fff;
-  background-color: #EC7726;
-  border-color: #1b4257;
-}
-
-.btn-warning {
-  &:active, &.active {
-    background-image: none;
-  }
-}
-
-.open > .btn-warning.dropdown-toggle {
-  background-image: none;
-}
-
-.btn-warning {
-  &.disabled {
-    background-color: #f0ad4e;
-    border-color: #eea236;
+    border-color: #1b4257; }
 
-    &:hover, &:focus, &:active, &.active {
-      background-color: #f0ad4e;
-      border-color: #eea236;
-    }
-  }
-
-  &[disabled] {
-    background-color: #f0ad4e;
-    border-color: #eea236;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #f0ad4e;
-      border-color: #eea236;
-    }
-  }
-}
-
-fieldset[disabled] .btn-warning {
-  background-color: #f0ad4e;
-  border-color: #eea236;
-
-  &:hover, &:focus, &:active, &.active {
+  .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
+    background-image: none; }
+  .btn-warning.disabled, .btn-warning.disabled:hover, .btn-warning.disabled:focus, .btn-warning.disabled:active, .btn-warning.disabled.active, .btn-warning[disabled], .btn-warning[disabled]:hover, .btn-warning[disabled]:focus, .btn-warning[disabled]:active, .btn-warning[disabled].active, fieldset[disabled] .btn-warning, fieldset[disabled] .btn-warning:hover, fieldset[disabled] .btn-warning:focus, fieldset[disabled] .btn-warning:active, fieldset[disabled] .btn-warning.active {
     background-color: #f0ad4e;
-    border-color: #eea236;
-  }
-}
+    border-color: #eea236; }
 
-.btn-warning .badge {
-  color: #f0ad4e;
-  background-color: #fff;
-}
+  .btn-warning .badge {
+    color: #f0ad4e;
+    background-color: #fff; }
 
 .btn-danger {
   color: #fff;
   background-color: #CB4326;
-  border-color: #1B4257;
-
-  &:hover, &:focus, &:active, &.active {
+  border-color: #1B4257; }
+  .btn-danger:hover, .btn-danger:focus, .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
     color: #fff;
     background-color: #B63B21;
-    border-color: #1B4257;
-  }
-}
-
-.open > .btn-danger.dropdown-toggle {
-  color: #fff;
-  background-color: #B63B21;
-  border-color: #1B4257;
-}
-
-.btn-danger {
-  &:active, &.active {
-    background-image: none;
-  }
-}
-
-.open > .btn-danger.dropdown-toggle {
-  background-image: none;
-}
-
-.btn-danger {
-  &.disabled {
-    background-color: #F05050;
-    border-color: #ee3939;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #F05050;
-      border-color: #ee3939;
-    }
-  }
-
-  &[disabled] {
-    background-color: #F05050;
-    border-color: #ee3939;
-
-    &:hover, &:focus, &:active, &.active {
-      background-color: #F05050;
-      border-color: #ee3939;
-    }
-  }
-}
-
-fieldset[disabled] .btn-danger {
-  background-color: #F05050;
-  border-color: #ee3939;
-
-  &:hover, &:focus, &:active, &.active {
+    border-color: #1B4257; }
+  .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
+    background-image: none; }
+  .btn-danger.disabled, .btn-danger.disabled:hover, .btn-danger.disabled:focus, .btn-danger.disabled:active, .btn-danger.disabled.active, .btn-danger[disabled], .btn-danger[disabled]:hover, .btn-danger[disabled]:focus, .btn-danger[disabled]:active, .btn-danger[disabled].active, fieldset[disabled] .btn-danger, fieldset[disabled] .btn-danger:hover, fieldset[disabled] .btn-danger:focus, fieldset[disabled] .btn-danger:active, fieldset[disabled] .btn-danger.active {
     background-color: #F05050;
-    border-color: #ee3939;
-  }
-}
-
-.btn-danger .badge {
-  color: #F05050;
-  background-color: #fff;
-}
+    border-color: #ee3939; }
+  .btn-danger .badge {
+    color: #F05050;
+    background-color: #fff; }
 
 .btn-link {
   color: #FF8B00;
   font-weight: normal;
   cursor: pointer;
-  border-radius: 0;
-  background-color: transparent;
-  -webkit-box-shadow: none;
-  box-shadow: none;
-
-  &:active, &[disabled] {
+  border-radius: 0; }
+  .btn-link, .btn-link:active, .btn-link[disabled], fieldset[disabled] .btn-link {
     background-color: transparent;
     -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-}
-
-fieldset[disabled] .btn-link {
-  background-color: transparent;
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
-
-.btn-link {
-  border-color: transparent;
-
-  &:hover, &:focus, &:active {
-    border-color: transparent;
-  }
-
-  &:hover, &:focus {
+    box-shadow: none; }
+  .btn-link, .btn-link:hover, .btn-link:focus, .btn-link:active {
+    border-color: transparent; }
+  .btn-link:hover, .btn-link:focus {
     color: #9f4d03;
     text-decoration: underline;
-    background-color: transparent;
-  }
-
-  &[disabled] {
-    &:hover, &:focus {
-      color: #777777;
-      text-decoration: none;
-    }
-  }
-}
+    background-color: transparent; }
 
-fieldset[disabled] .btn-link {
-  &:hover, &:focus {
+  .btn-link[disabled]:hover, .btn-link[disabled]:focus, fieldset[disabled] .btn-link:hover, fieldset[disabled] .btn-link:focus {
     color: #777777;
-    text-decoration: none;
-  }
-}
+    text-decoration: none; }
+
 
 .btn-lg, .btn-group-lg > .btn {
   padding: 9px 12px;
   font-size: 18px;
-  line-height: 1.33;
-}
+  line-height: 1.33; }
 
 .btn-sm, .btn-group-sm > .btn {
   padding: 5px 10px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 .btn-xs, .btn-group-xs > .btn {
   padding: 1px 4px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 .btn-block {
   display: block;
-  width: 100%;
+  width: 100%; }
 
-  + .btn-block {
-    margin-top: 5px;
-  }
-}
+.btn-block + .btn-block {
+  margin-top: 5px; }
 
-input {
-  &[type="submit"].btn-block, &[type="reset"].btn-block, &[type="button"].btn-block {
-    width: 100%;
-  }
-}
+input[type="submit"].btn-block,
+input[type="reset"].btn-block,
+input[type="button"].btn-block {
+  width: 100%; }
 
 .fade {
   opacity: 0;
-  filter: alpha(opacity = 0);
+  filter: alpha(opacity=0);
   -webkit-transition: opacity 0.15s linear;
   -o-transition: opacity 0.15s linear;
-  transition: opacity 0.15s linear;
+  transition: opacity 0.15s linear; }
+  .fade.in {
+    opacity: 1; filter: alpha(opacity=100); }
 
-  &.in {
-    opacity: 1;
-    filter: alpha(opacity = 100);
-  }
-}
 
 .collapse {
-  display: none;
-
-  &.in {
-    display: block;
-  }
-}
+  display: none; }
+  .collapse.in {
+    display: block; }
 
 tr.collapse.in {
-  display: table-row;
-}
+  display: table-row; }
 
 tbody.collapse.in {
-  display: table-row-group;
-}
+  display: table-row-group; }
 
 .collapsing {
   position: relative;
@@ -5425,8 +3137,7 @@ tbody.collapse.in {
   overflow: hidden;
   -webkit-transition: height 0.35s ease;
   -o-transition: height 0.35s ease;
-  transition: height 0.35s ease;
-}
+  transition: height 0.35s ease; }
 
 .caret {
   display: inline-block;
@@ -5436,16 +3147,14 @@ tbody.collapse.in {
   vertical-align: middle;
   border-top: 4px solid;
   border-right: 4px solid transparent;
-  border-left: 4px solid transparent;
-}
+  border-left: 4px solid transparent; }
 
 .dropdown {
-  position: relative;
-}
+  position: relative; }
+
 
 .dropdown-toggle:focus {
-  outline: 0;
-}
+  outline: 0; }
 
 .dropdown-menu {
   position: absolute;
@@ -5458,10 +3167,10 @@ tbody.collapse.in {
   padding: 5px 0;
   margin: 2px 0 0;
   list-style: none;
-  font-size: 14px;
+  font-size:14px;
   text-align: left;
-  background-color: #315a71;
-  color: #fff;
+  background-color: #f0f0f0;
+  color: #000;
   border-left: 1px solid #1b4257;
   border-right: 1px solid #1b4257;
   border-bottom: 1px solid #1b4257;
@@ -5469,93 +3178,65 @@ tbody.collapse.in {
   -webkit-box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   background-clip: padding-box;
-  -webkit-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
-  -moz-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
-  box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
-  opacity: 0.97;
+  -webkit-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
+  -moz-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
+  box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
+  opacity: 0.97; }
 
-  &.pull-right {
+  .dropdown-menu.pull-right {
     right: 0;
     left: auto;
-    background-color: #e5e5e5;
-  }
+    background-color: #e5e5e5; }
 
-  .divider {
+  .dropdown-menu .divider {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5;
-  }
-
-  > {
-    li > a {
-      display: block;
-      padding: 3px 20px;
-      clear: both;
-      font-weight: normal;
-      line-height: 1.428571429;
-      color: #fff;
-      white-space: nowrap;
-      outline: 0;
-
-      &:hover, &:focus {
-        text-decoration: none;
-        color: #FFFFFF;
-        background-color: #FF7E25;
-      }
-    }
-
-    .active > a {
-      color: #fff;
-      text-decoration: none;
-      outline: 0;
-      background-color: #FF7E25;
+    background-color: #e5e5e5; }
+  .dropdown-menu > li > a {
+    display: block;
+    padding: 3px 20px;
+    clear: both;
+    font-weight: normal;
+    line-height: 1.428571429;
+    color: #000;
+    white-space: nowrap;
+	outline:0;}
 
-      &:hover, &:focus {
-        color: #fff;
-        text-decoration: none;
-        outline: 0;
-        background-color: #FF7E25;
-      }
-    }
+.dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus {
+  text-decoration: none;
+  color: #FFFFFF;
+  background-color: #FF6E05; }
 
-    .disabled > a {
-      color: #777777;
+.dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus {
+  color: #fff;
+  text-decoration: none;
+  outline: 0;
+  background-color: #FF6E05; }
 
-      &:hover, &:focus {
-        color: #777777;
-      }
+.dropdown-menu > .disabled > a, .dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
+  color: #777777; }
 
-      &:hover, &:focus {
-        text-decoration: none;
-        background-color: transparent;
-        background-image: none;
-        filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
-        cursor: not-allowed;
-      }
-    }
-  }
-}
+.dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
+  text-decoration: none;
+  background-color: transparent;
+  background-image: none;
+  filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
+  cursor: not-allowed; }
 
-.open > {
-  .dropdown-menu {
-    display: block;
-  }
 
-  a {
-    outline: 0;
-  }
-}
+.open > .dropdown-menu {
+  display: block; }
+.open > a {
+  outline: 0; }
 
 .dropdown-menu-right {
   left: auto;
-  right: 0;
-}
+  right: 0; }
 
 .dropdown-menu-left {
   left: 0;
-  right: auto;
-}
+  right: auto; }
 
 .dropdown-header {
   display: block;
@@ -5563,8 +3244,7 @@ tbody.collapse.in {
   font-size: 12px;
   line-height: 1.428571429;
   color: #b0b0b0;
-  white-space: nowrap;
-}
+  white-space: nowrap; }
 
 .dropdown-backdrop {
   position: fixed;
@@ -5572,805 +3252,467 @@ tbody.collapse.in {
   right: 0;
   bottom: 0;
   top: 0;
-  z-index: 990;
-}
+  z-index: 990; }
 
 .pull-right > .dropdown-menu {
   right: 0;
-  left: auto;
-}
+  left: auto; }
 
-.dropup .caret, .navbar-fixed-bottom .dropdown .caret {
+.dropup .caret,
+.navbar-fixed-bottom .dropdown .caret {
   border-top: 0;
   border-bottom: 4px solid;
-  content: "";
-}
-
-.dropup .dropdown-menu, .navbar-fixed-bottom .dropdown .dropdown-menu {
+  content: ""; }
+.dropup .dropdown-menu,
+.navbar-fixed-bottom .dropdown .dropdown-menu {
   top: auto;
   bottom: 100%;
-  margin-bottom: 1px;
-}
+  margin-bottom: 1px; }
 
 @media (min-width: 768px) {
-  .navbar-right {
-    .dropdown-menu {
-      right: 0;
-      left: auto;
-    }
-
-    .dropdown-menu-left {
-      left: 0;
-      right: auto;
-    }
-  }
-}
-
-.btn-group, .btn-group-vertical {
+  .navbar-right .dropdown-menu {
+    right: 0;
+    left: auto; }
+  .navbar-right .dropdown-menu-left {
+    left: 0;
+    right: auto; } }
+.btn-group,
+.btn-group-vertical {
   position: relative;
   display: inline-block;
-  vertical-align: middle;
-}
-
-.btn-group > .btn, .btn-group-vertical > .btn {
-  position: relative;
-  float: left;
-}
-
-.btn-group > .btn {
-  &:hover, &:focus, &:active, &.active {
-    z-index: 2;
-    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-  }
-}
-
-.btn-group-vertical > .btn {
-  &:hover, &:focus, &:active, &.active {
-    z-index: 2;
-    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-  }
-}
-
-.btn-group > .btn:focus, .btn-group-vertical > .btn:focus {
-  outline: 0;
-}
-
-.btn-group {
-  .btn + {
-    .btn, .btn-group {
-      margin-left: -1px;
-    }
-  }
-
-  .btn-group + {
-    .btn, .btn-group {
-      margin-left: -1px;
-    }
-  }
-}
+  vertical-align: middle; }
+  .btn-group > .btn,
+  .btn-group-vertical > .btn {
+    position: relative;
+    float: left; }
+    .btn-group > .btn:hover, .btn-group > .btn:focus, .btn-group > .btn:active, .btn-group > .btn.active,
+    .btn-group-vertical > .btn:hover,
+    .btn-group-vertical > .btn:focus,
+    .btn-group-vertical > .btn:active,
+    .btn-group-vertical > .btn.active {
+      z-index: 2;
+	  -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+	  -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+	  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important; }
+    .btn-group > .btn:focus,
+    .btn-group-vertical > .btn:focus {
+      outline: 0; }
+
+.btn-group .btn + .btn,
+.btn-group .btn + .btn-group,
+.btn-group .btn-group + .btn,
+.btn-group .btn-group + .btn-group {
+  margin-left: -1px; }
 
 .btn-toolbar {
-  margin-left: -5px;
-
-  &:before {
+  margin-left: -5px; }
+  .btn-toolbar:before, .btn-toolbar:after {
     content: " ";
-    display: table;
-  }
+    display: table; }
+  .btn-toolbar:after {
+    clear: both; }
+  .btn-toolbar .btn-group,
+  .btn-toolbar .input-group {
+    float: left; }
+  .btn-toolbar > .btn,
+  .btn-toolbar > .btn-group,
+  .btn-toolbar > .input-group {
+    margin-left: 5px; }
+
+.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {
+  border-radius: 0; }
+
+.btn-group > .btn:first-child {
+  margin-left: 0; }
+  .btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) {
+    border-bottom-right-radius: 0;
+    border-top-right-radius: 0; }
+
+.btn-group > .btn:last-child:not(:first-child),
+.btn-group > .dropdown-toggle:not(:first-child) {
+  border-bottom-left-radius: 0;
+  border-top-left-radius: 0; }
 
-  &:after {
-    content: " ";
-    display: table;
-    clear: both;
-  }
+.btn-group > .btn-group {
+  float: left; }
 
-  .btn-group, .input-group {
-    float: left;
-  }
+.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0; }
 
-  > {
-    .btn, .btn-group, .input-group {
-      margin-left: 5px;
-    }
-  }
-}
+.btn-group > .btn-group:first-child > .btn:last-child,
+.btn-group > .btn-group:first-child > .dropdown-toggle {
+  border-bottom-right-radius: 0;
+  border-top-right-radius: 0; }
 
-.btn-group {
-  > {
-    .btn {
-      &:not(:first-child):not(:last-child):not(.dropdown-toggle) {
-        border-radius: 0;
-      }
-
-      &:first-child {
-        margin-left: 0;
-
-        &:not(:last-child):not(.dropdown-toggle) {
-          border-bottom-right-radius: 0;
-          border-top-right-radius: 0;
-        }
-      }
-
-      &:last-child:not(:first-child) {
-        border-bottom-left-radius: 0;
-        border-top-left-radius: 0;
-      }
-    }
-
-    .dropdown-toggle:not(:first-child) {
-      border-bottom-left-radius: 0;
-      border-top-left-radius: 0;
-    }
-
-    .btn-group {
-      float: left;
+.btn-group > .btn-group:last-child > .btn:first-child {
+  border-bottom-left-radius: 0;
+  border-top-left-radius: 0; }
 
-      &:not(:first-child):not(:last-child) > .btn {
-        border-radius: 0;
-      }
-
-      &:first-child > {
-        .btn:last-child, .dropdown-toggle {
-          border-bottom-right-radius: 0;
-          border-top-right-radius: 0;
-        }
-      }
-
-      &:last-child > .btn:first-child {
-        border-bottom-left-radius: 0;
-        border-top-left-radius: 0;
-      }
-    }
-  }
-
-  .dropdown-toggle {
-    &:active, &:hover {
-      outline: 0;
-      color: #FFFFFF;
-      background-color: none;
-      border-color: #000;
-    }
-  }
+.btn-group .dropdown-toggle:active, .btn-group .dropdown-toggle:hover, .btn-group.open .dropdown-toggle {
+  outline: 0;
+  color: #000;
+  background-color: none;
+  border-color: #000; }
 
-  &.open .dropdown-toggle {
-    outline: 0;
-    color: #FFFFFF;
-    background-color: none;
-    border-color: #000;
-  }
-
-  > {
-    .btn + .dropdown-toggle {
-      padding-left: 8px;
-      padding-right: 8px;
-    }
-
-    .btn-lg + .dropdown-toggle {
-      padding-left: 12px;
-      padding-right: 12px;
-    }
-  }
-}
+.btn-group > .btn + .dropdown-toggle {
+  padding-left: 8px;
+  padding-right: 8px; }
 
-.btn-group-lg.btn-group > .btn + .dropdown-toggle {
+.btn-group > .btn-lg + .dropdown-toggle, .btn-group-lg.btn-group > .btn + .dropdown-toggle {
   padding-left: 12px;
-  padding-right: 12px;
-}
+  padding-right: 12px; }
 
-.btn-group.open .dropdown-toggle.btn-link {
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
+.btn-group.open .dropdown-toggle {}
+  .btn-group.open .dropdown-toggle.btn-link {
+    -webkit-box-shadow: none;
+    box-shadow: none; }
 
 .btn .caret {
-  margin-left: 0;
-}
+  margin-left: 0; }
 
 .btn-lg .caret, .btn-group-lg > .btn .caret {
   border-width: 5px 5px 0;
-  border-bottom-width: 0;
-}
-
-.dropup {
-  .btn-lg .caret, .btn-group-lg > .btn .caret {
-    border-width: 0 5px 5px;
-  }
-}
-
-.btn-group-vertical > {
-  .btn {
-    display: block;
-    float: none;
-    width: 100%;
-    max-width: 100%;
-  }
-
-  .btn-group {
-    display: block;
-    float: none;
-    width: 100%;
-    max-width: 100%;
-
-    > .btn {
-      display: block;
-      float: none;
-      width: 100%;
-      max-width: 100%;
-    }
-
-    &:before {
-      content: " ";
-      display: table;
-    }
-
-    &:after {
-      content: " ";
-      display: table;
-      clear: both;
-    }
+  border-bottom-width: 0; }
 
-    > .btn {
-      float: none;
-    }
-  }
+.dropup .btn-lg .caret, .dropup .btn-group-lg > .btn .caret {
+  border-width: 0 5px 5px; }
 
-  .btn + {
-    .btn, .btn-group {
-      margin-top: -1px;
-      margin-left: 0;
-    }
-  }
+.btn-group-vertical > .btn,
+.btn-group-vertical > .btn-group,
+.btn-group-vertical > .btn-group > .btn {
+  display: block;
+  float: none;
+  width: 100%;
+  max-width: 100%; }
+.btn-group-vertical > .btn-group:before, .btn-group-vertical > .btn-group:after {
+  content: " ";
+  display: table; }
+.btn-group-vertical > .btn-group:after {
+  clear: both; }
+.btn-group-vertical > .btn-group > .btn {
+  float: none; }
+.btn-group-vertical > .btn + .btn,
+.btn-group-vertical > .btn + .btn-group,
+.btn-group-vertical > .btn-group + .btn,
+.btn-group-vertical > .btn-group + .btn-group {
+  margin-top: -1px;
+  margin-left: 0; }
 
-  .btn-group + {
-    .btn, .btn-group {
-      margin-top: -1px;
-      margin-left: 0;
-    }
-  }
+.btn-group-vertical > .btn:not(:first-child):not(:last-child) {
+  border-radius: 0; }
+.btn-group-vertical > .btn:first-child:not(:last-child) {
+  border-top-right-radius: 3px;
+  border-bottom-right-radius: 0;
+  border-bottom-left-radius: 0; }
+.btn-group-vertical > .btn:last-child:not(:first-child) {
+  border-bottom-left-radius: 3px;
+  border-top-right-radius: 0;
+  border-top-left-radius: 0; }
 
-  .btn {
-    &:not(:first-child):not(:last-child) {
-      border-radius: 0;
-    }
+.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0; }
 
-    &:first-child:not(:last-child) {
-      border-top-right-radius: 3px;
-      border-bottom-right-radius: 0;
-      border-bottom-left-radius: 0;
-    }
+.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child,
+.btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle {
+  border-bottom-right-radius: 0;
+  border-bottom-left-radius: 0; }
 
-    &:last-child:not(:first-child) {
-      border-bottom-left-radius: 3px;
-      border-top-right-radius: 0;
-      border-top-left-radius: 0;
-    }
-  }
-
-  .btn-group {
-    &:not(:first-child):not(:last-child) > .btn {
-      border-radius: 0;
-    }
-
-    &:first-child:not(:last-child) > {
-      .btn:last-child, .dropdown-toggle {
-        border-bottom-right-radius: 0;
-        border-bottom-left-radius: 0;
-      }
-    }
-
-    &:last-child:not(:first-child) > .btn:first-child {
-      border-top-right-radius: 0;
-      border-top-left-radius: 0;
-    }
-  }
-}
+.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {
+  border-top-right-radius: 0;
+  border-top-left-radius: 0; }
 
 .btn-group-justified {
   display: table;
   width: 100%;
   table-layout: fixed;
-  border-collapse: separate;
-
-  > {
-    .btn {
-      float: none;
-      display: table-cell;
-      width: 1%;
-    }
-
-    .btn-group {
-      float: none;
-      display: table-cell;
-      width: 1%;
-
-      .btn {
-        width: 100%;
-      }
-
-      .dropdown-menu {
-        left: auto;
-      }
-    }
-  }
-}
-
-[data-toggle="buttons"] > .btn > input {
-  &[type="radio"], &[type="checkbox"] {
-    position: absolute;
-    z-index: -1;
-    opacity: 0;
-    filter: alpha(opacity = 0);
-  }
-}
+  border-collapse: separate; }
+  .btn-group-justified > .btn,
+  .btn-group-justified > .btn-group {
+    float: none;
+    display: table-cell;
+    width: 1%; }
+  .btn-group-justified > .btn-group .btn {
+    width: 100%; }
+  .btn-group-justified > .btn-group .dropdown-menu {
+    left: auto; }
+
+[data-toggle="buttons"] > .btn > input[type="radio"],
+[data-toggle="buttons"] > .btn > input[type="checkbox"] {
+  position: absolute;
+  z-index: -1;
+  opacity: 0;
+  filter: alpha(opacity=0); }
 
 .input-group {
   position: relative;
   display: table;
-  border-collapse: separate;
-
-  &[class*="col-"] {
+  border-collapse: separate; }
+  .input-group[class*="col-"] {
     float: none;
     padding-left: 0;
-    padding-right: 0;
-  }
-
-  .form-control {
+    padding-right: 0; }
+  .input-group .form-control {
     position: relative;
     z-index: 2;
     float: left;
     width: 100%;
-    margin-bottom: 0;
-  }
-}
-
-.input-group-addon, .input-group-btn, .input-group .form-control {
-  display: table-cell;
-}
-
-.input-group-addon:not(:first-child):not(:last-child), .input-group-btn:not(:first-child):not(:last-child), .input-group .form-control:not(:first-child):not(:last-child) {
-  border-radius: 0;
-}
-
-.input-group-addon, .input-group-btn {
+    margin-bottom: 0; }
+
+.input-group-addon,
+.input-group-btn,
+.input-group .form-control {
+  display: table-cell; }
+  .input-group-addon:not(:first-child):not(:last-child),
+  .input-group-btn:not(:first-child):not(:last-child),
+  .input-group .form-control:not(:first-child):not(:last-child) {
+    border-radius: 0; }
+
+.input-group-addon,
+.input-group-btn {
   width: 1%;
   white-space: nowrap;
-  vertical-align: middle;
-}
+  vertical-align: middle; }
 
 .input-group-addon {
   padding: 6px 12px;
-  font-size: 14px;
+  font-size:14px;
   font-weight: normal;
   line-height: 1;
   color: #FFF;
   text-align: center;
   background-color: #eeeeee;
   border: 1px solid #ccc;
-  border-radius: 3px;
-
-  &.input-sm {
-    padding: 5px 10px;
-    font-size: 12px;
-    border-radius: 3px;
-  }
-}
-
-.form-horizontal .form-group-sm .input-group-addon.form-control {
-  padding: 5px 10px;
-  font-size: 12px;
-  border-radius: 3px;
-}
-
-.input-group-sm > {
-  .input-group-addon, .input-group-btn > .input-group-addon.btn {
+  border-radius: 3px; }
+  .input-group-addon.input-sm, .form-horizontal .form-group-sm .input-group-addon.form-control,
+  .input-group-sm > .input-group-addon,
+  .input-group-sm > .input-group-btn > .input-group-addon.btn {
     padding: 5px 10px;
     font-size: 12px;
-    border-radius: 3px;
-  }
-}
-
-.input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control {
-  padding: 10px 16px;
-  font-size: 18px;
-  border-radius: 6px;
-}
-
-.input-group-lg > {
-  .input-group-addon, .input-group-btn > .input-group-addon.btn {
+    border-radius: 3px; }
+  .input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control,
+  .input-group-lg > .input-group-addon,
+  .input-group-lg > .input-group-btn > .input-group-addon.btn {
     padding: 10px 16px;
     font-size: 18px;
-    border-radius: 6px;
-  }
-}
-
-.input-group-addon input {
-  &[type="radio"], &[type="checkbox"] {
-    margin-top: 0;
-  }
-}
-
-.input-group .form-control:first-child, .input-group-addon:first-child {
+    border-radius: 6px; }
+  .input-group-addon input[type="radio"],
+  .input-group-addon input[type="checkbox"] {
+    margin-top: 0; }
+
+.input-group .form-control:first-child,
+.input-group-addon:first-child,
+.input-group-btn:first-child > .btn,
+.input-group-btn:first-child > .btn-group > .btn,
+.input-group-btn:first-child > .dropdown-toggle,
+.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),
+.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {
   border-bottom-right-radius: 0;
-  border-top-right-radius: 0;
-}
-
-.input-group-btn {
-  &:first-child > {
-    .btn, .btn-group > .btn, .dropdown-toggle {
-      border-bottom-right-radius: 0;
-      border-top-right-radius: 0;
-    }
-  }
-
-  &:last-child > {
-    .btn:not(:last-child):not(.dropdown-toggle), .btn-group:not(:last-child) > .btn {
-      border-bottom-right-radius: 0;
-      border-top-right-radius: 0;
-    }
-  }
-}
+  border-top-right-radius: 0; }
 
 .input-group-addon:first-child {
-  border-right: 0;
-}
-
-.input-group .form-control:last-child, .input-group-addon:last-child {
+  border-right: 0; }
+
+.input-group .form-control:last-child,
+.input-group-addon:last-child,
+.input-group-btn:last-child > .btn,
+.input-group-btn:last-child > .btn-group > .btn,
+.input-group-btn:last-child > .dropdown-toggle,
+.input-group-btn:first-child > .btn:not(:first-child),
+.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {
   border-bottom-left-radius: 0;
-  border-top-left-radius: 0;
-}
-
-.input-group-btn {
-  &:last-child > {
-    .btn, .btn-group > .btn, .dropdown-toggle {
-      border-bottom-left-radius: 0;
-      border-top-left-radius: 0;
-    }
-  }
-
-  &:first-child > {
-    .btn:not(:first-child), .btn-group:not(:first-child) > .btn {
-      border-bottom-left-radius: 0;
-      border-top-left-radius: 0;
-    }
-  }
-}
+  border-top-left-radius: 0; }
 
 .input-group-addon:last-child {
-  border-left: 0;
-}
+  border-left: 0; }
 
 .input-group-btn {
   position: relative;
   font-size: 0;
-  white-space: nowrap;
-
-  > .btn {
-    position: relative;
-
-    + .btn {
-      margin-left: -1px;
-    }
-
-    &:hover, &:focus, &:active {
-      z-index: 2;
-    }
-  }
-
-  &:first-child > {
-    .btn, .btn-group {
-      margin-right: -1px;
-    }
-  }
-
-  &:last-child > {
-    .btn, .btn-group {
-      margin-left: -1px;
-    }
-  }
-}
+  white-space: nowrap; }
+  .input-group-btn > .btn {
+    position: relative; }
+    .input-group-btn > .btn + .btn {
+      margin-left: -1px; }
+    .input-group-btn > .btn:hover, .input-group-btn > .btn:focus, .input-group-btn > .btn:active {
+      z-index: 2; }
+  .input-group-btn:first-child > .btn,
+  .input-group-btn:first-child > .btn-group {
+    margin-right: -1px; }
+  .input-group-btn:last-child > .btn,
+  .input-group-btn:last-child > .btn-group {
+    margin-left: -1px; }
 
 .nav {
   margin-bottom: 0;
   padding-left: 0;
-  list-style: none;
-
-  &:before {
-    content: " ";
-    display: table;
-  }
-
-  &:after {
+  list-style: none; }
+  .nav:before, .nav:after {
     content: " ";
-    display: table;
-    clear: both;
-  }
-
-  > li {
-    position: relative;
-    display: block;
-
-    > a {
-      position: relative;
-      display: block;
-      padding: 10px 15px;
-      color: #FFF;
-      border-radius: 0px;
-      border-top-right-radius: 10px;
-      margin-right: 0px;
-      background-color: #315a71;
-      opacity: 0.6;
-      filter: alpha(opacity = 50);
-    }
-  }
-}
-
-.nav-tabs > li > a {
-  position: relative;
-  display: block;
-  padding: 10px 15px;
-  color: #FFF;
-  border-radius: 0px;
-  border-top-right-radius: 10px;
-  margin-right: 0px;
-  background-color: #315a71;
-  opacity: 0.6;
-  filter: alpha(opacity = 50);
-}
-
-.nav > li {
-  &#menu_messages {
-    > a {
-      position: relative;
-      display: block;
-      padding: none;
-      color: #FF7E25;
-      background-color: transparent;
-      margin-right: 10px;
-      border: none;
-      opacity: 1.0;
-    }
-
-    > a:hover {
-      text-decoration: underline;
-    }
-  }
-
-  > a {
-    &:hover, &:focus {
-      text-decoration: none;
-      background-color: #315a71;
-      color: #FFF;
-      opacity: 0.8;
-    }
-  }
-}
-
-a:focus {
-  text-decoration: underline;
-}
-
-.nav {
-  > li.disabled > a {
-    color: #fff;
-
-    &:hover, &:focus {
-      color: #fff;
-      text-decoration: none;
-      background-color: #839caa;
-      opacity: 0.9;
-      cursor: not-allowed;
-    }
-  }
-
-  .open > a {
-    background-color: #336480;
-    cursor: pointer;
-
-    &:hover, &:focus {
-      background-color: #336480;
-      cursor: pointer;
-    }
-  }
-
-  .nav-divider {
+    display: table; }
+  .nav:after {
+    clear: both; }
+  .nav > li {
+    position: relative;
+    display: block; }
+    .nav > li > a, .nav-tabs > li > a {
+		position: relative;
+		display: block;
+		padding: 10px 15px;
+		color: #FFF;
+		border-radius: 0px;
+		border-top-right-radius: 10px;
+		margin-right: 0px;
+		background-color: #172c38;
+		opacity: 0.6;
+		filter: alpha(opacity=50);}
+	.nav > li#menu_messages > a {
+      position: relative;
+      display: block;
+      padding: none;
+	  color:#FF6E05;
+	  background-color:transparent;
+	  margin-right: 10px;
+	  border:none;
+	  opacity: 1.0;}
+      .nav > li > a:hover, .nav > li > a:focus {
+        text-decoration: none;
+        background-color: #172c38;
+		color: #FFF;
+		opacity: 0.8; }
+		.nav > li#menu_messages > a:hover, a:focus {
+		text-decoration: underline; }
+
+    .nav > li.disabled > a {
+		color: #fff; }
+      .nav > li.disabled > a:hover, .nav > li.disabled > a:focus {
+		  color: #fff;
+		  text-decoration: none;
+		  background-color: #839caa;
+		  opacity:0.9;
+		  cursor: not-allowed; }
+
+  .nav .open > a, .nav .open > a:hover, .nav .open > a:focus {
+    background-color: #172c38;
+    cursor:pointer; }
+
+  .nav .nav-divider {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5;
-  }
-
-  > li > a > img {
-    max-width: none;
-  }
-}
+    background-color: #e5e5e5; }
+  .nav > li > a > img {
+    max-width: none; }
 
 .nav-tabs {
-  margin-right: 1px;
-
-  > li {
-    float: left;
-
-    > a {
+  margin-right: 1px; }
+  .nav-tabs > li {
+    float: left; }
+    .nav-tabs > li > a {
       line-height: 1.428571429;
-      border: none;
-      cursor: pointer;
-
-      &:hover {
-        opacity: 0.8;
-        filter: alpha(opacity = 80);
-      }
-    }
-
-    &.active > a {
+	  border:none;
+	  cursor:pointer;}
+	.nav-tabs > li > a:hover {opacity: 0.8; filter: alpha(opacity=80);}
+    .nav-tabs > li.active > a, .nav-tabs > li.active > a:hover, .nav-tabs > li.active > a:focus {
       color: #FFF;
       background-color: #393939;
       border-bottom-color: transparent;
       cursor: pointer;
-      opacity: 1;
-      filter: alpha(opacity = 100);
-
-      &:hover, &:focus {
-        color: #FFF;
-        background-color: #393939;
-        border-bottom-color: transparent;
-        cursor: pointer;
-        opacity: 1;
-        filter: alpha(opacity = 100);
-      }
-    }
-  }
-}
-
-.nav-pills > li {
-  float: left;
-
-  > a {
-    border-radius: 0;
-  }
-
-  &.active > a {
+	  opacity: 1;
+	  filter: alpha(opacity=100);}
+
+	  .nav-pills > li {
+  float: left; }
+  .nav-pills > li > a {
+    border-radius: 0; }
+  .nav-pills > li.active > a, .nav-pills > li.active > a:hover, .nav-pills > li.active > a:focus {
     color: #fff;
     background-color: #1b4257;
-    opacity: 1.0;
-
-    &:hover, &:focus {
-      color: #fff;
-      background-color: #1b4257;
-      opacity: 1.0;
-    }
-  }
-}
+	opacity: 1.0; }
 
 .nav-stacked > li {
-  float: none;
-
-  + li {
+  float: none; }
+  .nav-stacked > li + li {
     margin-top: 2px;
-    margin-left: 0;
-  }
-}
+    margin-left: 0; }
 
 .nav-justified, .nav-tabs.nav-justified {
-  width: 100%;
-}
-
-.nav-justified > li, .nav-tabs.nav-justified > li {
-  float: none;
-}
-
-.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-  text-align: left;
-  margin-bottom: 5px;
-}
-
-.nav-justified > .dropdown .dropdown-menu {
-  top: auto;
-  left: auto;
-}
-
-@media (min-width: 768px) {
+  width: 100%; }
   .nav-justified > li, .nav-tabs.nav-justified > li {
-    display: table-cell;
-    width: 1%;
-  }
-
-  .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-    margin-bottom: 0;
-  }
-}
+    float: none; }
+    .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+      text-align: left;
+      margin-bottom: 5px; }
+  .nav-justified > .dropdown .dropdown-menu {
+    top: auto;
+    left: auto; }
+  @media (min-width: 768px) {
+    .nav-justified > li, .nav-tabs.nav-justified > li {
+      display: table-cell;
+      width: 1%; }
+      .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+        margin-bottom: 0; } }
 
 .nav-tabs-justified, .nav-tabs.nav-justified {
-  border-bottom: 0;
-}
-
-.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
-  margin-right: 0;
-  border-radius: 3px;
-}
-
-.nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a, .nav-tabs-justified > .active > a:hover, .nav-tabs.nav-justified > .active > a:hover, .nav-tabs-justified > .active > a:focus, .nav-tabs.nav-justified > .active > a:focus {
-  border: 1px solid #656565;
-}
-
-@media (min-width: 768px) {
+  border-bottom: 0; }
   .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
-    border-bottom: 1px solid #656565;
-    border-radius: 3px 3px 0 0;
-  }
-
-  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a, .nav-tabs-justified > .active > a:hover, .nav-tabs.nav-justified > .active > a:hover, .nav-tabs-justified > .active > a:focus, .nav-tabs.nav-justified > .active > a:focus {
-    border-bottom-color: transparent;
-  }
-}
-
-.tab-content > {
-  .tab-pane {
-    display: none;
-  }
-
-  .active {
-    display: block;
-  }
-}
+    margin-right: 0;
+    border-radius: 3px; }
+  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
+  .nav-tabs-justified > .active > a:hover,
+  .nav-tabs.nav-justified > .active > a:hover,
+  .nav-tabs-justified > .active > a:focus,
+  .nav-tabs.nav-justified > .active > a:focus {
+    border: 1px solid #656565; }
+  @media (min-width: 768px) {
+    .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+      border-bottom: 1px solid #656565;
+      border-radius: 3px 3px 0 0; }
+    .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
+    .nav-tabs-justified > .active > a:hover,
+    .nav-tabs.nav-justified > .active > a:hover,
+    .nav-tabs-justified > .active > a:focus,
+    .nav-tabs.nav-justified > .active > a:focus {
+      border-bottom-color: transparent; } }
+
+.tab-content > .tab-pane {
+  display: none; }
+  .tab-content > .active {
+  display: block; }
 
 .tab-pane .content-box {
-  border: none !important;
+  border:none !important;
   box-shadow: none;
-  -webkit-box-shadow: none;
-}
+  -webkit-box-shadow: none; }
 
 .nav-tabs .dropdown-menu {
   margin-top: -1px;
   border-top-right-radius: 0;
   border-top-left-radius: 0;
-  cursor: pointer;
-}
+  cursor:pointer;}
+
 
 .navbar {
   position: relative;
   min-height: 50px;
   margin-bottom: 0;
-  border: 1px solid transparent;
-
-  &:before {
-    content: " ";
-    display: table;
-  }
-
-  &:after {
-    content: " ";
-    display: table;
-    clear: both;
-  }
-}
-
-@media (min-width: 768px) {
-  .navbar {
-    border-radius: 0;
-  }
-}
-
-.navbar-header {
-  &:before {
-    content: " ";
-    display: table;
-  }
-
-  &:after {
+  border: 1px solid transparent; }
+  .navbar:before, .navbar:after {
     content: " ";
-    display: table;
-    clear: both;
-  }
-}
-
+    display: table; }
+  .navbar:after {
+    clear: both; }
+  @media (min-width: 768px) {
+    .navbar {
+      border-radius: 0; } }
+
+.navbar-header:before, .navbar-header:after {
+  content: " ";
+  display: table; }
+.navbar-header:after {
+  clear: both; }
 @media (min-width: 768px) {
   .navbar-header {
-    float: left;
-  }
-}
+    float: left; } }
 
 .navbar-collapse {
   overflow-x: visible;
@@ -6378,143 +3720,92 @@ a:focus {
   padding-left: 20px;
   border-top: 1px solid transparent;
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1);
-  -webkit-overflow-scrolling: touch;
-
-  &:before {
+  -webkit-overflow-scrolling: touch; }
+  .navbar-collapse:before, .navbar-collapse:after {
     content: " ";
-    display: table;
-  }
-
-  &:after {
-    content: " ";
-    display: table;
-    clear: both;
-  }
-
-  &.in {
-    overflow-y: auto;
-  }
-}
-
-@media (min-width: 768px) {
-  .navbar-collapse {
-    width: auto;
-    border-top: 0;
-    box-shadow: none;
-
-    &.collapse {
-      display: block !important;
-      height: auto !important;
-      padding-bottom: 0;
-      overflow: visible !important;
-    }
-
-    &.in {
-      overflow-y: visible;
-    }
-  }
-
-  .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
-    padding-left: 0;
-    padding-right: 0;
-  }
-}
-
-.navbar-fixed-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
-  max-height: 340px;
-}
-
-@media (max-width: 480px) and (orientation: landscape) {
-  .navbar-fixed-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
-    max-height: 200px;
-  }
-}
-
-.container > {
-  .navbar-header, .navbar-collapse {
-    margin-right: -20px;
-    margin-left: -20px;
-  }
-}
-
-.container-fluid > {
-  .navbar-header, .navbar-collapse {
-    margin-right: -20px;
-    margin-left: -20px;
-  }
-}
-
-@media (min-width: 768px) {
-  .container > {
-    .navbar-header, .navbar-collapse {
-      margin-right: 0;
-      margin-left: 0;
-    }
-  }
-
-  .container-fluid > {
-    .navbar-header, .navbar-collapse {
+    display: table; }
+  .navbar-collapse:after {
+    clear: both; }
+  .navbar-collapse.in {
+    overflow-y: auto; }
+  @media (min-width: 768px) {
+    .navbar-collapse {
+      width: auto;
+      border-top: 0;
+      box-shadow: none; }
+      .navbar-collapse.collapse {
+        display: block !important;
+        height: auto !important;
+        padding-bottom: 0;
+        overflow: visible !important; }
+      .navbar-collapse.in {
+        overflow-y: visible; }
+      .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+        padding-left: 0;
+        padding-right: 0; } }
+
+.navbar-fixed-top .navbar-collapse,
+.navbar-fixed-bottom .navbar-collapse {
+  max-height: 340px; }
+  @media (max-width: 480px) and (orientation: landscape) {
+    .navbar-fixed-top .navbar-collapse,
+    .navbar-fixed-bottom .navbar-collapse {
+      max-height: 200px; } }
+
+.container > .navbar-header,
+.container > .navbar-collapse,
+.container-fluid > .navbar-header,
+.container-fluid > .navbar-collapse {
+  margin-right: -20px;
+  margin-left: -20px; }
+  @media (min-width: 768px) {
+    .container > .navbar-header,
+    .container > .navbar-collapse,
+    .container-fluid > .navbar-header,
+    .container-fluid > .navbar-collapse {
       margin-right: 0;
-      margin-left: 0;
-    }
-  }
-}
+      margin-left: 0; } }
 
 .navbar-static-top {
   z-index: 1000;
-  border-width: 0 0 1px;
-}
-
-@media (min-width: 768px) {
-  .navbar-static-top {
-    border-radius: 0;
-  }
-}
+  border-width: 0 0 1px; }
+  @media (min-width: 768px) {
+    .navbar-static-top {
+      border-radius: 0; } }
 
-.navbar-fixed-top, .navbar-fixed-bottom {
+.navbar-fixed-top,
+.navbar-fixed-bottom {
   position: fixed;
   right: 0;
   left: 0;
   z-index: 1030;
   -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0);
-}
-
-@media (min-width: 768px) {
-  .navbar-fixed-top, .navbar-fixed-bottom {
-    border-radius: 0;
-  }
-}
+  transform: translate3d(0, 0, 0); }
+  @media (min-width: 768px) {
+    .navbar-fixed-top,
+    .navbar-fixed-bottom {
+      border-radius: 0; } }
 
 .navbar-fixed-top {
   top: 0;
-  border-width: 0 0 1px;
-}
+  border-width: 0 0 1px; }
 
 .navbar-fixed-bottom {
   bottom: 0;
   margin-bottom: 0;
-  border-width: 1px 0 0;
-}
+  border-width: 1px 0 0; }
 
 .navbar-brand {
   float: left;
   padding: 15px 20px;
   font-size: 18px;
-  height: 50px;
-
-  &:hover, &:focus {
-    text-decoration: none;
-  }
-}
+  height: 50px; }
+  .navbar-brand:hover, .navbar-brand:focus {
+    text-decoration: none; }
 
-@media (min-width: 768px) {
-  .navbar > {
-    .container .navbar-brand, .container-fluid .navbar-brand {
-      margin-left: -20px;
-    }
-  }
-}
+  @media (min-width: 768px) {
+    .navbar > .container .navbar-brand, .navbar > .container-fluid .navbar-brand {
+      margin-left: -20px; } }
 
 .navbar-toggle {
   position: relative;
@@ -6526,94 +3817,60 @@ a:focus {
   background-color: transparent;
   background-image: none;
   border: 1px solid transparent;
-  border-radius: 3px;
-
-  &:focus {
-    outline: 0;
-  }
-
-  .icon-bar {
+  border-radius: 3px; }
+  .navbar-toggle:focus {
+    outline: 0; }
+  .navbar-toggle .icon-bar {
     display: block;
     width: 22px;
     height: 2px;
-    border-radius: 1px;
-
-    + .icon-bar {
-      margin-top: 4px;
-    }
-  }
-}
-
-@media (min-width: 768px) {
-  .navbar-toggle {
-    display: none;
-  }
-}
+    border-radius: 1px; }
+  .navbar-toggle .icon-bar + .icon-bar {
+    margin-top: 4px; }
+  @media (min-width: 768px) {
+    .navbar-toggle {
+      display: none; } }
 
 .navbar-nav {
-  margin: 7.5px -20px;
-
-  > li > a {
+  margin: 7.5px -20px; }
+  .navbar-nav > li > a {
     padding-top: 10px;
     padding-bottom: 10px;
-    line-height: 20px;
-  }
-}
-
-@media (max-width: 767px) {
-  .navbar-nav .open .dropdown-menu {
-    position: static;
-    float: none;
-    width: auto;
-    margin-top: 0;
-    background-color: transparent;
-    border: 0;
-    box-shadow: none;
-
-    > li > a, .dropdown-header {
-      padding: 5px 15px 5px 25px;
-    }
-
-    > li > a {
-      line-height: 20px;
-
-      &:hover, &:focus {
-        background-image: none;
-      }
-    }
-  }
-}
-
-@media (min-width: 768px) {
-  .navbar-nav {
-    float: left;
-    margin: 0;
-
-    > li {
+    line-height: 20px; }
+  @media (max-width: 767px) {
+    .navbar-nav .open .dropdown-menu {
+      position: static;
+      float: none;
+      width: auto;
+      margin-top: 0;
+      background-color: transparent;
+      border: 0;
+      box-shadow: none; }
+      .navbar-nav .open .dropdown-menu > li > a,
+      .navbar-nav .open .dropdown-menu .dropdown-header {
+        padding: 5px 15px 5px 25px; }
+      .navbar-nav .open .dropdown-menu > li > a {
+        line-height: 20px; }
+        .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-nav .open .dropdown-menu > li > a:focus {
+          background-image: none; } }
+  @media (min-width: 768px) {
+    .navbar-nav {
       float: left;
-
-      > a {
-        padding-top: 15px;
-        padding-bottom: 15px;
-      }
-    }
-
-    &.navbar-right:last-child {
-      margin-right: -20px;
-    }
-  }
-}
+      margin: 0; }
+      .navbar-nav > li {
+        float: left; }
+        .navbar-nav > li > a {
+          padding-top: 15px;
+          padding-bottom: 15px; }
+      .navbar-nav.navbar-right:last-child {
+        margin-right: -20px; } }
 
 @media (min-width: 768px) {
   .navbar-left {
-    float: left !important;
-  }
+    float: left !important; }
 
   .navbar-right {
-    float: right !important;
-  }
-}
-
+    float: right !important; } }
 .navbar-form {
   margin-left: -20px;
   margin-right: -20px;
@@ -6623,613 +3880,306 @@ a:focus {
   -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);
   margin-top: 8px;
-  margin-bottom: 8px;
-}
-
-@media (max-width: 767px) {
-  .navbar-form .form-group {
-    margin-bottom: 5px;
-  }
-}
-
-@media (min-width: 768px) {
-  .navbar-form {
-    width: auto;
-    border: 0;
-    margin-left: 0;
-    margin-right: 0;
-    padding-top: 0;
-    padding-bottom: 0;
-    -webkit-box-shadow: none;
-    box-shadow: none;
-
-    &.navbar-right:last-child {
-      margin-right: -20px;
-    }
-  }
-}
+  margin-bottom: 8px; }
+  @media (max-width: 767px) {
+    .navbar-form .form-group {
+      margin-bottom: 5px; } }
+  @media (min-width: 768px) {
+    .navbar-form {
+      width: auto;
+      border: 0;
+      margin-left: 0;
+      margin-right: 0;
+      padding-top: 0;
+      padding-bottom: 0;
+      -webkit-box-shadow: none;
+      box-shadow: none; }
+      .navbar-form.navbar-right:last-child {
+        margin-right: -20px; } }
 
 .navbar-nav > li > .dropdown-menu {
   margin-top: 0;
-  border-top-right-radius: 0;
-  border-top-left-radius: 0;
-}
-
-.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
-  border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0;
-}
-
-.navbar-btn {
-  margin-top: 8px;
-  margin-bottom: 8px;
-
-  &.btn-sm {
-    margin-top: 10px;
-    margin-bottom: 10px;
-  }
-}
-
-.btn-group-sm > .navbar-btn.btn {
-  margin-top: 10px;
-  margin-bottom: 10px;
-}
-
-.navbar-btn.btn-xs, .btn-group-xs > .navbar-btn.btn {
-  margin-top: 14px;
-  margin-bottom: 14px;
-}
-
-.navbar-text {
-  margin-top: 15px;
-  margin-bottom: 15px;
-}
-
-@media (min-width: 768px) {
-  .navbar-text {
-    float: left;
-    margin-left: 20px;
-    margin-right: 20px;
-
-    &.navbar-right:last-child {
-      margin-right: 0;
-    }
-  }
-}
-
-.navbar-default {
-  background-color: transparent;
-  border-color: none;
-
-  .navbar-brand {
-    color: #F7F7F7;
-
-    &:hover, &:focus {
-      color: #dedede;
-      background-color: transparent;
-    }
-  }
-
-  .navbar-text {
-    color: #F7F7F7;
-  }
-
-  .navbar-nav > {
-    li > a {
-      color: #F7F7F7;
-
-      &:hover, &:focus {
-        color: #FF7E25;
-        background-color: transparent;
-      }
-    }
-
-    .active > a {
-      color: #555;
-      background-color: #2b2b2b;
-
-      &:hover, &:focus {
-        color: #555;
-        background-color: #2b2b2b;
-      }
-    }
-
-    .disabled > a {
-      color: #ccc;
-      background-color: transparent;
-
-      &:hover, &:focus {
-        color: #ccc;
-        background-color: transparent;
-      }
-    }
-  }
-
-  .navbar-toggle {
-    border-color: #FFF;
-
-    &:hover, &:focus {
-      background-color: #555;
-    }
-
-    .icon-bar {
-      background-color: #FFF;
-    }
-  }
-
-  .navbar-nav > .open > a {
-    background-color: #2b2b2b;
-    color: #555;
-
-    &:hover, &:focus {
-      background-color: #2b2b2b;
-      color: #555;
-    }
-  }
-
-  .navbar-link {
-    color: #F7F7F7;
-
-    &:hover {
-      color: #FF8B00;
-    }
-  }
-
-  .btn-link {
-    color: #F7F7F7;
-
-    &:hover, &:focus {
-      color: #FF8B00;
-    }
-
-    &[disabled] {
-      &:hover, &:focus {
-        color: #ccc;
-      }
-    }
-  }
-}
-
-@media (max-width: 767px) {
-  .navbar-default .navbar-nav .open .dropdown-menu > {
-    li > a {
-      color: #F7F7F7;
-
-      &:hover, &:focus {
-        color: #FF8B00;
-        background-color: transparent;
-      }
-    }
-
-    .active > a {
-      color: #555;
-      background-color: #2b2b2b;
+  border-top-right-radius: 0;
+  border-top-left-radius: 0; }
 
-      &:hover, &:focus {
-        color: #555;
-        background-color: #2b2b2b;
-      }
-    }
+.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
+  border-bottom-right-radius: 0;
+  border-bottom-left-radius: 0; }
 
-    .disabled > a {
-      color: #ccc;
-      background-color: transparent;
+.navbar-btn {
+  margin-top: 8px;
+  margin-bottom: 8px; }
+  .navbar-btn.btn-sm, .btn-group-sm > .navbar-btn.btn {
+    margin-top: 10px;
+    margin-bottom: 10px; }
+  .navbar-btn.btn-xs, .btn-group-xs > .navbar-btn.btn {
+    margin-top: 14px;
+    margin-bottom: 14px; }
 
-      &:hover, &:focus {
-        color: #ccc;
-        background-color: transparent;
-      }
-    }
-  }
-}
+.navbar-text {
+  margin-top: 15px;
+  margin-bottom: 15px; }
+  @media (min-width: 768px) {
+    .navbar-text {
+      float: left;
+      margin-left: 20px;
+      margin-right: 20px; }
+      .navbar-text.navbar-right:last-child {
+        margin-right: 0; } }
 
-fieldset[disabled] .navbar-default .btn-link {
-  &:hover, &:focus {
+.navbar-default {
+  background-color: transparent;
+  border-color: none; }
+  .navbar-default .navbar-brand {
+    color: #F7F7F7; }
+    .navbar-default .navbar-brand:hover, .navbar-default .navbar-brand:focus {
+      color: #dedede;
+      background-color: transparent; }
+  .navbar-default .navbar-text {
+    color: #F7F7F7; }
+  .navbar-default .navbar-nav > li > a {
+    color: #F7F7F7; }
+    .navbar-default .navbar-nav > li > a:hover, .navbar-default .navbar-nav > li > a:focus {
+      color: #FF6E05;
+      background-color: transparent; }
+
+  .navbar-default .navbar-nav > .active > a, .navbar-default .navbar-nav > .active > a:hover, .navbar-default .navbar-nav > .active > a:focus {
+    color: #555;
+    background-color: #2b2b2b; }
+  .navbar-default .navbar-nav > .disabled > a, .navbar-default .navbar-nav > .disabled > a:hover, .navbar-default .navbar-nav > .disabled > a:focus {
     color: #ccc;
-  }
-}
+    background-color: transparent; }
+  .navbar-default .navbar-toggle {
+    border-color: #FFF; }
+    .navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus {
+      background-color: #555; }
+    .navbar-default .navbar-toggle .icon-bar {
+      background-color: #FFF; }
+	.navbar-default .navbar-nav > .open > a, .navbar-default .navbar-nav > .open > a:hover, .navbar-default .navbar-nav > .open > a:focus {
+    background-color: #2b2b2b;
+    color: #555; }
+  @media (max-width: 767px) {
+    .navbar-default .navbar-nav .open .dropdown-menu > li > a {
+      color: #F7F7F7; }
+      .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {
+        color: #FF8B00;
+        background-color: transparent; }
+ .navbar-default .navbar-nav .open .dropdown-menu > .active > a, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus {
+      color: #555;
+      background-color: #2b2b2b; }
+    .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+      color: #ccc;
+      background-color: transparent; } }
+  .navbar-default .navbar-link {
+    color: #F7F7F7; }
+    .navbar-default .navbar-link:hover {
+      color: #FF8B00; }
+  .navbar-default .btn-link {
+    color: #F7F7F7; }
+    .navbar-default .btn-link:hover, .navbar-default .btn-link:focus {
+      color: #FF8B00; }
+    .navbar-default .btn-link[disabled]:hover, .navbar-default .btn-link[disabled]:focus, fieldset[disabled] .navbar-default .btn-link:hover, fieldset[disabled] .navbar-default .btn-link:focus {
+      color: #ccc; }
 
 .navbar-inverse {
   background-color: #222;
-  border-color: #090909;
-
-  .navbar-brand {
-    color: #777777;
-
-    &:hover, &:focus {
+  border-color: #090909; }
+  .navbar-inverse .navbar-brand {
+    color: #777777; }
+    .navbar-inverse .navbar-brand:hover, .navbar-inverse .navbar-brand:focus {
       color: #fff;
-      background-color: transparent;
-    }
-  }
-
-  .navbar-text {
-    color: #777777;
-  }
-
-  .navbar-nav > {
-    li > a {
-      color: #777777;
+      background-color: transparent; }
 
-      &:hover, &:focus {
-        color: #fff;
-        background-color: transparent;
-      }
-    }
-
-    .active > a {
+  .navbar-inverse .navbar-text {
+    color: #777777; }
+  .navbar-inverse .navbar-nav > li > a {
+    color: #777777; }
+    .navbar-inverse .navbar-nav > li > a:hover, .navbar-inverse .navbar-nav > li > a:focus {
       color: #fff;
-      background-color: #090909;
-
-      &:hover, &:focus {
-        color: #fff;
-        background-color: #090909;
-      }
-    }
-
-    .disabled > a {
-      color: #3e3e3e;
-      background-color: transparent;
-
-      &:hover, &:focus {
-        color: #3e3e3e;
-        background-color: transparent;
-      }
-    }
-  }
-
-  .navbar-toggle {
-    border-color: #2d2d2d;
-
-    &:hover, &:focus {
-      background-color: #2d2d2d;
-    }
-
-    .icon-bar {
-      background-color: #fff;
-    }
-  }
-
-  .navbar-collapse, .navbar-form {
-    border-color: #101010;
-  }
-
-  .navbar-nav > .open > a {
-    background-color: #090909;
+      background-color: transparent; }
+  .navbar-inverse .navbar-nav > .active > a, .navbar-inverse .navbar-nav > .active > a:hover, .navbar-inverse .navbar-nav > .active > a:focus {
     color: #fff;
+    background-color: #090909; }
+  .navbar-inverse .navbar-nav > .disabled > a, .navbar-inverse .navbar-nav > .disabled > a:hover, .navbar-inverse .navbar-nav > .disabled > a:focus {
+    color: #3e3e3e;
+    background-color: transparent; }
+  .navbar-inverse .navbar-toggle {
+    border-color: #2d2d2d; }
+    .navbar-inverse .navbar-toggle:hover, .navbar-inverse .navbar-toggle:focus {
+      background-color: #2d2d2d; }
+
+    .navbar-inverse .navbar-toggle .icon-bar {
+      background-color: #fff; }
+  .navbar-inverse .navbar-collapse,
+  .navbar-inverse .navbar-form {
+    border-color: #101010; }
+  .navbar-inverse .navbar-nav > .open > a, .navbar-inverse .navbar-nav > .open > a:hover, .navbar-inverse .navbar-nav > .open > a:focus {
+    background-color: #090909;
+    color: #fff; }
+  @media (max-width: 767px) {
+    .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {
+      border-color: #090909; }
+    .navbar-inverse .navbar-nav .open .dropdown-menu .divider {
+      background-color: #090909; }
+    .navbar-inverse .navbar-nav .open .dropdown-menu > li > a {
+      color: #777777; }
+      .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {
+        color: #fff;
+        background-color: transparent; }
 
-    &:hover, &:focus {
-      background-color: #090909;
-      color: #fff;
-    }
-  }
-
-  .navbar-link {
-    color: #777777;
-
-    &:hover {
+ .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {
       color: #fff;
-    }
-  }
-
-  .btn-link {
-    color: #777777;
+      background-color: #090909; }
 
-    &:hover, &:focus {
-      color: #fff;
-    }
-
-    &[disabled] {
-      &:hover, &:focus {
-        color: #3e3e3e;
-      }
-    }
-  }
-}
+    .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+      color: #3e3e3e;
+      background-color: transparent; } }
 
-@media (max-width: 767px) {
-  .navbar-inverse .navbar-nav .open .dropdown-menu {
-    > .dropdown-header {
-      border-color: #090909;
-    }
-
-    .divider {
-      background-color: #090909;
-    }
-
-    > {
-      li > a {
-        color: #777777;
-
-        &:hover, &:focus {
-          color: #fff;
-          background-color: transparent;
-        }
-      }
-
-      .active > a {
-        color: #fff;
-        background-color: #090909;
-
-        &:hover, &:focus {
-          color: #fff;
-          background-color: #090909;
-        }
-      }
-
-      .disabled > a {
-        color: #3e3e3e;
-        background-color: transparent;
-
-        &:hover, &:focus {
-          color: #3e3e3e;
-          background-color: transparent;
-        }
-      }
-    }
-  }
-}
+  .navbar-inverse .navbar-link {
+    color: #777777; }
+    .navbar-inverse .navbar-link:hover {
+      color: #fff; }
+  .navbar-inverse .btn-link {
+    color: #777777; }
+    .navbar-inverse .btn-link:hover, .navbar-inverse .btn-link:focus {
+      color: #fff; }
 
-fieldset[disabled] .navbar-inverse .btn-link {
-  &:hover, &:focus {
-    color: #3e3e3e;
-  }
-}
+    .navbar-inverse .btn-link[disabled]:hover, .navbar-inverse .btn-link[disabled]:focus, fieldset[disabled] .navbar-inverse .btn-link:hover, fieldset[disabled] .navbar-inverse .btn-link:focus {
+      color: #3e3e3e; }
 
 .breadcrumb {
   padding: 8px 15px;
   margin-bottom: 20px;
   list-style: none;
   background-color: #f5f5f5;
-  border-radius: 3px;
-
-  > {
-    li {
-      display: inline-block;
-
-      + li:before {
-        content: "/ ";
-        padding: 0 5px;
-        color: #ccc;
-      }
-    }
-
-    .active {
-      color: #777777;
-    }
-  }
-}
+  border-radius: 3px; }
+  .breadcrumb > li {
+    display: inline-block; }
+    .breadcrumb > li + li:before {
+      content: "/ ";
+      padding: 0 5px;
+      color: #ccc; }
+  .breadcrumb > .active {
+    color: #777777; }
 
 .pagination {
   display: inline-block;
   padding-left: 0;
   margin: 20px 0;
-  border-radius: 3px;
-
-  > {
-    li {
-      display: inline;
-
-      > {
-        a, span {
-          position: relative;
-          float: left;
-          padding: 6px 12px;
-          line-height: 1.428571429;
-          text-decoration: none;
-          color: #FFFFFF;
-          background-color: #427795;
-          border: 1px solid rgba(23, 44, 56, 0.4);
-          margin-left: -1px;
-          cursor: pointer;
-        }
-      }
-
-      &:first-child > {
-        a, span {
-          margin-left: 0;
-          border-bottom-left-radius: 3px;
-          border-top-left-radius: 3px;
-        }
-      }
-
-      &:last-child > {
-        a, span {
-          border-bottom-right-radius: 3px;
-          border-top-right-radius: 3px;
-        }
-      }
-
-      > {
-        a {
-          &:hover, &:focus {
-            color: #FFFFFF;
-            background-color: #FF7E25;
-          }
-        }
-
-        span {
-          &:hover, &:focus {
-            color: #FFFFFF;
-            background-color: #FF7E25;
-          }
-        }
-      }
-    }
-
-    .active > {
-      a {
-        z-index: 2;
-        color: #FFFFFF;
-        background-color: #FF7E25;
-        cursor: default;
-
-        &:hover, &:focus {
-          z-index: 2;
-          color: #FFFFFF;
-          background-color: #FF7E25;
-          cursor: default;
-        }
-      }
-
-      span {
-        z-index: 2;
-        color: #FFFFFF;
-        background-color: #FF7E25;
-        cursor: default;
-
-        &:hover, &:focus {
-          z-index: 2;
-          color: #FFFFFF;
-          background-color: #FF7E25;
-          cursor: default;
-        }
-      }
-    }
-
-    .disabled > {
-      span {
-        color: #000;
-        background-color: #e3e3e3;
-        cursor: not-allowed;
-
-        &:hover, &:focus {
-          color: #000;
-          background-color: #e3e3e3;
-          cursor: not-allowed;
-        }
-      }
-
-      a {
-        color: #000;
-        background-color: #e3e3e3;
-        cursor: not-allowed;
-
-        &:hover, &:focus {
-          color: #000;
-          background-color: #e3e3e3;
-          cursor: not-allowed;
-        }
-      }
-    }
-  }
-}
-
-.pagination-lg > li {
-  > {
-    a, span {
-      padding: 10px 16px;
-      font-size: 18px;
-    }
-  }
-
-  &:first-child > {
-    a, span {
-      border-bottom-left-radius: 6px;
-      border-top-left-radius: 6px;
-    }
-  }
-
-  &:last-child > {
-    a, span {
-      border-bottom-right-radius: 6px;
-      border-top-right-radius: 6px;
-    }
-  }
-}
+  border-radius: 3px; }
+  .pagination > li {
+    display: inline; }
+    .pagination > li > a,
+    .pagination > li > span {
+      position: relative;
+      float: left;
+      padding: 6px 12px;
+      line-height: 1.428571429;
+      text-decoration: none;
+      color: #FFF;
+      background-color: #45565f;
+      border: 1px solid rgba(23, 44, 56, 0.4);
+      margin-left: -1px;
+      cursor: pointer; }
+    .pagination > li:first-child > a,
+    .pagination > li:first-child > span {
+      margin-left: 0;
+      border-bottom-left-radius: 3px;
+      border-top-left-radius: 3px; }
+    .pagination > li:last-child > a,
+    .pagination > li:last-child > span {
+      border-bottom-right-radius: 3px;
+      border-top-right-radius: 3px; }
+  .pagination > li > a:hover, .pagination > li > a:focus,
+  .pagination > li > span:hover,
+  .pagination > li > span:focus {
+    color: #FFFFFF;
+    background-color: #FF6E05; }
 
-.pagination-sm > li {
-  > {
-    a, span {
-      padding: 5px 10px;
-      font-size: 12px;
-    }
-  }
+  .pagination > .active > a, .pagination > .active > a:hover, .pagination > .active > a:focus,
+  .pagination > .active > span,
+  .pagination > .active > span:hover,
+  .pagination > .active > span:focus {
+    z-index: 2;
+    color: #FFFFFF;
+    background-color: #FF6E05;
+    cursor: default; }
+
+  .pagination > .disabled > span,
+  .pagination > .disabled > span:hover,
+  .pagination > .disabled > span:focus,
+  .pagination > .disabled > a,
+  .pagination > .disabled > a:hover,
+  .pagination > .disabled > a:focus {
+    color: #000;
+    background-color: #e3e3e3;
+    cursor: not-allowed; }
 
-  &:first-child > {
-    a, span {
-      border-bottom-left-radius: 3px;
-      border-top-left-radius: 3px;
-    }
-  }
 
-  &:last-child > {
-    a, span {
-      border-bottom-right-radius: 3px;
-      border-top-right-radius: 3px;
-    }
-  }
-}
+.pagination-lg > li > a,
+.pagination-lg > li > span {
+  padding: 10px 16px;
+  font-size: 18px; }
+.pagination-lg > li:first-child > a,
+.pagination-lg > li:first-child > span {
+  border-bottom-left-radius: 6px;
+  border-top-left-radius: 6px; }
+.pagination-lg > li:last-child > a,
+.pagination-lg > li:last-child > span {
+  border-bottom-right-radius: 6px;
+  border-top-right-radius: 6px; }
+
+.pagination-sm > li > a,
+.pagination-sm > li > span {
+  padding: 5px 10px;
+  font-size: 12px; }
+.pagination-sm > li:first-child > a,
+.pagination-sm > li:first-child > span {
+  border-bottom-left-radius: 3px;
+  border-top-left-radius: 3px; }
+.pagination-sm > li:last-child > a,
+.pagination-sm > li:last-child > span {
+  border-bottom-right-radius: 3px;
+  border-top-right-radius: 3px; }
 
 .pager {
   padding-left: 0;
   margin: 20px 0;
   list-style: none;
-  text-align: center;
-
-  &:before {
-    content: " ";
-    display: table;
-  }
-
-  &:after {
+  text-align: center; }
+  .pager:before, .pager:after {
     content: " ";
-    display: table;
-    clear: both;
-  }
-
-  li {
-    display: inline;
-
-    > {
-      a, span {
-        display: inline-block;
-        padding: 5px 14px;
-        background-color: #fff;
-        border: 1px solid #ddd;
-        border-radius: 15px;
-      }
-
-      a {
-        &:hover, &:focus {
-          text-decoration: none;
-          background-color: #eeeeee;
-        }
-      }
-    }
-  }
-
-  .next > {
-    a, span {
-      float: right;
-    }
-  }
-
-  .previous > {
-    a, span {
-      float: left;
-    }
-  }
-
-  .disabled > {
-    a {
-      color: #777777;
+    display: table; }
+  .pager:after {
+    clear: both; }
+  .pager li {
+    display: inline; }
+    .pager li > a,
+    .pager li > span {
+      display: inline-block;
+      padding: 5px 14px;
       background-color: #fff;
-      cursor: not-allowed;
-
-      &:hover, &:focus {
-        color: #777777;
-        background-color: #fff;
-        cursor: not-allowed;
-      }
-    }
+      border: 1px solid #ddd;
+      border-radius: 15px; }
+    .pager li > a:hover,
+    .pager li > a:focus {
+      text-decoration: none;
+      background-color: #eeeeee; }
+
+  .pager .next > a,
+  .pager .next > span {
+    float: right; }
+  .pager .previous > a,
+  .pager .previous > span {
+    float: left; }
+  .pager .disabled > a,
+  .pager .disabled > a:hover,
+  .pager .disabled > a:focus,
+  .pager .disabled > span {
+    color: #777777;
+    background-color: #fff;
+    cursor: not-allowed; }
 
-    span {
-      color: #777777;
-      background-color: #fff;
-      cursor: not-allowed;
-    }
-  }
-}
 
 .label {
   display: inline;
@@ -7241,91 +4191,60 @@ fieldset[disabled] .navbar-inverse .btn-link {
   text-align: center;
   white-space: nowrap;
   vertical-align: baseline;
-  border-radius: .25em;
-
-  &:empty {
-    display: none;
-  }
-}
+  border-radius: .25em; }
+  .label:empty {
+    display: none; }
+  .btn .label {
+    position: relative;
+    top: -1px; }
 
-.btn .label {
-  position: relative;
-  top: -1px;
-}
+a.label:hover, a.label:focus {
+  color: #fff;
+  text-decoration: none;
+  cursor: pointer; }
 
-a.label {
-  &:hover, &:focus {
-    color: #fff;
-    text-decoration: none;
-    cursor: pointer;
-  }
-}
 
 .label-default {
-  background-color: #777777;
-
-  &[href] {
-    &:hover, &:focus {
-      background-color: #5e5e5e;
-      border-color: #323232;
-    }
-  }
-}
+  background-color: #777777; }
+  .label-default[href]:hover, .label-default[href]:focus {
+    background-color: #5e5e5e;
+	border-color: #323232;}
+
 
 .label-primary {
-  background-color: #FF8B00;
+  background-color: #FF8B00; }
+  .label-primary[href]:hover, .label-primary[href]:focus {
+    background-color: #b85904; }
 
-  &[href] {
-    &:hover, &:focus {
-      background-color: #b85904;
-    }
-  }
-}
 
 .label-success {
-  background-color: #4FB654;
-  border-color: #323232;
-
-  &[href] {
-    &:hover, &:focus {
-      background-color: #7fc54f;
-      border-color: #323232;
-    }
-  }
-}
+  background-color: #397E37;
+  border-color: #323232;}
+  .label-success[href]:hover, .label-success[href]:focus {
+    background-color: #7fc54f;
+	border-color: #323232;	}
+
 
 .label-info {
-  background-color: #B0CDDB;
+  background-color: #B0CDDB; }
+  .label-info[href]:hover, .label-info[href]:focus {
+    background-color: #8db7cb;
+	border-color: #323232;	}
 
-  &[href] {
-    &:hover, &:focus {
-      background-color: #8db7cb;
-      border-color: #323232;
-    }
-  }
-}
 
 .label-warning {
-  background-color: #f0ad4e;
-
-  &[href] {
-    &:hover, &:focus {
-      background-color: #ec971f;
-      border-color: #323232;
-    }
-  }
-}
+  background-color: #f0ad4e; }
+  .label-warning[href]:hover, .label-warning[href]:focus {
+    background-color: #ec971f;
+	border-color: #323232;}
+
 
 .label-danger {
-  background-color: #DA4829;
-
-  &[href] {
-    &:hover, &:focus {
-      background-color: #ec2121;
-      border-color: #323232;
-    }
-  }
-}
+  background-color: #DA4829; }
+  .label-danger[href]:hover, .label-danger[href]:focus {
+    background-color: #ec2121;
+	border-color: #323232;}
+
 
 .badge {
   display: inline-block;
@@ -7338,94 +4257,56 @@ a.label {
   vertical-align: baseline;
   white-space: nowrap;
   text-align: center;
-  background-color: #777777;
-  border-radius: 10px;
-
-  &:empty {
-    display: none;
-  }
-}
-
-.btn .badge {
-  position: relative;
-  top: -1px;
-}
-
-.btn-xs .badge, .btn-group-xs > .btn .badge {
-  top: 0;
-  padding: 1px 5px;
-}
-
-a.list-group-item.active > .badge {
-  color: #FF8B00;
-  background-color: #fff;
-}
-
-.nav-pills > {
-  .active > a > .badge {
+  background-color: #ff6e05;
+  border-radius: 10px; }
+  .badge:empty {
+    display: none; }
+  .btn .badge {
+    position: relative;
+    top: -1px; }
+  .btn-xs .badge, .btn-group-xs > .btn .badge {
+    top: 0;
+    padding: 1px 5px; }
+  a.list-group-item.active > .badge, .nav-pills > .active > a > .badge {
     color: #FF8B00;
-    background-color: #fff;
-  }
+    background-color: #fff; }
+  .nav-pills > li > a > .badge {
+    margin-left: 3px; }
 
-  li > a > .badge {
-    margin-left: 3px;
-  }
-}
+a.badge:hover, a.badge:focus {
+  color: #fff;
+  text-decoration: none;
+  cursor: pointer; }
 
-a.badge {
-  &:hover, &:focus {
-    color: #fff;
-    text-decoration: none;
-    cursor: pointer;
-  }
-}
 
 .jumbotron {
   padding: 30px;
   margin-bottom: 30px;
   color: inherit;
-  background-color: #eeeeee;
-
-  h1, .h1 {
-    color: inherit;
-  }
-
-  p {
+  background-color: #eeeeee; }
+  .jumbotron h1,
+  .jumbotron .h1 {
+    color: inherit; }
+  .jumbotron p {
     margin-bottom: 15px;
     font-size: 21px;
-    font-weight: 200;
-  }
-
-  > hr {
-    border-top-color: #d5d5d5;
-  }
-}
-
-.container .jumbotron {
-  border-radius: 6px;
-}
-
-.jumbotron .container {
-  max-width: 100%;
-}
-
-@media screen and (min-width: 768px) {
-  .jumbotron {
-    padding-top: 48px;
-    padding-bottom: 48px;
-  }
-
+    font-weight: 200; }
+  .jumbotron > hr {
+    border-top-color: #d5d5d5; }
   .container .jumbotron {
-    padding-left: 60px;
-    padding-right: 60px;
-  }
-
-  .jumbotron {
-    h1, .h1 {
-      font-size: 63px;
-    }
-  }
-}
+    border-radius: 6px; }
+  .jumbotron .container {
+    max-width: 100%; }
+  @media screen and (min-width: 768px) {
+    .jumbotron {
+      padding-top: 48px;
+      padding-bottom: 48px; }
+      .container .jumbotron {
+        padding-left: 60px;
+        padding-right: 60px; }
+      .jumbotron h1,
+      .jumbotron .h1 {
+        font-size: 63px; } }
 
 .thumbnail {
   display: block;
@@ -7437,1115 +4318,635 @@ a.badge {
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
   -o-transition: all 0.2s ease-in-out;
-  transition: all 0.2s ease-in-out;
-
-  > img, a > img {
+  transition: all 0.2s ease-in-out; }
+  .thumbnail > img,
+  .thumbnail a > img {
     display: block;
     width: 100% \9;
     max-width: 100%;
     height: auto;
     margin-left: auto;
-    margin-right: auto;
-  }
-
-  .caption {
+    margin-right: auto; }
+  .thumbnail .caption {
     padding: 9px;
-    color: #3C3C3B;
-  }
-}
+    color: #3C3C3B; }
+
+a.thumbnail:hover,
+a.thumbnail:focus,
+a.thumbnail.active {
+  border-color: #FF8B00; }
 
-a.thumbnail {
-  &:hover, &:focus, &.active {
-    border-color: #FF8B00;
-  }
-}
 
 .alert {
   padding: 15px;
   margin-bottom: 20px;
   border: 1px solid #b0b0b0;
   border-radius: 3px;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-
-  h4 {
-    margin-top: 0;
-    color: inherit;
-  }
-
-  .alert-link {
-    font-weight: bold;
-  }
-
-  > {
-    p, ul {
-      margin-bottom: 0;
-    }
-
-    p + p {
-      margin-top: 5px;
-    }
-  }
-}
-
-.alert-dismissable, .alert-dismissible {
-  padding-right: 35px;
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
 }
 
-.alert-dismissable .close, .alert-dismissible .close {
-  position: relative;
-  top: -2px;
-  right: -21px;
-  color: inherit;
-}
+  .alert h4 {
+    margin-top: 0;
+    color: inherit; }
+  .alert .alert-link {
+    font-weight: bold; }
+  .alert > p,
+  .alert > ul {
+    margin-bottom: 0; }
+  .alert > p + p {
+    margin-top: 5px; }
+
+.alert-dismissable,
+.alert-dismissible {
+  padding-right: 35px; }
+  .alert-dismissable .close,
+  .alert-dismissible .close {
+    position: relative;
+    top: -2px;
+    right: -21px;
+    color: inherit; }
 
 .alert-success {
-  background-color: #fbfbfb;
-  border-color: #a5a5a5;
-  color: #000;
-
-  hr {
-    border-top-color: #8dcc62;
-  }
-
-  .alert-link {
-    color: #72bd3e;
-  }
-}
+	background-color: #fbfbfb;
+	border-color: #a5a5a5;
+	color: #000; }
+  .alert-success hr {
+    border-top-color: #8dcc62; }
+  .alert-success .alert-link {
+    color: #72bd3e; }
 
 .alert-info {
-  background-color: #fbfbfb;
-  border-color: #a5a5a5;
-  color: #000;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-
-  hr {
-    border-top-color: #DA4829;
-  }
-
-  .alert-link {
-    color: #DA4829;
-  }
+	background-color: #fbfbfb;
+	border-color: #a5a5a5;
+	color: #000;
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
 }
 
-.alert-warning {
-  background-color: #fff;
-  border: 1px solid #d12d0a;
-  color: #000;
-
-  hr {
-    border-top-color: #f7e1b5;
-  }
+  .alert-info hr {
+    border-top-color: #DA4829; }
+  .alert-info .alert-link {
+    color: #DA4829; }
 
-  .alert-link {
-    color: #df8a13;
-  }
-}
+.alert-warning {
+	background-color: #fff;
+	border: 1px solid #d12d0a;
+	color: #000;}
+  .alert-warning hr {
+    border-top-color: #f7e1b5; }
+  .alert-warning .alert-link {
+    color: #df8a13; }
 
 .alert-danger {
-  background-color: #30596f;
-  border-color: #b0b0b0;
-
-  hr {
-    border-top-color: #DA4829;
-  }
-
-  .alert-link {
-    color: #DA4829;
-  }
-}
+	background-color: #45565f;
+	border-color: #f00; }
+  .alert-danger hr {
+    border-top-color: #DA4829; }
+  .alert-danger .alert-link {
+    color: #DA4829; }
 
 @-webkit-keyframes progress-bar-stripes {
   from {
-    background-position: 40px 0;
-  }
-
+    background-position: 40px 0; }
   to {
-    background-position: 0 0;
-  }
-}
-
+    background-position: 0 0; } }
 @keyframes progress-bar-stripes {
   from {
-    background-position: 40px 0;
-  }
-
+    background-position: 40px 0; }
   to {
-    background-position: 0 0;
-  }
-}
-
+    background-position: 0 0; } }
 .progress {
   margin-bottom: 3px;
   color: #000;
   overflow: hidden;
   height: 20px;
-  background-color: #DBDBDB;
-  border-radius: 3px;
-  position: relative;
-  -webkit-box-shadow: inset 0px 1px 2px 1px rgb(172, 172, 172);
-  box-shadow: inset inset 0px 1px 2px 1px rgb(172, 172, 172);
-}
+  background-color: #EAEAEA;
+  border: 1px solid #b9b9b9;
+  position: relative; }
 
 .progress-bar {
   float: left;
   width: 0%;
   height: 100%;
   font-size: 12px;
-  line-height: 20px;
   color: #fff;
   text-align: center;
-  background-color: #FF7E25;
+  background-color: #FF6E05;
   position: relative;
   z-index: 2;
   -webkit-box-shadow: inset 0 20px 0 rgba(0, 0, 0, 0.15);
   box-shadow: inset 0 20px 0 rgba(0, 0, 0, 0.15);
   -webkit-transition: width 0.6s ease;
   -o-transition: width 0.6s ease;
-  transition: width 0.6s ease;
-  margin: 1px 0 0 0 !important;
-}
+  transition: width 0.6s ease; }
 
-.progress-striped .progress-bar, .progress-bar-striped {
+.progress-striped .progress-bar,
+.progress-bar-striped {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-size: 40px 40px;
-}
+  background-size: 40px 40px; }
 
-.progress.active .progress-bar {
+.progress.active .progress-bar,
+.progress-bar.active {
   -webkit-animation: progress-bar-stripes 2s linear infinite;
   -o-animation: progress-bar-stripes 2s linear infinite;
-  animation: progress-bar-stripes 2s linear infinite;
-}
+  animation: progress-bar-stripes 2s linear infinite; }
 
-.progress-bar {
-  &.active {
-    -webkit-animation: progress-bar-stripes 2s linear infinite;
-    -o-animation: progress-bar-stripes 2s linear infinite;
-    animation: progress-bar-stripes 2s linear infinite;
-  }
-
-  &[aria-valuenow="1"], &[aria-valuenow="2"] {
-    min-width: 30px;
-  }
-
-  &[aria-valuenow="0"] {
-    color: #777777;
-    min-width: 30px;
-    background-color: transparent;
-    background-image: none;
-    box-shadow: none;
-  }
-}
+.progress-bar[aria-valuenow="1"], .progress-bar[aria-valuenow="2"] {
+  min-width: 30px; }
+.progress-bar[aria-valuenow="0"] {
+  color: #777777;
+  min-width: 30px;
+  background-color: transparent;
+  background-image: none;
+  box-shadow: none; }
 
 .progress-bar-success {
-  background-color: #4FB654;
-}
-
-.progress-striped .progress-bar-success {
-  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-}
+  background-color: #4FB654; }
+  .progress-striped .progress-bar-success {
+    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
 
 .progress-bar-info {
-  background-color: #038CCF;
-}
-
-.progress-striped .progress-bar-info {
-  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-}
+  background-color: #45565f; }
+  .progress-striped .progress-bar-info {
+    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
 
 .progress-bar-warning {
   background-color: #CCB60F;
-  color: #FFFFFF !important;
-}
-
-.progress-striped .progress-bar-warning {
-  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-}
+  color: #FFFFFF !important; }
+  .progress-striped .progress-bar-warning {
+    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
 
 .progress-bar-danger {
-  background-color: #CC2400;
-}
-
-.progress-striped .progress-bar-danger {
-  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-}
-
-.media, .media-body {
+  background-color: #CC2400; }
+  .progress-striped .progress-bar-danger {
+    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+
+.media,
+.media-body {
   overflow: hidden;
-  zoom: 1;
-}
+  zoom: 1; }
 
-.media {
-  margin-top: 15px;
-
-  .media {
-    margin-top: 15px;
-  }
+.media,
+.media .media {
+  margin-top: 15px; }
 
-  &:first-child {
-    margin-top: 0;
-  }
-}
+.media:first-child {
+  margin-top: 0; }
 
 .media-object {
-  display: block;
-}
+  display: block; }
 
 .media-heading {
-  margin: 0 0 5px;
-}
-
-.media > {
-  .pull-left {
-    margin-right: 10px;
-  }
+  margin: 0 0 5px; }
 
-  .pull-right {
-    margin-left: 10px;
-  }
-}
+.media > .pull-left {
+  margin-right: 10px; }
+.media > .pull-right {
+  margin-left: 10px; }
 
 .media-list {
   padding-left: 0;
-  list-style: none;
-}
+  list-style: none; }
 
 .list-group {
   margin-bottom: 20px;
-  padding-left: 0;
-}
+  padding-left: 0; }
 
 .list-group-item {
   position: relative;
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #294c5f;
-
-  &:last-child {
-    margin-bottom: 0;
-  }
-
-  > .badge {
-    float: right;
-
-    + .badge {
-      margin-right: 5px;
-    }
-  }
-}
+  background-color: #172c38; }
+  .list-group-item:last-child {
+    margin-bottom: 0; }
+  .list-group-item > .badge {
+    float: right; }
+  .list-group-item > .badge + .badge {
+    margin-right: 5px; }
 
 a.list-group-item {
   color: #FFFFFF;
   border-radius: 0;
-  outline: 0;
-
-  .list-group-item-heading {
-    color: #2d2d2d;
-  }
+  outline:0; }
 
-  &:hover, &:focus {
+  a.list-group-item .list-group-item-heading {
+    color: #2d2d2d; }
+  a.list-group-item:hover, a.list-group-item:focus {
     text-decoration: none;
     color: #000;
-    background-color: #FFF;
-  }
-
-  &:hover:before, &:focus:before {
-    background: #FFFFFF;
-    content: "";
-    height: 42px;
-    left: 0;
-    position: absolute;
-    top: 0;
-    width: 3px;
-  }
-}
-
-.list-group-item {
-  &.disabled {
-    background-color: #eeeeee;
-    color: #777777;
-
-    &:hover, &:focus {
-      background-color: #eeeeee;
-      color: #777777;
-    }
-
-    .list-group-item-heading, &:hover .list-group-item-heading, &:focus .list-group-item-heading {
-      color: inherit;
-    }
-
-    .list-group-item-text, &:hover .list-group-item-text, &:focus .list-group-item-text {
-      color: #777777;
-    }
-  }
-
-  &.active {
-    z-index: 2;
-
-    &:hover, &:focus {
-      z-index: 2;
-    }
+    background-color: #FFF; }
 
-    &:before, &:hover:before, &:focus:before {
-      background: #ff8b00;
-      content: "";
-      height: 42px;
-      left: 0;
-      position: absolute;
-      top: 0px;
-      width: 3px;
-    }
-
-    .list-group-item-heading {
-      color: inherit;
-
-      > {
-        small, .small {
-          color: inherit;
-        }
-      }
-    }
-
-    &:hover .list-group-item-heading {
-      color: inherit;
-
-      > {
-        small, .small {
-          color: inherit;
-        }
-      }
-    }
-
-    &:focus .list-group-item-heading {
-      color: inherit;
-
-      > {
-        small, .small {
-          color: inherit;
-        }
-      }
-    }
-
-    .list-group-item-text, &:hover .list-group-item-text, &:focus .list-group-item-text {
-      color: #fedcbd;
-    }
-
-    + .collapse > .list-group-item:before, &:hover + .collapse > .list-group-item:before, &:focus + .collapse > .list-group-item:before {
-      background: #FF8B00;
+    a.list-group-item:hover:before, a.list-group-item:focus:before {
+      background: #FFFFFF;
       content: "";
       height: 42px;
       left: 0;
       position: absolute;
-      top: 0px;
-      width: 3px;
-    }
-  }
-}
+      top: 0;
+      width: 3px; }
+
+.list-group-item.disabled, .list-group-item.disabled:hover, .list-group-item.disabled:focus {
+  background-color: #eeeeee;
+  color: #777777; }
+
+  .list-group-item.disabled .list-group-item-heading, .list-group-item.disabled:hover .list-group-item-heading, .list-group-item.disabled:focus .list-group-item-heading {
+    color: inherit; }
+
+  .list-group-item.disabled .list-group-item-text, .list-group-item.disabled:hover .list-group-item-text, .list-group-item.disabled:focus .list-group-item-text {
+    color: #777777; }
+
+.list-group-item.active, .list-group-item.active:hover, .list-group-item.active:focus {
+  z-index: 2; }
+  .list-group-item.active:before, .list-group-item.active:hover:before, .list-group-item.active:focus:before {
+    background: #ff8b00;
+    content: "";
+    height: 42px;
+    left: 0;
+    position: absolute;
+    top: 0px;
+    width: 3px; }
+
+  .list-group-item.active .list-group-item-heading,
+  .list-group-item.active .list-group-item-heading > small,
+  .list-group-item.active .list-group-item-heading > .small, .list-group-item.active:hover .list-group-item-heading,
+  .list-group-item.active:hover .list-group-item-heading > small,
+  .list-group-item.active:hover .list-group-item-heading > .small, .list-group-item.active:focus .list-group-item-heading,
+  .list-group-item.active:focus .list-group-item-heading > small,
+  .list-group-item.active:focus .list-group-item-heading > .small {
+    color: inherit; }
+  .list-group-item.active .list-group-item-text, .list-group-item.active:hover .list-group-item-text, .list-group-item.active:focus .list-group-item-text {
+    color: #fedcbd; }
+  .list-group-item.active + .collapse > .list-group-item:before, .list-group-item.active:hover + .collapse > .list-group-item:before, .list-group-item.active:focus + .collapse > .list-group-item:before {
+    background: #FF8B00;
+    content: "";
+    height: 42px;
+    left: 0;
+    position: absolute;
+    top: 0px;
+    width: 3px; }
 
 .list-group-item-success {
   color: #9BD275;
-  background-color: #9BD275;
-}
+  background-color: #9BD275; }
 
 a.list-group-item-success {
-  color: #9BD275;
-
-  .list-group-item-heading {
-    color: inherit;
-  }
-
-  &:hover, &:focus {
+  color: #9BD275; }
+  a.list-group-item-success .list-group-item-heading {
+    color: inherit; }
+  a.list-group-item-success:hover, a.list-group-item-success:focus {
     color: #9BD275;
-    background-color: #8dcc62;
-  }
-
-  &.active {
+    background-color: #8dcc62; }
+  a.list-group-item-success.active, a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
     color: #fff;
     background-color: #9BD275;
-    border-color: #9BD275;
-
-    &:hover, &:focus {
-      color: #fff;
-      background-color: #9BD275;
-      border-color: #9BD275;
-    }
-  }
-}
+    border-color: #9BD275; }
 
 .list-group-item-info {
   color: #31708f;
-  background-color: #d9edf7;
-}
+  background-color: #d9edf7; }
 
 a.list-group-item-info {
-  color: #31708f;
-
-  .list-group-item-heading {
-    color: inherit;
-  }
-
-  &:hover, &:focus {
+  color: #31708f; }
+  a.list-group-item-info .list-group-item-heading {
+    color: inherit; }
+  a.list-group-item-info:hover, a.list-group-item-info:focus {
     color: #31708f;
-    background-color: #c4e3f3;
-  }
-
-  &.active {
+    background-color: #c4e3f3; }
+  a.list-group-item-info.active, a.list-group-item-info.active:hover, a.list-group-item-info.active:focus {
     color: #fff;
     background-color: #31708f;
-    border-color: #31708f;
-
-    &:hover, &:focus {
-      color: #fff;
-      background-color: #31708f;
-      border-color: #31708f;
-    }
-  }
-}
+    border-color: #31708f; }
 
 .list-group-item-warning {
   color: #f0ad4e;
-  background-color: #fcf8e3;
-}
+  background-color: #fcf8e3; }
 
 a.list-group-item-warning {
-  color: #f0ad4e;
-
-  .list-group-item-heading {
-    color: inherit;
-  }
-
-  &:hover, &:focus {
+  color: #f0ad4e; }
+  a.list-group-item-warning .list-group-item-heading {
+    color: inherit; }
+  a.list-group-item-warning:hover, a.list-group-item-warning:focus {
     color: #f0ad4e;
-    background-color: #faf2cc;
-  }
-
-  &.active {
+    background-color: #faf2cc; }
+  a.list-group-item-warning.active, a.list-group-item-warning.active:hover, a.list-group-item-warning.active:focus {
     color: #fff;
     background-color: #f0ad4e;
-    border-color: #f0ad4e;
-
-    &:hover, &:focus {
-      color: #fff;
-      background-color: #f0ad4e;
-      border-color: #f0ad4e;
-    }
-  }
-}
+    border-color: #f0ad4e; }
 
 .list-group-item-danger {
   color: #F05050;
-  background-color: #F05050;
-}
+  background-color: #F05050; }
 
 a.list-group-item-danger {
-  color: #F05050;
-
-  .list-group-item-heading {
-    color: inherit;
-  }
-
-  &:hover, &:focus {
+  color: #F05050; }
+  a.list-group-item-danger .list-group-item-heading {
+    color: inherit; }
+  a.list-group-item-danger:hover, a.list-group-item-danger:focus {
     color: #F05050;
-    background-color: #ee3939;
-  }
-
-  &.active {
+    background-color: #ee3939; }
+  a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-group-item-danger.active:focus {
     color: #fff;
     background-color: #F05050;
-    border-color: #F05050;
-
-    &:hover, &:focus {
-      color: #fff;
-      background-color: #F05050;
-      border-color: #F05050;
-    }
-  }
-}
+    border-color: #F05050; }
 
 .list-group-item-heading {
   margin-top: 0;
-  margin-bottom: 5px;
-}
+  margin-bottom: 5px; }
 
 .list-group-item-text {
   margin-bottom: 0;
-  line-height: 1.3;
-}
+  line-height: 1.3; }
 
 .panel {
   border: 1px solid #b0b0b0;
-  margin-bottom: 20px;
-}
+  margin-bottom: 20px; }
 
 .panel-body {
   padding: 15px;
-  background-color: #F0F0F0;
-
-  &:before {
-    content: " ";
-    display: table;
-  }
-
-  &:after {
+  background-color: #F0F0F0;}
+  .panel-body:before, .panel-body:after {
     content: " ";
-    display: table;
-    clear: both;
-  }
-}
+    display: table; }
+  .panel-body:after {
+    clear: both; }
 
 .panel-heading {
   padding: 10px 15px;
   border-bottom: 1px solid #b0b0b0;
   border-top-right-radius: 2px;
   border-top-left-radius: 2px;
-  background-color: #30596f;
+  background-color: #45565f; }
 
-  > .dropdown .dropdown-toggle {
-    color: inherit;
-  }
-}
+  .panel-heading > .dropdown .dropdown-toggle {
+    color: inherit; }
 
 .panel-title {
   margin-top: 0;
   margin-bottom: 0;
   font-size: 16px;
-  color: inherit;
-
-  > a {
-    color: inherit;
-  }
-}
+  color: inherit; }
+  .panel-title > a {
+    color: inherit; }
 
 .panel-footer {
   padding: 10px 15px;
   background-color: #f5f5f5;
   border-top: 1px solid #ddd;
   border-bottom-right-radius: 2px;
-  border-bottom-left-radius: 2px;
-}
+  border-bottom-left-radius: 2px; }
 
 .panel > .list-group {
-  margin-bottom: 0;
-
-  .list-group-item {
+  margin-bottom: 0; }
+  .panel > .list-group .list-group-item {
     border-width: 1px 0;
-    border-radius: 0;
-  }
-
-  &:first-child .list-group-item:first-child {
-    border-top: 0;
-  }
-
-  &:last-child .list-group-item:last-child {
-    border-bottom: 0;
-  }
-}
-
-.panel-heading + .list-group .list-group-item:first-child, .list-group + .panel-footer {
-  border-top-width: 0;
-}
-
-.panel > {
-  .table, .table-responsive > .table, .panel-collapse > .table {
-    margin-bottom: 0;
-  }
-
-  .table:first-child, .table-responsive:first-child > .table:first-child {
-    border-top-right-radius: 2px;
-    border-top-left-radius: 2px;
-  }
-
-  .table:first-child > {
-    thead:first-child > tr:first-child {
-      td:first-child, th:first-child {
-        border-top-left-radius: 2px;
-      }
-    }
-
-    tbody:first-child > tr:first-child {
-      td:first-child, th:first-child {
-        border-top-left-radius: 2px;
-      }
-    }
-  }
-
-  .table-responsive:first-child > .table:first-child > {
-    thead:first-child > tr:first-child {
-      td:first-child, th:first-child {
-        border-top-left-radius: 2px;
-      }
-    }
-
-    tbody:first-child > tr:first-child {
-      td:first-child, th:first-child {
-        border-top-left-radius: 2px;
-      }
-    }
-  }
-
-  .table:first-child > {
-    thead:first-child > tr:first-child {
-      td:last-child, th:last-child {
-        border-top-right-radius: 2px;
-      }
-    }
-
-    tbody:first-child > tr:first-child {
-      td:last-child, th:last-child {
-        border-top-right-radius: 2px;
-      }
-    }
-  }
-
-  .table-responsive:first-child > .table:first-child > {
-    thead:first-child > tr:first-child {
-      td:last-child, th:last-child {
-        border-top-right-radius: 2px;
-      }
-    }
-
-    tbody:first-child > tr:first-child {
-      td:last-child, th:last-child {
-        border-top-right-radius: 2px;
-      }
-    }
-  }
-
-  .table:last-child, .table-responsive:last-child > .table:last-child {
-    border-bottom-right-radius: 2px;
-    border-bottom-left-radius: 2px;
-  }
-
-  .table:last-child > {
-    tbody:last-child > tr:last-child {
-      td:first-child, th:first-child {
-        border-bottom-left-radius: 2px;
-      }
-    }
-
-    tfoot:last-child > tr:last-child {
-      td:first-child, th:first-child {
-        border-bottom-left-radius: 2px;
-      }
-    }
-  }
-
-  .table-responsive:last-child > .table:last-child > {
-    tbody:last-child > tr:last-child {
-      td:first-child, th:first-child {
-        border-bottom-left-radius: 2px;
-      }
-    }
-
-    tfoot:last-child > tr:last-child {
-      td:first-child, th:first-child {
-        border-bottom-left-radius: 2px;
-      }
-    }
-  }
-
-  .table:last-child > {
-    tbody:last-child > tr:last-child {
-      td:last-child, th:last-child {
-        border-bottom-right-radius: 2px;
-      }
-    }
-
-    tfoot:last-child > tr:last-child {
-      td:last-child, th:last-child {
-        border-bottom-right-radius: 2px;
-      }
-    }
-  }
-
-  .table-responsive:last-child > .table:last-child > {
-    tbody:last-child > tr:last-child {
-      td:last-child, th:last-child {
-        border-bottom-right-radius: 2px;
-      }
-    }
-
-    tfoot:last-child > tr:last-child {
-      td:last-child, th:last-child {
-        border-bottom-right-radius: 2px;
-      }
-    }
-  }
-
-  .panel-body + {
-    .table, .table-responsive {
-      border-top: 1px solid #eee;
-    }
-  }
-
-  .table > tbody:first-child > tr:first-child {
-    th, td {
-      border-top: 0;
-    }
-  }
-
-  .table-bordered, .table-responsive > .table-bordered {
-    border: 0;
-  }
-
-  .table-bordered > {
-    thead > tr > {
-      th:first-child, td:first-child {
-        border-left: 0;
-      }
-    }
-
-    tbody > tr > {
-      th:first-child, td:first-child {
-        border-left: 0;
-      }
-    }
-
-    tfoot > tr > {
-      th:first-child, td:first-child {
-        border-left: 0;
-      }
-    }
-  }
-
-  .table-responsive > .table-bordered > {
-    thead > tr > {
-      th:first-child, td:first-child {
-        border-left: 0;
-      }
-    }
-
-    tbody > tr > {
-      th:first-child, td:first-child {
-        border-left: 0;
-      }
-    }
-
-    tfoot > tr > {
-      th:first-child, td:first-child {
-        border-left: 0;
-      }
-    }
-  }
-
-  .table-bordered > {
-    thead > tr > {
-      th:last-child, td:last-child {
-        border-right: 0;
-      }
-    }
-
-    tbody > tr > {
-      th:last-child, td:last-child {
-        border-right: 0;
-      }
-    }
-
-    tfoot > tr > {
-      th:last-child, td:last-child {
-        border-right: 0;
-      }
-    }
-  }
-
-  .table-responsive > .table-bordered > {
-    thead > tr > {
-      th:last-child, td:last-child {
-        border-right: 0;
-      }
-    }
-
-    tbody > tr > {
-      th:last-child, td:last-child {
-        border-right: 0;
-      }
-    }
-
-    tfoot > tr > {
-      th:last-child, td:last-child {
-        border-right: 0;
-      }
-    }
-  }
-
-  .table-bordered > {
-    thead > tr:first-child > {
-      td, th {
-        border-bottom: 0;
-      }
-    }
-
-    tbody > tr:first-child > {
-      td, th {
-        border-bottom: 0;
-      }
-    }
-  }
-
-  .table-responsive > .table-bordered > {
-    thead > tr:first-child > {
-      td, th {
-        border-bottom: 0;
-      }
-    }
-
-    tbody > tr:first-child > {
-      td, th {
-        border-bottom: 0;
-      }
-    }
-  }
-
-  .table-bordered > {
-    tbody > tr:last-child > {
-      td, th {
-        border-bottom: 0;
-      }
-    }
-
-    tfoot > tr:last-child > {
-      td, th {
-        border-bottom: 0;
-      }
-    }
-  }
-
-  .table-responsive {
-    > .table-bordered > {
-      tbody > tr:last-child > {
-        td, th {
-          border-bottom: 0;
-        }
-      }
-
-      tfoot > tr:last-child > {
-        td, th {
-          border-bottom: 0;
-        }
-      }
-    }
-
-    border: 0;
-    margin-bottom: 0;
-  }
-}
+    border-radius: 0; }
+  .panel > .list-group:first-child .list-group-item:first-child {
+    border-top: 0; }
+  .panel > .list-group:last-child .list-group-item:last-child {
+    border-bottom: 0; }
+
+.panel-heading + .list-group .list-group-item:first-child {
+  border-top-width: 0; }
+
+.list-group + .panel-footer {
+  border-top-width: 0; }
+
+.panel > .table,
+.panel > .table-responsive > .table,
+.panel > .panel-collapse > .table {
+  margin-bottom: 0; }
+.panel > .table:first-child,
+.panel > .table-responsive:first-child > .table:first-child {
+  border-top-right-radius: 2px;
+  border-top-left-radius: 2px; }
+  .panel > .table:first-child > thead:first-child > tr:first-child td:first-child,
+  .panel > .table:first-child > thead:first-child > tr:first-child th:first-child,
+  .panel > .table:first-child > tbody:first-child > tr:first-child td:first-child,
+  .panel > .table:first-child > tbody:first-child > tr:first-child th:first-child,
+  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child,
+  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child,
+  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child,
+  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child {
+    border-top-left-radius: 2px; }
+  .panel > .table:first-child > thead:first-child > tr:first-child td:last-child,
+  .panel > .table:first-child > thead:first-child > tr:first-child th:last-child,
+  .panel > .table:first-child > tbody:first-child > tr:first-child td:last-child,
+  .panel > .table:first-child > tbody:first-child > tr:first-child th:last-child,
+  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child,
+  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child,
+  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child,
+  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child {
+    border-top-right-radius: 2px; }
+.panel > .table:last-child,
+.panel > .table-responsive:last-child > .table:last-child {
+  border-bottom-right-radius: 2px;
+  border-bottom-left-radius: 2px; }
+  .panel > .table:last-child > tbody:last-child > tr:last-child td:first-child,
+  .panel > .table:last-child > tbody:last-child > tr:last-child th:first-child,
+  .panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
+  .panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child,
+  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child,
+  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child,
+  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
+  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child {
+    border-bottom-left-radius: 2px; }
+  .panel > .table:last-child > tbody:last-child > tr:last-child td:last-child,
+  .panel > .table:last-child > tbody:last-child > tr:last-child th:last-child,
+  .panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
+  .panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child,
+  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child,
+  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child,
+  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
+  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child {
+    border-bottom-right-radius: 2px; }
+.panel > .panel-body + .table,
+.panel > .panel-body + .table-responsive {
+  border-top: 1px solid #eee; }
+.panel > .table > tbody:first-child > tr:first-child th,
+.panel > .table > tbody:first-child > tr:first-child td {
+  border-top: 0; }
+.panel > .table-bordered,
+.panel > .table-responsive > .table-bordered {
+  border: 0; }
+  .panel > .table-bordered > thead > tr > th:first-child,
+  .panel > .table-bordered > thead > tr > td:first-child,
+  .panel > .table-bordered > tbody > tr > th:first-child,
+  .panel > .table-bordered > tbody > tr > td:first-child,
+  .panel > .table-bordered > tfoot > tr > th:first-child,
+  .panel > .table-bordered > tfoot > tr > td:first-child,
+  .panel > .table-responsive > .table-bordered > thead > tr > th:first-child,
+  .panel > .table-responsive > .table-bordered > thead > tr > td:first-child,
+  .panel > .table-responsive > .table-bordered > tbody > tr > th:first-child,
+  .panel > .table-responsive > .table-bordered > tbody > tr > td:first-child,
+  .panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child,
+  .panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child {
+    border-left: 0; }
+  .panel > .table-bordered > thead > tr > th:last-child,
+  .panel > .table-bordered > thead > tr > td:last-child,
+  .panel > .table-bordered > tbody > tr > th:last-child,
+  .panel > .table-bordered > tbody > tr > td:last-child,
+  .panel > .table-bordered > tfoot > tr > th:last-child,
+  .panel > .table-bordered > tfoot > tr > td:last-child,
+  .panel > .table-responsive > .table-bordered > thead > tr > th:last-child,
+  .panel > .table-responsive > .table-bordered > thead > tr > td:last-child,
+  .panel > .table-responsive > .table-bordered > tbody > tr > th:last-child,
+  .panel > .table-responsive > .table-bordered > tbody > tr > td:last-child,
+  .panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child,
+  .panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child {
+    border-right: 0; }
+  .panel > .table-bordered > thead > tr:first-child > td,
+  .panel > .table-bordered > thead > tr:first-child > th,
+  .panel > .table-bordered > tbody > tr:first-child > td,
+  .panel > .table-bordered > tbody > tr:first-child > th,
+  .panel > .table-responsive > .table-bordered > thead > tr:first-child > td,
+  .panel > .table-responsive > .table-bordered > thead > tr:first-child > th,
+  .panel > .table-responsive > .table-bordered > tbody > tr:first-child > td,
+  .panel > .table-responsive > .table-bordered > tbody > tr:first-child > th {
+    border-bottom: 0; }
+  .panel > .table-bordered > tbody > tr:last-child > td,
+  .panel > .table-bordered > tbody > tr:last-child > th,
+  .panel > .table-bordered > tfoot > tr:last-child > td,
+  .panel > .table-bordered > tfoot > tr:last-child > th,
+  .panel > .table-responsive > .table-bordered > tbody > tr:last-child > td,
+  .panel > .table-responsive > .table-bordered > tbody > tr:last-child > th,
+  .panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td,
+  .panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th {
+    border-bottom: 0; }
+.panel > .table-responsive {
+  border: 0;
+  margin-bottom: 0; }
 
 .panel-group {
-  margin-bottom: 20px;
-
-  .panel {
+  margin-bottom: 20px; }
+  .panel-group .panel {
     margin-bottom: 0;
-    border-radius: 3px;
-
-    + .panel {
-      margin-top: 5px;
-    }
-  }
-
-  .panel-heading {
-    border-bottom: 0;
-
-    + .panel-collapse > .panel-body {
-      border-top: 1px solid #ddd;
-    }
-  }
-
-  .panel-footer {
-    border-top: 0;
-
-    + .panel-collapse .panel-body {
-      border-bottom: 1px solid #ddd;
-    }
-  }
-}
-
-.panel-default {
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-
-  > {
-    .panel-heading {
-      color: #fff;
-      border-color: #b0b0b0;
-
-      + .panel-collapse > .panel-body {
-        border-top-color: #b0b0b0;
-      }
-
-      .badge {
-        color: #f5f5f5;
-        background-color: #2d2d2d;
-      }
-    }
-
-    .panel-footer + .panel-collapse > .panel-body {
-      border-bottom-color: #b0b0b0;
-    }
-  }
-}
-
-.panel-primary {
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-
-  > {
-    .panel-heading {
-      color: #FFF;
-      border-color: #b0b0b0;
-
-      + .panel-collapse > .panel-body {
-        border-top-color: #FF8B00;
-      }
-
-      .badge {
-        color: #FF8B00;
-        background-color: #fff;
-      }
-    }
-
-    .panel-footer + .panel-collapse > .panel-body {
-      border-bottom-color: #FF8B00;
-    }
-  }
-}
+    border-radius: 3px; }
+    .panel-group .panel + .panel {
+      margin-top: 5px; }
+  .panel-group .panel-heading {
+    border-bottom: 0; }
+    .panel-group .panel-heading + .panel-collapse > .panel-body {
+      border-top: 1px solid #ddd; }
+  .panel-group .panel-footer {
+    border-top: 0; }
+    .panel-group .panel-footer + .panel-collapse .panel-body {
+      border-bottom: 1px solid #ddd; }
+  .panel-default {
+	-webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
+  .panel-default > .panel-heading {
+	color: #fff;
+	border-color: #b0b0b0; }
+    .panel-default > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #b0b0b0; }
+    .panel-default > .panel-heading .badge {
+      color: #f5f5f5;
+      background-color: #2d2d2d; }
+  .panel-default > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #b0b0b0; }
+  .panel-primary {
+	-webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
+  .panel-primary > .panel-heading {
+    color: #FFF;
+    border-color: #b0b0b0; }
+    .panel-primary > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #FF8B00; }
+    .panel-primary > .panel-heading .badge {
+      color: #FF8B00;
+      background-color: #fff; }
+  .panel-primary > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #FF8B00; }
 
 .panel-success {
-  border-color: #9BD275;
-
-  > {
-    .panel-heading {
+  border-color: #9BD275; }
+  .panel-success > .panel-heading {
+    color: #9BD275;
+    background-color: #9BD275;
+    border-color: #9BD275; }
+    .panel-success > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #9BD275; }
+    .panel-success > .panel-heading .badge {
       color: #9BD275;
-      background-color: #9BD275;
-      border-color: #9BD275;
-
-      + .panel-collapse > .panel-body {
-        border-top-color: #9BD275;
-      }
-
-      .badge {
-        color: #9BD275;
-        background-color: #9BD275;
-      }
-    }
-
-    .panel-footer + .panel-collapse > .panel-body {
-      border-bottom-color: #9BD275;
-    }
-  }
-}
+      background-color: #9BD275; }
+  .panel-success > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #9BD275; }
 
 .panel-info {
-  border-color: #b0b0b0;
-
-  > {
-    .panel-heading {
-      color: #31708f;
-      background-color: #d9edf7;
-      border-color: #b0b0b0;
-
-      + .panel-collapse > .panel-body {
-        border-top-color: #b0b0b0;
-      }
-
-      .badge {
-        color: #d9edf7;
-        background-color: #31708f;
-      }
-    }
-
-    .panel-footer + .panel-collapse > .panel-body {
-      border-bottom-color: #b0b0b0;
-    }
-  }
-}
+  border-color: #b0b0b0; }
+  .panel-info > .panel-heading {
+    color: #31708f;
+    background-color: #d9edf7;
+    border-color: #b0b0b0; }
+    .panel-info > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #b0b0b0; }
+    .panel-info > .panel-heading .badge {
+      color: #d9edf7;
+      background-color: #31708f; }
+  .panel-info > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #b0b0b0; }
 
 .panel-warning {
-  border-color: #faebcc;
-
-  > {
-    .panel-heading {
-      color: #f0ad4e;
-      background-color: #fcf8e3;
-      border-color: #faebcc;
-
-      + .panel-collapse > .panel-body {
-        border-top-color: #faebcc;
-      }
-
-      .badge {
-        color: #fcf8e3;
-        background-color: #f0ad4e;
-      }
-    }
-
-    .panel-footer + .panel-collapse > .panel-body {
-      border-bottom-color: #faebcc;
-    }
-  }
-}
+  border-color: #faebcc; }
+  .panel-warning > .panel-heading {
+    color: #f0ad4e;
+    background-color: #fcf8e3;
+    border-color: #faebcc; }
+    .panel-warning > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #faebcc; }
+    .panel-warning > .panel-heading .badge {
+      color: #fcf8e3;
+      background-color: #f0ad4e; }
+  .panel-warning > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #faebcc; }
 
 .panel-danger {
-  border-color: #F05050;
-
-  > {
-    .panel-heading {
+  border-color: #F05050; }
+  .panel-danger > .panel-heading {
+    color: #F05050;
+    background-color: #F05050;
+    border-color: #F05050; }
+    .panel-danger > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #F05050; }
+    .panel-danger > .panel-heading .badge {
       color: #F05050;
-      background-color: #F05050;
-      border-color: #F05050;
-
-      + .panel-collapse > .panel-body {
-        border-top-color: #F05050;
-      }
-
-      .badge {
-        color: #F05050;
-        background-color: #F05050;
-      }
-    }
-
-    .panel-footer + .panel-collapse > .panel-body {
-      border-bottom-color: #F05050;
-    }
-  }
-}
+      background-color: #F05050; }
+  .panel-danger > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #F05050; }
 
 .embed-responsive {
   position: relative;
   display: block;
   height: 0;
   padding: 0;
-  overflow: hidden;
-
-  .embed-responsive-item, iframe, embed, object {
+  overflow: hidden; }
+  .embed-responsive .embed-responsive-item,
+  .embed-responsive iframe,
+  .embed-responsive embed,
+  .embed-responsive object {
     position: absolute;
     top: 0;
     left: 0;
     bottom: 0;
     height: 100%;
     width: 100%;
-    border: 0;
-  }
-
-  &.embed-responsive-16by9 {
-    padding-bottom: 56.25%;
-  }
-
-  &.embed-responsive-4by3 {
-    padding-bottom: 75%;
-  }
-}
+    border: 0; }
+  .embed-responsive.embed-responsive-16by9 {
+    padding-bottom: 56.25%; }
+  .embed-responsive.embed-responsive-4by3 {
+    padding-bottom: 75%; }
 
 .well {
   min-height: 20px;
@@ -8553,54 +4954,44 @@ a.list-group-item-danger {
   margin-bottom: 20px;
   background-color: none;
   border: none;
-  border-radius: none;
-
-  blockquote {
+  border-radius: none; }
+  .well blockquote {
     border-color: #ddd;
-    border-color: rgba(0, 0, 0, 0.15);
-  }
-}
+    border-color: rgba(0, 0, 0, 0.15); }
 
 .well-lg {
   padding: 24px;
-  border-radius: 6px;
-}
+  border-radius: 6px; }
 
 .well-sm {
   padding: 9px;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 .close {
-  float: right;
+  float:right;
   font-size: 21px;
   font-weight: bold;
   line-height: 1;
   color: #FFFFFF;
   text-shadow: 0 1px 0 #000;
   opacity: 1;
-  filter: alpha(opacity = 100);
-
-  &:hover, &:focus {
+  filter: alpha(opacity=100); }
+  .close:hover, .close:focus {
     color: #000;
     text-decoration: none;
     cursor: pointer;
     opacity: 1;
-    filter: alpha(opacity = 100);
-  }
-}
+    filter: alpha(opacity=100); }
 
 button.close {
   padding: 0;
   cursor: pointer;
   background: transparent;
   border: 0;
-  -webkit-appearance: none;
-}
+  -webkit-appearance: none; }
 
 .modal-open {
-  overflow: hidden;
-}
+  overflow: hidden; }
 
 .modal {
   display: none;
@@ -8612,34 +5003,27 @@ button.close {
   left: 0;
   z-index: 1050;
   -webkit-overflow-scrolling: touch;
-  outline: 0;
-
-  &.fade .modal-dialog {
+  outline: 0; }
+  .modal.fade .modal-dialog {
     -webkit-transform: translate3d(0, -25%, 0);
     transform: translate3d(0, -25%, 0);
     -webkit-transition: -webkit-transform 0.3s ease-out;
     -moz-transition: -moz-transform 0.3s ease-out;
     -o-transition: -o-transform 0.3s ease-out;
-    transition: transform 0.3s ease-out;
-  }
-
-  &.in .modal-dialog {
+    transition: transform 0.3s ease-out; }
+  .modal.in .modal-dialog {
     -webkit-transform: translate3d(0, 0, 0);
-    transform: translate3d(0, 0, 0);
-  }
-}
+    transform: translate3d(0, 0, 0); }
 
 .modal-open .modal {
   overflow-x: hidden;
-  overflow-y: auto;
-}
+  overflow-y: auto; }
 
 .modal-dialog {
   position: relative;
   width: auto;
   margin: 62px 10px 10px 10px;
-  border: 1px solid #7a7a7a;
-}
+  border: 1px solid #7a7a7a;}
 
 .modal-content {
   position: relative;
@@ -8649,8 +5033,7 @@ button.close {
   -webkit-box-shadow: 0 5px 15px rgb(30, 30, 30);
   box-shadow: 0 5px 15px rgb(5, 5, 5);
   background-clip: padding-box;
-  outline: 0;
-}
+  outline: 0; }
 
 .modal-backdrop {
   position: fixed;
@@ -8659,113 +5042,79 @@ button.close {
   bottom: 0;
   left: 0;
   z-index: 1040;
-  background-color: #000;
-
-  &.fade {
+  background-color: #000; }
+  .modal-backdrop.fade {
     opacity: 0;
-    filter: alpha(opacity = 0);
-  }
-
-  &.in {
+    filter: alpha(opacity=0); }
+  .modal-backdrop.in {
     opacity: 0.5;
-    filter: alpha(opacity = 50);
-  }
-}
+    filter: alpha(opacity=50); }
 
 .modal-header {
-  padding-left: 10px;
-  padding-right: 10px;
-  padding-top: 3px;
-  padding-bottom: 1px;
+  padding-left:10px;
+  padding-right:10px;
+  padding-top:3px;
+  padding-bottom:1px;
   border-bottom: 1px solid #4a4a4a;
   min-height: 16.42857px;
-  background-color: #427795;
-  color: #FFF;
+  background-color: #45565f;
+  color: #FFF; }
 
-  .close {
-    margin-top: -2px;
-  }
-}
+.modal-header .close {
+  margin-top: -2px; }
 
 .modal-title {
   margin: 0;
-  line-height: 1.428571429;
-}
+  line-height: 1.428571429; }
 
 .modal-body {
   position: relative;
   padding: 5px;
-  background-color: #FFF;
-
-  .table-hover > tbody > tr:hover > {
-    td, th {
-      background-color: #336480;
-      color: #FFF;
-    }
-  }
-}
+  background-color: #FFF;}
+.modal-body .table-hover > tbody > tr:hover > td,
+.modal-body .table-hover > tbody > tr:hover > th {
+  background-color: #f06702;
+  color: #FFF; }
 
 .modal-footer {
   padding: 5px;
   text-align: right;
-  background-color: #f0f0f0;
-  border-top: 1px solid inherit;
-
-  &:before {
-    content: " ";
-    display: table;
-  }
-
-  &:after {
+  background-color: #ddd;
+  border-top: 1px solid inherit; }
+  .modal-footer:before, .modal-footer:after {
     content: " ";
-    display: table;
-    clear: both;
-  }
-
-  .btn + .btn {
+    display: table; }
+  .modal-footer:after {
+    clear: both; }
+  .modal-footer .btn + .btn {
     margin-left: 5px;
-    margin-bottom: 0;
-  }
-
-  .btn-group .btn + .btn {
-    margin-left: -1px;
-  }
-
-  .btn-block + .btn-block {
-    margin-left: 0;
-  }
-}
+    margin-bottom: 0; }
+  .modal-footer .btn-group .btn + .btn {
+    margin-left: -1px; }
+  .modal-footer .btn-block + .btn-block {
+    margin-left: 0; }
 
 .modal-scrollbar-measure {
   position: absolute;
   top: -9999px;
   width: 50px;
   height: 50px;
-  overflow: scroll;
-}
+  overflow: scroll; }
 
 @media (min-width: 768px) {
   .modal-dialog {
     width: 600px;
-    margin: 82px auto 30px auto;
-  }
+    margin: 82px auto 30px auto; }
 
   .modal-content {
     -webkit-box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
-    box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
-  }
+    box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5); }
 
   .modal-sm {
-    width: 300px;
-  }
-}
-
+    width: 300px; } }
 @media (min-width: 992px) {
   .modal-lg {
-    width: 900px;
-  }
-}
-
+    width: 900px; } }
 .tooltip {
   position: absolute;
   z-index: 1070;
@@ -8774,113 +5123,83 @@ button.close {
   font-size: 12px;
   line-height: 1.4;
   opacity: 0;
-  filter: alpha(opacity = 0);
-
-  &.in {
+  filter: alpha(opacity=0); }
+  .tooltip.in {
     opacity: 0.9;
-    filter: alpha(opacity = 90);
-  }
-
-  &.top {
+    filter: alpha(opacity=90); }
+  .tooltip.top {
     margin-top: -3px;
-    padding: 5px 0;
-  }
-
-  &.right {
+    padding: 5px 0; }
+  .tooltip.right {
     margin-left: 3px;
-    padding: 0 5px;
-  }
-
-  &.bottom {
+    padding: 0 5px; }
+  .tooltip.bottom {
     margin-top: 3px;
-    padding: 5px 0;
-  }
-
-  &.left {
+    padding: 5px 0; }
+  .tooltip.left {
     margin-left: -3px;
-    padding: 0 5px;
-  }
-}
+    padding: 0 5px; }
 
 .tooltip-inner {
   max-width: 200px;
   padding: 3px 8px;
   color: #fff;
   text-align: center;
-  text-decoration: none;
-  background-color: #000;
-  border-radius: 3px;
-}
-
-.tooltip-arrow {
-  position: absolute;
-  width: 0;
-  height: 0;
-  border-color: transparent;
-  border-style: solid;
-}
-
-.tooltip {
-  &.top .tooltip-arrow {
-    bottom: 0;
-    left: 50%;
-    margin-left: -5px;
-    border-width: 5px 5px 0;
-    border-top-color: #000;
-  }
-
-  &.top-left .tooltip-arrow {
-    bottom: 0;
-    left: 5px;
-    border-width: 5px 5px 0;
-    border-top-color: #000;
-  }
-
-  &.top-right .tooltip-arrow {
-    bottom: 0;
-    right: 5px;
-    border-width: 5px 5px 0;
-    border-top-color: #000;
-  }
-
-  &.right .tooltip-arrow {
-    top: 50%;
-    left: 0;
-    margin-top: -5px;
-    border-width: 5px 5px 5px 0;
-    border-right-color: #000;
-  }
-
-  &.left .tooltip-arrow {
-    top: 50%;
-    right: 0;
-    margin-top: -5px;
-    border-width: 5px 0 5px 5px;
-    border-left-color: #000;
-  }
-
-  &.bottom .tooltip-arrow {
-    top: 0;
-    left: 50%;
-    margin-left: -5px;
-    border-width: 0 5px 5px;
-    border-bottom-color: #000;
-  }
+  text-decoration: none;
+  background-color: #000;
+  border-radius: 3px; }
 
-  &.bottom-left .tooltip-arrow {
-    top: 0;
-    left: 5px;
-    border-width: 0 5px 5px;
-    border-bottom-color: #000;
-  }
+.tooltip-arrow {
+  position: absolute;
+  width: 0;
+  height: 0;
+  border-color: transparent;
+  border-style: solid; }
 
-  &.bottom-right .tooltip-arrow {
-    top: 0;
-    right: 5px;
-    border-width: 0 5px 5px;
-    border-bottom-color: #000;
-  }
-}
+.tooltip.top .tooltip-arrow {
+  bottom: 0;
+  left: 50%;
+  margin-left: -5px;
+  border-width: 5px 5px 0;
+  border-top-color: #000; }
+.tooltip.top-left .tooltip-arrow {
+  bottom: 0;
+  left: 5px;
+  border-width: 5px 5px 0;
+  border-top-color: #000; }
+.tooltip.top-right .tooltip-arrow {
+  bottom: 0;
+  right: 5px;
+  border-width: 5px 5px 0;
+  border-top-color: #000; }
+.tooltip.right .tooltip-arrow {
+  top: 50%;
+  left: 0;
+  margin-top: -5px;
+  border-width: 5px 5px 5px 0;
+  border-right-color: #000; }
+.tooltip.left .tooltip-arrow {
+  top: 50%;
+  right: 0;
+  margin-top: -5px;
+  border-width: 5px 0 5px 5px;
+  border-left-color: #000; }
+.tooltip.bottom .tooltip-arrow {
+  top: 0;
+  left: 50%;
+  margin-left: -5px;
+  border-width: 0 5px 5px;
+  border-bottom-color: #000; }
+.tooltip.bottom-left .tooltip-arrow {
+  top: 0;
+  left: 5px;
+  border-width: 0 5px 5px;
+  border-bottom-color: #000; }
+.tooltip.bottom-right .tooltip-arrow {
+  top: 0;
+  right: 5px;
+  border-width: 0 5px 5px;
+  border-bottom-color: #000; }
 
 .popover {
   position: absolute;
@@ -8894,201 +5213,143 @@ button.close {
   background-color: #fff;
   background-clip: padding-box;
   border: 1px solid #ccc;
-  border: 1px solid rgba(0, 0, 0, 0.3);
+  border: 1px solid rgba(0, 0, 0, 0.30);
   border-radius: 6px;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  white-space: normal;
-
-  &.top {
-    margin-top: -10px;
-  }
-
-  &.right {
-    margin-left: 10px;
-  }
-
-  &.bottom {
-    margin-top: 10px;
-  }
-
-  &.left {
-    margin-left: -10px;
-  }
-}
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+  white-space: normal; }
+  .popover.top {
+    margin-top: -10px; }
+  .popover.right {
+    margin-left: 10px; }
+  .popover.bottom {
+    margin-top: 10px; }
+  .popover.left {
+    margin-left: -10px; }
 
 .popover-title {
   margin: 0;
   padding: 8px 14px;
-  font-size: 14px;
+  font-size:14px;
   font-weight: normal;
   line-height: 18px;
   background-color: #f7f7f7;
   border-bottom: 1px solid #ebebeb;
-  border-radius: 5px 5px 0 0;
-}
+  border-radius: 5px 5px 0 0; }
 
 .popover-content {
-  padding: 9px 14px;
-}
+  padding: 9px 14px; }
 
-.popover {
-  > .arrow {
-    position: absolute;
-    display: block;
-    width: 0;
-    height: 0;
-    border-color: transparent;
-    border-style: solid;
+.popover > .arrow, .popover > .arrow:after {
+  position: absolute;
+  display: block;
+  width: 0;
+  height: 0;
+  border-color: transparent;
+  border-style: solid; }
 
-    &:after {
-      position: absolute;
-      display: block;
-      width: 0;
-      height: 0;
-      border-color: transparent;
-      border-style: solid;
-      border-width: 10px;
-      content: "";
-    }
+.popover > .arrow {
+  border-width: 11px; }
 
-    border-width: 11px;
-  }
+.popover > .arrow:after {
+  border-width: 10px;
+  content: ""; }
 
-  &.top > .arrow {
-    left: 50%;
-    margin-left: -11px;
+.popover.top > .arrow {
+  left: 50%;
+  margin-left: -11px;
+  border-bottom-width: 0;
+  border-top-color: #999999;
+  border-top-color: rgba(0, 0, 0, 0.25);
+  bottom: -11px; }
+  .popover.top > .arrow:after {
+    content: " ";
+    bottom: 1px;
+    margin-left: -10px;
     border-bottom-width: 0;
-    border-top-color: #999999;
-    border-top-color: rgba(0, 0, 0, 0.25);
-    bottom: -11px;
-
-    &:after {
-      content: " ";
-      bottom: 1px;
-      margin-left: -10px;
-      border-bottom-width: 0;
-      border-top-color: #fff;
-    }
-  }
-
-  &.right > .arrow {
-    top: 50%;
-    left: -11px;
-    margin-top: -11px;
+    border-top-color: #fff; }
+.popover.right > .arrow {
+  top: 50%;
+  left: -11px;
+  margin-top: -11px;
+  border-left-width: 0;
+  border-right-color: #999999;
+  border-right-color: rgba(0, 0, 0, 0.25); }
+  .popover.right > .arrow:after {
+    content: " ";
+    left: 1px;
+    bottom: -10px;
     border-left-width: 0;
-    border-right-color: #999999;
-    border-right-color: rgba(0, 0, 0, 0.25);
-
-    &:after {
-      content: " ";
-      left: 1px;
-      bottom: -10px;
-      border-left-width: 0;
-      border-right-color: #fff;
-    }
-  }
-
-  &.bottom > .arrow {
-    left: 50%;
-    margin-left: -11px;
+    border-right-color: #fff; }
+.popover.bottom > .arrow {
+  left: 50%;
+  margin-left: -11px;
+  border-top-width: 0;
+  border-bottom-color: #999999;
+  border-bottom-color: rgba(0, 0, 0, 0.25);
+  top: -11px; }
+  .popover.bottom > .arrow:after {
+    content: " ";
+    top: 1px;
+    margin-left: -10px;
     border-top-width: 0;
-    border-bottom-color: #999999;
-    border-bottom-color: rgba(0, 0, 0, 0.25);
-    top: -11px;
-
-    &:after {
-      content: " ";
-      top: 1px;
-      margin-left: -10px;
-      border-top-width: 0;
-      border-bottom-color: #fff;
-    }
-  }
-
-  &.left > .arrow {
-    top: 50%;
-    right: -11px;
-    margin-top: -11px;
+    border-bottom-color: #fff; }
+.popover.left > .arrow {
+  top: 50%;
+  right: -11px;
+  margin-top: -11px;
+  border-right-width: 0;
+  border-left-color: #999999;
+  border-left-color: rgba(0, 0, 0, 0.25); }
+  .popover.left > .arrow:after {
+    content: " ";
+    right: 1px;
     border-right-width: 0;
-    border-left-color: #999999;
-    border-left-color: rgba(0, 0, 0, 0.25);
-
-    &:after {
-      content: " ";
-      right: 1px;
-      border-right-width: 0;
-      border-left-color: #fff;
-      bottom: -10px;
-    }
-  }
-}
+    border-left-color: #fff;
+    bottom: -10px; }
 
 .carousel {
-  position: relative;
-}
+  position: relative; }
 
 .carousel-inner {
   position: relative;
   overflow: hidden;
-  width: 100%;
-
-  > {
-    .item {
-      display: none;
-      position: relative;
-      -webkit-transition: 0.6s ease-in-out left;
-      -o-transition: 0.6s ease-in-out left;
-      transition: 0.6s ease-in-out left;
-
-      > {
-        img, a > img {
-          display: block;
-          width: 100% \9;
-          max-width: 100%;
-          height: auto;
-          line-height: 1;
-        }
-      }
-    }
-
-    .active, .next, .prev {
+  width: 100%; }
+  .carousel-inner > .item {
+    display: none;
+    position: relative;
+    -webkit-transition: 0.6s ease-in-out left;
+    -o-transition: 0.6s ease-in-out left;
+    transition: 0.6s ease-in-out left; }
+    .carousel-inner > .item > img,
+    .carousel-inner > .item > a > img {
       display: block;
-    }
-
-    .active {
-      left: 0;
-    }
-
-    .next, .prev {
-      position: absolute;
-      top: 0;
-      width: 100%;
-    }
-
-    .next {
-      left: 100%;
-    }
-
-    .prev {
-      left: -100%;
-    }
-
-    .next.left, .prev.right {
-      left: 0;
-    }
-
-    .active {
-      &.left {
-        left: -100%;
-      }
-
-      &.right {
-        left: 100%;
-      }
-    }
-  }
-}
+      width: 100% \9;
+      max-width: 100%;
+      height: auto;
+      line-height: 1; }
+  .carousel-inner > .active,
+  .carousel-inner > .next,
+  .carousel-inner > .prev {
+    display: block; }
+  .carousel-inner > .active {
+    left: 0; }
+  .carousel-inner > .next,
+  .carousel-inner > .prev {
+    position: absolute;
+    top: 0;
+    width: 100%; }
+  .carousel-inner > .next {
+    left: 100%; }
+  .carousel-inner > .prev {
+    left: -100%; }
+  .carousel-inner > .next.left,
+  .carousel-inner > .prev.right {
+    left: 0; }
+  .carousel-inner > .active.left {
+    left: -100%; }
+  .carousel-inner > .active.right {
+    left: 100%; }
 
 .carousel-control {
   position: absolute;
@@ -9097,70 +5358,57 @@ button.close {
   bottom: 0;
   width: 15%;
   opacity: 0.5;
-  filter: alpha(opacity = 50);
+  filter: alpha(opacity=50);
   font-size: 20px;
   color: #fff;
   text-align: center;
-  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
-
-  &.left {
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
+  .carousel-control.left {
     background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-image: linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-repeat: repeat-x;
-    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);
-  }
-
-  &.right {
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1); }
+  .carousel-control.right {
     left: auto;
     right: 0;
     background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-image: linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-repeat: repeat-x;
-    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);
-  }
-
-  &:hover, &:focus {
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1); }
+  .carousel-control:hover, .carousel-control:focus {
     outline: 0;
     color: #fff;
     text-decoration: none;
     opacity: 0.9;
-    filter: alpha(opacity = 90);
-  }
-
-  .icon-prev, .icon-next, .glyphicon-chevron-left, .glyphicon-chevron-right {
+    filter: alpha(opacity=90); }
+  .carousel-control .icon-prev,
+  .carousel-control .icon-next,
+  .carousel-control .glyphicon-chevron-left,
+  .carousel-control .glyphicon-chevron-right {
     position: absolute;
     top: 50%;
     z-index: 5;
-    display: inline-block;
-  }
-
-  .icon-prev, .glyphicon-chevron-left {
+    display: inline-block; }
+  .carousel-control .icon-prev,
+  .carousel-control .glyphicon-chevron-left {
     left: 50%;
-    margin-left: -10px;
-  }
-
-  .icon-next, .glyphicon-chevron-right {
+    margin-left: -10px; }
+  .carousel-control .icon-next,
+  .carousel-control .glyphicon-chevron-right {
     right: 50%;
-    margin-right: -10px;
-  }
-
-  .icon-prev, .icon-next {
+    margin-right: -10px; }
+  .carousel-control .icon-prev,
+  .carousel-control .icon-next {
     width: 20px;
     height: 20px;
     margin-top: -10px;
-    font-family: serif;
-  }
-
-  .icon-prev:before {
-    content: '\2039';
-  }
-
-  .icon-next:before {
-    content: '\203a';
-  }
-}
+    font-family: serif; }
+  .carousel-control .icon-prev:before {
+    content: '\2039'; }
+  .carousel-control .icon-next:before {
+    content: '\203a'; }
 
 .carousel-indicators {
   position: absolute;
@@ -9171,9 +5419,8 @@ button.close {
   margin-left: -30%;
   padding-left: 0;
   list-style: none;
-  text-align: center;
-
-  li {
+  text-align: center; }
+  .carousel-indicators li {
     display: inline-block;
     width: 10px;
     height: 10px;
@@ -9183,16 +5430,12 @@ button.close {
     border-radius: 10px;
     cursor: pointer;
     background-color: #000 \9;
-    background-color: transparent;
-  }
-
-  .active {
+    background-color: transparent; }
+  .carousel-indicators .active {
     margin: 0;
     width: 12px;
     height: 12px;
-    background-color: #fff;
-  }
-}
+    background-color: #fff; }
 
 .carousel-caption {
   position: absolute;
@@ -9204,350 +5447,269 @@ button.close {
   padding-bottom: 20px;
   color: #fff;
   text-align: center;
-  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
-
-  .btn {
-    text-shadow: none;
-  }
-}
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
+  .carousel-caption .btn {
+    text-shadow: none; }
 
 @media screen and (min-width: 768px) {
-  .carousel-control {
-    .glyphicon-chevron-left, .glyphicon-chevron-right, .icon-prev, .icon-next {
-      width: 30px;
-      height: 30px;
-      margin-top: -15px;
-      font-size: 30px;
-    }
-
-    .glyphicon-chevron-left, .icon-prev {
-      margin-left: -15px;
-    }
-
-    .glyphicon-chevron-right, .icon-next {
-      margin-right: -15px;
-    }
-  }
+  .carousel-control .glyphicon-chevron-left,
+  .carousel-control .glyphicon-chevron-right,
+  .carousel-control .icon-prev,
+  .carousel-control .icon-next {
+    width: 30px;
+    height: 30px;
+    margin-top: -15px;
+    font-size: 30px; }
+  .carousel-control .glyphicon-chevron-left,
+  .carousel-control .icon-prev {
+    margin-left: -15px; }
+  .carousel-control .glyphicon-chevron-right,
+  .carousel-control .icon-next {
+    margin-right: -15px; }
 
   .carousel-caption {
     left: 20%;
     right: 20%;
-    padding-bottom: 30px;
-  }
+    padding-bottom: 30px; }
 
   .carousel-indicators {
-    bottom: 20px;
-  }
-}
-
+    bottom: 20px; } }
 .clearfix:before, .content-box:before, .clearfix:after, .content-box:after {
   content: " ";
-  display: table;
-}
-
+  display: table; }
 .clearfix:after, .content-box:after {
-  clear: both;
-}
+  clear: both; }
 
 .center-block {
   display: block;
   margin-left: auto;
-  margin-right: auto;
-}
+  margin-right: auto; }
 
 .pull-right {
   float: right !important;
-  margin-top: 0px;
-}
+  margin-top: 0px;}
 
 .pull-left {
   float: left !important;
-  margin-top: 0px;
-}
+  margin-top: 0px;}
 
 .hide {
-  display: none !important;
-}
+  display: none !important; }
 
 .show {
   display: block !important;
-  color: #757575;
-}
+  color: #2ba632; }
 
 .invisible {
-  visibility: hidden;
-}
+  visibility: hidden; }
 
 .text-hide {
   font: 0/0 a;
   color: transparent;
   text-shadow: none;
   background-color: transparent;
-  border: 0;
-}
+  border: 0; }
 
 .hidden {
   display: none !important;
-  visibility: hidden !important;
-}
+  visibility: hidden !important; }
 
 .affix {
   position: fixed;
   -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0);
-}
+  transform: translate3d(0, 0, 0); }
 
 @-ms-viewport {
-  width: device-width;
-}
-
-.visible-xs, .visible-sm, .visible-md, .visible-lg, .visible-xs-block, .visible-xs-inline, .visible-xs-inline-block, .visible-sm-block, .visible-sm-inline, .visible-sm-inline-block, .visible-md-block, .visible-md-inline, .visible-md-inline-block, .visible-lg-block, .visible-lg-inline, .visible-lg-inline-block, .visible-print, .visible-print-block, .visible-print-inline, .visible-print-inline-block {
-  display: none !important;
-}
+  width: device-width; }
+.visible-xs, .visible-sm, .visible-md, .visible-lg {
+  display: none !important; }
+
+.visible-xs-block,
+.visible-xs-inline,
+.visible-xs-inline-block,
+.visible-sm-block,
+.visible-sm-inline,
+.visible-sm-inline-block,
+.visible-md-block,
+.visible-md-inline,
+.visible-md-inline-block,
+.visible-lg-block,
+.visible-lg-inline,
+.visible-lg-inline-block {
+  display: none !important; }
 
 @media (max-width: 767px) {
   .visible-xs {
-    display: block !important;
-  }
+    display: block !important; }
 
   table.visible-xs {
-    display: table;
-  }
+    display: table; }
 
   tr.visible-xs {
-    display: table-row !important;
-  }
-
-  th.visible-xs, td.visible-xs {
-    display: table-cell !important;
-  }
-}
+    display: table-row !important; }
 
+  th.visible-xs,
+  td.visible-xs {
+    display: table-cell !important; } }
 @media (max-width: 767px) {
   .visible-xs-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
 @media (max-width: 767px) {
   .visible-xs-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
 @media (max-width: 767px) {
   .visible-xs-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm {
-    display: block !important;
-  }
+    display: block !important; }
 
   table.visible-sm {
-    display: table;
-  }
+    display: table; }
 
   tr.visible-sm {
-    display: table-row !important;
-  }
-
-  th.visible-sm, td.visible-sm {
-    display: table-cell !important;
-  }
-}
+    display: table-row !important; }
 
+  th.visible-sm,
+  td.visible-sm {
+    display: table-cell !important; } }
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md {
-    display: block !important;
-  }
+    display: block !important; }
 
   table.visible-md {
-    display: table;
-  }
+    display: table; }
 
   tr.visible-md {
-    display: table-row !important;
-  }
-
-  th.visible-md, td.visible-md {
-    display: table-cell !important;
-  }
-}
+    display: table-row !important; }
 
+  th.visible-md,
+  td.visible-md {
+    display: table-cell !important; } }
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media (min-width: 1200px) {
   .visible-lg {
-    display: block !important;
-  }
+    display: block !important; }
 
   table.visible-lg {
-    display: table;
-  }
+    display: table; }
 
   tr.visible-lg {
-    display: table-row !important;
-  }
-
-  th.visible-lg, td.visible-lg {
-    display: table-cell !important;
-  }
-}
+    display: table-row !important; }
 
+  th.visible-lg,
+  td.visible-lg {
+    display: table-cell !important; } }
 @media (min-width: 1200px) {
   .visible-lg-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
 @media (min-width: 1200px) {
   .visible-lg-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
 @media (min-width: 1200px) {
   .visible-lg-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media (max-width: 767px) {
   .hidden-xs, .page-side {
-    display: none !important;
-  }
-}
-
+    display: none !important; } }
 @media (min-width: 768px) and (max-width: 991px) {
   .hidden-sm {
-    display: none !important;
-  }
-}
-
+    display: none !important; } }
 /* COLLAPSE SIDEBAR @media*/
 @media (max-width: 768px), (max-height: 669px) {
   .toggle-sidebar {
-    display: none !important;
-  }
-}
-
+    display: none !important; } }
 /* COLLAPSE SIDEBAR @media END*/
 @media (min-width: 992px) and (max-width: 1199px) {
   .hidden-md {
-    display: none !important;
-  }
-}
-
+    display: none !important; } }
 @media (min-width: 1200px) {
   .hidden-lg {
-    display: none !important;
-  }
-}
+    display: none !important; } }
+.visible-print {
+  display: none !important; }
 
 @media print {
   .visible-print {
-    display: block !important;
-  }
+    display: block !important; }
 
   table.visible-print {
-    display: table;
-  }
+    display: table; }
 
   tr.visible-print {
-    display: table-row !important;
-  }
-
-  th.visible-print, td.visible-print {
-    display: table-cell !important;
-  }
-}
-
-@media print {
-  .visible-print-block {
-    display: block !important;
-  }
-}
-
-@media print {
-  .visible-print-inline {
-    display: inline !important;
-  }
-}
-
-@media print {
-  .visible-print-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: table-row !important; }
+
+  th.visible-print,
+  td.visible-print {
+    display: table-cell !important; } }
+.visible-print-block {
+  display: none !important; }
+  @media print {
+    .visible-print-block {
+      display: block !important; } }
+
+.visible-print-inline {
+  display: none !important; }
+  @media print {
+    .visible-print-inline {
+      display: inline !important; } }
+
+.visible-print-inline-block {
+  display: none !important; }
+  @media print {
+    .visible-print-inline-block {
+      display: inline-block !important; } }
 
 @media print {
   .hidden-print {
-    display: none !important;
-  }
-}
-
+    display: none !important; } }
 * {
-  -webkit-font-smoothing: antialiased;
-}
+  -webkit-font-smoothing: antialiased; }
 
-html {
+html, body {
   height: 100%;
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
-  scrollbar-color: #315a71 #e3e3e3;
+  scrollbar-color: #45565f #e3e3e3;
   background-color: #fff;
 }
 
 body {
-  height: 100%;
-  font-family: 'SourceSansProRegular';
-  scrollbar-width: thin;
-  scrollbar-color: #315a71 #e3e3e3;
-  background-color: #fff;
   touch-action: manipulation;
   min-width: 320px;
 }
 
 .widget-sort-handle {
-  touch-action: none;
-}
+  touch-action: none; }
 
 .page-head {
   top: 0;
@@ -9555,7 +5717,7 @@ body {
   position: fixed;
   width: 100%;
   z-index: 2;
-  background-color: #172c38;
+  background-color:#172c38;
   border-bottom: 1px solid #171717;
 }
 
@@ -9563,55 +5725,49 @@ body {
   height: calc(100% - 52px);
   padding-top: 52px;
   position: relative;
-  z-index: 1;
-
-  > .row {
-    height: 100%;
-  }
-}
-
-.page-content-head {
-  .container-fluid {
-    background-color: #FBFBFB;
-    margin-left: 20px;
-    margin-right: 20px;
-    border: 1px solid #b0b0b0;
-    border-radius: 0px;
-    min-height: 47px;
-    height: auto;
-    padding: 6px 14px 5px 14px;
-    -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  }
-
-  padding-bottom: 2px;
-  padding-top: 10px;
-  color: #000;
-}
+  z-index: 1; }
+  .page-content > .row {
+    height: 100%; }
+.page-content-head .container-fluid {
+  color:#000;
+  background-color: none;
+  margin-right: 20px;
+  margin-left: 20px;
+  border-bottom: 1px solid #aeaeae;
+  border-radius: 0px;
+  min-height: 46px;
+  height: 46px;
+  padding: 9px 14px 5px 0px; }
 
-.content-box-head {
-  padding-bottom: 2px;
+.page-content-head, .content-box-head {
+  padding-bottom: 5px;
   padding-top: 10px;
-  color: #000;
+  color:#000;
 }
 
-.page-content-head .navbar-nav, .content-box-head .navbar-nav {
-  width: 100%;
-}
+  .page-content-head .navbar-nav, .content-box-head .navbar-nav {
+    width: 100%; }
+  .page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
+	line-height: inherit;
+    margin: 0; }
 
-.page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
-  line-height: inherit;
-  margin: 0;
+.page-content-head h1, content-box-head h1 {
+    padding-left: 10px;
+    padding-right: 10px;
+    color: #000;
+    text-decoration-line: none;
+    font-weight: bold;
+    text-transform: uppercase;
 }
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 9px 0px 21px 0px;
+  padding: 6px 0px 21px 0px;
 }
 
 .page-side {
   background: #172c38;
-  border: none;
+  border:none;
   height: 100% !important;
   height: calc(100% - 52px) !important;
   left: 0;
@@ -9619,13 +5775,11 @@ body {
   margin-top: 52px;
   position: fixed;
   top: 0;
-  z-index: 3;
-}
+  z-index: 3; }
 
 .page-side-nav--active {
   background: #F7F7F7;
-  border-left: 3px solid #FF8B00;
-}
+  border-left: 3px solid #FF8B00; }
 
 .page-foot {
   bottom: 0;
@@ -9636,7 +5790,7 @@ body {
   position: fixed;
   height: 20px;
   background: #172c38;
-  color: #FFF;
+  color:#FFF;
   border-top: 1px solid #162b36;
 }
 
@@ -9644,565 +5798,392 @@ body {
   padding: 0px 0px;
   margin: 0px 0px;
   background: none;
-  border: 1px solid #b0b0b0;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-
-  hr {
-    border: none;
-  }
-}
-
-.content-box-main {
-  padding-bottom: 15px;
-  padding-top: 15px;
-}
-
+  border: 1px solid #a8a8a8;
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
+.content-box hr {
+	border:none; }
+  .content-box-main {
+    padding-bottom: 15px;
+    padding-top: 15px; }
 .tab-content {
-  padding: 0px 0px;
-  margin: 0px 0px;
-
-  > .tab-content {
-    padding: 0 15px;
-  }
-
-  .tab-content:last-child {
-    margin-bottom: 0;
-  }
-}
+   padding: 0px 0px;
+   margin: 0px 0px; }
+  .tab-content > .tab-content {
+    padding: 0 15px; }
+  .tab-content .tab-content:last-child {
+    margin-bottom: 0; }
 
 .page-content-main section[class^="col-"] + section[class^="col-"] {
-  padding-top: 20px;
-}
+  padding-top: 20px; }
 
 .brand-logo {
-  display: none;
-}
-
-@media (min-width: 768px) {
-  .brand-logo {
-    display: inline-block;
-  }
-}
+  display: none; }
+  @media (min-width: 768px) {
+    .brand-logo {
+      display: inline-block; } }
 
 .brand-icon {
-  display: inline-block;
-}
-
-@media (min-width: 768px) {
-  .brand-icon {
-    display: none;
-  }
-}
+  display: inline-block; }
+  @media (min-width: 768px) {
+    .brand-icon {
+      display: none; } }
 
 @media (min-width: 768px) {
   .col-sm-disable-spacer {
-    padding-top: 0 !important;
-  }
-}
+    padding-top: 0 !important; } }
 
 @media (min-width: 992px) {
   .col-md-disable-spacer {
-    padding-top: 0 !important;
-  }
-}
+    padding-top: 0 !important; } }
 
 @media (min-width: 1200px) {
   .col-lg-disable-spacer {
-    padding-top: 0 !important;
-  }
-}
+    padding-top: 0 !important; } }
 
 .page-login {
-  background: #172c38;
-
-  .container {
+  background: #FFF; }
+  .page-login .container {
     min-height: 100%;
-    margin-bottom: -60px;
-
-    &:after {
-      height: 60px;
-    }
-  }
-
-  .login-foot {
-    color: #FFF;
-  }
-}
+    margin-bottom: -60px; }
+    .page-login .container:after {
+      height: 60px; }
+.page-login .login-foot {color:#FFF;}
 
 .login-foot {
-  font-size: 12px;
-}
+  font-size: 12px; 
+  max-width: 400px;
+  margin: 0px auto 0px auto;
+  background-color: #172c38;}
 
 .login-modal-container {
-  color: #FFF;
-  border: 1px solid #fff;
+  color:#FFF;
+  border: none;
   max-width: 400px;
-  margin: 100px auto 15px auto;
-}
-
+  margin: 100px auto 0px auto; 
+  background-color: #172c38;}
 .login-modal-head {
   height: 75px;
-  padding: 0 20px;
-}
-
+  padding: 0 20px; }
 .login-modal-content {
-  padding: 20px 20px 20px 20px;
-}
-
+  padding: 20px 20px 20px 20px; }
 .login-modal-foot {
   border-top: 1px solid #E5E5E5;
   height: 60px;
-  padding: 20px 20px 0 20px;
-
-  a {
+  padding: 20px 20px 0 20px; }
+  .login-modal-foot a {
     color: #7D7D7D;
-    text-decoration: none;
-
-    &:hover {
+    text-decoration: none; }
+    .login-modal-foot a:hover {
       color: #646464;
-      text-decoration: underline;
-    }
-  }
-}
+      text-decoration: underline; }
 
 @media (min-width: 768px) {
   .list-inline .btn-group-container {
-    float: right;
-  }
-}
+    float: right;} }
 
 .btn.btn-fixed {
   max-width: 174px;
-  width: 100%;
-}
+  width: 100%; }
 
 .progress-bar-placeholder {
   font-size: 12px;
   position: absolute;
   text-align: center;
   width: 100%;
-  z-index: 1;
-}
+  z-index: 1; }
 
 /* BOOTSTRAP EDIT */
-
 .list-group-item {
   border-left: none;
-  border-right: none;
-
-  &.collapsed .caret {
+  border-right: none; }
+  .list-group-item.collapsed .caret {
     border-bottom: 4px solid green;
-    border-top: 0;
-  }
-}
-
+    border-top: 0; }
 /* BOOTSTRAP EDIT END */
 
 /* COLLAPSE SIDEBAR */
-
 main.page-content.col-lg-12 {
   padding-left: 90px;
 }
 
 #navigation.col-sidebar-left {
-  width: 70px;
+  width:70px;
   background-color: transparent !important;
   overflow: hidden;
+}
 
-  > div {
-    &.row {
-      height: 100% !important;
-
-      > nav.page-side-nav {
-        width: 70px;
-        background-color: #172c38 !important;
-        height: 100% !important;
-        border-right: 1px solid #162b36;
-      }
-    }
-
-    > nav > #mainmenu > div > {
-      a.list-group-item {
-        font-size: 14px;
-        text-align: center;
-
-        > span {
-          &.fa, &.glyphicon {
-            visibility: visible;
-            font-size: 20px;
-          }
-
-          &.__iconspacer {
-            width: 50px;
-            height: 25px;
-            padding: 0px;
-          }
-        }
-
-        width: 70px;
-        height: 70px;
-        padding-left: 0px;
-        padding-right: 0px;
-        padding-top: 15px;
-        border-bottom: 2px solid #1b313e;
-      }
-
-      div {
-        &.collapsing > a.list-group-item {
-          padding-left: 10px !important;
-          font-size: 14px !important;
-          display: block !important;
-          position: absolute !important;
-          left: 70px !important;
-        }
-
-        &.collapse.in > div.collapsing > a.list-group-item {
-          padding-left: 10px !important;
-          font-size: 14px !important;
-          display: block !important;
-          position: absolute !important;
-          left: 166px !important;
-        }
-      }
-
-      a.list-group-item.active-menu-title {
-        color: #000 !important;
-        background-color: #FFF !important;
-      }
-    }
-  }
+#navigation.col-sidebar-left > div.row {
+  height:100% !important;
 }
 
-a.list-group-item.active-menu-title.collapsed {
-  color: #000 !important;
-  background-color: #FFF !important;
+#navigation.col-sidebar-left > div.row > nav.page-side-nav {
+  width:70px;
+  background-color:#172c38 !important;
+  height:100% !important;
+  border-right: 1px solid #162b36;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > {
-  a.list-group-item[aria-expanded="true"] {
-    color: #000 !important;
-    background-color: #FFF !important;
-  }
-
-  div {
-    &.collapse {
-      &.in {
-        > {
-          a.list-group-item[aria-expanded="true"], div.collapse.in > a.list-group-item.menu-level-3-item.active {
-            color: #000 !important;
-            background-color: #FFF !important;
-          }
-        }
-
-        > div.collapse.in > a.list-group-item {
-          padding-left: 10px !important;
-          font-size: 14px !important;
-          background-color: #294c5f !important;
-          opacity: 0.98;
-        }
-      }
-
-      > a.list-group-item {
-        padding-left: 10px !important;
-        font-size: 14px !important;
-        background-color: #294c5f !important;
-        opacity: 0.98;
-      }
-
-      > div.collapse > a.list-group-item {
-        padding-left: 10px !important;
-        font-size: 14px !important;
-      }
-    }
-
-    &.collapsed > a.list-group-item {
-      padding-left: 10px !important;
-      font-size: 14px !important;
-    }
-
-    &.collapse {
-      > {
-        a.list-group-item, div.collapse > a.list-group-item {
-          padding: 3px 8px !important;
-        }
-      }
-
-      &.in > div.collapse.in > a.list-group-item:hover {
-        text-decoration: none !important;
-        color: #000 !important;
-        background-color: #FFF !important;
-      }
-    }
-  }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
+  font-size:14px;
+  text-align:center;
 }
 
-a.list-group-item:focus {
-  text-decoration: none !important;
-  color: #000 !important;
-  background-color: #FFF !important;
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.fa,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.glyphicon {
+  visibility: visible;
+  font-size:20px;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item {
-  &.active-menu-title, &:hover {
-    color: #000 !important;
-    background-color: #FFF !important;
-  }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.__iconspacer {
+  width:50px;
+  height:25px;
+  padding:0px;
+}
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
+  width: 70px;
+  height: 70px;
+  padding-left: 0px;
+  padding-right: 0px;
+  padding-top:15px;
+  border-bottom:2px solid #515151;
 }
 
-a.list-group-item:focus {
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing > a.list-group-item {
+  padding-left: 10px !important;
+  font-size:14px !important;
+  display: block !important;
+  position: absolute !important;
+  left: 70px !important;
+}
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing > a.list-group-item {
+  padding-left: 10px !important;
+  font-size:14px !important;
+  display: block !important;
+  position: absolute !important;
+  left: 166px !important;
+}
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item.active-menu-title, a.list-group-item.active-menu-title.collapsed,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item[aria-expanded="true"],
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item[aria-expanded="true"],
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item.menu-level-3-item.active {
   color: #000 !important;
   background-color: #FFF !important;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div {
-  &.collapse.in > a.list-group-item {
-    &.collapsed:focus, &:focus {
-      color: #000 !important;
-      background-color: #FFF !important;
-    }
-  }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
+  padding-left: 10px !important;
+  font-size:14px !important;
+  background-color: #172c38 !important;
+  opacity: 0.98;
+}
 
-  &.active-menu.collapse.in > a.list-group-item.active {
-    color: #000 !important;
-    background-color: #FFF !important;
-  }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsed > a.list-group-item {
+  padding-left: 10px !important;
+  font-size:14px !important;
+}
 
-  &.collapse.in {
-    width: 168px;
-    font-size: 14px;
-    z-index: 10;
-    position: absolute;
-    left: 70px;
-    margin-top: -70px;
-    border: 1px solid #1f3a4a;
-    -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
-    -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
-    box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
-
-    > div.collapse.in {
-      width: 168px;
-      font-size: 14px;
-      z-index: 10;
-      position: absolute;
-      left: 166px;
-      margin-top: -26px;
-      border: 1px solid #1f3a4a;
-      -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
-      -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
-      box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
-    }
-  }
-
-  &.collapsing, &.collapse.in > div.collapsing {
-    display: none;
-  }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item {
+  padding: 3px 8px !important;
+}
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus {
+  text-decoration: none !important;
+  color: #000 !important;
+  background-color: #FFF !important;
+}
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.active-menu-title,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.collapsed:focus,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:focus,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.active-menu.collapse.in >a.list-group-item.active {
+  color: #000 !important;
+  background-color: #FFF !important;
 }
 
 /* Sub Level One */
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in {
+  width:168px;
+  font-size:13px;
+  z-index: 10;
+  position: absolute;
+  left: 70px;
+  margin-top:-70px;
+  border:1px solid #1f3a4a;
+  -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
+  -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
+  box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
+}
 
 /* Sub Level Two */
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in {
+  width:168px;
+  font-size:13px;
+  z-index: 10;
+  position: absolute;
+  left: 166px;
+  margin-top:-26px;
+  border:1px solid #1f3a4a;
+  -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
+  -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
+  box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
+}
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing,
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing {
+  display:none;
+}
 
 button.toggle-sidebar {
-  color: #FFF;
-  background-color: transparent;
-  font-size: 14px;
-  border: none;
+  color:#FFF;
+  background-color:transparent;
+  font-size:14px;
+  border:none;
   margin-top: 18px;
-  float: left;
-  outline: none;
+  float:left;
+  outline:none;
 }
 
 /* COLLAPSE SIDEBAR END*/
 
 #navigation.collapse.in {
-  display: block !important;
-}
+  display: block !important; }
 
-.list-group-submenu .list-group-item:last-child, .collapse .list-group-item:last-child {
-  border-bottom: none;
-}
+.list-group-submenu .list-group-item:last-child,
+.collapse .list-group-item:last-child {
+  border-bottom: none; }
 
-.dropdown-menu > li > a, .dropdown-header {
-  padding: 3px 10px;
-}
+.dropdown-menu > li > a,
+.dropdown-header {
+  padding: 3px 10px; }
 
-.nav-tabs {
-  > {
-    li {
-      border-radius: 0px;
-      border-top-right-radius: 10px;
-      margin-right: 2px;
-
-      > a {
-        border-radius: 0px;
-        border-top-right-radius: 10px;
-        margin-right: 0px;
-        -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
-        -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
-        box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
-      }
-    }
-
-    .dropdown > a {
-      -webkit-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
-      -moz-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
-      box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
-
-      &.pull-right {
-        -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
-        -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
-        box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
-      }
-    }
-
-    li {
-      > a {
-        outline: 0;
-
-        &:hover, &:focus {
-          outline: 0;
-        }
-      }
-
-      &.active > a {
-        background: #315a71 !important;
-        outline: 0;
-      }
-
-      > a.visible-lg-inline-block {
-        &:not(.pull-right) {
-          border-top-right-radius: 0px !important;
-          padding-left: 10px !important;
-          padding-right: 5px !important;
-        }
-
-        &.pull-right {
-          border-left: 0px !important;
-          padding-left: 5px !important;
-          padding-right: 10px !important;
-        }
-      }
-    }
-  }
-
-  &.nav-justified {
-    border-right: 1px solid #656565;
-
-    > li {
-      border-bottom: 1px solid #656565;
-      border-top: 1px solid #656565;
-      border-left: 1px solid #656565;
-      border-radius: 0px;
-      background: #818180;
-
-      > a {
-        color: #FFFFFF;
-        font-family: 'SourceSansProSemibold';
-      }
-    }
-  }
-}
+.nav-tabs > li {
+  border-radius: 0px;
+  border-top-right-radius: 10px;
+  margin-right: 2px; }
 
-@media (min-width: 768px) {
-  .nav-tabs.nav-justified > li > a {
-    border-bottom: 1px solid transparent;
-  }
-}
+.nav-tabs > li > a {
+  border-radius: 0px;
+  border-top-right-radius: 10px;
+  margin-right: 0px;
+  -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
+  -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
+  box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60); }
+
+.nav-tabs > .dropdown > a {
+  -webkit-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60);
+  -moz-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60);
+  box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60); }
+
+.nav-tabs > .dropdown > a.pull-right {
+  -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
+  -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
+  box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60); }
+
+.nav-tabs > li > a,
+.nav-tabs > li > a:hover,
+.nav-tabs > li > a:focus {
+ outline:0;
+ font-weight: 100; }
+
+.nav-tabs > li.active > a {
+  background: #172c38 !important;
+  outline:0;
+  font-weight: 100;  }
+
+.nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
+  border-top-right-radius: 0px !important;
+  padding-left: 10px !important;
+  padding-right: 5px !important; }
+
+.nav-tabs > li > a.visible-lg-inline-block.pull-right {
+  border-left: 0px !important;
+  padding-left: 5px !important;
+  padding-right: 10px !important; }
 
-@media (max-width: 767px) {
-  .nav-tabs.nav-justified > li.active > a {
-    border-right: 0 !important;
-  }
-}
+.nav-tabs.nav-justified {
+  border-right: 1px solid #656565; }
+  .nav-tabs.nav-justified > li {
+    border-bottom: 1px solid #656565;
+    border-top: 1px solid #656565;
+    border-left: 1px solid #656565;
+    border-radius: 0px;
+    background: #818180; }
+    .nav-tabs.nav-justified > li > a {
+      color: #FFFFFF;
+      font-family: 'SourceSansProSemibold'; }
+      @media (min-width: 768px) {
+        .nav-tabs.nav-justified > li > a {
+          border-bottom: 1px solid transparent; } }
+  @media (max-width: 767px) {
+    .nav-tabs.nav-justified > li.active > a {
+      border-right: 0 !important; } }
 
 @media (min-width: 768px) {
   > li.active + li > a {
-    border-left: 1px solid transparent;
-  }
-}
+    border-left: 1px solid transparent; } }
 
 > li:last-child > a {
-  border-right: 1px solid transparent !important;
-}
-
-@media (max-width: 767px) {
-  > li:last-child > a {
-    margin-bottom: 0;
-  }
-}
+  border-right: 1px solid transparent !important; }
+  @media (max-width: 767px) {
+    > li:last-child > a {
+      margin-bottom: 0; } }
 
 .btn .glyphicon {
-  vertical-align: -1px;
-}
-
+  vertical-align: -1px; }
+.table { width:100%; }
 .table {
-  width: 100%;
-  margin-bottom: 0px !important;
-}
+  margin-bottom: 0px !important; }
 
-.nav-tabs-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus {
-  border: 0px !important;
-}
+.nav-tabs-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus {
+  border: 0px !important; }
 
 .table th, strong, b {
-  font-family: 'SourceSansProSemibold';
-  font-weight: normal;
-}
+  font-weight: 100;  }
 
 .table > tbody > tr > td:last-child {
-  padding-right: 15px;
-}
+  padding-right: 5px; }
 
 /* helpers */
-
 .__nowrap {
-  white-space: nowrap;
-}
+  white-space: nowrap; }
 
 .__nomb {
-  margin-bottom: 0;
-}
+  margin-bottom: 0; }
 
 .__mb {
-  margin-bottom: 15px;
-}
+  margin-bottom: 15px; }
 
 .__mt {
-  margin-top: 15px;
-}
+  margin-top: 15px; }
 
 .__ml {
-  margin-left: 15px;
-}
+  margin-left: 15px; }
 
 .__mr {
-  margin-right: 15px;
-}
+  margin-right: 15px; }
 
 .__iconspacer {
-  padding-right: 10px;
-}
+  padding-right: 10px; }
 
 #mainmenu .glyphicon {
-  vertical-align: -2px;
-}
+  vertical-align: -2px; }
 
 .list-group-item {
   overflow: hidden;
-  text-overflow: ellipsis;
-
-  + div {
-    &.collapse {
-      margin-bottom: -1px;
-    }
-
-    > a {
-      padding-left: 44px;
-    }
-  }
-
-  &:before {
+  text-overflow: ellipsis; }
+  .list-group-item + div.collapse {
+    margin-bottom: -1px; }
+  .list-group-item + div > a {
+    padding-left: 44px; }
+  .list-group-item:before {
     background: #FF8B00;
     content: "";
     height: 42px;
@@ -10214,51 +6195,32 @@ button.toggle-sidebar {
     -webkit-transition: width .2s;
     -moz-transition: width .2s;
     -o-transition: width .2s;
-    transition: width .2s;
-  }
-}
+    transition: width .2s; }
 
 .list-group-submenu a {
-  padding-left: 56px;
-}
+  padding-left: 56px; }
 
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #30596F;
-}
-
-.active-menu-title:before, .active-menu a:before {
-  width: 3px;
-}
-
-.active-menu-title.active {
-  background-color: #fff;
-  color: #000;
-}
-
-.active-menu a {
-  &.active {
-    background-color: #fff;
-    color: #000;
-  }
+  background-color: #24323a; }
+  .active-menu-title:before, .active-menu a:before {
+    width: 3px; }
+  .active-menu-title.active, .active-menu a.active {
+	background-color: #fff;
+	color: #000; }
 
-  &:before {
-    background: #FF8B00;
-  }
-}
+.active-menu a:before {
+  background: #FF8B00; }
 
 .alert.alert-danger {
-  color: #FFF !important;
-}
+  color: #FFF !important; }
 
-.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
-  border-radius: 0 !important;
-}
+.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+  border-radius: 0 !important; }
 
 .navbar-brand {
-  padding: 10px 20px;
-}
+  padding: 10px 20px; }
 
 .label-opnsense {
   /* emulates btn */
@@ -10267,150 +6229,110 @@ button.toggle-sidebar {
   font-size: 12px;
   line-height: 1.5;
   border-radius: 3px;
-  border-color: #323232;
-}
+  border-color: #323232;}
 
 .label-opnsense-sm {
   /* emulates btn-sm */
   padding: 6px 11px;
-  border-color: #323232;
-}
+  border-color: #323232;}
 
 .label-opnsense-xs {
   /* emulates btn-xs */
   padding: 2px 5px;
-  border-color: #323232;
-}
+  border-color: #323232;}
 
 ::-webkit-scrollbar {
-  width: 8px;
-}
+  width: 8px; }
 
 ::-webkit-scrollbar-button {
   width: 8px;
-  height: 0px;
-}
+  height: 0px; }
 
 ::-webkit-scrollbar-track {
   background: #e3e3e3;
   box-shadow: 0px 0px 0px;
-  border-radius: 0;
-}
+  border-radius: 0; }
 
 ::-webkit-scrollbar-thumb {
-  background: #315a71;
+  background: #172c38;
   border: thin solid #e5e5e5;
-  border-radius: 0px;
+  border-radius: 0px; }
 
-  &:hover {
-    background: #ec6d12;
-  }
-}
+::-webkit-scrollbar-thumb:hover {
+  background: #ec6d12; }
 
 .widgetdiv {
   padding-top: 0px !important;
-  padding-bottom: 20px;
-}
+  padding-bottom: 20px; }
 
 select {
   overflow: hidden;
   border: 1px solid #1d1d1d;
-  background-color: #427795;
-  color: #FFF;
+  background-color: #f0f0f0;
+  color: #000;
   -webkit-appearance: none;
   -moz-appearance: none;
   appearance: none;
   cursor: pointer;
   background-repeat: no-repeat;
   background-position: right;
-  background-image: url(/ui/themes/tukan/build/images/caret.png) !important;
-
-  &:hover, &:active, &:focus {
-    overflow: hidden;
-    border: 1px solid #1d1d1d;
-    background-color: #336480;
-    color: #FFF;
-    -webkit-appearance: none;
-    -moz-appearance: none;
-    appearance: none;
-    cursor: pointer;
-    background-repeat: no-repeat;
-    background-position: right;
-    background-image: url(/ui/themes/tukan/build/images/caret.png) !important;
-  }
-}
+  background-image: url(/ui/themes/tukan/build/images/caret.png) !important; }
 
-option {
-  &:hover, &:active, &:focus {
-    background-color: #FF7E25;
-  }
-}
+select:hover, select:active, select:focus {
+  overflow: hidden;
+  border: 1px solid #1d1d1d;
+  background-color: #f0f0f0;
+  color: #000;
+  -webkit-appearance: none;
+  -moz-appearance: none;
+  appearance: none;
+  cursor: pointer;
+  background-repeat: no-repeat;
+  background-position: right;
+  background-image: url(/ui/themes/tukan/build/images/caret.png) !important; }
 
-#grid-log th[data-column-id="__timestamp__"], #filter-log-entries th[data-column-id="__timestamp__"] {
-  min-width: 3.5em;
-}
+option:hover, option:active, option:focus {
+    background-color:#FF6E05;
+	}
 
+#grid-log th[data-column-id="__timestamp__"],
+#filter-log-entries th[data-column-id="__timestamp__"] {
+  min-width: 3.5em; }
 #grid-top {
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
-}
+    -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
 
 @media screen and (max-width: 767px) {
   .table-responsive {
-    margin-bottom: 0;
-
-    > .table > {
-      thead > tr > {
-        th, td {
-          white-space: normal;
-        }
-      }
-
-      tbody > tr > {
-        th, td {
-          white-space: normal;
-        }
-      }
-
-      tfoot > tr > {
-        th, td {
-          white-space: normal;
-        }
-      }
-    }
-  }
-}
-
-label > input {
-  &[type="checkbox"], &[type="radio"] {
-    margin-right: .4em;
-    float: left;
-  }
-}
-
-#log-settings {
-  label[for^="act"] {
-    margin-right: 1.5em;
-  }
-
-  table > tbody > tr > td {
-    vertical-align: middle;
-  }
-
-  select {
-    &#filterlogentries, &#filterlogentriesupdateinterval {
-      width: 5em;
-    }
-
-    &#filterlogentriesinterfaces {
-      min-width: 100%;
-      max-width: 100%;
-    }
-  }
-}
+    margin-bottom: 0; }
+    .table-responsive > .table > thead > tr > th,
+    .table-responsive > .table > thead > tr > td,
+    .table-responsive > .table > tbody > tr > th,
+    .table-responsive > .table > tbody > tr > td,
+    .table-responsive > .table > tfoot > tr > th,
+    .table-responsive > .table > tfoot > tr > td {
+      white-space: normal; } }
+
+label > input[type="checkbox"],
+label > input[type="radio"] {
+  margin-right: .4em;
+  float: left; }
+
+#log-settings label[for^="act"] {
+  margin-right: 1.5em; }
+
+#log-settings table>tbody>tr>td {
+  vertical-align: middle; }
+
+#log-settings select#filterlogentries,
+#log-settings select#filterlogentriesupdateinterval {
+  width: 5em; }
+
+#log-settings select#filterlogentriesinterfaces {
+  min-width: 100%;
+  max-width: 100%; }
 
 /* fields in firewall schedule */
-
 [data-state="lightcoral"] {
   background-color: #ffe83e;
 }
@@ -10423,64 +6345,50 @@ label > input {
   background-color: #ffe83e;
 }
 
-#ipsec {
-  #ipsec-mobile, #ipsec-tunnel, #ipsec-overview {
-    background-color: #f0f0f0 !important;
-  }
-
-  .ipsec-tab {
-    background-color: #839caa !important;
-    color: #FFF !important;
+#ipsec #ipsec-mobile, #ipsec #ipsec-tunnel, #ipsec #ipsec-overview {
+	background-color: #f0f0f0 !important;
+}
 
-    &.activetab {
-      background-color: #315a71 !important;
-      color: #FFF !important;
-    }
-  }
+#ipsec .ipsec-tab {
+	background-color: #45565f !important;
+	color: #FFF !important;
 }
 
+#ipsec .ipsec-tab.activetab {
+	background-color: #172c38 !important;
+	color: #FFF !important;
+}
 .fw_pass {
   background-color: #295f2b !important;
-  color: #FFF;
+  color:#FFF;
 }
-
 .fw_block {
-  background-color: #CB4326 !important;
-  color: #FFF;
+  background-color: #A22626 !important;
+  color:#FFF;
 }
-
 .fw_nat {
   background-color: #CBA026 !important;
-  color: #FFF;
+  color:#FFF;
 }
-
-/*additional extensions for theme-tukan*/
+  /*additional extensions for theme-tukan*/
 
 #tab_1 #maintabs {
   border-bottom: 1px solid #b0b0b0;
 }
 
-textarea#update_status {
-  color: inherit !important;
-  -webkit-box-shadow: none !important;
-  box-shadow: none !important;
-  border: none !important;
-
-  &:hover {
-    color: inherit !important;
-    -webkit-box-shadow: none !important;
-    box-shadow: none !important;
-    border: none !important;
-  }
+textarea#update_status, textarea#update_status:hover {
+  color:inherit !important;
+  -webkit-box-shadow:none !important;
+  box-shadow:none !important;
+  border:none !important;
 }
 
 .fa-toggle-off::before {
-  color: #FF8B00 !important;
-  outline: none !important;
-}
+  color:#FF8B00 !important;
+  outline:none !important; }
 
 .fa-toggle-on::before {
-  outline: none !important;
+  outline:none !important;
 }
 
 .fa-search::before, .glyphicon-search::before {
@@ -10488,7 +6396,7 @@ textarea#update_status {
 }
 
 .glyphicon.glyphicon-search::before {
-  color: #000 !important;
+  color:#000 !important;
 }
 
 .fa-times-circle::before {
@@ -10500,42 +6408,30 @@ textarea#update_status {
   content: "\f059";
   cursor: pointer;
 }
-
 .fa-refresh::before {
   content: "\f021";
 }
 
-.bootgrid-header .search .glyphicon, .bootgrid-footer .search .glyphicon, .input-group-addon {
+.bootgrid-header .search .glyphicon, .bootgrid-footer .search .glyphicon,.input-group-addon {
   top: 0;
-  background-color: #FF7E25 !important;
-  border: 1px solid #FF7E25 !important;
+  background-color: #FF6E05 !important;
+  border: 1px solid #FF6E05 !important;
 }
 
-div.container-fluid > {
-  .fa-search::before, .fa-refresh::before {
-    color: #FFFFFF !important;
-  }
-}
+div.container-fluid >.fa-search::before, div.container-fluid >.fa-refresh::before {
+  color: #FFFFFF !important; }
 
-.panel-heading h3:hover {
+.panel-heading h3:hover, h3:focus {
   color: #FFFFFF;
   text-decoration: none;
 }
 
-h3 {
-  &:focus {
-    color: #FFFFFF;
-    text-decoration: none;
-  }
-
-  &:link {
-    color: #FFFFFF;
-    text-decoration: underline;
-  }
+h3:link {
+  color:#FFFFFF;text-decoration: underline;
+}
 
-  &:hover, &:focus {
-    text-decoration: underline;
-  }
+h3:hover, h3:focus {
+  text-decoration: underline;
 }
 
 #grid-log {
@@ -10543,67 +6439,32 @@ h3 {
 }
 
 .table-condensed.table-hover {
-  border: 1px solid #bdbdbd;
+    border: 1px solid #bdbdbd;
 }
 
 #rules.table-condensed.table-hover {
-  border: none;
-}
-
-.btn-group.bootstrap-select {
-  &.open, &:hover {
-    border-color: #323232 !important;
-    color: #FFFFFF !important;
-  }
+    border: none;
 }
 
-.glyphicon {
-  &.glyphicon-play.text-muted, &.glyphicon-remove.text-muted, &.glyphicon-remove-sign.text-muted, &.glyphicon-info-sign.text-muted {
-    color: #000 !important;
-  }
+.btn-group.bootstrap-select.open, .btn-group.bootstrap-select:hover {
+  border-color: #323232 !important;
+  color:#FFFFFF !important;
 }
 
-.fa {
-  &.fa-exclamation.fa-fw.text-muted, &.fa-arrows-h.fa-fw.text-muted {
-    color: #000 !important;
-  }
-
-  &.fa-long-arrow-left {
-    color: #000 !important;
-
-    &::before {
-      color: #000 !important;
-    }
-  }
-
-  &.fa-info-circle.text-muted {
-    color: #000 !important;
-  }
-
-  &.fa-times-circle.text-muted, &.fa-times.text-muted {
-    color: #000 !important;
-
-    &::before {
-      color: #000 !important;
-    }
-  }
-
-  &.fa-play.text-muted::before {
-    color: #000 !important;
-  }
+.glyphicon.glyphicon-play.text-muted, .glyphicon.glyphicon-remove.text-muted, .glyphicon.glyphicon-remove-sign.text-muted, .glyphicon.glyphicon-info-sign.text-muted,.fa.fa-exclamation.fa-fw.text-muted,.fa.fa-arrows-h.fa-fw.text-muted,.fa.fa-long-arrow-left,.fa.fa-long-arrow-left::before,.fa.fa-info-circle.text-muted,.fa.fa-times-circle.text-muted,.fa.fa-times-circle.text-muted::before,.fa.fa-times.text-muted,.fa.fa-times.text-muted::before,.fa.fa-play.text-muted::before {
+  color: #000 !important;
 }
 
 #system_log-widgets.content-box {
-  border: none;
-  box-shadow: none;
+  border:none; box-shadow: none;
 }
 
-#chart, #chart_intf_in, #chart_intf_out, #chart_top_ports, #chart_top_sources, #traffic_graph_widget_chart_in, #traffic_graph_widget_chart_out {
+#chart,#chart_intf_in,#chart_intf_out,#chart_top_ports,#chart_top_sources,#traffic_graph_widget_chart_in,#traffic_graph_widget_chart_out {
   background-color: #FFF;
   border: 1px solid #b0b0b0;
 }
 
-/*additional extensions for sensei*/
+  /*additional extensions for sensei*/
 
 .preloader-wrapper {
   background-color: #e3e3e3 !important;
@@ -10619,67 +6480,67 @@ h3 {
   box-shadow: none !important;
 }
 
-input[type="checkbox"] {
-  &.checkbox-switch + i::before, &.checkbox-icon + i::before {
-    color: #CB4326 !important;
-  }
-
-  &.checkbox-switch {
-    + i::before {
-      color: #CB4326 !important;
-    }
-
-    &:checked + i::before {
-      color: #4FB654 !important;
-    }
-  }
-
-  &.checkbox-icon:checked + i::before, &.checkbox-icon-2:checked + i::before {
-    color: #4FB654 !important;
-  }
+input[type="checkbox"].checkbox-switch + i::before, input[type="checkbox"].checkbox-icon + i::before, input[type="checkbox"].checkbox-switch + i::before {
+  color: #CB4326 !important;
+}
+
+input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox"].checkbox-icon:checked + i::before, input[type="checkbox"].checkbox-icon-2:checked + i::before {
+  color: #4FB654 !important;
 }
 
 .modal-header > span {
   color: #000;
 }
 
-.bootstrap-datetimepicker-widget {
-  table td span:hover {
+.bootstrap-datetimepicker-widget table td span:hover {
     background: none !important;
-  }
+}
 
-  background-color: #FF7E25 !important;
+.bootstrap-datetimepicker-widget {
+  background-color:#FF6E05 !important;
 }
 
-.modal-side {
-  > .p-15 {
-    padding-left: 10px;
-    padding-right: 10px;
-    padding-top: 3px;
-    padding-bottom: 1px;
-    border-bottom: 1px solid #4a4a4a;
-    min-height: 16.42857px;
-    background-color: #427795;
-    color: #FFF;
-  }
+.modal-side > .p-15 {
+  padding-left: 10px;
+  padding-right: 10px;
+  padding-top: 3px;
+  padding-bottom: 1px;
+  border-bottom: 1px solid #4a4a4a;
+  min-height: 16.42857px;
+  background-color: #45565f;
+  color: #FFF;
+}
 
+.modal-side {
   margin: 62px 10px 10px 10px;
   background-color: #f0f0f0 !important;
 }
 
 .panel-report-tools:hover {
-  color: #fff !important;
+  color: #FFF !important;
 }
 
 .alert-primary {
-  background-color: none !important;
+  background-color:none !important;
   color: #000 !important;
 }
 
 label.btn.au-target {
-  color: #FFF !important;
+  color: #000 !important;
 }
 
 .table.border {
   border: 1px solid #bdbdbd;
 }
+
+.rule.text-muted > td:nth-child(1n+3) {
+  text-decoration: line-through;
+}
+
+.rule.text-muted > td:last-child {
+  text-decoration:none;
+}
+
+#reports-tab {
+    border-bottom: 1px solid #a5a5a5;
+}
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/tokenizer2.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/tokenizer2.scss
index bf8dfa8901..831c175858 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/tokenizer2.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/tokenizer2.scss
@@ -7,29 +7,34 @@
     min-height: 34px;
     cursor: text;
     border-radius: 3px;
-    border: 1px solid #4d83a1;
+    border: 1px solid #a8a8a8;
     background-color: #ffffff;
+
     &.disabled {
       background-color: #eee;
       cursor: not-allowed;
     }
   }
+
   &.focus > .tokens-container {
     outline: 0;
-    border-color: #4d83a1;
+    border-color: #a8a8a8;
     background-color: #FFFFFF;
     -webkit-box-shadow: none;
     box-shadow: none;
   }
+
   > .tokens-container {
     &.input-sm {
       padding: 0 0 4px 4px;
       min-height: 30px;
     }
+
     &.input-lg {
       padding: 0 0 9px 9px;
       min-height: 46px;
     }
+
     > {
       .token {
         padding: 0 1.2em 0 5px;
@@ -43,6 +48,7 @@
         position: relative;
         vertical-align: middle;
       }
+
       .placeholder, .token-search {
         display: inline-block;
         margin: 5px 5px 0 0;
@@ -51,35 +57,42 @@
       }
     }
   }
+
   &.sortable > .tokens-container > .token {
     cursor: move;
   }
+
   &.single > .tokens-container > .token {
     display: block;
     border-color: #fff;
     background-color: transparent;
   }
+
   &.sortable > .tokens-container > .token.shadow {
     border-color: #ccc;
     background-color: #ccc;
     filter: alpha(opacity = 50);
     opacity: .2;
   }
+
   > .tokens-container {
     > {
       .placeholder {
         color: #c9c9c9;
         padding: 0;
       }
+
       .token-search {
         color: #000;
         padding: 0;
       }
     }
+
     &:focus, &:hover {
-      border-color: #00A7FF;
+      border-color: #FF6E05;
       background-color: #FFFFFF;
     }
+
     > .token-search > input {
       padding: 0;
       margin: 0;
@@ -88,35 +101,42 @@
       border: none;
       outline: none;
       width: 100%;
+
       &::-ms-clear {
         display: none;
       }
     }
+
     &.input-sm > {
       .placeholder, .token-search, .token {
         margin: 4px 4px 0 0;
       }
     }
+
     &.input-lg > {
       .placeholder, .token-search, .token {
         margin: 9px 9px 0 0;
       }
     }
+
     > .token {
       &.pending-delete {
         background-color: #5b72a4;
         border-color: #425c96;
         color: #fff;
+
         > .dismiss {
           color: #fff;
         }
       }
+
       > .dismiss {
         position: absolute;
         right: 5px;
         color: #a9b9d8;
         text-decoration: none;
         cursor: pointer;
+
         &:after {
           content: "×";
           color: #000;
@@ -129,6 +149,7 @@
 .tokenize-dropdown {
   position: absolute;
   display: none;
+
   > .dropdown-menu {
     min-height: 10px;
     width: 100%;
@@ -136,11 +157,14 @@
     margin: -1px 0 0 0;
     visibility: visible;
     opacity: 1;
+
     li {
       cursor: pointer;
+
       > a .tokenize-highlight {
         font-weight: bold;
       }
+
       &.locked {
         padding: 3px 20px;
         color: #333;
@@ -148,10 +172,12 @@
         text-overflow: ellipsis;
         overflow-x: hidden;
       }
+
       > a {
         text-overflow: ellipsis;
         overflow-x: hidden;
       }
+
       &:not(.active) a {
         &:hover, &:focus {
           background-color: transparent;
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select-1.13.3.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select-1.13.3.css
index d8cfa48d25..01c6683218 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select-1.13.3.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select-1.13.3.css
@@ -25,7 +25,7 @@ select.selectpicker {
 .bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
 .bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
 .bootstrap-select > .dropdown-toggle.bs-placeholder:active {
-  color: #fff;
+  color: #000;
 }
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/jquery.bootgrid.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/jquery.bootgrid.css
index 7f871447e6..3440c283d3 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/jquery.bootgrid.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/jquery.bootgrid.css
@@ -39,8 +39,8 @@
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu {
-  color: #fff;
-  background-color: #30596f;
+  color: #000;
+  background-color: #f0f0f0;
   border-color: #1d1d1d;
   text-align: left;
 }
@@ -95,6 +95,7 @@
   -o-text-overflow: ellipsis;
   text-overflow: ellipsis;
   white-space: nowrap;
+  color:#FFF;
 }
 .bootgrid-table th > .column-header-anchor > .icon {
   color: #000;
@@ -141,6 +142,7 @@
   -o-text-overflow: inherit !important;
   text-overflow: inherit !important;
   white-space: inherit !important;
+  color: #FFF;
 }
 .table-responsive .bootgrid-table td {
   overflow: inherit !important;
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index df4a0ea045..f99129bc81 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -1,13 +1,13 @@
 @charset "UTF-8";
 .widgetdiv .content-box-head {
-  background: #294c5f !important;
+  background: #354248 !important;
   color: #FFF !important;
   padding-bottom: 1px !important;
   padding-top: 1px !important;
   padding-right: 1px !important;
-  padding-left: 5px !important;
+  padding-left: 4px !important;
   min-height: 25px !important;
-  border: 1px solid #fff; }
+  border: 1px solid #2f2f2f; }
 
   .widgetdiv .content-box-head .btn-group .btn {
     color: #FFFFFF !important;
@@ -27,6 +27,7 @@
 @font-face {
   font-family: 'SourceSansProRegular';
   src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype"); }
+  
 /*! normalize.css v3.0.1 | MIT License | git.io/normalize */
 table
 html {
@@ -67,7 +68,7 @@ template {
   display: none; }
 
 a {
-  color: #FF6C06;
+  color: #D95E04;
   text-decoration: none;
   background: transparent;
   outline: 0;  }
@@ -76,7 +77,7 @@ a {
 	outline: 0; }
 
   a:hover, a:focus {
-    color: #FF6C06;
+    color: #D95E04;
     text-decoration: underline; }
 
 abbr[title] {
@@ -90,7 +91,7 @@ dfn {
   font-style: italic; }
 
 h1 {
-  font-size: 2em;
+  font-size: 8em;
   margin: 0.67em 0; }
 
 mark {
@@ -210,7 +211,7 @@ table {
   border-collapse: none;
   border-spacing: 0;
   color: #000;
-  background-color: #F0F0F0;
+  background-color: #fff;
   width: 100%; }
 
 td,
@@ -924,7 +925,7 @@ html {
 
 body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
-  font-size: 14px;
+  font-size:14px;
   line-height: 1.428571429;
   color: #000;
 }
@@ -996,7 +997,6 @@ hr {
 
 h1, h2, h3, h4, h5, h6,
 .h1, .h2, .h3, .h4, .h5, .h6 {
-  font-family: "SourceSansProSemiBold";
   font-weight: 100;
   line-height: 1.4;
   color: inherit; }
@@ -1051,22 +1051,23 @@ h6, .h6 {
     font-size: 75%; }
 
 h1, .h1 {
-  font-size: 23px; }
+  font-size: 24px;
+  font-weight: bold;  }
 
 h2, .h2 {
   font-size: 16px; }
 
 h3, .h3 {
-  font-size: 14px; }
+  font-size:14px; }
 
 h4, .h4 {
   font-size: 18px; }
 
 h5, .h5 {
-  font-size: 14px; }
+  font-size:14px; }
 
 h6, .h6 {
-  font-size: 12px; }
+  font-size:12px; }
 
 p {
   margin: 0 0 10px; }
@@ -1132,7 +1133,7 @@ a.text-success:hover {
   color: #7fc54f; }
 
 .text-info {
-  color: #47809f; }
+  color: #ff6e05; }
 
 a.text-info:hover {
   color: #245269; }
@@ -1182,6 +1183,9 @@ a.bg-warning:hover {
 a.bg-danger:hover {
   background-color: #ec2121; }
 
+fa.fa-long-arrow-right {
+  color: #d951ff !important; }
+
 .page-header {
   padding-bottom: 9px;
   margin: 40px 0 20px;
@@ -2036,7 +2040,7 @@ th {
     padding: 10px 0px 10px 20px;
     line-height: 1.428571429;
     vertical-align: top;
-	border-top: 1px solid #e3e3e3; }
+    border-top: 1px solid #f0f0f0; }
   .table > thead > tr > th {
     vertical-align: bottom;  }
   .table > caption + thead > tr:first-child > th,
@@ -2048,10 +2052,11 @@ th {
     border-top: 0;
     font-family: 'SourceSansProSemibold';
     font-weight: normal;
-	border-bottom: 1px solid #bdbdbd;
-	background-color: #e3e3e3;}
+    border-bottom: 1px solid #5e5e5e;
+    background-color: #45565f;
+    color: #FFF;}
   .table > tbody + tbody {
-    border-top: 2px solid #eee; }
+    border-top: 2px solid #5e5e5e; }
   .table .table {
     background-color: none; }
 
@@ -2078,11 +2083,12 @@ th {
 
 .table-striped > tbody > tr:nth-child(odd) > td,
 .table-striped > tbody > tr:nth-child(odd) > th {
-  background-color: #fbfbfb; }
+  background-color: #fff; }
 
 .table-hover > tbody > tr:hover > td,
 .table-hover > tbody > tr:hover > th {
-  background-color:#f2fafe; }
+  background-color: #738087;
+  color: #FFF; }
 
 table col[class*="col-"] {
   position: static;
@@ -2271,7 +2277,7 @@ input[type="checkbox"]:focus {
 output {
   display: block;
   padding-top: 7px;
-  font-size: 14px;
+  font-size:14px;
   line-height: 1.428571429;
   color: #000; }
 
@@ -2296,12 +2302,12 @@ input[type="color"]
   width: 100%;
   height: 34px;
   padding: 6px 12px;
-  font-size: 14px;
+  font-size:14px;
   line-height: 1.428571429;
   color: #000;
   background-color: #FFF;
   background-image: none;
-  border: 1px solid #4d83a1;
+  border: 1px solid #1b4257;
   border-radius: 3px;
   text-overflow: ellipsis;
   max-width: 348px;
@@ -2328,7 +2334,7 @@ input[type="color"]
    {
 	color: #000;
 	background-color: none;
-    border-color: #00A7FF;
+  border-color: #ff6e05;
 	outline: 0; }
 
   select:focus,
@@ -2349,10 +2355,10 @@ input[type="color"]
   input[type="color"]:focus
 
    {
-    color: #000;
-	border-color: #00A7FF;
-	background-color: none;
-	outline: 0; }
+     color: #000;
+     border-color: #FF6E05;
+     background-color: none;
+     outline: 0; }
 
   select::-moz-placeholder,
   textarea::-moz-placeholder,
@@ -2464,7 +2470,7 @@ input[type="color"]
 	background-color: #f0f0f0;
 	opacity: 1.0;
 	filter: alpha(opacity=100);
-	border-color: #4d83a1;
+	border-color: #a8a8a8;
 	color:#a8a8a8;}
 
   select[disabled]:hover, select[readonly]:hover, fieldset[disabled]:hover,
@@ -2887,26 +2893,26 @@ select[multiple].input-lg,
   background-image: none;
   white-space: nowrap;
   padding: 6px 12px;
-  font-size: 14px;
+  font-size:14px;
   line-height: 1.428571429;
   border-radius: 3px;
   -webkit-user-select: none;
   -moz-user-select: none;
   -ms-user-select: none;
   user-select: none;
-  color: #FFFFFF;
-  background-color: #457995;
+  color: #000;
+  background-color: none;
   border: 1px solid #1b4257;
   outline:0; }
 .btn:active, .btn.active, .open > .btn.dropdown-toggle {
-   color: #FFF;
-    background-color: #30596f;
-	outline:0;
-    border-color: #1d1d1d;
-	text-decoration: none; }
+  color: #000;
+  background-color: none;
+  outline:0;
+  border-color: #1d1d1d;
+  text-decoration: none; }
 .btn:hover, .btn:focus {
-	background-color: #315a71;
-	color: #FFF;
+	background-color: #dbdbdb;
+	color: #000;
 	border-radius: 3px;
 	border: 1px solid #1b4257;
 	text-decoration: none;}
@@ -2939,13 +2945,14 @@ select[multiple].input-lg,
     box-shadow: none; }
 
 .act_flush:hover, .act_flush:focus {
-  color: #FFF;
-  background-color: #336480;
+  color: #000;
+  background-color: #dbdbdb;
   border-color: 1px solid #1d1d1d;
   outline:0; }
 
   .btn-default:active, .btn-default.active, .open > .btn-default.dropdown-toggle {
-    background-image: none;
+    background-color: #dbdbdb;
+    color:#000;
     outline:0; }
   .btn-default.disabled, .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active, .btn-default[disabled], .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active, fieldset[disabled] .btn-default, fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
     background-color: #FFFFFF;
@@ -2958,20 +2965,20 @@ select[multiple].input-lg,
 
 .btn-primary {
   color: #fff !important;
-  background-color: #FF7E25;
-  border: 1px solid #6c6c6c;
+  background-color: #FF6E05;
+  border: 1px solid #1b4257;
   outline:0;   }
   .btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
     color: #fff;
     background-color: #EC7726;
-    border-color: 1px solid #6c6c6c;
+    border-color: 1px solid #1b4257;
     outline:0; }
 
   .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
     background-image: none; }
   .btn-primary.disabled, .btn-primary.disabled:hover, .btn-primary.disabled:focus, .btn-primary.disabled:active, .btn-primary.disabled.active, .btn-primary[disabled], .btn-primary[disabled]:hover, .btn-primary[disabled]:focus, .btn-primary[disabled]:active, .btn-primary[disabled].active, fieldset[disabled] .btn-primary, fieldset[disabled] .btn-primary:hover, fieldset[disabled] .btn-primary:focus, fieldset[disabled] .btn-primary:active, fieldset[disabled] .btn-primary.active {
-    background-color: #FF7E25;
-    border-color: #6c6c6c;
+    background-color: #FF6E05;
+    border-color: #1b4257;
     outline:0; }
 
   .btn-primary .badge {
@@ -3019,7 +3026,7 @@ select[multiple].input-lg,
 
 .btn-warning {
   color: #fff;
-  background-color: #FF7E25;
+  background-color: #FF6E05;
   border-color: #1b4257; }
   .btn-warning:hover, .btn-warning:focus, .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
     color: #fff;
@@ -3160,10 +3167,10 @@ tbody.collapse.in {
   padding: 5px 0;
   margin: 2px 0 0;
   list-style: none;
-  font-size: 14px;
+  font-size:14px;
   text-align: left;
-  background-color: #315a71;
-  color: #fff;
+  background-color: #f0f0f0;
+  color: #000;
   border-left: 1px solid #1b4257;
   border-right: 1px solid #1b4257;
   border-bottom: 1px solid #1b4257;
@@ -3192,20 +3199,20 @@ tbody.collapse.in {
     clear: both;
     font-weight: normal;
     line-height: 1.428571429;
-    color: #fff;
+    color: #000;
     white-space: nowrap;
 	outline:0;}
 
 .dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus {
   text-decoration: none;
   color: #FFFFFF;
-  background-color: #FF7E25; }
+  background-color: #FF6E05; }
 
 .dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus {
   color: #fff;
   text-decoration: none;
   outline: 0;
-  background-color: #FF7E25; }
+  background-color: #FF6E05; }
 
 .dropdown-menu > .disabled > a, .dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
   color: #777777; }
@@ -3343,7 +3350,7 @@ tbody.collapse.in {
 
 .btn-group .dropdown-toggle:active, .btn-group .dropdown-toggle:hover, .btn-group.open .dropdown-toggle {
   outline: 0;
-  color: #FFFFFF;
+  color: #000;
   background-color: none;
   border-color: #000; }
 
@@ -3468,7 +3475,7 @@ tbody.collapse.in {
 
 .input-group-addon {
   padding: 6px 12px;
-  font-size: 14px;
+  font-size:14px;
   font-weight: normal;
   line-height: 1;
   color: #FFF;
@@ -3555,21 +3562,21 @@ tbody.collapse.in {
 		border-radius: 0px;
 		border-top-right-radius: 10px;
 		margin-right: 0px;
-		background-color: #315a71;
+		background-color: #172c38;
 		opacity: 0.6;
 		filter: alpha(opacity=50);}
 	.nav > li#menu_messages > a {
       position: relative;
       display: block;
       padding: none;
-	  color:#FF7E25;
+	  color:#FF6E05;
 	  background-color:transparent;
 	  margin-right: 10px;
 	  border:none;
 	  opacity: 1.0;}
       .nav > li > a:hover, .nav > li > a:focus {
         text-decoration: none;
-        background-color: #315a71;
+        background-color: #172c38;
 		color: #FFF;
 		opacity: 0.8; }
 		.nav > li#menu_messages > a:hover, a:focus {
@@ -3585,8 +3592,8 @@ tbody.collapse.in {
 		  cursor: not-allowed; }
 
   .nav .open > a, .nav .open > a:hover, .nav .open > a:focus {
-    background-color: #336480;
-	cursor:pointer; }
+    background-color: #172c38;
+    cursor:pointer; }
 
   .nav .nav-divider {
     height: 1px;
@@ -3933,7 +3940,7 @@ tbody.collapse.in {
   .navbar-default .navbar-nav > li > a {
     color: #F7F7F7; }
     .navbar-default .navbar-nav > li > a:hover, .navbar-default .navbar-nav > li > a:focus {
-      color: #FF7E25;
+      color: #FF6E05;
       background-color: transparent; }
 
   .navbar-default .navbar-nav > .active > a, .navbar-default .navbar-nav > .active > a:hover, .navbar-default .navbar-nav > .active > a:focus {
@@ -4069,8 +4076,8 @@ tbody.collapse.in {
       padding: 6px 12px;
       line-height: 1.428571429;
       text-decoration: none;
-      color: #FFFFFF;
-      background-color: #427795;
+      color: #FFF;
+      background-color: #45565f;
       border: 1px solid rgba(23, 44, 56, 0.4);
       margin-left: -1px;
       cursor: pointer; }
@@ -4087,7 +4094,7 @@ tbody.collapse.in {
   .pagination > li > span:hover,
   .pagination > li > span:focus {
     color: #FFFFFF;
-    background-color: #FF7E25; }
+    background-color: #FF6E05; }
 
   .pagination > .active > a, .pagination > .active > a:hover, .pagination > .active > a:focus,
   .pagination > .active > span,
@@ -4095,7 +4102,7 @@ tbody.collapse.in {
   .pagination > .active > span:focus {
     z-index: 2;
     color: #FFFFFF;
-    background-color: #FF7E25;
+    background-color: #FF6E05;
     cursor: default; }
 
   .pagination > .disabled > span,
@@ -4211,7 +4218,7 @@ a.label:hover, a.label:focus {
 
 
 .label-success {
-  background-color: #4FB654;
+  background-color: #397E37;
   border-color: #323232;}
   .label-success[href]:hover, .label-success[href]:focus {
     background-color: #7fc54f;
@@ -4250,7 +4257,7 @@ a.label:hover, a.label:focus {
   vertical-align: baseline;
   white-space: nowrap;
   text-align: center;
-  background-color: #777777;
+  background-color: #ff6e05;
   border-radius: 10px; }
   .badge:empty {
     display: none; }
@@ -4392,8 +4399,8 @@ a.thumbnail.active {
     color: #df8a13; }
 
 .alert-danger {
-	background-color: #30596f;
-	border-color: #b0b0b0; }
+	background-color: #45565f;
+	border-color: #f00; }
   .alert-danger hr {
     border-top-color: #DA4829; }
   .alert-danger .alert-link {
@@ -4414,30 +4421,25 @@ a.thumbnail.active {
   color: #000;
   overflow: hidden;
   height: 20px;
-  background-color: #DBDBDB;
-  border-radius: 3px;
-  position: relative;
-  -webkit-box-shadow: inset 0px 1px 2px 1px rgb(172, 172, 172);
-	box-shadow: inset inset 0px 1px 2px 1px rgb(172, 172, 172); }
+  background-color: #EAEAEA;
+  border: 1px solid #b9b9b9;
+  position: relative; }
 
 .progress-bar {
   float: left;
   width: 0%;
   height: 100%;
   font-size: 12px;
-  line-height: 20px;
   color: #fff;
   text-align: center;
-  background-color: #FF7E25;
+  background-color: #FF6E05;
   position: relative;
   z-index: 2;
   -webkit-box-shadow: inset 0 20px 0 rgba(0, 0, 0, 0.15);
   box-shadow: inset 0 20px 0 rgba(0, 0, 0, 0.15);
   -webkit-transition: width 0.6s ease;
   -o-transition: width 0.6s ease;
-  transition: width 0.6s ease;
-  margin: 1px 0 0 0 !important;
-}
+  transition: width 0.6s ease; }
 
 .progress-striped .progress-bar,
 .progress-bar-striped {
@@ -4469,7 +4471,7 @@ a.thumbnail.active {
     background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
 
 .progress-bar-info {
-  background-color: #038CCF; }
+  background-color: #45565f; }
   .progress-striped .progress-bar-info {
     background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
     background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
@@ -4526,7 +4528,7 @@ a.thumbnail.active {
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #294c5f; }
+  background-color: #172c38; }
   .list-group-item:last-child {
     margin-bottom: 0; }
   .list-group-item > .badge {
@@ -4685,7 +4687,7 @@ a.list-group-item-danger {
   border-bottom: 1px solid #b0b0b0;
   border-top-right-radius: 2px;
   border-top-left-radius: 2px;
-  background-color: #30596f; }
+  background-color: #45565f; }
 
   .panel-heading > .dropdown .dropdown-toggle {
     color: inherit; }
@@ -5055,7 +5057,7 @@ button.close {
   padding-bottom:1px;
   border-bottom: 1px solid #4a4a4a;
   min-height: 16.42857px;
-  background-color: #427795;
+  background-color: #45565f;
   color: #FFF; }
 
 .modal-header .close {
@@ -5071,13 +5073,13 @@ button.close {
   background-color: #FFF;}
 .modal-body .table-hover > tbody > tr:hover > td,
 .modal-body .table-hover > tbody > tr:hover > th {
-  background-color: #336480;
+  background-color: #f06702;
   color: #FFF; }
 
 .modal-footer {
   padding: 5px;
   text-align: right;
-  background-color: #f0f0f0;
+  background-color: #ddd;
   border-top: 1px solid inherit; }
   .modal-footer:before, .modal-footer:after {
     content: " ";
@@ -5228,7 +5230,7 @@ button.close {
 .popover-title {
   margin: 0;
   padding: 8px 14px;
-  font-size: 14px;
+  font-size:14px;
   font-weight: normal;
   line-height: 18px;
   background-color: #f7f7f7;
@@ -5496,7 +5498,7 @@ button.close {
 
 .show {
   display: block !important;
-  color:#757575;}
+  color: #2ba632; }
 
 .invisible {
   visibility: hidden; }
@@ -5697,7 +5699,7 @@ html, body {
   height: 100%;
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
-  scrollbar-color: #315a71 #e3e3e3;
+  scrollbar-color: #45565f #e3e3e3;
   background-color: #fff;
 }
 
@@ -5727,19 +5729,18 @@ body {
   .page-content > .row {
     height: 100%; }
 .page-content-head .container-fluid {
-  background-color: #FBFBFB;
-  margin-left: 20px;
+  color:#000;
+  background-color: none;
   margin-right: 20px;
-  border: 1px solid #b0b0b0;
+  margin-left: 20px;
+  border-bottom: 1px solid #aeaeae;
   border-radius: 0px;
-  min-height: 47px;
-  height:auto;
-  padding: 6px 14px 5px 14px;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
+  min-height: 46px;
+  height: 46px;
+  padding: 9px 14px 5px 0px; }
 
 .page-content-head, .content-box-head {
-  padding-bottom: 2px;
+  padding-bottom: 5px;
   padding-top: 10px;
   color:#000;
 }
@@ -5750,9 +5751,18 @@ body {
 	line-height: inherit;
     margin: 0; }
 
+.page-content-head h1, content-box-head h1 {
+    padding-left: 10px;
+    padding-right: 10px;
+    color: #000;
+    text-decoration-line: none;
+    font-weight: bold;
+    text-transform: uppercase;
+}
+
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 9px 0px 21px 0px;
+  padding: 6px 0px 21px 0px;
 }
 
 .page-side {
@@ -5788,7 +5798,7 @@ body {
   padding: 0px 0px;
   margin: 0px 0px;
   background: none;
-  border: 1px solid #b0b0b0;
+  border: 1px solid #a8a8a8;
   -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
   box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
 .content-box hr {
@@ -5832,7 +5842,7 @@ body {
     padding-top: 0 !important; } }
 
 .page-login {
-  background: #172c38; }
+  background: #FFF; }
   .page-login .container {
     min-height: 100%;
     margin-bottom: -60px; }
@@ -5841,13 +5851,17 @@ body {
 .page-login .login-foot {color:#FFF;}
 
 .login-foot {
-  font-size: 12px; }
+  font-size: 12px; 
+  max-width: 400px;
+  margin: 0px auto 0px auto;
+  background-color: #172c38;}
 
 .login-modal-container {
   color:#FFF;
-  border: 1px solid #fff;
+  border: none;
   max-width: 400px;
-  margin: 100px auto 15px auto; }
+  margin: 100px auto 0px auto; 
+  background-color: #172c38;}
 .login-modal-head {
   height: 75px;
   padding: 0 20px; }
@@ -5933,12 +5947,12 @@ main.page-content.col-lg-12 {
   padding-left: 0px;
   padding-right: 0px;
   padding-top:15px;
-  border-bottom:2px solid #1b313e;
+  border-bottom:2px solid #515151;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing > a.list-group-item {
   padding-left: 10px !important;
-  font-size: 14px !important;
+  font-size:14px !important;
   display: block !important;
   position: absolute !important;
   left: 70px !important;
@@ -5946,7 +5960,7 @@ main.page-content.col-lg-12 {
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing > a.list-group-item {
   padding-left: 10px !important;
-  font-size: 14px !important;
+  font-size:14px !important;
   display: block !important;
   position: absolute !important;
   left: 166px !important;
@@ -5963,15 +5977,15 @@ main.page-content.col-lg-12 {
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
   padding-left: 10px !important;
-  font-size: 14px !important;
-  background-color: #294c5f !important;
+  font-size:14px !important;
+  background-color: #172c38 !important;
   opacity: 0.98;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item,
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsed > a.list-group-item {
   padding-left: 10px !important;
-  font-size: 14px !important;
+  font-size:14px !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
@@ -5997,7 +6011,7 @@ main.page-content.col-lg-12 {
 /* Sub Level One */
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in {
   width:168px;
-  font-size:14px;
+  font-size:13px;
   z-index: 10;
   position: absolute;
   left: 70px;
@@ -6011,7 +6025,7 @@ main.page-content.col-lg-12 {
 /* Sub Level Two */
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in {
   width:168px;
-  font-size:14px;
+  font-size:13px;
   z-index: 10;
   position: absolute;
   left: 166px;
@@ -6076,11 +6090,13 @@ button.toggle-sidebar {
 .nav-tabs > li > a,
 .nav-tabs > li > a:hover,
 .nav-tabs > li > a:focus {
- outline:0; }
+ outline:0;
+ font-weight: 100; }
 
 .nav-tabs > li.active > a {
-  background: #315a71 !important;
-  outline:0; }
+  background: #172c38 !important;
+  outline:0;
+  font-weight: 100;  }
 
 .nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
   border-top-right-radius: 0px !important;
@@ -6130,11 +6146,10 @@ button.toggle-sidebar {
   border: 0px !important; }
 
 .table th, strong, b {
-  font-family: 'SourceSansProSemibold';
-  font-weight: normal; }
+  font-weight: 100;  }
 
 .table > tbody > tr > td:last-child {
-padding-right: 15px; }
+  padding-right: 5px; }
 
 /* helpers */
 .__nowrap {
@@ -6188,7 +6203,7 @@ padding-right: 15px; }
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #30596F; }
+  background-color: #24323a; }
   .active-menu-title:before, .active-menu a:before {
     width: 3px; }
   .active-menu-title.active, .active-menu a.active {
@@ -6239,7 +6254,7 @@ padding-right: 15px; }
   border-radius: 0; }
 
 ::-webkit-scrollbar-thumb {
-  background: #315a71;
+  background: #172c38;
   border: thin solid #e5e5e5;
   border-radius: 0px; }
 
@@ -6253,8 +6268,8 @@ padding-right: 15px; }
 select {
   overflow: hidden;
   border: 1px solid #1d1d1d;
-  background-color: #427795;
-  color: #FFF;
+  background-color: #f0f0f0;
+  color: #000;
   -webkit-appearance: none;
   -moz-appearance: none;
   appearance: none;
@@ -6266,8 +6281,8 @@ select {
 select:hover, select:active, select:focus {
   overflow: hidden;
   border: 1px solid #1d1d1d;
-  background-color: #336480;
-  color: #FFF;
+  background-color: #f0f0f0;
+  color: #000;
   -webkit-appearance: none;
   -moz-appearance: none;
   appearance: none;
@@ -6277,7 +6292,7 @@ select:hover, select:active, select:focus {
   background-image: url(/ui/themes/tukan/build/images/caret.png) !important; }
 
 option:hover, option:active, option:focus {
-    background-color:#FF7E25;
+    background-color:#FF6E05;
 	}
 
 #grid-log th[data-column-id="__timestamp__"],
@@ -6335,12 +6350,12 @@ label > input[type="radio"] {
 }
 
 #ipsec .ipsec-tab {
-	background-color: #839caa !important;
+	background-color: #45565f !important;
 	color: #FFF !important;
 }
 
 #ipsec .ipsec-tab.activetab {
-	background-color: #315a71 !important;
+	background-color: #172c38 !important;
 	color: #FFF !important;
 }
 .fw_pass {
@@ -6348,7 +6363,7 @@ label > input[type="radio"] {
   color:#FFF;
 }
 .fw_block {
-  background-color: #CB4326 !important;
+  background-color: #A22626 !important;
   color:#FFF;
 }
 .fw_nat {
@@ -6399,8 +6414,8 @@ textarea#update_status, textarea#update_status:hover {
 
 .bootgrid-header .search .glyphicon, .bootgrid-footer .search .glyphicon,.input-group-addon {
   top: 0;
-  background-color: #FF7E25 !important;
-  border: 1px solid #FF7E25 !important;
+  background-color: #FF6E05 !important;
+  border: 1px solid #FF6E05 !important;
 }
 
 div.container-fluid >.fa-search::before, div.container-fluid >.fa-refresh::before {
@@ -6482,7 +6497,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .bootstrap-datetimepicker-widget {
-  background-color:#FF7E25 !important;
+  background-color:#FF6E05 !important;
 }
 
 .modal-side > .p-15 {
@@ -6492,7 +6507,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
   padding-bottom: 1px;
   border-bottom: 1px solid #4a4a4a;
   min-height: 16.42857px;
-  background-color: #427795;
+  background-color: #45565f;
   color: #FFF;
 }
 
@@ -6502,7 +6517,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .panel-report-tools:hover {
-  color: #fff !important;
+  color: #FFF !important;
 }
 
 .alert-primary {
@@ -6511,9 +6526,21 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 label.btn.au-target {
-  color: #FFF !important;
+  color: #000 !important;
 }
 
 .table.border {
-    border: 1px solid #bdbdbd;
+  border: 1px solid #bdbdbd;
+}
+
+.rule.text-muted > td:nth-child(1n+3) {
+  text-decoration: line-through;
+}
+
+.rule.text-muted > td:last-child {
+  text-decoration:none;
+}
+
+#reports-tab {
+    border-bottom: 1px solid #a5a5a5;
 }
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/pick-a-color-1.2.3.min.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/pick-a-color-1.2.3.min.css
index 0606f04c53..4cfbe3d1f4 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/pick-a-color-1.2.3.min.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/pick-a-color-1.2.3.min.css
@@ -22,9 +22,9 @@
 .pick-a-color-markup .color-menu .color-preview.violet{background-color:#ee81ee}
 .pick-a-color-markup .color-menu .color-preview.purple{background-color:#80007f}
 .pick-a-color-markup .color-menu .color-preview.black{background-color:#000}
-.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#FFF}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:none}
+.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{padding:5px 15px 3px 15px;cursor:default;min-height:25px;color:#000}.pick-a-color-markup .color-menu .basicColors-content li>a:hover,.pick-a-color-markup .color-menu .savedColors-content li>a:hover{background-color:none}
 @media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li>a,.pick-a-color-markup .color-menu .savedColors-content li>a{min-height:40px}}
-.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{color:#FFF;background-image:none;filter:none;text-decoration:none;font-weight:bold}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{background-color:#fff;font-weight:normal}}
+.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{color:#000;background-image:none;filter:none;text-decoration:none;font-weight:bold}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .basicColors-content li:hover a,.pick-a-color-markup .color-menu .savedColors-content li:hover a{background-color:#fff;font-weight:normal}}
 .pick-a-color-markup .color-menu .btn.color-select{margin:0px 5px;height:20px;padding:0px 5px;margin-top:0px;line-height:1.5px;border-radius:4px}@media screen and (max-width:991px){.pick-a-color-markup .color-menu .btn.color-select{height:35px}}
 .pick-a-color-markup .caret{margin-bottom:3px;color: #000;}
 .pick-a-color-markup .color-menu-instructions,.pick-a-color-markup .advanced-instructions{text-align:center;padding:0px 6px;margin:0px;font-size:14px;font-weight:normal}@media screen and (min-width:992px){.pick-a-color-markup .color-menu-instructions,.pick-a-color-markup .advanced-instructions{display:none}}
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/tokenize2.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/tokenize2.css
index 56bd92a6d0..8feb992392 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/tokenize2.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/tokenize2.css
@@ -6,8 +6,8 @@
     min-height: 34px;
     cursor: text;
     border-radius: 3px;
-	border: 1px solid #4d83a1;
-	background-color: #ffffff;
+    border: 1px solid #a8a8a8;
+    background-color: #ffffff;
 }
 
 .tokenize > .tokens-container.disabled {
@@ -17,7 +17,7 @@
 
 .tokenize.focus > .tokens-container {
     outline: 0;
-	border-color:#4d83a1;
+	border-color:#a8a8a8;
 	background-color:#FFFFFF;
 	-webkit-box-shadow: none;
 	box-shadow: none;
@@ -80,7 +80,7 @@
 
 .tokenize > .tokens-container:focus,
 .tokenize > .tokens-container:hover {
-	border-color:#00A7FF;
+	border-color:#FF6E05;
 	background-color:#FFFFFF;
 }
 
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/caret.png b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/caret.png
index eade468d75883b756f15060b233eff15e314b215..c5a91e69a3bf5d9cf9aa3d2708e50fa28a124af2 100644
GIT binary patch
delta 2922
zcmV-w3zhW43HKI|8Gi-<001bu2Mz!L3b$!PLr_UWLm*IcZ)Rz1WdHz3$E}xlP*eF9
z$A9;xhlCagMM~&RdI#w>bm<@}AqgRr5K>UFA+opvYe7T=%Ze^l!L`s96|rDNz+M+*
zQBc>#f}p7E1s>tOH?x1dnRha0?k8u?Jvry*{ARuv0MZD9&wo#cWdX?Gi3H((p0wDw
zcpC0^03#nfkONu_rjYLu78V5l(LUV+(9HF==}ax~znL71Eo1@!g&~~85;8LoK81J>
zlP?effXYYWI;%wd8LmZGL4Y)faK{XD=D2r;ljiu3*__C5FN7xnz>^pZ0S5pQ8i~`g
znH;1JNf%)Y9)F9=LpTy)S7r)>g>Wgti!(AZXSfq#!=!(!!}*VzNs^ij21mkkv&<Ua
zn=9m}GuD9rw`HV@=YK;RaZ-xFKODL0BhRchEi+KUyrhuOdFHZa^Jh6l>>oAHOrcl&
zJhK?yf%7a*i}ILfhG5}du81Bv&w|WwNqx4^Cqh!6O@9xP^pGAR;bg8aeV%htB4g$`
zn;RW6&%(5bz=a$yNn9Wfm-L)0@RiJ%AzbK<$yn$?loIK`&|9pe2Nv7gM-t~nN%Hw3
zPf1OFdYB}io$e=z3$r66_ll4Oo99$UK-fZ^Fv;@)kst+#0S~YM8wfxW$OP#?1Zcn;
zaDfo;k$-OtfUJjzy;?LggjXhijeyHZ5z#!5Q^cmxc}%m#G%E{BTL5Ox<lJBWfjWEE
zAnLV+SQfIYj)h2&vk+tG0MPaV0LrI@n9h4-U3LI)rk5!eWY5KB))rs@5y$`qpaL|2
z4lo3!zzWy_XW$NeKmZ6uCW!+p027%f1DRwMSbqmLfdWtjc7WZW0vrT~K`l52PJkBB
z0nUTV;5z69cfn&Y0EWS9Fa|z>DF}ja5E-ICDv&0m2bn-tkOSlj`9MKXI1~pZLL7((
ziJ^7SW~c}%fhwRwP#yFu)CQf0u0nm#Lue2hh2BG7U=&P(6<~E(A2x>_U=KJDj)a%P
z9Dg_q&VlpcZE!hU1s{c*;q&ly_%1vEzlO(A040T@qO?$^C<l}mDijruN=6A#8&HL)
zGE^0+5!H_BM%_jYpx&T9qp@fTnuaz-JEQ&4QD`PQ3%vndjIKb}qMOkd(YMiq=rQzn
z3>l+_F~K-t=$Kdx2eS%OfGNXNV@_i(VSnyohB2S8SS%H5fVIc^W8<)?*tOVV?0#$$
zwiDZj9m0;|a5xp53C;x<ieunJxB}c>+)>;)Tt99YH;I?RYvQf&zW8`N51)rG!`I`_
z;`{M0@lym@f*!$%5K3SX))2N6ju6@jw+O?8DWV+FfapSuB&HHK5zC2<#7o2{#D5P`
zQc~Jdj#5jdxKg=N<x<C`u1F0^eJ071j7eUk1d^DvjZ{PGBt0a3Ad|`ZWOs5rSw!AO
zt|MO{KO;{{Q>4wL>C!Cejnb9U&C>nSZ)FHFdNLj|D`awH%4AN;+>&`COOVx<^^#@C
zZjh~%ZIit(J1$3&vy=;!%aALUtACffDmNmJlh>E`k!Q*0%O94%AU{MwQFJI?6eeXe
z<p|{xWmo~LV4y%(NL46OIHu5}Fs3N4XrmadxLUDN@r>dC6-Cvj(y8gx?bH+0d(<yV
z>Pj9;Y^AMAjY|DW6UvK}-IdwOh00CJca^`W&{TX>(o}Y;w5U8)MXMUCE`L>BrFua1
zlIoj93X7Z<F&7msI<e@H8mwll7Ou8d?XcPnwQ+R~bw72!`d;-5>Tfit8txjY8l@U%
zHAXclny#8$%~H*Cny+YzG!I%jt(<m|Hm0Sf<*y~yI;7R3HKlE!9i^S8-K70ghp6MA
zldMy!)1@<}tEn5TyH2-3_kWQdLC--iMQ@K@x88)lfqsns7X23e5d&odx<QUXgTWI+
zvZ0${mSL6Q9V4ufgHf8%exqJv*x1%M#kkV=mI-WPXTmkvZ_>9Iv)FMlZ*kS)`=%sQ
z57TVZ2Gc<^s#%a(o>`08TXS9Wc=Mg+-R9pdY%S6)j#xall(!79%zv|Nw|sA9Y{j&y
zw7O$Ww)VB&Xx(c4&c?)sZF9ipfi1;0*mjF;m+dz@dpm($qur>zu6?5YKKuI)3Jzfo
z#ST{-F^-;&8y!0wKRekuiJVS2{pD=xoaS8bJhH@K346(rB||RSE)17LE(5MK*F@K!
zT?gE>+!$_EZqMCy+<#f_)$T7nj6703j(WWHwD1&op7xyZa`Ia5)#;7$_VX_E?(vcL
ziSnuNdFHF_%kgdS9rLsGTkF^9kMR%m-|2s!u1;st>*!+v_5teyE(VeUBLXV|p9dKS
z34+>#;oyMaUBOR6^g?(cEukQk9=a>^X_!G+R@iS#u}j02R(~#i5pEg2F1$N}60tI(
zKH^iPXXN(C$5Dn+;;61@ndpS*y6A}*@0gO9fmrj{^|9CERO7gDt?{_{==kdR@nt^C
zb}t)FuuUjPxVPM3`Re6YSE#N?UvXxo%u2?}lZlwbn8f<TuZ&Pe6=OV!p0qD%jOoSP
z!+gzhXO*%>*?%tV686hvm*kS<5snLI7iToZEu}2w4cCiX!F`wNpL#HLA}utnCT%)B
zCcP;GpOKi+#*^oz@h)a+WUkKa<D2jc_ybu^S-Z2w1c8ETAtYQbY!xXW;^&6gQ2c{<
zFxxe|GJA4W^s1Aq<yP}n-&kY3X6u@lIlei+tVOS7u7B-Xr?qa=y214x>kn;!HY9E6
z+NiTJf8%hjUvBLt;-<7sH}fp=O7cE#j@jIvub!WqKlFp&4-Ey<1%iV6Tb#EX{1N>l
z_s5>C)?4>({a(l_yjEmUR95u0m|1-7C(ED8f12Kwysc-u-Sz`Juse7=?(KBjSz97k
zl2bCYD}Q)bb1AK~u=L~ZmAkK&*_0jJL);_YGf*B>-nv(J?~c7+D^e=%R(e)8?Ni&g
zb>GB(*8ctj?gttVsvj&m_~mEr&kqjy9cr%9uPQr?J)C{`#gXVE-M={eQdg~7T~z(8
zhF3FC8(w>{&c3d$Uafw61Kc2P7(JSBwD*|zv47S^)5b$h)TW~2;JEnst6vj;y>}w;
zMAu1&lZ~hJPVGBQIbGNcHLqzNYe{JtXpL*_YYS-WYIklw{hQfuH62<Vm1h*sY(Gmp
zn}2rtT+X@iPJZW`^PKZTT`RjDUx>YM=i<_fJ(mJ6UAgRg`9ilx_qi)BS30gbU2VJO
zaDT1ky505W8@4x2-?Y7Xy2q}k`Ih~y)?UZn_P!;3XZzjy&)@dGefbXk&h@(?cl+)|
z-Ft99;r_q_)`O9U=?~vM%6>HUIQI$WN#Rr3r)AI7o>l#B^n25Q-N2ba@4*|-Bc4AV
zVh+9jL-@zn;rtim7iBLsU)GISjdYCqj(_&PTJ~!AHUIV0n}R>({@nN0@a?I;-2b{U
z7CSclPVjE}eenmC4>cccK6Z_VjX(R8@o8$Ja8hNm_Orw1?k_Q4UQVt0iu+pr&FEYE
z_rUK@rZc9e`3wPLRtlgHhm(^5cwYkmIS$bdh^{6|&uQjagXVPpEP;RGIbA(#c7FiW
zxC0QC3qTN}Q4S!kmpiAeXCzakJAkdNCH^lHCR<z0)gmFv6EitI{Xrc7Tsr{Y1k=+~
z`=_VB9YLCX2ta4noK~MPEb<0ZVxT08xqP$4Isd;k^WSg13fbkkE*Ss-00v@9M??Vs
z0RI60puMM)00009a7bBm000XU00;mJ69E94oEVc%1Qu37Nkl<ZILl-F|NlP&tpO7Q
z9l)q1Bh(TWe3GuNu2|Fe?%lf?spb=GhLLIkQNe|5C^;4|FfcGMj^_ALONO>30PbWG
U<?S^t)c^nh07*qoM6N<$g0e4?qW}N^

literal 1219
zcmeAS@N?(olHy`uVBq!ia0vp^l0YoT!3-qjQ@-0UFfcO&_=LCux&QzF2a=;;Gz3Oq
z2&9+2NoHVRWGD&p3kGI{kqj7uzq6|XlK^LdM`SSr1Gf+eGhVt|_XjA*UgGKN%6^}d
ziC<MAAVqQ$P)M@GHKHUqKdq!Zu_%?HATcwqL@zJ3M8QPQK+njaO+6A+)~I^AIEH8h
zC;#Z@=3$j|GiWF}z_5-zmg%I431?SK1Lq6n&;RWi4usFH_exnN3)H~i>FVdQ&MBb@
E0O<iUegFUf


From 8756e7c807bf3abb600de41269c58a875adc5bab Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 12 Mar 2021 14:34:24 +0100
Subject: [PATCH 0478/3088] net/haproxy: only accept a single value for
 backend/server fields, refs #2266

When Multiple=Y is set, then backend/server fields are preselected.
This makes it impossible to remove backends/servers, even when the rule
does not actually use them.
---
 net/haproxy/pkg-descr                                        | 5 +++++
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 4e83fe3062..86fcbd003e 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.1
+
+Changed:
+* rules: only accept a single value for backend/server fields (#2266)
+
 3.0
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 8c172b6cfd..3beabcd33c 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2086,7 +2086,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related backend item not found</ValidationMessage>
-                    <Multiple>Y</Multiple>
+                    <Multiple>N</Multiple>
                     <Required>N</Required>
                 </use_backend>
                 <use_server type="ModelRelationField">
@@ -2098,7 +2098,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related server item not found</ValidationMessage>
-                    <Multiple>Y</Multiple>
+                    <Multiple>N</Multiple>
                     <Required>N</Required>
                 </use_server>
                 <http_request_auth type="TextField">

From 56ca1c517d57308be07b203723cd5a6147484ed9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 14 Mar 2021 22:41:22 +0100
Subject: [PATCH 0479/3088] net/haproxy: add migration to fix undeletable
 items, fixes #2266

---
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  2 +-
 .../OPNsense/HAProxy/Migrations/M3_1_0.php    | 55 +++++++++++++++++++
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_1_0.php

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 3beabcd33c..58ac8e28e4 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.0.0</version>
+    <version>3.1.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_1_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_1_0.php
new file mode 100644
index 0000000000..a41024c00d
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_1_0.php
@@ -0,0 +1,55 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M3_1_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->getNodeByReference('actions.action')->iterateItems() as $action) {
+            switch ((string)$action->type) {
+                case 'use_backend':
+                    // do nothing, keep the value
+                    break;
+                case 'use_server':
+                    // do nothing, keep the value
+                    break;
+                default:
+                    // Clear referenced items if they are not in use.
+                    $action->use_backend = null;
+                    $action->use_server = null;
+                    break;
+            }
+        }
+    }
+}

From f6b4c1899a0211129f0b17cb2e14284024f1847b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 14 Mar 2021 22:44:51 +0100
Subject: [PATCH 0480/3088] net/haproxy: bump version

---
 net/haproxy/Makefile  | 2 +-
 net/haproxy/pkg-descr | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index fa8508ba7a..c2f195fc2a 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.0
+PLUGIN_VERSION=		3.1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 86fcbd003e..69ef2148a7 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -8,6 +8,9 @@ Plugin Changelog
 
 3.1
 
+Fixed:
+* fix items that cannot be deleted (#2266)
+
 Changed:
 * rules: only accept a single value for backend/server fields (#2266)
 

From 6613c6abf274032e6e83584f7636a7d2d1a32102 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Mar 2021 10:25:03 +0100
Subject: [PATCH 0481/3088] misc/theme-tukan: fix whitespace

---
 .../opnsense/www/themes/tukan/assets/stylesheets/main.scss  | 6 +++---
 .../src/opnsense/www/themes/tukan/build/css/main.css        | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
index f99129bc81..6c5e30aad1 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
@@ -27,7 +27,7 @@
 @font-face {
   font-family: 'SourceSansProRegular';
   src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype"); }
-  
+
 /*! normalize.css v3.0.1 | MIT License | git.io/normalize */
 table
 html {
@@ -5851,7 +5851,7 @@ body {
 .page-login .login-foot {color:#FFF;}
 
 .login-foot {
-  font-size: 12px; 
+  font-size: 12px;
   max-width: 400px;
   margin: 0px auto 0px auto;
   background-color: #172c38;}
@@ -5860,7 +5860,7 @@ body {
   color:#FFF;
   border: none;
   max-width: 400px;
-  margin: 100px auto 0px auto; 
+  margin: 100px auto 0px auto;
   background-color: #172c38;}
 .login-modal-head {
   height: 75px;
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index f99129bc81..6c5e30aad1 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -27,7 +27,7 @@
 @font-face {
   font-family: 'SourceSansProRegular';
   src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype"); }
-  
+
 /*! normalize.css v3.0.1 | MIT License | git.io/normalize */
 table
 html {
@@ -5851,7 +5851,7 @@ body {
 .page-login .login-foot {color:#FFF;}
 
 .login-foot {
-  font-size: 12px; 
+  font-size: 12px;
   max-width: 400px;
   margin: 0px auto 0px auto;
   background-color: #172c38;}
@@ -5860,7 +5860,7 @@ body {
   color:#FFF;
   border: none;
   max-width: 400px;
-  margin: 100px auto 0px auto; 
+  margin: 100px auto 0px auto;
   background-color: #172c38;}
 .login-modal-head {
   height: 75px;

From 25ad1051b6baa143f7ce8fdb63e90f8fed5811e9 Mon Sep 17 00:00:00 2001
From: lucas12433 <41630758+lucas12433@users.noreply.github.com>
Date: Mon, 15 Mar 2021 08:32:43 +0100
Subject: [PATCH 0482/3088] Update actions_wireguard.conf

Make Wireguard rebootable via cron Job
---
 .../src/opnsense/service/conf/actions.d/actions_wireguard.conf   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index eda045e381..38a58fa0c8 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -21,6 +21,7 @@ command:
 parameters:
 type:script
 message:restarting Wireguard
+description: Restart Wireguard
 
 [genkey]
 command:/usr/local/opnsense/scripts/OPNsense/Wireguard/genkey.sh

From 4a437aa30201b3c03290ac0004d629507ab5588b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 16 Mar 2021 14:00:56 +0100
Subject: [PATCH 0483/3088] net/wireguard: Add config sync (#2282)

---
 net/wireguard/Makefile                                | 3 +--
 net/wireguard/pkg-descr                               | 4 ++++
 net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc | 9 +++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 9a3654e78f..914a5cf2ca 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index ff1299e523..44ecbcc457 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.5
+
+* Allow synchronization of config
+
 1.4
 
 * Add IPv6 gateway support (contributed by Alexander Korinek)
diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index ae40d9618d..d2ec171b70 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -68,3 +68,12 @@ function wireguard_interfaces()
     $interfaces['wireguard'] = $oic;
     return $interfaces;
 }
+
+function wireguard_xmlrpc_sync()
+{
+    $result = array();
+    $result['id'] = 'wireguard';
+    $result['section'] = 'OPNsense.wireguard';
+    $result['description'] = gettext('WireGuard');
+    return array($result);
+}

From 8749029e76fe117ab580de07f6a9e56500e3ae51 Mon Sep 17 00:00:00 2001
From: Arnavion <me@arnavion.dev>
Date: Sun, 21 Mar 2021 10:20:10 -0700
Subject: [PATCH 0484/3088] os-smart: Add new action and API parameter for JSON
 info from smartctl.

- The existing `smart info.*` actions have been merged into one `smart info`
  action that takes the type as a parameter.

- There is now a `smart info_json` action that runs the same `smartctl` command
  with an additional `--json=c` parameter for JSON output.

- The `/api/smart/service/info` API now takes an optional `"json": true`
  request body parameter that changes the response `"output"` value from
  a string to a JSON object. The JSON object is the output of
  the `smart info_json` action.

Fixes #2283
---
 .../OPNsense/Smart/Api/ServiceController.php  | 11 +++++-
 .../service/conf/actions.d/actions_smart.conf | 34 +++++--------------
 2 files changed, 18 insertions(+), 27 deletions(-)

diff --git a/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php b/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
index 905315623e..324a6e1111 100644
--- a/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
+++ b/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
@@ -57,6 +57,7 @@ public function infoAction()
         if ($this->request->isPost()) {
             $device = $this->request->getPost('device');
             $type   = $this->request->getPost('type');
+            $json   = $this->request->getPost('json');
 
             if (!in_array($device, $this->getDevices())) {
                 return array("message" => "Invalid device name");
@@ -70,7 +71,15 @@ public function infoAction()
 
             $backend = new Backend();
 
-            $output = $backend->configdpRun("smart", array("info", $type, "/dev/" . $device));
+            $params = array("info", $type, "/dev/" . $device);
+            if ($json != NULL) {
+                $params[0] = "info_json";
+            }
+
+            $output = $backend->configdpRun("smart", $params);
+            if ($json != NULL) {
+                $output = json_decode($output, true);
+            }
 
             return array("output" => $output);
         }
diff --git a/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf b/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
index 104c227e4d..7085815254 100644
--- a/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
+++ b/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
@@ -10,35 +10,17 @@ parameters:
 type:script_output
 message:list installed devices
 
-[info.i]
-command:/usr/local/sbin/smartctl -i
-parameters:%s; exit 0
-type:script_output
-message:Get identity info for device %s
-
-[info.H]
-command:/usr/local/sbin/smartctl -H
-parameters:%s; exit 0
+[info]
+command:/usr/local/sbin/smartctl
+parameters:-%s %s; exit 0
 type:script_output
-message:Get SMART health status info for device %s
+message:exec smartctl -%s for device %s
 
-[info.c]
-command:/usr/local/sbin/smartctl -c
-parameters:%s; exit 0
-type:script_output
-message:Get capabilities for device %s
-
-[info.A]
-command:/usr/local/sbin/smartctl -A
-parameters:%s; exit 0
-type:script_output
-message:Get vendor-specific attributes for device %s
-
-[info.a]
-command:/usr/local/sbin/smartctl -a
-parameters:%s; exit 0
+[info_json]
+command:/usr/local/sbin/smartctl
+parameters:-%s --json=c %s; exit 0
 type:script_output
-message:Get all SMART info for device %s
+message:exec smartctl -%s (JSON) for device %s
 
 [log.error]
 command:/usr/local/sbin/smartctl -l error

From 45021cd0697c881aafd3517bfdf6bce3e775f3d0 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sun, 21 Mar 2021 19:48:52 +0100
Subject: [PATCH 0485/3088] net-mgmt/telegraf: add datadog output (#2290)

---
 net-mgmt/telegraf/Makefile                     |  3 +--
 net-mgmt/telegraf/pkg-descr                    |  4 ++++
 .../OPNsense/Telegraf/forms/output.xml         | 18 ++++++++++++++++++
 .../app/models/OPNsense/Telegraf/Output.xml    | 14 +++++++++++++-
 .../templates/OPNsense/Telegraf/telegraf.conf  | 11 +++++++++++
 5 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 284cc8f355..c5279eb7ab 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.8.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.9.0
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 5dd3e3a581..b49f834fbc 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -11,6 +11,10 @@ Kafka, MQTT, NSQ, and many others.
 Plugin Changelog
 ================
 
+1.9.0
+
+* Add Datadog output
+
 1.8.2
 
 * Add 'ntpq' input
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 0e726a008d..89f8ee137b 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -167,4 +167,22 @@
         <type>checkbox</type>
         <help>Send string metrics as Prometheus labels.</help>
     </field>
+    <field>
+        <id>output.datadog_enable</id>
+        <label>Enable Datadog Output</label>
+        <type>checkbox</type>
+        <help>This will enable Datadog output.</help>
+    </field>
+    <field>
+        <id>output.datadog_url</id>
+        <label>Datadog URL</label>
+        <type>text</type>
+        <help>Set the URL where metrics shoud be sent to. Format is without square brackets, just like https://app.datadoghq.com/api/v1/series.</help>
+    </field>
+    <field>
+        <id>output.datadog_apikey</id>
+        <label>Datadog API Key</label>
+        <type>text</type>
+        <help>Set the API Key for accessing Datadog.</help>
+    </field>
 </form>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 7b479f0c9c..c3b090acf7 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/telegraf/output</mount>
     <description>Telegraf outputs configuration</description>
-    <version>1.4.1</version>
+    <version>1.4.2</version>
     <items>
         <influx_enable type="BooleanField">
             <default>0</default>
@@ -109,5 +109,17 @@
             <default></default>
             <Required>N</Required>
         </influx_v2_bucket>
+        <datadog_enable type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </datadog_enable>
+        <datadog_url type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </datadog_url>
+        <datadog_apikey type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </datadog_apikey>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index f9e83ea4d7..07d1d38b82 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -75,6 +75,17 @@
 {%   endif %}
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.output.datadog_enable') and OPNsense.telegraf.output.datadog_enable == '1' %}
+[[outputs.datadog]]
+{%   if helpers.exists('OPNsense.telegraf.output.datadog_url') and OPNsense.telegraf.output.datadog_url != '' %}
+  url = "{{ OPNsense.telegraf.output.datadog_url }}"
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.datadog_apikey') and OPNsense.telegraf.output.datadog_apikey != '' %}
+  apikey = "{{ OPNsense.telegraf.output.datadog_apikey }}"
+{%   endif %}
+  timeout = "5s"
+{% endif %}
+
 {% if helpers.exists('OPNsense.telegraf.output.graphite_enable') and OPNsense.telegraf.output.graphite_enable == '1' %}
 [[outputs.graphite]]
 {%   if helpers.exists('OPNsense.telegraf.output.graphite_server') and OPNsense.telegraf.output.graphite_server != '' %}

From 61a9282bea26e03a8c21c7310611c03e1110c6e5 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sun, 21 Mar 2021 22:36:09 +0300
Subject: [PATCH 0486/3088] WOL widget fix (#2291)

fix button binding after cutting scripts from widgets
---
 net/wol/Makefile                                     |  3 +--
 .../src/www/widgets/widgets/wake_on_lan.widget.php   | 12 +++++++-----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index 7f29a872c1..818fde3268 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wol
-PLUGIN_VERSION=		2.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		2.4
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php b/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
index adef5d97a5..843341a657 100644
--- a/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
+++ b/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
@@ -75,10 +75,12 @@
   </tfoot>
 </table>
 <script>
-$('.wakeupbtn').click(function(event) {
-    event.preventDefault();
-    var data = this.dataset;
-    $.post('/api/wol/wol/set', {'uuid': data['uuid']}, function(result) {
+    $("#dashboard_container").on("WidgetsReady", function() {
+        $('.wakeupbtn').click(function(event) {
+            event.preventDefault();
+            var data = this.dataset;
+            $.post('/api/wol/wol/set', {'uuid': data['uuid']}, function(result) {
+            });
+        })
     });
-})
 </script>

From 6e50ef903ae0e20d6438e510804da05935de7a38 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 22 Mar 2021 11:32:51 +0100
Subject: [PATCH 0487/3088] os-smart: simplify
 https://github.com/opnsense/plugins/pull/2289 a bit.

---
 .../controllers/OPNsense/Smart/Api/ServiceController.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php b/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
index 324a6e1111..874ba272f2 100644
--- a/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
+++ b/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
@@ -57,7 +57,7 @@ public function infoAction()
         if ($this->request->isPost()) {
             $device = $this->request->getPost('device');
             $type   = $this->request->getPost('type');
-            $json   = $this->request->getPost('json');
+            $mode   = empty($this->request->getPost('json')) ? "info" : "info_json";
 
             if (!in_array($device, $this->getDevices())) {
                 return array("message" => "Invalid device name");
@@ -71,13 +71,10 @@ public function infoAction()
 
             $backend = new Backend();
 
-            $params = array("info", $type, "/dev/" . $device);
-            if ($json != NULL) {
-                $params[0] = "info_json";
-            }
+            $params = array($mode, $type, "/dev/" . $device);
 
             $output = $backend->configdpRun("smart", $params);
-            if ($json != NULL) {
+            if ($mode == 'info_json') {
                 $output = json_decode($output, true);
             }
 

From 19d24b491fcfe2ab8b66aafa4146fc5a63eaad20 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 21 Mar 2021 23:51:18 +0100
Subject: [PATCH 0488/3088] add new plugin: qemu-guest-agent, closes #1586

---
 emulators/qemu-guest-agent/Makefile           |  8 +++
 emulators/qemu-guest-agent/pkg-descr          |  5 ++
 .../etc/inc/plugins.inc.d/qemuguestagent.inc  | 70 +++++++++++++++++++
 .../QemuGuestAgent/Api/ServiceController.php  | 46 ++++++++++++
 .../QemuGuestAgent/Api/SettingsController.php | 46 ++++++++++++
 .../QemuGuestAgent/IndexController.php        | 47 +++++++++++++
 .../OPNsense/QemuGuestAgent/forms/general.xml | 23 ++++++
 .../OPNsense/QemuGuestAgent/ACL/ACL.xml       | 11 +++
 .../OPNsense/QemuGuestAgent/Menu/Menu.xml     |  8 +++
 .../QemuGuestAgent/QemuGuestAgent.php         | 49 +++++++++++++
 .../QemuGuestAgent/QemuGuestAgent.xml         | 60 ++++++++++++++++
 .../views/OPNsense/QemuGuestAgent/index.volt  | 63 +++++++++++++++++
 .../scripts/OPNsense/QemuGuestAgent/setup.sh  | 10 +++
 .../actions.d/actions_qemuguestagent.conf     | 29 ++++++++
 .../OPNsense/QemuGuestAgent/+TARGETS          |  1 +
 .../OPNsense/QemuGuestAgent/rc.conf.d         | 15 ++++
 16 files changed, 491 insertions(+)
 create mode 100644 emulators/qemu-guest-agent/Makefile
 create mode 100644 emulators/qemu-guest-agent/pkg-descr
 create mode 100644 emulators/qemu-guest-agent/src/etc/inc/plugins.inc.d/qemuguestagent.inc
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/Api/ServiceController.php
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/Api/SettingsController.php
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/IndexController.php
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/forms/general.xml
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/ACL/ACL.xml
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/Menu/Menu.xml
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.php
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/mvc/app/views/OPNsense/QemuGuestAgent/index.volt
 create mode 100755 emulators/qemu-guest-agent/src/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/service/conf/actions.d/actions_qemuguestagent.conf
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/+TARGETS
 create mode 100644 emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d

diff --git a/emulators/qemu-guest-agent/Makefile b/emulators/qemu-guest-agent/Makefile
new file mode 100644
index 0000000000..1f9c4268f7
--- /dev/null
+++ b/emulators/qemu-guest-agent/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		qemu-guest-agent
+PLUGIN_VERSION=		0.1
+PLUGIN_DEVEL=		yes
+PLUGIN_COMMENT=		QEMU Guest Agent for OPNsense
+PLUGIN_DEPENDS=		qemu-guest-agent
+PLUGIN_MAINTAINER=	opnsense@moov.de
+
+.include "../../Mk/plugins.mk"
diff --git a/emulators/qemu-guest-agent/pkg-descr b/emulators/qemu-guest-agent/pkg-descr
new file mode 100644
index 0000000000..2ff6915607
--- /dev/null
+++ b/emulators/qemu-guest-agent/pkg-descr
@@ -0,0 +1,5 @@
+QEMU Guest Agent for FreeBSD
+
+Port homepage https://github.com/aborche/qemu-guest-agent
+
+WWW: http://wiki.qemu.org/Main_Page
diff --git a/emulators/qemu-guest-agent/src/etc/inc/plugins.inc.d/qemuguestagent.inc b/emulators/qemu-guest-agent/src/etc/inc/plugins.inc.d/qemuguestagent.inc
new file mode 100644
index 0000000000..50ad2acc9e
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/etc/inc/plugins.inc.d/qemuguestagent.inc
@@ -0,0 +1,70 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function qemuguestagent_enabled()
+{
+    global $config;
+
+    return isset($config['OPNsense']['QemuGuestAgent']['general']['Enabled']) &&
+    $config['OPNsense']['QemuGuestAgent']['general']['Enabled'] == 1;
+}
+
+/**
+ *  register legacy service
+ * @return array
+ */
+function qemuguestagent_services()
+{
+    $services = array();
+
+    if (!qemuguestagent_enabled()) {
+        return $services;
+    }
+
+    $services[] = array(
+        'description' => gettext('QEMU Guest Agent'),
+        'pidfile' => '/var/run/qemu-ga.pid',
+        'configd' => array(
+            'restart' => array('qemuguestagent restart'),
+            'start' => array('qemuguestagent start'),
+            'stop' => array('qemuguestagent stop'),
+        ),
+        'name' => 'qemu-ga',
+    );
+
+    return $services;
+}
+
+function qemuguestagent_xmlrpc_sync()
+{
+    $result = array();
+    $result['id'] = 'qemuguestagent';
+    $result['section'] = 'OPNsense.QemuGuestAgent';
+    $result['description'] = gettext('QEMU Guest Agent');
+    return array($result);
+}
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/Api/ServiceController.php b/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/Api/ServiceController.php
new file mode 100644
index 0000000000..c07d9ff99f
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/Api/ServiceController.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\QemuGuestAgent\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\QemuGuestAgent
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\QemuGuestAgent\QemuGuestAgent';
+    protected static $internalServiceTemplate = 'OPNsense/QemuGuestAgent';
+    protected static $internalServiceEnabled = 'general.Enabled';
+    protected static $internalServiceName = 'qemuguestagent';
+}
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/Api/SettingsController.php b/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/Api/SettingsController.php
new file mode 100644
index 0000000000..3578301fa6
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/Api/SettingsController.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2015-2019 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\QemuGuestAgent\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+use OPNsense\ZabbixAgent\ZabbixAgent;
+
+/**
+ * settings controller for QemuGuestAgent
+ * @package OPNsense\QemuGuestAgent
+ */
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'qemuguestagent';
+    protected static $internalModelClass = 'OPNsense\QemuGuestAgent\QemuGuestAgent';
+}
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/IndexController.php b/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/IndexController.php
new file mode 100644
index 0000000000..3e1f7f5ef2
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/IndexController.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\QemuGuestAgent;
+
+/**
+ * Class IndexController
+ * @package OPNsense\QemuGuestAgent
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // pick the template to serve
+        $this->view->pick('OPNsense/QemuGuestAgent/index');
+        // fetch form data "general" in
+        $this->view->generalForm = $this->getForm("general");
+    }
+}
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/forms/general.xml b/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/forms/general.xml
new file mode 100644
index 0000000000..86ff2811df
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/controllers/OPNsense/QemuGuestAgent/forms/general.xml
@@ -0,0 +1,23 @@
+<form>
+    <field>
+        <id>qemuguestagent.general.Enabled</id>
+        <label>Enable Service</label>
+        <type>checkbox</type>
+        <help>Enable the QEMU guest agent service.</help>
+    </field>
+    <field>
+        <id>qemuguestagent.general.LogDebug</id>
+        <label>Debug Logging</label>
+        <type>checkbox</type>
+        <help>Log extra debugging information.</help>
+    </field>
+    <field>
+        <id>qemuguestagent.general.DisabledRPCs</id>
+        <label>Disabled RPCs</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <sortable>true</sortable>
+        <help>A list of RPCs to disable.</help>
+    </field>
+</form>
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/ACL/ACL.xml b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/ACL/ACL.xml
new file mode 100644
index 0000000000..05a218ed59
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/ACL/ACL.xml
@@ -0,0 +1,11 @@
+<acl>
+    <page-services-qemuguestagent>
+        <name>Services: QEMU Guest Agent</name>
+        <patterns>
+            <pattern>ui/qemuguestagent/*</pattern>
+            <pattern>api/qemuguestagent/*</pattern>
+            <pattern>ui/diagnostics/log/core/qemu-ga/*</pattern>
+            <pattern>api/diagnostics/log/core/qemu-ga/*</pattern>
+        </patterns>
+    </page-services-qemuguestagent>
+</acl>
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/Menu/Menu.xml b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/Menu/Menu.xml
new file mode 100644
index 0000000000..8cecba521b
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+    <Services>
+        <QemuGuestAgent VisibleName="QEMU Guest Agent" cssClass="fa fa-cog fa-fw">
+            <Settings order="10" url="/ui/qemuguestagent"/>
+            <Logs order="20" url="/ui/diagnostics/log/core/qemu-ga"/>
+      </QemuGuestAgent>
+    </Services>
+</menu>
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.php b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.php
new file mode 100644
index 0000000000..e84d734e47
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\QemuGuestAgent;
+
+use OPNsense\Base\BaseModel;
+
+class QemuGuestAgent extends BaseModel
+{
+    /**
+     * check if service is enabled
+     * @return bool is the QemuGuestAgent service enabled
+     */
+    public function isEnabled()
+    {
+        if ((string)$this->general->Enabled === "1") {
+            return true;
+        }
+        return false;
+    }
+}
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
new file mode 100644
index 0000000000..8c037740b5
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
@@ -0,0 +1,60 @@
+<model>
+    <mount>//OPNsense/QemuGuestAgent</mount>
+    <version>1.0.0</version>
+    <description>QEMU Guest Agent for OPNsense</description>
+    <items>
+        <general>
+            <Enabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </Enabled>
+            <LogDebug type="BooleanField">
+                <default>0</default>
+                <Required>N</Required>
+            </LogDebug>
+            <DisabledRPCs type="OptionField">
+                <Required>N</Required>
+                <default></default>
+                <Sorted>Y</Sorted>
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <guest-exec>guest-exec</guest-exec>
+                    <guest-exec-status>guest-exec-status</guest-exec-status>
+                    <guest-file-close>guest-file-close</guest-file-close>
+                    <guest-file-flush>guest-file-flush</guest-file-flush>
+                    <guest-file-open>guest-file-open</guest-file-open>
+                    <guest-file-read>guest-file-read</guest-file-read>
+                    <guest-file-seek>guest-file-seek</guest-file-seek>
+                    <guest-file-write>guest-file-write</guest-file-write>
+                    <guest-fsfreeze-freeze>guest-fsfreeze-freeze</guest-fsfreeze-freeze>
+                    <guest-fsfreeze-freeze-list>guest-fsfreeze-freeze-list</guest-fsfreeze-freeze-list>
+                    <guest-fsfreeze-status>guest-fsfreeze-status</guest-fsfreeze-status>
+                    <guest-fsfreeze-thaw>guest-fsfreeze-thaw</guest-fsfreeze-thaw>
+                    <guest-fstrim>guest-fstrim</guest-fstrim>
+                    <guest-get-fsinfo>guest-get-fsinfo</guest-get-fsinfo>
+                    <guest-get-host-name>guest-get-host-name</guest-get-host-name>
+                    <guest-get-memory-block-info>guest-get-memory-block-info</guest-get-memory-block-info>
+                    <guest-get-memory-blocks>guest-get-memory-blocks</guest-get-memory-blocks>
+                    <guest-get-osinfo>guest-get-osinfo</guest-get-osinfo>
+                    <guest-get-time>guest-get-time</guest-get-time>
+                    <guest-get-timezone>guest-get-timezone</guest-get-timezone>
+                    <guest-get-users>guest-get-users</guest-get-users>
+                    <guest-get-vcpus>guest-get-vcpus</guest-get-vcpus>
+                    <guest-info>guest-info</guest-info>
+                    <guest-network-get-interfaces>guest-network-get-interfaces</guest-network-get-interfaces>
+                    <guest-ping>guest-ping</guest-ping>
+                    <guest-set-memory-blocks>guest-set-memory-blocks</guest-set-memory-blocks>
+                    <guest-set-time>guest-set-time</guest-set-time>
+                    <guest-set-user-password>guest-set-user-password</guest-set-user-password>
+                    <guest-set-vcpus>guest-set-vcpus</guest-set-vcpus>
+                    <guest-shutdown>guest-shutdown</guest-shutdown>
+                    <guest-suspend-disk>guest-suspend-disk</guest-suspend-disk>
+                    <guest-suspend-hybrid>guest-suspend-hybrid</guest-suspend-hybrid>
+                    <guest-suspend-ram>guest-suspend-ram</guest-suspend-ram>
+                    <guest-sync>guest-sync</guest-sync>
+                    <guest-sync-delimited>guest-sync-delimited</guest-sync-delimited>
+                </OptionValues>
+            </DisabledRPCs>
+        </general>
+    </items>
+</model>
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/views/OPNsense/QemuGuestAgent/index.volt b/emulators/qemu-guest-agent/src/opnsense/mvc/app/views/OPNsense/QemuGuestAgent/index.volt
new file mode 100644
index 0000000000..49563e73e8
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/views/OPNsense/QemuGuestAgent/index.volt
@@ -0,0 +1,63 @@
+{#
+
+OPNsense® is Copyright © 2021 Frank Wall
+OPNsense® is Copyright © 2014 – 2015 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        // load initial data
+        var data_get_map = {'frm_GeneralSettings':"/api/qemuguestagent/settings/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint(url="/api/qemuguestagent/settings/set",formid='frm_GeneralSettings',callback_ok=function(){
+                // reconfigure service
+                ajaxCall(url="/api/qemuguestagent/service/reconfigure", sendData={}, callback=function(data,status) {
+                });
+            });
+        });
+    });
+</script>
+
+<div class="alert alert-info hidden" role="alert" id="responseMsg">
+
+</div>
+
+<div  class="col-md-12">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
+</div>
+
+<div class="col-md-12">
+    <hr/>
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b></button>
+    <br/>
+    <br/>
+</div>
diff --git a/emulators/qemu-guest-agent/src/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh b/emulators/qemu-guest-agent/src/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh
new file mode 100755
index 0000000000..f3e18ed33c
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Check if the kernel module exists
+KERNMOD='virtio_console'
+if [ -e /boot/kernel/${KERNMOD}.ko ]; then
+    # Load module
+    kldload $KERNMOD 2>&1
+fi
+
+exit 0
diff --git a/emulators/qemu-guest-agent/src/opnsense/service/conf/actions.d/actions_qemuguestagent.conf b/emulators/qemu-guest-agent/src/opnsense/service/conf/actions.d/actions_qemuguestagent.conf
new file mode 100644
index 0000000000..c236540b22
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/service/conf/actions.d/actions_qemuguestagent.conf
@@ -0,0 +1,29 @@
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh; /usr/local/etc/rc.d/qemu-guest-agent start
+parameters:
+type:script
+message:starting qemu-guest-agent
+
+[stop]
+command:/usr/local/etc/rc.d/qemu-guest-agent stop; exit 0
+parameters:
+type:script
+message:stopping qemu-guest-agent
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh; /usr/local/etc/rc.d/qemu-guest-agent restart
+parameters:
+type:script
+message:restarting qemu-guest-agent
+
+[reload]
+command:/usr/local/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh; /usr/local/etc/rc.d/qemu-guest-agent restart
+parameters:
+type:script
+message:restarting qemu-guest-agent
+
+[status]
+command:/usr/local/etc/rc.d/qemu-guest-agent status; exit 0
+parameters:
+type:script_output
+message:requesting qemu-guest-agent status
diff --git a/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/+TARGETS b/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/+TARGETS
new file mode 100644
index 0000000000..3bc91f3c9f
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/+TARGETS
@@ -0,0 +1 @@
+rc.conf.d:/etc/rc.conf.d/qemu_guest_agent
diff --git a/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d b/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d
new file mode 100644
index 0000000000..ea9c80f8ce
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d
@@ -0,0 +1,15 @@
+{# Default setting is enabled, so that no GUI interaction is required. #}
+{% if not (helpers.exists('OPNsense.QemuGuestAgent.general.LogDebug')) or OPNsense.QemuGuestAgent.general.Enabled|default("0") != "0" %}
+{%   set optional_flags = [] %}
+{%   do optional_flags.append('-d -l /var/log/qemu-ga.log') %}
+{%   if helpers.exists('OPNsense.QemuGuestAgent.general.LogDebug') and OPNsense.QemuGuestAgent.general.LogDebug|default("0") == "1" %}
+{%     do optional_flags.append('-v') %}
+{%   endif %}
+{%   if helpers.exists('OPNsense.QemuGuestAgent.general.DisabledRPCs') and not helpers.empty('OPNsense.QemuGuestAgent.general.DisabledRPCs') %}
+{%     do optional_flags.append('--blacklist=' ~ OPNsense.QemuGuestAgent.general.DisabledRPCs) %}
+{%   endif %}
+qemu_guest_agent_enable="YES"
+qemu_guest_agent_flags="{{optional_flags|join(' ')}}"
+{% else %}
+qemu_guest_agent_enable="NO"
+{% endif %}

From e154d9ca39fbcf979e5e87d794707e9acba6f484 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 22 Mar 2021 19:47:29 +0100
Subject: [PATCH 0489/3088] README: sync

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index b5698e1495..78311c2290 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,7 @@ dns/bind -- BIND domain name service
 dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
 dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
+emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense (development only)
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
 misc/theme-cicada -- The cicada theme - dark grey

From 75d5af5228e866b344c46268b20827fe6f0f983f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Mar 2021 10:16:28 +0100
Subject: [PATCH 0490/3088] net/wireguard: change deps according to FreeBSD
 shift

---
 net/wireguard/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 914a5cf2ca..2e0da8f81f 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		WireGuard VPN service
-PLUGIN_DEPENDS=		wireguard
+PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From f557e2b09a2f927a31b5fa7e2173b941e6dd0988 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 24 Mar 2021 16:35:09 +0100
Subject: [PATCH 0491/3088] XMLRPC / HA-Sync: add  services keyword (introduced
 https://github.com/opnsense/core/issues/4834) in xmlrpc templates for
 existing plugins.

---
 dns/bind/src/etc/inc/plugins.inc.d/bind.inc                      | 1 +
 .../src/etc/inc/plugins.inc.d/qemuguestagent.inc                 | 1 +
 net-mgmt/zabbix-agent/src/etc/inc/plugins.inc.d/zabbixagent.inc  | 1 +
 net/frr/src/etc/inc/plugins.inc.d/frr.inc                        | 1 +
 net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc                | 1 +
 net/relayd/src/etc/inc/plugins.inc.d/relayd.inc                  | 1 +
 net/tayga/src/etc/inc/plugins.inc.d/tayga.inc                    | 1 +
 net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc            | 1 +
 security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc   | 1 +
 security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc           | 1 +
 security/tinc/src/etc/inc/plugins.inc.d/tinc.inc                 | 1 +
 www/nginx/src/etc/inc/plugins.inc.d/nginx.inc                    | 1 +
 12 files changed, 12 insertions(+)

diff --git a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
index 495764bb52..2b050aa2bb 100644
--- a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
+++ b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
@@ -60,5 +60,6 @@ function bind_xmlrpc_sync()
     $result['id'] = 'bind';
     $result['section'] = 'OPNsense.bind';
     $result['description'] = gettext('BIND domain name service');
+    $result['services'] = ['named'];
     return array($result);
 }
diff --git a/emulators/qemu-guest-agent/src/etc/inc/plugins.inc.d/qemuguestagent.inc b/emulators/qemu-guest-agent/src/etc/inc/plugins.inc.d/qemuguestagent.inc
index 50ad2acc9e..9304b1f126 100644
--- a/emulators/qemu-guest-agent/src/etc/inc/plugins.inc.d/qemuguestagent.inc
+++ b/emulators/qemu-guest-agent/src/etc/inc/plugins.inc.d/qemuguestagent.inc
@@ -66,5 +66,6 @@ function qemuguestagent_xmlrpc_sync()
     $result['id'] = 'qemuguestagent';
     $result['section'] = 'OPNsense.QemuGuestAgent';
     $result['description'] = gettext('QEMU Guest Agent');
+    $result['services'] = ['qemu-ga'];
     return array($result);
 }
diff --git a/net-mgmt/zabbix-agent/src/etc/inc/plugins.inc.d/zabbixagent.inc b/net-mgmt/zabbix-agent/src/etc/inc/plugins.inc.d/zabbixagent.inc
index c5d7a1f0aa..ba083f7722 100644
--- a/net-mgmt/zabbix-agent/src/etc/inc/plugins.inc.d/zabbixagent.inc
+++ b/net-mgmt/zabbix-agent/src/etc/inc/plugins.inc.d/zabbixagent.inc
@@ -82,5 +82,6 @@ function zabbixagent_xmlrpc_sync()
     $result['id'] = 'zabbixagent';
     $result['section'] = 'OPNsense.zabbixagent.settings';
     $result['description'] = gettext('Zabbix monitoring agent');
+    $result['services'] = ['zabbix_agentd'];
     return array($result);
 }
diff --git a/net/frr/src/etc/inc/plugins.inc.d/frr.inc b/net/frr/src/etc/inc/plugins.inc.d/frr.inc
index ff2b3f5a7b..3b546e8303 100644
--- a/net/frr/src/etc/inc/plugins.inc.d/frr.inc
+++ b/net/frr/src/etc/inc/plugins.inc.d/frr.inc
@@ -142,5 +142,6 @@ function frr_xmlrpc_sync()
     $result['id'] = 'quagga';
     $result['section'] = 'OPNsense.quagga';
     $result['description'] = gettext('FRR');
+    $result['services'] = ['frr'];
     return array($result);
 }
diff --git a/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc b/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
index 320127ded3..cfeabbc4d2 100644
--- a/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
+++ b/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
@@ -79,5 +79,6 @@ function haproxy_xmlrpc_sync()
     $result['id'] = 'haproxy';
     $result['section'] = 'OPNsense.HAProxy';
     $result['description'] = gettext('HAProxy Load Balancer');
+    $result['services'] = ['haproxy'];
     return array($result);
 }
diff --git a/net/relayd/src/etc/inc/plugins.inc.d/relayd.inc b/net/relayd/src/etc/inc/plugins.inc.d/relayd.inc
index eb3b9f931f..08b2e98b4a 100644
--- a/net/relayd/src/etc/inc/plugins.inc.d/relayd.inc
+++ b/net/relayd/src/etc/inc/plugins.inc.d/relayd.inc
@@ -73,6 +73,7 @@ function relayd_xmlrpc_sync()
     $result[] = array(
         'description' => gettext('Relayd Load Balancer'),
         'section' => 'OPNsense.relayd',
+        'services' => ['relayd'],
         /* kept for backwards compat: */
         'id' => 'lb',
     );
diff --git a/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc b/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
index 88f8e5bcda..e273043341 100644
--- a/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
+++ b/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
@@ -59,6 +59,7 @@ function tayga_xmlrpc_sync()
     $result['id'] = 'taygavpn';
     $result['section'] = 'OPNsense.tayga';
     $result['description'] = gettext('Tayga');
+    $result['services'] = ['tayga'];
     return array($result);
 }
 
diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index d2ec171b70..42c4f7b051 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -75,5 +75,6 @@ function wireguard_xmlrpc_sync()
     $result['id'] = 'wireguard';
     $result['section'] = 'OPNsense.wireguard';
     $result['description'] = gettext('WireGuard');
+    $result['services'] = ['wireguard-go'];
     return array($result);
 }
diff --git a/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc b/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
index 2b8c5fff2d..51550d04e1 100644
--- a/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
+++ b/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
@@ -79,5 +79,6 @@ function openconnect_xmlrpc_sync()
     $result['id'] = 'openconnectvpn';
     $result['section'] = 'OPNsense.openconnect';
     $result['description'] = gettext('OpenConnect');
+    $result['services'] = ['tincd'];
     return array($result);
 }
diff --git a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
index 335e708021..374e2ab1a2 100644
--- a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
+++ b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
@@ -135,6 +135,7 @@ function stunnel_xmlrpc_sync()
         'description' => gettext('Stunnel'),
         'section' => 'OPNsense.Stunnel',
         'id' => 'stunnel',
+        'services' => ['stunnel', 'identd_stunnel'],
     );
     return $result;
 }
diff --git a/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc b/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
index d2afe051bf..8d714a4a38 100644
--- a/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
+++ b/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
@@ -104,5 +104,6 @@ function tinc_xmlrpc_sync()
     $result['id'] = 'tincvpn';
     $result['section'] = 'OPNsense.Tinc';
     $result['description'] = gettext('Tinc VPN');
+    $result['services'] = ['tincd'];
     return array($result);
 }
diff --git a/www/nginx/src/etc/inc/plugins.inc.d/nginx.inc b/www/nginx/src/etc/inc/plugins.inc.d/nginx.inc
index a84b5c639c..cf35e06139 100644
--- a/www/nginx/src/etc/inc/plugins.inc.d/nginx.inc
+++ b/www/nginx/src/etc/inc/plugins.inc.d/nginx.inc
@@ -61,5 +61,6 @@ function nginx_xmlrpc_sync()
     $result['id'] = 'nginx';
     $result['section'] = 'OPNsense.Nginx';
     $result['description'] = gettext('Nginx Load Balancer');
+    $result['services'] = ['nginx'];
     return array($result);
 }

From 73bc94bd5da2b822632977759e6cf96abc09f344 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sun, 28 Mar 2021 18:37:46 +0200
Subject: [PATCH 0492/3088] net/freeradius: Add HA config sync (#2300)

---
 net/freeradius/Makefile                               |  3 +--
 net/freeradius/pkg-descr                              |  4 ++++
 .../src/etc/inc/plugins.inc.d/freeradius.inc          | 11 ++++++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index a62c2a0d52..1b61d34a68 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.9
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.9.10
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 76ee5794f7..d0d029ffd1 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.10
+
+* Add HA config sync
+
 1.9.9
 
 * Create option to set EAP-TTLS-GTC (contributed by Kjeld Schouten-Lebbing)
diff --git a/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc b/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
index 64640fcd45..6f36e4bd1f 100644
--- a/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
+++ b/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
@@ -1,7 +1,7 @@
 <?php
 
 /*
-    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+    Copyright (C) 2017 - 2021 Michael Muenz <m.muenz@gmail.com>
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -47,3 +47,12 @@ function freeradius_services()
 
     return $services;
 }
+
+function freeradius_xmlrpc_sync()
+{
+    $result = array();
+    $result['id'] = 'freeradius';
+    $result['section'] = 'OPNsense.freeradius';
+    $result['description'] = gettext('Freeradius');
+    return array($result);
+}

From 2faa645086ac7af5a15ffa5125f69189dc0e8675 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 27 Mar 2021 19:51:56 +0100
Subject: [PATCH 0493/3088] net/freeradius: HA config sync, add services
 binding. for https://github.com/opnsense/plugins/pull/2300

---
 net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc b/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
index 6f36e4bd1f..dfe576325c 100644
--- a/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
+++ b/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
@@ -54,5 +54,6 @@ function freeradius_xmlrpc_sync()
     $result['id'] = 'freeradius';
     $result['section'] = 'OPNsense.freeradius';
     $result['description'] = gettext('Freeradius');
+    $result['services'] = ["freeradius"];
     return array($result);
 }

From 095740ab393f6e572c359fbedef17d76c3c82cd7 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 29 Mar 2021 00:01:10 +0200
Subject: [PATCH 0494/3088] net/haproxy: ignore incompatible options when
 LibreSSL is used, refs #2013

---
 net/haproxy/pkg-descr                                  |  5 +++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf    | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 69ef2148a7..2dbcc504d4 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.2
+
+Changed:
+* ignore incompatible ciphersuites options when LibreSSL is used (#2013)
+
 3.1
 
 Fixed:
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index a530b0a7a1..d9923f7996 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -926,7 +926,11 @@ global
     ssl-default-bind-ciphers {{ OPNsense.HAProxy.general.tuning.ssl_cipherList }}
 {%   endif %}
 {%   if OPNsense.HAProxy.general.tuning.ssl_cipherSuites|default("") != "" %}
+{%     if helpers.exists('system.firmware.flavour') and not(helpers.empty('system.firmware.flavour')) and system.firmware.flavour|default('') == 'libressl' %}
+    # WARNING: ssl-default-bind-ciphersuites cannot be used with flavour {{ system.firmware.flavour}}.
+{%     else %}
     ssl-default-bind-ciphersuites {{ OPNsense.HAProxy.general.tuning.ssl_cipherSuites }}
+{%     endif %}
 {%   endif %}
 {% endif %}
 {# # pass-through options #}
@@ -1162,7 +1166,11 @@ frontend {{frontend.name}}
 {%             do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
 {%           endif %}
 {%           if frontend.ssl_cipherSuites|default("") != "" %}
-{%             do ssl_options.append('ciphersuites ' ~ frontend.ssl_cipherSuites) %}
+{%             if helpers.exists('system.firmware.flavour') and not(helpers.empty('system.firmware.flavour')) and system.firmware.flavour|default('') == 'libressl' %}
+    # WARNING: ciphersuites cannot be used with flavour {{ system.firmware.flavour}}.
+{%             else %}
+{%               do ssl_options.append('ciphersuites ' ~ frontend.ssl_cipherSuites) %}
+{%             endif %}
 {%           endif %}
 {#           # HSTS #}
 {%           if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}

From bd3811438708311dd5966a5733589879dab9c622 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 29 Mar 2021 00:04:12 +0200
Subject: [PATCH 0495/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index c2f195fc2a..381ec9f771 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.1
+PLUGIN_VERSION=		3.2
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 00cab9b5de04737bb44ff2f26345f141af9b7ca6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 29 Mar 2021 09:49:13 +0200
Subject: [PATCH 0496/3088] xmlrpc has sync - typo in
 https://github.com/opnsense/plugins/commit/f557e2b09a2f927a31b5fa7e2173b941e6dd0988

---
 security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc b/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
index 51550d04e1..c14a9d26d1 100644
--- a/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
+++ b/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
@@ -79,6 +79,6 @@ function openconnect_xmlrpc_sync()
     $result['id'] = 'openconnectvpn';
     $result['section'] = 'OPNsense.openconnect';
     $result['description'] = gettext('OpenConnect');
-    $result['services'] = ['tincd'];
+    $result['services'] = ['openconnect'];
     return array($result);
 }

From 64ba7429d2d4dc82cfb95565797a8f2d06ca261b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Mar 2021 09:44:30 +0200
Subject: [PATCH 0497/3088] sysutils/smart: bump version

---
 sysutils/smart/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index a02589a0be..ccc3474b27 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		smart
-PLUGIN_VERSION=		2.1
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		2.2
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 648b18301fa384064233a7f77487d41a610b44a2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Mar 2021 09:47:59 +0200
Subject: [PATCH 0498/3088] plugins: bump a few revisions where metadata
 changed

---
 dns/bind/Makefile              | 2 +-
 net-mgmt/zabbix-agent/Makefile | 2 +-
 net/frr/Makefile               | 2 +-
 net/relayd/Makefile            | 2 +-
 net/tayga/Makefile             | 2 +-
 security/openconnect/Makefile  | 2 +-
 security/tinc/Makefile         | 2 +-
 www/nginx/Makefile             | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index e16959f8e3..1909668726 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.16
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index af1be66116..40f39eee66 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_DEPENDS=		zabbix5-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/frr/Makefile b/net/frr/Makefile
index 9172a4a4ab..11c964bfd8 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index c7bd04749f..de76204b17 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index 33f54830ff..e350d4580b 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tayga
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index afd5f9a200..ce2b17e2d6 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		openconnect
 PLUGIN_VERSION=		1.4.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 4e6a8afafe..e7bcf5a701 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 4964118c00..28fcf5bbeb 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 6cca3bee4e6340fa2033ef614f63897e27722907 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Mar 2021 09:52:56 +0200
Subject: [PATCH 0499/3088] security/openconnect: once is enough

---
 security/openconnect/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index ce2b17e2d6..7dc3f6859b 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		openconnect
 PLUGIN_VERSION=		1.4.0
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 30da21dcaff6eab6ccde8618ef0992baa49bea2e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Mar 2021 09:54:51 +0200
Subject: [PATCH 0500/3088] net/freeradius: sync LICENSE and small cleanup

---
 LICENSE                                       |  2 +-
 .../src/etc/inc/plugins.inc.d/freeradius.inc  | 48 +++++++++----------
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/LICENSE b/LICENSE
index 7079730ae9..64a02ae244 100644
--- a/LICENSE
+++ b/LICENSE
@@ -22,7 +22,7 @@ Copyright (c) 2019 Juergen Kellerer
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2020 Marc Leuser
 Copyright (c) 2020 Martin Wasley
-Copyright (c) 2017-2020 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
diff --git a/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc b/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
index dfe576325c..ab1a541762 100644
--- a/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
+++ b/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
@@ -1,30 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2017 - 2021 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2017-2021 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 function freeradius_services()
 {

From a35d368f5d5e9e9d2bed11780de1bf4fb5127d73 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 30 Mar 2021 09:43:05 +0200
Subject: [PATCH 0501/3088] make: core releng additions

---
 Mk/defaults.mk | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 1ec722ffe0..6210fd1e89 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -121,7 +121,9 @@ mfc: ensure-stable
 	fi
 .else
 	@git checkout stable/${PLUGIN_ABI}
-	@git cherry-pick -x ${MFC}
+	@if ! git cherry-pick -x ${MFC}; then \
+		git cherry-pick --abort; \
+	fi
 .endif
 	@git checkout master
 .endfor
@@ -131,3 +133,8 @@ stable:
 
 master:
 	@git checkout master
+
+rebase:
+	@git checkout stable/${PLUGIN_ABI}
+	@git rebase -i
+	@git checkout master

From 78bcfc0b1b0be4aaf1c90bfda105f90abbd64058 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 31 Mar 2021 10:23:15 +0200
Subject: [PATCH 0502/3088] net/wireguard: assorted simple changes

---
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 50 ++++++++--------
 .../forms/dialogEditWireguardServer.xml       |  1 +
 .../app/views/OPNsense/Wireguard/general.volt | 58 +++++++++----------
 .../scripts/OPNsense/Wireguard/genkey.sh      | 18 +++---
 .../conf/actions.d/actions_wireguard.conf     | 20 +++----
 .../src/www/widgets/include/wireguard.inc     |  1 +
 .../www/widgets/widgets/wireguard.widget.php  |  2 +-
 7 files changed, 72 insertions(+), 78 deletions(-)

diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index 42c4f7b051..f4f58fffdf 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -1,30 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * TERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 function wireguard_enabled()
 {
@@ -41,7 +41,7 @@ function wireguard_services()
     }
 
     $services[] = array(
-        'description' => gettext('Wireguard VPN'),
+        'description' => gettext('WireGuard VPN'),
         'configd' => array(
             'restart' => array('wireguard restart'),
             'start' => array('wireguard start'),
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
index 9354e8abfe..1a11881210 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
@@ -48,6 +48,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
+        <advanced>true</advanced>
         <help>Set the interface specific DNS server.</help>
     </field>
     <field>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
index fa720d7042..60c1c6c390 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -1,31 +1,29 @@
 {#
-
-OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
-This file is Copyright © 2018 by Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ # OPNsense (c) 2014-2018 by Deciso B.V.
+ # OPNsense (c) 2018 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
@@ -42,7 +40,7 @@ POSSIBILITY OF SUCH DAMAGE.
             {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
             <div class="col-md-12">
                 <hr />
-                <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_progress"></i></button>
+                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
             </div>
         </div>
     </div>
@@ -71,7 +69,7 @@ POSSIBILITY OF SUCH DAMAGE.
         </table>
         <div class="col-md-12">
             <hr />
-            <button class="btn btn-primary"  id="saveAct_client" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_client_progress"></i></button>
+            <button class="btn btn-primary" id="saveAct_client" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_client_progress"></i></button>
             <br /><br />
         </div>
     </div>
@@ -100,7 +98,7 @@ POSSIBILITY OF SUCH DAMAGE.
         </table>
         <div class="col-md-12">
             <hr />
-            <button class="btn btn-primary"  id="saveAct_server" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_server_progress"></i></button>
+            <button class="btn btn-primary" id="saveAct_server" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_server_progress"></i></button>
             <br /><br />
         </div>
     </div>
diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
index 1cb5e59201..b580bf49dc 100755
--- a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
+++ b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
@@ -30,8 +30,8 @@ GENPRIV="/usr/local/bin/wg genkey"
 GENPUB="/usr/local/bin/wg pubkey"
 
 cleanup() {
-  # Delete old files
-  rm -f $TMPDIR/wireguard.*
+	# Delete old files
+	rm -f $TMPDIR/wireguard.*
 }
 
 private() {
@@ -45,11 +45,11 @@ public() {
 }
 
 case "$1" in
-        private)
-                cleanup
-                private
-                ;;
-        public)
-                public
-                ;;
+private)
+	cleanup
+	private
+	;;
+public)
+	public
+	;;
 esac
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 38a58fa0c8..3257da26d0 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -5,13 +5,13 @@ command:
     /usr/local/etc/rc.routing_configure
 parameters:
 type:script
-message:starting Wireguard
+message:Starting WireGuard
 
 [stop]
 command:/usr/local/etc/rc.d/wireguard stop
 parameters:
 type:script
-message:stopping Wireguard
+message:Stopping WireGuard
 
 [restart]
 command:
@@ -20,29 +20,23 @@ command:
     /usr/local/etc/rc.routing_configure
 parameters:
 type:script
-message:restarting Wireguard
-description: Restart Wireguard
+message:Restarting WireGuard
+description: Restart WireGuard
 
 [genkey]
 command:/usr/local/opnsense/scripts/OPNsense/Wireguard/genkey.sh
 parameters: %s
 type:script_output
-message:generating Wireguard keys
+message:Generating WireGuard keys
 
 [showconf]
 command:/usr/local/bin/wg show all
 parameters:
 type:script_output
-message:show Wireguard config
+message:Show WireGuard config
 
 [showhandshake]
 command:/usr/local/bin/wg show all latest-handshakes
 parameters:
 type:script_output
-message:show Wireguard handshakes
-
-[widget]
-command:/usr/local/bin/wg show all latest-handshakes
-parameters:
-type:script_output
-message:show Wireguard handshakes for widget
+message:Show WireGuard handshakes
diff --git a/net/wireguard/src/www/widgets/include/wireguard.inc b/net/wireguard/src/www/widgets/include/wireguard.inc
index 4d93377615..b95fc1fa6f 100644
--- a/net/wireguard/src/www/widgets/include/wireguard.inc
+++ b/net/wireguard/src/www/widgets/include/wireguard.inc
@@ -1,3 +1,4 @@
 <?php
 
 $wireguard_title = gettext('WireGuard');
+$wireguard_title_link = 'ui/wireguard/general/index';
diff --git a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
index 95bc8eab67..792743af99 100644
--- a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
+++ b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
@@ -30,7 +30,7 @@
 require_once("guiconfig.inc");
 require_once("widgets/include/wireguard.inc");
 
-$data = trim(configd_run("wireguard widget"));
+$data = trim(configd_run('wireguard showhandshake'));
 
 $empty = strlen($data) == 0;
 ?>

From cd055ae707f719c2d3e3627b977c8fc155dfaacc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 31 Mar 2021 10:31:18 +0200
Subject: [PATCH 0503/3088] net/wireguard: typo in refactor

---
 net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index f4f58fffdf..68de9927ee 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -20,7 +20,7 @@
  * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
  * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * TERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.

From a4fab385be7c9a171872e495b6cbe403d32e31c9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 31 Mar 2021 11:41:13 +0200
Subject: [PATCH 0504/3088] net/wireguard: make listen port optional, reformat
 config and header style

---
 .../Wireguard/Api/ServerController.php        | 42 +++++++++----------
 .../forms/dialogEditWireguardServer.xml       |  2 +-
 .../app/models/OPNsense/Wireguard/Server.xml  |  3 +-
 .../OPNsense/Wireguard/wireguard-server.conf  |  9 ++--
 4 files changed, 27 insertions(+), 29 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
index c505ecb2ab..a492e93802 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Wireguard\Api;
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
index 1a11881210..3667908a88 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
@@ -33,7 +33,7 @@
         <id>server.port</id>
         <label>Listen Port</label>
         <type>text</type>
-        <help>Set port for this instance to listen on.</help>
+        <help>Optionally set a fixed port for this instance to listen on. The standard port range starts at 51820.</help>
     </field>
     <field>
         <id>server.mtu</id>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 01bae78842..c5ff1d90f4 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -28,8 +28,7 @@
                     <Required>N</Required>
                 </privkey>
                 <port type="PortField">
-                    <default>51820</default>
-                    <Required>Y</Required>
+                    <Required>N</Required>
                 </port>
                 <mtu type="IntegerField">
                     <MinimumValue>1</MinimumValue>
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
index 0d07a5ff3e..374c3c82ba 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
@@ -1,19 +1,20 @@
 {% if helpers.exists('OPNsense.wireguard.general.enabled') and OPNsense.wireguard.general.enabled == '1' %}
-
 {% if helpers.exists('OPNsense.wireguard.server.servers.server') %}
 {%   for server_list in helpers.toList('OPNsense.wireguard.server.servers.server') %}
 {%     if TARGET_FILTERS['OPNsense.wireguard.server.servers.server.' ~ loop.index0] or TARGET_FILTERS['OPNsense.wireguard.server.servers.server'] %}
 {%       if server_list.enabled == '1' %}
 [Interface]
+PrivateKey = {{ server_list.privkey }}
 Address = {{ server_list.tunneladdress }}
+{%         if server_list.port|default('') != '' %}
+ListenPort = {{ server_list.port }}
+{%         endif %}
 {%         if server_list.dns|default('') != '' %}
 DNS = {{ server_list.dns }}
 {%         endif %}
 {%         if server_list.mtu|default('') != '' %}
 MTU = {{ server_list.mtu }}
 {%         endif %}
-ListenPort = {{ server_list.port }}
-PrivateKey = {{ server_list.privkey }}
 {%         if server_list.disableroutes == '1' %}
 Table = off
 {%         endif %}
@@ -25,6 +26,7 @@ PostDown = route {{- ' -6' if ':' in server_list.gateway }} del {{ server_list.g
 {%           for peerlist in server_list.peers.split(",") %}
 {%             set peerlist2_data = helpers.getUUID(peerlist) %}
 {%             if peerlist2_data != {} and peerlist2_data.enabled == '1' %}
+
 [Peer]
 PublicKey = {{ peerlist2_data.pubkey }}
 {%               if peerlist2_data.psk|default('') != '' %}
@@ -44,5 +46,4 @@ PersistentKeepalive = {{ peerlist2_data.keepalive }}
 {%     endif %}
 {%   endfor %}
 {% endif %}
-
 {% endif %}

From aed72a5fec7bac71ef8f9d4c08be08a757ea1a39 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 31 Mar 2021 11:50:38 +0200
Subject: [PATCH 0505/3088] net/wireguard: small update to mimic default demo
 configuration

---
 .../service/templates/OPNsense/Wireguard/wireguard-server.conf  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
index 374c3c82ba..82db761908 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
@@ -32,10 +32,10 @@ PublicKey = {{ peerlist2_data.pubkey }}
 {%               if peerlist2_data.psk|default('') != '' %}
 PresharedKey = {{ peerlist2_data.psk }}
 {%               endif %}
-AllowedIPs = {{ peerlist2_data.tunneladdress }}
 {%               if peerlist2_data.serveraddress|default('') != '' %}
 Endpoint = {{ peerlist2_data.serveraddress }}:{{ peerlist2_data.serverport }}
 {%               endif %}
+AllowedIPs = {{ peerlist2_data.tunneladdress }}
 {%               if peerlist2_data.keepalive|default('') != '' %}
 PersistentKeepalive = {{ peerlist2_data.keepalive }}
 {%               endif %}

From 16f3522d08d30919b17e66bdec38352ef4c75208 Mon Sep 17 00:00:00 2001
From: tiny6996 <mathias.palmersheim@mathiasp.me>
Date: Fri, 2 Apr 2021 13:18:23 -0500
Subject: [PATCH 0506/3088] fixes #2239 addes suricata eve.json as input
 (#2309)

---
 net-mgmt/telegraf/Makefile                                | 2 +-
 net-mgmt/telegraf/pkg-descr                               | 3 +++
 .../mvc/app/controllers/OPNsense/Telegraf/forms/input.xml | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml  | 4 ++++
 .../service/templates/OPNsense/Telegraf/telegraf.conf     | 8 ++++++++
 5 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index c5279eb7ab..fc30142acd 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.9.0
+PLUGIN_VERSION=		1.10.0
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index b49f834fbc..2bd64b400e 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -10,6 +10,9 @@ Kafka, MQTT, NSQ, and many others.
 
 Plugin Changelog
 ================
+1.10.0
+
+* Add intrusion detection alert input
 
 1.9.0
 
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
index d7ec44fbba..992c4bb375 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
@@ -137,4 +137,10 @@
         <type>checkbox</type>
         <help>Can increase metric gather times.</help>
     </field>
+    <field>
+        <id>input.intrusion_detection_alerts</id>
+        <label>Intrusion Dectection Alerts</label>
+        <type>checkbox</type>
+        <help>Requires Intrustion detection alerts are stored locally.</help>
+   </field>
 </form>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index c3b090acf7..588f3061cf 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -121,5 +121,9 @@
             <default></default>
             <Required>N</Required>
         </datadog_apikey>
+        <intrusion_detection_alerts type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </intrusion_detection_alerts>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 07d1d38b82..09bff97eee 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -252,6 +252,14 @@
 {%   else %}
   dns_lookup = false
 {%   endif %}
+{% if helpers.exists('OPNsense.telegraf.input.intrusion_detection_alerts') and OPNsense.telegraf.input.intrusion_detection_alerts == '1' %}
+[[inputs.tail]]
+  data_format = "json"
+  files = ["/var/log/suricata/eve.json"]
+  name_override = "suricata"
+  tag_keys = ["event_type","src_ip","src_port","dest_ip","dest_port"]
+  json_string_fields = ["*"]
+{% endif %}
 {% endif %}
 
 {% endif %}

From 600290ce200558017e0f157430564e5cd796a13c Mon Sep 17 00:00:00 2001
From: Christian Brueffer <christian@brueffer.io>
Date: Tue, 6 Apr 2021 11:21:55 +0200
Subject: [PATCH 0507/3088] mail/postfix: fix a bunch of parameter description
 typos. (#2317)

---
 .../app/controllers/OPNsense/Postfix/forms/general.xml    | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 97d2d23230..0b7f475da0 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -81,7 +81,7 @@
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Masquerade internal domains to the outside. When you set example.com, the domain host.internal.example.com will be rewritten to exmaple.com when mail leaves the system.</help>
+        <help>Masquerade internal domains to the outside. When you set example.com, the domain host.internal.example.com will be rewritten to example.com when mail leaves the system.</help>
     </field>
     <field>
         <id>general.disable_ssl</id>
@@ -148,7 +148,7 @@
         <label>Enforce Recipient Relay Check</label>
         <type>checkbox</type>
         <advanced>true</advanced>
-        <help>If you enable this, every entry in Recipients will be checked against. When there is no match mail will be rejected. Be aware that it does not matter if the action is "OK" or "REJECT". This setup allows you to run postfix in front of an internal system and already rejecting unsolicited mail at the border.</help>
+        <help>If you enable this, every entry in Recipients will be checked against. When there is no match mail will be rejected. Be aware that it does not matter if the action is "OK" or "REJECT". This setup allows you to run postfix in front of an internal system and already reject unsolicited mail at the border.</help>
     </field>
     <field>
         <id>general.extensive_helo_restrictions</id>
@@ -162,7 +162,7 @@
     </field>
     <field>
         <id>general.reject_unknown_client_hostname</id>
-        <label>Reject Unkown Client Hostname</label>
+        <label>Reject Unknown Client Hostname</label>
         <type>checkbox</type>
     </field>
     <field>
@@ -177,7 +177,7 @@
     </field>
      <field>
         <id>general.reject_unknown_helo_hostname</id>
-        <label>Reject Unkown HELO Hostname</label>
+        <label>Reject Unknown HELO Hostname</label>
         <type>checkbox</type>
     </field>
     <field>

From 41bbb4872fe4cfed35d6eef454fdda7fe04a9fd7 Mon Sep 17 00:00:00 2001
From: Christian Brueffer <christian@brueffer.io>
Date: Tue, 6 Apr 2021 12:17:28 +0200
Subject: [PATCH 0508/3088] mail/postfix: fix more label/help typos. (#2318)

---
 .../mvc/app/controllers/OPNsense/Postfix/forms/general.xml  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 0b7f475da0..1ad688f19d 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -123,7 +123,7 @@
         <id>general.relayhost</id>
         <label>Smart Host</label>
         <type>text</type>
-        <help>Set the IP address or FQDN where all outgoung mails are sent to.</help>
+        <help>Set the IP address or FQDN where all outgoing mails are sent to.</help>
     </field>
     <field>
         <id>general.smtpauth_enabled</id>
@@ -198,13 +198,13 @@
     </field>
     <field>
         <id>general.reject_non_fqdn_sender</id>
-        <label>Reject Non FQDN Sender</label>
+        <label>Reject Non-FQDN Sender</label>
         <type>checkbox</type>
         <help>For example senders without a domain or only a hostname.</help>
     </field>
     <field>
         <id>general.reject_non_fqdn_recipient</id>
-        <label>Reject Non FQDN Recipient</label>
+        <label>Reject Non-FQDN Recipient</label>
         <type>checkbox</type>
         <help>For example recipients without a domain or only a hostname.</help>
     </field>

From 926d426442d2e3401d0e296ee54d512de3137dce Mon Sep 17 00:00:00 2001
From: Christian Brueffer <christian@brueffer.io>
Date: Tue, 6 Apr 2021 12:22:20 +0200
Subject: [PATCH 0509/3088] sysutils/munin-node: fix description typo. (#2242)

---
 README.md                    | 2 +-
 sysutils/munin-node/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 78311c2290..80ca245301 100644
--- a/README.md
+++ b/README.md
@@ -94,7 +94,7 @@ sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
 sysutils/mail-backup -- Send configuration file backup by e-mail
-sysutils/munin-node -- Munin monitorin agent
+sysutils/munin-node -- Munin monitoring agent
 sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
 sysutils/smart -- SMART tools
diff --git a/sysutils/munin-node/Makefile b/sysutils/munin-node/Makefile
index 9012e10407..95702e163b 100644
--- a/sysutils/munin-node/Makefile
+++ b/sysutils/munin-node/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		munin-node
 PLUGIN_VERSION=		1.0
 PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		Munin monitorin agent
+PLUGIN_COMMENT=		Munin monitoring agent
 PLUGIN_DEPENDS=		munin-node
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 

From 6a42c655b67eb8c56b61438c362d67bf832c4ec4 Mon Sep 17 00:00:00 2001
From: Christian Brueffer <christian@brueffer.io>
Date: Tue, 6 Apr 2021 14:17:54 +0200
Subject: [PATCH 0510/3088] mail/postfix: more typo fixes. (#2319)

---
 .../OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml     | 2 +-
 .../mvc/app/controllers/OPNsense/Postfix/forms/general.xml      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml
index bde023d7db..5fe46d1414 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/dialogEditPostfixHeadercheck.xml
@@ -16,6 +16,6 @@
         <label>Process filter</label>
         <type>dropdown</type>
         <help><![CDATA[Set when the header_check should be processed.<br>See the <a href="http://www.postfix.org/header_checks.5.html" target="_blank">Postfix manual about header_checks(5)</a>]]></help>
-        <hint>RECEIVING = header_checks / DELIVERING =  smtp_header_checks</hint>
+        <hint>RECEIVING = header_checks / DELIVERING = smtp_header_checks</hint>
     </field>
 </form>
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 1ad688f19d..7b21cc1300 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -73,7 +73,7 @@
         <id>general.message_size_limit</id>
         <label>Message Size Limit</label>
         <type>text</type>
-        <help>Set the max size for messages to accept, default is 501200000 Byte which is 50MB. Values must be entered in Bytes.</help>
+        <help>Set the max size for messages to accept, default is 51200000 Bytes which is 50MB. Values must be entered in Bytes.</help>
     </field>
     <field>
         <id>general.masquerade_domains</id>

From 8ef4dbf1989da018ceeb9d2b8f99b01a2af84917 Mon Sep 17 00:00:00 2001
From: Hippi Viking <33314937+hippi-viking@users.noreply.github.com>
Date: Wed, 7 Apr 2021 07:30:52 +0000
Subject: [PATCH 0511/3088] Allow maltrail sensor periodic restart from webGUI
 (#2322)

Maltrail sensor is a memory hog (or it might leak memory), if I don't restart it every few days it crashes with OOM or worst case it takes suricata and/or ntopng with it as well. The commit makes the Maltrail sensor restart option visible webGUI's cron settings to make restarting convenient.
---
 .../opnsense/service/conf/actions.d/actions_maltrailsensor.conf  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailsensor.conf b/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailsensor.conf
index fa6090dd0b..51b2c66536 100644
--- a/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailsensor.conf
+++ b/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailsensor.conf
@@ -15,6 +15,7 @@ command:/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh;/usr/local/etc/rc
 parameters:
 type:script
 message:restarting Maltrail sensor
+description:Restart Maltrail sensor
 
 [status]
 command:/usr/local/etc/rc.d/opnsense-maltrailsensor status;exit 0

From c890b9795280a865bf4c9b94aefda7d9b344c87d Mon Sep 17 00:00:00 2001
From: definitio <37266727+definitio@users.noreply.github.com>
Date: Thu, 8 Apr 2021 13:22:40 +0300
Subject: [PATCH 0512/3088] Update HAProxy OCSP stapling via local UNIX socket

---
 .../src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
index 12c4c8724e..6bf8af9283 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
@@ -18,6 +18,7 @@
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 HAPROXY_DIR="/tmp/haproxy/ssl"
+HAPROXY_SOCKET="/var/run/haproxy.socket"
 
 for _pem in "$HAPROXY_DIR"/*.pem; do
     cert_file="$(basename "$_pem")"
@@ -64,6 +65,11 @@ for _pem in "$HAPROXY_DIR"/*.pem; do
 
             if [ "${_ret}" != "0" ]; then
                 echo "Updating OCSP stapling failed with return code ${_ret}"
+            else
+                _update="$(openssl enc -base64 -A -in "${_ocsp}")"
+                if ! echo "set ssl ocsp-response ${_update}" | socat stdio $HAPROXY_SOCKET; then
+                    echo "Updating haproxy OCSP stapling via socket failed"
+                fi
             fi
         fi
     fi

From bf8329957a1778beacf8ee02e5aef0a8488ff7a7 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 10 Apr 2021 09:58:02 +0200
Subject: [PATCH 0513/3088] net-mgmt/netdata: allow to set IPv6 address (#1914)

---
 net-mgmt/netdata/Makefile                            |  3 +--
 net-mgmt/netdata/pkg-descr                           | 12 ++++++++++++
 .../service/templates/OPNsense/Netdata/netdata.conf  |  3 ++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/netdata/Makefile b/net-mgmt/netdata/Makefile
index 3c5fd6b740..cb657ff660 100644
--- a/net-mgmt/netdata/Makefile
+++ b/net-mgmt/netdata/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		netdata
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Real-time performance monitoring
 PLUGIN_DEPENDS=		netdata
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/netdata/pkg-descr b/net-mgmt/netdata/pkg-descr
index e53440aa38..3fc3732e14 100644
--- a/net-mgmt/netdata/pkg-descr
+++ b/net-mgmt/netdata/pkg-descr
@@ -7,3 +7,15 @@ happening on the systems it runs (including web servers, databases,
 applications), using highly interactive web dashboards.
 
 WWW: https://github.com/netdata/netdata
+
+
+Plugin Changelog
+================
+
+1.1
+
+* Allow listening to IPv6 address
+
+1.0
+
+* Allow to set listening IP and port
diff --git a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
index 4b5504a5b5..105254bcc2 100644
--- a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
+++ b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
@@ -10,7 +10,8 @@
 # global netdata configuration
 [global]
         history = 86400
-        bind to = {{ OPNsense.netdata.general.listen }}
+        bind to = {% if ':' in OPNsense.netdata.general.listen %}[{{ OPNsense.netdata.general.listen }}]{% else %} {{ OPNsense.netdata.general.listen }}{% endif %}
+        
         disconnect idle web clients after seconds = 3600
         run as user = netdata
         web files owner = netdata

From b6530b6e6205b5869ae6d601385bface9e632c26 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 10 Apr 2021 10:06:16 +0200
Subject: [PATCH 0514/3088] mail/fetchmail: New plugin (#2093)

---
 mail/fetchmail/Makefile                       |  8 ++
 mail/fetchmail/pkg-descr                      | 15 +++
 .../src/etc/inc/plugins.inc.d/fetchmail.inc   | 49 ++++++++++
 .../Fetchmail/Api/GeneralController.php       | 37 ++++++++
 .../Fetchmail/Api/MailboxController.php       | 67 ++++++++++++++
 .../Fetchmail/Api/ServiceController.php       | 43 +++++++++
 .../OPNsense/Fetchmail/GeneralController.php  | 38 ++++++++
 .../OPNsense/Fetchmail/MailboxController.php  | 38 ++++++++
 .../forms/dialogEditFetchmailMailbox.xml      | 56 ++++++++++++
 .../OPNsense/Fetchmail/forms/general.xml      | 14 +++
 .../app/models/OPNsense/Fetchmail/ACL/ACL.xml |  9 ++
 .../app/models/OPNsense/Fetchmail/General.php | 34 +++++++
 .../app/models/OPNsense/Fetchmail/General.xml | 15 +++
 .../app/models/OPNsense/Fetchmail/Mailbox.php | 34 +++++++
 .../app/models/OPNsense/Fetchmail/Mailbox.xml | 45 +++++++++
 .../models/OPNsense/Fetchmail/Menu/Menu.xml   |  8 ++
 .../app/views/OPNsense/Fetchmail/general.volt | 61 +++++++++++++
 .../app/views/OPNsense/Fetchmail/mailbox.volt | 91 +++++++++++++++++++
 .../scripts/OPNsense/Fetchmail/setup.sh       |  5 +
 .../conf/actions.d/actions_fetchmail.conf     | 24 +++++
 .../templates/OPNsense/Fetchmail/+TARGETS     |  2 +
 .../templates/OPNsense/Fetchmail/fetchmail    |  6 ++
 .../templates/OPNsense/Fetchmail/fetchmailrc  | 14 +++
 23 files changed, 713 insertions(+)
 create mode 100644 mail/fetchmail/Makefile
 create mode 100644 mail/fetchmail/pkg-descr
 create mode 100644 mail/fetchmail/src/etc/inc/plugins.inc.d/fetchmail.inc
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/GeneralController.php
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/MailboxController.php
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/ServiceController.php
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/GeneralController.php
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/MailboxController.php
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/dialogEditFetchmailMailbox.xml
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/general.xml
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/ACL/ACL.xml
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.xml
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.php
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Menu/Menu.xml
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/general.volt
 create mode 100644 mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/mailbox.volt
 create mode 100644 mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
 create mode 100644 mail/fetchmail/src/opnsense/service/conf/actions.d/actions_fetchmail.conf
 create mode 100644 mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/+TARGETS
 create mode 100644 mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmail
 create mode 100644 mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc

diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
new file mode 100644
index 0000000000..a2a871f380
--- /dev/null
+++ b/mail/fetchmail/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		fetchmail
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		Remote-mail retrieval utility
+PLUGIN_DEPENDS=		fetchmail
+PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_DEVEL=       yes
+
+.include "../../Mk/plugins.mk"
diff --git a/mail/fetchmail/pkg-descr b/mail/fetchmail/pkg-descr
new file mode 100644
index 0000000000..8ae7146501
--- /dev/null
+++ b/mail/fetchmail/pkg-descr
@@ -0,0 +1,15 @@
+Fetchmail is a full-featured, robust, well-documented remote-mail retrieval and forwarding
+utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections).
+It supports every remote-mail protocol now in use on the Internet: POP2, POP3, RPOP, APOP,
+KPOP, all flavors of IMAP, ETRN, and ODMR.
+
+Plugin Changelog
+================
+
+1.0
+
+* Allow fetching IMAP mailboxes
+* Allow fetching POP3 mailboxes
+
+
+WWW: https://www.fetchmail.info/
diff --git a/mail/fetchmail/src/etc/inc/plugins.inc.d/fetchmail.inc b/mail/fetchmail/src/etc/inc/plugins.inc.d/fetchmail.inc
new file mode 100644
index 0000000000..1243a3e6ef
--- /dev/null
+++ b/mail/fetchmail/src/etc/inc/plugins.inc.d/fetchmail.inc
@@ -0,0 +1,49 @@
+<?php
+
+/*
+    Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function fetchmail_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (isset($config['OPNsense']['fetchmail']['general']['enabled']) && $config['OPNsense']['fetchmail']['general']['enabled'] == 1) {
+        $services[] = array(
+            'description' => gettext('Fetchmail'),
+            'configd' => array(
+                'restart' => array('fetchmail restart'),
+                'start' => array('fetchmail start'),
+                'stop' => array('fetchmail stop'),
+            ),
+            'name' => 'fetchmail',
+            'pidfile' => '/var/run/fetchmail/fetchmail.pid'
+        );
+    }
+
+    return $services;
+}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/GeneralController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/GeneralController.php
new file mode 100644
index 0000000000..3a9d3ba8f8
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/GeneralController.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Fetchmail\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Fetchmail\General';
+    protected static $internalModelName = 'general';
+}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/MailboxController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/MailboxController.php
new file mode 100644
index 0000000000..403c36152b
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/MailboxController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Fetchmail\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class MailboxController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'mailbox';
+    protected static $internalModelClass = '\OPNsense\Fetchmail\Mailbox';
+
+    public function searchMailboxAction()
+    {
+        return $this->searchBase('mailboxes.mailbox', array("enabled", "host", "protocol", "user", "password", "destinationmail", "destination"));
+    }
+
+    public function getMailboxAction($uuid = null)
+    {
+        return $this->getBase('mailbox', 'mailboxes.mailbox', $uuid);
+    }
+
+    public function addMailboxAction()
+    {
+        return $this->addBase('mailbox', 'mailboxes.mailbox');
+    }
+
+    public function delMailboxAction($uuid)
+    {
+        return $this->delBase('mailboxes.mailbox', $uuid);
+    }
+
+    public function setMailboxAction($uuid)
+    {
+        return $this->setBase('mailbox', 'mailboxes.mailbox', $uuid);
+    }
+
+    public function toggleMailboxAction($uuid)
+    {
+        return $this->toggleBase('mailboxes.mailbox', $uuid);
+    }
+}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/ServiceController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/ServiceController.php
new file mode 100644
index 0000000000..d3ea06f1aa
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/ServiceController.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Fetchmail\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\Fetchmail
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Fetchmail\General';
+    protected static $internalServiceTemplate = 'OPNsense/Fetchmail';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'fetchmail';
+}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/GeneralController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/GeneralController.php
new file mode 100644
index 0000000000..dde96e5211
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/GeneralController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Fetchmail;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->pick('OPNsense/Fetchmail/general');
+    }
+}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/MailboxController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/MailboxController.php
new file mode 100644
index 0000000000..1417158fdd
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/MailboxController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Fetchmail;
+
+class MailboxController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->formDialogEditFetchmailMailbox = $this->getForm("dialogEditFetchmailMailbox");
+        $this->view->pick('OPNsense/Fetchmail/mailbox');
+    }
+}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/dialogEditFetchmailMailbox.xml b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/dialogEditFetchmailMailbox.xml
new file mode 100644
index 0000000000..98307b4d4e
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/dialogEditFetchmailMailbox.xml
@@ -0,0 +1,56 @@
+<form>
+    <field>
+        <id>mailbox.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the mailbox retrieving.</help>
+    </field>
+    <field>
+        <id>mailbox.host</id>
+        <label>Host</label>
+        <type>text</type>
+        <help>Hostname of the mail server where mailbox is located.</help>
+    </field>
+    <field>
+        <id>mailbox.protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help>Choose the protocol to use.</help>
+    </field>
+    <field>
+        <id>mailbox.user</id>
+        <label>Username</label>
+        <type>text</type>
+        <help>Username to authenticate against remote mail server.</help>
+    </field>
+    <field>
+        <id>mailbox.password</id>
+        <label>Password</label>
+        <type>text</type>
+        <help>Password to authenticate against remote mail server.</help>
+    </field>
+    <field>
+        <id>mailbox.destinationmail</id>
+        <label>Destination Email</label>
+        <type>text</type>
+        <help>Set the mail address to deliver fetched mails to.</help>
+    </field>
+    <field>
+        <id>mailbox.destination</id>
+        <label>Destination Host</label>
+        <type>text</type>
+        <help>Set the mail server hostname or IP to deliver fetched mails to.</help>
+    </field>
+    <field>
+        <id>mailbox.usessl</id>
+        <label>Use SSL</label>
+        <type>checkbox</type>
+        <help>This will enable or disable usage of encrypted connections. For IMAP and POP3 it will switch the ports to 993 and 995.</help>
+    </field>
+    <field>
+        <id>mailbox.sslfingerprint</id>
+        <label>Certificate Fingerprint</label>
+        <type>text</type>
+        <help>If the server is using a self-signed certificate, the only option fetching mails is to enter the certficiate fingerprint here.</help>
+    </field>
+</form>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/general.xml b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/general.xml
new file mode 100644
index 0000000000..ac02481893
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/general.xml
@@ -0,0 +1,14 @@
+<form>
+    <field>
+        <id>general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>This will activate the Fetchmail daemon.</help>
+    </field>
+    <field>
+        <id>general.interval</id>
+        <label>Interval</label>
+        <type>text</type>
+        <help>Interval in seconds how often to retrieve mails.</help>
+    </field>
+</form>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/ACL/ACL.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/ACL/ACL.xml
new file mode 100644
index 0000000000..e3727a40ad
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-fetchmail>
+        <name>Services: Fetchmail</name>
+        <patterns>
+            <pattern>ui/fetchmail/*</pattern>
+            <pattern>api/fetchmail/*</pattern>
+        </patterns>
+    </page-services-fetchmail>
+</acl>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
new file mode 100644
index 0000000000..7c5a75d762
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+  *ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+ 
+namespace OPNsense\Fetchmail;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.xml
new file mode 100644
index 0000000000..09cb296c5f
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.xml
@@ -0,0 +1,15 @@
+<model>
+    <mount>//OPNsense/fetchmail/general</mount>
+    <description>Fetchmail configuration</description>
+    <version>0.1</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <interval type="IntegerField">
+            <default>600</default>
+            <Required>Y</Required>
+        </interval>
+    </items>
+</model>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.php b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.php
new file mode 100644
index 0000000000..e843ede942
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+  *ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Fetchmail;
+
+use OPNsense\Base\BaseModel;
+
+class Mailbox extends BaseModel
+{
+}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
new file mode 100644
index 0000000000..fe711b2c1a
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
@@ -0,0 +1,45 @@
+<model>
+    <mount>//OPNsense/fetchmail/mailbox</mount>
+    <description>Fetchmail configuration</description>
+    <version>0.1</version>
+    <items>
+        <mailboxes>
+            <mailbox type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <host type="HostnameField">
+                    <Required>Y</Required>
+                </host>
+                <protocol type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <pop3>POP3</pop3>
+                        <imap>IMAP</imap>
+                    </OptionValues>
+                </protocol>
+                <user type="TextField">
+                    <Required>Y</Required>
+                </user>
+                <password type="TextField">
+                    <Required>Y</Required>
+                </password>
+                <destinationmail type="EmailField">
+                    <Required>Y</Required>
+                </destinationmail>
+                <destination type="HostnameField">
+                    <Required>Y</Required>
+                </destination>
+                <usessl type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </usessl>
+                <sslfingerprint type="TextField">
+                    <Required>N</Required>
+                    <mask>/^[A-Fa-f0-9\:]$/</mask>
+                </sslfingerprint>                
+            </mailbox>
+        </mailboxes>
+    </items>
+</model>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Menu/Menu.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Menu/Menu.xml
new file mode 100644
index 0000000000..59c8854d8c
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+  <Services>
+    <Fetchmail cssClass="fa fa-envelope fa-fw">
+      <General url="/ui/fetchmail/general/index" order="10"/>
+      <Mailbox url="/ui/fetchmail/mailbox/index" order="20"/>
+    </Fetchmail>
+  </Services>
+</menu>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/general.volt b/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/general.volt
new file mode 100644
index 0000000000..77f259c4c3
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/general.volt
@@ -0,0 +1,61 @@
+{#
+ #
+ # Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+<div class="tab-content content-box tab-content">
+    <div id="general" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+            </div>
+        </div>
+    </div>
+</div>
+
+<script>
+    $( document ).ready(function () {
+        var data_get_map = {'frm_general_settings':"/api/fetchmail/general/get"};
+        mapDataToFormUI(data_get_map).done(function (data) {
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        updateServiceControlUI('fetchmail');
+
+        // link save button to API set action
+        $("#saveAct").click(function () {
+            saveFormToEndpoint(url="/api/fetchmail/general/set", formid='frm_general_settings',callback_ok=function () {
+                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+                ajaxCall(url="/api/fetchmail/service/reconfigure", sendData={}, callback=function (data,status) {
+                    updateServiceControlUI('fetchmail');
+                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+
+    });
+</script>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/mailbox.volt b/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/mailbox.volt
new file mode 100644
index 0000000000..3be00f23d7
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/mailbox.volt
@@ -0,0 +1,91 @@
+{#
+ #
+ # Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+<div class="tab-content content-box tab-content">
+    <div id="mailbox" class="tab-pane fade in active">
+        <table id="grid-mailbox" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="dialogEditFetchmailMailbox">
+            <thead>
+            <tr>
+                <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="host" data-type="string" data-visible="true">{{ lang._('Host') }}</th>
+                <th data-column-id="protocol" data-type="string" data-visible="true">{{ lang._('Protocol') }}</th>
+                <th data-column-id="user" data-type="string" data-visible="true">{{ lang._('Username') }}</th>
+                <th data-column-id="password" data-type="string" data-visible="true">{{ lang._('Password') }}</th>
+                <th data-column-id="destination" data-type="string" data-visible="true">{{ lang._('Destination') }}</th>
+                <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+        <div class="col-md-12">
+            <hr/>
+            <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress" class=""></i></button>
+            <br/><br/>
+        </div>
+    </div>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditFetchmailMailbox,'id':'dialogEditFetchmailMailbox','label':lang._('Edit Mailbox')])}}
+
+<script>
+
+$(function() {
+
+    $("#grid-mailbox").UIBootgrid(
+        {   'search':'/api/fetchmail/mailbox/searchMailbox',
+            'get':'/api/fetchmail/mailbox/getMailbox/',
+            'set':'/api/fetchmail/mailbox/setMailbox/',
+            'add':'/api/fetchmail/mailbox/addMailbox/',
+            'del':'/api/fetchmail/mailbox/delMailbox/',
+            'toggle':'/api/fetchmail/mailbox/toggleMailbox/'
+        }
+    );
+
+    updateServiceControlUI('fetchmail');
+
+    $("#saveAct").click(function(){
+        saveFormToEndpoint(url="/api/fetchmail/mailbox/set", formid='frm_general_settings',callback_ok=function(){
+        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url="/api/fetchmail/service/reconfigure", sendData={}, callback=function(data,status) {
+                updateServiceControlUI('fetchmail');
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+            });
+        });
+    });
+
+});
+</script>
diff --git a/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh b/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
new file mode 100644
index 0000000000..394e49ce40
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+mkdir -p /var/run/fetchmail
+chown fetchmail:wheel /var/run/fetchmail
+chmod 755 /var/run/fetchmail
diff --git a/mail/fetchmail/src/opnsense/service/conf/actions.d/actions_fetchmail.conf b/mail/fetchmail/src/opnsense/service/conf/actions.d/actions_fetchmail.conf
new file mode 100644
index 0000000000..9c38206dba
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/service/conf/actions.d/actions_fetchmail.conf
@@ -0,0 +1,24 @@
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/Fetchmail/setup.sh;/usr/local/etc/rc.d/fetchmail start
+parameters:
+type:script
+message:starting Fetchmail
+
+[stop]
+command:/usr/local/etc/rc.d/fetchmail stop; exit 0
+parameters:
+type:script
+message:stopping Fetchmail
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/Fetchmail/setup.sh;/usr/local/etc/rc.d/fetchmail restart
+parameters:
+type:script
+message:restarting Fetchmail
+description:Restart Fetchmail service
+
+[status]
+command:/usr/local/etc/rc.d/fetchmail status;exit 0
+parameters:
+type:script_output
+message:request Fetchmail status
diff --git a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/+TARGETS b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/+TARGETS
new file mode 100644
index 0000000000..014ce2e157
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/+TARGETS
@@ -0,0 +1,2 @@
+fetchmailrc:/usr/local/etc/fetchmailrc
+fetchmail:/etc/rc.conf.d/fetchmail
diff --git a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmail b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmail
new file mode 100644
index 0000000000..4a21f3d9c9
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmail
@@ -0,0 +1,6 @@
+{% if helpers.exists('OPNsense.fetchmail.general.enabled') and OPNsense.fetchmail.general.enabled == '1' %}
+fetchmail_var_script="/usr/local/opnsense/scripts/OPNsense/Fetchmail/setup.sh"
+fetchmail_enable="YES"
+{% else %}
+fetchmail_enable="NO"
+{% endif %}
diff --git a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc
new file mode 100644
index 0000000000..3438c2fcf6
--- /dev/null
+++ b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc
@@ -0,0 +1,14 @@
+{% if helpers.exists('OPNsense.fetchmail.general.enabled') and OPNsense.fetchmail.general.enabled == '1' %}
+
+set daemon {{ OPNsense.fetchmail.general.interval }}
+set syslog
+
+{% if helpers.exists('OPNsense.fetchmail.mailbox.mailboxes.mailbox') %}
+{%   for mailbox_list in helpers.toList('OPNsense.fetchmail.mailbox.mailboxes.mailbox') %}
+{%     if mailbox_list.enabled == '1' %}
+poll {{ mailbox_list.host }} protocol {{ mailbox_list.protocol }} username "{{ mailbox_list.user }}" password "{{ mailbox_list.password }}" is {{ mailbox_list.destinationmail }} smtphost {{ mailbox_list.destination }} {% if mailbox_list.usessl == "0" %} sslproto '' {% endif %} {% if mailbox_list.sslfingerprint|default('') != '' %} sslfingerprint "{{ mailbox_list.sslfingerprint }}" {% endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+
+{% endif %}

From e89c92145a16457c7b3e0ebc4a5e900cb9edcc36 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 10 Apr 2021 10:12:23 +0200
Subject: [PATCH 0515/3088] net/chrony: add diagnostics (#2220)

---
 net/chrony/Makefile                           |  3 +-
 net/chrony/pkg-descr                          |  4 ++
 .../OPNsense/Chrony/Api/ServiceController.php | 48 ++++++++++++-
 .../app/views/OPNsense/Chrony/general.volt    | 71 +++++++++++++++++--
 .../conf/actions.d/actions_chrony.conf        | 24 +++++++
 5 files changed, 140 insertions(+), 10 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index a905579e2f..4bfc40a55c 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		chrony
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr
index 4464c2fa7a..c273e65812 100644
--- a/net/chrony/pkg-descr
+++ b/net/chrony/pkg-descr
@@ -4,6 +4,10 @@ better in virtual environments.
 Plugin Changelog
 ----------------
 
+1.2
+
+* Add Diagnostics
+
 1.1
 
 * Add NTS support
diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/ServiceController.php b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/ServiceController.php
index d441d9dc68..e3a6813908 100644
--- a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/ServiceController.php
+++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/Api/ServiceController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2020-2021 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29,6 +29,8 @@
 namespace OPNsense\Chrony\Api;
 
 use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Chrony\General;
 
 class ServiceController extends ApiMutableServiceControllerBase
 {
@@ -36,4 +38,48 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/Chrony';
     protected static $internalServiceEnabled = 'enabled';
     protected static $internalServiceName = 'chrony';
+
+    /**
+     * show chrony sources
+     * @return array
+     */
+    public function chronysourcesAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("chrony chronysources");
+        return array("response" => $response);
+    }
+
+    /**
+     * show chrony stats
+     * @return array
+     */
+    public function chronysourcestatsAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("chrony chronysourcestats");
+        return array("response" => $response);
+    }
+
+    /**
+     * show chrony tracking
+     * @return array
+     */
+    public function chronytrackingAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("chrony chronytracking");
+        return array("response" => $response);
+    }
+
+    /**
+     * show chrony authdata
+     * @return array
+     */
+    public function chronyauthdataAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("chrony chronyauthdata");
+        return array("response" => $response);
+    }
 }
diff --git a/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt b/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
index be8b75de22..00ba994203 100644
--- a/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
+++ b/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
@@ -1,6 +1,6 @@
 {#
  # Copyright (c) 2019 Deciso B.V.
- # Copyright (c) 2020 Michael Muenz <m.muenz@gmail.com>
+ # Copyright (c) 2020-2021 Michael Muenz <m.muenz@gmail.com>
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -25,15 +25,66 @@
  # POSSIBILITY OF SUCH DAMAGE.
  #}
 
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#chronysources">{{ lang._('Sources') }}</a></li>
+    <li><a data-toggle="tab" href="#chronysourcestats">{{ lang._('Source Stats') }}</a></li>
+    <li><a data-toggle="tab" href="#chronytracking">{{ lang._('Tracking') }}</a></li>
+    <li><a data-toggle="tab" href="#chronyauthdata">{{ lang._('Auth Data') }}</a></li>
+</ul>
+
+<div class="tab-content content-box tab-content">
+    <div id="general" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+            </div>
+        </div>
+    </div>
+    <div id="chronysources" class="tab-pane fade in">
+        <pre id="listchronysources"></pre>
+    </div>
+    <div id="chronysourcestats" class="tab-pane fade in">
+        <pre id="listchronysourcestats"></pre>
+    </div>
+    <div id="chronytracking" class="tab-pane fade in">
+        <pre id="listchronytracking"></pre>
+    </div>
+    <div id="chronyauthdata" class="tab-pane fade in">
+        <pre id="listchronyauthdata"></pre>
     </div>
 </div>
 
 <script>
+
+// Put API call into a function, needed for auto-refresh
+function update_chronysources() {
+    ajaxCall(url="/api/chrony/service/chronysources", sendData={}, callback=function(data,status) {
+        $("#listchronysources").text(data['response']);
+    });
+}
+
+function update_chronysourcestats() {
+    ajaxCall(url="/api/chrony/service/chronysourcestats", sendData={}, callback=function(data,status) {
+        $("#listchronysourcestats").text(data['response']);
+    });
+}
+
+// Put API call into a function, needed for auto-refresh
+function update_chronytracking() {
+    ajaxCall(url="/api/chrony/service/chronytracking", sendData={}, callback=function(data,status) {
+        $("#listchronytracking").text(data['response']);
+    });
+}
+
+function update_chronyauthdata() {
+    ajaxCall(url="/api/chrony/service/chronyauthdata", sendData={}, callback=function(data,status) {
+        $("#listchronyauthdata").text(data['response']);
+    });
+}
+
     $(function() {
         var data_get_map = {'frm_general_settings':"/api/chrony/general/get"};
         mapDataToFormUI(data_get_map).done(function(data){
@@ -41,8 +92,14 @@
             $('.selectpicker').selectpicker('refresh');
         });
 
-     updateServiceControlUI('chrony');
+    updateServiceControlUI('chrony');
 
+    // Call function update_neighbor with a auto-refresh of 5 seconds
+    setInterval(update_chronysources, 5000);
+    setInterval(update_chronysourcestats, 5000);
+    setInterval(update_chronytracking, 5000);
+    setInterval(update_chronyauthdata, 5000);
+ 
         // link save button to API set action
         $("#saveAct").click(function(){
             saveFormToEndpoint(url="/api/chrony/general/set", formid='frm_general_settings',callback_ok=function(){
diff --git a/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf b/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
index dd50d41c47..10b185b46c 100644
--- a/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
+++ b/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
@@ -21,3 +21,27 @@ command:/usr/local/etc/rc.d/chronyd status;exit 0
 parameters:
 type:script_output
 message:request chrony status
+
+[chronysources]
+command:/usr/local/bin/chronyc sources
+parameters:
+type:script_output
+message:show chrony sources
+
+[chronysourcestats]
+command:/usr/local/bin/chronyc sourcestats
+parameters:
+type:script_output
+message:show chrony sourcestats
+
+[chronytracking]
+command:/usr/local/bin/chronyc tracking
+parameters:
+type:script_output
+message:show chrony tracking
+
+[chronyauthdata]
+command:/usr/local/bin/chronyc -N authdata
+parameters:
+type:script_output
+message:show chrony authdata

From e856da6018a2259667752af6fdbcb9d10899da70 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 10 Apr 2021 10:13:30 +0200
Subject: [PATCH 0516/3088] net/freeradius: Add IPv6 support to client IP and
 harden loose model (#2301)

* Update Client.xml

* Update clients.conf
---
 .../opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml    | 4 ++--
 .../service/templates/OPNsense/Freeradius/clients.conf        | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
index 0fa4d9c522..da69e00e95 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/client</mount>
     <description>FreeRADIUS client configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
         <clients>
             <client type="ArrayField">
@@ -15,7 +15,7 @@
                 <secret type="TextField">
                     <Required>Y</Required>
                 </secret>
-                <ip type="TextField">
+                <ip type="HostnameField">
                     <Required>N</Required>
                 </ip>
             </client>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
index a220e557f0..8a7896a866 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
@@ -6,7 +6,11 @@
 client "{{ client_list.name }}" {
        secret    = {{ client_list.secret }}
        shortname = "{{ client_list.name }}"
+{%       if ':' in client_list.ip %}
+       ipv6addr  = {{ client_list.ip }}
+{%       else %}       
        ipaddr    = {{ client_list.ip }}
+{%       endif %}
 }
 
 {%     endif %}

From 8181542c662369b44fb9b2f2d964e5c156f35b45 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 10 Apr 2021 10:15:19 +0200
Subject: [PATCH 0517/3088] security/maltrail: add syslog support (#2222)

---
 security/maltrail/Makefile                           |  3 +--
 security/maltrail/pkg-descr                          |  4 ++++
 .../controllers/OPNsense/Maltrail/forms/sensor.xml   | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Maltrail/Sensor.xml      |  9 ++++++++-
 .../templates/OPNsense/Maltrail/maltrail.conf        |  6 ++++++
 5 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index 9371d85122..b12529d08a 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		maltrail
-PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.7
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index 8e22fe521c..7df4a37578 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -11,6 +11,10 @@ WWW: https://github.com/stamparm/maltrail
 Changelog
 ---------
 
+1.7
+
+* Add syslog export
+
 1.6
 
 * Allow to set capture buffer size
diff --git a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
index df6f7639a8..754a3b3922 100644
--- a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
+++ b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
@@ -29,4 +29,16 @@
         <type>text</type>
         <help>Port of the logging server. Leave empty when sensor and server run on the same system.</help>
     </field>
+    <field>
+        <id>sensor.syslogserver</id>
+        <label>Syslog Server</label>
+        <type>text</type>
+        <help>IP address of the remote syslog server.</help>
+    </field>
+    <field>
+        <id>sensor.syslogport</id>
+        <label>Syslog Port</label>
+        <type>text</type>
+        <help>Port of the syslog server.</help>
+    </field>
 </form>
diff --git a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
index c1b87fcfe9..4a97c5757d 100644
--- a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
+++ b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/maltrail/sensor</mount>
     <description>Maltrail sensor configuration</description>
-    <version>0.0.2</version>
+    <version>0.0.3</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -24,5 +24,12 @@
             <default>8337</default>
             <Required>Y</Required>
         </remoteport>
+        <syslogserver type="HostnameField">
+            <Required>N</Required>
+        </syslogserver>
+        <syslogport type="PortField">
+            <default>514</default>
+            <Required>Y</Required>
+        </syslogport>
     </items>
 </model>
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index dde70dec88..85943100f6 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -26,6 +26,12 @@ DISABLE_LOCAL_LOG_STORAGE false
 {%   endif %}
 {% endif %}
 
+{% if helpers.exists('OPNsense.maltrail.sensor.enabled') and OPNsense.maltrail.sensor.enabled == '1' %}
+{%   if helpers.exists('OPNsense.maltrail.sensor.syslogserver') and OPNsense.maltrail.sensor.syslogserver != '' %}
+SYSLOG_SERVER {{ OPNsense.maltrail.sensor.syslogserver }}:{{ OPNsense.maltrail.sensor.syslogport }}
+{%   endif %}
+{% endif %}
+
 SENSOR_NAME $HOSTNAME
 CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
 PROCESS_COUNT $CPU_CORES

From 84480c7d3a4146cb3ee967c43d8816d4d38eabba Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 10 Apr 2021 10:22:33 +0200
Subject: [PATCH 0518/3088] net-mgmt/zabbix-proxy: Add multiple settings to GUI
 (#2275)

---
 net-mgmt/zabbix5-proxy/Makefile                |  3 +--
 net-mgmt/zabbix5-proxy/pkg-descr               |  6 ++++++
 .../OPNsense/Zabbixproxy/forms/general.xml     | 18 ++++++++++++++++++
 .../models/OPNsense/Zabbixproxy/General.xml    |  9 +++++++++
 .../OPNsense/Zabbixproxy/zabbix_proxy.conf     |  9 +++++++++
 5 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix5-proxy/Makefile b/net-mgmt/zabbix5-proxy/Makefile
index fd8d3942b6..d00e2de4ee 100644
--- a/net-mgmt/zabbix5-proxy/Makefile
+++ b/net-mgmt/zabbix5-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		zabbix5-proxy
-PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
 PLUGIN_DEPENDS=		zabbix5-proxy
 PLUGIN_CONFLICTS=   zabbix4-proxy
diff --git a/net-mgmt/zabbix5-proxy/pkg-descr b/net-mgmt/zabbix5-proxy/pkg-descr
index c99e873c49..64c6f3d22e 100644
--- a/net-mgmt/zabbix5-proxy/pkg-descr
+++ b/net-mgmt/zabbix5-proxy/pkg-descr
@@ -12,6 +12,12 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.4
+
+* Allow setting ConfigFrequency
+* Allow setting DataSenderFrequency
+* Allow setting StartVMwareCollectors
+
 1.3
 
 * Switch to zabbix5-proxy
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index 11de26c17b..95a1c55426 100644
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -85,6 +85,12 @@
         <type>text</type>
         <help>Number of pre-forked instances of discoverers.</help>
     </field>
+    <field>
+        <id>general.startvmwarecollectors</id>
+        <label>Start VMware Collectors</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of VMware Collectors.</help>
+    </field>
     <field>
         <id>general.starthttppollers</id>
         <label>Start HTTP Pollers</label>
@@ -121,6 +127,18 @@
         <type>text</type>
         <help>Specifies how long we wait for agent, SNMP device or external check (in seconds).</help>
     </field>
+    <field>
+        <id>general.configfrequency</id>
+        <label>Config Frequency</label>
+        <type>text</type>
+        <help>Specifies the time how often proxy retrieves configuration data from zabbix server (in seconds).</help>
+    </field>    
+    <field>
+        <id>general.datasenderfrequency</id>
+        <label>Data Sender Frequency</label>
+        <type>text</type>
+        <help>Specifies the time how often the proxy will send collected data to the server (in seconds).</help>
+    </field>
     <field>
         <id>general.encryption</id>
         <label>PSK based encryption</label>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index b4955e3c85..45029f7c39 100644
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -61,6 +61,9 @@
             <default>1</default>
             <Required>N</Required>
         </startdiscoverers>
+        <startvmwarecollectors type="IntegerField">
+            <Required>N</Required>
+        </startvmwarecollectors>
         <starthttppollers type="IntegerField">
             <default>1</default>
             <Required>N</Required>
@@ -87,6 +90,12 @@
             <default>4</default>
             <Required>N</Required>
         </timeout>
+        <configfrequency type="IntegerField">
+            <Required>N</Required>
+        </configfrequency>
+        <datasenderfrequency type="IntegerField">
+            <Required>N</Required>
+        </datasenderfrequency>
         <encryption type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
index 31e1e31edd..266dc466c1 100644
--- a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
@@ -26,6 +26,12 @@ DBName=/var/db/zabbix/zabbix_proxy.db
 {% if helpers.exists('OPNsense.zabbixproxy.general.proxyofflinebuffer') and OPNsense.zabbixproxy.general.proxyofflinebuffer != '' %}
 ProxyOfflineBuffer={{ OPNsense.zabbixproxy.general.proxyofflinebuffer }}
 {% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.configfrequency') and OPNsense.zabbixproxy.general.configfrequency != '' %}
+ConfigFrequency={{ OPNsense.zabbixproxy.general.configfrequency }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.datasenderfrequency') and OPNsense.zabbixproxy.general.datasenderfrequency != '' %}
+DataSenderFrequency={{ OPNsense.zabbixproxy.general.datasenderfrequency }}
+{% endif %}
 {% if helpers.exists('OPNsense.zabbixproxy.general.startpollers') and OPNsense.zabbixproxy.general.startpollers != '' %}
 StartPollers={{ OPNsense.zabbixproxy.general.startpollers }}
 {% endif %}
@@ -44,6 +50,9 @@ StartPingers={{ OPNsense.zabbixproxy.general.startpingers }}
 {% if helpers.exists('OPNsense.zabbixproxy.general.startdiscoverers') and OPNsense.zabbixproxy.general.startdiscoverers != '' %}
 StartDiscoverers={{ OPNsense.zabbixproxy.general.startdiscoverers }}
 {% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startvmwarecollectors') and OPNsense.zabbixproxy.general.startvmwarecollectors != '' %}
+StartVMwareCollectors={{ OPNsense.zabbixproxy.general.startvmwarecollectors }}
+{% endif %}
 {% if helpers.exists('OPNsense.zabbixproxy.general.starthttppollers') and OPNsense.zabbixproxy.general.starthttppollers != '' %}
 StartHTTPPollers={{ OPNsense.zabbixproxy.general.starthttppollers }}
 {% endif %}

From ff9fff5b03859ef38b4c53f2d7b9bc3087244b65 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sat, 10 Apr 2021 11:27:13 +0300
Subject: [PATCH 0519/3088] location.conf: fix proxy_ssl_name, add hook (#2243)

---
 .../service/templates/OPNsense/Nginx/location.conf        | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 006a1b30d7..d0bc1e03b3 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -178,10 +178,10 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     proxy_ssl_server_name on;
 {%     else %}
     proxy_ssl_server_name off;
-{%         if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
+{%     endif %}
+{%     if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
     proxy_ssl_name {{ upstream.tls_name_override }};
-{%         endif %}
-{%     endif%}
+{%     endif %}
 {%     if upstream.tls_protocol_versions is defined and upstream.tls_protocol_versions != '' %}
     proxy_ssl_protocols {{ upstream.tls_protocol_versions.replace(',', ' ') }};
 {%     endif %}
@@ -206,5 +206,5 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {%   endfor %}
 {% endif %}
 {% endif %}{# honeypot #}
-
+    include {{ location['@uuid'] }}_post/*.conf;
 }

From f7fda26ebb9b6f66d533b74993e4736382e00d62 Mon Sep 17 00:00:00 2001
From: Thomas Laubrock <github@schmu.net>
Date: Sat, 10 Apr 2021 10:29:29 +0200
Subject: [PATCH 0520/3088] fix(Issue: 2111) Apply loadbalancing for UDP
 (#2247)

---
 .../opnsense/service/templates/OPNsense/Nginx/streams.conf  | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index aa4342a274..a5c991570d 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -9,7 +9,11 @@
     # UPSTREAM SERVERS
 {% for upstream in helpers.toList('OPNsense.Nginx.upstream') %}
     upstream upstream{{ upstream['@uuid'].replace('-','') }} {
-        hash $remote_addr consistent;
+{%   if upstream.load_balancing_algorithm is defined and upstream.load_balancing_algorithm != '' %}
+{%     if upstream.load_balancing_algorithm == 'ip_hash' %}
+           hash $remote_addr consistent;
+{%     endif %}
+{%   endif %}
 {%   for upstream_serveruuid in upstream.serverentries.split(',') %}
 {%     set upstream_server = helpers.getUUID(upstream_serveruuid) %}
         server {% if ':' in upstream_server.server %}[{% endif %}{{ upstream_server.server }}{% if ':' in upstream_server.server %}]{% endif

From 29529a33ba5603acd6e8fb5a0e9f7ca15b19629a Mon Sep 17 00:00:00 2001
From: Carlos Cesario <carloscesario@gmail.com>
Date: Sat, 10 Apr 2021 05:32:49 -0300
Subject: [PATCH 0521/3088] Add nginx X-Forwarded-Port and  X-Forwarded-Host
 (#2237)

Some applications as Keycloak when running behind Nginx proxy need these flags configured

proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;

This cause no impact in other applications already configured, at least for my applications
---
 .../src/opnsense/service/templates/OPNsense/Nginx/location.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index d0bc1e03b3..5df147b2b7 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -153,6 +153,8 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Port $server_port;
+    proxy_set_header X-Forwarded-Host $host;
     proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
 {%   if location.proxy_read_timeout is defined and location.proxy_read_timeout != '' %}
     proxy_read_timeout {{ location.proxy_read_timeout }}s;

From 49fce40ef74c52557e23809bf2c4c0080563c710 Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Sat, 10 Apr 2021 10:35:33 +0200
Subject: [PATCH 0522/3088] www/nginx: Grid view improvements (#2158)

---
 .../OPNsense/Nginx/Api/SettingsController.php | 34 ++++++++++++++++---
 .../mvc/app/views/OPNsense/Nginx/index.volt   | 30 +++++++++++-----
 2 files changed, 50 insertions(+), 14 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 4bec574e9e..a8e651c586 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -104,7 +104,7 @@ public function setcredentialAction($uuid)
     // Upstream
     public function searchupstreamAction()
     {
-        return $this->searchBase('upstream', array('description', 'serverentries'));
+        return $this->searchBase('upstream', array('description', 'serverentries', 'tls_enable', 'load_balancing_algorithm'));
     }
 
     public function getupstreamAction($uuid = null)
@@ -158,7 +158,28 @@ public function setupstreamserverAction($uuid)
     // Location
     public function searchlocationAction()
     {
-        return $this->searchBase('location', array('description','urlpattern', 'path_prefix', 'matchtype', 'enable_secrules', 'force_https'));
+        $data = $this->searchBase('location', array(
+            'description','urlpattern', 'path_prefix', 'matchtype', 'upstream',
+            'enable_secrules', 'enable_learning_mode', 'force_https',
+            'xss_block_score', 'sqli_block_score', 'custom_policy'
+        ));
+
+        // Create "waf_status" column (enabled/disabled/learning)
+        foreach ($data['rows'] as &$row) {
+            if ($row['enable_secrules']) {
+                if ($row['enable_learning_mode']) {
+                    $row['waf_status'] = gettext('learning');
+                }
+                else {
+                    $row['waf_status'] = gettext('enabled');
+                }
+            }
+            else {
+                $row['waf_status'] = gettext('disabled');
+            }
+        }
+
+        return $data;
     }
 
     public function getlocationAction($uuid = null)
@@ -185,7 +206,7 @@ public function setlocationAction($uuid)
     // Custom Policy
     public function searchcustompolicyAction()
     {
-        return $this->searchBase('custom_policy', array('name', 'operator', 'value', 'action'));
+        return $this->searchBase('custom_policy', array('name', 'operator', 'value', 'action', 'naxsi_rules'));
     }
 
     public function getcustompolicyAction($uuid = null)
@@ -212,7 +233,10 @@ public function setcustompolicyAction($uuid)
     // http server
     public function searchhttpserverAction()
     {
-        return $this->searchBase('http_server', array('servername', 'https_only', 'certificate', 'listen_http_port', 'listen_https_port'));
+        return $this->searchBase('http_server', array(
+            'servername', 'locations', 'root', 'https_only', 'certificate',
+            'listen_http_port', 'listen_https_port'
+        ));
     }
 
     public function gethttpserverAction($uuid = null)
@@ -266,7 +290,7 @@ public function setstreamserverAction($uuid)
     // naxsi rules
     public function searchnaxsiruleAction()
     {
-        return $this->searchBase('naxsi_rule', array('description', 'identifier', 'ruletype', 'message'));
+        return $this->searchBase('naxsi_rule', array('description', 'identifier', 'ruletype', 'match_type', 'score', 'match_value', 'message'));
     }
 
     public function getnaxsiruleAction($uuid = null)
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index b46e20485d..ec5a47d716 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -217,8 +217,12 @@
                 <th data-column-id="urlpattern" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('URL Pattern') }}</th>
                 <th data-column-id="path_prefix" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('URL Path Prefix') }}</th>
                 <th data-column-id="matchtype" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('Match Type') }}</th>
-                <th data-column-id="enable_secrules" data-type="boolean" data-sortable="true"  data-visible="true">{{ lang._('WAF Enabled') }}</th>
-                <th data-column-id="force_https" data-type="boolean" data-sortable="true"  data-visible="true">{{ lang._('Force HTTPS') }}</th>
+                <th data-column-id="upstream" data-type="string" data-sortable="true"  data-visible="false">{{ lang._('Upstream') }}</th>
+                <th data-column-id="waf_status" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('WAF Status') }}</th>
+                <th data-column-id="xss_block_score" data-type="string" data-sortable="true"  data-visible="false">{{ lang._('XSS Score') }}</th>
+                <th data-column-id="sqli_block_score" data-type="string" data-sortable="true"  data-visible="false">{{ lang._('SQLi Score') }}</th>
+                <th data-column-id="custom_policy" data-type="string" data-width="50%" data-sortable="true"  data-visible="false">{{ lang._('WAF Policies') }}</th>
+                <th data-column-id="force_https" data-type="boolean" data-width="10em" data-sortable="true"  data-visible="true">{{ lang._('Force HTTPS') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
@@ -268,6 +272,8 @@
             <tr>
                 <th data-column-id="description" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Description') }}</th>
                 <th data-column-id="serverentries" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Servers') }}</th>
+                <th data-column-id="load_balancing_algorithm" data-type="string" data-sortable="false"  data-visible="false">{{ lang._('Load Balancing') }}</th>
+                <th data-column-id="tls_enable" data-type="boolean" data-width="12em" data-sortable="false"  data-visible="true">{{ lang._('TLS Enabled') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
@@ -332,10 +338,12 @@
             <thead>
                 <tr>
                     <th data-column-id="servername" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Servername') }}</th>
-                    <th data-column-id="https_only" data-type="boolean" data-sortable="true" data-visible="true">{{ lang._('HTTPS Only') }}</th>
+                    <th data-column-id="locations" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Locations') }}</th>
+                    <th data-column-id="root" data-type="string" data-sortable="true" data-visible="false">{{ lang._('File System Root') }}</th>
                     <th data-column-id="certificate" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Certificate') }}</th>
-                    <th data-column-id="listen_http_port" data-type="string" data-sortable="true" data-visible="true">{{ lang._('HTTP Port') }}</th>
-                    <th data-column-id="listen_https_port" data-type="string" data-sortable="true" data-visible="true">{{ lang._('HTTPS Port') }}</th>
+                    <th data-column-id="https_only" data-type="boolean" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTPS Only') }}</th>
+                    <th data-column-id="listen_http_port" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTP Port') }}</th>
+                    <th data-column-id="listen_https_port" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTPS Port') }}</th>
                     <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
@@ -414,9 +422,10 @@
             <thead>
                 <tr>
                     <th data-column-id="name" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="operator" data-type="boolean" data-sortable="true" data-visible="true">{{ lang._('Operator') }}</th>
-                    <th data-column-id="value" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Value') }}</th>
-                    <th data-column-id="action" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Action') }}</th>
+                    <th data-column-id="operator" data-type="boolean" data-width="12em" data-sortable="true" data-visible="true">{{ lang._('Operator') }}</th>
+                    <th data-column-id="value" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Value') }}</th>
+                    <th data-column-id="naxsi_rules" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Rules') }}</th>
+                    <th data-column-id="action" data-type="string" data-width="12em" data-sortable="true" data-visible="true">{{ lang._('Action') }}</th>
                     <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
@@ -438,8 +447,11 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="ruletype" data-type="boolean" data-sortable="true" data-visible="true">{{ lang._('Rule Type') }}</th>
+                    <th data-column-id="ruletype" data-type="boolean" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Rule Type') }}</th>
+                    <th data-column-id="match_type" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Match Type') }}</th>
                     <th data-column-id="identifier" data-type="string" data-sortable="true" data-visible="true">{{ lang._('ID') }}</th>
+                    <th data-column-id="score" data-type="integer" data-width=7em" data-sortable="true" data-visible="true">{{ lang._('Score') }}</th>
+                    <th data-column-id="match_value" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Value') }}</th>
                     <th data-column-id="message" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Message') }}</th>
                     <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>

From 69a9a1d4545936716461f7c83306ee2549661d00 Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Sat, 10 Apr 2021 10:42:10 +0200
Subject: [PATCH 0523/3088] www/nginx: Naxsi whitelist improvements (#2156)

---
 .../OPNsense/Nginx/forms/naxsi_rule.xml       | 15 ++-
 .../Constraints/NaxsiIdentifierConstraint.php | 98 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 15 ++-
 .../templates/OPNsense/Nginx/naxsirule.conf   |  8 +-
 4 files changed, 124 insertions(+), 12 deletions(-)
 create mode 100644 www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
index 6a8232fc00..87b7bd8673 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
@@ -19,19 +19,23 @@
     <field>
         <id>naxsi_rule.identifier</id>
         <label>ID</label>
-        <type>text</type>
-       <help>The unique numerical ID of the rule, that will be used in logs and in whitelists. IDs inferior to 1000 are reserved for Naxsi internal rules (protocol mismatch etc.)</help>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <help>For blacklist rules, the unique numerical ID of the rule, that will be used in logs and in whitelists. IDs inferior to 1000 are reserved for Naxsi internal rules (protocol mismatch etc.)&lt;br&gt;For whitelists, specify one or more comma separated IDs to whitelist. 0 whitelists all rules.</help>
     </field>
     <field>
         <id>naxsi_rule.ruletype</id>
         <label>Rule Type</label>
         <type>dropdown</type>
+        <help>Main rules increase the policiy's score if matched. Basic rules are added directly to the location and match immeditaly. Basic rules are specifically useful for whitelist rules. Also basic rules need to be added to a policy to allow association with a location.</help>
     </field>
     <field>
         <id>naxsi_rule.regex</id>
         <label>Use Regular Expressions</label>
         <type>checkbox</type>
-       <help>If enabled, the match value, the URL, named parameters and headers are matched using regular expressions; otherwise only exact matches trigger the rule.</help>
+        <help>If enabled, the match value, the URL, named parameters and headers are matched using regular expressions; otherwise only exact matches trigger the rule.</help>
     </field>
     <field>
         <id>naxsi_rule.match_value</id>
@@ -43,12 +47,13 @@
         <label>Match Type</label>
         <type>dropdown</type>
         <style>selectpicker</style>
+        <help>A blacklist rule increases the policy's score if the pattern matches. A whitelist rule instructs Naxsi to ignore specific rules under specific conditions.</help>
     </field>
     <field>
         <id>naxsi_rule.args</id>
         <label>Search in any GET Argument</label>
         <type>checkbox</type>
-       <help>Search for matchs in a request's GET arguments.</help>
+        <help>Search for matchs in a request's GET arguments.</help>
     </field>
     <field>
         <id>naxsi_rule.url</id>
@@ -60,7 +65,7 @@
         <id>naxsi_rule.headers</id>
         <label>Search in any HTTP Header</label>
         <type>checkbox</type>
-       <help>Search for matchs in a request's HTTP headers.</help>
+        <help>Search for matchs in a request's HTTP headers.</help>
     </field>
     <field>
         <id>naxsi_rule.body</id>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
new file mode 100644
index 0000000000..085b5d9f7f
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
@@ -0,0 +1,98 @@
+<?php
+
+/*
+* Copyright (C) 2020 Manuel Faux
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are met:
+*
+* 1. Redistributions of source code must retain the above copyright notice,
+*    this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+*    notice, this list of conditions and the following disclaimer in the
+*    documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Base\Constraints;
+
+use Phalcon\Validation\Message;
+
+/**
+ * a very specific nginx check for Naxsi rule IDs - not reusable
+ *
+ * Class NaxsiIdentifierConstraint
+ * @package OPNsense\Nginx\Constraints
+ */
+class NaxsiIdentifierConstraint extends BaseConstraint
+{
+    public function validate(\Phalcon\Validation $validator, $attribute)
+    {
+        $node = $this->getOption('node');
+        if ($node) {
+            $parentNode = $node->getParentNode();
+
+            // Validate whitelist IDs
+            if ($parentNode->match_type == 'wl') {
+                $vals = explode(",", (string)$node); // Whitelists can use several IDs
+                $pos = 0;
+                $neg = 0;
+
+                // Check each ID
+                foreach ($vals as $val) {
+                    $intval = intval($val);
+
+                    if (!is_numeric($val)) {
+                        $validator->appendMessage(new Message(gettext("All rule IDs need to be numeric."), $attribute));
+                    }
+                    // 0 can only be used solely
+                    elseif ($intval == 0 && count($vals) > 1) {
+                        $validator->appendMessage(new Message(gettext("If ID 0 is specified, no other IDs can be listed."), $attribute));
+                    }
+                    elseif ($intval < 0) {
+                        $neg++;
+                    }
+                    elseif ($intval > 0) {
+                        $pos++;
+                    }
+                }
+
+                // All IDs need to be positive or all negative
+                if ($neg > 0 && $pos > 0) {
+                    $validator->appendMessage(new Message(gettext("Negative and positive IDs cannot be mixed."), $attribute));
+                }
+            }
+            // Validate rule IDs
+            else {
+                $val = (string)$node;
+                if (!is_numeric($val)) {
+                    // Did the user try to specify multiple IDs?
+                    if (strpos($val, ',')) {
+                        $validator->appendMessage(new Message(gettext("Rules can only have a single ID."), $attribute));
+                    }
+                    else {
+                        $validator->appendMessage(new Message(gettext("Rule IDs need to be numeric."), $attribute));
+                    }
+                }
+                // Check that no internal ID was used
+                elseif (intval($val) < 1000) {
+                    $validator->appendMessage(new Message(gettext("Rule IDs lower than 1000 are reserved for internal rules."), $attribute));
+                }
+            }
+        }
+
+        return true;
+    }
+}
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index ab53840531..d079f90b7a 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.20.0</version>
+  <version>1.20.1</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -530,9 +530,13 @@
           </check001>
         </Constraints>
       </message>
-      <identifier type="IntegerField">
+      <identifier type="CSVListField">
         <Required>Y</Required>
-        <minValue>1000</minValue>
+        <Constraints>
+          <check001>
+            <type>NaxsiIdentifierConstraint</type>
+          </check001>
+        </Constraints>
       </identifier>
       <dollar_url type="TextField">
         <Required>N</Required>
@@ -557,6 +561,11 @@
           <id>Blacklist</id>
           <wl>Whitelist</wl>
         </OptionValues>
+        <Constraints>
+          <check001>
+            <reference>identifier.check001</reference>
+          </check001>
+        </Constraints>
       </match_type>
       <negate type="BooleanField">
         <Required>Y</Required>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
index a3410bc3d9..c6e45870bf 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
@@ -45,13 +45,13 @@
 {{ mz_matches|join('|') }}
 {%- endmacro %}
 {% macro naxsi_rule(uuid, rule, ruletype) -%}
-{%   if rule.message is defined and rule.match_value is defined %}
+{%   if rule.match_type == 'id' %}
     {{ ruletype }}{% if rule.negate is defined and rule.negate == '1' %} negative{% endif
-    %} {{ rule.match_type }}:{{ rule.identifier }} "{% if rule.regex == '1' %}rx{% else %}str{% endif
+    %} id:{{ rule.identifier }} "{% if rule.regex == '1' %}rx{% else %}str{% endif
     %}:{{ rule.match_value }}" "msg:{{ rule.message }}" "mz:{{ naxsi_mzhelper(rule)
     }}" "s:$policy{{ uuid.replace('-', '') }}:{{ rule.score }}";
-{%   else %}
-    {{ ruletype }} {{ rule.match_type }}:{{ rule.identifier }};
+{%   elif rule.match_type == 'wl' %}
+    {{ ruletype }} wl:{{ rule.identifier }}{% if naxsi_mzhelper(rule) != '' %} "mz:{{ naxsi_mzhelper(rule) }}"{% endif %};
 {%   endif %}
 {%- endmacro %}
 {% if naxsi_ruletype == 'basic' %}

From efddc02352ae759b1374658fdb0011584de7b1f3 Mon Sep 17 00:00:00 2001
From: Ingo Theiss <ingo.theiss@i-matrixx.de>
Date: Sun, 11 Apr 2021 13:07:09 +0200
Subject: [PATCH 0524/3088] Fix wrong stream server ca filename (#2240)

If a CA Certificate for an stream server was selected the CA was saved with the last hostname set from the forearch loop of the HTTP Servers in the block above!
---
 www/nginx/src/opnsense/scripts/nginx/setup.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index d8452c804b..26942bce36 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -154,7 +154,7 @@ function find_ca($refid)
                     $ca = find_ca($caref);
                     if (isset($ca)) {
                         export_pem_file(
-                            KEY_DIRECTORY . $hostname . '_ca.pem',
+                            KEY_DIRECTORY . $stream_server['@attributes']['uuid'] . '_ca.pem',
                             $ca['crt']
                         );
                     }

From 0e22f6a36611f93725fdabd1eac2a29271269b29 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 12 Apr 2021 08:49:30 +0200
Subject: [PATCH 0525/3088] net/frr: Add BFD support (#2326)

---
 net/frr/Makefile                              |   3 +-
 net/frr/pkg-descr                             |   4 +
 .../OPNsense/Quagga/Api/BfdController.php     |  75 +++++++++++
 .../OPNsense/Quagga/BfdController.php         |  39 ++++++
 .../controllers/OPNsense/Quagga/forms/bfd.xml |   8 ++
 .../Quagga/forms/dialogEditBFDNeighbor.xml    |  19 +++
 .../OPNsense/Quagga/forms/general.xml         |   2 +-
 .../mvc/app/models/OPNsense/Quagga/BFD.php    |  31 +++++
 .../mvc/app/models/OPNsense/Quagga/BFD.xml    |  27 ++++
 .../app/models/OPNsense/Quagga/Menu/Menu.xml  |   1 +
 .../mvc/app/views/OPNsense/Quagga/bfd.volt    | 118 ++++++++++++++++++
 .../templates/OPNsense/Quagga/+TARGETS        |   1 +
 .../templates/OPNsense/Quagga/bfdd.conf       |  29 +++++
 .../service/templates/OPNsense/Quagga/frr     |   1 +
 14 files changed, 355 insertions(+), 3 deletions(-)
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bfd.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
 create mode 100644 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
 create mode 100644 net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 11c964bfd8..7aa041dd20 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.22
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index c0da556154..a5aa793d9e 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.22
+
+* Add BFD support
+
 1.21
 
 * Deprecate Ruby parser for FRR diagnostic output, remove Ruby dependency
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
new file mode 100644
index 0000000000..4904f54c0d
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
@@ -0,0 +1,75 @@
+<?php
+
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Fabian Franz
+ * Copyright (C) 2017-2021 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Quagga\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class BfdController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'bfd';
+    protected static $internalModelClass = '\OPNsense\Quagga\BFD';
+
+    public function searchNeighborAction()
+    {
+        return $this->searchBase(
+            'neighbors.neighbor',
+            array("enabled",
+                  "description",
+                  "address")
+        );
+    }
+
+    public function getNeighborAction($uuid = null)
+    {
+        $this->sessionClose();
+        return $this->getBase('neighbor', 'neighbors.neighbor', $uuid);
+    }
+
+    public function addNeighborAction()
+    {
+        return $this->addBase('neighbor', 'neighbors.neighbor');
+    }
+
+    public function delNeighborAction($uuid)
+    {
+        return $this->delBase('neighbors.neighbor', $uuid);
+    }
+
+    public function setNeighborAction($uuid)
+    {
+        return $this->setBase('neighbor', 'neighbors.neighbor', $uuid);
+    }
+
+    public function toggleNeighborAction($uuid)
+    {
+        return $this->toggleBase('neighbors.neighbor', $uuid);
+    }
+}
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
new file mode 100644
index 0000000000..93575aa03f
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2017 Fabian Franz
+ * Copyright (C) 2017-2021 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Quagga;
+
+class BfdController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->bfdForm = $this->getForm("bfd");
+        $this->view->formDialogEditBFDNeighbor = $this->getForm("dialogEditBFDNeighbor");
+        $this->view->pick('OPNsense/Quagga/bfd');
+    }
+}
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bfd.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bfd.xml
new file mode 100644
index 0000000000..a0233c4cff
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bfd.xml
@@ -0,0 +1,8 @@
+<form>
+    <field>
+        <id>bfd.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>This will activate the BFD service.</help>
+    </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
new file mode 100644
index 0000000000..4a76e64a95
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
@@ -0,0 +1,19 @@
+<form>
+  <field>
+    <id>neighbor.enabled</id>
+    <label>Enabled</label>
+    <type>checkbox</type>
+  </field>
+  <field>
+    <id>neighbor.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Set an optional description for this neighbor.</help>
+  </field>
+  <field>
+    <id>neighbor.address</id>
+    <label>Peer-IP</label>
+    <type>text</type>
+    <help>Specify the IP of your neighbor.</help>
+  </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
index 29c3e7bd71..926afe40f2 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
@@ -26,7 +26,7 @@
     </field>
     <field>
         <id>general.sysloglevel</id>
-        <label>log level</label>
+        <label>Log Level</label>
         <type>dropdown</type>
         <help>This is the detail level of the log. A higher level means more data is logged.</help>
     </field>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
new file mode 100644
index 0000000000..39313ae57b
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace OPNsense\Quagga;
+
+use OPNsense\Base\BaseModel;
+
+/*
+    Copyright (C) 2017 Fabian Franz
+    Copyright (C) 2017 - 2021 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+class BFD extends BaseModel
+{
+}
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
new file mode 100644
index 0000000000..df4e256b75
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
@@ -0,0 +1,27 @@
+<model>
+    <mount>//OPNsense/quagga/bfd</mount>
+    <description>BFD configuration</description>
+    <version>1.0.0</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <neighbors>
+            <neighbor type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="TextField">
+                    <default></default>
+                    <Required>N</Required>
+                </description>
+                <address type="NetworkField">
+                    <default></default>
+                    <Required>Y</Required>
+                </address>
+            </neighbor>
+        </neighbors>
+    </items>
+</model>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
index e294cc1151..450399f57a 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
@@ -6,6 +6,7 @@
     <OSPFv3 VisibleName="OSPFv3" cssClass="fa fa-map fa-fw" url="/ui/quagga/ospf6/index" order="25" />
     <!--<ISIS VisibleName="IS-IS" cssClass="fa fa-bolt fa-fw" url="/ui/quagga/isis/index" order="30" />-->
     <BGP VisibleName="BGP" cssClass="fa fa-globe fa-fw" url="/ui/quagga/bgp/index" order="40" />
+    <BFD VisibleName="BFD" cssClass="fa fa-exchange fa-fw" url="/ui/quagga/bfd/index" order="50" />
     <Diagnostics VisibleName="Diagnostics" cssClass="fa fa-medkit fa-fw" order="50">
       <General VisibleName="General" url="/ui/quagga/diagnostics/general" order="1" />
       <OSPF VisibleName="OSPF" url="/ui/quagga/diagnostics/ospf" order="20" />
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
new file mode 100644
index 0000000000..3c56ad63eb
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
@@ -0,0 +1,118 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+Copyright (C) 2017 Fabian Franz
+Copyright (C) 2017 - 2021 Michael Muenz <m.muenz@gmail.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
+</ul>
+<div class="tab-content content-box tab-content">
+    <div id="general" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':bfdForm,'id':'frm_bfd_settings'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+            </div>
+        </div>
+    </div>
+    <div id="neighbors" class="tab-pane fade in">
+        <table id="grid-neighbors" class="table table-responsive" data-editDialog="DialogEditBFDNeighbor">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="address" data-type="string" data-visible="true">{{ lang._('Neighbor Address') }}</th>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="10"></td>
+                    <td colspan="1">
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+</div>
+
+<script>
+
+function quagga_update_status() {
+    updateServiceControlUI('quagga');
+}
+
+$(document).ready(function() {
+  var data_get_map = {'frm_bfd_settings':"/api/quagga/bfd/get"};
+  mapDataToFormUI(data_get_map).done(function(data){
+      formatTokenizersUI();
+      $('.selectpicker').selectpicker('refresh');
+  });
+  quagga_update_status();
+
+  // link save button to API set action
+  $("#saveAct").click(function(){
+      saveFormToEndpoint(url="/api/quagga/bfd/set",formid='frm_bfd_settings',callback_ok=function(){
+          $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+          ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
+              quagga_update_status();
+              $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+          });
+      });
+  });
+
+  /* allow a user to manually reload the service (for forms which do not do it automatically) */
+  $('.reload_btn').click(function reload_handler() {
+    $(".reloadAct_progress").addClass("fa-spin");
+    ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
+        quagga_update_status();
+        $(".reloadAct_progress").removeClass("fa-spin");
+    });
+  });
+
+  $("#grid-neighbors").UIBootgrid(
+    { 'search':'/api/quagga/bfd/searchNeighbor',
+      'get':'/api/quagga/bfd/getNeighbor/',
+      'set':'/api/quagga/bfd/setNeighbor/',
+      'add':'/api/quagga/bfd/addNeighbor/',
+      'del':'/api/quagga/bfd/delNeighbor/',
+      'toggle':'/api/quagga/bfd/toggleNeighbor/',
+      'options':{selection:false, multiSelect:false}
+    }
+  );
+});
+</script>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBFDNeighbor,'id':'DialogEditBFDNeighbor','label':lang._('Edit Neighbor')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
index a09b88d86a..30b11bedbf 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
@@ -1,3 +1,4 @@
+bfdd.conf:/usr/local/etc/frr/bfdd.conf
 bgpd.conf:/usr/local/etc/frr/bgpd.conf
 ospfd.conf:/usr/local/etc/frr/ospfd.conf
 ospfd_carp.conf:/usr/local/etc/frr/ospfd_carp.conf
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
new file mode 100644
index 0000000000..8b13652630
--- /dev/null
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
@@ -0,0 +1,29 @@
+{% if helpers.exists('OPNsense.quagga.bfd.enabled') and OPNsense.quagga.bfd.enabled == '1' %}
+!
+! Zebra configuration saved from vty
+!   2017/03/03 20:21:04
+!
+{% if helpers.exists('OPNsense.quagga.general') %}
+{%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
+log syslog {{ OPNsense.quagga.general.sysloglevel }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.quagga.general.profile') %}
+frr defaults {{ OPNsense.quagga.general.profile }}
+{%   endif %}
+{% endif %}
+!
+!
+!
+line vty
+!
+!
+bfd
+{%   if helpers.exists('OPNsense.quagga.bfd.neighbors.neighbor') %}
+{%     for neighbor in helpers.toList('OPNsense.quagga.bfd.neighbors.neighbor') %}
+{%       if neighbor.enabled == '1' %}
+ peer {{ neighbor.address }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+!
+{% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index f119450b6a..2163fb73a3 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -7,6 +7,7 @@ start_precmd="ifconfig | grep 'carp: MASTER'"
 frr_daemons="zebra{%
 if helpers.exists('OPNsense.quagga.ospf.enabled') and OPNsense.quagga.ospf.enabled == '1' %} ospfd{% endif %}{%
 if helpers.exists('OPNsense.quagga.rip.enabled') and OPNsense.quagga.rip.enabled == '1' %} ripd{% endif %}{%
+if helpers.exists('OPNsense.quagga.bfd.enabled') and OPNsense.quagga.bfd.enabled == '1' %} bfdd{% endif %}{%
 if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled == '1' %} bgpd{% endif %}{%
 if helpers.exists('OPNsense.quagga.ospf6.enabled') and OPNsense.quagga.ospf6.enabled == '1' %} ospf6d{% endif %}{%
 if helpers.exists('OPNsense.quagga.ripng.enabled') and OPNsense.quagga.ripng.enabled == '1' %} ripngd{% endif %}{%

From 94351ebddf78da21c14e9cf6e8656126f4a127fe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 12 Apr 2021 08:50:05 +0200
Subject: [PATCH 0526/3088] www/nginx: cleanups and sync

---
 LICENSE                                                  | 1 +
 .../OPNsense/Nginx/Api/SettingsController.php            | 6 ++----
 .../Base/Constraints/NaxsiIdentifierConstraint.php       | 9 +++------
 3 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/LICENSE b/LICENSE
index 64a02ae244..c36cfbddd5 100644
--- a/LICENSE
+++ b/LICENSE
@@ -19,6 +19,7 @@ Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019 Juergen Kellerer
+Copyright (c) 2020 Manuel Faux
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2020 Marc Leuser
 Copyright (c) 2020 Martin Wasley
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index a8e651c586..ccb2cb6d98 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -169,12 +169,10 @@ public function searchlocationAction()
             if ($row['enable_secrules']) {
                 if ($row['enable_learning_mode']) {
                     $row['waf_status'] = gettext('learning');
-                }
-                else {
+                } else {
                     $row['waf_status'] = gettext('enabled');
                 }
-            }
-            else {
+            } else {
                 $row['waf_status'] = gettext('disabled');
             }
         }
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
index 085b5d9f7f..2373aae529 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
@@ -60,11 +60,9 @@ public function validate(\Phalcon\Validation $validator, $attribute)
                     // 0 can only be used solely
                     elseif ($intval == 0 && count($vals) > 1) {
                         $validator->appendMessage(new Message(gettext("If ID 0 is specified, no other IDs can be listed."), $attribute));
-                    }
-                    elseif ($intval < 0) {
+                    } elseif ($intval < 0) {
                         $neg++;
-                    }
-                    elseif ($intval > 0) {
+                    } elseif ($intval > 0) {
                         $pos++;
                     }
                 }
@@ -81,8 +79,7 @@ public function validate(\Phalcon\Validation $validator, $attribute)
                     // Did the user try to specify multiple IDs?
                     if (strpos($val, ',')) {
                         $validator->appendMessage(new Message(gettext("Rules can only have a single ID."), $attribute));
-                    }
-                    else {
+                    } else {
                         $validator->appendMessage(new Message(gettext("Rule IDs need to be numeric."), $attribute));
                     }
                 }

From 8beadebc55072e234bacde5c7e900bbc44422ed0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 12 Apr 2021 08:50:33 +0200
Subject: [PATCH 0527/3088] mail/fetchmail: cleanups and sync

---
 README.md                                                       | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php  | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml  | 2 +-
 mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh | 0
 4 files changed, 3 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh

diff --git a/README.md b/README.md
index 80ca245301..6debfb375f 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
 dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
 emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense (development only)
+mail/fetchmail -- Remote-mail retrieval utility (development only)
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
 misc/theme-cicada -- The cicada theme - dark grey
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
index 7c5a75d762..5ec3f1dd2b 100644
--- a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
+++ b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
@@ -24,7 +24,7 @@
   *ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
- 
+
 namespace OPNsense\Fetchmail;
 
 use OPNsense\Base\BaseModel;
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
index fe711b2c1a..adc2e8a4ff 100644
--- a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
+++ b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
@@ -38,7 +38,7 @@
                 <sslfingerprint type="TextField">
                     <Required>N</Required>
                     <mask>/^[A-Fa-f0-9\:]$/</mask>
-                </sslfingerprint>                
+                </sslfingerprint>
             </mailbox>
         </mailboxes>
     </items>
diff --git a/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh b/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
old mode 100644
new mode 100755

From f7bc50cb2b9992d1de58bed53dc8699f1b0d6711 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 12 Apr 2021 08:51:04 +0200
Subject: [PATCH 0528/3088] plugins: cleanups

---
 .../opnsense/service/templates/OPNsense/Netdata/netdata.conf    | 2 +-
 .../mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml  | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt     | 2 +-
 .../opnsense/service/templates/OPNsense/Freeradius/clients.conf | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
index 105254bcc2..8e2c769e37 100644
--- a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
+++ b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
@@ -11,7 +11,7 @@
 [global]
         history = 86400
         bind to = {% if ':' in OPNsense.netdata.general.listen %}[{{ OPNsense.netdata.general.listen }}]{% else %} {{ OPNsense.netdata.general.listen }}{% endif %}
-        
+
         disconnect idle web clients after seconds = 3600
         run as user = netdata
         web files owner = netdata
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index 95a1c55426..771ad073d8 100644
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -132,7 +132,7 @@
         <label>Config Frequency</label>
         <type>text</type>
         <help>Specifies the time how often proxy retrieves configuration data from zabbix server (in seconds).</help>
-    </field>    
+    </field>
     <field>
         <id>general.datasenderfrequency</id>
         <label>Data Sender Frequency</label>
diff --git a/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt b/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
index 00ba994203..308d4c4eaf 100644
--- a/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
+++ b/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
@@ -99,7 +99,7 @@ function update_chronyauthdata() {
     setInterval(update_chronysourcestats, 5000);
     setInterval(update_chronytracking, 5000);
     setInterval(update_chronyauthdata, 5000);
- 
+
         // link save button to API set action
         $("#saveAct").click(function(){
             saveFormToEndpoint(url="/api/chrony/general/set", formid='frm_general_settings',callback_ok=function(){
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
index 8a7896a866..c7c2c35672 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
@@ -8,7 +8,7 @@ client "{{ client_list.name }}" {
        shortname = "{{ client_list.name }}"
 {%       if ':' in client_list.ip %}
        ipv6addr  = {{ client_list.ip }}
-{%       else %}       
+{%       else %}
        ipaddr    = {{ client_list.ip }}
 {%       endif %}
 }

From cf2ca4761d79ba642d623b3462edebc3f606b3b6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 12 Apr 2021 09:21:21 +0200
Subject: [PATCH 0529/3088] IDPS - ruleset : add copy of some rule files which
 are being shipped empty in et-pro telemetry. closes
 https://github.com/opnsense/core/issues/4914

---
 .../intrusion-detection-content-et-open/Makefile   |  8 ++++++++
 .../intrusion-detection-content-et-open/pkg-descr  |  5 +++++
 .../suricata/metadata/rules/et-open-extra.xml      | 14 ++++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 security/intrusion-detection-content-et-open/Makefile
 create mode 100644 security/intrusion-detection-content-et-open/pkg-descr
 create mode 100644 security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml

diff --git a/security/intrusion-detection-content-et-open/Makefile b/security/intrusion-detection-content-et-open/Makefile
new file mode 100644
index 0000000000..31eceaaaf5
--- /dev/null
+++ b/security/intrusion-detection-content-et-open/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		intrusion-detection-content-et-open
+PLUGIN_VERSION=		1.0.0
+#PLUGIN_REVISION=	1
+PLUGIN_COMMENT=		IDS Proofpoint ET open ruleset, duplicates some rule files which are being delivered empty in ET Pro Telemetry edition so both can be installed
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_WWW=		https://rules.emergingthreats.net/
+
+.include "../../Mk/plugins.mk"
diff --git a/security/intrusion-detection-content-et-open/pkg-descr b/security/intrusion-detection-content-et-open/pkg-descr
new file mode 100644
index 0000000000..74ae504353
--- /dev/null
+++ b/security/intrusion-detection-content-et-open/pkg-descr
@@ -0,0 +1,5 @@
+IDS Proofpoint ET open ruleset, duplicates some rule files which are being delivered empty in ET Pro Telemetry edition so both can be installed
+
+LICENSE: https://www.proofpoint.com/us/license
+
+WWW: https://www.proofpoint.com/us/blog/threat-insight
diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
new file mode 100644
index 0000000000..8f4a929511
--- /dev/null
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<ruleset documentation_url="http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
+    <location url="https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz" prefix="ET open"/>
+    <version url="https://rules.emergingthreats.net/open/suricata-4.0/version.txt"/>
+    <files>
+        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules"et_open-botcc.portgrouped.rules</file>
+        <file description="botcc" url="inline::rules/botcc.rules">et_open.botcc.rules</file>
+        <file description="ciarmy" url="inline::rules/ciarmy.rules">et_open.ciarmy.rules</file>
+        <file description="compromised" url="inline::rules/compromised.rules">et_open.compromised.rules</file>
+        <file description="drop" url="inline::rules/drop.rules">et_open.drop.rules</file>
+        <file description="dshield" url="inline::rules/dshield.rules">et_open.dshield.rules</file>
+        <file description="tor" url="inline::rules/tor.rules">et_open.tor.rules</file>
+    </files>
+</ruleset>

From c7591a1a8450b9cce2cc66c677ec5c53ec2a9753 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 12 Apr 2021 09:26:03 +0200
Subject: [PATCH 0530/3088] security/intrusion-detection-content-et-open:
 shorten description

---
 README.md                                                     | 1 +
 security/intrusion-detection-content-et-open/Makefile         | 2 +-
 security/intrusion-detection-content-et-open/pkg-descr        | 4 ++--
 .../scripts/suricata/metadata/rules/et-open-extra.xml         | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 6debfb375f..c45187bd86 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,7 @@ net-mgmt/zabbix5-proxy -- Zabbix Proxy enables decentralized monitoring
 security/acme-client -- Let's Encrypt client
 security/clamav -- Antivirus engine for detecting malicious threats
 security/etpro-telemetry -- ET Pro Telemetry Edition
+security/intrusion-detection-content-et-open -- IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
 security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (needs a valid subscription)
 security/intrusion-detection-content-pt-open -- IDS PT Research ruleset (only for non-commercial use)
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
diff --git a/security/intrusion-detection-content-et-open/Makefile b/security/intrusion-detection-content-et-open/Makefile
index 31eceaaaf5..036bd551e5 100644
--- a/security/intrusion-detection-content-et-open/Makefile
+++ b/security/intrusion-detection-content-et-open/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		intrusion-detection-content-et-open
 PLUGIN_VERSION=		1.0.0
 #PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		IDS Proofpoint ET open ruleset, duplicates some rule files which are being delivered empty in ET Pro Telemetry edition so both can be installed
+PLUGIN_COMMENT=		IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://rules.emergingthreats.net/
 
diff --git a/security/intrusion-detection-content-et-open/pkg-descr b/security/intrusion-detection-content-et-open/pkg-descr
index 74ae504353..7065fc3ed4 100644
--- a/security/intrusion-detection-content-et-open/pkg-descr
+++ b/security/intrusion-detection-content-et-open/pkg-descr
@@ -1,5 +1,5 @@
-IDS Proofpoint ET open ruleset, duplicates some rule files which are being delivered empty in ET Pro Telemetry edition so both can be installed
+IDS Proofpoint ET open ruleset duplicates rule files which are being
+delivered empty in ET Pro Telemetry edition so both can be installed.
 
 LICENSE: https://www.proofpoint.com/us/license
-
 WWW: https://www.proofpoint.com/us/blog/threat-insight
diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
index 8f4a929511..563b11476a 100644
--- a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -3,7 +3,7 @@
     <location url="https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz" prefix="ET open"/>
     <version url="https://rules.emergingthreats.net/open/suricata-4.0/version.txt"/>
     <files>
-        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules"et_open-botcc.portgrouped.rules</file>
+        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">et_open-botcc.portgrouped.rules</file>
         <file description="botcc" url="inline::rules/botcc.rules">et_open.botcc.rules</file>
         <file description="ciarmy" url="inline::rules/ciarmy.rules">et_open.ciarmy.rules</file>
         <file description="compromised" url="inline::rules/compromised.rules">et_open.compromised.rules</file>

From 4ca327938e5235530c1514c96de9b45587e227da Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sun, 11 Apr 2021 18:39:53 +0300
Subject: [PATCH 0531/3088] setup.php: minor fixes

-get rid of the "PHP Warning: Use of undefined constant 'next'" message
-make streams block work for single stream server in config (correctly identify the case of a single server)
---
 www/nginx/src/opnsense/scripts/nginx/setup.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 26942bce36..4860fbcd03 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -86,7 +86,7 @@ function find_ca($refid)
           // try to find the reference
             $cert = find_cert($http_server['certificate']);
             if (!isset($cert)) {
-                next;
+                continue;
             }
             $chain = [];
             $ca_chain = ca_chain_array($cert);
@@ -121,7 +121,7 @@ function find_ca($refid)
 }
 // end http, begin streams
 if (isset($nginx['stream_server'])) {
-    if (is_array($nginx['stream_server']) && !isset($nginx['stream_server']['servername'])) {
+    if (is_array($nginx['stream_server']) && !isset($nginx['stream_server']['@attributes']['uuid'])) {
         $stream_servers = $nginx['stream_server'];
     } else {
         $stream_servers = array($nginx['stream_server']);
@@ -131,7 +131,7 @@ function find_ca($refid)
           // try to find the reference
             $cert = find_cert($stream_server['certificate']);
             if (!isset($cert)) {
-                next;
+                continue;
             }
             $chain = [];
             $ca_chain = ca_chain_array($cert);
@@ -184,7 +184,7 @@ function find_ca($refid)
                     foreach (ca_chain_array($cert) as $entry) {
                         $chain[] = base64_decode($entry['crt']);
                     }
-                    $hostname = explode(',', $http_server['servername'])[0];
+
                     export_pem_file(
                         KEY_DIRECTORY . $upstream['tls_client_certificate'] . '.pem',
                         $cert['crt'],

From 8bc1616baf3aa5b7ba676175fcfa49e6e75f2f69 Mon Sep 17 00:00:00 2001
From: Tobias <5389669+botboe@users.noreply.github.com>
Date: Wed, 14 Apr 2021 11:44:03 +0200
Subject: [PATCH 0532/3088] New Plugin "RadSecProxy" (#1894)

---
 net/radsecproxy/Makefile                      |   8 +
 net/radsecproxy/pkg-descr                     |   5 +
 .../src/etc/inc/plugins.inc.d/radsecproxy.inc |  73 +++
 net/radsecproxy/src/etc/rc.d/os-radsecproxy   |  46 ++
 .../RadSecProxy/Api/ClientsController.php     |  67 +++
 .../RadSecProxy/Api/GeneralController.php     |  33 ++
 .../RadSecProxy/Api/RealmsController.php      |  63 +++
 .../RadSecProxy/Api/RewritesController.php    |  67 +++
 .../RadSecProxy/Api/ServersController.php     |  67 +++
 .../RadSecProxy/Api/ServiceController.php     |  40 ++
 .../RadSecProxy/Api/TlsController.php         |  67 +++
 .../RadSecProxy/ClientsController.php         |  36 ++
 .../RadSecProxy/GeneralController.php         |  34 ++
 .../OPNsense/RadSecProxy/IndexController.php  |  34 ++
 .../OPNsense/RadSecProxy/RealmsController.php |  34 ++
 .../RadSecProxy/RewritesController.php        |  36 ++
 .../RadSecProxy/ServersController.php         |  34 ++
 .../OPNsense/RadSecProxy/TlsController.php    |  34 ++
 .../RadSecProxy/forms/dialogClient.xml        |  96 ++++
 .../RadSecProxy/forms/dialogRealm.xml         |  71 +++
 .../RadSecProxy/forms/dialogRewrite.xml       | 101 ++++
 .../RadSecProxy/forms/dialogServer.xml        | 102 ++++
 .../OPNsense/RadSecProxy/forms/dialogTls.xml  |  68 +++
 .../OPNsense/RadSecProxy/forms/general.xml    | 121 +++++
 .../models/OPNsense/RadSecProxy/Menu/Menu.xml |  12 +
 .../OPNsense/RadSecProxy/RadSecProxy.php      |  31 ++
 .../OPNsense/RadSecProxy/RadSecProxy.xml      | 514 ++++++++++++++++++
 .../views/OPNsense/RadSecProxy/clients.volt   |  56 ++
 .../views/OPNsense/RadSecProxy/general.volt   |  31 ++
 .../views/OPNsense/RadSecProxy/realms.volt    |  54 ++
 .../views/OPNsense/RadSecProxy/rewrites.volt  |  54 ++
 .../views/OPNsense/RadSecProxy/servers.volt   |  56 ++
 .../app/views/OPNsense/RadSecProxy/tls.volt   |  55 ++
 .../OPNsense/RadSecProxy/generate_certs.php   | 105 ++++
 .../scripts/OPNsense/RadSecProxy/setup.sh     |  18 +
 .../conf/actions.d/actions_radsecproxy.conf   |  35 ++
 .../templates/OPNsense/RadSecProxy/+TARGETS   |   2 +
 .../OPNsense/RadSecProxy/radsecproxy.conf     | 240 ++++++++
 .../templates/OPNsense/RadSecProxy/rc.conf.d  |   7 +
 39 files changed, 2607 insertions(+)
 create mode 100644 net/radsecproxy/Makefile
 create mode 100644 net/radsecproxy/pkg-descr
 create mode 100644 net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
 create mode 100755 net/radsecproxy/src/etc/rc.d/os-radsecproxy
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ClientsController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/GeneralController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RealmsController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RewritesController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServersController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServiceController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/TlsController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ClientsController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/GeneralController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/IndexController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RealmsController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RewritesController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ServersController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/TlsController.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.php
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
 create mode 100644 net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
 create mode 100755 net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php
 create mode 100755 net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh
 create mode 100644 net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
 create mode 100644 net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS
 create mode 100644 net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
 create mode 100644 net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d

diff --git a/net/radsecproxy/Makefile b/net/radsecproxy/Makefile
new file mode 100644
index 0000000000..c27c40120a
--- /dev/null
+++ b/net/radsecproxy/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		radsecproxy
+PLUGIN_VERSION=	0.1
+PLUGIN_COMMENT=	RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
+PLUGIN_DEPENDS=	radsecproxy
+PLUGIN_MAINTAINER=	tobias@boehnert.dev
+PLUGIN_DEVEL=		yes
+
+.include "../../Mk/plugins.mk"
diff --git a/net/radsecproxy/pkg-descr b/net/radsecproxy/pkg-descr
new file mode 100644
index 0000000000..ef872b8a71
--- /dev/null
+++ b/net/radsecproxy/pkg-descr
@@ -0,0 +1,5 @@
+A generic RADIUS proxy that in addition to usual RADIUS UDP
+transport, also supports TLS (RadSec), as well as RADIUS
+over TCP and DTLS. The aim is for the proxy to have
+sufficient features to be flexible, while at the same time
+to be small, efficient and easy to configure.
diff --git a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
new file mode 100644
index 0000000000..57e8734776
--- /dev/null
+++ b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
@@ -0,0 +1,73 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function radsecproxy_enabled()
+{
+    $model = new \OPNsense\RadSecProxy\RadSecProxy();
+    if ((string)$model->general->enabled == '1') {
+        return true;
+    }
+
+    return false;
+}
+
+function radsecproxy_syslog()
+{
+    // $syslogconf = array();
+
+    // $syslogconf['radsecproxy'] = array(
+    //     'local' => '/var/log/radsecproxy.log',
+    //     'facility' => array('radsecproxy'),
+    //     'remote' => 'relayd',
+    // );
+
+    // return $syslogconf;
+
+    $logfacilities = array();
+    $logfacilities['radsecproxy'] = array(
+        'facility' => array('LOG_DAEMON'),
+    );
+    return $logfacilities;
+
+}
+
+
+function radsecproxy_services()
+{
+    $services = array();
+
+    if (radsecproxy_enabled()) {
+        $services[] = array(
+            'description' => gettext('Radius Secure Proxy'),
+            'configd' => array(
+                'restart' => array('radsecproxy restart'),
+                'start' => array('radsecproxy start'),
+                'stop' => array('radsecproxy stop'),
+            ),
+            'name' => 'radsecproxy',
+            'pidfile' => '/var/run/radsecproxy/radsecproxy.pid'
+        );
+    }
+    return $services;
+}
diff --git a/net/radsecproxy/src/etc/rc.d/os-radsecproxy b/net/radsecproxy/src/etc/rc.d/os-radsecproxy
new file mode 100755
index 0000000000..4faca1f6bd
--- /dev/null
+++ b/net/radsecproxy/src/etc/rc.d/os-radsecproxy
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# PROVIDE: radsecproxy
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following line to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# radsecproxy_enable (bool): Set to NO by default.
+#               Set it to YES to enable radsecproxy.
+
+. /etc/rc.subr
+
+name="radsecproxy"
+rcvar=radsecproxy_enable
+
+: ${radsecproxy_enable:="NO"}
+: ${radsecproxy_user:="root"}
+: ${radsecproxy_group:="wheel"}
+: ${radsecproxy_pidfile:="/var/run/radsecproxy.pid"}
+
+user=${radsecproxy_user}
+group=${radsecproxy_group}
+pidfile=${radsecproxy_pidfile}
+required_files=/usr/local/etc/radsecproxy.conf
+
+command="/usr/local/sbin/${name}"
+command_args="-c /usr/local/etc/radsecproxy.conf -i ${pidfile}"
+
+start_precmd="radsecproxy_prestart"
+stop_postcmd="radsecproxy_poststop"
+
+radsecproxy_prestart() 
+{
+	mkdir -p $(dirname $pidfile)
+	chown ${user}:${group} $(dirname $pidfile)
+}
+
+radsecproxy_poststop() 
+{
+	rm -f ${pidfile}
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ClientsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ClientsController.php
new file mode 100644
index 0000000000..a256a87650
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ClientsController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class ClientsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'radsecproxy';
+    protected static $internalModelClass = 'OPNsense\RadSecProxy\RadSecProxy';
+
+    public function searchItemAction()
+    {
+        return $this->searchBase(
+            "clients.client",
+            array('enabled', 'description', 'host', 'identifier', 'type'),
+            "name"
+        );
+    }
+
+    public function setItemAction($uuid)
+    {
+        return $this->setBase("client", "clients.client", $uuid);
+    }
+
+    public function addItemAction()
+    {
+        return $this->addBase("client", "clients.client");
+    }
+
+    public function getItemAction($uuid = null)
+    {
+        return $this->getBase("client", "clients.client", $uuid);
+    }
+
+    public function delItemAction($uuid)
+    {
+        return $this->delBase("clients.client", $uuid);
+    }
+
+    public function toggleItemAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("clients.client", $uuid, $enabled);
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/GeneralController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/GeneralController.php
new file mode 100644
index 0000000000..786df74ebe
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/GeneralController.php
@@ -0,0 +1,33 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'radsecproxy';
+    protected static $internalModelClass = 'OPNsense\RadSecProxy\RadSecProxy';
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RealmsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RealmsController.php
new file mode 100644
index 0000000000..4c33d0ae28
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RealmsController.php
@@ -0,0 +1,63 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class RealmsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'radsecproxy';
+    protected static $internalModelClass = 'OPNsense\RadSecProxy\RadSecProxy';
+
+    public function searchItemAction()
+    {
+        return $this->searchBase("realms.realm", array('enabled', 'description', 'realm'), "description");
+    }
+
+    public function setItemAction($uuid)
+    {
+        return $this->setBase("realm", "realms.realm", $uuid);
+    }
+
+    public function addItemAction()
+    {
+        return $this->addBase("realm", "realms.realm");
+    }
+
+    public function getItemAction($uuid = null)
+    {
+        return $this->getBase("realm", "realms.realm", $uuid);
+    }
+
+    public function delItemAction($uuid)
+    {
+        return $this->delBase("realms.realm", $uuid);
+    }
+
+    public function toggleItemAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("realms.realm", $uuid, $enabled);
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RewritesController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RewritesController.php
new file mode 100644
index 0000000000..c1fb95d929
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/RewritesController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class RewritesController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'radsecproxy';
+    protected static $internalModelClass = 'OPNsense\RadSecProxy\RadSecProxy';
+
+    public function searchItemAction()
+    {
+        return $this->searchBase(
+            "rewrites.rewrite",
+            array('enabled', 'name', 'description'),
+            "name"
+        );
+    }
+
+    public function setItemAction($uuid)
+    {
+        return $this->setBase("rewrite", "rewrites.rewrite", $uuid);
+    }
+
+    public function addItemAction()
+    {
+        return $this->addBase("rewrite", "rewrites.rewrite");
+    }
+
+    public function getItemAction($uuid = null)
+    {
+        return $this->getBase("rewrite", "rewrites.rewrite", $uuid);
+    }
+
+    public function delItemAction($uuid)
+    {
+        return $this->delBase("rewrites.rewrite", $uuid);
+    }
+
+    public function toggleItemAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("rewrites.rewrite", $uuid, $enabled);
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServersController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServersController.php
new file mode 100644
index 0000000000..55394aa5e3
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServersController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class ServersController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'radsecproxy';
+    protected static $internalModelClass = 'OPNsense\RadSecProxy\RadSecProxy';
+
+    public function searchItemAction()
+    {
+        return $this->searchBase(
+            "servers.server",
+            array('description', 'host', 'type', 'identifier', 'tlsConfig'),
+            "name"
+        );
+    }
+
+    public function setItemAction($uuid)
+    {
+        return $this->setBase("server", "servers.server", $uuid);
+    }
+
+    public function addItemAction()
+    {
+        return $this->addBase("server", "servers.server");
+    }
+
+    public function getItemAction($uuid = null)
+    {
+        return $this->getBase("server", "servers.server", $uuid);
+    }
+
+    public function delItemAction($uuid)
+    {
+        return $this->delBase("servers.server", $uuid);
+    }
+
+    public function toggleItemAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("servers.server", $uuid, $enabled);
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServiceController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServiceController.php
new file mode 100644
index 0000000000..2aebebd844
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/ServiceController.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\RadSecProxy\RadSecProxy';
+    protected static $internalServiceTemplate = 'OPNsense/RadSecProxy';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceName = 'radsecproxy';
+    protected function reconfigureForceRestart()
+    {
+        return 0;
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/TlsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/TlsController.php
new file mode 100644
index 0000000000..0c9dddee13
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/Api/TlsController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class TlsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'radsecproxy';
+    protected static $internalModelClass = 'OPNsense\RadSecProxy\RadSecProxy';
+
+    public function searchItemAction()
+    {
+        return $this->searchBase(
+            "tlsConfigs.tlsConfig",
+            array('description', 'name', 'caCertificateRefId', 'proxyCertificateRefId'),
+            "name"
+        );
+    }
+
+    public function setItemAction($uuid)
+    {
+        return $this->setBase("tlsConfig", "tlsConfigs.tlsConfig", $uuid);
+    }
+
+    public function addItemAction()
+    {
+        return $this->addBase("tlsConfig", "tlsConfigs.tlsConfig");
+    }
+
+    public function getItemAction($uuid = null)
+    {
+        return $this->getBase("tlsConfig", "tlsConfigs.tlsConfig", $uuid);
+    }
+
+    public function delItemAction($uuid)
+    {
+        return $this->delBase("tlsConfigs.tlsConfig", $uuid);
+    }
+
+    public function toggleItemAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("tlsConfigs.tlsConfig", $uuid, $enabled);
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ClientsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ClientsController.php
new file mode 100644
index 0000000000..91e92ce299
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ClientsController.php
@@ -0,0 +1,36 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy;
+
+class ClientsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        //$this->view->generalForm = $this->getForm("clients");
+        // pick the template to serve to our users.
+        $this->view->pick('OPNsense/RadSecProxy/clients');
+        $this->view->formDialogClient = $this->getForm("dialogClient");
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/GeneralController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/GeneralController.php
new file mode 100644
index 0000000000..5c17d3cd88
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/GeneralController.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->pick('OPNsense/RadSecProxy/general');
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/IndexController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/IndexController.php
new file mode 100644
index 0000000000..3596535ace
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/IndexController.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy;
+
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->basicForm = $this->getForm("basic");
+        $this->view->pick('OPNsense/RadSecProxy/index');
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RealmsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RealmsController.php
new file mode 100644
index 0000000000..d227bbac1d
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RealmsController.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy;
+
+class RealmsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/RadSecProxy/realms');
+        $this->view->formDialogRealm = $this->getForm("dialogRealm");
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RewritesController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RewritesController.php
new file mode 100644
index 0000000000..92869405e7
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/RewritesController.php
@@ -0,0 +1,36 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy;
+
+class RewritesController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        //$this->view->generalForm = $this->getForm("clients");
+        // pick the template to serve to our users.
+        $this->view->pick('OPNsense/RadSecProxy/rewrites');
+        $this->view->formDialogRewrite = $this->getForm("dialogRewrite");
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ServersController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ServersController.php
new file mode 100644
index 0000000000..98186c1015
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/ServersController.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy;
+
+class ServersController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/RadSecProxy/servers');
+        $this->view->formDialogServer = $this->getForm("dialogServer");
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/TlsController.php b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/TlsController.php
new file mode 100644
index 0000000000..146157e55d
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/TlsController.php
@@ -0,0 +1,34 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy;
+
+class TlsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/RadSecProxy/tls');
+        $this->view->formDialogTls = $this->getForm("dialogTls");
+    }
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml
new file mode 100644
index 0000000000..127ff57686
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml
@@ -0,0 +1,96 @@
+<form>
+
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
+
+    <field>
+        <id>client.enabled</id>
+        <label>Enable Client</label>
+        <type>checkbox</type>
+        <help>Allow connections from this client</help>
+    </field>
+
+    <field>
+        <id>client.identifier</id>
+        <label>Unique identifier</label>
+        <type>text</type>
+        <help>Unique identifier for this client</help>
+    </field>
+
+    <field>
+        <id>client.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description of this client</help>
+    </field>
+    
+    <field>
+        <id>client.host</id>
+        <label>IP / Net</label>
+        <type>text</type>
+        <help>The client's IP or net</help>
+    </field>
+    
+    <field>
+        <id>client.type</id>
+        <label>Type</label>
+        <type>dropdown</type>
+        <help>Choose the type of client. Default Radius-clients use UDP.</help>
+    </field>
+
+    <field>
+        <id>client.secret</id>
+        <label>Secret</label>
+        <type>text</type>
+        <help>The shared RADIUS key with this client. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".)</help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Advanced settings</label>
+        <advanced>true</advanced>
+    </field>
+
+    <field>
+        <id>client.tlsConfig</id>
+        <label>TLS-Config</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help>For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient or default will be used if defined (in that order). If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error.</help>
+    </field>
+
+    <field>
+        <id>client.certificateNameCheck</id>
+        <label>Certificate-Name-Check</label>
+        <advanced>true</advanced>        
+        <type>dropdown</type>
+        <help>For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address.</help>
+    </field>
+
+    <field>
+        <id>client.matchCertificateAttribute</id>
+        <label>Match Certificate-Attribute</label>
+        <advanced>true</advanced>        
+        <type>text</type>
+        <help>Perform additional validation of certificate attributes (CN | SubjectAltName:URI | SubjectAltName:DNS). Currently matching of CN and SubjectAltName types URI DNS and IP is supported.</help>
+    </field>
+
+    <field>
+        <id>client.rewriteIn</id>
+        <label>Rewrite incoming requests</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages from this client. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
+    </field>
+
+    <field>
+        <id>client.rewriteOut</id>
+        <label>Rewrite outgoing requests</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages from this client. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml
new file mode 100644
index 0000000000..6c270fed76
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml
@@ -0,0 +1,71 @@
+<form>
+
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
+
+    <field>
+        <id>realm.enabled</id>
+        <label>Enable Realm</label>
+        <type>checkbox</type>
+        <help>Enable this realm</help>
+    </field>
+    
+    <field>
+        <id>realm.realm</id>
+        <label>Realm</label>
+        <type>text</type>
+        <help>* | realm | /regex/</help>
+    </field>
+
+    <field>
+        <id>realm.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description to identify this realm and its target</help>
+    </field>
+    
+    <field>
+        <type>section_title</type>
+        <label>Authentication</label>
+    </field>
+
+    <field>
+        <id>realm.server</id>
+        <label>Server</label>
+        <type>select_multiple</type>
+        <sortable>true</sortable>
+        <style>tokenize</style>
+        <help>If not configured, the proxy will deny all Access-Requests for this realm.</help>
+    </field>
+
+    <field>
+        <id>realm.replyMessage</id>
+        <label>Reply-Message</label>
+        <type>text</type>
+        <help><![CDATA[Specify a message to be sent back to the client if a Access-Request is denied because no <b>server</b> is configured.]]></help>
+    </field>
+    
+    <field>
+        <type>section_title</type>
+        <label>Accounting</label>
+    </field>
+
+    <field>
+        <id>realm.accountingServer</id>
+        <label>Accounting-Server</label>
+        <type>select_multiple</type>
+        <sortable>true</sortable>
+        <style>tokenize</style>
+        <help>If not configured, the proxy will silently ignore all Accounting-Requests for this realm.</help>
+    </field>
+
+    <field>
+        <id>realm.accountingResponse</id>
+        <label>Accounting-Response</label>
+        <type>dropdown</type>
+        <help><![CDATA[Enable sending Accounting-Response instead of ignoring Accounting-Requests when no <b>accoutingServer</b> is configured.]]></help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml
new file mode 100644
index 0000000000..ca8ef6092b
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml
@@ -0,0 +1,101 @@
+<form>
+
+    <field>
+        <id>rewrite.enabled</id>
+        <label>Enable rewrite-rule</label>
+        <type>checkbox</type>
+        <help>Use this rule</help>
+    </field>
+
+    <field>
+        <id>rewrite.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Unique name for this rule</help>
+    </field>
+
+    <field>
+        <id>rewrite.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description of this rule</help>
+    </field>
+
+    <field>
+        <id>rewrite.addAttributes</id>
+        <label>Add attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute:value</i>, one per line<br/>Add an attribute to the radius message and set it to value. The attribute must be specified using the numerical attribute id. The value can either be numerical, a string, or a hex value. If the value starts with a number, it is interpreted as a 32bit unsigned integer. Use the ’ character at the start of the value to force string interpretation. When using hex value, it is recommended to also lead with ’ to avoid unintended numeric interpretation. See the CONFIGURATION SYNTAX section for further details.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.addVendorAttributes</id>
+        <label>Add vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor:subattribute:value</i>, one per line<br/>Add a vendor attribute to the radius message, specified by vendor and subattribute. Both vendor and subattribute must be specified as numerical values. The format of value is the same as for addAttribute above.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.supplementAttributes</id>
+        <label>Add supplement-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute:value</i>, one per line<br/>Add an attribute to the radius message and set it to value, only if the attribute is not yet present on the message. The format of value is the same as for addAttribute above.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.supplementVendorAttributes</id>
+        <label>Add supplement-vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor:subattribute:value</i>, one per line<br/>Add a vendor attribute to the radius message only if the subattribute of this vendor is not yet present on the message. The format of is the same as for addVendorAttribute above.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.modifyAttributes</id>
+        <label>Modify attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute:/regex/replace/</i>, one per line<br/>Modify the given attribute using the regex replace pattern. As above, attribute must be specified by a numerical value. Example usage: modifyAttribute 1:/^(.*)@local$/\1@example.com/]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.modifyVendorAttributes</id>
+        <label>Modify vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor:subattribute:/regex/replace/</i>, one per line<br/>Modify the given subattribute of given vendor using the regex replace pattern. Other than the added vendor, the same syntax as for ModifyAttribute applies.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.removeAttributes</id>
+        <label>Remove attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute</i>, one per line<br/>Remove all attributes with the given id.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.removeVendorAttributes</id>
+        <label>Remove vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor[:subattribute]</i>, one per line<br/>Remove all vendor attributes that match the given vendor and subattribute. If the subattribute is omitted, all attributes with the given vendor id are removed.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.whitelistMode</id>
+        <label>Whitelist-mode</label>
+        <type>dropdown</type>
+        <help><![CDATA[Enable whitelist mode. All attributes except those configured with <b>WhitelistAttribute</b> or <b>WhitelistVendorAttribute</b> will be removed. While whitelist mode is active, <b>RemoveAttribute</b> and <b>RemoveVendorAttribute</b> statements are ignored.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.whitelistAttributes</id>
+        <label>Whitelist attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute</i>, one per line<br/>Do not remove attributes with the given id when WhitelistMode is on. Ignored otherwise.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.whitelistVendorAttributes</id>
+        <label>Whitelist vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor[:subattribute]</i>, one per line<br/>Do not remove vendor attributes that match the given vendor and subattribute when WhitelistMode is on. Ignored otherwise. If the subattribute is omitted, the complete vendor attribute is whitelisted. Otherwise only the specified subattribute is kept but all other subattributes are removed.]]></help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml
new file mode 100644
index 0000000000..ce44adcb9f
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml
@@ -0,0 +1,102 @@
+<form>
+
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
+
+    <field>
+        <id>server.identifier</id>
+        <label>Unique identifier</label>
+        <type>text</type>
+        <help>Unique identifier for this server</help>
+    </field>
+
+    <field>
+        <id>server.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description to identify this server</help>
+    </field>
+
+    <field>
+        <id>server.host</id>
+        <label>Hostname / IP</label>
+        <type>text</type>
+        <help>The server's IP or hostname to connect to</help>
+    </field>
+
+    <field>
+        <id>server.port</id>
+        <label>Port</label>
+        <type>text</type>
+        <help>The port (UDP/TCP) to connect to. If omitted, UDP and TCP will default to 1812 while TLS and DTLS will default to 2083.</help>
+    </field>
+
+    <field>
+        <id>server.statusServer</id>
+        <label>Status-Server</label>
+        <type>dropdown</type>
+        <help><![CDATA[Enable the use of status-server messages for this server (default <b>off</b>). If statusserver is enabled (<b>on</b>), the proxy will send regular status-server messages to the server to verify that it is alive. Status tracking of the server will solely depend on status-server message and ignore lost requests. This should only be enabled if the server supports it. With the option <b>minimal</b> status-server messages are only sent when regular requests have been lost and no other replies have been received.]]></help>
+    </field>
+
+    <field>
+        <id>server.type</id>
+        <label>Type</label>
+        <type>dropdown</type>
+        <help>Choose the type of server. Default Radius-clients use UDP.</help>
+    </field>
+
+    <field>
+        <id>server.secret</id>
+        <label>Secret</label>
+        <type>text</type>
+        <help>The shared RADIUS key with this server. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".)</help>
+    </field>
+
+    <field>
+        <id>server.tlsConfig</id>
+        <label>TLS-Config</label>
+        <type>dropdown</type>
+        <help>For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient or default will be used if defined (in that order). If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error.</help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Advanced settings</label>
+        <advanced>true</advanced>
+    </field>
+
+    <field>
+        <id>server.certificateNameCheck</id>
+        <label>Certificate-Name-Check</label>
+        <advanced>true</advanced>        
+        <type>dropdown</type>
+        <help>For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address.</help>
+    </field>
+
+    <field>
+        <id>server.matchCertificateAttribute</id>
+        <label>Match Certificate-Attribute</label>
+        <advanced>true</advanced>        
+        <type>text</type>
+        <help>Perform additional validation of certificate attributes (CN | SubjectAltName:URI | SubjectAltName:DNS). Currently matching of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this option can only be specified once in a client block.</help>
+    </field>
+
+    <field>
+        <id>server.rewriteIn</id>
+        <label>Rewrite incoming requests</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages for this server. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
+    </field>
+
+    <field>
+        <id>server.rewriteOut</id>
+        <label>Rewrite outgoing requests</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages for this server. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml
new file mode 100644
index 0000000000..240d91266e
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml
@@ -0,0 +1,68 @@
+<form>
+
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
+
+    <field>
+        <id>tlsConfig.name</id>
+        <label>Unique name</label>
+        <type>text</type>
+        <help>This TLS-config's unique name</help>
+    </field>
+
+    <field>
+        <id>tlsConfig.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description to identify this TLS-config</help>
+    </field>
+    
+    <field>
+        <id>tlsConfig.caCertificateRefId</id>
+        <label>CA-certificate</label>
+        <type>dropdown</type>
+        <help>The CA certificate file used to verify the peers certificate.</help>
+    </field>
+
+    <field>
+        <id>tlsConfig.proxyCertificateRefId</id>
+        <label>This server's certificate</label>
+        <type>dropdown</type>
+        <help>The server certificate this proxy will use. The file may also contain a certificate chain.</help>
+    </field>
+    
+    <field>
+        <type>section_title</type>
+        <label>Advanced settings</label>
+        <advanced>true</advanced>
+    </field>
+
+    <field>
+        <id>tlsConfig.policyOids</id>
+        <label>Policy OIDs</label>
+        <advanced>true</advanced>   
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>Require the peers certificate to adhere to the policy specified by this oid / these oids.</help>
+    </field>
+
+    <field>
+        <id>tlsConfig.crlCheck</id>
+        <label>CRL-Check</label>
+        <advanced>true</advanced>   
+        <type>dropdown</type>
+        <help><![CDATA[Enable checking peer certificate against the CRL (default off). Note that radsecproxy does not fetch the CRLs itslef. This has to be done separately, e.g. with <b>fetch-crl</b>.]]></help>
+    </field>
+
+    <field>
+        <id>tlsConfig.cacheExpiry</id>
+        <label>Cache Expiry (seconds)</label>
+        <advanced>true</advanced>   
+        <type>text</type>
+        <help>Specify how many seconds the CA and CRL information should be cached. By default, the CA and CRL are loaded at startup and cached indefinetely. This option may be set to zero to disable caching.</help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml
new file mode 100644
index 0000000000..eaf9611ed2
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml
@@ -0,0 +1,121 @@
+<form>
+
+    <field>
+        <id>radsecproxy.general.enabled</id>
+        <label>Enable RadSecProxy</label>
+        <type>checkbox</type>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.logLevel</id>
+        <label>Loglevel</label>
+        <type>dropdown</type>
+        <help>This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 logs everything. The default is 2 which logs errors, warnings and a few informational messages.</help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.logFullUsername</id>
+        <label>Log full username</label>
+        <type>dropdown</type>
+        <help>This can be set to off to only log the realm in Access-Accept/Reject log messages (for privacy).</help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.logMac</id>
+        <label>Log MAC</label>
+        <type>dropdown</type>
+        <help><![CDATA[The LogMAC option can be used to control if and how Calling-Station-Id (the users Ethernet MAC address) is being logged. It can be set to one of <b>Static</b>, <b>Original</b>, <b>VendorHashed</b>, <b>VendorKeyHashed</b>, <b>FullyHashed</b> or <b>FullyKeyHashed</b>. The default value for LogMAC is <b>Original</b>.]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.loopPrevention</id>
+        <label>Loop-prevention</label>
+        <type>dropdown</type>
+        <help>When this is enabled (on), a request will never be sent to a server named the same as the client it was received from. I.e., the names of the client block and the server block are compared. Note that this only gives limited protection against loops. It can be used as a basic option and inside server blocks where it overrides the basic setting.</help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Advanced settings</label>
+        <advanced>true</advanced>
+    </field>
+    
+    <field>
+        <type>section_title</type>
+        <label>Listening IPs and Ports</label>
+        <advanced>true</advanced>
+        <help>Listen for the address and port for the respective protocol. Normally the proxy will listen to the standard ports if configured to handle clients with the respective protocol. The default ports are 1812 for UDP and TCP and 2083 for TLS and DTLS. On most systems it will do this for all of the system’s IP addresses (both IPv4 and IPv6). On some systems however, it may respond to only IPv4 or only IPv6. To specify an alternate port you may use a value on the form *:port where port is any valid port number. If you also want to specify a specific address you can do e.g. 192.168.1.1:1812 or [2001:db8::1]:1812. The port may be omitted if you want the default one. Note that you must use brackets around the IPv6 address. These options may be specified multiple times to listen to multiple addresses and/or ports for each protocol.</help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.listenUdp</id>
+        <label>Listen UDP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.listenTcp</id>
+        <label>Listen TCP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.listenTls</id>
+        <label>Listen TLS</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.listenDtls</id>
+        <label>Listen DTLS</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+    
+    <field>
+        <type>section_title</type>
+        <label>Source IPs and Ports</label>
+        <advanced>true</advanced>
+        <help>This can be used to specify source address and/or source port that the proxy will use for connecting to clients to send messages (e.g. Access Request). The same syntax as for Listen... applies.</help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.sourceUdp</id>
+        <label>Source UDP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.sourceTcp</id>
+        <label>Source TCP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.sourceTls</id>
+        <label>Source TLS</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.sourceDtls</id>
+        <label>Source DTLS</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+ </form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
new file mode 100644
index 0000000000..65b18340f0
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
@@ -0,0 +1,12 @@
+<menu>
+    <Services>
+        <RadSecProxy VisibleName="RadSecProxy" cssClass="fa fa-shield fa-fw">
+            <Basic VisibleName="General" order="10" url="/ui/radsecproxy/general" />
+            <Clients VisibleName="Clients" order="20" url="/ui/radsecproxy/clients" />
+            <Servers VisibleName="Servers" order="30" url="/ui/radsecproxy/servers" />
+            <Realms VisibleName="Realms" order="40" url="/ui/radsecproxy/realms" />
+            <Tls VisibleName="TLS" order="50" url="/ui/radsecproxy/tls" />
+            <Rewrites VisibleName="Rewrite-Rules" order="60" url="/ui/radsecproxy/rewrites" />
+        </RadSecProxy>
+    </Services>
+</menu>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.php b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.php
new file mode 100644
index 0000000000..31e1b506e4
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.php
@@ -0,0 +1,31 @@
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\RadSecProxy;
+
+use OPNsense\Base\BaseModel;
+
+class RadSecProxy extends BaseModel
+{
+}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
new file mode 100644
index 0000000000..145fb8b59f
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
@@ -0,0 +1,514 @@
+<model>
+    <mount>//OPNsense/radsecproxy</mount>
+    <description>
+        RadSecProxy-Management
+    </description>
+    <version>0.0.1</version>
+    <items>
+        <general>
+
+            <enabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </enabled>
+
+            <logLevel type="OptionField">
+                <Required>Y</Required>
+                <default>2</default>
+                <OptionValues>
+                    <ll1 value="1">1 (only serious errors)</ll1>
+                    <ll2 value="2">2 (default)</ll2>
+                    <ll3 value="3">3</ll3>
+                    <ll4 value="4">4</ll4>
+                    <ll5 value="5">5 (log everything)</ll5>
+                </OptionValues>    
+            </logLevel>
+
+            <logFullUsername type="OptionField">
+                <Required>Y</Required>
+                <default>off</default>
+                <OptionValues>
+                    <on>On</on>
+                    <off>Off</off>
+                </OptionValues>
+            </logFullUsername>
+
+            <logMac type="OptionField">
+                <Required>Y</Required>
+                <default>Original</default>
+                <OptionValues>
+                    <Static>Static</Static>
+                    <Original>Original</Original>
+                    <VendorHashed>VendorHashed</VendorHashed>
+                    <VendorKeyHashed>VendorKeyHashed</VendorKeyHashed>
+                    <FullyHashed>FullyHashed</FullyHashed>
+                    <FullyKeyHashed>FullyKeyHashed</FullyKeyHashed>
+                </OptionValues>    
+            </logMac>
+
+            <loopPrevention type="OptionField">
+                <Required>Y</Required>
+                <default>on</default>
+                <OptionValues>
+                    <on>On</on>
+                    <off>Off</off>
+                </OptionValues>
+            </loopPrevention>
+
+            <listenUdp type="TextField">
+                <Required>N</Required>
+            </listenUdp>
+
+            <listenTcp type="TextField">
+                <Required>N</Required>
+            </listenTcp>
+
+            <listenTls type="TextField">
+                <Required>N</Required>
+            </listenTls>
+
+            <listenDtls type="TextField">
+                <Required>N</Required>
+            </listenDtls>
+
+            <sourceUdp type="TextField">
+                <Required>N</Required>
+            </sourceUdp>
+
+            <sourceTcp type="TextField">
+                <Required>N</Required>
+            </sourceTcp>
+
+            <sourceTls type="TextField">
+                <Required>N</Required>
+            </sourceTls>
+
+            <sourceDtls type="TextField">
+                <Required>N</Required>
+            </sourceDtls>
+
+        </general>
+
+        <clients>
+            <client type="ArrayField">
+
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+
+                <identifier type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Identifier already in use</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </identifier>
+
+                <description type="TextField">
+                    <Required>N</Required>
+                </description>
+
+                <host type="NetworkField">
+                    <Required>Y</Required>
+                    <IpAllowed>Y</IpAllowed>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                        </check001>
+                    </Constraints>
+                </host>
+
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <default>udp</default>
+                    <OptionValues>
+                        <udp>UDP</udp>
+                        <tcp>TCP</tcp>
+                        <tls>TLS</tls>
+                        <dtls>DTLS</dtls>
+                    </OptionValues>    
+                </type>
+
+                <secret type="TextField">
+                    <Required>N</Required>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Must be set for UDP-clients.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>type</field>
+                            <check>udp</check>
+                        </check001>
+                        <check002>
+                            <ValidationMessage>Must be set for TCP-clients.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>type</field>
+                            <check>tcp</check>
+                        </check002>
+                    </Constraints>
+                </secret>
+
+                <tlsConfig type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <tlsConfigs>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>tlsConfigs.tlsConfig</items>
+                            <display>name</display>
+                        </tlsConfigs>
+                    </Model>
+                </tlsConfig>
+
+                <certificateNameCheck type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </certificateNameCheck>
+
+                <matchCertificateAttribute type="TextField">
+                    <Required>N</Required>
+                </matchCertificateAttribute>
+
+                <rewriteIn type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <rewrites>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>rewrites.rewrite</items>
+                            <display>name</display>
+                        </rewrites>
+                    </Model>
+                </rewriteIn>
+
+                <rewriteOut type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <rewrites>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>rewrites.rewrite</items>
+                            <display>name</display>
+                        </rewrites>
+                    </Model>
+                </rewriteOut>
+
+            </client>
+        </clients>
+
+        <servers>
+            <server type="ArrayField">
+
+                <identifier type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Identifier already in use</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </identifier>
+
+                <description type="TextField">
+                    <Required>N</Required>
+                </description>
+                
+                <host type="TextField">
+                    <Required>Y</Required>
+                    <IpAllowed>Y</IpAllowed>
+                </host>
+
+                <port type="PortField">
+                    <Required>N</Required>
+                </port>
+
+                <statusServer type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                        <minimal>Minimal</minimal>
+                        <auto>Auto</auto>
+                    </OptionValues>
+                </statusServer>
+
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <default>udp</default>
+                    <OptionValues>
+                        <udp>UDP</udp>
+                        <tcp>TCP</tcp>
+                        <tls>TLS</tls>
+                        <dtls>DTLS</dtls>
+                    </OptionValues>
+                </type>
+
+                <secret type="TextField">
+                    <Required>N</Required>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Must be set for UDP-servers.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>type</field>
+                            <check>udp</check>
+                        </check001>
+                        <check002>
+                            <ValidationMessage>Must be set for TCP-servers.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>type</field>
+                            <check>tcp</check>
+                        </check002>
+                    </Constraints>
+                </secret>
+
+                <tlsConfig type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <tlsConfigs>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>tlsConfigs.tlsConfig</items>
+                            <display>name</display>
+                        </tlsConfigs>
+                    </Model>
+                </tlsConfig>
+
+                <certificateNameCheck type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </certificateNameCheck>
+
+                <matchCertificateAttribute type="TextField">
+                    <Required>N</Required>
+                </matchCertificateAttribute>
+
+                <rewriteIn type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <rewrites>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>rewrites.rewrite</items>
+                            <display>name</display>
+                        </rewrites>
+                    </Model>
+                </rewriteIn>
+
+                <rewriteOut type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <rewrites>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>rewrites.rewrite</items>
+                            <display>name</display>
+                        </rewrites>
+                    </Model>
+                </rewriteOut>
+
+            </server>
+        </servers>
+
+        <tlsConfigs>
+            <tlsConfig type="ArrayField">
+
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
+                    <default>default</default>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Name already in use</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </name>
+
+                <description type="TextField">
+                    <Required>N</Required>
+                </description>
+
+                <caCertificateRefId type="CertificateField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Field is required</ValidationMessage>
+                    <Type>ca</Type>
+                </caCertificateRefId>
+
+                <proxyCertificateRefId type="CertificateField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Field is required</ValidationMessage>
+                    <Type>cert</Type>
+                </proxyCertificateRefId>
+
+                <policyOids type="CSVListField">
+                    <Required>N</Required>
+                    <multiple>Y</multiple>
+                </policyOids>
+
+                <crlCheck type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </crlCheck>
+
+                <cacheExpiry type="IntegerField">
+                    <Required>N</Required>
+                </cacheExpiry>
+
+            </tlsConfig>
+        </tlsConfigs>
+
+        <realms>
+            <realm type="ArrayField">
+
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                
+                <description type="TextField">
+                    <Required>N</Required>
+                </description>
+
+                <realm type="TextField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Must not be empty</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Must be unique</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </realm>
+
+                <server type="ModelRelationField">
+                    <Multiple>Y</Multiple>
+                    <Required>N</Required>
+                    <Sorted>Y</Sorted>
+                    <Model>
+                        <servers>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>servers.server</items>
+                            <display>identifier</display>
+                        </servers>
+                    </Model>
+                    <ValidationMessage>Related server not found</ValidationMessage>
+                </server>
+
+                <accountingServer type="ModelRelationField">
+                    <Multiple>Y</Multiple>
+                    <Required>N</Required>
+                    <Sorted>Y</Sorted>
+                    <Model>
+                        <servers>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>servers.server</items>
+                            <display>identifier</display>
+                        </servers>
+                    </Model>
+                    <ValidationMessage>Related server not found</ValidationMessage>
+                </accountingServer>
+
+                <accountingResponse type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </accountingResponse>
+
+                <replyMessage type="TextField">
+                    <Required>N</Required>
+                </replyMessage>
+
+            </realm>
+        </realms>
+
+        <rewrites>
+            <rewrite type="ArrayField">
+
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
+                    <default>default</default>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Name already in use</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </name>
+
+                <addAttributes type="TextField">
+                    <Required>N</Required>
+                </addAttributes>
+
+                <addVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </addVendorAttributes>
+
+                <supplementAttributes type="TextField">
+                    <Required>N</Required>
+                </supplementAttributes>
+
+                <supplementVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </supplementVendorAttributes>
+
+                <modifyAttributes type="TextField">
+                    <Required>N</Required>
+                </modifyAttributes>
+
+                <modifyVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </modifyVendorAttributes>
+
+                <removeAttributes type="TextField">
+                    <Required>N</Required>
+                </removeAttributes>
+
+                <removeVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </removeVendorAttributes>
+
+                <whitelistMode type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </whitelistMode>
+ 
+                <whitelistAttributes type="TextField">
+                    <Required>N</Required>
+                </whitelistAttributes>
+ 
+                <whitelistVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </whitelistVendorAttributes>
+
+            </rewrite>
+        </rewrites>
+    </items>
+</model>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
new file mode 100644
index 0000000000..33e7413f28
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
@@ -0,0 +1,56 @@
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/clients/searchItem/',
+                get:'/api/radsecproxy/clients/getItem/',
+                set:'/api/radsecproxy/clients/setItem/',
+                add:'/api/radsecproxy/clients/addItem/',
+                del:'/api/radsecproxy/clients/delItem/',
+                toggle:'/api/radsecproxy/clients/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogClient">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+            <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
+            <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogClient,'id':'DialogClient','label':lang._('Edit client')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt
new file mode 100644
index 0000000000..1508a57b5f
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt
@@ -0,0 +1,31 @@
+<script type="text/javascript">
+    $( document ).ready(function() {
+        var data_get_map = {'frm_GeneralSettings':"/api/radsecproxy/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            $('.selectpicker').selectpicker('refresh');
+        });
+        updateServiceControlUI('radsecproxy');
+        
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            saveFormToEndpoint(url="/api/radsecproxy/general/set",formid='frm_GeneralSettings',callback_ok=function(){
+                // action to run after successful save, for example reconfigure service.
+                ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                    // action to run after reload
+                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                    updateServiceControlUI('radsecproxy');
+                });
+            });
+        });
+        
+    });
+</script>
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
+
+    <div class="col-md-12">
+        <hr />
+        <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
+</div>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
new file mode 100644
index 0000000000..974842f40e
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
@@ -0,0 +1,54 @@
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/realms/searchItem/',
+                get:'/api/radsecproxy/realms/getItem/',
+                set:'/api/radsecproxy/realms/setItem/',
+                add:'/api/radsecproxy/realms/addItem/',
+                del:'/api/radsecproxy/realms/delItem/',
+                toggle:'/api/radsecproxy/realms/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRealm">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+            <th data-column-id="realm" data-type="string">{{ lang._('Realm') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogRealm,'id':'DialogRealm','label':lang._('Edit realm')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
new file mode 100644
index 0000000000..ded6289663
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
@@ -0,0 +1,54 @@
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/rewrites/searchItem/',
+                get:'/api/radsecproxy/rewrites/getItem/',
+                set:'/api/radsecproxy/rewrites/setItem/',
+                add:'/api/radsecproxy/rewrites/addItem/',
+                del:'/api/radsecproxy/rewrites/delItem/',
+                toggle:'/api/radsecproxy/rewrites/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRewrite">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+            <th data-column-id="name" data-type="string">{{ lang._('Type') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogRewrite,'id':'DialogRewrite','label':lang._('Edit rewrite-rule')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
new file mode 100644
index 0000000000..0581869990
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
@@ -0,0 +1,56 @@
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/servers/searchItem/',
+                get:'/api/radsecproxy/servers/getItem/',
+                set:'/api/radsecproxy/servers/setItem/',
+                add:'/api/radsecproxy/servers/addItem/',
+                del:'/api/radsecproxy/servers/delItem/',
+                toggle:'/api/radsecproxy/servers/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogServer">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
+            <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+            <th data-column-id="tlsConfig" data-type="string">{{ lang._('TLS-Config') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogServer,'id':'DialogServer','label':lang._('Edit server')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
new file mode 100644
index 0000000000..3533486053
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
@@ -0,0 +1,55 @@
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/tls/searchItem/',
+                get:'/api/radsecproxy/tls/getItem/',
+                set:'/api/radsecproxy/tls/setItem/',
+                add:'/api/radsecproxy/tls/addItem/',
+                del:'/api/radsecproxy/tls/delItem/',
+                toggle:'/api/radsecproxy/tls/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogTls">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="caCertificateRefId" data-type="string">{{ lang._('CA-certificate') }}</th>
+            <th data-column-id="proxyCertificateRefId" data-type="string">{{ lang._('Proxy-certificate') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogTls,'id':'DialogTls','label':lang._('Edit TLS-config')])}}
diff --git a/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php
new file mode 100755
index 0000000000..9414db161c
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php
@@ -0,0 +1,105 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+    Copyright (C) 2020 Tobias Boehnert
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+
+use OPNsense\Core\Config;
+
+$outputFolder = "/usr/local/etc/radsecproxy.d/certs/";
+
+
+echo "begin generating of RadSecProxy-TLS-certificates\n";
+echo "output-directory: " . $outputFolder . "\n";
+
+if (! function_exists('writeCertFile')) {
+    function writeCertFile($pathToFile, $certificateData)
+    {
+        // generate cert pem file
+        $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+            "\r",
+            "",
+            base64_decode((string)$certificateData)
+        )));
+
+        $pem_content .= "\n";
+        file_put_contents($pathToFile, $pem_content);
+        chmod($pathToFile, 0600);
+        echo "generated file " . $pathToFile . "\n";
+    }
+}
+
+if (! function_exists('deleteFilesInFolder')) {
+    function deleteFilesInFolder($pathToFolder)
+    {
+        echo "deleting all files in folder " . $pathToFolder . "\n";
+        $files = glob($pathToFolder . '/*');
+        
+        foreach ($files as $file) {
+            //Make sure that this is a file and not a directory.
+            if (is_file($file)) {
+                //Use the unlink function to delete the file.
+                unlink($file);
+                echo "deleted file " . $file . "\n";
+            }
+        }
+    }
+}
+
+// traverse radsecproxy's tls-configs
+$configObj = Config::getInstance()->object();
+
+deleteFilesInFolder($outputFolder);
+if (isset($configObj->OPNsense->radsecproxy->tlsConfigs)) {
+    foreach ($configObj->OPNsense->radsecproxy->tlsConfigs->children() as $tlsConfig) {
+        echo "parsing TLS-config \"" . $tlsConfig->name . "\"\n";
+
+        $caCertRefId = (string)$tlsConfig->caCertificateRefId;
+        $proxyCertRefId = (string)$tlsConfig->proxyCertificateRefId;
+
+        if ($caCertRefId != "") {
+            echo "looking for CA-cert-file\n";
+            foreach ($configObj->ca as $ca) {
+                if ($caCertRefId == (string)$ca->refid) {
+                    echo "creating CA-cert-files from \"" . $ca->descr . "\"\n";
+                    writeCertFile($outputFolder . $tlsConfig->name . "_ca-cert.pem", $ca->crt);
+                }
+            }
+        }
+
+        if ($proxyCertRefId != "") {
+            foreach ($configObj->cert as $cert) {
+                if ($proxyCertRefId == (string)$cert->refid) {
+                    echo "creating proxy-cert-files from \"" . $cert->descr . "\"\n";
+                    writeCertFile($outputFolder . $tlsConfig->name . "_proxy-cert.pem", $cert->crt);
+                    writeCertFile($outputFolder . $tlsConfig->name . "_proxy-key.pem", $cert->prv);
+                }
+            }
+        }
+    }
+} else {
+    echo "no TLS-configs found\n";
+}
diff --git a/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh
new file mode 100755
index 0000000000..cd09c51f98
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+RADSECPROXY_DIRS="/usr/local/etc/radsecproxy.d /usr/local/etc/radsecproxy.d/certs"
+
+for directory in ${RADSECPROXY_DIRS}; do
+    mkdir -p ${directory}
+    chown -R www:www ${directory}
+    chmod -R 750 ${directory}
+done
+
+
+# export required certs to filesystem
+/usr/local/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php > /dev/null 2>&1
+
+# remove logfile - sometimes it will stop radsecproxy from starting
+#rm /var/log/radsecproxy.log
+
+exit 0
diff --git a/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
new file mode 100644
index 0000000000..42dfe22969
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
@@ -0,0 +1,35 @@
+[setup]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;
+parameters:
+type:script
+message:setup radsecproxy service requirements
+
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy start;
+parameters:
+type:script
+message:starting radsecproxy
+
+[stop]
+command:/usr/local/etc/rc.d/radsecproxy stop;
+parameters:
+type:script
+message:stopping radsecproxy
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
+parameters:
+type:script
+message:restarting radsecproxy
+
+[reload]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
+parameters:
+type:script
+message:reloading radsecproxy
+
+[status]
+command:/usr/local/etc/rc.d/radsecproxy status;exit 0;
+parameters:
+type:script_output
+message:radsecproxy status
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS
new file mode 100644
index 0000000000..294d4f30db
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS
@@ -0,0 +1,2 @@
+radsecproxy.conf:/usr/local/etc/radsecproxy.conf
+rc.conf.d:/etc/rc.conf.d/radsecproxy
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
new file mode 100644
index 0000000000..b0563b335f
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
@@ -0,0 +1,240 @@
+{% if helpers.exists('OPNsense.radsecproxy.general') and OPNsense.radsecproxy.general.enabled|default("0") == "1" %}
+{% set certDir = '/usr/local/etc/radsecproxy.d/certs/' %}
+# auto-generated config-file for radsecproxy
+###########################################
+# GENERAL
+###########################################
+
+#PidFile /var/run/radsecproxy.pid
+#LogDestination file:///var/log/radsecproxy.log
+LogDestination x-syslog:///LOG_DAEMON
+
+{% if OPNsense.radsecproxy.general.logLevel is defined and OPNsense.radsecproxy.general.logLevel != "" %}
+LogLevel {{ OPNsense.radsecproxy.general.logLevel }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.logFullUsername is defined and OPNsense.radsecproxy.general.logFullUsername != "" %}
+LogFullUsername {{ OPNsense.radsecproxy.general.logFullUsername }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.logMac is defined and OPNsense.radsecproxy.general.logMac != "" %}
+LogMac {{ OPNsense.radsecproxy.general.logMac }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.loopPrevention is defined and OPNsense.radsecproxy.general.loopPrevention != "" %}
+LoopPrevention {{ OPNsense.radsecproxy.general.loopPrevention }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.listenUdp is defined and OPNsense.radsecproxy.general.listenUdp != "" %}
+ListenUDP {{ OPNsense.radsecproxy.general.listenUdp }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.listenTcp is defined and OPNsense.radsecproxy.general.listenTcp != "" %}
+ListenTCP {{ OPNsense.radsecproxy.general.listenTcp }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.listenTls is defined and OPNsense.radsecproxy.general.listenTls != "" %}
+ListenTLS {{ OPNsense.radsecproxy.general.listenTls }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.listenDtls is defined and OPNsense.radsecproxy.general.listenDtls != "" %}
+ListenDTLS {{ OPNsense.radsecproxy.general.listenDtls }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.sourceUdp is defined and OPNsense.radsecproxy.general.sourceUdp != "" %}
+SourceUDP {{ OPNsense.radsecproxy.general.sourceUdp }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.sourceTcp is defined and OPNsense.radsecproxy.general.sourceTcp != "" %}
+SourceTCP {{ OPNsense.radsecproxy.general.sourceTcp }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.sourceTls is defined and OPNsense.radsecproxy.general.sourceTls != "" %}
+SourceTLS {{ OPNsense.radsecproxy.general.sourceTls }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.sourceDtls is defined and OPNsense.radsecproxy.general.sourceDtls != "" %}
+SourceDTLS {{ OPNsense.radsecproxy.general.sourceDtls }}
+{% endif %}
+
+###########################################
+# TLS-CONFIGS
+###########################################
+
+{% for tlsConfig in helpers.toList('OPNsense.radsecproxy.tlsConfigs.tlsConfig') %}
+# config for TLS-Config "{{ tlsConfig.description }}"
+tls {{ tlsConfig.name }} {
+{% if tlsConfig.caCertificateRefId is defined and tlsConfig.caCertificateRefId != "" %}
+  CACertificateFile   {{ certDir}}{{ tlsConfig.name }}_ca-cert.pem
+{% endif %}
+{% if tlsConfig.proxyCertificateRefId is defined and tlsConfig.proxyCertificateRefId != "" %}
+  CertificateFile     {{ certDir}}{{ tlsConfig.name }}_proxy-cert.pem
+  CertificateKeyFile  {{ certDir}}{{ tlsConfig.name }}_proxy-key.pem
+{% endif %}
+{% if tlsConfig.policyOids is defined and tlsConfig.policyOids != "" %}
+{% for policyOid in tlsConfig.policyOids.split(',') %}
+  PolicyOID {{ policyOid }}
+{% endfor %}
+{% endif %} 
+  CRLCheck {{ tlsConfig.crlCheck }}
+{% if tlsConfig.cacheExpiry is defined and tlsConfig.cacheExpiry != "" %}
+  CacheExpiry {{ tlsConfig.cacheExpiry }}
+{% endif %}
+}
+
+{% endfor %}
+
+###########################################
+# REWRITE-RULES
+###########################################
+
+{% for rewriteRule in helpers.toList('OPNsense.radsecproxy.rewrites.rewrite') %}
+{% if rewriteRule.enabled is defined and rewriteRule.enabled == "1" %}
+
+rewrite {{ rewriteRule.name }} {
+{% if rewriteRule.addAttributes is defined and rewriteRule.addAttributes != "" %}
+{% for addAttribute in rewriteRule.addAttributes.split("\n") %}
+  AddAttribute {{ addAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.addVendorAttributes is defined and rewriteRule.addVendorAttributes != "" %}
+{% for addVendorAttribute in rewriteRule.addVendorAttributes.split("\n") %}
+  AddVendorAttribute {{ addVendorAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.supplementAttributes is defined and rewriteRule.supplementAttributes != "" %}
+{% for supplementAttribute in rewriteRule.supplementAttributes.split("\n") %}
+  SupplementAttribute {{ supplementAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.supplementVendorAttributes is defined and rewriteRule.supplementVendorAttributes != "" %}
+{% for supplementVendorAttribute in rewriteRule.supplementVendorAttributes.split("\n") %}
+  SupplementVendorAttribute {{ supplementVendorAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.modifyAttributes is defined and rewriteRule.modifyAttributes != "" %}
+{% for modifyAttribute in rewriteRule.modifyAttributes.split("\n") %}
+  ModifyAttribute {{ modifyAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.modifyVendorAttributes is defined and rewriteRule.modifyVendorAttributes != "" %}
+{% for modifyVendorAttribute in rewriteRule.modifyVendorAttributes.split("\n") %}
+  ModifyVendorAttribute {{ modifyVendorAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.removeAttributes is defined and rewriteRule.removeAttributes != "" %}
+{% for removeAttribute in rewriteRule.removeAttributes.split("\n") %}
+  RemoveAttribute {{ removeAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.removeVendorAttributes is defined and rewriteRule.removeVendorAttributes != "" %}
+{% for removeVendorAttribute in rewriteRule.removeVendorAttributes.split("\n") %}
+  RemoveVendorAttribute {{ removeVendorAttribute }}
+{% endfor %}
+{% endif %}
+  WhitelistMode {{ rewriteRule.whitelistMode }}
+{% if rewriteRule.whitelistAttributes is defined and rewriteRule.whitelistAttributes != "" %}
+{% for whitelistAttribute in rewriteRule.whitelistAttributes.split("\n") %}
+  WhitelistAttribute {{ whitelistAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.whitelistVendorAttributes is defined and rewriteRule.whitelistVendorAttributes != "" %}
+{% for whitelistVendorAttribute in rewriteRule.whitelistVendorAttributes.split("\n") %}
+  WhitelistVendorAttribute {{ whitelistVendorAttribute }}
+{% endfor %}
+{% endif %}
+}
+{% endif %}
+{% endfor %}
+
+###########################################
+# CLIENTS
+###########################################
+
+{% for client in helpers.toList('OPNsense.radsecproxy.clients.client') %}
+{% if client.enabled is defined and client.enabled == "1" %}
+# config for client "{{ client.description }}"
+client {{ client.identifier }} {
+  Host {{ client.host }}
+  Type {{ client.type }}
+{% if client.secret is defined and client.secret != "" %}
+  Secret {{ client.secret }}
+{% endif %}
+{% if client.tlsConfig is defined and client.tlsConfig != "" %}
+{% set tlsConfig = helpers.getUUID(client.tlsConfig) %}
+  Tls {{ tlsConfig.name }}
+{% endif %}
+  CertificateNameCheck {{ client.certificateNameCheck }}
+{% if client.matchCertificateAttribute is defined and client.matchCertificateAttribute != "" %}
+  matchCertificateAttribute {{ client.matchCertificateAttribute }}
+{% endif %}
+{% if client.rewriteIn is defined and client.rewriteIn != "" %}
+{% set rewriteInRule = helpers.getUUID(client.rewriteIn) %}
+  RewriteIn {{ rewriteInRule.name }}
+{% endif %}
+{% if client.rewriteOut is defined and client.rewriteOut != "" %}
+{% set rewriteOutRule = helpers.getUUID(client.rewriteOut) %}
+  RewriteOut {{ rewriteOutRule.name }}
+{% endif %}
+}
+
+{% else %}
+# config for client "{{ client.description }}" not enabled, skipping!"
+
+{% endif %}
+{% endfor %}
+
+###########################################
+# SERVERS
+###########################################
+
+{% for server in helpers.toList('OPNsense.radsecproxy.servers.server') %}
+# config for server "{{ server.description }}"
+server {{ server.identifier }} {
+  Host {{ server.host }}
+{% if server.port is defined and server.port != "" %}
+  Port {{ server.port }}
+{% endif %}
+  Type {{ server.type }}
+{% if server.secret is defined and server.secret != "" %}
+  Secret {{ server.secret }}
+{% endif %}
+{% if server.tlsConfig is defined and server.tlsConfig != "" %}
+{% set tlsConfig = helpers.getUUID(server.tlsConfig) %}
+  Tls {{ tlsConfig.name }}
+{% endif %}
+  StatusServer {{ server.statusServer }}
+  CertificateNameCheck {{ server.certificateNameCheck }}
+{% if server.matchCertificateAttribute is defined and server.matchCertificateAttribute != "" %}
+  matchCertificateAttribute {{ server.matchCertificateAttribute }}
+{% endif %}
+{% if server.rewriteIn is defined and server.rewriteIn != "" %}
+{% set rewriteInRule = helpers.getUUID(server.rewriteIn) %}
+  RewriteIn {{ rewriteInRule.name }}
+{% endif %}
+{% if server.rewriteOut is defined and server.rewriteOut != "" %}
+{% set rewriteOutRule = helpers.getUUID(server.rewriteOut) %}
+  RewriteOut {{ rewriteOutRule.name }}
+{% endif %}
+}
+
+{% endfor %}
+
+###########################################
+# REALMS
+###########################################
+
+{% for realm in helpers.toList('OPNsense.radsecproxy.realms.realm') %}
+{% if realm.enabled is defined and realm.enabled == "1" %}
+# config for realm "{{ realm.realm }}"
+realm {{ realm.realm }} {
+{% if realm.server is defined and realm.server != "" %}
+{% for serverUuid in realm.server.split(',') %}
+{% set server = helpers.getUUID(serverUuid) %}
+  Server {{ server.identifier }}
+{% endfor %}
+{% endif %}
+{% if realm.replyMessage is defined and realm.replyMessage != "" %}
+  ReplyMessage "{{ realm.replyMessage }}"
+{% endif %}
+{% if realm.accountingResponse is defined and realm.accountingResponse != "" %}
+  AccountingResponse {{ realm.accountingResponse }}
+{% endif %}
+}
+
+{% else %}
+# config for realm "{{ realm.realm }}" not enabled, skipping!"
+
+{% endif %}
+{% endfor %}
+{# END OF TEMPLATE #}
+{% endif %}
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
new file mode 100644
index 0000000000..03409f3a79
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
@@ -0,0 +1,7 @@
+{% if helpers.exists('OPNsense.radsecproxy.general.enabled') and OPNsense.radsecproxy.general.enabled == '1' %}
+radsecproxy_enable="YES"
+{% else %}
+radsecproxy_enable="NO"
+{% endif %}
+radsecproxy_user="root"
+radsecproxy_group="wheel"

From ee44f5d1e415c0d9c6347cf58c6a95f10a3a62c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Apr 2021 11:45:41 +0200
Subject: [PATCH 0533/3088] net/radsecproxy: scrub whitespaces

---
 LICENSE                                       |    1 +
 README.md                                     |    1 +
 net/radsecproxy/src/etc/rc.d/os-radsecproxy   |    4 +-
 .../RadSecProxy/forms/dialogClient.xml        |  192 +--
 .../RadSecProxy/forms/dialogRealm.xml         |  142 +--
 .../RadSecProxy/forms/dialogRewrite.xml       |  202 ++--
 .../RadSecProxy/forms/dialogServer.xml        |  204 ++--
 .../OPNsense/RadSecProxy/forms/dialogTls.xml  |  136 +--
 .../OPNsense/RadSecProxy/forms/general.xml    |  242 ++--
 .../models/OPNsense/RadSecProxy/Menu/Menu.xml |   24 +-
 .../OPNsense/RadSecProxy/RadSecProxy.xml      | 1028 ++++++++---------
 .../views/OPNsense/RadSecProxy/clients.volt   |  112 +-
 .../views/OPNsense/RadSecProxy/general.volt   |   62 +-
 .../views/OPNsense/RadSecProxy/realms.volt    |  108 +-
 .../views/OPNsense/RadSecProxy/rewrites.volt  |  108 +-
 .../views/OPNsense/RadSecProxy/servers.volt   |  112 +-
 .../app/views/OPNsense/RadSecProxy/tls.volt   |  110 +-
 .../OPNsense/RadSecProxy/generate_certs.php   |    2 +-
 .../conf/actions.d/actions_radsecproxy.conf   |   70 +-
 .../templates/OPNsense/RadSecProxy/+TARGETS   |    4 +-
 .../OPNsense/RadSecProxy/radsecproxy.conf     |  480 ++++----
 .../templates/OPNsense/RadSecProxy/rc.conf.d  |   14 +-
 22 files changed, 1680 insertions(+), 1678 deletions(-)

diff --git a/LICENSE b/LICENSE
index c36cfbddd5..c0d0614edb 100644
--- a/LICENSE
+++ b/LICENSE
@@ -30,6 +30,7 @@ Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2019 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz
 Copyright (c) 2020 Starkstromkonsument
+Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2010 Yehuda Katz
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
diff --git a/README.md b/README.md
index c45187bd86..0d7a3cdb0d 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
 net/ntopng -- Traffic Analysis and Flow Collection
+net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport (development only)
 net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
diff --git a/net/radsecproxy/src/etc/rc.d/os-radsecproxy b/net/radsecproxy/src/etc/rc.d/os-radsecproxy
index 4faca1f6bd..cb79588f7e 100755
--- a/net/radsecproxy/src/etc/rc.d/os-radsecproxy
+++ b/net/radsecproxy/src/etc/rc.d/os-radsecproxy
@@ -31,13 +31,13 @@ command_args="-c /usr/local/etc/radsecproxy.conf -i ${pidfile}"
 start_precmd="radsecproxy_prestart"
 stop_postcmd="radsecproxy_poststop"
 
-radsecproxy_prestart() 
+radsecproxy_prestart()
 {
 	mkdir -p $(dirname $pidfile)
 	chown ${user}:${group} $(dirname $pidfile)
 }
 
-radsecproxy_poststop() 
+radsecproxy_poststop()
 {
 	rm -f ${pidfile}
 }
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml
index 127ff57686..a74c90b696 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogClient.xml
@@ -1,96 +1,96 @@
-<form>
-
-    <field>
-        <type>section_title</type>
-        <label>General</label>
-    </field>
-
-    <field>
-        <id>client.enabled</id>
-        <label>Enable Client</label>
-        <type>checkbox</type>
-        <help>Allow connections from this client</help>
-    </field>
-
-    <field>
-        <id>client.identifier</id>
-        <label>Unique identifier</label>
-        <type>text</type>
-        <help>Unique identifier for this client</help>
-    </field>
-
-    <field>
-        <id>client.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help>Short description of this client</help>
-    </field>
-    
-    <field>
-        <id>client.host</id>
-        <label>IP / Net</label>
-        <type>text</type>
-        <help>The client's IP or net</help>
-    </field>
-    
-    <field>
-        <id>client.type</id>
-        <label>Type</label>
-        <type>dropdown</type>
-        <help>Choose the type of client. Default Radius-clients use UDP.</help>
-    </field>
-
-    <field>
-        <id>client.secret</id>
-        <label>Secret</label>
-        <type>text</type>
-        <help>The shared RADIUS key with this client. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".)</help>
-    </field>
-
-    <field>
-        <type>section_title</type>
-        <label>Advanced settings</label>
-        <advanced>true</advanced>
-    </field>
-
-    <field>
-        <id>client.tlsConfig</id>
-        <label>TLS-Config</label>
-        <advanced>true</advanced>
-        <type>dropdown</type>
-        <help>For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient or default will be used if defined (in that order). If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error.</help>
-    </field>
-
-    <field>
-        <id>client.certificateNameCheck</id>
-        <label>Certificate-Name-Check</label>
-        <advanced>true</advanced>        
-        <type>dropdown</type>
-        <help>For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address.</help>
-    </field>
-
-    <field>
-        <id>client.matchCertificateAttribute</id>
-        <label>Match Certificate-Attribute</label>
-        <advanced>true</advanced>        
-        <type>text</type>
-        <help>Perform additional validation of certificate attributes (CN | SubjectAltName:URI | SubjectAltName:DNS). Currently matching of CN and SubjectAltName types URI DNS and IP is supported.</help>
-    </field>
-
-    <field>
-        <id>client.rewriteIn</id>
-        <label>Rewrite incoming requests</label>
-        <advanced>true</advanced>
-        <type>dropdown</type>
-        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages from this client. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
-    </field>
-
-    <field>
-        <id>client.rewriteOut</id>
-        <label>Rewrite outgoing requests</label>
-        <advanced>true</advanced>
-        <type>dropdown</type>
-        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages from this client. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
-    </field>
-
-</form>
+<form>
+
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
+
+    <field>
+        <id>client.enabled</id>
+        <label>Enable Client</label>
+        <type>checkbox</type>
+        <help>Allow connections from this client</help>
+    </field>
+
+    <field>
+        <id>client.identifier</id>
+        <label>Unique identifier</label>
+        <type>text</type>
+        <help>Unique identifier for this client</help>
+    </field>
+
+    <field>
+        <id>client.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description of this client</help>
+    </field>
+
+    <field>
+        <id>client.host</id>
+        <label>IP / Net</label>
+        <type>text</type>
+        <help>The client's IP or net</help>
+    </field>
+
+    <field>
+        <id>client.type</id>
+        <label>Type</label>
+        <type>dropdown</type>
+        <help>Choose the type of client. Default Radius-clients use UDP.</help>
+    </field>
+
+    <field>
+        <id>client.secret</id>
+        <label>Secret</label>
+        <type>text</type>
+        <help>The shared RADIUS key with this client. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".)</help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Advanced settings</label>
+        <advanced>true</advanced>
+    </field>
+
+    <field>
+        <id>client.tlsConfig</id>
+        <label>TLS-Config</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help>For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient or default will be used if defined (in that order). If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error.</help>
+    </field>
+
+    <field>
+        <id>client.certificateNameCheck</id>
+        <label>Certificate-Name-Check</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help>For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address.</help>
+    </field>
+
+    <field>
+        <id>client.matchCertificateAttribute</id>
+        <label>Match Certificate-Attribute</label>
+        <advanced>true</advanced>
+        <type>text</type>
+        <help>Perform additional validation of certificate attributes (CN | SubjectAltName:URI | SubjectAltName:DNS). Currently matching of CN and SubjectAltName types URI DNS and IP is supported.</help>
+    </field>
+
+    <field>
+        <id>client.rewriteIn</id>
+        <label>Rewrite incoming requests</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages from this client. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
+    </field>
+
+    <field>
+        <id>client.rewriteOut</id>
+        <label>Rewrite outgoing requests</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages from this client. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml
index 6c270fed76..9aa636e609 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRealm.xml
@@ -1,71 +1,71 @@
-<form>
-
-    <field>
-        <type>section_title</type>
-        <label>General</label>
-    </field>
-
-    <field>
-        <id>realm.enabled</id>
-        <label>Enable Realm</label>
-        <type>checkbox</type>
-        <help>Enable this realm</help>
-    </field>
-    
-    <field>
-        <id>realm.realm</id>
-        <label>Realm</label>
-        <type>text</type>
-        <help>* | realm | /regex/</help>
-    </field>
-
-    <field>
-        <id>realm.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help>Short description to identify this realm and its target</help>
-    </field>
-    
-    <field>
-        <type>section_title</type>
-        <label>Authentication</label>
-    </field>
-
-    <field>
-        <id>realm.server</id>
-        <label>Server</label>
-        <type>select_multiple</type>
-        <sortable>true</sortable>
-        <style>tokenize</style>
-        <help>If not configured, the proxy will deny all Access-Requests for this realm.</help>
-    </field>
-
-    <field>
-        <id>realm.replyMessage</id>
-        <label>Reply-Message</label>
-        <type>text</type>
-        <help><![CDATA[Specify a message to be sent back to the client if a Access-Request is denied because no <b>server</b> is configured.]]></help>
-    </field>
-    
-    <field>
-        <type>section_title</type>
-        <label>Accounting</label>
-    </field>
-
-    <field>
-        <id>realm.accountingServer</id>
-        <label>Accounting-Server</label>
-        <type>select_multiple</type>
-        <sortable>true</sortable>
-        <style>tokenize</style>
-        <help>If not configured, the proxy will silently ignore all Accounting-Requests for this realm.</help>
-    </field>
-
-    <field>
-        <id>realm.accountingResponse</id>
-        <label>Accounting-Response</label>
-        <type>dropdown</type>
-        <help><![CDATA[Enable sending Accounting-Response instead of ignoring Accounting-Requests when no <b>accoutingServer</b> is configured.]]></help>
-    </field>
-
-</form>
+<form>
+
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
+
+    <field>
+        <id>realm.enabled</id>
+        <label>Enable Realm</label>
+        <type>checkbox</type>
+        <help>Enable this realm</help>
+    </field>
+
+    <field>
+        <id>realm.realm</id>
+        <label>Realm</label>
+        <type>text</type>
+        <help>* | realm | /regex/</help>
+    </field>
+
+    <field>
+        <id>realm.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description to identify this realm and its target</help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Authentication</label>
+    </field>
+
+    <field>
+        <id>realm.server</id>
+        <label>Server</label>
+        <type>select_multiple</type>
+        <sortable>true</sortable>
+        <style>tokenize</style>
+        <help>If not configured, the proxy will deny all Access-Requests for this realm.</help>
+    </field>
+
+    <field>
+        <id>realm.replyMessage</id>
+        <label>Reply-Message</label>
+        <type>text</type>
+        <help><![CDATA[Specify a message to be sent back to the client if a Access-Request is denied because no <b>server</b> is configured.]]></help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Accounting</label>
+    </field>
+
+    <field>
+        <id>realm.accountingServer</id>
+        <label>Accounting-Server</label>
+        <type>select_multiple</type>
+        <sortable>true</sortable>
+        <style>tokenize</style>
+        <help>If not configured, the proxy will silently ignore all Accounting-Requests for this realm.</help>
+    </field>
+
+    <field>
+        <id>realm.accountingResponse</id>
+        <label>Accounting-Response</label>
+        <type>dropdown</type>
+        <help><![CDATA[Enable sending Accounting-Response instead of ignoring Accounting-Requests when no <b>accoutingServer</b> is configured.]]></help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml
index ca8ef6092b..e4a9e57a59 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogRewrite.xml
@@ -1,101 +1,101 @@
-<form>
-
-    <field>
-        <id>rewrite.enabled</id>
-        <label>Enable rewrite-rule</label>
-        <type>checkbox</type>
-        <help>Use this rule</help>
-    </field>
-
-    <field>
-        <id>rewrite.name</id>
-        <label>Name</label>
-        <type>text</type>
-        <help>Unique name for this rule</help>
-    </field>
-
-    <field>
-        <id>rewrite.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help>Short description of this rule</help>
-    </field>
-
-    <field>
-        <id>rewrite.addAttributes</id>
-        <label>Add attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>attribute:value</i>, one per line<br/>Add an attribute to the radius message and set it to value. The attribute must be specified using the numerical attribute id. The value can either be numerical, a string, or a hex value. If the value starts with a number, it is interpreted as a 32bit unsigned integer. Use the ’ character at the start of the value to force string interpretation. When using hex value, it is recommended to also lead with ’ to avoid unintended numeric interpretation. See the CONFIGURATION SYNTAX section for further details.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.addVendorAttributes</id>
-        <label>Add vendor-attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>vendor:subattribute:value</i>, one per line<br/>Add a vendor attribute to the radius message, specified by vendor and subattribute. Both vendor and subattribute must be specified as numerical values. The format of value is the same as for addAttribute above.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.supplementAttributes</id>
-        <label>Add supplement-attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>attribute:value</i>, one per line<br/>Add an attribute to the radius message and set it to value, only if the attribute is not yet present on the message. The format of value is the same as for addAttribute above.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.supplementVendorAttributes</id>
-        <label>Add supplement-vendor-attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>vendor:subattribute:value</i>, one per line<br/>Add a vendor attribute to the radius message only if the subattribute of this vendor is not yet present on the message. The format of is the same as for addVendorAttribute above.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.modifyAttributes</id>
-        <label>Modify attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>attribute:/regex/replace/</i>, one per line<br/>Modify the given attribute using the regex replace pattern. As above, attribute must be specified by a numerical value. Example usage: modifyAttribute 1:/^(.*)@local$/\1@example.com/]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.modifyVendorAttributes</id>
-        <label>Modify vendor-attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>vendor:subattribute:/regex/replace/</i>, one per line<br/>Modify the given subattribute of given vendor using the regex replace pattern. Other than the added vendor, the same syntax as for ModifyAttribute applies.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.removeAttributes</id>
-        <label>Remove attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>attribute</i>, one per line<br/>Remove all attributes with the given id.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.removeVendorAttributes</id>
-        <label>Remove vendor-attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>vendor[:subattribute]</i>, one per line<br/>Remove all vendor attributes that match the given vendor and subattribute. If the subattribute is omitted, all attributes with the given vendor id are removed.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.whitelistMode</id>
-        <label>Whitelist-mode</label>
-        <type>dropdown</type>
-        <help><![CDATA[Enable whitelist mode. All attributes except those configured with <b>WhitelistAttribute</b> or <b>WhitelistVendorAttribute</b> will be removed. While whitelist mode is active, <b>RemoveAttribute</b> and <b>RemoveVendorAttribute</b> statements are ignored.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.whitelistAttributes</id>
-        <label>Whitelist attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>attribute</i>, one per line<br/>Do not remove attributes with the given id when WhitelistMode is on. Ignored otherwise.]]></help>
-    </field>
-
-    <field>
-        <id>rewrite.whitelistVendorAttributes</id>
-        <label>Whitelist vendor-attribute(s)</label>
-        <type>textbox</type>
-        <help><![CDATA[<i>vendor[:subattribute]</i>, one per line<br/>Do not remove vendor attributes that match the given vendor and subattribute when WhitelistMode is on. Ignored otherwise. If the subattribute is omitted, the complete vendor attribute is whitelisted. Otherwise only the specified subattribute is kept but all other subattributes are removed.]]></help>
-    </field>
-
-</form>
+<form>
+
+    <field>
+        <id>rewrite.enabled</id>
+        <label>Enable rewrite-rule</label>
+        <type>checkbox</type>
+        <help>Use this rule</help>
+    </field>
+
+    <field>
+        <id>rewrite.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Unique name for this rule</help>
+    </field>
+
+    <field>
+        <id>rewrite.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description of this rule</help>
+    </field>
+
+    <field>
+        <id>rewrite.addAttributes</id>
+        <label>Add attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute:value</i>, one per line<br/>Add an attribute to the radius message and set it to value. The attribute must be specified using the numerical attribute id. The value can either be numerical, a string, or a hex value. If the value starts with a number, it is interpreted as a 32bit unsigned integer. Use the ’ character at the start of the value to force string interpretation. When using hex value, it is recommended to also lead with ’ to avoid unintended numeric interpretation. See the CONFIGURATION SYNTAX section for further details.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.addVendorAttributes</id>
+        <label>Add vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor:subattribute:value</i>, one per line<br/>Add a vendor attribute to the radius message, specified by vendor and subattribute. Both vendor and subattribute must be specified as numerical values. The format of value is the same as for addAttribute above.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.supplementAttributes</id>
+        <label>Add supplement-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute:value</i>, one per line<br/>Add an attribute to the radius message and set it to value, only if the attribute is not yet present on the message. The format of value is the same as for addAttribute above.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.supplementVendorAttributes</id>
+        <label>Add supplement-vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor:subattribute:value</i>, one per line<br/>Add a vendor attribute to the radius message only if the subattribute of this vendor is not yet present on the message. The format of is the same as for addVendorAttribute above.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.modifyAttributes</id>
+        <label>Modify attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute:/regex/replace/</i>, one per line<br/>Modify the given attribute using the regex replace pattern. As above, attribute must be specified by a numerical value. Example usage: modifyAttribute 1:/^(.*)@local$/\1@example.com/]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.modifyVendorAttributes</id>
+        <label>Modify vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor:subattribute:/regex/replace/</i>, one per line<br/>Modify the given subattribute of given vendor using the regex replace pattern. Other than the added vendor, the same syntax as for ModifyAttribute applies.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.removeAttributes</id>
+        <label>Remove attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute</i>, one per line<br/>Remove all attributes with the given id.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.removeVendorAttributes</id>
+        <label>Remove vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor[:subattribute]</i>, one per line<br/>Remove all vendor attributes that match the given vendor and subattribute. If the subattribute is omitted, all attributes with the given vendor id are removed.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.whitelistMode</id>
+        <label>Whitelist-mode</label>
+        <type>dropdown</type>
+        <help><![CDATA[Enable whitelist mode. All attributes except those configured with <b>WhitelistAttribute</b> or <b>WhitelistVendorAttribute</b> will be removed. While whitelist mode is active, <b>RemoveAttribute</b> and <b>RemoveVendorAttribute</b> statements are ignored.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.whitelistAttributes</id>
+        <label>Whitelist attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>attribute</i>, one per line<br/>Do not remove attributes with the given id when WhitelistMode is on. Ignored otherwise.]]></help>
+    </field>
+
+    <field>
+        <id>rewrite.whitelistVendorAttributes</id>
+        <label>Whitelist vendor-attribute(s)</label>
+        <type>textbox</type>
+        <help><![CDATA[<i>vendor[:subattribute]</i>, one per line<br/>Do not remove vendor attributes that match the given vendor and subattribute when WhitelistMode is on. Ignored otherwise. If the subattribute is omitted, the complete vendor attribute is whitelisted. Otherwise only the specified subattribute is kept but all other subattributes are removed.]]></help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml
index ce44adcb9f..5bd03d4316 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogServer.xml
@@ -1,102 +1,102 @@
-<form>
-
-    <field>
-        <type>section_title</type>
-        <label>General</label>
-    </field>
-
-    <field>
-        <id>server.identifier</id>
-        <label>Unique identifier</label>
-        <type>text</type>
-        <help>Unique identifier for this server</help>
-    </field>
-
-    <field>
-        <id>server.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help>Short description to identify this server</help>
-    </field>
-
-    <field>
-        <id>server.host</id>
-        <label>Hostname / IP</label>
-        <type>text</type>
-        <help>The server's IP or hostname to connect to</help>
-    </field>
-
-    <field>
-        <id>server.port</id>
-        <label>Port</label>
-        <type>text</type>
-        <help>The port (UDP/TCP) to connect to. If omitted, UDP and TCP will default to 1812 while TLS and DTLS will default to 2083.</help>
-    </field>
-
-    <field>
-        <id>server.statusServer</id>
-        <label>Status-Server</label>
-        <type>dropdown</type>
-        <help><![CDATA[Enable the use of status-server messages for this server (default <b>off</b>). If statusserver is enabled (<b>on</b>), the proxy will send regular status-server messages to the server to verify that it is alive. Status tracking of the server will solely depend on status-server message and ignore lost requests. This should only be enabled if the server supports it. With the option <b>minimal</b> status-server messages are only sent when regular requests have been lost and no other replies have been received.]]></help>
-    </field>
-
-    <field>
-        <id>server.type</id>
-        <label>Type</label>
-        <type>dropdown</type>
-        <help>Choose the type of server. Default Radius-clients use UDP.</help>
-    </field>
-
-    <field>
-        <id>server.secret</id>
-        <label>Secret</label>
-        <type>text</type>
-        <help>The shared RADIUS key with this server. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".)</help>
-    </field>
-
-    <field>
-        <id>server.tlsConfig</id>
-        <label>TLS-Config</label>
-        <type>dropdown</type>
-        <help>For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient or default will be used if defined (in that order). If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error.</help>
-    </field>
-
-    <field>
-        <type>section_title</type>
-        <label>Advanced settings</label>
-        <advanced>true</advanced>
-    </field>
-
-    <field>
-        <id>server.certificateNameCheck</id>
-        <label>Certificate-Name-Check</label>
-        <advanced>true</advanced>        
-        <type>dropdown</type>
-        <help>For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address.</help>
-    </field>
-
-    <field>
-        <id>server.matchCertificateAttribute</id>
-        <label>Match Certificate-Attribute</label>
-        <advanced>true</advanced>        
-        <type>text</type>
-        <help>Perform additional validation of certificate attributes (CN | SubjectAltName:URI | SubjectAltName:DNS). Currently matching of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this option can only be specified once in a client block.</help>
-    </field>
-
-    <field>
-        <id>server.rewriteIn</id>
-        <label>Rewrite incoming requests</label>
-        <advanced>true</advanced>
-        <type>dropdown</type>
-        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages for this server. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
-    </field>
-
-    <field>
-        <id>server.rewriteOut</id>
-        <label>Rewrite outgoing requests</label>
-        <advanced>true</advanced>
-        <type>dropdown</type>
-        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages for this server. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
-    </field>
-
-</form>
+<form>
+
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
+
+    <field>
+        <id>server.identifier</id>
+        <label>Unique identifier</label>
+        <type>text</type>
+        <help>Unique identifier for this server</help>
+    </field>
+
+    <field>
+        <id>server.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description to identify this server</help>
+    </field>
+
+    <field>
+        <id>server.host</id>
+        <label>Hostname / IP</label>
+        <type>text</type>
+        <help>The server's IP or hostname to connect to</help>
+    </field>
+
+    <field>
+        <id>server.port</id>
+        <label>Port</label>
+        <type>text</type>
+        <help>The port (UDP/TCP) to connect to. If omitted, UDP and TCP will default to 1812 while TLS and DTLS will default to 2083.</help>
+    </field>
+
+    <field>
+        <id>server.statusServer</id>
+        <label>Status-Server</label>
+        <type>dropdown</type>
+        <help><![CDATA[Enable the use of status-server messages for this server (default <b>off</b>). If statusserver is enabled (<b>on</b>), the proxy will send regular status-server messages to the server to verify that it is alive. Status tracking of the server will solely depend on status-server message and ignore lost requests. This should only be enabled if the server supports it. With the option <b>minimal</b> status-server messages are only sent when regular requests have been lost and no other replies have been received.]]></help>
+    </field>
+
+    <field>
+        <id>server.type</id>
+        <label>Type</label>
+        <type>dropdown</type>
+        <help>Choose the type of server. Default Radius-clients use UDP.</help>
+    </field>
+
+    <field>
+        <id>server.secret</id>
+        <label>Secret</label>
+        <type>text</type>
+        <help>The shared RADIUS key with this server. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".)</help>
+    </field>
+
+    <field>
+        <id>server.tlsConfig</id>
+        <label>TLS-Config</label>
+        <type>dropdown</type>
+        <help>For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient or default will be used if defined (in that order). If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error.</help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Advanced settings</label>
+        <advanced>true</advanced>
+    </field>
+
+    <field>
+        <id>server.certificateNameCheck</id>
+        <label>Certificate-Name-Check</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help>For a TLS/DTLS server, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address.</help>
+    </field>
+
+    <field>
+        <id>server.matchCertificateAttribute</id>
+        <label>Match Certificate-Attribute</label>
+        <advanced>true</advanced>
+        <type>text</type>
+        <help>Perform additional validation of certificate attributes (CN | SubjectAltName:URI | SubjectAltName:DNS). Currently matching of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this option can only be specified once in a client block.</help>
+    </field>
+
+    <field>
+        <id>server.rewriteIn</id>
+        <label>Rewrite incoming requests</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages for this server. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
+    </field>
+
+    <field>
+        <id>server.rewriteOut</id>
+        <label>Rewrite outgoing requests</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Apply the operations in the specified rewrite block on incoming (request) or outgoing (response) messages for this server. Rewriting incoming messages is done before, outgoing after other processing. If the <b>RewriteIn</b> is not configured, the rewrite blocks <b>defaultClient</b> or <b>default</b> will be applied if defined. No default blocks are applied for <b>RewriteOut</b>.]]></help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml
index 240d91266e..d294c204d7 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/dialogTls.xml
@@ -1,68 +1,68 @@
-<form>
-
-    <field>
-        <type>section_title</type>
-        <label>General</label>
-    </field>
-
-    <field>
-        <id>tlsConfig.name</id>
-        <label>Unique name</label>
-        <type>text</type>
-        <help>This TLS-config's unique name</help>
-    </field>
-
-    <field>
-        <id>tlsConfig.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help>Short description to identify this TLS-config</help>
-    </field>
-    
-    <field>
-        <id>tlsConfig.caCertificateRefId</id>
-        <label>CA-certificate</label>
-        <type>dropdown</type>
-        <help>The CA certificate file used to verify the peers certificate.</help>
-    </field>
-
-    <field>
-        <id>tlsConfig.proxyCertificateRefId</id>
-        <label>This server's certificate</label>
-        <type>dropdown</type>
-        <help>The server certificate this proxy will use. The file may also contain a certificate chain.</help>
-    </field>
-    
-    <field>
-        <type>section_title</type>
-        <label>Advanced settings</label>
-        <advanced>true</advanced>
-    </field>
-
-    <field>
-        <id>tlsConfig.policyOids</id>
-        <label>Policy OIDs</label>
-        <advanced>true</advanced>   
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <help>Require the peers certificate to adhere to the policy specified by this oid / these oids.</help>
-    </field>
-
-    <field>
-        <id>tlsConfig.crlCheck</id>
-        <label>CRL-Check</label>
-        <advanced>true</advanced>   
-        <type>dropdown</type>
-        <help><![CDATA[Enable checking peer certificate against the CRL (default off). Note that radsecproxy does not fetch the CRLs itslef. This has to be done separately, e.g. with <b>fetch-crl</b>.]]></help>
-    </field>
-
-    <field>
-        <id>tlsConfig.cacheExpiry</id>
-        <label>Cache Expiry (seconds)</label>
-        <advanced>true</advanced>   
-        <type>text</type>
-        <help>Specify how many seconds the CA and CRL information should be cached. By default, the CA and CRL are loaded at startup and cached indefinetely. This option may be set to zero to disable caching.</help>
-    </field>
-
-</form>
+<form>
+
+    <field>
+        <type>section_title</type>
+        <label>General</label>
+    </field>
+
+    <field>
+        <id>tlsConfig.name</id>
+        <label>Unique name</label>
+        <type>text</type>
+        <help>This TLS-config's unique name</help>
+    </field>
+
+    <field>
+        <id>tlsConfig.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Short description to identify this TLS-config</help>
+    </field>
+
+    <field>
+        <id>tlsConfig.caCertificateRefId</id>
+        <label>CA-certificate</label>
+        <type>dropdown</type>
+        <help>The CA certificate file used to verify the peers certificate.</help>
+    </field>
+
+    <field>
+        <id>tlsConfig.proxyCertificateRefId</id>
+        <label>This server's certificate</label>
+        <type>dropdown</type>
+        <help>The server certificate this proxy will use. The file may also contain a certificate chain.</help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Advanced settings</label>
+        <advanced>true</advanced>
+    </field>
+
+    <field>
+        <id>tlsConfig.policyOids</id>
+        <label>Policy OIDs</label>
+        <advanced>true</advanced>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>Require the peers certificate to adhere to the policy specified by this oid / these oids.</help>
+    </field>
+
+    <field>
+        <id>tlsConfig.crlCheck</id>
+        <label>CRL-Check</label>
+        <advanced>true</advanced>
+        <type>dropdown</type>
+        <help><![CDATA[Enable checking peer certificate against the CRL (default off). Note that radsecproxy does not fetch the CRLs itslef. This has to be done separately, e.g. with <b>fetch-crl</b>.]]></help>
+    </field>
+
+    <field>
+        <id>tlsConfig.cacheExpiry</id>
+        <label>Cache Expiry (seconds)</label>
+        <advanced>true</advanced>
+        <type>text</type>
+        <help>Specify how many seconds the CA and CRL information should be cached. By default, the CA and CRL are loaded at startup and cached indefinetely. This option may be set to zero to disable caching.</help>
+    </field>
+
+</form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml
index eaf9611ed2..eb311b0076 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/controllers/OPNsense/RadSecProxy/forms/general.xml
@@ -1,121 +1,121 @@
-<form>
-
-    <field>
-        <id>radsecproxy.general.enabled</id>
-        <label>Enable RadSecProxy</label>
-        <type>checkbox</type>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.logLevel</id>
-        <label>Loglevel</label>
-        <type>dropdown</type>
-        <help>This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 logs everything. The default is 2 which logs errors, warnings and a few informational messages.</help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.logFullUsername</id>
-        <label>Log full username</label>
-        <type>dropdown</type>
-        <help>This can be set to off to only log the realm in Access-Accept/Reject log messages (for privacy).</help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.logMac</id>
-        <label>Log MAC</label>
-        <type>dropdown</type>
-        <help><![CDATA[The LogMAC option can be used to control if and how Calling-Station-Id (the users Ethernet MAC address) is being logged. It can be set to one of <b>Static</b>, <b>Original</b>, <b>VendorHashed</b>, <b>VendorKeyHashed</b>, <b>FullyHashed</b> or <b>FullyKeyHashed</b>. The default value for LogMAC is <b>Original</b>.]]></help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.loopPrevention</id>
-        <label>Loop-prevention</label>
-        <type>dropdown</type>
-        <help>When this is enabled (on), a request will never be sent to a server named the same as the client it was received from. I.e., the names of the client block and the server block are compared. Note that this only gives limited protection against loops. It can be used as a basic option and inside server blocks where it overrides the basic setting.</help>
-    </field>
-
-    <field>
-        <type>section_title</type>
-        <label>Advanced settings</label>
-        <advanced>true</advanced>
-    </field>
-    
-    <field>
-        <type>section_title</type>
-        <label>Listening IPs and Ports</label>
-        <advanced>true</advanced>
-        <help>Listen for the address and port for the respective protocol. Normally the proxy will listen to the standard ports if configured to handle clients with the respective protocol. The default ports are 1812 for UDP and TCP and 2083 for TLS and DTLS. On most systems it will do this for all of the system’s IP addresses (both IPv4 and IPv6). On some systems however, it may respond to only IPv4 or only IPv6. To specify an alternate port you may use a value on the form *:port where port is any valid port number. If you also want to specify a specific address you can do e.g. 192.168.1.1:1812 or [2001:db8::1]:1812. The port may be omitted if you want the default one. Note that you must use brackets around the IPv6 address. These options may be specified multiple times to listen to multiple addresses and/or ports for each protocol.</help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.listenUdp</id>
-        <label>Listen UDP</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help><![CDATA[Format: (address|*)[:port]]]></help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.listenTcp</id>
-        <label>Listen TCP</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help><![CDATA[Format: (address|*)[:port]]]></help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.listenTls</id>
-        <label>Listen TLS</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help><![CDATA[Format: (address|*)[:port]]]></help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.listenDtls</id>
-        <label>Listen DTLS</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help><![CDATA[Format: (address|*)[:port]]]></help>
-    </field>
-    
-    <field>
-        <type>section_title</type>
-        <label>Source IPs and Ports</label>
-        <advanced>true</advanced>
-        <help>This can be used to specify source address and/or source port that the proxy will use for connecting to clients to send messages (e.g. Access Request). The same syntax as for Listen... applies.</help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.sourceUdp</id>
-        <label>Source UDP</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help><![CDATA[Format: (address|*)[:port]]]></help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.sourceTcp</id>
-        <label>Source TCP</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help><![CDATA[Format: (address|*)[:port]]]></help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.sourceTls</id>
-        <label>Source TLS</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help><![CDATA[Format: (address|*)[:port]]]></help>
-    </field>
-
-    <field>
-        <id>radsecproxy.general.sourceDtls</id>
-        <label>Source DTLS</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help><![CDATA[Format: (address|*)[:port]]]></help>
-    </field>
-
- </form>
+<form>
+
+    <field>
+        <id>radsecproxy.general.enabled</id>
+        <label>Enable RadSecProxy</label>
+        <type>checkbox</type>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.logLevel</id>
+        <label>Loglevel</label>
+        <type>dropdown</type>
+        <help>This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 logs everything. The default is 2 which logs errors, warnings and a few informational messages.</help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.logFullUsername</id>
+        <label>Log full username</label>
+        <type>dropdown</type>
+        <help>This can be set to off to only log the realm in Access-Accept/Reject log messages (for privacy).</help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.logMac</id>
+        <label>Log MAC</label>
+        <type>dropdown</type>
+        <help><![CDATA[The LogMAC option can be used to control if and how Calling-Station-Id (the users Ethernet MAC address) is being logged. It can be set to one of <b>Static</b>, <b>Original</b>, <b>VendorHashed</b>, <b>VendorKeyHashed</b>, <b>FullyHashed</b> or <b>FullyKeyHashed</b>. The default value for LogMAC is <b>Original</b>.]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.loopPrevention</id>
+        <label>Loop-prevention</label>
+        <type>dropdown</type>
+        <help>When this is enabled (on), a request will never be sent to a server named the same as the client it was received from. I.e., the names of the client block and the server block are compared. Note that this only gives limited protection against loops. It can be used as a basic option and inside server blocks where it overrides the basic setting.</help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Advanced settings</label>
+        <advanced>true</advanced>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Listening IPs and Ports</label>
+        <advanced>true</advanced>
+        <help>Listen for the address and port for the respective protocol. Normally the proxy will listen to the standard ports if configured to handle clients with the respective protocol. The default ports are 1812 for UDP and TCP and 2083 for TLS and DTLS. On most systems it will do this for all of the system’s IP addresses (both IPv4 and IPv6). On some systems however, it may respond to only IPv4 or only IPv6. To specify an alternate port you may use a value on the form *:port where port is any valid port number. If you also want to specify a specific address you can do e.g. 192.168.1.1:1812 or [2001:db8::1]:1812. The port may be omitted if you want the default one. Note that you must use brackets around the IPv6 address. These options may be specified multiple times to listen to multiple addresses and/or ports for each protocol.</help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.listenUdp</id>
+        <label>Listen UDP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.listenTcp</id>
+        <label>Listen TCP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.listenTls</id>
+        <label>Listen TLS</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.listenDtls</id>
+        <label>Listen DTLS</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <type>section_title</type>
+        <label>Source IPs and Ports</label>
+        <advanced>true</advanced>
+        <help>This can be used to specify source address and/or source port that the proxy will use for connecting to clients to send messages (e.g. Access Request). The same syntax as for Listen... applies.</help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.sourceUdp</id>
+        <label>Source UDP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.sourceTcp</id>
+        <label>Source TCP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.sourceTls</id>
+        <label>Source TLS</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+    <field>
+        <id>radsecproxy.general.sourceDtls</id>
+        <label>Source DTLS</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Format: (address|*)[:port]]]></help>
+    </field>
+
+ </form>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
index 65b18340f0..38211fc76c 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
@@ -1,12 +1,12 @@
-<menu>
-    <Services>
-        <RadSecProxy VisibleName="RadSecProxy" cssClass="fa fa-shield fa-fw">
-            <Basic VisibleName="General" order="10" url="/ui/radsecproxy/general" />
-            <Clients VisibleName="Clients" order="20" url="/ui/radsecproxy/clients" />
-            <Servers VisibleName="Servers" order="30" url="/ui/radsecproxy/servers" />
-            <Realms VisibleName="Realms" order="40" url="/ui/radsecproxy/realms" />
-            <Tls VisibleName="TLS" order="50" url="/ui/radsecproxy/tls" />
-            <Rewrites VisibleName="Rewrite-Rules" order="60" url="/ui/radsecproxy/rewrites" />
-        </RadSecProxy>
-    </Services>
-</menu>
+<menu>
+    <Services>
+        <RadSecProxy VisibleName="RadSecProxy" cssClass="fa fa-shield fa-fw">
+            <Basic VisibleName="General" order="10" url="/ui/radsecproxy/general" />
+            <Clients VisibleName="Clients" order="20" url="/ui/radsecproxy/clients" />
+            <Servers VisibleName="Servers" order="30" url="/ui/radsecproxy/servers" />
+            <Realms VisibleName="Realms" order="40" url="/ui/radsecproxy/realms" />
+            <Tls VisibleName="TLS" order="50" url="/ui/radsecproxy/tls" />
+            <Rewrites VisibleName="Rewrite-Rules" order="60" url="/ui/radsecproxy/rewrites" />
+        </RadSecProxy>
+    </Services>
+</menu>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
index 145fb8b59f..231a2e9ba7 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
@@ -1,514 +1,514 @@
-<model>
-    <mount>//OPNsense/radsecproxy</mount>
-    <description>
-        RadSecProxy-Management
-    </description>
-    <version>0.0.1</version>
-    <items>
-        <general>
-
-            <enabled type="BooleanField">
-                <default>0</default>
-                <Required>Y</Required>
-            </enabled>
-
-            <logLevel type="OptionField">
-                <Required>Y</Required>
-                <default>2</default>
-                <OptionValues>
-                    <ll1 value="1">1 (only serious errors)</ll1>
-                    <ll2 value="2">2 (default)</ll2>
-                    <ll3 value="3">3</ll3>
-                    <ll4 value="4">4</ll4>
-                    <ll5 value="5">5 (log everything)</ll5>
-                </OptionValues>    
-            </logLevel>
-
-            <logFullUsername type="OptionField">
-                <Required>Y</Required>
-                <default>off</default>
-                <OptionValues>
-                    <on>On</on>
-                    <off>Off</off>
-                </OptionValues>
-            </logFullUsername>
-
-            <logMac type="OptionField">
-                <Required>Y</Required>
-                <default>Original</default>
-                <OptionValues>
-                    <Static>Static</Static>
-                    <Original>Original</Original>
-                    <VendorHashed>VendorHashed</VendorHashed>
-                    <VendorKeyHashed>VendorKeyHashed</VendorKeyHashed>
-                    <FullyHashed>FullyHashed</FullyHashed>
-                    <FullyKeyHashed>FullyKeyHashed</FullyKeyHashed>
-                </OptionValues>    
-            </logMac>
-
-            <loopPrevention type="OptionField">
-                <Required>Y</Required>
-                <default>on</default>
-                <OptionValues>
-                    <on>On</on>
-                    <off>Off</off>
-                </OptionValues>
-            </loopPrevention>
-
-            <listenUdp type="TextField">
-                <Required>N</Required>
-            </listenUdp>
-
-            <listenTcp type="TextField">
-                <Required>N</Required>
-            </listenTcp>
-
-            <listenTls type="TextField">
-                <Required>N</Required>
-            </listenTls>
-
-            <listenDtls type="TextField">
-                <Required>N</Required>
-            </listenDtls>
-
-            <sourceUdp type="TextField">
-                <Required>N</Required>
-            </sourceUdp>
-
-            <sourceTcp type="TextField">
-                <Required>N</Required>
-            </sourceTcp>
-
-            <sourceTls type="TextField">
-                <Required>N</Required>
-            </sourceTls>
-
-            <sourceDtls type="TextField">
-                <Required>N</Required>
-            </sourceDtls>
-
-        </general>
-
-        <clients>
-            <client type="ArrayField">
-
-                <enabled type="BooleanField">
-                    <default>1</default>
-                    <Required>Y</Required>
-                </enabled>
-
-                <identifier type="TextField">
-                    <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
-                    <Constraints>
-                        <check001>
-                            <type>UniqueConstraint</type>
-                            <ValidationMessage>Identifier already in use</ValidationMessage>
-                        </check001>
-                    </Constraints>
-                </identifier>
-
-                <description type="TextField">
-                    <Required>N</Required>
-                </description>
-
-                <host type="NetworkField">
-                    <Required>Y</Required>
-                    <IpAllowed>Y</IpAllowed>
-                    <Constraints>
-                        <check001>
-                            <type>UniqueConstraint</type>
-                        </check001>
-                    </Constraints>
-                </host>
-
-                <type type="OptionField">
-                    <Required>Y</Required>
-                    <default>udp</default>
-                    <OptionValues>
-                        <udp>UDP</udp>
-                        <tcp>TCP</tcp>
-                        <tls>TLS</tls>
-                        <dtls>DTLS</dtls>
-                    </OptionValues>    
-                </type>
-
-                <secret type="TextField">
-                    <Required>N</Required>
-                    <Constraints>
-                        <check001>
-                            <ValidationMessage>Must be set for UDP-clients.</ValidationMessage>
-                            <type>SetIfConstraint</type>
-                            <field>type</field>
-                            <check>udp</check>
-                        </check001>
-                        <check002>
-                            <ValidationMessage>Must be set for TCP-clients.</ValidationMessage>
-                            <type>SetIfConstraint</type>
-                            <field>type</field>
-                            <check>tcp</check>
-                        </check002>
-                    </Constraints>
-                </secret>
-
-                <tlsConfig type="ModelRelationField">
-                    <Required>N</Required>
-                    <Model>
-                        <tlsConfigs>
-                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
-                            <items>tlsConfigs.tlsConfig</items>
-                            <display>name</display>
-                        </tlsConfigs>
-                    </Model>
-                </tlsConfig>
-
-                <certificateNameCheck type="OptionField">
-                    <Required>Y</Required>
-                    <default>off</default>
-                    <OptionValues>
-                        <on>On</on>
-                        <off>Off</off>
-                    </OptionValues>
-                </certificateNameCheck>
-
-                <matchCertificateAttribute type="TextField">
-                    <Required>N</Required>
-                </matchCertificateAttribute>
-
-                <rewriteIn type="ModelRelationField">
-                    <Required>N</Required>
-                    <Model>
-                        <rewrites>
-                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
-                            <items>rewrites.rewrite</items>
-                            <display>name</display>
-                        </rewrites>
-                    </Model>
-                </rewriteIn>
-
-                <rewriteOut type="ModelRelationField">
-                    <Required>N</Required>
-                    <Model>
-                        <rewrites>
-                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
-                            <items>rewrites.rewrite</items>
-                            <display>name</display>
-                        </rewrites>
-                    </Model>
-                </rewriteOut>
-
-            </client>
-        </clients>
-
-        <servers>
-            <server type="ArrayField">
-
-                <identifier type="TextField">
-                    <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
-                    <Constraints>
-                        <check001>
-                            <type>UniqueConstraint</type>
-                            <ValidationMessage>Identifier already in use</ValidationMessage>
-                        </check001>
-                    </Constraints>
-                </identifier>
-
-                <description type="TextField">
-                    <Required>N</Required>
-                </description>
-                
-                <host type="TextField">
-                    <Required>Y</Required>
-                    <IpAllowed>Y</IpAllowed>
-                </host>
-
-                <port type="PortField">
-                    <Required>N</Required>
-                </port>
-
-                <statusServer type="OptionField">
-                    <Required>Y</Required>
-                    <default>off</default>
-                    <OptionValues>
-                        <on>On</on>
-                        <off>Off</off>
-                        <minimal>Minimal</minimal>
-                        <auto>Auto</auto>
-                    </OptionValues>
-                </statusServer>
-
-                <type type="OptionField">
-                    <Required>Y</Required>
-                    <default>udp</default>
-                    <OptionValues>
-                        <udp>UDP</udp>
-                        <tcp>TCP</tcp>
-                        <tls>TLS</tls>
-                        <dtls>DTLS</dtls>
-                    </OptionValues>
-                </type>
-
-                <secret type="TextField">
-                    <Required>N</Required>
-                    <Constraints>
-                        <check001>
-                            <ValidationMessage>Must be set for UDP-servers.</ValidationMessage>
-                            <type>SetIfConstraint</type>
-                            <field>type</field>
-                            <check>udp</check>
-                        </check001>
-                        <check002>
-                            <ValidationMessage>Must be set for TCP-servers.</ValidationMessage>
-                            <type>SetIfConstraint</type>
-                            <field>type</field>
-                            <check>tcp</check>
-                        </check002>
-                    </Constraints>
-                </secret>
-
-                <tlsConfig type="ModelRelationField">
-                    <Required>N</Required>
-                    <Model>
-                        <tlsConfigs>
-                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
-                            <items>tlsConfigs.tlsConfig</items>
-                            <display>name</display>
-                        </tlsConfigs>
-                    </Model>
-                </tlsConfig>
-
-                <certificateNameCheck type="OptionField">
-                    <Required>Y</Required>
-                    <default>off</default>
-                    <OptionValues>
-                        <on>On</on>
-                        <off>Off</off>
-                    </OptionValues>
-                </certificateNameCheck>
-
-                <matchCertificateAttribute type="TextField">
-                    <Required>N</Required>
-                </matchCertificateAttribute>
-
-                <rewriteIn type="ModelRelationField">
-                    <Required>N</Required>
-                    <Model>
-                        <rewrites>
-                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
-                            <items>rewrites.rewrite</items>
-                            <display>name</display>
-                        </rewrites>
-                    </Model>
-                </rewriteIn>
-
-                <rewriteOut type="ModelRelationField">
-                    <Required>N</Required>
-                    <Model>
-                        <rewrites>
-                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
-                            <items>rewrites.rewrite</items>
-                            <display>name</display>
-                        </rewrites>
-                    </Model>
-                </rewriteOut>
-
-            </server>
-        </servers>
-
-        <tlsConfigs>
-            <tlsConfig type="ArrayField">
-
-                <name type="TextField">
-                    <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
-                    <default>default</default>
-                    <Constraints>
-                        <check001>
-                            <type>UniqueConstraint</type>
-                            <ValidationMessage>Name already in use</ValidationMessage>
-                        </check001>
-                    </Constraints>
-                </name>
-
-                <description type="TextField">
-                    <Required>N</Required>
-                </description>
-
-                <caCertificateRefId type="CertificateField">
-                    <Required>Y</Required>
-                    <ValidationMessage>Field is required</ValidationMessage>
-                    <Type>ca</Type>
-                </caCertificateRefId>
-
-                <proxyCertificateRefId type="CertificateField">
-                    <Required>Y</Required>
-                    <ValidationMessage>Field is required</ValidationMessage>
-                    <Type>cert</Type>
-                </proxyCertificateRefId>
-
-                <policyOids type="CSVListField">
-                    <Required>N</Required>
-                    <multiple>Y</multiple>
-                </policyOids>
-
-                <crlCheck type="OptionField">
-                    <Required>Y</Required>
-                    <default>off</default>
-                    <OptionValues>
-                        <on>On</on>
-                        <off>Off</off>
-                    </OptionValues>
-                </crlCheck>
-
-                <cacheExpiry type="IntegerField">
-                    <Required>N</Required>
-                </cacheExpiry>
-
-            </tlsConfig>
-        </tlsConfigs>
-
-        <realms>
-            <realm type="ArrayField">
-
-                <enabled type="BooleanField">
-                    <default>1</default>
-                    <Required>Y</Required>
-                </enabled>
-                
-                <description type="TextField">
-                    <Required>N</Required>
-                </description>
-
-                <realm type="TextField">
-                    <Required>Y</Required>
-                    <ValidationMessage>Must not be empty</ValidationMessage>
-                    <Constraints>
-                        <check001>
-                            <type>UniqueConstraint</type>
-                            <ValidationMessage>Must be unique</ValidationMessage>
-                        </check001>
-                    </Constraints>
-                </realm>
-
-                <server type="ModelRelationField">
-                    <Multiple>Y</Multiple>
-                    <Required>N</Required>
-                    <Sorted>Y</Sorted>
-                    <Model>
-                        <servers>
-                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
-                            <items>servers.server</items>
-                            <display>identifier</display>
-                        </servers>
-                    </Model>
-                    <ValidationMessage>Related server not found</ValidationMessage>
-                </server>
-
-                <accountingServer type="ModelRelationField">
-                    <Multiple>Y</Multiple>
-                    <Required>N</Required>
-                    <Sorted>Y</Sorted>
-                    <Model>
-                        <servers>
-                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
-                            <items>servers.server</items>
-                            <display>identifier</display>
-                        </servers>
-                    </Model>
-                    <ValidationMessage>Related server not found</ValidationMessage>
-                </accountingServer>
-
-                <accountingResponse type="OptionField">
-                    <Required>Y</Required>
-                    <default>off</default>
-                    <OptionValues>
-                        <on>On</on>
-                        <off>Off</off>
-                    </OptionValues>
-                </accountingResponse>
-
-                <replyMessage type="TextField">
-                    <Required>N</Required>
-                </replyMessage>
-
-            </realm>
-        </realms>
-
-        <rewrites>
-            <rewrite type="ArrayField">
-
-                <enabled type="BooleanField">
-                    <default>1</default>
-                    <Required>Y</Required>
-                </enabled>
-
-                <name type="TextField">
-                    <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
-                    <default>default</default>
-                    <Constraints>
-                        <check001>
-                            <type>UniqueConstraint</type>
-                            <ValidationMessage>Name already in use</ValidationMessage>
-                        </check001>
-                    </Constraints>
-                </name>
-
-                <addAttributes type="TextField">
-                    <Required>N</Required>
-                </addAttributes>
-
-                <addVendorAttributes type="TextField">
-                    <Required>N</Required>
-                </addVendorAttributes>
-
-                <supplementAttributes type="TextField">
-                    <Required>N</Required>
-                </supplementAttributes>
-
-                <supplementVendorAttributes type="TextField">
-                    <Required>N</Required>
-                </supplementVendorAttributes>
-
-                <modifyAttributes type="TextField">
-                    <Required>N</Required>
-                </modifyAttributes>
-
-                <modifyVendorAttributes type="TextField">
-                    <Required>N</Required>
-                </modifyVendorAttributes>
-
-                <removeAttributes type="TextField">
-                    <Required>N</Required>
-                </removeAttributes>
-
-                <removeVendorAttributes type="TextField">
-                    <Required>N</Required>
-                </removeVendorAttributes>
-
-                <whitelistMode type="OptionField">
-                    <Required>Y</Required>
-                    <default>off</default>
-                    <OptionValues>
-                        <on>On</on>
-                        <off>Off</off>
-                    </OptionValues>
-                </whitelistMode>
- 
-                <whitelistAttributes type="TextField">
-                    <Required>N</Required>
-                </whitelistAttributes>
- 
-                <whitelistVendorAttributes type="TextField">
-                    <Required>N</Required>
-                </whitelistVendorAttributes>
-
-            </rewrite>
-        </rewrites>
-    </items>
-</model>
+<model>
+    <mount>//OPNsense/radsecproxy</mount>
+    <description>
+        RadSecProxy-Management
+    </description>
+    <version>0.0.1</version>
+    <items>
+        <general>
+
+            <enabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </enabled>
+
+            <logLevel type="OptionField">
+                <Required>Y</Required>
+                <default>2</default>
+                <OptionValues>
+                    <ll1 value="1">1 (only serious errors)</ll1>
+                    <ll2 value="2">2 (default)</ll2>
+                    <ll3 value="3">3</ll3>
+                    <ll4 value="4">4</ll4>
+                    <ll5 value="5">5 (log everything)</ll5>
+                </OptionValues>
+            </logLevel>
+
+            <logFullUsername type="OptionField">
+                <Required>Y</Required>
+                <default>off</default>
+                <OptionValues>
+                    <on>On</on>
+                    <off>Off</off>
+                </OptionValues>
+            </logFullUsername>
+
+            <logMac type="OptionField">
+                <Required>Y</Required>
+                <default>Original</default>
+                <OptionValues>
+                    <Static>Static</Static>
+                    <Original>Original</Original>
+                    <VendorHashed>VendorHashed</VendorHashed>
+                    <VendorKeyHashed>VendorKeyHashed</VendorKeyHashed>
+                    <FullyHashed>FullyHashed</FullyHashed>
+                    <FullyKeyHashed>FullyKeyHashed</FullyKeyHashed>
+                </OptionValues>
+            </logMac>
+
+            <loopPrevention type="OptionField">
+                <Required>Y</Required>
+                <default>on</default>
+                <OptionValues>
+                    <on>On</on>
+                    <off>Off</off>
+                </OptionValues>
+            </loopPrevention>
+
+            <listenUdp type="TextField">
+                <Required>N</Required>
+            </listenUdp>
+
+            <listenTcp type="TextField">
+                <Required>N</Required>
+            </listenTcp>
+
+            <listenTls type="TextField">
+                <Required>N</Required>
+            </listenTls>
+
+            <listenDtls type="TextField">
+                <Required>N</Required>
+            </listenDtls>
+
+            <sourceUdp type="TextField">
+                <Required>N</Required>
+            </sourceUdp>
+
+            <sourceTcp type="TextField">
+                <Required>N</Required>
+            </sourceTcp>
+
+            <sourceTls type="TextField">
+                <Required>N</Required>
+            </sourceTls>
+
+            <sourceDtls type="TextField">
+                <Required>N</Required>
+            </sourceDtls>
+
+        </general>
+
+        <clients>
+            <client type="ArrayField">
+
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+
+                <identifier type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Identifier already in use</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </identifier>
+
+                <description type="TextField">
+                    <Required>N</Required>
+                </description>
+
+                <host type="NetworkField">
+                    <Required>Y</Required>
+                    <IpAllowed>Y</IpAllowed>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                        </check001>
+                    </Constraints>
+                </host>
+
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <default>udp</default>
+                    <OptionValues>
+                        <udp>UDP</udp>
+                        <tcp>TCP</tcp>
+                        <tls>TLS</tls>
+                        <dtls>DTLS</dtls>
+                    </OptionValues>
+                </type>
+
+                <secret type="TextField">
+                    <Required>N</Required>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Must be set for UDP-clients.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>type</field>
+                            <check>udp</check>
+                        </check001>
+                        <check002>
+                            <ValidationMessage>Must be set for TCP-clients.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>type</field>
+                            <check>tcp</check>
+                        </check002>
+                    </Constraints>
+                </secret>
+
+                <tlsConfig type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <tlsConfigs>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>tlsConfigs.tlsConfig</items>
+                            <display>name</display>
+                        </tlsConfigs>
+                    </Model>
+                </tlsConfig>
+
+                <certificateNameCheck type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </certificateNameCheck>
+
+                <matchCertificateAttribute type="TextField">
+                    <Required>N</Required>
+                </matchCertificateAttribute>
+
+                <rewriteIn type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <rewrites>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>rewrites.rewrite</items>
+                            <display>name</display>
+                        </rewrites>
+                    </Model>
+                </rewriteIn>
+
+                <rewriteOut type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <rewrites>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>rewrites.rewrite</items>
+                            <display>name</display>
+                        </rewrites>
+                    </Model>
+                </rewriteOut>
+
+            </client>
+        </clients>
+
+        <servers>
+            <server type="ArrayField">
+
+                <identifier type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Identifier already in use</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </identifier>
+
+                <description type="TextField">
+                    <Required>N</Required>
+                </description>
+
+                <host type="TextField">
+                    <Required>Y</Required>
+                    <IpAllowed>Y</IpAllowed>
+                </host>
+
+                <port type="PortField">
+                    <Required>N</Required>
+                </port>
+
+                <statusServer type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                        <minimal>Minimal</minimal>
+                        <auto>Auto</auto>
+                    </OptionValues>
+                </statusServer>
+
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <default>udp</default>
+                    <OptionValues>
+                        <udp>UDP</udp>
+                        <tcp>TCP</tcp>
+                        <tls>TLS</tls>
+                        <dtls>DTLS</dtls>
+                    </OptionValues>
+                </type>
+
+                <secret type="TextField">
+                    <Required>N</Required>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Must be set for UDP-servers.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>type</field>
+                            <check>udp</check>
+                        </check001>
+                        <check002>
+                            <ValidationMessage>Must be set for TCP-servers.</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>type</field>
+                            <check>tcp</check>
+                        </check002>
+                    </Constraints>
+                </secret>
+
+                <tlsConfig type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <tlsConfigs>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>tlsConfigs.tlsConfig</items>
+                            <display>name</display>
+                        </tlsConfigs>
+                    </Model>
+                </tlsConfig>
+
+                <certificateNameCheck type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </certificateNameCheck>
+
+                <matchCertificateAttribute type="TextField">
+                    <Required>N</Required>
+                </matchCertificateAttribute>
+
+                <rewriteIn type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <rewrites>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>rewrites.rewrite</items>
+                            <display>name</display>
+                        </rewrites>
+                    </Model>
+                </rewriteIn>
+
+                <rewriteOut type="ModelRelationField">
+                    <Required>N</Required>
+                    <Model>
+                        <rewrites>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>rewrites.rewrite</items>
+                            <display>name</display>
+                        </rewrites>
+                    </Model>
+                </rewriteOut>
+
+            </server>
+        </servers>
+
+        <tlsConfigs>
+            <tlsConfig type="ArrayField">
+
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
+                    <default>default</default>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Name already in use</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </name>
+
+                <description type="TextField">
+                    <Required>N</Required>
+                </description>
+
+                <caCertificateRefId type="CertificateField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Field is required</ValidationMessage>
+                    <Type>ca</Type>
+                </caCertificateRefId>
+
+                <proxyCertificateRefId type="CertificateField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Field is required</ValidationMessage>
+                    <Type>cert</Type>
+                </proxyCertificateRefId>
+
+                <policyOids type="CSVListField">
+                    <Required>N</Required>
+                    <multiple>Y</multiple>
+                </policyOids>
+
+                <crlCheck type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </crlCheck>
+
+                <cacheExpiry type="IntegerField">
+                    <Required>N</Required>
+                </cacheExpiry>
+
+            </tlsConfig>
+        </tlsConfigs>
+
+        <realms>
+            <realm type="ArrayField">
+
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+
+                <description type="TextField">
+                    <Required>N</Required>
+                </description>
+
+                <realm type="TextField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Must not be empty</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Must be unique</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </realm>
+
+                <server type="ModelRelationField">
+                    <Multiple>Y</Multiple>
+                    <Required>N</Required>
+                    <Sorted>Y</Sorted>
+                    <Model>
+                        <servers>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>servers.server</items>
+                            <display>identifier</display>
+                        </servers>
+                    </Model>
+                    <ValidationMessage>Related server not found</ValidationMessage>
+                </server>
+
+                <accountingServer type="ModelRelationField">
+                    <Multiple>Y</Multiple>
+                    <Required>N</Required>
+                    <Sorted>Y</Sorted>
+                    <Model>
+                        <servers>
+                            <source>OPNsense.RadSecProxy.RadSecProxy</source>
+                            <items>servers.server</items>
+                            <display>identifier</display>
+                        </servers>
+                    </Model>
+                    <ValidationMessage>Related server not found</ValidationMessage>
+                </accountingServer>
+
+                <accountingResponse type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </accountingResponse>
+
+                <replyMessage type="TextField">
+                    <Required>N</Required>
+                </replyMessage>
+
+            </realm>
+        </realms>
+
+        <rewrites>
+            <rewrite type="ArrayField">
+
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
+                    <default>default</default>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>Name already in use</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </name>
+
+                <addAttributes type="TextField">
+                    <Required>N</Required>
+                </addAttributes>
+
+                <addVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </addVendorAttributes>
+
+                <supplementAttributes type="TextField">
+                    <Required>N</Required>
+                </supplementAttributes>
+
+                <supplementVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </supplementVendorAttributes>
+
+                <modifyAttributes type="TextField">
+                    <Required>N</Required>
+                </modifyAttributes>
+
+                <modifyVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </modifyVendorAttributes>
+
+                <removeAttributes type="TextField">
+                    <Required>N</Required>
+                </removeAttributes>
+
+                <removeVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </removeVendorAttributes>
+
+                <whitelistMode type="OptionField">
+                    <Required>Y</Required>
+                    <default>off</default>
+                    <OptionValues>
+                        <on>On</on>
+                        <off>Off</off>
+                    </OptionValues>
+                </whitelistMode>
+
+                <whitelistAttributes type="TextField">
+                    <Required>N</Required>
+                </whitelistAttributes>
+
+                <whitelistVendorAttributes type="TextField">
+                    <Required>N</Required>
+                </whitelistVendorAttributes>
+
+            </rewrite>
+        </rewrites>
+    </items>
+</model>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
index 33e7413f28..c03c5d45b1 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
@@ -1,56 +1,56 @@
-<script>
-    $( document ).ready(function() {
-        $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/clients/searchItem/',
-                get:'/api/radsecproxy/clients/getItem/',
-                set:'/api/radsecproxy/clients/setItem/',
-                add:'/api/radsecproxy/clients/addItem/',
-                del:'/api/radsecproxy/clients/delItem/',
-                toggle:'/api/radsecproxy/clients/toggleItem/'
-            }
-        );
-        updateServiceControlUI('radsecproxy');
-
-        // link apply button to API set action
-        $("#saveAct").click(function(){
-            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            // action to run after successful save, for example reconfigure service.
-            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
-                // action to run after reload
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                updateServiceControlUI('radsecproxy');
-            });
-        });
-    });
-</script>
-
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogClient">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-            <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
-            <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
-
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
-</div>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogClient,'id':'DialogClient','label':lang._('Edit client')])}}
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/clients/searchItem/',
+                get:'/api/radsecproxy/clients/getItem/',
+                set:'/api/radsecproxy/clients/setItem/',
+                add:'/api/radsecproxy/clients/addItem/',
+                del:'/api/radsecproxy/clients/delItem/',
+                toggle:'/api/radsecproxy/clients/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogClient">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+            <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
+            <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogClient,'id':'DialogClient','label':lang._('Edit client')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt
index 1508a57b5f..2c264100fd 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/general.volt
@@ -1,31 +1,31 @@
-<script type="text/javascript">
-    $( document ).ready(function() {
-        var data_get_map = {'frm_GeneralSettings':"/api/radsecproxy/general/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
-            $('.selectpicker').selectpicker('refresh');
-        });
-        updateServiceControlUI('radsecproxy');
-        
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            saveFormToEndpoint(url="/api/radsecproxy/general/set",formid='frm_GeneralSettings',callback_ok=function(){
-                // action to run after successful save, for example reconfigure service.
-                ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
-                    // action to run after reload
-                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                    updateServiceControlUI('radsecproxy');
-                });
-            });
-        });
-        
-    });
-</script>
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
-
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
-</div>
+<script type="text/javascript">
+    $( document ).ready(function() {
+        var data_get_map = {'frm_GeneralSettings':"/api/radsecproxy/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            $('.selectpicker').selectpicker('refresh');
+        });
+        updateServiceControlUI('radsecproxy');
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            saveFormToEndpoint(url="/api/radsecproxy/general/set",formid='frm_GeneralSettings',callback_ok=function(){
+                // action to run after successful save, for example reconfigure service.
+                ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                    // action to run after reload
+                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                    updateServiceControlUI('radsecproxy');
+                });
+            });
+        });
+
+    });
+</script>
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
+
+    <div class="col-md-12">
+        <hr />
+        <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
+</div>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
index 974842f40e..85453ec79d 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
@@ -1,54 +1,54 @@
-<script>
-    $( document ).ready(function() {
-        $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/realms/searchItem/',
-                get:'/api/radsecproxy/realms/getItem/',
-                set:'/api/radsecproxy/realms/setItem/',
-                add:'/api/radsecproxy/realms/addItem/',
-                del:'/api/radsecproxy/realms/delItem/',
-                toggle:'/api/radsecproxy/realms/toggleItem/'
-            }
-        );
-        updateServiceControlUI('radsecproxy');
-
-        // link apply button to API set action
-        $("#saveAct").click(function(){
-            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            // action to run after successful save, for example reconfigure service.
-            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
-                // action to run after reload
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                updateServiceControlUI('radsecproxy');
-            });
-        });
-    });
-</script>
-
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRealm">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-            <th data-column-id="realm" data-type="string">{{ lang._('Realm') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
-
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
-</div>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogRealm,'id':'DialogRealm','label':lang._('Edit realm')])}}
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/realms/searchItem/',
+                get:'/api/radsecproxy/realms/getItem/',
+                set:'/api/radsecproxy/realms/setItem/',
+                add:'/api/radsecproxy/realms/addItem/',
+                del:'/api/radsecproxy/realms/delItem/',
+                toggle:'/api/radsecproxy/realms/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRealm">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+            <th data-column-id="realm" data-type="string">{{ lang._('Realm') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogRealm,'id':'DialogRealm','label':lang._('Edit realm')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
index ded6289663..0da6b6612c 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
@@ -1,54 +1,54 @@
-<script>
-    $( document ).ready(function() {
-        $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/rewrites/searchItem/',
-                get:'/api/radsecproxy/rewrites/getItem/',
-                set:'/api/radsecproxy/rewrites/setItem/',
-                add:'/api/radsecproxy/rewrites/addItem/',
-                del:'/api/radsecproxy/rewrites/delItem/',
-                toggle:'/api/radsecproxy/rewrites/toggleItem/'
-            }
-        );
-        updateServiceControlUI('radsecproxy');
-
-        // link apply button to API set action
-        $("#saveAct").click(function(){
-            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            // action to run after successful save, for example reconfigure service.
-            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
-                // action to run after reload
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                updateServiceControlUI('radsecproxy');
-            });
-        });
-    });
-</script>
-
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRewrite">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-            <th data-column-id="name" data-type="string">{{ lang._('Type') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
-
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
-</div>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogRewrite,'id':'DialogRewrite','label':lang._('Edit rewrite-rule')])}}
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/rewrites/searchItem/',
+                get:'/api/radsecproxy/rewrites/getItem/',
+                set:'/api/radsecproxy/rewrites/setItem/',
+                add:'/api/radsecproxy/rewrites/addItem/',
+                del:'/api/radsecproxy/rewrites/delItem/',
+                toggle:'/api/radsecproxy/rewrites/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRewrite">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+            <th data-column-id="name" data-type="string">{{ lang._('Type') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogRewrite,'id':'DialogRewrite','label':lang._('Edit rewrite-rule')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
index 0581869990..b394b1e5ad 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
@@ -1,56 +1,56 @@
-<script>
-    $( document ).ready(function() {
-        $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/servers/searchItem/',
-                get:'/api/radsecproxy/servers/getItem/',
-                set:'/api/radsecproxy/servers/setItem/',
-                add:'/api/radsecproxy/servers/addItem/',
-                del:'/api/radsecproxy/servers/delItem/',
-                toggle:'/api/radsecproxy/servers/toggleItem/'
-            }
-        );
-        updateServiceControlUI('radsecproxy');
-
-        // link apply button to API set action
-        $("#saveAct").click(function(){
-            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            // action to run after successful save, for example reconfigure service.
-            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
-                // action to run after reload
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                updateServiceControlUI('radsecproxy');
-            });
-        });
-    });
-</script>
-
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogServer">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
-            <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-            <th data-column-id="tlsConfig" data-type="string">{{ lang._('TLS-Config') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
-
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
-</div>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogServer,'id':'DialogServer','label':lang._('Edit server')])}}
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/servers/searchItem/',
+                get:'/api/radsecproxy/servers/getItem/',
+                set:'/api/radsecproxy/servers/setItem/',
+                add:'/api/radsecproxy/servers/addItem/',
+                del:'/api/radsecproxy/servers/delItem/',
+                toggle:'/api/radsecproxy/servers/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogServer">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
+            <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+            <th data-column-id="tlsConfig" data-type="string">{{ lang._('TLS-Config') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogServer,'id':'DialogServer','label':lang._('Edit server')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
index 3533486053..cc63e0c747 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
@@ -1,55 +1,55 @@
-<script>
-    $( document ).ready(function() {
-        $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/tls/searchItem/',
-                get:'/api/radsecproxy/tls/getItem/',
-                set:'/api/radsecproxy/tls/setItem/',
-                add:'/api/radsecproxy/tls/addItem/',
-                del:'/api/radsecproxy/tls/delItem/',
-                toggle:'/api/radsecproxy/tls/toggleItem/'
-            }
-        );
-        updateServiceControlUI('radsecproxy');
-
-        // link apply button to API set action
-        $("#saveAct").click(function(){
-            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            // action to run after successful save, for example reconfigure service.
-            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
-                // action to run after reload
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                updateServiceControlUI('radsecproxy');
-            });
-        });
-    });
-</script>
-
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogTls">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="caCertificateRefId" data-type="string">{{ lang._('CA-certificate') }}</th>
-            <th data-column-id="proxyCertificateRefId" data-type="string">{{ lang._('Proxy-certificate') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
-
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
-</div>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogTls,'id':'DialogTls','label':lang._('Edit TLS-config')])}}
+<script>
+    $( document ).ready(function() {
+        $("#grid-addresses").UIBootgrid(
+            {   search:'/api/radsecproxy/tls/searchItem/',
+                get:'/api/radsecproxy/tls/getItem/',
+                set:'/api/radsecproxy/tls/setItem/',
+                add:'/api/radsecproxy/tls/addItem/',
+                del:'/api/radsecproxy/tls/delItem/',
+                toggle:'/api/radsecproxy/tls/toggleItem/'
+            }
+        );
+        updateServiceControlUI('radsecproxy');
+
+        // link apply button to API set action
+        $("#saveAct").click(function(){
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            // action to run after successful save, for example reconfigure service.
+            ajaxCall(url="/api/radsecproxy/service/reconfigure", sendData={},callback=function(data,status) {
+                // action to run after reload
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('radsecproxy');
+            });
+        });
+    });
+</script>
+
+<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogTls">
+    <thead>
+        <tr>
+            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+            <th data-column-id="caCertificateRefId" data-type="string">{{ lang._('CA-certificate') }}</th>
+            <th data-column-id="proxyCertificateRefId" data-type="string">{{ lang._('Proxy-certificate') }}</th>
+            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+        <tr>
+            <td></td>
+            <td>
+                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+        </tr>
+    </tfoot>
+</table>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogTls,'id':'DialogTls','label':lang._('Edit TLS-config')])}}
diff --git a/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php
index 9414db161c..d123a56e2b 100755
--- a/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php
+++ b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php
@@ -57,7 +57,7 @@ function deleteFilesInFolder($pathToFolder)
     {
         echo "deleting all files in folder " . $pathToFolder . "\n";
         $files = glob($pathToFolder . '/*');
-        
+
         foreach ($files as $file) {
             //Make sure that this is a file and not a directory.
             if (is_file($file)) {
diff --git a/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
index 42dfe22969..79ca190462 100644
--- a/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
+++ b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
@@ -1,35 +1,35 @@
-[setup]
-command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;
-parameters:
-type:script
-message:setup radsecproxy service requirements
-
-[start]
-command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy start;
-parameters:
-type:script
-message:starting radsecproxy
-
-[stop]
-command:/usr/local/etc/rc.d/radsecproxy stop;
-parameters:
-type:script
-message:stopping radsecproxy
-
-[restart]
-command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
-parameters:
-type:script
-message:restarting radsecproxy
-
-[reload]
-command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
-parameters:
-type:script
-message:reloading radsecproxy
-
-[status]
-command:/usr/local/etc/rc.d/radsecproxy status;exit 0;
-parameters:
-type:script_output
-message:radsecproxy status
+[setup]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;
+parameters:
+type:script
+message:setup radsecproxy service requirements
+
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy start;
+parameters:
+type:script
+message:starting radsecproxy
+
+[stop]
+command:/usr/local/etc/rc.d/radsecproxy stop;
+parameters:
+type:script
+message:stopping radsecproxy
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
+parameters:
+type:script
+message:restarting radsecproxy
+
+[reload]
+command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
+parameters:
+type:script
+message:reloading radsecproxy
+
+[status]
+command:/usr/local/etc/rc.d/radsecproxy status;exit 0;
+parameters:
+type:script_output
+message:radsecproxy status
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS
index 294d4f30db..d7da8ea4c2 100644
--- a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/+TARGETS
@@ -1,2 +1,2 @@
-radsecproxy.conf:/usr/local/etc/radsecproxy.conf
-rc.conf.d:/etc/rc.conf.d/radsecproxy
+radsecproxy.conf:/usr/local/etc/radsecproxy.conf
+rc.conf.d:/etc/rc.conf.d/radsecproxy
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
index b0563b335f..bdb62ce381 100644
--- a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
@@ -1,240 +1,240 @@
-{% if helpers.exists('OPNsense.radsecproxy.general') and OPNsense.radsecproxy.general.enabled|default("0") == "1" %}
-{% set certDir = '/usr/local/etc/radsecproxy.d/certs/' %}
-# auto-generated config-file for radsecproxy
-###########################################
-# GENERAL
-###########################################
-
-#PidFile /var/run/radsecproxy.pid
-#LogDestination file:///var/log/radsecproxy.log
-LogDestination x-syslog:///LOG_DAEMON
-
-{% if OPNsense.radsecproxy.general.logLevel is defined and OPNsense.radsecproxy.general.logLevel != "" %}
-LogLevel {{ OPNsense.radsecproxy.general.logLevel }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.logFullUsername is defined and OPNsense.radsecproxy.general.logFullUsername != "" %}
-LogFullUsername {{ OPNsense.radsecproxy.general.logFullUsername }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.logMac is defined and OPNsense.radsecproxy.general.logMac != "" %}
-LogMac {{ OPNsense.radsecproxy.general.logMac }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.loopPrevention is defined and OPNsense.radsecproxy.general.loopPrevention != "" %}
-LoopPrevention {{ OPNsense.radsecproxy.general.loopPrevention }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.listenUdp is defined and OPNsense.radsecproxy.general.listenUdp != "" %}
-ListenUDP {{ OPNsense.radsecproxy.general.listenUdp }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.listenTcp is defined and OPNsense.radsecproxy.general.listenTcp != "" %}
-ListenTCP {{ OPNsense.radsecproxy.general.listenTcp }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.listenTls is defined and OPNsense.radsecproxy.general.listenTls != "" %}
-ListenTLS {{ OPNsense.radsecproxy.general.listenTls }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.listenDtls is defined and OPNsense.radsecproxy.general.listenDtls != "" %}
-ListenDTLS {{ OPNsense.radsecproxy.general.listenDtls }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.sourceUdp is defined and OPNsense.radsecproxy.general.sourceUdp != "" %}
-SourceUDP {{ OPNsense.radsecproxy.general.sourceUdp }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.sourceTcp is defined and OPNsense.radsecproxy.general.sourceTcp != "" %}
-SourceTCP {{ OPNsense.radsecproxy.general.sourceTcp }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.sourceTls is defined and OPNsense.radsecproxy.general.sourceTls != "" %}
-SourceTLS {{ OPNsense.radsecproxy.general.sourceTls }}
-{% endif %}
-{% if OPNsense.radsecproxy.general.sourceDtls is defined and OPNsense.radsecproxy.general.sourceDtls != "" %}
-SourceDTLS {{ OPNsense.radsecproxy.general.sourceDtls }}
-{% endif %}
-
-###########################################
-# TLS-CONFIGS
-###########################################
-
-{% for tlsConfig in helpers.toList('OPNsense.radsecproxy.tlsConfigs.tlsConfig') %}
-# config for TLS-Config "{{ tlsConfig.description }}"
-tls {{ tlsConfig.name }} {
-{% if tlsConfig.caCertificateRefId is defined and tlsConfig.caCertificateRefId != "" %}
-  CACertificateFile   {{ certDir}}{{ tlsConfig.name }}_ca-cert.pem
-{% endif %}
-{% if tlsConfig.proxyCertificateRefId is defined and tlsConfig.proxyCertificateRefId != "" %}
-  CertificateFile     {{ certDir}}{{ tlsConfig.name }}_proxy-cert.pem
-  CertificateKeyFile  {{ certDir}}{{ tlsConfig.name }}_proxy-key.pem
-{% endif %}
-{% if tlsConfig.policyOids is defined and tlsConfig.policyOids != "" %}
-{% for policyOid in tlsConfig.policyOids.split(',') %}
-  PolicyOID {{ policyOid }}
-{% endfor %}
-{% endif %} 
-  CRLCheck {{ tlsConfig.crlCheck }}
-{% if tlsConfig.cacheExpiry is defined and tlsConfig.cacheExpiry != "" %}
-  CacheExpiry {{ tlsConfig.cacheExpiry }}
-{% endif %}
-}
-
-{% endfor %}
-
-###########################################
-# REWRITE-RULES
-###########################################
-
-{% for rewriteRule in helpers.toList('OPNsense.radsecproxy.rewrites.rewrite') %}
-{% if rewriteRule.enabled is defined and rewriteRule.enabled == "1" %}
-
-rewrite {{ rewriteRule.name }} {
-{% if rewriteRule.addAttributes is defined and rewriteRule.addAttributes != "" %}
-{% for addAttribute in rewriteRule.addAttributes.split("\n") %}
-  AddAttribute {{ addAttribute }}
-{% endfor %}
-{% endif %}
-{% if rewriteRule.addVendorAttributes is defined and rewriteRule.addVendorAttributes != "" %}
-{% for addVendorAttribute in rewriteRule.addVendorAttributes.split("\n") %}
-  AddVendorAttribute {{ addVendorAttribute }}
-{% endfor %}
-{% endif %}
-{% if rewriteRule.supplementAttributes is defined and rewriteRule.supplementAttributes != "" %}
-{% for supplementAttribute in rewriteRule.supplementAttributes.split("\n") %}
-  SupplementAttribute {{ supplementAttribute }}
-{% endfor %}
-{% endif %}
-{% if rewriteRule.supplementVendorAttributes is defined and rewriteRule.supplementVendorAttributes != "" %}
-{% for supplementVendorAttribute in rewriteRule.supplementVendorAttributes.split("\n") %}
-  SupplementVendorAttribute {{ supplementVendorAttribute }}
-{% endfor %}
-{% endif %}
-{% if rewriteRule.modifyAttributes is defined and rewriteRule.modifyAttributes != "" %}
-{% for modifyAttribute in rewriteRule.modifyAttributes.split("\n") %}
-  ModifyAttribute {{ modifyAttribute }}
-{% endfor %}
-{% endif %}
-{% if rewriteRule.modifyVendorAttributes is defined and rewriteRule.modifyVendorAttributes != "" %}
-{% for modifyVendorAttribute in rewriteRule.modifyVendorAttributes.split("\n") %}
-  ModifyVendorAttribute {{ modifyVendorAttribute }}
-{% endfor %}
-{% endif %}
-{% if rewriteRule.removeAttributes is defined and rewriteRule.removeAttributes != "" %}
-{% for removeAttribute in rewriteRule.removeAttributes.split("\n") %}
-  RemoveAttribute {{ removeAttribute }}
-{% endfor %}
-{% endif %}
-{% if rewriteRule.removeVendorAttributes is defined and rewriteRule.removeVendorAttributes != "" %}
-{% for removeVendorAttribute in rewriteRule.removeVendorAttributes.split("\n") %}
-  RemoveVendorAttribute {{ removeVendorAttribute }}
-{% endfor %}
-{% endif %}
-  WhitelistMode {{ rewriteRule.whitelistMode }}
-{% if rewriteRule.whitelistAttributes is defined and rewriteRule.whitelistAttributes != "" %}
-{% for whitelistAttribute in rewriteRule.whitelistAttributes.split("\n") %}
-  WhitelistAttribute {{ whitelistAttribute }}
-{% endfor %}
-{% endif %}
-{% if rewriteRule.whitelistVendorAttributes is defined and rewriteRule.whitelistVendorAttributes != "" %}
-{% for whitelistVendorAttribute in rewriteRule.whitelistVendorAttributes.split("\n") %}
-  WhitelistVendorAttribute {{ whitelistVendorAttribute }}
-{% endfor %}
-{% endif %}
-}
-{% endif %}
-{% endfor %}
-
-###########################################
-# CLIENTS
-###########################################
-
-{% for client in helpers.toList('OPNsense.radsecproxy.clients.client') %}
-{% if client.enabled is defined and client.enabled == "1" %}
-# config for client "{{ client.description }}"
-client {{ client.identifier }} {
-  Host {{ client.host }}
-  Type {{ client.type }}
-{% if client.secret is defined and client.secret != "" %}
-  Secret {{ client.secret }}
-{% endif %}
-{% if client.tlsConfig is defined and client.tlsConfig != "" %}
-{% set tlsConfig = helpers.getUUID(client.tlsConfig) %}
-  Tls {{ tlsConfig.name }}
-{% endif %}
-  CertificateNameCheck {{ client.certificateNameCheck }}
-{% if client.matchCertificateAttribute is defined and client.matchCertificateAttribute != "" %}
-  matchCertificateAttribute {{ client.matchCertificateAttribute }}
-{% endif %}
-{% if client.rewriteIn is defined and client.rewriteIn != "" %}
-{% set rewriteInRule = helpers.getUUID(client.rewriteIn) %}
-  RewriteIn {{ rewriteInRule.name }}
-{% endif %}
-{% if client.rewriteOut is defined and client.rewriteOut != "" %}
-{% set rewriteOutRule = helpers.getUUID(client.rewriteOut) %}
-  RewriteOut {{ rewriteOutRule.name }}
-{% endif %}
-}
-
-{% else %}
-# config for client "{{ client.description }}" not enabled, skipping!"
-
-{% endif %}
-{% endfor %}
-
-###########################################
-# SERVERS
-###########################################
-
-{% for server in helpers.toList('OPNsense.radsecproxy.servers.server') %}
-# config for server "{{ server.description }}"
-server {{ server.identifier }} {
-  Host {{ server.host }}
-{% if server.port is defined and server.port != "" %}
-  Port {{ server.port }}
-{% endif %}
-  Type {{ server.type }}
-{% if server.secret is defined and server.secret != "" %}
-  Secret {{ server.secret }}
-{% endif %}
-{% if server.tlsConfig is defined and server.tlsConfig != "" %}
-{% set tlsConfig = helpers.getUUID(server.tlsConfig) %}
-  Tls {{ tlsConfig.name }}
-{% endif %}
-  StatusServer {{ server.statusServer }}
-  CertificateNameCheck {{ server.certificateNameCheck }}
-{% if server.matchCertificateAttribute is defined and server.matchCertificateAttribute != "" %}
-  matchCertificateAttribute {{ server.matchCertificateAttribute }}
-{% endif %}
-{% if server.rewriteIn is defined and server.rewriteIn != "" %}
-{% set rewriteInRule = helpers.getUUID(server.rewriteIn) %}
-  RewriteIn {{ rewriteInRule.name }}
-{% endif %}
-{% if server.rewriteOut is defined and server.rewriteOut != "" %}
-{% set rewriteOutRule = helpers.getUUID(server.rewriteOut) %}
-  RewriteOut {{ rewriteOutRule.name }}
-{% endif %}
-}
-
-{% endfor %}
-
-###########################################
-# REALMS
-###########################################
-
-{% for realm in helpers.toList('OPNsense.radsecproxy.realms.realm') %}
-{% if realm.enabled is defined and realm.enabled == "1" %}
-# config for realm "{{ realm.realm }}"
-realm {{ realm.realm }} {
-{% if realm.server is defined and realm.server != "" %}
-{% for serverUuid in realm.server.split(',') %}
-{% set server = helpers.getUUID(serverUuid) %}
-  Server {{ server.identifier }}
-{% endfor %}
-{% endif %}
-{% if realm.replyMessage is defined and realm.replyMessage != "" %}
-  ReplyMessage "{{ realm.replyMessage }}"
-{% endif %}
-{% if realm.accountingResponse is defined and realm.accountingResponse != "" %}
-  AccountingResponse {{ realm.accountingResponse }}
-{% endif %}
-}
-
-{% else %}
-# config for realm "{{ realm.realm }}" not enabled, skipping!"
-
-{% endif %}
-{% endfor %}
-{# END OF TEMPLATE #}
-{% endif %}
+{% if helpers.exists('OPNsense.radsecproxy.general') and OPNsense.radsecproxy.general.enabled|default("0") == "1" %}
+{% set certDir = '/usr/local/etc/radsecproxy.d/certs/' %}
+# auto-generated config-file for radsecproxy
+###########################################
+# GENERAL
+###########################################
+
+#PidFile /var/run/radsecproxy.pid
+#LogDestination file:///var/log/radsecproxy.log
+LogDestination x-syslog:///LOG_DAEMON
+
+{% if OPNsense.radsecproxy.general.logLevel is defined and OPNsense.radsecproxy.general.logLevel != "" %}
+LogLevel {{ OPNsense.radsecproxy.general.logLevel }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.logFullUsername is defined and OPNsense.radsecproxy.general.logFullUsername != "" %}
+LogFullUsername {{ OPNsense.radsecproxy.general.logFullUsername }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.logMac is defined and OPNsense.radsecproxy.general.logMac != "" %}
+LogMac {{ OPNsense.radsecproxy.general.logMac }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.loopPrevention is defined and OPNsense.radsecproxy.general.loopPrevention != "" %}
+LoopPrevention {{ OPNsense.radsecproxy.general.loopPrevention }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.listenUdp is defined and OPNsense.radsecproxy.general.listenUdp != "" %}
+ListenUDP {{ OPNsense.radsecproxy.general.listenUdp }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.listenTcp is defined and OPNsense.radsecproxy.general.listenTcp != "" %}
+ListenTCP {{ OPNsense.radsecproxy.general.listenTcp }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.listenTls is defined and OPNsense.radsecproxy.general.listenTls != "" %}
+ListenTLS {{ OPNsense.radsecproxy.general.listenTls }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.listenDtls is defined and OPNsense.radsecproxy.general.listenDtls != "" %}
+ListenDTLS {{ OPNsense.radsecproxy.general.listenDtls }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.sourceUdp is defined and OPNsense.radsecproxy.general.sourceUdp != "" %}
+SourceUDP {{ OPNsense.radsecproxy.general.sourceUdp }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.sourceTcp is defined and OPNsense.radsecproxy.general.sourceTcp != "" %}
+SourceTCP {{ OPNsense.radsecproxy.general.sourceTcp }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.sourceTls is defined and OPNsense.radsecproxy.general.sourceTls != "" %}
+SourceTLS {{ OPNsense.radsecproxy.general.sourceTls }}
+{% endif %}
+{% if OPNsense.radsecproxy.general.sourceDtls is defined and OPNsense.radsecproxy.general.sourceDtls != "" %}
+SourceDTLS {{ OPNsense.radsecproxy.general.sourceDtls }}
+{% endif %}
+
+###########################################
+# TLS-CONFIGS
+###########################################
+
+{% for tlsConfig in helpers.toList('OPNsense.radsecproxy.tlsConfigs.tlsConfig') %}
+# config for TLS-Config "{{ tlsConfig.description }}"
+tls {{ tlsConfig.name }} {
+{% if tlsConfig.caCertificateRefId is defined and tlsConfig.caCertificateRefId != "" %}
+  CACertificateFile   {{ certDir}}{{ tlsConfig.name }}_ca-cert.pem
+{% endif %}
+{% if tlsConfig.proxyCertificateRefId is defined and tlsConfig.proxyCertificateRefId != "" %}
+  CertificateFile     {{ certDir}}{{ tlsConfig.name }}_proxy-cert.pem
+  CertificateKeyFile  {{ certDir}}{{ tlsConfig.name }}_proxy-key.pem
+{% endif %}
+{% if tlsConfig.policyOids is defined and tlsConfig.policyOids != "" %}
+{% for policyOid in tlsConfig.policyOids.split(',') %}
+  PolicyOID {{ policyOid }}
+{% endfor %}
+{% endif %}
+  CRLCheck {{ tlsConfig.crlCheck }}
+{% if tlsConfig.cacheExpiry is defined and tlsConfig.cacheExpiry != "" %}
+  CacheExpiry {{ tlsConfig.cacheExpiry }}
+{% endif %}
+}
+
+{% endfor %}
+
+###########################################
+# REWRITE-RULES
+###########################################
+
+{% for rewriteRule in helpers.toList('OPNsense.radsecproxy.rewrites.rewrite') %}
+{% if rewriteRule.enabled is defined and rewriteRule.enabled == "1" %}
+
+rewrite {{ rewriteRule.name }} {
+{% if rewriteRule.addAttributes is defined and rewriteRule.addAttributes != "" %}
+{% for addAttribute in rewriteRule.addAttributes.split("\n") %}
+  AddAttribute {{ addAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.addVendorAttributes is defined and rewriteRule.addVendorAttributes != "" %}
+{% for addVendorAttribute in rewriteRule.addVendorAttributes.split("\n") %}
+  AddVendorAttribute {{ addVendorAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.supplementAttributes is defined and rewriteRule.supplementAttributes != "" %}
+{% for supplementAttribute in rewriteRule.supplementAttributes.split("\n") %}
+  SupplementAttribute {{ supplementAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.supplementVendorAttributes is defined and rewriteRule.supplementVendorAttributes != "" %}
+{% for supplementVendorAttribute in rewriteRule.supplementVendorAttributes.split("\n") %}
+  SupplementVendorAttribute {{ supplementVendorAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.modifyAttributes is defined and rewriteRule.modifyAttributes != "" %}
+{% for modifyAttribute in rewriteRule.modifyAttributes.split("\n") %}
+  ModifyAttribute {{ modifyAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.modifyVendorAttributes is defined and rewriteRule.modifyVendorAttributes != "" %}
+{% for modifyVendorAttribute in rewriteRule.modifyVendorAttributes.split("\n") %}
+  ModifyVendorAttribute {{ modifyVendorAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.removeAttributes is defined and rewriteRule.removeAttributes != "" %}
+{% for removeAttribute in rewriteRule.removeAttributes.split("\n") %}
+  RemoveAttribute {{ removeAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.removeVendorAttributes is defined and rewriteRule.removeVendorAttributes != "" %}
+{% for removeVendorAttribute in rewriteRule.removeVendorAttributes.split("\n") %}
+  RemoveVendorAttribute {{ removeVendorAttribute }}
+{% endfor %}
+{% endif %}
+  WhitelistMode {{ rewriteRule.whitelistMode }}
+{% if rewriteRule.whitelistAttributes is defined and rewriteRule.whitelistAttributes != "" %}
+{% for whitelistAttribute in rewriteRule.whitelistAttributes.split("\n") %}
+  WhitelistAttribute {{ whitelistAttribute }}
+{% endfor %}
+{% endif %}
+{% if rewriteRule.whitelistVendorAttributes is defined and rewriteRule.whitelistVendorAttributes != "" %}
+{% for whitelistVendorAttribute in rewriteRule.whitelistVendorAttributes.split("\n") %}
+  WhitelistVendorAttribute {{ whitelistVendorAttribute }}
+{% endfor %}
+{% endif %}
+}
+{% endif %}
+{% endfor %}
+
+###########################################
+# CLIENTS
+###########################################
+
+{% for client in helpers.toList('OPNsense.radsecproxy.clients.client') %}
+{% if client.enabled is defined and client.enabled == "1" %}
+# config for client "{{ client.description }}"
+client {{ client.identifier }} {
+  Host {{ client.host }}
+  Type {{ client.type }}
+{% if client.secret is defined and client.secret != "" %}
+  Secret {{ client.secret }}
+{% endif %}
+{% if client.tlsConfig is defined and client.tlsConfig != "" %}
+{% set tlsConfig = helpers.getUUID(client.tlsConfig) %}
+  Tls {{ tlsConfig.name }}
+{% endif %}
+  CertificateNameCheck {{ client.certificateNameCheck }}
+{% if client.matchCertificateAttribute is defined and client.matchCertificateAttribute != "" %}
+  matchCertificateAttribute {{ client.matchCertificateAttribute }}
+{% endif %}
+{% if client.rewriteIn is defined and client.rewriteIn != "" %}
+{% set rewriteInRule = helpers.getUUID(client.rewriteIn) %}
+  RewriteIn {{ rewriteInRule.name }}
+{% endif %}
+{% if client.rewriteOut is defined and client.rewriteOut != "" %}
+{% set rewriteOutRule = helpers.getUUID(client.rewriteOut) %}
+  RewriteOut {{ rewriteOutRule.name }}
+{% endif %}
+}
+
+{% else %}
+# config for client "{{ client.description }}" not enabled, skipping!"
+
+{% endif %}
+{% endfor %}
+
+###########################################
+# SERVERS
+###########################################
+
+{% for server in helpers.toList('OPNsense.radsecproxy.servers.server') %}
+# config for server "{{ server.description }}"
+server {{ server.identifier }} {
+  Host {{ server.host }}
+{% if server.port is defined and server.port != "" %}
+  Port {{ server.port }}
+{% endif %}
+  Type {{ server.type }}
+{% if server.secret is defined and server.secret != "" %}
+  Secret {{ server.secret }}
+{% endif %}
+{% if server.tlsConfig is defined and server.tlsConfig != "" %}
+{% set tlsConfig = helpers.getUUID(server.tlsConfig) %}
+  Tls {{ tlsConfig.name }}
+{% endif %}
+  StatusServer {{ server.statusServer }}
+  CertificateNameCheck {{ server.certificateNameCheck }}
+{% if server.matchCertificateAttribute is defined and server.matchCertificateAttribute != "" %}
+  matchCertificateAttribute {{ server.matchCertificateAttribute }}
+{% endif %}
+{% if server.rewriteIn is defined and server.rewriteIn != "" %}
+{% set rewriteInRule = helpers.getUUID(server.rewriteIn) %}
+  RewriteIn {{ rewriteInRule.name }}
+{% endif %}
+{% if server.rewriteOut is defined and server.rewriteOut != "" %}
+{% set rewriteOutRule = helpers.getUUID(server.rewriteOut) %}
+  RewriteOut {{ rewriteOutRule.name }}
+{% endif %}
+}
+
+{% endfor %}
+
+###########################################
+# REALMS
+###########################################
+
+{% for realm in helpers.toList('OPNsense.radsecproxy.realms.realm') %}
+{% if realm.enabled is defined and realm.enabled == "1" %}
+# config for realm "{{ realm.realm }}"
+realm {{ realm.realm }} {
+{% if realm.server is defined and realm.server != "" %}
+{% for serverUuid in realm.server.split(',') %}
+{% set server = helpers.getUUID(serverUuid) %}
+  Server {{ server.identifier }}
+{% endfor %}
+{% endif %}
+{% if realm.replyMessage is defined and realm.replyMessage != "" %}
+  ReplyMessage "{{ realm.replyMessage }}"
+{% endif %}
+{% if realm.accountingResponse is defined and realm.accountingResponse != "" %}
+  AccountingResponse {{ realm.accountingResponse }}
+{% endif %}
+}
+
+{% else %}
+# config for realm "{{ realm.realm }}" not enabled, skipping!"
+
+{% endif %}
+{% endfor %}
+{# END OF TEMPLATE #}
+{% endif %}
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
index 03409f3a79..35042a335c 100644
--- a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
@@ -1,7 +1,7 @@
-{% if helpers.exists('OPNsense.radsecproxy.general.enabled') and OPNsense.radsecproxy.general.enabled == '1' %}
-radsecproxy_enable="YES"
-{% else %}
-radsecproxy_enable="NO"
-{% endif %}
-radsecproxy_user="root"
-radsecproxy_group="wheel"
+{% if helpers.exists('OPNsense.radsecproxy.general.enabled') and OPNsense.radsecproxy.general.enabled == '1' %}
+radsecproxy_enable="YES"
+{% else %}
+radsecproxy_enable="NO"
+{% endif %}
+radsecproxy_user="root"
+radsecproxy_group="wheel"

From b41246811d7bb2b2532deeb3a901798e953f8013 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 14 Apr 2021 23:37:45 +0200
Subject: [PATCH 0534/3088] net/haproxy: fix config test when service is not
 enabled

---
 net/haproxy/pkg-descr                                          | 3 +++
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf   | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 2dbcc504d4..685819d341 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -8,6 +8,9 @@ Plugin Changelog
 
 3.2
 
+Fixed:
+* fix config test when HAProxy service is not enabled
+
 Changed:
 * ignore incompatible ciphersuites options when LibreSSL is used (#2013)
 
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index d9923f7996..5cd9e07221 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -829,7 +829,7 @@ userlist {{object.name | regex_replace ("[^A-Za-z0-9]","")}}
 #
 # NOTE: HAProxy is currently DISABLED
 #
-{%- endif -%}
+{% endif %}
 
 {#- ############################### -#}
 {#-             GLOBAL              -#}

From fddf85bef2c11c17f9f7a18804eda0b47e631a74 Mon Sep 17 00:00:00 2001
From: jeremiah-rs <42019310+jeremiah-rs@users.noreply.github.com>
Date: Thu, 15 Apr 2021 07:25:01 -0400
Subject: [PATCH 0535/3088] Minor update to Acl.xml (#2100)

Minor edit to make error message clearer.
---
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
index 6abff3a73a..474a0a0dfd 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
@@ -13,7 +13,7 @@
                     <default></default>
                     <Required>Y</Required>
                     <mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z_\-]{1,32}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9a-zA-Z_-. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
+                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, A-Z, _ and -. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
                 </name>
                 <networks type="NetworkField">
                     <default></default>

From 3a163e8c941d8e1b9d75c4f1b977e03884a50eec Mon Sep 17 00:00:00 2001
From: Ang Iongchun <ang@iongchun.tw>
Date: Thu, 15 Apr 2021 19:48:10 +0800
Subject: [PATCH 0536/3088] dns/bind: enhance allow transfer (#1814)

* dns/bind: allow-transfer/query for slave zones

* dns/bind: global allow-transfer configuration
---
 .../Bind/forms/dialogEditBindDomain.xml       | 24 +++++++++----------
 .../OPNsense/Bind/forms/general.xml           |  6 +++++
 .../mvc/app/models/OPNsense/Bind/General.xml  | 11 +++++++++
 .../templates/OPNsense/Bind/named.conf        |  7 ++++++
 4 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
index dfd13fd206..c5e51d4928 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
@@ -11,6 +11,18 @@
         <type>text</type>
         <help>Set the name for this zone. Both forward and reverse zones may be specified, i.e. example.com or 0.168.192.in-addr.arpa.</help>
     </field>
+    <field>
+        <id>domain.allowtransfer</id>
+        <label>Allow Transfer</label>
+        <type>dropdown</type>
+        <help>Define an ACL where you allow which server can retrieve this zone.</help>
+    </field>
+    <field>
+        <id>domain.allowquery</id>
+        <label>Allow Query</label>
+        <type>dropdown</type>
+        <help>Define an ACL where you allow which client are allowed to query this zone.</help>
+    </field>
     <field>
         <id>domain.type</id>
         <label>Type</label>
@@ -41,18 +53,6 @@
         <type>header</type>
         <style>zone_type zone_type_master</style>
     </field>
-    <field>
-        <id>domain.allowtransfer</id>
-        <label>Allow Transfer</label>
-        <type>dropdown</type>
-        <help>Define an ACL where you allow which server can retrieve this zone. If this value is empty, domain transfers from everywhere are allowed.</help>
-    </field>
-    <field>
-        <id>domain.allowquery</id>
-        <label>Allow Query</label>
-        <type>dropdown</type>
-        <help>Define an ACL where you allow which client are allowed to query this zone.</help>
-    </field>
     <field>
         <id>domain.ttl</id>
         <label>TTL</label>
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 1889a6a477..05ea9fb728 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -73,6 +73,12 @@
         <type>dropdown</type>
         <help>Define an ACL where you allow which clients can resolve via this service. Usually use your local LAN.</help>
     </field>
+    <field>
+        <id>general.allowtransfer</id>
+        <label>Allow Transfer</label>
+        <type>dropdown</type>
+        <help>Define an ACL where you allow which server can retrieve zones.</help>
+    </field>
     <field>
         <id>general.dnssecvalidation</id>
         <label>DNSSEC Validation</label>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 1d0dc3c7f0..455f87d3db 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -72,6 +72,17 @@
             <Required>N</Required>
             <ValidationMessage>Choose an ACL.</ValidationMessage>
         </recursion>
+        <allowtransfer type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>N</Multiple>
+            <Required>N</Required>
+        </allowtransfer>
         <dnssecvalidation type="OptionField">
             <OptionValues>
                 <no>No</no>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 9309033bca..e6f4a53d27 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -46,6 +46,13 @@ options {
 {%   endfor %}
 {% endif %}
 
+{% if helpers.exists('OPNsense.bind.general.allowtransfer') and OPNsense.bind.general.allowtransfer != '' %}
+{%   for list in helpers.toList('OPNsense.bind.general.allowtransfer') %}
+{%   set allowtransfer = helpers.getUUID(list) %}
+        allow-transfer    { {{ allowtransfer.name }}; };
+{%   endfor %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.bind.general.maxcachesize') and OPNsense.bind.general.maxcachesize != '' %}
         max-cache-size    {{ OPNsense.bind.general.maxcachesize }}%;
 {% endif %}

From fc45f464be9a9543c2d63fee5b99116297429cee Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 15 Apr 2021 13:50:35 +0200
Subject: [PATCH 0537/3088] dns/bind: bump version

---
 dns/bind/Makefile  | 3 +--
 dns/bind/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 1909668726..2f0d237624 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.16
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.17
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index f449017325..6cb3c94559 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,11 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.17
+
+* Make "Allow Transfer" and "Allow Query" configuration available to slave zones
+* Add "Allow Transfer" to General page for default/fallback
+
 1.16
 
 * Fix slave zone templating

From c95924d8247d439b7c5446ca8b586869474e795f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 18 Apr 2021 15:04:10 +0200
Subject: [PATCH 0538/3088] Framework: update grep

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 01a35264c1..d1cb1e7e6d 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -284,7 +284,7 @@ lint-desc: check
 
 lint-shell:
 	@for FILE in $$(find ${.CURDIR}/src -name "*.sh" -type f); do \
-	    if [ "$$(head $${FILE} | grep -c '^#!\/bin\/sh$$')" == "0" ]; then \
+	    if [ "$$(head $${FILE} | grep -cx '#!\/bin\/sh')" == "0" ]; then \
 	        echo "Missing shebang in $${FILE}"; exit 1; \
 	    fi; \
 	    sh -n $${FILE} || exit 1; \

From 5d63a9ad995ed68845a4ff2d1cdff842fcc50331 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 19 Apr 2021 22:08:48 +0200
Subject: [PATCH 0539/3088] devel/debug: xdebug v3 configuration

---
 devel/debug/Makefile                               | 2 +-
 devel/debug/src/etc/php/ext-20-xdebug-settings.ini | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 13fe7f3d9b..19cdd1241b 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		debug
 PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
diff --git a/devel/debug/src/etc/php/ext-20-xdebug-settings.ini b/devel/debug/src/etc/php/ext-20-xdebug-settings.ini
index 74cba733b4..30ab5e7282 100644
--- a/devel/debug/src/etc/php/ext-20-xdebug-settings.ini
+++ b/devel/debug/src/etc/php/ext-20-xdebug-settings.ini
@@ -1,2 +1,4 @@
-xdebug.profiler_enable_trigger = 1
+xdebug.mode = profile;
+xdebug.start_with_request = trigger;
 xdebug.profiler_output_name = cachegrind.out.%t.%p
+xdebug.profiler_output_dir = /tmp

From dc937ddfd7592b098b943d594e7109cd4d101df3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Apr 2021 10:33:16 +0200
Subject: [PATCH 0540/3088] devel/debug: change to version 1.4

---
 devel/debug/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 19cdd1241b..f97500c858 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		debug
-PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \

From 5cde1f811bd2cab1caa7a868d4182959fe476ff4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Apr 2021 10:35:08 +0200
Subject: [PATCH 0541/3088] misc/theme-rebellion: bump version

---
 misc/theme-rebellion/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 97bd1578d4..f83bf6f1c4 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.8.6
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.8.7
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 

From 6ceac562c80b029c7a52479c8b79b408778150bd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Apr 2021 10:37:55 +0200
Subject: [PATCH 0542/3088] net-mgmt/telegraf: order pkg-descr

---
 net-mgmt/telegraf/pkg-descr | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 2bd64b400e..fdbbce9fc1 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -7,9 +7,11 @@ metrics to a variety of other datastores, services, and message
 queues, including InfluxDB, Graphite, OpenTSDB, Datadog, Librato,
 Kafka, MQTT, NSQ, and many others.
 
+WWW: https://www.influxdata.com/time-series-platform/telegraf/
 
 Plugin Changelog
 ================
+
 1.10.0
 
 * Add intrusion detection alert input
@@ -44,6 +46,3 @@ Plugin Changelog
 1.7.5
 
 * Add Graphite tag support
-
-
-WWW: https://www.influxdata.com/time-series-platform/telegraf/

From e11930407431a19a331e90ce798cc710ba5a216f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Apr 2021 10:49:59 +0200
Subject: [PATCH 0543/3088] security/maltrail: update changelog

---
 security/maltrail/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index 7df4a37578..9863acea0f 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -13,6 +13,7 @@ Changelog
 
 1.7
 
+* Allow sensor cron restart
 * Add syslog export
 
 1.6

From 29b268413b80e935e9dfa7fd30b7cedd3597a5f9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Apr 2021 10:54:55 +0200
Subject: [PATCH 0544/3088] net/wireguard: prep for new version

---
 net/wireguard/Makefile  | 2 +-
 net/wireguard/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 2e0da8f81f..d47a3d3d31 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.5
+PLUGIN_VERSION=		1.6
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 44ecbcc457..10880a4279 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,11 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.6
+
+* Move DNS setting to advanced
+* Make listen port optional
+
 1.5
 
 * Allow synchronization of config

From 228ea71fc8e0d2f2cd25b7fa09adae0cc2801250 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Apr 2021 10:57:49 +0200
Subject: [PATCH 0545/3088] net/freeradius: update version

---
 net/freeradius/Makefile  | 2 +-
 net/freeradius/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 1b61d34a68..2c0998709f 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.10
+PLUGIN_VERSION=		1.9.11
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index d0d029ffd1..b7dbcee0b7 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.11
+
+Add IPv6 support to client IP
+
 1.9.10
 
 * Add HA config sync

From 90c8a662d91369fe056393bddf30906340bb1fed Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Apr 2021 11:05:40 +0200
Subject: [PATCH 0546/3088] www/nginx: update changelog

---
 www/nginx/Makefile  |  3 +--
 www/nginx/pkg-descr | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 28fcf5bbeb..fb7fab07ab 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.22
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index f4dc18e6a1..47c9a2a02f 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -5,9 +5,21 @@ NGINX functionality includes HTTP server, HTTP and mail reverse proxy, caching,
 load balancing, compression, request throttling, connection multiplexing and
 reuse, SSL offload and HTTP media streaming.
 
+WWW: https://nginx.org/
+
 Plugin Changelog
 ================
 
+1.22
+
+* Add X-Forwarded-Port and X-Forwarded-Host headers (contributed by Carlos Cesario)
+* Fix wrong stream server CA filename (contributed by Ingo Theiss)
+* Fix proxy_ssl_name and add hook (contributed by kulikov-a)
+* Apply loadbalancing for UDP (contributed by Thomas Laubrock)
+* Naxsi whitelist improvements (contributed by Manuel Faux)
+* Grid view improvements (contributed by Manuel Faux)
+* Minor fixes in setup.php (contributed by kulikov-a)
+
 1.21
 
 * fix performance issue with autoban feature (contributed by jkellerer)
@@ -164,5 +176,3 @@ Plugin Changelog
 * add experimental support to handle the web interface (can only be enabled via CLI)
 * add WAF (NAXSI) support
 * add Authentication support
-
-WWW: https://nginx.org/

From a61d7642fd6b9ea30f445b50348811dfd88a614a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Apr 2021 13:13:49 +0200
Subject: [PATCH 0547/3088] dns/bind: update changelog

---
 dns/bind/pkg-descr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 6cb3c94559..d35ebdb90b 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -10,8 +10,8 @@ Plugin Changelog
 
 1.17
 
-* Make "Allow Transfer" and "Allow Query" configuration available to slave zones
-* Add "Allow Transfer" to General page for default/fallback
+* Make "Allow Transfer" and "Allow Query" configuration available to slave zones (contributed by Ang Iongchun)
+* Add "Allow Transfer" to General page for default/fallback (contributed by Ang Iongchun)
 
 1.16
 

From 6c7b0db55b39e57be288378ca5536fe24c09ccc6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 20 Apr 2021 17:22:32 +0200
Subject: [PATCH 0548/3088] net/firewall - phalcon 4 compatbility for
 https://github.com/opnsense/core/issues/4012

---
 .../src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 3eff2d05eb..a6bf1d4a64 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -29,7 +29,7 @@
 namespace OPNsense\Firewall;
 
 use OPNsense\Core\Config;
-use Phalcon\Validation\Message;
+use Phalcon\Messages\Message;
 use OPNsense\Base\BaseModel;
 use OPNsense\Firewall\Util;
 

From 54583683bc4d67a88fbefe5d55d8a29e98a5079d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Apr 2021 08:33:35 +0200
Subject: [PATCH 0549/3088] net/firewall: bump revision

---
 net/firewall/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 4b40f0f05c..9bb8c5ed87 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From 576164256de7fa36f336b5acac5ec3cf7fc70e24 Mon Sep 17 00:00:00 2001
From: nan0 <49376203+devNan0@users.noreply.github.com>
Date: Wed, 21 Apr 2021 08:56:28 +0200
Subject: [PATCH 0550/3088] Fix leading space in freeradius logformat (#2228)

---
 .../src/opnsense/scripts/systemhealth/logformats/freeradius.py  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/freeradius/src/opnsense/scripts/systemhealth/logformats/freeradius.py b/net/freeradius/src/opnsense/scripts/systemhealth/logformats/freeradius.py
index 23fc0d7398..345aa1bd5e 100755
--- a/net/freeradius/src/opnsense/scripts/systemhealth/logformats/freeradius.py
+++ b/net/freeradius/src/opnsense/scripts/systemhealth/logformats/freeradius.py
@@ -27,7 +27,7 @@
 import re
 import datetime
 from . import BaseLogFormat
-freeradius_timeformat = r'^([A-Za-z]{3}\s[A-Za-z]{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\d{4}\s[:]).*'
+freeradius_timeformat = r'^([A-Za-z]{3}\s[A-Za-z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\d{4}\s[:]).*'
 
 
 class FreeRADIUSLogFormat(BaseLogFormat):

From 84cc6b20d26a5b40ef9789ea5f0b15c96871c897 Mon Sep 17 00:00:00 2001
From: rmrfus <rmrf@x123.net>
Date: Tue, 20 Apr 2021 23:57:42 -0700
Subject: [PATCH 0551/3088] Fix FreeDNS update in DynDNS plugin (#2263)

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 4 ++--
 dns/dyndns/src/www/services_dyndns_edit.php               | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 67c250a3a0..c47e491bc6 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -587,7 +587,7 @@ class updatedns
                 $this->_checkStatus(0, $code);
                 break;
             case 'freedns':
-                curl_setopt($ch, CURLOPT_URL, 'https://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass);
+                curl_setopt($ch, CURLOPT_URL, 'https://sync.afraid.org/u/' . $this->_dnsPass . '/');
                 break;
             case 'dnsexit':
                 curl_setopt($ch, CURLOPT_URL, 'https://update.dnsexit.com/RemoteUpdate.sv?login=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);
@@ -1329,7 +1329,7 @@ class updatedns
                 }
                 break;
             case 'freedns':
-                if (preg_match("/has not changed./i", $data)) {
+                if (preg_match("/No IP change detected.*skipping update/i", $data)) {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Success) No Change In IP Address";
                     $successful_update = true;
                 } elseif (preg_match("/Updated/i", $data)) {
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index 388cbbcbe3..2ac1766c09 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -369,6 +369,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('For Custom Entries, Username and Password represent HTTP Authentication username and passwords.') ?>
                         <br /><?= gettext('Gandi LiveDNS: The subdomain / record to update.') ?>
                         <br /><?= gettext('GoDaddy: Enter your API Key Token.') ?>
+                        <br /><?= gettext('FreeDNS: Leave blank.') ?>
                       </div>
                     </td>
                   </tr>

From 5b2ac550c49af5c14356cdc592568e3febc2d54f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Apr 2021 08:51:01 +0200
Subject: [PATCH 0552/3088] dns/dyndns: small cleanup and new version

---
 dns/dyndns/Makefile                           |   3 +-
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |   2 +-
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 123 ++++++------------
 3 files changed, 39 insertions(+), 89 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 451840d028..da4ebda94a 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.23
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.24
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 40744ebd5c..8652456942 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -101,9 +101,9 @@ function dyndns_list()
         'azurev6' => 'Azure DNS (v6)',
         'citynetwork' => 'City Network',
         'cloudflare' => 'Cloudflare',
-        'cloudflare-v6' => 'Cloudflare (v6)',
         'cloudflare-token' => 'Cloudflare API token',
         'cloudflare-token-v6' => 'Cloudflare API token (v6)',
+        'cloudflare-v6' => 'Cloudflare (v6)',
         'custom' => 'Custom',
         'custom-v6' => 'Custom (v6)',
         'dhs' => 'DHS',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index c47e491bc6..e86b66e007 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1,57 +1,8 @@
 <?php
 
 /*
- * PHP.updateDNS (OPNsense version)
+ *  phpDynDNS
  *
- * +====================================================+
- *  Services Supported:
- *    - DynDns (dyndns.org) [dynamic, static, custom]
- *    - DHSDns (dhs.org)
- *    - No-IP (no-ip.com)
- *    - EasyDNS (easydns.com)
- *    - DHS (www.dhs.org)
- *    - HN (hn.org) -- incomplete checking!
- *    - DynS (dyns.org)
- *    - ZoneEdit (zoneedit.com)
- *    - FreeDNS (freedns.afraid.org)
- *    - Loopia (loopia.se)
- *    - StaticCling (staticcling.org)
- *    - DNSexit (dnsexit.com)
- *    - Namecheap (namecheap.com)
- *    - HE.net (dns.he.net)
- *    - HE.net IPv6 (dns.he.net)
- *    - HE.net Tunnelbroker IP update (ipv4.tunnelbroker.net)
- *    - SelfHost (selfhost.de)
- *    - Amazon Route53 (aws.amazon.com)
- *    - DNS-O-Matic (dnsomatic.com)
- *    - Custom dynamic DNS (any URL)
- *    - Custom dynamic DNS IPv6 (any URL)
- *    - Cloudflare (www.cloudflare.com)
- *    - Cloudflare IPv6 (www.cloudflare.com)
- *    - Cloudflare API token (www.cloudflare.com)
- *    - Cloudflare API token IPv6 (www.cloudflare.com)
- *    - Eurodns (eurodns.com)
- *    - GratisDNS (gratisdns.dk)
- *    - City Network (citynetwork.se)
- *    - Duck DNS (duckdns.org)
- *    - Google Domains (domains.google.com)
- *    - STRATO (strato.com)
- *    - 3322 (3322.net)
- *    - Oray (oray.com)
- *    - regfish (regfish.de)
- *    - regfish IPv6 (regfish.de)
- *    - dynv6 IPv6 (dynv6.com)
- *    - DigitalOcean (digitalocean.com)
- *    - Gandi LiveDNS (gandi.net)
- *    - Azure DNS (azure.microsoft.com)
- *    - Linode (linode.com)
- *    - Linode IPv6 (linode.com)
- *    - GoDaddy (godaddy.com)
- *    - GoDaddy IPv6 (godaddy.com)
- * +----------------------------------------------------+
- *  Requirements:
- *    - PHP version 4.0.2 or higher with the CURL Library and the PCRE Library
- * +----------------------------------------------------+
  *  Public Functions
  *    - updatedns()
  *
@@ -63,52 +14,52 @@
  *    - _debug()
  *    - _checkIP()
  * +----------------------------------------------------+
- *  DynDNS Dynamic              - Last Tested: 12 July 2005
- *  DynDNS Static               - Last Tested: NEVER
- *  DynDNS Custom               - Last Tested: NEVER
- *  No-IP                       - Last Tested: 20 July 2008
- *  HN.org                      - Last Tested: 12 July 2005
- *  EasyDNS                     - Last Tested: 20 July 2008
- *  DHS                         - Last Tested: 12 July 2005
- *  ZoneEdit                    - Last Tested: NEVER
- *  Dyns                        - Last Tested: NEVER
- *  ODS                         - Last Tested: 02 August 2005
- *  FreeDNS                     - Last Tested: 23 Feb 2011
- *  Loopia                      - Last Tested: NEVER
- *  StaticCling                 - Last Tested: 27 April 2006
- *  DNSexit                     - Last Tested: 20 July 2008
- *  Namecheap                   - Last Tested: 31 August 2010
- *  HE.net                      - Last Tested: 7 July 2013
- *  HE.net IPv6                 - Last Tested: 7 July 2013
- *  HE.net Tunnel               - Last Tested: 28 June 2011
- *  SelfHost                    - Last Tested: 26 December 2011
+ *  3322                        - Last Tested: 26 May 2017
  *  Amazon Route53              - Last Tested: 01 April 2012
- *  DNS-O-Matic                 - Last Tested: 9 September 2010
+ *  Amazon Route53 v6           - Last Tested: 19 November 2017
+ *  Azure DNS                   - Last Tested: 16 October 2019
+ *  City Network                - Last Tested: 13 November 2013
  *  Cloudflare                  - Last Tested: 16 April 2019
  *  Cloudflare IPv6             - Last Tested: 16 April 2019
  *  Cloudflare w/API token      - Last Tested: 13 June 2020
  *  Cloudflare w/API token v6   - Last Tested: NEVER
+ *  DHS                         - Last Tested: 12 July 2005
+ *  DNS-O-Matic                 - Last Tested: 9 September 2010
+ *  DNSexit                     - Last Tested: 20 July 2008
+ *  DigitalOcean                - Last Tested: 25 June 2019
+ *  Duck DNS                    - Last Tested: 04 March 2015
+ *  DynDNS Custom               - Last Tested: NEVER
+ *  DynDNS Dynamic              - Last Tested: 12 July 2005
+ *  DynDNS Static               - Last Tested: NEVER
+ *  Dyns                        - Last Tested: NEVER
+ *  EasyDNS                     - Last Tested: 20 July 2008
  *  Eurodns                     - Last Tested: 25 July 2018
+ *  FreeDNS                     - Last Tested: 06 March 2021
+ *  Gandi LiveDNS               - Last Tested: 24 August 2020
+ *  GoDaddy                     - Last Tested: 10 July 2020
+ *  GoDaddy v6                  - Last Tested: 10 July 2020
+ *  Google Domains              - Last Tested: 20 February 2017
  *  GratisDNS                   - Last Tested: 26 January 2020
+ *  HE.net                      - Last Tested: 7 July 2013
+ *  HE.net IPv6                 - Last Tested: 7 July 2013
+ *  HE.net Tunnel               - Last Tested: 28 June 2011
+ *  HN.org                      - Last Tested: 12 July 2005
+ *  Linode                      - Last Tested: 25 February 2020
+ *  Linode v6                   - Last Tested: 25 February 2020
+ *  Loopia                      - Last Tested: NEVER
+ *  Namecheap                   - Last Tested: 31 August 2010
+ *  No-IP                       - Last Tested: 20 July 2008
+ *  ODS                         - Last Tested: 02 August 2005
  *  OVH DynHOST                 - Last Tested: NEVER
- *  City Network                - Last Tested: 13 November 2013
- *  Duck DNS                    - Last Tested: 04 March 2015
- *  Google Domains              - Last Tested: 20 February 2017
- *  STRATO                      - Last Tested: 09 May 2017
- *  3322                        - Last Tested: 26 May 2017
  *  Oray                        - Last Tested: 26 May 2017
- *  regfish                     - Last Tested: 15 August 2017
- *  regfish v6                  - Last Tested: 15 August 2017
- *  Amazon Route53 v6           - Last Tested: 19 November 2017
+ *  STRATO                      - Last Tested: 09 May 2017
+ *  SelfHost                    - Last Tested: 26 December 2011
+ *  StaticCling                 - Last Tested: 27 April 2006
+ *  ZoneEdit                    - Last Tested: NEVER
  *  dynv6                       - Last Tested: 25 June 2019
  *  dynv6 v6                    - Last Tested: 25 June 2019
- *  DigitalOcean                - Last Tested: 25 June 2019
- *  Azure DNS                   - Last Tested: 16 October 2019
- *  Linode                      - Last Tested: 25 February 2020
- *  Linode v6                   - Last Tested: 25 February 2020
- *  GoDaddy                     - Last Tested: 10 July 2020
- *  GoDaddy v6                  - Last Tested: 10 July 2020
- *  Gandi LiveDNS               - Last Tested: 24 August 2020
+ *  regfish                     - Last Tested: 15 August 2017
+ *  regfish v6                  - Last Tested: 15 August 2017
  * +====================================================+
  *
  * @author    E.Kristensen
@@ -125,7 +76,7 @@ class updatedns
     var $_cacheFile;
     var $_cacheFile_v6;
     var $_debugFile;
-    var $_UserAgent = 'User-Agent: phpDynDNS/0.7';
+    var $_UserAgent = 'User-Agent: phpDynDNS/0.8';
     var $_errorVerbosity = 0;
     var $_dnsService;
     var $_dnsUser;

From 8a4c61f72137f92d26525da0c4e83c64d338a725 Mon Sep 17 00:00:00 2001
From: schreibubi <schreibubi@users.noreply.github.com>
Date: Wed, 21 Apr 2021 09:01:50 +0200
Subject: [PATCH 0553/3088] dns/dyndns: Add hetzner dns console to supported
 dyndns services (#2201)

---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |   2 +
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 103 ++++++++++++++++++
 2 files changed, 105 insertions(+)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 8652456942..e38fd0a46e 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -128,6 +128,8 @@ function dyndns_list()
         'he-net' => 'HE.net',
         'he-net-tunnelbroker' => 'HE.net Tunnelbroker',
         'he-net-v6' => 'HE.net (v6)',
+        'hetzner' => 'Hetzner DNS Console',
+        'hetzner-v6' => 'Hetzner DNS Console (v6)',
         'linode' => 'Linode',
         'linode-v6' => 'Linode (v6)',
         'loopia' => 'Loopia',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index e86b66e007..329c6db816 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -214,6 +214,8 @@ class updatedns
                 break;
             case 'cloudflare-token':
             case 'cloudflare-token-v6':
+            case 'hetzner':
+            case 'hetzner-v6':
                 if (!$dnsPass) {
                     $this->_error(4);
                 } elseif (!$dnsHost) {
@@ -244,6 +246,7 @@ class updatedns
             case 'regfish-v6':
             case 'route53-v6':
             case 'cloudflare-token-v6':
+            case 'hetzner-v6':
                 $this->_useIPv6 = true;
                 break;
             default:
@@ -318,6 +321,8 @@ class updatedns
                 case 'he-net':
                 case 'he-net-tunnelbroker':
                 case 'he-net-v6':
+                case 'hetzner':
+                case 'hetzner-v6':
                 case 'hn':
                 case 'linode':
                 case 'linode-v6':
@@ -821,6 +826,87 @@ class updatedns
                     }
                 }
                 break;
+            case 'hetzner':
+            case 'hetzner-v6':
+                $baseUrl = 'https://dns.hetzner.com/api/v1';
+                $fqdn = str_replace(' ', '', $this->_dnsHost);
+                $recordType = ($this->_useIPv6) ? 'AAAA' : 'A';
+                $ttlData = intval($this->_dnsTTL) < 1 ? 120 : intval($this->_dnsTTL);
+                $hostData = array(
+                    "value" => "{$this->_dnsIP}",
+                    "type" => $recordType,
+                    "name" => "",
+                    "ttl" => $ttlData,
+		    "zone_id" => ""
+                );
+
+                $headerAuth = array(
+                    "Auth-API-Token: {$this->_dnsPass}",
+                    'Content-Type: application/json'
+                );
+
+                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+                curl_setopt($ch, CURLOPT_HTTPHEADER, $headerAuth);
+
+                // Get all zone info
+                $zonesUrl = "$baseUrl/zones";
+                curl_setopt($ch, CURLOPT_URL, $zonesUrl);
+                $rawoutput = curl_exec($ch);
+                $output = json_decode($rawoutput);
+                $zoneId = null; // Set default value
+
+
+                // Iterate zone objects, check if $fqdn is equal to or ends with zone name
+                foreach ($output->zones as $key => $zoneObj) {
+
+                    if (preg_match("/^{$zoneObj->name}$|\.{$zoneObj->name}$/", $fqdn)) {
+                        // Found matching zone
+                        $zoneId = $zoneObj->id;
+                        // Get $hostName from $fqdn, set $domainName
+                        // These are only really used for log messages.
+                        $hostName = preg_replace("/\.?{$zoneObj->name}$/", '', $fqdn);
+                        $domainName = $zoneObj->name;
+
+                        break;
+                    }
+                }
+
+                if ($zoneId) { // If zone ID was found get host ID
+                    $dnsRecordsUrl = "$baseUrl/records?zone_id=$zoneId";
+                    curl_setopt($ch, CURLOPT_URL, $dnsRecordsUrl);
+                    $rawoutput = curl_exec($ch);
+                    $output = json_decode($rawoutput);
+                    $recordId = null;
+
+
+                    // Iterate zone objects, check if $hostName exist of the same type
+                    foreach ($output->records as $key => $recordObj) {
+                        if (preg_match("/^{$recordObj->name}$/", $hostName)) {
+                            if ($recordObj->type == $recordType) {
+                                // Found matching host
+                                $recordId = $recordObj->id;
+                                break;
+                            }
+                        }
+                    }
+
+                    if ($recordId) { // If record ID was found, update record
+                        $setRecordUrl = "$baseUrl/records/$recordId";
+                        curl_setopt($ch, CURLOPT_URL, $setRecordUrl);
+                        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
+                    }
+                    else {
+                        $setRecordUrl = "$baseUrl/records";
+                        curl_setopt($ch, CURLOPT_URL, $setRecordUrl);
+                        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
+                    }
+
+                    $hostData["zone_id"] = $zoneId;
+                    $hostData["name"] = $hostName;
+
+                    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($hostData));
+                }
+                break;
             case 'eurodns':
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
                 curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
@@ -1396,6 +1482,23 @@ class updatedns
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
                 }
                 break;
+            case 'hetzner':
+            case 'hetzner-v6':
+                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+                $output = json_decode($data);
+                if ($output->record->value === $this->_dnsIP) {
+                    $status = "Dynamic DNS: (Success) {$this->_dnsHost} updated to {$this->_dnsIP}";
+                    $successful_update = true;
+                } elseif ($http_code == 401) {
+                    $status = 'Dynamic DNS: (Error) Bad authentication attempt because of a wrong API Key.';
+                } elseif ($http_code == 403) {
+                    $status = 'Dynamic DNS: (Error) Access to the resource is denied. Mainly due to a lack of permissions to access it!';
+                } else {
+                    $status = 'Dynamic DNS: (Error) "Unknown Response"';
+                    log_error("Dynamic DNS: HTTP Status: {$http_code}  PAYLOAD: {$data}");
+                    $this->_debug($data);
+                }
+                break;
             case 'digitalocean':
                 $output = json_decode($data);
                 if ($output->domain_record->data === $this->_dnsIP) {

From 893e57d8bbec9ba90417e13ab0d9170dd9afbe86 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Apr 2021 09:09:06 +0200
Subject: [PATCH 0554/3088] dns/dyndns: style updates, remove NEVER tested

---
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 24 +++++++------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 329c6db816..3eec775e8f 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -22,16 +22,12 @@
  *  Cloudflare                  - Last Tested: 16 April 2019
  *  Cloudflare IPv6             - Last Tested: 16 April 2019
  *  Cloudflare w/API token      - Last Tested: 13 June 2020
- *  Cloudflare w/API token v6   - Last Tested: NEVER
  *  DHS                         - Last Tested: 12 July 2005
  *  DNS-O-Matic                 - Last Tested: 9 September 2010
  *  DNSexit                     - Last Tested: 20 July 2008
  *  DigitalOcean                - Last Tested: 25 June 2019
  *  Duck DNS                    - Last Tested: 04 March 2015
- *  DynDNS Custom               - Last Tested: NEVER
  *  DynDNS Dynamic              - Last Tested: 12 July 2005
- *  DynDNS Static               - Last Tested: NEVER
- *  Dyns                        - Last Tested: NEVER
  *  EasyDNS                     - Last Tested: 20 July 2008
  *  Eurodns                     - Last Tested: 25 July 2018
  *  FreeDNS                     - Last Tested: 06 March 2021
@@ -43,19 +39,18 @@
  *  HE.net                      - Last Tested: 7 July 2013
  *  HE.net IPv6                 - Last Tested: 7 July 2013
  *  HE.net Tunnel               - Last Tested: 28 June 2011
+ *  Hetzner DNS Console         - Last Tested: 06 February 2021
+ *  Hetzner DNS Console v6      - Last Tested: 06 February 2021
  *  HN.org                      - Last Tested: 12 July 2005
  *  Linode                      - Last Tested: 25 February 2020
  *  Linode v6                   - Last Tested: 25 February 2020
- *  Loopia                      - Last Tested: NEVER
  *  Namecheap                   - Last Tested: 31 August 2010
  *  No-IP                       - Last Tested: 20 July 2008
  *  ODS                         - Last Tested: 02 August 2005
- *  OVH DynHOST                 - Last Tested: NEVER
  *  Oray                        - Last Tested: 26 May 2017
  *  STRATO                      - Last Tested: 09 May 2017
  *  SelfHost                    - Last Tested: 26 December 2011
  *  StaticCling                 - Last Tested: 27 April 2006
- *  ZoneEdit                    - Last Tested: NEVER
  *  dynv6                       - Last Tested: 25 June 2019
  *  dynv6 v6                    - Last Tested: 25 June 2019
  *  regfish                     - Last Tested: 15 August 2017
@@ -832,18 +827,18 @@ class updatedns
                 $fqdn = str_replace(' ', '', $this->_dnsHost);
                 $recordType = ($this->_useIPv6) ? 'AAAA' : 'A';
                 $ttlData = intval($this->_dnsTTL) < 1 ? 120 : intval($this->_dnsTTL);
-                $hostData = array(
+                $hostData = [
                     "value" => "{$this->_dnsIP}",
                     "type" => $recordType,
                     "name" => "",
                     "ttl" => $ttlData,
-		    "zone_id" => ""
-                );
+                    "zone_id" => ""
+                ];
 
-                $headerAuth = array(
+                $headerAuth = [
                     "Auth-API-Token: {$this->_dnsPass}",
                     'Content-Type: application/json'
-                );
+                ];
 
                 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                 curl_setopt($ch, CURLOPT_HTTPHEADER, $headerAuth);
@@ -855,10 +850,8 @@ class updatedns
                 $output = json_decode($rawoutput);
                 $zoneId = null; // Set default value
 
-
                 // Iterate zone objects, check if $fqdn is equal to or ends with zone name
                 foreach ($output->zones as $key => $zoneObj) {
-
                     if (preg_match("/^{$zoneObj->name}$|\.{$zoneObj->name}$/", $fqdn)) {
                         // Found matching zone
                         $zoneId = $zoneObj->id;
@@ -894,8 +887,7 @@ class updatedns
                         $setRecordUrl = "$baseUrl/records/$recordId";
                         curl_setopt($ch, CURLOPT_URL, $setRecordUrl);
                         curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
-                    }
-                    else {
+                    } else {
                         $setRecordUrl = "$baseUrl/records";
                         curl_setopt($ch, CURLOPT_URL, $setRecordUrl);
                         curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');

From 8b9f9071919317cd1c126fa675ecc7b7c81a6fb0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Apr 2021 09:22:51 +0200
Subject: [PATCH 0555/3088] dns/dyndns: fix copy and paste unprotected object
 access

The original code was intended to look up results or let them
go in case of invalid returns but it was simplified to the point
of not being able to check for validity in the return data.

Fix this the best way we can for all three affected services.

PR: https://github.com/opnsense/plugins/pull/2288
PR: https://github.com/opnsense/plugins/issues/1564
---
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 99 ++++++++++---------
 1 file changed, 52 insertions(+), 47 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 3eec775e8f..6be420c029 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -785,16 +785,18 @@ class updatedns
                 $output = json_decode(curl_exec($ch));
                 $zoneId = null; // Set default value
 
-                // Iterate zone objects, check if $fqdn is equal to or ends with zone name
-                foreach ($output->result as $key => $zoneObj) {
-                    if (preg_match("/^{$zoneObj->name}$|\.{$zoneObj->name}$/", $fqdn)) {
-                        // Found matching zone
-                        $zoneId = $zoneObj->id;
-                        // Get $hostName from $fqdn, set $domainName
-                        // These are only really used for log messages.
-                        $hostName = preg_replace("/\.?{$zoneObj->name}$/", '', $fqdn);
-                        $domainName = $zoneObj->name;
-                        break;
+                if (!empty($output->result)) {
+                    // Iterate zone objects, check if $fqdn is equal to or ends with zone name
+                    foreach ($output->result as $key => $zoneObj) {
+                        if (preg_match("/^{$zoneObj->name}$|\.{$zoneObj->name}$/", $fqdn)) {
+                            // Found matching zone
+                            $zoneId = $zoneObj->id;
+                            // Get $hostName from $fqdn, set $domainName
+                            // These are only really used for log messages.
+                            $hostName = preg_replace("/\.?{$zoneObj->name}$/", '', $fqdn);
+                            $domainName = $zoneObj->name;
+                            break;
+                        }
                     }
                 }
 
@@ -846,39 +848,40 @@ class updatedns
                 // Get all zone info
                 $zonesUrl = "$baseUrl/zones";
                 curl_setopt($ch, CURLOPT_URL, $zonesUrl);
-                $rawoutput = curl_exec($ch);
-                $output = json_decode($rawoutput);
+                $output = json_decode(curl_exec($ch));
                 $zoneId = null; // Set default value
 
-                // Iterate zone objects, check if $fqdn is equal to or ends with zone name
-                foreach ($output->zones as $key => $zoneObj) {
-                    if (preg_match("/^{$zoneObj->name}$|\.{$zoneObj->name}$/", $fqdn)) {
-                        // Found matching zone
-                        $zoneId = $zoneObj->id;
-                        // Get $hostName from $fqdn, set $domainName
-                        // These are only really used for log messages.
-                        $hostName = preg_replace("/\.?{$zoneObj->name}$/", '', $fqdn);
-                        $domainName = $zoneObj->name;
+                if (!empty($output->zones)) {
+                    // Iterate zone objects, check if $fqdn is equal to or ends with zone name
+                    foreach ($output->zones as $key => $zoneObj) {
+                        if (preg_match("/^{$zoneObj->name}$|\.{$zoneObj->name}$/", $fqdn)) {
+                            // Found matching zone
+                            $zoneId = $zoneObj->id;
+                            // Get $hostName from $fqdn, set $domainName
+                            // These are only really used for log messages.
+                            $hostName = preg_replace("/\.?{$zoneObj->name}$/", '', $fqdn);
+                            $domainName = $zoneObj->name;
 
-                        break;
+                            break;
+                        }
                     }
                 }
 
                 if ($zoneId) { // If zone ID was found get host ID
                     $dnsRecordsUrl = "$baseUrl/records?zone_id=$zoneId";
                     curl_setopt($ch, CURLOPT_URL, $dnsRecordsUrl);
-                    $rawoutput = curl_exec($ch);
-                    $output = json_decode($rawoutput);
+                    $output = json_decode(curl_exec($ch));
                     $recordId = null;
 
-
-                    // Iterate zone objects, check if $hostName exist of the same type
-                    foreach ($output->records as $key => $recordObj) {
-                        if (preg_match("/^{$recordObj->name}$/", $hostName)) {
-                            if ($recordObj->type == $recordType) {
-                                // Found matching host
-                                $recordId = $recordObj->id;
-                                break;
+                    if (!empty($output->records)) {
+                        // Iterate zone objects, check if $hostName exist of the same type
+                        foreach ($output->records as $key => $recordObj) {
+                            if (preg_match("/^{$recordObj->name}$/", $hostName)) {
+                                if ($recordObj->type == $recordType) {
+                                    // Found matching host
+                                    $recordId = $recordObj->id;
+                                    break;
+                                }
                             }
                         }
                     }
@@ -1028,13 +1031,15 @@ class updatedns
                 $output = json_decode(curl_exec($ch));
                 $domainId = null;
 
-                // Find matching domain and split the hostname part from it
-                foreach ($output->data as $key => $domainObj) {
-                    if (preg_match("/^{$domainObj->domain}$|\.{$domainObj->domain}$/", $fqdn)) {
-                        $domainId = $domainObj->id;
-                        $hostName = preg_replace("/\.?{$domainObj->domain}$/", '', $fqdn);
-                        $domainName = $domainObj->domain;
-                        break;
+                if (!empty($output->data)) {
+                    // Find matching domain and split the hostname part from it
+                    foreach ($output->data as $key => $domainObj) {
+                        if (preg_match("/^{$domainObj->domain}$|\.{$domainObj->domain}$/", $fqdn)) {
+                            $domainId = $domainObj->id;
+                            $hostName = preg_replace("/\.?{$domainObj->domain}$/", '', $fqdn);
+                            $domainName = $domainObj->domain;
+                            break;
+                        }
                     }
                 }
 
@@ -1048,17 +1053,17 @@ class updatedns
                     $output = json_decode(curl_exec($ch));
                     $recordId = null;
 
-                    // Find matching record
-                    foreach ($output->data as $key => $recordObj) {
-                        if ($recordObj->type == $recordType && $recordObj->name == $hostName) {
-                            $recordId = $recordObj->id;
-                            break;
+                    if (!empty($output->data)) {
+                        // Find matching record
+                        foreach ($output->data as $key => $recordObj) {
+                            if ($recordObj->type == $recordType && $recordObj->name == $hostName) {
+                                $recordId = $recordObj->id;
+                                break;
+                            }
                         }
                     }
 
-                    $hostData = array(
-                        "target" => "{$this->_dnsIP}",
-                    );
+                    $hostData = [ 'target' => "{$this->_dnsIP}" ];
 
                     if ($recordId) {
                         // Update record

From 1a5508e45ea4ed73b9cbeb0eb4cef3f747c74354 Mon Sep 17 00:00:00 2001
From: Michael Paul <mipxx@users.noreply.github.com>
Date: Wed, 21 Apr 2021 09:31:45 +0200
Subject: [PATCH 0556/3088] dns/dyndns: add support for deSEC.io (#2023)

---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |  3 +
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 80 +++++++++++++++++++
 dns/dyndns/src/www/services_dyndns_edit.php   |  4 +-
 3 files changed, 86 insertions(+), 1 deletion(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index e38fd0a46e..bdf846b7a9 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -106,6 +106,9 @@ function dyndns_list()
         'cloudflare-v6' => 'Cloudflare (v6)',
         'custom' => 'Custom',
         'custom-v6' => 'Custom (v6)',
+        'desec' => 'deSEC',
+        'desec-v4-v6' => 'deSEC (v4+v6)',
+        'desec-v6' => 'deSEC (v6)',
         'dhs' => 'DHS',
         'digitalocean' => 'DigitalOcean',
         'dnsexit' => 'DNSexit',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 6be420c029..0395d97aa7 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -51,6 +51,9 @@
  *  STRATO                      - Last Tested: 09 May 2017
  *  SelfHost                    - Last Tested: 26 December 2011
  *  StaticCling                 - Last Tested: 27 April 2006
+ *  deSEC                       - Last Tested: 09 September 2020
+ *  deSEC v6                    - Last Tested: 09 September 2020
+ *  deSEC v4 + v6               - Last Tested: 09 September 2020
  *  dynv6                       - Last Tested: 25 June 2019
  *  dynv6 v6                    - Last Tested: 25 June 2019
  *  regfish                     - Last Tested: 15 August 2017
@@ -219,6 +222,15 @@ class updatedns
                     $this->_error(9);
                 }
                 break;
+            case 'desec':
+            case 'desec-v4-v6':
+            case 'desec-v6':
+                if (!$dnsPass) {
+                    $this->_error(4);
+                } elseif (!$dnsHost) {
+                    $this->_error(5);
+                }
+                break;
             default:
                 if (!$dnsUser) {
                     $this->_error(3);
@@ -241,6 +253,8 @@ class updatedns
             case 'regfish-v6':
             case 'route53-v6':
             case 'cloudflare-token-v6':
+            case 'desec-v4-v6':
+            case 'desec-v6':
             case 'hetzner-v6':
                 $this->_useIPv6 = true;
                 break;
@@ -294,6 +308,9 @@ class updatedns
                 case 'cloudflare-token-v6':
                 case 'custom':
                 case 'custom-v6':
+                case 'desec':
+                case 'desec-v4-v6':
+                case 'desec-v6':
                 case 'dhs':
                 case 'digitalocean':
                 case 'gandi-livedns':
@@ -1201,6 +1218,51 @@ class updatedns
 
                 curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonBody);
                 break;
+            case 'desec':
+                /*
+                * https://desec.readthedocs.io/en/latest/dyndns/update-api.html
+                * dnsHost should be the domain
+                * dnsPass should be the token, NOT the token id
+                * IPv6 is empty so deSEC API will not set this to the IPv6 of the sending interface if the connection is made via IPv6
+                */
+                $server = "https://update.dedyn.io/";
+                $url = '?hostname=' . $this->_dnsHost . '&myipv4=' . $this->_dnsIP . '&myipv6=""';
+                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass);
+                curl_setopt($ch, CURLOPT_URL, $server . $url);
+                break;
+            case 'desec-v4-v6':
+                /*
+                * https://desec.readthedocs.io/en/latest/dyndns/update-api.html
+                * dnsHost should be the domain
+                * dnsPass should be the token, NOT the 36-character token id (https://forum.netgate.com/post/930114)
+                * IPv4 is determined by deSEC API via the sending interface
+                */
+                
+                // temporarily disable useIPv6 to get IPv4 Address
+                $this->_useIPv6 = false;
+                $ipv4 = $this->_checkIP();
+                $this->_useIPv6 = true;
+
+                $server = "https://update.dedyn.io/";
+                $url = '?hostname=' . $this->_dnsHost . '&myipv4=' . $ipv4 . '&myipv6=' . $this->_dnsIP;
+                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass);
+                curl_setopt($ch, CURLOPT_URL, $server . $url);
+                break;
+            case 'desec-v6':
+                /*
+                * https://desec.readthedocs.io/en/latest/dyndns/update-api.html
+                * dnsHost should be the domain
+                * dnsPass should be the token, NOT the 36-character token id (https://forum.netgate.com/post/930114)
+                */
+                $server = "https://update6.dedyn.io/";
+                $url = '?hostname=' . $this->_dnsHost . '&myipv6=' . $this->_dnsIP;
+                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6);
+                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass);
+                curl_setopt($ch, CURLOPT_URL, $server . $url);
+                break;
             default:
                 break;
         }
@@ -1700,6 +1762,24 @@ class updatedns
                     log_error("Dynamic DNS: (Error) HTTPS Status: {$http_code} PAYLOAD: {$data}");
                 }
                 break;
+            case 'desec':
+            case 'desec-v4-v6':
+            case 'desec-v6':
+                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+                /*
+                * HTTP Code 404 should not be possible due to dnsUser == dnsHost, a wrong hostname should cause HTTP 401 Unauthorized.
+                */
+                if ($http_code == 401) {
+                    $status = 'Dynamic DNS: (Error) Bad authentication attempt because of a wrong Password.';
+                } elseif ($http_code == 403) {
+                    $status = 'Dynamic DNS: (Error) Access to the resource is denied. The selected hostname is not eligible for dynamic updates.';
+                } elseif ($http_code == 429) {
+                    $status = 'Dynamic DNS: (Error) Rate limit reached. Please don\'t try more than one request per minute.';
+                } elseif ($http_code == 200 AND preg_match('/good/i', $data)) {
+                    $status = 'Dynamic DNS: (Success) IP Address Updated Successfully!';
+                    $successful_update = true;
+                }
+                break;
             default:
                 break;
         }
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index 2ac1766c09..0bd39d8383 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -75,7 +75,7 @@ function is_dyndns_username($uname)
     }
     $input_errors = array();
     $pconfig = $_POST;
-    if(($pconfig['type'] == "freedns" || $pconfig['type'] == "linode" || $pconfig['type'] == "linode-v6" || $pconfig['type'] == "namecheap" || $pconfig['type'] == "cloudflare-token" || $pconfig['type'] == "cloudflare-token-v6") && $pconfig['username'] == "") {
+    if(($pconfig['type'] == "freedns" || $pconfig['type'] == "linode" || $pconfig['type'] == "linode-v6" || $pconfig['type'] == "namecheap" || $pconfig['type'] == "cloudflare-token" || $pconfig['type'] == "cloudflare-token-v6" || $pconfig['type'] == "desec" || $pconfig['type'] == "desec-v4-v6" || $pconfig['type'] == "desec-v6") && $pconfig['username'] == "") {
         $pconfig['username'] = "none";
     }
 
@@ -369,6 +369,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('For Custom Entries, Username and Password represent HTTP Authentication username and passwords.') ?>
                         <br /><?= gettext('Gandi LiveDNS: The subdomain / record to update.') ?>
                         <br /><?= gettext('GoDaddy: Enter your API Key Token.') ?>
+                        <br /><?= gettext('deSEC: no Username necessary. Your Hostname is used instead.') ?>
                         <br /><?= gettext('FreeDNS: Leave blank.') ?>
                       </div>
                     </td>
@@ -387,6 +388,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('Cloudflare: Enter your API token or Global API key.') ?>
                         <br /><?= gettext('Gandi LiveDNS: Enter your API token.') ?>
                         <br /><?= gettext('GoDaddy: Enter your API Secret Token.') ?>
+                        <br /><?= gettext('deSEC: Enter your Token for your hostname, NOT the 36-character Token ID from the webinterface.') ?>
                       </div>
                     </td>
                   </tr>

From 29cd3a04feca56f448d30f546eb68c79f7626895 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Apr 2021 09:33:04 +0200
Subject: [PATCH 0557/3088] dns/dyndns: post-op

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 0395d97aa7..a7f45f6668 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1238,7 +1238,7 @@ class updatedns
                 * dnsPass should be the token, NOT the 36-character token id (https://forum.netgate.com/post/930114)
                 * IPv4 is determined by deSEC API via the sending interface
                 */
-                
+
                 // temporarily disable useIPv6 to get IPv4 Address
                 $this->_useIPv6 = false;
                 $ipv4 = $this->_checkIP();
@@ -1775,7 +1775,7 @@ class updatedns
                     $status = 'Dynamic DNS: (Error) Access to the resource is denied. The selected hostname is not eligible for dynamic updates.';
                 } elseif ($http_code == 429) {
                     $status = 'Dynamic DNS: (Error) Rate limit reached. Please don\'t try more than one request per minute.';
-                } elseif ($http_code == 200 AND preg_match('/good/i', $data)) {
+                } elseif ($http_code == 200 && preg_match('/good/i', $data)) {
                     $status = 'Dynamic DNS: (Success) IP Address Updated Successfully!';
                     $successful_update = true;
                 }

From 40e058138ebdc8b5c47d176aceb9bbb15b97625c Mon Sep 17 00:00:00 2001
From: polkhigh33 <61509972+polkhigh33@users.noreply.github.com>
Date: Wed, 21 Apr 2021 09:39:43 +0200
Subject: [PATCH 0558/3088] Added All-Inkl v4 and v6 DynDNS support (#1725)

---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |  2 ++
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 34 +++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index bdf846b7a9..9b2e1b0200 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -97,6 +97,8 @@ function dyndns_list()
 
     return array(
         '3322' => '3322',
+        'all-inkl' => 'All-Inkl',
+        'all-inkl-v6' => 'All-Inkl (v6)',
         'azure' => 'Azure DNS',
         'azurev6' => 'Azure DNS (v6)',
         'citynetwork' => 'City Network',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index a7f45f6668..6789a2dd43 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -15,6 +15,7 @@
  *    - _checkIP()
  * +----------------------------------------------------+
  *  3322                        - Last Tested: 26 May 2017
+ *  All-Inkl                    - Last Tested: 02 March 2020
  *  Amazon Route53              - Last Tested: 01 April 2012
  *  Amazon Route53 v6           - Last Tested: 19 November 2017
  *  Azure DNS                   - Last Tested: 16 October 2019
@@ -243,6 +244,7 @@ class updatedns
         }
 
         switch ($dnsService) {
+            case 'all-inkl-v6':
             case 'azurev6':
             case 'cloudflare-v6':
             case 'custom-v6':
@@ -299,6 +301,8 @@ class updatedns
         } else {
             switch ($this->_dnsService) {
                 case '3322':
+                case 'all-inkl':
+                case 'all-inkl-v6':
                 case 'azure':
                 case 'azurev6':
                 case 'citynetwork':
@@ -1178,6 +1182,20 @@ class updatedns
                 curl_setopt($ch, CURLOPT_HEADER, 1);
                 curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
                 break;
+            case 'all-inkl':
+            case 'all-inkl-v6':
+                $server = "https://dyndns.kasserver.com/";
+                $url = $server . '?myip=' . $this->_dnsIP;
+                curl_setopt($ch, CURLOPT_URL, $url );
+                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass);
+                // fix: All-Inkl dyndns.kasserver.com only supports v4
+                $ipv4 = get_interface_ip($this->_dnsRequestIf);
+                if (!is_ipaddr($ipv4)) {
+                    log_error("Dynamic DNS ({$this->_dnsHost}): (Error) Need a IPv4 address on $this->_dnsRequestIf!");
+                    return false;
+                }
+                curl_setopt($ch, CURLOPT_INTERFACE, $ipv4);
+                // fix end
             case 'godaddy':
             case 'godaddy-v6':
                 /* Read https://developer.godaddy.com/ for API documentation */
@@ -1745,6 +1763,22 @@ class updatedns
                     $this->_debug($data);
                 }
                 break;
+            case 'all-inkl':
+            case 'all-inkl-v6':
+                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+                if (preg_match('/good\s' . $this->_dnsIP . '/i', $data)) {
+                    $status = "Dynamic DNS: (Success) IP Update Successfully!";
+                    $successful_update = true;
+                } elseif ($http_code == 401) {
+                    $status = "Dynamic DNS: (Error) Authentication failed!";
+                } elseif (preg_match('/bad\s\(dyndns_target_ip_syntax_incorrect\)/i', $data)) {
+                    $status = "Dynamic DNS: (Error) IP Syntax incorrect ($this->_dnsIP)!";
+                } else {
+                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
+                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug($data);
+                }
+                break;
             case 'godaddy':
             case 'godaddy-v6':
                 /* See https://developer.godaddy.com/ for API documentation, not all codes are handled. */

From 76ab286634e891d2a95db6b510f9597f8ac485ee Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Apr 2021 09:40:40 +0200
Subject: [PATCH 0559/3088] dns/dyndns: post-op

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 6789a2dd43..e6428978a0 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1186,8 +1186,8 @@ class updatedns
             case 'all-inkl-v6':
                 $server = "https://dyndns.kasserver.com/";
                 $url = $server . '?myip=' . $this->_dnsIP;
-                curl_setopt($ch, CURLOPT_URL, $url );
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser.':'.$this->_dnsPass);
+                curl_setopt($ch, CURLOPT_URL, $url);
+                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
                 // fix: All-Inkl dyndns.kasserver.com only supports v4
                 $ipv4 = get_interface_ip($this->_dnsRequestIf);
                 if (!is_ipaddr($ipv4)) {

From 532a8fca36f8cea4ac6697f725a767f7eba99d04 Mon Sep 17 00:00:00 2001
From: Jan Koppe <post@jankoppe.de>
Date: Wed, 21 Apr 2021 09:43:12 +0200
Subject: [PATCH 0560/3088] dyndns: add helptext for digitalocean configuration
 (#1833)

---
 dns/dyndns/src/www/services_dyndns_edit.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index 0bd39d8383..d41bb37b68 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -318,6 +318,7 @@ function is_dyndns_username($uname)
                       <div class="hidden" data-for="help_for_host">
                         <?= gettext("Enter the complete host/domain name. example: myhost.dyndns.org") ?><br />
                         <?= gettext("For he.net tunnelbroker, enter your tunnel ID") ?><br />
+                        <?= gettext("For DigitalOcean, enter the zone/domain name.") ?>
                         <?= gettext('Gandi LiveDNS: Enter the 2nd-level domain ("example.org").') ?>
                       </div>
                     </td>
@@ -366,6 +367,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('Duck DNS: Enter your Token.') ?>
                         <br /><?= gettext('dynv6: Enter your Token.') ?>
                         <br /><?= gettext('Azure: Enter your Azure AD application ID.') ?>
+                        <br /><?= gettext('DigitalOcean: Enter the domain record ID.') ?>
                         <br /><?= gettext('For Custom Entries, Username and Password represent HTTP Authentication username and passwords.') ?>
                         <br /><?= gettext('Gandi LiveDNS: The subdomain / record to update.') ?>
                         <br /><?= gettext('GoDaddy: Enter your API Key Token.') ?>
@@ -385,6 +387,7 @@ function is_dyndns_username($uname)
                         <br /><?= gettext('dynv6: Leave blank.') ?>
                         <br /><?= gettext('Azure: client secret of the AD application') ?>
                         <br /><?= gettext('Linode: Enter your Personal Access Token.') ?>
+                        <br /><?= gettext('DigitalOcean: Enter your Access Token.') ?>
                         <br /><?= gettext('Cloudflare: Enter your API token or Global API key.') ?>
                         <br /><?= gettext('Gandi LiveDNS: Enter your API token.') ?>
                         <br /><?= gettext('GoDaddy: Enter your API Secret Token.') ?>

From 4140a8afb040c761860b8dc4c72590d14de519bf Mon Sep 17 00:00:00 2001
From: Jan Koppe <post@jankoppe.de>
Date: Wed, 21 Apr 2021 09:45:23 +0200
Subject: [PATCH 0561/3088] dyndns: add support for digitialocean v6 records
 (#1832)

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc       |  1 +
 .../src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 9b2e1b0200..09ad91469e 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -113,6 +113,7 @@ function dyndns_list()
         'desec-v6' => 'deSEC (v6)',
         'dhs' => 'DHS',
         'digitalocean' => 'DigitalOcean',
+        'digitalocean-v6' => 'DigitalOcean (v6)',
         'dnsexit' => 'DNSexit',
         'dnsomatic' => 'DNS-O-Matic',
         'duckdns' => 'Duck DNS',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index e6428978a0..5a33487809 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -27,6 +27,7 @@
  *  DNS-O-Matic                 - Last Tested: 9 September 2010
  *  DNSexit                     - Last Tested: 20 July 2008
  *  DigitalOcean                - Last Tested: 25 June 2019
+ *  DigitalOcean v6             - Last Tested: 13 May 2020
  *  Duck DNS                    - Last Tested: 04 March 2015
  *  DynDNS Dynamic              - Last Tested: 12 July 2005
  *  EasyDNS                     - Last Tested: 20 July 2008
@@ -248,6 +249,7 @@ class updatedns
             case 'azurev6':
             case 'cloudflare-v6':
             case 'custom-v6':
+            case 'digitalocean-v6':
             case 'dynv6-v6':
             case 'he-net-v6':
             case 'godaddy-v6':
@@ -626,6 +628,7 @@ class updatedns
                 curl_setopt($ch, CURLOPT_URL, $server . 'hostname=' . $this->_dnsHost);
                 break;
             case 'digitalocean':
+            case 'digitalocean-v6':
                 /*
                 * dnsHost should be the root domain
                 * dnsUser should be the record ID
@@ -634,6 +637,13 @@ class updatedns
                 $server = "https://api.digitalocean.com/v2/domains/" . $this->_dnsHost . "/records/" . $this->_dnsUser;
                 $hostData = array("data" => "{$this->_dnsIP}");
 
+                /*
+                * DigitalOcean does not offer the API via IPv6, so we need
+                * to force sending the request using IPv4 when updating for IPv6
+                */
+                curl_setopt($ch, CURLOPT_INTERFACE, $this->_dnsRequestIf);
+                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
                 curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
                 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
@@ -1577,6 +1587,7 @@ class updatedns
                 }
                 break;
             case 'digitalocean':
+            case 'digitalocean-v6':
                 $output = json_decode($data);
                 if ($output->domain_record->data === $this->_dnsIP) {
                     $status = "Dynamic DNS: (Success) Record ID {$this->_dnsUser} updated to {$this->_dnsIP}";

From 98548b27811ae7d847bef9640d78ed043a25f99b Mon Sep 17 00:00:00 2001
From: Victor Kislov <vityan888@gmail.com>
Date: Wed, 21 Apr 2021 10:48:43 +0300
Subject: [PATCH 0562/3088] =?UTF-8?q?DynDNS=20-=20Updated=20No-Ip=20client?=
 =?UTF-8?q?=20code=20to=20use=20APIv2=20which=20also=20supports=20g?=
 =?UTF-8?q?=E2=80=A6=20(#1836)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 74 +++++++------------
 1 file changed, 25 insertions(+), 49 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 5a33487809..5f78efdd50 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -47,7 +47,7 @@
  *  Linode                      - Last Tested: 25 February 2020
  *  Linode v6                   - Last Tested: 25 February 2020
  *  Namecheap                   - Last Tested: 31 August 2010
- *  No-IP                       - Last Tested: 20 July 2008
+ *  No-IP                       - Last Tested: 15 May 2020
  *  ODS                         - Last Tested: 02 August 2005
  *  Oray                        - Last Tested: 26 May 2017
  *  STRATO                      - Last Tested: 09 May 2017
@@ -446,8 +446,11 @@ class updatedns
                 break;
             case 'noip':
             case 'noip-free':
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                $server = "https://dynupdate.no-ip.com/ducupdate.php";
+                curl_setopt_array($ch, [
+                    CURLOPT_SSL_VERIFYPEER => true,
+                    CURLOPT_USERPWD => $this->_dnsUser.':'.$this->_dnsPass
+                ]);
+                $server = "https://dynupdate.no-ip.com/nic/update";
                 $port = "";
                 if ($this->_dnsServer) {
                     $server = $this->_dnsServer;
@@ -467,7 +470,7 @@ class updatedns
                 } else {
                     $iptoset = $this->_dnsIP;
                 }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&pass=' . urlencode($this->_dnsPass) . '&hostname=' . $this->_dnsHost . '&ip=' . $iptoset);
+                curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost.'&myip=' . $iptoset);
                 break;
             case 'easydns':
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
@@ -1323,62 +1326,35 @@ class updatedns
                 break;
             case 'noip':
             case 'noip-free':
-                list($ip,$code) = explode(":", $data);
+                $noIpPrc = explode(' ', $data);
+                $code = $noIpPrc[0];
+                $ip = isset($noIpPrc[1]) ? $noIpPrc[1] : 'n/a';
                 switch ($code) {
-                    case 0:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP address is current, no update performed.";
+                    case 'good':
+                        $status = "Dynamic DNS ({$this->_dnsHost}): (Success) DNS hostname update successful.";
                         $successful_update = true;
                         break;
-                    case 1:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Success) DNS hostname update successful.";
+                    case 'nochg':
+                        $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP address is current, no update performed.";
                         $successful_update = true;
                         break;
-                    case 2:
+                    case 'nohost':
                         $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Hostname supplied does not exist.";
                         break;
-                    case 3:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Invalid Username.";
-                        break;
-                    case 4:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Invalid Password.";
-                        break;
-                    case 5:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) To many updates sent.";
-                        break;
-                    case 6:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Account disabled due to violation of No-IP terms of service.";
-                        break;
-                    case 7:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Invalid IP. IP Address submitted is improperly formatted or is a private IP address or is on a blacklist.";
-                        break;
-                    case 8:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Disabled / Locked Hostname.";
+                    case 'badauth':
+                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Invalid Username or Password.";
                         break;
-                    case 9:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Host updated is configured as a web redirect and no update was performed.";
-                        break;
-                    case 10:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Group supplied does not exist.";
-                        break;
-                    case 11:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Success) DNS group update is successful.";
-                        $successful_update = true;
-                        break;
-                    case 12:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Success) DNS group is current, no update performed.";
-                        $successful_update = true;
-                        break;
-                    case 13:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Update client support not available for supplied hostname or group.";
+                    case 'badagent':
+                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Client disabled. Client should exit and not perform any more updates without user intervention.";
                         break;
-                    case 14:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Hostname supplied does not have offline settings configured.";
+                    case '!donate':
+                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Requested update feature only available to Enhanced subscribers.";
                         break;
-                    case 99:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Client disabled. Client should exit and not perform any more updates without user intervention.";
+                    case '911':
+                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) No-IP servers currently experiencing outages. Retry no sooner than 30 minutes.";
                         break;
-                    case 100:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Client disabled. Client should exit and not perform any more updates without user intervention.";
+                    case 'abuse':
+                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Account disabled due to violation of No-IP terms of service.";
                         break;
                     default:
                         $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";

From ee651b0dbcef14f2c31b8e58dcd58edc0d9e09fc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Apr 2021 09:51:33 +0200
Subject: [PATCH 0563/3088] dns/dyndns: post-op

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 5f78efdd50..47b4684b0c 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -448,7 +448,7 @@ class updatedns
             case 'noip-free':
                 curl_setopt_array($ch, [
                     CURLOPT_SSL_VERIFYPEER => true,
-                    CURLOPT_USERPWD => $this->_dnsUser.':'.$this->_dnsPass
+                    CURLOPT_USERPWD => $this->_dnsUser . ':' . $this->_dnsPass
                 ]);
                 $server = "https://dynupdate.no-ip.com/nic/update";
                 $port = "";
@@ -470,7 +470,7 @@ class updatedns
                 } else {
                     $iptoset = $this->_dnsIP;
                 }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost.'&myip=' . $iptoset);
+                curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $iptoset);
                 break;
             case 'easydns':
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);

From c86550940769517fa28efef1130c8363faba6333 Mon Sep 17 00:00:00 2001
From: Starkstromkonsument <it@starkstromkonsument.de>
Date: Thu, 22 Apr 2021 16:27:53 +0200
Subject: [PATCH 0564/3088] net-mgmt/zabbix-proxy: add logfile and logformat to
 WebUI (#1937)

---
 net-mgmt/zabbix4-proxy/Makefile               |  3 +-
 net-mgmt/zabbix4-proxy/pkg-descr              |  4 ++
 .../models/OPNsense/Zabbixproxy/ACL/ACL.xml   |  2 +
 .../models/OPNsense/Zabbixproxy/Menu/Menu.xml |  5 +-
 .../systemhealth/logformats/zabbix_proxy.py   | 56 +++++++++++++++++++
 net-mgmt/zabbix5-proxy/pkg-descr              |  1 +
 .../models/OPNsense/Zabbixproxy/ACL/ACL.xml   |  2 +
 .../models/OPNsense/Zabbixproxy/Menu/Menu.xml |  5 +-
 .../systemhealth/logformats/zabbix_proxy.py   | 56 +++++++++++++++++++
 9 files changed, 130 insertions(+), 4 deletions(-)
 create mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
 create mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py

diff --git a/net-mgmt/zabbix4-proxy/Makefile b/net-mgmt/zabbix4-proxy/Makefile
index d9ece0f6f9..97c8cc9b66 100644
--- a/net-mgmt/zabbix4-proxy/Makefile
+++ b/net-mgmt/zabbix4-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		zabbix4-proxy
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
 PLUGIN_DEPENDS=		zabbix4-proxy
 PLUGIN_CONFLICTS=   zabbix5-proxy
diff --git a/net-mgmt/zabbix4-proxy/pkg-descr b/net-mgmt/zabbix4-proxy/pkg-descr
index d60b33addc..32d9a8c1aa 100644
--- a/net-mgmt/zabbix4-proxy/pkg-descr
+++ b/net-mgmt/zabbix4-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: http://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.3
+
+* Add logfile to WebUI (Starkstromkonsument <https://github.com/Starkstromkonsument>)
+
 1.2
 
 * Allow adding multiple listen addresses
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
index 6166a2c68d..77a65e8798 100644
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
+++ b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
@@ -4,6 +4,8 @@
       <patterns>
          <pattern>ui/zabbixproxy/*</pattern>
          <pattern>api/zabbixproxy/*</pattern>
+         <pattern>ui/diagnostics/log/core/zabbix_proxy/*</pattern>
+         <pattern>api/diagnostics/log/core/zabbix_proxy/*</pattern>
       </patterns>
    </page-services-zabbixproxy>
 </acl>
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
index 7b53017433..1b0ed8a101 100644
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
+++ b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
@@ -1,5 +1,8 @@
 <menu>
   <Services>
-    <Zabbixproxy VisibleName="Zabbix Proxy" cssClass="fa fa-eye" url="/ui/zabbixproxy/general/index" />
+    <Zabbixproxy VisibleName="Zabbix Proxy" cssClass="fa fa-eye">
+        <Settings order="10" url="/ui/zabbixproxy/general/index"/>
+        <Log VisibleName="Log File" order="50" url="/ui/diagnostics/log/core/zabbix_proxy"/>
+    </Zabbixproxy>
   </Services>
 </menu>
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
new file mode 100644
index 0000000000..cc691a2ee2
--- /dev/null
+++ b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
@@ -0,0 +1,56 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import re
+import datetime
+from . import BaseLogFormat
+zabbix_timeformat = r'(\d*):(\d{4}\d{2}\d{2}:\d{2}\d{2}\d{2})\.\d{3}\s(.*)'
+
+
+class ZabbixLogFormat(BaseLogFormat):
+    def __init__(self, filename):
+        super(ZabbixLogFormat, self).__init__(filename)
+        self._priority = 100
+
+    def match(self, line):
+        return self._filename.find('zabbix_proxy') > -1 and re.match(zabbix_timeformat, line) is not  None
+
+    @staticmethod
+    def timestamp(line):
+        tmp = re.match(zabbix_timeformat, line)
+        grp = tmp.group(2)
+        return datetime.datetime.strptime(grp, "%Y%m%d:%H%M%S").isoformat()
+
+    @staticmethod
+    def process_name(line):
+        tmp = re.match(zabbix_timeformat, line)
+        return tmp.group(1)
+
+    @staticmethod
+    def line(line):
+        tmp = re.match(zabbix_timeformat, line)
+        return tmp.group(3)
+
diff --git a/net-mgmt/zabbix5-proxy/pkg-descr b/net-mgmt/zabbix5-proxy/pkg-descr
index 64c6f3d22e..58238b6d67 100644
--- a/net-mgmt/zabbix5-proxy/pkg-descr
+++ b/net-mgmt/zabbix5-proxy/pkg-descr
@@ -21,6 +21,7 @@ Plugin Changelog
 1.3
 
 * Switch to zabbix5-proxy
+* Add logfile to WebUI (Starkstromkonsument <https://github.com/Starkstromkonsument>)
 
 1.2
 
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
index 6166a2c68d..9b1dd7b5b9 100644
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
@@ -4,6 +4,8 @@
       <patterns>
          <pattern>ui/zabbixproxy/*</pattern>
          <pattern>api/zabbixproxy/*</pattern>
+         <pattern>ui/diagnostics/log/zabbix/zabbix_proxy/*</pattern>
+         <pattern>api/diagnostics/log/zabbix/zabbix_proxy/*</pattern>
       </patterns>
    </page-services-zabbixproxy>
 </acl>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
index 7b53017433..c4813378c5 100644
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
@@ -1,5 +1,8 @@
 <menu>
   <Services>
-    <Zabbixproxy VisibleName="Zabbix Proxy" cssClass="fa fa-eye" url="/ui/zabbixproxy/general/index" />
+    <Zabbixproxy VisibleName="Zabbix Proxy" cssClass="fa fa-eye">
+        <Settings order="10" url="/ui/zabbixproxy/general/index"/>
+        <Log VisibleName="Log File" order="50" url="/ui/diagnostics/log/zabbix/zabbix_proxy"/>
+    </Zabbixproxy>
   </Services>
 </menu>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
new file mode 100644
index 0000000000..cc691a2ee2
--- /dev/null
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
@@ -0,0 +1,56 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import re
+import datetime
+from . import BaseLogFormat
+zabbix_timeformat = r'(\d*):(\d{4}\d{2}\d{2}:\d{2}\d{2}\d{2})\.\d{3}\s(.*)'
+
+
+class ZabbixLogFormat(BaseLogFormat):
+    def __init__(self, filename):
+        super(ZabbixLogFormat, self).__init__(filename)
+        self._priority = 100
+
+    def match(self, line):
+        return self._filename.find('zabbix_proxy') > -1 and re.match(zabbix_timeformat, line) is not  None
+
+    @staticmethod
+    def timestamp(line):
+        tmp = re.match(zabbix_timeformat, line)
+        grp = tmp.group(2)
+        return datetime.datetime.strptime(grp, "%Y%m%d:%H%M%S").isoformat()
+
+    @staticmethod
+    def process_name(line):
+        tmp = re.match(zabbix_timeformat, line)
+        return tmp.group(1)
+
+    @staticmethod
+    def line(line):
+        tmp = re.match(zabbix_timeformat, line)
+        return tmp.group(3)
+

From e10e1fa970ae00c0a947617f94df264ea4f7af61 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 22 Apr 2021 16:35:35 +0200
Subject: [PATCH 0565/3088] plugins: remove GitHub links as previously
 discussed

E-mails and real names are ok.  PRs welcome.
---
 mail/postfix/pkg-descr                                       | 4 ++--
 net-mgmt/zabbix-agent/pkg-descr                              | 4 ++--
 net-mgmt/zabbix4-proxy/Makefile                              | 2 +-
 net-mgmt/zabbix4-proxy/pkg-descr                             | 2 +-
 .../opnsense/scripts/systemhealth/logformats/zabbix_proxy.py | 2 +-
 net-mgmt/zabbix5-proxy/Makefile                              | 4 ++--
 net-mgmt/zabbix5-proxy/pkg-descr                             | 5 ++++-
 .../opnsense/scripts/systemhealth/logformats/zabbix_proxy.py | 2 +-
 8 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 92c04b7692..f873fb8259 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -13,11 +13,11 @@ Plugin Changelog
 
 1.17
 
-* Add smtpd_sasl_auth_enable to configuration (by @fhloston)
+* Add smtpd_sasl_auth_enable to configuration (contributed by fhloston)
 
 1.16
 
-* Add support for header_checks (Starkstromkonsument <https://github.com/Starkstromkonsument>)
+* Add support for header_checks (contributed by Starkstromkonsument)
 
 1.15
 
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 3c687fcbc7..e080b7c51c 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -14,6 +14,6 @@ Plugin Changelog
 
 1.8
 
-* Add Changelog (Starkstromkonsument <https://github.com/Starkstromkonsument>)
-* Fix logformat (Starkstromkonsument <https://github.com/Starkstromkonsument>)
+* Add Changelog (contributed by Starkstromkonsument)
+* Fix logformat (contributed by Starkstromkonsument)
 * Switch to Zabbix Agent 5.0
diff --git a/net-mgmt/zabbix4-proxy/Makefile b/net-mgmt/zabbix4-proxy/Makefile
index 97c8cc9b66..1000368f5c 100644
--- a/net-mgmt/zabbix4-proxy/Makefile
+++ b/net-mgmt/zabbix4-proxy/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		zabbix4-proxy
 PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
 PLUGIN_DEPENDS=		zabbix4-proxy
-PLUGIN_CONFLICTS=   zabbix5-proxy
+PLUGIN_CONFLICTS=	zabbix5-proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix4-proxy/pkg-descr b/net-mgmt/zabbix4-proxy/pkg-descr
index 32d9a8c1aa..706669f8a2 100644
--- a/net-mgmt/zabbix4-proxy/pkg-descr
+++ b/net-mgmt/zabbix4-proxy/pkg-descr
@@ -14,7 +14,7 @@ Plugin Changelog
 
 1.3
 
-* Add logfile to WebUI (Starkstromkonsument <https://github.com/Starkstromkonsument>)
+* Add log file to web GUI (contributed by Starkstromkonsument)
 
 1.2
 
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
index cc691a2ee2..285afab39d 100644
--- a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
+++ b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
@@ -1,6 +1,6 @@
 """
     Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
-    Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+    Copyright (C) 2020 Starkstromkonsument
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
diff --git a/net-mgmt/zabbix5-proxy/Makefile b/net-mgmt/zabbix5-proxy/Makefile
index d00e2de4ee..d01fce28e2 100644
--- a/net-mgmt/zabbix5-proxy/Makefile
+++ b/net-mgmt/zabbix5-proxy/Makefile
@@ -1,8 +1,8 @@
 PLUGIN_NAME=		zabbix5-proxy
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
 PLUGIN_DEPENDS=		zabbix5-proxy
-PLUGIN_CONFLICTS=   zabbix4-proxy
+PLUGIN_CONFLICTS=	zabbix4-proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix5-proxy/pkg-descr b/net-mgmt/zabbix5-proxy/pkg-descr
index 58238b6d67..158cf60878 100644
--- a/net-mgmt/zabbix5-proxy/pkg-descr
+++ b/net-mgmt/zabbix5-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.5
+
+* Add log file to web GUI (contributed by Starkstromkonsument)
+
 1.4
 
 * Allow setting ConfigFrequency
@@ -21,7 +25,6 @@ Plugin Changelog
 1.3
 
 * Switch to zabbix5-proxy
-* Add logfile to WebUI (Starkstromkonsument <https://github.com/Starkstromkonsument>)
 
 1.2
 
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
index cc691a2ee2..285afab39d 100644
--- a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
@@ -1,6 +1,6 @@
 """
     Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
-    Copyright (C) 2020 Starkstromkonsument <https://github.com/Starkstromkonsument>
+    Copyright (C) 2020 Starkstromkonsument
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without

From 09c28f831e4db1fd9065edfc307a8d0141cc6b6a Mon Sep 17 00:00:00 2001
From: Nicola <xbb@users.noreply.github.com>
Date: Thu, 22 Apr 2021 20:38:10 +0200
Subject: [PATCH 0566/3088] sysutils/nut: add apcupsd support (#2337)

---
 sysutils/nut/Makefile                         |  3 +--
 sysutils/nut/pkg-descr                        |  4 ++++
 .../OPNsense/Nut/forms/settings.xml           | 20 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Nut/Nut.xml       | 15 +++++++++++++-
 .../service/templates/OPNsense/Nut/ups.conf   |  9 +++++++++
 .../templates/OPNsense/Nut/upsmon.conf        |  5 +++++
 6 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/sysutils/nut/Makefile b/sysutils/nut/Makefile
index 52fe1c9c98..caf7bfcc96 100644
--- a/sysutils/nut/Makefile
+++ b/sysutils/nut/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nut
-PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Network UPS Tools
 PLUGIN_DEPENDS=		nut
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/nut/pkg-descr b/sysutils/nut/pkg-descr
index 2a4925c4d1..9f9fe6b37a 100644
--- a/sysutils/nut/pkg-descr
+++ b/sysutils/nut/pkg-descr
@@ -9,6 +9,10 @@ and management interface.
 Plugin Changelog
 ----------------
 
+1.8
+
+* Add apcupsd-ups driver support
+
 1.7
 
 * Add PowerWare bcmxcp_usb driver
diff --git a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
index 444cb42a59..919cb56463 100644
--- a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
+++ b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
@@ -76,6 +76,26 @@
                 <help>Set extra arguments for this UPS, e.g. "port=auto".</help>
             </field>
         </subtab>
+        <subtab id="nut-ups-apcupsd" description="APCUPSD-Driver">
+            <field>
+                <id>nut.apcupsd.enable</id>
+                <label>Enable</label>
+                <type>checkbox</type>
+                <help>Enable the APCUPSD controlled devices driver.</help>
+            </field>
+            <field>
+                <id>nut.apcupsd.hostname</id>
+                <label>Hostname</label>
+                <type>text</type>
+                <help>Set the hostname or ip of the remote apcupsd server.</help>
+            </field>
+            <field>
+                <id>nut.apcupsd.port</id>
+                <label>Port</label>
+                <type>text</type>
+                <help>Set the port of the remote apcupsd server (optional).</help>
+            </field>
+        </subtab>
         <subtab id="nut-ups-bcmxcpusb" description="BCMXCPUSB-Driver">
             <field>
                 <id>nut.bcmxcpusb.enable</id>
diff --git a/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml b/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
index d8247f37c4..3a200bd11b 100644
--- a/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
+++ b/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/Nut</mount>
   <description>Network UPS Tools</description>
-  <version>1.0.3</version>
+  <version>1.0.4</version>
   <items>
     <general>
       <enable type="BooleanField">
@@ -59,6 +59,19 @@
         <Required>N</Required>
       </args>
     </apcsmart>
+    <apcupsd>
+      <enable type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </enable>
+      <hostname type="HostnameField">
+        <Required>Y</Required>
+        <default>localhost</default>
+      </hostname>
+      <port type="PortField">
+        <Required>N</Required>
+      </port>
+    </apcupsd>
     <bcmxcpusb>
       <enable type="BooleanField">
         <Required>Y</Required>
diff --git a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/ups.conf b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/ups.conf
index 6204f6d256..846345cf7e 100644
--- a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/ups.conf
+++ b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/ups.conf
@@ -20,6 +20,15 @@ driver=apcsmart
 {%       endfor %}
 {%     endif %}
 {%   endif %}
+{%   if helpers.exists('OPNsense.Nut.apcupsd.enable') and OPNsense.Nut.apcupsd.enable == '1' %}
+[{{ OPNsense.Nut.general.name }}]
+driver=apcupsd-ups
+{%     if helpers.exists('OPNsense.Nut.apcupsd.port') and OPNsense.Nut.apcupsd.port != '' %}
+port={{ OPNsense.Nut.apcupsd.hostname }}:{{ OPNsense.Nut.apcupsd.port }}
+{%     else %}
+port={{ OPNsense.Nut.apcupsd.hostname }}
+{%     endif %}
+{%   endif %}
 {%   if helpers.exists('OPNsense.Nut.bcmxcpusb.enable') and OPNsense.Nut.bcmxcpusb.enable == '1' %}
 [{{ OPNsense.Nut.general.name }}]
 driver=bcmxcp_usb
diff --git a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
index 334bc91a93..e37c424774 100644
--- a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
+++ b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
@@ -16,6 +16,11 @@ MONITOR {{ OPNsense.Nut.general.name }} 1 monuser {{ OPNsense.Nut.account.mon_pa
 SHUTDOWNCMD "/usr/local/etc/rc.halt"
 POWERDOWNFLAG /etc/killpower
 {% endif %}
+{% if helpers.exists('OPNsense.Nut.apcupsd.enable') and OPNsense.Nut.apcupsd.enable == '1' %}
+MONITOR {{ OPNsense.Nut.general.name }} 1 monuser {{ OPNsense.Nut.account.mon_password }} master
+SHUTDOWNCMD "/usr/local/etc/rc.halt"
+POWERDOWNFLAG /etc/killpower
+{% endif %}
 {% if helpers.exists('OPNsense.Nut.bcmxcpusb.enable') and OPNsense.Nut.bcmxcpusb.enable == '1' %}
 MONITOR {{ OPNsense.Nut.general.name }} 1 monuser {{ OPNsense.Nut.account.mon_password }} master
 SHUTDOWNCMD "/usr/local/etc/rc.halt"

From 73b0e36f12af2c2418d644d83ac432e5988d74aa Mon Sep 17 00:00:00 2001
From: Joshua Schmidlkofer <joshland@gmail.com>
Date: Fri, 23 Apr 2021 02:08:43 -0700
Subject: [PATCH 0567/3088] net-mgmt/net-snmp: Add support for agentx (#2325)

---
 net-mgmt/net-snmp/Makefile                                  | 2 +-
 net-mgmt/net-snmp/pkg-descr                                 | 4 ++++
 .../mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml  | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml    | 6 +++++-
 .../opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf  | 5 +++++
 5 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 77c00a3b9d..133d1cf23e 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		net-snmp
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Net-SNMP is a daemon for the SNMP protocol
 PLUGIN_DEPENDS=		net-snmp
diff --git a/net-mgmt/net-snmp/pkg-descr b/net-mgmt/net-snmp/pkg-descr
index c2f08d0bac..c61e6d62df 100644
--- a/net-mgmt/net-snmp/pkg-descr
+++ b/net-mgmt/net-snmp/pkg-descr
@@ -11,6 +11,10 @@ WWW: http://www.net-snmp.org
 Plugin Changelog
 ----------------
 
+1.5
+
+* Add support for agentx.
+
 1.4
 
 * Include installed version number in extended OID
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
index 46df7feb72..114b0761a5 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
@@ -23,6 +23,12 @@
         <type>text</type>
         <help>Set the contact address to use.</help>
     </field>
+    <field>
+        <id>general.enableagentx</id>
+        <label>Add AgentX Support</label>
+        <type>checkbox</type>
+        <help>Enable support for AgentX Application (FRR, others).</help>
+    </field>
     <field>
         <id>general.l3visibility</id>
         <label>Layer 3 Visibility</label>
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
index fe2bbb7e1e..911568aab8 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/netsnmp/general</mount>
     <description>Netsnmp configuration</description>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -27,6 +27,10 @@
             <default>0</default>
             <Required>Y</Required>
         </versionoid>
+        <enableagentx type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enableagentx>
         <listen type="NetworkField">
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
diff --git a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
index 1afbeaad89..a04c0a1820 100644
--- a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
+++ b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
@@ -12,6 +12,11 @@ agentAddress udp6:[{{ network }}]:161
 agentAddress udp:161,udp6:[::1]:161
 {% endif %}
 
+{% if OPNsense.netsnmp.general.enableagentx == '1' %}
+master agentx
+agentxsocket /var/agentx/master
+agentxperms 777 777
+{% endif %}
 
 {% if helpers.exists('OPNsense.netsnmp.general.community') and OPNsense.netsnmp.general.community != '' %}
 rocommunity {{ OPNsense.netsnmp.general.community }}

From c00a5d3208c9d9d8a1006a6c1e8721b8a0ba1c87 Mon Sep 17 00:00:00 2001
From: Frank Brendel <frank.brendel@eurolog.com>
Date: Fri, 23 Apr 2021 11:16:16 +0200
Subject: [PATCH 0568/3088] net/relayd: fix typo in relayd.conf template

---
 net/relayd/Makefile                                             | 2 +-
 .../src/opnsense/service/templates/OPNsense/Relayd/relayd.conf  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index de76204b17..d16c606a3e 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		relayd
-PLUGIN_VERSION=		2.4
+PLUGIN_VERSION=		2.5
 PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
diff --git a/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf b/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
index 6bcc696a79..f8b6b9bbcd 100644
--- a/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
+++ b/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
@@ -106,7 +106,7 @@ disable
 {%    set backuptablecheck = helpers.getUUID(virtualserver.backuptransport_tablecheck) if virtualserver.backuptransport_tablecheck is defined %}
 {%    set _backuptablecheck = '' %}
 {%    if backuptablecheck.type == 'http' and backuptablecheck.path is defined%}
-{%     set _backuptablecheck = 'check ' ~ backuptablecheck.type ~ 's' %}
+{%     set _backuptablecheck = 'check ' ~ backuptablecheck.type %}
 {%     if backuptablecheck.ssl|default('0') == '1' %}
 {%      set _backuptablecheck = _backuptablecheck ~ 's' %}
 {%     endif %}

From 6c738d467d4d4fc1735114528d40ffa2407d12bc Mon Sep 17 00:00:00 2001
From: Joshua Schmidlkofer <joshland@gmail.com>
Date: Fri, 23 Apr 2021 02:45:55 -0700
Subject: [PATCH 0569/3088] net/frr: Add support for agentx (#2321)

---
 .../mvc/app/controllers/OPNsense/Quagga/forms/general.xml   | 6 ++++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 4 ++++
 net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr  | 6 ++++++
 .../opnsense/service/templates/OPNsense/Quagga/ospf6d.conf  | 3 +++
 .../opnsense/service/templates/OPNsense/Quagga/ospfd.conf   | 3 +++
 .../opnsense/service/templates/OPNsense/Quagga/zebra.conf   | 6 ++++++
 7 files changed, 32 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
index 926afe40f2..fc3d304c31 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
@@ -18,6 +18,12 @@
         <type>checkbox</type>
         <help>This will activate the routing service only on the master device.</help>
     </field>
+    <field>
+        <id>general.enablesnmp</id>
+        <label>Enable SNMP AgentX Support</label>
+        <type>checkbox</type>
+        <help>This will activate support for Net-SNMP AgentX.</help>
+    </field>
     <field>
         <id>general.enablesyslog</id>
         <label>Enable logging</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
index de9a496bde..cc0b58304b 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
@@ -24,6 +24,10 @@
             <default>1</default>
             <Required>Y</Required>
         </enablesyslog>
+        <enablesnmp type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enablesnmp>
         <sysloglevel type="OptionField">
             <Required>Y</Required>
             <multiple>N</multiple>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 4bd7d7ef60..bd2d0e3b32 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -241,6 +241,10 @@ route-map {{ routemap.name }} {{ routemap.action }} {{ routemap.id }}
 !
 {% endif %}
 !
+{% if helpers.exists('OPNsense.quagga.bgpd.enabled') and OPNsense.quagga.general.enablesnmp == '1' %}
+agentx
+{% endif %}
+!
 line vty
 !
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index 2163fb73a3..9c8ee85256 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -17,3 +17,9 @@ start_postcmd="/usr/local/opnsense/scripts/frr/carp_event_handler"
 {% else %}
 frr_enable="NO"
 {% endif %}
+{% if OPNsense.quagga.general.enablesnmp == '1' %}
+zebra_flags="${zebra_flags} -M snmp"
+bgpd_flags="${bgpd_flags} -M snmp"
+ospf_flags="${ospf_flags} -M snmp"
+ospf6_flags="${ospf6_flags} -M snmp"
+{% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index 603950f669..92fb578d97 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -14,6 +14,9 @@ log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   if helpers.exists('OPNsense.quagga.general.profile') %}
 frr defaults {{ OPNsense.quagga.general.profile }}
 {%   endif %}
+{%   if OPNsense.quagga.general.enablesnmp == '1' %}
+agentx
+{%   endif %}
 {% endif %}
 !
 !
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index dda33b080a..350f4925cb 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -14,6 +14,9 @@ log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   if helpers.exists('OPNsense.quagga.general.profile') %}
 frr defaults {{ OPNsense.quagga.general.profile }}
 {%   endif %}
+{%   if OPNsense.quagga.general.enablesnmp == '1' %}
+agentx
+{%   endif %}
 {% endif %}
 !
 !
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
index 06de1506be..fbc685f72b 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
@@ -13,6 +13,12 @@ log syslog {{ OPNsense.quagga.general.sysloglevel }}
 !
 !
 !
+!
+{% if OPNsense.quagga.general.enablesnmp == '1' %}
+agentx
+{% endif %}
+!
+!
 ip forwarding
 ipv6 forwarding
 !

From a4d7040d06a29a33aa3efa0bfb63a480700efb3e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Apr 2021 11:48:02 +0200
Subject: [PATCH 0570/3088] net/frr: add release note

---
 net/frr/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index a5aa793d9e..3fb961354a 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 1.22
 
 * Add BFD support
+* Add support for agentx (contributed by Joshua Schmidlkofer)
 
 1.21
 

From 5cd954c51658dc308006483cd9f0e1e7a9fb75a5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Apr 2021 11:48:16 +0200
Subject: [PATCH 0571/3088] net-mgmt/zabbix?-proxy: whitespace cleanup

---
 .../src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py | 1 -
 .../src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py | 1 -
 2 files changed, 2 deletions(-)

diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
index 285afab39d..c08dbeccb1 100644
--- a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
+++ b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
@@ -53,4 +53,3 @@ def process_name(line):
     def line(line):
         tmp = re.match(zabbix_timeformat, line)
         return tmp.group(3)
-
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
index 285afab39d..c08dbeccb1 100644
--- a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
+++ b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
@@ -53,4 +53,3 @@ def process_name(line):
     def line(line):
         tmp = re.match(zabbix_timeformat, line)
         return tmp.group(3)
-

From fcd6cd9876d02937ae59f63039c27b96fa09132b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 26 Apr 2021 08:33:49 +0200
Subject: [PATCH 0572/3088] net/chrony: add makestep to default config (#2350)

---
 net/chrony/Makefile                                           | 2 +-
 net/chrony/pkg-descr                                          | 4 ++++
 .../opnsense/service/templates/OPNsense/Chrony/chrony.conf    | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index 4bfc40a55c..8ca31c20bb 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		chrony
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr
index c273e65812..a6283aec5f 100644
--- a/net/chrony/pkg-descr
+++ b/net/chrony/pkg-descr
@@ -4,6 +4,10 @@ better in virtual environments.
 Plugin Changelog
 ----------------
 
+1.3
+
+* Add makestep to configuration
+
 1.2
 
 * Add Diagnostics
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
index e800d636df..6910ea4a46 100644
--- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
@@ -3,6 +3,7 @@
 port {{ OPNsense.chrony.general.port }}
 driftfile /var/db/chrony/drift
 pidfile /var/run/chrony/chronyd.pid
+makestep 1 3
 
 {%   if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}
 ntsdumpdir /var/lib/chrony

From 9a132c18050da5dc54f7c84a451ca2937ab46254 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 26 Apr 2021 11:19:46 +0200
Subject: [PATCH 0573/3088] emulators/qemu-guest-agent: release initial version
 (#2357)

emulators/qemu-guest-agent: release initial version
---
 emulators/qemu-guest-agent/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/emulators/qemu-guest-agent/Makefile b/emulators/qemu-guest-agent/Makefile
index 1f9c4268f7..3e56e911f8 100644
--- a/emulators/qemu-guest-agent/Makefile
+++ b/emulators/qemu-guest-agent/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		qemu-guest-agent
-PLUGIN_VERSION=		0.1
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		QEMU Guest Agent for OPNsense
 PLUGIN_DEPENDS=		qemu-guest-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de

From eacc857cdceb7bc898c62eac7fc16d5354126fdd Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 28 Apr 2021 22:08:51 +0200
Subject: [PATCH 0574/3088] net/frr: finalize BFD for BGP (#2364)

---
 net/frr/Makefile                                            | 1 +
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml         | 6 ++++++
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 5 ++++-
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 7aa041dd20..2b73a8a551 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.22
+PLUGIN_REVISION=    1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 146dff7db0..649062d393 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -38,6 +38,12 @@
     <label>Multi-Hop</label>
     <type>checkbox</type>
   </field>
+  <field>
+    <id>neighbor.bfd</id>
+    <label>BFD</label>
+    <type>checkbox</type>
+    <help>You can enable BFD support for this neighbor.</help>
+  </field>
   <field>
     <id>neighbor.keepalive</id>
     <label>Keepalive</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index e1106e13e1..b657eba87e 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -74,6 +74,10 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </multihop>
+                        <bfd type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </bfd>
                         <keepalive type="IntegerField">
                                 <Required>N</Required>
                                 <MinimumValue>1</MinimumValue>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index bd2d0e3b32..c788574537 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -28,7 +28,10 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}
  neighbor {{ neighbor.address }} remote-as {{ neighbor.remoteas }}
-{%         if 'updatesource' in neighbor and neighbor.updatesource != '' %}
+{%         if 'bfd' in neighbor and neighbor.bfd == '1' %}
+ neighbor {{ neighbor.address }} bfd
+{%         endif %}
+ {%        if 'updatesource' in neighbor and neighbor.updatesource != '' %}
  neighbor {{ neighbor.address }} update-source {{ physical_interface(neighbor.updatesource) }}
 {%         endif %}
 {%         if 'multihop' in neighbor and neighbor.multihop == '1' %}

From da4aa10d6fb89ca970fa23bd4eed92d4cdeb770f Mon Sep 17 00:00:00 2001
From: Kimotu Bates <45389306+Kimotu@users.noreply.github.com>
Date: Wed, 28 Apr 2021 22:41:51 +0200
Subject: [PATCH 0575/3088] Fixed expected mime-type (#1807)

Chrome and Firefox report CSP as application/csp-report and not application/json. This lead to HTTP 400 BAD REQUEST.
No csp logs were created. With this fix, the form is csp report is processed and written to logs.
---
 www/nginx/src/opnsense/scripts/nginx/csp_report.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/csp_report.php b/www/nginx/src/opnsense/scripts/nginx/csp_report.php
index 303eed9858..116707a096 100755
--- a/www/nginx/src/opnsense/scripts/nginx/csp_report.php
+++ b/www/nginx/src/opnsense/scripts/nginx/csp_report.php
@@ -29,7 +29,7 @@
 $log_file = '/var/log/nginx/csp_violations.log';
 
 // make sure we don't have any formatting issues here
-if (stristr($_SERVER['CONTENT_TYPE'], 'json') === false) {
+if (stristr($_SERVER['CONTENT_TYPE'], 'csp-report') === false) {
     http_response_code(400);
     echo "This endpoint expects JSON data. Please send data using a json mime time (for example application/json)";
     exit(0);

From b63964117c940efe8b34244fa0c61d9791d523b4 Mon Sep 17 00:00:00 2001
From: James French <frenchie@frenchie.id.au>
Date: Sat, 1 May 2021 01:48:10 +0800
Subject: [PATCH 0576/3088] net/wireguard: Make tunneladdress an optional
 parameter (#2352)

---
 net/wireguard/Makefile                                        | 2 +-
 net/wireguard/pkg-descr                                       | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml | 2 +-
 .../templates/OPNsense/Wireguard/wireguard-server.conf        | 2 ++
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index d47a3d3d31..097f67923a 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.6
+PLUGIN_VERSION=		1.7
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 10880a4279..a7fc930799 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.7
+
+* Make tunnel address (wg interface address) optional
+
 1.6
 
 * Move DNS setting to advanced
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 6a749c3d78..7b99312233 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -43,7 +43,7 @@
                 <tunneladdress type="NetworkField">
                     <default></default>
                     <FieldSeparator>,</FieldSeparator>
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <asList>Y</asList>
                 </tunneladdress>
                 <disableroutes type="BooleanField">
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
index 82db761908..5e03ddb005 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
@@ -5,7 +5,9 @@
 {%       if server_list.enabled == '1' %}
 [Interface]
 PrivateKey = {{ server_list.privkey }}
+{%         if server_list.tunneladdress|default('') != '' %}
 Address = {{ server_list.tunneladdress }}
+{%         endif %}
 {%         if server_list.port|default('') != '' %}
 ListenPort = {{ server_list.port }}
 {%         endif %}

From 89d9ac097c80b3db742682c847d19284b69f4cbb Mon Sep 17 00:00:00 2001
From: tiny6996 <mathias.palmersheim@mathiasp.me>
Date: Tue, 4 May 2021 13:48:13 -0500
Subject: [PATCH 0577/3088]  net-mgmt/telegraf: fixed #2369 if statements in
 wrong spot and wrong model form (#2370)

---
 net-mgmt/telegraf/Makefile                                    | 2 +-
 net-mgmt/telegraf/pkg-descr                                   | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml   | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml  | 4 ----
 .../service/templates/OPNsense/Telegraf/telegraf.conf         | 3 ++-
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index fc30142acd..9aa85c02c4 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.10.0
+PLUGIN_VERSION=		1.10.1
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index fdbbce9fc1..9cacb5cf5f 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.10.1
+
+* Fix Suricata input controller being the output section and incorrect statement
+
 1.10.0
 
 * Add intrusion detection alert input
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index bf4cd5d910..721ea4e987 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -89,5 +89,9 @@
             <default>0</default>
             <Required>N</Required>
         </ntpq_dns_lookup>
+        <intrusion_detection_alerts type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </intrusion_detection_alerts>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 588f3061cf..c3b090acf7 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -121,9 +121,5 @@
             <default></default>
             <Required>N</Required>
         </datadog_apikey>
-        <intrusion_detection_alerts type="BooleanField">
-            <default>0</default>
-            <Required>N</Required>
-        </intrusion_detection_alerts>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 09bff97eee..f553999f73 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -252,6 +252,8 @@
 {%   else %}
   dns_lookup = false
 {%   endif %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.telegraf.input.intrusion_detection_alerts') and OPNsense.telegraf.input.intrusion_detection_alerts == '1' %}
 [[inputs.tail]]
   data_format = "json"
@@ -260,6 +262,5 @@
   tag_keys = ["event_type","src_ip","src_port","dest_ip","dest_port"]
   json_string_fields = ["*"]
 {% endif %}
-{% endif %}
 
 {% endif %}

From 264e739bf675bd57a901836b599da08900a8fadc Mon Sep 17 00:00:00 2001
From: Fabian Franz BSc <fabianfrz@users.noreply.github.com>
Date: Sun, 9 May 2021 13:43:36 +0200
Subject: [PATCH 0578/3088] www/nginx: source code migration for Phalcon 4
 (#2382)

---
 www/nginx/Makefile                            |  2 +-
 www/nginx/pkg-descr                           |  4 ++++
 .../OPNsense/Nginx/Api/SettingsController.php |  3 ---
 .../Constraints/NaxsiIdentifierConstraint.php |  4 ++--
 .../Constraints/NgxBusyBufferConstraint.php   | 19 +++++++------------
 5 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index fb7fab07ab..df5c3e49eb 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.22
+PLUGIN_VERSION=		1.23
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 47c9a2a02f..729721ed59 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.23
+
+* Migration for PHP Phalcon 4 (non breaking change for UI/API)
+
 1.22
 
 * Add X-Forwarded-Port and X-Forwarded-Host headers (contributed by Carlos Cesario)
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index ccb2cb6d98..443946ffca 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -615,7 +615,6 @@ private function convert_ipacl_for_client($response_data)
     /**
      * @param null $uuid the uuid which should get cleared before
      * @throws \ReflectionException if the model was not found
-     * @throws \Phalcon\Validation\Exception on validation errors
      */
     private function regenerate_hostname_map($uuid = null)
     {
@@ -644,7 +643,6 @@ private function regenerate_hostname_map($uuid = null)
     /**
      * @param null $uuid the uuid which should get cleared before
      * @throws \ReflectionException if the model was not found
-     * @throws \Phalcon\Validation\Exception on validation errors
      */
     private function regenerate_ipacl($uuid = null)
     {
@@ -673,7 +671,6 @@ private function regenerate_ipacl($uuid = null)
     /**
      * @param $uuids array list of UUIDs
      * @param $path string the model prefix from the element to delete
-     * @throws \Phalcon\Validation\Exception
      */
     private function delete_uuids($uuids, $path): void
     {
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
index 2373aae529..43b4abf1e0 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
@@ -28,7 +28,7 @@
 
 namespace OPNsense\Base\Constraints;
 
-use Phalcon\Validation\Message;
+use Phalcon\Messages\Message;
 
 /**
  * a very specific nginx check for Naxsi rule IDs - not reusable
@@ -38,7 +38,7 @@
  */
 class NaxsiIdentifierConstraint extends BaseConstraint
 {
-    public function validate(\Phalcon\Validation $validator, $attribute)
+    public function validate(\Phalcon\Validation $validator, $attribute) : bool
     {
         $node = $this->getOption('node');
         if ($node) {
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
index ba7d7944f6..bbf2c5ac82 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
@@ -28,7 +28,7 @@
 
 namespace OPNsense\Base\Constraints;
 
-use Phalcon\Validation\Message;
+use Phalcon\Messages\Message;
 
 /**
  * a very specific nginx check - not reusable
@@ -38,7 +38,7 @@
  */
 class NgxBusyBufferConstraint extends BaseConstraint
 {
-    public function validate(\Phalcon\Validation $validator, $attribute)
+    public function validate(\Phalcon\Validation $validator, $attribute) : bool
     {
         $node = $this->getOption('node');
         if ($node) {
@@ -64,26 +64,22 @@ public function validate(\Phalcon\Validation $validator, $attribute)
                     $proxy_buffer_size_int = intval((string) $proxy_buffer_size_node);
                 }
 
-                if (
-                    isset($proxy_buffers_total_minus1_size) && isset($proxy_busy_buffers_size) &&
+                if (isset($proxy_buffers_total_minus1_size) && isset($proxy_busy_buffers_size) &&
                     $proxy_buffers_total_minus1_size < $proxy_busy_buffers_size
                 ) {
                     $validator->appendMessage(new Message(
                         gettext("Proxy Buffer Size must be less than the size of all Proxy Buffers minus one buffer."),
-                        $attribute,
-                        $this->getOption('name')
+                        $attribute
                     ));
                 }
 
                 // nginx: [emerg] "proxy_busy_buffers_size" must be equal to or greater than the maximum of the value of "proxy_buffer_size" and one of the "proxy_buffers"
-                if (
-                    isset($proxy_busy_buffers_size) && isset($proxy_buffers_size_int) &&
+                if (isset($proxy_busy_buffers_size) && isset($proxy_buffers_size_int) &&
                     $proxy_busy_buffers_size < $proxy_buffers_size_int
                 ) {
                     $validator->appendMessage(new Message(
                         gettext("Proxy Busy Buffers Size must be equal to or greater than the maximum of one of the Proxy Buffers."),
-                        $attribute,
-                        $this->getOption('name')
+                        $attribute
                     ));
                 }
 
@@ -94,8 +90,7 @@ public function validate(\Phalcon\Validation $validator, $attribute)
                 ) {
                     $validator->appendMessage(new Message(
                         gettext("Proxy Busy Buffers Size must be equal to or greater than the maximum of the value of Proxy Buffer Size."),
-                        $attribute,
-                        $this->getOption('name')
+                        $attribute
                     ));
                 }
             }

From a4d2230f6a2e5215a8c2ee423c08781636c992bc Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 10 May 2021 22:50:35 +0200
Subject: [PATCH 0579/3088] net/haproxy: bump version, update changelog

---
 net/haproxy/Makefile  | 2 +-
 net/haproxy/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 381ec9f771..0a46eb1dd2 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.2
+PLUGIN_VERSION=		3.3
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 685819d341..b445b6efae 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.3
+
+Changed:
+* use HAProxy socket to apply updated OCSP stapling data (in cron job) (#2351)
+
 3.2
 
 Fixed:

From 13f55969431c1e2020bde4f9f709609d9c805bd7 Mon Sep 17 00:00:00 2001
From: djh-live-apps <80447151+djh-live-apps@users.noreply.github.com>
Date: Tue, 11 May 2021 18:03:09 +1000
Subject: [PATCH 0580/3088] security/acme-client: Added native support for
 Vultr DNS API (#2344)

* Add native support for Vultr DNS API
---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsVultr.php      | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 63 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVultr.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 2bc5df97d8..b1bccf6f6d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -972,6 +972,21 @@
         <label>API Key</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Vultr Cloud API</label>
+        <type>header</type>
+        <style>table_dns table_dns_vultr</style>
+    </field>
+    <field>
+        <label>NOTE: A DNS sleep time of at least 1000 is recommended.</label>
+        <type>header</type>
+        <style>table_dns table_dns_vultr</style>
+    </field>
+    <field>
+        <id>validation.dns_vultr_key</id>
+        <label>Key</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Yandex</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVultr.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVultr.php
new file mode 100644
index 0000000000..2b52824a34
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsVultr.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2021 David Hughes
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Vultr DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsVultr extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['VULTR_API_KEY'] = (string)$this->config->dns_vultr_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index edbcfdfcd1..6fd163f1c0 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -434,6 +434,7 @@
                         <dns_unoeuro>UnoEuro API</dns_unoeuro>
                         <dns_variomedia>Variomedia.de API</dns_variomedia>
                         <dns_vscale>Vscale API</dns_vscale>
+                        <dns_vultr>Vultr API</dns_vultr>
                         <dns_yandex>Yandex PDD API</dns_yandex>
                         <dns_zilore>Zilore DNS API</dns_zilore>
                         <dns_zonomi>zonomi.com domain API</dns_zonomi>
@@ -853,6 +854,9 @@
                 <dns_vscale_key type="TextField">
                     <Required>N</Required>
                 </dns_vscale_key>
+                <dns_vultr_key type="TextField">
+                    <Required>N</Required>
+                </dns_vultr_key>
                 <dns_yandex_token type="TextField">
                     <Required>N</Required>
                 </dns_yandex_token>

From 4428246a0f78647514d28162b6636dbb334165cb Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 11 May 2021 10:04:18 +0200
Subject: [PATCH 0581/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 0be03d6644..1df43367a0 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 2.5
 
+Added:
+* add native support for Vultr DNS API (#2344)
+
 Fixed:
 * ensure that the auto renewal cron job is properly disabled (#2178)
 

From 0334ceae5685cb259c9f04923a08f1d46ba5f94f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Fri, 14 May 2021 17:26:16 +0200
Subject: [PATCH 0582/3088] net/relayd: Usability improvements (#2373)

net/relayd: Usability improvements https://github.com/opnsense/plugins/issues/2232

o support enable/disable flag on backend hosts, while here perform some minor cleanups as well (use our standard classes and some style fixes) for https://github.com/opnsense/plugins/issues/2232
o lock delete action to prevent "delete selected" from ignoring most entries. (eventually it might be better to stick to ApiMutableModelControllerBase actions to simplify logiuc, but since there's all some logic incorporated in these endpoints now, let's keep it as is now and only add a lock.)
o ignore backup without check in relayd.conf (prevent crash with "Template Error" when a backup without a template is provided)
o extend status controller with "wait" flag to give relayd some time for collecting status (retry mechanism)
o refactor status.volt use jQuery components to construct items and make sure each row contains all relevant data
o extend status controller output with attached configuration data and add listen_address and port(s) for virtualservers
o extend model with an easy to use "get by name" method (getObjectsByAttribute)
o change api response for host properties, since we can't uniquely tell which host item belongs to the output of `relayctl show summary`, we search the ones that are most likely to match
o extend status controller toggle action so it can enable/disable hosts on "add" and "remove" actions, $id's are (a list of) uuid's in that case
o extend status controller to return "unconfigured" when disabled in the configuration, so we can distinct between temporary disabled (running config) and offline
o status page: switch icons to fonts-awesome (standard theme) in status view
o status page: add filter option in status view
o status page: add bind address and port in virtual server field
o status page: add host name(s) if it differs from the address, so we can search on user configurable names as well
o status page: add transitions, down -> stopped, disabled -> enabled (+ service reconfigure)
o status page: always show host disable button
o status page: restructure translation texts
o status page: add toggle to hide table column, provides some additional overview when only single tables are used in a virtual server
o status page: support local presets using localStorage object, quickly traverse through different filters previously saved on the local client.


sponsored by : Modirum (https://www.modirum.com/)
---
 net/relayd/Makefile                           |   4 +-
 .../OPNsense/Relayd/Api/ServiceController.php |   7 +-
 .../Relayd/Api/SettingsController.php         |  86 +--
 .../OPNsense/Relayd/Api/StatusController.php  | 177 ++++--
 .../OPNsense/Relayd/forms/host.xml            |   6 +
 .../mvc/app/models/OPNsense/Relayd/Relayd.php |  17 +
 .../mvc/app/models/OPNsense/Relayd/Relayd.xml |  24 +-
 .../mvc/app/views/OPNsense/Relayd/index.volt  |  14 +-
 .../mvc/app/views/OPNsense/Relayd/status.volt | 547 ++++++++++++++----
 .../templates/OPNsense/Relayd/relayd.conf     | 218 +++----
 10 files changed, 804 insertions(+), 296 deletions(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index d16c606a3e..c94f25e2a0 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		relayd
-PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		2.6
+#PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
index d255473d48..83eda01320 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
@@ -2,6 +2,7 @@
 
 /*
  * Copyright (C) 2018 EURO-LOG AG
+ * Copyright (c) 2021 Deciso B.V.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -98,10 +99,9 @@ public function reconfigureAction()
                 $this->sessionClose();
                 $result['function'] = "reconfigure";
                 $result['status'] = 'failed';
-                $mdlRelayd = new Relayd();
                 $backend = new Backend();
                 $status = $this->statusAction();
-                if ($mdlRelayd->general->enabled->__toString() == 1) {
+                if (!empty((string)$this->getModel()->general->enabled)) {
                     $result = $this->configtestAction();
                     if ($result['template'] == 'OK' && preg_match('/configuration OK$/', $result['result']) == 1) {
                         if ($status['status'] != 'running') {
@@ -118,8 +118,7 @@ public function reconfigureAction()
                     }
                 }
                 $this->lock(1);
-                $mdlRelayd = new Relayd();
-                if ($mdlRelayd->configClean()) {
+                if ($this->getModel()->configClean()) {
                     $result['status'] = 'ok';
                 }
                 return $result;
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
index 67b0ff0091..0f71cf62c6 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
@@ -2,7 +2,7 @@
 
 /**
  *    Copyright (C) 2018 EURO-LOG AG
- *
+ *    Copyright (c) 2021 Deciso B.V.
  *    All rights reserved.
  *
  *    Redistribution and use in source and binary forms, with or without
@@ -30,7 +30,7 @@
 
 namespace OPNsense\Relayd\Api;
 
-use OPNsense\Base\ApiControllerBase;
+use OPNsense\Base\ApiMutableModelControllerBase;
 use OPNsense\Core\Config;
 use OPNsense\Relayd\Relayd;
 use OPNsense\Base\UIModelGrid;
@@ -39,25 +39,17 @@
  * Class SettingsController
  * @package OPNsense\Relayd
  */
-class SettingsController extends ApiControllerBase
+class SettingsController extends ApiMutableModelControllerBase
 {
 
     protected static $internalModelName = 'relayd';
     protected static $internalModelClass = '\OPNsense\Relayd\Relayd';
-    public $mdlRelayd = null;
 
     /**
      * list with valid model node types
      */
     private $nodeTypes = array('general', 'host', 'tablecheck', 'table', 'protocol', 'virtualserver');
 
-    /**
-     * initialize object properties
-     */
-    public function onConstruct()
-    {
-        $this->mdlRelayd = new Relayd();
-    }
 
     /**
      * check if changes to the relayd settings were made
@@ -66,7 +58,7 @@ public function onConstruct()
     public function dirtyAction()
     {
         $result = array('status' => 'ok');
-        $result['relayd']['dirty'] = $this->mdlRelayd->configChanged();
+        $result['relayd']['dirty'] = $this->getModel()->configChanged();
         return $result;
     }
 
@@ -82,12 +74,12 @@ public function getAction($nodeType = null, $uuid = null)
         if ($this->request->isGet() && $nodeType != null) {
             $this->validateNodeType($nodeType);
             if ($nodeType == 'general') {
-                $node = $this->mdlRelayd->getNodeByReference($nodeType);
+                $node = $this->getModel()->getNodeByReference($nodeType);
             } else {
                 if ($uuid != null) {
-                    $node = $this->mdlRelayd->getNodeByReference($nodeType . '.' . $uuid);
+                    $node = $this->getModel()->getNodeByReference($nodeType . '.' . $uuid);
                 } else {
-                    $node = $this->mdlRelayd->$nodeType->Add();
+                    $node = $this->getModel()->$nodeType->Add();
                 }
             }
             if ($node != null) {
@@ -111,12 +103,12 @@ public function setAction($nodeType = null, $uuid = null)
         if ($this->request->isPost() && $this->request->hasPost('relayd') && $nodeType != null) {
             $this->validateNodeType($nodeType);
             if ($nodeType == 'general') {
-                $node = $this->mdlRelayd->getNodeByReference($nodeType);
+                $node = $this->getModel()->getNodeByReference($nodeType);
             } else {
                 if ($uuid != null) {
-                    $node = $this->mdlRelayd->getNodeByReference($nodeType . '.' . $uuid);
+                    $node = $this->getModel()->getNodeByReference($nodeType . '.' . $uuid);
                 } else {
-                    $node = $this->mdlRelayd->$nodeType->Add();
+                    $node = $this->getModel()->$nodeType->Add();
                 }
             }
             if ($node != null) {
@@ -207,16 +199,16 @@ public function setAction($nodeType = null, $uuid = null)
                 }
 
                 $node->setNodes($relaydInfo[$nodeType]);
-                $valMsgs = $this->mdlRelayd->performValidation();
+                $valMsgs = $this->getModel()->performValidation();
                 foreach ($valMsgs as $field => $msg) {
                     $fieldnm = str_replace($node->__reference, "relayd." . $nodeType, $msg->getField());
                     $result["validations"][$fieldnm] = $msg->getMessage();
                 }
                 if (empty($result["validations"])) {
                     unset($result["validations"]);
-                    $this->mdlRelayd->serializeToConfig();
+                    $this->getModel()->serializeToConfig();
                     $cfgRelayd = Config::getInstance()->save();
-                    if ($this->mdlRelayd->configDirty()) {
+                    if ($this->getModel()->configDirty()) {
                         $result['status'] = 'ok';
                     }
                 }
@@ -234,13 +226,14 @@ public function setAction($nodeType = null, $uuid = null)
     public function delAction($nodeType = null, $uuid = null)
     {
         $result = array("result" => "failed");
+        Config::getInstance()->lock();
         if ($nodeType != null) {
             $this->validateNodeType($nodeType);
             if ($uuid != null) {
-                $node = $this->mdlRelayd->getNodeByReference($nodeType . '.' . $uuid);
+                $node = $this->getModel()->getNodeByReference($nodeType . '.' . $uuid);
                 if ($node != null) {
-                    $nodeName = $this->mdlRelayd->getNodeByReference($nodeType . '.' . $uuid . '.name')->__toString();
-                    if ($this->mdlRelayd->$nodeType->del($uuid) == true) {
+                    $nodeName = $this->getModel()->getNodeByReference($nodeType . '.' . $uuid . '.name')->__toString();
+                    if ($this->getModel()->$nodeType->del($uuid) == true) {
                         // delete relations
                         switch ($nodeType) {
                             case 'host':
@@ -250,7 +243,7 @@ public function delAction($nodeType = null, $uuid = null)
                                     $uuid,
                                     'host',
                                     $nodeName,
-                                    $this->mdlRelayd
+                                    $this->getModel()
                                 );
                                 break;
                             case 'tablecheck':
@@ -260,7 +253,7 @@ public function delAction($nodeType = null, $uuid = null)
                                     $uuid,
                                     'tablecheck',
                                     $nodeName,
-                                    $this->mdlRelayd
+                                    $this->getModel()
                                 );
                                 $this->deleteRelations(
                                     'virtualserver',
@@ -268,7 +261,7 @@ public function delAction($nodeType = null, $uuid = null)
                                     $uuid,
                                     'tablecheck',
                                     $nodeName,
-                                    $this->mdlRelayd
+                                    $this->getModel()
                                 );
                                 break;
                             case 'table':
@@ -278,7 +271,7 @@ public function delAction($nodeType = null, $uuid = null)
                                     $uuid,
                                     'table',
                                     $nodeName,
-                                    $this->mdlRelayd
+                                    $this->getModel()
                                 );
                                 $this->deleteRelations(
                                     'virtualserver',
@@ -286,7 +279,7 @@ public function delAction($nodeType = null, $uuid = null)
                                     $uuid,
                                     'table',
                                     $nodeName,
-                                    $this->mdlRelayd
+                                    $this->getModel()
                                 );
                                 break;
                             case 'protocol':
@@ -296,13 +289,13 @@ public function delAction($nodeType = null, $uuid = null)
                                     $uuid,
                                     'protocol',
                                     $nodeName,
-                                    $this->mdlRelayd
+                                    $this->getModel()
                                 );
                                 break;
                         }
-                        $this->mdlRelayd->serializeToConfig();
+                        $this->getModel()->serializeToConfig();
                         Config::getInstance()->save();
-                        if ($this->mdlRelayd->configDirty()) {
+                        if ($this->getModel()->configDirty()) {
                             $result['status'] = 'ok';
                         }
                     }
@@ -312,6 +305,21 @@ public function delAction($nodeType = null, $uuid = null)
         return $result;
     }
 
+    /**
+     * toggle status
+     * @param string $nodeType node type to address
+     * @param string $uuid id to toggled
+     * @param string|null $enabled set enabled by default
+     * @return array status
+     * @throws \Phalcon\Validation\Exception when field validations fail
+     * @throws \ReflectionException when not bound to model
+     */
+    public function toggleAction($nodeType, $uuid, $enabled = null)
+    {
+        $this->getModel()->configDirty();
+        return $this->toggleBase($nodeType, $uuid, $enabled);
+    }
+
     /**
      * search relayd settings
      * @param $nodeType
@@ -322,11 +330,11 @@ public function searchAction($nodeType = null)
         $this->sessionClose();
         if ($this->request->isPost() && $nodeType != null) {
             $this->validateNodeType($nodeType);
-            $grid = new UIModelGrid($this->mdlRelayd->$nodeType);
+            $grid = new UIModelGrid($this->getModel()->$nodeType);
             $fields = array();
             switch ($nodeType) {
                 case 'host':
-                    $fields = array('name', 'address');
+                    $fields = array('enabled', 'name', 'address');
                     break;
                 case 'tablecheck':
                     $fields = array('name', 'type');
@@ -342,7 +350,7 @@ public function searchAction($nodeType = null)
                     break;
             }
             $result = $grid->fetchBindRequest($this->request, $fields);
-            $result['dirty'] = $this->mdlRelayd->configChanged();
+            $result['dirty'] = $this->getModel()->configChanged();
             return $result;
         }
     }
@@ -374,7 +382,7 @@ private function deleteRelations(
         $relNodeType = null,
         $relNodeName = null
     ) {
-        $nodes = $this->mdlRelayd->$nodeType->getNodes();
+        $nodes = $this->getModel()->$nodeType->getNodes();
         // get nodes with relations
         foreach ($nodes as $nodeUuid => $node) {
             // get relation uuids
@@ -382,14 +390,14 @@ private function deleteRelations(
                 // remove uuid from field
                 if ($fieldUuid == $relUuid) {
                     $refField = $nodeType . '.' . $nodeUuid . '.' . $nodeField;
-                    $relNode = $this->mdlRelayd->getNodeByReference($refField);
+                    $relNode = $this->getModel()->getNodeByReference($refField);
                     $nodeRels = str_replace($relUuid, '', $relNode->__toString());
                     $nodeRels = str_replace(',,', ',', $nodeRels);
                     $nodeRels = rtrim($nodeRels, ',');
                     $nodeRels = ltrim($nodeRels, ',');
-                    $this->mdlRelayd->setNodeByReference($refField, $nodeRels);
+                    $this->getModel()->setNodeByReference($refField, $nodeRels);
                     if ($relNode->isEmptyAndRequired()) {
-                        $nodeName = $this->mdlRelayd->getNodeByReference("{$nodeType}.{$nodeUuid}.name")->__toString();
+                        $nodeName = $this->getModel()->getNodeByReference("{$nodeType}.{$nodeUuid}.name")->__toString();
                         throw new \Exception("Cannot delete $relNodeType '$relNodeName' from $nodeType '$nodeName'");
                     }
                 }
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
index deb9a75e6a..dfd721fcb3 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
@@ -2,6 +2,7 @@
 
 /**
  *    Copyright (C) 2018 EURO-LOG AG
+ *    Copyright (c) 2021 Deciso B.V.
  *
  *    All rights reserved.
  *
@@ -32,6 +33,7 @@
 
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
 use OPNsense\Relayd\Relayd;
 
 /**
@@ -43,15 +45,32 @@ class StatusController extends ApiControllerBase
     /**
      * get relayd summary
      */
-    public function sumAction()
+    public function sumAction($wait=0)
     {
         $result = array("result" => "failed");
         $backend = new Backend();
+        $relaydMdl = new Relayd();
+
+        // when $wait is set, try for max 10 seconds to receive a sensible status (wait for unknowns to resolve)
+        $max_tries = !empty($wait) ? 10 : 1;
         $output = array();
-        $output = explode("\n", trim($backend->configdRun('relayd summary')));
+        for ($i = 0; $i < $max_tries; $i++) {
+            $output = explode("\n", trim($backend->configdRun('relayd summary')));
+            $unknowns = 0;
+            foreach ($output as $line) {
+                if (substr($line, -strlen("unknown")) == "unknown") {
+                    $unknowns++;
+                }
+            }
+            if (!empty($output[0]) && $unknowns == 0) {
+                break;
+            }
+            sleep(1);
+        }
         if (empty($output[0])) {
             return $result;
         }
+        $output[] = "0\t****\t"; // end of data marker
         $result["result"] = 'ok';
         $virtualServerId = 0;
         $virtualServerType = '';
@@ -59,40 +78,119 @@ public function sumAction()
         $virtualserver = array();
         $rows = array();
         foreach ($output as $line) {
-            $words = explode("\t", $line);
-            $id = trim($words[0]);
-            $type = trim($words[1]);
-            if ($type == 'redirect' || $type == 'relay') {
+            $words = array_map('trim', explode("\t", $line));
+            $id = $words[0];
+            $type = $words[1];
+            if ($type == 'redirect' || $type == 'relay' || $type == '****') {
                 // new virtual server id/type means new record
                 if (
-                    ($id != $virtualServerId
-                    && $virtualServerId > 0)
-                    || ($type != $virtualServerType
-                    && strlen($virtualServerType) > 5)
+                    ($id != $virtualServerId && $virtualServerId > 0) ||
+                    ($type != $virtualServerType && strlen($virtualServerType) > 5) ||
+                    ($type == '****' && !empty($virtualserver))
                 ) {
+                    // append backend hosts not found in the list, since relayd only supports disabled tables
+                    // you might loose track of hosts that are disabled
+                    if (!empty($virtualserver['tables'])) {
+                        foreach ($virtualserver['tables'] as &$table) {
+                            if (!empty($table['uuid'])) {
+                                $tblnode = $relaydMdl->getNodeByReference("table.".$table['uuid']);
+                                foreach (explode(",", (string)$tblnode->hosts) as $host_uuid) {
+                                    $found = false;
+                                    if (!empty($table['hosts'])) {
+                                        foreach ($table['hosts'] as $tblhost) {
+                                            foreach ($tblhost['properties'] as $hprops) {
+                                                if ($hprops['uuid'] == $host_uuid) {
+                                                    $found = true;
+                                                }
+                                            }
+                                        }
+                                    } else {
+                                        $table['hosts'] = [];
+                                    }
+                                    if (!$found) {
+                                        $hostnode = $relaydMdl->getNodeByReference("host.".$host_uuid);
+                                        $table['hosts'][$host_uuid] = [
+                                            "name" => (string)$hostnode->address,
+                                            "description" => (string)$hostnode->name,
+                                            "avlblty" => null,
+                                            "status" => empty((string)$hostnode->enabled) ? "disabled" : "-",
+                                            "properties" => [
+                                                [
+                                                    "uuid" => $host_uuid,
+                                                    "name" => (string)$hostnode->name,
+                                                    "enabled" => (string)$hostnode->enabled
+                                                ]
+                                            ]
+                                        ];
+                                    }
+                                }
+                            }
+                        }
+                    }
                     $rows[] = $virtualserver;
-                    $virtualserver = array();
+                    if ($type == '****') {
+                        break; // end
+                    }
+                    $virtualserver = [];
                 }
                 $virtualServerId = $id;
                 $virtualServerType = $type;
                 $virtualserver['id'] = $id;
                 $virtualserver['type'] = $type;
-                $virtualserver['name'] = trim($words[2]);
-                $virtualserver['status'] = trim($words[4]);
-            }
-            if ($type == 'table') {
+                $virtualserver['name'] = $words[2];
+                $virtualserver['status'] = $words[4];
+                $objs = $relaydMdl->getObjectsByAttribute("virtualserver", "name", $virtualserver['name']);
+                if (count($objs) > 0) {
+                    $obj = $objs[0];
+                    $virtualserver['uuid'] = $obj->getAttribute('uuid');
+                    $virtualserver['listen_address'] = (string)$obj->listen_address;
+                    $virtualserver['listen_startport'] = (string)$obj->listen_startport;
+                    $virtualserver['listen_endport'] = (string)$obj->listen_endport;
+                }
+            } elseif ($type == 'table') {
                 $tableId = $id;
-                $virtualserver['tables'][$tableId]['name'] = trim($words[2]);
-                $virtualserver['tables'][$tableId]['status'] = trim($words[4]);
-            }
-            if ($type == 'host') {
+                if (empty($virtualserver['tables'])) {
+                    $virtualserver['tables'] = [];
+                }
+                $virtualserver['tables'][$tableId] = [];
+                $virtualserver['tables'][$tableId]['name'] = $words[2];
+                $virtualserver['tables'][$tableId]['status'] = $words[4];
+                $objs = $relaydMdl->getObjectsByAttribute("table", "name", explode(":", $words[2])[0]);
+                if (count($objs) > 0) {
+                    $virtualserver['tables'][$tableId]['uuid'] = $objs[0]->getAttribute('uuid');
+                }
+            } elseif ($type == 'host') {
                 $hostId = trim($words[0]);
-                $virtualserver['tables'][$tableId]['hosts'][$hostId]['name'] = trim($words[2]);
-                $virtualserver['tables'][$tableId]['hosts'][$hostId]['avlblty'] = trim($words[3]);
-                $virtualserver['tables'][$tableId]['hosts'][$hostId]['status'] = trim($words[4]);
+                if (empty($virtualserver['tables'][$tableId]['hosts'])) {
+                    $virtualserver['tables'][$tableId]['hosts'] = [];
+                }
+                $virtualserver['tables'][$tableId]['hosts'][$hostId] = ['properties' => []];
+                $virtualserver['tables'][$tableId]['hosts'][$hostId]['name'] = $words[2];
+                $virtualserver['tables'][$tableId]['hosts'][$hostId]['avlblty'] = $words[3];
+                $status = $words[4] == 'disabled' ? 'stopped' : $words[4];
+                $virtualserver['tables'][$tableId]['hosts'][$hostId]['status'] = $status;
+                // XXX: `relayctl show summary` name is actually the number, append name as description when found
+                $objs = $relaydMdl->getObjectsByAttribute("host", "address", $words[2]);
+                if (count($objs) > 0) {
+                    $linked_hosts = [];
+                    if (!empty($virtualserver['tables'][$tableId]['uuid'])) {
+                        $tblnode = $relaydMdl->getNodeByReference("table.".$virtualserver['tables'][$tableId]['uuid']);
+                        $linked_hosts = explode(",", (string)$tblnode->hosts);
+                    }
+                    // hosts aren't necessarily unique due to address matching
+                    foreach ($objs as $obj) {
+                        $this_uuid = $obj->getAttribute('uuid');
+                        if (empty($linked_hosts) || in_array($this_uuid, $linked_hosts)) {
+                            $virtualserver['tables'][$tableId]['hosts'][$hostId]['properties'][] = [
+                                'uuid' => $this_uuid,
+                                'name' => (string)$obj->name,
+                                "enabled" => (string)$obj->enabled
+                            ];
+                        }
+                    }
+                }
             }
         }
-        $rows[] = $virtualserver;
         $result["rows"] = $rows;
         return $result;
     }
@@ -102,29 +200,32 @@ public function sumAction()
      */
     public function toggleAction($nodeType = null, $id = null, $action = null)
     {
+        $result = array("result" => "failed", "function" => "toggle");
         if ($this->request->isPost()) {
             $this->sessionClose();
-        }
-        $result = array("result" => "failed", "function" => "toggle");
-        if (
-            $nodeType != null &&
-                ($nodeType == 'redirect' ||
-                 $nodeType == 'table' ||
-                 $nodeType == 'host')
-        ) {
-            if (
-                $action != null &&
-                    ($action == 'enable' ||
-                     $action == 'disable')
-            ) {
+            $backend = new Backend();
+            if (in_array($nodeType, ['redirect', 'table', 'host']) && in_array($action, ['enable', 'disable'])){
                 if ($id != null && $id > 0) {
-                    $backend = new Backend();
-                    $result["output"] = $backend->configdRun("relayd toggle $nodeType $action $id");
+                    $result["output"] = $backend->configdpRun("relayd toggle",[$nodeType, $action, $id]);
                     if (isset($result["output"])) {
                         $result["result"] = 'ok';
                     }
                     $result["output"] = trim($result["output"]);
                 }
+            } elseif ($nodeType == 'host' && in_array($action, ['remove', 'add'])) {
+                Config::getInstance()->lock();
+                $new_status = $action == "remove" ? "0" : "1";
+                $relaydMdl = new Relayd();
+                foreach (explode(",", $id) as $host_uuid) {
+                    $obj = $relaydMdl->getNodeByReference("host.".$host_uuid);
+                    if ($obj != null) {
+                        $obj->enabled = $new_status;
+                    }
+                }
+                $relaydMdl->serializeToConfig();
+                Config::getInstance()->save();
+                // invoke service controller
+                return (new ServiceController())->reconfigureAction();
             }
         }
         return $result;
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/forms/host.xml b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/forms/host.xml
index 1c6967ae03..09dcea4fac 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/forms/host.xml
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/forms/host.xml
@@ -1,4 +1,10 @@
 <form>
+   <field>
+      <id>relayd.host.enabled</id>
+      <label>Enabled</label>
+      <type>checkbox</type>
+      <help>Set this option to enable this destination.</help>
+   </field>
    <field>
       <id>relayd.host.name</id>
       <label>Name</label>
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
index e80a832e0c..0669849ed4 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
@@ -64,4 +64,21 @@ public function configClean()
     {
         return @unlink("/tmp/relayd.dirty");
     }
+
+    /**
+     * @param string $type type of object (host, table, virtualserver)
+     * @param string $name name of the attribute
+     * @param string $value value to match
+     * @return ArrayField[] items found
+     */
+    public function getObjectsByAttribute($type, $name, $value)
+    {
+        $results = [];
+        foreach ($this->$type->iterateItems() as $item) {
+            if ((string)$item->$name == $value) {
+                  $results[] = $item;
+            }
+        }
+        return $results;
+    }
 }
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index a67061d672..60852198b0 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -1,6 +1,6 @@
 <model>
    <mount>//OPNsense/relayd</mount>
-   <version>1.0.2</version>
+   <version>1.0.3</version>
    <description>Relayd settings</description>
    <items>
       <general>
@@ -35,10 +35,20 @@
          </timeout>
       </general>
       <host type="ArrayField">
+        <enabled type="BooleanField">
+            <default>1</default>
+            <Required>Y</Required>
+         </enabled>
          <name type="TextField">
             <Required>Y</Required>
             <mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</mask>
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>Host names should be unique.</ValidationMessage>
+                    <type>UniqueConstraint</type>
+                </check001>
+            </Constraints>
          </name>
          <address type="TextField">
             <Required>Y</Required>
@@ -67,6 +77,12 @@
             <Required>Y</Required>
             <mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</mask>
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>Table names should be unique.</ValidationMessage>
+                    <type>UniqueConstraint</type>
+                </check001>
+            </Constraints>
          </name>
          <enabled type="BooleanField">
             <default>0</default>
@@ -134,6 +150,12 @@
             <Required>Y</Required>
             <mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</mask>
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>Virtual server names should be unique.</ValidationMessage>
+                    <type>UniqueConstraint</type>
+                </check001>
+            </Constraints>
          </name>
          <enabled type="BooleanField">
             <default>0</default>
diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
index 0544e23d15..0b1ea7e48f 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
@@ -1,6 +1,7 @@
 {#
 
 Copyright © 2018 by EURO-LOG AG
+Copyright (c) 2021 Deciso B.V.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,
@@ -95,13 +96,17 @@ POSSIBILITY OF SUCH DAMAGE.
       });
 
       ['host', 'tablecheck', 'table', 'protocol', 'virtualserver'].forEach(function(element) {
-         $("#grid-" + element).UIBootgrid({
+         let endpoints = {
             'search': '/api/relayd/settings/search/' + element + '/',
             'get':    '/api/relayd/settings/get/' + element + '/',
             'set':    '/api/relayd/settings/set/' + element + '/',
             'add':    '/api/relayd/settings/set/' + element + '/',
             'del':    '/api/relayd/settings/del/' + element + '/'
-         });
+         };
+         if (['virtualserver', 'host', 'table'].includes(element)) {
+            endpoints['toggle'] = '/api/relayd/settings/toggle/' + element + '/';
+         }
+         $("#grid-" + element).UIBootgrid(endpoints);
       });
 
       // show/hide options depending on other options
@@ -239,6 +244,7 @@ POSSIBILITY OF SUCH DAMAGE.
       <table id="grid-host" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditHost">
          <thead>
             <tr>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="address" data-type="string">{{ lang._('Address') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
@@ -285,7 +291,7 @@ POSSIBILITY OF SUCH DAMAGE.
       <table id="grid-table" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditTable">
          <thead>
             <tr>
-                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="boolean">{{ lang._('Enabled') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Edit') }} | {{ lang._('Delete') }}</th>
@@ -331,7 +337,7 @@ POSSIBILITY OF SUCH DAMAGE.
       <table id="grid-virtualserver" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditVirtualServer">
          <thead>
             <tr>
-                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="boolean">{{ lang._('Enabled') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
index 0bcee42f73..c3a15c73b1 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
@@ -1,6 +1,7 @@
 {#
 
 Copyright © 2018 by EURO-LOG AG
+Copyright (c) 2021 Deciso B.V.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,
@@ -27,128 +28,462 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 
 <script type="text/javascript">
-   $( document ).ready(function() {
+  $( document ).ready(function() {
+      /**
+       * create status and start/stop buttons
+       **/
+      function getControlButtons(status, id, nodeType) {
+          let status_btn = $('<button class="label label-opnsense label-opnsense-xs"/>');
+          let action_btn = $('<button class="btn btn-xs btn-default" data-toggle="tooltip"/>').attr('data-nodeid', id).attr('data-nodetype', nodeType);
+          let action_btn_remove = action_btn.clone(true);
+          let response = [];
+
+          if (status.substring(0, 6) === 'active' || status === 'up') {
+              status_btn.addClass('label-success').append($('<i class="fa fa-play fa-fw"/>'));
+              action_btn.addClass('node_action').append($('<i class="fa fa-stop fa-fw"/>')).attr('data-nodeaction', 'disable');
+              action_btn.attr('title', $("#stop_" + nodeType + "_label").text());
+              response.push(status_btn);
+              if (nodeType === 'host') {
+                  action_btn_remove.addClass('node_action').append($('<i class="fa fa-times fa-fw"/>')).attr('data-nodeaction', 'remove');
+                  action_btn_remove.attr('title', $("#remove_host_label").text());
+                  response.push(action_btn_remove);
+              }
+              response.push(action_btn);
+          } else if (['stopped', 'disabled'].includes(status)) {
+              status_btn.addClass('label-danger').append($('<i class="fa fa-stop fa-fw"/>'));
+              action_btn.addClass('node_action').append($('<i class="fa fa-play fa-fw"/>')).attr('data-nodeaction', 'enable');
+              action_btn.attr('title', $("#start_" + nodeType + "_label").text());
+              if (status === 'stopped' && nodeType === 'host') {
+                 action_btn_remove.addClass('node_action').append($('<i class="fa fa-times fa-fw"/>')).attr('data-nodeaction', 'remove');
+                 action_btn_remove.attr('title', $("#remove_host_label").text());
+                 response.push(status_btn, action_btn_remove, action_btn);
+              } else {
+                 response.push(status_btn, action_btn);
+              }
+          } else if (status === 'down' && nodeType == 'host') {
+              // remove host (permanent down)
+              status_btn.addClass('label-danger').append($('<i class="fa fa-stop fa-fw"/>'));
+              action_btn.addClass('node_action').append($('<i class="fa fa-times fa-fw"/>')).attr('data-nodeaction', 'remove');
+              action_btn.attr('title', $("#remove_host_label").text());
+              response.push(status_btn, action_btn);
+          } else {
+              status_btn.addClass('label-danger').append($('<i class="fa fa-stop fa-fw"/>'));
+              action_btn.append($('<i class="fa fa-play fa-fw"/>')).attr('disabled', 'disabled');
+              response.push(status_btn, action_btn);
+          }
+          // no action for relays; see relayctl(8)
+          if (nodeType === 'relay') {
+              action_btn.removeClass('node_action').attr('disabled', 'disabled');
+          }
+          return response;
+      };
+
+      /**
+       * apply provided filters on selected data, reformat virtual server and table groups with borders
+       */
+      function apply_filters() {
+          let prev_tr = null;
+          let filter_vs = $("#filter_virtualserver").val();
+          let filter_table = $("#filter_table").val();
+          let filter_host = $("#filter_host").val();
+          if ($("#hide_table_column").prop('checked')) {
+              $(".relayd_table").hide();
+              $(".relayd_table_th").hide();
+          } else {
+              $(".relayd_table").show();
+              $(".relayd_table_th").show();
+          }
+
+          $('#tableStatus > tbody > tr').each(function(){
+              let vs_td = $(this).find("td.relayd_virtualserver");
+              let tbl_td = $(this).find("td.relayd_table");
+              let host_td = $(this).find("td.relayd_host");
+              let is_visible_row = true;
+
+              // filter;
+              if (filter_vs !== "" && vs_td.data('display_name') !== undefined && vs_td.data('display_name').toUpperCase().indexOf(filter_vs.toUpperCase()) == -1) {
+                  is_visible_row=false;
+              } else if (filter_table !== "" && tbl_td.data('display_name') !== undefined && tbl_td.data('display_name').toUpperCase().indexOf(filter_table.toUpperCase()) == -1) {
+                  is_visible_row=false;
+              } else if (filter_host !== "" && host_td.data('display_name') !== undefined && host_td.data('display_name').toUpperCase().indexOf(filter_host.toUpperCase()) == -1) {
+                  is_visible_row=false;
+              }
+              if (is_visible_row) {
+                  $(this).show();
+                  if (prev_tr !== null && prev_tr.find("td.relayd_virtualserver").data('id') === vs_td.data('id')){
+                      vs_td.find("div.object_container").hide();
+                      vs_td.css('border-top-style', 'hidden');
+                  } else {
+                      vs_td.find("div.object_container").show();
+                      vs_td.css('border-top-style', 'solid');
+                  }
+
+                  if (prev_tr !== null && prev_tr.find("td.relayd_table").data('id') === tbl_td.data('id')){
+                      tbl_td.find("div.object_container").hide();
+                      tbl_td.css('border-top-style', 'hidden');
+                  } else {
+                      tbl_td.find("div.object_container").show();
+                      tbl_td.css('border-top-style', 'solid');
+                  }
+                  prev_tr = $(this);
+              } else {
+                  $(this).hide();
+              }
+          });
+      }
+
+      /**
+       * bind form events
+       */
       updateServiceControlUI('relayd');
+
       // get status and build the table body
-      $('#btnRefresh').unbind('click').click(function() {
-         ajaxCall(url = "/api/relayd/status/sum", sendData={}, callback = function(result, status) {
+      $('#btnRefresh').click(function(event) {
+        event.preventDefault();
+        if ($("#btnRefreshProgress").hasClass("fa-spinner")) {
+            return;
+        }
+        // do not wait for relayctl output on consecutive calls
+        let api_wait = $('#tableStatus > tbody > tr').length > 0 ? 1 : 0;
+        $("#btnRefreshProgress").addClass("fa-spinner fa-pulse");
+        ajaxCall("/api/relayd/status/sum/"+api_wait, {}, function(result, status) {
+            $('#tableStatus > tbody').empty();
             if (status == "success" && result.result === 'ok') {
-               $('#tableStatus > tbody').empty();
-               $('#tableStatus > tbody').attr('style', 'display:none;');
-               /* create a table row for each host and combine
-                  virtualserver/table fields afterwards via rowspan */
-               $.each(result.rows, function (vkey, virtualserver) {
-                  var vrowspan = 0;
-                  var trowspan = [];
-                  var html = '<tr class="vrow"><td id="virtualServer' + vkey + '">';
-                  html += getControlButtons(virtualserver.status, virtualserver.id, virtualserver.type);
-                  html += virtualserver.name + ' (' + virtualserver.type + '): ' + virtualserver.status + '</td>';
-                  var tfirst = true;
-                  $.each(virtualserver.tables, function(tkey, table) {
-                     trowspan[tkey] = 0;
-                     if (tfirst == true) {
-                        tfirst = false;
-                     } else {
-                        html += '<tr>';
-                     }
-                     html += '<td id="table' + tkey + '">';
-                     html += getControlButtons(table.status, tkey, 'table');
-                     html += table.name + ' ' + table.status + '</td>';
-                     var hfirst = true;
-                     $.each(table.hosts, function(hkey, host) {
-                        if (hfirst == true) {
-                           hfirst = false;
-                        } else {
-                           html += '<tr>';
+                /* create a table row for each host and combine
+                  virtualserver/table fields afterwards (hide repeating items and align borders accordingly) */
+                $.each(result.rows, function (vkey, virtualserver) {
+                    let $vs_td = $('<td data-id="'+vkey+'" class="relayd_virtualserver"/>');
+                    let listen_str = "";
+                    if (virtualserver.listen_address !== undefined) {
+                        listen_str = " [" + virtualserver.listen_address + ":" + virtualserver.listen_startport +"] "
+                    }
+                    $vs_td.append(
+                        $('<div class="object_container"/>').append(
+                            getControlButtons(virtualserver.status, virtualserver.id, virtualserver.type),
+                            virtualserver.name,
+                            listen_str,
+                            ' (' + virtualserver.type + '): ',
+                            virtualserver.status
+                        ).data('payload', virtualserver).data('type', 'virtualserver')
+                    );
+                    $vs_td.data('display_name', virtualserver.name + listen_str);
+                    if (virtualserver.tables) {
+                        $.each(virtualserver.tables, function(tkey, table) {
+                            let $tbl_td = $('<td data-id="'+tkey+'" class="relayd_table"/>');
+                            $tbl_td.data('display_name', table.name);
+                            $tbl_td.append(
+                                $('<div class="object_container"/>').append(
+                                    getControlButtons(table.status, tkey, 'table'),
+                                    table.name + ' ' + table.status
+                                ).data('payload', table).data('type', 'table')
+                            );
+                            if (table.hosts) {
+                                $.each(table.hosts, function(hkey, host) {
+                                    let $host_td = $('<td data-id="'+hkey+'" class="relayd_host"/>');
+                                    let host_names = [];
+                                    let display_name = host.name ;
+                                    if (host.properties != undefined) {
+                                        for (i=0; i < host.properties.length; i++) {
+                                            if (host.properties[i].name !== host.name) {
+                                                host_names.push(host.properties[i].name);
+                                            }
+                                        }
+                                        if (host_names.length > 0) {
+                                            display_name = display_name + ' [' + host_names.join(',') + '] ';
+                                        }
+                                    }
+                                    $host_td.append(
+                                        $('<div class="object_container"/>').append(
+                                            getControlButtons(host.status, hkey, 'host'),
+                                            display_name,
+                                            " ",
+                                            host.status
+                                        ).data('payload', host).data('type', 'host')
+                                    );
+                                    $host_td.data('display_name', display_name);
+                                    $('#tableStatus > tbody').append(
+                                        $("<tr/>").append(
+                                            $vs_td.clone(true),
+                                            $tbl_td.clone(true),
+                                            $host_td
+                                        )
+                                    );
+                                });
+                            } else {
+                                $('#tableStatus > tbody').append(
+                                    $("<tr/>").append(
+                                        $vs_td.clone(true),
+                                        $tbl_td.clone(true),
+                                        $("<td/>")
+                                    )
+                                );
+                            }
+                        });
+                    } else {
+                        $('#tableStatus > tbody').append(
+                            $("<tr/>").append(
+                                $vs_td.clone(true),
+                                $("<td/>"),
+                                $("<td/>")
+                              )
+                           );
+                    }
+                });
+                $('[data-toggle="tooltip"]').tooltip();
+                apply_filters();
+                // bind node actions
+                $(".node_action").click(function(){
+                    let container = $(this).closest("div.object_container");
+                    let item_payload = container.data('payload');
+                    let action = $(this).data('nodeaction');
+                    let nodeid = $(this).data('nodeid');
+                    let nodetype = $(this).data('nodetype');
+                    let host_uuids = [];
+                    let host_enabled = false;
+                    if (item_payload.properties != undefined) {
+                        for (i=0; i < item_payload.properties.length; i++) {
+                            host_uuids.push(item_payload.properties[i].uuid);
+                            if (item_payload.properties[i].enabled === "1") {
+                                host_enabled = true;
+                            }
                         }
-                        vrowspan++;
-                        trowspan[tkey]++;
-                        html += '<td>';
-                        html += getControlButtons(host.status, hkey, 'host');
-                        html += host.name + ' ' + host.status + '</td></tr>';
-                     });
-                     // dummy host for disabled tables
-                     if (hfirst == true) {
-                        vrowspan++;
-                        html += '<td></td>';
-                     }
-                  });
-
-                  $('#tableStatus > tbody').append(html);
-                  $('#virtualServer' + vkey).attr('rowspan', vrowspan);
-                  $.each(trowspan, function(tid, trowspan) {
-                     $('#table' + tid).attr('rowspan', trowspan);
-                  });
-                  $('#tableStatus > tbody > tr.vrow > td').css('border-top', '2px solid #ddd');
-                  $('#tableStatus > tbody').fadeIn();
-               });
+                    }
+                    if (action === "remove" && nodetype == 'host') {
+                        if (item_payload !== undefined) {
+                            stdDialogConfirm(
+                                '{{ lang._('Relayd') }}',
+                                $("#remove_host_message").text().trim(),
+                                '{{ lang._('Yes') }}',
+                                '{{ lang._('No') }}',
+                                function () {
+                                    if (host_uuids.length > 0) {
+                                        ajaxCall("/api/relayd/status/toggle/host/" + host_uuids.join(',') + "/remove", {}, function(result, status) {
+                                            $("#btnRefresh").click();
+                                        });
+                                    }
+                                }
+                            );
+                        }
+                    } else if (action === "enable" && nodetype == 'host' && !host_enabled) {
+                        stdDialogConfirm(
+                            '{{ lang._('Relayd') }}',
+                            $("#add_host_message").text().trim(),
+                            '{{ lang._('Yes') }}',
+                            '{{ lang._('No') }}',
+                            function () {
+                                if (item_payload.properties != undefined) {
+                                    if (host_uuids.length > 0) {
+                                      ajaxCall("/api/relayd/status/toggle/host/" + host_uuids.join(',') + "/add", {}, function(result, status) {
+                                          $("#btnRefresh").click();
+                                      });
+                                    }
+                                }
+                            }
+                        );
+                    } else {
+                        // default action, parameters for relayctl
+                        ajaxCall("/api/relayd/status/toggle/" + nodetype + "/" + nodeid + "/" +  action, {}, function(result, status) {
+                            $("#btnRefresh").click();
+                        });
+                    }
+                });
             } else {
                $("#tableStatus").html("<tr><td><br/>{{ lang._('The status could not be fetched. Is Relayd running?') }}</td></tr>");
             }
-            $('#btnRefresh').blur();
+            $("#btnRefreshProgress").removeClass("fa-spinner fa-pulse");
          });
       });
+      $(".filter_item").keyup(apply_filters);
+
+      /**
+       * stored selections (presets) events
+       */
+      function update_presets(selected) {
+          let settings = JSON.parse(window.localStorage.getItem("api.relayd.presets"));
+          if (settings === null) {
+              settings = {};
+          }
+          $("#stored_filters").empty();
+          $("#stored_filters").append($("<option/>").val("").text("{{ lang._('Add new')}}"));
+          $("#stored_filters").append($("<option/>").val("__clear__").text("{{ lang._('Clear')}}"));
+
+          Object.keys(settings).sort().forEach(function(name) {
+              $("#stored_filters").append(
+                  $("<option/>").val(name).text(name)
+              );
+          });
+          if (selected !== undefined) {
+              $("#stored_filters").val(selected);
+          }
+          $("#stored_filters").selectpicker("refresh");
+      }
+      $("#stored_filters").change(function(){
+          if ($(this).val() === "__clear__") {
+              $("#hide_table_column").prop("checked", false);
+              $(".filter_item").val("");
+          } else if ($(this).val() !== "" !== $(this).val() !== "__clear__") {
+              let settings = JSON.parse(window.localStorage.getItem("api.relayd.presets"));
+              if (settings !== null && settings[$(this).val()] !== undefined) {
+                  let selections = settings[$(this).val()];
+                  Object.keys(selections).forEach(function(prop) {
+                      let target = $("#"+prop);
+                      if (target.prop("type") === "checkbox") {
+                          target.prop('checked', selections[prop]);
+                      } else {
+                          target.val(selections[prop]);
+                      }
+                  });
+              }
+          }
+          apply_filters();
+      });
+      $("#hide_table_column").change(apply_filters);
+
+      $("#template_add").click(function(event){
+          event.preventDefault();
+          let selected_name = "";
+          if ($(this).val() !== "__clear__") {
+              selected_name = $("#stored_filters").val();
+          }
+          BootstrapDialog.show({
+              type:BootstrapDialog.TYPE_DANGER,
+              title: "<?= gettext("Relayd");?>",
+              message: [
+                  $("<span/>").text("<?=gettext('Save as :');?>"),
+                  $("<input type='text' class='form-control'/>").val(selected_name),
+              ],
+              buttons: [{
+                        label: "<?= gettext("Abort");?>",
+                        action: function(dialogRef) {
+                            dialogRef.close();
+                        }}, {
+                        label: "<?= gettext("Save");?>",
+                        action: function(dialogRef) {
+                          let template_name = dialogRef.getModalBody().find('input').val();
+                          let settings = JSON.parse(window.localStorage.getItem("api.relayd.presets"));
+                          if (settings === null) {
+                              settings = {};
+                          }
+                          settings[template_name] = {
+                            "filter_virtualserver": $("#filter_virtualserver").val(),
+                            "filter_table": $("#filter_table").val(),
+                            "filter_host": $("#filter_host").val(),
+                            "hide_table_column": $("#hide_table_column").is(':checked')
+                          };
+                          window.localStorage.setItem("api.relayd.presets", JSON.stringify(settings));
+                          update_presets(template_name);
+                          dialogRef.close();
+                      }
+                  }]
+          });
+      });
+      $("#template_delete").click(function(){
+          let settings = JSON.parse(window.localStorage.getItem("api.relayd.presets"));
+          let prop = $("#stored_filters").val();
+          if (settings !== null && settings[prop] !== undefined) {
+              delete settings[prop];
+              window.localStorage.setItem("api.relayd.presets", JSON.stringify(settings));
+              update_presets();
+          }
+      });
 
-      // initial load
+      /**
+       * initial load
+       */
       $("#btnRefresh").click();
+      if (window.localStorage) {
+          update_presets();
+          $("#presets").collapse('show');
+      } else {
+          // without localStorage, presets aren't supported
+          $("#stored_presets_panel").delete();
+      }
 
    });
 
-   // create status and start/stop buttons
-   function getControlButtons(status, id, nodeType) {
-       var statusClass = "btn btn-xs glyphicon ";
-       var controlClass = "btn btn-xs btn-default glyphicon ";
-       var action;
-
-       if (status.substring(0, 6) === 'active' || status === 'up') {
-          statusClass += "btn-success glyphicon-play";
-          controlClass += "glyphicon-stop";
-          controlTitle = "Stop this " + nodeType;
-          action = 'onclick="toggleNode(\'' + nodeType + '\', ' + id + ', \'disable\')""';
-       } else if (status === 'disabled') {
-          statusClass += "btn-danger glyphicon-stop";
-          controlClass += "glyphicon-play";
-          controlTitle = "Start this " + nodeType;
-          action = 'onclick="toggleNode(\'' + nodeType + '\', ' + id + ', \'enable\')"';
-       } else {
-          statusClass += "btn-danger glyphicon-stop";
-          controlClass += "glyphicon-play";
-          action = 'disabled="disabled"';
-       }
-       // no action for relays; see relayctl(8)
-       if (nodeType === 'relay') {
-          action = 'disabled="disabled"';
-       }
-       var html = '<span class="' + statusClass + '" style="cursor: default;"> </span>&nbsp;';
-       html += '<span ' + action + ' class="' + controlClass + '" title="' + controlTitle + '"> </span>&nbsp;';
-       return html;
-    };
-
-    // enable/disable redirects, tables or hosts
-    function toggleNode(nodeType, id, action) {
-        ajaxCall(url = "/api/relayd/status/toggle/" + nodeType + "/" + id + "/" + action, callback = function(result, status) {
-           $("#btnRefresh").click();
-        });
-     };
-
 </script>
 
-<div class="content-box">
-   <table id="tableStatus" class="table table-condensed">
-      <thead><tr><th>{{ lang._('Virtual Server') }}</th><th>{{ lang._('Table') }}</th><th>{{ lang._('Host') }}</th></tr></thead>
-      <tbody style="display:none;"></tbody>
-   </table>
-   <div  class="col-sm-12">
-      <div class="row">
-         <table class="table">
-            <tr>
-               <td>
-                  <div class="pull-right">
-                     <button class="btn btn-primary" id="btnRefresh" type="button"><b>{{ lang._('Refresh') }}</b> <span id="btnRefreshProgress" class="fa fa-refresh"> </span></button>
-                  </div>
-               </td>
-            </tr>
-         </table>
+<style type="text/css">
+.panel-heading-sm{
+    height: 28px;
+    padding: 4px 10px;
+}
+</style>
+
+<div style="display:none" id="tooltips">
+    <!--
+      dynamic labels to ease translations
+    -->
+    <label id="stop_host_label">{{ lang._('Stop this host') }}</label>
+    <label id="stop_table_label">{{ lang._('Stop this table') }}</label>
+    <label id="stop_relay_label">{{ lang._('Stop this relay') }}</label>
+    <label id="stop_redirect_label">{{ lang._('Stop this redirect') }}</label>
+    <label id="start_host_label">{{ lang._('Start this host') }}</label>
+    <label id="start_table_label">{{ lang._('Start this table') }}</label>
+    <label id="start_relay_label">{{ lang._('Start this relay') }}</label>
+    <label id="start_redirect_label">{{ lang._('Start this redirect') }}</label>
+    <label id="remove_host_label">{{ lang._('Disable this host') }}</label>
+    <label id="remove_host_message">{{ lang._('
+      Are you sure you do want to disable this host?
+      When being used in other virtual servers it will be disabled in there as well.') }}
+    </label>
+    <label id="add_host_message">{{ lang._('
+      Are you sure you do want to enable this host?
+      When being used in other virtual servers it will be enabled in there as well.') }}
+    </label>
+</div>
+
+
+   <div class="panel panel-primary" id="stored_presets_panel">
+      <div class="panel-heading panel-heading-sm">
+        <i class="fa fa-chevron-down" style="cursor: pointer;" data-toggle="collapse" data-target="#presets"></i>
+        <b>{{ lang._('Presets') }}</b>
+      </div>
+      <div class="panel-body collapse" id="presets">
+          <form class="form-inline">
+            <div class="form-group">
+              <select class="selectpicker" id="stored_filters" data-toggle="tooltip" title="{{ lang._('Saved selections')}}">
+              </select>
+              <button id="template_add" type="button" class="btn btn-default" data-toggle="tooltip" title="{{ lang._('Add template')}}">
+                  <span class="fa fa-save"></span>
+              </button>
+              <button id="template_delete" type="button" class="btn btn-default" data-toggle="tooltip" title="{{ lang._('Deleted selected template')}}">
+                  <span class="fa fa-trash"></span>
+              </button>
+              <div class="checkbox">
+                <input type="checkbox" id="hide_table_column">
+                <label for="hide_table_column"><strong>{{ lang._('Hide table column')}}</strong></label>
+              </div>
+            </div>
+          </form>
       </div>
    </div>
+   <div class="panel panel-default">
+   <table id="tableStatus" class="table table-condensed">
+      <thead>
+          <tr>
+              <th class="relayd_virtualserver_th">{{ lang._('Virtual Server') }}</th>
+              <th class="relayd_table_th">{{ lang._('Table') }}</th>
+              <th class="relayd_host_th">{{ lang._('Host') }}</th>
+          </tr>
+          <tr>
+              <th class="relayd_virtualserver_th"><input type="text" id="filter_virtualserver" class="input-sm filter_item" autocomplete="off"></th>
+              <th class="relayd_table_th"><input type="text" id="filter_table" class="input-sm filter_item" autocomplete="off"></th>
+              <th class="relayd_host_th"><input type="text" id="filter_host" class="input-sm filter_item" autocomplete="off"></th>
+          </tr>
+      </thead>
+      <tbody></tbody>
+      <tfoot>
+        <tr>
+           <td colspan="3">
+              <div class="pull-right">
+                 <button class="btn btn-primary" id="btnRefresh" type="button"><b>{{ lang._('Refresh') }}</b>
+                   <span id="btnRefreshProgress" class="fa fa-refresh"> </span>
+                 </button>
+              </div>
+           </td>
+        </tr>
+      </tfoot>
+   </table>
+ </div>
 </div>
diff --git a/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf b/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
index f8b6b9bbcd..5f99db8955 100644
--- a/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
+++ b/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
@@ -1,6 +1,7 @@
 # DO NOT EDIT THIS FILE -- OPNsense auto-generated file
 
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
+{%  set all_active_tables = [] %}
 {% if helpers.exists('OPNsense.relayd.general') %}
 {%  if helpers.exists('OPNsense.relayd.general.interval') %}
 interval {{ OPNsense.relayd.general.interval }}
@@ -18,21 +19,30 @@ timeout {{ OPNsense.relayd.general.timeout }}
 
 {% if helpers.exists('OPNsense.relayd.table') %}
 {%  for table in helpers.toList('OPNsense.relayd.table') %}
-{%   set name = table.name %}
 {%   set disable = '' %}
-{%   set hosts = '' %}
+{%   set hosts = [] %}
 {%   if table.enabled|default('1') == '0' %}
 {%    set disable = ' disable' %}
 {%   endif %}
-table <{{ name }}>{{ disable }} {
-{%    for host in table.hosts.split(",") %}
-{%      set host = helpers.getUUID(host) %}
-{%      set ipTTL = " ip ttl " ~ host.ipTTL if host.ipTTL is defined %}
-{%      set priority = " priority " ~ host.priority if host.priority is defined %}
-{%      set retry = " retry " ~ host.retry if host.retry is defined %}
+{%   for hostid in table.hosts.split(",") %}
+{%     set host = helpers.getUUID(hostid) %}
+{%     if host.enabled|default("1") == "1" %}
+{%       do hosts.append(host) %}
+{%     endif %}
+{%   endfor %}
+{%    if hosts|length > 0 %}
+table <{{ table.name }}>{{ disable }} {
+{%      do all_active_tables.append(table['@uuid']) %}
+{%      for host in hosts %}
+{%        set ipTTL = " ip ttl " ~ host.ipTTL if host.ipTTL is defined %}
+{%        set priority = " priority " ~ host.priority if host.priority is defined %}
+{%        set retry = " retry " ~ host.retry if host.retry is defined %}
+{%        if host.enabled|default("1") == "1" %}
 {{ host.address }}{{ ipTTL }}{{ priority }}{{ retry }}
-{%    endfor %}
+{%        endif %}
+{%      endfor %}
 }
+{%    endif %}
 {%  endfor %}
 {% endif %}
 
@@ -45,106 +55,110 @@ table <{{ name }}>{{ disable }} {
 {% endif %}
 
 {% if helpers.exists('OPNsense.relayd.virtualserver') %}
-{%  for virtualserver in helpers.toList('OPNsense.relayd.virtualserver') %}
+{%    for virtualserver in helpers.toList('OPNsense.relayd.virtualserver') %}
+{%      if virtualserver.transport_table in all_active_tables or virtualserver.backuptransport_table in all_active_tables %}
 {{ virtualserver.type }} "{{virtualserver.name}}" {
-{%   if virtualserver.enabled|default('1') == '0' %}
+{%        if virtualserver.enabled|default('1') == '0' %}
 disable
-{%   endif %}
-{%   set listen = "listen on " ~ virtualserver.listen_address %}
-{%   if virtualserver.listen_startport is defined %}
-{%    set listen = listen ~ " port " ~ virtualserver.listen_startport %}
-{%    if virtualserver.listen_endport is defined and virtualserver.type == 'redirect'%}
-{%     set listen = listen ~ ":" ~ virtualserver.listen_endport %}
-{%    endif %}
-{%   endif %}
-{%   if virtualserver.listen_interface is defined and virtualserver.type == 'redirect' %}
-{%    set listen = listen ~ " interface " ~ physical_interface(virtualserver.listen_interface) %}
-{%   endif %}
+{%        endif %}
+{%        set listen = "listen on " ~ virtualserver.listen_address %}
+{%        if virtualserver.listen_startport is defined %}
+{%          set listen = listen ~ " port " ~ virtualserver.listen_startport %}
+{%          if virtualserver.listen_endport is defined and virtualserver.type == 'redirect'%}
+{%            set listen = listen ~ ":" ~ virtualserver.listen_endport %}
+{%          endif %}
+{%        endif %}
+{%        if virtualserver.listen_interface is defined and virtualserver.type == 'redirect' %}
+{%          set listen = listen ~ " interface " ~ physical_interface(virtualserver.listen_interface) %}
+{%        endif %}
 {{ listen }}
-{%   set transport_type = 'forward' %}
-{%   if virtualserver.type == 'redirect' %}
-{%    set transport_type = virtualserver.transport_type %}
-{%    if virtualserver.transport_type == 'route' %}
-{%     set routing_interface = " interface " ~ virtualserver.routing_interface %}
-{%    endif %}
-{%   endif %}
-{%   set table = helpers.getUUID(virtualserver.transport_table) %}
-{%   set tablecheck = helpers.getUUID(virtualserver.transport_tablecheck) %}
-{%   set _tablecheck = '' %}
-{%   if tablecheck.type == 'http' and tablecheck.path is defined %}
-{%    set _tablecheck = 'check ' ~ tablecheck.type %}
-{%    if tablecheck.ssl|default('0') == '1' %}
-{%     set _tablecheck = _tablecheck ~ 's' %}
-{%    endif %}
-{%    set _tablecheck = _tablecheck ~ ' "' ~ tablecheck.path ~ '"' %}
-{%    if tablecheck.host is defined %}
-{%     set _tablecheck = _tablecheck ~ ' host ' ~ tablecheck.host %}
-{%    endif %}
-{%    if tablecheck.code is defined %}
-{%     set _tablecheck = _tablecheck ~ ' code ' ~ tablecheck.code %}
-{%    elif tablecheck.digest is defined %}
-{%     set _tablecheck = _tablecheck ~ ' digest "' ~ tablecheck.digest ~ '"' %}
-{%    else %}
-{%     set _tablecheck = '' %}
-{%    endif %}
-{%   elif tablecheck.type == 'script' and tablecheck.path is defined %}
-{%    set _tablecheck = 'check ' ~ tablecheck.type ~ ' "' ~ tablecheck.path ~ '"' %}
-{%   elif tablecheck.type == 'send' and tablecheck.expect is defined %}
-{%    set _tablecheck = 'check ' ~ tablecheck.type ~ ' "' ~ tablecheck.data ~ '" expect "' ~ tablecheck.expect ~ '"' %}
-{%    if tablecheck.ssl|default('0') == '1' %}
-{%     set _tablecheck = _tablecheck ~ ' ssl' %}
-{%    endif %}
-{%   else %}
-{%    set _tablecheck = 'check ' ~ tablecheck.type %}
-{%   endif %}
-{%   set port = " port " ~ virtualserver.transport_port if virtualserver.transport_port is defined %}
-{%   set timeout = " timeout " ~ virtualserver.transport_timeout if virtualserver.transport_timeout is defined %}
-{%   set interval = " interval " ~ virtualserver.transport_interval if virtualserver.transport_interval is defined %}
+{%        set transport_type = 'forward' %}
+{%        if virtualserver.type == 'redirect' %}
+{%          set transport_type = virtualserver.transport_type %}
+{%          if virtualserver.transport_type == 'route' %}
+{%            set routing_interface = " interface " ~ virtualserver.routing_interface %}
+{%          endif %}
+{%        endif %}
+{%        if virtualserver.transport_table in all_active_tables %}
+{%          set table = helpers.getUUID(virtualserver.transport_table) %}
+{%          set tablecheck = helpers.getUUID(virtualserver.transport_tablecheck) %}
+{%          set _tablecheck = '' %}
+{%          if tablecheck.type == 'http' and tablecheck.path is defined %}
+{%            set _tablecheck = 'check ' ~ tablecheck.type %}
+{%            if tablecheck.ssl|default('0') == '1' %}
+{%              set _tablecheck = _tablecheck ~ 's' %}
+{%            endif %}
+{%            set _tablecheck = _tablecheck ~ ' "' ~ tablecheck.path ~ '"' %}
+{%            if tablecheck.host is defined %}
+{%              set _tablecheck = _tablecheck ~ ' host ' ~ tablecheck.host %}
+{%            endif %}
+{%            if tablecheck.code is defined %}
+{%              set _tablecheck = _tablecheck ~ ' code ' ~ tablecheck.code %}
+{%            elif tablecheck.digest is defined %}
+{%              set _tablecheck = _tablecheck ~ ' digest "' ~ tablecheck.digest ~ '"' %}
+{%            else %}
+{%              set _tablecheck = '' %}
+{%            endif %}
+{%          elif tablecheck.type == 'script' and tablecheck.path is defined %}
+{%            set _tablecheck = 'check ' ~ tablecheck.type ~ ' "' ~ tablecheck.path ~ '"' %}
+{%          elif tablecheck.type == 'send' and tablecheck.expect is defined %}
+{%            set _tablecheck = 'check ' ~ tablecheck.type ~ ' "' ~ tablecheck.data ~ '" expect "' ~ tablecheck.expect ~ '"' %}
+{%            if tablecheck.ssl|default('0') == '1' %}
+{%              set _tablecheck = _tablecheck ~ ' ssl' %}
+{%            endif %}
+{%          else %}
+{%            set _tablecheck = 'check ' ~ tablecheck.type %}
+{%          endif %}
+{%          set port = " port " ~ virtualserver.transport_port if virtualserver.transport_port is defined %}
+{%          set timeout = " timeout " ~ virtualserver.transport_timeout if virtualserver.transport_timeout is defined %}
+{%          set interval = " interval " ~ virtualserver.transport_interval if virtualserver.transport_interval is defined %}
 {{ transport_type }} to <{{ table.name }}>{{ port }} mode {{ virtualserver.transport_tablemode }}{{ timeout }} {{ interval }} {{ _tablecheck }} {{ routing_interface }}
-{%   if virtualserver.backuptransport_table is defined and virtualserver.transport_type == 'forward' %}
-{%    set backuptable = helpers.getUUID(virtualserver.backuptransport_table) %}
-{%    set backuptablecheck = helpers.getUUID(virtualserver.backuptransport_tablecheck) if virtualserver.backuptransport_tablecheck is defined %}
-{%    set _backuptablecheck = '' %}
-{%    if backuptablecheck.type == 'http' and backuptablecheck.path is defined%}
-{%     set _backuptablecheck = 'check ' ~ backuptablecheck.type %}
-{%     if backuptablecheck.ssl|default('0') == '1' %}
-{%      set _backuptablecheck = _backuptablecheck ~ 's' %}
-{%     endif %}
-{%     set _backuptablecheck = _backuptablecheck ~ ' "' ~ backuptablecheck.path ~ '"' %}
-{%     if backuptablecheck.host is defined %}
-{%      set _backuptablecheck = _backuptablecheck ~ ' host ' ~ backuptablecheck.host %}
-{%     endif %}
-{%     if backuptablecheck.code is defined %}
-{%      set _backuptablecheck = _backuptablecheck ~ ' code ' ~ backuptablecheck.code %}
-{%     elif backuptablecheck.digest is defined %}
-{%      set _backuptablecheck = _backuptablecheck ~ ' digest "' ~ backuptablecheck.digest ~ '"' %}
-{%     else %}
-{%      set _backuptablecheck = '' %}
-{%     endif %}
-{%    elif backuptablecheck.type == 'script' and backuptablecheck.path is defined %}
-{%     set _backuptablecheck = 'check ' ~ backuptablecheck.type ~ ' "' ~ backuptablecheck.path ~ '"' %}
-{%    elif backuptablecheck.type == 'send' and backuptablecheck.expect is defined %}
-{%     set _backuptablecheck = 'check ' ~ backuptablecheck.type ~ ' "' ~ backuptablecheck.data ~ '" expect "' ~ backuptablecheck.expect ~ '"' %}
-{%     if backuptablecheck.ssl|default('0') == '1' %}
-{%      set _backuptablecheck = _backuptablecheck ~ ' ssl' %}
-{%     endif %}
-{%    else %}
-{%     set _backuptablecheck = 'check ' ~ backuptablecheck.type %}
-{%    endif %}
-{%   set backuptimeout = " timeout " ~ virtualserver.backuptransport_timeout if virtualserver.backuptransport_timeout is defined %}
-{%   set backupinterval = " interval " ~ virtualserver.backuptransport_interval if virtualserver.backuptransport_interval is defined %}
+{%        endif %}
+{%        set backuptablecheck = helpers.getUUID(virtualserver.backuptransport_tablecheck) if virtualserver.backuptransport_tablecheck is defined else None%}
+{%        if backuptablecheck and virtualserver.backuptransport_table is defined and virtualserver.backuptransport_table in all_active_tables and virtualserver.transport_type == 'forward'  %}
+{%          set backuptable = helpers.getUUID(virtualserver.backuptransport_table) %}
+{%          set _backuptablecheck = '' %}
+{%          if backuptablecheck.type == 'http' and backuptablecheck.path is defined%}
+{%            set _backuptablecheck = 'check ' ~ backuptablecheck.type %}
+{%            if backuptablecheck.ssl|default('0') == '1' %}
+{%              set _backuptablecheck = _backuptablecheck ~ 's' %}
+{%            endif %}
+{%            set _backuptablecheck = _backuptablecheck ~ ' "' ~ backuptablecheck.path ~ '"' %}
+{%            if backuptablecheck.host is defined %}
+{%              set _backuptablecheck = _backuptablecheck ~ ' host ' ~ backuptablecheck.host %}
+{%            endif %}
+{%            if backuptablecheck.code is defined %}
+{%              set _backuptablecheck = _backuptablecheck ~ ' code ' ~ backuptablecheck.code %}
+{%            elif backuptablecheck.digest is defined %}
+{%              set _backuptablecheck = _backuptablecheck ~ ' digest "' ~ backuptablecheck.digest ~ '"' %}
+{%            else %}
+{%              set _backuptablecheck = '' %}
+{%            endif %}
+{%          elif backuptablecheck.type == 'script' and backuptablecheck.path is defined %}
+{%            set _backuptablecheck = 'check ' ~ backuptablecheck.type ~ ' "' ~ backuptablecheck.path ~ '"' %}
+{%          elif backuptablecheck.type == 'send' and backuptablecheck.expect is defined %}
+{%            set _backuptablecheck = 'check ' ~ backuptablecheck.type ~ ' "' ~ backuptablecheck.data ~ '" expect "' ~ backuptablecheck.expect ~ '"' %}
+{%            if backuptablecheck.ssl|default('0') == '1' %}
+{%              set _backuptablecheck = _backuptablecheck ~ ' ssl' %}
+{%            endif %}
+{%          else %}
+{%            set _backuptablecheck = 'check ' ~ backuptablecheck.type %}
+{%          endif %}
+{%          set backuptimeout = " timeout " ~ virtualserver.backuptransport_timeout if virtualserver.backuptransport_timeout is defined %}
+{%          set backupinterval = " interval " ~ virtualserver.backuptransport_interval if virtualserver.backuptransport_interval is defined %}
 {{ transport_type }} to <{{ backuptable.name }}>{{ port }} mode {{ virtualserver.transport_tablemode }}{{ backuptimeout }} {{ backupinterval }} {{ _backuptablecheck }}
-{%   endif %}
-{%   if virtualserver.sessiontimeout is defined %}
+{%        endif %}
+{%        if virtualserver.sessiontimeout is defined %}
 session timeout {{ virtualserver.sessiontimeout }}
-{%   endif %}
-{%   if virtualserver.stickyaddress|default('0') == '1' and virtualserver.type == 'redirect' %}
+{%        endif %}
+{%        if virtualserver.stickyaddress|default('0') == '1' and virtualserver.type == 'redirect' %}
 sticky-address
-{%   endif %}
-{%   if virtualserver.protocol is defined and virtualserver.type == 'relay' %}
-{%    set protocol = helpers.getUUID(virtualserver.protocol) %}
+{%        endif %}
+{%        if virtualserver.protocol is defined and virtualserver.type == 'relay' %}
+{%          set protocol = helpers.getUUID(virtualserver.protocol) %}
 protocol "{{ protocol.name }}"
-{%   endif %}
+{%        endif %}
 }
-{%  endfor %}
+{%      endif %}
+{%    endfor %}
 {% endif %}

From b2a556f05718defea7dcece39eb7847083d15b38 Mon Sep 17 00:00:00 2001
From: jan-win1993 <47572976+jan-win1993@users.noreply.github.com>
Date: Wed, 19 May 2021 12:32:51 +0200
Subject: [PATCH 0583/3088] Add puppet-agent plugin (#2358)

---
 sysutils/puppet-agent/Makefile                |  8 ++
 sysutils/puppet-agent/pkg-descr               |  7 ++
 .../src/etc/inc/plugins.inc.d/puppetagent.inc | 61 ++++++++++++
 .../PuppetAgent/Api/ServiceController.php     | 75 +++++++++++++++
 .../PuppetAgent/Api/SettingsController.php    | 93 +++++++++++++++++++
 .../OPNsense/PuppetAgent/IndexController.php  | 47 ++++++++++
 .../OPNsense/PuppetAgent/forms/general.xml    | 20 ++++
 .../models/OPNsense/PuppetAgent/ACL/ACL.xml   |  9 ++
 .../models/OPNsense/PuppetAgent/Menu/Menu.xml |  5 +
 .../OPNsense/PuppetAgent/PuppetAgent.php      | 38 ++++++++
 .../OPNsense/PuppetAgent/PuppetAgent.xml      | 24 +++++
 .../app/views/OPNsense/PuppetAgent/index.volt | 62 +++++++++++++
 .../conf/actions.d/actions_puppetagent.conf   | 23 +++++
 .../templates/OPNsense/PuppetAgent/+TARGETS   |  2 +
 .../OPNsense/PuppetAgent/puppetagent.conf     | 10 ++
 .../templates/OPNsense/PuppetAgent/rc.conf.d  |  5 +
 16 files changed, 489 insertions(+)
 create mode 100644 sysutils/puppet-agent/Makefile
 create mode 100644 sysutils/puppet-agent/pkg-descr
 create mode 100644 sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/SettingsController.php
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/IndexController.php
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/ACL/ACL.xml
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/Menu/Menu.xml
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.php
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
 create mode 100644 sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
 create mode 100644 sysutils/puppet-agent/src/opnsense/service/conf/actions.d/actions_puppetagent.conf
 create mode 100644 sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/+TARGETS
 create mode 100644 sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
 create mode 100644 sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/rc.conf.d

diff --git a/sysutils/puppet-agent/Makefile b/sysutils/puppet-agent/Makefile
new file mode 100644
index 0000000000..af7209fe70
--- /dev/null
+++ b/sysutils/puppet-agent/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		puppet-agent
+PLUGIN_VERSION=		0.1
+PLUGIN_DEVEL=		yes
+PLUGIN_COMMENT=		Manage Puppet Agent
+PLUGIN_DEPENDS=		puppet7
+PLUGIN_MAINTAINER=	jan.wink93@gmail.com
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
new file mode 100644
index 0000000000..ed77366165
--- /dev/null
+++ b/sysutils/puppet-agent/pkg-descr
@@ -0,0 +1,7 @@
+Puppet lets you centrally manage every important aspect of your system using
+a cross-platform specification language that manages all the separate
+elements normally aggregated in different files, like users, cron jobs, and
+hosts, along with obviously discrete elements like packages, services, and
+files.
+
+WWW:  https://puppet.com/docs/puppet/latest/man/agent.html
diff --git a/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc b/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
new file mode 100644
index 0000000000..bbeb217b07
--- /dev/null
+++ b/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
@@ -0,0 +1,61 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Jan Winkler 
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function puppetagent_enabled()
+{
+    global $config;
+
+    return isset($config['OPNsense']['puppetagent']['general']['Enabled']) &&
+    $config['OPNsense']['puppetagent']['general']['Enabled'] == 1;
+}
+
+/**
+ *  register legacy service
+ * @return array
+ */
+function puppetagent_services()
+{
+    $services = array();
+
+    if (!puppetagent_enabled()) {
+        return $services;
+    }
+
+    $services[] = array(
+        'description' => gettext('Puppet Agent Service'),
+        'pidfile' => '/var/run/puppet/agent.pid',
+        'configd' => array(
+            'restart' => array('puppetagent restart'),
+            'start' => array('puppetagent start'),
+            'stop' => array('puppetagent stop'),
+        ),
+        'name' => 'puppet-agent',
+    );
+
+    return $services;
+}
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
new file mode 100644
index 0000000000..58c60f552d
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
@@ -0,0 +1,75 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Jan Winkler
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\PuppetAgent\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\PuppetAgent\PuppetAgent;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\PuppetAgent
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\PuppetAgent\PuppetAgent';
+    protected static $internalServiceTemplate = 'OPNsense/PuppetAgent';
+    protected static $internalServiceEnabled = 'general.Enabled';
+    protected static $internalServiceName = 'puppetagent';
+
+    public function reconfigureAction()
+    {
+        if ($this->request->isPost()) {
+            // close session for long running action
+            $this->sessionClose();
+
+            $backend = new Backend();
+            // generate template
+            $backend->configdRun('template reload OPNsense/PuppetAgent');
+
+            $mdlPuppetAgent = new PuppetAgent();
+
+            // (res)start daemon
+            if ($mdlPuppetAgent->general->Enabled->__toString() == 1) {
+                $this->startAction();
+            }
+            // stop Puppet Agent when disabled
+            else {
+                $this->stopAction();
+            }
+            return array("status" => "ok");
+            }
+        else {
+            return array("status" => "failed");
+        }
+    }
+}
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/SettingsController.php b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/SettingsController.php
new file mode 100644
index 0000000000..fcd5e88615
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/SettingsController.php
@@ -0,0 +1,93 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Jan Winkler
+ *    Copyright (C) 2015-2019 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\PuppetAgent\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\PuppetAgent\PuppetAgent;
+use OPNsense\Core\Config;
+
+/**
+ * Class SettingsController Handles settings related API actions for the PuppetAgent module
+ * @package OPNsense\PuppetAgent
+ */
+class SettingsController extends ApiControllerBase
+{
+    /**
+     * retrieve PuppetAgent general settings
+     * @return array general settings
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        // define list of configurable settings
+        $result = array();
+        if ($this->request->isGet()) {
+            $mdlPuppetAgent = new PuppetAgent();
+            $result['puppetagent'] = $mdlPuppetAgent->getNodes();
+        }
+        return $result;
+    }
+
+    /**
+     * update PupppetAgent settings
+     * @return array status
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function setAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            // load model and update with provided data
+            $mdlPuppetAgent = new PuppetAgent();
+            $mdlPuppetAgent->setNodes($this->request->getPost("puppetagent"));
+
+            // perform validation
+            $valMsgs = $mdlPuppetAgent->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                if (!array_key_exists("validations", $result)) {
+                    $result["validations"] = array();
+                }
+                $result["validations"]["puppetagent." . $msg->getField()] = $msg->getMessage();
+            }
+
+            // serialize model to config and save
+            if ($valMsgs->count() == 0) {
+                $mdlPuppetAgent->serializeToConfig();
+                Config::getInstance()->save();
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+}
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/IndexController.php b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/IndexController.php
new file mode 100644
index 0000000000..d5398024d0
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/IndexController.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Jan Winkler
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\PuppetAgent;
+
+/**
+ * Class IndexController
+ * @package OPNsense\PuppetAgent
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // pick the template to serve to our users.
+        $this->view->pick('OPNsense/PuppetAgent/index');
+        // fetch form data "general" in
+        $this->view->generalForm = $this->getForm("general");
+    }
+}
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
new file mode 100644
index 0000000000..6713c5ec46
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
@@ -0,0 +1,20 @@
+<form>
+    <field>
+        <id>puppetagent.general.Enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable Puppet Agent</help>
+    </field>
+    <field>
+        <id>puppetagent.general.FQDN</id>
+        <label>Puppet Server FQDN</label>
+        <type>text</type>
+        <help>Change Puppet Server FQDN</help>
+    </field>
+    <field>
+        <id>puppetagent.general.Environment</id>
+        <label>Puppet Environment</label>
+        <type>text</type>
+        <help>Change Puppet Agent Environment</help>
+    </field>
+</form>
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/ACL/ACL.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/ACL/ACL.xml
new file mode 100644
index 0000000000..b65ad7e656
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-user-puppetagent>
+        <name>Services: Puppet Agent</name>
+        <patterns>
+            <pattern>ui/puppetagent/*</pattern>
+            <pattern>api/puppetagent/*</pattern>
+        </patterns>
+    </page-user-puppetagent>
+</acl>
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/Menu/Menu.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/Menu/Menu.xml
new file mode 100644
index 0000000000..e0c6f69d70
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/Menu/Menu.xml
@@ -0,0 +1,5 @@
+<menu>
+    <Services>
+        <PuppetAgent VisibleName="Puppet Agent" url="/ui/puppetagent"/>
+    </Services>
+</menu>
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.php b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.php
new file mode 100644
index 0000000000..0dd518a3cd
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.php
@@ -0,0 +1,38 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Jan Winkler
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\PuppetAgent;
+
+use OPNsense\Base\BaseModel;
+
+class PuppetAgent extends BaseModel
+{
+}
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
new file mode 100644
index 0000000000..100aeeeb0f
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
@@ -0,0 +1,24 @@
+<model>
+    <mount>//OPNsense/puppetagent</mount>
+    <description>
+        Manage Puppet Agent service
+    </description>
+    <items>
+        <!-- container -->
+        <general>
+            <!-- fields -->
+            <Enabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </Enabled>
+            <FQDN type="HostnameField">
+                <Required>Y</Required>
+            </FQDN>
+            <Environment type="TextField">
+                <Required>Y</Required>
+                <mask>/^.{1,100}$/u</mask>
+                <ValidationMessage>Should be a string between 1 and 100 characters.</ValidationMessage>
+            </Environment>
+        </general>
+    </items>
+</model>
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt b/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
new file mode 100644
index 0000000000..289cf4e88b
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
@@ -0,0 +1,62 @@
+{#
+
+OPNsense® is Copyright © 2021 Jan Winkler
+OPNsense® is Copyright © 2014 – 2015 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        var data_get_map = {'frm_GeneralSettings':"/api/puppetagent/settings/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            // place actions to run after load, for example update form styles.
+        });
+
+        updateServiceControlUI('puppetagent');
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint(url="/api/puppetagent/settings/set",formid='frm_GeneralSettings',callback_ok=function(){
+                // action to run after successful save, for example reconfigure service.
+                ajaxCall(url="/api/puppetagent/service/reconfigure", sendData={},callback=function(data,status) {
+                    // action to run after reload
+                    updateServiceControlUI('puppetagent');
+                });
+            });
+        });
+    });
+</script>
+
+<div class="alert alert-info hidden" role="alert" id="responseMsg">
+
+</div>
+
+<div  class="col-md-12">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
+</div>
+
+<div class="col-md-12">
+    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Save') }}</b></button>
+</div>
diff --git a/sysutils/puppet-agent/src/opnsense/service/conf/actions.d/actions_puppetagent.conf b/sysutils/puppet-agent/src/opnsense/service/conf/actions.d/actions_puppetagent.conf
new file mode 100644
index 0000000000..8081449535
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/service/conf/actions.d/actions_puppetagent.conf
@@ -0,0 +1,23 @@
+[start]
+command:/usr/local/etc/rc.d/puppet start
+parameters:
+type:script
+message:starting puppet agent
+
+[stop]
+command:/usr/local/etc/rc.d/puppet onestop
+parameters:
+type:script
+message:stop puppet agent
+
+[restart]
+command:/usr/local/etc/rc.d/puppet restart
+parameters:
+type:script
+message:restart puppet agent
+
+[status]
+command:/usr/local/etc/rc.d/puppet onestatus; exit 0
+parameters:
+type:script_output
+message:request puppet agent status
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/+TARGETS b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/+TARGETS
new file mode 100644
index 0000000000..085fa8c75b
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/+TARGETS
@@ -0,0 +1,2 @@
+puppetagent.conf:/usr/local/etc/puppet/puppet.conf
+rc.conf.d:/etc/rc.conf.d/puppet
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
new file mode 100644
index 0000000000..1319d02e81
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
@@ -0,0 +1,10 @@
+{% if helpers.exists('OPNsense.puppetagent.general') and OPNsense.puppetagent.general.Enabled|default("0") == "1" %}
+[main]
+certname = {{ system.hostname|lower }}.{{ system.domain|lower }}
+server = {{ OPNsense.puppetagent.general.FQDN|default("") }}
+{% if helpers.exists('OPNsense.puppetagent.general') and not helpers.empty('OPNsense.puppetagent.general.Environment') %}
+[agent]
+environment = {{ OPNsense.puppetagent.general.Environment|default("") }}
+{% endif %}
+{% endif %}
+
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/rc.conf.d b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/rc.conf.d
new file mode 100644
index 0000000000..a36c64f16b
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/rc.conf.d
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.puppetagent.general') and OPNsense.puppetagent.general.Enabled|default("0") == "1" %}
+puppet_enable="YES"
+{% else %}
+puppet_enable="NO"
+{% endif %}

From afab6eaf7d6e86d8a11a23b7faf3ac4fad0ccbe5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 May 2021 16:00:17 +0200
Subject: [PATCH 0584/3088] plugins: style, whitespace and sync

---
 LICENSE                                            |  4 +++-
 README.md                                          |  3 ++-
 .../systemhealth/logformats/zabbix_proxy.py        |  0
 .../systemhealth/logformats/zabbix_proxy.py        |  0
 .../src/etc/inc/plugins.inc.d/radsecproxy.inc      |  1 -
 .../OPNsense/Relayd/Api/StatusController.php       | 14 +++++++-------
 .../src/etc/inc/plugins.inc.d/puppetagent.inc      |  2 +-
 .../OPNsense/PuppetAgent/Api/ServiceController.php |  3 +--
 .../OPNsense/PuppetAgent/puppetagent.conf          |  1 -
 .../Base/Constraints/NaxsiIdentifierConstraint.php |  2 +-
 .../Base/Constraints/NgxBusyBufferConstraint.php   |  8 +++++---
 11 files changed, 20 insertions(+), 18 deletions(-)
 mode change 100644 => 100755 net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
 mode change 100644 => 100755 net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py

diff --git a/LICENSE b/LICENSE
index c0d0614edb..33e3021840 100644
--- a/LICENSE
+++ b/LICENSE
@@ -5,7 +5,8 @@ Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2020 D. Domig
 Copyright (c) 2011 Dan Myers
 Copyright (c) 2017-2018 David Harrigan
-Copyright (c) 2014-2020 Deciso B.V.
+Copyright (c) 2021 David Hughes
+Copyright (c) 2014-2021 Deciso B.V.
 Copyright (c) 2008 Donovan Schonknecht
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2006 Eric Friesen
@@ -15,6 +16,7 @@ Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2021 Frank Wall
 Copyright (c) 2016 IT-assistans Sverige AB
+Copyright (c) 2021 Jan Winkler
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
diff --git a/README.md b/README.md
index 0d7a3cdb0d..8817be2f50 100644
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ dns/bind -- BIND domain name service
 dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
 dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
-emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense (development only)
+emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
 mail/fetchmail -- Remote-mail retrieval utility (development only)
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
@@ -100,6 +100,7 @@ sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitoring agent
 sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
+sysutils/puppet-agent -- Manage Puppet Agent (development only)
 sysutils/smart -- SMART tools
 sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
old mode 100644
new mode 100755
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
old mode 100644
new mode 100755
diff --git a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
index 57e8734776..840749a926 100644
--- a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
+++ b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
@@ -49,7 +49,6 @@ function radsecproxy_syslog()
         'facility' => array('LOG_DAEMON'),
     );
     return $logfacilities;
-
 }
 
 
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
index dfd721fcb3..8f10376439 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
@@ -45,7 +45,7 @@ class StatusController extends ApiControllerBase
     /**
      * get relayd summary
      */
-    public function sumAction($wait=0)
+    public function sumAction($wait = 0)
     {
         $result = array("result" => "failed");
         $backend = new Backend();
@@ -93,7 +93,7 @@ public function sumAction($wait=0)
                     if (!empty($virtualserver['tables'])) {
                         foreach ($virtualserver['tables'] as &$table) {
                             if (!empty($table['uuid'])) {
-                                $tblnode = $relaydMdl->getNodeByReference("table.".$table['uuid']);
+                                $tblnode = $relaydMdl->getNodeByReference("table." . $table['uuid']);
                                 foreach (explode(",", (string)$tblnode->hosts) as $host_uuid) {
                                     $found = false;
                                     if (!empty($table['hosts'])) {
@@ -108,7 +108,7 @@ public function sumAction($wait=0)
                                         $table['hosts'] = [];
                                     }
                                     if (!$found) {
-                                        $hostnode = $relaydMdl->getNodeByReference("host.".$host_uuid);
+                                        $hostnode = $relaydMdl->getNodeByReference("host." . $host_uuid);
                                         $table['hosts'][$host_uuid] = [
                                             "name" => (string)$hostnode->address,
                                             "description" => (string)$hostnode->name,
@@ -174,7 +174,7 @@ public function sumAction($wait=0)
                 if (count($objs) > 0) {
                     $linked_hosts = [];
                     if (!empty($virtualserver['tables'][$tableId]['uuid'])) {
-                        $tblnode = $relaydMdl->getNodeByReference("table.".$virtualserver['tables'][$tableId]['uuid']);
+                        $tblnode = $relaydMdl->getNodeByReference("table." . $virtualserver['tables'][$tableId]['uuid']);
                         $linked_hosts = explode(",", (string)$tblnode->hosts);
                     }
                     // hosts aren't necessarily unique due to address matching
@@ -204,9 +204,9 @@ public function toggleAction($nodeType = null, $id = null, $action = null)
         if ($this->request->isPost()) {
             $this->sessionClose();
             $backend = new Backend();
-            if (in_array($nodeType, ['redirect', 'table', 'host']) && in_array($action, ['enable', 'disable'])){
+            if (in_array($nodeType, ['redirect', 'table', 'host']) && in_array($action, ['enable', 'disable'])) {
                 if ($id != null && $id > 0) {
-                    $result["output"] = $backend->configdpRun("relayd toggle",[$nodeType, $action, $id]);
+                    $result["output"] = $backend->configdpRun("relayd toggle", [$nodeType, $action, $id]);
                     if (isset($result["output"])) {
                         $result["result"] = 'ok';
                     }
@@ -217,7 +217,7 @@ public function toggleAction($nodeType = null, $id = null, $action = null)
                 $new_status = $action == "remove" ? "0" : "1";
                 $relaydMdl = new Relayd();
                 foreach (explode(",", $id) as $host_uuid) {
-                    $obj = $relaydMdl->getNodeByReference("host.".$host_uuid);
+                    $obj = $relaydMdl->getNodeByReference("host." . $host_uuid);
                     if ($obj != null) {
                         $obj->enabled = $new_status;
                     }
diff --git a/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc b/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
index bbeb217b07..c5dd7cc636 100644
--- a/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
+++ b/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2021 Jan Winkler 
+ *    Copyright (C) 2021 Jan Winkler
  *    All rights reserved.
  *
  *    Redistribution and use in source and binary forms, with or without
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
index 58c60f552d..14af09d7ee 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
@@ -67,8 +67,7 @@ public function reconfigureAction()
                 $this->stopAction();
             }
             return array("status" => "ok");
-            }
-        else {
+        } else {
             return array("status" => "failed");
         }
     }
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
index 1319d02e81..3da8f402e0 100644
--- a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
@@ -7,4 +7,3 @@ server = {{ OPNsense.puppetagent.general.FQDN|default("") }}
 environment = {{ OPNsense.puppetagent.general.Environment|default("") }}
 {% endif %}
 {% endif %}
-
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
index 43b4abf1e0..b40c832dd2 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
@@ -38,7 +38,7 @@
  */
 class NaxsiIdentifierConstraint extends BaseConstraint
 {
-    public function validate(\Phalcon\Validation $validator, $attribute) : bool
+    public function validate(\Phalcon\Validation $validator, $attribute): bool
     {
         $node = $this->getOption('node');
         if ($node) {
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
index bbf2c5ac82..6067ad0644 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
@@ -38,7 +38,7 @@
  */
 class NgxBusyBufferConstraint extends BaseConstraint
 {
-    public function validate(\Phalcon\Validation $validator, $attribute) : bool
+    public function validate(\Phalcon\Validation $validator, $attribute): bool
     {
         $node = $this->getOption('node');
         if ($node) {
@@ -64,7 +64,8 @@ public function validate(\Phalcon\Validation $validator, $attribute) : bool
                     $proxy_buffer_size_int = intval((string) $proxy_buffer_size_node);
                 }
 
-                if (isset($proxy_buffers_total_minus1_size) && isset($proxy_busy_buffers_size) &&
+                if (
+                    isset($proxy_buffers_total_minus1_size) && isset($proxy_busy_buffers_size) &&
                     $proxy_buffers_total_minus1_size < $proxy_busy_buffers_size
                 ) {
                     $validator->appendMessage(new Message(
@@ -74,7 +75,8 @@ public function validate(\Phalcon\Validation $validator, $attribute) : bool
                 }
 
                 // nginx: [emerg] "proxy_busy_buffers_size" must be equal to or greater than the maximum of the value of "proxy_buffer_size" and one of the "proxy_buffers"
-                if (isset($proxy_busy_buffers_size) && isset($proxy_buffers_size_int) &&
+                if (
+                    isset($proxy_busy_buffers_size) && isset($proxy_buffers_size_int) &&
                     $proxy_busy_buffers_size < $proxy_buffers_size_int
                 ) {
                     $validator->appendMessage(new Message(

From e933752be2bbb434b89eb2f5c60e1f216098da61 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 19 May 2021 19:59:29 +0200
Subject: [PATCH 0585/3088] security/intrusion-detection-content-et-open add
 emerging-inappropriate ruleset

---
 security/intrusion-detection-content-et-open/Makefile           | 2 +-
 .../opnsense/scripts/suricata/metadata/rules/et-open-extra.xml  | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/intrusion-detection-content-et-open/Makefile b/security/intrusion-detection-content-et-open/Makefile
index 036bd551e5..cb93113e2b 100644
--- a/security/intrusion-detection-content-et-open/Makefile
+++ b/security/intrusion-detection-content-et-open/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		intrusion-detection-content-et-open
-PLUGIN_VERSION=		1.0.0
+PLUGIN_VERSION=		1.0.1
 #PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
index 563b11476a..ca6f397f64 100644
--- a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -10,5 +10,6 @@
         <file description="drop" url="inline::rules/drop.rules">et_open.drop.rules</file>
         <file description="dshield" url="inline::rules/dshield.rules">et_open.dshield.rules</file>
         <file description="tor" url="inline::rules/tor.rules">et_open.tor.rules</file>
+        <file description="emerging-inappropriate" url="inline::rules/emerging-inappropriate.rules">et_open.emerging-inappropriate.rules</file>
     </files>
 </ruleset>

From 008da911f577ebd1345e185c6080df32863d6d15 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Thu, 20 May 2021 18:17:44 +0200
Subject: [PATCH 0586/3088] net/relayd: Usability improvements
 https://github.com/opnsense/plugins/issues/2232 (#2398)

minor visual improvements on the status page.

o reset cursor pointer on status widgets
o in host column add one button spacing for better alignment
o add a space between buttons and text
---
 .../mvc/app/views/OPNsense/Relayd/status.volt       | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
index c3a15c73b1..0d7a422717 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
@@ -33,7 +33,7 @@ POSSIBILITY OF SUCH DAMAGE.
        * create status and start/stop buttons
        **/
       function getControlButtons(status, id, nodeType) {
-          let status_btn = $('<button class="label label-opnsense label-opnsense-xs"/>');
+          let status_btn = $('<button class="label label-opnsense label-opnsense-xs"/>').css('cursor', 'auto');
           let action_btn = $('<button class="btn btn-xs btn-default" data-toggle="tooltip"/>').attr('data-nodeid', id).attr('data-nodetype', nodeType);
           let action_btn_remove = action_btn.clone(true);
           let response = [];
@@ -75,6 +75,14 @@ POSSIBILITY OF SUCH DAMAGE.
           if (nodeType === 'relay') {
               action_btn.removeClass('node_action').attr('disabled', 'disabled');
           }
+
+          if (nodeType == 'host' && response.length == 2) {
+              response.push(
+                $('<button class="label label-opnsense label-opnsense-xs"/>').css('cursor', 'auto').css('opacity', '0').append(
+                    $("<i class='fa fa-fw'/>")
+                )
+              );
+          }
           return response;
       };
 
@@ -160,6 +168,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     $vs_td.append(
                         $('<div class="object_container"/>').append(
                             getControlButtons(virtualserver.status, virtualserver.id, virtualserver.type),
+                            '&nbsp;',
                             virtualserver.name,
                             listen_str,
                             ' (' + virtualserver.type + '): ',
@@ -174,6 +183,7 @@ POSSIBILITY OF SUCH DAMAGE.
                             $tbl_td.append(
                                 $('<div class="object_container"/>').append(
                                     getControlButtons(table.status, tkey, 'table'),
+                                    '&nbsp;',
                                     table.name + ' ' + table.status
                                 ).data('payload', table).data('type', 'table')
                             );
@@ -195,6 +205,7 @@ POSSIBILITY OF SUCH DAMAGE.
                                     $host_td.append(
                                         $('<div class="object_container"/>').append(
                                             getControlButtons(host.status, hkey, 'host'),
+                                            '&nbsp;',
                                             display_name,
                                             " ",
                                             host.status

From 378fe7368449d4642bf57e20a7d4e1d03b2d8490 Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Sun, 23 May 2021 21:49:13 +0200
Subject: [PATCH 0587/3088] www/nginx: Custom error pages (#2149)

* [www/nginx] Improvement of default error pages

* Added custom error page for 403 error
* Configured WAF Denied error page for 405
* Make default error pages mobile friendly

* [www/nginx] Add ability to configure error pages via GUI

* Custom error pages for 4xx and 5xx HTTP status codes can be configured
  via GUI.
* Correct indenting
* Push version

* [www/nginx] Improved customized error pages

* Form displays meaning of HTTP status code
* Allow status code rewriting

* [www/nginx] Incorporated code review findings

* [www/nginx] Add HTML content of custom error page to config

Added HTML content of custom error pages to model

* [www/nginx] Added ability to redirect error pages to URL

* Add option to redirect to new page instead of displaying a
  custom error page.
* Incorporated code review findinds.
* Fixed error_page syntax for status code change

* [www/nginx] Added error page configuration to locations

Custom error pages can be overwritten on a per location basis.

* [www/nginx] Custom error pages for WAF violations
---
 www/nginx/pkg-descr                           |   1 +
 .../etc/nginx/views/opnsense_error_403.html   |  60 ++++++++++
 .../etc/nginx/views/opnsense_error_404.html   |   1 +
 .../nginx/views/opnsense_server_error.html    |   1 +
 www/nginx/src/etc/nginx/views/waf_denied.html |   1 +
 .../OPNsense/Nginx/Api/SettingsController.php |  36 ++++++
 .../OPNsense/Nginx/IndexController.php        |   1 +
 .../OPNsense/Nginx/forms/errorpage.xml        |  36 ++++++
 .../OPNsense/Nginx/forms/httpserver.xml       |   7 ++
 .../OPNsense/Nginx/forms/location.xml         |  15 +++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 104 ++++++++++++++++++
 .../mvc/app/views/OPNsense/Nginx/index.volt   |  27 +++++
 .../src/opnsense/scripts/nginx/setup.php      |  55 +++++++++
 .../templates/OPNsense/Nginx/http.conf        |  69 ++++++++++--
 .../templates/OPNsense/Nginx/location.conf    |  11 ++
 .../www/js/nginx/dist/configuration.min.js    |   2 +-
 .../opnsense/www/js/nginx/src/nginx_config.js |  25 ++++-
 17 files changed, 440 insertions(+), 12 deletions(-)
 create mode 100644 www/nginx/src/etc/nginx/views/opnsense_error_403.html
 create mode 100644 www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/errorpage.xml

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 729721ed59..bcb357234f 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -32,6 +32,7 @@ Plugin Changelog
 
 * User interface improvements of NAXSI configuration (contributed by 8191)
 * Fixed missing certificate validation of upstreams (contributed by 8191)
+* Add custom error pages on a per HTTP server basis (contributed by 8191)
 
 1.19
 
diff --git a/www/nginx/src/etc/nginx/views/opnsense_error_403.html b/www/nginx/src/etc/nginx/views/opnsense_error_403.html
new file mode 100644
index 0000000000..05b6871ec1
--- /dev/null
+++ b/www/nginx/src/etc/nginx/views/opnsense_error_403.html
@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Access Denied</title>
+    <meta name="generator" content="OPNsense" />
+    <meta name="language" content="en-US" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
+    <style>
+        body {
+            background-color: black;
+            max-width: 1000px;
+            margin: auto;
+            padding-top: 20px;
+        }
+        h1, p, span, a, .footertext {
+            text-align: center;
+            color: white;
+            vertical-align: baseline;
+        }
+        @media screen and (min-width: 700px) {
+            .logo {
+                float: right;
+            }
+            .footertext {
+                text-align: left;
+                float: left;
+                position: absolute;
+                bottom: 0px;
+            }
+            footer {
+                height: 55px;
+                position: relative;
+            }
+            img {
+                float: right;
+            }
+        }
+        @media screen and (max-width: 699px) {
+            .footertext {
+                margin-bottom: 10px;
+            }
+            footer a {
+                display: block;
+                text-align: center;
+            }
+        }
+    </style>
+</head>
+<body>
+    <h1>Access Denied</h1>
+    <p>You are not permitted to access the requested resource.</p>
+    <p>Please contact the webmaster if you think this is an error.</p>
+    <hr />
+    <footer>
+          <div class="footertext">Web Application Protection by OPNsense</div>
+          <a href="https://opnsense.org/"><img class="logo" alt="OPNsense Logo" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAANYAAAAyCAYAAAAgNiW6AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAFxGAABcRgEUlENBAAAAB3RJTUUH4gEeEjABrR1oTgAAELlJREFUeNrtnXuUXVV5wH/fuY95ZfIokASQh0IaHtEShAICRVcTXsbE0BZh4lKitGhgqZRlLeoqRVdUihRW0a5KsYjpBBCRV0l4pEUJRBawQBIwSQvIm0ACk0lmJjNz7zlf//j2uffOnXPO3JncmcmE81vrrrlzzj777L3v/vbj29/+tixZsgSAadOm0dHRcQLweeAUYB9AGF2ywIpJkyZdtnPnTlauXDngZpg2EUFVPwJ8FjgVmDbKaesHLgYeaW9vH3RzyZIlqCoiArA/sAD4ODAT8Ea5zDLAQ8ByIIhKX8r4k3V/cx0dHV8C/g74wBinYarnDa6LbW1tAKiqhwnUPwCHjVGaCsCkqBuhsHueh6qeDvwjcByQG8Mye2sM35UyArzp06cDfAm4mrEXKgBV1UEXgyAAQET+EvgXxk6oANR9BjFz5sww0WcDPwNOYmyFCiAY4/elDBPvnXfeOQHrqRrGOzEh5557LplMBuAA4JvAlPFOE1gvumXLFrAGaDk2DExJGUQWm1NV9lQ+sAZYiw2J6jmXEaAN+HBSoLC3Av4MmFNxS4HfAutcOuuBAtOB84GmxIDledVC4Jiq25uAJ12Z1ZtTgVmjEG/KKJHFfrRKHgKWAO/V+2VOCTGXIQQrn8+HXz+MTdZDNgOfA16sc9KOwoQlUbDcvCojItVl9jug7cwzz9z4wAMPEDW0HQnZbJYdO3bQ3Nz8U1LBmlBkMe1fJWtxQrV9+3ZaWlrq8qJcLoeqZqihB3S9AkD1y19R1dcAMplMZc+2u9SsyRORPKb9q+QhEdm4evXqyrTvNoVCgXXr1jFv3ry6xZkyNmQZXNELAE1NTdRTlRtq0+qAAKxYsWK80iUMFsRdqsrSpUuZP39+vfJJW1sbc+fOrVt8KWNHVEstAN3d3eOdtgnHtddeO95JSNlDGO3FzJSU9yWpYKWkjAKpYKWkjALZ3Y8iJeX9xXnnnRcaMMSSClZKyjBoa2urXg46GZgNFLH1zCeBYipYKSkjYzrwNWA78AzWSZ2J2Y7+WzrHSkkZJr7vC3AB8CxmBfSnmPXOA9hy1fmpYKWkDAMRIZPJ7I/1WPdgNqObgNeBvwDuBE5Kh4IpKcNnKtDled6uIAiywCIgD/wUeAfw0h4rJWX4vAe0BkHQgu02XwlswDbH7gf4qWClpAwDVeWss87aArwG/BXwNDbXuhkTqs8Cv0mHgikpw2T16tVggvQV4GB3OQccDrwM3J4K1l7I+vnQOBn8Qtm0RgER++Jj14+4p7b4Ni6ASc3Q3WtxqJrqS13EAhQFjq4xviieXwBZz6UzvCgQuPiT0rppoT1bDAamL0xkIQ/ZAhxxd21p2bQQfIWMlOMI49OulSxvbSNAOoAfAMdTXsdqD4Jgg+d5QSpYexGbF7ovAlqEjAdBQFbKPjn8/j76840V4QWCAI68d2Bcz54BjY2ukgr09EE2D36BPLb5VIGCZPBRW8RZ/0nIZwYKweZFtaVdnUR5AhrYO1QpeEIRYMu50NELR7q4NywybUGIr6YxUCWHkHUeS4pejkLO7enetMgEpODDnP8a+P7nz4ZsheeSrECxAJkcDYCHoKr0ixB8u2slGYVvtn6uL4f/KPBo+Fy4ePy+FqzQExQxjmMmCqGAANYVBRwCnKLK8SIcCkwWu9Odb2QL8BxWGZ7FJt9sWlgWiI2fKqu1+gvQkGcWcJpf4DjgIBFaAF+gA+UFnLuEhixbFROmXTvgmIdLSfxjrGWPKmcP2FD0eTaX5WOqnINwFNAk0AE8Dty+o48/qMLGhVBUc9CiQADiWfynqnIscJDAJFceXUGRN1w+16JsRPDzuYH53bSwJJSgZNz7P57NcQxwAEITUBDhXWwX+zpfePy7XT/vDDMxu6o3nGiCpapa9DyvnhsnAT7EwN3KPtA73pmtmfJW1SkEfBn4AubVKkk59R7CA8DVGY9nArUKBm7IaMxoyPMVzFXDIQlx9QPrgetRbkPoa5o84P584EdEC5YA38tlmQ98A9i36v5i4HyFizMe67ICGS1FNNODSzF/JQcNUUpbRLgLuEYDXmjIwu8XQCYDuWYo9ADwIYTLgHMYvEu8kl3AE8A1qtwnQrBp0cCh5kQTrA96nncZ9XNyo0Ar8BkG+rvYhml99ng2Lih9bcFc2P11jY/+EVYhj1O4UIRHwvmJ42DgJ5iZzlDkMd+KN4gwB/O12LOpPAyUqr/VnIMJbpzPkWOAHwKfLirvuGv7ufQtpDZmYm7+Pgos7fd5PrSjdUL1EeBGrGcdiibgNGCuCN9V5TqE4uZF5Z5rognWbOCqMXjPGlV9ebwzWwu5RlNSYBXsghFEMQv4J+DTqmxx1/KYcNQiVJU0AH8LbG3KcnVP7c3fETWEOR7z0Pwrp0+4gNqFqjqe5ZhavMtdm4rVq1qEqpLJwJUivAW0V/bH6TrWYP4XuE5EivV0DDNaFPtBlQzwKeIdh24BHsHmLFEcD3yi4v8TMfOcKAJsMXQ90Y5DM8Alu4ocOYzi63bpeyUhTBY4GkBtIXZBQtiXsTlknH+JecCxFf+f5a5FFjHwFDa3iqIZuAyYUdmIpII1kGeAi4D1QRDU0wvUqCECIkzGevMo+oFvqDIPG+pE4WFrMCGnY61xFG9gQ8jziB8uHwycMYxs3O3CX0Gyv8gZ7u9+wAdjwmwH/kaVM4B7Y8K0AIcCqOJhghU3ensOM1m6yMUdxRysNy1pQSfaUHAn1hrVU4sXYC36/wC3Aa+GjjmrD2nYg2nBhjNRdAG/E6EA/F9CHK0AquRFBjkjrWQbJlxFV25xSo0TVcmI1ORYdROmLPoD0If1ApFpdPPAqcT41nfpe16EHuClofIrwhQGOoWt5k1V3hbBw3r8qHLOAScAd4Rz1D1SsFQ1dI5ZLUBPYWPjvjq+LlDVHhHpA3MW2tfXN5GECmxOlI+5l6m4l1TJcwBOlX5AQrgC1hj5JP8Oh7q4dtSQ/h73t3+INOZdhWggvu7mKA+Jiwlxhc9PY7AmspL+irj6E8IdrpAVt+62RwpWUiZVdZuI9O9+VAMJggAR4aabbhrvPI4En/gK2Yrtcn0Ka83XR4TJYr0QQCPxvQHYaKGIUkQSD2eYBjULVigAAcmjES9jGS0SfzDEdGzO+Ap2KsvzEWXjubLApTHJA3KQFXz3zqS07Ssm8BNSsAQQVZ1oPcposxMbpkQNyzzgcqAH5XY1NXG1wwYR2EXZaCDJoUMrcAo2xEs6rKLRfWqh5qH9Ng+m+XS4PEe9vwkzNQpUWYkN76N0Cd1OuZIbIr/7+naGwFSSBbCFCuXRRBOslCqctcB28XgOYudGM4DrEc4QOxLpMcBPcDGfpM87AtvMB8kn1GRIrrAjYoqPh83tXiD+2KnDgJ+JcDvw494Onm6cNmCNbjicDKxyZZLUUGSoEOBUKzjB8QTEI8Aqe9KcpwFTod8N/AdWYTwRG18No855mHKhmSEEp05nQ0TRTVm442jFLFBWNU7jeuBPmhpKWtThHDCWwXqjZoaWl1KDlArWBMcvV95VmCXCUNV5KnZiy90i/DNwiI7OqoI3qsuAygrgFzWEnAFcAtzX288VmKqe5vqP1QbIUjoUnOAceU9p7aQX+Ba21vJVhj6sbx8X7hTgUhHW1vjKPuBtkht9D3jLKTjqjtsC04FyCcI2rGcaaj53IGZNcirwtT6f52p8XQ+wleQGK4Mpf0pKklSw9gK6emy/FNClypUiPA78PSY0Q41KPgr8O7YbdkMNr9uILXnspGRgHolPWfM2OghbVblUhEeBrwO1HM3y51jP/hnMAcxQrAWWUdYKxuW3QIUGNB0KTnA2LyoJlW3IMxX4asyw9VLiTXEqmQ1cVOPQrQ9TZb/qvn8g4nMQsD8y+g23CP3ALZhJ1xXUZjz9Mexk0Vro8c0o4VX3/0Ex+Z1BhTylPdbexEDBeBfTAN4LXIwZre6T8PRpquzL0HO0yvPBFgHXRjzjAW8onCnJ1g/15A3gO8CvsAblXJLX4+YB19USsRfucrOdA19n8MJzBvOCuwB3aGMqWHsHDcCXMXu/6qFKN3A95gPvKszANooZ2MS+k9qVhDkGn7oZ0iKjNCISZQrCV116K9MqmPuxy11+f0C85fzB2Dx0OKqbBuLnci1UNG17hGBNBCvyPZwcZhR7QsS9LuAOzHp8OfBLotefGrAW/l2STYFqFbqA4VXa2iIV1FNagKU4Q9oqXgd+ji0rHAD8a0xUTe5ToD4HxfuV+R2POVb1D5NKVQL3339/LcEC4tewfMpl/CrxWynC36WXsu1eFJW/V1L96aO+Np3lVErN+X2JZPs+XF5r3S2elN9e3DHDEN1jKVgvUuEToj5lYifOV29HKOzcufN92WstXrwYz/MQEZqamvB9v2SAXCwWERGWLVtGZ2dn9fBDQwt8RxHT0kWRpdxDJdniFYBdquwSKe3SjYsvrGBJc5gO4oV4xLgc9xEv/HnKpkVJ+e118RRcWuOsOHK4otbk/G6lQtijJDDn3OY21vnTIiKLMQfylbyqqhNi71O9mTRpEs3NzTQ0NJSMgD3nxSWbzQLkOzs7T8ft9algu+d5gaqiCrkc/ZSNaKtpAma7Gnk48XOi7UCH216ynnj2A2aq0gCJ20t+r1qTAe6wEJOtbijtdq5mCnCYa3NmE2/1vxXoVqUTW0KI40ARpqkZFR+VEG49UEjaNnKB53mnUf8hWjO276Vy4XIHNvZ/X/ZYrjGZi1lC9GJOSgqYlmkqNvE+kcHavPVhj7VvC7xrbffTMa/xgG+jzMd2zcZNvjcrbHO/wipsY19rRLgDgRtF2M7AXceV7ALuEKn/HMvRj2nhzoq41wz8UJWlmNlWXMXacOPddF1oi+v3YssTUfIwB/hPV44nxcS11cVRcsQTFdEs9xkL7lTVJ4EJb62+Gw3DLOycpVp5EVgT/vNaJzTbwGcNtpEx6rc7lOiJfkgA3CXQh3lAekyEXwBfjAjrYRU2idsVHhzlpvIeTP0dtZfqaPeJoxu458Kys5t7gQeBsyPC5jAvU0ncGChPiZQ9NY3nAvEjwHdEpG8v6K2KOnKL06TV/Gp2YJq9F1SV9vZ25q4qOdV8ETPZGYm1w22EdndSWnS9EqhJc1LFb4ArZBTdxymgyhPA9xn+PE6BG1T574prnZilypMjSM4vgWs8IajW6oylcCnWbd4AfB54SUTw/XpoO8eU6jLb3QwM9Rv0Yo4rvxAEwc1VigvAhCsIuAXzAbiG2irc28A1mM3gDgC/vzSceQ1TaV/lvg/VcnQCN7lnXh6mBbnEfI9/QAjUFsC/6MpmKEFWzGLkW6pc4RoPfB9aTbWzAbPG+AkkKm9CtrqyW4YtUQxw2pnFjiAZymCzHhRdxn6NOTssgM0zbr311rhn1mCalgCrfJupz5rD7hBgDkYaKLtBfx1g1apVI4nvXVcezZiiIe/e0YP9wBuxXuBh4O1QoNrb20sRHOEMcT0PBR5U5QkRPoE5aDkWmxeFSovQb8hjwF2qPBn6pfAVjloNz30ScjZJ2FL0uTyb4RbMquA0TAEyFZsH7gLexHYn36nwsECviLlkO/K+koHwU8D3iHfY+YT7/ibmGzFqnc3DPNpqxYNFrLf9NWZJcTrmH3CmK0vFBP5FV4Z37fRZ3+o2u2wvwAmrzLtuzgNfecEZ9t7s8nsy5rRmsktnD9bI/Bbzb7EuLLveKqX+/wPOlvw8NtrSyAAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAxOC0wNi0yMlQyMDo1OTo0NiswMjowMCzFdxYAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMTgtMDEtMzBUMTc6NDg6MDErMDE6MDBrpqImAAAAAElFTkSuQmCC" /></a>
+    </footer>
+</body>
+</html>
diff --git a/www/nginx/src/etc/nginx/views/opnsense_error_404.html b/www/nginx/src/etc/nginx/views/opnsense_error_404.html
index 48e45ca984..7148964064 100644
--- a/www/nginx/src/etc/nginx/views/opnsense_error_404.html
+++ b/www/nginx/src/etc/nginx/views/opnsense_error_404.html
@@ -5,6 +5,7 @@
     <title>Not Found</title>
     <meta name="generator" content="OPNsense" />
     <meta name="language" content="en-US" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
     <style>
         body {
             background-color: black;
diff --git a/www/nginx/src/etc/nginx/views/opnsense_server_error.html b/www/nginx/src/etc/nginx/views/opnsense_server_error.html
index 293d9ae836..dcc7dc2a08 100644
--- a/www/nginx/src/etc/nginx/views/opnsense_server_error.html
+++ b/www/nginx/src/etc/nginx/views/opnsense_server_error.html
@@ -5,6 +5,7 @@
     <title>Request Denied</title>
     <meta name="generator" content="OPNsense" />
     <meta name="language" content="en-US" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
     <style>
         body {
             background-color: black;
diff --git a/www/nginx/src/etc/nginx/views/waf_denied.html b/www/nginx/src/etc/nginx/views/waf_denied.html
index b5e96d2c9d..7fdcc343c8 100644
--- a/www/nginx/src/etc/nginx/views/waf_denied.html
+++ b/www/nginx/src/etc/nginx/views/waf_denied.html
@@ -5,6 +5,7 @@
     <title>Request Denied</title>
     <meta name="generator" content="OPNsense" />
     <meta name="language" content="en-US" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
     <style>
         body {
             background-color: black;
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 443946ffca..36beafbc72 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -396,6 +396,42 @@ public function setlimit_zoneAction($uuid)
         return $this->setBase('limit_zone', 'limit_zone', $uuid);
     }
 
+    // Error pages
+    public function searcherrorpageAction()
+    {
+        return $this->searchBase('errorpage', array('name', 'statuscodes', 'response'));
+    }
+
+    public function geterrorpageAction($uuid = null)
+    {
+        $this->sessionClose();
+        $data = $this->getBase('errorpage', 'errorpage', $uuid);
+        // Decode base64 encoded page content
+        $data['errorpage']['pagecontent'] = base64_decode($data['errorpage']['pagecontent']);
+        return $data;
+    }
+
+    public function adderrorpageAction()
+    {
+        return $this->addBase('errorpage', 'errorpage', array(
+            // Encode page content with base64
+            'pagecontent' => base64_encode($this->request->getPost('errorpage')['pagecontent'])
+        ));
+    }
+
+    public function delerrorpageAction($uuid)
+    {
+        return $this->delBase('errorpage', $uuid);
+    }
+
+    public function seterrorpageAction($uuid)
+    {
+        return $this->setBase('errorpage', 'errorpage', $uuid, array(
+            // Encode page content with base64
+            'pagecontent' => base64_encode($this->request->getPost('errorpage')['pagecontent'])
+        ));
+    }
+
     // TLS fingerprints for MITM detection
     public function searchtls_fingerprintAction()
     {
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
index 1325fd6b6f..9af641c118 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
@@ -61,6 +61,7 @@ public function indexAction()
         $this->view->cache_path = $this->getForm("cache_path");
         $this->view->sni_hostname_map = $this->getForm("sni_hostname_map");
         $this->view->ipacl = $this->getForm("ipacl");
+        $this->view->errorpage = $this->getForm("errorpage");
         $this->view->tls_fingerprint = $this->getForm("tls_fingerprint");
         $this->view->syslog_target = $this->getForm("syslog_target");
         $nginx = new Nginx();
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/errorpage.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/errorpage.xml
new file mode 100644
index 0000000000..39ae4795f5
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/errorpage.xml
@@ -0,0 +1,36 @@
+<form>
+    <field>
+        <id>errorpage.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Enter a name for your error page.</help>
+    </field>
+    <field>
+        <id>errorpage.statuscodes</id>
+        <label>Status Codes</label>
+        <type>select_multiple</type>
+        <style>selectpicker</style>
+        <help>Enter the HTTP status codes for which the error page shall be shown.</help>
+    </field>
+    <field>
+        <id>errorpage.pagecontent</id>
+        <label>Page Content</label>
+        <type>textbox</type>
+        <help>The HTML page content to display.</help>
+    </field>
+    <field>
+        <id>errorpage.redirect</id>
+        <label>Redirect Target</label>
+        <type>text</type>
+        <help>Instead of displaying a static error page redirect to a URL.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>errorpage.response</id>
+        <label>Response Status Code</label>
+        <type>dropdown</type>
+        <style>selectpicker</style>
+        <help>Optionally enter a HTTP status code to change the response to. This does not work in combination with a redirection target.</help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 62b3f44d65..f59e1e5f75 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -237,4 +237,11 @@
     <style>selectpicker</style>
     <help>If you choose multiple limits, the strictest will be used.</help>
   </field>
+  <field>
+    <id>httpserver.errorpages</id>
+    <label>Error Pages</label>
+    <style>selectpicker</style>
+    <type>select_multiple</type>
+    <help>Select custom error pages to display instead of the default builtin error pages. If at least one error page is selected here, all default error pages will be disabled.</help>
+  </field>
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index 05adce9381..97b247d9b7 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -35,6 +35,14 @@
     <type>checkbox</type>
     <help>Enable learning mode means nothing is blocked but logged.</help>
   </field>
+  <field>
+    <id>location.secrules_errorpage</id>
+    <label>Violation Error Page</label>
+    <style>selectpicker</style>
+    <type>dropdown</type>
+    <help>Select a custom error page to display instead of the default builtin error pages for security rule violations. Only the page content itself is used. Status code rewriting and redirection is not supported.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>location.xss_block_score</id>
     <label>Block XSS Score</label>
@@ -312,4 +320,11 @@
     <advanced>true</advanced>
     <help>If you enable this option, nginx will not terminate the connection to the backend server if the client connection is terminated.</help>
   </field>
+  <field>
+    <id>location.errorpages</id>
+    <label>Error Pages</label>
+    <style>selectpicker</style>
+    <type>select_multiple</type>
+    <help>Select custom error pages to display instead of the default builtin error pages. Selection will override error pages configured on HTTP server.</help>
+  </field>
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index d079f90b7a..c5ac1ca223 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -204,6 +204,21 @@
         <default>0</default>
         <Required>Y</Required>
       </enable_learning_mode>
+      <secrules_errorpage type="ModelRelationField">
+        <Model>
+          <template>
+            <source>OPNsense.Nginx.Nginx</source>
+            <items>errorpage</items>
+            <display>name</display>
+            <filters>
+              <pagecontent>/.+/</pagecontent>
+            </filters>
+          </template>
+        </Model>
+        <ValidationMessage>Selected error page(s) not found</ValidationMessage>
+        <Required>N</Required>
+        <multiple>N</multiple>
+      </secrules_errorpage>
       <xss_block_score type="IntegerField">
         <Required>N</Required>
       </xss_block_score>
@@ -464,6 +479,18 @@
         <Required>Y</Required>
         <default>0</default>
       </proxy_ssl_server_name>
+      <errorpages type="ModelRelationField">
+        <Model>
+          <template>
+            <source>OPNsense.Nginx.Nginx</source>
+            <items>errorpage</items>
+            <display>name</display>
+          </template>
+        </Model>
+        <ValidationMessage>Selected error page(s) not found</ValidationMessage>
+        <Required>N</Required>
+        <multiple>Y</multiple>
+      </errorpages>
     </location>
 
     <custom_policy type="ArrayField">
@@ -852,6 +879,18 @@
         <Required>Y</Required>
         <default>0</default>
       </zero_rtt>
+      <errorpages type="ModelRelationField">
+        <Model>
+          <template>
+            <source>OPNsense.Nginx.Nginx</source>
+            <items>errorpage</items>
+            <display>name</display>
+          </template>
+        </Model>
+        <ValidationMessage>Selected error page(s) not found</ValidationMessage>
+        <Required>N</Required>
+        <multiple>Y</multiple>
+      </errorpages>
     </http_server>
 
     <stream_server type="ArrayField">
@@ -1442,6 +1481,71 @@
       </rate>
     </limit_zone>
 
+    <errorpage type="ArrayField">
+      <name type="TextField">
+        <Required>Y</Required>
+      </name>
+      <statuscodes type="OptionField">
+        <multiple>Y</multiple>
+        <OptionValues>
+          <status_400 value="400">400 Bad Request</status_400>
+          <status_401 value="401">401 Unauthorized</status_401>
+          <status_403 value="403">403 Forbidden</status_403>
+          <status_404 value="404">404 Not Found</status_404>
+          <status_405 value="405">405 Method Not Allowed</status_405>
+          <status_407 value="407">407 Proxy Authentication Required</status_407>
+          <status_408 value="408">408 Request Timeout</status_408>
+          <status_410 value="410">410 Gone</status_410>
+          <status_415 value="415">415 Unsupported Media Type</status_415>
+          <status_429 value="429">429 Too Many Requests</status_429>
+          <status_431 value="431">431 Request Header Fields Too Large</status_431>
+          <status_500 value="500">500 Internal Server Error</status_500>
+          <status_501 value="501">501 Not Implemented</status_501>
+          <status_502 value="502">502 Bad Gateway</status_502>
+          <status_503 value="503">503 Service Unavailable</status_503>
+          <status_504 value="504">504 Gateway Timeout</status_504>
+        </OptionValues>
+        <Required>Y</Required>
+      </statuscodes>
+      <pagecontent type="Base64Field">
+        <default>PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsaW5pdGlhbC1zY2FsZT0xIiAvPgogICAgPHRpdGxlPkVycm9yPC90aXRsZT4KPC9oZWFkPgo8Ym9keT4KICAgIDxoMT5FcnJvcjwvaDE+CiAgICA8cD5Tb3JyeSwgYnV0IHNvbWV0aGluZyB3ZW50IHdyb25nLjwvcD4KPC9ib2R5Pgo8L2h0bWw+</default>
+        <Constraints>
+          <check001>
+            <type>SingleSelectConstraint</type>
+            <ValidationMessage>Page content is required if redirect is not used and needs to be empty otherwise.</ValidationMessage>
+            <addFields>
+              <field1>redirect</field1>
+            </addFields>
+            <isRequired>Y</isRequired>
+          </check001>
+        </Constraints>
+      </pagecontent>
+      <redirect type="UrlField">
+        <Required>N</Required>
+        <Constraints>
+          <check001>
+            <reference>pagecontent.check001</reference>
+          </check001>
+        </Constraints>
+      </redirect>
+      <response type="OptionField">
+        <multiple>N</multiple>
+        <OptionValues>
+          <status_200 value="200">200 OK</status_200>
+          <status_300 value="300">300 Multiple Choice</status_300>
+          <status_301 value="301">301 Moved Permanently</status_301>
+          <status_302 value="302">302 Found</status_302>
+          <status_401 value="401">401 Unauthorized</status_401>
+          <status_403 value="403">403 Forbidden</status_403>
+          <status_404 value="404">404 Not Found</status_404>
+          <status_451 value="451">451 Unavailable For Legal Reasons</status_451>
+          <status_500 value="500">500 Internal Server Error</status_500>
+          <status_503 value="503">503 Service Unavailable</status_503>
+        </OptionValues>
+        <Required>N</Required>
+      </response>
+    </errorpage>
+
     <tls_fingerprint type="ArrayField">
       <description type="TextField">
         <Required>Y</Required>
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index ec5a47d716..7ad59f7168 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -124,6 +124,9 @@
             <li>
                 <a data-toggle="tab" id="subtab_item_nginx-http-cache_path" href="#subtab_nginx-http-cache_path">{{ lang._('Cache Path')}}</a>
             </li>
+            <li>
+                <a data-toggle="tab" id="subtab_item_nginx-http-errorpages" href="#subtab_nginx-http-errorpages">{{ lang._('Error Pages')}}</a>
+            </li>
             <li>
                 <a data-toggle="tab" id="subtab_item_nginx-http-tls-fingerprint" href="#subtab_nginx-http-tls-fingerprint">{{ lang._('TLS Fingerprint (Advanced)')}}</a>
             </li>
@@ -606,6 +609,29 @@
             </tfoot>
         </table>
     </div>
+    <div id="subtab_nginx-http-errorpages" class="tab-pane fade">
+        <table id="grid-errorpage" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="errorpage_dlg">
+            <thead>
+                <tr>
+                    <th data-column-id="name" data-width="15%" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="statuscodes" data-type="string" data-formatter="statuscodes" data-sortable="false" data-visible="true">{{ lang._('Status Codes') }}</th>
+                    <th data-column-id="response" data-width="13em" data-type="string" data-formatter="response" data-sortable="true">{{ lang._('Response') }}</th>
+                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
     <div id="subtab_nginx-http-tls-fingerprint" class="tab-pane fade">
         <table id="grid-tls_fingerprint" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="tls_fingerprint_dlg">
             <thead>
@@ -670,5 +696,6 @@
 {{ partial("layout_partials/base_dialog",['fields': cache_path,'id':'cache_pathdlg', 'label':lang._('Edit Cache Path')]) }}
 {{ partial("layout_partials/base_dialog",['fields': sni_hostname_map,'id':'sni_hostname_mapdlg', 'label':lang._('Edit SNI Hostname Mapping')]) }}
 {{ partial("layout_partials/base_dialog",['fields': ipacl,'id':'ipacl_dlg', 'label':lang._('Edit IP ACL')]) }}
+{{ partial("layout_partials/base_dialog",['fields': errorpage,'id':'errorpage_dlg', 'label':lang._('Edit Error Page')]) }}
 {{ partial("layout_partials/base_dialog",['fields': tls_fingerprint,'id':'tls_fingerprint_dlg', 'label':lang._('Edit TLS Fingerprint')]) }}
 {{ partial("layout_partials/base_dialog",['fields': syslog_target,'id':'syslog_target_dlg', 'label':lang._('Edit SYSLOG Target')]) }}
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 4860fbcd03..202db26508 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -239,11 +239,66 @@ function find_ca($refid)
         unset($file);
     }
 }
+
 // create directories for cache
 foreach ($nginx->cache_path->iterateItems() as $cache_path) {
     @mkdir((string)$cache_path->path, 0755, true);
 }
 
+// create custom error pages
+const ERRORPAGE_DIR = '/usr/local/etc/nginx/views';
+@mkdir(ERRORPAGE_DIR, 0755, true);
+$used_errorpages = array();
+// search used error pages in http servers and locations
+foreach (array($nginx->http_server, $nginx->location) as $entity) {
+    foreach ($entity->iterateItems() as $element) {
+        $pages = explode(',', $element->errorpages);
+        foreach ($pages as $page) {
+            $page = str_replace('-', '', $page);
+            if (!in_array($page, $used_errorpages)) {
+                $used_errorpages[] = $page;
+            }
+        }
+    }
+}
+// search used WAF error pages
+foreach ($nginx->location->iterateItems() as $location) {
+    if ($location->secrules_errorpage != '') {
+        $page = str_replace('-', '', $location->secrules_errorpage);
+        if (!in_array($page, $used_errorpages)) {
+            $used_errorpages[] = $page;
+        }
+    }
+}
+// create/update error pages
+foreach ($nginx->errorpage->iterateItems() as $errorpage) {
+    $uuid = str_replace('-', '', $errorpage->getAttributes()['uuid']);
+    if (in_array($uuid, $used_errorpages)) {
+        $filename = "error_$uuid.html";
+        $content = base64_decode((string)$errorpage->pagecontent);
+        // Does error page have a content?
+        if (strlen($content) > 0) {
+            $fs_hash = @hash_file("sha1", ERRORPAGE_DIR . "/$filename");
+            if ($fs_hash !== hash("sha1", $content)) {
+                @file_put_contents(ERRORPAGE_DIR . "/$filename", $content);
+            }
+            chmod(ERRORPAGE_DIR . "/$filename", 0644);
+        }
+        else {
+            unset($used_errorpages[array_search($uuid, $used_errorpages)]);
+        }
+    }
+}
+// delete unused (old) error pages
+$dir = new \DirectoryIterator(ERRORPAGE_DIR);
+foreach ($dir as $file) {
+    if ($file->isFile() && strpos($file->getFilename(), 'error_') === 0) {
+        if (!in_array(substr($file->getFilename(), 6, 32), $used_errorpages)) {
+            @unlink($file->getPathname());
+        }
+    }
+}
+
 // export TLS fingerprint database for MitM detection
 $tls_fingerprint_database = array();
 foreach ($nginx->tls_fingerprint->iterateItems() as $tls_fingerprint) {
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index bcd597f133..49aca5f88b 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -171,8 +171,38 @@ server {
     satisfy {{ server.satisfy }};
 {% endif %}
     #include tls.conf;
+{% set used_errorpages = [] %}
+{% if server.errorpages is defined and server.errorpages != '' %}
+{%   for errorpage_uuid in server.errorpages.split(',') %}
+{%     do used_errorpages.append(errorpage_uuid) %}
+{%     set errorpage = helpers.getUUID(errorpage_uuid) %}
+    error_page {{ errorpage.statuscodes.replace(',', ' ') }} {% if errorpage.response is defined and errorpage.response != '' %}={{ errorpage.response }} {% endif %}{% if errorpage.redirect is defined and errorpage.redirect != '' %}{{ errorpage.redirect }}{% else %}/error_{{ errorpage_uuid.replace('-', '') }}.html{% endif %};
+{%     if errorpage.redirect is not defined or errorpage.redirect == '' %}
+    location = /error_{{ errorpage_uuid.replace('-', '') }}.html {
+        internal;
+        root /usr/local/etc/nginx/views;
+    }
+{%     endif %}
+{%    endfor %}
+{% else %}
+    error_page 403 /opnsense_error_403.html;
     error_page 404 /opnsense_error_404.html;
+    error_page 405 /waf_denied.html;
     error_page 500 501 502 503 504 /opnsense_server_error.html;
+
+    location = /opnsense_error_403.html {
+        internal;
+        root /usr/local/etc/nginx/views;
+    }
+    location = /opnsense_error_404.html {
+        internal;
+        root /usr/local/etc/nginx/views;
+    }
+    location = /opnsense_server_error.html {
+        internal;
+        root /usr/local/etc/nginx/views;
+    }
+{% endif %}
 {% if server.security_header is defined and server.security_header != '' %}
 {% set security_rule = helpers.getUUID(server.security_header) %}
 {%   if security_rule is defined %}
@@ -193,14 +223,6 @@ server {
         return 403 "You got banned permanently from this server.";
     }
     error_page 418 = @permanentban;
-    location = /opnsense_server_error.html {
-        internal;
-        root /usr/local/etc/nginx/views;
-    }
-    location = /opnsense_error_404.html {
-        internal;
-        root /usr/local/etc/nginx/views;
-    }
     location = /waf_denied.html {
         root /usr/local/etc/nginx/views;
         access_log /var/log/nginx/waf_denied.access.log main;
@@ -292,11 +314,38 @@ server {
 {% endif %}
 
 {%   if server.locations is defined %}
+{%     set location_errorpages = [] %}
 {%     for location_uuid in server.locations.split(',') %}
 {%       set location = helpers.getUUID(location_uuid) %}
-{%         if location.urlpattern is defined %}
-{%       include "OPNsense/Nginx/location.conf" ignore missing with context %}
+{%       if location.urlpattern is defined %}
+{%         include "OPNsense/Nginx/location.conf" ignore missing with context %}
+{#         Find used error pages in secrules_errorpage #}
+{%         if location.secrules_errorpage is defined and location.secrules_errorpage != '' %}
+{%           if location.secrules_errorpage not in location_errorpages %}
+{%             do location_errorpages.append(location.secrules_errorpage) %}
+{%           endif %}
+{%         endif %}
+{#         Find custom error pages used in locations #}
+{%         if location.errorpages is defined and location.errorpages != '' %}
+{%           for errorpage_uuid in location.errorpages.split(',') %}
+{%             if errorpage_uuid not in location_errorpages %}
+{%               do location_errorpages.append(errorpage_uuid) %}
+{%             endif %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{# Error pages used in locations #}
+{%     for errorpage_uuid in location_errorpages %}
+{%       if errorpage_uuid not in used_errorpages %}
+{%         set errorpage = helpers.getUUID(errorpage_uuid) %}
+{%         if errorpage.redirect is not defined or errorpage.redirect == '' %}
+location = /error_{{ errorpage_uuid.replace('-', '') }}.html {
+    internal;
+    root /usr/local/etc/nginx/views;
+}
 {%         endif %}
+{%       endif %}
 {%     endfor %}
 {%   endif %}
 
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 5df147b2b7..254055642f 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -36,7 +36,17 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     LibInjectionSql;
     CheckRule "$LIBINJECTION_SQL >= {{ location.sqli_block_score }}" BLOCK;
 {% endif %}
+{% if location.secrules_errorpage is defined and location.secrules_errorpage != '' %}
+    DeniedUrl "/error_{{ location.secrules_errorpage.replace('-', '') }}.html";
+{% else %}
     DeniedUrl "/waf_denied.html";
+{% endif %}
+{% if location.errorpages is defined and location.errorpages != '' %}
+{%   for errorpage_uuid in location.errorpages.split(',') %}
+{%     set errorpage = helpers.getUUID(errorpage_uuid) %}
+    error_page {{ errorpage.statuscodes.replace(',', ' ') }} {% if errorpage.response is defined and errorpage.response != '' %}={{ errorpage.response }} {% endif %}{% if errorpage.redirect is defined and errorpage.redirect != '' %}{{ errorpage.redirect }}{% else %}/error_{{ errorpage_uuid.replace('-', '') }}.html{% endif %};
+{%    endfor %}
+{% endif %}
 {% if location.force_https is defined and location.force_https == '1' %}
     if ($scheme != "https") {
         return 302 https://$host$request_uri;
@@ -210,3 +220,4 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% endif %}{# honeypot #}
     include {{ location['@uuid'] }}_post/*.conf;
 }
+
diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
index 26a2136603..c6a86734e3 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
@@ -1 +1 @@
-!function(e){var t={};function i(n){if(t[n])return t[n].exports;var s=t[n]={i:n,l:!1,exports:{}};return e[n].call(s.exports,s,s.exports,i),s.l=!0,s.exports}i.m=e,i.c=t,i.d=function(e,t,n){i.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:n})},i.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},i.t=function(e,t){if(1&t&&(e=i(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(i.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var s in e)i.d(n,s,function(t){return e[t]}.bind(null,s));return n},i.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return i.d(t,"a",t),t},i.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},i.p="",i(i.s=27)}({27:function(e,t,i){"use strict";i.r(t);var n=Backbone.View.extend({tagName:"div",attributes:{class:"container-fluid"},child_views:[],createModel:null,upstreamCollection:null,initialize:function(e){this.dataField=$(e.dataField),this.entryclass=e.entryclass,this.createModel=e.createModel,this.upstreamCollection=e.upstreamCollection,this.listenTo(this.collection,"add remove reset",this.render),this.listenTo(this.collection,"change",this.update),this.dataField.after(this.$el)},events:{"click .add":"addEntry"},render:function(){this.child_views.forEach(e=>e.remove()),this.$el.html(""),this.child_views=[],this.update(),this.collection.each(e=>{const t=new this.entryclass({model:e,collection:this.collection,upstreamCollection:this.upstreamCollection});this.child_views.push(t),this.$el.append(t.$el),t.render()}),this.$el.append($('\n            <div class="row">\n                <button class="btn btn-primary pull-right add">\n                    <span class="fa fa-plus"></span>\n                </button>\n            </div>'))},update:function(){this.dataField.data("data",this.collection.toJSON())},addEntry:function(e){e.preventDefault(),this.collection.add(this.createModel())}});var s=Backbone.Collection.extend({url:"/api/nginx/settings/searchupstream",parse:function(e){return e.rows}});const a=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("hostname",this.key.value)},"change .value":function(){this.model.set("upstream",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(e){this.upstreamCollection=e.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("hostname"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("upstream"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.model.has("upstream")&&0!==this.upstreamCollection.where({uuid:this.model.get("upstream")}).length||this.upstreamCollection.length>0&&this.model.set("upstream",this.upstreamCollection.at(0).get("uuid")),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("hostname")),this.regenerate_list(),$(this.value).val(this.model.get("upstream"))},deleteEntry:function(e){e.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const e=$(this.value);e.html(""),this.upstreamCollection.each(t=>e.append(`<option value="${t.escape("uuid")}">${t.escape("description")}</option>`)),e.val(this.model.get("upstream")),e.selectpicker("refresh")}}),l=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("network",this.key.value)},"change .value":function(){this.model.set("action",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(e){this.upstreamCollection=e.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("network"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("action"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("network")),this.regenerate_list(),$(this.value).val(this.model.get("action"))},deleteEntry:function(e){e.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const e=$(this.value);e.html(""),this.upstreamCollection.each(t=>e.append(`<option value="${t.escape("value")}">${t.escape("name")}</option>`)),e.val(this.model.get("action")),e.selectpicker("refresh")}});var o=Backbone.Collection.extend({initialize:function(){let e=this;$("#snihostname\\.data").change(function(){e.regenerateFromView()})},regenerateFromView:function(){let e=$("#snihostname\\.data").data("data");_.isArray(e)||(e=[]),this.reset(e)}}),r=Backbone.Model.extend({}),c=Backbone.Model.extend({}),d=Backbone.Collection.extend({initialize:function(){let e=this;$("#ipacl\\.data").change(function(){e.regenerateFromView()})},regenerateFromView:function(){let e=$("#ipacl\\.data").data("data");_.isArray(e)||(e=[]),this.reset(e)}});const u=new s,h=new Backbone.Collection([{name:"Deny",value:"deny"},{name:"Allow",value:"allow"}]);$(document).ready(function(){mapDataToFormUI({frm_nginx:"/api/nginx/settings/get"}).done(function(){formatTokenizersUI(),$('select[data-allownew="false"]').selectpicker("refresh"),updateServiceControlUI("nginx")}),""!==window.location.hash&&$('a[href="'+window.location.hash+'"]').click(),$(".nav-tabs a").on("shown.bs.tab",function(e){history.pushState(null,null,e.target.hash)}),$(".reload_btn").click(function(){$(".reloadAct_progress").addClass("fa-spin"),ajaxCall("/api/nginx/service/reconfigure",{},function(){$(".reloadAct_progress").removeClass("fa-spin")})}),$('[id*="save_"]').each(function(){$(this).click(function(){let e=$(this).closest("form").attr("id"),t=$(this).closest("form").attr("data-title");saveFormToEndpoint("/api/nginx/settings/set",e,function(){$("#"+e+"_progress").addClass("fa fa-spinner fa-pulse"),ajaxCall("/api/nginx/service/reconfigure",{},function(i,n){$("#"+e+"_progress").removeClass("fa fa-spinner fa-pulse"),void 0===i||"success"===n&&"ok"===i.status?updateServiceControlUI("nginx"):BootstrapDialog.show({type:BootstrapDialog.TYPE_WARNING,title:t,message:JSON.stringify(i),draggable:!0})})})})}),["upstream","upstreamserver","location","credential","userlist","httpserver","streamserver","httprewrite","custompolicy","security_header","ipacl","limit_zone","cache_path","limit_request_connection","snifwd","tls_fingerprint","syslog_target","naxsirule"].forEach(function(e){$("#grid-"+e).UIBootgrid({search:"/api/nginx/settings/search"+e,get:"/api/nginx/settings/get"+e+"/",set:"/api/nginx/settings/set"+e+"/",add:"/api/nginx/settings/add"+e+"/",del:"/api/nginx/settings/del"+e+"/",options:{selection:!1,multiSelect:!1}})}),bind_naxsi_rule_dl_button(),function(){let e=new n({dataField:document.getElementById("snihostname.data"),upstreamCollection:u,entryclass:a,collection:new o,createModel:function(){return new r({hostname:"localhost"})}});window.snifield=e,e.render(),$("#grid-upstream").on("loaded.rs.jquery.bootgrid",function(){u.fetch()}),u.fetch()}();let e=new n({dataField:document.getElementById("ipacl.data"),upstreamCollection:h,entryclass:l,collection:new d,createModel:function(){return new c({network:"::",action:"deny"})}});window.ipaclfield=e,e.render()})}});
\ No newline at end of file
+!function(e){var t={};function n(s){if(t[s])return t[s].exports;var i=t[s]={i:s,l:!1,exports:{}};return e[s].call(i.exports,i,i.exports,n),i.l=!0,i.exports}n.m=e,n.c=t,n.d=function(e,t,s){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:s})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var s=Object.create(null);if(n.r(s),Object.defineProperty(s,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var i in e)n.d(s,i,function(t){return e[t]}.bind(null,i));return s},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=27)}({27:function(e,t,n){"use strict";n.r(t);var s=Backbone.View.extend({tagName:"div",attributes:{class:"container-fluid"},child_views:[],createModel:null,upstreamCollection:null,initialize:function(e){this.dataField=$(e.dataField),this.entryclass=e.entryclass,this.createModel=e.createModel,this.upstreamCollection=e.upstreamCollection,this.listenTo(this.collection,"add remove reset",this.render),this.listenTo(this.collection,"change",this.update),this.dataField.after(this.$el)},events:{"click .add":"addEntry"},render:function(){this.child_views.forEach(e=>e.remove()),this.$el.html(""),this.child_views=[],this.update(),this.collection.each(e=>{const t=new this.entryclass({model:e,collection:this.collection,upstreamCollection:this.upstreamCollection});this.child_views.push(t),this.$el.append(t.$el),t.render()}),this.$el.append($('\n            <div class="row">\n                <button class="btn btn-primary pull-right add">\n                    <span class="fa fa-plus"></span>\n                </button>\n            </div>'))},update:function(){this.dataField.data("data",this.collection.toJSON())},addEntry:function(e){e.preventDefault(),this.collection.add(this.createModel())}});var i=Backbone.Collection.extend({url:"/api/nginx/settings/searchupstream",parse:function(e){return e.rows}});const a=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("hostname",this.key.value)},"change .value":function(){this.model.set("upstream",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(e){this.upstreamCollection=e.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("hostname"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("upstream"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.model.has("upstream")&&0!==this.upstreamCollection.where({uuid:this.model.get("upstream")}).length||this.upstreamCollection.length>0&&this.model.set("upstream",this.upstreamCollection.at(0).get("uuid")),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("hostname")),this.regenerate_list(),$(this.value).val(this.model.get("upstream"))},deleteEntry:function(e){e.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const e=$(this.value);e.html(""),this.upstreamCollection.each(t=>e.append(`<option value="${t.escape("uuid")}">${t.escape("description")}</option>`)),e.val(this.model.get("upstream")),e.selectpicker("refresh")}}),l=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("network",this.key.value)},"change .value":function(){this.model.set("action",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(e){this.upstreamCollection=e.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("network"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("action"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("network")),this.regenerate_list(),$(this.value).val(this.model.get("action"))},deleteEntry:function(e){e.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const e=$(this.value);e.html(""),this.upstreamCollection.each(t=>e.append(`<option value="${t.escape("value")}">${t.escape("name")}</option>`)),e.val(this.model.get("action")),e.selectpicker("refresh")}});var o=Backbone.Collection.extend({initialize:function(){let e=this;$("#snihostname\\.data").change(function(){e.regenerateFromView()})},regenerateFromView:function(){let e=$("#snihostname\\.data").data("data");_.isArray(e)||(e=[]),this.reset(e)}}),r=Backbone.Model.extend({}),c=Backbone.Model.extend({}),d=Backbone.Collection.extend({initialize:function(){let e=this;$("#ipacl\\.data").change(function(){e.regenerateFromView()})},regenerateFromView:function(){let e=$("#ipacl\\.data").data("data");_.isArray(e)||(e=[]),this.reset(e)}});const u=new i,h=new Backbone.Collection([{name:"Deny",value:"deny"},{name:"Allow",value:"allow"}]);$(document).ready(function(){mapDataToFormUI({frm_nginx:"/api/nginx/settings/get"}).done(function(){formatTokenizersUI(),$('select[data-allownew="false"]').selectpicker("refresh"),updateServiceControlUI("nginx")}),""!==window.location.hash&&$('a[href="'+window.location.hash+'"]').click(),$(".nav-tabs a").on("shown.bs.tab",function(e){history.pushState(null,null,e.target.hash)}),$(".reload_btn").click(function(){$(".reloadAct_progress").addClass("fa-spin"),ajaxCall("/api/nginx/service/reconfigure",{},function(){$(".reloadAct_progress").removeClass("fa-spin")})}),$('[id*="save_"]').each(function(){$(this).click(function(){let e=$(this).closest("form").attr("id"),t=$(this).closest("form").attr("data-title");saveFormToEndpoint("/api/nginx/settings/set",e,function(){$("#"+e+"_progress").addClass("fa fa-spinner fa-pulse"),ajaxCall("/api/nginx/service/reconfigure",{},function(n,s){$("#"+e+"_progress").removeClass("fa fa-spinner fa-pulse"),void 0===n||"success"===s&&"ok"===n.status?updateServiceControlUI("nginx"):BootstrapDialog.show({type:BootstrapDialog.TYPE_WARNING,title:t,message:JSON.stringify(n),draggable:!0})})})})}),["upstream","upstreamserver","location","credential","userlist","httpserver","streamserver","httprewrite","custompolicy","security_header","ipacl","limit_zone","cache_path","limit_request_connection","snifwd","errorpage","tls_fingerprint","syslog_target","naxsirule"].forEach(function(e){$("#grid-"+e).UIBootgrid({search:"/api/nginx/settings/search"+e,get:"/api/nginx/settings/get"+e+"/",set:"/api/nginx/settings/set"+e+"/",add:"/api/nginx/settings/add"+e+"/",del:"/api/nginx/settings/del"+e+"/",options:{selection:!1,multiSelect:!1,formatters:{commands:function(e,t){return'<button type="button" class="btn btn-xs btn-default command-edit" data-row-id="'+t.uuid+'"><span class="fa fa-pencil"></span></button> <button type="button" class="btn btn-xs btn-default command-copy" data-row-id="'+t.uuid+'"><span class="fa fa-clone"></span></button><button type="button" class="btn btn-xs btn-default command-delete" data-row-id="'+t.uuid+'"><span class="fa fa-trash-o"></span></button>'},response:function(e,t){return"none"==t.response?"unchanged":t.response},statuscodes:function(e,t){const n=[],s=t.statuscodes.split(",");for(let e of s)n.push(e.substr(0,3));return n.join(", ")}}}})}),bind_naxsi_rule_dl_button(),function(){let e=new s({dataField:document.getElementById("snihostname.data"),upstreamCollection:u,entryclass:a,collection:new o,createModel:function(){return new r({hostname:"localhost"})}});window.snifield=e,e.render(),$("#grid-upstream").on("loaded.rs.jquery.bootgrid",function(){u.fetch()}),u.fetch()}();let e=new s({dataField:document.getElementById("ipacl.data"),upstreamCollection:h,entryclass:l,collection:new d,createModel:function(){return new c({network:"::",action:"deny"})}});window.ipaclfield=e,e.render()})}});
\ No newline at end of file
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js b/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
index 4cd780377d..0e69aaf179 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
@@ -68,6 +68,7 @@ function init_grids() {
         'cache_path',
         'limit_request_connection',
         'snifwd',
+        'errorpage',
         'tls_fingerprint',
         'syslog_target',
         'naxsirule'].forEach(function (element) {
@@ -78,7 +79,29 @@ function init_grids() {
                 'set': '/api/nginx/settings/set' + element + '/',
                 'add': '/api/nginx/settings/add' + element + '/',
                 'del': '/api/nginx/settings/del' + element + '/',
-                'options': {selection: false, multiSelect: false}
+                'options': {
+                    selection: false,
+                    multiSelect: false,
+                    formatters: {
+                        "commands": function (column, row) {
+                            return "<button type=\"button\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
+                                "<button type=\"button\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
+                                "<button type=\"button\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
+                        },
+                        "response": function (column, row) {
+                            return ((row.response == "none") ? "unchanged" : row.response);
+                        },
+                        // Extract 3 digit HTTP status code from string with human readable text (302 Found -> 302)
+                        "statuscodes": function (column, row) {
+                            const result = [];
+                            const elems = row.statuscodes.split(",");
+                            for (let elem of elems) {
+                                result.push(elem.substr(0, 3));
+                            }
+                            return result.join(", ");
+                        }
+                    }
+                }
             }
         );
     });

From efc63a8470e56fe85980e694ba1c741b14052f31 Mon Sep 17 00:00:00 2001
From: Fabian Franz BSc <fabianfrz@users.noreply.github.com>
Date: Sun, 23 May 2021 21:51:19 +0200
Subject: [PATCH 0588/3088] fix nginx changelog

the pull request pointed to the wrong version, will be in 1.23, not in 1.20
---
 www/nginx/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index bcb357234f..5dde33a516 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 1.23
 
+* Add custom error pages on a per HTTP server basis (contributed by 8191)
 * Migration for PHP Phalcon 4 (non breaking change for UI/API)
 
 1.22
@@ -32,7 +33,6 @@ Plugin Changelog
 
 * User interface improvements of NAXSI configuration (contributed by 8191)
 * Fixed missing certificate validation of upstreams (contributed by 8191)
-* Add custom error pages on a per HTTP server basis (contributed by 8191)
 
 1.19
 

From cf349b192ffc710c9054d21073fad2da65fba9f2 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 25 May 2021 11:18:27 +0200
Subject: [PATCH 0589/3088] ET-Pro Telemetry - prevent old data from being
 flushed to Proofpoint when the state got lost or the script hasn't executed
 for a longer period of time.

---
 security/etpro-telemetry/Makefile                         | 2 +-
 .../opnsense/scripts/etpro_telemetry/send_telemetry.py    | 2 +-
 .../opnsense/scripts/etpro_telemetry/telemetry/state.py   | 8 +++++---
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 6c41f6a7ca..6c596634bd 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		etpro-telemetry
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py
index 7ee104393c..dea1240b7d 100755
--- a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py
+++ b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py
@@ -51,7 +51,7 @@
                     default="/var/log/suricata/")
 parser.add_argument('-s', '--state', help='persistent state (and lock) filename',
                     default="/usr/local/var/run/et_telemetry.state")
-parser.add_argument('-d', '--days', help='Maximum number of days to look back on initial run', type=int, default=2)
+parser.add_argument('-d', '--days', help='Maximum number of days to look back', type=float, default=1)
 parser.add_argument('-D', '--direct',
                     help='do not sleep before send (disable traffic spread)',
                     action="store_true",
diff --git a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/telemetry/state.py b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/telemetry/state.py
index 40df17ae9f..8303f1535e 100755
--- a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/telemetry/state.py
+++ b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/telemetry/state.py
@@ -46,12 +46,14 @@ def get_last_update(self):
         :return: datetime
         """
         self._file_handle.seek(0)
+        file_handle_stamp = None
+        max_age = datetime.datetime.now() - datetime.timedelta(days=self._init_last_days)
         try:
-            result = datetime.datetime.fromtimestamp(float(self._file_handle.readline()))
+            file_handle_stamp = datetime.datetime.fromtimestamp(float(self._file_handle.readline()))
         except ValueError:
-            result = datetime.datetime.now() - datetime.timedelta(days=self._init_last_days)
+            return max_age
 
-        return result
+        return max(file_handle_stamp, max_age)
 
     def set_last_update(self, stamp):
         """ set last timestamp

From b90c3d472f12f05a5086a5a45f917c2fe8dba4e3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 May 2021 10:59:38 +0200
Subject: [PATCH 0590/3088] security/etpro-telemetry: clear revision after
 version change

---
 security/etpro-telemetry/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 6c596634bd..0c8026ba50 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From 98360da05a527380bdb6ddad2f8f935b5e358c24 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 May 2021 11:05:29 +0200
Subject: [PATCH 0591/3088] net/relayd: never got past 2.4 in stable branch

---
 net/relayd/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index c94f25e2a0..d0c095ff8e 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		relayd
-PLUGIN_VERSION=		2.6
-#PLUGIN_REVISION=	2
+PLUGIN_VERSION=		2.5
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From e6fcf152be908f8325660a44708ca6b38661778c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 May 2021 11:11:05 +0200
Subject: [PATCH 0592/3088] net/freeradius: package version bump

---
 net/freeradius/Makefile  | 2 +-
 net/freeradius/pkg-descr | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 2c0998709f..dd739fa1d9 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.11
+PLUGIN_VERSION=		1.9.12
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index b7dbcee0b7..5c5c726ac1 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,9 +15,13 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.12
+
+* Fix leading space in freeradius logformat (contributed by nan0)
+
 1.9.11
 
-Add IPv6 support to client IP
+* Add IPv6 support to client IP
 
 1.9.10
 

From 6044259ae57de958cb49f04eaaf190dd926df749 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 May 2021 11:19:27 +0200
Subject: [PATCH 0593/3088] www/nginx: style sweep

---
 www/nginx/src/opnsense/scripts/nginx/setup.php                 | 3 +--
 .../opnsense/service/templates/OPNsense/Nginx/location.conf    | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 202db26508..2c1b58c692 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -283,8 +283,7 @@ function find_ca($refid)
                 @file_put_contents(ERRORPAGE_DIR . "/$filename", $content);
             }
             chmod(ERRORPAGE_DIR . "/$filename", 0644);
-        }
-        else {
+        } else {
             unset($used_errorpages[array_search($uuid, $used_errorpages)]);
         }
     }
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 254055642f..b18872e4d4 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -220,4 +220,3 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% endif %}{# honeypot #}
     include {{ location['@uuid'] }}_post/*.conf;
 }
-

From c80f848c398015c816f96a004c7102b950412b30 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 May 2021 11:29:08 +0200
Subject: [PATCH 0594/3088] dns/dyndns: start a changelog

---
 dns/dyndns/pkg-descr | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
index 16ae728ae9..b2b56473ab 100644
--- a/dns/dyndns/pkg-descr
+++ b/dns/dyndns/pkg-descr
@@ -1 +1,14 @@
 Support for numerous Dynamic DNS services (DynDNS et al)
+
+Plugin Changelog
+================
+
+1.24
+
+* Fix FreeDNS update in DynDNS plugin (contributed by rmrfus)
+* Add hetzner dns console to supported dyndns services (contributed by schreibubi)
+* Add support for deSEC.io (contributed by Michael Paul)
+* Add All-Inkl v4 and v6 DynDNS support (contributed by polkhigh33)
+* Add support for digitalocean v6 records (contributed by Jan Koppe)
+* Updated No-Ip client code to use APIv2 (contributed by Victor Kislov)
+* Fix copy and paste unprotected JSON object access

From bfdc07de980df2076a8d9a2dac0044c83e65d491 Mon Sep 17 00:00:00 2001
From: windgmbh <49904312+windgmbh@users.noreply.github.com>
Date: Fri, 28 May 2021 09:34:03 +0200
Subject: [PATCH 0595/3088] mail/postfix: Add TLS compatibility modes (#2255)

---
 mail/postfix/Makefile                         |  2 +-
 mail/postfix/pkg-descr                        |  4 ++
 .../OPNsense/Postfix/forms/general.xml        | 14 +++--
 .../app/models/OPNsense/Postfix/General.xml   | 24 +++++---
 .../templates/OPNsense/Postfix/main.cf        | 55 ++++++++++++++++---
 5 files changed, 78 insertions(+), 21 deletions(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 54ec134638..cbf3339046 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.18
+PLUGIN_VERSION=		1.19
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index f873fb8259..ad3563c437 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.19
+
+* Add TLS server/ client compatibility modes based on Mozilla's TLS configuration recommendations (https://ssl-config.mozilla.org).
+
 1.18
 
 * Add 'milter_default_action' choice
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 7b21cc1300..dda5f8f2b5 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -90,10 +90,16 @@
         <help>Disable SSLv2 and SSLv3, only TLS allowed.</help>
     </field>
     <field>
-        <id>general.disable_weak_ciphers</id>
-        <label>Disable Weak Ciphers And Algorithms</label>
-        <type>checkbox</type>
-        <help>This will disable known weak ciphers like DES, RC4 or MD5.</help>
+        <id>general.tls_server_compatibility</id>
+        <label>TLS Server Compatibility</label>
+        <type>dropdown</type>
+        <help>TLS version/ cipher compatibility of the SMTP service</help>
+    </field>
+    <field>
+        <id>general.tls_client_compatibility</id>
+        <label>TLS Client Compatibility</label>
+        <type>dropdown</type>
+        <help>TLS version/ cipher compatibility of the SMTP Client</help>
     </field>
     <field>
         <id>general.tlswrappermode</id>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index f829a07afc..4f0e11d8c4 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/postfix/general</mount>
     <description>Postfix configuration</description>
-    <version>1.2.5</version>
+    <version>1.2.6</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -61,14 +61,24 @@
             <mask>/^([0-9a-z\.\-\_]{1,128})(,[0-9a-z\.\-\_]{1,128})*$/ui</mask>
             <ValidationMessage>Only up to 128 of the following characters are allowed: 0-9a-zA-Z.-_</ValidationMessage>
         </masquerade_domains>
-        <disable_ssl type="BooleanField">
-            <default>1</default>
+        <tls_server_compatibility type="OptionField">
+            <default>intermediate</default>
             <Required>Y</Required>
-        </disable_ssl>
-        <disable_weak_ciphers type="BooleanField">
-            <default>1</default>
+            <OptionValues>
+                <modern>Modern</modern>
+                <intermediate>Intermediate</intermediate>
+                <old>Old</old>
+            </OptionValues>
+        </tls_server_compatibility>
+        <tls_client_compatibility type="OptionField">
+            <default>intermediate</default>
             <Required>Y</Required>
-        </disable_weak_ciphers>
+            <OptionValues>
+                <modern>Modern</modern>
+                <intermediate>Intermediate</intermediate>
+                <old>Old</old>
+            </OptionValues>
+        </tls_client_compatibility>
         <tlswrappermode type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 8df295bb9e..6301219587 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -83,29 +83,66 @@ message_size_limit = {{ OPNsense.postfix.general.message_size_limit }}
 {% if helpers.exists('OPNsense.postfix.general.masquerade_domains') and OPNsense.postfix.general.masquerade_domains != '' %}
 masquerade_domains = {{ OPNsense.postfix.general.masquerade_domains }}
 {% endif %}
-{% if helpers.exists('OPNsense.postfix.general.disable_ssl') and OPNsense.postfix.general.disable_ssl == '1' %}
-smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
-smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
-smtpd_tls_protocols=!SSLv2,!SSLv3
-smtp_tls_protocols=!SSLv2,!SSLv3
-{% endif %}
-{% if helpers.exists('OPNsense.postfix.general.disable_weak_ciphers') and OPNsense.postfix.general.disable_weak_ciphers == '1' %}
-smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
-{% endif %}
 {% if helpers.exists('OPNsense.postfix.general.tlswrappermode') and OPNsense.postfix.general.tlswrappermode == '1' %}
 smtp_tls_wrappermode = yes
 {% endif %}
+
 {% if helpers.exists('OPNsense.postfix.general.smtpclient_security') and OPNsense.postfix.general.smtpclient_security != '' %}
 smtp_tls_security_level = {{ OPNsense.postfix.general.smtpclient_security }}
+smtp_tls_loglevel = 1
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.tls_client_compatibility') %}
+{% if OPNsense.postfix.general.tls_client_compatibility == 'modern' %}
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
+{% elif OPNsense.postfix.general.tls_client_compatibility == 'intermediate' %}
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_ciphers = medium
+{% elif OPNsense.postfix.general.tls_client_compatibility == 'old' %}
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtp_tls_mandatory_ciphers = low
+{% endif %}
+smtp_tls_protocols = $smtp_tls_mandatory_protocols
+{% if OPNsense.postfix.general.tls_client_compatibility != 'modern' %}
+smtp_tls_ciphers = $smtp_tls_mandatory_ciphers
+{% endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.postfix.general.certificate') and OPNsense.postfix.general.certificate != '' %}
 smtpd_use_tls = yes
+smtpd_tls_auth_only = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
 smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
 {% endif %}
 {% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
 smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
 {% endif %}
+{% if helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
+{% if OPNsense.postfix.general.tls_server_compatibility == 'modern' %}
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
+{% elif OPNsense.postfix.general.tls_server_compatibility == 'intermediate' %}
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
+smtpd_tls_mandatory_ciphers = medium
+{% elif OPNsense.postfix.general.tls_server_compatibility == 'old' %}
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
+smtpd_tls_mandatory_ciphers = low
+{% endif %}
+smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
+{% if OPNsense.postfix.general.tls_server_compatibility != 'modern' %}
+smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.tls_client_compatibility') or helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
+tls_low_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
+tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+{% if OPNsense.postfix.general.tls_server_compatibility == 'old' %}
+tls_preempt_cipherlist = yes
+{% else %}
+tls_preempt_cipherlist = no
+{% endif %}
+{% endif%}
 
+{% endif %}
 {% if helpers.exists('OPNsense.postfix.general.relayhost') and OPNsense.postfix.general.relayhost != '' %}
 relayhost = {{ OPNsense.postfix.general.relayhost }}
 {% endif %}

From b0ad36d2ca7f11ba58abd55e85d9744574acf405 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 31 May 2021 16:30:29 +0200
Subject: [PATCH 0596/3088] Framework: conditional PLUGIN_PKGSUFFIX and PHP 8
 file ignore

---
 Mk/plugins.mk | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index d1cb1e7e6d..73b2605654 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -73,11 +73,13 @@ PLUGIN_PKGNAMES+=	${PLUGIN_PREFIX}${CONFLICT}${PLUGIN_SUFFIX} \
 .endfor
 
 .if "${PLUGIN_DEVEL}" != ""
-PLUGIN_PKGNAME=		${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_SUFFIX}
+PLUGIN_PKGSUFFIX=	${PLUGIN_SUFFIX}
 .else
-PLUGIN_PKGNAME=		${PLUGIN_PREFIX}${PLUGIN_NAME}
+PLUGIN_PKGSUFFIX=	# empty
 .endif
 
+PLUGIN_PKGNAME=		${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_PKGSUFFIX}
+
 .if "${PLUGIN_REVISION}" != "" && "${PLUGIN_REVISION}" != "0"
 PLUGIN_PKGVERSION=	${PLUGIN_VERSION}_${PLUGIN_REVISION}
 .else
@@ -309,7 +311,7 @@ lint-php: check
 	    ! -name "*.svg" ! -name "*.woff" ! -name "*.woff2" \
 	    ! -name "*.otf" ! -name "*.png" ! -name "*.js" ! -name "*.md" \
 	    ! -name "*.scss" ! -name "*.py" ! -name "*.ttf" ! -name "*.txz" \
-	    ! -name "*.tgz" ! -name "*.xml.dist" ! -name "*.sh" \
+	    ! -name "*.tgz" ! -name "*.xml.dist" ! -name "*.sh" ! -name "bootstrap80.php" \
 	    -type f -print0 | xargs -0 -n1 php -l
 
 lint: lint-desc lint-shell lint-xml lint-exec lint-php

From ea03e161a65163892d5c5eb754d7e43e4d6b4b8a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 31 May 2021 16:48:06 +0200
Subject: [PATCH 0597/3088] misc: simplify PLUGIN_NO_ABI and use it for themes

---
 Mk/defaults.mk                | 2 ++
 Mk/plugins.mk                 | 4 ++--
 misc/theme-cicada/Makefile    | 1 +
 misc/theme-rebellion/Makefile | 1 +
 misc/theme-tukan/Makefile     | 1 +
 misc/theme-vicuna/Makefile    | 1 +
 6 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 6210fd1e89..518004e55c 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -23,6 +23,8 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
+OSABIPREFIX=	FreeBSD
+
 LOCALBASE?=	/usr/local
 PAGER?=		less
 
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 73b2605654..27de43371d 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -104,8 +104,8 @@ manifest: check
 	@echo "licenselogic: \"single\""
 	@echo "licenses: [ \"BSD2CLAUSE\" ]"
 .if defined(PLUGIN_NO_ABI)
-	@echo "arch: `pkg config abi | tr '[:upper:]' '[:lower:]' | cut -d: -f1`:*:*"
-	@echo "abi: `pkg config abi | cut -d: -f1`:*:*"
+	@echo "arch: \"${OSABIPREFIX:tl}:*:*\""
+	@echo "abi: \"${OSABIPREFIX}:*:*\""
 .endif
 .if defined(PLUGIN_DEPENDS)
 	@echo "deps: {"
diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 33e19692fc..f2a49f3d47 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -2,5 +2,6 @@ PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.28
 PLUGIN_COMMENT=		The cicada theme - dark grey
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
+PLUGIN_NO_ABI=		yes
 
 .include "../../Mk/plugins.mk"
diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index f83bf6f1c4..d50e43e6e6 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -2,5 +2,6 @@ PLUGIN_NAME=		theme-rebellion
 PLUGIN_VERSION=		1.8.7
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
+PLUGIN_NO_ABI=		yes
 
 .include "../../Mk/plugins.mk"
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 4d9f9cc95b..7c959ab18c 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -2,5 +2,6 @@ PLUGIN_NAME=		theme-tukan
 PLUGIN_VERSION=		1.25
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
+PLUGIN_NO_ABI=		yes
 
 .include "../../Mk/plugins.mk"
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 0bfdb6476c..58d940a985 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -2,5 +2,6 @@ PLUGIN_NAME=		theme-vicuna
 PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		The vicuna theme - dark anthrazit
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
+PLUGIN_NO_ABI=		yes
 
 .include "../../Mk/plugins.mk"

From 179edb8eb2a8348f7832e851ab8bb124260663aa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 31 May 2021 17:53:02 +0200
Subject: [PATCH 0598/3088] Framework: tiniest flavour/variants glue for #2408

---
 Mk/plugins.mk | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 27de43371d..03b15df427 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -65,6 +65,21 @@ PLUGIN_DEVEL?=		yes
 PLUGIN_PREFIX?=		os-
 PLUGIN_SUFFIX?=		-devel
 
+.if !empty(PLUGIN_VARIANTS)
+PLUGIN_VARIANT?=	${PLUGIN_VARIANTS:[1]}
+.endif
+
+.if !empty(PLUGIN_VARIANT)
+PLUGIN_NAME:=		${${PLUGIN_VARIANT}_NAME}
+.if empty(PLUGIN_NAME)
+.error Plugin variant '${PLUGIN_VARIANT}' does not exist
+.endif
+.for _PLUGIN_VARIANT in ${PLUGIN_VARIANTS}
+PLUGIN_CONFLICTS+=	${${_PLUGIN_VARIANT}_NAME}
+.endfor
+PLUGIN_DEPENDS+=	${${PLUGIN_VARIANT}_DEPENDS}
+.endif
+
 PLUGIN_PKGNAMES=	${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_SUFFIX} \
 			${PLUGIN_PREFIX}${PLUGIN_NAME}
 .for CONFLICT in ${PLUGIN_CONFLICTS}

From fe11c45336dcf8b12c676ec5de5576bc4339201b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 31 May 2021 17:53:31 +0200
Subject: [PATCH 0599/3088] net-mgmt/zabbix-proxy: copy with variants support

---
 net-mgmt/zabbix-proxy/Makefile                |  13 ++
 net-mgmt/zabbix-proxy/pkg-descr               |  36 ++++
 .../src/etc/inc/plugins.inc.d/zabbixproxy.inc |  49 ++++++
 .../Zabbixproxy/Api/GeneralController.php     |  39 +++++
 .../Zabbixproxy/Api/ServiceController.php     |  47 +++++
 .../Zabbixproxy/GeneralController.php         |  38 ++++
 .../OPNsense/Zabbixproxy/forms/general.xml    | 163 ++++++++++++++++++
 .../models/OPNsense/Zabbixproxy/ACL/ACL.xml   |  11 ++
 .../models/OPNsense/Zabbixproxy/General.php   |  35 ++++
 .../models/OPNsense/Zabbixproxy/General.xml   | 116 +++++++++++++
 .../models/OPNsense/Zabbixproxy/Menu/Menu.xml |   8 +
 .../views/OPNsense/Zabbixproxy/general.volt   |  60 +++++++
 .../scripts/OPNsense/Zabbixproxy/setup.sh     |  16 ++
 .../systemhealth/logformats/zabbix_proxy.py   |  55 ++++++
 .../conf/actions.d/actions_zabbixproxy.conf   |  23 +++
 .../templates/OPNsense/Zabbixproxy/+TARGETS   |   3 +
 .../OPNsense/Zabbixproxy/zabbix_proxy         |   6 +
 .../OPNsense/Zabbixproxy/zabbix_proxy.conf    |  85 +++++++++
 .../OPNsense/Zabbixproxy/zabbix_proxy.psk     |   5 +
 19 files changed, 808 insertions(+)
 create mode 100644 net-mgmt/zabbix-proxy/Makefile
 create mode 100644 net-mgmt/zabbix-proxy/pkg-descr
 create mode 100644 net-mgmt/zabbix-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
 create mode 100755 net-mgmt/zabbix-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
 create mode 100755 net-mgmt/zabbix-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
new file mode 100644
index 0000000000..322d8d87b3
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -0,0 +1,13 @@
+PLUGIN_NAME=		zabbix-proxy
+PLUGIN_VERSION=		1.5
+PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
+PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_VARIANTS=	zabbix5 zabbix4
+
+zabbix5_NAME=		zabbix5-proxy
+zabbix5_DEPENDS=	zabbix5-proxy
+
+zabbix4_NAME=		zabbix4-proxy
+zabbix4_DEPENDS=	zabbix4-proxy
+
+.include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
new file mode 100644
index 0000000000..158cf60878
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -0,0 +1,36 @@
+Zabbix is an enterprise-class open source distributed monitoring solution.
+
+Zabbix is software that monitors numerous parameters of a network and the
+health and integrity of servers. Zabbix uses a flexible notification
+mechanism that allows users to configure e-mail based alerts for virtually
+any event. This allows a fast reaction to server problems. Zabbix offers
+excellent reporting and data visualisation features based on the stored
+data. This makes Zabbix ideal for capacity planning.
+
+WWW: https://www.zabbix.com/
+
+Plugin Changelog
+----------------
+
+1.5
+
+* Add log file to web GUI (contributed by Starkstromkonsument)
+
+1.4
+
+* Allow setting ConfigFrequency
+* Allow setting DataSenderFrequency
+* Allow setting StartVMwareCollectors
+
+1.3
+
+* Switch to zabbix5-proxy
+
+1.2
+
+* Allow adding multiple listen addresses
+
+1.1
+
+* Add ProxyOfflineBuffer parameter
+* Switch to new service control UI
diff --git a/net-mgmt/zabbix-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc b/net-mgmt/zabbix-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
new file mode 100644
index 0000000000..d26017268a
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
@@ -0,0 +1,49 @@
+<?php
+
+/*
+    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function zabbixproxy_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (isset($config['OPNsense']['zabbixproxy']['general']['enabled']) && $config['OPNsense']['zabbixproxy']['general']['enabled'] == 1) {
+        $services[] = array(
+            'description' => gettext('Zabbix Proxy'),
+            'configd' => array(
+                'restart' => array('zabbixproxy restart'),
+                'start' => array('zabbixproxy start'),
+                'stop' => array('zabbixproxy stop'),
+            ),
+            'name' => 'zabbixproxy',
+            'pidfile' => '/var/run/zabbix/zabbix_proxy.pid'
+        );
+    }
+
+    return $services;
+}
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
new file mode 100644
index 0000000000..7a930881dc
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Zabbixproxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Zabbixproxy\General';
+    protected static $internalModelName = 'general';
+}
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
new file mode 100644
index 0000000000..d94f2a1ced
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Zabbixproxy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Zabbixproxy\General;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\Zabbixproxy
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Zabbixproxy\General';
+    protected static $internalServiceTemplate = 'OPNsense/Zabbixproxy';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'zabbixproxy';
+}
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
new file mode 100644
index 0000000000..56e2667c7f
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Zabbixproxy;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->pick('OPNsense/Zabbixproxy/general');
+    }
+}
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
new file mode 100644
index 0000000000..771ad073d8
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -0,0 +1,163 @@
+<form>
+    <field>
+        <id>general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>This will activate the Zabbix Proxy service.</help>
+    </field>
+    <field>
+        <id>general.proxymode</id>
+        <label>Proxy Mode</label>
+        <type>checkbox</type>
+        <help>Active (default) or passive mode, only switch to passive if you know what you are doing.</help>
+    </field>
+    <field>
+        <id>general.server</id>
+        <label>Server</label>
+        <type>text</type>
+        <help>IP address or hostname of Zabbix server.</help>
+    </field>
+    <field>
+        <id>general.serverport</id>
+        <label>Server Port</label>
+        <type>text</type>
+        <help>Port of Zabbix trapper on Zabbix server. Default is fine for most scenarios.</help>
+    </field>
+    <field>
+        <id>general.hostname</id>
+        <label>Hostname</label>
+        <type>text</type>
+        <help>The name of this Zabbix instance. It has to match with the defined name in the central Zabbix server.</help>
+    </field>
+    <field>
+        <id>general.listenip</id>
+        <label>Listen IP</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing.</help>
+    </field>
+    <field>
+        <id>general.listenport</id>
+        <label>Listen Port</label>
+        <type>text</type>
+        <help>Listen port for trapper. Default is just fine.</help>
+    </field>
+    <field>
+        <id>general.sourceip</id>
+        <label>Source IP</label>
+        <type>text</type>
+        <help>Source IP address for outgoing connections.</help>
+    </field>
+    <field>
+        <id>general.startpollers</id>
+        <label>Start Pollers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of pollers.</help>
+    </field>
+    <field>
+        <id>general.startipmipollers</id>
+        <label>Start IPMI Pollers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of IPMI pollers.</help>
+    </field>
+    <field>
+        <id>general.startpollersunreachable</id>
+        <label>Start Pollers Unreachable</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).</help>
+    </field>
+    <field>
+        <id>general.starttrappers</id>
+        <label>Start Trappers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of trappers. Trappers accept incoming connections from Zabbix sender and active agents.</help>
+    </field>
+    <field>
+        <id>general.startpingers</id>
+        <label>Start Pingers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of ICMP pingers.</help>
+    </field>
+    <field>
+        <id>general.startdiscoverers</id>
+        <label>Start Discoverers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of discoverers.</help>
+    </field>
+    <field>
+        <id>general.startvmwarecollectors</id>
+        <label>Start VMware Collectors</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of VMware Collectors.</help>
+    </field>
+    <field>
+        <id>general.starthttppollers</id>
+        <label>Start HTTP Pollers</label>
+        <type>text</type>
+        <help>Number of pre-forked instances of HTTP pollers.</help>
+    </field>
+    <field>
+        <id>general.cachesize</id>
+        <label>Cache Size</label>
+        <type>text</type>
+        <help>Size of configuration cache, in bytes. Shared memory size, for storing hosts and items data. Range: 128K-8G</help>
+    </field>
+    <field>
+        <id>general.historycachesize</id>
+        <label>History Cache Size</label>
+        <type>text</type>
+        <help>Size of history cache in bytes. Shared memory size for storing history data. Range: 128K-2G</help>
+    </field>
+    <field>
+        <id>general.historyindexcachesize</id>
+        <label>History Index Cache Size</label>
+        <type>text</type>
+        <help>Size of history index cache in bytes. Shared memory size for indexing history cache. Range: 128K-2G</help>
+    </field>
+    <field>
+        <id>general.proxyofflinebuffer</id>
+        <label>Proxy Offline Buffer</label>
+        <type>text</type>
+        <help>Set the time in hours how long the values will be buffered when the server is unreachable.</help>
+    </field>
+    <field>
+        <id>general.timeout</id>
+        <label>Timeout</label>
+        <type>text</type>
+        <help>Specifies how long we wait for agent, SNMP device or external check (in seconds).</help>
+    </field>
+    <field>
+        <id>general.configfrequency</id>
+        <label>Config Frequency</label>
+        <type>text</type>
+        <help>Specifies the time how often proxy retrieves configuration data from zabbix server (in seconds).</help>
+    </field>
+    <field>
+        <id>general.datasenderfrequency</id>
+        <label>Data Sender Frequency</label>
+        <type>text</type>
+        <help>Specifies the time how often the proxy will send collected data to the server (in seconds).</help>
+    </field>
+    <field>
+        <id>general.encryption</id>
+        <label>PSK based encryption</label>
+        <type>checkbox</type>
+        <help>Enable PSK based encryption for communicating with the Zabbix server</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.encryptionidentity</id>
+        <label>PSK Identity</label>
+        <type>text</type>
+        <help>The PSK identity configured on the Zabbix server</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.encryptionpsk</id>
+        <label>PSK</label>
+        <type>text</type>
+        <help>The PSK configured on the Zabbix server</help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
new file mode 100644
index 0000000000..9b1dd7b5b9
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
@@ -0,0 +1,11 @@
+<acl>
+   <page-services-zabbixproxy>
+      <name>Services: Zabbix Proxy</name>
+      <patterns>
+         <pattern>ui/zabbixproxy/*</pattern>
+         <pattern>api/zabbixproxy/*</pattern>
+         <pattern>ui/diagnostics/log/zabbix/zabbix_proxy/*</pattern>
+         <pattern>api/diagnostics/log/zabbix/zabbix_proxy/*</pattern>
+      </patterns>
+   </page-services-zabbixproxy>
+</acl>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
new file mode 100644
index 0000000000..351dbd9db5
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Zabbixproxy;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
new file mode 100644
index 0000000000..45029f7c39
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -0,0 +1,116 @@
+<model>
+    <mount>//OPNsense/zabbixproxy/general</mount>
+    <description>Zabbix Proxy configuration</description>
+    <version>2.0.2</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <proxymode type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </proxymode>
+        <server type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </server>
+        <serverport type="TextField">
+            <default>10051</default>
+            <Required>N</Required>
+        </serverport>
+        <hostname type="TextField">
+            <default>Zabbix proxy</default>
+            <Required>Y</Required>
+        </hostname>
+        <listenport type="TextField">
+            <default>10051</default>
+            <Required>N</Required>
+        </listenport>
+        <listenip type="NetworkField">
+            <default></default>
+            <FieldSeparator>,</FieldSeparator>
+            <asList>Y</asList>
+            <Required>N</Required>
+        </listenip>
+        <sourceip type="NetworkField">
+            <default></default>
+            <Required>N</Required>
+        </sourceip>
+        <startpollers type="TextField">
+            <default>5</default>
+            <Required>N</Required>
+        </startpollers>
+        <startipmipollers type="IntegerField">
+            <default>0</default>
+            <Required>N</Required>
+        </startipmipollers>
+        <startpollersunreachable type="IntegerField">
+            <default>1</default>
+            <Required>N</Required>
+        </startpollersunreachable>
+        <starttrappers type="IntegerField">
+            <default>5</default>
+            <Required>N</Required>
+        </starttrappers>
+        <startpingers type="IntegerField">
+            <default>1</default>
+            <Required>N</Required>
+        </startpingers>
+        <startdiscoverers type="IntegerField">
+            <default>1</default>
+            <Required>N</Required>
+        </startdiscoverers>
+        <startvmwarecollectors type="IntegerField">
+            <Required>N</Required>
+        </startvmwarecollectors>
+        <starthttppollers type="IntegerField">
+            <default>1</default>
+            <Required>N</Required>
+        </starthttppollers>
+        <cachesize type="TextField">
+            <default>8M</default>
+            <Required>N</Required>
+        </cachesize>
+        <historycachesize type="TextField">
+            <default>16M</default>
+            <Required>N</Required>
+        </historycachesize>
+        <historyindexcachesize type="TextField">
+            <default>4M</default>
+            <Required>N</Required>
+        </historyindexcachesize>
+        <proxyofflinebuffer type="IntegerField">
+            <Required>N</Required>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>720</MaximumValue>
+            <ValidationMessage>Set a number between 1 and 720.</ValidationMessage>
+        </proxyofflinebuffer>
+        <timeout type="IntegerField">
+            <default>4</default>
+            <Required>N</Required>
+        </timeout>
+        <configfrequency type="IntegerField">
+            <Required>N</Required>
+        </configfrequency>
+        <datasenderfrequency type="IntegerField">
+            <Required>N</Required>
+        </datasenderfrequency>
+        <encryption type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </encryption>
+        <encryptionidentity type="TextField">
+            <default></default>
+            <Required>N</Required>
+            <mask>/^.{1,128}$/</mask>
+            <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
+        </encryptionidentity>
+        <encryptionpsk type="TextField">
+            <default></default>
+            <Required>N</Required>
+            <mask>/^[A-Fa-f0-9]{32,512}$/</mask>
+            <ValidationMessage>Should be a hexadecimal string between 32 and 512 characters.</ValidationMessage>
+        </encryptionpsk>
+    </items>
+</model>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
new file mode 100644
index 0000000000..c4813378c5
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+  <Services>
+    <Zabbixproxy VisibleName="Zabbix Proxy" cssClass="fa fa-eye">
+        <Settings order="10" url="/ui/zabbixproxy/general/index"/>
+        <Log VisibleName="Log File" order="50" url="/ui/diagnostics/log/zabbix/zabbix_proxy"/>
+    </Zabbixproxy>
+  </Services>
+</menu>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
new file mode 100644
index 0000000000..0d5bef3833
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
@@ -0,0 +1,60 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+This file is Copyright © 2019 by Michael Muenz <m.muenz@gmail.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+    <div class="col-md-12">
+        <hr />
+        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
+</div>
+
+<script>
+    $( document ).ready(function() {
+        var data_get_map = {'frm_general_settings':"/api/zabbixproxy/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        updateServiceControlUI('zabbixproxy');
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint(url="/api/zabbixproxy/general/set", formid='frm_general_settings',callback_ok=function(){
+                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+                ajaxCall(url="/api/zabbixproxy/service/reconfigure", sendData={}, callback=function(data,status) {
+                    ajaxCall(url="/api/zabbixproxy/service/status", sendData={}, callback=function(data,status) {
+                        updateServiceControlUI('zabbixproxy');
+                        });
+                        $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+    });
+</script>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh b/net-mgmt/zabbix-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
new file mode 100755
index 0000000000..ba95dc0f4c
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Setup database directory
+mkdir -p /var/db/zabbix
+chown -R zabbix:zabbix /var/db/zabbix
+chmod 755 /var/db/zabbix
+
+# Setup logging
+mkdir /var/log/zabbix
+chown -R zabbix:zabbix /var/log/zabbix
+chmod 770 /var/log/zabbix
+
+# Setup PID directory
+mkdir -p /var/run/zabbix
+chown -R zabbix:zabbix /var/run/zabbix
+chmod 755 /var/run/zabbix
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
new file mode 100755
index 0000000000..c08dbeccb1
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
@@ -0,0 +1,55 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    Copyright (C) 2020 Starkstromkonsument
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import re
+import datetime
+from . import BaseLogFormat
+zabbix_timeformat = r'(\d*):(\d{4}\d{2}\d{2}:\d{2}\d{2}\d{2})\.\d{3}\s(.*)'
+
+
+class ZabbixLogFormat(BaseLogFormat):
+    def __init__(self, filename):
+        super(ZabbixLogFormat, self).__init__(filename)
+        self._priority = 100
+
+    def match(self, line):
+        return self._filename.find('zabbix_proxy') > -1 and re.match(zabbix_timeformat, line) is not  None
+
+    @staticmethod
+    def timestamp(line):
+        tmp = re.match(zabbix_timeformat, line)
+        grp = tmp.group(2)
+        return datetime.datetime.strptime(grp, "%Y%m%d:%H%M%S").isoformat()
+
+    @staticmethod
+    def process_name(line):
+        tmp = re.match(zabbix_timeformat, line)
+        return tmp.group(1)
+
+    @staticmethod
+    def line(line):
+        tmp = re.match(zabbix_timeformat, line)
+        return tmp.group(3)
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf b/net-mgmt/zabbix-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
new file mode 100644
index 0000000000..7904a14457
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
@@ -0,0 +1,23 @@
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy start
+parameters:
+type:script
+message:starting Zabbix Proxy
+
+[stop]
+command:/usr/local/etc/rc.d/zabbix_proxy stop; exit 0
+parameters:
+type:script
+message:stopping Zabbix Proxy
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy restart
+parameters:
+type:script
+message:restarting Zabbix Proxy
+
+[status]
+command:/usr/local/etc/rc.d/zabbix_proxy status;exit 0
+parameters:
+type:script_output
+message:request Zabbix Proxy status
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
new file mode 100644
index 0000000000..b797902b6f
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
@@ -0,0 +1,3 @@
+zabbix_proxy:/etc/rc.conf.d/zabbix_proxy
+zabbix_proxy.conf:/usr/local/etc/zabbix5/zabbix_proxy.conf
+zabbix_proxy.psk:/usr/local/etc/zabbix5/zabbix_proxy.psk
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
new file mode 100644
index 0000000000..f9c1bb348a
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
@@ -0,0 +1,6 @@
+{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
+zabbix_proxy_var_script="/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh"
+zabbix_proxy_enable="YES"
+{% else %}
+zabbix_proxy_enable="NO"
+{% endif %}
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
new file mode 100644
index 0000000000..266dc466c1
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
@@ -0,0 +1,85 @@
+{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
+
+{% if helpers.exists('OPNsense.zabbixproxy.general.proxymode') and OPNsense.zabbixproxy.general.proxymode == '1' %}
+ProxyMode=1
+{% else %}
+ProxyMode=0
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.server') and OPNsense.zabbixproxy.general.server != '' %}
+Server={{ OPNsense.zabbixproxy.general.server }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.serverport') and OPNsense.zabbixproxy.general.serverport != '' %}
+ServerPort={{ OPNsense.zabbixproxy.general.serverport }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.hostname') and OPNsense.zabbixproxy.general.hostname != '' %}
+Hostname={{ OPNsense.zabbixproxy.general.hostname }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.listenport') and OPNsense.zabbixproxy.general.listenport != '' %}
+ListenPort={{ OPNsense.zabbixproxy.general.listenport }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.sourceip') and OPNsense.zabbixproxy.general.sourceip != '' %}
+SourceIP={{ OPNsense.zabbixproxy.general.sourceip }}
+{% endif %}
+LogFile=/var/log/zabbix/zabbix_proxy.log
+PidFile=/var/run/zabbix/zabbix_proxy.pid
+DBName=/var/db/zabbix/zabbix_proxy.db
+{% if helpers.exists('OPNsense.zabbixproxy.general.proxyofflinebuffer') and OPNsense.zabbixproxy.general.proxyofflinebuffer != '' %}
+ProxyOfflineBuffer={{ OPNsense.zabbixproxy.general.proxyofflinebuffer }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.configfrequency') and OPNsense.zabbixproxy.general.configfrequency != '' %}
+ConfigFrequency={{ OPNsense.zabbixproxy.general.configfrequency }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.datasenderfrequency') and OPNsense.zabbixproxy.general.datasenderfrequency != '' %}
+DataSenderFrequency={{ OPNsense.zabbixproxy.general.datasenderfrequency }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startpollers') and OPNsense.zabbixproxy.general.startpollers != '' %}
+StartPollers={{ OPNsense.zabbixproxy.general.startpollers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startipmipollers') and OPNsense.zabbixproxy.general.startipmipollers != '' %}
+StartIPMIPollers={{ OPNsense.zabbixproxy.general.startipmipollers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startpollersunreachable') and OPNsense.zabbixproxy.general.startpollersunreachable != '' %}
+StartPollersUnreachable={{ OPNsense.zabbixproxy.general.startpollersunreachable }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.starttrappers') and OPNsense.zabbixproxy.general.starttrappers != '' %}
+StartTrappers={{ OPNsense.zabbixproxy.general.starttrappers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startpingers') and OPNsense.zabbixproxy.general.startpingers != '' %}
+StartPingers={{ OPNsense.zabbixproxy.general.startpingers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startdiscoverers') and OPNsense.zabbixproxy.general.startdiscoverers != '' %}
+StartDiscoverers={{ OPNsense.zabbixproxy.general.startdiscoverers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startvmwarecollectors') and OPNsense.zabbixproxy.general.startvmwarecollectors != '' %}
+StartVMwareCollectors={{ OPNsense.zabbixproxy.general.startvmwarecollectors }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.starthttppollers') and OPNsense.zabbixproxy.general.starthttppollers != '' %}
+StartHTTPPollers={{ OPNsense.zabbixproxy.general.starthttppollers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.listenip') and OPNsense.zabbixproxy.general.listenip != '' %}
+ListenIP={{ OPNsense.zabbixproxy.general.listenip }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.cachesize') and OPNsense.zabbixproxy.general.cachesize != '' %}
+CacheSize={{ OPNsense.zabbixproxy.general.cachesize }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.historycachesize') and OPNsense.zabbixproxy.general.historycachesize != '' %}
+HistoryCacheSize={{ OPNsense.zabbixproxy.general.historycachesize }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.historyindexcachesize') and OPNsense.zabbixproxy.general.historyindexcachesize != '' %}
+HistoryIndexCacheSize={{ OPNsense.zabbixproxy.general.historyindexcachesize }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.timeout') and OPNsense.zabbixproxy.general.timeout != '' %}
+Timeout={{ OPNsense.zabbixproxy.general.timeout }}
+{% endif %}
+FpingLocation=/usr/local/sbin/fping
+Fping6Location=/usr/local/sbin/fping6
+{% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.proxymode') and OPNsense.zabbixproxy.general.proxymode == '1' %}
+TLSAccept=psk
+{% else %}
+TLSConnect=psk
+{% endif %}
+TLSPSKFile=/usr/local/etc/zabbix5/zabbix_proxy.psk
+TLSPSKIdentity={{ OPNsense.zabbixproxy.general.encryptionidentity }}
+{% endif %}
+{% endif %}
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk
new file mode 100644
index 0000000000..1e53053b50
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}
+{{ OPNsense.zabbixproxy.general.encryptionpsk }}
+{% endif %}
+{% endif %}

From b9e936f46414d056978f15be17905118bdae2fe7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Jun 2021 07:39:38 +0200
Subject: [PATCH 0600/3088] net-mgmt/zabbix-proxy: replace PLUGIN_VARIANT for
 cheap effect

---
 Mk/defaults.mk                                                 | 1 +
 net-mgmt/zabbix-proxy/pkg-descr                                | 2 +-
 .../opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS   | 3 ---
 .../service/templates/OPNsense/Zabbixproxy/+TARGETS.in         | 3 +++
 .../Zabbixproxy/{zabbix_proxy.conf => zabbix_proxy.conf.in}    | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)
 delete mode 100644 net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
 create mode 100644 net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS.in
 rename net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/{zabbix_proxy.conf => zabbix_proxy.conf.in} (98%)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 518004e55c..aa06adb612 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -77,6 +77,7 @@ REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_NAME \
 		PLUGIN_PKGNAME \
 		PLUGIN_PKGVERSION \
+		PLUGIN_VARIANT \
 		PLUGIN_WWW
 
 SED_REPLACE=	# empty
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 158cf60878..fdffbe0b9c 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -24,7 +24,7 @@ Plugin Changelog
 
 1.3
 
-* Switch to zabbix5-proxy
+* Added support for Zabbix 5
 
 1.2
 
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
deleted file mode 100644
index b797902b6f..0000000000
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
+++ /dev/null
@@ -1,3 +0,0 @@
-zabbix_proxy:/etc/rc.conf.d/zabbix_proxy
-zabbix_proxy.conf:/usr/local/etc/zabbix5/zabbix_proxy.conf
-zabbix_proxy.psk:/usr/local/etc/zabbix5/zabbix_proxy.psk
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS.in
new file mode 100644
index 0000000000..2176faf2bd
--- /dev/null
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS.in
@@ -0,0 +1,3 @@
+zabbix_proxy:/etc/rc.conf.d/zabbix_proxy
+zabbix_proxy.conf:/usr/local/etc/%%PLUGIN_VARIANT%%/zabbix_proxy.conf
+zabbix_proxy.psk:/usr/local/etc/%%PLUGIN_VARIANT%%/zabbix_proxy.psk
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
similarity index 98%
rename from net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
rename to net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index 266dc466c1..d3b5ec2580 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -79,7 +79,7 @@ TLSAccept=psk
 {% else %}
 TLSConnect=psk
 {% endif %}
-TLSPSKFile=/usr/local/etc/zabbix5/zabbix_proxy.psk
+TLSPSKFile=/usr/local/etc/%%PLUGIN_VARIANT%%/zabbix_proxy.psk
 TLSPSKIdentity={{ OPNsense.zabbixproxy.general.encryptionidentity }}
 {% endif %}
 {% endif %}

From 12b943c41a911e6d701be43085e3033d19f5952a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Jun 2021 09:52:22 +0200
Subject: [PATCH 0601/3088] net-mgmt/zabbix4-proxy: drop port merged into
 zabbix-proxy

---
 README.md                                     |   2 +-
 net-mgmt/zabbix4-proxy/Makefile               |   8 -
 net-mgmt/zabbix4-proxy/pkg-descr              |  26 ----
 .../src/etc/inc/plugins.inc.d/zabbixproxy.inc |  49 ------
 .../Zabbixproxy/Api/GeneralController.php     |  39 -----
 .../Zabbixproxy/Api/ServiceController.php     |  47 ------
 .../Zabbixproxy/GeneralController.php         |  38 -----
 .../OPNsense/Zabbixproxy/forms/general.xml    | 145 ------------------
 .../models/OPNsense/Zabbixproxy/ACL/ACL.xml   |  11 --
 .../models/OPNsense/Zabbixproxy/General.php   |  35 -----
 .../models/OPNsense/Zabbixproxy/General.xml   | 107 -------------
 .../models/OPNsense/Zabbixproxy/Menu/Menu.xml |   8 -
 .../views/OPNsense/Zabbixproxy/general.volt   |  60 --------
 .../scripts/OPNsense/Zabbixproxy/setup.sh     |  15 --
 .../systemhealth/logformats/zabbix_proxy.py   |  55 -------
 .../conf/actions.d/actions_zabbixproxy.conf   |  23 ---
 .../templates/OPNsense/Zabbixproxy/+TARGETS   |   3 -
 .../OPNsense/Zabbixproxy/zabbix_proxy         |   6 -
 .../OPNsense/Zabbixproxy/zabbix_proxy.conf    |  76 ---------
 .../OPNsense/Zabbixproxy/zabbix_proxy.psk     |   5 -
 20 files changed, 1 insertion(+), 757 deletions(-)
 delete mode 100644 net-mgmt/zabbix4-proxy/Makefile
 delete mode 100644 net-mgmt/zabbix4-proxy/pkg-descr
 delete mode 100644 net-mgmt/zabbix4-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
 delete mode 100755 net-mgmt/zabbix4-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
 delete mode 100755 net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
 delete mode 100644 net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk

diff --git a/README.md b/README.md
index 8817be2f50..d4d0225d10 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ net-mgmt/netdata -- Real-time performance monitoring
 net-mgmt/nrpe -- Execute nagios plugins
 net-mgmt/telegraf -- Agent for collecting metrics and data
 net-mgmt/zabbix-agent -- Zabbix monitoring agent
-net-mgmt/zabbix4-proxy -- Zabbix Proxy enables decentralized monitoring
+net-mgmt/zabbix-proxy -- Zabbix Proxy enables decentralized monitoring
 net-mgmt/zabbix5-proxy -- Zabbix Proxy enables decentralized monitoring
 security/acme-client -- Let's Encrypt client
 security/clamav -- Antivirus engine for detecting malicious threats
diff --git a/net-mgmt/zabbix4-proxy/Makefile b/net-mgmt/zabbix4-proxy/Makefile
deleted file mode 100644
index 1000368f5c..0000000000
--- a/net-mgmt/zabbix4-proxy/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-PLUGIN_NAME=		zabbix4-proxy
-PLUGIN_VERSION=		1.3
-PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
-PLUGIN_DEPENDS=		zabbix4-proxy
-PLUGIN_CONFLICTS=	zabbix5-proxy
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
-
-.include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix4-proxy/pkg-descr b/net-mgmt/zabbix4-proxy/pkg-descr
deleted file mode 100644
index 706669f8a2..0000000000
--- a/net-mgmt/zabbix4-proxy/pkg-descr
+++ /dev/null
@@ -1,26 +0,0 @@
-Zabbix is an enterprise-class open source distributed monitoring solution.
-
-Zabbix is software that monitors numerous parameters of a network and the
-health and integrity of servers. Zabbix uses a flexible notification
-mechanism that allows users to configure e-mail based alerts for virtually
-any event. This allows a fast reaction to server problems. Zabbix offers
-excellent reporting and data visualisation features based on the stored
-data. This makes Zabbix ideal for capacity planning.
-
-WWW: http://www.zabbix.com/
-
-Plugin Changelog
-----------------
-
-1.3
-
-* Add log file to web GUI (contributed by Starkstromkonsument)
-
-1.2
-
-* Allow adding multiple listen addresses
-
-1.1
-
-* Add ProxyOfflineBuffer parameter
-* Switch to new service control UI
diff --git a/net-mgmt/zabbix4-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc b/net-mgmt/zabbix4-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
deleted file mode 100644
index d26017268a..0000000000
--- a/net-mgmt/zabbix4-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
+++ /dev/null
@@ -1,49 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-function zabbixproxy_services()
-{
-    global $config;
-
-    $services = array();
-
-    if (isset($config['OPNsense']['zabbixproxy']['general']['enabled']) && $config['OPNsense']['zabbixproxy']['general']['enabled'] == 1) {
-        $services[] = array(
-            'description' => gettext('Zabbix Proxy'),
-            'configd' => array(
-                'restart' => array('zabbixproxy restart'),
-                'start' => array('zabbixproxy start'),
-                'stop' => array('zabbixproxy stop'),
-            ),
-            'name' => 'zabbixproxy',
-            'pidfile' => '/var/run/zabbix/zabbix_proxy.pid'
-        );
-    }
-
-    return $services;
-}
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
deleted file mode 100644
index 7a930881dc..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Zabbixproxy\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-class GeneralController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelClass = '\OPNsense\Zabbixproxy\General';
-    protected static $internalModelName = 'general';
-}
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
deleted file mode 100644
index d94f2a1ced..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
+++ /dev/null
@@ -1,47 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Zabbixproxy\Api;
-
-use OPNsense\Base\ApiMutableServiceControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Zabbixproxy\General;
-
-/**
- * Class ServiceController
- * @package OPNsense\Zabbixproxy
- */
-class ServiceController extends ApiMutableServiceControllerBase
-{
-    protected static $internalServiceClass = '\OPNsense\Zabbixproxy\General';
-    protected static $internalServiceTemplate = 'OPNsense/Zabbixproxy';
-    protected static $internalServiceEnabled = 'enabled';
-    protected static $internalServiceName = 'zabbixproxy';
-}
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
deleted file mode 100644
index 56e2667c7f..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Zabbixproxy;
-
-class GeneralController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->generalForm = $this->getForm("general");
-        $this->view->pick('OPNsense/Zabbixproxy/general');
-    }
-}
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
deleted file mode 100644
index 11de26c17b..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ /dev/null
@@ -1,145 +0,0 @@
-<form>
-    <field>
-        <id>general.enabled</id>
-        <label>Enable</label>
-        <type>checkbox</type>
-        <help>This will activate the Zabbix Proxy service.</help>
-    </field>
-    <field>
-        <id>general.proxymode</id>
-        <label>Proxy Mode</label>
-        <type>checkbox</type>
-        <help>Active (default) or passive mode, only switch to passive if you know what you are doing.</help>
-    </field>
-    <field>
-        <id>general.server</id>
-        <label>Server</label>
-        <type>text</type>
-        <help>IP address or hostname of Zabbix server.</help>
-    </field>
-    <field>
-        <id>general.serverport</id>
-        <label>Server Port</label>
-        <type>text</type>
-        <help>Port of Zabbix trapper on Zabbix server. Default is fine for most scenarios.</help>
-    </field>
-    <field>
-        <id>general.hostname</id>
-        <label>Hostname</label>
-        <type>text</type>
-        <help>The name of this Zabbix instance. It has to match with the defined name in the central Zabbix server.</help>
-    </field>
-    <field>
-        <id>general.listenip</id>
-        <label>Listen IP</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing.</help>
-    </field>
-    <field>
-        <id>general.listenport</id>
-        <label>Listen Port</label>
-        <type>text</type>
-        <help>Listen port for trapper. Default is just fine.</help>
-    </field>
-    <field>
-        <id>general.sourceip</id>
-        <label>Source IP</label>
-        <type>text</type>
-        <help>Source IP address for outgoing connections.</help>
-    </field>
-    <field>
-        <id>general.startpollers</id>
-        <label>Start Pollers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of pollers.</help>
-    </field>
-    <field>
-        <id>general.startipmipollers</id>
-        <label>Start IPMI Pollers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of IPMI pollers.</help>
-    </field>
-    <field>
-        <id>general.startpollersunreachable</id>
-        <label>Start Pollers Unreachable</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).</help>
-    </field>
-    <field>
-        <id>general.starttrappers</id>
-        <label>Start Trappers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of trappers. Trappers accept incoming connections from Zabbix sender and active agents.</help>
-    </field>
-    <field>
-        <id>general.startpingers</id>
-        <label>Start Pingers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of ICMP pingers.</help>
-    </field>
-    <field>
-        <id>general.startdiscoverers</id>
-        <label>Start Discoverers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of discoverers.</help>
-    </field>
-    <field>
-        <id>general.starthttppollers</id>
-        <label>Start HTTP Pollers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of HTTP pollers.</help>
-    </field>
-    <field>
-        <id>general.cachesize</id>
-        <label>Cache Size</label>
-        <type>text</type>
-        <help>Size of configuration cache, in bytes. Shared memory size, for storing hosts and items data. Range: 128K-8G</help>
-    </field>
-    <field>
-        <id>general.historycachesize</id>
-        <label>History Cache Size</label>
-        <type>text</type>
-        <help>Size of history cache in bytes. Shared memory size for storing history data. Range: 128K-2G</help>
-    </field>
-    <field>
-        <id>general.historyindexcachesize</id>
-        <label>History Index Cache Size</label>
-        <type>text</type>
-        <help>Size of history index cache in bytes. Shared memory size for indexing history cache. Range: 128K-2G</help>
-    </field>
-    <field>
-        <id>general.proxyofflinebuffer</id>
-        <label>Proxy Offline Buffer</label>
-        <type>text</type>
-        <help>Set the time in hours how long the values will be buffered when the server is unreachable.</help>
-    </field>
-    <field>
-        <id>general.timeout</id>
-        <label>Timeout</label>
-        <type>text</type>
-        <help>Specifies how long we wait for agent, SNMP device or external check (in seconds).</help>
-    </field>
-    <field>
-        <id>general.encryption</id>
-        <label>PSK based encryption</label>
-        <type>checkbox</type>
-        <help>Enable PSK based encryption for communicating with the Zabbix server</help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>general.encryptionidentity</id>
-        <label>PSK Identity</label>
-        <type>text</type>
-        <help>The PSK identity configured on the Zabbix server</help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>general.encryptionpsk</id>
-        <label>PSK</label>
-        <type>text</type>
-        <help>The PSK configured on the Zabbix server</help>
-        <advanced>true</advanced>
-    </field>
-</form>
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
deleted file mode 100644
index 77a65e8798..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<acl>
-   <page-services-zabbixproxy>
-      <name>Services: Zabbix Proxy</name>
-      <patterns>
-         <pattern>ui/zabbixproxy/*</pattern>
-         <pattern>api/zabbixproxy/*</pattern>
-         <pattern>ui/diagnostics/log/core/zabbix_proxy/*</pattern>
-         <pattern>api/diagnostics/log/core/zabbix_proxy/*</pattern>
-      </patterns>
-   </page-services-zabbixproxy>
-</acl>
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
deleted file mode 100644
index 351dbd9db5..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Zabbixproxy;
-
-use OPNsense\Base\BaseModel;
-
-class General extends BaseModel
-{
-}
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
deleted file mode 100644
index b4955e3c85..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ /dev/null
@@ -1,107 +0,0 @@
-<model>
-    <mount>//OPNsense/zabbixproxy/general</mount>
-    <description>Zabbix Proxy configuration</description>
-    <version>2.0.2</version>
-    <items>
-        <enabled type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </enabled>
-        <proxymode type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </proxymode>
-        <server type="TextField">
-            <default></default>
-            <Required>N</Required>
-        </server>
-        <serverport type="TextField">
-            <default>10051</default>
-            <Required>N</Required>
-        </serverport>
-        <hostname type="TextField">
-            <default>Zabbix proxy</default>
-            <Required>Y</Required>
-        </hostname>
-        <listenport type="TextField">
-            <default>10051</default>
-            <Required>N</Required>
-        </listenport>
-        <listenip type="NetworkField">
-            <default></default>
-            <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
-            <Required>N</Required>
-        </listenip>
-        <sourceip type="NetworkField">
-            <default></default>
-            <Required>N</Required>
-        </sourceip>
-        <startpollers type="TextField">
-            <default>5</default>
-            <Required>N</Required>
-        </startpollers>
-        <startipmipollers type="IntegerField">
-            <default>0</default>
-            <Required>N</Required>
-        </startipmipollers>
-        <startpollersunreachable type="IntegerField">
-            <default>1</default>
-            <Required>N</Required>
-        </startpollersunreachable>
-        <starttrappers type="IntegerField">
-            <default>5</default>
-            <Required>N</Required>
-        </starttrappers>
-        <startpingers type="IntegerField">
-            <default>1</default>
-            <Required>N</Required>
-        </startpingers>
-        <startdiscoverers type="IntegerField">
-            <default>1</default>
-            <Required>N</Required>
-        </startdiscoverers>
-        <starthttppollers type="IntegerField">
-            <default>1</default>
-            <Required>N</Required>
-        </starthttppollers>
-        <cachesize type="TextField">
-            <default>8M</default>
-            <Required>N</Required>
-        </cachesize>
-        <historycachesize type="TextField">
-            <default>16M</default>
-            <Required>N</Required>
-        </historycachesize>
-        <historyindexcachesize type="TextField">
-            <default>4M</default>
-            <Required>N</Required>
-        </historyindexcachesize>
-        <proxyofflinebuffer type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>720</MaximumValue>
-            <ValidationMessage>Set a number between 1 and 720.</ValidationMessage>
-        </proxyofflinebuffer>
-        <timeout type="IntegerField">
-            <default>4</default>
-            <Required>N</Required>
-        </timeout>
-        <encryption type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </encryption>
-        <encryptionidentity type="TextField">
-            <default></default>
-            <Required>N</Required>
-            <mask>/^.{1,128}$/</mask>
-            <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
-        </encryptionidentity>
-        <encryptionpsk type="TextField">
-            <default></default>
-            <Required>N</Required>
-            <mask>/^[A-Fa-f0-9]{32,512}$/</mask>
-            <ValidationMessage>Should be a hexadecimal string between 32 and 512 characters.</ValidationMessage>
-        </encryptionpsk>
-    </items>
-</model>
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
deleted file mode 100644
index 1b0ed8a101..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<menu>
-  <Services>
-    <Zabbixproxy VisibleName="Zabbix Proxy" cssClass="fa fa-eye">
-        <Settings order="10" url="/ui/zabbixproxy/general/index"/>
-        <Log VisibleName="Log File" order="50" url="/ui/diagnostics/log/core/zabbix_proxy"/>
-    </Zabbixproxy>
-  </Services>
-</menu>
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt b/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
deleted file mode 100644
index 0d5bef3833..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
+++ /dev/null
@@ -1,60 +0,0 @@
-{#
-
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
-This file is Copyright © 2019 by Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
-</div>
-
-<script>
-    $( document ).ready(function() {
-        var data_get_map = {'frm_general_settings':"/api/zabbixproxy/general/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
-            formatTokenizersUI();
-            $('.selectpicker').selectpicker('refresh');
-        });
-
-        updateServiceControlUI('zabbixproxy');
-
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/zabbixproxy/general/set", formid='frm_general_settings',callback_ok=function(){
-                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-                ajaxCall(url="/api/zabbixproxy/service/reconfigure", sendData={}, callback=function(data,status) {
-                    ajaxCall(url="/api/zabbixproxy/service/status", sendData={}, callback=function(data,status) {
-                        updateServiceControlUI('zabbixproxy');
-                        });
-                        $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                });
-            });
-        });
-    });
-</script>
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
deleted file mode 100755
index 4ce930e20e..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-# Setup database directory
-mkdir -p /var/db/zabbix
-chown -R zabbix:zabbix /var/db/zabbix
-chmod 755 /var/db/zabbix
-
-# Setup logging
-touch /var/log/zabbix_proxy.log
-chown -R zabbix:zabbix /var/log/zabbix_proxy.log
-
-# Setup PID directory
-mkdir -p /var/run/zabbix
-chown -R zabbix:zabbix /var/run/zabbix
-chmod 755 /var/run/zabbix
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
deleted file mode 100755
index c08dbeccb1..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
+++ /dev/null
@@ -1,55 +0,0 @@
-"""
-    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
-    Copyright (C) 2020 Starkstromkonsument
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-     this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-     notice, this list of conditions and the following disclaimer in the
-     documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-"""
-import re
-import datetime
-from . import BaseLogFormat
-zabbix_timeformat = r'(\d*):(\d{4}\d{2}\d{2}:\d{2}\d{2}\d{2})\.\d{3}\s(.*)'
-
-
-class ZabbixLogFormat(BaseLogFormat):
-    def __init__(self, filename):
-        super(ZabbixLogFormat, self).__init__(filename)
-        self._priority = 100
-
-    def match(self, line):
-        return self._filename.find('zabbix_proxy') > -1 and re.match(zabbix_timeformat, line) is not  None
-
-    @staticmethod
-    def timestamp(line):
-        tmp = re.match(zabbix_timeformat, line)
-        grp = tmp.group(2)
-        return datetime.datetime.strptime(grp, "%Y%m%d:%H%M%S").isoformat()
-
-    @staticmethod
-    def process_name(line):
-        tmp = re.match(zabbix_timeformat, line)
-        return tmp.group(1)
-
-    @staticmethod
-    def line(line):
-        tmp = re.match(zabbix_timeformat, line)
-        return tmp.group(3)
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf b/net-mgmt/zabbix4-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
deleted file mode 100644
index 7904a14457..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-[start]
-command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy start
-parameters:
-type:script
-message:starting Zabbix Proxy
-
-[stop]
-command:/usr/local/etc/rc.d/zabbix_proxy stop; exit 0
-parameters:
-type:script
-message:stopping Zabbix Proxy
-
-[restart]
-command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy restart
-parameters:
-type:script
-message:restarting Zabbix Proxy
-
-[status]
-command:/usr/local/etc/rc.d/zabbix_proxy status;exit 0
-parameters:
-type:script_output
-message:request Zabbix Proxy status
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS b/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
deleted file mode 100644
index d04227a916..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
+++ /dev/null
@@ -1,3 +0,0 @@
-zabbix_proxy:/etc/rc.conf.d/zabbix_proxy
-zabbix_proxy.conf:/usr/local/etc/zabbix4/zabbix_proxy.conf
-zabbix_proxy.psk:/usr/local/etc/zabbix4/zabbix_proxy.psk
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy b/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
deleted file mode 100644
index f9c1bb348a..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
+++ /dev/null
@@ -1,6 +0,0 @@
-{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
-zabbix_proxy_var_script="/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh"
-zabbix_proxy_enable="YES"
-{% else %}
-zabbix_proxy_enable="NO"
-{% endif %}
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf b/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
deleted file mode 100644
index 78371ec2af..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
+++ /dev/null
@@ -1,76 +0,0 @@
-{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
-
-{% if helpers.exists('OPNsense.zabbixproxy.general.proxymode') and OPNsense.zabbixproxy.general.proxymode == '1' %}
-ProxyMode=1
-{% else %}
-ProxyMode=0
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.server') and OPNsense.zabbixproxy.general.server != '' %}
-Server={{ OPNsense.zabbixproxy.general.server }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.serverport') and OPNsense.zabbixproxy.general.serverport != '' %}
-ServerPort={{ OPNsense.zabbixproxy.general.serverport }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.hostname') and OPNsense.zabbixproxy.general.hostname != '' %}
-Hostname={{ OPNsense.zabbixproxy.general.hostname }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.listenport') and OPNsense.zabbixproxy.general.listenport != '' %}
-ListenPort={{ OPNsense.zabbixproxy.general.listenport }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.sourceip') and OPNsense.zabbixproxy.general.sourceip != '' %}
-SourceIP={{ OPNsense.zabbixproxy.general.sourceip }}
-{% endif %}
-LogFile=/var/log/zabbix_proxy.log
-PidFile=/var/run/zabbix/zabbix_proxy.pid
-DBName=/var/db/zabbix/zabbix_proxy.db
-{% if helpers.exists('OPNsense.zabbixproxy.general.proxyofflinebuffer') and OPNsense.zabbixproxy.general.proxyofflinebuffer != '' %}
-ProxyOfflineBuffer={{ OPNsense.zabbixproxy.general.proxyofflinebuffer }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startpollers') and OPNsense.zabbixproxy.general.startpollers != '' %}
-StartPollers={{ OPNsense.zabbixproxy.general.startpollers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startipmipollers') and OPNsense.zabbixproxy.general.startipmipollers != '' %}
-StartIPMIPollers={{ OPNsense.zabbixproxy.general.startipmipollers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startpollersunreachable') and OPNsense.zabbixproxy.general.startpollersunreachable != '' %}
-StartPollersUnreachable={{ OPNsense.zabbixproxy.general.startpollersunreachable }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.starttrappers') and OPNsense.zabbixproxy.general.starttrappers != '' %}
-StartTrappers={{ OPNsense.zabbixproxy.general.starttrappers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startpingers') and OPNsense.zabbixproxy.general.startpingers != '' %}
-StartPingers={{ OPNsense.zabbixproxy.general.startpingers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startdiscoverers') and OPNsense.zabbixproxy.general.startdiscoverers != '' %}
-StartDiscoverers={{ OPNsense.zabbixproxy.general.startdiscoverers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.starthttppollers') and OPNsense.zabbixproxy.general.starthttppollers != '' %}
-StartHTTPPollers={{ OPNsense.zabbixproxy.general.starthttppollers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.listenip') and OPNsense.zabbixproxy.general.listenip != '' %}
-ListenIP={{ OPNsense.zabbixproxy.general.listenip }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.cachesize') and OPNsense.zabbixproxy.general.cachesize != '' %}
-CacheSize={{ OPNsense.zabbixproxy.general.cachesize }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.historycachesize') and OPNsense.zabbixproxy.general.historycachesize != '' %}
-HistoryCacheSize={{ OPNsense.zabbixproxy.general.historycachesize }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.historyindexcachesize') and OPNsense.zabbixproxy.general.historyindexcachesize != '' %}
-HistoryIndexCacheSize={{ OPNsense.zabbixproxy.general.historyindexcachesize }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.timeout') and OPNsense.zabbixproxy.general.timeout != '' %}
-Timeout={{ OPNsense.zabbixproxy.general.timeout }}
-{% endif %}
-FpingLocation=/usr/local/sbin/fping
-Fping6Location=/usr/local/sbin/fping6
-{% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.proxymode') and OPNsense.zabbixproxy.general.proxymode == '1' %}
-TLSAccept=psk
-{% else %}
-TLSConnect=psk
-{% endif %}
-TLSPSKFile=/usr/local/etc/zabbix4/zabbix_proxy.psk
-TLSPSKIdentity={{ OPNsense.zabbixproxy.general.encryptionidentity }}
-{% endif %}
-{% endif %}
diff --git a/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk b/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk
deleted file mode 100644
index 1e53053b50..0000000000
--- a/net-mgmt/zabbix4-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk
+++ /dev/null
@@ -1,5 +0,0 @@
-{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}
-{{ OPNsense.zabbixproxy.general.encryptionpsk }}
-{% endif %}
-{% endif %}

From 2cb55cb5b27c6fb6bff21eede79cd615c79dff18 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 3 Jun 2021 13:16:21 +0200
Subject: [PATCH 0602/3088] net-mgmt/telegraf: add telegraf.d as config include
 (#2413)

---
 net-mgmt/telegraf/Makefile                                  | 2 +-
 net-mgmt/telegraf/pkg-descr                                 | 4 ++++
 .../src/opnsense/scripts/OPNsense/Telegraf/setup.sh         | 6 +++---
 .../opnsense/service/templates/OPNsense/Telegraf/telegraf   | 1 +
 4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 9aa85c02c4..c8732d79c5 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.10.1
+PLUGIN_VERSION=		1.11.0
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 9cacb5cf5f..b36867f331 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.11.0
+
+* Set telegraf.d as additional config include
+
 1.10.1
 
 * Fix Suricata input controller being the output section and incorrect statement
diff --git a/net-mgmt/telegraf/src/opnsense/scripts/OPNsense/Telegraf/setup.sh b/net-mgmt/telegraf/src/opnsense/scripts/OPNsense/Telegraf/setup.sh
index 3a59faffa3..c18039d0b6 100755
--- a/net-mgmt/telegraf/src/opnsense/scripts/OPNsense/Telegraf/setup.sh
+++ b/net-mgmt/telegraf/src/opnsense/scripts/OPNsense/Telegraf/setup.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
-mkdir -p /var/log/telegraf
-chown -R telegraf:telegraf /var/log/telegraf
-chmod 750 /var/log/telegraf
+mkdir -p /usr/local/etc/telegraf.d /var/log/telegraf
+chown -R telegraf:telegraf /usr/local/etc/telegraf.d /var/log/telegraf
+chmod 750 /usr/local/etc/telegraf.d /var/log/telegraf
 
 /usr/sbin/pw groupmod proxy -m telegraf
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
index 57f13d58e8..193a97c65b 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
@@ -1,6 +1,7 @@
 {% if helpers.exists('OPNsense.telegraf.general.enabled') and OPNsense.telegraf.general.enabled == '1' %}
 telegraf_var_script="/usr/local/opnsense/scripts/OPNsense/Telegraf/setup.sh"
 telegraf_enable="YES"
+telegraf_confdir="/usr/local/etc/telegraf.d"
 {% else %}
 telegraf_enable="NO"
 {% endif %}

From 5c6409be801ad85027d5e4f1cd549fdbddb97d25 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 7 Jun 2021 10:37:07 +0200
Subject: [PATCH 0603/3088] dns/rfc2136: scrub unused formfld

---
 dns/rfc2136/src/www/services_rfc2136_edit.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/rfc2136/src/www/services_rfc2136_edit.php b/dns/rfc2136/src/www/services_rfc2136_edit.php
index d0b6365231..d17c64c571 100644
--- a/dns/rfc2136/src/www/services_rfc2136_edit.php
+++ b/dns/rfc2136/src/www/services_rfc2136_edit.php
@@ -217,7 +217,7 @@
                   <tr>
                     <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Server");?></td>
                     <td>
-                      <input name="server" type="text" class="formfld" id="server" size="30" value="<?=$pconfig['server'];?>" />
+                      <input name="server" type="text" id="server" size="30" value="<?=$pconfig['server'];?>" />
                     </td>
                   </tr>
                   <tr>

From 8e19b0161871ccb31a68a409f1c2457f9aee4bbb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 7 Jun 2021 10:37:28 +0200
Subject: [PATCH 0604/3088] net/igmp-proxy: scrub unused formfld

---
 net/igmp-proxy/src/www/services_igmpproxy_edit.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/igmp-proxy/src/www/services_igmpproxy_edit.php b/net/igmp-proxy/src/www/services_igmpproxy_edit.php
index b3e6f6fc8a..ecc60177b8 100644
--- a/net/igmp-proxy/src/www/services_igmpproxy_edit.php
+++ b/net/igmp-proxy/src/www/services_igmpproxy_edit.php
@@ -172,7 +172,7 @@ function removeRow() {
                     <tr>
                       <td><a id="help_for_descr" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Description");?></td>
                       <td>
-                        <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" />
+                        <input name="descr" type="text" id="descr" size="40" value="<?=$pconfig['descr'];?>" />
                         <div class="hidden" data-for="help_for_descr">
                           <?=gettext("You may enter a description here for your reference (not parsed).");?>
                         </div>
@@ -199,7 +199,7 @@ function removeRow() {
                     <tr>
                       <td><a id="help_for_threshold" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Threshold");?></td>
                       <td>
-                        <input name="threshold" type="text" class="formfld unknown" id="threshold" value="<?=$pconfig['threshold'];?>" />
+                        <input name="threshold" type="text" id="threshold" value="<?=$pconfig['threshold'];?>" />
                         <div class="hidden" data-for="help_for_threshold">
                           <?=gettext("Defines the TTL threshold for the network interface. ".
                                "Packets with a lower TTL than the threshold value will be ignored. ".

From 21f078cd46b51f406ff8882bca6934e5e3e93f8d Mon Sep 17 00:00:00 2001
From: polkhigh33 <61509972+polkhigh33@users.noreply.github.com>
Date: Mon, 7 Jun 2021 10:51:19 +0200
Subject: [PATCH 0605/3088] Added missing break; (#2420)

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 47b4684b0c..6eb12fe704 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1209,6 +1209,7 @@ class updatedns
                 }
                 curl_setopt($ch, CURLOPT_INTERFACE, $ipv4);
                 // fix end
+                break;
             case 'godaddy':
             case 'godaddy-v6':
                 /* Read https://developer.godaddy.com/ for API documentation */

From 8745e3ad3a92c5031a75418870e9b9295035812f Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 8 Jun 2021 13:40:08 +0200
Subject: [PATCH 0606/3088] Puppet Agent plugin version 0.2

---
 sysutils/puppet-agent/Makefile                |  4 +-
 .../src/etc/inc/plugins.inc.d/puppetagent.inc |  3 +-
 .../PuppetAgent/Api/ServiceController.php     | 26 ---------
 .../PuppetAgent/Api/SettingsController.php    | 55 ++-----------------
 .../app/views/OPNsense/PuppetAgent/index.volt | 26 +++++----
 .../conf/actions.d/actions_puppetagent.conf   |  2 +-
 6 files changed, 23 insertions(+), 93 deletions(-)

diff --git a/sysutils/puppet-agent/Makefile b/sysutils/puppet-agent/Makefile
index af7209fe70..60340eb676 100644
--- a/sysutils/puppet-agent/Makefile
+++ b/sysutils/puppet-agent/Makefile
@@ -1,8 +1,8 @@
 PLUGIN_NAME=		puppet-agent
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		0.2
 PLUGIN_DEVEL=		yes
 PLUGIN_COMMENT=		Manage Puppet Agent
-PLUGIN_DEPENDS=		puppet7
+PLUGIN_DEPENDS=		puppet7 py-opn-cli
 PLUGIN_MAINTAINER=	jan.wink93@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc b/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
index c5dd7cc636..60274cabc3 100644
--- a/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
+++ b/sysutils/puppet-agent/src/etc/inc/plugins.inc.d/puppetagent.inc
@@ -30,8 +30,7 @@ function puppetagent_enabled()
 {
     global $config;
 
-    return isset($config['OPNsense']['puppetagent']['general']['Enabled']) &&
-    $config['OPNsense']['puppetagent']['general']['Enabled'] == 1;
+    return !empty($config['OPNsense']['puppetagent']['general']['Enabled']);
 }
 
 /**
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
index 14af09d7ee..a2bdd04524 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/ServiceController.php
@@ -45,30 +45,4 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/PuppetAgent';
     protected static $internalServiceEnabled = 'general.Enabled';
     protected static $internalServiceName = 'puppetagent';
-
-    public function reconfigureAction()
-    {
-        if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
-            $backend = new Backend();
-            // generate template
-            $backend->configdRun('template reload OPNsense/PuppetAgent');
-
-            $mdlPuppetAgent = new PuppetAgent();
-
-            // (res)start daemon
-            if ($mdlPuppetAgent->general->Enabled->__toString() == 1) {
-                $this->startAction();
-            }
-            // stop Puppet Agent when disabled
-            else {
-                $this->stopAction();
-            }
-            return array("status" => "ok");
-        } else {
-            return array("status" => "failed");
-        }
-    }
 }
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/SettingsController.php b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/SettingsController.php
index fcd5e88615..025525aaae 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/SettingsController.php
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/Api/SettingsController.php
@@ -31,7 +31,7 @@
 
 namespace OPNsense\PuppetAgent\Api;
 
-use OPNsense\Base\ApiControllerBase;
+use OPNsense\Base\ApiMutableModelControllerBase;
 use OPNsense\PuppetAgent\PuppetAgent;
 use OPNsense\Core\Config;
 
@@ -39,55 +39,8 @@
  * Class SettingsController Handles settings related API actions for the PuppetAgent module
  * @package OPNsense\PuppetAgent
  */
-class SettingsController extends ApiControllerBase
+class SettingsController extends ApiMutableModelControllerBase
 {
-    /**
-     * retrieve PuppetAgent general settings
-     * @return array general settings
-     * @throws \OPNsense\Base\ModelException
-     * @throws \ReflectionException
-     */
-    public function getAction()
-    {
-        // define list of configurable settings
-        $result = array();
-        if ($this->request->isGet()) {
-            $mdlPuppetAgent = new PuppetAgent();
-            $result['puppetagent'] = $mdlPuppetAgent->getNodes();
-        }
-        return $result;
-    }
-
-    /**
-     * update PupppetAgent settings
-     * @return array status
-     * @throws \OPNsense\Base\ModelException
-     * @throws \ReflectionException
-     */
-    public function setAction()
-    {
-        $result = array("result" => "failed");
-        if ($this->request->isPost()) {
-            // load model and update with provided data
-            $mdlPuppetAgent = new PuppetAgent();
-            $mdlPuppetAgent->setNodes($this->request->getPost("puppetagent"));
-
-            // perform validation
-            $valMsgs = $mdlPuppetAgent->performValidation();
-            foreach ($valMsgs as $field => $msg) {
-                if (!array_key_exists("validations", $result)) {
-                    $result["validations"] = array();
-                }
-                $result["validations"]["puppetagent." . $msg->getField()] = $msg->getMessage();
-            }
-
-            // serialize model to config and save
-            if ($valMsgs->count() == 0) {
-                $mdlPuppetAgent->serializeToConfig();
-                Config::getInstance()->save();
-                $result["result"] = "saved";
-            }
-        }
-        return $result;
-    }
+    protected static $internalModelName = 'puppetagent';
+    protected static $internalModelClass = 'OPNsense\PuppetAgent\PuppetAgent';
 }
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt b/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
index 289cf4e88b..10b93ddf76 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
@@ -33,19 +33,17 @@ POSSIBILITY OF SUCH DAMAGE.
         mapDataToFormUI(data_get_map).done(function(data){
             // place actions to run after load, for example update form styles.
         });
-
-        updateServiceControlUI('puppetagent');
-
         // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/puppetagent/settings/set",formid='frm_GeneralSettings',callback_ok=function(){
-                // action to run after successful save, for example reconfigure service.
-                ajaxCall(url="/api/puppetagent/service/reconfigure", sendData={},callback=function(data,status) {
-                    // action to run after reload
-                    updateServiceControlUI('puppetagent');
+        $("#saveAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint(url="/api/puppetagent/settings/set",formid='frm_GeneralSettings', function() {
+                    dfObj.resolve();
                 });
-            });
+                return dfObj;
+            }
         });
+        updateServiceControlUI('puppetagent');
     });
 </script>
 
@@ -58,5 +56,11 @@ POSSIBILITY OF SUCH DAMAGE.
 </div>
 
 <div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Save') }}</b></button>
+    <button class="btn btn-primary"  id="saveAct"
+        data-endpoint='/api/puppetagent/service/reconfigure'
+        data-label="{{ lang._('Save') }}"
+        data-service-widget="puppetagent"
+        data-error-title="{{ lang._('Error reconfiguring puppetagent') }}"
+        type="button"
+    ></button>
 </div>
diff --git a/sysutils/puppet-agent/src/opnsense/service/conf/actions.d/actions_puppetagent.conf b/sysutils/puppet-agent/src/opnsense/service/conf/actions.d/actions_puppetagent.conf
index 8081449535..f31c2bbdad 100644
--- a/sysutils/puppet-agent/src/opnsense/service/conf/actions.d/actions_puppetagent.conf
+++ b/sysutils/puppet-agent/src/opnsense/service/conf/actions.d/actions_puppetagent.conf
@@ -5,7 +5,7 @@ type:script
 message:starting puppet agent
 
 [stop]
-command:/usr/local/etc/rc.d/puppet onestop
+command:/usr/local/etc/rc.d/puppet stop
 parameters:
 type:script
 message:stop puppet agent

From 98c6d4b6368c291a3ba605edf888a237bec5801a Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 8 Jun 2021 19:34:55 +0200
Subject: [PATCH 0607/3088] ftp/tftp: New plugin (#2389)

---
 ftp/tftp/Makefile                             |  8 +++
 ftp/tftp/pkg-descr                            |  4 ++
 ftp/tftp/src/etc/inc/plugins.inc.d/tftp.inc   | 49 ++++++++++++++
 .../OPNsense/Tftp/Api/GeneralController.php   | 37 +++++++++++
 .../OPNsense/Tftp/Api/ServiceController.php   | 39 +++++++++++
 .../OPNsense/Tftp/GeneralController.php       | 38 +++++++++++
 .../OPNsense/Tftp/forms/general.xml           | 14 ++++
 .../mvc/app/models/OPNsense/Tftp/ACL/ACL.xml  |  9 +++
 .../mvc/app/models/OPNsense/Tftp/General.php  | 35 ++++++++++
 .../mvc/app/models/OPNsense/Tftp/General.xml  | 15 +++++
 .../app/models/OPNsense/Tftp/Menu/Menu.xml    |  7 ++
 .../mvc/app/views/OPNsense/Tftp/general.volt  | 66 +++++++++++++++++++
 .../service/conf/actions.d/actions_tftp.conf  | 23 +++++++
 .../service/templates/OPNsense/Tftp/+TARGETS  |  1 +
 .../service/templates/OPNsense/Tftp/tftpd     |  6 ++
 15 files changed, 351 insertions(+)
 create mode 100644 ftp/tftp/Makefile
 create mode 100644 ftp/tftp/pkg-descr
 create mode 100644 ftp/tftp/src/etc/inc/plugins.inc.d/tftp.inc
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/Api/GeneralController.php
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/Api/ServiceController.php
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/GeneralController.php
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/forms/general.xml
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/ACL/ACL.xml
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.php
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.xml
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/Menu/Menu.xml
 create mode 100644 ftp/tftp/src/opnsense/mvc/app/views/OPNsense/Tftp/general.volt
 create mode 100644 ftp/tftp/src/opnsense/service/conf/actions.d/actions_tftp.conf
 create mode 100644 ftp/tftp/src/opnsense/service/templates/OPNsense/Tftp/+TARGETS
 create mode 100644 ftp/tftp/src/opnsense/service/templates/OPNsense/Tftp/tftpd

diff --git a/ftp/tftp/Makefile b/ftp/tftp/Makefile
new file mode 100644
index 0000000000..6ae8189031
--- /dev/null
+++ b/ftp/tftp/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		tftp
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		TFTP server
+PLUGIN_DEPENDS=		tftp-hpa
+PLUGIN_DEVEL=       yes
+PLUGIN_MAINTAINER=	m.muenz@gmail.com
+
+.include "../../Mk/plugins.mk"
diff --git a/ftp/tftp/pkg-descr b/ftp/tftp/pkg-descr
new file mode 100644
index 0000000000..0fca4a3102
--- /dev/null
+++ b/ftp/tftp/pkg-descr
@@ -0,0 +1,4 @@
+tftp-hpa is portable, BSD derived tftp server.  It supports advanced
+options such as blksize, blksize2, tsize, timeout, and utimeout.
+It also supported rulebased security options.
+
diff --git a/ftp/tftp/src/etc/inc/plugins.inc.d/tftp.inc b/ftp/tftp/src/etc/inc/plugins.inc.d/tftp.inc
new file mode 100644
index 0000000000..71a0d9a39c
--- /dev/null
+++ b/ftp/tftp/src/etc/inc/plugins.inc.d/tftp.inc
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function tftp_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (isset($config['OPNsense']['tftp']['general']['enabled']) && $config['OPNsense']['tftp']['general']['enabled'] == 1) {
+        $services[] = array(
+            'description' => gettext('tftp daemon'),
+            'configd' => array(
+                'restart' => array('tftp restart'),
+                'start' => array('tftp start'),
+                'stop' => array('tftp stop'),
+            ),
+            'name' => 'in.tftpd',
+            'pidfile' => '/var/run/tftpd.pid'
+        );
+    }
+
+    return $services;
+}
diff --git a/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/Api/GeneralController.php b/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/Api/GeneralController.php
new file mode 100644
index 0000000000..8e99066c98
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/Api/GeneralController.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tftp\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Tftp\General';
+    protected static $internalModelName = 'general';
+}
diff --git a/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/Api/ServiceController.php b/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/Api/ServiceController.php
new file mode 100644
index 0000000000..28efc5ea71
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/Api/ServiceController.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tftp\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Tftp\General';
+    protected static $internalServiceTemplate = 'OPNsense/Tftp';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'tftp';
+}
diff --git a/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/GeneralController.php b/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/GeneralController.php
new file mode 100644
index 0000000000..baf4c7d0bf
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/GeneralController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tftp;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm('general');
+        $this->view->pick('OPNsense/Tftp/general');
+    }
+}
diff --git a/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/forms/general.xml b/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/forms/general.xml
new file mode 100644
index 0000000000..85a19059bc
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/controllers/OPNsense/Tftp/forms/general.xml
@@ -0,0 +1,14 @@
+<form>
+    <field>
+        <id>general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable TFTP daemon.</help>
+    </field>
+    <field>
+        <id>general.listen</id>
+        <label>Listen Address</label>
+        <type>text</type>
+        <help>Set the IP addresses to listen to.</help>
+    </field>
+</form>
diff --git a/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/ACL/ACL.xml b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/ACL/ACL.xml
new file mode 100644
index 0000000000..19a816d40f
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+   <page-services-tftp>
+      <name>Services: TFTP</name>
+      <patterns>
+         <pattern>ui/tftp/*</pattern>
+         <pattern>api/tftp/*</pattern>
+      </patterns>
+   </page-services-tftp>
+</acl>
diff --git a/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.php b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.php
new file mode 100644
index 0000000000..a1c0a0d3fb
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tftp;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.xml b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.xml
new file mode 100644
index 0000000000..42284290b8
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.xml
@@ -0,0 +1,15 @@
+<model>
+    <mount>//OPNsense/tftp/general</mount>
+    <description>TFTP configuration</description>
+    <version>0.0.1</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <listen type="HostnameField">
+            <default>127.0.0.1</default>
+            <Required>Y</Required>
+        </listen>
+    </items>
+</model>
diff --git a/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/Menu/Menu.xml b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/Menu/Menu.xml
new file mode 100644
index 0000000000..2c810ee3db
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/Menu/Menu.xml
@@ -0,0 +1,7 @@
+<menu>
+  <Services>
+    <TFTP cssClass="fa fa-rocket">
+      <General url="/ui/tftp/general/index"/>
+    </TFTP>
+  </Services>
+</menu>
diff --git a/ftp/tftp/src/opnsense/mvc/app/views/OPNsense/Tftp/general.volt b/ftp/tftp/src/opnsense/mvc/app/views/OPNsense/Tftp/general.volt
new file mode 100644
index 0000000000..23bbd73721
--- /dev/null
+++ b/ftp/tftp/src/opnsense/mvc/app/views/OPNsense/Tftp/general.volt
@@ -0,0 +1,66 @@
+{#
+ # Copyright (c) 2019 Deciso B.V.
+ # Copyright (c) 2021 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<div class="content-box" style="padding-bottom: 1.5em;">
+    <div id="about">
+        <table class="table-responsive table table-striped">
+            <tr>
+                <td>
+                {{ lang._('The root folder for transfering files is /usr/local/tftp.') }}
+                </td>
+            </tr>
+        </table>
+    </div>
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+    <div class="col-md-12">
+        <hr />
+        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
+</div>
+
+<script>
+    $(function() {
+        var data_get_map = {'frm_general_settings':"/api/tftp/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+     updateServiceControlUI('tftp');
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint(url="/api/tftp/general/set", formid='frm_general_settings',callback_ok=function(){
+                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+                ajaxCall(url="/api/tftp/service/reconfigure", sendData={}, callback=function(data,status) {
+                    updateServiceControlUI('tftp');
+                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+    });
+</script>
diff --git a/ftp/tftp/src/opnsense/service/conf/actions.d/actions_tftp.conf b/ftp/tftp/src/opnsense/service/conf/actions.d/actions_tftp.conf
new file mode 100644
index 0000000000..5e05be709a
--- /dev/null
+++ b/ftp/tftp/src/opnsense/service/conf/actions.d/actions_tftp.conf
@@ -0,0 +1,23 @@
+[start]
+command:/usr/local/etc/rc.d/tftpd start
+parameters:
+type:script
+message:starting tftp
+
+[stop]
+command:/usr/local/etc/rc.d/tftpd stop
+parameters:
+type:script
+message:stopping tftp
+
+[restart]
+command:/usr/local/etc/rc.d/tftpd restart
+parameters:
+type:script
+message:restarting tftp
+
+[status]
+command:/usr/local/etc/rc.d/tftpd status;exit 0
+parameters:
+type:script_output
+message:request tftp status
diff --git a/ftp/tftp/src/opnsense/service/templates/OPNsense/Tftp/+TARGETS b/ftp/tftp/src/opnsense/service/templates/OPNsense/Tftp/+TARGETS
new file mode 100644
index 0000000000..14cc1b4e33
--- /dev/null
+++ b/ftp/tftp/src/opnsense/service/templates/OPNsense/Tftp/+TARGETS
@@ -0,0 +1 @@
+tftpd:/etc/rc.conf.d/tftpd
diff --git a/ftp/tftp/src/opnsense/service/templates/OPNsense/Tftp/tftpd b/ftp/tftp/src/opnsense/service/templates/OPNsense/Tftp/tftpd
new file mode 100644
index 0000000000..982879ac71
--- /dev/null
+++ b/ftp/tftp/src/opnsense/service/templates/OPNsense/Tftp/tftpd
@@ -0,0 +1,6 @@
+{% if helpers.exists('OPNsense.tftp.general.enabled') and OPNsense.tftp.general.enabled == '1' %}
+tftpd_enable="YES"
+tftpd_flags="-s /usr/local/tftp -a {{ OPNsense.tftp.general.listen }}"
+{% else %}
+tftpd_enable="NO"
+{% endif %}

From 2b6ef7ea6178d771bc6d3a4fabe0ecc8122327d3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 8 Jun 2021 19:36:19 +0200
Subject: [PATCH 0608/3088] ftp/tftp: small changes

---
 README.md          | 1 +
 ftp/tftp/Makefile  | 2 +-
 ftp/tftp/pkg-descr | 1 -
 3 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index d4d0225d10..d8dd3041aa 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
 dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
 emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
+ftp/tftp -- TFTP server (development only)
 mail/fetchmail -- Remote-mail retrieval utility (development only)
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
diff --git a/ftp/tftp/Makefile b/ftp/tftp/Makefile
index 6ae8189031..8a8d93eb02 100644
--- a/ftp/tftp/Makefile
+++ b/ftp/tftp/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		tftp
 PLUGIN_VERSION=		0.1
 PLUGIN_COMMENT=		TFTP server
 PLUGIN_DEPENDS=		tftp-hpa
-PLUGIN_DEVEL=       yes
+PLUGIN_DEVEL=		yes
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/ftp/tftp/pkg-descr b/ftp/tftp/pkg-descr
index 0fca4a3102..2d721591bc 100644
--- a/ftp/tftp/pkg-descr
+++ b/ftp/tftp/pkg-descr
@@ -1,4 +1,3 @@
 tftp-hpa is portable, BSD derived tftp server.  It supports advanced
 options such as blksize, blksize2, tsize, timeout, and utimeout.
 It also supported rulebased security options.
-

From 8f41ae23f797ebdc503fb7133251742f270e913b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Jun 2021 08:22:36 +0200
Subject: [PATCH 0609/3088] dns/dyndns: bump revision after fix

---
 dns/dyndns/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index da4ebda94a..70ea960929 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.24
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 47490058c4d24f1b9f42e075a46efb0326e9a3a0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Jun 2021 10:28:58 +0200
Subject: [PATCH 0610/3088] sysutils/puppet-agent: testing matters :D

---
 sysutils/puppet-agent/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/puppet-agent/Makefile b/sysutils/puppet-agent/Makefile
index 60340eb676..7e1977c2a1 100644
--- a/sysutils/puppet-agent/Makefile
+++ b/sysutils/puppet-agent/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		puppet-agent
 PLUGIN_VERSION=		0.2
 PLUGIN_DEVEL=		yes
 PLUGIN_COMMENT=		Manage Puppet Agent
-PLUGIN_DEPENDS=		puppet7 py-opn-cli
+PLUGIN_DEPENDS=		puppet7 py${PLUGIN_PYTHON}-opn-cli
 PLUGIN_MAINTAINER=	jan.wink93@gmail.com
 
 .include "../../Mk/plugins.mk"

From bf87cf04a0adafdebbd993d0a98a3a51e8eed2c6 Mon Sep 17 00:00:00 2001
From: Juergen Kellerer <juergen@k123.eu>
Date: Wed, 9 Jun 2021 19:27:25 +0200
Subject: [PATCH 0611/3088] AcmeClient/Sftp: Fix updates of readonly files when
 owner is numeric

---
 security/acme-client/pkg-descr                |  5 ++
 .../OPNsense/AcmeClient/SftpUploader.php      | 68 +++++++++++++++----
 2 files changed, 60 insertions(+), 13 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 1df43367a0..9c801f8487 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+2.6
+
+Fixed:
+* sftp update of write protected cert files with a numeric owner
+
 2.5
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
index 883dac3567..bf6a466e32 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
@@ -43,6 +43,7 @@ class SftpUploader
 
     /* @var SftpClient */
     private $sftp;
+    private $sftp_connection_file_owner = -2;
 
     private $pending_files = [];
     private $pending_base_path = "";
@@ -237,7 +238,7 @@ public function upload(): int
                 $remote_filename = basename((empty($file["target"]) ? $local_file : $file["target"]));
                 $remote_file = $remote_files[$remote_filename] ?: ["type" => "-", "owner" => $username];
                 $remote_is_file = $remote_file["type"] === "-";
-                $remote_is_readonly = preg_match('/^-r-.r-.+$/', $remote_file["permissions"] ?: "");
+                $remote_is_readonly = preg_match('/^[^wW]+$/', $remote_file["permissions"] ?: "");
 
                 // Check if a folder/socket/symlink, etc is in the way
                 if (!$remote_is_file) {
@@ -253,38 +254,40 @@ public function upload(): int
 
 
                 // Initial upload when permissions are properly set.
-                $retry_with_permission_change =
+                $should_upload_with_permission_change =
                     $chmod !== false
-                    && $remote_file["owner"] === $username
                     && isset($remote_files[$remote_filename]);
 
                 if (!$remote_is_readonly) {
                     $preserve_times_and_mod = $chmod !== false;
 
                     if ($error = $this->sftp->put($local_file, $remote_filename, $preserve_times_and_mod)->lastError()) {
-                        Utils::log()->error("Failed uploading file '{$local_file}' to '{$file["target"]}'", $error);
-
                         if ($error["permission_denied"] !== true) {
-                            $retry_with_permission_change = false;
+                            $should_upload_with_permission_change = false;
                         }
 
-                        if ($retry_with_permission_change) {
-                            Utils::log()->info("Retrying file '{$local_file}' to '{$file["target"]}' with adjusted permissions");
+                        if ($should_upload_with_permission_change) {
+                            $this->sftp->clearError();
                         } else {
+                            Utils::log()->error("Failed uploading file '{$local_file}' to '{$file["target"]}'", $error);
                             return self::UPLOAD_ERROR_NO_PERMISSION;
                         }
                     } else {
-                        $retry_with_permission_change = false;
+                        $should_upload_with_permission_change = false;
                     }
                 }
 
-
                 // Second attempt when initial failed or was skipped due to write protection (only possible if we have chmod defined to reset permissions later)
-                if ($retry_with_permission_change) {
-                    $this->sftp->chmod($remote_filename, '0600');
+                if ($should_upload_with_permission_change && $this->isFileOwnedByConnection($remote_file, $connection)) {
+                    Utils::log()->info("Trying to upload file '{$local_file}' to '{$file["target"]}' with adjusted permissions");
+
+                    if ($error = $this->sftp->chmod($remote_filename, '0600')->lastError()) {
+                        Utils::log()->error("Failed changing permission to '0600' for '{$file["target"]}'. ", $error);
+                        $this->sftp->clearError();
+                    }
 
                     if ($error = $this->sftp->put($local_file, $remote_filename)->lastError()) {
-                        Utils::log()->error("Failed uploading file '{$local_file}' to '{$file["target"]}'", $error);
+                        Utils::log()->error("Failed uploading file (with adjusted permissions) '{$local_file}' to '{$file["target"]}'", $error);
                         return self::UPLOAD_ERROR_NO_PERMISSION;
                     }
                 } elseif ($remote_is_readonly) {
@@ -323,6 +326,45 @@ public function upload(): int
         return self::UPLOAD_SUCCESS;
     }
 
+    private function isFileOwnedByConnection(array $remote_file, array $connection): bool
+    {
+        if (isset($remote_file["owner"])) {
+            // Direct match when file owner was returned as username
+            if ($remote_file["owner"] === $connection["user"]) {
+                return true;
+            }
+
+            // Detect file owner when it was returned as numeric value.
+            if (preg_match('/^[0-9]+$/', $remote_file["owner"])) {
+                // Uploading a temp file to see what owner this connection creates
+                if ($this->sftp_connection_file_owner === -2) {
+                    $local_test_file = $this->temporaryFile();
+                    $remote_test_file = basename($local_test_file);
+
+                    $this->sftp->clearError();
+
+                    if ($error = $this->sftp->put($local_test_file, $remote_test_file)->lastError()) {
+                        Utils::log()->error("Failed uploading test file to detect ownership. Next uploads may fail as well.", $error);
+                    } else {
+                        // Get owner of the test file
+                        $file_info = $this->sftp->ls()[$remote_test_file] ?: ["owner" => -1];
+                        // Cleanup
+                        $this->sftp->rm($remote_test_file);
+                        $this->sftp->clearError();
+                        // Cache the result
+                        $this->sftp_connection_file_owner = $file_info["owner"];
+                    }
+                }
+
+                if ($remote_file["owner"] == $this->sftp_connection_file_owner) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
     private function deleteSourceIfRequested($file)
     {
         if (

From 76ec2c13ae93361b34416678fcdf8fde99e53205 Mon Sep 17 00:00:00 2001
From: jkellerer <jkellerer@users.noreply.github.com>
Date: Fri, 11 Jun 2021 09:48:37 +0200
Subject: [PATCH 0612/3088] Maltrail: Integrate fail2ban IP-list with firewall
 aliases (#2017)

---
 security/maltrail/Makefile                    |  2 +-
 security/maltrail/pkg-descr                   |  4 +
 .../Maltrail/Api/ServerController.php         | 77 +++++++++++++++++++
 .../OPNsense/Maltrail/forms/server.xml        |  6 ++
 .../app/models/OPNsense/Maltrail/Server.xml   |  6 +-
 .../templates/OPNsense/Maltrail/maltrail.conf |  3 +
 6 files changed, 96 insertions(+), 2 deletions(-)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index b12529d08a..04126919b3 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		maltrail
-PLUGIN_VERSION=		1.7
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index 9863acea0f..0bb1e62876 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -11,6 +11,10 @@ WWW: https://github.com/stamparm/maltrail
 Changelog
 ---------
 
+1.8
+
+* Add firewall alias "BlocklistMaltrail" that points to the built-in ip block list
+
 1.7
 
 * Allow sensor cron restart
diff --git a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/Api/ServerController.php b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/Api/ServerController.php
index afc87089f2..a42c495106 100644
--- a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/Api/ServerController.php
+++ b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/Api/ServerController.php
@@ -29,9 +29,86 @@
 namespace OPNsense\Maltrail\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Firewall\Alias;
 
 class ServerController extends ApiMutableModelControllerBase
 {
     protected static $internalModelClass = '\OPNsense\Maltrail\Server';
     protected static $internalModelName = 'server';
+
+    protected function setActionHook()
+    {
+        $model = $this->getModel();
+
+        // Handle addition/removal of "BlocklistMaltrail"
+        if (strval($model->addblocklistalias) == "1") {
+            $enabled = strval($model->enabled) == "1";
+            $address = trim(strval($model->listenaddress));
+
+            if ($address == "0.0.0.0") {
+                $address = "127.0.0.1";
+            } else if ($address == "::") {
+                $address = "::1";
+            }
+
+            if (strpos($address, ':') !== false) {
+                $address = "[$address]";
+            }
+
+            $address = $address . ':' . strval($model->listenport);
+
+            self::toggleBlocklistAlias(true, $enabled, $address);
+        } else {
+            self::toggleBlocklistAlias(false);
+        }
+    }
+
+    const BLOCKLIST_ALIAS_NAME = "BlocklistMaltrail";
+    const BLOCKLIST_ALIAS_DESCRIPTION = "Autogenerated alias for Maltrail's fail2ban feature";
+    const BLOCKLIST_ALIAS_UPDATE_FREQ = (1 / 24 / 60 * 5); // (1) is 24 hours | (1 / 24 / 60 * 5) is every 5 minutes
+
+    private static function toggleBlocklistAlias(bool $add, bool $enabled = false, string $addressAndPort = "")
+    {
+        $model = new Alias();
+
+        // Search for existing alias
+        $blocklist = null;
+        $blocklistIndex = null;
+        foreach ($model->aliases->alias->iterateItems() as $index => $alias) {
+            if (strval($alias->name) == self::BLOCKLIST_ALIAS_NAME) {
+                $blocklist = $alias;
+                $blocklistIndex = $index;
+                break;
+            }
+        }
+
+        // Add, update or remove the alias
+        if ($add) {
+            if ($blocklist === null) {
+                $blocklist = $model->aliases->alias->add();
+                $blocklist->name = self::BLOCKLIST_ALIAS_NAME;
+                $blocklist->description = self::BLOCKLIST_ALIAS_DESCRIPTION;
+                $blocklist->updatefreq = strval(self::BLOCKLIST_ALIAS_UPDATE_FREQ);
+            }
+
+            $url = "http://$addressAndPort/fail2ban";
+            $enabled = ($enabled ? "1" : "0");
+
+            $needsUpdate = strval($blocklist->type) != "urltable"
+                || strval($blocklist->content) != $url
+                || strval($blocklist->enabled) != $enabled;
+
+            if ($needsUpdate) {
+                $blocklist->type = "urltable";
+                $blocklist->content = $url;
+                $blocklist->enabled = $enabled;
+
+                $model->serializeToConfig();
+            }
+        } else if ($blocklistIndex !== null) {
+            if ($model->aliases->alias->del($blocklistIndex)) {
+                $model->serializeToConfig();
+            }
+        }
+    }
 }
diff --git a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/server.xml b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/server.xml
index 67d433f296..03ca77c5c2 100644
--- a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/server.xml
+++ b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/server.xml
@@ -5,6 +5,12 @@
         <type>checkbox</type>
         <help>This will activate the Maltrail server. You can use this service to also collect data from remote Maltrail sensors.</help>
     </field>
+    <field>
+        <id>server.addblocklistalias</id>
+        <label>Add Blocklist Alias</label>
+        <type>checkbox</type>
+        <help>Adds firewall alias "BlocklistMaltrail" referencing Maltrail's "/fail2ban" IP list. You can use this alias to block IPs that Maltrail detected as malicious.</help>
+    </field>
     <field>
         <id>server.listenaddress</id>
         <label>UI Listen Address</label>
diff --git a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Server.xml b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Server.xml
index 0c94548350..94df269c2c 100644
--- a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Server.xml
+++ b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Server.xml
@@ -1,12 +1,16 @@
 <model>
     <mount>//OPNsense/maltrail/server</mount>
     <description>Maltrail server configuration</description>
-    <version>0.0.1</version>
+    <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
         </enabled>
+        <addblocklistalias type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </addblocklistalias>
         <listenaddress type="HostnameField">
             <default>0.0.0.0</default>
             <Required>Y</Required>
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index 85943100f6..5e107c94ca 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -7,6 +7,9 @@ HTTP_ADDRESS {{ OPNsense.maltrail.server.listenaddress }}
 HTTP_PORT {{ OPNsense.maltrail.server.listenport }}
 USE_SSL false
 
+# Regular expression to be used in external /fail2ban calls for extraction of attacker source IPs
+FAIL2BAN_REGEX attacker|reputation|potential[^"]*(web scan|directory traversal|injection|remote code)|spammer|mass scanner
+
 {%   if helpers.exists('OPNsense.maltrail.server.loglistenaddress') and OPNsense.maltrail.server.loglistenaddress != '' %}
 UDP_ADDRESS {{ OPNsense.maltrail.server.loglistenaddress }}
 {%   endif %}

From a0ddf96645ebc390f5c2c7089f683c1bdcf65a5d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 14 Jun 2021 16:13:14 +0200
Subject: [PATCH 0613/3088] plugins: remove use of $main_buttons

PR: https://github.com/opnsense/core/issues/4216
---
 dns/dyndns/Makefile                           |  2 +-
 dns/dyndns/src/www/services_dyndns.php        | 10 +++++-----
 dns/rfc2136/Makefile                          |  2 +-
 dns/rfc2136/src/www/services_rfc2136.php      | 10 +++++-----
 net/igmp-proxy/Makefile                       |  2 +-
 net/igmp-proxy/src/www/services_igmpproxy.php | 10 +++++-----
 6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 70ea960929..b049331a4d 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.24
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/src/www/services_dyndns.php b/dns/dyndns/src/www/services_dyndns.php
index 03bddbfcb6..30f5d259ce 100644
--- a/dns/dyndns/src/www/services_dyndns.php
+++ b/dns/dyndns/src/www/services_dyndns.php
@@ -67,10 +67,6 @@
 
 legacy_html_escape_form_data($a_dyndns);
 
-$main_buttons = array(
-    array('label' => gettext('Add'), 'href' => 'services_dyndns_edit.php'),
-);
-
 ?>
 <body>
   <script>
@@ -125,7 +121,11 @@
                       <th><?=gettext("Hostname");?></th>
                       <th><?=gettext("Cached IP");?></th>
                       <th><?=gettext("Description");?></th>
-                      <th class="text-nowrap"></th>
+                      <th class="text-nowrap">
+                        <a href="services_dyndns_edit.php" class="btn btn-primary btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Add')) ?>">
+                          <i class="fa fa-plus fa-fw"></i>
+                        </a>
+                      </th>
                     </tr>
                   </thead>
                   <tbody>
diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index c186e4856d..dc089e39b0 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/www/services_rfc2136.php b/dns/rfc2136/src/www/services_rfc2136.php
index 5f7aaee8a1..16936da0a6 100644
--- a/dns/rfc2136/src/www/services_rfc2136.php
+++ b/dns/rfc2136/src/www/services_rfc2136.php
@@ -65,10 +65,6 @@
 
 legacy_html_escape_form_data($a_rfc2136);
 
-$main_buttons = array(
-    array('label' => gettext('Add'), 'href' => 'services_rfc2136_edit.php'),
-);
-
 ?>
 <body>
   <script>
@@ -124,7 +120,11 @@
                       <th><?=gettext("Hostname");?></th>
                       <th><?=gettext("Cached IP");?></th>
                       <th><?=gettext("Description");?></th>
-                      <th class"text-nowrap"></th>
+                      <th class"text-nowrap">
+                        <a href="services_rfc2136_edit.php" class="btn btn-primary btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Add')) ?>">
+                          <i class="fa fa-plus fa-fw"></i>
+                        </a>
+                      </th>
                     </tr>
                   </thead>
                   <tbody>
diff --git a/net/igmp-proxy/Makefile b/net/igmp-proxy/Makefile
index d5546cdb17..e322484ae3 100644
--- a/net/igmp-proxy/Makefile
+++ b/net/igmp-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		igmp-proxy
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		igmpproxy
 PLUGIN_COMMENT=		IGMP-Proxy Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/igmp-proxy/src/www/services_igmpproxy.php b/net/igmp-proxy/src/www/services_igmpproxy.php
index 8522c500ff..7f1dbd171d 100644
--- a/net/igmp-proxy/src/www/services_igmpproxy.php
+++ b/net/igmp-proxy/src/www/services_igmpproxy.php
@@ -53,10 +53,6 @@
 
 legacy_html_escape_form_data($a_igmpproxy);
 
-$main_buttons = array(
-    array('label' => gettext('Add'), 'href' => 'services_igmpproxy_edit.php'),
-);
-
 ?>
 <body>
   <script>
@@ -102,7 +98,11 @@
                       <td><?=gettext("Type");?></td>
                       <td><?=gettext("Values");?></td>
                       <td><?=gettext("Description");?></td>
-                      <td class="text-nowrap"></td>
+                      <td class="text-nowrap">
+                        <a href="services_igmpproxy_edit.php" class="btn btn-primary btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Add')) ?>">
+                          <i class="fa fa-plus fa-fw"></i>
+                        </a>
+                      </td>
                     </tr>
                   </thead>
                   <tbody>

From 86c9abff1fd6c4d62f349ae988f4e75849b609e1 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 16 Jun 2021 15:16:41 +0200
Subject: [PATCH 0614/3088] net/freeradius: remove LEAP (#2433)

---
 net/freeradius/Makefile                           |  2 +-
 net/freeradius/pkg-descr                          |  4 ++++
 .../OPNsense/Freeradius/mods-enabled-eap          | 15 ---------------
 3 files changed, 5 insertions(+), 16 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index dd739fa1d9..158d41481b 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.12
+PLUGIN_VERSION=		1.9.13
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 5c5c726ac1..6d212d0283 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.13
+
+* Remove LEAP section from configuration
+
 1.9.12
 
 * Fix leading space in freeradius logformat (contributed by nan0)
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 8093143e8b..e4eb1f9dbb 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -99,21 +99,6 @@ eap {
 #               virtual_server = "inner-tunnel"
 #       }
 
-        # Cisco LEAP
-        #
-        #  We do not recommend using LEAP in new deployments.  See:
-        #  http://www.securiteam.com/tools/5TP012ACKE.html
-        #
-        #  Cisco LEAP uses the MS-CHAP algorithm (but not
-        #  the MS-CHAP attributes) to perform it's authentication.
-        #
-        #  As a result, LEAP *requires* access to the plain-text
-        #  User-Password, or the NT-Password attributes.
-        #  'System' authentication is impossible with LEAP.
-        #
-        leap {
-        }
-
         #  Generic Token Card.
         #
         #  Currently, this is only permitted inside of EAP-TTLS,

From aac9e0b041429f011111521da49d4008d5948bd3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Jun 2021 12:23:56 +0200
Subject: [PATCH 0615/3088] plugins: minor style updates

---
 .../mvc/app/views/OPNsense/Relayd/status.volt | 54 +++++++++----------
 .../Maltrail/Api/ServerController.php         |  4 +-
 .../templates/OPNsense/Nginx/http.conf        |  2 +-
 3 files changed, 29 insertions(+), 31 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
index 0d7a422717..f178414e9f 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/status.volt
@@ -1,31 +1,29 @@
 {#
-
-Copyright © 2018 by EURO-LOG AG
-Copyright (c) 2021 Deciso B.V.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ # Copyright (c) 2018 EURO-LOG AG
+ # Copyright (c) 2021 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <script type="text/javascript">
   $( document ).ready(function() {
@@ -191,7 +189,7 @@ POSSIBILITY OF SUCH DAMAGE.
                                 $.each(table.hosts, function(hkey, host) {
                                     let $host_td = $('<td data-id="'+hkey+'" class="relayd_host"/>');
                                     let host_names = [];
-                                    let display_name = host.name ;
+                                    let display_name = host.name;
                                     if (host.properties != undefined) {
                                         for (i=0; i < host.properties.length; i++) {
                                             if (host.properties[i].name !== host.name) {
diff --git a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/Api/ServerController.php b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/Api/ServerController.php
index a42c495106..1857843ba8 100644
--- a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/Api/ServerController.php
+++ b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/Api/ServerController.php
@@ -47,7 +47,7 @@ protected function setActionHook()
 
             if ($address == "0.0.0.0") {
                 $address = "127.0.0.1";
-            } else if ($address == "::") {
+            } elseif ($address == "::") {
                 $address = "::1";
             }
 
@@ -105,7 +105,7 @@ private static function toggleBlocklistAlias(bool $add, bool $enabled = false, s
 
                 $model->serializeToConfig();
             }
-        } else if ($blocklistIndex !== null) {
+        } elseif ($blocklistIndex !== null) {
             if ($model->aliases->alias->del($blocklistIndex)) {
                 $model->serializeToConfig();
             }
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 49aca5f88b..3d52446953 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -13,7 +13,7 @@ log_format  main_ext  '$remote_addr - $remote_user [$time_local] "$request" '
                       'rt=$request_time '
                       'ua="$upstream_addr" us="$upstream_status" '
                       'ut="$upstream_response_time" ul="$upstream_response_length" '
-                      'cs=$upstream_cache_status' ;
+                      'cs=$upstream_cache_status';
 log_format  handshake   '"$http_user_agent" "$ssl_ciphers" "$ssl_curves"';
 log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" '

From d961dc12cf5033cfc098f248921858310f5dca57 Mon Sep 17 00:00:00 2001
From: Micha M <contact-micha+github@posteo.de>
Date: Sat, 19 Jun 2021 13:15:51 +0200
Subject: [PATCH 0616/3088] net/freeradius: Update mods-enabled-eap comments to
 v 3.0.22

Signed-off-by: Micha M <contact-micha+github@posteo.de>
---
 .../OPNsense/Freeradius/mods-enabled-eap      | 638 +++++++++++-------
 1 file changed, 405 insertions(+), 233 deletions(-)

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index e4eb1f9dbb..352983d8b4 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -4,7 +4,7 @@
 ##
 ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
 ##
-##      $Id: 427016c66da92b5aa87ac784e74550c4e723c0cd $
+##        $Id: 239ac4c00c1240f38d21881eec5588a84d1ba0fe $
 
 #######################################################################
 #
@@ -37,7 +37,7 @@ eap {
         #  configurable length of time, entries in the list
         #  expire, and are deleted.
         #
-        timer_expire     = 60
+        timer_expire = 60
 
         #  There are many EAP types, but the server has support
         #  for only a limited subset.  If the server receives
@@ -51,6 +51,7 @@ eap {
         #  If another module is NOT configured to handle the
         #  request, then the request will still end up being
         #  rejected.
+        #
         ignore_unknown_eap_types = no
 
         # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
@@ -59,17 +60,24 @@ eap {
         #
         # We can work around it by configurably adding an extra
         # zero byte.
+        #
         cisco_accounting_username_bug = no
 
-        #
         #  Help prevent DoS attacks by limiting the number of
         #  sessions that the server is tracking.  For simplicity,
         #  this is taken from the "max_requests" directive in
         #  radiusd.conf.
+        #
         max_sessions = ${max_requests}
 
-        # Supported EAP-types
 
+        ############################################################
+        #
+        #  Supported EAP-types
+        #
+
+
+        #  EAP-MD5
         #
         #  We do NOT recommend using EAP-MD5 authentication
         #  for wireless connections.  It is insecure, and does
@@ -78,17 +86,17 @@ eap {
         md5 {
         }
 
+
+        #  EAP-pwd -- secure password-based authentication
         #
-        # EAP-pwd -- secure password-based authentication
-        #
-#       pwd {
-#               group = 19
+        #pwd {
+        #        group = 19
 
-                #
-#               server_id = theserver@example.com
+        #        server_id = theserver@example.com
 
                 #  This has the same meaning as for TLS.
-#               fragment_size = 1020
+                #
+        #        fragment_size = 1020
 
                 # The virtual server which determines the
                 # "known good" password for the user.
@@ -96,10 +104,22 @@ eap {
                 # section is processed.  EAP-PWD requests can be
                 # distinguished by having a User-Name, but
                 # no User-Password, CHAP-Password, EAP-Message, etc.
-#               virtual_server = "inner-tunnel"
-#       }
+                #
+        #        virtual_server = "inner-tunnel"
+        #}
+
 
-        #  Generic Token Card.
+        #  Cisco LEAP
+        #
+        #  We do not recommend using LEAP in new deployments.  See:
+        #  http://www.securiteam.com/tools/5TP012ACKE.html
+        #
+        #  As of 3.0.22, LEAP has been removed from the server.
+        #  It is insecure, and no one should be using it.
+        #
+
+
+        #  EAP-GTC -- Generic Token Card
         #
         #  Currently, this is only permitted inside of EAP-TTLS,
         #  or EAP-PEAP.  The module "challenges" the user with
@@ -113,7 +133,8 @@ eap {
         gtc {
                 #  The default challenge, which many clients
                 #  ignore..
-                #challenge = "Password: "
+                #
+        #        challenge = "Password: "
 
                 #  The plain-text response which comes back
                 #  is put into a User-Password attribute,
@@ -130,9 +151,11 @@ eap {
                 auth_type = PAP
         }
 
-        ## Common TLS configuration for TLS-based EAP types
+
+        #  Common TLS configuration for TLS-based EAP types
+        #  ------------------------------------------------
         #
-        #  See raddb/certs/README for additional comments
+        #  See raddb/certs/README.md for additional comments
         #  on certificates.
         #
         #  If OpenSSL was not found at the time the server was
@@ -152,14 +175,11 @@ eap {
         #  to install the server, and to perform some simple
         #  tests with EAP-TLS, TTLS, or PEAP.
         #
-        #  See also:
-        #
-        #  http://www.dslreports.com/forum/remark,9286052~mode=flat
-        #
         #  Note that you should NOT use a globally known CA here!
         #  e.g. using a Verisign cert as a "known CA" means that
         #  ANYONE who has a certificate signed by them can
         #  authenticate via EAP-TLS!  This is likely not what you want.
+        #
         tls-config tls-common {
 {% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
 {%   if helpers.exists('OPNsense.freeradius.eap.certificate') and OPNsense.freeradius.eap.certificate != '' %}
@@ -170,22 +190,48 @@ eap {
 {% else %}
                 private_key_password = whatever
                 private_key_file = ${certdir}/server.pem
+
                 #  If Private key & Certificate are located in
                 #  the same file, then private_key_file &
                 #  certificate_file must contain the same file
                 #  name.
                 #
                 #  If ca_file (below) is not used, then the
-                #  certificate_file below MUST include not
-                #  only the server certificate, but ALSO all
-                #  of the CA certificates used to sign the
-                #  server certificate.
+                #  certificate_file below SHOULD also include all of
+                #  the intermediate CA certificates used to sign the
+                #  server certificate, but NOT the root CA.
+                #
+                #  Including the ROOT CA certificate is not useful and
+                #  merely inflates the exchanged data volume during
+                #  the TLS negotiation.
+                #
+                #  This file should contain the server certificate,
+                #  followed by intermediate certificates, in order.
+                #  i.e. If we have a server certificate signed by CA1,
+                #  which is signed by CA2, which is signed by a root
+                #  CA, then the "certificate_file" should contain
+                #  server.pem, followed by CA1.pem, followed by
+                #  CA2.pem.
+                #
+                #  When using "ca_file" or "ca_dir", the
+                #  "certificate_file" should contain only
+                #  "server.pem".  And then you may (or may not) need
+                #  to set "auto_chain", depending on your version of
+                #  OpenSSL.
+                #
+                #  In short, SSL / TLS certificates are complex.
+                #  There are many versions of software, each of which
+                #  behave slightly differently.  It is impossible to
+                #  give advice which will work everywhere.  Instead,
+                #  we give general guidelines.
+                #
                 certificate_file = ${certdir}/server.pem
 {% endif %}
                 #  Trusted Root CA list
                 #
-                #  ALL of the CA's in this list will be trusted
-                #  to issue client certificates for authentication.
+                #  This file can contain multiple CA certificates.
+                #  ALL of the CA's in this list will be trusted to
+                #  issue client certificates for authentication.
                 #
                 #  In general, you should use self-signed
                 #  certificates for 802.1x (EAP) authentication.
@@ -206,41 +252,49 @@ eap {
                 #
                 #  When setting "auto_chain = no", the server certificate
                 #  file MUST include the full certificate chain.
-        #       auto_chain = yes
+                #
+        #        auto_chain = yes
 
+                #  If OpenSSL supports TLS-PSK, then we can use a
+                #  fixed PSK identity and (hex) password.  As of
+                #  3.0.18, these can be used at the same time as the
+                #  certificate configuration, but only for TLS 1.0
+                #  through 1.2.
                 #
-                #  If OpenSSL supports TLS-PSK, then we can use
-                #  a PSK identity and (hex) password.  When the
-                #  following two configuration items are specified,
-                #  then certificate-based configuration items are
-                #  not allowed.  e.g.:
+                #  If PSK and certificates are configured at the same
+                #  time for TLS 1.3, then the server will warn you,
+                #  and will disable TLS 1.3, as it will not work.
                 #
-                #       private_key_password
-                #       private_key_file
-                #       certificate_file
-                #       ca_file
-                #       ca_path
+                #  The work around is to have two modules (or for
+                #  RadSec, two listen sections).  One will have PSK
+                #  configured, and the other will have certificates
+                #  configured.
                 #
-                #  For now, the identity is fixed, and must be the
-                #  same on the client.  The passphrase must be a hex
-                #  value, and can be up to 256 hex digits.
+        #        psk_identity = "test"
+        #        psk_hexphrase = "036363823"
+
+                #  Dynamic queries for the PSK.  If TLS-PSK is used,
+                #  and psk_query is set, then you MUST NOT use
+                #  psk_identity or psk_hexphrase.
                 #
-                #  Future versions of the server may be able to
-                #  look up the shared key (hexphrase) based on the
-                #  identity.
+                #  Instead, use a dynamic expansion similar to the one
+                #  below.  It keys off of TLS-PSK-Identity.  It should
+                #  return a of string no more than 512 hex characters.
+                #  That string will be converted to binary, and will
+                #  be used as the dynamic PSK hexphrase.
                 #
-        #       psk_identity = "test"
-        #       psk_hexphrase = "036363823"
-
+                #  Note that this query is just an example.  You will
+                #  need to customize it for your installation.
                 #
+        #        psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
+
                 #  For DH cipher suites to work, you have to
                 #  run OpenSSL to create the DH file first:
                 #
-                #       openssl dhparam -out certs/dh 2048
+                #    openssl dhparam -out certs/dh 2048
                 #
                 dh_file = ${certdir}/dh
 
-                #
                 #  If your system doesn't have /dev/urandom,
                 #  you will need to create this file, and
                 #  periodically change its contents.
@@ -249,9 +303,8 @@ eap {
                 #  write to files in its configuration
                 #  directory.
                 #
-        #       random_file = /dev/urandom
+        #        random_file = /dev/urandom
 
-                #
                 #  This can never exceed the size of a RADIUS
                 #  packet (4096 bytes), and is preferably half
                 #  that, to accommodate other attributes in
@@ -260,7 +313,7 @@ eap {
                 #  In these cases, fragment size should be
                 #  1024 or less.
                 #
-        #       fragment_size = 1024
+        #        fragment_size = 1024
 
                 #  include_length is a flag which is
                 #  by default set to yes If set to
@@ -270,14 +323,14 @@ eap {
                 #  message is included ONLY in the
                 #  First packet of a fragment series.
                 #
-        #       include_length = yes
+        #        include_length = yes
 
 
                 #  Check the Certificate Revocation List
                 #
                 #  1) Copy CA certificates and CRLs to same directory.
                 #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
-                #    'c_rehash' is OpenSSL's command.
+                #     'c_rehash' is OpenSSL's command.
                 #  3) uncomment the lines below.
                 #  5) Restart radiusd
 {% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
@@ -288,25 +341,38 @@ eap {
         #       check_crl = yes
 {% endif %}
                 # Check if intermediate CAs have been revoked.
-        #       check_all_crl = yes
+        #        check_all_crl = yes
 
                 ca_path = ${cadir}
 
+                # OpenSSL does not reload contents of ca_path dir over time.
+                # That means that if check_crl is enabled and CRLs are loaded
+                # from ca_path dir, at some point CRLs will expire and
+                # RADIUSd will stop authenticating users.
+                # If ca_path_reload_interval is non-zero, it will force OpenSSL
+                # to reload all data from ca_path periodically
+                #
+                # Flush ca_path each hour
+        #        ca_path_reload_interval = 3600
+
+
+                # Accept an expired Certificate Revocation List
                 #
+        #        allow_expired_crl = no
+
                 #  If check_cert_issuer is set, the value will
                 #  be checked against the DN of the issuer in
                 #  the client certificate.  If the values do not
                 #  match, the certificate verification will fail,
                 #  rejecting the user.
                 #
-                #  In 2.1.10 and later, this check can be done
-                #  more generally by checking the value of the
-                #  TLS-Client-Cert-Issuer attribute.  This check
-                #  can be done via any mechanism you choose.
+                #  This check can be done more generally by checking
+                #  the value of the TLS-Client-Cert-Issuer attribute.
+                #  This check can be done via any mechanism you
+                #  choose.
                 #
-        #       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
+        #        check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 
-                #
                 #  If check_cert_cn is set, the value will
                 #  be xlat'ed and checked against the CN
                 #  in the client certificate.  If the values
@@ -317,57 +383,108 @@ eap {
                 #  "check_cert_issuer" is not set, or if
                 #  the check succeeds.
                 #
-                #  In 2.1.10 and later, this check can be done
-                #  more generally by checking the value of the
-                #  TLS-Client-Cert-CN attribute.  This check
-                #  can be done via any mechanism you choose.
-                #
-        #       check_cert_cn = %{User-Name}
-                #
-                # Set this option to specify the allowed
-                # TLS cipher suites.  The format is listed
-                # in "man 1 ciphers".
+                #  This check can be done more generally by writing
+                #  "unlang" statements to examine the value of the
+                #  TLS-Client-Cert-Common-Name attribute.
                 #
-                # For EAP-FAST, use "ALL:!EXPORT:!eNULL:!SSLv2"
+        #        check_cert_cn = %{User-Name}
+
+                #  Set this option to specify the allowed
+                #  TLS cipher suites.  The format is listed
+                #  in "man 1 ciphers".
                 #
                 cipher_list = "DEFAULT"
 
-                # If enabled, OpenSSL will use server cipher list
-                # (possibly defined by cipher_list option above)
-                # for choosing right cipher suite rather than
-                # using client-specified list which is OpenSSl default
-                # behavior. Having it set to yes is a current best practice
-                # for TLS
+                #  If enabled, OpenSSL will use server cipher list
+                #  (possibly defined by cipher_list option above)
+                #  for choosing right cipher suite rather than
+                #  using client-specified list which is OpenSSl default
+                #  behavior.  Setting this to "yes" means that OpenSSL
+                #  will choose the servers ciphers, even if they do not
+                #  best match what the client sends.
+                #
+                #  TLS negotiation is usually good, but can be imperfect.
+                #  This setting allows administrators to "fine tune" it
+                #  if necessary.
+                #
                 cipher_server_preference = no
 
-                # Work-arounds for OpenSSL nonsense
-                # OpenSSL 1.0.1f and 1.0.1g do not calculate
-                # the EAP keys correctly.  The fix is to upgrade
-                # OpenSSL, or disable TLS 1.2 here.
+                #  You can selectively disable TLS versions for
+                #  compatability with old client devices.
                 #
-                #  For EAP-FAST, this MUST be set to "yes".
+                #  If your system has OpenSSL 1.1.0 or greater, do NOT
+                #  use these.  Instead, set tls_min_version and
+                #  tls_max_version.
                 #
-#               disable_tlsv1_2 = no
+#                disable_tlsv1_2 = yes
+#                disable_tlsv1_1 = yes
+#                disable_tlsv1 = yes
 
-                #
 
+                #  Set min / max TLS version.
+                #
+                #  Generally speaking you should NOT use TLS 1.0 or
+                #  TLS 1.1.  They are old, possibly insecure, and
+                #  deprecated.  However, it is sometimes necessary to
+                #  enable it for compatibility with legact systems.
+                #  We recommend replacing those legacy systems, and
+                #  using at least TLS 1.2.
+                #
+                #  Some Debian versions disable older versions of TLS,
+                #  and requires the application to manually enable
+                #  them.
+                #
+                #  If you are running such a distribution, you should
+                #  set these options, otherwise older clients will not
+                #  be able to connect.
+                #
+                #  Allowed values are "1.0", "1.1", "1.2", and "1.3".
                 #
+                #  As of 2021, it is STRONGLY RECOMMENDED to set
+                #
+                #        tls_min_version = "1.2"
+                #
+                #  Older TLS versions are insecure and deprecated.
+                #
+                #  In order to enable TLS 1.0 and TLS 1.1, you may
+                #  also need to update cipher_list below to:
+                #
+                #        cipher_list = "DEFAULT@SECLEVEL=1"
+                #
+                #  The values must be in quotes.
+                #
+                tls_min_version = "1.2"
+                tls_max_version = "1.2"
+
                 #  Elliptical cryptography configuration
                 #
-                #  Only for OpenSSL >= 0.9.8.f
+                #  This configuration should be one of the following:
+                #
+                #  * a name of the curve to use, e.g. "prime256v1".
+                #
+                #  * a colon separated list of curve NIDs or names.
+                #
+                #  * an empty string, in which case OpenSSL will choose
+                #    the "best" curve for the situation.
+                #
+                #  For supported curve names, please run
+                #
+                #        openssl ecparam -list_curves
                 #
                 ecdh_curve = "prime256v1"
 
-                #
                 #  Session resumption / fast reauthentication
                 #  cache.
                 #
                 #  The cache contains the following information:
                 #
-                #  session Id - unique identifier, managed by SSL
-                #  User-Name  - from the Access-Accept
-                #  Stripped-User-Name - from the Access-Request
-                #  Cached-Session-Policy - from the Access-Accept
+                #   session Id - unique identifier, managed by SSL
+                #   User-Name  - from the Access-Accept
+                #   Stripped-User-Name - from the Access-Request
+                #   Cached-Session-Policy - from the Access-Accept
+                #
+                #  See also the "store" subsection below for
+                #  additional attributes which can be cached.
                 #
                 #  The "Cached-Session-Policy" is the name of a
                 #  policy which should be applied to the cached
@@ -384,11 +501,32 @@ eap {
                 #  You probably also want "use_tunneled_reply = yes"
                 #  when using fast session resumption.
                 #
+                #  You can check if a session has been resumed by
+                #  looking for the existence of the EAP-Session-Resumed
+                #  attribute.  Note that this attribute will *only*
+                #  exist in the "post-auth" section.
+                #
+                #  CAVEATS: The cache is stored and reloaded BEFORE
+                #  the "post-auth" section is run.  This limitation
+                #  makes caching more difficult than it should be.  In
+                #  practice, it means that the first authentication
+                #  session must set the reply attributes before the
+                #  post-auth section is run.
+                #
+                #  When the session is resumed, the attributes are
+                #  restored and placed into the session-state list.
+                #
                 cache {
-                        #
                         #  Enable it.  The default is "no". Deleting the entire "cache"
                         #  subsection also disables caching.
                         #
+                        #  The session cache requires the use of the
+                        #  "name" and "persist_dir" configuration
+                        #  items, below.
+                        #
+                        #  The internal OpenSSL session cache has been permanently
+                        #  disabled.
+                        #
                         #  You can disallow resumption for a particular user by adding the
                         #  following attribute to the control item list:
                         #
@@ -399,22 +537,11 @@ eap {
                         #
                         enable = yes
 
-                        #
                         #  Lifetime of the cached entries, in hours. The sessions will be
                         #  deleted/invalidated after this time.
                         #
                         lifetime = 24 # hours
 
-                        #
-                        #  The maximum number of entries in the
-                        #  cache.  Set to "0" for "infinite".
-                        #
-                        #  This could be set to the number of users
-                        #  who are logged in... which can be a LOT.
-                        #
-                        max_entries = 255
-
-                        #
                         #  Internal "name" of the session cache. Used to
                         #  distinguish which TLS context sessions belong to.
                         #
@@ -423,14 +550,18 @@ eap {
                         #  set the "name" if you want to persist sessions (see
                         #  below).
                         #
-                        #name = "EAP module"
+                #        name = "EAP module"
 
-                        #
                         #  Simple directory-based storage of sessions.
                         #  Two files per session will be written, the SSL
                         #  state and the cached VPs. This will persist session
                         #  across server restarts.
                         #
+                        #  The default directory is ${logdir}, for historical
+                        #  reasons.  You should ${db_dir} instead.  And check
+                        #  the value of db_dir in the main radiusd.conf file.
+                        #  It should not point to ${raddb}
+                        #
                         #  The server will need write perms, and the directory
                         #  should be secured from anyone else. You might want
                         #  a script to remove old files from here periodically:
@@ -439,13 +570,27 @@ eap {
                         #
                         #  This feature REQUIRES "name" option be set above.
                         #
-                        #persist_dir = "${logdir}/tlscache"
+                #        persist_dir = "${logdir}/tlscache"
+
+                        #
+                        #  As of 3.0.20, it is possible to partially
+                        #  control which attributes exist in the
+                        #  session cache.  This subsection lists
+                        #  attributes which are taken from the reply,
+                        #  and saved to the on-disk cache.  When the
+                        #  session is resumed, these attributes are
+                        #  added to the "session-state" list.  The
+                        #  default configuration will then take care
+                        #  of copying them to the reply.
+                        #
+                        store {
+                                Tunnel-Private-Group-Id
+                        }
                 }
 
-                #
-                #  As of version 2.1.10, client certificates can be
-                #  validated via an external command.  This allows
-                #  dynamic CRLs or OCSP to be used.
+                #  Client certificates can be validated via an
+                #  external command.  This allows dynamic CRLs or OCSP
+                #  to be used.
                 #
                 #  This configuration is commented out in the
                 #  default configuration.  Uncomment it, and configure
@@ -464,7 +609,8 @@ eap {
                         #  If you want to skip verify on OCSP success,
                         #  uncomment this configuration item, and set it
                         #  to "yes".
-        #               skip_if_ocsp_ok = no
+                        #
+                #        skip_if_ocsp_ok = no
 
                         #  A temporary directory where the client
                         #  certificates are stored.  This directory
@@ -477,7 +623,8 @@ eap {
                         #
                         #  You should also delete all of the files
                         #  in the directory when the server starts.
-        #               tmpdir = /tmp/radiusd
+                        #
+                #        tmpdir = /tmp/radiusd
 
                         #  The command used to verify the client cert.
                         #  We recommend using the OpenSSL command-line
@@ -491,25 +638,24 @@ eap {
                         #  in PEM format.  This file is automatically
                         #  deleted by the server when the command
                         #  returns.
-        #               client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+                        #
+                #        client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
                 }
 
-                #
                 #  OCSP Configuration
+                #
                 #  Certificates can be verified against an OCSP
                 #  Responder. This makes it possible to immediately
                 #  revoke certificates without the distribution of
                 #  new Certificate Revocation Lists (CRLs).
                 #
                 ocsp {
-                        #
                         #  Enable it.  The default is "no".
                         #  Deleting the entire "ocsp" subsection
                         #  also disables ocsp checking
                         #
                         enable = no
 
-                        #
                         #  The OCSP Responder URL can be automatically
                         #  extracted from the certificate in question.
                         #  To override the OCSP Responder URL set
@@ -517,13 +663,11 @@ eap {
                         #
                         override_cert_url = yes
 
-                        #
                         #  If the OCSP Responder address is not extracted from
                         #  the certificate, the URL can be defined here.
                         #
                         url = "http://127.0.0.1/ocsp/"
 
-                        #
                         # If the OCSP Responder can not cope with nonce
                         # in the request, then it can be disabled here.
                         #
@@ -537,15 +681,13 @@ eap {
                         # to disable it in the query here.
                         # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
                         #
-                        # use_nonce = yes
+                #        use_nonce = yes
 
-                        #
                         # Number of seconds before giving up waiting
                         # for OCSP response. 0 uses system default.
                         #
-                        # timeout = 0
+                #        timeout = 0
 
-                        #
                         # Normally an error in querying the OCSP
                         # responder (no response from server, server did
                         # not understand the request, etc) will result in
@@ -559,34 +701,55 @@ eap {
                         # certificates to connect if the OCSP responder
                         # is not available. Use with caution.
                         #
-                        # softfail = no
+                #        softfail = no
                 }
         }
 
-        ## EAP-TLS
+
+        #  EAP-TLS
         #
-        #  As of Version 3.0, the TLS configuration for TLS-based
-        #  EAP types is above in the "tls-config" section.
+        #  The TLS configuration for TLS-based EAP types is held in
+        #  the "tls-config" section, above.
         #
         tls {
-                # Point to the common TLS configuration
+                #  Point to the common TLS configuration
+                #
                 tls = tls-common
 
-                #
-                # As part of checking a client certificate, the EAP-TLS
-                # sets some attributes such as TLS-Client-Cert-CN. This
-                # virtual server has access to these attributes, and can
-                # be used to accept or reject the request.
+                #  As part of checking a client certificate, the EAP-TLS
+                #  sets some attributes such as TLS-Client-Cert-Common-Name. This
+                #  virtual server has access to these attributes, and can
+                #  be used to accept or reject the request.
                 #
 {% if helpers.exists('OPNsense.freeradius.eap.enable_client_cert') and OPNsense.freeradius.eap.enable_client_cert == '1' %}
 {%   if helpers.exists('OPNsense.freeradius.eap.check_tls_names') and OPNsense.freeradius.eap.check_tls_names == '1' %}
                 virtual_server = check-eap-tls
 {%   endif %}
 {% endif %}
+                #  You can control whether or not EAP-TLS requires a
+                #  client certificate by setting
+                #
+                #        configurable_client_cert = yes
+                #
+                #  Once that setting has been changed, you can then set
+                #
+                #        EAP-TLS-Require-Client-Cert = No
+                #
+                #  in the control items for a request, and the EAP-TLS
+                #  module will not require a client certificate from
+                #  the supplicant.
+                #
+                #  WARNING: This configuration should only be used
+                #  when the users are placed into a "captive portal"
+                #  or "walled garden", where they have limited network
+                #  access.  Otherwise the configuraton will allow
+                #  anyone on the network, without authenticating them!
+                #
+#                configurable_client_cert = no
         }
 
 
-        ## EAP-TTLS
+        #  EAP-TTLS -- Tunneled TLS
         #
         #  The TTLS module implements the EAP-TTLS protocol,
         #  which can be described as EAP inside of Diameter,
@@ -618,6 +781,7 @@ eap {
                 {% else %}
                 default_eap_type = md5
                 {% endif %}
+
                 #  The tunneled authentication request does not usually
                 #  contain useful attributes like 'Calling-Station-Id',
                 #  etc.  These attributes are outside of the tunnel,
@@ -634,17 +798,19 @@ eap {
                 #
                 copy_request_to_tunnel = no
 
+                #  This configuration item is deprecated.  Instead,
+                #  you should use:
                 #
-                #  As of version 3.0.5, this configuration item
-                #  is deprecated.  Instead, you should use
-                #
-                #       update outer.session-state {
-                #               ...
-                #
-                #       }
+                #    update outer.session-state {
+                #      ...
+                #    }
                 #
                 #  This will cache attributes for the final Access-Accept.
                 #
+                #  See "update outer.session-state" in the "post-auth"
+                #  sections of sites-available/default, and of
+                #  sites-available/inner-tunnel
+                #
                 #  The reply attributes sent to the NAS are usually
                 #  based on the name of the user 'outside' of the
                 #  tunnel (usually 'anonymous').  If you want to send
@@ -660,15 +826,11 @@ eap {
 {%   else %}
                 use_tunneled_reply = no
 {%   endif %}
-                #
                 #  The inner tunneled request can be sent
                 #  through a virtual server constructed
                 #  specifically for this purpose.
                 #
-                #  If this entry is commented out, the inner
-                #  tunneled request will be sent through
-                #  the virtual server that processed the
-                #  outer requests.
+                #  A virtual server MUST be specified.
                 #
                 virtual_server = "inner-tunnel"
 
@@ -676,23 +838,26 @@ eap {
                 #  same field in the "tls" configuration, above.
                 #  The default value here is "yes".
                 #
-        #       include_length = yes
+        #        include_length = yes
 
+                #  Unlike EAP-TLS, EAP-TTLS does not require a client
+                #  certificate. However, you can require one by setting the
+                #  following option. You can also override this option by
+                #  setting
                 #
-                # Unlike EAP-TLS, EAP-TTLS does not require a client
-                # certificate. However, you can require one by setting the
-                # following option. You can also override this option by
-                # setting
+                #    EAP-TLS-Require-Client-Cert = Yes
                 #
-                #       EAP-TLS-Require-Client-Cert = Yes
+                #  in the control items for a request.
                 #
-                # in the control items for a request.
+                #  Note that the majority of supplicants do not support using a
+                #  client certificate with EAP-TTLS, so this option is unlikely
+                #  to be usable for most people.
                 #
-        #       require_client_cert = yes
+        #        require_client_cert = yes
         }
 
 
-        ## EAP-PEAP
+        #  EAP-PEAP
         #
 
         ##################################################
@@ -705,31 +870,25 @@ eap {
         #  and the client never sends another Access-Request,
         #  then
         #
-        #               STOP!
+        #                STOP!
         #
         #  The server certificate has to have special OID's
         #  in it, or else the Microsoft clients will silently
         #  fail.  See the "scripts/xpextensions" file for
         #  details, and the following page:
         #
-        #       http://support.microsoft.com/kb/814394/en-us
-        #
-        #  For additional Windows XP SP2 issues, see:
-        #
-        #       http://support.microsoft.com/kb/885453/en-us
-        #
+        #        https://support.microsoft.com/en-us/help/814394/
         #
         #  If is still doesn't work, and you're using Samba,
         #  you may be encountering a Samba bug.  See:
         #
-        #       https://bugzilla.samba.org/show_bug.cgi?id=6563
+        #        https://bugzilla.samba.org/show_bug.cgi?id=6563
         #
         #  Note that we do not necessarily agree with their
         #  explanation... but the fix does appear to work.
         #
         ##################################################
 
-        #
         #  The tunneled EAP session needs a default EAP type
         #  which is separate from the one for the non-tunneled
         #  EAP module.  Inside of the TLS/PEAP tunnel, we
@@ -761,17 +920,19 @@ eap {
                 #
                 copy_request_to_tunnel = no
 
+                #  This configuration item is deprecated.  Instead,
+                #  you should use:
                 #
-                #  As of version 3.0.5, this configuration item
-                #  is deprecated.  Instead, you should use
-                #
-                #       update outer.session-state {
-                #               ...
-                #
-                #       }
+                #    update outer.session-state {
+                #      ...
+                #    }
                 #
                 #  This will cache attributes for the final Access-Accept.
                 #
+                #  See "update outer.session-state" in the "post-auth"
+                #  sections of sites-available/default, and of
+                #  sites-available/inner-tunnel
+                #
 {%   if helpers.exists('OPNsense.freeradius.general.vlanassign') and OPNsense.freeradius.general.vlanassign == '1' %}
                 use_tunneled_reply = yes
 {%   else %}
@@ -783,46 +944,49 @@ eap {
                 #  Set this entry to "no" to proxy the tunneled
                 #  EAP-MSCHAP-V2 as normal MSCHAPv2.
                 #
-        #       proxy_tunneled_request_as_eap = yes
-
+                #  This setting can be over-ridden on a packet by
+                #  packet basis by setting
                 #
+                #        &control:Proxy-Tunneled-Request-As-EAP = yes
+                #
+        #        proxy_tunneled_request_as_eap = yes
+
                 #  The inner tunneled request can be sent
                 #  through a virtual server constructed
                 #  specifically for this purpose.
                 #
-                #  If this entry is commented out, the inner
-                #  tunneled request will be sent through
-                #  the virtual server that processed the
-                #  outer requests.
+                #  A virtual server MUST be specified.
                 #
                 virtual_server = "inner-tunnel"
 
-                # This option enables support for MS-SoH
-                # see doc/SoH.txt for more info.
-                # It is disabled by default.
+                #  This option enables support for MS-SoH
+                #  see doc/SoH.txt for more info.
+                #  It is disabled by default.
                 #
-        #       soh = yes
+        #        soh = yes
 
+                #  The SoH reply will be turned into a request which
+                #  can be sent to a specific virtual server:
                 #
-                # The SoH reply will be turned into a request which
-                # can be sent to a specific virtual server:
-                #
-        #       soh_virtual_server = "soh-server"
+        #        soh_virtual_server = "soh-server"
 
+                #  Unlike EAP-TLS, PEAP does not require a client certificate.
+                #  However, you can require one by setting the following
+                #  option. You can also override this option by setting
                 #
-                # Unlike EAP-TLS, PEAP does not require a client certificate.
-                # However, you can require one by setting the following
-                # option. You can also override this option by setting
+                #    EAP-TLS-Require-Client-Cert = Yes
                 #
-                #       EAP-TLS-Require-Client-Cert = Yes
+                #  in the control items for a request.
                 #
-                # in the control items for a request.
+                #  Note that the majority of supplicants do not support using a
+                #  client certificate with PEAP, so this option is unlikely to
+                #  be usable for most people.
                 #
-        #       require_client_cert = yes
+        #        require_client_cert = yes
         }
 
-        #
-        #  This takes no configuration.
+
+        #  EAP-MSCHAPv2
         #
         #  Note that it is the EAP MS-CHAPv2 sub-module, not
         #  the main 'mschap' module.
@@ -836,68 +1000,76 @@ eap {
         #  currently support.
         #
         mschapv2 {
-                #  Prior to version 2.1.11, the module never
-                #  sent the MS-CHAP-Error message to the
-                #  client.  This worked, but it had issues
-                #  when the cached password was wrong.  The
-                #  server *should* send "E=691 R=0" to the
-                #  client, which tells it to prompt the user
-                #  for a new password.
-                #
-                #  The default is to behave as in 2.1.10 and
-                #  earlier, which is known to work.  If you
-                #  set "send_error = yes", then the error
-                #  message will be sent back to the client.
-                #  This *may* help some clients work better,
-                #  but *may* also cause other clients to stop
-                #  working.
-                #
-#               send_error = no
+                #  In earlier versions of the server, this module
+                #  never sent the MS-CHAP-Error message to the client.
+                #  This worked, but it had issues when the cached
+                #  password was wrong.  The server *should* send
+                #  "E=691 R=0" to the client, which tells it to prompt
+                #  the user for a new password.
+                #
+                #  The default is to use that functionality.  which is
+                #  known to work.  If you set "send_error = yes", then
+                #  the error message will be sent back to the client.
+                #  This *may* help some clients work better, but *may*
+                #  also cause other clients to stop working.
+                #
+        #        send_error = no
 
                 #  Server identifier to send back in the challenge.
                 #  This should generally be the host name of the
                 #  RADIUS server.  Or, some information to uniquely
                 #  identify it.
-#               identity = "FreeRADIUS"
+                #
+        #        identity = "FreeRADIUS"
         }
 
-        ## EAP-FAST
+
+        #  EAP-FAST
         #
         #  The FAST module implements the EAP-FAST protocol
         #
-#       fast {
-                # Point to the common TLS configuration
+        #fast {
+                #  Point to the common TLS configuration
+                #
+        #        tls = tls-common
+
+                #  If 'cipher_list' is set here, it will over-ride the
+                #  'cipher_list' configuration from the 'tls-common'
+                #  configuration.  The EAP-FAST module has it's own
+                #  over-ride for 'cipher_list' because the
+                #  specifications mandata a different set of ciphers
+                #  than are used by the other EAP methods.
                 #
-                # cipher_list though must include "ADH" for anonymous provisioning.
-                # This is not as straight forward as appending "ADH" alongside
-                # "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
-                # recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
+                #  cipher_list though must include "ADH" for anonymous provisioning.
+                #  This is not as straight forward as appending "ADH" alongside
+                #  "DEFAULT" as "DEFAULT" contains "!aNULL" so instead it is
+                #  recommended "ALL:!EXPORT:!eNULL:!SSLv2" is used
                 #
-#               tls = tls-common
+        #        cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
 
-                # PAC lifetime in seconds (default: seven days)
+                #  PAC lifetime in seconds (default: seven days)
                 #
-#               pac_lifetime = 604800
+        #        pac_lifetime = 604800
 
-                # Authority ID of the server
+                #  Authority ID of the server
                 #
-                # if you are running a cluster of RADIUS servers, you should make
-                # the value chosen here (and for "pac_opaque_key") the same on all
-                # your RADIUS servers.  This value should be unique to your
-                # installation.  We suggest using a domain name.
+                #  If you are running a cluster of RADIUS servers, you should make
+                #  the value chosen here (and for "pac_opaque_key") the same on all
+                #  your RADIUS servers.  This value should be unique to your
+                #  installation.  We suggest using a domain name.
                 #
-#               authority_identity = "1234"
+        #        authority_identity = "1234"
 
-                # PAC Opaque encryption key (must be exactly 32 bytes in size)
+                #  PAC Opaque encryption key (must be exactly 32 bytes in size)
                 #
-                # This value MUST be secret, and MUST be generated using
-                # a secure method, such as via 'openssl rand -hex 32'
+                #  This value MUST be secret, and MUST be generated using
+                #  a secure method, such as via 'openssl rand -hex 32'
                 #
-#               pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
+        #        pac_opaque_key = "0123456789abcdef0123456789ABCDEF"
 
-                # Same as for TTLS, PEAP, etc.
+                #  Same as for TTLS, PEAP, etc.
                 #
-#               virtual_server = inner-tunnel
-#       }
+        #        virtual_server = inner-tunnel
+        #}
 }
 {% endif %}

From 82d6747092ae9bc5d341176d606e03198d11c140 Mon Sep 17 00:00:00 2001
From: Micha M <contact-micha+github@posteo.de>
Date: Sat, 19 Jun 2021 14:08:01 +0200
Subject: [PATCH 0617/3088] net/freeradius: Reduce TLS min version to 1.0

Older Android devices (e.g. 5.1.1 and 7.0) do not work with
TLS 1.2 for EAP authentication.

Signed-off-by: Micha M <contact-micha+github@posteo.de>
---
 .../service/templates/OPNsense/Freeradius/mods-enabled-eap      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 352983d8b4..980a6ed095 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -453,7 +453,7 @@ eap {
                 #
                 #  The values must be in quotes.
                 #
-                tls_min_version = "1.2"
+                tls_min_version = "1.0"
                 tls_max_version = "1.2"
 
                 #  Elliptical cryptography configuration

From 6d986d6cf82489704a75fa206a46b458ed1521d2 Mon Sep 17 00:00:00 2001
From: Micha M <contact-micha+github@posteo.de>
Date: Sat, 19 Jun 2021 14:40:28 +0200
Subject: [PATCH 0618/3088] net/freeradius: Bump plugin version and changelog

Signed-off-by: Micha M <contact-micha+github@posteo.de>
---
 net/freeradius/Makefile  | 2 +-
 net/freeradius/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 158d41481b..871235bcd0 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.13
+PLUGIN_VERSION=		1.9.14
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 6d212d0283..7c1e16e60c 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,11 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.14
+
+* Updates comments in mods-enabled-eap to match upstream version 3.0.22
+* Set TLS minimum version to 1.0 for compatibility with older EAP clients
+
 1.9.13
 
 * Remove LEAP section from configuration

From 20c3ba490dbcc0d069801d934957e67aba7911f7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Jun 2021 05:23:23 +0200
Subject: [PATCH 0619/3088] net-mgmt/zabbix5-proxy: drop dupliate port

---
 README.md                                     |   3 +-
 net-mgmt/zabbix-proxy/Makefile                |   2 +-
 net-mgmt/zabbix5-proxy/Makefile               |   8 -
 net-mgmt/zabbix5-proxy/pkg-descr              |  36 ----
 .../src/etc/inc/plugins.inc.d/zabbixproxy.inc |  49 ------
 .../Zabbixproxy/Api/GeneralController.php     |  39 -----
 .../Zabbixproxy/Api/ServiceController.php     |  47 -----
 .../Zabbixproxy/GeneralController.php         |  38 ----
 .../OPNsense/Zabbixproxy/forms/general.xml    | 163 ------------------
 .../models/OPNsense/Zabbixproxy/ACL/ACL.xml   |  11 --
 .../models/OPNsense/Zabbixproxy/General.php   |  35 ----
 .../models/OPNsense/Zabbixproxy/General.xml   | 116 -------------
 .../models/OPNsense/Zabbixproxy/Menu/Menu.xml |   8 -
 .../views/OPNsense/Zabbixproxy/general.volt   |  60 -------
 .../scripts/OPNsense/Zabbixproxy/setup.sh     |  16 --
 .../systemhealth/logformats/zabbix_proxy.py   |  55 ------
 .../conf/actions.d/actions_zabbixproxy.conf   |  23 ---
 .../templates/OPNsense/Zabbixproxy/+TARGETS   |   3 -
 .../OPNsense/Zabbixproxy/zabbix_proxy         |   6 -
 .../OPNsense/Zabbixproxy/zabbix_proxy.conf    |  85 ---------
 .../OPNsense/Zabbixproxy/zabbix_proxy.psk     |   5 -
 21 files changed, 2 insertions(+), 806 deletions(-)
 delete mode 100644 net-mgmt/zabbix5-proxy/Makefile
 delete mode 100644 net-mgmt/zabbix5-proxy/pkg-descr
 delete mode 100644 net-mgmt/zabbix5-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
 delete mode 100755 net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
 delete mode 100755 net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
 delete mode 100644 net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk

diff --git a/README.md b/README.md
index d8dd3041aa..28b402f0b8 100644
--- a/README.md
+++ b/README.md
@@ -75,8 +75,7 @@ net-mgmt/netdata -- Real-time performance monitoring
 net-mgmt/nrpe -- Execute nagios plugins
 net-mgmt/telegraf -- Agent for collecting metrics and data
 net-mgmt/zabbix-agent -- Zabbix monitoring agent
-net-mgmt/zabbix-proxy -- Zabbix Proxy enables decentralized monitoring
-net-mgmt/zabbix5-proxy -- Zabbix Proxy enables decentralized monitoring
+net-mgmt/zabbix-proxy -- Zabbix monitoring proxy
 security/acme-client -- Let's Encrypt client
 security/clamav -- Antivirus engine for detecting malicious threats
 security/etpro-telemetry -- ET Pro Telemetry Edition
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 322d8d87b3..ec72c7e56a 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.5
-PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
+PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix5 zabbix4
 
diff --git a/net-mgmt/zabbix5-proxy/Makefile b/net-mgmt/zabbix5-proxy/Makefile
deleted file mode 100644
index d01fce28e2..0000000000
--- a/net-mgmt/zabbix5-proxy/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-PLUGIN_NAME=		zabbix5-proxy
-PLUGIN_VERSION=		1.5
-PLUGIN_COMMENT=		Zabbix Proxy enables decentralized monitoring
-PLUGIN_DEPENDS=		zabbix5-proxy
-PLUGIN_CONFLICTS=	zabbix4-proxy
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
-
-.include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix5-proxy/pkg-descr b/net-mgmt/zabbix5-proxy/pkg-descr
deleted file mode 100644
index 158cf60878..0000000000
--- a/net-mgmt/zabbix5-proxy/pkg-descr
+++ /dev/null
@@ -1,36 +0,0 @@
-Zabbix is an enterprise-class open source distributed monitoring solution.
-
-Zabbix is software that monitors numerous parameters of a network and the
-health and integrity of servers. Zabbix uses a flexible notification
-mechanism that allows users to configure e-mail based alerts for virtually
-any event. This allows a fast reaction to server problems. Zabbix offers
-excellent reporting and data visualisation features based on the stored
-data. This makes Zabbix ideal for capacity planning.
-
-WWW: https://www.zabbix.com/
-
-Plugin Changelog
-----------------
-
-1.5
-
-* Add log file to web GUI (contributed by Starkstromkonsument)
-
-1.4
-
-* Allow setting ConfigFrequency
-* Allow setting DataSenderFrequency
-* Allow setting StartVMwareCollectors
-
-1.3
-
-* Switch to zabbix5-proxy
-
-1.2
-
-* Allow adding multiple listen addresses
-
-1.1
-
-* Add ProxyOfflineBuffer parameter
-* Switch to new service control UI
diff --git a/net-mgmt/zabbix5-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc b/net-mgmt/zabbix5-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
deleted file mode 100644
index d26017268a..0000000000
--- a/net-mgmt/zabbix5-proxy/src/etc/inc/plugins.inc.d/zabbixproxy.inc
+++ /dev/null
@@ -1,49 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-function zabbixproxy_services()
-{
-    global $config;
-
-    $services = array();
-
-    if (isset($config['OPNsense']['zabbixproxy']['general']['enabled']) && $config['OPNsense']['zabbixproxy']['general']['enabled'] == 1) {
-        $services[] = array(
-            'description' => gettext('Zabbix Proxy'),
-            'configd' => array(
-                'restart' => array('zabbixproxy restart'),
-                'start' => array('zabbixproxy start'),
-                'stop' => array('zabbixproxy stop'),
-            ),
-            'name' => 'zabbixproxy',
-            'pidfile' => '/var/run/zabbix/zabbix_proxy.pid'
-        );
-    }
-
-    return $services;
-}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
deleted file mode 100644
index 7a930881dc..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/GeneralController.php
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Zabbixproxy\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-class GeneralController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelClass = '\OPNsense\Zabbixproxy\General';
-    protected static $internalModelName = 'general';
-}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
deleted file mode 100644
index d94f2a1ced..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/Api/ServiceController.php
+++ /dev/null
@@ -1,47 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Zabbixproxy\Api;
-
-use OPNsense\Base\ApiMutableServiceControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Zabbixproxy\General;
-
-/**
- * Class ServiceController
- * @package OPNsense\Zabbixproxy
- */
-class ServiceController extends ApiMutableServiceControllerBase
-{
-    protected static $internalServiceClass = '\OPNsense\Zabbixproxy\General';
-    protected static $internalServiceTemplate = 'OPNsense/Zabbixproxy';
-    protected static $internalServiceEnabled = 'enabled';
-    protected static $internalServiceName = 'zabbixproxy';
-}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
deleted file mode 100644
index 56e2667c7f..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/GeneralController.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Zabbixproxy;
-
-class GeneralController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->generalForm = $this->getForm("general");
-        $this->view->pick('OPNsense/Zabbixproxy/general');
-    }
-}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
deleted file mode 100644
index 771ad073d8..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ /dev/null
@@ -1,163 +0,0 @@
-<form>
-    <field>
-        <id>general.enabled</id>
-        <label>Enable</label>
-        <type>checkbox</type>
-        <help>This will activate the Zabbix Proxy service.</help>
-    </field>
-    <field>
-        <id>general.proxymode</id>
-        <label>Proxy Mode</label>
-        <type>checkbox</type>
-        <help>Active (default) or passive mode, only switch to passive if you know what you are doing.</help>
-    </field>
-    <field>
-        <id>general.server</id>
-        <label>Server</label>
-        <type>text</type>
-        <help>IP address or hostname of Zabbix server.</help>
-    </field>
-    <field>
-        <id>general.serverport</id>
-        <label>Server Port</label>
-        <type>text</type>
-        <help>Port of Zabbix trapper on Zabbix server. Default is fine for most scenarios.</help>
-    </field>
-    <field>
-        <id>general.hostname</id>
-        <label>Hostname</label>
-        <type>text</type>
-        <help>The name of this Zabbix instance. It has to match with the defined name in the central Zabbix server.</help>
-    </field>
-    <field>
-        <id>general.listenip</id>
-        <label>Listen IP</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing.</help>
-    </field>
-    <field>
-        <id>general.listenport</id>
-        <label>Listen Port</label>
-        <type>text</type>
-        <help>Listen port for trapper. Default is just fine.</help>
-    </field>
-    <field>
-        <id>general.sourceip</id>
-        <label>Source IP</label>
-        <type>text</type>
-        <help>Source IP address for outgoing connections.</help>
-    </field>
-    <field>
-        <id>general.startpollers</id>
-        <label>Start Pollers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of pollers.</help>
-    </field>
-    <field>
-        <id>general.startipmipollers</id>
-        <label>Start IPMI Pollers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of IPMI pollers.</help>
-    </field>
-    <field>
-        <id>general.startpollersunreachable</id>
-        <label>Start Pollers Unreachable</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).</help>
-    </field>
-    <field>
-        <id>general.starttrappers</id>
-        <label>Start Trappers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of trappers. Trappers accept incoming connections from Zabbix sender and active agents.</help>
-    </field>
-    <field>
-        <id>general.startpingers</id>
-        <label>Start Pingers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of ICMP pingers.</help>
-    </field>
-    <field>
-        <id>general.startdiscoverers</id>
-        <label>Start Discoverers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of discoverers.</help>
-    </field>
-    <field>
-        <id>general.startvmwarecollectors</id>
-        <label>Start VMware Collectors</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of VMware Collectors.</help>
-    </field>
-    <field>
-        <id>general.starthttppollers</id>
-        <label>Start HTTP Pollers</label>
-        <type>text</type>
-        <help>Number of pre-forked instances of HTTP pollers.</help>
-    </field>
-    <field>
-        <id>general.cachesize</id>
-        <label>Cache Size</label>
-        <type>text</type>
-        <help>Size of configuration cache, in bytes. Shared memory size, for storing hosts and items data. Range: 128K-8G</help>
-    </field>
-    <field>
-        <id>general.historycachesize</id>
-        <label>History Cache Size</label>
-        <type>text</type>
-        <help>Size of history cache in bytes. Shared memory size for storing history data. Range: 128K-2G</help>
-    </field>
-    <field>
-        <id>general.historyindexcachesize</id>
-        <label>History Index Cache Size</label>
-        <type>text</type>
-        <help>Size of history index cache in bytes. Shared memory size for indexing history cache. Range: 128K-2G</help>
-    </field>
-    <field>
-        <id>general.proxyofflinebuffer</id>
-        <label>Proxy Offline Buffer</label>
-        <type>text</type>
-        <help>Set the time in hours how long the values will be buffered when the server is unreachable.</help>
-    </field>
-    <field>
-        <id>general.timeout</id>
-        <label>Timeout</label>
-        <type>text</type>
-        <help>Specifies how long we wait for agent, SNMP device or external check (in seconds).</help>
-    </field>
-    <field>
-        <id>general.configfrequency</id>
-        <label>Config Frequency</label>
-        <type>text</type>
-        <help>Specifies the time how often proxy retrieves configuration data from zabbix server (in seconds).</help>
-    </field>
-    <field>
-        <id>general.datasenderfrequency</id>
-        <label>Data Sender Frequency</label>
-        <type>text</type>
-        <help>Specifies the time how often the proxy will send collected data to the server (in seconds).</help>
-    </field>
-    <field>
-        <id>general.encryption</id>
-        <label>PSK based encryption</label>
-        <type>checkbox</type>
-        <help>Enable PSK based encryption for communicating with the Zabbix server</help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>general.encryptionidentity</id>
-        <label>PSK Identity</label>
-        <type>text</type>
-        <help>The PSK identity configured on the Zabbix server</help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>general.encryptionpsk</id>
-        <label>PSK</label>
-        <type>text</type>
-        <help>The PSK configured on the Zabbix server</help>
-        <advanced>true</advanced>
-    </field>
-</form>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
deleted file mode 100644
index 9b1dd7b5b9..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/ACL/ACL.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<acl>
-   <page-services-zabbixproxy>
-      <name>Services: Zabbix Proxy</name>
-      <patterns>
-         <pattern>ui/zabbixproxy/*</pattern>
-         <pattern>api/zabbixproxy/*</pattern>
-         <pattern>ui/diagnostics/log/zabbix/zabbix_proxy/*</pattern>
-         <pattern>api/diagnostics/log/zabbix/zabbix_proxy/*</pattern>
-      </patterns>
-   </page-services-zabbixproxy>
-</acl>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
deleted file mode 100644
index 351dbd9db5..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Zabbixproxy;
-
-use OPNsense\Base\BaseModel;
-
-class General extends BaseModel
-{
-}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
deleted file mode 100644
index 45029f7c39..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ /dev/null
@@ -1,116 +0,0 @@
-<model>
-    <mount>//OPNsense/zabbixproxy/general</mount>
-    <description>Zabbix Proxy configuration</description>
-    <version>2.0.2</version>
-    <items>
-        <enabled type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </enabled>
-        <proxymode type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </proxymode>
-        <server type="TextField">
-            <default></default>
-            <Required>N</Required>
-        </server>
-        <serverport type="TextField">
-            <default>10051</default>
-            <Required>N</Required>
-        </serverport>
-        <hostname type="TextField">
-            <default>Zabbix proxy</default>
-            <Required>Y</Required>
-        </hostname>
-        <listenport type="TextField">
-            <default>10051</default>
-            <Required>N</Required>
-        </listenport>
-        <listenip type="NetworkField">
-            <default></default>
-            <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
-            <Required>N</Required>
-        </listenip>
-        <sourceip type="NetworkField">
-            <default></default>
-            <Required>N</Required>
-        </sourceip>
-        <startpollers type="TextField">
-            <default>5</default>
-            <Required>N</Required>
-        </startpollers>
-        <startipmipollers type="IntegerField">
-            <default>0</default>
-            <Required>N</Required>
-        </startipmipollers>
-        <startpollersunreachable type="IntegerField">
-            <default>1</default>
-            <Required>N</Required>
-        </startpollersunreachable>
-        <starttrappers type="IntegerField">
-            <default>5</default>
-            <Required>N</Required>
-        </starttrappers>
-        <startpingers type="IntegerField">
-            <default>1</default>
-            <Required>N</Required>
-        </startpingers>
-        <startdiscoverers type="IntegerField">
-            <default>1</default>
-            <Required>N</Required>
-        </startdiscoverers>
-        <startvmwarecollectors type="IntegerField">
-            <Required>N</Required>
-        </startvmwarecollectors>
-        <starthttppollers type="IntegerField">
-            <default>1</default>
-            <Required>N</Required>
-        </starthttppollers>
-        <cachesize type="TextField">
-            <default>8M</default>
-            <Required>N</Required>
-        </cachesize>
-        <historycachesize type="TextField">
-            <default>16M</default>
-            <Required>N</Required>
-        </historycachesize>
-        <historyindexcachesize type="TextField">
-            <default>4M</default>
-            <Required>N</Required>
-        </historyindexcachesize>
-        <proxyofflinebuffer type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>720</MaximumValue>
-            <ValidationMessage>Set a number between 1 and 720.</ValidationMessage>
-        </proxyofflinebuffer>
-        <timeout type="IntegerField">
-            <default>4</default>
-            <Required>N</Required>
-        </timeout>
-        <configfrequency type="IntegerField">
-            <Required>N</Required>
-        </configfrequency>
-        <datasenderfrequency type="IntegerField">
-            <Required>N</Required>
-        </datasenderfrequency>
-        <encryption type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </encryption>
-        <encryptionidentity type="TextField">
-            <default></default>
-            <Required>N</Required>
-            <mask>/^.{1,128}$/</mask>
-            <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
-        </encryptionidentity>
-        <encryptionpsk type="TextField">
-            <default></default>
-            <Required>N</Required>
-            <mask>/^[A-Fa-f0-9]{32,512}$/</mask>
-            <ValidationMessage>Should be a hexadecimal string between 32 and 512 characters.</ValidationMessage>
-        </encryptionpsk>
-    </items>
-</model>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
deleted file mode 100644
index c4813378c5..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/Menu/Menu.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<menu>
-  <Services>
-    <Zabbixproxy VisibleName="Zabbix Proxy" cssClass="fa fa-eye">
-        <Settings order="10" url="/ui/zabbixproxy/general/index"/>
-        <Log VisibleName="Log File" order="50" url="/ui/diagnostics/log/zabbix/zabbix_proxy"/>
-    </Zabbixproxy>
-  </Services>
-</menu>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt b/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
deleted file mode 100644
index 0d5bef3833..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/mvc/app/views/OPNsense/Zabbixproxy/general.volt
+++ /dev/null
@@ -1,60 +0,0 @@
-{#
-
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
-This file is Copyright © 2019 by Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
-</div>
-
-<script>
-    $( document ).ready(function() {
-        var data_get_map = {'frm_general_settings':"/api/zabbixproxy/general/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
-            formatTokenizersUI();
-            $('.selectpicker').selectpicker('refresh');
-        });
-
-        updateServiceControlUI('zabbixproxy');
-
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/zabbixproxy/general/set", formid='frm_general_settings',callback_ok=function(){
-                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-                ajaxCall(url="/api/zabbixproxy/service/reconfigure", sendData={}, callback=function(data,status) {
-                    ajaxCall(url="/api/zabbixproxy/service/status", sendData={}, callback=function(data,status) {
-                        updateServiceControlUI('zabbixproxy');
-                        });
-                        $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                });
-            });
-        });
-    });
-</script>
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
deleted file mode 100755
index ba95dc0f4c..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-# Setup database directory
-mkdir -p /var/db/zabbix
-chown -R zabbix:zabbix /var/db/zabbix
-chmod 755 /var/db/zabbix
-
-# Setup logging
-mkdir /var/log/zabbix
-chown -R zabbix:zabbix /var/log/zabbix
-chmod 770 /var/log/zabbix
-
-# Setup PID directory
-mkdir -p /var/run/zabbix
-chown -R zabbix:zabbix /var/run/zabbix
-chmod 755 /var/run/zabbix
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
deleted file mode 100755
index c08dbeccb1..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
+++ /dev/null
@@ -1,55 +0,0 @@
-"""
-    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
-    Copyright (C) 2020 Starkstromkonsument
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-     this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-     notice, this list of conditions and the following disclaimer in the
-     documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-"""
-import re
-import datetime
-from . import BaseLogFormat
-zabbix_timeformat = r'(\d*):(\d{4}\d{2}\d{2}:\d{2}\d{2}\d{2})\.\d{3}\s(.*)'
-
-
-class ZabbixLogFormat(BaseLogFormat):
-    def __init__(self, filename):
-        super(ZabbixLogFormat, self).__init__(filename)
-        self._priority = 100
-
-    def match(self, line):
-        return self._filename.find('zabbix_proxy') > -1 and re.match(zabbix_timeformat, line) is not  None
-
-    @staticmethod
-    def timestamp(line):
-        tmp = re.match(zabbix_timeformat, line)
-        grp = tmp.group(2)
-        return datetime.datetime.strptime(grp, "%Y%m%d:%H%M%S").isoformat()
-
-    @staticmethod
-    def process_name(line):
-        tmp = re.match(zabbix_timeformat, line)
-        return tmp.group(1)
-
-    @staticmethod
-    def line(line):
-        tmp = re.match(zabbix_timeformat, line)
-        return tmp.group(3)
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf b/net-mgmt/zabbix5-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
deleted file mode 100644
index 7904a14457..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-[start]
-command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy start
-parameters:
-type:script
-message:starting Zabbix Proxy
-
-[stop]
-command:/usr/local/etc/rc.d/zabbix_proxy stop; exit 0
-parameters:
-type:script
-message:stopping Zabbix Proxy
-
-[restart]
-command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy restart
-parameters:
-type:script
-message:restarting Zabbix Proxy
-
-[status]
-command:/usr/local/etc/rc.d/zabbix_proxy status;exit 0
-parameters:
-type:script_output
-message:request Zabbix Proxy status
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
deleted file mode 100644
index b797902b6f..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/+TARGETS
+++ /dev/null
@@ -1,3 +0,0 @@
-zabbix_proxy:/etc/rc.conf.d/zabbix_proxy
-zabbix_proxy.conf:/usr/local/etc/zabbix5/zabbix_proxy.conf
-zabbix_proxy.psk:/usr/local/etc/zabbix5/zabbix_proxy.psk
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
deleted file mode 100644
index f9c1bb348a..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
+++ /dev/null
@@ -1,6 +0,0 @@
-{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
-zabbix_proxy_var_script="/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh"
-zabbix_proxy_enable="YES"
-{% else %}
-zabbix_proxy_enable="NO"
-{% endif %}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
deleted file mode 100644
index 266dc466c1..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf
+++ /dev/null
@@ -1,85 +0,0 @@
-{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
-
-{% if helpers.exists('OPNsense.zabbixproxy.general.proxymode') and OPNsense.zabbixproxy.general.proxymode == '1' %}
-ProxyMode=1
-{% else %}
-ProxyMode=0
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.server') and OPNsense.zabbixproxy.general.server != '' %}
-Server={{ OPNsense.zabbixproxy.general.server }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.serverport') and OPNsense.zabbixproxy.general.serverport != '' %}
-ServerPort={{ OPNsense.zabbixproxy.general.serverport }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.hostname') and OPNsense.zabbixproxy.general.hostname != '' %}
-Hostname={{ OPNsense.zabbixproxy.general.hostname }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.listenport') and OPNsense.zabbixproxy.general.listenport != '' %}
-ListenPort={{ OPNsense.zabbixproxy.general.listenport }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.sourceip') and OPNsense.zabbixproxy.general.sourceip != '' %}
-SourceIP={{ OPNsense.zabbixproxy.general.sourceip }}
-{% endif %}
-LogFile=/var/log/zabbix/zabbix_proxy.log
-PidFile=/var/run/zabbix/zabbix_proxy.pid
-DBName=/var/db/zabbix/zabbix_proxy.db
-{% if helpers.exists('OPNsense.zabbixproxy.general.proxyofflinebuffer') and OPNsense.zabbixproxy.general.proxyofflinebuffer != '' %}
-ProxyOfflineBuffer={{ OPNsense.zabbixproxy.general.proxyofflinebuffer }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.configfrequency') and OPNsense.zabbixproxy.general.configfrequency != '' %}
-ConfigFrequency={{ OPNsense.zabbixproxy.general.configfrequency }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.datasenderfrequency') and OPNsense.zabbixproxy.general.datasenderfrequency != '' %}
-DataSenderFrequency={{ OPNsense.zabbixproxy.general.datasenderfrequency }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startpollers') and OPNsense.zabbixproxy.general.startpollers != '' %}
-StartPollers={{ OPNsense.zabbixproxy.general.startpollers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startipmipollers') and OPNsense.zabbixproxy.general.startipmipollers != '' %}
-StartIPMIPollers={{ OPNsense.zabbixproxy.general.startipmipollers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startpollersunreachable') and OPNsense.zabbixproxy.general.startpollersunreachable != '' %}
-StartPollersUnreachable={{ OPNsense.zabbixproxy.general.startpollersunreachable }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.starttrappers') and OPNsense.zabbixproxy.general.starttrappers != '' %}
-StartTrappers={{ OPNsense.zabbixproxy.general.starttrappers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startpingers') and OPNsense.zabbixproxy.general.startpingers != '' %}
-StartPingers={{ OPNsense.zabbixproxy.general.startpingers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startdiscoverers') and OPNsense.zabbixproxy.general.startdiscoverers != '' %}
-StartDiscoverers={{ OPNsense.zabbixproxy.general.startdiscoverers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.startvmwarecollectors') and OPNsense.zabbixproxy.general.startvmwarecollectors != '' %}
-StartVMwareCollectors={{ OPNsense.zabbixproxy.general.startvmwarecollectors }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.starthttppollers') and OPNsense.zabbixproxy.general.starthttppollers != '' %}
-StartHTTPPollers={{ OPNsense.zabbixproxy.general.starthttppollers }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.listenip') and OPNsense.zabbixproxy.general.listenip != '' %}
-ListenIP={{ OPNsense.zabbixproxy.general.listenip }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.cachesize') and OPNsense.zabbixproxy.general.cachesize != '' %}
-CacheSize={{ OPNsense.zabbixproxy.general.cachesize }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.historycachesize') and OPNsense.zabbixproxy.general.historycachesize != '' %}
-HistoryCacheSize={{ OPNsense.zabbixproxy.general.historycachesize }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.historyindexcachesize') and OPNsense.zabbixproxy.general.historyindexcachesize != '' %}
-HistoryIndexCacheSize={{ OPNsense.zabbixproxy.general.historyindexcachesize }}
-{% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.timeout') and OPNsense.zabbixproxy.general.timeout != '' %}
-Timeout={{ OPNsense.zabbixproxy.general.timeout }}
-{% endif %}
-FpingLocation=/usr/local/sbin/fping
-Fping6Location=/usr/local/sbin/fping6
-{% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.proxymode') and OPNsense.zabbixproxy.general.proxymode == '1' %}
-TLSAccept=psk
-{% else %}
-TLSConnect=psk
-{% endif %}
-TLSPSKFile=/usr/local/etc/zabbix5/zabbix_proxy.psk
-TLSPSKIdentity={{ OPNsense.zabbixproxy.general.encryptionidentity }}
-{% endif %}
-{% endif %}
diff --git a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk b/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk
deleted file mode 100644
index 1e53053b50..0000000000
--- a/net-mgmt/zabbix5-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.psk
+++ /dev/null
@@ -1,5 +0,0 @@
-{% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}
-{{ OPNsense.zabbixproxy.general.encryptionpsk }}
-{% endif %}
-{% endif %}

From f7718fd6bfbbf9f2acc94d8498c6346c97f155b9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Jun 2021 10:37:54 +0200
Subject: [PATCH 0620/3088] sysutils/nextcloud-backup: migrated from core

PR: https://github.com/opnsense/core/issues/4670
---
 README.md                                     |   1 +
 sysutils/nextcloud-backup/Makefile            |   7 +
 sysutils/nextcloud-backup/pkg-descr           |   4 +
 .../app/library/OPNsense/Backup/Nextcloud.php | 392 ++++++++++++++++++
 .../OPNsense/Backup/NextcloudSettings.php     |  41 ++
 .../OPNsense/Backup/NextcloudSettings.xml     |  56 +++
 6 files changed, 501 insertions(+)
 create mode 100644 sysutils/nextcloud-backup/Makefile
 create mode 100644 sysutils/nextcloud-backup/pkg-descr
 create mode 100644 sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
 create mode 100644 sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.php
 create mode 100644 sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml

diff --git a/README.md b/README.md
index 28b402f0b8..1ad835393e 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,7 @@ sysutils/hw-probe -- Collect hardware diagnostics
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitoring agent
+sysutils/nextcloud-backup -- Track config changes using NextCloud (development only)
 sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
 sysutils/puppet-agent -- Manage Puppet Agent (development only)
diff --git a/sysutils/nextcloud-backup/Makefile b/sysutils/nextcloud-backup/Makefile
new file mode 100644
index 0000000000..e5863b0787
--- /dev/null
+++ b/sysutils/nextcloud-backup/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		nextcloud-backup
+PLUGIN_VERSION=		0.1
+PLUGIN_DEVEL=		yes
+PLUGIN_COMMENT=		Track config changes using NextCloud
+PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/nextcloud-backup/pkg-descr b/sysutils/nextcloud-backup/pkg-descr
new file mode 100644
index 0000000000..23c4f87d84
--- /dev/null
+++ b/sysutils/nextcloud-backup/pkg-descr
@@ -0,0 +1,4 @@
+This package adds a backup option using an existing NextCloud instance.
+
+Due to the sensitive nature of the data being send to the backup, we
+strongly advise to not use a public service to send backups to.
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
new file mode 100644
index 0000000000..cca8365167
--- /dev/null
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -0,0 +1,392 @@
+<?php
+
+/*
+ * Copyright (C) 2018 Deciso B.V.
+ * Copyright (C) 2018 Fabian Franz
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Backup;
+
+use OPNsense\Core\Config;
+use OPNsense\Backup\NextcloudSettings;
+
+/**
+ * Class Nextcloud backup
+ * @package OPNsense\Backup
+ */
+class Nextcloud extends Base implements IBackupProvider
+{
+    /**
+     * get required (user interface) fields for backup connector
+     * @return array configuration fields, types and description
+     */
+    public function getConfigurationFields()
+    {
+        $fields = array(
+            array(
+                "name" => "enabled",
+                "type" => "checkbox",
+                "label" => gettext("Enable"),
+                "value" => null
+            ),
+            array(
+                "name" => "url",
+                "type" => "text",
+                "label" => gettext("URL"),
+                "help" => gettext("The Base URL to Nextcloud without trailing slash. For example: https://cloud.example.com"),
+                "value" => null
+            ),
+            array(
+                "name" => "user",
+                "type" => "text",
+                "label" => gettext("User Name"),
+                "help" => gettext("The name you use for logging into your Nextcloud account"),
+                "value" => null
+            ),
+            array(
+                "name" => "password",
+                "type" => "password",
+                "label" => gettext("Password"),
+                "help" => gettext("The app password which has been generated for you"),
+                "value" => null
+            ),
+            array(
+                "name" => "password_encryption",
+                "type" => "password",
+                "label" => gettext("Encryption Password (Optional)"),
+                "help" => gettext("A password to encrypt your configuration"),
+                "value" => null
+            ),
+            array(
+                "name" => "backupdir",
+                "type" => "text",
+                "label" => gettext("Directory Name without leading slash, starting from user's root"),
+                "value" => 'OPNsense-Backup'
+            )
+        );
+        $nextcloud = new NextcloudSettings();
+        foreach ($fields as &$field) {
+            $field['value'] = (string)$nextcloud->getNodeByReference($field['name']);
+        }
+        return $fields;
+    }
+
+    /**
+     * backup provider name
+     * @return string user friendly name
+     */
+    public function getName()
+    {
+        return gettext("Nextcloud");
+    }
+
+    /**
+     * validate and set configuration
+     * @param array $conf configuration array
+     * @return array of validation errors when not saved
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function setConfiguration($conf)
+    {
+        $nextCloud = new NextcloudSettings();
+        $this->setModelProperties($nextCloud, $conf);
+        $validation_messages = $this->validateModel($nextCloud);
+        if (empty($validation_messages)) {
+            $nextCloud->serializeToConfig();
+            Config::getInstance()->save();
+        }
+        return $validation_messages;
+    }
+
+    /**
+     * perform backup
+     * @return array filelist
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function backup()
+    {
+        $cnf = Config::getInstance();
+        $nextcloud = new NextcloudSettings();
+        if ($cnf->isValid() && !empty((string)$nextcloud->enabled)) {
+            $config = $cnf->object();
+            $url = (string)$nextcloud->url;
+            $username = (string)$nextcloud->user;
+            $password = (string)$nextcloud->password;
+            $backupdir = (string)$nextcloud->backupdir;
+            $crypto_password = (string)$nextcloud->password_encryption;
+            $hostname = $config->system->hostname . '.' . $config->system->domain;
+            $configname = 'config-' . $hostname . '-' .  date('Y-m-d_H_i_s') . '.xml';
+            // backup source data to local strings (plain/encrypted)
+            $confdata = file_get_contents('/conf/config.xml');
+            if (!empty($crypto_password)) {
+                $confdata = $this->encrypt($confdata, $crypto_password);
+            }
+            // Check if destination directory exists, create (full path) if not
+            try {
+                $internal_username = $this->getInternalUsername($url, $username, $password);
+                $this->create_directory($url, $username, $password, $internal_username, $backupdir);
+            } catch (\Exception $e) {
+                return array();
+            }
+
+            try {
+                $this->upload_file_content(
+                    $url,
+                    $username,
+                    $password,
+                    $internal_username,
+                    $backupdir,
+                    $configname,
+                    $confdata
+                );
+                // do not list directories
+                return array_filter(
+                    $this->listFiles($url, $username, $password, $internal_username, "/$backupdir/", false),
+                    function ($filename) {
+                        return (substr($filename, -1) !== '/');
+                    }
+                );
+            } catch (\Exception $e) {
+                return array();
+            }
+        }
+    }
+
+    /**
+     * dir listing
+     * @param string $url remote location
+     * @param string $username username
+     * @param string $password password to use
+     * @param string $internal_username internal username for the webdav directory
+     * @param string $directory location to list
+     * @param bool $only_dirs only list directories
+     * @return array
+     * @throws \Exception
+     */
+    public function listFiles($url, $username, $password, $internal_username, $directory = '/', $only_dirs = true)
+    {
+        $result = $this->curl_request(
+            "$url/remote.php/dav/files/$internal_username$directory",
+            $username,
+            $password,
+            'PROPFIND',
+            "Error while fetching filelist from Nextcloud '{$directory}' path"
+        );
+        // workaround - simplexml seems to be broken when using namespaces - remove them.
+        $xml = simplexml_load_string(str_replace(['<d:', '</d:'], ['<', '</'], $result['response']));
+        $ret = array();
+        foreach ($xml->children() as $response) {
+            // d:response
+            if ($response->getName() == 'response') {
+                $fileurl =  (string)$response->href;
+                $dirname = explode("/remote.php/dav/files/$internal_username", $fileurl, 2)[1];
+                if (
+                    $response->propstat->prop->resourcetype->children()->count() > 0 &&
+                    $response->propstat->prop->resourcetype->children()[0]->getName() == 'collection' &&
+                    $only_dirs
+                ) {
+                    $ret[] = $dirname;
+                } elseif (!$only_dirs) {
+                    $ret[] = $dirname;
+                }
+            }
+        }
+        return $ret;
+    }
+
+    /**
+     * upload file
+     * @param string $url remote location
+     * @param string $username remote user
+     * @param string $password password to use
+     * @param string $backupdir remote directory
+     * @param string $filename filename to use
+     * @param string $local_file_content contents to save
+     * @throws \Exception when upload fails
+     */
+    public function upload_file_content($url, $username, $password, $internal_username, $backupdir, $filename, $local_file_content)
+    {
+        $this->curl_request(
+            $url . "/remote.php/dav/files/$internal_username/$backupdir/$filename",
+            $username,
+            $password,
+            'PUT',
+            'cannot execute PUT',
+            $local_file_content
+        );
+    }
+
+    /**
+     * create new remote directory if doesn't exist
+     * @param string $url remote location
+     * @param string $username remote user
+     * @param string $password password to use
+     * @param string $backupdir remote directory
+     * @throws \Exception when create dir fails
+     */
+    public function create_directory($url, $username, $password, $internal_username, $backupdir)
+    {
+        $parent_path = dirname($backupdir);
+        try {
+            $directories = $this->listFiles($url, $username, $password, $internal_username, "/{$parent_path}");
+        } catch (\Exception $e) {
+            if ($backupdir == ".") {
+                // We cannot create root, if we reached here there's some other problem
+                syslog(LOG_ERR, "Check Nextcloud configuration parameters");
+                return false;
+            }
+            // If error assume dir doesn't exist. Create parent folder
+            if ($this->create_directory($url, $username, $password, $internal_username, $parent_path) === false) {
+                throw new \Exception();
+            }
+        }
+        // if path exists ok
+        if (in_array("/{$backupdir}/", $directories)) {
+            return;
+        }
+
+        $this->curl_request(
+            $url . "/remote.php/dav/files/{$internal_username}/{$backupdir}",
+            $username,
+            $password,
+            'MKCOL',
+            'cannot execute MKCOL'
+        );
+    }
+
+    public function getInternalUsername($url, $username, $password): string
+    {
+        $xml_response = $this->ocs_request(
+            "$url/ocs/v1.php/cloud/user",
+            $username,
+            $password,
+            "GET",
+            "Cannot get real username"
+        );
+
+        try {
+            $data = $xml_response->data;
+            if ($data == null) {
+                return $username; // no data found, return the old username
+            }
+            $real_username = $data->id;
+            if ($real_username == null) {
+                return $username;
+            }
+            return $real_username;
+        } catch (\Exception $exception) {
+            return $username; // error - continue with old username
+        }
+    }
+
+    /**
+     * @param string $url remote location
+     * @param string $username remote user
+     * @param string $password password to use
+     * @param string $method http method, PUT, GET, ...
+     * @param string $error_message message to log on failure
+     * @param null|string $postdata http body
+     * @param array $headers HTTP headers
+     * @return array response status
+     * @throws \Exception when request fails
+     */
+    public function curl_request(
+        $url,
+        $username,
+        $password,
+        $method,
+        $error_message,
+        $postdata = null,
+        $headers = array("User-Agent: OPNsense Firewall")
+    ) {
+        $curl = curl_init();
+        curl_setopt_array($curl, array(
+            CURLOPT_URL => $url,
+            CURLOPT_CUSTOMREQUEST => $method, // Create a file in WebDAV is PUT
+            CURLOPT_RETURNTRANSFER => true, // Do not output the data to STDOUT
+            CURLOPT_VERBOSE => 0,           // same here
+            CURLOPT_MAXREDIRS => 0,         // no redirects
+            CURLOPT_TIMEOUT => 60,          // maximum time: 1 min
+            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
+            CURLOPT_USERPWD => $username . ":" . $password,
+            CURLOPT_HTTPHEADER => $headers
+        ));
+        if ($postdata != null) {
+            curl_setopt($curl, CURLOPT_POSTFIELDS, $postdata);
+        }
+        $response = curl_exec($curl);
+        $err = curl_error($curl);
+        $info = curl_getinfo($curl);
+        if (!($info['http_code'] == 200 || $info['http_code'] == 207 || $info['http_code'] == 201) || $err) {
+            syslog(LOG_ERR, $error_message);
+            syslog(LOG_ERR, json_encode($info));
+            throw new \Exception();
+        }
+        curl_close($curl);
+        return array('response' => $response, 'info' => $info);
+    }
+
+    /**
+     * @param $url string URL to call
+     * @param $username string username
+     * @param $password string password
+     * @param $method string HTTP verb
+     * @param $error_message string error message to forward to the http calling method
+     * @param null $postdata post data if any (can be null)
+     * @return array|\SimpleXMLElement|null
+     * @throws \Exception
+     */
+    public function ocs_request($url, $username, $password, $method, $error_message, $postdata = null)
+    {
+        $headers = $headers = array("User-Agent: OPNsense Firewall", "OCS-APIRequest: true");
+        $result = $this->curl_request($url, $username, $password, $method, $error_message, $postdata, $headers);
+        if (array_key_exists('content_type', $result['info'])) {
+            if (stripos($result['info']['content_type'], 'xml') !== false) {
+                return new \SimpleXMLElement($result['response']);
+            }
+            if (stripos($result['info']['content_type'], 'json') !== false) {
+                return json_decode($result['response'], true);
+            }
+
+            throw new \Exception();
+        }
+
+        return null;
+    }
+
+    /**
+     * Is this provider enabled
+     * @return boolean enabled status
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function isEnabled()
+    {
+        $nextCloud = new NextcloudSettings();
+        return (string)$nextCloud->enabled === "1";
+    }
+}
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.php
new file mode 100644
index 0000000000..fc2518993a
--- /dev/null
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ *    Copyright (C) 2018 Fabian Franz
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Backup;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class Nextcloud
+ * @package Backup
+ */
+class NextcloudSettings extends BaseModel
+{
+}
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
new file mode 100644
index 0000000000..b8c63ab7fe
--- /dev/null
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
@@ -0,0 +1,56 @@
+<model>
+    <mount>//system/backup/nextcloud</mount>
+    <version>1.0.0</version>
+    <description>OPNsense Nextcloud Backup Settings</description>
+    <items>
+        <enabled type="BooleanField">
+          <default>0</default>
+          <Required>Y</Required>
+        </enabled>
+        <url type="TextField">
+            <Required>N</Required>
+            <mask>/^https?:\/\/.*[^\/]$/</mask>
+            <ValidationMessage>The url must be valid without a trailing slash. For example: https://nextcloud.example.com or https://example.com/nextcloud</ValidationMessage>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>An URL for the Nextcloud server must be set.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
+        </url>
+        <user type="TextField">
+            <Constraints>
+                <check001>
+                    <ValidationMessage>An user for the Nextcloud server must be set.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
+        </user>
+        <password type="TextField">
+            <Constraints>
+                <check001>
+                    <ValidationMessage>A password for a Nextcloud server must be set.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
+        </password>
+        <password_encryption type="TextField">
+            <Required>N</Required>
+        </password_encryption>
+        <backupdir type="TextField">
+            <Required>Y</Required>
+            <mask>/^([\w%+\-]+\/)*[\w+%\-]+$/</mask>
+            <default>OPNsense-Backup</default>
+            <ValidationMessage>The Backup Directory can only consist of alphanumeric characters, dash, underscores and slash. No leading or trailing slash.</ValidationMessage>
+        </backupdir>
+    </items>
+</model>

From b13ff8993fc9ecfea763afc74fe6199c4e37cb17 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 23 Jun 2021 11:45:58 +0200
Subject: [PATCH 0621/3088] Update Makefile

---
 mail/fetchmail/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
index a2a871f380..3dba199e8f 100644
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		fetchmail
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Remote-mail retrieval utility
 PLUGIN_DEPENDS=		fetchmail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_DEVEL=       yes
 
 .include "../../Mk/plugins.mk"

From 01396c7ea2d273b4078481d156646660d6f44938 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 23 Jun 2021 11:49:27 +0200
Subject: [PATCH 0622/3088] Update setup.sh

---
 mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh b/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
index 394e49ce40..feda292bc6 100755
--- a/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
+++ b/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
@@ -3,3 +3,4 @@
 mkdir -p /var/run/fetchmail
 chown fetchmail:wheel /var/run/fetchmail
 chmod 755 /var/run/fetchmail
+chmod 700 /usr/local/etc/fetchmailrc

From 7a82982f865fb842f7e8bbfa066decaaafec74db Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Jun 2021 11:54:46 +0200
Subject: [PATCH 0623/3088] README: it's alive!

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1ad835393e..5de9ba462a 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
 emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
 ftp/tftp -- TFTP server (development only)
-mail/fetchmail -- Remote-mail retrieval utility (development only)
+mail/fetchmail -- Remote-mail retrieval utility
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
 misc/theme-cicada -- The cicada theme - dark grey

From 87e58358c094ba4ca81d5b622308be196dc8d8f2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jun 2021 09:11:05 +0200
Subject: [PATCH 0624/3088] Framework: default to upcoming PHP 7.4

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index aa06adb612..1422232d28 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -66,7 +66,7 @@ PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
 PLUGIN_ABI?=	21.1
-PLUGIN_PHP?=	73
+PLUGIN_PHP?=	74
 PLUGIN_PYTHON?=	37
 
 REPLACEMENTS=	PLUGIN_ABI \

From 96b498a6d01de87d585621c5a093c716ba69a5d2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jun 2021 09:27:44 +0200
Subject: [PATCH 0625/3088] Framework: stop guessing build parameters

Either we can figure them out at runtime or they were
passed by the build system previously.

Out of band builds are no longer supported, but can be
fixed by specifying the relevant variables like the build
would.
---
 Mk/defaults.mk | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 1422232d28..b6fac0244e 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -51,6 +51,13 @@ PLUGIN_FLAVOUR?=	Base
 .endif
 .endif
 
+VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
+
+.if exists(${VERSIONBIN})
+_PLUGIN_ABI!=	${VERSIONBIN} -a
+PLUGIN_ABI?=	${_PLUGIN_ABI}
+.endif
+
 PHPBIN=		${LOCALBASE}/bin/php
 
 .if exists(${PHPBIN})
@@ -65,9 +72,11 @@ _PLUGIN_PYTHON!=${PYTHONLINK} -V
 PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
-PLUGIN_ABI?=	21.1
-PLUGIN_PHP?=	74
-PLUGIN_PYTHON?=	37
+.for REPLACEMENT in ABI PHP PYTHON
+. if empty(PLUGIN_${REPLACEMENT})
+.  error Cannot build without PLUGIN_${REPLACEMENT} set
+. endif
+.endfor
 
 REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_ARCH \

From 4dd2f2bc85bd4603efe18528e583a09b5a8dbd18 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 1 Jul 2021 09:11:56 +0200
Subject: [PATCH 0626/3088] sysutils/nextcloud-backup: release for use in 21.7

---
 sysutils/nextcloud-backup/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysutils/nextcloud-backup/Makefile b/sysutils/nextcloud-backup/Makefile
index e5863b0787..dd29cd1013 100644
--- a/sysutils/nextcloud-backup/Makefile
+++ b/sysutils/nextcloud-backup/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nextcloud-backup
-PLUGIN_VERSION=		0.1
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Track config changes using NextCloud
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 

From 722d316508e62a9eb6fe18f9ff11bfd934cc5e18 Mon Sep 17 00:00:00 2001
From: Fabian Franz <franz.fabian.94@gmail.com>
Date: Sun, 4 Jul 2021 22:34:06 +0200
Subject: [PATCH 0627/3088] www/nginx: hotfix api endpoints + frontend for
 Phalcon 4

---
 .../OPNsense/Nginx/Api/LogsController.php     |  6 +-
 .../OPNsense/Nginx/Api/SettingsController.php | 60 +++++++++----------
 .../OPNsense/Nginx/IndexController.php        |  2 +-
 .../www/js/nginx/dist/tls_handshakes.min.js   |  2 +-
 4 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
index 0f0b709126..de4d4cf5b3 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
@@ -59,7 +59,7 @@ public function accessesAction($uuid = null)
      * action to query the TLS handshake information - useful for building fingerprint databases
      * @throws \Exception
      */
-    public function tls_handshakesAction()
+    public function tlsHandshakesAction()
     {
         $this->sendConfigdToClient('nginx tls_handshakes');
     }
@@ -90,7 +90,7 @@ public function errorsAction($uuid = null)
      * @return array if feasible, otherwise null and the data is sent directly back
      * @throws \OPNsense\Base\ModelException ?
      */
-    public function stream_accessesAction($uuid = null)
+    public function streamAccessesAction($uuid = null)
     {
         $this->nginx = new Nginx();
         if (!isset($uuid)) {
@@ -109,7 +109,7 @@ public function stream_accessesAction($uuid = null)
      * @return array if feasible, otherwise null and the data is sent directly back
      * @throws \OPNsense\Base\ModelException ?
      */
-    public function stream_errorsAction($uuid = null)
+    public function streamErrorsAction($uuid = null)
     {
         $this->nginx = new Nginx();
         if (!isset($uuid)) {
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 36beafbc72..29c56282e4 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -340,34 +340,34 @@ public function sethttprewriteAction($uuid)
     }
 
     // http security headers
-    public function searchsecurity_headerAction()
+    public function searchsecurityHeaderAction()
     {
         return $this->searchBase('security_header', array('description'));
     }
 
-    public function getsecurity_headerAction($uuid = null)
+    public function getsecurityHeaderAction($uuid = null)
     {
         $this->sessionClose();
         return $this->getBase('security_header', 'security_header', $uuid);
     }
 
-    public function addsecurity_headerAction()
+    public function addsecurityHeaderAction()
     {
         return $this->addBase('security_header', 'security_header');
     }
 
-    public function delsecurity_headerAction($uuid)
+    public function delsecurityHeaderAction($uuid)
     {
         return $this->delBase('security_header', $uuid);
     }
 
-    public function setsecurity_headerAction($uuid)
+    public function setsecurityHeaderAction($uuid)
     {
         return $this->setBase('security_header', 'security_header', $uuid);
     }
 
     // access limit zone headers
-    public function searchlimit_zoneAction()
+    public function searchlimitZoneAction()
     {
         return $this->searchBase(
             'limit_zone',
@@ -375,23 +375,23 @@ public function searchlimit_zoneAction()
         );
     }
 
-    public function getlimit_zoneAction($uuid = null)
+    public function getlimitZoneAction($uuid = null)
     {
         $this->sessionClose();
         return $this->getBase('limit_zone', 'limit_zone', $uuid);
     }
 
-    public function addlimit_zoneAction()
+    public function addlimitZoneAction()
     {
         return $this->addBase('limit_zone', 'limit_zone');
     }
 
-    public function dellimit_zoneAction($uuid)
+    public function dellimitZoneAction($uuid)
     {
         return $this->delBase('limit_zone', $uuid);
     }
 
-    public function setlimit_zoneAction($uuid)
+    public function setlimitZoneAction($uuid)
     {
         return $this->setBase('limit_zone', 'limit_zone', $uuid);
     }
@@ -433,34 +433,34 @@ public function seterrorpageAction($uuid)
     }
 
     // TLS fingerprints for MITM detection
-    public function searchtls_fingerprintAction()
+    public function searchtlsFingerprintAction()
     {
         return $this->searchBase('tls_fingerprint', array('description'));
     }
 
-    public function gettls_fingerprintAction($uuid = null)
+    public function gettlsFingerprintAction($uuid = null)
     {
         $this->sessionClose();
         return $this->getBase('tls_fingerprint', 'tls_fingerprint', $uuid);
     }
 
-    public function addtls_fingerprintAction()
+    public function addtlsFingerprintAction()
     {
         return $this->addBase('tls_fingerprint', 'tls_fingerprint');
     }
 
-    public function deltls_fingerprintAction($uuid)
+    public function deltlsFingerprintAction($uuid)
     {
         return $this->delBase('tls_fingerprint', $uuid);
     }
 
-    public function settls_fingerprintAction($uuid)
+    public function settlsFingerprintAction($uuid)
     {
         return $this->setBase('tls_fingerprint', 'tls_fingerprint', $uuid);
     }
 
     // limit_request_connection
-    public function searchlimit_request_connectionAction()
+    public function searchlimitRequestConnectionAction()
     {
         return $this->searchBase(
             'limit_request_connection',
@@ -468,28 +468,28 @@ public function searchlimit_request_connectionAction()
         );
     }
 
-    public function getlimit_request_connectionAction($uuid = null)
+    public function getlimitRequestConnectionAction($uuid = null)
     {
         $this->sessionClose();
         return $this->getBase('limit_request_connection', 'limit_request_connection', $uuid);
     }
 
-    public function addlimit_request_connectionAction()
+    public function addlimitRequestConnectionAction()
     {
         return $this->addBase('limit_request_connection', 'limit_request_connection');
     }
 
-    public function dellimit_request_connectionAction($uuid)
+    public function dellimitRequestConnectionAction($uuid)
     {
         return $this->delBase('limit_request_connection', $uuid);
     }
 
-    public function setlimit_request_connectionAction($uuid)
+    public function setlimitRequestConnectionAction($uuid)
     {
         return $this->setBase('limit_request_connection', 'limit_request_connection', $uuid);
     }
     // cache path
-    public function searchcache_pathAction()
+    public function searchcachePathAction()
     {
         return $this->searchBase(
             'cache_path',
@@ -497,23 +497,23 @@ public function searchcache_pathAction()
         );
     }
 
-    public function getcache_pathAction($uuid = null)
+    public function getcachePathAction($uuid = null)
     {
         $this->sessionClose();
         return $this->getBase('cache_path', 'cache_path', $uuid);
     }
 
-    public function addcache_pathAction()
+    public function addcachePathAction()
     {
         return $this->addBase('cache_path', 'cache_path');
     }
 
-    public function delcache_pathAction($uuid)
+    public function delcachePathAction($uuid)
     {
         return $this->delBase('cache_path', $uuid);
     }
 
-    public function setcache_pathAction($uuid)
+    public function setcachePathAction($uuid)
     {
         return $this->setBase('cache_path', 'cache_path', $uuid);
     }
@@ -719,28 +719,28 @@ private function delete_uuids($uuids, $path): void
         }
     }
     // SYSLOG targets
-    public function searchsyslog_targetAction()
+    public function searchsyslogTargetAction()
     {
         return $this->searchBase('syslog_target', array('description', 'host', 'facility', 'severity'));
     }
 
-    public function getsyslog_targetAction($uuid = null)
+    public function getsyslogTargetAction($uuid = null)
     {
         $this->sessionClose();
         return $this->getBase('syslog_target', 'syslog_target', $uuid);
     }
 
-    public function addsyslog_targetAction()
+    public function addsyslogTargetAction()
     {
         return $this->addBase('syslog_target', 'syslog_target');
     }
 
-    public function delsyslog_targetAction($uuid)
+    public function delsyslogTargetAction($uuid)
     {
         return $this->delBase('syslog_target', $uuid);
     }
 
-    public function setsyslog_targetAction($uuid)
+    public function setsyslogTargetAction($uuid)
     {
         return $this->setBase('syslog_target', 'syslog_target', $uuid);
     }
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
index 9af641c118..e80537625b 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
@@ -82,7 +82,7 @@ public function logsAction()
     /**
      * show the nginx TLS handshakes page /ui/nginx/index/tls_handshakes
      */
-    public function tls_handshakesAction()
+    public function tlsHandshakesAction()
     {
         $this->view->pick('OPNsense/Nginx/tls_handshakes');
     }
diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/tls_handshakes.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/tls_handshakes.min.js
index 7e79808939..d703bd4a5b 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/tls_handshakes.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/tls_handshakes.min.js
@@ -1 +1 @@
-!function(t){var n={};function e(o){if(n[o])return n[o].exports;var r=n[o]={i:o,l:!1,exports:{}};return t[o].call(r.exports,r,r.exports,e),r.l=!0,r.exports}e.m=t,e.c=n,e.d=function(t,n,o){e.o(t,n)||Object.defineProperty(t,n,{enumerable:!0,get:o})},e.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},e.t=function(t,n){if(1&n&&(t=e(t)),8&n)return t;if(4&n&&"object"==typeof t&&t&&t.__esModule)return t;var o=Object.create(null);if(e.r(o),Object.defineProperty(o,"default",{enumerable:!0,value:t}),2&n&&"string"!=typeof t)for(var r in t)e.d(o,r,function(n){return t[n]}.bind(null,r));return o},e.n=function(t){var n=t&&t.__esModule?function(){return t.default}:function(){return t};return e.d(n,"a",n),n},e.o=function(t,n){return Object.prototype.hasOwnProperty.call(t,n)},e.p="",e(e.s=28)}([function(t,n,e){var o=e(2),r=e(4),i=/[&<>"']/g,c=RegExp(i.source);t.exports=function(t){return(t=r(t))&&c.test(t)?t.replace(i,o):t}},function(t,n,e){var o=e(6).Symbol;t.exports=o},function(t,n,e){var o=e(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});t.exports=o},function(t,n){t.exports=function(t){return function(n){return null==t?void 0:t[n]}}},function(t,n,e){var o=e(5);t.exports=function(t){return null==t?"":o(t)}},function(t,n,e){var o=e(1),r=e(9),i=e(10),c=e(11),l=1/0,u=o?o.prototype:void 0,s=u?u.toString:void 0;t.exports=function t(n){if("string"==typeof n)return n;if(i(n))return r(n,t)+"";if(c(n))return s?s.call(n):"";var e=n+"";return"0"==e&&1/n==-l?"-0":e}},function(t,n,e){var o=e(7),r="object"==typeof self&&self&&self.Object===Object&&self,i=o||r||Function("return this")();t.exports=i},function(t,n,e){(function(n){var e="object"==typeof n&&n&&n.Object===Object&&n;t.exports=e}).call(this,e(8))},function(t,n){var e;e=function(){return this}();try{e=e||new Function("return this")()}catch(t){"object"==typeof window&&(e=window)}t.exports=e},function(t,n){t.exports=function(t,n){for(var e=-1,o=null==t?0:t.length,r=Array(o);++e<o;)r[e]=n(t[e],e,t);return r}},function(t,n){var e=Array.isArray;t.exports=e},function(t,n,e){var o=e(12),r=e(15),i="[object Symbol]";t.exports=function(t){return"symbol"==typeof t||r(t)&&o(t)==i}},function(t,n,e){var o=e(1),r=e(13),i=e(14),c="[object Null]",l="[object Undefined]",u=o?o.toStringTag:void 0;t.exports=function(t){return null==t?void 0===t?l:c:u&&u in Object(t)?r(t):i(t)}},function(t,n,e){var o=e(1),r=Object.prototype,i=r.hasOwnProperty,c=r.toString,l=o?o.toStringTag:void 0;t.exports=function(t){var n=i.call(t,l),e=t[l];try{t[l]=void 0;var o=!0}catch(t){}var r=c.call(t);return o&&(n?t[l]=e:delete t[l]),r}},function(t,n){var e=Object.prototype.toString;t.exports=function(t){return e.call(t)}},function(t,n){t.exports=function(t){return null!=t&&"object"==typeof t}},,,,,,,,function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div>\n    <div class="col-md-12">\n        <h2>'+(null==(__t=_.escape(ua))?"":__t)+'</h2>\n    </div>\n</div>\n<div>\n    <div class="col-md-9">\n        <div class="content_holder"></div>\n    </div>\n    <div class="col-md-3">\n        <svg class="chart_holder"></svg>\n    </div>\n</div>\n';return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div>\n    <div class="col-md-10">\n        <div class="row">\n            <div class="col-md-3">\n                Count\n            </div>\n            <div class="col-md-9">'+(null==(__t=_.escape(count))?"":__t)+'</div>\n            <div class="col-md-3">\n                Ciphers\n            </div>\n            <div class="col-md-9">'+(null==(__t=_.escape(ciphers))?"":__t)+'</div>\n            <div class="col-md-3">\n                Curves\n            </div>\n            <div class="col-md-9">'+(null==(__t=_.escape(curves))?"":__t)+'</div>\n        </div>\n    </div>\n    <div class="col-md-2">\n        <button class="btn btn-primary"><i class="fa fa-thumbs-up"></i> Store / Trust</button>\n    </div>\n\n</div>\n';return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div>\n    <table>\n        <tr>\n            <td><label>Description</label></td>\n            <td><input type="text" id="fp_description" /></td>\n        </tr>\n        <tr>\n            <td><label>Trusted</label></td>\n            <td><input type="checkbox" id="fp_trusted" /></td>\n        </tr>\n    </table>\n</div>\n';return __p}},,,function(t,n,e){"use strict";e.r(n);var o=Backbone.Model.extend({url:"/api/nginx/logs/tls_handshakes"}),r=e(23),i=e.n(r),c=e(24),l=e.n(c),u=e(25),s=e.n(u);const a=new o,d=Backbone.View.extend({initialize:function(t){this.ua=t.ua},events:{"click button":"trust_fingerprint"},render:function(){this.$el.html(l()(this.model.toJSON()))},trust_fingerprint:function(){const t=this;BootstrapDialog.show({type:BootstrapDialog.TYPE_INFO,title:"Save new fingerprint",message:$("<div></div>").html(s()({})),buttons:[{label:"Save",cssClass:"btn-primary",icon:"fa fa-floppy-o ",action:function(n){t.handle_trust(n.$modalBody.find("#fp_description").val(),n.$modalBody.find("#fp_trusted").is(":checked")),n.close()}},{label:"Close",action:function(t){t.close()}}]})},handle_trust:function(t,n){ajaxCall("/api/nginx/settings/addtls_fingerprint",{tls_fingerprint:{curves:this.model.get("curves"),ciphers:this.model.get("ciphers"),user_agent:this.ua,trusted:n?"1":"0",description:t}},function(t,n){})}}),p=Backbone.View.extend({initialize:function(t){this.ua=t.ua,this.render()},render:function(){const t=this;this.$el.html(i()({ua:this.ua}));const n=this.$el.find(".content_holder"),e=this.$el.find(".chart_holder"),o=this.collection.map(function(t){return{label:t.get("ciphers")+"||"+t.get("curves"),value:t.get("count")}});this.collection.forEach(function(e){const o=new d({model:e,ua:t.ua});n.append(o.$el),o.render()});try{nv.addGraph(function(){const t=nv.models.pieChart();return t.x(function(t){return t.label}),t.y(function(t){return t.value}),t.showLabels(!1),t.labelType("value"),t.donut(!0),t.donutRatio(.2),d3.select(e[0]).datum(o).transition().duration(350).call(t),t})}catch(t){console.log(t)}}}),f=new(Backbone.View.extend({initialize:function(){this.listenTo(this.model,"sync",this.render)},render:function(){this.$el.html(""),this.render_all(this.model.attributes)},render_all(t){for(const n in t)if(t.hasOwnProperty(n)){const e=new Backbone.Collection(t[n]),o=new p({collection:e,ua:n});this.$el.append(o.$el)}}}))({model:a});$("#tls_handshakes_application").append(f.$el),a.fetch()}]);
\ No newline at end of file
+!function(t){var n={};function e(o){if(n[o])return n[o].exports;var r=n[o]={i:o,l:!1,exports:{}};return t[o].call(r.exports,r,r.exports,e),r.l=!0,r.exports}e.m=t,e.c=n,e.d=function(t,n,o){e.o(t,n)||Object.defineProperty(t,n,{enumerable:!0,get:o})},e.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},e.t=function(t,n){if(1&n&&(t=e(t)),8&n)return t;if(4&n&&"object"==typeof t&&t&&t.__esModule)return t;var o=Object.create(null);if(e.r(o),Object.defineProperty(o,"default",{enumerable:!0,value:t}),2&n&&"string"!=typeof t)for(var r in t)e.d(o,r,function(n){return t[n]}.bind(null,r));return o},e.n=function(t){var n=t&&t.__esModule?function(){return t.default}:function(){return t};return e.d(n,"a",n),n},e.o=function(t,n){return Object.prototype.hasOwnProperty.call(t,n)},e.p="",e(e.s=28)}([function(t,n,e){var o=e(2),r=e(4),i=/[&<>"']/g,c=RegExp(i.source);t.exports=function(t){return(t=r(t))&&c.test(t)?t.replace(i,o):t}},function(t,n,e){var o=e(6).Symbol;t.exports=o},function(t,n,e){var o=e(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});t.exports=o},function(t,n){t.exports=function(t){return function(n){return null==t?void 0:t[n]}}},function(t,n,e){var o=e(5);t.exports=function(t){return null==t?"":o(t)}},function(t,n,e){var o=e(1),r=e(9),i=e(10),c=e(11),l=1/0,u=o?o.prototype:void 0,s=u?u.toString:void 0;t.exports=function t(n){if("string"==typeof n)return n;if(i(n))return r(n,t)+"";if(c(n))return s?s.call(n):"";var e=n+"";return"0"==e&&1/n==-l?"-0":e}},function(t,n,e){var o=e(7),r="object"==typeof self&&self&&self.Object===Object&&self,i=o||r||Function("return this")();t.exports=i},function(t,n,e){(function(n){var e="object"==typeof n&&n&&n.Object===Object&&n;t.exports=e}).call(this,e(8))},function(t,n){var e;e=function(){return this}();try{e=e||new Function("return this")()}catch(t){"object"==typeof window&&(e=window)}t.exports=e},function(t,n){t.exports=function(t,n){for(var e=-1,o=null==t?0:t.length,r=Array(o);++e<o;)r[e]=n(t[e],e,t);return r}},function(t,n){var e=Array.isArray;t.exports=e},function(t,n,e){var o=e(12),r=e(15),i="[object Symbol]";t.exports=function(t){return"symbol"==typeof t||r(t)&&o(t)==i}},function(t,n,e){var o=e(1),r=e(13),i=e(14),c="[object Null]",l="[object Undefined]",u=o?o.toStringTag:void 0;t.exports=function(t){return null==t?void 0===t?l:c:u&&u in Object(t)?r(t):i(t)}},function(t,n,e){var o=e(1),r=Object.prototype,i=r.hasOwnProperty,c=r.toString,l=o?o.toStringTag:void 0;t.exports=function(t){var n=i.call(t,l),e=t[l];try{t[l]=void 0;var o=!0}catch(t){}var r=c.call(t);return o&&(n?t[l]=e:delete t[l]),r}},function(t,n){var e=Object.prototype.toString;t.exports=function(t){return e.call(t)}},function(t,n){t.exports=function(t){return null!=t&&"object"==typeof t}},,,,,,,,function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div>\n    <div class="col-md-12">\n        <h2>'+(null==(__t=_.escape(ua))?"":__t)+'</h2>\n    </div>\n</div>\n<div>\n    <div class="col-md-9">\n        <div class="content_holder"></div>\n    </div>\n    <div class="col-md-3">\n        <svg class="chart_holder"></svg>\n    </div>\n</div>\n';return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)"undefined"!=typeof count&&"undefined"!=typeof ciphers&&"undefined"!=typeof curves&&(__p+='\n<div>\n    <div class="col-md-10">\n        <div class="row">\n            <div class="col-md-3">\n                Count\n            </div>\n            <div class="col-md-9">'+(null==(__t=_.escape(count||""))?"":__t)+'</div>\n            <div class="col-md-3">\n                Ciphers\n            </div>\n            <div class="col-md-9">'+(null==(__t=_.escape(ciphers||""))?"":__t)+'</div>\n            <div class="col-md-3">\n                Curves\n            </div>\n            <div class="col-md-9">'+(null==(__t=_.escape(curves||""))?"":__t)+'</div>\n        </div>\n    </div>\n    <div class="col-md-2">\n        <button class="btn btn-primary"><i class="fa fa-thumbs-up"></i> Store / Trust</button>\n    </div>\n</div>\n'),__p+="\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div>\n    <table>\n        <tr>\n            <td><label>Description</label></td>\n            <td><input type="text" id="fp_description" /></td>\n        </tr>\n        <tr>\n            <td><label>Trusted</label></td>\n            <td><input type="checkbox" id="fp_trusted" /></td>\n        </tr>\n    </table>\n</div>\n';return __p}},,,function(t,n,e){"use strict";e.r(n);var o=Backbone.Model.extend({url:"/api/nginx/logs/tls_handshakes"}),r=e(23),i=e.n(r),c=e(24),l=e.n(c),u=e(25),s=e.n(u);const a=new o,d=Backbone.View.extend({initialize:function(t){this.ua=t.ua},events:{"click button":"trust_fingerprint"},render:function(){this.$el.html(l()(this.model.toJSON()))},trust_fingerprint:function(){const t=this;BootstrapDialog.show({type:BootstrapDialog.TYPE_INFO,title:"Save new fingerprint",message:$("<div></div>").html(s()({})),buttons:[{label:"Save",cssClass:"btn-primary",icon:"fa fa-floppy-o ",action:function(n){t.handle_trust(n.$modalBody.find("#fp_description").val(),n.$modalBody.find("#fp_trusted").is(":checked")),n.close()}},{label:"Close",action:function(t){t.close()}}]})},handle_trust:function(t,n){ajaxCall("/api/nginx/settings/addtls_fingerprint",{tls_fingerprint:{curves:this.model.get("curves"),ciphers:this.model.get("ciphers"),user_agent:this.ua,trusted:n?"1":"0",description:t}},function(t,n){})}}),p=Backbone.View.extend({initialize:function(t){this.ua=t.ua,this.render()},render:function(){const t=this;this.$el.html(i()({ua:this.ua}));const n=this.$el.find(".content_holder"),e=this.$el.find(".chart_holder"),o=this.collection.map(function(t){return{label:t.get("ciphers")+"||"+t.get("curves"),value:t.get("count")}});this.collection.forEach(function(e){const o=new d({model:e,ua:t.ua});n.append(o.$el),o.render()});try{nv.addGraph(function(){const t=nv.models.pieChart();return t.x(function(t){return t.label}),t.y(function(t){return t.value}),t.showLabels(!1),t.labelType("value"),t.donut(!0),t.donutRatio(.2),d3.select(e[0]).datum(o).transition().duration(350).call(t),t})}catch(t){console.log(t)}}}),f=new(Backbone.View.extend({initialize:function(){this.listenTo(this.model,"sync",this.render)},render:function(){this.$el.html(""),this.render_all(this.model.attributes)},render_all(t){for(const n in t)if(t.hasOwnProperty(n)&&void 0!==t[n]&&"function"!=typeof t[n]){const e=new Backbone.Collection(t[n]),o=new p({collection:e,ua:n});this.$el.append(o.$el)}}}))({model:a});$("#tls_handshakes_application").append(f.$el),a.fetch()}]);
\ No newline at end of file

From b189f6ccbb755afecbed10a3adfbd217d28d80fe Mon Sep 17 00:00:00 2001
From: Fabian Franz <franz.fabian.94@gmail.com>
Date: Sun, 4 Jul 2021 22:35:13 +0200
Subject: [PATCH 0628/3088] security/tor: hotfix tor API endpoint

---
 .../mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
index 7ccba0c222..a5ae94af95 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
@@ -74,7 +74,7 @@ public function stopAction()
      * query tor hidden service hostnames
      * @return array
      */
-    public function get_hidden_servicesAction()
+    public function getHiddenServicesAction()
     {
         $backend = new Backend();
         $response = json_decode($backend->configdRun('tor gethostnames'));

From 88259efe50b22f1988a81e964b02fd9bb685ab3a Mon Sep 17 00:00:00 2001
From: Fabian Franz <franz.fabian.94@gmail.com>
Date: Sun, 4 Jul 2021 22:36:25 +0200
Subject: [PATCH 0629/3088] www/nginx, security/tor: non-hotfix relevant
 changes

---
 security/tor/Makefile                                    | 2 +-
 www/nginx/Makefile                                       | 1 +
 www/nginx/pkg-descr                                      | 4 ++++
 www/nginx/src/opnsense/www/js/nginx/package.json         | 3 ++-
 .../opnsense/www/js/nginx/src/templates/Fingerprint.html | 9 +++++----
 .../src/opnsense/www/js/nginx/src/tls_handshakes.js      | 2 +-
 6 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/security/tor/Makefile b/security/tor/Makefile
index e13b2366cd..5c19670bb9 100644
--- a/security/tor/Makefile
+++ b/security/tor/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tor
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		The Onion Router
 PLUGIN_DEPENDS=		tor ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index df5c3e49eb..1653e31ad1 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.23
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 5dde33a516..978c576ff3 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.23_1
+
+* fix some issues with the MVC router
+
 1.23
 
 * Add custom error pages on a per HTTP server basis (contributed by 8191)
diff --git a/www/nginx/src/opnsense/www/js/nginx/package.json b/www/nginx/src/opnsense/www/js/nginx/package.json
index 67feb82a87..8aa881c9e4 100644
--- a/www/nginx/src/opnsense/www/js/nginx/package.json
+++ b/www/nginx/src/opnsense/www/js/nginx/package.json
@@ -11,6 +11,7 @@
   },
   "scripts": {
     "webpack-cli": "webpack-cli",
-    "build": "webpack-cli --config webpack.conf.js"
+    "build": "webpack-cli --config webpack.conf.js",
+    "build-dev": "webpack-cli --config webpack.conf.js --mode development"
   }
 }
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/Fingerprint.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/Fingerprint.html
index c124365e7d..d28a7ac35a 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/templates/Fingerprint.html
+++ b/www/nginx/src/opnsense/www/js/nginx/src/templates/Fingerprint.html
@@ -1,22 +1,23 @@
+<% if (typeof count !== 'undefined' && typeof ciphers !== 'undefined' && typeof curves !== 'undefined') { %>
 <div>
     <div class="col-md-10">
         <div class="row">
             <div class="col-md-3">
                 Count
             </div>
-            <div class="col-md-9"><%= _.escape(count) %></div>
+            <div class="col-md-9"><%= _.escape(count || '') %></div>
             <div class="col-md-3">
                 Ciphers
             </div>
-            <div class="col-md-9"><%= _.escape(ciphers) %></div>
+            <div class="col-md-9"><%= _.escape(ciphers || '') %></div>
             <div class="col-md-3">
                 Curves
             </div>
-            <div class="col-md-9"><%= _.escape(curves) %></div>
+            <div class="col-md-9"><%= _.escape(curves || '') %></div>
         </div>
     </div>
     <div class="col-md-2">
         <button class="btn btn-primary"><i class="fa fa-thumbs-up"></i> Store / Trust</button>
     </div>
-
 </div>
+<% } %>
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/tls_handshakes.js b/www/nginx/src/opnsense/www/js/nginx/src/tls_handshakes.js
index 697e646669..50d580d0c4 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/tls_handshakes.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/tls_handshakes.js
@@ -119,7 +119,7 @@ const FingerprintMain = Backbone.View.extend({
     render_all(attributes) {
         for (const ua in attributes) {
             // skip loop if the property is from prototype
-            if (attributes.hasOwnProperty(ua)) {
+            if (attributes.hasOwnProperty(ua) && typeof attributes[ua] !== 'undefined' && typeof attributes[ua] !== 'function') {
                 const fingerprints = new Backbone.Collection(attributes[ua]);
                 const fingerprints_view = new FingerPrintList({'collection': fingerprints, 'ua': ua});
                 this.$el.append(fingerprints_view.$el);

From ff3d2bbd5041ee885d58b70c00ba8f8cabe3b1aa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 5 Jul 2021 09:17:50 +0200
Subject: [PATCH 0630/3088] www/nginx: still the same version and already noted

---
 www/nginx/pkg-descr | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 978c576ff3..5dde33a516 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,10 +10,6 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
-1.23_1
-
-* fix some issues with the MVC router
-
 1.23
 
 * Add custom error pages on a per HTTP server basis (contributed by 8191)

From 4edd7c8e5dbb0eff1dbab10e52391c8e8a4aa988 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 5 Jul 2021 09:53:42 +0200
Subject: [PATCH 0631/3088] security/acme-client: drop unused

---
 .../src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml
index 11a53cc6e8..528fe599ba 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml
@@ -4,7 +4,6 @@
         <patterns>
             <pattern>ui/acmeclient/*</pattern>
             <pattern>api/acmeclient/*</pattern>
-            <pattern>diag_logs_acmeclient.php</pattern>
         </patterns>
     </page-services-letsencrypt>
 </acl>

From 355184d1097a9b6ab2961d3ed523fdc0e7390b2c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Jul 2021 09:07:37 +0200
Subject: [PATCH 0632/3088] Framework: allow DEVABI override

---
 Mk/defaults.mk | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index b6fac0244e..57f9e39597 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -72,11 +72,15 @@ _PLUGIN_PYTHON!=${PYTHONLINK} -V
 PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
-.for REPLACEMENT in ABI PHP PYTHON
-. if empty(PLUGIN_${REPLACEMENT})
-.  error Cannot build without PLUGIN_${REPLACEMENT} set
-. endif
-.endfor
+.if empty(DEVABI)
+. for REPLACEMENT in ABI PHP PYTHON
+.  if empty(PLUGIN_${REPLACEMENT})
+.   error Cannot build without PLUGIN_${REPLACEMENT} set
+.  endif
+. endfor
+.else
+PLUGIN_ABI=	${DEVABI}
+.endif
 
 REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_ARCH \

From f6a5588f4210f80c8d90969c6afed9ba46221202 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Jul 2021 09:18:55 +0200
Subject: [PATCH 0633/3088] net/radsecproxy: release 1.0 for 21.7

---
 net/radsecproxy/Makefile | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/radsecproxy/Makefile b/net/radsecproxy/Makefile
index c27c40120a..7ee4427db0 100644
--- a/net/radsecproxy/Makefile
+++ b/net/radsecproxy/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		radsecproxy
-PLUGIN_VERSION=	0.1
-PLUGIN_COMMENT=	RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
-PLUGIN_DEPENDS=	radsecproxy
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
+PLUGIN_DEPENDS=		radsecproxy
 PLUGIN_MAINTAINER=	tobias@boehnert.dev
-PLUGIN_DEVEL=		yes
 
 .include "../../Mk/plugins.mk"

From 41223a88da4b16892880221c1186ce2f5973d490 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Jul 2021 09:19:39 +0200
Subject: [PATCH 0634/3088] README: sync

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5de9ba462a..57e83bfd17 100644
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
 net/ntopng -- Traffic Analysis and Flow Collection
-net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport (development only)
+net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
 net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
@@ -98,7 +98,7 @@ sysutils/hw-probe -- Collect hardware diagnostics
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitoring agent
-sysutils/nextcloud-backup -- Track config changes using NextCloud (development only)
+sysutils/nextcloud-backup -- Track config changes using NextCloud
 sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
 sysutils/puppet-agent -- Manage Puppet Agent (development only)

From dc34198aef684970564662adb36261c402159f89 Mon Sep 17 00:00:00 2001
From: Github-jjw <60520600+Github-jjw@users.noreply.github.com>
Date: Fri, 9 Jul 2021 11:09:59 +0200
Subject: [PATCH 0635/3088] security/acme-client: Added support for Nederhost
 DNS API (#2407)

* Add Nederhost API support
---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsNederhost.php  | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index b1bccf6f6d..acb434e60e 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1262,4 +1262,14 @@
         <label>API Token</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Nederhost API</label>
+        <type>header</type>
+        <style>table_dns table_dns_nederhost</style>
+    </field>
+    <field>
+        <id>validation.dns_nederhost_key</id>
+        <label>Key</label>
+        <type>text</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php
new file mode 100644
index 0000000000..c2ee7afe35
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2021 
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * NederHost DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsNederhost extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['NederHost_Key'] = (string)$this->config->dns_nederhost_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 6fd163f1c0..f0345239ea 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -421,6 +421,7 @@
                         <dns_namecom>Name.com API</dns_namecom>
                         <dns_namecheap>Namecheap API</dns_namecheap>
                         <dns_namesilo>Namesilo.com API</dns_namesilo>
+                        <dns_nederhost>Nederhost API</dns_nederhost>
                         <dns_netcup>netcup DNS API</dns_netcup>
                         <dns_nsone>NS1.com API</dns_nsone>
                         <dns_nsupdate>nsupdate (RFC 2136)</dns_nsupdate>
@@ -766,6 +767,9 @@
                 <dns_namesilo_key type="TextField">
                     <Required>N</Required>
                 </dns_namesilo_key>
+                <dns_nederhost_key type="TextField">
+                    <Required>N</Required>
+                </dns_nederhost_key>
                 <dns_netcup_cid type="TextField">
                     <Required>N</Required>
                 </dns_netcup_cid>

From b40901e338dda792db229b622c819b78077a8dfa Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 9 Jul 2021 11:11:19 +0200
Subject: [PATCH 0636/3088] security/acme-client: add copyright information,
 refs #2407

---
 .../library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php
index c2ee7afe35..38ab692b8a 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNederhost.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2021 
+ * Copyright (C) 2021 Github-jjw
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

From 00bbd32bb8383bc487cd908879a1aaf55a7b4cb9 Mon Sep 17 00:00:00 2001
From: Jimbambuli <30672094+Jimbambuli@users.noreply.github.com>
Date: Fri, 9 Jul 2021 11:13:33 +0200
Subject: [PATCH 0637/3088] security/acme client: Added support for DDNSS DNS
 API (#2415)

* Add DDNSS API support
---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsDdnss.php      | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDdnss.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index acb434e60e..ce1bcb61d0 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -266,6 +266,16 @@
         <id>validation.dns_cyon_password</id>
         <label>Password</label>
         <type>password</type>
+    </field>
+	<field>
+        <label>DDNSS API</label>
+        <type>header</type>
+        <style>table_dns table_dns_ddnss</style>
+    </field>
+    <field>
+        <id>validation.dns_ddnss_token</id>
+        <label>API Token</label>
+        <type>text</type>
     </field>
     <field>
         <label>DirectAdmin</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDdnss.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDdnss.php
new file mode 100644
index 0000000000..206518b539
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDdnss.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Marcel Koepfli
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DDNSS DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDdnss extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DDNSS_Token'] = (string)$this->config->dns_ddnss_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f0345239ea..aff07d3917 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -382,6 +382,7 @@
                         <dns_cx>CloudXNS.com API</dns_cx>
                         <dns_cn>Core-Networks API</dns_cn>
                         <dns_cyon>cyon.ch API</dns_cyon>
+                        <dns_ddnss>DDNSS API</dns_ddnss>
                         <dns_desec>deSEC.io API</dns_desec>
                         <dns_dgon>DigitalOcean API</dns_dgon>
                         <dns_da>DirectAdmin API</dns_da>
@@ -524,6 +525,9 @@
                     <Required>N</Required>
                     <default>1</default>
                 </dns_da_insecure>
+                <dns_ddnss_token type="TextField">
+                    <Required>N</Required>
+                </dns_ddnss_token>
                 <dns_dgon_key type="TextField">
                     <Required>N</Required>
                 </dns_dgon_key>

From c4ae96d6a53cc610a9ffa7c9465a118f27a4b6f6 Mon Sep 17 00:00:00 2001
From: manhofmann <66171315+manhofmann@users.noreply.github.com>
Date: Fri, 9 Jul 2021 11:23:55 +0200
Subject: [PATCH 0638/3088] security/acme-client: Added support for ZONE DNS
 API (#2417)

* Added support for ZONE DNS API
---
 .../AcmeClient/forms/dialogValidation.xml     | 16 +++++++
 .../AcmeClient/LeValidation/DnsZone.php       | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 68 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZone.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index ce1bcb61d0..395a907458 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1272,6 +1272,22 @@
         <label>API Token</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Zone.eu API</label>
+        <type>header</type>
+        <style>table_dns table_dns_zone</style>
+    </field>
+    <field>
+        <id>validation.dns_zone_username</id>
+        <label>Zone Username</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_zone_key</id>
+        <label>API Key</label>
+        <type>text</type>
+        <help>Can be generated under ZoneID account management</help>
+    </field>
     <field>
         <label>Nederhost API</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZone.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZone.php
new file mode 100644
index 0000000000..ff09d24ab6
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZone.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Manuel Hofmann
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Zone DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsZone extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ZONE_Username'] = (string)$this->config->dns_zone_username;
+        $this->acme_env['ZONE_Key'] = (string)$this->config->dns_zone_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index aff07d3917..5d156b9c7d 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -439,6 +439,7 @@
                         <dns_vultr>Vultr API</dns_vultr>
                         <dns_yandex>Yandex PDD API</dns_yandex>
                         <dns_zilore>Zilore DNS API</dns_zilore>
+                        <dns_zone>Zone.eu API</dns_zone>
                         <dns_zonomi>zonomi.com domain API</dns_zonomi>
                     </OptionValues>
                 </dns_service>
@@ -965,6 +966,12 @@
                 <dns_infomaniak_token type="TextField">
                     <Required>N</Required>
                 </dns_infomaniak_token>
+                <dns_zone_username type="TextField">
+                    <Required>N</Required>
+                </dns_zone_username>
+                <dns_zone_key type="TextField">
+                    <Required>N</Required>
+                </dns_zone_key>
             </validation>
         </validations>
         <actions>

From 2236c55c1f334f49ec495d1bcbec5c0051eae79c Mon Sep 17 00:00:00 2001
From: Nim G <theredspoon@users.noreply.github.com>
Date: Fri, 9 Jul 2021 02:28:32 -0700
Subject: [PATCH 0639/3088] security/acme-client: Add support for Njalla DNS
 API (#2446)

* Add Njalla API support
---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsNjalla.php     | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 395a907458..128a43efdb 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -812,6 +812,16 @@
         <label>API Password</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Njalla</label>
+        <type>header</type>
+        <style>table_dns table_dns_njalla</style>
+    </field>
+    <field>
+        <id>validation.dns_njalla_token</id>
+        <label>API Token</label>
+        <type>text</type>
+    </field>
     <field>
         <label>NS1.com</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php
new file mode 100644
index 0000000000..3d9c8622b4
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Njalla API
+ * @package OPNsense\AcmeClient
+ */
+class DnsNjalla extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['NJALLA_Token'] = (string)$this->config->dns_njalla_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 5d156b9c7d..af732bdb3d 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -424,6 +424,7 @@
                         <dns_namesilo>Namesilo.com API</dns_namesilo>
                         <dns_nederhost>Nederhost API</dns_nederhost>
                         <dns_netcup>netcup DNS API</dns_netcup>
+                        <dns_njalla>Njalla API</dns_njalla>
                         <dns_nsone>NS1.com API</dns_nsone>
                         <dns_nsupdate>nsupdate (RFC 2136)</dns_nsupdate>
                         <dns_opnsense>OPNsense BIND Plugin</dns_opnsense>
@@ -784,6 +785,9 @@
                 <dns_netcup_pw type="TextField">
                     <Required>N</Required>
                 </dns_netcup_pw>
+                <dns_njalla_token type="TextField">
+                    <Required>N</Required>
+                </dns_njalla_token>
                 <dns_nsone_key type="TextField">
                     <Required>N</Required>
                 </dns_nsone_key>

From 01caf57c56a8382146f2dc369d8275d1190e2ee8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 9 Jul 2021 11:29:49 +0200
Subject: [PATCH 0640/3088] security/acme-client: update copyright information,
 refs #2446

---
 .../app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php
index 3d9c8622b4..d36a902e14 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNjalla.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2021 Nim G
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

From 7aebfb02b0191cb273a444f7e651011740350866 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 9 Jul 2021 11:34:09 +0200
Subject: [PATCH 0641/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 9c801f8487..6ae3cfff1d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,8 +10,14 @@ Plugin Changelog
 
 2.6
 
+Added:
+* add support for Nederhost DNS API (#2407)
+* add support for DDNSS DNS API (#2415)
+* add support for Zone.eu DNS API (#2417)
+* add support for Njalla DNS API (#2446)
+
 Fixed:
-* sftp update of write protected cert files with a numeric owner
+* sftp update of write protected cert files with a numeric owner (#2426)
 
 2.5
 

From 661be9e95fd5048afb24bf475023cb813473b3d0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 9 Jul 2021 11:34:25 +0200
Subject: [PATCH 0642/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 790c3b15a9..97ee0b6eaa 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		2.5
+PLUGIN_VERSION=		2.6
 PLUGIN_COMMENT=		Let's Encrypt client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From a4efaae149ed2fbf4d1c8e5cc9e86803a1e09800 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 9 Jul 2021 11:49:08 +0200
Subject: [PATCH 0643/3088] security/acme-client: change IP discovery URL,
 fixes #2419

---
 security/acme-client/pkg-descr                                 | 3 +++
 .../library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php  | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 6ae3cfff1d..bebb1192fb 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -19,6 +19,9 @@ Added:
 Fixed:
 * sftp update of write protected cert files with a numeric owner (#2426)
 
+Changed:
+* Namecheap: change IP discovery URL to avoid rate-limits (#2419)
+
 2.5
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php
index 5d252d3e98..43f94150f8 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNamecheap.php
@@ -45,7 +45,7 @@ public function prepare()
             $this->acme_env['NAMECHEAP_SOURCEIP'] = (string)$this->config->dns_namecheap_sourceip;
         } else {
             // Use a public service to get our source IP for Namecheap API
-            $this->acme_env['NAMECHEAP_SOURCEIP'] = 'https://ifconfig.co/ip';
+            $this->acme_env['NAMECHEAP_SOURCEIP'] = 'https://ipinfo.io/ip';
         }
     }
 }

From 66ad35a410fadf13881d11c5c2d1658fde001eb3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 9 Jul 2021 12:07:52 +0200
Subject: [PATCH 0644/3088] security/acme-client: add support for Domeneshop
 DNS API, fixes #2390

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsDomeneshop.php | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 68 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDomeneshop.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index bebb1192fb..be9ada2d62 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,7 @@ Added:
 * add support for DDNSS DNS API (#2415)
 * add support for Zone.eu DNS API (#2417)
 * add support for Njalla DNS API (#2446)
+* add support for Domeneshop DNS API (#2390)
 
 Fixed:
 * sftp update of write protected cert files with a numeric owner (#2426)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 128a43efdb..6fac8e3b5b 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -339,6 +339,21 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Domeneshop DNS API</label>
+        <type>header</type>
+        <style>table_dns table_dns_domeneshop</style>
+    </field>
+    <field>
+        <id>validation.dns_domeneshop_token</id>
+        <label>Token</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_domeneshop_secret</id>
+        <label>Secret</label>
+        <type>password</type>
+    </field>
     <field>
         <label>DNSPod</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDomeneshop.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDomeneshop.php
new file mode 100644
index 0000000000..09ca23a4fb
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDomeneshop.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Domeneshop API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDomeneshop extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DOMENESHOP_Token'] = (string)$this->config->dns_domeneshop_token;
+        $this->acme_env['DOMENESHOP_Secret'] = (string)$this->config->dns_domeneshop_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index af732bdb3d..1f3db5fd0b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -387,6 +387,7 @@
                         <dns_dgon>DigitalOcean API</dns_dgon>
                         <dns_da>DirectAdmin API</dns_da>
                         <dns_dnsimple>DNSimple API</dns_dnsimple>
+                        <dns_domeneshop>Domeneshop API</dns_domeneshop>
                         <dns_me>DNSMadeEasy.com API</dns_me>
                         <dns_dp>DNSPod.cn API</dns_dp>
                         <dns_doapi>Domain-Offensive LetsEncrypt API</dns_doapi>
@@ -545,6 +546,12 @@
                 <dns_do_password type="TextField">
                     <Required>N</Required>
                 </dns_do_password>
+                <dns_domeneshop_token type="TextField">
+                    <Required>N</Required>
+                </dns_domeneshop_token>
+                <dns_domeneshop_secret type="TextField">
+                    <Required>N</Required>
+                </dns_domeneshop_secret>
                 <dns_dp_id type="TextField">
                     <Required>N</Required>
                 </dns_dp_id>

From f7bdcda43cb5a2c150a9f6ee4eb2594faa6d9202 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 9 Jul 2021 12:15:06 +0200
Subject: [PATCH 0645/3088] security/acme-client: add support for IONOS domain
 API, fixes #2345

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsIonos.php      | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 68 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIonos.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index be9ada2d62..0f08eea380 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -16,6 +16,7 @@ Added:
 * add support for Zone.eu DNS API (#2417)
 * add support for Njalla DNS API (#2446)
 * add support for Domeneshop DNS API (#2390)
+* add support for IONOS domain API (#2345)
 
 Fixed:
 * sftp update of write protected cert files with a numeric owner (#2426)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 6fac8e3b5b..527601cfdc 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -550,6 +550,21 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>IONOS domain API</label>
+        <type>header</type>
+        <style>table_dns table_dns_ionos</style>
+    </field>
+    <field>
+        <id>validation.dns_ionos_prefix</id>
+        <label>Prefix</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_ionos_secret</id>
+        <label>Secret</label>
+        <type>password</type>
+    </field>
     <field>
         <label>IPSConfig</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIonos.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIonos.php
new file mode 100644
index 0000000000..19d1b51901
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIonos.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * IONOS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsIonos extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['IONOS_PREFIX'] = (string)$this->config->dns_ionos_prefix;
+        $this->acme_env['IONOS_SECRET'] = (string)$this->config->dns_ionos_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 1f3db5fd0b..70e5080e77 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -409,6 +409,7 @@
                         <dns_infoblox>Infoblox API</dns_infoblox>
                         <dns_infomaniak>Infomaniak API</dns_infomaniak>
                         <dns_inwx>INWX XMLRPC API</dns_inwx>
+                        <dns_ionos>IONOS domain API</dns_ionos>
                         <dns_ispconfig>ISPConfig 3.1+ API</dns_ispconfig>
                         <dns_joker>Joker API</dns_joker>
                         <dns_kinghost>KingHost DNS API</dns_kinghost>
@@ -621,6 +622,12 @@
                 <dns_inws_password type="TextField">
                     <Required>N</Required>
                 </dns_inws_password>
+                <dns_ionos_prefix type="TextField">
+                    <Required>N</Required>
+                </dns_ionos_prefix>
+                <dns_ionos_secret type="TextField">
+                    <Required>N</Required>
+                </dns_ionos_secret>
                 <dns_ispconfig_user type="TextField">
                     <Required>N</Required>
                 </dns_ispconfig_user>

From 6829dc1a2577ce9695d23e8170ae46f5a17075d3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 9 Jul 2021 12:35:51 +0200
Subject: [PATCH 0646/3088] net/haproxy: fix empty resolve-prefer option,
 closes #2340

---
 net/haproxy/pkg-descr                                        | 5 +++++
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index b445b6efae..4d9a646df1 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.4
+
+Fixed:
+* fix empty resolve-prefer option (#2340)
+
 3.3
 
 Changed:
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 5cd9e07221..cfb2c1d012 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1657,7 +1657,7 @@ backend {{backend.name}}
 {%               if backend.resolvePrefer|default("") != "" %}
 {#                 # prefer backend configuration #}
 {%                 do server_options.append('resolve-prefer ' ~ backend.resolvePrefer) %}
-{%               elif server_data.linkedResolver|default("") != "" %}
+{%               elif server_data.resolvePrefer|default("") != "" %}
 {%                 do server_options.append('resolve-prefer ' ~ server_data.resolvePrefer) %}
 {%               endif %}
 {#               # source address #}

From 70497698e08900c7d6926402a19b36168a4d3572 Mon Sep 17 00:00:00 2001
From: Harrison <harry@simans.net>
Date: Sat, 10 Jul 2021 03:52:55 -0400
Subject: [PATCH 0647/3088] net/FreeRADIUS: Fix issue with being unable to
 specify a CIDR (#2459)

---
 net/freeradius/Makefile                                       | 2 +-
 net/freeradius/pkg-descr                                      | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml    | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 871235bcd0..b9f22ddb84 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.14
+PLUGIN_VERSION=		1.9.15
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 7c1e16e60c..2ea2e9084e 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.15
+
+* Fixed validation of CIDR for client network ranges
+
 1.9.14
 
 * Updates comments in mods-enabled-eap to match upstream version 3.0.22
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
index da69e00e95..22caf41c24 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/client</mount>
     <description>FreeRADIUS client configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <clients>
             <client type="ArrayField">
@@ -15,7 +15,7 @@
                 <secret type="TextField">
                     <Required>Y</Required>
                 </secret>
-                <ip type="HostnameField">
+                <ip type="NetworkField">
                     <Required>N</Required>
                 </ip>
             </client>

From 75a4a908b1da13752da311c9599551c841a100e2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 11 Jul 2021 13:45:00 +0200
Subject: [PATCH 0648/3088] net-mgmt/zabbix-agent: allow CIDR notation,
 resolves #2296

---
 net-mgmt/zabbix-agent/pkg-descr                              | 5 +++++
 .../mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml      | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index e080b7c51c..f8168dc7cf 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,11 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.9
+
+Added:
+* Allow CIDR notation in "Zabbix Servers" field (#2296)
+
 1.8
 
 * Add Changelog (contributed by Starkstromkonsument)
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index aebf63777e..346cba8465 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -22,7 +22,7 @@
                     <default>127.0.0.1</default>
                     <Required>Y</Required>
                     <multiple>Y</multiple>
-                    <mask>/^([a-zA-Z0-9\.:\[\]\-]*?,)*([a-zA-Z0-9\.:\[\]\-]*)$/</mask>
+                    <mask>/^([a-zA-Z0-9\.:\[\]\-\/]*?,)*([a-zA-Z0-9\.:\[\]\-\/]*)$/</mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid Zabbix server addresses, i.e. 10.0.0.1 or zabbix.example.com.</ValidationMessage>
                 </serverList>

From c82fbd5a7591ac86ae244fb1b41f4b6a0ed25047 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 11 Jul 2021 13:46:47 +0200
Subject: [PATCH 0649/3088] net-mgmt/zabbix-agent: reformat changelog

---
 net-mgmt/zabbix-agent/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index f8168dc7cf..88a5698583 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -19,6 +19,11 @@ Added:
 
 1.8
 
+Added:
 * Add Changelog (contributed by Starkstromkonsument)
+
+Fixed:
 * Fix logformat (contributed by Starkstromkonsument)
+
+Changed:
 * Switch to Zabbix Agent 5.0

From cc147ed4ff6002f29953ce39cd89d54398ca4216 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 11 Jul 2021 13:47:05 +0200
Subject: [PATCH 0650/3088] net-mgmt/zabbix-agent: bump version

---
 net-mgmt/zabbix-agent/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 40f39eee66..b1160326c8 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_DEPENDS=		zabbix5-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 71afeecb2b0abac2fe67f30983394d64b0c1c738 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 11 Jul 2021 14:13:19 +0200
Subject: [PATCH 0651/3088] net-mgmt/zabbix-agent: use "NetworkField" wherever
 applicable

---
 net-mgmt/zabbix-agent/pkg-descr                 |  3 +++
 .../OPNsense/ZabbixAgent/forms/settings.xml     |  5 +++--
 .../models/OPNsense/ZabbixAgent/ZabbixAgent.xml | 17 +++++++++--------
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 88a5698583..58fa72932d 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -17,6 +17,9 @@ Plugin Changelog
 Added:
 * Allow CIDR notation in "Zabbix Servers" field (#2296)
 
+Changed:
+* Use "NetworkField" wherever applicable for better input validation
+
 1.8
 
 Added:
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
index 8618b53785..406ae29a4b 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
@@ -31,7 +31,8 @@
             <id>zabbixagent.settings.main.sourceIP</id>
             <label>Source IP</label>
             <type>text</type>
-            <help><![CDATA[Source IP address for outgoing connections.]]></help>
+            <hint>Optional</hint>
+            <help><![CDATA[An optional source IP address for outgoing connections.]]></help>
         </field>
         <field>
             <id>zabbixagent.settings.main.serverList</id>
@@ -112,7 +113,7 @@
             <type>select_multiple</type>
             <style>tokenize</style>
             <allownew>true</allownew>
-            <help><![CDATA[List of IP:port (or hostname:port) pairs of Zabbix servers for active checks. If port is not specified, default port is used. IPv6 addresses must be enclosed in square brackets if port for that host is specified. If port is not specified, square brackets for IPv6 addresses are optional. If this parameter is not specified, active checks are disabled. Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]]]></help>
+            <help><![CDATA[List of IP:port (or hostname:port) pairs of Zabbix servers for active checks. If port is not specified, the default port is used. IPv6 addresses must be enclosed in square brackets if the port for that host is specified. If the port is not specified, square brackets for IPv6 addresses are optional. If this parameter is not specified, active checks are disabled. Examples: zabbix.example.com, 10.0.0.2:20051, [::1]:30051,::1, [12fc::1]]]></help>
         </field>
         <field>
             <id>zabbixagent.settings.features.refreshActiveChecks</id>
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index 346cba8465..bf622ad70b 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -24,7 +24,7 @@
                     <multiple>Y</multiple>
                     <mask>/^([a-zA-Z0-9\.:\[\]\-\/]*?,)*([a-zA-Z0-9\.:\[\]\-\/]*)$/</mask>
                     <ChangeCase>lower</ChangeCase>
-                    <ValidationMessage>Please provide valid Zabbix server addresses, i.e. 10.0.0.1 or zabbix.example.com.</ValidationMessage>
+                    <ValidationMessage>Please provide valid Zabbix server addresses, i.e. zabbix.example.com, 10.0.0.2 or 10.0.0.0/24.</ValidationMessage>
                 </serverList>
                 <listenPort type="IntegerField">
                     <default>10050</default>
@@ -32,18 +32,19 @@
                     <MaximumValue>65535</MaximumValue>
                     <Required>Y</Required>
                 </listenPort>
-                <listenIP type="CSVListField">
+                <listenIP type="NetworkField">
                     <default>0.0.0.0</default>
                     <Required>Y</Required>
                     <multiple>Y</multiple>
-                    <mask>/^((([0-9a-zA-Z._\-\*:]+)([,]){0,1}))*/u</mask>
-                    <ChangeCase>lower</ChangeCase>
-                    <ValidationMessage>Please provide valid IP addresses, i.e. 10.0.0.1.</ValidationMessage>
+                    <NetMaskAllowed>N</NetMaskAllowed>
+                    <asList>Y</asList>
+                    <FieldSeparator>,</FieldSeparator>
+                    <ValidationMessage>Please provide one or more valid IP addresses, i.e. 10.0.0.1.</ValidationMessage>
                 </listenIP>
-                <sourceIP type="TextField">
+                <sourceIP type="NetworkField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <NetMaskAllowed>N</NetMaskAllowed>
+                    <ValidationMessage>Please provide a valid IP address, i.e. 10.0.0.1.</ValidationMessage>
                 </sourceIP>
                 <logFileSize type="IntegerField">
                     <default>100</default>

From fd0aa8e3cd15f02032e6e369adfb0504b533f165 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 11 Jul 2021 14:24:58 +0200
Subject: [PATCH 0652/3088] net-mgmt/zabbix-agent: add changelog for past
 releases

---
 net-mgmt/zabbix-agent/pkg-descr | 41 +++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 58fa72932d..0bb3b893dd 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -23,10 +23,47 @@ Changed:
 1.8
 
 Added:
-* Add Changelog (contributed by Starkstromkonsument)
+* Add Changelog (contributed by Starkstromkonsument, #1954)
 
 Fixed:
-* Fix logformat (contributed by Starkstromkonsument)
+* Fix logformat (contributed by Starkstromkonsument, #1954)
 
 Changed:
 * Switch to Zabbix Agent 5.0
+
+1.7
+
+Added:
+* Add support for PSK encryption (#1618)
+
+Changed:
+* Switch to new log view (#1593)
+
+1.6
+
+Added:
+* Add option to grant sudo root access
+
+1.5
+
+Fixed:
+* Relax validation mask for User Parameters (#1252)
+
+Changed:
+* Migrate to ApiMutableServiceController
+
+1.4
+
+Added:
+* Add support for Item Key Aliases
+* Add support for User Parameters
+
+Changed:
+* Switch to Zabbix Agent 4.0 (#1091)
+* Remove default comments from template
+
+1.3
+
+Fixed:
+* Add working default values (#491)
+* Fixed service controls (#551)

From 2a5bb93007bb7092e2f85555b84b71409adeab84 Mon Sep 17 00:00:00 2001
From: "Bradlee H. Edmondson" <bradleeedmondson@users.noreply.github.com>
Date: Sun, 11 Jul 2021 08:32:02 -0400
Subject: [PATCH 0653/3088] net-mgmt/zabbix-agent: add syslog option (#2348)

* zabbix_agentd.conf: handle enableSyslog condition

zabbix_agentd.conf: Write 'system' for logging to syslog or 'file' (plus file options) for logging to file

* ZabbixAgent.xml: add syslogEnable option

* settings.xml: describe option for enabling syslog
---
 .../controllers/OPNsense/ZabbixAgent/forms/settings.xml  | 7 +++++++
 .../mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml  | 4 ++++
 .../templates/OPNsense/ZabbixAgent/zabbix_agentd.conf    | 9 ++++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
index 8618b53785..0ec47135a5 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
@@ -41,6 +41,13 @@
             <allownew>true</allownew>
             <help><![CDATA[List of IP addresses (or hostnames) of Zabbix servers. Incoming connections will be accepted only from the hosts listed here.]]></help>
         </field>
+        <field>
+            <id>zabbixagent.settings.main.syslogEnable</id>
+            <label>Log to syslog</label>
+            <type>text</type>
+            <help><![CDATA[Use syslog, instead of logging to file.]]></help>
+            <advanced>true</advanced>
+        </field>
         <field>
             <id>zabbixagent.settings.main.logFileSize</id>
             <label>Log File Size</label>
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index aebf63777e..4786605fd3 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -45,6 +45,10 @@
                     <mask>/^.{1,255}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </sourceIP>
+                <syslogEnable type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </syslogEnable>
                 <logFileSize type="IntegerField">
                     <default>100</default>
                     <MinimumValue>1</MinimumValue>
diff --git a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
index 9a258e07a1..d38321723b 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
+++ b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
@@ -7,10 +7,17 @@
 ############ GENERAL PARAMETERS #################
 
 PidFile=/var/run/zabbix/zabbix_agentd.pid
+
+
+{% if helpers.exists('OPNsense.ZabbixAgent.settings.main.syslogEnable') and OPNsense.ZabbixAgent.settings.main.syslogEnable|default('0') == '1' %}
+LogType=system
+{% else %}
 LogType=file
 LogFile=/var/log/zabbix/zabbix_agentd.log
-
 LogFileSize={{OPNsense.ZabbixAgent.settings.main.logFileSize}}
+{% endif %}
+
+
 DebugLevel={{OPNsense.ZabbixAgent.settings.main.debugLevel|replace("val_", "")}}
 
 {% if helpers.exists('OPNsense.ZabbixAgent.settings.main.sourceIP') %}

From 3cd19129edcbad077efe3b9728734b0e760447e7 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 11 Jul 2021 14:34:55 +0200
Subject: [PATCH 0654/3088] net-mgmt/zabbix-agent: update changelog, bump model
 version

---
 net-mgmt/zabbix-agent/pkg-descr                                 | 1 +
 .../mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml         | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 0bb3b893dd..8e22f33350 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 
 Added:
 * Allow CIDR notation in "Zabbix Servers" field (#2296)
+* Add syslog option, allow logging to syslog (#2348)
 
 Changed:
 * Use "NetworkField" wherever applicable for better input validation
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index bf622ad70b..bbc416f0d3 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/ZabbixAgent</mount>
-    <version>1.2.3</version>
+    <version>1.2.4</version>
     <description>Zabbix monitoring agent</description>
     <items>
         <!-- local settings that should NOT be synced to another node -->

From 5e445a4dde147d7c93ceb81e9a3f1d005a4b859c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 11 Jul 2021 14:39:52 +0200
Subject: [PATCH 0655/3088] net-mgmt/zabbix-agent: post-merge fixes, refs #2348

---
 .../app/controllers/OPNsense/ZabbixAgent/forms/settings.xml  | 5 ++---
 .../templates/OPNsense/ZabbixAgent/zabbix_agentd.conf        | 2 --
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
index 9735389b8e..8af59aceab 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
@@ -45,9 +45,8 @@
         <field>
             <id>zabbixagent.settings.main.syslogEnable</id>
             <label>Log to syslog</label>
-            <type>text</type>
-            <help><![CDATA[Use syslog, instead of logging to file.]]></help>
-            <advanced>true</advanced>
+            <type>checkbox</type>
+            <help><![CDATA[Use syslog instead of logging to a file.]]></help>
         </field>
         <field>
             <id>zabbixagent.settings.main.logFileSize</id>
diff --git a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
index d38321723b..3974f44086 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
+++ b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
@@ -8,7 +8,6 @@
 
 PidFile=/var/run/zabbix/zabbix_agentd.pid
 
-
 {% if helpers.exists('OPNsense.ZabbixAgent.settings.main.syslogEnable') and OPNsense.ZabbixAgent.settings.main.syslogEnable|default('0') == '1' %}
 LogType=system
 {% else %}
@@ -17,7 +16,6 @@ LogFile=/var/log/zabbix/zabbix_agentd.log
 LogFileSize={{OPNsense.ZabbixAgent.settings.main.logFileSize}}
 {% endif %}
 
-
 DebugLevel={{OPNsense.ZabbixAgent.settings.main.debugLevel|replace("val_", "")}}
 
 {% if helpers.exists('OPNsense.ZabbixAgent.settings.main.sourceIP') %}

From ed8ba4e67445a427b7c12c78b5232e18055890f6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 11 Jul 2021 14:43:50 +0200
Subject: [PATCH 0656/3088] security/acme-client: bump model version

---
 .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 70e5080e77..29a998e7b0 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>2.0.0</version>
+    <version>2.1.0</version>
     <description>A secure Let's Encrypt plugin</description>
     <items>
         <settings>

From baef02807673bbce1e3eba9405d2cf0ce2b5b314 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jul 2021 08:24:58 +0200
Subject: [PATCH 0657/3088] net/haproxy: for #2457

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 0a46eb1dd2..b17e6fb8d6 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.3
+PLUGIN_VERSION=		3.4
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de

From da4743e2e98340ee2fc93359be06faa52865f1dd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jul 2021 09:02:10 +0200
Subject: [PATCH 0658/3088] ftp/tftp: release 1.0 and sync

---
 LICENSE           | 4 ++++
 README.md         | 2 +-
 ftp/tftp/Makefile | 3 +--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/LICENSE b/LICENSE
index 33e3021840..4e612f5904 100644
--- a/LICENSE
+++ b/LICENSE
@@ -15,6 +15,7 @@ Copyright (c) 2017-2019 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2021 Frank Wall
+Copyright (c) 2021 Github-jjw
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021 Jan Winkler
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
@@ -22,10 +23,13 @@ Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019 Juergen Kellerer
 Copyright (c) 2020 Manuel Faux
+Copyright (c) 2021 Manuel Hofmann
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2020 Marc Leuser
+Copyright (c) 2021 Marcel Koepfli
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2021 Nim G
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
diff --git a/README.md b/README.md
index 57e83bfd17..6d761ebadf 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
 dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
 emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
-ftp/tftp -- TFTP server (development only)
+ftp/tftp -- TFTP server
 mail/fetchmail -- Remote-mail retrieval utility
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
diff --git a/ftp/tftp/Makefile b/ftp/tftp/Makefile
index 8a8d93eb02..7b150eabcb 100644
--- a/ftp/tftp/Makefile
+++ b/ftp/tftp/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		tftp
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		TFTP server
 PLUGIN_DEPENDS=		tftp-hpa
-PLUGIN_DEVEL=		yes
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From 72d35cb714dd949742fdf6470283473bbbea0bdb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Jul 2021 10:52:03 +0200
Subject: [PATCH 0659/3088] Framework: demote errors to warnings

---
 Mk/defaults.mk | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 57f9e39597..69c1125f24 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -72,16 +72,16 @@ _PLUGIN_PYTHON!=${PYTHONLINK} -V
 PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
-.if empty(DEVABI)
-. for REPLACEMENT in ABI PHP PYTHON
-.  if empty(PLUGIN_${REPLACEMENT})
-.   error Cannot build without PLUGIN_${REPLACEMENT} set
-.  endif
-. endfor
-.else
+.if !empty(DEVABI)
 PLUGIN_ABI=	${DEVABI}
 .endif
 
+.for REPLACEMENT in ABI PHP PYTHON
+. if empty(PLUGIN_${REPLACEMENT})
+.  warning Cannot build without PLUGIN_${REPLACEMENT} set
+. endif
+.endfor
+
 REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_ARCH \
 		PLUGIN_FLAVOUR \

From 3462fcfc0510578cbd72f38482a58fea74820442 Mon Sep 17 00:00:00 2001
From: gyorsok <gyorsok@users.noreply.github.com>
Date: Thu, 29 Jul 2021 12:30:44 +0200
Subject: [PATCH 0660/3088] dns/bind: slave zone master ip should be a list
 (#2424)

---
 dns/bind/Makefile                                           | 2 +-
 dns/bind/pkg-descr                                          | 4 ++++
 .../OPNsense/Bind/forms/dialogEditBindDomain.xml            | 4 +++-
 .../src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml    | 6 ++++--
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf | 2 +-
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 2f0d237624..08fc3e7af9 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.17
+PLUGIN_VERSION=		1.18
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index d35ebdb90b..5e7e6e27ac 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.18
+
+* Allow specifying multiple masters for slave zones
+
 1.17
 
 * Make "Allow Transfer" and "Allow Query" configuration available to slave zones (contributed by Ang Iongchun)
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
index c5e51d4928..7d01d57089 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
@@ -37,7 +37,9 @@
     <field>
         <id>domain.masterip</id>
         <label>Master IP</label>
-        <type>text</type>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew> 
         <help>Set the IP address of master server when using slave mode.</help>
     </field>
     <field>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 8fc55f2c8e..8aad51f826 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/domain</mount>
     <description>BIND domain configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
         <domains>
             <domain type="ArrayField">
@@ -17,8 +17,10 @@
                         <slave>slave</slave>
                     </OptionValues>
                 </type>
-                <masterip type="HostnameField">
+                <masterip type="NetworkField">
                     <Required>N</Required>
+                    <FieldSeparator>,</FieldSeparator>
+                    <asList>Y</asList>
                 </masterip>
                 <allownotifyslave type="NetworkField">
                     <Required>N</Required>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index e6f4a53d27..7f8d5a708b 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -127,7 +127,7 @@ zone "rpzbing" { type master; file "/usr/local/etc/namedb/master/bing.db"; notif
 {%     if domain.enabled == '1' %}
 {%     set allow_transfer = helpers.getUUID(domain.allowtransfer) %}
 {%     set allow_query = helpers.getUUID(domain.allowquery) %}
-zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip }}; }; {% if domain.allownotifyslave is defined %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
+zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip.replace(',', '; ') }}; }; {% if domain.allownotifyslave is defined %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
 {%     endif %}
 {%   endfor %}
 {% endif %}

From 46a44dc0642c6e7ea51f0729c15e17223287d6b4 Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Thu, 29 Jul 2021 12:53:20 +0200
Subject: [PATCH 0661/3088] mail/postfix: make `delay_warning_time`
 configurable (#2469)

---
 mail/postfix/Makefile                                      | 2 +-
 mail/postfix/pkg-descr                                     | 4 ++++
 .../mvc/app/controllers/OPNsense/Postfix/forms/general.xml | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Postfix/General.xml   | 7 +++++++
 .../opnsense/service/templates/OPNsense/Postfix/main.cf    | 4 ++++
 5 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index cbf3339046..399eb2d626 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.19
+PLUGIN_VERSION=		1.20
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix-sasl
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index ad3563c437..49ff2b05a2 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.20
+
+* Make 'delay_warning_time' configurable in the UI
+
 1.19
 
 * Add TLS server/ client compatibility modes based on Mozilla's TLS configuration recommendations (https://ssl-config.mozilla.org).
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index dda5f8f2b5..24df5c4a1b 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -241,4 +241,10 @@
         <type>checkbox</type>
         <help>Use Recipient Address Verification. Please keep in mind that this could put significant load onto the next server.</help>
     </field>
+    <field>
+        <id>general.delay_warning_time</id>
+        <label>Delay Warning Time</label>
+        <type>text</type>
+        <help>Time until we send a notification to the sender if mail is delayed (in hours) - 0 or empty to disable.</help>
+    </field>
 </form>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index 4f0e11d8c4..4be05625e7 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -185,5 +185,12 @@
             <default>0</default>
             <Required>Y</Required>
         </reject_unverified_recipient>
+        <delay_warning_time type="IntegerField">
+            <default>0</default>
+            <Required>N</Required>
+            <MinimumValue>0</MinimumValue>
+            <MaximumValue>24</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 24 to activate - 0 or empty to disable.</ValidationMessage>
+        </delay_warning_time>
     </items>
 </model>
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 6301219587..784b87b894 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -223,6 +223,10 @@ relay_recipient_maps = hash:/usr/local/etc/postfix/recipient_access
 smtpd_recipient_restrictions = {{ smtpd_recipient_restrictions | join(', ') }}
 {% endif %}
 
+{% if helpers.exists('OPNsense.postfix.general.delay_warning_time') and OPNsense.postfix.general.delay_warning_time != '0' %}
+delay_warning_time = {{ OPNsense.postfix.general.delay_warning_time }}h
+{% endif %}
+
 smtpd_helo_required = yes
 
 {% if helpers.exists('OPNsense.postfix.general.extensive_helo_restrictions') and OPNsense.postfix.general.extensive_helo_restrictions == '1' %}

From b3d607153476c13255cb1b043508f18d7a013af8 Mon Sep 17 00:00:00 2001
From: Neozlag <50456371+Neozlag@users.noreply.github.com>
Date: Thu, 29 Jul 2021 14:39:14 +0200
Subject: [PATCH 0662/3088] Replace stop action by the reload option in
 reconfigureForceRestart (#2450)

---
 .../OPNsense/Nginx/Api/ServiceController.php  | 25 +++----------------
 .../service/conf/actions.d/actions_nginx.conf |  6 +++++
 2 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
index c72fa511c9..b783fb05a2 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
@@ -57,27 +57,6 @@ public function stopAction()
      * @throws \Exception when configd action fails
      * @throws \ReflectionException when model can't be instantiated
      */
-    public function reconfigureAction()
-    {
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-            $model = $this->getModel();
-            $backend = new Backend();
-            if ($this->reconfigureForceRestart()) {
-                $backend->configdRun('nginx stop');
-            }
-            $backend->configdRun('template reload OPNsense/Nginx');
-            $runStatus = $this->statusAction();
-            if ($runStatus['status'] != 'running') {
-                $backend->configdRun('nginx start');
-            } else {
-                $backend->configdRun('nginx reload');
-            }
-            return array('status' => 'ok');
-        } else {
-            return array('status' => 'failed');
-        }
-    }
 
     /**
      * retrieve status of service
@@ -117,4 +96,8 @@ public function vtsAction()
         $this->response->setStatusCode(404, "Not Found");
         return array();
     }
+    
+    protected function reconfigureForceRestart() {
+        return 0;
+    }
 }
diff --git a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
index 73cda14033..8b7d4ebdcd 100644
--- a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
+++ b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
@@ -60,3 +60,9 @@ type:script
 command:/usr/local/opnsense/scripts/nginx/vts.php
 parameters:
 type:script_output
+
+[reload]
+command:/usr/local/etc/rc.d/nginx reload
+parameters:
+type:script_output
+message:reloading nginx

From ac4febaa9325d4a97339afb4e604f9c0bf932777 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 31 Jul 2021 14:30:57 +0200
Subject: [PATCH 0663/3088] security/acme-client: add support for new ACME
 CA's, closes #2361

---
 security/acme-client/pkg-descr                |  9 ++++
 .../OPNsense/AcmeClient/forms/settings.xml    |  6 +--
 .../library/OPNsense/AcmeClient/LeAccount.php |  8 +--
 .../OPNsense/AcmeClient/LeAutomation/Base.php |  6 +--
 .../OPNsense/AcmeClient/LeCertificate.php     |  6 +--
 .../library/OPNsense/AcmeClient/LeCommon.php  | 28 ++++++++--
 .../OPNsense/AcmeClient/LeValidation/Base.php | 10 ++--
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 16 +++++-
 .../OPNsense/AcmeClient/Migrations/M3_0_0.php | 54 +++++++++++++++++++
 .../views/OPNsense/AcmeClient/settings.volt   |  4 +-
 10 files changed, 120 insertions(+), 27 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_0_0.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 0f08eea380..b6dc6e05ea 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,15 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.0
+
+Added:
+* add support for new ACME CA's: buypass, buypass_test, sslcom, zerossl (#2361)
+
+Changed:
+* rename "Let's Encrypt Environment" to "ACME CA" (#2361)
+* preserve old LE accounts/certs by adding a compatibility layer (#2361)
+
 2.6
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index ad0247d9e4..b72241e641 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -12,10 +12,10 @@
         <help><![CDATA[Enable automatic renewal for certificates to prevent expiration. This will add a cron job to the system. You may want to customize the cron job schedule to your needs, because re-issueing a certificate may lead to a short downtime, depending on the selected challenge type and service.]]></help>
     </field>
     <field>
-        <id>acmeclient.settings.environment</id>
-        <label>Let's Encrypt Environment</label>
+        <id>acmeclient.settings.ca</id>
+        <label>ACME CA</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose Let's Encrypts staging environment when using it for the first time or while testing new challenge types. The staging environment offers <a href="https://letsencrypt.org/docs/staging-environment/">relaxed rate limits</a>.<br/><div class="text-info"><b>NOTE:</b>Certificates signed by the staging environment are NOT valid. You need to forcefully re-sign (or delete and re-create) them after switching from staging to production environment.</div>]]></help>
+        <help><![CDATA[The ACME CA that should be used to issue or renew certificates. Note that some of them offer paid services and may require a subscription. Check the <a href="https://github.com/acmesh-official/acme.sh/wiki/Server">acme.sh documentation</a> for a list of supported CAs.]]></help>
     </field>
     <field>
         <id>acmeclient.settings.haproxyIntegration</id>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index dc8f0d33f8..5aa9e2ab20 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -53,8 +53,8 @@ public function __construct(string $uuid)
         // Set log level
         $this->setLoglevel();
 
-        // Set Let's Encrypt environment
-        $this->setEnvironment();
+        // Set ACME CA
+        $this->setCa();
 
         // Store acme filenames
         $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
@@ -66,7 +66,7 @@ public function __construct(string $uuid)
     public function generateKey()
     {
         // Collect account information
-        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . (string)$this->config->id . '_' . $this->environment;
+        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . (string)$this->config->id . '_' . $this->ca_compat;
         $account_conf_file = $account_conf_dir . '/account.conf';
         $account_key_file = $account_conf_dir . '/account.key';
         $account_json_file = $account_conf_dir . '/account.json';
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index b6a07a7275..67ce269f2d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
@@ -63,8 +63,8 @@ public function init(string $certid, string $accountuuid)
         // Set log level
         $this->setLoglevel();
 
-        // Set Let's Encrypt environment
-        $this->setEnvironment();
+        // Set ACME CA
+        $this->setCa();
 
         return true;
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 97b4d2364e..bc84d49b3b 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -74,8 +74,8 @@ public function __construct(string $uuid, bool $force = false, bool $cron = fals
         // Set log level
         $this->setLoglevel();
 
-        // Set Let's Encrypt environment
-        $this->setEnvironment();
+        // Set ACME CA
+        $this->setCa();
 
         // Handle special key types
         if ($this->config->keyLength == 'key_ec256' || $this->config->keyLength == 'key_ec384') {
@@ -528,7 +528,7 @@ public function revoke()
         LeUtils::log('revoking certificate: ' . (string)$this->config->name);
 
         // Collect account information
-        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . $this->account_id . '_' . $this->environment;
+        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . $this->account_id . '_' . $this->ca_compat;
         $account_conf_file = $account_conf_dir . '/account.conf';
 
         // Preparation to run acme client
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index 151445d0c7..422a825084 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -83,7 +83,8 @@ abstract class LeCommon
     protected $cron;                # Run from cron job
     protected $config;              # AcmeClient config object
     protected $debug;               # Debug logging (bool)
-    protected $environment;         # Let's Encrypt environment (uses shortnames)
+    protected $ca;                  # ACME CA
+    protected $ca_compat;           # ACME CA for compat with old LE CA names
     protected $force;               # Force operation
     protected $model;               # AcmeClient model object
     protected $uuid;                # AcmeClient config object uuid
@@ -136,12 +137,29 @@ public function isEnabled()
     }
 
     /**
-     * set Let's Encrypt environment for acme.sh
+     * set ACME CA for acme.sh
      */
-    public function setEnvironment()
+    public function setCa()
     {
-        $this->environment = (string)$this->model->getNodeByReference('settings.environment');
-        $this->acme_args[] = $this->environment == 'stg' ? '--staging' : null;
+        $this->ca = (string)$this->model->getNodeByReference('settings.ca');
+        $this->acme_args[] = LeUtils::execSafe('--server %s', $this->ca);
+
+        // Evaluate how the CA should be represented in filenames.
+        // This is a compatibility layer. It ensures that old files that
+        // were generated for the Let's Encrypt Production/Staging CA
+        // can still be used.
+        switch ($this->ca) {
+            case 'letsencrypt':
+                $ca_compat = 'prod';
+                break;
+            case 'letsencrypt_test':
+                $ca_compat = 'stg';
+                break;
+            default:
+                $ca_compat = $this->ca;
+                break;
+        }
+        $this->ca_compat = $ca_compat;
     }
 
     /**
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index a694432288..0c2dcb317a 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
@@ -73,8 +73,8 @@ public function init(string $certid, string $accountuuid)
         // Set log level
         $this->setLoglevel();
 
-        // Set Let's Encrypt environment
-        $this->setEnvironment();
+        // Set ACME CA
+        $this->setCa();
 
         // Store acme hook
         switch ((string)$this->config->method) {
@@ -141,8 +141,8 @@ public function run(bool $renew = false)
             }
         }
 
-        // Use individual account config for each environment
-        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . $this->account_id . '_' . $this->environment;
+        // Use individual account config for each CA
+        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . $this->account_id . '_' . $this->ca_compat;
         $account_conf_file = $account_conf_dir . '/account.conf';
 
         // Preparation to run acme client
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 29a998e7b0..a105ce5987 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>2.1.0</version>
+    <version>3.0.0</version>
     <description>A secure Let's Encrypt plugin</description>
     <items>
         <settings>
@@ -27,13 +27,25 @@
                 <Required>N</Required>
             </UpdateCron>
             <environment type="OptionField">
-                <Required>Y</Required>
+                <Required>N</Required>
                 <default>prod</default>
                 <OptionValues>
                     <prod>Production Environment [default]</prod>
                     <stg>Staging Environment</stg>
                 </OptionValues>
             </environment>
+            <ca type="OptionField">
+                <Required>Y</Required>
+                <default></default>
+                <OptionValues>
+                    <buypass>Buypass</buypass>
+                    <buypass_test>Buypass Test CA</buypass_test>
+                    <letsencrypt>Let's Encrypt [default]</letsencrypt>
+                    <letsencrypt_test>Let's Encrypt Test CA</letsencrypt_test>
+                    <sslcom>SSL.com</sslcom>
+                    <zerossl>ZeroSSL</zerossl>
+                </OptionValues>
+            </ca>
             <challengePort type="IntegerField">
                 <default>43580</default>
                 <MinimumValue>1024</MinimumValue>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_0_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_0_0.php
new file mode 100644
index 0000000000..a2f0262e56
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_0_0.php
@@ -0,0 +1,54 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M3_0_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Get old LE environment and map to new value
+        $env = (string)$model->settings->environment;
+        switch ($env) {
+            case 'prod':
+                $new_ca = 'letsencrypt';
+                break;
+            case 'stg':
+                $new_ca = 'letsencrypt_test';
+                break;
+        }
+
+        // Set new CA
+        $model->settings->ca = $new_ca;
+        $model->settings->environment = null; // clear old value
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index 2d1b034e74..a77378f439 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2017-2019 Frank Wall
+Copyright (C) 2017-2021 Frank Wall
 OPNsense® is Copyright © 2014-2015 by Deciso B.V.
 All rights reserved.
 
@@ -247,7 +247,7 @@ POSSIBILITY OF SUCH DAMAGE.
         <br/>
     </div>
     <div class="col-md-12">
-        <b>{{ lang._("Please read the official %sLet's Encrypt documentation%s before using this plugin. Otherwise you will easily hit its %srate limits%s and thus all your attempts to issue a certificate will fail.") | format('<a href="https://letsencrypt.org/how-it-works/">', '</a>', '<a href="https://letsencrypt.org/docs/rate-limits/">', '</a>') }}</b>{{ lang._("Please use Let's Encrypt's %sstaging servers%s when using this plugin for the first time or while testing a new challenge type. You will have to reissue your certificates when switching from staging to production servers to get valid certificates.") | format('<a href="https://letsencrypt.org/docs/staging-environment/">', '</a>') }}
+        <b>{{ lang._("Please read the official %sLet's Encrypt documentation%s before using this plugin. It should give you a good overview about how the various ACME CAs work, so you do not hit their %srate limits%s and avoid common misconfigurations, which would let all your attempts to issue a certificate fail.") | format('<a href="https://letsencrypt.org/how-it-works/">', '</a>', '<a href="https://letsencrypt.org/docs/rate-limits/">', '</a>') }}</b>{{ lang._("Please use a %stest CA%s when using this plugin for the first time or while testing a new challenge type. Note that you will have to reissue your certificates when switching from a test to a production CA to get valid certificates.") | format('<a href="https://letsencrypt.org/docs/staging-environment/">', '</a>') }}
         <br/>
         {{ lang._('Please use the %sissue tracker%s to report bugs or request new features.') | format('<a href="https://github.com/opnsense/plugins/issues">', '</a>') }}
         <br/>

From 5e1210bb0df8be4855024d4653630c46200f95a5 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 31 Jul 2021 14:53:20 +0200
Subject: [PATCH 0664/3088] security/acme-client: rename to "ACME Client", refs
 #2361

---
 security/acme-client/Makefile                        |  2 +-
 security/acme-client/pkg-descr                       |  1 +
 .../src/etc/inc/plugins.inc.d/acmeclient.inc         |  4 ++--
 .../OPNsense/AcmeClient/Api/SettingsController.php   | 10 +++++-----
 .../OPNsense/AcmeClient/forms/dialogCertificate.xml  |  8 ++++----
 .../OPNsense/AcmeClient/forms/dialogValidation.xml   |  6 +++---
 .../OPNsense/AcmeClient/forms/settings.xml           |  4 ++--
 .../app/library/OPNsense/AcmeClient/LeAccount.php    |  4 ++--
 .../OPNsense/AcmeClient/LeAutomationInterface.php    |  4 ++--
 .../library/OPNsense/AcmeClient/LeCertificate.php    | 12 ++++++------
 .../mvc/app/library/OPNsense/AcmeClient/LeCommon.php |  2 +-
 .../OPNsense/AcmeClient/LeValidationInterface.php    |  4 ++--
 .../mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml   |  6 +++---
 .../app/models/OPNsense/AcmeClient/AcmeClient.xml    |  2 +-
 .../mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml |  5 ++---
 .../mvc/app/views/OPNsense/AcmeClient/accounts.volt  |  4 ++--
 .../opnsense/scripts/OPNsense/AcmeClient/lecert.php  |  8 ++++----
 .../service/conf/actions.d/actions_acmeclient.conf   |  2 +-
 .../OPNsense/AcmeClient/lighttpd-acme-challenge.conf |  2 +-
 19 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 97ee0b6eaa..de8023fa3b 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		2.6
-PLUGIN_COMMENT=		Let's Encrypt client
+PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
 
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index b6dc6e05ea..101894d32b 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,7 @@ Added:
 * add support for new ACME CA's: buypass, buypass_test, sslcom, zerossl (#2361)
 
 Changed:
+* rename plugin from "Let's Encrypt client" to "ACME Client" (#2361)
 * rename "Let's Encrypt Environment" to "ACME CA" (#2361)
 * preserve old LE accounts/certs by adding a compatibility layer (#2361)
 
diff --git a/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc b/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
index 801a1fb076..92b8881e20 100644
--- a/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
+++ b/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2021 Frank Wall
  *    All rights reserved.
  *
  *    Redistribution and use in source and binary forms, with or without
@@ -58,7 +58,7 @@ function acmeclient_services()
     }
 
     $services[] = array(
-        'description' => gettext('Let\'s Encrypt client'),
+        'description' => gettext('ACME client'),
         'pidfile' => '/var/run/lighttpd-acme-challenge.pid',
         'configd' => array(
             'restart' => array('acme-http-challenge restart'),
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index 3dee7cfb25..c8bef98053 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2021 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -263,7 +263,7 @@ public function fetchHAProxyIntegrationAction()
                     // Add a new HAProxy ACL
                     $acl_uuid = $mdlHAProxy->newAcl(
                         "find_acme_challenge",
-                        "Added by Let's Encrypt plugin",
+                        "Added by ACME Client plugin",
                         "path_beg",
                         "0",
                         array("path_beg" => "/.well-known/acme-challenge/")
@@ -273,7 +273,7 @@ public function fetchHAProxyIntegrationAction()
                     $backend_uuid = $mdlHAProxy->newBackend(
                         "1",
                         "acme_challenge_backend",
-                        "Added by Let's Encrypt plugin",
+                        "Added by ACME Client plugin",
                         "http",
                         "source",
                         "",
@@ -283,7 +283,7 @@ public function fetchHAProxyIntegrationAction()
                     // Add a new HAProxy action
                     $action_uuid = $mdlHAProxy->newAction(
                         "redirect_acme_challenges",
-                        "Added by Let's Encrypt plugin",
+                        "Added by ACME Client plugin",
                         "if",
                         "",
                         "and",
@@ -298,7 +298,7 @@ public function fetchHAProxyIntegrationAction()
                     // Add a new HAProxy server
                     $server_uuid = $mdlHAProxy->newServer(
                         "acme_challenge_host",
-                        "Added by Let's Encrypt plugin",
+                        "Added by ACME Client plugin",
                         "127.0.0.1",
                         $acme_port,
                         "active",
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index ee0eb8dafe..a78b2f0515 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -27,24 +27,24 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Configure additional names that should be part of the certificate, i.e. www.example.com or mail.example.com. Use TAB key to complete typing a FQDN.<br/><div class="text-info"><b>NOTE:</b>You need to forcefully re-issue the certificate if you change "Alt Names" after the certificate was signed by the Let's Encrypt Authority! Use the "issue" button in the Commands column in this case.</div>]]></help>
+        <help><![CDATA[Configure additional names that should be part of the certificate, i.e. www.example.com or mail.example.com. Use TAB key to complete typing a FQDN.<br/><div class="text-info"><b>NOTE:</b>You need to forcefully re-issue the certificate if you change "Alt Names" after the certificate was signed by the ACME CA! Use the "issue" button in the Commands column in this case.</div>]]></help>
         <hint>Enter FQDN here. Finish with TAB.</hint>
     </field>
     <field>
-        <label>Let's Encrypt Settings</label>
+        <label>ACME CA Settings</label>
         <type>header</type>
     </field>
     <field>
         <id>certificate.account</id>
         <label>LE Account</label>
         <type>dropdown</type>
-        <help><![CDATA[Set the Let's Encrypt account to use for this certificate.]]></help>
+        <help><![CDATA[Set the ACME CA account to use for this certificate.]]></help>
     </field>
     <field>
         <id>certificate.validationMethod</id>
         <label>Challenge Type</label>
         <type>dropdown</type>
-        <help><![CDATA[Set the Let's Encrypt challenge type for this certificate.]]></help>
+        <help><![CDATA[Set the ACME challenge type for this certificate.]]></help>
     </field>
     <field>
         <id>certificate.autoRenewal</id>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 527601cfdc..4faa6b778f 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -21,7 +21,7 @@
         <id>validation.method</id>
         <label>Challenge Type</label>
         <type>dropdown</type>
-        <help>Set the Let's Encrypt challenge type. You'll have to add configuration for the selected challenge type below.</help>
+        <help>Set the ACME challenge type. You'll have to add configuration for the selected challenge type below.</help>
     </field>
     <field>
         <label>HTTP-01</label>
@@ -48,7 +48,7 @@
         <id>validation.http_opn_interface</id>
         <label>Interface</label>
         <type>dropdown</type>
-        <help><![CDATA[The FQDN's used in your certificate must currently point to an official IP address. Choose the interface where this IP address is currently configured. OPNsense will automatically create a temporary port forward to allow the Let's Encrypt validation to succeed. This will lead to a short downtime of the service that is normally used with this IP address.<br/><div class="text-info"><b>NOTE:</b>This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.</div>]]></help>
+        <help><![CDATA[The FQDN's used in your certificate must currently point to an official IP address. Choose the interface where this IP address is currently configured. OPNsense will automatically create a temporary port forward to allow the ACME validation to succeed. This will lead to a short downtime of the service that is normally used with this IP address.<br/><div class="text-info"><b>NOTE:</b>This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.</div>]]></help>
     </field>
     <field>
         <id>validation.http_opn_ipaddresses</id>
@@ -56,7 +56,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[The FQDN's used in your certificate must currently point to one or more official IP addresses. Enter the all of these IP addresses here. OPNsense will automatically create a temporary port forward to allow the Let's Encrypt validation to succeed. This will lead to a short downtime of the service that is normally used with these IP addresses.<br/><div class="text-info"><b>NOTE:</b>This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.</div>]]></help>
+        <help><![CDATA[The FQDN's used in your certificate must currently point to one or more official IP addresses. Enter the all of these IP addresses here. OPNsense will automatically create a temporary port forward to allow the ACME validation to succeed. This will lead to a short downtime of the service that is normally used with these IP addresses.<br/><div class="text-info"><b>NOTE:</b>This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.</div>]]></help>
         <hint>Enter IP addresses here. Finish each with TAB.</hint>
     </field>
     <field>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index b72241e641..e5cea7414a 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -3,7 +3,7 @@
         <id>acmeclient.settings.enabled</id>
         <label>Enable Plugin</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable Let's Encrypt plugin.]]></help>
+        <help><![CDATA[Enable ACME client plugin.]]></help>
     </field>
     <field>
         <id>acmeclient.settings.autoRenewal</id>
@@ -33,7 +33,7 @@
         <id>acmeclient.settings.challengePort</id>
         <label>Local HTTP Port</label>
         <type>text</type>
-        <help><![CDATA[When using HTTP-01 as challenge type, a local webserver is used to provide acme challenge data to the Let's Encrypt servers. The local webserver is NOT directly exposed to the outside and should NOT use port 80 or any other well-known port. This setting allows you to change the local port of this webserver in case it interferes with another local service. Defaults to port 43580.]]></help>
+        <help><![CDATA[When using HTTP-01 as challenge type, a local webserver is used to provide acme challenge data to the ACME CA. The local webserver is NOT directly exposed to the outside and should NOT use port 80 or any other well-known port. This setting allows you to change the local port of this webserver in case it interferes with another local service. Defaults to port 43580.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 5aa9e2ab20..ad172033c2 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -31,7 +31,7 @@
 use OPNsense\Core\Config;
 
 /**
- * Manage Let's Encrypt accounts with acme.sh
+ * Manage ACME CA accounts with acme.sh
  * @package OPNsense\AcmeClient
  */
 class LeAccount extends LeCommon
@@ -192,7 +192,7 @@ public function isRegistered()
     }
 
     /**
-     * register account with Let's Encrypt
+     * register account with configured ACME CA
      * @return bool
      */
     public function register()
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
index 707b65affd..30607fd80d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationInterface.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
@@ -30,7 +30,7 @@
 namespace OPNsense\AcmeClient;
 
 /**
- * Interface for Let's Encrypt automations
+ * Interface for ACME Client automations
  * @package OPNsense\AcmeClient
  */
 interface LeAutomationInterface
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index bc84d49b3b..16fc4839a1 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -37,7 +37,7 @@
 use OPNsense\AcmeClient\LeValidationFactory;
 
 /**
- * Manage Let's Encrypt certificates with acme.sh
+ * Manage ACME certificates with acme.sh
  * @package OPNsense\AcmeClient
  */
 class LeCertificate extends LeCommon
@@ -169,7 +169,7 @@ public function import(bool $skip_validation = false)
 
         // Collect required CA information
         $ca_cn = LeUtils::local_cert_get_cn($ca_content, false);
-        $ca['descr'] = (string)$ca_cn . ' (Let\'s Encrypt)';
+        $ca['descr'] = (string)$ca_cn . ' (ACME Client)';
 
         // Prepare CA for import
         LeUtils::local_ca_import($ca, $ca_content);
@@ -186,7 +186,7 @@ public function import(bool $skip_validation = false)
             }
         } else {
             // Create new CA
-            LeUtils::log("importing Let's Encrypt CA: ${ca_cn}");
+            LeUtils::log("importing ACME CA: ${ca_cn}");
             $newca = Config::getInstance()->object()->addChild('ca');
             foreach (array_keys($ca) as $cacfg) {
                 $newca->addChild($cacfg, (string)$ca[$cacfg]);
@@ -251,7 +251,7 @@ public function import(bool $skip_validation = false)
 
         // Collect required cert information
         $cert_cn = LeUtils::local_cert_get_cn($cert_content, false);
-        $cert['descr'] = (string)$cert_cn . ' (Let\'s Encrypt)';
+        $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
         $cert['refid'] = $cert_refid;
 
         // Prepare certificate for import
@@ -277,7 +277,7 @@ public function import(bool $skip_validation = false)
                 $newcert->addChild($certcfg, (string)$cert[$certcfg]);
             }
         }
-        LeUtils::log("${import_log_message} Let's Encrypt X.509 certificate: ${cert_cn}");
+        LeUtils::log("${import_log_message} ACME X.509 certificate: ${cert_cn}");
 
         /**
          * Step 3: update configuration
@@ -300,7 +300,7 @@ public function import(bool $skip_validation = false)
     }
 
     /**
-     * check if certificate is already issued by Let's Encrypt
+     * check if certificate is already issued by ACME CA
      * @return bool
      */
     public function isIssued()
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index 422a825084..f8d765bd33 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -32,7 +32,7 @@
 use OPNsense\AcmeClient\LeUtils;
 
 /**
- * Common constants and functions for all Let's Encrypt classes
+ * Common constants and functions for all ACME classes
  * @package OPNsense\AcmeClient
  */
 abstract class LeCommon
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
index 903486ffac..86c6be4513 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationInterface.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
@@ -30,7 +30,7 @@
 namespace OPNsense\AcmeClient;
 
 /**
- * Interface for Let's Encrypt validation methods
+ * Interface for ACME validation methods
  * @package OPNsense\Backup
  */
 interface LeValidationInterface
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml
index 528fe599ba..6800fe4488 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/ACL/ACL.xml
@@ -1,9 +1,9 @@
 <acl>
-    <page-services-letsencrypt>
-        <name>Services: Let's Encrypt</name>
+    <page-services-acmeclient>
+        <name>Services: ACME Client</name>
         <patterns>
             <pattern>ui/acmeclient/*</pattern>
             <pattern>api/acmeclient/*</pattern>
         </patterns>
-    </page-services-letsencrypt>
+    </page-services-acmeclient>
 </acl>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index a105ce5987..5f0c4fd6c5 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
     <version>3.0.0</version>
-    <description>A secure Let's Encrypt plugin</description>
+    <description>A secure ACME Client plugin</description>
     <items>
         <settings>
             <enabled type="BooleanField">
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
index 33a92cfb5f..07b758fd0b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Menu/Menu.xml
@@ -1,7 +1,6 @@
 <menu>
     <Services>
-      <!-- using LE prefix for proper sorting -->
-      <LEAcmeClient VisibleName="Let's Encrypt" cssClass="fa fa-certificate fa-fw">
+      <AcmeClient VisibleName="ACME Client" cssClass="fa fa-certificate fa-fw">
           <Settings order="10" url="/ui/acmeclient">
               <General url="/ui/acmeclient#general-settings"/>
           </Settings>
@@ -13,6 +12,6 @@
               <SystemLog VisibleName="System Log" order="10" url="/ui/acmeclient/logs"/>
               <AcmeLog VisibleName="Acme Log" order="20" url="/ui/diagnostics/log/core/acmeclient"/>
           </Logs>
-      </LEAcmeClient>
+      </AcmeClient>
     </Services>
 </menu>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index 7a95eef4b1..212d766735 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2017 Frank Wall
+Copyright (C) 2017-2021 Frank Wall
 OPNsense® is Copyright © 2014-2015 by Deciso B.V.
 All rights reserved.
 
@@ -300,7 +300,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 if (gridParams['register'] != undefined) {
                     var uuid=$(this).data("row-id");
                     stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('Register the selected account with Lets Encrypt?') }}',
+                        '{{ lang._('Register the selected account with the configured ACME CA?') }}',
                         '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
                         ajaxCall(url=gridParams['register'] + uuid,sendData={},callback=function(data,status){
                             // reload grid afterwards
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
index 3558d44dce..76fb546cfb 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
@@ -41,7 +41,7 @@
 const ABOUT = <<<TXT
 
 This script acts as a bridge between the OPNsense WebGUI/API and the
-acme.sh Let's Encrypt client.
+acme.sh ACME client.
 
 TXT;
 
@@ -66,7 +66,7 @@
         'description' => 'run automations for the specified certificate',
     ],
     'register' => [
-        'description' => 'register the specified account with Lets Encrypt',
+        'description' => 'register the specified account with ACME CA',
     ],
 ];
 
@@ -76,7 +76,7 @@
 --mode              Specify the mode of operation
 --cert              The certificate UUID when working with a single certificate
 --all               Work with ALL enabled certificates
---account           The account UUID when working with an Lets Encrypt account
+--account           The account UUID when working with an ACME CA account
 --force             Force certain operations (i.e. renew)
 --cron              Special mode when running from cron (i.e. consider auto renew settings)
 TXT;
@@ -98,7 +98,7 @@
 - Completely remove a certificate (keeping the copy in Trust Store untouched)
   lecert.php --mode remove --cert 00000000-0000-0000-0000-000000000000
 
-- When registering a new account with Lets Encrypt
+- When registering a new account with ACME CA
   lecert.php --mode register --account 00000000-0000-0000-0000-000000000000
 TXT;
 
diff --git a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
index 81a14363b1..8f379a6da7 100644
--- a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
+++ b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
@@ -82,7 +82,7 @@ command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daem
 parameters:
 type:script
 message:cronjob running to sign or renew certificates
-description:Renew Let's Encrypt certificates
+description:Renew ACME certificates
 
 [register-account]
 command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode register --account
diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
index c5746dddfe..5f3cf31d29 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
@@ -21,7 +21,7 @@ server.max-keep-alive-idle = 30
 # server.virtual-* options
 server.document-root = "/var/empty"
 
-# Let's Encrypt acme challenges
+# ACME challenges
 alias.url += ( "/.well-known/acme-challenge/" => "/var/etc/acme-client/challenges/.well-known/acme-challenge/" )
 
 # Maximum idle time with nothing being written

From 057e21c9a34b759f7e01e13c049b7cb7008af96c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 31 Jul 2021 14:54:00 +0200
Subject: [PATCH 0665/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index de8023fa3b..aa8f7cc864 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		2.6
+PLUGIN_VERSION=		3.0
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 53b20d2a17495e20d247efb4cd9b021ea7fdc685 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 31 Jul 2021 14:57:39 +0200
Subject: [PATCH 0666/3088] security/acme-client: remove obsolete account
 parameters

---
 security/acme-client/pkg-descr                        |  3 +++
 .../OPNsense/AcmeClient/forms/dialogAccount.xml       |  7 -------
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml | 11 -----------
 3 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 101894d32b..0e3f1c9a24 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,6 +18,9 @@ Changed:
 * rename "Let's Encrypt Environment" to "ACME CA" (#2361)
 * preserve old LE accounts/certs by adding a compatibility layer (#2361)
 
+Removed:
+* remove obsolete account parameters: certificateAuthority, lastUpdate
+
 2.6
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
index 2800717bd7..b8a2e2ebb8 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
@@ -23,11 +23,4 @@
         <type>text</type>
         <help>Optional e-mail address for this account.</help>
     </field>
-    <field>
-        <id>account.certificateAuthority</id>
-        <label>Certificate Authority</label>
-        <type>dropdown</type>
-        <help><![CDATA[Select the certificate authority for this account.]]></help>
-        <advanced>true</advanced>
-    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 5f0c4fd6c5..99247de8f5 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -144,21 +144,10 @@
                 <email type="EmailField">
                     <Required>N</Required>
                 </email>
-                <certificateAuthority type="OptionField">
-                    <Required>Y</Required>
-                    <default>letsencrypt</default>
-                    <OptionValues>
-                        <letsencrypt>Let's Encrypt CA</letsencrypt>
-                    </OptionValues>
-                </certificateAuthority>
                 <!-- hidden field; the private key for this account -->
                 <key type="TextField">
                     <Required>N</Required>
                 </key>
-                <!-- TODO: old value that was migrated to statusLastUpdate, should be removed -->
-                <lastUpdate type="IntegerField">
-                    <Required>N</Required>
-                </lastUpdate>
                 <!-- hidden field; status of last operation -->
                 <statusCode type="IntegerField">
                     <Required>N</Required>

From b8dcfba9fa24337e9fea1904b0ae5119504c3784 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 2 Aug 2021 09:05:09 +0200
Subject: [PATCH 0667/3088] dns/dnscrypt-proxy: fix logging (#2467)

Fix logging due to Phalcon4 update
---
 dns/dnscrypt-proxy/Makefile                                 | 3 +--
 dns/dnscrypt-proxy/pkg-descr                                | 4 ++++
 .../mvc/app/models/OPNsense/Dnscryptproxy/Menu/Menu.xml     | 6 +++---
 .../src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh    | 2 ++
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 54b2cc4b25..2cfd73068d 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 1728cf52fe..aad8c9492a 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
+1.9
+
+* Fix logging due to Phalcon4 update
+
 1.8
 
 * Remove 8 discontinued DNSBL lists and 2 that are not updated any more
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Menu/Menu.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Menu/Menu.xml
index 8133628f02..da5d87e56a 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Menu/Menu.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Menu/Menu.xml
@@ -2,9 +2,9 @@
     <Services>
         <DNSCrypt-Proxy cssClass="fa fa-lock fa-fw">
             <Configuration url="/ui/dnscryptproxy/general/index" order="10"/>
-            <GeneralLog VisibleName="Log / General" order="20" url="/ui/diagnostics/log/dnscrypt-proxy/dnscrypt-proxy"/>
-            <QueryLog VisibleName="Log / Queries" order="30"  url="/ui/diagnostics/log/dnscrypt-proxy/query"/>
-            <NXLog VisibleName="Log / NX" order="40" url="/ui/diagnostics/log/dnscrypt-proxy/nx"/>
+            <GeneralLog VisibleName="Log / General" order="20" url="/ui/diagnostics/log/dnscryptproxy/dnscrypt-proxy"/>
+            <QueryLog VisibleName="Log / Queries" order="30"  url="/ui/diagnostics/log/dnscryptproxy/query"/>
+            <NXLog VisibleName="Log / NX" order="40" url="/ui/diagnostics/log/dnscryptproxy/nx"/>
         </DNSCrypt-Proxy>
     </Services>
 </menu>
diff --git a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh
index 0d289f2b70..9d36378d2a 100755
--- a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh
+++ b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh
@@ -2,3 +2,5 @@
 
 mkdir -p /var/log/dnscrypt-proxy
 chown -R _dnscrypt-proxy:_dnscrypt-proxy /var/log/dnscrypt-proxy
+(cd /var/log && ln -s dnscrypt-proxy dnscryptproxy)
+chown -R _dnscrypt-proxy:_dnscrypt-proxy /var/log/dnscryptproxy

From 11c39082da004e1b236b120c2424b1d75209d1d8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 2 Aug 2021 10:45:31 +0200
Subject: [PATCH 0668/3088] dns/dnscrypt-proxy: minor tweaks

---
 .../opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt  | 1 +
 .../src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh        | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
index 3879b097eb..c9106294bc 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
@@ -291,5 +291,6 @@ $( document ).ready(function() {
         });
     });
 
+    updateServiceControlUI('dnscryptproxy');
 });
 </script>
diff --git a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh
index 9d36378d2a..6c277c5aec 100755
--- a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh
+++ b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh
@@ -2,5 +2,7 @@
 
 mkdir -p /var/log/dnscrypt-proxy
 chown -R _dnscrypt-proxy:_dnscrypt-proxy /var/log/dnscrypt-proxy
+
+rm -f /var/log/dnscryptproxy
 (cd /var/log && ln -s dnscrypt-proxy dnscryptproxy)
 chown -R _dnscrypt-proxy:_dnscrypt-proxy /var/log/dnscryptproxy

From 566254336a01c9981cd8101ec1ab3f74188516d9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 2 Aug 2021 13:24:49 +0200
Subject: [PATCH 0669/3088] plugins: whitespace sweep

---
 .../controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml    | 2 +-
 .../app/controllers/OPNsense/Nginx/Api/ServiceController.php    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
index 7d01d57089..afde58416d 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
@@ -39,7 +39,7 @@
         <label>Master IP</label>
         <style>tokenize</style>
         <type>select_multiple</type>
-        <allownew>true</allownew> 
+        <allownew>true</allownew>
         <help>Set the IP address of master server when using slave mode.</help>
     </field>
     <field>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
index b783fb05a2..4588f6c6f5 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
@@ -96,7 +96,7 @@ public function vtsAction()
         $this->response->setStatusCode(404, "Not Found");
         return array();
     }
-    
+
     protected function reconfigureForceRestart() {
         return 0;
     }

From 28e885b7ece53f879ff9e73703c066904a294709 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 3 Aug 2021 08:20:52 +0200
Subject: [PATCH 0670/3088] net-mgmt/telegraf: add unbound (#2488)

---
 net-mgmt/telegraf/Makefile                                | 2 +-
 net-mgmt/telegraf/pkg-descr                               | 5 +++++
 .../app/controllers/OPNsense/Telegraf/forms/general.xml   | 6 ++++++
 .../mvc/app/controllers/OPNsense/Telegraf/forms/input.xml | 8 +++++++-
 .../opnsense/mvc/app/models/OPNsense/Telegraf/General.xml | 6 +++++-
 .../opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml   | 3 +++
 .../src/opnsense/scripts/OPNsense/Telegraf/setup.sh       | 1 +
 .../opnsense/service/templates/OPNsense/Telegraf/telegraf | 3 +++
 .../service/templates/OPNsense/Telegraf/telegraf.conf     | 7 +++++++
 9 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index c8732d79c5..a7e3d647ad 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.11.0
+PLUGIN_VERSION=		1.12.0
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index b36867f331..0ab481d8f8 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,11 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.0
+
+* Allow to start telegraf with wheel group permissions
+* Add Unbound input
+
 1.11.0
 
 * Set telegraf.d as additional config include
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/general.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/general.xml
index ff2eea081f..95a80b7fd2 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/general.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/general.xml
@@ -5,6 +5,12 @@
         <type>checkbox</type>
         <help>This will activate the telegraf agent.</help>
     </field>
+    <field>
+        <id>general.wheelgroup</id>
+        <label>Wheel Group</label>
+        <type>checkbox</type>
+        <help>This will start the process with wheel group permission. Please use this with care, currently only needed for Unbound and Suricata.</help>
+    </field>
     <field>
         <id>general.interval</id>
         <label>Interval</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
index 992c4bb375..7f318d9c2b 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
@@ -142,5 +142,11 @@
         <label>Intrusion Dectection Alerts</label>
         <type>checkbox</type>
         <help>Requires Intrustion detection alerts are stored locally.</help>
-   </field>
+    </field>
+    <field>
+        <id>input.unbound</id>
+        <label>Unbound</label>
+        <type>checkbox</type>
+        <help>Enable the collection of Unbound metrics.</help>
+    </field>
 </form>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
index e994cd8771..ed05705e35 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
@@ -1,12 +1,16 @@
 <model>
     <mount>//OPNsense/telegraf/general</mount>
     <description>Telegraf general configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
         </enabled>
+        <wheelgroup type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </wheelgroup>
         <interval type="IntegerField">
             <default>10</default>
             <Required>Y</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index 721ea4e987..3e4f6e85d0 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -93,5 +93,8 @@
             <default>0</default>
             <Required>N</Required>
         </intrusion_detection_alerts>
+        <unbound type="BooleanField">
+            <Required>N</Required>
+        </unbound>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/scripts/OPNsense/Telegraf/setup.sh b/net-mgmt/telegraf/src/opnsense/scripts/OPNsense/Telegraf/setup.sh
index c18039d0b6..e4329aafed 100755
--- a/net-mgmt/telegraf/src/opnsense/scripts/OPNsense/Telegraf/setup.sh
+++ b/net-mgmt/telegraf/src/opnsense/scripts/OPNsense/Telegraf/setup.sh
@@ -5,3 +5,4 @@ chown -R telegraf:telegraf /usr/local/etc/telegraf.d /var/log/telegraf
 chmod 750 /usr/local/etc/telegraf.d /var/log/telegraf
 
 /usr/sbin/pw groupmod proxy -m telegraf
+/usr/sbin/pw groupmod unbound -m telegraf
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
index 193a97c65b..54ccc238f6 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
@@ -1,4 +1,7 @@
 {% if helpers.exists('OPNsense.telegraf.general.enabled') and OPNsense.telegraf.general.enabled == '1' %}
+{%   if OPNsense.telegraf.general.wheelgroup == '1' %}
+telegraf_group="wheel"
+{%   endif %}
 telegraf_var_script="/usr/local/opnsense/scripts/OPNsense/Telegraf/setup.sh"
 telegraf_enable="YES"
 telegraf_confdir="/usr/local/etc/telegraf.d"
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index f553999f73..f74f878542 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -263,4 +263,11 @@
   json_string_fields = ["*"]
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.input.unbound') and OPNsense.telegraf.input.unbound == '1' %}
+[[inputs.unbound]]
+   binary = "/usr/local/sbin/unbound-control"
+   config_file = "/var/unbound/unbound.conf"
+   thread_as_tag = true
+{% endif %}
+
 {% endif %}

From 98436f3b1a91154d636d03b9b650ce5e9ff88199 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Aug 2021 08:32:52 +0200
Subject: [PATCH 0671/3088] www/nginx: bump revision

---
 www/nginx/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 1653e31ad1..42b0ebce2d 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.23
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From c149e55aa691768206a08b49229d174051b9f858 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Aug 2021 08:44:02 +0200
Subject: [PATCH 0672/3088] Scripts: ignore excessive print

---
 Scripts/update-list.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Scripts/update-list.sh b/Scripts/update-list.sh
index 0fd2aa5e50..be82d5e54a 100755
--- a/Scripts/update-list.sh
+++ b/Scripts/update-list.sh
@@ -29,7 +29,7 @@ set -e
 
 PATTERN=XXXNEWLISTHEREXXX
 
-(echo '```'; ${MAKE} list; echo '```') > README.list
+(echo '```'; ${MAKE} list 2> /dev/null; echo '```') > README.list
 
 sed -e '/```/,/```/c\
 '"${PATTERN}"'

From 1e0e4dc323098531973f23b1271d5f8962819517 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 4 Aug 2021 12:19:19 +0200
Subject: [PATCH 0673/3088] security/acme-client: remove the legacy log file,
 refs #2366

---
 security/acme-client/pkg-descr                       |  1 +
 .../app/library/OPNsense/AcmeClient/LeAccount.php    |  2 +-
 .../mvc/app/library/OPNsense/AcmeClient/LeCommon.php | 12 ++++++------
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 0e3f1c9a24..337a667b36 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -17,6 +17,7 @@ Changed:
 * rename plugin from "Let's Encrypt client" to "ACME Client" (#2361)
 * rename "Let's Encrypt Environment" to "ACME CA" (#2361)
 * preserve old LE accounts/certs by adding a compatibility layer (#2361)
+* remove the legacy log file and only rely on syslog logging (#2366)
 
 Removed:
 * remove obsolete account parameters: certificateAuthority, lastUpdate
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index ad172033c2..afec980fd2 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -73,7 +73,7 @@ public function generateKey()
         $account_ca_file = $account_conf_dir . '/ca.conf';
         $acme_conf = array();
         $acme_conf[] = "CERT_HOME='" . self::ACME_HOME_DIR . "'";
-        $acme_conf[] = "LOG_FILE='" . self::ACME_LOG_FILE . "'";
+        $acme_conf[] = "SYS_LOG='" . $this->acme_syslog . "'";
         $acme_conf[] = "ACCOUNT_KEY_PATH='" . $account_key_file . "'";
         $acme_conf[] = "ACCOUNT_JSON_PATH='" . $account_json_file . "'";
         $acme_conf[] = "CA_CONF='" . $account_ca_file . "'";
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index f8d765bd33..1863061d6e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -42,7 +42,6 @@ abstract class LeCommon
     public const ACME_BASE_CERT_DIR = '/var/etc/acme-client/certs';
     public const ACME_BASE_CONFIG_DIR = '/var/etc/acme-client/configs';
     public const ACME_HOME_DIR = '/var/etc/acme-client/home';
-    public const ACME_LOG_FILE = '/var/log/acme.sh.log';
 
     // Defaults for acme.sh
     public const ACME_ACCOUNT_KEY_LENGTH = 4096;
@@ -61,6 +60,7 @@ abstract class LeCommon
     protected $acme_args = array(); # command line arguments to be passed to acme.sh
     protected $acme_env = array();  # environment variables to be used when running acme.sh
     protected $acme_keylength;      # private key length in acme.sh compatible format
+    protected $acme_syslog;         # syslog log level
 
     // Certificate details and configuration
     protected $cert_id;             # AcmeClient certificate object ID
@@ -173,34 +173,34 @@ public function setLoglevel()
             case 'extended':
                 $this->acme_args[] = '--syslog 6';
                 $this->acme_args[] = '--log-level 2';
+                $this->acme_syslog = 6;
                 $this->debug = false;
                 break;
             case 'debug':
                 $this->acme_args[] = '--syslog 7';
                 $this->acme_args[] = '--debug';
+                $this->acme_syslog = 7;
                 $this->debug = true;
                 break;
             case 'debug2':
                 $this->acme_args[] = '--syslog 7';
                 $this->acme_args[] = '--debug 2';
+                $this->acme_syslog = 7;
                 $this->debug = true;
                 break;
             case 'debug3':
                 $this->acme_args[] = '--syslog 7';
                 $this->acme_args[] = '--debug 3';
+                $this->acme_syslog = 7;
                 $this->debug = true;
                 break;
             default:
                 $this->acme_args[] = '--syslog 6';
                 $this->acme_args[] = '--log-level 1';
+                $this->acme_syslog = 6;
                 $this->debug = false;
                 break;
         }
-
-        // Set log file
-        // NOTE: This log file is no longer exposed to the GUI. However, it may
-        // still turn out to be useful for debug purposes in rare egde cases.
-        $this->acme_args[] = LeUtils::execSafe('--log %s', self::ACME_LOG_FILE);
     }
 
     /**

From e4684ec47eda70cd5376c0dfd7ffd4624c30dc06 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 4 Aug 2021 12:48:58 +0200
Subject: [PATCH 0674/3088] security/acme-client: update tooltip style, closes
 #2188

---
 security/acme-client/pkg-descr                 |  1 +
 .../OPNsense/AcmeClient/certificates.volt      | 18 ++++++++++--------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 337a667b36..cd81cf072f 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,6 +18,7 @@ Changed:
 * rename "Let's Encrypt Environment" to "ACME CA" (#2361)
 * preserve old LE accounts/certs by adding a compatibility layer (#2361)
 * remove the legacy log file and only rely on syslog logging (#2366)
+* update tooltip style for 21.7 (#2188)
 
 Removed:
 * remove obsolete account parameters: certificateAuthority, lastUpdate
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index c30891a762..fb90c8d15b 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -59,13 +59,13 @@ POSSIBILITY OF SUCH DAMAGE.
             url: '/api/acmeclient/certificates/search',
             formatters: {
                 "commands": function (column, row) {
-                    return "<button type=\"button\" title=\"{{ lang._('edit certificate') }}\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
-                        "<button type=\"button\" title=\"{{ lang._('copy certificate') }}\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('issue or renew certificate') }}\" class=\"btn btn-xs btn-default command-sign\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-repeat\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('run automations') }}\" class=\"btn btn-xs btn-default command-automation\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-paper-plane\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('revoke certificate') }}\" class=\"btn btn-xs btn-default command-revoke\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-power-off\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('reset certificate') }}\" class=\"btn btn-xs btn-default command-removekey\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-history\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('remove certificate') }}\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
+                    return "<button type=\"button\" title=\"{{ lang._('edit certificate') }}\" class=\"btn btn-xs btn-default command-edit bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
+                        "<button type=\"button\" title=\"{{ lang._('copy certificate') }}\" class=\"btn btn-xs btn-default command-copy bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('issue or renew certificate') }}\" class=\"btn btn-xs btn-default command-sign bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-repeat\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('run automations') }}\" class=\"btn btn-xs btn-default command-automation bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-paper-plane\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('revoke certificate') }}\" class=\"btn btn-xs btn-default command-revoke bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-power-off\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('reset certificate') }}\" class=\"btn btn-xs btn-default command-removekey bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-history\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('remove certificate') }}\" class=\"btn btn-xs btn-default command-delete bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
                 },
                 "rowtoggle": function (column, row) {
                     if (parseInt(row[column.id], 2) == 1) {
@@ -140,6 +140,9 @@ POSSIBILITY OF SUCH DAMAGE.
          */
         var grid_certificates = $("#grid-certificates").bootgrid(gridopt).on("loaded.rs.jquery.bootgrid", function (e)
         {
+            // toggle all rendered tooltips (once for all)
+            $('.bootgrid-tooltip').tooltip();
+
             // scale footer on resize
             $(this).find("tfoot td:first-child").attr('colspan',$(this).find("th").length - 1);
             $(this).find('tr[data-row-id]').each(function(){
@@ -209,7 +212,6 @@ POSSIBILITY OF SUCH DAMAGE.
          * copy actions for items from opnsense_bootgrid_plugin.js
          */
         grid_certificates.on("loaded.rs.jquery.bootgrid", function(){
-
             // edit dialog id to use
             var editDlg = $(this).attr('data-editDialog');
             var gridId = $(this).attr('id');

From 8bc24bc9adc1212aeafdd8a3ddcfa54ebc46fdd0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 4 Aug 2021 12:59:52 +0200
Subject: [PATCH 0675/3088] security/acme-client: add tooltips for account
 command buttons, refs #2188

While here, align tooltips with core UI by using capitalization.
---
 security/acme-client/pkg-descr                     |  1 +
 .../app/views/OPNsense/AcmeClient/accounts.volt    | 11 +++++++----
 .../views/OPNsense/AcmeClient/certificates.volt    | 14 +++++++-------
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index cd81cf072f..d80dac31fc 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -19,6 +19,7 @@ Changed:
 * preserve old LE accounts/certs by adding a compatibility layer (#2361)
 * remove the legacy log file and only rely on syslog logging (#2366)
 * update tooltip style for 21.7 (#2188)
+* add tooltips for account command buttons (#2188)
 
 Removed:
 * remove obsolete account parameters: certificateAuthority, lastUpdate
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index 212d766735..0f03c4b1d9 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -53,10 +53,10 @@ POSSIBILITY OF SUCH DAMAGE.
             url: '/api/acmeclient/accounts/search',
             formatters: {
                 "commands": function (column, row) {
-                    return "<button type=\"button\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-register\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-address-book-o\"></span></button>" +
-                        "<button type=\"button\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
+                    return "<button type=\"button\" title=\"{{ lang._('Edit account') }}\" class=\"btn btn-xs btn-default command-edit bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
+                        "<button type=\"button\" title=\"{{ lang._('Copy account') }}\" class=\"btn btn-xs btn-default command-copy bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('Register account') }}\" class=\"btn btn-xs btn-default command-register bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-address-book-o\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('Remove account') }}\" class=\"btn btn-xs btn-default command-delete bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
                 },
                 "rowtoggle": function (column, row) {
                     if (parseInt(row[column.id], 2) == 1) {
@@ -117,6 +117,9 @@ POSSIBILITY OF SUCH DAMAGE.
          */
         var grid_accounts = $("#grid-accounts").bootgrid(gridopt).on("loaded.rs.jquery.bootgrid", function (e)
         {
+            // toggle all rendered tooltips (once for all)
+            $('.bootgrid-tooltip').tooltip();
+
             // scale footer on resize
             $(this).find("tfoot td:first-child").attr('colspan',$(this).find("th").length - 1);
             $(this).find('tr[data-row-id]').each(function(){
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index fb90c8d15b..5c053a9d59 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -59,13 +59,13 @@ POSSIBILITY OF SUCH DAMAGE.
             url: '/api/acmeclient/certificates/search',
             formatters: {
                 "commands": function (column, row) {
-                    return "<button type=\"button\" title=\"{{ lang._('edit certificate') }}\" class=\"btn btn-xs btn-default command-edit bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
-                        "<button type=\"button\" title=\"{{ lang._('copy certificate') }}\" class=\"btn btn-xs btn-default command-copy bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('issue or renew certificate') }}\" class=\"btn btn-xs btn-default command-sign bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-repeat\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('run automations') }}\" class=\"btn btn-xs btn-default command-automation bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-paper-plane\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('revoke certificate') }}\" class=\"btn btn-xs btn-default command-revoke bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-power-off\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('reset certificate') }}\" class=\"btn btn-xs btn-default command-removekey bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-history\"></span></button>" +
-                        "<button type=\"button\" title=\"{{ lang._('remove certificate') }}\" class=\"btn btn-xs btn-default command-delete bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
+                    return "<button type=\"button\" title=\"{{ lang._('Edit certificate') }}\" class=\"btn btn-xs btn-default command-edit bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
+                        "<button type=\"button\" title=\"{{ lang._('Copy certificate') }}\" class=\"btn btn-xs btn-default command-copy bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('Issue or renew certificate') }}\" class=\"btn btn-xs btn-default command-sign bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-repeat\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('Run automations') }}\" class=\"btn btn-xs btn-default command-automation bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-paper-plane\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('Revoke certificate') }}\" class=\"btn btn-xs btn-default command-revoke bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-power-off\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('Reset certificate') }}\" class=\"btn btn-xs btn-default command-removekey bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-history\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('Remove certificate') }}\" class=\"btn btn-xs btn-default command-delete bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
                 },
                 "rowtoggle": function (column, row) {
                     if (parseInt(row[column.id], 2) == 1) {

From bc0b544b023e3703176bac634993cdf0ab47fdf0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Aug 2021 22:56:53 +0200
Subject: [PATCH 0676/3088] security/acme-client: add introduction pages

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/AccountsController.php         |  5 +-
 .../OPNsense/AcmeClient/ActionsController.php |  5 +-
 .../AcmeClient/CertificatesController.php     |  5 +-
 .../OPNsense/AcmeClient/IndexController.php   |  5 +-
 .../AcmeClient/ValidationsController.php      |  5 +-
 .../OPNsense/AcmeClient/forms/settings.xml    |  6 +++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 .../views/OPNsense/AcmeClient/accounts.volt   | 26 ++++++++--
 .../views/OPNsense/AcmeClient/actions.volt    | 26 ++++++++--
 .../OPNsense/AcmeClient/certificates.volt     | 44 +++++++++++------
 .../views/OPNsense/AcmeClient/settings.volt   | 49 +++++++++++++++----
 .../OPNsense/AcmeClient/validations.volt      | 25 ++++++++--
 13 files changed, 164 insertions(+), 42 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index d80dac31fc..b172474e3a 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Added:
 * add support for new ACME CA's: buypass, buypass_test, sslcom, zerossl (#2361)
+* add introduction pages and an option to hide them
 
 Changed:
 * rename plugin from "Let's Encrypt client" to "ACME Client" (#2361)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/AccountsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/AccountsController.php
index 374112c23f..202b578fd0 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/AccountsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/AccountsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2021 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -41,6 +41,9 @@ public function indexAction()
     {
         // include form definitions
         $this->view->formDialogAccount = $this->getForm("dialogAccount");
+        // set additional view parameters
+        $mdlAcme = new \OPNsense\AcmeClient\AcmeClient();
+        $this->view->showIntro = (string)$mdlAcme ->settings->showIntro;
         // choose template
         $this->view->pick('OPNsense/AcmeClient/accounts');
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/ActionsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/ActionsController.php
index 002446342b..fb438bff65 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/ActionsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/ActionsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2021 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -41,6 +41,9 @@ public function indexAction()
     {
         // include form definitions
         $this->view->formDialogAction = $this->getForm("dialogAction");
+        // set additional view parameters
+        $mdlAcme = new \OPNsense\AcmeClient\AcmeClient();
+        $this->view->showIntro = (string)$mdlAcme ->settings->showIntro;
         // choose template
         $this->view->pick('OPNsense/AcmeClient/actions');
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/CertificatesController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/CertificatesController.php
index 8e58c37ef7..df9b8fd53b 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/CertificatesController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/CertificatesController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2021 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -41,6 +41,9 @@ public function indexAction()
     {
         // include form definitions
         $this->view->formDialogCertificate = $this->getForm("dialogCertificate");
+        // set additional view parameters
+        $mdlAcme = new \OPNsense\AcmeClient\AcmeClient();
+        $this->view->showIntro = (string)$mdlAcme ->settings->showIntro;
         // choose template
         $this->view->pick('OPNsense/AcmeClient/certificates');
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/IndexController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/IndexController.php
index f13b7e9c12..59a0f966c4 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/IndexController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/IndexController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2021 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -45,6 +45,9 @@ public function indexAction()
     {
         // include form definitions
         $this->view->settingsForm = $this->getForm("settings");
+        // set additional view parameters
+        $mdlAcme = new \OPNsense\AcmeClient\AcmeClient();
+        $this->view->showIntro = (string)$mdlAcme ->settings->showIntro;
         // pick the template to serve
         $this->view->pick('OPNsense/AcmeClient/settings');
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/ValidationsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/ValidationsController.php
index 8c2f2a3652..32a8e613bd 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/ValidationsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/ValidationsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2021 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -41,6 +41,9 @@ public function indexAction()
     {
         // include form definitions
         $this->view->formDialogValidation = $this->getForm("dialogValidation");
+        // set additional view parameters
+        $mdlAcme = new \OPNsense\AcmeClient\AcmeClient();
+        $this->view->showIntro = (string)$mdlAcme ->settings->showIntro;
         // choose template
         $this->view->pick('OPNsense/AcmeClient/validations');
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index e5cea7414a..770341a2ce 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -29,6 +29,12 @@
         <type>dropdown</type>
         <help><![CDATA[Specifies the log level for acme.sh, default is "normal". All other log levels add information for debug purposes, but be aware that this will break the log formatting in the GUI.  Levels "debug 2" and "debug 3" log successively deeper log messages from the acme.sh including messages from DNS-01 DNSAPI scripts.]]></help>
     </field>
+    <field>
+        <id>acmeclient.settings.showIntro</id>
+        <label>Show introduction pages</label>
+        <type>checkbox</type>
+        <help><![CDATA[Uncheck to hide all additional introduction pages.]]></help>
+    </field>
     <field>
         <id>acmeclient.settings.challengePort</id>
         <label>Local HTTP Port</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 99247de8f5..91183a3ea8 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -121,6 +121,10 @@
                     <debug3>debug 3</debug3>
                 </OptionValues>
             </logLevel>
+            <showIntro type="BooleanField">
+                <Required>Y</Required>
+                <default>1</default>
+            </showIntro>
         </settings>
         <accounts>
             <account type="ArrayField">
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index 0f03c4b1d9..dfa7eb6cf1 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -321,12 +321,28 @@ POSSIBILITY OF SUCH DAMAGE.
 
 </script>
 
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#accounts">{{ lang._('Accounts') }}</a></li>
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li {% if showIntro|default('0')=='1' %}class="active"{% endif %}><a data-toggle="tab" id="accounts-introduction" href="#subtab_accounts-introduction"><b>{{ lang._('Introduction') }}</b></a></li>
+    <li {% if showIntro|default('0')=='0' %}class="active"{% endif %}><a data-toggle="tab" id="accounts-tab" href="#accounts"><b>{{ lang._('Accounts') }}</b></a></li>
 </ul>
 
-<div class="tab-content content-box tab-content">
-    <div id="accounts" class="tab-pane fade in active">
+<div class="content-box tab-content">
+
+    <div id="subtab_accounts-introduction" class="tab-pane fade {% if showIntro|default('0')=='1' %}in active{% endif %}">
+        <div class="col-md-12">
+            <h1>{{ lang._('Accounts') }}</h1>
+            <p>{{ lang._('In order to create certificates, an account is required. Also the following information should be considered:') }}</p>
+            <ul>
+              <li>{{ lang._('The account will be %sregistered automatically%s at the chosen CA. The CA will then associate new certificates to the selected account.') | format('<b>', '</b>') }}</li>
+              <li>{{ lang._('Usually CAs will let you know if something went wrong and a certificate is about to expire, therefore a %svalid e-mail address%s should be provided.') | format('<b>', '</b>') }}</li>
+              <li>{{ lang._('For certain use-cases it can be useful to register %smultiple accounts%s, but the policy of the CA should be respected with this regard.') | format('<b>', '</b>') }}</li>
+            </ul>
+            <p>{{ lang._('When requesting support from a CA the account ID may be required, %sthis documentation%s contains information how to get the internal account ID from the log files.') | format('<a href="https://letsencrypt.org/docs/account-id/">', '</a>') }}</p>
+        </div>
+    </div>
+
+    <div id="accounts" class="tab-pane fade {% if showIntro|default('0')=='0' %}in active{% endif %}">
+
         <table id="grid-accounts" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAccount">
             <thead>
             <tr>
@@ -351,7 +367,9 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
+
     </div>
+
 </div>
 
 {# include dialogs #}
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
index 1585373c1a..e0f8b6fcab 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2017-2019 Frank Wall
+Copyright (C) 2017-2021 Frank Wall
 OPNsense® is Copyright © 2014-2015 by Deciso B.V.
 All rights reserved.
 
@@ -196,12 +196,27 @@ POSSIBILITY OF SUCH DAMAGE.
 
 </script>
 
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#actions">{{ lang._('Automation') }}</a></li>
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li {% if showIntro|default('0')=='1' %}class="active"{% endif %}><a data-toggle="tab" id="actions-introduction" href="#subtab_actions-introduction"><b>{{ lang._('Introduction') }}</b></a></li>
+    <li {% if showIntro|default('0')=='0' %}class="active"{% endif %}><a data-toggle="tab" id="actions-tab" href="#actions"><b>{{ lang._('Automations') }}</b></a></li>
 </ul>
 
-<div class="tab-content content-box tab-content">
-    <div id="actions" class="tab-pane fade in active">
+<div class="content-box tab-content">
+
+    <div id="subtab_actions-introduction" class="tab-pane fade {% if showIntro|default('0')=='1' %}in active{% endif %}">
+        <div class="col-md-12">
+            <h1>{{ lang._('Automations') }}</h1>
+            <p>{{ lang._('Automations are a completely optional feature, but they can make life much easier, especially when using short-lived certificates. Typically use-case include:') }}</p>
+            <ul>
+              <li>{{ lang._("%sRestart a service%s when a certificate was renewed to ensure that the newest certificate is being used. This is especially useful when using an ACME certificate for the OPNsense WebGUI or in combination with the HAProxy or NGINX plugins. Any OPNsense core service or plugin service may be restarted.") | format('<b>', '</b>') }}</li>
+              <li>{{ lang._("Copy a certificate to one or more other hosts using the %sSFTP/SSH protocol%s. This way OPNsense can be used as a central authority for ACME certificates and secrets for DNS providers can be kept on a secure device.") | format('<b>', '</b>') }}</li>
+              <li>{{ lang._("Deploy a certificate to an external service, for example a %sCDN%s provider.") | format('<b>', '</b>') }}</li>
+            </ul>
+            <p>{{ lang._("This plugin can theoretically utilize most of %sacme.sh's webhooks%s. However, not all webhooks are currently implemented. Feel free to submit a %sfeature request%s if support for a acme.sh webhook should be added to the plugin.") | format('<a href="https://github.com/acmesh-official/acme.sh/wiki/deployhooks">', '</a>', '<a href="https://github.com/opnsense/plugins/issues">', '</a>') }}</p>
+        </div>
+    </div>
+
+    <div id="actions" class="tab-pane fade {% if showIntro|default('0')=='0' %}in active{% endif %}">
         <table id="grid-actions" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAction">
             <thead>
             <tr>
@@ -225,6 +240,7 @@ POSSIBILITY OF SUCH DAMAGE.
             </tfoot>
         </table>
     </div>
+
 </div>
 
 {# include dialogs #}
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index 5c053a9d59..e50cda7f2b 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -2,7 +2,7 @@
 
 (Partially duplicates code from opnsense_bootgrid_plugin.js.)
 
-Copyright (C) 2017-2020 Frank Wall
+Copyright (C) 2017-2021 Frank Wall
 Copyright (C) 2015 Deciso B.V.
 OPNsense® is Copyright © 2014-2015 by Deciso B.V.
 All rights reserved.
@@ -431,12 +431,28 @@ POSSIBILITY OF SUCH DAMAGE.
 
 </script>
 
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#certificates">{{ lang._('Certificates') }}</a></li>
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li {% if showIntro|default('0')=='1' %}class="active"{% endif %}><a data-toggle="tab" id="certificates-introduction" href="#subtab_certificates-introduction"><b>{{ lang._('Introduction') }}</b></a></li>
+    <li {% if showIntro|default('0')=='0' %}class="active"{% endif %}><a data-toggle="tab" id="certificates-tab" href="#certificates"><b>{{ lang._('Certificates') }}</b></a></li>
 </ul>
 
-<div class="tab-content content-box tab-content">
-    <div id="certificates" class="tab-pane fade in active">
+<div class="content-box tab-content">
+
+    <div id="subtab_certificates-introduction" class="tab-pane fade {% if showIntro|default('0')=='1' %}in active{% endif %}">
+        <div class="col-md-12">
+            <h1>{{ lang._('Certificates') }}</h1>
+            <p>{{ lang._('This plugin supports an unlimited number of certificates. However, the CA may restrict the number of certificates per week or implement other rate-limits. Retrying a failed validation many times in a row may also cause further attempts to fail due to rate-limits. The CA documentation should contain further information.') }}</p>
+            <p>{{ lang._('The following principles apply when managing certificates with this plugin:') }}</p>
+            <ul>
+              <li>{{ lang._('Certificates must be %svalidated%s by the CA before they can be used. This process runs in the background and may take several minutes to complete. The progress can be monitored by using the %slog files%s.') | format('<b>', '</b>', '<a href="/ui/acmeclient/logs">', '</a>') }}</li>
+              <li>{{ lang._('Certificates are stored in the %sOPNsense certificate storage%s. When a CA has completed the validation of a certificate request, the resulting certificate is then automatically imported into the OPNsense certificate storage. The same applies when renewing certificates, the existing entry in the OPNsense certificate storage will automatically be updated.') | format('<a href="/system_certmanager.php">', '</a>') }}</li>
+              <li>{{ lang._('When removing a certificate from the plugin, the certificate in the %sOPNsense certificate storage%s is %sNOT removed%s, because it may still be used by a core application or another plugin. Obsolete certificates should be manually removed from the OPNsense certificate storage. Note that when creating a new certificate with the same name, a new certificated will be imported into the OPNsense certificate storage (instead of updating the existing entry).') | format('<a href="/system_certmanager.php">', '</a>', '<b>', '</b>') }}</li>
+            </ul>
+            <p>{{ lang._('When experiencing issues, try setting the log level to "debug" in %ssettings%s.') | format('<a href="/ui/acmeclient#settings">', '</a>') }}</p>
+        </div>
+    </div>
+
+    <div id="certificates" class="tab-pane fade {% if showIntro|default('0')=='0' %}in active{% endif %}">
         <table id="grid-certificates" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogCertificate">
             <thead>
             <tr>
@@ -463,15 +479,15 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-    </div>
-    <div class="col-md-12">
-        <hr/>
-        <button class="btn btn-primary" id="signallcertsAct" type="button"><b>{{ lang._('Issue/Renew Certificates Now') }}</b><i id="signallcertsAct_progress" class=""></i></button>
-        <br/>
-    </div>
-    <div class="col-md-12">
-        {{ lang._('Use the Issue/Renew button to let the acme client automatically issue any new certificate and renew existing certificates (only if required). If you want to only issue/renew or revoke a single certificate, use the buttons in the Commands column. This will forcefully issue/renew the certificate, even if it is not required.') }} <b>{{ lang._('The process may take some time and thus will run in the background, you will not get any notification in the GUI. Use the log file to monitor the progress and to see error messages.') }}</b>
-        <br/><br/>
+        <div class="col-md-12">
+            <hr/>
+            <button class="btn btn-primary" id="signallcertsAct" type="button"><b>{{ lang._('Issue/Renew Certificates Now') }}</b><i id="signallcertsAct_progress" class=""></i></button>
+            <br/>
+        </div>
+        <div class="col-md-12">
+            {{ lang._('Use the Issue/Renew button to let the acme client automatically issue any new certificate and renew existing certificates (only if required). If you want to only issue/renew or revoke a single certificate, use the buttons in the Commands column. This will forcefully issue/renew the certificate, even if it is not required.') }} <b>{{ lang._('The process may take some time and thus will run in the background, you will not get any notification in the GUI. Use the log file to monitor the progress and to see error messages.') }}</b>
+            <br/><br/>
+        </div>
     </div>
 </div>
 
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index a77378f439..3d462bb547 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -226,17 +226,51 @@ POSSIBILITY OF SUCH DAMAGE.
             });
 
         });
+
+        // update history on tab state and implement navigation
+        if(window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click()
+        }
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+
     });
 
 </script>
 
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#settings">{{ lang._('Settings') }}</a></li>
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li {% if showIntro|default('0')=='1' %}class="active"{% endif %}><a data-toggle="tab" id="settings-introduction" href="#subtab_settings-introduction"><b>{{ lang._('Introduction') }}</b></a></li>
+    <li {% if showIntro|default('0')=='0' %}class="active"{% endif %}><a data-toggle="tab" id="settings-tab" href="#settings"><b>{{ lang._('Settings') }}</b></a></li>
     <li><a href="" id="scheduled_updates" style="display:none">{{ lang._('Update Schedule') }}</a></li>
 </ul>
 
-<div class="tab-content content-box tab-content">
-    <div id="settings" class="tab-pane fade in active">
+<div class="content-box tab-content">
+
+    <div id="subtab_settings-introduction" class="tab-pane fade {% if showIntro|default('0')=='1' %}in active{% endif %}">
+        <div class="col-md-12">
+            <h1>{{ lang._('Quick Start Guide') }}</h1>
+            <p>{{ lang._("Welcome to the ACME Client plugin! This plugin allows you to create SSL certificates by using one of the following Certificate Authorities (CAs):") }}</p>
+            <ul>
+              <li>{{ lang._("%sLet's Encrypt:%s A free, automated, and open certificate authority, run for the public's benefit. It is a service provided by the Internet Security Research Group (ISRG). Read more about the ACME protocol in %stheir documentation%s.") | format('<b>', '</b>', '<a href="https://letsencrypt.org/how-it-works/" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._('%sBuypass:%s A commercial, european certificate authority, based in Norway. Check out %stheir documentation%s for details about rate-limits and the usage policy.') | format('<b>', '</b>', '<a href="https://www.buypass.com/ssl/resources/go-ssl-technical-specification" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._('%sSSL.com:%s A commercial, globally trusted certificate authority. They provide an %sextensive guide%s for using their paid services with the ACME protocol.') | format('<b>', '</b>', '<a href="https://www.ssl.com/guide/ssl-tls-certificate-issuance-and-revocation-with-acme/" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._("%sZeroSSL:%s A commercial, european certificate authority, based in Austria. They provide a feature overview on %stheir website%s for users of Let's Encrypt.") | format('<b>', '</b>', '<a href="https://zerossl.com/letsencrypt-alternative/" target="_blank">', '</a>') }}</li>
+            </ul>
+            <p>{{ lang._("Setting up this plugin for the first time involves the following steps") }}</p>
+            <ul>
+              <li>{{ lang._('%sEnable%s the plugin: When enabling this plugin in the %ssettings%s, a lightweight service is started and cron jobs are added for automatic tasks.') | format('<b>', '</b>', '<a href="/ui/acmeclient#settings">', '</a>') }}</li>
+              <li>{{ lang._('Create an %saccount%s: An %saccount%s is required and will be automatically at the chosen CA.') | format('<b>', '</b>', '<a href="/ui/acmeclient/accounts">', '</a>') }}</li>
+              <li>{{ lang._('Set up a %schallenge type%s: Choose the %schallenge type%s that works best for you and if necessary, add the credentials for your DNS provider.') | format('<b>', '</b>', '<a href="/ui/acmeclient/validations">', '</a>') }}</li>
+              <li>{{ lang._('Add %sautomations%s: This is optional, but recommended when using short-lived certificates. %sAutomations%s allow to automatically run tasks when a certificate was created or renewed.') | format('<b>', '</b>', '<a href="/ui/acmeclient/actions">', '</a>') }}</li>
+              <li>{{ lang._('Create %scertificates%s: Finally create the %scertificates%s and let the CA complete the validation process.') | format('<b>', '</b>', '<a href="/ui/acmeclient/certificates">', '</a>') }}</li>
+            </ul>
+            <p><b>{{ lang._("Please read the official documentation for the preferred CA before using this plugin. It should give you a good overview about how their implementation of the ACME protocol works, so you do not hit their %srate limits%s and avoid common misconfigurations. Otherwise all attempts to issue a certificate would most likely fail. ") | format('<a href="https://letsencrypt.org/docs/rate-limits/">', '</a>') }}</b>{{ lang._("Ensure to use a %stest CA%s when using this plugin for the first time or while testing a new challenge type. Note that you will have to reissue your certificates when switching from a test CA to a production CA to get valid certificates.") | format('<a href="https://letsencrypt.org/docs/staging-environment/">', '</a>') }}</p>
+            <p>{{ lang._('Please use the %sissue tracker%s to report bugs or request new features. Note that some CAs offer paid services. These services are not affiliated to this plugin. The maintainers and developers of this plugin will not provide support for paid services.') | format('<a href="https://github.com/opnsense/plugins/issues">', '</a>') }}</p>
+        </div>
+    </div>
+
+    <div id="settings" class="tab-pane fade {% if showIntro|default('0')=='0' %}in active{% endif %}">
 {{ partial("layout_partials/base_form",['fields':settingsForm,'id':'frm_settings'])}}
     </div>
     <div class="col-md-12">
@@ -247,12 +281,9 @@ POSSIBILITY OF SUCH DAMAGE.
         <br/>
     </div>
     <div class="col-md-12">
-        <b>{{ lang._("Please read the official %sLet's Encrypt documentation%s before using this plugin. It should give you a good overview about how the various ACME CAs work, so you do not hit their %srate limits%s and avoid common misconfigurations, which would let all your attempts to issue a certificate fail.") | format('<a href="https://letsencrypt.org/how-it-works/">', '</a>', '<a href="https://letsencrypt.org/docs/rate-limits/">', '</a>') }}</b>{{ lang._("Please use a %stest CA%s when using this plugin for the first time or while testing a new challenge type. Note that you will have to reissue your certificates when switching from a test to a production CA to get valid certificates.") | format('<a href="https://letsencrypt.org/docs/staging-environment/">', '</a>') }}
-        <br/>
-        {{ lang._('Please use the %sissue tracker%s to report bugs or request new features.') | format('<a href="https://github.com/opnsense/plugins/issues">', '</a>') }}
         <br/>
-        <br/>
-        <p>{{ lang._('This plugin includes code from the %s project.') | format('<a href="https://github.com/acmesh-official/acme.sh">acmesh-official/acme.sh</a>' ) }} {{ lang._('Licensed under GPLv3.') }}<br/>{{ lang._('Let"s Encrypt(tm) is a trademark of the Internet Security Research Group. All rights reserved.') }}</p>
+        <p>{{ lang._('This plugin includes code from the %s project.') | format('<a href="https://github.com/acmesh-official/acme.sh">acmesh-official/acme.sh</a>' ) }} {{ lang._('Licensed under %sGPLv3%s.') | format('<a href="https://github.com/acmesh-official/acme.sh/blob/master/LICENSE.md">', '</a>' ) }}<br/>{{ lang._("Let's Encrypt(tm) is a trademark of the Internet Security Research Group. All rights reserved.") }}</p>
         <br/>
     </div>
+
 </div>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
index 6ece1b0aa7..176841dd8b 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2017 Frank Wall
+Copyright (C) 2017-2021 Frank Wall
 OPNsense® is Copyright © 2014-2015 by Deciso B.V.
 All rights reserved.
 
@@ -90,12 +90,26 @@ POSSIBILITY OF SUCH DAMAGE.
 
 </script>
 
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#validations">{{ lang._('Challenge Types') }}</a></li>
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li {% if showIntro|default('0')=='1' %}class="active"{% endif %}><a data-toggle="tab" id="validations-introduction" href="#subtab_validations-introduction"><b>{{ lang._('Introduction') }}</b></a></li>
+    <li {% if showIntro|default('0')=='0' %}class="active"{% endif %}><a data-toggle="tab" id="validations-tab" href="#validations"><b>{{ lang._('Challenge Types') }}</b></a></li>
 </ul>
 
-<div class="tab-content content-box tab-content">
-    <div id="validations" class="tab-pane fade in active">
+<div class="content-box tab-content">
+
+    <div id="subtab_validations-introduction" class="tab-pane fade {% if showIntro|default('0')=='1' %}in active{% endif %}">
+        <div class="col-md-12">
+            <h1>{{ lang._('Challenge Types') }}</h1>
+            <p>{{ lang._('As defined by the ACME standard, Certificate Authorities (CAs) must validate that you control a domain name. This is done by using "challenges". The following challenge types are supported:') }}</p>
+            <ul>
+              <li>{{ lang._('%sDNS-01:%s This is the most reliable challenge type and thus highly recommended when using this plugin. It requires that you control the DNS for your domain name and that your DNS provider is supported both %sby acme.sh%s and this plugin.') | format('<b>', '</b>', '<a href="https://github.com/acmesh-official/acme.sh/wiki/dnsapi" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._("%sHTTP-01:%s This challenge type usually requires manual configuration and is not recommended. The DNS name used in the certificate must point to the OPNsense host where the ACME Client plugin is running on. The integrated web service will try to guess the correct settings for your setup, but this may not always work out-of-the-box. Furthermore this challenge type cannot be used to create %swildcard certificates with Let's Encrypt%s.") | format('<b>', '</b>', '<a href="https://letsencrypt.org/docs/challenge-types/#http-01-challenge" target="_blank">', '</a>') }}</li>
+            </ul>
+            <p>{{ lang._('When experiencing issues with a challenge type, try setting the log level to "debug". Please provide full logs when %sreporting issues%s for a challenge type. You should also consider to ask the Certificate Authority for support, if you choose to use a commercial CA.') | format('<a href="https://github.com/opnsense/plugins/issues">', '</a>') }}</p>
+        </div>
+    </div>
+
+    <div id="validations" class="tab-pane fade {% if showIntro|default('0')=='0' %}in active{% endif %}">
         <table id="grid-validations" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogValidation">
             <thead>
             <tr>
@@ -119,6 +133,7 @@ POSSIBILITY OF SUCH DAMAGE.
             </tfoot>
         </table>
     </div>
+
 </div>
 
 {# include dialogs #}

From 052d0c4fe0977871d1315941d7934d9e56f8ecc0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Aug 2021 23:36:02 +0200
Subject: [PATCH 0677/3088] security/acme-client: show more options in list
 view

---
 security/acme-client/pkg-descr                                  | 1 +
 .../controllers/OPNsense/AcmeClient/Api/ActionsController.php   | 2 +-
 .../OPNsense/AcmeClient/Api/ValidationsController.php           | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt | 1 +
 .../opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt | 1 +
 5 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index b172474e3a..756d6ac15a 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -21,6 +21,7 @@ Changed:
 * remove the legacy log file and only rely on syslog logging (#2366)
 * update tooltip style for 21.7 (#2188)
 * add tooltips for account command buttons (#2188)
+* show more options in list view for challenge types and automations
 
 Removed:
 * remove obsolete account parameters: certificateAuthority, lastUpdate
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
index 0dec0e4b98..2634c404d5 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
@@ -72,7 +72,7 @@ public function toggleAction($uuid, $enabled = null)
 
     public function searchAction()
     {
-        return $this->searchBase('actions.action', array('enabled', 'name', 'description'), 'name');
+        return $this->searchBase('actions.action', array('enabled', 'name', 'type', 'description'), 'name');
     }
 
     public function sftpGetIdentityAction()
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
index 8dd6893139..703a8fef35 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
@@ -73,6 +73,6 @@ public function toggleAction($uuid, $enabled = null)
 
     public function searchAction()
     {
-        return $this->searchBase('validations.validation', array('enabled', 'name', 'description'), 'name');
+        return $this->searchBase('validations.validation', array('enabled', 'name', 'method', 'description'), 'name');
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
index e0f8b6fcab..c1eaf5f079 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
@@ -222,6 +222,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                <th data-column-id="type" data-type="string">{{ lang._('Command') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
index 176841dd8b..bd1e4c42fa 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
@@ -115,6 +115,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                <th data-column-id="method" data-type="string">{{ lang._('Challenge Type') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>

From 04861f4122738e1fc549b95b7637b7f28b5843c8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Aug 2021 23:53:40 +0200
Subject: [PATCH 0678/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 756d6ac15a..edb548f03d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,17 +13,18 @@ Plugin Changelog
 Added:
 * add support for new ACME CA's: buypass, buypass_test, sslcom, zerossl (#2361)
 * add introduction pages and an option to hide them
+* add tooltips for account command buttons (#2188)
 
 Changed:
 * rename plugin from "Let's Encrypt client" to "ACME Client" (#2361)
+* change the suffix for imports to the certificate storage to "ACME Client" (#2361)
 * rename "Let's Encrypt Environment" to "ACME CA" (#2361)
 * preserve old LE accounts/certs by adding a compatibility layer (#2361)
-* remove the legacy log file and only rely on syslog logging (#2366)
 * update tooltip style for 21.7 (#2188)
-* add tooltips for account command buttons (#2188)
 * show more options in list view for challenge types and automations
 
 Removed:
+* remove the legacy log file and only rely on syslog logging (#2366)
 * remove obsolete account parameters: certificateAuthority, lastUpdate
 
 2.6

From 58b6c71018fb3a591673d9fd1fe2531d1cfba2a5 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 6 Aug 2021 10:21:55 +0200
Subject: [PATCH 0679/3088] security/acme-client: improve wording

---
 .../opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt   | 2 +-
 .../mvc/app/views/OPNsense/AcmeClient/certificates.volt       | 4 ++--
 .../src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt  | 2 +-
 .../opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt  | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
index c1eaf5f079..5cbf1e502d 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
@@ -206,7 +206,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <div id="subtab_actions-introduction" class="tab-pane fade {% if showIntro|default('0')=='1' %}in active{% endif %}">
         <div class="col-md-12">
             <h1>{{ lang._('Automations') }}</h1>
-            <p>{{ lang._('Automations are a completely optional feature, but they can make life much easier, especially when using short-lived certificates. Typically use-case include:') }}</p>
+            <p>{{ lang._('Automations are a completely optional feature, but they can make life much easier, especially when using short-lived certificates. Typically use-cases include:') }}</p>
             <ul>
               <li>{{ lang._("%sRestart a service%s when a certificate was renewed to ensure that the newest certificate is being used. This is especially useful when using an ACME certificate for the OPNsense WebGUI or in combination with the HAProxy or NGINX plugins. Any OPNsense core service or plugin service may be restarted.") | format('<b>', '</b>') }}</li>
               <li>{{ lang._("Copy a certificate to one or more other hosts using the %sSFTP/SSH protocol%s. This way OPNsense can be used as a central authority for ACME certificates and secrets for DNS providers can be kept on a secure device.") | format('<b>', '</b>') }}</li>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index e50cda7f2b..0335295570 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -461,8 +461,8 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="altNames" data-type="string">{{ lang._('Multi-Domain (SAN)') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                 <th data-column-id="lastUpdate" data-type="string" data-formatter="certdate">{{ lang._('Issue/Renewal Date') }}</th>
-                <th data-column-id="statusCode" data-type="string" data-formatter="acmestatus">{{ lang._('Last Acme Status') }}</th>
-                <th data-column-id="statusLastUpdate" data-type="string" data-formatter="acmestatusdate">{{ lang._('Last Acme Run') }}</th>
+                <th data-column-id="statusCode" data-type="string" data-formatter="acmestatus">{{ lang._('Last ACME Status') }}</th>
+                <th data-column-id="statusLastUpdate" data-type="string" data-formatter="acmestatusdate">{{ lang._('Last ACME Run') }}</th>
                 <th data-column-id="commands" data-width="11em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
             </tr>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
index ae057bc86f..78f1d5e6f1 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
@@ -86,7 +86,7 @@
 
 <ul class="nav nav-tabs" role="tablist" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#systemlog"><b>{{ lang._('System Log') }}</b></a></li>
-    <li><a data-toggle="tab" href="#acmelog">{{ lang._('Acme Log') }}</a></li>
+    <li><a data-toggle="tab" href="#acmelog">{{ lang._('ACME Log') }}</a></li>
 </ul>
 
 <div class="content-box tab-content">
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index 3d462bb547..146a17a92e 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -201,7 +201,7 @@ POSSIBILITY OF SUCH DAMAGE.
             BootstrapDialog.show({
                 type: BootstrapDialog.TYPE_DANGER,
                 title: "{{ lang._('Wipe all certificate and account data') }}",
-                message: "{{ lang._('This will remove ALL certificates, private keys, CSRs from acme client and reset all certificate and account states. However, existing certificates will remain in OPNsense trust storage. The acme client will automatically regenerate everything on its next scheduled run. This is most useful when importing a config backup to a new firewall. Continue?') }}",
+                message: "{{ lang._('This will remove ALL certificates, private keys, CSRs from ACME Client and reset all certificate and account states. However, existing certificates will remain in OPNsense trust storage. The ACME Client will automatically regenerate everything on its next scheduled run. This is most useful when importing a config backup to a new firewall. Continue?') }}",
                 buttons: [{
                     label: '{{ lang._('Continue') }}',
                     cssClass: 'btn-primary',
@@ -277,7 +277,7 @@ POSSIBILITY OF SUCH DAMAGE.
         <hr/>
         <button class="btn btn-primary" id="reconfigureAct" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
         <button class="btn btn-primary" id="configtestAct" type="button"><b>{{ lang._('Test Config') }}</b><i id="configtestAct_progress" class=""></i></button>
-        <button class="btn btn-primary" id="resetAct" type="button"><b>{{ lang._('Reset acme client') }}</b><i id="resetAct_progress" class=""></i></button>
+        <button class="btn btn-primary" id="resetAct" type="button"><b>{{ lang._('Reset ACME Client') }}</b><i id="resetAct_progress" class=""></i></button>
         <br/>
     </div>
     <div class="col-md-12">

From 6ebbaf75559df5d68f72d941e181326f7c0248fa Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 6 Aug 2021 11:27:34 +0200
Subject: [PATCH 0680/3088] security/acme-client: add support for custom ACME
 EAB kid/hmac

---
 security/acme-client/pkg-descr                   |  1 +
 .../OPNsense/AcmeClient/forms/dialogAccount.xml  | 16 ++++++++++++++++
 .../OPNsense/AcmeClient/forms/settings.xml       |  2 +-
 .../library/OPNsense/AcmeClient/LeAccount.php    |  7 +++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml    | 10 ++++++++++
 5 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index edb548f03d..3dfdcafaef 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,7 @@ Added:
 * add support for new ACME CA's: buypass, buypass_test, sslcom, zerossl (#2361)
 * add introduction pages and an option to hide them
 * add tooltips for account command buttons (#2188)
+* add support for custom ACME EAB kid/hmac when registering accounts
 
 Changed:
 * rename plugin from "Let's Encrypt client" to "ACME Client" (#2361)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
index b8a2e2ebb8..246f279dfa 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
@@ -23,4 +23,20 @@
         <type>text</type>
         <help>Optional e-mail address for this account.</help>
     </field>
+    <field>
+        <label>Optional EAB Credentials</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>account.eab_kid</id>
+        <label>Key Identifier</label>
+        <type>text</type>
+        <help><![CDATA[An optional value provided by the CA when using ACME External Account Binding (EAB).]]></help>
+    </field>
+    <field>
+        <id>account.eab_hmac</id>
+        <label>HMAC Key</label>
+        <type>password</type>
+        <help><![CDATA[An optional value provided by the CA when using ACME External Account Binding (EAB).]]></help>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index 770341a2ce..e3b64b0ad0 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -15,7 +15,7 @@
         <id>acmeclient.settings.ca</id>
         <label>ACME CA</label>
         <type>dropdown</type>
-        <help><![CDATA[The ACME CA that should be used to issue or renew certificates. Note that some of them offer paid services and may require a subscription. Check the <a href="https://github.com/acmesh-official/acme.sh/wiki/Server">acme.sh documentation</a> for a list of supported CAs.]]></help>
+        <help><![CDATA[The ACME CA that should be used to issue or renew certificates. Note that some of them offer paid services and may require a subscription. Check the <a href="https://github.com/acmesh-official/acme.sh/wiki/Server" target="_blank">acme.sh documentation</a> for a list of supported CAs.]]></help>
     </field>
     <field>
         <id>acmeclient.settings.haproxyIntegration</id>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index afec980fd2..57589b7c5a 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -212,6 +212,13 @@ public function register()
         if (!($this->isRegistered())) {
             LeUtils::log_debug('starting account registration for ' . (string)$this->config->name, $this->debug);
 
+            // Check if ACME External Account Binding (EAB) is enabled
+            if (!empty((string)$this->config->eab_kid) && !empty((string)$this->config->eab_hmac) {
+                LeUtils::log_debug('enabling ACME EAB for this account', $this->debug);
+                $this->acme_args[] = LeUtils::execSafe('--eab-kid %s', $this->config->eab_kid);
+                $this->acme_args[] = LeUtils::execSafe('--eab-hmac-key %s', $this->config->eab_hmac);
+            }
+
             // Preparation to run acme client
             $proc_env = $this->acme_env; // env variables for proc_open()
             $proc_env['PATH'] = $this::ACME_ENV_PATH;
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 91183a3ea8..5e0a936f61 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -148,6 +148,16 @@
                 <email type="EmailField">
                     <Required>N</Required>
                 </email>
+                <eab_kid type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,8192}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 8192 characters.</ValidationMessage>
+                </eab_kid>
+                <eab_hmac type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,8192}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 8192 characters.</ValidationMessage>
+                </eab_hmac>
                 <!-- hidden field; the private key for this account -->
                 <key type="TextField">
                     <Required>N</Required>

From be9aa41ae1f8b4fd918442893137b58f8353534a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 7 Aug 2021 22:21:32 +0200
Subject: [PATCH 0681/3088] security/acme-client: make it possible to use
 multiple CAs

---
 security/acme-client/pkg-descr                |  8 ++++--
 .../AcmeClient/forms/dialogAccount.xml        | 10 ++++++++
 .../OPNsense/AcmeClient/forms/settings.xml    |  6 -----
 .../library/OPNsense/AcmeClient/LeAccount.php |  4 +--
 .../OPNsense/AcmeClient/LeAutomation/Base.php |  2 +-
 .../OPNsense/AcmeClient/LeCertificate.php     |  3 ++-
 .../library/OPNsense/AcmeClient/LeCommon.php  | 25 ++++++++++++++-----
 .../OPNsense/AcmeClient/LeValidation/Base.php |  2 +-
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 24 +++++++++---------
 .../OPNsense/AcmeClient/Migrations/M3_0_0.php |  9 ++++---
 .../views/OPNsense/AcmeClient/settings.volt   |  2 +-
 11 files changed, 60 insertions(+), 35 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 3dfdcafaef..a78db9bedf 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -11,15 +11,19 @@ Plugin Changelog
 3.0
 
 Added:
-* add support for new ACME CA's: buypass, buypass_test, sslcom, zerossl (#2361)
+* add support for new ACME CAs: buypass, buypass_test, sslcom, zerossl (#2361)
+* add CA setting to accounts, make it possible to use multiple CAs
 * add introduction pages and an option to hide them
 * add tooltips for account command buttons (#2188)
 * add support for custom ACME EAB kid/hmac when registering accounts
 
+Fixed:
+* properly set/get the UUID of LE objects
+
 Changed:
 * rename plugin from "Let's Encrypt client" to "ACME Client" (#2361)
 * change the suffix for imports to the certificate storage to "ACME Client" (#2361)
-* rename "Let's Encrypt Environment" to "ACME CA" (#2361)
+* rename "Let's Encrypt Environment" to "ACME CA" and move to account settings (#2361)
 * preserve old LE accounts/certs by adding a compatibility layer (#2361)
 * update tooltip style for 21.7 (#2188)
 * show more options in list view for challenge types and automations
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
index 246f279dfa..33854114a7 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
@@ -17,12 +17,22 @@
         <type>text</type>
         <help>Description for this account.</help>
     </field>
+    <field>
+        <label>NOTE: Settings below must not be changed after account registration.</label>
+        <type>header</type>
+    </field>
     <field>
         <id>account.email</id>
         <label>E-Mail Address</label>
         <type>text</type>
         <help>Optional e-mail address for this account.</help>
     </field>
+    <field>
+        <id>account.ca</id>
+        <label>ACME CA</label>
+        <type>dropdown</type>
+        <help><![CDATA[The ACME CA that should be used for this account and all associated certificates. Note that some of them offer paid services and may require a subscription. Check the <a href="https://github.com/acmesh-official/acme.sh/wiki/Server" target="_blank">acme.sh documentation</a> for a list of supported CAs.]]></help>
+    </field>
     <field>
         <label>Optional EAB Credentials</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index e3b64b0ad0..285b55c7fc 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -11,12 +11,6 @@
         <type>checkbox</type>
         <help><![CDATA[Enable automatic renewal for certificates to prevent expiration. This will add a cron job to the system. You may want to customize the cron job schedule to your needs, because re-issueing a certificate may lead to a short downtime, depending on the selected challenge type and service.]]></help>
     </field>
-    <field>
-        <id>acmeclient.settings.ca</id>
-        <label>ACME CA</label>
-        <type>dropdown</type>
-        <help><![CDATA[The ACME CA that should be used to issue or renew certificates. Note that some of them offer paid services and may require a subscription. Check the <a href="https://github.com/acmesh-official/acme.sh/wiki/Server" target="_blank">acme.sh documentation</a> for a list of supported CAs.]]></help>
-    </field>
     <field>
         <id>acmeclient.settings.haproxyIntegration</id>
         <label>HAProxy Integration</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 57589b7c5a..94a91008d7 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -54,7 +54,7 @@ public function __construct(string $uuid)
         $this->setLoglevel();
 
         // Set ACME CA
-        $this->setCa();
+        $this->setCa($uuid);
 
         // Store acme filenames
         $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
@@ -213,7 +213,7 @@ public function register()
             LeUtils::log_debug('starting account registration for ' . (string)$this->config->name, $this->debug);
 
             // Check if ACME External Account Binding (EAB) is enabled
-            if (!empty((string)$this->config->eab_kid) && !empty((string)$this->config->eab_hmac) {
+            if (!empty((string)$this->config->eab_kid) && !empty((string)$this->config->eab_hmac)) {
                 LeUtils::log_debug('enabling ACME EAB for this account', $this->debug);
                 $this->acme_args[] = LeUtils::execSafe('--eab-kid %s', $this->config->eab_kid);
                 $this->acme_args[] = LeUtils::execSafe('--eab-hmac-key %s', $this->config->eab_hmac);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index 67ce269f2d..349e22bff4 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -64,7 +64,7 @@ public function init(string $certid, string $accountuuid)
         $this->setLoglevel();
 
         // Set ACME CA
-        $this->setCa();
+        $this->setCa($accountuuid);
 
         return true;
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 16fc4839a1..cfe13498d8 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -75,7 +75,7 @@ public function __construct(string $uuid, bool $force = false, bool $cron = fals
         $this->setLoglevel();
 
         // Set ACME CA
-        $this->setCa();
+        $this->setCa((string)$this->config->account);
 
         // Handle special key types
         if ($this->config->keyLength == 'key_ec256' || $this->config->keyLength == 'key_ec384') {
@@ -351,6 +351,7 @@ public function issue()
             return false;
         }
         LeUtils::log("${acme_action} certificate: " . (string)$this->config->name);
+        LeUtils::log('using CA: ' . $this->ca);
 
         // Ensure that account is registered.
         if (!($this->setAccount())) {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index 1863061d6e..d2097fe7ad 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -105,7 +105,7 @@ public function getId()
      */
     public function getUuid()
     {
-        return (string)$this->config->uuid;
+        return (string)$this->uuid;
     }
 
     /**
@@ -124,6 +124,7 @@ public function loadConfig(string $path, string $uuid)
         // Store config objects
         $this->config = $obj;
         $this->model = $model;
+        $this->uuid = $uuid;
         return true;
     }
 
@@ -139,16 +140,28 @@ public function isEnabled()
     /**
      * set ACME CA for acme.sh
      */
-    public function setCa()
+    public function setCa(string $uuid)
     {
-        $this->ca = (string)$this->model->getNodeByReference('settings.ca');
-        $this->acme_args[] = LeUtils::execSafe('--server %s', $this->ca);
+        // Get account config object
+        $model = new \OPNsense\AcmeClient\AcmeClient();
+        $obj = $model->getNodeByReference("accounts.account.${uuid}");
+        if (empty($obj) || $obj == null) {
+            LeUtils::log_error("unable to set CA, account not found: ${uuid}");
+            return false;
+        }
+
+        // Extract ACME CA from account config
+        $acme_ca = (string)$obj->ca;
+        $this->ca = $acme_ca;
+
+        // Add CA to acme arguments
+        $this->acme_args[] = LeUtils::execSafe('--server %s', $acme_ca);
 
         // Evaluate how the CA should be represented in filenames.
         // This is a compatibility layer. It ensures that old files that
         // were generated for the Let's Encrypt Production/Staging CA
         // can still be used.
-        switch ($this->ca) {
+        switch ($acme_ca) {
             case 'letsencrypt':
                 $ca_compat = 'prod';
                 break;
@@ -156,7 +169,7 @@ public function setCa()
                 $ca_compat = 'stg';
                 break;
             default:
-                $ca_compat = $this->ca;
+                $ca_compat = $acme_ca;
                 break;
         }
         $this->ca_compat = $ca_compat;
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 0c2dcb317a..d50292c665 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -74,7 +74,7 @@ public function init(string $certid, string $accountuuid)
         $this->setLoglevel();
 
         // Set ACME CA
-        $this->setCa();
+        $this->setCa($accountuuid);
 
         // Store acme hook
         switch ((string)$this->config->method) {
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 5e0a936f61..a2f097edef 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -34,18 +34,6 @@
                     <stg>Staging Environment</stg>
                 </OptionValues>
             </environment>
-            <ca type="OptionField">
-                <Required>Y</Required>
-                <default></default>
-                <OptionValues>
-                    <buypass>Buypass</buypass>
-                    <buypass_test>Buypass Test CA</buypass_test>
-                    <letsencrypt>Let's Encrypt [default]</letsencrypt>
-                    <letsencrypt_test>Let's Encrypt Test CA</letsencrypt_test>
-                    <sslcom>SSL.com</sslcom>
-                    <zerossl>ZeroSSL</zerossl>
-                </OptionValues>
-            </ca>
             <challengePort type="IntegerField">
                 <default>43580</default>
                 <MinimumValue>1024</MinimumValue>
@@ -148,6 +136,18 @@
                 <email type="EmailField">
                     <Required>N</Required>
                 </email>
+                <ca type="OptionField">
+                    <Required>Y</Required>
+                    <default>letsencrypt</default>
+                    <OptionValues>
+                        <buypass>Buypass</buypass>
+                        <buypass_test>Buypass Test CA</buypass_test>
+                        <letsencrypt>Let's Encrypt [default]</letsencrypt>
+                        <letsencrypt_test>Let's Encrypt Test CA</letsencrypt_test>
+                        <sslcom>SSL.com</sslcom>
+                        <zerossl>ZeroSSL</zerossl>
+                    </OptionValues>
+                </ca>
                 <eab_kid type="TextField">
                     <Required>N</Required>
                     <mask>/^.{1,8192}$/u</mask>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_0_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_0_0.php
index a2f0262e56..1ef4c2f664 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_0_0.php
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_0_0.php
@@ -46,9 +46,12 @@ public function run($model)
                 $new_ca = 'letsencrypt_test';
                 break;
         }
-
-        // Set new CA
-        $model->settings->ca = $new_ca;
         $model->settings->environment = null; // clear old value
+
+        // Search accounts
+        foreach ($model->getNodeByReference('accounts.account')->iterateItems() as $account) {
+            // Set CA
+            $account->ca = $new_ca;
+        }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index 146a17a92e..539fc97381 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -260,7 +260,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <p>{{ lang._("Setting up this plugin for the first time involves the following steps") }}</p>
             <ul>
               <li>{{ lang._('%sEnable%s the plugin: When enabling this plugin in the %ssettings%s, a lightweight service is started and cron jobs are added for automatic tasks.') | format('<b>', '</b>', '<a href="/ui/acmeclient#settings">', '</a>') }}</li>
-              <li>{{ lang._('Create an %saccount%s: An %saccount%s is required and will be automatically at the chosen CA.') | format('<b>', '</b>', '<a href="/ui/acmeclient/accounts">', '</a>') }}</li>
+              <li>{{ lang._('Create an %saccount%s: An %saccount%s is required. It determines which CA will be used for all associated certificates.') | format('<b>', '</b>', '<a href="/ui/acmeclient/accounts">', '</a>') }}</li>
               <li>{{ lang._('Set up a %schallenge type%s: Choose the %schallenge type%s that works best for you and if necessary, add the credentials for your DNS provider.') | format('<b>', '</b>', '<a href="/ui/acmeclient/validations">', '</a>') }}</li>
               <li>{{ lang._('Add %sautomations%s: This is optional, but recommended when using short-lived certificates. %sAutomations%s allow to automatically run tasks when a certificate was created or renewed.') | format('<b>', '</b>', '<a href="/ui/acmeclient/actions">', '</a>') }}</li>
               <li>{{ lang._('Create %scertificates%s: Finally create the %scertificates%s and let the CA complete the validation process.') | format('<b>', '</b>', '<a href="/ui/acmeclient/certificates">', '</a>') }}</li>

From fe092d785fcedc25b1f8e5c25f5dcd758c65b811 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 8 Aug 2021 18:52:14 +0200
Subject: [PATCH 0682/3088] security/acme-client: finishing touches for version
 3.0

---
 .../controllers/OPNsense/AcmeClient/forms/settings.xml   | 2 +-
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml    | 2 +-
 .../mvc/app/views/OPNsense/AcmeClient/certificates.volt  | 9 +++------
 .../mvc/app/views/OPNsense/AcmeClient/settings.volt      | 2 +-
 4 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index 285b55c7fc..4089801a00 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -27,7 +27,7 @@
         <id>acmeclient.settings.showIntro</id>
         <label>Show introduction pages</label>
         <type>checkbox</type>
-        <help><![CDATA[Uncheck to hide all additional introduction pages.]]></help>
+        <help><![CDATA[Uncheck to hide all introduction pages.]]></help>
     </field>
     <field>
         <id>acmeclient.settings.challengePort</id>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index a2f097edef..47d3ba221b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1034,7 +1034,7 @@
                         <restart_nginx>Restart Nginx (OPNsense plugin)</restart_nginx>
                         <upload_highwinds>Upload certificate to Highwinds CDN</upload_highwinds>
                         <upload_sftp>Upload certificate via SFTP</upload_sftp>
-                        <configd>System or Plugin Command (select below)</configd>
+                        <configd>System or Plugin Command</configd>
                     </OptionValues>
                 </type>
                 <highwinds_account_hash type="TextField">
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index 0335295570..334e7914be 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -448,7 +448,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Certificates are stored in the %sOPNsense certificate storage%s. When a CA has completed the validation of a certificate request, the resulting certificate is then automatically imported into the OPNsense certificate storage. The same applies when renewing certificates, the existing entry in the OPNsense certificate storage will automatically be updated.') | format('<a href="/system_certmanager.php">', '</a>') }}</li>
               <li>{{ lang._('When removing a certificate from the plugin, the certificate in the %sOPNsense certificate storage%s is %sNOT removed%s, because it may still be used by a core application or another plugin. Obsolete certificates should be manually removed from the OPNsense certificate storage. Note that when creating a new certificate with the same name, a new certificated will be imported into the OPNsense certificate storage (instead of updating the existing entry).') | format('<a href="/system_certmanager.php">', '</a>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._('When experiencing issues, try setting the log level to "debug" in %ssettings%s.') | format('<a href="/ui/acmeclient#settings">', '</a>') }}</p>
+            <p>{{ lang._('When experiencing issues, try setting the log level to "debug" on the %ssettings%s page.') | format('<a href="/ui/acmeclient#settings">', '</a>') }}</p>
         </div>
     </div>
 
@@ -481,12 +481,9 @@ POSSIBILITY OF SUCH DAMAGE.
         </table>
         <div class="col-md-12">
             <hr/>
-            <button class="btn btn-primary" id="signallcertsAct" type="button"><b>{{ lang._('Issue/Renew Certificates Now') }}</b><i id="signallcertsAct_progress" class=""></i></button>
+            <button class="btn btn-primary" id="signallcertsAct" type="button"><b>{{ lang._('Issue/Renew All Certificates') }}</b><i id="signallcertsAct_progress" class=""></i></button>
+            <br/>
             <br/>
-        </div>
-        <div class="col-md-12">
-            {{ lang._('Use the Issue/Renew button to let the acme client automatically issue any new certificate and renew existing certificates (only if required). If you want to only issue/renew or revoke a single certificate, use the buttons in the Commands column. This will forcefully issue/renew the certificate, even if it is not required.') }} <b>{{ lang._('The process may take some time and thus will run in the background, you will not get any notification in the GUI. Use the log file to monitor the progress and to see error messages.') }}</b>
-            <br/><br/>
         </div>
     </div>
 </div>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index 539fc97381..fb111608b1 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -259,7 +259,7 @@ POSSIBILITY OF SUCH DAMAGE.
             </ul>
             <p>{{ lang._("Setting up this plugin for the first time involves the following steps") }}</p>
             <ul>
-              <li>{{ lang._('%sEnable%s the plugin: When enabling this plugin in the %ssettings%s, a lightweight service is started and cron jobs are added for automatic tasks.') | format('<b>', '</b>', '<a href="/ui/acmeclient#settings">', '</a>') }}</li>
+              <li>{{ lang._('%sEnable%s the plugin: When enabling this plugin on the %ssettings%s page, a lightweight service is started and a cron job is added to run periodic tasks.') | format('<b>', '</b>', '<a href="/ui/acmeclient#settings">', '</a>') }}</li>
               <li>{{ lang._('Create an %saccount%s: An %saccount%s is required. It determines which CA will be used for all associated certificates.') | format('<b>', '</b>', '<a href="/ui/acmeclient/accounts">', '</a>') }}</li>
               <li>{{ lang._('Set up a %schallenge type%s: Choose the %schallenge type%s that works best for you and if necessary, add the credentials for your DNS provider.') | format('<b>', '</b>', '<a href="/ui/acmeclient/validations">', '</a>') }}</li>
               <li>{{ lang._('Add %sautomations%s: This is optional, but recommended when using short-lived certificates. %sAutomations%s allow to automatically run tasks when a certificate was created or renewed.') | format('<b>', '</b>', '<a href="/ui/acmeclient/actions">', '</a>') }}</li>

From 4d07d7481b9ce5fcbcde07a2492a9f1d7ed86ac2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Aug 2021 07:55:24 +0200
Subject: [PATCH 0683/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6d761ebadf..a19e04af69 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,7 @@ net-mgmt/nrpe -- Execute nagios plugins
 net-mgmt/telegraf -- Agent for collecting metrics and data
 net-mgmt/zabbix-agent -- Zabbix monitoring agent
 net-mgmt/zabbix-proxy -- Zabbix monitoring proxy
-security/acme-client -- Let's Encrypt client
+security/acme-client -- ACME Client
 security/clamav -- Antivirus engine for detecting malicious threats
 security/etpro-telemetry -- ET Pro Telemetry Edition
 security/intrusion-detection-content-et-open -- IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition

From f9019d0256453b87ee2865f6bef2cd756efca331 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Aug 2021 09:53:45 +0200
Subject: [PATCH 0684/3088] mail/postfix: move to postfix35 package

---
 mail/postfix/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 399eb2d626..84c6f2441e 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		postfix
 PLUGIN_VERSION=		1.20
 PLUGIN_COMMENT=		SMTP mail relay
-PLUGIN_DEPENDS=		postfix-sasl
+PLUGIN_DEPENDS=		postfix35
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From 17efe7400f568e917118480982a834d943110829 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Aug 2021 10:32:30 +0200
Subject: [PATCH 0685/3088] net/haproxy: move to haproxy22 for now

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index b17e6fb8d6..56ef721c94 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		3.4
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy
+PLUGIN_DEPENDS=		haproxy22
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"

From ef88595e0cc60b89d24ac93a24462af44265a02b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Aug 2021 16:30:48 +0200
Subject: [PATCH 0686/3088] Framework: removed the need for these trampoline
 targets

---
 Mk/plugins.mk | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 03b15df427..1502ab8c66 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -101,12 +101,6 @@ PLUGIN_PKGVERSION=	${PLUGIN_VERSION}_${PLUGIN_REVISION}
 PLUGIN_PKGVERSION=	${PLUGIN_VERSION}
 .endif
 
-name: check
-	@echo ${PLUGIN_PKGNAME}
-
-depends: check
-	@echo ${PLUGIN_DEPENDS}
-
 manifest: check
 	@echo "name: ${PLUGIN_PKGNAME}"
 	@echo "version: \"${PLUGIN_PKGVERSION}\""

From 1001fa80406ca62f4700c2ac35626259a223f9e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20St=C3=BCrz?= <andreas.stuerz@markt.de>
Date: Sun, 15 Aug 2021 21:07:57 +0200
Subject: [PATCH 0687/3088] use OrderDict because csv.DictReader returns a dict
 after version 3.7 (#2496)

* use OrderDict because csv.DictReader returns a dict after version 3.7
---
 .../src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
index 391527d890..733daf113b 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
@@ -2,6 +2,7 @@
 import re
 import csv
 import json
+from collections import OrderedDict
 from io import StringIO
 
 class Cmd():
@@ -317,6 +318,7 @@ def getResultObj(self, res):
 
         reader = self.getDict(res)
         for row in reader:
+            row = OrderedDict(row)
             # show only server
             if row['svname'] in ['BACKEND', 'FRONTEND']:
                 continue

From 8c3d1e1a0fb1f79c73c51a258a37ef3d9eee09f2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 15 Aug 2021 21:09:48 +0200
Subject: [PATCH 0688/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 56ef721c94..be6664fc86 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.4
+PLUGIN_VERSION=		3.5
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy22
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 33bb1b5e87822d7d679eea1449467c23a51a3464 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 15 Aug 2021 21:10:33 +0200
Subject: [PATCH 0689/3088] net/haproxy: update changelog

---
 net/haproxy/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 4d9a646df1..fce3447a04 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.5
+
+Fixed:
+* fix maintenance page not loading (#2485)
+
 3.4
 
 Fixed:

From ed7ea5d9918b62f4cab209fe815cf1d269bde26e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 3 Sep 2021 20:31:24 +0200
Subject: [PATCH 0690/3088] devel/debug: vim renamed again, but better removed
 from "debug"

---
 devel/debug/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index f97500c858..52d7ef7886 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -5,7 +5,7 @@ PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
 			phpunit7-php${PLUGIN_PHP} \
 			py${PLUGIN_PYTHON}-pycodestyle \
-			p5-File-Slurp vim-console git
+			p5-File-Slurp git
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"

From 57ed95797912ffadec012904429f604951b2ff1d Mon Sep 17 00:00:00 2001
From: Gavin Chappell <g-a-c@users.noreply.github.com>
Date: Wed, 8 Sep 2021 09:55:05 +0100
Subject: [PATCH 0691/3088] Update LE reference to ACME (#2526)

---
 .../OPNsense/AcmeClient/forms/dialogCertificate.xml           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index a78b2f0515..ead828f216 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -13,7 +13,7 @@
         <id>certificate.name</id>
         <label>Common Name</label>
         <type>text</type>
-        <help>Common Name (CN) for this certificate.</help>
+        <help>Common Name (CN) and first Alt Name (subjectAltName) for this certificate.</help>
     </field>
     <field>
         <id>certificate.description</id>
@@ -36,7 +36,7 @@
     </field>
     <field>
         <id>certificate.account</id>
-        <label>LE Account</label>
+        <label>ACME Account</label>
         <type>dropdown</type>
         <help><![CDATA[Set the ACME CA account to use for this certificate.]]></help>
     </field>

From c943362b3dc30b551482de1e0c4c8fb7e8198eb3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 8 Sep 2021 11:21:21 +0200
Subject: [PATCH 0692/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a78db9bedf..724aae3e7c 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.1
+
+Changed:
+* rename "LE Account" to "ACME Account" in certificate dialog (#2526)
+
 3.0
 
 Added:

From 9ebb22b6fc52d9d11e634ef59127171e6a993082 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 8 Sep 2021 11:21:37 +0200
Subject: [PATCH 0693/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index aa8f7cc864..465cc25781 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.0
+PLUGIN_VERSION=		3.1
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 311eccb6388a8533e4e41d1ec298660b2a9bb5c3 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 9 Sep 2021 09:50:33 +0200
Subject: [PATCH 0694/3088] net-mgmt/telegraf: Allow Run as Root (#2520)

---
 net-mgmt/telegraf/Makefile                                    | 2 +-
 net-mgmt/telegraf/pkg-descr                                   | 4 ++++
 .../mvc/app/controllers/OPNsense/Telegraf/forms/general.xml   | 4 ++--
 .../src/opnsense/service/templates/OPNsense/Telegraf/telegraf | 1 +
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index a7e3d647ad..71ae1610bb 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.0
+PLUGIN_VERSION=		1.12.1
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 0ab481d8f8..9b28b08a95 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.1
+
+* Rename "Wheel Group" to "Run as Root" and set user permissions
+
 1.12.0
 
 * Allow to start telegraf with wheel group permissions
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/general.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/general.xml
index 95a80b7fd2..cddb34f67d 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/general.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/general.xml
@@ -7,9 +7,9 @@
     </field>
     <field>
         <id>general.wheelgroup</id>
-        <label>Wheel Group</label>
+        <label>Run as Root</label>
         <type>checkbox</type>
-        <help>This will start the process with wheel group permission. Please use this with care, currently only needed for Unbound and Suricata.</help>
+        <help>This will start the process with wheel group and root user permission. Please use this with care, currently only needed for Unbound and Suricata.</help>
     </field>
     <field>
         <id>general.interval</id>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
index 54ccc238f6..5e91fffa8f 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
@@ -1,5 +1,6 @@
 {% if helpers.exists('OPNsense.telegraf.general.enabled') and OPNsense.telegraf.general.enabled == '1' %}
 {%   if OPNsense.telegraf.general.wheelgroup == '1' %}
+telegraf_user="root"
 telegraf_group="wheel"
 {%   endif %}
 telegraf_var_script="/usr/local/opnsense/scripts/OPNsense/Telegraf/setup.sh"

From 2e1f6fa47ea9dda0631d7caa3e027ebb923f794d Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 9 Sep 2021 09:51:51 +0200
Subject: [PATCH 0695/3088] dns/dnscrypt-proxy: rename label in templating
 (#2519)

PR: https://forum.opnsense.org/index.php?topic=24297.0
---
 .../OPNsense/Dnscryptproxy/dnscrypt-proxy.toml         | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index f6627a3a71..dcade82dfb 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -126,21 +126,21 @@ cache = false
   file = '/var/log/dnscrypt-proxy/nx.log'
   format = 'tsv'
 
-[whitelist]
-  whitelist_file = 'whitelist.txt'
+[allowed_names]
+  allowed_names_file = 'whitelist.txt'
   log_file = '/var/log/dnscrypt-proxy/whitelisted.log'
   log_format = 'tsv'
 
 {% if helpers.exists('OPNsense.dnscryptproxy.dnsbl.enabled') and OPNsense.dnscryptproxy.dnsbl.enabled == '1' %}
-[blacklist]
-  blacklist_file = 'blacklist.txt'
+[blocked_names]
+  blocked_names_file = 'blacklist.txt'
   log_file = '/var/log/dnscrypt-proxy/blocked.log'
   log_format = 'tsv'
 {% endif %}
 
 [sources]
   [sources.'public-resolvers']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
   cache_file = 'public-resolvers.md'
   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
   refresh_delay = 72

From 9004ee48775967d5da952a7d2daccdf13ff1b042 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 9 Sep 2021 09:53:32 +0200
Subject: [PATCH 0696/3088] net-mgmt/collectd: Add tcpconns and ipstats plugins
 (#2514)

---
 net-mgmt/collectd/Makefile                           |  3 +--
 net-mgmt/collectd/pkg-descr                          |  5 +++++
 .../controllers/OPNsense/Collectd/forms/general.xml  | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Collectd/General.xml     | 10 +++++++++-
 .../templates/OPNsense/Collectd/collectd.conf        | 10 +++++++++-
 5 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/collectd/Makefile b/net-mgmt/collectd/Makefile
index d4a91d1854..8df6de3212 100644
--- a/net-mgmt/collectd/Makefile
+++ b/net-mgmt/collectd/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		collectd
-PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Collect system and application performance metrics periodically
 PLUGIN_DEPENDS=		collectd5
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/collectd/pkg-descr b/net-mgmt/collectd/pkg-descr
index a350d3e2bc..b50a748d9a 100644
--- a/net-mgmt/collectd/pkg-descr
+++ b/net-mgmt/collectd/pkg-descr
@@ -7,6 +7,11 @@ in RRD files.
 Plugin Changelog
 ================
 
+1.4
+
+* Add ipstats plugin
+* Add tcpconns plugin
+
 1.3
 
 * Add support for CPU aggregation (contributed by @pmhausen)
diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
index 6e05b7ca87..1826b8b637 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/forms/general.xml
@@ -191,4 +191,16 @@
         <type>checkbox</type>
         <help>The Users plugin counts the number of users currently logged into the system (SSH).</help>
     </field>
+    <field>
+        <id>general.p_tcpconns</id>
+        <label>Enable tcpconns plugin</label>
+        <type>checkbox</type>
+        <help>The tcpconns plugin lists a summary of all tcp connections.</help>
+    </field>
+    <field>
+        <id>general.p_ipstats</id>
+        <label>Enable ipstats plugin</label>
+        <type>checkbox</type>
+        <help>The ipstats plugin lists multiple interface stats.</help>
+    </field>
 </form>
diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
index b87d8f5ffb..ead3dcf6c9 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/collectd/general</mount>
     <description>Collectd configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -133,5 +133,13 @@
             <default>1</default>
             <Required>N</Required>
         </p_users_enable>
+        <p_tcpconns type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </p_tcpconns>
+        <p_ipstats type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </p_ipstats>
     </items>
 </model>
diff --git a/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd.conf b/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd.conf
index 15af1eae7b..52f58491ae 100644
--- a/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd.conf
+++ b/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd.conf
@@ -58,7 +58,15 @@ LoadPlugin users
 {% if helpers.exists('OPNsense.collectd.general.p_graphite_enable') and OPNsense.collectd.general.p_graphite_enable == '1' %}
 LoadPlugin write_graphite
 {% endif %}
-
+{% if helpers.exists('OPNsense.collectd.general.p_tcpconns') and OPNsense.collectd.general.p_tcpconns == '1' %}
+LoadPlugin tcpconns
+<Plugin tcpconns>
+       AllPortsSummary true
+</Plugin>
+{% endif %}
+{% if helpers.exists('OPNsense.collectd.general.p_ipstats') and OPNsense.collectd.general.p_ipstats == '1' %}
+LoadPlugin ipstats
+{% endif %}
 ##############################################################################
 # Plugin configuration                                                       #
 #----------------------------------------------------------------------------#

From f934be62851bb95e7a3e0c74ef7f9fd3f2ea43b5 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 9 Sep 2021 09:54:45 +0200
Subject: [PATCH 0697/3088] net/freeradius: fix secret and allow ecdh curve
 selection (#2511)

---
 net/freeradius/Makefile                               |  2 +-
 net/freeradius/pkg-descr                              |  5 +++++
 .../app/controllers/OPNsense/Freeradius/forms/eap.xml |  6 ++++++
 .../mvc/app/models/OPNsense/Freeradius/Eap.xml        | 11 ++++++++++-
 .../templates/OPNsense/Freeradius/clients.conf        |  2 +-
 .../templates/OPNsense/Freeradius/mods-enabled-eap    |  2 +-
 6 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index b9f22ddb84..eeaa9f0809 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.15
+PLUGIN_VERSION=		1.9.16
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 2ea2e9084e..f79c4cfd20 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,11 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.16
+
+* Allow user to choose Elliptic Curve in EAP
+* Allow client secrets starting with hash sign
+
 1.9.15
 
 * Fixed validation of CIDR for client network ranges
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index 531cc4fde8..8747dd6aaa 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -5,6 +5,12 @@
         <type>dropdown</type>
         <help>Set the default EAP type.</help>
     </field>
+    <field>
+        <id>eap.elliptic_curve</id>
+        <label>Elliptic Curve</label>
+        <type>dropdown</type>
+        <help>Set the Elliptical cryptography configuration.</help>
+    </field>
     <field>
         <id>eap.enable_client_cert</id>
         <label>Use own certificates</label>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 9ec71ef013..f4604c752f 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/eap</mount>
     <description>EAP configuration</description>
-    <version>1.0.0</version>
+    <version>1.9.16</version>
     <items>
         <default_eap_type type="OptionField">
             <default>md5</default>
@@ -16,6 +16,15 @@
                 <ttls-gtc>TTLS-GTC</ttls-gtc>
             </OptionValues>
         </default_eap_type>
+        <elliptic_curve type="OptionField">
+            <default>prime256v1</default>
+            <Required>Y</Required>
+            <multiple>N</multiple>
+            <OptionValues>
+                <prime256v1>prime256v1</prime256v1>
+                <secp384r1>secp384r1</secp384r1>
+            </OptionValues>
+        </elliptic_curve>
         <enable_client_cert type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
index c7c2c35672..bac3ce8a11 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
@@ -4,7 +4,7 @@
 {%   for client_list in helpers.toList('OPNsense.freeradius.client.clients.client') %}
 {%     if client_list.enabled == '1' %}
 client "{{ client_list.name }}" {
-       secret    = {{ client_list.secret }}
+       secret    = "{{ client_list.secret }}"
        shortname = "{{ client_list.name }}"
 {%       if ':' in client_list.ip %}
        ipv6addr  = {{ client_list.ip }}
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 980a6ed095..ff98fca0b8 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -471,7 +471,7 @@ eap {
                 #
                 #        openssl ecparam -list_curves
                 #
-                ecdh_curve = "prime256v1"
+                ecdh_curve = "{{ OPNsense.freeradius.eap.elliptic_curve }}"
 
                 #  Session resumption / fast reauthentication
                 #  cache.

From 3bc072ad9cc6b0789a591cc1285d7e43a70ac197 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 9 Sep 2021 09:57:15 +0200
Subject: [PATCH 0698/3088] net/chrony: Adjust chronyc timeouts (#2460)

---
 net/chrony/Makefile                                       | 2 +-
 net/chrony/pkg-descr                                      | 4 ++++
 .../opnsense/service/conf/actions.d/actions_chrony.conf   | 8 ++++----
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index 8ca31c20bb..d87cafe8e9 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		chrony
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr
index a6283aec5f..eb87118f74 100644
--- a/net/chrony/pkg-descr
+++ b/net/chrony/pkg-descr
@@ -4,6 +4,10 @@ better in virtual environments.
 Plugin Changelog
 ----------------
 
+1.4
+
+* Adjust timeouts and retries for chronyc
+
 1.3
 
 * Add makestep to configuration
diff --git a/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf b/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
index 10b185b46c..cc0beb772d 100644
--- a/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
+++ b/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
@@ -23,25 +23,25 @@ type:script_output
 message:request chrony status
 
 [chronysources]
-command:/usr/local/bin/chronyc sources
+command:/usr/local/bin/chronyc -m 'timeout 100' 'retries 0' sources
 parameters:
 type:script_output
 message:show chrony sources
 
 [chronysourcestats]
-command:/usr/local/bin/chronyc sourcestats
+command:/usr/local/bin/chronyc -m 'timeout 100' 'retries 0' sourcestats
 parameters:
 type:script_output
 message:show chrony sourcestats
 
 [chronytracking]
-command:/usr/local/bin/chronyc tracking
+command:/usr/local/bin/chronyc -m 'timeout 100' 'retries 0' tracking
 parameters:
 type:script_output
 message:show chrony tracking
 
 [chronyauthdata]
-command:/usr/local/bin/chronyc -N authdata
+command:/usr/local/bin/chronyc -N -m 'timeout 100' 'retries 0' authdata
 parameters:
 type:script_output
 message:show chrony authdata

From 0c756bbd79d6c7114e84a958e7990303d446d4c6 Mon Sep 17 00:00:00 2001
From: mr44er <46787531+mr44er@users.noreply.github.com>
Date: Mon, 13 Sep 2021 21:20:56 +0200
Subject: [PATCH 0699/3088] Update fetchmailrc (#2534)

---
 mail/fetchmail/Makefile                                         | 2 +-
 .../opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
index 3dba199e8f..db47f30b41 100644
--- a/mail/fetchmail/Makefile
+++ b/mail/fetchmail/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		fetchmail
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Remote-mail retrieval utility
 PLUGIN_DEPENDS=		fetchmail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc
index 3438c2fcf6..891cf3772e 100644
--- a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc
+++ b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc
@@ -6,7 +6,7 @@ set syslog
 {% if helpers.exists('OPNsense.fetchmail.mailbox.mailboxes.mailbox') %}
 {%   for mailbox_list in helpers.toList('OPNsense.fetchmail.mailbox.mailboxes.mailbox') %}
 {%     if mailbox_list.enabled == '1' %}
-poll {{ mailbox_list.host }} protocol {{ mailbox_list.protocol }} username "{{ mailbox_list.user }}" password "{{ mailbox_list.password }}" is {{ mailbox_list.destinationmail }} smtphost {{ mailbox_list.destination }} {% if mailbox_list.usessl == "0" %} sslproto '' {% endif %} {% if mailbox_list.sslfingerprint|default('') != '' %} sslfingerprint "{{ mailbox_list.sslfingerprint }}" {% endif %}
+poll {{ mailbox_list.host }} protocol {{ mailbox_list.protocol }} username "{{ mailbox_list.user }}" password "{{ mailbox_list.password }}" is {{ mailbox_list.destinationmail }} smtphost {{ mailbox_list.destination }} {% if mailbox_list.usessl == "0" %}ssl {% endif %} {% if mailbox_list.sslfingerprint|default('') != '' %} sslfingerprint "{{ mailbox_list.sslfingerprint }}" {% endif %}
 {%     endif %}
 {%   endfor %}
 {% endif %}

From 55b620034b5476901113bc548a771955f074a295 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 15 Sep 2021 14:05:38 +0200
Subject: [PATCH 0700/3088] net/upnp: replace obsolete find_interface_ip()

PR: https://github.com/opnsense/core/issues/4749
---
 net/upnp/Makefile                                | 2 +-
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 9dca9a4c47..145438e569 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 9c0caff43e..f1d23f2e70 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -148,9 +148,8 @@ function miniupnpd_configure_do($verbose = false)
             $if = get_real_interface($iface);
             /* above function returns iface if fail */
             if ($if != $iface) {
-                $addr = find_interface_ip($if);
-                /* check that the interface has an ip address before adding parameters */
-                if (is_ipaddr($addr)) {
+                list ($addr) = interfaces_primary_address($iface);
+                if (!empty($addr)) {
                     $config_text .= "listening_ip={$if}\n";
                     if (!$ifaces_active) {
                         $webgui_ip = $addr;

From a395ee96dc93392c68acda4c4b034deaf8f19fae Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 15 Sep 2021 14:12:42 +0200
Subject: [PATCH 0701/3088] net/upnp: actually use get_interface_ip() which is
 backwards compatible

PR: https://github.com/opnsense/core/issues/4749
---
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index f1d23f2e70..9547836fe8 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -148,7 +148,7 @@ function miniupnpd_configure_do($verbose = false)
             $if = get_real_interface($iface);
             /* above function returns iface if fail */
             if ($if != $iface) {
-                list ($addr) = interfaces_primary_address($iface);
+                $addr = get_interface_ip($iface);
                 if (!empty($addr)) {
                     $config_text .= "listening_ip={$if}\n";
                     if (!$ifaces_active) {

From 2a9624071fe7c0fcf570a5249d24321e847c2add Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Sep 2021 07:36:44 +0200
Subject: [PATCH 0702/3088] net/realtek-re: add vendor driver plugin

---
 net/realtek-re/Makefile                          | 7 +++++++
 net/realtek-re/pkg-descr                         | 7 +++++++
 net/realtek-re/src/etc/rc.loader.d/50-realtek-re | 2 ++
 3 files changed, 16 insertions(+)
 create mode 100644 net/realtek-re/Makefile
 create mode 100644 net/realtek-re/pkg-descr
 create mode 100644 net/realtek-re/src/etc/rc.loader.d/50-realtek-re

diff --git a/net/realtek-re/Makefile b/net/realtek-re/Makefile
new file mode 100644
index 0000000000..c361bada31
--- /dev/null
+++ b/net/realtek-re/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		realtek-re
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		Realtek re(4) vendor driver
+PLUGIN_MAINTAINER=	franco@opnsense.org
+PLUGIN_DEPENDS=		realtek-re-kmod
+
+.include "../../Mk/plugins.mk"
diff --git a/net/realtek-re/pkg-descr b/net/realtek-re/pkg-descr
new file mode 100644
index 0000000000..f134d75937
--- /dev/null
+++ b/net/realtek-re/pkg-descr
@@ -0,0 +1,7 @@
+This is the official driver from Realtek and can be loaded instead of
+the FreeBSD driver built into the GENERIC kernel if you experience
+issues with it (eg. watchdog timeouts), or your card is not supported.
+
+Please note this driver requires a system reboot to activate.
+
+WWW: https://www.realtek.com/en/component/zoo/category/network-interface-controllers-10-100-1000m-gigabit-ethernet-pci-express-software
diff --git a/net/realtek-re/src/etc/rc.loader.d/50-realtek-re b/net/realtek-re/src/etc/rc.loader.d/50-realtek-re
new file mode 100644
index 0000000000..59662ee7e2
--- /dev/null
+++ b/net/realtek-re/src/etc/rc.loader.d/50-realtek-re
@@ -0,0 +1,2 @@
+if_re_load="YES"
+if_re_name="/boot/modules/if_re.ko"

From fc904af8f11e7a1fb25b24dc4212a283f8300e80 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Sep 2021 07:40:28 +0200
Subject: [PATCH 0703/3088] README: sync

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index a19e04af69..8850cdfac8 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
 net/ntopng -- Traffic Analysis and Flow Collection
 net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
+net/realtek-re -- Realtek re(4) vendor driver
 net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol

From e10d7e6a6689b201d6b9051238182b0c9b64e27f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Sep 2021 13:31:38 +0200
Subject: [PATCH 0704/3088] mail/fetchmail: add version info

---
 mail/fetchmail/pkg-descr | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mail/fetchmail/pkg-descr b/mail/fetchmail/pkg-descr
index 8ae7146501..41d9cfd416 100644
--- a/mail/fetchmail/pkg-descr
+++ b/mail/fetchmail/pkg-descr
@@ -6,6 +6,10 @@ KPOP, all flavors of IMAP, ETRN, and ODMR.
 Plugin Changelog
 ================
 
+1.1
+
+* Fix "ssl" keyword syntax (contributed by mr44er)
+
 1.0
 
 * Allow fetching IMAP mailboxes

From 722debb0ba2977284af30acecad29d1a19e0a44b Mon Sep 17 00:00:00 2001
From: Luca Zeug <luclu@users.noreply.github.com>
Date: Thu, 23 Sep 2021 15:37:53 +0200
Subject: [PATCH 0705/3088] dns/dyndns: add desec.io wildcard support (#2545)

---
 dns/dyndns/src/www/services_dyndns_edit.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index d41bb37b68..2ced127821 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -116,6 +116,9 @@ function is_dyndns_username($uname)
             case 'cloudflare-v6':
             case 'cloudflare-token':
             case 'cloudflare-token-v6':
+            case 'desec':
+            case 'desec-v4-v6':
+            case 'desec-v6':
             case 'eurodns':
             case 'godaddy':
             case 'godaddy-v6':

From ae697392293e4a7fb3e9ed0450a559adccbab2e6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 28 Sep 2021 17:21:07 +0200
Subject: [PATCH 0706/3088] security/acme-client: expose import feature to GUI

---
 security/acme-client/pkg-descr                |  5 +++++
 .../AcmeClient/Api/CertificatesController.php | 19 +++++++++++++++++
 .../OPNsense/AcmeClient/certificates.volt     | 21 +++++++++++++++++++
 .../conf/actions.d/actions_acmeclient.conf    |  6 ++++++
 4 files changed, 51 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 724aae3e7c..832ae46aba 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.2
+
+Added:
+* add button to (re-) import a certificate into the trust storage
+
 3.1
 
 Changed:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
index 5a56a56a09..e72baa6307 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
@@ -172,4 +172,23 @@ public function automationAction($uuid)
         }
         return $result;
     }
+
+    /**
+     * (re-) import the certificate by uuid
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function importAction($uuid)
+    {
+        $result = array("result" => "failed");
+        $mdlAcme = new AcmeClient();
+        if ($uuid != null) {
+            $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
+            if ($node != null) {
+                $backend = new Backend();
+                $response = $backend->configdRun("acmeclient import ${uuid}");
+            }
+        }
+        return $result;
+    }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index 334e7914be..f74432af69 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -49,6 +49,7 @@ POSSIBILITY OF SUCH DAMAGE.
             revoke:'/api/acmeclient/certificates/revoke/',
             removekey:'/api/acmeclient/certificates/removekey/',
             automation:'/api/acmeclient/certificates/automation/',
+            import:'/api/acmeclient/certificates/import/',
         };
 
         var gridopt = {
@@ -62,6 +63,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     return "<button type=\"button\" title=\"{{ lang._('Edit certificate') }}\" class=\"btn btn-xs btn-default command-edit bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
                         "<button type=\"button\" title=\"{{ lang._('Copy certificate') }}\" class=\"btn btn-xs btn-default command-copy bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
                         "<button type=\"button\" title=\"{{ lang._('Issue or renew certificate') }}\" class=\"btn btn-xs btn-default command-sign bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-repeat\"></span></button>" +
+                        "<button type=\"button\" title=\"{{ lang._('(Re-) Import certificate') }}\" class=\"btn btn-xs btn-default command-import bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-certificate\"></span></button>" +
                         "<button type=\"button\" title=\"{{ lang._('Run automations') }}\" class=\"btn btn-xs btn-default command-automation bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-paper-plane\"></span></button>" +
                         "<button type=\"button\" title=\"{{ lang._('Revoke certificate') }}\" class=\"btn btn-xs btn-default command-revoke bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-power-off\"></span></button>" +
                         "<button type=\"button\" title=\"{{ lang._('Reset certificate') }}\" class=\"btn btn-xs btn-default command-removekey bootgrid-tooltip\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-history\"></span></button>" +
@@ -397,6 +399,25 @@ POSSIBILITY OF SUCH DAMAGE.
                 }
             });
 
+            // import certificate into trust storage
+            grid_certificates.find(".command-import").on("click", function(e)
+            {
+                if (gridParams['import'] != undefined) {
+                    var uuid=$(this).data("row-id");
+                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
+                        '{{ lang._('(Re-) import the selected certificate into the trust storage?') }}',
+                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
+                        ajaxCall(url=gridParams['import'] + uuid,
+                            sendData={},callback=function(data,status){
+                                // reload grid after sign
+                                $("#"+gridId).bootgrid("reload");
+                            });
+                    });
+                } else {
+                    console.log("[grid] action import missing")
+                }
+            });
+
         });
 
         // Hide options that are irrelevant in this context.
diff --git a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
index 8f379a6da7..7af68eaa45 100644
--- a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
+++ b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
@@ -77,6 +77,12 @@ parameters:%s
 type:script
 message:running automations for a certificate
 
+[import]
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode import --cert
+parameters:%s
+type:script
+message:running import for a certificate
+
 [cron-auto-renew]
 command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all --cron
 parameters:

From e7f9320ff223d79979a3c1481d7c9121d94417f6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 28 Sep 2021 17:21:26 +0200
Subject: [PATCH 0707/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 465cc25781..def551fa6b 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.1
+PLUGIN_VERSION=		3.2
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 9220a4149940cd9f020a678e2c954c6a62c0ba01 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 28 Sep 2021 18:01:14 +0200
Subject: [PATCH 0708/3088] security/acme-client: minor improvements for import
 feature

---
 .../mvc/app/views/OPNsense/AcmeClient/certificates.volt       | 2 +-
 .../src/opnsense/scripts/OPNsense/AcmeClient/lecert.php       | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index f74432af69..f7eae4892d 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -405,7 +405,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 if (gridParams['import'] != undefined) {
                     var uuid=$(this).data("row-id");
                     stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('(Re-) import the selected certificate into the trust storage?') }}',
+                        '{{ lang._('(Re-) import the selected certificate and associated CA certificates into the trust storage?') }}',
                         '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
                         ajaxCall(url=gridParams['import'] + uuid,
                             sendData={},callback=function(data,status){
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
index 76fb546cfb..73bb87ee28 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
@@ -171,7 +171,9 @@ function main()
         }
     } elseif ($options['mode'] === 'import' && isset($options['cert'])) {
         $cert = new LeCertificate($options['cert']);
-        $cert->import();
+        // Set $skip_validation to allow import even when validation
+        // is currently failing.
+        $cert->import(true);
     } elseif ($options['mode'] === 'revoke' && isset($options['cert'])) {
         $cert = new LeCertificate($options['cert']);
         $cert->revoke();

From 247408e50a95cb7770bf4c91558aed9d9738dc6a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 28 Sep 2021 18:08:54 +0200
Subject: [PATCH 0709/3088] security/acme-client: fix CA association, closes
 #2550

---
 security/acme-client/pkg-descr                            | 3 +++
 .../mvc/app/library/OPNsense/AcmeClient/LeCertificate.php | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 832ae46aba..a7dc6c18e2 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,9 @@ Plugin Changelog
 Added:
 * add button to (re-) import a certificate into the trust storage
 
+Fixed:
+* associate certificates with the correct CA when multiple CAs use the same name (#2550)
+
 3.1
 
 Changed:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index cfe13498d8..9aaf313beb 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -159,7 +159,7 @@ public function import(bool $skip_validation = false)
         foreach (Config::getInstance()->object()->ca as $cacrt) {
             $cacrt_subject = cert_get_subject($cacrt->crt, true);
             $cacrt_issuer = cert_get_issuer($cacrt->crt, true);
-            if (($ca_subject == $cacrt_subject) and ($ca_issuer == $cacrt_issuer)) {
+            if (($ca_subject === $cacrt_subject) and ($ca_issuer === $cacrt_issuer)) {
                 // Use old refid instead of generating a new one
                 $ca['refid'] = (string)$cacrt->refid;
                 $ca_found = true;
@@ -257,6 +257,12 @@ public function import(bool $skip_validation = false)
         // Prepare certificate for import
         cert_import($cert, $cert_content, $key_content);
 
+        // Overwrite caref in order to use the correct CA (GH #2550).
+        // This is required because cert_import() uses lookup_ca_by_subject()
+        // to find a matching CA. If multiple CAs are using the same name, the
+        // first CA wins, but it may still be the wrong CA.
+        $cert['caref'] = (string)$ca['refid'];
+
         // Check if cert was found in config
         if ($cert_found == true) {
             // Update existing cert

From 774374a49e261c43ff70ee6f02346177951f2b3d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 28 Sep 2021 18:24:07 +0200
Subject: [PATCH 0710/3088] security/acme-client: fix width of commands column

---
 .../mvc/app/views/OPNsense/AcmeClient/certificates.volt         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index f7eae4892d..c0483969bf 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -484,7 +484,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="lastUpdate" data-type="string" data-formatter="certdate">{{ lang._('Issue/Renewal Date') }}</th>
                 <th data-column-id="statusCode" data-type="string" data-formatter="acmestatus">{{ lang._('Last ACME Status') }}</th>
                 <th data-column-id="statusLastUpdate" data-type="string" data-formatter="acmestatusdate">{{ lang._('Last ACME Run') }}</th>
-                <th data-column-id="commands" data-width="11em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="commands" data-width="13em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
             </tr>
             </thead>

From 50315e830e575eee2b5473658337a265e5c97160 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Sep 2021 08:23:00 +0200
Subject: [PATCH 0711/3088] dns: bump revisions where changes exist vs. stable

---
 dns/dnscrypt-proxy/Makefile | 1 +
 dns/dyndns/Makefile         | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 2cfd73068d..1c29346d61 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.9
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index b049331a4d..e503a65620 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.24
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 6a58548140343dbcecfbf8a9e33406f93ea575d0 Mon Sep 17 00:00:00 2001
From: Frank Brendel <frank.brendel@eurolog.com>
Date: Wed, 29 Sep 2021 10:41:22 +0200
Subject: [PATCH 0712/3088] net/relayd: add ip protocol for redirections
 (#2391)

---
 net/relayd/Makefile                           |  2 +-
 .../OPNsense/Relayd/forms/virtualserver.xml   |  8 ++++++++
 .../mvc/app/models/OPNsense/Relayd/Relayd.xml | 19 ++++++++++++++++++-
 .../mvc/app/views/OPNsense/Relayd/index.volt  |  2 ++
 .../templates/OPNsense/Relayd/relayd.conf     |  3 +++
 5 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index d0c095ff8e..0641c68acb 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		relayd
-PLUGIN_VERSION=		2.5
+PLUGIN_VERSION=		2.6
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/forms/virtualserver.xml b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/forms/virtualserver.xml
index 66636718d4..0135923ede 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/forms/virtualserver.xml
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/forms/virtualserver.xml
@@ -35,6 +35,14 @@
          Specify an address to listen on.]]>
       </help>
    </field>
+   <field>
+      <id>relayd.virtualserver.listen_proto</id>
+      <label>Listen IP Protocol</label>
+      <type>dropdown</type>
+      <help><![CDATA[
+         Specify an IP protocol for the listener.]]>
+      </help>
+   </field>
    <field>
       <id>relayd.virtualserver.listen_startport</id>
       <label>Listen Port</label>
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index 60852198b0..985f0e23de 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -1,6 +1,6 @@
 <model>
    <mount>//OPNsense/relayd</mount>
-   <version>1.0.3</version>
+   <version>1.0.4</version>
    <description>Relayd settings</description>
    <items>
       <general>
@@ -175,6 +175,14 @@
             <ChangeCase>lower</ChangeCase>
             <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
          </listen_address>
+         <listen_proto type="OptionField">
+             <Required>Y</Required>
+             <default>tcp</default>
+             <OptionValues>
+                 <tcp>TCP</tcp>
+                 <udp>UDP</udp>
+             </OptionValues>
+         </listen_proto>
          <listen_startport type="PortField">
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
@@ -296,6 +304,15 @@
             <ValidationMessage>Table check not found</ValidationMessage>
             <multiple>N</multiple>
             <Required>N</Required>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>Table check must be set.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>backuptransport_table</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
          </backuptransport_tablecheck>
          <backuptransport_tablemode type="OptionField">
             <default>roundrobin</default>
diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
index 0b1ea7e48f..71cb811011 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
@@ -117,6 +117,7 @@ POSSIBILITY OF SUCH DAMAGE.
          var transport_tablemode = $('#relayd\\.virtualserver\\.transport_tablemode').val();
          var backuptransport_tablemode = $('#relayd\\.virtualserver\\.backuptransport_tablemode').val();
 
+         $('tr[id="row_relayd.virtualserver.listen_proto"]').addClass('hidden');
          $('tr[id="row_relayd.virtualserver.transport_type"]').addClass('hidden');
          $('tr[id="row_relayd.virtualserver.routing_interface"]').addClass('hidden');
          $('tr[id="row_relayd.virtualserver.stickyaddress"]').addClass('hidden');
@@ -129,6 +130,7 @@ POSSIBILITY OF SUCH DAMAGE.
          $('#relayd\\.virtualserver\\.backuptransport_tablemode').empty().append('<option value="roundrobin">Round Robin </option>');
 
          if(servertype == 'redirect'){
+            $('tr[id="row_relayd.virtualserver.listen_proto"]').removeClass('hidden');
             $('tr[id="row_relayd.virtualserver.transport_type"]').removeClass('hidden');
             if(transport_type == 'route'){
                $('tr[id="row_relayd.virtualserver.routing_interface"]').removeClass('hidden');
diff --git a/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf b/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
index 5f99db8955..b4d3fb121e 100644
--- a/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
+++ b/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
@@ -62,6 +62,9 @@ table <{{ table.name }}>{{ disable }} {
 disable
 {%        endif %}
 {%        set listen = "listen on " ~ virtualserver.listen_address %}
+{%        if virtualserver.listen_proto is defined and virtualserver.type == 'redirect' %}
+{%          set listen = listen ~ " " ~ virtualserver.listen_proto %}
+{%        endif %}
 {%        if virtualserver.listen_startport is defined %}
 {%          set listen = listen ~ " port " ~ virtualserver.listen_startport %}
 {%          if virtualserver.listen_endport is defined and virtualserver.type == 'redirect'%}

From 5d89d2adba525537f9eb81d67974adfcd0b0eb43 Mon Sep 17 00:00:00 2001
From: Richard Bateman <richard@batemansr.us>
Date: Wed, 6 Oct 2021 15:09:19 -0600
Subject: [PATCH 0713/3088] net/haproxy: add support for additional resolver
 options (#2560)

* net/haproxy: add support for advanced resolver properties (#2330)
---
 .../OPNsense/HAProxy/forms/dialogResolver.xml | 49 +++++++++++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 43 ++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 21 ++++++++
 3 files changed, 113 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
index a604d7d6fb..d4fb81e86c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
@@ -51,4 +51,53 @@
         <type>text</type>
         <help><![CDATA[This configures the default time between two DNS queries, when no valid response has been received. Enter a number followed by one of the supported suffixes "d" (days), "h" (hour), "m" (minute), "s" (seconds), "ms" (miliseconds).]]></help>
     </field>
+    <field>
+        <id>resolver.accepted_payload_size</id>
+        <label>Max DNS answer size</label>
+        <type>text</type>
+        <help><![CDATA[Defines the maximum payload size accepted by HAProxy and announced to all the name servers configured in this resolvers section. The default is 512 bytes, the maximum allowed is 8192.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>resolver.hold_valid</id>
+        <label>Valid hold time</label>
+        <type>text</type>
+        <help><![CDATA[When haproxy receives a valid NS response it will not query DNS until valid time expires. Default is "10s".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>resolver.hold_obsolete</id>
+        <label>Obsolete hold time</label>
+        <type>text</type>
+        <help><![CDATA[As a DNS server may not answer all the IPs in one DNS request, haproxy keeps a cache of previous answers. An answer will be considered obsolete after [hold obsolete] seconds without the IP returned. Default is "30s".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>resolver.hold_refused</id>
+        <label>Refused hold time</label>
+        <type>text</type>
+        <help><![CDATA[When the DNS server refuses the resolve request haproxy will not retry until [hold refused] elapses. Default "30s".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>resolver.hold_nx</id>
+        <label>NX hold time</label>
+        <type>text</type>
+        <help><![CDATA[When haproxy receives a NXDOMAIN error message (domain does not exist) from the resolver it will not retry until [hold nx] elapses. Default "30s".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>resolver.hold_timeout</id>
+        <label>Valid hold time</label>
+        <type>text</type>
+        <help><![CDATA[When a DNS resolve request times out haproxy will not retry until [hold timeout] elapses. Default "30s"]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>resolver.hold_other</id>
+        <label>Other hold time</label>
+        <type>text</type>
+        <help><![CDATA[Sets the "hold other" timeout value for the resolver. Default "30s"]]></help>
+        <advanced>true</advanced>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 58ac8e28e4..bf8cc88950 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2754,6 +2754,49 @@
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </timeout_retry>
+                <accepted_payload_size type="IntegerField">
+                    <default>512</default>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>8192</MaximumValue>
+                    <ValidationMessage>Should be a number between 0 and 8192</ValidationMessage>
+                    <Required>N</Required>
+                </accepted_payload_size>
+                <hold_valid type="TextField">
+                    <default>10s</default>
+                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </hold_valid>
+                <hold_obsolete type="TextField">
+                    <default>10s</default>
+                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </hold_obsolete>
+                <hold_refused type="TextField">
+                    <default>10s</default>
+                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </hold_refused>
+                <hold_nx type="TextField">
+                    <default>10s</default>
+                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </hold_nx>
+                <hold_timeout type="TextField">
+                    <default>10s</default>
+                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </hold_timeout>
+                <hold_other type="TextField">
+                    <default>10s</default>
+                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </hold_other>
             </resolver>
         </resolvers>
         <mailers>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index cfb2c1d012..7b40fbd6a2 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1080,6 +1080,27 @@ resolvers {{resolver.id}}
 {%       if resolver.timeout_retry|default("") != "" %}
     timeout retry {{resolver.timeout_retry}}
 {%       endif %}
+{%       if resolver.accepted_payload_size|default("") != "" %}
+    accepted_payload_size {{resolver.accepted_payload_size}}
+{%       endif %}
+{%       if resolver.hold_valid|default("") != "" %}
+    hold valid {{resolver.hold_valid}}
+{%       endif %}
+{%       if resolver.hold_obsolete|default("") != "" %}
+    hold obsolete {{resolver.hold_obsolete}}
+{%       endif %}
+{%       if resolver.hold_refused|default("") != "" %}
+    hold refused {{resolver.hold_refused}}
+{%       endif %}
+{%       if resolver.hold_nx|default("") != "" %}
+    hold nx {{resolver.hold_nx}}
+{%       endif %}
+{%       if resolver.hold_timeout|default("") != "" %}
+    hold timeout {{resolver.hold_timeout}}
+{%       endif %}
+{%       if resolver.hold_other|default("") != "" %}
+    hold other {{resolver.hold_other}}
+{%       endif %}
 
 {%     else %}
 # Resolver (DISABLED): {{resolver.name}}

From d4be1e7732697c64f80eee48c89c08448ae32b83 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 6 Oct 2021 23:11:47 +0200
Subject: [PATCH 0714/3088] net/haproxy: remove default values, refs #2560

---
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml   | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index bf8cc88950..15b3ce18e9 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2755,44 +2755,37 @@
                     <Required>N</Required>
                 </timeout_retry>
                 <accepted_payload_size type="IntegerField">
-                    <default>512</default>
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>8192</MaximumValue>
                     <ValidationMessage>Should be a number between 0 and 8192</ValidationMessage>
                     <Required>N</Required>
                 </accepted_payload_size>
                 <hold_valid type="TextField">
-                    <default>10s</default>
                     <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_valid>
                 <hold_obsolete type="TextField">
-                    <default>10s</default>
                     <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_obsolete>
                 <hold_refused type="TextField">
-                    <default>10s</default>
                     <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_refused>
                 <hold_nx type="TextField">
-                    <default>10s</default>
                     <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_nx>
                 <hold_timeout type="TextField">
-                    <default>10s</default>
                     <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_timeout>
                 <hold_other type="TextField">
-                    <default>10s</default>
                     <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>

From 04fa2aa60abac0adb59f2202df1fb96fd7d951df Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 6 Oct 2021 23:13:26 +0200
Subject: [PATCH 0715/3088] net/haproxy: update changelog

---
 net/haproxy/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index fce3447a04..c4e4ba9013 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.6
+
+Added:
+* add support for advanced resolver properties (#2330)
+
 3.5
 
 Fixed:

From 0c80a6a34bbaa129afb42471f40276d6aa9189c8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 6 Oct 2021 23:13:41 +0200
Subject: [PATCH 0716/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index be6664fc86..96f7ef0820 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.5
+PLUGIN_VERSION=		3.6
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy22
 PLUGIN_MAINTAINER=	opnsense@moov.de

From d3457c26201c0af570e7209a36e7ccf0858b7d0b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 6 Oct 2021 23:29:22 +0200
Subject: [PATCH 0717/3088] net/haproxy: fix label, refs #2560

---
 .../app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
index d4fb81e86c..a769aead4c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
@@ -88,7 +88,7 @@
     </field>
     <field>
         <id>resolver.hold_timeout</id>
-        <label>Valid hold time</label>
+        <label>Timeout hold time</label>
         <type>text</type>
         <help><![CDATA[When a DNS resolve request times out haproxy will not retry until [hold timeout] elapses. Default "30s"]]></help>
         <advanced>true</advanced>

From f87134f665e81be5efc389f28063ce39d58377a5 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu, 7 Oct 2021 01:13:12 +0300
Subject: [PATCH 0718/3088]  security/acme-client: api resetAction field name
 typo #2562

---
 .../controllers/OPNsense/AcmeClient/Api/ServiceController.php   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
index d7de8f5f33..de54eeeea6 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
@@ -215,7 +215,7 @@ public function resetAction()
         }
         // reset account states
         foreach ($model->getNodeByReference('accounts.account')->iterateItems() as $account) {
-            $account->lastUpdate = null;
+            $account->statusLastUpdate = null;
         }
         // reset acme.sh data
         $backend = new Backend();

From f84d859924e5d2491b0d0df9b3d343fd546f3119 Mon Sep 17 00:00:00 2001
From: Matt Elek Harris <matt@elekharris.com>
Date: Wed, 6 Oct 2021 18:42:42 -0400
Subject: [PATCH 0719/3088] security/acme-client: added support for custom ACME
 CAs (#2529)

---
 .../OPNsense/AcmeClient/forms/dialogAccount.xml |  6 ++++++
 .../library/OPNsense/AcmeClient/LeCommon.php    | 17 ++++++++++++++++-
 .../models/OPNsense/AcmeClient/AcmeClient.xml   |  6 ++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
index 33854114a7..c19bff4f86 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
@@ -33,6 +33,12 @@
         <type>dropdown</type>
         <help><![CDATA[The ACME CA that should be used for this account and all associated certificates. Note that some of them offer paid services and may require a subscription. Check the <a href="https://github.com/acmesh-official/acme.sh/wiki/Server" target="_blank">acme.sh documentation</a> for a list of supported CAs.]]></help>
     </field>
+    <field>
+        <id>account.custom_ca</id>
+        <label>Custom ACME CA URL</label>
+        <type>text</type>
+        <help><![CDATA[The HTTPS URL of the custom ACME CA that should be used for this account and all associated certificates. If using your own CA, make sure the Root CA is added to OPNsense's trust store. For example: https://acme-v02.api.letsencrypt.org/directory or https://ca.internal/acme/directory]]></help>
+    </field>
     <field>
         <label>Optional EAB Credentials</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index d2097fe7ad..5ea7b5c7d2 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -84,6 +84,7 @@ abstract class LeCommon
     protected $config;              # AcmeClient config object
     protected $debug;               # Debug logging (bool)
     protected $ca;                  # ACME CA
+    protected $custom_ca;           # Custom ACME CA URL
     protected $ca_compat;           # ACME CA for compat with old LE CA names
     protected $force;               # Force operation
     protected $model;               # AcmeClient model object
@@ -154,8 +155,22 @@ public function setCa(string $uuid)
         $acme_ca = (string)$obj->ca;
         $this->ca = $acme_ca;
 
+        // Extract custom ACME CA URL
+        $acme_custom_ca = (string)$obj->custom_ca;
+        $this->custom_ca = $acme_custom_ca;
+
         // Add CA to acme arguments
-        $this->acme_args[] = LeUtils::execSafe('--server %s', $acme_ca);
+        if ($acme_ca == "custom") {
+            // Custom CA
+            if (empty($acme_custom_ca) || ($acme_custom_ca == null)) {
+                LeUtils::log_error("custom CA must not be empty.");
+                return false;
+            }
+            $this->acme_args[] = LeUtils::execSafe('--server %s', $acme_custom_ca);
+        } else {
+            // Normal CAs
+            $this->acme_args[] = LeUtils::execSafe('--server %s', $acme_ca);
+        }
 
         // Evaluate how the CA should be represented in filenames.
         // This is a compatibility layer. It ensures that old files that
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 47d3ba221b..0ec434d228 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -146,8 +146,14 @@
                         <letsencrypt_test>Let's Encrypt Test CA</letsencrypt_test>
                         <sslcom>SSL.com</sslcom>
                         <zerossl>ZeroSSL</zerossl>
+                        <custom>Custom CA URL</custom>
                     </OptionValues>
                 </ca>
+                <custom_ca type="TextField">
+                    <Required>N</Required>
+                    <mask>/^https?:\/\/.*[^\/]$/</mask>
+                    <ValidationMessage>The url must be a valid ACME endpoint without a trailing slash.</ValidationMessage>
+                </custom_ca>
                 <eab_kid type="TextField">
                     <Required>N</Required>
                     <mask>/^.{1,8192}$/u</mask>

From 437d4135494d3d40106de9a07dfd35e13b5fdfde Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 7 Oct 2021 00:17:11 +0200
Subject: [PATCH 0720/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a7dc6c18e2..26febc7e65 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.3
+
+Fixed:
+* fix ACME Client reset (#2562)
+
 3.2
 
 Added:

From 3c5efa554516848c30ecd84f0da77c9a39d9f5d0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 7 Oct 2021 00:17:28 +0200
Subject: [PATCH 0721/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index def551fa6b..59f807ac82 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.2
+PLUGIN_VERSION=		3.3
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 35ae215ebe27df34f62dd493a709d6ded56eb014 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 7 Oct 2021 01:01:17 +0200
Subject: [PATCH 0722/3088] security/acme-client: hide custom CA URL field when
 not required, refs #2529

---
 .../OPNsense/AcmeClient/forms/dialogAccount.xml        |  7 ++++++-
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  |  2 +-
 .../mvc/app/views/OPNsense/AcmeClient/accounts.volt    | 10 ++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
index c19bff4f86..0b91393082 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAccount.xml
@@ -33,9 +33,14 @@
         <type>dropdown</type>
         <help><![CDATA[The ACME CA that should be used for this account and all associated certificates. Note that some of them offer paid services and may require a subscription. Check the <a href="https://github.com/acmesh-official/acme.sh/wiki/Server" target="_blank">acme.sh documentation</a> for a list of supported CAs.]]></help>
     </field>
+    <field>
+        <label>CA Options</label>
+        <type>header</type>
+        <style>ca_options ca_options_custom</style>
+    </field>
     <field>
         <id>account.custom_ca</id>
-        <label>Custom ACME CA URL</label>
+        <label>Custom CA URL</label>
         <type>text</type>
         <help><![CDATA[The HTTPS URL of the custom ACME CA that should be used for this account and all associated certificates. If using your own CA, make sure the Root CA is added to OPNsense's trust store. For example: https://acme-v02.api.letsencrypt.org/directory or https://ca.internal/acme/directory]]></help>
     </field>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 0ec434d228..0ae3d67208 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -152,7 +152,7 @@
                 <custom_ca type="TextField">
                     <Required>N</Required>
                     <mask>/^https?:\/\/.*[^\/]$/</mask>
-                    <ValidationMessage>The url must be a valid ACME endpoint without a trailing slash.</ValidationMessage>
+                    <ValidationMessage>The URL must be a valid ACME endpoint without a trailing slash.</ValidationMessage>
                 </custom_ca>
                 <eab_kid type="TextField">
                     <Required>N</Required>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index dfa7eb6cf1..d9e417ebde 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -317,6 +317,16 @@ POSSIBILITY OF SUCH DAMAGE.
 
         });
 
+        // hook into on-show event for dialog to extend layout.
+        $('#DialogAccount').on('shown.bs.modal', function (e) {
+            // hide options that are irrelevant for the selected CA
+            $("#account\\.ca").change(function(){
+                $(".ca_options").hide();
+                $(".ca_options_"+$(this).val()).show();
+            });
+            $("#account\\.ca").change();
+        })
+
     });
 
 </script>

From 85997b73ebde8534d901aa3ebacc99d65a76aeb3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 7 Oct 2021 01:02:20 +0200
Subject: [PATCH 0723/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 26febc7e65..bf40e15c90 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 3.3
 
+Added:
+* add support for custom ACME CAs (#2529)
+
 Fixed:
 * fix ACME Client reset (#2562)
 

From 962a63310f60661dbf2b7a380e5f8e6e256a9712 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 7 Oct 2021 23:40:08 +0200
Subject: [PATCH 0724/3088] net/haproxy: deploy haproxy.conf if it does not
 exist, fixes #2474

---
 net/haproxy/pkg-descr                             | 6 ++++++
 net/haproxy/src/etc/rc.syshook.d/start/50-haproxy | 7 +++++++
 2 files changed, 13 insertions(+)
 create mode 100755 net/haproxy/src/etc/rc.syshook.d/start/50-haproxy

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index c4e4ba9013..0b23647bff 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,12 @@ Plugin Changelog
 Added:
 * add support for advanced resolver properties (#2330)
 
+Fixed:
+* no haproxy.conf after restoring a config backup (#2474)
+
+Changed:
+* deploy haproxy.conf if it does not exist (#2474)
+
 3.5
 
 Fixed:
diff --git a/net/haproxy/src/etc/rc.syshook.d/start/50-haproxy b/net/haproxy/src/etc/rc.syshook.d/start/50-haproxy
new file mode 100755
index 0000000000..09c0e0ef1f
--- /dev/null
+++ b/net/haproxy/src/etc/rc.syshook.d/start/50-haproxy
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# fallback if no config file exists (i.e. after config backup restore)
+if [ ! -e /usr/local/etc/haproxy.conf -a -e /usr/local/etc/haproxy.conf.staging ]; then
+    cp /usr/local/etc/haproxy.conf.staging /usr/local/etc/haproxy.conf
+    /usr/local/etc/rc.d/haproxy start
+fi

From 93b33f05dc9ffd717698748151350aa4dd890696 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 10 Oct 2021 22:35:26 +0200
Subject: [PATCH 0725/3088] security/acme-client: add support for Porkbun API,
 closes #2561

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsPorkbun.php    | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  9 +++-
 4 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPorkbun.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index bf40e15c90..7479fda315 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Added:
 * add support for custom ACME CAs (#2529)
+* add support for Porkbun API (#2561)
 
 Fixed:
 * fix ACME Client reset (#2562)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 4faa6b778f..2f8e45bd45 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1338,4 +1338,19 @@
         <label>Key</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Porkbun API</label>
+        <type>header</type>
+        <style>table_dns table_dns_porkbun</style>
+    </field>
+    <field>
+        <id>validation.dns_porkbun_key</id>
+        <label>API Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_porkbun_secret</id>
+        <label>Secret API Key</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPorkbun.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPorkbun.php
new file mode 100644
index 0000000000..872b85baf6
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPorkbun.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Porkbun API
+ * @package OPNsense\AcmeClient
+ */
+class DnsPorkbun extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['PORKBUN_API_KEY'] = (string)$this->config->dns_porkbun_key;
+        $this->acme_env['PORKBUN_SECRET_API_KEY'] = (string)$this->config->dns_porkbun_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 0ae3d67208..f5292f5223 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>3.0.0</version>
+    <version>3.1.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -454,6 +454,7 @@
                         <dns_ovh>OVH, kimsufi, soyoustart and runabove API</dns_ovh>
                         <dns_pdns>PowerDNS.com API</dns_pdns>
                         <dns_pleskxml>Plesk XML API</dns_pleskxml>
+                        <dns_porkbun>Porkbun API</dns_porkbun>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
                         <dns_selectel>selectel.com / selectel.ru domain API</dns_selectel>
                         <dns_servercow>Servercow API v1</dns_servercow>
@@ -884,6 +885,12 @@
                 <dns_pdns_token type="TextField">
                     <Required>N</Required>
                 </dns_pdns_token>
+                <dns_porkbun_key type="TextField">
+                    <Required>N</Required>
+                </dns_porkbun_key>
+                <dns_porkbun_secret type="TextField">
+                    <Required>N</Required>
+                </dns_porkbun_secret>
                 <dns_sl_key type="TextField">
                     <Required>N</Required>
                 </dns_sl_key>

From dca4c6ea4cd4a3a4ac4b948fbbbb5c68d183814a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 10 Oct 2021 22:40:22 +0200
Subject: [PATCH 0726/3088] security/acme-client: change default Challenge Type
 from HTTP-01 to DNS-01

---
 security/acme-client/pkg-descr                                | 3 +++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml         | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 7479fda315..304aa75090 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -17,6 +17,9 @@ Added:
 Fixed:
 * fix ACME Client reset (#2562)
 
+Changed:
+* change default Challenge Type from HTTP-01 to DNS-01
+
 3.2
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f5292f5223..5bac98072a 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -335,7 +335,7 @@
                 </description>
                 <method type="OptionField">
                     <Required>Y</Required>
-                    <default>http01</default>
+                    <default>dns01</default>
                     <OptionValues>
                         <http01>HTTP-01</http01>
                         <dns01>DNS-01</dns01>
@@ -386,7 +386,7 @@
                 </http_haproxyFrontends>
                 <dns_service type="OptionField">
                     <Required>Y</Required>
-                    <default>dns_nsupdate</default>
+                    <default>dns_freedns</default>
                     <OptionValues>
                         <dns_1984hosting>1984Hosting API</dns_1984hosting>
                         <dns_acmedns>ACME DNS API</dns_acmedns>

From b95b508b0a4ebb2ed572f11f48190fdea89a97f1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 10 Oct 2021 23:34:03 +0200
Subject: [PATCH 0727/3088] emulators/qemu-guest-agent: load required kernel
 module, fixes #2405

---
 emulators/qemu-guest-agent/pkg-descr                | 13 ++++++++++++-
 .../src/etc/rc.syshook.d/early/50-qemu-guest-agent  |  9 +++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100755 emulators/qemu-guest-agent/src/etc/rc.syshook.d/early/50-qemu-guest-agent

diff --git a/emulators/qemu-guest-agent/pkg-descr b/emulators/qemu-guest-agent/pkg-descr
index 2ff6915607..12375095f5 100644
--- a/emulators/qemu-guest-agent/pkg-descr
+++ b/emulators/qemu-guest-agent/pkg-descr
@@ -1,5 +1,16 @@
 QEMU Guest Agent for FreeBSD
 
 Port homepage https://github.com/aborche/qemu-guest-agent
-
 WWW: http://wiki.qemu.org/Main_Page
+
+Plugin Changelog
+================
+
+1.1
+
+Fixed:
+* fix service startup by loading required kernel module (#2405)
+
+1.0
+
+* Initial release
diff --git a/emulators/qemu-guest-agent/src/etc/rc.syshook.d/early/50-qemu-guest-agent b/emulators/qemu-guest-agent/src/etc/rc.syshook.d/early/50-qemu-guest-agent
new file mode 100755
index 0000000000..eb8cdd80b7
--- /dev/null
+++ b/emulators/qemu-guest-agent/src/etc/rc.syshook.d/early/50-qemu-guest-agent
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+if kldstat -qn virtio_console.ko; then
+  echo "qemu-guest-agent: virtio_console already loaded."
+elif kldload -q virtio_console.ko; then
+  echo "qemu-guest-agent: successfully loaded virtio_console."
+else
+  echo "qemu-guest-agent: failed to load virtio_console."
+fi

From b928ca2f738b1e471a07c6ad5ed3f5a8e817d90a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 10 Oct 2021 23:39:29 +0200
Subject: [PATCH 0728/3088] emulators/qemu-guest-agent: bump version

---
 emulators/qemu-guest-agent/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/emulators/qemu-guest-agent/Makefile b/emulators/qemu-guest-agent/Makefile
index 3e56e911f8..ff879738bc 100644
--- a/emulators/qemu-guest-agent/Makefile
+++ b/emulators/qemu-guest-agent/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		qemu-guest-agent
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		QEMU Guest Agent for OPNsense
 PLUGIN_DEPENDS=		qemu-guest-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de

From c1fa3752bf8b072eda231f98eb263227c04df84f Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Mon, 11 Oct 2021 10:20:22 +0200
Subject: [PATCH 0729/3088] Release puppet-agent version 1.0

---
 sysutils/puppet-agent/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysutils/puppet-agent/Makefile b/sysutils/puppet-agent/Makefile
index 7e1977c2a1..712b01e4fd 100644
--- a/sysutils/puppet-agent/Makefile
+++ b/sysutils/puppet-agent/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		puppet-agent
-PLUGIN_VERSION=		0.2
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Manage Puppet Agent
 PLUGIN_DEPENDS=		puppet7 py${PLUGIN_PYTHON}-opn-cli
 PLUGIN_MAINTAINER=	jan.wink93@gmail.com

From f57a538c7f78799215362b32e0b5d26a30784f9d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Oct 2021 12:24:55 +0200
Subject: [PATCH 0730/3088] Framework: use parallel lint if available via core

---
 Mk/plugins.mk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 1502ab8c66..ac715b3ecf 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -314,7 +314,12 @@ lint-exec: check
 .endif
 .endfor
 
+LINTBIN?=	${.CURDIR}/../../../core/contrib/parallel-lint/parallel-lint
+
 lint-php: check
+.if exists(${LINTBIN})
+	@if [ -d ${.CURDIR}/src ]; then ${LINTBIN} src; fi
+.else
 	@find ${.CURDIR}/src \
 	    ! -name "*.xml" ! -name "*.xml.sample" ! -name "*.eot" \
 	    ! -name "*.svg" ! -name "*.woff" ! -name "*.woff2" \
@@ -322,6 +327,7 @@ lint-php: check
 	    ! -name "*.scss" ! -name "*.py" ! -name "*.ttf" ! -name "*.txz" \
 	    ! -name "*.tgz" ! -name "*.xml.dist" ! -name "*.sh" ! -name "bootstrap80.php" \
 	    -type f -print0 | xargs -0 -n1 php -l
+.endif
 
 lint: lint-desc lint-shell lint-xml lint-exec lint-php
 

From ec9b1025649bc8dfee2b264dbf4606e820e0b95b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Oct 2021 12:29:37 +0200
Subject: [PATCH 0731/3088] www/nginx: style sweep

---
 .../app/controllers/OPNsense/Nginx/Api/ServiceController.php   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
index 4588f6c6f5..cfc2459896 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
@@ -97,7 +97,8 @@ public function vtsAction()
         return array();
     }
 
-    protected function reconfigureForceRestart() {
+    protected function reconfigureForceRestart()
+    {
         return 0;
     }
 }

From f2980f917851c8c6512ecd7afac6e3a981c5f707 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 11 Oct 2021 23:43:50 +0200
Subject: [PATCH 0732/3088] sysutils/puppet-agent: add log file

---
 sysutils/puppet-agent/pkg-descr               | 12 +++++
 .../models/OPNsense/PuppetAgent/Menu/Menu.xml |  5 +-
 .../OPNsense/PuppetAgent/PuppetAgent.xml      |  5 +-
 .../systemhealth/logformats/puppet_agent.py   | 50 +++++++++++++++++++
 .../templates/OPNsense/PuppetAgent/+TARGETS   |  1 +
 .../OPNsense/PuppetAgent/newsyslog.conf       |  4 ++
 .../OPNsense/PuppetAgent/puppetagent.conf     |  1 +
 7 files changed, 74 insertions(+), 4 deletions(-)
 create mode 100755 sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py
 create mode 100644 sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/newsyslog.conf

diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
index ed77366165..959369790f 100644
--- a/sysutils/puppet-agent/pkg-descr
+++ b/sysutils/puppet-agent/pkg-descr
@@ -5,3 +5,15 @@ hosts, along with obviously discrete elements like packages, services, and
 files.
 
 WWW:  https://puppet.com/docs/puppet/latest/man/agent.html
+
+Plugin Changelog
+================
+
+1.0
+
+Added:
+* add log file
+
+0.1
+
+* Initial release
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/Menu/Menu.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/Menu/Menu.xml
index e0c6f69d70..d989bfc18f 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/Menu/Menu.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/Menu/Menu.xml
@@ -1,5 +1,8 @@
 <menu>
     <Services>
-        <PuppetAgent VisibleName="Puppet Agent" url="/ui/puppetagent"/>
+        <PuppetAgent VisibleName="Puppet Agent" cssClass="fa fa-certificate fa-fw">
+            <Settings order="10" url="/ui/puppetagent"/>
+            <Logs order="20" url="/ui/diagnostics/log/core/puppet-agent"/>
+      </PuppetAgent>
     </Services>
 </menu>
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
index 100aeeeb0f..f706d65a59 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
@@ -1,8 +1,7 @@
 <model>
     <mount>//OPNsense/puppetagent</mount>
-    <description>
-        Manage Puppet Agent service
-    </description>
+    <version>1.0.0</version>
+    <description>Manage Puppet Agent service</description>
     <items>
         <!-- container -->
         <general>
diff --git a/sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py b/sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py
new file mode 100755
index 0000000000..a4013e9ed8
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py
@@ -0,0 +1,50 @@
+"""
+    Copyright (c) 2021 Frank Wall
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2020 devNan0 <nan0@nan0.dev>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import re
+import datetime
+from . import BaseLogFormat
+puppet_timeformat = r'^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+[-+]{1}\d{4}).*'
+
+
+class TelegrafLogFormat(BaseLogFormat):
+    def __init__(self, filename):
+        super(TelegrafLogFormat, self).__init__(filename)
+        self._priority = 100
+
+    def match(self, line):
+        return self._filename.find('puppet') > -1 and re.match(puppet_timeformat, line) is not None
+
+    @staticmethod
+    def timestamp(line):
+        tmp = re.match(puppet_timeformat, line)
+        grp = tmp.group(1)
+        return datetime.datetime.strptime(grp, "%Y-%m-%d %H:%M:%S %z").isoformat()
+
+    @staticmethod
+    def line(line):
+        return line[26:].strip()
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/+TARGETS b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/+TARGETS
index 085fa8c75b..c34b302bbf 100644
--- a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/+TARGETS
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/+TARGETS
@@ -1,2 +1,3 @@
 puppetagent.conf:/usr/local/etc/puppet/puppet.conf
+newsyslog.conf:/etc/newsyslog.conf.d/puppet-agent
 rc.conf.d:/etc/rc.conf.d/puppet
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/newsyslog.conf b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/newsyslog.conf
new file mode 100644
index 0000000000..190ea6a8f6
--- /dev/null
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/newsyslog.conf
@@ -0,0 +1,4 @@
+{% if helpers.exists('OPNsense.puppetagent.general') and OPNsense.puppetagent.general.Enabled|default("0") == "1" %}
+# logfilename               [owner:group]   mode   count size   when    flags   [/pid_file]                [sig_num]
+/var/log/puppet-agent.log   puppet:puppet   640    7     *      @T00    JCB     /var/run/puppet/agent.pid  1
+{% endif %}
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
index 3da8f402e0..c375941a97 100644
--- a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
@@ -2,6 +2,7 @@
 [main]
 certname = {{ system.hostname|lower }}.{{ system.domain|lower }}
 server = {{ OPNsense.puppetagent.general.FQDN|default("") }}
+logdest = /var/log/puppet-agent.log
 {% if helpers.exists('OPNsense.puppetagent.general') and not helpers.empty('OPNsense.puppetagent.general.Environment') %}
 [agent]
 environment = {{ OPNsense.puppetagent.general.Environment|default("") }}

From b7c4afa7afb95a0637d369df9a8f3e77834106cc Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 12 Oct 2021 00:16:48 +0200
Subject: [PATCH 0733/3088] sysutils/puppet-agent: add introduction page

---
 sysutils/puppet-agent/pkg-descr               |  1 +
 .../app/views/OPNsense/PuppetAgent/index.volt | 47 ++++++++++++++-----
 2 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
index 959369790f..64ec7afe9d 100644
--- a/sysutils/puppet-agent/pkg-descr
+++ b/sysutils/puppet-agent/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 
 Added:
 * add log file
+* add introduction page
 
 0.1
 
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt b/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
index 10b93ddf76..7e0d533c56 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
@@ -1,5 +1,6 @@
 {#
 
+OPNsense® is Copyright © 2021 Frank Wall
 OPNsense® is Copyright © 2021 Jan Winkler
 OPNsense® is Copyright © 2014 – 2015 by Deciso B.V.
 All rights reserved.
@@ -47,20 +48,40 @@ POSSIBILITY OF SUCH DAMAGE.
     });
 </script>
 
-<div class="alert alert-info hidden" role="alert" id="responseMsg">
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li class="active"><a data-toggle="tab" id="settings-introduction" href="#subtab_settings-introduction"><b>{{ lang._('Introduction') }}</b></a></li>
+    <li><a data-toggle="tab" id="settings-tab" href="#settings"><b>{{ lang._('Settings') }}</b></a></li>
+</ul>
 
-</div>
+<div class="content-box tab-content">
 
-<div  class="col-md-12">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
-</div>
+    <div id="subtab_settings-introduction" class="tab-pane fade in active">
+        <div class="col-md-12">
+            <h1>{{ lang._('Quick Start Guide') }}</h1>
+            <p>{{ lang._("Welcome to the Puppet Agent plugin! This plugin allows you to integrate OPNsense with your Puppet environment.") }}</p>
+            <p>{{ lang._("Keep in mind that you should not treat OPNsense like any other operating system. Most notably you should not modify system files or packages. Instead use the OPNsense API to make configuration changes and to manage plugins. The following tools are a good starting point when trying to automate OPNsense with Puppet:") }}</p>
+            <ul>
+              <li>{{ lang._("%sopn-cli:%s A command line client to configure OPNsense core and plugin components through their respective APIs.") | format('<a href="https://github.com/andeman/opn-cli" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._("%spuppet/opnsense:%s A read-to-use Puppet module for automating the OPNsense firewall.") | format('<a href="https://github.com/andeman/puppet-opnsense" target="_blank">', '</a>') }}</li>
+            </ul>
+            <p>{{ lang._("Note that these tools are not directly related to this plugin. Please report issues and missing features directly to the author.") }}</p>
+        </div>
+    </div>
+
+    <div id="settings" class="tab-pane fade">
+        {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
+
+        <div class="col-md-12">
+            <hr/>
+            <button class="btn btn-primary"  id="saveAct"
+                data-endpoint='/api/puppetagent/service/reconfigure'
+                data-label="{{ lang._('Save') }}"
+                data-service-widget="puppetagent"
+                data-error-title="{{ lang._('Error reconfiguring puppetagent') }}"
+                type="button">
+            </button>
+            <br/>
+        </div>
+    </div>
 
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct"
-        data-endpoint='/api/puppetagent/service/reconfigure'
-        data-label="{{ lang._('Save') }}"
-        data-service-widget="puppetagent"
-        data-error-title="{{ lang._('Error reconfiguring puppetagent') }}"
-        type="button"
-    ></button>
 </div>

From 24be98dc0777350d3185ce870b6a7f489ad02e9c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 12 Oct 2021 10:56:39 +0200
Subject: [PATCH 0734/3088] sysutils/puppet-agent: fix logformat

---
 .../opnsense/scripts/systemhealth/logformats/puppet_agent.py  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py b/sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py
index a4013e9ed8..7004c40d25 100755
--- a/sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py
+++ b/sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py
@@ -31,9 +31,9 @@
 puppet_timeformat = r'^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+[-+]{1}\d{4}).*'
 
 
-class TelegrafLogFormat(BaseLogFormat):
+class PuppetLogFormat(BaseLogFormat):
     def __init__(self, filename):
-        super(TelegrafLogFormat, self).__init__(filename)
+        super(PuppetLogFormat, self).__init__(filename)
         self._priority = 100
 
     def match(self, line):

From fc773e6a1a9732513a8adb24386b63d3cf387756 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 12 Oct 2021 11:35:48 +0200
Subject: [PATCH 0735/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8850cdfac8..9bc15ce244 100644
--- a/README.md
+++ b/README.md
@@ -102,7 +102,7 @@ sysutils/munin-node -- Munin monitoring agent
 sysutils/nextcloud-backup -- Track config changes using NextCloud
 sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
-sysutils/puppet-agent -- Manage Puppet Agent (development only)
+sysutils/puppet-agent -- Manage Puppet Agent
 sysutils/smart -- SMART tools
 sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools

From ca805ea20df7869276327277f83ab9a373579638 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 13 Oct 2021 23:03:44 +0200
Subject: [PATCH 0736/3088] net/haproxy: add hard-stop-after to ensure proper
 service restart/shutdown

---
 net/haproxy/pkg-descr                                     | 2 ++
 .../OPNsense/HAProxy/forms/generalSettings.xml            | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml  | 8 +++++++-
 .../service/templates/OPNsense/HAProxy/haproxy.conf       | 3 +++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 0b23647bff..aa184412f3 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -10,12 +10,14 @@ Plugin Changelog
 
 Added:
 * add support for advanced resolver properties (#2330)
+* add graceful stop timeout to service settings
 
 Fixed:
 * no haproxy.conf after restoring a config backup (#2474)
 
 Changed:
 * deploy haproxy.conf if it does not exist (#2474)
+* add new timeout (60s) which will terminate open connections when using graceful stop
 
 3.5
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
index d0efde12b2..aa3f791ff0 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
@@ -15,6 +15,12 @@
         <type>checkbox</type>
         <help><![CDATA[Enable HAProxy's graceful stop mode. In this mode HAProxy will continue to process existing connections until they close. Note that this may severely slow down HAProxy's shutdown, depending on the configured timeout values. If graceful stop mode is not enabled, HAProxy will use the hard stop mode where it immediately quits and all established connections are closed. Hard stop mode is recommended.]]></help>
     </field>
+    <field>
+        <id>haproxy.general.hardStopAfter</id>
+        <label>Graceful stop timeout</label>
+        <type>text</type>
+        <help><![CDATA[Set the maximum time allowed to perform a clean graceful stop. HAProxy will terminate all open connections when the timeout is reached. This may be used to ensure that the instance will quit even if connections remain opened. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+    </field>
     <field>
         <id>haproxy.general.seamlessReload</id>
         <label>Seamless reload</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 15b3ce18e9..b6c025d915 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.1.0</version>
+    <version>3.2.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -12,6 +12,12 @@
                 <default>0</default>
                 <Required>Y</Required>
             </gracefulStop>
+            <hardStopAfter type="TextField">
+                <default>60s</default>
+                <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                <Required>N</Required>
+            </hardStopAfter>
             <seamlessReload type="BooleanField">
                 <default>0</default>
                 <Required>Y</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 7b40fbd6a2..71c439df13 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -859,6 +859,9 @@ global
 {%     endif %}
 {%   endfor %}
 {% endif %}
+{% if OPNsense.HAProxy.general.hardStopAfter|default('') != '' %}
+    hard-stop-after             {{OPNsense.HAProxy.general.hardStopAfter}}
+{% endif %}
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxConnections') %}
     maxconn                     {{OPNsense.HAProxy.general.tuning.maxConnections}}
 {% endif %}

From d483eeba702e52c2687a7d3464a02159194a176f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 13 Oct 2021 23:57:38 +0200
Subject: [PATCH 0737/3088] net/haproxy: support "monitor-uri" and "monitor
 fail" in rules, closes #2387

---
 net/haproxy/pkg-descr                                 |  1 +
 .../OPNsense/HAProxy/forms/dialogAction.xml           | 11 +++++++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml       |  5 +++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf   |  8 ++++++++
 4 files changed, 25 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index aa184412f3..3b578b24bc 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 Added:
 * add support for advanced resolver properties (#2330)
 * add graceful stop timeout to service settings
+* support "monitor-uri" and "monitor fail" in rules (#2387)
 
 Fixed:
 * no haproxy.conf after restoring a config backup (#2474)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 1e86836371..f0d17e77e2 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -354,6 +354,17 @@
         <type>text</type>
         <help><![CDATA[A standard HAProxy expression formed by a sample-fetch followed by some converters.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_monitor_fail</style>
+    </field>
+    <field>
+        <id>action.monitor_fail_uri</id>
+        <label>Monitoring URI</label>
+        <type>text</type>
+        <help><![CDATA[Specifies a URI which will be intercepted to return HAProxy's health status instead of forwarding the request. When a HTTP request is received, HAProxy will return either "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on the fined failure conditions.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index b6c025d915..8521443feb 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2068,6 +2068,7 @@
                         <http-response_replace-value>http-response header replace value</http-response_replace-value>
                         <http-response_set-status>http-response set-status</http-response_set-status>
                         <http-response_set-var>http-response set-var</http-response_set-var>
+                        <monitor_fail>monitor fail: report failure to a monitor request</monitor_fail>
                         <tcp-request_connection_accept>tcp-request connection accept</tcp-request_connection_accept>
                         <tcp-request_connection_reject>tcp-request connection reject</tcp-request_connection_reject>
                         <tcp-request_content_accept>tcp-request content accept</tcp-request_content_accept>
@@ -2252,6 +2253,10 @@
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
                 </http_response_set_var_expr>
+                <monitor_fail_uri type="TextField">
+                    <mask>/^.{1,4096}$/u</mask>
+                    <Required>N</Required>
+                </monitor_fail_uri>
                 <tcp_request_content_lua type="TextField">
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 71c439df13..15dc3f76e7 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -522,6 +522,14 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
+{%         elif action_data.type == 'monitor_fail' %}
+{%           if action_data.monitor_fail_uri|default("") != "" %}
+{%             do action_options.append('monitor-uri ' ~ action_data.monitor_fail_uri ~ '\n   ') %}
+{%             do action_options.append('monitor fail') %}
+{%           else %}
+{%             set action_enabled = '0' %}
+    # ERROR: missing parameters
+{%           endif %}
 {%         elif action_data.type == 'tcp-request_connection_accept' %}
 {%           do action_options.append('tcp-request connection accept') %}
 {%         elif action_data.type == 'tcp-request_connection_reject' %}

From 7a0aeeba68f092e732ca6b598fc43f52a88a8c31 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 17 Oct 2021 21:42:56 +0200
Subject: [PATCH 0738/3088] net/haproxy: allow retries to be set to "0", closes
 #2585

---
 net/haproxy/pkg-descr                                         | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml  | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 3b578b24bc..c20f334be9 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -19,6 +19,7 @@ Fixed:
 Changed:
 * deploy haproxy.conf if it does not exist (#2474)
 * add new timeout (60s) which will terminate open connections when using graceful stop
+* allow retries to be set to "0" (#2585)
 
 3.5
 
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 8521443feb..5f7d9db7b7 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -223,7 +223,7 @@
                     <Required>N</Required>
                 </timeoutServer>
                 <retries type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
+                    <MinimumValue>0</MinimumValue>
                     <MaximumValue>100</MaximumValue>
                     <default>3</default>
                     <ValidationMessage>Please specify a value between 1 and 100.</ValidationMessage>
@@ -1143,7 +1143,7 @@
                     <Required>N</Required>
                 </tuning_timeoutServer>
                 <tuning_retries type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
+                    <MinimumValue>0</MinimumValue>
                     <MaximumValue>100</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 100.</ValidationMessage>
                     <Required>N</Required>

From 0c40837f1f5b4ecc2767d7693bf6248440728c47 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 17 Oct 2021 22:15:42 +0200
Subject: [PATCH 0739/3088] net/haproxy: add new option "case-sensitive" to
 conditions, closes #2576

---
 net/haproxy/pkg-descr                         |   1 +
 .../OPNsense/HAProxy/forms/dialogAcl.xml      |   6 +
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |   4 +
 .../templates/OPNsense/HAProxy/haproxy.conf   | 132 +++++++++++++++---
 4 files changed, 121 insertions(+), 22 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index c20f334be9..5cba9c35d3 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -12,6 +12,7 @@ Added:
 * add support for advanced resolver properties (#2330)
 * add graceful stop timeout to service settings
 * support "monitor-uri" and "monitor fail" in rules (#2387)
+* add new option "case-sensitive" to conditions (#2576)
 
 Fixed:
 * no haproxy.conf after restoring a config backup (#2474)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 3d5bb47cd4..4643f99a87 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -27,6 +27,12 @@
         <type>checkbox</type>
         <help><![CDATA[Use this to invert the meaning of the expression.]]></help>
     </field>
+    <field>
+        <id>acl.caseSensitive</id>
+        <label>Case-sensitive</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable to make the condition case-sensitive (if applicable). By default all conditions are not case-sensitive.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 5f7d9db7b7..f1b2e2f039 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1585,6 +1585,10 @@
                     <default>0</default>
                     <Required>Y</Required>
                 </negate>
+                <caseSensitive type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </caseSensitive>
                 <hdr_beg type="TextField">
                     <mask>/^.{1,255}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 15dc3f76e7..7d11f3df99 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -83,119 +83,187 @@
 {%               endif %}
 {%             elif acl_data.expression == 'hdr_beg' %}
 {%               if acl_data.hdr_beg|default("") != "" %}
-{%                 do acl_options.append('hdr_beg(host) -i ' ~ acl_data.hdr_beg) %}
+{%                 do acl_options.append('hdr_beg(host)') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.hdr_beg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr_end' %}
 {%               if acl_data.hdr_end|default("") != "" %}
-{%                 do acl_options.append('hdr_end(host) -i ' ~ acl_data.hdr_end) %}
+{%                 do acl_options.append('hdr_end(host)') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.hdr_end) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr' %}
 {%               if acl_data.hdr|default("") != "" %}
-{%                 do acl_options.append('hdr(host) -i ' ~ acl_data.hdr) %}
+{%                 do acl_options.append('hdr(host)') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.hdr) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr_reg' %}
 {%               if acl_data.hdr_reg|default("") != "" %}
-{%                 do acl_options.append('hdr_reg(host) -i ' ~ acl_data.hdr_reg) %}
+{%                 do acl_options.append('hdr_reg(host)') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.hdr_reg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr_sub' %}
 {%               if acl_data.hdr_sub|default("") != "" %}
-{%                 do acl_options.append('hdr_sub(host) -i ' ~ acl_data.hdr_sub) %}
+{%                 do acl_options.append('hdr_sub(host)') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append('acl_data.hdr_sub) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_beg' %}
 {%               if acl_data.path_beg|default("") != "" %}
-{%                 do acl_options.append('path_beg -i ' ~ acl_data.path_beg) %}
+{%                 do acl_options.append('path_beg') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.path_beg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_end' %}
 {%               if acl_data.path_end|default("") != "" %}
-{%                 do acl_options.append('path_end -i ' ~ acl_data.path_end) %}
+{%                 do acl_options.append('path_end') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.path_end) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path' %}
 {%               if acl_data.path|default("") != "" %}
-{%                 do acl_options.append('path -i ' ~ acl_data.path) %}
+{%                 do acl_options.append('path') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.path) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_reg' %}
 {%               if acl_data.path_reg|default("") != "" %}
-{%                 do acl_options.append('path_reg -i ' ~ acl_data.path_reg) %}
+{%                 do acl_options.append('path_reg') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.path_reg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_dir' %}
 {%               if acl_data.path_dur|default("") != "" %}
-{%                 do acl_options.append('path_dir -i ' ~ acl_data.path_dir) %}
+{%                 do acl_options.append('path_dir') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.path_dir) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_sub' %}
 {%               if acl_data.path_sub|default("") != "" %}
-{%                 do acl_options.append('path_sub -i ' ~ acl_data.path_sub) %}
+{%                 do acl_options.append('path_sub') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.path_sub) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'cust_hdr_beg' %}
 {%               if acl_data.cust_hdr_beg|default("") != "" and acl_data.cust_hdr_beg_name|default("") != "" %}
-{%                 do acl_options.append('hdr_beg(' ~ acl_data.cust_hdr_beg_name ~ ') -i ' ~ acl_data.cust_hdr_beg) %}
+{%                 do acl_options.append('hdr_beg(' ~ acl_data.cust_hdr_beg_name ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.cust_hdr_beg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'cust_hdr_end' %}
 {%               if acl_data.cust_hdr_end|default("") != "" and acl_data.cust_hdr_end_name|default("") %}
-{%                 do acl_options.append('hdr_end(' ~ acl_data.cust_hdr_end_name ~ ') -i ' ~ acl_data.cust_hdr_end) %}
+{%                 do acl_options.append('hdr_end(' ~ acl_data.cust_hdr_end_name ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.cust_hdr_end) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'cust_hdr' %}
 {%               if acl_data.cust_hdr|default("") != "" and acl_data.cust_hdr_name|default("") != "" %}
-{%                 do acl_options.append('hdr(' ~ acl_data.cust_hdr_name ~ ') -i ' ~ acl_data.cust_hdr) %}
+{%                 do acl_options.append('hdr(' ~ acl_data.cust_hdr_name ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.cust_hdr) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'cust_hdr_reg' %}
 {%               if acl_data.cust_hdr_reg|default("") != "" and acl_data.cust_hdr_reg_name|default("") != "" %}
-{%                 do acl_options.append('hdr_reg(' ~ acl_data.cust_hdr_reg_name ~ ') -i ' ~ acl_data.cust_hdr_reg) %}
+{%                 do acl_options.append('hdr_reg(' ~ acl_data.cust_hdr_reg_name ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.cust_hdr_reg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'cust_hdr_sub' %}
 {%               if acl_data.cust_hdr_sub|default("") != "" and acl_data.cust_hdr_sub_name|default("") != "" %}
-{%                 do acl_options.append('hdr_sub(' ~ acl_data.cust_hdr_sub_name ~ ') -i ' ~ acl_data.cust_hdr_sub) %}
+{%                 do acl_options.append('hdr_sub(' ~ acl_data.cust_hdr_sub_name ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.cust_hdr_sub) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'url_param' %}
 {%               if acl_data.url_param_value|default("") != "" and acl_data.url_param|default("") != "" %}
-{%                 do acl_options.append('url_param(' ~ acl_data.url_param ~ ') -i ' ~ acl_data.url_param_value) %}
+{%                 do acl_options.append('url_param(' ~ acl_data.url_param ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.url_param_value) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -281,35 +349,55 @@
 {%               endif %}
 {%             elif acl_data.expression == 'ssl_sni' %}
 {%               if acl_data.ssl_sni|default("") != "" %}
-{%                 do acl_options.append('req.ssl_sni -i ' ~ acl_data.ssl_sni) %}
+{%                 do acl_options.append('req.ssl_sni') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.ssl_sni) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'ssl_sni_sub' %}
 {%               if acl_data.ssl_sni_sub|default("") != "" %}
-{%                 do acl_options.append('req.ssl_sni -m sub -i ' ~ acl_data.ssl_sni_sub) %}
+{%                 do acl_options.append('req.ssl_sni -m sub') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.ssl_sni_sub) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'ssl_sni_beg' %}
 {%               if acl_data.ssl_sni_beg|default("") != "" %}
-{%                 do acl_options.append('req.ssl_sni -m beg -i ' ~ acl_data.ssl_sni_beg) %}
+{%                 do acl_options.append('req.ssl_sni -m beg') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.ssl_sni_beg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'ssl_sni_end' %}
 {%               if acl_data.ssl_sni_end|default("") != "" %}
-{%                 do acl_options.append('req.ssl_sni -m end -i ' ~ acl_data.ssl_sni_end) %}
+{%                 do acl_options.append('req.ssl_sni -m end') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.ssl_sni_end) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'ssl_sni_reg' %}
 {%               if acl_data.ssl_sni_reg|default("") != "" %}
-{%                 do acl_options.append('req.ssl_sni -m reg -i ' ~ acl_data.ssl_sni_reg) %}
+{%                 do acl_options.append('req.ssl_sni -m reg') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.ssl_sni_reg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters

From 24c5c1ef0851de639ac5f542c32efe02ec69a816 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 Oct 2021 10:18:57 +0200
Subject: [PATCH 0740/3088] www/nginx: setup.sh is overloaded with runtime data
 #2581

---
 .../src/opnsense/service/conf/actions.d/actions_nginx.conf      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
index 8b7d4ebdcd..70bf433875 100644
--- a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
+++ b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
@@ -62,7 +62,7 @@ parameters:
 type:script_output
 
 [reload]
-command:/usr/local/etc/rc.d/nginx reload
+command:/usr/local/opnsense/scripts/nginx/setup.php;/usr/local/etc/rc.d/nginx reload
 parameters:
 type:script_output
 message:reloading nginx

From 50e70f8fe67726e3ccf6422e7e86d44ee9ceedaa Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 19 Oct 2021 10:26:27 +0200
Subject: [PATCH 0741/3088] net/haproxy: adjust validation message, refs #2585

---
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index f1b2e2f039..7eaa7c3dda 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -226,7 +226,7 @@
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>100</MaximumValue>
                     <default>3</default>
-                    <ValidationMessage>Please specify a value between 1 and 100.</ValidationMessage>
+                    <ValidationMessage>Please specify a value between 0 and 100.</ValidationMessage>
                     <Required>Y</Required>
                 </retries>
                 <redispatch type="OptionField">
@@ -1145,7 +1145,7 @@
                 <tuning_retries type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>100</MaximumValue>
-                    <ValidationMessage>Please specify a value between 1 and 100.</ValidationMessage>
+                    <ValidationMessage>Please specify a value between 0 and 100.</ValidationMessage>
                     <Required>N</Required>
                 </tuning_retries>
                 <customOptions type="TextField">

From 72bbdc16af0213d5573f81d74b59f87cc7da8360 Mon Sep 17 00:00:00 2001
From: Jan Wiesemann <kontakt@janwiesemann.de>
Date: Tue, 19 Oct 2021 15:12:15 +0200
Subject: [PATCH 0742/3088] Added STRATO IPv6 to DynDNS (#2567)

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc       |  1 +
 .../src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 09ad91469e..476cc286d5 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -151,6 +151,7 @@ function dyndns_list()
         'route53-v6' => 'Route 53 (v6)',
         'selfhost' => 'SelfHost',
         'strato' => 'STRATO',
+        'strato-v6' => 'STRATO (v6)',
         'zoneedit' => 'ZoneEdit',
     );
 }
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 6eb12fe704..aeef52eef6 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -50,7 +50,8 @@
  *  No-IP                       - Last Tested: 15 May 2020
  *  ODS                         - Last Tested: 02 August 2005
  *  Oray                        - Last Tested: 26 May 2017
- *  STRATO                      - Last Tested: 09 May 2017
+ *  STRATO                      - Last Tested: 08 October 2021
+ *  STRATO V6                   - Last Tested: 08 October 2021
  *  SelfHost                    - Last Tested: 26 December 2011
  *  StaticCling                 - Last Tested: 27 April 2006
  *  deSEC                       - Last Tested: 09 September 2020
@@ -260,6 +261,7 @@ class updatedns
             case 'desec-v4-v6':
             case 'desec-v6':
             case 'hetzner-v6':
+            case 'strato-v6':
                 $this->_useIPv6 = true;
                 break;
             default:
@@ -358,6 +360,7 @@ class updatedns
                 case 'selfhost':
                 case 'staticcling':
                 case 'strato':
+                case 'strato-v6':
                 case 'zoneedit':
                     $this->_update();
                     if ($this->_dnsDummyUpdateDone == true) {
@@ -1019,11 +1022,14 @@ class updatedns
                 curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
                 break;
             case 'strato':
+            case 'strato-v6':
                 $server = "https://dyndns.strato.com/nic/update?hostname={$this->_dnsHost}&myip={$this->_dnsIP}";
                 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
                 curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
                 curl_setopt($ch, CURLOPT_URL, $server);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+                if ($this->_curlIpresolveV4) {
+                    curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+                }
                 break;
             case '3322':
                 $server = "http://members.3322.net/dyndns/update?hostname={$this->_dnsHost}&myip={$this->_dnsIP}";
@@ -1651,6 +1657,7 @@ class updatedns
             case 'ovh-dynhost':
             case 'selfhost':
             case 'strato':
+            case 'strato-v6':
                 if (preg_match('/notfqdn/i', $data)) {
                     $status = "Dynamic DNS: (Error) Not a FQDN";
                 } elseif (preg_match('/nochg/i', $data)) {

From 13fb7d7d01ed18b974366512858ed5ee0e5d9210 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Oct 2021 15:13:41 +0200
Subject: [PATCH 0743/3088] dns/dyndns: new changes coming up

---
 dns/dyndns/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index e503a65620..3226022b7e 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.24
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.25
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 35c1324a4a7f34a257dba4a6c44f1874ca73039f Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 19 Oct 2021 15:14:59 +0200
Subject: [PATCH 0744/3088] www/c-icap: Fix logging due to Phalcon4 update
 (#2528)

---
 www/c-icap/Makefile                                             | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml    | 2 +-
 www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh         | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index 4d7407750a..9f1fe36abe 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		c-icap
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml
index 3def2f275a..326a689d0b 100644
--- a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml
+++ b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml
@@ -2,7 +2,7 @@
   <Services>
     <C_ICAP VisibleName="C-ICAP" cssClass="fa fa-ambulance">
         <Configuration order="10" url="/ui/cicap/general/index"/>
-        <LogFile VisibleName="Log File" order="20" url="/ui/diagnostics/log/c-icap/server"/>
+        <LogFile VisibleName="Log File" order="20" url="/ui/diagnostics/log/cicap/server"/>
     </C_ICAP>
   </Services>
 </menu>
diff --git a/www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh b/www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh
index d9bc156779..8e29386a1a 100755
--- a/www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh
+++ b/www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh
@@ -7,6 +7,8 @@ chmod 750 /var/run/c-icap
 mkdir -p /var/log/c-icap
 chown -R c_icap:c_icap /var/log/c-icap
 chmod 750 /var/log/c-icap
+(cd /var/log && ln -s c-icap cicap)
+chown -R c_icap:c_icap /var/log/cicap
 
 mkdir -p /tmp/c-icap/templates/virus_scan/en
 chmod -R 755 /tmp/c-icap/

From 46ca70a2249d377a74e328a00e984fc4dbeae1b7 Mon Sep 17 00:00:00 2001
From: DeepCoreSystem <devap@deepcore.eu>
Date: Tue, 19 Oct 2021 15:19:32 +0200
Subject: [PATCH 0745/3088] Make regfish DynDNS work for IPv4 and IPv6 (#2531)

regfish requires 2 different URIs to update, depending on the IP family. https://dyndns.regfish.de is for IPv4 and https://dyndns6.regfish.de is for IPv6.
---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index aeef52eef6..efaa71bf07 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1044,9 +1044,11 @@ class updatedns
                 curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
                 break;
             case 'regfish':
+                $server = "https://dyndns.regfish.de/?fqdn={$this->_dnsHost}&ipv4={$this->_dnsIP}&forcehost=1&token=" . urlencode($this->_dnsUser);
+                curl_setopt($ch, CURLOPT_URL, $server);
+                break;
             case 'regfish-v6':
-                $family = $this->_useIPv6 ? 'ipv6' : 'ipv4';
-                $server = "https://dyndns.regfish.de/?fqdn={$this->_dnsHost}&{$family}={$this->_dnsIP}&forcehost=1&token=" . urlencode($this->_dnsUser);
+                $server = "https://dyndns6.regfish.de/?fqdn={$this->_dnsHost}&ipv6={$this->_dnsIP}&forcehost=1&token=" . urlencode($this->_dnsUser);
                 curl_setopt($ch, CURLOPT_URL, $server);
                 break;
             case 'linode':

From 9a7cc4dcf9599b599ce1cb206b278679e1be03b8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Oct 2021 15:20:54 +0200
Subject: [PATCH 0746/3088] dns/dyndns: sort this case block

---
 .../src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc     | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index efaa71bf07..3e21cbdaef 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -248,19 +248,19 @@ class updatedns
         switch ($dnsService) {
             case 'all-inkl-v6':
             case 'azurev6':
+            case 'cloudflare-token-v6':
             case 'cloudflare-v6':
             case 'custom-v6':
+            case 'desec-v4-v6':
+            case 'desec-v6':
             case 'digitalocean-v6':
             case 'dynv6-v6':
-            case 'he-net-v6':
             case 'godaddy-v6':
+            case 'he-net-v6':
+            case 'hetzner-v6':
             case 'linode-v6':
             case 'regfish-v6':
             case 'route53-v6':
-            case 'cloudflare-token-v6':
-            case 'desec-v4-v6':
-            case 'desec-v6':
-            case 'hetzner-v6':
             case 'strato-v6':
                 $this->_useIPv6 = true;
                 break;

From 526e2710e59fb358ab68ea639435d415476e1f34 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Oct 2021 15:23:56 +0200
Subject: [PATCH 0747/3088] dns/dyndns: accept wildcard entry for hetzner;
 closes #2406

---
 dns/dyndns/src/www/services_dyndns_edit.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index 2ced127821..eef3911212 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -113,9 +113,9 @@ function is_dyndns_username($uname)
 
         switch ($pconfig['type']) {
             case 'cloudflare':
-            case 'cloudflare-v6':
             case 'cloudflare-token':
             case 'cloudflare-token-v6':
+            case 'cloudflare-v6':
             case 'desec':
             case 'desec-v4-v6':
             case 'desec-v6':
@@ -123,6 +123,8 @@ function is_dyndns_username($uname)
             case 'godaddy':
             case 'godaddy-v6':
             case 'googledomains':
+            case 'hetzner':
+            case 'hetzner-v6':
             case 'linode':
             case 'linode-v6':
             case 'namecheap':

From 302826f561b187780c770fad20e9886bdfe62f6d Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Thu, 21 Oct 2021 13:48:19 +0100
Subject: [PATCH 0748/3088] Override colour given in the vpn_ipsec.php file
 (#1999)

Override colour given in the vpn_ipsec.php file
---
 .../www/themes/rebellion/assets/stylesheets/main.scss        | 5 +++++
 .../src/opnsense/www/themes/rebellion/build/css/main.css     | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
index 92c6f2deee..f9b9179fa0 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
@@ -9264,3 +9264,8 @@ div.Tokenize ul {
 .image_invertible {
   filter: invert(1);
 }
+
+.phase1_tr td {
+  background-color: #282828 !important;
+}
+
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
index c3520c56a3..caa98b644d 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
@@ -7820,3 +7820,7 @@ div.Tokenize ul.TokensContainer li.Token a.Close {
 .image_invertible {
         filter: invert(1);
 }
+
+.phase1_tr td {
+  background-color: #282828 !important;
+}

From b95b6c759199a872d63f5d74386cc3da8df38148 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 14:52:10 +0200
Subject: [PATCH 0749/3088] misc/theme-rebellion: bump version

---
 misc/theme-rebellion/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index d50e43e6e6..b15ab9ea56 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.8.7
+PLUGIN_VERSION=		1.8.8
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 PLUGIN_NO_ABI=		yes

From fb050b28495f5cd270c140e0c4296cf5b0622faa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 14:53:21 +0200
Subject: [PATCH 0750/3088] www/nginx: remove obsolete comment

---
 .../controllers/OPNsense/Nginx/Api/ServiceController.php  | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
index cfc2459896..c8a9f280b2 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/ServiceController.php
@@ -50,14 +50,6 @@ public function stopAction()
         return array('status' => 'failed');
     }
 
-
-    /**
-     * reconfigure with optional stop, generate config and start / reload
-     * @return array response message
-     * @throws \Exception when configd action fails
-     * @throws \ReflectionException when model can't be instantiated
-     */
-
     /**
      * retrieve status of service
      * @return array response message

From 161ff20d69b5b613bae7fccd2e76a9febd52dc5e Mon Sep 17 00:00:00 2001
From: fhloston <fhloston@users.noreply.github.com>
Date: Thu, 21 Oct 2021 15:28:01 +0200
Subject: [PATCH 0751/3088] add enablecarp to softether (#2172)

---
 .../src/etc/inc/plugins.inc.d/softether.inc   | 13 ++++
 .../src/etc/rc.syshook.d/carp/50-softether    | 70 +++++++++++++++++++
 .../OPNsense/Softether/forms/general.xml      | 13 ++++
 .../app/models/OPNsense/Softether/General.xml | 13 ++++
 .../OPNsense/Softether/softether_server       |  3 +
 5 files changed, 112 insertions(+)
 create mode 100755 security/softether/src/etc/rc.syshook.d/carp/50-softether

diff --git a/security/softether/src/etc/inc/plugins.inc.d/softether.inc b/security/softether/src/etc/inc/plugins.inc.d/softether.inc
index 93a337adba..e11d8b8392 100644
--- a/security/softether/src/etc/inc/plugins.inc.d/softether.inc
+++ b/security/softether/src/etc/inc/plugins.inc.d/softether.inc
@@ -32,6 +32,19 @@ function softether_enabled()
     return (string)$model->enabled == '1';
 }
 
+function softether_carp_enabled()
+{
+    $model = new \OPNsense\Softether\General();
+    return (string)$model->enabled == '1' &&
+        (string)$model->enablecarp == '1';
+}
+
+function softether_carp_interfaces()
+{
+    $model = new \OPNsense\Softether\General();
+    return (string)$model->carpinterfaces;
+}
+
 function softether_services()
 {
     $services = array();
diff --git a/security/softether/src/etc/rc.syshook.d/carp/50-softether b/security/softether/src/etc/rc.syshook.d/carp/50-softether
new file mode 100755
index 0000000000..ca50c43ca6
--- /dev/null
+++ b/security/softether/src/etc/rc.syshook.d/carp/50-softether
@@ -0,0 +1,70 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
+ * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('config.inc');
+require_once('util.inc');
+require_once('interfaces.inc');
+require_once('plugins.inc.d/softether.inc');
+
+if (softether_carp_enabled()) {
+    // XXX: carp enable/disable mode
+    $subsystem = !empty($argv[1]) ? $argv[1] : '';
+    $type = !empty($argv[2]) ? $argv[2] : '';
+
+    if ($type != 'MASTER' && $type != 'BACKUP') {
+        log_error("Carp '$type' event unknown from source '{$subsystem}'");
+        exit(1);
+    }
+
+    if (!strstr($subsystem, '@')) {
+        log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
+        exit(1);
+    }
+
+    list ($vhid, $iface) = explode('@', $subsystem);
+    $friendly = convert_real_interface_to_friendly_interface_name($iface);
+
+    if (!(strpos(softether_carp_interfaces(),$friendly) !== false)) {
+        exit(0);
+    }
+
+    switch ($type) {
+        case 'MASTER':
+            touch('/var/run/softether/CARP_MASTER');
+            shell_exec('/usr/local/etc/rc.d/softether_server start');
+            break;
+        case 'BACKUP':
+            if (file_exists('/var/run/softether/CARP_MASTER')) {
+                unlink('/var/run/softether/CARP_MASTER');
+            }
+            shell_exec('/usr/local/etc/rc.d/softether_server stop');
+            break;
+    }
+}
diff --git a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/forms/general.xml b/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/forms/general.xml
index c5a99db13f..8e738f5d41 100644
--- a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/forms/general.xml
+++ b/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/forms/general.xml
@@ -5,4 +5,17 @@
         <type>checkbox</type>
         <help>This will activate SoftEther vpnserver process.</help>
     </field>
+    <field>
+        <id>general.enablecarp</id>
+        <label>Enable CARP Failover</label>
+        <type>checkbox</type>
+        <help>This will activate the vpnserver service only on the master device.</help>
+    </field>
+    <field>
+        <id>general.carpinterfaces</id>
+        <label>Monitored CARP interfaces</label>
+        <type>select_multiple</type>
+        <help><![CDATA[Select the interfaces, whose CARP transitions should be monitored.]]></help>
+        <hint>Type or select interface.</hint>
+    </field>
 </form>
diff --git a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml b/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
index 743f6585d6..05968a34c2 100644
--- a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
+++ b/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
@@ -7,5 +7,18 @@
             <default>0</default>
             <Required>Y</Required>
         </enabled>
+        <enablecarp type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enablecarp>
+        <carpinterfaces type="InterfaceField">
+                <Required>N</Required>
+                <multiple>Y</multiple>
+                <default></default>
+                <AllowDynamic>Y</AllowDynamic>
+                <filters>
+                    <enable>/^(?!0).*$/</enable>
+                </filters>
+        </carpinterfaces>
     </items>
 </model>
diff --git a/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server b/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server
index 72a7f30480..29fcf71906 100644
--- a/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server
+++ b/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server
@@ -1,6 +1,9 @@
 {% if helpers.exists('OPNsense.softether.general.enabled') and OPNsense.softether.general.enabled == '1' %}
 softether_server_var_script="/usr/local/opnsense/scripts/OPNsense/Softether/setup.sh"
 softether_server_enable="YES"
+{% if helpers.exists('OPNsense.softether.general.enablecarp') and OPNsense.softether.general.enablecarp == '1' %}
+required_files="/var/run/softether/CARP_MASTER"
+{% endif %}
 {% else %}
 softether_server_enable="NO"
 {% endif %}

From 293d1708fc9aaf3f1358433006630abd7ac6a360 Mon Sep 17 00:00:00 2001
From: ruworuro <ruworuro@users.noreply.github.com>
Date: Thu, 21 Oct 2021 15:29:33 +0200
Subject: [PATCH 0752/3088] sysutils/nut - Add port field to netclient (#2052)

---
 sysutils/nut/Makefile                                       | 2 +-
 .../mvc/app/controllers/OPNsense/Nut/forms/settings.xml     | 6 ++++++
 .../nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml    | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Nut/upsmon.conf | 2 +-
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/sysutils/nut/Makefile b/sysutils/nut/Makefile
index caf7bfcc96..1e9315072c 100644
--- a/sysutils/nut/Makefile
+++ b/sysutils/nut/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nut
-PLUGIN_VERSION=		1.8
+PLUGIN_VERSION=		1.8.1
 PLUGIN_COMMENT=		Network UPS Tools
 PLUGIN_DEPENDS=		nut
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
index 919cb56463..41d6cfe5e3 100644
--- a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
+++ b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
@@ -157,6 +157,12 @@
                 <type>text</type>
                 <help>Set the IP address of the remote NUT server.</help>
             </field>
+            <field>
+                <id>nut.netclient.port</id>
+                <label>Port</label>
+                <type>text</type>
+                <help>Set the TCP port of the remote NUT server.</help>
+            </field>
             <field>
                 <id>nut.netclient.user</id>
                 <label>Username</label>
diff --git a/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml b/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
index 3a200bd11b..3ee149b386 100644
--- a/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
+++ b/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
@@ -111,6 +111,10 @@
         <default></default>
         <Required>N</Required>
       </address>
+      <port type="PortField">
+        <default>3493</default>
+        <Required>N</Required>
+      </port>
       <user type="TextField">
         <Required>N</Required>
       </user>
diff --git a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
index e37c424774..da20af35da 100644
--- a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
+++ b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
@@ -7,7 +7,7 @@ SHUTDOWNCMD "/usr/local/etc/rc.halt"
 POWERDOWNFLAG /etc/killpower
 {% endif %}
 {% if helpers.exists('OPNsense.Nut.netclient.enable') and OPNsense.Nut.netclient.enable == '1' %}
-MONITOR {{ OPNsense.Nut.general.name }}@{{ OPNsense.Nut.netclient.address }} 1 {{ OPNsense.Nut.netclient.user }} {{ OPNsense.Nut.netclient.password }} slave
+MONITOR {{ OPNsense.Nut.general.name }}@{{ OPNsense.Nut.netclient.address }}{% if helpers.exists('OPNsense.Nut.netclient.port') %}:{{ OPNsense.Nut.netclient.port }}{% endif %} 1 {{ OPNsense.Nut.netclient.user }} {{ OPNsense.Nut.netclient.password }} slave
 SHUTDOWNCMD "/usr/local/etc/rc.halt"
 POWERDOWNFLAG /etc/killpower
 {% endif %}

From 2b9edbb85b7d45341e65b2a59d39f46df90201c5 Mon Sep 17 00:00:00 2001
From: lfirewall1243 <41630758+lfirewall1243@users.noreply.github.com>
Date: Thu, 21 Oct 2021 15:34:55 +0200
Subject: [PATCH 0753/3088] Update Postfix Description (#2281)

---
 .../mvc/app/controllers/OPNsense/Postfix/forms/general.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 24df5c4a1b..9a4eade64a 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -27,7 +27,7 @@
         <id>general.inet_interfaces</id>
         <label>Listen IPs</label>
         <type>text</type>
-        <help>The 'Listen IPs' parameter specifies the IP address to listen to. Default is to listen on all interfaces.</help>
+        <help>The 'Listen IPs' parameter specifies a comma-separated list of IP addresses to listen to. Default is to listen on all interfaces.</help>
     </field>
     <field>
         <id>general.inet_port</id>

From 2803e3bf3f0f39c1a1c7cd04ab207b445d52564d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 15:36:38 +0200
Subject: [PATCH 0754/3088] security/softether: bump version

---
 security/softether/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/softether/Makefile b/security/softether/Makefile
index e1e595bcc9..c595499554 100644
--- a/security/softether/Makefile
+++ b/security/softether/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		softether
-PLUGIN_VERSION=		0.1
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		0.2
 PLUGIN_COMMENT=		Cross-platform Multi-protocol VPN Program
 PLUGIN_DEPENDS=		softether
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From a591eb0e35cfe1d67f20dcf2a4fdc205defde81b Mon Sep 17 00:00:00 2001
From: Nuno <45106055+rare-magma@users.noreply.github.com>
Date: Thu, 21 Oct 2021 15:45:51 +0200
Subject: [PATCH 0755/3088] add insecure_skip_verify as an option for Influx v1
 output (#2356)

---
 .../mvc/app/controllers/OPNsense/Telegraf/forms/output.xml  | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml    | 4 ++++
 .../service/templates/OPNsense/Telegraf/telegraf.conf       | 5 +++++
 3 files changed, 15 insertions(+)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 89f8ee137b..8f184761be 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -35,6 +35,12 @@
         <type>text</type>
         <help>Set the password for authentication.</help>
     </field>
+    <field>
+        <id>output.influx_ssl_verify</id>
+        <label>Disable SSL verification</label>
+        <type>checkbox</type>
+        <help>This will skip chain and host verification.</help>
+    </field>
     <field>
         <id>output.influx_v2_enable</id>
         <label>Enable Influx v2 Output</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index c3b090acf7..a64d586bbc 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -27,6 +27,10 @@
             <default></default>
             <Required>N</Required>
         </influx_password>
+        <influx_ssl_verify type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </influx_ssl_verify>
         <graphite_enable type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index f74f878542..f9ab13f5b8 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -73,6 +73,11 @@
 {% if helpers.exists('OPNsense.telegraf.output.influx_password') and OPNsense.telegraf.output.influx_password != '' %}
   password = "{{ OPNsense.telegraf.output.influx_password }}"
 {%   endif %}
+{% if helpers.exists('OPNsense.telegraf.output.influx_ssl_verify') and OPNsense.telegraf.output.influx_ssl_verify == '1' %}
+  insecure_skip_verify = true
+{%   else %}
+  insecure_skip_verify = false
+{%   endif %}
 {% endif %}
 
 {% if helpers.exists('OPNsense.telegraf.output.datadog_enable') and OPNsense.telegraf.output.datadog_enable == '1' %}

From ad39a00188370e119ccdd4aa255b77e1261d0198 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 21 Oct 2021 15:49:01 +0200
Subject: [PATCH 0756/3088] add insecure_skip_verify as an option for Influx v1
 output (#2356) fix naming

---
 .../mvc/app/controllers/OPNsense/Telegraf/forms/output.xml    | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml  | 4 ++--
 .../service/templates/OPNsense/Telegraf/telegraf.conf         | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 8f184761be..38be9076f7 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -36,7 +36,7 @@
         <help>Set the password for authentication.</help>
     </field>
     <field>
-        <id>output.influx_ssl_verify</id>
+        <id>output.influx_insecure_skip_verify</id>
         <label>Disable SSL verification</label>
         <type>checkbox</type>
         <help>This will skip chain and host verification.</help>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index a64d586bbc..e6072a3638 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -27,10 +27,10 @@
             <default></default>
             <Required>N</Required>
         </influx_password>
-        <influx_ssl_verify type="BooleanField">
+        <influx_insecure_skip_verify type="BooleanField">
             <default>0</default>
             <Required>N</Required>
-        </influx_ssl_verify>
+        </influx_insecure_skip_verify>
         <graphite_enable type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index f9ab13f5b8..9d946839bb 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -73,7 +73,7 @@
 {% if helpers.exists('OPNsense.telegraf.output.influx_password') and OPNsense.telegraf.output.influx_password != '' %}
   password = "{{ OPNsense.telegraf.output.influx_password }}"
 {%   endif %}
-{% if helpers.exists('OPNsense.telegraf.output.influx_ssl_verify') and OPNsense.telegraf.output.influx_ssl_verify == '1' %}
+{% if helpers.exists('OPNsense.telegraf.output.influx_insecure_skip_verify') and OPNsense.telegraf.output.influx_insecure_skip_verify == '1' %}
   insecure_skip_verify = true
 {%   else %}
   insecure_skip_verify = false

From e762a7dd775b182dfd52e667cad2030c784bbaaa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 15:49:34 +0200
Subject: [PATCH 0757/3088] net-mgmt/telegraf: bump version

---
 net-mgmt/telegraf/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 71ae1610bb..0e31d6ae9f 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.1
+PLUGIN_VERSION=		1.12.2
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 590dcec2586df788bb9733e987c63e8facd95a58 Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Thu, 21 Oct 2021 14:50:43 +0100
Subject: [PATCH 0758/3088] UDP Broadcast relay Update (#2384)

The server side  data-width is too large for tablets. Reduced to give a better overall view, though this truncates data it looks better on a tablet.
Bumped revision and updated pkg-descr.
---
 net/udpbroadcastrelay/Makefile                 |  2 +-
 net/udpbroadcastrelay/pkg-descr                |  4 ++++
 .../OPNsense/UDPBroadcastRelay/index.volt      | 18 +++++++++---------
 3 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index b8aa04860e..9d11bafa50 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		udpbroadcastrelay
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Control ubpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com
diff --git a/net/udpbroadcastrelay/pkg-descr b/net/udpbroadcastrelay/pkg-descr
index 684ef947f6..e43597ee47 100644
--- a/net/udpbroadcastrelay/pkg-descr
+++ b/net/udpbroadcastrelay/pkg-descr
@@ -27,3 +27,7 @@ udp_vars=" --id 1 --port 80 --dev eth0 --dev eth1"
 
 Warcraft 3 Server Discovery
 udp_vars=" --id 1 --port 6112 --dev eth0 --dev eth1"
+
+It is a requirement that generally a firewall entry will be required to allow the server responses
+back to the requesting client. As it's not known what the port/address of the server is then this
+entry will need to be created manually.
\ No newline at end of file
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
index f8c106948f..cd84f0720a 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
@@ -87,16 +87,16 @@ POSSIBILITY OF SUCH DAMAGE.
         <table id="grid-proxies" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEdit">
             <thead>
             <tr>
-                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                <th data-column-id="interfaces" data-width="10em" data-type="string" data-visible="true">{{ lang._('Interfaces') }}</th>
-                <th data-column-id="multicastaddress" data-width="15em" data-type="string" data-visible="true">{{ lang._('Multicast Addresses') }}</th>
-                <th data-column-id="sourceaddress"  data-width="11em" data-type="string" data-visible="true">{{ lang._('Source Address') }}</th>
-                <th data-column-id="listenport" data-width="8em" data-type="string" data-visible="true">{{ lang._('Listen Port') }}</th>
-                <th data-column-id="InstanceID" data-width="6em" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
-                <th data-column-id="description" data-width="15em" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="enabled" data-width="1em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="interfaces" data-width="2em" data-type="string" data-visible="true">{{ lang._('Interfaces') }}</th>
+                <th data-column-id="multicastaddress" data-width="2em" data-type="string" data-visible="true">{{ lang._('Multicast Addresses') }}</th>
+                <th data-column-id="sourceaddress"  data-width="2em" data-type="string" data-visible="true">{{ lang._('Source Address') }}</th>
+                <th data-column-id="listenport" data-width="2em" data-type="string" data-visible="true">{{ lang._('Listen Port') }}</th>
+                <th data-column-id="InstanceID" data-width="1em" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
+                <th data-column-id="description" data-width="2em" data-type="string">{{ lang._('Description') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                <th data-column-id="RevertTTL" data-width="10em" data-type="string"  data-visible="true" data-formatter="boolean">{{ lang._('Use ID as TTL') }}</th>
-                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="RevertTTL" data-width="2em" data-type="string"  data-visible="true" data-formatter="boolean">{{ lang._('Use ID as TTL') }}</th>
+                <th data-column-id="commands" data-width="2em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>

From 5cbc2e2664a21b2071be2189bdb0158f12cd250a Mon Sep 17 00:00:00 2001
From: ryan <33b5e5@users.noreply.github.com>
Date: Thu, 21 Oct 2021 06:53:22 -0700
Subject: [PATCH 0759/3088] Add option to enable/disable local query logs
 (#2385)

---
 dns/dnscrypt-proxy/pkg-descr                               | 4 ++++
 .../controllers/OPNsense/Dnscryptproxy/forms/general.xml   | 7 +++++++
 .../mvc/app/models/OPNsense/Dnscryptproxy/General.xml      | 6 +++++-
 .../templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml   | 2 ++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index aad8c9492a..4d379c6018 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
+1.10 
+
+* Add option to enable/disable local query logs
+
 1.9
 
 * Fix logging due to Phalcon4 update
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
index cda8bf0707..d9e01d5452 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
@@ -165,4 +165,11 @@
         <allownew>true</allownew>
         <help><![CDATA[Set a list of <a href="https://dnscrypt.info/public-servers">known servers</a> e.g. if you want to stick with Cisco only. You can also put your manually added servers here. Please use on your own risk.]]></help>
     </field>
+    </field>
+        <field>
+        <id>general.query_logs</id>
+        <label>Enable query logs</label>
+        <type>checkbox</type>
+        <help>This will enable/disable local logs. This includes both [query_log] and [nx_log] as described in the DNSCrypt-Proxy documentation.</help>
+    </field>
 </form>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index 806459a5bf..e3f51b3534 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/dnscryptproxy/general</mount>
     <description>dnscrypt-proxy configuration</description>
-    <version>0.1.0</version>
+    <version>0.1.1</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -136,5 +136,9 @@
         <serverlist type="CSVListField">
             <Required>N</Required>
         </serverlist>
+        <query_logs type="BooleanField">
+            <default>1</default>
+            <Required>Y</Required>
+        </query_logs>
     </items>
 </model>
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index dcade82dfb..48b0f609cd 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -118,6 +118,7 @@ cache_neg_max_ttl = {{ OPNsense.dnscryptproxy.general.cache_neg_max_ttl }}
 cache = false
 {%   endif %}
 
+{%   if helpers.exists('OPNsense.dnscryptproxy.general.query_logs') and OPNsense.dnscryptproxy.general.query_logs == '1' %}
 [query_log]
   file = '/var/log/dnscrypt-proxy/query.log'
   format = 'tsv'
@@ -125,6 +126,7 @@ cache = false
 [nx_log]
   file = '/var/log/dnscrypt-proxy/nx.log'
   format = 'tsv'
+{%   endif %}
 
 [allowed_names]
   allowed_names_file = 'whitelist.txt'

From 6650d4d327f0656340732f10f01262ad4df51b8d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 15:54:02 +0200
Subject: [PATCH 0760/3088] dns/dnscrypt-proxy: bump version

---
 dns/dnscrypt-proxy/Makefile  | 3 +--
 dns/dnscrypt-proxy/pkg-descr | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 1c29346d61..26d9d6d8df 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 4d379c6018..9e5283742c 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,7 +5,7 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
-1.10 
+1.10
 
 * Add option to enable/disable local query logs
 

From db291ca7ff1333cbeae04617c06cbe1f5596329e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 15:57:05 +0200
Subject: [PATCH 0761/3088] dns/dnscrypt-proxy: xml issue in previous

---
 .../app/controllers/OPNsense/Dnscryptproxy/forms/general.xml   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
index d9e01d5452..d3665bb692 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
@@ -165,8 +165,7 @@
         <allownew>true</allownew>
         <help><![CDATA[Set a list of <a href="https://dnscrypt.info/public-servers">known servers</a> e.g. if you want to stick with Cisco only. You can also put your manually added servers here. Please use on your own risk.]]></help>
     </field>
-    </field>
-        <field>
+    <field>
         <id>general.query_logs</id>
         <label>Enable query logs</label>
         <type>checkbox</type>

From 0ac78b5f0119c37fb86f421015bfd1a0037b1fa4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 15:59:08 +0200
Subject: [PATCH 0762/3088] plugins: style sweep

---
 .../opnsense/www/themes/rebellion/assets/stylesheets/main.scss  | 1 -
 net/udpbroadcastrelay/pkg-descr                                 | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
index f9b9179fa0..da4ca7c79c 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
@@ -9268,4 +9268,3 @@ div.Tokenize ul {
 .phase1_tr td {
   background-color: #282828 !important;
 }
-
diff --git a/net/udpbroadcastrelay/pkg-descr b/net/udpbroadcastrelay/pkg-descr
index e43597ee47..bd8f32978d 100644
--- a/net/udpbroadcastrelay/pkg-descr
+++ b/net/udpbroadcastrelay/pkg-descr
@@ -30,4 +30,4 @@ udp_vars=" --id 1 --port 6112 --dev eth0 --dev eth1"
 
 It is a requirement that generally a firewall entry will be required to allow the server responses
 back to the requesting client. As it's not known what the port/address of the server is then this
-entry will need to be created manually.
\ No newline at end of file
+entry will need to be created manually.

From 4cb6dfae1de5121e13ba7378df28544150470dc2 Mon Sep 17 00:00:00 2001
From: Karlson2k <k2k@narod.ru>
Date: Thu, 21 Oct 2021 17:09:11 +0300
Subject: [PATCH 0763/3088] dns/dnscrypt-proxy: added support for
 'disabled_server_names' (#2518)

---
 dns/dnscrypt-proxy/pkg-descr                              | 1 +
 .../controllers/OPNsense/Dnscryptproxy/forms/general.xml  | 8 ++++++++
 .../mvc/app/models/OPNsense/Dnscryptproxy/General.xml     | 7 +++++++
 .../templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml  | 4 ++++
 4 files changed, 20 insertions(+)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 9e5283742c..e95ca7a432 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -8,6 +8,7 @@ Plugin Changelog
 1.10
 
 * Add option to enable/disable local query logs
+* Add manual disable of specific servers 
 
 1.9
 
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
index d3665bb692..9992fca0c3 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
@@ -171,4 +171,12 @@
         <type>checkbox</type>
         <help>This will enable/disable local logs. This includes both [query_log] and [nx_log] as described in the DNSCrypt-Proxy documentation.</help>
     </field>
+    <field>
+        <id>general.disabled_serverlist</id>
+        <label>Disabled Servers List</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Exclude servers from automatic selection. Add any specific server names here if you do not want to use them for any reason.]]></help>
+    </field>  
 </form>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index e3f51b3534..85826254e3 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -140,5 +140,12 @@
             <default>1</default>
             <Required>Y</Required>
         </query_logs>
+        <disabled_serverlist type="TextField">
+            <mask>/^([a-z0-9.,\-]{1,70})$/</mask>
+            <default></default>
+            <Required>N</Required>
+            <FieldSeparator>,</FieldSeparator>
+            <asList>Y</asList>
+        </disabled_serverlist>
     </items>
 </model>
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index 48b0f609cd..2207b162b1 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -4,6 +4,10 @@
 server_names = [{{ "'" + ("','".join(OPNsense.dnscryptproxy.general.serverlist.split(','))) + "'" }}]
 {%   endif %}
 
+{%   if helpers.exists('OPNsense.dnscryptproxy.general.disabled_serverlist') and OPNsense.dnscryptproxy.general.disabled_serverlist != '' %}
+disabled_server_names = ['{{OPNsense.dnscryptproxy.general.disabled_serverlist}}']
+{%   endif %}
+
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.listen_addresses') and OPNsense.dnscryptproxy.general.listen_addresses != '' %}
 listen_addresses = [{{ "'" + ("','".join(OPNsense.dnscryptproxy.general.listen_addresses.split(','))) + "'" }}]
 {%   else %}

From 700f3ef81be678fe8431dec671279c5530ced065 Mon Sep 17 00:00:00 2001
From: jamiew0w <jamiew0w@users.noreply.github.com>
Date: Thu, 21 Oct 2021 15:29:03 +0100
Subject: [PATCH 0764/3088] net/vnstat: added yearly table to vnstat service
 (#2452)

---
 net/vnstat/Makefile                                   |  2 +-
 net/vnstat/pkg-descr                                  |  5 +++++
 .../OPNsense/Vnstat/Api/ServiceController.php         | 11 +++++++++++
 .../mvc/app/views/OPNsense/Vnstat/general.volt        | 10 ++++++++++
 .../service/conf/actions.d/actions_vnstat.conf        |  8 +++++++-
 5 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/net/vnstat/Makefile b/net/vnstat/Makefile
index bd8388bee2..03414717c4 100644
--- a/net/vnstat/Makefile
+++ b/net/vnstat/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		vnstat
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		vnStat is a console-based network traffic monitor
 PLUGIN_DEPENDS=		vnstat
diff --git a/net/vnstat/pkg-descr b/net/vnstat/pkg-descr
index f4eea85ce5..942ef7533c 100644
--- a/net/vnstat/pkg-descr
+++ b/net/vnstat/pkg-descr
@@ -9,6 +9,11 @@ ensures light use of system resources.
 Plugin Changelog
 ================
 
+1.3
+
+* Added Yearly statistics.
+* Fixed typo leftover from removing weekly statistics.
+
 1.2
 
 * Remove Weekly statistics, unsupported since vnStat v2
diff --git a/net/vnstat/src/opnsense/mvc/app/controllers/OPNsense/Vnstat/Api/ServiceController.php b/net/vnstat/src/opnsense/mvc/app/controllers/OPNsense/Vnstat/Api/ServiceController.php
index c72a5d421d..a8fbebb7c2 100644
--- a/net/vnstat/src/opnsense/mvc/app/controllers/OPNsense/Vnstat/Api/ServiceController.php
+++ b/net/vnstat/src/opnsense/mvc/app/controllers/OPNsense/Vnstat/Api/ServiceController.php
@@ -78,6 +78,17 @@ public function monthlyAction()
         return array("response" => $response);
     }
 
+    /**
+     * list yearly statistics
+     * @return array
+     */
+    public function yearlyAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("vnstat yearly");
+        return array("response" => $response);
+    }
+
     /**
      * remove database folder
      * @return array
diff --git a/net/vnstat/src/opnsense/mvc/app/views/OPNsense/Vnstat/general.volt b/net/vnstat/src/opnsense/mvc/app/views/OPNsense/Vnstat/general.volt
index add9b5564f..469b8ba84a 100644
--- a/net/vnstat/src/opnsense/mvc/app/views/OPNsense/Vnstat/general.volt
+++ b/net/vnstat/src/opnsense/mvc/app/views/OPNsense/Vnstat/general.volt
@@ -31,6 +31,7 @@
     <li><a data-toggle="tab" href="#hourly">{{ lang._('Hourly Statistics') }}</a></li>
     <li><a data-toggle="tab" href="#daily">{{ lang._('Daily Statistics') }}</a></li>
     <li><a data-toggle="tab" href="#monthly">{{ lang._('Monthly Statistics') }}</a></li>
+    <li><a data-toggle="tab" href="#yearly">{{ lang._('Yearly Statistics') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
@@ -53,6 +54,9 @@
     <div id="monthly" class="tab-pane fade in">
       <pre id="listmonthly"></pre>
     </div>
+    <div id="yearly" class="tab-pane fade in">
+      <pre id="listyearly"></pre>
+    </div>
 </div>
 
 <script>
@@ -73,6 +77,11 @@ function update_monthly() {
         $("#listmonthly").text(data['response']);
     });
 }
+function update_yearly() {
+    ajaxCall(url="/api/vnstat/service/yearly", sendData={}, callback=function(data,status) {
+        $("#listyearly").text(data['response']);
+    });
+}
 
 $( document ).ready(function() {
     var data_get_map = {'frm_general_settings':"/api/vnstat/general/get"};
@@ -87,6 +96,7 @@ $( document ).ready(function() {
     setInterval(update_hourly, 3000);
     setInterval(update_daily, 3000);
     setInterval(update_monthly, 3000);
+    setInterval(update_yearly, 3000);
 
     $("#saveAct").click(function(){
         saveFormToEndpoint(url="/api/vnstat/general/set", formid='frm_general_settings',callback_ok=function(){
diff --git a/net/vnstat/src/opnsense/service/conf/actions.d/actions_vnstat.conf b/net/vnstat/src/opnsense/service/conf/actions.d/actions_vnstat.conf
index 5c998c805f..0e13bb1b3f 100644
--- a/net/vnstat/src/opnsense/service/conf/actions.d/actions_vnstat.conf
+++ b/net/vnstat/src/opnsense/service/conf/actions.d/actions_vnstat.conf
@@ -38,7 +38,13 @@ message:request Vnstat daily status
 command:/usr/local/bin/vnstat -m
 parameters:
 type:script_output
-message:request Vnstat weekly status
+message:request Vnstat monthly status
+
+[yearly]
+command:/usr/local/bin/vnstat -y
+parameters:
+type:script_output
+message:request Vnstat yearly status
 
 [resetdb]
 command:rm -rf /var/lib/vnstat

From bd59493ef42e3bb84956525dbecb19ad1d2a6d97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E3=83=84?= <1109954+Xeroxxx@users.noreply.github.com>
Date: Thu, 21 Oct 2021 16:32:30 +0200
Subject: [PATCH 0765/3088] Update lldpd (#2505)

Identify correctly as Network Connectivity Device (Class 4).
---
 .../lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd b/net-mgmt/lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd
index 192925dac1..9595e7d7d3 100644
--- a/net-mgmt/lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd
+++ b/net-mgmt/lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd
@@ -1,6 +1,6 @@
 {% if helpers.exists('OPNsense.lldpd.general.enabled') and OPNsense.lldpd.general.enabled == '1' %}
 lldpd_enable="YES"
-lldpd_flags="{% if helpers.exists('OPNsense.lldpd.general.cdp') and OPNsense.lldpd.general.cdp == '1' %}-c{% endif %}{% if helpers.exists('OPNsense.lldpd.general.fdp') and OPNsense.lldpd.general.fdp == '1' %} -f{% endif %}{% if helpers.exists('OPNsense.lldpd.general.edp') and OPNsense.lldpd.general.edp == '1' %} -e{% endif %}{% if helpers.exists('OPNsense.lldpd.general.sonmp') and OPNsense.lldpd.general.sonmp == '1' %} -s{% endif %}{% if helpers.exists('OPNsense.lldpd.general.interface') and OPNsense.lldpd.general.interface != '' %} -I {{ OPNsense.lldpd.general.interface }}{% endif %}"
+lldpd_flags="{% if helpers.exists('OPNsense.lldpd.general.cdp') and OPNsense.lldpd.general.cdp == '1' %}-c{% endif %}{% if helpers.exists('OPNsense.lldpd.general.fdp') and OPNsense.lldpd.general.fdp == '1' %} -f{% endif %}{% if helpers.exists('OPNsense.lldpd.general.edp') and OPNsense.lldpd.general.edp == '1' %} -e{% endif %}{% if helpers.exists('OPNsense.lldpd.general.sonmp') and OPNsense.lldpd.general.sonmp == '1' %} -s{% endif %}{% if helpers.exists('OPNsense.lldpd.general.interface') and OPNsense.lldpd.general.interface != '' %} -I {{ OPNsense.lldpd.general.interface }}{% endif %} -M 4"
 {% else %}
 lldpd_enable="NO"
 {% endif %}

From 91887acf395236f76c2381ecde2a5a236eb5711f Mon Sep 17 00:00:00 2001
From: Pasi Suominen <pasiz@pasiz.net>
Date: Thu, 21 Oct 2021 17:33:57 +0300
Subject: [PATCH 0766/3088] Added support for Extreme networks EXOS switches
 VLAN and policy management (#2516)

---
 .../forms/dialogEditFreeRADIUSUser.xml        | 20 +++++++++++++++++++
 .../OPNsense/Freeradius/forms/general.xml     |  6 ++++++
 .../models/OPNsense/Freeradius/General.xml    |  6 +++++-
 .../app/models/OPNsense/Freeradius/User.xml   | 13 +++++++++++-
 .../templates/OPNsense/Freeradius/users       | 13 ++++++++++++
 5 files changed, 56 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
index a859a6396d..ea4848a834 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
@@ -69,6 +69,26 @@
         <advanced>true</advanced>
         <help>Set how many times one account is allowed to login at the same time.</help>
     </field>
+    <field>
+        <id>user.exos_vlan_untagged</id>
+        <label>EXOS VLAN Untagged</label>
+        <type>text</type>
+        <help>Set exos vlan untagged</help>
+    </field>
+    <field>
+        <id>user.exos_vlan_tagged</id>
+        <label>EXOS VLAN Tagged list</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>Set exos vlan tagged</help>
+    </field>
+    <field>
+        <id>user.exos_policy</id>
+        <label>EXOS policy</label>
+        <type>text</type>
+        <help>Set exos policy filter id with Filter-ID="Entrasys:version=1:mgmt=su:policy=[policy_name]"</help>
+    </field>
     <field>
         <id>user.wispr_bw_min_up</id>
         <label>WISPr Bandwith Min UP</label>
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
index 7f4de121b3..65a8795af1 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
@@ -17,6 +17,12 @@
         <type>checkbox</type>
         <help>This allows you to bind to an external LDAP server. Be aware that FreeRADIUS will not start if there is no further configuration.</help>
     </field>
+    <field>
+        <id>general.exos</id>
+        <label>Enable EXOS attributes</label>
+        <type>checkbox</type>
+        <help>This enables the EXOS VLAN and policy attributes assignment via users tab.</help>
+    </field>
     <field>
         <id>general.wispr</id>
         <label>Enable WISPr attributes</label>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
index 339c42e1d8..be78892afe 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/general</mount>
     <description>FreeRADIUS configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -15,6 +15,10 @@
             <default>0</default>
             <Required>N</Required>
         </ldap_enabled>
+        <exos type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </exos>
         <wispr type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index f56b97050c..616b946b9e 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/user</mount>
     <description>FreeRADIUS user configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <users>
             <user type="ArrayField">
@@ -49,6 +49,17 @@
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>1024</MaximumValue>
                 </simuse>
+                <exos_vlan_untagged type="IntegerField">
+                    <Required>N</Required>
+                    <MaximumValue>4096</MaximumValue>
+                </exos_vlan_untagged>
+                <exos_vlan_tagged type="CSVListField">
+                    <Required>N</Required>
+                    <mask>/^(\d{1,4},)*(\d{1,4})$/</mask>
+                </exos_vlan_tagged>
+                <exos_policy type="TextField">
+                    <Required>N</Required>
+                </exos_policy>
                 <wispr_bw_min_up type="IntegerField">
                     <Required>N</Required>
                 </wispr_bw_min_up>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index 163ab828cf..3d1f99e6ab 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -31,6 +31,19 @@
        Tunnel-Private-Group-Id = {{ user_list.vlan }},
 {%         endif %}
 {%       endif %}
+{%       if helpers.exists('OPNsense.freeradius.general.exos') and OPNsense.freeradius.general.exos == '1' %}
+{%         if user_list.exos_vlan_untagged is defined and user_list.exos_vlan_tagged is not defined %}
+       Extreme-Netlogin-Extended-VLAN = "U{{ user_list.exos_vlan_untagged }}",
+{%         endif %}
+{%           if user_list.exos_vlan_tagged is defined%}
+       Extreme-Netlogin-Extended-VLAN = "{% if user_list.exos_vlan_untagged is defined -%}
+       U{{ user_list.exos_vlan_untagged }};{% endif -%}
+       {% for exostaggedlist in user_list.exos_vlan_tagged.split(',') %}T{{ exostaggedlist }};{% endfor %}",
+{%           endif %}
+{%         if user_list.exos_policy is defined %}
+       Filter-ID="Enterasys:version=1:mgmt=su:policy={{ user_list.exos_policy }}",
+{%         endif %}
+{%       endif %}
 {%       if helpers.exists('OPNsense.freeradius.general.wispr') and OPNsense.freeradius.general.wispr == '1' %}
 {%         if user_list.wispr_bw_min_up is defined %}
        WISPr-Bandwidth-Min-Up = {{ user_list.wispr_bw_min_up }},

From 53708068983a270e1245932768ab6ea7a9eaa05c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 16:33:23 +0200
Subject: [PATCH 0767/3088] net-mgmt/lldpd: bump revision

---
 net-mgmt/lldpd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/lldpd/Makefile b/net-mgmt/lldpd/Makefile
index 0b778bcae3..96a79b57a2 100644
--- a/net-mgmt/lldpd/Makefile
+++ b/net-mgmt/lldpd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		lldpd
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		LLDP allows you to know exactly on which port is a server
 PLUGIN_DEPENDS=		lldpd
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 7a70ee75e6083ad3de24e7ed6fa67c9bbea72e17 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 16:34:18 +0200
Subject: [PATCH 0768/3088] plugins: whitespace sweep

---
 dns/dnscrypt-proxy/pkg-descr                                    | 2 +-
 .../app/controllers/OPNsense/Dnscryptproxy/forms/general.xml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index e95ca7a432..540b718146 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -8,7 +8,7 @@ Plugin Changelog
 1.10
 
 * Add option to enable/disable local query logs
-* Add manual disable of specific servers 
+* Add manual disable of specific servers
 
 1.9
 
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
index 9992fca0c3..41d4d57d26 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
@@ -178,5 +178,5 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <help><![CDATA[Exclude servers from automatic selection. Add any specific server names here if you do not want to use them for any reason.]]></help>
-    </field>  
+    </field>
 </form>

From 220fb4c8ea64b73ab1081770c9d6d75727aafceb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Oct 2021 16:41:40 +0200
Subject: [PATCH 0769/3088] net/freeradius: changes for next version

---
 net/freeradius/Makefile  | 2 +-
 net/freeradius/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index eeaa9f0809..7ac00905a2 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.16
+PLUGIN_VERSION=		1.9.17
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index f79c4cfd20..023f6c57ad 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.17
+
+* Added support for Extreme networks EXOS switch Extreme-Netlogin-Extended-VLAN VSA and policy for GEN2 (contributed by Pasi Suominen)
+
 1.9.16
 
 * Allow user to choose Elliptic Curve in EAP

From 4df8b686f527b8d4eeba584aa6e1fdbec1209ab9 Mon Sep 17 00:00:00 2001
From: Zixian Cai <2891235+caizixian@users.noreply.github.com>
Date: Fri, 22 Oct 2021 18:49:16 +1100
Subject: [PATCH 0770/3088] security/openconnect: support different protocols
 (#2512)

---
 security/openconnect/Makefile                    |  3 +--
 security/openconnect/pkg-descr                   |  4 ++++
 .../OPNsense/Openconnect/forms/general.xml       |  6 ++++++
 .../app/models/OPNsense/Openconnect/General.xml  | 16 +++++++++++++++-
 .../OPNsense/Openconnect/openconnect.conf        |  3 +++
 5 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index 7dc3f6859b..c8efe45d2b 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.4.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.4.1
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index cba5a5c274..43b692d192 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -6,6 +6,10 @@ the Juniper SSL VPN which is now known as Pulse Connect Secure.
 Plugin Changelog
 ================
 
+1.4.1
+
+* Allow selection of different protocols
+
 1.4.0
 
 * Add "pin-sha256" certificate hash
diff --git a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
index 8ce430a187..847b4f3dab 100644
--- a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
@@ -47,4 +47,10 @@
         <type>dropdown</type>
         <help>Select the client certificate to use.</help>
     </field>
+    <field>
+        <id>general.protocol</id>
+        <label>Protocl</label>
+        <type>dropdown</type>
+        <help>Select the protocol to use.</help>
+    </field>
 </form>
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index 73924acf6f..8c09e9d66c 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/openconnect/general</mount>
     <description>Openconnect configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -47,5 +47,19 @@
             <Type>cert</Type>
             <Required>N</Required>
         </clientcertificate>
+        <protocol type="OptionField">
+            <default>anyconnect</default>
+            <multiple>N</multiple>
+            <Required>Y</Required>
+                <OptionValues>
+                    <anyconnect>Cisco AnyConnect</anyconnect>
+                    <nc>Juniper</nc>
+                    <pulse>Pulse Connect Secure</pulse>
+                    <gp>Palo Alto Networks GlobalProtect</gp>
+                    <f5>F5 Big-IP</f5>
+                    <fortinet>Fortinet Fortigate</fortinet>
+                    <array>Array Networks AG</array>
+                </OptionValues>
+        </protocol>
     </items>
 </model>
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
index d7d888caa5..626091fadb 100644
--- a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
@@ -19,4 +19,7 @@ authgroup={{ OPNsense.openconnect.general.group }}
 certificate=/usr/local/etc/openconnect_cert.pem
 sslkey=/usr/local/etc/openconnect_key.pem
 {%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.protocol') and OPNsense.openconnect.general.protocol != '' %}
+protocol={{ OPNsense.openconnect.general.protocol }}
+{%   endif %}
 {% endif %}

From d8d28b9724aa67e0018b6dca8e06603a4d54a934 Mon Sep 17 00:00:00 2001
From: Steve Vigneau <c0nsumer@myopia.home.nuxx.net>
Date: Sun, 24 Oct 2021 22:07:54 -0400
Subject: [PATCH 0771/3088] Renamed "Linode Cloud API" to "Linode API (v4)" and
 "Linode API" to "Linode API (v3 / Deprecated)" to eliminate confusion when
 selecting API, as current Linode API is v4.

---
 security/acme-client/Makefile                               | 2 +-
 security/acme-client/pkg-descr                              | 6 ++++++
 .../OPNsense/AcmeClient/forms/dialogValidation.xml          | 4 ++--
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 4 ++--
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 59f807ac82..d3a8c100bc 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.3
+PLUGIN_VERSION=		3.4
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 304aa75090..e1dde9f17d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,12 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.4
+
+Fixed:
+* rename "Linode Cloud API" to "Linode API (v4)"
+* rename "Linode API" to "Linode API (v3 / Deprecated)"
+
 3.3
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 2f8e45bd45..36a2853568 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -664,7 +664,7 @@
         <type>text</type>
     </field>
     <field>
-        <label>Linode</label>
+        <label>Linode API (v3 / Deprecated)</label>
         <type>header</type>
         <style>table_dns table_dns_linode</style>
     </field>
@@ -679,7 +679,7 @@
         <type>text</type>
     </field>
     <field>
-        <label>Linode Cloud API</label>
+        <label>Linode API (v4)</label>
         <type>header</type>
         <style>table_dns table_dns_linode_v4</style>
     </field>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 5bac98072a..9b3650d8de 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -437,8 +437,8 @@
                         <dns_knot>Knot (knsupdate) DNS API</dns_knot>
                         <dns_leaseweb>LeaseWeb API</dns_leaseweb>
                         <dns_lexicon>lexicon DNS API</dns_lexicon>
-                        <dns_linode>Linode API</dns_linode>
-                        <dns_linode_v4>Linode Cloud API</dns_linode_v4>
+                        <dns_linode>Linode API (v3 / Deprecated)</dns_linode>
+                        <dns_linode_v4>Linode API (v4)</dns_linode_v4>
                         <dns_loopia>Loopia API</dns_loopia>
                         <dns_lua>LuaDNS.com API</dns_lua>
                         <dns_miab>MailinaBox API</dns_miab>

From e169760799b9706d9e9d86077ea9218ee8a7b63f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 25 Oct 2021 22:06:28 +0200
Subject: [PATCH 0772/3088] security/openconnect: fix typo, refs #2512

---
 .../mvc/app/controllers/OPNsense/Openconnect/forms/general.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
index 847b4f3dab..2631072a6d 100644
--- a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
@@ -49,7 +49,7 @@
     </field>
     <field>
         <id>general.protocol</id>
-        <label>Protocl</label>
+        <label>Protocol</label>
         <type>dropdown</type>
         <help>Select the protocol to use.</help>
     </field>

From 87a0402c172e9380bc3210ecaa9439ee92884649 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 25 Oct 2021 22:09:29 +0200
Subject: [PATCH 0773/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index e1dde9f17d..c0fbc44972 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,9 +10,9 @@ Plugin Changelog
 
 3.4
 
-Fixed:
-* rename "Linode Cloud API" to "Linode API (v4)"
-* rename "Linode API" to "Linode API (v3 / Deprecated)"
+Changed:
+* rename "Linode Cloud API" to "Linode API (v4)" (#2609)
+* rename "Linode API" to "Linode API (v3 / Deprecated)" (#2609)
 
 3.3
 

From 5c73bd27509889d172aa70a1c50714dfd9b1e4f2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 27 Oct 2021 11:20:38 +0200
Subject: [PATCH 0774/3088] dns/dyndns: release notes for 1.25

---
 dns/dyndns/pkg-descr | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
index b2b56473ab..8c452c9fab 100644
--- a/dns/dyndns/pkg-descr
+++ b/dns/dyndns/pkg-descr
@@ -3,6 +3,13 @@ Support for numerous Dynamic DNS services (DynDNS et al)
 Plugin Changelog
 ================
 
+1.25
+
+* Make regfish DynDNS work for IPv4 and IPv6 (contributed by DeepCoreSystem)
+* Added STRATO IPv6 to DynDNS (contributed by Jan Wiesemann)
+* Added desec.io wildcard support (contributed by Luca Zeug)
+* Accept wildcard entry for Hetzner
+
 1.24
 
 * Fix FreeDNS update in DynDNS plugin (contributed by rmrfus)

From ff0e665a868a7ff7ec3ef5a516339b037b38b727 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 28 Oct 2021 12:12:06 +0200
Subject: [PATCH 0775/3088] net/wireguard: Make endpoint port optional (#2617)

---
 net/wireguard/Makefile                                        | 2 +-
 net/wireguard/pkg-descr                                       | 4 ++++
 .../templates/OPNsense/Wireguard/wireguard-server.conf        | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 097f67923a..5bb74f7d77 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.7
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index a7fc930799..753538d011 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.8
+
+* Empty port in Endpoint is allowed
+
 1.7
 
 * Make tunnel address (wg interface address) optional
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
index 5e03ddb005..e76aaf1fac 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
@@ -35,8 +35,9 @@ PublicKey = {{ peerlist2_data.pubkey }}
 PresharedKey = {{ peerlist2_data.psk }}
 {%               endif %}
 {%               if peerlist2_data.serveraddress|default('') != '' %}
-Endpoint = {{ peerlist2_data.serveraddress }}:{{ peerlist2_data.serverport }}
+Endpoint = {{ peerlist2_data.serveraddress }}{% if peerlist2_data.serverport|default('') != '' %}:{{ peerlist2_data.serverport }}{% else %}:51820{% endif %}
 {%               endif %}
+
 AllowedIPs = {{ peerlist2_data.tunneladdress }}
 {%               if peerlist2_data.keepalive|default('') != '' %}
 PersistentKeepalive = {{ peerlist2_data.keepalive }}

From eebe9b346ff9667b588e8aaaddfbfecfeb02a913 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 28 Oct 2021 12:24:09 +0200
Subject: [PATCH 0776/3088] net/frr: Add route-reflector-client to BGP neighbor
 config (#2618)

---
 net/frr/Makefile                                            | 3 +--
 net/frr/pkg-descr                                           | 4 ++++
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml         | 5 +++++
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 6 ++++++
 5 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 2b73a8a551..98b32bbefe 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.22
-PLUGIN_REVISION=    1
+PLUGIN_VERSION=		1.23
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 3fb961354a..829df3bb52 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.23
+
+* Add route-reflector-client to BGP neighbor config
+
 1.22
 
 * Add BFD support
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 649062d393..3ae8d68301 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -38,6 +38,11 @@
     <label>Multi-Hop</label>
     <type>checkbox</type>
   </field>
+  <field>
+    <id>neighbor.rrclient</id>
+    <label>Route Reflector Client</label>
+    <type>checkbox</type>
+  </field>
   <field>
     <id>neighbor.bfd</id>
     <label>BFD</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index b657eba87e..767e8d0081 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -74,6 +74,10 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </multihop>
+                        <rrclient type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </rrclient>
                         <bfd type="BooleanField">
                                 <default>0</default>
                                 <Required>N</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index c788574537..2505bb1134 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -67,6 +67,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}
   neighbor {{ neighbor.address }} next-hop-self
 {%         endif %}
+{%         if 'rrclient' in neighbor and neighbor.rrclient == '1' %}
+  neighbor {{ neighbor.address }} route-reflector-client
+{%         endif %}
 {%         if 'defaultoriginate' in neighbor and neighbor.defaultoriginate == '1' %}
   neighbor {{ neighbor.address }} default-originate
 {%         endif %}
@@ -134,6 +137,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}
   neighbor {{ neighbor.address }} next-hop-self
 {%         endif %}
+{%         if 'rrclient' in neighbor and neighbor.rrclient == '1' %}
+  neighbor {{ neighbor.address }} route-reflector-client
+{%         endif %}
 {%         if 'defaultoriginate' in neighbor and neighbor.defaultoriginate == '1' %}
   neighbor {{ neighbor.address }} default-originate
 {%         endif %}

From 5374a0d18535fc484a30683966fb37a1e3c300de Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 28 Oct 2021 14:09:04 +0200
Subject: [PATCH 0777/3088] ET Pro - telemetry: swich to new suricata 5
 endpoint

---
 security/etpro-telemetry/Makefile                   |  2 +-
 .../suricata/metadata/rules/et-telemetry.xml        | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 0c8026ba50..c40b30bac2 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		etpro-telemetry
-PLUGIN_VERSION=		1.5
+PLUGIN_VERSION=		1.6
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html
diff --git a/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml b/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
index d8357c5a93..d5e0324c25 100644
--- a/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
+++ b/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
@@ -1,13 +1,13 @@
 <?xml version="1.0"?>
 <ruleset documentation_url="http://docs.opnsense.org/">
-    <location url="https://opnsense.emergingthreats.net/api/v1/ruleset" prefix="ET telemetry"/>
+    <location url="https://opnsense.emergingthreats.net/api/v1/ruleset/engine/suricata/5" prefix="ET telemetry"/>
     <headers>
        <Authorization>Bearer %%et_telemetry.token%%</Authorization>
     </headers>
     <version url="https://opnsense.emergingthreats.net/api/v1/ruleset/version"/>
     <files>
         <file url="inline::rules/telemetry_sids.txt" required="true">telemetry_sids.txt</file>
-        <file url="https://opnsense.emergingthreats.net/api/v1/ruleset/version" required="true">telemetry_version.json</file>
+        <file url="https://opnsense-staging.emergingthreats.net/api/v1/ruleset/version" required="true">telemetry_version.json</file>
         <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">botcc.portgrouped.rules</file>
         <file description="botcc" url="inline::rules/botcc.rules">botcc.rules</file>
         <file description="ciarmy" url="inline::rules/ciarmy.rules">ciarmy.rules</file>
@@ -15,25 +15,31 @@
         <file description="drop" url="inline::rules/drop.rules">drop.rules</file>
         <file description="dshield" url="inline::rules/dshield.rules">dshield.rules</file>
         <file description="emerging-activex" url="inline::rules/emerging-activex.rules">emerging-activex.rules</file>
+        <file description="emerging-adware_pup" url="inline::rules/emerging-adware_pup.rules">emerging-adware_pup.rules</file>
         <file description="emerging-attack_response" url="inline::rules/emerging-attack_response.rules">emerging-attack_response.rules</file>
         <file description="emerging-chat" url="inline::rules/emerging-chat.rules">emerging-chat.rules</file>
+        <file description="emerging-coinminer" url="inline::rules/emerging-coinminer.rules">emerging-coinminer.rules</file>
         <file description="emerging-current_events" url="inline::rules/emerging-current_events.rules">emerging-current_events.rules</file>
         <file description="emerging-deleted" url="inline::rules/emerging-deleted.rules">emerging-deleted.rules</file>
         <file description="emerging-dns" url="inline::rules/emerging-dns.rules">emerging-dns.rules</file>
         <file description="emerging-dos" url="inline::rules/emerging-dos.rules">emerging-dos.rules</file>
         <file description="emerging-exploit" url="inline::rules/emerging-exploit.rules">emerging-exploit.rules</file>
+        <file description="emerging-exploit_kit" url="inline::rules/emerging-exploit_kit.rules">emerging-exploit_kit.rules</file>
         <file description="emerging-ftp" url="inline::rules/emerging-ftp.rules">emerging-ftp.rules</file>
         <file description="emerging-games" url="inline::rules/emerging-games.rules">emerging-games.rules</file>
+        <file description="emerging-hunting" url="inline::rules/emerging-hunting.rules">emerging-hunting.rules</file>
         <file description="emerging-icmp" url="inline::rules/emerging-icmp.rules">emerging-icmp.rules</file>
         <file description="emerging-icmp_info" url="inline::rules/emerging-icmp_info.rules">emerging-icmp_info.rules</file>
         <file description="emerging-imap" url="inline::rules/emerging-imap.rules">emerging-imap.rules</file>
         <file description="emerging-inappropriate" url="inline::rules/emerging-inappropriate.rules">emerging-inappropriate.rules</file>
         <file description="emerging-info" url="inline::rules/emerging-info.rules">emerging-info.rules</file>
+        <file description="emerging-ja3" url="inline::rules/emerging-ja3.rules">emerging-ja3.rules</file>
         <file description="emerging-malware" url="inline::rules/emerging-malware.rules">emerging-malware.rules</file>
         <file description="emerging-misc" url="inline::rules/emerging-misc.rules">emerging-misc.rules</file>
         <file description="emerging-mobile_malware" url="inline::rules/emerging-mobile_malware.rules">emerging-mobile_malware.rules</file>
         <file description="emerging-netbios" url="inline::rules/emerging-netbios.rules">emerging-netbios.rules</file>
         <file description="emerging-p2p" url="inline::rules/emerging-p2p.rules">emerging-p2p.rules</file>
+        <file description="emerging-phishing" url="inline::rules/emerging-phishing.rules">emerging-phishing.rules</file>
         <file description="emerging-policy" url="inline::rules/emerging-policy.rules">emerging-policy.rules</file>
         <file description="emerging-pop3" url="inline::rules/emerging-pop3.rules">emerging-pop3.rules</file>
         <file description="emerging-rpc" url="inline::rules/emerging-rpc.rules">emerging-rpc.rules</file>
@@ -45,7 +51,6 @@
         <file description="emerging-sql" url="inline::rules/emerging-sql.rules">emerging-sql.rules</file>
         <file description="emerging-telnet" url="inline::rules/emerging-telnet.rules">emerging-telnet.rules</file>
         <file description="emerging-tftp" url="inline::rules/emerging-tftp.rules">emerging-tftp.rules</file>
-        <file description="emerging-trojan" url="inline::rules/emerging-trojan.rules">emerging-trojan.rules</file>
         <file description="emerging-user_agents" url="inline::rules/emerging-user_agents.rules">emerging-user_agents.rules</file>
         <file description="emerging-voip" url="inline::rules/emerging-voip.rules">emerging-voip.rules</file>
         <file description="emerging-web_client" url="inline::rules/emerging-web_client.rules">emerging-web_client.rules</file>
@@ -53,6 +58,8 @@
         <file description="emerging-web_specific_apps" url="inline::rules/emerging-web_specific_apps.rules">emerging-web_specific_apps.rules</file>
         <file description="emerging-worm" url="inline::rules/emerging-worm.rules">emerging-worm.rules</file>
         <file description="tor" url="inline::rules/tor.rules">tor.rules</file>
+        <!-- archived sets -->
+        <file description="emerging-trojan" url="inline::rules/emerging-trojan.rules" deprecated="true">emerging-trojan.rules</file>
     </files>
     <properties>
         <property name="et_telemetry.token" default=""/>

From 31b82cdd2e43724c3e1873821e961469b99433db Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu, 28 Oct 2021 20:32:48 +0300
Subject: [PATCH 0778/3088] typo

---
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 7d11f3df99..d6e0624ef3 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -131,7 +131,7 @@
 {%                 if acl_data.caseSensitive|default('0') == '0' %}
 {%                   do acl_options.append('-i') %}
 {%                 endif %}
-{%                 do acl_options.append('acl_data.hdr_sub) %}
+{%                 do acl_options.append(acl_data.hdr_sub) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters

From 18cd9f647799b061371e9c0eabbeefd5da12c78b Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu, 28 Oct 2021 20:34:26 +0300
Subject: [PATCH 0779/3088] indentfirst->first

https://jinja.palletsprojects.com/en/3.0.x/templates/#jinja-filters.indent
---
 .../opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
index fd766e0025..2f7d7a4eec 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
@@ -53,7 +53,7 @@ frontends:
       {{ cert_refid }}:
         path: {{ cert_template % cert_refid }}
         default: {{ "True" if frontend.ssl_default_certificate == cert_refid else "False" }}
-{{      getCert(cert_refid) | indent( width=8, indentfirst=True) -}}
+{{      getCert(cert_refid) | indent( width=8, first=True) -}}
 {%    endfor %}
 {%  endfor %}
 {% else %}

From 844292e0f84f64e4b0406a86153c2cc4f5187924 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Oct 2021 07:52:13 +0200
Subject: [PATCH 0780/3088] net/radsecproxy: kill removed declarations

---
 .../src/etc/inc/plugins.inc.d/radsecproxy.inc | 45 ++++++++++---------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
index 840749a926..a614e0bffc 100644
--- a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
+++ b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
@@ -1,26 +1,29 @@
 <?php
 
 /*
-    Copyright (C) 2020 Tobias Boehnert
-    All rights reserved.
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2020 Tobias Boehnert
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 function radsecproxy_enabled()
 {
@@ -37,9 +40,7 @@ function radsecproxy_syslog()
     // $syslogconf = array();
 
     // $syslogconf['radsecproxy'] = array(
-    //     'local' => '/var/log/radsecproxy.log',
     //     'facility' => array('radsecproxy'),
-    //     'remote' => 'relayd',
     // );
 
     // return $syslogconf;

From 122c90e3244e67033cfa515e333536a3e313c0c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Oct 2021 08:01:53 +0200
Subject: [PATCH 0781/3088] plugins: remove obsolete 'remote' keyword

---
 net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc |  1 -
 net/relayd/src/etc/inc/plugins.inc.d/relayd.inc   |  6 ++++--
 security/tinc/src/etc/inc/plugins.inc.d/tinc.inc  | 10 +++++-----
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc b/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
index cfeabbc4d2..790965b800 100644
--- a/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
+++ b/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
@@ -39,7 +39,6 @@ function haproxy_syslog()
     $syslogconf['haproxy'] = array(
         'local' => '/var/haproxy/var/run/log',
         'facility' => array('haproxy'),
-        'remote' => 'relayd',
     );
 
     return $syslogconf;
diff --git a/net/relayd/src/etc/inc/plugins.inc.d/relayd.inc b/net/relayd/src/etc/inc/plugins.inc.d/relayd.inc
index 08b2e98b4a..1acfd4f3f7 100644
--- a/net/relayd/src/etc/inc/plugins.inc.d/relayd.inc
+++ b/net/relayd/src/etc/inc/plugins.inc.d/relayd.inc
@@ -83,9 +83,11 @@ function relayd_xmlrpc_sync()
 
 function relayd_syslog()
 {
-    $logfacilities = array();
+    $logfacilities = [];
 
-    $logfacilities['relayd'] = array('facility' => array('relayd'), 'remote' => 'relayd');
+    $logfacilities['relayd'] = [
+        'facility' => ['relayd']
+    ];
 
     return $logfacilities;
 }
diff --git a/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc b/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
index 8d714a4a38..e732ece416 100644
--- a/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
+++ b/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
@@ -41,12 +41,12 @@ function tinc_enabled()
 
 function tinc_syslog()
 {
-    $logfacilities = array();
+    $logfacilities = [];
+
+    $logfacilities['tinc'] = [
+        'facility' => ['tincd'],
+    ];
 
-    $logfacilities['tinc'] = array(
-        'facility' => array('tincd'),
-        'remote' => 'vpn',
-    );
     $mdl = new \OPNsense\Tinc\Tinc();
 
     foreach ($mdl->networks->network->iterateItems() as $network) {

From 1b7802f362842c9792d144db55b1ab0ce6eb7e56 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Oct 2021 08:07:17 +0200
Subject: [PATCH 0782/3088] net/haproxy: bump revision after fixes

---
 net/haproxy/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 96f7ef0820..5bbe663779 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		3.6
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy22
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 719b4b00be0a7135c5978bd666ffe5b0fd5cd505 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 31 Oct 2021 23:27:11 +0100
Subject: [PATCH 0783/3088] net/haproxy: improve handling of Lua scripts, fixes
 #2265

---
 net/haproxy/pkg-descr                         | 11 +++++
 .../OPNsense/HAProxy/forms/dialogLua.xml      | 12 +++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 14 +++++-
 .../OPNsense/HAProxy/Migrations/M3_3_0.php    | 45 +++++++++++++++++++
 .../OPNsense/HAProxy/exportLuaScripts.php     | 19 +++++---
 .../templates/OPNsense/HAProxy/haproxy.conf   | 13 ++++--
 6 files changed, 103 insertions(+), 11 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_3_0.php

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 5cba9c35d3..ed04439847 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,17 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.7
+
+Added:
+* add options "preload" and "filename scheme" to Lua scripts (#2265)
+
+Fixed:
+* unable to use the "require" function in Lua scripts (#2265)
+
+Changed:
+* set "lua-prepend-path" so that Lua scripts can be found (#2265)
+
 3.6
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogLua.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogLua.xml
index 72a791e424..23ef5b0307 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogLua.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogLua.xml
@@ -17,6 +17,18 @@
         <type>text</type>
         <help>Description for this Lua script.</help>
     </field>
+    <field>
+        <id>lua.preload</id>
+        <label>Preload on startup</label>
+        <type>checkbox</type>
+        <help>Whether HAProxy should load and execute this Lua script on startup. This is the default behaviour. However, if this Lua script is included by other Lua scripts using the "require" function, then preloading should be disabled to avoid HAProxy errors.</help>
+    </field>
+    <field>
+        <id>lua.filename_scheme</id>
+        <label>Filename Scheme</label>
+        <type>dropdown</type>
+        <help><![CDATA[Specify the filename scheme for this Lua script. Usually using the ID is sufficient and the most fail-safe apparoach. However, when using Lua's "require" function this apparoach will not work and it becomes necessary to use the specified name as filename. In this case all non-alphanumeric characters are removed from the filename. Note that this may cause issues when creating multiple Lua scripts with the same name.]]></help>
+    </field>
     <field>
         <id>lua.content</id>
         <label>Content</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 7eaa7c3dda..89cfe9e0f9 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.2.0</version>
+    <version>3.3.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -2364,6 +2364,18 @@
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
+                <preload type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </preload>
+                <filename_scheme type="OptionField">
+                    <Required>Y</Required>
+                    <default>id</default>
+                    <OptionValues>
+                        <id>Use a random ID for the filename [default]</id>
+                        <name>Use the specified name as filename</name>
+                    </OptionValues>
+                </filename_scheme>
                 <content type="TextField">
                     <Required>Y</Required>
                 </content>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_3_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_3_0.php
new file mode 100644
index 0000000000..5714a405bc
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_3_0.php
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M3_3_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Lua scripts have a 'filename_scheme' and 'preload' field now
+        foreach ($model->getNodeByReference('luas.lua')->iterateItems() as $lua) {
+            $lua->filename_scheme = 'id';
+            $lua->preload = '1';
+        }
+    }
+}
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
index d0da858af4..82243d95f7 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2016 Frank Wall
+ * Copyright (C) 2016-2021 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * All rights reserved.
  *
@@ -46,12 +46,17 @@
         }
         $lua_name = (string)$lua->name;
         $lua_id = (string)$lua->id;
-        if ($lua_id != "") {
-            $lua_content = htmlspecialchars_decode(str_replace("\r", "", (string)$lua->content));
-            $lua_filename = $export_path . $lua_id . ".lua";
-            file_put_contents($lua_filename, $lua_content);
-            chmod($lua_filename, 0600);
-            echo "lua script exported to " . $lua_filename . "\n";
+        $lua_filename_scheme = (string)$lua->filename_scheme;
+        if ($lua_filename_scheme != '' and $lua_filename_scheme === 'name') {
+          $_name_alnum = preg_replace("/[^A-Za-z0-9]/", '', $lua_name);
+          $lua_filename = $export_path . $_name_alnum . '.lua';
+        } else {
+          $lua_filename = $export_path . $lua_id . '.lua';
         }
+        $lua_content = htmlspecialchars_decode(str_replace("\r", "", (string)$lua->content));
+        file_put_contents($lua_filename, $lua_content);
+        chmod($lua_filename, 0600);
+        chown($lua_filename, 'www');
+        echo "lua script exported to " . $lua_filename . "\n";
     }
 }
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index d6e0624ef3..44f3e25dd1 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -995,12 +995,19 @@ global
 {% do logging.append(OPNsense.HAProxy.general.logging.facility) %}
 {% do logging.append(OPNsense.HAProxy.general.logging.level) if OPNsense.HAProxy.general.logging.level|default("") != "" %}
     log {{logging|join(' ')}}
+{# # lua scripts #}
+    lua-prepend-path /tmp/haproxy/lua/?.lua
 {% if helpers.exists('OPNsense.HAProxy.luas.lua') %}
-    # lua scripts
 {%   for lua in helpers.toList('OPNsense.HAProxy.luas.lua') %}
-{%     if lua.enabled == '1' %}
+{%     if lua.enabled == '1' and lua.preload|default('') == '1' %}
+{#       # select the filename scheme for lua scripts #}
+{%       if lua.filename_scheme|default('id') == 'name' %}
+{%         set lua_filename = lua.name | regex_replace ("[^A-Za-z0-9]","") %}
+{%       else %}
+{%         set lua_filename = lua.id %}
+{%       endif %}
     # lua script: {{lua.name}}
-    lua-load /tmp/haproxy/lua/{{lua.id}}.lua
+    lua-load /tmp/haproxy/lua/{{lua_filename}}.lua
 {%     endif %}
 {%   endfor %}
 {% endif %}

From 8be174d6684fe2754f81cb34d676f89f4ef12099 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 31 Oct 2021 23:41:06 +0100
Subject: [PATCH 0784/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 5bbe663779..36875ce938 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.6
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		3.7
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy22
 PLUGIN_MAINTAINER=	opnsense@moov.de

From e65a152efb86de7839be44ca72d1367e8ee4457a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 31 Oct 2021 23:48:49 +0100
Subject: [PATCH 0785/3088] net/haproxy: align global options for improved
 readability

---
 .../service/templates/OPNsense/HAProxy/haproxy.conf         | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 44f3e25dd1..4ce226be3b 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -994,9 +994,9 @@ global
 {% do logging.append('len ' ~ OPNsense.HAProxy.general.logging.length) if OPNsense.HAProxy.general.logging.length|default("") != "" %}
 {% do logging.append(OPNsense.HAProxy.general.logging.facility) %}
 {% do logging.append(OPNsense.HAProxy.general.logging.level) if OPNsense.HAProxy.general.logging.level|default("") != "" %}
-    log {{logging|join(' ')}}
+    log                         {{logging|join(' ')}}
 {# # lua scripts #}
-    lua-prepend-path /tmp/haproxy/lua/?.lua
+    lua-prepend-path            /tmp/haproxy/lua/?.lua
 {% if helpers.exists('OPNsense.HAProxy.luas.lua') %}
 {%   for lua in helpers.toList('OPNsense.HAProxy.luas.lua') %}
 {%     if lua.enabled == '1' and lua.preload|default('') == '1' %}
@@ -1007,7 +1007,7 @@ global
 {%         set lua_filename = lua.id %}
 {%       endif %}
     # lua script: {{lua.name}}
-    lua-load /tmp/haproxy/lua/{{lua_filename}}.lua
+    lua-load                    /tmp/haproxy/lua/{{lua_filename}}.lua
 {%     endif %}
 {%   endfor %}
 {% endif %}

From 1418230564ed2d80003466bf8239122f7930a856 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Mon, 1 Nov 2021 23:18:46 +0300
Subject: [PATCH 0786/3088] net/haproxy: add syslog-ng socket (#2620)

* add syslog-ng socket
---
 net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc               | 1 -
 .../src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS    | 1 +
 .../opnsense/service/templates/OPNsense/HAProxy/log_socket.conf | 2 ++
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/log_socket.conf

diff --git a/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc b/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
index 790965b800..f0a402deec 100644
--- a/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
+++ b/net/haproxy/src/etc/inc/plugins.inc.d/haproxy.inc
@@ -37,7 +37,6 @@ function haproxy_syslog()
     $syslogconf = array();
 
     $syslogconf['haproxy'] = array(
-        'local' => '/var/haproxy/var/run/log',
         'facility' => array('haproxy'),
     );
 
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
index b42f343eb9..44ff260d2f 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS
@@ -1,3 +1,4 @@
 haproxy.conf:/usr/local/etc/haproxy.conf.staging
 rc.conf.d:/etc/rc.conf.d/haproxy
 sslCerts.yaml:/usr/local/etc/haproxy/sslCerts.yaml
+log_socket.conf:/usr/local/opnsense/service/templates/OPNsense/Syslog/sources/haproxy.conf
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/log_socket.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/log_socket.conf
new file mode 100644
index 0000000000..6bc3ba80bb
--- /dev/null
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/log_socket.conf
@@ -0,0 +1,2 @@
+
+    unix-dgram("/var/haproxy/var/run/log" dir_perm(0755) flags(syslog-protocol));

From 50815c9c509c3d0c71feaf9f007818c29477cfbc Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 1 Nov 2021 21:21:40 +0100
Subject: [PATCH 0787/3088] net/haproxy: update changelog for #2620

---
 net/haproxy/pkg-descr | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index ed04439847..b611a0698b 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -10,9 +10,11 @@ Plugin Changelog
 
 Added:
 * add options "preload" and "filename scheme" to Lua scripts (#2265)
+* add syslog-ng socket for logging (#2620)
 
 Fixed:
 * unable to use the "require" function in Lua scripts (#2265)
+* request logging not working (#2587)
 
 Changed:
 * set "lua-prepend-path" so that Lua scripts can be found (#2265)

From a387c1ff86f48a081f8cda2367787c0c2ddecf85 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 1 Nov 2021 23:44:45 +0100
Subject: [PATCH 0788/3088] net/haproxy: show hints after every config change,
 refs #2590

---
 net/haproxy/pkg-descr                         |   2 +
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 162 +++++-------------
 2 files changed, 49 insertions(+), 115 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index b611a0698b..1b3e21cd3c 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 Added:
 * add options "preload" and "filename scheme" to Lua scripts (#2265)
 * add syslog-ng socket for logging (#2620)
+* show hint to apply changes after every config change (#2590)
 
 Fixed:
 * unable to use the "require" function in Lua scripts (#2265)
@@ -18,6 +19,7 @@ Fixed:
 
 Changed:
 * set "lua-prepend-path" so that Lua scripts can be found (#2265)
+* show "apply" and "test syntax" buttons on introduction pages
 
 3.6
 
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 51f40d96a3..07a4ffe548 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -300,7 +300,6 @@ POSSIBILITY OF SUCH DAMAGE.
             $("#healthcheck\\.type").change(function(){
                 var service_id = 'table_' + $(this).val();
                 $(".type_table").hide();
-                // $(".table_"+$(this).val()).show();
                 $("."+service_id).show();
             });
             $("#healthcheck\\.type").change();
@@ -517,15 +516,35 @@ POSSIBILITY OF SUCH DAMAGE.
                                 });
                             });
                         }
-                    //});
                     });
 
                 });
             });
         });
 
+        // show hint after every config change
+        function add_apply_reminder() {
+            hint_msg = "{{ lang._('After changing settings, please remember to apply them with the button below') }}"
+            $('[id*="haproxyChangeMessage"]').each(function(){
+                $(this).append(hint_msg);
+            });
+
+        };
+        add_apply_reminder();
+
+        // show or hide the correct buttons depending on which tab is shown
+        // NOTE: This does not work on already shown tabs, so this event must
+        // fire first.
+        $('.nav-tabs a').on('show.bs.tab', function (e) {
+            if (/^\#general/.test(e.target.hash)) {
+              $("#haproxyCommonButtons").hide();
+            } else {
+              $("#haproxyCommonButtons").show();
+            }
+        });
+
         // update history on tab state and implement navigation
-        if(window.location.hash != "") {
+        if (window.location.hash != "") {
             $('a[href="' + window.location.hash + '"]').click()
         }
         $('.nav-tabs a').on('shown.bs.tab', function (e) {
@@ -745,7 +764,7 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 
     <div id="frontends" class="tab-pane fade">
-        <table id="grid-frontends" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogFrontend">
+        <table id="grid-frontends" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogFrontend" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -768,17 +787,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-frontends" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-frontends" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="backends" class="tab-pane fade">
-        <table id="grid-backends" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogBackend">
+        <table id="grid-backends" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogBackend" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -801,17 +813,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-backends" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-backends" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="servers" class="tab-pane fade">
-        <table id="grid-servers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogServer">
+        <table id="grid-servers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogServer" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -837,17 +842,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-servers" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-servers" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="healthchecks" class="tab-pane fade">
-        <table id="grid-healthchecks" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogHealthcheck">
+        <table id="grid-healthchecks" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogHealthcheck" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="healthcheckid" data-type="number"  data-visible="false">{{ lang._('Health Monitor ID') }}</th>
@@ -869,17 +867,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-healthchecks" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-healthchecks" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="actions" class="tab-pane fade">
-        <table id="grid-actions" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAction">
+        <table id="grid-actions" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAction" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="actionid" data-type="number"  data-visible="false">{{ lang._('Rule ID') }}</th>
@@ -901,17 +892,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-actions" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-actions" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="acls" class="tab-pane fade">
-        <table id="grid-acls" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAcl">
+        <table id="grid-acls" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAcl" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="aclid" data-type="number"  data-visible="false">{{ lang._('Condition ID') }}</th>
@@ -933,17 +917,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-acls" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-acls" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="users" class="tab-pane fade">
-        <table id="grid-users" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogUser">
+        <table id="grid-users" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogUser" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -966,17 +943,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-users" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-users" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="groups" class="tab-pane fade">
-        <table id="grid-groups" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogGroup">
+        <table id="grid-groups" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogGroup" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -999,17 +969,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-groups" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-groups" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="luas" class="tab-pane fade">
-        <table id="grid-luas" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogLua">
+        <table id="grid-luas" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogLua" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -1032,17 +995,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-luas" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-luas" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="errorfiles" class="tab-pane fade">
-        <table id="grid-errorfiles" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogErrorfile">
+        <table id="grid-errorfiles" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogErrorfile" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="errorfileid" data-type="number"  data-visible="false">{{ lang._('Error Message ID') }}</th>
@@ -1064,17 +1020,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-errorfiles" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-errorfiles" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="mapfiles" class="tab-pane fade">
-        <table id="grid-mapfiles" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogMapfile">
+        <table id="grid-mapfiles" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogMapfile" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="mapfileid" data-type="number"  data-visible="false">{{ lang._('Map File ID') }}</th>
@@ -1096,17 +1045,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-mapfiles" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-mapfiles" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="cpus" class="tab-pane fade">
-        <table id="grid-cpus" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogCpu">
+        <table id="grid-cpus" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogCpu" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="cpuid" data-type="number"  data-visible="false">{{ lang._('CPU Rule ID') }}</th>
@@ -1131,17 +1073,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-cpus" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-cpus" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="resolvers" class="tab-pane fade">
-        <table id="grid-resolvers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogResolver">
+        <table id="grid-resolvers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogResolver" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="resolverid" data-type="number"  data-visible="false">{{ lang._('Resolver ID') }}</th>
@@ -1164,17 +1099,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-resolvers" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-resolvers" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <div id="mailers" class="tab-pane fade">
-        <table id="grid-mailers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogMailer">
+        <table id="grid-mailers" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogMailer" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
                 <th data-column-id="mailerid" data-type="number"  data-visible="false">{{ lang._('Mailer ID') }}</th>
@@ -1198,13 +1126,6 @@ POSSIBILITY OF SUCH DAMAGE.
             </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="reconfigureAct-mailers" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
-            <button class="btn btn-primary" id="configtestAct-mailers" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
-            <br/>
-            <br/>
-        </div>
     </div>
 
     <!-- subtabs for general "Settings" tab below -->
@@ -1284,6 +1205,17 @@ POSSIBILITY OF SUCH DAMAGE.
             </div>
         </div>
     </div>
+
+    <!-- buttons for all grid pages -->
+    <div class="col-md-12" id="haproxyCommonButtons" style="display: none">
+        <div id="haproxyChangeMessage" class="alert alert-info" style="display: none" role="alert">
+        </div>
+        <hr/>
+        <button class="btn btn-primary" id="reconfigureAct-common" type="button"><b>{{ lang._('Apply') }}</b><i id="reconfigureAct_progress" class=""></i></button>
+        <button class="btn btn-primary" id="configtestAct-common" type="button"><b>{{ lang._('Test syntax') }}</b><i id="configtestAct_progress" class=""></i></button>
+        <br/><br/>
+    </div>
+
 </div>
 
 {# include dialogs #}

From 440e76aa8fd397cd7b1c1fae76cf19654c9f273b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 2 Nov 2021 00:49:56 +0100
Subject: [PATCH 0789/3088] net/haproxy: show warning for pending configuration
 changes, closes #2590

---
 net/haproxy/pkg-descr                         |  1 +
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 31 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 1b3e21cd3c..6ba357c233 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -12,6 +12,7 @@ Added:
 * add options "preload" and "filename scheme" to Lua scripts (#2265)
 * add syslog-ng socket for logging (#2620)
 * show hint to apply changes after every config change (#2590)
+* show warning for pending configuration changes (#2590)
 
 Fixed:
 * unable to use the "require" function in Lua scripts (#2265)
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 07a4ffe548..6aaf9cef27 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -356,6 +356,11 @@ POSSIBILITY OF SUCH DAMAGE.
                                 message: data['status'],
                                 draggable: true
                             });
+                        } else {
+                            // reload page to hide pending changes reminder
+                            setTimeout(function () {
+                                window.location.reload(true)
+                            }, 300);
                         }
                         // when done, disable progress animation
                         $('[id*="reconfigureAct_progress"]').each(function(){
@@ -509,6 +514,11 @@ POSSIBILITY OF SUCH DAMAGE.
                                         message: data['status'],
                                         draggable: true
                                     });
+                                } else {
+                                    // reload page to hide pending changes reminder
+                                    setTimeout(function () {
+                                        window.location.reload(true)
+                                    }, 300);
                                 }
                                 // when done, disable progress animation
                                 $('[id*="saveAndReconfigureAct_progress"]').each(function(){
@@ -522,9 +532,25 @@ POSSIBILITY OF SUCH DAMAGE.
             });
         });
 
+        /***********************************************************************
+         * UI tricks
+         **********************************************************************/
+
+        // show reminder when config has pending changes
+        function pending_changes_reminder() {
+            ajaxCall(url="/api/haproxy/export/diff/", sendData={}, callback=function(data,status) {
+                if (data['response'] && data['response'].trim()) {
+                    $("#haproxyPendingReminder").show();
+                } else {
+                    $("#haproxyPendingReminder").hide();
+                }
+            });
+        }
+        pending_changes_reminder();
+
         // show hint after every config change
         function add_apply_reminder() {
-            hint_msg = "{{ lang._('After changing settings, please remember to apply them with the button below') }}"
+            hint_msg = "{{ lang._('After changing settings, please remember to test and apply them with the buttons below.') }}"
             $('[id*="haproxyChangeMessage"]').each(function(){
                 $(this).append(hint_msg);
             });
@@ -1208,6 +1234,9 @@ POSSIBILITY OF SUCH DAMAGE.
 
     <!-- buttons for all grid pages -->
     <div class="col-md-12" id="haproxyCommonButtons" style="display: none">
+        <div id="haproxyPendingReminder" class="alert alert-warning" style="display: none" role="alert">
+            {{ lang._("There are pending configuration changes that must be applied in order for them to take effect. To review them visit the %sConfig Diff%s page.") | format('<a href="/ui/haproxy/export#diff" class="alert-link" target="_blank">', '</a>') }}
+        </div>
         <div id="haproxyChangeMessage" class="alert alert-info" style="display: none" role="alert">
         </div>
         <hr/>

From 8ebdbb91571649a29fb3da08105b64269c2cc33f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 3 Nov 2021 10:28:56 +0100
Subject: [PATCH 0790/3088] net/haproxy: adjust help text on maintenance page

---
 .../opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index ae75d8a20f..50eb005110 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -548,7 +548,7 @@ POSSIBILITY OF SUCH DAMAGE.
             </tfoot>
         </table>
         <div class="col-md-12">
-          <p>{{ lang._("%sChoose a command to change a server's state in runtime:%s") | format('<b>', '</b>') }}</p>
+          <p>{{ lang._("%sThe following commands are available to change a server's state in runtime:%s") | format('<b>', '</b>') }}</p>
           <ul>
             <li><span class="fa fa-check"></span> {{ lang._('%sSet state to ready:%s This puts the server in normal mode.') | format('<b>', '</b>') }}</li>
             <li><span class="fa fa-sort-amount-desc"></span> {{ lang._('%sSet state to drain:%s This removes the server from load balancing. Health checks will continue to run and it still accepts new persistent connections.') | format('<b>', '</b>') }}</li>

From c02db89234e1b35ef40b0605bc00ba11e9109721 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 3 Nov 2021 10:48:20 +0100
Subject: [PATCH 0791/3088] net/haproxy: standardize both configtest buttons

---
 .../mvc/app/views/OPNsense/HAProxy/index.volt        | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 6aaf9cef27..b2d7f27ce3 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -431,18 +431,26 @@ POSSIBILITY OF SUCH DAMAGE.
                         if (data['result'].indexOf('ALERT') > -1) {
                             BootstrapDialog.show({
                                 type: BootstrapDialog.TYPE_DANGER,
-                                title: "{{ lang._('HAProxy config contains critical errors') }}",
+                                title: "{{ lang._('HAProxy configtest found critical errors') }}",
                                 message: data['result'],
                                 draggable: true
                             });
                         } else if (data['result'].indexOf('WARNING') > -1) {
                             BootstrapDialog.show({
                                 type: BootstrapDialog.TYPE_WARNING,
-                                title: "{{ lang._('HAProxy config contains minor errors') }}",
+                                title: "{{ lang._('HAProxy configtest found minor errors') }}",
                                 message: data['result'],
                                 draggable: true
                             });
+                        } else {
+                            BootstrapDialog.show({
+                                type: BootstrapDialog.TYPE_WARNING,
+                                title: "{{ lang._('HAProxy configtest result') }}",
+                                message: "{{ lang._('Your HAProxy config contains no errors.') }}",
+                                draggable: true
+                            });
                         }
+
                         // when done, disable progress animation
                         $('[id*="saveAndTestAct_progress"]').each(function(){
                             $(this).removeClass("fa fa-spinner fa-pulse");

From 7b9b478b4203791333fa2ec80b485b288bade0d0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 3 Nov 2021 10:49:48 +0100
Subject: [PATCH 0792/3088] net/haproxy: fix indentation

---
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 146 +++++++++---------
 1 file changed, 72 insertions(+), 74 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index b2d7f27ce3..ba0cf32f02 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -322,94 +322,92 @@ POSSIBILITY OF SUCH DAMAGE.
         // reconfigure haproxy to activate changes
         $('[id*="reconfigureAct"]').each(function(){
             $(this).click(function(){
-
-            // set progress animation
-            $('[id*="reconfigureAct_progress"]').each(function(){
-                $(this).addClass("fa fa-spinner fa-pulse");
-            });
-            // first run syntax check to catch critical errors
-            ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
-                // show warning in case of critical errors
-                if (data['result'].indexOf('ALERT') > -1) {
-                    BootstrapDialog.show({
-                        type: BootstrapDialog.TYPE_DANGER,
-                        title: "{{ lang._('HAProxy configtest found critical errors') }}",
-                        message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Run syntax check for further details or review the changes in the %sConfiguration Diff%s.')|format('<a href=\"/ui/haproxy/export#diff\">','</a>') }}",
-                        buttons: [{
-                            icon: 'fa fa-trash-o',
-                            label: '{{ lang._('Abort') }}',
-                            action: function(dlg){
-                                // when done, disable progress animation
-                                $('[id*="reconfigureAct_progress"]').each(function(){
-                                    $(this).removeClass("fa fa-spinner fa-pulse");
+                // set progress animation
+                $('[id*="reconfigureAct_progress"]').each(function(){
+                    $(this).addClass("fa fa-spinner fa-pulse");
+                });
+                // first run syntax check to catch critical errors
+                ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
+                    // show warning in case of critical errors
+                    if (data['result'].indexOf('ALERT') > -1) {
+                        BootstrapDialog.show({
+                            type: BootstrapDialog.TYPE_DANGER,
+                            title: "{{ lang._('HAProxy configtest found critical errors') }}",
+                            message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Run syntax check for further details or review the changes in the %sConfiguration Diff%s.')|format('<a href=\"/ui/haproxy/export#diff\">','</a>') }}",
+                            buttons: [{
+                                icon: 'fa fa-trash-o',
+                                label: '{{ lang._('Abort') }}',
+                                action: function(dlg){
+                                    // when done, disable progress animation
+                                    $('[id*="reconfigureAct_progress"]').each(function(){
+                                        $(this).removeClass("fa fa-spinner fa-pulse");
+                                    });
+                                    dlg.close();
+                                }
+                            }]
+                        });
+                    } else {
+                        ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
+                            if (status != "success" || data['status'] != 'ok') {
+                                BootstrapDialog.show({
+                                    type: BootstrapDialog.TYPE_WARNING,
+                                    title: "{{ lang._('Error reconfiguring HAProxy') }}",
+                                    message: data['status'],
+                                    draggable: true
                                 });
-                                dlg.close();
+                            } else {
+                                // reload page to hide pending changes reminder
+                                setTimeout(function () {
+                                    window.location.reload(true)
+                                }, 300);
                             }
-                        }]
-                    });
-                } else {
-                    ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
-                        if (status != "success" || data['status'] != 'ok') {
-                            BootstrapDialog.show({
-                                type: BootstrapDialog.TYPE_WARNING,
-                                title: "{{ lang._('Error reconfiguring HAProxy') }}",
-                                message: data['status'],
-                                draggable: true
+                            // when done, disable progress animation
+                            $('[id*="reconfigureAct_progress"]').each(function(){
+                                $(this).removeClass("fa fa-spinner fa-pulse");
                             });
-                        } else {
-                            // reload page to hide pending changes reminder
-                            setTimeout(function () {
-                                window.location.reload(true)
-                            }, 300);
-                        }
-                        // when done, disable progress animation
-                        $('[id*="reconfigureAct_progress"]').each(function(){
-                            $(this).removeClass("fa fa-spinner fa-pulse");
                         });
-                    });
-                }
-            });
+                    }
+                });
             });
         });
 
         // test configuration file
         $('[id*="configtestAct"]').each(function(){
             $(this).click(function(){
-
-            // set progress animation
-            $('[id*="configtestAct_progress"]').each(function(){
-                $(this).addClass("fa fa-spinner fa-pulse");
-            });
-
-            ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
-                // when done, disable progress animation
+                // set progress animation
                 $('[id*="configtestAct_progress"]').each(function(){
-                    $(this).removeClass("fa fa-spinner fa-pulse");
+                    $(this).addClass("fa fa-spinner fa-pulse");
                 });
 
-                if (data['result'].indexOf('ALERT') > -1) {
-                    BootstrapDialog.show({
-                        type: BootstrapDialog.TYPE_DANGER,
-                        title: "{{ lang._('HAProxy configtest found critical errors') }}",
-                        message: data['result'],
-                        draggable: true
+                ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
+                    // when done, disable progress animation
+                    $('[id*="configtestAct_progress"]').each(function(){
+                        $(this).removeClass("fa fa-spinner fa-pulse");
                     });
-                } else if (data['result'].indexOf('WARNING') > -1) {
-                    BootstrapDialog.show({
-                        type: BootstrapDialog.TYPE_WARNING,
-                        title: "{{ lang._('HAProxy configtest found minor errors') }}",
-                        message: data['result'],
-                        draggable: true
-                    });
-                } else {
-                    BootstrapDialog.show({
-                        type: BootstrapDialog.TYPE_WARNING,
-                        title: "{{ lang._('HAProxy configtest result') }}",
-                        message: "{{ lang._('Your HAProxy config contains no errors.') }}",
-                        draggable: true
-                    });
-                }
-            });
+
+                    if (data['result'].indexOf('ALERT') > -1) {
+                        BootstrapDialog.show({
+                            type: BootstrapDialog.TYPE_DANGER,
+                            title: "{{ lang._('HAProxy configtest found critical errors') }}",
+                            message: data['result'],
+                            draggable: true
+                        });
+                    } else if (data['result'].indexOf('WARNING') > -1) {
+                        BootstrapDialog.show({
+                            type: BootstrapDialog.TYPE_WARNING,
+                            title: "{{ lang._('HAProxy configtest found minor errors') }}",
+                            message: data['result'],
+                            draggable: true
+                        });
+                    } else {
+                        BootstrapDialog.show({
+                            type: BootstrapDialog.TYPE_WARNING,
+                            title: "{{ lang._('HAProxy configtest result') }}",
+                            message: "{{ lang._('Your HAProxy config contains no errors.') }}",
+                            draggable: true
+                        });
+                    }
+                });
             });
         });
 

From 8951f76ebb8772e8b41f1ae4d1a09b9f403e7c96 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 3 Nov 2021 12:49:38 +0100
Subject: [PATCH 0793/3088] net/haproxy: add recent fix to changelog

---
 net/haproxy/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 6ba357c233..0609ea6f36 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -17,6 +17,7 @@ Added:
 Fixed:
 * unable to use the "require" function in Lua scripts (#2265)
 * request logging not working (#2587)
+* fix syntax error in template (#2619)
 
 Changed:
 * set "lua-prepend-path" so that Lua scripts can be found (#2265)

From ffa7ad54bc778a6cd804248a89f2740e92890135 Mon Sep 17 00:00:00 2001
From: Adrian Fedoreanu <phedoreanu@users.noreply.github.com>
Date: Thu, 4 Nov 2021 07:57:50 +0000
Subject: [PATCH 0794/3088] dns/dyndns: add support for 1984Hosting (#1952)

---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |  1 +
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 24 +++++++++++++++++++
 dns/dyndns/src/www/services_dyndns_edit.php   |  4 +++-
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 476cc286d5..762549e53e 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -96,6 +96,7 @@ function dyndns_list()
      */
 
     return array(
+        '1984-hosting' => '1984 Hosting Company',
         '3322' => '3322',
         'all-inkl' => 'All-Inkl',
         'all-inkl-v6' => 'All-Inkl (v6)',
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 3e21cbdaef..10cd62432d 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -14,6 +14,7 @@
  *    - _debug()
  *    - _checkIP()
  * +----------------------------------------------------+
+ *  1984 Hosting Company        - Last Tested: 03 August 2020
  *  3322                        - Last Tested: 26 May 2017
  *  All-Inkl                    - Last Tested: 02 March 2020
  *  Amazon Route53              - Last Tested: 01 April 2012
@@ -168,6 +169,7 @@ class updatedns
             case 'linode':
             case 'linode-v6':
             case 'namecheap':
+            case '1984-hosting':
                 if (!$dnsPass) {
                     $this->_error(4);
                 } elseif (!$dnsHost) {
@@ -304,6 +306,7 @@ class updatedns
             $this->_error(10);
         } else {
             switch ($this->_dnsService) {
+                case '1984-hosting':
                 case '3322':
                 case 'all-inkl':
                 case 'all-inkl-v6':
@@ -1031,6 +1034,11 @@ class updatedns
                     curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
                 }
                 break;
+            case '1984-hosting':
+                $server = "https://api.1984.is/1.0/freedns/?apikey={$this->_dnsPass}&domain={$this->_dnsHost}&ip={$this->_dnsIP}";
+                curl_setopt($ch, CURLOPT_URL, $server);
+                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+                break;
             case '3322':
                 $server = "http://members.3322.net/dyndns/update?hostname={$this->_dnsHost}&myip={$this->_dnsIP}";
                 curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
@@ -1643,6 +1651,22 @@ class updatedns
                         $this->_debug($data);
                 }
                 break;
+            case '1984-hosting':
+                $output = json_decode($data);
+                if ($output === null) {
+                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - empty response.";
+                } elseif ($output->ok === true) {
+                    $status = "Dynamic DNS: (Success) {$this->_dnsHost} updated to {$this->_dnsIP}";
+                    $successful_update = true;
+                } elseif ($output->error) {
+                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Invalid Credentials! Don't forget to use API Key for password field with 1984 Hosting Company.";
+                } elseif ($output->lookup) {
+                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Zone ID was not found.";
+                } else {
+                    $status = "Dynamic DNS ({$this->_dnsHost}): UNKNOWN ERROR - {$output->errors[0]->message}";
+                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                }
+                break;
             case '3322':
             case 'citynetwork':
             case 'dnsomatic':
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index eef3911212..6fae49dc86 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -75,7 +75,8 @@ function is_dyndns_username($uname)
     }
     $input_errors = array();
     $pconfig = $_POST;
-    if(($pconfig['type'] == "freedns" || $pconfig['type'] == "linode" || $pconfig['type'] == "linode-v6" || $pconfig['type'] == "namecheap" || $pconfig['type'] == "cloudflare-token" || $pconfig['type'] == "cloudflare-token-v6" || $pconfig['type'] == "desec" || $pconfig['type'] == "desec-v4-v6" || $pconfig['type'] == "desec-v6") && $pconfig['username'] == "") {
+
+    if(($pconfig['type'] == "freedns" || $pconfig['type'] == "linode" || $pconfig['type'] == "linode-v6" || $pconfig['type'] == "namecheap" || $pconfig['type'] == "cloudflare-token" || $pconfig['type'] == "cloudflare-token-v6" || $pconfig['type'] == "desec" || $pconfig['type'] == "desec-v4-v6" || $pconfig['type'] == "desec-v6" || $pconfig['type'] == "1984-hosting") && $pconfig['username'] == "") {
         $pconfig['username'] = "none";
     }
 
@@ -128,6 +129,7 @@ function is_dyndns_username($uname)
             case 'linode':
             case 'linode-v6':
             case 'namecheap':
+            case '1984-hosting':
                 $host_to_check = preg_replace('/^[@*]\./', '', $host_to_check);
                 break;
             default:

From b9452963e8e3ea06519a69063b2094628c6aef11 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Nov 2021 09:00:04 +0100
Subject: [PATCH 0795/3088] dns/dyndns: start release notes for 1.26

---
 dns/dyndns/Makefile                         | 2 +-
 dns/dyndns/pkg-descr                        | 4 ++++
 dns/dyndns/src/www/services_dyndns_edit.php | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 3226022b7e..bf2d1b3722 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.25
+PLUGIN_VERSION=		1.26
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
index 8c452c9fab..c6faedff33 100644
--- a/dns/dyndns/pkg-descr
+++ b/dns/dyndns/pkg-descr
@@ -3,6 +3,10 @@ Support for numerous Dynamic DNS services (DynDNS et al)
 Plugin Changelog
 ================
 
+1.26
+
+* Added support for 1984 Hosting Company (contributed by Adrian Fedoreanu)
+
 1.25
 
 * Make regfish DynDNS work for IPv4 and IPv6 (contributed by DeepCoreSystem)
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index 6fae49dc86..7de8d9cbb3 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -113,6 +113,7 @@ function is_dyndns_username($uname)
         $host_to_check = $pconfig['host'];
 
         switch ($pconfig['type']) {
+            case '1984-hosting':
             case 'cloudflare':
             case 'cloudflare-token':
             case 'cloudflare-token-v6':
@@ -129,7 +130,6 @@ function is_dyndns_username($uname)
             case 'linode':
             case 'linode-v6':
             case 'namecheap':
-            case '1984-hosting':
                 $host_to_check = preg_replace('/^[@*]\./', '', $host_to_check);
                 break;
             default:

From 793419733a874129089608d801adac865844cb70 Mon Sep 17 00:00:00 2001
From: Marc Collins <mmarccollins@gmail.com>
Date: Thu, 4 Nov 2021 19:10:12 +1100
Subject: [PATCH 0796/3088] dns/dyndns: customDns log error details & inject
 %Host% (#2393)

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 1 +
 dns/dyndns/src/www/services_dyndns_edit.php               | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 10cd62432d..5fcb01a8a0 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -785,6 +785,7 @@ class updatedns
                     curl_setopt($ch, CURLOPT_USERPWD, "{$this->_dnsUser}:{$this->_dnsPass}");
                 }
                 $server = str_replace("%IP%", $this->_dnsIP, $this->_dnsUpdateURL);
+                $server = str_replace("%HOST%", $this->_dnsHost, $server);
                 curl_setopt($ch, CURLOPT_URL, $server);
                 break;
             case 'cloudflare':
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index 7de8d9cbb3..9eac454d85 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -428,6 +428,8 @@ function is_dyndns_username($uname)
                         <?= gettext("This is the only field required by for Custom Dynamic DNS, and is only used by Custom Entries.") ?>
                         <br />
                         <?= gettext("If you need the new IP to be included in the request, put %IP% in its place.") ?>
+                        <br />
+                        <?= gettext("If you need the new host to be included in the request, put %HOST% in its place.") ?>
                       </div>
                     </td>
                   </tr>
@@ -442,6 +444,8 @@ function is_dyndns_username($uname)
                         <br />
                         <?= gettext("If you need the new IP to be included in the request, put %IP% in its place.") ?>
                         <br />
+                        <?= gettext("If you need the new Host to be included in the request, put %HOST% in its place.") ?>
+                        <br />
                         <?= gettext('If you need to include multiple possible values, separate them with a |. If your provider includes a |, escape it with \|') ?>
                         <br />
                         <?= gettext('Tabs (\t), newlines (\n) and carriage returns (\r) at the beginning or end of the returned results are removed before comparison.') ?>

From 190fda243eaffe0d51d264a0153d85effc6e4bc9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Nov 2021 09:11:28 +0100
Subject: [PATCH 0797/3088] dns/dyndns: more stuff

---
 dns/dyndns/pkg-descr | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
index c6faedff33..3c8b56c589 100644
--- a/dns/dyndns/pkg-descr
+++ b/dns/dyndns/pkg-descr
@@ -6,6 +6,8 @@ Plugin Changelog
 1.26
 
 * Added support for 1984 Hosting Company (contributed by Adrian Fedoreanu)
+* Added %HOST% support for custom dynamic DNS (contributed by Marc Collins)
+* Add PAYLOAD log and debug support for missing code spots
 
 1.25
 

From f259171e57328fc09b22da2c21459d7b3e195015 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Nov 2021 09:21:06 +0100
Subject: [PATCH 0798/3088] dns/dyndns: patch in a number of missing debug/log
 lines

Reported by: @Nillth
---
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 66 +++++++++++--------
 1 file changed, 39 insertions(+), 27 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 5fcb01a8a0..15876d366a 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1376,6 +1376,7 @@ class updatedns
                         break;
                     default:
                         $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
+                        log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
                         $this->_debug("Unknown Response: " . $data);
                         break;
                 }
@@ -1395,7 +1396,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'hn':
@@ -1415,7 +1416,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'dyns':
@@ -1433,7 +1434,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'ods':
@@ -1443,7 +1444,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'freedns':
@@ -1456,7 +1457,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'dnsexit':
@@ -1469,7 +1470,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'staticcling':
@@ -1493,7 +1494,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'namecheap':
@@ -1516,8 +1517,8 @@ class updatedns
                     $successful_update = true;
                 } else {
                     $status = "Dynamic DNS: (Unknown Response)";
-                    log_error("Dynamic DNS: PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'route53':
@@ -1544,6 +1545,8 @@ class updatedns
                     $status = "Dynamic DNS: (Success) IP Address Updated Successfully!";
                 } else {
                     $status = "Dynamic DNS: (Error) Result did not match.";
+                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'cloudflare':
@@ -1561,6 +1564,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): UNKNOWN ERROR - {$output->errors[0]->message}";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'hetzner':
@@ -1576,8 +1580,8 @@ class updatedns
                     $status = 'Dynamic DNS: (Error) Access to the resource is denied. Mainly due to a lack of permissions to access it!';
                 } else {
                     $status = 'Dynamic DNS: (Error) "Unknown Response"';
-                    log_error("Dynamic DNS: HTTP Status: {$http_code}  PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'digitalocean':
@@ -1588,7 +1592,8 @@ class updatedns
                     $successful_update = true;
                 } else {
                     $status = "Dynamic DNS Record ID ({$this->_dnsUser}): UNKNOWN ERROR";
-                    log_error("Dynamic DNS Record ID ({$this->_dnsUser}): PAYLOAD: {$data}");
+                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'gandi-livedns':
@@ -1606,7 +1611,7 @@ class updatedns
                 } else {
                     $status = 'Dynamic DNS: (Error) "Unknown Response"';
                     log_error("Dynamic DNS: HTTP Status: {$http_code}  PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown HTTP status: " . $http_code);
                 }
                 break;
             case 'gratisdns':
@@ -1623,8 +1628,8 @@ class updatedns
                         $successful_update = true;
                 } else {
                         $status = "Dynamic DNS: (Unknown Response)";
-                        log_error("Dynamic DNS: PAYLOAD: {$data}");
-                        $this->_debug($data);
+                        log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                        $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'duckdns':
@@ -1633,8 +1638,8 @@ class updatedns
                         $successful_update = true;
                 } else {
                         $status = "Dynamic DNS: (Unknown Response)";
-                        log_error("Dynamic DNS: PAYLOAD: {$data}");
-                        $this->_debug($data);
+                        log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                        $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'dynv6':
@@ -1648,8 +1653,8 @@ class updatedns
                         $successful_update = true;
                 } else {
                         $status = "Dynamic DNS: (Unknown Response)";
-                        log_error("Dynamic DNS: PAYLOAD: {$data}");
-                        $this->_debug($data);
+                        log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                        $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case '1984-hosting':
@@ -1666,6 +1671,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): UNKNOWN ERROR - {$output->errors[0]->message}";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case '3322':
@@ -1713,8 +1719,8 @@ class updatedns
                     $status = "Dynamic DNS: (Error) Specified hostname does not exist under this username";
                 } else {
                     $status = "Dynamic DNS: (Unknown Response)";
-                    log_error("Dynamic DNS: PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'regfish':
@@ -1747,8 +1753,8 @@ class updatedns
                     $status = 'Dynamic DNS: (Error) Cannot update load balancer';
                 } else {
                     $status = "Dynamic DNS: (Unknown Response)";
-                    log_error("Dynamic DNS: PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
             case 'linode':
             case 'linode-v6':
@@ -1766,6 +1772,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ($fqdn): UNKNOWN ERROR";
                     log_error("Dynamic DNS ($fqdn): PAYLOAD: {$data}");
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'azure':
@@ -1781,8 +1788,8 @@ class updatedns
                     $successful_update = true;
                 } else {
                     $status = 'Dynamic DNS: (Error) "Unknown Response"';
-                    log_error("Dynamic DNS: HTTP Status: {$http_code}  PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    log_error("Dynamic DNS: HTTP status: {$http_code} PAYLOAD: {$data}");
+                    $this->_debug("Unknown HTTP status: " . $http_code);
                 }
                 break;
             case 'all-inkl':
@@ -1798,7 +1805,7 @@ class updatedns
                 } else {
                     $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
                     log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug($data);
+                    $this->_debug("Unknown Response: " . $data);
                 }
                 break;
             case 'godaddy':
@@ -1815,7 +1822,8 @@ class updatedns
                     $status = 'Dynamic DNS: (Error) Resource not found';
                 } else {
                     $status = "Dynamic DNS: (Error) Repsonse not handled check the following: {$data}";
-                    log_error("Dynamic DNS: (Error) HTTPS Status: {$http_code} PAYLOAD: {$data}");
+                    log_error("Dynamic DNS: HTTP status: {$http_code} PAYLOAD: {$data}");
+                    $this->_debug("Unknown HTTP status: " . $http_code);
                 }
                 break;
             case 'desec':
@@ -1834,6 +1842,10 @@ class updatedns
                 } elseif ($http_code == 200 && preg_match('/good/i', $data)) {
                     $status = 'Dynamic DNS: (Success) IP Address Updated Successfully!';
                     $successful_update = true;
+                } else {
+                    $status = "Dynamic DNS: (Error) Repsonse not handled check the following: {$data}";
+                    log_error("Dynamic DNS: HTTP status: {$http_code} PAYLOAD: {$data}");
+                    $this->_debug("Unknown HTTP status: " . $http_code);
                 }
                 break;
             default:

From 3ef0e32bcd54867cfc016133c96b3414da85eae5 Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Thu, 4 Nov 2021 10:51:29 +0100
Subject: [PATCH 0799/3088] Dns/bind - add query-source(-v6) to advanced
 options (#2629)

---
 dns/bind/Makefile                                |  2 +-
 dns/bind/pkg-descr                               |  4 ++++
 .../controllers/OPNsense/Bind/forms/general.xml  | 16 +++++++++++++++-
 .../mvc/app/models/OPNsense/Bind/General.xml     | 10 ++++++++++
 .../service/templates/OPNsense/Bind/named.conf   |  8 ++++++++
 5 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 08fc3e7af9..025638dbf2 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.18
+PLUGIN_VERSION=		1.19
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 5e7e6e27ac..b92f8177fe 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.19
+
+* Add support for "Query Source [IP|IPv6]" options.
+
 1.18
 
 * Allow specifying multiple masters for slave zones
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 05ea9fb728..da2938c356 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -33,6 +33,20 @@
         <type>text</type>
         <help>Set the port the service should listen to.</help>
     </field>
+    <field>
+        <id>general.querysource</id>
+        <label>Query Source IP</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Specify the IPv4 address used as a source for outbound queries.</help>
+    </field>
+    <field>
+        <id>general.querysourcev6</id>
+        <label>Query Source IPv6</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Specify the IPv6 address used as a source for outbound queries.</help>
+    </field>
     <field>
         <id>general.transfersource</id>
         <label>Transfer Source IP</label>
@@ -45,7 +59,7 @@
         <label>Transfer Source IPv6</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>This determines which local address is bound to IPv6 TCP connections used to fetch zones transferred inbound by the server.</help>
+        <help>Specify the IPv6 address used as a source for zone transfers.</help>
     </field>
     <field>
         <id>general.forwarders</id>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 455f87d3db..5d67e79318 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -27,6 +27,16 @@
             <Required>Y</Required>
             <asList>Y</asList>
         </listenv6>
+        <querysource type="NetworkField">
+            <Required>N</Required>
+            <AddressFamily>ipv4</AddressFamily>
+            <NetMaskAllowed>N</NetMaskAllowed>
+        </querysource>
+        <querysourcev6 type="NetworkField">
+            <Required>N</Required>
+            <AddressFamily>ipv6</AddressFamily>
+            <NetMaskAllowed>N</NetMaskAllowed>
+        </querysourcev6>
         <transfersource type="NetworkField">
             <Required>N</Required>
             <AddressFamily>ipv4</AddressFamily>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 7f8d5a708b..376efe90fa 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -22,6 +22,14 @@ options {
         listen-on-v6 port {{ OPNsense.bind.general.port }} { {{ OPNsense.bind.general.listenv6.replace(',', '; ') }}; };
 {% endif -%}
 
+{% if helpers.exists('OPNsense.bind.general.querysource') and OPNsense.bind.general.querysource != '' %}
+        query-source {{ OPNsense.bind.general.querysource }};
+{% endif -%}
+
+{% if helpers.exists('OPNsense.bind.general.querysourcev6') and OPNsense.bind.general.querysourcev6 != '' %}
+        query-source-v6 {{ OPNsense.bind.general.querysourcev6 }};
+{% endif -%}
+
 {% if helpers.exists('OPNsense.bind.general.transfersource') and OPNsense.bind.general.transfersource != '' %}
         transfer-source {{ OPNsense.bind.general.transfersource }};
 {% endif -%}

From 53090bb170a9e17c796b0894a0f52a34ac8b49d8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Nov 2021 08:21:11 +0100
Subject: [PATCH 0800/3088] Framework: retire DEVABI

Failed experiment.  ;)
---
 Mk/defaults.mk | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 69c1125f24..b794cebfba 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -56,6 +56,8 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 .if exists(${VERSIONBIN})
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
+.else
+PLUGIN_ABI?=	21.7
 .endif
 
 PHPBIN=		${LOCALBASE}/bin/php
@@ -72,9 +74,6 @@ _PLUGIN_PYTHON!=${PYTHONLINK} -V
 PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
-.if !empty(DEVABI)
-PLUGIN_ABI=	${DEVABI}
-.endif
 
 .for REPLACEMENT in ABI PHP PYTHON
 . if empty(PLUGIN_${REPLACEMENT})

From 3e5c4547578680dd9e6165917a817d5bbec21a5c Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 5 Nov 2021 08:25:57 +0100
Subject: [PATCH 0801/3088] net/freeradius: Allow setting of minimum TLS
 version (#2463)

---
 net/freeradius/pkg-descr                               |  1 +
 .../app/controllers/OPNsense/Freeradius/forms/eap.xml  |  6 ++++++
 .../mvc/app/models/OPNsense/Freeradius/Eap.xml         | 10 ++++++++++
 .../templates/OPNsense/Freeradius/mods-enabled-eap     |  2 +-
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 023f6c57ad..1be5165ef2 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -27,6 +27,7 @@ Plugin Changelog
 1.9.15
 
 * Fixed validation of CIDR for client network ranges
+* Allow setting of minimum TLS version
 
 1.9.14
 
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index 8747dd6aaa..8438620895 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -41,4 +41,10 @@
         <type>checkbox</type>
         <help>Checks that the username given by the user matches the Common-Name of the certificate.</help>
     </field>
+    <field>
+        <id>eap.tls_min_version</id>
+        <label>TLS Minimum Version</label>
+        <type>dropdown</type>
+        <help>Set minimum TLS version. Please be aware that every version below 1.2 is considered as insecure.</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index f4604c752f..1f5e027958 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -45,5 +45,15 @@
             <default>0</default>
             <Required>Y</Required>
         </check_tls_names>
+        <tls_min_version type="OptionField">
+            <default>Option1</default>
+            <Required>Y</Required>
+            <multiple>N</multiple>
+            <OptionValues>
+                <Option1 value="1.0">1.0</Option1>
+                <Option2 value="1.1">1.1</Option2>
+                <Option3 value="1.2">1.2</Option3>
+            </OptionValues>
+        </tls_min_version>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index ff98fca0b8..954edf8b66 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -453,7 +453,7 @@ eap {
                 #
                 #  The values must be in quotes.
                 #
-                tls_min_version = "1.0"
+                tls_min_version = "{{ OPNsense.freeradius.eap.tls_min_version }}"
                 tls_max_version = "1.2"
 
                 #  Elliptical cryptography configuration

From 3b8d729760b079624e177f5073ad65fd9b76f074 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Nov 2021 08:27:45 +0100
Subject: [PATCH 0802/3088] net/freeradius: final touches

---
 net/freeradius/pkg-descr                                        | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 1be5165ef2..48d2418319 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -18,6 +18,7 @@ Plugin Changelog
 1.9.17
 
 * Added support for Extreme networks EXOS switch Extreme-Netlogin-Extended-VLAN VSA and policy for GEN2 (contributed by Pasi Suominen)
+* Allow setting of minimum TLS version
 
 1.9.16
 
@@ -27,7 +28,6 @@ Plugin Changelog
 1.9.15
 
 * Fixed validation of CIDR for client network ranges
-* Allow setting of minimum TLS version
 
 1.9.14
 
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 1f5e027958..953501e0b1 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/eap</mount>
     <description>EAP configuration</description>
-    <version>1.9.16</version>
+    <version>1.9.17</version>
     <items>
         <default_eap_type type="OptionField">
             <default>md5</default>

From 7bc794ff489964149cd2f0809923b4fd0d362a72 Mon Sep 17 00:00:00 2001
From: Gavin Chappell <g-a-c@users.noreply.github.com>
Date: Tue, 9 Nov 2021 08:07:05 +0000
Subject: [PATCH 0803/3088] net/frr: Multiple fixes/features (#2633)

---
 net/frr/pkg-descr                             |   4 +
 .../Quagga/forms/dialogEditBGPNeighbor.xml    |  16 +-
 .../Quagga/forms/dialogEditBGPPrefixLists.xml |   4 +-
 .../mvc/app/models/OPNsense/Quagga/BGP.xml    |  13 ++
 .../templates/OPNsense/Quagga/bgpd.conf       | 188 +++++++-----------
 5 files changed, 106 insertions(+), 119 deletions(-)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 829df3bb52..1e52df4ba0 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,6 +14,10 @@ Plugin Changelog
 1.23
 
 * Add route-reflector-client to BGP neighbor config
+* bugfix: BGP Prefix List "IP version" field appears to be ineffective (#2602)
+* feature: IPv6 link-local neighbors require an interface to be specified (#2604)
+* feature: multiprotocol BGP sessions are not supported (#2606)
+* bugfix: Multiple BGP peers causes config generation error (#2623)
 
 1.22
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 3ae8d68301..f494060aae 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -26,7 +26,14 @@
     <id>neighbor.updatesource</id>
     <label>Update-Source Interface</label>
     <type>select_multiple</type>
-    <help>Physical name of the interface facing the peer</help>
+    <help><![CDATA[Physical name of the IPv4 interface facing the peer. Please refer to the <a href="http://docs.frrouting.org/en/stable-7.4/bgp.html#clicmd-[no]neighborPEERupdate-source%3CIFNAME|ADDRESS%3E">FRR documentation</a> for more information.]]></help>
+  </field>
+  <field>
+    <id>neighbor.linklocalinterface</id>
+    <label>IPv6 link-local interface</label>
+    <type>dropdown</type>
+    <advanced>true</advanced>
+    <help><![CDATA[Interface to use for IPv6 link-local neighbours. Please refer to the <a href="http://docs.frrouting.org/en/stable-7.4/bgp.html#clicmd-[no]neighborPEERinterfaceIFNAME">FRR documentation</a> for more information.]]></help>
   </field>
   <field>
     <id>neighbor.nexthopself</id>
@@ -38,6 +45,13 @@
     <label>Multi-Hop</label>
     <type>checkbox</type>
   </field>
+  <field>
+    <id>neighbor.multiprotocol</id>
+    <label>Multi-Protocol</label>
+    <type>checkbox</type>
+    <advanced>true</advanced>
+    <help><![CDATA[Is this neighbour multiprotocol capable per <a href="https://datatracker.ietf.org/doc/html/rfc2283.html">RFC 2283</a>]]></help>
+  </field>
   <field>
     <id>neighbor.rrclient</id>
     <label>Route Reflector Client</label>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
index 115e015de8..276e4e5d45 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
@@ -20,7 +20,7 @@
   <field>
     <id>prefixlist.version</id>
     <label>IP Version</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
     <help>Set the IP version to use.</help>
   </field>
   <field>
@@ -32,7 +32,7 @@
   <field>
     <id>prefixlist.action</id>
     <label>Action</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
     <help>Set permit for match or deny to negate the rule.</help>
   </field>
   <field>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 767e8d0081..cc5b2782bf 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -66,6 +66,15 @@
                                         <enable>/^(?!0).*$/</enable>
                                 </filters>
                         </updatesource>
+                        <linklocalinterface type="InterfaceField">
+                                <default></default>
+                                <Required>N</Required>
+                                <multiple>N</multiple>
+                                <AllowDynamic>Y</AllowDynamic>
+                                <filters>
+                                        <enable>/^(?!0).*$/</enable>
+                                </filters>
+                        </linklocalinterface>
                         <nexthopself type="BooleanField">
                                 <default>0</default>
                                 <Required>N</Required>
@@ -74,6 +83,10 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </multihop>
+                        <multiprotocol type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </multiprotocol>
                         <rrclient type="BooleanField">
                                 <default>0</default>
                                 <Required>N</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 2505bb1134..e0a9b8d5c5 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -1,5 +1,31 @@
 {% if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled == '1' %}
-{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
+{%   from 'OPNsense/Macros/interface.macro' import physical_interface %}
+{%   set addressFamilies = ['ipv4', 'ipv6' ] %}
+{%   set neighbors = {'ipv4': [], 'ipv6': []} %}
+{%   set networks = {'ipv4': [], 'ipv6': []} %}
+
+{%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') %}
+{%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
+{%       if neighbor.enabled == '1' and neighbor.multiprotocol == '1' %}
+{#         // the .append() method in Jinja2 returns "None", so filter through default() to suppress #}
+{{         neighbors['ipv4'].append(neighbor) | default("", True) }}
+{{         neighbors['ipv6'].append(neighbor) | default("", True) }}
+{%       elif neighbor.enabled == '1' and ':' not in neighbor.address %}
+{{         neighbors['ipv4'].append(neighbor) | default("", True) }}
+{%       elif neighbor.enabled == '1' and ':' in neighbor.address %}
+{{         neighbors['ipv6'].append(neighbor) | default("", True) }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{%   if helpers.exists('OPNsense.quagga.bgp.networks') %}
+{%     for network in OPNsense.quagga.bgp.networks.split(',') %}
+{%       if ':' not in network %}
+{{         networks['ipv4'].append(network) | default("", True) }}
+{%       elif ':' in network %}
+{{         networks['ipv6'].append(network) | default("", True) }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
 !
 ! Zebra configuration saved from vty
 !   2017/03/03 20:21:04
@@ -31,9 +57,12 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'bfd' in neighbor and neighbor.bfd == '1' %}
  neighbor {{ neighbor.address }} bfd
 {%         endif %}
- {%        if 'updatesource' in neighbor and neighbor.updatesource != '' %}
+{%         if ':' not in neighbor.address and 'updatesource' in neighbor and neighbor.updatesource != '' %}
  neighbor {{ neighbor.address }} update-source {{ physical_interface(neighbor.updatesource) }}
 {%         endif %}
+{%         if ':' in neighbor.address and 'linklocalinterface' in neighbor and neighbor.linklocalinterface != '' %}
+ neighbor {{ neighbor.address }} interface {{ physical_interface(neighbor.linklocalinterface) }}
+{%         endif %}
 {%         if 'multihop' in neighbor and neighbor.multihop == '1' %}
  neighbor {{ neighbor.address }} ebgp-multihop
 {%         endif %}
@@ -48,145 +77,72 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
- address-family ipv4 unicast
-{%   if helpers.exists('OPNsense.quagga.bgp.networks') %}
-{%     for network in OPNsense.quagga.bgp.networks.split(',') %}
-{%       if ':' not in network %}
-  network {{ network }}
-{%       endif %}
-{%     endfor %}
-{%   endif %}
+
+{%  for addressFamily in addressFamilies %}
+ address-family {{ addressFamily }} unicast
 {%   if helpers.exists('OPNsense.quagga.bgp.redistribute') and OPNsense.quagga.bgp.redistribute != '' %}
 {%     for bgp_redistribute in OPNsense.quagga.bgp.redistribute.split(',') %}
   redistribute {{ bgp_redistribute }}
 {%     endfor %}
 {%   endif %}
-{%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') and ':' not in OPNsense.quagga.bgp.neighbors.neighbor.address %}
-{%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
-{%       if neighbor.enabled == '1' and ':' not in neighbor.address %}
-{%         if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}
-  neighbor {{ neighbor.address }} next-hop-self
-{%         endif %}
-{%         if 'rrclient' in neighbor and neighbor.rrclient == '1' %}
-  neighbor {{ neighbor.address }} route-reflector-client
-{%         endif %}
-{%         if 'defaultoriginate' in neighbor and neighbor.defaultoriginate == '1' %}
-  neighbor {{ neighbor.address }} default-originate
-{%         endif %}
-{%         if neighbor.linkedPrefixlistIn|default("") != "" %}
-{%           for prefixlist in neighbor.linkedPrefixlistIn.split(",") %}
-{%             set prefixlist2_data = helpers.getUUID(prefixlist) %}
-{%             if prefixlist2_data != {} and prefixlist2_data.enabled == '1' %}
-  neighbor {{ neighbor.address }} prefix-list {{ prefixlist2_data.name }} in
-{%             endif %}
-{%           endfor %}
-{%         endif %}
-{%         if neighbor.linkedPrefixlistOut|default("") != "" %}
-{%           for prefixlist in neighbor.linkedPrefixlistOut.split(",") %}
-{%             set prefixlist_data = helpers.getUUID(prefixlist) %}
-{%             if prefixlist_data != {} and prefixlist_data.enabled == '1' %}
-  neighbor {{ neighbor.address }} prefix-list {{ prefixlist_data.name }} out
-{%             endif %}
-{%           endfor %}
-{%         endif %}
-{%         if neighbor.linkedRoutemapIn|default("") != "" %}
-{%           for aspath in neighbor.linkedRoutemapIn.split(",") %}
-{%             set routemap2_data = helpers.getUUID(aspath) %}
-{%             if routemap2_data != {} and routemap2_data.enabled == '1' %}
-  neighbor {{ neighbor.address }} route-map {{ routemap2_data.name }} in
-{%             endif %}
-{%           endfor %}
-{%         endif %}
-{%         if neighbor.linkedRoutemapOut|default("") != "" %}
-{%           for aspath in neighbor.linkedRoutemapOut.split(",") %}
-{%             set routemap_data = helpers.getUUID(aspath) %}
-{%             if routemap_data != {} and routemap_data.enabled == '1' %}
-  neighbor {{ neighbor.address }} route-map {{ routemap_data.name }} out
-{%             endif %}
-{%           endfor %}
-{%         endif %}
-{%       endif %}
-{%     endfor %}
-{%   endif %}
-{%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') %}
-{%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
-{%       if neighbor.enabled == '1' and ':' in neighbor.address %}
-  no neighbor {{ neighbor.address }} activate
-{%       endif %}
-{%     endfor %}
-{%   endif %}
- exit-address-family
-!
- address-family ipv6 unicast
-{%   if helpers.exists('OPNsense.quagga.bgp.networks') and ':' in OPNsense.quagga.bgp.networks %}
-{%     for network in OPNsense.quagga.bgp.networks.split(',') %}
-{%       if ':' in network %}
+{%   for network in networks[addressFamily] %}
   network {{ network }}
-{%       endif %}
-{%     endfor %}
-{%   endif %}
-{%   if helpers.exists('OPNsense.quagga.bgp.redistribute') and OPNsense.quagga.bgp.redistribute != '' %}
-{%     for bgp_redistribute in OPNsense.quagga.bgp.redistribute.split(',') %}
-  redistribute {{ bgp_redistribute }}
-{%     endfor %}
-{%   endif %}
-{%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') %}
-{%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
-{%       if neighbor.enabled == '1' and ':' in neighbor.address %}
+{%   endfor %}
+{%   for neighbor in neighbors[addressFamily] %}
   neighbor {{ neighbor.address }} activate
-{%         if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}
+{%     if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}
   neighbor {{ neighbor.address }} next-hop-self
-{%         endif %}
-{%         if 'rrclient' in neighbor and neighbor.rrclient == '1' %}
+{%     endif %}
+{%     if 'rrclient' in neighbor and neighbor.rrclient == '1' %}
   neighbor {{ neighbor.address }} route-reflector-client
-{%         endif %}
-{%         if 'defaultoriginate' in neighbor and neighbor.defaultoriginate == '1' %}
+{%     endif %}
+{%     if 'defaultoriginate' in neighbor and neighbor.defaultoriginate == '1' %}
   neighbor {{ neighbor.address }} default-originate
-{%         endif %}
-{%         if neighbor.linkedPrefixlistIn|default("") != "" %}
-{%           for prefixlist in neighbor.linkedPrefixlistIn.split(",") %}
-{%             set prefixlist2_data = helpers.getUUID(prefixlist) %}
-{%             if prefixlist2_data != {} and prefixlist2_data.enabled == '1' %}
+{%     endif %}
+{%     if neighbor.linkedPrefixlistIn|default("") != "" %}
+{%       for prefixlist in neighbor.linkedPrefixlistIn.split(",") %}
+{%         set prefixlist2_data = helpers.getUUID(prefixlist) %}
+{%         if prefixlist2_data != {} and prefixlist2_data.enabled == '1' %}
   neighbor {{ neighbor.address }} prefix-list {{ prefixlist2_data.name }} in
-{%             endif %}
-{%           endfor %}
 {%         endif %}
-{%         if neighbor.linkedPrefixlistOut|default("") != "" %}
-{%           for prefixlist in neighbor.linkedPrefixlistOut.split(",") %}
-{%             set prefixlist_data = helpers.getUUID(prefixlist) %}
-{%             if prefixlist_data != {} and prefixlist_data.enabled == '1' %}
+{%       endfor %}
+{%     endif %}
+{%     if neighbor.linkedPrefixlistOut|default("") != "" %}
+{%       for prefixlist in neighbor.linkedPrefixlistOut.split(",") %}
+{%         set prefixlist_data = helpers.getUUID(prefixlist) %}
+{%         if prefixlist_data != {} and prefixlist_data.enabled == '1' %}
   neighbor {{ neighbor.address }} prefix-list {{ prefixlist_data.name }} out
-{%             endif %}
-{%           endfor %}
 {%         endif %}
-{%         if neighbor.linkedRoutemapIn|default("") != "" %}
-{%           for aspath in neighbor.linkedRoutemapIn.split(",") %}
-{%             set routemap2_data = helpers.getUUID(aspath) %}
-{%             if routemap2_data != {} and routemap2_data.enabled == '1' %}
+{%       endfor %}
+{%     endif %}
+{%     if neighbor.linkedRoutemapIn|default("") != "" %}
+{%       for aspath in neighbor.linkedRoutemapIn.split(",") %}
+{%         set routemap2_data = helpers.getUUID(aspath) %}
+{%         if routemap2_data != {} and routemap2_data.enabled == '1' %}
   neighbor {{ neighbor.address }} route-map {{ routemap2_data.name }} in
-{%             endif %}
-{%           endfor %}
 {%         endif %}
-{%         if neighbor.linkedRoutemapOut|default("") != "" %}
-{%           for aspath in neighbor.linkedRoutemapOut.split(",") %}
-{%             set routemap_data = helpers.getUUID(aspath) %}
-{%             if routemap_data != {} and routemap_data.enabled == '1' %}
+{%       endfor %}
+{%     endif %}
+{%     if neighbor.linkedRoutemapOut|default("") != "" %}
+{%       for aspath in neighbor.linkedRoutemapOut.split(",") %}
+{%         set routemap_data = helpers.getUUID(aspath) %}
+{%         if routemap_data != {} and routemap_data.enabled == '1' %}
   neighbor {{ neighbor.address }} route-map {{ routemap_data.name }} out
-{%             endif %}
-{%           endfor %}
 {%         endif %}
-{%       endif %}
-{%     endfor %}
-{%   endif %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
  exit-address-family
 !
+{%  endfor %}
+
 {%   if helpers.exists('OPNsense.quagga.bgp.prefixlists.prefixlist') %}
 {%     for prefixlist in helpers.sortDictList(OPNsense.quagga.bgp.prefixlists.prefixlist, 'name', 'seqnumber' ) %}
-{%       if prefixlist.enabled == '1' and ':' not in prefixlist.network %}
+{%       if prefixlist.enabled == '1' and prefixlist.version == 'IPv4' %}
 ip prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixlist.action }} {{ prefixlist.network }}
 {%       endif %}
 !
-{%       if prefixlist.enabled == '1' and ':' in prefixlist.network %}
+{%       if prefixlist.enabled == '1' and prefixlist.version == 'IPv6' %}
 ipv6 prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixlist.action }} {{ prefixlist.network }}
 {%       endif %}
 {%     endfor %}

From e8af90b1a36102e0b9c3eb05bef56610e147bf16 Mon Sep 17 00:00:00 2001
From: Andrew <andrew.hotlab@hotmail.com>
Date: Tue, 9 Nov 2021 20:26:41 +0100
Subject: [PATCH 0804/3088] Use the righ URL for FreeDNS

Needed to close upstream issue: opnsense/plugins#2428
---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 15876d366a..7efaa72ea4 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -570,7 +570,7 @@ class updatedns
                 $this->_checkStatus(0, $code);
                 break;
             case 'freedns':
-                curl_setopt($ch, CURLOPT_URL, 'https://sync.afraid.org/u/' . $this->_dnsPass . '/');
+                curl_setopt($ch, CURLOPT_URL, 'https://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass . '/');
                 break;
             case 'dnsexit':
                 curl_setopt($ch, CURLOPT_URL, 'https://update.dnsexit.com/RemoteUpdate.sv?login=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);

From 1dd188781750ce218a27e8bcc2c26240867b1c0b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 11 Nov 2021 07:42:31 +0100
Subject: [PATCH 0805/3088] dns/dyndns: update changelog

---
 dns/dyndns/pkg-descr | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
index 3c8b56c589..3c47212268 100644
--- a/dns/dyndns/pkg-descr
+++ b/dns/dyndns/pkg-descr
@@ -5,15 +5,16 @@ Plugin Changelog
 
 1.26
 
-* Added support for 1984 Hosting Company (contributed by Adrian Fedoreanu)
-* Added %HOST% support for custom dynamic DNS (contributed by Marc Collins)
+* Add support for 1984 Hosting Company (contributed by Adrian Fedoreanu)
+* Add %HOST% support for custom dynamic DNS (contributed by Marc Collins)
+* Revert FreeDNS URL change (contributed by andrewhotlab)
 * Add PAYLOAD log and debug support for missing code spots
 
 1.25
 
 * Make regfish DynDNS work for IPv4 and IPv6 (contributed by DeepCoreSystem)
-* Added STRATO IPv6 to DynDNS (contributed by Jan Wiesemann)
-* Added desec.io wildcard support (contributed by Luca Zeug)
+* Add STRATO IPv6 to DynDNS (contributed by Jan Wiesemann)
+* Add desec.io wildcard support (contributed by Luca Zeug)
 * Accept wildcard entry for Hetzner
 
 1.24
@@ -23,5 +24,5 @@ Plugin Changelog
 * Add support for deSEC.io (contributed by Michael Paul)
 * Add All-Inkl v4 and v6 DynDNS support (contributed by polkhigh33)
 * Add support for digitalocean v6 records (contributed by Jan Koppe)
-* Updated No-Ip client code to use APIv2 (contributed by Victor Kislov)
+* Update No-Ip client code to use APIv2 (contributed by Victor Kislov)
 * Fix copy and paste unprotected JSON object access

From 30ca5f23773c05076e43e02de307e57c86621bee Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 11 Nov 2021 07:44:37 +0100
Subject: [PATCH 0806/3088] net/vnstat: clear revision after version bump

---
 net/vnstat/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/vnstat/Makefile b/net/vnstat/Makefile
index 03414717c4..445106e949 100644
--- a/net/vnstat/Makefile
+++ b/net/vnstat/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		vnstat
 PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		vnStat is a console-based network traffic monitor
 PLUGIN_DEPENDS=		vnstat
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 66e69a5efaef74cf13bfc88e6d0e3eb0c133e8e9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 11 Nov 2021 07:48:00 +0100
Subject: [PATCH 0807/3088] www/nginx: restart fpm too in reload case

---
 .../src/opnsense/service/conf/actions.d/actions_nginx.conf      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
index 70bf433875..1cb7927e53 100644
--- a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
+++ b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
@@ -62,7 +62,7 @@ parameters:
 type:script_output
 
 [reload]
-command:/usr/local/opnsense/scripts/nginx/setup.php;/usr/local/etc/rc.d/nginx reload
+command:/usr/local/opnsense/scripts/nginx/setup.php;/usr/local/etc/rc.d/php-fpm restart;/usr/local/etc/rc.d/nginx reload
 parameters:
 type:script_output
 message:reloading nginx

From 9cc24a91c7d14cf1dc478fa3fcd2f58adb307f35 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 11 Nov 2021 13:37:48 +0100
Subject: [PATCH 0808/3088] net-mgmt/telegraf: patch in release notes

---
 net-mgmt/telegraf/pkg-descr | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 9b28b08a95..40f690458f 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.2
+
+* Add insecure_skip_verify as an option for Influx v1 output
+
 1.12.1
 
 * Rename "Wheel Group" to "Run as Root" and set user permissions

From 1de84577a79b4366ff3ce32b3c1f304ce0302a32 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 11 Nov 2021 19:10:32 +0100
Subject: [PATCH 0809/3088] logging / relayd - move syslog target to plugin
 where it belongs [], closes https://github.com/opnsense/plugins/issues/2643

---
 .../service/templates/OPNsense/Syslog/local/relayd.conf     | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 net/relayd/src/opnsense/service/templates/OPNsense/Syslog/local/relayd.conf

diff --git a/net/relayd/src/opnsense/service/templates/OPNsense/Syslog/local/relayd.conf b/net/relayd/src/opnsense/service/templates/OPNsense/Syslog/local/relayd.conf
new file mode 100644
index 0000000000..4c84d2e98e
--- /dev/null
+++ b/net/relayd/src/opnsense/service/templates/OPNsense/Syslog/local/relayd.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [relayd].
+###################################################################
+filter f_local_relayd {
+    program("relayd");
+};

From 7c146eaa4327691582a74b500ec1a9e929d57e3f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 12 Nov 2021 08:58:14 +0100
Subject: [PATCH 0810/3088] net/relayd: bump for latest change

---
 net/relayd/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 0641c68acb..e995794309 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.6
+PLIGIN_REVISION=	1
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From 037ef927f15f81f79512feffa2759ffda4d3a499 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 12 Nov 2021 21:55:34 +0100
Subject: [PATCH 0811/3088] security/acme-client: add support for acme.sh
 deploy hook "synology_dsm", closes #2236

---
 security/acme-client/pkg-descr                |  8 ++
 .../AcmeClient/forms/dialogAction.xml         | 55 +++++++++++--
 .../LeAutomation/AcmeSynologyDsm.php          | 56 +++++++++++++
 .../OPNsense/AcmeClient/LeAutomation/Base.php | 82 ++++++++++++++++++-
 .../{Configd.php => ConfigdGeneric.php}       |  8 +-
 .../{RestartGui.php => ConfigdRestartGui.php} |  4 +-
 ...tHaproxy.php => ConfigdRestartHaproxy.php} |  4 +-
 ...startNginx.php => ConfigdRestartNginx.php} |  4 +-
 ...ghwinds.php => ConfigdUploadHighwinds.php} |  4 +-
 .../{UploadSftp.php => ConfigdUploadSftp.php} |  4 +-
 .../OPNsense/AcmeClient/LeCertificate.php     |  2 +-
 .../library/OPNsense/AcmeClient/LeCommon.php  |  3 +
 .../OPNsense/AcmeClient/LeValidation/Base.php |  7 +-
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 55 +++++++++++--
 .../OPNsense/AcmeClient/Migrations/M3_1_0.php | 72 ++++++++++++++++
 15 files changed, 337 insertions(+), 31 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{Configd.php => ConfigdGeneric.php} (87%)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{RestartGui.php => ConfigdRestartGui.php} (93%)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{RestartHaproxy.php => ConfigdRestartHaproxy.php} (93%)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{RestartNginx.php => ConfigdRestartNginx.php} (93%)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{UploadHighwinds.php => ConfigdUploadHighwinds.php} (93%)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{UploadSftp.php => ConfigdUploadSftp.php} (93%)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_1_0.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index c0fbc44972..0777c8d513 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,14 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.5
+
+Added:
+* add support for Synology DSM deploy hook (#2236)
+
+Changed:
+* refactor code to support acme.sh deploy hooks
+
 3.4
 
 Changed:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index db41ea6485..2c875b786e 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -26,7 +26,7 @@
     <field>
         <label>Required Parameters</label>
         <type>header</type>
-        <style>method_table method_table_upload_highwinds</style>
+        <style>method_table method_table_configd_upload_highwinds</style>
     </field>
     <field>
         <id>action.highwinds_account_hash</id>
@@ -43,7 +43,7 @@
     <field>
         <label>Required Parameters</label>
         <type>header</type>
-        <style>method_table method_table_upload_sftp</style>
+        <style>method_table method_table_configd_upload_sftp</style>
     </field>
     <field>
         <id>action.sftp_host</id>
@@ -145,13 +145,58 @@
     <field>
         <label>Required Parameters</label>
         <type>header</type>
-        <style>method_table method_table_configd</style>
+        <style>method_table method_table_configd_generic</style>
     </field>
     <field>
-        <id>action.configd</id>
+        <id>action.configd_generic_command</id>
         <label>System Command</label>
         <type>dropdown</type>
         <help>Select a pre-defined system command which should be run.</help>
-        <style>table_optional table_optional_configd</style>
+    </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_synology_dsm</style>
+    </field>
+    <field>
+        <id>action.acme_synology_dsm_hostname</id>
+        <label>Synology Hostname</label>
+        <type>text</type>
+        <help>Hostname of IP adress of the Synology DSM, i.e. synology.example.com or 192.168.0.1.</help>
+    </field>
+    <field>
+        <id>action.acme_synology_dsm_port</id>
+        <label>Synology Port</label>
+        <type>text</type>
+        <help>Port that will be used when connecting to Synology DSM.</help>
+    </field>
+    <field>
+        <id>action.acme_synology_dsm_scheme</id>
+        <label>Scheme</label>
+        <type>dropdown</type>
+        <help>Connection scheme that will be used when uploading certificates to Synology DSM.</help>
+    </field>
+    <field>
+        <id>action.acme_synology_dsm_username</id>
+        <label>Username</label>
+        <type>text</type>
+        <help>Username to login, must be an administrator.</help>
+    </field>
+    <field>
+        <id>action.acme_synology_dsm_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>action.acme_synology_dsm_deviceid</id>
+        <label>Device ID</label>
+        <type>text</type>
+        <help>If Synology DSM has OTP enabled, then the device ID has to be provided so that no OTP is required when running the automation.</help>
+    </field>
+    <field>
+        <id>action.acme_synology_dsm_create</id>
+        <label>Create certificates</label>
+        <type>checkbox</type>
+        <help>This option ensures that a new certificate is created in Synology DSM if it does not exist yet. If unchecked only existing certificates will be updated.</help>
     </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
new file mode 100644
index 0000000000..c1fb58a0a1
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook synology_dsm
+ * @package OPNsense\AcmeClient
+ */
+class AcmeSynologyDsm extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['SYNO_Certificate'] = 'OPNsense ACME cert ' . $this->cert_id;
+        $this->acme_env['SYNO_Hostname'] = (string)$this->config->acme_synology_dsm_hostname;
+        $this->acme_env['SYNO_Port'] = (string)$this->config->acme_synology_dsm_port;
+        $this->acme_env['SYNO_Scheme'] = (string)$this->config->acme_synology_dsm_scheme;
+        $this->acme_env['SYNO_Username'] = (string)$this->config->acme_synology_dsm_username;
+        $this->acme_env['SYNO_Password'] = (string)$this->config->acme_synology_dsm_password;
+        if (!empty((string)$this->config->acme_synology_dsm_create)) {
+            $this->acme_env['SYNO_Create'] = (string)$this->config->acme_synology_dsm_create;
+        }
+        if (!empty((string)$this->config->acme_synology_dsm_deviceid)) {
+            $this->acme_env['SYNO_DID'] = (string)$this->config->acme_synology_dsm_deviceid;
+        }
+        $this->acme_args[] = '--deploy-hook synology_dsm';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index 349e22bff4..e15ab16f42 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -47,7 +47,7 @@ abstract class Base extends \OPNsense\AcmeClient\LeCommon
      * Initialize LeAutomation object by adding the required configuration.
      * @return boolean
      */
-    public function init(string $certid, string $accountuuid)
+    public function init(string $certid, string $certname, string $accountuuid)
     {
         // Get config object
         $this->loadConfig(self::CONFIG_PATH, $this->uuid);
@@ -60,12 +60,25 @@ public function init(string $certid, string $accountuuid)
         $this->account_id = (string)$account->id;
         $this->account_uuid = (string)$account->uuid;
 
+        // Teach acme.sh about DNS API hook location
+        $this->acme_env['_SCRIPT_HOME'] = self::ACME_SCRIPT_HOME;
+
         // Set log level
         $this->setLoglevel();
 
         // Set ACME CA
         $this->setCa($accountuuid);
 
+        // Store acme filenames
+        $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = LeUtils::execSafe('--certpath %s', sprintf(self::ACME_CERT_FILE, $this->cert_id));
+        $this->acme_args[] = LeUtils::execSafe('--keypath %s', sprintf(self::ACME_KEY_FILE, $this->cert_id));
+        $this->acme_args[] = LeUtils::execSafe('--capath %s', sprintf(self::ACME_CHAIN_FILE, $this->cert_id));
+        $this->acme_args[] = LeUtils::execSafe('--fullchainpath %s', sprintf(self::ACME_FULLCHAIN_FILE, $this->cert_id));
+
+        // Main domain for acme
+        $this->acme_args[] = LeUtils::execSafe('--domain %s', $certname);
+
         return true;
     }
 
@@ -80,7 +93,72 @@ public function run()
             return true; // not an error
         }
 
-        LeUtils::log('running automation: ' . $this->config->name);
+        // The prefix determines which automation flavour is being used.
+        if (preg_match('/acme.*/i', $this->getType())) {
+            $this->runAcme();
+        } elseif (preg_match('/configd_.*/i', $this->getType())) {
+            $this->runConfigd();
+        } else {
+            LeUtils::log_error('unsupported automation flavour: ' . $this->getType());
+            return false;
+        }
+    }
+
+    /**
+     * run acme.sh deploy hooks commands
+     * @return boolean
+     */
+    public function runAcme()
+    {
+        LeUtils::log('running automation (acme.sh): ' . $this->config->name);
+
+        // Preparation to run acme client
+        $proc_env = $this->acme_env; // env variables for proc_open()
+        $proc_env['PATH'] = $this::ACME_ENV_PATH;
+        $proc_desc = array(  // descriptor array for proc_open()
+            0 => array("pipe", "r"), // stdin
+            1 => array("pipe", "w"), // stdout
+            2 => array("pipe", "w")  // stderr
+        );
+        $proc_pipes = array();
+
+        // Run acme client
+        $acmecmd = self::ACME_CMD
+          . ' '
+          . '--deploy '
+          . implode(' ', $this->acme_args);
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+        $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
+
+        // Make sure the resource could be setup properly
+        if (is_resource($proc)) {
+            // Close all pipes
+            fclose($proc_pipes[0]);
+            fclose($proc_pipes[1]);
+            fclose($proc_pipes[2]);
+            // Get exit code
+            $result = proc_close($proc);
+        } else {
+            LeUtils::log_error('unable to start acme client process');
+            return false;
+        }
+
+        // Check validation result
+        if ($result) {
+            LeUtils::log_error('running acme.sh deploy hook failed (' . $this->getMethod() . ')');
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * run configd commands
+     * @return boolean
+     */
+    public function runConfigd()
+    {
+        LeUtils::log('running automation (configd): ' . $this->config->name);
         $backend = new \OPNsense\Core\Backend();
         $response = $backend->configdRun((string)$this->command, $this->command_args);
         return true;
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Configd.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdGeneric.php
similarity index 87%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Configd.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdGeneric.php
index 810fafab54..c56a1bb893 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Configd.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdGeneric.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35,17 +35,17 @@
  * Run selected configd command
  * @package OPNsense\AcmeClient
  */
-class Configd extends Base implements LeAutomationInterface
+class ConfigdGeneric extends Base implements LeAutomationInterface
 {
     public function prepare()
     {
         // Make sure a configd command was specified.
-        if (empty((string)$this->config->configd)) {
+        if (empty((string)$this->config->configd_generic_command)) {
             LeUtils::log_error('no configd command specified for automation: ' . $this->config->name);
             return false;
         }
 
-        $this->command = (string)$this->config->configd;
+        $this->command = (string)$this->config->configd_generic_command;
         return true;
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartGui.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartGui.php
similarity index 93%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartGui.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartGui.php
index e63cf479e5..18d35b2b5f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartGui.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartGui.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34,7 +34,7 @@
  * Restart OPNsense WebGUI
  * @package OPNsense\AcmeClient
  */
-class RestartGui extends Base implements LeAutomationInterface
+class ConfigdRestartGui extends Base implements LeAutomationInterface
 {
     public function prepare()
     {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartHaproxy.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartHaproxy.php
similarity index 93%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartHaproxy.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartHaproxy.php
index c40e9fce7c..25f351ef09 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartHaproxy.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartHaproxy.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34,7 +34,7 @@
  * Restart local HAProxy service
  * @package OPNsense\AcmeClient
  */
-class RestartHaproxy extends Base implements LeAutomationInterface
+class ConfigdRestartHaproxy extends Base implements LeAutomationInterface
 {
     public function prepare()
     {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartNginx.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartNginx.php
similarity index 93%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartNginx.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartNginx.php
index fc803e78ad..c2e9f4863e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/RestartNginx.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRestartNginx.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34,7 +34,7 @@
  * Restart local Nginx service
  * @package OPNsense\AcmeClient
  */
-class RestartNginx extends Base implements LeAutomationInterface
+class ConfigdRestartNginx extends Base implements LeAutomationInterface
 {
     public function prepare()
     {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadHighwinds.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadHighwinds.php
similarity index 93%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadHighwinds.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadHighwinds.php
index 1e9bfdcba3..a17197815f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadHighwinds.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadHighwinds.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34,7 +34,7 @@
  * Upload certificate to Highwinds CDN API
  * @package OPNsense\AcmeClient
  */
-class UploadHighwinds extends Base implements LeAutomationInterface
+class ConfigdUploadHighwinds extends Base implements LeAutomationInterface
 {
     public function prepare()
     {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadSftp.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadSftp.php
similarity index 93%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadSftp.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadSftp.php
index 11770c8f5e..af4ddd8cda 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/UploadSftp.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadSftp.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34,7 +34,7 @@
  * Upload certificate via SFTP to arbitrary hosts
  * @package OPNsense\AcmeClient
  */
-class UploadSftp extends Base implements LeAutomationInterface
+class ConfigdUploadSftp extends Base implements LeAutomationInterface
 {
     public function prepare()
     {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 9aaf313beb..72a8f1eced 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -605,7 +605,7 @@ public function runAutomations()
         foreach ($automations as $auto_uuid) {
             $autoFactory = new LeAutomationFactory();
             $automation = $autoFactory->getAutomation($auto_uuid);
-            $automation->init($this->getId(), (string)$this->config->account);
+            $automation->init($this->getId(), (string)$this->config->name, (string)$this->config->account);
             // Ignore invalid automations.
             if ($automation->prepare()) {
                 $automation->run();
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index 5ea7b5c7d2..ce1ed6e715 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -41,11 +41,14 @@ abstract class LeCommon
     public const ACME_BASE_ACCOUNT_DIR = '/var/etc/acme-client/accounts';
     public const ACME_BASE_CERT_DIR = '/var/etc/acme-client/certs';
     public const ACME_BASE_CONFIG_DIR = '/var/etc/acme-client/configs';
+    public const ACME_CMD = '/usr/local/sbin/acme.sh';
     public const ACME_HOME_DIR = '/var/etc/acme-client/home';
 
     // Defaults for acme.sh
     public const ACME_ACCOUNT_KEY_LENGTH = 4096;
     public const ACME_ENV_PATH = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin';
+    public const ACME_SCRIPT_HOME = '/usr/local/share/examples/acme.sh';
+    public const ACME_WEBROOT = '/var/etc/acme-client/challenges';
 
     // Filenames for certs, configs, ...
     public const ACME_CERT_DIR = '/var/etc/acme-client/certs/%s/';
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index d50292c665..433572cba9 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -68,7 +68,7 @@ public function init(string $certid, string $accountuuid)
         $this->account_uuid = (string)$account->getUuid();
 
         // Teach acme.sh about DNS API hook location
-        $this->acme_env['_SCRIPT_HOME'] = '/usr/local/share/examples/acme.sh';
+        $this->acme_env['_SCRIPT_HOME'] = self::ACME_SCRIPT_HOME;
 
         // Set log level
         $this->setLoglevel();
@@ -83,7 +83,7 @@ public function init(string $certid, string $accountuuid)
                 $this->acme_args[] = LeUtils::execSafe('--dnssleep %s', (string)$this->config->dns_sleep);
                 break;
             case 'http01':
-                $this->acme_args[] = '--webroot /var/etc/acme-client/challenges';
+                $this->acme_args[] = '--webroot ' . self::ACME_WEBROOT;
                 break;
         }
 
@@ -159,7 +159,8 @@ public function run(bool $renew = false)
         // NOTE: We "export" certificates to our own directory, so we don't have to deal
         // with domain names in filesystem, but instead can use the ID of our certObj, which
         // will never change.
-        $acmecmd = '/usr/local/sbin/acme.sh '
+        $acmecmd = self::ACME_CMD
+          . ' '
           . "--${acme_action} "
           . implode(' ', $this->acme_args) . ' '
           . LeUtils::execSafe('--accountconf %s', $account_conf_file);
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 9b3650d8de..c514f31c4c 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1042,12 +1042,13 @@
                 <type type="OptionField">
                     <Required>Y</Required>
                     <OptionValues>
-                        <restart_gui>Restart OPNsense Web UI</restart_gui>
-                        <restart_haproxy>Restart HAProxy (OPNsense plugin)</restart_haproxy>
-                        <restart_nginx>Restart Nginx (OPNsense plugin)</restart_nginx>
-                        <upload_highwinds>Upload certificate to Highwinds CDN</upload_highwinds>
-                        <upload_sftp>Upload certificate via SFTP</upload_sftp>
-                        <configd>System or Plugin Command</configd>
+                        <configd_restart_gui>Restart OPNsense Web UI</configd_restart_gui>
+                        <configd_restart_haproxy>Restart HAProxy (OPNsense plugin)</configd_restart_haproxy>
+                        <configd_restart_nginx>Restart Nginx (OPNsense plugin)</configd_restart_nginx>
+                        <configd_upload_highwinds>Upload certificate to Highwinds CDN</configd_upload_highwinds>
+                        <configd_upload_sftp>Upload certificate via SFTP</configd_upload_sftp>
+                        <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
+                        <configd_generic>System or Plugin Command</configd_generic>
                     </OptionValues>
                 </type>
                 <highwinds_account_hash type="TextField">
@@ -1136,6 +1137,7 @@
                     <ValidationMessage>Should be a string between 1 and 255 characters.
                                        Characters are limited to [a-z], [0-9] and [{}@./-_%] and the string must neither begin nor end with '/'.</ValidationMessage>
                 </sftp_filename_fullchain>
+                <!-- old value, should be removed in next major release -->
                 <configd type="ConfigdActionsField">
                     <filters>
                         <description>/^(?!.*(Let\'s\ Encrypt|acme|[fF]irmware))([\S\s]{1,255})/</description>
@@ -1143,6 +1145,47 @@
                     <ValidationMessage>Select a command from the list.</ValidationMessage>
                     <Required>N</Required>
                 </configd>
+                <configd_generic_command type="ConfigdActionsField">
+                    <filters>
+                        <description>/^(?!.*(Let\'s\ Encrypt|acme|[fF]irmware))([\S\s]{1,255})/</description>
+                    </filters>
+                    <ValidationMessage>Select a command from the list.</ValidationMessage>
+                    <Required>N</Required>
+                </configd_generic_command>
+                <acme_synology_dsm_hostname type="HostnameField">
+                    <default></default>
+                    <Required>N</Required>
+                </acme_synology_dsm_hostname>
+                <acme_synology_dsm_port type="PortField">
+                    <default>5000</default>
+                    <Required>N</Required>
+                </acme_synology_dsm_port>
+                <acme_synology_dsm_scheme type="OptionField">
+                    <default>http</default>
+                    <Required>N</Required>
+                    <OptionValues>
+                        <http>HTTP [default]</http>
+                        <https>HTTPS</https>
+                    </OptionValues>
+                </acme_synology_dsm_scheme>
+                <acme_synology_dsm_username type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_synology_dsm_username>
+                <acme_synology_dsm_password type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_synology_dsm_password>
+                <acme_synology_dsm_create type="BooleanField">
+                    <default>1</default>
+                </acme_synology_dsm_create>
+                <acme_synology_dsm_deviceid type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_synology_dsm_deviceid>
             </action>
         </actions>
     </items>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_1_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_1_0.php
new file mode 100644
index 0000000000..f8f751cd24
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_1_0.php
@@ -0,0 +1,72 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M3_1_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Search actions
+        foreach ($model->getNodeByReference('actions.action')->iterateItems() as $action) {
+            // Field "configd" was renamed to "configd_generic_command"
+            if (!empty((string)$action->configd)) {
+                $action->configd_generic_command = (string)$action->configd;
+                $action->configd = null; // clear old value
+            }
+
+            // Get old type and map to new value
+            $old_type = (string)$action->type;
+            switch ($old_type) {
+                case 'configd':
+                    $new_type = 'configd_generic';
+                    break;
+                case 'restart_gui':
+                    $new_type = 'configd_restart_gui';
+                    break;
+                case 'restart_haproxy':
+                    $new_type = 'configd_restart_haproxy';
+                    break;
+                case 'restart_nginx':
+                    $new_type = 'configd_restart_nginx';
+                    break;
+                case 'upload_highwinds':
+                    $new_type = 'configd_upload_highwinds';
+                    break;
+                case 'upload_sftp':
+                    $new_type = 'configd_upload_sftp';
+                    break;
+            }
+            $action->type = $new_type;
+        }
+    }
+}

From 5f52f3869eb7db23dc2030e3a8ab9f21ed4095d1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 12 Nov 2021 22:54:21 +0100
Subject: [PATCH 0812/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index d3a8c100bc..eab7942448 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.4
+PLUGIN_VERSION=		3.5
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From d1907f96135343a5fc3fa8f4f12aaecfdf7fbfa1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 12 Nov 2021 23:35:00 +0100
Subject: [PATCH 0813/3088] security/acme-client: add support for acme.sh
 deploy hook "fritzbox"

---
 security/acme-client/pkg-descr                |  3 +-
 .../AcmeClient/forms/dialogAction.xml         | 21 +++++++++
 .../AcmeClient/LeAutomation/AcmeFritzbox.php  | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 16 +++++++
 4 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeFritzbox.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 0777c8d513..d81b18e4a4 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -11,7 +11,8 @@ Plugin Changelog
 3.5
 
 Added:
-* add support for Synology DSM deploy hook (#2236)
+* new automation: cert upload to Synology DSM (#2236)
+* new automation: cert upload to FRITZ!Box router
 
 Changed:
 * refactor code to support acme.sh deploy hooks
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 2c875b786e..15dbabc9fa 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -199,4 +199,25 @@
         <type>checkbox</type>
         <help>This option ensures that a new certificate is created in Synology DSM if it does not exist yet. If unchecked only existing certificates will be updated.</help>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_fritzbox</style>
+    </field>
+    <field>
+        <id>action.acme_fritzbox_url</id>
+        <label>FRITZ!Box URL</label>
+        <type>text</type>
+        <help>URL of the router, i.e. https://fritzbox.example.com.</help>
+    </field>
+    <field>
+        <id>action.acme_fritzbox_username</id>
+        <label>Username</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>action.acme_fritzbox_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeFritzbox.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeFritzbox.php
new file mode 100644
index 0000000000..ed60880aa8
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeFritzbox.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook fritzbox
+ * @package OPNsense\AcmeClient
+ */
+class AcmeFritzbox extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DEPLOY_FRITZBOX_URL'] = (string)$this->config->acme_fritzbox_url;
+        $this->acme_env['DEPLOY_FRITZBOX_USERNAME'] = (string)$this->config->acme_fritzbox_username;
+        $this->acme_env['DEPLOY_FRITZBOX_PASSWORD'] = (string)$this->config->acme_fritzbox_password;
+        $this->acme_args[] = '--deploy-hook fritzbox';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index c514f31c4c..362bb20177 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1047,6 +1047,7 @@
                         <configd_restart_nginx>Restart Nginx (OPNsense plugin)</configd_restart_nginx>
                         <configd_upload_highwinds>Upload certificate to Highwinds CDN</configd_upload_highwinds>
                         <configd_upload_sftp>Upload certificate via SFTP</configd_upload_sftp>
+                        <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
                         <configd_generic>System or Plugin Command</configd_generic>
                     </OptionValues>
@@ -1186,6 +1187,21 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_synology_dsm_deviceid>
+                <acme_fritzbox_url type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_fritzbox_url>
+                <acme_fritzbox_username type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_fritzbox_username>
+                <acme_fritzbox_password type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_fritzbox_password>
             </action>
         </actions>
     </items>

From 9143ccf8072d12df07139eeeb9d1f8d479561219 Mon Sep 17 00:00:00 2001
From: SB <s.burrell.rsa@gmail.com>
Date: Sun, 14 Nov 2021 11:05:40 +0200
Subject: [PATCH 0814/3088] net/frr: added as-override to gui (#2517)

---
 .../app/controllers/OPNsense/Quagga/Api/BgpController.php   | 1 +
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml         | 6 ++++++
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 3 +++
 4 files changed, 14 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 68fb8c75ba..8eb6bd1296 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -52,6 +52,7 @@ public function searchNeighborAction()
                   "holddown",
                   "connecttimer",
                   "defaultoriginate",
+                  "asoverride",
                   "linkedPrefixlistIn",
                   "linkedPrefixlistOut",
                   "linkedRoutemapIn",
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index f494060aae..0171233fe9 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -89,6 +89,12 @@
     <label>Send Defaultroute</label>
     <type>checkbox</type>
   </field>
+  <field>
+    <id>neighbor.asoverride</id>
+    <label>Enable As-Override</label>
+    <type>checkbox</type>
+	<help>Override AS number of the originating router with the local AS number. This command is only allowed for eBGP peers.</help>
+  </field>
   <field>
     <id>neighbor.linkedPrefixlistIn</id>
     <label>Prefix-List In</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index cc5b2782bf..76dbc3ec9b 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -114,6 +114,10 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </defaultoriginate>
+                        <asoverride type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </asoverride>
                         <linkedPrefixlistIn type="ModelRelationField">
                                 <Model>
                                         <template>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index e0a9b8d5c5..a9c4b993ee 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -99,6 +99,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     if 'defaultoriginate' in neighbor and neighbor.defaultoriginate == '1' %}
   neighbor {{ neighbor.address }} default-originate
 {%     endif %}
+{%     if 'asoverride' in neighbor and neighbor.asoverride == '1' %}
+  neighbor {{ neighbor.address }} as-override
+{%         endif %}
 {%     if neighbor.linkedPrefixlistIn|default("") != "" %}
 {%       for prefixlist in neighbor.linkedPrefixlistIn.split(",") %}
 {%         set prefixlist2_data = helpers.getUUID(prefixlist) %}

From aeff602fd2eecc1fc350445e5ca3838c20713e78 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 14 Nov 2021 10:13:17 +0100
Subject: [PATCH 0815/3088] net/frr: improve label

---
 .../controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 0171233fe9..089c15faf4 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -91,7 +91,7 @@
   </field>
   <field>
     <id>neighbor.asoverride</id>
-    <label>Enable As-Override</label>
+    <label>Enable AS-Override</label>
     <type>checkbox</type>
 	<help>Override AS number of the originating router with the local AS number. This command is only allowed for eBGP peers.</help>
   </field>

From 09ffc138cbaeddd712848a454174c9375cf66a2a Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sun, 14 Nov 2021 11:28:54 +0300
Subject: [PATCH 0816/3088] support syslog-ng

add filter definition for syslog-ng
---
 .../service/templates/OPNsense/AcmeClient/+TARGETS         | 1 +
 .../templates/OPNsense/AcmeClient/syslog-filter.conf       | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/syslog-filter.conf

diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/+TARGETS b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/+TARGETS
index d00a853394..5190d6c339 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/+TARGETS
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/+TARGETS
@@ -1,2 +1,3 @@
 lighttpd-acme-challenge.conf:/var/etc/lighttpd-acme-challenge.conf
 rc.conf.d:/etc/rc.conf.d/acme_http_challenge
+syslog-filter.conf:/usr/local/opnsense/service/templates/OPNsense/Syslog/local/acmeclient.conf
diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/syslog-filter.conf b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/syslog-filter.conf
new file mode 100644
index 0000000000..051781f28f
--- /dev/null
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/syslog-filter.conf
@@ -0,0 +1,7 @@
+###################################################################
+# Local syslog-ng configuration filter definition [acmeclient].
+###################################################################
+filter f_local_acmeclient {
+    program("acme.sh");
+};
+

From 5d54ac69c7a3f7f1d06dd6df7d88686cf6b8b96e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 15 Nov 2021 00:16:49 +0100
Subject: [PATCH 0817/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index d81b18e4a4..07084fd483 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,9 @@ Added:
 * new automation: cert upload to Synology DSM (#2236)
 * new automation: cert upload to FRITZ!Box router
 
+Fixed:
+* fix logging when clog is disabled (#2555)
+
 Changed:
 * refactor code to support acme.sh deploy hooks
 

From a63070bf50c0153e0b3225bc8fd3bd8fe99b0eba Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 15 Nov 2021 10:08:26 +0100
Subject: [PATCH 0818/3088] net/telegraf: Add skip_verify also to influxv2
 (#2649)

---
 net-mgmt/telegraf/Makefile                                  | 2 +-
 net-mgmt/telegraf/pkg-descr                                 | 4 ++++
 .../mvc/app/controllers/OPNsense/Telegraf/forms/output.xml  | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml    | 4 ++++
 .../service/templates/OPNsense/Telegraf/telegraf.conf       | 5 +++++
 5 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 0e31d6ae9f..a45240ddb8 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.2
+PLUGIN_VERSION=		1.12.3
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 40f690458f..f43c1a2cbb 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.3
+
+* Add insecure_skip_verify as an option for Influx v2 output
+
 1.12.2
 
 * Add insecure_skip_verify as an option for Influx v1 output
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 38be9076f7..0b1c1a6e4e 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -71,6 +71,12 @@
         <type>text</type>
         <help>Set the name of the bucket in Influx v2.</help>
     </field>
+    <field>
+        <id>output.influx_v2_insecure_skip_verify</id>
+        <label>Disable SSL verification v2</label>
+        <type>checkbox</type>
+        <help>This will skip chain and host verification.</help>
+    </field>
     <field>
         <id>output.graphite_enable</id>
         <label>Enable Graphite Output</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index e6072a3638..7e7bdb8055 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -113,6 +113,10 @@
             <default></default>
             <Required>N</Required>
         </influx_v2_bucket>
+        <influx_v2_insecure_skip_verify type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </influx_v2_insecure_skip_verify>
         <datadog_enable type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 9d946839bb..6bd064beb6 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -164,6 +164,11 @@
 {%   if helpers.exists('OPNsense.telegraf.output.influx_v2_bucket') and OPNsense.telegraf.output.influx_v2_bucket != '' %}
   bucket = "{{ OPNsense.telegraf.output.influx_v2_bucket }}"
 {%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.influx_v2_insecure_skip_verify') and OPNsense.telegraf.output.influx_v2_insecure_skip_verify == '1' %}
+  insecure_skip_verify = true
+{%   else %}
+  insecure_skip_verify = false
+{%   endif %}
 {% endif %}
 
 {% if helpers.exists('OPNsense.telegraf.input.cpu') and OPNsense.telegraf.input.cpu == '1' %}

From 7ce6c2b7b6a57bf6bfc8b385e65b0049ddb2f0a1 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 15 Nov 2021 13:11:08 +0100
Subject: [PATCH 0819/3088] net/wireguard: rename WireGuard to WireGuard
 (Group) in filter rules (#2650)

---
 net/wireguard/Makefile                                | 2 +-
 net/wireguard/pkg-descr                               | 4 ++++
 net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 5bb74f7d77..8cd2d5c43a 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.8
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 753538d011..e6d9ce270f 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.9
+
+* Rename interface label in filter rules (#2577)
+
 1.8
 
 * Empty port in Endpoint is allowed
diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index 68de9927ee..2efb42b500 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -61,7 +61,7 @@ function wireguard_interfaces()
     }
     $oic = array('enable' => true);
     $oic['if'] = 'wireguard';
-    $oic['descr'] = 'WireGuard';
+    $oic['descr'] = gettext('WireGuard (Group)');
     $oic['type'] = 'group';
     $oic['virtual'] = true;
     $oic['networks'] = array();

From 8cab014523e64b36df957640ad44619a327c1b61 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Nov 2021 08:41:46 +0100
Subject: [PATCH 0820/3088] plugins: style sweep

---
 .../opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php  | 6 +++---
 .../templates/OPNsense/AcmeClient/syslog-filter.conf        | 1 -
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
index 82243d95f7..8406572815 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
@@ -48,10 +48,10 @@
         $lua_id = (string)$lua->id;
         $lua_filename_scheme = (string)$lua->filename_scheme;
         if ($lua_filename_scheme != '' and $lua_filename_scheme === 'name') {
-          $_name_alnum = preg_replace("/[^A-Za-z0-9]/", '', $lua_name);
-          $lua_filename = $export_path . $_name_alnum . '.lua';
+            $_name_alnum = preg_replace("/[^A-Za-z0-9]/", '', $lua_name);
+            $lua_filename = $export_path . $_name_alnum . '.lua';
         } else {
-          $lua_filename = $export_path . $lua_id . '.lua';
+            $lua_filename = $export_path . $lua_id . '.lua';
         }
         $lua_content = htmlspecialchars_decode(str_replace("\r", "", (string)$lua->content));
         file_put_contents($lua_filename, $lua_content);
diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/syslog-filter.conf b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/syslog-filter.conf
index 051781f28f..5fb8096370 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/syslog-filter.conf
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/syslog-filter.conf
@@ -4,4 +4,3 @@
 filter f_local_acmeclient {
     program("acme.sh");
 };
-

From 07bce501d390e0ef0fc5c037ce29a085a5410694 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 18 Nov 2021 23:31:46 +0100
Subject: [PATCH 0821/3088] net-mgmt/zabbix-proxy: use new db file for each
 version, fixes #1943

---
 net-mgmt/zabbix-proxy/pkg-descr                               | 4 ++++
 .../templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in       | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index fdffbe0b9c..3c969a50ec 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.6
+
+* Fix upgrade path by using a new db file for each version (#1943)
+
 1.5
 
 * Add log file to web GUI (contributed by Starkstromkonsument)
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index d3b5ec2580..f4b2adf115 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -22,7 +22,7 @@ SourceIP={{ OPNsense.zabbixproxy.general.sourceip }}
 {% endif %}
 LogFile=/var/log/zabbix/zabbix_proxy.log
 PidFile=/var/run/zabbix/zabbix_proxy.pid
-DBName=/var/db/zabbix/zabbix_proxy.db
+DBName=/var/db/zabbix/%%PLUGIN_VARIANT%%_proxy.db
 {% if helpers.exists('OPNsense.zabbixproxy.general.proxyofflinebuffer') and OPNsense.zabbixproxy.general.proxyofflinebuffer != '' %}
 ProxyOfflineBuffer={{ OPNsense.zabbixproxy.general.proxyofflinebuffer }}
 {% endif %}

From d155732db6c8508070e55df72445dcc71686e53f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 18 Nov 2021 23:34:57 +0100
Subject: [PATCH 0822/3088] net-mgmt/zabbix-proxy: add plugin variant for
 version 5.4

---
 net-mgmt/zabbix-proxy/Makefile  | 5 ++++-
 net-mgmt/zabbix-proxy/pkg-descr | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index ec72c7e56a..2b21519930 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -2,11 +2,14 @@ PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix5 zabbix4
+PLUGIN_VARIANTS=	zabbix5 zabbix54 zabbix4
 
 zabbix5_NAME=		zabbix5-proxy
 zabbix5_DEPENDS=	zabbix5-proxy
 
+zabbix54_NAME=		zabbix54-proxy
+zabbix54_DEPENDS=	zabbix54-proxy
+
 zabbix4_NAME=		zabbix4-proxy
 zabbix4_DEPENDS=	zabbix4-proxy
 
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 3c969a50ec..9a405114b5 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 1.6
 
 * Fix upgrade path by using a new db file for each version (#1943)
+* Add plugin variant for Zabbix Proxy 5.4
 
 1.5
 

From d30672897b67ecfe5841efdd4fd2a8b4427de50f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 18 Nov 2021 23:36:09 +0100
Subject: [PATCH 0823/3088] net-mgmt/zabbix-proxy: bump version

---
 net-mgmt/zabbix-proxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 2b21519930..362f05058b 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.5
+PLUGIN_VERSION=		1.6
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix5 zabbix54 zabbix4

From 1aac7bde4b45482d706e54a6ba7a1614a1b57ac6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 19 Nov 2021 23:53:07 +0100
Subject: [PATCH 0824/3088] net/haproxy: add support for unix sockets, refs
 #2040

---
 .../OPNsense/HAProxy/forms/dialogFrontend.xml         |  2 +-
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml       |  4 ++--
 .../src/opnsense/scripts/OPNsense/HAProxy/setup.sh    |  2 +-
 .../service/templates/OPNsense/HAProxy/haproxy.conf   | 11 ++++++++++-
 4 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 14e6448499..f7ed024366 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -23,7 +23,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Configure listen addresses for this Public Service, i.e. 127.0.0.1:8080 or www.example.com:443. Use TAB key to complete typing a listen address.]]></help>
+        <help><![CDATA[Configure listen addresses for this Public Service, i.e. 127.0.0.1:8080 or www.example.com:443 or unix@socket-name. Use TAB key to complete typing a listen address.]]></help>
         <hint>Enter address:port here. Finish with TAB.</hint>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 89cfe9e0f9..d1a80ce55b 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -427,9 +427,9 @@
                 <bind type="CSVListField">
                     <Required>Y</Required>
                     <multiple>Y</multiple>
-                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</mask>
+                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</mask>
                     <ChangeCase>lower</ChangeCase>
-                    <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080 or www.example.com:443. Port range as start-end, i.e. 127.0.0.1:1220-1240.</ValidationMessage>
+                    <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080, www.example.com:443 or unix@socket-name. Port range as start-end, i.e. 127.0.0.1:1220-1240.</ValidationMessage>
                 </bind>
                 <bindOptions type="TextField">
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
index 8dc393461a..72be06fa62 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
@@ -5,7 +5,7 @@ if [ -f /etc/rc.conf.d/haproxy ]; then
 fi
 
 # NOTE: Keep /var/haproxy on this list, see GH issue opnsense/plugins #39.
-HAPROXY_DIRS="/var/haproxy /var/haproxy/var/run /tmp/haproxy /tmp/haproxy/ssl /tmp/haproxy/lua /tmp/haproxy/errorfiles /tmp/haproxy/mapfiles"
+HAPROXY_DIRS="/var/haproxy /var/haproxy/var/run /tmp/haproxy /tmp/haproxy/ssl /tmp/haproxy/lua /tmp/haproxy/errorfiles /tmp/haproxy/mapfiles /tmp/haproxy/sockets"
 
 for directory in ${HAPROXY_DIRS}; do
     mkdir -p ${directory}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 4ce226be3b..f74430cb45 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1358,7 +1358,16 @@ frontend {{frontend.name}}
 {#       # bind/listen configuration #}
 {%       if frontend.bind|default("") != "" %}
 {%         for bind in frontend.bind.split(",") %}
-    bind {{bind}} name {{bind}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %}
+{#           # check if this is a unix socket #}
+{%           set unix_bind = bind | regex_replace ("^unix@.*","TRUE") %}
+{%           if unix_bind == "TRUE" %}
+{#             # extract socket name and add full path #}
+{%             set socket_name = bind | regex_replace ("^unix@","") %}
+{%             set bind_address = "unix@/tmp/haproxy/sockets/" ~ socket_name %}
+{%           else %}
+{%             set bind_address = bind %}
+{%           endif %}
+    bind {{bind_address}} name {{bind_address}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %}
 
 {%         endfor %}
 {%       endif %}

From 4d94864c93893cd043769019bdb568ff4d8e374b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 20 Nov 2021 00:44:32 +0100
Subject: [PATCH 0825/3088] net/haproxy: support unix sockets as server
 addresses, refs #2040

---
 .../OPNsense/HAProxy/forms/dialogServer.xml    | 12 ++++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml    | 18 +++++++++++++++++-
 .../templates/OPNsense/HAProxy/haproxy.conf    | 18 +++++++++++++++++-
 3 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
index 1436580cf5..01b71a120b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -67,9 +67,21 @@
         <help><![CDATA[Add resolver options. Use TAB key to complete typing.]]></help>
         <hint>Type option name or choose from list.</hint>
     </field>
+    <field>
+        <label>UNIX Socket</label>
+        <type>header</type>
+        <style>table_server_type table_server_type_unix</style>
+    </field>
+    <field>
+        <id>server.unix_socket</id>
+        <label>Frontend (Socket Origin)</label>
+        <type>dropdown</type>
+        <help>Select the frontend that provides the UNIX socket. This UNIX socket will be used as the server's address, making it possible to send connections to this frontend. Only frontends that provide the unix@ pattern as listen address can be selected.</help>
+    </field>
     <field>
         <label>Common Options</label>
         <type>header</type>
+        <style>table_server_type table_server_type_static table_server_type_template</style>
     </field>
     <field>
         <id>server.port</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index d1a80ce55b..009938fc32 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.3.0</version>
+    <version>3.4.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -1251,6 +1251,7 @@
                     <OptionValues>
                         <static>static</static>
                         <template>template</template>
+                        <unix>unix socket</unix>
                     </OptionValues>
                 </type>
                 <serviceName type="TextField">
@@ -1342,6 +1343,21 @@
                 <advanced type="TextField">
                     <Required>N</Required>
                 </advanced>
+                <unix_socket type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>frontends.frontend</items>
+                            <display>name</display>
+                            <filters>
+                                <bind>/unix@/</bind>
+                            </filters>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related frontend item not found</ValidationMessage>
+                    <Required>N</Required>
+                    <Multiple>N</Multiple>
+                </unix_socket>
             </server>
         </servers>
         <healthchecks>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index f74430cb45..bfe118cb9c 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1657,13 +1657,29 @@ backend {{backend.name}}
 # ERROR: server data not found ({{server}})
 {%           else %}
 {#             # check if all required server parameters are set #}
-{%             if (server_data.type|default("") == 'static' and server_data.address|default("") == '') or (server_data.type|default("") == 'template' and (server_data.serviceName|default("") == '' or server_data.number|default("") == '')) %}
+{%             if (server_data.type|default("") == 'static' and server_data.address|default("") == '') or (server_data.type|default("") == 'template' and (server_data.serviceName|default("") == '' or server_data.number|default("") == '')) or (server_data.type|default("") == 'unix' and server_data.unix_socket|default("") == '') %}
 # ERROR: server is invalid, required parameters not set ({{server_data.name}})
 {%             else %}
 {#               # server type #}
 {%               set server_basics = [] %}
 {%               if server_data.type|default("") == 'template' %}
 {%                 do server_basics.append('server-template ' ~ server_data.name ~ ' ' ~ server_data.number ~ ' ' ~ server_data.serviceName) %}
+{%               elif server_data.type|default("") == 'unix' %}
+{#                 # extract unix socket information from frontend #}
+{%                 set frontend_data = helpers.getUUID(server_data.unix_socket) %}
+{%                 set socket_path = "" %}
+{%                 for bind in frontend_data.bind.split(",") %}
+{#                   # check if this is a unix socket #}
+{%                   set unix_bind = bind | regex_replace ("^unix@.*","TRUE") %}
+{%                   if unix_bind == "TRUE" %}
+{#                     # extract socket name and add full path #}
+{%                     set socket_name = bind | regex_replace ("^unix@","") %}
+{%                     set socket_path = "unix@/tmp/haproxy/sockets/" ~ socket_name %}
+{%                     do server_basics.append('server ' ~ server_data.name ~ ' ' ~ socket_path) %}
+{#                     # only the first unix socket is considered #}
+{%                     break %}
+{%                   endif %}
+{%                 endfor %}
 {%               else %}
 {%                 do server_basics.append('server ' ~ server_data.name ~ ' ' ~ server_data.address) %}
 {%               endif %}

From ee12197aca53bf9b9f8cd6811ec29214c2dac362 Mon Sep 17 00:00:00 2001
From: Markus Peter <bimbar@users.noreply.github.com>
Date: Mon, 22 Nov 2021 08:52:34 +0100
Subject: [PATCH 0826/3088] Add nginx listen addresses and default_server,
 fixes #973, #1218, #1675, #2574 (#2578)

- Changed listen_http_port, listen_https_port, listen_port to listen_http_address, listen_https_address, listen_address (issue #973, #2574)
- Migrated the old listen_X_port to the new listen_X_address
- Data Model ver 1.20.0 -> 1.21.0
- implemented default_server directive for non-tls listeners (issue #1218)
- amended Help Message
- added defaults for http server listen addresses
- added changelog
- fixed setup.php certificate setup
- fixed inexplicable missing Reconfigureaction in ServiceController
- fixed version numbers
- removed reconfigureaction in ServiceController again, because it was due to a code cleanup by fichtner and has to be fixed on a higher level
- added NgxUniqueDefaultServerConstraint which makes sure that default_servers do not conflict
- added i18n for the error message
- fixed some formatting issues
- added type hints
---
 www/nginx/Makefile                            |   3 +-
 www/nginx/pkg-descr                           |   5 +
 .../OPNsense/Nginx/Api/LogsController.php     |   2 +-
 .../OPNsense/Nginx/Api/SettingsController.php |   4 +-
 .../OPNsense/Nginx/forms/httpserver.xml       |  23 ++-
 .../OPNsense/Nginx/forms/streamserver.xml     |   9 +-
 .../NgxUniqueDefaultServerConstraint.php      | 134 ++++++++++++++++++
 .../OPNsense/Nginx/Migrations/M1_24_0.php     |  59 ++++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   |  48 ++++---
 .../mvc/app/views/OPNsense/Nginx/index.volt   |   7 +-
 .../src/opnsense/scripts/nginx/setup.php      |   4 +-
 .../templates/OPNsense/Nginx/http.conf        |  18 +--
 .../templates/OPNsense/Nginx/streams.conf     |   8 +-
 13 files changed, 278 insertions(+), 46 deletions(-)
 create mode 100644 www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
 create mode 100644 www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 42b0ebce2d..1fa6c45f02 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.23
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.24
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 5dde33a516..4978ddb057 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,11 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.24
+
+* Change all Listen Port directives to Listen Address and migrate the Port data to Addresses
+* Add default_server option to HTTP Server
+
 1.23
 
 * Add custom error pages on a per HTTP server basis (contributed by 8191)
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
index de4d4cf5b3..765c1be820 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
@@ -170,7 +170,7 @@ private function list_streams()
     {
         $data = [];
         foreach ($this->nginx->stream_server->iterateItems() as $item) {
-            $data[] = array('id' => $item->getAttributes()['uuid'], 'port' => (string)$item->listen_port);
+            $data[] = array('id' => $item->getAttributes()['uuid'], 'port' => (string)$item->listen_address);
         }
         return $data;
     }
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 29c56282e4..8cc0f45871 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -233,7 +233,7 @@ public function searchhttpserverAction()
     {
         return $this->searchBase('http_server', array(
             'servername', 'locations', 'root', 'https_only', 'certificate',
-            'listen_http_port', 'listen_https_port'
+            'listen_http_address', 'listen_https_address', 'default_server'
         ));
     }
 
@@ -261,7 +261,7 @@ public function sethttpserverAction($uuid)
     // stream server
     public function searchstreamserverAction()
     {
-        return $this->searchBase('stream_server', array('description', 'certificate', 'udp', 'listen_port'));
+        return $this->searchBase('stream_server', array('description', 'certificate', 'udp', 'listen_address'));
     }
 
     public function getstreamserverAction($uuid = null)
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index f59e1e5f75..2809f56c9c 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -1,13 +1,24 @@
 <form>
   <field>
-    <id>httpserver.listen_http_port</id>
-    <label>HTTP Listen Port</label>
-    <type>text</type>
+    <id>httpserver.listen_http_address</id>
+    <label>HTTP Listen Address</label>
+    <allownew>true</allownew>
+    <style>tokenize</style>
+    <type>select_multiple</type>
+    <help>Enter a list of IP addresses and ports which can be used in nginx listen directives. To listen on a port on all IPs, use for example "80,[::]:80"</help>
   </field>
   <field>
-    <id>httpserver.listen_https_port</id>
-    <label>HTTPS Listen Port</label>
-    <type>text</type>
+    <id>httpserver.listen_https_address</id>
+    <label>HTTPS Listen Address</label>
+    <allownew>true</allownew>
+    <style>tokenize</style>
+    <type>select_multiple</type>
+    <help>Enter a list of IP addresses and ports which can be used in nginx listen directives. To listen on a port on all IPs, use for example "443,[::]:443"</help>
+  </field>
+  <field>
+    <id>httpserver.default_server</id>
+    <label>Default Server</label>
+    <type>checkbox</type>
   </field>
   <field>
     <id>httpserver.syslog_targets</id>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
index b0d524d8c7..a76c22e977 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
@@ -1,8 +1,11 @@
 <form>
   <field>
-    <id>streamserver.listen_port</id>
-    <label>Listen Port</label>
-    <type>text</type>
+    <id>streamserver.listen_address</id>
+    <label>Listen Address</label>
+    <allownew>true</allownew>
+    <style>tokenize</style>
+    <type>select_multiple</type>
+    <help>Enter a list of IP addresses and ports which can be used in nginx listen directives. To listen on a port on all IPs, use for example "22,[::]:22"</help>
   </field>
   <field>
     <id>streamserver.udp</id>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
new file mode 100644
index 0000000000..1b54234658
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
@@ -0,0 +1,134 @@
+<?php
+
+/*
+* Copyright (C) 2021 Markus Peter mpeter at one-it.de
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are met:
+*
+* 1. Redistributions of source code must retain the above copyright notice,
+*    this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+*    notice, this list of conditions and the following disclaimer in the
+*    documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Base\Constraints;
+
+use Phalcon\Messages\Message;
+
+/**
+ * a very specific nginx check - not reusable
+ * it checks for the uniqueness of servers with the default_server directive
+ *
+ * Class NgxUniqueDefaultServerConstraint
+ * @package OPNsense\Nginx\Constraints
+ */
+class NgxUniqueDefaultServerConstraint extends BaseConstraint
+{
+    public function validate(\Phalcon\Validation $validator, $attribute): bool
+    {
+        $node = $this->getOption('node');
+        if ($node) {
+			$httpServerNode = $node->getParentNode();
+			$defaultServerNode = $httpServerNode->getChild("default_server");
+            if (!$this->isEmpty($defaultServerNode))
+            {
+				$myUUID = $httpServerNode->getAttribute("uuid");
+				$myListenHTTPAddress = $httpServerNode->getChild("listen_http_address");
+				
+				$httpServersNode = $httpServerNode->getParentNode();
+				
+				$httpServers = $httpServersNode->getChildren();
+
+				$msg = "";				
+				foreach ($httpServers as $httpServer)
+				{
+					$uuid = $httpServer->getAttribute("uuid");
+					if ($uuid != $myUUID)
+					{
+						$defaultServerNode = $httpServer->getChild("default_server");
+						if (!$this->isEmpty($defaultServerNode))
+						{
+							$listenHTTPAddressNode = $httpServer->getChild("listen_http_address");
+							if ($this->compareListenAddresses($myListenHTTPAddress, $listenHTTPAddressNode, $msg))
+							{
+								$validator->appendMessage(new Message(
+									sprintf(gettext("There can only be one Default Server on each listening address: %s conflict."), $msg),
+									$attribute
+								));
+							}
+						}
+					}
+				}
+			}
+        }
+        return true;
+    }
+    
+    private function compareListenAddresses($as, $bs, &$msg): bool
+    {
+		foreach (explode(",", $as) as $a)
+		{
+			list($a_af, $a_ip, $a_port) = $this->extractAFIPPort($a);
+			foreach (explode(",", $bs) as $b)
+			{
+				list($b_af, $b_ip, $b_port) = $this->extractAFIPPort($b);
+				if ($a_af == $b_af && $a_port == $b_port)
+				{
+					if ($a_ip == null || $a_ip == "::" || $b_ip == null || $b_ip == "::" || $a_ip == $b_ip)
+					{
+						$msg = "IPv" . $a_af . ": [" . $a_ip . "]:" . $a_port . " and IPv" . $b_af . ": [" . $b_ip . "]:" . $b_port;
+						return true;
+					}
+				}
+			}
+		}
+		return false;
+	}
+	private function extractAFIPPort($in): array
+	{
+		$af = null;
+		$ip = null;
+		$port = null;
+		if (!strpos($in, ":"))
+		{
+			//if only number, then ipv4 port only
+			$af = 4;
+			$port = $in;
+		}
+		else
+		{
+			//extract ip and port
+			if (preg_match("/(?:([0-9.]+)|\[([0-9a-fA-F:]+)\]):(\d+)/", $in, $parts));
+			{
+				if (strpos($in, "[") === 0)
+				{
+					$af = 6;
+					$ip = inet_ntop(inet_pton($parts[2]));
+					$port = $parts[3];
+				}
+				else
+				{
+					$af = 4;
+					$ip = long2ip(ip2long($parts[1]));
+					$port = $parts[3];
+				}
+			}
+		}
+		return [$af, $ip, $port];
+	}
+}
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
new file mode 100644
index 0000000000..cac938df98
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
@@ -0,0 +1,59 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Markus Peter mpeter at one-it.de
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Nginx\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M1_24_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->getNodeByReference('http_server')->iterateItems() as $http_server) {
+			if ($http_server->listen_http_port != '')
+			{
+				$http_server->listen_http_address = $http_server->listen_http_port . ',[::]:' . $http_server->listen_http_port;
+				$http_server->listen_http_port = null;
+			}
+			if ($http_server->listen_https_port != '')
+			{
+				$http_server->listen_https_address = $http_server->listen_https_port . ',[::]:' . $http_server->listen_https_port;
+				$http_server->listen_https_port = null;
+			}
+        }
+        foreach ($model->getNodeByReference('stream_server')->iterateItems() as $server) {
+			if ($server->listen_port != '')
+			{
+				$server->listen_address = $server->listen_port . ',[::]:' . $server->listen_port;
+				$server->listen_port = null;
+			}
+        }
+    }
+}
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index c5ac1ca223..0bea091e0b 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.20.1</version>
+  <version>1.24.0</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -662,14 +662,34 @@
         <Required>N</Required>
         <multiple>Y</multiple>
       </syslog_targets>
-      <listen_http_port type="PortField">
+      <listen_http_address type="CSVListField">
         <Required>N</Required>
-        <default>80</default>
-      </listen_http_port>
-      <listen_https_port type="PortField">
+        <multiple>Y</multiple>
+        <default>80,[::]:80</default>
+        <mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</mask>
+        <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
+        <Constraints>
+          <check001>
+            <type>NgxUniqueDefaultServerConstraint</type>
+          </check001>
+        </Constraints>
+      </listen_http_address>
+      <listen_https_address type="CSVListField">
         <Required>N</Required>
-        <default>443</default>
-      </listen_https_port>
+        <multiple>Y</multiple>
+        <default>443,[::]:443</default>
+        <mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</mask>
+        <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
+      </listen_https_address>
+      <default_server type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+        <Constraints>
+          <check001>
+            <type>NgxUniqueDefaultServerConstraint</type>
+          </check001>
+        </Constraints>
+      </default_server>
       <proxy_protocol type="BooleanField">
         <default>0</default>
         <Required>Y</Required>
@@ -894,16 +914,12 @@
     </http_server>
 
     <stream_server type="ArrayField">
-      <listen_port type="PortField">
+      <listen_address type="CSVListField">
         <Required>N</Required>
-        <default>80</default>
-        <Constraints>
-          <check001>
-            <ValidationMessage>You can only use one server at this port.</ValidationMessage>
-            <type>UniqueConstraint</type>
-          </check001>
-        </Constraints>
-      </listen_port>
+        <multiple>Y</multiple>
+        <mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</mask>
+        <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
+      </listen_address>
       <syslog_targets type="ModelRelationField">
         <Model>
           <template>
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index 7ad59f7168..72bd40d91f 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -345,8 +345,9 @@
                     <th data-column-id="root" data-type="string" data-sortable="true" data-visible="false">{{ lang._('File System Root') }}</th>
                     <th data-column-id="certificate" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Certificate') }}</th>
                     <th data-column-id="https_only" data-type="boolean" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTPS Only') }}</th>
-                    <th data-column-id="listen_http_port" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTP Port') }}</th>
-                    <th data-column-id="listen_https_port" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTPS Port') }}</th>
+                    <th data-column-id="listen_http_address" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTP Address') }}</th>
+                    <th data-column-id="listen_https_address" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTPS Address') }}</th>
+                    <th data-column-id="default_server" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Default') }}</th>
                     <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
@@ -369,7 +370,7 @@
                 <tr>
                     <th data-column-id="certificate" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Certificate') }}</th>
                     <th data-column-id="udp" data-type="string" data-sortable="true" data-visible="true">{{ lang._('UDP') }}</th>
-                    <th data-column-id="listen_port" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Port') }}</th>
+                    <th data-column-id="listen_address" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Address') }}</th>
                     <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 2c1b58c692..849b482572 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -82,7 +82,7 @@ function find_ca($refid)
         $http_servers = array($nginx['http_server']);
     }
     foreach ($http_servers as $http_server) {
-        if (!empty($http_server['listen_https_port']) && !empty($http_server['certificate'])) {
+        if (!empty($http_server['listen_https_address']) && !empty($http_server['certificate'])) {
           // try to find the reference
             $cert = find_cert($http_server['certificate']);
             if (!isset($cert)) {
@@ -127,7 +127,7 @@ function find_ca($refid)
         $stream_servers = array($nginx['stream_server']);
     }
     foreach ($stream_servers as $stream_server) {
-        if (!empty($stream_server['listen_port']) && !empty($stream_server['certificate'])) {
+        if (!empty($stream_server['listen_address']) && !empty($stream_server['certificate'])) {
           // try to find the reference
             $cert = find_cert($stream_server['certificate']);
             if (!isset($cert)) {
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 3d52446953..243777d2e4 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -90,15 +90,17 @@ include opnsense_http_vhost_plugins/*.conf;
 server {
 {% set our_headers = [] %}
 {% do our_headers.append('X-Powered-By') %}
-{%   if server.listen_http_port is defined %}
-    listen  {{ server.listen_http_port }}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
-    listen  [::]:{{ server.listen_http_port }}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
-{% do listen_list.append(server.listen_http_port) %}
+
+{%   if server.listen_http_address is defined and server.listen_http_address != '' %}
+{%     for listen_address in server.listen_http_address.split(',') %}
+    listen {{ listen_address }}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %}{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
+{%     endfor %}
 {%   endif %}
-{%   if server.listen_https_port is defined and server.certificate is defined %}
-    listen  {{ server.listen_https_port }} http2 ssl;
-    listen  [::]:{{ server.listen_https_port }} http2 ssl;
-{% do listen_list.append(server.listen_https_port) %}
+
+{%   if server.listen_https_address is defined and server.listen_https_address != '' and server.certificate is defined %}
+{%     for listen_address in server.listen_https_address.split(',') %}
+    listen {{ listen_address }} http2 ssl;
+{%     endfor %}
 {%     if server.ca is defined %}
     ssl_client_certificate /usr/local/etc/nginx/key/{{ single_servername }}_ca.pem;
     ssl_verify_client {{ server.verify_client }};
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index a5c991570d..f19d6a6cd5 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -46,9 +46,11 @@
     # servers
     server {
 {%   set tls_enabled = server.certificate is defined %}
-{%   if server.listen_port is defined %}
-        listen  {{ server.listen_port }}{% if server.udp is defined and server.udp == '1' %} udp{% endif %}{% if tls_enabled %} ssl{% endif %}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
-        listen  [::]:{{ server.listen_port }}{% if server.udp is defined and server.udp == '1' %} udp{% endif %}{% if tls_enabled %} ssl{% endif %}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
+
+{%   if server.listen_address is defined and server.listen_address != '' %}
+{%     for listen_address in server.listen_address.split(',') %}
+        listen {{ listen_address }}{% if server.udp is defined and server.udp == '1' %} udp{% endif %}{% if tls_enabled %} ssl{% endif %}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
+{%     endfor %}
 {%   endif %}
 
         access_log  /var/log/nginx/stream_{{ server['@uuid'] }}.access.log main;

From 880e13538ee1d89892bfb0324350079e93e64811 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 22 Nov 2021 09:09:55 +0100
Subject: [PATCH 0827/3088] www/nginx: give this code a style update

---
 LICENSE                                       |   1 +
 .../NgxUniqueDefaultServerConstraint.php      | 199 ++++++++----------
 .../OPNsense/Nginx/Migrations/M1_24_0.php     |  69 +++---
 3 files changed, 126 insertions(+), 143 deletions(-)

diff --git a/LICENSE b/LICENSE
index 4e612f5904..761fe6976a 100644
--- a/LICENSE
+++ b/LICENSE
@@ -27,6 +27,7 @@ Copyright (c) 2021 Manuel Hofmann
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2020 Marc Leuser
 Copyright (c) 2021 Marcel Koepfli
+Copyright (c) 2021 Markus Peter <mpeter@one-it.de>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2021 Nim G
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
index 1b54234658..9534251250 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
@@ -1,30 +1,30 @@
 <?php
 
 /*
-* Copyright (C) 2021 Markus Peter mpeter at one-it.de
-* All rights reserved.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions are met:
-*
-* 1. Redistributions of source code must retain the above copyright notice,
-*    this list of conditions and the following disclaimer.
-*
-* 2. Redistributions in binary form must reproduce the above copyright
-*    notice, this list of conditions and the following disclaimer in the
-*    documentation and/or other materials provided with the distribution.
-*
-* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-* POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2021 Markus Peter <mpeter@one-it.de>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 namespace OPNsense\Base\Constraints;
 
@@ -43,92 +43,79 @@ public function validate(\Phalcon\Validation $validator, $attribute): bool
     {
         $node = $this->getOption('node');
         if ($node) {
-			$httpServerNode = $node->getParentNode();
-			$defaultServerNode = $httpServerNode->getChild("default_server");
-            if (!$this->isEmpty($defaultServerNode))
-            {
-				$myUUID = $httpServerNode->getAttribute("uuid");
-				$myListenHTTPAddress = $httpServerNode->getChild("listen_http_address");
-				
-				$httpServersNode = $httpServerNode->getParentNode();
-				
-				$httpServers = $httpServersNode->getChildren();
+            $httpServerNode = $node->getParentNode();
+            $defaultServerNode = $httpServerNode->getChild("default_server");
+            if (!$this->isEmpty($defaultServerNode)) {
+                $myUUID = $httpServerNode->getAttribute("uuid");
+                $myListenHTTPAddress = $httpServerNode->getChild("listen_http_address");
+
+                $httpServersNode = $httpServerNode->getParentNode();
+
+                $httpServers = $httpServersNode->getChildren();
 
-				$msg = "";				
-				foreach ($httpServers as $httpServer)
-				{
-					$uuid = $httpServer->getAttribute("uuid");
-					if ($uuid != $myUUID)
-					{
-						$defaultServerNode = $httpServer->getChild("default_server");
-						if (!$this->isEmpty($defaultServerNode))
-						{
-							$listenHTTPAddressNode = $httpServer->getChild("listen_http_address");
-							if ($this->compareListenAddresses($myListenHTTPAddress, $listenHTTPAddressNode, $msg))
-							{
-								$validator->appendMessage(new Message(
-									sprintf(gettext("There can only be one Default Server on each listening address: %s conflict."), $msg),
-									$attribute
-								));
-							}
-						}
-					}
-				}
-			}
+                $msg = "";
+                foreach ($httpServers as $httpServer) {
+                    $uuid = $httpServer->getAttribute("uuid");
+                    if ($uuid != $myUUID) {
+                        $defaultServerNode = $httpServer->getChild("default_server");
+                        if (!$this->isEmpty($defaultServerNode)) {
+                            $listenHTTPAddressNode = $httpServer->getChild("listen_http_address");
+                            if ($this->compareListenAddresses($myListenHTTPAddress, $listenHTTPAddressNode, $msg)) {
+                                $validator->appendMessage(new Message(
+                                    sprintf(gettext("There can only be one Default Server on each listening address: %s conflict."), $msg),
+                                    $attribute
+                                ));
+                            }
+                        }
+                    }
+                }
+            }
         }
         return true;
     }
-    
+
     private function compareListenAddresses($as, $bs, &$msg): bool
     {
-		foreach (explode(",", $as) as $a)
-		{
-			list($a_af, $a_ip, $a_port) = $this->extractAFIPPort($a);
-			foreach (explode(",", $bs) as $b)
-			{
-				list($b_af, $b_ip, $b_port) = $this->extractAFIPPort($b);
-				if ($a_af == $b_af && $a_port == $b_port)
-				{
-					if ($a_ip == null || $a_ip == "::" || $b_ip == null || $b_ip == "::" || $a_ip == $b_ip)
-					{
-						$msg = "IPv" . $a_af . ": [" . $a_ip . "]:" . $a_port . " and IPv" . $b_af . ": [" . $b_ip . "]:" . $b_port;
-						return true;
-					}
-				}
-			}
-		}
-		return false;
-	}
-	private function extractAFIPPort($in): array
-	{
-		$af = null;
-		$ip = null;
-		$port = null;
-		if (!strpos($in, ":"))
-		{
-			//if only number, then ipv4 port only
-			$af = 4;
-			$port = $in;
-		}
-		else
-		{
-			//extract ip and port
-			if (preg_match("/(?:([0-9.]+)|\[([0-9a-fA-F:]+)\]):(\d+)/", $in, $parts));
-			{
-				if (strpos($in, "[") === 0)
-				{
-					$af = 6;
-					$ip = inet_ntop(inet_pton($parts[2]));
-					$port = $parts[3];
-				}
-				else
-				{
-					$af = 4;
-					$ip = long2ip(ip2long($parts[1]));
-					$port = $parts[3];
-				}
-			}
-		}
-		return [$af, $ip, $port];
-	}
+        foreach (explode(",", $as) as $a) {
+            list($a_af, $a_ip, $a_port) = $this->extractAFIPPort($a);
+            foreach (explode(",", $bs) as $b) {
+                list($b_af, $b_ip, $b_port) = $this->extractAFIPPort($b);
+                if ($a_af == $b_af && $a_port == $b_port) {
+                    if ($a_ip == null || $a_ip == "::" || $b_ip == null || $b_ip == "::" || $a_ip == $b_ip) {
+                        $msg = "IPv" . $a_af . ": [" . $a_ip . "]:" . $a_port . " and IPv" . $b_af . ": [" . $b_ip . "]:" . $b_port;
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+
+    private function extractAFIPPort($in): array
+    {
+        $af = null;
+        $ip = null;
+        $port = null;
+        if (!strpos($in, ":")) {
+            //if only number, then ipv4 port only
+            $af = 4;
+            $port = $in;
+        } else {
+            //extract ip and port
+            if (preg_match("/(?:([0-9.]+)|\[([0-9a-fA-F:]+)\]):(\d+)/", $in, $parts)) {
+            }
+            {
+            if (strpos($in, "[") === 0) {
+                $af = 6;
+                $ip = inet_ntop(inet_pton($parts[2]));
+                $port = $parts[3];
+            } else {
+                $af = 4;
+                $ip = long2ip(ip2long($parts[1]));
+                $port = $parts[3];
+            }
+            }
+        }
+        return [$af, $ip, $port];
+    }
 }
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
index cac938df98..981fbd99a4 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2021 Markus Peter mpeter at one-it.de
+/*
+ * Copyright (C) 2021 Markus Peter <mpeter@one-it.de>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Nginx\Migrations;
@@ -37,23 +35,20 @@ class M1_24_0 extends BaseModelMigration
     public function run($model)
     {
         foreach ($model->getNodeByReference('http_server')->iterateItems() as $http_server) {
-			if ($http_server->listen_http_port != '')
-			{
-				$http_server->listen_http_address = $http_server->listen_http_port . ',[::]:' . $http_server->listen_http_port;
-				$http_server->listen_http_port = null;
-			}
-			if ($http_server->listen_https_port != '')
-			{
-				$http_server->listen_https_address = $http_server->listen_https_port . ',[::]:' . $http_server->listen_https_port;
-				$http_server->listen_https_port = null;
-			}
+            if ($http_server->listen_http_port != '') {
+                $http_server->listen_http_address = $http_server->listen_http_port . ',[::]:' . $http_server->listen_http_port;
+                $http_server->listen_http_port = null;
+            }
+            if ($http_server->listen_https_port != '') {
+                $http_server->listen_https_address = $http_server->listen_https_port . ',[::]:' . $http_server->listen_https_port;
+                $http_server->listen_https_port = null;
+            }
         }
         foreach ($model->getNodeByReference('stream_server')->iterateItems() as $server) {
-			if ($server->listen_port != '')
-			{
-				$server->listen_address = $server->listen_port . ',[::]:' . $server->listen_port;
-				$server->listen_port = null;
-			}
+            if ($server->listen_port != '') {
+                $server->listen_address = $server->listen_port . ',[::]:' . $server->listen_port;
+                $server->listen_port = null;
+            }
         }
     }
 }

From 341d075c715c6961076658bf198966c927a1b6c0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 22 Nov 2021 09:14:59 +0100
Subject: [PATCH 0828/3088] net/frr: prepare for next version

---
 net/frr/Makefile  | 2 +-
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 98b32bbefe..74ddf6e952 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.23
+PLUGIN_VERSION=		1.24
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 1e52df4ba0..dbaaf95e19 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.24
+
+* Add AS-Override (#2517)
+
 1.23
 
 * Add route-reflector-client to BGP neighbor config

From a49db755335fdc7ea57309c9230a6cff39f30fb2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 22 Nov 2021 09:16:57 +0100
Subject: [PATCH 0829/3088] www/nginx: document the other change after 1.23
 here

---
 www/nginx/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 4978ddb057..6f59a18a0c 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 
 * Change all Listen Port directives to Listen Address and migrate the Port data to Addresses
 * Add default_server option to HTTP Server
+* Replace stop action by the reload option in reconfigureForceRestart (#2450)
 
 1.23
 

From 486f604a0594452f7bad6e438a04adec9e5d6901 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Mon, 22 Nov 2021 22:12:59 +0300
Subject: [PATCH 0830/3088] www/nginx: add server ssl directives to GUI (#2478)

---
 www/nginx/pkg-descr                           |  1 +
 .../OPNsense/Nginx/forms/httpserver.xml       | 29 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 23 +++++++++++++++
 .../templates/OPNsense/Nginx/http.conf        | 11 +++++--
 4 files changed, 61 insertions(+), 3 deletions(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 6f59a18a0c..3afedea298 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 * Change all Listen Port directives to Listen Address and migrate the Port data to Addresses
 * Add default_server option to HTTP Server
 * Replace stop action by the reload option in reconfigureForceRestart (#2450)
+* Add server ssl_protocols, ssl_ciphers, ssl_prefer_server_ciphers directives to GUI
 
 1.23
 
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 2809f56c9c..533f4d7430 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -143,6 +143,35 @@
     <type>checkbox</type>
     <help>If you check this box, a TLS encrypted connection is enforced.</help>
   </field>
+  <field>
+    <id>httpserver.tls_protocols</id>
+    <label>TLS Protocols</label>
+    <style>selectpicker</style>
+    <type>select_multiple</type>
+    <advanced>true</advanced>
+    <help>Enable specified protocols. Default: TLSv1.2 TLSv1.3. TLSv1 and TLSv1.1 are insecure and excluded from GUI.</help>
+  </field> 
+  <field>
+    <id>httpserver.tls_ciphers</id>
+    <label>TLS Ciphers</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Specify enabled ciphers in the TLS library cipher string format. Example: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256. NGINX default (empty field): HIGH:!aNULL:!MD5.</help>
+  </field>
+  <field>
+    <id>httpserver.tls_ecdh_curve</id>
+    <label>ECDH curve</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Specify a curve(s) for ECDHE ciphers. NGINX default (empty field): auto.</help>
+  </field>
+  <field>
+    <id>httpserver.tls_prefer_server_ciphers</id>
+    <label>Prefer server ciphers</label>
+    <type>checkbox</type>
+    <advanced>true</advanced>
+    <help>Prefers server ciphers over client ciphers.</help>
+  </field>
   <field>
     <id>httpserver.ocsp_stapling</id>
     <label>OCSP Stapling</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 0bea091e0b..07411f8568 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -793,6 +793,29 @@
         <default>0</default>
         <Required>Y</Required>
       </https_only>
+      <tls_protocols type="OptionField">
+        <multiple>Y</multiple>
+        <Sorted>Y</Sorted>
+        <OptionValues>
+          <TLSv1_2 value="TLSv1.2">TLSv1.2</TLSv1_2>
+          <TLSv1_3 value="TLSv1.3">TLSv1.3</TLSv1_3>
+        </OptionValues>
+        <Required>Y</Required>
+        <default>TLSv1.2,TLSv1.3</default>
+      </tls_protocols>
+      <tls_ciphers type="TextField">
+        <default>ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256</default>
+        <Required>N</Required>
+        <mask>/^((((!|\+|-)?[A-Z][A-Z\d\+-]+)|(@STRENGTH)):?)*$/i</mask>
+      </tls_ciphers>
+      <tls_ecdh_curve type="TextField">
+        <Required>N</Required>
+        <mask>/^(([A-Z\d-]+):?)*$/i</mask>
+      </tls_ecdh_curve>
+      <tls_prefer_server_ciphers type="BooleanField">
+        <default>1</default>
+        <Required>Y</Required>
+      </tls_prefer_server_ciphers>
       <ocsp_stapling type="BooleanField">
         <default>0</default>
         <Required>Y</Required>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 243777d2e4..287b6893af 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -110,13 +110,18 @@ server {
 {%     endif %}
     ssl_certificate_key /usr/local/etc/nginx/key/{{ single_servername }}.key;
     ssl_certificate /usr/local/etc/nginx/key/{{ single_servername }}.pem;
-    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_protocols {{ server.tls_protocols.replace(',', ' ') }};
     ssl_dhparam /usr/local/etc/dh-parameters.4096;
-    ssl_ciphers 'ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256';
+{%     if server.tls_ciphers is defined and server.tls_ciphers != '' %}
+    ssl_ciphers {{ server.tls_ciphers }};
+{%     endif %}
+{%     if server.tls_ecdh_curve is defined and server.tls_ecdh_curve != '' %}
+    ssl_ecdh_curve {{ server.tls_ecdh_curve }};
+{%     endif %}
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers {% if server.tls_prefer_server_ciphers is defined and server.tls_prefer_server_ciphers == '0'%}off{% else %}on{% endif %};
 {%     if server.ocsp_stapling is defined and server.ocsp_stapling == '1'%}
     ssl_stapling on;
     ssl_stapling_verify {% if server.ocsp_verify is defined and server.ocsp_verify == '1' %}On{% else %}Off{% endif %};

From bd2132e202f948d6867058f17593f893e58bf91d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 23 Nov 2021 07:28:49 +0100
Subject: [PATCH 0831/3088] Revert "Use the righ URL for FreeDNS"

This reverts commit e8af90b1a36102e0b9c3eb05bef56610e147bf16.
---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 7efaa72ea4..15876d366a 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -570,7 +570,7 @@ class updatedns
                 $this->_checkStatus(0, $code);
                 break;
             case 'freedns':
-                curl_setopt($ch, CURLOPT_URL, 'https://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass . '/');
+                curl_setopt($ch, CURLOPT_URL, 'https://sync.afraid.org/u/' . $this->_dnsPass . '/');
                 break;
             case 'dnsexit':
                 curl_setopt($ch, CURLOPT_URL, 'https://update.dnsexit.com/RemoteUpdate.sv?login=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);

From f308970fa07c1c1490c58fcf01a0755f5fc35507 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 23 Nov 2021 07:29:23 +0100
Subject: [PATCH 0832/3088] dns/dyndns: undo revert, we will be using v2 only

---
 dns/dyndns/Makefile  | 1 +
 dns/dyndns/pkg-descr | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index bf2d1b3722..0624e9ecc8 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.26
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
index 3c47212268..d005aa117d 100644
--- a/dns/dyndns/pkg-descr
+++ b/dns/dyndns/pkg-descr
@@ -7,7 +7,6 @@ Plugin Changelog
 
 * Add support for 1984 Hosting Company (contributed by Adrian Fedoreanu)
 * Add %HOST% support for custom dynamic DNS (contributed by Marc Collins)
-* Revert FreeDNS URL change (contributed by andrewhotlab)
 * Add PAYLOAD log and debug support for missing code spots
 
 1.25

From e59d217711c8c207c154729fdba4dbd6e375eed6 Mon Sep 17 00:00:00 2001
From: "Helmut K. C. Tessarek" <tessarek@evermeet.cx>
Date: Tue, 23 Nov 2021 01:35:29 -0500
Subject: [PATCH 0833/3088] add more info what actually happens when nut is
 enabled (#2651)

PR: https://forum.opnsense.org/index.php?topic=25581.0
---
 .../mvc/app/controllers/OPNsense/Nut/forms/settings.xml         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
index 41d6cfe5e3..48b3fdf6ad 100644
--- a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
+++ b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/forms/settings.xml
@@ -5,7 +5,7 @@
                 <id>nut.general.enable</id>
                 <label>Enable Nut</label>
                 <type>checkbox</type>
-                <help>Enable or disable the nut service.</help>
+                <help>Enable or disable the nut service. If enabled, the system will shutdown when the UPS emits a low battery warning.</help>
             </field>
             <field>
                 <id>nut.general.mode</id>

From 40017f5e616576e50a0ad9e51ae38bd95a1e558b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 23 Nov 2021 14:11:35 +0100
Subject: [PATCH 0834/3088] net-mgmt/zabbix-agent: add variants support /
 release 1.10 (#2656)

---
 net-mgmt/zabbix-agent/Makefile                           | 9 +++++++--
 net-mgmt/zabbix-agent/pkg-descr                          | 5 +++++
 .../templates/OPNsense/ZabbixAgent/zabbix_agentd.conf    | 6 +++++-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index b1160326c8..189733fa35 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,7 +1,12 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.9
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		Zabbix monitoring agent
-PLUGIN_DEPENDS=		zabbix5-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
+PLUGIN_VARIANTS=	zabbix5 zabbix54
 
+zabbix5_NAME=		zabbix-agent
+zabbix5_DEPENDS=		zabbix5-agent
+
+zabbix54_NAME=		zabbix54-agent
+zabbix54_DEPENDS=		zabbix54-agent
 .include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 8e22f33350..bb8f364c70 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,11 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.10
+
+Changed:
+* Replace EnableRemoteCommands with AllowKey/DenyKey (#1978)
+
 1.9
 
 Added:
diff --git a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
index 3974f44086..bafea22b4f 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
+++ b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
@@ -22,7 +22,11 @@ DebugLevel={{OPNsense.ZabbixAgent.settings.main.debugLevel|replace("val_", "")}}
 SourceIP={{OPNsense.ZabbixAgent.settings.main.sourceIP}}
 {% endif %}
 
-EnableRemoteCommands={{OPNsense.ZabbixAgent.settings.features.enableRemoteCommands}}
+{% if OPNsense.ZabbixAgent.settings.features.enableRemoteCommands|default("") == '1' %}
+AllowKey=system.run[*]
+{% else %}
+DenyKey=system.run[*]
+{% endif %}
 LogRemoteCommands={{OPNsense.ZabbixAgent.settings.features.logRemoteCommands}}
 
 Server={{OPNsense.ZabbixAgent.settings.main.serverList}}

From d1192a381e29bc95bf78fd53e715c4563c2c3e06 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 23 Nov 2021 14:13:01 +0100
Subject: [PATCH 0835/3088] plugins: whitespace sweep

---
 net-mgmt/zabbix-agent/Makefile                                | 4 ++--
 .../mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 189733fa35..a0d556e711 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -5,8 +5,8 @@ PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_VARIANTS=	zabbix5 zabbix54
 
 zabbix5_NAME=		zabbix-agent
-zabbix5_DEPENDS=		zabbix5-agent
+zabbix5_DEPENDS=	zabbix5-agent
 
 zabbix54_NAME=		zabbix54-agent
-zabbix54_DEPENDS=		zabbix54-agent
+zabbix54_DEPENDS=	zabbix54-agent
 .include "../../Mk/plugins.mk"
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 533f4d7430..e4a925509d 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -150,7 +150,7 @@
     <type>select_multiple</type>
     <advanced>true</advanced>
     <help>Enable specified protocols. Default: TLSv1.2 TLSv1.3. TLSv1 and TLSv1.1 are insecure and excluded from GUI.</help>
-  </field> 
+  </field>
   <field>
     <id>httpserver.tls_ciphers</id>
     <label>TLS Ciphers</label>

From 422242fca1dd7f32824cc7672c9d30929e999dde Mon Sep 17 00:00:00 2001
From: zarcjap <zarcjap@users.noreply.github.com>
Date: Tue, 23 Nov 2021 08:58:14 -0500
Subject: [PATCH 0836/3088] Fix for digitalocean-v6

added digitalocean-v6 to switch, it was missing and returning error 6 'Dynamic DNS: (ERROR!) The Dynamic DNS Service provided is not yet supported.'
---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 15876d366a..d7b5582cfd 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -324,6 +324,7 @@ class updatedns
                 case 'desec-v6':
                 case 'dhs':
                 case 'digitalocean':
+                case 'digitalocean-v6':
                 case 'gandi-livedns':
                 case 'dnsexit':
                 case 'dnsomatic':

From d724e1bd60609e7a5a615e169d8942be20e5e039 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 23 Nov 2021 15:22:38 +0100
Subject: [PATCH 0837/3088] dns/dyndns: new version

---
 dns/dyndns/Makefile  | 3 +--
 dns/dyndns/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 0624e9ecc8..67afe795c0 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.26
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.27
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
index d005aa117d..8f8dcb2326 100644
--- a/dns/dyndns/pkg-descr
+++ b/dns/dyndns/pkg-descr
@@ -3,6 +3,10 @@ Support for numerous Dynamic DNS services (DynDNS et al)
 Plugin Changelog
 ================
 
+1.27
+
+* Add missing digitalocean-v6 switch case (contributed by zarcjap)
+
 1.26
 
 * Add support for 1984 Hosting Company (contributed by Adrian Fedoreanu)

From 41ae6236dedb4746c91190635ebfcfe8bc96040f Mon Sep 17 00:00:00 2001
From: Steven Robert Kirk <stevenrkirk@gmail.com>
Date: Thu, 25 Nov 2021 15:29:14 +0800
Subject: [PATCH 0838/3088] Update miniupnpd.inc (#2667)

Typo: 'Univeral' -> 'Universal'
---
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 9547836fe8..68738d0428 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -53,7 +53,7 @@ function miniupnpd_services()
 
     $pconfig = array();
     $pconfig['name'] = 'miniupnpd';
-    $pconfig['description'] = gettext('Univeral Plug and Play');
+    $pconfig['description'] = gettext('Universal Plug and Play');
     $pconfig['php']['restart'] = array('miniupnpd_stop', 'miniupnpd_start');
     $pconfig['php']['start'] = array('miniupnpd_start');
     $pconfig['php']['stop'] = array('miniupnpd_stop');

From 4b3abbf54683a942a8ee14a236c24e89ff1b4c70 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 25 Nov 2021 13:09:56 +0100
Subject: [PATCH 0839/3088] dns/dyndns: patch this spot

PR: https://github.com/opnsense/plugins/issues/2666
---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index d7b5582cfd..143929ec8d 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1499,7 +1499,8 @@ class updatedns
                 }
                 break;
             case 'namecheap':
-                $tmp = str_replace("^M", "", $data);
+                /* technically this is wrong but proves a point about the document being broken remotely */
+                $tmp = preg_replace('/(\<\?xml[^?]+?encoding=.?)utf-16([^?]+?\?\>)/i', '$1utf-8$2', $data);
                 $ncresponse = simplexml_load_string($tmp);
                 if (preg_match("/internal server error/i", $data)) {
                     $status = "Dynamic DNS: (Error) Server side error.";

From df0243a42ee787322ec8c50261e9fc8f67733ed7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 25 Nov 2021 14:12:58 +0100
Subject: [PATCH 0840/3088] net/firewall - "No RDR" option for Automation /
 Source NAT, closes https://github.com/opnsense/plugins/issues/2504

---
 .../controllers/OPNsense/Firewall/forms/dialogSNatRule.xml  | 6 ++++++
 .../OPNsense/Firewall/FieldTypes/SourceNatRuleField.php     | 2 +-
 .../opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml    | 6 +++++-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
index 48e1b9a5f1..0c87b04503 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
@@ -5,6 +5,12 @@
         <type>checkbox</type>
         <help>Enable this rule</help>
     </field>
+    <field>
+        <id>rule.nonat</id>
+        <label>Do not NAT</label>
+        <type>checkbox</type>
+        <help>Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules.</help>
+    </field>
     <field>
         <id>rule.sequence</id>
         <label>Sequence</label>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
index f00fb1c980..de1e1ad91f 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
@@ -45,7 +45,7 @@ class SourceNatRuleContainerField extends ContainerField
      */
     public function serialize()
     {
-        $result = array();
+        $result = [];
         $source_mapper = [
             'enabled' => false,
             'source_net' => false,
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 3fa4cfc8cf..3655695e30 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Firewall/Filter</mount>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <migration_prefix>MFP</migration_prefix>
     <description>
         OPNsense firewall filter rules
@@ -112,6 +112,10 @@
                     <default>1</default>
                     <Required>Y</Required>
                 </enabled>
+                <nonat type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </nonat>
                 <sequence type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>99999</MaximumValue>

From 07222909ad3caf8f4f2448a849f6d40c098c97a3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 25 Nov 2021 14:14:50 +0100
Subject: [PATCH 0841/3088] net-mgmt/zabbix-agent: missing a release note

---
 net-mgmt/zabbix-agent/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index bb8f364c70..b569787361 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -14,6 +14,9 @@ Plugin Changelog
 
 1.10
 
+Added:
+* Plugin variant for Zabbix Agent 5.4
+
 Changed:
 * Replace EnableRemoteCommands with AllowKey/DenyKey (#1978)
 

From 166fa7a894c919d6a615007164d806794229f429 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 28 Nov 2021 22:26:39 +0100
Subject: [PATCH 0842/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 36875ce938..c60e81b2fb 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.7
+PLUGIN_VERSION=		3.8
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy22
 PLUGIN_MAINTAINER=	opnsense@moov.de

From d3e3d463331437f55c104a44f3e7ea21a22eba38 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 28 Nov 2021 22:27:46 +0100
Subject: [PATCH 0843/3088] net/haproxy: update changelog

---
 net/haproxy/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 0609ea6f36..22938d5de6 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.8
+
+Added:
+* add support for unix sockets (#2040)
+
 3.7
 
 Added:

From 51f6d0e8d28cb56abfb3dd4bf8d12f48ce9b0213 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 28 Nov 2021 23:33:31 +0100
Subject: [PATCH 0844/3088] net/haproxy: add max connections option to servers
 (#2641)

---
 net/haproxy/pkg-descr                         |  5 ++++
 .../OPNsense/HAProxy/forms/dialogFrontend.xml |  2 +-
 .../OPNsense/HAProxy/forms/dialogServer.xml   |  7 +++++
 .../HAProxy/forms/generalDefaults.xml         | 10 +++++--
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 30 +++++++++++++------
 .../templates/OPNsense/HAProxy/haproxy.conf   |  5 ++++
 6 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 22938d5de6..19252be162 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -10,6 +10,11 @@ Plugin Changelog
 
 Added:
 * add support for unix sockets (#2040)
+* add "max connections" option to servers (#2641)
+
+Changed:
+* allow setting "max connections" to "0" (unlimited)
+* raise maximum value for "max connections" to 10000000
 
 3.7
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index f7ed024366..682e0bb278 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -242,7 +242,7 @@
     </field>
     <field>
         <id>frontend.tuning_maxConnections</id>
-        <label>Max. Connections</label>
+        <label>Maximum Connections</label>
         <type>text</type>
         <help><![CDATA[Set the maximum number of concurrent connections for this Public Service.]]></help>
     </field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
index 01b71a120b..fa2283086a 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -138,6 +138,13 @@
         <hint>Type certificate name or choose from list.</hint>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>server.maxConnections</id>
+        <label>Max Connections</label>
+        <type>text</type>
+        <help><![CDATA[Specifies the maximal number of concurrent connections that will be sent to this server. The default value is "0" which means unlimited.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>server.weight</id>
         <label>Weight</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalDefaults.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalDefaults.xml
index 4a44e0aee1..81a9700f7e 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalDefaults.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalDefaults.xml
@@ -5,9 +5,15 @@
     </field>
     <field>
         <id>haproxy.general.defaults.maxConnections</id>
-        <label>Max. Connections</label>
+        <label>Maximum Connections (Public Services)</label>
         <type>text</type>
-        <help><![CDATA[Set the maximum number of concurrent connections for this frontend.]]></help>
+        <help><![CDATA[Set the maximum number of concurrent connections for public services.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.defaults.maxConnectionsServers</id>
+        <label>Maximum Connections (Servers)</label>
+        <type>text</type>
+        <help><![CDATA[Set the maximum number of concurrent connections for servers.]]></help>
     </field>
     <field>
         <id>haproxy.general.defaults.timeoutClient</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 009938fc32..5efa6dff9b 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -67,9 +67,9 @@
                     <Required>Y</Required>
                 </root>
                 <maxConnections type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>500000</MaximumValue>
-                    <ValidationMessage>Please specify a value between 1 and 500000.</ValidationMessage>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
                     <Required>N</Required>
                 </maxConnections>
                 <nbproc type="IntegerField">
@@ -194,11 +194,17 @@
             </tuning>
             <defaults>
                 <maxConnections type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>500000</MaximumValue>
-                    <ValidationMessage>Please specify a value between 1 and 500000.</ValidationMessage>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
                     <Required>N</Required>
                 </maxConnections>
+                <maxConnectionsServers type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
+                    <Required>N</Required>
+                </maxConnectionsServers>
                 <timeoutClient type="TextField">
                     <default>30s</default>
                     <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
@@ -598,9 +604,9 @@
                     <Required>N</Required>
                 </basicAuthGroups>
                 <tuning_maxConnections type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>500000</MaximumValue>
-                    <ValidationMessage>Please specify a value between 1 and 500000.</ValidationMessage>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
                     <Required>N</Required>
                 </tuning_maxConnections>
                 <tuning_timeoutClient type="TextField">
@@ -1318,6 +1324,12 @@
                     <Type>cert</Type>
                     <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
                 </sslClientCertificate>
+                <maxConnections type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
+                    <Required>N</Required>
+                </maxConnections>
                 <weight type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>256</MaximumValue>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index bfe118cb9c..b95910675a 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1095,6 +1095,9 @@ defaults
 {%   if OPNsense.HAProxy.general.defaults.init_addr|default("") != "" %}
     default-server init-addr {{OPNsense.HAProxy.general.defaults.init_addr}}
 {%   endif %}
+{%   if OPNsense.HAProxy.general.defaults.maxConnectionsServers|default("") != "" %}
+    default-server maxconn {{OPNsense.HAProxy.general.defaults.maxConnectionsServers}}
+{%   endif %}
 {%   if OPNsense.HAProxy.general.defaults.customOptions|default("") != "" %}
     # WARNING: pass through options below this line
 {%     for customOpt in OPNsense.HAProxy.general.defaults.customOptions.split("\n") %}
@@ -1725,6 +1728,8 @@ backend {{backend.name}}
 {#                 # add all additions from healthchecks here #}
 {%                 do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
 {%               endif %}
+{#               # server maxconn #}
+{%               do server_options.append('maxconn ' ~ server_data.maxConnections) if server_data.maxConnections|default("") != "" %}
 {#               # server weight #}
 {%               do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
 {#               # server role/mode #}

From 892f14040987020c0dfed5777089d6c085ee869d Mon Sep 17 00:00:00 2001
From: Michael Newton <miken32@gmail.com>
Date: Mon, 29 Nov 2021 00:42:25 -0700
Subject: [PATCH 0845/3088] dns/bind: allow signed zone transfers (#2599)

---
 .../Bind/forms/dialogEditBindDomain.xml       | 12 ++++++++
 .../mvc/app/models/OPNsense/Bind/Domain.xml   | 15 ++++++++++
 .../mvc/app/views/OPNsense/Bind/general.volt  |  8 +++++
 .../templates/OPNsense/Bind/named.conf        | 29 ++++++++++++++++++-
 4 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
index afde58416d..eed6958bb0 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
@@ -42,6 +42,18 @@
         <allownew>true</allownew>
         <help>Set the IP address of master server when using slave mode.</help>
     </field>
+    <field>
+        <id>domain.transferkeyalgo</id>
+        <label>Transfer Key Algorithm</label>
+        <type>dropdown</type>
+        <help>Set the authentication algorithm for the TSIG key.</help>
+    </field>
+    <field>
+        <id>domain.transferkey</id>
+        <label>Transfer Key</label>
+        <type>text</type>
+        <help>The TSIG key used to transfer domain data from the master server.</help>
+    </field>
     <field>
         <id>domain.allownotifyslave</id>
         <label>Allow Notfiy</label>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 8aad51f826..2ddbcf003b 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -22,6 +22,21 @@
                     <FieldSeparator>,</FieldSeparator>
                     <asList>Y</asList>
                 </masterip>
+                <transferkeyalgo type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <hmac-sha512>HMAC-SHA512</hmac-sha512>
+                        <hmac-sha384>HMAC-SHA384</hmac-sha384>
+                        <hmac-sha256>HMAC-SHA256</hmac-sha256>
+                        <hmac-sha224>HMAC-SHA224</hmac-sha224>
+                        <hmac-sha1>HMAC-SHA1</hmac-sha1>
+                        <hmac-md5>HMAC-MD5</hmac-md5>
+                    </OptionValues>
+                </transferkeyalgo>
+                <transferkey type="TextField">
+                    <Required>N</Required>
+                    <default></default>
+                </transferkey>
                 <allownotifyslave type="NetworkField">
                     <Required>N</Required>
                     <FieldSeparator>,</FieldSeparator>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index cc3a15c292..47a7053502 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -275,6 +275,14 @@ $( document ).ready(function() {
         });
     });
 
+    $('#domain\\.transferkeyalgo').on('change', function(e) {
+        if (e.target.selectedIndex === 0) {
+            $('#domain\\.transferkey').val('').attr('readonly', true);
+        } else {
+            $('#domain\\.transferkey').attr('readonly', false);
+        }
+    });
+
     // Hide options that are irrelevant in this context.
     $('#dialogEditBindDomain').on('shown.bs.modal', function (e) {
         $("#domain\\.type").change(function(){
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 376efe90fa..abb5b57200 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -135,7 +135,34 @@ zone "rpzbing" { type master; file "/usr/local/etc/namedb/master/bing.db"; notif
 {%     if domain.enabled == '1' %}
 {%     set allow_transfer = helpers.getUUID(domain.allowtransfer) %}
 {%     set allow_query = helpers.getUUID(domain.allowquery) %}
-zone "{{ domain.domainname }}" { type {{ domain.type }}; {% if domain.type == 'slave' %}masters { {{ domain.masterip.replace(',', '; ') }}; }; {% if domain.allownotifyslave is defined %} allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };{% endif %} file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db"; {% else %}file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db"; {% endif %}{% if domain.allowtransfer is defined %} allow-transfer { {{ allow_transfer.name }}; };{% endif %}{% if domain.allowquery is defined %} allow-query { {{ allow_query.name }}; };{% endif %} };
+zone "{{ domain.domainname }}" {
+        type {{ domain.type }};
+{%       if domain.type == 'slave' %}
+        masters { {{ domain.masterip.replace(',', '; ') }}; };
+{%         if domain.allownotifyslave is defined %}
+        allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };
+{%         endif %}
+        file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db";
+{%       else %}
+        file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db";
+{%       endif %}
+{%       if domain.allowtransfer is defined %}
+        allow-transfer { {{ allow_transfer.name }}; };
+{%       endif %}
+{%       if domain.allowquery is defined %}
+        allow-query { {{ allow_query.name }}; };
+{%       endif %}
+};
+{%       if domain.type == 'slave' and domain.transferkey is defined %}
+{%         set key_name = 'tsig-transferkey-' ~ domain.domainname.replace('.', '-') %}
+key "{{ key_name }}" {
+        algorithm "{{ domain.transferkeyalgo }}";
+        secret "{{ domain.transferkey }}";
+};
+server {{ domain.masterip }} {
+        keys { "{{ key_name }}" };
+};
+{%       endif %}
 {%     endif %}
 {%   endfor %}
 {% endif %}

From 57ada90e890832b67ad93f54bed2ee26bde4b669 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 29 Nov 2021 22:32:59 +0100
Subject: [PATCH 0846/3088] security/acme-client: fix SFTP upload (#2671)

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 07084fd483..7a14027924 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.6
+
+Fixed:
+* fix SFTP upload (#2671)
+
 3.5
 
 Added:
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index e7899a4364..c3cbd385ef 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -408,7 +408,7 @@ function getOptionsById($automation_id, $silent = false)
     }
 
     if (is_object($action = getActionById($automation_id))) {
-        if ($action->enabled && "upload_sftp" === (string)$action->type) {
+        if ($action->enabled && "configd_upload_sftp" === (string)$action->type) {
             return [
                 "host" => trim((string)$action->sftp_host),
                 "host-key" => trim((string)$action->sftp_host_key),

From 47877708520ff839e8b81b40a8df62babe6f377d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 29 Nov 2021 22:33:22 +0100
Subject: [PATCH 0847/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index eab7942448..d5feedbbea 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.5
+PLUGIN_VERSION=		3.6
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 0f70ad8ce76d30435adf09c31d342271909be848 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 29 Nov 2021 00:09:39 +0100
Subject: [PATCH 0848/3088] net-mgmt/zabbix-agent: improve help text, refs
 #2646

---
 .../mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
index 8af59aceab..46fdf4947c 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
@@ -66,7 +66,7 @@
             <id>zabbixagent.settings.main.sudoRoot</id>
             <label>Enable sudo root permissions</label>
             <type>checkbox</type>
-            <help><![CDATA[When enabled, a sudo rule is created to grant full root access to Zabbix Agent. This may be required for certain checks.]]></help>
+            <help><![CDATA[When enabled, a sudo rule is created to grant root access to the Zabbix user. When adding a User Parameter, just add "sudo" to the command to run it as root, i.e. instead of "echo test" use "sudo echo test".]]></help>
             <advanced>false</advanced>
         </field>
     </tab>

From 83813dcbb570d31103d6e1804988200137e6a72e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 30 Nov 2021 23:12:11 +0100
Subject: [PATCH 0849/3088] security/acme-client: fix acme.sh deploy hook error
 handling (#2674)

---
 security/acme-client/pkg-descr                                | 1 +
 .../mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 7a14027924..a7a2a1c4b8 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Fixed:
 * fix SFTP upload (#2671)
+* fix PHP error when acme.sh deploy hook returns an error (#2674)
 
 3.5
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index e15ab16f42..175a51e9f0 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -143,9 +143,9 @@ public function runAcme()
             return false;
         }
 
-        // Check validation result
+        // Check result
         if ($result) {
-            LeUtils::log_error('running acme.sh deploy hook failed (' . $this->getMethod() . ')');
+            LeUtils::log_error('running acme.sh deploy hook failed (' . $this->getType() . ')');
             return false;
         }
 

From 96a89a4c468c46488c0687cdcf1f887e07c5db86 Mon Sep 17 00:00:00 2001
From: Alex <alexander.noack@web.de>
Date: Sat, 4 Dec 2021 23:03:53 +0100
Subject: [PATCH 0850/3088] Added (local)Unifi to ACME actions (#2664)

---
 .../AcmeClient/forms/dialogAction.xml         | 11 +++++
 .../AcmeClient/LeAutomation/AcmeUnifi.php     | 46 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  5 ++
 3 files changed, 62 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeUnifi.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 15dbabc9fa..b46f455196 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -220,4 +220,15 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_unifi</style>
+    </field>
+    <field>
+        <id>action.acme_unifi_keystore</id>
+        <label>Unifi keystore file</label>
+        <type>text</type>
+        <help>Path to the Unifi keystore file in the local filesystem, i.e. /usr/local/share/java/unifi/data/keystore.</help>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeUnifi.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeUnifi.php
new file mode 100644
index 0000000000..e8af643447
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeUnifi.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Alexander Noack
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook unifi
+ * @package OPNsense\AcmeClient
+ */
+class AcmeUnifi extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DEPLOY_UNIFI_KEYSTORE'] = (string)$this->config->acme_unifi_keystore;
+        $this->acme_env['DEPLOY_UNIFI_RELOAD'] = 'service unifi restart';
+        $this->acme_args[] = '--deploy-hook unifi';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 362bb20177..0fa09b84c1 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1049,6 +1049,7 @@
                         <configd_upload_sftp>Upload certificate via SFTP</configd_upload_sftp>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
+                        <acme_unifi>Update local Unifi keystore</acme_unifi>
                         <configd_generic>System or Plugin Command</configd_generic>
                     </OptionValues>
                 </type>
@@ -1202,6 +1203,10 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_fritzbox_password>
+                <acme_unifi_keystore type="TextField">
+                    <default>/usr/local/share/java/unifi/data/keystore</default>
+                    <Required>N</Required>
+                </acme_unifi_keystore>
             </action>
         </actions>
     </items>

From 9e07edc60b0583e1ed2297ad837a7e15b9ac5b95 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 4 Dec 2021 23:07:58 +0100
Subject: [PATCH 0851/3088] security/acme-client: update changelogs, refs #2664

---
 security/acme-client/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a7a2a1c4b8..6703241570 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 3.6
 
+Added:
+* new automation: update local Unifi keystore (#2664)
+
 Fixed:
 * fix SFTP upload (#2671)
 * fix PHP error when acme.sh deploy hook returns an error (#2674)

From c8a115291df30e46ac0b7d86c312e8bbd1f0efd4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 7 Dec 2021 09:56:42 +0100
Subject: [PATCH 0852/3088] dns/dyndns: set CURLOPT_INTERFACE away from IP
 address for #2582

---
 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 143929ec8d..44ceb97556 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -1265,8 +1265,8 @@ class updatedns
                         'Authorization: sso-key ' . $this->_dnsUser . ':' . $this->_dnsPass
                 ));
                 curl_setopt($ch, CURLOPT_URL, $url);
-
                 curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonBody);
+                curl_setopt($ch, CURLOPT_INTERFACE, $this->_dnsRequestIf);
                 break;
             case 'desec':
                 /*

From 5320722aba6dd0d7a372f2816ddae0dab67b3156 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 7 Dec 2021 15:40:35 +0100
Subject: [PATCH 0853/3088] net/freeradius: Fix bad default (#2687)

---
 net/freeradius/Makefile                                         | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 7ac00905a2..2c17c8138f 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.17
+PLUGIN_REVISION=  1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 953501e0b1..6ff7fece79 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -46,7 +46,7 @@
             <Required>Y</Required>
         </check_tls_names>
         <tls_min_version type="OptionField">
-            <default>Option1</default>
+            <default>1.0</default>
             <Required>Y</Required>
             <multiple>N</multiple>
             <OptionValues>

From a43ab626d088660e92fed70d12a760c5a29b3280 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 7 Dec 2021 23:28:54 +0100
Subject: [PATCH 0854/3088] security/acme-client: add support for dynv6 HTTP
 API, closes #2678

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsDynv6.php      | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 4 files changed, 59 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDynv6.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 6703241570..ee87936d98 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Added:
 * new automation: update local Unifi keystore (#2664)
+* add support for dynv6 HTTP API (#2678)
 
 Fixed:
 * fix SFTP upload (#2671)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 36a2853568..2f13068c8a 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1353,4 +1353,14 @@
         <label>Secret API Key</label>
         <type>password</type>
     </field>
+    <field>
+        <label>dynv6 HTTP API</label>
+        <type>header</type>
+        <style>table_dns table_dns_dynv6</style>
+    </field>
+    <field>
+        <id>validation.dns_dynv6_token</id>
+        <label>HTTP Token</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDynv6.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDynv6.php
new file mode 100644
index 0000000000..c1d9115f05
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDynv6.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * dynv6 HTTP API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDynv6 extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DYNV6_TOKEN'] = (string)$this->config->dns_dynv6_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 0fa09b84c1..982ffaf3b6 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -417,6 +417,7 @@
                         <dns_duckdns>DuckDNS API</dns_duckdns>
                         <dns_dyn>Dyn Managed DNS API</dns_dyn>
                         <dns_dynu>Dynu API</dns_dynu>
+                        <dns_dynv6>dynv6 HTTP API</dns_dynv6>
                         <dns_euserv>EUserv</dns_euserv>
                         <dns_freedns>FreeDNS API</dns_freedns>
                         <dns_gandi_livedns>Gandi LiveDNS API</dns_gandi_livedns>
@@ -1018,6 +1019,9 @@
                 <dns_zone_key type="TextField">
                     <Required>N</Required>
                 </dns_zone_key>
+                <dns_dynv6_token type="TextField">
+                    <Required>N</Required>
+                </dns_dynv6_token>
             </validation>
         </validations>
         <actions>

From 2af67affad8f6d7baa74b104242ee0d0c9ac8044 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 8 Dec 2021 00:32:40 +0100
Subject: [PATCH 0855/3088] security/acme-client: add support for TLS-ALPN-01
 challenge type, closes #2661

---
 security/acme-client/pkg-descr                |   1 +
 .../AcmeClient/forms/dialogValidation.xml     |  36 +++++
 .../OPNsense/AcmeClient/forms/settings.xml    |   7 +
 .../OPNsense/AcmeClient/LeValidation/Base.php |   3 +
 .../AcmeClient/LeValidation/TlsalpnAcme.php   | 143 ++++++++++++++++++
 .../AcmeClient/LeValidationFactory.php        |   5 +-
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  33 +++-
 .../OPNsense/AcmeClient/validations.volt      |  12 +-
 8 files changed, 236 insertions(+), 4 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index ee87936d98..87339fe032 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 Added:
 * new automation: update local Unifi keystore (#2664)
 * add support for dynv6 HTTP API (#2678)
+* add support for TLS-ALPN-01 challenge type (#2661)
 
 Fixed:
 * fix SFTP upload (#2671)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 2f13068c8a..3e2efdbd16 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -78,6 +78,42 @@
         <allownew>true</allownew>
         <help>Choose the local HAProxy frontends. They will automatically be configured to redirect acme challenges to the internal acme client. The HAProxy service will automatically be restarted if a certificate was renewed.</help>
     </field>
+    <field>
+        <label>TLS-ALPN-01</label>
+        <type>header</type>
+        <style>method_table method_table_tlsalpn01</style>
+    </field>
+    <field>
+        <id>validation.tlsalpn_service</id>
+        <label>TLS-ALPN Service</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <label>acme.sh TLS Web Server</label>
+        <type>header</type>
+        <style>table_tlsalpn table_tlsalpn_acme</style>
+    </field>
+    <field>
+        <id>validation.tlsalpn_acme_autodiscovery</id>
+        <label>IP Auto-Discovery</label>
+        <type>checkbox</type>
+        <help><![CDATA[The FQDN's used in your certificate must currently point to an official IP address. Choose this option to let OPNsense try to auto-discover these IP addresses. This will lead to a short downtime of the service that is normally used with this IP address.<br/><div class="text-info"><b>NOTE:</b>This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.</div>]]></help>
+    </field>
+    <field>
+        <id>validation.tlsalpn_acme_interface</id>
+        <label>Interface</label>
+        <type>dropdown</type>
+        <help><![CDATA[The FQDN's used in your certificate must currently point to an official IP address. Choose the interface where this IP address is currently configured. OPNsense will automatically create a temporary port forward to allow the ACME validation to succeed. This will lead to a short downtime of the service that is normally used with this IP address.<br/><div class="text-info"><b>NOTE:</b>This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.</div>]]></help>
+    </field>
+    <field>
+        <id>validation.tlsalpn_acme_ipaddresses</id>
+        <label>IP Addresses</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[The FQDN's used in your certificate must currently point to one or more official IP addresses. Enter the all of these IP addresses here. OPNsense will automatically create a temporary port forward to allow the ACME validation to succeed. This will lead to a short downtime of the service that is normally used with these IP addresses.<br/><div class="text-info"><b>NOTE:</b>This will ONLY work if the official IP addresses are LOCALLY configured on your OPNsense firewall.</div>]]></help>
+        <hint>Enter IP addresses here. Finish each with TAB.</hint>
+    </field>
     <field>
         <label>DNS-01</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index 4089801a00..a6b30ca044 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -36,6 +36,13 @@
         <help><![CDATA[When using HTTP-01 as challenge type, a local webserver is used to provide acme challenge data to the ACME CA. The local webserver is NOT directly exposed to the outside and should NOT use port 80 or any other well-known port. This setting allows you to change the local port of this webserver in case it interferes with another local service. Defaults to port 43580.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>acmeclient.settings.TLSchallengePort</id>
+        <label>Local TLS ALPN Port</label>
+        <type>text</type>
+        <help><![CDATA[The service port when using TLS-ALPN-01 as challenge type. It works similar to the HTTP-01 challenge type. Defaults to port 43581.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>acmeclient.settings.restartTimeout</id>
         <label>Automation Timeout</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 433572cba9..3c0a6881ac 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -85,6 +85,9 @@ public function init(string $certid, string $accountuuid)
             case 'http01':
                 $this->acme_args[] = '--webroot ' . self::ACME_WEBROOT;
                 break;
+            case 'tlsalpn01':
+                $this->acme_args[] = '--alpn';
+                break;
         }
 
         // Store acme filenames
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
new file mode 100644
index 0000000000..db8466892a
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -0,0 +1,143 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+require_once("interfaces.inc");
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\AcmeClient\LeUtils;
+use OPNsense\Core\Config;
+
+/**
+ * Use acme.sh TLS web server for TLS-ALPN-01 validation
+ * @package OPNsense\AcmeClient
+ */
+class TlsalpnAcme extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_id);
+
+        // Get configured TLS port for acme.sh web server.
+        $configObj = Config::getInstance()->object();
+        $local_tls_port = $configObj->OPNsense->AcmeClient->settings->TLSchallengePort;
+        $this->acme_args[] = LeUtils::execSafe('--tlsport %s', (string)$local_tls_port);
+
+        // Collect all IP addresses here, automatic port forward will be applied for each IP
+        $iplist = array();
+
+        // Add IP addresses from auto-discovery feature
+        if ($this->config->tlsalpn_acme_autodiscovery == 1) {
+            $dnslist = explode(',', $this->cert_altnames);
+            $dnslist[] = $this->cert_name;
+            foreach ($dnslist as $fqdn) {
+                // NOTE: This may take some time.
+                $ip_found = gethostbyname("${fqdn}.");
+                if (!empty($ip_found)) {
+                    $iplist[] = (string)$ip_found;
+                }
+            }
+        }
+
+        // Add IP addresses from user input
+        $additional_ip = (string)$this->config->tlsalpn_acme_ipaddresses;
+        if (!empty($additional_ip)) {
+            foreach (explode(',', $additional_ip) as $ip) {
+                $iplist[] = $ip;
+            }
+        }
+
+        // Add IP address from chosen interface
+        if (!empty((string)$this->config->tlsalpn_acme_interface)) {
+            $interface_ip = get_interface_ip((string)$this->config->tlsalpn_acme_interface);
+            if (!empty($interface_ip)) {
+                $iplist[] = $interface_ip;
+            }
+        }
+
+        // Check if IPv6 support is enabled
+        if (isset($configObj->system->ipv6allow) && ($configObj->system->ipv6allow == '1')) {
+            $_ipv6_enabled = true;
+        } else {
+            $_ipv6_enabled = false;
+        }
+
+        // Generate rules for all IP addresses
+        $anchor_rules = "";
+        if (!empty($iplist)) {
+            $dedup_iplist = array_unique($iplist);
+            // Add one rule for every IP
+            foreach ($dedup_iplist as $ip) {
+                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+                    // IPv4
+                    $_dst = '127.0.0.1';
+                    $_family = 'inet';
+                    LeUtils::log("using IPv4 address: ${ip}");
+                } elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
+                    // IPv6
+                    $_dst = '::1';
+                    $_family = 'inet6';
+                    LeUtils::log("using IPv6 address: ${ip}");
+                } else {
+                    continue; // skip broken entries
+                }
+                $anchor_rules .= "rdr pass ${_family} proto tcp from any to ${ip} port 443 -> ${_dst} port ${local_tls_port}\n";
+            }
+        } else {
+            LeUtils::log_error("no IP addresses found to setup port forward");
+            return false;
+        }
+
+        // Abort if no rules were generated
+        if (empty($anchor_rules)) {
+            LeUtils::log_error("unable to setup a port forward (empty ruleset)");
+            return false;
+        }
+
+        // Create temporary port forward to allow acme challenges to get through
+        $anchor_setup = "rdr-anchor \"acme-client\"\n";
+        file_put_contents("${configdir}/acme_anchor_setup", $anchor_setup);
+        chmod("${configdir}/acme_anchor_setup", 0600);
+        mwexec("/sbin/pfctl -f ${configdir}/acme_anchor_setup");
+        file_put_contents("${configdir}/acme_anchor_rules", $anchor_rules);
+        chmod("${configdir}/acme_anchor_rules", 0600);
+        mwexec("/sbin/pfctl -a acme-client -f ${configdir}/acme_anchor_rules");
+    }
+
+    public function cleanup()
+    {
+        // Flush OPNsense port forward rules.
+        mwexec('/sbin/pfctl -a acme-client -F all');
+
+        // Workaround to solve disconnection issues reported by some users.
+        $backend = new \OPNsense\Core\Backend();
+        $response = $backend->configdRun('filter reload');
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
index 1a2611d219..06e8be49b0 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
@@ -62,6 +62,9 @@ public function getValidation(string $uuid)
             case 'http01':
                 $search_name = "http_" . $obj->http_service;
                 break;
+            case 'tlsalpn01':
+                $search_name = "tlsalpn_" . $obj->tlsalpn_service;
+                break;
         }
 
         // Convert to PascalCase
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 982ffaf3b6..37e3df2956 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>3.1.0</version>
+    <version>3.2.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -34,12 +34,18 @@
                     <stg>Staging Environment</stg>
                 </OptionValues>
             </environment>
-            <challengePort type="IntegerField">
+            <challengePort type="PortField">
                 <default>43580</default>
                 <MinimumValue>1024</MinimumValue>
                 <MaximumValue>65535</MaximumValue>
                 <Required>Y</Required>
             </challengePort>
+            <TLSchallengePort type="PortField">
+                <default>43581</default>
+                <MinimumValue>1024</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <Required>Y</Required>
+            </TLSchallengePort>
             <restartTimeout type="IntegerField">
                 <default>600</default>
                 <MinimumValue>10</MinimumValue>
@@ -339,6 +345,7 @@
                     <OptionValues>
                         <http01>HTTP-01</http01>
                         <dns01>DNS-01</dns01>
+                        <tlsalpn01>TLS-ALPN-01</tlsalpn01>
                     </OptionValues>
                 </method>
                 <http_service type="OptionField">
@@ -384,6 +391,28 @@
                     <multiple>Y</multiple>
                     <Required>N</Required>
                 </http_haproxyFrontends>
+                <tlsalpn_service type="OptionField">
+                    <Required>Y</Required>
+                    <default>acme</default>
+                    <OptionValues>
+                        <acme>acme.sh TLS Web Server (automatic port forward)</acme>
+                    </OptionValues>
+                </tlsalpn_service>
+                <tlsalpn_acme_autodiscovery type="BooleanField">
+                    <default>1</default>
+                    <Required>N</Required>
+                </tlsalpn_acme_autodiscovery>
+                <tlsalpn_acme_interface type="InterfaceField">
+                    <Required>N</Required>
+                    <default>wan</default>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                    </filters>
+                </tlsalpn_acme_interface>
+                <tlsalpn_acme_ipaddresses type="CSVListField">
+                    <Required>N</Required>
+                    <multiple>Y</multiple>
+                </tlsalpn_acme_ipaddresses>
                 <dns_service type="OptionField">
                     <Required>Y</Required>
                     <default>dns_freedns</default>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
index bd1e4c42fa..c095c42988 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
@@ -77,11 +77,20 @@ POSSIBILITY OF SUCH DAMAGE.
                 } else {
                 }
             });
+            $("#validation\\.tlsalpn_service").change(function(){
+                var service_id = 'table_tlsalpn_' + $(this).val();
+                $(".table_tlsalpn").hide();
+                if ($("#validation\\.method").val() == 'tlsalpn01') {
+                    $("."+service_id).show();
+                } else {
+                }
+            });
             $("#validation\\.method").change(function(){
                 $(".method_table").hide();
                 $(".method_table_"+$(this).val()).show();
                 $("#validation\\.dns_service").change();
                 $("#validation\\.http_service").change();
+                $("#validation\\.tlsalpn_service").change();
             });
             $("#validation\\.method").change();
 
@@ -103,7 +112,8 @@ POSSIBILITY OF SUCH DAMAGE.
             <p>{{ lang._('As defined by the ACME standard, Certificate Authorities (CAs) must validate that you control a domain name. This is done by using "challenges". The following challenge types are supported:') }}</p>
             <ul>
               <li>{{ lang._('%sDNS-01:%s This is the most reliable challenge type and thus highly recommended when using this plugin. It requires that you control the DNS for your domain name and that your DNS provider is supported both %sby acme.sh%s and this plugin.') | format('<b>', '</b>', '<a href="https://github.com/acmesh-official/acme.sh/wiki/dnsapi" target="_blank">', '</a>') }}</li>
-              <li>{{ lang._("%sHTTP-01:%s This challenge type usually requires manual configuration and is not recommended. The DNS name used in the certificate must point to the OPNsense host where the ACME Client plugin is running on. The integrated web service will try to guess the correct settings for your setup, but this may not always work out-of-the-box. Furthermore this challenge type cannot be used to create %swildcard certificates with Let's Encrypt%s.") | format('<b>', '</b>', '<a href="https://letsencrypt.org/docs/challenge-types/#http-01-challenge" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._("%sHTTP-01:%s This challenge type usually requires manual configuration and is not recommended. The DNS name used in the certificate must point to the OPNsense host where the ACME Client plugin is running on. The integrated web service will try to guess the correct settings for your setup, but this may not always work out-of-the-box. Furthermore this challenge type cannot be used to validate %swildcard certificates with Let's Encrypt%s.") | format('<b>', '</b>', '<a href="https://letsencrypt.org/docs/challenge-types/#http-01-challenge" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._("%sTLS-ALPN-01:%s This works similar to the HTTP-01 challenge type and has the same requirements. It works if port 80 is unavailable. Other challenge types should be preferred. This challenge type cannot be used to validate %swildcard certificates with Let's Encrypt%s.") | format('<b>', '</b>', '<a href="https://letsencrypt.org/docs/challenge-types/#tls-alpn-01" target="_blank">', '</a>') }}</li>
             </ul>
             <p>{{ lang._('When experiencing issues with a challenge type, try setting the log level to "debug". Please provide full logs when %sreporting issues%s for a challenge type. You should also consider to ask the Certificate Authority for support, if you choose to use a commercial CA.') | format('<a href="https://github.com/opnsense/plugins/issues">', '</a>') }}</p>
         </div>

From f3169f5f9da8cc591df3f7ea85e35328b0f71bd1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 8 Dec 2021 00:47:14 +0100
Subject: [PATCH 0856/3088] security/acme-client: fix path for pf config files

---
 security/acme-client/pkg-descr                                | 1 +
 .../library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 87339fe032..167a9b7f45 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,6 +18,7 @@ Added:
 Fixed:
 * fix SFTP upload (#2671)
 * fix PHP error when acme.sh deploy hook returns an error (#2674)
+* fix path for storing pf config files when using HTTP-01
 
 3.5
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 32f6d31385..3b2d7a3c97 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42,6 +42,8 @@ class HttpOpnsense extends Base implements LeValidationInterface
 {
     public function prepare()
     {
+        $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_id);
+
         // Get configured HTTP port for local lighttpd server.
         $configObj = Config::getInstance()->object();
         $local_http_port = $configObj->OPNsense->AcmeClient->settings->challengePort;

From d918baab46e95aeef50cc446134c6d25ec016a99 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Dec 2021 07:51:08 +0100
Subject: [PATCH 0857/3088] net/freeradius: tab

---
 net/freeradius/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 2c17c8138f..36189e116b 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.17
-PLUGIN_REVISION=  1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 38a704a521a14656833dc9f0699a3dd9437fcd93 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Dec 2021 07:53:09 +0100
Subject: [PATCH 0858/3088] dns/dyndns: follow up on previous

---
 dns/dyndns/Makefile  | 1 +
 dns/dyndns/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 67afe795c0..7f7782cb2b 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.27
+PlUGIN_REVISION=	1
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
index 8f8dcb2326..ff5dc2c1d9 100644
--- a/dns/dyndns/pkg-descr
+++ b/dns/dyndns/pkg-descr
@@ -6,6 +6,7 @@ Plugin Changelog
 1.27
 
 * Add missing digitalocean-v6 switch case (contributed by zarcjap)
+* Fix GoDaddy IPv6 update (contributed by Team Rebellion)
 
 1.26
 

From 5f72f88d60c6d34f0e68e6f600e6fb968aeab94b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 8 Dec 2021 10:01:20 +0100
Subject: [PATCH 0859/3088] security/etpro-telemetry - missed a 'staging' in
 the definition file, closes https://github.com/opnsense/plugins/issues/2685

---
 .../opnsense/scripts/suricata/metadata/rules/et-telemetry.xml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml b/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
index d5e0324c25..cbccbfc01a 100644
--- a/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
+++ b/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
@@ -7,7 +7,7 @@
     <version url="https://opnsense.emergingthreats.net/api/v1/ruleset/version"/>
     <files>
         <file url="inline::rules/telemetry_sids.txt" required="true">telemetry_sids.txt</file>
-        <file url="https://opnsense-staging.emergingthreats.net/api/v1/ruleset/version" required="true">telemetry_version.json</file>
+        <file url="https://opnsense.emergingthreats.net/api/v1/ruleset/version" required="true">telemetry_version.json</file>
         <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">botcc.portgrouped.rules</file>
         <file description="botcc" url="inline::rules/botcc.rules">botcc.rules</file>
         <file description="ciarmy" url="inline::rules/ciarmy.rules">ciarmy.rules</file>

From 47aea72c2338784bcd1b52daa6e98ac74e690a56 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Dec 2021 11:05:43 +0100
Subject: [PATCH 0860/3088] security/etpro-telemetry: bump revision

---
 security/etpro-telemetry/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index c40b30bac2..5daa5f0869 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.6
+PLUGIN_VERSION=		1
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From 378ee0a626ba30cd5806fa58cded6d5dcd9b6eb7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Dec 2021 12:24:37 +0100
Subject: [PATCH 0861/3088] security/etpro-telemetry: silly typo

---
 security/etpro-telemetry/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 5daa5f0869..c3bac8a52e 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.6
-PLUGIN_VERSION=		1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From 04835c3edcee4b92507d15663f830d230f71afac Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Dec 2021 12:27:17 +0100
Subject: [PATCH 0862/3088] dns/dyndns: not my day

---
 dns/dyndns/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 7f7782cb2b..cd07376764 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.27
-PlUGIN_REVISION=	1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 3c7d3502d0162b66d55c741be1eefd4ce31955ad Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Thu, 9 Dec 2021 13:08:04 +0100
Subject: [PATCH 0863/3088] www/nginx: Log display improvements (#2165)

Move pagination and filtering of Nginx logs (error
and access logs for HTTP, Stream and Nginx) from
client browser to server to allow efficient display
of big log files in web UI.

- Allow displaying of archived log files via web UI
- Added default parameters to LogParserBase
- Pass text query base64 encoded to configd to prevent shell injection
- Encode "/" in query before sending via AJAX
- Display correct values (total/found/displayed/...) in case of no results
---
 www/nginx/Makefile                            |   2 +-
 www/nginx/pkg-descr                           |   4 +
 .../OPNsense/Nginx/Api/LogsController.php     | 126 ++++++++++++---
 .../OPNsense/Nginx/IndexController.php        |   8 -
 .../OPNsense/Nginx/LogsController.php         |  87 ++++++++++
 .../OPNsense/Nginx/AccessLogParser.php        |  33 +---
 .../library/OPNsense/Nginx/ErrorLogParser.php |  22 +--
 .../library/OPNsense/Nginx/LogParserBase.php  | 123 +++++++++++++++
 .../OPNsense/Nginx/StreamAccessLogParser.php  |  34 +---
 .../app/models/OPNsense/Nginx/Menu/Menu.xml   |   6 +-
 .../mvc/app/views/OPNsense/Nginx/logs.volt    |   4 +-
 .../src/opnsense/scripts/nginx/list_logs.php  | 106 +++++++++++++
 .../src/opnsense/scripts/nginx/read_log.php   | 148 ++++++++++--------
 .../service/conf/actions.d/actions_nginx.conf |   8 +-
 www/nginx/src/opnsense/www/css/nginx/logs.css |  43 +++++
 .../www/js/nginx/dist/logviewer.min.js        |   2 +-
 .../src/opnsense/www/js/nginx/src/config.js   |  18 ---
 .../nginx/src/controller/LogCategoryList.js   |  50 ++++--
 .../www/js/nginx/src/controller/LogView.js    | 100 +++++++++---
 .../www/js/nginx/src/controller/TabLogList.js |  22 ++-
 .../opnsense/www/js/nginx/src/logviewer.js    |  30 +++-
 .../www/js/nginx/src/models/LogCollection.js  |   3 +-
 .../js/nginx/src/models/LogLinesCollection.js |  36 ++---
 .../nginx/src/models/LogServerCollection.js   |  13 ++
 .../www/js/nginx/src/models/LogServerMenu.js  |   2 +
 .../js/nginx/src/templates/TabCollection.html |   9 +-
 .../www/js/nginx/src/templates/logviewer.html |  66 ++++----
 27 files changed, 797 insertions(+), 308 deletions(-)
 create mode 100644 www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/LogsController.php
 create mode 100644 www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/LogParserBase.php
 create mode 100755 www/nginx/src/opnsense/scripts/nginx/list_logs.php
 create mode 100644 www/nginx/src/opnsense/www/css/nginx/logs.css
 delete mode 100644 www/nginx/src/opnsense/www/js/nginx/src/config.js
 create mode 100644 www/nginx/src/opnsense/www/js/nginx/src/models/LogServerCollection.js
 create mode 100644 www/nginx/src/opnsense/www/js/nginx/src/models/LogServerMenu.js

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 1fa6c45f02..290dec87ff 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.24
+PLUGIN_VERSION=		1.25
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 3afedea298..165ae90fca 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.25
+
+* Reworked logging frontent to support filtering and historic view (contributed by Manuel Faux)
+
 1.24
 
 * Change all Listen Port directives to Listen Address and migrate the Port data to Addresses
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
index 765c1be820..c340ba5fb7 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
@@ -2,7 +2,8 @@
 
 /*
 
-    Copyright (C) 2018 Fabian Franz
+    Copyright (C) 2018-2020 Fabian Franz
+    Copyright (C) 2020 Manuel Faux
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -40,18 +41,26 @@ class LogsController extends ApiControllerBase
      * "/" -> list of access logs
      * "/uuid" -> conent of access log
      * @param null|string $uuid log uuid of the HTTP server from which the error log should be returned
+     * @param $fileno int number of logfile to retrieve
+     * @param $page int pagination page to retrieve
+     * @param $perPage int number of entries per page
+     * @param $query string filter string to apply
      * @return array if feasible, otherwise null and the data is sent directly back
      * @throws \OPNsense\Base\ModelException ?
      */
-    public function accessesAction($uuid = null)
+    public function accessesAction($uuid = null, $fileno = null, $page = 0, $perPage = 0, $query = "")
     {
         $this->nginx = new Nginx();
         if (!isset($uuid)) {
             // emulate REST API -> /accesses delivers a list of servers with access logs
             return $this->list_vhosts();
-        } else {
+        }
+        elseif (!isset($fileno)) {
+            return $this->list_logfiles('access', $uuid);
+        }
+        else {
             // emulate REST call for a specific log /accesses/uuid
-            $this->call_configd('access', $uuid);
+            $this->get_logs('access', $uuid, $fileno, $page, $perPage, $query);
         }
     }
 
@@ -68,18 +77,26 @@ public function tlsHandshakesAction()
      * "/" -> list of error logs
      * "/uuid" -> conent of error log
      * @param null|string $uuid uuid of the HTTP server from which the error log should be returned
+     * @param $fileno int number of logfile to retrieve
+     * @param $page int pagination page to retrieve
+     * @param $perPage int number of entries per page
+     * @param $query string filter string to apply
      * @return array if feasible, otherwise null and the data is sent directly back
      * @throws \OPNsense\Base\ModelException ?
      */
-    public function errorsAction($uuid = null)
+    public function errorsAction($uuid = null, $fileno = null, $page = 0, $perPage = 0, $query = "")
     {
         $this->nginx = new Nginx();
         if (!isset($uuid)) {
             // emulate REST API -> /errors delivers a list of servers with error logs
             return $this->list_vhosts();
-        } else {
+        }
+        elseif (!isset($fileno)) {
+            return $this->list_logfiles('error', $uuid);
+        }
+        else {
             // emulate REST call for a specific log /errors/uuid
-            $this->call_configd('error', $uuid);
+            $this->get_logs('error', $uuid, $fileno, $page, $perPage, $query);
         }
     }
 
@@ -87,18 +104,26 @@ public function errorsAction($uuid = null)
      * "/" -> list of access logs
      * "/uuid" -> conent of access log
      * @param null|string $uuid log uuid of the stream server from which the error log should be returned
+     * @param $fileno int number of logfile to retrieve
+     * @param $page int pagination page to retrieve
+     * @param $perPage int number of entries per page
+     * @param $query string filter string to apply
      * @return array if feasible, otherwise null and the data is sent directly back
      * @throws \OPNsense\Base\ModelException ?
      */
-    public function streamAccessesAction($uuid = null)
+    public function streamaccessesAction($uuid = null, $fileno = null, $page = 0, $perPage = 0, $query = "")
     {
         $this->nginx = new Nginx();
         if (!isset($uuid)) {
             // emulate REST API -> /stream_accesses delivers a list of servers with access logs
             return $this->list_streams();
-        } else {
+        }
+        elseif (!isset($fileno)) {
+            return $this->list_stream_logfiles('streamaccess', $uuid);
+        }
+        else {
             // emulate REST call for a specific log /stream_accesses/uuid
-            $this->call_configd_stream('streamaccess', $uuid);
+            $this->get_stream_logs('streamaccess', $uuid, $fileno, $page, $perPage, $query);
         }
     }
 
@@ -106,49 +131,112 @@ public function streamAccessesAction($uuid = null)
      * "/" -> list of access logs
      * "/uuid" -> conent of error log
      * @param null $uuid uuid of the stream server from which the error log should be returned
+     * @param $fileno int number of logfile to retrieve
+     * @param $page int pagination page to retrieve
+     * @param $perPage int number of entries per page
+     * @param $query string filter string to apply
      * @return array if feasible, otherwise null and the data is sent directly back
      * @throws \OPNsense\Base\ModelException ?
      */
-    public function streamErrorsAction($uuid = null)
+    public function streamerrorsAction($uuid = null, $fileno = null, $page = 0, $perPage = 0, $query = "")
     {
         $this->nginx = new Nginx();
         if (!isset($uuid)) {
             // emulate REST API -> /stream_errors delivers a list of servers with error logs
             return $this->list_streams();
-        } else {
+        }
+        elseif (!isset($fileno)) {
+            return $this->list_stream_logfiles('streamerror', $uuid);
+        }
+        else {
             // emulate REST call for a specific log /stream_errors/uuid
-            $this->call_configd_stream('streamerror', $uuid);
+            $this->get_stream_logs('streamerror', $uuid, $fileno, $page, $perPage, $query);
         }
     }
 
 
     /**
+     * Retrieve log content for HTTP server.
+     *
      * @param $type string access or error for the used log type
      * @param $uuid string uuid of the server
+     * @param $fileno int number of logfile to retrieve
+     * @param $page int pagination page to retrieve
+     * @param $perPage int number of entries per page
+     * @param $query string filter string to apply
      * @return |null
      * @throws \Exception ?
      */
-    private function call_configd($type, $uuid)
+    private function get_logs($type, $uuid, $fileno, $page, $perPage, $query)
     {
         if (!($this->vhost_exists($uuid) || $uuid == 'global')) {
-            $this->response->setStatusCode(404, "Not Found");
+            return $this->response->setStatusCode(404, "Not Found");
         }
 
-        return $this->sendConfigdToClient('nginx log ' . $type . ' ' . $uuid);
+        $page = intval($page);
+        $perPage = intval($perPage);
+        $query = base64_encode(urldecode($query));
+
+        return $this->sendConfigdToClient("nginx log $type $uuid $fileno $page $perPage $query");
     }
+
+    /**
+     * Retrieve available log files for specific HTTP server uuid.
+     *
+     * @param $type string access or error for the used log type
+     * @param $uuid string uuid of the server
+     * @return |null
+     * @throws \Exception ?
+     */
+    private function list_logfiles($type, $uuid)
+    {
+        if (!($this->vhost_exists($uuid) || $uuid == 'global')) {
+            return $this->response->setStatusCode(404, "Not Found");
+        }
+
+        return $this->sendConfigdToClient("nginx listlogs $type $uuid");
+    }
+
+    /**
+     * Retrieve log content for stream server.
+     *
+     * @param $type string access or error for the used log type
+     * @param $uuid string uuid of the server
+     * @param $fileno int number of logfile to retrieve
+     * @param $page int pagination page to retrieve
+     * @param $perPage int number of entries per page
+     * @param $query string filter string to apply
+     * @return |null
+     * @throws \Exception ?
+     */
+    private function get_stream_logs($type, $uuid, $fileno, $page, $perPage, $query)
+    {
+        if (!$this->stream_exists($uuid)) {
+            return $this->response->setStatusCode(404, "Not Found");
+        }
+
+        $page = intval($page);
+        $perPage = intval($perPage);
+        $query = base64_encode(urldecode($query));
+
+        return $this->sendConfigdToClient("nginx log $type $uuid $fileno $page $perPage $query");
+    }
+
     /**
+     * Retrieve available log files for specific stream server uuid.
+     *
      * @param $type string access or error for the used log type
      * @param $uuid string uuid of the server
      * @return |null
      * @throws \Exception ?
      */
-    private function call_configd_stream($type, $uuid)
+    private function list_stream_logfiles($type, $uuid)
     {
         if (!$this->stream_exists($uuid)) {
-            $this->response->setStatusCode(404, "Not Found");
+            return $this->response->setStatusCode(404, "Not Found");
         }
 
-        return $this->sendConfigdToClient('nginx log ' . $type . ' ' . $uuid);
+        return $this->sendConfigdToClient("nginx listlogs $type $uuid");
     }
 
     /**
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
index e80537625b..410e04989f 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
@@ -71,14 +71,6 @@ public function indexAction()
         $this->view->pick('OPNsense/Nginx/index');
     }
 
-    /**
-     * show the nginx logs page /ui/nginx/index/logs
-     */
-    public function logsAction()
-    {
-        $this->view->pick('OPNsense/Nginx/logs');
-    }
-
     /**
      * show the nginx TLS handshakes page /ui/nginx/index/tls_handshakes
      */
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/LogsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/LogsController.php
new file mode 100644
index 0000000000..fec65f18d4
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/LogsController.php
@@ -0,0 +1,87 @@
+<?php
+
+/*
+
+    Copyright (C) 2020 Manuel Faux
+    Copyright (C) 2018-2020 Fabian Franz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+
+*/
+
+
+namespace OPNsense\Nginx;
+
+/**
+* Class IndexController
+* @package OPNsense/Nginx
+*/
+class LogsController extends \OPNsense\Base\IndexController
+{
+    /**
+     * show the configuration page /ui/nginx/logs
+     * @throws \Exception when a form cannot be loaded
+     */
+    public function indexAction()
+    {
+        $this->view->log = 'global';
+        $this->view->pick('OPNsense/Nginx/logs');
+    }
+
+    /**
+     * show the nginx logs page /ui/nginx/logs/accesses
+     */
+    public function accessesAction()
+    {
+        $this->view->log = 'accesses';
+        $this->view->pick('OPNsense/Nginx/logs');
+    }
+
+    /**
+     * show the nginx logs page /ui/nginx/logs/errors
+     */
+    public function errorsAction()
+    {
+        $this->view->log = 'errors';
+        $this->view->pick('OPNsense/Nginx/logs');
+    }
+
+    /**
+     * show the nginx logs page /ui/nginx/logs/stream_accesses
+     */
+    public function streamaccessesAction()
+    {
+        $this->view->log = 'stream_accesses';
+        $this->view->pick('OPNsense/Nginx/logs');
+    }
+
+    /**
+     * show the nginx logs page /ui/nginx/logs/stream_errors
+     */
+    public function streamerrorsAction()
+    {
+        $this->view->log = 'stream_errors';
+        $this->view->pick('OPNsense/Nginx/logs');
+    }
+}
diff --git a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/AccessLogParser.php b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/AccessLogParser.php
index 5f6ed187c1..f2d94de63c 100644
--- a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/AccessLogParser.php
+++ b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/AccessLogParser.php
@@ -2,7 +2,8 @@
 
 /*
 
-    Copyright (C) 2018 Fabian Franz
+    Copyright (C) 2018-2020 Fabian Franz
+    Copyright (C) 2020 Manuel Faux
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -29,32 +30,11 @@
 
 namespace OPNsense\Nginx;
 
-class AccessLogParser
+class AccessLogParser extends LogParserBase
 {
-    private $file_name;
-    private $result;
-
     private const LogLineRegex = '/(\S+) - (\S+) \[([\d\sa-z\:\-\/\+]+)\] "([^"]+?)" (\d+) (\d+) "([^"]*?)" "([^"]*?)" "([^"]*?)"/i';
 
-    function __construct($file_name)
-    {
-        $this->file_name = $file_name;
-        $this->result = array();
-        $this->parse_file();
-    }
-
-    private function parse_file()
-    {
-        $handle = @fopen($this->file_name, 'r');
-        if ($handle) {
-            while (($buffer = fgets($handle)) !== false) {
-                $this->result[] = $this->parse_line($buffer);
-            }
-            fclose($handle);
-        }
-    }
-
-    private function parse_line($line)
+    protected function parse_line($line)
     {
         $container = new AccessLogLine();
         if (preg_match(self::LogLineRegex, $line, $data)) {
@@ -70,9 +50,4 @@ private function parse_line($line)
         }
         return $container;
     }
-
-    public function get_result()
-    {
-        return $this->result;
-    }
 }
diff --git a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/ErrorLogParser.php b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/ErrorLogParser.php
index fd272a4d0c..99336e2b62 100644
--- a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/ErrorLogParser.php
+++ b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/ErrorLogParser.php
@@ -2,7 +2,8 @@
 
 /*
 
-    Copyright (C) 2018 Fabian Franz
+    Copyright (C) 2018-2020 Fabian Franz
+    Copyright (C) 2020 Manuel Faux
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -29,21 +30,11 @@
 
 namespace OPNsense\Nginx;
 
-class ErrorLogParser
+class ErrorLogParser extends LogParserBase
 {
-    private $file_name;
-    private $lines;
-    private $result;
-
     private const LogLineRegex = '/(\S+) (\S+) \[([\d\sa-z\:\-\/\+\#]+)\] ([\S:]+): (.+)/i';
 
-    function __construct($file_name)
-    {
-        $this->file_name = $file_name;
-        $this->lines = file($this->file_name);
-        $this->result = array_map([$this, 'parse_line'], $this->lines);
-    }
-    private function parse_line($line)
+    protected function parse_line($line)
     {
         $container = new ErrorLogLine();
         if (preg_match(self::LogLineRegex, $line, $data)) {
@@ -55,9 +46,4 @@ private function parse_line($line)
         }
         return $container;
     }
-
-    public function get_result()
-    {
-        return $this->result;
-    }
 }
diff --git a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/LogParserBase.php b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/LogParserBase.php
new file mode 100644
index 0000000000..9c38adcfaa
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/LogParserBase.php
@@ -0,0 +1,123 @@
+<?php
+
+/*
+
+    Copyright (C) 2018-2020 Fabian Franz
+    Copyright (C) 2020 Manuel Faux
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Nginx;
+
+abstract class LogParserBase
+{
+    protected $result;
+
+    /**
+     * Constructs a new LogParserBase instance.
+     *
+     * @param $file_name string path to log file of the HTTP server to be parsed
+     * @param $page int pagination page to retrieve (first page is 0)
+     * @param $per_page int number of entries per page if positive, retrieve
+     *                      all elements otherwise
+     * @param $query string filter string to apply
+     */
+    function __construct($file_name, $page = 0, $per_page = 0, $query = array())
+    {
+        $this->file_name = $file_name;
+        $this->page = $page;
+        $this->per_page = $per_page;
+        $this->query = $query;
+        $this->page_count = 0;
+        $this->total_lines = 0;
+        $this->query_lines = 0;
+        $this->result = array();
+
+        $this->parse_file();
+    }
+
+    /**
+     * Forward read complete gz compressed logfile into memory, reverse file,
+     * count lines, save lines which match filter and count matching lines.
+     */
+    private function parse_file()
+    {
+        $lines = gzfile($this->file_name);
+        if ($lines !== false && count($lines) > 0) {
+            $lines = array_reverse($lines);
+
+            $filtering = false;
+            // Did we receive a non-zero filtering query?
+            foreach ($this->query as $key => $val) {
+                if (strlen($val) > 0) {
+                    $filtering = true;
+                }
+            }
+            
+            $cnt = 0;
+            foreach ($lines as $line) {
+                $pass = true;
+
+                $parsed_line = '';
+                // Perform filtering if needed
+                if ($filtering) {
+                    $parsed_line = $this->parse_line($line);
+
+                    foreach ($this->query as $key => $val) {
+                        $val = (string)$val;
+                        if (!empty($val) && strpos($parsed_line->{$key}, (string)$val) === false) {
+                            $pass = false;
+                        }
+                    }
+                }
+
+                if ($pass) {
+                    if ($this->per_page <= 0 || floor($cnt / $this->per_page) == $this->page) {
+                        // Only parse line if not already parsed due to filtering
+                        if (!$filtering) {
+                            $parsed_line = $this->parse_line($line);
+                        }
+
+                        $this->result[] = $parsed_line;
+                    }
+                    $cnt++;
+                }
+            }
+
+            $this->page_count = $this->per_page > 0 ? ceil($cnt / $this->per_page) : 1;
+            $this->total_lines = count($lines);
+            $this->query_lines = $cnt;
+        }
+
+        unset($lines);
+    }
+
+    abstract protected function parse_line($line);
+
+    public function get_result()
+    {
+        return $this->result;
+    }
+}
+
diff --git a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/StreamAccessLogParser.php b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/StreamAccessLogParser.php
index 37726d7047..f6974d6e0a 100644
--- a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/StreamAccessLogParser.php
+++ b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/StreamAccessLogParser.php
@@ -2,7 +2,8 @@
 
 /*
 
-    Copyright (C) 2018 Fabian Franz
+    Copyright (C) 2018-2020 Fabian Franz
+    Copyright (C) 2020 Manuel Faux
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -29,33 +30,11 @@
 
 namespace OPNsense\Nginx;
 
-class StreamAccessLogParser
+class StreamAccessLogParser extends LogParserBase
 {
-    private $file_name;
-    private $result;
-
     private const LogLineRegex = '/(\S+) \[([\d\sa-z\:\-\/\+]+)\] (\S+?) (\d+) (\d+) (\d+) (\d+(?:\.\d+)?)/i';
 
-
-    function __construct($file_name)
-    {
-        $this->file_name = $file_name;
-        $this->result = array();
-        $this->parse_file();
-    }
-
-    private function parse_file()
-    {
-        $handle = @fopen($this->file_name, 'r');
-        if ($handle) {
-            while (($buffer = fgets($handle)) !== false) {
-                $this->result[] = $this->parse_line($buffer);
-            }
-            fclose($handle);
-        }
-    }
-
-    private function parse_line($line)
+    protected function parse_line($line)
     {
         $container = new StreamAccessLogLine();
         if (preg_match(self::LogLineRegex, $line, $data)) {
@@ -68,9 +47,4 @@ private function parse_line($line)
         }
         return $container;
     }
-
-    public function get_result()
-    {
-        return $this->result;
-    }
 }
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Menu/Menu.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Menu/Menu.xml
index d9f5822205..bbe625bd7e 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Menu/Menu.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Menu/Menu.xml
@@ -5,7 +5,11 @@
       <Banned url="/ui/nginx/index/ban" order="20"/>
       <TLSFingerprints VisibleName="TLS Fingerprints" url="/ui/nginx/index/tls_handshakes" order="30"/>
       <VTS VisibleName="Traffic Statistic" url="/ui/nginx/index/vts" order="90"/>
-      <Logs url="/ui/nginx/index/logs" order="100"/>
+      <HTTPAccessLogs VisibleName="Logs / HTTP Access" url="/ui/nginx/logs/accesses" order="100"/>
+      <HTTPErrorLogs VisibleName="Logs / HTTP Error" url="/ui/nginx/logs/errors" order="110"/>
+      <StreamAccessLogs VisibleName="Logs / Stream Access" url="/ui/nginx/logs/stream_accesses" order="120"/>
+      <StreamErrorLogs VisibleName="Logs / Stream Error" url="/ui/nginx/logs/stream_errors" order="130"/>
+      <ErrorLogs VisibleName="Logs / Global Error" url="/ui/nginx/logs" order="140"/>
     </Nginx>
   </Services>
 </menu>
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/logs.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/logs.volt
index 125fc5d63f..b920f706b6 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/logs.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/logs.volt
@@ -25,7 +25,9 @@
 # POSSIBILITY OF SUCH DAMAGE.
 #}
 
-<div id="logapplication"></div>
+<link rel="stylesheet" href="{{ cache_safe('/ui/css/nginx/logs.css') }}" type="text/css" />
+
+<div id="logapplication" data-log="{{ log }}"></div>
 
 <script src="{{ cache_safe('/ui/js/nginx/lib/lodash.min.js') }}"></script>
 <script src="{{ cache_safe('/ui/js/nginx/lib/backbone-min.js') }}"></script>
diff --git a/www/nginx/src/opnsense/scripts/nginx/list_logs.php b/www/nginx/src/opnsense/scripts/nginx/list_logs.php
new file mode 100755
index 0000000000..c3b94e9dd9
--- /dev/null
+++ b/www/nginx/src/opnsense/scripts/nginx/list_logs.php
@@ -0,0 +1,106 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2020 Manuel Faux
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once 'config.inc';
+
+use OPNsense\Nginx\Nginx;
+
+$log_prefix = '/var/log/nginx/';
+$log_suffix = '.log';
+
+function list_logfiles($prefix) {
+    global $log_prefix;
+    $filename = $log_prefix . $prefix;
+
+    $result = [];
+    $files = glob("$filename*", GLOB_NOSORT);
+    foreach ($files as $file) {
+        // Extract number of logrotate (e.g. error.log.4.gz) and set -1 for currently active file
+        $number = (strlen($file) > strlen($filename)) ? substr($file, strlen($filename) + 1, -3) : -1;
+        $result[$number] = array(
+            'filename' => substr($file, strlen($log_prefix)),
+            'date' => ($number >= 0) ? date('d/M/Y', filemtime($file) - 3600) : 'current',
+            'number' => $number
+        );
+    }
+
+    ksort($result, SORT_NUMERIC);
+    $result = array_values($result);
+
+    return $result;
+}
+
+if ($_SERVER['argc'] < 3) {
+    die('{"error": "Incorrect amount of parameters given"}');
+}
+
+// first parameter: error|access
+$mode = $_SERVER['argv'][1];
+// second parameter: uuid of server
+$server = $_SERVER['argv'][2];
+$nginx = new Nginx();
+
+$result = [];
+// special case: the global error log
+if ($server == 'global') {
+    $result = list_logfiles('error.log');
+}
+else {
+    switch ($mode) {
+        case 'error':
+        case 'access':
+            if ($data = $nginx->getNodeByReference('http_server.' . $server)) {
+                $server_names = (string)$data->servername;
+                if (empty($server_names)) {
+                    die('{"error": "The server entry has no server name"}');
+                }
+
+                $log_file_name = basename($server_names) . '.' . $mode . $log_suffix;
+                $result = list_logfiles($log_file_name);
+            }
+            else {
+                die('{"error": "UUID not found"}');
+            }
+            break;
+        case 'streamerror':
+        case 'streamaccess':
+            if ($data = $nginx->getNodeByReference('stream_server.' . $server)) {
+                $mode = str_replace('stream', '', $mode);
+                $log_file_name = 'stream_' . $server . '.' . $mode . $log_suffix;
+                $result = list_logfiles($log_file_name);
+            } else {
+                die('{"error": "UUID not found"}');
+            }
+            break;
+        default:
+            die('{"error": "action (' . $mode . ') not found"}');
+    }
+}
+
+echo json_encode($result);
diff --git a/www/nginx/src/opnsense/scripts/nginx/read_log.php b/www/nginx/src/opnsense/scripts/nginx/read_log.php
index 488c018efc..1ee5e40309 100755
--- a/www/nginx/src/opnsense/scripts/nginx/read_log.php
+++ b/www/nginx/src/opnsense/scripts/nginx/read_log.php
@@ -2,7 +2,8 @@
 <?php
 
 /*
- * Copyright (C) 2018 Fabian Franz
+ * Copyright (C) 2018-2020 Fabian Franz
+ * Copyright (C) 2020 Manuel Faux
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37,7 +38,7 @@
 $log_prefix = '/var/log/nginx/';
 $log_suffix = '.log';
 
-if ($_SERVER['argc'] != 3) {
+if ($_SERVER['argc'] < 6) {
     die('{"error": "Incorrect amount of parameters given"}');
 }
 
@@ -45,81 +46,92 @@
 $mode = $_SERVER['argv'][1];
 // second parameter: uuid of server
 $server = $_SERVER['argv'][2];
+// third parameter: file number
+$file_no = (strlen($_SERVER['argv'][3]) > 0) ? max(intval($_SERVER['argv'][3]), -1) : -1;
+// third parameter: current page
+$page = max(intval($_SERVER['argv'][4]), 0);
+// fourth parameter: lines per page
+$per_page = max(intval($_SERVER['argv'][5]), 0);
+// fifth parameter: filter query
+$query = json_decode(base64_decode($_SERVER['argv'][6]), true);
 $nginx = new Nginx();
 
+if (!is_array($query)) {
+    $query = array();
+}
+
+if ($file_no >= 0) {
+    $log_suffix .= ".$file_no.gz";
+}
+
+$result = [];
 // special case: the global error log
 if ($server == 'global') {
-    $logparser = new ErrorLogParser($log_prefix . 'error.log');
-    echo json_encode(empty($logparser->get_result()) ?
-        array('error' => 'no lines found') :
-        $logparser->get_result());
-    exit(0);
+    $logparser = new ErrorLogParser($log_prefix . 'error' . $log_suffix, $page, $per_page, $query);
 }
+else {
+    switch ($mode) {
+        case 'error':
+        case 'access':
+            if ($data = $nginx->getNodeByReference('http_server.' . $server)) {
+                $server_names = (string)$data->servername;
+                if (empty($server_names)) {
+                    die('{"error": "The server entry has no server name"}');
+                }
+                $log_file_name = $log_prefix . basename($server_names) . '.' . $mode . $log_suffix;
+                // this entry has no log file, ignore it
+                if (!file_exists($log_file_name)) {
+                    break;
+                }
+                $logparser = null;
 
-switch ($mode) {
-    case 'error':
-    case 'access':
-        if ($data = $nginx->getNodeByReference('http_server.' . $server)) {
-            $server_names = (string)$data->servername;
-            if (empty($server_names)) {
-                die('{"error": "The server entry has no server name"}');
+                if ($mode == 'error') {
+                    $logparser = new ErrorLogParser($log_file_name, $page, $per_page, $query);
+                } elseif ($mode == 'access') {
+                    $logparser = new AccessLogParser($log_file_name, $page, $per_page, $query);
+                }
             }
-            $lines = [];
-            $log_file_name = $log_prefix . basename($server_names) . '.' . $mode . $log_suffix;
-            // this entry has no log file, ignore it
-            if (!file_exists($log_file_name)) {
-                break;
+            else {
+                die('{"error": "UUID not found"}');
             }
-            $logparser = null;
+            break;
+        case 'streamerror':
+        case 'streamaccess':
+            if ($data = $nginx->getNodeByReference('stream_server.' . $server)) {
+                $mode = str_replace('stream', '', $mode);
+                $log_file_name = $log_prefix . 'stream_' . $server . '.' . $mode . $log_suffix;
+                // this entry has no log file, ignore it
+                if (!file_exists($log_file_name)) {
+                    die('{"error": "file not found"}');
+                }
+                $logparser = null;
 
-            if ($mode == 'error') {
-                $logparser = new ErrorLogParser($log_file_name);
-            } elseif ($mode == 'access') {
-                $logparser = new AccessLogParser($log_file_name);
-            }
-            // we cannot parse the file - something went wrong
-            if ($logparser == null) {
-                break;
-            }
-            $lines = array_merge($lines, $logparser->get_result());
-            if (empty($lines)) {
-                $lines['error'] = 'no lines found';
-            }
-            echo json_encode($lines);
-        } else {
-            die('{"error": "UUID not found"}');
-        }
-        break;
-    case 'streamerror':
-    case 'streamaccess':
-        if ($data = $nginx->getNodeByReference('stream_server.' . $server)) {
-            $lines = [];
-            $mode = str_replace('stream', '', $mode);
-            $log_file_name = $log_prefix . 'stream_' . $server . '.' . $mode . $log_suffix;
-            // this entry has no log file, ignore it
-            if (!file_exists($log_file_name)) {
-                die('{"error": "file not found"}');
+                if ($mode == 'error') {
+                    $logparser = new ErrorLogParser($log_file_name, $page, $per_page, $query);
+                } elseif ($mode == 'access') {
+                    $logparser = new StreamAccessLogParser($log_file_name, $page, $per_page, $query);
+                }
+            } else {
+                die('{"error": "UUID not found"}');
             }
-            $logparser = null;
+            break;
+        default:
+            die('{"error": "action (' . $mode . ') not found"}');
+    }
+}
 
-            if ($mode == 'error') {
-                $logparser = new ErrorLogParser($log_file_name);
-            } elseif ($mode == 'access') {
-                $logparser = new StreamAccessLogParser($log_file_name);
-            }
-            // we cannot parse the file - something went wrong
-            if ($logparser == null) {
-                break;
-            }
-            $lines = array_merge($lines, $logparser->get_result());
-            if (empty($lines)) {
-                $lines['error'] = 'no lines found';
-            }
-            echo json_encode($lines);
-        } else {
-            die('{"error": "UUID not found"}');
-        }
-        break;
-    default:
-        die('{"error": "action (' . $mode . ') not found"}');
+
+// we cannot parse the file - something went wrong
+if ($logparser === null) {
+    $result['error'] = 'cannot retrieve requested logs';
+}
+else {
+    $result['lines'] = $logparser->get_result();
+    $result['pages'] = $logparser->page_count;
+    $result['total'] = $logparser->total_lines;
+    $result['found'] = $logparser->query_lines;
+    $result['returned'] = count($result['lines']);
+    $result['query'] = json_encode($query);
 }
+
+echo json_encode($result);
diff --git a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
index 1cb7927e53..ed34d49711 100644
--- a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
+++ b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
@@ -28,9 +28,15 @@ type:script_output
 
 [log]
 command:/usr/local/opnsense/scripts/nginx/read_log.php
+parameters: %s %s %s %s %s %s
+type:script_output
+message:querying nginx %s log for %s rotate %s (page %s of %s with filter %s)
+
+[listlogs]
+command:/usr/local/opnsense/scripts/nginx/list_logs.php
 parameters: %s %s
 type:script_output
-message:restarting nginx
+message:listing nginx %s log for %s
 
 [tls_handshakes]
 command:cat /var/log/nginx/handshakes.json
diff --git a/www/nginx/src/opnsense/www/css/nginx/logs.css b/www/nginx/src/opnsense/www/css/nginx/logs.css
new file mode 100644
index 0000000000..c8bf446a04
--- /dev/null
+++ b/www/nginx/src/opnsense/www/css/nginx/logs.css
@@ -0,0 +1,43 @@
+/*
+* Copyright (C) 2020 Manuel Faux
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are met:
+*
+*  1. Redistributions of source code must retain the above copyright notice,
+*   this list of conditions and the following disclaimer.
+*
+*  2. Redistributions in binary form must reproduce the above copyright
+*    notice, this list of conditions and the following disclaimer in the
+*    documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+
+thead.sticky-top th {
+    position: sticky;
+    top: 80px;
+    background-color: white;
+}
+
+thead.sticky-top tr:first-child th {
+    top: 50px;
+}
+
+tfoot.sticky-bottom th {
+    position: sticky;
+    bottom: 50px;
+    background-color: white;
+    font-weight: normal;
+    font-family: inherit;
+}
diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
index 8bdd4e6c74..a52439ce83 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
@@ -1 +1 @@
-!function(e){var t={};function n(l){if(t[l])return t[l].exports;var i=t[l]={i:l,l:!1,exports:{}};return e[l].call(i.exports,i,i.exports,n),i.l=!0,i.exports}n.m=e,n.c=t,n.d=function(e,t,l){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:l})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var l=Object.create(null);if(n.r(l),Object.defineProperty(l,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var i in e)n.d(l,i,function(t){return e[t]}.bind(null,i));return l},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=26)}([function(e,t,n){var l=n(2),i=n(4),o=/[&<>"']/g,r=RegExp(o.source);e.exports=function(e){return(e=i(e))&&r.test(e)?e.replace(o,l):e}},function(e,t,n){var l=n(6).Symbol;e.exports=l},function(e,t,n){var l=n(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});e.exports=l},function(e,t){e.exports=function(e){return function(t){return null==e?void 0:e[t]}}},function(e,t,n){var l=n(5);e.exports=function(e){return null==e?"":l(e)}},function(e,t,n){var l=n(1),i=n(9),o=n(10),r=n(11),_=1/0,a=l?l.prototype:void 0,s=a?a.toString:void 0;e.exports=function e(t){if("string"==typeof t)return t;if(o(t))return i(t,e)+"";if(r(t))return s?s.call(t):"";var n=t+"";return"0"==n&&1/t==-_?"-0":n}},function(e,t,n){var l=n(7),i="object"==typeof self&&self&&self.Object===Object&&self,o=l||i||Function("return this")();e.exports=o},function(e,t,n){(function(t){var n="object"==typeof t&&t&&t.Object===Object&&t;e.exports=n}).call(this,n(8))},function(e,t){var n;n=function(){return this}();try{n=n||new Function("return this")()}catch(e){"object"==typeof window&&(n=window)}e.exports=n},function(e,t){e.exports=function(e,t){for(var n=-1,l=null==e?0:e.length,i=Array(l);++n<l;)i[n]=t(e[n],n,e);return i}},function(e,t){var n=Array.isArray;e.exports=n},function(e,t,n){var l=n(12),i=n(15),o="[object Symbol]";e.exports=function(e){return"symbol"==typeof e||i(e)&&l(e)==o}},function(e,t,n){var l=n(1),i=n(13),o=n(14),r="[object Null]",_="[object Undefined]",a=l?l.toStringTag:void 0;e.exports=function(e){return null==e?void 0===e?_:r:a&&a in Object(e)?i(e):o(e)}},function(e,t,n){var l=n(1),i=Object.prototype,o=i.hasOwnProperty,r=i.toString,_=l?l.toStringTag:void 0;e.exports=function(e){var t=o.call(e,_),n=e[_];try{e[_]=void 0;var l=!0}catch(e){}var i=r.call(e);return l&&(t?e[_]=n:delete e[_]),i}},function(e,t){var n=Object.prototype.toString;e.exports=function(e){return n.call(e)}},function(e,t){e.exports=function(e){return null!=e&&"object"==typeof e}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="dropdown"\n   href="#"\n   class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block"\n   role="button">\n    <b><span class="caret"></span></b>\n</a>\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-right: 0px;"><b>'+(null==(__t=_.escape(name))?"":__t)+'</b></a>\n<ul class="dropdown-menu" role="menu">\n    ',model.forEach(function(e){__p+='\n    <li>\n        <a data-toggle="tab"\n           class="menuEntry"\n           data-model-cid="'+(null==(__t=e.cid)?"":__t)+'"\n           data-model-uuid="'+(null==(__t=e.escape("id"))?"":__t)+'"\n           id="subtab_item_'+(null==(__t=e.escape("id"))?"":__t)+'"\n           href="#subtab_'+(null==(__t=e.escape("id"))?"":__t)+'">'+(null==(__t=e.has("server_name")?e.escape("server_name"):e.escape("port"))?"":__t)+"</a>\n    </li>\n    "}),__p+="\n</ul>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-top-right-radius: 10px !important; padding-right: 10px !important;">\n    <b>'+(null==(__t=_.escape(name))?"":__t)+"</b>\n</a>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="username">'+(null==(__t=model.escape("username"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="size">'+(null==(__t=model.escape("size"))?"":__t)+'</td>\n<td class="referer">'+(null==(__t=model.escape("http_referer"))?"":__t)+'</td>\n<td class="user_agent">'+(null==(__t=model.escape("user_agent"))?"":__t)+'</td>\n<td class="forwarded_for">'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'</td>\n<td class="request_line">'+(null==(__t=model.escape("request_line"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="bytes_sent">'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'</td>\n<td class="bytes_received">'+(null==(__t=model.escape("bytes_received"))?"":__t)+'</td>\n<td class="session_time">'+(null==(__t=model.escape("session_time"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="date">'+(null==(__t=model.escape("date"))?"":__t)+'</td>\n<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="severity">'+(null==(__t=model.escape("severity"))?"":__t)+'</td>\n<td class="number">'+(null==(__t=model.escape("number"))?"":__t)+'</td>\n<td class="message">'+(null==(__t=model.escape("message"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj){let count=0;__p+='<table class="table table-striped">\n    <thead>\n        <tr>\n            ',"errors"===log_type||"stream_errors"===log_type?(count=5,__p+="\n            <th>Date</th>\n            <th>Time</th>\n            <th>Severity</th>\n            <th>Number</th>\n            <th>Message</th>\n            "):"accesses"===log_type?(count=9,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Username</th>\n            <th>Status</th>\n            <th>Size</th>\n            <th>Referer</th>\n            <th>User Agent</th>\n            <th>Forwarded For</th>\n            <th>Request Line</th>\n            "):(count=6,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Status</th>\n            <th>Bytes Sent</th>\n            <th>Bytes Received</th>\n            <th>Session Time</th>\n            "),__p+='\n        </tr>\n        <tr class="filter">\n            ',"errors"===log_type||"stream_errors"===log_type?__p+='\n            <td><input type="text" value="'+(null==(__t=model.escape("date"))?"":__t)+'" name="date" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("severity"))?"":__t)+'" name="severity" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("number"))?"":__t)+'" name="number" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("message"))?"":__t)+'" name="message" /></td>\n            ':"accesses"===log_type?__p+='\n            <td><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("username"))?"":__t)+'" name="username" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("size"))?"":__t)+'" name="size" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("http_referer"))?"":__t)+'" name="http_referer" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("user_agent"))?"":__t)+'" name="user_agent" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'" name="forwarded_for" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("request_line"))?"":__t)+'" name="request_line" /></td>\n            ':__p+='\n            <td><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'" name="bytes_sent" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("bytes_received"))?"":__t)+'" name="bytes_received" /></td>\n            <td><input type="text" value="'+(null==(__t=model.escape("session_time"))?"":__t)+'" name="session_time" /></td>\n            ',__p+='\n        </tr>\n    </thead>\n    <tbody>\n    </tbody>\n    <tfoot>\n        <tr>\n            <td>\n                <button class="btn btn-primary" id="paging_back"><i class="fa fa-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_forward"><i class="fa fa-forward " aria-hidden="true"></i></button>\n            </td>\n            <td colspan="3">\n                Entries per page:\n                <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />\n                <datalist id="tickmarks">\n                    <option value="5" label="5">\n                    <option value="100" label="100">\n                    <option value="200" label="200">\n                    <option value="300">\n                    <option value="400">\n                    <option value="500" label="500">\n                    <option value="600">\n                    <option value="700">\n                    <option value="800">\n                    <option value="900">\n                    <option value="1000" label="1000">\n                </datalist>\n            </td>\n            <td colspan="'+(null==(__t=count-3)?"":__t)+'"></td>\n        </tr>\n    </tfoot>\n</table>\n'}return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div style="text-align: center;">\n    No data available...\n</div>\n';return __p}},,,,function(e,t,n){"use strict";n.r(t);const l=new Backbone.Collection([{name:"HTTP Access Logs",logType:"accesses"},{name:"HTTP Error Logs",logType:"errors"},{name:"Stream Access Logs",logType:"stream_accesses"},{name:"Stream Error Logs",logType:"stream_errors"}]);var i=Backbone.Model.extend({});var o=Backbone.Collection.extend({model:i,url:function(){return"/api/nginx/logs/"+this.logType},initialize:function(e){this.logType=e.logType}}),r=n(16),_=n.n(r);var a=Backbone.View.extend({tagName:"li",events:{"click .mainentry":"mainMenuClick","click .menuEntry":"menuEntryClick"},initialize:function(e){this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.logview=e.logview},render:function(){this.$el.html(""),this.renderCollection()},renderCollection:function(){this.$el.addClass("dropdown"),this.$el.html(""),this.$el.append(_()({model:this.collection,name:this.model.attributes.name}))},mainMenuClick:function(){this.collection.models[0]&&this.handleElementClick(this.collection.models[0].id)},menuEntryClick:function(e){this.handleElementClick(e.target.dataset.modelUuid)},handleElementClick:function(e){this.logview.get_log(this.model.get("logType"),e)}}),s=n(17),c=n.n(s);var u=Backbone.View.extend({tagName:"li",initialize:function(e){this.logview=e.logview,this.log_name=e.log_name,this.visible_name=e.visible_name,this.log_type=e.log_type},events:{"click .mainentry":"handleElementClick"},log_name:null,log_type:null,visible_name:null,render:function(){this.$el.html(c()({name:this.visible_name}))},handleElementClick:function(){this.logview.get_log(this.log_type,this.log_name)}});var d=Backbone.View.extend({tagName:"ul",className:"nav nav-tabs",initialize:function(e){this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.logview=e.logview},render:function(){this.$el.attr("role","tablist"),this.$el.html(""),this.collection.forEach(e=>this.render_one(e)),this.render_single_tabs()},render_one:function(e){const t=new o({uuid:e.get("url"),logType:e.get("logType")}),n=new a({collection:t,model:e,logview:this.logview});this.$el.append(n.$el),t.fetch()},render_single_tabs:function(){const e=new u({logview:this.logview,log_name:"global",visible_name:"Global Error Log",log_type:"errors"});e.render(),this.$el.append(e.$el)}}),p=n(18),m=n.n(p),h=n(19),f=n.n(h),b=n(20),g=n.n(b),v=n(21),y=n.n(v);var x=Backbone.Model.extend({});var w=Backbone.Collection.extend({model:x,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}`},initialize:function(){this.logType="none",this.uuid="none"},parse:function(e){return"error"in e?[]:e},filter_collection:function(e){const t=e.keys();return this.filter(function(n){if(!n)return!1;for(let l=0;l<t.length;l++){const i=t[l];if("string"==typeof e.get(i)&&0!==e.get(i).length){if(!n.has(i))return!1;if(!n.get(i).includes(e.get(i)))return!1}}return!0})}}),k=n(22),j=n.n(k);const T=Backbone.View.extend({tagName:"tr",initialize:function(e){this.type=e.type},render:function(){this.$el.html(this.get_template()({model:this.model}))},get_template:function(){return"accesses"===this.type?m.a:"stream_accesses"===this.type?f.a:g.a}});const q=new(Backbone.View.extend({tagName:"div",className:"content-box tab-content",events:{"keyup .filter input":"update_filter","click #paging_back":"page_back","click #paging_forward":"page_forward","change #entrycount":"change_entry_count"},page_entry_count:100,current_page:0,current_filtered_collection:null,initialize:function(){this.collection=new w,this.filter_model=new Backbone.Model,this.listenTo(this.collection,"sync",this.clear_and_render),this.listenTo(this.collection,"update",this.clear_and_render),this.listenTo(this.filter_model,"change",this.clear_and_render),this.type=""},render:function(){let e=this.$el.find("tbody");if(e.length<1?0!==this.collection.length?(this.$el.html(y()({log_type:this.type,model:this.filter_model})),e=this.$el.find("tbody")):this.$el.html(j.a):e.html(""),0!==this.collection.length){null==this.current_filtered_collection&&(this.current_filtered_collection=this.collection.filter_collection(this.filter_model));const t=this.current_page*this.page_entry_count,n=t+this.page_entry_count;this.current_filtered_collection.slice(t,n).forEach(t=>this.render_one(e,t))}},render_one:function(e,t){const n=new T({type:this.type,model:t});n.render(),e.append(n.$el)},get_log:function(e,t){this.collection.uuid=t,this.collection.logType=e,this.type=e,this.$el.html(""),this.filter_model.clear(),this.update()},update:function(){this.collection.fetch()},clear_and_render:function(){this.current_filtered_collection=null,this.render()},update_filter:function(e){const t=e.target;this.filter_model.set(t.name,$(t).val())},page_back:function(){this.current_page>0&&(this.current_page--,this.render())},page_forward:function(){(this.current_page+1)*this.page_entry_count<this.collection.length&&(this.current_page++,this.render())},change_entry_count:function(e){this.page_entry_count=e.target.value,this.current_page=0,this.render()}})),S=new d({collection:l,logview:q});$(document.getElementById("logapplication")).append(S.$el).append(q.$el),S.render()}]);
\ No newline at end of file
+!function(e){var t={};function n(i){if(t[i])return t[i].exports;var l=t[i]={i:i,l:!1,exports:{}};return e[i].call(l.exports,l,l.exports,n),l.l=!0,l.exports}n.m=e,n.c=t,n.d=function(e,t,i){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:i})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var l in e)n.d(i,l,function(t){return e[t]}.bind(null,l));return i},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=26)}([function(e,t,n){var i=n(2),l=n(4),r=/[&<>"']/g,o=RegExp(r.source);e.exports=function(e){return(e=l(e))&&o.test(e)?e.replace(r,i):e}},function(e,t,n){var i=n(6).Symbol;e.exports=i},function(e,t,n){var i=n(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});e.exports=i},function(e,t){e.exports=function(e){return function(t){return null==e?void 0:e[t]}}},function(e,t,n){var i=n(5);e.exports=function(e){return null==e?"":i(e)}},function(e,t,n){var i=n(1),l=n(9),r=n(10),o=n(11),a=1/0,s=i?i.prototype:void 0,_=s?s.toString:void 0;e.exports=function e(t){if("string"==typeof t)return t;if(r(t))return l(t,e)+"";if(o(t))return _?_.call(t):"";var n=t+"";return"0"==n&&1/t==-a?"-0":n}},function(e,t,n){var i=n(7),l="object"==typeof self&&self&&self.Object===Object&&self,r=i||l||Function("return this")();e.exports=r},function(e,t,n){(function(t){var n="object"==typeof t&&t&&t.Object===Object&&t;e.exports=n}).call(this,n(8))},function(e,t){var n;n=function(){return this}();try{n=n||new Function("return this")()}catch(e){"object"==typeof window&&(n=window)}e.exports=n},function(e,t){e.exports=function(e,t){for(var n=-1,i=null==e?0:e.length,l=Array(i);++n<i;)l[n]=t(e[n],n,e);return l}},function(e,t){var n=Array.isArray;e.exports=n},function(e,t,n){var i=n(12),l=n(15),r="[object Symbol]";e.exports=function(e){return"symbol"==typeof e||l(e)&&i(e)==r}},function(e,t,n){var i=n(1),l=n(13),r=n(14),o="[object Null]",a="[object Undefined]",s=i?i.toStringTag:void 0;e.exports=function(e){return null==e?void 0===e?a:o:s&&s in Object(e)?l(e):r(e)}},function(e,t,n){var i=n(1),l=Object.prototype,r=l.hasOwnProperty,o=l.toString,a=i?i.toStringTag:void 0;e.exports=function(e){var t=r.call(e,a),n=e[a];try{e[a]=void 0;var i=!0}catch(e){}var l=o.call(e);return i&&(t?e[a]=n:delete e[a]),l}},function(e,t){var n=Object.prototype.toString;e.exports=function(e){return n.call(e)}},function(e,t){e.exports=function(e){return null!=e&&"object"==typeof e}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\r\n<a data-toggle="dropdown"\r\n   href="#"\r\n   class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block"\r\n   role="button">\r\n    <b><span class="caret"></span></b>\r\n</a>\r\n<a data-toggle="tab"\r\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\r\n   style="border-right: 0px;"><b>'+(null==(__t=_.escape(name))?"":__t)+'</b></a>\r\n<ul class="dropdown-menu" role="menu" id="tab_'+(null==(__t=_.escape(id))?"":__t)+'">\r\n    ',model.forEach(function(e){__p+='\r\n    <li>\r\n        <a data-toggle="tab"\r\n           class="menuEntry"\r\n           data-model-cid="'+(null==(__t=e.cid)?"":__t)+'"\r\n           data-model-uuid="'+(null==(__t=_.escape(id))?"":__t)+'"\r\n           data-model-fileno="'+(null==(__t=e.escape("number"))?"":__t)+'"\r\n           id="subtab_item_'+(null==(__t=_.escape(id))?"":__t)+"_"+(null==(__t=e.escape("number"))?"":__t)+'"\r\n           href="#subtab_'+(null==(__t=_.escape(id))?"":__t)+'">'+(null==(__t=e.escape("date"))?"":__t)+"</a>\r\n    </li>\r\n    "}),__p+="\r\n</ul>\r\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-top-right-radius: 10px !important; padding-right: 10px !important;">\n    <b>'+(null==(__t=_.escape(name))?"":__t)+"</b>\n</a>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="username">'+(null==(__t=model.escape("username"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="size">'+(null==(__t=model.escape("size"))?"":__t)+'</td>\n<td class="referer">'+(null==(__t=model.escape("http_referer"))?"":__t)+'</td>\n<td class="user_agent">'+(null==(__t=model.escape("user_agent"))?"":__t)+'</td>\n<td class="forwarded_for">'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'</td>\n<td class="request_line">'+(null==(__t=model.escape("request_line"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="bytes_sent">'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'</td>\n<td class="bytes_received">'+(null==(__t=model.escape("bytes_received"))?"":__t)+'</td>\n<td class="session_time">'+(null==(__t=model.escape("session_time"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="date">'+(null==(__t=model.escape("date"))?"":__t)+'</td>\n<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="severity">'+(null==(__t=model.escape("severity"))?"":__t)+'</td>\n<td class="number">'+(null==(__t=model.escape("number"))?"":__t)+'</td>\n<td class="message">'+(null==(__t=model.escape("message"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj){let count=0;__p+='<table class="table table-striped">\r\n    <thead class="sticky-top">\r\n        <tr>\r\n            ',"errors"===log_type||"stream_errors"===log_type?(count=5,__p+="\r\n            <th>Date</th>\r\n            <th>Time</th>\r\n            <th>Severity</th>\r\n            <th>Number</th>\r\n            <th>Message</th>\r\n            "):"accesses"===log_type?(count=9,__p+="\r\n            <th>Time</th>\r\n            <th>Remote IP</th>\r\n            <th>Username</th>\r\n            <th>Status</th>\r\n            <th>Size</th>\r\n            <th>Referer</th>\r\n            <th>User Agent</th>\r\n            <th>Forwarded For</th>\r\n            <th>Request Line</th>\r\n            "):(count=6,__p+="\r\n            <th>Time</th>\r\n            <th>Remote IP</th>\r\n            <th>Status</th>\r\n            <th>Bytes Sent</th>\r\n            <th>Bytes Received</th>\r\n            <th>Session Time</th>\r\n            "),__p+='\r\n        </tr>\r\n        <tr class="filter">\r\n            ',"errors"===log_type||"stream_errors"===log_type?__p+='\r\n            <th><input type="text" value="'+(null==(__t=model.escape("date"))?"":__t)+'" name="date" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("severity"))?"":__t)+'" name="severity" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("number"))?"":__t)+'" name="number" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("message"))?"":__t)+'" name="message" /></th>\r\n            ':"accesses"===log_type?__p+='\r\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("username"))?"":__t)+'" name="username" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("size"))?"":__t)+'" name="size" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("http_referer"))?"":__t)+'" name="http_referer" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("user_agent"))?"":__t)+'" name="user_agent" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'" name="forwarded_for" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("request_line"))?"":__t)+'" name="request_line" /></th>\r\n            ':__p+='\r\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'" name="bytes_sent" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("bytes_received"))?"":__t)+'" name="bytes_received" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("session_time"))?"":__t)+'" name="session_time" /></th>\r\n            ',__p+='\r\n        </tr>\r\n    </thead>\r\n    <tbody>\r\n    </tbody>\r\n    <tfoot class="sticky-bottom">\r\n        <tr>\r\n            <th class="text-nowrap">\r\n                <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>\r\n                <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>\r\n                <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>\r\n                <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>\r\n                <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>\r\n            </th>\r\n            <th>\r\n                Page <span id="currentpage">1</span>/<span id="pagecount">0</span>\r\n            </th>\r\n            <th colspan="2">\r\n                <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>\r\n                <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />\r\n                <datalist id="tickmarks">\r\n                    <option value="5" label="5">\r\n                    <option value="100" label="100">\r\n                    <option value="200" label="200">\r\n                    <option value="300">\r\n                    <option value="400">\r\n                    <option value="500" label="500">\r\n                    <option value="600">\r\n                    <option value="700">\r\n                    <option value="800">\r\n                    <option value="900">\r\n                    <option value="1000" label="1000">\r\n                </datalist>\r\n            </th>\r\n            <th colspan="'+(null==(__t=count-4)?"":__t)+'">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>\r\n        </tr>\r\n    </tfoot>\r\n</table>\r\n'}return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div style="text-align: center;">\n    No data available...\n</div>\n';return __p}},,,,function(e,t,n){"use strict";n.r(t);var i=Backbone.Model.extend({});var l=Backbone.Collection.extend({model:i,url:function(){return`/api/nginx/logs/${this.logType}`},initialize:function(e){this.logType=e.logType}}),r=Backbone.Model.extend({});var o=Backbone.Collection.extend({model:r,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}`},initialize:function(e){this.logType=e.logType,this.uuid=e.uuid}}),a=n(16),s=n.n(a);var _=Backbone.View.extend({tagName:"li",events:{"click .mainentry":"mainMenuClick","click .menuEntry":"menuEntryClick"},initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logType=e.logType,this.logview=e.logview},render:function(){this.$el.html(""),this.renderCollection()},renderCollection:function(){this.$el.addClass("dropdown"),"global"==this.model.get("id")&&(this.$el.addClass("active"),this.logview.get_log("errors","global",0)),this.$el.html(""),this.$el.append(s()({model:this.collection,id:this.model.get("id"),name:this.model.has("server_name")?this.model.get("server_name"):"Port "+this.model.get("port")}))},mainMenuClick:function(){this.collection.models[0]&&(this.handleElementClick(this.model.get("id"),this.collection.models[0].get("number")),$(`#tab_${this.model.get("id")} li`).removeClass("active"),$(`#subtab_item_${this.model.get("id")}_${this.collection.models[0].get("number")}`).parent().addClass("active"))},menuEntryClick:function(e){this.handleElementClick(e.target.dataset.modelUuid,e.target.dataset.modelFileno)},handleElementClick:function(e,t){this.logview.get_log(this.logType,e,t)}}),c=n(17),u=n.n(c);Backbone.View.extend({tagName:"li",initialize:function(e){this.logview=e.logview,this.log_name=e.log_name,this.visible_name=e.visible_name,this.log_type=e.log_type},events:{"click .mainentry":"handleElementClick"},log_name:null,log_type:null,visible_name:null,render:function(){this.$el.html(u()({name:this.visible_name}))},handleElementClick:function(){this.logview.get_log(this.log_type,this.log_name)}});var p=Backbone.View.extend({tagName:"ul",className:"nav nav-tabs",initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logview=e.logview,this.logType=e.logType},render:function(){this.$el.attr("role","tablist"),this.$el.html(""),"global"==this.logType?this.render_global_error_tab():this.collection.forEach(e=>this.render_one_server(e))},render_one_server:function(e){const t=new o({uuid:e.get("id"),logType:this.logType}),n=new _({collection:t,model:e,logType:this.logType,logview:this.logview});this.$el.append(n.$el),t.fetch()},render_global_error_tab:function(){const e=new o({uuid:"global",logType:"errors"}),t=new _({collection:e,model:new Backbone.Model({server_name:"Global Error Log",id:"global"}),logType:"errors",logview:this.logview});this.$el.append(t.$el),e.fetch()}}),d=n(18),h=n.n(d),m=n(19),g=n.n(m),b=n(20),f=n.n(b),y=n(21),v=n.n(y);var x=Backbone.Model.extend({});var w=Backbone.Collection.extend({model:x,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}/${this.fileNo}/${this.page}/${this.pageSize}/${this.create_filter()}`},initialize:function(){this.logType="none",this.uuid="none",this.fileNo=-1,this.page=0,this.pageSize=0,this.filter_model=new Backbone.Model},parse:function(e){return"error"in e?[]:(this.page_count=e.pages,this.total_entries=e.total,this.displayed_entries=e.found,e.lines)},create_filter:function(){return encodeURIComponent(JSON.stringify(this.filter_model))}}),k=n(22),j=n.n(k);const T=Backbone.View.extend({tagName:"tr",initialize:function(e){this.type=e.type},render:function(){this.$el.html(this.get_template()({model:this.model}))},get_template:function(){return"accesses"===this.type?h.a:"stream_accesses"===this.type?g.a:f.a}});const C=new(Backbone.View.extend({tagName:"div",className:"content-box tab-content",events:{"keyup .filter input":"update_filter","click #paging_first":"page_first","click #paging_back":"page_back","click #refresh":"update","click #paging_forward":"page_forward","click #paging_last":"page_last","change #entrycount":"change_entry_count"},page_entry_count:100,filter_delay:-1,initialize:function(){this.collection=new w,this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.listenTo(this.collection.filter_model,"change",this.render),this.type=""},render:function(){let e=this.$("tbody");e.length<1?0!==this.collection.length?(this.$el.html(v()({log_type:this.type,model:this.collection.filter_model})),e=this.$("tbody")):this.$el.html(j.a):e.html(""),0!==this.collection.length&&null==this.current_filtered_collection&&this.collection.forEach(t=>this.render_one(e,t)),this.$("#entrycountdisplay").html(this.page_entry_count),this.$("#currentpage").html(this.current_page+1),this.$("#pagecount").html(this.collection.page_count),this.$("#totalcount").html(this.collection.total_entries),this.$("#resultcount").html(this.collection.displayed_entries),this.current_page>=this.collection.page_count-1?(this.$("#paging_last").addClass("disabled"),this.$("#paging_forward").addClass("disabled")):(this.$("#paging_last").removeClass("disabled"),this.$("#paging_forward").removeClass("disabled")),this.current_page<=0?(this.$("#paging_back").addClass("disabled"),this.$("#paging_first").addClass("disabled")):(this.$("#paging_back").removeClass("disabled"),this.$("#paging_first").removeClass("disabled"))},render_one:function(e,t){const n=new T({type:this.type,model:t});n.render(),e.append(n.$el)},get_log:function(e,t,n){this.collection.uuid=t,this.collection.logType=e,this.collection.fileNo=n,this.type=e,this.current_page=0,this.$el.html(""),this.collection.filter_model.clear(),this.update()},update:function(){this.collection.page=this.current_page,this.collection.pageSize=this.page_entry_count,this.collection.fetch()},update_filter:function(e){clearTimeout(this.filter_delay);const t=e.target;this.collection.filter_model.set(t.name,$(t).val()),this.current_page=0,this.filter_delay=setTimeout(function(e){e.update()},500,this)},page_first:function(){this.current_page=0,this.update()},page_back:function(){this.current_page>0&&(this.current_page--,this.update())},page_forward:function(){this.current_page<this.collection.page_count&&(this.current_page++,this.update())},page_last:function(){this.current_page=this.collection.page_count-1,this.update()},change_entry_count:function(e){this.page_entry_count=e.target.value,this.current_page=0,this.update()}})),S=$("#logapplication").data("log"),q=new l({logType:S}),z=new p({collection:q,logview:C,logType:S});$("#logapplication").append(z.$el).append(C.$el),"global"!=S?q.fetch():z.render()}]);
\ No newline at end of file
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/config.js b/www/nginx/src/opnsense/www/js/nginx/src/config.js
deleted file mode 100644
index 4887d29780..0000000000
--- a/www/nginx/src/opnsense/www/js/nginx/src/config.js
+++ /dev/null
@@ -1,18 +0,0 @@
-export const defaultEndpoints = new Backbone.Collection([
-    {
-        "name": 'HTTP Access Logs',
-        "logType" : 'accesses'
-    },
-    {
-        "name": 'HTTP Error Logs',
-        "logType" : 'errors'
-    },
-    {
-        "name": 'Stream Access Logs',
-        "logType" : 'stream_accesses'
-    },
-    {
-        "name": 'Stream Error Logs',
-        "logType" : 'stream_errors'
-    }
-]);
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogCategoryList.js b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogCategoryList.js
index bf770b8cfe..7a8d7a8a8f 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogCategoryList.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogCategoryList.js
@@ -7,42 +7,58 @@ let LogCategoryList = Backbone.View.extend({
     className: "nav nav-tabs",
 
     initialize: function(data) {
-        this.listenTo(this.collection, "sync",   this.render);
         this.listenTo(this.collection, "update", this.render);
         this.logview = data.logview;
+        this.logType = data.logType;
     },
 
     render: function() {
         this.$el.attr('role', 'tablist');
         this.$el.html('');
-        this.collection.forEach((element) => this.render_one(element));
-        this.render_single_tabs();
+
+        if (this.logType == 'global') {
+            this.render_global_error_tab();
+        }
+        else {
+            this.collection.forEach((element) => this.render_one_server(element));
+        }
     },
 
-    render_one: function(element) {
-        const servers = new LogCollection(
+    render_one_server: function(element) {
+        const files = new LogCollection(
             {
-                uuid: element.get('url'),
-                logType: element.get('logType')
+                uuid: element.get('id'),
+                logType: this.logType
             }
         );
         const logList = new TabLogList({
-            collection: servers,
+            collection: files,
             model: element,
+            logType: this.logType,
             logview: this.logview
         });
         this.$el.append(logList.$el);
-        servers.fetch();
+        files.fetch();
     },
-    render_single_tabs: function () {
-        const single_tab = new SingleTab({
-            logview: this.logview,
-            log_name: 'global',
-            visible_name: 'Global Error Log',
-            log_type: 'errors'});
-        single_tab.render();
-        this.$el.append(single_tab.$el);
 
+    render_global_error_tab: function () {
+        const files = new LogCollection(
+            {
+                uuid: 'global',
+                logType: 'errors'
+            }
+        );
+        const logList = new TabLogList({
+            collection: files,
+            model: new Backbone.Model({
+                server_name: 'Global Error Log',
+                id: 'global'
+            }),
+            logType: 'errors',
+            logview: this.logview
+        });
+        this.$el.append(logList.$el);
+        files.fetch();
     }
 });
 
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
index fe82540f8e..c0792ce47c 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
@@ -33,29 +33,30 @@ const LogView = Backbone.View.extend({
     className: 'content-box tab-content',
     events: {
         "keyup .filter input": "update_filter",
+        "click #paging_first": "page_first",
         "click #paging_back": "page_back",
+        "click #refresh": "update",
         "click #paging_forward": "page_forward",
+        "click #paging_last": "page_last",
         "change #entrycount": "change_entry_count",
     },
     page_entry_count: 100,
-    current_page: 0,
-    current_filtered_collection: null,
+    filter_delay: -1,
 
     initialize: function() {
         this.collection = new LogLinesCollection();
-        this.filter_model = new Backbone.Model();
-        this.listenTo(this.collection, "sync", this.clear_and_render);
-        this.listenTo(this.collection, "update", this.clear_and_render);
-        this.listenTo(this.filter_model, "change", this.clear_and_render);
+        this.listenTo(this.collection, "sync", this.render);
+        this.listenTo(this.collection, "update", this.render);
+        this.listenTo(this.collection.filter_model, "change", this.render);
         this.type = '';
     },
 
     render: function() {
-        let tbody = this.$el.find('tbody');
+        let tbody = this.$('tbody');
         if (tbody.length < 1) {
             if (this.collection.length !== 0) {
-                this.$el.html(logViewer({log_type: this.type, model: this.filter_model}));
-                tbody = this.$el.find('tbody');
+                this.$el.html(logViewer({log_type: this.type, model: this.collection.filter_model}));
+                tbody = this.$('tbody');
             } else {
                 this.$el.html(noDataAvailable);
             }
@@ -63,57 +64,104 @@ const LogView = Backbone.View.extend({
         else {
             tbody.html('');
         }
+        
         if (this.collection.length !== 0) {
             if (this.current_filtered_collection == null) {
-                this.current_filtered_collection = this.collection.filter_collection(this.filter_model);
+                this.collection.forEach(
+                    (model) => this.render_one(tbody, model)
+                );
             }
-            const index_begin = this.current_page * this.page_entry_count;
-            const index_end = index_begin + this.page_entry_count;
-            this.current_filtered_collection.slice(index_begin, index_end).forEach(
-                (model) => this.render_one(tbody, model)
-            );
+        }
+
+        this.$('#entrycountdisplay').html(this.page_entry_count);
+        this.$('#currentpage').html(this.current_page + 1);
+        this.$('#pagecount').html(this.collection.page_count);
+        this.$('#totalcount').html(this.collection.total_entries);
+        this.$('#resultcount').html(this.collection.displayed_entries);
+
+        if (this.current_page >= this.collection.page_count - 1) {
+            this.$('#paging_last').addClass("disabled");
+            this.$('#paging_forward').addClass("disabled");
+        }
+        else {
+            this.$('#paging_last').removeClass("disabled");
+            this.$('#paging_forward').removeClass("disabled");
+        }
+
+        if (this.current_page <= 0) {
+            this.$('#paging_back').addClass("disabled");
+            this.$('#paging_first').addClass("disabled");
+        }
+        else {
+            this.$('#paging_back').removeClass("disabled");
+            this.$('#paging_first').removeClass("disabled");
         }
     },
+
     render_one: function(parent_element, model) {
         const logline = new LogViewLine({type: this.type, model: model});
         logline.render();
         parent_element.append(logline.$el);
     },
-    get_log: function(type, uuid) {
+
+    get_log: function(type, uuid, fileNo) {
         this.collection.uuid = uuid;
         this.collection.logType = type;
+        this.collection.fileNo = fileNo;
         this.type = type;
+        this.current_page = 0;
         this.$el.html('');
-        this.filter_model.clear();
+        this.collection.filter_model.clear();
         this.update();
     },
+
     update: function () {
+        this.collection.page = this.current_page;
+        this.collection.pageSize = this.page_entry_count;
         this.collection.fetch();
     },
-    clear_and_render: function() {
-        this.current_filtered_collection = null;
-        this.render();
-    },
+
     update_filter: function (event) {
+        clearTimeout(this.filter_delay);
         const element = event.target;
-        this.filter_model.set(element.name, $(element).val());
+        this.collection.filter_model.set(element.name, $(element).val());
+        this.current_page = 0;
+
+        // Delay update to avoid multiple requests during typing
+        this.filter_delay = setTimeout(function(instance) {
+            instance.update();
+        }, 500, this);
     },
+
+    page_first: function () {
+        this.current_page = 0;
+        this.update();
+    },
+
     page_back: function () {
         if (this.current_page > 0) {
             this.current_page--;
-            this.render();
+            this.update();
         }
     },
+
     page_forward: function () {
-        if ((this.current_page + 1) * this.page_entry_count < this.collection.length) {
+        if (this.current_page < this.collection.page_count) {
             this.current_page++;
-            this.render();
+            this.update();
         }
     },
+
+    page_last: function () {
+        this.current_page = this.collection.page_count - 1;
+        this.update();
+    },
+
     change_entry_count: function (event) {
         this.page_entry_count = event.target.value;
         this.current_page = 0;
-        this.render();
+        this.update();
     }
 });
+
 export default LogView;
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/controller/TabLogList.js b/www/nginx/src/opnsense/www/js/nginx/src/controller/TabLogList.js
index 60e1d3ba28..3533df6398 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/controller/TabLogList.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/controller/TabLogList.js
@@ -9,8 +9,8 @@ let TabLogList = Backbone.View.extend({
     },
 
     initialize: function(data) {
-        this.listenTo(this.collection, "sync", this.render);
         this.listenTo(this.collection, "update", this.render);
+        this.logType = data.logType;
         this.logview = data.logview;
     },
 
@@ -21,21 +21,31 @@ let TabLogList = Backbone.View.extend({
 
     renderCollection: function() {
         this.$el.addClass('dropdown');
+        if (this.model.get('id') == "global") {
+            this.$el.addClass('active');
+            this.logview.get_log('errors', 'global', -1);
+        }
         this.$el.html('');
         this.$el.append(
-            TabTemplateCollection({model: this.collection, name: this.model.attributes.name})
+            TabTemplateCollection({
+                model: this.collection,
+                id: this.model.get('id'),
+                name: this.model.has('server_name') ? this.model.get('server_name') : "Port " + this.model.get('port')
+            })
         );
     },
     mainMenuClick: function () {
         if (this.collection.models[0]) {
-            this.handleElementClick(this.collection.models[0].id);
+            this.handleElementClick(this.model.get('id'), this.collection.models[0].get('number'));
+            $(`#tab_${this.model.get('id')} li`).removeClass('active');
+            $(`#subtab_item_${this.model.get('id')}_${this.collection.models[0].get('number')}`).parent().addClass('active');
         }
     },
     menuEntryClick: function (event) {
-        this.handleElementClick(event.target.dataset['modelUuid']);
+        this.handleElementClick(event.target.dataset['modelUuid'], event.target.dataset['modelFileno']);
     },
-    handleElementClick: function (uuid) {
-        this.logview.get_log(this.model.get('logType'), uuid);
+    handleElementClick: function (uuid, fileNo) {
+        this.logview.get_log(this.logType, uuid, fileNo);
     }
 });
 export default TabLogList;
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/logviewer.js b/www/nginx/src/opnsense/www/js/nginx/src/logviewer.js
index dad07be5f7..0051e00e42 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/logviewer.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/logviewer.js
@@ -1,15 +1,33 @@
-import {defaultEndpoints} from './config';
+import LogServerCollection from './models/LogServerCollection';
 import LogCategoryList from './controller/LogCategoryList';
 import LogView from './controller/LogView';
 
+// Skeleton with header (navigation) and footer (pagination)
 const logview = new LogView();
-
+// Get type of log to display from volt view (data-log HTML attribute)
+const type = $('#logapplication').data('log');
+// Query (HTTP or stream) server list
+const servers = new LogServerCollection({
+    logType: type
+});
+// Render tabs with server logs (one tab per server)
 const menu = new LogCategoryList({
-    collection: defaultEndpoints,
-    logview: logview
+    collection: servers,
+    logview: logview,
+    logType: type // 'errors', 'accesses' or 'global'
 });
 
-$(document.getElementById('logapplication'))
+// Place log application to volt template
+$('#logapplication')
     .append(menu.$el)
     .append(logview.$el);
-menu.render();
+
+if (type != 'global') {
+    // Global error log does not require server list
+    servers.fetch();
+}
+else {
+    // Update of server list triggers render() which does not
+    // occur for global error log
+    menu.render();
+}
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/models/LogCollection.js b/www/nginx/src/opnsense/www/js/nginx/src/models/LogCollection.js
index 19febb1f38..0221235e1c 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/models/LogCollection.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/models/LogCollection.js
@@ -3,10 +3,11 @@ import LogFileMenuEntry from './LogFileMenuEntry';
 const LogCollection = Backbone.Collection.extend({
     model: LogFileMenuEntry,
     url: function () {
-        return '/api/nginx/logs/' + this.logType;
+        return `/api/nginx/logs/${this.logType}/${this.uuid}`;
     },
     initialize: function (params) {
         this.logType = params.logType;
+        this.uuid = params.uuid;
     }
 });
 
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/models/LogLinesCollection.js b/www/nginx/src/opnsense/www/js/nginx/src/models/LogLinesCollection.js
index 2e3eb2921d..806f0c0775 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/models/LogLinesCollection.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/models/LogLinesCollection.js
@@ -3,39 +3,29 @@ import LogLine from "./LogLine";
 const LogLinesCollection = Backbone.Collection.extend({
     model: LogLine,
     url: function () {
-        return `/api/nginx/logs/${this.logType}/${this.uuid}`;
+        return `/api/nginx/logs/${this.logType}/${this.uuid}/${this.fileNo}/${this.page}/${this.pageSize}/${this.create_filter()}`;
     },
     initialize: function () {
         this.logType = 'none';
         this.uuid = 'none';
+        this.fileNo = -1;
+        this.page = 0;
+        this.pageSize = 0;
+        this.filter_model = new Backbone.Model();
     },
     parse: function(response) {
         if ('error' in response) {
             return [];
         }
-        return response;
+        else {
+            this.page_count = response.pages;
+            this.total_entries = response.total;
+            this.displayed_entries = response.found;
+            return response.lines;
+        }
     },
-    filter_collection: function(filter_model) {
-        const filter_model_keys = filter_model.keys();
-        return this.filter(function (model) {
-            if (!model) {
-                return false;
-            }
-            for (let i = 0; i < filter_model_keys.length; i++) {
-                const property = filter_model_keys[i];
-                if (typeof(filter_model.get(property)) !== "string"
-                    || filter_model.get(property).length === 0) {
-                    continue;
-                }
-                if (!model.has(property)) {
-                    return false;
-                }
-                if (!model.get(property).includes(filter_model.get(property))) {
-                    return false;
-                }
-            }
-            return true;
-        });
+    create_filter: function() {
+        return encodeURIComponent(JSON.stringify(this.filter_model));
     }
 });
 
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/models/LogServerCollection.js b/www/nginx/src/opnsense/www/js/nginx/src/models/LogServerCollection.js
new file mode 100644
index 0000000000..9fdfdc75b3
--- /dev/null
+++ b/www/nginx/src/opnsense/www/js/nginx/src/models/LogServerCollection.js
@@ -0,0 +1,13 @@
+import LogServerMenu from './LogServerMenu';
+
+const LogServerCollection = Backbone.Collection.extend({
+    model: LogServerMenu,
+    url: function () {
+        return `/api/nginx/logs/${this.logType}`;
+    },
+    initialize: function (params) {
+        this.logType = params.logType;
+    }
+});
+
+export default LogServerCollection;
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/models/LogServerMenu.js b/www/nginx/src/opnsense/www/js/nginx/src/models/LogServerMenu.js
new file mode 100644
index 0000000000..170a06af68
--- /dev/null
+++ b/www/nginx/src/opnsense/www/js/nginx/src/models/LogServerMenu.js
@@ -0,0 +1,2 @@
+export default Backbone.Model.extend({
+});
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/TabCollection.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/TabCollection.html
index ee317a10c9..d5ea04354a 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/templates/TabCollection.html
+++ b/www/nginx/src/opnsense/www/js/nginx/src/templates/TabCollection.html
@@ -37,15 +37,16 @@
 <a data-toggle="tab"
    class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"
    style="border-right: 0px;"><b><%= _.escape(name) %></b></a>
-<ul class="dropdown-menu" role="menu">
+<ul class="dropdown-menu" role="menu" id="tab_<%= _.escape(id) %>">
     <% model.forEach(function(row) { %>
     <li>
         <a data-toggle="tab"
            class="menuEntry"
            data-model-cid="<%= row.cid %>"
-           data-model-uuid="<%= row.escape('id') %>"
-           id="subtab_item_<%= row.escape('id') %>"
-           href="#subtab_<%= row.escape('id') %>"><%= row.has("server_name") ? row.escape("server_name") : row.escape("port") %></a>
+           data-model-uuid="<%= _.escape(id) %>"
+           data-model-fileno="<%= row.escape('number') %>"
+           id="subtab_item_<%= _.escape(id) %>_<%= row.escape('number') %>"
+           href="#subtab_<%= _.escape(id) %>"><%= row.escape("date") %></a>
     </li>
     <% }) %>
 </ul>
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
index 4973fbb9cc..66f4f19ca4 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
+++ b/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
@@ -1,5 +1,5 @@
 <% let count = 0; %><table class="table table-striped">
-    <thead>
+    <thead class="sticky-top">
         <tr>
             <% if (log_type === 'errors' || log_type === 'stream_errors') {
             count = 5; %>
@@ -31,41 +31,47 @@
         </tr>
         <tr class="filter">
             <% if (log_type === 'errors' || log_type === 'stream_errors') { %>
-            <td><input type="text" value="<%= model.escape('date') %>" name="date" /></td>
-            <td><input type="text" value="<%= model.escape('time') %>" name="time" /></td>
-            <td><input type="text" value="<%= model.escape('severity') %>" name="severity" /></td>
-            <td><input type="text" value="<%= model.escape('number') %>" name="number" /></td>
-            <td><input type="text" value="<%= model.escape('message') %>" name="message" /></td>
+            <th><input type="text" value="<%= model.escape('date') %>" name="date" /></th>
+            <th><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
+            <th><input type="text" value="<%= model.escape('severity') %>" name="severity" /></th>
+            <th><input type="text" value="<%= model.escape('number') %>" name="number" /></th>
+            <th><input type="text" value="<%= model.escape('message') %>" name="message" /></th>
             <% } else if (log_type === 'accesses') { %>
-            <td><input type="text" value="<%= model.escape('time') %>" name="time" /></td>
-            <td><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></td>
-            <td><input type="text" value="<%= model.escape('username') %>" name="username" /></td>
-            <td><input type="text" value="<%= model.escape('status') %>" name="status" /></td>
-            <td><input type="text" value="<%= model.escape('size') %>" name="size" /></td>
-            <td><input type="text" value="<%= model.escape('http_referer') %>" name="http_referer" /></td>
-            <td><input type="text" value="<%= model.escape('user_agent') %>" name="user_agent" /></td>
-            <td><input type="text" value="<%= model.escape('forwarded_for') %>" name="forwarded_for" /></td>
-            <td><input type="text" value="<%= model.escape('request_line') %>" name="request_line" /></td>
+            <th><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
+            <th><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></th>
+            <th><input type="text" value="<%= model.escape('username') %>" name="username" /></th>
+            <th><input type="text" value="<%= model.escape('status') %>" name="status" /></th>
+            <th><input type="text" value="<%= model.escape('size') %>" name="size" /></th>
+            <th><input type="text" value="<%= model.escape('http_referer') %>" name="http_referer" /></th>
+            <th><input type="text" value="<%= model.escape('user_agent') %>" name="user_agent" /></th>
+            <th><input type="text" value="<%= model.escape('forwarded_for') %>" name="forwarded_for" /></th>
+            <th><input type="text" value="<%= model.escape('request_line') %>" name="request_line" /></th>
             <% } else { %>
-            <td><input type="text" value="<%= model.escape('time') %>" name="time" /></td>
-            <td><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></td>
-            <td><input type="text" value="<%= model.escape('status') %>" name="status" /></td>
-            <td><input type="text" value="<%= model.escape('bytes_sent') %>" name="bytes_sent" /></td>
-            <td><input type="text" value="<%= model.escape('bytes_received') %>" name="bytes_received" /></td>
-            <td><input type="text" value="<%= model.escape('session_time') %>" name="session_time" /></td>
+            <th><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
+            <th><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></th>
+            <th><input type="text" value="<%= model.escape('status') %>" name="status" /></th>
+            <th><input type="text" value="<%= model.escape('bytes_sent') %>" name="bytes_sent" /></th>
+            <th><input type="text" value="<%= model.escape('bytes_received') %>" name="bytes_received" /></th>
+            <th><input type="text" value="<%= model.escape('session_time') %>" name="session_time" /></th>
             <% } %>
         </tr>
     </thead>
     <tbody>
     </tbody>
-    <tfoot>
+    <tfoot class="sticky-bottom">
         <tr>
-            <td>
-                <button class="btn btn-primary" id="paging_back"><i class="fa fa-backward" aria-hidden="true"></i></button>
-                <button class="btn btn-primary" id="paging_forward"><i class="fa fa-forward " aria-hidden="true"></i></button>
-            </td>
-            <td colspan="3">
-                Entries per page:
+            <th class="text-nowrap">
+                <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>
+                <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>
+                <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>
+                <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>
+                <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>
+            </th>
+            <th>
+                Page <span id="currentpage">1</span>/<span id="pagecount">0</span>
+            </th>
+            <th colspan="2">
+                <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>
                 <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />
                 <datalist id="tickmarks">
                     <option value="5" label="5">
@@ -80,8 +86,8 @@
                     <option value="900">
                     <option value="1000" label="1000">
                 </datalist>
-            </td>
-            <td colspan="<%= count - 3 %>"></td>
+            </th>
+            <th colspan="<%= count - 4 %>">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>
         </tr>
     </tfoot>
 </table>

From be4c373145737f5e5dd6047aacc5657cd937b032 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 10 Dec 2021 10:45:53 +0100
Subject: [PATCH 0864/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index 761fe6976a..8d1a91e7ee 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,5 @@
 Copyright (c) 2015-2020 Ad Schellevis <ad@opnsense.org>
+Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>

From 8f9bada228adce8929c6ac23ad784c8e309fc3c7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 10 Dec 2021 10:51:38 +0100
Subject: [PATCH 0865/3088] www/nginx: style sweep

---
 .../OPNsense/Nginx/Api/LogsController.php     | 24 +++++++------------
 .../library/OPNsense/Nginx/LogParserBase.php  |  3 +--
 .../src/opnsense/scripts/nginx/list_logs.php  |  9 ++++---
 .../src/opnsense/scripts/nginx/read_log.php   |  9 +++----
 .../www/js/nginx/src/controller/LogView.js    |  2 +-
 5 files changed, 17 insertions(+), 30 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
index c340ba5fb7..b332460060 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
@@ -54,11 +54,9 @@ public function accessesAction($uuid = null, $fileno = null, $page = 0, $perPage
         if (!isset($uuid)) {
             // emulate REST API -> /accesses delivers a list of servers with access logs
             return $this->list_vhosts();
-        }
-        elseif (!isset($fileno)) {
+        } elseif (!isset($fileno)) {
             return $this->list_logfiles('access', $uuid);
-        }
-        else {
+        } else {
             // emulate REST call for a specific log /accesses/uuid
             $this->get_logs('access', $uuid, $fileno, $page, $perPage, $query);
         }
@@ -90,11 +88,9 @@ public function errorsAction($uuid = null, $fileno = null, $page = 0, $perPage =
         if (!isset($uuid)) {
             // emulate REST API -> /errors delivers a list of servers with error logs
             return $this->list_vhosts();
-        }
-        elseif (!isset($fileno)) {
+        } elseif (!isset($fileno)) {
             return $this->list_logfiles('error', $uuid);
-        }
-        else {
+        } else {
             // emulate REST call for a specific log /errors/uuid
             $this->get_logs('error', $uuid, $fileno, $page, $perPage, $query);
         }
@@ -117,11 +113,9 @@ public function streamaccessesAction($uuid = null, $fileno = null, $page = 0, $p
         if (!isset($uuid)) {
             // emulate REST API -> /stream_accesses delivers a list of servers with access logs
             return $this->list_streams();
-        }
-        elseif (!isset($fileno)) {
+        } elseif (!isset($fileno)) {
             return $this->list_stream_logfiles('streamaccess', $uuid);
-        }
-        else {
+        } else {
             // emulate REST call for a specific log /stream_accesses/uuid
             $this->get_stream_logs('streamaccess', $uuid, $fileno, $page, $perPage, $query);
         }
@@ -144,11 +138,9 @@ public function streamerrorsAction($uuid = null, $fileno = null, $page = 0, $per
         if (!isset($uuid)) {
             // emulate REST API -> /stream_errors delivers a list of servers with error logs
             return $this->list_streams();
-        }
-        elseif (!isset($fileno)) {
+        } elseif (!isset($fileno)) {
             return $this->list_stream_logfiles('streamerror', $uuid);
-        }
-        else {
+        } else {
             // emulate REST call for a specific log /stream_errors/uuid
             $this->get_stream_logs('streamerror', $uuid, $fileno, $page, $perPage, $query);
         }
diff --git a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/LogParserBase.php b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/LogParserBase.php
index 9c38adcfaa..9f8df92965 100644
--- a/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/LogParserBase.php
+++ b/www/nginx/src/opnsense/mvc/app/library/OPNsense/Nginx/LogParserBase.php
@@ -74,7 +74,7 @@ private function parse_file()
                     $filtering = true;
                 }
             }
-            
+
             $cnt = 0;
             foreach ($lines as $line) {
                 $pass = true;
@@ -120,4 +120,3 @@ public function get_result()
         return $this->result;
     }
 }
-
diff --git a/www/nginx/src/opnsense/scripts/nginx/list_logs.php b/www/nginx/src/opnsense/scripts/nginx/list_logs.php
index c3b94e9dd9..93d78207c8 100755
--- a/www/nginx/src/opnsense/scripts/nginx/list_logs.php
+++ b/www/nginx/src/opnsense/scripts/nginx/list_logs.php
@@ -34,7 +34,8 @@
 $log_prefix = '/var/log/nginx/';
 $log_suffix = '.log';
 
-function list_logfiles($prefix) {
+function list_logfiles($prefix)
+{
     global $log_prefix;
     $filename = $log_prefix . $prefix;
 
@@ -70,8 +71,7 @@ function list_logfiles($prefix) {
 // special case: the global error log
 if ($server == 'global') {
     $result = list_logfiles('error.log');
-}
-else {
+} else {
     switch ($mode) {
         case 'error':
         case 'access':
@@ -83,8 +83,7 @@ function list_logfiles($prefix) {
 
                 $log_file_name = basename($server_names) . '.' . $mode . $log_suffix;
                 $result = list_logfiles($log_file_name);
-            }
-            else {
+            } else {
                 die('{"error": "UUID not found"}');
             }
             break;
diff --git a/www/nginx/src/opnsense/scripts/nginx/read_log.php b/www/nginx/src/opnsense/scripts/nginx/read_log.php
index 1ee5e40309..65f288d60c 100755
--- a/www/nginx/src/opnsense/scripts/nginx/read_log.php
+++ b/www/nginx/src/opnsense/scripts/nginx/read_log.php
@@ -68,8 +68,7 @@
 // special case: the global error log
 if ($server == 'global') {
     $logparser = new ErrorLogParser($log_prefix . 'error' . $log_suffix, $page, $per_page, $query);
-}
-else {
+} else {
     switch ($mode) {
         case 'error':
         case 'access':
@@ -90,8 +89,7 @@
                 } elseif ($mode == 'access') {
                     $logparser = new AccessLogParser($log_file_name, $page, $per_page, $query);
                 }
-            }
-            else {
+            } else {
                 die('{"error": "UUID not found"}');
             }
             break;
@@ -124,8 +122,7 @@
 // we cannot parse the file - something went wrong
 if ($logparser === null) {
     $result['error'] = 'cannot retrieve requested logs';
-}
-else {
+} else {
     $result['lines'] = $logparser->get_result();
     $result['pages'] = $logparser->page_count;
     $result['total'] = $logparser->total_lines;
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
index c0792ce47c..01011c0a14 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
@@ -64,7 +64,7 @@ const LogView = Backbone.View.extend({
         else {
             tbody.html('');
         }
-        
+
         if (this.collection.length !== 0) {
             if (this.current_filtered_collection == null) {
                 this.collection.forEach(

From 676a93dd6c1dc0b5c8c65daae3dd153c00eb341d Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 10 Dec 2021 15:32:56 +0100
Subject: [PATCH 0866/3088] net-mgmt/zabbix-proxy: Add Allowed Stats IP (#2699)

---
 net-mgmt/zabbix-proxy/Makefile                            | 2 +-
 net-mgmt/zabbix-proxy/pkg-descr                           | 4 ++++
 .../controllers/OPNsense/Zabbixproxy/forms/general.xml    | 8 ++++++++
 .../mvc/app/models/OPNsense/Zabbixproxy/General.xml       | 8 +++++++-
 .../templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in   | 3 +++
 5 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 362f05058b..06492f992d 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.6
+PLUGIN_VERSION=		1.7
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix5 zabbix54 zabbix4
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 9a405114b5..ca419ae32a 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.7 
+
+* Add StatsIP field to allow retrieving statistics (#2697)
+
 1.6
 
 * Fix upgrade path by using a new db file for each version (#1943)
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index 771ad073d8..8124eaa217 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -139,6 +139,14 @@
         <type>text</type>
         <help>Specifies the time how often the proxy will send collected data to the server (in seconds).</help>
     </field>
+    <field>
+        <id>general.statsip</id>
+        <label>Stats Allowed IP</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>IP address of host allowed to retrieve proxy statistics.</help>
+    </field>
     <field>
         <id>general.encryption</id>
         <label>PSK based encryption</label>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index 45029f7c39..6602576a22 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/zabbixproxy/general</mount>
     <description>Zabbix Proxy configuration</description>
-    <version>2.0.2</version>
+    <version>2.0.3</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -96,6 +96,12 @@
         <datasenderfrequency type="IntegerField">
             <Required>N</Required>
         </datasenderfrequency>
+        <statsip type="NetworkField">
+            <default></default>
+            <FieldSeparator>,</FieldSeparator>
+            <asList>Y</asList>
+            <Required>N</Required>
+        </statsip>
         <encryption type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index f4b2adf115..9eace261bf 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -71,6 +71,9 @@ HistoryIndexCacheSize={{ OPNsense.zabbixproxy.general.historyindexcachesize }}
 {% if helpers.exists('OPNsense.zabbixproxy.general.timeout') and OPNsense.zabbixproxy.general.timeout != '' %}
 Timeout={{ OPNsense.zabbixproxy.general.timeout }}
 {% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.statsip') and OPNsense.zabbixproxy.general.statsip != '' %}
+StatsAllowedIP={{ OPNsense.zabbixproxy.general.statsip }}
+{% endif %}
 FpingLocation=/usr/local/sbin/fping
 Fping6Location=/usr/local/sbin/fping6
 {% if helpers.exists('OPNsense.zabbixproxy.general.encryption') and OPNsense.zabbixproxy.general.encryption == '1' %}

From 6673bb86922d419b8b563d3f0632aa3b2619500e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 11 Dec 2021 12:30:48 +0100
Subject: [PATCH 0867/3088] mail/fetchmail: remove

---
 LICENSE                                       |  2 +-
 README.md                                     |  1 -
 mail/fetchmail/Makefile                       |  7 --
 mail/fetchmail/pkg-descr                      | 19 ----
 .../src/etc/inc/plugins.inc.d/fetchmail.inc   | 49 ----------
 .../Fetchmail/Api/GeneralController.php       | 37 --------
 .../Fetchmail/Api/MailboxController.php       | 67 --------------
 .../Fetchmail/Api/ServiceController.php       | 43 ---------
 .../OPNsense/Fetchmail/GeneralController.php  | 38 --------
 .../OPNsense/Fetchmail/MailboxController.php  | 38 --------
 .../forms/dialogEditFetchmailMailbox.xml      | 56 ------------
 .../OPNsense/Fetchmail/forms/general.xml      | 14 ---
 .../app/models/OPNsense/Fetchmail/ACL/ACL.xml |  9 --
 .../app/models/OPNsense/Fetchmail/General.php | 34 -------
 .../app/models/OPNsense/Fetchmail/General.xml | 15 ---
 .../app/models/OPNsense/Fetchmail/Mailbox.php | 34 -------
 .../app/models/OPNsense/Fetchmail/Mailbox.xml | 45 ---------
 .../models/OPNsense/Fetchmail/Menu/Menu.xml   |  8 --
 .../app/views/OPNsense/Fetchmail/general.volt | 61 -------------
 .../app/views/OPNsense/Fetchmail/mailbox.volt | 91 -------------------
 .../scripts/OPNsense/Fetchmail/setup.sh       |  6 --
 .../conf/actions.d/actions_fetchmail.conf     | 24 -----
 .../templates/OPNsense/Fetchmail/+TARGETS     |  2 -
 .../templates/OPNsense/Fetchmail/fetchmail    |  6 --
 .../templates/OPNsense/Fetchmail/fetchmailrc  | 14 ---
 25 files changed, 1 insertion(+), 719 deletions(-)
 delete mode 100644 mail/fetchmail/Makefile
 delete mode 100644 mail/fetchmail/pkg-descr
 delete mode 100644 mail/fetchmail/src/etc/inc/plugins.inc.d/fetchmail.inc
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/GeneralController.php
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/MailboxController.php
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/ServiceController.php
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/GeneralController.php
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/MailboxController.php
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/dialogEditFetchmailMailbox.xml
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/general.xml
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/ACL/ACL.xml
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.xml
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.php
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Menu/Menu.xml
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/general.volt
 delete mode 100644 mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/mailbox.volt
 delete mode 100755 mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
 delete mode 100644 mail/fetchmail/src/opnsense/service/conf/actions.d/actions_fetchmail.conf
 delete mode 100644 mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/+TARGETS
 delete mode 100644 mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmail
 delete mode 100644 mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc

diff --git a/LICENSE b/LICENSE
index 8d1a91e7ee..674caff049 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@ Copyright (c) 2008 Donovan Schonknecht
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2006 Eric Friesen
 Copyright (c) 2008-2010 Ermal Luçi
-Copyright (c) 2017-2019 Fabian Franz
+Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2021 Frank Wall
diff --git a/README.md b/README.md
index 9bc15ce244..2c9a30bb3a 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,6 @@ dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
 emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
 ftp/tftp -- TFTP server
-mail/fetchmail -- Remote-mail retrieval utility
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
 misc/theme-cicada -- The cicada theme - dark grey
diff --git a/mail/fetchmail/Makefile b/mail/fetchmail/Makefile
deleted file mode 100644
index db47f30b41..0000000000
--- a/mail/fetchmail/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-PLUGIN_NAME=		fetchmail
-PLUGIN_VERSION=		1.1
-PLUGIN_COMMENT=		Remote-mail retrieval utility
-PLUGIN_DEPENDS=		fetchmail
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
-
-.include "../../Mk/plugins.mk"
diff --git a/mail/fetchmail/pkg-descr b/mail/fetchmail/pkg-descr
deleted file mode 100644
index 41d9cfd416..0000000000
--- a/mail/fetchmail/pkg-descr
+++ /dev/null
@@ -1,19 +0,0 @@
-Fetchmail is a full-featured, robust, well-documented remote-mail retrieval and forwarding
-utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections).
-It supports every remote-mail protocol now in use on the Internet: POP2, POP3, RPOP, APOP,
-KPOP, all flavors of IMAP, ETRN, and ODMR.
-
-Plugin Changelog
-================
-
-1.1
-
-* Fix "ssl" keyword syntax (contributed by mr44er)
-
-1.0
-
-* Allow fetching IMAP mailboxes
-* Allow fetching POP3 mailboxes
-
-
-WWW: https://www.fetchmail.info/
diff --git a/mail/fetchmail/src/etc/inc/plugins.inc.d/fetchmail.inc b/mail/fetchmail/src/etc/inc/plugins.inc.d/fetchmail.inc
deleted file mode 100644
index 1243a3e6ef..0000000000
--- a/mail/fetchmail/src/etc/inc/plugins.inc.d/fetchmail.inc
+++ /dev/null
@@ -1,49 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-function fetchmail_services()
-{
-    global $config;
-
-    $services = array();
-
-    if (isset($config['OPNsense']['fetchmail']['general']['enabled']) && $config['OPNsense']['fetchmail']['general']['enabled'] == 1) {
-        $services[] = array(
-            'description' => gettext('Fetchmail'),
-            'configd' => array(
-                'restart' => array('fetchmail restart'),
-                'start' => array('fetchmail start'),
-                'stop' => array('fetchmail stop'),
-            ),
-            'name' => 'fetchmail',
-            'pidfile' => '/var/run/fetchmail/fetchmail.pid'
-        );
-    }
-
-    return $services;
-}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/GeneralController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/GeneralController.php
deleted file mode 100644
index 3a9d3ba8f8..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/GeneralController.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Fetchmail\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-class GeneralController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelClass = '\OPNsense\Fetchmail\General';
-    protected static $internalModelName = 'general';
-}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/MailboxController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/MailboxController.php
deleted file mode 100644
index 403c36152b..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/MailboxController.php
+++ /dev/null
@@ -1,67 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Fetchmail\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-class MailboxController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'mailbox';
-    protected static $internalModelClass = '\OPNsense\Fetchmail\Mailbox';
-
-    public function searchMailboxAction()
-    {
-        return $this->searchBase('mailboxes.mailbox', array("enabled", "host", "protocol", "user", "password", "destinationmail", "destination"));
-    }
-
-    public function getMailboxAction($uuid = null)
-    {
-        return $this->getBase('mailbox', 'mailboxes.mailbox', $uuid);
-    }
-
-    public function addMailboxAction()
-    {
-        return $this->addBase('mailbox', 'mailboxes.mailbox');
-    }
-
-    public function delMailboxAction($uuid)
-    {
-        return $this->delBase('mailboxes.mailbox', $uuid);
-    }
-
-    public function setMailboxAction($uuid)
-    {
-        return $this->setBase('mailbox', 'mailboxes.mailbox', $uuid);
-    }
-
-    public function toggleMailboxAction($uuid)
-    {
-        return $this->toggleBase('mailboxes.mailbox', $uuid);
-    }
-}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/ServiceController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/ServiceController.php
deleted file mode 100644
index d3ea06f1aa..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/Api/ServiceController.php
+++ /dev/null
@@ -1,43 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Fetchmail\Api;
-
-use OPNsense\Base\ApiMutableServiceControllerBase;
-
-/**
- * Class ServiceController
- * @package OPNsense\Fetchmail
- */
-class ServiceController extends ApiMutableServiceControllerBase
-{
-    protected static $internalServiceClass = '\OPNsense\Fetchmail\General';
-    protected static $internalServiceTemplate = 'OPNsense/Fetchmail';
-    protected static $internalServiceEnabled = 'enabled';
-    protected static $internalServiceName = 'fetchmail';
-}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/GeneralController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/GeneralController.php
deleted file mode 100644
index dde96e5211..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/GeneralController.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Fetchmail;
-
-class GeneralController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->generalForm = $this->getForm("general");
-        $this->view->pick('OPNsense/Fetchmail/general');
-    }
-}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/MailboxController.php b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/MailboxController.php
deleted file mode 100644
index 1417158fdd..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/MailboxController.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Fetchmail;
-
-class MailboxController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->formDialogEditFetchmailMailbox = $this->getForm("dialogEditFetchmailMailbox");
-        $this->view->pick('OPNsense/Fetchmail/mailbox');
-    }
-}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/dialogEditFetchmailMailbox.xml b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/dialogEditFetchmailMailbox.xml
deleted file mode 100644
index 98307b4d4e..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/dialogEditFetchmailMailbox.xml
+++ /dev/null
@@ -1,56 +0,0 @@
-<form>
-    <field>
-        <id>mailbox.enabled</id>
-        <label>Enabled</label>
-        <type>checkbox</type>
-        <help>This will enable or disable the mailbox retrieving.</help>
-    </field>
-    <field>
-        <id>mailbox.host</id>
-        <label>Host</label>
-        <type>text</type>
-        <help>Hostname of the mail server where mailbox is located.</help>
-    </field>
-    <field>
-        <id>mailbox.protocol</id>
-        <label>Protocol</label>
-        <type>dropdown</type>
-        <help>Choose the protocol to use.</help>
-    </field>
-    <field>
-        <id>mailbox.user</id>
-        <label>Username</label>
-        <type>text</type>
-        <help>Username to authenticate against remote mail server.</help>
-    </field>
-    <field>
-        <id>mailbox.password</id>
-        <label>Password</label>
-        <type>text</type>
-        <help>Password to authenticate against remote mail server.</help>
-    </field>
-    <field>
-        <id>mailbox.destinationmail</id>
-        <label>Destination Email</label>
-        <type>text</type>
-        <help>Set the mail address to deliver fetched mails to.</help>
-    </field>
-    <field>
-        <id>mailbox.destination</id>
-        <label>Destination Host</label>
-        <type>text</type>
-        <help>Set the mail server hostname or IP to deliver fetched mails to.</help>
-    </field>
-    <field>
-        <id>mailbox.usessl</id>
-        <label>Use SSL</label>
-        <type>checkbox</type>
-        <help>This will enable or disable usage of encrypted connections. For IMAP and POP3 it will switch the ports to 993 and 995.</help>
-    </field>
-    <field>
-        <id>mailbox.sslfingerprint</id>
-        <label>Certificate Fingerprint</label>
-        <type>text</type>
-        <help>If the server is using a self-signed certificate, the only option fetching mails is to enter the certficiate fingerprint here.</help>
-    </field>
-</form>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/general.xml b/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/general.xml
deleted file mode 100644
index ac02481893..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/controllers/OPNsense/Fetchmail/forms/general.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<form>
-    <field>
-        <id>general.enabled</id>
-        <label>Enable</label>
-        <type>checkbox</type>
-        <help>This will activate the Fetchmail daemon.</help>
-    </field>
-    <field>
-        <id>general.interval</id>
-        <label>Interval</label>
-        <type>text</type>
-        <help>Interval in seconds how often to retrieve mails.</help>
-    </field>
-</form>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/ACL/ACL.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/ACL/ACL.xml
deleted file mode 100644
index e3727a40ad..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/ACL/ACL.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<acl>
-    <page-services-fetchmail>
-        <name>Services: Fetchmail</name>
-        <patterns>
-            <pattern>ui/fetchmail/*</pattern>
-            <pattern>api/fetchmail/*</pattern>
-        </patterns>
-    </page-services-fetchmail>
-</acl>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
deleted file mode 100644
index 5ec3f1dd2b..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.php
+++ /dev/null
@@ -1,34 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-  *ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Fetchmail;
-
-use OPNsense\Base\BaseModel;
-
-class General extends BaseModel
-{
-}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.xml
deleted file mode 100644
index 09cb296c5f..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/General.xml
+++ /dev/null
@@ -1,15 +0,0 @@
-<model>
-    <mount>//OPNsense/fetchmail/general</mount>
-    <description>Fetchmail configuration</description>
-    <version>0.1</version>
-    <items>
-        <enabled type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </enabled>
-        <interval type="IntegerField">
-            <default>600</default>
-            <Required>Y</Required>
-        </interval>
-    </items>
-</model>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.php b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.php
deleted file mode 100644
index e843ede942..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.php
+++ /dev/null
@@ -1,34 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-  *ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Fetchmail;
-
-use OPNsense\Base\BaseModel;
-
-class Mailbox extends BaseModel
-{
-}
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
deleted file mode 100644
index adc2e8a4ff..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Mailbox.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<model>
-    <mount>//OPNsense/fetchmail/mailbox</mount>
-    <description>Fetchmail configuration</description>
-    <version>0.1</version>
-    <items>
-        <mailboxes>
-            <mailbox type="ArrayField">
-                <enabled type="BooleanField">
-                    <default>1</default>
-                    <Required>Y</Required>
-                </enabled>
-                <host type="HostnameField">
-                    <Required>Y</Required>
-                </host>
-                <protocol type="OptionField">
-                    <Required>Y</Required>
-                    <OptionValues>
-                        <pop3>POP3</pop3>
-                        <imap>IMAP</imap>
-                    </OptionValues>
-                </protocol>
-                <user type="TextField">
-                    <Required>Y</Required>
-                </user>
-                <password type="TextField">
-                    <Required>Y</Required>
-                </password>
-                <destinationmail type="EmailField">
-                    <Required>Y</Required>
-                </destinationmail>
-                <destination type="HostnameField">
-                    <Required>Y</Required>
-                </destination>
-                <usessl type="BooleanField">
-                    <default>1</default>
-                    <Required>Y</Required>
-                </usessl>
-                <sslfingerprint type="TextField">
-                    <Required>N</Required>
-                    <mask>/^[A-Fa-f0-9\:]$/</mask>
-                </sslfingerprint>
-            </mailbox>
-        </mailboxes>
-    </items>
-</model>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Menu/Menu.xml b/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Menu/Menu.xml
deleted file mode 100644
index 59c8854d8c..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/models/OPNsense/Fetchmail/Menu/Menu.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<menu>
-  <Services>
-    <Fetchmail cssClass="fa fa-envelope fa-fw">
-      <General url="/ui/fetchmail/general/index" order="10"/>
-      <Mailbox url="/ui/fetchmail/mailbox/index" order="20"/>
-    </Fetchmail>
-  </Services>
-</menu>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/general.volt b/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/general.volt
deleted file mode 100644
index 77f259c4c3..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/general.volt
+++ /dev/null
@@ -1,61 +0,0 @@
-{#
- #
- # Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1. Redistributions of source code must retain the above copyright notice,
- #    this list of conditions and the following disclaimer.
- #
- # 2. Redistributions in binary form must reproduce the above copyright notice,
- #    this list of conditions and the following disclaimer in the documentation
- #    and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-<div class="tab-content content-box tab-content">
-    <div id="general" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-            </div>
-        </div>
-    </div>
-</div>
-
-<script>
-    $( document ).ready(function () {
-        var data_get_map = {'frm_general_settings':"/api/fetchmail/general/get"};
-        mapDataToFormUI(data_get_map).done(function (data) {
-            formatTokenizersUI();
-            $('.selectpicker').selectpicker('refresh');
-        });
-
-        updateServiceControlUI('fetchmail');
-
-        // link save button to API set action
-        $("#saveAct").click(function () {
-            saveFormToEndpoint(url="/api/fetchmail/general/set", formid='frm_general_settings',callback_ok=function () {
-                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-                ajaxCall(url="/api/fetchmail/service/reconfigure", sendData={}, callback=function (data,status) {
-                    updateServiceControlUI('fetchmail');
-                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                });
-            });
-        });
-
-    });
-</script>
diff --git a/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/mailbox.volt b/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/mailbox.volt
deleted file mode 100644
index 3be00f23d7..0000000000
--- a/mail/fetchmail/src/opnsense/mvc/app/views/OPNsense/Fetchmail/mailbox.volt
+++ /dev/null
@@ -1,91 +0,0 @@
-{#
- #
- # Copyright (C) 2020 Michael Muenz <m.muenz@gmail.com>
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1. Redistributions of source code must retain the above copyright notice,
- #    this list of conditions and the following disclaimer.
- #
- # 2. Redistributions in binary form must reproduce the above copyright notice,
- #    this list of conditions and the following disclaimer in the documentation
- #    and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-<div class="tab-content content-box tab-content">
-    <div id="mailbox" class="tab-pane fade in active">
-        <table id="grid-mailbox" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="dialogEditFetchmailMailbox">
-            <thead>
-            <tr>
-                <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                <th data-column-id="host" data-type="string" data-visible="true">{{ lang._('Host') }}</th>
-                <th data-column-id="protocol" data-type="string" data-visible="true">{{ lang._('Protocol') }}</th>
-                <th data-column-id="user" data-type="string" data-visible="true">{{ lang._('Username') }}</th>
-                <th data-column-id="password" data-type="string" data-visible="true">{{ lang._('Password') }}</th>
-                <th data-column-id="destination" data-type="string" data-visible="true">{{ lang._('Destination') }}</th>
-                <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-            </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-            <tr>
-                <td></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                </td>
-            </tr>
-            </tfoot>
-        </table>
-        <div class="col-md-12">
-            <hr/>
-            <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress" class=""></i></button>
-            <br/><br/>
-        </div>
-    </div>
-</div>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditFetchmailMailbox,'id':'dialogEditFetchmailMailbox','label':lang._('Edit Mailbox')])}}
-
-<script>
-
-$(function() {
-
-    $("#grid-mailbox").UIBootgrid(
-        {   'search':'/api/fetchmail/mailbox/searchMailbox',
-            'get':'/api/fetchmail/mailbox/getMailbox/',
-            'set':'/api/fetchmail/mailbox/setMailbox/',
-            'add':'/api/fetchmail/mailbox/addMailbox/',
-            'del':'/api/fetchmail/mailbox/delMailbox/',
-            'toggle':'/api/fetchmail/mailbox/toggleMailbox/'
-        }
-    );
-
-    updateServiceControlUI('fetchmail');
-
-    $("#saveAct").click(function(){
-        saveFormToEndpoint(url="/api/fetchmail/mailbox/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/fetchmail/service/reconfigure", sendData={}, callback=function(data,status) {
-                updateServiceControlUI('fetchmail');
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
-
-});
-</script>
diff --git a/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh b/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
deleted file mode 100755
index feda292bc6..0000000000
--- a/mail/fetchmail/src/opnsense/scripts/OPNsense/Fetchmail/setup.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-mkdir -p /var/run/fetchmail
-chown fetchmail:wheel /var/run/fetchmail
-chmod 755 /var/run/fetchmail
-chmod 700 /usr/local/etc/fetchmailrc
diff --git a/mail/fetchmail/src/opnsense/service/conf/actions.d/actions_fetchmail.conf b/mail/fetchmail/src/opnsense/service/conf/actions.d/actions_fetchmail.conf
deleted file mode 100644
index 9c38206dba..0000000000
--- a/mail/fetchmail/src/opnsense/service/conf/actions.d/actions_fetchmail.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-[start]
-command:/usr/local/opnsense/scripts/OPNsense/Fetchmail/setup.sh;/usr/local/etc/rc.d/fetchmail start
-parameters:
-type:script
-message:starting Fetchmail
-
-[stop]
-command:/usr/local/etc/rc.d/fetchmail stop; exit 0
-parameters:
-type:script
-message:stopping Fetchmail
-
-[restart]
-command:/usr/local/opnsense/scripts/OPNsense/Fetchmail/setup.sh;/usr/local/etc/rc.d/fetchmail restart
-parameters:
-type:script
-message:restarting Fetchmail
-description:Restart Fetchmail service
-
-[status]
-command:/usr/local/etc/rc.d/fetchmail status;exit 0
-parameters:
-type:script_output
-message:request Fetchmail status
diff --git a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/+TARGETS b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/+TARGETS
deleted file mode 100644
index 014ce2e157..0000000000
--- a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/+TARGETS
+++ /dev/null
@@ -1,2 +0,0 @@
-fetchmailrc:/usr/local/etc/fetchmailrc
-fetchmail:/etc/rc.conf.d/fetchmail
diff --git a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmail b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmail
deleted file mode 100644
index 4a21f3d9c9..0000000000
--- a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmail
+++ /dev/null
@@ -1,6 +0,0 @@
-{% if helpers.exists('OPNsense.fetchmail.general.enabled') and OPNsense.fetchmail.general.enabled == '1' %}
-fetchmail_var_script="/usr/local/opnsense/scripts/OPNsense/Fetchmail/setup.sh"
-fetchmail_enable="YES"
-{% else %}
-fetchmail_enable="NO"
-{% endif %}
diff --git a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc b/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc
deleted file mode 100644
index 891cf3772e..0000000000
--- a/mail/fetchmail/src/opnsense/service/templates/OPNsense/Fetchmail/fetchmailrc
+++ /dev/null
@@ -1,14 +0,0 @@
-{% if helpers.exists('OPNsense.fetchmail.general.enabled') and OPNsense.fetchmail.general.enabled == '1' %}
-
-set daemon {{ OPNsense.fetchmail.general.interval }}
-set syslog
-
-{% if helpers.exists('OPNsense.fetchmail.mailbox.mailboxes.mailbox') %}
-{%   for mailbox_list in helpers.toList('OPNsense.fetchmail.mailbox.mailboxes.mailbox') %}
-{%     if mailbox_list.enabled == '1' %}
-poll {{ mailbox_list.host }} protocol {{ mailbox_list.protocol }} username "{{ mailbox_list.user }}" password "{{ mailbox_list.password }}" is {{ mailbox_list.destinationmail }} smtphost {{ mailbox_list.destination }} {% if mailbox_list.usessl == "0" %}ssl {% endif %} {% if mailbox_list.sslfingerprint|default('') != '' %} sslfingerprint "{{ mailbox_list.sslfingerprint }}" {% endif %}
-{%     endif %}
-{%   endfor %}
-{% endif %}
-
-{% endif %}

From 0b1f103d6f162ae71d240a988bb6d407111d7880 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Dec 2021 07:35:20 +0100
Subject: [PATCH 0868/3088] dns/dyndns: finally reformat r53 source file

The file is _old_ and we've never gone back to merge something
if an upstream even exists.
---
 .../src/etc/inc/plugins.inc.d/dyndns/r53.inc  | 1426 +++++++++--------
 1 file changed, 725 insertions(+), 701 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/r53.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/r53.inc
index d7ebc65fbc..46a83a380a 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/r53.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/r53.inc
@@ -45,709 +45,733 @@
 */
 class Route53
 {
-	const API_VERSION = '2010-10-01';
-
-	protected $__accessKey; // AWS Access key
-	protected $__secretKey; // AWS Secret key
-	protected $__host;
-
-	public function getAccessKey() { return $this->__accessKey; }
-	public function getSecretKey() { return $this->__secretKey; }
-	public function getHost() { return $this->__host; }
-
-	protected $__verifyHost = 1;
-	protected $__verifyPeer = 1;
-
-	// verifyHost and verifyPeer determine whether curl verifies ssl certificates.
-	// It may be necessary to disable these checks on certain systems.
-	// These only have an effect if SSL is enabled.
-	public function verifyHost() { return $this->__verifyHost; }
-	public function enableVerifyHost($enable = true) { $this->__verifyHost = $enable; }
-
-	public function verifyPeer() { return $this->__verifyPeer; }
-	public function enableVerifyPeer($enable = true) { $this->__verifyPeer = $enable; }
-
-	/**
-	* Constructor
-	*
-	* @param string $accessKey Access key
-	* @param string $secretKey Secret key
-	* @return void
-	*/
-	public function __construct($accessKey = null, $secretKey = null, $host = 'route53.amazonaws.com') {
-		if ($accessKey !== null && $secretKey !== null) {
-			$this->setAuth($accessKey, $secretKey);
-		}
-		$this->__host = $host;
-	}
-
-	/**
-	* Set AWS access key and secret key
-	*
-	* @param string $accessKey Access key
-	* @param string $secretKey Secret key
-	* @return void
-	*/
-	public function setAuth($accessKey, $secretKey) {
-		$this->__accessKey = $accessKey;
-		$this->__secretKey = $secretKey;
-	}
-
-	/**
-	* Lists the hosted zones on the account
-	*
-	* @param string marker A pagination marker returned by a previous truncated call
-	* @param int maxItems The maximum number of items per page.  The service uses min($maxItems, 100).
-	* @return A list of hosted zones
-	*/
-	public function listHostedZones($marker = null, $maxItems = 100) {
-		$rest = new Route53Request($this, 'hostedzone', 'GET');
-
-		if($marker !== null) {
-			$rest->setParameter('marker', $marker);
-		}
-		if($maxItems !== 100) {
-			$rest->setParameter('maxitems', $maxItems);
-		}
-
-		$rest = $rest->getResponse();
-		if($rest->error === false && $rest->code !== 200) {
-			$rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-		}
-		if($rest->error !== false) {
-			$this->__triggerError('listHostedZones', $rest->error);
-			return false;
-		}
-
-		$response = array();
-		if (!isset($rest->body))
-		{
-			return $response;
-		}
-
-		$zones = array();
-		foreach($rest->body->HostedZones->HostedZone as $z)
-		{
-			$zones[] = $this->parseHostedZone($z);
-		}
-		$response['HostedZone'] = $zones;
-
-		if(isset($rest->body->MaxItems)) {
-			$response['MaxItems'] = (string)$rest->body->MaxItems;
-		}
-
-		if(isset($rest->body->IsTruncated)) {
-			$response['IsTruncated'] = (string)$rest->body->IsTruncated;
-			if($response['IsTruncated'] == 'true') {
-				$response['NextMarker'] = (string)$rest->body->NextMarker;
-			}
-		}
-
-		return $response;
-	}
-
-	/**
-	* Retrieves information on a specified hosted zone
-	*
-	* @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
-	*                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
-	*                      then that full value should be passed here, including the '/hostedzone/' prefix.
-	* @return A data structure containing information about the specified zone
-	*/
-	public function getHostedZone($zoneId) {
-		// we'll strip off the leading forward slash, so we can use it as the action directly.
-		$zoneId = trim($zoneId, '/');
-
-		$rest = new Route53Request($this, $zoneId, 'GET');
-
-		$rest = $rest->getResponse();
-		if($rest->error === false && $rest->code !== 200) {
-			$rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-		}
-		if($rest->error !== false) {
-			$this->__triggerError('getHostedZone', $rest->error);
-			return false;
-		}
-
-		$response = array();
-		if (!isset($rest->body))
-		{
-			return $response;
-		}
-
-		$response['HostedZone'] = $this->parseHostedZone($rest->body->HostedZone);
-		$response['NameServers'] = $this->parseDelegationSet($rest->body->DelegationSet);
-
-		return $response;
-	}
-
-	/**
-	* Creates a new hosted zone
-	*
-	* @param string name The name of the hosted zone (e.g. "example.com.")
-	* @param string reference A user-specified unique reference for this request
-	* @param string comment An optional user-specified comment to attach to the zone
-	* @return A data structure containing information about the newly created zone
-	*/
-	public function createHostedZone($name, $reference, $comment = '') {
-		// hosted zone names must end with a period, but people will forget this a lot...
-		if(strrpos($name, '.') != (strlen($name) - 1)) {
-			$name .= '.';
-		}
-
-		$data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
-		$data .= '<CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/'.Route53::API_VERSION."/\">\n";
-		$data .= '<Name>'.$name."</Name>\n";
-		$data .= '<CallerReference>'.$reference."</CallerReference>\n";
-		if(strlen($comment) > 0) {
-			$data .= "<HostedZoneConfig>\n";
-			$data .= '<Comment>'.$comment."</Comment>\n";
-			$data .= "</HostedZoneConfig>\n";
-		}
-		$data .= "</CreateHostedZoneRequest>\n";
-
-		$rest = new Route53Request($this, 'hostedzone', 'POST', $data);
-
-		$rest = $rest->getResponse();
-
-		if($rest->error === false && !in_array($rest->code, array(200, 201, 202, 204)) ) {
-			$rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-		}
-		if($rest->error !== false) {
-			$this->__triggerError('createHostedZone', $rest->error);
-			return false;
-		}
-
-		$response = array();
-		if (!isset($rest->body))
-		{
-			return $response;
-		}
-
-		$response['HostedZone'] = $this->parseHostedZone($rest->body->HostedZone);
-		$response['ChangeInfo'] = $this->parseChangeInfo($rest->body->ChangeInfo);
-		$response['NameServers'] = $this->parseDelegationSet($rest->body->DelegationSet);
-
-		return $response;
-	}
-
-	/**
-	* Retrieves information on a specified hosted zone
-	*
-	* @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
-	*                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
-	*                      then that full value should be passed here, including the '/hostedzone/' prefix.
-	* @return The change request data corresponding to this delete
-	*/
-	public function deleteHostedZone($zoneId) {
-		// we'll strip off the leading forward slash, so we can use it as the action directly.
-		$zoneId = trim($zoneId, '/');
-
-		$rest = new Route53Request($this, $zoneId, 'DELETE');
-
-		$rest = $rest->getResponse();
-		if($rest->error === false && $rest->code !== 200) {
-			$rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-		}
-		if($rest->error !== false) {
-			$this->__triggerError('deleteHostedZone', $rest->error);
-			return false;
-		}
-
-		if (!isset($rest->body))
-		{
-			return array();
-		}
-
-		return $this->parseChangeInfo($rest->body->ChangeInfo);
-	}
-
-	/**
-	* Retrieves a list of resource record sets for a given zone
-	*
-	* @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
-	*                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
-	*                      then that full value should be passed here, including the '/hostedzone/' prefix.
-	* @param string type The type of resource record set to begin listing from. If this is specified, $name must also be specified.
-	*                    Must be one of: A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, TXT
-	* @param string name The name at which to begin listing resource records (in the lexographic order of records).
-	* @param int maxItems The maximum number of results to return.  The service uses min($maxItems, 100).
-	* @return The list of matching resource record sets
-	*/
-	public function listResourceRecordSets($zoneId, $type = '', $name = '', $maxItems = 100) {
-		// we'll strip off the leading forward slash, so we can use it as the action directly.
-		$zoneId = trim($zoneId, '/');
-
-		$rest = new Route53Request($this, $zoneId.'/rrset', 'GET');
-
-		if(strlen($type) > 0) {
-			$rest->setParameter('type', $type);
-		}
-		if(strlen($name) > 0) {
-			$rest->setParameter('name', $name);
-		}
-		if($maxItems != 100) {
-			$rest->setParameter('maxitems', $maxItems);
-		}
-
-		$rest = $rest->getResponse();
-		if($rest->error === false && $rest->code !== 200) {
-			$rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-		}
-		if($rest->error !== false) {
-			$this->__triggerError('listResourceRecordSets', $rest->error);
-			return false;
-		}
-
-		$response = array();
-		if (!isset($rest->body))
-		{
-			return $response;
-		}
-
-		$recordSets = array();
-		foreach($rest->body->ResourceRecordSets->ResourceRecordSet as $set) {
-			$recordSets[] = $this->parseResourceRecordSet($set);
-		}
-
-		$response['ResourceRecordSets'] = $recordSets;
-
-		if(isset($rest->body->MaxItems)) {
-			$response['MaxItems'] = (string)$rest->body->MaxItems;
-		}
-
-		if(isset($rest->body->IsTruncated)) {
-			$response['IsTruncated'] = (string)$rest->body->IsTruncated;
-			if($response['IsTruncated'] == 'true') {
-				$response['NextRecordName'] = (string)$rest->body->NextRecordName;
-				$response['NextRecordType'] = (string)$rest->body->NextRecordType;
-			}
-		}
-
-		return $response;
-	}
-
-	/**
-	* Makes the specified resource record set changes (create or delete).
-	*
-	* @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
-	*                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
-	*                      then that full value should be passed here, including the '/hostedzone/' prefix.
-	* @param array changes An array of change objects, as they are returned by the prepareChange utility method.
-	*                      You may also pass a single change object.
-	* @param string comment An optional comment to attach to the change request
-	* @return The status of the change request
-	*/
-	public function changeResourceRecordSets($zoneId, $changes, $comment = '') {
-		// we'll strip off the leading forward slash, so we can use it as the action directly.
-		$zoneId = trim($zoneId, '/');
-
-		$data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
-		$data .= '<ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/'.Route53::API_VERSION."/\">\n";
-		$data .= "<ChangeBatch>\n";
-
-		if(strlen($comment) > 0) {
-			$data .= '<Comment>'.$comment."</Comment>\n";
-		}
-
-                if(!is_array($changes)) {
-			$changes = array($changes);
-		}
-
-		$data .= "<Changes>\n";
-		foreach($changes as $change) {
-			$data .= $change;
-		}
-		$data .= "</Changes>\n";
-
-		$data .= "</ChangeBatch>\n";
-		$data .= "</ChangeResourceRecordSetsRequest>\n";
-
-		$rest = new Route53Request($this, $zoneId.'/rrset', 'POST', $data);
-
-		$rest = $rest->getResponse();
-		if($rest->error === false && !in_array($rest->code, array(200, 201, 202, 204))) {
-			$rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-		}
-		if($rest->error !== false) {
-			$this->__triggerError('changeResourceRecordSets', $rest->error);
-			return false;
-		}
-
-		if (!isset($rest->body))
-		{
-			return array();
-		}
-
-		return $this->parseChangeInfo($rest->body->ChangeInfo);
-	}
-
-	/**
-	* Retrieves information on a specified change request
-	*
-	* @param string changeId The id of the change, as returned by CreateHostedZoneResponse or ChangeResourceRecordSets
-	*                      In other words, if CreateHostedZoneResponse showed the change's Id as '/change/C2682N5HXP0BZ4',
-	*                      then that full value should be passed here, including the '/change/' prefix.
-	* @return The status of the change request
-	*/
-	public function getChange($changeId) {
-		// we'll strip off the leading forward slash, so we can use it as the action directly.
-		$zoneId = trim($changeId, '/');
-
-		$rest = new Route53Request($this, $changeId, 'GET');
-
-		$rest = $rest->getResponse();
-		if($rest->error === false && $rest->code !== 200) {
-			$rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-		}
-		if($rest->error !== false) {
-			$this->__triggerError('getChange', $rest->error);
-			return false;
-		}
-
-		if (!isset($rest->body))
-		{
-			return array();
-		}
-
-		return $this->parseChangeInfo($rest->body->ChangeInfo);
-	}
-
-
-
-	/**
-	* Utility function to parse a HostedZone tag structure
-	*/
-	private function parseHostedZone($tag) {
-		$zone = array();
-		$zone['Id'] = (string)$tag->Id;
-		$zone['Name'] = (string)$tag->Name;
-		$zone['CallerReference'] = (string)$tag->CallerReference;
-
-		// these might always be set, but check just in case, since
-		// their values are option on CreateHostedZone requests
-		if(isset($tag->Config) && isset($tag->Config->Comment)) {
-			$zone['Config'] = array('Comment' => (string)$tag->Config->Comment);
-		}
-
-		return $zone;
-	}
-
-	/**
-	* Utility function to parse a ChangeInfo tag structure
-	*/
-	private function parseChangeInfo($tag) {
-		$info = array();
-		$info['Id'] = (string)$tag->Id;
-		$info['Status'] = (string)$tag->Status;
-		$info['SubmittedAt'] = (string)$tag->SubmittedAt;
-		return $info;
-	}
-
-	/**
-	* Utility function to parse a DelegationSet tag structure
-	*/
-	private function parseDelegationSet($tag) {
-		$servers = array();
-		foreach($tag->NameServers->NameServer as $ns) {
-			$servers[] = (string)$ns;
-		}
-		return $servers;
-	}
-
-	/**
-	* Utility function to parse a ResourceRecordSet tag structure
-	*/
-	private function parseResourceRecordSet($tag) {
-		$rrs = array();
-		$rrs['Name'] = (string)$tag->Name;
-		$rrs['Type'] = (string)$tag->Type;
-		$rrs['TTL'] = (string)$tag->TTL;
-		$rrs['ResourceRecords'] = array();
-		foreach($tag->ResourceRecords->ResourceRecord as $rr) {
-			$rrs['ResourceRecords'][] = (string)$rr->Value;
-		}
-		return $rrs;
-	}
-
-	/**
-	* Utility function to prepare a Change object for ChangeResourceRecordSets requests.
-	* All fields are required.
-	*
-	* @param string action The action to perform.  One of: CREATE, DELETE
-	* @param string name The name to perform the action on.
-	*                    If it does not end with '.', then AWS treats the name as relative to the zone root.
-	* @param string type The type of record being modified.
-	*                    Must be one of: A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, TXT
-	* @param int ttl The time-to-live value for this record, in seconds.
-	* @param array records An array of resource records to attach to this change.
-	*                      Each member of this array can either be a string, or an array of strings.
-	*                      Passing an array of strings will attach multiple values to a single resource record.
-	*                      If a single string is passed as $records instead of an array,
-	*                      it will be treated as a single-member array.
-	* @return object An opaque object containing the change request.
-	*                Do not write code that depends on the contents of this object, as it may change at any time.
-	*/
-	public function prepareChange($action, $name, $type, $ttl, $records) {
-		$change = "<Change>\n";
-		$change .= '<Action>'.$action."</Action>\n";
-		$change .= "<ResourceRecordSet>\n";
-		$change .= '<Name>'.$name."</Name>\n";
-		$change .= '<Type>'.$type."</Type>\n";
-		$change .= '<TTL>'.$ttl."</TTL>\n";
-		$change .= "<ResourceRecords>\n";
-
-		if(!is_array($records)) {
-			$records = array($records);
-		}
-
-		foreach($records as $record) {
-			$change .= "<ResourceRecord>\n";
-			if(is_array($record)) {
-				foreach($record as $value) {
-					$change .= '<Value>'.$value."</Value>\n";
-				}
-			}
-			else {
-				$change .= '<Value>'.$record."</Value>\n";
-			}
-			$change .= "</ResourceRecord>\n";
-		}
-
-		$change .= "</ResourceRecords>\n";
-		$change .= "</ResourceRecordSet>\n";
-		$change .= "</Change>\n";
-
-		return $change;
-	}
-
-	/**
-	* Trigger an error message
-	*
-	* @internal Used by member functions to output errors
-	* @param array $error Array containing error information
-	* @return string
-	*/
-	public function __triggerError($functionname, $error)
-	{
-		if($error == false) {
-			log_error(sprintf("Route53::%s(): Encountered an error, but no description given", $functionname));
-		}
-		else if(isset($error['curl']) && $error['curl'])
-		{
-			log_error(sprintf("Route53::%s(): %s %s", $functionname, $error['code'], $error['message']));
-		}
-		else if(isset($error['Error']))
-		{
-			$e = $error['Error'];
-			$message = sprintf("Route53::%s(): %s - %s: %s\nRequest Id: %s\n", $functionname, $e['Type'], $e['Code'], $e['Message'], $error['RequestId']);
-			log_error($message);
-		}
-	}
-
-	/**
-	* Callback handler for 503 retries.
-	*
-	* @internal Used by SimpleDBRequest to call the user-specified callback, if set
-	* @param $attempt The number of failed attempts so far
-	* @return The retry delay in microseconds, or 0 to stop retrying.
-	*/
-	public function __executeServiceTemporarilyUnavailableRetryDelay($attempt)
-	{
-		if(is_callable($this->__serviceUnavailableRetryDelayCallback)) {
-			$callback = $this->__serviceUnavailableRetryDelayCallback;
-			return $callback($attempt);
-		}
-		return 0;
-	}
+    const API_VERSION = '2010-10-01';
+
+    protected $__accessKey; // AWS Access key
+    protected $__secretKey; // AWS Secret key
+    protected $__host;
+
+    public function getAccessKey()
+    {
+        return $this->__accessKey;
+    }
+    public function getSecretKey()
+    {
+        return $this->__secretKey;
+    }
+    public function getHost()
+    {
+        return $this->__host;
+    }
+
+    protected $__verifyHost = 1;
+    protected $__verifyPeer = 1;
+
+    // verifyHost and verifyPeer determine whether curl verifies ssl certificates.
+    // It may be necessary to disable these checks on certain systems.
+    // These only have an effect if SSL is enabled.
+    public function verifyHost()
+    {
+        return $this->__verifyHost;
+    }
+    public function enableVerifyHost($enable = true)
+    {
+        $this->__verifyHost = $enable;
+    }
+
+    public function verifyPeer()
+    {
+        return $this->__verifyPeer;
+    }
+    public function enableVerifyPeer($enable = true)
+    {
+        $this->__verifyPeer = $enable;
+    }
+
+    /**
+    * Constructor
+    *
+    * @param string $accessKey Access key
+    * @param string $secretKey Secret key
+    * @return void
+    */
+    public function __construct($accessKey = null, $secretKey = null, $host = 'route53.amazonaws.com')
+    {
+        if ($accessKey !== null && $secretKey !== null) {
+            $this->setAuth($accessKey, $secretKey);
+        }
+        $this->__host = $host;
+    }
+
+    /**
+    * Set AWS access key and secret key
+    *
+    * @param string $accessKey Access key
+    * @param string $secretKey Secret key
+    * @return void
+    */
+    public function setAuth($accessKey, $secretKey)
+    {
+        $this->__accessKey = $accessKey;
+        $this->__secretKey = $secretKey;
+    }
+
+    /**
+    * Lists the hosted zones on the account
+    *
+    * @param string marker A pagination marker returned by a previous truncated call
+    * @param int maxItems The maximum number of items per page.  The service uses min($maxItems, 100).
+    * @return A list of hosted zones
+    */
+    public function listHostedZones($marker = null, $maxItems = 100)
+    {
+        $rest = new Route53Request($this, 'hostedzone', 'GET');
+
+        if ($marker !== null) {
+            $rest->setParameter('marker', $marker);
+        }
+        if ($maxItems !== 100) {
+            $rest->setParameter('maxitems', $maxItems);
+        }
+
+        $rest = $rest->getResponse();
+        if ($rest->error === false && $rest->code !== 200) {
+            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
+        }
+        if ($rest->error !== false) {
+            $this->__triggerError('listHostedZones', $rest->error);
+            return false;
+        }
+
+        $response = array();
+        if (!isset($rest->body)) {
+            return $response;
+        }
+
+        $zones = array();
+        foreach ($rest->body->HostedZones->HostedZone as $z) {
+            $zones[] = $this->parseHostedZone($z);
+        }
+        $response['HostedZone'] = $zones;
+
+        if (isset($rest->body->MaxItems)) {
+            $response['MaxItems'] = (string)$rest->body->MaxItems;
+        }
+
+        if (isset($rest->body->IsTruncated)) {
+            $response['IsTruncated'] = (string)$rest->body->IsTruncated;
+            if ($response['IsTruncated'] == 'true') {
+                $response['NextMarker'] = (string)$rest->body->NextMarker;
+            }
+        }
+
+        return $response;
+    }
+
+    /**
+    * Retrieves information on a specified hosted zone
+    *
+    * @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
+    *                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
+    *                      then that full value should be passed here, including the '/hostedzone/' prefix.
+    * @return A data structure containing information about the specified zone
+    */
+    public function getHostedZone($zoneId)
+    {
+        // we'll strip off the leading forward slash, so we can use it as the action directly.
+        $zoneId = trim($zoneId, '/');
+
+        $rest = new Route53Request($this, $zoneId, 'GET');
+
+        $rest = $rest->getResponse();
+        if ($rest->error === false && $rest->code !== 200) {
+            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
+        }
+        if ($rest->error !== false) {
+            $this->__triggerError('getHostedZone', $rest->error);
+            return false;
+        }
+
+        $response = array();
+        if (!isset($rest->body)) {
+            return $response;
+        }
+
+        $response['HostedZone'] = $this->parseHostedZone($rest->body->HostedZone);
+        $response['NameServers'] = $this->parseDelegationSet($rest->body->DelegationSet);
+
+        return $response;
+    }
+
+    /**
+    * Creates a new hosted zone
+    *
+    * @param string name The name of the hosted zone (e.g. "example.com.")
+    * @param string reference A user-specified unique reference for this request
+    * @param string comment An optional user-specified comment to attach to the zone
+    * @return A data structure containing information about the newly created zone
+    */
+    public function createHostedZone($name, $reference, $comment = '')
+    {
+        // hosted zone names must end with a period, but people will forget this a lot...
+        if (strrpos($name, '.') != (strlen($name) - 1)) {
+            $name .= '.';
+        }
+
+        $data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
+        $data .= '<CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/' . Route53::API_VERSION . "/\">\n";
+        $data .= '<Name>' . $name . "</Name>\n";
+        $data .= '<CallerReference>' . $reference . "</CallerReference>\n";
+        if (strlen($comment) > 0) {
+            $data .= "<HostedZoneConfig>\n";
+            $data .= '<Comment>' . $comment . "</Comment>\n";
+            $data .= "</HostedZoneConfig>\n";
+        }
+        $data .= "</CreateHostedZoneRequest>\n";
+
+        $rest = new Route53Request($this, 'hostedzone', 'POST', $data);
+
+        $rest = $rest->getResponse();
+
+        if ($rest->error === false && !in_array($rest->code, array(200, 201, 202, 204))) {
+            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
+        }
+        if ($rest->error !== false) {
+            $this->__triggerError('createHostedZone', $rest->error);
+            return false;
+        }
+
+        $response = array();
+        if (!isset($rest->body)) {
+            return $response;
+        }
+
+        $response['HostedZone'] = $this->parseHostedZone($rest->body->HostedZone);
+        $response['ChangeInfo'] = $this->parseChangeInfo($rest->body->ChangeInfo);
+        $response['NameServers'] = $this->parseDelegationSet($rest->body->DelegationSet);
+
+        return $response;
+    }
+
+    /**
+    * Retrieves information on a specified hosted zone
+    *
+    * @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
+    *                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
+    *                      then that full value should be passed here, including the '/hostedzone/' prefix.
+    * @return The change request data corresponding to this delete
+    */
+    public function deleteHostedZone($zoneId)
+    {
+        // we'll strip off the leading forward slash, so we can use it as the action directly.
+        $zoneId = trim($zoneId, '/');
+
+        $rest = new Route53Request($this, $zoneId, 'DELETE');
+
+        $rest = $rest->getResponse();
+        if ($rest->error === false && $rest->code !== 200) {
+            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
+        }
+        if ($rest->error !== false) {
+            $this->__triggerError('deleteHostedZone', $rest->error);
+            return false;
+        }
+
+        if (!isset($rest->body)) {
+            return array();
+        }
+
+        return $this->parseChangeInfo($rest->body->ChangeInfo);
+    }
+
+    /**
+    * Retrieves a list of resource record sets for a given zone
+    *
+    * @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
+    *                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
+    *                      then that full value should be passed here, including the '/hostedzone/' prefix.
+    * @param string type The type of resource record set to begin listing from. If this is specified, $name must also be specified.
+    *                    Must be one of: A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, TXT
+    * @param string name The name at which to begin listing resource records (in the lexographic order of records).
+    * @param int maxItems The maximum number of results to return.  The service uses min($maxItems, 100).
+    * @return The list of matching resource record sets
+    */
+    public function listResourceRecordSets($zoneId, $type = '', $name = '', $maxItems = 100)
+    {
+        // we'll strip off the leading forward slash, so we can use it as the action directly.
+        $zoneId = trim($zoneId, '/');
+
+        $rest = new Route53Request($this, $zoneId . '/rrset', 'GET');
+
+        if (strlen($type) > 0) {
+            $rest->setParameter('type', $type);
+        }
+        if (strlen($name) > 0) {
+            $rest->setParameter('name', $name);
+        }
+        if ($maxItems != 100) {
+            $rest->setParameter('maxitems', $maxItems);
+        }
+
+        $rest = $rest->getResponse();
+        if ($rest->error === false && $rest->code !== 200) {
+            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
+        }
+        if ($rest->error !== false) {
+            $this->__triggerError('listResourceRecordSets', $rest->error);
+            return false;
+        }
+
+        $response = array();
+        if (!isset($rest->body)) {
+            return $response;
+        }
+
+        $recordSets = array();
+        foreach ($rest->body->ResourceRecordSets->ResourceRecordSet as $set) {
+            $recordSets[] = $this->parseResourceRecordSet($set);
+        }
+
+        $response['ResourceRecordSets'] = $recordSets;
+
+        if (isset($rest->body->MaxItems)) {
+            $response['MaxItems'] = (string)$rest->body->MaxItems;
+        }
+
+        if (isset($rest->body->IsTruncated)) {
+            $response['IsTruncated'] = (string)$rest->body->IsTruncated;
+            if ($response['IsTruncated'] == 'true') {
+                $response['NextRecordName'] = (string)$rest->body->NextRecordName;
+                $response['NextRecordType'] = (string)$rest->body->NextRecordType;
+            }
+        }
+
+        return $response;
+    }
+
+    /**
+    * Makes the specified resource record set changes (create or delete).
+    *
+    * @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
+    *                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
+    *                      then that full value should be passed here, including the '/hostedzone/' prefix.
+    * @param array changes An array of change objects, as they are returned by the prepareChange utility method.
+    *                      You may also pass a single change object.
+    * @param string comment An optional comment to attach to the change request
+    * @return The status of the change request
+    */
+    public function changeResourceRecordSets($zoneId, $changes, $comment = '')
+    {
+        // we'll strip off the leading forward slash, so we can use it as the action directly.
+        $zoneId = trim($zoneId, '/');
+
+        $data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
+        $data .= '<ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/' . Route53::API_VERSION . "/\">\n";
+        $data .= "<ChangeBatch>\n";
+
+        if (strlen($comment) > 0) {
+            $data .= '<Comment>' . $comment . "</Comment>\n";
+        }
+
+        if (!is_array($changes)) {
+            $changes = array($changes);
+        }
+
+        $data .= "<Changes>\n";
+        foreach ($changes as $change) {
+            $data .= $change;
+        }
+        $data .= "</Changes>\n";
+
+        $data .= "</ChangeBatch>\n";
+        $data .= "</ChangeResourceRecordSetsRequest>\n";
+
+        $rest = new Route53Request($this, $zoneId . '/rrset', 'POST', $data);
+
+        $rest = $rest->getResponse();
+        if ($rest->error === false && !in_array($rest->code, array(200, 201, 202, 204))) {
+            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
+        }
+        if ($rest->error !== false) {
+            $this->__triggerError('changeResourceRecordSets', $rest->error);
+            return false;
+        }
+
+        if (!isset($rest->body)) {
+            return array();
+        }
+
+        return $this->parseChangeInfo($rest->body->ChangeInfo);
+    }
+
+    /**
+    * Retrieves information on a specified change request
+    *
+    * @param string changeId The id of the change, as returned by CreateHostedZoneResponse or ChangeResourceRecordSets
+    *                      In other words, if CreateHostedZoneResponse showed the change's Id as '/change/C2682N5HXP0BZ4',
+    *                      then that full value should be passed here, including the '/change/' prefix.
+    * @return The status of the change request
+    */
+    public function getChange($changeId)
+    {
+        // we'll strip off the leading forward slash, so we can use it as the action directly.
+        $zoneId = trim($changeId, '/');
+
+        $rest = new Route53Request($this, $changeId, 'GET');
+
+        $rest = $rest->getResponse();
+        if ($rest->error === false && $rest->code !== 200) {
+            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
+        }
+        if ($rest->error !== false) {
+            $this->__triggerError('getChange', $rest->error);
+            return false;
+        }
+
+        if (!isset($rest->body)) {
+            return array();
+        }
+
+        return $this->parseChangeInfo($rest->body->ChangeInfo);
+    }
+
+
+
+    /**
+    * Utility function to parse a HostedZone tag structure
+    */
+    private function parseHostedZone($tag)
+    {
+        $zone = array();
+        $zone['Id'] = (string)$tag->Id;
+        $zone['Name'] = (string)$tag->Name;
+        $zone['CallerReference'] = (string)$tag->CallerReference;
+
+        // these might always be set, but check just in case, since
+        // their values are option on CreateHostedZone requests
+        if (isset($tag->Config) && isset($tag->Config->Comment)) {
+            $zone['Config'] = array('Comment' => (string)$tag->Config->Comment);
+        }
+
+        return $zone;
+    }
+
+    /**
+    * Utility function to parse a ChangeInfo tag structure
+    */
+    private function parseChangeInfo($tag)
+    {
+        $info = array();
+        $info['Id'] = (string)$tag->Id;
+        $info['Status'] = (string)$tag->Status;
+        $info['SubmittedAt'] = (string)$tag->SubmittedAt;
+        return $info;
+    }
+
+    /**
+    * Utility function to parse a DelegationSet tag structure
+    */
+    private function parseDelegationSet($tag)
+    {
+        $servers = array();
+        foreach ($tag->NameServers->NameServer as $ns) {
+            $servers[] = (string)$ns;
+        }
+        return $servers;
+    }
+
+    /**
+    * Utility function to parse a ResourceRecordSet tag structure
+    */
+    private function parseResourceRecordSet($tag)
+    {
+        $rrs = array();
+        $rrs['Name'] = (string)$tag->Name;
+        $rrs['Type'] = (string)$tag->Type;
+        $rrs['TTL'] = (string)$tag->TTL;
+        $rrs['ResourceRecords'] = array();
+        foreach ($tag->ResourceRecords->ResourceRecord as $rr) {
+            $rrs['ResourceRecords'][] = (string)$rr->Value;
+        }
+        return $rrs;
+    }
+
+    /**
+    * Utility function to prepare a Change object for ChangeResourceRecordSets requests.
+    * All fields are required.
+    *
+    * @param string action The action to perform.  One of: CREATE, DELETE
+    * @param string name The name to perform the action on.
+    *                    If it does not end with '.', then AWS treats the name as relative to the zone root.
+    * @param string type The type of record being modified.
+    *                    Must be one of: A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, TXT
+    * @param int ttl The time-to-live value for this record, in seconds.
+    * @param array records An array of resource records to attach to this change.
+    *                      Each member of this array can either be a string, or an array of strings.
+    *                      Passing an array of strings will attach multiple values to a single resource record.
+    *                      If a single string is passed as $records instead of an array,
+    *                      it will be treated as a single-member array.
+    * @return object An opaque object containing the change request.
+    *                Do not write code that depends on the contents of this object, as it may change at any time.
+    */
+    public function prepareChange($action, $name, $type, $ttl, $records)
+    {
+        $change = "<Change>\n";
+        $change .= '<Action>' . $action . "</Action>\n";
+        $change .= "<ResourceRecordSet>\n";
+        $change .= '<Name>' . $name . "</Name>\n";
+        $change .= '<Type>' . $type . "</Type>\n";
+        $change .= '<TTL>' . $ttl . "</TTL>\n";
+        $change .= "<ResourceRecords>\n";
+
+        if (!is_array($records)) {
+            $records = array($records);
+        }
+
+        foreach ($records as $record) {
+            $change .= "<ResourceRecord>\n";
+            if (is_array($record)) {
+                foreach ($record as $value) {
+                    $change .= '<Value>' . $value . "</Value>\n";
+                }
+            } else {
+                $change .= '<Value>' . $record . "</Value>\n";
+            }
+            $change .= "</ResourceRecord>\n";
+        }
+
+        $change .= "</ResourceRecords>\n";
+        $change .= "</ResourceRecordSet>\n";
+        $change .= "</Change>\n";
+
+        return $change;
+    }
+
+    /**
+    * Trigger an error message
+    *
+    * @internal Used by member functions to output errors
+    * @param array $error Array containing error information
+    * @return string
+    */
+    public function __triggerError($functionname, $error)
+    {
+        if ($error == false) {
+            log_error(sprintf("Route53::%s(): Encountered an error, but no description given", $functionname));
+        } elseif (isset($error['curl']) && $error['curl']) {
+            log_error(sprintf("Route53::%s(): %s %s", $functionname, $error['code'], $error['message']));
+        } elseif (isset($error['Error'])) {
+            $e = $error['Error'];
+            $message = sprintf("Route53::%s(): %s - %s: %s\nRequest Id: %s\n", $functionname, $e['Type'], $e['Code'], $e['Message'], $error['RequestId']);
+            log_error($message);
+        }
+    }
+
+    /**
+    * Callback handler for 503 retries.
+    *
+    * @internal Used by SimpleDBRequest to call the user-specified callback, if set
+    * @param $attempt The number of failed attempts so far
+    * @return The retry delay in microseconds, or 0 to stop retrying.
+    */
+    public function __executeServiceTemporarilyUnavailableRetryDelay($attempt)
+    {
+        if (is_callable($this->__serviceUnavailableRetryDelayCallback)) {
+            $callback = $this->__serviceUnavailableRetryDelayCallback;
+            return $callback($attempt);
+        }
+        return 0;
+    }
 }
 
 final class Route53Request
 {
-	private $r53, $action, $verb, $data, $parameters = array();
-	public $response;
-
-	/**
-	* Constructor
-	*
-	* @param string $r53 The Route53 object making this request
-	* @param string $action SimpleDB action
-	* @param string $verb HTTP verb
-	* @param string $data For POST requests, the data being posted (optional)
-	* @return mixed
-	*/
-	function __construct($r53, $action, $verb, $data = '') {
-		$this->r53 = $r53;
-		$this->action = $action;
-		$this->verb = $verb;
-		$this->data = $data;
-		$this->response = new STDClass;
-		$this->response->error = false;
-	}
-
-	/**
-	* Set request parameter
-	*
-	* @param string  $key Key
-	* @param string  $value Value
-	* @param boolean $replace Whether to replace the key if it already exists (default true)
-	* @return void
-	*/
-	public function setParameter($key, $value, $replace = true) {
-		if(!$replace && isset($this->parameters[$key]))
-		{
-			$temp = (array)($this->parameters[$key]);
-			$temp[] = $value;
-			$this->parameters[$key] = $temp;
-		}
-		else
-		{
-			$this->parameters[$key] = $value;
-		}
-	}
-
-	/**
-	* Get the response
-	*
-	* @return object | false
-	*/
-	public function getResponse() {
-
-		$params = array();
-		foreach ($this->parameters as $var => $value)
-		{
-			if(is_array($value))
-			{
-				foreach($value as $v)
-				{
-					$params[] = $var.'='.$this->__customUrlEncode($v);
-				}
-			}
-			else
-			{
-				$params[] = $var.'='.$this->__customUrlEncode($value);
-			}
-		}
-
-		sort($params, SORT_STRING);
-
-		$query = implode('&', $params);
-
-		// must be in format 'Sun, 06 Nov 1994 08:49:37 GMT'
-		$date = gmdate('D, d M Y H:i:s e');
-
-		$headers = array();
-		$headers[] = 'Date: '.$date;
-		$headers[] = 'Host: '.$this->r53->getHost();
-
-		$auth = 'AWS3-HTTPS AWSAccessKeyId='.$this->r53->getAccessKey();
-		$auth .= ',Algorithm=HmacSHA256,Signature='.$this->__getSignature($date);
-		$headers[] = 'X-Amzn-Authorization: '.$auth;
-
-		$url = 'https://'.$this->r53->getHost().'/'.Route53::API_VERSION.'/'.$this->action.'?'.$query;
-
-		// Basic setup
-		$curl = curl_init();
-		curl_setopt($curl, CURLOPT_USERAGENT, 'Route53/php');
-
-		curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, ($this->r53->verifyHost() ? 1 : 0));
-		curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, ($this->r53->verifyPeer() ? 1 : 0));
-
-		curl_setopt($curl, CURLOPT_URL, $url);
-		curl_setopt($curl, CURLOPT_RETURNTRANSFER, false);
-		curl_setopt($curl, CURLOPT_WRITEFUNCTION, array(&$this, '__responseWriteCallback'));
-		curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
-
-		// Request types
-		switch ($this->verb) {
-			case 'GET': break;
-			case 'POST':
-				curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $this->verb);
-				if(strlen($this->data) > 0) {
-					curl_setopt($curl, CURLOPT_POSTFIELDS, $this->data);
-					$headers[] = 'Content-Type: text/plain';
-					$headers[] = 'Content-Length: '.strlen($this->data);
-				}
-			break;
-			case 'DELETE':
-				curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'DELETE');
-			break;
-			default: break;
-		}
-		curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
-		curl_setopt($curl, CURLOPT_HEADER, false);
-
-		// Execute, grab errors
-		if (curl_exec($curl)) {
-			$this->response->code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
-		} else {
-			$this->response->error = array(
-				'curl' => true,
-				'code' => curl_errno($curl),
-				'message' => curl_error($curl),
-				'resource' => $this->resource
-			);
-		}
-
-		@curl_close($curl);
-
-		// Parse body into XML
-		if ($this->response->error === false && isset($this->response->body)) {
-			$this->response->body = simplexml_load_string($this->response->body);
-
-			// Grab Route53 errors
-			if (!in_array($this->response->code, array(200, 201, 202, 204))
-				&& isset($this->response->body->Error)) {
-				$error = $this->response->body->Error;
-				$output = array();
-				$output['curl'] = false;
-				$output['Error'] = array();
-				$output['Error']['Type'] = (string)$error->Type;
-				$output['Error']['Code'] = (string)$error->Code;
-				$output['Error']['Message'] = (string)$error->Message;
-				$output['RequestId'] = (string)$this->response->body->RequestId;
-
-				$this->response->error = $output;
-				unset($this->response->body);
-			}
-		}
-
-		return $this->response;
-	}
-
-	/**
-	* CURL write callback
-	*
-	* @param resource &$curl CURL resource
-	* @param string &$data Data
-	* @return integer
-	*/
-	private function __responseWriteCallback(&$curl, &$data) {
-		$this->response->body .= $data;
-		return strlen($data);
-	}
-
-	/**
-	* Contributed by afx114
-	* URL encode the parameters as per http://docs.amazonwebservices.com/AWSECommerceService/latest/DG/index.html?Query_QueryAuth.html
-	* PHP's rawurlencode() follows RFC 1738, not RFC 3986 as required by Amazon. The only difference is the tilde (~), so convert it back after rawurlencode
-	* See: http://www.morganney.com/blog/API/AWS-Product-Advertising-API-Requires-a-Signed-Request.php
-	*
-	* @param string $var String to encode
-	* @return string
-	*/
-	private function __customUrlEncode($var) {
-		return str_replace('%7E', '~', rawurlencode($var));
-	}
-
-	/**
-	* Generate the auth string using Hmac-SHA256
-	*
-	* @internal Used by SimpleDBRequest::getResponse()
-	* @param string $string String to sign
-	* @return string
-	*/
-	private function __getSignature($string) {
-		return base64_encode(hash_hmac('sha256', $string, $this->r53->getSecretKey(), true));
-	}
+    private $r53, $action, $verb, $data, $parameters = array();
+    public $response;
+
+    /**
+    * Constructor
+    *
+    * @param string $r53 The Route53 object making this request
+    * @param string $action SimpleDB action
+    * @param string $verb HTTP verb
+    * @param string $data For POST requests, the data being posted (optional)
+    * @return mixed
+    */
+    function __construct($r53, $action, $verb, $data = '')
+    {
+        $this->r53 = $r53;
+        $this->action = $action;
+        $this->verb = $verb;
+        $this->data = $data;
+        $this->response = new STDClass();
+        $this->response->error = false;
+    }
+
+    /**
+    * Set request parameter
+    *
+    * @param string  $key Key
+    * @param string  $value Value
+    * @param boolean $replace Whether to replace the key if it already exists (default true)
+    * @return void
+    */
+    public function setParameter($key, $value, $replace = true)
+    {
+        if (!$replace && isset($this->parameters[$key])) {
+            $temp = (array)($this->parameters[$key]);
+            $temp[] = $value;
+            $this->parameters[$key] = $temp;
+        } else {
+            $this->parameters[$key] = $value;
+        }
+    }
+
+    /**
+    * Get the response
+    *
+    * @return object | false
+    */
+    public function getResponse()
+    {
+
+        $params = array();
+        foreach ($this->parameters as $var => $value) {
+            if (is_array($value)) {
+                foreach ($value as $v) {
+                    $params[] = $var . '=' . $this->__customUrlEncode($v);
+                }
+            } else {
+                $params[] = $var . '=' . $this->__customUrlEncode($value);
+            }
+        }
+
+        sort($params, SORT_STRING);
+
+        $query = implode('&', $params);
+
+        // must be in format 'Sun, 06 Nov 1994 08:49:37 GMT'
+        $date = gmdate('D, d M Y H:i:s e');
+
+        $headers = array();
+        $headers[] = 'Date: ' . $date;
+        $headers[] = 'Host: ' . $this->r53->getHost();
+
+        $auth = 'AWS3-HTTPS AWSAccessKeyId=' . $this->r53->getAccessKey();
+        $auth .= ',Algorithm=HmacSHA256,Signature=' . $this->__getSignature($date);
+        $headers[] = 'X-Amzn-Authorization: ' . $auth;
+
+        $url = 'https://' . $this->r53->getHost() . '/' . Route53::API_VERSION . '/' . $this->action . '?' . $query;
+
+        // Basic setup
+        $curl = curl_init();
+        curl_setopt($curl, CURLOPT_USERAGENT, 'Route53/php');
+
+        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, ($this->r53->verifyHost() ? 1 : 0));
+        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, ($this->r53->verifyPeer() ? 1 : 0));
+
+        curl_setopt($curl, CURLOPT_URL, $url);
+        curl_setopt($curl, CURLOPT_RETURNTRANSFER, false);
+        curl_setopt($curl, CURLOPT_WRITEFUNCTION, array(&$this, '__responseWriteCallback'));
+        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
+
+        // Request types
+        switch ($this->verb) {
+            case 'GET':
+                break;
+            case 'POST':
+                curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $this->verb);
+                if (strlen($this->data) > 0) {
+                    curl_setopt($curl, CURLOPT_POSTFIELDS, $this->data);
+                    $headers[] = 'Content-Type: text/plain';
+                    $headers[] = 'Content-Length: ' . strlen($this->data);
+                }
+                break;
+            case 'DELETE':
+                curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'DELETE');
+                break;
+            default:
+                break;
+        }
+        curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
+        curl_setopt($curl, CURLOPT_HEADER, false);
+
+        // Execute, grab errors
+        if (curl_exec($curl)) {
+            $this->response->code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+        } else {
+            $this->response->error = array(
+                'curl' => true,
+                'code' => curl_errno($curl),
+                'message' => curl_error($curl),
+                'resource' => $this->resource
+            );
+        }
+
+        @curl_close($curl);
+
+        // Parse body into XML
+        if ($this->response->error === false && isset($this->response->body)) {
+            $this->response->body = simplexml_load_string($this->response->body);
+
+            // Grab Route53 errors
+            if (
+                !in_array($this->response->code, array(200, 201, 202, 204))
+                && isset($this->response->body->Error)
+            ) {
+                $error = $this->response->body->Error;
+                $output = array();
+                $output['curl'] = false;
+                $output['Error'] = array();
+                $output['Error']['Type'] = (string)$error->Type;
+                $output['Error']['Code'] = (string)$error->Code;
+                $output['Error']['Message'] = (string)$error->Message;
+                $output['RequestId'] = (string)$this->response->body->RequestId;
+
+                $this->response->error = $output;
+                unset($this->response->body);
+            }
+        }
+
+        return $this->response;
+    }
+
+    /**
+    * CURL write callback
+    *
+    * @param resource &$curl CURL resource
+    * @param string &$data Data
+    * @return integer
+    */
+    private function __responseWriteCallback(&$curl, &$data)
+    {
+        $this->response->body .= $data;
+        return strlen($data);
+    }
+
+    /**
+    * Contributed by afx114
+    * URL encode the parameters as per http://docs.amazonwebservices.com/AWSECommerceService/latest/DG/index.html?Query_QueryAuth.html
+    * PHP's rawurlencode() follows RFC 1738, not RFC 3986 as required by Amazon. The only difference is the tilde (~), so convert it back after rawurlencode
+    * See: http://www.morganney.com/blog/API/AWS-Product-Advertising-API-Requires-a-Signed-Request.php
+    *
+    * @param string $var String to encode
+    * @return string
+    */
+    private function __customUrlEncode($var)
+    {
+        return str_replace('%7E', '~', rawurlencode($var));
+    }
+
+    /**
+    * Generate the auth string using Hmac-SHA256
+    *
+    * @internal Used by SimpleDBRequest::getResponse()
+    * @param string $string String to sign
+    * @return string
+    */
+    private function __getSignature($string)
+    {
+        return base64_encode(hash_hmac('sha256', $string, $this->r53->getSecretKey(), true));
+    }
 }

From e1296274cbb7e887efede9f1fba10820b3cdf189 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Dec 2021 07:36:13 +0100
Subject: [PATCH 0869/3088] net-mgmt/zabbix-proxy: whitespace sweep

---
 net-mgmt/zabbix-proxy/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index ca419ae32a..dadafe0660 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,7 +12,7 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
-1.7 
+1.7
 
 * Add StatsIP field to allow retrieving statistics (#2697)
 

From 9b3c8a2d1f1ba113cc618f3bcc2e62ed93fe633c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Dec 2021 07:40:32 +0100
Subject: [PATCH 0870/3088] net/firewall: nonat feature

---
 net/firewall/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 9bb8c5ed87..44daa1d075 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From b63e34618b3dde8e59d44f666dfab60c7a6aed55 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Dec 2021 13:23:34 +0100
Subject: [PATCH 0871/3088] dns/bind: new version

---
 dns/bind/Makefile  | 2 +-
 dns/bind/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 025638dbf2..7018cf0f6e 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.19
+PLUGIN_VERSION=		1.20
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index b92f8177fe..ea2c307f3c 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.20
+
+* Allow signed zone transfers (contributed by Michael Newton)
+
 1.19
 
 * Add support for "Query Source [IP|IPv6]" options.

From da2004e414f2e99de4f0559234bb819b97bf0e99 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 15 Dec 2021 13:30:23 +0100
Subject: [PATCH 0872/3088] mail/postfix: make CA file static if not selected
 (#2709)

---
 mail/postfix/Makefile                                         | 2 +-
 mail/postfix/pkg-descr                                        | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Postfix/main.cf   | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 84c6f2441e..ba8f9944ec 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.20
+PLUGIN_VERSION=		1.21
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix35
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 49ff2b05a2..0fd8e0ccab 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.21
+
+* Add static link to root certficiates
+
 1.20
 
 * Make 'delay_warning_time' configurable in the UI
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 784b87b894..3dcc6292b8 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -37,6 +37,7 @@ recipient_bcc_maps = hash:/usr/local/etc/postfix/recipientbcc
 sender_canonical_maps = regexp:/usr/local/etc/postfix/sendercanonical
 header_checks = regexp:/usr/local/etc/postfix/header_checks_receiving
 smtp_header_checks = regexp:/usr/local/etc/postfix/header_checks_delivering
+smtp_tls_CAfile = /etc/ssl/cert.pem
 ##########################
 # END SYSTEM DEFAULTS
 ##########################
@@ -115,6 +116,8 @@ smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
 {% endif %}
 {% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
 smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
+{% else %}
+smtpd_tls_CAfile = /etc/ssl/cert.pem
 {% endif %}
 {% if helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
 {% if OPNsense.postfix.general.tls_server_compatibility == 'modern' %}

From 2b0c28f1325ed51ae09599ca4f7e8c8a4000072a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 19 Dec 2021 22:22:07 +0100
Subject: [PATCH 0873/3088] security/acme-client: fix SFTP buttons not visible,
 refs #2712

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt  | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 167a9b7f45..a392a30bf4 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.7
+
+Fixed:
+* fix SFTP buttons not visible (#2712)
+
 3.6
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
index 5cbf1e502d..7f258eafeb 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
@@ -96,7 +96,7 @@ POSSIBILITY OF SUCH DAMAGE.
         (function ($identityType) {
             var identityDiv = makeStatusDiv($identityType);
 
-            makeButton("{{ lang._('Show Identity') }}", "upload_sftp", "btn-info")
+            makeButton("{{ lang._('Show Identity') }}", "configd_upload_sftp", "btn-info")
                 .click(function () {
                     identityDiv.hide();
                     var button = $(this);
@@ -145,7 +145,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 {msg: "{{ lang._('Test failed, see details.') }}"},
             ];
 
-            makeButton("{{ lang._('Test Connection') }}", "upload_sftp")
+            makeButton("{{ lang._('Test Connection') }}", "configd_upload_sftp")
                 .click(function () {
                     statusDiv.hide();
                     var button = $(this);

From 95d461b0b31c2a0ea150e59a49ecccd416da8597 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 19 Dec 2021 22:29:46 +0100
Subject: [PATCH 0874/3088] security/acme-client: fix invalid default value
 when no WAN interface can be found, closes #2712

---
 security/acme-client/pkg-descr                                  | 1 +
 .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  | 2 --
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a392a30bf4..ad9ac65bb9 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Fixed:
 * fix SFTP buttons not visible (#2712)
+* fix invalid default value when no WAN interface can be found (#2712)
 
 3.6
 
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 37e3df2956..ed0692c23b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -362,7 +362,6 @@
                 </http_opn_autodiscovery>
                 <http_opn_interface type="InterfaceField">
                     <Required>N</Required>
-                    <default>wan</default>
                     <filters>
                         <enable>/^(?!0).*$/</enable>
                     </filters>
@@ -404,7 +403,6 @@
                 </tlsalpn_acme_autodiscovery>
                 <tlsalpn_acme_interface type="InterfaceField">
                     <Required>N</Required>
-                    <default>wan</default>
                     <filters>
                         <enable>/^(?!0).*$/</enable>
                     </filters>

From 80f0c0b8783a5ba895b493df76086b316b57a8a6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 19 Dec 2021 23:02:43 +0100
Subject: [PATCH 0875/3088] security/acme-client: fix incompatibility with new
 gcloud SDK, closes #2710

While here, add the --quiet option which is recommended when running
gcloud commands in a script.
---
 security/acme-client/pkg-descr                    |  1 +
 .../AcmeClient/LeValidation/DnsGcloud.php         | 15 ++++++++-------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index ad9ac65bb9..65bc3ac43e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 Fixed:
 * fix SFTP buttons not visible (#2712)
 * fix invalid default value when no WAN interface can be found (#2712)
+* fix incompatibility with new gcloud SDK (#2710)
 
 3.6
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
index 045363b7c3..5b3f35ce1f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2021 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -64,7 +64,8 @@ public function prepare()
         }
 
         // Preparations to run gcloud CLI.
-        $val_id = (string)$this->config->id;
+        // NOTE: Never versions of gcloud SDK no longer allow dots in config names.
+        $val_id = str_replace('.', '-', (string)$this->config->id);
         $gcloud_config = "acme-${val_id}";
         $gcloud_key_file = '/tmp/acme_' . (string)$this->config->dns_service . "_${val_id}.json";
         file_put_contents($gcloud_key_file, (string)$this->config->dns_gcloud_key);
@@ -74,11 +75,11 @@ public function prepare()
         $proc_env['CLOUDSDK_CORE_PROJECT'] = $gcloud_project;
 
         // Ensure that a working gcloud config exists.
-        LeUtils::run_shell_command("/usr/local/bin/gcloud config configurations create ${gcloud_config}", $proc_env);
-        LeUtils::run_shell_command("/usr/local/bin/gcloud config configurations activate ${gcloud_config}", $proc_env);
-        LeUtils::run_shell_command("/usr/local/bin/gcloud auth activate-service-account --key-file=${gcloud_key_file}", $proc_env);
-        LeUtils::run_shell_command("/usr/local/bin/gcloud config set account ${gcloud_account}", $proc_env);
-        LeUtils::run_shell_command("/usr/local/bin/gcloud config set project ${gcloud_project}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config configurations create ${gcloud_config}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config configurations activate ${gcloud_config}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet auth activate-service-account --key-file=${gcloud_key_file}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config set account ${gcloud_account}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config set project ${gcloud_project}", $proc_env);
 
         // Save config for acme client.
         $this->acme_env['CLOUDSDK_PYTHON'] = '/usr/local/bin/python3';

From 937dee3fc487db07d826400444b7cf56faa8eedd Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 19 Dec 2021 23:05:37 +0100
Subject: [PATCH 0876/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index d5feedbbea..0617ed933d 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.6
+PLUGIN_VERSION=		3.7
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 8b856ddc1d126269a9e041ac5559fc0c4166fc6c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 24 Dec 2021 23:56:41 +0100
Subject: [PATCH 0877/3088] net/haproxy: add SNI support to servers and health
 checks (#2388)

---
 net/haproxy/pkg-descr                         |  8 +++
 .../HAProxy/forms/dialogHealthcheck.xml       | 18 ++++---
 .../OPNsense/HAProxy/forms/dialogServer.xml   |  6 +++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 23 ++++++++-
 .../OPNsense/HAProxy/Migrations/M3_5_0.php    | 50 +++++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 19 ++++++-
 6 files changed, 115 insertions(+), 9 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_5_0.php

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 19252be162..01e41f56bf 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,14 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.9
+
+Added:
+* add SSL SNI setting to servers and health checks (#2388)
+
+Changed:
+* replace "force SSL" setting with "SSL preferences" in health checks (#2388)
+
 3.8
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
index a3d23ffbc6..8d3ad20c8e 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
@@ -17,18 +17,24 @@
         <type>dropdown</type>
         <help><![CDATA[Select type of health check.]]></help>
     </field>
+    <field>
+        <id>healthcheck.ssl</id>
+        <label>SSL preferences</label>
+        <type>dropdown</type>
+        <help><![CDATA[This option forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic.]]></help>
+    </field>
+    <field>
+        <id>healthcheck.sslSNI</id>
+        <label>SSL SNI</label>
+        <type>text</type>
+        <help><![CDATA[The host name sent in the SNI TLS extension to the server. Overrides the server's SNI setting for health checks.]]></help>
+    </field>
     <field>
         <id>healthcheck.interval</id>
         <label>Check interval</label>
         <type>text</type>
         <help><![CDATA[Select interval (in milliseconds) between two consecutive health checks. This value can be overriden in backend pool and real server configuration.]]></help>
     </field>
-    <field>
-        <id>healthcheck.force_ssl</id>
-        <label>Force SSL</label>
-        <type>checkbox</type>
-        <help><![CDATA[This option forces encryption of all health checks over SSL, regardless of whether the server uses SSL or not for the normal traffic.]]></help>
-    </field>
     <field>
         <id>healthcheck.checkport</id>
         <label>Port to check</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
index fa2283086a..30dd1a308a 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -108,6 +108,12 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable SSL communication with this server.]]></help>
     </field>
+    <field>
+        <id>server.sslSNI</id>
+        <label>SSL SNI</label>
+        <type>text</type>
+        <help><![CDATA[The host name sent in the SNI TLS extension to the server.]]></help>
+    </field>
     <field>
         <id>server.sslVerify</id>
         <label>Verify SSL Certificate</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 5efa6dff9b..1a52f7e1d1 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.4.0</version>
+    <version>3.5.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -1304,6 +1304,11 @@
                     <default>0</default>
                     <Required>Y</Required>
                 </ssl>
+                <sslSNI type="TextField">
+                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </sslSNI>
                 <sslVerify type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>
@@ -1406,6 +1411,22 @@
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>Y</Required>
                 </interval>
+                <ssl type="OptionField">
+                    <Required>N</Required>
+                    <default>nopref</default>
+                    <OptionValues>
+                        <nopref>Use server settings</nopref>
+                        <ssl>Force SSL for health checks</ssl>
+                        <sslsni>Force SSL+SNI for health checks</sslsni>
+                        <nossl>Force no SSL for health checks</nossl>
+                    </OptionValues>
+                </ssl>
+                <sslSNI type="TextField">
+                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </sslSNI >
+                <!-- XXX: old value, required for model migration to 3.5.0 -->
                 <force_ssl type="BooleanField">
                     <default>0</default>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_5_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_5_0.php
new file mode 100644
index 0000000000..24306366e0
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M3_5_0.php
@@ -0,0 +1,50 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M3_5_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->getNodeByReference('healthchecks.healthcheck')->iterateItems() as $healthcheck) {
+            switch ((string)$healthcheck->force_ssl) {
+                case '0':
+                    $healthcheck->ssl = 'nopref';
+                    break;
+                case '1':
+                    $healthcheck->ssl = 'ssl';
+                    break;
+            }
+        }
+    }
+}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index b95910675a..8eb29fb40f 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1722,8 +1722,19 @@ backend {{backend.name}}
 {%                   do server_options.append('port ' ~ server_data.checkport) %}
 {%                 endif %}
 {#                 # force SSL encryption for health checks #}
-{%                 if healthcheck_data.force_ssl|default('') == '1' %}
-{%                   do server_options.append('check-ssl ') %}
+{%                 if healthcheck_data.ssl|default('') == 'ssl' or healthcheck_data.ssl|default('') == 'sslsni' %}
+{%                   do server_options.append('check-ssl') %}
+{%                 elif healthcheck_data.ssl|default('') == 'nossl' %}
+{%                   do server_options.append('no-check-ssl') %}
+{%                 endif %}
+{#                 # add SNI header for health checks #}
+{%                 if healthcheck_data.ssl|default('') == 'sslsni' and healthcheck_data.sslSNI|default('') != '' %}
+{%                   do server_options.append('check-sni ' ~ healthcheck_data.sslSNI) %}
+{#                 # fallback to server SNI value #}
+{%                 elif healthcheck_data.ssl|default('') == 'sslsni' and server_data.sslSNI|default('') != '' %}
+{%                   do server_options.append('check-sni ' ~ server_data.sslSNI) %}
+{%                 elif healthcheck_data.ssl|default('') == 'sslsni' and (healthcheck_data.sslSNI|default('') == '' and server_data.sslSNI|default('') == '') %}
+# ERROR: missing SSL SNI value
 {%                 endif %}
 {#                 # add all additions from healthchecks here #}
 {%                 do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
@@ -1739,6 +1750,10 @@ backend {{backend.name}}
 {#               # server ssl communication #}
 {%               if server_data.ssl|default("") == '1' %}
 {%                 do server_options.append('ssl') %}
+{#                 # SNI #}
+{%                 if server_data.sslSNI|default('') != '' %}
+{%                   do server_options.append('sni str(' ~ server_data.sslSNI ~ ')') %}
+{%                 endif %}
 {#                 # HTTP/2 #}
 {%                 if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}
 {#                   # convert protocols to HAProxy-compatible format #}

From eb0c22302196460483590f4c0d537f3d90559bda Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 25 Dec 2021 00:19:37 +0100
Subject: [PATCH 0878/3088] net/haproxy: health check port is no longer an
 advanced option

---
 net/haproxy/pkg-descr                                          | 1 +
 .../controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml   | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 01e41f56bf..052d12cec4 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -13,6 +13,7 @@ Added:
 
 Changed:
 * replace "force SSL" setting with "SSL preferences" in health checks (#2388)
+* health check port is no longer an advanced option
 
 3.8
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
index 8d3ad20c8e..f77d4ccb72 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
@@ -39,8 +39,7 @@
         <id>healthcheck.checkport</id>
         <label>Port to check</label>
         <type>text</type>
-        <help><![CDATA[Provide the TCP communication port to use during check, i.e. 80 or 443.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Provide an optional TCP communication port to use during health checks, i.e. 80 or 443. The server port will used for health checks when no port is specified.]]></help>
     </field>
     <field>
         <label>HTTP check options</label>

From 5a1efaf8f1d139158f5ee0d7b8767cccae00ee91 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 25 Dec 2021 00:20:01 +0100
Subject: [PATCH 0879/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index c60e81b2fb..1a155bad49 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.8
+PLUGIN_VERSION=		3.9
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy22
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 88aed06cdb80a030f8f51f5e30bdc7c7057711c0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 25 Dec 2021 00:32:56 +0100
Subject: [PATCH 0880/3088] net/haproxy: fix link and update help text

---
 .../mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
index 30dd1a308a..53190b12cd 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -125,7 +125,7 @@
         <label>SSL Verify CA</label>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help><![CDATA[These CAs will be used to verify server's certificate. <br/>To import additional CAs, go to <a href="/system_certmanager.php">Certificate Manager</a>.]]></help>
+        <help><![CDATA[The selected CAs will be used to verify the server certificate. When nothing is selected, the system-wide CA certificate bundle will be used. <br/>To import additional CAs, go to <a href="/system_camanager.php">Authority Manager</a>.]]></help>
         <hint>Type CA name or choose from list.</hint>
     </field>
     <field>

From 0b05f1d71bf7c139fbfb9cbb58adab0cef25d298 Mon Sep 17 00:00:00 2001
From: Jeffrey <jeffrey@wirehead.be>
Date: Sat, 25 Dec 2021 13:18:17 +0100
Subject: [PATCH 0881/3088] add description for restart action (#2718)

Add description for restart action so it can be used in automations (e.g. after acme cert update, restart freeradius which uses it)
---
 .../src/opnsense/service/conf/actions.d/actions_freeradius.conf  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf b/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
index db3cbdd12f..ae633eb117 100644
--- a/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
+++ b/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
@@ -14,6 +14,7 @@ message:stopping FreeRADIUS
 command:/usr/local/opnsense/scripts/Freeradius/setup.sh;/usr/local/etc/rc.d/radiusd restart
 parameters:
 type:script
+description:Restart FreeRADIUS service
 message:restarting FreeRADIUS
 
 [status]

From bb3f06227fe48049b43a68eed3c9a94ee44044c7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 29 Dec 2021 22:18:50 +0100
Subject: [PATCH 0882/3088] dns/ddclient - work in progress, replacement for
 dyndns using ddclient package

---
 dns/ddclient/Makefile                         |  7 ++
 dns/ddclient/pkg-descr                        |  1 +
 .../DynDNS/Api/AccountsController.php         | 73 ++++++++++++++
 .../OPNsense/DynDNS/Api/ServiceController.php | 49 ++++++++++
 .../OPNsense/DynDNS/IndexController.php       | 46 +++++++++
 .../OPNsense/DynDNS/forms/dialogAccount.xml   | 39 ++++++++
 .../app/models/OPNsense/DynDNS/ACL/ACL.xml    |  9 ++
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.php | 39 ++++++++
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 52 ++++++++++
 .../app/models/OPNsense/DynDNS/Menu/Menu.xml  |  5 +
 .../mvc/app/views/OPNsense/DynDNS/index.volt  | 96 +++++++++++++++++++
 .../conf/actions.d/actions_ddclient.conf      | 25 +++++
 .../templates/OPNsense/ddclient/+TARGETS      |  2 +
 .../templates/OPNsense/ddclient/ddclient.conf | 45 +++++++++
 .../templates/OPNsense/ddclient/rc.conf.d     |  5 +
 15 files changed, 493 insertions(+)
 create mode 100644 dns/ddclient/Makefile
 create mode 100644 dns/ddclient/pkg-descr
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/ServiceController.php
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/IndexController.php
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
 create mode 100644 dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
 create mode 100644 dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/+TARGETS
 create mode 100644 dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
 create mode 100644 dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
new file mode 100644
index 0000000000..5e3081e0a2
--- /dev/null
+++ b/dns/ddclient/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		ddclient
+PLUGIN_VERSION=		1
+PLUGIN_REVISION=	1
+PLUGIN_COMMENT=		Dynamic DNS client
+PLUGIN_MAINTAINER=	ad@opnsense.org
+
+.include "../../Mk/plugins.mk"
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
new file mode 100644
index 0000000000..0aed7a9f65
--- /dev/null
+++ b/dns/ddclient/pkg-descr
@@ -0,0 +1 @@
+Support for numerous Dynamic DNS services using ddclient
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
new file mode 100644
index 0000000000..55e775635a
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
@@ -0,0 +1,73 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\DynDNS\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class AccountsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'account';
+    protected static $internalModelClass = 'OPNsense\DynDNS\DynDNS';
+
+    public function searchItemAction()
+    {
+        return $this->searchBase(
+            "accounts.account",
+            ['enabled', 'service', 'description', 'username', 'hostnames'],
+            "description"
+        );
+    }
+
+    public function setItemAction($uuid)
+    {
+        return $this->setBase("account", "accounts.account", $uuid);
+    }
+
+    public function addItemAction()
+    {
+        return $this->addBase("account", "accounts.account");
+    }
+
+    public function getItemAction($uuid = null)
+    {
+        return $this->getBase("account", "accounts.account", $uuid);
+    }
+
+    public function delItemAction($uuid)
+    {
+        return $this->delBase("accounts.account", $uuid);
+    }
+
+    public function toggleItemAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("accounts.account", $uuid, $enabled);
+    }
+}
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/ServiceController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/ServiceController.php
new file mode 100644
index 0000000000..a2fd9644c5
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/ServiceController.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\DynDNS\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+/**
+ * {@inheritdoc}
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\DynDNS\DynDNS';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceTemplate = 'OPNsense/ddclient';
+    protected static $internalServiceName = 'ddclient';
+
+    protected function reconfigureForceRestart()
+    {
+        return 0;
+    }
+}
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/IndexController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/IndexController.php
new file mode 100644
index 0000000000..12b1df3bb3
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/IndexController.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\DynDNS;
+
+/**
+ * Class IndexController
+ * @package OPNsense\DynDNS
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // link dialogs
+        $this->view->formDialogAccount = $this->getForm("dialogAccount");
+        // choose template
+        $this->view->pick('OPNsense/DynDNS/index');
+    }
+}
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
new file mode 100644
index 0000000000..9a946d1406
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -0,0 +1,39 @@
+<form>
+    <field>
+        <id>account.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable this virtual server</help>
+    </field>
+    <field>
+        <id>account.service</id>
+        <label>Service</label>
+        <type>dropdown</type>
+        <help>Select the service to use.</help>
+    </field>
+    <field>
+        <id>account.username</id>
+        <label>Username</label>
+        <type>text</type>
+        <help>Username or login to use</help>
+    </field>
+    <field>
+        <id>account.password</id>
+        <label>Password</label>
+        <type>password</type>
+        <help>Password associated with this account</help>
+    </field>
+    <field>
+        <id>account.hostnames</id>
+        <label>Hostname(s)</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>Hostname to update</help>
+    </field>
+    <field>
+        <id>account.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+</form>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
new file mode 100644
index 0000000000..4503995ce9
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-dyndns>
+        <name>Services: Dynamic DNS</name>
+        <patterns>
+            <pattern>ui/dyndns/*</pattern>
+            <pattern>api/dyndns/*</pattern>
+        </patterns>
+    </page-services-dyndns>
+</acl>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
new file mode 100644
index 0000000000..1515e16935
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ namespace OPNsense\DynDNS;
+
+ use OPNsense\Base\BaseModel;
+
+ /**
+  * Class DynDNS
+  * @package OPNsense\DynDNS
+  */
+ class DynDNS extends BaseModel
+ {
+ }
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
new file mode 100644
index 0000000000..82614c0a60
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -0,0 +1,52 @@
+<model>
+    <mount>//OPNsense/DynDNS</mount>
+    <version>1.0.0</version>
+    <description>
+        Dynamic DNS client
+    </description>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </enabled>
+        </general>
+        <accounts>
+            <account type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <service type="OptionField">
+                    <Required>Y</Required>
+                    <ValidationMessage>A service type is required.</ValidationMessage>
+                    <OptionValues>
+                        <noip>Noip</noip>
+                        <nsupdatev4>nsupdate (IPv4)</nsupdatev4>
+                        <nsupdatev6>nsupdate (IPv6)</nsupdatev6>
+                    </OptionValues>
+                </service>
+                <username type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([a-z0-9\-.@_:+])*$/u</mask>
+                    <ValidationMessage>The username contains invalid characters.</ValidationMessage>
+                </username>
+                <password type="UpdateOnlyTextField">
+                    <Required>Y</Required>
+                    <mask>/^[^\n]*$/</mask>
+                </password>
+                <hostnames type="HostnameField">
+                    <Required>Y</Required>
+                    <IpAllowed>N</IpAllowed>
+                    <AsList>Y</AsList>
+                    <FieldSeparator>,</FieldSeparator>
+                </hostnames>
+                <description type="TextField">
+                    <Required>N</Required>
+                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
+                </description>
+            </account>
+        </accounts>
+    </items>
+</model>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
new file mode 100644
index 0000000000..633e9ccc1e
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
@@ -0,0 +1,5 @@
+<menu>
+    <Services>
+        <DynamicDNS VisibleName="Dynamic DNS" url="/ui/dyndns/" cssClass="fa fa-tags fa-fw"/>
+    </Services>
+</menu>
diff --git a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
new file mode 100644
index 0000000000..e4811c564f
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
@@ -0,0 +1,96 @@
+{#
+
+OPNsense® is Copyright © 2021 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+
+    $( document ).ready(function() {
+        $("#grid-accounts").UIBootgrid(
+            {   search:'/api/dyndns/accounts/search_item',
+                get:'/api/dyndns/accounts/get_item/',
+                set:'/api/dyndns/accounts/set_item/',
+                add:'/api/dyndns/accounts/add_item/',
+                del:'/api/dyndns/accounts/del_item/',
+                toggle:'/api/dyndns/accounts/toggle_item/'
+            }
+        );
+
+        $("#reconfigureAct").SimpleActionButton();
+        updateServiceControlUI('dyndns');
+    });
+
+</script>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" id="destinations" href="#tab_destinations">{{ lang._('Accounts') }}</a></li>
+</ul>
+<div class="tab-content content-box">
+    <div id="tab_accounts" class="tab-pane fade in active">
+        <!-- tab page "accounts" -->
+        <table id="grid-accounts" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAccount" data-editAlert="ddclientChangeMessage">
+            <thead>
+            <tr>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="service" data-type="string">{{ lang._('Service') }}</th>
+                <th data-column-id="username" data-type="string">{{ lang._('Username') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-fw fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-fw fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+    <div class="col-md-12">
+        <div id="ddclientChangeMessage" class="alert alert-info" style="display: none" role="alert">
+            {{ lang._('After changing settings, please remember to apply them with the button below') }}
+        </div>
+        <hr/>
+        <button class="btn btn-primary" id="reconfigureAct"
+                data-endpoint='/api/dyndns/service/reconfigure'
+                data-label="{{ lang._('Apply') }}"
+                data-service-widget="dyndns"
+                data-error-title="{{ lang._('Error reconfiguring DynDNS') }}"
+                type="button"
+        ></button>
+        <br/><br/>
+    </div>
+</div>
+
+
+{# include dialogs #}
+{{ partial("layout_partials/base_dialog",['fields':formDialogAccount,'id':'DialogAccount','label':lang._('Edit Account')])}}
diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
new file mode 100644
index 0000000000..5ceb8a7872
--- /dev/null
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -0,0 +1,25 @@
+[start]
+command:/usr/local/etc/rc.d/ddclient start
+type:script
+message:starting ddclient
+
+[stop]
+command:/usr/local/etc/rc.d/ddclient stop
+type:script
+message:stopping ddclient
+
+[status]
+command:/usr/local/etc/rc.d/ddclient status; exit 0
+type:script_output
+message:get ddclient status
+
+[restart]
+command:/usr/local/etc/rc.d/ddclient restart
+type:script
+message:restarting ddclient
+description:Restart ddclient service
+
+[reload]
+command:/usr/local/etc/rc.d/ddclient reload
+type:script
+message:reload ddclient configuration
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/+TARGETS b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/+TARGETS
new file mode 100644
index 0000000000..0ec7e572f1
--- /dev/null
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/+TARGETS
@@ -0,0 +1,2 @@
+rc.conf.d:/etc/rc.conf.d/ddclient
+ddclient.conf:/usr/local/etc/ddclient.conf
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
new file mode 100644
index 0000000000..d6ee57efff
--- /dev/null
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -0,0 +1,45 @@
+daemon=300                  # check every 300 seconds
+syslog=yes                  # log update msgs to syslog
+pid=/var/run/ddclient.pid   # record PID in file.
+
+{%  set websettings = {
+    'noip': 'use=web,',
+    'nsupdate': 'use=web, web=http://ipv4.nsupdate.info/myip,'
+} %}
+
+
+{%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
+{%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
+{%        if account.enabled|default('0') == '1' %}
+{%            if account.service == 'noip' %}
+
+protocol=noip,                                  \
+use=web,                                        \
+ssl=yes,                                        \
+login={{account.username}},                     \
+password={{account.password}}                   \
+{{account.hostnames}}
+
+{%            elif account.service == 'nsupdatev4' %}
+
+protocol=dyndns2,                               \
+use=web, web=https://ipv4.nsupdate.info/myip,   \
+ssl=yes,                                        \
+server=ipv4.nsupdate.info,                      \
+login={{account.username}},                     \
+password='{{account.password}}'                 \
+{{account.hostnames}}
+
+{%            elif account.service == 'nsupdatev6' %}
+protocol=dyndns2,                               \
+use=web, web=https://ipv6.nsupdate.info/myip,   \
+ssl=yes,                                        \
+server=ipv6.nsupdate.info,                      \
+login={{account.username}},                     \
+password='{{account.password}}'                 \
+{{account.hostnames}}
+
+{%            endif %}
+{%        endif %}
+{%    endfor %}
+{%  endif %}
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
new file mode 100644
index 0000000000..c89c76bd53
--- /dev/null
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
@@ -0,0 +1,5 @@
+{% if not helpers.empty('OPNsense.DynDNS.general.enabled') %}
+ddclient_enable="YES"
+{% else %}
+ddclient_enable="NO"
+{% endif %}

From 142ea68c0649b69df9713a900afb8406835ba770 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 30 Dec 2021 19:07:16 +0100
Subject: [PATCH 0883/3088] dns/ddclient - work in progress, replacement for
 dyndns using ddclient package

---
 .../DynDNS/Api/SettingsController.php         | 49 ++++++++++++
 .../OPNsense/DynDNS/IndexController.php       |  1 +
 .../OPNsense/DynDNS/forms/settings.xml        | 16 ++++
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 22 ++++++
 .../app/models/OPNsense/DynDNS/Menu/Menu.xml  |  5 +-
 .../mvc/app/views/OPNsense/DynDNS/index.volt  | 53 +++++++++----
 .../OPNsense/Syslog/local/ddclient.conf       |  6 ++
 .../templates/OPNsense/ddclient/ddclient.conf | 77 ++++++++++++-------
 8 files changed, 183 insertions(+), 46 deletions(-)
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/SettingsController.php
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
 create mode 100644 dns/ddclient/src/opnsense/service/templates/OPNsense/Syslog/local/ddclient.conf

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/SettingsController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/SettingsController.php
new file mode 100644
index 0000000000..b6d14516be
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/SettingsController.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\DynDNS\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'ddclient';
+    protected static $internalModelClass = 'OPNsense\DynDNS\DynDNS';
+
+    public function getAction()
+    {
+        $data = parent::getAction();
+        return [
+            'ddclient' => [
+                'general' => $data['ddclient']['general']
+            ]
+        ];
+    }
+}
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/IndexController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/IndexController.php
index 12b1df3bb3..4214f012ff 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/IndexController.php
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/IndexController.php
@@ -40,6 +40,7 @@ public function indexAction()
     {
         // link dialogs
         $this->view->formDialogAccount = $this->getForm("dialogAccount");
+        $this->view->formSettings = $this->getForm("settings");
         // choose template
         $this->view->pick('OPNsense/DynDNS/index');
     }
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
new file mode 100644
index 0000000000..38fadde58c
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -0,0 +1,16 @@
+<form>
+    <field>
+        <id>ddclient.general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable ddclient</help>
+    </field>
+    <field>
+        <id>ddclient.general.checkip</id>
+        <label>Check ip method</label>
+        <type>dropdown</type>
+        <help>
+          How to determine the address to uswe for this host
+        </help>
+    </field>
+</form>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 82614c0a60..b9896be226 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -10,6 +10,28 @@
                 <default>1</default>
                 <Required>Y</Required>
             </enabled>
+            <checkip type="OptionField">
+                <Required>Y</Required>
+                <default>web_dyndns</default>
+                <ValidationMessage>An IP service type is required.</ValidationMessage>
+                <OptionValues>
+                    <web_dyndns>dyndns</web_dyndns>
+                    <web_freedns>freedns</web_freedns>
+                    <web_googledomains>googledomains</web_googledomains>
+                    <web_he>he</web_he>
+                    <web_ip4only_me value="web_ip4only.me">ip4only.me</web_ip4only_me>
+                    <web_ip6only_me value="web_ip6only.me">ip4only.me</web_ip6only_me>
+                    <web_ipify_ipv4 value="web_ipify-ipv4">ipify-ipv4</web_ipify_ipv4>
+                    <web_ipify_ipv6 value="web_ipify-ipv6">ipify-ipv6</web_ipify_ipv6>
+                    <web_loopia>loopia</web_loopia>
+                    <web_myonlineportal>myonlineportal</web_myonlineportal>
+                    <web_noip_ipv4 value="web_noip-ipv4">noip-ipv4</web_noip_ipv4>
+                    <web_noip_ipv6 value="web_noip-ipv6">noip-ipv6</web_noip_ipv6>
+                    <web_nsupdate_info_ipv4 value="web_nsupdate.info-ipv4">nsupdate.info-ipv4</web_nsupdate_info_ipv4>
+                    <web_nsupdate_info_ipv6 value="web_nsupdate.info-ipv6">nsupdate.info-ipv4</web_nsupdate_info_ipv6>
+                    <web_zoneedit>zoneedit</web_zoneedit>
+                </OptionValues>
+            </checkip>
         </general>
         <accounts>
             <account type="ArrayField">
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
index 633e9ccc1e..e2ed793074 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
@@ -1,5 +1,8 @@
 <menu>
     <Services>
-        <DynamicDNS VisibleName="Dynamic DNS" url="/ui/dyndns/" cssClass="fa fa-tags fa-fw"/>
+        <DynamicDNS VisibleName="Dynamic DNS" cssClass="fa fa-tags fa-fw">
+            <settings order="10" url="/ui/dyndns/"/>
+            <log order="100" VisibleName="Log File" url="/ui/diagnostics/log/core/ddclient"/>
+        </DynamicDNS>
     </Services>
 </menu>
diff --git a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
index e4811c564f..9a40d6f8ae 100644
--- a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
+++ b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
@@ -38,15 +38,29 @@ POSSIBILITY OF SUCH DAMAGE.
                 toggle:'/api/dyndns/accounts/toggle_item/'
             }
         );
+        let data_get_map = {'frm_settings':"/api/dyndns/settings/get"};
+        mapDataToFormUI(data_get_map).done(function(){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('dyndns');
+        });
 
-        $("#reconfigureAct").SimpleActionButton();
-        updateServiceControlUI('dyndns');
+        $("#reconfigureAct").SimpleActionButton({
+          onPreAction: function() {
+              const dfObj = new $.Deferred();
+              saveFormToEndpoint("/api/dyndns/settings/set", 'frm_settings', function(){
+                  dfObj.resolve();
+              });
+              return dfObj;
+          }
+        });
     });
 
 </script>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" id="destinations" href="#tab_destinations">{{ lang._('Accounts') }}</a></li>
+    <li class="active"><a data-toggle="tab" id="destinations" href="#tab_accounts">{{ lang._('Accounts') }}</a></li>
+    <li><a data-toggle="tab" href="#settings" id="settings_tab">{{ lang._('General settings') }}</a></li>
 </ul>
 <div class="tab-content content-box">
     <div id="tab_accounts" class="tab-pane fade in active">
@@ -75,22 +89,29 @@ POSSIBILITY OF SUCH DAMAGE.
             </tfoot>
         </table>
     </div>
-    <div class="col-md-12">
-        <div id="ddclientChangeMessage" class="alert alert-info" style="display: none" role="alert">
-            {{ lang._('After changing settings, please remember to apply them with the button below') }}
-        </div>
-        <hr/>
-        <button class="btn btn-primary" id="reconfigureAct"
-                data-endpoint='/api/dyndns/service/reconfigure'
-                data-label="{{ lang._('Apply') }}"
-                data-service-widget="dyndns"
-                data-error-title="{{ lang._('Error reconfiguring DynDNS') }}"
-                type="button"
-        ></button>
-        <br/><br/>
+    <div id="settings" class="tab-pane fade in">
+      {{ partial("layout_partials/base_form",['fields':formSettings,'id':'frm_settings'])}}
     </div>
 </div>
 
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <div id="ddclientChangeMessage" class="alert alert-info" style="display: none" role="alert">
+                {{ lang._('After changing settings, please remember to apply them with the button below') }}
+            </div>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/dyndns/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-service-widget="dyndns"
+                    data-error-title="{{ lang._('Error reconfiguring DynDNS') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
 
 {# include dialogs #}
 {{ partial("layout_partials/base_dialog",['fields':formDialogAccount,'id':'DialogAccount','label':lang._('Edit Account')])}}
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/Syslog/local/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/Syslog/local/ddclient.conf
new file mode 100644
index 0000000000..7dc55b0775
--- /dev/null
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/Syslog/local/ddclient.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [ddclient].
+###################################################################
+filter f_local_ddclient {
+    program("ddclient");
+};
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index d6ee57efff..3e5b2baafa 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -2,44 +2,63 @@ daemon=300                  # check every 300 seconds
 syslog=yes                  # log update msgs to syslog
 pid=/var/run/ddclient.pid   # record PID in file.
 
-{%  set websettings = {
-    'noip': 'use=web,',
-    'nsupdate': 'use=web, web=http://ipv4.nsupdate.info/myip,'
-} %}
-
+#
+# setup how we expect to retrieve an IP address
+#
+{%  if not helpers.empty('OPNsense.DynDNS.general.checkip') and OPNsense.DynDNS.general.checkip.startswith('web_')  %}
+{%      set checkip = OPNsense.DynDNS.general.checkip.lstrip('web_') %}
+{%      if checkip == 'dyndns' %}
+use=web, web=http://checkip.dyndns.org/, web-skip="Current IP Address:"
+{%      elif checkip == 'freedns' %}
+use=web, web=https://freedns.afraid.org/dynamic/check.php
+{%      elif checkip == 'googledomains' %}
+use=web, web=https://domains.google.com/checkip
+{%      elif checkip == 'he' %}
+use=web, web=http://checkip.dns.he.net/
+{%      elif checkip == 'ip4only.me' %}
+use=web, web=http://ip4only.me/api/
+{%      elif checkip == 'ip6only.me' %}
+use=web, web=http://ip6only.me/api/
+{%      elif checkip == 'ipify-ipv4' %}
+use=web, web=https://api.ipify.org/
+{%      elif checkip == 'ipify-ipv6' %}
+use=web, web=https://api6.ipify.org/
+{%      elif checkip == 'loopia' %}
+use=web, web=http://dns.loopia.se/checkip/checkip.php, web-skip="Current IP Address:"
+{%      elif checkip == 'myonlineportal' %}
+use=web, web=https://myonlineportal.net/checkip
+{%      elif checkip == 'noip-ipv4' %}
+use=web, web=http://ip1.dynupdate.no-ip.com/
+{%      elif checkip == 'noip-ipv6' %}
+use=web, web=http://ip1.dynupdate6.no-ip.com/
+{%      elif checkip == 'nsupdate.info-ipv4' %}
+use=web, web=https://ipv4.nsupdate.info/myip
+{%      elif checkip == 'nsupdate.info-ipv6' %}
+use=web, web=https://ipv6.nsupdate.info/myip
+{%      elif checkip == 'zoneedit' %}
+use=web, web=http://dynamic.zoneedit.com/checkip.html
+{%      endif %}
+{%  endif %}
 
 {%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
 {%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
 {%        if account.enabled|default('0') == '1' %}
 {%            if account.service == 'noip' %}
-
-protocol=noip,                                  \
-use=web,                                        \
-ssl=yes,                                        \
-login={{account.username}},                     \
-password={{account.password}}                   \
-{{account.hostnames}}
-
+protocol=noip
+ssl=yes
 {%            elif account.service == 'nsupdatev4' %}
-
-protocol=dyndns2,                               \
-use=web, web=https://ipv4.nsupdate.info/myip,   \
-ssl=yes,                                        \
-server=ipv4.nsupdate.info,                      \
-login={{account.username}},                     \
-password='{{account.password}}'                 \
-{{account.hostnames}}
-
+protocol=dyndns2
+ssl=yes
+server=ipv4.nsupdate.info
 {%            elif account.service == 'nsupdatev6' %}
-protocol=dyndns2,                               \
-use=web, web=https://ipv6.nsupdate.info/myip,   \
-ssl=yes,                                        \
-server=ipv6.nsupdate.info,                      \
-login={{account.username}},                     \
-password='{{account.password}}'                 \
+protocol=dyndns2
+ssl=yes
+server=ipv6.nsupdate.info
+{%            endif %}
+login={{account.username}}
+password={{account.password}}
 {{account.hostnames}}
 
-{%            endif %}
 {%        endif %}
 {%    endfor %}
 {%  endif %}

From a1a382c58eaa97a2047b63fde5bf70d8af87667f Mon Sep 17 00:00:00 2001
From: axelrtgs <jamie@axelrtgs.com>
Date: Fri, 31 Dec 2021 00:53:08 -0500
Subject: [PATCH 0884/3088] add support for cPanel HTTP API

---
 security/acme-client/pkg-descr                |  5 ++
 .../AcmeClient/forms/dialogValidation.xml     | 22 +++++++++
 .../AcmeClient/LeValidation/DnsCpanel.php     | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 10 ++++
 4 files changed, 84 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCpanel.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 65bc3ac43e..fe2966bf29 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.8
+
+Added:
+* add support for cPanel HTTP API
+
 3.7
 
 Fixed:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 3e2efdbd16..fad8386d72 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1399,4 +1399,26 @@
         <label>HTTP Token</label>
         <type>password</type>
     </field>
+     <field>
+        <label>cPanel HTTP API</label>
+        <type>header</type>
+        <style>table_dns table_dns_cpanel</style>
+    </field>
+    <field>
+        <id>validation.dns_cpanel_user</id>
+        <label>cPanel Username</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_cpanel_token</id>
+        <label>cPanel API Token</label>
+        <type>password</type>
+        <help>Ref: https://docs.cpanel.net/cpanel/security/manage-api-tokens-in-cpanel/</help>
+    </field>
+    <field>
+        <id>validation.dns_cpanel_hostname</id>
+        <label>cPanel Hostname</label>
+        <type>text</type>
+        <help>EX: https://hostname:2083</help>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCpanel.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCpanel.php
new file mode 100644
index 0000000000..7425b01d92
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCpanel.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Axelrtgs
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * CF DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsCpanel extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        # https://github.com/acmesh-official/acme.sh/wiki/dnsapi#136-use-cpanel-dns-systems
+        $this->acme_env['cPanel_Username'] = (string)$this->config->dns_cpanel_user;
+        $this->acme_env['cPanel_Apitoken'] = (string)$this->config->dns_cpanel_token;
+        $this->acme_env['cPanel_Hostname'] = (string)$this->config->dns_cpanel_hostname;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index ed0692c23b..ba2f1711a4 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -429,6 +429,7 @@
                         <dns_cf>CloudFlare.com API</dns_cf>
                         <dns_cx>CloudXNS.com API</dns_cx>
                         <dns_cn>Core-Networks API</dns_cn>
+                        <dns_cpanel>cPanel API</dns_cpanel>
                         <dns_cyon>cyon.ch API</dns_cyon>
                         <dns_ddnss>DDNSS API</dns_ddnss>
                         <dns_desec>deSEC.io API</dns_desec>
@@ -1049,6 +1050,15 @@
                 <dns_dynv6_token type="TextField">
                     <Required>N</Required>
                 </dns_dynv6_token>
+                <dns_cpanel_user type="TextField">
+                    <Required>N</Required>
+                </dns_cpanel_user>
+                <dns_cpanel_token type="TextField">
+                    <Required>N</Required>
+                </dns_cpanel_token>
+                <dns_cpanel_hostname type="TextField">
+                    <Required>N</Required>
+                </dns_cpanel_hostname>
             </validation>
         </validations>
         <actions>

From 62a13562c979dad57dc96f3c1a33a89490030ccc Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 2 Jan 2022 16:45:15 +0100
Subject: [PATCH 0885/3088] dns/ddclient - work in progress, replacement for
 dyndns using ddclient package

---
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |  7 +++++
 .../OPNsense/DynDNS/forms/settings.xml        | 13 +++++++++
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 29 +++++++++++++++++--
 .../app/models/OPNsense/DynDNS/Menu/Menu.xml  |  2 +-
 .../mvc/app/views/OPNsense/DynDNS/index.volt  | 16 ++++++++++
 .../templates/OPNsense/ddclient/ddclient.conf | 16 ++++++----
 6 files changed, 74 insertions(+), 9 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 9a946d1406..2ee8e7271e 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -23,6 +23,13 @@
         <type>password</type>
         <help>Password associated with this account</help>
     </field>
+    <field>
+        <id>account.wildcard</id>
+        <label>Wildcard</label>
+        <type>checkbox</type>
+        <style>optional_setting service_dyndns2 service_easydns</style>
+        <help>add a DNS wildcard CNAME record that points to the configured host.</help>
+    </field>
     <field>
         <id>account.hostnames</id>
         <label>Hostname(s)</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
index 38fadde58c..fb0f9a4285 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -5,6 +5,19 @@
         <type>checkbox</type>
         <help>Enable ddclient</help>
     </field>
+    <field>
+        <id>ddclient.general.verbose</id>
+        <label>Verbose</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Enable verbose logging</help>
+    </field>
+    <field>
+        <id>ddclient.general.daemon_delay</id>
+        <label>Interval</label>
+        <type>text</type>
+        <help>Interval in seconds to check for address changes</help>
+    </field>
     <field>
         <id>ddclient.general.checkip</id>
         <label>Check ip method</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index b9896be226..e9bf53869d 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -10,6 +10,16 @@
                 <default>1</default>
                 <Required>Y</Required>
             </enabled>
+            <verbose type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </verbose>
+            <daemon_delay type="IntegerField">
+                <default>300</default>
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>86400</MaximumValue>
+            </daemon_delay>
             <checkip type="OptionField">
                 <Required>Y</Required>
                 <default>web_dyndns</default>
@@ -28,7 +38,7 @@
                     <web_noip_ipv4 value="web_noip-ipv4">noip-ipv4</web_noip_ipv4>
                     <web_noip_ipv6 value="web_noip-ipv6">noip-ipv6</web_noip_ipv6>
                     <web_nsupdate_info_ipv4 value="web_nsupdate.info-ipv4">nsupdate.info-ipv4</web_nsupdate_info_ipv4>
-                    <web_nsupdate_info_ipv6 value="web_nsupdate.info-ipv6">nsupdate.info-ipv4</web_nsupdate_info_ipv6>
+                    <web_nsupdate_info_ipv6 value="web_nsupdate.info-ipv6">nsupdate.info-ipv6</web_nsupdate_info_ipv6>
                     <web_zoneedit>zoneedit</web_zoneedit>
                 </OptionValues>
             </checkip>
@@ -43,9 +53,18 @@
                     <Required>Y</Required>
                     <ValidationMessage>A service type is required.</ValidationMessage>
                     <OptionValues>
+                        <changeip>Changeip</changeip>
+                        <dyndns2>DynDNS.com</dyndns2>
+                        <dnspark>DnsPark</dnspark>
+                        <dslreports1>DslReports</dslreports1>
+                        <duckdns>DuckDNS</duckdns>
+                        <easydns>EasyDNS</easydns>
+                        <googledomains>Google</googledomains>
+                        <namecheap>NameCheap</namecheap>
                         <noip>Noip</noip>
-                        <nsupdatev4>nsupdate (IPv4)</nsupdatev4>
-                        <nsupdatev6>nsupdate (IPv6)</nsupdatev6>
+                        <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
+                        <nsupdatev6>nsupdate.info (IPv6)</nsupdatev6>
+                        <zoneedit1>Zoneedit</zoneedit1>
                     </OptionValues>
                 </service>
                 <username type="TextField">
@@ -63,6 +82,10 @@
                     <AsList>Y</AsList>
                     <FieldSeparator>,</FieldSeparator>
                 </hostnames>
+                <wildcard type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </wildcard>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
index e2ed793074..0834a4ab75 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Menu/Menu.xml
@@ -1,7 +1,7 @@
 <menu>
     <Services>
         <DynamicDNS VisibleName="Dynamic DNS" cssClass="fa fa-tags fa-fw">
-            <settings order="10" url="/ui/dyndns/"/>
+            <Settings order="10" url="/ui/dyndns/"/>
             <log order="100" VisibleName="Log File" url="/ui/diagnostics/log/core/ddclient"/>
         </DynamicDNS>
     </Services>
diff --git a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
index 9a40d6f8ae..4355f4144d 100644
--- a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
+++ b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
@@ -54,6 +54,22 @@ POSSIBILITY OF SUCH DAMAGE.
               return dfObj;
           }
         });
+        $('#DialogAccount').on('shown.bs.modal', function (e) {
+            $("#account\\.service").change(function(){
+                let service = $(this).val();
+                $(".optional_setting").each(function(){
+                    let this_item = $(this);
+                    if (this_item.hasClass("service_"+service)) {
+                        this_item.prop( "disabled", false );
+                        this_item.closest("tr").show();
+                    } else {
+                        this_item.closest("tr").hide();
+                        this_item.prop( "disabled", true );
+                    }
+                });
+            });
+            $("#account\\.service").change();
+        });
     });
 
 </script>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 3e5b2baafa..83ddb549d4 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -1,6 +1,9 @@
-daemon=300                  # check every 300 seconds
+daemon={{OPNsense.DynDNS.general.daemon_delay|default('300')}}
 syslog=yes                  # log update msgs to syslog
 pid=/var/run/ddclient.pid   # record PID in file.
+{% if not helpers.empty('OPNsense.DynDNS.general.verbose') %}
+verbose=yes
+{% endif %}
 
 #
 # setup how we expect to retrieve an IP address
@@ -43,10 +46,7 @@ use=web, web=http://dynamic.zoneedit.com/checkip.html
 {%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
 {%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
 {%        if account.enabled|default('0') == '1' %}
-{%            if account.service == 'noip' %}
-protocol=noip
-ssl=yes
-{%            elif account.service == 'nsupdatev4' %}
+{%            if account.service == 'nsupdatev4' %}
 protocol=dyndns2
 ssl=yes
 server=ipv4.nsupdate.info
@@ -54,7 +54,13 @@ server=ipv4.nsupdate.info
 protocol=dyndns2
 ssl=yes
 server=ipv6.nsupdate.info
+{%            else %}
+protocol={{account.service}}
+ssl=yes
 {%            endif %}
+{%            if account.wildcard|default('0') == '1' %}
+wildcard=yes
+{%            endif}
 login={{account.username}}
 password={{account.password}}
 {{account.hostnames}}

From b3fa1c62f9a6f488171db56e948044fcc6c9d511 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 2 Jan 2022 16:50:56 +0100
Subject: [PATCH 0886/3088] dns/ddclient - replacement for dyndns using
 ddclient package

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 5e3081e0a2..4cdc7bf15b 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1
-PLUGIN_REVISION=	1
+#PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From 434cfdd6862d69f7cffd2a293d875978cc976b3a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 2 Jan 2022 19:52:20 +0100
Subject: [PATCH 0887/3088] dns/ddclient - replacement for dyndns using
 ddclient package

fix typo and username is optional for some services
---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml    | 2 +-
 .../service/templates/OPNsense/ddclient/ddclient.conf         | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index e9bf53869d..c5521211f5 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -68,7 +68,7 @@
                     </OptionValues>
                 </service>
                 <username type="TextField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <mask>/^([a-z0-9\-.@_:+])*$/u</mask>
                     <ValidationMessage>The username contains invalid characters.</ValidationMessage>
                 </username>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 83ddb549d4..a395865830 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -60,8 +60,10 @@ ssl=yes
 {%            endif %}
 {%            if account.wildcard|default('0') == '1' %}
 wildcard=yes
-{%            endif}
+{%            endif %}
+{%            if account.username %}
 login={{account.username}}
+{%            endif %}
 password={{account.password}}
 {{account.hostnames}}
 

From e92d37409b5fc10d640d44fe48cd9fec387b4293 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 3 Jan 2022 07:55:08 +0100
Subject: [PATCH 0888/3088] dns/ddclient: standard plumbing

(happy to see this progress!)
---
 dns/ddclient/Makefile                                       | 4 +++-
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php  | 6 +++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 4cdc7bf15b..7fed78369e 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,8 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1
+PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		0.1
 #PLUGIN_REVISION=	1
+PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
 
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
index 1515e16935..00726445e7 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
@@ -34,6 +34,6 @@
   * Class DynDNS
   * @package OPNsense\DynDNS
   */
- class DynDNS extends BaseModel
- {
- }
+class DynDNS extends BaseModel
+{
+}

From 3ab017bc39b291f4e2fc8f2d58766425b8ae8923 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 3 Jan 2022 07:58:22 +0100
Subject: [PATCH 0889/3088] README: sync

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 2c9a30bb3a..650f72b703 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ devel/debug -- Debugging Tools
 devel/grid_example -- A sample framework application
 devel/helloworld -- A sample framework application
 dns/bind -- BIND domain name service
+dns/ddclient -- Dynamic DNS client (development only)
 dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
 dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support

From a9d590d6c8060e697d9d6cf32fac694bf285056c Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 3 Jan 2022 09:28:20 +0100
Subject: [PATCH 0890/3088] net-mgmt/telegraf: add timeout to unbound input
 (#2726)

---
 net-mgmt/telegraf/Makefile                                    | 2 +-
 net-mgmt/telegraf/pkg-descr                                   | 4 ++++
 .../service/templates/OPNsense/Telegraf/telegraf.conf         | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index a45240ddb8..c99b624efc 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.3
+PLUGIN_VERSION=		1.12.4
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index f43c1a2cbb..b7919dd38a 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.4
+
+* Add 5 second timeout to unbound input
+
 1.12.3
 
 * Add insecure_skip_verify as an option for Influx v2 output
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 6bd064beb6..51050038f9 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -278,6 +278,7 @@
    binary = "/usr/local/sbin/unbound-control"
    config_file = "/var/unbound/unbound.conf"
    thread_as_tag = true
+   timeout = "5s"
 {% endif %}
 
 {% endif %}

From 2791b5941ddc68e3def5909a0f745190e455ae6a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 3 Jan 2022 10:36:26 +0100
Subject: [PATCH 0891/3088] plugins: translation style updates

---
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml  | 2 +-
 .../mvc/app/controllers/OPNsense/Nginx/forms/location.xml | 2 +-
 .../OPNsense/ProxySSO/Api/ServiceController.php           | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 1a52f7e1d1..ff4e24be8a 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2637,7 +2637,7 @@
                 <thread_id type="OptionField">
                     <Required>Y</Required>
                     <OptionValues>
-                        <all>All HAProxy threads </all>
+                        <all>All HAProxy threads</all>
                         <odd>Threads with odd ID</odd>
                         <even>Threads with even ID</even>
                         <x1>Thread 1</x1>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index 97b247d9b7..d76106cd94 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -290,7 +290,7 @@
     <label>Proxy Send Timeout</label>
     <type>text</type>
     <advanced>true</advanced>
-    <help>Enter a custom timout between data it sent to the client after which the connection is closed. </help>
+    <help>Enter a custom timout between data it sent to the client after which the connection is closed.</help>
   </field>
   <field>
     <id>location.proxy_buffering</id>
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/ServiceController.php b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/ServiceController.php
index 9b8d1a102f..3f84db5ac8 100644
--- a/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/ServiceController.php
+++ b/www/web-proxy-sso/src/opnsense/mvc/app/controllers/OPNsense/ProxySSO/Api/ServiceController.php
@@ -189,9 +189,9 @@ public function getCheckListAction()
             $ldap_ip_esc = escapeshellarg($ldap_ip);
             $resolv_reverse = chop(shell_exec("drill -x {$ldap_ip_esc} | grep -A 1 'ANSWER SECTION' | tail -n 1 | awk '{print \$5}'"));
             if (empty($resolv_reverse)) {
-                $dns_ldap_reverse_resolution["message"] = gettext('LDAP server IP reverse lookup error. ');
+                $dns_ldap_reverse_resolution["message"] = gettext('LDAP server IP reverse lookup error.');
             } elseif (!empty($ldap_fqdn) && $resolv_reverse != "{$ldap_fqdn}.") {
-                $dns_ldap_reverse_resolution["message"] = gettext('LDAP server reverse DNS lookup is not equal to LDAP server FQDN. ');
+                $dns_ldap_reverse_resolution["message"] = gettext('LDAP server reverse DNS lookup is not equal to LDAP server FQDN.');
             } else {
                 $dns_ldap_reverse_resolution["status"] = "ok";
                 $ldap_fqdn = substr($resolv_reverse, 0, strlen($resolv_reverse) - 1);
@@ -208,9 +208,9 @@ public function getCheckListAction()
             $ldap_fqdn_esc = escapeshellarg($ldap_fqdn);
             $resolv = chop(shell_exec("drill {$ldap_fqdn_esc} | grep -A 1 'ANSWER SECTION' | tail -n 1 | awk '{print \$5}'"));
             if (empty($resolv)) {
-                $dns_ldap_resolution["message"] = gettext('LDAP server DNS lookup error. ');
+                $dns_ldap_resolution["message"] = gettext('LDAP server DNS lookup error.');
             } elseif (!empty($ldap_ip) && $resolv != $ldap_ip) {
-                $dns_ldap_resolution["message"] = gettext('LDAP server DNS lookup is not equal to LDAP IP. ');
+                $dns_ldap_resolution["message"] = gettext('LDAP server DNS lookup is not equal to LDAP IP.');
             } else {
                 $dns_ldap_resolution["status"] = "ok";
                 if (empty($ldap_ip)) {

From 47988bc563f0afe5c2e2e55debc6bc16f85cdf1d Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 3 Jan 2022 13:37:13 +0100
Subject: [PATCH 0892/3088] security/openconnect: allow username to be 64
 characters long (#2739)

---
 security/openconnect/Makefile                               | 2 +-
 security/openconnect/pkg-descr                              | 4 ++++
 .../mvc/app/models/OPNsense/Openconnect/General.xml         | 6 +++---
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index c8efe45d2b..a7b669daa8 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.4.1
+PLUGIN_VERSION=		1.4.2
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index 43b692d192..b437df097e 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -6,6 +6,10 @@ the Juniper SSL VPN which is now known as Pulse Connect Secure.
 Plugin Changelog
 ================
 
+1.4.2
+
+* Allow usernames up to 64 characters
+
 1.4.1
 
 * Allow selection of different protocols
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index 8c09e9d66c..75b33b5e04 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/openconnect/general</mount>
     <description>Openconnect configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -16,8 +16,8 @@
         <user type="TextField">
             <default>user</default>
             <Required>Y</Required>
-            <mask>/^[a-zA-Z0-9.\@_-]{1,32}$/</mask>
-            <ValidationMessage>Please provide a valid username. Allowed characters are a-zA-Z0-9._-@ and it has to be 1-32 characters long.</ValidationMessage>
+            <mask>/^[a-zA-Z0-9.\@_-]{1,64}$/</mask>
+            <ValidationMessage>Please provide a valid username. Allowed characters are a-zA-Z0-9._-@ and it has to be 1-64 characters long.</ValidationMessage>
         </user>
         <password type="TextField">
             <default>password</default>

From 5fbb28375b34bcc5fd60bbb2e0ba577954f018b5 Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Mon, 3 Jan 2022 14:13:06 +0100
Subject: [PATCH 0893/3088] www/nginx: Load logs for single server on demand
 (#2711)

Loading of the logging page takes very look if many servers are configured.
With this change the single log files for a server are loaded only after
clicking the down error for the server entry in the log view.
---
 .../src/opnsense/www/js/nginx/dist/logviewer.min.js      | 2 +-
 .../www/js/nginx/src/controller/LogCategoryList.js       | 1 -
 .../opnsense/www/js/nginx/src/controller/TabLogList.js   | 9 +++++++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
index a52439ce83..1b334119eb 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
@@ -1 +1 @@
-!function(e){var t={};function n(i){if(t[i])return t[i].exports;var l=t[i]={i:i,l:!1,exports:{}};return e[i].call(l.exports,l,l.exports,n),l.l=!0,l.exports}n.m=e,n.c=t,n.d=function(e,t,i){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:i})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var l in e)n.d(i,l,function(t){return e[t]}.bind(null,l));return i},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=26)}([function(e,t,n){var i=n(2),l=n(4),r=/[&<>"']/g,o=RegExp(r.source);e.exports=function(e){return(e=l(e))&&o.test(e)?e.replace(r,i):e}},function(e,t,n){var i=n(6).Symbol;e.exports=i},function(e,t,n){var i=n(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});e.exports=i},function(e,t){e.exports=function(e){return function(t){return null==e?void 0:e[t]}}},function(e,t,n){var i=n(5);e.exports=function(e){return null==e?"":i(e)}},function(e,t,n){var i=n(1),l=n(9),r=n(10),o=n(11),a=1/0,s=i?i.prototype:void 0,_=s?s.toString:void 0;e.exports=function e(t){if("string"==typeof t)return t;if(r(t))return l(t,e)+"";if(o(t))return _?_.call(t):"";var n=t+"";return"0"==n&&1/t==-a?"-0":n}},function(e,t,n){var i=n(7),l="object"==typeof self&&self&&self.Object===Object&&self,r=i||l||Function("return this")();e.exports=r},function(e,t,n){(function(t){var n="object"==typeof t&&t&&t.Object===Object&&t;e.exports=n}).call(this,n(8))},function(e,t){var n;n=function(){return this}();try{n=n||new Function("return this")()}catch(e){"object"==typeof window&&(n=window)}e.exports=n},function(e,t){e.exports=function(e,t){for(var n=-1,i=null==e?0:e.length,l=Array(i);++n<i;)l[n]=t(e[n],n,e);return l}},function(e,t){var n=Array.isArray;e.exports=n},function(e,t,n){var i=n(12),l=n(15),r="[object Symbol]";e.exports=function(e){return"symbol"==typeof e||l(e)&&i(e)==r}},function(e,t,n){var i=n(1),l=n(13),r=n(14),o="[object Null]",a="[object Undefined]",s=i?i.toStringTag:void 0;e.exports=function(e){return null==e?void 0===e?a:o:s&&s in Object(e)?l(e):r(e)}},function(e,t,n){var i=n(1),l=Object.prototype,r=l.hasOwnProperty,o=l.toString,a=i?i.toStringTag:void 0;e.exports=function(e){var t=r.call(e,a),n=e[a];try{e[a]=void 0;var i=!0}catch(e){}var l=o.call(e);return i&&(t?e[a]=n:delete e[a]),l}},function(e,t){var n=Object.prototype.toString;e.exports=function(e){return n.call(e)}},function(e,t){e.exports=function(e){return null!=e&&"object"==typeof e}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\r\n<a data-toggle="dropdown"\r\n   href="#"\r\n   class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block"\r\n   role="button">\r\n    <b><span class="caret"></span></b>\r\n</a>\r\n<a data-toggle="tab"\r\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\r\n   style="border-right: 0px;"><b>'+(null==(__t=_.escape(name))?"":__t)+'</b></a>\r\n<ul class="dropdown-menu" role="menu" id="tab_'+(null==(__t=_.escape(id))?"":__t)+'">\r\n    ',model.forEach(function(e){__p+='\r\n    <li>\r\n        <a data-toggle="tab"\r\n           class="menuEntry"\r\n           data-model-cid="'+(null==(__t=e.cid)?"":__t)+'"\r\n           data-model-uuid="'+(null==(__t=_.escape(id))?"":__t)+'"\r\n           data-model-fileno="'+(null==(__t=e.escape("number"))?"":__t)+'"\r\n           id="subtab_item_'+(null==(__t=_.escape(id))?"":__t)+"_"+(null==(__t=e.escape("number"))?"":__t)+'"\r\n           href="#subtab_'+(null==(__t=_.escape(id))?"":__t)+'">'+(null==(__t=e.escape("date"))?"":__t)+"</a>\r\n    </li>\r\n    "}),__p+="\r\n</ul>\r\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-top-right-radius: 10px !important; padding-right: 10px !important;">\n    <b>'+(null==(__t=_.escape(name))?"":__t)+"</b>\n</a>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="username">'+(null==(__t=model.escape("username"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="size">'+(null==(__t=model.escape("size"))?"":__t)+'</td>\n<td class="referer">'+(null==(__t=model.escape("http_referer"))?"":__t)+'</td>\n<td class="user_agent">'+(null==(__t=model.escape("user_agent"))?"":__t)+'</td>\n<td class="forwarded_for">'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'</td>\n<td class="request_line">'+(null==(__t=model.escape("request_line"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="bytes_sent">'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'</td>\n<td class="bytes_received">'+(null==(__t=model.escape("bytes_received"))?"":__t)+'</td>\n<td class="session_time">'+(null==(__t=model.escape("session_time"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="date">'+(null==(__t=model.escape("date"))?"":__t)+'</td>\n<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="severity">'+(null==(__t=model.escape("severity"))?"":__t)+'</td>\n<td class="number">'+(null==(__t=model.escape("number"))?"":__t)+'</td>\n<td class="message">'+(null==(__t=model.escape("message"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj){let count=0;__p+='<table class="table table-striped">\r\n    <thead class="sticky-top">\r\n        <tr>\r\n            ',"errors"===log_type||"stream_errors"===log_type?(count=5,__p+="\r\n            <th>Date</th>\r\n            <th>Time</th>\r\n            <th>Severity</th>\r\n            <th>Number</th>\r\n            <th>Message</th>\r\n            "):"accesses"===log_type?(count=9,__p+="\r\n            <th>Time</th>\r\n            <th>Remote IP</th>\r\n            <th>Username</th>\r\n            <th>Status</th>\r\n            <th>Size</th>\r\n            <th>Referer</th>\r\n            <th>User Agent</th>\r\n            <th>Forwarded For</th>\r\n            <th>Request Line</th>\r\n            "):(count=6,__p+="\r\n            <th>Time</th>\r\n            <th>Remote IP</th>\r\n            <th>Status</th>\r\n            <th>Bytes Sent</th>\r\n            <th>Bytes Received</th>\r\n            <th>Session Time</th>\r\n            "),__p+='\r\n        </tr>\r\n        <tr class="filter">\r\n            ',"errors"===log_type||"stream_errors"===log_type?__p+='\r\n            <th><input type="text" value="'+(null==(__t=model.escape("date"))?"":__t)+'" name="date" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("severity"))?"":__t)+'" name="severity" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("number"))?"":__t)+'" name="number" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("message"))?"":__t)+'" name="message" /></th>\r\n            ':"accesses"===log_type?__p+='\r\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("username"))?"":__t)+'" name="username" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("size"))?"":__t)+'" name="size" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("http_referer"))?"":__t)+'" name="http_referer" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("user_agent"))?"":__t)+'" name="user_agent" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'" name="forwarded_for" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("request_line"))?"":__t)+'" name="request_line" /></th>\r\n            ':__p+='\r\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'" name="bytes_sent" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("bytes_received"))?"":__t)+'" name="bytes_received" /></th>\r\n            <th><input type="text" value="'+(null==(__t=model.escape("session_time"))?"":__t)+'" name="session_time" /></th>\r\n            ',__p+='\r\n        </tr>\r\n    </thead>\r\n    <tbody>\r\n    </tbody>\r\n    <tfoot class="sticky-bottom">\r\n        <tr>\r\n            <th class="text-nowrap">\r\n                <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>\r\n                <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>\r\n                <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>\r\n                <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>\r\n                <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>\r\n            </th>\r\n            <th>\r\n                Page <span id="currentpage">1</span>/<span id="pagecount">0</span>\r\n            </th>\r\n            <th colspan="2">\r\n                <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>\r\n                <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />\r\n                <datalist id="tickmarks">\r\n                    <option value="5" label="5">\r\n                    <option value="100" label="100">\r\n                    <option value="200" label="200">\r\n                    <option value="300">\r\n                    <option value="400">\r\n                    <option value="500" label="500">\r\n                    <option value="600">\r\n                    <option value="700">\r\n                    <option value="800">\r\n                    <option value="900">\r\n                    <option value="1000" label="1000">\r\n                </datalist>\r\n            </th>\r\n            <th colspan="'+(null==(__t=count-4)?"":__t)+'">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>\r\n        </tr>\r\n    </tfoot>\r\n</table>\r\n'}return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div style="text-align: center;">\n    No data available...\n</div>\n';return __p}},,,,function(e,t,n){"use strict";n.r(t);var i=Backbone.Model.extend({});var l=Backbone.Collection.extend({model:i,url:function(){return`/api/nginx/logs/${this.logType}`},initialize:function(e){this.logType=e.logType}}),r=Backbone.Model.extend({});var o=Backbone.Collection.extend({model:r,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}`},initialize:function(e){this.logType=e.logType,this.uuid=e.uuid}}),a=n(16),s=n.n(a);var _=Backbone.View.extend({tagName:"li",events:{"click .mainentry":"mainMenuClick","click .menuEntry":"menuEntryClick"},initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logType=e.logType,this.logview=e.logview},render:function(){this.$el.html(""),this.renderCollection()},renderCollection:function(){this.$el.addClass("dropdown"),"global"==this.model.get("id")&&(this.$el.addClass("active"),this.logview.get_log("errors","global",0)),this.$el.html(""),this.$el.append(s()({model:this.collection,id:this.model.get("id"),name:this.model.has("server_name")?this.model.get("server_name"):"Port "+this.model.get("port")}))},mainMenuClick:function(){this.collection.models[0]&&(this.handleElementClick(this.model.get("id"),this.collection.models[0].get("number")),$(`#tab_${this.model.get("id")} li`).removeClass("active"),$(`#subtab_item_${this.model.get("id")}_${this.collection.models[0].get("number")}`).parent().addClass("active"))},menuEntryClick:function(e){this.handleElementClick(e.target.dataset.modelUuid,e.target.dataset.modelFileno)},handleElementClick:function(e,t){this.logview.get_log(this.logType,e,t)}}),c=n(17),u=n.n(c);Backbone.View.extend({tagName:"li",initialize:function(e){this.logview=e.logview,this.log_name=e.log_name,this.visible_name=e.visible_name,this.log_type=e.log_type},events:{"click .mainentry":"handleElementClick"},log_name:null,log_type:null,visible_name:null,render:function(){this.$el.html(u()({name:this.visible_name}))},handleElementClick:function(){this.logview.get_log(this.log_type,this.log_name)}});var p=Backbone.View.extend({tagName:"ul",className:"nav nav-tabs",initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logview=e.logview,this.logType=e.logType},render:function(){this.$el.attr("role","tablist"),this.$el.html(""),"global"==this.logType?this.render_global_error_tab():this.collection.forEach(e=>this.render_one_server(e))},render_one_server:function(e){const t=new o({uuid:e.get("id"),logType:this.logType}),n=new _({collection:t,model:e,logType:this.logType,logview:this.logview});this.$el.append(n.$el),t.fetch()},render_global_error_tab:function(){const e=new o({uuid:"global",logType:"errors"}),t=new _({collection:e,model:new Backbone.Model({server_name:"Global Error Log",id:"global"}),logType:"errors",logview:this.logview});this.$el.append(t.$el),e.fetch()}}),d=n(18),h=n.n(d),m=n(19),g=n.n(m),b=n(20),f=n.n(b),y=n(21),v=n.n(y);var x=Backbone.Model.extend({});var w=Backbone.Collection.extend({model:x,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}/${this.fileNo}/${this.page}/${this.pageSize}/${this.create_filter()}`},initialize:function(){this.logType="none",this.uuid="none",this.fileNo=-1,this.page=0,this.pageSize=0,this.filter_model=new Backbone.Model},parse:function(e){return"error"in e?[]:(this.page_count=e.pages,this.total_entries=e.total,this.displayed_entries=e.found,e.lines)},create_filter:function(){return encodeURIComponent(JSON.stringify(this.filter_model))}}),k=n(22),j=n.n(k);const T=Backbone.View.extend({tagName:"tr",initialize:function(e){this.type=e.type},render:function(){this.$el.html(this.get_template()({model:this.model}))},get_template:function(){return"accesses"===this.type?h.a:"stream_accesses"===this.type?g.a:f.a}});const C=new(Backbone.View.extend({tagName:"div",className:"content-box tab-content",events:{"keyup .filter input":"update_filter","click #paging_first":"page_first","click #paging_back":"page_back","click #refresh":"update","click #paging_forward":"page_forward","click #paging_last":"page_last","change #entrycount":"change_entry_count"},page_entry_count:100,filter_delay:-1,initialize:function(){this.collection=new w,this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.listenTo(this.collection.filter_model,"change",this.render),this.type=""},render:function(){let e=this.$("tbody");e.length<1?0!==this.collection.length?(this.$el.html(v()({log_type:this.type,model:this.collection.filter_model})),e=this.$("tbody")):this.$el.html(j.a):e.html(""),0!==this.collection.length&&null==this.current_filtered_collection&&this.collection.forEach(t=>this.render_one(e,t)),this.$("#entrycountdisplay").html(this.page_entry_count),this.$("#currentpage").html(this.current_page+1),this.$("#pagecount").html(this.collection.page_count),this.$("#totalcount").html(this.collection.total_entries),this.$("#resultcount").html(this.collection.displayed_entries),this.current_page>=this.collection.page_count-1?(this.$("#paging_last").addClass("disabled"),this.$("#paging_forward").addClass("disabled")):(this.$("#paging_last").removeClass("disabled"),this.$("#paging_forward").removeClass("disabled")),this.current_page<=0?(this.$("#paging_back").addClass("disabled"),this.$("#paging_first").addClass("disabled")):(this.$("#paging_back").removeClass("disabled"),this.$("#paging_first").removeClass("disabled"))},render_one:function(e,t){const n=new T({type:this.type,model:t});n.render(),e.append(n.$el)},get_log:function(e,t,n){this.collection.uuid=t,this.collection.logType=e,this.collection.fileNo=n,this.type=e,this.current_page=0,this.$el.html(""),this.collection.filter_model.clear(),this.update()},update:function(){this.collection.page=this.current_page,this.collection.pageSize=this.page_entry_count,this.collection.fetch()},update_filter:function(e){clearTimeout(this.filter_delay);const t=e.target;this.collection.filter_model.set(t.name,$(t).val()),this.current_page=0,this.filter_delay=setTimeout(function(e){e.update()},500,this)},page_first:function(){this.current_page=0,this.update()},page_back:function(){this.current_page>0&&(this.current_page--,this.update())},page_forward:function(){this.current_page<this.collection.page_count&&(this.current_page++,this.update())},page_last:function(){this.current_page=this.collection.page_count-1,this.update()},change_entry_count:function(e){this.page_entry_count=e.target.value,this.current_page=0,this.update()}})),S=$("#logapplication").data("log"),q=new l({logType:S}),z=new p({collection:q,logview:C,logType:S});$("#logapplication").append(z.$el).append(C.$el),"global"!=S?q.fetch():z.render()}]);
\ No newline at end of file
+!function(e){var t={};function n(i){if(t[i])return t[i].exports;var l=t[i]={i:i,l:!1,exports:{}};return e[i].call(l.exports,l,l.exports,n),l.l=!0,l.exports}n.m=e,n.c=t,n.d=function(e,t,i){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:i})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var l in e)n.d(i,l,function(t){return e[t]}.bind(null,l));return i},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=26)}([function(e,t,n){var i=n(2),l=n(4),o=/[&<>"']/g,a=RegExp(o.source);e.exports=function(e){return(e=l(e))&&a.test(e)?e.replace(o,i):e}},function(e,t,n){var i=n(6).Symbol;e.exports=i},function(e,t,n){var i=n(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});e.exports=i},function(e,t){e.exports=function(e){return function(t){return null==e?void 0:e[t]}}},function(e,t,n){var i=n(5);e.exports=function(e){return null==e?"":i(e)}},function(e,t,n){var i=n(1),l=n(9),o=n(10),a=n(11),s=1/0,r=i?i.prototype:void 0,_=r?r.toString:void 0;e.exports=function e(t){if("string"==typeof t)return t;if(o(t))return l(t,e)+"";if(a(t))return _?_.call(t):"";var n=t+"";return"0"==n&&1/t==-s?"-0":n}},function(e,t,n){var i=n(7),l="object"==typeof self&&self&&self.Object===Object&&self,o=i||l||Function("return this")();e.exports=o},function(e,t,n){(function(t){var n="object"==typeof t&&t&&t.Object===Object&&t;e.exports=n}).call(this,n(8))},function(e,t){var n;n=function(){return this}();try{n=n||new Function("return this")()}catch(e){"object"==typeof window&&(n=window)}e.exports=n},function(e,t){e.exports=function(e,t){for(var n=-1,i=null==e?0:e.length,l=Array(i);++n<i;)l[n]=t(e[n],n,e);return l}},function(e,t){var n=Array.isArray;e.exports=n},function(e,t,n){var i=n(12),l=n(15),o="[object Symbol]";e.exports=function(e){return"symbol"==typeof e||l(e)&&i(e)==o}},function(e,t,n){var i=n(1),l=n(13),o=n(14),a="[object Null]",s="[object Undefined]",r=i?i.toStringTag:void 0;e.exports=function(e){return null==e?void 0===e?s:a:r&&r in Object(e)?l(e):o(e)}},function(e,t,n){var i=n(1),l=Object.prototype,o=l.hasOwnProperty,a=l.toString,s=i?i.toStringTag:void 0;e.exports=function(e){var t=o.call(e,s),n=e[s];try{e[s]=void 0;var i=!0}catch(e){}var l=a.call(e);return i&&(t?e[s]=n:delete e[s]),l}},function(e,t){var n=Object.prototype.toString;e.exports=function(e){return n.call(e)}},function(e,t){e.exports=function(e){return null!=e&&"object"==typeof e}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="dropdown"\n   href="#"\n   class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block"\n   role="button">\n    <b><span class="caret"></span></b>\n</a>\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-right: 0px;"><b>'+(null==(__t=_.escape(name))?"":__t)+'</b></a>\n<ul class="dropdown-menu" role="menu" id="tab_'+(null==(__t=_.escape(id))?"":__t)+'">\n    ',model.forEach(function(e){__p+='\n    <li>\n        <a data-toggle="tab"\n           class="menuEntry"\n           data-model-cid="'+(null==(__t=e.cid)?"":__t)+'"\n           data-model-uuid="'+(null==(__t=_.escape(id))?"":__t)+'"\n           data-model-fileno="'+(null==(__t=e.escape("number"))?"":__t)+'"\n           id="subtab_item_'+(null==(__t=_.escape(id))?"":__t)+"_"+(null==(__t=e.escape("number"))?"":__t)+'"\n           href="#subtab_'+(null==(__t=_.escape(id))?"":__t)+'">'+(null==(__t=e.escape("date"))?"":__t)+"</a>\n    </li>\n    "}),__p+="\n</ul>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-top-right-radius: 10px !important; padding-right: 10px !important;">\n    <b>'+(null==(__t=_.escape(name))?"":__t)+"</b>\n</a>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="username">'+(null==(__t=model.escape("username"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="size">'+(null==(__t=model.escape("size"))?"":__t)+'</td>\n<td class="referer">'+(null==(__t=model.escape("http_referer"))?"":__t)+'</td>\n<td class="user_agent">'+(null==(__t=model.escape("user_agent"))?"":__t)+'</td>\n<td class="forwarded_for">'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'</td>\n<td class="request_line">'+(null==(__t=model.escape("request_line"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="bytes_sent">'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'</td>\n<td class="bytes_received">'+(null==(__t=model.escape("bytes_received"))?"":__t)+'</td>\n<td class="session_time">'+(null==(__t=model.escape("session_time"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="date">'+(null==(__t=model.escape("date"))?"":__t)+'</td>\n<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="severity">'+(null==(__t=model.escape("severity"))?"":__t)+'</td>\n<td class="number">'+(null==(__t=model.escape("number"))?"":__t)+'</td>\n<td class="message">'+(null==(__t=model.escape("message"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj){let count=0;__p+='<table class="table table-striped">\n    <thead class="sticky-top">\n        <tr>\n            ',"errors"===log_type||"stream_errors"===log_type?(count=5,__p+="\n            <th>Date</th>\n            <th>Time</th>\n            <th>Severity</th>\n            <th>Number</th>\n            <th>Message</th>\n            "):"accesses"===log_type?(count=9,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Username</th>\n            <th>Status</th>\n            <th>Size</th>\n            <th>Referer</th>\n            <th>User Agent</th>\n            <th>Forwarded For</th>\n            <th>Request Line</th>\n            "):(count=6,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Status</th>\n            <th>Bytes Sent</th>\n            <th>Bytes Received</th>\n            <th>Session Time</th>\n            "),__p+='\n        </tr>\n        <tr class="filter">\n            ',"errors"===log_type||"stream_errors"===log_type?__p+='\n            <th><input type="text" value="'+(null==(__t=model.escape("date"))?"":__t)+'" name="date" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("severity"))?"":__t)+'" name="severity" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("number"))?"":__t)+'" name="number" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("message"))?"":__t)+'" name="message" /></th>\n            ':"accesses"===log_type?__p+='\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("username"))?"":__t)+'" name="username" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("size"))?"":__t)+'" name="size" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("http_referer"))?"":__t)+'" name="http_referer" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("user_agent"))?"":__t)+'" name="user_agent" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'" name="forwarded_for" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("request_line"))?"":__t)+'" name="request_line" /></th>\n            ':__p+='\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'" name="bytes_sent" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("bytes_received"))?"":__t)+'" name="bytes_received" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("session_time"))?"":__t)+'" name="session_time" /></th>\n            ',__p+='\n        </tr>\n    </thead>\n    <tbody>\n    </tbody>\n    <tfoot class="sticky-bottom">\n        <tr>\n            <th class="text-nowrap">\n                <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>\n            </th>\n            <th>\n                Page <span id="currentpage">1</span>/<span id="pagecount">0</span>\n            </th>\n            <th colspan="2">\n                <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>\n                <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />\n                <datalist id="tickmarks">\n                    <option value="5" label="5">\n                    <option value="100" label="100">\n                    <option value="200" label="200">\n                    <option value="300">\n                    <option value="400">\n                    <option value="500" label="500">\n                    <option value="600">\n                    <option value="700">\n                    <option value="800">\n                    <option value="900">\n                    <option value="1000" label="1000">\n                </datalist>\n            </th>\n            <th colspan="'+(null==(__t=count-4)?"":__t)+'">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>\n        </tr>\n    </tfoot>\n</table>\n'}return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div style="text-align: center;">\n    No data available...\n</div>\n';return __p}},,,,function(e,t,n){"use strict";n.r(t);var i=Backbone.Model.extend({});var l=Backbone.Collection.extend({model:i,url:function(){return`/api/nginx/logs/${this.logType}`},initialize:function(e){this.logType=e.logType}}),o=Backbone.Model.extend({});var a=Backbone.Collection.extend({model:o,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}`},initialize:function(e){this.logType=e.logType,this.uuid=e.uuid}}),s=n(16),r=n.n(s);var _=Backbone.View.extend({tagName:"li",events:{"click .mainentry":"mainMenuClick","click .menuEntry":"menuEntryClick","click .dropdown-toggle":"menuDropdownClick"},initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logType=e.logType,this.logview=e.logview,this.render()},render:function(){this.$el.html(""),this.renderCollection()},renderCollection:function(){this.$el.addClass("dropdown"),"global"==this.model.get("id")&&(this.$el.addClass("active"),this.logview.get_log("errors","global",-1)),this.$el.html(""),this.$el.append(r()({model:this.collection,id:this.model.get("id"),name:this.model.has("server_name")?this.model.get("server_name"):"Port "+this.model.get("port")}))},mainMenuClick:function(){this.collection.models[0]&&(this.handleElementClick(this.model.get("id"),-1),$(`#tab_${this.model.get("id")} li`).removeClass("active"),$(`#subtab_item_${this.model.get("id")}_${this.collection.models[0].get("number")}`).parent().addClass("active"))},menuDropdownClick:function(e){this.collection.fetch()},menuEntryClick:function(e){this.handleElementClick(e.target.dataset.modelUuid,e.target.dataset.modelFileno)},handleElementClick:function(e,t){this.logview.get_log(this.logType,e,t)}}),c=n(17),u=n.n(c);Backbone.View.extend({tagName:"li",initialize:function(e){this.logview=e.logview,this.log_name=e.log_name,this.visible_name=e.visible_name,this.log_type=e.log_type},events:{"click .mainentry":"handleElementClick"},log_name:null,log_type:null,visible_name:null,render:function(){this.$el.html(u()({name:this.visible_name}))},handleElementClick:function(){this.logview.get_log(this.log_type,this.log_name)}});var p=Backbone.View.extend({tagName:"ul",className:"nav nav-tabs",initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logview=e.logview,this.logType=e.logType},render:function(){this.$el.attr("role","tablist"),this.$el.html(""),"global"==this.logType?this.render_global_error_tab():this.collection.forEach(e=>this.render_one_server(e))},render_one_server:function(e){const t=new a({uuid:e.get("id"),logType:this.logType}),n=new _({collection:t,model:e,logType:this.logType,logview:this.logview});this.$el.append(n.$el)},render_global_error_tab:function(){const e=new a({uuid:"global",logType:"errors"}),t=new _({collection:e,model:new Backbone.Model({server_name:"Global Error Log",id:"global"}),logType:"errors",logview:this.logview});this.$el.append(t.$el),e.fetch()}}),d=n(18),h=n.n(d),m=n(19),g=n.n(m),b=n(20),f=n.n(b),y=n(21),v=n.n(y);var w=Backbone.Model.extend({});var x=Backbone.Collection.extend({model:w,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}/${this.fileNo}/${this.page}/${this.pageSize}/${this.create_filter()}`},initialize:function(){this.logType="none",this.uuid="none",this.fileNo=-1,this.page=0,this.pageSize=0,this.filter_model=new Backbone.Model},parse:function(e){return"error"in e?[]:(this.page_count=e.pages,this.total_entries=e.total,this.displayed_entries=e.found,e.lines)},create_filter:function(){return encodeURIComponent(JSON.stringify(this.filter_model))}}),k=n(22),j=n.n(k);const T=Backbone.View.extend({tagName:"tr",initialize:function(e){this.type=e.type},render:function(){this.$el.html(this.get_template()({model:this.model}))},get_template:function(){return"accesses"===this.type?h.a:"stream_accesses"===this.type?g.a:f.a}});const C=new(Backbone.View.extend({tagName:"div",className:"content-box tab-content",events:{"keyup .filter input":"update_filter","click #paging_first":"page_first","click #paging_back":"page_back","click #refresh":"update","click #paging_forward":"page_forward","click #paging_last":"page_last","change #entrycount":"change_entry_count"},page_entry_count:100,filter_delay:-1,initialize:function(){this.collection=new x,this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.listenTo(this.collection.filter_model,"change",this.render),this.type=""},render:function(){let e=this.$("tbody");e.length<1?0!==this.collection.length?(this.$el.html(v()({log_type:this.type,model:this.collection.filter_model})),e=this.$("tbody")):this.$el.html(j.a):e.html(""),0!==this.collection.length&&null==this.current_filtered_collection&&this.collection.forEach(t=>this.render_one(e,t)),this.$("#entrycountdisplay").html(this.page_entry_count),this.$("#currentpage").html(this.current_page+1),this.$("#pagecount").html(this.collection.page_count),this.$("#totalcount").html(this.collection.total_entries),this.$("#resultcount").html(this.collection.displayed_entries),this.current_page>=this.collection.page_count-1?(this.$("#paging_last").addClass("disabled"),this.$("#paging_forward").addClass("disabled")):(this.$("#paging_last").removeClass("disabled"),this.$("#paging_forward").removeClass("disabled")),this.current_page<=0?(this.$("#paging_back").addClass("disabled"),this.$("#paging_first").addClass("disabled")):(this.$("#paging_back").removeClass("disabled"),this.$("#paging_first").removeClass("disabled"))},render_one:function(e,t){const n=new T({type:this.type,model:t});n.render(),e.append(n.$el)},get_log:function(e,t,n){this.collection.uuid=t,this.collection.logType=e,this.collection.fileNo=n,this.type=e,this.current_page=0,this.$el.html(""),this.collection.filter_model.clear(),this.update()},update:function(){this.collection.page=this.current_page,this.collection.pageSize=this.page_entry_count,this.collection.fetch()},update_filter:function(e){clearTimeout(this.filter_delay);const t=e.target;this.collection.filter_model.set(t.name,$(t).val()),this.current_page=0,this.filter_delay=setTimeout(function(e){e.update()},500,this)},page_first:function(){this.current_page=0,this.update()},page_back:function(){this.current_page>0&&(this.current_page--,this.update())},page_forward:function(){this.current_page<this.collection.page_count&&(this.current_page++,this.update())},page_last:function(){this.current_page=this.collection.page_count-1,this.update()},change_entry_count:function(e){this.page_entry_count=e.target.value,this.current_page=0,this.update()}})),S=$("#logapplication").data("log"),q=new l({logType:S}),z=new p({collection:q,logview:C,logType:S});$("#logapplication").append(z.$el).append(C.$el),"global"!=S?q.fetch():z.render()}]);
\ No newline at end of file
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogCategoryList.js b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogCategoryList.js
index 7a8d7a8a8f..e6305fbf1b 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogCategoryList.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogCategoryList.js
@@ -38,7 +38,6 @@ let LogCategoryList = Backbone.View.extend({
             logview: this.logview
         });
         this.$el.append(logList.$el);
-        files.fetch();
     },
 
     render_global_error_tab: function () {
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/controller/TabLogList.js b/www/nginx/src/opnsense/www/js/nginx/src/controller/TabLogList.js
index 3533df6398..5e6777317f 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/controller/TabLogList.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/controller/TabLogList.js
@@ -5,13 +5,15 @@ let TabLogList = Backbone.View.extend({
     tagName: 'li',
     events: {
         "click .mainentry": "mainMenuClick",
-        "click .menuEntry": "menuEntryClick"
+        "click .menuEntry": "menuEntryClick",
+        "click .dropdown-toggle": "menuDropdownClick"
     },
 
     initialize: function(data) {
         this.listenTo(this.collection, "update", this.render);
         this.logType = data.logType;
         this.logview = data.logview;
+        this.render();
     },
 
     render: function() {
@@ -36,11 +38,14 @@ let TabLogList = Backbone.View.extend({
     },
     mainMenuClick: function () {
         if (this.collection.models[0]) {
-            this.handleElementClick(this.model.get('id'), this.collection.models[0].get('number'));
+            this.handleElementClick(this.model.get('id'), -1);
             $(`#tab_${this.model.get('id')} li`).removeClass('active');
             $(`#subtab_item_${this.model.get('id')}_${this.collection.models[0].get('number')}`).parent().addClass('active');
         }
     },
+    menuDropdownClick: function (event) {
+        this.collection.fetch();
+    },
     menuEntryClick: function (event) {
         this.handleElementClick(event.target.dataset['modelUuid'], event.target.dataset['modelFileno']);
     },

From e67328a951a08b3344c68ffb8d407d1a91d603ea Mon Sep 17 00:00:00 2001
From: Marc Leuser <github@mleuser.de>
Date: Mon, 3 Jan 2022 14:25:34 +0100
Subject: [PATCH 0894/3088] net/frr: replace U+00A0 with an actual space didn't
 seem to cause any trouble, but my editor noticed it

---
 net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 0544b9ab57..74e2e7cb2d 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -206,7 +206,7 @@ message:FRR diagnostics "show ip ospf database"
 command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospf-database
 parameters:
 type:script_output
-message:FRR diagnostics "show ip ospf database json"
+message:FRR diagnostics "show ip ospf database json"
 
 [diagnostics.ospf_interface]
 command:/usr/local/bin/vtysh -c "show ip ospf interface"

From 54115c43045ad72d517add5f7ad593904d0a61ec Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 3 Jan 2022 15:24:01 +0100
Subject: [PATCH 0895/3088] net/frr: add "all" parameter to BGP neighbor
 (#2704)

---
 net/frr/Makefile                                            | 2 +-
 net/frr/pkg-descr                                           | 4 ++++
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml         | 6 ++++++
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml | 6 +++++-
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 3 ++-
 5 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 74ddf6e952..1ccdf2d16b 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.24
+PLUGIN_VERSION=		1.25
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index dbaaf95e19..f2a1fa87ea 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.25
+
+* Add "All" option to next-hop-self command (#2673)
+
 1.24
 
 * Add AS-Override (#2517)
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 089c15faf4..d9f7f012d5 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -40,6 +40,12 @@
     <label>Next-Hop-Self</label>
     <type>checkbox</type>
   </field>
+  <field>
+    <id>neighbor.nexthopselfall</id>
+    <label>Next-Hop-Self All</label>
+    <type>checkbox</type>
+    <help>Add the parameter "all" after next-hop-self command.</help>
+  </field>
   <field>
     <id>neighbor.multihop</id>
     <label>Multi-Hop</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 76dbc3ec9b..3a052bd4eb 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bgp</mount>
     <description>BGP Routing configuration</description>
-    <version>1.0.5</version>
+    <version>1.0.6</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -79,6 +79,10 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </nexthopself>
+                        <nexthopselfall type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </nexthopselfall>
                         <multihop type="BooleanField">
                                 <default>0</default>
                                 <Required>N</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index a9c4b993ee..3f43144fd2 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -91,7 +91,8 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%   for neighbor in neighbors[addressFamily] %}
   neighbor {{ neighbor.address }} activate
 {%     if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}
-  neighbor {{ neighbor.address }} next-hop-self
+  neighbor {{ neighbor.address }} next-hop-self {% if 'nexthopselfall' in neighbor and neighbor.nexthopselfall == '1' %}all{%  endif %}
+
 {%     endif %}
 {%     if 'rrclient' in neighbor and neighbor.rrclient == '1' %}
   neighbor {{ neighbor.address }} route-reflector-client

From be8192b82eeed8bd5cc9ddfc111c3ee04a5d58ae Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Mon, 3 Jan 2022 18:13:08 +0100
Subject: [PATCH 0896/3088] [www/nginx] Fixed vts style to allow theming
 (#2682)

Removed hard-coded colors from vts.css and added classes to allow
theming (default OPNsense theme and contributed themes).
---
 .../mvc/app/views/OPNsense/Nginx/vts.volt     | 34 +++++++------
 www/nginx/src/opnsense/www/css/nginx/logs.css |  2 -
 www/nginx/src/opnsense/www/css/nginx/vts.css  | 14 ++----
 .../www/js/nginx/dist/logviewer.min.js        |  2 +-
 .../www/js/nginx/src/templates/logviewer.html | 48 +++++++++----------
 5 files changed, 44 insertions(+), 56 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt
index e76b581cc8..ba65faa935 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/vts.volt
@@ -108,6 +108,10 @@
             filter:"filterZones",
             upstream:"upstreamZones",
             cache:"cacheZones"
+        },
+        classes: {
+            table: "table table-condensed table-hover table-striped",
+            div: "panel"
         }
     };
 
@@ -274,23 +278,21 @@
             aHe('strong', it.sharedZones.name), byteFormat(it.sharedZones.maxSize), byteFormat(it.sharedZones.usedSize),
             it.sharedZones.usedNode]);
         body = aHe('tbody', aHe('tr', bodys[0]));
-        o = aHe('h2', vtsStatusVars.titles.main) + aHe('table', `${head}${body}`);
-        o = aHe(`div id="${vtsStatusVars.ids.main}"`, o);
+        o = aHe('h2', vtsStatusVars.titles.main) + aHe(`table class="${vtsStatusVars.classes.table}"`, `${head}${body}`);
+        o = aHe(`div id="${vtsStatusVars.ids.main}" class="${vtsStatusVars.classes.div}"`, o);
         return o;
     }
     function templateServerZone(filter, group, id, cache) {
-        let n = 0, s, o = '';
+        let s, o = '';
         for(const name in filter) {
             if (filter.hasOwnProperty(name)) {
                 const zone = filter[name];
                 const uniq = `${id}.${group}.${name}`;
-                let clas = '';
                 let flag = '';
                 let responseCount = 0;
                 let responseTotal = 0;
                 let cacheCount = 0;
                 let cacheTotal = 0;
-                clas = (n++ % 2) ? 'odd' : '';
                 flag = (group.indexOf("country") !== -1 && name.length === 2)
                     ? `<img class="flag flag-${name.toLowerCase()}" alt="flag ${name.toLowerCase()}" />`
                     : '';
@@ -322,7 +324,7 @@
                     }
                     s += aHe('td', cacheTotal);
                 }
-                o += aHe(`tr class="${clas}"`, s);
+                o += aHe('tr', s);
             }
         }
         return o;
@@ -334,10 +336,9 @@
         while (n < filter.length) {
             const peer = filter[n];
             const uniq = `${id}.${group}.${peer.server}`;
-            let clas = '';
             let responseCount = 0;
             let responseTotal = 0;
-            clas = (n++ % 2) ? 'odd' : '';
+            n++;
             s = aHe('th', peer.server) +
                 aHe('td', [formatAvailability(peer.backup, peer.down), formatTime(peer.responseMsec),
                     peer.weight, peer.maxFails, peer.failTimeout,
@@ -358,22 +359,19 @@
                 byteFormat(aPs.getValue(`${uniq}.outBytes`, peer.outBytes)),
                 byteFormat(aPs.getValue(`${uniq}.inBytes`, peer.inBytes))
             ]);
-            o += aHe(`tr class="${clas}"`, s);
+            o += aHe('tr', s);
         }
         return o;
     }
     function templateCacheZone(filter, group, id) {
-        let n = 0;
         let s;
         let o = '';
         for(const name in filter) {
             if (filter.hasOwnProperty(name)) {
                 const zone = filter[name];
                 const uniq = `${id}.${group}.${name}`;
-                let clas = '';
                 let cacheCount = 0;
                 let cacheTotal = 0;
-                clas = (n++ % 2) ? 'odd' : '';
                 s = aHe('th', name) +
                     aHe('td', [byteFormat(zone.maxSize),
                         byteFormat(zone.usedSize),
@@ -390,7 +388,7 @@
                     }
                 }
                 s += aHe('td', cacheTotal);
-                o += aHe(`tr class="${clas}"`, s);
+                o += aHe('tr', s);
             }
         }
         return o;
@@ -414,7 +412,7 @@
         head = templateServerHeader(cache);
         bodys[0] = templateServerZone(it.serverZones, 'server', vtsStatusVars.ids.server, cache);
         body = aHe('tbody', bodys[0]);
-        out += aHe(`div id="${vtsStatusVars.ids.server}"`, aHe('h2', vtsStatusVars.titles.server) + aHe('table', head + body));
+        out += aHe(`div id="${vtsStatusVars.ids.server}" class="${vtsStatusVars.classes.div}"`, aHe('h2', vtsStatusVars.titles.server) + aHe(`table class="${vtsStatusVars.classes.table}"`, head + body));
         /* filterZones */
         if (vtsStatusVars.ids.filter in it) {
             tmp = '';
@@ -424,7 +422,7 @@
                     head = templateServerHeader(cache);
                     bodys[0] = templateServerZone(filter, group, vtsStatusVars.ids.filter, cache);
                     body = aHe('tbody', bodys[0]);
-                    tmp += aHe('h3', group) + aHe('table', head + body);
+                    tmp += aHe('h3', group) + aHe(`table class="${vtsStatusVars.classes.table}"`, head + body);
                 }
             }
             out += aHe(`div id="${vtsStatusVars.ids.filter}"`, aHe('h2', vtsStatusVars.titles.filter) + tmp);
@@ -444,10 +442,10 @@
                             group = g2.get('description');
                         }
                     }
-                    tmp += aHe('h3', group) + aHe('table', head + body);
+                    tmp += aHe('h3', group) + aHe(`table class="${vtsStatusVars.classes.table}"`, head + body);
                 }
             }
-            out += aHe(`div id="${vtsStatusVars.ids.upstream}"`, aHe('h2', vtsStatusVars.titles.upstream) + tmp);
+            out += aHe(`div id="${vtsStatusVars.ids.upstream}" class="${vtsStatusVars.classes.div}"`, aHe('h2', vtsStatusVars.titles.upstream) + tmp);
         }
         /* cacheZones */
         if (vtsStatusVars.ids.cache in it) {
@@ -455,7 +453,7 @@
             bodys[0] = templateCacheZone(it.cacheZones, 'cache', vtsStatusVars.ids.cache);
             body = aHe('tbody', bodys[0]);
             out += aHe(`div id="${vtsStatusVars.ids.cache}"`,
-                aHe('h2', vtsStatusVars.titles.cache) + aHe('table', head + body));
+                aHe('h2', vtsStatusVars.titles.cache) + aHe(`table class="${vtsStatusVars.classes.table}"`, head + body));
         }
         return out;
     }
diff --git a/www/nginx/src/opnsense/www/css/nginx/logs.css b/www/nginx/src/opnsense/www/css/nginx/logs.css
index c8bf446a04..a5ea942e99 100644
--- a/www/nginx/src/opnsense/www/css/nginx/logs.css
+++ b/www/nginx/src/opnsense/www/css/nginx/logs.css
@@ -27,7 +27,6 @@
 thead.sticky-top th {
     position: sticky;
     top: 80px;
-    background-color: white;
 }
 
 thead.sticky-top tr:first-child th {
@@ -37,7 +36,6 @@ thead.sticky-top tr:first-child th {
 tfoot.sticky-bottom th {
     position: sticky;
     bottom: 50px;
-    background-color: white;
     font-weight: normal;
     font-family: inherit;
 }
diff --git a/www/nginx/src/opnsense/www/css/nginx/vts.css b/www/nginx/src/opnsense/www/css/nginx/vts.css
index 310d2fb667..a63c5e1b20 100644
--- a/www/nginx/src/opnsense/www/css/nginx/vts.css
+++ b/www/nginx/src/opnsense/www/css/nginx/vts.css
@@ -24,7 +24,9 @@
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
-
+#update {
+    margin-bottom: 1em;
+}
 #monitor h1 {
     margin: .5em 0 0 0;
 }
@@ -38,15 +40,10 @@
     font-size: .8em;
     margin: .5em 0;
     border-collapse: collapse;
-    border-bottom: 1px #DED solid;
 }
 #monitor thead th {
     font-size: 1em;
     padding: .1em .3em;
-    border: .2em solid #FFF;
-}
-#monitor tbody tr.odd {
-    background: #F5F5F5;
 }
 #monitor tbody th {
     text-align: left;
@@ -58,11 +55,6 @@
 #monitor tbody td.key {
     font-size: 1em;
     padding: .1em .3em;
-    border: .2em solid #FFF;
-}
-#monitor div.update {
-    margin-top: 32px;
-    color: #696969;
 }
 /* from https://www.flag-sprites.com */
 .flag {
diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
index 1b334119eb..57b3898188 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
@@ -1 +1 @@
-!function(e){var t={};function n(i){if(t[i])return t[i].exports;var l=t[i]={i:i,l:!1,exports:{}};return e[i].call(l.exports,l,l.exports,n),l.l=!0,l.exports}n.m=e,n.c=t,n.d=function(e,t,i){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:i})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var l in e)n.d(i,l,function(t){return e[t]}.bind(null,l));return i},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=26)}([function(e,t,n){var i=n(2),l=n(4),o=/[&<>"']/g,a=RegExp(o.source);e.exports=function(e){return(e=l(e))&&a.test(e)?e.replace(o,i):e}},function(e,t,n){var i=n(6).Symbol;e.exports=i},function(e,t,n){var i=n(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});e.exports=i},function(e,t){e.exports=function(e){return function(t){return null==e?void 0:e[t]}}},function(e,t,n){var i=n(5);e.exports=function(e){return null==e?"":i(e)}},function(e,t,n){var i=n(1),l=n(9),o=n(10),a=n(11),s=1/0,r=i?i.prototype:void 0,_=r?r.toString:void 0;e.exports=function e(t){if("string"==typeof t)return t;if(o(t))return l(t,e)+"";if(a(t))return _?_.call(t):"";var n=t+"";return"0"==n&&1/t==-s?"-0":n}},function(e,t,n){var i=n(7),l="object"==typeof self&&self&&self.Object===Object&&self,o=i||l||Function("return this")();e.exports=o},function(e,t,n){(function(t){var n="object"==typeof t&&t&&t.Object===Object&&t;e.exports=n}).call(this,n(8))},function(e,t){var n;n=function(){return this}();try{n=n||new Function("return this")()}catch(e){"object"==typeof window&&(n=window)}e.exports=n},function(e,t){e.exports=function(e,t){for(var n=-1,i=null==e?0:e.length,l=Array(i);++n<i;)l[n]=t(e[n],n,e);return l}},function(e,t){var n=Array.isArray;e.exports=n},function(e,t,n){var i=n(12),l=n(15),o="[object Symbol]";e.exports=function(e){return"symbol"==typeof e||l(e)&&i(e)==o}},function(e,t,n){var i=n(1),l=n(13),o=n(14),a="[object Null]",s="[object Undefined]",r=i?i.toStringTag:void 0;e.exports=function(e){return null==e?void 0===e?s:a:r&&r in Object(e)?l(e):o(e)}},function(e,t,n){var i=n(1),l=Object.prototype,o=l.hasOwnProperty,a=l.toString,s=i?i.toStringTag:void 0;e.exports=function(e){var t=o.call(e,s),n=e[s];try{e[s]=void 0;var i=!0}catch(e){}var l=a.call(e);return i&&(t?e[s]=n:delete e[s]),l}},function(e,t){var n=Object.prototype.toString;e.exports=function(e){return n.call(e)}},function(e,t){e.exports=function(e){return null!=e&&"object"==typeof e}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="dropdown"\n   href="#"\n   class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block"\n   role="button">\n    <b><span class="caret"></span></b>\n</a>\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-right: 0px;"><b>'+(null==(__t=_.escape(name))?"":__t)+'</b></a>\n<ul class="dropdown-menu" role="menu" id="tab_'+(null==(__t=_.escape(id))?"":__t)+'">\n    ',model.forEach(function(e){__p+='\n    <li>\n        <a data-toggle="tab"\n           class="menuEntry"\n           data-model-cid="'+(null==(__t=e.cid)?"":__t)+'"\n           data-model-uuid="'+(null==(__t=_.escape(id))?"":__t)+'"\n           data-model-fileno="'+(null==(__t=e.escape("number"))?"":__t)+'"\n           id="subtab_item_'+(null==(__t=_.escape(id))?"":__t)+"_"+(null==(__t=e.escape("number"))?"":__t)+'"\n           href="#subtab_'+(null==(__t=_.escape(id))?"":__t)+'">'+(null==(__t=e.escape("date"))?"":__t)+"</a>\n    </li>\n    "}),__p+="\n</ul>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-top-right-radius: 10px !important; padding-right: 10px !important;">\n    <b>'+(null==(__t=_.escape(name))?"":__t)+"</b>\n</a>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="username">'+(null==(__t=model.escape("username"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="size">'+(null==(__t=model.escape("size"))?"":__t)+'</td>\n<td class="referer">'+(null==(__t=model.escape("http_referer"))?"":__t)+'</td>\n<td class="user_agent">'+(null==(__t=model.escape("user_agent"))?"":__t)+'</td>\n<td class="forwarded_for">'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'</td>\n<td class="request_line">'+(null==(__t=model.escape("request_line"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="bytes_sent">'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'</td>\n<td class="bytes_received">'+(null==(__t=model.escape("bytes_received"))?"":__t)+'</td>\n<td class="session_time">'+(null==(__t=model.escape("session_time"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="date">'+(null==(__t=model.escape("date"))?"":__t)+'</td>\n<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="severity">'+(null==(__t=model.escape("severity"))?"":__t)+'</td>\n<td class="number">'+(null==(__t=model.escape("number"))?"":__t)+'</td>\n<td class="message">'+(null==(__t=model.escape("message"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj){let count=0;__p+='<table class="table table-striped">\n    <thead class="sticky-top">\n        <tr>\n            ',"errors"===log_type||"stream_errors"===log_type?(count=5,__p+="\n            <th>Date</th>\n            <th>Time</th>\n            <th>Severity</th>\n            <th>Number</th>\n            <th>Message</th>\n            "):"accesses"===log_type?(count=9,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Username</th>\n            <th>Status</th>\n            <th>Size</th>\n            <th>Referer</th>\n            <th>User Agent</th>\n            <th>Forwarded For</th>\n            <th>Request Line</th>\n            "):(count=6,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Status</th>\n            <th>Bytes Sent</th>\n            <th>Bytes Received</th>\n            <th>Session Time</th>\n            "),__p+='\n        </tr>\n        <tr class="filter">\n            ',"errors"===log_type||"stream_errors"===log_type?__p+='\n            <th><input type="text" value="'+(null==(__t=model.escape("date"))?"":__t)+'" name="date" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("severity"))?"":__t)+'" name="severity" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("number"))?"":__t)+'" name="number" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("message"))?"":__t)+'" name="message" /></th>\n            ':"accesses"===log_type?__p+='\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("username"))?"":__t)+'" name="username" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("size"))?"":__t)+'" name="size" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("http_referer"))?"":__t)+'" name="http_referer" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("user_agent"))?"":__t)+'" name="user_agent" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'" name="forwarded_for" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("request_line"))?"":__t)+'" name="request_line" /></th>\n            ':__p+='\n            <th><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'" name="bytes_sent" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("bytes_received"))?"":__t)+'" name="bytes_received" /></th>\n            <th><input type="text" value="'+(null==(__t=model.escape("session_time"))?"":__t)+'" name="session_time" /></th>\n            ',__p+='\n        </tr>\n    </thead>\n    <tbody>\n    </tbody>\n    <tfoot class="sticky-bottom">\n        <tr>\n            <th class="text-nowrap">\n                <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>\n            </th>\n            <th>\n                Page <span id="currentpage">1</span>/<span id="pagecount">0</span>\n            </th>\n            <th colspan="2">\n                <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>\n                <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />\n                <datalist id="tickmarks">\n                    <option value="5" label="5">\n                    <option value="100" label="100">\n                    <option value="200" label="200">\n                    <option value="300">\n                    <option value="400">\n                    <option value="500" label="500">\n                    <option value="600">\n                    <option value="700">\n                    <option value="800">\n                    <option value="900">\n                    <option value="1000" label="1000">\n                </datalist>\n            </th>\n            <th colspan="'+(null==(__t=count-4)?"":__t)+'">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>\n        </tr>\n    </tfoot>\n</table>\n'}return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div style="text-align: center;">\n    No data available...\n</div>\n';return __p}},,,,function(e,t,n){"use strict";n.r(t);var i=Backbone.Model.extend({});var l=Backbone.Collection.extend({model:i,url:function(){return`/api/nginx/logs/${this.logType}`},initialize:function(e){this.logType=e.logType}}),o=Backbone.Model.extend({});var a=Backbone.Collection.extend({model:o,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}`},initialize:function(e){this.logType=e.logType,this.uuid=e.uuid}}),s=n(16),r=n.n(s);var _=Backbone.View.extend({tagName:"li",events:{"click .mainentry":"mainMenuClick","click .menuEntry":"menuEntryClick","click .dropdown-toggle":"menuDropdownClick"},initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logType=e.logType,this.logview=e.logview,this.render()},render:function(){this.$el.html(""),this.renderCollection()},renderCollection:function(){this.$el.addClass("dropdown"),"global"==this.model.get("id")&&(this.$el.addClass("active"),this.logview.get_log("errors","global",-1)),this.$el.html(""),this.$el.append(r()({model:this.collection,id:this.model.get("id"),name:this.model.has("server_name")?this.model.get("server_name"):"Port "+this.model.get("port")}))},mainMenuClick:function(){this.collection.models[0]&&(this.handleElementClick(this.model.get("id"),-1),$(`#tab_${this.model.get("id")} li`).removeClass("active"),$(`#subtab_item_${this.model.get("id")}_${this.collection.models[0].get("number")}`).parent().addClass("active"))},menuDropdownClick:function(e){this.collection.fetch()},menuEntryClick:function(e){this.handleElementClick(e.target.dataset.modelUuid,e.target.dataset.modelFileno)},handleElementClick:function(e,t){this.logview.get_log(this.logType,e,t)}}),c=n(17),u=n.n(c);Backbone.View.extend({tagName:"li",initialize:function(e){this.logview=e.logview,this.log_name=e.log_name,this.visible_name=e.visible_name,this.log_type=e.log_type},events:{"click .mainentry":"handleElementClick"},log_name:null,log_type:null,visible_name:null,render:function(){this.$el.html(u()({name:this.visible_name}))},handleElementClick:function(){this.logview.get_log(this.log_type,this.log_name)}});var p=Backbone.View.extend({tagName:"ul",className:"nav nav-tabs",initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logview=e.logview,this.logType=e.logType},render:function(){this.$el.attr("role","tablist"),this.$el.html(""),"global"==this.logType?this.render_global_error_tab():this.collection.forEach(e=>this.render_one_server(e))},render_one_server:function(e){const t=new a({uuid:e.get("id"),logType:this.logType}),n=new _({collection:t,model:e,logType:this.logType,logview:this.logview});this.$el.append(n.$el)},render_global_error_tab:function(){const e=new a({uuid:"global",logType:"errors"}),t=new _({collection:e,model:new Backbone.Model({server_name:"Global Error Log",id:"global"}),logType:"errors",logview:this.logview});this.$el.append(t.$el),e.fetch()}}),d=n(18),h=n.n(d),m=n(19),g=n.n(m),b=n(20),f=n.n(b),y=n(21),v=n.n(y);var w=Backbone.Model.extend({});var x=Backbone.Collection.extend({model:w,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}/${this.fileNo}/${this.page}/${this.pageSize}/${this.create_filter()}`},initialize:function(){this.logType="none",this.uuid="none",this.fileNo=-1,this.page=0,this.pageSize=0,this.filter_model=new Backbone.Model},parse:function(e){return"error"in e?[]:(this.page_count=e.pages,this.total_entries=e.total,this.displayed_entries=e.found,e.lines)},create_filter:function(){return encodeURIComponent(JSON.stringify(this.filter_model))}}),k=n(22),j=n.n(k);const T=Backbone.View.extend({tagName:"tr",initialize:function(e){this.type=e.type},render:function(){this.$el.html(this.get_template()({model:this.model}))},get_template:function(){return"accesses"===this.type?h.a:"stream_accesses"===this.type?g.a:f.a}});const C=new(Backbone.View.extend({tagName:"div",className:"content-box tab-content",events:{"keyup .filter input":"update_filter","click #paging_first":"page_first","click #paging_back":"page_back","click #refresh":"update","click #paging_forward":"page_forward","click #paging_last":"page_last","change #entrycount":"change_entry_count"},page_entry_count:100,filter_delay:-1,initialize:function(){this.collection=new x,this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.listenTo(this.collection.filter_model,"change",this.render),this.type=""},render:function(){let e=this.$("tbody");e.length<1?0!==this.collection.length?(this.$el.html(v()({log_type:this.type,model:this.collection.filter_model})),e=this.$("tbody")):this.$el.html(j.a):e.html(""),0!==this.collection.length&&null==this.current_filtered_collection&&this.collection.forEach(t=>this.render_one(e,t)),this.$("#entrycountdisplay").html(this.page_entry_count),this.$("#currentpage").html(this.current_page+1),this.$("#pagecount").html(this.collection.page_count),this.$("#totalcount").html(this.collection.total_entries),this.$("#resultcount").html(this.collection.displayed_entries),this.current_page>=this.collection.page_count-1?(this.$("#paging_last").addClass("disabled"),this.$("#paging_forward").addClass("disabled")):(this.$("#paging_last").removeClass("disabled"),this.$("#paging_forward").removeClass("disabled")),this.current_page<=0?(this.$("#paging_back").addClass("disabled"),this.$("#paging_first").addClass("disabled")):(this.$("#paging_back").removeClass("disabled"),this.$("#paging_first").removeClass("disabled"))},render_one:function(e,t){const n=new T({type:this.type,model:t});n.render(),e.append(n.$el)},get_log:function(e,t,n){this.collection.uuid=t,this.collection.logType=e,this.collection.fileNo=n,this.type=e,this.current_page=0,this.$el.html(""),this.collection.filter_model.clear(),this.update()},update:function(){this.collection.page=this.current_page,this.collection.pageSize=this.page_entry_count,this.collection.fetch()},update_filter:function(e){clearTimeout(this.filter_delay);const t=e.target;this.collection.filter_model.set(t.name,$(t).val()),this.current_page=0,this.filter_delay=setTimeout(function(e){e.update()},500,this)},page_first:function(){this.current_page=0,this.update()},page_back:function(){this.current_page>0&&(this.current_page--,this.update())},page_forward:function(){this.current_page<this.collection.page_count&&(this.current_page++,this.update())},page_last:function(){this.current_page=this.collection.page_count-1,this.update()},change_entry_count:function(e){this.page_entry_count=e.target.value,this.current_page=0,this.update()}})),S=$("#logapplication").data("log"),q=new l({logType:S}),z=new p({collection:q,logview:C,logType:S});$("#logapplication").append(z.$el).append(C.$el),"global"!=S?q.fetch():z.render()}]);
\ No newline at end of file
+!function(e){var t={};function n(i){if(t[i])return t[i].exports;var l=t[i]={i:i,l:!1,exports:{}};return e[i].call(l.exports,l,l.exports,n),l.l=!0,l.exports}n.m=e,n.c=t,n.d=function(e,t,i){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:i})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var l in e)n.d(i,l,function(t){return e[t]}.bind(null,l));return i},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=26)}([function(e,t,n){var i=n(2),l=n(4),a=/[&<>"']/g,o=RegExp(a.source);e.exports=function(e){return(e=l(e))&&o.test(e)?e.replace(a,i):e}},function(e,t,n){var i=n(6).Symbol;e.exports=i},function(e,t,n){var i=n(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});e.exports=i},function(e,t){e.exports=function(e){return function(t){return null==e?void 0:e[t]}}},function(e,t,n){var i=n(5);e.exports=function(e){return null==e?"":i(e)}},function(e,t,n){var i=n(1),l=n(9),a=n(10),o=n(11),s=1/0,r=i?i.prototype:void 0,_=r?r.toString:void 0;e.exports=function e(t){if("string"==typeof t)return t;if(a(t))return l(t,e)+"";if(o(t))return _?_.call(t):"";var n=t+"";return"0"==n&&1/t==-s?"-0":n}},function(e,t,n){var i=n(7),l="object"==typeof self&&self&&self.Object===Object&&self,a=i||l||Function("return this")();e.exports=a},function(e,t,n){(function(t){var n="object"==typeof t&&t&&t.Object===Object&&t;e.exports=n}).call(this,n(8))},function(e,t){var n;n=function(){return this}();try{n=n||new Function("return this")()}catch(e){"object"==typeof window&&(n=window)}e.exports=n},function(e,t){e.exports=function(e,t){for(var n=-1,i=null==e?0:e.length,l=Array(i);++n<i;)l[n]=t(e[n],n,e);return l}},function(e,t){var n=Array.isArray;e.exports=n},function(e,t,n){var i=n(12),l=n(15),a="[object Symbol]";e.exports=function(e){return"symbol"==typeof e||l(e)&&i(e)==a}},function(e,t,n){var i=n(1),l=n(13),a=n(14),o="[object Null]",s="[object Undefined]",r=i?i.toStringTag:void 0;e.exports=function(e){return null==e?void 0===e?s:o:r&&r in Object(e)?l(e):a(e)}},function(e,t,n){var i=n(1),l=Object.prototype,a=l.hasOwnProperty,o=l.toString,s=i?i.toStringTag:void 0;e.exports=function(e){var t=a.call(e,s),n=e[s];try{e[s]=void 0;var i=!0}catch(e){}var l=o.call(e);return i&&(t?e[s]=n:delete e[s]),l}},function(e,t){var n=Object.prototype.toString;e.exports=function(e){return n.call(e)}},function(e,t){e.exports=function(e){return null!=e&&"object"==typeof e}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="dropdown"\n   href="#"\n   class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block"\n   role="button">\n    <b><span class="caret"></span></b>\n</a>\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-right: 0px;"><b>'+(null==(__t=_.escape(name))?"":__t)+'</b></a>\n<ul class="dropdown-menu" role="menu" id="tab_'+(null==(__t=_.escape(id))?"":__t)+'">\n    ',model.forEach(function(e){__p+='\n    <li>\n        <a data-toggle="tab"\n           class="menuEntry"\n           data-model-cid="'+(null==(__t=e.cid)?"":__t)+'"\n           data-model-uuid="'+(null==(__t=_.escape(id))?"":__t)+'"\n           data-model-fileno="'+(null==(__t=e.escape("number"))?"":__t)+'"\n           id="subtab_item_'+(null==(__t=_.escape(id))?"":__t)+"_"+(null==(__t=e.escape("number"))?"":__t)+'"\n           href="#subtab_'+(null==(__t=_.escape(id))?"":__t)+'">'+(null==(__t=e.escape("date"))?"":__t)+"</a>\n    </li>\n    "}),__p+="\n</ul>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-top-right-radius: 10px !important; padding-right: 10px !important;">\n    <b>'+(null==(__t=_.escape(name))?"":__t)+"</b>\n</a>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="username">'+(null==(__t=model.escape("username"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="size">'+(null==(__t=model.escape("size"))?"":__t)+'</td>\n<td class="referer">'+(null==(__t=model.escape("http_referer"))?"":__t)+'</td>\n<td class="user_agent">'+(null==(__t=model.escape("user_agent"))?"":__t)+'</td>\n<td class="forwarded_for">'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'</td>\n<td class="request_line">'+(null==(__t=model.escape("request_line"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="bytes_sent">'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'</td>\n<td class="bytes_received">'+(null==(__t=model.escape("bytes_received"))?"":__t)+'</td>\n<td class="session_time">'+(null==(__t=model.escape("session_time"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="date">'+(null==(__t=model.escape("date"))?"":__t)+'</td>\n<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="severity">'+(null==(__t=model.escape("severity"))?"":__t)+'</td>\n<td class="number">'+(null==(__t=model.escape("number"))?"":__t)+'</td>\n<td class="message">'+(null==(__t=model.escape("message"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj){let count=0;__p+='<table class="table table-striped">\n    <thead class="sticky-top">\n        <tr>\n            ',"errors"===log_type||"stream_errors"===log_type?(count=5,__p+="\n            <th>Date</th>\n            <th>Time</th>\n            <th>Severity</th>\n            <th>Number</th>\n            <th>Message</th>\n            "):"accesses"===log_type?(count=9,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Username</th>\n            <th>Status</th>\n            <th>Size</th>\n            <th>Referer</th>\n            <th>User Agent</th>\n            <th>Forwarded For</th>\n            <th>Request Line</th>\n            "):(count=6,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Status</th>\n            <th>Bytes Sent</th>\n            <th>Bytes Received</th>\n            <th>Session Time</th>\n            "),__p+='\n        </tr>\n        <tr class="filter">\n            ',"errors"===log_type||"stream_errors"===log_type?__p+='\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("date"))?"":__t)+'" name="date" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("severity"))?"":__t)+'" name="severity" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("number"))?"":__t)+'" name="number" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("message"))?"":__t)+'" name="message" /></th>\n            ':"accesses"===log_type?__p+='\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("username"))?"":__t)+'" name="username" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("size"))?"":__t)+'" name="size" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("http_referer"))?"":__t)+'" name="http_referer" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("user_agent"))?"":__t)+'" name="user_agent" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'" name="forwarded_for" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("request_line"))?"":__t)+'" name="request_line" /></th>\n            ':__p+='\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'" name="bytes_sent" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("bytes_received"))?"":__t)+'" name="bytes_received" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("session_time"))?"":__t)+'" name="session_time" /></th>\n            ',__p+='\n        </tr>\n    </thead>\n    <tbody>\n    </tbody>\n    <tfoot class="sticky-bottom">\n        <tr>\n            <th class="text-nowrap active">\n                <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>\n            </th>\n            <th class="active">\n                Page <span id="currentpage">1</span>/<span id="pagecount">0</span>\n            </th>\n            <th class="active" colspan="2">\n                <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>\n                <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />\n                <datalist id="tickmarks">\n                    <option value="5" label="5">\n                    <option value="100" label="100">\n                    <option value="200" label="200">\n                    <option value="300">\n                    <option value="400">\n                    <option value="500" label="500">\n                    <option value="600">\n                    <option value="700">\n                    <option value="800">\n                    <option value="900">\n                    <option value="1000" label="1000">\n                </datalist>\n            </th>\n            <th class="active" colspan="'+(null==(__t=count-4)?"":__t)+'">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>\n        </tr>\n    </tfoot>\n</table>\n'}return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div style="text-align: center;">\n    No data available...\n</div>\n';return __p}},,,,function(e,t,n){"use strict";n.r(t);var i=Backbone.Model.extend({});var l=Backbone.Collection.extend({model:i,url:function(){return`/api/nginx/logs/${this.logType}`},initialize:function(e){this.logType=e.logType}}),a=Backbone.Model.extend({});var o=Backbone.Collection.extend({model:a,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}`},initialize:function(e){this.logType=e.logType,this.uuid=e.uuid}}),s=n(16),r=n.n(s);var _=Backbone.View.extend({tagName:"li",events:{"click .mainentry":"mainMenuClick","click .menuEntry":"menuEntryClick","click .dropdown-toggle":"menuDropdownClick"},initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logType=e.logType,this.logview=e.logview,this.render()},render:function(){this.$el.html(""),this.renderCollection()},renderCollection:function(){this.$el.addClass("dropdown"),"global"==this.model.get("id")&&(this.$el.addClass("active"),this.logview.get_log("errors","global",-1)),this.$el.html(""),this.$el.append(r()({model:this.collection,id:this.model.get("id"),name:this.model.has("server_name")?this.model.get("server_name"):"Port "+this.model.get("port")}))},mainMenuClick:function(){this.collection.models[0]&&(this.handleElementClick(this.model.get("id"),-1),$(`#tab_${this.model.get("id")} li`).removeClass("active"),$(`#subtab_item_${this.model.get("id")}_${this.collection.models[0].get("number")}`).parent().addClass("active"))},menuDropdownClick:function(e){this.collection.fetch()},menuEntryClick:function(e){this.handleElementClick(e.target.dataset.modelUuid,e.target.dataset.modelFileno)},handleElementClick:function(e,t){this.logview.get_log(this.logType,e,t)}}),c=n(17),u=n.n(c);Backbone.View.extend({tagName:"li",initialize:function(e){this.logview=e.logview,this.log_name=e.log_name,this.visible_name=e.visible_name,this.log_type=e.log_type},events:{"click .mainentry":"handleElementClick"},log_name:null,log_type:null,visible_name:null,render:function(){this.$el.html(u()({name:this.visible_name}))},handleElementClick:function(){this.logview.get_log(this.log_type,this.log_name)}});var p=Backbone.View.extend({tagName:"ul",className:"nav nav-tabs",initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logview=e.logview,this.logType=e.logType},render:function(){this.$el.attr("role","tablist"),this.$el.html(""),"global"==this.logType?this.render_global_error_tab():this.collection.forEach(e=>this.render_one_server(e))},render_one_server:function(e){const t=new o({uuid:e.get("id"),logType:this.logType}),n=new _({collection:t,model:e,logType:this.logType,logview:this.logview});this.$el.append(n.$el)},render_global_error_tab:function(){const e=new o({uuid:"global",logType:"errors"}),t=new _({collection:e,model:new Backbone.Model({server_name:"Global Error Log",id:"global"}),logType:"errors",logview:this.logview});this.$el.append(t.$el),e.fetch()}}),d=n(18),h=n.n(d),m=n(19),g=n.n(m),b=n(20),f=n.n(b),v=n(21),y=n.n(v);var w=Backbone.Model.extend({});var x=Backbone.Collection.extend({model:w,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}/${this.fileNo}/${this.page}/${this.pageSize}/${this.create_filter()}`},initialize:function(){this.logType="none",this.uuid="none",this.fileNo=-1,this.page=0,this.pageSize=0,this.filter_model=new Backbone.Model},parse:function(e){return"error"in e?[]:(this.page_count=e.pages,this.total_entries=e.total,this.displayed_entries=e.found,e.lines)},create_filter:function(){return encodeURIComponent(JSON.stringify(this.filter_model))}}),k=n(22),j=n.n(k);const T=Backbone.View.extend({tagName:"tr",initialize:function(e){this.type=e.type},render:function(){this.$el.html(this.get_template()({model:this.model}))},get_template:function(){return"accesses"===this.type?h.a:"stream_accesses"===this.type?g.a:f.a}});const C=new(Backbone.View.extend({tagName:"div",className:"content-box tab-content",events:{"keyup .filter input":"update_filter","click #paging_first":"page_first","click #paging_back":"page_back","click #refresh":"update","click #paging_forward":"page_forward","click #paging_last":"page_last","change #entrycount":"change_entry_count"},page_entry_count:100,filter_delay:-1,initialize:function(){this.collection=new x,this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.listenTo(this.collection.filter_model,"change",this.render),this.type=""},render:function(){let e=this.$("tbody");e.length<1?0!==this.collection.length?(this.$el.html(y()({log_type:this.type,model:this.collection.filter_model})),e=this.$("tbody")):this.$el.html(j.a):e.html(""),0!==this.collection.length&&null==this.current_filtered_collection&&this.collection.forEach(t=>this.render_one(e,t)),this.$("#entrycountdisplay").html(this.page_entry_count),this.$("#currentpage").html(this.current_page+1),this.$("#pagecount").html(this.collection.page_count),this.$("#totalcount").html(this.collection.total_entries),this.$("#resultcount").html(this.collection.displayed_entries),this.current_page>=this.collection.page_count-1?(this.$("#paging_last").addClass("disabled"),this.$("#paging_forward").addClass("disabled")):(this.$("#paging_last").removeClass("disabled"),this.$("#paging_forward").removeClass("disabled")),this.current_page<=0?(this.$("#paging_back").addClass("disabled"),this.$("#paging_first").addClass("disabled")):(this.$("#paging_back").removeClass("disabled"),this.$("#paging_first").removeClass("disabled"))},render_one:function(e,t){const n=new T({type:this.type,model:t});n.render(),e.append(n.$el)},get_log:function(e,t,n){this.collection.uuid=t,this.collection.logType=e,this.collection.fileNo=n,this.type=e,this.current_page=0,this.$el.html(""),this.collection.filter_model.clear(),this.update()},update:function(){this.collection.page=this.current_page,this.collection.pageSize=this.page_entry_count,this.collection.fetch()},update_filter:function(e){clearTimeout(this.filter_delay);const t=e.target;this.collection.filter_model.set(t.name,$(t).val()),this.current_page=0,this.filter_delay=setTimeout(function(e){e.update()},500,this)},page_first:function(){this.current_page=0,this.update()},page_back:function(){this.current_page>0&&(this.current_page--,this.update())},page_forward:function(){this.current_page<this.collection.page_count&&(this.current_page++,this.update())},page_last:function(){this.current_page=this.collection.page_count-1,this.update()},change_entry_count:function(e){this.page_entry_count=e.target.value,this.current_page=0,this.update()}})),S=$("#logapplication").data("log"),q=new l({logType:S}),z=new p({collection:q,logview:C,logType:S});$("#logapplication").append(z.$el).append(C.$el),"global"!=S?q.fetch():z.render()}]);
\ No newline at end of file
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
index 66f4f19ca4..a92d60c6e1 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
+++ b/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
@@ -31,28 +31,28 @@
         </tr>
         <tr class="filter">
             <% if (log_type === 'errors' || log_type === 'stream_errors') { %>
-            <th><input type="text" value="<%= model.escape('date') %>" name="date" /></th>
-            <th><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
-            <th><input type="text" value="<%= model.escape('severity') %>" name="severity" /></th>
-            <th><input type="text" value="<%= model.escape('number') %>" name="number" /></th>
-            <th><input type="text" value="<%= model.escape('message') %>" name="message" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('date') %>" name="date" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('severity') %>" name="severity" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('number') %>" name="number" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('message') %>" name="message" /></th>
             <% } else if (log_type === 'accesses') { %>
-            <th><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
-            <th><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></th>
-            <th><input type="text" value="<%= model.escape('username') %>" name="username" /></th>
-            <th><input type="text" value="<%= model.escape('status') %>" name="status" /></th>
-            <th><input type="text" value="<%= model.escape('size') %>" name="size" /></th>
-            <th><input type="text" value="<%= model.escape('http_referer') %>" name="http_referer" /></th>
-            <th><input type="text" value="<%= model.escape('user_agent') %>" name="user_agent" /></th>
-            <th><input type="text" value="<%= model.escape('forwarded_for') %>" name="forwarded_for" /></th>
-            <th><input type="text" value="<%= model.escape('request_line') %>" name="request_line" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('username') %>" name="username" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('status') %>" name="status" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('size') %>" name="size" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('http_referer') %>" name="http_referer" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('user_agent') %>" name="user_agent" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('forwarded_for') %>" name="forwarded_for" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('request_line') %>" name="request_line" /></th>
             <% } else { %>
-            <th><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
-            <th><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></th>
-            <th><input type="text" value="<%= model.escape('status') %>" name="status" /></th>
-            <th><input type="text" value="<%= model.escape('bytes_sent') %>" name="bytes_sent" /></th>
-            <th><input type="text" value="<%= model.escape('bytes_received') %>" name="bytes_received" /></th>
-            <th><input type="text" value="<%= model.escape('session_time') %>" name="session_time" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('status') %>" name="status" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('bytes_sent') %>" name="bytes_sent" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('bytes_received') %>" name="bytes_received" /></th>
+            <th class="active"><input type="text" value="<%= model.escape('session_time') %>" name="session_time" /></th>
             <% } %>
         </tr>
     </thead>
@@ -60,17 +60,17 @@
     </tbody>
     <tfoot class="sticky-bottom">
         <tr>
-            <th class="text-nowrap">
+            <th class="text-nowrap active">
                 <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>
                 <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>
                 <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>
                 <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>
                 <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>
             </th>
-            <th>
+            <th class="active">
                 Page <span id="currentpage">1</span>/<span id="pagecount">0</span>
             </th>
-            <th colspan="2">
+            <th class="active" colspan="2">
                 <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>
                 <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />
                 <datalist id="tickmarks">
@@ -87,7 +87,7 @@
                     <option value="1000" label="1000">
                 </datalist>
             </th>
-            <th colspan="<%= count - 4 %>">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>
+            <th class="active" colspan="<%= count - 4 %>">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>
         </tr>
     </tfoot>
 </table>

From 3f853bd9d3591f8d25d02270f452ba401a58d84c Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Tue, 4 Jan 2022 21:15:00 +0100
Subject: [PATCH 0897/3088] default_server for https servers

Fixes #2741
---
 .../src/opnsense/service/templates/OPNsense/Nginx/http.conf     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 287b6893af..13e5659a99 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -99,7 +99,7 @@ server {
 
 {%   if server.listen_https_address is defined and server.listen_https_address != '' and server.certificate is defined %}
 {%     for listen_address in server.listen_https_address.split(',') %}
-    listen {{ listen_address }} http2 ssl;
+    listen {{ listen_address }} http2 ssl{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
 {%     endfor %}
 {%     if server.ca is defined %}
     ssl_client_certificate /usr/local/etc/nginx/key/{{ single_servername }}_ca.pem;

From 4e63c89275d83abc7fd57bea4450d76402e762f6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 5 Jan 2022 12:43:01 +0100
Subject: [PATCH 0898/3088] security/acme-client: post merge fix for #2731

---
 security/acme-client/pkg-descr                               | 5 ++++-
 .../OPNsense/AcmeClient/forms/dialogValidation.xml           | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index fe2966bf29..d679217f48 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,8 +10,11 @@ Plugin Changelog
 
 3.8
 
+NOTE: Support for the cPanel API is not functional. It requires
+a new version of acme.sh, which has not been released yet.
+
 Added:
-* add support for cPanel HTTP API
+* add support for cPanel HTTP API (#2731)
 
 3.7
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index fad8386d72..129d19c1e4 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1413,7 +1413,7 @@
         <id>validation.dns_cpanel_token</id>
         <label>cPanel API Token</label>
         <type>password</type>
-        <help>Ref: https://docs.cpanel.net/cpanel/security/manage-api-tokens-in-cpanel/</help>
+        <help><![CDATA[Please refer to the <a href="https://docs.cpanel.net/cpanel/security/manage-api-tokens-in-cpanel/">cPanel documentation</a> for further information.]]></help>
     </field>
     <field>
         <id>validation.dns_cpanel_hostname</id>

From ed25316489292232b6711078d4c463cf57bf0a4a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 3 Jan 2022 00:35:35 +0100
Subject: [PATCH 0899/3088] security/acme-client: show CA in accounts list

---
 security/acme-client/pkg-descr                              | 6 ++++++
 .../OPNsense/AcmeClient/Api/AccountsController.php          | 2 +-
 .../mvc/app/views/OPNsense/AcmeClient/accounts.volt         | 1 +
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index d679217f48..d7c904fdb7 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -16,6 +16,12 @@ a new version of acme.sh, which has not been released yet.
 Added:
 * add support for cPanel HTTP API (#2731)
 
+Fixed:
+* fix calculation of renewal date (#2721)
+
+Changed:
+* show CA in accounts list
+
 3.7
 
 Fixed:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
index ef6dfbf2d6..922850399f 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
@@ -74,7 +74,7 @@ public function toggleAction($uuid, $enabled = null)
 
     public function searchAction()
     {
-        return $this->searchBase('accounts.account', array('enabled', 'name', 'email', 'statusCode', 'statusLastUpdate'), 'name');
+        return $this->searchBase('accounts.account', array('enabled', 'name', 'email', 'ca', 'statusCode', 'statusLastUpdate'), 'name');
     }
 
     /**
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index d9e417ebde..ec20a20e89 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -359,6 +359,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="email" data-type="string">{{ lang._('E-Mail') }}</th>
+                <th data-column-id="ca" data-type="string">{{ lang._('CA') }}</th>
                 <th data-column-id="statusCode" data-type="string" data-formatter="accountstatus">{{ lang._('Status') }}</th>
                 <th data-column-id="statusLastUpdate" data-type="string" data-formatter="acmestatusdate">{{ lang._('Registration Date') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>

From 0cac1cadc2f85bcf1dd68c42cd0bf71ecc724be8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 5 Jan 2022 12:00:01 +0100
Subject: [PATCH 0900/3088] security/acme-client: fix calculation of renewal
 date, closes #2721

Now we read the validFrom information directly from the cert file
in order to calculate the renewal date.

This is necessary, because in ae697392293e4a7fb3e9ed0450a559adccbab2e6
we made the import feature available to the end-user. As a result,
the value of lastUpdate() does not only change after issue/renewal,
but also everytime the user clicks on the "import" button.
---
 .../OPNsense/AcmeClient/LeCertificate.php     | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 72a8f1eced..54e32d9608 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -414,8 +414,31 @@ public function needsRenewal()
     {
         $return = false;
 
+        // Try to get issue date from certificate
+        if (is_file($this->cert_file)) {
+            // Read contents from certificate file
+            $cert_content = @file_get_contents($this->cert_file);
+            if ($cert_content != false) {
+                $cert_info = @openssl_x509_parse($cert_content);
+                if (!empty($cert_info['validFrom_time_t'])) {
+                    $last_update = $cert_info['validFrom_time_t'];
+                } else {
+                    LeUtils::log_error('unable to get expiration time from certificate for ' . (string)$this->config->name);
+                    $last_update = 0; // Just assume the cert requires renewal.
+                }
+            } else {
+                LeUtils::log_error('unable to read certificate content from file for ' . (string)$this->config->name);
+                $last_update = 0; // Just assume the cert requires renewal.
+            }
+        } elseif (!empty((string)$this->config->lastUpdate)) {
+            // Fallback to lastUpdate() state, although it may not be correct
+            // if the cert was imported manually after issue/renewal.
+            $last_update = (string)$this->config->lastUpdate;
+        } else {
+            $last_update = 0; // Just assume the cert requires renewal.
+        }
+
         // Collect required information
-        $last_update = !empty((string)$this->config->lastUpdate) ? (string)$this->config->lastUpdate : 0;
         $current_time = new \DateTime();
         $last_update_time = new \DateTime();
         $last_update_time->setTimestamp($last_update);

From fc78ebae146e757792316b4853a1fe63c31cef73 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 6 Jan 2022 14:45:47 +0100
Subject: [PATCH 0901/3088] security/acme-client: fix ecc cert handling in
 automations, closes #2723

---
 security/acme-client/pkg-descr                           | 1 +
 .../library/OPNsense/AcmeClient/LeAutomation/Base.php    | 9 ++++++++-
 .../app/library/OPNsense/AcmeClient/LeCertificate.php    | 7 +++++--
 .../mvc/app/library/OPNsense/AcmeClient/LeCommon.php     | 1 +
 .../library/OPNsense/AcmeClient/LeValidation/Base.php    | 9 ++++++---
 5 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index d7c904fdb7..5b08b3bf0a 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,6 +18,7 @@ Added:
 
 Fixed:
 * fix calculation of renewal date (#2721)
+* properly handle ecc certs in automations (#2723)
 
 Changed:
 * show CA in accounts list
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index 175a51e9f0..1f11081fa7 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -47,7 +47,7 @@ abstract class Base extends \OPNsense\AcmeClient\LeCommon
      * Initialize LeAutomation object by adding the required configuration.
      * @return boolean
      */
-    public function init(string $certid, string $certname, string $accountuuid)
+    public function init(string $certid, string $certname, string $accountuuid, bool $certecc = false)
     {
         // Get config object
         $this->loadConfig(self::CONFIG_PATH, $this->uuid);
@@ -79,6 +79,13 @@ public function init(string $certid, string $certname, string $accountuuid)
         // Main domain for acme
         $this->acme_args[] = LeUtils::execSafe('--domain %s', $certname);
 
+        // ECC cert
+        $this->cert_ecc = $certecc;
+        if ($this->cert_ecc) {
+            // Pass --ecc to acme client to locate the correct cert directory
+            $this->acme_args[] = '--ecc';
+        }
+
         return true;
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 54e32d9608..06e406b579 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -81,6 +81,9 @@ public function __construct(string $uuid, bool $force = false, bool $cron = fals
         if ($this->config->keyLength == 'key_ec256' || $this->config->keyLength == 'key_ec384') {
             // Pass --ecc to acme client to locate the correct cert directory
             $this->acme_args[] = '--ecc';
+            $this->cert_ecc = true;
+        } else {
+            $this->cert_ecc = false;
         }
 
         // Store cert filenames
@@ -628,7 +631,7 @@ public function runAutomations()
         foreach ($automations as $auto_uuid) {
             $autoFactory = new LeAutomationFactory();
             $automation = $autoFactory->getAutomation($auto_uuid);
-            $automation->init($this->getId(), (string)$this->config->name, (string)$this->config->account);
+            $automation->init($this->getId(), (string)$this->config->name, (string)$this->config->account, $this->cert_ecc);
             // Ignore invalid automations.
             if ($automation->prepare()) {
                 $automation->run();
@@ -677,7 +680,7 @@ public function setValidation()
                 LeUtils::log_error('invalid challenge type for certificate: ' . (string)$this->config->name);
                 return false;
             }
-            if (!$val->init((string)$this->config->id, (string)$this->config->account)) {
+            if (!$val->init((string)$this->config->id, (string)$this->config->account, $this->cert_ecc)) {
                 LeUtils::log_error('failed to initialize validation for certificate: ' . (string)$this->config->name);
                 return false;
             }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index ce1ed6e715..631fab0c4f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -73,6 +73,7 @@ abstract class LeCommon
     protected $cert_domainalias;    # AcmeClient certificate object domain alias
     protected $cert_challengealias; # AcmeClient certificate object challenge alias
     protected $cert_keylength;      # Private key length
+    protected $cert_ecc;            # ECC cert?
 
     // Account details
     protected $account_id;          # AcmeClient account object ID
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 3c0a6881ac..c0289569eb 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -50,7 +50,7 @@ abstract class Base extends \OPNsense\AcmeClient\LeCommon
      * @param $accountuuid string the UUID of the account object
      * @return bool
      */
-    public function init(string $certid, string $accountuuid)
+    public function init(string $certid, string $accountuuid, bool $certecc = false)
     {
         // Get config object
         $this->loadConfig(self::CONFIG_PATH, $this->uuid);
@@ -97,6 +97,9 @@ public function init(string $certid, string $accountuuid)
         $this->acme_args[] = LeUtils::execSafe('--capath %s', sprintf(self::ACME_CHAIN_FILE, $this->cert_id));
         $this->acme_args[] = LeUtils::execSafe('--fullchainpath %s', sprintf(self::ACME_FULLCHAIN_FILE, $this->cert_id));
 
+        // ECC cert
+        $this->cert_ecc = $certecc;
+
         return true;
     }
 
@@ -136,8 +139,8 @@ public function run(bool $renew = false)
         // Issue or renew
         $acme_action = $renew == true ? 'renew' : 'issue';
 
-        // Handle special key types
-        if ($this->cert_keylength == 'ec256' || $this->cert_keylength == 'ec384') {
+        // Handle ECC certs
+        if ($this->cert_ecc) {
             if ($renew == true) {
                 // If it's a renew then pass --ecc to acme client to locate the correct cert directory
                 $this->acme_args[] = '--ecc';

From 973ad0987371b0a5127efeb4a7b7012ba22237a4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 6 Jan 2022 17:45:24 +0100
Subject: [PATCH 0902/3088] net/haproxy: fix custom TCP health checks, closes
 #2653

---
 net/haproxy/pkg-descr                         |  3 +++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 22 +++++++++++--------
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 052d12cec4..c809c34340 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,9 @@ Plugin Changelog
 Added:
 * add SSL SNI setting to servers and health checks (#2388)
 
+Fixed:
+* fix custom TCP health checks (#2653)
+
 Changed:
 * replace "force SSL" setting with "SSL preferences" in health checks (#2388)
 * health check port is no longer an advanced option
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 8eb29fb40f..71e377f182 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1487,25 +1487,29 @@ backend {{backend.name}}
 {%           set healthcheck_enabled = '0' %}
 {%         elif healthcheck_data.type == 'tcp' %}
 {#           # custom TCP health check option #}
+{#           # TODO: add support for multiple send/expect steps, see plugins/#2653 #}
 {%           if healthcheck_data.tcp_enabled|default("") == '1' %}
-{#             # validate options: both must not be disabled at the same time #}
+{#             # check if any of the required values can be found #}
 {%             if healthcheck_data.tcp_sendValue|default("") == "" and healthcheck_data.tcp_matchValue|default("") == "" %}
-    # ERROR: invalid custom TCP health check, missing "sendValue" or "matchValue"
+    # ERROR: invalid custom TCP health check, missing send/expect data
 {%             else %}
+    option tcp-check
+{#             # check for "send" value #}
+{%             if healthcheck_data.tcp_sendValue|default("") != "" %}
+    tcp-check send {{healthcheck_data.tcp_sendValue}}
+{%             endif %}
 {%               set healthcheck_customtcp = [] %}
-{%               do healthcheck_customtcp.append('send ' ~ healthcheck_data.tcp_sendValue) if healthcheck_data.tcp_sendValue|default("") != "" %}
 {%               if healthcheck_data.tcp_matchValue|default("") != "" %}
-{%                 do healthcheck_customtcp.append('expect ' ~ healthcheck_data.tcp_matchType) %}
+{%                 do healthcheck_customtcp.append(healthcheck_data.tcp_matchType) %}
 {%                 if healthcheck_data.tcp_negate == '1' and healthcheck_data.tcp_matchType|default("") != 'binary' %}
 {%                   do healthcheck_customtcp.append('!') %}
 {%                 endif %}
 {%                 do healthcheck_customtcp.append(healthcheck_data.tcp_matchValue) %}
 {%               endif %}
-{#               # XXX: some values (send/match) must be properly escaped (whitespace) #}
-{#               # TODO: add support for multiple send/expect steps #}
-    option tcp-check
-    tcp-check connect
-    tcp-check {{healthcheck_customtcp|join(' ')}}
+{#               # check for "expect" value #}
+{%               if (healthcheck_customtcp|length > 0 ) %}
+    tcp-check expect {{healthcheck_customtcp|join(' ')}}
+{%               endif %}
 {%             endif %}
 {%           endif %}
 {%         elif healthcheck_data.type == 'http' %}

From 9c6eaca8dc22810e2a31b0fa07d2c179b2312485 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 7 Jan 2022 08:25:01 +0100
Subject: [PATCH 0903/3088] security/acme-client: @fraenki ;)

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 0617ed933d..72043e1637 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.7
+PLUGIN_VERSION=		3.8
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 8815fa92270092c7e26787e53630161aebb42558 Mon Sep 17 00:00:00 2001
From: Marvo2011 <Marvin.Edeler@gmail.com>
Date: Fri, 7 Jan 2022 16:44:41 +0100
Subject: [PATCH 0904/3088] Adding Selfhost DNS for acme.sh (#2746)

* Added Selfhost DNS
---
 .../AcmeClient/forms/dialogValidation.xml     | 27 +++++++++++
 .../AcmeClient/LeValidation/DnsSelfhost.php   | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 13 +++++
 3 files changed, 87 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 129d19c1e4..c057c209b3 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1018,6 +1018,33 @@
         <label>API Key</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Selfhost</label>
+        <type>header</type>
+        <style>table_dns table_dns_selfhost</style>
+    </field>
+    <field>
+        <id>validation.dns_selfhost_user</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_selfhost_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>validation.dns_selfhost_rid</id>
+        <label>rid</label>
+        <type>text</type>
+        <help>Please create the TXT Record with Subdomain _acme-challenge first, than you can get the ID from the edit page.</help>
+    </field>
+    <field>
+        <id>validation.dns_selfhost_rid2</id>
+        <label>rid2</label>
+        <type>text</type>
+        <help>Please create a second TXT Record with Subdomain _acme-challenge (needed to support ACME v2).</help>
+    </field>
     <field>
         <label>Servercow</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php
new file mode 100644
index 0000000000..f487e9a014
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Marvo2011
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Selfhost API
+ * @package OPNsense\AcmeClient
+ */
+class DnsSelfhost extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['SELFHOSTDNS_USERNAME'] = (string)$this->config->dns_selfhost_user;
+        $this->acme_env['SELFHOSTDNS_PASSWORD'] = (string)$this->config->dns_selfhost_password;
+        $this->acme_env['SELFHOSTDNS_RID'] = (string)$this->config->dns_selfhost_rid;
+        $this->acme_env['SELFHOSTDNS_RID2'] = (string)$this->config->dns_selfhost_rid2;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index ba2f1711a4..53b71855d4 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -486,6 +486,7 @@
                         <dns_porkbun>Porkbun API</dns_porkbun>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
                         <dns_selectel>selectel.com / selectel.ru domain API</dns_selectel>
+                        <dns_selfhost>Selfhost API</dns_selfhost>
                         <dns_servercow>Servercow API v1</dns_servercow>
                         <dns_unoeuro>UnoEuro API</dns_unoeuro>
                         <dns_variomedia>Variomedia.de API</dns_variomedia>
@@ -923,6 +924,18 @@
                 <dns_sl_key type="TextField">
                     <Required>N</Required>
                 </dns_sl_key>
+                <dns_selfhost_user type="TextField">
+                    <Required>N</Required>
+                </dns_selfhost_user>
+                <dns_selfhost_password type="TextField">
+                    <Required>N</Required>
+                </dns_selfhost_password>
+                <dns_selfhost_rid type="TextField">
+                    <Required>N</Required>
+                </dns_selfhost_rid>
+                <dns_selfhost_rid2 type="TextField">
+                    <Required>N</Required>
+                </dns_selfhost_rid2>
                 <dns_servercow_username type="TextField">
                     <Required>N</Required>
                 </dns_servercow_username>

From 9490497f57e0ba32bc839aae7577521deb555dcf Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 7 Jan 2022 17:59:26 +0100
Subject: [PATCH 0905/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 5b08b3bf0a..b5025b594c 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,11 +10,12 @@ Plugin Changelog
 
 3.8
 
-NOTE: Support for the cPanel API is not functional. It requires
+NOTE: Support for the cPanel and Selfhost API is not functional. It requires
 a new version of acme.sh, which has not been released yet.
 
 Added:
 * add support for cPanel HTTP API (#2731)
+* add support for Selfhost DNS API (#2746)
 
 Fixed:
 * fix calculation of renewal date (#2721)

From bc39b7a4c86761a4063fda2dfd913b12ef82b81f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 7 Jan 2022 09:22:20 +0100
Subject: [PATCH 0906/3088] LICENSE: sync

---
 LICENSE | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/LICENSE b/LICENSE
index 674caff049..7650f46e65 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,7 @@
 Copyright (c) 2015-2020 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
+Copyright (c) 2021 Axelrtgs
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2020 D. Domig
@@ -30,6 +31,7 @@ Copyright (c) 2020 Marc Leuser
 Copyright (c) 2021 Marcel Koepfli
 Copyright (c) 2021 Markus Peter <mpeter@one-it.de>
 Copyright (c) 2020 Martin Wasley
+Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2021 Nim G
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>

From 1a86d52df8da219cbe24681e2ff67167ebad090e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 11 Jan 2022 08:56:59 +0100
Subject: [PATCH 0907/3088] net/freeradius: bump revision for restart
 description change

---
 net/freeradius/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 36189e116b..1cf9e37c6f 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.17
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 5a61822b0ddd5e5ef2c598bd3e8667e98c6caba4 Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Wed, 12 Jan 2022 11:24:08 +0100
Subject: [PATCH 0908/3088] www/nginx: Rework security header forms and adding
 CSP frame-ancestors and HSTS preload directives (#2702)

The security header edit dialog contains many fields and a tabbed
interface for the dialog itself allows better configuration of the headers.
---
 www/nginx/Makefile                            |    2 +-
 www/nginx/README.md                           |    4 +-
 www/nginx/pkg-descr                           |    7 +
 .../OPNsense/Nginx/Api/SettingsController.php |   54 +-
 .../OPNsense/Nginx/forms/security_headers.xml | 1238 +++++++++--------
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   |   85 +-
 .../mvc/app/views/OPNsense/Nginx/index.volt   |    7 +-
 .../views/OPNsense/Nginx/tabbed_dialog.volt   |  183 +++
 .../OPNsense/Nginx/security_rule.conf         |   16 +-
 9 files changed, 1016 insertions(+), 580 deletions(-)
 create mode 100644 www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/tabbed_dialog.volt

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 290dec87ff..1343b145a0 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.25
+PLUGIN_VERSION=		1.26
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/README.md b/www/nginx/README.md
index e094ccd0f6..e90253a919 100644
--- a/www/nginx/README.md
+++ b/www/nginx/README.md
@@ -33,11 +33,11 @@ Most are standard but some endpoints support maps, which are not
 supported by OPNsense core.
 
 You can detect them simply as they are doing more than just a mapping
-to the *base methods.
+to the \*base methods.
 
 Such mappings work in the way that they catch up the request,
 map the internal data first, and then forward their UUIDs
-to the *base method.
+to the \*base method.
 
 ## The nginx plugin as infrastucture
 
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 165ae90fca..77df4834a5 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,13 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.26
+
+* Enhancement of security headers (contributed by Manuel Faux)
+  Add Frame-Ancestors, add "preload", removed deprecated HPKP
+* Performance enhancements for log display
+* Fixed display of vts and logs for non-default styles
+
 1.25
 
 * Reworked logging frontent to support filtering and historic view (contributed by Manuel Faux)
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 8cc0f45871..853a83291a 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -342,7 +342,59 @@ public function sethttprewriteAction($uuid)
     // http security headers
     public function searchsecurityHeaderAction()
     {
-        return $this->searchBase('security_header', array('description'));
+        $data = $this->searchBase('security_header',
+            ['description', 'referrer', 'xssprotection', 'strict_transport_security_time',
+            'enable_csp', 'csp_report_only', 'csp_default_src_enabled', 'csp_script_src_enabled', 'csp_img_src_enabled',
+            'csp_style_src_enabled', 'csp_media_src_enabled', 'csp_font_src_enabled', 'csp_frame_src_enabled',
+            'csp_frame_ancestors_enabled', 'csp_form_action_enabled']);
+
+        // Create "hsts" column (disabled/time)
+        foreach ($data['rows'] as &$row) {
+            if (intval($row['strict_transport_security_time']) > 0) {
+                $row['hsts'] = sprintf(gettext("%d sec"), intval($row['strict_transport_security_time']));
+            } else {
+                $row['hsts'] = gettext('disabled');
+            }
+        }
+
+        // Create "csp" column (enabled/report only/disabled)
+        foreach ($data['rows'] as &$row) {
+            if ($row['enable_csp']) {
+                if ($row['csp_report_only']) {
+                    $row['csp'] = gettext('report only');
+                } else {
+                    $row['csp'] = gettext('enabled');
+                }
+            } else {
+                $row['csp'] = gettext('disabled');
+            }
+        }
+
+        // Create "csp_details" column
+        foreach ($data['rows'] as &$row) {
+            if ($row['enable_csp']) {
+                $enabled = [];
+                if ($row['csp_default_src_enabled']) $enabled[] = gettext("Default Source");
+                if ($row['csp_script_src_enabled']) $enabled[] = gettext("Script Source");
+                if ($row['csp_img_src_enabled']) $enabled[] = gettext("Image Source");
+                if ($row['csp_style_src_enabled']) $enabled[] = gettext("Style Source");
+                if ($row['csp_media_src_enabled']) $enabled[] = gettext("Media Source");
+                if ($row['csp_font_src_enabled']) $enabled[] = gettext("Font Source");
+                if ($row['csp_frame_src_enabled']) $enabled[] = gettext("Frame Source");
+                if ($row['csp_frame_ancestors_enabled']) $enabled[] = gettext("Frame Ancestors");
+                if ($row['csp_form_action_enabled']) $enabled[] = gettext("Form Action");
+
+                if (count($enabled)) {
+                    $row['csp_details'] = implode(', ', $enabled);
+                } else {
+                    $row['csp_details'] = gettext('none');
+                }
+            } else {
+                $row['csp_details'] = '';
+            }
+        }
+
+        return $data;
     }
 
     public function getsecurityHeaderAction($uuid = null)
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
index f4004ea58c..a5a2eab0b1 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
@@ -1,553 +1,689 @@
 <form>
-  <field>
-    <id>security_header.description</id>
-    <label>Description</label>
-    <type>text</type>
-    <help>This is only for your reference.</help>
-  </field>
-  <field>
-    <id>security_header.referrer</id>
-    <label>Referrer</label>
-    <style>selectpicker</style>
-    <type>dropdown</type>
-    <help><![CDATA[
-      <ul>
-        <li>Same Origin: The header will be sent if you stay on the same server using the same protocol (no data leak)</li>
-        <li>No Referrer When Downgrade: Prevents sending a referrer when switching from HTTPS to HTTP</li>
-        <li>Origin, Strict-Origin: Always send the header but no path or query information. Strict Origin additionally suppressed the header on downgrades.</li>
-        <li>(Strict) Origin When Cross Origin: Full Referrer on the same origin, and like (Strict) Origin when cross domain.</li>
-        <li>Unsafe URL: Sends the full URL to all pages</li>
-      </ul> ]]></help>
-  </field>
-  <field>
-    <id>security_header.xssprotection</id>
-    <label>XSS Protection</label>
-    <style>selectpicker</style>
-    <type>dropdown</type>
-    <help><![CDATA[
-      <ul>
-        <li>Block: The browser should block the response</li>
-        <li>Off: Allow Anything</li>
-        <li>On: The Browser decides how to handle it.</li>
-      </ul> ]]></help>
-  </field>
-  <field>
-    <id>security_header.content_type_options</id>
-    <label>Don't Sniff Content Type</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.strict_transport_security_time</id>
-    <label>Strict Transport Security: Time</label>
-    <type>text</type>
-    <help>A time in seconds in which the transport security (TLS) should be enforced.</help>
-  </field>
-  <field>
-    <id>security_header.strict_transport_security_include_subdomains</id>
-    <label>Strict Transport Security: Include Subdomains</label>
-    <type>checkbox</type>
-    <help>If checked, also subdomains are affected.</help>
-  </field>
-  <field>
-    <id>security_header.hpkp_keys</id>
-    <label>HTTP Public Key Pinning: Fingerprints</label>
-    <type>select_multiple</type>
-    <style>tokenize</style>
-    <allownew>true</allownew>
-    <help><![CDATA[ Enter a comma separated list of public key fingerprints here.
-    You can find some documentetion about this feature in the
-    <a href="https://developer.mozilla.org/de/docs/Web/Security/Public_Key_Pinning">Mozilla Wiki</a>.
-    It is not recommended to use this feature with short lived certificates.]]></help>
-  </field>
-  <field>
-    <id>security_header.hpkp_report_only</id>
-    <label>HTTP Public Key Pinning: Report Only</label>
-    <type>checkbox</type>
-    <help>If you only want to test it, you can check this box (policy will be deployed but not enforced).</help>
-  </field>
-  <field>
-    <id>security_header.hpkp_time</id>
-    <label>HTTP Public Key Pinning: Max Age</label>
-    <type>text</type>
-  </field>
-  <field>
-    <id>security_header.hpkp_include_subdomains</id>
-    <label>HTTP Public Key Pinning: Include Subdomains</label>
-    <type>checkbox</type>
-    <help>If checked, also subdomains are affected.</help>
-  </field>
-  <field>
-    <id>security_header.enable_csp</id>
-    <label>Content Security Policy: Enable</label>
-    <type>checkbox</type>
-    <help>If checked, the CSP is enabled.</help>
-  </field>
-  <field>
-    <id>security_header.csp_report_only</id>
-    <label>Content Security Policy: Report Only</label>
-    <type>checkbox</type>
-    <help>If checked, the CSP is not enforced (learning mode).</help>
-  </field>
-  <field>
-    <type>header</type>
-    <label>Content Security Policy: Default Source</label>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_enabled</id>
-    <label>Enable</label>
-    <type>checkbox</type>
-    <help>If checked, this part of the CSP is enabled.</help>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_data_urls</id>
-    <label>Enable Data URLs</label>
-    <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_http_urls</id>
-    <label>Enable HTTP(S) URLs</label>
-    <type>select_multiple</type>
-    <allownew>true</allownew>
-    <style>tokenize</style>
-    <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
-      You can use wildcards here like https://*.exmaple.com.</help>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_inline</id>
-    <label>Enable Inline Scripting</label>
-    <type>checkbox</type>
-    <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
-      Examples are the script and the style tags.</help>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_eval</id>
-    <label>Enable Eval</label>
-    <type>checkbox</type>
-    <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_self</id>
-    <label>Enable Same Origin (recommended)</label>
-    <type>checkbox</type>
-    <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_blob</id>
-    <label>Enable Blobs</label>
-    <type>checkbox</type>
-    <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_mediastream</id>
-    <label>Enable Media Streams</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_filesystem</id>
-    <label>Enable File System URLs</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_default_src_none</id>
-    <label>Forbid Explicitly</label>
-    <type>checkbox</type>
-    <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
-  </field>
-  <field>
-    <type>header</type>
-    <label>Content Security Policy: Script Source</label>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_enabled</id>
-    <label>Enable</label>
-    <type>checkbox</type>
-    <help>If checked, this part of the CSP is enabled.</help>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_data_urls</id>
-    <label>Enable Data URLs</label>
-    <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_http_urls</id>
-    <label>Enable HTTP(S) URLs</label>
-    <type>select_multiple</type>
-    <allownew>true</allownew>
-    <style>tokenize</style>
-    <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
-      You can use wildcards here like https://*.exmaple.com.</help>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_inline</id>
-    <label>Enable Inline Scripting</label>
-    <type>checkbox</type>
-    <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
-      Examples are the script and the style tags.</help>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_eval</id>
-    <label>Enable Eval</label>
-    <type>checkbox</type>
-    <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_self</id>
-    <label>Enable Same Origin (recommended)</label>
-    <type>checkbox</type>
-    <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_blob</id>
-    <label>Enable Blobs</label>
-    <type>checkbox</type>
-    <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_mediastream</id>
-    <label>Enable Media Streams</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_filesystem</id>
-    <label>Enable File System URLs</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_script_src_none</id>
-    <label>Forbid Explicitly</label>
-    <type>checkbox</type>
-    <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
-  </field>
-  <field>
-    <type>header</type>
-    <label>Content Security Policy: Image Source</label>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_enabled</id>
-    <label>Enable</label>
-    <type>checkbox</type>
-    <help>If checked, this part of the CSP is enabled.</help>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_data_urls</id>
-    <label>Enable Data URLs</label>
-    <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_http_urls</id>
-    <label>Enable HTTP(S) URLs</label>
-    <type>select_multiple</type>
-    <allownew>true</allownew>
-    <style>tokenize</style>
-    <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
-      You can use wildcards here like https://*.exmaple.com.</help>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_inline</id>
-    <label>Enable Inline Scripting</label>
-    <type>checkbox</type>
-    <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
-      Examples are the script and the style tags.</help>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_eval</id>
-    <label>Enable Eval</label>
-    <type>checkbox</type>
-    <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_self</id>
-    <label>Enable Same Origin (recommended)</label>
-    <type>checkbox</type>
-    <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_blob</id>
-    <label>Enable Blobs</label>
-    <type>checkbox</type>
-    <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_mediastream</id>
-    <label>Enable Media Streams</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_filesystem</id>
-    <label>Enable File System URLs</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_img_src_none</id>
-    <label>Forbid Explicitly</label>
-    <type>checkbox</type>
-    <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
-  </field>
-  <field>
-    <type>header</type>
-    <label>Content Security Policy: Stylesheet Source</label>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_enabled</id>
-    <label>Enable</label>
-    <type>checkbox</type>
-    <help>If checked, this part of the CSP is enabled.</help>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_data_urls</id>
-    <label>Enable Data URLs</label>
-    <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_http_urls</id>
-    <label>Enable HTTP(S) URLs</label>
-    <type>select_multiple</type>
-    <allownew>true</allownew>
-    <style>tokenize</style>
-    <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
-      You can use wildcards here like https://*.exmaple.com.</help>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_inline</id>
-    <label>Enable Inline Scripting</label>
-    <type>checkbox</type>
-    <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
-      Examples are the script and the style tags.</help>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_eval</id>
-    <label>Enable Eval</label>
-    <type>checkbox</type>
-    <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_self</id>
-    <label>Enable Same Origin (recommended)</label>
-    <type>checkbox</type>
-    <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_blob</id>
-    <label>Enable Blobs</label>
-    <type>checkbox</type>
-    <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_mediastream</id>
-    <label>Enable Media Streams</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_filesystem</id>
-    <label>Enable File System URLs</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_style_src_none</id>
-    <label>Forbid Explicitly</label>
-    <type>checkbox</type>
-    <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
-  </field>
-  <field>
-    <type>header</type>
-    <label>Content Security Policy: Media Source</label>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_enabled</id>
-    <label>Enable</label>
-    <type>checkbox</type>
-    <help>If checked, this part of the CSP is enabled.</help>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_data_urls</id>
-    <label>Enable Data URLs</label>
-    <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_http_urls</id>
-    <label>Enable HTTP(S) URLs</label>
-    <type>select_multiple</type>
-    <allownew>true</allownew>
-    <style>tokenize</style>
-    <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
-      You can use wildcards here like https://*.exmaple.com.</help>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_inline</id>
-    <label>Enable Inline Scripting</label>
-    <type>checkbox</type>
-    <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
-      Examples are the script and the style tags.</help>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_eval</id>
-    <label>Enable Eval</label>
-    <type>checkbox</type>
-    <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_self</id>
-    <label>Enable Same Origin (recommended)</label>
-    <type>checkbox</type>
-    <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_blob</id>
-    <label>Enable Blobs</label>
-    <type>checkbox</type>
-    <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_mediastream</id>
-    <label>Enable Media Streams</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_filesystem</id>
-    <label>Enable File System URLs</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_media_src_none</id>
-    <label>Forbid Explicitly</label>
-    <type>checkbox</type>
-    <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
-  </field>
-  <field>
-    <type>header</type>
-    <label>Content Security Policy: Font Source</label>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_enabled</id>
-    <label>Enable</label>
-    <type>checkbox</type>
-    <help>If checked, this part of the CSP is enabled.</help>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_data_urls</id>
-    <label>Enable Data URLs</label>
-    <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_http_urls</id>
-    <label>Enable HTTP(S) URLs</label>
-    <type>select_multiple</type>
-    <allownew>true</allownew>
-    <style>tokenize</style>
-    <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
-      You can use wildcards here like https://*.exmaple.com.</help>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_inline</id>
-    <label>Enable Inline Scripting</label>
-    <type>checkbox</type>
-    <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
-      Examples are the script and the style tags.</help>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_eval</id>
-    <label>Enable Eval</label>
-    <type>checkbox</type>
-    <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_self</id>
-    <label>Enable Same Origin (recommended)</label>
-    <type>checkbox</type>
-    <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_blob</id>
-    <label>Enable Blobs</label>
-    <type>checkbox</type>
-    <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_mediastream</id>
-    <label>Enable Media Streams</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_filesystem</id>
-    <label>Enable File System URLs</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_font_src_none</id>
-    <label>Forbid Explicitly</label>
-    <type>checkbox</type>
-    <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
-  </field>
-  <field>
-    <type>header</type>
-    <label>Content Security Policy: Form Action</label>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_enabled</id>
-    <label>Enable</label>
-    <type>checkbox</type>
-    <help>If checked, this part of the CSP is enabled.</help>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_data_urls</id>
-    <label>Enable Data URLs</label>
-    <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_http_urls</id>
-    <label>Enable HTTP(S) URLs</label>
-    <type>select_multiple</type>
-    <allownew>true</allownew>
-    <style>tokenize</style>
-    <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
-      You can use wildcards here like https://*.exmaple.com.</help>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_inline</id>
-    <label>Enable Inline Scripting</label>
-    <type>checkbox</type>
-    <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
-      Examples are the script and the style tags.</help>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_eval</id>
-    <label>Enable Eval</label>
-    <type>checkbox</type>
-    <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_self</id>
-    <label>Enable Same Origin (recommended)</label>
-    <type>checkbox</type>
-    <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_blob</id>
-    <label>Enable Blobs</label>
-    <type>checkbox</type>
-    <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_mediastream</id>
-    <label>Enable Media Streams</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_filesystem</id>
-    <label>Enable File System URLs</label>
-    <type>checkbox</type>
-  </field>
-  <field>
-    <id>security_header.csp_form_action_none</id>
-    <label>Forbid Explicitly</label>
-    <type>checkbox</type>
-    <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
-  </field>
+  <tab id="general" description="General">
+    <field>
+      <type>header</type>
+      <label>General</label>
+    </field>
+    <field>
+      <id>security_header.description</id>
+      <label>Description</label>
+      <type>text</type>
+      <help>This is only for your reference.</help>
+    </field>
+    <field>
+      <id>security_header.referrer</id>
+      <label>Referrer</label>
+      <style>selectpicker</style>
+      <type>dropdown</type>
+      <help><![CDATA[
+        <ul>
+          <li>Same Origin: The header will be sent if you stay on the same server using the same protocol (no data leak)</li>
+          <li>No Referrer When Downgrade: Prevents sending a referrer when switching from HTTPS to HTTP</li>
+          <li>Origin, Strict-Origin: Always send the header but no path or query information. Strict Origin additionally suppressed the header on downgrades.</li>
+          <li>(Strict) Origin When Cross Origin: Full Referrer on the same origin, and like (Strict) Origin when cross domain.</li>
+          <li>Unsafe URL: Sends the full URL to all pages</li>
+        </ul> ]]></help>
+    </field>
+    <field>
+      <id>security_header.xssprotection</id>
+      <label>XSS Protection</label>
+      <style>selectpicker</style>
+      <type>dropdown</type>
+      <help><![CDATA[
+        <ul>
+          <li>Block: The browser should block the response</li>
+          <li>Off: Allow Anything</li>
+          <li>On: The Browser decides how to handle it.</li>
+        </ul> ]]></help>
+    </field>
+    <field>
+      <id>security_header.content_type_options</id>
+      <label>Don't Sniff Content Type</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <type>header</type>
+      <label>HTTP Strict Transport Security (HSTS)</label>
+    </field>
+    <field>
+      <id>security_header.strict_transport_security_time</id>
+      <label>Time (Max Age)</label>
+      <type>text</type>
+      <help>A time in seconds in which the transport security (TLS) should be enforced.</help>
+    </field>
+    <field>
+      <id>security_header.strict_transport_security_include_subdomains</id>
+      <label>Include Subdomains</label>
+      <type>checkbox</type>
+      <help>If checked, also subdomains are affected.</help>
+    </field>
+    <field>
+      <id>security_header.strict_transport_security_preload</id>
+      <label>Preload</label>
+      <type>checkbox</type>
+      <help><![CDATA[If checked, the preload directive is added. Google maintains <a href="https://hstspreload.org/">an HSTS preload service</a>. By following the guidelines and successfully submitting your domain, browsers will never connect to your domain using an insecure connection. While the service is hosted by Google, all browsers have stated an intent to use (or actually started using) the preload list. However, it is not part of the HSTS specification and should not be treated as official.]]></help>
+    </field>
+    <field>
+      <type>header</type>
+      <label>Content Security Policy (CSP)</label>
+    </field>
+    <field>
+      <id>security_header.enable_csp</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, the Content Security Policy (CSP) header is enabled. A detailed configuration is still required via the other tabs of this sheet.</help>
+    </field>
+    <field>
+      <id>security_header.csp_report_only</id>
+      <label>Report Only</label>
+      <type>checkbox</type>
+      <help>If checked, the CSP is not enforced (learning mode).</help>
+    </field>
+  </tab>
+  <tab id="default_source" description="Default Source">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Default Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_default_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
+  <tab id="script-src" description="Script">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Script Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_script_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
+  <tab id="image-src" description="Image">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Image Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_img_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
+  <tab id="styleseet-src" description="Stylesheet">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Stylesheet Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_style_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
+  <tab id="media-src" description="Media">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Media Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_media_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
+  <tab id="frame" description="Frame">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Frame Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_frame_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Frame Ancestors</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_frame_ancestors_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_ancestors_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_frame_ancestors_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_ancestors_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_ancestors_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_frame_ancestors_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_frame_ancestors_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_frame_ancestors_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
+  <tab id="font-src" description="Font">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Font Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_font_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
+  <tab id="form-action" description="Form">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Form Action</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_mediastream</id>
+      <label>Enable Media Streams</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_form_action_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 07411f8568..ddcdcf19d5 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1194,19 +1194,10 @@
         <Required>Y</Required>
         <default>1</default>
       </strict_transport_security_include_subdomains>
-      <hpkp_keys type="CSVListField">
-        <Required>N</Required>
-        <mask>/[a-z0-9\+\/=]+(,[a-z0-9\+\/=]+)*/i</mask>
-      </hpkp_keys>
-      <hpkp_report_only type="BooleanField">
-        <Required>Y</Required>
-      </hpkp_report_only>
-      <hpkp_time type="IntegerField">
-        <Required>N</Required>
-      </hpkp_time>
-      <hpkp_include_subdomains type="BooleanField">
+      <strict_transport_security_preload type="BooleanField">
         <Required>Y</Required>
-      </hpkp_include_subdomains>
+        <default>0</default>
+      </strict_transport_security_preload>
       <enable_csp type="BooleanField">
         <Required>Y</Required>
       </enable_csp>
@@ -1448,6 +1439,76 @@
         <Required>Y</Required>
         <default>0</default>
       </csp_font_src_none>
+      <csp_frame_src_enabled type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_enabled>
+      <csp_frame_src_data_urls type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_data_urls>
+      <csp_frame_src_http_urls type="CSVListField">
+        <Required>N</Required>
+      </csp_frame_src_http_urls>
+      <csp_frame_src_inline type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_inline>
+      <csp_frame_src_eval type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_eval>
+      <csp_frame_src_self type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_self>
+      <csp_frame_src_blob type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_blob>
+      <csp_frame_src_mediastream type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_mediastream>
+      <csp_frame_src_filesystem type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_filesystem>
+      <csp_frame_src_none type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_src_none>
+      <csp_frame_ancestors_enabled type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_ancestors_enabled>
+      <csp_frame_ancestors_data_urls type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_ancestors_data_urls>
+      <csp_frame_ancestors_http_urls type="CSVListField">
+        <Required>N</Required>
+      </csp_frame_ancestors_http_urls>
+      <csp_frame_ancestors_self type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_ancestors_self>
+      <csp_frame_ancestors_blob type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_ancestors_blob>
+      <csp_frame_ancestors_mediastream type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_ancestors_mediastream>
+      <csp_frame_ancestors_filesystem type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_ancestors_filesystem>
+      <csp_frame_ancestors_none type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_frame_ancestors_none>
       <csp_form_action_enabled type="BooleanField">
         <Required>Y</Required>
         <default>0</default>
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index 72bd40d91f..eacb21ea14 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -478,6 +478,11 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="referrer" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Referrer') }}</th>
+                    <th data-column-id="xssprotection" data-type="string" data-sortable="true" data-visible="true">{{ lang._('XSS Protection') }}</th>
+                    <th data-column-id="hsts" data-type="string" data-sortable="true" data-visible="true">{{ lang._('HSTS') }}</th>
+                    <th data-column-id="csp" data-type="string" data-sortable="true" data-visible="true">{{ lang._('CSP') }}</th>
+                    <th data-column-id="csp_details" data-type="string" data-sortable="true" data-visible="false">{{ lang._('CSP Rules') }}</th>
                     <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
@@ -691,7 +696,7 @@
 {{ partial("layout_partials/base_dialog",['fields': httprewrite,'id':'httprewritedlg', 'label':lang._('Edit URL Rewrite')]) }}
 {{ partial("layout_partials/base_dialog",['fields': naxsi_custom_policy,'id':'custompolicydlg', 'label':lang._('Edit WAF Policy')]) }}
 {{ partial("layout_partials/base_dialog",['fields': naxsi_rule,'id':'naxsiruledlg', 'label':lang._('Edit Naxsi Rule')]) }}
-{{ partial("layout_partials/base_dialog",['fields': security_headers,'id':'security_headersdlg', 'label':lang._('Edit Security Headers')]) }}
+{{ partial("OPNsense/Nginx/tabbed_dialog",['fields': security_headers,'id':'security_headersdlg', 'label':lang._('Edit Security Headers')]) }}
 {{ partial("layout_partials/base_dialog",['fields': limit_request_connection,'id':'limit_request_connectiondlg', 'label':lang._('Edit Request Connection Limit')]) }}
 {{ partial("layout_partials/base_dialog",['fields': limit_zone,'id':'limit_zonedlg', 'label':lang._('Edit Limit Zone')]) }}
 {{ partial("layout_partials/base_dialog",['fields': cache_path,'id':'cache_pathdlg', 'label':lang._('Edit Cache Path')]) }}
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/tabbed_dialog.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/tabbed_dialog.volt
new file mode 100644
index 0000000000..0d5e75e9f0
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/tabbed_dialog.volt
@@ -0,0 +1,183 @@
+{#
+ # Copyright (c) 2021 Manuel Faux
+ # OPNsense® is Copyright © 2014-2021 by Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+{#
+ # Generate input dialog, uses the following parameters (as associative array):
+ #
+ # fields          :   list of field type objects, see form_input_tr tag for details
+ # id              :   form id, used as unique id for this modal form. inner form to place data is called frm_[id]
+ #                     save button is identified by btn_[id]_save
+ # label           :   dialog label
+ #}
+
+{# Volt templates in php7 have issues with scope sometimes, copy input values to make them more unique #}
+{% set base_dialog_id=id %}
+{% set base_dialog_fields=fields %}
+{% set base_dialog_label=label %}
+
+{# Find if there are help supported or advanced field on this page #}
+{% set base_dialog_help=false %}
+{% set base_dialog_advanced=false %}
+{% for field in base_dialog_fields|default({})%}
+    {% for name,element in field %}
+        {% if name=='help' %}
+            {% set base_dialog_help=true %}
+        {% endif %}
+        {% if name=='advanced' %}
+            {% set base_dialog_advanced=true %}
+        {% endif %}
+    {% endfor %}
+    {% if base_dialog_help|default(false) and base_dialog_advanced|default(false) %}
+        {% break %}
+    {% endif %}
+{% endfor %}
+
+<script>
+    $(function() {
+        // hook into on-show event to extend validation
+        $('#{{base_dialog_id}}').on('shown.bs.modal', function (e) {
+            $('.nav-tabs a[href="#frm_{{base_dialog_id}}-tab_general"]').tab('show');
+
+            $("#btn_{{base_dialog_id}}_save").click(function() {
+                // TODO: Search for tab with validation errors, but currently only the first tab has even validation rules
+                $('.nav-tabs a[href="#frm_{{base_dialog_id}}-tab_general"]').tab('show');
+            });
+        })
+
+        // Read currently selected tab in main form and store for later
+        $('#{{base_dialog_id}}').on('show.bs.modal', function (e) {
+            $('#{{base_dialog_id}}').attr("data-inittab", window.location.hash);
+        });
+        // Restore selected tab of main form as URL was modified by dialog tabs
+        $('#{{base_dialog_id}}').on('hide.bs.modal', function (e) {
+            window.location.hash = $('#{{base_dialog_id}}').attr("data-inittab");
+        });
+    });
+</script>
+
+<div class="modal fade" id="{{base_dialog_id}}" tabindex="-1" role="dialog" aria-labelledby="{{base_dialog_id}}Label" aria-hidden="true">
+    <div class="modal-backdrop fade in"></div>
+    <div class="modal-dialog modal-lg">
+        <div class="modal-content">
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-label="{{ lang._('Close') }}"><span aria-hidden="true">&times;</span></button>
+                <h4 class="modal-title" id="{{base_dialog_id}}Label">{{base_dialog_label}}</h4>
+            </div>
+            <div class="modal-body">
+                <ul class="nav nav-tabs" role="tablist" id="dialogtabs">
+                    {% for field in base_dialog_fields['tabs']|default({})%}
+                    <li>
+                        <a data-toggle="tab" href="#frm_{{base_dialog_id}}-tab_{{field[0]}}"><b>{{field[1]}}</b></a>
+                    </li>
+                    {% endfor %}
+                </ul>
+                <form id="frm_{{base_dialog_id}}">
+                    <div class="content-box tab-content">
+                        <div class="table-responsive">
+                            <table class="table table-striped table-condensed">
+                                <colgroup>
+                                    <col class="col-md-3"/>
+                                    <col class="col-md-{{ 12-3-msgzone_width|default(5) }}"/>
+                                    <col class="col-md-{{ msgzone_width|default(5) }}"/>
+                                </colgroup>
+                                <tbody>
+                                {%  if base_dialog_advanced|default(false) or base_dialog_help|default(false) %}
+                                    <tr>
+                                        <td>{% if base_dialog_advanced|default(false) %}<a href="#"><i class="fa fa-toggle-off text-danger" id="show_advanced_formDialog{{base_dialog_id}}"></i></a> <small>{{ lang._('advanced mode') }}</small>{% endif %}</td>
+                                        <td colspan="2" style="text-align:right;">
+                                            {% if base_dialog_help|default(false) %}<small>{{ lang._('full help') }}</small> <a href="#"><i class="fa fa-toggle-off text-danger" id="show_all_help_formDialog{{base_dialog_id}}"></i></a>{% endif %}
+                                        </td>
+                                    </tr>
+                                {% endif %}
+                                </tbody>
+                            </table>
+                        </div>
+                        {% for tab in base_dialog_fields['tabs']|default({})%}
+                        <div id="frm_{{base_dialog_id}}-tab_{{tab[0]}}" class="tab-pane fade">
+                            <div class="table-responsive">
+                                <table class="table table-striped table-condensed">
+                                    <colgroup>
+                                        <col class="col-md-3"/>
+                                        <col class="col-md-{{ 12-3-msgzone_width|default(5) }}"/>
+                                        <col class="col-md-{{ msgzone_width|default(5) }}"/>
+                                    </colgroup>
+                                    <tbody>
+                            {% for field in tab[2]|default({})%}
+                                {# looks a bit buggy in the volt templates, field parameters won't reset properly here #}
+                                {% set advanced=false %}
+                                {% set help=false %}
+                                {% set hint=false %}
+                                {% set style=false %}
+                                {% set maxheight=false %}
+                                {% set width=false %}
+                                {% set allownew=false %}
+                                {% set readonly=false %}
+                                {% if field['type'] == 'header' %}
+                                    </tbody>
+                                </table>
+                            </div>
+                            <div class="table-responsive {{field['style']|default('')}}">
+                                <table class="table table-striped table-condensed">
+                                    <colgroup>
+                                        <col class="col-md-3"/>
+                                        <col class="col-md-{{ 12-3-msgzone_width|default(5) }}"/>
+                                        <col class="col-md-{{ msgzone_width|default(5) }}"/>
+                                    </colgroup>
+                                    <thead>
+                                        <tr{% if field['advanced']|default(false)=='true' %} data-advanced="true"{% endif %}>
+                                            <th colspan="3">
+                                                <h2>{{field['label']}}</h2>
+                                                {%- if field['hint']|default(false) %}
+                                                <small>{{field['hint']}}</small>
+                                                {%- endif %}
+                                            </th>
+                                        </tr>
+                                    </thead>
+                                    <tbody>
+                                {% else %}
+                                  {{ partial("layout_partials/form_input_tr",field)}}
+                                {% endif %}
+                            {% endfor %}
+                                    </tbody>
+                                </table>
+                            </div>
+                        </div>
+                        {% endfor %}
+                    </div>
+                </form>
+            </div>
+            <div class="modal-footer">
+                {% if hasSaveBtn|default('true') == 'true' %}
+                <button type="button" class="btn btn-default" data-dismiss="modal">{{ lang._('Cancel') }}</button>
+                <button type="button" class="btn btn-primary" id="btn_{{base_dialog_id}}_save">{{ lang._('Save') }} <i id="btn_{{base_dialog_id}}_save_progress" class=""></i></button>
+                {% else %}
+                <button type="button" class="btn btn-default" data-dismiss="modal">{{ lang._('Close') }}</button>
+                {% endif %}
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
index 73ab27993e..f309c4cbf2 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
@@ -1,3 +1,4 @@
+    # security rules
 {% if security_rule.referrer is defined %}
 {% do our_headers.append('Referrer-Policy') %}
     add_header Referrer-Policy "{{ security_rule.referrer }}" always;
@@ -13,21 +14,12 @@
 {% if security_rule.strict_transport_security_time is defined %}
 {% do our_headers.append('Strict-Transport-Security') %}
     add_header Strict-Transport-Security "max-age={{ security_rule.strict_transport_security_time }}{%
-  if security_rule.strict_transport_security_include_subdomains is defined and
-     security_rule.strict_transport_security_include_subdomains == '1' %}; includeSubDomains{% endif %}" always;
-{% endif %}
-{% if security_rule.hpkp_keys is defined and security_rule.hpkp_time is defined %}
-{% do our_headers.append('Public-Key-Pins') %}
-{% do our_headers.append('Public-Key-Pins-Report-Only') %}
-    add_header Public-Key-Pins{% if security_rule.hpkp_report_only is defined and security_rule.hpkp_report_only == '1'
-  %}-Report-Only{% endif %} "{% for key in security_rule.hpkp_keys.split(',')
-  %}pin-sha256={{ key }}; {% endfor %}max-age={{ security_rule.hpkp_time }}{%
-  if security_rule.hpkp_include_subdomains is defined and
-     security_rule.hpkp_include_subdomains == '1' %}; includeSubDomains{% endif %}" always;
+  if security_rule.strict_transport_security_include_subdomains|default('0') == '1' %}; includeSubDomains{% endif %}{%
+  if security_rule.strict_transport_security_preload|default('0') == '1' %}; preload{% endif %}" always;
 {% endif %}
 {% if security_rule.enable_csp is defined and security_rule.enable_csp == '1' %}
 {% set hash_csp = {} %}
-{%   for csp_category in ['default-src', 'script-src', 'img-src', 'style-src', 'media-src', 'font-src', 'form-action'] %}
+{%   for csp_category in ['default-src', 'script-src', 'img-src', 'style-src', 'media-src', 'font-src', 'frame-src', 'frame-ancestors', 'form-action'] %}
 {%     set prefix = 'csp_' + csp_category.replace('-', '_') + '_' %}
 {%     if security_rule[prefix + 'enabled'] == '1' %}
 {%       set current_list = [] %}

From ecd60155980709115871d6c051ca3a06c49b57a6 Mon Sep 17 00:00:00 2001
From: Alanin <alanin@alanin.de>
Date: Thu, 13 Jan 2022 09:17:21 +0100
Subject: [PATCH 0909/3088] net/freeradius: options for fallback vlan (#2566)

---
 net/freeradius/Makefile                       |  3 +--
 net/freeradius/pkg-descr                      |  4 ++++
 .../OPNsense/Freeradius/forms/general.xml     | 14 +++++++++++
 .../models/OPNsense/Freeradius/General.xml    | 24 ++++++++++++++++++-
 .../templates/OPNsense/Freeradius/users       |  8 +++++++
 5 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 1cf9e37c6f..a98a82cb33 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.17
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.9.18
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 48d2418319..d2006a9d0d 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.18
+
+* Added support for fallback VLAN
+
 1.9.17
 
 * Added support for Extreme networks EXOS switch Extreme-Netlogin-Extended-VLAN VSA and policy for GEN2 (contributed by Pasi Suominen)
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
index 65a8795af1..c97af703e6 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
@@ -11,6 +11,20 @@
         <type>checkbox</type>
         <help>This allows you to dynamically assign VLANs on your physical switch ports.</help>
     </field>
+    <field>
+        <id>general.fallbackvlan_enabled</id>
+        <label>Enable VLAN fallback assignment</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>This allows you to define a fallback VLAN-Group-ID. Warning: Setting this option will send an accepted RADIUS reply even if the authentication attempt fails.</help>
+    </field>
+    <field>
+        <id>general.fallbackvlan_id</id>
+        <label>Fallback VLAN ID</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Define the Fallback VLAN group ID.</help>
+    </field>
     <field>
         <id>general.ldap_enabled</id>
         <label>Enable LDAP</label>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
index be78892afe..a0aa117928 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/general</mount>
     <description>FreeRADIUS configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -11,6 +11,28 @@
             <default>0</default>
             <Required>N</Required>
         </vlanassign>
+        <fallbackvlan_enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+            <Constraints>
+                <check001>
+                    <reference>fallbackvlan_id.check001</reference>
+                </check001>
+            </Constraints>
+        </fallbackvlan_enabled>
+        <fallbackvlan_id type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>4096</MaximumValue>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>You need to set a propper VLAN ID.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>fallbackvlan_enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
+        </fallbackvlan_id>
         <ldap_enabled type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index 3d1f99e6ab..a7c46550e6 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -98,4 +98,12 @@ DEFAULT Hint == "CSLIP"
 
 DEFAULT Hint == "SLIP"
         Framed-Protocol = SLIP
+{%  if helpers.exists('OPNsense.freeradius.general.fallbackvlan_enabled') and OPNsense.freeradius.general.fallbackvlan_enabled == '1' %}
+
+DEFAULT Auth-Type := Accept
+       Tunnel-Type = VLAN,
+       Tunnel-Medium-Type = IEEE-802,
+       Tunnel-Private-Group-Id = {{ OPNsense.freeradius.general.fallbackvlan_id }},
+       Framed-Protocol = PPP
+{%  endif %}
 {% endif %}

From 1ab87794b318d41aa23b4b79b0952ea6ac9ebc5a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jan 2022 08:14:31 +0100
Subject: [PATCH 0910/3088] www/nginx: style sweep

---
 .../OPNsense/Nginx/Api/SettingsController.php | 43 ++++++++++++++-----
 1 file changed, 32 insertions(+), 11 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 853a83291a..19d73ae696 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -342,11 +342,14 @@ public function sethttprewriteAction($uuid)
     // http security headers
     public function searchsecurityHeaderAction()
     {
-        $data = $this->searchBase('security_header',
+        $data = $this->searchBase(
+            'security_header',
             ['description', 'referrer', 'xssprotection', 'strict_transport_security_time',
             'enable_csp', 'csp_report_only', 'csp_default_src_enabled', 'csp_script_src_enabled', 'csp_img_src_enabled',
             'csp_style_src_enabled', 'csp_media_src_enabled', 'csp_font_src_enabled', 'csp_frame_src_enabled',
-            'csp_frame_ancestors_enabled', 'csp_form_action_enabled']);
+            'csp_frame_ancestors_enabled',
+            'csp_form_action_enabled']
+        );
 
         // Create "hsts" column (disabled/time)
         foreach ($data['rows'] as &$row) {
@@ -374,15 +377,33 @@ public function searchsecurityHeaderAction()
         foreach ($data['rows'] as &$row) {
             if ($row['enable_csp']) {
                 $enabled = [];
-                if ($row['csp_default_src_enabled']) $enabled[] = gettext("Default Source");
-                if ($row['csp_script_src_enabled']) $enabled[] = gettext("Script Source");
-                if ($row['csp_img_src_enabled']) $enabled[] = gettext("Image Source");
-                if ($row['csp_style_src_enabled']) $enabled[] = gettext("Style Source");
-                if ($row['csp_media_src_enabled']) $enabled[] = gettext("Media Source");
-                if ($row['csp_font_src_enabled']) $enabled[] = gettext("Font Source");
-                if ($row['csp_frame_src_enabled']) $enabled[] = gettext("Frame Source");
-                if ($row['csp_frame_ancestors_enabled']) $enabled[] = gettext("Frame Ancestors");
-                if ($row['csp_form_action_enabled']) $enabled[] = gettext("Form Action");
+                if ($row['csp_default_src_enabled']) {
+                    $enabled[] = gettext("Default Source");
+                }
+                if ($row['csp_script_src_enabled']) {
+                    $enabled[] = gettext("Script Source");
+                }
+                if ($row['csp_img_src_enabled']) {
+                    $enabled[] = gettext("Image Source");
+                }
+                if ($row['csp_style_src_enabled']) {
+                    $enabled[] = gettext("Style Source");
+                }
+                if ($row['csp_media_src_enabled']) {
+                    $enabled[] = gettext("Media Source");
+                }
+                if ($row['csp_font_src_enabled']) {
+                    $enabled[] = gettext("Font Source");
+                }
+                if ($row['csp_frame_src_enabled']) {
+                    $enabled[] = gettext("Frame Source");
+                }
+                if ($row['csp_frame_ancestors_enabled']) {
+                    $enabled[] = gettext("Frame Ancestors");
+                }
+                if ($row['csp_form_action_enabled']) {
+                    $enabled[] = gettext("Form Action");
+                }
 
                 if (count($enabled)) {
                     $row['csp_details'] = implode(', ', $enabled);

From b7793cdf0fc5e1d27fe46410eed84027623cf6fa Mon Sep 17 00:00:00 2001
From: Manuel Faux <mfaux@conf.at>
Date: Sun, 16 Jan 2022 17:01:13 +0100
Subject: [PATCH 0911/3088] www/nginx: model was modified in 5a61822 but
 version not incremented

---
 www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index ddcdcf19d5..c6d69989b2 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.24.0</version>
+  <version>1.26.0</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>

From 874d2e393e29951ed57c220f9f06e49a73790a5f Mon Sep 17 00:00:00 2001
From: digitalshow <ingo@koinzer.net>
Date: Mon, 17 Jan 2022 08:33:30 +0100
Subject: [PATCH 0912/3088] Add description and message to wol action (#2753)

To be able to create a cronjob via the web GUI we need a description for the action.
---
 net/wol/src/opnsense/service/conf/actions.d/actions_wol.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/wol/src/opnsense/service/conf/actions.d/actions_wol.conf b/net/wol/src/opnsense/service/conf/actions.d/actions_wol.conf
index bc90627a32..696fc145d1 100644
--- a/net/wol/src/opnsense/service/conf/actions.d/actions_wol.conf
+++ b/net/wol/src/opnsense/service/conf/actions.d/actions_wol.conf
@@ -2,3 +2,5 @@
 command:/usr/local/bin/wol -i
 parameters: %s %s
 type:script
+description:Wake-On-LAN for host with broadcast IP and MAC
+message:Waking up host %s %s

From 6778f56508f389c79acbe6148b0a469afdf6e3f8 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Mon, 17 Jan 2022 11:27:15 +0300
Subject: [PATCH 0913/3088] www/nginx: 1.24.0 migration fix (#2755)

---
 .../OPNsense/Nginx/Migrations/M1_24_0.php     | 35 +++++++++++--------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
index 981fbd99a4..ef2817157f 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
@@ -29,26 +29,33 @@
 namespace OPNsense\Nginx\Migrations;
 
 use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Config;
 
 class M1_24_0 extends BaseModelMigration
 {
+    /**
+     * Listen ports to listen addresses movements
+     * @param Nginx $model
+     */
     public function run($model)
     {
-        foreach ($model->getNodeByReference('http_server')->iterateItems() as $http_server) {
-            if ($http_server->listen_http_port != '') {
-                $http_server->listen_http_address = $http_server->listen_http_port . ',[::]:' . $http_server->listen_http_port;
-                $http_server->listen_http_port = null;
-            }
-            if ($http_server->listen_https_port != '') {
-                $http_server->listen_https_address = $http_server->listen_https_port . ',[::]:' . $http_server->listen_https_port;
-                $http_server->listen_https_port = null;
-            }
+        $cfgObj = Config::getInstance()->object();
+        $ports = array();
+        foreach ($cfgObj->OPNsense->Nginx->http_server as $cfg_http_server) {
+            $uuid = (string)$cfg_http_server->attributes()['uuid'];
+            $ports['http_port'] = (isset($cfg_http_server->listen_http_port) && $cfg_http_server->listen_http_port != '') ? $cfg_http_server->listen_http_port : null;
+            $ports['https_port'] = (isset($cfg_http_server->listen_https_port) && $cfg_http_server->listen_https_port != '') ? $cfg_http_server->listen_https_port : null;
+            $http_server = $model->getNodeByReference('http_server.' . $uuid);
+            $http_server->listen_http_address = (isset($ports['http_port'])) ? $ports['http_port'] . ',[::]:' . $ports['http_port'] : null;
+            $http_server->listen_https_address = (isset($ports['https_port'])) ? $ports['https_port'] . ',[::]:' . $ports['https_port'] : null;
         }
-        foreach ($model->getNodeByReference('stream_server')->iterateItems() as $server) {
-            if ($server->listen_port != '') {
-                $server->listen_address = $server->listen_port . ',[::]:' . $server->listen_port;
-                $server->listen_port = null;
-            }
+        foreach ($cfgObj->OPNsense->Nginx->stream_server as $cfg_stream_server) {
+            $uuid = (string)$cfg_stream_server->attributes()['uuid'];
+            $port = (isset($cfg_stream_server->listen_port) && $cfg_stream_server->listen_port != '') ? $cfg_stream_server->listen_port : null;
+            $server = $model->getNodeByReference('stream_server.' . $uuid);
+            $server->listen_address = (isset($port)) ? $port . ',[::]:' . $port : null;
         }
+        // run default migration actions
+        parent::run($model);
     }
 }

From 6bf0c6386512a02d40453a95ed92e87b7d48bad1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jan 2022 13:57:57 +0100
Subject: [PATCH 0914/3088] dns/ddclient: ready for release

---
 LICENSE               | 2 +-
 README.md             | 2 +-
 dns/ddclient/Makefile | 3 +--
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/LICENSE b/LICENSE
index 7650f46e65..e3a53b56c0 100644
--- a/LICENSE
+++ b/LICENSE
@@ -24,7 +24,7 @@ Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019 Juergen Kellerer
-Copyright (c) 2020 Manuel Faux
+Copyright (c) 2020-2021 Manuel Faux
 Copyright (c) 2021 Manuel Hofmann
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2020 Marc Leuser
diff --git a/README.md b/README.md
index 650f72b703..0dabdf1213 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ devel/debug -- Debugging Tools
 devel/grid_example -- A sample framework application
 devel/helloworld -- A sample framework application
 dns/bind -- BIND domain name service
-dns/ddclient -- Dynamic DNS client (development only)
+dns/ddclient -- Dynamic DNS client
 dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
 dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 7fed78369e..2c67781fd6 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_DEVEL=		yes
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1.0
 #PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client

From 6ed716ea25c4ee57caaa2072ee284aa20cd80c79 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 17 Jan 2022 14:22:21 +0100
Subject: [PATCH 0915/3088] dns/dyndns - flag for removal and move shared
 function get_dyndns_ip() into package to isolate it further.

Our new ddclient plugin replaces the old dyndns one, make sure people know it's going away so they can contribute other vendors if needed or switch to the ones that are already supported.

(also related to https://github.com/opnsense/core/issues/5434)
---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      | 39 +++++++++++++++++++
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    |  2 +-
 dns/dyndns/src/www/services_dyndns.php        |  9 ++++-
 .../widgets/widgets/dyn_dns_status.widget.php | 13 ++++++-
 4 files changed, 58 insertions(+), 5 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 762549e53e..54f1db403d 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -249,3 +249,42 @@ function dyndns_failover_interface($interface, $family = 'all')
     /* fall through to get real interface the hard way */
     return get_real_interface($interface, $family);
 }
+
+
+function get_dyndns_ip_address($int, $ipver = 4)
+{
+    $ip_address = $ipver == 6 ? get_interface_ipv6($int) : get_interface_ip($int);
+    if (empty($ip_address)) {
+        log_error("Aborted IPv{$ipver} detection: no address for {$int}");
+        return 'down';
+    }
+
+    if ($ipver != 6 && is_private_ip($ip_address)) {
+        /* Chinese alternative is http://ip.3322.net/ */
+        $hosttocheck = 'http://checkip.dyndns.org';
+        $ip_ch = curl_init($hosttocheck);
+        curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1);
+        curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address);
+        curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, 5);
+        curl_setopt($ip_ch, CURLOPT_TIMEOUT, 30);
+        curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+        $ip_result = curl_exec($ip_ch);
+        if ($ip_result !== false) {
+            preg_match('=<body>Current IP Address: (.*)</body>=siU', $ip_result, $matches);
+            $ip_address = trim($matches[1]);
+        } else {
+            log_error('Aborted IPv4 detection: ' . curl_error($ip_ch));
+            $ip_address = '';
+        }
+        curl_close($ip_ch);
+    } elseif ($ipver == 6 && is_linklocal($ip_address)) {
+        log_error('Aborted IPv6 detection: cannot bind to link-local address');
+        $ip_address = '';
+    }
+
+    if (($ipver == 6 && !is_ipaddrv6($ip_address)) || ($ipver != 6 && !is_ipaddrv4($ip_address))) {
+        return 'down';
+    }
+
+    return $ip_address;
+}
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
index 44ceb97556..0bf6908165 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
@@ -2022,7 +2022,7 @@ class updatedns
 
     function _checkIP()
     {
-        $ip_address = get_dyndns_ip($this->_if, $this->_useIPv6 ? 6 : 4);
+        $ip_address = get_dyndns_ip_address($this->_if, $this->_useIPv6 ? 6 : 4);
         if (!is_ipaddr($ip_address)) {
             if ($this->_dnsVerboseLog) {
                 log_error("Dynamic DNS ({$this->_dnsHost}): IP address could not be extracted");
diff --git a/dns/dyndns/src/www/services_dyndns.php b/dns/dyndns/src/www/services_dyndns.php
index 30f5d259ce..a209477baa 100644
--- a/dns/dyndns/src/www/services_dyndns.php
+++ b/dns/dyndns/src/www/services_dyndns.php
@@ -110,6 +110,11 @@
     <div class="container-fluid">
       <div class="row">
         <section class="col-xs-12">
+          <div class="alert alert-warning" role="alert">
+              <strong>
+                  <?=gettext("Please make sure to upgrade to os-ddclient before 21.7 is released as this plugin will be removed from our repository");?>
+              </strong>
+          </div>
           <div class="tab-content content-box col-xs-12">
             <form method="post" name="iform" id="iform">
               <div class="table-responsive">
@@ -146,14 +151,14 @@
                       $filename = dyndns_cache_file($dyndns, 4);
                       $fdata = '';
                       if (file_exists($filename) && !empty($dyndns['enable'])) {
-                          $ipaddr = get_dyndns_ip(dyndns_failover_interface($dyndns['interface'], 'all'), 4);
+                          $ipaddr = get_dyndns_ip_address(dyndns_failover_interface($dyndns['interface'], 'all'), 4);
                           $fdata = @file_get_contents($filename);
                       }
 
                       $filename_v6 = dyndns_cache_file($dyndns, 6);
                       $fdata6 = '';
                       if (file_exists($filename_v6) && !empty($dyndns['enable'])) {
-                          $ipv6addr = get_dyndns_ip(dyndns_failover_interface($dyndns['interface'], 'inet6'), 6);
+                          $ipv6addr = get_dyndns_ip_address(dyndns_failover_interface($dyndns['interface'], 'inet6'), 6);
                           $fdata6 = @file_get_contents($filename_v6);
                       }
 
diff --git a/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php b/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
index 7728dec222..55a59d6115 100644
--- a/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
+++ b/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
@@ -48,14 +48,14 @@
         $filename = dyndns_cache_file($dyndns, 4);
         $fdata = '';
         if (!empty($dyndns['enable']) && file_exists($filename)) {
-            $ipaddr = get_dyndns_ip(dyndns_failover_interface($dyndns['interface'], 'all'), 4);
+            $ipaddr = get_dyndns_ip_address(dyndns_failover_interface($dyndns['interface'], 'all'), 4);
             $fdata = @file_get_contents($filename);
         }
 
         $filename_v6 = dyndns_cache_file($dyndns, 6);
         $fdata6 = '';
         if (!empty($dyndns['enable']) && file_exists($filename_v6)) {
-            $ipv6addr = get_dyndns_ip(dyndns_failover_interface($dyndns['interface'], 'inet6'), 6);
+            $ipv6addr = get_dyndns_ip_address(dyndns_failover_interface($dyndns['interface'], 'inet6'), 6);
             $fdata6 = @file_get_contents($filename_v6);
         }
 
@@ -86,6 +86,15 @@
 
 <table class="table table-striped table-condensed">
   <thead>
+    <tr>
+        <th colspan="4">
+          <div class="alert alert-warning" role="alert">
+              <strong>
+                  <?=gettext("Please make sure to upgrade to os-ddclient before 21.7 is released as this plugin will be removed from our repository");?>
+              </strong>
+          </div>
+        </th>
+    </tr>
     <tr>
       <th style="word-break:break-word;"><?=gettext("Interface");?></th>
       <th style="word-break:break-word;"><?=gettext("Service");?></th>

From 9012be99d82c5daa9ef26a0f0077146e9d58aa30 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 17 Jan 2022 14:28:36 +0100
Subject: [PATCH 0916/3088] dns/rfc2136 - move get_dyndns_ip() to plugin to
 avoid further usage from core, related to
 https://github.com/opnsense/core/issues/5434

---
 .../src/etc/inc/plugins.inc.d/rfc2136.inc     | 42 ++++++++++++++++++-
 dns/rfc2136/src/www/services_rfc2136.php      |  4 +-
 .../www/widgets/widgets/rfc2136.widget.php    |  4 +-
 3 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 8663b5f250..1a568bc86a 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -173,7 +173,7 @@ EOD;
                 list($cachedipv4, $cacheTimev4) = array('', '');
             }
             if (isset($dnsupdate['usepublicip'])) {
-                $wanip = get_dyndns_ip($dnsupdate['interface'], 4);
+                $wanip = get_rfc2136_ip_address($dnsupdate['interface'], 4);
             } else {
                 $wanip = get_interface_ip($dnsupdate['interface']);
             }
@@ -200,7 +200,7 @@ EOD;
                 list($cachedipv6, $cacheTimev6) = array('', '');
             }
             if (isset($dnsupdate['usepublicip'])) {
-                $wanipv6 = get_dyndns_ip($dnsupdate['interface'], 6);
+                $wanipv6 = get_rfc2136_ip_address($dnsupdate['interface'], 6);
             } else {
                 $wanipv6 = get_interface_ipv6($dnsupdate['interface']);
             }
@@ -239,3 +239,41 @@ EOD;
         echo "done.\n";
     }
 }
+
+function get_rfc2136_ip_address($int, $ipver = 4)
+{
+    $ip_address = $ipver == 6 ? get_interface_ipv6($int) : get_interface_ip($int);
+    if (empty($ip_address)) {
+        log_error("Aborted IPv{$ipver} detection: no address for {$int}");
+        return 'down';
+    }
+
+    if ($ipver != 6 && is_private_ip($ip_address)) {
+        /* Chinese alternative is http://ip.3322.net/ */
+        $hosttocheck = 'http://checkip.dyndns.org';
+        $ip_ch = curl_init($hosttocheck);
+        curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1);
+        curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address);
+        curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, 5);
+        curl_setopt($ip_ch, CURLOPT_TIMEOUT, 30);
+        curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+        $ip_result = curl_exec($ip_ch);
+        if ($ip_result !== false) {
+            preg_match('=<body>Current IP Address: (.*)</body>=siU', $ip_result, $matches);
+            $ip_address = trim($matches[1]);
+        } else {
+            log_error('Aborted IPv4 detection: ' . curl_error($ip_ch));
+            $ip_address = '';
+        }
+        curl_close($ip_ch);
+    } elseif ($ipver == 6 && is_linklocal($ip_address)) {
+        log_error('Aborted IPv6 detection: cannot bind to link-local address');
+        $ip_address = '';
+    }
+
+    if (($ipver == 6 && !is_ipaddrv6($ip_address)) || ($ipver != 6 && !is_ipaddrv4($ip_address))) {
+        return 'down';
+    }
+
+    return $ip_address;
+}
diff --git a/dns/rfc2136/src/www/services_rfc2136.php b/dns/rfc2136/src/www/services_rfc2136.php
index 16936da0a6..a7a5029bbb 100644
--- a/dns/rfc2136/src/www/services_rfc2136.php
+++ b/dns/rfc2136/src/www/services_rfc2136.php
@@ -146,7 +146,7 @@
                         if (file_exists($filename) && !empty($rfc2136['enable']) && (empty($rfc2136['recordtype']) || $rfc2136['recordtype'] == 'A')) {
                             echo "IPv4: ";
                             if (isset($rfc2136['usepublicip'])) {
-                                $ipaddr = get_dyndns_ip($rfc2136['interface'], 4);
+                                $ipaddr = get_rfc2136_ip_address($rfc2136['interface'], 4);
                             } else {
                                 $ipaddr = get_interface_ip($rfc2136['interface']);
                             }
@@ -167,7 +167,7 @@
                         if (file_exists($filename6) && !empty($rfc2136['enable']) && (empty($rfc2136['recordtype']) || $rfc2136['recordtype'] == 'AAAA')) {
                             echo "IPv6: ";
                             if (isset($rfc2136['usepublicip'])) {
-                                $ipaddr = get_dyndns_ip($rfc2136['interface'], 6);
+                                $ipaddr = get_rfc2136_ip_address($rfc2136['interface'], 6);
                             } else {
                                 $ipaddr = get_interface_ipv6($rfc2136['interface']);
                             }
diff --git a/dns/rfc2136/src/www/widgets/widgets/rfc2136.widget.php b/dns/rfc2136/src/www/widgets/widgets/rfc2136.widget.php
index 3dc9a58cc0..0c2d57611b 100644
--- a/dns/rfc2136/src/www/widgets/widgets/rfc2136.widget.php
+++ b/dns/rfc2136/src/www/widgets/widgets/rfc2136.widget.php
@@ -49,14 +49,14 @@
         $filename = rfc2136_cache_file($rfc2136, 4);
         $fdata = '';
         if (!empty($rfc2136['enable']) && (empty($rfc2136['recordtype']) || $rfc2136['recordtype'] == 'A') && file_exists($filename)) {
-            $ipaddr = get_dyndns_ip($rfc2136['interface'], 4);
+            $ipaddr = get_rfc2136_ip_address($rfc2136['interface'], 4);
             $fdata = @file_get_contents($filename);
         }
 
         $filename_v6 = rfc2136_cache_file($rfc2136, 6);
         $fdata6 = '';
         if (!empty($rfc2136['enable']) && (empty($rfc2136['recordtype']) || $rfc2136['recordtype'] == 'AAAA') && file_exists($filename_v6)) {
-            $ipv6addr = get_dyndns_ip($rfc2136['interface'], 6);
+            $ipv6addr = get_rfc2136_ip_address($rfc2136['interface'], 6);
             $fdata6 = @file_get_contents($filename_v6);
         }
 

From b7295b3275d380918965970f8d0ac39ecb462daa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 18 Jan 2022 08:04:28 +0100
Subject: [PATCH 0917/3088] dns: bump legacy plugins after function transfer

---
 dns/dyndns/Makefile  | 2 +-
 dns/rfc2136/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index cd07376764..5bb7b9f3fd 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.27
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index dc089e39b0..9a1a3618ea 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools

From 58880dede5c0f67f3893451d7158d241ae6afc82 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 18 Jan 2022 08:09:32 +0100
Subject: [PATCH 0918/3088] net/wol: bump after cron change

---
 net/wol/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index 818fde3268..2cb9a50e81 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wol
 PLUGIN_VERSION=		2.4
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org

From f591681ff72e1460e45413d42b69e43644b20c37 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 19 Jan 2022 22:07:03 +0100
Subject: [PATCH 0919/3088] net/haproxy: upgrade to HAProxy 2.4 release series,
 refs #2644

---
 net/haproxy/Makefile                                   |  2 +-
 net/haproxy/pkg-descr                                  |  9 +++++++++
 .../OPNsense/HAProxy/forms/dialogAction.xml            | 10 +++++-----
 .../OPNsense/HAProxy/forms/dialogBackend.xml           | 10 +++++-----
 .../OPNsense/HAProxy/forms/dialogFrontend.xml          |  6 +++---
 .../OPNsense/HAProxy/forms/dialogMapfile.xml           |  2 +-
 .../opnsense/mvc/app/views/OPNsense/HAProxy/index.volt | 10 +++++-----
 7 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 1a155bad49..bcb5e4a497 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		3.9
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy22
+PLUGIN_DEPENDS=		haproxy24
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index c809c34340..758d0a1029 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,14 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.10
+
+WARNING: This release switches to the HAProxy 2.4 release series,
+which may result in incompatible changes for some users.
+
+Changed:
+* upgrade to HAProxy 2.4 release series (#2644)
+
 3.9
 
 Added:
@@ -117,6 +125,7 @@ Fixed:
 * prevent the deletion of items that are still referenced elsewhere (core/#1897)
 
 Changed:
+* upgrade to HAProxy 2.2 release series (#2092)
 * change default SSL version to TLSv1.2 (ssl-min-ver)
 * remove weak ciphers from (default) SSL settings
 * remove default SSL bind options that would conflict with ssl-min-ver
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index f0d17e77e2..c810642591 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -89,7 +89,7 @@
         <id>action.http_request_redirect</id>
         <label>HTTP Redirect</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -128,7 +128,7 @@
         <id>action.http_request_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -145,7 +145,7 @@
         <id>action.http_request_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -251,7 +251,7 @@
         <id>action.http_response_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -268,7 +268,7 @@
         <id>action.http_response_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 31e0eda988..27a6115e2c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -28,7 +28,7 @@
         <id>backend.algorithm</id>
         <label>Balancing Algorithm</label>
         <type>dropdown</type>
-        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
         <hint>Choose a load balancing algorithm.</hint>
     </field>
     <field>
@@ -42,7 +42,7 @@
         <id>backend.proxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -186,7 +186,7 @@
         <id>backend.persistence_cookiemode</id>
         <label>Cookie handling</label>
         <type>dropdown</type>
-        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.persistence_cookiename</id>
@@ -208,14 +208,14 @@
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
+        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
         <hint>Choose a persistence type.</hint>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 682e0bb278..6d6a4cda76 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -322,14 +322,14 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
@@ -356,7 +356,7 @@
         <id>frontend.stickiness_counter_key</id>
         <label>Sticky counter key</label>
         <type>text</type>
-        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index f571ce69c3..d988e782e4 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -15,6 +15,6 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index ba0cf32f02..eda3e7ff1a 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -698,7 +698,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -740,7 +740,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7" target="_blank">', '</a>') }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -755,7 +755,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}</p>
-            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#3.4" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#3.4" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -773,7 +773,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#10" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#10" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#3.5" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -790,7 +790,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#process" target="_blank">', '</a>','<a href="http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#process" target="_blank">', '</a>','<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>

From d5e60e9f77f3862f54fbfa9e54181107ac136110 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 19 Jan 2022 22:16:58 +0100
Subject: [PATCH 0920/3088] net/haproxy: remove deprecated option tune.chksize
 (#2644)

---
 net/haproxy/pkg-descr                                      | 3 +++
 .../controllers/OPNsense/HAProxy/forms/generalTuning.xml   | 7 -------
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml   | 7 -------
 .../service/templates/OPNsense/HAProxy/haproxy.conf        | 3 ---
 4 files changed, 3 insertions(+), 17 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 758d0a1029..cba85b6e40 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -14,6 +14,9 @@ which may result in incompatible changes for some users.
 Changed:
 * upgrade to HAProxy 2.4 release series (#2644)
 
+Removed:
+* remove deprecated option tune.chksize (#2644)
+
 3.9
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index ea55662de4..ff481bd137 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -48,13 +48,6 @@
         <help><![CDATA[Change the buffer size (in bytes). Lower values allow more sessions to coexist in the same amount of RAM, and higher values allow some applications with very large cookies to work. The default value is 16384. <br/><div class="text-info"><b>NOTE:</b> It is strongly recommended not to change this from the default value, as very low values will break some services such as statistics, and values larger than default size will increase memory usage, possibly causing the system to run out of memory.</div>]]></help>
         <advanced>true</advanced>
     </field>
-    <field>
-        <id>haproxy.general.tuning.checkBufferSize</id>
-        <label>Health check buffer size</label>
-        <type>text</type>
-        <help><![CDATA[Change the check buffer size (in bytes). Higher values may help find string or regex patterns in very large pages, though doing so may imply more memory and CPU usage. The default value is 16384.]]></help>
-        <advanced>true</advanced>
-    </field>
     <field>
         <id>haproxy.general.tuning.luaMaxMem</id>
         <label>Maximum RAM per LUA process</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index ff4e24be8a..9ef6f67485 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -109,13 +109,6 @@
                     <ValidationMessage>Please specify a value between 1024 and 1048576.</ValidationMessage>
                     <Required>N</Required>
                 </bufferSize>
-                <checkBufferSize type="IntegerField">
-                    <default>16384</default>
-                    <MinimumValue>1024</MinimumValue>
-                    <MaximumValue>1048576</MaximumValue>
-                    <ValidationMessage>Please specify a value between 1024 and 1048576.</ValidationMessage>
-                    <Required>N</Required>
-                </checkBufferSize>
                 <spreadChecks type="IntegerField">
                     <default>2</default>
                     <MinimumValue>0</MinimumValue>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 71e377f182..94403c1ae0 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -975,9 +975,6 @@ global
 {% if OPNsense.HAProxy.general.tuning.bogusProxyEnabled|default("") == '1' %}
     pp2-never-send-local
 {% endif %}
-{% if OPNsense.HAProxy.general.tuning.checkBufferSize|default("") != "" %}
-    tune.chksize                {{OPNsense.HAProxy.general.tuning.checkBufferSize}}
-{% endif %}
 {% if OPNsense.HAProxy.general.tuning.bufferSize|default("") != "" %}
     tune.bufsize                {{OPNsense.HAProxy.general.tuning.bufferSize}}
 {% endif %}

From 66d0b8682b7ddaa239a3e3d4519decb2efc7a328 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 19 Jan 2022 23:14:14 +0100
Subject: [PATCH 0921/3088] net/haproxy: disable strict-limits for safekeeping,
 refs #2644

---
 net/haproxy/pkg-descr                                          | 1 +
 .../app/controllers/OPNsense/HAProxy/forms/generalTuning.xml   | 2 +-
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf   | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index cba85b6e40..eacea0b890 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -13,6 +13,7 @@ which may result in incompatible changes for some users.
 
 Changed:
 * upgrade to HAProxy 2.4 release series (#2644)
+* disable strict-limits for safekeeping (#2644)
 
 Removed:
 * remove deprecated option tune.chksize (#2644)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index ff481bd137..8d93dc989b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -27,7 +27,7 @@
         <id>haproxy.general.tuning.maxConnections</id>
         <label>Maximum connections</label>
         <type>text</type>
-        <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> HAProxy will not be able to allocate enough memory if you set this value too high. Consider raising the settings for kern.maxfiles and kern.maxfilesperproc if you need to specify a non-default value.</div>]]></help>
+        <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> Consider raising the settings for kern.maxfiles and kern.maxfilesperproc in <a target="_blank" href="/ui/haproxy#general-settings">System: Settings: Tunables</a>, otherwise HAProxy will fail to open the specified number of connections.</div>]]></help>
     </field>
     <field>
         <id>haproxy.general.tuning.sslServerVerify</id>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 94403c1ae0..0c8c1ab2ea 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -958,6 +958,9 @@ global
 {% if OPNsense.HAProxy.general.hardStopAfter|default('') != '' %}
     hard-stop-after             {{OPNsense.HAProxy.general.hardStopAfter}}
 {% endif %}
+{# # Disable strict-limits because a syntax check will not reveal #}
+{# # whether kern.maxfilesperproc or kern.maxfiles are too low. #}
+    no strict-limits
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxConnections') %}
     maxconn                     {{OPNsense.HAProxy.general.tuning.maxConnections}}
 {% endif %}

From 67946800aadf2544a8ad5ae82505c7b760f5248b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 19 Jan 2022 23:51:48 +0100
Subject: [PATCH 0922/3088] net/haproxy: add support for DNS resolution over
 TCP, refs #2644

---
 net/haproxy/pkg-descr                                     | 3 +++
 .../controllers/OPNsense/HAProxy/forms/dialogResolver.xml | 4 ++--
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml  | 8 ++++----
 .../service/templates/OPNsense/HAProxy/haproxy.conf       | 3 ++-
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index eacea0b890..bf40d39e77 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,9 @@ Plugin Changelog
 WARNING: This release switches to the HAProxy 2.4 release series,
 which may result in incompatible changes for some users.
 
+Added:
+* add support for DNS resolution over TCP (#2644)
+
 Changed:
 * upgrade to HAProxy 2.4 release series (#2644)
 * disable strict-limits for safekeeping (#2644)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
index a769aead4c..73ca63cdce 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogResolver.xml
@@ -24,7 +24,7 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <sortable>true</sortable>
-        <help><![CDATA[Add nameservers to this resolver configuration, i.e. 127.0.0.1:53 or 192.168.1.1:53. Use TAB key to complete typing.]]></help>
+        <help><![CDATA[Add nameservers to this resolver configuration. They may be prefixed with either tcp@ or udp@ to use the TCP or UDP protocol respectively. For example 192.168.1.1:53, tcp@192.168.1.1:53 or udp@192.168.1.1:53. Use TAB key to complete typing.]]></help>
         <hint>Enter ip:port here. Finish with TAB.</hint>
     </field>
     <field>
@@ -55,7 +55,7 @@
         <id>resolver.accepted_payload_size</id>
         <label>Max DNS answer size</label>
         <type>text</type>
-        <help><![CDATA[Defines the maximum payload size accepted by HAProxy and announced to all the name servers configured in this resolvers section. The default is 512 bytes, the maximum allowed is 8192.]]></help>
+        <help><![CDATA[Defines the maximum payload size accepted by HAProxy and announced to all the name servers configured in this resolvers section. The default is 512 bytes, the maximum allowed is 8192 for UDP and 65535 for TCP.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 9ef6f67485..efa38510d2 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2796,9 +2796,9 @@
                     <Required>N</Required>
                     <Sorted>Y</Sorted>
                     <multiple>Y</multiple>
-                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</mask>
+                    <mask>/^((((udp@|tcp@)?[0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</mask>
                     <ChangeCase>lower</ChangeCase>
-                    <ValidationMessage>Please provide a valid nameserver address, i.e. 127.0.0.1:53, [::1]:53 or 192.168.1.1:53.</ValidationMessage>
+                    <ValidationMessage>Please provide a valid nameserver address, i.e. 127.0.0.1:53, [::1]:53 or tcp@192.168.1.1:53.</ValidationMessage>
                 </nameservers>
                 <parse_resolv_conf type="BooleanField">
                     <default>0</default>
@@ -2825,8 +2825,8 @@
                 </timeout_retry>
                 <accepted_payload_size type="IntegerField">
                     <MinimumValue>0</MinimumValue>
-                    <MaximumValue>8192</MaximumValue>
-                    <ValidationMessage>Should be a number between 0 and 8192</ValidationMessage>
+                    <MaximumValue>65535</MaximumValue>
+                    <ValidationMessage>Should be a number between 0 and 65535</ValidationMessage>
                     <Required>N</Required>
                 </accepted_payload_size>
                 <hold_valid type="TextField">
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 0c8c1ab2ea..34862fb13f 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1174,7 +1174,8 @@ userlist stats_auth
 resolvers {{resolver.id}}
 {%       if resolver.nameservers|default("") != "" %}
 {%         for nameserver in resolver.nameservers.split(",") %}
-    nameserver {{nameserver}} {{nameserver}}
+{#  # special characters are not supported in server names #}
+    nameserver {{nameserver|replace('@', '_')}} {{nameserver}}
 {%         endfor %}
 {%       endif %}
 {%       if resolver.parse_resolv_conf|default("") == "1" %}

From daa9e3e1887f6f6660b6f9d06a54dc17eccd0264 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 20 Jan 2022 00:00:06 +0100
Subject: [PATCH 0923/3088] net/haproxy: bump plugin and model versions

---
 net/haproxy/Makefile                                            | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index bcb5e4a497..56e1e159a7 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.9
+PLUGIN_VERSION=		3.10
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy24
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index efa38510d2..e24826e1ee 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.5.0</version>
+    <version>3.6.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>

From f2adc7799ea3080caf841a10f99f316ddfe0ac1f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 20 Jan 2022 00:23:35 +0100
Subject: [PATCH 0924/3088] net/haproxy: fix link to tunables page

---
 .../app/controllers/OPNsense/HAProxy/forms/generalTuning.xml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index 8d93dc989b..807087cce9 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -27,7 +27,7 @@
         <id>haproxy.general.tuning.maxConnections</id>
         <label>Maximum connections</label>
         <type>text</type>
-        <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> Consider raising the settings for kern.maxfiles and kern.maxfilesperproc in <a target="_blank" href="/ui/haproxy#general-settings">System: Settings: Tunables</a>, otherwise HAProxy will fail to open the specified number of connections.</div>]]></help>
+        <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> Consider raising the settings for kern.maxfiles and kern.maxfilesperproc in <a target="_blank" href="/system_advanced_sysctl.php">System: Settings: Tunables</a>, otherwise HAProxy will fail to open the specified number of connections.</div>]]></help>
     </field>
     <field>
         <id>haproxy.general.tuning.sslServerVerify</id>

From 6f7127fdc6e623469ca5edc8c595912b9b916367 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 21 Jan 2022 11:41:15 +0100
Subject: [PATCH 0925/3088] net/wireguard: Allow 100 instances (#2760)

---
 net/wireguard/Makefile                                       | 2 +-
 net/wireguard/pkg-descr                                      | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml    | 5 +----
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 8cd2d5c43a..22a3d57f17 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.9
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index e6d9ce270f..515f17dbf2 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.10
+
+* Remove instance limit
+
 1.9
 
 * Rename interface label in filter rules (#2577)
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 7b99312233..64d4deb9d3 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/wireguard/server</mount>
     <description>Wireguard Server configuration</description>
-    <version>0.0.2</version>
+    <version>0.0.3</version>
     <items>
         <servers>
             <server type="ArrayField">
@@ -16,9 +16,6 @@
                     <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, and A-Z</ValidationMessage>
                 </name>
                 <instance type="AutoNumberField">
-                    <MinimumValue>0</MinimumValue>
-                    <MaximumValue>19</MaximumValue>
-                    <ValidationMessage>Maximum number of instances reached</ValidationMessage>
                     <Required>Y</Required>
                 </instance>
                 <pubkey type="TextField">

From 95250aaeb605030024357b37839ee6e7752cce0a Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 21 Jan 2022 15:36:09 +0100
Subject: [PATCH 0926/3088] net/frr: Dont set empty defaults on required fields
 (#2761)

---
 net/frr/Makefile                                             | 2 +-
 net/frr/pkg-descr                                            | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml    | 5 ++---
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml  | 5 ++---
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 1ccdf2d16b..ca8ca4dd54 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.25
+PLUGIN_VERSION=		1.26
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index f2a1fa87ea..77b799b58f 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,10 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.26
+
+* Fix Model migration errors
+
 1.25
 
 * Add "All" option to next-hop-self command (#2673)
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index 6670a07892..46e433426d 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/ospf6</mount>
     <description>OSPFv3 Routing configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -18,8 +18,7 @@
                 </OptionValues>
         </redistribute>
         <routerid type="TextField">
-                <default></default>
-                <Required>Y</Required>
+                <Required>N</Required>
                 <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
         </routerid>
         <interfaces>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
index bb315566b6..f9838ca8b7 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/rip</mount>
     <description>RIP Routing configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -14,8 +14,7 @@
             <Required>Y</Required>
         </version>
         <networks type="CSVListField">
-            <default></default>
-            <Required>Y</Required>
+            <Required>N</Required>
             <mask>/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2},)*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})$/</mask>
         </networks>
         <passiveinterfaces type="InterfaceField">

From d737686eed6a35ea8ad120c4d3d91d8942c20672 Mon Sep 17 00:00:00 2001
From: Markus Reiter <me@reitermark.us>
Date: Fri, 21 Jan 2022 15:56:34 +0100
Subject: [PATCH 0927/3088] mDNS repeater: cosmetic fixes

---
 .../src/etc/inc/plugins.inc.d/mdnsrepeater.inc         | 10 +++-------
 .../OPNsense/MDNSRepeater/IndexController.php          |  2 +-
 .../mvc/app/models/OPNsense/MDNSRepeater/ACL/ACL.xml   |  2 +-
 .../mvc/app/models/OPNsense/MDNSRepeater/Menu/Menu.xml |  2 +-
 4 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc b/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
index 7cf9b86814..6990e232fb 100644
--- a/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
+++ b/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
@@ -28,12 +28,8 @@
 
 function mdnsrepeater_enabled()
 {
-    $mdns_repeater = new \OPNsense\MDNSRepeater\MDNSRepeater();
-    if ((string)$mdns_repeater->enabled == '1') {
-        return true;
-    }
-
-    return false;
+    $model = new \OPNsense\MDNSRepeater\MDNSRepeater();
+    return (string)$model->enabled == '1';
 }
 
 function mdnsrepeater_firewall($fw)
@@ -54,7 +50,7 @@ function mdnsrepeater_services()
     }
 
     $services[] = array(
-        'description' => gettext('MDNS Repeater'),
+        'description' => gettext('mDNS Repeater'),
         'configd' => array(
             'restart' => array('mdnsrepeater restart'),
             'start' => array('mdnsrepeater start'),
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/IndexController.php b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/IndexController.php
index 10fdf5234c..1830697d45 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/IndexController.php
+++ b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/IndexController.php
@@ -37,7 +37,7 @@
 class IndexController extends \OPNsense\Base\IndexController
 {
     /**
-     * MDNS Repeater index page
+     * mDNS Repeater index page
      * @throws \Exception
      */
     public function indexAction()
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/ACL/ACL.xml b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/ACL/ACL.xml
index d7bef3537c..8fe0a0f3aa 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/ACL/ACL.xml
+++ b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/ACL/ACL.xml
@@ -1,6 +1,6 @@
 <acl>
    <page-services-mdnsrepeater>
-      <name>Services: MDNS Repeatery</name>
+      <name>Services: mDNS Repeater</name>
       <patterns>
          <pattern>ui/mdnsrepeater/*</pattern>
          <pattern>api/mdnsrepeater/*</pattern>
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/Menu/Menu.xml b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/Menu/Menu.xml
index c3cea26cbd..6b42fa7bc7 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/Menu/Menu.xml
+++ b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/Menu/Menu.xml
@@ -1,5 +1,5 @@
 <menu>
    <Services>
-      <MDNSRepeater VisibleName="MDNS Repeater" cssClass="fa fa-bolt fa-fw" url="/ui/mdnsrepeater"/>
+      <MDNSRepeater VisibleName="mDNS Repeater" cssClass="fa fa-forward fa-fw" url="/ui/mdnsrepeater"/>
    </Services>
 </menu>

From 7942f54a9f82b79d6a780c1c50fcb27a88629125 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 24 Jan 2022 09:22:18 +0100
Subject: [PATCH 0928/3088] dns/dyndns: fix typo

---
 dns/dyndns/src/www/services_dyndns.php                       | 2 +-
 dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/www/services_dyndns.php b/dns/dyndns/src/www/services_dyndns.php
index a209477baa..c74e85c817 100644
--- a/dns/dyndns/src/www/services_dyndns.php
+++ b/dns/dyndns/src/www/services_dyndns.php
@@ -112,7 +112,7 @@
         <section class="col-xs-12">
           <div class="alert alert-warning" role="alert">
               <strong>
-                  <?=gettext("Please make sure to upgrade to os-ddclient before 21.7 is released as this plugin will be removed from our repository");?>
+                  <?=gettext("Please make sure to upgrade to os-ddclient before 22.7 is released as this plugin will be removed from our repository");?>
               </strong>
           </div>
           <div class="tab-content content-box col-xs-12">
diff --git a/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php b/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
index 55a59d6115..03d6af5687 100644
--- a/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
+++ b/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
@@ -90,7 +90,7 @@
         <th colspan="4">
           <div class="alert alert-warning" role="alert">
               <strong>
-                  <?=gettext("Please make sure to upgrade to os-ddclient before 21.7 is released as this plugin will be removed from our repository");?>
+                  <?=gettext("Please make sure to upgrade to os-ddclient before 22.7 is released as this plugin will be removed from our repository");?>
               </strong>
           </div>
         </th>

From 52af627f2b18e1b1116d88d08af96c8285569642 Mon Sep 17 00:00:00 2001
From: Neozlag <50456371+Neozlag@users.noreply.github.com>
Date: Tue, 25 Jan 2022 10:15:08 +0100
Subject: [PATCH 0929/3088] Update Nextcloud.php (#2662)

It seems the try in the getInternalUsername function
was not placed very well, so the throw exception in the
ocs_request function didn't work.
---
 .../mvc/app/library/OPNsense/Backup/Nextcloud.php | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index cca8365167..71185b1103 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -280,15 +280,14 @@ public function create_directory($url, $username, $password, $internal_username,
 
     public function getInternalUsername($url, $username, $password): string
     {
-        $xml_response = $this->ocs_request(
-            "$url/ocs/v1.php/cloud/user",
-            $username,
-            $password,
-            "GET",
-            "Cannot get real username"
-        );
-
         try {
+            $xml_response = $this->ocs_request(
+                "$url/ocs/v1.php/cloud/user",
+                $username,
+                $password,
+                "GET",
+                "Cannot get real username"
+            );        
             $data = $xml_response->data;
             if ($data == null) {
                 return $username; // no data found, return the old username

From 1e6794ca1e957fef465344af89f546f7015b5e4e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Jan 2022 20:17:25 +0100
Subject: [PATCH 0930/3088] sysutils/nextcloud-backup: whitespace on previous

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 71185b1103..5adad6c43b 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -287,7 +287,7 @@ public function getInternalUsername($url, $username, $password): string
                 $password,
                 "GET",
                 "Cannot get real username"
-            );        
+            );
             $data = $xml_response->data;
             if ($data == null) {
                 return $username; // no data found, return the old username

From c970a82d15dcd1a3c68d03296bebd4e8e67da40b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 28 Jan 2022 09:43:26 +0100
Subject: [PATCH 0931/3088] dns/ddclient - missing upper case in model
 validation for username. closes
 https://github.com/opnsense/plugins/issues/2773

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index c5521211f5..df0a922974 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -69,7 +69,7 @@
                 </service>
                 <username type="TextField">
                     <Required>N</Required>
-                    <mask>/^([a-z0-9\-.@_:+])*$/u</mask>
+                    <mask>/^([a-zA-Z0-9\-.@_:+])*$/u</mask>
                     <ValidationMessage>The username contains invalid characters.</ValidationMessage>
                 </username>
                 <password type="UpdateOnlyTextField">

From 400110af010e8a2cd3ea0f01d4b3db87154bacb6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 28 Jan 2022 13:28:35 +0100
Subject: [PATCH 0932/3088] dns/dyndns - move menu registration so ddclient and
 legacy dyndns are both visible when installed.

---
 dns/dyndns/Makefile                                           | 2 +-
 .../opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
index 5bb7b9f3fd..ee2bb7a736 100644
--- a/dns/dyndns/Makefile
+++ b/dns/dyndns/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dyndns
 PLUGIN_VERSION=		1.27
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Dynamic DNS Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml b/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml
index 33f6a448cd..d2a7a40f2d 100644
--- a/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml
+++ b/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml
@@ -1,7 +1,7 @@
 <menu>
     <Services>
-        <DynamicDNS VisibleName="Dynamic DNS" url="/services_dyndns.php" cssClass="fa fa-tags fa-fw">
+        <DynamicDNSOld VisibleName="Dynamic DNS (legacy)" url="/services_dyndns.php" cssClass="fa fa-tags fa-fw">
             <Edit url="/services_dyndns_edit.php*" visibility="hidden"/>
-        </DynamicDNS>
+        </DynamicDNSOld>
     </Services>
 </menu>

From af2ec65aa0aeabb0d222c0c3e20eab3fc59d43a6 Mon Sep 17 00:00:00 2001
From: Alex Mi <43502191+mitzsch@users.noreply.github.com>
Date: Sat, 29 Jan 2022 09:47:09 +0100
Subject: [PATCH 0933/3088] dns/ddclient - Add STRATO DynDNS functionality to
 the new ddclient-dyndns plugin. (#2777)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml   | 1 +
 .../service/templates/OPNsense/ddclient/ddclient.conf        | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index df0a922974..e6f4ea2a26 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -64,6 +64,7 @@
                         <noip>Noip</noip>
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
                         <nsupdatev6>nsupdate.info (IPv6)</nsupdatev6>
+                        <strato>STRATO</strato>
                         <zoneedit1>Zoneedit</zoneedit1>
                     </OptionValues>
                 </service>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index a395865830..fc221b7822 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -54,6 +54,11 @@ server=ipv4.nsupdate.info
 protocol=dyndns2
 ssl=yes
 server=ipv6.nsupdate.info
+{%            elif account.service == 'strato' %}
+use=web
+protocol=dyndns2
+ssl=yes
+server=dyndns.strato.com
 {%            else %}
 protocol={{account.service}}
 ssl=yes

From 8ee15ced75b5c554c0b7f3ee70dc32f7a5f6b14a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20M=C3=BCller?= <robin.mueller@outlook.de>
Date: Sat, 29 Jan 2022 15:59:46 +0100
Subject: [PATCH 0934/3088] dns/ddclient Add Cloudflare (#2781)

* Added Cloudflare as DynDNS provider
* Fixed zone requirement
---
 .../controllers/OPNsense/DynDNS/forms/dialogAccount.xml    | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 5 +++++
 .../service/templates/OPNsense/ddclient/ddclient.conf      | 5 ++++-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 2ee8e7271e..9aad7678b9 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -30,6 +30,13 @@
         <style>optional_setting service_dyndns2 service_easydns</style>
         <help>add a DNS wildcard CNAME record that points to the configured host.</help>
     </field>
+    <field>
+        <id>account.zone</id>
+        <label>Zone</label>
+        <type>text</type>
+        <style>optional_setting service_cloudflare</style>
+        <help>Zone containing the host entry.</help>
+    </field>
     <field>
         <id>account.hostnames</id>
         <label>Hostname(s)</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index e6f4ea2a26..756d13c0df 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -54,6 +54,7 @@
                     <ValidationMessage>A service type is required.</ValidationMessage>
                     <OptionValues>
                         <changeip>Changeip</changeip>
+                        <cloudflare>Cloudflare</cloudflare>
                         <dyndns2>DynDNS.com</dyndns2>
                         <dnspark>DnsPark</dnspark>
                         <dslreports1>DslReports</dslreports1>
@@ -87,6 +88,10 @@
                     <default>0</default>
                     <Required>Y</Required>
                 </wildcard>
+                <zone type="HostnameField">
+                    <Required>N</Required>
+                    <IpAllowed>N</IpAllowed>
+                </zone>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index fc221b7822..a506db3ec7 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -46,7 +46,10 @@ use=web, web=http://dynamic.zoneedit.com/checkip.html
 {%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
 {%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
 {%        if account.enabled|default('0') == '1' %}
-{%            if account.service == 'nsupdatev4' %}
+{%            if account.service == 'cloudflare' %}
+protocol=cloudflare
+zone={{account.zone}}
+{%            elif account.service == 'nsupdatev4' %}
 protocol=dyndns2
 ssl=yes
 server=ipv4.nsupdate.info

From 05ca13b59f8d578e9cdb32d826d5e40a41e8feee Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sun, 30 Jan 2022 08:20:33 +0100
Subject: [PATCH 0935/3088] net/dnscrypt-proxy: replace sed syntax which breaks
 in F13 (#2787)

---
 dns/dnscrypt-proxy/Makefile                   |  2 +-
 dns/dnscrypt-proxy/pkg-descr                  |  4 +++
 .../scripts/OPNsense/Dnscryptproxy/dnsbl.sh   | 34 +++++++++----------
 3 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 26d9d6d8df..3c7a4c9d88 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.10
+PLUGIN_VERSION=		1.11
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 540b718146..f6cdd0817c 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
+1.11
+
+* Fix DNSBL update due to FreeBSD13 upgrade (sed syntax)
+
 1.10
 
 * Add option to enable/disable local query logs
diff --git a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
index 7f6153c238..23bb785899 100755
--- a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
+++ b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
@@ -38,119 +38,119 @@ mkdir -p ${WORKDIR}
 easylist() {
 	# EasyList
 	${FETCH} https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt -o ${WORKDIR}/easylist-raw
-	sed "/\.$/d" ${WORKDIR}/easylist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easylist
+	sed "/\.$/d" ${WORKDIR}/easylist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easylist
 	rm ${WORKDIR}/easylist-raw
 }
 
 easyprivacy() {
 	# EasyPrivacy
 	${FETCH} https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt -o ${WORKDIR}/easyprivacy-raw
-	sed "/\.$/d" ${WORKDIR}/easyprivacy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easyprivacy
+	sed "/\.$/d" ${WORKDIR}/easyprivacy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easyprivacy
 	rm ${WORKDIR}/easyprivacy-raw
 }
 
 pornall() {
 	# PornAll
 	${FETCH} https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list -o ${WORKDIR}/pornall-raw
-	sed "/\.$/d" ${WORKDIR}/pornall-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/pornall
+	sed "/\.$/d" ${WORKDIR}/pornall-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/pornall
 	rm ${WORKDIR}/pornall-raw
 }
 
 porntop() {
 	# PornTop1M
 	${FETCH} https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list -o ${WORKDIR}/porntop-raw
-	sed "/\.$/d" ${WORKDIR}/porntop-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/porntop
+	sed "/\.$/d" ${WORKDIR}/porntop-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/porntop
 	rm ${WORKDIR}/porntop-raw
 }
 
 adguard() {
 	# AdGuard
 	${FETCH} https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt -o ${WORKDIR}/adguard-raw
-	sed "/\.$/d" ${WORKDIR}/adguard-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/adguard
+	sed "/\.$/d" ${WORKDIR}/adguard-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/adguard
 	rm ${WORKDIR}/adguard-raw
 }
 
 nocoin() {
 	# NoCoin
 	${FETCH} https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt -o ${WORKDIR}/nocoin-raw
-	sed "/\.$/d" ${WORKDIR}/nocoin-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/nocoin
+	sed "/\.$/d" ${WORKDIR}/nocoin-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/nocoin
 	rm ${WORKDIR}/nocoin-raw
 }
 
 windowsspyblockerspy() {
 	# WindowsSpyBlocker (spy)
 	${FETCH} https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt -o ${WORKDIR}/windowsspyblockerspy-raw
-	sed "/\.$/d" ${WORKDIR}/windowsspyblockerspy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerspy
+	sed "/\.$/d" ${WORKDIR}/windowsspyblockerspy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerspy
 	rm ${WORKDIR}/windowsspyblockerspy-raw
 }
 
 windowsspyblockerupdate() {
 	# WindowsSpyBlocker (update)
 	${FETCH} https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/update.txt -o ${WORKDIR}/windowsspyblockerupdate-raw
-	sed "/\.$/d" ${WORKDIR}/windowsspyblockerupdate-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerupdate
+	sed "/\.$/d" ${WORKDIR}/windowsspyblockerupdate-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerupdate
 	rm ${WORKDIR}/windowsspyblockerupdate-raw
 }
 
 windowsspyblockerextra() {
 	# WindowsSpyBlocker (extra)
 	${FETCH} https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt -o ${WORKDIR}/windowsspyblockerextra-raw
-	sed "/\.$/d" ${WORKDIR}/windowsspyblockerextra-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerextra
+	sed "/\.$/d" ${WORKDIR}/windowsspyblockerextra-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerextra
 	rm ${WORKDIR}/windowsspyblockerextra-raw
 }
 
 adaway() {
 	# AdAway List
 	${FETCH} https://adaway.org/hosts.txt -o ${WORKDIR}/adaway-raw
-	sed "/\.$/d" ${WORKDIR}/adaway-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/adaway
+	sed "/\.$/d" ${WORKDIR}/adaway-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/adaway
 	rm ${WORKDIR}/adaway-raw
 }
 
 yoyo() {
 	# YoYo List
 	${FETCH} "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext" -o ${WORKDIR}/yoyo-raw
-	sed "/\.$/d" ${WORKDIR}/yoyo-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/yoyo
+	sed "/\.$/d" ${WORKDIR}/yoyo-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/yoyo
 	rm ${WORKDIR}/yoyo-raw
 }
 
 stevenblack() {
         # StevenBlack
         ${FETCH} https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -o ${WORKDIR}/stevenblack-raw
-        sed "/\.$/d" ${WORKDIR}/stevenblack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/stevenblack
+        sed "/\.$/d" ${WORKDIR}/stevenblack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/stevenblack
         rm ${WORKDIR}/stevenblack-raw
 }
 
 blocklistads() {
         # Blocklist.site Ads
         ${FETCH} https://blocklistproject.github.io/Lists/ads.txt -o ${WORKDIR}/blocklistads-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | awk '{print $2}' > ${WORKDIR}/blocklistads
+        sed "/\.$/d" ${WORKDIR}/blocklistads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | awk '{print $2}' > ${WORKDIR}/blocklistads
         rm ${WORKDIR}/blocklistads-raw
 }
 
 blocklistfraud() {
         # Blocklist.site Fraud
         ${FETCH} https://blocklistproject.github.io/Lists/fraud.txt -o ${WORKDIR}/blocklistfraud-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistfraud-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" |awk '{print $2}' > ${WORKDIR}/blocklistfraud
+        sed "/\.$/d" ${WORKDIR}/blocklistfraud-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" |awk '{print $2}' > ${WORKDIR}/blocklistfraud
         rm ${WORKDIR}/blocklistfraud-raw
 }
 
 blocklistphishing() {
         # Blocklist.site Phishing
         ${FETCH} https://blocklistproject.github.io/Lists/phishing.txt -o ${WORKDIR}/blocklistphishing-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistphishing-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | awk '{print $2}' > ${WORKDIR}/blocklistphishing
+        sed "/\.$/d" ${WORKDIR}/blocklistphishing-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | awk '{print $2}' > ${WORKDIR}/blocklistphishing
         rm ${WORKDIR}/blocklistphishing-raw
 }
 
 simplead() {
 	# Simple Ad List
 	${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt -o ${WORKDIR}/simplead-raw
-	sed "/\.$/d" ${WORKDIR}/simplead-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simplead
+	sed "/\.$/d" ${WORKDIR}/simplead-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simplead
 	rm ${WORKDIR}/simplead-raw
 }
 
 simpletrack() {
 	# Simple Tracking List
 	${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt -o ${WORKDIR}/simpletrack-raw
-	sed "/\.$/d" ${WORKDIR}/simpletrack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simpletrack
+	sed "/\.$/d" ${WORKDIR}/simpletrack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simpletrack
 	rm ${WORKDIR}/simpletrack-raw
 }
 

From 8bdd618652efb969ec0855b2be85af0240bbc657 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 31 Jan 2022 08:36:13 +0100
Subject: [PATCH 0936/3088] plugins: style sweep

---
 .../app/controllers/OPNsense/Telegraf/Api/ServiceController.php  | 1 -
 .../mvc/app/controllers/OPNsense/FtpProxy/ItemController.php     | 1 -
 .../app/controllers/OPNsense/Relayd/Api/SettingsController.php   | 1 -
 .../app/controllers/OPNsense/Zerotier/Api/NetworkController.php  | 1 -
 .../app/controllers/OPNsense/Zerotier/Api/SettingsController.php | 1 -
 .../src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.php   | 1 -
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Git.php         | 1 -
 .../opnsense/mvc/app/models/OPNsense/NodeExporter/General.php    | 1 -
 8 files changed, 8 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
index 22c4800cf6..3f21c8b2a4 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
@@ -39,7 +39,6 @@
  */
 class ServiceController extends ApiControllerBase
 {
-
     /**
      * start telegraf service (in background)
      * @return array
diff --git a/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/ItemController.php b/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/ItemController.php
index 679fc52da1..a9f30d596b 100644
--- a/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/ItemController.php
+++ b/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/ItemController.php
@@ -36,5 +36,4 @@
  */
 class ItemController extends \OPNsense\Base\IndexController
 {
-
 }
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
index 0f71cf62c6..dd18169453 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
@@ -41,7 +41,6 @@
  */
 class SettingsController extends ApiMutableModelControllerBase
 {
-
     protected static $internalModelName = 'relayd';
     protected static $internalModelClass = '\OPNsense\Relayd\Relayd';
 
diff --git a/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/NetworkController.php b/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/NetworkController.php
index 03dde0179a..c1b436118e 100644
--- a/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/NetworkController.php
+++ b/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/NetworkController.php
@@ -39,7 +39,6 @@
 
 class NetworkController extends ApiMutableModelControllerBase
 {
-
     protected static $internalModelName = 'Zerotier';
     protected static $internalModelClass = '\OPNsense\Zerotier\Zerotier';
 
diff --git a/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/SettingsController.php b/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/SettingsController.php
index ac37bcf878..dd1dcc4bbb 100644
--- a/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/SettingsController.php
+++ b/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/SettingsController.php
@@ -39,7 +39,6 @@
 
 class SettingsController extends ApiMutableModelControllerBase
 {
-
     protected static $internalModelName = 'Zerotier';
     protected static $internalModelClass = '\OPNsense\Zerotier\Zerotier';
 
diff --git a/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.php b/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.php
index a16fa8f8aa..c4067fc9de 100644
--- a/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.php
+++ b/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.php
@@ -35,5 +35,4 @@
 
 class Zerotier extends BaseModel
 {
-
 }
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index b9626d2119..461b813fad 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -40,7 +40,6 @@
  */
 class Git extends Base implements IBackupProvider
 {
-
     /**
      * @inheritdoc
      */
diff --git a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.php b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.php
index a049ba655d..075259cefb 100644
--- a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.php
+++ b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.php
@@ -35,5 +35,4 @@
 
 class General extends BaseModel
 {
-
 }

From 4227a01fd2e7adc873a66fb4e037cb975349ceee Mon Sep 17 00:00:00 2001
From: Karlson2k <k2k@narod.ru>
Date: Mon, 31 Jan 2022 12:26:19 +0300
Subject: [PATCH 0937/3088] dns/dnscrypt-proxy: fixed "disabled_server_names"
 (#2788)

Fixed function of "Disabled Servers List" when more than one server
specified in the list.
---
 dns/dnscrypt-proxy/pkg-descr                                    | 2 ++
 .../templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml        | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index f6cdd0817c..8619615eb4 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -8,6 +8,8 @@ Plugin Changelog
 1.11
 
 * Fix DNSBL update due to FreeBSD13 upgrade (sed syntax)
+* Fix "manual disable of specific servers" when more than one server is
+  specified (contributed by Evgeny Grin (karlson2k))
 
 1.10
 
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index 2207b162b1..96dd4718ef 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -5,7 +5,7 @@ server_names = [{{ "'" + ("','".join(OPNsense.dnscryptproxy.general.serverlist.s
 {%   endif %}
 
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.disabled_serverlist') and OPNsense.dnscryptproxy.general.disabled_serverlist != '' %}
-disabled_server_names = ['{{OPNsense.dnscryptproxy.general.disabled_serverlist}}']
+disabled_server_names = [{{ "'" + ("','".join(OPNsense.dnscryptproxy.general.disabled_serverlist.split(','))) + "'" }}]
 {%   endif %}
 
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.listen_addresses') and OPNsense.dnscryptproxy.general.listen_addresses != '' %}

From 6a7babcf20398b1fa845deff35edcda498384925 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 31 Jan 2022 10:30:49 +0100
Subject: [PATCH 0938/3088] net-mgmt/zabbix-agent: Add description to restart
 action (#2792)

---
 net-mgmt/zabbix-agent/Makefile                                | 2 +-
 net-mgmt/zabbix-agent/pkg-descr                               | 4 ++++
 .../opnsense/service/conf/actions.d/actions_zabbixagent.conf  | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index a0d556e711..7a79968563 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.10
+PLUGIN_VERSION=		1.11
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_VARIANTS=	zabbix5 zabbix54
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index b569787361..b1811bc200 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.11
+
+* Add description to restart action to allow restart via cron
+
 1.10
 
 Added:
diff --git a/net-mgmt/zabbix-agent/src/opnsense/service/conf/actions.d/actions_zabbixagent.conf b/net-mgmt/zabbix-agent/src/opnsense/service/conf/actions.d/actions_zabbixagent.conf
index c3b09eae3a..d95fb2da2d 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/service/conf/actions.d/actions_zabbixagent.conf
+++ b/net-mgmt/zabbix-agent/src/opnsense/service/conf/actions.d/actions_zabbixagent.conf
@@ -14,6 +14,7 @@ message:stopping zabbix_agentd
 command:/usr/local/opnsense/scripts/OPNsense/ZabbixAgent/setup.sh; /usr/local/etc/rc.d/zabbix_agentd restart
 parameters:
 type:script
+description:Restart Zabbix Agent
 message:restarting zabbix_agentd
 
 [status]

From 9ff548829c34a59d79cbf4e5c6b2f0ce2b459712 Mon Sep 17 00:00:00 2001
From: Markus Reiter <me@reitermark.us>
Date: Tue, 1 Feb 2022 08:05:41 +0100
Subject: [PATCH 0939/3088] Add CARP hook for mDNS repeater. (#2762)

Only run the repeater on one node.

Fixes #2595.
---
 .../src/etc/rc.syshook.d/carp/50-mdns         | 74 +++++++++++++++++++
 .../OPNsense/MDNSRepeater/forms/general.xml   | 30 +++++---
 .../OPNsense/MDNSRepeater/MDNSRepeater.xml    |  6 +-
 .../OPNsense/MDNSRepeater/mdnsrepeater        |  3 +
 4 files changed, 100 insertions(+), 13 deletions(-)
 create mode 100644 net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns

diff --git a/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns b/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns
new file mode 100644
index 0000000000..379f111b75
--- /dev/null
+++ b/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns
@@ -0,0 +1,74 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+    Copyright (C) 2022 Markus Reiter <me@reitermark.us>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once("config.inc");
+require_once("util.inc");
+require_once('interfaces.inc');
+require_once("plugins.inc.d/mdnsrepeater.inc");
+
+$mdns_repeater = new \OPNsense\MDNSRepeater\MDNSRepeater();
+$mdns_repeater_carp_enabled =
+    (string)$mdns_repeater->enabled == '1' &&
+    (string)$mdns_repeater->enablecarp == '1';
+
+if ($mdns_repeater_carp_enabled) {
+    $subsystem = !empty($argv[1]) ? $argv[1] : '';
+    $type = !empty($argv[2]) ? $argv[2] : '';
+
+    if ($type != 'MASTER' && $type != 'BACKUP') {
+        log_error("Carp '$type' event unknown from source '{$subsystem}'");
+        exit(1);
+    }
+
+    if (!strstr($subsystem, '@')) {
+        log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
+        exit(1);
+    }
+
+    list ($vhid, $iface) = explode('@', $subsystem);
+
+    $friendly_interface = convert_real_interface_to_friendly_interface_name($iface);
+    $mdns_repeater_interfaces = explode(',', $mdns_repeater->interfaces);
+    if (!in_array($friendly_interface, $mdns_repeater_interfaces)) {
+        exit(0);
+    }
+
+    $backend = new \OPNsense\Core\Backend();
+
+    switch ($type) {
+        case 'MASTER':
+            touch('/var/run/mdns-repeater.CARP_MASTER');
+            $backend->configdRun('mdnsrepeater start');
+            break;
+        case 'BACKUP':
+            @unlink('/var/run/mdns-repeater.CARP_MASTER');
+            $backend->configdRun('mdnsrepeater stop');
+            break;
+    }
+}
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
index e6a87140ea..d7a8bea2ca 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
+++ b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
@@ -1,14 +1,20 @@
 <form>
-   <field>
-      <id>mdnsrepeater.enabled</id>
-      <label>Enabled</label>
-      <type>checkbox</type>
-      <help>Enable the repeater.</help>
-   </field>
-   <field>
-      <id>mdnsrepeater.interfaces</id>
-      <label>Listen Interfaces</label>
-      <type>select_multiple</type>
-      <help>At least two interfaces must be selected.</help>
-   </field>
+  <field>
+    <id>mdnsrepeater.enabled</id>
+    <label>Enable</label>
+    <type>checkbox</type>
+    <help>Enable the repeater.</help>
+  </field>
+  <field>
+    <id>mdnsrepeater.enablecarp</id>
+    <label>Enable CARP Failover</label>
+    <type>checkbox</type>
+    <help>This will activate the repeater service only on the master device.</help>
+  </field>
+  <field>
+    <id>mdnsrepeater.interfaces</id>
+    <label>Listen Interfaces</label>
+    <type>select_multiple</type>
+    <help>At least two interfaces must be selected.</help>
+  </field>
 </form>
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
index 245cc6ebe8..b3affd1764 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
+++ b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
@@ -1,12 +1,16 @@
 <model>
   <mount>//OPNsense/MDNSRepeater</mount>
-  <version>1.0.0</version>
+  <version>1.0.1</version>
   <description>mdns-repeater settings</description>
   <items>
     <enabled type="BooleanField">
       <default>0</default>
       <Required>Y</Required>
     </enabled>
+    <enablecarp type="BooleanField">
+      <default>0</default>
+      <Required>Y</Required>
+    </enablecarp>
     <interfaces type="InterfaceField">
       <default>lan</default>
       <Required>Y</Required>
diff --git a/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater b/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater
index feb71084a6..7ca779ca55 100644
--- a/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater
+++ b/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater
@@ -1,6 +1,9 @@
 {% if helpers.exists('OPNsense.MDNSRepeater.enabled') and OPNsense.MDNSRepeater.enabled == '1' %}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 mdns_repeater_enable="YES"
+{% if helpers.exists('OPNsense.MDNSRepeater.enablecarp') and OPNsense.MDNSRepeater.enablecarp == '1' %}
+required_files="/var/run/mdns-repeater.CARP_MASTER"
+{% endif %}
 {% set osifnames = OPNsense.MDNSRepeater.interfaces.split(',') %}
 {% set interface_list=[] %}
 {% for i in osifnames %}

From 88148b1943a91f87be9b02aea4bfa378db85032e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Feb 2022 08:24:39 +0100
Subject: [PATCH 0940/3088] net/mdns-repeater: new release 1.1

---
 LICENSE                                       |  1 +
 net/mdns-repeater/Makefile                    |  3 +-
 net/mdns-repeater/pkg-descr                   | 13 ++++-
 .../src/etc/rc.syshook.d/carp/50-mdns         | 48 +++++++++----------
 4 files changed, 37 insertions(+), 28 deletions(-)
 mode change 100644 => 100755 net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns

diff --git a/LICENSE b/LICENSE
index e3a53b56c0..401f5af5f8 100644
--- a/LICENSE
+++ b/LICENSE
@@ -30,6 +30,7 @@ Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2020 Marc Leuser
 Copyright (c) 2021 Marcel Koepfli
 Copyright (c) 2021 Markus Peter <mpeter@one-it.de>
+Copyright (c) 2022 Markus Reiter <me@reitermark.us>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
diff --git a/net/mdns-repeater/Makefile b/net/mdns-repeater/Makefile
index 2c17394c8d..a1febb5539 100644
--- a/net/mdns-repeater/Makefile
+++ b/net/mdns-repeater/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		mdns-repeater
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Proxy multicast DNS between networks
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 PLUGIN_DEPENDS=		mdns-repeater
diff --git a/net/mdns-repeater/pkg-descr b/net/mdns-repeater/pkg-descr
index 3bcc2b3b9e..a5ed7facd2 100644
--- a/net/mdns-repeater/pkg-descr
+++ b/net/mdns-repeater/pkg-descr
@@ -2,6 +2,15 @@ mdns-repeater is a Multicast DNS repeater. Multicast DNS uses the 224.0.0.251
 address, which is "administratively scoped" and does not leave the subnet.
 
 This program re-broadcast mDNS packets from one interface to other interfaces.
+It can be used to bridge zeroconf devices to work properly across the two subnets.
 
-It can be used to bridge zeroconf devices to work properly across the two
-subnets.
+Plugin Changelog
+================
+
+1.1
+
+* CARP support (contributed by Markus Reiter)
+
+1.0
+
+* Initial release
diff --git a/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns b/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns
old mode 100644
new mode 100755
index 379f111b75..07c1bb207b
--- a/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns
+++ b/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns
@@ -2,30 +2,30 @@
 <?php
 
 /*
-    Copyright (C) 2022 Markus Reiter <me@reitermark.us>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2022 Markus Reiter <me@reitermark.us>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 require_once("config.inc");
 require_once("util.inc");

From 6b0fcd0c2d5366d307fc47c85488dcc9b8a2c0bb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Feb 2022 14:30:11 +0100
Subject: [PATCH 0941/3088] security: update these urls too

---
 .../opnsense/scripts/suricata/metadata/rules/et-open-extra.xml  | 2 +-
 .../src/opnsense/scripts/suricata/metadata/rules/et-pro.xml     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
index ca6f397f64..af9114aa4f 100644
--- a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset documentation_url="http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
+<ruleset documentation_url="https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
     <location url="https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz" prefix="ET open"/>
     <version url="https://rules.emergingthreats.net/open/suricata-4.0/version.txt"/>
     <files>
diff --git a/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml b/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml
index 4accb4f376..715b749bb3 100644
--- a/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml
+++ b/security/intrusion-detection-content-et-pro/src/opnsense/scripts/suricata/metadata/rules/et-pro.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<ruleset documentation_url="http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
+<ruleset documentation_url="https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
 	<location url="https://rules.emergingthreatspro.com/%%etpro.oinkcode%%/suricata-5.0/etpro.rules.tar.gz" prefix="ET Pro"/>
 	<version url="https://rules.emergingthreatspro.com/%%etpro.oinkcode%%/suricata-5.0/version.txt"/>
 	<files>

From a2c07f5ec45f7359a2d8fbe39605d08fada4e4d0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Feb 2022 14:31:03 +0100
Subject: [PATCH 0942/3088] Framework: switch to 22.1

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index b794cebfba..534214e2ff 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -57,7 +57,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	21.7
+PLUGIN_ABI?=	22.1
 .endif
 
 PHPBIN=		${LOCALBASE}/bin/php

From 1415dcccc24a88b1e5e5f0cca6854cb41c867e00 Mon Sep 17 00:00:00 2001
From: Zane Chua <4265429+zanechua@users.noreply.github.com>
Date: Wed, 2 Feb 2022 23:31:47 -0800
Subject: [PATCH 0943/3088] dns/bind: Implement filter-aaaa (#1722)

---
 .../OPNsense/Bind/forms/general.xml           | 20 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Bind/General.xml  | 13 ++++++++++++
 .../templates/OPNsense/Bind/named.conf        | 14 +++++++++++++
 3 files changed, 47 insertions(+)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index da2938c356..8c15212100 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -69,6 +69,26 @@
         <allownew>true</allownew>
         <help>Set one or more hosts to send your DNS queries if the request is unknown.</help>
     </field>
+    <field>
+        <id>general.filteraaaav4</id>
+        <label>Enable filter-aaaa on IPv4 Clients</label>
+        <type>checkbox</type>
+        <help>This will filter AAAA records on IPv4 Clients</help>
+    </field>
+    <field>
+        <id>general.filteraaaav6</id>
+        <label>Enable filter-aaaa on IPv6 Clients</label>
+        <type>checkbox</type>
+        <help>This will filter AAAA records on IPv6 Clients</help>
+    </field>
+    <field>
+        <id>general.filteraaaaacl</id>
+        <label>ACl for filter-aaaa</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>Specifies a list of client addresses for which AAAA filtering is to be applied.</help>
+    </field>
     <field>
         <id>general.logsize</id>
         <label>Logsize in MB</label>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 5d67e79318..edd75d1607 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -56,6 +56,19 @@
             <Required>N</Required>
             <asList>Y</asList>
         </forwarders>
+        <filteraaaav4 type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </filteraaaav4>
+        <filteraaaav6 type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </filteraaaav6>
+        <filteraaaaacl type="NetworkField">
+            <FieldSeparator>,</FieldSeparator>
+            <Required>N</Required>
+            <asList>Y</asList>
+        </filteraaaaacl>
         <logsize type="IntegerField">
             <default>5</default>
             <Required>Y</Required>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index abb5b57200..d0c552157a 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -193,3 +193,17 @@ logging {
         category lame-servers { null; };
 };
 {% endif %}
+
+{% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' or helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
+plugin query "/usr/local/lib/named/filter-aaaa.so" {
+{% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' %}
+                   filter-aaaa-on-v4 yes;
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
+                   filter-aaaa-on-v6 yes;
+{% endif %}
+{% if helpers.exists('OPNsense.bind.general.filteraaaaacl') and OPNsense.bind.general.filteraaaaacl != '' %}
+        filter-aaaa    { {{ OPNsense.bind.general.filteraaaaacl.replace(',', '; ') }}; };
+{% endif %}
+           };
+{% endif %}

From ec080d9d068cd4476e95287d0ca8fa7cd60da8e3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 3 Feb 2022 08:34:41 +0100
Subject: [PATCH 0944/3088] dns/bind: as discussed

---
 dns/bind/Makefile                                             | 2 +-
 dns/bind/pkg-descr                                            | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Bind/General.xml     | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 7018cf0f6e..738804e21e 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.20
+PLUGIN_VERSION=		1.21
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index ea2c307f3c..0f64290fbb 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.21
+
+* Add support for filter AAAA in DNS responses when A is present (contributed by Zane Chua)
+
 1.20
 
 * Allow signed zone transfers (contributed by Michael Newton)
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index edd75d1607..d9f73fc683 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/general</mount>
     <description>BIND configuration</description>
-    <version>1.0.7</version>
+    <version>1.0.8</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>

From 3e64ff9251fb9c1b332f2faf2f98385cad884192 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Thu, 3 Feb 2022 09:35:06 +0000
Subject: [PATCH 0945/3088] WIP net/frr: Add BGP password support (#2800)

Add BGP password support [https://github.com/opnsense/plugins/pull/2645]

Try to figure out which entries belong to FRR before removing them, so neighbour changes won't be left on the machine after apply.
Flush our desired configuration into /usr/local/etc/frr/sa_policies.conf for easy reading and testing.

Since we don't know if passwords have changed, we will have to drop SA's first. When this is a bit bumpy, we may also try to alter the existing SA's, this shouldn't be too hard to add later on.

Co-authored-by: Michael <m.muenz@gmail.com>
---
 net/frr/pkg-descr                             |  1 +
 .../OPNsense/Quagga/Api/BgpController.php     |  2 +
 .../Quagga/forms/dialogEditBGPNeighbor.xml    | 14 ++++
 .../mvc/app/models/OPNsense/Quagga/BGP.xml    |  6 ++
 net/frr/src/opnsense/scripts/frr/register_sas | 68 +++++++++++++++++++
 net/frr/src/opnsense/scripts/quagga/setup.sh  |  3 +
 .../templates/OPNsense/Quagga/+TARGETS        |  1 +
 .../templates/OPNsense/Quagga/bgpd.conf       |  3 +
 .../OPNsense/Quagga/sa_policies.conf          | 24 +++++++
 9 files changed, 122 insertions(+)
 create mode 100755 net/frr/src/opnsense/scripts/frr/register_sas
 create mode 100644 net/frr/src/opnsense/service/templates/OPNsense/Quagga/sa_policies.conf

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 77b799b58f..a8ef2122df 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 1.26
 
 * Fix Model migration errors
+* Add BGP password authentication
 
 1.25
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 8eb6bd1296..9f505632e1 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -45,6 +45,8 @@ public function searchNeighborAction()
                   "description",
                   "address",
                   "remoteas",
+                  "password",
+                  "localip",
                   "updatesource",
                   "nexthopself",
                   "multihop",
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index d9f7f012d5..8665c2bce2 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -22,6 +22,20 @@
     <type>text</type>
     <help>Neighbor AS.</help>
   </field>
+  <field>
+    <id>neighbor.password</id>
+    <label>BGP MD5 Password</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Set a password for BGP authentication.</help>
+  </field>
+  <field>
+    <id>neighbor.localip</id>
+    <label>Local Initiater IP</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Set the local IP connecting to the neighbor. This is only required for BGP authentication.</help>
+  </field>
   <field>
     <id>neighbor.updatesource</id>
     <label>Update-Source Interface</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 3a052bd4eb..33dd741479 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -57,6 +57,12 @@
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>4294967295</MaximumValue>
                         </remoteas>
+                        <password type="TextField">
+                                <Required>N</Required>
+                        </password>
+                        <localip type="NetworkField">
+                                <Required>N</Required>
+                        </localip>
                         <updatesource type="InterfaceField">
                                 <default></default>
                                 <Required>N</Required>
diff --git a/net/frr/src/opnsense/scripts/frr/register_sas b/net/frr/src/opnsense/scripts/frr/register_sas
new file mode 100755
index 0000000000..a56c07ef6a
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/register_sas
@@ -0,0 +1,68 @@
+#!/usr/local/bin/python3
+"""
+    Copyright (c) 2022 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import os
+import subprocess
+import tempfile
+from configparser import ConfigParser
+
+if __name__ == '__main__':
+    frr_sad = {}
+    frr_sa_database = "/usr/local/etc/frr/sa_policies.conf"
+    # stage 1, read required FRR policies
+    if os.path.exists(frr_sa_database):
+        cnf = ConfigParser()
+        cnf.read(frr_sa_database)
+        for section in cnf.sections():
+            if cnf.has_option(section, 'src') and cnf.has_option(section, 'dst'):
+                policy_key = "%s %s" % (cnf.get(section, 'src'), cnf.get(section, 'dst'))
+                frr_sad[policy_key] = {}
+                for prop in cnf.items(section):
+                    frr_sad[policy_key][prop[0]] = prop[1]
+
+    # stage 2, red current installed policies which seems to originate from FRR
+    registered_policies = []
+    current_policy = None
+    for line in subprocess.run(["/sbin/setkey", "-D"], capture_output=True, text=True).stdout.split('\n'):
+        parts = line.strip().split()
+        if not line.startswith('\t') and len(parts) > 1:
+            current_policy = {"src": parts[0], "dst": parts[1]}
+        elif len(parts) > 2 and parts[0] == 'A:' and parts[1] == 'tcp-md5':
+            # Let's assume we're the only ones registering these types of entries
+            registered_policies.append(current_policy)
+
+    # flush changes to temp file and load with setkey
+    temp_filename = None
+    with tempfile.NamedTemporaryFile(mode='wt', delete=False) as fo:
+        temp_filename = fo.name
+        for policy in registered_policies:
+            fo.write("delete -4 %(src)s %(dst)s tcp 0x1000;\n" % policy)
+        for new_policy in frr_sad:
+            fo.write('add -4 %(src)s %(dst)s %(protocol)s %(spi)s -A %(aalgo)s "%(key)s";\n' % frr_sad[new_policy])
+
+    if temp_filename:
+        subprocess.run(["/sbin/setkey", "-f", fo.name], capture_output=True, text=True)
diff --git a/net/frr/src/opnsense/scripts/quagga/setup.sh b/net/frr/src/opnsense/scripts/quagga/setup.sh
index 5cb140a6bc..f91e271fd3 100755
--- a/net/frr/src/opnsense/scripts/quagga/setup.sh
+++ b/net/frr/src/opnsense/scripts/quagga/setup.sh
@@ -18,3 +18,6 @@ chown -R $user:$group /var/run/frr
 # logfile (if used)
 touch /var/log/frr.log
 chown $user:$group /var/log/frr.log
+
+# register Security Associations
+/usr/local/opnsense/scripts/frr/register_sas
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
index 30b11bedbf..c2e0542d6f 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
@@ -4,6 +4,7 @@ ospfd.conf:/usr/local/etc/frr/ospfd.conf
 ospfd_carp.conf:/usr/local/etc/frr/ospfd_carp.conf
 ospf6d.conf:/usr/local/etc/frr/ospf6d.conf
 ripd.conf:/usr/local/etc/frr/ripd.conf
+sa_policies.conf:/usr/local/etc/frr/sa_policies.conf
 frr:/etc/rc.conf.d/frr
 zebra.conf:/usr/local/etc/frr/zebra.conf
 vtysh.conf:/usr/local/etc/frr/vtysh.conf
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 3f43144fd2..499ffe8e1e 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -57,6 +57,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'bfd' in neighbor and neighbor.bfd == '1' %}
  neighbor {{ neighbor.address }} bfd
 {%         endif %}
+{%         if 'password' in neighbor and neighbor.password != '' %}
+ neighbor {{ neighbor.address }} password {{ neighbor.password }}
+{%         endif %}
 {%         if ':' not in neighbor.address and 'updatesource' in neighbor and neighbor.updatesource != '' %}
  neighbor {{ neighbor.address }} update-source {{ physical_interface(neighbor.updatesource) }}
 {%         endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/sa_policies.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/sa_policies.conf
new file mode 100644
index 0000000000..bb1587cf3d
--- /dev/null
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/sa_policies.conf
@@ -0,0 +1,24 @@
+{% if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled == '1' %}
+{%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') %}
+{%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
+{%       if neighbor.enabled == '1' and neighbor.password|default('') != '' %}
+[policy_{{neighbor['@uuid']}}_in]
+src={{ neighbor.address }}
+dst={{ neighbor.localip }}
+protocol=tcp
+spi=0x1000
+aalgo=tcp-md5
+key={{ neighbor.password }}
+
+[policy_{{neighbor['@uuid']}}_out]
+src={{ neighbor.localip }}
+dst={{ neighbor.address }}
+protocol=tcp
+spi=0x1000
+aalgo=tcp-md5
+key={{ neighbor.password }}
+
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endif %}

From f64f795329ac9073c921b88f0b6313d8dc85b987 Mon Sep 17 00:00:00 2001
From: Niklas <Alphakilo@users.noreply.github.com>
Date: Thu, 3 Feb 2022 16:35:27 +0100
Subject: [PATCH 0946/3088] dns-ddclient : minor typo and indentation
 inconsistency (#2804)

---
 .../mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
index fb0f9a4285..fd56c89214 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -23,7 +23,7 @@
         <label>Check ip method</label>
         <type>dropdown</type>
         <help>
-          How to determine the address to uswe for this host
+            How to determine the address to use for this host
         </help>
     </field>
 </form>

From 03e60fa604923d02fec3199f1ad81c8ee93c4af0 Mon Sep 17 00:00:00 2001
From: Netboy3 <1472804+netboy3@users.noreply.github.com>
Date: Thu, 3 Feb 2022 10:58:38 -0500
Subject: [PATCH 0947/3088] dns/ddclient - Add Hurricane Electric provider
 (#2805)

HE is using the dyndns2 protocol for both dynamic DNS
and IPv6 TunnelBroker services. Add both services to
the service.
---
 .../opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml    | 2 ++
 .../service/templates/OPNsense/ddclient/ddclient.conf     | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 756d13c0df..a0b7fb887c 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -61,6 +61,8 @@
                         <duckdns>DuckDNS</duckdns>
                         <easydns>EasyDNS</easydns>
                         <googledomains>Google</googledomains>
+                        <he-net>HE.net</he-net>
+                        <he-net-tunnel>HE.net TunnelBroker</he-net-tunnel>
                         <namecheap>NameCheap</namecheap>
                         <noip>Noip</noip>
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index a506db3ec7..b676d9e305 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -49,6 +49,14 @@ use=web, web=http://dynamic.zoneedit.com/checkip.html
 {%            if account.service == 'cloudflare' %}
 protocol=cloudflare
 zone={{account.zone}}
+{%            elif account.service == 'he-net' %}
+protocol=dyndns2
+ssl=yes
+server=dyn.dns.he.net
+{%            elif account.service == 'he-net-tunnel' %}
+protocol=dyndns2
+ssl=yes
+server=ipv4.tunnelbroker.net
 {%            elif account.service == 'nsupdatev4' %}
 protocol=dyndns2
 ssl=yes

From d338587fa8442c809a2409878af9c90bf67703df Mon Sep 17 00:00:00 2001
From: Niklas <Alphakilo@users.noreply.github.com>
Date: Thu, 3 Feb 2022 17:00:59 +0100
Subject: [PATCH 0948/3088] convert list to tasks (#2803)

---
 .github/ISSUE_TEMPLATE/bug_report.md      | 8 +++-----
 .github/ISSUE_TEMPLATE/feature_request.md | 8 +++-----
 .github/ISSUE_TEMPLATE/question.md        | 5 ++---
 3 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index f54090a6b9..c06ec63b26 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -10,11 +10,9 @@ assignees: ''
 **Important notices**
 Before you add a new report, we ask you kindly to acknowledge the following:
 
-[-] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
-
-[-] I have searched the existing issues and I'm convinced that mine is new.
-
-[-] The title contains the plugin to which this issue belongs
+- [ ] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
+- [ ] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
+- [ ] The title contains the plugin to which this issue belongs
 
 **Describe the bug**
 A clear and concise description of what the bug is, including last known working version (if any).
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
index c96c1c7467..fe3c8fca51 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -10,11 +10,9 @@ assignees: ''
 **Important notices**
 Before you add a new report, we ask you kindly to acknowledge the following:
 
-[-] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
-
-[-] I have searched the existing issues and I'm convinced that mine is new.
-
-[-] When the request is meant for an existing plugin, I've added its name to the title.
+- [ ] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
+- [ ] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
+- [ ] When the request is meant for an existing plugin, I've added its name to the title.
 
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
index 6152184ac3..b4d4daf5e5 100644
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -13,6 +13,5 @@ Our forum is located at https://forum.opnsense.org , please consider joining dis
 
 Before you ask a new question, we ask you kindly to acknowledge the following:
 
-[-] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
-
-[-] I have searched the existing issues and I'm convinced that mine is new.
+- [ ] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
+- [ ] I have searched the existing issues, open and closed, and I'm convinced that mine is new.

From db7c6fabc6911c0627d390262ecdb36dd2d3b7e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20M=C3=BCller?= <robin.mueller@outlook.de>
Date: Fri, 4 Feb 2022 08:28:32 +0100
Subject: [PATCH 0949/3088] dns/ddclient fix ip6only.me typo (#2807)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index a0b7fb887c..c80e5b046b 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -30,7 +30,7 @@
                     <web_googledomains>googledomains</web_googledomains>
                     <web_he>he</web_he>
                     <web_ip4only_me value="web_ip4only.me">ip4only.me</web_ip4only_me>
-                    <web_ip6only_me value="web_ip6only.me">ip4only.me</web_ip6only_me>
+                    <web_ip6only_me value="web_ip6only.me">ip6only.me</web_ip6only_me>
                     <web_ipify_ipv4 value="web_ipify-ipv4">ipify-ipv4</web_ipify_ipv4>
                     <web_ipify_ipv6 value="web_ipify-ipv6">ipify-ipv6</web_ipify_ipv6>
                     <web_loopia>loopia</web_loopia>

From 22e8be6f68846e81c64bead30c394b596d40c02a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 4 Feb 2022 08:55:15 +0100
Subject: [PATCH 0950/3088] dns/ddclient: style

---
 .../mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml    | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
index fd56c89214..4aca916e9f 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -22,8 +22,6 @@
         <id>ddclient.general.checkip</id>
         <label>Check ip method</label>
         <type>dropdown</type>
-        <help>
-            How to determine the address to use for this host
-        </help>
+        <help>How to determine the address to use for this host</help>
     </field>
 </form>

From 8c1759abbc1ac32a6288ab8a57dcdbd23937914d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Sat, 5 Feb 2022 14:52:07 +0000
Subject: [PATCH 0951/3088] dns/ddclient: Use interface as ip source + custom
 service (#2813)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* dns/ddclient add interface as ip source

* dns/ddclient - use interface ip per account

* dns/ddclient - cleanups and visual changes for https://github.com/opnsense/plugins/pull/2791

* dns/ddclient merge custom service from https://github.com/opnsense/plugins/pull/2808

Co-authored-by: Robin Müller <robin.mueller@outlook.de>
---
 .../DynDNS/Api/AccountsController.php         | 15 ++-
 .../OPNsense/DynDNS/forms/dialogAccount.xml   | 27 +++++-
 .../OPNsense/DynDNS/forms/settings.xml        |  6 ++
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 28 ++++++
 .../mvc/app/views/OPNsense/DynDNS/index.volt  | 53 ++++++++---
 .../templates/OPNsense/ddclient/ddclient.conf | 93 ++++++++++---------
 6 files changed, 164 insertions(+), 58 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
index 55e775635a..2f6367856c 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
@@ -39,11 +39,22 @@ class AccountsController extends ApiMutableModelControllerBase
 
     public function searchItemAction()
     {
-        return $this->searchBase(
+        $result = $this->searchBase(
             "accounts.account",
-            ['enabled', 'service', 'description', 'username', 'hostnames'],
+            ['enabled', 'service', 'description', 'username', 'hostnames', 'use_interface', 'interface', 'protocol'],
             "description"
         );
+        foreach ($result['rows'] as &$row) {
+            if ($row['use_interface'] == "0") {
+                $row['interface'] = "";
+            }
+            unset($row['use_interface']);
+            if ($row['service'] == 'Custom') {
+                $row['service'] = 'Custom ('.$row['protocol'].')';
+            }
+            unset($row['protocol']);
+        }
+        return $result;
     }
 
     public function setItemAction($uuid)
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 9aad7678b9..dd0b6f0ae4 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -11,6 +11,20 @@
         <type>dropdown</type>
         <help>Select the service to use.</help>
     </field>
+    <field>
+        <id>account.protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help>Select the protocol to use.</help>
+        <style>optional_setting service_custom</style>
+    </field>
+    <field>
+        <id>account.server</id>
+        <label>Server</label>
+        <type>text</type>
+        <help>DynDNS Server</help>
+        <style>optional_setting service_custom</style>
+    </field>
     <field>
         <id>account.username</id>
         <label>Username</label>
@@ -27,7 +41,7 @@
         <id>account.wildcard</id>
         <label>Wildcard</label>
         <type>checkbox</type>
-        <style>optional_setting service_dyndns2 service_easydns</style>
+        <style>optional_setting service_dyndns2 service_easydns service_custom</style>
         <help>add a DNS wildcard CNAME record that points to the configured host.</help>
     </field>
     <field>
@@ -45,6 +59,17 @@
         <allownew>true</allownew>
         <help>Hostname to update</help>
     </field>
+    <field>
+        <id>account.use_interface</id>
+        <label>Use interface IP</label>
+        <type>checkbox</type>
+        <help>Use the IP of a specified interface for the update</help>
+    </field>
+    <field>
+        <id>account.interface</id>
+        <label>Interface</label>
+        <type>dropdown</type>
+    </field>
     <field>
         <id>account.description</id>
         <label>Description</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
index 4aca916e9f..756a2c4408 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -24,4 +24,10 @@
         <type>dropdown</type>
         <help>How to determine the address to use for this host</help>
     </field>
+    <field>
+        <id>ddclient.general.interface</id>
+        <label>Interface</label>
+        <type>dropdown</type>
+        <style>optional_setting checkip_if</style>
+    </field>
 </form>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index c80e5b046b..7f01a0158e 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -40,8 +40,14 @@
                     <web_nsupdate_info_ipv4 value="web_nsupdate.info-ipv4">nsupdate.info-ipv4</web_nsupdate_info_ipv4>
                     <web_nsupdate_info_ipv6 value="web_nsupdate.info-ipv6">nsupdate.info-ipv6</web_nsupdate_info_ipv6>
                     <web_zoneedit>zoneedit</web_zoneedit>
+                    <if>Interface</if>
                 </OptionValues>
             </checkip>
+            <interface type="InterfaceField">
+                <Required>N</Required>
+                <multiple>N</multiple>
+                <default>wan</default>
+            </interface>
         </general>
         <accounts>
             <account type="ArrayField">
@@ -69,8 +75,21 @@
                         <nsupdatev6>nsupdate.info (IPv6)</nsupdatev6>
                         <strato>STRATO</strato>
                         <zoneedit1>Zoneedit</zoneedit1>
+                        <custom>Custom</custom>
                     </OptionValues>
                 </service>
+                <protocol type="OptionField">
+                    <Required>N</Required>
+                    <ValidationMessage>A protocol type is required.</ValidationMessage>
+                    <OptionValues>
+                        <dyndns1>DynDns1</dyndns1>
+                        <dyndns2>DynDns2</dyndns2>
+                    </OptionValues>
+                </protocol>
+                <server type="HostnameField">
+                    <Required>N</Required>
+                    <IpAllowed>N</IpAllowed>
+                </server>
                 <username type="TextField">
                     <Required>N</Required>
                     <mask>/^([a-zA-Z0-9\-.@_:+])*$/u</mask>
@@ -94,6 +113,15 @@
                     <Required>N</Required>
                     <IpAllowed>N</IpAllowed>
                 </zone>
+                <use_interface type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </use_interface>
+                <interface type="InterfaceField">
+                    <Required>N</Required>
+                    <multiple>N</multiple>
+                    <default>wan</default>
+                </interface>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
diff --git a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
index 4355f4144d..c60d789495 100644
--- a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
+++ b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
@@ -54,22 +54,48 @@ POSSIBILITY OF SUCH DAMAGE.
               return dfObj;
           }
         });
-        $('#DialogAccount').on('shown.bs.modal', function (e) {
-            $("#account\\.service").change(function(){
-                let service = $(this).val();
-                $(".optional_setting").each(function(){
-                    let this_item = $(this);
-                    if (this_item.hasClass("service_"+service)) {
-                        this_item.prop( "disabled", false );
-                        this_item.closest("tr").show();
-                    } else {
-                        this_item.closest("tr").hide();
-                        this_item.prop( "disabled", true );
-                    }
-                });
+        $("#account\\.service").change(function(){
+            let service = $(this).val();
+            $("#frm_DialogAccount .optional_setting").each(function(){
+                let this_item = $(this);
+                if (this_item.hasClass("service_"+service)) {
+                    this_item.prop( "disabled", false );
+                    this_item.closest("tr").show();
+                } else {
+                    this_item.closest("tr").hide();
+                    this_item.prop( "disabled", true );
+                }
             });
+        });
+        $("#account\\.use_interface").change(function(){
+            if ($(this).is(':checked')) {
+                $("#account\\.interface").prop( "disabled", false );
+                $("#account\\.interface").closest("tr").show();
+            } else {
+                $("#account\\.interface").closest("tr").hide();
+                $("#account\\.interface").prop( "disabled", true );
+            }
+            $('#account\\.interface').selectpicker('refresh');
+        });
+        $('#DialogAccount').on('shown.bs.modal', function (e) {
             $("#account\\.service").change();
+            $("#account\\.use_interface").change();
+        });
+
+        $("#ddclient\\.general\\.checkip").change(function(){
+            let checkip = $(this).val();
+            $("#frm_settings .optional_setting").each(function(){
+                let this_item = $(this);
+                if (this_item.hasClass("checkip_"+checkip)) {
+                    this_item.prop( "disabled", false );
+                    this_item.closest("tr").show();
+                } else {
+                    this_item.closest("tr").hide();
+                    this_item.prop( "disabled", true );
+                }
+            });
         });
+        $("#ddclient\\.general\\.checkip").change();
     });
 
 </script>
@@ -88,6 +114,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="service" data-type="string">{{ lang._('Service') }}</th>
                 <th data-column-id="username" data-type="string">{{ lang._('Username') }}</th>
+                <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index b676d9e305..5aa00ca1c3 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -1,3 +1,4 @@
+{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 daemon={{OPNsense.DynDNS.general.daemon_delay|default('300')}}
 syslog=yes                  # log update msgs to syslog
 pid=/var/run/ddclient.pid   # record PID in file.
@@ -8,79 +9,87 @@ verbose=yes
 #
 # setup how we expect to retrieve an IP address
 #
-{%  if not helpers.empty('OPNsense.DynDNS.general.checkip') and OPNsense.DynDNS.general.checkip.startswith('web_')  %}
-{%      set checkip = OPNsense.DynDNS.general.checkip.lstrip('web_') %}
-{%      if checkip == 'dyndns' %}
+{%  if not helpers.empty('OPNsense.DynDNS.general.checkip') %}
+{%    set checkip = OPNsense.DynDNS.general.checkip %}
+{%    if checkip == 'if' and OPNsense.DynDNS.general.interface|default('') != '' %}
+use=if, if={{physical_interface(OPNsense.DynDNS.general.interface)}}
+{%    elif checkip == 'web_dyndns' %}
 use=web, web=http://checkip.dyndns.org/, web-skip="Current IP Address:"
-{%      elif checkip == 'freedns' %}
+{%    elif checkip == 'web_freedns' %}
 use=web, web=https://freedns.afraid.org/dynamic/check.php
-{%      elif checkip == 'googledomains' %}
+{%    elif checkip == 'web_googledomains' %}
 use=web, web=https://domains.google.com/checkip
-{%      elif checkip == 'he' %}
+{%    elif checkip == 'web_he' %}
 use=web, web=http://checkip.dns.he.net/
-{%      elif checkip == 'ip4only.me' %}
+{%    elif checkip == 'web_ip4only.me' %}
 use=web, web=http://ip4only.me/api/
-{%      elif checkip == 'ip6only.me' %}
+{%    elif checkip == 'web_ip6only.me' %}
 use=web, web=http://ip6only.me/api/
-{%      elif checkip == 'ipify-ipv4' %}
+{%    elif checkip == 'web_ipify-ipv4' %}
 use=web, web=https://api.ipify.org/
-{%      elif checkip == 'ipify-ipv6' %}
+{%    elif checkip == 'web_ipify-ipv6' %}
 use=web, web=https://api6.ipify.org/
-{%      elif checkip == 'loopia' %}
+{%    elif checkip == 'web_loopia' %}
 use=web, web=http://dns.loopia.se/checkip/checkip.php, web-skip="Current IP Address:"
-{%      elif checkip == 'myonlineportal' %}
+{%    elif checkip == 'web_myonlineportal' %}
 use=web, web=https://myonlineportal.net/checkip
-{%      elif checkip == 'noip-ipv4' %}
+{%    elif checkip == 'web_noip-ipv4' %}
 use=web, web=http://ip1.dynupdate.no-ip.com/
-{%      elif checkip == 'noip-ipv6' %}
+{%    elif checkip == 'web_noip-ipv6' %}
 use=web, web=http://ip1.dynupdate6.no-ip.com/
-{%      elif checkip == 'nsupdate.info-ipv4' %}
+{%    elif checkip == 'web_nsupdate.info-ipv4' %}
 use=web, web=https://ipv4.nsupdate.info/myip
-{%      elif checkip == 'nsupdate.info-ipv6' %}
+{%    elif checkip == 'web_nsupdate.info-ipv6' %}
 use=web, web=https://ipv6.nsupdate.info/myip
-{%      elif checkip == 'zoneedit' %}
+{%    elif checkip == 'web_zoneedit' %}
 use=web, web=http://dynamic.zoneedit.com/checkip.html
-{%      endif %}
+{%    endif %}
 {%  endif %}
 
 {%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
 {%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
 {%        if account.enabled|default('0') == '1' %}
-{%            if account.service == 'cloudflare' %}
-protocol=cloudflare
-zone={{account.zone}}
+{%            if account.use_interface|default('0') == '1' %}
+use=if, if={{physical_interface(account.interface)}}, \
+{%            endif %}
+{%            if account.service == 'custom' %}
+protocol={{account.protocol}}, \
+ssl=yes, \
+server={{account.server}}, \
+{%            elif account.service == 'cloudflare' %}
+protocol=cloudflare, \
+zone={{account.zone}}, \
 {%            elif account.service == 'he-net' %}
-protocol=dyndns2
-ssl=yes
-server=dyn.dns.he.net
+protocol=dyndns2, \
+ssl=yes, \
+server=dyn.dns.he.net, \
 {%            elif account.service == 'he-net-tunnel' %}
-protocol=dyndns2
-ssl=yes
-server=ipv4.tunnelbroker.net
+protocol=dyndns2, \
+ssl=yes, \
+server=ipv4.tunnelbroker.net, \
 {%            elif account.service == 'nsupdatev4' %}
-protocol=dyndns2
-ssl=yes
-server=ipv4.nsupdate.info
+protocol=dyndns2, \
+ssl=yes, \
+server=ipv4.nsupdate.info, \
 {%            elif account.service == 'nsupdatev6' %}
-protocol=dyndns2
-ssl=yes
-server=ipv6.nsupdate.info
+protocol=dyndns2, \
+ssl=yes, \
+server=ipv6.nsupdate.info, \
 {%            elif account.service == 'strato' %}
-use=web
-protocol=dyndns2
-ssl=yes
-server=dyndns.strato.com
+protocol=dyndns2, \
+ssl=yes, \
+server=dyndns.strato.com, \
 {%            else %}
-protocol={{account.service}}
-ssl=yes
+protocol={{account.service}}, \
+ssl=yes, \
 {%            endif %}
 {%            if account.wildcard|default('0') == '1' %}
-wildcard=yes
+wildcard=yes, \
 {%            endif %}
 {%            if account.username %}
-login={{account.username}}
+login={{account.username}}, \
 {%            endif %}
-password={{account.password}}
+password={{account.password}} \
 {{account.hostnames}}
 
 {%        endif %}

From bd375036de7d1ef7fe7c375b55a72251cefd64af Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 5 Feb 2022 15:54:53 +0100
Subject: [PATCH 0952/3088] dns/ddclient - make sure there's a new version
 number before we're ready to release

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 2c67781fd6..d0f2042782 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 #PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client

From 12e7dd89b18dc83b8602f48aeadde6ce031a018c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robin=20M=C3=BCller?= <robin.mueller@outlook.de>
Date: Tue, 8 Feb 2022 17:07:45 +0100
Subject: [PATCH 0953/3088] dsn/ddclient option to force ssl (#2823)

* dsn/ddclient option to force ssl
* dns/ddclient default ssl
---
 .../app/controllers/OPNsense/DynDNS/forms/settings.xml |  7 +++++++
 .../opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  6 +++++-
 .../service/templates/OPNsense/ddclient/ddclient.conf  | 10 +++-------
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
index 756a2c4408..0a54f0a61b 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -12,6 +12,13 @@
         <advanced>true</advanced>
         <help>Enable verbose logging</help>
     </field>
+    <field>
+        <id>ddclient.general.force_ssl</id>
+        <label>Force SSL</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Force update using HTTPS</help>
+    </field>
     <field>
         <id>ddclient.general.daemon_delay</id>
         <label>Interval</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 7f01a0158e..36c102011d 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/DynDNS</mount>
-    <version>1.0.0</version>
+    <version>1.1.0</version>
     <description>
         Dynamic DNS client
     </description>
@@ -14,6 +14,10 @@
                 <default>0</default>
                 <Required>Y</Required>
             </verbose>
+            <force_ssl type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </force_ssl>
             <daemon_delay type="IntegerField">
                 <default>300</default>
                 <Required>Y</Required>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 5aa00ca1c3..354c5917b4 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -2,6 +2,9 @@
 daemon={{OPNsense.DynDNS.general.daemon_delay|default('300')}}
 syslog=yes                  # log update msgs to syslog
 pid=/var/run/ddclient.pid   # record PID in file.
+{% if not helpers.empty('OPNsense.DynDNS.general.force_ssl') %}
+ssl=yes
+{% endif %}
 {% if not helpers.empty('OPNsense.DynDNS.general.verbose') %}
 verbose=yes
 {% endif %}
@@ -54,34 +57,27 @@ use=if, if={{physical_interface(account.interface)}}, \
 {%            endif %}
 {%            if account.service == 'custom' %}
 protocol={{account.protocol}}, \
-ssl=yes, \
 server={{account.server}}, \
 {%            elif account.service == 'cloudflare' %}
 protocol=cloudflare, \
 zone={{account.zone}}, \
 {%            elif account.service == 'he-net' %}
 protocol=dyndns2, \
-ssl=yes, \
 server=dyn.dns.he.net, \
 {%            elif account.service == 'he-net-tunnel' %}
 protocol=dyndns2, \
-ssl=yes, \
 server=ipv4.tunnelbroker.net, \
 {%            elif account.service == 'nsupdatev4' %}
 protocol=dyndns2, \
-ssl=yes, \
 server=ipv4.nsupdate.info, \
 {%            elif account.service == 'nsupdatev6' %}
 protocol=dyndns2, \
-ssl=yes, \
 server=ipv6.nsupdate.info, \
 {%            elif account.service == 'strato' %}
 protocol=dyndns2, \
-ssl=yes, \
 server=dyndns.strato.com, \
 {%            else %}
 protocol={{account.service}}, \
-ssl=yes, \
 {%            endif %}
 {%            if account.wildcard|default('0') == '1' %}
 wildcard=yes, \

From a4ba4d9bc03cf19ca6ff648136c545424c86a25c Mon Sep 17 00:00:00 2001
From: lfirewall1243 <41630758+lfirewall1243@users.noreply.github.com>
Date: Tue, 8 Feb 2022 18:37:02 +0100
Subject: [PATCH 0954/3088] make multimap Whitelist work (#2822)

---
 mail/rspamd/Makefile                                         | 2 +-
 mail/rspamd/pkg-descr                                        | 5 +++++
 .../opnsense/service/templates/OPNsense/Rspamd/multimap.conf | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index 01016fdafc..c1f1f8994b 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		rspamd
-PLUGIN_VERSION=		1.11
+PLUGIN_VERSION=		1.12
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/mail/rspamd/pkg-descr b/mail/rspamd/pkg-descr
index 183897120d..944931b608 100644
--- a/mail/rspamd/pkg-descr
+++ b/mail/rspamd/pkg-descr
@@ -5,6 +5,11 @@ lua.
 Plugin Changelog
 ----------------
 
+1.12
+
+* Adjusting the multimap setting to make the multimap whitelist work
+
+
 1.11
 
 * Fix Milter Protocol by binding to Unix Sockets
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/multimap.conf b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/multimap.conf
index f357673dc1..7875d94872 100644
--- a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/multimap.conf
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/multimap.conf
@@ -8,13 +8,13 @@ extension_blacklist {
   filter = "extension";
   map = "/${LOCAL_CONFDIR}/local.d/bad_file_extensions.map";
   symbol = "FILENAME_BLACKLISTED";
-  action = "reject";
+  score 1000;
 }
 
 WHITELIST_SENDER_DOMAIN {
   type = "from";
   filter = "email:domain";
   map = "/${LOCAL_CONFDIR}/local.d/whitelist_sender_domains.map";
-  score = -50.0
+  score = -1000
   }
 {% endif %}

From d40c3f833146f53e0db251615676f66e74c5fa76 Mon Sep 17 00:00:00 2001
From: Rene Schuster <mail@reneschuster.de>
Date: Thu, 10 Feb 2022 08:51:00 +0100
Subject: [PATCH 0955/3088] dns/ddclient add dns-o-matic (#2829)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 36c102011d..6ddd20cc32 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -65,6 +65,7 @@
                     <OptionValues>
                         <changeip>Changeip</changeip>
                         <cloudflare>Cloudflare</cloudflare>
+                        <dns-o-matic>DNS-O-Matic</dns-o-matic>
                         <dyndns2>DynDNS.com</dyndns2>
                         <dnspark>DnsPark</dnspark>
                         <dslreports1>DslReports</dslreports1>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 354c5917b4..151bd52665 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -61,6 +61,9 @@ server={{account.server}}, \
 {%            elif account.service == 'cloudflare' %}
 protocol=cloudflare, \
 zone={{account.zone}}, \
+{%            elif account.service == 'dns-o-matic' %}
+protocol=dyndns2, \
+server=updates.dnsomatic.com, \
 {%            elif account.service == 'he-net' %}
 protocol=dyndns2, \
 server=dyn.dns.he.net, \

From 18428e1f5cf54f4e7e00612d38b8f07952cd3f90 Mon Sep 17 00:00:00 2001
From: Rene Schuster <mail@reneschuster.de>
Date: Thu, 10 Feb 2022 08:53:30 +0100
Subject: [PATCH 0956/3088] dns/ddclient add inwx (#2828)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 6ddd20cc32..00cfbef2d2 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -74,6 +74,7 @@
                         <googledomains>Google</googledomains>
                         <he-net>HE.net</he-net>
                         <he-net-tunnel>HE.net TunnelBroker</he-net-tunnel>
+                        <inwx>INWX</inwx>
                         <namecheap>NameCheap</namecheap>
                         <noip>Noip</noip>
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 151bd52665..753ad9ddfd 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -70,6 +70,9 @@ server=dyn.dns.he.net, \
 {%            elif account.service == 'he-net-tunnel' %}
 protocol=dyndns2, \
 server=ipv4.tunnelbroker.net, \
+{%            elif account.service == 'inwx' %}
+protocol=dyndns2, \
+server=dyndns.inwx.com, \
 {%            elif account.service == 'nsupdatev4' %}
 protocol=dyndns2, \
 server=ipv4.nsupdate.info, \

From b1636198a6629bb433d0a97806bc46936fbe0044 Mon Sep 17 00:00:00 2001
From: Rene Schuster <mail@reneschuster.de>
Date: Thu, 10 Feb 2022 08:54:03 +0100
Subject: [PATCH 0957/3088] dns/ddclient add spdyn (#2827)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 00cfbef2d2..a11711fdcb 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -79,6 +79,7 @@
                         <noip>Noip</noip>
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
                         <nsupdatev6>nsupdate.info (IPv6)</nsupdatev6>
+                        <spdyn>spDYN</spdyn>
                         <strato>STRATO</strato>
                         <zoneedit1>Zoneedit</zoneedit1>
                         <custom>Custom</custom>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 753ad9ddfd..d4c6b0ecf1 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -79,6 +79,9 @@ server=ipv4.nsupdate.info, \
 {%            elif account.service == 'nsupdatev6' %}
 protocol=dyndns2, \
 server=ipv6.nsupdate.info, \
+{%            elif account.service == 'spdyn' %}
+protocol=dyndns2, \
+server=update.spdyn.de, \
 {%            elif account.service == 'strato' %}
 protocol=dyndns2, \
 server=dyndns.strato.com, \

From cb54991aca3b0d9e91aafcb8080610d6d88a05ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Feb 2022 08:22:56 +0100
Subject: [PATCH 0958/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index 401f5af5f8..750286c49a 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2015-2020 Ad Schellevis <ad@opnsense.org>
+Copyright (c) 2015-2022 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2021 Axelrtgs

From 6620212d7fbe43d482ceeced000c344d4719efc5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Feb 2022 08:24:11 +0100
Subject: [PATCH 0959/3088] dns/dnscrypt-proxy: do not break line

---
 dns/dnscrypt-proxy/pkg-descr | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 8619615eb4..cbe2d972b9 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -8,8 +8,7 @@ Plugin Changelog
 1.11
 
 * Fix DNSBL update due to FreeBSD13 upgrade (sed syntax)
-* Fix "manual disable of specific servers" when more than one server is
-  specified (contributed by Evgeny Grin (karlson2k))
+* Fix "manual disable of specific servers" when more than one server is specified (contributed by Evgeny Grin (karlson2k))
 
 1.10
 

From 0cd0919f3b8bcc2a7602b317ebf50de61be49e2d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Feb 2022 08:29:36 +0100
Subject: [PATCH 0960/3088] net/frr: fix notes and version

---
 net/frr/Makefile  | 2 +-
 net/frr/pkg-descr | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index ca8ca4dd54..026281f058 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.26
+PLUGIN_VERSION=		1.27
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index a8ef2122df..be8a211623 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,10 +11,13 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.27
+
+* Add BGP password authentication
+
 1.26
 
 * Fix Model migration errors
-* Add BGP password authentication
 
 1.25
 

From 8924d3b010f9bf60d41daf6c4f1983248b4b6496 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Feb 2022 08:33:03 +0100
Subject: [PATCH 0961/3088] sysutils/nextcloud-backup: adjust version

---
 sysutils/nextcloud-backup/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysutils/nextcloud-backup/Makefile b/sysutils/nextcloud-backup/Makefile
index dd29cd1013..146dce479f 100644
--- a/sysutils/nextcloud-backup/Makefile
+++ b/sysutils/nextcloud-backup/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nextcloud-backup
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Track config changes using NextCloud
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 

From bc37630cdf36987d1c636bbf6e3e04e9a3da2022 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Feb 2022 08:50:53 +0100
Subject: [PATCH 0962/3088] dns/ddclient: update pkg-descr

---
 dns/ddclient/pkg-descr | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 0aed7a9f65..9453dcf2e0 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -1 +1,22 @@
-Support for numerous Dynamic DNS services using ddclient
+ddclient is a Perl client used to update dynamic DNS entries for
+accounts on many dynamic DNS services.
+
+WWW: https://github.com/ddclient/ddclient
+
+Plugin Changelog
+================
+
+1.1
+
+* Add spdyn, inwx and dns-o-matic (contributed by Rene Schuster)
+* Add Hurricane Electric provider (contributed by Netboy3)
+* Add option to force SSL, on by default (contributed by Robin Mueller)
+* Add Cloudflare and custom service (contributed by Robin Mueller)
+* Add STRATO provider (contributed by Alex Mi)
+* Add use interface as IP source
+* Fix ip6only.me (contributed by Robin Mueller)
+* Fix uppercase use in usernames
+
+1.0
+
+* Initial release

From 18225b7a4ae52753258deaa1f59399f2545d7fd6 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 15 Feb 2022 10:00:21 +0100
Subject: [PATCH 0963/3088] net/freeradius: Allow LDAP in inner-tunnel  (#2626)

---
 net/freeradius/Makefile                               |  2 +-
 net/freeradius/pkg-descr                              |  4 ++++
 .../controllers/OPNsense/Freeradius/forms/ldap.xml    |  6 ++++++
 .../mvc/app/models/OPNsense/Freeradius/Ldap.xml       |  6 +++++-
 .../OPNsense/Freeradius/sites-enabled-inner-tunnel    | 11 +++++++++++
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index a98a82cb33..ec54c2893c 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.18
+PLUGIN_VERSION=		1.9.19
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index d2006a9d0d..9e2092f874 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.19
+
+* Allow to use LDAP in inner-tunnel (needed for LDAP authentication within 802.1X)
+
 1.9.18
 
 * Added support for fallback VLAN
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
index 38fa2a6508..29cb57c693 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
@@ -1,4 +1,10 @@
 <form>
+    <field>
+        <id>ldap.innertunnel</id>
+        <label>Inner-Tunnel LDAP</label>
+        <type>checkbox</type>
+        <help>This enables LDAP authentication in inner-tunnel configuration. This is needed for protocols requiring encrypted authentication like 802.1X.</help>
+    </field>
     <field>
         <id>ldap.protocol</id>
         <label>Protocol Type</label>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
index 3797eb5e5d..53b4f55b53 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
@@ -1,8 +1,12 @@
 <model>
     <mount>//OPNsense/freeradius/ldap</mount>
     <description>LDAP configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
+        <innertunnel type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </innertunnel>
         <protocol type="OptionField">
             <default>LDAPS</default>
             <Required>Y</Required>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
index 55f9879907..a7fb955358 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
@@ -155,7 +155,16 @@ authorize {
 
         #
         #  The ldap module reads passwords from the LDAP database.
+{%   if helpers.exists('OPNsense.freeradius.ldap.innertunnel') and OPNsense.freeradius.general.ldap.innertunnel == '1' %}
+        ldap
+          if ((ok || updated) && User-Password) {
+              update control {
+                  Auth-Type := ldap
+              }
+          }
+{%  else %}
         -ldap
+{%  endif %}
 
         #
         #  Enforce daily limits on time spent logged in.
@@ -242,9 +251,11 @@ authenticate {
         #  authentication server, and knows what to do with authentication.
         #  LDAP servers do not.
         #
+{%   if helpers.exists('OPNsense.freeradius.ldap.innertunnel') and OPNsense.freeradius.general.ldap.innertunnel == '1' %}
 #       Auth-Type LDAP {
 #               ldap
 #       }
+{%   endif %}
 
         #
         #  Allow EAP authentication.

From acabf8281319b6502030f6bbe1acd4f53e785412 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 15 Feb 2022 21:15:29 +0100
Subject: [PATCH 0964/3088] Update sites-enabled-inner-tunnel (#2835)

---
 .../OPNsense/Freeradius/sites-enabled-inner-tunnel          | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
index a7fb955358..838a6a3746 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
@@ -252,9 +252,9 @@ authenticate {
         #  LDAP servers do not.
         #
 {%   if helpers.exists('OPNsense.freeradius.ldap.innertunnel') and OPNsense.freeradius.general.ldap.innertunnel == '1' %}
-#       Auth-Type LDAP {
-#               ldap
-#       }
+        Auth-Type LDAP {
+                ldap
+        }
 {%   endif %}
 
         #

From 9caf5b7267af70eecc9cdfc54c7e8c7576775e38 Mon Sep 17 00:00:00 2001
From: Rene Schuster <mail@reneschuster.de>
Date: Wed, 16 Feb 2022 11:48:30 +0100
Subject: [PATCH 0965/3088] dns/ddclient add dynu (#2838)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index a11711fdcb..f375be73b0 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -70,6 +70,7 @@
                         <dnspark>DnsPark</dnspark>
                         <dslreports1>DslReports</dslreports1>
                         <duckdns>DuckDNS</duckdns>
+                        <dynu>Dynu</dynu>
                         <easydns>EasyDNS</easydns>
                         <googledomains>Google</googledomains>
                         <he-net>HE.net</he-net>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index d4c6b0ecf1..f6aa2dac64 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -64,6 +64,9 @@ zone={{account.zone}}, \
 {%            elif account.service == 'dns-o-matic' %}
 protocol=dyndns2, \
 server=updates.dnsomatic.com, \
+{%            elif account.service == 'dynu' %}
+protocol=dyndns2, \
+server=api.dynu.com, \
 {%            elif account.service == 'he-net' %}
 protocol=dyndns2, \
 server=dyn.dns.he.net, \

From 73b1443e18868b4292bc3b8b492bf9c7f2bb2d0e Mon Sep 17 00:00:00 2001
From: Rene Schuster <mail@reneschuster.de>
Date: Wed, 16 Feb 2022 20:28:55 +0100
Subject: [PATCH 0966/3088] dns/ddclient add FreeDNS (#2837)

* dns/ddclient add FreeDNS

Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com>
---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index f375be73b0..5483207244 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -72,6 +72,7 @@
                         <duckdns>DuckDNS</duckdns>
                         <dynu>Dynu</dynu>
                         <easydns>EasyDNS</easydns>
+                        <freedns>FreeDNS</freedns>
                         <googledomains>Google</googledomains>
                         <he-net>HE.net</he-net>
                         <he-net-tunnel>HE.net TunnelBroker</he-net-tunnel>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index f6aa2dac64..d5b999fd20 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -64,6 +64,9 @@ zone={{account.zone}}, \
 {%            elif account.service == 'dns-o-matic' %}
 protocol=dyndns2, \
 server=updates.dnsomatic.com, \
+{%            elif account.service == 'freedns' %}
+protocol=freedns, \
+server=freedns.afraid.org, \
 {%            elif account.service == 'dynu' %}
 protocol=dyndns2, \
 server=api.dynu.com, \

From a07e93d85f69fdc7829e30c2ada93f9aa3bf9b69 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 18 Feb 2022 09:27:54 +0100
Subject: [PATCH 0967/3088] dns/ddclient: next iteration

---
 dns/ddclient/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index d0f2042782..f622a5768d 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.1
-#PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.2
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From c526550c15bf1ad8efbaef819ed1b98daf71d286 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 18 Feb 2022 09:37:16 +0100
Subject: [PATCH 0968/3088] dns/ddclient: style sweep

---
 .../app/controllers/OPNsense/DynDNS/Api/AccountsController.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
index 2f6367856c..f02e7c039f 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
@@ -50,7 +50,7 @@ public function searchItemAction()
             }
             unset($row['use_interface']);
             if ($row['service'] == 'Custom') {
-                $row['service'] = 'Custom ('.$row['protocol'].')';
+                $row['service'] = 'Custom (' . $row['protocol'] . ')';
             }
             unset($row['protocol']);
         }

From 510d55c006ac44964a6b0be94c59b07090fb5a59 Mon Sep 17 00:00:00 2001
From: "Johnny S. Lee" <6614805+johnnyslee@users.noreply.github.com>
Date: Mon, 21 Feb 2022 15:55:21 +0800
Subject: [PATCH 0969/3088] security/stunnel: Fix connect format for IPv6
 addresses (#2852)

The current code generates conf line:
```
connect = [::1]:53
```

will end up producing the following:
```
Error resolving "[::1]": Neither nodename nor servname known (EAI_NONAME)
```

stunnel(8) states that an address parameter of an option may be either:
> ...
> A colon-separated pair of IP address (either IPv4, IPv6, or domain name)
  and port number.
> ...

which means there should not be special treatment on IPv6 addresses.
---
 .../opnsense/service/templates/OPNsense/Stunnel/stunnel.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
index 8c3ee5ecca..0d6590d383 100644
--- a/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
+++ b/security/stunnel/src/opnsense/service/templates/OPNsense/Stunnel/stunnel.conf
@@ -18,7 +18,7 @@ logId = unique
 ; **************************************************************************
 [{{service['@uuid']}}]
 accept = {% if service.accept_address %}{{service.accept_address}}:{% endif %}{{service.accept_port}}
-connect = {% if service.connect_address.find(":") > -1 %}[{{service.connect_address}}]{% else %}{{service.connect_address}}{% endif %}:{{service.connect_port}}
+connect = {{service.connect_address}}:{{service.connect_port}}
 {% if service.protocol %}
 protocol = {{service.protocol}}
 {% endif %}

From 1c701ed5b92112f2b7228b80878026215eae733b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 21 Feb 2022 15:11:12 +0100
Subject: [PATCH 0970/3088] dns/bind: fix sed usage with FBSD13 (#2857)

---
 dns/bind/Makefile                             |  2 +-
 dns/bind/pkg-descr                            |  4 ++
 .../opnsense/scripts/OPNsense/Bind/dnsbl.sh   | 48 +++++++++----------
 3 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 738804e21e..f810d13b74 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.21
+PLUGIN_VERSION=		1.22
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 0f64290fbb..465c763340 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ necessary for asking and answering name service questions.
 Plugin Changelog
 ================
 
+1.22
+
+* Fix DNS Blacklist download
+
 1.21
 
 * Add support for filter AAAA in DNS responses when A is present (contributed by Zane Chua)
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
index aac1ad92ee..9324b6b2a3 100755
--- a/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/dnsbl.sh
@@ -38,70 +38,70 @@ mkdir -p ${WORKDIR}
 easylist() {
 	# EasyList
 	${FETCH} https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt -o ${WORKDIR}/easylist-raw
-	sed "/\.$/d" ${WORKDIR}/easylist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easylist
+	sed "/\.$/d" ${WORKDIR}/easylist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easylist
 	rm ${WORKDIR}/easylist-raw
 }
 
 easyprivacy() {
 	# EasyPrivacy
 	${FETCH} https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt -o ${WORKDIR}/easyprivacy-raw
-	sed "/\.$/d" ${WORKDIR}/easyprivacy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easyprivacy
+	sed "/\.$/d" ${WORKDIR}/easyprivacy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/easyprivacy
 	rm ${WORKDIR}/easyprivacy-raw
 }
 
 pornall() {
 	# PornAll
 	${FETCH} https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list -o ${WORKDIR}/pornall-raw
-	sed "/\.$/d" ${WORKDIR}/pornall-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/pornall
+	sed "/\.$/d" ${WORKDIR}/pornall-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/pornall
 	rm ${WORKDIR}/pornall-raw
 }
 
 porntop() {
 	# PornTop1M
 	${FETCH} https://raw.githubusercontent.com/chadmayfield/pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list -o ${WORKDIR}/porntop-raw
-	sed "/\.$/d" ${WORKDIR}/porntop-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/porntop
+	sed "/\.$/d" ${WORKDIR}/porntop-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/porntop
 	rm ${WORKDIR}/porntop-raw
 }
 
 emdlist() {
 	# EMD
 	${FETCH} https://hosts-file.net/emd.txt -o ${WORKDIR}/emdlist-raw
-	sed "/\.$/d" ${WORKDIR}/emdlist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/emdlist
+	sed "/\.$/d" ${WORKDIR}/emdlist-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/emdlist
 	rm ${WORKDIR}/emdlist-raw
 }
 
 adguard() {
 	# AdGuard
 	${FETCH} https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt -o ${WORKDIR}/adguard-raw
-	sed "/\.$/d" ${WORKDIR}/adguard-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/adguard
+	sed "/\.$/d" ${WORKDIR}/adguard-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/adguard
 	rm ${WORKDIR}/adguard-raw
 }
 
 nocoin() {
 	# NoCoin
 	${FETCH} https://justdomains.github.io/blocklists/lists/nocoin-justdomains.txt -o ${WORKDIR}/nocoin-raw
-	sed "/\.$/d" ${WORKDIR}/nocoin-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/nocoin
+	sed "/\.$/d" ${WORKDIR}/nocoin-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/nocoin
 	rm ${WORKDIR}/nocoin-raw
 }
 
 rwtracker() {
 	# RansomWare Tracker abuse.ch
 	${FETCH} https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt -o ${WORKDIR}/rwtracker-raw
-	sed "/\.$/d" ${WORKDIR}/rwtracker-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/rwtracker
+	sed "/\.$/d" ${WORKDIR}/rwtracker-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/rwtracker
 	rm ${WORKDIR}/rwtracker-raw
 }
 
 mwdomains() {
 	# MalwareDomains
 	${FETCH} http://malwaredomains.lehigh.edu/files/justdomains -o ${WORKDIR}/malwaredomains-raw
-	sed "/\.$/d" ${WORKDIR}/malwaredomains-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/malwaredomains
+	sed "/\.$/d" ${WORKDIR}/malwaredomains-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/malwaredomains
 	rm ${WORKDIR}/malwaredomains-raw
 }
 
 windowsspyblockerspy() {
 	# WindowsSpyBlocker (spy)
 	${FETCH} https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt -o ${WORKDIR}/windowsspyblockerspy-raw
-	sed "/\.$/d" ${WORKDIR}/windowsspyblockerspy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerspy
+	sed "/\.$/d" ${WORKDIR}/windowsspyblockerspy-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerspy
 	rm ${WORKDIR}/windowsspyblockerspy-raw
 }
 
@@ -115,98 +115,98 @@ windowsspyblockerupdate() {
 windowsspyblockerextra() {
 	# WindowsSpyBlocker (extra)
 	${FETCH} https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt -o ${WORKDIR}/windowsspyblockerextra-raw
-	sed "/\.$/d" ${WORKDIR}/windowsspyblockerextra-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerextra
+	sed "/\.$/d" ${WORKDIR}/windowsspyblockerextra-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/windowsspyblockerextra
 	rm ${WORKDIR}/windowsspyblockerextra-raw
 }
 
 cameleon() {
 	# Cameleon List
 	${FETCH} http://sysctl.org/cameleon/hosts -o ${WORKDIR}/cameleon-raw
-	sed "/\.$/d" ${WORKDIR}/cameleon-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/cameleon
+	sed "/\.$/d" ${WORKDIR}/cameleon-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/cameleon
 	rm ${WORKDIR}/cameleon-raw
 }
 
 adaway() {
 	# AdAway List
 	${FETCH} https://adaway.org/hosts.txt -o ${WORKDIR}/adaway-raw
-	sed "/\.$/d" ${WORKDIR}/adaway-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/adaway
+	sed "/\.$/d" ${WORKDIR}/adaway-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/adaway
 	rm ${WORKDIR}/adaway-raw
 }
 
 yoyo() {
 	# YoYo List
 	${FETCH} "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext" -o ${WORKDIR}/yoyo-raw
-	sed "/\.$/d" ${WORKDIR}/yoyo-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/yoyo
+	sed "/\.$/d" ${WORKDIR}/yoyo-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/yoyo
 	rm ${WORKDIR}/yoyo-raw
 }
 
 stevenblack() {
         # StevenBlack
         ${FETCH} https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts -o ${WORKDIR}/stevenblack-raw
-        sed "/\.$/d" ${WORKDIR}/stevenblack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/stevenblack
+        sed "/\.$/d" ${WORKDIR}/stevenblack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/stevenblack
         rm ${WORKDIR}/stevenblack-raw
 }
 
 blocklistads() {
         # Blocklist.site Ads
         ${FETCH} https://blocklistproject.github.io/Lists/ads.txt -o ${WORKDIR}/blocklistads-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistads
+        sed "/\.$/d" ${WORKDIR}/blocklistads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistads
         rm ${WORKDIR}/blocklistads-raw
 }
 
 blocklistfraud() {
         # Blocklist.site Fraud
         ${FETCH} https://blocklistproject.github.io/Lists/fraud.txt -o ${WORKDIR}/blocklistfraud-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistfraud-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistfraud
+        sed "/\.$/d" ${WORKDIR}/blocklistfraud-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistfraud
         rm ${WORKDIR}/blocklistfraud-raw
 }
 
 blocklistphishing() {
         # Blocklist.site Phishing
         ${FETCH} https://blocklistproject.github.io/Lists/phishing.txt -o ${WORKDIR}/blocklistphishing-raw
-        sed "/\.$/d" ${WORKDIR}/blocklistphishing-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistphishing
+        sed "/\.$/d" ${WORKDIR}/blocklistphishing-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/127\.0\.0\.1/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" > ${WORKDIR}/blocklistphishing
         rm ${WORKDIR}/blocklistphishing-raw
 }
 
 hphosts-ads() {
         # hphosts-ads
         ${FETCH} https://hosts-file.net/ad_servers.txt -o ${WORKDIR}/hphosts-ads-raw
-        sed "/\.$/d" ${WORKDIR}/hphosts-ads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-ads
+        sed "/\.$/d" ${WORKDIR}/hphosts-ads-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-ads
         rm ${WORKDIR}/hphosts-ads-raw
 }
 
 hphosts-fsa() {
         # hphosts-fsa
         ${FETCH} https://hosts-file.net/fsa.txt -o ${WORKDIR}/hphosts-fsa-raw
-        sed "/\.$/d" ${WORKDIR}/hphosts-fsa-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-fsa
+        sed "/\.$/d" ${WORKDIR}/hphosts-fsa-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-fsa
         rm ${WORKDIR}/hphosts-fsa-raw
 }
 
 hphosts-psh() {
         # hphosts-psh
         ${FETCH} https://hosts-file.net/psh.txt -o ${WORKDIR}/hphosts-psh-raw
-        sed "/\.$/d" ${WORKDIR}/hphosts-psh-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-psh
+        sed "/\.$/d" ${WORKDIR}/hphosts-psh-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-psh
         rm ${WORKDIR}/hphosts-psh-raw
 }
 
 hphosts-pup() {
         # hphosts-pup
         ${FETCH} https://hosts-file.net/pup.txt -o ${WORKDIR}/hphosts-pup-raw
-        sed "/\.$/d" ${WORKDIR}/hphosts-pup-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-pup
+        sed "/\.$/d" ${WORKDIR}/hphosts-pup-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" | sed "/localhost/d" | sed "/255\.255\.255\.255/d" | sed "/\:\:1/d" | sed "/fe80\:\:1/d" | sed "/ff00\:\:/d" | sed "/ff02\:\:/d" | sed "/0\.0\.0\.0 0\.0\.0\.0/d" | tr -d '\r' | awk 'BEGIN{FS=OFS=" ";}{print $2;}' > ${WORKDIR}/hphosts-pup
         rm ${WORKDIR}/hphosts-pup-raw
 }
 
 simplead() {
 	# Simple Ad List
 	${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt -o ${WORKDIR}/simplead-raw
-	sed "/\.$/d" ${WORKDIR}/simplead-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simplead
+	sed "/\.$/d" ${WORKDIR}/simplead-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simplead
 	rm ${WORKDIR}/simplead-raw
 }
 
 simpletrack() {
 	# Simple Tracking List
 	${FETCH} https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt -o ${WORKDIR}/simpletrack-raw
-	sed "/\.$/d" ${WORKDIR}/simpletrack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^\s*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simpletrack
+	sed "/\.$/d" ${WORKDIR}/simpletrack-raw | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/simpletrack
 	rm ${WORKDIR}/simpletrack-raw
 }
 

From 1407b4be48154743b55030b11ce5dcc993149246 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 1 Mar 2022 09:58:39 +0100
Subject: [PATCH 0971/3088] dns/ddclient - allow root zones and wildcards.
 closes https://github.com/opnsense/plugins/issues/2849

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 5483207244..87cad2655c 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -111,6 +111,9 @@
                 <hostnames type="HostnameField">
                     <Required>Y</Required>
                     <IpAllowed>N</IpAllowed>
+                    <HostWildcardAllowed>Y</HostWildcardAllowed>
+                    <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
+                    <ZoneRootAllowed>Y</ZoneRootAllowed>
                     <AsList>Y</AsList>
                     <FieldSeparator>,</FieldSeparator>
                 </hostnames>

From 6a6882e051ec8d5374c1f8e2f31550874b46ec4d Mon Sep 17 00:00:00 2001
From: Rene Schuster <mail@reneschuster.de>
Date: Wed, 23 Feb 2022 09:16:48 +0100
Subject: [PATCH 0972/3088] dns/ddclient add DNS Made Easy

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml      | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf  | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 87cad2655c..e99da62469 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -65,6 +65,7 @@
                     <OptionValues>
                         <changeip>Changeip</changeip>
                         <cloudflare>Cloudflare</cloudflare>
+                        <dnsmadeeasy>DNS Made Easy</dnsmadeeasy>
                         <dns-o-matic>DNS-O-Matic</dns-o-matic>
                         <dyndns2>DynDNS.com</dyndns2>
                         <dnspark>DnsPark</dnspark>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index d5b999fd20..fe8dbf2f0e 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -61,6 +61,8 @@ server={{account.server}}, \
 {%            elif account.service == 'cloudflare' %}
 protocol=cloudflare, \
 zone={{account.zone}}, \
+{%            elif account.service == 'dnsmadeeasy' %}
+protocol=dnsmadeeasy, \
 {%            elif account.service == 'dns-o-matic' %}
 protocol=dyndns2, \
 server=updates.dnsomatic.com, \

From 5cc6f76eab4a66515600f7376c5bcf8f0eaad70f Mon Sep 17 00:00:00 2001
From: Johan Lilja <SPY6000@users.noreply.github.com>
Date: Tue, 1 Mar 2022 10:04:01 +0100
Subject: [PATCH 0973/3088] dns/ddclient add Loopia (#2858)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index e99da62469..9b559cc664 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -78,6 +78,7 @@
                         <he-net>HE.net</he-net>
                         <he-net-tunnel>HE.net TunnelBroker</he-net-tunnel>
                         <inwx>INWX</inwx>
+                        <loopia>Loopia</loopia>
                         <namecheap>NameCheap</namecheap>
                         <noip>Noip</noip>
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index fe8dbf2f0e..a09ef011b7 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -81,6 +81,9 @@ server=ipv4.tunnelbroker.net, \
 {%            elif account.service == 'inwx' %}
 protocol=dyndns2, \
 server=dyndns.inwx.com, \
+{%            elif account.service == 'loopia' %}
+protocol=dyndns2, \
+server=dyndns.loopia.se, \
 {%            elif account.service == 'nsupdatev4' %}
 protocol=dyndns2, \
 server=ipv4.nsupdate.info, \

From 8c253fee031aec0ab65bdf7b674ab894c1f6c991 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Mar 2022 10:04:56 +0100
Subject: [PATCH 0974/3088] security/stunnel: bump version

---
 security/stunnel/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 6ddef16665..87786dae30 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		stunnel
-PLUGIN_VERSION=		1.0.3
+PLUGIN_VERSION=		1.0.4
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel

From 698d8164342f207ea4e964bdb524526de40bb333 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Mar 2022 10:11:20 +0100
Subject: [PATCH 0975/3088] dns/ddclient: changelog updates

---
 dns/ddclient/pkg-descr | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 9453dcf2e0..545d537f46 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,12 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.2
+
+* Add Loopia (contributed by Johan Lilja)
+* Add DNS Made Easy, FreeDNS and Dynu (contributed by Rene Schuster)
+* Add root zone and wildcard support
+
 1.1
 
 * Add spdyn, inwx and dns-o-matic (contributed by Rene Schuster)

From b0fcd8230534b015bf24b346f3b1693b3ba82333 Mon Sep 17 00:00:00 2001
From: c-goes <cgo@posteo.de>
Date: Mon, 7 Mar 2022 11:40:12 +0100
Subject: [PATCH 0976/3088] net/freeradius: Fix template for
 sites-enabled-inner-tunnel (#2881)

---
 .../templates/OPNsense/Freeradius/sites-enabled-inner-tunnel  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
index 838a6a3746..3665e1ffa5 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/sites-enabled-inner-tunnel
@@ -155,7 +155,7 @@ authorize {
 
         #
         #  The ldap module reads passwords from the LDAP database.
-{%   if helpers.exists('OPNsense.freeradius.ldap.innertunnel') and OPNsense.freeradius.general.ldap.innertunnel == '1' %}
+{%   if helpers.exists('OPNsense.freeradius.ldap.innertunnel') and OPNsense.freeradius.ldap.innertunnel == '1' %}
         ldap
           if ((ok || updated) && User-Password) {
               update control {
@@ -251,7 +251,7 @@ authenticate {
         #  authentication server, and knows what to do with authentication.
         #  LDAP servers do not.
         #
-{%   if helpers.exists('OPNsense.freeradius.ldap.innertunnel') and OPNsense.freeradius.general.ldap.innertunnel == '1' %}
+{%   if helpers.exists('OPNsense.freeradius.ldap.innertunnel') and OPNsense.freeradius.ldap.innertunnel == '1' %}
         Auth-Type LDAP {
                 ldap
         }

From d408dbb6487f6316ec38e868d59fea00320323a8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 13 Mar 2022 17:38:28 +0100
Subject: [PATCH 0977/3088] dns/ddclient - move checkip properties from general
 settings to account and implement interface selection using curl. closes
 https://github.com/opnsense/plugins/issues/2863

o adds migration taking previous use_interface toggle into account
o embed fetch address into new script /usr/local/opnsense/scripts/ddclient/checkip
o guess protocol as the result can't contain two addresses anyway (service determines protocol)
o add OVH, provided by @toxic0berliner
---
 dns/ddclient/Makefile                         |  2 +-
 dns/ddclient/pkg-descr                        |  5 ++
 .../DynDNS/Api/AccountsController.php         |  4 -
 .../OPNsense/DynDNS/forms/dialogAccount.xml   | 14 +++-
 .../OPNsense/DynDNS/forms/settings.xml        | 19 -----
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 64 +++++++-------
 .../OPNsense/DynDNS/Migrations/M1_2_0.php     | 70 ++++++++++++++++
 .../mvc/app/views/OPNsense/DynDNS/index.volt  | 12 +--
 .../src/opnsense/scripts/ddclient/checkip     | 84 +++++++++++++++++++
 .../templates/OPNsense/ddclient/ddclient.conf | 53 +++---------
 10 files changed, 209 insertions(+), 118 deletions(-)
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Migrations/M1_2_0.php
 create mode 100755 dns/ddclient/src/opnsense/scripts/ddclient/checkip

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f622a5768d..d4f5a19148 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 545d537f46..0fedfce731 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.3
+
+* Add checkip settings per account using selected source interface when provided
+* Add OVH DynHost to the DynDNS providers
+
 1.2
 
 * Add Loopia (contributed by Johan Lilja)
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
index f02e7c039f..08c21b694c 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
@@ -45,10 +45,6 @@ public function searchItemAction()
             "description"
         );
         foreach ($result['rows'] as &$row) {
-            if ($row['use_interface'] == "0") {
-                $row['interface'] = "";
-            }
-            unset($row['use_interface']);
             if ($row['service'] == 'Custom') {
                 $row['service'] = 'Custom (' . $row['protocol'] . ')';
             }
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index dd0b6f0ae4..020d202166 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -60,14 +60,20 @@
         <help>Hostname to update</help>
     </field>
     <field>
-        <id>account.use_interface</id>
-        <label>Use interface IP</label>
+        <id>account.checkip</id>
+        <label>Check ip method</label>
+        <type>dropdown</type>
+        <help>How to determine the address to use for this host</help>
+    </field>
+    <field>
+        <id>account.force_ssl</id>
+        <label>Force SSL</label>
         <type>checkbox</type>
-        <help>Use the IP of a specified interface for the update</help>
+        <help>Force update using HTTPS</help>
     </field>
     <field>
         <id>account.interface</id>
-        <label>Interface</label>
+        <label>Interface to monitor</label>
         <type>dropdown</type>
     </field>
     <field>
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
index 0a54f0a61b..9d67554115 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -12,29 +12,10 @@
         <advanced>true</advanced>
         <help>Enable verbose logging</help>
     </field>
-    <field>
-        <id>ddclient.general.force_ssl</id>
-        <label>Force SSL</label>
-        <type>checkbox</type>
-        <advanced>true</advanced>
-        <help>Force update using HTTPS</help>
-    </field>
     <field>
         <id>ddclient.general.daemon_delay</id>
         <label>Interval</label>
         <type>text</type>
         <help>Interval in seconds to check for address changes</help>
     </field>
-    <field>
-        <id>ddclient.general.checkip</id>
-        <label>Check ip method</label>
-        <type>dropdown</type>
-        <help>How to determine the address to use for this host</help>
-    </field>
-    <field>
-        <id>ddclient.general.interface</id>
-        <label>Interface</label>
-        <type>dropdown</type>
-        <style>optional_setting checkip_if</style>
-    </field>
 </form>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 9b559cc664..eb367952fe 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/DynDNS</mount>
-    <version>1.1.0</version>
+    <version>1.2.0</version>
     <description>
         Dynamic DNS client
     </description>
@@ -14,44 +14,12 @@
                 <default>0</default>
                 <Required>Y</Required>
             </verbose>
-            <force_ssl type="BooleanField">
-                <default>1</default>
-                <Required>Y</Required>
-            </force_ssl>
             <daemon_delay type="IntegerField">
                 <default>300</default>
                 <Required>Y</Required>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>86400</MaximumValue>
             </daemon_delay>
-            <checkip type="OptionField">
-                <Required>Y</Required>
-                <default>web_dyndns</default>
-                <ValidationMessage>An IP service type is required.</ValidationMessage>
-                <OptionValues>
-                    <web_dyndns>dyndns</web_dyndns>
-                    <web_freedns>freedns</web_freedns>
-                    <web_googledomains>googledomains</web_googledomains>
-                    <web_he>he</web_he>
-                    <web_ip4only_me value="web_ip4only.me">ip4only.me</web_ip4only_me>
-                    <web_ip6only_me value="web_ip6only.me">ip6only.me</web_ip6only_me>
-                    <web_ipify_ipv4 value="web_ipify-ipv4">ipify-ipv4</web_ipify_ipv4>
-                    <web_ipify_ipv6 value="web_ipify-ipv6">ipify-ipv6</web_ipify_ipv6>
-                    <web_loopia>loopia</web_loopia>
-                    <web_myonlineportal>myonlineportal</web_myonlineportal>
-                    <web_noip_ipv4 value="web_noip-ipv4">noip-ipv4</web_noip_ipv4>
-                    <web_noip_ipv6 value="web_noip-ipv6">noip-ipv6</web_noip_ipv6>
-                    <web_nsupdate_info_ipv4 value="web_nsupdate.info-ipv4">nsupdate.info-ipv4</web_nsupdate_info_ipv4>
-                    <web_nsupdate_info_ipv6 value="web_nsupdate.info-ipv6">nsupdate.info-ipv6</web_nsupdate_info_ipv6>
-                    <web_zoneedit>zoneedit</web_zoneedit>
-                    <if>Interface</if>
-                </OptionValues>
-            </checkip>
-            <interface type="InterfaceField">
-                <Required>N</Required>
-                <multiple>N</multiple>
-                <default>wan</default>
-            </interface>
         </general>
         <accounts>
             <account type="ArrayField">
@@ -86,6 +54,7 @@
                         <spdyn>spDYN</spdyn>
                         <strato>STRATO</strato>
                         <zoneedit1>Zoneedit</zoneedit1>
+                        <ovh>OVH DynHost</ovh>
                         <custom>Custom</custom>
                     </OptionValues>
                 </service>
@@ -127,10 +96,33 @@
                     <Required>N</Required>
                     <IpAllowed>N</IpAllowed>
                 </zone>
-                <use_interface type="BooleanField">
-                    <default>0</default>
+                <checkip type="OptionField">
+                    <Required>Y</Required>
+                    <default>web_dyndns</default>
+                    <ValidationMessage>An IP service type is required.</ValidationMessage>
+                    <OptionValues>
+                        <web_dyndns>dyndns</web_dyndns>
+                        <web_freedns>freedns</web_freedns>
+                        <web_googledomains>googledomains</web_googledomains>
+                        <web_he>he</web_he>
+                        <web_ip4only_me value="web_ip4only.me">ip4only.me</web_ip4only_me>
+                        <web_ip6only_me value="web_ip6only.me">ip6only.me</web_ip6only_me>
+                        <web_ipify_ipv4 value="web_ipify-ipv4">ipify-ipv4</web_ipify_ipv4>
+                        <web_ipify_ipv6 value="web_ipify-ipv6">ipify-ipv6</web_ipify_ipv6>
+                        <web_loopia>loopia</web_loopia>
+                        <web_myonlineportal>myonlineportal</web_myonlineportal>
+                        <web_noip_ipv4 value="web_noip-ipv4">noip-ipv4</web_noip_ipv4>
+                        <web_noip_ipv6 value="web_noip-ipv6">noip-ipv6</web_noip_ipv6>
+                        <web_nsupdate_info_ipv4 value="web_nsupdate.info-ipv4">nsupdate.info-ipv4</web_nsupdate_info_ipv4>
+                        <web_nsupdate_info_ipv6 value="web_nsupdate.info-ipv6">nsupdate.info-ipv6</web_nsupdate_info_ipv6>
+                        <web_zoneedit>zoneedit</web_zoneedit>
+                        <if>Interface</if>
+                    </OptionValues>
+                </checkip>
+                <force_ssl type="BooleanField">
+                    <default>1</default>
                     <Required>Y</Required>
-                </use_interface>
+                </force_ssl>
                 <interface type="InterfaceField">
                     <Required>N</Required>
                     <multiple>N</multiple>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Migrations/M1_2_0.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Migrations/M1_2_0.php
new file mode 100644
index 0000000000..339c9c98d2
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/Migrations/M1_2_0.php
@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DynDNS\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Config;
+
+class M1_2_0 extends BaseModelMigration
+{
+    /**
+     * Migrate older models into shared model
+     * @param $model
+     */
+    public function run($model)
+    {
+        $config = Config::getInstance()->object();
+
+        if (empty($config->OPNsense->DynDNS)) {
+            return;
+        }
+
+        // migration will move these settings, extract datapoints from raw config
+        $checkip =  (string)$config->OPNsense->DynDNS->general->checkip;
+        $interface = $checkip == "if" ? (string)$config->OPNsense->DynDNS->general->interface : "";
+        $force_ssl = (string)$config->OPNsense->DynDNS->general->force_ssl;
+        $pre_account = [];
+        if (!empty($config->OPNsense->DynDNS->accounts->account)) {
+            foreach ($config->OPNsense->DynDNS->accounts->account as $account) {
+                $pre_account[(string)$account->attributes()['uuid']] = [
+                    "checkip" => !empty($account->use_interface) ? "if" : $checkip,
+                    "interface" => !empty($account->use_interface) ? (string)$account->interface : $interface
+                ];
+            }
+        }
+
+        // update accounts
+        foreach ($model->accounts->account->iterateItems() as $account) {
+            $uuid =  $account->getAttributes()['uuid'];
+            $account->checkip = $pre_account[$uuid]['checkip'];
+            $account->interface = $pre_account[$uuid]['interface'];
+            $account->force_ssl = $force_ssl;
+        }
+    }
+}
diff --git a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
index c60d789495..d8f64ad272 100644
--- a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
+++ b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
@@ -67,19 +67,8 @@ POSSIBILITY OF SUCH DAMAGE.
                 }
             });
         });
-        $("#account\\.use_interface").change(function(){
-            if ($(this).is(':checked')) {
-                $("#account\\.interface").prop( "disabled", false );
-                $("#account\\.interface").closest("tr").show();
-            } else {
-                $("#account\\.interface").closest("tr").hide();
-                $("#account\\.interface").prop( "disabled", true );
-            }
-            $('#account\\.interface').selectpicker('refresh');
-        });
         $('#DialogAccount').on('shown.bs.modal', function (e) {
             $("#account\\.service").change();
-            $("#account\\.use_interface").change();
         });
 
         $("#ddclient\\.general\\.checkip").change(function(){
@@ -113,6 +102,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="service" data-type="string">{{ lang._('Service') }}</th>
+                <th data-column-id="hostnames" data-type="string">{{ lang._('Hostnames') }}</th>
                 <th data-column-id="username" data-type="string">{{ lang._('Username') }}</th>
                 <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/checkip b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
new file mode 100755
index 0000000000..af6d07f05d
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
@@ -0,0 +1,84 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2022 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import argparse
+import subprocess
+import re
+import ipaddress
+
+service_list = {
+  'dyndns': '%s://checkip.dyndns.org/',
+  'freedns': '%s://freedns.afraid.org/dynamic/check.php',
+  'googledomains': '%s://domains.google.com/checkip',
+  'he': '%s://checkip.dns.he.net/',
+  'ip4only.me': '%s://ip4only.me/api/',
+  'ip6only.me': '%s://ip6only.me/api/',
+  'ipify-ipv4': '%s://api.ipify.org/',
+  'ipify-ipv6': '%s://api6.ipify.org/',
+  'loopia': '%s://dns.loopia.se/checkip/checkip.php',
+  'myonlineportal': '%s://myonlineportal.net/checkip',
+  'noip-ipv4': '%s://ip1.dynupdate.no-ip.com/',
+  'noip-ipv6': '%s://ip1.dynupdate6.no-ip.com/',
+  'nsupdate.info-ipv4': '%s://ipv4.nsupdate.info/myip',
+  'nsupdate.info-ipv6': '%s://ipv6.nsupdate.info/myip',
+  'zoneedit': '%s://dynamic.zoneedit.com/checkip.html'
+}
+
+
+def extract_address(txt):
+    """ Extract first IPv4 or IPv6 address from provided string
+        :param txt: text blob
+        :return: str
+    """
+    for regexp in [r'[^a-fA-F0-9\:]', r'[^F0-9\.]']:
+        for line in re.sub(regexp, ' ', txt).split():
+            if line.count('.') == 3 or line.count(':') > 4:
+                try:
+                    ipaddress.ip_address(line)
+                    return line
+                except ValueError:
+                    pass
+
+if __name__ == '__main__':
+    # handle parameters
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-s', '--service', help='service name', choices=service_list.keys(), required=True)
+    parser.add_argument('-i', '--interface', help='interface', type=str, default='')
+    parser.add_argument('-t', '--tls', help='enforce tls', choices=['0', '1'], default='0')
+    inputargs = parser.parse_args()
+
+    # use curl to fetch data, so we can optionally use "--interface"
+    params = ['/usr/local/bin/curl']
+    if inputargs.interface.strip() != "":
+        params.append("--interface")
+        params.append(inputargs.interface)
+
+    proto = 'http' if inputargs.tls == "0" else 'https'
+    params.append(service_list[inputargs.service] % proto)
+
+    result = subprocess.run(params, capture_output=True, text=True).stdout
+    print (extract_address(result))
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index a09ef011b7..71d3f19728 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -2,58 +2,22 @@
 daemon={{OPNsense.DynDNS.general.daemon_delay|default('300')}}
 syslog=yes                  # log update msgs to syslog
 pid=/var/run/ddclient.pid   # record PID in file.
-{% if not helpers.empty('OPNsense.DynDNS.general.force_ssl') %}
-ssl=yes
-{% endif %}
 {% if not helpers.empty('OPNsense.DynDNS.general.verbose') %}
 verbose=yes
 {% endif %}
 
-#
-# setup how we expect to retrieve an IP address
-#
-{%  if not helpers.empty('OPNsense.DynDNS.general.checkip') %}
-{%    set checkip = OPNsense.DynDNS.general.checkip %}
-{%    if checkip == 'if' and OPNsense.DynDNS.general.interface|default('') != '' %}
-use=if, if={{physical_interface(OPNsense.DynDNS.general.interface)}}
-{%    elif checkip == 'web_dyndns' %}
-use=web, web=http://checkip.dyndns.org/, web-skip="Current IP Address:"
-{%    elif checkip == 'web_freedns' %}
-use=web, web=https://freedns.afraid.org/dynamic/check.php
-{%    elif checkip == 'web_googledomains' %}
-use=web, web=https://domains.google.com/checkip
-{%    elif checkip == 'web_he' %}
-use=web, web=http://checkip.dns.he.net/
-{%    elif checkip == 'web_ip4only.me' %}
-use=web, web=http://ip4only.me/api/
-{%    elif checkip == 'web_ip6only.me' %}
-use=web, web=http://ip6only.me/api/
-{%    elif checkip == 'web_ipify-ipv4' %}
-use=web, web=https://api.ipify.org/
-{%    elif checkip == 'web_ipify-ipv6' %}
-use=web, web=https://api6.ipify.org/
-{%    elif checkip == 'web_loopia' %}
-use=web, web=http://dns.loopia.se/checkip/checkip.php, web-skip="Current IP Address:"
-{%    elif checkip == 'web_myonlineportal' %}
-use=web, web=https://myonlineportal.net/checkip
-{%    elif checkip == 'web_noip-ipv4' %}
-use=web, web=http://ip1.dynupdate.no-ip.com/
-{%    elif checkip == 'web_noip-ipv6' %}
-use=web, web=http://ip1.dynupdate6.no-ip.com/
-{%    elif checkip == 'web_nsupdate.info-ipv4' %}
-use=web, web=https://ipv4.nsupdate.info/myip
-{%    elif checkip == 'web_nsupdate.info-ipv6' %}
-use=web, web=https://ipv6.nsupdate.info/myip
-{%    elif checkip == 'web_zoneedit' %}
-use=web, web=http://dynamic.zoneedit.com/checkip.html
-{%    endif %}
-{%  endif %}
 
 {%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
 {%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
 {%        if account.enabled|default('0') == '1' %}
-{%            if account.use_interface|default('0') == '1' %}
+{%            if account.checkip == 'if' %}
 use=if, if={{physical_interface(account.interface)}}, \
+{%            elif account.checkip.startswith('web_') %}
+{%                if account.interface %}
+use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i {{physical_interface(account.interface)}} -t {{account.force_ssl}} -s {{account.checkip[4:]}}",
+{%                else %}
+use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t {{account.force_ssl}} -s {{account.checkip[4:]}}",
+{%                endif %}
 {%            endif %}
 {%            if account.service == 'custom' %}
 protocol={{account.protocol}}, \
@@ -96,6 +60,9 @@ server=update.spdyn.de, \
 {%            elif account.service == 'strato' %}
 protocol=dyndns2, \
 server=dyndns.strato.com, \
+{%            elif account.service == 'ovh' %}
+protocol=dyndns2, \
+server=www.ovh.com, \
 {%            else %}
 protocol={{account.service}}, \
 {%            endif %}

From ff9a7211aa55d3930d0b1ad6ea2bc9b4574a5a88 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Mar 2022 08:10:38 +0100
Subject: [PATCH 0978/3088] net/freeradius: bump after fix

---
 net/freeradius/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index ec54c2893c..9758324361 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.19
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 9351dec807c72669c216f1cd108d6d67affe67b8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Mar 2022 08:11:52 +0100
Subject: [PATCH 0979/3088] dns/ddclient: complete release notes

---
 dns/ddclient/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 0fedfce731..ea6c82a0d4 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,7 +9,7 @@ Plugin Changelog
 1.3
 
 * Add checkip settings per account using selected source interface when provided
-* Add OVH DynHost to the DynDNS providers
+* Add OVH DynHost to the DynDNS providers (contributed by toxic0berliner)
 
 1.2
 

From a5fee43df97469293598311ddbc3c0a9fdcb680d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Thu, 17 Mar 2022 16:10:38 +0100
Subject: [PATCH 0980/3088] Themes Cicada/Vicuna - color fix (#2840)

* dropdown >> warning >> multiselect color fix
---
 misc/theme-cicada/Makefile                        |  4 ++--
 .../themes/cicada/assets/stylesheets/main.scss    | 15 ++++++++++-----
 .../opnsense/www/themes/cicada/build/css/main.css | 14 +++++++++-----
 misc/theme-vicuna/Makefile                        |  4 ++--
 .../themes/vicuna/assets/stylesheets/main.scss    | 13 +++++++++----
 .../opnsense/www/themes/vicuna/build/css/main.css | 12 ++++++++----
 6 files changed, 40 insertions(+), 22 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index f2a49f3d47..28029063c3 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.28
-PLUGIN_COMMENT=		The cicada theme - dark grey
+PLUGIN_VERSION=		1.29
+PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
 
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index bd810ace9d..87ccc9c4cb 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -7189,12 +7189,13 @@ a.label {
 }
 
 .label-info {
-  background-color: #B0CDDB;
+  background-color: #292929;
+  border: 1px solid #191919;
 
   &[href] {
     &:hover, &:focus {
-      background-color: #8db7cb;
-      border-color: #323232;
+      background-color: #292929;
+      border: 1px solid #191919;
     }
   }
 }
@@ -8810,9 +8811,13 @@ button.close {
   font-size: 14px;
   font-weight: normal;
   line-height: 18px;
-  background-color: #f7f7f7;
-  border-bottom: 1px solid #ebebeb;
+  background-color: #2a2a2a;
+  border-bottom: 1px solid #191919;
   border-radius: 5px 5px 0 0;
+
+  > a:hover {
+    text-decoration: none;
+  }
 }
 
 .popover-content {
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 41b44822a9..db0add871f 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -4240,10 +4240,11 @@ a.label:hover, a.label:focus {
 
 
 .label-info {
-  background-color: #B0CDDB; }
+  background-color: #292929;
+  border: 1px solid #191919;  }
   .label-info[href]:hover, .label-info[href]:focus {
-    background-color: #8db7cb;
-	border-color: #323232;	}
+    background-color: #292929;
+	border: 1px solid #191919;	}
 
 
 .label-warning {
@@ -5243,9 +5244,12 @@ button.close {
   font-size: 14px;
   font-weight: normal;
   line-height: 18px;
-  background-color: #f7f7f7;
-  border-bottom: 1px solid #ebebeb;
+  background-color: #2a2a2a;
+  border-bottom: 1px solid #191919;
   border-radius: 5px 5px 0 0; }
+  
+.popover-title > a:hover {
+  text-decoration: none; }
 
 .popover-content {
   padding: 9px 14px; }
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 58d940a985..65a1f27a3e 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.4
-PLUGIN_COMMENT=		The vicuna theme - dark anthrazit
+PLUGIN_VERSION=		1.41
+PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
 
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 0ef531fdf7..10204d6e8b 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -7291,12 +7291,13 @@ a.label {
 }
 
 .label-info {
-  background-color: #B0CDDB;
+  background-color: #21303a;
+  border: 1px solid #191919;
 
   &[href] {
     &:hover, &:focus {
       background-color: #8db7cb;
-      border-color: #191919;
+      border: 1px solid #191919;
     }
   }
 }
@@ -8915,9 +8916,13 @@ button.close {
   font-size: 14px;
   font-weight: normal;
   line-height: 18px;
-  background-color: #f7f7f7;
-  border-bottom: 1px solid #ebebeb;
+  background-color: #19252d;
+  border-bottom: 1px solid #181919;
   border-radius: 5px 5px 0 0;
+
+  > a:hover {
+    text-decoration: none;
+  }
 }
 
 .popover-content {
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 5fc68c4414..523d5749d9 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -4217,10 +4217,11 @@ a.label:hover, a.label:focus {
 
 
 .label-info {
-  background-color: #B0CDDB; }
+  background-color: #21303a;
+  border: 1px solid #191919; }
   .label-info[href]:hover, .label-info[href]:focus {
     background-color: #8db7cb;
-	border-color: #191919;	}
+	border: 1px solid #191919;	}
 
 
 .label-warning {
@@ -5221,10 +5222,13 @@ button.close {
   font-size: 14px;
   font-weight: normal;
   line-height: 18px;
-  background-color: #f7f7f7;
-  border-bottom: 1px solid #ebebeb;
+  background-color: #19252d;
+  border-bottom: 1px solid #181919;
   border-radius: 5px 5px 0 0; }
 
+.popover-title > a:hover {
+  text-decoration: none; }
+
 .popover-content {
   padding: 9px 14px; }
 

From 09d2b21b09b42a5ab15fd39b1a783f8887f59785 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 18 Mar 2022 13:50:22 +0100
Subject: [PATCH 0981/3088] dns/ddclient - missing ssl=yes phrase, closes
 https://github.com/opnsense/plugins/issues/2894

---
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 71d3f19728..08b5eb16e5 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -72,6 +72,9 @@ wildcard=yes, \
 {%            if account.username %}
 login={{account.username}}, \
 {%            endif %}
+{%        if account.force_ssl|default('0') == '1' %}
+ssl=yes, \
+{%        endif %}
 password={{account.password}} \
 {{account.hostnames}}
 

From abc8b4a832a298e8dd607628be0cc70fc44078c1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 18 Mar 2022 15:29:12 +0100
Subject: [PATCH 0982/3088] Revert "dns/ddclient - missing ssl=yes phrase,
 closes https://github.com/opnsense/plugins/issues/2894"

This reverts commit 09d2b21b09b42a5ab15fd39b1a783f8887f59785.
---
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 08b5eb16e5..71d3f19728 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -72,9 +72,6 @@ wildcard=yes, \
 {%            if account.username %}
 login={{account.username}}, \
 {%            endif %}
-{%        if account.force_ssl|default('0') == '1' %}
-ssl=yes, \
-{%        endif %}
 password={{account.password}} \
 {{account.hostnames}}
 

From 4fcedf7201800e45d1ab60a24ab2755c9ac3ac68 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 18 Mar 2022 18:13:58 +0100
Subject: [PATCH 0983/3088] dns/ddclient: ssl=yes is only supported on a global
 level, since we moved the checkbos to account, the enforcement broke. This
 commit will explain the account vs global settin and adjusts the template to
 set ssl=yes on a global level. closes
 https://github.com/opnsense/plugins/issues/2894

---
 dns/ddclient/Makefile                         |  1 +
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |  3 +-
 .../templates/OPNsense/ddclient/ddclient.conf | 73 +++++++++++--------
 3 files changed, 45 insertions(+), 32 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index d4f5a19148..f058a437ef 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=		1
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 020d202166..22a8fa8cab 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -69,7 +69,8 @@
         <id>account.force_ssl</id>
         <label>Force SSL</label>
         <type>checkbox</type>
-        <help>Force update using HTTPS</help>
+        <help>Force update using HTTPS, please note setting this option will enforce https updates on all accounts
+        as ddclient only supports SSL=yes on a global level (check check ip service may still use HTTP on other services)</help>
     </field>
     <field>
         <id>account.interface</id>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 71d3f19728..dfdd9c0e82 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -5,76 +5,87 @@ pid=/var/run/ddclient.pid   # record PID in file.
 {% if not helpers.empty('OPNsense.DynDNS.general.verbose') %}
 verbose=yes
 {% endif %}
-
-
+{%  set accounts = [] %}
+{%  set force_ssl = [] %}
 {%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
 {%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
 {%        if account.enabled|default('0') == '1' %}
-{%            if account.checkip == 'if' %}
+{%            do accounts.append(account) %}
+{%            if account.force_ssl|default('0') == '1' %}
+{%                do force_ssl.append(1) %}
+{%            endif %}
+{%        endif %}
+{%    endfor %}
+{%  endif %}
+{%  if force_ssl %}
+ssl=yes
+{%  endif %}
+
+
+{%  for account in accounts %}
+{%      if account.checkip == 'if' %}
 use=if, if={{physical_interface(account.interface)}}, \
-{%            elif account.checkip.startswith('web_') %}
-{%                if account.interface %}
+{%      elif account.checkip.startswith('web_') %}
+{%          if account.interface %}
 use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i {{physical_interface(account.interface)}} -t {{account.force_ssl}} -s {{account.checkip[4:]}}",
-{%                else %}
+{%          else %}
 use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t {{account.force_ssl}} -s {{account.checkip[4:]}}",
-{%                endif %}
 {%            endif %}
-{%            if account.service == 'custom' %}
+{%      endif %}
+{%      if account.service == 'custom' %}
 protocol={{account.protocol}}, \
 server={{account.server}}, \
-{%            elif account.service == 'cloudflare' %}
+{%      elif account.service == 'cloudflare' %}
 protocol=cloudflare, \
 zone={{account.zone}}, \
-{%            elif account.service == 'dnsmadeeasy' %}
+{%      elif account.service == 'dnsmadeeasy' %}
 protocol=dnsmadeeasy, \
-{%            elif account.service == 'dns-o-matic' %}
+{%      elif account.service == 'dns-o-matic' %}
 protocol=dyndns2, \
 server=updates.dnsomatic.com, \
-{%            elif account.service == 'freedns' %}
+{%      elif account.service == 'freedns' %}
 protocol=freedns, \
 server=freedns.afraid.org, \
-{%            elif account.service == 'dynu' %}
+{%      elif account.service == 'dynu' %}
 protocol=dyndns2, \
 server=api.dynu.com, \
-{%            elif account.service == 'he-net' %}
+{%      elif account.service == 'he-net' %}
 protocol=dyndns2, \
 server=dyn.dns.he.net, \
-{%            elif account.service == 'he-net-tunnel' %}
+{%      elif account.service == 'he-net-tunnel' %}
 protocol=dyndns2, \
 server=ipv4.tunnelbroker.net, \
-{%            elif account.service == 'inwx' %}
+{%      elif account.service == 'inwx' %}
 protocol=dyndns2, \
 server=dyndns.inwx.com, \
-{%            elif account.service == 'loopia' %}
+{%      elif account.service == 'loopia' %}
 protocol=dyndns2, \
 server=dyndns.loopia.se, \
-{%            elif account.service == 'nsupdatev4' %}
+{%      elif account.service == 'nsupdatev4' %}
 protocol=dyndns2, \
 server=ipv4.nsupdate.info, \
-{%            elif account.service == 'nsupdatev6' %}
+{%      elif account.service == 'nsupdatev6' %}
 protocol=dyndns2, \
 server=ipv6.nsupdate.info, \
-{%            elif account.service == 'spdyn' %}
+{%      elif account.service == 'spdyn' %}
 protocol=dyndns2, \
 server=update.spdyn.de, \
-{%            elif account.service == 'strato' %}
+{%      elif account.service == 'strato' %}
 protocol=dyndns2, \
 server=dyndns.strato.com, \
-{%            elif account.service == 'ovh' %}
+{%      elif account.service == 'ovh' %}
 protocol=dyndns2, \
 server=www.ovh.com, \
-{%            else %}
+{%      else %}
 protocol={{account.service}}, \
-{%            endif %}
-{%            if account.wildcard|default('0') == '1' %}
+{%      endif %}
+{%      if account.wildcard|default('0') == '1' %}
 wildcard=yes, \
-{%            endif %}
-{%            if account.username %}
+{%      endif %}
+{%      if account.username %}
 login={{account.username}}, \
-{%            endif %}
+{%      endif %}
 password={{account.password}} \
 {{account.hostnames}}
 
-{%        endif %}
-{%    endfor %}
-{%  endif %}
+{%  endfor %}

From fb1dedb9ee4b3edad9c02b9c1ed175150f96044d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 18 Mar 2022 18:36:17 +0100
Subject: [PATCH 0984/3088] dns/ddclient: typo in previous. ref
 https://github.com/opnsense/plugins/issues/2894#issuecomment-1072638007

---
 .../mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 22a8fa8cab..bb7e48fd41 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -70,7 +70,7 @@
         <label>Force SSL</label>
         <type>checkbox</type>
         <help>Force update using HTTPS, please note setting this option will enforce https updates on all accounts
-        as ddclient only supports SSL=yes on a global level (check check ip service may still use HTTP on other services)</help>
+        as ddclient only supports SSL=yes on a global level (the check ip service may still use HTTP on other services)</help>
     </field>
     <field>
         <id>account.interface</id>

From 4345a497d2629ac7b15f9e6ece7c702f7af6aeb5 Mon Sep 17 00:00:00 2001
From: Juergen Kellerer <juergen@k123.eu>
Date: Sat, 19 Mar 2022 14:46:59 +0100
Subject: [PATCH 0985/3088] acme-client: ACMEDNS_UPDATE_URL to ACMEDNS_BASE_URL

---
 .../AcmeClient/forms/dialogValidation.xml     |  6 +--
 .../AcmeClient/LeValidation/DnsAcmedns.php    |  2 +-
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  6 ++-
 .../OPNsense/AcmeClient/Migrations/M3_3_0.php | 52 +++++++++++++++++++
 4 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index c057c209b3..1eef3dfb5e 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1187,10 +1187,10 @@
         <type>text</type>
     </field>
     <field>
-        <id>validation.dns_acmedns_updateurl</id>
-        <label>Update URL</label>
+        <id>validation.dns_acmedns_baseurl</id>
+        <label>ACME DNS URL</label>
         <type>text</type>
-        <help>Specify the custom ACME DNS Update URL, i.e. https://auth.acme-dns.io/update (optional)</help>
+        <help>Specify the custom ACME DNS URL, i.e. https://auth.acme-dns.io:443 (optional)</help>
     </field>
     <field>
         <label>Acmeproxy</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmedns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmedns.php
index 4ccefe4e3e..029b24e8c8 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmedns.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAcmedns.php
@@ -42,6 +42,6 @@ public function prepare()
         $this->acme_env['ACMEDNS_USERNAME'] = (string)$this->config->dns_acmedns_user;
         $this->acme_env['ACMEDNS_PASSWORD'] = (string)$this->config->dns_acmedns_password;
         $this->acme_env['ACMEDNS_SUBDOMAIN'] = (string)$this->config->dns_acmedns_subdomain;
-        $this->acme_env['ACMEDNS_UPDATE_URL'] = (string)$this->config->dns_acmedns_updateurl;
+        $this->acme_env['ACMEDNS_BASE_URL'] = (string)$this->config->dns_acmedns_baseurl;
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 53b71855d4..a74cfc6b45 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>3.2.0</version>
+    <version>3.3.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -978,9 +978,13 @@
                 <dns_acmedns_subdomain type="TextField">
                     <Required>N</Required>
                 </dns_acmedns_subdomain>
+                <!-- old value, should be removed in next major release -->
                 <dns_acmedns_updateurl type="TextField">
                     <Required>N</Required>
                 </dns_acmedns_updateurl>
+                <dns_acmedns_baseurl type="TextField">
+                    <Required>N</Required>
+                </dns_acmedns_baseurl>
                 <dns_acmeproxy_endpoint type="TextField">
                     <Required>N</Required>
                 </dns_acmeproxy_endpoint>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php
new file mode 100644
index 0000000000..fc6cf2e41b
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php
@@ -0,0 +1,52 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M3_3_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Migrate validations
+        foreach ($model->getNodeByReference('validations.validation')->iterateItems() as $validation) {
+            $updateUrl = trim(strval($validation->dns_acmedns_updateurl ?? ''));
+            $baseUrl = trim(strval($validation->dns_acmedns_baseurl ?? ''));
+
+            if (!empty($updateUrl) && empty($baseUrl)) {
+                // Translate "https://auth.acme-dns.io/update" to "https://auth.acme-dns.io"
+                $baseUrl = preg_replace('/\/update$/', '', $updateUrl);
+                $validation->dns_acmedns_baseurl = $baseUrl;
+                $validation->dns_acmedns_updateurl = null;
+            }
+        }
+    }
+}

From d2798e2000d5c13ba5b70d5ccefe0403ae46ac07 Mon Sep 17 00:00:00 2001
From: "Dr. Uwe Meyer-Gruhl" <17402664+meyergru@users.noreply.github.com>
Date: Sun, 20 Mar 2022 11:11:08 +0100
Subject: [PATCH 0986/3088] dns/ddclient - add option to allow IPv6 updates
 (issue 2895) (#2897)

---
 dns/ddclient/pkg-descr                                     | 4 ++++
 .../mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 6 +++++-
 .../service/templates/OPNsense/ddclient/ddclient.conf      | 3 +++
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index ea6c82a0d4..f5f875ddd5 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.4
+
+* Add advanced general setting to allow updates via IPv6
+
 1.3
 
 * Add checkip settings per account using selected source interface when provided
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
index 9d67554115..c524918d59 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -12,6 +12,13 @@
         <advanced>true</advanced>
         <help>Enable verbose logging</help>
     </field>
+    <field>
+        <id>ddclient.general.allowipv6</id>
+        <label>Allow IPv6</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Allow IPv6 for updates</help>
+    </field>
     <field>
         <id>ddclient.general.daemon_delay</id>
         <label>Interval</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index eb367952fe..5f7bea18bb 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/DynDNS</mount>
-    <version>1.2.0</version>
+    <version>1.4.0</version>
     <description>
         Dynamic DNS client
     </description>
@@ -14,6 +14,10 @@
                 <default>0</default>
                 <Required>Y</Required>
             </verbose>
+            <allowipv6 type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </allowipv6>
             <daemon_delay type="IntegerField">
                 <default>300</default>
                 <Required>Y</Required>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index dfdd9c0e82..ecf43bc489 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -5,6 +5,9 @@ pid=/var/run/ddclient.pid   # record PID in file.
 {% if not helpers.empty('OPNsense.DynDNS.general.verbose') %}
 verbose=yes
 {% endif %}
+{% if not helpers.empty('OPNsense.DynDNS.general.allowipv6') %}
+ipv6=yes
+{% endif %}
 {%  set accounts = [] %}
 {%  set force_ssl = [] %}
 {%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}

From 8de7489732cee28a26ccda0dd6f5aafed9bb9242 Mon Sep 17 00:00:00 2001
From: MeganerdNL <wdeurholt@wdmail.nl>
Date: Wed, 23 Mar 2022 12:59:45 +0100
Subject: [PATCH 0987/3088] security/acme-client: Add support for Transip DNS
 API (#2871)

---
 .../AcmeClient/forms/dialogValidation.xml     | 16 ++++++
 .../AcmeClient/LeValidation/DnsTransip.php    | 51 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 74 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index c057c209b3..50ac7760df 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1060,6 +1060,22 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Transip</label>
+        <type>header</type>
+        <style>table_dns table_dns_transip</style>
+    </field>
+    <field>
+        <id>validation.dns_transip_username</id>
+        <label>Username</label>
+        <type>text</type>
+	<help>Your TransIP username.</help>
+    <field>
+        <id>validation.dns_transip_key</id>
+        <label>API Key</label>
+        <type>text</type>
+	<help>Requires the whole key file in a format that is compatible with TransIP.</help>
+    </field>
     <field>
         <label>UnoEuro</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
new file mode 100644
index 0000000000..5811202e5d
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Wouter Deurholt
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Transip API
+ * @package OPNsense\AcmeClient
+ */
+class DnsTransip extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_id);
+        $secret_key_filename = "${configdir}/secret.key";
+        $secret_key_data = (string)$this->config->dns_transip_key . "\n";
+        file_put_contents($secret_key_filename, $secret_key_data);
+
+        // Add env variables
+        $this->acme_env['TRANSIP_Username'] = (string)$this->config->dns_transip_username;
+        $this->acme_env['TRANSIP_Key_File'] = $secret_key_filename;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 53b71855d4..5c17d14200 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -488,6 +488,7 @@
                         <dns_selectel>selectel.com / selectel.ru domain API</dns_selectel>
                         <dns_selfhost>Selfhost API</dns_selfhost>
                         <dns_servercow>Servercow API v1</dns_servercow>
+                        <dns_transip>Transip API</dns_transip>
                         <dns_unoeuro>UnoEuro API</dns_unoeuro>
                         <dns_variomedia>Variomedia.de API</dns_variomedia>
                         <dns_vscale>Vscale API</dns_vscale>
@@ -942,6 +943,12 @@
                 <dns_servercow_password type="TextField">
                     <Required>N</Required>
                 </dns_servercow_password>
+                <dns_transip_username type="TextField">
+                    <Required>N</Required>
+                </dns_transip_username>
+                <dns_transip_key type="TextField">
+                    <Required>N</Required>
+                </dns_transip_key>
                 <dns_uno_key type="TextField">
                     <Required>N</Required>
                 </dns_uno_key>

From 26da65acf1648f9af69fa39c2ee358914f69816a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Mar 2022 15:14:29 +0100
Subject: [PATCH 0988/3088] dns/ddclient: change version for release and update
 changelog

---
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f058a437ef..487f0af551 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=		1
+PLUGIN_VERSION=		1.4
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index f5f875ddd5..9bc3469572 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.4
 
 * Add advanced general setting to allow updates via IPv6
+* Enforce SSL on global level with account setting
 
 1.3
 

From 28d310b18a4f903e5e2fcc6ee110cc7ea9fc5ab5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Mar 2022 15:18:20 +0100
Subject: [PATCH 0989/3088] misc/theme-cicada: whitespace sweep

---
 .../src/opnsense/www/themes/cicada/build/css/main.css           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index db0add871f..cb62c354f5 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -5247,7 +5247,7 @@ button.close {
   background-color: #2a2a2a;
   border-bottom: 1px solid #191919;
   border-radius: 5px 5px 0 0; }
-  
+
 .popover-title > a:hover {
   text-decoration: none; }
 

From 06b6af9a8b4800013fcc415afd18784330a6ff1d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Mar 2022 15:19:37 +0100
Subject: [PATCH 0990/3088] security/acme-client: need revision bump on current
 changes

22.1.4 is going out tomorrow without this but for accounting
purposes the devel version should get a revision bump.
---
 security/acme-client/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 72043e1637..eee4abebd4 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		3.8
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 6faf4b287b17708a661efe33ff0561b9a6c91b6f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 24 Mar 2022 12:31:05 +0100
Subject: [PATCH 0991/3088] plugins: sync

---
 LICENSE   | 3 ++-
 README.md | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/LICENSE b/LICENSE
index 750286c49a..eeb835ed94 100644
--- a/LICENSE
+++ b/LICENSE
@@ -8,7 +8,7 @@ Copyright (c) 2020 D. Domig
 Copyright (c) 2011 Dan Myers
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
-Copyright (c) 2014-2021 Deciso B.V.
+Copyright (c) 2014-2022 Deciso B.V.
 Copyright (c) 2008 Donovan Schonknecht
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2006 Eric Friesen
@@ -42,6 +42,7 @@ Copyright (c) 2017-2019 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz
 Copyright (c) 2020 Starkstromkonsument
 Copyright (c) 2020 Tobias Boehnert
+Copyright (c) 2022 Wouter Deurholt
 Copyright (c) 2010 Yehuda Katz
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
diff --git a/README.md b/README.md
index 0dabdf1213..095e89d2f5 100644
--- a/README.md
+++ b/README.md
@@ -43,10 +43,10 @@ emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
 ftp/tftp -- TFTP server
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
-misc/theme-cicada -- The cicada theme - dark grey
+misc/theme-cicada -- The cicada theme - dark grey onyx
 misc/theme-rebellion -- A suitably dark theme
 misc/theme-tukan -- The tukan theme - blue/white
-misc/theme-vicuna -- The vicuna theme - dark anthrazit
+misc/theme-vicuna -- The vicuna theme - blue sapphire
 net/chrony -- Chrony time synchronisation
 net/firewall -- Firewall API supplemental package
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server

From 872225a9bcab21d78a6ce08e80cf15c9368ae61d Mon Sep 17 00:00:00 2001
From: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Date: Fri, 25 Mar 2022 08:47:28 +0100
Subject: [PATCH 0992/3088] dns/ddclient add servercow (#2911)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 5f7bea18bb..944bc435e4 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -55,6 +55,7 @@
                         <noip>Noip</noip>
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
                         <nsupdatev6>nsupdate.info (IPv6)</nsupdatev6>
+                        <servercow>Servercow</servercow>
                         <spdyn>spDYN</spdyn>
                         <strato>STRATO</strato>
                         <zoneedit1>Zoneedit</zoneedit1>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index ecf43bc489..1d9dbb54d2 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -70,6 +70,9 @@ server=ipv4.nsupdate.info, \
 {%      elif account.service == 'nsupdatev6' %}
 protocol=dyndns2, \
 server=ipv6.nsupdate.info, \
+{%      elif account.service == 'servercow' %}
+protocol=dyndns2, \
+server=dyndns.servercow.de, \
 {%      elif account.service == 'spdyn' %}
 protocol=dyndns2, \
 server=update.spdyn.de, \

From a45a8fb04463b43631011b034fcdbd506f614e26 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 23 Mar 2022 13:14:14 +0100
Subject: [PATCH 0993/3088] security/acme-client: fix copyright, refs #2898

---
 .../mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php
index fc6cf2e41b..16c2164bb6 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M3_3_0.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2022 Juergen Kellerer
  *
  *    All rights reserved.
  *

From 03ad1c834bc68d70b866d477cbd67b30f7e4ecee Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 23 Mar 2022 13:22:35 +0100
Subject: [PATCH 0994/3088] security/acme-clent: preserve sort order of
 automations, closes #2833

---
 .../controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml  | 1 +
 .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml   | 1 +
 2 files changed, 2 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index ead828f216..d8f0bfd3c6 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -84,6 +84,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
+        <sortable>true</sortable>
         <help>Choose the automations that should be run after certificate creation and renewal. Basically every application requires a quick restart to reload the updated certificate. If you don't configure an automation, the in-memory certificate may expire and cause security warnings and other issues.</help>
     </field>
     <field>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index cf8c7fd096..7d195f02e4 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -270,6 +270,7 @@
                         </actions>
                     </Model>
                     <ValidationMessage>Related automation not found</ValidationMessage>
+                    <Sorted>Y</Sorted>
                     <multiple>Y</multiple>
                     <Required>N</Required>
                 </restartActions>

From 38e5a610e7f6d4e1057529b3cb3f25b3b3e51bad Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 23 Mar 2022 13:26:34 +0100
Subject: [PATCH 0995/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 3 +--
 security/acme-client/pkg-descr | 9 +++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index eee4abebd4..00d852986b 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.8
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		3.9
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index b5025b594c..9305b77522 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,15 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.9
+
+Added:
+* add support for Transip DNS API ( #2871)
+* execution order of automations can be changed (#2833)
+
+Fixed:
+* fix the use of a self hosted ACME-DNS service (#2898)
+
 3.8
 
 NOTE: Support for the cPanel and Selfhost API is not functional. It requires

From ccb2d6cf9bad34bfaafc9e84816a427fc4d3c7d3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 23 Mar 2022 13:45:12 +0100
Subject: [PATCH 0996/3088] security/acme-client: fix missing closing tag, refs
  #2871

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml         | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 5b14a4c23b..7ee42f5740 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -303,7 +303,7 @@
         <label>Password</label>
         <type>password</type>
     </field>
-	<field>
+    <field>
         <label>DDNSS API</label>
         <type>header</type>
         <style>table_dns table_dns_ddnss</style>
@@ -1069,12 +1069,13 @@
         <id>validation.dns_transip_username</id>
         <label>Username</label>
         <type>text</type>
-	<help>Your TransIP username.</help>
+        <help>Your TransIP username.</help>
+    </field>
     <field>
         <id>validation.dns_transip_key</id>
         <label>API Key</label>
         <type>text</type>
-	<help>Requires the whole key file in a format that is compatible with TransIP.</help>
+        <help>Requires the whole key file in a format that is compatible with TransIP.</help>
     </field>
     <field>
         <label>UnoEuro</label>

From 4664a4c72f5cefce2b4efdf4b380b40f63a7d1d0 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 29 Mar 2022 09:24:56 +0200
Subject: [PATCH 0997/3088] net/chrony: add fallbackpeer and no cert check
 (#2774)

---
 net/chrony/Makefile                                  |  2 +-
 net/chrony/pkg-descr                                 |  5 +++++
 .../controllers/OPNsense/Chrony/forms/general.xml    | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Chrony/General.xml       |  9 ++++++++-
 .../service/templates/OPNsense/Chrony/chrony.conf    |  9 +++++++++
 5 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index d87cafe8e9..05ef39bac5 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		chrony
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/chrony/pkg-descr b/net/chrony/pkg-descr
index eb87118f74..f38222784a 100644
--- a/net/chrony/pkg-descr
+++ b/net/chrony/pkg-descr
@@ -4,6 +4,11 @@ better in virtual environments.
 Plugin Changelog
 ----------------
 
+1.5
+
+* Allow adding a fallback NTP when using NTS
+* Add option for nocerttimecheck if system starts with wrong time and only NTS allowed
+
 1.4
 
 * Adjust timeouts and retries for chronyc
diff --git a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
index 691a2b3b91..3b6b358ffb 100644
--- a/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
+++ b/net/chrony/src/opnsense/mvc/app/controllers/OPNsense/Chrony/forms/general.xml
@@ -17,6 +17,12 @@
         <type>checkbox</type>
         <help>Enable NTS in client mode. This will add another layer of security for peers when OPNsense is the client. Every server in Peers has to support NTS.</help>
     </field>
+    <field>
+        <id>general.ntsnocert</id>
+        <label>NTS Disable Certcheck</label>
+        <type>checkbox</type>
+        <help>If you run NTS mode you can enable this option in order to ignore wrong time in certificates for the first check. This helps if your system starts with wrong time.</help>
+    </field>
     <field>
         <id>general.peers</id>
         <label>NTP Peers</label>
@@ -25,6 +31,12 @@
         <allownew>true</allownew>
         <help>Set as many NTP peers you need.</help>
     </field>
+    <field>
+        <id>general.fallbackpeers</id>
+        <label>Fallback Peer</label>
+        <type>text</type>
+        <help>Set fallback peer if you use NTS and your system starts with wrong time. Best to only use this for internal trusted peers.</help>
+    </field>
     <field>
         <id>general.allowednetworks</id>
         <label>Allowed Networks</label>
diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
index 969b9fc178..c74a00cc4c 100644
--- a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
+++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/chrony/general</mount>
     <description>Chrony configuration</description>
-    <version>0.0.1</version>
+    <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -15,12 +15,19 @@
             <default>0</default>
             <Required>Y</Required>
         </ntsclient>
+        <ntsnocert type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </ntsnocert>
         <peers type="HostnameField">
             <default>0.opnsense.pool.ntp.org</default>
             <Required>Y</Required>
             <FieldSeparator>,</FieldSeparator>
             <asList>Y</asList>
         </peers>
+        <fallbackpeers type="HostnameField">
+            <Required>N</Required>
+        </fallbackpeers>
         <allowednetworks type="NetworkField">
             <Required>N</Required>
             <FieldSeparator>,</FieldSeparator>
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
index 6910ea4a46..91cc28792c 100644
--- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
@@ -11,6 +11,10 @@ ntstrustedcerts /etc/ssl/cert.pem
 nosystemcert
 {%   endif %}
 
+{%   if helpers.exists('OPNsense.chrony.general.ntsnocert') and OPNsense.chrony.general.ntsnocert == '1' %}
+nocerttimecheck 1
+{%   endif %}
+
 {%   if not helpers.empty('OPNsense.chrony.general.peers') %}
 {%     for peer in OPNsense.chrony.general.peers.split(',') %}
 server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}nts{% endif %}
@@ -18,6 +22,11 @@ server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient
 {%     endfor %}
 {%   endif %}
 
+{%   if helpers.exists('OPNsense.chrony.general.fallbackpeers') and OPNsense.chrony.general.fallbackpeers != '' %}
+authselectmode mix
+server {{ OPNsense.chrony.general.fallbackpeers }} 
+{%   endif %}
+
 {%   if not helpers.empty('OPNsense.chrony.general.allowednetworks') %}
 {%     for network in OPNsense.chrony.general.allowednetworks.split(',') %}
 allow {{ network }}

From 3dda341ba60f2793e3b038a624acf1e7efcb05d6 Mon Sep 17 00:00:00 2001
From: Juergen Kellerer <juergen@k123.eu>
Date: Sun, 20 Mar 2022 00:09:58 +0100
Subject: [PATCH 0998/3088] acme-client: New Action "Remote SSH"

Also fixed PHP warnings (errors in 8.1)
---
 .../AcmeClient/Api/ActionsController.php      |  26 ++
 .../AcmeClient/forms/dialogAction.xml         |  43 +++
 .../LeAutomation/ConfigdRemoteSsh.php         |  45 +++
 .../library/OPNsense/AcmeClient/Process.php   |  56 ++-
 .../library/OPNsense/AcmeClient/SSHKeys.php   |   6 +-
 .../OPNsense/AcmeClient/SftpClient.php        |   2 +-
 .../OPNsense/AcmeClient/SftpUploader.php      |  14 +-
 .../app/library/OPNsense/AcmeClient/Utils.php | 170 +++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  38 ++
 .../views/OPNsense/AcmeClient/actions.volt    |  31 +-
 .../OPNsense/AcmeClient/run_remote_ssh.php    | 355 ++++++++++++++++++
 .../OPNsense/AcmeClient/upload_sftp.php       | 155 ++------
 .../conf/actions.d/actions_acmeclient.conf    |  18 +
 13 files changed, 791 insertions(+), 168 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRemoteSsh.php
 create mode 100755 security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
index 2634c404d5..441eb6fb01 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
@@ -101,6 +101,32 @@ public function sftpTestConnectionAction()
         return ["status" => "unavailable"];
     }
 
+    public function sshGetIdentityAction()
+    {
+        $result = ["status" => "unavailable"];
+
+        if ($response = $this->callBackend(["show-remote-ssh-identity"], ["remote_ssh_identity_type", "remote_ssh_host"])) {
+            $result["status"] = "ok";
+            $result["identity"] = $response;
+        }
+
+        return $result;
+    }
+
+    public function sshTestConnectionAction()
+    {
+        if (
+            $response = $this->callBackend(
+                ["test-remote-ssh-connection"],
+                ["remote_ssh_host", "remote_ssh_host_key", "remote_ssh_port", "remote_ssh_user", "remote_ssh_identity_type"]
+            )
+        ) {
+            return $response;
+        }
+
+        return ["status" => "unavailable"];
+    }
+
     private function callBackend(array $command, array $arguments = [])
     {
         if ($this->request->isPost()) {
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index b46f455196..d3ecd46644 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -142,6 +142,49 @@
             Leave blank to use default "{{name}}/fullchain.pem".</help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_configd_remote_ssh</style>
+    </field>
+    <field>
+        <id>action.remote_ssh_host</id>
+        <label>SSH Host</label>
+        <type>text</type>
+        <help>IP address or hostname of the SSH server.</help>
+    </field>
+    <field>
+        <id>action.remote_ssh_port</id>
+        <label>SSH Port</label>
+        <type>text</type>
+        <help>SSH server port. Leave blank to use default "22".</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>action.remote_ssh_key</id>
+        <label>Host Key</label>
+        <type>text</type>
+        <help>SSH server host key, formatted as in 'known_hosts'.
+              Leave blank to auto accept host key on first connect (not as secure as specifying it).</help>
+    </field>
+    <field>
+        <id>action.remote_ssh_user</id>
+        <label>Username</label>
+        <type>text</type>
+        <help>The username to login to the SSH server.</help>
+    </field>
+    <field>
+        <id>action.remote_ssh_identity_type</id>
+        <label>Identity Type</label>
+        <type>dropdown</type>
+        <help>The type of identify to present to the SSH server for authorization. Select 'none' to use default "ECDSA".</help>
+    </field>
+    <field>
+        <id>action.remote_ssh_command</id>
+        <label>Command</label>
+        <type>text</type>
+        <help>The command to execute on the SSH server.</help>
+    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRemoteSsh.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRemoteSsh.php
new file mode 100644
index 0000000000..e924e2cc28
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdRemoteSsh.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020-2022 Juergen Kellerer
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run remote command on arbitrary hosts using SSH
+ * @package OPNsense\AcmeClient
+ */
+class ConfigdRemoteSsh extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $command = 'acmeclient run-remote-ssh-command ' . $this->config->id;
+        $this->command = $command;
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Process.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Process.php
index 24c9667078..59ed4808ff 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Process.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Process.php
@@ -115,21 +115,49 @@ public function __destruct()
         }
     }
 
-    public function get($timeout = 5, $max_length = 8192, $ending = PHP_EOL)
+    private $linesBuffer = [];
+
+    private function nextBufferedLine()
     {
-        $readables = array_filter($this->outputs, function ($stream) {
-            return is_resource($stream) && !feof($stream);
-        });
-
-        $micros = intval(($timeout - floor($timeout)) * 1000000);
-        $can_read = !empty($readables) && stream_select($readables, $w = [], $e = [], $timeout, $micros);
-        $stream = array_reduce(($can_read ? $readables : []), function ($a, $b) {
-            return is_resource($a) && !feof($a) ? $a : $b;
-        }, null);
-
-        return is_resource($stream)
-            ? stream_get_line($stream, $max_length, $ending)
-            : false;
+        return empty($this->linesBuffer)
+            ? false
+            : array_shift($this->linesBuffer);
+    }
+
+    /**
+     * Returns one line from stdout or stdin as it gets available. May return 'false' when no line became available
+     * within the specified $timeout or when another stream events occurred that returned no new content.
+     * @param $timeout float timeout in seconds
+     * @param $max_length int max length of a single line
+     * @return false|string One line of stdout/err (merged) or false when no new line exists.
+     */
+    public function get($timeout = 5, $max_length = 64 * 1024)
+    {
+        if (($line = $this->nextBufferedLine()) !== false) {
+            return $line;
+        }
+
+        $readables = array_filter($this->outputs, fn($stream) => is_resource($stream) && !feof($stream));
+        $micros = intval(($timeout - floor($timeout)) * 1000000) + 100;
+        $timeout = floor($timeout);
+        $__ = null;
+
+        $can_read = !empty($readables)
+            && stream_select($readables, $__, $__, $timeout, $micros) !== false;
+
+        if ($can_read) {
+            foreach ($readables as $stream) {
+                $content = fread($stream, $max_length);
+                if ($content !== false) {
+                    array_push($this->linesBuffer, ...preg_split('/\r\n|\n|\r/', $content));
+                    if (empty($this->linesBuffer[-1])) {
+                        array_pop($this->linesBuffer); // remove trailing empty newline
+                    }
+                }
+            }
+        }
+
+        return $this->nextBufferedLine();
     }
 
     public function put($data, $append = PHP_EOL)
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php
index 39c905bdda..3d91cef69d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php
@@ -122,7 +122,7 @@ public function trustHost(string $host, $host_key = "", $port = self::DEFAULT_PO
 
 
         // Check our current known_host file
-        $addKeyInfo = function (array &$key_list) {
+        $addKeyInfo = function (array $key_list) {
             foreach ($key_list as &$item) {
                 $item["key_info"] = self::getHostKeyInfo($item["host_key"]);
             }
@@ -182,7 +182,7 @@ public function trustHost(string $host, $host_key = "", $port = self::DEFAULT_PO
             if (
                 empty($remote_host_keys)
                 && $query_error
-                && $query_error["connection_refused"]
+                && ($query_error["connection_refused"] ?? false)
                 && !$host_key
                 && self::ALTERNATE_DEFAULT_KEY_TYPE != self::DEFAULT_KEY_TYPE
             ) {
@@ -451,7 +451,7 @@ public function getIdentity(string $identity_type = self::DEFAULT_IDENTITY_TYPE,
     {
         Utils::requireThat(in_array($identity_type, self::IDENTITY_TYPES), "Identity type '$identity_type' unknown.");
 
-        list($key_type, $key_size) = explode('_', $identity_type, 2);
+        list($key_type, $key_size) = explode('_', "{$identity_type}_", 2);
         if (!$key_size && self::DEFAULT_IDENTITY_KEY_BITS[$key_type] > 0) {
             $key_size = self::DEFAULT_IDENTITY_KEY_BITS[$key_type];
         }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
index f9d2a00021..064b134033 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
@@ -173,7 +173,7 @@ public function close()
 
             $this->process = null;
 
-            if ($this->failed_status && $this->failed_status["connection_closed"]) {
+            if ($this->failed_status && ($this->failed_status["connection_closed"] ?? false)) {
                 $this->clearError();
             }
         }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
index bf6a466e32..3534958802 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
@@ -236,9 +236,9 @@ public function upload(): int
                 // Preparing upload
                 $username = $connection["user"];
                 $remote_filename = basename((empty($file["target"]) ? $local_file : $file["target"]));
-                $remote_file = $remote_files[$remote_filename] ?: ["type" => "-", "owner" => $username];
+                $remote_file = $remote_files[$remote_filename] ?? ["type" => "-", "owner" => $username];
                 $remote_is_file = $remote_file["type"] === "-";
-                $remote_is_readonly = preg_match('/^[^wW]+$/', $remote_file["permissions"] ?: "");
+                $remote_is_readonly = preg_match('/^[^wW]+$/', $remote_file["permissions"] ?? "");
 
                 // Check if a folder/socket/symlink, etc is in the way
                 if (!$remote_is_file) {
@@ -246,10 +246,10 @@ public function upload(): int
                     return self::UPLOAD_ERROR_NO_OVERWRITE;
                 }
 
-                $chgrp = $file["group"] ?: "";
+                $chgrp = $file["group"] ?? "";
                 $chgrp = preg_match('/^\d+$/', $chgrp) ? (string)$chgrp : false;
 
-                $chmod = $file["mode"] ?: "";
+                $chmod = $file["mode"] ?? "";
                 $chmod = preg_match('/^0\d{3}$/', $chmod) ? (string)$chmod : false;
 
 
@@ -347,7 +347,7 @@ private function isFileOwnedByConnection(array $remote_file, array $connection):
                         Utils::log()->error("Failed uploading test file to detect ownership. Next uploads may fail as well.", $error);
                     } else {
                         // Get owner of the test file
-                        $file_info = $this->sftp->ls()[$remote_test_file] ?: ["owner" => -1];
+                        $file_info = $this->sftp->ls()[$remote_test_file] ?? ["owner" => -1];
                         // Cleanup
                         $this->sftp->rm($remote_test_file);
                         $this->sftp->clearError();
@@ -370,7 +370,7 @@ private function deleteSourceIfRequested($file)
         if (
             isset($this->pending_files[$file])
             && is_array($existing = $this->pending_files[$file])
-            && $existing["delete_source"] === true
+            && ($existing["delete_source"] ?? false) === true
         ) {
             unlink($existing["source"]);
         }
@@ -408,7 +408,7 @@ private function temporaryFile($delete_all = false)
         }
 
         $index = $this->temporary_files_index;
-        if ($index <= 0 || !is_array($shared_temporary_files[$index])) {
+        if ($index <= 0 || !is_array($shared_temporary_files[$index] ?? null)) {
             $index = $this->temporary_files_index = ++$shared_temporary_files_index_sequence;
             $shared_temporary_files[$index] = [];
         }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php
index f16d4082f1..b5842d58f2 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php
@@ -142,4 +142,174 @@ public static function resolvePath(string $file, string $base = ".")
 
         return DIRECTORY_SEPARATOR . join(DIRECTORY_SEPARATOR, $path);
     }
+
+    /**
+     * @return string the path where acme.sh config is stored or null if not available.
+     */
+    public static function configPath(): string
+    {
+        static $paths = [
+            '/var/etc/acme-client',
+            __DIR__
+        ];
+        foreach ($paths as $path) {
+            if (is_dir($path)) {
+                return $path;
+            }
+        }
+        return self::requireThat(false, "No config path");
+    }
+
+    /**
+     * @param string $automation_id the automation numeric id or UUID.
+     * @return mixed|null the automation action when found.
+     */
+    public static function getAutomationActionById($automation_id)
+    {
+        $config = \OPNsense\Core\Config::getInstance()->object();
+        $client = $config->OPNsense->AcmeClient;
+
+        foreach ($client->actions->children() as $action) {
+            if (
+                $automation_id === (string)$action->attributes()["uuid"]
+                || $automation_id === (string)$action->id
+            ) {
+                return $action;
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * Print CLI help.
+     * @see Utils::runCLIMain
+     * @param string $about about text
+     * @param string $examples examples text
+     * @param array $commands the commands
+     * @return void
+     */
+    public static function printCLIHelp($about, $examples, $commands = [])
+    {
+        static $options = [
+            "-h, --help          Print commandline help",
+            "--log               Enable log to stdout (instead of syslog)",
+            "--automation-id     Read options from the action specified by id or uuid",
+            "--no-error          Always exit with 0 (original exit codes are still logged)",
+        ];
+
+        echo $about . PHP_EOL
+            . "Usage: " . basename($GLOBALS["argv"][0]) . " [options] [--command=]COMMAND" . PHP_EOL
+            . PHP_EOL . join(PHP_EOL, $options) . PHP_EOL;
+
+        foreach ($commands as $name => $cmd) {
+            echo PHP_EOL . "COMMAND \"$name\" {$cmd["description"]}" . PHP_EOL . "Options:" . PHP_EOL;
+            foreach ($cmd["options"] as $option) {
+                $option = preg_replace(['/^([^:]+)$/', '/(.+)::$/', '/(.+):$/'], ['[$1]', '[$1=value]', '$1=value'], "--$option");
+                echo "         $option" . PHP_EOL;
+            }
+        }
+
+        echo PHP_EOL . "Examples:" . PHP_EOL
+            . preg_replace('/\r\n|\n|\r/', PHP_EOL, $examples)
+            . PHP_EOL . PHP_EOL;
+    }
+
+    /**
+     * Helper that implements `main();` for a CLI application following the command design.
+     *
+     * `$commands` follows the format:
+     * ```php
+     * [
+     *   "command-name" => [
+     *     "description" => "...",
+     *     "options" => ["arg1::", "arg2::", "arg3::"],
+     *     "implementation" => "commandImplementationFunction",
+     *     "default" => true | false,
+     *   ],
+     * ]
+     * ```
+     *
+     * @param callable $help method that display's CLI help.
+     * @param callable $optionsByActionId method that returns CLI args (assoc array) from an automation action id.
+     * @param array $commands the list of commands that the CLI application can execute.
+     * @param int $exit_success  exit code for success
+     * @param int $exit_unknown_command exit code for no matching command
+     * @return void
+     */
+    public static function runCLIMain(callable $help, callable $optionsByActionId, $commands = [], $exit_success = 0, $exit_unknown_command = 255)
+    {
+        global $argv;
+        $command = self::getSelectedCLICommand($commands);
+        $options = ["help", "log", "no-error"];
+
+        $has_automation_id = preg_match('/--automation-id=\S+/', join(" ", $argv));
+        if ($has_automation_id) {
+            $options = array_merge($options, ["automation-id:", "certificates::"]);
+        } else {
+            $options = array_merge($options, $command["options"]);
+        }
+
+        $index = 0;
+        if ($options = getopt("h", $options, $index)) {
+            if (isset($options["h"]) || isset($options["help"])) {
+                $help();
+            } else {
+                if (isset($options["log"])) {
+                    self::log(true)->info("Logging to stdout enabled");
+                }
+
+                $options = array_filter($options, function ($value) {
+                    return !is_string($value)
+                        || (!empty($value = trim($value)) && $value !== "__default_value");
+                });
+
+                if (isset($options["automation-id"])) {
+                    if (is_array($config = $optionsByActionId($options["automation-id"]))) {
+                        $options = array_merge($config, $options);
+                    } else {
+                        self::log()->error("No usable config found for automation-id {$options["automation-id"]}");
+                        exit(1);
+                    }
+                }
+
+                if (is_callable($runner = $command["implementation"])) {
+                    $code = $runner($options);
+
+                    if ($code != $exit_success) {
+                        self::log()->error("Command execution failed, exit code $code. Last input was: " . json_encode($options, JSON_UNESCAPED_SLASHES));
+                    }
+
+                    exit(isset($options["no-error"]) ? $exit_success : $code);
+                } else {
+                    exit($exit_unknown_command);
+                }
+            }
+        } else {
+            if (count($argv) < 2) {
+                $help();
+            } else {
+                $cmd = join(" ", $argv);
+                self::log()->error("Parsing of '$cmd' failed at argument '{$argv[$index]}'");
+            }
+            exit(1);
+        }
+    }
+
+    private static function getSelectedCLICommand($commands = [])
+    {
+        $default = null;
+        $command = null;
+        $parsed_args = getopt("", ["command::"]);
+        foreach ($commands as $name => $cmd) {
+            if (in_array($name, $GLOBALS["argv"]) || ($parsed_args["command"] ?? "") === $name) {
+                $command = $cmd;
+            }
+            if (($cmd["default"] ?? false) === true) {
+                $default = $cmd;
+            }
+        }
+
+        return $command ?? $default;
+    }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 7d195f02e4..8a9c50de41 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1113,6 +1113,7 @@
                         <configd_restart_nginx>Restart Nginx (OPNsense plugin)</configd_restart_nginx>
                         <configd_upload_highwinds>Upload certificate to Highwinds CDN</configd_upload_highwinds>
                         <configd_upload_sftp>Upload certificate via SFTP</configd_upload_sftp>
+                        <configd_remote_ssh>Remote Command via SSH</configd_remote_ssh>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
                         <acme_unifi>Update local Unifi keystore</acme_unifi>
@@ -1205,6 +1206,43 @@
                     <ValidationMessage>Should be a string between 1 and 255 characters.
                                        Characters are limited to [a-z], [0-9] and [{}@./-_%] and the string must neither begin nor end with '/'.</ValidationMessage>
                 </sftp_filename_fullchain>
+                <remote_ssh_host type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                </remote_ssh_host>
+                <remote_ssh_host_key type="TextField">
+                    <Required>N</Required>
+                    <!-- Key format: (comment)? key-type :SPACE: key-base64 (:SPACE: comment)?
+                         Reference: https://stackoverflow.com/a/475217 -->
+                    <mask>/^.+?\s(?:[a-z0-9+\/]{4})*(?:[a-z0-9+\/]{2}==|[a-z0-9+\/]{3}=)?(?:\s.+?)?$/i</mask>
+                    <ValidationMessage>Should be a valid public SSH host key (see "known_hosts").</ValidationMessage>
+                </remote_ssh_host_key>
+                <remote_ssh_port type="IntegerField">
+                    <Required>N</Required>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>49151</MaximumValue>
+                    <default>22</default>
+                    <ValidationMessage>Should be a valid port number between 1 and 49151.</ValidationMessage>
+                </remote_ssh_port>
+                <remote_ssh_user type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,128}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
+                </remote_ssh_user>
+                <remote_ssh_identity_type type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <ecdsa>ECDSA</ecdsa>
+                        <rsa>RSA</rsa>
+                        <ed25519>ed25519</ed25519>
+                    </OptionValues>
+                </remote_ssh_identity_type>
+                <remote_ssh_command type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a shell command between 1 and 1024 characters.</ValidationMessage>
+                </remote_ssh_command>
                 <!-- old value, should be removed in next major release -->
                 <configd type="ConfigdActionsField">
                     <filters>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
index 7f258eafeb..9474a0613b 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
@@ -92,17 +92,21 @@ POSSIBILITY OF SUCH DAMAGE.
                 .hide();
         }
 
-        // SFTP - Identity show button
-        (function ($identityType) {
+        // SFTP/SSH - Identity show button
+        [
+            {selector: '#action\\.sftp_identity_type', group: "configd_upload_sftp", action: "sftpGetIdentity"},
+            {selector: '#action\\.remote_ssh_identity_type', group: "configd_remote_ssh", action: "sshGetIdentity"},
+        ].forEach(function(config) {
+            var $identityType = $(config.selector);
             var identityDiv = makeStatusDiv($identityType);
 
-            makeButton("{{ lang._('Show Identity') }}", "configd_upload_sftp", "btn-info")
+            makeButton("{{ lang._('Show Identity') }}", config.group, "btn-info")
                 .click(function () {
                     identityDiv.hide();
                     var button = $(this);
                     button.prop('disabled', true).find(".fa-spinner").show();
 
-                    ajaxCall("/api/acmeclient/actions/sftpGetIdentity", getFormData("DialogAction").action, function (data, status) {
+                    ajaxCall("/api/acmeclient/actions/" + config.action, getFormData("DialogAction").action, function (data, status) {
                         button.prop('disabled', false).find(".fa-spinner").hide();
 
                         if (status === "success" && data.status === "ok") {
@@ -117,10 +121,15 @@ POSSIBILITY OF SUCH DAMAGE.
             $identityType.change(function() {
                 identityDiv.hide();
             });
-        })($('#action\\.sftp_identity_type'));
+        });
+
+        // SFTP/SSH - Connection test button
+        [
+            {selector: '#action\\.sftp_user', group: "configd_upload_sftp", action: "sftpTestConnection", success: "{{ lang._('Connection and upload test succeeded.') }}"},
+            {selector: '#action\\.remote_ssh_user', group: "configd_remote_ssh", action: "sshTestConnection", success: "{{ lang._('Connection test succeeded.') }}"},
+        ].forEach(function(config) {
+            var $user = $(config.selector);
 
-        // SFTP - Connection test button
-        (function ($user) {
             var statusDiv = makeStatusDiv($user, 'alert-success').html(
                 '<div class="message"></div>'
                 + '<div class="detail-enabler" style="cursor: pointer"><i class="fa fa-plus-square"></i></div>'
@@ -145,13 +154,13 @@ POSSIBILITY OF SUCH DAMAGE.
                 {msg: "{{ lang._('Test failed, see details.') }}"},
             ];
 
-            makeButton("{{ lang._('Test Connection') }}", "configd_upload_sftp")
+            makeButton("{{ lang._('Test Connection') }}", config.group)
                 .click(function () {
                     statusDiv.hide();
                     var button = $(this);
                     button.prop('disabled', true).find(".fa-spinner").show();
 
-                    ajaxCall("/api/acmeclient/actions/sftpTestConnection", getFormData("DialogAction").action, function (data, status) {
+                    ajaxCall("/api/acmeclient/actions/" + config.action, getFormData("DialogAction").action, function (data, status) {
                         button.prop('disabled', false).find(".fa-spinner").hide();
 
                         var message = "",
@@ -161,7 +170,7 @@ POSSIBILITY OF SUCH DAMAGE.
                         if (status === "success") {
                             if (data.success === true) {
                                 statusClass = "alert-success";
-                                message = "{{ lang._('Connection and upload test succeeded.') }}"
+                                message = config.success
                             } else {
                                 detail = JSON.stringify(data, null, '  ').replace(/\\"/g, "'");
 
@@ -188,7 +197,7 @@ POSSIBILITY OF SUCH DAMAGE.
                         statusDiv.removeClass("alert-success alert-warning").addClass(statusClass).show();
                     });
                 });
-        })($('#action\\.sftp_user'));
+        });
 
         // Eagerly hiding method tables to avoid contents popping up when opening the dialog for the first time.
         $(".method_table").hide();
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
new file mode 100755
index 0000000000..3f045347bd
--- /dev/null
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
@@ -0,0 +1,355 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2022 Juergen Kellerer
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+const ABOUT = <<<TXT
+
+   This script implements remote command execution using SSH. It reuses 
+   identities and "known_hosts" management from SFTP, located inside the 
+   local configuration folder (see "upload_sftp.php" for details).
+
+   Primary purpose is to support the creation of automation tasks that trigger
+   actions after a certificate has been uploaded (requires that actions can 
+   have an execution order).
+    
+   In addition to automations, all operations can also be triggered manually
+   using simple CLI commands.
+   
+   See: EXAMPLES & actions_acmeclient.conf
+
+TXT;
+
+// Commands & help
+const COMMANDS = [
+    "run-command" => [
+        "description" => "runs the a command on the specified target host",
+        "options" => [
+            "host::", "port::", "host-key::", "user::", "identity-type::", "run::"],
+        "implementation" => "commandRunRemote",
+        "default" => true,
+    ],
+
+    "test-connection" => [
+        "description" => "connects to the host and returns results as JSON",
+        "options" => ["host:", "port::", "host-key::", "user:", "identity-type::"],
+        "implementation" => "commandTestConnection",
+    ],
+
+    "show-identity" => [
+        "description" => "prints the ssh client identity (publickey)",
+        "options" => ["identity-type::", "source-ip::", "host::", "unrestricted"],
+        "implementation" => "commandShowIdentity",
+    ],
+];
+
+const EXAMPLES = <<<TXT
+- Show the public key used to communicate with the SSH server
+  ./run_remote_ssh.php --log --identity-type=ecdsa show-identity
+
+- Test connectivity with host
+  ./run_remote_ssh.php --log --host=sshpserver --user=name test-connection
+
+- Run a command at the specific server
+  ./run_remote_ssh.php --log --host=sshserver --user=name --run='/bin/sh -c "pwd && ls -la"'
+
+- Load settings from automation with ID and run the command
+  ./run_remote_ssh.php --log --automation-id=ID
+TXT;
+
+// Connection test
+const CONNECTION_TEST_RESULT = 'OpnSense_ACME_SSH_Connected';
+const CONNECTION_TEST_COMMAND = 'echo "' . CONNECTION_TEST_RESULT . '"';
+
+const CONNECTION_EXECUTE_TIMEOUT = 60 * 7; // Max seconds that a command may run
+
+// Exit codes
+const EXITCODE_SUCCESS = 0;
+const EXITCODE_ERROR = 1;
+const EXITCODE_ERROR_UNKNOWN_COMMAND = 254;
+
+// Optional imports
+@include_once("config.inc");
+@include_once("certs.inc");
+@include_once("util.inc");
+
+// Optional autoloader (for local dev environment)
+if (!function_exists("log_error")) {
+    spl_autoload_register(function ($class_name) {
+        require_once(__DIR__ . "/../../../mvc/app/library/" . str_replace("\\", "/", $class_name) . ".php");
+    });
+}
+
+// Importing classes
+use OPNsense\AcmeClient\Process;
+use OPNsense\AcmeClient\SSHKeys;
+use OPNsense\AcmeClient\Utils;
+
+// Implementing logic
+function commandShowIdentity(array &$options): int
+{
+    $identity_type = trim(($options["identity-type"] ?? "")) ?: SSHKeys::DEFAULT_IDENTITY_TYPE;
+    $source_ip = trim(($options["source-ip"] ?? ""));
+    $host = trim(($options["host"] ?? ""));
+
+    $keys = new SSHKeys(configPath());
+    if (($id_file = $keys->getIdentity($identity_type)) && is_readable($id_file)) {
+        if (
+            !isset($options["unrestricted"])
+            && ($restrictions = SSHKeys::getIdentityRestrictions($host, $source_ip, ""))
+        ) {
+            echo "$restrictions ";
+        }
+
+        echo file_get_contents($id_file);
+        return EXITCODE_SUCCESS;
+    } else {
+        Utils::log()->error("Failed getting identity. See log output for details.");
+    }
+    return EXITCODE_ERROR;
+}
+
+function commandTestConnection(array &$options): int
+{
+    $result = ["actions" => ["connecting"], "success" => false];
+
+    $options["run"] = CONNECTION_TEST_COMMAND;
+    $lines = runRemoteCommand($options, $error);
+
+    if (!$error) {
+        $result["actions"][] = "connected";
+        if (($result["success"] = in_array(CONNECTION_TEST_RESULT, $lines))) {
+            $result["actions"][] = "echo-tested";
+        }
+    } else {
+        $result = array_merge($result, ($error ?: []));
+    }
+
+    echo json_encode($result, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT) . PHP_EOL;
+
+    return $result["success"] ? EXITCODE_SUCCESS : EXITCODE_ERROR;
+}
+
+function commandRunRemote(array &$options): int
+{
+    if (empty($options["run"])) {
+        Utils::log()->error("SSH: Command is empty, nothing to do.");
+        return EXITCODE_ERROR;
+    }
+
+    $lines = runRemoteCommand($options, $error);
+    if (!$error) {
+        $host = $options["host"] . (($port = ($options["port"] ?? false)) ? ":$port" : "");
+        Utils::log()->info("SSH [$host]> {$options["run"]}:" . PHP_EOL . join(PHP_EOL, $lines));
+        return EXITCODE_SUCCESS;
+    }
+
+    return EXITCODE_ERROR;
+}
+
+function runRemoteCommand(array $options, &$error): ?array
+{
+    static $expected_errors = [
+        ["host_not_resolved", /*   -> */ '/.*not resolve.*/i'],
+        ["host_not_trusted", /*    -> */ '/.*IDENTIFICATION HAS CHANGED.*/i'],
+        ["connection_refused", /*  -> */ '/.*connection refused.*/i'],
+        ["connection_closed", /*   -> */ '/.*connection closed.*/i'],
+        ["network_timeout", /*     -> */ '/.*timed out.*/i'],
+        ["network_unreachable", /* -> */ '/.*network.+unreachable.*/i'],
+        ["permission_denied", /*   -> */ '/.*permission denied.*/i'],
+        ["failure", /*             -> */ '/.*(error|failure|you must supply).*/i'],
+    ];
+
+    $ssh_keys = new SSHKeys(configPath());
+
+    $identity_type = trim(($options["identity-type"] ?? ""));
+    $host = trim(($options["host"] ?? ""));
+    $host_key = ($options["host-key"] ?? "");
+    $port = $options["port"] ?? 22;
+    $username = $options["user"] ?? false;
+    $command = $options["run"] ?? "";
+
+    list($ok, $cmd) = buildSSHArguments($ssh_keys, $host, $username, $identity_type, $host_key, $port);
+    if ($ok) {
+        if (empty($command)) {
+            $error = ["no_command" => true];
+        } else {
+            $cmd[] = $command;
+        }
+    } else {
+        $error = $cmd;
+        $error["connect_failed"] = true;
+        return null;
+    }
+
+    $result = [];
+    $exit_code = null;
+    $expected_error = null;
+
+    if ($process = Process::open($cmd)) {
+        $process->closeInput();
+
+        $lines = 0;
+        $start = time();
+        $mustClose = fn($lines) => (time() - $start) > CONNECTION_EXECUTE_TIMEOUT || $lines > 10000;
+
+        while ($process->isRunning() && !$mustClose($lines)) {
+            for (; ($line = $process->get()) !== false && !$mustClose($lines); $lines++) {
+                if (!$expected_error) {
+                    foreach ($expected_errors as $ee) {
+                        if (preg_match($ee[1], $line)) {
+                            if ($ee[0] !== "connection_closed") {
+                                $expected_error = [$ee[0] => true, "error" => trim($line)];
+                            }
+                            break;
+                        }
+                    }
+                }
+                $result[] = $line;
+            }
+        }
+        $exit_code = $process->close();
+        $ok = $exit_code === 0;
+    } else {
+        $ok = false;
+    }
+
+    if (!$ok) {
+        $cl = join(" ", array_map(fn($v) => escapeshellarg($v), $cmd));
+        $error = array_merge(($expected_error ?? []), [
+            "result" => $result,
+            "exit_code" => $exit_code
+        ]);
+        $error["connect_failed"] = $exit_code == 255;
+        Utils::log()->error("SSH failed with '$exit_code': $cl", $error);
+    }
+
+    return $result;
+}
+
+function buildSSHArguments(SSHKeys $ssh_keys, $host, $username, $identity_type = "", $host_key = "", $port = SSHKeys::DEFAULT_PORT): array
+{
+    if (empty(trim($host)) || empty(trim($username))) {
+        Utils::log()->error("Failed connecting to '$host'. Hostname or username is missing.");
+        return [false, ["invalid_parameters" => true]];
+    }
+
+    if (empty($identity_type)) {
+        $identity_type = SSHKeys::DEFAULT_IDENTITY_TYPE;
+    }
+
+    $trust = $ssh_keys->trustHost($host, $host_key, $port);
+    if ($trust["ok"] !== true) {
+        Utils::log()->error("Failed establishing trust in '$host'; Cause: {$trust["error"]}");
+        unset($trust["ok"]);
+        return [false, array_merge($trust, ["host_not_trusted" => true])];
+    } else {
+        $host = $trust["host"];
+    }
+
+    // Building ssh command.
+    $cmd = [
+        "ssh",
+        "-p", $port,
+        "-oUser=$username",
+        "-oUserKnownHostsFile={$ssh_keys->knownHostsFile()}",
+    ];
+
+    // Handle client side identity
+    $identity = $ssh_keys->getIdentity($identity_type, true);
+    if (is_file($identity) && is_readable($identity)) {
+        array_push(
+            $cmd,
+            "-i",
+            $identity,
+            "-oPreferredAuthentications=publickey"
+        );
+    } else {
+        Utils::log()->error("Failed adding client identity ($identity). Connect will likely fail.");
+    }
+
+    // Adding the host
+    $cmd[] = "$host";
+
+    return [true, $cmd];
+}
+
+function help()
+{
+    Utils::printCLIHelp(ABOUT, EXAMPLES, COMMANDS);
+}
+
+function getOptionsById($automation_id)
+{
+    Utils::log()->info("Reading options from automation: $automation_id");
+
+    if (is_object($action = Utils::getAutomationActionById($automation_id))) {
+        if ($action->enabled && "configd_remote_ssh" === (string)$action->type) {
+            return [
+                "host" => trim((string)$action->remote_ssh_host),
+                "host-key" => trim((string)$action->remote_ssh_host_key),
+                "port" => trim((string)$action->remote_ssh_port),
+                "identity-type" => trim((string)$action->remote_ssh_identity_type),
+                "user" => trim((string)$action->remote_ssh_user),
+                "run" => trim((string)$action->remote_ssh_command),
+            ];
+        } else {
+            Utils::log()->error("Ignoring disabled or invalid automation '$automation_id'");
+        }
+    } else {
+        Utils::log()->error("No upload automation found with uuid = '$automation_id'");
+    }
+
+    return false;
+}
+
+function configPath(): string
+{
+    if (($path = Utils::configPath())) {
+        return $path . DIRECTORY_SEPARATOR . "sftp-config"; // shared with sftp to have the same identities
+    }
+    die("Failed detecting config path");
+}
+
+function requireThat($expression, $message)
+{
+    try {
+        Utils::requireThat($message, $message);
+    } catch (\AssertionError $e) {
+        exit(EXITCODE_ERROR);
+    }
+    return $expression;
+}
+
+// Running the main script
+Utils::runCLIMain(
+    "help",
+    "getOptionsById",
+    COMMANDS,
+    EXITCODE_SUCCESS,
+    EXITCODE_ERROR_UNKNOWN_COMMAND
+);
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index c3cbd385ef..5a11b3d60b 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -86,13 +86,6 @@
     ],
 ];
 
-const STATIC_OPTIONS = <<<TXT
--h, --help          Print commandline help
---log               Enable log to stdout (instead of syslog)
---automation-id     Read options from the action specified by id or uuid
---no-error          Always exit with 0 (original exit codes are still logged)
-TXT;
-
 const EXAMPLES = <<<TXT
 - Show the public key used to communicate with the SFTP server
   ./upload_sftp.php --log --identity-type=ecdsa show-identity
@@ -150,9 +143,9 @@
 // Implementing logic
 function commandShowIdentity(array &$options): int
 {
-    $identity_type = trim(($options["identity-type"] ?: SSHKeys::DEFAULT_IDENTITY_TYPE));
-    $source_ip = trim(($options["source-ip"] ?: ""));
-    $host = trim(($options["host"] ?: ""));
+    $identity_type = trim(($options["identity-type"] ?? "")) ?: SSHKeys::DEFAULT_IDENTITY_TYPE;
+    $source_ip = trim(($options["source-ip"] ?? ""));
+    $host = trim(($options["host"] ?? ""));
 
     $keys = new SSHKeys(configPath());
     if (($id_file = $keys->getIdentity($identity_type)) && is_readable($id_file)) {
@@ -190,7 +183,7 @@ function commandTestConnection(array &$options): int
 
         $uploader = new SftpUploader($sftp);
 
-        $chgrp = $options["chgrp"] ?: false;
+        $chgrp = ($options["chgrp"] ?? "") ?: false;
         $chmod = isset($options["chmod"]) ? ($options["chmod"] ?: DEFAULT_CERT_MODE) : false;
         $filename = $uploader->addContent("upload-test", "", 0, $chmod, $chgrp);
 
@@ -275,7 +268,7 @@ function uploadCertificatesToHost(array $options): int
     $sftp = connectWithServer($options, $error);
     if ($sftp === null) {
         Utils::log()->error("Aborting after connect failure.");
-        return $error["connect_failed"]
+        return ($error["connect_failed"] ?? false)
             ? EXITCODE_ERROR
             : EXITCODE_ERROR_NO_PERMISSION;
     }
@@ -321,10 +314,10 @@ function uploadCertificatesToHost(array $options): int
 
 function connectWithServer(array $options, &$error): ?SftpClient
 {
-    $identity_type = trim(($options["identity-type"] ?: SSHKeys::DEFAULT_IDENTITY_TYPE));
-    $host = trim(($options["host"] ?: ""));
-    $host_key = ($options["host-key"] ?: "");
-    $port = $options["port"] ?: 22;
+    $identity_type = trim(($options["identity-type"] ?? "")) ?: SSHKeys::DEFAULT_IDENTITY_TYPE;
+    $host = trim(($options["host"] ?? ""));
+    $host_key = ($options["host-key"] ?? "");
+    $port = $options["port"] ?? 22;
     $username = $options["user"];
 
     $sftp = new SftpClient(configPath(), $identity_type);
@@ -336,7 +329,7 @@ function connectWithServer(array $options, &$error): ?SftpClient
     }
 
     // Apply start path (if one was specified, defaults to home dir)
-    if (($remote_path = $options["remote-path"])) {
+    if (!empty($remote_path = ($options["remote-path"] ?? ""))) {
         if ($err = $sftp->cd($remote_path)->lastError()) {
             $error = $err;
             $error["change_home_dir_failed"] = true;
@@ -350,55 +343,7 @@ function connectWithServer(array $options, &$error): ?SftpClient
 
 function help()
 {
-    echo ABOUT . PHP_EOL
-        . "Usage: " . basename($GLOBALS["argv"][0]) . " [options] [--command=]COMMAND" . PHP_EOL
-        . PHP_EOL . STATIC_OPTIONS . PHP_EOL;
-
-    foreach (COMMANDS as $name => $cmd) {
-        echo PHP_EOL . "COMMAND \"$name\" {$cmd["description"]}" . PHP_EOL . "Options:" . PHP_EOL;
-        foreach ($cmd["options"] as $option) {
-            $option = preg_replace(['/^([^:]+)$/', '/(.+)::$/', '/(.+):$/'], ['[$1]', '[$1=value]', '$1=value'], "--$option");
-            echo "         $option" . PHP_EOL;
-        }
-    }
-
-    echo PHP_EOL . "Examples:" . PHP_EOL
-        . str_replace('/\r\n|\n|\r/g', PHP_EOL, EXAMPLES)
-        . PHP_EOL . PHP_EOL;
-}
-
-function getCommand()
-{
-    $default = null;
-    $command = null;
-    $parsed_args = getopt("", ["command::"]);
-    foreach (COMMANDS as $name => $cmd) {
-        if (in_array($name, $GLOBALS["argv"]) || $parsed_args["command"] === $name) {
-            $command = $cmd;
-        }
-        if ($cmd["default"] === true) {
-            $default = $cmd;
-        }
-    }
-
-    return $command ?: $default;
-}
-
-function getActionById($automation_id)
-{
-    $config = OPNsense\Core\Config::getInstance()->object();
-    $client = $config->OPNsense->AcmeClient;
-
-    foreach ($client->actions->children() as $action) {
-        if (
-            $automation_id === (string)$action->attributes()["uuid"]
-            || $automation_id === (string)$action->id
-        ) {
-            return $action;
-        }
-    }
-
-    return null;
+    Utils::printCLIHelp(ABOUT, EXAMPLES, COMMANDS);
 }
 
 function getOptionsById($automation_id, $silent = false)
@@ -407,7 +352,7 @@ function getOptionsById($automation_id, $silent = false)
         Utils::log()->info("Reading options from automation: $automation_id");
     }
 
-    if (is_object($action = getActionById($automation_id))) {
+    if (is_object($action = Utils::getAutomationActionById($automation_id))) {
         if ($action->enabled && "configd_upload_sftp" === (string)$action->type) {
             return [
                 "host" => trim((string)$action->sftp_host),
@@ -439,7 +384,7 @@ function addFilesToUpload(array $options, SftpUploader &$uploader)
 {
     $chmod = isset($options["chmod"]) ? ($options["chmod"] ?: DEFAULT_CERT_MODE) : false;
     $chmod_key = isset($options["chmod-key"]) ? ($options["chmod-key"] ?: DEFAULT_KEY_MODE) : false;
-    $chgrp = $options["chgrp"] ?: false;
+    $chgrp = ($options["chgrp"] ?? "") ?: false;
 
     if (isset($options["certificates"])) {
         $cert_ids = preg_split('/[,;\s]+/', $options["certificates"] ?: "", 0, PREG_SPLIT_NO_EMPTY);
@@ -571,7 +516,7 @@ function findCertificates(array $certificate_ids_or_names, $load_content = true)
     return $result;
 }
 
-function exportCertificates(array $cert_refids)
+function exportCertificates(array $cert_refids): array
 {
     $result = [];
     $config = OPNsense\Core\Config::getInstance()->object();
@@ -597,72 +542,12 @@ function exportCertificates(array $cert_refids)
 
 function configPath(): string
 {
-    static $paths = [
-        '/var/etc/acme-client',
-        __DIR__
-    ];
-    foreach ($paths as $path) {
-        if (is_dir($path)) {
-            return $path . DIRECTORY_SEPARATOR . 'sftp-config';
-        }
+    if (($path = Utils::configPath())) {
+        return $path . DIRECTORY_SEPARATOR . "sftp-config";
     }
     die("Failed detecting config path");
 }
 
-function main()
-{
-    global $argv;
-    $command = getCommand();
-    $options = ["help", "log", "no-error"];
-
-    $has_automation_id = preg_match('/--automation-id=\S+/', join(" ", $argv));
-    if ($has_automation_id) {
-        $options = array_merge($options, ["automation-id:", "certificates::"]);
-    } else {
-        $options = array_merge($options, $command["options"]);
-    }
-
-    $index = 0;
-    if ($options = getopt("h", $options, $index)) {
-        if (isset($options["h"]) || isset($options["help"])) {
-            help();
-        } else {
-            if (isset($options["log"])) {
-                Utils::log(true)->info("Logging to stdout enabled");
-            }
-
-            $options = array_filter($options, function ($value) {
-                return !is_string($value)
-                    || (!empty($value = trim($value)) && $value !== "__default_value");
-            });
-
-            if (isset($options["automation-id"])) {
-                $options = array_merge(getOptionsById($options["automation-id"]), $options);
-            }
-
-            if (is_callable($runner = $command["implementation"])) {
-                $code = $runner($options);
-
-                if ($code != EXITCODE_SUCCESS) {
-                    Utils::log()->error("Command execution failed, exit code $code. Last input was: " . json_encode($options, JSON_UNESCAPED_SLASHES));
-                }
-
-                exit(isset($options["no-error"]) ? EXITCODE_SUCCESS : $code);
-            } else {
-                exit(EXITCODE_ERROR_UNKNOWN_COMMAND);
-            }
-        }
-    } else {
-        if (count($argv) < 2) {
-            help();
-        } else {
-            $cmd = join(" ", $argv);
-            Utils::log()->error("Parsing of '$cmd' failed at argument '{$argv[$index]}'");
-        }
-        exit(1);
-    }
-}
-
 function requireThat($expression, $message)
 {
     try {
@@ -674,4 +559,10 @@ function requireThat($expression, $message)
 }
 
 // Running the main script
-main();
+Utils::runCLIMain(
+    "help",
+    "getOptionsById",
+    COMMANDS,
+    EXITCODE_SUCCESS,
+    EXITCODE_ERROR_UNKNOWN_COMMAND
+);
diff --git a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
index 7af68eaa45..4faf4b6873 100644
--- a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
+++ b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
@@ -120,6 +120,24 @@ parameters:--identity-type=%s --host=%s show-identity
 type:script_output
 message:prints the public key used to connect to sftp server
 
+[run-remote-ssh-command]
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
+parameters:--automation-id=%s
+type:script
+message:running a command on the ssh server
+
+[test-remote-ssh-connection]
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
+parameters:--host=%s --host-key=%s --port=%s --user=%s --identity-type=%s --no-error test-connection
+type:script_output
+message:testing connection to ssh server
+
+[show-remote-ssh-identity]
+command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
+parameters:--identity-type=%s --host=%s show-identity
+type:script_output
+message:prints the public key used to connect to ssh server
+
 [reset-acme-client]
 command:/usr/bin/find /var/etc/acme-client/home /var/etc/acme-client/configs /var/etc/acme-client/certs /var/etc/acme-client/keys /var/etc/acme-client/accounts -type f -delete
 parameters:

From 86a5d03de1a2c7671fd1742907cd24221d31a59b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 4 Apr 2022 09:58:38 +0200
Subject: [PATCH 0999/3088] dns/ddclient - add service control, xmlrpc
 registration and syslog target

---
 .../src/etc/inc/plugins.inc.d/ddclient.inc    | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc

diff --git a/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc b/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
new file mode 100644
index 0000000000..b5d0959100
--- /dev/null
+++ b/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
@@ -0,0 +1,68 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+function ddclient_services()
+{
+    $services = [];
+    $mdl = new \OPNsense\DynDNS\DynDNS();
+    if ($mdl->general->enabled == '1') {
+        $services[] = [
+            'description' => gettext('ddclient'),
+            'configd' => [
+                'restart' => array('ddclient restart'),
+                'start' => array('ddclient start'),
+                'stop' => array('ddclient stop'),
+            ],
+            'name' => 'ddclient',
+            'pidfile' => '/var/run/ddclient.pid',
+        ];
+    }
+    return $services;
+}
+
+function ddclient_xmlrpc_sync()
+{
+    $result = array();
+    $result[] = array(
+        'description' => gettext('ddclient'),
+        'section' => 'OPNsense.DynDNS',
+        'id' => 'ddclient',
+        'services' => ['ddclient'],
+    );
+    return $result;
+}
+
+function ddclient_syslog()
+{
+    $logfacilities = array();
+    $logfacilities['ddclient'] = array(
+        'facility' => ['ddclient']
+    );
+    return $logfacilities;
+}

From f3c4efb8fff7e1959ed1383a9f1a0c2fa61c0766 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Apr 2022 20:06:40 +0200
Subject: [PATCH 1000/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index eeb835ed94..b0c9debb93 100644
--- a/LICENSE
+++ b/LICENSE
@@ -23,7 +23,7 @@ Copyright (c) 2021 Jan Winkler
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
-Copyright (c) 2019 Juergen Kellerer
+Copyright (c) 2019-2022 Juergen Kellerer
 Copyright (c) 2020-2021 Manuel Faux
 Copyright (c) 2021 Manuel Hofmann
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>

From ef9c13ac4336ee8c53444f23b00400350e5089f2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Apr 2022 20:07:12 +0200
Subject: [PATCH 1001/3088] dns/ddclient: bump version

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 487f0af551..f3fe1c2413 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 0d4c3ae41080655ddbd69296068f6c4472b3c822 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Apr 2022 20:12:01 +0200
Subject: [PATCH 1002/3088] net/chrony: whitespace sweep

---
 .../src/opnsense/service/templates/OPNsense/Chrony/chrony.conf  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
index 91cc28792c..2c717494c4 100644
--- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
@@ -24,7 +24,7 @@ server {{ peer }} iburst {% if helpers.exists('OPNsense.chrony.general.ntsclient
 
 {%   if helpers.exists('OPNsense.chrony.general.fallbackpeers') and OPNsense.chrony.general.fallbackpeers != '' %}
 authselectmode mix
-server {{ OPNsense.chrony.general.fallbackpeers }} 
+server {{ OPNsense.chrony.general.fallbackpeers }}
 {%   endif %}
 
 {%   if not helpers.empty('OPNsense.chrony.general.allowednetworks') %}

From 3d76b9e6d6860deea9b4a52b77b55e1678991449 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 6 Apr 2022 08:19:03 +0200
Subject: [PATCH 1003/3088] dns/ddclient: changelog update

---
 dns/ddclient/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 9bc3469572..7c31315947 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.5
+
+* Add service control, XMLRPC registration and syslog target
+* Add Servercow support (contributed by FreddleSpl0it)
+
 1.4
 
 * Add advanced general setting to allow updates via IPv6

From ec93f0e36eefe107b984d48345c681dc58a099cc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 6 Apr 2022 10:16:01 +0200
Subject: [PATCH 1004/3088] sysutils/boot-delay: obsoletion note

---
 sysutils/boot-delay/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysutils/boot-delay/Makefile b/sysutils/boot-delay/Makefile
index 38582b59c0..4928a05305 100644
--- a/sysutils/boot-delay/Makefile
+++ b/sysutils/boot-delay/Makefile
@@ -3,5 +3,6 @@ PLUGIN_VERSION=		1.0
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Apply a persistent 10 second boot delay
 PLUGIN_MAINTAINER=	franco@opnsense.org
+PLUGIN_OBSOLETE=	Use System: Tunables: name "kern.cam.boot_delay" value "10000"
 
 .include "../../Mk/plugins.mk"

From 58ec526297a586b068ad3233c2c9c46f5fe81b93 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 6 Apr 2022 10:20:03 +0200
Subject: [PATCH 1005/3088] sysutils/boot-delay: fix obsolete message

---
 sysutils/boot-delay/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/boot-delay/Makefile b/sysutils/boot-delay/Makefile
index 4928a05305..e2af016999 100644
--- a/sysutils/boot-delay/Makefile
+++ b/sysutils/boot-delay/Makefile
@@ -3,6 +3,6 @@ PLUGIN_VERSION=		1.0
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Apply a persistent 10 second boot delay
 PLUGIN_MAINTAINER=	franco@opnsense.org
-PLUGIN_OBSOLETE=	Use System: Tunables: name "kern.cam.boot_delay" value "10000"
+PLUGIN_OBSOLETE=	Use System / Settings / Tunables: name "kern.cam.boot_delay" value "10000"
 
 .include "../../Mk/plugins.mk"

From 8d45144ad4662387e2bca30cd4a2f42ade4e0c6b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Thu, 21 Apr 2022 11:33:59 +0200
Subject: [PATCH 1006/3088] FRR: OSPF ipv6 influence interface cost via carp
 (#2929)

add event handler for ospf6 carp demotion including required interface fields (carp_depend_on and cost_demoted).
while here polish some small usability issues, knowing:

o Interface networktype and interfacename should be single dropdown boxes
o diagnostics / bgp - fix search in grid, should only use a formatter for presentation purposes.
o carp_frr_ospf6 rc.carp_service_status.d event handler
o add "CARP demote" to model, form and template
o bugfix previous, missing IFS= (internal field seperator)
o missing ospf6d in log event handler
---
 net/frr/pkg-descr                             |   7 ++
 .../rc.carp_service_status.d/carp_frr_ospf6   |  25 ++++
 .../Quagga/forms/dialogEditOSPF6Interface.xml |  16 ++-
 .../OPNsense/Quagga/forms/ospf6.xml           |  10 ++
 .../mvc/app/models/OPNsense/Quagga/OSPF6.xml  |  15 +++
 .../views/OPNsense/Quagga/diagnosticsbgp.volt |   2 -
 .../opnsense/scripts/frr/lib/events/ospf6d.py | 107 ++++++++++++++++++
 .../opnsense/scripts/frr/lib/events/ospfd.py  |   2 -
 .../templates/OPNsense/Quagga/+TARGETS        |   1 +
 .../service/templates/OPNsense/Quagga/frr     |   5 +-
 .../OPNsense/Quagga/ospf6d_carp.conf          |  13 +++
 .../OPNsense/Quagga/syslog-ng-frr-events.conf |   3 +-
 12 files changed, 198 insertions(+), 8 deletions(-)
 create mode 100755 net/frr/src/etc/rc.carp_service_status.d/carp_frr_ospf6
 create mode 100644 net/frr/src/opnsense/scripts/frr/lib/events/ospf6d.py
 create mode 100644 net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d_carp.conf

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index be8a211623..ff023d8304 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -11,6 +11,13 @@ switching and routing, Internet access routers, and Internet peering.
 Plugin Changelog
 ================
 
+1.28
+
+* OSPF6 Interface change networktype and interfacename to dropdown in stead of multi select
+* Diagnostics / BGP - fix search in grid, should only use a formatter for presentation purposes.
+* Add ospf6 carp demotion event handler
+
+
 1.27
 
 * Add BGP password authentication
diff --git a/net/frr/src/etc/rc.carp_service_status.d/carp_frr_ospf6 b/net/frr/src/etc/rc.carp_service_status.d/carp_frr_ospf6
new file mode 100755
index 0000000000..218699f558
--- /dev/null
+++ b/net/frr/src/etc/rc.carp_service_status.d/carp_frr_ospf6
@@ -0,0 +1,25 @@
+#!/bin/sh
+if [ -f /etc/rc.conf.d/frr ]; then
+    . /etc/rc.conf.d/frr
+fi
+
+if [ "$frr_enable" == "YES" ] && (`echo "$frr_daemons" | /usr/bin/grep -F -q -w "ospf6d"`) &&
+        (`echo "$frr_carp_demote" | /usr/bin/grep -F -q -w "ospf6d"`)  ; then
+    # OSPF enabled
+    OSPF_NEIGHBOR=`echo "show ipv6 ospf6 neighbor" | /usr/local/bin/vtysh 2>&1` IFS=
+    if [ "$?" -eq 0 ]; then
+        # running, check if we can find any neighbors
+        IFS=
+        neighbors_count=`echo $OSPF_NEIGHBOR |  grep "Full/" | wc -l`
+        unset IFS
+        if [ "$neighbors_count" -eq 0 ]; then
+            # no neighbors in state Full/* found
+            exit 2
+        else
+            exit 0
+        fi
+    else
+        # not running
+        exit 1
+    fi
+fi
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
index 5455751673..2ddc6d8160 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
@@ -7,7 +7,7 @@
   <field>
     <id>interface.interfacename</id>
     <label>Interface</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
     <help>Select an interface where this settings apply to.</help>
   </field>
   <field>
@@ -26,6 +26,18 @@
     <label>Cost</label>
     <type>text</type>
   </field>
+  <field>
+    <id>interface.cost_demoted</id>
+    <label>Cost (when demoted)</label>
+    <type>text</type>
+  </field>
+  <field>
+    <id>interface.carp_depend_on</id>
+    <label>Depend on (carp)</label>
+    <type>dropdown</type>
+    <help>The carp VHID to depend on, when this virtual address is not in master state,
+      the interface cost will be set to the demoted cost (specified above).</help>
+  </field>
   <field>
     <id>interface.hellointerval</id>
     <label>Hello Interval</label>
@@ -54,6 +66,6 @@
   <field>
     <id>interface.networktype</id>
     <label>Network Type</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
index 7f61394570..43bfb1b116 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
@@ -5,6 +5,16 @@
         <type>checkbox</type>
         <help>This will activate the OSPFv3 service if routing protocols are enabled in "General".</help>
     </field>
+    <field>
+      <id>ospf6.carp_demote</id>
+      <label>CARP demote</label>
+      <type>checkbox</type>
+      <help>
+            Register CARP status monitor, when no neighbors are found, consider this node less attractive.
+            This feature needs syslog enabled using "Debugging" logging to catch all relevant status events.
+            This option is not compatible with "Enable CARP Failover".
+      </help>
+    </field>
     <field>
         <id>ospf6.redistribute</id>
         <label>Route Redistribution</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index 46e433426d..b6a9b1b65e 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -7,6 +7,10 @@
             <default>0</default>
             <Required>Y</Required>
         </enabled>
+        <carp_demote type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </carp_demote>
         <redistribute type="OptionField">
                 <Required>N</Required>
                 <multiple>Y</multiple>
@@ -52,6 +56,17 @@
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Cost must be between 0 and 4294967295.</ValidationMessage>
                         </cost>
+                        <cost_demoted type="IntegerField">
+                                <default>65535</default>
+                                <MinimumValue>1</MinimumValue>
+                                <Required>N</Required>
+                                <MaximumValue>65535</MaximumValue>
+                                <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
+                        </cost_demoted>
+                        <carp_depend_on type="VirtualIPField">
+                            <type>carp</type>
+                            <Required>N</Required>
+                        </carp_depend_on>
                         <hellointerval type="IntegerField">
                                 <default></default>
                                 <MinimumValue>0</MinimumValue>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
index 60c7d72f17..b0e196ce02 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
@@ -101,7 +101,6 @@ $(document).ready(function() {
     content = _.template($('#routestpl').html())(data['response']);
     $('#routing').html(content);
     $('#routing table').bootgrid({
-      converters: dataconverters,
       formatters: dataformatters
     });
   });
@@ -110,7 +109,6 @@ $(document).ready(function() {
     content = _.template($('#routestpl').html())(data['response']);
     $('#routing6').html(content);
     $('#routing6 table').bootgrid({
-      converters: dataconverters,
       formatters: dataformatters
     });
   });
diff --git a/net/frr/src/opnsense/scripts/frr/lib/events/ospf6d.py b/net/frr/src/opnsense/scripts/frr/lib/events/ospf6d.py
new file mode 100644
index 0000000000..42d86c9d9d
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/lib/events/ospf6d.py
@@ -0,0 +1,107 @@
+"""
+    Copyright (c) 2022 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import os
+import syslog
+from configparser import ConfigParser
+from ..base import BaseEventHandler
+
+
+class Ospf6dEventHandler(BaseEventHandler):
+    _config = '/usr/local/etc/frr/ospf6d_carp.conf'
+
+    @property
+    def should_run(self):
+        return self.vtysh.is_running('ospf6d')
+
+    def _read_config(self):
+        result = dict()
+        if os.path.isfile(self._config):
+            cnf = ConfigParser()
+            cnf.read(self._config)
+            not_empty = lambda x, y: cnf.has_option(x, y) and cnf.get(x, y) != '' and cnf.get(x, y) != '0'
+            for section in cnf.sections():
+                if not_empty(section, 'interface') and not_empty(section, 'interface') \
+                        and not_empty(section, 'demoted_cost') and not_empty(section, 'carp_depend_on'):
+                    default_cost = cnf.getint(section, 'default_cost') if not_empty(section, 'default_cost') else None
+                    result[cnf.get(section, 'interface')] = {
+                        'demoted_cost': cnf.getint(section, 'demoted_cost'),
+                        'carp_depend_on': cnf.get(section, 'carp_depend_on'),
+                        'default_cost': default_cost,
+                    }
+
+        return result
+
+    def execute(self):
+        if os.path.isfile(self._config):
+            # parse ospf6 interface data, keep structure similar to what ospf offers when using json output
+            ospf_interfaces = {
+                'interfaces': {}
+            }
+            this_interface = None
+            for line in self.vtysh.execute('show ipv6 ospf6 interface', translate=None).decode().split('\n'):
+                if len(line) > 0 and line[0] != ' ':
+                    this_interface  = line.split()[0]
+                    ospf_interfaces['interfaces'][this_interface] = {}
+                elif this_interface is not None:
+                    if line.find('Area ID') > 0 and line.split()[-1].isdigit():
+                        # Area ID X.X.X.X, Cost XXXX
+                        ospf_interfaces['interfaces'][this_interface]['cost'] = int(line.split()[-1])
+
+            config_interfaces = self._read_config()
+            for intf in config_interfaces:
+                if 'interfaces' in ospf_interfaces and intf in ospf_interfaces['interfaces']:
+                    ospf_intf_cost = ospf_interfaces['interfaces'][intf]['cost']
+                    is_intf_master = self.ifstatus.address_status(config_interfaces[intf]['carp_depend_on']) == 'master'
+                    is_ospf_dem = ospf_intf_cost == config_interfaces[intf]['demoted_cost']
+                    if is_intf_master and is_ospf_dem:
+                        # promote ospf6 interface
+                        conf_cost = config_interfaces[intf]['default_cost']
+                        if conf_cost is None:
+                            syslog.syslog(
+                                syslog.LOG_NOTICE, 'ospf6d promote interface %s (no default cost configured).' % intf
+                            )
+                            self.vtysh.execute(
+                                ['interface %s' % intf, 'no ipv6 ospf6 cost'], translate=None, configure=True
+                            )
+                        elif conf_cost != ospf_intf_cost:
+                            syslog.syslog(
+                                syslog.LOG_NOTICE, 'ospf6d promote interface %s (cost %d).' % (intf, conf_cost)
+                            )
+                            self.vtysh.execute(
+                                ['interface %s' % intf, 'ipv6 ospf6 cost %d' % conf_cost],
+                                translate=None, configure=True
+                            )
+                    elif not is_intf_master and not is_ospf_dem:
+                        # demote ospf6 interface
+                        conf_cost = config_interfaces[intf]['demoted_cost']
+                        syslog.syslog(
+                            syslog.LOG_NOTICE, 'ospf6d demote interface %s (cost %d).' % (intf, conf_cost)
+                        )
+                        self.vtysh.execute(
+                            ['interface %s' % intf, 'ipv6 ospf6 cost %d' % conf_cost],
+                            translate=None, configure=True
+                        )
diff --git a/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py b/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py
index d692747088..7eabadb9b7 100755
--- a/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py
+++ b/net/frr/src/opnsense/scripts/frr/lib/events/ospfd.py
@@ -59,8 +59,6 @@ def execute(self):
         if os.path.isfile(self._config):
             ospf_interfaces = self.vtysh.execute('show ip ospf interface json')
             config_interfaces = self._read_config()
-            cnf = ConfigParser()
-            cnf.read(self._config)
             for intf in config_interfaces:
                 if 'interfaces' in ospf_interfaces and intf in ospf_interfaces['interfaces']:
                     ospf_intf_cost = ospf_interfaces['interfaces'][intf]['cost']
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
index c2e0542d6f..ea22bda2da 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
@@ -3,6 +3,7 @@ bgpd.conf:/usr/local/etc/frr/bgpd.conf
 ospfd.conf:/usr/local/etc/frr/ospfd.conf
 ospfd_carp.conf:/usr/local/etc/frr/ospfd_carp.conf
 ospf6d.conf:/usr/local/etc/frr/ospf6d.conf
+ospf6d_carp.conf:/usr/local/etc/frr/ospf6d_carp.conf
 ripd.conf:/usr/local/etc/frr/ripd.conf
 sa_policies.conf:/usr/local/etc/frr/sa_policies.conf
 frr:/etc/rc.conf.d/frr
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index 9c8ee85256..2b0b291664 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -12,7 +12,10 @@ if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled
 if helpers.exists('OPNsense.quagga.ospf6.enabled') and OPNsense.quagga.ospf6.enabled == '1' %} ospf6d{% endif %}{%
 if helpers.exists('OPNsense.quagga.ripng.enabled') and OPNsense.quagga.ripng.enabled == '1' %} ripngd{% endif %}{%
 if helpers.exists('OPNsense.quagga.isis.enabled') and OPNsense.quagga.isis.enabled == '1' %} isisd{% endif %}"
-frr_carp_demote="{% if not helpers.empty('OPNsense.quagga.ospf.carp_demote') %} ospfd{% endif %}"
+frr_carp_demote="{%
+    if not helpers.empty('OPNsense.quagga.ospf.carp_demote') %} ospfd{% endif %}{%
+    if not helpers.empty('OPNsense.quagga.ospf6.carp_demote') %} ospf6d{% endif
+%}"
 start_postcmd="/usr/local/opnsense/scripts/frr/carp_event_handler"
 {% else %}
 frr_enable="NO"
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d_carp.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d_carp.conf
new file mode 100644
index 0000000000..af3400036f
--- /dev/null
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d_carp.conf
@@ -0,0 +1,13 @@
+{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
+{% if helpers.exists('OPNsense.quagga.ospf6.interfaces.interface') %}
+{%   for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
+{%     if interface.enabled == '1' %}
+[{{ interface['@uuid'] }}]
+enabled={{interface.enabled|default('0')}}
+interface={{physical_interface(interface.interfacename)}}
+default_cost={{interface.cost|default('')}}
+demoted_cost={{interface.cost_demoted|default('')}}
+carp_depend_on={{interface.carp_depend_on|default('')}}
+{%     endif %}
+{%   endfor %}
+{% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/syslog-ng-frr-events.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/syslog-ng-frr-events.conf
index 9644313b81..309d47627c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/syslog-ng-frr-events.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/syslog-ng-frr-events.conf
@@ -6,7 +6,8 @@ destination d_frr_event {
 };
 
 filter f_frr_ospf {
-    program("ospfd") and (
+    (program("ospfd") or program("ospf6d"))
+    and (
         (
                 level("info") or level("notice")
         ) or (

From 00f5664c5673ec1a3d3d4eb72932da45aae64f5b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Apr 2022 11:59:22 +0200
Subject: [PATCH 1007/3088] net/frr: small cleanups

---
 net/frr/pkg-descr                                     | 7 ++-----
 net/frr/src/opnsense/scripts/frr/lib/events/ospf6d.py | 0
 2 files changed, 2 insertions(+), 5 deletions(-)
 mode change 100644 => 100755 net/frr/src/opnsense/scripts/frr/lib/events/ospf6d.py

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index ff023d8304..9fcb50b973 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -7,6 +7,7 @@ makes it applicable to a wide variety of use cases including connecting
 hosts/VMs/containers to the network, advertising network services, LAN
 switching and routing, Internet access routers, and Internet peering.
 
+WWW: https://frrouting.org/
 
 Plugin Changelog
 ================
@@ -14,10 +15,9 @@ Plugin Changelog
 1.28
 
 * OSPF6 Interface change networktype and interfacename to dropdown in stead of multi select
-* Diagnostics / BGP - fix search in grid, should only use a formatter for presentation purposes.
+* Diagnostics / BGP - fix search in grid, should only use a formatter for presentation purposes
 * Add ospf6 carp demotion event handler
 
-
 1.27
 
 * Add BGP password authentication
@@ -131,6 +131,3 @@ Plugin Changelog
 1.8
 
 * Add area range in OSPF config
-
-
-WWW: https://frrouting.org/
diff --git a/net/frr/src/opnsense/scripts/frr/lib/events/ospf6d.py b/net/frr/src/opnsense/scripts/frr/lib/events/ospf6d.py
old mode 100644
new mode 100755

From abfa21fb63c7f69923f5d3530a901d4374ed98ea Mon Sep 17 00:00:00 2001
From: Michael Newton <miken32@gmail.com>
Date: Fri, 22 Apr 2022 06:43:22 -0600
Subject: [PATCH 1008/3088] avoid errors with repeated primary servers and keys
 (#2874)

---
 .../OPNsense/Bind/forms/dialogEditBindDomain.xml   | 10 ++++++++--
 .../mvc/app/models/OPNsense/Bind/Domain.xml        |  4 ++++
 .../mvc/app/views/OPNsense/Bind/general.volt       |  4 ++--
 .../service/templates/OPNsense/Bind/named.conf     | 14 ++++++++------
 4 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
index eed6958bb0..c7ccbfbb76 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
@@ -46,13 +46,19 @@
         <id>domain.transferkeyalgo</id>
         <label>Transfer Key Algorithm</label>
         <type>dropdown</type>
-        <help>Set the authentication algorithm for the TSIG key.</help>
+        <help>Set the authentication algorithm for the TSIG key used to transfer domain data from the master server.</help>
+    </field>
+    <field>
+        <id>domain.transferkeyname</id>
+        <label>Transfer Key Name</label>
+        <type>text</type>
+        <help>The name of the TSIG key, which must match the value on the master server.</help>
     </field>
     <field>
         <id>domain.transferkey</id>
         <label>Transfer Key</label>
         <type>text</type>
-        <help>The TSIG key used to transfer domain data from the master server.</help>
+        <help>The base64-encoded TSIG key.</help>
     </field>
     <field>
         <id>domain.allownotifyslave</id>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 2ddbcf003b..c33f41c975 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -33,6 +33,10 @@
                         <hmac-md5>HMAC-MD5</hmac-md5>
                     </OptionValues>
                 </transferkeyalgo>
+                <transferkeyname type="TextField">
+                    <Required>N</Required>
+                    <default></default>
+                </transferkeyname>
                 <transferkey type="TextField">
                     <Required>N</Required>
                     <default></default>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 47a7053502..13e9fb12a6 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -277,9 +277,9 @@ $( document ).ready(function() {
 
     $('#domain\\.transferkeyalgo').on('change', function(e) {
         if (e.target.selectedIndex === 0) {
-            $('#domain\\.transferkey').val('').attr('readonly', true);
+            $('#domain\\.transferkey,#domain\\.transferkeyname').val('').attr('readonly', true);
         } else {
-            $('#domain\\.transferkey').attr('readonly', false);
+            $('#domain\\.transferkey,#domain\\.transferkeyname').attr('readonly', false);
         }
     });
 
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index d0c552157a..94fd79aac8 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -131,6 +131,7 @@ zone "rpzbing" { type master; file "/usr/local/etc/namedb/master/bing.db"; notif
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.domain.domains.domain') %}
+{%   set usedkeys = [] %}
 {%   for domain in helpers.toList('OPNsense.bind.domain.domains.domain') %}
 {%     if domain.enabled == '1' %}
 {%     set allow_transfer = helpers.getUUID(domain.allowtransfer) %}
@@ -138,7 +139,11 @@ zone "rpzbing" { type master; file "/usr/local/etc/namedb/master/bing.db"; notif
 zone "{{ domain.domainname }}" {
         type {{ domain.type }};
 {%       if domain.type == 'slave' %}
+{%         if domain.transferkey is defined %}
+        masters { {{ domain.masterip.replace(',', ' key "' ~ domain.transferkeyname ~ '"; ') }} key "{{ domain.transferkeyname }}"; };
+{%         else %}
         masters { {{ domain.masterip.replace(',', '; ') }}; };
+{%         endif %}
 {%         if domain.allownotifyslave is defined %}
         allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };
 {%         endif %}
@@ -153,15 +158,12 @@ zone "{{ domain.domainname }}" {
         allow-query { {{ allow_query.name }}; };
 {%       endif %}
 };
-{%       if domain.type == 'slave' and domain.transferkey is defined %}
-{%         set key_name = 'tsig-transferkey-' ~ domain.domainname.replace('.', '-') %}
-key "{{ key_name }}" {
+{%       if domain.type == 'slave' and domain.transferkey is defined and not(domain.transferkeyname in usedkeys) %}
+{%         do usedkeys.append(domain.transferkeyname) %}
+key "{{ domain.transferkeyname }}" {
         algorithm "{{ domain.transferkeyalgo }}";
         secret "{{ domain.transferkey }}";
 };
-server {{ domain.masterip }} {
-        keys { "{{ key_name }}" };
-};
 {%       endif %}
 {%     endif %}
 {%   endfor %}

From 1417b85d96390461c84d84fa65e1ca5c1124e5ca Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 22 Apr 2022 14:45:23 +0200
Subject: [PATCH 1009/3088] dns/bind: bump

---
 dns/bind/Makefile  | 2 +-
 dns/bind/pkg-descr | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index f810d13b74..292e24d28d 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.22
+PLUGIN_VERSION=		1.23
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 465c763340..c9e9d6e907 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -4,10 +4,15 @@ one computer can find another computer on the basis of its name.
 The BIND software distribution contains all of the software
 necessary for asking and answering name service questions.
 
+WWW: https://www.isc.org
 
 Plugin Changelog
 ================
 
+1.23
+
+* Avoid errors with repeated primary servers and keys (contributed by Michael Newton)
+
 1.22
 
 * Fix DNS Blacklist download
@@ -116,6 +121,3 @@ Plugin Changelog
 1.0
 
 * Initial release
-
-
-WWW: https://www.isc.org

From 45030fabf47f4a96df5434b4d06be56de0a0da7b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 22 Apr 2022 19:17:28 +0200
Subject: [PATCH 1010/3088] security/stunnel - with the deprecation of __items
 on our model fields make sure non of our plugins uses the old magic property.

Traversing __items is actually the same as usnig iterateItems(), which should be a valid replacement.

ref https://github.com/opnsense/core/commit/fc8890851a87d3041b820d801e6a386b88ee244b cc @swhite2
---
 security/stunnel/Makefile                                       | 1 +
 security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc          | 2 +-
 .../app/controllers/OPNsense/Stunnel/Api/ServicesController.php | 2 +-
 .../stunnel/src/opnsense/scripts/stunnel/generate_certs.php     | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 87786dae30..d3215d7941 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		1.0.4
+PLUGIN_REVISION= 	1
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
index 374e2ab1a2..ad0a37973a 100644
--- a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
+++ b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
@@ -70,7 +70,7 @@ function stunnel_refresh_crls()
 {
     $stunnel = new OPNsense\Stunnel\Stunnel();
     $configObj = OPNsense\Core\Config::getInstance()->object();
-    foreach ($stunnel->services->service->__items as $service) {
+    foreach ($stunnel->services->service->iterateItems() as $service) {
         if (!empty((string)$service->enabled) && !empty((string)$service->enableCRL)) {
             foreach (explode(",", (string)$service->cacert) as $cacert) {
                 $this_ca = null;
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
index edad2be838..0083aec567 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
@@ -39,7 +39,7 @@ protected function save()
     {
         // hook service enable status on enabled tunnels
         $this->getModel()->general->enabled = "0";
-        foreach ($this->getModel()->services->service->__items as $service) {
+        foreach ($this->getModel()->services->service->iterateItems() as $service) {
             if ((string)$service->enabled == "1") {
                 $this->getModel()->general->enabled = "1";
                 break;
diff --git a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
index b1166611ec..908e7dd70d 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
+++ b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
@@ -37,7 +37,7 @@
 $stunnel = new Stunnel();
 $configObj = Config::getInstance()->object();
 $all_certs = [];
-foreach ($stunnel->services->service->__items as $service) {
+foreach ($stunnel->services->service->iterateItems() as $service) {
     if (!empty((string)$service->enabled)) {
         $this_uuid = $service->getAttributes()['uuid'];
         $srv_certid = (string)$service->servercert;

From c7fea104edc0767b4be1e2b36a04bbb5ed484e4b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 23 Apr 2022 00:13:35 +0200
Subject: [PATCH 1011/3088] net / frr - Routing: Diagnostics: OSPF - asbrRouter
 is an optional field, safeguard before usage.

---
 .../opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
index 80cf75ff06..1aa5e08576 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
@@ -37,7 +37,7 @@ POSSIBILITY OF SUCH DAMAGE.
       </tr>
       <tr>
         <td>{{ lang._('ASBR') }}</td>
-        <td><%= checkmark(asbrRouter == "injectingExternalRoutingInformation") %></td>
+        <td><%= checkmark(typeof asbrRouter != 'undefined' && asbrRouter == "injectingExternalRoutingInformation") %></td>
       </tr>
       <tr>
         <td>{{ lang._('Router ID') }}</td>

From fd30e06017dd1e682a5d64966b92c37a0bc367a3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Wed, 27 Apr 2022 13:00:46 +0200
Subject: [PATCH 1012/3088] net/relayd - add listen address and port (range) to
 Virtual Server tab. closes https://github.com/opnsense/plugins/issues/2959
 (#2960)

---
 .../Relayd/Api/SettingsController.php         | 10 +++----
 .../mvc/app/views/OPNsense/Relayd/index.volt  | 27 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
index dd18169453..c47153d922 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
@@ -333,19 +333,19 @@ public function searchAction($nodeType = null)
             $fields = array();
             switch ($nodeType) {
                 case 'host':
-                    $fields = array('enabled', 'name', 'address');
+                    $fields = ['enabled', 'name', 'address'];
                     break;
                 case 'tablecheck':
-                    $fields = array('name', 'type');
+                    $fields = ['name', 'type'];
                     break;
                 case 'table':
-                    $fields = array('enabled', 'name');
+                    $fields = ['enabled', 'name'];
                     break;
                 case 'protocol':
-                    $fields = array('name', 'type');
+                    $fields = ['name', 'type'];
                     break;
                 case 'virtualserver':
-                    $fields = array('enabled', 'name', 'type');
+                    $fields = ['enabled', 'name', 'type', 'listen_address', 'listen_startport', 'listen_endport'];
                     break;
             }
             $result = $grid->fetchBindRequest($this->request, $fields);
diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
index 71cb811011..8c96a0ec31 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
@@ -101,7 +101,30 @@ POSSIBILITY OF SUCH DAMAGE.
             'get':    '/api/relayd/settings/get/' + element + '/',
             'set':    '/api/relayd/settings/set/' + element + '/',
             'add':    '/api/relayd/settings/set/' + element + '/',
-            'del':    '/api/relayd/settings/del/' + element + '/'
+            'del':    '/api/relayd/settings/del/' + element + '/',
+            options: {
+                formatters: {
+                    'listen_port': function (column, row) {
+                        if (row.listen_endport) {
+                            return row.listen_startport + ":" + row.listen_endport;
+                        } else {
+                            return row.listen_startport;
+                        }
+                    },
+                    'commands': function (column, row) {
+                        return '<button type="button" class="btn btn-xs btn-default command-edit bootgrid-tooltip" data-row-id="' + row.uuid + '"><span class="fa fa-fw fa-pencil"></span></button> ' +
+                            '<button type="button" class="btn btn-xs btn-default command-copy bootgrid-tooltip" data-row-id="' + row.uuid + '"><span class="fa fa-fw fa-clone"></span></button>' +
+                            '<button type="button" class="btn btn-xs btn-default command-delete bootgrid-tooltip" data-row-id="' + row.uuid + '"><span class="fa fa-fw fa-trash-o"></span></button>';
+                    },
+                    'rowtoggle': function (column, row) {
+                        if (parseInt(row[column.id], 2) === 1) {
+                            return '<span style="cursor: pointer;" class="fa fa-fw fa-check-square-o command-toggle bootgrid-tooltip" data-value="1" data-row-id="' + row.uuid + '"></span>';
+                        } else {
+                            return '<span style="cursor: pointer;" class="fa fa-fw fa-square-o command-toggle bootgrid-tooltip" data-value="0" data-row-id="' + row.uuid + '"></span>';
+                        }
+                    },
+                }
+            }
          };
          if (['virtualserver', 'host', 'table'].includes(element)) {
             endpoints['toggle'] = '/api/relayd/settings/toggle/' + element + '/';
@@ -342,6 +365,8 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+                <th data-column-id="listen_address" data-type="string">{{ lang._('Adress') }}</th>
+                <th data-column-id="listen_startport" data-formatter="listen_port" data-type="string">{{ lang._('Port') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Edit') }} | {{ lang._('Delete') }}</th>
             </tr>

From cf917d94fd63924465d7b9c05955e80a62be6e1e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 26 Apr 2022 20:40:08 +0200
Subject: [PATCH 1013/3088] net/relayd - upgrade version

---
 net/relayd/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index e995794309..29e7ac472f 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		relayd
-PLUGIN_VERSION=		2.6
-PLIGIN_REVISION=	1
+PLUGIN_VERSION=		2.7
+#PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From fd4fc038e176e83ba128efe1cfc30476d027aad1 Mon Sep 17 00:00:00 2001
From: clanto007 <44651109+clanto007@users.noreply.github.com>
Date: Wed, 27 Apr 2022 20:43:13 +0200
Subject: [PATCH 1014/3088] Add Enable Remote Commands to Zabbix Proxy (#2948)

---
 net-mgmt/zabbix-proxy/Makefile                              | 2 +-
 net-mgmt/zabbix-proxy/pkg-descr                             | 4 ++++
 .../app/controllers/OPNsense/Zabbixproxy/forms/general.xml  | 6 ++++++
 .../mvc/app/models/OPNsense/Zabbixproxy/General.xml         | 4 ++++
 .../templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in     | 5 +++++
 5 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 06492f992d..0ee78e70ba 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.7
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix5 zabbix54 zabbix4
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index dadafe0660..8182875fee 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.8
+
+* Add EnableRemoteCommands (#2948)
+
 1.7
 
 * Add StatsIP field to allow retrieving statistics (#2697)
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index 8124eaa217..168f981c3c 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -11,6 +11,12 @@
         <type>checkbox</type>
         <help>Active (default) or passive mode, only switch to passive if you know what you are doing.</help>
     </field>
+    <field>
+        <id>general.remotecommands</id>
+        <label>Enable Remote Commands</label>
+        <type>checkbox</type>
+    <help>Enable Remote Commands on Proxy.</help>
+    </field>
     <field>
         <id>general.server</id>
         <label>Server</label>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index 6602576a22..ab55fb06cc 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -11,6 +11,10 @@
             <default>0</default>
             <Required>Y</Required>
         </proxymode>
+        <remotecommands type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </remotecommands>
         <server type="TextField">
             <default></default>
             <Required>N</Required>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index 9eace261bf..3ee03b5dc1 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -5,6 +5,11 @@ ProxyMode=1
 {% else %}
 ProxyMode=0
 {% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.remotecommands') and OPNsense.zabbixproxy.general.remotecommands == '1' %}
+EnableRemoteCommands=1
+{% else %}
+EnableRemoteCommands=0
+{% endif %}
 {% if helpers.exists('OPNsense.zabbixproxy.general.server') and OPNsense.zabbixproxy.general.server != '' %}
 Server={{ OPNsense.zabbixproxy.general.server }}
 {% endif %}

From 85f40b884a5a6123e764f97fd7619cc66a078b70 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Fri, 29 Apr 2022 10:54:36 +0200
Subject: [PATCH 1015/3088] net/frr: (BGP) according to the FRR documentation
 and the ui validations, match is optional
 (https://docs.frrouting.org/en/latest/routemap.html#term-Matching-Conditions).
 Likely fixes https://github.com/opnsense/plugins/issues/2955 (#2965)

---
 .../src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 499ffe8e1e..de3d7b4c24 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -183,7 +183,7 @@ route-map {{ routemap.name }} {{ routemap.action }} {{ routemap.id }}
 {%             endif %}
 {%           endfor %}
 {%         endif %}
-{%         if routemap.set|default("") != '' and routemap.match|default("") != '' %}
+{%         if routemap.set|default("") != '' %}
  set {{ routemap.set }}
 {%         endif %}
 {%         if routemap.match2|default("") != "" %}

From 574c6cb5da2c05e81f75b3e3cb0df7aa5ffa9a84 Mon Sep 17 00:00:00 2001
From: Rafael Mundel <rmundel@gmail.com>
Date: Sun, 1 May 2022 11:13:03 -0400
Subject: [PATCH 1016/3088] Add Zabbix Agent 6.0 (#2963)

---
 net-mgmt/zabbix-agent/Makefile  | 5 ++++-
 net-mgmt/zabbix-agent/pkg-descr | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 7a79968563..1c5f92398b 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -2,7 +2,10 @@ PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.11
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix5 zabbix54
+PLUGIN_VARIANTS=	zabbix6 zabbix5 zabbix54
+
+zabbix6_NAME=		zabbix6-agent
+zabbix6_DEPENDS=	zabbix6-agent
 
 zabbix5_NAME=		zabbix-agent
 zabbix5_DEPENDS=	zabbix5-agent
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index b1811bc200..17e3d3d485 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.12
+
+* Plugin variant for Zabbix Agent 6.0
+
 1.11
 
 * Add description to restart action to allow restart via cron

From 8ae502d2b07d497ce68bf2707a7111d81d87c915 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 1 May 2022 17:20:07 +0200
Subject: [PATCH 1017/3088] net-mgmt/zabbix-agent: adjust changelog style

---
 net-mgmt/zabbix-agent/pkg-descr | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 17e3d3d485..64217f1956 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -14,10 +14,12 @@ Plugin Changelog
 
 1.12
 
+Added:
 * Plugin variant for Zabbix Agent 6.0
 
 1.11
 
+Added:
 * Add description to restart action to allow restart via cron
 
 1.10

From ee04e1a5da8f12540997d127f0f30b6f4bb5a9f0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 1 May 2022 17:25:00 +0200
Subject: [PATCH 1018/3088] net-mgmt/zabbix-agent: bump version

---
 net-mgmt/zabbix-agent/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 1c5f92398b..a4ad113088 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.11
+PLUGIN_VERSION=		1.12
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_VARIANTS=	zabbix6 zabbix5 zabbix54

From ab4d078c907b0194687868c657fe97b769f0301d Mon Sep 17 00:00:00 2001
From: MeganerdNL <wdeurholt@wdmail.nl>
Date: Sun, 1 May 2022 17:31:59 +0200
Subject: [PATCH 1019/3088] security/acme-client: Correct TransIP API (#2932)

* Correct TransIP API, fixes #2924

API key field  type of Transip corrected from "text" to "textbox". It was not working with "text" due to linebreaks.
Furthernore added a note that 300s sleep time is recommended.
---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml           | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 7ee42f5740..b9e1e755cc 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1065,6 +1065,9 @@
         <type>header</type>
         <style>table_dns table_dns_transip</style>
     </field>
+    <field>
+        <label>NOTE: A DNS sleep time of at least 300 is recommended.</label>
+        <type>header</type>
     <field>
         <id>validation.dns_transip_username</id>
         <label>Username</label>
@@ -1074,7 +1077,7 @@
     <field>
         <id>validation.dns_transip_key</id>
         <label>API Key</label>
-        <type>text</type>
+        <type>textbox</type>
         <help>Requires the whole key file in a format that is compatible with TransIP.</help>
     </field>
     <field>

From 3b5e8e50df9f0c3d76d1ce2431b8ec15a1046484 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 1 May 2022 17:39:36 +0200
Subject: [PATCH 1020/3088] security/acme-client: fix missing closing tag, refs
 #2932

---
 .../controllers/OPNsense/AcmeClient/forms/dialogValidation.xml   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index b9e1e755cc..93a6b7e4bf 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1068,6 +1068,7 @@
     <field>
         <label>NOTE: A DNS sleep time of at least 300 is recommended.</label>
         <type>header</type>
+    </field>
     <field>
         <id>validation.dns_transip_username</id>
         <label>Username</label>

From 66bd98798bc14ed030a3b2d8e7acd6f9adefde05 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 1 May 2022 17:40:56 +0200
Subject: [PATCH 1021/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 9305b77522..eebd4286a5 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.10
+
+Fixed:
+* unable to configure key in TransIP API (#2924)
+
 3.9
 
 Added:

From 6ea9913cb815e4637a65d5b4fc88223636d35a00 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 1 May 2022 17:41:12 +0200
Subject: [PATCH 1022/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 00d852986b..5dd108a98a 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.9
+PLUGIN_VERSION=		3.10
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From b4ef39efa550e352dbb3ec36e05b17caebe9b8ac Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 1 May 2022 18:06:22 +0200
Subject: [PATCH 1023/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index eebd4286a5..6cd62b0b1e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 3.10
 
+Added:
+* new automation: run remote commands via SSH (#2757)
+
 Fixed:
 * unable to configure key in TransIP API (#2924)
 

From 3d2144223206b8a5edfcf22b0aa50dd2bbdc991b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 6 May 2022 12:13:42 +0200
Subject: [PATCH 1024/3088] net/frr: allow prefix-lists up to 10000 (#2972)

---
 net/frr/Makefile                                                | 2 +-
 net/frr/pkg-descr                                               | 1 +
 .../OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml          | 2 +-
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml     | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 026281f058..98526d16f7 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.27
+PLUGIN_VERSION=		1.28
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 9fcb50b973..5219eed253 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -17,6 +17,7 @@ Plugin Changelog
 * OSPF6 Interface change networktype and interfacename to dropdown in stead of multi select
 * Diagnostics / BGP - fix search in grid, should only use a formatter for presentation purposes
 * Add ospf6 carp demotion event handler
+* Allow BGP prefix-list number up to 10000 instead of 99
 
 1.27
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
index 276e4e5d45..da50945980 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
@@ -27,7 +27,7 @@
     <id>prefixlist.seqnumber</id>
     <label>Number</label>
     <type>text</type>
-    <help>The ACL sequence number (10-99)</help>
+    <help>The ACL sequence number (10-10000)</help>
   </field>
   <field>
     <id>prefixlist.action</id>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 33dd741479..0f37813cbe 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -240,7 +240,7 @@
                                 <default></default>
                                 <Required>Y</Required>
                                 <MinimumValue>10</MinimumValue>
-                                <MaximumValue>99</MaximumValue>
+                                <MaximumValue>10000</MaximumValue>
                         </seqnumber>
                         <action type="OptionField">
                                 <default></default>

From 32e4f8fe807178737b213763fd749a090ba7236a Mon Sep 17 00:00:00 2001
From: schreibubi <schreibubi@users.noreply.github.com>
Date: Mon, 9 May 2022 12:05:57 +0530
Subject: [PATCH 1025/3088] dns/dnscrypt-proxy: Support specifying relays for
 anonymous DNS (#2548)

---
 dns/dnscrypt-proxy/pkg-descr                   |  4 ++++
 .../OPNsense/Dnscryptproxy/forms/general.xml   |  8 ++++++++
 .../models/OPNsense/Dnscryptproxy/General.xml  |  3 +++
 .../OPNsense/Dnscryptproxy/dnscrypt-proxy.toml | 18 ++++++++++++++++++
 4 files changed, 33 insertions(+)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index cbe2d972b9..0be7fb48eb 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
+1.12
+
+* Support specifying relays for anonymous DNS
+
 1.11
 
 * Fix DNSBL update due to FreeBSD13 upgrade (sed syntax)
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
index 41d4d57d26..9243e23726 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
@@ -179,4 +179,12 @@
         <allownew>true</allownew>
         <help><![CDATA[Exclude servers from automatic selection. Add any specific server names here if you do not want to use them for any reason.]]></help>
     </field>
+    <field>
+        <id>general.relaylist</id>
+        <label>Relay List</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Set a list of <a href="https://github.com/DNSCrypt/dnscrypt-resolvers#list-of-dnscrypt-relays">relays</a>. Will be used for relaying to all configured servers.]]></help>
+    </field>
 </form>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index 85826254e3..3d47b93fd4 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -147,5 +147,8 @@
             <FieldSeparator>,</FieldSeparator>
             <asList>Y</asList>
         </disabled_serverlist>
+        <relaylist type="CSVListField">
+            <Required>N</Required>
+        </relaylist>
     </items>
 </model>
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index 96dd4718ef..61260c00e3 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -152,6 +152,24 @@ cache = false
   refresh_delay = 72
   prefix = ''
 
+  ## Anonymized DNS relays
+
+  [sources.'relays']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
+  cache_file = 'relays.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  refresh_delay = 72
+  prefix = ''
+
+[anonymized_dns]
+
+{% if helpers.exists('OPNsense.dnscryptproxy.general.relaylist') and OPNsense.dnscryptproxy.general.relaylist != '' %}
+ routes = [
+    { server_name='*', via=[{{ "'" + ("','".join(OPNsense.dnscryptproxy.general.relaylist.split(','))) + "'" }}] }
+ ]
+{% endif %}
+
+
 [static]
 {% if helpers.exists('OPNsense.dnscryptproxy.server.servers.server') %}
 {%   for server_list in helpers.toList('OPNsense.dnscryptproxy.server.servers.server') %}

From aeaf368781f9b412918e5a9544304b512fe685c8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 May 2022 08:36:18 +0200
Subject: [PATCH 1026/3088] dns/dnscrypt-proxy: bump previous

---
 dns/dnscrypt-proxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 3c7a4c9d88..0641d52d1a 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.11
+PLUGIN_VERSION=		1.12
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From e51caa73480025b19d40409fdeee88c72ca7fd87 Mon Sep 17 00:00:00 2001
From: Rafael Mundel <rmundel@gmail.com>
Date: Mon, 9 May 2022 02:47:04 -0400
Subject: [PATCH 1027/3088] Zabbix Proxy 6.0 (#2964)

---
 net-mgmt/zabbix-proxy/Makefile  | 5 ++++-
 net-mgmt/zabbix-proxy/pkg-descr | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 0ee78e70ba..e23333467c 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -2,7 +2,10 @@ PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix5 zabbix54 zabbix4
+PLUGIN_VARIANTS=	zabbix6 zabbix5 zabbix54 zabbix4
+
+zabbix6_NAME=		zabbix6-proxy
+zabbix6_DEPENDS=	zabbix6-proxy
 
 zabbix5_NAME=		zabbix5-proxy
 zabbix5_DEPENDS=	zabbix5-proxy
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 8182875fee..4c491f7ce4 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.9
+
+* Add plugin variant for Zabbix Proxy 6.0
+
 1.8
 
 * Add EnableRemoteCommands (#2948)

From 05c646de09659ef6a982ca20e802a9d5f83b1701 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 May 2022 08:52:08 +0200
Subject: [PATCH 1028/3088] net-mgmt/zabbix-proxy: belongs to version 1.8

---
 net-mgmt/zabbix-proxy/pkg-descr | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 4c491f7ce4..af6d7f8695 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,13 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
-1.9
-
-* Add plugin variant for Zabbix Proxy 6.0
-
 1.8
 
 * Add EnableRemoteCommands (#2948)
+* Add plugin variant for Zabbix Proxy 6.0
 
 1.7
 

From 8f158306c99cce6e200612845de72371124c3e8b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 May 2022 13:38:39 +0200
Subject: [PATCH 1029/3088] www/web/proxy-useracl: plugin receives no
 maintenance

---
 www/web-proxy-useracl/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/web-proxy-useracl/Makefile b/www/web-proxy-useracl/Makefile
index a2374138c9..7620cecc0f 100644
--- a/www/web-proxy-useracl/Makefile
+++ b/www/web-proxy-useracl/Makefile
@@ -2,6 +2,7 @@ PLUGIN_NAME=		web-proxy-useracl
 PLUGIN_VERSION=		1.1
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Group and user ACL for the web proxy
+PLUGIN_OBSOLETE= 	No changes since 2018
 PLUGIN_MAINTAINER=	kekek2@ya.ru
 PLUGIN_WWW=		https://smart-soft.ru
 

From ffcd201992021eceebd232ebeb1b73611126321f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 May 2022 09:59:20 +0200
Subject: [PATCH 1030/3088] Framework: mark obsolete plugins in list

---
 Makefile  | 3 ++-
 README.md | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 76fc96735e..d01440b965 100644
--- a/Makefile
+++ b/Makefile
@@ -39,7 +39,8 @@ PLUGIN_DIRS+=	${_${CATEGORY}}
 list:
 .for PLUGIN_DIR in ${PLUGIN_DIRS}
 	@echo ${PLUGIN_DIR} -- $$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_COMMENT) \
-	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_DEVEL _PLUGIN_DEVEL=)" ]; then echo "(development only)"; fi)
+	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_DEVEL _PLUGIN_DEVEL=)" ]; then echo "(development only)"; fi) \
+	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_OBSOLETE)" ]; then echo "(pending removal)"; fi)
 .endfor
 
 # shared targets that are sane to run from the root directory
diff --git a/README.md b/README.md
index 095e89d2f5..09a0db513b 100644
--- a/README.md
+++ b/README.md
@@ -92,7 +92,7 @@ security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 sysutils/api-backup -- Provide the functionality to download the config.xml
 sysutils/apuled -- PC Engine APU LED control (development only)
-sysutils/boot-delay -- Apply a persistent 10 second boot delay
+sysutils/boot-delay -- Apply a persistent 10 second boot delay (pending removal)
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
@@ -112,7 +112,7 @@ www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
 www/nginx -- Nginx HTTP server and reverse proxy
 www/web-proxy-sso -- Kerberos authentication module
-www/web-proxy-useracl -- Group and user ACL for the web proxy
+www/web-proxy-useracl -- Group and user ACL for the web proxy (pending removal)
 ```
 
 A brief description of how to use the plugins repository

From ce4469f458926917af4bb3cb40c254f1d6425d84 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Tue, 10 May 2022 11:59:42 +0200
Subject: [PATCH 1031/3088] new plugin: security/crowdsec (#2945)

This is a plugin we developed to provide configuration and a basic UI for the crowdsec IDS and IPS. It depends on a couple of binaries recently added to ports.conf

Adding machines (servers, other firewalls) and advanced configuration are not managed by the UI but available from the command line.
---
 security/crowdsec/+POST_DEINSTALL.post        |  50 ++
 security/crowdsec/+POST_INSTALL.post          |  11 +
 security/crowdsec/+PRE_DEINSTALL.pre          |   8 +
 security/crowdsec/LICENSE                     |  21 +
 security/crowdsec/Makefile                    |  10 +
 security/crowdsec/pkg-descr                   |  49 ++
 .../crowdsec/src/etc/cron.d/oscrowdsec.cron   |   9 +
 .../src/etc/crowdsec/acquis.d/opnsense.yaml   |  15 +
 .../src/etc/inc/plugins.inc.d/crowdsec.inc    |  95 ++++
 security/crowdsec/src/etc/rc.d/oscrowdsec     | 104 +++++
 .../src/etc/rc.syshook.d/start/50-crowdsec    |   6 +
 .../CrowdSec/Api/AlertsController.php         |  33 ++
 .../CrowdSec/Api/BouncersController.php       |  33 ++
 .../CrowdSec/Api/CollectionsController.php    |  33 ++
 .../CrowdSec/Api/DecisionsController.php      |  53 +++
 .../CrowdSec/Api/GeneralController.php        |  17 +
 .../CrowdSec/Api/MachinesController.php       |  33 ++
 .../CrowdSec/Api/ParsersController.php        |  33 ++
 .../CrowdSec/Api/PostoverflowsController.php  |  33 ++
 .../CrowdSec/Api/ScenariosController.php      |  33 ++
 .../CrowdSec/Api/ServiceController.php        |  78 ++++
 .../CrowdSec/Api/VersionController.php        |  28 ++
 .../OPNsense/CrowdSec/GeneralController.php   |  19 +
 .../OPNsense/CrowdSec/OverviewController.php  |  18 +
 .../OPNsense/CrowdSec/forms/general.xml       |  95 ++++
 .../app/models/OPNsense/CrowdSec/ACL/ACL.xml  |   9 +
 .../app/models/OPNsense/CrowdSec/General.php  |  12 +
 .../app/models/OPNsense/CrowdSec/General.xml  |  56 +++
 .../models/OPNsense/CrowdSec/Menu/Menu.xml    |   8 +
 .../app/views/OPNsense/CrowdSec/general.volt  | 142 ++++++
 .../app/views/OPNsense/CrowdSec/overview.volt | 249 ++++++++++
 .../scripts/OPNsense/CrowdSec/hub-upgrade.sh  |  18 +
 .../scripts/OPNsense/CrowdSec/reconfigure.py  |  94 ++++
 .../scripts/OPNsense/CrowdSec/reconfigure.sh  |  33 ++
 .../conf/actions.d/actions_crowdsec.conf      |  94 ++++
 .../templates/OPNsense/CrowdSec/+TARGETS      |   4 +
 .../OPNsense/CrowdSec/crowdsec.rc.conf.d      |  11 +
 .../CrowdSec/crowdsec_firewall.rc.conf.d      |  11 +
 .../OPNsense/CrowdSec/oscrowdsec.rc.conf.d    |   1 +
 .../templates/OPNsense/CrowdSec/settings.json |   5 +
 .../src/opnsense/www/js/CrowdSec/crowdsec.js  | 426 ++++++++++++++++++
 41 files changed, 2090 insertions(+)
 create mode 100755 security/crowdsec/+POST_DEINSTALL.post
 create mode 100755 security/crowdsec/+POST_INSTALL.post
 create mode 100755 security/crowdsec/+PRE_DEINSTALL.pre
 create mode 100644 security/crowdsec/LICENSE
 create mode 100644 security/crowdsec/Makefile
 create mode 100644 security/crowdsec/pkg-descr
 create mode 100644 security/crowdsec/src/etc/cron.d/oscrowdsec.cron
 create mode 100644 security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
 create mode 100644 security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
 create mode 100755 security/crowdsec/src/etc/rc.d/oscrowdsec
 create mode 100755 security/crowdsec/src/etc/rc.syshook.d/start/50-crowdsec
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/GeneralController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/GeneralController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/OverviewController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/ACL/ACL.xml
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/Menu/Menu.xml
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
 create mode 100755 security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
 create mode 100755 security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
 create mode 100755 security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
 create mode 100644 security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
 create mode 100644 security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/+TARGETS
 create mode 100644 security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
 create mode 100644 security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec_firewall.rc.conf.d
 create mode 100644 security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/oscrowdsec.rc.conf.d
 create mode 100644 security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/settings.json
 create mode 100644 security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js

diff --git a/security/crowdsec/+POST_DEINSTALL.post b/security/crowdsec/+POST_DEINSTALL.post
new file mode 100755
index 0000000000..536a325294
--- /dev/null
+++ b/security/crowdsec/+POST_DEINSTALL.post
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Removing the plugin from the web interface will autoremove the dependencies
+# too, and here we have to delete the files in rc.conf.d (because they are
+# generated from templates when the configuration is saved, and the package
+# system did not keep track of them).
+
+# But.. If the plugin is removed from the command line (which does not happen
+# outside of testing conditions), the crowdsec and bouncer services will not be
+# removed. However, since we deleted the files that enabled these services,
+# they will be disabled at the next reboot.
+
+rm -f /etc/rc.conf.d/crowdsec \
+      /etc/rc.conf.d/crowdsec_firewall \
+      /etc/rc.conf.d/oscrowdsec
+
+
+# Remove aliases and with them, the rules. We don't have plugin files
+# anymore so we do that on the fly.
+
+/usr/local/bin/php <<'EOT'
+<?php
+
+@include_once("config.inc");
+@include_once("certs.inc");
+@include_once("util.inc");
+
+use OPNsense\Firewall\Alias;
+use OPNsense\Core\Config;
+
+function removeAlias($name)
+{
+    $model = new Alias();
+    foreach ($model->aliases->alias->iterateItems() as $index => $alias) {
+        if (strval($alias->name) == $name) {
+            if ($model->aliases->alias->del($index)) {
+                $model->serializeToConfig();
+                Config::getInstance()->save();
+            }
+        }
+    }
+}
+
+removeAlias('crowdsec_blacklists');
+removeAlias('crowdsec6_blacklists');
+EOT
+
+
+# apply the configuration changes to the packet filter
+configctl filter reload
diff --git a/security/crowdsec/+POST_INSTALL.post b/security/crowdsec/+POST_INSTALL.post
new file mode 100755
index 0000000000..6a64974496
--- /dev/null
+++ b/security/crowdsec/+POST_INSTALL.post
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# the configuration file used in reconfigure (i.e. settings.json) may eventually
+# have credentials, so we create a directory to contain it -- the directory
+# permissions will be copied to the file while generating the jinja template.
+
+# shellcheck disable=SC2174
+mkdir -p -m 0700 /usr/local/etc/crowdsec/opnsense
+
+configctl crowdsec reconfigure
+
diff --git a/security/crowdsec/+PRE_DEINSTALL.pre b/security/crowdsec/+PRE_DEINSTALL.pre
new file mode 100755
index 0000000000..9f7107ef01
--- /dev/null
+++ b/security/crowdsec/+PRE_DEINSTALL.pre
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# need to temporarily stop the bouncer to remove all the rules
+service crowdsec_firewall stop >/dev/null 2>&1 | :
+
+# the rest of the cleanup is done in the post-deinstall script, otherwise
+# the plugin recreates the objects during "filter reload".
+
diff --git a/security/crowdsec/LICENSE b/security/crowdsec/LICENSE
new file mode 100644
index 0000000000..92d86fc27c
--- /dev/null
+++ b/security/crowdsec/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020-2021 Crowdsec
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
new file mode 100644
index 0000000000..fb0653f197
--- /dev/null
+++ b/security/crowdsec/Makefile
@@ -0,0 +1,10 @@
+PLUGIN_NAME=		crowdsec
+PLUGIN_VERSION=		0.2
+PLUGIN_DEVEL=		yes
+#PLUGIN_REVISION=	1
+PLUGIN_DEPENDS=		crowdsec
+PLUGIN_COMMENT=		Lightweight and collaborative security engine
+PLUGIN_MAINTAINER=	marco@crowdsec.net
+PLUGIN_WWW=		https://crowdsec.net/
+
+.include "../../Mk/plugins.mk"
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
new file mode 100644
index 0000000000..2cd4f07c10
--- /dev/null
+++ b/security/crowdsec/pkg-descr
@@ -0,0 +1,49 @@
+Crowdsec is an open-source, lightweight software, detecting peers with
+aggressive behaviors to prevent them from accessing your systems. Its user
+friendly design and assistance offers a low technical barrier of entry and
+nevertheless a high security gain.
+
+WWW: https://crowdsec.net/
+
+Plugin Changelog
+================
+
+0.2
+
+* first published release
+* added options `lapi_enabled`, `crowdsec_firewall_verbose`
+* removed options `crowdsec_flags`, `crowdsec_firewall_flags`
+* changed default for `agent_enabled`, `firewall_bouncer_enabled` to 1
+
+0.1
+
+* fixed packet tags with ipv6
+* custom `crowdsec_flags`, `crosdsec_firewall_flags`
+
+0.0.9
+
+* fixed the javascript, 0.0.8 had a syntax error
+* new option: rules_tag
+* new option: lapi_manual_configuration
+* ipv4/ipv6 validation with regexp
+
+0.0.8
+
+* crowdsec update 1.3.2
+* configurable `rules_log` and LAPI address/port
+
+0.0.7
+
+* automated removal of Alias objects when the plugin is uninstalled
+
+0.0.6
+
+* crowdsec update 1.3.1.r1
+* bouncer update to 0.0.23.r1
+* automated creation of Alias and Rule objects
+
+0.0.5
+
+* fixed an issue that prevented the bouncer from banning IPs on opnsense
+* fixed support for notification plugins
+
diff --git a/security/crowdsec/src/etc/cron.d/oscrowdsec.cron b/security/crowdsec/src/etc/cron.d/oscrowdsec.cron
new file mode 100644
index 0000000000..2ec072c402
--- /dev/null
+++ b/security/crowdsec/src/etc/cron.d/oscrowdsec.cron
@@ -0,0 +1,9 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+#
+# User-defined crontab files can be loaded via /etc/cron.d
+# or /usr/local/etc/cron.d and follow the same format as
+# /etc/crontab, see the crontab(5) manual page.
+SHELL=/bin/sh
+PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+#minute	hour	mday	month	wday	who	command
+0	1,13	*	*	*	root	/usr/local/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
diff --git a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
new file mode 100644
index 0000000000..905be22566
--- /dev/null
+++ b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
@@ -0,0 +1,15 @@
+#
+# Before 22.1, OPNsense used circular logs under /var/log/*.log that
+# can still be around. They are old, in binary format and are not needed by crowdsec.
+#
+# For this reason we don't scan /var/log/*.log, but some plugins can write
+# their (plaintext) logs in that location, in such case add their pathnames too.
+#
+
+filenames:
+ # ssh
+ - /var/log/audit/*.log
+ # web admin
+ - /var/log/lighttpd/*.log
+labels:
+  type: syslog
diff --git a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
new file mode 100644
index 0000000000..a1e2eb6b07
--- /dev/null
+++ b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
@@ -0,0 +1,95 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+use OPNsense\Core\Config;
+use OPNsense\Firewall\Alias;
+use OPNsense\Firewall\Plugin;
+
+function add_alias_if_not_exist($name, $description, $proto) {
+    $model = new Alias();
+
+    if ($model->getByName($name) != null) {
+        return;
+    }
+
+    $new_alias = $model->aliases->alias->Add();
+    $new_alias->name = $name;
+    $new_alias->description = $description;
+    $new_alias->proto = $proto;
+    $new_alias->type = 'external';
+    $model->serializeToConfig();
+    Config::getInstance()->save();
+}
+
+function crowdsec_firewall(Plugin $fw)
+{
+    global $config;
+
+    $general = $config['OPNsense']['crowdsec']['general'];
+
+    $bouncer_enabled = isset($general['firewall_bouncer_enabled']) && $general['firewall_bouncer_enabled'];
+
+    if (!$bouncer_enabled) {
+        return;
+    }
+
+    $rules_log_enabled = isset($general['rules_log']) && $general['rules_log'];
+
+    $rules_tag = "";
+    if (isset($general['rules_tag'])) {
+        $rules_tag = $general['rules_tag'];
+    };
+
+    add_alias_if_not_exist('crowdsec_blacklists', 'CrowdSec (IPv4)', 'IPv4');
+
+    // https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+
+    $fw->registerFilterRule(
+        1, /* priority */
+        array(
+            'ipprotocol' => 'inet',
+            'descr'      => 'CrowdSec (IPv4)',
+            'from'       => '$crowdsec_blacklists',     # $ to reference an alias
+            'type'       => 'block',
+            'log'        => $rules_log_enabled,
+            'tag'        => $rules_tag,
+            'label'      => 'blocked by crowdsec',
+            'quick'      => true
+        ),
+        null
+    );
+
+    add_alias_if_not_exist('crowdsec6_blacklists', 'CrowdSec (IPv6)', 'IPv6');
+
+    $fw->registerFilterRule(
+        1, /* priority */
+        array(
+            'ipprotocol' => 'inet6',
+            'descr'      => 'CrowdSec (IPv6)',
+            'from'       => '$crowdsec6_blacklists',    # $ to reference an alias
+            'type'       => 'block',
+            'log'        => $rules_log_enabled,
+            'tag'        => $rules_tag,
+            'label'      => 'blocked by crowdsec',
+            'quick'      => true
+        ),
+        null
+    );
+}
+
+function crowdsec_services()
+{
+    $services[] = array(
+        'description' => 'CrowdSec',
+        'configd' => array(
+            'restart' => array('crowdsec restart'),
+            'start'   => array('crowdsec start'),
+            'stop'    => array('crowdsec stop'),
+        ),
+        'name' => 'crowdsec'
+    );
+
+    return $services;
+}
diff --git a/security/crowdsec/src/etc/rc.d/oscrowdsec b/security/crowdsec/src/etc/rc.d/oscrowdsec
new file mode 100755
index 0000000000..a64dc0d38b
--- /dev/null
+++ b/security/crowdsec/src/etc/rc.d/oscrowdsec
@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: oscrowdsec
+# REQUIRE: NETWORKING syslogd
+# BEFORE:  DAEMON
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="oscrowdsec"
+rcvar="oscrowdsec_enable"
+
+load_rc_config $name
+
+: ${oscrowdsec_enable="NO"}
+
+
+oscrowdsec_start () {
+    #
+    # Start, or stop the services according to the plugin's configuration.
+    # When starting -> error if the services are already running
+    # When stopping -> no error
+    #
+
+    if service crowdsec enabled; then
+        service crowdsec start
+    else
+        service crowdsec stop || :
+    fi
+
+    if service crowdsec_firewall enabled; then
+        service crowdsec_firewall start
+    else
+        service crowdsec_firewall stop || :
+    fi
+
+# XXX should complain if they were not stopped?
+#    service crowdsec status
+#    if [ $? -eq 0 ]; then
+#       debug "oscrowdsec_start: crowdsec is still running"
+#       return 0
+#    fi
+}
+
+oscrowdsec_stop () {
+    # Always stop the services, enabled or not, running or not. No errors.
+
+    service crowdsec stop || :
+    service crowdsec_firewall stop || :
+
+    # XXX should complain if they were running and have not been stopped?
+}
+
+oscrowdsec_restart () {
+    oscrowdsec_stop || :
+    oscrowdsec_start
+}
+
+oscrowdsec_status () {
+    # return error if at least one program is not running
+    ret=0
+
+    if service crowdsec status; then
+        ret=$?
+    fi
+
+    if service crowdsec_firewall status; then
+        if [ $ret -eq 0 ]; then
+            ret=$?
+        fi
+    fi
+    return $ret
+}
+
+oscrowdsec_reload () {
+    # Here we take it easy. the bouncer does not even support reload
+    oscrowdsec_restart
+}
+
+case $1 in
+   start)
+      oscrowdsec_start
+      exit $?
+      ;;
+   stop)
+      oscrowdsec_stop
+      exit $?
+      ;;
+   restart)
+      oscrowdsec_restart
+      exit $?
+      ;;
+   status)
+      oscrowdsec_status
+      exit $?
+      ;;
+   reload)
+      oscrowdsec_reload
+      exit $?
+      ;;
+esac
diff --git a/security/crowdsec/src/etc/rc.syshook.d/start/50-crowdsec b/security/crowdsec/src/etc/rc.syshook.d/start/50-crowdsec
new file mode 100755
index 0000000000..58359695ff
--- /dev/null
+++ b/security/crowdsec/src/etc/rc.syshook.d/start/50-crowdsec
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# https://docs.opnsense.org/development/backend/autorun.html
+
+/usr/local/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
+
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
new file mode 100644
index 0000000000..6aff27e81e
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
@@ -0,0 +1,33 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class AlertsController extends ApiControllerBase
+{
+    /**
+     * retrieve list of alerts
+     * @return array of alerts
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec alerts-list")), true);
+        if ($bckresult !== null) {
+            // only return valid json type responses
+            return $bckresult;
+        }
+        return array("message" => "unable to list alerts");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
new file mode 100644
index 0000000000..94de1a8772
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
@@ -0,0 +1,33 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class BouncersController extends ApiControllerBase
+{
+    /**
+     * retrieve list of bouncers
+     * @return array of bouncers
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec bouncers-list")), true);
+        if ($bckresult !== null) {
+            // only return valid json type responses
+            return $bckresult;
+        }
+        return array("message" => "unable to list bouncers");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
new file mode 100644
index 0000000000..62c63afa6b
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
@@ -0,0 +1,33 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class CollectionsController extends ApiControllerBase
+{
+    /**
+     * retrieve list of collections
+     * @return array of collections
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec collections-list")), true);
+        if ($bckresult !== null) {
+            // only return valid json type responses
+            return $bckresult;
+        }
+        return array("message" => "unable to list collections");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
new file mode 100644
index 0000000000..7421e74e4b
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
@@ -0,0 +1,53 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class DecisionsController extends ApiControllerBase
+{
+    /**
+     * retrieve list of decisions
+     * @return array of decisions
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec decisions-list")), true);
+        if ($bckresult !== null) {
+            // only return valid json type responses
+            return $bckresult;
+        }
+        return array("message" => "unable to list decisions");
+    }
+
+    public function deleteAction($decision_id)
+    {
+        if ($this->request->isDelete()) {
+            $backend = new Backend();
+            $bckresult = $backend->configdRun("crowdsec decisions-delete ${decision_id}");
+            if ($bckresult !== null) {
+                // why does the action return \n\n for empty output?
+                if (trim($bckresult) === '') {
+                    return array("message" => "OK");
+                }
+                // TODO handle error
+                return array("message" => $bckresult);
+            }
+            return array("message" => "OK");
+        } else {
+            $this->response->setStatusCode(405, "Method Not Allowed");
+            $this->response->setHeader("Allow", "DELETE");
+        }
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/GeneralController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/GeneralController.php
new file mode 100644
index 0000000000..038e491818
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/GeneralController.php
@@ -0,0 +1,17 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'general';
+    protected static $internalModelClass = '\OPNsense\CrowdSec\General';
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
new file mode 100644
index 0000000000..617e43bf41
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
@@ -0,0 +1,33 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class MachinesController extends ApiControllerBase
+{
+    /**
+     * retrieve list of registered machines
+     * @return array of machines
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec machines-list")), true);
+        if ($bckresult !== null) {
+            // only return valid json type responses
+            return $bckresult;
+        }
+        return array("message" => "unable to list machines");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
new file mode 100644
index 0000000000..6dfcfcdb80
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
@@ -0,0 +1,33 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class ParsersController extends ApiControllerBase
+{
+    /**
+     * retrieve list of registered parsers
+     * @return array of parsers
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec parsers-list")), true);
+        if ($bckresult !== null) {
+            // only return valid json type responses
+            return $bckresult;
+        }
+        return array("message" => "unable to list parsers");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
new file mode 100644
index 0000000000..a52fc928c0
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
@@ -0,0 +1,33 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class PostoverflowsController extends ApiControllerBase
+{
+    /**
+     * retrieve list of registered postoverflows
+     * @return array of postoverflows
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec postoverflows-list")), true);
+        if ($bckresult !== null) {
+            // only return valid json type responses
+            return $bckresult;
+        }
+        return array("message" => "unable to list postoverflows");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
new file mode 100644
index 0000000000..5daa6b82b0
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
@@ -0,0 +1,33 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class ScenariosController extends ApiControllerBase
+{
+    /**
+     * retrieve list of registered scenarios
+     * @return array of scenarios
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec scenarios-list")), true);
+        if ($bckresult !== null) {
+            // only return valid json type responses
+            return $bckresult;
+        }
+        return array("message" => "unable to list scenarios");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
new file mode 100644
index 0000000000..dae2711c78
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
@@ -0,0 +1,78 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\Core\Backend;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\CrowdSec
+ */
+class ServiceController extends ApiControllerBase
+{
+    /**
+     * reconfigure CrowdSec
+     */
+    public function reloadAction()
+    {
+        $status = "failed";
+        if ($this->request->isPost()) {
+            $backend = new Backend();
+            $bckresult = trim($backend->configdRun('template reload OPNsense/CrowdSec'));
+            if ($bckresult == "OK") {
+                $bckresult = trim($backend->configdRun('crowdsec reconfigure'));
+                if ($bckresult == "OK") {
+                    $status = "ok";
+                }
+            }
+        }
+        return array("status" => $status);
+    }
+
+    /**
+     * retrieve status of crowdsec
+     * @return array
+     * @throws \Exception
+     */
+    public function statusAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("crowdsec crowdsec-status");
+
+        $status = "unkown";
+        if (strpos($response, "not running") > 0) {
+            $status = "stopped";
+        } elseif (strpos($response, "is running") > 0) {
+            $status = "running";
+        }
+
+        $response = $backend->configdRun("crowdsec crowdsec-firewall-status");
+
+        $firewall_status = "unknown";
+        if (strpos($response, "not running") > 0) {
+            $firewall_status = "stopped";
+        } elseif (strpos($response, "is running") > 0) {
+            $firewall_status = "running";
+        }
+
+        return array(
+            "crowdsec-status" => $status,
+            "crowdsec-firewall-status" => $firewall_status,
+        );
+    }
+
+    /**
+     * return debug information
+     * @return array
+     */
+    public function debugAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("crowdsec debug");
+        return array("message" => $response);
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
new file mode 100644
index 0000000000..d236c26f87
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
@@ -0,0 +1,28 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\CrowdSec;
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class VersionController extends ApiControllerBase
+{
+    /**
+     * retrieve version description
+     * @return version description
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        return $backend->configdRun("crowdsec version");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/GeneralController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/GeneralController.php
new file mode 100644
index 0000000000..115ca686cb
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/GeneralController.php
@@ -0,0 +1,19 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class GeneralController
+ * @package OPNsense\CrowdSec
+ */
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/CrowdSec/general');
+        $this->view->generalForm = $this->getForm("general");
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/OverviewController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/OverviewController.php
new file mode 100644
index 0000000000..6dbd461d52
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/OverviewController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class OverviewController
+ * @package OPNsense\CrowdSec
+ */
+class OverviewController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/CrowdSec/overview');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
new file mode 100644
index 0000000000..596c3b3e92
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
@@ -0,0 +1,95 @@
+<form>
+
+  <!-- agent_enabled -->
+  <field>
+    <id>general.agent_enabled</id>
+    <label>Enable CrowdSec (IDS)</label>
+    <type>checkbox</type>
+    <help>Enable/disable the CrowdSec agent. Keep this enabled to detect
+      attacks and receive alerts from the CrowSec central service.</help>
+  </field>
+
+  <!-- lapi_enabled -->
+  <field>
+    <id>general.lapi_enabled</id>
+    <label>Enable LAPI</label>
+    <type>checkbox</type>
+    <help>Enable/disable the CrowdSec Local API. Keep this enabled unless you
+      connect to a LAPI on another machine</help>
+  </field>
+
+  <!-- firewall_bouncer_enabled -->
+  <field>
+    <id>general.firewall_bouncer_enabled</id>
+    <label>Enable Firewall Bouncer (IPS)</label>
+    <type>checkbox</type>
+    <help>Enable/disable the firewall bouncer. Keep this enabled to block
+      packets from the attacking IP addresses.</help>
+  </field>
+
+  <!-- lapi_manual_configuration -->
+  <field>
+    <id>general.lapi_manual_configuration</id>
+    <label>Manual LAPI configuration</label>
+    <type>checkbox</type>
+    <help>Avoid overwriting LAPI settings for config.yaml,
+      local_api_credentials.yaml, crowdsec-firewall-bouncer.yaml. The next
+      two configuration options (lapi_listen_address, lapi_listen_port) will
+      be ignored. Allows unsupported configurations like linking together
+      multiple opnsense instances or connecting to an existing crowdsec
+      multi-server setup.</help>
+  </field>
+
+  <!-- lapi_listen_address -->
+  <field>
+    <id>general.lapi_listen_address</id>
+    <label>LAPI listen address</label>
+    <type>text</type>
+    <help>Where to listen for LAPI connections: IP address. The default value
+      is 127.0.0.1. You can change it to a LAN address to connect from other
+      agents/machines and bouncers.
+
+      This is written in /usr/local/etc/crowdsec/config.yaml,
+      local_api_credentials.yaml and bouncers/crowdsec-firewall-bouncer.yaml.
+      To enable TLS, add the certificate information to config.yaml and change
+      http to https in the other two files. Comments in YAML will not be
+      preserved.</help>
+  </field>
+
+  <!-- lapi_listen_port -->
+  <field>
+    <id>general.lapi_listen_port</id>
+    <label>LAPI listen port</label>
+    <type>text</type>
+    <help>Where to listen for LAPI connections: port. The default value is
+      8080, but you can change it to avoid conflicts with existing
+      services.</help>
+  </field>
+
+  <!-- rules_log -->
+  <field>
+    <id>general.rules_log</id>
+    <label>Enable log for rules</label>
+    <type>checkbox</type>
+    <help>Enable log collection for CrowdSec's block rules.</help>
+  </field>
+
+  <!-- rules_tag -->
+  <field>
+    <id>general.rules_tag</id>
+    <label>Tag for matched packets</label>
+    <type>text</type>
+    <help>Add a tag to packets that are dropped by CrowdSec rules for
+      diagnostic purposes.</help>
+  </field>
+
+  <!-- crowdsec_firewall_verbose -->
+  <field>
+    <id>general.crowdsec_firewall_verbose</id>
+    <label>Verbose log for firewall bouncer</label>
+    <type>checkbox</type>
+    <help>Verbose /var/log/crowdsec/crowdsec-firewall-bouncer.log. Enable this
+      for debugging.</help>
+  </field>
+
+</form>
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/ACL/ACL.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/ACL/ACL.xml
new file mode 100644
index 0000000000..54840d23f9
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-user-crowdsec>
+        <name>CrowdSec</name>
+        <patterns>
+            <pattern>ui/crowdsec/*</pattern>
+            <pattern>api/crowdsec/*</pattern>
+        </patterns>
+    </page-user-crowdsec>
+</acl>
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.php b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.php
new file mode 100644
index 0000000000..3307e8ba60
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.php
@@ -0,0 +1,12 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
new file mode 100644
index 0000000000..16d3b3632d
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -0,0 +1,56 @@
+<model>
+  <mount>//OPNsense/crowdsec/general</mount>
+  <description>CrowdSec general configuration</description>
+  <version>0.2</version>
+  <items>
+
+    <agent_enabled type="BooleanField">
+      <default>1</default>
+      <Required>Y</Required>
+    </agent_enabled>
+
+    <lapi_enabled type="BooleanField">
+      <default>1</default>
+      <Required>Y</Required>
+    </lapi_enabled>
+
+    <firewall_bouncer_enabled type="BooleanField">
+      <default>1</default>
+      <Required>Y</Required>
+    </firewall_bouncer_enabled>
+
+    <lapi_manual_configuration type="BooleanField">
+      <default>0</default>
+      <Required>Y</Required>
+    </lapi_manual_configuration>
+
+    <lapi_listen_address type="TextField">
+      <default>127.0.0.1</default>
+      <Required>Y</Required>
+      <Mask>((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))</Mask>
+    </lapi_listen_address>
+
+    <lapi_listen_port type="PortField">
+      <default>8080</default>
+      <Required>Y</Required>
+      <EnableWellKnown>N</EnableWellKnown>
+      <EnableRanges>N</EnableRanges>
+    </lapi_listen_port>
+
+    <rules_log type="BooleanField">
+      <default>0</default>
+      <Required>Y</Required>
+    </rules_log>
+
+    <rules_tag type="TextField">
+      <default></default>
+      <Required>N</Required>
+    </rules_tag>
+
+    <crowdsec_firewall_verbose type="BooleanField">
+      <default>0</default>
+      <Required>Y</Required>
+    </crowdsec_firewall_verbose>
+
+  </items>
+</model>
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/Menu/Menu.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/Menu/Menu.xml
new file mode 100644
index 0000000000..c50b8cd43d
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+    <Services>
+      <CrowdSec cssClass="fa fa-globe fa-fw">
+        <Settings order="1" url="/ui/crowdsec/general/index"/>
+        <Overview order="2" url="/ui/crowdsec/overview"/>
+      </CrowdSec>
+    </Services>
+</menu>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
new file mode 100644
index 0000000000..e6753a4bf3
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -0,0 +1,142 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+
+<script>
+    $( document ).ready(function() {
+        var data_get_map = {'frm_GeneralSettings':"/api/crowdsec/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            // place actions to run after load, for example update form styles.
+        });
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint(url="/api/crowdsec/general/set",formid='frm_GeneralSettings',callback_ok=function(){
+                $("#settingsSavedMsg").text("Saving settings....").removeClass("hidden");
+                // action to run after successful save, for example reconfigure service.
+                ajaxCall(url="/api/crowdsec/service/reload", sendData={},callback=function(data,status) {
+                    $("#settingsSavedMsg").html(
+                        '<i class="fa fa-check text-success"></i> Settings have been saved, services restarted.'
+                    ).removeClass("hidden");
+                });
+            });
+        });
+
+        if(window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click()
+        }
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+    });
+</script>
+
+<style type="text/css">
+#introduction a.btn-info {
+  color: black;
+  margin: 3px;
+}
+
+.tab-pane {
+  margin: 10px;
+}
+</style>
+
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li class="active"><a data-toggle="tab" id="introduction-tab" href="#introduction"><b>Introduction</b></a></li>
+    <li><a data-toggle="tab" id="settings-tab" href="#settings"><b>Settings</b></a></li>
+</ul>
+
+<div class="content-box tab-content">
+    <div id="introduction" class="tab-pane fade in active">
+        <p>This plugin installs a CrowdSec agent/<a href="https://doc.crowdsec.net/docs/next/local_api/intro">LAPI</a>
+        node, and a <a href="https://docs.crowdsec.net/docs/bouncers/firewall/">Firewall Bouncer</a>.</p>
+
+        <p>Out of the box, by enabling them in the "Settings" tab, they can protect the OPNsense server
+        by receiving thousands of IP addresses of active attackers, which are immediately banned at the
+        firewall level. In addition, the logs of the ssh service and OPNsense administration interface are
+        analyzed for possible brute-force attacks; any such scenario triggers a ban and is reported to the
+        CrowdSec Central API
+        (meaning <a href="https://docs.crowdsec.net/docs/concepts/">timestamp, scenario, attacking IP</a>).</p>
+
+        <p>Other attack behaviors can be recognized on the OPNsense server and its plugins, or 
+        <a href="https://doc.crowdsec.net/docs/next/user_guides/multiserver_setup">any other agent</a>
+        connected to the same LAPI node. Other types of remediation are possible (ex. captcha test for scraping attempts).</p>
+
+        <p>Please refer to the <a href="https://crowdsec.net/blog/category/tutorial/">tutorials</a> to explore
+        the possibilities.</p>
+
+        <p>A few remarks:</p>
+
+        <ul>
+            <li>
+                If your OPNsense is &lt;22.1, you must check "Disable circular logs" in the Settings menu for the
+                ssh and web-auth parsers to work. If you upgrade to 22.1, it will be done automatically.
+                See <a href="https://github.com/crowdsecurity/opnsense-plugin-crowdsec/blob/main/src/etc/crowdsec/acquis.d/opnsense.yaml">acquis.d/opnsense.yaml</a>
+            </li>
+            <li>
+                At the moment, the CrowdSec package for OPNsense is fully functional on the
+                command line but its web interface is limited; you can only list the installed objects and revoke
+                <a href="https://docs.crowdsec.net/docs/user_guides/decisions_mgmt/">decisions</a>. For anything else
+                you need the shell.
+            </li>
+            <li>
+                Do not enable/start the agent and bouncer services with <code>sysrc</code> or <code>/etc/rc.conf</code>
+                like you would on vanilla freebsd, the plugin takes care of that.
+            </li>
+            <li>
+                The parsers, scenarios and all objects from the <a href="https://hub.crowdsec.net/">CrowdSec Hub</a>
+                are periodically upgraded. The
+                <a href="https://hub.crowdsec.net/author/crowdsecurity/collections/freebsd">crowdsecurity/freebsd</a> and 
+                <a href="https://hub.crowdsec.net/author/crowdsecurity/collections/opnsense">crowdsecurity/opnsense</a>
+                collections are installed by default.
+            </li>
+        </ul>
+
+        <div>
+            <a class="btn btn-default btn-info" href="https://doc.crowdsec.net/">
+                crowdsec.net
+            </a>
+            <a class="btn btn-default btn-info" href="https://doc.crowdsec.net/">
+                Documentation
+            </a>
+            <a class="btn btn-default btn-info" href="https://crowdsec.net/blog/">
+                Blog
+            </a>
+            <a class="btn btn-default btn-info" href="https://app.crowdsec.net/">
+                Console
+            </a>
+            <a class="btn btn-default btn-info" href="https://hub.crowdsec.net/">
+                CrowdSec Hub
+            </a>
+        </div>
+
+        <div>
+            <a class="btn btn-default btn-info" href="https://github.com/crowdsecurity/crowdsec">
+                GitHub
+            </a>
+            <a class="btn btn-default btn-info" href="https://discourse.crowdsec.net/">
+                Discourse
+            </a>
+            <a class="btn btn-default btn-info" href="https://discord.com/invite/wGN7ShmEE8">
+                Discord
+            </a>
+            <a class="btn btn-default btn-info" href="https://twitter.com/Crowd_Security">
+                Twitter
+            </a>
+        </div>
+    </div>
+
+    <div id="settings" class="tab-pane fade active">
+        <div class="alert alert-info hidden" role="alert" id="settingsSavedMsg">
+        </div>
+        <div  class="col-md-12">
+            {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
+        </div>
+
+        <div class="col-md-12">
+            <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b></button>
+        </div>
+    </div>
+</div>
+
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
new file mode 100644
index 0000000000..87987c30a5
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
@@ -0,0 +1,249 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec.js"></script>
+
+<script>
+    $(function() {
+        CrowdSec.init();
+    });
+</script>
+
+<style type="text/css">
+.content-box table {
+  table-layout: auto;
+}
+
+table.bootgrid-table tr .btn-sm {
+  padding: 2px 6px;
+}
+
+table.bootgrid-table tr > td {
+  padding: 3px;
+}
+
+li.spaced {
+  margin-left: 15px;
+}
+
+ul.nav>li>a {
+  padding: 6px;
+}
+</style>
+
+<div>
+  Service status: crowdsec <span id="crowdsec-status">...</span> - firewall bouncer <span id="crowdsec-firewall-status">...</span>
+</div>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li><a data-toggle="tab" id="machines_tab" href="#machines">Machines</a></li>
+    <li><a data-toggle="tab" id="bouncers_tab" href="#bouncers">Bouncers</a></li>
+    <li class="spaced"><a data-toggle="tab" id="collections_tab" href="#collections">Collections</a></li>
+    <li><a data-toggle="tab" id="scenarios_tab" href="#scenarios">Scenarios</a></li>
+    <li><a data-toggle="tab" id="parsers_tab" href="#parsers">Parsers</a></li>
+    <li><a data-toggle="tab" id="postoverflows_tab" href="#postoverflows">Postoverflows</a></li>
+    <li class="spaced"><a data-toggle="tab" id="alerts_tab" href="#alerts">Alerts</a></li>
+    <li><a data-toggle="tab" id="decisions_tab" href="#decisions">Decisions</a></li>
+    <li class="pull-right"><a data-toggle="tab" id="debug_tab" href="#debug" style="display:none">Debug</a></li>
+</ul>
+
+<div class="tab-content content-box">
+
+    <div id="machines" class="tab-pane fade in">
+        <table class="table table-condensed table-hover table-striped">
+            <thead>
+                <tr>
+                  <th data-column-id="name">Name</th>
+                  <th data-column-id="ip_address">IP Address</th>
+                  <th data-column-id="last_update" data-formatter="datetime">Last Update</th>
+                  <th data-column-id="validated" data-formatter="yesno" data-searchable="false">Validated?</th>
+                  <th data-column-id="version">Version</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="bouncers" class="tab-pane fade in">
+        <table class="table table-condensed table-hover table-striped">
+            <thead>
+                <tr>
+                  <th data-column-id="name">Name</th>
+                  <th data-column-id="ip_address">IP Address</th>
+                  <th data-column-id="valid" data-formatter="yesno" data-searchable="false">Valid</th>
+                  <th data-column-id="last_pull" data-formatter="datetime">Last API Pull</th>
+                  <th data-column-id="type">Type</th>
+                  <th data-column-id="version">Version</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="collections" class="tab-pane fade in">
+        <table class="table table-condensed table-hover table-striped">
+            <thead>
+                <tr>
+                  <th data-column-id="name">Name</th>
+                  <th data-column-id="status">Status</th>
+                  <th data-column-id="local_version">Version</th>
+                  <th data-column-id="local_path">Local Path</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="scenarios" class="tab-pane fade in">
+        <table class="table table-condensed table-hover table-striped">
+            <thead>
+                <tr>
+                  <th data-column-id="name">Name</th>
+                  <th data-column-id="status">Status</th>
+                  <th data-column-id="local_version">Version</th>
+                  <th data-column-id="local_path">Path</th>
+                  <th data-column-id="description">Description</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="parsers" class="tab-pane fade in">
+        <table class="table table-condensed table-hover table-striped">
+            <thead>
+                <tr>
+                  <th data-column-id="name">Name</th>
+                  <th data-column-id="status">Status</th>
+                  <th data-column-id="local_version">Version</th>
+                  <th data-column-id="local_path">Local Path</th>
+                  <th data-column-id="description">Description</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="postoverflows" class="tab-pane fade in">
+        <table class="table table-condensed table-hover table-striped">
+            <thead>
+                <tr>
+                  <th data-column-id="name">Name</th>
+                  <th data-column-id="status">Status</th>
+                  <th data-column-id="local_version">Version</th>
+                  <th data-column-id="local_path">Local Path</th>
+                  <th data-column-id="description">Description</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="alerts" class="tab-pane fade in">
+        <table class="table table-condensed table-hover table-striped">
+            <thead>
+                <tr>
+                  <th data-column-id="id" data-type="numeric">ID</th>
+                  <th data-column-id="value">Value</th>
+                  <th data-column-id="reason">Reason</th>
+                  <th data-column-id="country">Country</th>
+                  <th data-column-id="as">AS</th>
+                  <th data-column-id="decisions">Decisions</th>
+                  <th data-column-id="created_at" data-formatter="datetime">Created At</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="decisions" class="tab-pane fade in">
+        Note: the decisions coming from the CAPI (signals collected by the CrowdSec users) do not appear here.
+        To show them, use <code>cscli decisions list -a</code> in a shell.
+        <table class="table table-condensed table-hover table-striped">
+            <thead>
+                <tr>
+                  <th data-column-id="delete" data-formatter="delete" data-visible-in-selection="false"></th>
+                  <th data-column-id="id" data-identifier="true" data-type="numeric">ID</th>
+                  <th data-column-id="source">Source</th>
+                  <th data-column-id="scope_value">Scope:Value</th>
+                  <th data-column-id="reason">Reason</th>
+                  <th data-column-id="action">Action</th>
+                  <th data-column-id="country">Country</th>
+                  <th data-column-id="as">AS</th>
+                  <th data-column-id="events_count" data-type="numeric">Events</th>
+                  <th data-column-id="expiration" data-formatter="duration">Expiration</th>
+                  <th data-column-id="alert_id" data-type="numeric">Alert&nbsp;ID</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="debug" class="tab-pane fade in">
+        <pre>
+        </pre>
+    </div>
+
+    <!-- Modal popup to confirm decision deletion -->
+    <div class="modal fade" id="delete-decision-modal" tabindex="-1" role="dialog" aria-labelledby="modalLabel" aria-hidden="true">
+        <div class="modal-dialog" role="document">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+                        <span aria-hidden="true">&times;</span>
+                    </button>
+                    <h4 class="modal-title" id="modalLabel">Modal Title</h4>
+                </div>
+                <div class="modal-body">
+                    Modal content...
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-secondary" data-dismiss="modal">No, cancel</button>
+                    <button type="button" class="btn btn-danger" data-dismiss="modal" id="delete-decision-confirm">Yes, delete</button>
+                </div>
+            </div>
+        </div>
+    </div>
+
+</div>
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
new file mode 100755
index 0000000000..1c00e7a1bd
--- /dev/null
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ ! -e "/usr/local/etc/crowdsec/collections/opnsense.yaml" ]; then
+    /usr/local/bin/cscli --error collections install crowdsecurity/opnsense
+fi
+
+/usr/local/bin/cscli --error hub update \
+    && /usr/local/bin/cscli --error hub upgrade
+
+if service crowdsec enabled; then
+    # have to check status explicitly because "restart" can set $? = 0 even when failing
+    if ! service crowdsec status >/dev/null 2>&1; then
+        service crowdsec start >/dev/null 2>&1 || :
+    else
+        service crowdsec restart >/dev/null 2>&1 || :
+    fi
+fi
+
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
new file mode 100755
index 0000000000..6f012249b4
--- /dev/null
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
@@ -0,0 +1,94 @@
+#!/usr/bin/env python3
+
+import logging
+import json
+import urllib.parse
+import yaml
+
+logging.basicConfig(level=logging.INFO)
+
+
+def load_config(filename):
+    with open(filename) as fin:
+        return yaml.safe_load(fin)
+
+
+# only save if some value has changed
+def save_config(filename, new_config):
+    old_config = load_config(filename)
+    if old_config != new_config:
+        with open(filename, 'w') as fout:
+            yaml.dump(new_config, fout)
+
+
+def get_netloc(settings):
+    # defaults if config has not been saved yet
+    listen_address = settings.get('lapi_listen_address', '127.0.0.1')
+    listen_port = settings.get('lapi_listen_port', '8080')
+    return '{}:{}'.format(listen_address, listen_port)
+
+
+def get_new_url(old_url, settings):
+    old_tuple = urllib.parse.urlsplit(old_url)
+    new_tuple = old_tuple._replace(netloc=get_netloc(settings))
+    new_url = urllib.parse.urlunsplit(new_tuple)
+    # client lapi requires a trailing slash for the path part
+    # and no, query and fragment don't make much sense
+    if not new_tuple.query and not new_tuple.fragment and not new_url.endswith('/'):
+        new_url += '/'
+    return new_url
+
+
+def configure_agent(settings):
+    config_path = '/usr/local/etc/crowdsec/config.yaml'
+    config = load_config(config_path)
+
+    config['common']['log_dir'] = '/var/log/crowdsec'
+    config['crowdsec_service']['acquisition_dir'] = '/usr/local/etc/crowdsec/acquis.d/'
+
+    if not int(settings.get('lapi_manual_configuration', '0')):
+        config['api']['server']['listen_uri'] = get_netloc(settings)
+
+    save_config(config_path, config)
+
+
+def configure_lapi_credentials(settings):
+    config_path = '/usr/local/etc/crowdsec/local_api_credentials.yaml'
+    config = load_config(config_path)
+
+    if not int(settings.get('lapi_manual_configuration', '0')):
+        config['url'] = get_new_url(config['url'], settings)
+
+    save_config(config_path, config)
+
+
+def configure_bouncer(settings):
+    config_path = '/usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml'
+    config = load_config(config_path)
+
+    config['log_dir'] = '/var/log/crowdsec'
+    config['blacklists_ipv4'] = 'crowdsec_blacklists'
+    config['blacklists_ipv6'] = 'crowdsec6_blacklists'
+    config['pf'] = {'anchor_name': ''}
+
+    if not int(settings.get('lapi_manual_configuration', '0')):
+        config['api_url'] = get_new_url(config['api_url'], settings)
+
+    save_config(config_path, config)
+
+
+def main():
+    try:
+        with open('/usr/local/etc/crowdsec/opnsense/settings.json') as f:
+            settings = json.load(f)
+    except FileNotFoundError:
+        logging.info("settings.json not found, won't change crowdsec config")
+        return
+
+    configure_agent(settings)
+    configure_lapi_credentials(settings)
+    configure_bouncer(settings)
+
+
+if __name__ == '__main__':
+    main()
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
new file mode 100755
index 0000000000..c6d0c2c2c5
--- /dev/null
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# This script is run
+#  - when the plugin is installed (by +POST_INSTALL.post)
+#  - when saving the "settings" form (which calls /api/crowdsec/service/reload)
+#  - by hand, running "configctl crowdsec reconfigure"
+
+set -e
+
+# apply configuration options specific to opnsense
+/usr/local/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
+
+# enable pf anchor here - the tables and rules will be created by the bouncer
+/usr/local/sbin/configctl filter reload >/dev/null
+
+# the hub is upgraded by cron too
+/usr/local/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
+
+# crowdsec was already restarted by hub-upgrade.sh
+if service crowdsec_firewall enabled; then
+    # have to check status explicitly because "restart" can set $? = 0 even when failing
+    if ! service crowdsec_firewall status >/dev/null 2>&1; then
+        service crowdsec_firewall start >/dev/null 2>&1 || :
+    else
+        service crowdsec_firewall restart >/dev/null 2>&1 || :
+    fi
+fi
+
+# left from v0.0.8
+rm -f /usr/local/etc/crowdsec/opnsense-settings.json
+
+echo "OK"
+
diff --git a/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf b/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
new file mode 100644
index 0000000000..e0e0f62932
--- /dev/null
+++ b/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
@@ -0,0 +1,94 @@
+
+# https://docs.opnsense.org/development/backend/configd.html
+
+[start]
+command:/usr/local/etc/rc.d/oscrowdsec start
+type: script
+message: starting crowdsec services
+
+[stop]
+command:/usr/local/etc/rc.d/oscrowdsec stop
+type: script
+message: stopping crowdsec services
+
+[status]
+command:/usr/local/etc/rc.d/oscrowdsec status; exit 0
+type: script_output
+message: oscrowdsec status
+
+[restart]
+command:/usr/local/etc/rc.d/oscrowdsec restart
+type: script
+message: stopping crowdsec services
+
+[reload]
+command:/usr/local/etc/rc.d/oscrowdsec reload
+type: script
+message: reload crowdsec configuration
+
+[crowdsec-status]
+command:/usr/local/etc/rc.d/crowdsec status;exit 0
+type:script_output
+message: request crowdsec status
+
+[crowdsec-firewall-status]
+command:/usr/local/etc/rc.d/crowdsec_firewall status;exit 0
+type:script_output
+message: request crowdsec_firewall status
+
+[alerts-list]
+command:/usr/local/bin/cscli alerts list -l 0 -o json | sed 's/^null$/\[\]/'
+type:script_output
+message:crowdsec alerts list
+
+[bouncers-list]
+command:/usr/local/bin/cscli bouncers list -o json | sed 's/^null$/\[\]/'
+type:script_output
+message:crowdsec bouncers list
+
+[collections-list]
+command:/usr/local/bin/cscli collections list -o json
+type:script_output
+message:crowdsec collections list
+
+[decisions-list]
+command:/usr/local/bin/cscli decisions list -l 0 -o json | sed 's/^null$/\[\]/'
+type:script_output
+message:crowdsec decisions list
+
+[decisions-delete]
+command:/usr/local/bin/cscli --error decisions delete 2>&1
+parameters:--id %s
+type:script_output
+message:crowdsec decisions delete
+
+[machines-list]
+command:/usr/local/bin/cscli machines list -o json | sed 's/^null$/\[\]/'
+type:script_output
+message:crowdsec machines list
+
+[parsers-list]
+command:/usr/local/bin/cscli parsers list -o json
+type:script_output
+message:crowdsec parsers list
+
+[postoverflows-list]
+command:/usr/local/bin/cscli postoverflows list -o json
+type:script_output
+message:crowdsec postoverflows list
+
+[scenarios-list]
+command:/usr/local/bin/cscli scenarios list -o json
+type:script_output
+message:crowdsec scenarios list
+
+[version]
+command:/usr/local/bin/cscli version 2>&1
+type:script_output
+message:crowdsec version
+
+[reconfigure]
+command:/usr/local/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
+type:script_output
+message:crowdsec reconfigure
+
diff --git a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/+TARGETS b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/+TARGETS
new file mode 100644
index 0000000000..c2ebc92240
--- /dev/null
+++ b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/+TARGETS
@@ -0,0 +1,4 @@
+oscrowdsec.rc.conf.d:/etc/rc.conf.d/oscrowdsec
+crowdsec.rc.conf.d:/etc/rc.conf.d/crowdsec
+crowdsec_firewall.rc.conf.d:/etc/rc.conf.d/crowdsec_firewall
+settings.json:/usr/local/etc/crowdsec/opnsense/settings.json
diff --git a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
new file mode 100644
index 0000000000..77eebf92fa
--- /dev/null
+++ b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
@@ -0,0 +1,11 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+{% if helpers.exists('OPNsense.crowdsec.general.agent_enabled') and OPNsense.crowdsec.general.agent_enabled|default("1") == "1" %}
+crowdsec_enable="YES"
+{% else %}
+crowdsec_enable="NO"
+{% endif %}
+{% if helpers.exists('OPNsense.crowdsec.general.lapi_enabled') and OPNsense.crowdsec.general.lapi_enabled|default("1") == "1" %}
+crowdsec_flags=""
+{% else %}
+crowdsec_flags="-no-api"
+{% endif %}
diff --git a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec_firewall.rc.conf.d b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec_firewall.rc.conf.d
new file mode 100644
index 0000000000..61bae583b4
--- /dev/null
+++ b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec_firewall.rc.conf.d
@@ -0,0 +1,11 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+{% if helpers.exists('OPNsense.crowdsec.general.firewall_bouncer_enabled') and OPNsense.crowdsec.general.firewall_bouncer_enabled|default("1") == "1" %}
+crowdsec_firewall_enable="YES"
+{% else %}
+crowdsec_firewall_enable="NO"
+{% endif %}
+{% if helpers.exists('OPNsense.crowdsec.general.crowdsec_firewall_verbose') and OPNsense.crowdsec.general.crowdsec_firewall_verbose|default("0") == "1" %}
+crowdsec_firewall_flags="-v"
+{% else %}
+crowdsec_firewall_flags=""
+{% endif %}
diff --git a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/oscrowdsec.rc.conf.d b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/oscrowdsec.rc.conf.d
new file mode 100644
index 0000000000..dd3cec08ea
--- /dev/null
+++ b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/oscrowdsec.rc.conf.d
@@ -0,0 +1 @@
+oscrowdsec_enable="YES"
diff --git a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/settings.json b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/settings.json
new file mode 100644
index 0000000000..0c3ed00b09
--- /dev/null
+++ b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/settings.json
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.crowdsec.general') -%}
+    {{ OPNsense.crowdsec.general | tojson }}
+{%- endif %}
+
+
diff --git a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
new file mode 100644
index 0000000000..39eaacd43b
--- /dev/null
+++ b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
@@ -0,0 +1,426 @@
+/*global moment, $ */
+/*exported CrowdSec */
+/*eslint no-undef: "error"*/
+/*eslint semi: "error"*/
+
+var CrowdSec = (function() {
+    'use strict';
+
+    var _refresh_template = '<button class="btn btn-default" type="button" title="Refresh"><span class="icon glyphicon glyphicon-refresh"></span></button>';
+
+    var _dataFormatters = {
+        yesno: function(column, row) {
+            return _yesno2html(row[column.id]);
+        },
+
+        delete: function(column, row) {
+            var val = row.id;
+            if (isNaN(val)) {
+                return '';
+            }
+            return '<button type="button" class="btn btn-secondary btn-sm" value="'+val+'" onclick="CrowdSec.deleteDecision('+val+')"><i class="fa fa-trash" /></button>';
+        },
+
+        duration: function(column, row) {
+            var duration = row[column.id];
+            if (!duration) {
+                return 'n/a';
+            }
+            return $('<div>').attr({
+                'data-toggle': 'tooltip',
+                'data-placement': 'left',
+                'title': duration
+            }).text(_humanizeDuration(duration)).prop('outerHTML');
+        },
+
+        datetime: function(column, row) {
+            var dt = row[column.id];
+            var parsed = moment(dt);
+            if (!dt) {
+                return '';
+            }
+            if (!parsed.isValid()) {
+                console.error("Cannot parse timestamp: %s", dt);
+                return '???';
+            }
+            return $('<div>').attr({
+                'data-toggle': 'tooltip',
+                'data-placement': 'left',
+                'title': parsed.format()
+            }).text(_humanizeDate(dt)).prop('outerHTML');
+        },
+    };
+
+    function _parseDuration(duration) {
+        var re = /(-?)(?:(?:(\d+)h)?(\d+)m)?(\d+).\d+(m?)s/m;
+        var matches = duration.match(re);
+        var seconds = 0;
+
+        if (!matches.length) {
+            throw new Error("Unable to parse the following duration: " + duration + ".");
+        }
+        if (typeof matches[2] !== "undefined") {
+            seconds += parseInt(matches[2], 10) * 3600; // hours
+        }
+        if (typeof matches[3] !== "undefined") {
+            seconds += parseInt(matches[3], 10) * 60; // minutes
+        }
+        if (typeof matches[4] !== "undefined") {
+            seconds += parseInt(matches[4], 10); // seconds
+        }
+        if ("m" === parseInt(matches[5], 10)) {
+            // units in milliseconds
+            seconds *= 0.001;
+        }
+        if ("-" === parseInt(matches[1], 10)) {
+            // negative
+            seconds = -seconds;
+        }
+        return seconds;
+    }
+
+    function _updateFreshness(selector, timestamp) {
+        var $freshness = $(selector).find('.actionBar .freshness');
+        if (timestamp) {
+            $freshness.data('refresh_timestamp', timestamp);
+        } else {
+            timestamp = $freshness.data('refresh_timestamp');
+        }
+        var howlong_human = '???';
+        if (timestamp) {
+            var howlong_ms = moment() - moment(timestamp);
+            howlong_human = moment.duration(howlong_ms).humanize();
+        }
+        $freshness.text(howlong_human + ' ago');
+    }
+
+    function _addFreshness(selector) {
+        // this creates one timer per tab
+        var freshness_template = '<span style="float:left">Last refresh: <span class="freshness"></span></span>';
+        $(selector).find('.actionBar').prepend(freshness_template);
+        setInterval(function() {
+           _updateFreshness(selector);
+        }, 5000);
+    }
+
+    function _humanizeDate(text) {
+        return moment(text).fromNow();
+    }
+
+    function _humanizeDuration(text) {
+        return moment.duration(_parseDuration(text), 'seconds').humanize();
+    }
+
+    function _yesno2html(val) {
+        if (val) {
+            return '<i class="fa fa-check text-success"></i>';
+        } else {
+        return '<i class="fa fa-times text-danger"></i>';
+        }
+    }
+
+    function _decisionsByType(decisions) {
+        var dectypes = {};
+        if (!decisions) {
+            return '';
+        }
+        decisions.map(function(decision) {
+            // TODO ignore negative expiration?
+            dectypes[decision.type] = dectypes[decision.type] ? (dectypes[decision.type]+1) : 1;
+        });
+        var ret = '';
+        for (var type in dectypes) {
+            if (ret !== '') {
+                ret += ' ';
+            }
+            ret += (type + ':' + dectypes[type]);
+        }
+        return ret;
+    }
+
+    function _initService() {
+        $.ajax({
+            url: '/api/crowdsec/service/status',
+            cache: false
+        }).done(function(data) {
+            // TODO handle errors
+            var crowdsec_status = data['crowdsec-status'];
+            if (crowdsec_status === 'unknown') {
+                crowdsec_status = '<span class="text-danger">Unknown</span>';
+            } else {
+                crowdsec_status = _yesno2html(crowdsec_status === 'running');
+            }
+            $('#crowdsec-status').html(crowdsec_status);
+
+            var crowdsec_firewall_status = data['crowdsec-firewall-status'];
+            if (crowdsec_firewall_status === 'unknown') {
+                crowdsec_firewall_status = '<span class="text-danger">Unknown</span>';
+            } else {
+                crowdsec_firewall_status = _yesno2html(crowdsec_firewall_status === 'running');
+            }
+            $('#crowdsec-firewall-status').html(crowdsec_firewall_status);
+        });
+    }
+
+    function _initDebug() {
+        $.ajax({
+            url: '/api/crowdsec/service/debug',
+            cache: false
+        }).done(function(data) {
+            $('#debug pre').text(data.message);
+        });
+    }
+
+    function _initTab(selector, url, dataCallback) {
+        var $tab = $(selector);
+        if ($tab.find('table.bootgrid-table').length) {
+            return;
+        }
+        $tab.find('table').
+            on("initialized.rs.jquery.bootgrid", function() {
+                $(_refresh_template).on('click', function() {
+                    _refreshTab(selector, url, dataCallback);
+                }).insertBefore($tab.find('.actionBar .actions .dropdown:first'));
+                _addFreshness(selector);
+                _refreshTab(selector, url, dataCallback);
+            }).
+            bootgrid({
+                caseSensitive: false,
+                formatters: _dataFormatters
+            });
+    }
+
+    function _refreshTab(selector, url, dataCallback) {
+        $.ajax({
+            url: url,
+            cache: false
+        }).done(dataCallback);
+        _updateFreshness(selector, moment());
+    }
+
+    function _initMachines() {
+        var url = '/api/crowdsec/machines/get';
+        var dataCallback = function(data) {
+            var rows = [];
+            data.map(function(row) {
+                rows.push({
+                    name:        row.machineId,
+                    ip_address:  row.ipAddress || ' ',
+                    last_update: row.updated_at || ' ',
+                    validated:   row.isValidated,
+                    version:     row.version || ' '
+                });
+            });
+        $('#machines table').bootgrid('clear').bootgrid('append', rows);
+        };
+        _initTab('#machines', url, dataCallback);
+    }
+
+    function _initCollections() {
+        var url = '/api/crowdsec/collections/get';
+        var dataCallback = function(data) {
+            var rows = [];
+            data.collections.map(function(row) {
+                rows.push({
+                    name:          row.name,
+                    status:        row.status,
+                    local_version: row.local_version || ' ',
+                    local_path:    row.local_path || ' '
+                });
+            });
+        $('#collections table').bootgrid('clear').bootgrid('append', rows);
+        };
+        _initTab('#collections', url, dataCallback);
+    }
+
+    function _initScenarios() {
+        var url = '/api/crowdsec/scenarios/get';
+        var dataCallback = function(data) {
+            var rows = [];
+            data.scenarios.map(function(row) {
+                rows.push({
+                    name:          row.name,
+                    status:        row.status,
+                    local_version: row.local_version || ' ',
+                    local_path:    row.local_path || ' ',
+                    description:   row.description || ' '
+                });
+            });
+            $('#scenarios table').bootgrid('clear').bootgrid('append', rows);
+        };
+        _initTab('#scenarios', url, dataCallback);
+    }
+
+    function _initParsers() {
+        var url = '/api/crowdsec/parsers/get';
+        var dataCallback = function(data) {
+            var rows = [];
+            data.parsers.map(function(row) {
+                rows.push({
+                    name:          row.name,
+                    status:        row.status,
+                    local_version: row.local_version || ' ',
+                    local_path:    row.local_path || ' ',
+                    description:   row.description || ' '
+                });
+            });
+            $('#parsers table').bootgrid('clear').bootgrid('append', rows);
+        };
+        _initTab('#parsers ', url, dataCallback);
+    }
+
+    function _initPostoverflows() {
+        var url = '/api/crowdsec/postoverflows/get';
+        var dataCallback = function(data) {
+            var rows = [];
+            data.postoverflows.map(function(row) {
+                rows.push({
+                    name:          row.name,
+                    status:        row.status,
+                    local_version: row.local_version || ' ',
+                    local_path:    row.local_path || ' ',
+                    description:   row.description || ' '
+                });
+            });
+            $('#postoverflows table').bootgrid('clear').bootgrid('append', rows);
+        };
+        _initTab('#postoverflows ', url, dataCallback);
+    }
+
+    function _initBouncers() {
+        var url = '/api/crowdsec/bouncers/get';
+        var dataCallback = function(data) {
+            var rows = [];
+            data.map(function(row) {
+                // TODO - remove || ' ' later, it was fixed for 1.3.3
+                rows.push({
+                    name:       row.name,
+                    ip_address: row.ip_address || ' ',
+                    valid:      row.revoked ? false : true,
+                    last_pull:  row.last_pull,
+                    type:       row.type || ' ',
+                    version:    row.version || ' '
+                });
+            });
+            $('#bouncers table').bootgrid('clear').bootgrid('append', rows);
+        };
+        _initTab('#bouncers ', url, dataCallback);
+    }
+
+    function _initAlerts() {
+        var url = '/api/crowdsec/alerts/get';
+        var dataCallback = function(data) {
+            var rows = [];
+            data.map(function(row) {
+                rows.push({
+                    id:         row.id,
+                    value:      row.source.scope + (row.source.value?(':'+row.source.value):''),
+                    reason:     row.scenario || ' ',
+                    country:    row.source.cn || ' ',
+                    as:         row.source.as_name || ' ',
+                    decisions:  _decisionsByType(row.decisions) || ' ',
+                    created_at: row.created_at
+                });
+            });
+            $('#alerts table').bootgrid('clear').bootgrid('append', rows);
+        };
+        _initTab('#alerts ', url, dataCallback);
+    }
+
+    function _initDecisions() {
+        var url = '/api/crowdsec/decisions/get';
+        var dataCallback = function(data) {
+            var rows = [];
+            data.map(function(row) {
+                row.decisions.map(function(decision) {
+                    // ignore deleted decisions
+                    if (decision.duration.startsWith('-')) {
+                        return;
+                    }
+                    rows.push({
+                        // search will break on empty values when using .append(). so we use spaces
+                        delete:       '',
+                        id:           decision.id,
+                        source:       decision.origin || ' ',
+                        scope_value:  decision.scope + (decision.value?(':'+decision.value):''),
+                        reason:       decision.scenario || ' ',
+                        action:       decision.type || ' ',
+                        country:      row.source.cn || ' ',
+                        as:           row.source.as_name || ' ',
+                        events_count: row.events_count,
+                        // XXX pre-parse duration to seconds, and integer type, for sorting
+                        expiration:   decision.duration || ' ',
+                        alert_id:     row.id || ' '
+                    });
+                });
+            });
+            $('#decisions table').bootgrid('clear').bootgrid('append', rows);
+        };
+        _initTab('#decisions ', url, dataCallback);
+    }
+
+    function deleteDecision(decisionId) {
+        var $modal = $('#delete-decision-modal');
+        $modal.find('.modal-title').text('Delete decision #' + decisionId);
+        $modal.find('.modal-body').text('Are you sure?');
+        $modal.find('#delete-decision-confirm').on('click', function() {
+            $.ajax({
+                // XXX handle errors
+                url: '/api/crowdsec/decisions/delete/' + decisionId,
+                type: 'DELETE',
+                success: function(result) {
+                    if (result && result.message === 'OK') {
+                        $('#decisions table').bootgrid('remove', [decisionId]);
+                        $modal.modal('hide');
+                    }
+                }
+            });
+        });
+        $modal.modal('show');
+    }
+
+    function init() {
+        _initService();
+
+        $('#machines_tab').on('click', _initMachines);
+        $('#collections_tab').on('click', _initCollections);
+        $('#scenarios_tab').on('click', _initScenarios);
+        $('#parsers_tab').on('click', _initParsers);
+        $('#postoverflows_tab').on('click', _initPostoverflows);
+        $('#bouncers_tab').on('click', _initBouncers);
+        $('#alerts_tab').on('click', _initAlerts);
+        $('#decisions_tab').on('click', _initDecisions);
+
+        $('[data-toggle="tooltip"]').tooltip();
+
+        if (window.location.hash) {
+            // activate a tab from the hash, if it exists
+            $(window.location.hash+'_tab').click();
+        } else {
+            // otherwise, machines
+            $('#machines_tab').click();
+        }
+
+        $(window).on('hashchange', function(e) {
+            $(window.location.hash+'_tab').click();
+        });
+
+        if (new URLSearchParams(window.location.search).has('debug')) {
+            $('#debug_tab').show().on('click', _initDebug);
+        }
+
+        // navigation
+        if(window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click()
+        }
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+    }
+
+    return {
+        deleteDecision: deleteDecision,
+        init: init
+    };
+
+}());

From b3e996c5e1962a8222296357dab9e6feb7adafe3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 May 2022 12:29:56 +0200
Subject: [PATCH 1032/3088] README: sync

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 09a0db513b..3660856d6e 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,7 @@ net-mgmt/zabbix-agent -- Zabbix monitoring agent
 net-mgmt/zabbix-proxy -- Zabbix monitoring proxy
 security/acme-client -- ACME Client
 security/clamav -- Antivirus engine for detecting malicious threats
+security/crowdsec -- Lightweight and collaborative security engine (development only)
 security/etpro-telemetry -- ET Pro Telemetry Edition
 security/intrusion-detection-content-et-open -- IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
 security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (needs a valid subscription)

From ff20cded1e655b0cb9ba3089b48bbd263b85f421 Mon Sep 17 00:00:00 2001
From: Murat <murat@balaban.io>
Date: Tue, 10 May 2022 23:30:09 -0700
Subject: [PATCH 1033/3088] os-sunnyvalley: Update Product name to reflect the
 new name: Zenarmor (#2978)

* os-sunnyvalley: Update Product name to reflect the new name: Zenarmor

* os-sunnyvalley: Update Product name to reflect the new name: Zenarmor

Co-authored-by: mb <murat@sunnyvalley.io>
---
 vendor/sunnyvalley/Makefile  | 4 ++--
 vendor/sunnyvalley/pkg-descr | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 6d082409e3..39e7251030 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		Vendor repository for Sensei (Next Generation Firewall Extensions)
+PLUGIN_REVISION=	2
+PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
 PLUGIN_WWW=		https://www.sunnyvalley.io
 PLUGIN_DEPENDS=		${PLUGIN_FLAVOUR:tl}
diff --git a/vendor/sunnyvalley/pkg-descr b/vendor/sunnyvalley/pkg-descr
index 6f3b0fa84d..743f576974 100644
--- a/vendor/sunnyvalley/pkg-descr
+++ b/vendor/sunnyvalley/pkg-descr
@@ -1,15 +1,15 @@
-This plugin adds a proprietary repository to install Sensei, a plugin
-for OPNsense, complementing the firewall with state of the art
+This plugin adds a proprietary repository to install Zenarmor (previously Sensei), 
+a plugin for OPNsense, complementing the firewall with state of the art
 next generation firewall features.
 
 You will need to install os-sensei plugin after installing this repo plugin.
 
-Sensei features:
+Zenarmor for OPNsense features:
 
 * Application Control
 * Advanced Network Analytics
+* Auto-blocking based on Real-time Cloud Threat Intelligence
 * All-ports Full TLS Inspection
-* Cloud Threat Intelligence
 * Web Security & Web Filtering
 * User based filtering
 * Policy based filtering

From 4dd4e1ebfdaa230ff781f134a7ec01ab25350e64 Mon Sep 17 00:00:00 2001
From: Stephan de Wit <stephan.de.wit@deciso.com>
Date: Wed, 11 May 2022 10:41:16 +0200
Subject: [PATCH 1034/3088] nginx: make validation fit into phalcon compat
 layer

---
 .../OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php     | 2 +-
 .../OPNsense/Base/Constraints/NgxBusyBufferConstraint.php       | 2 +-
 .../Base/Constraints/NgxUniqueDefaultServerConstraint.php       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
index b40c832dd2..fc2c38234d 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
@@ -38,7 +38,7 @@
  */
 class NaxsiIdentifierConstraint extends BaseConstraint
 {
-    public function validate(\Phalcon\Validation $validator, $attribute): bool
+    public function validate($validator, $attribute): bool
     {
         $node = $this->getOption('node');
         if ($node) {
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
index 6067ad0644..00d0469017 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
@@ -38,7 +38,7 @@
  */
 class NgxBusyBufferConstraint extends BaseConstraint
 {
-    public function validate(\Phalcon\Validation $validator, $attribute): bool
+    public function validate($validator, $attribute): bool
     {
         $node = $this->getOption('node');
         if ($node) {
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
index 9534251250..3526b907d0 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
@@ -39,7 +39,7 @@
  */
 class NgxUniqueDefaultServerConstraint extends BaseConstraint
 {
-    public function validate(\Phalcon\Validation $validator, $attribute): bool
+    public function validate($validator, $attribute): bool
     {
         $node = $this->getOption('node');
         if ($node) {

From 433ec8e0f27b19920200d72db6e6e713d1bc44de Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 May 2022 10:48:53 +0200
Subject: [PATCH 1035/3088] www/nginx: bump revision

---
 www/nginx/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 1343b145a0..84532fec15 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.26
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From db3fb848d9ab1527b607c788db48270acbc71f20 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 May 2022 12:07:59 +0200
Subject: [PATCH 1036/3088] plugins: style sweep

---
 .../scripts/OPNsense/AcmeClient/run_remote_ssh.php     | 10 +++++-----
 security/crowdsec/+POST_INSTALL.post                   |  1 -
 security/crowdsec/+PRE_DEINSTALL.pre                   |  1 -
 security/crowdsec/pkg-descr                            |  1 -
 .../crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc    |  5 +++--
 .../crowdsec/src/etc/rc.syshook.d/start/50-crowdsec    |  1 -
 .../mvc/app/views/OPNsense/CrowdSec/general.volt       |  5 ++---
 .../opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh  |  1 -
 .../opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh  |  1 -
 .../service/conf/actions.d/actions_crowdsec.conf       |  1 -
 .../service/templates/OPNsense/CrowdSec/settings.json  |  2 --
 security/stunnel/Makefile                              |  2 +-
 vendor/sunnyvalley/pkg-descr                           |  2 +-
 www/web-proxy-useracl/Makefile                         |  2 +-
 14 files changed, 13 insertions(+), 22 deletions(-)

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
index 3f045347bd..9a16b8689a 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
@@ -29,17 +29,17 @@
 
 const ABOUT = <<<TXT
 
-   This script implements remote command execution using SSH. It reuses 
-   identities and "known_hosts" management from SFTP, located inside the 
+   This script implements remote command execution using SSH. It reuses
+   identities and "known_hosts" management from SFTP, located inside the
    local configuration folder (see "upload_sftp.php" for details).
 
    Primary purpose is to support the creation of automation tasks that trigger
-   actions after a certificate has been uploaded (requires that actions can 
+   actions after a certificate has been uploaded (requires that actions can
    have an execution order).
-    
+
    In addition to automations, all operations can also be triggered manually
    using simple CLI commands.
-   
+
    See: EXAMPLES & actions_acmeclient.conf
 
 TXT;
diff --git a/security/crowdsec/+POST_INSTALL.post b/security/crowdsec/+POST_INSTALL.post
index 6a64974496..0c4a006aa4 100755
--- a/security/crowdsec/+POST_INSTALL.post
+++ b/security/crowdsec/+POST_INSTALL.post
@@ -8,4 +8,3 @@
 mkdir -p -m 0700 /usr/local/etc/crowdsec/opnsense
 
 configctl crowdsec reconfigure
-
diff --git a/security/crowdsec/+PRE_DEINSTALL.pre b/security/crowdsec/+PRE_DEINSTALL.pre
index 9f7107ef01..954af708ed 100755
--- a/security/crowdsec/+PRE_DEINSTALL.pre
+++ b/security/crowdsec/+PRE_DEINSTALL.pre
@@ -5,4 +5,3 @@ service crowdsec_firewall stop >/dev/null 2>&1 | :
 
 # the rest of the cleanup is done in the post-deinstall script, otherwise
 # the plugin recreates the objects during "filter reload".
-
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 2cd4f07c10..cc35c3abe3 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -46,4 +46,3 @@ Plugin Changelog
 
 * fixed an issue that prevented the bouncer from banning IPs on opnsense
 * fixed support for notification plugins
-
diff --git a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
index a1e2eb6b07..79348aaf76 100644
--- a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
+++ b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
@@ -7,7 +7,8 @@ use OPNsense\Core\Config;
 use OPNsense\Firewall\Alias;
 use OPNsense\Firewall\Plugin;
 
-function add_alias_if_not_exist($name, $description, $proto) {
+function add_alias_if_not_exist($name, $description, $proto)
+{
     $model = new Alias();
 
     if ($model->getByName($name) != null) {
@@ -40,7 +41,7 @@ function crowdsec_firewall(Plugin $fw)
     $rules_tag = "";
     if (isset($general['rules_tag'])) {
         $rules_tag = $general['rules_tag'];
-    };
+    }
 
     add_alias_if_not_exist('crowdsec_blacklists', 'CrowdSec (IPv4)', 'IPv4');
 
diff --git a/security/crowdsec/src/etc/rc.syshook.d/start/50-crowdsec b/security/crowdsec/src/etc/rc.syshook.d/start/50-crowdsec
index 58359695ff..35922bb443 100755
--- a/security/crowdsec/src/etc/rc.syshook.d/start/50-crowdsec
+++ b/security/crowdsec/src/etc/rc.syshook.d/start/50-crowdsec
@@ -3,4 +3,3 @@
 # https://docs.opnsense.org/development/backend/autorun.html
 
 /usr/local/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
-
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index e6753a4bf3..4952bfb18c 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -59,7 +59,7 @@
         CrowdSec Central API
         (meaning <a href="https://docs.crowdsec.net/docs/concepts/">timestamp, scenario, attacking IP</a>).</p>
 
-        <p>Other attack behaviors can be recognized on the OPNsense server and its plugins, or 
+        <p>Other attack behaviors can be recognized on the OPNsense server and its plugins, or
         <a href="https://doc.crowdsec.net/docs/next/user_guides/multiserver_setup">any other agent</a>
         connected to the same LAPI node. Other types of remediation are possible (ex. captcha test for scraping attempts).</p>
 
@@ -87,7 +87,7 @@
             <li>
                 The parsers, scenarios and all objects from the <a href="https://hub.crowdsec.net/">CrowdSec Hub</a>
                 are periodically upgraded. The
-                <a href="https://hub.crowdsec.net/author/crowdsecurity/collections/freebsd">crowdsecurity/freebsd</a> and 
+                <a href="https://hub.crowdsec.net/author/crowdsecurity/collections/freebsd">crowdsecurity/freebsd</a> and
                 <a href="https://hub.crowdsec.net/author/crowdsecurity/collections/opnsense">crowdsecurity/opnsense</a>
                 collections are installed by default.
             </li>
@@ -139,4 +139,3 @@
         </div>
     </div>
 </div>
-
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
index 1c00e7a1bd..b57e86bb10 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
@@ -15,4 +15,3 @@ if service crowdsec enabled; then
         service crowdsec restart >/dev/null 2>&1 || :
     fi
 fi
-
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
index c6d0c2c2c5..1c339cc01f 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
@@ -30,4 +30,3 @@ fi
 rm -f /usr/local/etc/crowdsec/opnsense-settings.json
 
 echo "OK"
-
diff --git a/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf b/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
index e0e0f62932..de9c3f6fda 100644
--- a/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
+++ b/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
@@ -91,4 +91,3 @@ message:crowdsec version
 command:/usr/local/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
 type:script_output
 message:crowdsec reconfigure
-
diff --git a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/settings.json b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/settings.json
index 0c3ed00b09..5b3e0c90e8 100644
--- a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/settings.json
+++ b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/settings.json
@@ -1,5 +1,3 @@
 {% if helpers.exists('OPNsense.crowdsec.general') -%}
     {{ OPNsense.crowdsec.general | tojson }}
 {%- endif %}
-
-
diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index d3215d7941..f0a6ca8a24 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		1.0.4
-PLUGIN_REVISION= 	1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/vendor/sunnyvalley/pkg-descr b/vendor/sunnyvalley/pkg-descr
index 743f576974..18686981a6 100644
--- a/vendor/sunnyvalley/pkg-descr
+++ b/vendor/sunnyvalley/pkg-descr
@@ -1,4 +1,4 @@
-This plugin adds a proprietary repository to install Zenarmor (previously Sensei), 
+This plugin adds a proprietary repository to install Zenarmor (previously Sensei),
 a plugin for OPNsense, complementing the firewall with state of the art
 next generation firewall features.
 
diff --git a/www/web-proxy-useracl/Makefile b/www/web-proxy-useracl/Makefile
index 7620cecc0f..fd340b0d19 100644
--- a/www/web-proxy-useracl/Makefile
+++ b/www/web-proxy-useracl/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		web-proxy-useracl
 PLUGIN_VERSION=		1.1
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Group and user ACL for the web proxy
-PLUGIN_OBSOLETE= 	No changes since 2018
+PLUGIN_OBSOLETE=	No changes since 2018
 PLUGIN_MAINTAINER=	kekek2@ya.ru
 PLUGIN_WWW=		https://smart-soft.ru
 

From 4495a8396769587ff090bcc4b351a031e3b19a3d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 May 2022 12:08:31 +0200
Subject: [PATCH 1037/3088] Framework: moved to .pkg extension

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ac715b3ecf..591598d678 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -272,7 +272,7 @@ upgrade: upgrade-check package
 		${PKG} delete -fy ${NAME}; \
 	fi
 .endfor
-	@${PKG} add ${PKGDIR}/*.txz
+	@${PKG} add ${PKGDIR}/*.pkg
 
 mount: check
 	mount_unionfs ${.CURDIR}/src ${DESTDIR}${LOCALBASE}

From f31a35b31a3bd62cc1c6877c27729fa20d1741da Mon Sep 17 00:00:00 2001
From: "Dr. Uwe Meyer-Gruhl" <17402664+meyergru@users.noreply.github.com>
Date: Thu, 12 May 2022 10:42:10 +0200
Subject: [PATCH 1038/3088] os-wireguard: add script to enable cron renewal of
 DNS for stale connections (#2956)

---
 net/wireguard/Makefile                        |  2 +-
 net/wireguard/pkg-descr                       |  4 ++
 .../scripts/OPNsense/Wireguard/resolve-dns.sh | 49 +++++++++++++++++++
 .../conf/actions.d/actions_wireguard.conf     |  7 +++
 4 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 22a3d57f17..3e37bd759c 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.10
+PLUGIN_VERSION=		1.11
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 515f17dbf2..643516c387 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.11
+
+* Add script for renewal of Wireguard DNS-based entries for stale connections
+
 1.10
 
 * Remove instance limit
diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh
new file mode 100644
index 0000000000..365344f143
--- /dev/null
+++ b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh
@@ -0,0 +1,49 @@
+#!/usr/local/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+
+set -e
+shopt -s nocasematch
+shopt -s extglob
+export LC_ALL=C
+
+for CONFIG_FILE in /usr/local/etc/wireguard/*.conf
+do
+
+[[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]]
+INTERFACE="${BASH_REMATCH[1]}"
+
+process_peer() {
+        [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
+        [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\   ([0-9]+) ]
+] || return 0
+        (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
+        wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
+        reset_peer_section
+}
+
+reset_peer_section() {
+        PEER_SECTION=0
+        PUBLIC_KEY=""
+        ENDPOINT=""
+}
+
+reset_peer_section
+while read -r line || [[ -n $line ]]; do
+        stripped="${line%%\#*}"
+        key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
+        value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:spa
+ce:]])}"
+        [[ $key == "["* ]] && { process_peer; reset_peer_section; }
+        [[ $key == "[Peer]" ]] && PEER_SECTION=1
+        if [[ $PEER_SECTION -eq 1 ]]; then
+                case "$key" in
+                PublicKey) PUBLIC_KEY="$value"; continue ;;
+                Endpoint) ENDPOINT="$value"; continue ;;
+                esac
+        fi
+done < "$CONFIG_FILE"
+process_peer
+
+done
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 3257da26d0..84fa90580c 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -23,6 +23,13 @@ type:script
 message:Restarting WireGuard
 description: Restart WireGuard
 
+[renew]
+command:/usr/local/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh
+parameters:
+type:script
+message:Renew DNS for Wireguard
+description:Renew DNS for Wireguard on stale connections
+
 [genkey]
 command:/usr/local/opnsense/scripts/OPNsense/Wireguard/genkey.sh
 parameters: %s

From 10aee293e8e942a47ade5298fcd2804c8ad7fb2b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 May 2022 10:47:07 +0200
Subject: [PATCH 1039/3088] net/wireguard: fix lint issues

755 is actually required here, .bash suffix to not break POSIX
shell lint.
---
 .../OPNsense/Wireguard/{resolve-dns.sh => resolve-dns.bash}     | 0
 .../src/opnsense/service/conf/actions.d/actions_wireguard.conf  | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/{resolve-dns.sh => resolve-dns.bash} (100%)
 mode change 100644 => 100755

diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
old mode 100644
new mode 100755
similarity index 100%
rename from net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh
rename to net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 84fa90580c..c132c16b8f 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -24,7 +24,7 @@ message:Restarting WireGuard
 description: Restart WireGuard
 
 [renew]
-command:/usr/local/opnsense/scripts/OPNsense/Wireguard/resolve-dns.sh
+command:/usr/local/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
 parameters:
 type:script
 message:Renew DNS for Wireguard

From 8a4cd2b7c374d10ad9e46f6d2f1ac27c1f415ba4 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu, 12 May 2022 17:02:16 +0300
Subject: [PATCH 1040/3088] nginx: add headers_more support (#2845)

---
 .../mvc/app/controllers/OPNsense/Nginx/forms/settings.xml   | 6 ++++++
 .../src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml    | 3 +++
 .../opnsense/service/templates/OPNsense/Nginx/nginx.conf    | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
index 98cbd71d6c..08a0a8716a 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
@@ -53,6 +53,12 @@
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
+            <field>
+                <id>nginx.http.headers_more_enable</id>
+                <label>Enable Headers More module</label>
+                <type>checkbox</type>
+                <help>Enhanced version of the standard headers module. Allows to add, set, or clear any output or input header.</help>
+            </field>
         </subtab>
         <subtab id="nginx-general-webgui" description="GUI Settings">
             <field>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index c6d69989b2..03852a9dae 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -47,6 +47,9 @@
         <Required>N</Required>
         <MinimumValue>1</MinimumValue>
       </server_names_hash_max_size>
+      <headers_more_enable type="BooleanField">
+        <Required>N</Required>
+      </headers_more_enable>
     </http>
 
     <userlist type="ArrayField">
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
index 0be1a6a941..a140d361de 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
@@ -5,6 +5,9 @@ load_module /usr/local/libexec/nginx/ngx_mail_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_js_module.so;
+{% if OPNsense.Nginx.http.headers_more_enable is defined and OPNsense.Nginx.http.headers_more_enable == '1' %}
+load_module /usr/local/libexec/nginx/ngx_http_headers_more_filter_module.so;
+{% endif %}
 
 user www staff;
 worker_processes {{ OPNsense.Nginx.http.workerprocesses }};

From 3bcfab38f6ea265bf23b5b01eccc4e82f75fbb4e Mon Sep 17 00:00:00 2001
From: Starkstromkonsument <it@starkstromkonsument.de>
Date: Thu, 12 May 2022 16:03:09 +0200
Subject: [PATCH 1041/3088] mail/postfix: Switch table format of header_checks
 from regexp_table to pcre_table (#2825)

---
 mail/postfix/Makefile                                         | 2 +-
 mail/postfix/pkg-descr                                        | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Postfix/main.cf   | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index ba8f9944ec..be67c238dc 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.21
+PLUGIN_VERSION=		1.22
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix35
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 0fd8e0ccab..b45544ba64 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.22
+
+* Switch table format of header_checks from regexp_table to pcre_table (contributed by Starkstromkonsument)
+
 1.21
 
 * Add static link to root certficiates
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 3dcc6292b8..c4de83da01 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -35,8 +35,8 @@ virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
 sender_bcc_maps = hash:/usr/local/etc/postfix/senderbcc
 recipient_bcc_maps = hash:/usr/local/etc/postfix/recipientbcc
 sender_canonical_maps = regexp:/usr/local/etc/postfix/sendercanonical
-header_checks = regexp:/usr/local/etc/postfix/header_checks_receiving
-smtp_header_checks = regexp:/usr/local/etc/postfix/header_checks_delivering
+header_checks = pcre:/usr/local/etc/postfix/header_checks_receiving
+smtp_header_checks = pcre:/usr/local/etc/postfix/header_checks_delivering
 smtp_tls_CAfile = /etc/ssl/cert.pem
 ##########################
 # END SYSTEM DEFAULTS

From e3aadd390cbcb3441eac7e2fdc6b7098cb2c1454 Mon Sep 17 00:00:00 2001
From: MeganerdNL <wdeurholt@wdmail.nl>
Date: Thu, 12 May 2022 20:10:30 +0200
Subject: [PATCH 1042/3088] Add missing <style> field

The missing <style> field at TransIP was causing the fields below it to show up in ALL dialogs..
---
 .../controllers/OPNsense/AcmeClient/forms/dialogValidation.xml   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 93a6b7e4bf..3fc1b06600 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1068,6 +1068,7 @@
     <field>
         <label>NOTE: A DNS sleep time of at least 300 is recommended.</label>
         <type>header</type>
+        <style>table_dns table_dns_transip</style>
     </field>
     <field>
         <id>validation.dns_transip_username</id>

From c253ba6ddd9375a5d3c8af573d976d6bea9d4b86 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 May 2022 10:30:26 +0200
Subject: [PATCH 1043/3088] net/vnstat: vnstat is console-based, but the plugin
 is not

---
 net/vnstat/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/vnstat/Makefile b/net/vnstat/Makefile
index 445106e949..d5d2224237 100644
--- a/net/vnstat/Makefile
+++ b/net/vnstat/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		vnstat
 PLUGIN_VERSION=		1.3
-PLUGIN_COMMENT=		vnStat is a console-based network traffic monitor
+PLUGIN_COMMENT=		Network traffic monitor
 PLUGIN_DEPENDS=		vnstat
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 

From 89b122e475a7aab93a966a66226ed2fd34a33bc0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 May 2022 10:31:26 +0200
Subject: [PATCH 1044/3088] README: sync

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 3660856d6e..9b78a2e005 100644
--- a/README.md
+++ b/README.md
@@ -65,7 +65,7 @@ net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
 net/tayga -- Tayga NAT64
 net/udpbroadcastrelay -- Control ubpbroadcastrelay processes
 net/upnp -- Universal Plug and Play Service
-net/vnstat -- vnStat is a console-based network traffic monitor
+net/vnstat -- Network traffic monitor
 net/wireguard -- WireGuard VPN service
 net/wol -- Wake on LAN Service
 net/zerotier -- Virtual Networks That Just Work
@@ -108,7 +108,7 @@ sysutils/smart -- SMART tools
 sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools
 sysutils/xen -- Xen guest utilities
-vendor/sunnyvalley -- Vendor repository for Sensei (Next Generation Firewall Extensions)
+vendor/sunnyvalley -- Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
 www/nginx -- Nginx HTTP server and reverse proxy

From 8f8714c769e1dcf6b0f6cf46967b95fd64f244d3 Mon Sep 17 00:00:00 2001
From: Malware Utkonos <utkonos@users.noreply.github.com>
Date: Fri, 13 May 2022 14:07:19 -0400
Subject: [PATCH 1045/3088] Trim whitespace around public and private keys in
 config. (#2982)

---
 .../OPNsense/Wireguard/Api/ServerController.php           | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
index a492e93802..78e653c9e7 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
@@ -59,8 +59,8 @@ public function addServerAction($uuid = null)
                 $backend = new Backend();
                 $keyspriv = $backend->configdpRun("wireguard genkey", 'private');
                 $keyspub = $backend->configdpRun("wireguard genkey", 'public');
-                $node->privkey = $keyspriv;
-                $node->pubkey = $keyspub;
+                $node->privkey = trim($keyspriv);
+                $node->pubkey = trim($keyspub);
             }
             return $this->validateAndSave($node, 'server');
         }
@@ -84,8 +84,8 @@ public function setServerAction($uuid = null)
                 $backend = new Backend();
                 $keyspriv = $backend->configdpRun("wireguard genkey", 'private');
                 $keyspub = $backend->configdpRun("wireguard genkey", 'public');
-                $node->privkey = $keyspriv;
-                $node->pubkey = $keyspub;
+                $node->privkey = trim($keyspriv);
+                $node->pubkey = trim($keyspub);
             }
             return $this->validateAndSave($node, 'server');
         }

From b6f550e0dfc36378cce9659ab368209fd072066b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 14 May 2022 12:46:50 +0200
Subject: [PATCH 1046/3088] Update resolve-dns.bash (#2984)

---
 .../opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash    | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
index 365344f143..881ef276f7 100755
--- a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
+++ b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
@@ -16,8 +16,7 @@ INTERFACE="${BASH_REMATCH[1]}"
 
 process_peer() {
         [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
-        [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\   ([0-9]+) ]
-] || return 0
+        [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\   ([0-9]+) ]] || return 0
         (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
         wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
         reset_peer_section
@@ -33,8 +32,7 @@ reset_peer_section
 while read -r line || [[ -n $line ]]; do
         stripped="${line%%\#*}"
         key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
-        value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:spa
-ce:]])}"
+        value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
         [[ $key == "["* ]] && { process_peer; reset_peer_section; }
         [[ $key == "[Peer]" ]] && PEER_SECTION=1
         if [[ $PEER_SECTION -eq 1 ]]; then

From 576e202b39225445ae3ac0de8811f9caeb7ae188 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 16 May 2022 09:23:10 +0200
Subject: [PATCH 1047/3088] net/wireguard: update changelog

---
 net/wireguard/pkg-descr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 643516c387..d5787c5ffb 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -18,7 +18,8 @@ Changelog
 
 1.11
 
-* Add script for renewal of Wireguard DNS-based entries for stale connections
+* Add script for renewal of Wireguard DNS-based entries for stale connections (#2956)
+* Trim whitespace around new public and private keys in config (#2982)
 
 1.10
 

From 6cc49824549d199d0815b5e91dcd2cf677509929 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 16 May 2022 09:25:15 +0200
Subject: [PATCH 1048/3088] www/nginx: update changelog

---
 www/nginx/Makefile  | 3 +--
 www/nginx/pkg-descr | 6 +++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 84532fec15..038d7a4536 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.26
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.27
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 77df4834a5..120f8ba95b 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,10 +10,14 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.27
+
+* add headers_more support (contributed by kulikov-a)
+
 1.26
 
 * Enhancement of security headers (contributed by Manuel Faux)
-  Add Frame-Ancestors, add "preload", removed deprecated HPKP
+* Add Frame-Ancestors, add "preload", removed deprecated HPKP
 * Performance enhancements for log display
 * Fixed display of vts and logs for non-default styles
 

From 579adb0ea9f752682b6aab920dff5bd6123e4783 Mon Sep 17 00:00:00 2001
From: Budiman Jojo <budimanjojo@gmail.com>
Date: Mon, 16 May 2022 16:59:19 +0700
Subject: [PATCH 1049/3088] net/wireguard: fix newlines and typos (#2983)

---
 .../OPNsense/Wireguard/resolve-dns.bash       | 30 +++++++++----------
 .../conf/actions.d/actions_wireguard.conf     |  4 +--
 2 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
index 881ef276f7..b7faf881ad 100755
--- a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
+++ b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
@@ -8,40 +8,38 @@ shopt -s nocasematch
 shopt -s extglob
 export LC_ALL=C
 
-for CONFIG_FILE in /usr/local/etc/wireguard/*.conf
-do
+for CONFIG_FILE in /usr/local/etc/wireguard/*.conf; do
 
-[[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]]
-INTERFACE="${BASH_REMATCH[1]}"
+    [[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]]
+    INTERFACE="${BASH_REMATCH[1]}"
 
-process_peer() {
+    process_peer() {
         [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
-        [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\   ([0-9]+) ]] || return 0
+        [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\	([0-9]+) ]] || return 0
         (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
         wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
         reset_peer_section
-}
+    }
 
-reset_peer_section() {
+    reset_peer_section() {
         PEER_SECTION=0
         PUBLIC_KEY=""
         ENDPOINT=""
-}
+    }
 
-reset_peer_section
-while read -r line || [[ -n $line ]]; do
+    reset_peer_section
+    while read -r line || [[ -n $line ]]; do
         stripped="${line%%\#*}"
         key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
         value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
         [[ $key == "["* ]] && { process_peer; reset_peer_section; }
         [[ $key == "[Peer]" ]] && PEER_SECTION=1
         if [[ $PEER_SECTION -eq 1 ]]; then
-                case "$key" in
+            case "$key" in
                 PublicKey) PUBLIC_KEY="$value"; continue ;;
                 Endpoint) ENDPOINT="$value"; continue ;;
-                esac
+            esac
         fi
-done < "$CONFIG_FILE"
-process_peer
-
+    done < "$CONFIG_FILE"
+    process_peer
 done
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index c132c16b8f..ac9d353e8a 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -27,8 +27,8 @@ description: Restart WireGuard
 command:/usr/local/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
 parameters:
 type:script
-message:Renew DNS for Wireguard
-description:Renew DNS for Wireguard on stale connections
+message:Renew DNS for WireGuard
+description:Renew DNS for WireGuard on stale connections
 
 [genkey]
 command:/usr/local/opnsense/scripts/OPNsense/Wireguard/genkey.sh

From 8c48df65b2fc0a38f5dc69bbc335eeb07fc7d3c2 Mon Sep 17 00:00:00 2001
From: Fabio Castagnino <fabiocastagnino@users.noreply.github.com>
Date: Mon, 7 Mar 2022 18:08:00 +0100
Subject: [PATCH 1050/3088] add support for custom configuration

---
 .../opnsense/service/templates/OPNsense/Nginx/streams.conf    | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index f19d6a6cd5..bada862439 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -83,6 +83,8 @@
         ssl_prefer_server_ciphers on;
 {%   endif %}
 
+        include {{ server['@uuid'] }}_pre/*.conf;
+        
 {%   if server.route_field == 'upstream' %}
 {%     if server.upstream is defined %}
 {%       set upstream = helpers.getUUID(server.upstream) %}
@@ -105,6 +107,8 @@
 {%     endfor %}
 {%   endif%}
 
+        include {{ server['@uuid'] }}_post/*.conf;
+
     }
 {% endfor %}
 {% endif %}

From 051ff70b0068ebe0fe46bad27ffbaabdf61164c6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 May 2022 15:37:36 +0200
Subject: [PATCH 1051/3088] www/nginx: update package description

---
 www/nginx/pkg-descr                                             | 1 +
 .../src/opnsense/service/templates/OPNsense/Nginx/streams.conf  | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 120f8ba95b..16d6c5655d 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 1.27
 
+* add support for custom configuration in stream server (contributed by Fabio Castagnino)
 * add headers_more support (contributed by kulikov-a)
 
 1.26
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index bada862439..a9c265e49e 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -84,7 +84,7 @@
 {%   endif %}
 
         include {{ server['@uuid'] }}_pre/*.conf;
-        
+
 {%   if server.route_field == 'upstream' %}
 {%     if server.upstream is defined %}
 {%       set upstream = helpers.getUUID(server.upstream) %}

From 0ca50060cbee0991b55886c3db2495db672edbee Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 18 May 2022 11:12:23 +0200
Subject: [PATCH 1052/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 5dd108a98a..e43cc7d263 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.10
+PLUGIN_VERSION=		3.11
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 6cd62b0b1e..2ca43dc00d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.11
+
+Fixed:
+* Add missing <style> field for TransIP (#2981)
+
 3.10
 
 Added:

From f98282b821d5fa64b49eeef102f6559fb617ac98 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Tue, 24 May 2022 17:45:09 +0200
Subject: [PATCH 1053/3088] net/frr add disable-connected-check option (#2989)

While working on an Azure setup where the neighbor isn't within visible range, we stumbled upon the "disable-connected-check" option to allow loopback addresses.
Reading a bit further there seem to be different ways of dealing with similar kind of situations.

Either by setting an ebgp-multihop ttl value or to enable the disable-connected-check option. Since the multihop didn't come with a help text, it seemed like a good idea to add at least the upstream frr one. Knowning that the current multihop fieldtype currently is wrong ("enabling" will set a ttl of 255, where it should have been a number)
---
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml  | 12 +++++++++++-
 .../opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml  |  4 ++++
 .../service/templates/OPNsense/Quagga/bgpd.conf      |  3 +++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 8665c2bce2..1af5adf4a3 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -63,6 +63,10 @@
   <field>
     <id>neighbor.multihop</id>
     <label>Multi-Hop</label>
+    <help>
+      Specifying ebgp-multihop allows sessions with eBGP neighbors to establish when they are multiple hops away.
+      When the neighbor is not directly connected and this knob is not enabled, the session will not establish.
+    </help>
     <type>checkbox</type>
   </field>
   <field>
@@ -113,7 +117,13 @@
     <id>neighbor.asoverride</id>
     <label>Enable AS-Override</label>
     <type>checkbox</type>
-	<help>Override AS number of the originating router with the local AS number. This command is only allowed for eBGP peers.</help>
+    <help>Override AS number of the originating router with the local AS number. This command is only allowed for eBGP peers.</help>
+  </field>
+  <field>
+    <id>neighbor.disable_connected_check</id>
+    <label>Disable Connected Check</label>
+    <type>checkbox</type>
+    <help>Allow peerings between directly connected eBGP peers using loopback addresses.</help>
   </field>
   <field>
     <id>neighbor.linkedPrefixlistIn</id>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 0f37813cbe..f22fe8cd22 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -128,6 +128,10 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </asoverride>
+                        <disable_connected_check type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </disable_connected_check>
                         <linkedPrefixlistIn type="ModelRelationField">
                                 <Model>
                                         <template>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index de3d7b4c24..b7f585aff0 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -106,6 +106,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     if 'asoverride' in neighbor and neighbor.asoverride == '1' %}
   neighbor {{ neighbor.address }} as-override
 {%         endif %}
+{%     if 'disable_connected_check' in neighbor and neighbor.disable_connected_check == '1' %}
+  neighbor {{ neighbor.address }} disable-connected-check
+{%         endif %}
 {%     if neighbor.linkedPrefixlistIn|default("") != "" %}
 {%       for prefixlist in neighbor.linkedPrefixlistIn.split(",") %}
 {%         set prefixlist2_data = helpers.getUUID(prefixlist) %}

From 86a8cfc43e0eeef462a55aa57f0fb5ca9969e56f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 25 May 2022 15:04:13 +0200
Subject: [PATCH 1054/3088] net/frr: prepare for next release

---
 net/frr/Makefile  | 2 +-
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 98526d16f7..bc203e8c5e 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.28
+PLUGIN_VERSION=		1.29
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 5219eed253..340c620761 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.29
+
+* Add disable-connected-check option
+
 1.28
 
 * OSPF6 Interface change networktype and interfacename to dropdown in stead of multi select

From 7f172eef0e6f61b13fcb1fcb9dea9dfc74b5d41b Mon Sep 17 00:00:00 2001
From: Fabian Franz <franz.fabian.94@gmail.com>
Date: Thu, 26 May 2022 07:54:06 +0200
Subject: [PATCH 1055/3088] www/nginx: add support for workers and websockets
 in CSP directive

---
 www/nginx/Makefile                            |  2 +-
 www/nginx/pkg-descr                           |  4 +
 .../OPNsense/Nginx/forms/security_headers.xml | 91 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 48 +++++++++-
 .../OPNsense/Nginx/security_rule.conf         |  2 +-
 5 files changed, 144 insertions(+), 3 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 038d7a4536..ecfd00ffea 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.27
+PLUGIN_VERSION=		1.28
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 16d6c5655d..ec8555ac5b 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.28
+
+* add support for connect-src and worker-src in content security policy
+
 1.27
 
 * add support for custom configuration in stream server (contributed by Fabio Castagnino)
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
index a5a2eab0b1..2e7a4b839d 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
@@ -617,6 +617,97 @@
       <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
     </field>
   </tab>
+  <tab id="connect_src" description="Websockets">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Connect Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_connect_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_connect_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow connecting to websockets. You can use wildcards here like wss://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_connect_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
+  <tab id="worker_src" description="Worker">
+    <field>
+      <type>header</type>
+      <label>Content Security Policy: Worker Source</label>
+      <hint><![CDATA[The setting <em>Content Security Policy: Enable</em> on the <em>General</em> tab needs to be enabled to activate this header.]]></hint>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_enabled</id>
+      <label>Enable</label>
+      <type>checkbox</type>
+      <help>If checked, this part of the CSP is enabled.</help>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_data_urls</id>
+      <label>Enable Data URLs</label>
+      <help>Data URLs are used to embed files into HTML (for example images written directly into the src attribute).</help>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_http_urls</id>
+      <label>Enable HTTP(S) URLs</label>
+      <type>select_multiple</type>
+      <allownew>true</allownew>
+      <style>tokenize</style>
+      <help>Allow loading files over HTTP(S) allows downloading of content over other domains or CDNs.
+        You can use wildcards here like https://*.exmaple.com.</help>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_inline</id>
+      <label>Enable Inline Scripting</label>
+      <type>checkbox</type>
+      <help>Checking this directive allows to use scripts or styles directly embedded in in the HTML content.
+        Examples are the script and the style tags.</help>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_eval</id>
+      <label>Enable Eval</label>
+      <type>checkbox</type>
+      <help>Checking this box allows functions like eval or createFunction in JS, or style attributes for CSS.</help>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_self</id>
+      <label>Enable Same Origin (recommended)</label>
+      <type>checkbox</type>
+      <help>Allows everything from the same site (path can differ, but host, protocol and port need to be the same).</help>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_blob</id>
+      <label>Enable Blobs</label>
+      <type>checkbox</type>
+      <help>Allows to use blobs as a data source. This usually is content, which is somehow generated in JavaScript.</help>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_filesystem</id>
+      <label>Enable File System URLs</label>
+      <type>checkbox</type>
+    </field>
+    <field>
+      <id>security_header.csp_worker_src_none</id>
+      <label>Forbid Explicitly</label>
+      <type>checkbox</type>
+      <help>If this checkbox is checked, all other settings for this directive are ignored and everything will be forbidden.</help>
+    </field>
+  </tab>
   <tab id="form-action" description="Form">
     <field>
       <type>header</type>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 03852a9dae..f77f691b92 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.26.0</version>
+  <version>1.28.0</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -1512,6 +1512,52 @@
         <Required>Y</Required>
         <default>0</default>
       </csp_frame_ancestors_none>
+      <csp_connect_src_enabled type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_connect_src_enabled>
+      <csp_connect_src_http_urls type="CSVListField">
+        <Required>N</Required>
+      </csp_connect_src_http_urls>
+      <csp_connect_src_none type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_connect_src_none>
+      <csp_worker_src_enabled type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_worker_src_enabled>
+      <csp_worker_src_data_urls type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_worker_src_data_urls>
+      <csp_worker_src_http_urls type="CSVListField">
+        <Required>N</Required>
+      </csp_worker_src_http_urls>
+      <csp_worker_src_inline type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_worker_src_inline>
+      <csp_worker_src_eval type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_worker_src_eval>
+      <csp_worker_src_self type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_worker_src_self>
+      <csp_worker_src_blob type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_worker_src_blob>
+      <csp_worker_src_filesystem type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_worker_src_filesystem>
+      <csp_worker_src_none type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_worker_src_none>
       <csp_form_action_enabled type="BooleanField">
         <Required>Y</Required>
         <default>0</default>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
index f309c4cbf2..0a46c83a18 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
@@ -19,7 +19,7 @@
 {% endif %}
 {% if security_rule.enable_csp is defined and security_rule.enable_csp == '1' %}
 {% set hash_csp = {} %}
-{%   for csp_category in ['default-src', 'script-src', 'img-src', 'style-src', 'media-src', 'font-src', 'frame-src', 'frame-ancestors', 'form-action'] %}
+{%   for csp_category in ['default-src', 'script-src', 'img-src', 'style-src', 'media-src', 'font-src', 'frame-src', 'frame-ancestors', 'form-action', 'connect-src', 'worker-src'] %}
 {%     set prefix = 'csp_' + csp_category.replace('-', '_') + '_' %}
 {%     if security_rule[prefix + 'enabled'] == '1' %}
 {%       set current_list = [] %}

From f0dc836495a0378108d10639cb9d70b3f35caa2d Mon Sep 17 00:00:00 2001
From: Fabian Franz <franz.fabian.94@gmail.com>
Date: Thu, 26 May 2022 11:27:51 +0200
Subject: [PATCH 1056/3088] www/nginx: add support proxy_responses directive in
 streams

---
 www/nginx/pkg-descr                                      | 1 +
 .../controllers/OPNsense/Nginx/forms/streamserver.xml    | 9 ++++++++-
 .../src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml | 4 ++++
 .../service/templates/OPNsense/Nginx/streams.conf        | 3 +++
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index ec8555ac5b..b1aa7bc3ad 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 1.28
 
 * add support for connect-src and worker-src in content security policy
+* add support for proxy_responses property in streams
 
 1.27
 
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
index a76c22e977..b988ecbc49 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
@@ -26,7 +26,7 @@
     <help>If you enable the proxy protocol, a downstream proxy can send the client IP and port before the real traffic is set.</help>
   </field>
   <field>
-    <id>httpserver.trusted_proxies</id>
+    <id>streamserver.trusted_proxies</id>
     <label>Trusted Proxies</label>
     <allownew>true</allownew>
     <style>tokenize</style>
@@ -34,6 +34,13 @@
     <advanced>true</advanced>
     <help>Enter a list of IP addresses or CIDR networks which are allowed to override the source IP address using the specified header.</help>
   </field>
+  <field>
+    <id>streamserver.proxy_responses</id>
+    <label>Proxy Responses (UDP)</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Due to the nature of UDP, nginx cannot know, when the communication ends and this helps as it tells nginx the number of datagrams the communication is expected to last on server side and it is expected to be closed afterwards. If you enter 0, it is expected, that the server never responds to a datagram. If nginx gets a datagram, it will still get forwarded to the client. Setting this option might be useful in (mostly) unidirectional communication as well.</help>
+  </field>
   <field>
     <id>streamserver.certificate</id>
     <label>TLS Certificate</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index f77f691b92..48d2e18bf0 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1059,6 +1059,10 @@
         <Required>N</Required>
         <multiple>N</multiple>
       </ip_acl>
+      <proxy_responses type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>0</MinimumValue>
+      </proxy_responses>
     </stream_server>
 
     <sni_hostname_upstream_map type="ArrayField">
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index a9c265e49e..25c6c2ce27 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -101,6 +101,9 @@
         proxy_pass $hostmap{{ server.sni_upstream_map.replace('-','') }};
 {%   endif %}
         proxy_protocol {% if server.proxy_protocol == '1' %}on{% else %}off{% endif %};
+{%   if server.proxy_responses is defined and server.proxy_responses != '' %}
+        proxy_responses {{ server.proxy_responses }};
+{%   endif%}
 {%   if server.trusted_proxies is defined and server.trusted_proxies != '' %}
 {%     for trusted_proxy in server.trusted_proxies.split(',') %}
         set_real_ip_from {{ trusted_proxy }};

From 1f56aa14331542bb8d74218e75315128bf156f01 Mon Sep 17 00:00:00 2001
From: Fabian Franz <franz.fabian.94@gmail.com>
Date: Thu, 26 May 2022 11:29:34 +0200
Subject: [PATCH 1057/3088] www/nginx: add support proxy_responses directive in
 streams

---
 www/nginx/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index b1aa7bc3ad..697dfaafe4 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 
 * add support for connect-src and worker-src in content security policy
 * add support for proxy_responses property in streams
+* bugfix: trusted proxies field is now correctly named which makes it usable
 
 1.27
 

From 4723896915e324d4f9d9b2d133058b0b7af1359b Mon Sep 17 00:00:00 2001
From: Neozlag <50456371+Neozlag@users.noreply.github.com>
Date: Wed, 1 Jun 2022 10:52:46 +0200
Subject: [PATCH 1058/3088] dns/ddclient - add gandi support  (#2997)

* add gandi support for ddclient
---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 944bc435e4..003426fc8f 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -47,6 +47,7 @@
                         <easydns>EasyDNS</easydns>
                         <freedns>FreeDNS</freedns>
                         <googledomains>Google</googledomains>
+                        <gandi>Gandi.net</gandi>
                         <he-net>HE.net</he-net>
                         <he-net-tunnel>HE.net TunnelBroker</he-net-tunnel>
                         <inwx>INWX</inwx>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 1d9dbb54d2..27d26193d7 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -52,6 +52,9 @@ server=freedns.afraid.org, \
 {%      elif account.service == 'dynu' %}
 protocol=dyndns2, \
 server=api.dynu.com, \
+{%      elif account.service == 'gandi' %}
+protocol=gandi
+zone={{account.zone}}, \
 {%      elif account.service == 'he-net' %}
 protocol=dyndns2, \
 server=dyn.dns.he.net, \

From 3bcbadaf1c84465915d35fb40b21aa187edb7593 Mon Sep 17 00:00:00 2001
From: Nicola <xbb@users.noreply.github.com>
Date: Thu, 2 Jun 2022 09:29:37 +0200
Subject: [PATCH 1059/3088] sysutils/apcupsd: new plugin (#2799)

This is a plugin to configure the apcupsd service, it includes a widget for the dashboard

Originally started by @Gibbon99 and @mrzaz (please mention their contribution too), repo here: https://github.com/Gibbon99/apcupsd and my fork: https://github.com/xbb/apcupsd where you can see the full changelog/commit list

Forum thread: https://forum.opnsense.org/index.php?topic=21487.0
---
 sysutils/apcupsd/Makefile                     |   8 +
 sysutils/apcupsd/pkg-descr                    |  21 ++
 .../src/etc/inc/plugins.inc.d/apcupsd.inc     |  77 ++++
 .../Apcupsd/Api/ServiceController.php         | 151 ++++++++
 .../Apcupsd/Api/SettingsController.php        |  41 ++
 .../OPNsense/Apcupsd/IndexController.php      |  48 +++
 .../OPNsense/Apcupsd/StatusController.php     |  47 +++
 .../OPNsense/Apcupsd/forms/general.xml        | 183 +++++++++
 .../app/models/OPNsense/Apcupsd/ACL/ACL.xml   |   9 +
 .../app/models/OPNsense/Apcupsd/Apcupsd.php   |  39 ++
 .../app/models/OPNsense/Apcupsd/Apcupsd.xml   | 159 ++++++++
 .../app/models/OPNsense/Apcupsd/Menu/Menu.xml |   8 +
 .../mvc/app/views/OPNsense/Apcupsd/index.volt |  74 ++++
 .../app/views/OPNsense/Apcupsd/status.volt    |  42 +++
 .../conf/actions.d/actions_apcupsd.conf       |  29 ++
 .../templates/OPNsense/Apcupsd/+TARGETS       |   2 +
 .../templates/OPNsense/Apcupsd/apcupsd        |  23 ++
 .../templates/OPNsense/Apcupsd/apcupsd.conf   | 356 ++++++++++++++++++
 .../src/www/widgets/include/apcupsd.inc       |   4 +
 .../www/widgets/widgets/apcupsd.widget.php    | 219 +++++++++++
 20 files changed, 1540 insertions(+)
 create mode 100644 sysutils/apcupsd/Makefile
 create mode 100644 sysutils/apcupsd/pkg-descr
 create mode 100644 sysutils/apcupsd/src/etc/inc/plugins.inc.d/apcupsd.inc
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/SettingsController.php
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/IndexController.php
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/StatusController.php
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/forms/general.xml
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.php
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/index.volt
 create mode 100644 sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/status.volt
 create mode 100644 sysutils/apcupsd/src/opnsense/service/conf/actions.d/actions_apcupsd.conf
 create mode 100644 sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/+TARGETS
 create mode 100644 sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/apcupsd
 create mode 100644 sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/apcupsd.conf
 create mode 100644 sysutils/apcupsd/src/www/widgets/include/apcupsd.inc
 create mode 100644 sysutils/apcupsd/src/www/widgets/widgets/apcupsd.widget.php

diff --git a/sysutils/apcupsd/Makefile b/sysutils/apcupsd/Makefile
new file mode 100644
index 0000000000..1b08a99071
--- /dev/null
+++ b/sysutils/apcupsd/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=        apcupsd
+PLUGIN_DEVEL=       yes
+PLUGIN_VERSION=     0.1
+PLUGIN_DEPENDS=     apcupsd
+PLUGIN_COMMENT=     APCUPSD - APC UPS daemon
+PLUGIN_MAINTAINER=  xbb@xbblabs.com
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/apcupsd/pkg-descr b/sysutils/apcupsd/pkg-descr
new file mode 100644
index 0000000000..28f097d83a
--- /dev/null
+++ b/sysutils/apcupsd/pkg-descr
@@ -0,0 +1,21 @@
+Apcupsd, short for APC UPS daemon, can be used for controlling all APC UPS models.
+It can monitor and log the current power and battery status, perform automatic
+shutdown, and can run in network mode in order to power down other hosts on a LAN.
+
+This plugin allows you to configure an APC UPS for use with OPNsense using the
+Apcupsd project. The setup page allows you to set the most common options for
+connecting your UPS to your OPNsense router and a status page for the UPS
+status. It also includes support to act as an APC Netserver.
+
+WWW: http://www.apcupsd.org/
+
+Plugin Changelog
+================
+
+1.0
+
+Initial release
+
+* Apcupsd service control and configuration
+* UPS status page
+* Dashboard widget
diff --git a/sysutils/apcupsd/src/etc/inc/plugins.inc.d/apcupsd.inc b/sysutils/apcupsd/src/etc/inc/plugins.inc.d/apcupsd.inc
new file mode 100644
index 0000000000..94a2640164
--- /dev/null
+++ b/sysutils/apcupsd/src/etc/inc/plugins.inc.d/apcupsd.inc
@@ -0,0 +1,77 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Dan Lundqvist
+ *    Copyright (C) 2021 David Berry
+ *    Copyright (C) 2021 Nicola Pellegrini
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * register service
+ * @return array
+ */
+function apcupsd_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (
+        isset($config['OPNsense']['apcupsd']['general']['Enabled']) &&
+        $config['OPNsense']['apcupsd']['general']['Enabled'] == 1
+    ) {
+        $services[] = array(
+            'description' => gettext('APC UPS Daemon'),
+            'configd' => array(
+                'restart' => array('apcupsd restart'),
+                'start' => array('apcupsd start'),
+                'stop' => array('apcupsd stop'),
+            ),
+            'name' => 'apcupsd',
+            'pidfile' => '/var/run/apcupsd.pid'
+        );
+    }
+    return $services;
+}
+
+/**
+ * sync configuration via xmlrpc
+ * @return array
+ */
+function apcupsd_xmlrpc_sync()
+{
+    $result = array();
+
+    $result[] = array(
+        'description' => gettext('APC UPS Daemon'),
+        'section' => 'OPNsense.apcupsd',
+        'id' => 'apcupsd',
+        'services' => ["apcupsd"],
+    );
+
+    return $result;
+}
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
new file mode 100644
index 0000000000..ea6380e965
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
@@ -0,0 +1,151 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Dan Lundqvist
+ *    Copyright (C) 2021 David Berry
+ *    Copyright (C) 2021 Nicola Pellegrini
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Apcupsd\Api;
+
+use DateTime;
+use DateTimeInterface;
+use OPNsense\Core\Backend;
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Apcupsd\Apcupsd';
+    protected static $internalServiceTemplate = 'OPNsense/Apcupsd';
+    protected static $internalServiceEnabled = 'general.Enabled';
+    protected static $internalServiceName = 'apcupsd';
+
+    private static $dateTimeFields = [
+        'DATE',
+        'STARTTIME',
+        'MASTERUPD',
+        'END APC',
+        'XONBATT',
+        'XOFFBATT',
+    ];
+
+    private static $dateFields = [
+        'MANDATE',
+        'BATDATE'
+    ];
+
+    public function getUpsStatusAction()
+    {
+        $result = $this->getUpsStatusOutput();
+        $result['status'] = null;
+        if (!$result['error']) {
+            $result['status'] = $this->parseUpsStatus($result['output']);
+        }
+        return $result;
+    }
+
+    private function parseUpsStatus($statusOutput)
+    {
+        $status = array();
+        foreach (explode("\n", $statusOutput) as $line) {
+            $kv = array_map('trim', explode(':', $line, 2));
+            $key = $kv[0];
+            $value = isset($kv[1]) ? $kv[1] : null;
+            $norm = $value;
+            if (empty($key)) {
+                continue;
+            }
+            if ($value === 'N/A') {
+                $norm = null;
+            } elseif (in_array($key, self::$dateTimeFields, true)) {
+                $norm = $this->tryParseDateTime($value);
+            } elseif (in_array($key, self::$dateFields, true)) {
+                $norm = $this->tryParseDate($value);
+            } elseif (preg_match('/^((?:[0-9]*[.])?[0-9]+)(?:\s+\w+)?$/i', $value, $matches)) {
+                $norm = floatval($matches[1]);
+            }
+            $status[$key] = array(
+                'value' => $value,
+                'norm' => $norm
+            );
+        }
+        return $status;
+    }
+
+    private function tryParseDateTime($dateTimeString) {
+        $formats = [
+            'Y-m-d H:i:s P', // 2021-12-27 17:51:42 +0100
+            'D M d H:i:s T Y' // Sat Sep 16 17:13:00 CEST 2000
+        ];
+        foreach ($formats as $format) {
+            $dt = DateTime::createFromFormat($format, $dateTimeString);
+            if ($dt) {
+                return $dt->format(DateTimeInterface::RFC3339);
+            }
+        }
+        return $dateTimeString;
+    }
+
+    private function tryParseDate($dateString) {
+        $formats = [
+            'Y-m-d', // 2021-12-27
+            'm/d/y', // 12/27/21
+        ];
+        foreach ($formats as $format) {
+            $dt = DateTime::createFromFormat($format, $dateString);
+            if ($dt) {
+                return $dt->format('Y-m-d');
+            }
+        }
+        return $dateString;
+    }
+
+    private function getUpsStatusOutput()
+    {
+        $output = $error = null;
+
+        if ($this->isEnabled()) {
+            $backend = new Backend();
+            $output = trim($backend->configdRun('apcupsd upsstatus'));
+            if (empty($output)) {
+                $error = 'Error: empty output from apcaccess';
+            }
+        } else {
+            $error = 'Error: apcupsd is disabled';
+        }
+
+        return array(
+            'error' => $error,
+            'output' => $output
+        );
+    }
+
+    private function isEnabled()
+    {
+        return $this->getModel()->general->Enabled == '1';
+    }
+}
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/SettingsController.php b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/SettingsController.php
new file mode 100644
index 0000000000..a0132319e8
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/SettingsController.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Dan Lundqvist
+ *    Copyright (C) 2021 David Berry
+ *    Copyright (C) 2021 Nicola Pellegrini
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Apcupsd\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Apcupsd\Apcupsd';
+    protected static $internalModelName = 'apcupsd';
+}
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/IndexController.php b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/IndexController.php
new file mode 100644
index 0000000000..2ed3db9b83
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/IndexController.php
@@ -0,0 +1,48 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Dan Lundqvist
+ *    Copyright (C) 2021 David Berry
+ *    Copyright (C) 2021 Nicola Pellegrini
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Apcupsd;
+
+/**
+ * Class IndexController
+ * @package OPNsense\Apcupsd
+ */
+
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // pick the template to serve to our users.
+        $this->view->pick('OPNsense/Apcupsd/index');
+        $this->view->generalForm = $this->getForm("general");
+    }
+}
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/StatusController.php b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/StatusController.php
new file mode 100644
index 0000000000..7930cca276
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/StatusController.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Dan Lundqvist
+ *    Copyright (C) 2021 David Berry
+ *    Copyright (C) 2021 Nicola Pellegrini
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Apcupsd;
+
+/**
+ * Class StatusController
+ * @package OPNsense\Apcupsd
+ */
+
+class StatusController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // pick the template to serve to our use
+        $this->view->pick('OPNsense/Apcupsd/status');
+    }
+}
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/forms/general.xml b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/forms/general.xml
new file mode 100644
index 0000000000..0aa561920a
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/forms/general.xml
@@ -0,0 +1,183 @@
+<form>
+    <field>
+        <id>apcupsd.general.Enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable the APC UPS service.</help>
+    </field>
+    <field>
+        <id>apcupsd.general.UPSName</id>
+        <label>UPS Name</label>
+        <type>text</type>
+        <help>
+            Specify a name for the UPS for log files, status reports etc.,
+            between 1 and 99 characters in length.
+        </help>
+        <hint>Name of the UPS for log files, status reports etc.</hint>
+    </field>
+    <field>
+        <id>apcupsd.general.UPSCable</id>
+        <label>UPS Cable Type</label>
+        <type>dropdown</type>
+        <help>Select the type of cable connecting the UPS to the server.</help>
+    </field>
+    <field>
+        <id>apcupsd.general.UPSType</id>
+        <label>UPS Type</label>
+        <type>dropdown</type>
+        <help>Select the type of UPS in use. You may also need to specify the UPS device below.</help>
+    </field>
+    <field>
+        <id>apcupsd.general.Device</id>
+        <label>UPS Device</label>
+        <type>text</type>
+        <help>
+            <![CDATA[
+            Specify the device path for the selected type of UPS:<br>
+            usb: leave blank for auto-detection<br>
+            apcsmart or dumb: /dev/tty** (serial connection)<br>
+            net: host:port (remote apcupsd network information server)<br>
+            snmp: host:port:vendor:community<br>
+            pcnet: ipaddr:username:passphrase (SmartSlot card)
+            ]]>
+        </help>
+        <hint>Path or address, leave blank for USB</hint>
+    </field>
+    <field>
+        <id>apcupsd.general.Polltime</id>
+        <label>Polltime</label>
+        <type>text</type>
+        <help>
+            <![CDATA[
+            The rate in seconds that the daemon polls the UPS for status.
+            This rate is automatically set to 1 second when the UPS goes on battery and reset to the specified value
+            when the utility power returns.<br>
+            A low setting will improve the daemon's responsiveness to certain events at the cost of higher CPU
+            utilisation.<br>
+            The default of 60 is appropriate for most situations.
+            ]]>
+        </help>
+    </field>
+    <field>
+        <id>apcupsd.general.BatteryLevel</id>
+        <label>Battery Level Shutdown (%)</label>
+        <type>text</type>
+        <help>Apcupsd will shutdown the system during a power failure when the remaining battery charge falls below the
+            specified percentage. (Default is 5).</help>
+    </field>
+    <field>
+        <id>apcupsd.general.Minutes</id>
+        <label>Battery Minutes Shutdown</label>
+        <type>text</type>
+        <help>
+            Apcupsd will shutdown the system during a power failure when the remaining runtime on batteries as
+            internally calculated by the UPS falls below the specified minutes. (Default is 3)
+        </help>
+    </field>
+    <field>
+        <id>apcupsd.general.Timeout</id>
+        <label>Battery Timeout Shutdown</label>
+        <type>text</type>
+        <help>
+            <![CDATA[
+            After a power failure occurs, apcupsd will shutdown the system after the specified number of seconds
+            have expired.<br>
+            For a Smart-UPS, this should normally be set to zero so that the shutdown time will be determined by the
+            battery level or remaining runtime.<br>
+            It is also useful for testing apcupsd because you can force a rapid shutdown by setting a small value
+            (eg. 60) and turning off the power to the UPS.
+            ]]>
+        </help>
+    </field>
+    <field>
+        <id>apcupsd.general.OnBatteryDelay</id>
+        <label>OnBattery Event Delay</label>
+        <type>text</type>
+        <help>
+            The number of seconds from when a power failure is detected until apcupsd reacts with an onbattery event.
+            (Default is 6).
+        </help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.Annoy</id>
+        <label>Annoy Time</label>
+        <type>text</type>
+        <help>Time in seconds between annoying users to signoff prior to system shutdown. 0 disables.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.AnnoyDelay</id>
+        <label>Annoy Delay</label>
+        <type>text</type>
+        <help>Initial delay after power failure before warning users to get off the system.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.KillDelay</id>
+        <label>Kill Delay</label>
+        <type>text</type>
+        <help>
+            <![CDATA[
+            Specifies the number of seconds for which apcupsd will continue running after a shutdown has been
+            requested.<br>
+            After the specified time, apcupsd will attempt to put the UPS into hibernate mode and kill the power to
+            the computer.<br>
+            This is for use on operating systems where apcupsd cannot regain control after a shutdown (eg. FreeBSD)
+            to issue an apcupsd --killpower command.<br>
+            Setting the delay to 0 disables it.
+            ]]>
+        </help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.Netserver</id>
+        <label>Netserver</label>
+        <type>checkbox</type>
+        <help>Enables the network information server which is required to obtain the current status information
+            from the local or remote UPS.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.NetserverAddress</id>
+        <label>Netserver IP Address</label>
+        <type>text</type>
+        <hint>127.0.0.1 is the default</hint>
+        <help>
+            <![CDATA[
+            IP address on which the net information server will listen for incoming connections.<br>
+            Default address is 127.0.0.1 which means only local machine connections are accepted.
+            ]]>
+        </help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.NetserverPort</id>
+        <label>Netserver Port</label>
+        <type>text</type>
+        <help>Network port used to send status and event data over the network.</help>
+        <hint>Port 3551 is the default as registered with the IANA.</hint>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.UPSClass</id>
+        <label>UPS Class</label>
+        <type>dropdown</type>
+        <help>Normally standalone unless you share an UPS using an APC ShareUPS card.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.UPSMode</id>
+        <label>UPS Mode</label>
+        <type>dropdown</type>
+        <help>Normally disable unless you share an UPS using an APC ShareUPS card.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>apcupsd.general.NoLogon</id>
+        <label>Nologon Mode</label>
+        <type>dropdown</type>
+        <help>The condition which determines when users are prevented from logging in during a power failure.</help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
new file mode 100644
index 0000000000..a911bfa876
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-apcupsd>
+        <name>Services: Apcupsd System Monitoring page</name>
+        <patterns>
+            <pattern>ui/apcupsd/*</pattern>
+            <pattern>api/apcupsd/*</pattern>
+        </patterns>
+    </page-services-apcupsd>
+</acl>
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.php b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.php
new file mode 100644
index 0000000000..98e12f8a36
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ *    Copyright (C) 2021 Dan Lundqvist
+ *    Copyright (C) 2021 David Berry
+ *    Copyright (C) 2021 Nicola Pellegrini
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Apcupsd;
+
+use OPNsense\Base\BaseModel;
+
+class Apcupsd extends BaseModel
+{
+}
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
new file mode 100644
index 0000000000..cf344164f0
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
@@ -0,0 +1,159 @@
+<model>
+    <mount>//OPNsense/apcupsd</mount>
+    <version>0.0.2</version>
+    <description>APC UPS configuration</description>
+    <items>
+        <general>
+            <Enabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </Enabled>
+            <UPSName type="TextField">
+                <Required>N</Required>
+                <mask>/^([0-9a-zA-Z._\- ]){1,99}$/</mask>
+                <ValidationMessage>
+                    The name should be 1 to 99 characters and contain only alphanumeric characters,
+                    dashes, underscores, dot or space.
+                </ValidationMessage>
+            </UPSName>
+            <UPSCable type="OptionField">
+                <default>smart</default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <option value="simple">Simple</option>
+                    <option value="smart">Smart</option>
+                    <option value="ether">Ether</option>
+                    <option value="usb">USB</option>
+                    <option value="940-0020B">940-0020B</option>
+                    <option value="940-0020C">940-0020C</option>
+                    <option value="940-0023A">940-0023A</option>
+                    <option value="940-0024B">940-0024B</option>
+                    <option value="940-0024C">940-0024C</option>
+                    <option value="940-0024G">940-0024G</option>
+                    <option value="940-0095A">940-0095A</option>
+                    <option value="940-0095B">940-0095B</option>
+                    <option value="940-0095C">940-0095C</option>
+                    <option value="940-0119A">940-0119A</option>
+                    <option value="940-0127A">940-0127A</option>
+                    <option value="940-0128A">940-0128A</option>
+                    <option value="940-0625A">940-0625A</option>
+                    <option value="940-1524C">940-1524C</option>
+                    <option value="MAM-04-02-2000">MAM-04-02-2000</option>
+                </OptionValues>
+            </UPSCable>
+            <UPSType type="OptionField">
+                <default>apcsmart</default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <apcsmart>apcsmart</apcsmart>
+                    <usb>usb</usb>
+                    <net>net</net>
+                    <snmp>snmp</snmp>
+                    <netsnmp>netsnmp</netsnmp>
+                    <dumb>dumb</dumb>
+                    <pcnet>pcnet</pcnet>
+                    <modbus>modbus</modbus>
+                </OptionValues>
+            </UPSType>
+            <Device type="TextField">
+                <Required>N</Required>
+            </Device>
+            <Polltime type="IntegerField">
+                <Required>Y</Required>
+                <default>60</default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>86400</MaximumValue>
+                <ValidationMessage>Polltime must be between 1 and 86400.</ValidationMessage>
+            </Polltime>
+            <Netserver type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </Netserver>
+            <NetserverAddress type="NetworkField">
+                <default>127.0.0.1</default>
+                <Required>Y</Required>
+            </NetserverAddress>
+            <NetserverPort type="PortField">
+                <default>3551</default>
+                <Required>Y</Required>
+            </NetserverPort>
+            <OnBatteryDelay type="IntegerField">
+                <default>6</default>
+                <Required>Y</Required>
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>60</MaximumValue>
+                <ValidationMessage>On battery delay must be between 1 and 60.</ValidationMessage>
+            </OnBatteryDelay>
+            <BatteryLevel type="IntegerField">
+                <default>5</default>
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>99</MaximumValue>
+                <ValidationMessage>Battery level must be between 1 and 99 percent.</ValidationMessage>
+            </BatteryLevel>
+            <Minutes type="IntegerField">
+                <default>3</default>
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>60</MaximumValue>
+                <ValidationMessage>Remaining battery minutes must be between 1 and 60 minutes.</ValidationMessage>
+            </Minutes>
+            <Timeout type="IntegerField">
+                <default>0</default>
+                <Required>Y</Required>
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>360</MaximumValue>
+                <ValidationMessage>Timeout must be between 1 and 360 seconds.</ValidationMessage>
+            </Timeout>
+            <Annoy type="IntegerField">
+                <default>300</default>
+                <Required>Y</Required>
+                <MinimumValue>10</MinimumValue>
+                <MaximumValue>360</MaximumValue>
+                <ValidationMessage>Annoy time must be between 10 and 360 seconds.</ValidationMessage>
+            </Annoy>
+            <AnnoyDelay type="IntegerField">
+                <default>60</default>
+                <Required>Y</Required>
+                <MinimumValue>10</MinimumValue>
+                <MaximumValue>360</MaximumValue>
+                <ValidationMessage>Annoy delay time must be between 10 and 360 seconds.</ValidationMessage>
+            </AnnoyDelay>
+            <KillDelay type="IntegerField">
+                <default>0</default>
+                <Required>Y</Required>
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>360</MaximumValue>
+                <ValidationMessage>Kill delay time must be between 0 and 360 seconds.</ValidationMessage>
+            </KillDelay>
+            <UPSClass type="OptionField">
+                <default>standalone</default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <standalone>standalone</standalone>
+                    <shareslave>shareslave</shareslave>
+                    <sharemaster>sharemaster</sharemaster>
+                </OptionValues>
+            </UPSClass>
+            <UPSMode type="OptionField">
+                <default>disable</default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <disable>disable</disable>
+                    <share>share</share>
+                </OptionValues>
+            </UPSMode>
+            <NoLogon type="OptionField">
+                <default>disable</default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <disable>disable</disable>
+                    <timeout>timeout</timeout>
+                    <percent>percent</percent>
+                    <minutes>minutes</minutes>
+                    <always>always</always>
+                </OptionValues>
+            </NoLogon>
+        </general>
+    </items>
+</model>
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml
new file mode 100644
index 0000000000..557d3f8ab5
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+    <Services>
+        <Apcupsd cssClass="fa fa-battery-full fa-fw">
+            <Settings url="/ui/apcupsd" />
+            <Status url="/ui/apcupsd/status" />
+        </Apcupsd>
+    </Services>
+</menu>
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/index.volt b/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/index.volt
new file mode 100644
index 0000000000..ddda5a92ae
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/index.volt
@@ -0,0 +1,74 @@
+{#
+ # Copyright (C) 2021 Dan Lundqvist
+ # Copyright (C) 2021 David Berry
+ # Copyright (C) 2021 Nicola Pellegrini
+ #
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+<div  class="col-md-12">
+    {{ partial('layout_partials/base_form',['fields':generalForm,'id':'frm_GeneralSettings','apply_btn_id':'saveAct'])}}
+</div>
+<script>
+    $(document).ready(function () {
+        var data_get_map = { 'frm_GeneralSettings': '/api/apcupsd/settings/get' };
+
+        mapDataToFormUI(data_get_map).done(function(data) {
+            // place actions to run after load, for example update form styles.
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        // Adds or updates the service control
+        updateServiceControlUI('apcupsd');
+
+        var waitEnabled = function(callback, ntry) {
+            ntry = ntry || 0;
+            ajaxCall('/api/apcupsd/service/status', {}, function(data) {
+                if ((data && data['status'] === 'running') || ntry > 5) {
+                    callback.call(null);
+                } else {
+                    setTimeout(function() {
+                        waitEnabled(callback, ntry++);
+                    }, 1000);
+                }
+            });
+        };
+
+        // link save button to API set action
+        $('#saveAct').click(function(){
+            saveFormToEndpoint('/api/apcupsd/settings/set', 'frm_GeneralSettings', function() {
+                $('#frm_GeneralSettings_progress').addClass('fa fa-spinner fa-pulse');
+                // action to run after successful save, for example reconfigure service.
+                ajaxCall('/api/apcupsd/service/reconfigure', {}, function(data, status) {
+                    // action to run after reload
+                    $('#frm_GeneralSettings_progress').removeClass('fa fa-spinner fa-pulse');
+                    updateServiceControlUI('apcupsd');
+                    waitEnabled(function() {
+                        updateServiceControlUI('apcupsd');
+                    });
+                });
+            });
+        });
+    });
+</script>
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/status.volt b/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/status.volt
new file mode 100644
index 0000000000..951f112a78
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/status.volt
@@ -0,0 +1,42 @@
+{#
+ # Copyright (C) 2021 Dan Lundqvist
+ # Copyright (C) 2021 David Berry
+ # Copyright (C) 2021 Nicola Pellegrini
+ #
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+<pre id="apcupsd-status">No status</pre>
+<script>
+    $(document).ready(function() {
+        var refreshStatus = function() {
+            ajaxCall('/api/apcupsd/service/getUpsStatus', {}, function(data, status) {
+                if (status === 'success') {
+                    $('#apcupsd-status').text(data.error || data.output);
+                    setTimeout(refreshStatus, 5000);
+                }
+            });
+        };
+        refreshStatus();
+    });
+</script>
diff --git a/sysutils/apcupsd/src/opnsense/service/conf/actions.d/actions_apcupsd.conf b/sysutils/apcupsd/src/opnsense/service/conf/actions.d/actions_apcupsd.conf
new file mode 100644
index 0000000000..03896d5e33
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/service/conf/actions.d/actions_apcupsd.conf
@@ -0,0 +1,29 @@
+[start]
+command:/usr/local/etc/rc.d/apcupsd start
+parameters:
+type:script
+message:starting apcupsd
+
+[stop]
+command:/usr/local/etc/rc.d/apcupsd stop
+parameters:
+type:script
+message:stopping apcupsd
+
+[restart]
+command:/usr/local/etc/rc.d/apcupsd restart
+parameters:
+type:script
+message:restarting apcupsd
+
+[status]
+command:/usr/local/etc/rc.d/apcupsd status;exit 0
+parameters:
+type:script_output
+message:requesting apcupsd status
+
+[upsstatus]
+command:/usr/local/sbin/apcaccess
+parameters:
+type:script_output
+message:requesting UPS Status
diff --git a/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/+TARGETS b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/+TARGETS
new file mode 100644
index 0000000000..3ad405f594
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/+TARGETS
@@ -0,0 +1,2 @@
+apcupsd:/etc/rc.conf.d/apcupsd
+apcupsd.conf:/usr/local/etc/apcupsd/apcupsd.conf
diff --git a/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/apcupsd b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/apcupsd
new file mode 100644
index 0000000000..cc639badf7
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/apcupsd
@@ -0,0 +1,23 @@
+{% if helpers.exists('OPNsense.apcupsd.general.Enabled') and OPNsense.apcupsd.general.Enabled == "1" %}
+apcupsd_enable="YES"
+{% else %}
+apcupsd_enable="NO"
+{% endif %}
+
+# Hook to post start/restart commands waiting for the pid file for max 3 seconds
+# this prevents the status command to erroneously report the service as stopped
+# since apcupsd detaches before the pid file creation
+
+start_postcmd="${name}_post_start_restart"
+restart_postcmd="${name}_post_start_restart"
+
+apcupsd_post_start_restart()
+{
+    if [ -n "$pidfile" ]; then
+        i=0
+        while [ ! -f "$pidfile" ] && [ "$i" -le 5 ]; do
+          i=$(( i + 1 ))
+          sleep 0.5
+        done
+    fi
+}
diff --git a/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/apcupsd.conf b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/apcupsd.conf
new file mode 100644
index 0000000000..730587a3a4
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/apcupsd.conf
@@ -0,0 +1,356 @@
+## apcupsd.conf v1.1 ##
+#
+#  for apcupsd release 3.14.14 (31 May 2016) - freebsd
+
+##############################################################
+#
+# This file is auto-generated - any changes made will be lost
+#
+#############################################################
+
+# "apcupsd" POSIX config file
+
+#
+# Note that the apcupsd daemon must be restarted in order for changes to
+# this configuration file to become active.
+#
+
+#
+# ========= General configuration parameters ============
+#
+
+# UPSNAME xxx
+#   Use this to give your UPS a name in log files and such. This
+#   is particulary useful if you have multiple UPSes. This does not
+#   set the EEPROM. It should be 8 characters or less.
+{% if not helpers.empty('OPNsense.apcupsd.general.UPSName') %}
+UPSNAME {{ OPNsense.apcupsd.general.UPSName }}
+{% endif %}
+
+# UPSCABLE <cable>
+#   Defines the type of cable connecting the UPS to your computer.
+#
+#   Possible generic choices for <cable> are:
+#     simple, smart, ether, usb
+#
+#   Or a specific cable model number may be used:
+#     940-0119A, 940-0127A, 940-0128A, 940-0020B,
+#     940-0020C, 940-0023A, 940-0024B, 940-0024C,
+#     940-1524C, 940-0024G, 940-0095A, 940-0095B,
+#     940-0095C, 940-0625A, M-04-02-2000
+#
+UPSCABLE {{ OPNsense.apcupsd.general.UPSCable }}
+
+# To get apcupsd to work, in addition to defining the cable
+# above, you must also define a UPSTYPE, which corresponds to
+# the type of UPS you have (see the Description for more details).
+# You must also specify a DEVICE, sometimes referred to as a port.
+# For USB UPSes, please leave the DEVICE directive blank. For
+# other UPS types, you must specify an appropriate port or address.
+#
+# UPSTYPE   DEVICE           Description
+# apcsmart  /dev/tty**       Newer serial character device, appropriate for
+#                            SmartUPS models using a serial cable (not USB).
+#
+# usb       <BLANK>          Most new UPSes are USB. A blank DEVICE
+#                            setting enables autodetection, which is
+#                            the best choice for most installations.
+#
+# net       hostname:port    Network link to a master apcupsd through apcupsd's
+#                            Network Information Server. This is used if the
+#                            UPS powering your computer is connected to a
+#                            different computer for monitoring.
+#
+# snmp      hostname:port:vendor:community
+#                            SNMP network link to an SNMP-enabled UPS device.
+#                            Hostname is the ip address or hostname of the UPS
+#                            on the network. Vendor can be can be "APC" or
+#                            "APC_NOTRAP". "APC_NOTRAP" will disable SNMP trap
+#                            catching; you usually want "APC". Port is usually
+#                            161. Community is usually "private".
+#
+# netsnmp   hostname:port:vendor:community
+#                            OBSOLETE
+#                            Same as SNMP above but requires use of the
+#                            net-snmp library. Unless you have a specific need
+#                            for this old driver, you should use 'snmp' instead.
+#
+# dumb      /dev/tty**       Old serial character device for use with
+#                            simple-signaling UPSes.
+#
+# pcnet     ipaddr:username:passphrase:port
+#                            PowerChute Network Shutdown protocol which can be
+#                            used as an alternative to SNMP with the AP9617
+#                            family of smart slot cards. ipaddr is the IP
+#                            address of the UPS management card. username and
+#                            passphrase are the credentials for which the card
+#                            has been configured. port is the port number on
+#                            which to listen for messages from the UPS, normally
+#                            3052. If this parameter is empty or missing, the
+#                            default of 3052 will be used.
+#
+# modbus    /dev/tty**       Serial device for use with newest SmartUPS models
+#                            supporting the MODBUS protocol.
+# modbus    <BLANK>          Leave the DEVICE setting blank for MODBUS over USB
+#                            or set to the serial number of the UPS to ensure
+#                            that apcupsd binds to that particular unit
+#                            (helpful if you have more than one USB UPS).
+#
+UPSTYPE {{ OPNsense.apcupsd.general.UPSType|default("apcsmart") }}
+DEVICE {{ OPNsense.apcupsd.general.Device }}
+
+# POLLTIME <int>
+#   Interval (in seconds) at which apcupsd polls the UPS for status. This
+#   setting applies both to directly-attached UPSes (UPSTYPE apcsmart, usb,
+#   dumb) and networked UPSes (UPSTYPE net, snmp). Lowering this setting
+#   will improve apcupsd's responsiveness to certain events at the cost of
+#   higher CPU utilization. The default of 60 is appropriate for most
+#   situations.
+POLLTIME {{ OPNsense.apcupsd.general.Polltime|default("60") }}
+
+# LOCKFILE <path to lockfile>
+#   Path for device lock file. This is the directory into which the lock file
+#   will be written. The directory must already exist; apcupsd will not create
+#   it. The actual name of the lock file is computed from DEVICE.
+#   Not used on Win32.
+LOCKFILE /var/spool/lock
+
+# SCRIPTDIR <path to script directory>
+#   Directory in which apccontrol and event scripts are located.
+SCRIPTDIR /usr/local/etc/apcupsd
+
+# PWRFAILDIR <path to powerfail directory>
+#   Directory in which to write the powerfail flag file. This file
+#   is created when apcupsd initiates a system shutdown and is
+#   checked in the OS halt scripts to determine if a killpower
+#   (turning off UPS output power) is required.
+PWRFAILDIR /var/run
+
+# NOLOGINDIR <path to nologin directory>
+#   Directory in which to write the nologin file. The existence
+#   of this flag file tells the OS to disallow new logins.
+NOLOGINDIR /var/run
+
+
+#
+# ======== Configuration parameters used during power failures ==========
+#
+
+# The ONBATTERYDELAY is the time in seconds from when a power failure
+#   is detected until we react to it with an onbattery event.
+#
+#   This means that, apccontrol will be called with the powerout argument
+#   immediately when a power failure is detected.  However, the
+#   onbattery argument is passed to apccontrol only after the
+#   ONBATTERYDELAY time.  If you don't want to be annoyed by short
+#   powerfailures, make sure that apccontrol powerout does nothing
+#   i.e. comment out the wall.
+ONBATTERYDELAY {{ OPNsense.apcupsd.general.OnBatteryDelay|default("6") }}
+
+#
+# Note: BATTERYLEVEL, MINUTES, and TIMEOUT work in conjunction, so
+# the first that occurs will cause the initation of a shutdown.
+#
+
+# If during a power failure, the remaining battery percentage
+# (as reported by the UPS) is below or equal to BATTERYLEVEL,
+# apcupsd will initiate a system shutdown.
+BATTERYLEVEL {{ OPNsense.apcupsd.general.BatteryLevel|default("5") }}
+
+# If during a power failure, the remaining runtime in minutes
+# (as calculated internally by the UPS) is below or equal to MINUTES,
+# apcupsd, will initiate a system shutdown.
+MINUTES {{ OPNsense.apcupsd.general.Minutes|default("3") }}
+
+# If during a power failure, the UPS has run on batteries for TIMEOUT
+# many seconds or longer, apcupsd will initiate a system shutdown.
+# A value of 0 disables this timer.
+#
+#  Note, if you have a Smart UPS, you will most likely want to disable
+#    this timer by setting it to zero. That way, you UPS will continue
+#    on batteries until either the % charge remaing drops to or below BATTERYLEVEL,
+#    or the remaining battery runtime drops to or below MINUTES.  Of course,
+#    if you are testing, setting this to 60 causes a quick system shutdown
+#    if you pull the power plug.
+#  If you have an older dumb UPS, you will want to set this to less than
+#    the time you know you can run on batteries.
+TIMEOUT {{ OPNsense.apcupsd.general.Timeout|default("0") }}
+
+#  Time in seconds between annoying users to signoff prior to
+#  system shutdown. 0 disables.
+ANNOY {{ OPNsense.apcupsd.general.Annoy|default("300") }}
+
+# Initial delay after power failure before warning users to get
+# off the system.
+ANNOYDELAY {{ OPNsense.apcupsd.general.AnnoyDelay|default("60") }}
+
+# The condition which determines when users are prevented from
+# logging in during a power failure.
+# NOLOGON <string> [ disable | timeout | percent | minutes | always ]
+NOLOGON {{ OPNsense.apcupsd.general.NoLogon|default("disable") }}
+
+# If KILLDELAY is non-zero, apcupsd will continue running after a
+# shutdown has been requested, and after the specified time in
+# seconds attempt to kill the power. This is for use on systems
+# where apcupsd cannot regain control after a shutdown.
+# KILLDELAY <seconds>  0 disables
+KILLDELAY {{ OPNsense.apcupsd.general.KillDelay|default("0") }}
+
+#
+# ==== Configuration statements for Network Information Server ====
+#
+
+# NETSERVER [ on | off ] on enables, off disables the network
+#  information server. If netstatus is on, a network information
+#  server process will be started for serving the STATUS and
+#  EVENT data over the network (used by CGI programs).
+{% if helpers.exists('OPNsense.apcupsd.general.Netserver') and OPNsense.apcupsd.general.Netserver == "1" %}
+NETSERVER on
+{% else %}
+NETSERVER off
+{% endif %}
+
+# NISIP <dotted notation ip address>
+#  IP address on which NIS server will listen for incoming connections.
+#  This is useful if your server is multi-homed (has more than one
+#  network interface and IP address). Default value is 0.0.0.0 which
+#  means any incoming request will be serviced. Alternatively, you can
+#  configure this setting to any specific IP address of your server and
+#  NIS will listen for connections only on that interface. Use the
+#  loopback address (127.0.0.1) to accept connections only from the
+#  local machine.
+NISIP {{ OPNsense.apcupsd.general.NetserverAddress|default("127.0.0.1") }}
+
+# NISPORT <port> default is 3551 as registered with the IANA
+#  port to use for sending STATUS and EVENTS data over the network.
+#  It is not used unless NETSERVER is on. If you change this port,
+#  you will need to change the corresponding value in the cgi directory
+#  and rebuild the cgi programs.
+NISPORT {{ OPNsense.apcupsd.general.NetserverPort|default("3551") }}
+
+# If you want the last few EVENTS to be available over the network
+# by the network information server, you must define an EVENTSFILE.
+EVENTSFILE /var/log/apcupsd.events
+
+# EVENTSFILEMAX <kilobytes>
+#  By default, the size of the EVENTSFILE will be not be allowed to exceed
+#  10 kilobytes.  When the file grows beyond this limit, older EVENTS will
+#  be removed from the beginning of the file (first in first out).  The
+#  parameter EVENTSFILEMAX can be set to a different kilobyte value, or set
+#  to zero to allow the EVENTSFILE to grow without limit.
+EVENTSFILEMAX 10
+
+#
+# ========== Configuration statements used if sharing =============
+#            a UPS with more than one machine
+
+#
+# Remaining items are for ShareUPS (APC expansion card) ONLY
+#
+
+# UPSCLASS [ standalone | shareslave | sharemaster ]
+#   Normally standalone unless you share an UPS using an APC ShareUPS
+#   card.
+UPSCLASS {{ OPNsense.apcupsd.general.UPSClass|default("standalone") }}
+
+# UPSMODE [ disable | share ]
+#   Normally disable unless you share an UPS using an APC ShareUPS card.
+UPSMODE {{ OPNsense.apcupsd.general.UPSMode|default("disable") }}
+
+#
+# ===== Configuration statements to control apcupsd system logging ========
+#
+
+# Time interval in seconds between writing the STATUS file; 0 disables
+STATTIME 0
+
+# Location of STATUS file (written to only if STATTIME is non-zero)
+STATFILE /var/log/apcupsd.status
+
+# LOGSTATS [ on | off ] on enables, off disables
+# Note! This generates a lot of output, so if
+#       you turn this on, be sure that the
+#       file defined in syslog.conf for LOG_NOTICE is a named pipe.
+#  You probably do not want this on.
+LOGSTATS off
+
+# Time interval in seconds between writing the DATA records to
+#   the log file. 0 disables.
+DATATIME 0
+
+# FACILITY defines the logging facility (class) for logging to syslog.
+#          If not specified, it defaults to "daemon". This is useful
+#          if you want to separate the data logged by apcupsd from other
+#          programs.
+#FACILITY DAEMON
+
+#
+# ========== Configuration statements used in updating the UPS EPROM =========
+#
+
+#
+# These statements are used only by apctest when choosing "Set EEPROM with conf
+# file values" from the EEPROM menu. THESE STATEMENTS HAVE NO EFFECT ON APCUPSD.
+#
+
+# UPS name, max 8 characters
+#UPSNAME UPS_IDEN
+
+# Battery date - 8 characters
+#BATTDATE mm/dd/yy
+
+# Sensitivity to line voltage quality (H cause faster transfer to batteries)
+# SENSITIVITY H M L        (default = H)
+#SENSITIVITY H
+
+# UPS delay after power return (seconds)
+# WAKEUP 000 060 180 300   (default = 0)
+#WAKEUP 60
+
+# UPS Grace period after request to power off (seconds)
+# SLEEP 020 180 300 600    (default = 20)
+#SLEEP 180
+
+# Low line voltage causing transfer to batteries
+# The permitted values depend on your model as defined by last letter
+#  of FIRMWARE or APCMODEL. Some representative values are:
+#    D 106 103 100 097
+#    M 177 172 168 182
+#    A 092 090 088 086
+#    I 208 204 200 196     (default = 0 => not valid)
+#LOTRANSFER  208
+
+# High line voltage causing transfer to batteries
+# The permitted values depend on your model as defined by last letter
+#  of FIRMWARE or APCMODEL. Some representative values are:
+#    D 127 130 133 136
+#    M 229 234 239 224
+#    A 108 110 112 114
+#    I 253 257 261 265     (default = 0 => not valid)
+#HITRANSFER 253
+
+# Battery charge needed to restore power
+# RETURNCHARGE 00 15 50 90 (default = 15)
+#RETURNCHARGE 15
+
+# Alarm delay
+# 0 = zero delay after pwr fail, T = power fail + 30 sec, L = low battery, N = never
+# BEEPSTATE 0 T L N        (default = 0)
+#BEEPSTATE T
+
+# Low battery warning delay in minutes
+# LOWBATT 02 05 07 10      (default = 02)
+#LOWBATT 2
+
+# UPS Output voltage when running on batteries
+# The permitted values depend on your model as defined by last letter
+#  of FIRMWARE or APCMODEL. Some representative values are:
+#    D 115
+#    M 208
+#    A 100
+#    I 230 240 220 225     (default = 0 => not valid)
+#OUTPUTVOLTS 230
+
+# Self test interval in hours 336=2 weeks, 168=1 week, ON=at power on
+# SELFTEST 336 168 ON OFF  (default = 336)
+#SELFTEST 336
diff --git a/sysutils/apcupsd/src/www/widgets/include/apcupsd.inc b/sysutils/apcupsd/src/www/widgets/include/apcupsd.inc
new file mode 100644
index 0000000000..26fb46664e
--- /dev/null
+++ b/sysutils/apcupsd/src/www/widgets/include/apcupsd.inc
@@ -0,0 +1,4 @@
+<?php
+
+$apcupsd_title = gettext('Apcupsd');
+$apcupsd_title_link = 'ui/apcupsd';
diff --git a/sysutils/apcupsd/src/www/widgets/widgets/apcupsd.widget.php b/sysutils/apcupsd/src/www/widgets/widgets/apcupsd.widget.php
new file mode 100644
index 0000000000..3c12a8b7ac
--- /dev/null
+++ b/sysutils/apcupsd/src/www/widgets/widgets/apcupsd.widget.php
@@ -0,0 +1,219 @@
+<?php
+
+/*
+ * Copyright (C) 2021 Nicola Pellegrini
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("widgets/include/apcupsd.inc");
+
+?>
+<table id="apcupsd-widget" class="table table-striped table-condensed">
+    <colgroup>
+        <col class="apcupsd-widget-label" />
+        <col />
+    </colgroup>
+    <tbody id="apcupsd-widget-tbody"></tbody>
+</table>
+<style>
+    .apcupsd-widget-label {
+        max-width: 20em;
+        width: 30%;
+        min-width: 10em;
+    }
+
+    .apcupsd-widget-highlight {
+        font-weight: bold
+    }
+</style>
+<script>
+$(document).ready(() => {
+    const withMomentJs = moment && moment.version && typeof moment === 'function';
+
+    const $newCell = (content) => $('<td></td>').html(content);
+
+    const $newLabel = (text) => {
+        return $('<td></td>').text(text);
+    };
+
+    const $newRow = (content, label) => {
+        return $('<tr></tr>').append(
+            typeof label === 'string' ? $newLabel(label) : label,
+            content
+        );
+    };
+
+    const $newProgressBar = (width, text) => {
+        const $text = $('<span class="text-center"></span>').text(text).css({
+                position: 'absolute',
+                left: 0,
+                right: 0
+            });
+        const $bar = $('<div class="progress-bar"></div>').css({
+            width: width,
+            zIndex: 0
+        });
+        return $('<div class="progress"></div>').append($bar, $text);
+    };
+
+    const renderText = (data, label) => {
+        const text = typeof data === 'string' ? data : data.value;
+        return $newRow($('<td></td>').text(text), label);
+    };
+
+    const renderDateString = (data, label, format, parseFormat) => {
+        let value = typeof data === 'string' ? data : (data.norm || data.value);
+        let text;
+        if (withMomentJs) {
+            const m = moment(value, parseFormat);
+            if (m.isValid()) {
+                m.locale(window.navigator.language);
+                text = m.format(format);
+            }
+        }
+        return renderText(text || value, label);
+    };
+
+    const renderProgress = (data, label, progressText) => {
+        const width = data.norm + '%';
+        progressText = progressText || data.norm.toFixed(1) + ' %';
+        const pb = $newProgressBar(width, progressText);
+        return $newRow($newCell(pb), label);
+    };
+
+    const renderLoad = (loadpct, nompower) => {
+        let text = loadpct.norm.toFixed(1) + ' %';
+        if (nompower) {
+            text += ' ( ~ ' + Math.round(loadpct.norm * nompower.norm / 100) + ' W )';
+        }
+        return renderProgress(loadpct, 'Load', text);
+    };
+
+    const renderHighlight = (text, label, okRegexp, errRegexp) => {
+        const textEl = $('<span class="apcupsd-widget-highlight"></span>').text(text);
+        if (okRegexp && okRegexp.exec(text)) {
+            textEl.addClass('text-success');
+        } else if (errRegexp && errRegexp.exec(text)) {
+            textEl.addClass('text-danger');
+        } else {
+            textEl.addClass('text-warning');
+        }
+        return $newRow($('<td></td>').append(textEl), label);
+    };
+
+    const selfTestText = {
+        BT: 'Failed due to battery capacity (BT)',
+        NG: 'Failed due to overload (NG)',
+        NO: 'No results',
+    };
+
+    const updateUi = (status) => {
+        const rows = [];
+
+        if (status.MODEL) {
+            rows.push(renderText(status.MODEL, 'Model'));
+        }
+
+        if (status.STATUS) {
+            rows.push(
+                renderHighlight(
+                    status.STATUS.value,
+                    'Status',
+                    /ONLINE/,
+                    /ONBATT|LOWBATT|REPLACEBATT|NOBATT|SLAVEDOWN|COMMLOST/
+                )
+            );
+        }
+
+        if (status.SELFTEST) {
+            const value = status.SELFTEST.value;
+            const text = selfTestText[value] || value;
+            if (value === 'NO') {
+                rows.push(renderText(text, 'Self test'));
+            } else {
+                rows.push(renderHighlight(
+                    text,
+                    'Self test',
+                    /OK/,
+                    /BT|NG/
+                ));
+            }
+        }
+
+        if (status.LINEV) {
+            rows.push(renderText(status.LINEV, 'Line voltage'));
+        }
+
+        if (status.LOADPCT) {
+            rows.push(renderLoad(status.LOADPCT, status.NOMPOWER))
+        }
+
+        if (status.BCHARGE) {
+            rows.push(renderProgress(status.BCHARGE, 'Battery level'));
+        }
+
+        if (status.TIMELEFT) {
+            rows.push(renderText(status.TIMELEFT, 'Battery runtime'));
+        }
+
+        if (status.BATTV) {
+            rows.push(renderText(status.BATTV, 'Battery voltage'));
+        }
+
+        if (status.BATTDATE) {
+            rows.push(renderDateString(status.BATTDATE, 'Battery date', 'll', 'YYYY-MM-DD'));
+        }
+
+        if (status.ITEMP) {
+            rows.push(renderText(status.ITEMP, 'Temperature'));
+        }
+
+        if (status.DATE) {
+            rows.push(renderDateString(status.DATE, 'Status update', 'll LTS'));
+        }
+
+        $('#apcupsd-widget-tbody').html(rows);
+    };
+
+    const displayError = (message) => {
+        const el = $('<tr></tr>').append($('<td class="text-center text-danger" colspan="2"></td>').text(message));
+        $('#apcupsd-widget-tbody').html(el);
+    };
+
+    const refreshStatus = () => {
+        ajaxCall('/api/apcupsd/service/getUpsStatus', {}, function(data, status) {
+            if (status === 'success' && !data.error) {
+                updateUi(data.status);
+            } else {
+                displayError(data ? (data.message || data.error) : 'request error');
+            }
+            setTimeout(refreshStatus, 5000);
+        });
+    };
+
+    refreshStatus();
+});
+</script>

From fbc31e1b9f7a4061fc9eae87271ddf36925406b9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 2 Jun 2022 09:32:10 +0200
Subject: [PATCH 1060/3088] sysutils/apcupsd: update via automated scripts

---
 LICENSE                                                     | 3 +++
 README.md                                                   | 1 +
 .../controllers/OPNsense/Apcupsd/Api/ServiceController.php  | 6 ++++--
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index b0c9debb93..60ca98df55 100644
--- a/LICENSE
+++ b/LICENSE
@@ -5,7 +5,9 @@ Copyright (c) 2021 Axelrtgs
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2020 D. Domig
+Copyright (c) 2021 Dan Lundqvist
 Copyright (c) 2011 Dan Myers
+Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
 Copyright (c) 2014-2022 Deciso B.V.
@@ -34,6 +36,7 @@ Copyright (c) 2022 Markus Reiter <me@reitermark.us>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2021 Nicola Pellegrini
 Copyright (c) 2021 Nim G
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
diff --git a/README.md b/README.md
index 9b78a2e005..f2d58028c8 100644
--- a/README.md
+++ b/README.md
@@ -91,6 +91,7 @@ security/softether -- Cross-platform Multi-protocol VPN Program (development onl
 security/stunnel -- Stunnel TLS proxy
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
+sysutils/apcupsd -- APCUPSD - APC UPS daemon (development only)
 sysutils/api-backup -- Provide the functionality to download the config.xml
 sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/boot-delay -- Apply a persistent 10 second boot delay (pending removal)
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
index ea6380e965..ad653efdba 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
@@ -96,7 +96,8 @@ private function parseUpsStatus($statusOutput)
         return $status;
     }
 
-    private function tryParseDateTime($dateTimeString) {
+    private function tryParseDateTime($dateTimeString)
+    {
         $formats = [
             'Y-m-d H:i:s P', // 2021-12-27 17:51:42 +0100
             'D M d H:i:s T Y' // Sat Sep 16 17:13:00 CEST 2000
@@ -110,7 +111,8 @@ private function tryParseDateTime($dateTimeString) {
         return $dateTimeString;
     }
 
-    private function tryParseDate($dateString) {
+    private function tryParseDate($dateString)
+    {
         $formats = [
             'Y-m-d', // 2021-12-27
             'm/d/y', // 12/27/21

From 739553989c9cdeef75647a33e76ffbc8e99bbde2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 2 Jun 2022 09:37:43 +0200
Subject: [PATCH 1061/3088] dns/ddclient: prep for next update

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f3fe1c2413..f1cbd72ccd 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.5
+PLUGIN_VERSION=		1.6
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 7c31315947..91dba346b2 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.6
+
+* Add Gandi support (contributed by Neozlag)
+
 1.5
 
 * Add service control, XMLRPC registration and syslog target

From 3370683d1e377f0c511bb5f8a73e610d3b25ca49 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Fri, 3 Jun 2022 19:19:19 +0200
Subject: [PATCH 1062/3088] net/frr - BGP weight option and bug fix for
 disable-connected-check option (#2993)

* net/frr add bgp weight attribute and move disable-connected-check to the correct place. it looked like "community lists" missed a toggle action, added that as well.
---
 .../controllers/OPNsense/Quagga/Api/BgpController.php    | 5 +++++
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml      | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml  | 6 ++++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf | 9 ++++++---
 4 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 9f505632e1..79de7caf46 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -197,6 +197,11 @@ public function setRoutemapAction($uuid)
         return $this->setBase('routemap', 'routemaps.routemap', $uuid);
     }
 
+    public function toggleCommunitylistAction($uuid)
+    {
+        return $this->toggleBase('communitylists.communitylist', $uuid);
+    }
+
     public function toggleNeighborAction($uuid)
     {
         return $this->toggleBase('neighbors.neighbor', $uuid);
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 1af5adf4a3..19f13cca10 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -29,6 +29,13 @@
     <advanced>true</advanced>
     <help>Set a password for BGP authentication.</help>
   </field>
+  <field>
+    <id>neighbor.weight</id>
+    <label>Weight</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Specify a default weight value for the neighbor’s routes.</help>
+  </field>
   <field>
     <id>neighbor.localip</id>
     <label>Local Initiater IP</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index f22fe8cd22..db890d0544 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -60,6 +60,12 @@
                         <password type="TextField">
                                 <Required>N</Required>
                         </password>
+                        <weight type="IntegerField">
+                                <default></default>
+                                <Required>N</Required>
+                                <MinimumValue>0</MinimumValue>
+                                <MaximumValue>65535</MaximumValue>
+                        </weight>
                         <localip type="NetworkField">
                                 <Required>N</Required>
                         </localip>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index b7f585aff0..a5fb926d4e 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -60,6 +60,12 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'password' in neighbor and neighbor.password != '' %}
  neighbor {{ neighbor.address }} password {{ neighbor.password }}
 {%         endif %}
+{%         if 'weight' in neighbor and neighbor.weight != '' %}
+ neighbor {{ neighbor.address }} weight {{ neighbor.weight }}
+{%         endif %}
+{%         if 'disable_connected_check' in neighbor and neighbor.disable_connected_check == '1' %}
+ neighbor {{ neighbor.address }} disable-connected-check
+{%         endif %}
 {%         if ':' not in neighbor.address and 'updatesource' in neighbor and neighbor.updatesource != '' %}
  neighbor {{ neighbor.address }} update-source {{ physical_interface(neighbor.updatesource) }}
 {%         endif %}
@@ -106,9 +112,6 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     if 'asoverride' in neighbor and neighbor.asoverride == '1' %}
   neighbor {{ neighbor.address }} as-override
 {%         endif %}
-{%     if 'disable_connected_check' in neighbor and neighbor.disable_connected_check == '1' %}
-  neighbor {{ neighbor.address }} disable-connected-check
-{%         endif %}
 {%     if neighbor.linkedPrefixlistIn|default("") != "" %}
 {%       for prefixlist in neighbor.linkedPrefixlistIn.split(",") %}
 {%         set prefixlist2_data = helpers.getUUID(prefixlist) %}

From bce044f538db7b67893eafce6f25e6545afce6eb Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 6 Jun 2022 13:45:31 +0200
Subject: [PATCH 1063/3088] dns / ddclient - Add current ip address and updated
 timestamp to search api and grid

---
 dns/ddclient/Makefile                         |  2 +-
 dns/ddclient/pkg-descr                        |  4 +
 .../DynDNS/Api/AccountsController.php         |  5 +-
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  2 +-
 .../DynDNS/FieldTypes/AccountField.php        | 81 +++++++++++++++++++
 .../mvc/app/views/OPNsense/DynDNS/index.volt  |  2 +
 .../src/opnsense/scripts/ddclient/stats       | 53 ++++++++++++
 .../conf/actions.d/actions_ddclient.conf      |  5 ++
 8 files changed, 151 insertions(+), 3 deletions(-)
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
 create mode 100755 dns/ddclient/src/opnsense/scripts/ddclient/stats

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f1cbd72ccd..1c97be904b 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.6
+PLUGIN_VERSION=		1.7
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 91dba346b2..0464eccabb 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.7
+
+* Add current ip address and updated timestamp to search api and grid
+
 1.6
 
 * Add Gandi support (contributed by Neozlag)
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
index 08c21b694c..97c7f40607 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
@@ -41,7 +41,10 @@ public function searchItemAction()
     {
         $result = $this->searchBase(
             "accounts.account",
-            ['enabled', 'service', 'description', 'username', 'hostnames', 'use_interface', 'interface', 'protocol'],
+            [
+              'enabled', 'service', 'description', 'username', 'hostnames', 'use_interface',
+              'interface', 'protocol', 'current_ip', 'current_mtime'
+            ],
             "description"
         );
         foreach ($result['rows'] as &$row) {
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 003426fc8f..c28271bbe6 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -26,7 +26,7 @@
             </daemon_delay>
         </general>
         <accounts>
-            <account type="ArrayField">
+            <account type=".\AccountField">
                 <enabled type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
new file mode 100644
index 0000000000..24d856e99e
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
@@ -0,0 +1,81 @@
+<?php
+
+/**
+ *    Copyright (C) 2022 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\DynDNS\FieldTypes;
+
+use OPNsense\Base\FieldTypes\ArrayField;
+use OPNsense\Base\FieldTypes\TextField;
+use OPNsense\Base\FieldTypes\IntegerField;
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
+
+class AccountField extends ArrayField
+{
+    private static $current_stats = null;
+
+    private function addStatsFields($node)
+    {
+        // generate new unattached fields, which are only usable to read data from (not synched to config.xml)
+        $current_ip = new TextField();
+        $current_ip->setInternalIsVirtual();
+        $current_mtime = new TextField();
+        $current_mtime->setInternalIsVirtual();
+
+        if (!empty((string)$node->hostnames)) {
+            foreach (explode(",", (string)$node->hostnames) as $hostname) {
+                if (!empty((self::$current_stats[$hostname]))) {
+                    $stats = self::$current_stats[$hostname];
+                    $current_ip->setValue($stats['ip']);
+                    $current_mtime->setValue(date('c', $stats['mtime']));
+                    break;
+                }
+            }
+        }
+        $node->addChildNode('current_ip', $current_ip);
+        $node->addChildNode('current_mtime', $current_mtime);
+    }
+
+    protected function actionPostLoadingEvent()
+    {
+        if (self::$current_stats === null) {
+            self::$current_stats = [];
+            $stats = json_decode((new Backend())->configdRun('ddclient statistics'), true);
+            if (!empty($stats) && !empty($stats['hosts'])) {
+                self::$current_stats = $stats['hosts'];
+            }
+        }
+        foreach ($this->internalChildnodes as $node) {
+            if (!$node->getInternalIsVirtual()) {
+                $this->addStatsFields($node);
+            }
+        }
+        return parent::actionPostLoadingEvent();
+    }
+}
diff --git a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
index d8f64ad272..baaefe65d4 100644
--- a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
+++ b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
@@ -105,6 +105,8 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="hostnames" data-type="string">{{ lang._('Hostnames') }}</th>
                 <th data-column-id="username" data-type="string">{{ lang._('Username') }}</th>
                 <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
+                <th data-column-id="current_ip" data-type="string">{{ lang._('Current IP') }}</th>
+                <th data-column-id="current_mtime" data-type="string">{{ lang._('Updated') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/stats b/dns/ddclient/src/opnsense/scripts/ddclient/stats
new file mode 100755
index 0000000000..891e3ea876
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/stats
@@ -0,0 +1,53 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2022 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import os
+import json
+
+filename = "/var/tmp/ddclient.cache"
+
+result = {"hosts": {}}
+if os.path.isfile(filename):
+    with open(filename, "r") as fhandle:
+        for idx, row in enumerate(fhandle):
+            if idx == 0:
+                result['version'] = row.strip('#\n ')
+            elif idx == 1:
+                tmp = row.split('(')[-1].split(')')[0]
+                if tmp.isdigit():
+                    result['updated'] = int(tmp)
+            elif tmp.startswith('#') is False:
+                record = {}
+                for pair in row.split(','):
+                    parts = pair.split('=')
+                    if len(parts) == 2:
+                        record[parts[0]] = parts[1]
+                if 'host' in record:
+                    result['hosts'][record['host']] = record
+
+print(json.dumps(result))
diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
index 5ceb8a7872..d59aaf852d 100644
--- a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -23,3 +23,8 @@ description:Restart ddclient service
 command:/usr/local/etc/rc.d/ddclient reload
 type:script
 message:reload ddclient configuration
+
+[statistics]
+command:/usr/local/opnsense/scripts/ddclient/stats
+type:script_output
+message:get ddclient statistics

From 4273f2ff1704c54ccaefe94bfe3e773b5475b422 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jun 2022 11:43:08 +0200
Subject: [PATCH 1064/3088] devel/debug: appease xdebug warning

---
 devel/debug/Makefile                               | 2 +-
 devel/debug/src/etc/php/ext-20-xdebug-settings.ini | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 52d7ef7886..febb5db935 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		debug
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
diff --git a/devel/debug/src/etc/php/ext-20-xdebug-settings.ini b/devel/debug/src/etc/php/ext-20-xdebug-settings.ini
index 30ab5e7282..7821833984 100644
--- a/devel/debug/src/etc/php/ext-20-xdebug-settings.ini
+++ b/devel/debug/src/etc/php/ext-20-xdebug-settings.ini
@@ -1,4 +1,4 @@
 xdebug.mode = profile;
-xdebug.start_with_request = trigger;
+xdebug.output_dir = /tmp
 xdebug.profiler_output_name = cachegrind.out.%t.%p
-xdebug.profiler_output_dir = /tmp
+xdebug.start_with_request = trigger;

From 216ecc2c5c58c7b1d974f4f5ef9d00c65230e0f1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Jun 2022 15:32:31 +0200
Subject: [PATCH 1065/3088] net/frr: document latest change, no version bump

---
 net/frr/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 340c620761..6b2d8bd829 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,7 +14,7 @@ Plugin Changelog
 
 1.29
 
-* Add disable-connected-check option
+* Add disable-connected-check option and BGP weight option
 
 1.28
 

From 285dcd88c3a99f1d38c4f7ad1d8a4546daa08170 Mon Sep 17 00:00:00 2001
From: corentin <corentin.smigiel@agoracalyce.com>
Date: Mon, 20 Jun 2022 14:56:23 +0200
Subject: [PATCH 1066/3088] read Filter property instead of FilterRule

---
 .../opnsense/mvc/app/models/OPNsense/Firewall/Filter.php  | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index a6bf1d4a64..ed631c16aa 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -113,12 +113,12 @@ public function rollback($revision)
     {
         $filename = Config::getInstance()->getBackupFilename($revision);
         if ($filename) {
-            // fiddle with the dom, copy OPNsense->Firewall->FilterRule from backup to current config
+            // fiddle with the dom, copy OPNsense->Firewall->Filter from backup to current config
             $sourcexml = simplexml_load_file($filename);
-            if ($sourcexml->OPNsense->Firewall->FilterRule) {
-                $sourcedom = dom_import_simplexml($sourcexml->OPNsense->Firewall->FilterRule);
+            if ($sourcexml->OPNsense->Firewall->Filter) {
+                $sourcedom = dom_import_simplexml($sourcexml->OPNsense->Firewall->Filter);
                 $targetxml = Config::getInstance()->object();
-                $targetdom = dom_import_simplexml($targetxml->OPNsense->Firewall->FilterRule);
+                $targetdom = dom_import_simplexml($targetxml->OPNsense->Firewall->Filter);
                 $node = $targetdom->ownerDocument->importNode($sourcedom, true);
                 $targetdom->parentNode->replaceChild($node, $targetdom);
                 Config::getInstance()->save();

From 339993680de4453962d21546a181550bd1cc0f0f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 24 Jun 2022 20:11:31 +0200
Subject: [PATCH 1067/3088] dns/ddclient - validate statistics before usage to
 prevent missing fields, for now let's assume mtime is always filled, ip
 apparantly isn't. ref
 https://forum.opnsense.org/index.php?topic=28835.msg140355

---
 dns/ddclient/Makefile                                           | 1 +
 .../mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php  | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 1c97be904b..a6ffcf4f3b 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.7
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
index 24d856e99e..b11bcaf7c0 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
@@ -50,7 +50,7 @@ private function addStatsFields($node)
 
         if (!empty((string)$node->hostnames)) {
             foreach (explode(",", (string)$node->hostnames) as $hostname) {
-                if (!empty((self::$current_stats[$hostname]))) {
+                if (!empty((self::$current_stats[$hostname]) && !empty(self::$current_stats[$hostname]['ip']))) {
                     $stats = self::$current_stats[$hostname];
                     $current_ip->setValue($stats['ip']);
                     $current_mtime->setValue(date('c', $stats['mtime']));

From a357676b926ba9db66bd72c246e9e78bbfaebfaa Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sat, 25 Jun 2022 11:42:14 +0300
Subject: [PATCH 1068/3088] njs0.7.1 compat. (#3016)

---
 www/nginx/src/opnsense/scripts/nginx/ngx_functions.js         | 2 ++
 .../src/opnsense/service/templates/OPNsense/Nginx/http.conf   | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_functions.js b/www/nginx/src/opnsense/scripts/nginx/ngx_functions.js
index 5f17d76ee9..3acd7d9dbc 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_functions.js
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_functions.js
@@ -47,3 +47,5 @@ function check_intercept(r) {
     }
     return tls_result.status;
 }
+
+export default { check_intercept };
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 13e5659a99..735bab34d2 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -21,8 +21,8 @@ log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
 
 #tcp_nopush     on;
 # https intercept detection
-js_include /usr/local/opnsense/scripts/nginx/ngx_functions.js;
-js_set $tls_intercepted check_intercept;
+js_import /usr/local/opnsense/scripts/nginx/ngx_functions.js;
+js_set $tls_intercepted ngx_functions.check_intercept;
 
 # 200M should be big enough for file servers etc.
 client_max_body_size 200M;

From d83e7d398f1b63fe6330a39358ef701c94422104 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Jun 2022 07:30:53 +0200
Subject: [PATCH 1069/3088] www/nginx: bump revision after fix

---
 www/nginx/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index ecfd00ffea..3ddb8eabb7 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.28
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 946583e47fe6b890d216f897741845c9ca4a77f5 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 28 Jun 2022 19:38:29 +0200
Subject: [PATCH 1070/3088] dns/ddclient - validate statistics before usage to
 prevent missing fields [2], typo in previous fix. closes
 https://github.com/opnsense/plugins/issues/3019

---
 .../mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
index b11bcaf7c0..54d3ed624e 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
@@ -50,7 +50,7 @@ private function addStatsFields($node)
 
         if (!empty((string)$node->hostnames)) {
             foreach (explode(",", (string)$node->hostnames) as $hostname) {
-                if (!empty((self::$current_stats[$hostname]) && !empty(self::$current_stats[$hostname]['ip']))) {
+                if (!empty(self::$current_stats[$hostname]) && !empty(self::$current_stats[$hostname]['ip'])) {
                     $stats = self::$current_stats[$hostname];
                     $current_ip->setValue($stats['ip']);
                     $current_mtime->setValue(date('c', $stats['mtime']));

From 277e06db45cb4f8ed76c471c7d4d268e6df724c8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Jun 2022 20:48:14 +0200
Subject: [PATCH 1071/3088] dns/ddclient: bump revision

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index a6ffcf4f3b..43b4e3003e 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 8e7ec17828f3519524e2810f6264d7ffca1c002e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Jun 2022 10:09:47 +0200
Subject: [PATCH 1072/3088] dns/ddclient: update for force addition

Could be added to GUI, but needs testing first.
---
 dns/ddclient/Makefile                         |  3 +--
 dns/ddclient/pkg-descr                        |  5 +++++
 .../conf/actions.d/actions_ddclient.conf      | 20 ++++++++++++++++---
 .../templates/OPNsense/ddclient/ddclient.conf |  1 -
 .../templates/OPNsense/ddclient/rc.conf.d     |  1 +
 5 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 43b4e3003e..2c0b66f552 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.8
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 0464eccabb..ff56d64fd1 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.8
+
+* Add a force action (also available via cron)
+* Fix expected permission on ddclient.conf
+
 1.7
 
 * Add current ip address and updated timestamp to search api and grid
diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
index d59aaf852d..99e5b6b386 100644
--- a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -1,5 +1,7 @@
 [start]
-command:/usr/local/etc/rc.d/ddclient start
+command:
+    chmod 600 /usr/local/etc/ddclient.conf;
+    /usr/local/etc/rc.d/ddclient start
 type:script
 message:starting ddclient
 
@@ -14,16 +16,28 @@ type:script_output
 message:get ddclient status
 
 [restart]
-command:/usr/local/etc/rc.d/ddclient restart
+command:
+    chmod 600 /usr/local/etc/ddclient.conf;
+    /usr/local/etc/rc.d/ddclient restart
 type:script
 message:restarting ddclient
 description:Restart ddclient service
 
 [reload]
-command:/usr/local/etc/rc.d/ddclient reload
+command:
+    chmod 600 /usr/local/etc/ddclient.conf;
+    /usr/local/etc/rc.d/ddclient reload
 type:script
 message:reload ddclient configuration
 
+[force]
+command:
+    chmod 600 /usr/local/etc/ddclient.conf;
+    /usr/local/sbin/ddclient -force
+type:script
+message:forcing ddclient update
+desciption:Force ddclient update
+
 [statistics]
 command:/usr/local/opnsense/scripts/ddclient/stats
 type:script_output
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 27d26193d7..8a6b263eb3 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -1,5 +1,4 @@
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
-daemon={{OPNsense.DynDNS.general.daemon_delay|default('300')}}
 syslog=yes                  # log update msgs to syslog
 pid=/var/run/ddclient.pid   # record PID in file.
 {% if not helpers.empty('OPNsense.DynDNS.general.verbose') %}
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
index c89c76bd53..f4c7697564 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
@@ -1,5 +1,6 @@
 {% if not helpers.empty('OPNsense.DynDNS.general.enabled') %}
 ddclient_enable="YES"
+ddclient_flags="-daemon {{OPNsense.DynDNS.general.daemon_delay|default('300')}}"
 {% else %}
 ddclient_enable="NO"
 {% endif %}

From 30523766e8a63fe847a45a58e7c127838859a468 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Jun 2022 12:49:03 +0200
Subject: [PATCH 1073/3088] dns/ddclient: reload does not exist,
 status/stop/restart unreliable

The rc.d file needs to be changed in FreeBSD but for now work around
this in the easiest way possible.
---
 .../service/conf/actions.d/actions_ddclient.conf     | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
index 99e5b6b386..8e5e6c59c6 100644
--- a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -6,30 +6,24 @@ type:script
 message:starting ddclient
 
 [stop]
-command:/usr/local/etc/rc.d/ddclient stop
+command:pkill -F /var/run/ddclient.pid 2> /dev/null; exit 0
 type:script
 message:stopping ddclient
 
 [status]
-command:/usr/local/etc/rc.d/ddclient status; exit 0
+command:pgrep -qF /var/run/ddclient.pid && echo "ddclient is running" || echo "ddclient is not running"
 type:script_output
 message:get ddclient status
 
 [restart]
 command:
     chmod 600 /usr/local/etc/ddclient.conf;
+    pkill -F /var/run/ddclient.pid 2> /dev/null;
     /usr/local/etc/rc.d/ddclient restart
 type:script
 message:restarting ddclient
 description:Restart ddclient service
 
-[reload]
-command:
-    chmod 600 /usr/local/etc/ddclient.conf;
-    /usr/local/etc/rc.d/ddclient reload
-type:script
-message:reload ddclient configuration
-
 [force]
 command:
     chmod 600 /usr/local/etc/ddclient.conf;

From ff9c5e2edc0b428c41203525dce381fa4b39b134 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Jun 2022 12:49:03 +0200
Subject: [PATCH 1074/3088] dns/ddclient: stop trying to reload

---
 .../controllers/OPNsense/DynDNS/Api/ServiceController.php    | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/ServiceController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/ServiceController.php
index a2fd9644c5..1804fb3d82 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/ServiceController.php
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/ServiceController.php
@@ -41,9 +41,4 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceEnabled = 'general.enabled';
     protected static $internalServiceTemplate = 'OPNsense/ddclient';
     protected static $internalServiceName = 'ddclient';
-
-    protected function reconfigureForceRestart()
-    {
-        return 0;
-    }
 }

From fc2c08b029e6625be9ba12229093a7c674308ab3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Jun 2022 13:01:22 +0200
Subject: [PATCH 1075/3088] dns/dyndns: limit lookup time to 10 seconds

E.g. https doesn't work with checkip and would hang forever.
---
 dns/ddclient/src/opnsense/scripts/ddclient/checkip | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/checkip b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
index af6d07f05d..f68ec76b8d 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/checkip
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
@@ -72,7 +72,7 @@ if __name__ == '__main__':
     inputargs = parser.parse_args()
 
     # use curl to fetch data, so we can optionally use "--interface"
-    params = ['/usr/local/bin/curl']
+    params = ['/usr/local/bin/curl', '-m', '10']
     if inputargs.interface.strip() != "":
         params.append("--interface")
         params.append(inputargs.interface)

From 8f062c3a86871279f4ec201c78e3b94cb9353237 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Jun 2022 13:06:54 +0200
Subject: [PATCH 1076/3088] dns/ddclient: document changes

---
 dns/ddclient/pkg-descr | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index ff56d64fd1..c6548b9399 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -10,6 +10,8 @@ Plugin Changelog
 
 * Add a force action (also available via cron)
 * Fix expected permission on ddclient.conf
+* Make service status and stop more reliable
+* Time out checkip script after 10 seconds
 
 1.7
 

From 99c4dbd474aa4ca59ae423cf2f4b42d77d8ec3ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Wed, 29 Jun 2022 14:22:54 +0200
Subject: [PATCH 1077/3088] net-mgmt/telegraf: Allow to specify ping count
 (#2374)

Telegraf by default sends one ICMP packet, to make use of fields like
`standard_deviation_ms` or `average_response_ms` we need more than one
value.
---
 .../controllers/OPNsense/Telegraf/forms/input.xml    | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Telegraf/Input.xml       |  6 ++++++
 .../templates/OPNsense/Telegraf/telegraf.conf        |  6 ++++++
 3 files changed, 24 insertions(+)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
index 7f318d9c2b..9cd77699fc 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
@@ -91,6 +91,12 @@
         <type>checkbox</type>
         <help>Ping Hosts using IPv4 and measure the metrics.</help>
     </field>
+    <field>
+        <id>input.ping_count</id>
+        <label>Ping Count (IPv4)</label>
+        <type>text</type>
+        <help>Number of ping packets to send per interval. Corresponds to the "-c" option of the ping command.</help>
+    </field>
     <field>
         <id>input.ping_hosts</id>
         <label>Ping Hosts (IPv4)</label>
@@ -105,6 +111,12 @@
         <type>checkbox</type>
         <help>Ping Hosts using IPv6 and measure the metrics.</help>
     </field>
+    <field>
+        <id>input.ping6_count</id>
+        <label>Ping Count (IPv6)</label>
+        <type>text</type>
+        <help>Number of ping packets to send per interval. Corresponds to the "-c" option of the ping command.</help>
+    </field>
     <field>
         <id>input.ping6_hosts</id>
         <label>Ping Hosts (IPv6)</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index 3e4f6e85d0..0c7b08334a 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -63,6 +63,9 @@
             <default>0</default>
             <Required>N</Required>
         </ping>
+        <ping_count type="IntegerField">
+            <Required>N</Required>
+        </ping_count>
         <ping_hosts type="CSVListField">
             <Required>N</Required>
         </ping_hosts>
@@ -70,6 +73,9 @@
             <default>0</default>
             <Required>N</Required>
         </ping6>
+        <ping6_count type="IntegerField">
+            <Required>N</Required>
+        </ping6_count>
         <ping6_hosts type="CSVListField">
             <Required>N</Required>
         </ping6_hosts>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 51050038f9..7314590c7b 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -234,6 +234,9 @@
 {%   if helpers.exists('OPNsense.telegraf.input.ping_hosts') and OPNsense.telegraf.input.ping_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping_hosts.split(','))) + "'" }}]
 {%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.input.ping_count') and OPNsense.telegraf.input.ping_count != '' %}
+  count = {{ OPNsense.telegraf.input.ping_count }}
+{%   endif %}
 {% endif %}
 
 {% if helpers.exists('OPNsense.telegraf.input.ping6') and OPNsense.telegraf.input.ping6 == '1' %}
@@ -243,6 +246,9 @@
 {%   if helpers.exists('OPNsense.telegraf.input.ping6_hosts') and OPNsense.telegraf.input.ping6_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping6_hosts.split(','))) + "'" }}]
 {%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.input.ping6_count') and OPNsense.telegraf.input.ping6_count != '' %}
+  count = {{ OPNsense.telegraf.input.ping6_count }}
+{%   endif %}
 {% endif %}
 
 {% if helpers.exists('OPNsense.telegraf.input.haproxy') and OPNsense.telegraf.input.haproxy == '1' %}

From 22e89aaf76f82487ee192a11024bf920017e9453 Mon Sep 17 00:00:00 2001
From: windgmbh <49904312+windgmbh@users.noreply.github.com>
Date: Wed, 29 Jun 2022 14:28:20 +0200
Subject: [PATCH 1078/3088] mail/postfix: Opportunistic DANE SMTP client
 security level (#2418)

---
 mail/postfix/Makefile                                     | 2 +-
 mail/postfix/pkg-descr                                    | 4 ++++
 .../app/controllers/OPNsense/Postfix/forms/general.xml    | 8 +++++++-
 .../opnsense/mvc/app/models/OPNsense/Postfix/General.xml  | 3 ++-
 .../opnsense/service/templates/OPNsense/Postfix/main.cf   | 3 +++
 5 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index be67c238dc..41188395ee 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.22
+PLUGIN_VERSION=		1.23
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix35
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index b45544ba64..518b619e94 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.23
+
+* Add support for Opportunistic DANE as SMTP client security level
+
 1.22
 
 * Switch table format of header_checks from regexp_table to pcre_table (contributed by Starkstromkonsument)
diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 9a4eade64a..272a044679 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -123,7 +123,13 @@
         <id>general.smtpclient_security</id>
         <label>SMTP Client Security</label>
         <type>dropdown</type>
-        <help>Choose "none" to disable TLS for sending mail. Set encrypt to enforce TLS security, please do not use this for Internet wide communication as not every server supports TLS yet. Default is "may" which will use TLS when offered.</help>
+        <help><![CDATA[ 
+            <ul>
+                <li>'none' will disable TLS for sending mail.</li>
+                <li>'may' will use TLS when offered (Opportunistic TLS)</li>
+                <li>'encrypt' will enforce TLS on all connections. Please do not use this for Internet wide communication as not every server supports TLS yet.</li>
+                <li>'dane' will enforce TLS if a TLSA-Record is published (Opportunistic DANE, RFC 7672). DNSSEC-capable resolver is required.</li> 
+            </ul> ]]></help>
     </field>
     <field>
         <id>general.relayhost</id>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index 4be05625e7..5a7c0c41ac 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/postfix/general</mount>
     <description>Postfix configuration</description>
-    <version>1.2.6</version>
+    <version>1.2.7</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -98,6 +98,7 @@
                 <none>none</none>
                 <may>may</may>
                 <encrypt>encrypt</encrypt>
+                <dane>dane</dane>
             </OptionValues>
         </smtpclient_security>
         <relayhost type="TextField">
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index c4de83da01..66ccd2b115 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -89,6 +89,9 @@ smtp_tls_wrappermode = yes
 {% endif %}
 
 {% if helpers.exists('OPNsense.postfix.general.smtpclient_security') and OPNsense.postfix.general.smtpclient_security != '' %}
+{% if OPNsense.postfix.general.smtpclient_security == 'dane' %}
+smtp_dns_support_level = dnssec
+{% endif %}
 smtp_tls_security_level = {{ OPNsense.postfix.general.smtpclient_security }}
 smtp_tls_loglevel = 1
 {% endif %}

From b20cbd6c04ff41aabf55d7f62f5db4470e669997 Mon Sep 17 00:00:00 2001
From: Nuno <45106055+rare-magma@users.noreply.github.com>
Date: Wed, 29 Jun 2022 14:36:11 +0200
Subject: [PATCH 1079/3088] net-mgmt/telegraf: Add internet speed input plugin
 (#2638)

* add internet_speed input plugin

* add internet_speed input interval
---
 .../OPNsense/Telegraf/forms/input.xml          | 18 ++++++++++++++++++
 .../mvc/app/models/OPNsense/Telegraf/Input.xml | 12 ++++++++++++
 .../templates/OPNsense/Telegraf/telegraf.conf  | 10 ++++++++++
 3 files changed, 40 insertions(+)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
index 9cd77699fc..d33e5e2731 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
@@ -49,6 +49,24 @@
         <type>checkbox</type>
         <help>Read metrics about disk IO by device.</help>
     </field>
+    <field>
+        <id>input.internet_speed</id>
+        <label>Internet Speed Test</label>
+        <type>checkbox</type>
+        <help>Enable the collection of data about the internet speed on the system.</help>
+    </field>
+    <field>
+        <id>input.internet_speed_file</id>
+        <label>Internet Speed File Download</label>
+        <type>checkbox</type>
+        <help>Enable the file download speed test.</help>
+    </field>
+    <field>
+        <id>input.internet_speed_interval</id>
+        <label>Interval</label>
+        <type>text</type>
+        <help>Default internet speed test interval in seconds.</help>
+    </field>
     <field>
         <id>input.mem</id>
         <label>Memory</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index 0c7b08334a..f85b74a24f 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -35,6 +35,18 @@
             <default>1</default>
             <Required>N</Required>
         </diskio>
+       <internet_speed type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </internet_speed>
+        <internet_speed_file type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </internet_speed_file>
+        <internet_speed_interval type="IntegerField">
+            <default>360</default>
+            <Required>N</Required>
+        </internet_speed_interval>
         <mem type="BooleanField">
             <default>1</default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 7314590c7b..699fbcc9a2 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -204,6 +204,16 @@
 [[inputs.diskio]]
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.input.internet_speed') and OPNsense.telegraf.input.internet_speed == '1' %}
+[[inputs.internet_speed]]
+{% if helpers.exists('OPNsense.telegraf.input.internet_speed_file') and OPNsense.telegraf.input.internet_speed_file == '1' %}
+  enable_file_download = true
+{% endif %}
+{% if helpers.exists('OPNsense.telegraf.input.internet_speed_interval') and OPNsense.telegraf.input.internet_speed_interval != '' %}
+  interval = "{{ OPNsense.telegraf.input.internet_speed_interval }}s"
+{% endif %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.telegraf.input.mem') and OPNsense.telegraf.input.mem == '1' %}
 [[inputs.mem]]
 {% endif %}

From 40b4fb4f14a8e8bc2659aeddfdd23d3d63bb0ccb Mon Sep 17 00:00:00 2001
From: Maurice Walker <maurice@walker.earth>
Date: Wed, 29 Jun 2022 15:16:17 +0200
Subject: [PATCH 1080/3088] net/tayga: add custom IPv6 routing feature (#2313)

* Convert TAYGA virtual interface to interface group

Allows nat64 interface assignment (required for adding custom routes).

* Add nat64 interface to tayga interface group

Required because TAYGA virtual interface was converted to interface group in c350c81e49a89b9d57d3a86355907910b589a098.

* Add TAYGA configuration item to disable IPv6 route

* Add TAYGA GUI option to disable IPv6 prefix route

Required for adding custom routes.

* Add variable for disabling TAYGA IPv6 route

Required for adding custom routes.

* Add IPv6 route disable switch to TAYGA rc.d

Required for adding custom routes.

* Update TAYGA plugin to version 1.2

New feature: Custom IPv6 Routing

* Update TAYGA plugin to version 1.2

New feature: Custom IPv6 Routing

* Configure routes after TAYGA start

Required for custom routes.
---
 net/tayga/Makefile                                    |  3 +--
 net/tayga/pkg-descr                                   |  4 ++++
 net/tayga/src/etc/inc/plugins.inc.d/tayga.inc         |  4 ++--
 net/tayga/src/etc/rc.d/opnsense-tayga                 |  5 ++++-
 .../app/controllers/OPNsense/Tayga/forms/general.xml  |  6 ++++++
 .../mvc/app/models/OPNsense/Tayga/General.xml         |  6 +++++-
 .../service/conf/actions.d/actions_tayga.conf         | 11 +++++++++--
 .../opnsense/service/templates/OPNsense/Tayga/tayga   |  5 +++++
 8 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index e350d4580b..78cffb74a4 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tayga
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/tayga/pkg-descr b/net/tayga/pkg-descr
index 0ba5d319c5..4ff06aba27 100644
--- a/net/tayga/pkg-descr
+++ b/net/tayga/pkg-descr
@@ -7,6 +7,10 @@ networks where dedicated NAT64 hardware would be overkill.
 Plugin Changelog
 ================
 
+1.2
+
+* Custom IPv6 routing option
+
 1.1
 
 * Register Tayga virtual interface
diff --git a/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc b/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
index e273043341..8efe00f868 100644
--- a/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
+++ b/net/tayga/src/etc/inc/plugins.inc.d/tayga.inc
@@ -70,9 +70,9 @@ function tayga_interfaces()
         return $interfaces;
     }
     $oic = array('enable' => true);
-    $oic['if'] = 'nat64';
+    $oic['if'] = 'tayga';
     $oic['descr'] = 'Tayga';
-    $oic['type'] = 'none';
+    $oic['type'] = 'group';
     $oic['virtual'] = true;
     $oic['networks'] = array();
     $interfaces['tayga'] = $oic;
diff --git a/net/tayga/src/etc/rc.d/opnsense-tayga b/net/tayga/src/etc/rc.d/opnsense-tayga
index d86a7dca3e..d911e8a692 100755
--- a/net/tayga/src/etc/rc.d/opnsense-tayga
+++ b/net/tayga/src/etc/rc.d/opnsense-tayga
@@ -29,8 +29,11 @@ tayga_start()
         sleep 1
         ifconfig nat64 inet ${tayga_v4destination}/32 ${tayga_v4address}
         ifconfig nat64 inet6 ${tayga_v6destination}/128
-        route -6 add ${tayga_v6prefix} -interface nat64
+        ifconfig nat64 group tayga
         route -4 add ${tayga_v4pool} -interface nat64
+        if [ "$tayga_v6routedisabled" != "YES" ]; then
+            route -6 add ${tayga_v6prefix} -interface nat64
+        fi
 }
 
 tayga_stop()
diff --git a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/general.xml b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/general.xml
index 14a6c52724..db60e2fc7e 100644
--- a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/general.xml
+++ b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/general.xml
@@ -41,4 +41,10 @@
         <type>text</type>
         <help>IPv6 hosts which send traffic through Tayga will be dynamically assigned an IPv4 address from this pool. Can be any size, but each IPv6 host requires one address.</help>
     </field>
+    <field>
+        <id>general.v6routedisabled</id>
+        <label>Custom IPv6 Routing</label>
+        <type>checkbox</type>
+        <help>This is an advanced setting for selective routing scenarios. It will prevent installing the route which routes the IPv6 Prefix to Tayga. This requires assigning and locking the nat64 interface, enabling dynamic gateway policy, configuring a dynamic IPv6 gateway and adding custom routes.</help>
+    </field>
 </form>
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
index 63680a3dbb..3b8931b41a 100644
--- a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/tayga/general</mount>
     <description>Tayga configuration</description>
-    <version>0.0.4</version>
+    <version>1.2.0</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -30,5 +30,9 @@
             <default>192.168.255.0/24</default>
             <Required>Y</Required>
         </v4pool>
+        <v6routedisabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </v6routedisabled>
     </items>
 </model>
diff --git a/net/tayga/src/opnsense/service/conf/actions.d/actions_tayga.conf b/net/tayga/src/opnsense/service/conf/actions.d/actions_tayga.conf
index 5d4cf502ac..9b114dff97 100644
--- a/net/tayga/src/opnsense/service/conf/actions.d/actions_tayga.conf
+++ b/net/tayga/src/opnsense/service/conf/actions.d/actions_tayga.conf
@@ -5,13 +5,20 @@ type:script_output
 message:stopping tayga
 
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh; /usr/local/etc/rc.d/opnsense-tayga start
+command:
+    /usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh;
+    /usr/local/etc/rc.d/opnsense-tayga start;
+    /usr/local/etc/rc.routing_configure
 parameters:
 type:script_output
 message:starting tayga
 
 [restart]
-command:/usr/local/etc/rc.d/opnsense-tayga stop; /usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh; /usr/local/etc/rc.d/opnsense-tayga start
+command:
+    /usr/local/etc/rc.d/opnsense-tayga stop;
+    /usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh;
+    /usr/local/etc/rc.d/opnsense-tayga start;
+    /usr/local/etc/rc.routing_configure
 parameters:
 type:script_output
 message:restarting tayga
diff --git a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
index c84c7881d7..93cae0d9e1 100644
--- a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
+++ b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
@@ -7,6 +7,11 @@ tayga_v4pool={{ OPNsense.tayga.general.v4pool }}
 tayga_v6prefix={{ OPNsense.tayga.general.v6prefix }}
 tayga_v6address={{ OPNsense.tayga.general.v6address }}
 tayga_v6destination={{ OPNsense.tayga.general.v6destination }}
+{% if helpers.exists('OPNsense.tayga.general.v6routedisabled') and OPNsense.tayga.general.v6routedisabled == '1' %}
+tayga_v6routedisabled="YES"
+{% else %}
+tayga_v6routedisabled="NO"
+{% endif %}
 {% else %}
 tayga_enable="NO"
 {% endif %}

From 2cc80901f8564cac86fb18304677985f5dc81279 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Jun 2022 15:37:27 +0200
Subject: [PATCH 1081/3088] mail/postfix: style sweep

---
 .../mvc/app/controllers/OPNsense/Postfix/forms/general.xml    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 272a044679..35982885fa 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -123,12 +123,12 @@
         <id>general.smtpclient_security</id>
         <label>SMTP Client Security</label>
         <type>dropdown</type>
-        <help><![CDATA[ 
+        <help><![CDATA[
             <ul>
                 <li>'none' will disable TLS for sending mail.</li>
                 <li>'may' will use TLS when offered (Opportunistic TLS)</li>
                 <li>'encrypt' will enforce TLS on all connections. Please do not use this for Internet wide communication as not every server supports TLS yet.</li>
-                <li>'dane' will enforce TLS if a TLSA-Record is published (Opportunistic DANE, RFC 7672). DNSSEC-capable resolver is required.</li> 
+                <li>'dane' will enforce TLS if a TLSA-Record is published (Opportunistic DANE, RFC 7672). DNSSEC-capable resolver is required.</li>
             </ul> ]]></help>
     </field>
     <field>

From 799578e9426f72965f519403aa085611d42efa76 Mon Sep 17 00:00:00 2001
From: "Mr. Johnson" <50166184+psychogun@users.noreply.github.com>
Date: Wed, 29 Jun 2022 21:48:54 +0200
Subject: [PATCH 1082/3088] Enables basic HTTP Authentication agains
 Elasticsearch (#2703)

---
 .../controllers/OPNsense/Telegraf/forms/output.xml   | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Telegraf/Output.xml      |  6 ++++++
 .../templates/OPNsense/Telegraf/telegraf.conf        |  6 ++++++
 3 files changed, 24 insertions(+)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 0b1c1a6e4e..b627fa1e6b 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -143,6 +143,18 @@
         <type>text</type>
         <help>Set the URL where metrics shoud be sent to.</help>
     </field>
+    <field>
+        <id>output.elastic_username</id>
+        <label>Elasticsearch Username</label>
+        <type>text</type>
+        <help>Optional HTTP basic authentication details for Elasticsearch.</help>
+    </field>
+        <field>
+        <id>output.elastic_password</id>
+        <label>Elasticsearch Password</label>
+        <type>text</type>
+        <help>Optional HTTP basic authentication details for Elasticsearch.</help>
+    </field>
     <field>
         <id>output.elastic_timeout</id>
         <label>Timeout</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 7e7bdb8055..404bd8ddf0 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -70,6 +70,12 @@
         <elastic_url type="TextField">
             <Required>N</Required>
         </elastic_url>
+        <elastic_username type="TextField">
+            <Required>N</Required>
+        </elastic_username>
+        <elastic_password type="TextField">
+            <Required>N</Required>
+        </elastic_password>
         <elastic_timeout type="IntegerField">
             <default>5</default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 699fbcc9a2..619f0f6d63 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -127,6 +127,12 @@
 {%   if helpers.exists('OPNsense.telegraf.output.elastic_url') and OPNsense.telegraf.output.elastic_url != '' %}
   urls = ["{{ OPNsense.telegraf.output.elastic_url }}"]
 {%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.elastic_username') and OPNsense.telegraf.output.elastic_username != '' %}
+{%     if helpers.exists('OPNsense.telegraf.output.elastic_password') and OPNsense.telegraf.output.elastic_password != '' %}
+  username = "{{ OPNsense.telegraf.output.elastic_username }}"
+  password = "{{ OPNsense.telegraf.output.elastic_password }}"
+{%     endif %}
+{%   endif %}
 {%   if helpers.exists('OPNsense.telegraf.output.elastic_timeout') and OPNsense.telegraf.output.elastic_timeout != '' %}
   timeout = "{{ OPNsense.telegraf.output.elastic_timeout }}s"
 {%   endif %}

From 5ae5abc543b2359b1faa7aa6b6e822444db9a8cd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Jul 2022 11:24:50 +0200
Subject: [PATCH 1083/3088] dns/ddclient: clarify release notes

---
 dns/ddclient/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index c6548b9399..81cf7d70a2 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -8,7 +8,7 @@ Plugin Changelog
 
 1.8
 
-* Add a force action (also available via cron)
+* Add a force action available via cron
 * Fix expected permission on ddclient.conf
 * Make service status and stop more reliable
 * Time out checkip script after 10 seconds

From 16c91077afb01bf17336b6b28f36c1704e7707f0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Jul 2022 11:32:13 +0200
Subject: [PATCH 1084/3088] net-mgmt/telegraf: package next version

---
 net-mgmt/telegraf/Makefile  | 2 +-
 net-mgmt/telegraf/pkg-descr | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index c99b624efc..a0f9033a43 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.4
+PLUGIN_VERSION=		1.12.5
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index b7919dd38a..39bc8d6084 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,12 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.5
+
+* Add support for basic HTTP Authentication agains Elasticsearch (contributed by psychogun)
+* Add internet speed input plugin (contributed by rare-magma)
+* Allow to specify ping count (Kacper Michajlow)
+
 1.12.4
 
 * Add 5 second timeout to unbound input

From ffa4e71576d4eb1bf7e507e1368382f0107d9848 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Jul 2022 12:27:48 +0200
Subject: [PATCH 1085/3088] net/firewall: bump version for change

---
 net/firewall/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 44daa1d075..6e344f2545 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From 2c5636875531aa573da9928c0d42c5355a0c9ebb Mon Sep 17 00:00:00 2001
From: Nicola <xbb@users.noreply.github.com>
Date: Mon, 4 Jul 2022 12:47:04 +0200
Subject: [PATCH 1086/3088] sysutils/apcupsd: change minimum value for battery
 level and minutes settings (#3022)

---
 .../app/controllers/OPNsense/Apcupsd/forms/general.xml |  8 +++++---
 .../mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml        | 10 +++++-----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/forms/general.xml b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/forms/general.xml
index 0aa561920a..7fd4ff0ec7 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/forms/general.xml
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/forms/general.xml
@@ -62,8 +62,10 @@
         <id>apcupsd.general.BatteryLevel</id>
         <label>Battery Level Shutdown (%)</label>
         <type>text</type>
-        <help>Apcupsd will shutdown the system during a power failure when the remaining battery charge falls below the
-            specified percentage. (Default is 5).</help>
+        <help>
+            Apcupsd will shutdown the system during a power failure when the remaining battery charge falls below the
+            specified percentage. Set to -1 to disable. (Default is 5).
+        </help>
     </field>
     <field>
         <id>apcupsd.general.Minutes</id>
@@ -71,7 +73,7 @@
         <type>text</type>
         <help>
             Apcupsd will shutdown the system during a power failure when the remaining runtime on batteries as
-            internally calculated by the UPS falls below the specified minutes. (Default is 3)
+            internally calculated by the UPS falls below the specified minutes. Set to -1 to disable. (Default is 3)
         </help>
     </field>
     <field>
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
index cf344164f0..4d1ad8f541 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
@@ -87,23 +87,23 @@
             <BatteryLevel type="IntegerField">
                 <default>5</default>
                 <Required>Y</Required>
-                <MinimumValue>1</MinimumValue>
+                <MinimumValue>-1</MinimumValue>
                 <MaximumValue>99</MaximumValue>
-                <ValidationMessage>Battery level must be between 1 and 99 percent.</ValidationMessage>
+                <ValidationMessage>Battery level must be between -1 and 99 percent.</ValidationMessage>
             </BatteryLevel>
             <Minutes type="IntegerField">
                 <default>3</default>
                 <Required>Y</Required>
-                <MinimumValue>1</MinimumValue>
+                <MinimumValue>-1</MinimumValue>
                 <MaximumValue>60</MaximumValue>
-                <ValidationMessage>Remaining battery minutes must be between 1 and 60 minutes.</ValidationMessage>
+                <ValidationMessage>Remaining battery minutes must be between -1 and 60 minutes.</ValidationMessage>
             </Minutes>
             <Timeout type="IntegerField">
                 <default>0</default>
                 <Required>Y</Required>
                 <MinimumValue>0</MinimumValue>
                 <MaximumValue>360</MaximumValue>
-                <ValidationMessage>Timeout must be between 1 and 360 seconds.</ValidationMessage>
+                <ValidationMessage>Timeout must be between 0 and 360 seconds.</ValidationMessage>
             </Timeout>
             <Annoy type="IntegerField">
                 <default>300</default>

From a2afc161b5a47215b185b2572728a955795394dc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Jul 2022 12:48:25 +0200
Subject: [PATCH 1087/3088] sysutils/apcupsd: small mods

---
 sysutils/apcupsd/Makefile  | 2 +-
 sysutils/apcupsd/pkg-descr | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/sysutils/apcupsd/Makefile b/sysutils/apcupsd/Makefile
index 1b08a99071..4cabb532c0 100644
--- a/sysutils/apcupsd/Makefile
+++ b/sysutils/apcupsd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=        apcupsd
 PLUGIN_DEVEL=       yes
-PLUGIN_VERSION=     0.1
+PLUGIN_VERSION=     0.2
 PLUGIN_DEPENDS=     apcupsd
 PLUGIN_COMMENT=     APCUPSD - APC UPS daemon
 PLUGIN_MAINTAINER=  xbb@xbblabs.com
diff --git a/sysutils/apcupsd/pkg-descr b/sysutils/apcupsd/pkg-descr
index 28f097d83a..f7613b200c 100644
--- a/sysutils/apcupsd/pkg-descr
+++ b/sysutils/apcupsd/pkg-descr
@@ -12,9 +12,7 @@ WWW: http://www.apcupsd.org/
 Plugin Changelog
 ================
 
-1.0
-
-Initial release
+1.0 (initial release)
 
 * Apcupsd service control and configuration
 * UPS status page

From d162124a4f07f54a61b5786e9c79917267d5cc26 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 4 Jul 2022 14:36:27 +0200
Subject: [PATCH 1088/3088] Squashed commit of the following:

commit e873aa41591442e16ec0581fa8b6e8696a1821ff
Author: Ad Schellevis <ad@opnsense.org>
Date:   Mon Jul 4 14:23:32 2022 +0200

    security/stunnel: Add option to chain intermediate CAs (https://github.com/opnsense/plugins/pull/2854), better explain impact and add move to advanced

commit 1e86212ad759a10ae3c229d709a5718ab79208d5
Author: Johnny S. Lee <6614805+johnnyslee@users.noreply.github.com>
Date:   Mon Feb 21 09:52:26 2022 +0800

    security/stunnel: Allow GUI usage of restart action

    For example, we can now select "Restart Stunnel" from
    `Service/ACME-Client/Automations>Run-Command>System-or-Plugin-Command`
    in GUI.

commit 005af925b1e4c96022953757297c5a0782a81825
Author: Johnny S. Lee <6614805+johnnyslee@users.noreply.github.com>
Date:   Mon Feb 21 09:45:28 2022 +0800

    security/stunnel: Add option to chain intermediate CAs

    Add an option, defaults disabled, to chain intermediate CAs which is
    required when using ACME cert.
---
 security/stunnel/Makefile                           |  3 +--
 .../OPNsense/Stunnel/forms/dialogService.xml        | 11 +++++++++++
 .../mvc/app/models/OPNsense/Stunnel/Stunnel.xml     |  6 +++++-
 .../src/opnsense/scripts/stunnel/generate_certs.php | 13 +++++++++++--
 .../service/conf/actions.d/actions_stunnel.conf     |  1 +
 5 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index f0a6ca8a24..c27c8c3266 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		stunnel
-PLUGIN_VERSION=		1.0.4
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.0.5
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
index 2b7f7bb649..dc8008bd93 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
@@ -41,6 +41,17 @@
         <type>dropdown</type>
         <help><![CDATA[Select a certificate to use for this service.]]></help>
     </field>
+    <field>
+        <id>service.chainIntermediateCAs</id>
+        <label>Chain intermediate CAs</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+          Bundle the selected certificate with its intermediate certificate authorities together to form a certificate chain.
+          If you plan to use PKI to identify clients, you usually don't want to enable this as it expands the trust chain to all
+          certificates created by any of the parent certificates.
+          ]]></help>
+    </field>
     <field>
         <id>service.cacert</id>
         <label>CA to validate connections to</label>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index 13e2f02fd6..d81c05a6a3 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Stunnel</mount>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <description>
         Stunnel TLS encryption proxy
     </description>
@@ -81,6 +81,10 @@
                     <Type>cert</Type>
                     <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
                 </servercert>
+                <chainIntermediateCAs type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </chainIntermediateCAs>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
diff --git a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
index 908e7dd70d..7d1d8bdb45 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
+++ b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
@@ -28,6 +28,8 @@
  */
 
 require_once('plugins.inc');
+require_once('config.inc');
+require_once('certs.inc');
 require_once("legacy_bindings.inc");
 
 use OPNsense\Stunnel\Stunnel;
@@ -43,8 +45,15 @@
         $srv_certid = (string)$service->servercert;
         foreach ($configObj->cert as $cert) {
             if ($srv_certid == (string)$cert->refid) {
-                $all_certs["{$base_path}/{$this_uuid}.crt"] =
-                    base64_decode((string)$cert->crt) . "\n" . base64_decode((string)$cert->prv);
+                $all_certs["{$base_path}/{$this_uuid}.crt"] = base64_decode((string)$cert->crt);
+                if (!empty((string)$service->chainIntermediateCAs)) {
+                    $certArr = (array)$cert;
+                    $chain = ca_chain($certArr);
+                    if (!empty($chain)) {
+                        $all_certs["{$base_path}/{$this_uuid}.crt"] .= $chain;
+                    }
+                }
+                $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . base64_decode((string)$cert->prv);
             }
         }
         if (!empty((string)$service->cacert)) {
diff --git a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
index 2ab897d8d6..e869be423b 100644
--- a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
+++ b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
@@ -32,6 +32,7 @@ command:
 parameters:
 type:script
 message:stunnel service restart
+description:Restart Stunnel
 
 [status]
 command:/usr/local/etc/rc.d/stunnel status; /usr/local/etc/rc.d/identd_stunnel onestatus; exit 0

From 06a8d618fb16995a149b9cf75bf53ff679f40643 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Jul 2022 15:02:48 +0200
Subject: [PATCH 1089/3088] security/stunnel: newline for sanity in previous

---
 .../stunnel/src/opnsense/scripts/stunnel/generate_certs.php     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
index 7d1d8bdb45..a28ac69196 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
+++ b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
@@ -50,7 +50,7 @@
                     $certArr = (array)$cert;
                     $chain = ca_chain($certArr);
                     if (!empty($chain)) {
-                        $all_certs["{$base_path}/{$this_uuid}.crt"] .= $chain;
+                        $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . $chain;
                     }
                 }
                 $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . base64_decode((string)$cert->prv);

From 6ee383dffcc09f6c193784a5f8ad7eabe4137c92 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 4 Jul 2022 16:54:45 +0200
Subject: [PATCH 1090/3088] security/stunnel: remove optional setting
 chainIntermediateCAs and ship chain by default. ref
 https://github.com/opnsense/plugins/pull/2854

While working on the documentation I noticed my previous comment was wrong, which also invalidates the need for an optional setting. When it comes to the "CAfile" setting, the chain shouldn't be provided, for the listener (the server cert) it shouldn't matter at all if you ship the chain since it's not part of the authentication.

This commits simplifies https://github.com/opnsense/plugins/pull/2854 by removing the option. The current documentation online doesn't need any modifications for this.
---
 .../OPNsense/Stunnel/forms/dialogService.xml          | 11 -----------
 .../mvc/app/models/OPNsense/Stunnel/Stunnel.xml       |  6 +-----
 .../src/opnsense/scripts/stunnel/generate_certs.php   | 10 ++++------
 3 files changed, 5 insertions(+), 22 deletions(-)

diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
index dc8008bd93..2b7f7bb649 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/forms/dialogService.xml
@@ -41,17 +41,6 @@
         <type>dropdown</type>
         <help><![CDATA[Select a certificate to use for this service.]]></help>
     </field>
-    <field>
-        <id>service.chainIntermediateCAs</id>
-        <label>Chain intermediate CAs</label>
-        <type>checkbox</type>
-        <advanced>true</advanced>
-        <help><![CDATA[
-          Bundle the selected certificate with its intermediate certificate authorities together to form a certificate chain.
-          If you plan to use PKI to identify clients, you usually don't want to enable this as it expands the trust chain to all
-          certificates created by any of the parent certificates.
-          ]]></help>
-    </field>
     <field>
         <id>service.cacert</id>
         <label>CA to validate connections to</label>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index d81c05a6a3..13e2f02fd6 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Stunnel</mount>
-    <version>1.0.4</version>
+    <version>1.0.3</version>
     <description>
         Stunnel TLS encryption proxy
     </description>
@@ -81,10 +81,6 @@
                     <Type>cert</Type>
                     <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
                 </servercert>
-                <chainIntermediateCAs type="BooleanField">
-                    <default>0</default>
-                    <Required>Y</Required>
-                </chainIntermediateCAs>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
diff --git a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
index a28ac69196..4aeb667e4d 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
+++ b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
@@ -46,12 +46,10 @@
         foreach ($configObj->cert as $cert) {
             if ($srv_certid == (string)$cert->refid) {
                 $all_certs["{$base_path}/{$this_uuid}.crt"] = base64_decode((string)$cert->crt);
-                if (!empty((string)$service->chainIntermediateCAs)) {
-                    $certArr = (array)$cert;
-                    $chain = ca_chain($certArr);
-                    if (!empty($chain)) {
-                        $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . $chain;
-                    }
+                $certArr = (array)$cert;
+                $chain = ca_chain($certArr);
+                if (!empty($chain)) {
+                    $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . $chain;
                 }
                 $all_certs["{$base_path}/{$this_uuid}.crt"] .= "\n" . base64_decode((string)$cert->prv);
             }

From ec1aad4c6954dfad9379972aa5dbbcdf49c7c754 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 7 Jul 2022 08:13:38 +0200
Subject: [PATCH 1091/3088] security/stunnel: improve pkg-descr a little

---
 security/stunnel/pkg-descr | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/stunnel/pkg-descr b/security/stunnel/pkg-descr
index c25f04950c..b3f0ac87a6 100644
--- a/security/stunnel/pkg-descr
+++ b/security/stunnel/pkg-descr
@@ -1,2 +1,4 @@
-Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code.
-(https://www.stunnel.org/)
+Stunnel is a proxy designed to add TLS encryption functionality to
+existing clients and servers without any changes in the programs' code.
+
+WWW: https://www.stunnel.org/

From b31bcb92106470b3ac08bb998a7fcb2ec09df0fa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Jul 2022 15:06:37 +0200
Subject: [PATCH 1092/3088] sysutils/apcupsd: release on master as well

---
 README.md                 | 2 +-
 sysutils/apcupsd/Makefile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index f2d58028c8..f3ad155d9a 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ security/softether -- Cross-platform Multi-protocol VPN Program (development onl
 security/stunnel -- Stunnel TLS proxy
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
-sysutils/apcupsd -- APCUPSD - APC UPS daemon (development only)
+sysutils/apcupsd -- APCUPSD - APC UPS daemon
 sysutils/api-backup -- Provide the functionality to download the config.xml
 sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/boot-delay -- Apply a persistent 10 second boot delay (pending removal)
diff --git a/sysutils/apcupsd/Makefile b/sysutils/apcupsd/Makefile
index 4cabb532c0..f4c4662a07 100644
--- a/sysutils/apcupsd/Makefile
+++ b/sysutils/apcupsd/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=        apcupsd
-PLUGIN_DEVEL=       yes
-PLUGIN_VERSION=     0.2
+PLUGIN_VERSION=     1.0
 PLUGIN_DEPENDS=     apcupsd
 PLUGIN_COMMENT=     APCUPSD - APC UPS daemon
 PLUGIN_MAINTAINER=  xbb@xbblabs.com

From fb70f2ef999952d3926a222e55279c7ee3c7f72e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Jul 2022 15:08:03 +0200
Subject: [PATCH 1093/3088] sysutils/boot-delay: remove obsolete

---
 README.md                                             | 1 -
 sysutils/boot-delay/Makefile                          | 8 --------
 sysutils/boot-delay/pkg-descr                         | 4 ----
 sysutils/boot-delay/src/etc/rc.loader.d/50-boot-delay | 1 -
 4 files changed, 14 deletions(-)
 delete mode 100644 sysutils/boot-delay/Makefile
 delete mode 100644 sysutils/boot-delay/pkg-descr
 delete mode 100644 sysutils/boot-delay/src/etc/rc.loader.d/50-boot-delay

diff --git a/README.md b/README.md
index f3ad155d9a..e9400dc477 100644
--- a/README.md
+++ b/README.md
@@ -94,7 +94,6 @@ security/tor -- The Onion Router
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
 sysutils/api-backup -- Provide the functionality to download the config.xml
 sysutils/apuled -- PC Engine APU LED control (development only)
-sysutils/boot-delay -- Apply a persistent 10 second boot delay (pending removal)
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
diff --git a/sysutils/boot-delay/Makefile b/sysutils/boot-delay/Makefile
deleted file mode 100644
index e2af016999..0000000000
--- a/sysutils/boot-delay/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-PLUGIN_NAME=		boot-delay
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		Apply a persistent 10 second boot delay
-PLUGIN_MAINTAINER=	franco@opnsense.org
-PLUGIN_OBSOLETE=	Use System / Settings / Tunables: name "kern.cam.boot_delay" value "10000"
-
-.include "../../Mk/plugins.mk"
diff --git a/sysutils/boot-delay/pkg-descr b/sysutils/boot-delay/pkg-descr
deleted file mode 100644
index 498604f4df..0000000000
--- a/sysutils/boot-delay/pkg-descr
+++ /dev/null
@@ -1,4 +0,0 @@
-This plugin simply adds 10 seconds to the bootup process in order to
-wait for e.g. USB drivers / devices to become ready.  The behaviour
-matches the initial installer media behaviour, which is normally
-removed after the first successful boot.
diff --git a/sysutils/boot-delay/src/etc/rc.loader.d/50-boot-delay b/sysutils/boot-delay/src/etc/rc.loader.d/50-boot-delay
deleted file mode 100644
index cdf2a41964..0000000000
--- a/sysutils/boot-delay/src/etc/rc.loader.d/50-boot-delay
+++ /dev/null
@@ -1 +0,0 @@
-kern.cam.boot_delay="10000"

From 2f27420aeb863adf5ad992e6874da80d6c401eeb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Jul 2022 15:10:01 +0200
Subject: [PATCH 1094/3088] www/web-proxy-useracl: remove obsolete

---
 README.md                                     |   1 -
 www/web-proxy-useracl/+POST_DEINSTALL.post    |   6 -
 www/web-proxy-useracl/+POST_INSTALL.post      |   4 -
 www/web-proxy-useracl/Makefile                |   9 -
 www/web-proxy-useracl/pkg-descr               |   1 -
 .../etc/inc/plugins.inc.d/proxy_useracl.inc   |  61 ---
 .../ProxyUserACL/Api/SettingsController.php   | 363 ------------------
 .../OPNsense/ProxyUserACL/IndexController.php |  41 --
 .../OPNsense/ProxyUserACL/forms/dialogACL.xml |  44 ---
 .../OPNsense/ProxyUserACL/Menu/Menu.xml       |   7 -
 .../OPNsense/ProxyUserACL/ProxyUserACL.php    |  37 --
 .../OPNsense/ProxyUserACL/ProxyUserACL.xml    |  44 ---
 .../views/OPNsense/ProxyUserACL/index.volt    | 155 --------
 .../scripts/OPNsense/ProxyUserACL/reload.php  |  45 ---
 .../conf/actions.d/actions_proxyuseracl.conf  |   5 -
 .../templates/OPNsense/ProxyUserACL/+TARGETS  |   1 -
 .../OPNsense/ProxyUserACL/ProxyUserACL.conf   |  92 -----
 17 files changed, 916 deletions(-)
 delete mode 100644 www/web-proxy-useracl/+POST_DEINSTALL.post
 delete mode 100644 www/web-proxy-useracl/+POST_INSTALL.post
 delete mode 100644 www/web-proxy-useracl/Makefile
 delete mode 100644 www/web-proxy-useracl/pkg-descr
 delete mode 100644 www/web-proxy-useracl/src/etc/inc/plugins.inc.d/proxy_useracl.inc
 delete mode 100644 www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/Api/SettingsController.php
 delete mode 100644 www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/IndexController.php
 delete mode 100644 www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/forms/dialogACL.xml
 delete mode 100644 www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/Menu/Menu.xml
 delete mode 100644 www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/ProxyUserACL.php
 delete mode 100644 www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/ProxyUserACL.xml
 delete mode 100644 www/web-proxy-useracl/src/opnsense/mvc/app/views/OPNsense/ProxyUserACL/index.volt
 delete mode 100755 www/web-proxy-useracl/src/opnsense/scripts/OPNsense/ProxyUserACL/reload.php
 delete mode 100644 www/web-proxy-useracl/src/opnsense/service/conf/actions.d/actions_proxyuseracl.conf
 delete mode 100644 www/web-proxy-useracl/src/opnsense/service/templates/OPNsense/ProxyUserACL/+TARGETS
 delete mode 100644 www/web-proxy-useracl/src/opnsense/service/templates/OPNsense/ProxyUserACL/ProxyUserACL.conf

diff --git a/README.md b/README.md
index e9400dc477..5739985842 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,6 @@ www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
 www/nginx -- Nginx HTTP server and reverse proxy
 www/web-proxy-sso -- Kerberos authentication module
-www/web-proxy-useracl -- Group and user ACL for the web proxy (pending removal)
 ```
 
 A brief description of how to use the plugins repository
diff --git a/www/web-proxy-useracl/+POST_DEINSTALL.post b/www/web-proxy-useracl/+POST_DEINSTALL.post
deleted file mode 100644
index f1d28cf1e8..0000000000
--- a/www/web-proxy-useracl/+POST_DEINSTALL.post
+++ /dev/null
@@ -1,6 +0,0 @@
-rm -f /usr/local/etc/squid/pre-auth/ProxyUserACL.conf
-rm -f /usr/local/etc/squid/groupACL_*.txt
-rm -f /usr/local/etc/squid/userACL_*.txt
-if [ -f /var/run/squid/squid.pid ]; then
-	service squid reload
-fi
diff --git a/www/web-proxy-useracl/+POST_INSTALL.post b/www/web-proxy-useracl/+POST_INSTALL.post
deleted file mode 100644
index 06c3c6c223..0000000000
--- a/www/web-proxy-useracl/+POST_INSTALL.post
+++ /dev/null
@@ -1,4 +0,0 @@
-/usr/local/opnsense/scripts/OPNsense/ProxyUserACL/reload.php
-if [ -f /var/run/squid/squid.pid ]; then
-	service squid reload
-fi
diff --git a/www/web-proxy-useracl/Makefile b/www/web-proxy-useracl/Makefile
deleted file mode 100644
index fd340b0d19..0000000000
--- a/www/web-proxy-useracl/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-PLUGIN_NAME=		web-proxy-useracl
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	2
-PLUGIN_COMMENT=		Group and user ACL for the web proxy
-PLUGIN_OBSOLETE=	No changes since 2018
-PLUGIN_MAINTAINER=	kekek2@ya.ru
-PLUGIN_WWW=		https://smart-soft.ru
-
-.include "../../Mk/plugins.mk"
diff --git a/www/web-proxy-useracl/pkg-descr b/www/web-proxy-useracl/pkg-descr
deleted file mode 100644
index 11c11d7937..0000000000
--- a/www/web-proxy-useracl/pkg-descr
+++ /dev/null
@@ -1 +0,0 @@
-Allow users and group-based policies in the web proxy.
diff --git a/www/web-proxy-useracl/src/etc/inc/plugins.inc.d/proxy_useracl.inc b/www/web-proxy-useracl/src/etc/inc/plugins.inc.d/proxy_useracl.inc
deleted file mode 100644
index e8ef1faf98..0000000000
--- a/www/web-proxy-useracl/src/etc/inc/plugins.inc.d/proxy_useracl.inc
+++ /dev/null
@@ -1,61 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2017 Smart-Soft
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-function proxy_useracl_configure()
-{
-    return [
-        'webproxy' => ['proxy_useracl_squid_hook:2'],
-    ];
-}
-
-function proxy_useracl_squid_hook($verbose, $action)
-{
-    if (!in_array($action, ['restart', 'reload', 'start', 'stop'])) {
-        exit;
-    }
-
-    $res = configd_run('template reload OPNsense/ProxyUserACL');
-    if ($verbose) {
-        printf("template reload OPNsense/ProxyUserACL: %s\n", trim($res));
-    }
-    $res = configd_run('proxyuseracl reload');
-    if ($verbose) {
-        printf("proxyuseracl reload: %s\n", trim($res));
-    }
-}
-
-function proxy_useracl_xmlrpc_sync()
-{
-    $result = array();
-    $result['id'] = 'proxyuseracl';
-    $result['section'] = 'OPNsense.ProxyUserACL';
-    $result['description'] = gettext('Group & User Squid ACL');
-    return array($result);
-}
diff --git a/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/Api/SettingsController.php b/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/Api/SettingsController.php
deleted file mode 100644
index c788e8dca3..0000000000
--- a/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/Api/SettingsController.php
+++ /dev/null
@@ -1,363 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2017 Smart-Soft
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\ProxyUserACL\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Config;
-use OPNsense\Base\UIModelGrid;
-use OPNsense\Auth\AuthenticationFactory;
-use OPNsense\Proxy\Proxy;
-
-/**
- * Class SettingsController Handles settings related API actions for the ProxyUserACL
- * @package OPNsense\ProxySSO
- */
-class SettingsController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'proxyuseracl';
-    protected static $internalModelClass = '\OPNsense\ProxyUserACL\ProxyUserACL';
-
-    /**
-     *
-     * search ACL
-     * @return array
-     */
-    public function searchACLAction()
-    {
-        $this->sessionClose();
-        $mdlProxyUserACL = $this->getModel();
-        $grid = new UIModelGrid($mdlProxyUserACL->general->ACLs->ACL);
-        return $grid->fetchBindRequest(
-            $this->request,
-            array('Group', 'Name', 'Domains', 'Black', 'Priority', 'uuid'),
-            'Priority'
-        );
-    }
-
-    /**
-     *
-     * add ACL
-     * @return array
-     */
-    public function addACLAction()
-    {
-        $result = array("result" => "failed");
-        if ($this->request->isPost() && $this->request->hasPost("ACL")) {
-            $result = array("result" => "failed", "validations" => array());
-            $mdlProxyUserACL = $this->getModel();
-            $post = $this->request->getPost("ACL");
-            $post["Hex"] = $this->strToHex($post["Name"]);
-
-            $count = count($mdlProxyUserACL->general->ACLs->ACL->getNodes());
-            if ($post["Priority"] > $count) {
-                $post["Priority"] = $count;
-            }
-            foreach ($mdlProxyUserACL->general->ACLs->ACL->sortedBy("Priority", true) as $acl) {
-                $key = $acl->getAttributes()["uuid"];
-                $priority = (string)$mdlProxyUserACL->general->ACLs->ACL->{$key}->Priority;
-                if ($priority < $post["Priority"]) {
-                    break;
-                }
-                $mdlProxyUserACL->general->ACLs->ACL->{$key}->Priority = (string)($priority + 1);
-            }
-            $node = $mdlProxyUserACL->general->ACLs->ACL->Add();
-            $node->setNodes($post);
-            $find = $this->checkName($post["Name"], $post["Group"]);
-            if ($find !== true) {
-                $result["validations"]["ACL.Name"] = $find;
-            }
-            $valMsgs = $mdlProxyUserACL->performValidation();
-
-            foreach ($valMsgs as $field => $msg) {
-                $fieldnm = str_replace($node->__reference, "ACL", $msg->getField());
-                $result["validations"][$fieldnm] = $msg->getMessage();
-            }
-
-            if (count($result['validations']) <= 0) {
-                // save config if validated correctly
-                $mdlProxyUserACL->serializeToConfig();
-                Config::getInstance()->save();
-                return array("result" => "saved");
-            }
-            return $result;
-        }
-        return $result;
-    }
-
-    /**
-     *
-     * get ACL
-     * @return array
-     */
-    public function getACLAction($uuid = null)
-    {
-        $mdlProxyUserACL = $this->getModel();
-        if ($uuid == null) {
-            // generate new node, but don't save to disc
-            $node = $mdlProxyUserACL->general->ACLs->ACL->add();
-            return array("ACL" => $node->getNodes());
-        }
-
-        $node = $mdlProxyUserACL->getNodeByReference('general.ACLs.ACL.' . $uuid);
-        if ($node != null) {
-            return array("ACL" => $node->getNodes());
-        }
-
-        return array();
-    }
-
-    /**
-     *
-     * set ACL
-     * @return array
-     */
-    public function setACLAction($uuid)
-    {
-        $result = array("result" => "failed");
-        if ($this->request->isPost() && $this->request->hasPost("ACL")) {
-            $mdlProxyUserACL = $this->getModel();
-            if ($uuid != null) {
-                $node = $mdlProxyUserACL->getNodeByReference('general.ACLs.ACL.' . $uuid);
-                if ($node != null) {
-                    $result = array("result" => "failed", "validations" => array());
-                    $ACLInfo = $this->request->getPost("ACL");
-                    $ACLInfo["Hex"] = $this->strToHex($ACLInfo["Name"]);
-                    $old_priority = (string)$node->Priority;
-                    $new_priority = $ACLInfo["Priority"];
-
-                    if ($new_priority < $old_priority) {
-                        if ($new_priority < 0) {
-                            $new_priority = 0;
-                        }
-
-                        foreach ($mdlProxyUserACL->general->ACLs->ACL->sortedBy("Priority", true) as $acl) {
-                            $key = $acl->getAttributes()["uuid"];
-                            $priority = (string)$mdlProxyUserACL->general->ACLs->ACL->{$key}->Priority;
-                            if ($priority < $new_priority) {
-                                break;
-                            }
-                            if ($priority >= $old_priority) {
-                                continue;
-                            }
-                            $mdlProxyUserACL->general->ACLs->ACL->{$key}->Priority = (string)($priority + 1);
-                        }
-                    } elseif (($new_priority > $old_priority)) {
-                        $count = count($mdlProxyUserACL->general->ACLs->ACL->getNodes());
-                        if ($new_priority >= $count) {
-                            $new_priority = $count - 1;
-                            $ACLInfo["Priority"] = $new_priority;
-                        }
-                        foreach ($mdlProxyUserACL->general->ACLs->ACL->sortedBy("Priority") as $acl) {
-                            $key = $acl->getAttributes()["uuid"];
-                            $priority = (string)$mdlProxyUserACL->general->ACLs->ACL->{$key}->Priority;
-                            if ($priority > $new_priority) {
-                                break;
-                            }
-                            if ($priority <= $old_priority) {
-                                continue;
-                            }
-                            $mdlProxyUserACL->general->ACLs->ACL->{$key}->Priority = (string)($priority - 1);
-                        }
-                    }
-                    $node->setNodes($ACLInfo);
-                    $find = $this->checkName($ACLInfo["Name"], $ACLInfo["Group"]);
-                    if ($find !== true) {
-                        $result["validations"]["ACL.Name"] = $find;
-                    }
-                    $valMsgs = $mdlProxyUserACL->performValidation();
-                    foreach ($valMsgs as $field => $msg) {
-                        $fieldnm = str_replace($node->__reference, "ACL", $msg->getField());
-                        $result["validations"][$fieldnm] = $msg->getMessage();
-                    }
-
-                    if (count($result['validations']) > 0) {
-                        return $result;
-                    }
-
-                    // save config if validated correctly
-                    $mdlProxyUserACL->serializeToConfig();
-                    Config::getInstance()->save();
-                    return array("result" => "saved");
-                }
-            }
-        }
-        return $result;
-    }
-
-    /**
-     *
-     * del ACL
-     * @return array
-     */
-    public function delACLAction($uuid)
-    {
-        $result = array("result" => "failed");
-        if ($this->request->isPost() && $uuid != null) {
-            $mdlProxyUserACL = $this->getModel();
-            if ($mdlProxyUserACL->general->ACLs->ACL->del($uuid)) {
-                // if item is removed, serialize to config and save
-                $this->repackPriority();
-                $mdlProxyUserACL->serializeToConfig();
-                Config::getInstance()->save();
-                $result['result'] = 'deleted';
-            } else {
-                $result['result'] = 'not found';
-            }
-        }
-
-        return $result;
-    }
-
-    /**
-     *
-     * Change ACL priority
-     * @param $uuid item unique id
-     * @return array
-     */
-    public function updownACLAction($uuid)
-    {
-        $result = array("result" => "failed");
-        if ($this->request->isPost() && $uuid != null && $this->request->hasPost("command")) {
-            $mdlProxyUserACL = $this->getModel();
-            $count = $this->repackPriority();
-            $nodes = $mdlProxyUserACL->general->ACLs->ACL->getNodes();
-            $acl = $nodes[$uuid];
-            $priority = $acl["Priority"];
-            switch ($this->request->getPost("command")) {
-                case "up":
-                    $new_priority = $priority - 1;
-                    if ($new_priority < 0) {
-                        return array("result" => "success");
-                    }
-                    break;
-
-                case "down":
-                    $new_priority = $priority + 1;
-                    if ($new_priority >= $count) {
-                        return array("result" => "success");
-                    }
-                    break;
-
-                default:
-                    return array("result" => "failed");
-            }
-            foreach ($nodes as $key => $node) {
-                if ($node["Priority"] == $new_priority) {
-                    $mdlProxyUserACL->general->ACLs->ACL->{$key}->Priority = (string)$priority;
-                    $mdlProxyUserACL->general->ACLs->ACL->{$uuid}->Priority = (string)$new_priority;
-                    $mdlProxyUserACL->serializeToConfig();
-                    Config::getInstance()->save();
-                    return array('result' => 'success');
-                }
-            }
-        }
-        return $result;
-    }
-
-    private function checkName($user, $search)
-    {
-        $authFactory = new AuthenticationFactory();
-        $servers = $authFactory->listServers();
-
-        foreach (explode(',', (new Proxy())->forward->authentication->method) as $method) {
-            if ($method == "") {
-                return gettext("No authentication method selected");
-            }
-            $server = $servers[$method];
-            switch ($server["type"]) {
-                case "ldap":
-                    if (!isset($server["ldap_binddn"])) {
-                        return gettext("LDAP user name is not specified");
-                    }
-
-                    if (!isset($server["ldap_bindpw"])) {
-                        return gettext("LDAP user password is not specified");
-                    }
-
-                    $ldapBindURL = strstr($server['ldap_urltype'], "Standard") ? "ldap://" : "ldaps://";
-                    $ldapBindURL .= strpos($server['host'], "::") !== false ? "[{$server['host']}]" : $server['host'];
-                    $ldapBindURL .= !empty($server['ldap_port']) ? ":{$server['ldap_port']}" : "";
-                    $ldap_auth_server = $authFactory->get($server["name"]);
-                    if (
-                        $ldap_auth_server->connect(
-                            $ldapBindURL,
-                            $server["ldap_binddn"],
-                            $server["ldap_bindpw"]
-                        ) == false
-                    ) {
-                        return gettext("Error connecting to LDAP server");
-                    }
-
-                    try {
-                        $users = $ldap_auth_server->searchUsers($user, $server["ldap_attr_user"]);
-                    } catch (\Exception $e) {
-                        break;
-                    }
-                    if ($users !== false && count($users) > 0) {
-                        return true;
-                    }
-                    break;
-
-                case "local":
-                    foreach (Config::getInstance()->object()->system->{"$search"} as $item) {
-                        if ($user == (string)$item->name) {
-                            return true;
-                        }
-                    }
-                    break;
-
-                default:
-                    break;
-            }
-        }
-        return sprintf(gettext('The %s %s does not exist'), $search, $user);
-    }
-
-    private function repackPriority()
-    {
-        $mdlProxyUserACL = $this->getModel();
-        $count = 0;
-        foreach ($mdlProxyUserACL->general->ACLs->ACL->sortedBy("Priority") as $node) {
-            $key = $node->getAttributes()["uuid"];
-            $mdlProxyUserACL->general->ACLs->ACL->{$key}->Priority = (string)$count++;
-        }
-        return $count;
-    }
-
-    private function strToHex($string)
-    {
-        $hex = '';
-        for ($i = 0; $i < strlen($string); $i++) {
-            $hex .= dechex(ord($string[$i]));
-        }
-        return $hex;
-    }
-}
diff --git a/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/IndexController.php b/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/IndexController.php
deleted file mode 100644
index 46d1e0005d..0000000000
--- a/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/IndexController.php
+++ /dev/null
@@ -1,41 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2017 Smart-Soft
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\ProxyUserACL;
-
-class IndexController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        // pick the template to serve to our users.
-        $this->view->pick('OPNsense/ProxyUserACL/index');
-        $this->view->formDialogACL = $this->getForm("dialogACL");
-    }
-}
diff --git a/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/forms/dialogACL.xml b/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/forms/dialogACL.xml
deleted file mode 100644
index ac8aca7aff..0000000000
--- a/www/web-proxy-useracl/src/opnsense/mvc/app/controllers/OPNsense/ProxyUserACL/forms/dialogACL.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<form>
-    <field>
-        <id>ACL.Name</id>
-        <label>Name</label>
-        <type>text</type>
-        <help>Enter a name of user/group. Group name is case sensitive.</help>
-    </field>
-    <field>
-        <id>ACL.Priority</id>
-        <label>Priority</label>
-        <type>text</type>
-        <help>Rule priority</help>
-    </field>
-    <field>
-        <id>ACL.Group</id>
-        <label>Group/User</label>
-        <type>dropdown</type>
-        <help>Group or User ACL</help>
-    </field>
-    <field>
-        <id>ACL.Black</id>
-        <label>Black/White</label>
-        <type>dropdown</type>
-        <help>Black or White list</help>
-    </field>
-    <field>
-        <id>ACL.Domains</id>
-        <label>Domains</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <help><![CDATA[Destination domains.<br/>
-        You may use a regular expression, use a comma or press Enter for new item.<br/>
-        <div class="alert alert-info">
-            <b>Examples:</b><br/>
-            <b class="text-primary">mydomain.com</b> -> matches on <b>*.mydomain.com</b><br/>
-            <b class="text-primary">^https?:\/\/([a-zA-Z]+)\.mydomain\.</b> -> matches on <b>http(s)://textONLY.mydomain.*</b><br/>
-            <b class="text-primary">\.gif$</b> -> matches on <b>\*.gif</b> but not on <b class="text-danger">\*.gif\test</b><br/>
-            <b class="text-primary">\[0-9]+\.gif$</b> -> matches on <b>\123.gif</b> but not on <b class="text-danger">\test.gif</b><br/>
-        </div>
-        <div class="text-info"><b>TIP: </b>You can also paste a comma separated list into this field.</div>]]></help>
-        <hint>Regular expressions are allowed.</hint>
-    </field>
-</form>
diff --git a/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/Menu/Menu.xml b/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/Menu/Menu.xml
deleted file mode 100644
index 395d8c5031..0000000000
--- a/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/Menu/Menu.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<menu>
-    <Services>
-        <WebProxy>
-            <ProxyUserACL VisibleName="Groups and Users" order="30" url="/ui/proxyuseracl"/>
-        </WebProxy>
-    </Services>
-</menu>
diff --git a/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/ProxyUserACL.php b/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/ProxyUserACL.php
deleted file mode 100644
index 9474512a87..0000000000
--- a/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/ProxyUserACL.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2017 Smart-Soft
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\ProxyUserACL;
-
-use OPNsense\Base\BaseModel;
-
-class ProxyUserACL extends BaseModel
-{
-}
diff --git a/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/ProxyUserACL.xml b/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/ProxyUserACL.xml
deleted file mode 100644
index 162fb04d30..0000000000
--- a/www/web-proxy-useracl/src/opnsense/mvc/app/models/OPNsense/ProxyUserACL/ProxyUserACL.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<model>
-    <mount>//OPNsense/ProxyUserACL</mount>
-    <version>1.0.0</version>
-    <description>
-        Group and User ACL settings
-    </description>
-    <items>
-        <general>
-            <ACLs>
-                <ACL type="ArrayField">
-                    <Name type="TextField">
-                        <Required>Y</Required>
-                    </Name>
-                    <Hex type="TextField">
-                        <Required>Y</Required>
-                    </Hex>
-                    <Domains type="CSVListField">
-                        <Required>N</Required>
-                    </Domains>
-                    <Black type="OptionField">
-                        <Required>Y</Required>
-                        <default>Black</default>
-                        <OptionValues>
-                            <deny>Black</deny>
-                            <allow>White</allow>
-                        </OptionValues>
-                    </Black>
-                    <Priority type="IntegerField">
-                        <default>0</default>
-                        <Required>Y</Required>
-                    </Priority>
-                    <Group type="OptionField">
-                        <Required>Y</Required>
-                        <default>group</default>
-                        <OptionValues>
-                            <group>Group</group>
-                            <user>User</user>
-                        </OptionValues>
-                    </Group>
-                </ACL>
-            </ACLs>
-        </general>
-    </items>
-</model>
diff --git a/www/web-proxy-useracl/src/opnsense/mvc/app/views/OPNsense/ProxyUserACL/index.volt b/www/web-proxy-useracl/src/opnsense/mvc/app/views/OPNsense/ProxyUserACL/index.volt
deleted file mode 100644
index e8cd10d716..0000000000
--- a/www/web-proxy-useracl/src/opnsense/mvc/app/views/OPNsense/ProxyUserACL/index.volt
+++ /dev/null
@@ -1,155 +0,0 @@
-{#
-Copyright (C) 2017 Smart-Soft
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice,
-   this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-   notice, this list of conditions and the following disclaimer in the
-   documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
-
-<script>
-
-    $(document).ready(function () {
-        grid = $("#grid-acl").UIBootgrid(
-            {
-                'search': '/api/proxyuseracl/settings/searchACL',
-                'get': '/api/proxyuseracl/settings/getACL/',
-                'set': '/api/proxyuseracl/settings/setACL/',
-                'add': '/api/proxyuseracl/settings/addACL/',
-                'del': '/api/proxyuseracl/settings/delACL/',
-                'toggle': '/api/proxyuseracl/settings/toggleACL/',
-                options: {
-                    formatters: {
-                        "commands": function (column, row) {
-                            return "<button type=\"button\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
-                                "<button type=\"button\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
-                                "<button type=\"button\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
-                        },
-                        "rowtoggle": function (column, row) {
-                            if (parseInt(row[column.id], 2) == 1) {
-                                return "<span style=\"cursor: pointer;\" class=\"fa fa-check-square-o command-toggle\" data-value=\"1\" data-row-id=\"" + row.uuid + "\"></span>";
-                            } else {
-                                return "<span style=\"cursor: pointer;\" class=\"fa fa-square-o command-toggle\" data-value=\"0\" data-row-id=\"" + row.uuid + "\"></span>";
-                            }
-                        },
-                        "boolean": function (column, row) {
-                            if (parseInt(row[column.id], 2) == 1) {
-                                return "<span class=\"fa fa-check\" data-value=\"1\" data-row-id=\"" + row.uuid + "\"></span>";
-                            } else {
-                                return "<span class=\"fa fa-times\" data-value=\"0\" data-row-id=\"" + row.uuid + "\"></span>";
-                            }
-                        },
-                        "updown": function (column, row) {
-                            return "<button type=\"button\" class=\"btn btn-xs btn-default command-updown\" data-row-id=\"" + row.uuid + "\" data-command=\"up\"><span class=\"fa fa-arrow-up\"></span></button> " +
-                                "<button type=\"button\" class=\"btn btn-xs btn-default command-updown\" data-row-id=\"" + row.uuid + "\" data-command=\"down\"><span class=\"fa fa-arrow-down\"></span></button>";
-                        },
-                    }
-                }
-            }
-        );
-
-        grid.on("loaded.rs.jquery.bootgrid", function () {
-            grid.find(".command-updown").on("click", function () {
-                ajaxCall(url = "/api/proxyuseracl/settings/updownACL/" + $(this).data("row-id"), sendData = {"command": $(this).data("command")}, callback = function () {
-                    $("#grid-acl").bootgrid("reload");
-                });
-            }).end();
-
-            grid.find("*[data-action=add]").click(function () {
-                $("#btn_DialogACL_save_progress").removeClass("fa fa-spinner fa-pulse");
-                $("#btn_DialogACL_save").click(function () {
-                    $("#btn_DialogACL_save_progress").addClass("fa fa-spinner fa-pulse");
-                    var old_handleFormValidation = window.handleFormValidation;
-                    window.handleFormValidation = function (parent, validationErrors) {
-                        $("#btn_DialogACL_save_progress").removeClass("fa fa-spinner fa-pulse");
-                        window.handleFormValidation = old_handleFormValidation;
-                        handleFormValidation(parent, validationErrors);
-                    }
-                });
-            }).end();
-        });
-
-        $("#reconfigureAct").click(function () {
-            $("#reconfigureAct_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url = "/api/proxy/service/reconfigure", sendData = {}, callback = function (data, status) {
-                // when done, disable progress animation.
-                $("#reconfigureAct_progress").removeClass("fa fa-spinner fa-pulse");
-
-                if (status != "success" || data['status'] != 'ok') {
-                    BootstrapDialog.show({
-                        type: BootstrapDialog.TYPE_WARNING,
-                        title: "Error reconfiguring proxy",
-                        message: data['status'],
-                        draggable: true
-                    });
-                }
-            });
-        });
-    });
-</script>
-
-<div id="acl">
-    <table id="acl-content">
-        <tr>
-            <td colspan="2">
-                <table id="grid-acl" class="table table-condensed table-hover table-striped table-responsive"
-                       data-editDialog="DialogACL">
-                    <thead>
-                    <tr>
-                        <th data-column-id="Priority" data-width="10em" data-type="string" data-sortable="false"
-                            data-visible="true">{{ lang._('Number') }}</th>
-                        <th data-column-id="Group" data-width="10em" data-type="string"
-                            data-sortable="false">{{ lang._('Group') }}</th>
-                        <th data-column-id="Black" data-width="10em" data-type="string"
-                            data-sortable="false">{{ lang._('Black') }}</th>
-                        <th data-column-id="Name" data-type="string"
-                            data-sortable="false">{{ lang._('Name') }}</th>
-                        <th data-column-id="Domains" data-type="string" data-sortable="false"
-                            data-visible="true">{{ lang._('Domains') }}</th>
-                        <th data-column-id="updown" data-width="7em" data-formatter="updown"
-                            data-sortable="false">{{ lang._('Priority') }}</th>
-                        <th data-column-id="commands" data-width="7em" data-formatter="commands"
-                            data-sortable="false">{{ lang._('Commands') }}</th>
-                    </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                    <tr>
-                        <td></td>
-                        <td>
-                            <button data-action="add" type="button" class="btn btn-xs btn-default"><span
-                                        class="fa fa-plus"></span></button>
-                            <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span
-                                        class="fa fa-trash-o"></span></button>
-                        </td>
-                    </tr>
-                    </tfoot>
-                </table>
-            </td>
-        </tr>
-    </table>
-</div>
-<button class="btn btn-primary" id="reconfigureAct" type="button"><b>{{ lang._('Apply') }}</b><i
-            id="reconfigureAct_progress" class=""></i></button>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogACL,'id':'DialogACL','label':lang._('Edit user/group white and black lists')]) }}
diff --git a/www/web-proxy-useracl/src/opnsense/scripts/OPNsense/ProxyUserACL/reload.php b/www/web-proxy-useracl/src/opnsense/scripts/OPNsense/ProxyUserACL/reload.php
deleted file mode 100755
index 753ed937db..0000000000
--- a/www/web-proxy-useracl/src/opnsense/scripts/OPNsense/ProxyUserACL/reload.php
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/env php
-<?php
-
-/**
- *    Copyright (C) 2017 Smart-Soft
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-require_once('script/load_phalcon.php');
-
-use OPNsense\ProxyUserACL\ProxyUserACL;
-use OPNsense\Core\Config;
-
-$mdlProxyUserACL = new ProxyUserACL();
-$domain = strtoupper((string) Config::getInstance()->object()->system->domain);
-
-array_map('unlink', glob("/usr/local/etc/squid/ACL_useracl_*.txt"));
-foreach ($mdlProxyUserACL->getNodeByReference('general.ACLs.ACL')->getNodes() as $acl) {
-    file_put_contents("/usr/local/etc/squid/ACL_useracl_" .
-        $acl["Priority"] . ".txt", $acl["Name"] . "\n" .
-        ($acl["Group"]["user"]["selected"] == "1" ? $acl["Name"] . "@" . $domain . "\n" : ""));
-}
diff --git a/www/web-proxy-useracl/src/opnsense/service/conf/actions.d/actions_proxyuseracl.conf b/www/web-proxy-useracl/src/opnsense/service/conf/actions.d/actions_proxyuseracl.conf
deleted file mode 100644
index 2cddc83b89..0000000000
--- a/www/web-proxy-useracl/src/opnsense/service/conf/actions.d/actions_proxyuseracl.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[reload]
-command:/usr/local/opnsense/scripts/OPNsense/ProxyUserACL/reload.php
-parameters:
-type:script
-message:reload web proxy user acl
diff --git a/www/web-proxy-useracl/src/opnsense/service/templates/OPNsense/ProxyUserACL/+TARGETS b/www/web-proxy-useracl/src/opnsense/service/templates/OPNsense/ProxyUserACL/+TARGETS
deleted file mode 100644
index 65d5f705db..0000000000
--- a/www/web-proxy-useracl/src/opnsense/service/templates/OPNsense/ProxyUserACL/+TARGETS
+++ /dev/null
@@ -1 +0,0 @@
-ProxyUserACL.conf:/usr/local/etc/squid/auth/ProxyUserACL.conf
diff --git a/www/web-proxy-useracl/src/opnsense/service/templates/OPNsense/ProxyUserACL/ProxyUserACL.conf b/www/web-proxy-useracl/src/opnsense/service/templates/OPNsense/ProxyUserACL/ProxyUserACL.conf
deleted file mode 100644
index a5c48fe0a7..0000000000
--- a/www/web-proxy-useracl/src/opnsense/service/templates/OPNsense/ProxyUserACL/ProxyUserACL.conf
+++ /dev/null
@@ -1,92 +0,0 @@
-{% set ldap = [] %}
-{% set local = [] %}
-{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method != '' %}
-{%      for method in OPNsense.proxy.forward.authentication.method.split(",") %}
-{%          if method == "Local Database" %}
-{%              if local.append("1") %}
-{%              endif %}
-{%          else %}
-{%              for server in helpers.toList('system.authserver') %}
-{%                  if server.type == 'ldap' and server.name == method %}
-{%                      if ldap.append(server) %}
-{%                      endif %}
-{%                  endif %}
-{%              endfor %}
-{%          endif %}
-{%      endfor %}
-{% endif %}
-
-{% if helpers.exists('OPNsense.ProxyUserACL.general.ACLs.ACL') %}
-{%      for ACL in helpers.toList('OPNsense.ProxyUserACL.general.ACLs.ACL') %}
-{%          if ACL.Group == "group" %}
-{%              if ldap|length == 1 %}
-{%                  if helpers.exists('OPNsense.ProxySSO.EnableSSO') and OPNsense.ProxySSO.EnableSSO == '1' %}
-external_acl_type ext_group_ldap_{{ ACL.Priority}} ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -a -t {{ ACL.Hex }} -D {{ system.domain|upper }}
-acl group_ldap_{{ACL.Priority}} external ext_group_ldap_{{ ACL.Priority }}
-{%                  else %}
-{%                      for authcn in ldap[0].ldap_authcn.split(";") %}
-{%                          if ldap[0].ldap_attr_user == 'cn' %}
-external_acl_type ext_ldap_{{ ACL.Priority }}_{{ loop.index }} ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -R -b "{{ldap[0].ldap_basedn}}" -f "(&(cn=%a)(memberUid=%u))" -D "{{ldap[0].ldap_binddn}}" -w "{{ldap[0].ldap_bindpw}}" -p "{{ldap[0].ldap_port}}" "{{ldap[0].host}}"
-{%                          else %}
-external_acl_type ext_ldap_{{ ACL.Priority }}_{{ loop.index }} ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -R -b "{{ldap[0].ldap_basedn}}" -f "(&({{ldap[0].ldap_attr_user}}=%u)(memberOf=cn=%a,{{authcn}}))" -D "{{ldap[0].ldap_binddn}}" -w "{{ldap[0].ldap_bindpw}}" -p "{{ldap[0].ldap_port}}" "{{ldap[0].host}}"
-{%                          endif %}
-acl group_ldap_{{ACL.Priority}}_{{ loop.index }} external ext_ldap_{{ ACL.Priority }}_{{ loop.index }} "/usr/local/etc/squid/ACL_useracl_{{ ACL.Priority }}.txt"
-{%                      endfor %}
-{%                  endif %}
-{%              endif %}
-{%              if local|length == 1 %}
-external_acl_type ext_group_local_{{ ACL.Priority }} ttl=300 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_unix_group_acl -p
-acl group_local_{{ACL.Priority}} external ext_group_local_{{ ACL.Priority }} "/usr/local/etc/squid/ACL_useracl_{{ ACL.Priority }}.txt"
-{%              endif %}
-{%          else %}
-acl user_{{ACL.Priority}} proxy_auth "/usr/local/etc/squid/ACL_useracl_{{ ACL.Priority }}.txt"
-{%          endif %}
-{%          if ldap|length == 1 or local|length == 1 %}
-{%              for element in ACL.Domains.split(",") %}
-{%                  if '^' in element or '\\' in element or '$' in element or '[' in element %}
-acl domains_{{ACL.Priority}} url_regex {{element|encode_idna}}
-{%                  else %}
-acl domains_{{ACL.Priority}} url_regex {{element|encode_idna|replace(".","\.")}}
-{%                  endif %}
-{%              endfor %}
-{%          endif %}
-{%      endfor %}
-{% endif %}
-
-{% if helpers.exists('OPNsense.ProxyUserACL.general.ACLs.ACL') and (ldap|length == 1 or local|length == 1) %}
-{%      for priority in range(0,helpers.toList('OPNsense.ProxyUserACL.general.ACLs.ACL')|length) %}
-{%	        for ACL in helpers.toList('OPNsense.ProxyUserACL.general.ACLs.ACL') %}
-{%              if ACL.Priority == priority|string %}
-{%                  if ACL.Group == "group" %}
-{%                      if ldap|length == 1 %}
-{%		                if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod {{ACL.Black}} group_ldap_{{ACL.Priority}} domains_{{ACL.Priority}}
-adaptation_access request_mod  {{ACL.Black}} group_ldap_{{ACL.Priority}} domains_{{ACL.Priority}}
-{%			                endif %}
-{%                          if helpers.exists('OPNsense.ProxySSO.EnableSSO') and OPNsense.ProxySSO.EnableSSO == '1' %}
-http_access {{ACL.Black}} group_ldap_{{ACL.Priority}} domains_{{ACL.Priority}}
-{%			                else %}
-{%                              for authcn in ldap[0].ldap_authcn.split(";") %}
-http_access {{ACL.Black}} group_ldap_{{ACL.Priority}}_{{ loop.index }} domains_{{ACL.Priority}}
-{%			                    endfor %}
-{%			                endif %}
-{%			            endif %}
-{%                      if local|length == 1 %}
-{%			                if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod {{ACL.Black}} group_local_{{ACL.Priority}} domains_{{ACL.Priority}}
-adaptation_access request_mod  {{ACL.Black}} group_local_{{ACL.Priority}} domains_{{ACL.Priority}}
-{%			                endif %}
-http_access {{ACL.Black}} group_local_{{ACL.Priority}} domains_{{ACL.Priority}}
-{%			            endif %}
-{%                  else %}
-{%	                if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod {{ACL.Black}} user_{{ACL.Priority}} domains_{{ACL.Priority}}
-adaptation_access request_mod  {{ACL.Black}} user_{{ACL.Priority}} domains_{{ACL.Priority}}
-{%		                endif %}
-http_access {{ACL.Black}} user_{{ACL.Priority}} domains_{{ACL.Priority}}
-{%		            endif %}
-{%                  break %}
-{%		        endif %}
-{%	        endfor %}
-{%	    endfor %}
-{% endif %}

From 307b8d995a905fad3b9c49a9a9a9d4b414dc100e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Jul 2022 10:53:12 +0200
Subject: [PATCH 1095/3088] plugins: switch to 22.7

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 534214e2ff..372a645f89 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -57,7 +57,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	22.1
+PLUGIN_ABI?=	22.7
 .endif
 
 PHPBIN=		${LOCALBASE}/bin/php

From a427756cf2092a30d67d9d843a45bc8420848088 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Wed, 13 Jul 2022 15:20:24 +0200
Subject: [PATCH 1096/3088] security/crowdsec: v1.0 (#3030)

---
 security/crowdsec/+POST_INSTALL.post          |  7 ---
 security/crowdsec/+POST_INSTALL.pre           | 10 ++++
 security/crowdsec/Makefile                    |  4 +-
 security/crowdsec/pkg-descr                   |  5 ++
 security/crowdsec/src/etc/rc.d/oscrowdsec     | 39 ++++++-------
 .../OPNsense/CrowdSec/forms/general.xml       |  2 +-
 .../app/models/OPNsense/CrowdSec/General.xml  |  2 +-
 .../app/views/OPNsense/CrowdSec/general.volt  | 56 +++++++++++++++++--
 .../scripts/OPNsense/CrowdSec/hub-upgrade.sh  |  9 ++-
 9 files changed, 90 insertions(+), 44 deletions(-)
 create mode 100755 security/crowdsec/+POST_INSTALL.pre

diff --git a/security/crowdsec/+POST_INSTALL.post b/security/crowdsec/+POST_INSTALL.post
index 0c4a006aa4..4c5abec40a 100755
--- a/security/crowdsec/+POST_INSTALL.post
+++ b/security/crowdsec/+POST_INSTALL.post
@@ -1,10 +1,3 @@
 #!/bin/sh
 
-# the configuration file used in reconfigure (i.e. settings.json) may eventually
-# have credentials, so we create a directory to contain it -- the directory
-# permissions will be copied to the file while generating the jinja template.
-
-# shellcheck disable=SC2174
-mkdir -p -m 0700 /usr/local/etc/crowdsec/opnsense
-
 configctl crowdsec reconfigure
diff --git a/security/crowdsec/+POST_INSTALL.pre b/security/crowdsec/+POST_INSTALL.pre
new file mode 100755
index 0000000000..e43e481438
--- /dev/null
+++ b/security/crowdsec/+POST_INSTALL.pre
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# The configuration file used in reconfigure (i.e. settings.json) may eventually
+# have credentials, so we need to restrict its permissions. We do so by pre-creating
+# the directory, and the template package will use its permissions while creating the file.
+# If we do that in setup.sh, the file already exists with bad permissions.
+
+# shellcheck disable=SC2174
+mkdir -p -m 0700 /usr/local/etc/crowdsec/opnsense
+
diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index fb0653f197..20e019df1b 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,7 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		0.2
-PLUGIN_DEVEL=		yes
-#PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.0
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index cc35c3abe3..e7b571f603 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0
+
+* first non-devel release
+* changed service restart to reload on hub update; fixed "service oscrowdsec status"
+
 0.2
 
 * first published release
diff --git a/security/crowdsec/src/etc/rc.d/oscrowdsec b/security/crowdsec/src/etc/rc.d/oscrowdsec
index a64dc0d38b..04a7e8c7b3 100755
--- a/security/crowdsec/src/etc/rc.d/oscrowdsec
+++ b/security/crowdsec/src/etc/rc.d/oscrowdsec
@@ -8,6 +8,7 @@
 # BEFORE:  DAEMON
 # KEYWORD: shutdown
 
+# shellcheck disable=SC1091
 . /etc/rc.subr
 
 name="oscrowdsec"
@@ -15,7 +16,7 @@ rcvar="oscrowdsec_enable"
 
 load_rc_config $name
 
-: ${oscrowdsec_enable="NO"}
+: "${oscrowdsec_enable="NO"}"
 
 
 oscrowdsec_start () {
@@ -36,13 +37,6 @@ oscrowdsec_start () {
     else
         service crowdsec_firewall stop || :
     fi
-
-# XXX should complain if they were not stopped?
-#    service crowdsec status
-#    if [ $? -eq 0 ]; then
-#       debug "oscrowdsec_start: crowdsec is still running"
-#       return 0
-#    fi
 }
 
 oscrowdsec_stop () {
@@ -50,8 +44,6 @@ oscrowdsec_stop () {
 
     service crowdsec stop || :
     service crowdsec_firewall stop || :
-
-    # XXX should complain if they were running and have not been stopped?
 }
 
 oscrowdsec_restart () {
@@ -61,23 +53,28 @@ oscrowdsec_restart () {
 
 oscrowdsec_status () {
     # return error if at least one program is not running
-    ret=0
+    service crowdsec status
+    ret=$?
 
-    if service crowdsec status; then
-        ret=$?
-    fi
-
-    if service crowdsec_firewall status; then
-        if [ $ret -eq 0 ]; then
-            ret=$?
-        fi
+    if ! service crowdsec_firewall status; then
+        ret=1
     fi
     return $ret
 }
 
 oscrowdsec_reload () {
-    # Here we take it easy. the bouncer does not even support reload
-    oscrowdsec_restart
+    if service crowdsec enabled; then
+      if service crowdsec status >/dev/null 2>&1; then
+          service crowdsec reload
+      else
+          service crowdsec restart
+      fi
+    fi
+
+    if service crowdsec_firewall enabled; then
+      # the bouncer does not support reload
+      service crowdsec_firewall restart
+    fi
 }
 
 case $1 in
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
index 596c3b3e92..f154c544ad 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
@@ -15,7 +15,7 @@
     <label>Enable LAPI</label>
     <type>checkbox</type>
     <help>Enable/disable the CrowdSec Local API. Keep this enabled unless you
-      connect to a LAPI on another machine</help>
+      connect to a LAPI on another machine.</help>
   </field>
 
   <!-- firewall_bouncer_enabled -->
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index 16d3b3632d..d71245d0d5 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>0.2</version>
+  <version>1.0</version>
   <items>
 
     <agent_enabled type="BooleanField">
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index 4952bfb18c..3a91e9adee 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -49,6 +49,8 @@
 
 <div class="content-box tab-content">
     <div id="introduction" class="tab-pane fade in active">
+        <h1>Introduction</h1>
+
         <p>This plugin installs a CrowdSec agent/<a href="https://doc.crowdsec.net/docs/next/local_api/intro">LAPI</a>
         node, and a <a href="https://docs.crowdsec.net/docs/bouncers/firewall/">Firewall Bouncer</a>.</p>
 
@@ -63,9 +65,16 @@
         <a href="https://doc.crowdsec.net/docs/next/user_guides/multiserver_setup">any other agent</a>
         connected to the same LAPI node. Other types of remediation are possible (ex. captcha test for scraping attempts).</p>
 
+	We recommend you to <a href="https://app.crowdsec.net/">register to the Console</a>. This helps you manage your instances,
+	and us to have better overall metrics.
+
         <p>Please refer to the <a href="https://crowdsec.net/blog/category/tutorial/">tutorials</a> to explore
         the possibilities.</p>
 
+        <p>For the latest plugin documentation, including how to use it with an external LAPI, see <a
+        href="https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec_opnsense">Install
+        CrowdSec (OPNsense)</a></p>
+
         <p>A few remarks:</p>
 
         <ul>
@@ -85,8 +94,7 @@
                 like you would on vanilla freebsd, the plugin takes care of that.
             </li>
             <li>
-                The parsers, scenarios and all objects from the <a href="https://hub.crowdsec.net/">CrowdSec Hub</a>
-                are periodically upgraded. The
+                The parsers, scenarios and all plugins from the Hub are periodically upgraded. The
                 <a href="https://hub.crowdsec.net/author/crowdsecurity/collections/freebsd">crowdsecurity/freebsd</a> and
                 <a href="https://hub.crowdsec.net/author/crowdsecurity/collections/opnsense">crowdsecurity/opnsense</a>
                 collections are installed by default.
@@ -94,10 +102,7 @@
         </ul>
 
         <div>
-            <a class="btn btn-default btn-info" href="https://doc.crowdsec.net/">
-                crowdsec.net
-            </a>
-            <a class="btn btn-default btn-info" href="https://doc.crowdsec.net/">
+            <a class="btn btn-default btn-info" href="https://doc.crowdsec.net/docs/intro">
                 Documentation
             </a>
             <a class="btn btn-default btn-info" href="https://crowdsec.net/blog/">
@@ -111,6 +116,45 @@
             </a>
         </div>
 
+        <h1>Installation</h1>
+
+        <p>
+            On the Settings tab, you can expose CrowdSec to the LAN for other servers by changing `LAPI listen address`.
+            Otherwise, leave the defualt value.
+        </p>
+
+        <p>
+            Select the first three checkboxes: IDS, LAPI and IPS. Click Apply. If you need to restart, you can do so
+            from the <a href="/status_services.php">System > Diagnostics > Services</a> page.
+        </p>
+
+        <h1>Test the plugin</h1>
+
+        <p>
+            A quick way to test that everything is working correctly is to
+            execute the following command.
+        </p>
+
+        <p>
+            Your ssh session should freeze and you should be kicked out from
+            the firewall. You will not be able to connect to it (from the same
+            IP address) for two minutes.
+        </p>
+
+        <p>
+            It might be a good idea to have a secondary IP from which you can
+            connect, should anything go wrong.
+	</p>
+
+	<pre><code>[root@OPNsense ~]# cscli decisions add -t ban -d 2m -i </code></pre>
+
+	<p>
+	    This is a more secure way to test than attempting to brute-force
+	    yourself: the default ban period is 4 hours, and Crowdsec reads the
+	    logs from the beginning, so it could ban you even if you failed ssh
+	    login 10 times in 30 seconds two hours before installing it.
+	</p>
+
         <div>
             <a class="btn btn-default btn-info" href="https://github.com/crowdsecurity/crowdsec">
                 GitHub
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
index b57e86bb10..7b14772a9b 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
@@ -1,17 +1,16 @@
 #!/bin/sh
 
+/usr/local/bin/cscli --error hub update \
+    && /usr/local/bin/cscli --error hub upgrade
+
 if [ ! -e "/usr/local/etc/crowdsec/collections/opnsense.yaml" ]; then
     /usr/local/bin/cscli --error collections install crowdsecurity/opnsense
 fi
 
-/usr/local/bin/cscli --error hub update \
-    && /usr/local/bin/cscli --error hub upgrade
-
 if service crowdsec enabled; then
-    # have to check status explicitly because "restart" can set $? = 0 even when failing
     if ! service crowdsec status >/dev/null 2>&1; then
         service crowdsec start >/dev/null 2>&1 || :
     else
-        service crowdsec restart >/dev/null 2>&1 || :
+        service crowdsec reload >/dev/null 2>&1 || :
     fi
 fi

From 31a7d5d5b3a1a375d42b6f29579b7087f9191417 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Jul 2022 15:31:59 +0200
Subject: [PATCH 1097/3088] security/crowdsec: style and sync

---
 README.md                           | 2 +-
 security/crowdsec/+POST_INSTALL.pre | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5739985842..2efc92f751 100644
--- a/README.md
+++ b/README.md
@@ -79,7 +79,7 @@ net-mgmt/zabbix-agent -- Zabbix monitoring agent
 net-mgmt/zabbix-proxy -- Zabbix monitoring proxy
 security/acme-client -- ACME Client
 security/clamav -- Antivirus engine for detecting malicious threats
-security/crowdsec -- Lightweight and collaborative security engine (development only)
+security/crowdsec -- Lightweight and collaborative security engine
 security/etpro-telemetry -- ET Pro Telemetry Edition
 security/intrusion-detection-content-et-open -- IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
 security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (needs a valid subscription)
diff --git a/security/crowdsec/+POST_INSTALL.pre b/security/crowdsec/+POST_INSTALL.pre
index e43e481438..e5733ae4a3 100755
--- a/security/crowdsec/+POST_INSTALL.pre
+++ b/security/crowdsec/+POST_INSTALL.pre
@@ -7,4 +7,3 @@
 
 # shellcheck disable=SC2174
 mkdir -p -m 0700 /usr/local/etc/crowdsec/opnsense
-

From 835f72cc23dfcf0b35bd0c3ffa48817076a6e11d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Jul 2022 08:22:28 +0200
Subject: [PATCH 1098/3088] mail/postfix: fix missing dh parameter file on 22.7

---
 mail/postfix/Makefile                                     | 1 +
 .../data/OPNsense/Postfix/dh-parameters.2048.rfc7919      | 8 ++++++++
 .../opnsense/service/templates/OPNsense/Postfix/main.cf   | 4 ++--
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 mail/postfix/src/opnsense/data/OPNsense/Postfix/dh-parameters.2048.rfc7919

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 41188395ee..d583c2f043 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		postfix
 PLUGIN_VERSION=		1.23
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix35
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/src/opnsense/data/OPNsense/Postfix/dh-parameters.2048.rfc7919 b/mail/postfix/src/opnsense/data/OPNsense/Postfix/dh-parameters.2048.rfc7919
new file mode 100644
index 0000000000..9b182b7201
--- /dev/null
+++ b/mail/postfix/src/opnsense/data/OPNsense/Postfix/dh-parameters.2048.rfc7919
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 66ccd2b115..7ad6a1c279 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -127,11 +127,11 @@ smtpd_tls_CAfile = /etc/ssl/cert.pem
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
 {% elif OPNsense.postfix.general.tls_server_compatibility == 'intermediate' %}
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
+smtpd_tls_dh1024_param_file = /usr/local/opnsense/data/OPNsense/Postfix/dh-parameters.2048.rfc7919
 smtpd_tls_mandatory_ciphers = medium
 {% elif OPNsense.postfix.general.tls_server_compatibility == 'old' %}
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
+smtpd_tls_dh1024_param_file = /usr/local/opnsense/data/OPNsense/Postfix/dh-parameters.2048.rfc7919
 smtpd_tls_mandatory_ciphers = low
 {% endif %}
 smtpd_tls_protocols = $smtpd_tls_mandatory_protocols

From abf01bff99e019b31792cf3489372f07e0c33653 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Jul 2022 08:29:00 +0200
Subject: [PATCH 1099/3088] www/nginx: include missing dh parameter file on
 22.7

---
 www/nginx/Makefile                                  |  2 +-
 .../data/OPNsense/Nginx/dh-parameters.4096.rfc7919  | 13 +++++++++++++
 .../service/templates/OPNsense/Nginx/http.conf      |  2 +-
 .../service/templates/OPNsense/Nginx/streams.conf   |  2 +-
 .../service/templates/OPNsense/Nginx/webgui.conf    |  2 +-
 5 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 www/nginx/src/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 3ddb8eabb7..14fe6e55ea 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.28
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919 b/www/nginx/src/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919
new file mode 100644
index 0000000000..3cf0fcbc01
--- /dev/null
+++ b/www/nginx/src/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 735bab34d2..4b4e0886bc 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -111,7 +111,7 @@ server {
     ssl_certificate_key /usr/local/etc/nginx/key/{{ single_servername }}.key;
     ssl_certificate /usr/local/etc/nginx/key/{{ single_servername }}.pem;
     ssl_protocols {{ server.tls_protocols.replace(',', ' ') }};
-    ssl_dhparam /usr/local/etc/dh-parameters.4096;
+    ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
 {%     if server.tls_ciphers is defined and server.tls_ciphers != '' %}
     ssl_ciphers {{ server.tls_ciphers }};
 {%     endif %}
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index 25c6c2ce27..3076099bc3 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -75,7 +75,7 @@
         ssl_certificate_key /usr/local/etc/nginx/key/{{ server['@uuid'] }}.key;
         ssl_certificate /usr/local/etc/nginx/key/{{ server['@uuid'] }}.pem;
         ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_dhparam /usr/local/etc/dh-parameters.4096;
+        ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
         ssl_ciphers 'ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256';
         ssl_session_timeout 1d;
         ssl_session_cache shared:sslcache{{ server['@uuid'].replace('-','') }}:50m;
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
index 0990b5393c..3288fe4069 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
@@ -11,7 +11,7 @@ server {
   listen 80 default_server; # if redirect is enabled
   listen {% if system.webgui.port is defined and system.webgui.port != '' %}{{ system.webgui.port }}{% else %}443{% endif %} ssl http2 default_server;
   ## TLS configuration
-  ssl_dhparam /usr/local/etc/dh-parameters.4096;
+  ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
   ssl_ecdh_curve secp384r1;
   ssl_certificate /var/etc/cert.pem;
   ssl_certificate_key /var/etc/cert.pem;

From 19c614ee00a39dcbe0b313bab6a91b621838d7b9 Mon Sep 17 00:00:00 2001
From: Gavin Chappell <2798739+g-a-c@users.noreply.github.com>
Date: Fri, 15 Jul 2022 21:31:29 +0100
Subject: [PATCH 1100/3088] Re-order function parameters due to PHP8
 deprecation notice

This changes the parameters for four functions in HAProxy.php.

The ACME Client appears to call these functions with positional rather than named params
so also switch the order of the parameters in these function calls in
---
 .../app/models/OPNsense/HAProxy/HAProxy.php   | 28 +++++++++----------
 .../AcmeClient/Api/SettingsController.php     | 10 +++----
 2 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
index 1028b45b36..f4c18dc4d2 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
@@ -138,19 +138,19 @@ public function getByAclID($uuid)
     /**
      * create a new ACL
      * @param string $name
-     * @param string $description
      * @param string $expression
+     * @param string $description
      * @param string $negate
      * @param hash $parameters
      * @return string
      */
-    public function newAcl($name, $description = "", $expression, $negate = "0", $parameters = array())
+    public function newAcl($name, $expression, $description = "", $negate = "0", $parameters = array())
     {
         $acl = $this->acls->acl->Add();
         $uuid = $acl->getAttributes()['uuid'];
         $acl->name = $name;
-        $acl->description = $description;
         $acl->expression = $expression;
+        $acl->description = $description;
         $acl->negate = $negate;
         foreach ($parameters as $key => $value) {
             $acl->$key = $value;
@@ -161,11 +161,11 @@ public function newAcl($name, $description = "", $expression, $negate = "0", $pa
     /**
      * create a new action
      * @param string $name
-     * @param string $description
      * @param string $testType
+     * @param string $type
+     * @param string $description
      * @param string $linkedAcls
      * @param string $operator
-     * @param string $type
      * @param string $useBackend
      * @param string $useServer
      * @param string $actionName
@@ -173,16 +173,16 @@ public function newAcl($name, $description = "", $expression, $negate = "0", $pa
      * @param string $actionValue
      * @return string
      */
-    public function newAction($name, $description = "", $testType, $linkedAcls = "", $operator = "and", $type, $parameters = array())
+    public function newAction($name, $testType, $type, $description = "", $linkedAcls = "", $operator = "and", $parameters = array())
     {
         $action = $this->actions->action->Add();
         $uuid = $action->getAttributes()['uuid'];
         $action->name = $name;
-        $action->description = $description;
         $action->testType = $testType;
+        $action->type = $type;
+        $action->description = $description;
         $action->linkedAcls = $linkedAcls;
         $action->operator = $operator;
-        $action->type = $type;
         foreach ($parameters as $key => $value) {
             $action->$key = $value;
         }
@@ -192,24 +192,24 @@ public function newAction($name, $description = "", $testType, $linkedAcls = "",
     /**
      * create a new server
      * @param string $name
-     * @param string $description
      * @param string $address
      * @param string $port
      * @param string $mode
+     * @param string $description
      * @param string $ssl
      * @param string $sslVerify
      * @param string $weight
      * @return string
      */
-    public function newServer($name, $description = "", $address, $port, $mode, $ssl = "0", $sslVerify = "1", $weight = "")
+    public function newServer($name, $address, $port, $mode, $description = "", $ssl = "0", $sslVerify = "1", $weight = "")
     {
         $srv = $this->servers->server->Add();
         $uuid = $srv->getAttributes()['uuid'];
         $srv->name = $name;
-        $srv->description = $description;
         $srv->address = $address;
         $srv->port = $port;
         $srv->mode = $mode;
+        $srv->description = $description;
         $srv->ssl = $ssl;
         $srv->sslVerify = $sslVerify;
         $srv->weight = $weight;
@@ -220,22 +220,22 @@ public function newServer($name, $description = "", $address, $port, $mode, $ssl
      * create a new backend
      * @param string $enabled
      * @param string $name
-     * @param string $description
      * @param string $mode
      * @param string $algorithm
+     * @param string $description
      * @param string $linkedServers
      * @param string $linkedActions
      * @return string
      */
-    public function newBackend($enabled = "0", $name, $description = "", $mode, $algorithm, $linkedServers = "", $linkedActions = "")
+    public function newBackend($enabled = "0", $name, $mode, $algorithm, $description = "", $linkedServers = "", $linkedActions = "")
     {
         $backend = $this->backends->backend->Add();
         $uuid = $backend->getAttributes()['uuid'];
         $backend->enabled = $enabled;
         $backend->name = $name;
-        $backend->description = $description;
         $backend->mode = $mode;
         $backend->algorithm = $algorithm;
+        $backend->description = $description;
         $backend->linkedServers = $linkedServers;
         $backend->linkedActions = $linkedActions;
         return $uuid;
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index c8bef98053..ece257456a 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -263,8 +263,8 @@ public function fetchHAProxyIntegrationAction()
                     // Add a new HAProxy ACL
                     $acl_uuid = $mdlHAProxy->newAcl(
                         "find_acme_challenge",
-                        "Added by ACME Client plugin",
                         "path_beg",
+                        "Added by ACME Client plugin",
                         "0",
                         array("path_beg" => "/.well-known/acme-challenge/")
                     );
@@ -273,9 +273,9 @@ public function fetchHAProxyIntegrationAction()
                     $backend_uuid = $mdlHAProxy->newBackend(
                         "1",
                         "acme_challenge_backend",
-                        "Added by ACME Client plugin",
                         "http",
                         "source",
+                        "Added by ACME Client plugin",
                         "",
                         ""
                     );
@@ -283,11 +283,11 @@ public function fetchHAProxyIntegrationAction()
                     // Add a new HAProxy action
                     $action_uuid = $mdlHAProxy->newAction(
                         "redirect_acme_challenges",
-                        "Added by ACME Client plugin",
                         "if",
+                        "use_backend",
+                        "Added by ACME Client plugin",
                         "",
                         "and",
-                        "use_backend",
                         // Use the new backend uuid in field "useBackend"
                         array("use_backend" => $backend_uuid)
                     );
@@ -298,10 +298,10 @@ public function fetchHAProxyIntegrationAction()
                     // Add a new HAProxy server
                     $server_uuid = $mdlHAProxy->newServer(
                         "acme_challenge_host",
-                        "Added by ACME Client plugin",
                         "127.0.0.1",
                         $acme_port,
                         "active",
+                        "Added by ACME Client plugin",
                         "0",
                         "0",
                         ""

From ad0905e5751d367c09d50d8101837170a57f1299 Mon Sep 17 00:00:00 2001
From: Gavin Chappell <2798739+g-a-c@users.noreply.github.com>
Date: Fri, 15 Jul 2022 21:52:43 +0100
Subject: [PATCH 1101/3088] missed one function

---
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php    | 6 +++---
 .../OPNsense/AcmeClient/Api/SettingsController.php          | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
index f4c18dc4d2..5218c256e6 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
@@ -218,23 +218,23 @@ public function newServer($name, $address, $port, $mode, $description = "", $ssl
 
     /**
      * create a new backend
-     * @param string $enabled
      * @param string $name
      * @param string $mode
      * @param string $algorithm
+     * @param string $enabled
      * @param string $description
      * @param string $linkedServers
      * @param string $linkedActions
      * @return string
      */
-    public function newBackend($enabled = "0", $name, $mode, $algorithm, $description = "", $linkedServers = "", $linkedActions = "")
+    public function newBackend($name, $mode, $algorithm, $enabled = "0", $description = "", $linkedServers = "", $linkedActions = "")
     {
         $backend = $this->backends->backend->Add();
         $uuid = $backend->getAttributes()['uuid'];
-        $backend->enabled = $enabled;
         $backend->name = $name;
         $backend->mode = $mode;
         $backend->algorithm = $algorithm;
+        $backend->enabled = $enabled;
         $backend->description = $description;
         $backend->linkedServers = $linkedServers;
         $backend->linkedActions = $linkedActions;
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index ece257456a..d91f9cfd3f 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -271,10 +271,10 @@ public function fetchHAProxyIntegrationAction()
 
                     // Add a new HAProxy backend
                     $backend_uuid = $mdlHAProxy->newBackend(
-                        "1",
                         "acme_challenge_backend",
                         "http",
                         "source",
+                        "1",
                         "Added by ACME Client plugin",
                         "",
                         ""

From 0be58a3abbad1ea1518a8b810cd6261b7bf5d878 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 20 Jul 2022 12:40:17 +0200
Subject: [PATCH 1102/3088] devel/debug: try our luck here with version 9

---
 devel/debug/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index febb5db935..ddbc36c4b5 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -3,7 +3,7 @@ PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
-			phpunit7-php${PLUGIN_PHP} \
+			phpunit9-php${PLUGIN_PHP} \
 			py${PLUGIN_PYTHON}-pycodestyle \
 			p5-File-Slurp git
 PLUGIN_MAINTAINER=	franco@opnsense.org

From d27499dbccfc3fdb07bfbd8510cc6ab96a946960 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 27 Jul 2022 08:57:27 +0200
Subject: [PATCH 1103/3088] net/freeradius: Remove TTLS-GTC from default eap
 type (#3052)

---
 net/freeradius/Makefile                                       | 3 +--
 net/freeradius/pkg-descr                                      | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml   | 1 -
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 9758324361..7b07c95672 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.19
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.9.20
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 9e2092f874..48342d041a 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.20
+
+* Remove TTLS-GTC from Default EAP Type (#2421)
+
 1.9.19
 
 * Allow to use LDAP in inner-tunnel (needed for LDAP authentication within 802.1X)
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 6ff7fece79..c44c58ed39 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -13,7 +13,6 @@
                 <peap>PEAP</peap>
                 <tls>TLS</tls>
                 <ttls>TTLS</ttls>
-                <ttls-gtc>TTLS-GTC</ttls-gtc>
             </OptionValues>
         </default_eap_type>
         <elliptic_curve type="OptionField">

From 4025ed6571e2879173c3782854b3bb20a66e1966 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 26 Jul 2022 17:17:39 +0200
Subject: [PATCH 1104/3088] acme-client: Add Active24 challenge type

---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsActive24.php   | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsActive24.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 3fc1b06600..f1cb926658 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -130,6 +130,16 @@
         <type>text</type>
         <help>The time in seconds to wait for all the TXT records to take effect after adding them to the DNS API. Defaults to 120 seconds.</help>
     </field>
+    <field>
+        <label>Active24</label>
+        <type>header</type>
+        <style>table_dns table_dns_active24</style>
+    </field>
+    <field>
+        <id>validation.dns_active24_token</id>
+        <label>Token</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Alwaysdata</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsActive24.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsActive24.php
new file mode 100644
index 0000000000..4b26d1bcf6
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsActive24.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * ACTIVE24 API
+ * @package OPNsense\AcmeClient
+ */
+class DnsActive24 extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ACTIVE24_Token'] = (string)$this->config->dns_active24_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 8a9c50de41..b442a838d1 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -419,6 +419,7 @@
                         <dns_1984hosting>1984Hosting API</dns_1984hosting>
                         <dns_acmedns>ACME DNS API</dns_acmedns>
                         <dns_acmeproxy>Acmeproxy API</dns_acmeproxy>
+                        <dns_active24>Active24 API</dns_active24>
                         <dns_ad>Alwaysdata.com API</dns_ad>
                         <dns_ali>aliyun.com API</dns_ali>
                         <dns_kas>All-Inkl.com domain API</dns_kas>
@@ -507,6 +508,9 @@
                     <ValidationMessage>Please specify a value between 1 and 84600.</ValidationMessage>
                     <Required>Y</Required>
                 </dns_sleep>
+                <dns_active24_token type="TextField">
+                    <Required>N</Required>
+                </dns_active24_token>
                 <dns_ad_key type="TextField">
                     <Required>N</Required>
                 </dns_ad_key>

From 472aace9396b045ac3f3b8ed2c6ddd5d2ce4ca42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikolaj=20Brinch=20J=C3=B8rgensen?=
 <nikolajbrinch@gmail.com>
Date: Wed, 27 Jul 2022 14:54:15 +0200
Subject: [PATCH 1105/3088] Added Simply.com (used to be UnoEuro). There is an
 open PR in acme.sh DEV branch #3978, that fixes dns for simply, since they
 removed support for the old UnoEuro REST API (V1) in favour of V2 that uses
 Basic Auth. (#2888)

security/acme-client: Add Simply.com DNS API
---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsSimply.php     | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index f1cb926658..ee96f90006 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1107,6 +1107,21 @@
         <label>User</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Simply.com</label>
+        <type>header</type>
+        <style>table_dns table_dns_simply</style>
+    </field>
+    <field>
+        <id>validation.dns_simply_api_key</id>
+        <label>API Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_simply_account_name</id>
+        <label>Account Name</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Vscale</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php
new file mode 100644
index 0000000000..547926092d
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * simply DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsSimply extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['SIMPLY_ApiKey'] = (string)$this->config->dns_simply_api_key;
+        $this->acme_env['SIMPLY_AccountName'] = (string)$this->config->dns_simply_account_name;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b442a838d1..4b01dfa582 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -490,6 +490,7 @@
                         <dns_selectel>selectel.com / selectel.ru domain API</dns_selectel>
                         <dns_selfhost>Selfhost API</dns_selfhost>
                         <dns_servercow>Servercow API v1</dns_servercow>
+                        <dns_simply>Simply.com API</dns_simply>
                         <dns_transip>Transip API</dns_transip>
                         <dns_unoeuro>UnoEuro API</dns_unoeuro>
                         <dns_variomedia>Variomedia.de API</dns_variomedia>
@@ -948,6 +949,12 @@
                 <dns_servercow_password type="TextField">
                     <Required>N</Required>
                 </dns_servercow_password>
+                <dns_simply_api_key type="TextField">
+                    <Required>N</Required>
+                </dns_simply_api_key>
+                <dns_simply_account_name type="TextField">
+                    <Required>N</Required>
+                </dns_simply_account_name>
                 <dns_transip_username type="TextField">
                     <Required>N</Required>
                 </dns_transip_username>

From 5119e66a0fd9aba5b3e82f8b0d509aec55932902 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 27 Jul 2022 14:55:59 +0200
Subject: [PATCH 1106/3088] security/acme-client: fix copyright information,
 refs #2888

---
 .../app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php
index 547926092d..f6b5476a9b 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSimply.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2022 Nikolaj Brinch Jørgensen
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

From ecbf0bfafa7c89f2699ad4f3c29276afa1444d80 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 27 Jul 2022 15:04:57 +0200
Subject: [PATCH 1107/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index e43cc7d263..86944b5d69 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.11
+PLUGIN_VERSION=		3.12
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 2ca43dc00d..5fd3b9223c 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,15 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.12
+
+Added:
+* Add Simply.com DNS API (#2888)
+* Add Active24 challenge type (#3049)
+
+Fixed:
+* Re-order function parameters due to PHP8 deprecation notice (#3043)
+
 3.11
 
 Fixed:

From 6d5604e4060eb59dc906747ccc60c1ad39d4758c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 27 Jul 2022 15:52:59 +0200
Subject: [PATCH 1108/3088] security/acme-client: add support for Cloudflare
 Zone ID, closes #2973

---
 security/acme-client/pkg-descr                              | 1 +
 .../OPNsense/AcmeClient/forms/dialogValidation.xml          | 6 ++++++
 .../app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php  | 4 ++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 3 +++
 4 files changed, 14 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 5fd3b9223c..40cb4205c0 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 Added:
 * Add Simply.com DNS API (#2888)
 * Add Active24 challenge type (#3049)
+* Add support for Zone ID in Cloudflare challenge type (#2973)
 
 Fixed:
 * Re-order function parameters due to PHP8 deprecation notice (#3043)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index ee96f90006..0d6d449c55 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -263,6 +263,12 @@
         <type>password</type>
         <help>The token needs "Read" access to Zone.Zone and "Edit" access to Zone.DNS across all zones from an account.</help>
     </field>
+    <field>
+        <id>validation.dns_cf_zone_id</id>
+        <label>CF Zone ID (Optional)</label>
+        <type>text</type>
+        <help>Note that specifying a Zone ID will limit this configuration to a single domain.</help>
+    </field>
     <field>
         <label>ClouDNS</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php
index 3f6f735e01..107a09f6eb 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsCf.php
@@ -45,5 +45,9 @@ public function prepare()
         // Restricted API token (recommended)
         $this->acme_env['CF_Token'] = (string)$this->config->dns_cf_token;
         $this->acme_env['CF_Account_ID'] = (string)$this->config->dns_cf_account_id;
+        // Optional Zone ID
+        if (!empty((string)$this->config->dns_cf_zone_id)) {
+            $this->acme_env['CF_Zone_ID'] = (string)$this->config->dns_cf_zone_id;
+        }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 4b01dfa582..19e5cd911f 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -560,6 +560,9 @@
                 <dns_cf_account_id type="TextField">
                     <Required>N</Required>
                 </dns_cf_account_id>
+                <dns_cf_zone_id type="TextField">
+                    <Required>N</Required>
+                </dns_cf_zone_id>
                 <dns_cloudns_auth_id type="TextField">
                     <Required>N</Required>
                 </dns_cloudns_auth_id>

From b773bfec8773cffb15b5859e240ae91b591f7803 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 27 Jul 2022 16:05:22 +0200
Subject: [PATCH 1109/3088] security/acme-client: simplyfi DNS service names

There is simply no point in repeating the 'API' word over and
over again for every DNS service.
---
 security/acme-client/pkg-descr                |   3 +
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 274 +++++++++---------
 2 files changed, 140 insertions(+), 137 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 40cb4205c0..80eefd1933 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,6 +18,9 @@ Added:
 Fixed:
 * Re-order function parameters due to PHP8 deprecation notice (#3043)
 
+Changed:
+* simplyfi DNS service names
+
 3.11
 
 Fixed:
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 19e5cd911f..c5c7c4a979 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -416,90 +416,90 @@
                     <Required>Y</Required>
                     <default>dns_freedns</default>
                     <OptionValues>
-                        <dns_1984hosting>1984Hosting API</dns_1984hosting>
-                        <dns_acmedns>ACME DNS API</dns_acmedns>
-                        <dns_acmeproxy>Acmeproxy API</dns_acmeproxy>
-                        <dns_active24>Active24 API</dns_active24>
-                        <dns_ad>Alwaysdata.com API</dns_ad>
-                        <dns_ali>aliyun.com API</dns_ali>
-                        <dns_kas>All-Inkl.com domain API</dns_kas>
-                        <dns_arvan>ArvanCloud API</dns_arvan>
-                        <dns_autodns>AutoDNS (InterNetX) API</dns_autodns>
+                        <dns_1984hosting>1984Hosting</dns_1984hosting>
+                        <dns_acmedns>ACME DNS</dns_acmedns>
+                        <dns_acmeproxy>Acmeproxy</dns_acmeproxy>
+                        <dns_active24>Active24</dns_active24>
+                        <dns_ad>Alwaysdata.com</dns_ad>
+                        <dns_ali>aliyun.com</dns_ali>
+                        <dns_kas>All-Inkl.com</dns_kas>
+                        <dns_arvan>ArvanCloud</dns_arvan>
+                        <dns_autodns>AutoDNS (InterNetX)</dns_autodns>
                         <dns_aws>AWS Route 53</dns_aws>
-                        <dns_azure>Azure DNS API</dns_azure>
-                        <dns_cloudns>ClouDNS API</dns_cloudns>
-                        <dns_cf>CloudFlare.com API</dns_cf>
-                        <dns_cx>CloudXNS.com API</dns_cx>
-                        <dns_cn>Core-Networks API</dns_cn>
-                        <dns_cpanel>cPanel API</dns_cpanel>
-                        <dns_cyon>cyon.ch API</dns_cyon>
-                        <dns_ddnss>DDNSS API</dns_ddnss>
-                        <dns_desec>deSEC.io API</dns_desec>
-                        <dns_dgon>DigitalOcean API</dns_dgon>
-                        <dns_da>DirectAdmin API</dns_da>
-                        <dns_dnsimple>DNSimple API</dns_dnsimple>
-                        <dns_domeneshop>Domeneshop API</dns_domeneshop>
-                        <dns_me>DNSMadeEasy.com API</dns_me>
-                        <dns_dp>DNSPod.cn API</dns_dp>
-                        <dns_doapi>Domain-Offensive LetsEncrypt API</dns_doapi>
-                        <dns_do>Domain-Offensive Resellerinterface/Domainrobot API</dns_do>
-                        <dns_dreamhost>DreamHost DNS API</dns_dreamhost>
-                        <dns_duckdns>DuckDNS API</dns_duckdns>
-                        <dns_dyn>Dyn Managed DNS API</dns_dyn>
-                        <dns_dynu>Dynu API</dns_dynu>
-                        <dns_dynv6>dynv6 HTTP API</dns_dynv6>
+                        <dns_azure>Azure DNS</dns_azure>
+                        <dns_cloudns>ClouDNS</dns_cloudns>
+                        <dns_cf>CloudFlare.com</dns_cf>
+                        <dns_cx>CloudXNS.com</dns_cx>
+                        <dns_cn>Core-Networks</dns_cn>
+                        <dns_cpanel>cPanel</dns_cpanel>
+                        <dns_cyon>cyon.ch</dns_cyon>
+                        <dns_ddnss>DDNSS</dns_ddnss>
+                        <dns_desec>deSEC.io</dns_desec>
+                        <dns_dgon>DigitalOcean</dns_dgon>
+                        <dns_da>DirectAdmin</dns_da>
+                        <dns_dnsimple>DNSimple</dns_dnsimple>
+                        <dns_domeneshop>Domeneshop</dns_domeneshop>
+                        <dns_me>DNSMadeEasy.com</dns_me>
+                        <dns_dp>DNSPod.cn</dns_dp>
+                        <dns_doapi>Domain-Offensive LetsEncrypt</dns_doapi>
+                        <dns_do>Domain-Offensive Resellerinterface/Domainrobot</dns_do>
+                        <dns_dreamhost>DreamHost</dns_dreamhost>
+                        <dns_duckdns>DuckDNS</dns_duckdns>
+                        <dns_dyn>Dyn Managed</dns_dyn>
+                        <dns_dynu>Dynu</dns_dynu>
+                        <dns_dynv6>dynv6</dns_dynv6>
                         <dns_euserv>EUserv</dns_euserv>
-                        <dns_freedns>FreeDNS API</dns_freedns>
-                        <dns_gandi_livedns>Gandi LiveDNS API</dns_gandi_livedns>
-                        <dns_gd>GoDaddy.com API</dns_gd>
-                        <dns_gcloud>Google Cloud DNS API</dns_gcloud>
+                        <dns_freedns>FreeDNS</dns_freedns>
+                        <dns_gandi_livedns>Gandi LiveDNS</dns_gandi_livedns>
+                        <dns_gd>GoDaddy.com</dns_gd>
+                        <dns_gcloud>Google Cloud DNS</dns_gcloud>
                         <dns_gdnsdk>GratisDNS.dk</dns_gdnsdk>
-                        <dns_hetzner>Hetzner DNS API</dns_hetzner>
-                        <dns_hexonet>hexonet.com DNS API</dns_hexonet>
-                        <dns_hostingde>hosting.de API</dns_hostingde>
+                        <dns_hetzner>Hetzner</dns_hetzner>
+                        <dns_hexonet>hexonet.com</dns_hexonet>
+                        <dns_hostingde>hosting.de</dns_hostingde>
                         <dns_he>Hurricane Electric</dns_he>
-                        <dns_infoblox>Infoblox API</dns_infoblox>
-                        <dns_infomaniak>Infomaniak API</dns_infomaniak>
-                        <dns_inwx>INWX XMLRPC API</dns_inwx>
-                        <dns_ionos>IONOS domain API</dns_ionos>
-                        <dns_ispconfig>ISPConfig 3.1+ API</dns_ispconfig>
-                        <dns_joker>Joker API</dns_joker>
-                        <dns_kinghost>KingHost DNS API</dns_kinghost>
-                        <dns_knot>Knot (knsupdate) DNS API</dns_knot>
-                        <dns_leaseweb>LeaseWeb API</dns_leaseweb>
-                        <dns_lexicon>lexicon DNS API</dns_lexicon>
-                        <dns_linode>Linode API (v3 / Deprecated)</dns_linode>
-                        <dns_linode_v4>Linode API (v4)</dns_linode_v4>
-                        <dns_loopia>Loopia API</dns_loopia>
-                        <dns_lua>LuaDNS.com API</dns_lua>
-                        <dns_miab>MailinaBox API</dns_miab>
-                        <dns_namecom>Name.com API</dns_namecom>
-                        <dns_namecheap>Namecheap API</dns_namecheap>
-                        <dns_namesilo>Namesilo.com API</dns_namesilo>
-                        <dns_nederhost>Nederhost API</dns_nederhost>
-                        <dns_netcup>netcup DNS API</dns_netcup>
-                        <dns_njalla>Njalla API</dns_njalla>
-                        <dns_nsone>NS1.com API</dns_nsone>
+                        <dns_infoblox>Infoblox</dns_infoblox>
+                        <dns_infomaniak>Infomaniak</dns_infomaniak>
+                        <dns_inwx>INWX XMLRPC</dns_inwx>
+                        <dns_ionos>IONOS domain</dns_ionos>
+                        <dns_ispconfig>ISPConfig 3.1+</dns_ispconfig>
+                        <dns_joker>Joker</dns_joker>
+                        <dns_kinghost>KingHost</dns_kinghost>
+                        <dns_knot>Knot (knsupdate)</dns_knot>
+                        <dns_leaseweb>LeaseWeb</dns_leaseweb>
+                        <dns_lexicon>lexicon</dns_lexicon>
+                        <dns_linode>Linode (v3 / Deprecated)</dns_linode>
+                        <dns_linode_v4>Linode (v4)</dns_linode_v4>
+                        <dns_loopia>Loopia</dns_loopia>
+                        <dns_lua>LuaDNS.com</dns_lua>
+                        <dns_miab>MailinaBox</dns_miab>
+                        <dns_namecom>Name.com</dns_namecom>
+                        <dns_namecheap>Namecheap</dns_namecheap>
+                        <dns_namesilo>Namesilo.com</dns_namesilo>
+                        <dns_nederhost>Nederhost</dns_nederhost>
+                        <dns_netcup>netcup</dns_netcup>
+                        <dns_njalla>Njalla</dns_njalla>
+                        <dns_nsone>NS1.com</dns_nsone>
                         <dns_nsupdate>nsupdate (RFC 2136)</dns_nsupdate>
                         <dns_opnsense>OPNsense BIND Plugin</dns_opnsense>
-                        <dns_ovh>OVH, kimsufi, soyoustart and runabove API</dns_ovh>
-                        <dns_pdns>PowerDNS.com API</dns_pdns>
-                        <dns_pleskxml>Plesk XML API</dns_pleskxml>
-                        <dns_porkbun>Porkbun API</dns_porkbun>
+                        <dns_ovh>OVH, kimsufi, soyoustart and runabove</dns_ovh>
+                        <dns_pdns>PowerDNS.com</dns_pdns>
+                        <dns_pleskxml>Plesk</dns_pleskxml>
+                        <dns_porkbun>Porkbun</dns_porkbun>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
-                        <dns_selectel>selectel.com / selectel.ru domain API</dns_selectel>
-                        <dns_selfhost>Selfhost API</dns_selfhost>
-                        <dns_servercow>Servercow API v1</dns_servercow>
-                        <dns_simply>Simply.com API</dns_simply>
-                        <dns_transip>Transip API</dns_transip>
-                        <dns_unoeuro>UnoEuro API</dns_unoeuro>
-                        <dns_variomedia>Variomedia.de API</dns_variomedia>
-                        <dns_vscale>Vscale API</dns_vscale>
-                        <dns_vultr>Vultr API</dns_vultr>
-                        <dns_yandex>Yandex PDD API</dns_yandex>
-                        <dns_zilore>Zilore DNS API</dns_zilore>
-                        <dns_zone>Zone.eu API</dns_zone>
-                        <dns_zonomi>zonomi.com domain API</dns_zonomi>
+                        <dns_selectel>selectel.com / selectel.ru</dns_selectel>
+                        <dns_selfhost>Selfhost</dns_selfhost>
+                        <dns_servercow>Servercow</dns_servercow>
+                        <dns_simply>Simply.com</dns_simply>
+                        <dns_transip>Transip</dns_transip>
+                        <dns_unoeuro>UnoEuro</dns_unoeuro>
+                        <dns_variomedia>Variomedia.de</dns_variomedia>
+                        <dns_vscale>Vscale</dns_vscale>
+                        <dns_vultr>Vultr</dns_vultr>
+                        <dns_yandex>Yandex PDD</dns_yandex>
+                        <dns_zilore>Zilore</dns_zilore>
+                        <dns_zone>Zone.eu</dns_zone>
+                        <dns_zonomi>zonomi.com</dns_zonomi>
                     </OptionValues>
                 </dns_service>
                 <dns_sleep type="IntegerField">
@@ -725,67 +725,67 @@
                     <Required>N</Required>
                     <default>cloudflare</default>
                     <OptionValues>
-                        <aliyun>Aliyun.com API</aliyun>
-                        <aurora>AuroraDNS API</aurora>
+                        <aliyun>Aliyun.com</aliyun>
+                        <aurora>AuroraDNS</aurora>
                         <auto>Auto API</auto>
-                        <azure>Azure DNS API</azure>
-                        <cloudflare>CloudFlare API</cloudflare>
-                        <cloudns>ClouDNS API</cloudns>
-                        <cloudxns>CloudXNS API</cloudxns>
-                        <conoha>ConoHa API</conoha>
-                        <constellix>Constellix API</constellix>
-                        <digitalocean>DigitalOcean API</digitalocean>
-                        <dinahosting>Dinahosting API</dinahosting>
-                        <directadmin>DirectAdmin API</directadmin>
-                        <dnsimple>DNSimple API</dnsimple>
-                        <dnsmadeeasy>DnsMadeEasy API</dnsmadeeasy>
-                        <dnspark>DNSPark API</dnspark>
-                        <dnspod>DNSPod API</dnspod>
-                        <dreamhost>Dreamhost API</dreamhost>
-                        <easydns>EasyDNS API</easydns>
-                        <easyname>Easyname API</easyname>
-                        <exoscale>ExoScale API</exoscale>
-                        <gandi>Gandi API</gandi>
-                        <gehirn>Gehirn API</gehirn>
-                        <glesys>Glesys API</glesys>
-                        <godaddy>GoDaddy API</godaddy>
-                        <googleclouddns>Google Cloud DNS API</googleclouddns>
-                        <gratisdns>GratisDNS API</gratisdns>
-                        <henet>Hurricane Electric DNS API</henet>
-                        <hetzner>Hetzner API</hetzner>
-                        <hover>Hover API</hover>
-                        <infoblox>Infoblox API</infoblox>
-                        <internetbs>Internet.bs API</internetbs>
-                        <inwx>INWX API</inwx>
-                        <linode>Linode API</linode>
-                        <linode4>Linode v4 API</linode4>
-                        <localzone>Localzone API</localzone>
-                        <luadns>LuaDNS API</luadns>
-                        <memset>Memset API</memset>
-                        <namecheap>Namecheap API</namecheap>
-                        <namesilo>Namesilo API</namesilo>
-                        <netcup>Netcup API</netcup>
-                        <nfsn>NFSN API</nfsn>
-                        <nsone>NS1 API</nsone>
-                        <onapp>OnApp API</onapp>
-                        <online>Online API</online>
-                        <ovh>OVH API</ovh>
-                        <plesk>Plesk API</plesk>
-                        <pointhq>PointHQ API</pointhq>
-                        <powerdns>PowerDNS API</powerdns>
-                        <rackspace>Rackspace API</rackspace>
-                        <rage4>Rage4 API</rage4>
-                        <route53>Route 53 API</route53>
-                        <safedns>SafeDNS API</safedns>
-                        <sakuracloud>SakuraCloud API</sakuracloud>
-                        <softlayer>Softlayer API</softlayer>
-                        <subreg>Subreg API</subreg>
-                        <transip>Transip API</transip>
-                        <vultr>Vultr API</vultr>
-                        <yandex>Yandex API</yandex>
-                        <zeit>Zeit API</zeit>
-                        <zilore>Zilore API</zilore>
-                        <zonomi>Zonomi API</zonomi>
+                        <azure>Azure</azure>
+                        <cloudflare>CloudFlare</cloudflare>
+                        <cloudns>ClouDNS</cloudns>
+                        <cloudxns>CloudXNS</cloudxns>
+                        <conoha>ConoHa</conoha>
+                        <constellix>Constellix</constellix>
+                        <digitalocean>DigitalOcean</digitalocean>
+                        <dinahosting>Dinahosting</dinahosting>
+                        <directadmin>DirectAdmin</directadmin>
+                        <dnsimple>DNSimple</dnsimple>
+                        <dnsmadeeasy>DnsMadeEasy</dnsmadeeasy>
+                        <dnspark>DNSPark</dnspark>
+                        <dnspod>DNSPod</dnspod>
+                        <dreamhost>Dreamhost</dreamhost>
+                        <easydns>EasyDNS</easydns>
+                        <easyname>Easyname</easyname>
+                        <exoscale>ExoScale</exoscale>
+                        <gandi>Gandi</gandi>
+                        <gehirn>Gehirn</gehirn>
+                        <glesys>Glesys</glesys>
+                        <godaddy>GoDaddy</godaddy>
+                        <googleclouddns>Google Cloud</googleclouddns>
+                        <gratisdns>GratisDNS</gratisdns>
+                        <henet>Hurricane Electric</henet>
+                        <hetzner>Hetzner</hetzner>
+                        <hover>Hover</hover>
+                        <infoblox>Infoblox</infoblox>
+                        <internetbs>Internet.bs</internetbs>
+                        <inwx>INWX</inwx>
+                        <linode>Linode (v3 / Deprecated)</linode>
+                        <linode4>Linode (v4)</linode4>
+                        <localzone>Localzone</localzone>
+                        <luadns>LuaDNS</luadns>
+                        <memset>Memset</memset>
+                        <namecheap>Namecheap</namecheap>
+                        <namesilo>Namesilo</namesilo>
+                        <netcup>Netcup</netcup>
+                        <nfsn>NFSN</nfsn>
+                        <nsone>NS1</nsone>
+                        <onapp>OnApp</onapp>
+                        <online>Online</online>
+                        <ovh>OVH</ovh>
+                        <plesk>Plesk</plesk>
+                        <pointhq>PointHQ</pointhq>
+                        <powerdns>PowerDNS</powerdns>
+                        <rackspace>Rackspace</rackspace>
+                        <rage4>Rage4</rage4>
+                        <route53>Route 53</route53>
+                        <safedns>SafeDNS</safedns>
+                        <sakuracloud>SakuraCloud</sakuracloud>
+                        <softlayer>Softlayer</softlayer>
+                        <subreg>Subreg</subreg>
+                        <transip>Transip</transip>
+                        <vultr>Vultr</vultr>
+                        <yandex>Yandex</yandex>
+                        <zeit>Zeit</zeit>
+                        <zilore>Zilore</zilore>
+                        <zonomi>Zonomi</zonomi>
                     </OptionValues>
                 </dns_lexicon_provider>
                 <dns_lexicon_user type="TextField">

From f7a9483bc1b0c5cc38f8cd3162c83be925ab6501 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 27 Jul 2022 16:51:27 +0200
Subject: [PATCH 1110/3088] security/acme-client: support uploading certificate
 to Vault, closes #2796

---
 security/acme-client/pkg-descr                |  7 +--
 .../AcmeClient/forms/dialogAction.xml         | 23 +++++++++
 .../AcmeClient/LeAutomation/AcmeVault.php     | 51 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 15 ++++++
 4 files changed, 93 insertions(+), 3 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 80eefd1933..63960dbe01 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -11,9 +11,10 @@ Plugin Changelog
 3.12
 
 Added:
-* Add Simply.com DNS API (#2888)
-* Add Active24 challenge type (#3049)
-* Add support for Zone ID in Cloudflare challenge type (#2973)
+* add Simply.com DNS API (#2888)
+* add Active24 challenge type (#3049)
+* add support for Zone ID in Cloudflare challenge type (#2973)
+* new automation: upload certificate to Vault (#2796)
 
 Fixed:
 * Re-order function parameters due to PHP8 deprecation notice (#3043)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index d3ecd46644..45544272c1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -274,4 +274,27 @@
         <type>text</type>
         <help>Path to the Unifi keystore file in the local filesystem, i.e. /usr/local/share/java/unifi/data/keystore.</help>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_vault</style>
+    </field>
+    <field>
+        <id>action.acme_vault_url</id>
+        <label>Vault URL</label>
+        <type>text</type>
+        <help>URL of the Vault, i.e. http://vault.example.com:8200.</help>
+    </field>
+    <field>
+        <id>action.acme_vault_prefix</id>
+        <label>Vault Prefix</label>
+        <type>text</type>
+        <help>This specifies the prefix path in Vault.</help>
+    </field>
+    <field>
+        <id>action.acme_vault_kvv2</id>
+        <label>Use KV v2</label>
+        <type>checkbox</type>
+        <help>If checked version 2 of the kv store will be used, otherwise version 1.</help>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php
new file mode 100644
index 0000000000..3eab03d75d
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php
@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook vault 
+ * @package OPNsense\AcmeClient
+ */
+class AcmeVault extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['VAULT_ADDR'] = (string)$this->config->acme_vault_url;
+        if (!empty((string)$this->config->acme_vault_prefix)) {
+            $this->acme_env['VAULT_PREFIX'] = (string)$this->config->acme_vault_prefix;
+        }
+        if ((string)$this->config->acme_vault_kvv2 == 1) {
+            $this->acme_env['VAULT_KV_V2'] = 1;
+        }
+        $this->acme_args[] = '--deploy-hook vault';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index c5c7c4a979..b1fef123b4 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1129,6 +1129,7 @@
                         <configd_upload_sftp>Upload certificate via SFTP</configd_upload_sftp>
                         <configd_remote_ssh>Remote Command via SSH</configd_remote_ssh>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
+                        <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
                         <acme_unifi>Update local Unifi keystore</acme_unifi>
                         <configd_generic>System or Plugin Command</configd_generic>
@@ -1325,6 +1326,20 @@
                     <default>/usr/local/share/java/unifi/data/keystore</default>
                     <Required>N</Required>
                 </acme_unifi_keystore>
+                <acme_vault_url type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_vault_url>
+                <acme_vault_prefix type="TextField">
+                    <default>acme</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_vault_prefix>
+                <acme_vault_kvv2 type="BooleanField">
+                    <default>1</default>
+                </acme_vault_kvv2>
             </action>
         </actions>
     </items>

From 461787e0a6382f7ed533912e2ef9ade9e36b9242 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 27 Jul 2022 16:59:05 +0200
Subject: [PATCH 1111/3088] security/acme-client: relax port number
 restriction, closes #3005

---
 security/acme-client/pkg-descr                            | 1 +
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml     | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 63960dbe01..8dab891226 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -21,6 +21,7 @@ Fixed:
 
 Changed:
 * simplyfi DNS service names
+* relax port number restriction in SSH/SFTP automations (#3005)
 
 3.11
 
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b1fef123b4..9ed293b83f 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1160,9 +1160,9 @@
                 <sftp_port type="IntegerField">
                     <Required>N</Required>
                     <MinimumValue>1</MinimumValue>
-                    <MaximumValue>49151</MaximumValue>
+                    <MaximumValue>65535</MaximumValue>
                     <default>22</default>
-                    <ValidationMessage>Should be a valid port number between 1 and 49151.</ValidationMessage>
+                    <ValidationMessage>Should be a valid port number between 1 and 65535.</ValidationMessage>
                 </sftp_port>
                 <sftp_user type="TextField">
                     <Required>N</Required>
@@ -1236,9 +1236,9 @@
                 <remote_ssh_port type="IntegerField">
                     <Required>N</Required>
                     <MinimumValue>1</MinimumValue>
-                    <MaximumValue>49151</MaximumValue>
+                    <MaximumValue>65535</MaximumValue>
                     <default>22</default>
-                    <ValidationMessage>Should be a valid port number between 1 and 49151.</ValidationMessage>
+                    <ValidationMessage>Should be a valid port number between 1 and 65535.</ValidationMessage>
                 </remote_ssh_port>
                 <remote_ssh_user type="TextField">
                     <Required>N</Required>

From 692cc8d3e783552f9ad942d38d06cde866d91707 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed, 27 Jul 2022 22:49:28 +0300
Subject: [PATCH 1112/3088] www/nginx: tls fingerprints rfc8701 compat. (#3018)

* typo

* rfc8701

* rfc8701

* includes

* version bump

* ignore SCSVs (rfc5746 and rfc7507)

* add http_post hook

so we can add maps if needed

* Update pkg-descr
---
 www/nginx/Makefile                            |  3 +-
 www/nginx/pkg-descr                           |  7 +++++
 .../opnsense/scripts/nginx/ngx_functions.js   | 26 +++++++++++++----
 .../src/opnsense/scripts/nginx/setup.php      |  2 +-
 .../scripts/nginx/tls_ua_fingerprint.php      | 28 +++++++++++++------
 .../templates/OPNsense/Nginx/http.conf        |  2 ++
 6 files changed, 52 insertions(+), 16 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 14fe6e55ea..1f80edd56b 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.28
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.29
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 697dfaafe4..e623b03e42 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,13 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.29
+
+* fixed a typo in the trusted tls fingerprints db creation part of setup.php
+* rfc5746, rfc7507 and rfc8701 are taken into account on compiling and comparing tls fingerprints
+* the reason for scoring the connection as intercepted is added to the X-TLS-Client-Intercepted header. check backend settings if using this feature
+* http_post hook added to be able to map global variables
+
 1.28
 
 * add support for connect-src and worker-src in content security policy
diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_functions.js b/www/nginx/src/opnsense/scripts/nginx/ngx_functions.js
index 3acd7d9dbc..bdfdbbbcb7 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_functions.js
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_functions.js
@@ -1,13 +1,17 @@
 var fs = require('fs');
 var tls_fingerprints = JSON.parse(fs.readFileSync('/usr/local/etc/nginx/tls_fingerprints.json'));
+// ignore GREASE cipher suite values when compiling a browser fingerprint (see rfc8701)
+const GREASE = ["0x0a0a", "0x1a1a", "0x2a2a", "0x3a3a", "0x4a4a", "0x5a5a", "0x6a6a", "0x7a7a", "0x8a8a", "0x9a9a", "0xaaaa", "0xbaba", "0xcaca", "0xdada", "0xeaea", "0xfafa"];
+// ignore SCSV cipher suite values when compiling a browser fingerprint (see rfc5746 and rfc7507)
+const SCSV = ["TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"];
 
 function check_cipher_array(r, browser_ciphers, fingerprint_ciphers, result) {
-  if (result.status == 'Intercepted') {
+  if (result.status.includes('Intercepted')) {
     return;
   }
   if (browser_ciphers.length > fingerprint_ciphers.length) {
-    // the proxy supports more cipers than the browser -> intercepted
-    result.status = "Intercepted";
+    // the proxy supports more ciphers than the browser -> intercepted
+    result.status = "Intercepted; Reason=\"excess suite\"";
     return;
   }
   var browser_cipher;
@@ -18,9 +22,9 @@ function check_cipher_array(r, browser_ciphers, fingerprint_ciphers, result) {
     browser_cipher = browser_ciphers[browser_cipher_index];
     current_index = fingerprint_ciphers.indexOf(browser_cipher);
     if (current_index === -1 || current_index <= last_index) {
-      // a cipher has been found, which is not supported by the browser
+      // a cipher has been found, which is not supported by the browser or order of preference changed
       // such a connection is definitly intercepted
-      result.status = "Intercepted";
+      result.status = "Intercepted; Reason=\"excess suite or wrong order\"";
       return;
     }
     last_index = current_index;
@@ -36,11 +40,23 @@ function check_intercept(r) {
       var ua = r.headersIn['User-Agent'];
       if (ua in tls_fingerprints) {
         var fp = tls_fingerprints[ua];
+        fp.ciphers = fp.ciphers.filter( function( el ) {
+          return ((GREASE.indexOf( el ) < 0) && (SCSV.indexOf( el ) < 0));
+        } );
+        fp.curves = fp.curves.filter( function( el ) {
+          return GREASE.indexOf( el ) < 0;
+        } );
         var browser_ciphers = r.variables.ssl_ciphers.split(':');
+        browser_ciphers = browser_ciphers.filter( function( el ) {
+          return ((GREASE.indexOf( el ) < 0) && (SCSV.indexOf( el ) < 0));
+        } );
         check_cipher_array(r, browser_ciphers, fp.ciphers, tls_result);
         if (r.variables.ssl_curves != '')
         {
           var browser_curves = r.variables.ssl_curves.split(':');
+          browser_curves = browser_curves.filter( function( el ) {
+            return GREASE.indexOf( el ) < 0;
+          } );
           check_cipher_array(r, browser_curves, fp.curves, tls_result);
         }
       }
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 849b482572..ce440df371 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -304,7 +304,7 @@ function find_ca($refid)
     if ((string)$tls_fingerprint->trusted == '1') {
         $ciphers = explode(':', (string)$tls_fingerprint->ciphers);
         if (!empty((string)$tls_fingerprint->curves)) {
-            $curves = explode(':', (string)$tls_fingerprint->ciphers);
+            $curves = explode(':', (string)$tls_fingerprint->curves);
         } else {
             $curves = array();
         }
diff --git a/www/nginx/src/opnsense/scripts/nginx/tls_ua_fingerprint.php b/www/nginx/src/opnsense/scripts/nginx/tls_ua_fingerprint.php
index 7ba8f1b16d..89fd7148e6 100755
--- a/www/nginx/src/opnsense/scripts/nginx/tls_ua_fingerprint.php
+++ b/www/nginx/src/opnsense/scripts/nginx/tls_ua_fingerprint.php
@@ -31,13 +31,25 @@
 
 function parse_line($line)
 {
+    // ignore GREASE cipher suite values when compiling a browser fingerprint (see rfc8701)
+    $GREASE = array("0x0a0a", "0x1a1a", "0x2a2a", "0x3a3a", "0x4a4a", "0x5a5a", "0x6a6a", "0x7a7a", "0x8a8a", "0x9a9a", "0xaaaa", "0xbaba", "0xcaca", "0xdada", "0xeaea", "0xfafa");
+    // ignore SCSV cipher suite values when compiling a browser fingerprint (see rfc5746 and rfc7507)
+    $SCSV = array("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV");
     $tmp = explode('"', trim($line));
-    return array(
+    $fp = array(
         'ua' => $tmp[1],
         'ciphers' => $tmp[3],
         'curves' => $tmp[5] == '-' ? '' : $tmp[5],
         'count' => 1
     );
+    // exclude GREASE and SCSV suits from fingerprint
+    $fp_ciphers = explode(':', $fp['ciphers']);
+    $fp_ciphers = array_diff($fp_ciphers, $GREASE, $SCSV);
+    $fp['ciphers'] = implode(':', $fp_ciphers);
+    $fp_curves = explode(':', $fp['curves']);
+    $fp_curves = array_diff($fp_curves, $GREASE);
+    $fp['curves'] = implode(':', $fp_curves);
+    return $fp;
 }
 function filter_ua($key)
 {
@@ -61,13 +73,13 @@ function filter_ua($key)
 $handle = @fopen($tls_logfile, 'r');
 if ($handle) {
     while (($buffer = fgets($handle)) !== false) {
-        $md5line = md5($buffer);
-        if (array_key_exists($md5line, $fingerprints)) {
-            $fingerprints[$md5line]['count']++;
-        } else {
-            $parsed_line = parse_line($buffer);
-            if ($parsed_line['ciphers'] != '-') {
-                $fingerprints[$md5line] = $parsed_line;
+        $parsed_line = parse_line($buffer);
+        if ($parsed_line['ciphers'] != '-') {
+            $md5fp = md5($parsed_line['ua'] . $parsed_line['ciphers'] . $parsed_line['curves']);
+            if (array_key_exists($md5fp, $fingerprints)) {
+                $fingerprints[$md5fp]['count']++;
+            } else {
+                $fingerprints[$md5fp] = $parsed_line;
             }
         }
     }
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 4b4e0886bc..b7655a0542 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -52,6 +52,8 @@ map $http_upgrade $connection_upgrade {
     ''      close;
 }
 
+include http_post/*.conf;
+
 # TODO add when core is ready for allowing nginx to serve the web interface
 # include nginx_web.conf;
 

From ca778bc0d915407526cb99a200ea7d6a6d3ecd6e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 28 Jul 2022 09:03:14 +0200
Subject: [PATCH 1113/3088] LICENSE: sync

---
 LICENSE | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index 60ca98df55..412acf3ee1 100644
--- a/LICENSE
+++ b/LICENSE
@@ -21,7 +21,7 @@ Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2021 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2016 IT-assistans Sverige AB
-Copyright (c) 2021 Jan Winkler
+Copyright (c) 2021-2022 Jan Winkler
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
@@ -37,6 +37,7 @@ Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2021 Nicola Pellegrini
+Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>

From db2e4bcb0610143f6cfa413c86c0c92f80dd3db0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 29 Jul 2022 19:46:11 +0200
Subject: [PATCH 1114/3088] sysutils/git-backup - reference defined git.
 (https://github.com/opnsense/plugins/issues/2994)

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Git.php    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index 461b813fad..ebd43a9876 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -159,10 +159,10 @@ public function backup()
         } else {
             $url = substr($url, 0, $pos + 2) . urlencode((string)$mdl->user) . "@" . substr($url, $pos + 2);
         }
-        exec("cd {$targetdir} && git remote remove origin");
-        exec("cd {$targetdir} && git remote add origin " . escapeshellarg($url));
+        exec("cd {$targetdir} && {$git} remote remove origin");
+        exec("cd {$targetdir} && {$git} remote add origin " . escapeshellarg($url));
         $pushtxt = shell_exec(
-            "(cd {$targetdir} && git push origin " . escapeshellarg("master:{$mdl->branch}") .
+            "(cd {$targetdir} && {$git} push origin " . escapeshellarg("master:{$mdl->branch}") .
             " && echo '__exit_ok__') 2>&1"
         );
         if (strpos($pushtxt, '__exit_ok__')) {

From cc0605386cc4ceacb9b178852acfd19a40a8fb74 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Aug 2022 07:58:27 +0200
Subject: [PATCH 1115/3088] www/nginx: PHP compat

PR: https://www.reddit.com/r/opnsense/comments/wa6xil/comment/iifo8oe/?context=3
---
 www/nginx/src/opnsense/scripts/nginx/setup.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index ce440df371..d54aae63d9 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -228,7 +228,7 @@ function find_ca($refid)
         foreach ($users as $user) {
             $user_node = $nginx->getNodeByReference("credential." . $user);
             $username = (string)$user_node->username;
-            $password = crypt((string)$user_node->password);
+            $password = crypt((string)$user_node->password, '$6$');
             fwrite($file, $username . ':' . $password . "\n");
         }
     } finally {

From e90663d0c334396272611e92b4c6c9c653bf46ab Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Aug 2022 08:00:20 +0200
Subject: [PATCH 1116/3088] www/nginx: also add release note

---
 www/nginx/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index e623b03e42..6983b189f8 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 * rfc5746, rfc7507 and rfc8701 are taken into account on compiling and comparing tls fingerprints
 * the reason for scoring the connection as intercepted is added to the X-TLS-Client-Intercepted header. check backend settings if using this feature
 * http_post hook added to be able to map global variables
+* PHP 8 compatibility for crypt() call
 
 1.28
 

From 9f89264b38a7c1f46ff5fca7e130981469cab265 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Aug 2022 08:08:50 +0200
Subject: [PATCH 1117/3088] net/haproxy: bump revision for fix

---
 net/haproxy/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 56e1e159a7..cf23f5c8f8 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		3.10
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy24
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 5456249102403124223fd0c086e3dc764068d67b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Aug 2022 09:06:06 +0200
Subject: [PATCH 1118/3088] dns/dyndns: duplicated string in translation

---
 dns/dyndns/src/www/services_dyndns_edit.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
index 9eac454d85..3b5d12cb6d 100644
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ b/dns/dyndns/src/www/services_dyndns_edit.php
@@ -444,7 +444,7 @@ function is_dyndns_username($uname)
                         <br />
                         <?= gettext("If you need the new IP to be included in the request, put %IP% in its place.") ?>
                         <br />
-                        <?= gettext("If you need the new Host to be included in the request, put %HOST% in its place.") ?>
+                        <?= gettext("If you need the new host to be included in the request, put %HOST% in its place.") ?>
                         <br />
                         <?= gettext('If you need to include multiple possible values, separate them with a |. If your provider includes a |, escape it with \|') ?>
                         <br />

From 64d3e7fa8108328e19df1423d2ad15a8d74f6c4b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 1 Aug 2022 09:27:19 +0200
Subject: [PATCH 1119/3088] security/maltrail: remove MFS for /var/log/ (#3039)

---
 security/maltrail/Makefile                                    | 2 +-
 security/maltrail/pkg-descr                                   | 4 ++++
 .../service/templates/OPNsense/Maltrail/maltrailsensor        | 1 -
 .../service/templates/OPNsense/Maltrail/maltrailserver        | 1 -
 4 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index 04126919b3..ba46250906 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		maltrail
-PLUGIN_VERSION=		1.8
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index 0bb1e62876..ffaec161d9 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -11,6 +11,10 @@ WWW: https://github.com/stamparm/maltrail
 Changelog
 ---------
 
+1.9
+
+* Remove MFS support for /var/log/
+
 1.8
 
 * Add firewall alias "BlocklistMaltrail" that points to the built-in ip block list
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailsensor b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailsensor
index 0f1dc4832f..6c3ffe4bb3 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailsensor
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailsensor
@@ -4,4 +4,3 @@ maltrailsensor_enable="YES"
 {% else %}
 maltrailsensor_enable="NO"
 {% endif %}
-maltrailsensor_var_mfs="/var/log/maltrail"
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailserver b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailserver
index 12095bdd28..d62c5c9978 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailserver
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailserver
@@ -4,4 +4,3 @@ maltrailserver_enable="YES"
 {% else %}
 maltrailserver_enable="NO"
 {% endif %}
-maltrailserver_var_mfs="/var/log/maltrail"

From 1a4473098b2f1a93e416e03ee6975c3fe63a4948 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 1 Aug 2022 09:27:38 +0200
Subject: [PATCH 1120/3088] net-mgmt/netdata: Remove MFS support for /var/log
 (#3040)

---
 net-mgmt/netdata/Makefile                                     | 2 +-
 net-mgmt/netdata/pkg-descr                                    | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Netdata/netdata   | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/netdata/Makefile b/net-mgmt/netdata/Makefile
index cb657ff660..d3001748f5 100644
--- a/net-mgmt/netdata/Makefile
+++ b/net-mgmt/netdata/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		netdata
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Real-time performance monitoring
 PLUGIN_DEPENDS=		netdata
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/netdata/pkg-descr b/net-mgmt/netdata/pkg-descr
index 3fc3732e14..03ea456d49 100644
--- a/net-mgmt/netdata/pkg-descr
+++ b/net-mgmt/netdata/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://github.com/netdata/netdata
 Plugin Changelog
 ================
 
+1.2
+
+* Remove MFS support for /var/log
+
 1.1
 
 * Allow listening to IPv6 address
diff --git a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
index 5a3766600a..ba325b6f9f 100644
--- a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
+++ b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
@@ -4,4 +4,4 @@ netdata_enable="YES"
 {% else %}
 netdata_enable="NO"
 {% endif %}
-netdata_var_mfs="/var/cache/netdata /var/db/netdata /var/log/netdata"
+netdata_var_mfs="/var/cache/netdata /var/db/netdata"

From 6604664d9007fefecb91e802416a0832fcb82782 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 1 Aug 2022 09:27:54 +0200
Subject: [PATCH 1121/3088] sysutils/munin-node: Remove MFS support for
 /var/log (#3041)

---
 sysutils/munin-node/Makefile                               | 3 +--
 sysutils/munin-node/pkg-descr                              | 7 +++++++
 .../service/templates/OPNsense/Muninnode/munin_node        | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/sysutils/munin-node/Makefile b/sysutils/munin-node/Makefile
index 95702e163b..0248c76819 100644
--- a/sysutils/munin-node/Makefile
+++ b/sysutils/munin-node/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		munin-node
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Munin monitoring agent
 PLUGIN_DEPENDS=		munin-node
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/munin-node/pkg-descr b/sysutils/munin-node/pkg-descr
index 1ac945582d..c5b0937925 100644
--- a/sysutils/munin-node/pkg-descr
+++ b/sysutils/munin-node/pkg-descr
@@ -11,3 +11,10 @@ of creating own "plugins" (graphs).
 This is the node part. It is used on all machines Munin shall watch.
 
 WWW: http://munin-monitoring.org/
+
+Plugin Changelog
+----------------
+
+1.1
+
+* Remove MFS support for /var/log
diff --git a/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node b/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
index ffcc9469ab..893b0f3d8c 100644
--- a/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
+++ b/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
@@ -4,4 +4,4 @@ munin_node_enable="YES"
 {% else %}
 munin_node_enable="NO"
 {% endif %}
-munin_node_var_mfs="/var/cache/munin_node /var/db/munin_node /var/log/munin_node"
+munin_node_var_mfs="/var/cache/munin_node /var/db/munin_node"

From 4c74529f613a28b06f784ed34925e3fefd82d326 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Aug 2022 09:29:17 +0200
Subject: [PATCH 1122/3088] plugins: remove obsolete _var_mfs; closes #3002

---
 .../src/opnsense/service/templates/OPNsense/Netdata/netdata      | 1 -
 .../src/opnsense/service/templates/OPNsense/Chrony/chronyd       | 1 -
 net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng | 1 -
 net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat | 1 -
 .../src/opnsense/service/templates/OPNsense/zerotier/zerotier    | 1 -
 .../src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d | 1 -
 .../src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd  | 1 -
 .../src/opnsense/service/templates/OPNsense/Muninnode/munin_node | 1 -
 8 files changed, 8 deletions(-)

diff --git a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
index ba325b6f9f..18cbcf68c4 100644
--- a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
+++ b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
@@ -4,4 +4,3 @@ netdata_enable="YES"
 {% else %}
 netdata_enable="NO"
 {% endif %}
-netdata_var_mfs="/var/cache/netdata /var/db/netdata"
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd
index 2faa5b55bc..49fffb820e 100644
--- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd
@@ -4,4 +4,3 @@ chronyd_enable="YES"
 {% else %}
 chronyd_enable="NO"
 {% endif %}
-chronyd_var_mfs="/var/db/chronyd /var/run/chronyd"
diff --git a/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng b/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng
index d1077ce1cf..84d4a2dbf2 100644
--- a/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng
+++ b/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng
@@ -5,4 +5,3 @@ ntopng_flags="/usr/local/etc/ntopng.conf"
 {% else %}
 ntopng_enable="NO"
 {% endif %}
-ntopng_var_mfs="/var/db/ntopng"
diff --git a/net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat b/net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat
index 923be6d5eb..c04a95f782 100644
--- a/net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat
+++ b/net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat
@@ -12,4 +12,3 @@ vnstat_additional_ifaces="{{ interfaces|join(' ') }}"
 {% else %}
 vnstat_enable="NO"
 {% endif %}
-vnstat_var_mfs="/var/lib/vnstat"
diff --git a/net/zerotier/src/opnsense/service/templates/OPNsense/zerotier/zerotier b/net/zerotier/src/opnsense/service/templates/OPNsense/zerotier/zerotier
index 78740ebaaf..b7faa41054 100644
--- a/net/zerotier/src/opnsense/service/templates/OPNsense/zerotier/zerotier
+++ b/net/zerotier/src/opnsense/service/templates/OPNsense/zerotier/zerotier
@@ -6,4 +6,3 @@ zerotier_enable="YES"
 {% else %}
 zerotier_enable="NO"
 {% endif %}
-zerotier_var_mfs="/var/db/zerotier-one"
diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
index 41ca3359a6..b43c75151c 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
@@ -6,4 +6,3 @@ acme_http_challenge_var_script="/usr/local/opnsense/scripts/OPNsense/AcmeClient/
 {% else %}
 acme_http_challenge_enable=NO
 {% endif %}
-acme_http_challenge_var_mfs="/var/etc/acme-client"
diff --git a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd
index 271642d42e..f46fa24a25 100644
--- a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd
+++ b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd
@@ -4,4 +4,3 @@ clamav_clamd_enable="YES"
 {% else %}
 clamav_clamd_enable="NO"
 {% endif %}
-clamav_clamd_var_mfs="/var/db/clamav"
diff --git a/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node b/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
index 893b0f3d8c..6c9fc82aa4 100644
--- a/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
+++ b/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
@@ -4,4 +4,3 @@ munin_node_enable="YES"
 {% else %}
 munin_node_enable="NO"
 {% endif %}
-munin_node_var_mfs="/var/cache/munin_node /var/db/munin_node"

From c2184c76a4dda10bd3699eb4054da5454f0e0edd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Aug 2022 08:34:59 +0200
Subject: [PATCH 1123/3088] www/nginx: move to password_hash() as suggested by
 @dabo-devconsole; closes #3063

---
 www/nginx/pkg-descr                            | 2 +-
 www/nginx/src/opnsense/scripts/nginx/setup.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 6983b189f8..9b18e85d6d 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -16,7 +16,7 @@ Plugin Changelog
 * rfc5746, rfc7507 and rfc8701 are taken into account on compiling and comparing tls fingerprints
 * the reason for scoring the connection as intercepted is added to the X-TLS-Client-Intercepted header. check backend settings if using this feature
 * http_post hook added to be able to map global variables
-* PHP 8 compatibility for crypt() call
+* PHP 8 compatibility: change crypt() to password_hash()
 
 1.28
 
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index d54aae63d9..7442501047 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -228,7 +228,7 @@ function find_ca($refid)
         foreach ($users as $user) {
             $user_node = $nginx->getNodeByReference("credential." . $user);
             $username = (string)$user_node->username;
-            $password = crypt((string)$user_node->password, '$6$');
+            $password = password_hash((string)$user_node->password, PASSWORD_DEFAULT);
             fwrite($file, $username . ':' . $password . "\n");
         }
     } finally {

From 64f0ca4390c4e9a8b1bf163c2b722ffc10dd1d66 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Wed, 3 Aug 2022 15:49:20 +0200
Subject: [PATCH 1124/3088] Add udr challenge type

---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsUdr.php        | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsUdr.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 0d6d449c55..0d5997740c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1098,6 +1098,21 @@
         <type>textbox</type>
         <help>Requires the whole key file in a format that is compatible with TransIP.</help>
     </field>
+    <field>
+        <label>united-domains Reselling</label>
+        <type>header</type>
+        <style>table_dns table_dns_udr</style>
+    </field>
+    <field>
+        <id>validation.dns_udr_user</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_udr_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
     <field>
         <label>UnoEuro</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsUdr.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsUdr.php
new file mode 100644
index 0000000000..0fb39e8717
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsUdr.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * udr API
+ * @package OPNsense\AcmeClient
+ */
+class DnsUdr extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['UDR_USER'] = (string)$this->config->dns_udr_user;
+        $this->acme_env['UDR_PASS'] = (string)$this->config->dns_udr_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 9ed293b83f..8796d1a5ee 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -492,6 +492,7 @@
                         <dns_servercow>Servercow</dns_servercow>
                         <dns_simply>Simply.com</dns_simply>
                         <dns_transip>Transip</dns_transip>
+                        <dns_udr>united-domains Reselling</dns_udr>
                         <dns_unoeuro>UnoEuro</dns_unoeuro>
                         <dns_variomedia>Variomedia.de</dns_variomedia>
                         <dns_vscale>Vscale</dns_vscale>
@@ -964,6 +965,12 @@
                 <dns_transip_key type="TextField">
                     <Required>N</Required>
                 </dns_transip_key>
+                <dns_udr_user type="TextField">
+                    <Required>N</Required>
+                </dns_udr_user>
+                <dns_udr_password type="TextField">
+                    <Required>N</Required>
+                </dns_udr_password>
                 <dns_uno_key type="TextField">
                     <Required>N</Required>
                 </dns_uno_key>

From 684715cac90267e42ad56ab149d21f2669a1c229 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 3 Aug 2022 18:16:05 +0200
Subject: [PATCH 1125/3088] security/acme-client: update changelog, refs 3066

---
 security/acme-client/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 8dab891226..6384141a6b 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 Added:
 * add Simply.com DNS API (#2888)
 * add Active24 challenge type (#3049)
+* add united-domains Reselling challenge type (#3066)
 * add support for Zone ID in Cloudflare challenge type (#2973)
 * new automation: upload certificate to Vault (#2796)
 

From 39cd031eecec1996d6ff76131dfdf702fdbfbd5a Mon Sep 17 00:00:00 2001
From: Hobby-Student <6012744+Hobby-Student@users.noreply.github.com>
Date: Thu, 4 Aug 2022 22:59:10 +0200
Subject: [PATCH 1126/3088] update ACME Client KAS by all-inkl.com

---
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml        | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 8796d1a5ee..1c747e49bb 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1073,9 +1073,10 @@
                 </dns_kas_authdata>
                 <dns_kas_authtype type="OptionField">
                     <Required>N</Required>
-                    <default>sha1</default>
+                    <default>plain</default>
                     <OptionValues>
-                        <sha1>SHA1</sha1>
+                        <plain>plain</plain>
+                        <sha1>SHA1 (deprecated in December 2022)</sha1>
                     </OptionValues>
                 </dns_kas_authtype>
                 <dns_desec_token type="TextField">

From a0863f88a83635454134b2811e634bcaacfe0a08 Mon Sep 17 00:00:00 2001
From: Hobby-Student <6012744+Hobby-Student@users.noreply.github.com>
Date: Fri, 5 Aug 2022 09:37:16 +0200
Subject: [PATCH 1127/3088] classify KAS authdata as password

---
 .../controllers/OPNsense/AcmeClient/forms/dialogValidation.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 0d5997740c..696354ec19 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1395,7 +1395,7 @@
     <field>
         <id>validation.dns_kas_authdata</id>
         <label>KAS Authdata</label>
-        <type>text</type>
+        <type>password</type>
     </field>
     <field>
         <id>validation.dns_kas_authtype</id>

From 8dd163fd48e9897acd1ea6ec4cdc0accff2be2a6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Aug 2022 10:52:32 +0200
Subject: [PATCH 1128/3088] net/relayd: phpunit 9 fix

---
 .../mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/relayd/src/opnsense/mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php b/net/relayd/src/opnsense/mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php
index 86cca27199..8df0b737a4 100644
--- a/net/relayd/src/opnsense/mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php
+++ b/net/relayd/src/opnsense/mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php
@@ -40,7 +40,7 @@ class RelaydTest extends \PHPUnit\Framework\TestCase
     // holds the SettingsController object
     protected static $setRelayd;
 
-    public static function setUpBeforeClass()
+    public static function setUpBeforeClass(): void
     {
         self::$setRelayd = new \OPNsense\Relayd\Api\SettingsController();
     }

From 6d864893ee840fb68f0b13dfe7900e1a5a6dbacf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 8 Aug 2022 10:59:48 +0200
Subject: [PATCH 1129/3088] plugins: sync

---
 LICENSE                                                         | 2 +-
 .../app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index 412acf3ee1..336483a1a8 100644
--- a/LICENSE
+++ b/LICENSE
@@ -18,7 +18,7 @@ Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
-Copyright (c) 2016-2021 Frank Wall
+Copyright (c) 2016-2022 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021-2022 Jan Winkler
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php
index 3eab03d75d..7242b58f66 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php
@@ -31,7 +31,7 @@
 use OPNsense\AcmeClient\LeAutomationInterface;
 
 /**
- * Run acme.sh deploy hook vault 
+ * Run acme.sh deploy hook vault
  * @package OPNsense\AcmeClient
  */
 class AcmeVault extends Base implements LeAutomationInterface

From ce1995a5852037ea9b342cde8099ebd659b3fa52 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 8 Aug 2022 11:03:53 +0200
Subject: [PATCH 1130/3088] sysutils/git-backup: bump

---
 sysutils/git-backup/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index da33116f5d..7e83b27164 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		git-backup
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_DEPENDS=		git
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 74d625633bba00495969984190cf59be9b3666dd Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Mon, 8 Aug 2022 11:46:06 +0200
Subject: [PATCH 1131/3088] acme-client: Add Mythic Beasts API for challenge
 types

---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../LeValidation/DnsMythicbeasts.php          | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicbeasts.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 0d5997740c..c92b00098f 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -818,6 +818,21 @@
         <type>text</type>
         <help>MailinaBox Server FQDN</help>
     </field>
+    <field>
+        <label>Mythic Beasts</label>
+        <type>header</type>
+        <style>table_dns table_dns_mythic_beasts</style>
+    </field>
+    <field>
+        <id>validation.dns_mythic_beasts_key</id>
+        <label>Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_mythic_beasts_secret</id>
+        <label>Secret</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Namecheap</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicbeasts.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicbeasts.php
new file mode 100644
index 0000000000..dc1a4d7053
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicbeasts.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Mythic Beasts API
+ * @package OPNsense\AcmeClient
+ */
+class DnsMythicbeasts extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['MB_AK'] = (string)$this->config->dns_mythic_beasts_key;
+        $this->acme_env['MB_AS'] = (string)$this->config->dns_mythic_beasts_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 8796d1a5ee..6cbe74fe80 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -473,6 +473,7 @@
                         <dns_loopia>Loopia</dns_loopia>
                         <dns_lua>LuaDNS.com</dns_lua>
                         <dns_miab>MailinaBox</dns_miab>
+                        <dns_mythic_beasts>Mythic Beasts</dns_mythic_beasts>
                         <dns_namecom>Name.com</dns_namecom>
                         <dns_namecheap>Namecheap</dns_namecheap>
                         <dns_namesilo>Namesilo.com</dns_namesilo>
@@ -832,6 +833,12 @@
                 <dns_me_secret type="TextField">
                     <Required>N</Required>
                 </dns_me_secret>
+                <dns_mythic_beasts_key type="TextField">
+                    <Required>N</Required>
+                </dns_mythic_beasts_key>
+                <dns_mythic_beasts_secret type="TextField">
+                    <Required>N</Required>
+                </dns_mythic_beasts_secret>
                 <dns_namecheap_user type="TextField">
                     <Required>N</Required>
                 </dns_namecheap_user>

From 733f91870fed8ca397279eaac5a7303d4dc50108 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 9 Aug 2022 12:26:43 +0200
Subject: [PATCH 1132/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 86944b5d69..ad0e59696e 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.12
+PLUGIN_VERSION=		3.13
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 6384141a6b..6ce18d780f 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.13
+
+Added:
+* add Mythic Beasts DNS API (#2998)
+
 3.12
 
 Added:

From 1aa3646820a32be84b1cabd0fb945de9e3883deb Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 9 Aug 2022 12:41:48 +0200
Subject: [PATCH 1133/3088] acme-client: Adjust file and class name for Mythic
 Beasts challenge types

---
 .../LeValidation/{DnsMythicbeasts.php => DnsMythicBeasts.php}   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/{DnsMythicbeasts.php => DnsMythicBeasts.php} (96%)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicbeasts.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicBeasts.php
similarity index 96%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicbeasts.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicBeasts.php
index dc1a4d7053..f61b4fa687 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicbeasts.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMythicBeasts.php
@@ -35,7 +35,7 @@
  * Mythic Beasts API
  * @package OPNsense\AcmeClient
  */
-class DnsMythicbeasts extends Base implements LeValidationInterface
+class DnsMythicBeasts extends Base implements LeValidationInterface
 {
     public function prepare()
     {

From 996c01166d3ae26a25d3a2abf6fa812792908248 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 9 Aug 2022 11:34:22 +0200
Subject: [PATCH 1134/3088] net/haproxy: add 2 new cache parameters, closes
 #2908

---
 .../OPNsense/HAProxy/forms/generalCache.xml          | 12 ++++++++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml      | 10 ++++++++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf  |  8 ++++++++
 3 files changed, 30 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalCache.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalCache.xml
index d9fd948b39..b38486734b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalCache.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalCache.xml
@@ -27,4 +27,16 @@
         <type>text</type>
         <help><![CDATA[Define the maximum size of the objects to be cached. Must not be greater than an half of the maximum size of the cache. If not set, it equals to a 256th of the cache size. All objects with sizes larger than this value will not be cached.]]></help>
     </field>
+    <field>
+        <id>haproxy.general.cache.processVary</id>
+        <label>Process vary enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable or disable the processing of the Vary header. When disabled, a response containing such a header will never be cached.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.cache.maxSecondaryEntries</id>
+        <label>Maximum Number of secondary entries</label>
+        <type>text</type>
+        <help><![CDATA[To add this cache parameter Vary support needs to be enabled. Define the maximum number of simultaneous secondary entries with the same primary key in the cache. Its default value is 10 and should be passed a strictly positive integer.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index e24826e1ee..cb38652471 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -402,6 +402,16 @@
                     <Required>N</Required>
                     <ValidationMessage>Please specify a value between 1 and 2146435072.</ValidationMessage>
                 </maxObjectSize>
+                <processVary type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </processVary>
+                <maxSecondaryEntries type="IntegerField">
+                    <default>10</default>
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>Please specify a positive integer value.</ValidationMessage>
+                </maxSecondaryEntries>
             </cache>
         </general>
         <frontends>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 34862fb13f..be90eff14a 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1062,6 +1062,14 @@ cache opnsense-haproxy-cache
 {%   if OPNsense.HAProxy.general.cache.maxObjectSize|default("") != "" %}
     max-object-size {{OPNsense.HAProxy.general.cache.maxObjectSize}}
 {%   endif %}
+{%   if OPNsense.HAProxy.general.cache.processVary|default("") == "1" %}
+    process-vary on
+  {%   if OPNsense.HAProxy.general.cache.maxSecondaryEntries|default("") != "" %}
+    max-secondary-entries {{OPNsense.HAProxy.general.cache.maxSecondaryEntries}}
+  {%   endif %}
+{%   else %}
+    process-vary off
+{%   endif %}
 {%- endif -%}
 
 {# ############################### #}

From 48abe360bbfb729e9531596c57a77af7d5a32067 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 9 Aug 2022 15:21:23 +0200
Subject: [PATCH 1135/3088] net/haproxy: bump version

---
 net/haproxy/Makefile  | 3 +--
 net/haproxy/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index cf23f5c8f8..d5690280ef 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.10
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		3.11
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy24
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index bf40d39e77..d33a113b13 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.11
+
+Added:
+* add support for cache parameter (#2908)
+
 3.10
 
 WARNING: This release switches to the HAProxy 2.4 release series,

From e2611c0b9f9fd0435a059ed1ad062e223b5f7bb4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 10 Aug 2022 21:03:40 +0200
Subject: [PATCH 1136/3088] net/haproxy: bump model version

---
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index cb38652471..f6baa5c870 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.6.0</version>
+    <version>3.7.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>

From 4546aeb47d62010ea4f8d3e4204b26285be864fe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 12 Aug 2022 22:25:40 +0200
Subject: [PATCH 1137/3088] sysutils/git-backup: switch to passwordarea, closes
 #3070

---
 sysutils/git-backup/Makefile                                    | 2 +-
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Git.php        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 7e83b27164..38c14397b9 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		git-backup
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_DEPENDS=		git
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index ebd43a9876..f402ae3bee 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -68,7 +68,7 @@ public function getConfigurationFields()
            ],
            [
              "name" => "privkey",
-             "type" => "textarea",
+             "type" => "passwordarea",
              "label" => gettext("SSH private key"),
              "help" => gettext("When provided, ssh based authentication will be used."),
              "value" => null

From 2fceec58354937388cc47a7139481fd377a105d7 Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Sun, 14 Aug 2022 16:20:50 +0200
Subject: [PATCH 1138/3088] dns/bind - use separate tables for master and slave
 domains

---
 dns/bind/Makefile                             |   2 +-
 dns/bind/pkg-descr                            |   4 +
 .../OPNsense/Bind/Api/DomainController.php    |  27 +++-
 .../OPNsense/Bind/GeneralController.php       |   3 +-
 ...ain.xml => dialogEditBindMasterDomain.xml} |   0
 .../Bind/forms/dialogEditBindSlaveDomain.xml  |  54 ++++++++
 .../mvc/app/views/OPNsense/Bind/general.volt  | 128 +++++++++++++-----
 7 files changed, 173 insertions(+), 45 deletions(-)
 rename dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/{dialogEditBindDomain.xml => dialogEditBindMasterDomain.xml} (100%)
 create mode 100644 dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 292e24d28d..4631ccc036 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.23
+PLUGIN_VERSION=		1.24
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index c9e9d6e907..57a8283f3c 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -9,6 +9,10 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.24
+
+* Separate tables for master and slave zones in UI (contributed by Patrick M. Hausen and Manuel Faux)
+
 1.23
 
 * Avoid errors with repeated primary servers and keys (contributed by Michael Newton)
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
index df278dc53f..7dc5ef6b1a 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
@@ -39,12 +39,20 @@ class DomainController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'domain';
     protected static $internalModelClass = '\OPNsense\Bind\Domain';
 
-    public function searchDomainAction()
+    public function searchMasterDomainAction()
     {
-        return $this->searchBase('domains.domain', array(
-            "enabled", "type", "masterip", "domainname", "allowtransfer", "allowquery", "ttl",
-            "refresh", "retry", "expire", "negative", "mailadmin", "dnsserver"
-        ));
+        return $this->searchBase('domains.domain',
+            [   "enabled", "type", "domainname", "ttl", "refresh", "retry", "expire", "negative" ],
+            "domainname", function($record){return $record->type->getNodeData()["master"]["selected"] === 1;}
+        );
+    }
+
+    public function searchSlaveDomainAction()
+    {
+        return $this->searchBase('domains.domain',
+            [   "enabled", "type", "domainname", "masterip" ],
+            "domainname", function($record){return $record->type->getNodeData()["slave"]["selected"] === 1;}
+        );
     }
 
     public function getDomainAction($uuid = null)
@@ -53,9 +61,14 @@ public function getDomainAction($uuid = null)
         return $this->getBase('domain', 'domains.domain', $uuid);
     }
 
-    public function addDomainAction($uuid = null)
+    public function addMasterDomainAction($uuid = null)
+    {
+        return $this->addBase('domain', 'domains.domain', ['type' => 'master']);
+    }
+
+    public function addSlaveDomainAction($uuid = null)
     {
-        return $this->addBase('domain', 'domains.domain');
+        return $this->addBase('domain', 'domains.domain', ['type' => 'slave']);
     }
 
     public function delDomainAction($uuid)
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
index 3f0b046b82..132322f190 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
@@ -35,7 +35,8 @@ public function indexAction()
         $this->view->generalForm = $this->getForm("general");
         $this->view->dnsblForm = $this->getForm("dnsbl");
         $this->view->formDialogEditBindAcl = $this->getForm("dialogEditBindAcl");
-        $this->view->formDialogEditBindDomain = $this->getForm("dialogEditBindDomain");
+        $this->view->formDialogEditBindMasterDomain = $this->getForm("dialogEditBindMasterDomain");
+        $this->view->formDialogEditBindSlaveDomain = $this->getForm("dialogEditBindSlaveDomain");
         $this->view->formDialogEditBindRecord = $this->getForm("dialogEditBindRecord");
         $this->view->pick('OPNsense/Bind/general');
     }
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindMasterDomain.xml
similarity index 100%
rename from dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindDomain.xml
rename to dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindMasterDomain.xml
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
new file mode 100644
index 0000000000..52eac8fcb6
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
@@ -0,0 +1,54 @@
+<form>
+    <field>
+        <id>domain.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable this zone.</help>
+    </field>
+    <field>
+        <id>domain.domainname</id>
+        <label>Zone Name</label>
+        <type>text</type>
+        <help>Set the name for this zone. Both forward and reverse zones may be specified, i.e. example.com or 0.168.192.in-addr.arpa.</help>
+    </field>
+    <field>
+        <id>domain.allowtransfer</id>
+        <label>Allow Transfer</label>
+        <type>dropdown</type>
+        <help>Define an ACL where you allow which server can retrieve this zone.</help>
+    </field>
+    <field>
+        <id>domain.allowquery</id>
+        <label>Allow Query</label>
+        <type>dropdown</type>
+        <help>Define an ACL where you allow which client are allowed to query this zone.</help>
+    </field>
+    <field>
+        <id>domain.masterip</id>
+        <label>Master IP</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>Set the IP address of master server when using slave mode.</help>
+    </field>
+    <field>
+        <id>domain.transferkeyalgo</id>
+        <label>Transfer Key Algorithm</label>
+        <type>dropdown</type>
+        <help>Set the authentication algorithm for the TSIG key.</help>
+    </field>
+    <field>
+        <id>domain.transferkey</id>
+        <label>Transfer Key</label>
+        <type>text</type>
+        <help>The TSIG key used to transfer domain data from the master server.</help>
+    </field>
+    <field>
+        <id>domain.allownotifyslave</id>
+        <label>Allow Notfiy</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>A list of allowed IP addresses to receive notifies from.</help>
+    </field>
+</form>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 13e9fb12a6..3eb6b8f0cb 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -32,7 +32,8 @@ POSSIBILITY OF SUCH DAMAGE.
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#dnsbl">{{ lang._('DNSBL') }}</a></li>
     <li><a data-toggle="tab" href="#acls">{{ lang._('ACLs') }}</a></li>
-    <li><a data-toggle="tab" href="#domains">{{ lang._('Zones') }}</a></li>
+    <li><a data-toggle="tab" href="#master-domains">{{ lang._('Master Zones') }}</a></li>
+    <li><a data-toggle="tab" href="#slave-domains">{{ lang._('Slave Zones') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
@@ -83,11 +84,11 @@ POSSIBILITY OF SUCH DAMAGE.
             <br /><br />
         </div>
     </div>
-    <div id="domains" class="tab-pane fade in">
-        <div class="alert alert-warning" role="alert" style="min-height:65px;">
-            <div style="margin-top: 8px;">{{ lang._('Zone management is still in experimental state, use with caution.') }}</div>
+    <div id="master-domains" class="tab-pane fade in">
+        <div class="col-md-12">
+            <h2>{{ lang._('Zones') }}</h2>
         </div>
-        <table id="grid-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindDomain">
+        <table id="grid-master-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindMasterDomain">
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -109,17 +110,16 @@ POSSIBILITY OF SUCH DAMAGE.
                     <td colspan="5"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
         </table>
         <hr/>
-        <div class="col-md-12">
-            <h2>{{ lang._('Records') }}</h2>
-        </div>
-        <div id="record-area">
-            <table id="grid-records" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindRecord">
+        <div id="master-record-area">
+            <div class="col-md-12">
+                <h2>{{ lang._('Records') }}</h2>
+            </div>
+            <table id="grid-master-records" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindRecord">
                 <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -149,14 +149,51 @@ POSSIBILITY OF SUCH DAMAGE.
                 {{ lang._('After changing settings, please remember to apply them with the button below') }}
             </div>
             <hr />
-            <button class="btn btn-primary" id="saveAct_domain" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_domain_progress"></i></button>
+            <button class="btn btn-primary saveAct_domain" type="button"><b>{{ lang._('Save') }}</b> <i class="saveAct_domain_progress"></i></button>
+            <br /><br />
+        </div>
+    </div>
+    <div id="slave-domains" class="tab-pane fade in">
+        <div class="col-md-12">
+            <h2>{{ lang._('Zones') }}</h2>
+        </div>
+        <table id="grid-slave-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindSlaveDomain">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="type" data-type="string" data-visible="true">{{ lang._('Type') }}</th>
+                    <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
+                    <th data-column-id="masterip" data-type="string" data-visible="true">{{ lang._('Master IPs') }}</th>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="5"></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+        <hr/>
+        <div class="col-md-12">
+            <div id="ChangeMessage" class="alert alert-info" style="display: none" role="alert">
+                {{ lang._('After changing settings, please remember to apply them with the button below') }}
+            </div>
+            <hr />
+            <button class="btn btn-primary saveAct_domain" type="button"><b>{{ lang._('Save') }}</b> <i class="saveAct_domain_progress"></i></button>
             <br /><br />
         </div>
     </div>
 </div>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindAcl,'id':'dialogEditBindAcl','label':lang._('Edit ACL')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindDomain,'id':'dialogEditBindDomain','label':lang._('Edit Zone')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindMasterDomain,'id':'dialogEditBindMasterDomain','label':lang._('Edit Master Zone')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindSlaveDomain,'id':'dialogEditBindSlaveDomain','label':lang._('Edit Slave Zone')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindRecord,'id':'dialogEditBindRecord','label':lang._('Edit Record')])}}
 
 <script>
@@ -184,11 +221,12 @@ $( document ).ready(function() {
             'toggle':'/api/bind/acl/toggleAcl/'
         }
     );
-    $("#grid-domains").UIBootgrid({
-        'search':'/api/bind/domain/searchDomain',
+
+    $("#grid-master-domains").UIBootgrid({
+        'search':'/api/bind/domain/searchMasterDomain',
         'get':'/api/bind/domain/getDomain/',
         'set':'/api/bind/domain/setDomain/',
-        'add':'/api/bind/domain/addDomain/',
+        'add':'/api/bind/domain/addMasterDomain/',
         'del':'/api/bind/domain/delDomain/',
         'toggle':'/api/bind/domain/toggleDomain/',
         options:{
@@ -198,17 +236,37 @@ $( document ).ready(function() {
             rowCount: [3,7,14,20,50,100,-1]
         }
     }).on("selected.rs.jquery.bootgrid", function(e, rows) {
-        $("#grid-records").bootgrid('reload');
+        $("#grid-master-records").bootgrid('reload');
     }).on("deselected.rs.jquery.bootgrid", function(e, rows) {
-        $("#grid-records").bootgrid('reload');
+        $("#grid-master-records").bootgrid('reload');
+    }).on("loaded.rs.jquery.bootgrid", function (e) {
+        let ids = $("#grid-master-domains").bootgrid("getCurrentRows");
+        if (ids.length > 0) {
+            $("#grid-master-domains").bootgrid('select', [ids[0].uuid]);
+        }
+    });
+
+    $("#grid-slave-domains").UIBootgrid({
+        'search':'/api/bind/domain/searchSlaveDomain',
+        'get':'/api/bind/domain/getDomain/',
+        'set':'/api/bind/domain/setDomain/',
+        'add':'/api/bind/domain/addSlaveDomain/',
+        'del':'/api/bind/domain/delDomain/',
+        'toggle':'/api/bind/domain/toggleDomain/',
+        options:{
+            selection: false,
+            multiSelect: false,
+            rowSelect: false,
+            rowCount: [7,14,20,50,100,-1]
+        }
     }).on("loaded.rs.jquery.bootgrid", function (e) {
-        let ids = $("#grid-domains").bootgrid("getCurrentRows");
+        let ids = $("#grid-slave-domains").bootgrid("getCurrentRows");
         if (ids.length > 0) {
-            $("#grid-domains").bootgrid('select', [ids[0].uuid]);
+            $("#grid-slave-domains").bootgrid('select', [ids[0].uuid]);
         }
     });
 
-    $("#grid-records").UIBootgrid({
+    $("#grid-master-records").UIBootgrid({
         'search':'/api/bind/record/searchRecord',
         'get':'/api/bind/record/getRecord/',
         'set':'/api/bind/record/setRecord/',
@@ -218,17 +276,17 @@ $( document ).ready(function() {
         options:{
             useRequestHandlerOnGet: true,
             requestHandler: function(request) {
-                let ids = $("#grid-domains").bootgrid("getSelectedRows");
+                let ids = $("#grid-master-domains").bootgrid("getSelectedRows");
                 if (ids.length > 0) {
                     request['domain'] = ids[0];
                     $("#recordAddBtn").show();
                     $("#recordDelBtn").show();
-                    $("#record-area").show();
+                    $("#master-record-area").show();
                 } else {
                     request['domain'] = 'not_found';
                     $("#recordAddBtn").hide();
                     $("#recordDelBtn").hide();
-                    $("#record-area").hide();
+                    $("#master-record-area").hide();
                 }
                 return request;
             }
@@ -267,11 +325,11 @@ $( document ).ready(function() {
         });
     });
 
-    $("#saveAct_domain").click(function(){
-        $("#saveAct_domain_progress").addClass("fa fa-spinner fa-pulse");
+    $(".saveAct_domain").click(function(){
+        $(".saveAct_domain_progress").addClass("fa fa-spinner fa-pulse");
         ajaxCall("/api/bind/service/reconfigure", {}, function(data,status) {
             updateServiceControlUI('bind');
-            $("#saveAct_domain_progress").removeClass("fa fa-spinner fa-pulse");
+            $(".saveAct_domain_progress").removeClass("fa fa-spinner fa-pulse");
         });
     });
 
@@ -283,14 +341,12 @@ $( document ).ready(function() {
         }
     });
 
-    // Hide options that are irrelevant in this context.
-    $('#dialogEditBindDomain').on('shown.bs.modal', function (e) {
-        $("#domain\\.type").change(function(){
-            $(".zone_type").hide();
-            $(".zone_type_"+$(this).val()).show();
-        });
-        $("#domain\\.type").change();
-    })
-
+    // update history on tab state and implement navigation
+    if(window.location.hash != "") {
+        $('a[href="' + window.location.hash + '"]').click()
+    }
+    $('.nav-tabs a').on('shown.bs.tab', function (e) {
+        history.pushState(null, null, e.target.hash);
+    });
 });
 </script>

From cff19744d70a05bf6acb27806b169a0927373279 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 17 Aug 2022 08:03:38 +0200
Subject: [PATCH 1139/3088] dns/bind: style sweep

---
 .../OPNsense/Bind/Api/DomainController.php       | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
index 7dc5ef6b1a..f5b5678db2 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
@@ -41,17 +41,25 @@ class DomainController extends ApiMutableModelControllerBase
 
     public function searchMasterDomainAction()
     {
-        return $this->searchBase('domains.domain',
+        return $this->searchBase(
+            'domains.domain',
             [   "enabled", "type", "domainname", "ttl", "refresh", "retry", "expire", "negative" ],
-            "domainname", function($record){return $record->type->getNodeData()["master"]["selected"] === 1;}
+            "domainname",
+            function ($record) {
+                return $record->type->getNodeData()["master"]["selected"] === 1;
+            }
         );
     }
 
     public function searchSlaveDomainAction()
     {
-        return $this->searchBase('domains.domain',
+        return $this->searchBase(
+            'domains.domain',
             [   "enabled", "type", "domainname", "masterip" ],
-            "domainname", function($record){return $record->type->getNodeData()["slave"]["selected"] === 1;}
+            "domainname",
+            function ($record) {
+                return $record->type->getNodeData()["slave"]["selected"] === 1;
+            }
         );
     }
 

From d6a5fde2f8662dfe56a2e9d137dddddb1b53475d Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Sun, 14 Aug 2022 15:59:23 +0200
Subject: [PATCH 1140/3088] mail/postfix - disable GSSAPI when authenticating
 against smarthost (#3080)

---
 .../src/opnsense/service/templates/OPNsense/Postfix/main.cf      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 7ad6a1c279..5ce384efad 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -157,6 +157,7 @@ relayhost = {{ OPNsense.postfix.general.relayhost }}
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
 smtp_sasl_security_options =
+smtp_sasl_mechanism_filter = !gssapi, !external, static:all
 {% endif %}
 
 {% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}

From b2dc32deec830b080abdc76e2e51e964276c105d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 17 Aug 2022 08:15:28 +0200
Subject: [PATCH 1141/3088] mail/postfix: annotate change

---
 mail/postfix/Makefile  | 2 +-
 mail/postfix/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index d583c2f043..cf53694a3c 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		postfix
 PLUGIN_VERSION=		1.23
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix35
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 518b619e94..6bce690ce3 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.23
 
 * Add support for Opportunistic DANE as SMTP client security level
+* Disable defunct GSSAPI authentication (contributed by Patrick M. Hausen)
 
 1.22
 

From d724f264032bc42336cf4d6f0a146beed61a0411 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 17 Aug 2022 08:30:33 +0200
Subject: [PATCH 1142/3088] make: more stuff from core

---
 Mk/defaults.mk | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 372a645f89..6a22f46206 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -153,3 +153,11 @@ rebase:
 	@git checkout stable/${PLUGIN_ABI}
 	@git rebase -i
 	@git checkout master
+
+log:
+	@git log --stat -p stable/${PLUGIN_ABI}
+
+push:
+	@git checkout stable/${PLUGIN_ABI}
+	@git push
+	@git checkout master

From d01913106f018a2fdb9b0bc23d8288ec477ca7f2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Aug 2022 14:08:02 +0200
Subject: [PATCH 1143/3088] databases/redis: migrate to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 databases/redis/Makefile                                  | 2 +-
 .../opnsense/service/conf/actions.d/actions_redis.conf    | 8 ++++----
 .../src/opnsense/service/templates/OPNsense/Redis/redis   | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/databases/redis/Makefile b/databases/redis/Makefile
index c633518201..badb38f13c 100644
--- a/databases/redis/Makefile
+++ b/databases/redis/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		redis
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Redis DB
 PLUGIN_DEPENDS=		redis
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/databases/redis/src/opnsense/service/conf/actions.d/actions_redis.conf b/databases/redis/src/opnsense/service/conf/actions.d/actions_redis.conf
index f9183fec73..6c388a70f5 100644
--- a/databases/redis/src/opnsense/service/conf/actions.d/actions_redis.conf
+++ b/databases/redis/src/opnsense/service/conf/actions.d/actions_redis.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/redis/setup.sh;/usr/local/etc/rc.d/redis start
+command:/usr/local/etc/rc.d/redis start
 parameters:
 type:script
 message:starting redis
@@ -11,19 +11,19 @@ type:script
 message:stopping redis
 
 [restart]
-command:/usr/local/opnsense/scripts/redis/setup.sh;/usr/local/etc/rc.d/redis restart
+command:/usr/local/etc/rc.d/redis restart
 parameters:
 type:script
 message:restarting redis
 
 [status]
-command:/usr/local/etc/rc.d/redis status;exit 0
+command:/usr/local/etc/rc.d/redis status; exit 0
 parameters:
 type:script_output
 message:request redis status
 
 [resetdb]
-command:/usr/local/etc/rc.d/redis stop;rm -rf /var/db/redis
+command:/usr/local/etc/rc.d/redis stop; rm -rf /var/db/redis
 parameters:
 type:script
 message:remove all databases
diff --git a/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis b/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis
index 57fe4d2470..2ec3e47a26 100644
--- a/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis
+++ b/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.redis.general.enabled') and OPNsense.redis.general.enabled == '1' %}
-redis_var_script="/usr/local/opnsense/scripts/redis/setup.sh"
+redis_setup="/usr/local/opnsense/scripts/redis/setup.sh"
 redis_enable="YES"
 {% else %}
 redis_enable="NO"

From f41e60318efcb1dd05a878b8cfc58cc81b811147 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Aug 2022 14:10:25 +0200
Subject: [PATCH 1144/3088] dns/bind: migrate to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 dns/bind/Makefile                                         | 1 +
 .../src/opnsense/service/conf/actions.d/actions_bind.conf | 8 ++++----
 .../src/opnsense/service/templates/OPNsense/Bind/named    | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 4631ccc036..a65ef23a52 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.24
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind916
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf b/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
index e272a068fb..d4f93e2577 100644
--- a/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
+++ b/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Bind/setup.sh;/usr/local/etc/rc.d/named start
+command:/usr/local/etc/rc.d/named start
 parameters:
 type:script
 message:starting BIND
@@ -11,13 +11,13 @@ type:script
 message:stopping BIND
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Bind/setup.sh;/usr/local/etc/rc.d/named restart
+command:/usr/local/etc/rc.d/named restart
 parameters:
 type:script
 message:restarting BIND
 
 [status]
-command:/usr/local/etc/rc.d/named status;exit 0
+command:/usr/local/etc/rc.d/named status; exit 0
 parameters:
 type:script_output
 message:request BIND status
@@ -35,7 +35,7 @@ type:script
 message:fetching DNSBLs
 
 [dnsblcron]
-command:/usr/local/opnsense/scripts/OPNsense/Bind/dnsbl.sh;/usr/local/etc/rc.d/named reload
+command:/usr/local/opnsense/scripts/OPNsense/Bind/dnsbl.sh; /usr/local/etc/rc.d/named reload
 parameters:
 type:script
 message:fetching DNSBLs and restart
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named
index 1a4c02a000..34d82fcae3 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named
@@ -1,5 +1,4 @@
 {% if helpers.exists('OPNsense.bind.general.enabled') and OPNsense.bind.general.enabled == '1' %}
-named_var_script="/usr/local/opnsense/scripts/OPNsense/Bind/setup.sh"
 {% if helpers.exists('OPNsense.bind.general.disablev6') and OPNsense.bind.general.disablev6 == '1' %}
 named_flags="-4"
 {% endif %}
@@ -8,6 +7,7 @@ named_flags="-4"
 named_dnsbl="{{ OPNsense.bind.dnsbl.type }}"
 {% endif %}
 {% endif %}
+named_setup="/usr/local/opnsense/scripts/OPNsense/Bind/setup.sh"
 named_enable="YES"
 {% else %}
 named_enable="NO"

From d373e6aadae97a9d876b73fc155c9eeed7cd305a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Aug 2022 14:13:07 +0200
Subject: [PATCH 1145/3088] dns/dnscrypt-proxy: migrate to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 dns/dnscrypt-proxy/Makefile                                 | 1 +
 .../service/conf/actions.d/actions_dnscryptproxy.conf       | 6 +++---
 .../service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 0641d52d1a..ef81bb13e1 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.12
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/conf/actions.d/actions_dnscryptproxy.conf b/dns/dnscrypt-proxy/src/opnsense/service/conf/actions.d/actions_dnscryptproxy.conf
index 3eae8eadb0..ded64e9db8 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/conf/actions.d/actions_dnscryptproxy.conf
+++ b/dns/dnscrypt-proxy/src/opnsense/service/conf/actions.d/actions_dnscryptproxy.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh;/usr/local/etc/rc.d/dnscrypt-proxy start
+command:/usr/local/etc/rc.d/dnscrypt-proxy start
 parameters:
 type:script
 message:starting dnscrypt-proxy
@@ -11,7 +11,7 @@ type:script
 message:stopping dnscrypt-proxy
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh;/usr/local/etc/rc.d/dnscrypt-proxy restart
+command:/usr/local/etc/rc.d/dnscrypt-proxy restart
 parameters:
 type:script
 message:restarting dnscrypt-proxy
@@ -29,7 +29,7 @@ type:script
 message:fetching DNSBLs
 
 [dnsblcron]
-command:/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh;/usr/local/etc/rc.d/dnscrypt-proxy restart
+command:/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh; /usr/local/etc/rc.d/dnscrypt-proxy restart
 parameters:
 type:script
 message:fetching DNSBLs and restart
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy
index 96c051b26a..6dad9e923d 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt_proxy
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.dnscryptproxy.general.enabled') and OPNsense.dnscryptproxy.general.enabled == '1' %}
-dnscrypt_proxy_var_script="/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh"
+dnscrypt_proxy_setup="/usr/local/opnsense/scripts/OPNsense/Dnscryptproxy/setup.sh"
 dnscrypt_proxy_enable="YES"
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.allowprivileged') and OPNsense.dnscryptproxy.general.allowprivileged == '1' %}
 dnscrypt_proxy_suexec="YES"

From 41df3865e61d589b3e12870435b6d14b7d77945e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Aug 2022 14:15:47 +0200
Subject: [PATCH 1146/3088] mail/postfix: migrate to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 mail/postfix/Makefile                                     | 2 +-
 .../opnsense/service/conf/actions.d/actions_postfix.conf  | 8 ++++----
 .../opnsense/service/templates/OPNsense/Postfix/postfix   | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index cf53694a3c..8ffb1be91d 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		postfix
 PLUGIN_VERSION=		1.23
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix35
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/src/opnsense/service/conf/actions.d/actions_postfix.conf b/mail/postfix/src/opnsense/service/conf/actions.d/actions_postfix.conf
index 6fcd216fa5..b88e4e2e65 100644
--- a/mail/postfix/src/opnsense/service/conf/actions.d/actions_postfix.conf
+++ b/mail/postfix/src/opnsense/service/conf/actions.d/actions_postfix.conf
@@ -1,24 +1,24 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Postfix/setup.sh;/usr/local/etc/rc.d/postfix start
+command:/usr/local/etc/rc.d/postfix start
 parameters:
 type:script
 message:starting Postfix
 
 [stop]
-command:/usr/local/etc/rc.d/postfix stop; exit 0
+command:/usr/local/etc/rc.d/postfix stop
 parameters:
 type:script
 message:stopping Postfix
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Postfix/setup.sh;/usr/local/etc/rc.d/postfix restart
+command:/usr/local/etc/rc.d/postfix restart
 parameters:
 type:script
 message:restarting Postfix
 description:Restart Postfix service
 
 [status]
-command:/usr/local/etc/rc.d/postfix status;exit 0
+command:/usr/local/etc/rc.d/postfix status; exit 0
 parameters:
 type:script_output
 message:request Postfix status
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/postfix b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/postfix
index 1d2cfd8551..65720e2cc6 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/postfix
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/postfix
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.postfix.general.enabled') and OPNsense.postfix.general.enabled == '1' %}
-postfix_var_script="/usr/local/opnsense/scripts/OPNsense/Postfix/setup.sh"
+postfix_setup="/usr/local/opnsense/scripts/OPNsense/Postfix/setup.sh"
 postfix_enable="YES"
 {% else %}
 postfix_enable="NO"

From 19daf90ce4f1d57bfefa21703bc60efe9137101d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Aug 2022 14:17:28 +0200
Subject: [PATCH 1147/3088] mail/rspamd: migrate to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 mail/rspamd/Makefile                                      | 1 +
 .../opnsense/service/conf/actions.d/actions_rspamd.conf   | 8 ++++----
 .../src/opnsense/service/templates/OPNsense/Rspamd/rspamd | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index c1f1f8994b..382a18cf22 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		rspamd
 PLUGIN_VERSION=		1.12
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/mail/rspamd/src/opnsense/service/conf/actions.d/actions_rspamd.conf b/mail/rspamd/src/opnsense/service/conf/actions.d/actions_rspamd.conf
index e4711138a0..1d8c575d90 100644
--- a/mail/rspamd/src/opnsense/service/conf/actions.d/actions_rspamd.conf
+++ b/mail/rspamd/src/opnsense/service/conf/actions.d/actions_rspamd.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/opnsense/scripts/rspamd/setup.sh;/usr/local/etc/rc.d/rspamd start
+command:/usr/local/etc/rc.d/rspamd start
 parameters:
 type:script
 message:starting rspamd
 
 [stop]
-command:/usr/local/etc/rc.d/rspamd onestop
+command:/usr/local/etc/rc.d/rspamd stop
 parameters:
 type:script
 message:stopping rspamd
 
 [restart]
-command:/usr/local/opnsense/scripts/rspamd/setup.sh;/usr/local/etc/rc.d/rspamd restart
+command:/usr/local/etc/rc.d/rspamd restart
 parameters:
 type:script
 message:restarting rspamd
 
 [status]
-command:/usr/local/etc/rc.d/rspamd status;exit 0
+command:/usr/local/etc/rc.d/rspamd status; exit 0
 parameters:
 type:script_output
 message:request rspamd status
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/rspamd b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/rspamd
index ca1a5ce4e4..e9cf0d6686 100644
--- a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/rspamd
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/rspamd
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.Rspamd.general.enabled') and OPNsense.Rspamd.general.enabled == '1' %}
-rspamd_var_script="/usr/local/opnsense/scripts/rspamd/setup.sh"
+rspamd_setup="/usr/local/opnsense/scripts/rspamd/setup.sh"
 rspamd_enable="YES"
 {% else %}
 rspamd_enable="NO"

From c67637014e543cdfb58fb548fad615ad55148fbf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Aug 2022 14:23:13 +0200
Subject: [PATCH 1148/3088] emulators/qemu-guest-agent: migrate to NAME_setup
 use

Reload action is not used and restarts anyway.

PR: https://github.com/opnsense/core/issues/5917
---
 emulators/qemu-guest-agent/Makefile                  |  1 +
 .../conf/actions.d/actions_qemuguestagent.conf       | 12 +++---------
 .../templates/OPNsense/QemuGuestAgent/rc.conf.d      |  1 +
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/emulators/qemu-guest-agent/Makefile b/emulators/qemu-guest-agent/Makefile
index ff879738bc..e6b0f8d8c5 100644
--- a/emulators/qemu-guest-agent/Makefile
+++ b/emulators/qemu-guest-agent/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		qemu-guest-agent
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		QEMU Guest Agent for OPNsense
 PLUGIN_DEPENDS=		qemu-guest-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/emulators/qemu-guest-agent/src/opnsense/service/conf/actions.d/actions_qemuguestagent.conf b/emulators/qemu-guest-agent/src/opnsense/service/conf/actions.d/actions_qemuguestagent.conf
index c236540b22..6a24b46a88 100644
--- a/emulators/qemu-guest-agent/src/opnsense/service/conf/actions.d/actions_qemuguestagent.conf
+++ b/emulators/qemu-guest-agent/src/opnsense/service/conf/actions.d/actions_qemuguestagent.conf
@@ -1,23 +1,17 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh; /usr/local/etc/rc.d/qemu-guest-agent start
+command:/usr/local/etc/rc.d/qemu-guest-agent start
 parameters:
 type:script
 message:starting qemu-guest-agent
 
 [stop]
-command:/usr/local/etc/rc.d/qemu-guest-agent stop; exit 0
+command:/usr/local/etc/rc.d/qemu-guest-agent stop
 parameters:
 type:script
 message:stopping qemu-guest-agent
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh; /usr/local/etc/rc.d/qemu-guest-agent restart
-parameters:
-type:script
-message:restarting qemu-guest-agent
-
-[reload]
-command:/usr/local/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh; /usr/local/etc/rc.d/qemu-guest-agent restart
+command:/usr/local/etc/rc.d/qemu-guest-agent restart
 parameters:
 type:script
 message:restarting qemu-guest-agent
diff --git a/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d b/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d
index ea9c80f8ce..301b81ccb2 100644
--- a/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d
+++ b/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d
@@ -8,6 +8,7 @@
 {%   if helpers.exists('OPNsense.QemuGuestAgent.general.DisabledRPCs') and not helpers.empty('OPNsense.QemuGuestAgent.general.DisabledRPCs') %}
 {%     do optional_flags.append('--blacklist=' ~ OPNsense.QemuGuestAgent.general.DisabledRPCs) %}
 {%   endif %}
+qemu_guest_agent_setup="/usr/local/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh"
 qemu_guest_agent_enable="YES"
 qemu_guest_agent_flags="{{optional_flags|join(' ')}}"
 {% else %}

From 9f80395a3bfbc0a09c6d65d3cb0e9a66217e03e5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 19 Aug 2022 07:49:37 +0200
Subject: [PATCH 1149/3088] www/nginx: migrate to NAME_setup use

Restructure the call flow a bit and extract fpm-related bits.

NAME_reload doesn't support NAME_setup in 2.7.2 but soon it will,
which makes it more useful than NAME_prepend.  ;)

PR: https://github.com/opnsense/core/issues/5917
---
 www/nginx/Makefile                            |  1 +
 .../OPNsense/Nginx/Migrations/M1_24_0.php     |  4 ++--
 .../src/opnsense/scripts/nginx/setup.php      |  2 ++
 .../service/conf/actions.d/actions_nginx.conf | 21 +++++++------------
 .../service/templates/OPNsense/Nginx/nginx    |  2 +-
 5 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 1f80edd56b..01ba76a22e 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.29
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
index ef2817157f..1bdb907287 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_24_0.php
@@ -41,7 +41,7 @@ public function run($model)
     {
         $cfgObj = Config::getInstance()->object();
         $ports = array();
-        foreach ($cfgObj->OPNsense->Nginx->http_server as $cfg_http_server) {
+        foreach ($cfgObj->OPNsense->Nginx->http_server ?? [] as $cfg_http_server) {
             $uuid = (string)$cfg_http_server->attributes()['uuid'];
             $ports['http_port'] = (isset($cfg_http_server->listen_http_port) && $cfg_http_server->listen_http_port != '') ? $cfg_http_server->listen_http_port : null;
             $ports['https_port'] = (isset($cfg_http_server->listen_https_port) && $cfg_http_server->listen_https_port != '') ? $cfg_http_server->listen_https_port : null;
@@ -49,7 +49,7 @@ public function run($model)
             $http_server->listen_http_address = (isset($ports['http_port'])) ? $ports['http_port'] . ',[::]:' . $ports['http_port'] : null;
             $http_server->listen_https_address = (isset($ports['https_port'])) ? $ports['https_port'] . ',[::]:' . $ports['https_port'] : null;
         }
-        foreach ($cfgObj->OPNsense->Nginx->stream_server as $cfg_stream_server) {
+        foreach ($cfgObj->OPNsense->Nginx->stream_server ?? [] as $cfg_stream_server) {
             $uuid = (string)$cfg_stream_server->attributes()['uuid'];
             $port = (isset($cfg_stream_server->listen_port) && $cfg_stream_server->listen_port != '') ? $cfg_stream_server->listen_port : null;
             $server = $model->getNodeByReference('stream_server.' . $uuid);
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 7442501047..f700a23e47 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -318,3 +318,5 @@ function find_ca($refid)
     empty($tls_fingerprint_database) ? '{}' :  json_encode($tls_fingerprint_database)
 );
 chmod('/usr/local/etc/nginx/tls_fingerprints.json', 0644);
+
+passthru('/usr/local/etc/rc.d/php-fpm start');
diff --git a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
index ed34d49711..2107624ea9 100644
--- a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
+++ b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/nginx/setup.php;/usr/local/etc/rc.d/php-fpm start;/usr/local/etc/rc.d/nginx start
+command:/usr/local/etc/rc.d/nginx start
 parameters:
 type:script
 message:starting nginx
@@ -11,18 +11,19 @@ type:script
 message:stopping nginx
 
 [restart]
-command:/usr/local/opnsense/scripts/nginx/setup.php;/usr/local/etc/rc.d/php-fpm restart;/usr/local/etc/rc.d/nginx restart
+command:/usr/local/etc/rc.d/nginx restart
 parameters:
 type:script
 message:restarting nginx
 
-[status]
-command:/usr/local/etc/rc.d/nginx status;exit 0
+[reload]
+command:/usr/local/etc/rc.d/nginx reload
 parameters:
-type:script_output
+type:script
+message:reloading nginx
 
-[phpstatus]
-command:/usr/local/etc/rc.d/php-fpm status; exit 0
+[status]
+command:/usr/local/etc/rc.d/nginx status; exit 0
 parameters:
 type:script_output
 
@@ -66,9 +67,3 @@ type:script
 command:/usr/local/opnsense/scripts/nginx/vts.php
 parameters:
 type:script_output
-
-[reload]
-command:/usr/local/opnsense/scripts/nginx/setup.php;/usr/local/etc/rc.d/php-fpm restart;/usr/local/etc/rc.d/nginx reload
-parameters:
-type:script_output
-message:reloading nginx
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx
index 598e6444f4..c80d61e8dd 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx
@@ -1,2 +1,2 @@
+nginx_setup="/usr/local/opnsense/scripts/nginx/setup.php"
 nginx_enable="YES"
-nginx_var_script="/usr/local/opnsense/scripts/nginx/setup.php"

From 1d2b65dcadf2fdeb997ad345eef5a70256b767e7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 19 Aug 2022 08:13:55 +0200
Subject: [PATCH 1150/3088] www/c-icap: migrate to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 www/c-icap/Makefile                                       | 2 +-
 .../opnsense/service/conf/actions.d/actions_cicap.conf    | 8 ++++----
 .../src/opnsense/service/templates/OPNsense/CICAP/c_icap  | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index 9f1fe36abe..095dfd1622 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		c-icap
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/www/c-icap/src/opnsense/service/conf/actions.d/actions_cicap.conf b/www/c-icap/src/opnsense/service/conf/actions.d/actions_cicap.conf
index 0d564d26ad..db3586e14f 100644
--- a/www/c-icap/src/opnsense/service/conf/actions.d/actions_cicap.conf
+++ b/www/c-icap/src/opnsense/service/conf/actions.d/actions_cicap.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/CICAP/setup.sh;/usr/local/etc/rc.d/c-icap start
+command:/usr/local/etc/rc.d/c-icap start
 parameters:
 type:script
 message:starting c-icap
 
 [stop]
-command:/usr/local/etc/rc.d/c-icap stop; exit 0
+command:/usr/local/etc/rc.d/c-icap stop
 parameters:
 type:script
 message:stopping c-icap
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/CICAP/setup.sh;/usr/local/etc/rc.d/c-icap restart
+command:/usr/local/etc/rc.d/c-icap restart
 parameters:
 type:script
 message:restarting c-icap
 
 [status]
-command:/usr/local/etc/rc.d/c-icap status;exit 0
+command:/usr/local/etc/rc.d/c-icap status; exit 0
 parameters:
 type:script_output
 message:request c-icap status
diff --git a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c_icap b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c_icap
index 4be32766df..f8da98c947 100644
--- a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c_icap
+++ b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c_icap
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.cicap.general.enabled') and OPNsense.cicap.general.enabled == '1' %}
-c_icap_var_script="/usr/local/opnsense/scripts/OPNsense/CICAP/setup.sh"
+c_icap_setup="/usr/local/opnsense/scripts/OPNsense/CICAP/setup.sh"
 c_icap_enable="YES"
 {% else %}
 c_icap_enable="NO"

From b867e45c225fe659a22bba3ac9cc25dfc40a99cf Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Mon, 15 Aug 2022 00:59:25 +0100
Subject: [PATCH 1151/3088] Allow specifying multiple PrefixLists and
 CommunityLists

---
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index db890d0544..ca83bc01e3 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -353,8 +353,8 @@
                                                 <display>name</display>
                                         </template>
                                 </Model>
-                                <ValidationMessage>Related item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
+                                <ValidationMessage>Related item PrefixList not found</ValidationMessage>
+                                <Multiple>Y</Multiple>
                                 <Required>N</Required>
                         </match2>
                         <match3 type="ModelRelationField">
@@ -365,8 +365,8 @@
                                                 <display>number</display>
                                         </template>
                                 </Model>
-                                <ValidationMessage>Related item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
+                                <ValidationMessage>Related item CommunityList not found</ValidationMessage>
+                                <Multiple>Y</Multiple>
                                 <Required>N</Required>
                         </match3>
                         <set type="TextField">

From 2c54478a8afa43dfda09f7bfd9b8ef9f42824e9f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 19 Aug 2022 09:23:31 +0200
Subject: [PATCH 1152/3088] net/frr: new version and migrate to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 net/frr/Makefile                                 |  2 +-
 net/frr/pkg-descr                                |  4 ++++
 .../service/conf/actions.d/actions_quagga.conf   | 16 ++++++++--------
 .../service/templates/OPNsense/Quagga/frr        |  2 +-
 4 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index bc203e8c5e..4e59d97dff 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.29
+PLUGIN_VERSION=		1.30
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 6b2d8bd829..3346819b25 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.30
+
+* Allow specifying multiple PrefixLists and CommunityLists (contributed by Patrik Kernstock)
+
 1.29
 
 * Add disable-connected-check option and BGP weight option
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 74e2e7cb2d..8a4c50ce59 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -1,26 +1,26 @@
 [start]
-command:/usr/local/opnsense/scripts/quagga/setup.sh;/usr/local/etc/rc.d/frr start
+command:/usr/local/etc/rc.d/frr start
 parameters:
 type:script
-message:starting quagga
+message:starting frr
 
 [stop]
-command:/usr/local/etc/rc.d/frr stop; exit 0
+command:/usr/local/etc/rc.d/frr stop
 parameters:
 type:script
-message:stopping quagga
+message:stopping frr
 
 [restart]
-command:/usr/local/opnsense/scripts/quagga/setup.sh;/usr/local/etc/rc.d/frr restart
+command:/usr/local/etc/rc.d/frr restart
 parameters:
 type:script
-message:restarting quagga
+message:restarting frr
 
 [status]
-command:/usr/local/etc/rc.d/frr status;exit 0
+command:/usr/local/etc/rc.d/frr status; exit 0
 parameters:
 type:script_output
-message:request quagga
+message:request frr
 
 [diagnostics.general_running-config]
 command:/usr/local/bin/vtysh -c "show running-config"
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index 2b0b291664..d95013c2f3 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.quagga.general.enabled') and OPNsense.quagga.general.enabled == '1' %}
-frr_var_script="/usr/local/opnsense/scripts/quagga/setup.sh"
+frr_setup="/usr/local/opnsense/scripts/quagga/setup.sh"
 frr_enable="YES"
 {% if helpers.exists('OPNsense.quagga.general.enablecarp') and OPNsense.quagga.general.enablecarp == '1' %}
 start_precmd="ifconfig | grep 'carp: MASTER'"

From b742f4b262bb8fd46d0d603a8f8f2044a97e381d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 24 Aug 2022 17:47:38 +0200
Subject: [PATCH 1153/3088] add Zabbix Agent/Proxy 6.2, remove 5.4; fixes #3054

---
 net-mgmt/zabbix-agent/Makefile  | 10 +++++-----
 net-mgmt/zabbix-agent/pkg-descr |  8 ++++++++
 net-mgmt/zabbix-proxy/Makefile  | 10 +++++-----
 net-mgmt/zabbix-proxy/pkg-descr |  5 +++++
 4 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index a4ad113088..70077f04ae 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,15 +1,15 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.12
+PLUGIN_VERSION=		1.13
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix6 zabbix5 zabbix54
+PLUGIN_VARIANTS=	zabbix62 zabbix6 zabbix5
+
+zabbix62_NAME=		zabbix62-agent
+zabbix62_DEPENDS=	zabbix62-agent
 
 zabbix6_NAME=		zabbix6-agent
 zabbix6_DEPENDS=	zabbix6-agent
 
 zabbix5_NAME=		zabbix-agent
 zabbix5_DEPENDS=	zabbix5-agent
-
-zabbix54_NAME=		zabbix54-agent
-zabbix54_DEPENDS=	zabbix54-agent
 .include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 64217f1956..b248584e06 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,14 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.13
+
+Added:
+* Plugin variant for Zabbix Agent 6.2
+
+Removed:
+* Plugin variant for Zabbix Agent 5.4
+
 1.12
 
 Added:
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index e23333467c..84afa28784 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,8 +1,11 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.8
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix6 zabbix5 zabbix54 zabbix4
+PLUGIN_VARIANTS=	zabbix62 zabbix6 zabbix5 zabbix4
+
+zabbix62_NAME=		zabbix62-proxy
+zabbix62_DEPENDS=	zabbix62-proxy
 
 zabbix6_NAME=		zabbix6-proxy
 zabbix6_DEPENDS=	zabbix6-proxy
@@ -10,9 +13,6 @@ zabbix6_DEPENDS=	zabbix6-proxy
 zabbix5_NAME=		zabbix5-proxy
 zabbix5_DEPENDS=	zabbix5-proxy
 
-zabbix54_NAME=		zabbix54-proxy
-zabbix54_DEPENDS=	zabbix54-proxy
-
 zabbix4_NAME=		zabbix4-proxy
 zabbix4_DEPENDS=	zabbix4-proxy
 
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index af6d7f8695..1af3a44a85 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,11 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.9
+
+* Add plugin variant for Zabbix Proxy 6.2
+* Remove plugin variant for Zabbix Proxy 5.4
+
 1.8
 
 * Add EnableRemoteCommands (#2948)

From f489390a9ae9c940f53aaa97a6e853f61bd714c6 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sat, 27 Aug 2022 17:56:13 +0300
Subject: [PATCH 1154/3088] chrooted sockets binding

---
 .../src/opnsense/scripts/OPNsense/HAProxy/setup.sh        | 2 +-
 .../service/templates/OPNsense/HAProxy/haproxy.conf       | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
index 72be06fa62..0e07ab1ba7 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
@@ -5,7 +5,7 @@ if [ -f /etc/rc.conf.d/haproxy ]; then
 fi
 
 # NOTE: Keep /var/haproxy on this list, see GH issue opnsense/plugins #39.
-HAPROXY_DIRS="/var/haproxy /var/haproxy/var/run /tmp/haproxy /tmp/haproxy/ssl /tmp/haproxy/lua /tmp/haproxy/errorfiles /tmp/haproxy/mapfiles /tmp/haproxy/sockets"
+HAPROXY_DIRS="/var/haproxy /var/haproxy/sockets /var/haproxy/var/run /tmp/haproxy /tmp/haproxy/ssl /tmp/haproxy/lua /tmp/haproxy/errorfiles /tmp/haproxy/mapfiles /tmp/haproxy/sockets"
 
 for directory in ${HAPROXY_DIRS}; do
     mkdir -p ${directory}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index be90eff14a..ea00d11a83 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1375,11 +1375,13 @@ frontend {{frontend.name}}
 {%           if unix_bind == "TRUE" %}
 {#             # extract socket name and add full path #}
 {%             set socket_name = bind | regex_replace ("^unix@","") %}
-{%             set bind_address = "unix@/tmp/haproxy/sockets/" ~ socket_name %}
+{%             set bind_address = "/var/haproxy/sockets/" ~ socket_name ~ " user www" %}
+{%             set bind_name = "unix@" ~ socket_name %}
 {%           else %}
 {%             set bind_address = bind %}
+{%             set bind_name = bind %}
 {%           endif %}
-    bind {{bind_address}} name {{bind_address}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %}
+    bind {{bind_address}} name {{bind_name}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %}
 
 {%         endfor %}
 {%       endif %}
@@ -1690,7 +1692,7 @@ backend {{backend.name}}
 {%                   if unix_bind == "TRUE" %}
 {#                     # extract socket name and add full path #}
 {%                     set socket_name = bind | regex_replace ("^unix@","") %}
-{%                     set socket_path = "unix@/tmp/haproxy/sockets/" ~ socket_name %}
+{%                     set socket_path = "/sockets/" ~ socket_name %}
 {%                     do server_basics.append('server ' ~ server_data.name ~ ' ' ~ socket_path) %}
 {#                     # only the first unix socket is considered #}
 {%                     break %}

From af42c4ebf22681077c118f0815374b3b5e45f9d4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 28 Aug 2022 10:18:20 +0200
Subject: [PATCH 1155/3088] dns/ddclient: Description field validation could be
 less strict. closes https://github.com/opnsense/plugins/issues/3095

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index c28271bbe6..8d6a9ade70 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -136,7 +136,7 @@
                 </interface>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+                    <mask>/^(.){1,255}$/u</mask>
                     <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
                 </description>
             </account>

From 86135ce2820387898e6c582b45eb75b5cb1a36a6 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 29 Aug 2022 08:29:55 +0200
Subject: [PATCH 1156/3088] net/wireguard: adjust naming validation (#3102)

---
 net/wireguard/Makefile                                      | 2 +-
 net/wireguard/pkg-descr                                     | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml   | 6 ++++--
 .../opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml   | 6 +++---
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 3e37bd759c..6aa903531e 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.11
+PLUGIN_VERSION=		1.12
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index d5787c5ffb..058ea7ede3 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.12
+
+* Adjust validation for naming local instance and endpoints
+
 1.11
 
 * Add script for renewal of Wireguard DNS-based entries for stale connections (#2956)
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index e547d80bd5..69527a433a 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/wireguard/client</mount>
     <description>Wireguard Client configuration</description>
-    <version>0.0.6</version>
+    <version>0.0.7</version>
     <items>
         <clients>
             <client type="ArrayField">
@@ -9,9 +9,11 @@
                     <default>1</default>
                     <Required>Y</Required>
                 </enabled>
-                <name type="HostnameField">
+                <name type="TextField">
                     <default></default>
                     <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
                 </name>
                 <pubkey type="Base64Field">
                     <Required>Y</Required>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 64d4deb9d3..476091d238 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/wireguard/server</mount>
     <description>Wireguard Server configuration</description>
-    <version>0.0.3</version>
+    <version>0.0.4</version>
     <items>
         <servers>
             <server type="ArrayField">
@@ -12,8 +12,8 @@
                 <name type="TextField">
                     <default></default>
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z]){1,32}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, and A-Z</ValidationMessage>
+                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
                 </name>
                 <instance type="AutoNumberField">
                     <Required>Y</Required>

From f67b03e0fb17841f71aba2c2db98841d6674b35e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Aug 2022 09:50:21 +0200
Subject: [PATCH 1157/3088] net/zerotier: register device from plugin

---
 net/zerotier/Makefile                               | 2 +-
 net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/zerotier/Makefile b/net/zerotier/Makefile
index bc69d92c72..101ec53855 100644
--- a/net/zerotier/Makefile
+++ b/net/zerotier/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		zerotier
 PLUGIN_VERSION=		1.3.2
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Virtual Networks That Just Work
 PLUGIN_DEPENDS=		zerotier
 PLUGIN_MAINTAINER=	dharrigan@gmail.com
diff --git a/net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc b/net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc
index 3f2cd08d1a..b325c637b9 100644
--- a/net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc
+++ b/net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc
@@ -59,3 +59,8 @@ function zerotier_services()
 
     return $services;
 }
+
+function zerotier_devices()
+{
+    return [['pattern' => '^zt', 'volatile' => true]];
+}

From 9ce64d437a45848950c4c18ca1033b7e38fd785b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Aug 2022 09:51:58 +0200
Subject: [PATCH 1158/3088] security/openconnect: register device from plugin

---
 security/openconnect/Makefile                               | 1 +
 .../openconnect/src/etc/inc/plugins.inc.d/openconnect.inc   | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index a7b669daa8..70252a6aa7 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		openconnect
 PLUGIN_VERSION=		1.4.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc b/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
index c14a9d26d1..f8bc4c684c 100644
--- a/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
+++ b/security/openconnect/src/etc/inc/plugins.inc.d/openconnect.inc
@@ -53,7 +53,6 @@ function openconnect_services()
     return $services;
 }
 
-
 function openconnect_interfaces()
 {
     $interfaces = array();
@@ -82,3 +81,8 @@ function openconnect_xmlrpc_sync()
     $result['services'] = ['openconnect'];
     return array($result);
 }
+
+function openconnect_devices()
+{
+    return [['pattern' => '^ocvpn', 'volatile' => true]];
+}

From 68bb85ddd931f6b59d6485be247cfffa4a7db084 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Aug 2022 09:55:13 +0200
Subject: [PATCH 1159/3088] security/tinc: register device from plugin

---
 security/tinc/Makefile                        |  2 +-
 .../tinc/src/etc/inc/plugins.inc.d/tinc.inc   | 53 ++++++++++---------
 2 files changed, 30 insertions(+), 25 deletions(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index e7bcf5a701..403bbbc5fa 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc b/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
index e732ece416..e69ef4c442 100644
--- a/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
+++ b/security/tinc/src/etc/inc/plugins.inc.d/tinc.inc
@@ -1,30 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2016 Deciso B.V.
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2016 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 function tinc_enabled()
 {
@@ -107,3 +107,8 @@ function tinc_xmlrpc_sync()
     $result['services'] = ['tincd'];
     return array($result);
 }
+
+function tinc_devices()
+{
+    return [['pattern' => '^tinc', 'volatile' => true]];
+}

From 08cfc8b78d8bdf38aea79746bcd17c4a36632421 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Aug 2022 09:48:04 +0200
Subject: [PATCH 1160/3088] net/wireguard: register device from plugin

---
 net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index 2efb42b500..365ffc9168 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -78,3 +78,8 @@ function wireguard_xmlrpc_sync()
     $result['services'] = ['wireguard-go'];
     return array($result);
 }
+
+function wireguard_devices()
+{
+    return [['pattern' => '^wg', 'volatile' => true]];
+}

From 01e574bfd0e61b1eace4d8de8064982aec474f2f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 30 Aug 2022 13:05:55 +0200
Subject: [PATCH 1161/3088] sysutils/nut: convert to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 sysutils/nut/Makefile                                     | 1 +
 .../src/opnsense/service/conf/actions.d/actions_nut.conf  | 8 ++++----
 .../nut/src/opnsense/service/templates/OPNsense/Nut/nut   | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/sysutils/nut/Makefile b/sysutils/nut/Makefile
index 1e9315072c..ab7e34d896 100644
--- a/sysutils/nut/Makefile
+++ b/sysutils/nut/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nut
 PLUGIN_VERSION=		1.8.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Network UPS Tools
 PLUGIN_DEPENDS=		nut
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/nut/src/opnsense/service/conf/actions.d/actions_nut.conf b/sysutils/nut/src/opnsense/service/conf/actions.d/actions_nut.conf
index d7ae051a55..65816a99db 100644
--- a/sysutils/nut/src/opnsense/service/conf/actions.d/actions_nut.conf
+++ b/sysutils/nut/src/opnsense/service/conf/actions.d/actions_nut.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Nut/setup.sh;/usr/local/etc/rc.d/nut start;/usr/local/etc/rc.d/nut_upsmon start
+command:/usr/local/etc/rc.d/nut start; /usr/local/etc/rc.d/nut_upsmon start
 parameters:
 type:script
 message:starting nut
 
 [stop]
-command:/usr/local/etc/rc.d/nut stop;/usr/local/etc/rc.d/nut_upsmon stop
+command:/usr/local/etc/rc.d/nut stop; /usr/local/etc/rc.d/nut_upsmon stop
 parameters:
 type:script
 message:stopping nut
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Nut/setup.sh;/usr/local/etc/rc.d/nut restart;/usr/local/etc/rc.d/nut_upsmon restart
+command:/usr/local/etc/rc.d/nut restart; /usr/local/etc/rc.d/nut_upsmon restart
 parameters:
 type:script
 message:restarting nut
 
 [status]
-command:/usr/local/etc/rc.d/nut_upsmon status;exit 0
+command:/usr/local/etc/rc.d/nut_upsmon status; exit 0
 parameters:
 type:script_output
 message:request nut status
diff --git a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/nut b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/nut
index 8015ac6dda..57744d5823 100644
--- a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/nut
+++ b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/nut
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.Nut.general.enable') and OPNsense.Nut.general.enable == '1' %}
-nut_var_script="/usr/local/opnsense/scripts/OPNsense/Nut/setup.sh"
+nut_setup="/usr/local/opnsense/scripts/OPNsense/Nut/setup.sh"
 nut_enable="YES"
 {% else %}
 nut_enable="NO"

From 31b1470959e59740517cd1136ba5ebaa2964ae5d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 30 Aug 2022 13:07:47 +0200
Subject: [PATCH 1162/3088] sysutils/munin-node: convert to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 sysutils/munin-node/Makefile                                | 1 +
 .../opnsense/service/conf/actions.d/actions_muninnode.conf  | 6 +++---
 .../service/templates/OPNsense/Muninnode/munin_node         | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/sysutils/munin-node/Makefile b/sysutils/munin-node/Makefile
index 0248c76819..43d5c15f89 100644
--- a/sysutils/munin-node/Makefile
+++ b/sysutils/munin-node/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		munin-node
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Munin monitoring agent
 PLUGIN_DEPENDS=		munin-node
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/munin-node/src/opnsense/service/conf/actions.d/actions_muninnode.conf b/sysutils/munin-node/src/opnsense/service/conf/actions.d/actions_muninnode.conf
index 3152e2b0d6..693a363984 100644
--- a/sysutils/munin-node/src/opnsense/service/conf/actions.d/actions_muninnode.conf
+++ b/sysutils/munin-node/src/opnsense/service/conf/actions.d/actions_muninnode.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Muninnode/setup.sh;/usr/local/etc/rc.d/munin-node start
+command:/usr/local/etc/rc.d/munin-node start
 parameters:
 type:script
 message:starting munin-node
@@ -11,13 +11,13 @@ type:script
 message:stopping munin-node
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Muninnode/setup.sh;/usr/local/etc/rc.d/munin-node restart
+command:/usr/local/etc/rc.d/munin-node restart
 parameters:
 type:script
 message:restarting munin-node
 
 [status]
-command:/usr/local/etc/rc.d/munin-node status;exit 0
+command:/usr/local/etc/rc.d/munin-node status; exit 0
 parameters:
 type:script_output
 message:request munin-node status
diff --git a/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node b/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
index 6c9fc82aa4..ac231c1b9a 100644
--- a/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
+++ b/sysutils/munin-node/src/opnsense/service/templates/OPNsense/Muninnode/munin_node
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.muninnode.general.enabled') and OPNsense.muninnode.general.enabled == '1' %}
-munin_node_var_script="/usr/local/opnsense/scripts/OPNsense/Muninnode/setup.sh"
+munin_node_setup="/usr/local/opnsense/scripts/OPNsense/Muninnode/setup.sh"
 munin_node_enable="YES"
 {% else %}
 munin_node_enable="NO"

From a5031eadf18d9c21f0251f7bee96d6b8a337860d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 1 Sep 2022 08:44:15 +0200
Subject: [PATCH 1163/3088] dns/ddclient: bump revision

---
 dns/ddclient/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 2c0b66f552..e3c6c75d2a 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.8
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From c9b9f10b9b440d920a9d8b36dbfd617836adf46c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Sep 2022 08:51:06 +0200
Subject: [PATCH 1164/3088] security/tor: move to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 security/tor/Makefile                                       | 2 +-
 .../src/opnsense/service/conf/actions.d/actions_tor.conf    | 6 +++---
 .../tor/src/opnsense/service/templates/OPNsense/Tor/tor     | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/tor/Makefile b/security/tor/Makefile
index 5c19670bb9..452ca6ddc8 100644
--- a/security/tor/Makefile
+++ b/security/tor/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tor
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		The Onion Router
 PLUGIN_DEPENDS=		tor ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/security/tor/src/opnsense/service/conf/actions.d/actions_tor.conf b/security/tor/src/opnsense/service/conf/actions.d/actions_tor.conf
index ad3672a4ff..202c4389cb 100644
--- a/security/tor/src/opnsense/service/conf/actions.d/actions_tor.conf
+++ b/security/tor/src/opnsense/service/conf/actions.d/actions_tor.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/tor/setup.sh;/usr/local/etc/rc.d/tor start
+command:/usr/local/etc/rc.d/tor start
 parameters:
 type:script
 message:starting tor
@@ -11,13 +11,13 @@ type:script
 message:stopping tor
 
 [restart]
-command:/usr/local/opnsense/scripts/tor/setup.sh;/usr/local/etc/rc.d/tor restart
+command:/usr/local/etc/rc.d/tor restart
 parameters:
 type:script
 message:restarting tor
 
 [status]
-command:/usr/local/etc/rc.d/tor status;exit 0
+command:/usr/local/etc/rc.d/tor status; exit 0
 parameters:
 type:script_output
 message:request tor status
diff --git a/security/tor/src/opnsense/service/templates/OPNsense/Tor/tor b/security/tor/src/opnsense/service/templates/OPNsense/Tor/tor
index 5816e26026..98de5860c4 100644
--- a/security/tor/src/opnsense/service/templates/OPNsense/Tor/tor
+++ b/security/tor/src/opnsense/service/templates/OPNsense/Tor/tor
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.tor.general.enabled') and OPNsense.tor.general.enabled == '1' %}
-tor_var_script="/usr/local/opnsense/scripts/tor/setup.sh"
+tor_setup="/usr/local/opnsense/scripts/tor/setup.sh"
 tor_enable="YES"
 {% else %}
 tor_enable="NO"

From f9cbc90c35946f8ffd43b790f738ddb39a4f0898 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Sep 2022 08:53:52 +0200
Subject: [PATCH 1165/3088] security/softether: move to NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 security/softether/Makefile                                 | 2 +-
 .../opnsense/service/conf/actions.d/actions_softether.conf  | 6 +++---
 .../service/templates/OPNsense/Softether/softether_server   | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/security/softether/Makefile b/security/softether/Makefile
index c595499554..e7cc86d2eb 100644
--- a/security/softether/Makefile
+++ b/security/softether/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		softether
-PLUGIN_VERSION=		0.2
+PLUGIN_VERSION=		0.3
 PLUGIN_COMMENT=		Cross-platform Multi-protocol VPN Program
 PLUGIN_DEPENDS=		softether
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/softether/src/opnsense/service/conf/actions.d/actions_softether.conf b/security/softether/src/opnsense/service/conf/actions.d/actions_softether.conf
index 2470ac33fa..6e840fd06e 100644
--- a/security/softether/src/opnsense/service/conf/actions.d/actions_softether.conf
+++ b/security/softether/src/opnsense/service/conf/actions.d/actions_softether.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Softether/setup.sh;/usr/local/etc/rc.d/softether_server start
+command:/usr/local/etc/rc.d/softether_server start
 parameters:
 type:script
 message:starting softether
@@ -11,13 +11,13 @@ type:script
 message:stopping softether
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Softether/setup.sh;/usr/local/etc/rc.d/softether_server restart
+command:/usr/local/etc/rc.d/softether_server restart
 parameters:
 type:script
 message:restarting softether
 
 [status]
-command:sh /usr/local/etc/rc.d/softether_server status;exit 0
+command:/usr/local/etc/rc.d/softether_server status; exit 0
 parameters:
 type:script_output
 message:softether status
diff --git a/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server b/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server
index 29fcf71906..be34375d56 100644
--- a/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server
+++ b/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.softether.general.enabled') and OPNsense.softether.general.enabled == '1' %}
-softether_server_var_script="/usr/local/opnsense/scripts/OPNsense/Softether/setup.sh"
+softether_server_setup="/usr/local/opnsense/scripts/OPNsense/Softether/setup.sh"
 softether_server_enable="YES"
 {% if helpers.exists('OPNsense.softether.general.enablecarp') and OPNsense.softether.general.enablecarp == '1' %}
 required_files="/var/run/softether/CARP_MASTER"

From 6d745e8e96076c6ac9722e2c15457dc25566579f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Sep 2022 08:57:07 +0200
Subject: [PATCH 1166/3088] security/maltrail: move to NAME_setup use

PR: https://github.com/opnsense/core/issues/5917
---
 security/maltrail/Makefile                                  | 1 +
 .../service/conf/actions.d/actions_maltrailsensor.conf      | 6 +++---
 .../service/conf/actions.d/actions_maltrailserver.conf      | 6 +++---
 .../service/templates/OPNsense/Maltrail/maltrailsensor      | 2 +-
 .../service/templates/OPNsense/Maltrail/maltrailserver      | 2 +-
 5 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index ba46250906..051a29b993 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		maltrail
 PLUGIN_VERSION=		1.9
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailsensor.conf b/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailsensor.conf
index 51b2c66536..530780446c 100644
--- a/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailsensor.conf
+++ b/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailsensor.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh;/usr/local/etc/rc.d/opnsense-maltrailsensor start
+command:/usr/local/etc/rc.d/opnsense-maltrailsensor start
 parameters:
 type:script
 message:starting Maltrail sensor
@@ -11,14 +11,14 @@ type:script
 message:stopping Maltrail sensor
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh;/usr/local/etc/rc.d/opnsense-maltrailsensor restart
+command:/usr/local/etc/rc.d/opnsense-maltrailsensor restart
 parameters:
 type:script
 message:restarting Maltrail sensor
 description:Restart Maltrail sensor
 
 [status]
-command:/usr/local/etc/rc.d/opnsense-maltrailsensor status;exit 0
+command:/usr/local/etc/rc.d/opnsense-maltrailsensor status; exit 0
 parameters:
 type:script_output
 message:request Maltrail sensor status
diff --git a/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailserver.conf b/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailserver.conf
index ad8313f6f3..1cd65664b2 100644
--- a/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailserver.conf
+++ b/security/maltrail/src/opnsense/service/conf/actions.d/actions_maltrailserver.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh;/usr/local/etc/rc.d/opnsense-maltrailserver start
+command:/usr/local/etc/rc.d/opnsense-maltrailserver start
 parameters:
 type:script
 message:starting Maltrail Server
@@ -11,13 +11,13 @@ type:script
 message:stopping Maltrail Server
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh;/usr/local/etc/rc.d/opnsense-maltrailserver restart
+command:/usr/local/etc/rc.d/opnsense-maltrailserver restart
 parameters:
 type:script
 message:restarting Maltrail Server
 
 [status]
-command:/usr/local/etc/rc.d/opnsense-maltrailserver status;exit 0
+command:/usr/local/etc/rc.d/opnsense-maltrailserver status; exit 0
 parameters:
 type:script_output
 message:request Maltrail Server status
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailsensor b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailsensor
index 6c3ffe4bb3..f8af7a52e4 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailsensor
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailsensor
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.maltrail.sensor.enabled') and OPNsense.maltrail.sensor.enabled == '1' %}
-maltrailsensor_var_script="/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh"
+maltrailsensor_setup="/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh"
 maltrailsensor_enable="YES"
 {% else %}
 maltrailsensor_enable="NO"
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailserver b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailserver
index d62c5c9978..9ddea01c62 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailserver
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrailserver
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.maltrail.server.enabled') and OPNsense.maltrail.server.enabled == '1' %}
-maltrailserver_var_script="/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh"
+maltrailserver_setup="/usr/local/opnsense/scripts/OPNsense/Maltrail/setup.sh"
 maltrailserver_enable="YES"
 {% else %}
 maltrailserver_enable="NO"

From 27d89b85955cf1cc7cd3bd721ff3fbdff062fa0d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Sep 2022 08:59:35 +0200
Subject: [PATCH 1167/3088] security/acme-client: "move" to NAME_setup use

setup.sh is being used much more differently here than anywhere else.
Not touching any of the integration, but the general problem might be
that it tries to do something else entirely that doesn't fit any other
plugin paradigm and might break at a later point.

PR: https://github.com/opnsense/core/issues/5917
---
 .../opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
index b43c75151c..96d20f1bc0 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
@@ -2,7 +2,7 @@
 acme_http_challenge_enable=YES
 acme_http_challenge_conf="/var/etc/lighttpd-acme-challenge.conf"
 acme_http_challenge_pidfile="/var/run/lighttpd-acme-challenge.pid"
-acme_http_challenge_var_script="/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh"
+acme_http_challenge_setup="/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh"
 {% else %}
 acme_http_challenge_enable=NO
 {% endif %}

From abf9ebdb11e12cc52b5a4cfbe69109e110b6d173 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Sep 2022 09:09:41 +0200
Subject: [PATCH 1168/3088] security/clamav: move to NAME_setup use

Fiddle with the freshclam script to use the rc system so that
setup.sh is invoked implicity.  Restart seems more reasonable
than an opportunistic start.

PR: https://github.com/opnsense/core/issues/5917
---
 security/clamav/Makefile                                    | 2 +-
 .../src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh       | 2 +-
 .../src/opnsense/service/conf/actions.d/actions_clamav.conf | 6 +-----
 .../opnsense/service/templates/OPNsense/ClamAV/clamav_clamd | 2 +-
 .../service/templates/OPNsense/ClamAV/clamav_freshclam      | 2 +-
 5 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index 668ca3fd0c..6daca4461b 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		clamav
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh b/security/clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh
index 5ce3c3d66d..cc94eb91c5 100755
--- a/security/clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh
+++ b/security/clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh
@@ -37,7 +37,7 @@ elif pgrep -qF ${PIDFILE} 2> /dev/null; then
 elif [ -z "${COMMAND}" ]; then
 	echo "missing"
 else
-       daemon -f -p ${PIDFILE} freshclam --quiet
+       daemon -f -p ${PIDFILE} /usr/local/etc/rc.d/clamav-freshclam restart
        echo "starting"
 fi
 
diff --git a/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf b/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
index f1d5d96a19..db9285bb35 100644
--- a/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
+++ b/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
@@ -1,6 +1,5 @@
 [start]
 command:
-    /usr/local/opnsense/scripts/OPNsense/ClamAV/setup.sh;
     /usr/local/etc/rc.d/clamav-freshclam start;
     /usr/local/etc/rc.d/clamav-clamd start
 parameters:
@@ -17,7 +16,6 @@ message:stopping ClamAV
 
 [restart]
 command:
-    /usr/local/opnsense/scripts/OPNsense/ClamAV/setup.sh;
     /usr/local/etc/rc.d/clamav-freshclam restart;
     /usr/local/etc/rc.d/clamav-clamd restart
 parameters:
@@ -31,9 +29,7 @@ type:script_output
 message:request ClamAV status
 
 [freshclam]
-command:
-    /usr/local/opnsense/scripts/OPNsense/ClamAV/setup.sh;
-    /usr/local/opnsense/scripts/OPNsense/ClamAV/freshclam.sh
+command:/usr/local/opnsense/scripts/OPNsense/ClamAV/freshclam.sh
 parameters:%s
 type:script_output
 message:Check or install signatures
diff --git a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd
index f46fa24a25..a36465aaa7 100644
--- a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd
+++ b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_clamd
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.clamav.general.enabled') and OPNsense.clamav.general.enabled == '1' %}
-clamav_clamd_var_script="/usr/local/opnsense/scripts/OPNsense/ClamAV/setup.sh"
+clamav_clamd_setup="/usr/local/opnsense/scripts/OPNsense/ClamAV/setup.sh"
 clamav_clamd_enable="YES"
 {% else %}
 clamav_clamd_enable="NO"
diff --git a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_freshclam b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_freshclam
index 7315a1ae4a..5a2fc06ca4 100644
--- a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_freshclam
+++ b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamav_freshclam
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.clamav.general.fc_enabled') and OPNsense.clamav.general.fc_enabled == '1' %}
-clamav_freshclam_var_script="/usr/local/opnsense/scripts/OPNsense/ClamAV/setup.sh"
+clamav_freshclam_setup="/usr/local/opnsense/scripts/OPNsense/ClamAV/setup.sh"
 clamav_freshclam_enable="YES"
 {% else %}
 clamav_freshclam_enable="NO"

From 5ee385271eb43138d19eae94e81ba334b42c0942 Mon Sep 17 00:00:00 2001
From: vnxme <46669194+vnxme@users.noreply.github.com>
Date: Thu, 4 Aug 2022 14:55:24 +0300
Subject: [PATCH 1169/3088] Set no bgp default ipv4-unicast in bgpd.conf

---
 net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index a5fb926d4e..c2066e0f95 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -43,6 +43,7 @@ frr defaults {{ OPNsense.quagga.general.profile }}
 !
 {% if helpers.exists('OPNsense.quagga.bgp.asnumber') and OPNsense.quagga.bgp.asnumber != '' %}
 router bgp {{ OPNsense.quagga.bgp.asnumber }}
+ no bgp default ipv4-unicast
  no bgp ebgp-requires-policy
 {%   if helpers.exists('OPNsense.quagga.bgp.graceful') and OPNsense.quagga.bgp.graceful == '1' %}
  bgp graceful-restart

From 3da1edcd511003220824f72620d57a5c3b3aca41 Mon Sep 17 00:00:00 2001
From: Marvo2011 <Marvin.Edeler@gmail.com>
Date: Mon, 12 Sep 2022 09:28:08 +0200
Subject: [PATCH 1170/3088] Replace rid, rid2 with selfhost_map

Replace rid, rid2 with selfhost_map, required for the actual acme.sh master.
---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index f7c912ed1e..890240560d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1065,16 +1065,10 @@
         <type>password</type>
     </field>
     <field>
-        <id>validation.dns_selfhost_rid</id>
-        <label>rid</label>
-        <type>text</type>
-        <help>Please create the TXT Record with Subdomain _acme-challenge first, than you can get the ID from the edit page.</help>
-    </field>
-    <field>
-        <id>validation.dns_selfhost_rid2</id>
-        <label>rid2</label>
-        <type>text</type>
-        <help>Please create a second TXT Record with Subdomain _acme-challenge (needed to support ACME v2).</help>
+        <id>validation.dns_selfhost_map</id>
+        <label>RID Mapping</label>
+        <type>textbox</type>
+        <help>Please create the TXT Record with Subdomain _acme-challenge first, than you can get the ID from the edit page. Up to two RIDs per fulldomain are supported but at least one must be set, e.g. _acme-challenge.domain.net:RID:RI>
     </field>
     <field>
         <label>Servercow</label>

From 89e3cfc88844ed1b73991e27e361abc743282f43 Mon Sep 17 00:00:00 2001
From: Marvo2011 <Marvin.Edeler@gmail.com>
Date: Mon, 12 Sep 2022 09:30:10 +0200
Subject: [PATCH 1171/3088] Replace rid, rid2 with SELFHOSTDNS_MAP export

Replace rid, rid2 with SELFHOSTDNS_MAP export, required for the actual acme.sh master.
---
 .../library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php
index f487e9a014..881ebf792d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelfhost.php
@@ -41,7 +41,6 @@ public function prepare()
     {
         $this->acme_env['SELFHOSTDNS_USERNAME'] = (string)$this->config->dns_selfhost_user;
         $this->acme_env['SELFHOSTDNS_PASSWORD'] = (string)$this->config->dns_selfhost_password;
-        $this->acme_env['SELFHOSTDNS_RID'] = (string)$this->config->dns_selfhost_rid;
-        $this->acme_env['SELFHOSTDNS_RID2'] = (string)$this->config->dns_selfhost_rid2;
+        $this->acme_env['SELFHOSTDNS_MAP'] = (string)$this->config->dns_selfhost_map;
     }
 }

From 6f1eb3785dc0d4801730d15f478105a21e17cd45 Mon Sep 17 00:00:00 2001
From: Marvo2011 <Marvin.Edeler@gmail.com>
Date: Mon, 12 Sep 2022 09:32:22 +0200
Subject: [PATCH 1172/3088] Replace rid, rid2 with selfhost_map validation

Replace rid, rid2 with selfhost_map validation, required for the actual acme.sh master.
---
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml      | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 237e2b76b4..5fd41ff307 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -948,12 +948,9 @@
                 <dns_selfhost_password type="TextField">
                     <Required>N</Required>
                 </dns_selfhost_password>
-                <dns_selfhost_rid type="TextField">
+                <dns_selfhost_map type="TextField">
                     <Required>N</Required>
-                </dns_selfhost_rid>
-                <dns_selfhost_rid2 type="TextField">
-                    <Required>N</Required>
-                </dns_selfhost_rid2>
+                </dns_selfhost_map>
                 <dns_servercow_username type="TextField">
                     <Required>N</Required>
                 </dns_servercow_username>

From 7ffcdd47890094eacca7c32fc0bdb7cf6fd0aa8a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 14 Sep 2022 10:49:50 +0200
Subject: [PATCH 1173/3088] dns/ddclient - some prefer % chars in usernames
 (https://forum.opnsense.org/index.php?topic=26446.msg146226#msg146226)

---
 dns/ddclient/Makefile                                           | 2 +-
 dns/ddclient/pkg-descr                                          | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml      | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index e3c6c75d2a..cc295655f8 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 81cf7d70a2..f7f9129fcd 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 * Fix expected permission on ddclient.conf
 * Make service status and stop more reliable
 * Time out checkip script after 10 seconds
+* allow % characters in usernames (rev 2)
 
 1.7
 
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 8d6a9ade70..8b8439da30 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -78,7 +78,7 @@
                 </server>
                 <username type="TextField">
                     <Required>N</Required>
-                    <mask>/^([a-zA-Z0-9\-.@_:+])*$/u</mask>
+                    <mask>/^([a-zA-Z0-9\-.@_:+\%])*$/u</mask>
                     <ValidationMessage>The username contains invalid characters.</ValidationMessage>
                 </username>
                 <password type="UpdateOnlyTextField">

From 3811b1f84324580c0f0e618d4b439319a4bbc23a Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Mon, 19 Sep 2022 20:21:27 +0200
Subject: [PATCH 1174/3088] security/crowdsec 1.0.1: fixed live logs (#3130)

---
 security/crowdsec/Makefile                             |  2 +-
 security/crowdsec/pkg-descr                            |  4 ++++
 .../crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc    | 10 ++++------
 .../OPNsense/CrowdSec/Api/ServiceController.php        |  2 +-
 .../mvc/app/models/OPNsense/CrowdSec/General.xml       |  2 +-
 5 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 20e019df1b..b74fafce4c 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.0.1
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index e7b571f603..53fc2bf43e 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,10 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.1
+
+* fixed live logs
+
 1.0
 
 * first non-devel release
diff --git a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
index 79348aaf76..386bc73cac 100644
--- a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
+++ b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
@@ -53,13 +53,12 @@ function crowdsec_firewall(Plugin $fw)
             'ipprotocol' => 'inet',
             'descr'      => 'CrowdSec (IPv4)',
             'from'       => '$crowdsec_blacklists',     # $ to reference an alias
+            'direction'  => 'in',
             'type'       => 'block',
             'log'        => $rules_log_enabled,
             'tag'        => $rules_tag,
-            'label'      => 'blocked by crowdsec',
             'quick'      => true
-        ),
-        null
+        )
     );
 
     add_alias_if_not_exist('crowdsec6_blacklists', 'CrowdSec (IPv6)', 'IPv6');
@@ -70,13 +69,12 @@ function crowdsec_firewall(Plugin $fw)
             'ipprotocol' => 'inet6',
             'descr'      => 'CrowdSec (IPv6)',
             'from'       => '$crowdsec6_blacklists',    # $ to reference an alias
+            'direction'  => 'in',
             'type'       => 'block',
             'log'        => $rules_log_enabled,
             'tag'        => $rules_tag,
-            'label'      => 'blocked by crowdsec',
             'quick'      => true
-        ),
-        null
+        )
     );
 }
 
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
index dae2711c78..4774004183 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
@@ -43,7 +43,7 @@ public function statusAction()
         $backend = new Backend();
         $response = $backend->configdRun("crowdsec crowdsec-status");
 
-        $status = "unkown";
+        $status = "unknown";
         if (strpos($response, "not running") > 0) {
             $status = "stopped";
         } elseif (strpos($response, "is running") > 0) {
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index d71245d0d5..dd124e045a 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0</version>
+  <version>1.0.1</version>
   <items>
 
     <agent_enabled type="BooleanField">

From b5da8e67844f8547c5c8cfdf1945bc496c82d208 Mon Sep 17 00:00:00 2001
From: Matt Parnell <mparnell@gmail.com>
Date: Wed, 21 Sep 2022 10:22:28 -0500
Subject: [PATCH 1175/3088] Add icanhazip.com as a checkip provider. Fast, only
 returns IP so less processing time.

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml       | 1 +
 dns/ddclient/src/opnsense/scripts/ddclient/checkip               | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 8b8439da30..336143e1a6 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -111,6 +111,7 @@
                         <web_freedns>freedns</web_freedns>
                         <web_googledomains>googledomains</web_googledomains>
                         <web_he>he</web_he>
+                        <web_icanhazip value="icanhazip">icanhazip</web_icanhazip>
                         <web_ip4only_me value="web_ip4only.me">ip4only.me</web_ip4only_me>
                         <web_ip6only_me value="web_ip6only.me">ip6only.me</web_ip6only_me>
                         <web_ipify_ipv4 value="web_ipify-ipv4">ipify-ipv4</web_ipify_ipv4>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/checkip b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
index f68ec76b8d..19d6658356 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/checkip
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
@@ -35,6 +35,7 @@ service_list = {
   'freedns': '%s://freedns.afraid.org/dynamic/check.php',
   'googledomains': '%s://domains.google.com/checkip',
   'he': '%s://checkip.dns.he.net/',
+  'icanhazip': '%s://icanhazip.com/',
   'ip4only.me': '%s://ip4only.me/api/',
   'ip6only.me': '%s://ip6only.me/api/',
   'ipify-ipv4': '%s://api.ipify.org/',

From a425c1f8423902215fe02edf4fc0164ef0a6e496 Mon Sep 17 00:00:00 2001
From: Matt Parnell <mparnell@gmail.com>
Date: Wed, 21 Sep 2022 10:30:17 -0500
Subject: [PATCH 1176/3088] Appears I missed this one. I don't think
 ddclient.conf needs edited - correct me if I am wrong, as it doesn't provide
 dynamic DNS services itself.

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml       | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 336143e1a6..3c40ca3126 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -50,6 +50,7 @@
                         <gandi>Gandi.net</gandi>
                         <he-net>HE.net</he-net>
                         <he-net-tunnel>HE.net TunnelBroker</he-net-tunnel>
+                        <icanhazip>icanhazip</icanhazip>
                         <inwx>INWX</inwx>
                         <loopia>Loopia</loopia>
                         <namecheap>NameCheap</namecheap>

From ef4486f6a57848c41964352ca76c1dfc2b767bf0 Mon Sep 17 00:00:00 2001
From: Matt Parnell <mparnell@gmail.com>
Date: Wed, 21 Sep 2022 10:37:24 -0500
Subject: [PATCH 1177/3088] Actually, I was wrong. Just as an IP fetcher, we
 only need the web_ entry I believe.

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml       | 1 -
 1 file changed, 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 3c40ca3126..336143e1a6 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -50,7 +50,6 @@
                         <gandi>Gandi.net</gandi>
                         <he-net>HE.net</he-net>
                         <he-net-tunnel>HE.net TunnelBroker</he-net-tunnel>
-                        <icanhazip>icanhazip</icanhazip>
                         <inwx>INWX</inwx>
                         <loopia>Loopia</loopia>
                         <namecheap>NameCheap</namecheap>

From 01b56a35c60df9180ab32e6b5eeb4cc0c1e7f20b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 21 Sep 2022 21:08:14 +0200
Subject: [PATCH 1178/3088] dns/ddclient - Add icanhazip.com as a checkip
 provider (bugfix https://github.com/opnsense/plugins/pull/3134)

---
 dns/ddclient/Makefile                                           | 2 +-
 dns/ddclient/pkg-descr                                          | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml      | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index cc295655f8..235e0b751e 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index f7f9129fcd..677610b207 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 * Make service status and stop more reliable
 * Time out checkip script after 10 seconds
 * allow % characters in usernames (rev 2)
+* add icanhazip.com as a checkip provider (rev 3)
 
 1.7
 
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 336143e1a6..a010321c85 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -111,7 +111,7 @@
                         <web_freedns>freedns</web_freedns>
                         <web_googledomains>googledomains</web_googledomains>
                         <web_he>he</web_he>
-                        <web_icanhazip value="icanhazip">icanhazip</web_icanhazip>
+                        <web_icanhazip>icanhazip</web_icanhazip>
                         <web_ip4only_me value="web_ip4only.me">ip4only.me</web_ip4only_me>
                         <web_ip6only_me value="web_ip6only.me">ip6only.me</web_ip6only_me>
                         <web_ipify_ipv4 value="web_ipify-ipv4">ipify-ipv4</web_ipify_ipv4>

From 522a7173009a3f287c90906bf74d83d4e7945c21 Mon Sep 17 00:00:00 2001
From: Christian Schulze <christian.schulze@gmail.com>
Date: Thu, 22 Sep 2022 21:50:55 +1000
Subject: [PATCH 1179/3088] ddclient configurable checkip timeout (#3136)

* checkip configurable timeout
---
 .../controllers/OPNsense/DynDNS/forms/dialogAccount.xml   | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml    | 8 +++++++-
 dns/ddclient/src/opnsense/scripts/ddclient/checkip        | 3 ++-
 .../service/templates/OPNsense/ddclient/ddclient.conf     | 4 ++--
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index bb7e48fd41..8736374527 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -65,6 +65,12 @@
         <type>dropdown</type>
         <help>How to determine the address to use for this host</help>
     </field>
+    <field>
+        <id>account.checkip_timeout</id>
+        <label>Check ip timeout</label>
+        <type>text</type>
+        <help>How long to wait before the checkip process times out</help>
+    </field>
     <field>
         <id>account.force_ssl</id>
         <label>Force SSL</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index a010321c85..bcee85f31d 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/DynDNS</mount>
-    <version>1.4.0</version>
+    <version>1.5.0</version>
     <description>
         Dynamic DNS client
     </description>
@@ -126,6 +126,12 @@
                         <if>Interface</if>
                     </OptionValues>
                 </checkip>
+                <checkip_timeout type="IntegerField">
+                    <default>10</default>
+                    <Required>Y</Required>
+                    <MinimumValue>10</MinimumValue>
+                    <MaximumValue>60</MaximumValue>
+                </checkip_timeout>
                 <force_ssl type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/checkip b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
index 19d6658356..35e2244059 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/checkip
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
@@ -70,10 +70,11 @@ if __name__ == '__main__':
     parser.add_argument('-s', '--service', help='service name', choices=service_list.keys(), required=True)
     parser.add_argument('-i', '--interface', help='interface', type=str, default='')
     parser.add_argument('-t', '--tls', help='enforce tls', choices=['0', '1'], default='0')
+    parser.add_argument('--timeout', help='timeout', type=str, default='10')
     inputargs = parser.parse_args()
 
     # use curl to fetch data, so we can optionally use "--interface"
-    params = ['/usr/local/bin/curl', '-m', '10']
+    params = ['/usr/local/bin/curl', '-m', inputargs.timeout]
     if inputargs.interface.strip() != "":
         params.append("--interface")
         params.append(inputargs.interface)
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 8a6b263eb3..89e6928cc8 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -29,9 +29,9 @@ ssl=yes
 use=if, if={{physical_interface(account.interface)}}, \
 {%      elif account.checkip.startswith('web_') %}
 {%          if account.interface %}
-use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i {{physical_interface(account.interface)}} -t {{account.force_ssl}} -s {{account.checkip[4:]}}",
+use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i {{physical_interface(account.interface)}} -t {{account.force_ssl}} -s {{account.checkip[4:]}} --timeout {{account.checkip_timeout|default('10')}}",
 {%          else %}
-use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t {{account.force_ssl}} -s {{account.checkip[4:]}}",
+use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t {{account.force_ssl}} -s {{account.checkip[4:]}} --timeout {{account.checkip_timeout|default('10')}}",
 {%            endif %}
 {%      endif %}
 {%      if account.service == 'custom' %}

From 49c8308353f3f613f2f31ea82c3aa641647ecbb7 Mon Sep 17 00:00:00 2001
From: clanto007 <44651109+clanto007@users.noreply.github.com>
Date: Mon, 26 Sep 2022 20:48:21 +0200
Subject: [PATCH 1180/3088] net\freeradius Certificate for LDAP Connection
 (#3061)

---
 net/freeradius/Makefile                       |  2 +-
 net/freeradius/pkg-descr                      |  4 +++
 .../OPNsense/Freeradius/forms/ldap.xml        | 18 ++++++++++
 .../app/models/OPNsense/Freeradius/Ldap.xml   | 11 ++++++
 .../scripts/Freeradius/generate_certs.php     | 35 +++++++++++++++++++
 .../OPNsense/Freeradius/mods-enabled-ldap     | 13 ++++++-
 6 files changed, 81 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 7b07c95672..56558aa9b1 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.20
+PLUGIN_VERSION=		1.9.21
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 48342d041a..5b5df9231d 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.21
+
+* Add Certificate, StartTLS and Server port for LDAP Connection
+
 1.9.20
 
 * Remove TTLS-GTC from Default EAP Type (#2421)
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
index 29cb57c693..be7d1affd1 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
@@ -17,6 +17,24 @@
         <type>text</type>
         <help>Set the hostname or IP address to connect to.</help>
     </field>
+    <field>
+        <id>ldap.serverport</id>
+        <label>Server Port</label>
+        <type>text</type>
+        <help>Set the port to connect</help>
+    </field>
+    <field>
+        <id>ldap.ldapcert</id>
+        <label>Certificate</label>
+        <type>dropdown</type>
+        <help>Certificate to use to connect</help>
+    </field>
+    <field>
+        <id>ldap.ldapstarttls</id>
+        <label>Start TLS</label>
+        <type>checkbox</type>
+        <help>Start TLS</help>
+    </field>
     <field>
         <id>ldap.identity</id>
         <label>Bind User</label>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
index 53b4f55b53..0ee417c475 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
@@ -18,6 +18,17 @@
         <server type="TextField">
             <Required>N</Required>
         </server>
+      <serverport type="TextField">
+            <Required>N</Required>
+        </serverport>
+        <ldapcert type="CertificateField">
+            <Type>cert</Type>
+            <Required>N</Required>
+        </ldapcert>
+        <ldapstarttls type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </ldapstarttls>
         <identity type="TextField">
             <Required>N</Required>
         </identity>
diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
index 2ac4648a5a..9b54cd6c86 100755
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@@ -41,6 +41,9 @@
 $ca_pem_filename = '/usr/local/etc/raddb/certs/ca_opn.pem';
 $ca_pem_content = '';
 
+$ldapcert_pem_filename = '/usr/local/etc/raddb/certs/cert_ldap.pem';
+$ldapcert_pem_content = '';
+
 // traverse Freeradius plugin for certficiates
 $configObj = Config::getInstance()->object();
 if (isset($configObj->OPNsense->freeradius)) {
@@ -108,6 +111,34 @@
                 }
             }
         }
+       $cert_refid = (string)$find_cert->ldapcert;
+        // if eap has a certificate attached, search for its contents
+        if ($cert_refid != "") {
+            foreach ($configObj->cert as $ldapcert) {
+                if ($cert_refid == (string)$ldapcert->refid) {
+                    // generate cert pem file
+                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                        "\r",
+                        "",
+                        base64_decode((string)$ldapcert->crt)
+                    )));
+
+                    $pem_content .= "\n";
+                    $pem_content .= trim(str_replace(
+                        "\n\n",
+                        "\n",
+                        str_replace("\r", "", base64_decode((string)$ldapcert->prv))
+                    ));
+                    $pem_content .= "\n";
+                    $ldapcert_pem_content .= $pem_content;
+                    // generate ca pem file
+                    if (!empty($ldapcert->caref)) {
+                        $ldapcert = (array)$ldapcert;
+                        $ldapcert_pem_content .= ca_chain($ldapcert);
+                    }
+                }
+            }
+        }
     }
 }
 
@@ -118,3 +149,7 @@
 file_put_contents($ca_pem_filename, $ca_pem_content);
 chmod($ca_pem_filename, 0600);
 echo "Certificates generated $ca_pem_filename\n";
+
+file_put_contents($ldapcert_pem_filename, $ldapcert_pem_content);
+chmod($ldapcert_pem_filename, 0600);
+echo "Certificates generated $ldapcert_pem_filename\n";
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
index 7836acffe7..f45a9d389d 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-ldap
@@ -4,7 +4,9 @@ ldap {
 {%     if helpers.exists('OPNsense.freeradius.ldap.server') and OPNsense.freeradius.ldap.server != '' %}
         server = '{{ OPNsense.freeradius.ldap.protocol }}://{{ OPNsense.freeradius.ldap.server }}'
 {%     endif %}
-
+{%     if helpers.exists('OPNsense.freeradius.ldap.serverport') and OPNsense.freeradius.ldap.serverport != '' %}
+        port = '{{ OPNsense.freeradius.ldap.serverport }}'
+{%     endif %}
 {%     if helpers.exists('OPNsense.freeradius.ldap.identity') and OPNsense.freeradius.ldap.identity != '' %}
         identity = '{{ OPNsense.freeradius.ldap.identity }}'
 {%     endif %}
@@ -146,7 +148,16 @@ ldap {
 
         }
         tls {
+	{%     if helpers.exists('OPNsense.freeradius.ldap.ldapstarttls') and OPNsense.freeradius.ldap.ldapstarttls == '1' %}
+                start_tls = yes
+        {%     else %}
+                start_tls = no
+        {%     endif %}
                 require_cert    = 'allow'
+        {%     if helpers.exists('OPNsense.freeradius.ldap.ldapcert') and OPNsense.freeradius.ldap.ldapcert != '' %}
+                certificate_file = ${certdir}/cert_ldap.pem
+                private_key_file = ${certdir}/cert_ldap.pem
+        {%     endif %}
         }
         pool {
                 start = ${thread[pool].start_servers}

From aadba7a7b9c3a624cd1aef3ca75e95563a6c018f Mon Sep 17 00:00:00 2001
From: clanto007 <44651109+clanto007@users.noreply.github.com>
Date: Tue, 27 Sep 2022 15:08:21 +0200
Subject: [PATCH 1181/3088] net/freeradius: add description for start and stop
 actions (#3118)

Add description for start and stop actions so it can be used in automations.
---
 .../src/opnsense/service/conf/actions.d/actions_freeradius.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf b/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
index ae633eb117..de1f3052d4 100644
--- a/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
+++ b/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
@@ -2,12 +2,14 @@
 command:/usr/local/opnsense/scripts/Freeradius/setup.sh;/usr/local/etc/rc.d/radiusd start
 parameters:
 type:script
+description:Start FreeRADIUS service
 message:starting FreeRADIUS
 
 [stop]
 command:/usr/local/etc/rc.d/radiusd stop; exit 0
 parameters:
 type:script
+description:Stop FreeRADIUS service
 message:stopping FreeRADIUS
 
 [restart]

From d9615e78e6a5c7d1bdc675290e0456901dbece01 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed, 28 Sep 2022 08:55:50 +0300
Subject: [PATCH 1182/3088] www/nginx: autoblock TTL (#3106)

---
 www/nginx/Makefile                             |  3 +--
 www/nginx/pkg-descr                            |  4 ++++
 .../OPNsense/Nginx/forms/settings.xml          |  7 +++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml    |  7 ++++++-
 .../opnsense/scripts/nginx/ngx_autoblock.php   | 18 ++++++++++++++----
 .../service/templates/OPNsense/Nginx/http.conf |  2 +-
 6 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 01ba76a22e..19196a7191 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.29
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.30
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 9b18e85d6d..eb92afd423 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.30
+
+* add support for autoblock TTL
+
 1.29
 
 * fixed a typo in the trusted tls fingerprints db creation part of setup.php
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
index 08a0a8716a..4da550ab12 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
@@ -7,6 +7,13 @@
                 <type>checkbox</type>
                 <help>Enable configured services.</help>
             </field>
+            <field>
+                <id>nginx.general.ban_ttl</id>
+                <label>Autoblock TTL (minutes)</label>
+                <type>text</type>
+                <help>Set autoblock lifetime in minutes. Set to 0 for infinite.</help>
+                <advanced>true</advanced>
+            </field>
         </subtab>
         <subtab id="nginx-http-global" description="Global HTTP Settings">
              <field>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 48d2e18bf0..46cd6dbd32 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.28.0</version>
+  <version>1.30</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -8,6 +8,11 @@
         <default>0</default>
         <Required>Y</Required>
       </enabled>
+      <ban_ttl type="IntegerField">
+        <default>0</default>
+        <MinimumValue>0</MinimumValue>
+        <Required>Y</Required>
+      </ban_ttl>
     </general>
 
     <webgui>
diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
index dd953087f7..cd13ead9f3 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
@@ -259,8 +259,19 @@ function cleanup_work_files($work_files)
     // Reading stored banned IPs from config
     $model = new Nginx();
     $alias_ips = [];
-    foreach ($model->ban->iterateItems() as $entry) {
-        $alias_ips[] = (string)$entry->ip;
+    $ban_ttl = intval((string)$model->general->ban_ttl);
+    if ($ban_ttl && ($ban_ttl > 0)) {
+        $min_timestamp = time() - 60*$ban_ttl;
+    }
+    $change_required = false;
+    foreach ($model->ban->iterateItems() as $id => $entry) {
+        if ($min_timestamp && (intval((string)$entry->time) < $min_timestamp)) {
+            // Delete expired records from config
+            $model->ban->Del($id);
+            $change_required = true;
+        } else {
+            $alias_ips[] = (string)$entry->ip;
+        }
     }
 
     // Collecting all new IPs from ban file not yet in $alias_ips.
@@ -284,8 +295,7 @@ function cleanup_work_files($work_files)
     })();
 
     // Transfering new IPs into $alias_ips and store them permanently.
-    $new_and_alias_ips = (function () use ($model, $new_ips, $alias_ips) {
-        $change_required = false;
+    $new_and_alias_ips = (function () use ($model, $new_ips, $alias_ips, $change_required) {
 
         foreach ($new_ips as $new_ip) {
             $alias_ips[] = $new_ip;
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index b7655a0542..6a17cb554e 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -248,7 +248,7 @@ server {
 {% endif %}
 {% if server.disable_bot_protection is not defined or server.disable_bot_protection != '1' %}
     # block based on User Agents - stuff I have found over the years in my server log
-    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|ltx71|zgrab|Ronin/2.0|Hakai/2.0) {
+    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0) {
       return 418;
     }
     {# MSIE 7 cannot be blocked - used for compatibility mode - https://blogs.msdn.microsoft.com/ieinternals/2013/09/21/internet-explorer-11s-many-user-agent-strings/ #}

From b1a603d2e3f08acf685a82c92aea1f91b05ecf2e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Oct 2022 09:34:55 +0200
Subject: [PATCH 1183/3088] dns/ddclient: repackage as 1.9

---
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 7 +++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 235e0b751e..a97dd66e2a 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.9
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 677610b207..b0066cde8d 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,14 +6,17 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.9
+
+* Add icanhazip.com as a checkip provider
+* Allow % characters in usernames
+
 1.8
 
 * Add a force action available via cron
 * Fix expected permission on ddclient.conf
 * Make service status and stop more reliable
 * Time out checkip script after 10 seconds
-* allow % characters in usernames (rev 2)
-* add icanhazip.com as a checkip provider (rev 3)
 
 1.7
 

From c53553ba697559ff67846dde9ce2b7102739c01d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Oct 2022 09:36:21 +0200
Subject: [PATCH 1184/3088] net/freeradius: cleanup

---
 .../opnsense/service/conf/actions.d/actions_freeradius.conf   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf b/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
index de1f3052d4..526e7ce5bd 100644
--- a/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
+++ b/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
@@ -6,7 +6,7 @@ description:Start FreeRADIUS service
 message:starting FreeRADIUS
 
 [stop]
-command:/usr/local/etc/rc.d/radiusd stop; exit 0
+command:/usr/local/etc/rc.d/radiusd stop
 parameters:
 type:script
 description:Stop FreeRADIUS service
@@ -20,7 +20,7 @@ description:Restart FreeRADIUS service
 message:restarting FreeRADIUS
 
 [status]
-command:/usr/local/etc/rc.d/radiusd status;exit 0
+command:/usr/local/etc/rc.d/radiusd status; exit 0
 parameters:
 type:script_output
 message:request FreeRADIUS status

From ed7a4d8205215c8302cde75d11c3679dedcc5ad8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Oct 2022 09:38:56 +0200
Subject: [PATCH 1185/3088] net/frr: make new version

---
 net/frr/Makefile  | 2 +-
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 4e59d97dff..f623b151bd 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.30
+PLUGIN_VERSION=		1.31
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 3346819b25..51c8c767f1 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.31
+
+* Set no bgp default ipv4-unicast (contributed by vnxme)
+
 1.30
 
 * Allow specifying multiple PrefixLists and CommunityLists (contributed by Patrik Kernstock)

From 48549df9cb2613e4c1467ac45e6ab3979caedae8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Oct 2022 09:43:45 +0200
Subject: [PATCH 1186/3088] dns/ddclient: complete notes

---
 dns/ddclient/pkg-descr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index b0066cde8d..5ae4c86f76 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -8,7 +8,8 @@ Plugin Changelog
 
 1.9
 
-* Add icanhazip.com as a checkip provider
+* Add icanhazip.com as a checkip provider (contributed by Matt Parnell)
+* Configurable checkip (contributed by Christian Schulze)
 * Allow % characters in usernames
 
 1.8

From 6e94bd8709d3a4d2b7d6eff11de65ce095659f9f Mon Sep 17 00:00:00 2001
From: Awalon <awalon@users.noreply.github.com>
Date: Tue, 11 Oct 2022 13:55:30 +0200
Subject: [PATCH 1187/3088] acme.sh: Support for public DNS checks (remove
 --dnssleep option on 0s) (#3079)

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml          | 6 ++++--
 .../app/library/OPNsense/AcmeClient/LeValidation/Base.php   | 4 +++-
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 4 ++--
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 890240560d..ad1d54aae1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -126,9 +126,11 @@
     </field>
     <field>
         <id>validation.dns_sleep</id>
-        <label>Sleep Time</label>
+        <label>DNS Sleep Time</label>
         <type>text</type>
-        <help>The time in seconds to wait for all the TXT records to take effect after adding them to the DNS API. Defaults to 120 seconds.</help>
+        <help>The time in seconds to wait for all the TXT records to take effect after adding them to the DNS API. Defaults to 120 seconds.
+            For public DNS validation each 10 seconds up to 20 minutes, instead of fixed DNS sleep time set value to 0.</help>
+        <hint>0 for public DNS check or 1-84600s</hint>
     </field>
     <field>
         <label>Active24</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index c0289569eb..b516343d67 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -80,7 +80,9 @@ public function init(string $certid, string $accountuuid, bool $certecc = false)
         switch ((string)$this->config->method) {
             case 'dns01':
                 $this->acme_args[] = LeUtils::execSafe('--dns %s', (string)$this->config->dns_service);
-                $this->acme_args[] = LeUtils::execSafe('--dnssleep %s', (string)$this->config->dns_sleep);
+                if (! (string)$this->config->dns_sleep == '0') {
+                    $this->acme_args[] = LeUtils::execSafe('--dnssleep %s', (string)$this->config->dns_sleep);
+                }
                 break;
             case 'http01':
                 $this->acme_args[] = '--webroot ' . self::ACME_WEBROOT;
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 5fd41ff307..4222cc253b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -505,10 +505,10 @@
                     </OptionValues>
                 </dns_service>
                 <dns_sleep type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
+                    <MinimumValue>0</MinimumValue>
                     <MaximumValue>84600</MaximumValue>
                     <default>120</default>
-                    <ValidationMessage>Please specify a value between 1 and 84600.</ValidationMessage>
+                    <ValidationMessage>Please specify a value between 0 and 84600 seconds.</ValidationMessage>
                     <Required>Y</Required>
                 </dns_sleep>
                 <dns_active24_token type="TextField">

From cdf36209723c2ec1ae5f4cddae24420b3ca6bb92 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 12 Oct 2022 09:15:10 +0200
Subject: [PATCH 1188/3088] security/maltrail: add hostheader checking (#3144)

---
 security/maltrail/Makefile                                  | 3 +--
 security/maltrail/pkg-descr                                 | 4 ++++
 .../mvc/app/controllers/OPNsense/Maltrail/forms/general.xml | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Maltrail/General.xml   | 6 +++++-
 .../service/templates/OPNsense/Maltrail/maltrail.conf       | 5 +++++
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index 051a29b993..c13f207fed 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		maltrail
-PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index ffaec161d9..42506909e9 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -11,6 +11,10 @@ WWW: https://github.com/stamparm/maltrail
 Changelog
 ---------
 
+1.10
+
+* Add CHECK_HOST_DOMAINS option
+
 1.9
 
 * Remove MFS support for /var/log/
diff --git a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/general.xml b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/general.xml
index 93f644561e..317840e712 100644
--- a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/general.xml
+++ b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/general.xml
@@ -5,6 +5,12 @@
         <type>checkbox</type>
         <help>Whether to enable or disable the usage or heuristic detection.</help>
     </field>
+    <field>
+        <id>general.checkhostheader</id>
+        <label>Check Hostheaders</label>
+        <type>checkbox</type>
+        <help>Check values in Host header (along with standard non-HTTP checks) for malicious DNS trails.</help>
+    </field>
     <field>
         <id>general.updateperiod</id>
         <label>Update Period</label>
diff --git a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/General.xml b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/General.xml
index 4fbcc3cca4..4d21fc9b7e 100644
--- a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/General.xml
+++ b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/General.xml
@@ -1,12 +1,16 @@
 <model>
     <mount>//OPNsense/maltrail/general</mount>
     <description>Maltrail general configuration</description>
-    <version>0.0.1</version>
+    <version>0.0.2</version>
     <items>
         <heuristics type="BooleanField">
             <default>1</default>
             <Required>Y</Required>
         </heuristics>
+        <checkhostheader type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </checkhostheader>
         <updateperiod type="IntegerField">
             <default>86400</default>
             <Required>Y</Required>
diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index 5e107c94ca..fcd0dd1026 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -48,6 +48,11 @@ USE_HEURISTICS true
 {% else %}
 USE_HEURISTICS false
 {% endif %}
+{% if helpers.exists('OPNsense.maltrail.general.checkhostheader') and OPNsense.maltrail.general.checkhostheader == '1' %}
+CHECK_HOST_DOMAINS true
+{% else %}
+CHECK_HOST_DOMAINS false
+{% endif %}
 CHECK_MISSING_HOST false
 {% if helpers.exists('OPNsense.maltrail.general.whitelist') and OPNsense.maltrail.general.whitelist != '' %}
 USER_WHITELIST /usr/local/share/maltrail/misc/user_whitelist.txt

From 582273aadfcc18fdf5889c3774ffab08c73fbe6e Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Wed, 12 Oct 2022 09:29:12 +0100
Subject: [PATCH 1189/3088] net/frr: Small GUI fixes (#3111)

---
 .../controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml | 2 +-
 .../OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml     | 2 +-
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml           | 2 +-
 .../OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml          | 4 ++--
 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt   | 2 +-
 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt  | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
index f68295e77d..c975900739 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
@@ -20,7 +20,7 @@
   <field>
     <id>aspath.action</id>
     <label>Action</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
     <help>Set permit for match or deny to negate the rule.</help>
   </field>
   <field>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
index a2755510a8..9ae82c54d3 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
@@ -26,7 +26,7 @@
   <field>
     <id>communitylist.action</id>
     <label>Action</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
     <help>Set permit for match or deny to negate the rule.</help>
   </field>
   <field>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 19f13cca10..5ea35585fa 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -46,7 +46,7 @@
   <field>
     <id>neighbor.updatesource</id>
     <label>Update-Source Interface</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
     <help><![CDATA[Physical name of the IPv4 interface facing the peer. Please refer to the <a href="http://docs.frrouting.org/en/stable-7.4/bgp.html#clicmd-[no]neighborPEERupdate-source%3CIFNAME|ADDRESS%3E">FRR documentation</a> for more information.]]></help>
   </field>
   <field>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
index 8922641212..8fd721533c 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
@@ -15,12 +15,12 @@
     <id>routemap.name</id>
     <label>Name</label>
     <type>text</type>
-    <help>Route-map name to match and set your patterns, it will be enabled via the neigbor configuration.</help>
+    <help>Route-map name to match and set your patterns, it will be enabled via the neighbor configuration.</help>
   </field>
   <field>
     <id>routemap.action</id>
     <label>Action</label>
-    <type>select_multiple</type>
+    <type>dropdown</type>
     <help>Set permit for match or deny to negate the rule.</help>
   </field>
   <field>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 461ea62a71..6fe6af7acf 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -110,7 +110,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Name') }}</th>
                     <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Secquence Number') }}</th>
+                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Sequence Number') }}</th>
                     <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
                     <th data-column-id="network" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Network') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 9a25d49132..b68db50c83 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -107,7 +107,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Secquence Number') }}</th>
+                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Sequence Number') }}</th>
                     <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
                     <th data-column-id="network" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Network') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>

From 4a2a3cf5de23cca28f6f16508b92372f307f9051 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Wed, 12 Oct 2022 09:30:38 +0100
Subject: [PATCH 1190/3088] Increase artifical BGP GUI id limits (#3110)

---
 .../OPNsense/Quagga/forms/dialogEditBGPASPath.xml    |  4 ++--
 .../Quagga/forms/dialogEditBGPCommunityLists.xml     |  2 +-
 .../Quagga/forms/dialogEditBGPPrefixLists.xml        |  4 ++--
 .../OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml |  2 +-
 .../opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml  | 12 ++++++------
 5 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
index c975900739..50fc88cc2e 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
@@ -3,7 +3,7 @@
     <id>aspath.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
-    <help>Enable / Disable</help>
+    <help>If this AS-Path list should be enabled.</help>
   </field>
   <field>
     <id>aspath.description</id>
@@ -15,7 +15,7 @@
     <id>aspath.number</id>
     <label>Number</label>
     <type>text</type>
-    <help>The ACL rule number (10-99); keep in mind that there are no sequence numbers with AS-Path lists. When you want to add a new line between you have to completely remove the ACL!</help>
+    <help>The ACL rule number (0-4294967294); keep in mind that there are no sequence numbers with AS-Path lists. When you want to add a new line between you have to completely remove the ACL!</help>
   </field>
   <field>
     <id>aspath.action</id>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
index 9ae82c54d3..ad1e86dcb3 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
@@ -15,7 +15,7 @@
     <id>communitylist.number</id>
     <label>Number</label>
     <type>text</type>
-    <help>Set the number of your Community-List. 1-99 are stardard lists while 100-500 are expanded lists.</help>
+    <help>Set the number of your Community-List. 1-99 are standard lists while 100-500 are expanded lists.</help>
   </field>
   <field>
     <id>communitylist.seqnumber</id>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
index da50945980..2a7def2682 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
@@ -3,7 +3,7 @@
     <id>prefixlist.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
-    <help>Enable / Disable</help>
+    <help>If this Prefix-List should be enabled.</help>
   </field>
     <field>
     <id>prefixlist.description</id>
@@ -27,7 +27,7 @@
     <id>prefixlist.seqnumber</id>
     <label>Number</label>
     <type>text</type>
-    <help>The ACL sequence number (10-10000)</help>
+    <help>The ACL sequence number (1-4294967294)</help>
   </field>
   <field>
     <id>prefixlist.action</id>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
index 8fd721533c..59ebcb6004 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
@@ -27,7 +27,7 @@
     <id>routemap.id</id>
     <label>ID</label>
     <type>text</type>
-    <help>Route-map ID between 10 and 99. Be aware that the sorting will be done under the hood, so when you add an entry between it get's to the right position</help>
+    <help>Route-map ID between 1 and 65535. Be aware that the sorting will be done under the hood, so when you add an entry between it get's to the right position</help>
   </field>
   <field>
     <id>routemap.match</id>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index ca83bc01e3..a061277bd2 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -205,8 +205,8 @@
                         <number type="IntegerField">
                                 <default></default>
                                 <Required>Y</Required>
-                                <MinimumValue>10</MinimumValue>
-                                <MaximumValue>99</MaximumValue>
+                                <MinimumValue>0</MinimumValue>
+                                <MaximumValue>4294967295</MaximumValue>
                         </number>
                         <action type="OptionField">
                                 <default></default>
@@ -249,8 +249,8 @@
                         <seqnumber type="IntegerField">
                                 <default></default>
                                 <Required>Y</Required>
-                                <MinimumValue>10</MinimumValue>
-                                <MaximumValue>10000</MaximumValue>
+                                <MinimumValue>1</MinimumValue>
+                                <MaximumValue>4294967294</MaximumValue>
                         </seqnumber>
                         <action type="OptionField">
                                 <default></default>
@@ -330,8 +330,8 @@
                         <id type="IntegerField">
                                 <default></default>
                                 <Required>Y</Required>
-                                <MinimumValue>10</MinimumValue>
-                                <MaximumValue>99</MaximumValue>
+                                <MinimumValue>1</MinimumValue>
+                                <MaximumValue>65535</MaximumValue>
                         </id>
                         <match type="ModelRelationField">
                                 <Model>

From 3e0372e05bc0f46765cc3089d59117973035604f Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Wed, 12 Oct 2022 10:38:19 +0100
Subject: [PATCH 1191/3088] net/frr: Added BGP Network Import-Check (#3109)

---
 .../mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml | 11 +++++++++--
 .../opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml   |  6 +++++-
 .../service/templates/OPNsense/Quagga/bgpd.conf       |  5 +++++
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index d3bc6cca5d..d759166c5c 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -31,13 +31,20 @@
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Select the network to advertise, you have to set a Null route via System -> Routes</help>
+        <help>Defines which networks, which are connected to this router, will be advertised over BGP. To announce all defined networks, Network Import-Check can be disabled in advanced settings if required.</help>
+    </field>
+    <field>
+        <id>bgp.networkimportcheck</id>
+        <label>Network Import-Check</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>When enabled (default), BGP only announces networks set at 'Network' if they are present in the routers routing table (alternatively, you can also set a null-route via System -> Routes). If disabled, all configured networks will be announced.</help>
     </field>
     <field>
         <id>bgp.redistribute</id>
         <label>Route Redistribution</label>
         <type>select_multiple</type>
-        <help><![CDATA[Select other routing sources, which should be redistributed to the other nodes.]]></help>
+        <help>Select other routing sources, which should be redistributed to the other nodes.</help>
         <hint>Type or select a route source.</hint>
     </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index a061277bd2..dd4697d3e7 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bgp</mount>
     <description>BGP Routing configuration</description>
-    <version>1.0.6</version>
+    <version>1.0.7</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -21,6 +21,10 @@
             <default>0</default>
             <Required>Y</Required>
         </graceful>
+        <networkimportcheck type="BooleanField">
+            <default>1</default>
+            <Required>Y</Required>
+        </networkimportcheck>
         <networks type="CSVListField">
             <default></default>
             <Required>N</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index c2066e0f95..5c0f7e773e 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -45,6 +45,11 @@ frr defaults {{ OPNsense.quagga.general.profile }}
 router bgp {{ OPNsense.quagga.bgp.asnumber }}
  no bgp default ipv4-unicast
  no bgp ebgp-requires-policy
+{%   if helpers.exists('OPNsense.quagga.bgp.networkimportcheck') and OPNsense.quagga.bgp.networkimportcheck == '1' %}
+ bgp network import-check
+{%   else %}
+ no bgp network import-check
+{%   endif %}
 {%   if helpers.exists('OPNsense.quagga.bgp.graceful') and OPNsense.quagga.bgp.graceful == '1' %}
  bgp graceful-restart
 {%   endif %}

From 1a9b9a42128294638bd87e7950637dff3cef60e2 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Wed, 12 Oct 2022 12:32:20 +0100
Subject: [PATCH 1192/3088] net/wireguard: Late Spring Cleaning (#3116)

---
 .../Wireguard/Api/ClientController.php        |  5 +++++
 .../Wireguard/Api/ServerController.php        | 12 ++++++++++-
 .../forms/dialogEditWireguardClient.xml       |  6 +++---
 .../forms/dialogEditWireguardServer.xml       |  6 +++---
 .../app/views/OPNsense/Wireguard/general.volt | 21 +++++++++++++------
 5 files changed, 37 insertions(+), 13 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
index 3ebd24dfd6..ae7d84660d 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
@@ -41,23 +41,28 @@ public function searchClientAction()
     {
         return $this->searchBase('clients.client', array("enabled", "name", "pubkey", "tunneladdress", "serveraddress", "serverport"));
     }
+
     public function getClientAction($uuid = null)
     {
         $this->sessionClose();
         return $this->getBase('client', 'clients.client', $uuid);
     }
+
     public function addClientAction()
     {
         return $this->addBase('client', 'clients.client');
     }
+
     public function delClientAction($uuid)
     {
         return $this->delBase('clients.client', $uuid);
     }
+
     public function setClientAction($uuid)
     {
         return $this->setBase('client', 'clients.client', $uuid);
     }
+
     public function toggleClientAction($uuid)
     {
         return $this->toggleBase('clients.client', $uuid);
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
index 78e653c9e7..5bf57767a9 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
@@ -38,13 +38,20 @@ class ServerController extends ApiMutableModelControllerBase
 
     public function searchServerAction()
     {
-        return $this->searchBase('servers.server', array("enabled", "name", "networks", "pubkey", "port", "tunneladdress"));
+        $search = $this->searchBase('servers.server', array("enabled", "instance", "peers", "name", "networks", "pubkey", "port", "tunneladdress"));
+        // prepend "wg" to all instance IDs to use as interface name
+        foreach ($search["rows"] as $key => $server) {
+            $search["rows"][$key]["interface"] = "wg" . $server["instance"];
+        }
+        return $search;
     }
+
     public function getServerAction($uuid = null)
     {
         $this->sessionClose();
         return $this->getBase('server', 'servers.server', $uuid);
     }
+
     public function addServerAction($uuid = null)
     {
         if ($this->request->isPost() && $this->request->hasPost("server")) {
@@ -66,10 +73,12 @@ public function addServerAction($uuid = null)
         }
         return array("result" => "failed");
     }
+
     public function delServerAction($uuid)
     {
         return $this->delBase('servers.server', $uuid);
     }
+
     public function setServerAction($uuid = null)
     {
         if ($this->request->isPost() && $this->request->hasPost("server")) {
@@ -91,6 +100,7 @@ public function setServerAction($uuid = null)
         }
         return array("result" => "failed");
     }
+
     public function toggleServerAction($uuid)
     {
         return $this->toggleBase('servers.server', $uuid);
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
index 7cfca02ce0..231e9c692a 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
@@ -21,7 +21,7 @@
         <id>client.psk</id>
         <label>Shared Secret</label>
         <type>text</type>
-        <help>Shared secret (PSK) for this peer.</help>
+        <help>Shared secret (PSK) for this peer. You can generate a key using "wg genpsk" on a client with WireGuard installed.</help>
     </field>
     <field>
         <id>client.tunneladdress</id>
@@ -45,8 +45,8 @@
     </field>
     <field>
         <id>client.keepalive</id>
-        <label>Keepalive</label>
+        <label>Keepalive Interval</label>
         <type>text</type>
-        <help>Set persistent keepalive interval.</help>
+        <help>Set persistent keepalive interval in seconds.</help>
     </field>
 </form>
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
index 3667908a88..eff1f9504c 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
@@ -15,19 +15,19 @@
         <id>server.instance</id>
         <label>Instance</label>
         <type>info</type>
-        <help>Set the instance number needed for interface calculation. It has to be unique for each instance.</help>
+        <help>This is the instance number to give the wg interface a unique name (wgX).</help>
     </field>
     <field>
         <id>server.pubkey</id>
         <label>Public Key</label>
         <type>text</type>
-        <help>Public key of this instance. After saving you will see here your public key.</help>
+        <help>Public key of this instance. You can specify your own one, or a key will be generated after saving.</help>
     </field>
     <field>
         <id>server.privkey</id>
         <label>Private Key</label>
         <type>text</type>
-        <help>Private key of this instance. After saving you will see here your private key, please keep it safe.</help>
+        <help>Private key of this instance. You can specify your own one, or a key will be generated after saving. Please keep this key safe.</help>
     </field>
     <field>
         <id>server.port</id>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
index 60c1c6c390..8b0accd2d6 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -30,7 +30,7 @@
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#servers">{{ lang._('Local') }}</a></li>
     <li><a data-toggle="tab" href="#clients">{{ lang._('Endpoints') }}</a></li>
-    <li><a data-toggle="tab" href="#showconf">{{ lang._('List Configuration') }}</a></li>
+    <li><a data-toggle="tab" href="#showconf">{{ lang._('Status') }}</a></li>
     <li><a data-toggle="tab" href="#showhandshake">{{ lang._('Handshakes') }}</a></li>
 </ul>
 
@@ -51,6 +51,7 @@
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
                     <th data-column-id="serveraddress" data-type="string" data-visible="true">{{ lang._('Endpoint Address') }}</th>
+                    <th data-column-id="serverport" data-type="string" data-visible="true">{{ lang._('Endpoint Port') }}</th>
                     <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Allowed IPs') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
@@ -60,7 +61,7 @@
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td colspan="6"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
                     </td>
@@ -79,8 +80,10 @@
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="port" data-type="string" data-visible="true">{{ lang._('Port') }}</th>
+                    <th data-column-id="interface" data-type="string" data-visible="true">{{ lang._('Interface') }}</th>
                     <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Tunnel Address') }}</th>
+                    <th data-column-id="port" data-type="string" data-visible="true">{{ lang._('Port') }}</th>
+                    <th data-column-id="peers" data-type="string" data-visible="true">{{ lang._('Endpoints') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -89,7 +92,7 @@
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td colspan="7"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
                     </td>
@@ -136,7 +139,8 @@ $( document ).ready(function() {
     });
 
     $("#grid-clients").UIBootgrid(
-        {   'search':'/api/wireguard/client/searchClient',
+        {
+            'search':'/api/wireguard/client/searchClient',
             'get':'/api/wireguard/client/getClient/',
             'set':'/api/wireguard/client/setClient/',
             'add':'/api/wireguard/client/addClient/',
@@ -146,7 +150,8 @@ $( document ).ready(function() {
     );
 
     $("#grid-servers").UIBootgrid(
-        {   'search':'/api/wireguard/server/searchServer',
+        {
+            'search':'/api/wireguard/server/searchServer',
             'get':'/api/wireguard/server/getServer/',
             'set':'/api/wireguard/server/setServer/',
             'add':'/api/wireguard/server/addServer/',
@@ -155,6 +160,10 @@ $( document ).ready(function() {
         }
     );
 
+    // Call update funcs once when page loaded
+    update_showconf();
+    update_showhandshake();
+
     // Call function update_neighbor with a auto-refresh of 5 seconds
     setInterval(update_showconf, 5000);
     setInterval(update_showhandshake, 5000);

From 2c99d4a687095d0b461eb124b153d7a67f024888 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 14 Oct 2022 12:00:15 +0200
Subject: [PATCH 1193/3088] net/haproxy: do not call crl_update()

PR: https://forum.opnsense.org/index.php?topic=30672.0
---
 net/haproxy/Makefile                                             | 1 +
 .../src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php        | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index d5690280ef..0c4fd723e9 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		3.11
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy24
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index b28a84ecd4..0dfa7bd262 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -71,7 +71,6 @@
                                         // CRLs require special export
                                         if ($type == 'crl') {
                                             $crl =& lookup_crl($cert_refid);
-                                            crl_update($crl);
                                             $pem_content = base64_decode($crl['text']);
                                         } else {
                                             $pem_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));

From f8aaa97b722b75659004f7d44faefe74f1bdab74 Mon Sep 17 00:00:00 2001
From: JeWe37 <jewe37@gmail.com>
Date: Sat, 15 Oct 2022 17:28:00 +0200
Subject: [PATCH 1194/3088] security/openconnect: Allow further characters in
 group name (#3160)

---
 security/openconnect/Makefile                                 | 2 +-
 security/openconnect/pkg-descr                                | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Openconnect/General.xml  | 4 ++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index 70252a6aa7..019eac53ba 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.4.2
+PLUGIN_VERSION=		1.4.3
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index b437df097e..192eda9330 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -6,6 +6,10 @@ the Juniper SSL VPN which is now known as Pulse Connect Secure.
 Plugin Changelog
 ================
 
+1.4.3
+
+* Permit additional characters in group name
+
 1.4.2
 
 * Allow usernames up to 64 characters
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index 75b33b5e04..033edd54c2 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -40,8 +40,8 @@
         </hash>
         <group type="TextField">
             <Required>N</Required>
-            <mask>/^[a-zA-Z0-9._-]{1,64}$/</mask>
-            <ValidationMessage>Please provide a valid group name. Allowed characters are a-zA-Z0-9._- and it has to be 1-64 characters long.</ValidationMessage>
+            <mask>/^[() a-zA-Z0-9._-]{1,64}$/</mask>
+            <ValidationMessage>Please provide a valid group name. Allowed are at most 64 characters from a-zA-Z0-9._-() and space.</ValidationMessage>
         </group>
         <clientcertificate type="CertificateField">
             <Type>cert</Type>

From ea4fdeb57e4b926d9a741981e355585e9711f80f Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Sun, 16 Oct 2022 14:31:24 +0100
Subject: [PATCH 1195/3088] net/wireguard: Reworked widget (#3117)

---
 .../Wireguard/Api/GeneralController.php       | 92 ++++++++++++++++++
 .../www/widgets/widgets/wireguard.widget.php  | 97 +++++++++++++------
 2 files changed, 162 insertions(+), 27 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
index da33e0f57f..ba5caabc5b 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
@@ -2,6 +2,7 @@
 
 /**
  *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ *    Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
  *
  *    All rights reserved.
  *
@@ -31,9 +32,100 @@
 namespace OPNsense\Wireguard\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+use OPNsense\Core\Backend;
 
 class GeneralController extends ApiMutableModelControllerBase
 {
     protected static $internalModelClass = '\OPNsense\Wireguard\General';
     protected static $internalModelName = 'general';
+
+    public function getStatusAction()
+    {
+        // get wireguard configuration
+        $config = Config::getInstance()->object();
+        $config = $config->OPNsense->wireguard;
+
+        // craft peers array
+        $peers = [];
+        $peers_uuid_pubkey = [];
+        // enabled, name, pubkey
+        foreach ($config->client->clients->client as $client) {
+            $peerUuid = (string)$client->attributes()['uuid'];
+            $peers_uuid_pubkey[$peerUuid] = (string) $client->pubkey;
+            $peers[$peerUuid] = [
+                "name"      => (string)  $client->name,
+                "enabled"   => (integer) $client->enabled,
+                "publicKey" => (string)  $client->pubkey,
+            ];
+        }
+
+        // prepare and initialize the server array
+        $status = [];
+        $peer_pubkey_reference = [];
+        foreach ($config->server->servers->server as $server) {
+            if ($server->enabled != "1") continue;
+
+            // build basic server array
+            $interface = "wg".$server->instance;
+            $status[$interface] = [
+                "instance"  => (integer) $server->instance,
+                "interface" => (string)  $interface,
+                "enabled"   => (integer) $server->enabled,
+                "name"      => (string)  $server->name,
+                "peers"     => [],
+            ];
+
+            // parse and add peers with initial values to array
+            if (strlen($server->peers) > 0) {
+                // there is at least one peer defined
+                $serverPeers = explode(",", (string) $server->peers);
+                // iteriate over each peer uuid
+                foreach ($serverPeers as $peerUuid) {
+                    // remember interface and pubkey <> peer-uuid reference for referencing handshake logic below
+                    $peer_pubkey_reference[$interface][$peers_uuid_pubkey[$peerUuid]] = $peerUuid;
+                    // merge peer info and initial values for handshake data
+                    $status[$interface]["peers"][$peerUuid] = array_merge(
+                        $peers[$peerUuid],
+                        [
+                            "lastHandshake" => "0000-00-00 00:00:00+00:00",
+                        ]);
+                }
+            }
+        }
+
+        // Get latest handshakes by running CLI command locally
+        $data = (new Backend())->configdRun("wireguard showhandshake");
+
+        // parse and set handshake to status datastructure
+        $data = trim($data);
+        if (strlen($data) !== 0) {
+            $wgHandshakes = explode("\n", $data);
+            foreach ($wgHandshakes as $handshake) {
+                $item = explode("\t", trim($handshake));
+
+                // set interface name and publickey
+                $interface = trim($item[0]);
+                $pubkey = trim($item[1]);
+
+                // calculate handshake time based on local timezone
+                $epoch = $item[2];
+                if ($epoch > 0) {
+                    $dt = new \DateTime("@$epoch");
+                    $dt->setTimezone(new \DateTimeZone(date_default_timezone_get()));
+                    $latest = $dt->format("Y-m-d H:i:sP");
+
+                    // set handshake
+                    $peerUuid = $peer_pubkey_reference[$interface][$pubkey];
+                    if (!empty($peerUuid)) {
+                        $status[$interface]["peers"][$peerUuid]["lastHandshake"] = $latest;
+                    }
+                }
+            }
+        }
+
+        return [
+            "items" => $status
+        ];
+    }
 }
diff --git a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
index 792743af99..2821332162 100644
--- a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
+++ b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
@@ -3,6 +3,7 @@
 /*
  * Copyright (C) 2020 Deciso B.V.
  * Copyright (C) 2020 D. Domig
+ * Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30,50 +31,92 @@
 require_once("guiconfig.inc");
 require_once("widgets/include/wireguard.inc");
 
-$data = trim(configd_run('wireguard showhandshake'));
+$enabled = ($config["OPNsense"]["wireguard"]["general"]["enabled"] === "1" ? true : false);
 
-$empty = strlen($data) == 0;
 ?>
 
 <table class="table table-striped table-condensed">
     <thead>
         <tr>
+            <th><?= gettext("Name") ?></th>
             <th><?= gettext("Interface") ?></th>
             <th><?= gettext("Endpoint") ?></th>
+            <th><?= gettext("Public Key") ?></th>
             <th><?= gettext("Latest Handshake") ?></th>
         </tr>
     </thead>
-    <tbody>
+    <tbody id="wg-table-tbody">
 
-<?php if (!$empty):
-    $handshakes = explode("\n", $data);
+    <?php if (!$enabled): ?>
+    <tr>
+        <td colspan="5"><?= gettext("No WireGuard instance defined or enabled.") ?></td>
+    </tr>
+    <?php endif; ?>
 
-    foreach ($handshakes as $handshake):
-        $item = explode("\t", $handshake);
+    </tbody>
+</table>
 
-        $epoch = $item[2];
-        $latest = "-";
-        if ($epoch > 0):
-            $dt = new DateTime("@$epoch");
-            $dt->setTimezone(new DateTimeZone(date_default_timezone_get()));
-            $latest = $dt->format(gettext("Y-m-d H:i:sP"));
-        endif; ?>
+<script>
+$(window).on("load", function() {
+    function wgGenerateRow(name, interface, peerName, publicKey, latestHandshake, status)
+    {
+        publicKeyShort = publicKey.slice(0, 19) + '...';
 
-    <tr>
-        <td><?= $item[0] ?></td>
-        <td><?= gettext(substr($item[1], 0, 10)) ?>...</td>
-        <td><?= $latest ?></td>
-    </tr>
+        var tr = ''
+        +'<tr>'
+        +'    <td>' + name + '</td>'
+        +'    <td>' + interface + '</td>'
+        +'    <td>' + peerName  + '</td>'
+        +'    <td title="' + publicKey + '">' + publicKeyShort  + '</td>'
+        +'    <td>' + latestHandshake + '</td>'
+        +'</tr>';
 
-    <?php endforeach; ?>
+        return tr;
+    }
 
-<?php else: ?>
+    function wgUpdateStatusIf(obj)
+    {
+        // check if at least one peer is set. If not, ignore it.
+        if (Object.keys(obj.peers).length == 0) {
+            return '';
+        }
 
-    <tr>
-        <td colspan="3"><?= gettext("No WireGuard instance defined or enabled.") ?></td>
-    </tr>
+        // generate row based on data
+        row = '';
+        for (var peerId in obj.peers) {
+            var peer = obj.peers[peerId];
 
-<?php endif; ?>
+            // generate table row
+            row += wgGenerateRow(
+                obj.name,
+                obj.interface,
+                peer.name,
+                peer.publicKey,
+                peer.lastHandshake,
+                status
+            );
+        }
 
-    </tbody>
-</table>
+        return row;
+    }
+
+    function wgUpdateStatus()
+    {
+        var table = '';
+        ajaxGet("/api/wireguard/general/getStatus", {}, function(data, status) {
+            if (status === 'success') {
+                for (var interface in data.items) {
+                    table += wgUpdateStatusIf(data.items[interface]);
+                }
+            }
+            // update table accordingly
+            document.getElementById("wg-table-tbody").innerHTML = table;
+            setTimeout(wgUpdateStatus, 10000);
+        });
+    };
+
+    <?php if ($enabled): ?>
+    wgUpdateStatus();
+    <?php endif; ?>
+});
+</script>

From 76dc5e9b597195511b779e8c660f6512dd6e12fd Mon Sep 17 00:00:00 2001
From: agh1467 <7823088+agh1467@users.noreply.github.com>
Date: Tue, 18 Oct 2022 07:59:15 -0400
Subject: [PATCH 1196/3088] net/sslh: Initial plugin version (#2729)

This is to address the discussion about a plugin for sslh and resolves #1630.

* Includes setting listen addresses, and protocol targets.
* Includes some other advanced settings
* Service start/stop/restart control
---
 net/sslh/CHANGELOG.md                         |   6 +
 net/sslh/DEVELOPMENT.md                       | 171 ++++++++++++++++++
 net/sslh/Makefile                             |   8 +
 net/sslh/README.md                            |  69 +++++++
 net/sslh/pkg-descr                            |  19 ++
 net/sslh/src/etc/inc/plugins.inc.d/sslh.inc   |  69 +++++++
 .../OPNsense/Sslh/Api/ServiceController.php   |  77 ++++++++
 .../OPNsense/Sslh/Api/SettingsController.php  | 133 ++++++++++++++
 .../OPNsense/Sslh/SettingsController.php      |  64 +++++++
 .../OPNsense/Sslh/forms/settings.xml          | 101 +++++++++++
 .../mvc/app/models/OPNsense/Sslh/ACL/ACL.xml  |   9 +
 .../app/models/OPNsense/Sslh/Menu/Menu.xml    |   6 +
 .../mvc/app/models/OPNsense/Sslh/Settings.php |  43 +++++
 .../mvc/app/models/OPNsense/Sslh/Settings.xml |  66 +++++++
 .../mvc/app/views/OPNsense/Sslh/settings.volt |  76 ++++++++
 .../service/conf/actions.d/actions_sslh.conf  |  31 ++++
 .../service/templates/OPNsense/Sslh/+TARGETS  |   2 +
 .../templates/OPNsense/Sslh/sslh.conf.jinja   | 121 +++++++++++++
 .../templates/OPNsense/Sslh/sslh.jinja        |  11 ++
 19 files changed, 1082 insertions(+)
 create mode 100644 net/sslh/CHANGELOG.md
 create mode 100644 net/sslh/DEVELOPMENT.md
 create mode 100644 net/sslh/Makefile
 create mode 100644 net/sslh/README.md
 create mode 100644 net/sslh/pkg-descr
 create mode 100644 net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
 create mode 100644 net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/ServiceController.php
 create mode 100644 net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/SettingsController.php
 create mode 100644 net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php
 create mode 100644 net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/forms/settings.xml
 create mode 100644 net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/ACL/ACL.xml
 create mode 100644 net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Menu/Menu.xml
 create mode 100644 net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.php
 create mode 100644 net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
 create mode 100644 net/sslh/src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt
 create mode 100644 net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf
 create mode 100644 net/sslh/src/opnsense/service/templates/OPNsense/Sslh/+TARGETS
 create mode 100644 net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja
 create mode 100644 net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.jinja

diff --git a/net/sslh/CHANGELOG.md b/net/sslh/CHANGELOG.md
new file mode 100644
index 0000000000..617f3ca4f5
--- /dev/null
+++ b/net/sslh/CHANGELOG.md
@@ -0,0 +1,6 @@
+# 1.21c_1
+
+  * Initial Version
+  * Includes setting listen addresses, and protocol targets.
+  * Includes some other advanced settings
+  * Service start/stop/restart control
diff --git a/net/sslh/DEVELOPMENT.md b/net/sslh/DEVELOPMENT.md
new file mode 100644
index 0000000000..e0c34a2d68
--- /dev/null
+++ b/net/sslh/DEVELOPMENT.md
@@ -0,0 +1,171 @@
+# Development Notes
+
+The initial version of this plugin is going to cover only the most basic of settings. A first pass will include primarily the settings which are available through the command line, and included in documentation.
+
+## Configuration
+
+For configuration, this plugin utilizes the configuration file to set settings. It has more options, and parity for all settings at the command line that are needed to be used in OPNsense. I didn't want to go as far as manipulating the startup script's command execution to inject command line options.
+
+Most settings are available through the configuration file. A sample is provided through the FreeBSD ports installation:
+
+/usr/local/etc/sslh.conf.sample:
+```
+# This is a basic configuration file that should provide
+# sensible values for "standard" setup.
+
+verbose:         0;
+foreground:      false;
+inetd:           false;
+numeric:         false;
+transparent:     false;
+timeout:         2;
+user:            "nobody";
+pidfile:         "/var/run/sslh.pid";
+chroot:          "/var/empty";
+
+
+# Change hostname with your external address name.
+listen:
+(
+    { host: "thelonious"; port: "443"; }
+);
+
+protocols:
+(
+     { name: "ssh";     service: "ssh"; host: "localhost"; port: "22";        fork: true; },
+     { name: "openvpn";                 host: "localhost"; port: "1194"; },
+     { name: "xmpp";                    host: "localhost"; port: "5222"; },
+     { name: "http";                    host: "localhost"; port: "80"; },
+     { name: "tls";                     host: "localhost"; port: "443";       log_level: 0; },
+     { name: "anyprot";                 host: "localhost"; port: "443"; }
+);
+```
+
+Here is a table which maps the configurations to command line options, and includes the model data types, default values, and if a hint is defined.
+
+| Configuration Key  | Command line Option | Model Field Type | Field Default | Hint          |
+| ------------------ | ------------------- | ---------------- | ------------- | ------------- |
+| verbose            | -v, --verbose       | BooleanField     | N/A           |               |
+| foreground         | -f, --foreground    | N/A              | N/A           |               |
+| inetd              | -i, --inetd         | N/A              | N/A           |               |
+| numeric            | -n, --numeric       | BooleanField     | N/A           | 2             |
+| timeout            | -t, --timeout       | IntegerField     | N/A           |               |
+| user               | -u, --user          | N/A              | N/A           |               |
+| pidfile            | -P, --pidfile       | N/A              | N/A           |               |
+| chroot             | -C, --chroot        | N/A              | N/A           |               |
+| on_timeout         | --on-timeout        | OptionField      | ssh           |               |
+| listen             | -p, --listen        | CSVListField     | localhost:443 |               |
+| protocols          | --ssl, --tls<br>--ssh<br>--openvpn<br>--http<br>--xmpp<br>--tinc<br>--anyprot | TextField | N/A  | localhost:443<br>localhost:22<br>localhost:1194<br>localhost:80<br>localhost:5222<br>localhost:655 |
+
+Here are some non-configuration options which have representation in the model:
+
+| Model Node         | Model Field Type | Field Default | Hint          |
+| ------------------ | ---------------- | ------------- | ------------- |
+| mode               | OptionField      | fork          |               |
+
+Most settings have defaults set within the application itself, so setting defaults in the model would be redundant. Hints were provided where this occurred, and it happened that the HTML element supports a hint. The only settings with field defaults are the dropdown `OptionFields` which are set to required because selecting nothing for these would require some additional code in the Jinja template to accommodate a blank value. Since they're required, setting a default is best so the user doesn't have to interact with them. Especially since these fields are advanced and would be hidden.
+
+The configuration file has some functionality which isn't explained in the main documentation pages, but is included in some example configuration files (see `fork`, and `log_level` in sample above), and some in the source code. These settings are excluded for now, and need to be investigated further to see what OPNsense model data types would be best to use and how to visualize these settings in the UI.
+
+Some advanced settings can be seen in the test configuration file in the source:
+
+https://github.com/yrutschle/sslh/blob/master/test.cfg
+
+There are also more settings for each protocol (maybe individually?), and it's also possible to define multiple entries for some (all?) settings:
+
+```
+protocols: (
+    {   name: "tls";
+        host: "localhost";
+        port: "993";
+        sni_hostnames: [ "mail.rutschle.net" ];
+    },
+    {   name: "tls";
+        host: "localhost";
+        port: "xmpp-client";
+        sni_hostnames: [ "im.rutschle.net" ];
+    },
+    {   name: "tls";
+        host: "localhost";
+        port: "4443";
+        sni_hostnames: [ "www.rutschle.net" ];
+    }
+);
+```
+
+There is also a more advanced "regex" protocol which can be defined multiple times:
+```
+protocols: (
+    {   name: "regex";
+        host: "192.168.0.2";
+        port: "80";
+        regex_patterns:
+                ["^(GET|POST|PUT|OPTIONS|DELETE|HEADER) [^ ]* HTTP/[0-9.]*[\r\n]*Host: host_A.acme"] },
+    {   name: "regex";
+        host: "192.168.0.3";
+        port: "80";
+        regex_patterns:
+                ["^(GET|POST|PUT|OPTIONS|DELETE|HEADER) [^ ]* HTTP/[0-9.]*[\r\n]*Host: host_B.acme"] }
+);
+```
+
+To support multiple entries, an `ArrayField` type will have to be used, and bootgrids utilized to control the entries within each field. For that it may be best to split out each protocol onto a separate tab, rather than have them displayed on the same tab (may look cluttered).
+
+The style of the entries here is different than those provided in the sample which would require some additional care in the Jinja template if that style is to be used.
+
+## Command Line Options
+
+For reference, here are the command line options:
+
+Command line options:
+```
+sslh
+	[-Fconfig file]
+	[-t num]
+	[--transparent]
+	[-p listening address [-p listening address ...]
+	[--ssl target address for SSL]
+	[--tls target address for TLS]
+	[--ssh target address for SSH]
+	[--openvpn target address for OpenVPN]
+	[--http target address for HTTP]
+	[--xmpp target address for XMPP]
+	[--tinc target address for TINC]
+	[--anyprot default target address] (use this for SSLv2 connections)
+	[--on-timeout protocol name]
+	[-u username]
+	[-C chroot] [-P pidfile] [-v] [-i] [-V] [-f] [-n]
+```
+
+## Logging
+
+This application may not have a function to output to a log file. Documentation indicates that `sslh` should be started manually, and run with the `foreground` option to get log messages clearly. Otherwise, logs are sent to the `syslog` facility. There is a configuration setting: `syslog_facility: "auth";` which might be used to change this behavior.
+
+On OPNsense 22.1 the logging goes to the `audit` facility, and looks something like this:
+```
+2021-12-29T23:41:07+00:00 OPNsense.localdomain sslh-fork[62839] 62839 - [meta sequenceId="43"] sslh-fork 1.21c started
+```
+
+It's a bit noisy with the "meta sequence" part, and the PID being displayed twice. Hopefully that will get cleaned up eventually. It should be possible to utilize the built-in log API to display these log entries, and utilize a hard coded filter to display only messages for `sslh`.
+
+A more crude option is to set the `foreground` option in the configuration file, start `sslh` via configd, and redirect the output to a file located in `/var/log/`. `configd` might not do well with this since commands that it runs are expected to exit. Maybe the `&` operator can be used to background the process, and maybe `configd` could deal with that better. It would definitely need more testing to confidently use as a solution though.
+
+## Jinja Templates
+
+The protocols section can probably be reduced to a single for loop which iterates through each variable, and appends the line to the list. The extra settings described above would have to be taken into consideration if some settings only apply to specific protocols. The alternative multi-line style would also have to be considered to make sure everything looks nice in the file.
+
+## Protocol Order
+
+The `anyprot` documentation mentions that `sslh` will try protocols in the order specified (at the command line). This probably also means that it applies for the configuration file as well. Being able to change the order, will eventually be necessary for full functionality. As for a standard order, the `man` page command line reference, the order in which the commands are detailed, and the sample configuration files all use different ordering.
+
+This could possibly be done with a single `ArrayField` containing all protocol entries. With the protocol name being one of the fields in each entry. That would probably be better than the multi-field approach as described earlier. This would put all of the entries in a single bootgrid which could be displayed on a single page. A number field (`AutoNumberField`?) could be added to indicate the appropriate order. Without a UI function to perform this ordering it could get a bit complicated for new users. It's definitely more complicated than just a list of static boxes. Changing the order is not a function of the bootgrid at the moment.
+
+There is also the need to consider that some options may only be available/function for specific protocols. There may be the possibility to employ constraints/requirements for field usage if a specific field only works with a specific protocol, but it will have to be investigated further. This would tie in also to the Jinja template because the protocols section could use for loop as described above, but would definitely have to display all of the additional options for each protocol.
+
+## Service Status
+
+The fact that this service can run as different binaries means that under specific circumstances, sometimes the service status can return a status of "not running" even when the service is running. The UI won't offer to stop the service because it thinks it's not running. If the service is configured to run with the one variant, and then the configuration is changed to use the another variant without a service restart (though some error occurring), then the service status will be looking for the new variant when looking at the status, and it will say "not running," but the previous variant will still be running. If there are no errors with saving the configuration, and the service API restarts the service successfully after saving the configuration, then it should be relatively rare occurrence.
+
+## Transparent mode
+
+This function is available using the command line option "-t, --transparent" or through the configuration file using the "transparent" keyword. The documentation describes this as a "Linux only" feature, and the documentation demonstrates using this feature in conjunction with `iptables`. Since FreeBSD doesn't have `iptables` it's probably that this feature won't work. Since there is no provisions for using this feature on FreeBSD, it's been excluded from the this plugin.
diff --git a/net/sslh/Makefile b/net/sslh/Makefile
new file mode 100644
index 0000000000..d1761cbc51
--- /dev/null
+++ b/net/sslh/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=        sslh
+PLUGIN_VERSION=     0.1
+PLUGIN_DEVEL=       yes
+PLUGIN_COMMENT=     sslh configuration front-end
+PLUGIN_DEPENDS=     sslh
+PLUGIN_MAINTAINER=  agh1467@protonmail.com
+
+.include "../../Mk/plugins.mk"
diff --git a/net/sslh/README.md b/net/sslh/README.md
new file mode 100644
index 0000000000..45c65582e0
--- /dev/null
+++ b/net/sslh/README.md
@@ -0,0 +1,69 @@
+# sslh plugin for OPNsense
+
+## Introduction
+
+This is a plugin for OPNsense firewall which provides a front-end UI for managing `SSLH`.
+
+This plugin is designed for v`1.21c`, but may function with later versions.
+
+Here are some resources for `SSLH`
+
+[SSLH Project Home Page](https://www.rutschle.net/tech/sslh/README.html)
+
+[SSLH Project Source Repository](https://github.com/yrutschle/sslh)
+
+[SSLH FAQ](https://www.rutschle.net/tech/sslh/doc/FAQ.html)
+
+## Features
+
+This plugin, currently support only basic features like:
+
+* Setting multiple listen addresses
+* Setting protocol targets
+* Controlling some advanced settings
+
+## Operation
+
+The plugin can be managed from Services -> SSLH in the OPNsense UI.
+
+To begin, enable SSLH, define at least one listen address, and define a desired target protocol.
+
+### Settings
+
+Most settings for `SSLH` are included here in the UI, but some were left out due to the advanced nature, or the need to investigate further to understand the best approach to bring them into the UI. Help for each setting is included in the UI, select the "i" button to the left of each setting to show the help text.
+
+#### Listen Addresses
+
+This is a list of ADDRESS:PORT combinations. The list is comma delimited, and supports both IPv4, and IPv6 addresses.
+
+#### Protocol Targets
+
+The protocol targets each support one ADDRESS:PORT combination.
+
+### Advanced Settings
+
+Several settings are hidden by default, select the "advanced mode" button in the top left to access these settings.
+
+#### Mode
+
+This is also called the sslh "variant", and makes the start up script execute a separate binary, `sslh-fork` or `sslh-select` depending on selection. Each behaves differently, and has different performance.
+
+#### Timeout
+
+This is a global timeout, and has a default value of 2 seconds.
+
+#### On Timeout
+
+This defines the protocol to which connections will be sent after the timeout period. The default is SSH.
+
+#### Verbose
+
+This will increase the verbosity of the log messages in `SSLH`.
+
+#### Numeric
+
+This will force no DNS lookup, and make the logs contain IP addresses instead of hostnames.
+
+### License
+
+[![License](https://img.shields.io/badge/License-BSD%202--Clause-orange.svg)](https://opensource.org/licenses/BSD-2-Clause)
diff --git a/net/sslh/pkg-descr b/net/sslh/pkg-descr
new file mode 100644
index 0000000000..f818aa3d45
--- /dev/null
+++ b/net/sslh/pkg-descr
@@ -0,0 +1,19 @@
+Manage SSLH, the SSL/SHH multiplexer via the OPNsense web UI.
+
+SSLH is a service which accepts HTTPS, SSH, OpenVPN, tinc and XMPP connections on the same port.
+This makes it possible to connect to any of these servers on port 443 while
+still serving HTTPS on that port.
+
+SSLH Project Home Page: https://www.rutschle.net/tech/sslh
+SSLH FAQ: https://www.rutschle.net/tech/sslh/doc/FAQ.html
+
+Changelog
+
+================
+
+0.1
+
+  * Initial Version
+  * Includes setting listen addresses, and protocol targets.
+  * Includes some other advanced settings
+  * Service start/stop/restart control
diff --git a/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc b/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
new file mode 100644
index 0000000000..d916fc9b61
--- /dev/null
+++ b/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
@@ -0,0 +1,69 @@
+<?php
+
+/*
+    Copyright (C) 2022 agh1467 <agh1467@protonmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/**
+ * Function to register the plugin's service with OPNsense.
+ *
+ * This adds the service to the System: Diagnostics: Services page at
+ * http://<opnsense>/status_services.php
+ *
+ * The suffix "_services" allows this function to be picked up by
+ * etc/inc/plugins.inc:plugins_services() and be included in the
+ * $services array to be processed by status_services.php.
+ *
+ * @return array the array of attributes for this service
+*/
+function sslh_services()
+{
+
+    // Create an array to be processed by www/status_services.php
+    $service = array();
+
+    // Load in our settings to get the enabled state of the plugin.
+    $settings = new \OPNsense\Sslh\Settings();
+
+    // Only show the plugin if it's enabled.
+    if (! ((string) $settings->enabled == '1')) {
+        // return empty array if not enabled
+        return $services;
+    }
+
+    $configd_name = 'sslh';
+    $service[] = array(
+        'name' => 'sslh',                   // Service column
+        'description' => gettext('SSLH'),   // Description column
+        'configd' => array(                 // Status column
+            'restart' => array($configd_name . ' restart'),
+            'start' => array($configd_name . ' start'),
+            'stop' => array($configd_name . ' stop'),
+        ),
+        'pidfile' => '/var/run/sslh.pid'
+    );
+
+    return $service;
+}
diff --git a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/ServiceController.php b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/ServiceController.php
new file mode 100644
index 0000000000..eb4400f853
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/ServiceController.php
@@ -0,0 +1,77 @@
+<?php
+
+/**
+ *    Copyright (C) 2022 agh1467@protonmail.com
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Sslh\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Sslh;
+
+/**
+ * An ApiMutableServiceControllerBase based class which is used to control
+ * the sslh service.
+ *
+ * @package OPNsense\Sslh
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    /**
+     * Reference the model class, which is used to determine if this service is
+     * enabled (links the model to the service)
+     *
+     * @var string $internalServiceClass
+     */
+    protected static $internalServiceClass = '\OPNsense\Sslh\Settings';
+
+    /**
+     * Before starting the service it will call configd to generate configuration
+     * data, in this case it would execute the equivalent of configctl template
+     * reload OPNsense/Sslh on the console
+     *
+     * @var string $internalServiceTemplate
+     */
+    protected static $internalServiceTemplate = 'OPNsense/Sslh';
+
+    /**
+     * Which section of the model contains a boolean defining if the service is
+     * enabled (settings.enabled)
+     *
+     * @var string $internalServiceEnabled
+     */
+    protected static $internalServiceEnabled = 'enabled';
+
+    /**
+     * Refers to the actions configuraiton file, where it can find
+     * start/stop/restart/status/reload actions:
+     * src/opnsense/service/actions.d/actions_sslh.conf
+     * @var string $internalServiceName
+     */
+    protected static $internalServiceName = 'sslh';
+
+}
diff --git a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/SettingsController.php b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/SettingsController.php
new file mode 100644
index 0000000000..4409cb2a7e
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/SettingsController.php
@@ -0,0 +1,133 @@
+<?php
+
+/**
+ *    Copyright (C) 2022 agh1467@protonmail.com
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Sslh\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+/**
+ * An ApiMutableModelControllerBase class used to perform settings related
+ * actions for this plugin.
+ *
+ * This API is accessible at the following URL endpoint:
+ *
+ * `/api/sslh/settings`
+ *
+ * Functions with a name ending in "Action" become API endpoints by extending
+ * `ApiMutableModelControllerBase`. That class creates the following encpoints:
+ * ```
+ *   search
+ *   get
+ *   add
+ *   del
+ *   set
+ *   toggle
+ * ```
+ *
+ * @package OPNsense\Sslh
+ */
+class SettingsController extends ApiMutableModelControllerBase
+{
+    /**
+     * This variable defines what to call the <model> that is defined for this
+     * Class by Phalcon. That is to say the model XML that has the same name as
+     * this controller's name, "Settings".
+     * In this case, it is the model XML file:
+     *
+     * `model/OPNsense/Sslh/Settings.xml`
+     *
+     * The model name is then used as the name of the array returned by setBase()
+     * and getBase(). In the form XMLs, the prefix used on the field IDs must
+     * match this name as API actions use the same name in their transactions.
+     * For example, the key_name in an API JSON response, will be this model
+     * name. This name is also used as the API endpoint for this Controller.
+     *
+     * `/api/sslh/settings`
+     *
+     * This locks activies of this Class to this specific model, so it won't
+     * save to other models, even within the same plugin.
+     *
+     * @var string $internalModelName
+     */
+    protected static $internalModelName = 'settings';
+
+    /**
+     * Base model class to reference.
+     *
+     * This variable defines which class to call for getMode(). It is used in a
+     * ReflectionClass call to establish the model object. This class is defined
+     * in the models directory alongside the model XML, and has the same name
+     * as this Controller. This class extends BaseModel which reads the model
+     * XML that has the same name as the class.
+     *
+     * In this case, these are the model XML file, and class definition file:
+     *
+     * `model/OPNsense/Sslh/Settings.xml`
+     *
+     * `model/OPNsense/Sslh/Settings.php`
+     *
+     * These together will establish several API endpoints on this Controller's
+     * endpoint including:
+     *
+     * `/api/sslh/settings/get`
+     *
+     * `/api/sslh/settings/set`
+     *
+     * These are both defined in the ApiMutableModelControllerBase Class:
+     *
+     * `function getAction()`
+     *
+     * `function setAction()`
+     *
+     * @var string $internalModelClass
+     */
+    protected static $internalModelClass = 'OPNsense\Sslh\Settings';
+
+    /**
+     * An API endpoint to call when no parameters are
+     * provided for the API. Can be used to test the API is working.
+
+     * API endpoint:
+     *
+     *   `/api/sslh/settings`
+     *
+     * Usage:
+     *
+     *   `/api/sslh/settings`
+     *
+     * Returns an array which gets converted to json in the POST response.
+     *
+     * @return array    includes status, saying everything is A-OK
+     */
+    public function indexAction()
+    {
+        return array('status' => 'ok');
+    }
+}
diff --git a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php
new file mode 100644
index 0000000000..376a76e707
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php
@@ -0,0 +1,64 @@
+<?php
+
+/*
+    Copyright (C) 2022 agh1467@protonmail.com
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Sslh;
+
+/**
+ * An IndexController-based class that creates an endpoint to display the Settings
+ * page in the UI.
+ *
+ * @package OPNsense\Sslh
+ */
+class SettingsController extends \OPNsense\Base\IndexController
+{
+    /**
+     * This function creates an endpoint in the UI for the Settings Controller.
+     *
+     * UI endpoint:
+     * `/ui/sslh/settings`
+     *
+     * This is the default action when no parameters are provided.
+     */
+    public function indexAction()
+    {
+
+    // Set environment variables for within the Volt templates.
+    $this->view->setVars(
+        [
+            'plugin_name' => 'sslh',
+            'api_name' => 'sslh',
+            'this_form' => $this->getForm('settings'),
+            // controllers/OPNsense/Sslh/forms/settings.xml
+        ]
+    );
+
+    // pick the template as the next view to render
+    $this->view->pick('OPNsense/Sslh/settings');
+    // views/OPNsense/Sslh/settings.volt
+    }
+}
diff --git a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/forms/settings.xml b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/forms/settings.xml
new file mode 100644
index 0000000000..c3247f88ab
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/forms/settings.xml
@@ -0,0 +1,101 @@
+<form>
+    <field>
+        <id>settings.enabled</id>
+        <label>Enable SSLH</label>
+        <type>checkbox</type>
+        <help>This will enable the SSLH service.</help>
+    </field>
+    <field>
+        <id>settings.listen_addresses</id>
+        <label>Listen Addresses</label>
+        <help>Hostname (or IP address) and port combination on which to listen, e.g. localhost:443, 10.5.0.1:443 (typically these resolve to-, or specify, a WAN IP address). This can be defined multiple times to bind sslh to several addresses.</help>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <type>select_multiple</type>
+    </field>
+    <field>
+        <id>settings.mode</id>
+        <label>Mode</label>
+        <help>Select the mode in which to run sslh: fork - stable but slow performance | select - new but high performance</help>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>settings.timeout</id>
+        <label>Timeout</label>
+        <help>Timeout in seconds before forwarding the connection to the timeout protocol (which should usually be SSH). Default: 2</help>
+        <hint>2</hint>
+        <type>text</type>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>settings.on_timeout</id>
+        <label>On Timeout</label>
+        <help>Name of the protocol to connect to after the timeout period is over. Default is to forward to the first specified protocol. It usually makes sense to specify 'ssh' as the timeout protocol, as the SSH specification does not tell who is supposed to speak first and a large number of SSH clients wait for the server to send its banner. Default: ssh</help>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>settings.ssh_target</id>
+        <label>SSH Target</label>
+        <help>Interface and port on which to forward SSH connections, typically localhost:22.</help>
+        <hint>localhost:22</hint>
+        <type>text</type>
+    </field>
+    <field>
+        <id>settings.tls_target</id>
+        <label>SSL/TLS Target</label>
+        <help>Interface and port on which to forward SSL connection, typically localhost:443. Note that you can set sslh to listen on ext_ip:443 and httpd to listen on localhost:443: this allows clients inside your network to just connect directly to httpd. Also, sslh probes for SSLv3 (or TLSv1) handshake and will reject connections from clients requesting SSLv2. This is compliant with RFC6176 which prohibits the usage of SSLv2. If you wish to accept SSLv2, use --anyprot instead.</help>
+        <hint>localhost:443</hint>
+        <type>text</type>
+    </field>
+    <field>
+        <id>settings.openvpn_target</id>
+        <label>OpenVPN Target</label>
+        <help>Interface and port on which to forward OpenVPN connections, typically localhost:1194.</help>
+        <hint>localhost:1194</hint>
+        <type>text</type>
+    </field>
+    <field>
+        <id>settings.http_target</id>
+        <label>HTTP Target</label>
+        <help>Interface and port on which to forward HTTP connections, typically localhost:80.</help>
+        <hint>localhost:80</hint>
+        <type>text</type>
+    </field>
+    <field>
+        <id>settings.xmpp_target</id>
+        <label>XMPP Target</label>
+        <help>Interface and port on which to forward XMPP connections, typically localhost:5222.</help>
+        <hint>localhost:5222</hint>
+        <type>text</type>
+    </field>
+    <field>
+        <id>settings.tinc_target</id>
+        <label>Tinc Target</label>
+        <help>Interface and port on which to forward Tinc connections, typically localhost:655.</help>
+        <hint>localhost:655</hint>
+        <type>text</type>
+    </field>
+    <field>
+        <id>settings.anyprot_target</id>
+        <label>Anyprot Target</label>
+        <hint></hint>
+        <help>Interface and port on which to forward if no other protocol has been found. Because sslh tries protocols in the order specified on the command line, this should be specified last. If no default is specified, sslh will forward unknown protocols to the first protocol specified.</help>
+        <type>text</type>
+    </field>
+    <field>
+        <id>settings.verbose</id>
+        <label>Verbose</label>
+        <help>Increase logging verboseness.</help>
+        <advanced>true</advanced>
+        <type>checkbox</type>
+    </field>
+    <field>
+        <id>settings.numeric</id>
+        <label>Numeric</label>
+        <help>Do not attempt to resolve hostnames: logs will contain IP addresses. This is mostly useful if the system's DNS is slow and running the sslh-select variant, as DNS requests will hang all connections. Default: false</help>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/ACL/ACL.xml b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/ACL/ACL.xml
new file mode 100644
index 0000000000..1cb7f2f772
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+   <page-services-sslh>
+      <name>Services: SSLH</name>
+      <patterns>
+         <pattern>ui/sslh/*</pattern>
+         <pattern>api/sslh/*</pattern>
+      </patterns>
+  </page-services-sslh>
+</acl>
diff --git a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Menu/Menu.xml b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Menu/Menu.xml
new file mode 100644
index 0000000000..5cf29b5d11
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Menu/Menu.xml
@@ -0,0 +1,6 @@
+<menu>
+    <Services>
+        <Sslh cssClass="fa fa-lock fa-fw" url="/ui/sslh/settings">
+        </Sslh>
+    </Services>
+</menu>
diff --git a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.php b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.php
new file mode 100644
index 0000000000..7c24334bca
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+    Copyright (C) 2022 agh1467@protonmail.com
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Sslh;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class Settings is a BaseModel class used when retriving model data
+ * via getModel().
+ *
+ * Functionality of this class is inherited entirely from BaseModel.
+ *
+ * @package OPNsense\Sslh
+ */
+class Settings extends BaseModel
+{
+}
diff --git a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
new file mode 100644
index 0000000000..9701eac279
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
@@ -0,0 +1,66 @@
+<model>
+    <mount>//OPNsense/sslh</mount>
+    <version>0.0.1</version>
+    <items>
+        <enabled type="BooleanField">
+            <required>Y</required>
+        </enabled>
+        <listen_addresses type="CSVListField">
+            <required>Y</required>
+            <default>localhost:443</default>
+            <validationmessage>Please enter at least one hostname/IP:port combination.</validationmessage>
+        </listen_addresses>
+        <mode type="OptionField">
+            <required>Y</required>
+            <default>fork</default>
+            <Multiple>N</Multiple>
+            <OptionValues>
+                <option value="fork">fork</option>
+                <option value="select">select</option>
+            </OptionValues>
+        </mode>
+        <timeout type="IntegerField">
+            <required>N</required>
+        </timeout>
+        <tls_target type="TextField">
+            <required>N</required>
+        </tls_target>
+        <ssh_target type="TextField">
+            <required>N</required>
+        </ssh_target>
+        <openvpn_target type="TextField">
+            <required>N</required>
+        </openvpn_target>
+        <http_target type="TextField">
+            <required>N</required>
+        </http_target>
+        <xmpp_target type="TextField">
+            <required>N</required>
+        </xmpp_target>
+        <tinc_target type="TextField">
+            <required>N</required>
+        </tinc_target>
+        <anyprot_target type="TextField">
+            <required>N</required>
+        </anyprot_target>
+        <on_timeout type="OptionField">
+            <required>Y</required>
+            <default>ssh</default>
+            <Multiple>N</Multiple>
+            <OptionValues>
+                <option value="ssh">SSH</option>
+                <option value="openvpn">OpenVPN</option>
+                <option value="xmpp">XMPP</option>
+                <option value="http">HTTP</option>
+                <option value="tls">TLS</option>
+                <option value="anyprot">Anyprot</option>
+            </OptionValues>
+        </on_timeout>
+        <verbose type="BooleanField">
+            <required>N</required>
+        </verbose>
+        <numeric type="BooleanField">
+            <required>N</required>
+        </numeric>
+    </items>
+</model>
diff --git a/net/sslh/src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt b/net/sslh/src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt
new file mode 100644
index 0000000000..6ea142ded8
--- /dev/null
+++ b/net/sslh/src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt
@@ -0,0 +1,76 @@
+{##
+ #
+ # OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
+ # This file is Copyright © 2022 agh1467@protonmail.com
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+#}
+
+{##
+ # This is the template for the settings page.
+ #
+ # This is the main page for this plugin.
+ #
+ # Variables sent in by the controller:
+ # plugin_name  string  name of this plugin, used for API calls
+ # this_form    array   the form XML in an array
+ #}
+
+<div class="tab-content content-box tab-content">
+    <div id="settings" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':this_form,'id':'frm_settings'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary"  id="saveAct" type="button">
+                    <b>{{ lang._('Save and Apply') }}</b>
+                    <i id="saveAct_progress"></i>
+                </button>
+            </div>
+        </div>
+    </div>
+</div>
+
+
+<script>
+
+$( document ).ready(function() {
+    var data_get_map = {'frm_settings':"/api/sslh/settings/get"};
+    mapDataToFormUI(data_get_map).done(function(data){
+        formatTokenizersUI();
+        $('.selectpicker').selectpicker('refresh');
+    });
+
+    $("#saveAct").click(function(){
+        saveFormToEndpoint(url="/api/{{ api_name }}/settings/set", formid='frm_settings',callback_ok=function(){
+        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url="/api/{{ api_name }}/service/reconfigure", sendData={}, callback=function(data,status) {
+                updateServiceControlUI('{{ plugin_name }}');
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+            });
+        });
+    });
+
+    updateServiceControlUI('{{ plugin_name }}');
+});
+</script>
diff --git a/net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf b/net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf
new file mode 100644
index 0000000000..2e401ddb35
--- /dev/null
+++ b/net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf
@@ -0,0 +1,31 @@
+################################################################################
+# Service Actions                                                              #
+################################################################################
+
+[status]
+command:/usr/local/etc/rc.d/sslh status || exit 0
+parameters:
+type:script_output
+message: sslh: requesting status
+description:
+
+[start]
+command:/usr/local/etc/rc.d/sslh start
+parameters:
+type:script
+message: sslh: starting
+description: sslh: Start service
+
+[stop]
+command:/usr/local/etc/rc.d/sslh stop
+parameters:
+type:script
+message: sslh: stopping
+description: sslh: Stop service
+
+[restart]
+command:/usr/local/etc/rc.d/sslh restart
+parameters:
+type:script
+message: sslh: restarting
+description: sslh: Restart service
diff --git a/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/+TARGETS b/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/+TARGETS
new file mode 100644
index 0000000000..14554864c4
--- /dev/null
+++ b/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/+TARGETS
@@ -0,0 +1,2 @@
+sslh.jinja:/etc/rc.conf.d/sslh
+sslh.conf.jinja:/usr/local/etc/sslh.conf
diff --git a/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja b/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja
new file mode 100644
index 0000000000..1cbae9b6bb
--- /dev/null
+++ b/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja
@@ -0,0 +1,121 @@
+{##
+ #
+ # OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
+ # This file is Copyright © 2022 agh1467@protonmail.com
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+#}
+
+{#- /usr/local/etc/sslh.conf -#}
+{% set plugin_name = 'sslh' %}
+{# Prevent configd reload from erroring out if node doesn't exist #}
+{%  if OPNsense[plugin_name] is defined %}
+{%      set cfg = OPNsense[plugin_name] %}
+################################################################################
+#                                                                              #
+#       sslh configuration file for v1.21c                                     #
+#                                                                              #
+################################################################################
+
+{# ------------ Static options, should remain unchanged by the user. -------- #}
+{# standard location for pid files #}
+pidfile:"/var/run/sslh.pid";
+{# Run as nobody for security reasons. #}
+user: "nobody";
+
+{# ------------ Dynamic options, user configurable. -------------------------- #}
+{%      if cfg['verbose'] is defined %}
+verbose:{{ '1' if (cfg['verbose'] == '1') else '0' }};
+{%      endif -%}
+
+{%      if cfg['numeric'] is defined %}
+numeric:{{ 'true' if (cfg['numeric'] == '1') else 'false' }};
+{%      endif -%}
+
+{%      if cfg['timeout'] is defined %}
+timeout:{{ cfg['timeout'] }};
+{%      endif -%}
+
+{%      if cfg['on_timeout'] is defined %}
+on_timeout:"{{ cfg['on_timeout'] }}";
+{%      endif -%}
+
+{%      if cfg['listen_addresses'] is defined %}
+{%          set listen_list = [] %}
+{#          # listen_addresses is comma delimited string, split() to iterate through. #}
+{%          for for_listen in cfg['listen_addresses'].split(',') %}
+{#              # Need to further split the listen address by hostname:port #}
+{%              set listen_hostname, separator, listen_port = for_listen.rpartition(':') %}
+{%              if listen_hostname != '' and listen_port != '' %}
+{%                  do listen_list.append('    { host: "'~listen_hostname~'"; port: "'~listen_port~'" }') %}
+{%              endif %}
+{%          endfor %}
+{%          if listen_list != [] -%}{# Don't put this setting unless we have listen addreses to put. #}
+listen:
+(
+{{ listen_list|join(",\n") }}
+);
+{%          endif %}
+{%      endif %}
+
+{# All of the protocols #}
+protocols:
+(
+{%      if cfg['ssh_target'] is defined %}
+{%          set hostname, separator, port = cfg['ssh_target'].rpartition(':') %}
+{%          if hostname != '' and port != '' %}
+     { name: "ssh";     service: "ssh"; host: "{{ hostname }}"; port: "{{ port }}"; },
+{%          endif %}
+{%      endif %}
+{%      if cfg['openvpn_target'] is defined %}
+{%          set hostname, separator, port = cfg['openvpn_target'].rpartition(':') %}
+{%          if hostname != '' and port != '' %}
+     { name: "openvpn";                 host: "{{ hostname }}"; port: "{{ port }}"; },
+{%          endif %}
+{%      endif %}
+{%      if cfg['xmpp_target'] is defined %}
+{%          set hostname, separator, port = cfg['xmpp_target'].rpartition(':') %}
+{%          if hostname != '' and port != '' %}
+     { name: "xmpp";                    host: "{{ hostname }}"; port: "{{ port }}"; },
+{%          endif %}
+{%      endif %}
+{%      if cfg['http_target'] is defined %}
+{%          set hostname, separator, port = cfg['http_target'].rpartition(':') %}
+{%          if hostname != '' and port != '' %}
+     { name: "http";                    host: "{{ hostname }}"; port: "{{ port }}"; },
+{%          endif %}
+{%      endif %}
+{%      if cfg['tls_target'] is defined %}
+{%          set hostname, separator, port = cfg['tls_target'].rpartition(':') %}
+{%          if hostname != '' and port != '' %}
+     { name: "tls";                     host: "{{ hostname }}"; port: "{{ port }}"; },
+{%          endif %}
+{%      endif %}
+{%      if cfg['anyprot_target'] is defined %}
+{%          set hostname, separator, port = cfg['anyprot_target'].rpartition(':') %}
+{%          if hostname != '' and port != '' %}
+     { name: "anyprot";                 host: "{{ hostname }}"; port: "{{ port }}"; },
+{%          endif %}
+{%      endif %}
+);
+{%  endif %}
diff --git a/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.jinja b/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.jinja
new file mode 100644
index 0000000000..cc858aab1a
--- /dev/null
+++ b/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.jinja
@@ -0,0 +1,11 @@
+{# /usr/local/etc/rc.conf.d/sslh #}
+{%  set plugin_name = 'sslh' %}
+{%  if OPNsense[plugin_name] is defined %}{# Prevent configd reload from erroring out if node doesn't exist #}
+{%      set cfg = OPNsense[plugin_name] %}
+{%      if cfg['enabled'] is defined %}
+sslh_enable={{ '"YES"' if (cfg['enabled'] == '1') else '"NO"' }}
+{%      endif %}
+{%      if cfg['mode'] is defined %}
+sslh_mode={{ '"fork"' if (cfg['mode'] == 'fork') else '"select"' }}
+{%      endif %}
+{%  endif %}

From 7f918905adfa045e059f42a690368ea682a736bc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 18 Oct 2022 14:22:50 +0200
Subject: [PATCH 1197/3088] Scripts: update from core.git

---
 Scripts/license | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Scripts/license b/Scripts/license
index 01d2d97d58..fac05e1752 100755
--- a/Scripts/license
+++ b/Scripts/license
@@ -84,7 +84,7 @@ sub process_file
     for my $line ( @lines ) {
         my $copy = $line;
         next if $line !~ s/copyright\s+\(c\)\s+//i;
-        $line =~ s/^[."\*\\#\s]+//g;
+        $line =~ s/^[."\*\\#\s-]+//g;
         $line =~ s/\s+$//g;
         chomp $copy;
         $copy =~ s/^[\*\\#\s]+//g;
@@ -93,7 +93,7 @@ sub process_file
             $start = $1;
             $start =~ s/[,\s\-]+//g;
         }
-        if ( $line =~ s/(\d\d\d\d\s*,?\s+)// ) {
+        if ( $line =~ s/^(\d\d\d\d\s*,?\s+)// ) {
             $end = $1;
             $end =~ s/[,\s]+//g;
         }

From f10d2cf8dfce136629be57667e9d0ac35573f0c8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 18 Oct 2022 14:31:56 +0200
Subject: [PATCH 1198/3088] net/sslh: style updates and sync

---
 LICENSE                                         |  2 ++
 README.md                                       |  1 +
 net/sslh/Makefile                               | 12 ++++++------
 .../OPNsense/Sslh/Api/ServiceController.php     |  3 +--
 .../OPNsense/Sslh/Api/SettingsController.php    |  2 +-
 .../OPNsense/Sslh/SettingsController.php        | 17 +++++++----------
 .../mvc/app/models/OPNsense/Sslh/Settings.php   |  2 +-
 .../mvc/app/views/OPNsense/Sslh/settings.volt   | 11 +++++------
 .../templates/OPNsense/Sslh/sslh.conf.jinja     |  9 ++++-----
 9 files changed, 28 insertions(+), 31 deletions(-)

diff --git a/LICENSE b/LICENSE
index 336483a1a8..0775e221e5 100644
--- a/LICENSE
+++ b/LICENSE
@@ -39,6 +39,7 @@ Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2021 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
+Copyright (c) 2022 Patrik Kernstock <patrik@kernstock.net>
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
@@ -49,6 +50,7 @@ Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2022 Wouter Deurholt
 Copyright (c) 2010 Yehuda Katz
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
+Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 All rights reserved.
 
diff --git a/README.md b/README.md
index 2efc92f751..55da66cf57 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ net/realtek-re -- Realtek re(4) vendor driver
 net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
+net/sslh -- sslh configuration front-end (development only)
 net/tayga -- Tayga NAT64
 net/udpbroadcastrelay -- Control ubpbroadcastrelay processes
 net/upnp -- Universal Plug and Play Service
diff --git a/net/sslh/Makefile b/net/sslh/Makefile
index d1761cbc51..c4babf32ac 100644
--- a/net/sslh/Makefile
+++ b/net/sslh/Makefile
@@ -1,8 +1,8 @@
-PLUGIN_NAME=        sslh
-PLUGIN_VERSION=     0.1
-PLUGIN_DEVEL=       yes
-PLUGIN_COMMENT=     sslh configuration front-end
-PLUGIN_DEPENDS=     sslh
-PLUGIN_MAINTAINER=  agh1467@protonmail.com
+PLUGIN_NAME=		sslh
+PLUGIN_VERSION=		0.1
+PLUGIN_DEVEL=		yes
+PLUGIN_COMMENT=		sslh configuration front-end
+PLUGIN_DEPENDS=		sslh
+PLUGIN_MAINTAINER=	agh1467@protonmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/ServiceController.php b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/ServiceController.php
index eb4400f853..18e48b826c 100644
--- a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/ServiceController.php
+++ b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/ServiceController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2022 agh1467@protonmail.com
+ *    Copyright (C) 2022 agh1467 <agh1467@protonmail.com>
  *
  *    All rights reserved.
  *
@@ -73,5 +73,4 @@ class ServiceController extends ApiMutableServiceControllerBase
      * @var string $internalServiceName
      */
     protected static $internalServiceName = 'sslh';
-
 }
diff --git a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/SettingsController.php b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/SettingsController.php
index 4409cb2a7e..59894178ee 100644
--- a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/SettingsController.php
+++ b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/Api/SettingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2022 agh1467@protonmail.com
+ *    Copyright (C) 2022 agh1467 <agh1467@protonmail.com>
  *
  *    All rights reserved.
  *
diff --git a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php
index 376a76e707..e1d275bb0d 100644
--- a/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php
+++ b/net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
-    Copyright (C) 2022 agh1467@protonmail.com
+    Copyright (C) 2022 agh1467 <agh1467@protonmail.com>
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -46,19 +46,16 @@ class SettingsController extends \OPNsense\Base\IndexController
      */
     public function indexAction()
     {
-
-    // Set environment variables for within the Volt templates.
-    $this->view->setVars(
-        [
+        // Set environment variables for within the Volt templates.
+        $this->view->setVars([
             'plugin_name' => 'sslh',
             'api_name' => 'sslh',
             'this_form' => $this->getForm('settings'),
             // controllers/OPNsense/Sslh/forms/settings.xml
-        ]
-    );
+        ]);
 
-    // pick the template as the next view to render
-    $this->view->pick('OPNsense/Sslh/settings');
-    // views/OPNsense/Sslh/settings.volt
+        // pick the template as the next view to render
+        $this->view->pick('OPNsense/Sslh/settings');
+        // views/OPNsense/Sslh/settings.volt
     }
 }
diff --git a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.php b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.php
index 7c24334bca..2867591208 100644
--- a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.php
+++ b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
-    Copyright (C) 2022 agh1467@protonmail.com
+    Copyright (C) 2022 agh1467 <agh1467@protonmail.com>
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
diff --git a/net/sslh/src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt b/net/sslh/src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt
index 6ea142ded8..001a42c4c7 100644
--- a/net/sslh/src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt
+++ b/net/sslh/src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt
@@ -1,7 +1,6 @@
-{##
- #
- # OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
- # This file is Copyright © 2022 agh1467@protonmail.com
+{#
+ # Copyright (c) 2014-2018 Deciso B.V.
+ # Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -24,9 +23,9 @@
  # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  # POSSIBILITY OF SUCH DAMAGE.
-#}
+ #}
 
-{##
+{#
  # This is the template for the settings page.
  #
  # This is the main page for this plugin.
diff --git a/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja b/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja
index 1cbae9b6bb..eb0c7378a9 100644
--- a/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja
+++ b/net/sslh/src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja
@@ -1,7 +1,6 @@
-{##
- #
- # OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
- # This file is Copyright © 2022 agh1467@protonmail.com
+{#
+ # Copyright (c) 2014-2018 Deciso B.V.
+ # Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -24,7 +23,7 @@
  # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  # POSSIBILITY OF SUCH DAMAGE.
-#}
+ #}
 
 {#- /usr/local/etc/sslh.conf -#}
 {% set plugin_name = 'sslh' %}

From 6d024bc0aca2995cb96251226f3e30bdd3b845a2 Mon Sep 17 00:00:00 2001
From: haarp <781030+haarp@users.noreply.github.com>
Date: Tue, 11 Oct 2022 13:46:49 +0200
Subject: [PATCH 1199/3088] Enable hardware acceleration in TOR

On suitable hardware platforms, FreeBSD/OPNsense supports hardware acceleration for crypto. Verified with https://stackoverflow.com/a/28614159/5424487

TOR however is not set up to make use of this. This change should enable it. From https://www.freebsd.org/cgi/man.cgi?tor(1):

```
       HardwareAccel 0|1
	   If non-zero,	try to use built-in (static) crypto hardware
	   acceleration	when available.	Can not	be changed while tor is
	   running. (Default: 0)
```

Because TOR (or rather OpenSSL) will fall back to software crypto when hardware crypto is not available (unless `AccelName` is also set), i see no need to make this flag configurable in the web UI, making this a very trivial PR :)
---
 security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
index 04ccca9de0..2f8ab8a10f 100644
--- a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
+++ b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
@@ -117,6 +117,8 @@ HidServAuth {{ service.onion_service }} {{ service.auth_cookie }}
 MaxMemInQueues {{ OPNsense.tor.general.max_memory_in_queues }} MB
 {% endif %}
 
+HardwareAccel 1
+
 {% if helpers.exists('OPNsense.tor.hiddenservice') and helpers.exists('OPNsense.tor.hiddenserviceacl') and helpers.exists('OPNsense.tor.hiddenserviceacl.hiddenserviceacl') %}
 
 ############### This section is just for location-hidden services ###

From dc55acc417c3171a73870921b05941b3b82cb0c1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Oct 2022 09:06:41 +0200
Subject: [PATCH 1200/3088] security/tor: bump version

---
 security/tor/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/tor/Makefile b/security/tor/Makefile
index 452ca6ddc8..b5f01436f0 100644
--- a/security/tor/Makefile
+++ b/security/tor/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tor
-PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		The Onion Router
 PLUGIN_DEPENDS=		tor ruby
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 70fdd1ba633f96eaef60f09b38a0ef1fe8dd00bf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Oct 2022 09:13:31 +0200
Subject: [PATCH 1201/3088] net/wireguard: bump version, changelog

---
 net/wireguard/Makefile  | 2 +-
 net/wireguard/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 6aa903531e..6e0e792ad5 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.12
+PLUGIN_VERSION=		1.13
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 058ea7ede3..fd85d2e032 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+1.13
+
+* Reworked widget and assorted cleanups (contributed by Patrik Kernstock)
+
 1.12
 
 * Adjust validation for naming local instance and endpoints

From 312b3552c568c0294ed37b703a95a81a911145d9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Oct 2022 10:21:26 +0200
Subject: [PATCH 1202/3088] security/openconnect: revision was not cleared

---
 security/openconnect/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index 019eac53ba..01fcf835d3 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		openconnect
 PLUGIN_VERSION=		1.4.3
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 2aece2fee3788438c4f42a606b36e9dca7ff819c Mon Sep 17 00:00:00 2001
From: Nicholas Tay <nick@windblume.net>
Date: Wed, 19 Oct 2022 21:20:00 +1100
Subject: [PATCH 1203/3088] security/openconnect: add support for OTP token
 generation (#2980)

---
 security/openconnect/pkg-descr                       |  2 ++
 .../OPNsense/Openconnect/forms/general.xml           | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Openconnect/General.xml  | 12 ++++++++++++
 .../templates/OPNsense/Openconnect/openconnect.conf  |  6 ++++++
 4 files changed, 32 insertions(+)

diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index 192eda9330..b71d609585 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -8,6 +8,8 @@ Plugin Changelog
 
 1.4.3
 
+
+* Add support for one-time password generation
 * Permit additional characters in group name
 
 1.4.2
diff --git a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
index 2631072a6d..0e13339b86 100644
--- a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
@@ -47,6 +47,18 @@
         <type>dropdown</type>
         <help>Select the client certificate to use.</help>
     </field>
+    <field>
+        <id>general.tokenmode</id>
+        <label>Token Mode</label>
+        <type>dropdown</type>
+        <help>Use a one-time password generation mode.</help>
+    </field>
+    <field>
+        <id>general.tokensecret</id>
+        <label>Token Secret</label>
+        <type>text</type>
+        <help>Enter a secret to use with one-time password generation.</help>
+    </field>
     <field>
         <id>general.protocol</id>
         <label>Protocol</label>
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index 033edd54c2..647d9accd3 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -47,6 +47,18 @@
             <Type>cert</Type>
             <Required>N</Required>
         </clientcertificate>
+        <tokenmode type="OptionField">
+            <Required>N</Required>
+            <OptionValues>
+                <rsa>RSA SecurID</rsa>
+                <totp>TOTP</totp>
+                <hotp>HOTP</hotp>
+                <oidc>OpenIDConnect</oidc>
+            </OptionValues>
+        </tokenmode>
+        <tokensecret type="TextField">
+            <Required>N</Required>
+        </tokensecret>
         <protocol type="OptionField">
             <default>anyconnect</default>
             <multiple>N</multiple>
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
index 626091fadb..e076e5e655 100644
--- a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
@@ -19,6 +19,12 @@ authgroup={{ OPNsense.openconnect.general.group }}
 certificate=/usr/local/etc/openconnect_cert.pem
 sslkey=/usr/local/etc/openconnect_key.pem
 {%   endif %}
+{%   if helpers.exists('OPNsense.openconnect.general.tokenmode') and OPNsense.openconnect.general.tokenmode != '' %}
+{%     if helpers.exists('OPNsense.openconnect.general.tokensecret') and OPNsense.openconnect.general.tokensecret != '' %}
+token-mode={{ OPNsense.openconnect.general.tokenmode }}
+token-secret={{ OPNsense.openconnect.general.tokensecret }}
+{%     endif %}
+{%   endif %}
 {%   if helpers.exists('OPNsense.openconnect.general.protocol') and OPNsense.openconnect.general.protocol != '' %}
 protocol={{ OPNsense.openconnect.general.protocol }}
 {%   endif %}

From 501d48df1485fea0cc816cc9310ba9da862239d0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:03:50 +0200
Subject: [PATCH 1204/3088] www/web-proxy-sso: use service_log() #6099

---
 .../src/etc/inc/plugins.inc.d/proxy_sso.inc         | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/www/web-proxy-sso/src/etc/inc/plugins.inc.d/proxy_sso.inc b/www/web-proxy-sso/src/etc/inc/plugins.inc.d/proxy_sso.inc
index cfe9efaaf6..253d7133b2 100644
--- a/www/web-proxy-sso/src/etc/inc/plugins.inc.d/proxy_sso.inc
+++ b/www/web-proxy-sso/src/etc/inc/plugins.inc.d/proxy_sso.inc
@@ -13,17 +13,20 @@ function proxy_sso_squid_hook($verbose, $action)
         exit;
     }
 
+    service_log('template reload OPNsense/ProxySSO: ', $verbose);
+
     $res = configd_run('template reload OPNsense/ProxySSO');
-    if ($verbose) {
-        printf("template reload OPNsense/ProxySSO: %s\n", trim($res));
-    }
+
+    service_log(trim($res) . "\n", $verbose);
 }
 
 function proxy_sso_xmlrpc_sync()
 {
-    $result = array();
+    $result = [];
+
     $result['id'] = 'proxysso';
     $result['section'] = 'OPNsense.ProxySSO';
     $result['description'] = gettext('Kerberos authentication module');
-    return array($result);
+
+    return [$result];
 }

From 0c46a06a70b4db7a092d761dbffcbbd00eca5822 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:07:59 +0200
Subject: [PATCH 1205/3088] net/upnp: use service_log() #6099

---
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   | 27 +++++++------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 68738d0428..1ecb50780a 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -45,18 +45,18 @@ function miniupnpd_firewall($fw)
 
 function miniupnpd_services()
 {
-    $services = array();
+    $services = [];
 
     if (!miniupnpd_enabled()) {
         return $services;
     }
 
-    $pconfig = array();
+    $pconfig = [];
     $pconfig['name'] = 'miniupnpd';
     $pconfig['description'] = gettext('Universal Plug and Play');
-    $pconfig['php']['restart'] = array('miniupnpd_stop', 'miniupnpd_start');
-    $pconfig['php']['start'] = array('miniupnpd_start');
-    $pconfig['php']['stop'] = array('miniupnpd_stop');
+    $pconfig['php']['restart'] = ['miniupnpd_stop', 'miniupnpd_start'];
+    $pconfig['php']['start'] = ['miniupnpd_start'];
+    $pconfig['php']['stop'] = ['miniupnpd_stop'];
     $pconfig['pidfile'] = '/var/run/miniupnpd.pid';
     $services[] = $pconfig;
 
@@ -85,7 +85,7 @@ function miniupnpd_stop()
 
 function miniupnpd_configure()
 {
-    return array('bootup' => array('miniupnpd_configure_do'));
+    return ['bootup' => ['miniupnpd_configure_do']];
 }
 
 function miniupnpd_uuid()
@@ -98,7 +98,7 @@ function miniupnpd_uuid()
 
 function miniupnpd_permuser_list()
 {
-    $ret = array();
+    $ret = [];
     $count = 8;
 
     for ($i = 1; $i <= $count; $i++) {
@@ -118,18 +118,13 @@ function miniupnpd_configure_do($verbose = false)
         return;
     }
 
-    if ($verbose) {
-        echo 'Starting UPnP service...';
-        flush();
-    }
+    service_log('Starting UPnP service...', $verbose);
 
     $upnp_config = $config['installedpackages']['miniupnpd']['config'][0];
 
     $ext_ifname = get_real_interface($upnp_config['ext_iface']);
     if ($ext_ifname == $upnp_config['ext_iface']) {
-        if ($verbose) {
-            echo "failed.\n";
-        }
+        service_log("failed.\n", $verbose);
         return;
     }
 
@@ -234,7 +229,5 @@ function miniupnpd_configure_do($verbose = false)
         }
     }
 
-    if ($verbose) {
-        echo "done.\n";
-    }
+    service_verbose("done.\n", $verbose);
 }

From 59efad71c0c2a452f63f4882bdf98919d43ef73a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:10:44 +0200
Subject: [PATCH 1206/3088] net/igmp-proxy: use service_log() #6099

---
 .../src/etc/inc/plugins.inc.d/igmpproxy.inc   | 25 ++++++++-----------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
index 42d6f63ffc..246ca5e0f8 100644
--- a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
+++ b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
@@ -38,17 +38,17 @@ function igmpproxy_enabled()
 
 function igmpproxy_services()
 {
-    $services = array();
+    $services = [];
 
     if (!igmpproxy_enabled()) {
         return $services;
     }
 
-    $pconfig = array();
+    $pconfig = [];
     $pconfig['name'] = 'igmpproxy';
     $pconfig['description'] = gettext('IGMP Proxy');
-    $pconfig['php']['restart'] = array('igmpproxy_configure_do');
-    $pconfig['php']['start'] = array('igmpproxy_configure_do');
+    $pconfig['php']['restart'] = ['igmpproxy_configure_do'];
+    $pconfig['php']['start'] = ['igmpproxy_configure_do'];
     $services[] = $pconfig;
 
     return $services;
@@ -56,10 +56,10 @@ function igmpproxy_services()
 
 function igmpproxy_configure()
 {
-    return array(
-        'bootup' => array('igmpproxy_configure_do'),
-        'newwanip' => array('igmpproxy_configure_do'),
-    );
+    return [
+        'bootup' => ['igmpproxy_configure_do'],
+        'newwanip' => ['igmpproxy_configure_do'],
+    ];
 }
 
 function igmpproxy_configure_do($verbose = false)
@@ -72,10 +72,7 @@ function igmpproxy_configure_do($verbose = false)
         return;
     }
 
-    if ($verbose) {
-        echo 'Starting IGMP Proxy...';
-        flush();
-    }
+    service_log('Starting IGMP Proxy...', $verbose);
 
     $iflist = get_configured_interface_with_descr();
 
@@ -115,7 +112,5 @@ EOD;
     file_put_contents('/usr/local/etc/igmpproxy.conf', $igmpconf);
     mwexec('/usr/local/etc/rc.d/igmpproxy onestart');
 
-    if ($verbose) {
-        print "done.\n";
-    }
+    service_log("done.\n", $verbose);
 }

From a53131573e7e8e5ac45456db8967a52926dee1a3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:15:04 +0200
Subject: [PATCH 1207/3088] dns/rfc2136: use service_log() #6099

---
 .../src/etc/inc/plugins.inc.d/rfc2136.inc     | 93 +++++++++----------
 1 file changed, 42 insertions(+), 51 deletions(-)

diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 1a568bc86a..8858cde0c9 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -1,41 +1,41 @@
 <?php
 
 /*
-    Copyright (C) 2014-2017 Franco Fichtner <franco@opnsense.org>
-    Copyright (C) 2010 Ermal Luçi
-    Copyright (C) 2005-2006 Colin Smith <ethethlay@gmail.com>
-    Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2014-2017 Franco Fichtner <franco@opnsense.org>
+ * Copyright (C) 2010 Ermal Luçi
+ * Copyright (C) 2005-2006 Colin Smith <ethethlay@gmail.com>
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 function rfc2136_configure()
 {
-    return array(
-        'bootup' => array('rfc2136_configure_do'),
-        'local' => array('rfc2136_configure_do'),
-        'newwanip' => array('rfc2136_configure_do:2'),
-    );
+    return [
+        'bootup' => ['rfc2136_configure_do'],
+        'local' => ['rfc2136_configure_do'],
+        'newwanip' => ['rfc2136_configure_do:2'],
+    ];
 }
 
 function rfc2136_enabled()
@@ -55,19 +55,15 @@ function rfc2136_enabled()
 
 function rfc2136_services()
 {
-    global $config;
-
-    $services = array();
+    $services = [];
 
     if (rfc2136_enabled()) {
-        $services[] = array(
+        $services[] = [
             'description' => gettext('RFC 2136'),
-            'configd' => array(
-                'restart' => array('rfc2136 reload'),
-            ),
+            'configd' => [ 'restart' => ['rfc2136 reload'] ],
             'nocheck' => true,
             'name' => 'rfc2136',
-        );
+        ];
     }
 
     return $services;
@@ -75,10 +71,10 @@ function rfc2136_services()
 
 function rfc2136_cron()
 {
-    $jobs = array();
+    $jobs = [];
 
     if (rfc2136_enabled()) {
-        $jobs[]['autocron'] = array('/usr/local/etc/rc.rfc2136', '16', '1');
+        $jobs[]['autocron'] = ['/usr/local/etc/rc.rfc2136', '16', '1'];
     }
 
     return $jobs;
@@ -99,10 +95,7 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
         return;
     }
 
-    if ($verbose) {
-        echo 'Configuring RFC 2136 clients...';
-        flush();
-    }
+    service_log('Configuring RFC 2136 clients...', $verbose);
 
     foreach ($config['dnsupdates']['dnsupdate'] as $i => $dnsupdate) {
         if (!isset($dnsupdate['enable'])) {
@@ -170,7 +163,7 @@ EOD;
             if (file_exists($cacheFile)) {
                 list($cachedipv4, $cacheTimev4) = explode('|', file_get_contents($cacheFile));
             } else {
-                list($cachedipv4, $cacheTimev4) = array('', '');
+                list($cachedipv4, $cacheTimev4) = ['', ''];
             }
             if (isset($dnsupdate['usepublicip'])) {
                 $wanip = get_rfc2136_ip_address($dnsupdate['interface'], 4);
@@ -197,7 +190,7 @@ EOD;
             if (file_exists($cacheFile6)) {
                 list($cachedipv6, $cacheTimev6) = explode('|', file_get_contents($cacheFile6));
             } else {
-                list($cachedipv6, $cacheTimev6) = array('', '');
+                list($cachedipv6, $cacheTimev6) = ['', ''];
             }
             if (isset($dnsupdate['usepublicip'])) {
                 $wanipv6 = get_rfc2136_ip_address($dnsupdate['interface'], 6);
@@ -235,9 +228,7 @@ EOD;
         }
     }
 
-    if ($verbose) {
-        echo "done.\n";
-    }
+    service_log("done.\n", $verbose);
 }
 
 function get_rfc2136_ip_address($int, $ipver = 4)

From 1af67f41961c0b528bd72066ad02922ca2d6ee47 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:19:47 +0200
Subject: [PATCH 1208/3088] dns/dyndns: use service_log() #6099

---
 .../src/etc/inc/plugins.inc.d/dyndns.inc      | 39 +++++++------------
 1 file changed, 15 insertions(+), 24 deletions(-)

diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
index 54f1db403d..455d68d7d1 100644
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
@@ -34,11 +34,11 @@ require_once('plugins.inc.d/dyndns/r53.inc');
 
 function dyndns_configure()
 {
-    return array(
-        'bootup' => array('dyndns_configure_do'),
-        'local' => array('dyndns_configure_do'),
-        'newwanip' => array('dyndns_configure_do:2'),
-    );
+    return [
+        'bootup' => ['dyndns_configure_do'],
+        'local' => ['dyndns_configure_do'],
+        'newwanip' => ['dyndns_configure_do:2'],
+    ];
 }
 
 function dyndns_enabled()
@@ -58,19 +58,15 @@ function dyndns_enabled()
 
 function dyndns_services()
 {
-    global $config;
-
-    $services = array();
+    $services = [];
 
     if (dyndns_enabled()) {
-        $services[] = array(
+        $services[] = [
             'description' => gettext('Dynamic DNS'),
-            'configd' => array(
-                'restart' => array('dyndns reload'),
-            ),
+            'configd' => [ 'restart' => ['dyndns reload'] ],
             'nocheck' => true,
             'name' => 'dyndns',
-        );
+        ];
     }
 
     return $services;
@@ -78,10 +74,10 @@ function dyndns_services()
 
 function dyndns_cron()
 {
-    $jobs = array();
+    $jobs = [];
 
     if (dyndns_enabled()) {
-        $jobs[]['autocron'] = array('/usr/local/etc/rc.dyndns', '11', '1');
+        $jobs[]['autocron'] = ['/usr/local/etc/rc.dyndns', '11', '1'];
     }
 
     return $jobs;
@@ -95,7 +91,7 @@ function dyndns_list()
      * https://github.com/openwrt/packages/blob/master/net/ddns-scripts/files/services
      */
 
-    return array(
+    return [
         '1984-hosting' => '1984 Hosting Company',
         '3322' => '3322',
         'all-inkl' => 'All-Inkl',
@@ -154,7 +150,7 @@ function dyndns_list()
         'strato' => 'STRATO',
         'strato-v6' => 'STRATO (v6)',
         'zoneedit' => 'ZoneEdit',
-    );
+    ];
 }
 
 function dyndns_cache_file($conf, $ipver = 4)
@@ -206,10 +202,7 @@ function dyndns_configure_do($verbose = false, $int = '')
     $dyndnscfg = $config['dyndnses']['dyndns'];
     $gwgroups = return_gateway_groups_array();
 
-    if ($verbose) {
-        echo 'Configuring dynamic DNS clients...';
-        flush();
-    }
+    service_log('Configuring dynamic DNS clients...', $verbose);
 
     foreach ($dyndnscfg as $dyndns) {
         if ((empty($int)) || ($int == $dyndns['interface']) || (is_array($gwgroups[$dyndns['interface']]))) {
@@ -221,9 +214,7 @@ function dyndns_configure_do($verbose = false, $int = '')
         }
     }
 
-    if ($verbose) {
-        echo "done.\n";
-    }
+    service_log("done.\n", $verbose);
 }
 
 function dyndns_failover_interface($interface, $family = 'all')

From 3e8c480ed027b36c3cb3316b5fffa2a7dbb7c72e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:42:19 +0200
Subject: [PATCH 1209/3088] www/nginx: style update

---
 www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
index cd13ead9f3..721b3832c0 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
@@ -261,7 +261,7 @@ function cleanup_work_files($work_files)
     $alias_ips = [];
     $ban_ttl = intval((string)$model->general->ban_ttl);
     if ($ban_ttl && ($ban_ttl > 0)) {
-        $min_timestamp = time() - 60*$ban_ttl;
+        $min_timestamp = time() - 60 * $ban_ttl;
     }
     $change_required = false;
     foreach ($model->ban->iterateItems() as $id => $entry) {

From 9f40e43d573a75744d6d597a77d5070368d71568 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:42:40 +0200
Subject: [PATCH 1210/3088] net/wireguard: style update

---
 .../OPNsense/Wireguard/Api/GeneralController.php  | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
index ba5caabc5b..9ce308698c 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
@@ -55,7 +55,7 @@ public function getStatusAction()
             $peers_uuid_pubkey[$peerUuid] = (string) $client->pubkey;
             $peers[$peerUuid] = [
                 "name"      => (string)  $client->name,
-                "enabled"   => (integer) $client->enabled,
+                "enabled"   => (int) $client->enabled,
                 "publicKey" => (string)  $client->pubkey,
             ];
         }
@@ -64,14 +64,16 @@ public function getStatusAction()
         $status = [];
         $peer_pubkey_reference = [];
         foreach ($config->server->servers->server as $server) {
-            if ($server->enabled != "1") continue;
+            if ($server->enabled != "1") {
+                continue;
+            }
 
             // build basic server array
-            $interface = "wg".$server->instance;
+            $interface = "wg" . $server->instance;
             $status[$interface] = [
-                "instance"  => (integer) $server->instance,
+                "instance"  => (int) $server->instance,
                 "interface" => (string)  $interface,
-                "enabled"   => (integer) $server->enabled,
+                "enabled"   => (int) $server->enabled,
                 "name"      => (string)  $server->name,
                 "peers"     => [],
             ];
@@ -89,7 +91,8 @@ public function getStatusAction()
                         $peers[$peerUuid],
                         [
                             "lastHandshake" => "0000-00-00 00:00:00+00:00",
-                        ]);
+                        ]
+                    );
                 }
             }
         }

From 302d2832ac031627e61e5d6198acb34d9305e22d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:42:52 +0200
Subject: [PATCH 1211/3088] net/freeradius: style update

---
 .../src/opnsense/scripts/Freeradius/generate_certs.php          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
index 9b54cd6c86..efb5eabd0f 100755
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@@ -111,7 +111,7 @@
                 }
             }
         }
-       $cert_refid = (string)$find_cert->ldapcert;
+        $cert_refid = (string)$find_cert->ldapcert;
         // if eap has a certificate attached, search for its contents
         if ($cert_refid != "") {
             foreach ($configObj->cert as $ldapcert) {

From c6c2b68f2d67ea0c7d112cc8611e3602eef1d0ec Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:43:04 +0200
Subject: [PATCH 1212/3088] security/acme-client: fix XML

---
 .../controllers/OPNsense/AcmeClient/forms/dialogValidation.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index ad1d54aae1..9dc7f8afc5 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1070,7 +1070,7 @@
         <id>validation.dns_selfhost_map</id>
         <label>RID Mapping</label>
         <type>textbox</type>
-        <help>Please create the TXT Record with Subdomain _acme-challenge first, than you can get the ID from the edit page. Up to two RIDs per fulldomain are supported but at least one must be set, e.g. _acme-challenge.domain.net:RID:RI>
+        <help>Please create the TXT Record with Subdomain _acme-challenge first, than you can get the ID from the edit page. Up to two RIDs per fulldomain are supported but at least one must be set, e.g. _acme-challenge.domain.net:RID:RID</help>
     </field>
     <field>
         <label>Servercow</label>

From 2005d4b37561bcc1aeefeadae105644a671c40d9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:48:19 +0200
Subject: [PATCH 1213/3088] net/wireguard: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../service/conf/actions.d/actions_wireguard.conf      | 10 ++--------
 .../service/templates/OPNsense/Wireguard/wireguard     |  2 +-
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index ac9d353e8a..109f209aa9 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -1,8 +1,5 @@
 [start]
-command:
-    /usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh;
-    /usr/local/etc/rc.d/wireguard start;
-    /usr/local/etc/rc.routing_configure
+command:/usr/local/etc/rc.d/wireguard start; /usr/local/etc/rc.routing_configure
 parameters:
 type:script
 message:Starting WireGuard
@@ -14,10 +11,7 @@ type:script
 message:Stopping WireGuard
 
 [restart]
-command:
-    /usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh;
-    /usr/local/etc/rc.d/wireguard restart;
-    /usr/local/etc/rc.routing_configure
+command:/usr/local/etc/rc.d/wireguard restart; /usr/local/etc/rc.routing_configure
 parameters:
 type:script
 message:Restarting WireGuard
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
index 5cbde5ecf5..95627a5f4f 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.wireguard.general.enabled') and OPNsense.wireguard.general.enabled == '1' %}
-wireguard_var_script="/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh"
+wireguard_setup="/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh"
 wireguard_enable="YES"
 {%   if helpers.exists('OPNsense.wireguard.server.servers.server') %}
 {%   set activeservers=[] %}

From 327f006aeadeb0d54c843962d08b41dd8d3241fe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:50:57 +0200
Subject: [PATCH 1214/3088] net/vnstat: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../opnsense/service/conf/actions.d/actions_vnstat.conf   | 8 ++++----
 .../src/opnsense/service/templates/OPNsense/Vnstat/vnstat | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/vnstat/src/opnsense/service/conf/actions.d/actions_vnstat.conf b/net/vnstat/src/opnsense/service/conf/actions.d/actions_vnstat.conf
index 0e13bb1b3f..4a4fcbd64e 100644
--- a/net/vnstat/src/opnsense/service/conf/actions.d/actions_vnstat.conf
+++ b/net/vnstat/src/opnsense/service/conf/actions.d/actions_vnstat.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Vnstat/setup.sh;/usr/local/etc/rc.d/vnstat start && sleep 1
+command:/usr/local/etc/rc.d/vnstat start && sleep 1
 parameters:
 type:script
 message:starting Vnstat
 
 [stop]
-command:/usr/local/etc/rc.d/vnstat stop; exit 0
+command:/usr/local/etc/rc.d/vnstat stop
 parameters:
 type:script
 message:stopping Vnstat
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Vnstat/setup.sh;/usr/local/etc/rc.d/vnstat restart && sleep 1
+command:/usr/local/etc/rc.d/vnstat restart && sleep 1
 parameters:
 type:script
 message:restarting Vnstat
 
 [status]
-command:/usr/local/etc/rc.d/vnstat status;exit 0
+command:/usr/local/etc/rc.d/vnstat status; exit 0
 parameters:
 type:script_output
 message:request Vnstat status
diff --git a/net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat b/net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat
index c04a95f782..345177c8a0 100644
--- a/net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat
+++ b/net/vnstat/src/opnsense/service/templates/OPNsense/Vnstat/vnstat
@@ -1,6 +1,6 @@
 {% if helpers.exists('OPNsense.vnstat.general.enabled') and OPNsense.vnstat.general.enabled == '1' %}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
-vnstat_var_script="/usr/local/opnsense/scripts/OPNsense/Vnstat/setup.sh"
+vnstat_setup="/usr/local/opnsense/scripts/OPNsense/Vnstat/setup.sh"
 vnstat_enable="YES"
 {%   if helpers.exists('OPNsense.vnstat.general.interface') and OPNsense.vnstat.general.interface != '' %}
 {%     set interfaces = [] %}

From 596b8762c218d829f802a7f8d173948b9ca84c1d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:52:40 +0200
Subject: [PATCH 1215/3088] net/tayga: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../service/conf/actions.d/actions_tayga.conf    | 16 ++++++----------
 .../service/templates/OPNsense/Tayga/tayga       |  2 +-
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/net/tayga/src/opnsense/service/conf/actions.d/actions_tayga.conf b/net/tayga/src/opnsense/service/conf/actions.d/actions_tayga.conf
index 9b114dff97..527e918577 100644
--- a/net/tayga/src/opnsense/service/conf/actions.d/actions_tayga.conf
+++ b/net/tayga/src/opnsense/service/conf/actions.d/actions_tayga.conf
@@ -1,22 +1,18 @@
-[stop]
-command:/usr/local/etc/rc.d/opnsense-tayga stop
+[start]
+command:/usr/local/etc/rc.d/opnsense-tayga start; /usr/local/etc/rc.routing_configure
 parameters:
 type:script_output
-message:stopping tayga
+message:starting tayga
 
-[start]
-command:
-    /usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh;
-    /usr/local/etc/rc.d/opnsense-tayga start;
-    /usr/local/etc/rc.routing_configure
+[stop]
+command:/usr/local/etc/rc.d/opnsense-tayga stop
 parameters:
 type:script_output
-message:starting tayga
+message:stopping tayga
 
 [restart]
 command:
     /usr/local/etc/rc.d/opnsense-tayga stop;
-    /usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh;
     /usr/local/etc/rc.d/opnsense-tayga start;
     /usr/local/etc/rc.routing_configure
 parameters:
diff --git a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
index 93cae0d9e1..0d740d98c5 100644
--- a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
+++ b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.tayga.general.enabled') and OPNsense.tayga.general.enabled == '1' %}
-tayga_var_script="/usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh"
+tayga_script="/usr/local/opnsense/scripts/OPNsense/Tayga/setup.sh"
 tayga_enable="YES"
 tayga_v4address={{ OPNsense.tayga.general.v4address }}
 tayga_v4destination={{ OPNsense.tayga.general.v4destination }}

From d3b7d342d66d35311db9a8643986513073b261cb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 09:59:37 +0200
Subject: [PATCH 1216/3088] net/siproxd: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../OPNsense/Siproxd/Api/ServiceController.php       |  2 +-
 .../service/conf/actions.d/actions_siproxd.conf      | 12 ++++++------
 .../service/templates/OPNsense/Siproxd/siproxd       |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
index e1634191fd..6e934931a9 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
@@ -46,7 +46,7 @@ class ServiceController extends ApiControllerBase
     public function showregistrationsAction()
     {
         $backend = new Backend();
-        $response = $backend->configdRun("siproxd show-registrations");
+        $response = $backend->configdRun('siproxd registrations');
         return array("response" => $response);
     }
 
diff --git a/net/siproxd/src/opnsense/service/conf/actions.d/actions_siproxd.conf b/net/siproxd/src/opnsense/service/conf/actions.d/actions_siproxd.conf
index 37fbfae760..82cf4df4e8 100644
--- a/net/siproxd/src/opnsense/service/conf/actions.d/actions_siproxd.conf
+++ b/net/siproxd/src/opnsense/service/conf/actions.d/actions_siproxd.conf
@@ -1,29 +1,29 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Siproxd/setup.sh;/usr/local/etc/rc.d/siproxd start
+command:/usr/local/etc/rc.d/siproxd start
 parameters:
 type:script
 message:starting Siproxd
 
 [stop]
-command:/usr/local/etc/rc.d/siproxd stop; exit 0
+command:/usr/local/etc/rc.d/siproxd stop
 parameters:
 type:script
 message:stopping Siproxd
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Siproxd/setup.sh;/usr/local/etc/rc.d/siproxd restart
+command:/usr/local/etc/rc.d/siproxd restart
 parameters:
 type:script
 message:restarting Siproxd
 
 [status]
-command:/usr/local/etc/rc.d/siproxd status;exit 0
+command:/usr/local/etc/rc.d/siproxd status; exit 0
 parameters:
 type:script_output
 message:request Siproxd status
 
-[show-registrations]
+[registrations]
 command:/bin/cat /var/lib/siproxd/siproxd_registrations
 parameters:
 type:script_output
-message: Show registered devices
+message:show registered devices
diff --git a/net/siproxd/src/opnsense/service/templates/OPNsense/Siproxd/siproxd b/net/siproxd/src/opnsense/service/templates/OPNsense/Siproxd/siproxd
index 9c3277f967..b836d595d8 100644
--- a/net/siproxd/src/opnsense/service/templates/OPNsense/Siproxd/siproxd
+++ b/net/siproxd/src/opnsense/service/templates/OPNsense/Siproxd/siproxd
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.siproxd.general.enabled') and OPNsense.siproxd.general.enabled == '1' %}
-siproxd_var_script="/usr/local/opnsense/scripts/OPNsense/Siproxd/setup.sh"
+siproxd_setup="/usr/local/opnsense/scripts/OPNsense/Siproxd/setup.sh"
 siproxd_enable="YES"
 {% else %}
 siproxd_enable="NO"

From 25aeebd40be3fb954ed863bbb9915479b228832d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 10:03:14 +0200
Subject: [PATCH 1217/3088] net/ntopng: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../src/opnsense/service/conf/actions.d/actions_ntopng.conf   | 4 ++--
 .../src/opnsense/service/templates/OPNsense/Ntopng/ntopng     | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/ntopng/src/opnsense/service/conf/actions.d/actions_ntopng.conf b/net/ntopng/src/opnsense/service/conf/actions.d/actions_ntopng.conf
index 172e64bb7b..2f14f5bc23 100644
--- a/net/ntopng/src/opnsense/service/conf/actions.d/actions_ntopng.conf
+++ b/net/ntopng/src/opnsense/service/conf/actions.d/actions_ntopng.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Ntopng/setup.sh;/usr/local/etc/rc.d/ntopng start
+command:/usr/local/etc/rc.d/ntopng start
 parameters:
 type:script
 message:starting ntopng
@@ -11,7 +11,7 @@ type:script
 message:stopping ntopng
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Ntopng/setup.sh;/usr/local/etc/rc.d/ntopng restart
+command:/usr/local/etc/rc.d/ntopng restart
 parameters:
 type:script
 message:restarting ntopng
diff --git a/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng b/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng
index 84d4a2dbf2..e665022956 100644
--- a/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng
+++ b/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.ntopng.general.enabled') and OPNsense.ntopng.general.enabled == '1' %}
-ntopng_var_script="/usr/local/opnsense/scripts/OPNsense/Ntopng/setup.sh"
+ntopng_setup="/usr/local/opnsense/scripts/OPNsense/Ntopng/setup.sh"
 ntopng_enable="YES"
 ntopng_flags="/usr/local/etc/ntopng.conf"
 {% else %}

From 4e01cb2333acd997b01e6a10a9c447b1ccf520dc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 10:08:03 +0200
Subject: [PATCH 1218/3088] net/haproxy: remove _var_script use

Commit message 27d89b85955c applies here as well.  For now disable
the new line until it is properly integrated.  It could otherwise
interfere with the way things are set up.

PR: https://github.com/opnsense/core/issues/5917
---
 .../src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d   | 2 +-
 .../opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
index 261881284a..fdb9bcf37e 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
@@ -1,6 +1,6 @@
 {% if helpers.exists('OPNsense.HAProxy.general.enabled') and OPNsense.HAProxy.general.enabled|default("0") == "1" %}
 haproxy_enable=YES
-haproxy_var_script="/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh"
+#haproxy_setup="/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh"
 haproxy_pidfile="/var/run/haproxy.pid"
 haproxy_config="/usr/local/etc/haproxy.conf"
 {% if helpers.exists('OPNsense.HAProxy.general.storeOcsp') and OPNsense.HAProxy.general.storeOcsp|default("0") == "1" %}
diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
index 96d20f1bc0..6d1991e9df 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
@@ -2,7 +2,7 @@
 acme_http_challenge_enable=YES
 acme_http_challenge_conf="/var/etc/lighttpd-acme-challenge.conf"
 acme_http_challenge_pidfile="/var/run/lighttpd-acme-challenge.pid"
-acme_http_challenge_setup="/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh"
+#acme_http_challenge_setup="/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh"
 {% else %}
 acme_http_challenge_enable=NO
 {% endif %}

From 21bb530c6d8604e97d81f9bbc8520c7035bda4f2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 10:11:06 +0200
Subject: [PATCH 1219/3088] net/freeradius: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../opnsense/service/conf/actions.d/actions_freeradius.conf   | 4 ++--
 .../opnsense/service/templates/OPNsense/Freeradius/radiusd    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf b/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
index 526e7ce5bd..6263cd1f07 100644
--- a/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
+++ b/net/freeradius/src/opnsense/service/conf/actions.d/actions_freeradius.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/Freeradius/setup.sh;/usr/local/etc/rc.d/radiusd start
+command:/usr/local/etc/rc.d/radiusd start
 parameters:
 type:script
 description:Start FreeRADIUS service
@@ -13,7 +13,7 @@ description:Stop FreeRADIUS service
 message:stopping FreeRADIUS
 
 [restart]
-command:/usr/local/opnsense/scripts/Freeradius/setup.sh;/usr/local/etc/rc.d/radiusd restart
+command:/usr/local/etc/rc.d/radiusd restart
 parameters:
 type:script
 description:Restart FreeRADIUS service
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/radiusd b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/radiusd
index d5c05a8934..35b94e447c 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/radiusd
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/radiusd
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.freeradius.general.enabled') and OPNsense.freeradius.general.enabled == '1' %}
-radiusd_var_script="/usr/local/opnsense/scripts/Freeradius/setup.sh"
+radiusd_setup="/usr/local/opnsense/scripts/Freeradius/setup.sh"
 radiusd_enable="YES"
 {% else %}
 radiusd_enable="NO"

From 1e87d5ef60cd5eb9cd7c8f46fda321f391b83349 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 10:12:30 +0200
Subject: [PATCH 1220/3088] net/chrony: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../src/opnsense/service/conf/actions.d/actions_chrony.conf | 6 +++---
 .../src/opnsense/service/templates/OPNsense/Chrony/chronyd  | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf b/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
index cc0beb772d..a8fd65f27d 100644
--- a/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
+++ b/net/chrony/src/opnsense/service/conf/actions.d/actions_chrony.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Chrony/setup.sh;/usr/local/etc/rc.d/chronyd start
+command:/usr/local/etc/rc.d/chronyd start
 parameters:
 type:script
 message:starting chrony
@@ -11,13 +11,13 @@ type:script
 message:stopping chrony
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Chrony/setup.sh;/usr/local/etc/rc.d/chronyd restart
+command:/usr/local/etc/rc.d/chronyd restart
 parameters:
 type:script
 message:restarting chrony
 
 [status]
-command:/usr/local/etc/rc.d/chronyd status;exit 0
+command:/usr/local/etc/rc.d/chronyd status; exit 0
 parameters:
 type:script_output
 message:request chrony status
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd
index 49fffb820e..5047568ee8 100644
--- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chronyd
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.chrony.general.enabled') and OPNsense.chrony.general.enabled == '1' %}
-chronyd_var_script="/usr/local/opnsense/scripts/OPNsense/Chrony/setup.sh"
+chronyd_setup="/usr/local/opnsense/scripts/OPNsense/Chrony/setup.sh"
 chronyd_enable="YES"
 {% else %}
 chronyd_enable="NO"

From 8c3a087db1413528fea953ee5d0cd5d6fbc75312 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 10:16:04 +0200
Subject: [PATCH 1221/3088] net-mgmt/zabbix-proxy: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../service/conf/actions.d/actions_zabbixproxy.conf       | 8 ++++----
 .../service/templates/OPNsense/Zabbixproxy/zabbix_proxy   | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf b/net-mgmt/zabbix-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
index 7904a14457..de02101fd7 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/conf/actions.d/actions_zabbixproxy.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy start
+command:/usr/local/etc/rc.d/zabbix_proxy start
 parameters:
 type:script
 message:starting Zabbix Proxy
 
 [stop]
-command:/usr/local/etc/rc.d/zabbix_proxy stop; exit 0
+command:/usr/local/etc/rc.d/zabbix_proxy stop
 parameters:
 type:script
 message:stopping Zabbix Proxy
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh;/usr/local/etc/rc.d/zabbix_proxy restart
+command:/usr/local/etc/rc.d/zabbix_proxy restart
 parameters:
 type:script
 message:restarting Zabbix Proxy
 
 [status]
-command:/usr/local/etc/rc.d/zabbix_proxy status;exit 0
+command:/usr/local/etc/rc.d/zabbix_proxy status; exit 0
 parameters:
 type:script_output
 message:request Zabbix Proxy status
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
index f9c1bb348a..feb35290da 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.zabbixproxy.general.enabled') and OPNsense.zabbixproxy.general.enabled == '1' %}
-zabbix_proxy_var_script="/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh"
+zabbix_proxy_setup="/usr/local/opnsense/scripts/OPNsense/Zabbixproxy/setup.sh"
 zabbix_proxy_enable="YES"
 {% else %}
 zabbix_proxy_enable="NO"

From 3f84a7f6f65080ecd95b0d9118408e09a55342de Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 10:18:58 +0200
Subject: [PATCH 1222/3088] net-mgmt/zabbix-agent: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../opnsense/service/conf/actions.d/actions_zabbixagent.conf  | 4 ++--
 .../opnsense/service/templates/OPNsense/ZabbixAgent/rc.conf.d | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/zabbix-agent/src/opnsense/service/conf/actions.d/actions_zabbixagent.conf b/net-mgmt/zabbix-agent/src/opnsense/service/conf/actions.d/actions_zabbixagent.conf
index d95fb2da2d..31200b3b7c 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/service/conf/actions.d/actions_zabbixagent.conf
+++ b/net-mgmt/zabbix-agent/src/opnsense/service/conf/actions.d/actions_zabbixagent.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/ZabbixAgent/setup.sh; /usr/local/etc/rc.d/zabbix_agentd start
+command:/usr/local/etc/rc.d/zabbix_agentd start
 parameters:
 type:script
 message:starting zabbix_agentd
@@ -11,7 +11,7 @@ type:script
 message:stopping zabbix_agentd
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/ZabbixAgent/setup.sh; /usr/local/etc/rc.d/zabbix_agentd restart
+command:/usr/local/etc/rc.d/zabbix_agentd restart
 parameters:
 type:script
 description:Restart Zabbix Agent
diff --git a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/rc.conf.d b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/rc.conf.d
index 462754dbc8..b119808fab 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/rc.conf.d
+++ b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/rc.conf.d
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.ZabbixAgent.settings.main.enabled') and OPNsense.ZabbixAgent.settings.main.enabled|default("0") == "1" %}
-zabbix_agentd_var_script="/usr/local/opnsense/scripts/OPNsense/ZabbixAgent/setup.sh"
+zabbix_agentd_setup="/usr/local/opnsense/scripts/OPNsense/ZabbixAgent/setup.sh"
 zabbix_agentd_config="/usr/local/etc/zabbix_agentd.conf"
 zabbix_agentd_enable="YES"
 {% else %}

From 2606ea8d1ff926cd1de713c2746909d6e16442c6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 10:47:34 +0200
Subject: [PATCH 1223/3088] net-mgmt/telegraf: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../opnsense/service/conf/actions.d/actions_telegraf.conf | 8 ++++----
 .../opnsense/service/templates/OPNsense/Telegraf/telegraf | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/service/conf/actions.d/actions_telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/conf/actions.d/actions_telegraf.conf
index 6a6db780ea..03273aa696 100644
--- a/net-mgmt/telegraf/src/opnsense/service/conf/actions.d/actions_telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/conf/actions.d/actions_telegraf.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Telegraf/setup.sh; /usr/local/etc/rc.d/telegraf start
+command:/usr/local/etc/rc.d/telegraf start
 parameters:
 type:script
 message:starting telegraf
 
 [stop]
-command:/usr/local/etc/rc.d/telegraf stop; exit 0
+command:/usr/local/etc/rc.d/telegraf stop
 parameters:
 type:script
 message:stopping telegraf
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Telegraf/setup.sh; /usr/local/etc/rc.d/telegraf restart
+command:/usr/local/etc/rc.d/telegraf restart
 parameters:
 type:script
 message:restarting telegraf
 
 [status]
-command:/usr/local/etc/rc.d/telegraf status;exit 0
+command:/usr/local/etc/rc.d/telegraf status; exit 0
 parameters:
 type:script_output
 message:request telegraf status
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
index 5e91fffa8f..2d153aceb7 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf
@@ -3,7 +3,7 @@
 telegraf_user="root"
 telegraf_group="wheel"
 {%   endif %}
-telegraf_var_script="/usr/local/opnsense/scripts/OPNsense/Telegraf/setup.sh"
+telegraf_setup="/usr/local/opnsense/scripts/OPNsense/Telegraf/setup.sh"
 telegraf_enable="YES"
 telegraf_confdir="/usr/local/etc/telegraf.d"
 {% else %}

From fe53facdda31bc8d401199d57bbf2c48f16fcc27 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 10:49:04 +0200
Subject: [PATCH 1224/3088] net-mgmt/nrpe: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../src/opnsense/service/conf/actions.d/actions_nrpe.conf     | 4 ++--
 .../nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/nrpe/src/opnsense/service/conf/actions.d/actions_nrpe.conf b/net-mgmt/nrpe/src/opnsense/service/conf/actions.d/actions_nrpe.conf
index 9411074a8e..89b66602a7 100644
--- a/net-mgmt/nrpe/src/opnsense/service/conf/actions.d/actions_nrpe.conf
+++ b/net-mgmt/nrpe/src/opnsense/service/conf/actions.d/actions_nrpe.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Nrpe/setup.sh;/usr/local/etc/rc.d/nrpe3 start
+command:/usr/local/etc/rc.d/nrpe3 start
 parameters:
 type:script
 message:starting nrpe
@@ -11,7 +11,7 @@ type:script
 message:stopping nrpe
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Nrpe/setup.sh;/usr/local/etc/rc.d/nrpe3 restart
+command:/usr/local/etc/rc.d/nrpe3 restart
 parameters:
 type:script
 message:restarting nrpe
diff --git a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
index 256738cbb8..dc85ed6ac8 100644
--- a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
+++ b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.nrpe.general.enabled') and OPNsense.nrpe.general.enabled == '1' %}
-nrpe3_var_script="/usr/local/opnsense/scripts/OPNsense/Nrpe/setup.sh"
+nrpe3_setup="/usr/local/opnsense/scripts/OPNsense/Nrpe/setup.sh"
 nrpe3_enable="YES"
 {% else %}
 nrpe3_enable="NO"

From 8998d79644a3f157148fa7c54b8ed517936f08c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 14:59:22 +0200
Subject: [PATCH 1225/3088] net-mgmt/netdata: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../opnsense/service/conf/actions.d/actions_netdata.conf    | 6 +++---
 .../src/opnsense/service/templates/OPNsense/Netdata/netdata | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/netdata/src/opnsense/service/conf/actions.d/actions_netdata.conf b/net-mgmt/netdata/src/opnsense/service/conf/actions.d/actions_netdata.conf
index 946afec16e..3a4b3e804c 100644
--- a/net-mgmt/netdata/src/opnsense/service/conf/actions.d/actions_netdata.conf
+++ b/net-mgmt/netdata/src/opnsense/service/conf/actions.d/actions_netdata.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Netdata/setup.sh;/usr/local/etc/rc.d/netdata start
+command:/usr/local/etc/rc.d/netdata start
 parameters:
 type:script
 message:starting Netdata
@@ -11,13 +11,13 @@ type:script
 message:stopping Netdata
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Netdata/setup.sh;/usr/local/etc/rc.d/netdata restart
+command:/usr/local/etc/rc.d/netdata restart
 parameters:
 type:script
 message:restarting Netdata
 
 [status]
-command:/usr/local/etc/rc.d/netdata status;exit 0
+command:/usr/local/etc/rc.d/netdata status; exit 0
 parameters:
 type:script_output
 message:request Netdata status
diff --git a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
index 18cbcf68c4..069a44fc64 100644
--- a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
+++ b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.netdata.general.enabled') and OPNsense.netdata.general.enabled == '1' %}
-netdata_var_script="/usr/local/opnsense/scripts/OPNsense/Netdata/setup.sh"
+netdata_setup="/usr/local/opnsense/scripts/OPNsense/Netdata/setup.sh"
 netdata_enable="YES"
 {% else %}
 netdata_enable="NO"

From 3479c5568e949b33d169bc5cb88bc9416eff6efc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 15:01:15 +0200
Subject: [PATCH 1226/3088] net-mgmt/net-snmp: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../opnsense/service/conf/actions.d/actions_netsnmp.conf  | 8 ++++----
 .../src/opnsense/service/templates/OPNsense/Netsnmp/snmpd | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/net-snmp/src/opnsense/service/conf/actions.d/actions_netsnmp.conf b/net-mgmt/net-snmp/src/opnsense/service/conf/actions.d/actions_netsnmp.conf
index c1e0b275a1..dc6497b07f 100644
--- a/net-mgmt/net-snmp/src/opnsense/service/conf/actions.d/actions_netsnmp.conf
+++ b/net-mgmt/net-snmp/src/opnsense/service/conf/actions.d/actions_netsnmp.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Netsnmp/setup.sh;/usr/local/etc/rc.d/snmpd start
+command:/usr/local/etc/rc.d/snmpd start
 parameters:
 type:script
 message:starting Net-SNMP
 
 [stop]
-command:/usr/local/etc/rc.d/snmpd stop; exit 0
+command:/usr/local/etc/rc.d/snmpd stop
 parameters:
 type:script
 message:stopping Net-SNMP
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Netsnmp/setup.sh;/usr/local/etc/rc.d/snmpd restart
+command:/usr/local/etc/rc.d/snmpd restart
 parameters:
 type:script
 message:restarting Net-SNMP
 
 [status]
-command:/usr/local/etc/rc.d/snmpd status;exit 0
+command:/usr/local/etc/rc.d/snmpd status; exit 0
 parameters:
 type:script_output
 message:request Net-SNMP status
diff --git a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd
index 74a0cfcb32..963f3c689b 100644
--- a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd
+++ b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.netsnmp.general.enabled') and OPNsense.netsnmp.general.enabled == '1' %}
-snmpd_var_script="/usr/local/opnsense/scripts/OPNsense/Netsnmp/setup.sh"
+snmpd_setup="/usr/local/opnsense/scripts/OPNsense/Netsnmp/setup.sh"
 snmpd_enable="YES"
 {% else %}
 snmpd_enable="NO"

From 8300f1920b1692b9bb569c4b4b9c359b10960dd3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Oct 2022 15:02:45 +0200
Subject: [PATCH 1227/3088] net-mgmt/collectd: use NAME_setup

PR: https://github.com/opnsense/core/issues/5917
---
 .../opnsense/service/conf/actions.d/actions_collectd.conf | 8 ++++----
 .../opnsense/service/templates/OPNsense/Collectd/collectd | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/collectd/src/opnsense/service/conf/actions.d/actions_collectd.conf b/net-mgmt/collectd/src/opnsense/service/conf/actions.d/actions_collectd.conf
index 5e5473ec41..817d6a2d42 100644
--- a/net-mgmt/collectd/src/opnsense/service/conf/actions.d/actions_collectd.conf
+++ b/net-mgmt/collectd/src/opnsense/service/conf/actions.d/actions_collectd.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Collectd/setup.sh;/usr/local/etc/rc.d/collectd start
+command:/usr/local/etc/rc.d/collectd start
 parameters:
 type:script
 message:starting Collectd
 
 [stop]
-command:/usr/local/etc/rc.d/collectd stop; exit 0
+command:/usr/local/etc/rc.d/collectd stop
 parameters:
 type:script
 message:stopping Collectd
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Collectd/setup.sh;/usr/local/etc/rc.d/collectd restart
+command:/usr/local/etc/rc.d/collectd restart
 parameters:
 type:script
 message:restarting Collectd
 
 [status]
-command:/usr/local/etc/rc.d/collectd status;exit 0
+command:/usr/local/etc/rc.d/collectd status; exit 0
 parameters:
 type:script_output
 message:request Collectd status
diff --git a/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd b/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd
index cf5949f7d1..a9a97d84eb 100644
--- a/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd
+++ b/net-mgmt/collectd/src/opnsense/service/templates/OPNsense/Collectd/collectd
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.collectd.general.enabled') and OPNsense.collectd.general.enabled == '1' %}
-collectd_var_script="/usr/local/opnsense/scripts/OPNsense/Collectd/setup.sh"
+collectd_setup="/usr/local/opnsense/scripts/OPNsense/Collectd/setup.sh"
 collectd_enable="YES"
 {% else %}
 collectd_enable="NO"

From f951f9b7c554aa3d224d989c5b86b9c0c7ae4670 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 11 Oct 2022 13:39:58 +0200
Subject: [PATCH 1228/3088] security/acme-client: add support for Google CA,
 refs #3029

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml        | 2 ++
 .../opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt | 1 +
 3 files changed, 8 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 6ce18d780f..648a07c0f7 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.14
+
+Added:
+* add support for Google CA (#3029)
+
 3.13
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 4222cc253b..cfaa8e67a5 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -148,6 +148,8 @@
                     <OptionValues>
                         <buypass>Buypass</buypass>
                         <buypass_test>Buypass Test CA</buypass_test>
+                        <google>Google</google>
+                        <google_test>Google Test CA</google_test>
                         <letsencrypt>Let's Encrypt [default]</letsencrypt>
                         <letsencrypt_test>Let's Encrypt Test CA</letsencrypt_test>
                         <sslcom>SSL.com</sslcom>
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index fb111608b1..287d8ad06b 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -254,6 +254,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <ul>
               <li>{{ lang._("%sLet's Encrypt:%s A free, automated, and open certificate authority, run for the public's benefit. It is a service provided by the Internet Security Research Group (ISRG). Read more about the ACME protocol in %stheir documentation%s.") | format('<b>', '</b>', '<a href="https://letsencrypt.org/how-it-works/" target="_blank">', '</a>') }}</li>
               <li>{{ lang._('%sBuypass:%s A commercial, european certificate authority, based in Norway. Check out %stheir documentation%s for details about rate-limits and the usage policy.') | format('<b>', '</b>', '<a href="https://www.buypass.com/ssl/resources/go-ssl-technical-specification" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._('%sGoogle:%s A commercial certificate authority. More information is available from %stheir documentation%s.') | format('<b>', '</b>', '<a href="https://cloud.google.com/certificate-manager/docs/overview" target="_blank">', '</a>') }}</li>
               <li>{{ lang._('%sSSL.com:%s A commercial, globally trusted certificate authority. They provide an %sextensive guide%s for using their paid services with the ACME protocol.') | format('<b>', '</b>', '<a href="https://www.ssl.com/guide/ssl-tls-certificate-issuance-and-revocation-with-acme/" target="_blank">', '</a>') }}</li>
               <li>{{ lang._("%sZeroSSL:%s A commercial, european certificate authority, based in Austria. They provide a feature overview on %stheir website%s for users of Let's Encrypt.") | format('<b>', '</b>', '<a href="https://zerossl.com/letsencrypt-alternative/" target="_blank">', '</a>') }}</li>
             </ul>

From f007b8af8a96c7378b86ac0aa7f0411d3dd95764 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 11 Oct 2022 13:50:59 +0200
Subject: [PATCH 1229/3088] security/acme-client: post-merge fixes for #3122

---
 security/acme-client/pkg-descr                           | 9 +++++++--
 .../OPNsense/AcmeClient/forms/dialogValidation.xml       | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 648a07c0f7..a484ee4dc2 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -9,10 +9,15 @@ Plugin Changelog
 ================
 
 3.14
+NOTE: Users of Selfhost need to manually fix their configuration, see
+https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#151-use-selfhost-dns-api
 
 Added:
 * add support for Google CA (#3029)
 
+Fixed:
+* fix Selfhost DNS API (#3122)
+
 3.13
 
 Added:
@@ -28,7 +33,7 @@ Added:
 * new automation: upload certificate to Vault (#2796)
 
 Fixed:
-* Re-order function parameters due to PHP8 deprecation notice (#3043)
+* re-order function parameters due to PHP8 deprecation notice (#3043)
 
 Changed:
 * simplyfi DNS service names
@@ -37,7 +42,7 @@ Changed:
 3.11
 
 Fixed:
-* Add missing <style> field for TransIP (#2981)
+* add missing <style> field for TransIP (#2981)
 
 3.10
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 9dc7f8afc5..5791474e64 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1070,7 +1070,7 @@
         <id>validation.dns_selfhost_map</id>
         <label>RID Mapping</label>
         <type>textbox</type>
-        <help>Please create the TXT Record with Subdomain _acme-challenge first, than you can get the ID from the edit page. Up to two RIDs per fulldomain are supported but at least one must be set, e.g. _acme-challenge.domain.net:RID:RID</help>
+        <help>Please create the TXT record with subdomain _acme-challenge first, than you can get the ID from the edit page. Up to two RIDs per fulldomain are supported but at least one must be set, e.g. _acme-challenge.domain.net:RID:RID2</help>
     </field>
     <field>
         <label>Servercow</label>

From 42553ab3e591bc86af5c1956774bcdb0527e09d2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 11 Oct 2022 14:27:09 +0200
Subject: [PATCH 1230/3088] security/acme-client: change default DNS sleep time
 to 0, refs #3079

---
 security/acme-client/pkg-descr                                | 4 ++++
 .../OPNsense/AcmeClient/forms/dialogValidation.xml            | 3 +--
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml         | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a484ee4dc2..a4e9781b0d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,10 +14,14 @@ https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#151-use-selfhost-dns-api
 
 Added:
 * add support for Google CA (#3029)
+* add support for querying public DNS services (#3079)
 
 Fixed:
 * fix Selfhost DNS API (#3122)
 
+Changed:
+* change default DNS sleep time to 0 (3079)
+
 3.13
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 5791474e64..1c9efe0043 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -128,8 +128,7 @@
         <id>validation.dns_sleep</id>
         <label>DNS Sleep Time</label>
         <type>text</type>
-        <help>The time in seconds to wait for all the TXT records to take effect after adding them to the DNS API. Defaults to 120 seconds.
-            For public DNS validation each 10 seconds up to 20 minutes, instead of fixed DNS sleep time set value to 0.</help>
+        <help>The time in seconds to wait for all the TXT records to take effect after adding them to the DNS API. Defaults to 0 seconds, which causes Acme Client to check public DNS services every 10 seconds for up to 20 minutes. If set to a non-zero value, a fixed DNS sleep time will be used and the local DNS servers will be queried instead. A DNS sleep time of 120 seconds or more is recommended for some DNS APIs.</help>
         <hint>0 for public DNS check or 1-84600s</hint>
     </field>
     <field>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index cfaa8e67a5..118c963690 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>3.3.0</version>
+    <version>3.4.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -509,7 +509,7 @@
                 <dns_sleep type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>84600</MaximumValue>
-                    <default>120</default>
+                    <default>0</default>
                     <ValidationMessage>Please specify a value between 0 and 84600 seconds.</ValidationMessage>
                     <Required>Y</Required>
                 </dns_sleep>

From b94aefde74334951abead644de49fb2fffaf246f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 21 Oct 2022 15:21:47 +0200
Subject: [PATCH 1231/3088] security/acme-client: migrate to NAME_setup use,
 closes #3113

refs https://github.com/opnsense/core/issues/5917
---
 .../OPNsense/AcmeClient/Api/ServiceController.php |  7 -------
 .../opnsense/scripts/OPNsense/AcmeClient/setup.sh |  4 ++--
 .../conf/actions.d/actions_acmeclient.conf        | 15 +++++----------
 3 files changed, 7 insertions(+), 19 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
index de54eeeea6..0e1a34a236 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
@@ -149,9 +149,6 @@ public function reconfigureAction()
             // generate template
             $backend->configdRun('template reload OPNsense/AcmeClient');
 
-            // now setup the environment
-            $backend->configdRun("acmeclient setup");
-
             // (res)start daemon
             if ($mdlAcme->settings->enabled->__toString() == 1) {
                 if ($runStatus['status'] == "running" && !$force_restart) {
@@ -177,8 +174,6 @@ public function configtestAction()
         $backend = new Backend();
         // first generate template based on current configuration
         $backend->configdRun('template reload OPNsense/AcmeClient');
-        // now setup the environment
-        $backend->configdRun("acmeclient setup");
         // finally run the syntax check
         $response = $backend->configdRun("acmeclient configtest");
         return array("result" => $response);
@@ -192,8 +187,6 @@ public function configtestAction()
     public function signallcertsAction()
     {
         $backend = new Backend();
-        // first setup the environment
-        $backend->configdRun("acmeclient setup");
         // run the command
         $response = $backend->configdRun("acmeclient sign-all-certs");
         return array("result" => $response);
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
index 43140eea72..fd9b734256 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
@@ -3,7 +3,7 @@
 ACME_BASE="/var/etc/acme-client"
 ACME_DIRS="/var/etc/acme-client/certs /var/etc/acme-client/keys /var/etc/acme-client/configs /var/etc/acme-client/challenges /var/etc/acme-client/home"
 
-# Generating dirs if missing and setting owner and mode (recursively)
+# Generate required directories and set owner/mode recursively.
 for directory in ${ACME_DIRS}; do
     mkdir -p ${directory}
     chown -R root:wheel ${directory}
@@ -16,7 +16,7 @@ if [ -L /var/etc/acme-client/home/dns_opnsense.sh ]; then
     unlink /var/etc/acme-client/home/dns_opnsense.sh
 fi
 
-# Setting owner and mode for base and immediate children (non recursive)
+# Set owner/mode for base and immediate children (non recursive).
 chown root:wheel ${ACME_BASE} ${ACME_BASE}/*
 chmod 750 ${ACME_BASE} ${ACME_BASE}/*
 
diff --git a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
index 4faf4b6873..7c47bdf858 100644
--- a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
+++ b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
@@ -1,8 +1,3 @@
-[setup]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh
-parameters:
-type:script_output
-
 ##########################################
 ## lighttpd actions
 ##########################################
@@ -42,7 +37,7 @@ message:testing acme_http_challenge configuration
 ##########################################
 
 [sign-cert]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --force --cert
+command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --force --cert
 parameters:%s
 type:script
 message:signing or renewing a certificate
@@ -66,25 +61,25 @@ type:script
 message:removing a certificate private key
 
 [sign-all-certs]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all
+command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all
 parameters:
 type:script
 message:signing or renewing all certificates
 
 [run-automation]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode automation --cert
+command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode automation --cert
 parameters:%s
 type:script
 message:running automations for a certificate
 
 [import]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode import --cert
+command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode import --cert
 parameters:%s
 type:script
 message:running import for a certificate
 
 [cron-auto-renew]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh; /usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all --cron
+command:/usr/sbin/daemon -f /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all --cron
 parameters:
 type:script
 message:cronjob running to sign or renew certificates

From 07fde35bfcfc8c633d02efbbf8de80a6040013be Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 21 Oct 2022 15:42:56 +0200
Subject: [PATCH 1232/3088] security/acme-client: re-enable NAME_setup use,
 refs 4e01cb2333acd997b01e6a10a9c447b1ccf520dc

---
 .../opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
index 6d1991e9df..96d20f1bc0 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/rc.conf.d
@@ -2,7 +2,7 @@
 acme_http_challenge_enable=YES
 acme_http_challenge_conf="/var/etc/lighttpd-acme-challenge.conf"
 acme_http_challenge_pidfile="/var/run/lighttpd-acme-challenge.pid"
-#acme_http_challenge_setup="/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh"
+acme_http_challenge_setup="/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh"
 {% else %}
 acme_http_challenge_enable=NO
 {% endif %}

From 32e6a1d6185a3c90a32d8cb21b1acc45b154650f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 11 Oct 2022 13:17:46 +0200
Subject: [PATCH 1233/3088] net/haproxy: add support for req.ssl_hello_type,
 closes #2311

---
 net/haproxy/pkg-descr                                 |  5 +++++
 .../controllers/OPNsense/HAProxy/forms/dialogAcl.xml  | 11 +++++++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml       | 10 ++++++++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf   |  2 ++
 4 files changed, 28 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index d33a113b13..c6e99b5269 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+3.12
+
+Added:
+* add support for req.ssl_hello_type (#2311)
+
 3.11
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 4643f99a87..895bd6e4b2 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -278,6 +278,17 @@
         <type>text</type>
         <help><![CDATA[Verify the CA Common-Name of the certificate presented by the client against the specified string.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_ssl_hello_type</style>
+    </field>
+    <field>
+        <id>acl.ssl_hello_type</id>
+        <label>SSL Hello Type</label>
+        <type>dropdown</type>
+        <help><![CDATA[An integer value containing the type of the SSL hello message found in the request buffer if the buffer contains data that parse as a complete SSL (v3 or superior) client hello message.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index f6baa5c870..3be9a91e11 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1599,6 +1599,7 @@
                         <ssl_c_verify>SSL Client certificate is valid</ssl_c_verify>
                         <ssl_c_verify_code>SSL Client certificate verify error result</ssl_c_verify_code>
                         <ssl_c_ca_commonname>SSL Client certificate issued by CA common-name</ssl_c_ca_commonname>
+                        <ssl_hello_type>SSL Hello Type</ssl_hello_type>
                         <src>Source IP matches specified IP</src>
                         <src_is_local>Source IP is local</src_is_local>
                         <src_port>Source IP: TCP source port</src_port>
@@ -1764,6 +1765,15 @@
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
                 </ssl_c_ca_commonname>
+                <ssl_hello_type type="OptionField">
+                    <Required>N</Required>
+                    <default>x1</default>
+                    <OptionValues>
+                        <x0>0 - no client hello</x0>
+                        <x1>1 - client hello</x1>
+                        <x2>2 - server hello</x2>
+                    </OptionValues>
+                </ssl_hello_type>
                 <src type="TextField">
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index ea00d11a83..79fde03a07 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -284,6 +284,8 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'ssl_hello_type' %}
+{%               do acl_options.append('req.ssl_hello_type ' ~ acl_data.ssl_hello_type|replace('x', '')) %}
 {%             elif acl_data.expression == 'src' %}
 {%               if acl_data.src|default("") != "" %}
 {%                 do acl_options.append('src ' ~ acl_data.src) %}

From bae01c9dcb4a15657615bfb783dbed1e7aca90a3 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 11 Oct 2022 14:37:23 +0200
Subject: [PATCH 1234/3088] net/haproxy: update changelog

---
 net/haproxy/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index c6e99b5269..7d0cde83a5 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,9 @@ Plugin Changelog
 Added:
 * add support for req.ssl_hello_type (#2311)
 
+Fixed:
+* fix unix sockets in chrooted environment (#3093)
+
 3.11
 
 Added:

From 13e1dbc40a4559a38a02b3d97a165c5e39a140a6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 11 Oct 2022 15:29:17 +0200
Subject: [PATCH 1235/3088] net/haproxy: fix peers by automatically configuring
 the local peer, closes #3114

---
 net/haproxy/pkg-descr                                |  1 +
 .../OPNsense/HAProxy/forms/generalPeers.xml          |  8 ++++----
 .../service/templates/OPNsense/HAProxy/haproxy.conf  | 12 +++++++++---
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 7d0cde83a5..dea92ff85a 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -13,6 +13,7 @@ Added:
 
 Fixed:
 * fix unix sockets in chrooted environment (#3093)
+* fix peers by automatically configuring the local peer (#3114)
 
 3.11
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalPeers.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalPeers.xml
index f1091f4f35..7dba7f9f8c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalPeers.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalPeers.xml
@@ -10,14 +10,14 @@
         <help><![CDATA[Enable or disable HAProxy peers. This will propagate entries of any data-types in stick-tables between several HAProxy instances over TCP connections in a multi-master fashion.]]></help>
     </field>
     <field>
-        <label>Peer 1 (this host)</label>
+        <label>Peer 1</label>
         <type>header</type>
     </field>
     <field>
         <id>haproxy.general.peers.name1</id>
         <label>Peer name (FQDN)</label>
         <type>text</type>
-        <help><![CDATA[The name of the peer. This is usually the full hostname to make it possible for HAProxy to recognize the local peer. If HAProxy is unable to find the local peer it will fail to start.]]></help>
+        <help><![CDATA[The name of the peer. This is usually the fully qualified domain name. If the name matches the <a href="/system_general.php">system hostname</a>, then this peer is automatically configured as local peer.]]></help>
     </field>
     <field>
         <id>haproxy.general.peers.listen1</id>
@@ -32,14 +32,14 @@
         <help><![CDATA[The TCP port that should be used for connections to this peer. It must not be used by any other service.]]></help>
     </field>
     <field>
-        <label>Peer 2 (remote host)</label>
+        <label>Peer 2</label>
         <type>header</type>
     </field>
     <field>
         <id>haproxy.general.peers.name2</id>
         <label>Peer name (FQDN)</label>
         <type>text</type>
-        <help><![CDATA[The name of the peer. This is usually the full hostname to make it possible for HAProxy to recognize the local peer. If HAProxy is unable to find the local peer it will fail to start.]]></help>
+        <help><![CDATA[The name of the peer. This is usually the fully qualified domain name. If the name matches the <a href="/system_general.php">system hostname</a>, then this peer is automatically configured as local peer.]]></help>
     </field>
     <field>
         <id>haproxy.general.peers.listen2</id>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 79fde03a07..c6f0ff8dde 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1041,6 +1041,10 @@ global
 {%     endif %}
 {%   endif %}
 {% endif %}
+{# # specify local peer #}
+{% if peers_enabled is defined %}
+    localpeer {{ system.hostname|lower }}.{{ system.domain|lower }}
+{% endif %}
 {# # pass-through options #}
 {% if OPNsense.HAProxy.general.tuning.customOptions|default("") != "" %}
     # WARNING: pass through options below this line
@@ -1892,7 +1896,7 @@ backend {{backend.name}}
 {#               PEERS             #}
 {# ############################### #}
 
-{%- if helpers.exists('OPNsense.HAProxy.general.peers') and OPNsense.HAProxy.general.peers.enabled|default("") == "1" %}
+{%- if peers_enabled is defined %}
 {#   # ensure that no value is missing #}
 {%   if OPNsense.HAProxy.general.peers.name1|default("") != '' and
        OPNsense.HAProxy.general.peers.listen1|default("") != '' and
@@ -1901,8 +1905,10 @@ backend {{backend.name}}
        OPNsense.HAProxy.general.peers.listen2|default("") != '' and
        OPNsense.HAProxy.general.peers.port2|default("") != '' %}
 peers {{peers_name}}
-    peer {{OPNsense.HAProxy.general.peers.name1}} {{OPNsense.HAProxy.general.peers.listen1}}:{{OPNsense.HAProxy.general.peers.port1}}
-    peer {{OPNsense.HAProxy.general.peers.name2}} {{OPNsense.HAProxy.general.peers.listen2}}:{{OPNsense.HAProxy.general.peers.port2}}
+    peer {{OPNsense.HAProxy.general.peers.name1|lower}} {{OPNsense.HAProxy.general.peers.listen1}}:{{OPNsense.HAProxy.general.peers.port1}}
+    peer {{OPNsense.HAProxy.general.peers.name2|lower}} {{OPNsense.HAProxy.general.peers.listen2}}:{{OPNsense.HAProxy.general.peers.port2}}
+{%   else %}
+# ERROR: peers configuration is incomplete
 {%   endif %}
 {%- endif -%}
 

From 5cd2297802771d8e19636fae930d59e2f013b188 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 11 Oct 2022 15:43:11 +0200
Subject: [PATCH 1236/3088] net/haproxy: update documentation URLs

---
 net/haproxy/pkg-descr                                  |  3 +++
 .../OPNsense/HAProxy/forms/dialogAction.xml            | 10 +++++-----
 .../OPNsense/HAProxy/forms/dialogBackend.xml           | 10 +++++-----
 .../OPNsense/HAProxy/forms/dialogFrontend.xml          |  6 +++---
 .../OPNsense/HAProxy/forms/dialogMapfile.xml           |  2 +-
 .../opnsense/mvc/app/views/OPNsense/HAProxy/index.volt | 10 +++++-----
 6 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index dea92ff85a..37b084e82b 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -15,6 +15,9 @@ Fixed:
 * fix unix sockets in chrooted environment (#3093)
 * fix peers by automatically configuring the local peer (#3114)
 
+Changed:
+* update HAProxy documentation URLs
+
 3.11
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index c810642591..f0a663f161 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -89,7 +89,7 @@
         <id>action.http_request_redirect</id>
         <label>HTTP Redirect</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/2.4/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -128,7 +128,7 @@
         <id>action.http_request_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -145,7 +145,7 @@
         <id>action.http_request_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -251,7 +251,7 @@
         <id>action.http_response_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -268,7 +268,7 @@
         <id>action.http_response_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 27a6115e2c..cd1aec54ea 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -28,7 +28,7 @@
         <id>backend.algorithm</id>
         <label>Balancing Algorithm</label>
         <type>dropdown</type>
-        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
         <hint>Choose a load balancing algorithm.</hint>
     </field>
     <field>
@@ -42,7 +42,7 @@
         <id>backend.proxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -186,7 +186,7 @@
         <id>backend.persistence_cookiemode</id>
         <label>Cookie handling</label>
         <type>dropdown</type>
-        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.persistence_cookiename</id>
@@ -208,14 +208,14 @@
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
+        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
         <hint>Choose a persistence type.</hint>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 6d6a4cda76..a028a16f17 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -322,14 +322,14 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
@@ -356,7 +356,7 @@
         <id>frontend.stickiness_counter_key</id>
         <label>Sticky counter key</label>
         <type>text</type>
-        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index d988e782e4..fc0011cc87 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -15,6 +15,6 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index eda3e7ff1a..7510ca1ed2 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -698,7 +698,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -740,7 +740,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.4/configuration.html#7" target="_blank">', '</a>') }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -755,7 +755,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}</p>
-            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#3.4" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.4/configuration.html#3.4" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -773,7 +773,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#10" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/2.4/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html#3.5" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -790,7 +790,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#process" target="_blank">', '</a>','<a href="http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/2.4/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.4/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.4/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.4/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/2.4/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>

From c7d77ce9bf54597162016ba45f633d991b45b459 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 21 Oct 2022 15:50:06 +0200
Subject: [PATCH 1237/3088] net/haproxy: migrate to NAME_setup use, refs
 4e01cb2333acd997b01e6a10a9c447b1ccf520dc

NAME_setup is mostly being used during system startup.
However, there are still cases where setup.sh is manually
called to ensure that certain operations like syntax check
are working properly.
---
 .../OPNsense/HAProxy/Api/ServiceController.php            | 2 --
 .../opnsense/service/conf/actions.d/actions_haproxy.conf  | 8 +-------
 .../opnsense/service/templates/OPNsense/HAProxy/rc.conf.d | 2 +-
 3 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
index 524597aef0..0632cef861 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
@@ -56,8 +56,6 @@ public function configtestAction()
         $backend = new Backend();
         // first generate template based on current configuration
         $backend->configdRun('template reload OPNsense/HAProxy');
-        // now export all the required files (or syntax check will fail)
-        $backend->configdRun("haproxy setup");
         // finally run the syntax check
         $response = $backend->configdRun("haproxy configtest");
         return array("result" => $response);
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index a9f3c5b25b..9ca6d13dd7 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -1,9 +1,3 @@
-[setup]
-command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh
-parameters:
-type:script_output
-message:setup haproxy service requirements
-
 [start]
 command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh deploy; /usr/local/opnsense/scripts/OPNsense/HAProxy/rc-wrapper.sh start
 parameters:
@@ -31,7 +25,7 @@ description:Reload HAProxy service
 message:reloading haproxy
 
 [configtest]
-command:/usr/local/sbin/haproxy -c -f /usr/local/etc/haproxy.conf.staging 2>&1 || exit 0
+command:/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh; /usr/local/sbin/haproxy -c -f /usr/local/etc/haproxy.conf.staging 2>&1 || exit 0
 parameters:
 type:script_output
 message:testing haproxy configuration
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
index fdb9bcf37e..2e20906703 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
@@ -1,6 +1,6 @@
 {% if helpers.exists('OPNsense.HAProxy.general.enabled') and OPNsense.HAProxy.general.enabled|default("0") == "1" %}
 haproxy_enable=YES
-#haproxy_setup="/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh"
+haproxy_setup="/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh"
 haproxy_pidfile="/var/run/haproxy.pid"
 haproxy_config="/usr/local/etc/haproxy.conf"
 {% if helpers.exists('OPNsense.HAProxy.general.storeOcsp') and OPNsense.HAProxy.general.storeOcsp|default("0") == "1" %}

From c3b6d586e90235cf9afb04c5879259c61251027e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 21 Oct 2022 17:25:56 +0200
Subject: [PATCH 1238/3088] security/acme-client: remove saved deploy hook from
 acme.sh config files, fixes #3120

---
 security/acme-client/pkg-descr                |  4 ++-
 .../OPNsense/AcmeClient/LeAutomation/Base.php | 27 +++++++++++++++++++
 .../library/OPNsense/AcmeClient/LeCommon.php  |  3 +++
 3 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a4e9781b0d..1e45db84a3 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,9 +18,11 @@ Added:
 
 Fixed:
 * fix Selfhost DNS API (#3122)
+* fix invalid cert state due to deploy error (#3120)
 
 Changed:
-* change default DNS sleep time to 0 (3079)
+* change default DNS sleep time to 0 (#3079)
+* remove saved deploy hook from acme.sh config files (#3120)
 
 3.13
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index 1f11081fa7..4f79aa4712 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -150,6 +150,33 @@ public function runAcme()
             return false;
         }
 
+        // acme.sh records the last used deploy hook and would automatically
+        // use it on the next run. This information must be removed from the
+        // configuration file. Otherwise it would be impossible to disable
+        // or remove a deploy hook from the GUI.
+        foreach (glob(self::ACME_HOME_DIR . '/*/*.conf') as $filename) {
+            // Skip openssl config files.
+            if (preg_match('/.*.csr.conf/i', $filename)) {
+                continue;
+            }
+
+            // Read contents from file.
+            $contents = file_get_contents($filename);
+
+            // Check if deploy hook string can be found.
+            if (strpos($contents, self::ACME_DEPLOY_HOOK_STRING) !== false) {
+                // Replace the whole line with an empty string.
+                $contents = preg_replace('(' . self::ACME_DEPLOY_HOOK_STRING . '.*)', '', $contents);
+
+                // Write changes to the file.
+                if (!file_put_contents($filename, $contents)) {
+                    LeUtils::log_error('clearing recorded deploy hook from acme.sh failed (' . $filename . ')');
+                } else {
+                    LeUtils::log_debug('cleared recorded deploy deploy hook from acme.sh (' . $filename . ')', $this->debug);
+                }
+            }
+        }
+
         // Check result
         if ($result) {
             LeUtils::log_error('running acme.sh deploy hook failed (' . $this->getType() . ')');
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index 631fab0c4f..bf278b7aae 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -59,6 +59,9 @@ abstract class LeCommon
     public const ACME_KEY_DIR = '/var/etc/acme-client/keys/%s/';
     public const ACME_KEY_FILE = '/var/etc/acme-client/keys/%s/private.key';
 
+    // acme.sh internals
+    public const ACME_DEPLOY_HOOK_STRING = 'Le_DeployHook=';
+
     // Runtime parameters for acme.sh
     protected $acme_args = array(); # command line arguments to be passed to acme.sh
     protected $acme_env = array();  # environment variables to be used when running acme.sh

From b76cdc037197d9d532ea4b4f75064e8af86f13ea Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 21 Oct 2022 17:59:38 +0200
Subject: [PATCH 1239/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index ad0e59696e..ba4fa52e1c 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.13
+PLUGIN_VERSION=		3.14
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 57e21ae339f4b19b6c0075643dacf02bbcdc07a9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 21 Oct 2022 18:00:13 +0200
Subject: [PATCH 1240/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 0c4fd723e9..084dfc5a47 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.11
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		3.12
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy24
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 6525ca5f94a9d71336d7c4e7e8f20878d46a44d1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 22 Oct 2022 01:18:33 +0200
Subject: [PATCH 1241/3088] net/haproxy: add support for Prometheus exporter,
 closes #2764

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/dialogFrontend.xml | 14 +++++++++
 .../OPNsense/HAProxy/forms/generalStats.xml   | 27 ++++++++++++++++-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 30 ++++++++++++++++++-
 .../templates/OPNsense/HAProxy/haproxy.conf   | 19 ++++++++++--
 5 files changed, 86 insertions(+), 5 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 37b084e82b..2bb68861ab 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -10,6 +10,7 @@ Plugin Changelog
 
 Added:
 * add support for req.ssl_hello_type (#2311)
+* add support for Prometheus exporter (#2764)
 
 Fixed:
 * fix unix sockets in chrooted environment (#3093)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index a028a16f17..9f6fb5801e 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -211,6 +211,20 @@
         <type>checkbox</type>
         <help><![CDATA[Enable insertion of the X-Forwarded-For header to requests sent to servers.]]></help>
     </field>
+    <field>
+        <id>frontend.prometheus_enabled</id>
+        <label>Prometheus Enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable HAProxy's Prometheus exporter.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>frontend.prometheus_path</id>
+        <label>Prometheus Path</label>
+        <type>text</type>
+        <help><![CDATA[The path where the Prometheus exporter can be accessed.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <label>Basic Authentication</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalStats.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalStats.xml
index 6832e1e173..ad63e778ef 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalStats.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalStats.xml
@@ -5,7 +5,7 @@
     </field>
     <field>
         <id>haproxy.general.stats.enabled</id>
-        <label>Stats enabled</label>
+        <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable HAProxy's statistics page.]]></help>
     </field>
@@ -57,4 +57,29 @@
         <help><![CDATA[These lines will be added to the statistics settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <label>Prometheus Exporter</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.stats.prometheus_enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable HAProxy's Prometheus exporter.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.stats.prometheus_bind</id>
+        <label>Listen addresses</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Configure listen addresses for the prometheus exporter, i.e. 10.0.0.1:8404 or haproxy.example.com:8404. Use TAB key to complete typing a listen address.]]></help>
+        <hint>Enter address:port here. Finish with TAB.</hint>
+    </field>
+    <field>
+        <id>haproxy.general.stats.prometheus_path</id>
+        <label>Path</label>
+        <type>text</type>
+        <help><![CDATA[The path where the Prometheus exporter can be accessed.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 3be9a91e11..8a81ffce31 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.7.0</version>
+    <version>3.8.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -376,6 +376,24 @@
                 <customOptions type="TextField">
                     <Required>N</Required>
                 </customOptions>
+                <prometheus_enabled type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </prometheus_enabled>
+                <prometheus_bind type="CSVListField">
+                    <default>*:8404</default>
+                    <Required>N</Required>
+                    <multiple>Y</multiple>
+                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</mask>
+                    <ChangeCase>lower</ChangeCase>
+                    <ValidationMessage>Please provide a valid listen address, i.e. 10.0.0.1:8404 or haproxy.example.com:8404.</ValidationMessage>
+                </prometheus_bind>
+                <prometheus_path type="TextField">
+                    <default>/metrics</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,2048}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 2048 characters.</ValidationMessage>
+                </prometheus_path>
             </stats>
             <cache>
                 <enabled type="BooleanField">
@@ -777,6 +795,16 @@
                     <default>0</default>
                     <Required>Y</Required>
                 </forwardFor>
+                <prometheus_enabled type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </prometheus_enabled>
+                <prometheus_path type="TextField">
+                    <default>/metrics</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,2048}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 2048 characters.</ValidationMessage>
+                </prometheus_path>
                 <connectionBehaviour type="OptionField">
                     <Required>Y</Required>
                     <default>http-keep-alive</default>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index c6f0ff8dde..d7d910beb4 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1411,6 +1411,9 @@ frontend {{frontend.name}}
 {%       endif %}
 {%       if frontend.forwardFor == '1' and frontend.mode == 'http' %}
     option forwardfor
+{%       endif %}
+{%       if frontend.prometheus_enabled == '1' and frontend.mode == 'http' and frontend.prometheus_path|default("") != "" %}
+    http-request use-service prometheus-exporter if { path {{frontend.prometheus_path}} }
 {%       endif %}
     # tuning options
 {%       if frontend.tuning_maxConnections is defined %}
@@ -1916,7 +1919,7 @@ peers {{peers_name}}
 {#             STATISTICS          #}
 {# ############################### #}
 
-{%- if helpers.exists('OPNsense.HAProxy.general.stats') and OPNsense.HAProxy.general.stats.enabled|default("") == "1" %}
+{% if helpers.exists('OPNsense.HAProxy.general.stats') and OPNsense.HAProxy.general.stats.enabled|default("") == "1" %}
 {# # enable local stats #}
 listen local_statistics
     bind            127.0.0.1:{{OPNsense.HAProxy.general.stats.port}}
@@ -1931,7 +1934,7 @@ listen local_statistics
 {%     endfor %}
 {%   endif %}
 
-{# # remote stats are optional #}
+{#   # remote stats are optional #}
 {%   if OPNsense.HAProxy.general.stats.remoteEnabled|default("") == "1" %}
 {%     if OPNsense.HAProxy.general.stats.remoteBind|default("") != "" %}
 listen  remote_statistics
@@ -1957,8 +1960,18 @@ listen  remote_statistics
 # ERROR: remote statistics disabled, because no listen address was specified
 {%     endif %}
 {%   else %}
-# statistics are DISABLED
+# remote statistics are DISABLED
 {%   endif %}
+{% else %}
+# statistics are DISABLED
+{% endif %}
 
+{% if helpers.exists('OPNsense.HAProxy.general.stats') and OPNsense.HAProxy.general.stats.prometheus_enabled|default("") == "1" %}
+{# # enable prometheus exporter #}
+frontend prometheus_exporter
+   bind {{OPNsense.HAProxy.general.stats.prometheus_bind}}
+   mode http
+   http-request use-service prometheus-exporter if { path {{OPNsense.HAProxy.general.stats.prometheus_path}} }
 {% endif %}
+
 {%- endif -%}

From 542958352ba0aafade6dfa2a6f0d71ec5a7f3e1f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 23 Oct 2022 01:36:36 +0200
Subject: [PATCH 1242/3088] net/haproxy: add support for FastCGI applications,
 closes #2769

---
 net/haproxy/pkg-descr                         |   2 +
 .../HAProxy/Api/SettingsController.php        |  27 ++++-
 .../OPNsense/HAProxy/IndexController.php      |   3 +-
 .../OPNsense/HAProxy/forms/dialogAction.xml   |  22 ++++
 .../OPNsense/HAProxy/forms/dialogBackend.xml  |   6 +
 .../OPNsense/HAProxy/forms/dialogFcgi.xml     |  77 +++++++++++++
 .../OPNsense/HAProxy/forms/dialogServer.xml   |   7 ++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 108 ++++++++++++++++++
 .../app/models/OPNsense/HAProxy/Menu/Menu.xml |   1 +
 .../mvc/app/views/OPNsense/HAProxy/index.volt |  40 +++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   |  80 ++++++++++++-
 11 files changed, 369 insertions(+), 4 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 2bb68861ab..d675ec264e 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,8 @@ Plugin Changelog
 Added:
 * add support for req.ssl_hello_type (#2311)
 * add support for Prometheus exporter (#2764)
+* add support for FastCGI applications (#2769)
+* add server option to override the multiplexer protocol
 
 Fixed:
 * fix unix sockets in chrooted environment (#3093)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index 44ccd006c2..4e0006f398 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2016-2021 Frank Wall
+ *    Copyright (C) 2016-2022 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -241,6 +241,31 @@ public function searchLuasAction()
         return $this->searchBase('luas.lua', array('enabled', 'name', 'description'), 'name');
     }
 
+    public function getFcgiAction($uuid = null)
+    {
+        return $this->getBase('fcgi', 'fcgis.fcgi', $uuid);
+    }
+
+    public function setFcgiAction($uuid)
+    {
+        return $this->setBase('fcgi', 'fcgis.fcgi', $uuid);
+    }
+
+    public function addFcgiAction()
+    {
+        return $this->addBase('fcgi', 'fcgis.fcgi');
+    }
+
+    public function delFcgiAction($uuid)
+    {
+        return $this->delBase('fcgis.fcgi', $uuid);
+    }
+
+    public function searchFcgisAction()
+    {
+        return $this->searchBase('fcgis.fcgi', array('name', 'description'), 'name');
+    }
+
     public function getErrorfileAction($uuid = null)
     {
         return $this->getBase('errorfile', 'errorfiles.errorfile', $uuid);
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
index 8e2b52f65b..791f6bfe67 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/IndexController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2016 Frank Wall
+ *    Copyright (C) 2016-2022 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *    All rights reserved.
  *
@@ -49,6 +49,7 @@ public function indexAction()
         $this->view->formDialogBackend = $this->getForm("dialogBackend");
         $this->view->formDialogCpu = $this->getForm("dialogCpu");
         $this->view->formDialogErrorfile = $this->getForm("dialogErrorfile");
+        $this->view->formDialogFcgi = $this->getForm("dialogFcgi");
         $this->view->formDialogFrontend = $this->getForm("dialogFrontend");
         $this->view->formDialogGroup = $this->getForm("dialogGroup");
         $this->view->formDialogHealthcheck = $this->getForm("dialogHealthcheck");
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index f0a663f161..7a499dab84 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -448,4 +448,26 @@
         <type>dropdown</type>
         <help><![CDATA[HAProxy will use this backend pool if no match is found in the map file.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_fcgi_pass_header</style>
+    </field>
+    <field>
+        <id>action.fcgi_pass_header</id>
+        <label>Header Name</label>
+        <type>text</type>
+        <help><![CDATA[Specify the name of a request header which will be passed to the FastCGI application. Most request headers are already available to the FastCGI application, prefixed with "HTTP_". Thus, this directive is only required to pass headers that are purposefully omitted. Currently, the headers "Authorization", "Proxy-Authorization" and hop-by-hop headers are omitted.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_fcgi_set_param</style>
+    </field>
+    <field>
+        <id>action.fcgi_set_param</id>
+        <label>Parameter</label>
+        <type>text</type>
+        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index cd1aec54ea..7615ceb09b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -54,6 +54,12 @@
         <help><![CDATA[Add servers to this backend. Use TAB key to complete typing.]]></help>
         <hint>Type server name or choose from list.</hint>
     </field>
+    <field>
+        <id>backend.linkedFcgi</id>
+        <label>FastCGI Application</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select the FastCGI application that should be used for all servers in this backend.]]></help>
+    </field>
     <field>
         <id>backend.linkedResolver</id>
         <label>Resolver</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
new file mode 100644
index 0000000000..ffaec1d91a
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
@@ -0,0 +1,77 @@
+<form>
+    <field>
+        <id>fcgi.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable this FastCGI application.</help>
+    </field>
+    <field>
+        <id>fcgi.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Name to identify this FastCGI application.</help>
+    </field>
+    <field>
+        <id>fcgi.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Description for this FastCGI application.</help>
+    </field>
+    <field>
+        <id>fcgi.docroot</id>
+        <label>Docroot</label>
+        <type>text</type>
+        <help><![CDATA[Define the document root on the remote host. It will be used to build the default value of FastCGI parameters SCRIPT_FILENAME and PATH_TRANSLATED. It is a mandatory setting.]]></help>
+    </field>
+    <field>
+        <id>fcgi.index</id>
+        <label>Index</label>
+        <type>text</type>
+        <help><![CDATA[Define the script name that will be appended after an URI that ends with a slash ("/") to set the default value of the FastCGI parameter SCRIPT_NAME. It is an optional setting.]]></help>
+    </field>
+    <field>
+        <id>fcgi.path_info</id>
+        <label>Path Info</label>
+        <type>text</type>
+        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/2.4/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
+    </field>
+    <field>
+        <id>fcgi.log_stderr</id>
+        <label>STDERR Logging</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable logging of STDERR messages reported by the FastCGI application. It is an optional setting. By default STDERR messages are ignored.]]></help>
+    </field>
+    <field>
+        <id>fcgi.keep_conn</id>
+        <label>Keep Connection Open</label>
+        <type>checkbox</type>
+        <help><![CDATA[Instruct the FastCGI application to keep the connection open after sending a response. If disabled, the FastCGI application closes the connection after responding to a request.]]></help>
+    </field>
+    <field>
+        <id>fcgi.get_values</id>
+        <label>Connection Management</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable the retrieval of variables about connection management from the FastCGI application by sending the record FCGI_GET_VALUES on connection establishment. Some FastCGI applications do not support this feature and others close the connection immediately after sending their response. As a result, this option is disabled by default.]]></help>
+    </field>
+    <field>
+        <id>fcgi.mpxs_conns</id>
+        <label>Connection Multiplexing</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable the support for connection multiplexing. This option may be overwritten if the variable FCGI_MPXS_CONNS is retrieved during connection establishment.]]></help>
+    </field>
+    <field>
+        <id>fcgi.max_reqs</id>
+        <label>Maximum Concurrent Requests</label>
+        <type>text</type>
+        <help><![CDATA[Define the maximum number of concurrent requests this application will accept. This option may be overwritten if the variable FCGI_MAX_REQS is retrieved during connection establishment. Furthermore, if the application does not support connection multiplexing, this option will be ignored.]]></help>
+    </field>
+    <field>
+        <id>fcgi.linkedActions</id>
+        <label>Select Rules</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <sortable>true</sortable>
+        <help><![CDATA[Choose rules to be included in this FastCGI application. Only FastCGI rules are supported.]]></help>
+        <hint>Choose rules.</hint>
+    </field>
+</form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
index 53190b12cd..99db8ffab0 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -95,6 +95,13 @@
         <type>dropdown</type>
         <help><![CDATA[Sets the operation mode to use for this server.]]></help>
     </field>
+    <field>
+        <id>server.multiplexer_protocol</id>
+        <label>Multiplexer Protocol</label>
+        <type>dropdown</type>
+        <help><![CDATA[Forces the multiplexer's protocol to use for the outgoing connections to this server. It must be compatible with the mode of the backend (TCP or HTTP). It must also be usable on the backend side. Idea behind this option is to bypass the selection of the best multiplexer's protocol for all connections established to this server. Use only when strictly necessary.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>server.resolvePrefer</id>
         <label>Prefer IP Family</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 8a81ffce31..8289391d5c 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -911,6 +911,18 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedServers>
+                <linkedFcgi type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>fcgis.fcgi</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related fcgi item not found</ValidationMessage>
+                    <Multiple>N</Multiple>
+                    <Required>N</Required>
+                </linkedFcgi>
                 <linkedResolver type="ModelRelationField">
                     <Model>
                         <template>
@@ -1282,6 +1294,16 @@
                         <disabled>disabled</disabled>
                     </OptionValues>
                 </mode>
+                <multiplexer_protocol type="OptionField">
+                    <Required>N</Required>
+                    <default>unspecified</default>
+                    <OptionValues>
+                        <unspecified>auto-selection [recommended]</unspecified>
+                        <fcgi>FastCGI</fcgi>
+                        <h2>HTTP/2</h2>
+                        <h1>HTTP/1.1</h1>
+                    </OptionValues>
+                </multiplexer_protocol>
                 <type type="OptionField">
                     <Required>Y</Required>
                     <default>static</default>
@@ -2138,6 +2160,8 @@
                         <use_backend>Use specified Backend Pool</use_backend>
                         <use_server>Override server in Backend Pool</use_server>
                         <map_use_backend>Map domains to backend pools using a map file</map_use_backend>
+                        <fcgi_pass_header>FastCGI pass-header</fcgi_pass_header>
+                        <fcgi_set_param>FastCGI set-param</fcgi_set_param>
                         <http-request_allow>http-request allow</http-request_allow>
                         <http-request_deny>http-request deny</http-request_deny>
                         <http-request_tarpit>http-request tarpit</http-request_tarpit>
@@ -2202,6 +2226,16 @@
                     <Multiple>N</Multiple>
                     <Required>N</Required>
                 </use_server>
+                <fcgi_pass_header type="TextField">
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </fcgi_pass_header>
+                <fcgi_set_param type="TextField">
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </fcgi_set_param>
                 <http_request_auth type="TextField">
                     <mask>/^.{1,4096}$/u</mask>
                     <Required>N</Required>
@@ -2471,6 +2505,80 @@
                 </content>
             </lua>
         </luas>
+        <fcgis>
+            <fcgi type="ArrayField">
+                <id type="UniqueIdField">
+                    <Required>Y</Required>
+                </id>
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>Y</Required>
+                </name>
+                <description type="TextField">
+                    <mask>/^.{1,255}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </description>
+                <docroot type="TextField">
+                    <mask>/^.{1,4096}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 4096 characters.</ValidationMessage>
+                    <Required>Y</Required>
+                </docroot>
+                <index type="TextField">
+                    <mask>/^.{1,4096}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 4096 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </index>
+                <path_info type="TextField">
+                    <mask>/^.{1,4096}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 4096 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </path_info>
+                <log_stderr type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </log_stderr>
+                <keep_conn type="BooleanField">
+                    <default>1</default>
+                    <Required>N</Required>
+                </keep_conn>
+                <get_values type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </get_values>
+                <mpxs_conns type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </mpxs_conns>
+                <max_reqs type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>100000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 100000.</ValidationMessage>
+                    <Required>N</Required>
+                </max_reqs>
+                <linkedActions type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>actions.action</items>
+                            <display>name</display>
+                            <filters>
+                                <type>/fcgi/</type>
+                            </filters>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related action item not found</ValidationMessage>
+                    <Sorted>Y</Sorted>
+                    <multiple>Y</multiple>
+                    <Required>N</Required>
+                </linkedActions>
+            </fcgi>
+        </fcgis>
         <errorfiles>
             <errorfile type="ArrayField">
                 <id type="UniqueIdField">
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
index 0d78bf3eb3..d95844a34c 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml
@@ -18,6 +18,7 @@
               <Users VisibleName="Users" url="/ui/haproxy#users"/>
               <Groups VisibleName="Groups" url="/ui/haproxy#groups"/>
               <Luas VisibleName="Lua Scripts" url="/ui/haproxy#luas"/>
+              <Fcgis VisibleName="FastCGI Applications" url="/ui/haproxy#fcgis"/>
               <Errorfiles VisibleName="Error Files" url="/ui/haproxy#errorfiles"/>
               <Mapfiles VisibleName="Map Files" url="/ui/haproxy#mapfiles"/>
               <Resolvers VisibleName="Resolvers" url="/ui/haproxy#resolvers"/>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 7510ca1ed2..796dd5e0ce 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -162,6 +162,18 @@ POSSIBILITY OF SUCH DAMAGE.
             }
         );
 
+        $("#grid-fcgis").UIBootgrid(
+            {   search:'/api/haproxy/settings/searchFcgis',
+                get:'/api/haproxy/settings/getFcgi/',
+                set:'/api/haproxy/settings/setFcgi/',
+                add:'/api/haproxy/settings/addFcgi/',
+                del:'/api/haproxy/settings/delFcgi/',
+                options: {
+                    rowCount:[10,25,50,100,500,1000]
+                }
+            }
+        );
+
         $("#grid-errorfiles").UIBootgrid(
             {   search:'/api/haproxy/settings/searchErrorfiles',
                 get:'/api/haproxy/settings/getErrorfile/',
@@ -676,6 +688,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <li><a data-toggle="tab" id="advanced-introduction" href="#subtab_haproxy-advanced-introduction">{{ lang._('Introduction') }}</a></li>
             {% endif %}
             <li><a data-toggle="tab" id="errorfiles-tab" href="#errorfiles">{{ lang._('Error Messages') }}</a></li>
+            <li><a data-toggle="tab" href="#fcgis">{{ lang._('FastCGI Applications') }}</a></li>
             <li><a data-toggle="tab" href="#luas">{{ lang._('Lua Scripts') }}</a></li>
             <li><a data-toggle="tab" href="#mapfiles">{{ lang._('Map Files') }}</a></li>
             <li><a data-toggle="tab" href="#cpus">{{ lang._('CPU Affinity Rules') }}</a></li>
@@ -784,6 +797,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <p>{{ lang._("Most of the time these features are not required, but in certain situations they will be handy:") }}</p>
             <ul>
               <li>{{ lang._("%sError Messages:%s Return a custom message instead of errors generated by HAProxy. Useful to overwrite HAProxy's internal error messages. The message must represent the full HTTP response and include required HTTP headers.") | format('<b>', '</b>') }}</li>
+              <li>{{ lang._("%sFastCGI Applications:%s HAProxy can be configured to send requests to FastCGI applications. After configuring a FastCGI application, it needs to be enabled in a %sBackend Pool%s.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sLua scripts:%s Include your own Lua code/scripts to extend HAProxy's functionality. The Lua code can be used in certain %sRules%s, for example.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sMap Files:%s A map allows to map a data in input to an other one on output. For example, this makes it possible to map a large number of domains to backend pools without using the GUI. Map files need to be used in %sRules%s, otherwise they are ignored.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sCPU Affinity Rules:%s This feature makes it possible to bind HAProxy's processes/threads to a specific CPU (or a CPU set). Furthermore it is possible to select CPU Affinity Rules in %sPublic Services%s to restrict them to a certain set of processes/threads/CPUs.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
@@ -1029,6 +1043,31 @@ POSSIBILITY OF SUCH DAMAGE.
         </table>
     </div>
 
+    <div id="fcgis" class="tab-pane fade">
+        <table id="grid-fcgis" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogFcgi" data-editAlert="haproxyChangeMessage">
+            <thead>
+            <tr>
+                <th data-column-id="fcgiid" data-type="number"  data-visible="false">{{ lang._('FastCGI ID') }}</th>
+                <th data-column-id="name" data-type="string">{{ lang._('FastCGI Application Name') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+
     <div id="errorfiles" class="tab-pane fade">
         <table id="grid-errorfiles" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogErrorfile" data-editAlert="haproxyChangeMessage">
             <thead>
@@ -1264,6 +1303,7 @@ POSSIBILITY OF SUCH DAMAGE.
 {{ partial("layout_partials/base_dialog",['fields':formDialogGroup,'id':'DialogGroup','label':lang._('Edit Group')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogLua,'id':'DialogLua','label':lang._('Edit Lua Script')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogErrorfile,'id':'DialogErrorfile','label':lang._('Edit Error Message')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogFcgi,'id':'DialogFcgi','label':lang._('Edit FastCGI Application')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogMapfile,'id':'DialogMapfile','label':lang._('Edit Map File')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogCpu,'id':'DialogCpu','label':lang._('Edit CPU Affinity Rule')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogResolver,'id':'DialogResolver','label':lang._('Edit Resolver')])}}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index d7d910beb4..e0fb1fd7aa 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -465,6 +465,20 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
+{%         elif action_data.type == 'fcgi_pass_header' %}
+{%           if action_data.fcgi_pass_header|default('') != '' %}
+{%             do action_options.append('pass-header ' ~ action_data.fcgi_pass_header) %}
+{%           else %}
+{%             set action_enabled = '0' %}
+    # ERROR: missing parameters
+{%           endif %}
+{%         elif action_data.type == 'fcgi_set_param' %}
+{%           if action_data.fcgi_set_param|default('') != '' %}
+{%             do action_options.append('set-param ' ~ action_data.fcgi_set_param) %}
+{%           else %}
+{%             set action_enabled = '0' %}
+    # ERROR: missing parameters
+{%           endif %}
 {%         elif action_data.type == 'http-request_allow' %}
 {%           do action_options.append('http-request allow') %}
 {%         elif action_data.type == 'http-request_deny' %}
@@ -696,7 +710,7 @@
 {%             set comment_lines = comment_lines + ['    # NOTE: actions with no ACLs/conditions will always match'] %}
 {%           endif %}
 {%           if action_options|length > 0 %}
-{%             do global_action_options.append(comment_lines|join('\n')) %}
+{%             do global_action_options.append(comment_lines|join('\n')) -%}
 {%             do global_action_options.append(([action_options|join(' '), acl_line]|join(' '))) %}
 {%           endif %}
 {%         else %}
@@ -1626,6 +1640,17 @@ backend {{backend.name}}
 {%  else %}
     balance {{backend.algorithm}}
 {%  endif %}
+{# # FastCGI application #}
+{%       if backend.linkedFcgi|default("") != "" %}
+{%         set fcgi_data = helpers.getUUID(backend.linkedFcgi) %}
+{%         if fcgi_data == {} %}
+# ERROR: FastCGI data not found ({{backend.linkedFcgi}})
+{%         elif fcgi_data.enabled == '0' %}
+# NOTE: specified FastCGI application is disabled ({{fcgi_data.name}})
+{%         else %}
+    use-fcgi-app {{fcgi_data.name}}
+{%         endif %}
+{%       endif %}
 {#       # call macro to evaluate stickiness config #}
 {{       StickTableConfig(backend,true) }}
     # tuning options
@@ -1771,6 +1796,12 @@ backend {{backend.name}}
 {%               if server_data.mode|default("") != 'active' %}
 {%                 do server_options.append(server_data.mode) %}
 {%               endif %}
+{#               # force multiplexer protocol if FastCGI is configured for this backend #}
+{%               if backend.linkedFcgi|default("") != "" and fcgi_data.enabled == '1' %}
+{%                 do server_options.append('proto fcgi') %}
+{%               elif server_data.multiplexer_protocol|default('') != '' and server_data.multiplexer_protocol|default('') != 'unspecified' %}
+{%                 do server_options.append('proto ' ~ server_data.multiplexer_protocol) %}
+{%               endif %}
 {#               # server ssl communication #}
 {%               if server_data.ssl|default("") == '1' %}
 {%                 do server_options.append('ssl') %}
@@ -1785,7 +1816,8 @@ backend {{backend.name}}
 {%                   do server_options.append('alpn ' ~ alpn_options) %}
 {%                 endif %}
 {#               # HTTP/2 without TLS #}
-{%               elif backend.http2Enabled|default("") == '1' and backend.http2Enabled_nontls|default("") == '1' %}
+{#               # Must be ignored when a FastCGI application is configured #}
+{%               elif backend.http2Enabled|default("") == '1' and backend.http2Enabled_nontls|default("") == '1' and (server_data.multiplexer_protocol|default('') == '' or server_data.multiplexer_protocol|default('') == 'unspecified') and (backend.linkedFcgi|default('') == '' or fcgi_data.enabled == '0') %}
 {%                 do server_options.append('proto h2') %}
 {%               endif %}
 {#               # ssl verification can be enabled for two reasons: #}
@@ -1895,6 +1927,50 @@ backend {{backend.name}}
 {%   endfor %}
 {%- endif -%}
 
+{# ############################### #}
+{#             FASTCGI             #}
+{# ############################### #}
+
+{%- if helpers.exists('OPNsense.HAProxy.fcgis') %}
+{%   for fcgi in helpers.toList('OPNsense.HAProxy.fcgis.fcgi') %}
+{#     # ignore disabled fcgis #}
+{%     if fcgi.enabled == '1' %}
+# FastCGI: {{fcgi.name}} ({{fcgi.description}})
+fcgi-app {{fcgi.name}}
+    docroot {{fcgi.docroot}}
+{%       if fcgi.log_stderr|default('') == '1' %}
+    log-stderr global
+{%       endif -%}
+{%       if fcgi.index|default('') != '' %}
+    index {{fcgi.index}}
+{%       endif -%}
+{%       if fcgi.path_info|default('') != '' %}
+    path-info {{fcgi.path_info}}
+{%       endif -%}
+{%       if fcgi.keep_conn|default('') == '1' %}
+    option keep-conn
+{%       endif -%}
+{%       if fcgi.get_values|default('') == '1' %}
+    option get-values
+{%       endif -%}
+{%       if fcgi.mpxs_conns|default('') == '1' %}
+    option mpxs-conns
+{%       endif -%}
+{%       if fcgi.max_reqs|default('') != '' %}
+    option max-reqs {{fcgi.max_reqs}}
+{%       endif -%}
+{#        # action and ACL configuration #}
+{%       if fcgi.linkedActions|default("") != "" -%}
+{#         # call macro to evaluate ACLs and actions #}
+{{         AclsAndActions(fcgi.linkedActions) }}
+{%-      endif %}
+
+{%     else %}
+# FastCGI (DISABLED): {{fcgi.name}} ({{fcgi.description}})
+{%     endif %}
+{%   endfor %}
+{%- endif %}
+
 {# ############################### #}
 {#               PEERS             #}
 {# ############################### #}

From 548566b52db2e7a5799bb67530f88086b63546b6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 24 Oct 2022 07:37:09 +0200
Subject: [PATCH 1243/3088] security/acme-client: small style update

---
 security/acme-client/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 1e45db84a3..98fd4b1bc4 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 ================
 
 3.14
+
 NOTE: Users of Selfhost need to manually fix their configuration, see
 https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#151-use-selfhost-dns-api
 

From efade39416f828b199d977aee6c7f66870c5847c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 27 Oct 2022 09:03:04 +0200
Subject: [PATCH 1244/3088] License: pick up missing, remove vague attribution,
 sort better

---
 LICENSE                                                    | 7 ++++---
 Scripts/license                                            | 2 +-
 security/tor/src/opnsense/scripts/tor/tor_diag             | 7 ++++---
 .../smart/src/www/widgets/widgets/smart_status.widget.php  | 2 +-
 4 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/LICENSE b/LICENSE
index 0775e221e5..00b263a31b 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,5 @@
 Copyright (c) 2015-2022 Ad Schellevis <ad@opnsense.org>
+Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2021 Axelrtgs
@@ -11,10 +12,11 @@ Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
 Copyright (c) 2014-2022 Deciso B.V.
+Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 Copyright (c) 2008 Donovan Schonknecht
-Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2006 Eric Friesen
 Copyright (c) 2008-2010 Ermal Luçi
+Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
@@ -36,6 +38,7 @@ Copyright (c) 2022 Markus Reiter <me@reitermark.us>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2012 mkirbst
 Copyright (c) 2021 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
@@ -50,8 +53,6 @@ Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2022 Wouter Deurholt
 Copyright (c) 2010 Yehuda Katz
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
-Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
-Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
diff --git a/Scripts/license b/Scripts/license
index fac05e1752..6580d40b22 100755
--- a/Scripts/license
+++ b/Scripts/license
@@ -113,7 +113,7 @@ sub process_file
 
 find( \&process_file, $src );
 
-for ( sort keys %copyrights ) {
+for ( sort { lc($a) cmp lc($b) } keys %copyrights ) {
     my $date = $copyrights{$_}[0];
     next if $date == 0;
     $date = join '-', @{ $copyrights{$_} } if $copyrights{$_}[1] != $date;
diff --git a/security/tor/src/opnsense/scripts/tor/tor_diag b/security/tor/src/opnsense/scripts/tor/tor_diag
index 266644ce0a..4d5a7593ca 100755
--- a/security/tor/src/opnsense/scripts/tor/tor_diag
+++ b/security/tor/src/opnsense/scripts/tor/tor_diag
@@ -1,6 +1,9 @@
 #!/usr/local/bin/ruby
+
 =begin
-Copyright 2017 Fabian Franz
+Copyright (c) 2017 Fabian Franz
+All rights reserved.
+
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
 
@@ -22,7 +25,6 @@ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 =end
 
-
 require 'enumerator'
 require 'json'
 require 'optparse'
@@ -33,7 +35,6 @@ require 'rexml/document'
 # global for showing debug output if needed
 $TOR_DEBUG = false
 
-
 config = REXML::Document.new(File.new("/conf/config.xml"))
 $TOR_PASSWORD = config.elements['opnsense/OPNsense/tor/general/control_port_password'].text
 $TOR_CONTROL_PORT = 9051
diff --git a/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php b/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php
index cdfcf94992..52d951f5fe 100644
--- a/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php
+++ b/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php
@@ -3,7 +3,7 @@
 /*
  * Copyright (C) 2018 Smart-Soft
  * Copyright (C) 2014 Deciso B.V.
- * Copyright 2012 mkirbst @ pfSense Forum
+ * Copyright (C) 2012 mkirbst
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

From fe0392a9f36c784ac4619df773bff8991da4dd47 Mon Sep 17 00:00:00 2001
From: nan0 <49376203+devNan0@users.noreply.github.com>
Date: Thu, 27 Oct 2022 15:05:45 +0200
Subject: [PATCH 1245/3088] net-mgmt/telegraf: Add apcupsd input (#3177)

---
 net-mgmt/telegraf/Makefile                           |  2 +-
 net-mgmt/telegraf/pkg-descr                          |  4 ++++
 .../controllers/OPNsense/Telegraf/forms/input.xml    | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Telegraf/Input.xml       |  6 ++++++
 .../templates/OPNsense/Telegraf/telegraf.conf        |  6 ++++++
 5 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index a0f9033a43..509109d366 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.5
+PLUGIN_VERSION=		1.12.6
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 39bc8d6084..a98a0c459c 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.6
+
+* Add apcupsd input
+
 1.12.5
 
 * Add support for basic HTTP Authentication agains Elasticsearch (contributed by psychogun)
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
index d33e5e2731..8d79947185 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
@@ -179,4 +179,16 @@
         <type>checkbox</type>
         <help>Enable the collection of Unbound metrics.</help>
     </field>
+    <field>
+        <id>input.apcupsd</id>
+        <label>Apcupsd</label>
+        <type>checkbox</type>
+        <help>Enable the collection of apcupsd metrics.</help>
+    </field>
+    <field>
+        <id>input.apcupsd_server</id>
+        <label>Apcupsd Netserver IP Address</label>
+        <type>text</type>
+        <help>IP address or hostname of the apcupsd net information server. Default address is 127.0.0.1</help>
+    </field>
 </form>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index f85b74a24f..95e8efdf82 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -114,5 +114,11 @@
         <unbound type="BooleanField">
             <Required>N</Required>
         </unbound>
+        <apcupsd type="BooleanField">
+            <Required>N</Required>
+        </apcupsd>
+        <apcupsd_server type="TextField">
+            <Required>N</Required>
+        </apcupsd_server>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 619f0f6d63..6991423d18 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -303,4 +303,10 @@
    timeout = "5s"
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.input.apcupsd') and OPNsense.telegraf.input.apcupsd == '1' %}
+[[inputs.apcupsd]]
+  servers = ["tcp://{{ OPNsense.telegraf.input.apcupsd_server|default('127.0.0.1') }}:3551"]
+  timeout = "5s"
+{% endif %}
+
 {% endif %}

From d996dcc134fd310f861807029375e3db7dcc8afc Mon Sep 17 00:00:00 2001
From: nan0 <49376203+devNan0@users.noreply.github.com>
Date: Fri, 28 Oct 2022 16:23:27 +0200
Subject: [PATCH 1246/3088] sysutils/apcupsd: Add log view (#3176)

---
 sysutils/apcupsd/Makefile                                   | 2 +-
 sysutils/apcupsd/pkg-descr                                  | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml  | 5 +++--
 .../opnsense/service/templates/OPNsense/Apcupsd/+TARGETS    | 1 +
 .../service/templates/OPNsense/Apcupsd/syslog-filter.conf   | 6 ++++++
 5 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/syslog-filter.conf

diff --git a/sysutils/apcupsd/Makefile b/sysutils/apcupsd/Makefile
index f4c4662a07..e7999595d5 100644
--- a/sysutils/apcupsd/Makefile
+++ b/sysutils/apcupsd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=        apcupsd
-PLUGIN_VERSION=     1.0
+PLUGIN_VERSION=     1.1
 PLUGIN_DEPENDS=     apcupsd
 PLUGIN_COMMENT=     APCUPSD - APC UPS daemon
 PLUGIN_MAINTAINER=  xbb@xbblabs.com
diff --git a/sysutils/apcupsd/pkg-descr b/sysutils/apcupsd/pkg-descr
index f7613b200c..82630562f3 100644
--- a/sysutils/apcupsd/pkg-descr
+++ b/sysutils/apcupsd/pkg-descr
@@ -12,6 +12,10 @@ WWW: http://www.apcupsd.org/
 Plugin Changelog
 ================
 
+1.1
+
+* Add log view
+
 1.0 (initial release)
 
 * Apcupsd service control and configuration
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml
index 557d3f8ab5..a0b3895b0a 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Menu/Menu.xml
@@ -1,8 +1,9 @@
 <menu>
     <Services>
         <Apcupsd cssClass="fa fa-battery-full fa-fw">
-            <Settings url="/ui/apcupsd" />
-            <Status url="/ui/apcupsd/status" />
+            <Settings order="10" url="/ui/apcupsd" />
+            <Status order="20" url="/ui/apcupsd/status" />
+            <LogFile VisibleName="Log File" order="30" url="/ui/diagnostics/log/core/apcupsd"/>
         </Apcupsd>
     </Services>
 </menu>
diff --git a/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/+TARGETS b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/+TARGETS
index 3ad405f594..fc80c3aa8b 100644
--- a/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/+TARGETS
+++ b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/+TARGETS
@@ -1,2 +1,3 @@
 apcupsd:/etc/rc.conf.d/apcupsd
 apcupsd.conf:/usr/local/etc/apcupsd/apcupsd.conf
+syslog-filter.conf:/usr/local/opnsense/service/templates/OPNsense/Syslog/local/apcupsd.conf
diff --git a/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/syslog-filter.conf b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/syslog-filter.conf
new file mode 100644
index 0000000000..16b8a217a3
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/service/templates/OPNsense/Apcupsd/syslog-filter.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [apcupsd].
+###################################################################
+filter f_local_apcupsd {
+    program("apcupsd");
+};

From 0fff7f0581c76455bdabdb3e993980d9c2f8fbeb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Nov 2022 09:31:06 +0100
Subject: [PATCH 1247/3088] dns/ddclient: fix description key

---
 .../src/opnsense/service/conf/actions.d/actions_ddclient.conf   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
index 8e5e6c59c6..a7ced08f30 100644
--- a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -30,7 +30,7 @@ command:
     /usr/local/sbin/ddclient -force
 type:script
 message:forcing ddclient update
-desciption:Force ddclient update
+description:Force ddclient update
 
 [statistics]
 command:/usr/local/opnsense/scripts/ddclient/stats

From 492b032aae5e4de78f074c066c262b45b4270998 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:10:49 +0100
Subject: [PATCH 1248/3088] dns/ddclient: bump for cron job visibility

---
 dns/ddclient/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index a97dd66e2a..da3961eca6 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.9
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 706841a62986b92ef91dbaf0c0a9debf011f8382 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:19:29 +0100
Subject: [PATCH 1249/3088] security/openconnect: whitespace

---
 security/openconnect/pkg-descr | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index b71d609585..5b026dc2b6 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -8,7 +8,6 @@ Plugin Changelog
 
 1.4.3
 
-
 * Add support for one-time password generation
 * Permit additional characters in group name
 

From b3ba075b047056f833b4fe79bff42bd6f78c898c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:32:28 +0100
Subject: [PATCH 1250/3088] Scripts: make "revision" target work on macOS

---
 Mk/plugins.mk      | 4 ++--
 Scripts/revbump.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 591598d678..9c3f4d5478 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2021 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2022 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -345,7 +345,7 @@ sweep: check
 	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile
 
 revision:
-	@${SCRIPTSDIR}/revbump.sh ${.CURDIR}
+	@MAKE=${MAKE} ${SCRIPTSDIR}/revbump.sh ${.CURDIR}
 
 STYLEDIRS?=	src/etc/inc src/opnsense
 
diff --git a/Scripts/revbump.sh b/Scripts/revbump.sh
index 31f1fa974f..674fd50c27 100755
--- a/Scripts/revbump.sh
+++ b/Scripts/revbump.sh
@@ -8,8 +8,8 @@ if [ -z "${DIR}" ]; then
 	DIR=.
 fi
 
-REV=$(make -C ${DIR} -v PLUGIN_REVISION)
-REV=$(expr ${REV} \+ 1)
+REV=$(${MAKE} -C ${DIR} -v PLUGIN_REVISION)
+REV=$((REV + 1))
 
 grep -v ^PLUGIN_REVISION ${DIR}/Makefile > ${DIR}/Makefile.tmp
 sed -e "s/^\(PLUGIN_VERSION.*\)/\1%PLUGIN_REVISION=	${REV}/g" \

From 6337a21b673f7403dcb7d3b09dce003075859422 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:33:05 +0100
Subject: [PATCH 1251/3088] sysutils/vnstat: bump revision

---
 net/vnstat/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/vnstat/Makefile b/net/vnstat/Makefile
index d5d2224237..8bbf7518fb 100644
--- a/net/vnstat/Makefile
+++ b/net/vnstat/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		vnstat
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Network traffic monitor
 PLUGIN_DEPENDS=		vnstat
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 8ab0089ff43781d200c05746a3ae32797a66efe7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:37:57 +0100
Subject: [PATCH 1252/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index 00b263a31b..68971d18b5 100644
--- a/LICENSE
+++ b/LICENSE
@@ -19,7 +19,7 @@ Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
-Copyright (c) 2014-2021 Franco Fichtner <franco@opnsense.org>
+Copyright (c) 2014-2022 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2022 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2016 IT-assistans Sverige AB

From 402a01a649493629f635f67a5bcbbde9a6b4441a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:38:33 +0100
Subject: [PATCH 1253/3088] net/tayga: bump revision

---
 net/tayga/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index 78cffb74a4..bc8a613cab 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		tayga
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 1f23bf9d1df45c3cbe81d3bf6ba75c4cbf905f97 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:40:48 +0100
Subject: [PATCH 1254/3088] net/siproxd: bump version

---
 net/siproxd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/siproxd/Makefile b/net/siproxd/Makefile
index d10bb8f394..0cd01392e0 100644
--- a/net/siproxd/Makefile
+++ b/net/siproxd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		siproxd
 PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Siproxd is a proxy daemon for the SIP protocol
 PLUGIN_DEPENDS=		siproxd
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 33d7e8296f58be3a10b2a0aaf62826616af26521 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:42:46 +0100
Subject: [PATCH 1255/3088] net/ntopng: bump revision

---
 net/ntopng/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ntopng/Makefile b/net/ntopng/Makefile
index fdced159bb..ac7da5a1ad 100644
--- a/net/ntopng/Makefile
+++ b/net/ntopng/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ntopng
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Traffic Analysis and Flow Collection
 PLUGIN_DEPENDS=		ntopng
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From b71a22e8cccf2246563c86ae0141a480e6b5162f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:47:07 +0100
Subject: [PATCH 1256/3088] net/frr: update changelog

---
 net/frr/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 51c8c767f1..013eb0ae93 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -15,6 +15,9 @@ Plugin Changelog
 1.31
 
 * Set no bgp default ipv4-unicast (contributed by vnxme)
+* Increase artifical BGP GUI ID limits (contributed by Patrik Kernstock)
+* Add BGP Network Import-Check (contributed by Patrik Kernstock)
+* Assorted GUI fixes (contributed by Patrik Kernstock)
 
 1.30
 

From 2fe6cc4239c277943a34984cfd9e5e6c0a365dbd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:48:11 +0100
Subject: [PATCH 1257/3088] net/freeradius: bump revision

---
 net/freeradius/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 56558aa9b1..e425cc5423 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.21
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 3aceda7eb61241be41a80ce24aeb30383cbe2e79 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 10:28:53 +0100
Subject: [PATCH 1258/3088] net/chrony: bump revision

---
 net/chrony/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index 05ef39bac5..8c7aa0bed6 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		chrony
 PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 0319179a3526bbcaa41d50ed7883b0502a33ce8c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 10:32:38 +0100
Subject: [PATCH 1259/3088] net/mgmt/zabbix-*: bump revision

---
 net-mgmt/zabbix-agent/Makefile | 1 +
 net-mgmt/zabbix-proxy/Makefile | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 70077f04ae..e4fdef8cf5 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.13
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_VARIANTS=	zabbix62 zabbix6 zabbix5
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 84afa28784..adf7ff2add 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.9
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix62 zabbix6 zabbix5 zabbix4

From 6a265fb9876188e36ad7bcede6e550ba3dd7c789 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 09:50:13 +0100
Subject: [PATCH 1260/3088] Framework: allow MFC from subdir

---
 Mk/defaults.mk | 10 +++++++---
 Mk/plugins.mk  |  4 ++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 6a22f46206..9a8e0fdec3 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2016-2021 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2016-2022 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -121,18 +121,22 @@ ensure-stable:
 		git config branch.stable/${PLUGIN_ABI}.remote origin; \
 	fi
 
+diff_ARGS?= 	.
+
 diff: ensure-stable
 	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${diff_ARGS:[1]}
 
+mfc_ARGS?=	.
+
 mfc: ensure-stable
 .for MFC in ${mfc_ARGS}
 .if exists(${MFC})
 	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${MFC} > /tmp/mfc.diff
 	@git checkout stable/${PLUGIN_ABI}
 	@git apply /tmp/mfc.diff
-	@git add ${.CURDIR}
+	@git add ${.CURDIR}/${MFC}
 	@if ! git diff --quiet HEAD; then \
-		git commit -m "${MFC}: sync with master"; \
+		git commit -m "${MFC:S/^.$/${PLUGIN_DIR}/}: sync with master"; \
 	fi
 .else
 	@git checkout stable/${PLUGIN_ABI}
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 9c3f4d5478..9925f2bd83 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -80,6 +80,10 @@ PLUGIN_CONFLICTS+=	${${_PLUGIN_VARIANT}_NAME}
 PLUGIN_DEPENDS+=	${${PLUGIN_VARIANT}_DEPENDS}
 .endif
 
+.if !empty(PLUGIN_NAME)
+PLUGIN_DIR?=		${.CURDIR:S/\// /g:[-2]}/${.CURDIR:S/\// /g:[-1]}
+.endif
+
 PLUGIN_PKGNAMES=	${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_SUFFIX} \
 			${PLUGIN_PREFIX}${PLUGIN_NAME}
 .for CONFLICT in ${PLUGIN_CONFLICTS}

From b2413a7f3b95047cd6b848d840fd3b7a63c912ab Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 11:08:11 +0100
Subject: [PATCH 1261/3088] net-mgmt/nrpe: bump revision

---
 net-mgmt/nrpe/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/nrpe/Makefile b/net-mgmt/nrpe/Makefile
index b6c26d948a..26c5479963 100644
--- a/net-mgmt/nrpe/Makefile
+++ b/net-mgmt/nrpe/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nrpe
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Execute nagios plugins
 PLUGIN_DEPENDS=		nrpe3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 0ce517a303b9e17d8ab074634996cd4e8ec2f90f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 11:09:45 +0100
Subject: [PATCH 1262/3088] net-mgmt/netdata: bump revision

---
 net-mgmt/netdata/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/netdata/Makefile b/net-mgmt/netdata/Makefile
index d3001748f5..b15bea43da 100644
--- a/net-mgmt/netdata/Makefile
+++ b/net-mgmt/netdata/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		netdata
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Real-time performance monitoring
 PLUGIN_DEPENDS=		netdata
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From e2a3d3d67aba12da79ed9995fd8453bc3ae37aa5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 11:10:35 +0100
Subject: [PATCH 1263/3088] net-mgmt/collectd: bump revision

---
 net-mgmt/collectd/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/collectd/Makefile b/net-mgmt/collectd/Makefile
index 8df6de3212..87d9d39ddf 100644
--- a/net-mgmt/collectd/Makefile
+++ b/net-mgmt/collectd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		collectd
 PLUGIN_VERSION=		1.4
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Collect system and application performance metrics periodically
 PLUGIN_DEPENDS=		collectd5
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 358cba0425933ca72b6bc39f70df1e22e5467762 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Nov 2022 11:10:56 +0100
Subject: [PATCH 1264/3088] net-mgmt/net-snmp: bump revision

---
 net-mgmt/net-snmp/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 133d1cf23e..53525c05b5 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		net-snmp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Net-SNMP is a daemon for the SNMP protocol
 PLUGIN_DEPENDS=		net-snmp
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From b5f0d60839bb56f47bb7f12b55f5adbbe02e04cb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 4 Nov 2022 09:57:41 +0100
Subject: [PATCH 1265/3088] plugins: move logfomats to syslog dir #5877

---
 .../scripts/{systemhealth => syslog}/logformats/telegraf.py       | 0
 .../scripts/{systemhealth => syslog}/logformats/zabbix_agentd.py  | 0
 .../scripts/{systemhealth => syslog}/logformats/zabbix_proxy.py   | 0
 .../scripts/{systemhealth => syslog}/logformats/freeradius.py     | 0
 .../scripts/{systemhealth => syslog}/logformats/acmeclient.py     | 0
 .../scripts/{systemhealth => syslog}/logformats/puppet_agent.py   | 0
 6 files changed, 0 insertions(+), 0 deletions(-)
 rename net-mgmt/telegraf/src/opnsense/scripts/{systemhealth => syslog}/logformats/telegraf.py (100%)
 rename net-mgmt/zabbix-agent/src/opnsense/scripts/{systemhealth => syslog}/logformats/zabbix_agentd.py (100%)
 rename net-mgmt/zabbix-proxy/src/opnsense/scripts/{systemhealth => syslog}/logformats/zabbix_proxy.py (100%)
 rename net/freeradius/src/opnsense/scripts/{systemhealth => syslog}/logformats/freeradius.py (100%)
 rename security/acme-client/src/opnsense/scripts/{systemhealth => syslog}/logformats/acmeclient.py (100%)
 rename sysutils/puppet-agent/src/opnsense/scripts/{systemhealth => syslog}/logformats/puppet_agent.py (100%)

diff --git a/net-mgmt/telegraf/src/opnsense/scripts/systemhealth/logformats/telegraf.py b/net-mgmt/telegraf/src/opnsense/scripts/syslog/logformats/telegraf.py
similarity index 100%
rename from net-mgmt/telegraf/src/opnsense/scripts/systemhealth/logformats/telegraf.py
rename to net-mgmt/telegraf/src/opnsense/scripts/syslog/logformats/telegraf.py
diff --git a/net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py b/net-mgmt/zabbix-agent/src/opnsense/scripts/syslog/logformats/zabbix_agentd.py
similarity index 100%
rename from net-mgmt/zabbix-agent/src/opnsense/scripts/systemhealth/logformats/zabbix_agentd.py
rename to net-mgmt/zabbix-agent/src/opnsense/scripts/syslog/logformats/zabbix_agentd.py
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py b/net-mgmt/zabbix-proxy/src/opnsense/scripts/syslog/logformats/zabbix_proxy.py
similarity index 100%
rename from net-mgmt/zabbix-proxy/src/opnsense/scripts/systemhealth/logformats/zabbix_proxy.py
rename to net-mgmt/zabbix-proxy/src/opnsense/scripts/syslog/logformats/zabbix_proxy.py
diff --git a/net/freeradius/src/opnsense/scripts/systemhealth/logformats/freeradius.py b/net/freeradius/src/opnsense/scripts/syslog/logformats/freeradius.py
similarity index 100%
rename from net/freeradius/src/opnsense/scripts/systemhealth/logformats/freeradius.py
rename to net/freeradius/src/opnsense/scripts/syslog/logformats/freeradius.py
diff --git a/security/acme-client/src/opnsense/scripts/systemhealth/logformats/acmeclient.py b/security/acme-client/src/opnsense/scripts/syslog/logformats/acmeclient.py
similarity index 100%
rename from security/acme-client/src/opnsense/scripts/systemhealth/logformats/acmeclient.py
rename to security/acme-client/src/opnsense/scripts/syslog/logformats/acmeclient.py
diff --git a/sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py b/sysutils/puppet-agent/src/opnsense/scripts/syslog/logformats/puppet_agent.py
similarity index 100%
rename from sysutils/puppet-agent/src/opnsense/scripts/systemhealth/logformats/puppet_agent.py
rename to sysutils/puppet-agent/src/opnsense/scripts/syslog/logformats/puppet_agent.py

From f8fe9af7703a92dc056da80b669b38c39ef7a6c3 Mon Sep 17 00:00:00 2001
From: Mike Reiche <mike@reiche.world>
Date: Fri, 4 Nov 2022 14:27:13 +0100
Subject: [PATCH 1266/3088] Allow dynamic proxy_ssl_name. Fixes #3172 (#3173)

---
 .../mvc/app/controllers/OPNsense/Nginx/forms/location.xml   | 2 +-
 .../mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml   | 2 +-
 .../src/opnsense/service/templates/OPNsense/Nginx/http.conf | 6 ++++++
 .../opnsense/service/templates/OPNsense/Nginx/location.conf | 2 ++
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index d76106cd94..e228f35056 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -255,7 +255,7 @@
     <label>TLS SNI Forwarding</label>
     <type>checkbox</type>
     <advanced>true</advanced>
-    <help>Check this box, if you want the client SNI header to be used instead of your backend hostname. This settings overrides the configured hostname in the upstream configuration.</help>
+    <help>Check this box, if you want to passthrough the hostname you get from the downstream to the upstream connection. Can be overriden in the upstream's hostname configuration. Please note, that TLS server certificates are validated against this servername. If the server name passed by the client leads to different processing on the upstream server (i.e. different virtual host is choosen), this may cause security leaks.</help>
   </field>
   <field>
     <id>location.proxy_buffer_size</id>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
index 65ba0b5736..15fa996024 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
@@ -40,7 +40,7 @@
   <field>
     <id>upstream.tls_name_override</id>
     <label>TLS: Servername override</label>
-    <help>Use another hostname for SNI and certificate validation.</help>
+    <help>Force a specific hostname for the backend connection instead of passing the hostname from the downstream connection to the upstream connection.</help>
     <type>text</type>
   </field>
   <field>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 6a17cb554e..61b3325257 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -52,6 +52,12 @@ map $http_upgrade $connection_upgrade {
     ''      close;
 }
 
+# Map used in location.conf for proxy_ssl_name
+map $ssl_server_name $upstream_sni_name {
+    default $ssl_server_name;
+    '' $host;
+}
+
 include http_post/*.conf;
 
 # TODO add when core is ready for allowing nginx to serve the web interface
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index b18872e4d4..2b468ff452 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -193,6 +193,8 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {%     endif %}
 {%     if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
     proxy_ssl_name {{ upstream.tls_name_override }};
+{%     elif location.proxy_ssl_server_name is defined and location.proxy_ssl_server_name == '1' %}
+    proxy_ssl_name $upstream_sni_name;
 {%     endif %}
 {%     if upstream.tls_protocol_versions is defined and upstream.tls_protocol_versions != '' %}
     proxy_ssl_protocols {{ upstream.tls_protocol_versions.replace(',', ' ') }};

From 7dc3785588193a4c016128c789f997e05006317f Mon Sep 17 00:00:00 2001
From: jkellerer <jkellerer@users.noreply.github.com>
Date: Sun, 6 Nov 2022 08:25:30 +0100
Subject: [PATCH 1267/3088] net/wireguard: fixed array_merge() error for
 removed peers (#3180)

---
 .../controllers/OPNsense/Wireguard/Api/GeneralController.php  | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
index 9ce308698c..1aca5548df 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
@@ -84,6 +84,10 @@ public function getStatusAction()
                 $serverPeers = explode(",", (string) $server->peers);
                 // iteriate over each peer uuid
                 foreach ($serverPeers as $peerUuid) {
+                    // skipping removed peer that is still referenced in server
+                    if (!isset($peers[$peerUuid])) {
+                        continue;
+                    }
                     // remember interface and pubkey <> peer-uuid reference for referencing handshake logic below
                     $peer_pubkey_reference[$interface][$peers_uuid_pubkey[$peerUuid]] = $peerUuid;
                     // merge peer info and initial values for handshake data

From 460813d59e60bd61ca727007b906414632696f14 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Nov 2022 12:21:13 +0200
Subject: [PATCH 1268/3088] dns/ddclient: switch this to development version

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index da3961eca6..3badaf93ce 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.9
 PLUGIN_REVISION=	1
-PLUGIN_DEPENDS=		ddclient
+PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From 5c309d2a937dbd23541d6f8951a027eb0251b41f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Nov 2022 12:22:07 +0200
Subject: [PATCH 1269/3088] net/wireguard: bump after fix

---
 net/wireguard/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 6e0e792ad5..3b8d3acfef 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 1781291d7f0627883cd01383a18931ce2977587c Mon Sep 17 00:00:00 2001
From: Tawmu <Tawmu@users.noreply.github.com>
Date: Wed, 9 Nov 2022 10:40:44 +0000
Subject: [PATCH 1270/3088] net/upnp: add missing firewall anchors (#3165)

---
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 1ecb50780a..9ded4aeb4a 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -41,6 +41,8 @@ function miniupnpd_firewall($fw)
 
     $fw->registerAnchor('miniupnpd', 'rdr');
     $fw->registerAnchor('miniupnpd', 'fw');
+    $fw->registerAnchor('miniupnpd', 'nat', 0, 'head');
+    $fw->registerAnchor('miniupnpd', 'binat');
 }
 
 function miniupnpd_services()

From b6a9b0f554164b9f0a1ee02e544fe2ef39705def Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 9 Nov 2022 14:25:51 +0100
Subject: [PATCH 1271/3088] net/freeradius - add missing syslog local target

---
 .../service/templates/OPNsense/Syslog/local/radius.conf     | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 net/freeradius/src/opnsense/service/templates/OPNsense/Syslog/local/radius.conf

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Syslog/local/radius.conf b/net/freeradius/src/opnsense/service/templates/OPNsense/Syslog/local/radius.conf
new file mode 100644
index 0000000000..f56eef1877
--- /dev/null
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Syslog/local/radius.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [Freeradius].
+###################################################################
+filter f_local_radius {
+     program("radiusd")
+};

From ebcdb5eef611d185cd0cf90952d5a3d149a7cedf Mon Sep 17 00:00:00 2001
From: Del Attipoe <delali.att@gmail.com>
Date: Thu, 10 Nov 2022 10:40:38 +0000
Subject: [PATCH 1272/3088] net-mgmt/telegraf: Add Influxv2 timeout (#3167)

---
 net-mgmt/telegraf/pkg-descr                                 | 3 +++
 .../mvc/app/controllers/OPNsense/Telegraf/forms/output.xml  | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml    | 4 ++++
 .../service/templates/OPNsense/Telegraf/telegraf.conf       | 3 +++
 4 files changed, 16 insertions(+)

diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index a98a0c459c..9f80fd1b24 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -11,6 +11,9 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 
 Plugin Changelog
 ================
+1.12.6
+
+* Add Influx v2 flush timeout
 
 1.12.6
 
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index b627fa1e6b..2ea1ee342b 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -77,6 +77,12 @@
         <type>checkbox</type>
         <help>This will skip chain and host verification.</help>
     </field>
+    <field>
+        <id>output.influx_v2_timeout</id>
+        <label>Timeout</label>
+        <type>text</type>
+        <help>Flush timeout for the v2 Telegraf output in seconds, formatted as a string. If not provided, will default to 5. 0 means no timeout, but is not recommended. Increase if you get timeout errors.</help>
+    </field>
     <field>
         <id>output.graphite_enable</id>
         <label>Enable Graphite Output</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 404bd8ddf0..46015f2261 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -123,6 +123,10 @@
             <default>0</default>
             <Required>N</Required>
         </influx_v2_insecure_skip_verify>
+        <influx_v2_timeout type="IntegerField">
+            <default>5</default>
+            <Required>N</Required>
+        </influx_v2_timeout>
         <datadog_enable type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 6991423d18..489aadf80a 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -176,6 +176,9 @@
   insecure_skip_verify = false
 {%   endif %}
 {% endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.influx_v2_timeout') and OPNsense.telegraf.output.influx_v2_timeout != '' %}
+  timeout = "{{ OPNsense.telegraf.output.influx_v2_timeout }}s"
+{%   endif %}
 
 {% if helpers.exists('OPNsense.telegraf.input.cpu') and OPNsense.telegraf.input.cpu == '1' %}
 [[inputs.cpu]]

From 943924c0ff41c774726357a577c6935a1df98dc4 Mon Sep 17 00:00:00 2001
From: clanto007 <44651109+clanto007@users.noreply.github.com>
Date: Tue, 15 Nov 2022 08:34:13 +0100
Subject: [PATCH 1273/3088] net/freeradius: Proxy Configuration Page (#3142)

---
 net/freeradius/Makefile                       |   5 +-
 net/freeradius/pkg-descr                      |   3 +
 .../Freeradius/Api/ProxyController.php        | 409 ++++++++++++++++++
 .../OPNsense/Freeradius/ProxyController.php   |  40 ++
 .../forms/dialogEditFreeRADIUSHomeserver.xml  | 140 ++++++
 .../dialogEditFreeRADIUSHomeserverpool.xml    |  40 ++
 .../forms/dialogEditFreeRADIUSRealm.xml       |  32 ++
 .../OPNsense/Freeradius/forms/general.xml     |   7 +
 .../OPNsense/Freeradius/forms/ldap.xml        |   2 +-
 .../models/OPNsense/Freeradius/General.xml    |   4 +
 .../app/models/OPNsense/Freeradius/Ldap.xml   |   2 +-
 .../models/OPNsense/Freeradius/Menu/Menu.xml  |   5 +
 .../app/models/OPNsense/Freeradius/Proxy.php  |  22 +
 .../app/models/OPNsense/Freeradius/Proxy.xml  | 191 ++++++++
 .../app/views/OPNsense/Freeradius/proxy.volt  | 237 ++++++++++
 .../templates/OPNsense/Freeradius/+TARGETS    |   1 +
 .../templates/OPNsense/Freeradius/proxy.conf  | 126 ++++++
 17 files changed, 1261 insertions(+), 5 deletions(-)
 create mode 100644 net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
 create mode 100644 net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/ProxyController.php
 create mode 100644 net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml
 create mode 100644 net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml
 create mode 100644 net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml
 create mode 100644 net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php
 create mode 100644 net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
 create mode 100644 net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
 create mode 100644 net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/proxy.conf

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index e425cc5423..0d9e54433c 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.21
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.9.22
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
-.include "../../Mk/plugins.mk"
+.include "../../Mk/plugins.mk"
\ No newline at end of file
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 5b5df9231d..98dabe097a 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -14,6 +14,9 @@ The server is fast, feature-rich, modular, and scalable.
 
 Plugin Changelog
 ================
+1.9.22
+
+* Add Proxy configuration page: HomeServer, HomeServerPool, Realm
 
 1.9.21
 
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
new file mode 100644
index 0000000000..24baa94c6d
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
@@ -0,0 +1,409 @@
+<?php
+
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Freeradius\Api;
+
+use OPNsense\Freeradius\Proxy;
+use OPNsense\Core\Config;
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Base\UIModelGrid;
+
+class ProxyController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'Proxy';
+    protected static $internalModelClass = '\OPNsense\Freeradius\Proxy';
+
+    public function getAction()
+    {
+        // define list of configurable settings
+        $result = array();
+        if ($this->request->isGet()) {
+            $mdlProxy = new Proxy();
+            $result['proxy'] = $mdlProxy->getNodes();
+        }
+        return $result;
+    }
+
+    public function setAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            // load model and update with provided data
+            $mdlProxy = new Proxy();
+            $mdlProxy->setNodes($this->request->getPost("proxy"));
+            // perform validation
+            $valMsgs = $mdlProxy->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                if (!array_key_exists("validations", $result)) {
+                    $result["validations"] = array();
+                }
+                $result["validations"]["proxy." . $msg->getField()] = $msg->getMessage();
+            }
+            // serialize model to config and save
+            if ($valMsgs->count() == 0) {
+                $mdlProxy->serializeToConfig();
+                Config::getInstance()->save();
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+
+
+    public function searchRealmAction()
+    {
+        $this->sessionClose();
+        $mdlRealm = $this->getModel();
+        $grid = new UIModelGrid($mdlRealm->realms->realm);
+        return $grid->fetchBindRequest(
+            $this->request,
+            array("enabled", "name", "auth_pool", "acct_pool", "nostrip" )
+        );
+    }
+
+    public function getRealmAction($uuid = null)
+    {
+        $mdlRealm = $this->getModel();
+        if ($uuid != null) {
+            $node = $mdlRealm->getNodeByReference('realms.realm.' . $uuid);
+            if ($node != null) {
+                // return node
+                return array("realm" => $node->getNodes());
+            }
+        } else {
+            $node = $mdlRealm->realms->realm->add();
+            return array("realm" => $node->getNodes());
+        }
+        return array();
+    }
+
+    public function addRealmAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost() && $this->request->hasPost("realm")) {
+            $result = array("result" => "failed", "validations" => array());
+            $mdlRealm = $this->getModel();
+            $node = $mdlRealm->realms->realm->Add();
+            $node->setNodes($this->request->getPost("realm"));
+            $valMsgs = $mdlRealm->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                $fieldnm = str_replace($node->__reference, "realm", $msg->getField());
+                $result["validations"][$fieldnm] = $msg->getMessage();
+            }
+            if (count($result['validations']) == 0) {
+                unset($result['validations']);
+                // save config if validated correctly
+                $mdlRealm->serializeToConfig();
+                Config::getInstance()->save();
+                unset($result['validations']);
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+
+    public function delRealmAction($uuid)
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlRealm = $this->getModel();
+            if ($uuid != null) {
+                if ($mdlRealm->realms->realm->del($uuid)) {
+                    $mdlRealm->serializeToConfig();
+                    Config::getInstance()->save();
+                    $result['result'] = 'deleted';
+                } else {
+                    $result['result'] = 'not found';
+                }
+            }
+        }
+        return $result;
+    }
+
+    public function setRealmAction($uuid)
+    {
+        if ($this->request->isPost() && $this->request->hasPost("realm")) {
+            $mdlSetting = $this->getModel();
+            if ($uuid != null) {
+                $node = $mdlSetting->getNodeByReference('realms.realm.' . $uuid);
+                if ($node != null) {
+                    $result = array("result" => "failed", "validations" => array());
+                    $clientInfo = $this->request->getPost("realm");
+                    $node->setNodes($clientInfo);
+                    $valMsgs = $mdlSetting->performValidation();
+                    foreach ($valMsgs as $field => $msg) {
+                        $fieldnm = str_replace($node->__reference, "realm", $msg->getField());
+                        $result["validations"][$fieldnm] = $msg->getMessage();
+                    }
+                    if (count($result['validations']) == 0) {
+                        // save config if validated correctly
+                        $mdlSetting->serializeToConfig();
+                        Config::getInstance()->save();
+                        $result = array("result" => "saved");
+                    }
+                    return $result;
+                }
+            }
+        }
+        return array("result" => "failed");
+    }
+
+    public function toggle_handler($uuid, $elements, $element)
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlSetting = $this->getModel();
+            if ($uuid != null) {
+                $node = $mdlSetting->getNodeByReference($elements . '.' . $element . '.' . $uuid);
+                if ($node != null) {
+                    if ($node->enabled->__toString() == "1") {
+                        $result['result'] = "Disabled";
+                        $node->enabled = "0";
+                    } else {
+                        $result['result'] = "Enabled";
+                        $node->enabled = "1";
+                    }
+                    // if item has toggled, serialize to config and save
+                    $mdlSetting->serializeToConfig();
+                    Config::getInstance()->save();
+                }
+            }
+        }
+        return $result;
+    }
+
+    public function toggleRealmAction($uuid)
+    {
+        return $this->toggle_handler($uuid, 'realms', 'realm');
+    }
+    public function searchHomeserverAction()
+    {
+        $this->sessionClose();
+        $mdlHomeserver = $this->getModel();
+        $grid = new UIModelGrid($mdlHomeserver->homeservers->homeserver);
+        return $grid->fetchBindRequest(
+            $this->request,
+            array("enabled", "name", "type", "addresstype", "ipaddr", "ipaddr6", "ipaddr6", "virtualserver", "port", "proto", "secret", "sourceip", "response_window", "no_response_fail", "zombieperiod", "reviveinterval", "statuscheck", "checkinterval", "numanswersalive", "max_outstanding", "limit_maxconnections", "limit_maxrequests", "limit_lifetime", "limit_idletimeout" )
+        );
+    }
+
+    public function getHomeserverAction($uuid = null)
+    {
+        $mdlHomeserver = $this->getModel();
+        if ($uuid != null) {
+            $node = $mdlHomeserver->getNodeByReference('homeservers.homeserver.' . $uuid);
+            if ($node != null) {
+                // return node
+                return array("homeserver" => $node->getNodes());
+            }
+        } else {
+            $node = $mdlHomeserver->homeservers->homeserver->add();
+            return array("homeserver" => $node->getNodes());
+        }
+        return array();
+    }
+
+    public function addHomeserverAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost() && $this->request->hasPost("homeserver")) {
+            $result = array("result" => "failed", "validations" => array());
+            $mdlHomeserver = $this->getModel();
+            $node = $mdlHomeserver->homeservers->homeserver->Add();
+            $node->setNodes($this->request->getPost("homeserver"));
+            $valMsgs = $mdlHomeserver->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                $fieldnm = str_replace($node->__reference, "homeserver", $msg->getField());
+                $result["validations"][$fieldnm] = $msg->getMessage();
+            }
+            if (count($result['validations']) == 0) {
+                unset($result['validations']);
+                // save config if validated correctly
+                $mdlHomeserver->serializeToConfig();
+                Config::getInstance()->save();
+                unset($result['validations']);
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+
+    public function delHomeserverAction($uuid)
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlHomeserver = $this->getModel();
+            if ($uuid != null) {
+                if ($mdlHomeserver->homeservers->homeserver->del($uuid)) {
+                    $mdlHomeserver->serializeToConfig();
+                    Config::getInstance()->save();
+                    $result['result'] = 'deleted';
+                } else {
+                    $result['result'] = 'not found';
+                }
+            }
+        }
+        return $result;
+    }
+
+    public function setHomeserverAction($uuid)
+    {
+        if ($this->request->isPost() && $this->request->hasPost("homeserver")) {
+            $mdlSetting = $this->getModel();
+            if ($uuid != null) {
+                $node = $mdlSetting->getNodeByReference('homeservers.homeserver.' . $uuid);
+                if ($node != null) {
+                    $result = array("result" => "failed", "validations" => array());
+                    $clientInfo = $this->request->getPost("homeserver");
+                    $node->setNodes($clientInfo);
+                    $valMsgs = $mdlSetting->performValidation();
+                    foreach ($valMsgs as $field => $msg) {
+                        $fieldnm = str_replace($node->__reference, "homeserver", $msg->getField());
+                        $result["validations"][$fieldnm] = $msg->getMessage();
+                    }
+                    if (count($result['validations']) == 0) {
+                        // save config if validated correctly
+                        $mdlSetting->serializeToConfig();
+                        Config::getInstance()->save();
+                        $result = array("result" => "saved");
+                    }
+                    return $result;
+                }
+            }
+        }
+        return array("result" => "failed");
+    }
+
+    public function toggleHomeserverAction($uuid)
+    {
+        return $this->toggle_handler($uuid, 'homeservers', 'homeserver');
+    }
+    public function searchHomeserverpoolAction()
+    {
+        $this->sessionClose();
+        $mdlHomeserverpool = $this->getModel();
+        $grid = new UIModelGrid($mdlHomeserverpool->homeserverpools->homeserverpool);
+        return $grid->fetchBindRequest(
+            $this->request,
+            array("enabled", "name", "type", "virtualserver", "virtualserver", "homeservers", "fallback"  )
+        );
+    }
+
+    public function getHomeserverpoolAction($uuid = null)
+    {
+        $mdlHomeserverpool = $this->getModel();
+        if ($uuid != null) {
+            $node = $mdlHomeserverpool->getNodeByReference('homeserverpools.homeserverpool.' . $uuid);
+            if ($node != null) {
+                // return node
+                return array("homeserverpool" => $node->getNodes());
+            }
+        } else {
+            $node = $mdlHomeserverpool->homeserverpools->homeserverpool->add();
+            return array("homeserverpool" => $node->getNodes());
+        }
+        return array();
+    }
+
+    public function addHomeserverpoolAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost() && $this->request->hasPost("homeserverpool")) {
+            $result = array("result" => "failed", "validations" => array());
+            $mdlHomeserverpool = $this->getModel();
+            $node = $mdlHomeserverpool->homeserverpools->homeserverpool->Add();
+            $node->setNodes($this->request->getPost("homeserverpool"));
+            $valMsgs = $mdlHomeserverpool->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                $fieldnm = str_replace($node->__reference, "homeserverpool", $msg->getField());
+                $result["validations"][$fieldnm] = $msg->getMessage();
+            }
+            if (count($result['validations']) == 0) {
+                unset($result['validations']);
+                // save config if validated correctly
+                $mdlHomeserverpool->serializeToConfig();
+                Config::getInstance()->save();
+                unset($result['validations']);
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+
+    public function delHomeserverpoolAction($uuid)
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlHomeserverpool = $this->getModel();
+            if ($uuid != null) {
+                if ($mdlHomeserverpool->homeserverpools->homeserverpool->del($uuid)) {
+                    $mdlHomeserverpool->serializeToConfig();
+                    Config::getInstance()->save();
+                    $result['result'] = 'deleted';
+                } else {
+                    $result['result'] = 'not found';
+                }
+            }
+        }
+        return $result;
+    }
+
+    public function setHomeserverpoolAction($uuid)
+    {
+        if ($this->request->isPost() && $this->request->hasPost("homeserverpool")) {
+            $mdlSetting = $this->getModel();
+            if ($uuid != null) {
+                $node = $mdlSetting->getNodeByReference('homeserverpools.homeserverpool.' . $uuid);
+                if ($node != null) {
+                    $result = array("result" => "failed", "validations" => array());
+                    $clientInfo = $this->request->getPost("homeserverpool");
+                    $node->setNodes($clientInfo);
+                    $valMsgs = $mdlSetting->performValidation();
+                    foreach ($valMsgs as $field => $msg) {
+                        $fieldnm = str_replace($node->__reference, "homeserverpool", $msg->getField());
+                        $result["validations"][$fieldnm] = $msg->getMessage();
+                    }
+                    if (count($result['validations']) == 0) {
+                        // save config if validated correctly
+                        $mdlSetting->serializeToConfig();
+                        Config::getInstance()->save();
+                        $result = array("result" => "saved");
+                    }
+                    return $result;
+                }
+            }
+        }
+        return array("result" => "failed");
+    }
+
+    public function toggleHomeserverpoolAction($uuid)
+    {
+        return $this->toggle_handler($uuid, 'homeserverpools', 'homeserverpool');
+    }
+}
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/ProxyController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/ProxyController.php
new file mode 100644
index 0000000000..a117df2438
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/ProxyController.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ *  Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ *  All rights reserved.
+ *
+ *  Redistribution and use in source and binary forms, with or without
+ *  modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Freeradius;
+
+class ProxyController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->formDialogEditFreeRADIUSHomeserver = $this->getForm("dialogEditFreeRADIUSHomeserver");
+        $this->view->formDialogEditFreeRADIUSHomeserverpool = $this->getForm("dialogEditFreeRADIUSHomeserverpool");
+        $this->view->formDialogEditFreeRADIUSRealm = $this->getForm("dialogEditFreeRADIUSRealm");
+        $this->view->pick('OPNsense/Freeradius/proxy');
+    }
+}
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml
new file mode 100644
index 0000000000..dc4db86806
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml
@@ -0,0 +1,140 @@
+<form>
+    <field>
+        <id>homeserver.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the homeserver setting.</help>
+    </field>
+    <field>
+        <id>homeserver.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Set the name of Home Server.</help>
+    </field>
+    <field>
+        <id>homeserver.type</id>
+        <label>Type</label>
+        <type>dropdown</type>
+        <help>Set type of auth.</help>
+    </field>
+    <field>
+        <id>homeserver.addresstype</id>
+        <label>Address Type</label>
+        <type>dropdown</type>
+        <help>Set type of address</help>
+    </field>
+    <field>
+        <id>homeserver.ipaddr</id>
+        <label>IP Address</label>
+        <type>text</type>
+        <help>Set the ip address.</help>
+    </field>
+    <field>
+        <id>homeserver.ipaddr6</id>
+        <label>IP Address v6</label>
+        <type>text</type>
+        <help>Set the ip v6 address.</help>
+    </field>
+    <field>
+        <id>homeserver.virtualserver</id>
+        <label>Virtual Server</label>
+        <type>text</type>
+        <help>Set the virtual server address.</help>
+    </field>
+    <field>
+        <id>homeserver.port</id>
+        <label>Port</label>
+        <type>text</type>
+        <help>Set the port</help>
+    </field>
+    <field>
+        <id>homeserver.proto</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help>Set the protocol</help>
+    </field>
+    <field>
+        <id>homeserver.secret</id>
+        <label>Secret</label>
+        <type>password</type>
+        <help>Set the secret</help>
+    </field>
+    <field>
+        <id>homeserver.sourceip</id>
+        <label>Source IP Address</label>
+        <type>text</type>
+        <help>Source IP Address</help>
+    </field>
+    <field>
+        <id>homeserver.response_window</id>
+        <label>Response Window</label>
+        <type>text</type>
+        <help>Response Window from 5 to 60</help>
+    </field>
+    <field>
+        <id>homeserver.no_response_fail</id>
+        <label>No Response Fail</label>
+        <type>checkbox</type>
+        <help>No Response Fail</help>
+    </field>
+    <field>
+        <id>homeserver.zombieperiod</id>
+        <label>Zombie Period</label>
+        <type>text</type>
+        <help>Zombie Period from 20 to 120</help>
+    </field>
+    <field>
+        <id>homeserver.reviveinterval</id>
+        <label>Revive Interval</label>
+        <type>text</type>
+        <help>Revive interval from 60 to 3600</help>
+    </field>
+    <field>
+        <id>homeserver.statuscheck</id>
+        <label>Status Check</label>
+        <type>dropdown</type>
+        <help>Status Check</help>
+    </field>
+    <field>
+        <id>homeserver.checkinterval</id>
+        <label>Check Interval</label>
+        <type>text</type>
+        <help>Check Interval from 6 to 120</help>
+    </field>
+    <field>
+        <id>homeserver.numanswersalive</id>
+        <label>Num answers to alive</label>
+        <type>text</type>
+        <help>number of status checks in a row that the home server needs to respond to before it is marked alive. From 3 to 10</help>
+    </field>
+    <field>
+        <id>homeserver.max_outstanding</id>
+        <label>Max Outstanding</label>
+        <type>text</type>
+        <help>Limit the total number of outstanding packets to the home server.</help>
+    </field>
+    <field>
+        <id>homeserver.limit_maxconnections</id>
+        <label>Limit Max Connections</label>
+        <type>text</type>
+        <help>Limit the number of TCP connections to the home server. Setting this to 0 means "no limit".</help>
+    </field>
+    <field>
+        <id>homeserver.limit_maxrequests</id>
+        <label>Limit Max Requests</label>
+        <type>text</type>
+        <help>Limit the total number of requests sent over one TCP connection. Setting this to 0 means "no limit".</help>
+    </field>
+    <field>
+        <id>homeserver.limit_lifetime</id>
+        <label>Limit lifetime</label>
+        <type>text</type>
+        <help>The lifetime, in seconds, of a TCP connection. Setting this to 0 means "forever".</help>
+    </field>
+    <field>
+        <id>homeserver.limit_idletimeout</id>
+        <label>Limit Idle Timeout</label>
+        <type>text</type>
+        <help>The idle timeout, in seconds, of a TCP connection. Setting this to 0 means "no timeout".</help>
+    </field>
+</form>
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml
new file mode 100644
index 0000000000..b96dd32c44
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml
@@ -0,0 +1,40 @@
+<form>
+    <field>
+        <id>homeserverpool.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the home server pool.</help>
+    </field>
+    <field>
+        <id>homeserverpool.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Set the name of Home Server Pool</help>
+    </field>
+    <field>
+        <id>homeserverpool.type</id>
+        <label>Type</label>
+        <type>dropdown</type>
+        <help>Set the type of pool</help>
+    </field>
+    <field>
+        <id>homeserverpool.virtualserver</id>
+        <label>Virtual Server</label>
+        <type>text</type>
+        <help>A virtual_server may be specified here.</help>
+    </field>
+    <field>
+        <id>homeserverpool.homeservers</id>
+        <label>Home Servers</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>The home servers.</help>
+    </field>
+    <field>
+        <id>homeserverpool.fallback</id>
+        <label>Fallback</label>
+        <type>text</type>
+        <help>If ALL home servers are dead, then this "fallback" home server is used.</help>
+    </field>
+</form>
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml
new file mode 100644
index 0000000000..5a682b5430
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml
@@ -0,0 +1,32 @@
+<form>
+    <field>
+        <id>realm.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the proxy config.</help>
+    </field>
+    <field>
+        <id>realm.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Set the name of Realm</help>
+    </field>
+    <field>
+        <id>realm.auth_pool</id>
+        <label>Authentication Pool</label>
+        <type>text</type>
+        <help>Should point to a "home_server_pool" that was defined.</help>
+    </field>
+    <field>
+        <id>realm.acct_pool</id>
+        <label>Accounting Pool</label>
+        <type>text</type>
+        <help>If used, should point to a "home_server_pool" that was defined.</help>
+    </field>
+    <field>
+        <id>realm.nostrip</id>
+        <label>No Strip</label>
+        <type>checkbox</type>
+        <help>Normally, when an incoming User-Name is matched against the realm, the realm name is "stripped" off, and the "stripped" user name is used to perform matches.</help>
+    </field>
+</form>
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
index c97af703e6..13272db6f0 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
@@ -145,4 +145,11 @@
         <advanced>true</advanced>
         <help>Set database name of remote MySQL server.</help>
     </field>
+    <field>
+        <id>general.fallbackproxy</id>
+        <label>Default Fallback Proxy</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Fallback for proxy server. Default disabled.</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
index be7d1affd1..46bbb3613c 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
@@ -65,4 +65,4 @@
         <type>text</type>
         <help>Filter for group objects, should match all available group objects a user might be a member of.</help>
     </field>
-</form>
+</form>
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
index a0aa117928..49590e8f78 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
@@ -148,5 +148,9 @@
             <default>radius</default>
             <Required>Y</Required>
         </mysqldb>
+        <fallbackproxy type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </fallbackproxy>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
index 0ee417c475..7ca43fdba5 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
@@ -48,4 +48,4 @@
             <Required>N</Required>
         </group_filter>
     </items>
-</model>
+</model>
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
index ac28507446..979d54e3ef 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
@@ -8,6 +8,11 @@
       <Lease VisibleName="DHCP Leases" url="/ui/freeradius/lease/index" order="36"/>
       <EAP url="/ui/freeradius/eap/index" order="40"/>
       <LDAP url="/ui/freeradius/ldap/index" order="50"/>
+	  <Proxy url="/ui/freeradius/proxy/index" order="60">
+        <Homeservers url="/ui/freeradius#homeservers"/>
+        <Homeserverpools url="/ui/freeradius#homeserverpools"/>
+        <Realms url="/ui/freeradius#realms"/>
+      </Proxy>
       <LogFile VisibleName="Log File" order="80" url="/ui/diagnostics/log/core/radius"/>
     </FreeRADIUS>
   </Services>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php
new file mode 100644
index 0000000000..40ccc778b2
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace OPNsense\Freeradius;
+
+use OPNsense\Base\BaseModel;
+use OPNsense\Core\Backend;
+
+
+class Proxy extends BaseModel
+{
+    /**
+     * check if module is enabled
+     * @return bool is the ZabbixAgent service enabled
+     */
+    public function isEnabled()
+    {
+        if ((string)$this->settings->main->enabled === "1") {
+            return true;
+        }
+        return false;
+    }
+}
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
new file mode 100644
index 0000000000..9eddba73d6
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
@@ -0,0 +1,191 @@
+<model>
+    <mount>//OPNsense/freeradius/proxy</mount>
+    <description>Proxy configuration</description>
+    <version>0.1</version>
+    <items>
+        <homeservers>
+            <homeserver type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                </name>
+                <type type="OptionField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <auth>auth</auth>
+                        <acct>acct</acct>
+                        <authacct>auth+acct</authacct>
+                        <coa>coa</coa>
+                    </OptionValues>
+                </type>
+                <addresstype type="OptionField">
+                    <default>ipv4</default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <ipv4>ipv4</ipv4>
+                        <ipv6>ipv6</ipv6>
+                        <virtual_server>virtual_server</virtual_server>
+                    </OptionValues>
+                </addresstype>
+                <ipaddr type="TextField">
+                    <default>172.0.0.1</default>
+                    <Required>N</Required>
+                </ipaddr>
+                <ipaddr6 type="TextField">
+                    <default>::1</default>
+                    <Required>N</Required>
+                </ipaddr6>
+                <virtualserver type="TextField">
+                    <default>foo</default>
+                    <Required>N</Required>
+                </virtualserver>
+                <port type="IntegerField">
+                    <default>1812</default>
+                    <Required>Y</Required>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                </port>
+                <proto type="OptionField">
+                    <default>udp</default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <udp>udp</udp>
+                        <tcp>tcp</tcp>
+                    </OptionValues>
+                </proto>
+                <secret type="TextField">
+                    <default>testing123</default>
+                    <Required>N</Required>
+                </secret>
+                <sourceip type="TextField">
+                    <Required>N</Required>
+                </sourceip>
+                <response_window type="IntegerField">
+                    <default>20</default>
+                    <Required>Y</Required>
+                    <MinimumValue>5</MinimumValue>
+                    <MaximumValue>60</MaximumValue>
+                </response_window>
+                <no_response_fail type="BooleanField">
+                    <Required>N</Required>
+                </no_response_fail>
+                <zombieperiod type="IntegerField">
+                    <default>40</default>
+                    <Required>Y</Required>
+                    <MinimumValue>20</MinimumValue>
+                    <MaximumValue>120</MaximumValue>
+                </zombieperiod>
+                <reviveinterval type="IntegerField">
+                    <default>120</default>
+                    <Required>Y</Required>
+                    <MinimumValue>60</MinimumValue>
+                    <MaximumValue>3600</MaximumValue>
+                </reviveinterval>
+                <statuscheck type="OptionField">
+                    <default>status-server</default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <none>none</none>
+                        <status-server>status-server</status-server>
+                        <request>request</request>
+                    </OptionValues>
+                </statuscheck>
+                <checkinterval type="IntegerField">
+                    <default>30</default>
+                    <Required>Y</Required>
+                    <MinimumValue>6</MinimumValue>
+                    <MaximumValue>120</MaximumValue>
+                </checkinterval>
+                <numanswersalive type="IntegerField">
+                    <default>3</default>
+                    <Required>Y</Required>
+                    <MinimumValue>3</MinimumValue>
+                    <MaximumValue>10</MaximumValue>
+                </numanswersalive>
+                <max_outstanding type="IntegerField">
+                    <default>65536</default>
+                    <Required>Y</Required>
+                </max_outstanding>
+                <limit_maxconnections type="IntegerField">
+                    <default>16</default>
+                    <Required>Y</Required>
+                </limit_maxconnections>
+                <limit_maxrequests type="IntegerField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </limit_maxrequests>
+                <limit_lifetime type="IntegerField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </limit_lifetime>
+                <limit_idletimeout type="IntegerField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </limit_idletimeout>
+            </homeserver>
+         </homeservers>
+        <homeserverpools>
+            <homeserverpool type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                </name>
+                <type type="OptionField">
+                    <default>fail-over</default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <fail-over>fail-over</fail-over>
+                        <load-balance>load-balance</load-balance>
+                        <client-balance>client-balance</client-balance>
+                        <client-port-balance>client-port-balance</client-port-balance>
+                        <keyed-balance>keyed-balance</keyed-balance>
+                    </OptionValues>
+                </type>
+                <virtualserver type="TextField">
+                    <Required>N</Required>
+                </virtualserver>
+                <homeservers type="CSVListField">
+                    <default>localhost</default>
+                    <Required>Y</Required>
+                    <multiple>Y</multiple>
+                    <mask>/^([a-zA-Z0-9\.:\[\]\-\/]*?,)*([a-zA-Z0-9\.:\[\]\-\/]*)$/</mask>
+                    <ChangeCase>lower</ChangeCase>
+                    <ValidationMessage>Please provide valid server addresses, i.e. radius.example.com, 10.0.0.2 or 10.0.0.0/24.</ValidationMessage>
+                </homeservers>
+                <fallback type="TextField">
+                    <default></default>
+                    <Required>N</Required>
+                </fallback>
+            </homeserverpool>
+         </homeserverpools>
+        <realms>
+            <realm type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                </name>
+                <auth_pool type="TextField">
+                    <default></default>
+                    <Required>N</Required>
+                </auth_pool>
+                <acct_pool type="TextField">
+                    <default></default>
+                    <Required>N</Required>
+                </acct_pool>
+                <nostrip type="BooleanField">
+                    <Required>N</Required>
+                </nostrip>
+            </realm>
+        </realms>
+    </items>
+</model>
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
new file mode 100644
index 0000000000..a68126faf3
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
@@ -0,0 +1,237 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2016 by Deciso B.V.
+Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+$( document ).ready(function() {
+    var data_get_map = {'frm_zabbixagent':"/api/freeradius/proxy/get"};
+
+    // load initial data
+    mapDataToFormUI(data_get_map).done(function(){
+        formatTokenizersUI();
+        $('.selectpicker').selectpicker('refresh');
+        updateServiceControlUI('freeradius');
+    });
+
+        /*************************************************************************************************************
+         * link grid actions
+         *************************************************************************************************************/
+
+        $("#grid-homeservers").UIBootgrid(
+            {   'search':'/api/freeradius/proxy/searchHomeserver',
+                'get':'/api/freeradius/proxy/getHomeserver/',
+                'set':'/api/freeradius/proxy/setHomeserver/',
+                'add':'/api/freeradius/proxy/addHomeserver/',
+                'del':'/api/freeradius/proxy/delHomeserver/',
+                'toggle':'/api/freeradius/proxy/toggleHomeserver/',
+            options: {
+                rowCount:[10,25,50,100,500,1000]
+                }
+            }
+        );
+        $("#grid-homeserverpools").UIBootgrid(
+            {   'search':'/api/freeradius/proxy/searchHomeserverpool',
+                'get':'/api/freeradius/proxy/getHomeserverpool/',
+                'set':'/api/freeradius/proxy/setHomeserverpool/',
+                'add':'/api/freeradius/proxy/addHomeserverpool/',
+                'del':'/api/freeradius/proxy/delHomeserverpool/',
+                'toggle':'/api/freeradius/proxy/toggleHomeserverpool/',
+            options: {
+                rowCount:[10,25,50,100,500,1000]
+                }
+            }
+        );
+        $("#grid-realms").UIBootgrid(
+            {   'search':'/api/freeradius/proxy/searchRealm',
+                'get':'/api/freeradius/proxy/getRealm/',
+                'set':'/api/freeradius/proxy/setRealm/',
+                'add':'/api/freeradius/proxy/addRealm/',
+                'del':'/api/freeradius/proxy/delRealm/',
+                'toggle':'/api/freeradius/proxy/toggleRealm/',
+            options: {
+                rowCount:[10,25,50,100,500,1000]
+                }
+            }
+        );
+
+        /*************************************************************************************************************
+         * Commands
+         *************************************************************************************************************/
+
+    // form save event handlers for all defined forms
+    $('[id*="save_"]').each(function(){
+        $(this).click(function(){
+            var frm_id = $(this).closest("form").attr("id");
+            var frm_title = $(this).closest("form").attr("data-title");
+
+            // save data for tab
+            saveFormToEndpoint(url="/api/freeradius/proxy/set",formid=frm_id,callback_ok=function(){
+                // set progress animation when reloading
+                $("#"+frm_id+"_progress").addClass("fa fa-spinner fa-pulse");
+
+                // on correct save, perform restart
+                ajaxCall(url="/api/freeradius/proxy/reconfigure", sendData={}, callback=function(data,status){
+                    // when done, disable progress animation.
+                    $("#"+frm_id+"_progress").removeClass("fa fa-spinner fa-pulse");
+
+                    if (status != "success" || data['status'] != 'ok' ) {
+                        // fix error handling
+                        BootstrapDialog.show({
+                            type:BootstrapDialog.TYPE_WARNING,
+                            title: frm_title,
+                            message: JSON.stringify(data),
+                            draggable: true
+                        });
+                    } else {
+                        updateServiceControlUI('freeradius');
+                    }
+                    // when done, disable progress animation.
+                    $("#"+frm_id+"_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+    });
+
+        /**
+         * Reconfigure
+         */
+        $("#reconfigureAct").click(function(){
+            $("#reconfigureAct_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url="/api/freeradius/service/reconfigure", sendData={}, callback=function(data,status) {
+                // when done, disable progress animation.
+                $("#reconfigureAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('freeradius');
+                if (status != "success" || data['status'] != 'ok') {
+                    BootstrapDialog.show({
+                        type: BootstrapDialog.TYPE_WARNING,
+                        title: "{{ lang._('Error reconfiguring FreeRADIUS') }}",
+                        message: data['status'],
+                        draggable: true
+                    });
+                } else {
+                    ajaxCall(url="/api/freeradius/service/reconfigure", sendData={});
+                }
+            });
+        });
+    });
+</script>
+
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+            <li class= "active"><a data-toggle="tab" id="homeservers-tab" href="#homeservers">{{ lang._('Home Servers') }}</a></li>
+            <li><a data-toggle="tab" id="homeserverpools-tab" href="#homeserverpools">{{ lang._('Home Servers Pool') }}</a></li>
+            <li><a data-toggle="tab" id="realms-tab" href="#realms">{{ lang._('Realms') }}</a></li>
+</ul>
+
+<div class="content-box tab-content col-xs-12 __mb">
+    {# manually add tab content #}
+    <div id="homeservers" class="tab-pane fade in active">
+        <!-- tab page "homeservers" -->
+        <table id="grid-homeservers" class="table table-condensed table-hover table-striped" data-editDialog="dialogEditFreeRADIUSHomeserver" data-editAlert="OverrideChangeMessage">
+            <thead>
+            <tr>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+                <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+    <div id="homeserverpools" class="tab-pane fade in">
+        <!-- tab page "homeserverpools" -->
+        <table id="grid-homeserverpools" class="table table-condensed table-hover table-striped" data-editDialog="dialogEditFreeRADIUSHomeserverpool"  data-editAlert="OverrideChangeMessage">
+            <thead>
+            <tr>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                <th data-column-id="type" data-type="dropdown">{{ lang._('Type') }}</th>
+                <th data-column-id="virtualserver" data-type="string">{{ lang._('Virtual Server') }}</th>       
+                <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+        </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>        
+
+    <div id="realms" class="tab-pane fade in">
+        <!-- tab page "realms" -->
+        <table id="grid-realms" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="dialogEditFreeRADIUSRealm"  data-editAlert="OverrideChangeMessage">
+            <thead>
+            <tr>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
+                <th data-column-id="auth_pool" data-type="string" data-visible="true">{{ lang._('Authentication Pool') }}</th>
+                <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+</div>
+<div class="col-md-12">
+        <hr/>
+        <button class="btn btn-primary" id="reconfigureAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="reconfigureAct_progress" class=""></i></button>
+        <br/><br/>
+</div>
+
+{# include dialogs #}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSHomeserver,'id':'dialogEditFreeRADIUSHomeserver','label':lang._('Edit Homeservers')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSHomeserverpool,'id':'dialogEditFreeRADIUSHomeserverpool','label':lang._('Edit Homeserverpools')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSRealm,'id':'dialogEditFreeRADIUSRealm','label':lang._('Edit Realms')])}}
\ No newline at end of file
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
index 815e084f25..6d14b91c8f 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/+TARGETS
@@ -1,4 +1,5 @@
 clients.conf:/usr/local/etc/raddb/clients.conf
+proxy.conf:/usr/local/etc/raddb/proxy.conf
 dictionary:/usr/local/etc/raddb/dictionary
 mac2ip:/usr/local/etc/raddb/mods-config/passwd/mac2ip
 mods-enabled-counter:/usr/local/etc/raddb/mods-enabled/counter
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/proxy.conf b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/proxy.conf
new file mode 100644
index 0000000000..51234474fb
--- /dev/null
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/proxy.conf
@@ -0,0 +1,126 @@
+proxy server {
+{% if helpers.exists('OPNsense.freeradius.general.fallbackproxy') and OPNsense.freeradius.general.fallbackproxy == '1' %}
+        default_fallback = yes
+{% else %}
+        default_fallback = no
+{% endif %}
+}
+{% if helpers.exists('OPNsense.freeradius.proxy.homeservers.homeserver') %}
+{%   for homeserver_list in helpers.toList('OPNsense.freeradius.proxy.homeservers.homeserver') %}
+{%     if homeserver_list.enabled == '1' %}
+home_server {{ homeserver_list.name }} {
+        type = {{ homeserver_list.type }}
+{%         if homeserver_list.addresstype == 'ipv4' %}
+        ipaddr = {{ homeserver_list.ipaddr }}
+{%         endif %}
+{%         if homeserver_list.addresstype == 'ipv6' %}
+        ipv6addr = {{ homeserver_list.ipaddr6 }}
+{%         endif %}
+{%         if homeserver_list.addresstype == 'virtual_server' %}
+        virtual_server = {{ homeserver_list.virtualserver }}
+{%         endif %}
+        port = {{ homeserver_list.port }}
+        proto = {{ homeserver_list.proto }}
+        secret = {{ homeserver_list.secret }}
+{%         if homeserver_list.sourceip != '' %}
+        src_ipaddr = {{ homeserver_list.sourceip }}
+{%         endif %}
+        response_window = {{ homeserver_list.response_window }}
+{%         if homeserver_list.no_response_fail == '1' %}
+        no_response_fail = yes
+{%         else %}
+        no_response_fail = no
+{%         endif %}
+        zombie_period = {{ homeserver_list.zombieperiod }}
+        revive_interval = {{ homeserver_list.reviveinterval }}
+        status_check = {{ homeserver_list.statuscheck }}
+        check_interval = {{ homeserver_list.checkinterval }}
+        num_answers_to_alive = {{ homeserver_list.numanswersalive }}
+        max_outstanding = {{ homeserver_list.max_outstanding }}
+        coa {
+                irt = 2
+                mrt = 16
+                mrc = 5
+                mrd = 30
+        }
+        limit {
+              max_connections = {{ homeserver_list.limit_maxconnections }}
+              max_requests = {{ homeserver_list.limit_maxrequests }}
+              lifetime = {{ homeserver_list.limit_lifetime }}
+              idle_timeout = {{ homeserver_list.limit_idletimeout }}
+        }
+}
+{%     endif %}
+{%   endfor %}
+{% else %}
+home_server localhost {
+        type = auth
+        ipaddr = 127.0.0.1
+        port = 1812
+        secret = testing123
+        response_window = 20
+        zombie_period = 40
+        revive_interval = 120
+        status_check = status-server
+        check_interval = 30
+        num_answers_to_alive = 3
+        max_outstanding = 65536
+        coa {
+                irt = 2
+                mrt = 16
+                mrc = 5
+                mrd = 30
+        }
+        limit {
+              max_connections = 16
+              max_requests = 0
+              lifetime = 0
+              idle_timeout = 0
+        }
+}
+{% endif %}
+{% if helpers.exists('OPNsense.freeradius.proxy.homeserverpools.homeserverpool') %}
+{%   for homeserverpool_list in helpers.toList('OPNsense.freeradius.proxy.homeserverpools.homeserverpool') %}
+{%     if homeserverpool_list.enabled == '1' %}
+home_server_pool {{ homeserverpool_list.name }} {
+        type = {{ homeserverpool_list.type }}
+{%         if homeserverpool_list.virtualserver != '' %}
+        virtual_server = {{ homeserverpool_list.virtualserver }}
+{%         endif %}
+{%       if homeserverpool_list.homeservers is defined %}
+{%         for network in homeserverpool_list.homeservers.split(',') %}
+        home_server = {{ network }}
+{%         endfor %}
+{%       endif %}
+{%         if homeserverpool_list.fallback is defined %}
+        fallback = {{ homeserverpool_list.fallback }}
+{%         endif %}
+}
+{%     endif %}
+{%   endfor %}
+{% else %}
+home_server_pool my_auth_failover {
+        type = fail-over
+        home_server = localhost
+}
+{% endif %}
+{% if helpers.exists('OPNsense.freeradius.proxy.realms.realm') %}
+{%   for realm_list in helpers.toList('OPNsense.freeradius.proxy.realms.realm') %}
+{%     if realm_list.enabled == '1' %}
+realm {{ realm_list.name }} {
+{%         if realm_list.auth_pool is defined %}
+	auth_pool = {{ realm_list.auth_pool }}
+{%         endif %}
+{%         if realm_list.acct_pool is defined %}
+        acct_pool = {{ realm_list.acct_pool }}
+{%         endif %}
+{%         if realm_list.nostrip == '1' %}
+        nostrip
+{%         endif %}
+}
+{%     endif %}
+{%   endfor %}
+{% else %}
+realm LOCAL {
+}
+{% endif %}
\ No newline at end of file

From 83ef7e06879f2fc0b7b00c309a262b9057afa7c6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Nov 2022 08:55:50 +0100
Subject: [PATCH 1274/3088] net/freeradius: style updates

---
 net/freeradius/Makefile                                     | 2 +-
 net/freeradius/pkg-descr                                    | 1 +
 .../controllers/OPNsense/Freeradius/Api/ProxyController.php | 2 +-
 .../app/controllers/OPNsense/Freeradius/ProxyController.php | 2 +-
 .../Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml     | 2 +-
 .../Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml | 2 +-
 .../OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml | 2 +-
 .../mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml  | 2 +-
 .../opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml    | 2 +-
 .../mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml        | 2 +-
 .../opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php   | 3 +--
 .../opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml   | 2 +-
 .../opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt   | 6 +++---
 .../service/templates/OPNsense/Freeradius/proxy.conf        | 2 +-
 14 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 0d9e54433c..0d7330d4fb 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -4,4 +4,4 @@ PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
-.include "../../Mk/plugins.mk"
\ No newline at end of file
+.include "../../Mk/plugins.mk"
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 98dabe097a..beae3fa10f 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -14,6 +14,7 @@ The server is fast, feature-rich, modular, and scalable.
 
 Plugin Changelog
 ================
+
 1.9.22
 
 * Add Proxy configuration page: HomeServer, HomeServerPool, Realm
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
index 24baa94c6d..d19ac612b7 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
@@ -406,4 +406,4 @@ public function toggleHomeserverpoolAction($uuid)
     {
         return $this->toggle_handler($uuid, 'homeserverpools', 'homeserverpool');
     }
-}
\ No newline at end of file
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/ProxyController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/ProxyController.php
index a117df2438..0c359a0ace 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/ProxyController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/ProxyController.php
@@ -37,4 +37,4 @@ public function indexAction()
         $this->view->formDialogEditFreeRADIUSRealm = $this->getForm("dialogEditFreeRADIUSRealm");
         $this->view->pick('OPNsense/Freeradius/proxy');
     }
-}
\ No newline at end of file
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml
index dc4db86806..0d73339efb 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserver.xml
@@ -137,4 +137,4 @@
         <type>text</type>
         <help>The idle timeout, in seconds, of a TCP connection. Setting this to 0 means "no timeout".</help>
     </field>
-</form>
\ No newline at end of file
+</form>
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml
index b96dd32c44..86f8ebac7d 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSHomeserverpool.xml
@@ -37,4 +37,4 @@
         <type>text</type>
         <help>If ALL home servers are dead, then this "fallback" home server is used.</help>
     </field>
-</form>
\ No newline at end of file
+</form>
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml
index 5a682b5430..1e829d4890 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSRealm.xml
@@ -29,4 +29,4 @@
         <type>checkbox</type>
         <help>Normally, when an incoming User-Name is matched against the realm, the realm name is "stripped" off, and the "stripped" user name is used to perform matches.</help>
     </field>
-</form>
\ No newline at end of file
+</form>
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
index 46bbb3613c..be7d1affd1 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/ldap.xml
@@ -65,4 +65,4 @@
         <type>text</type>
         <help>Filter for group objects, should match all available group objects a user might be a member of.</help>
     </field>
-</form>
\ No newline at end of file
+</form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
index 7ca43fdba5..0ee417c475 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
@@ -48,4 +48,4 @@
             <Required>N</Required>
         </group_filter>
     </items>
-</model>
\ No newline at end of file
+</model>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
index 979d54e3ef..d74274127d 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
@@ -8,7 +8,7 @@
       <Lease VisibleName="DHCP Leases" url="/ui/freeradius/lease/index" order="36"/>
       <EAP url="/ui/freeradius/eap/index" order="40"/>
       <LDAP url="/ui/freeradius/ldap/index" order="50"/>
-	  <Proxy url="/ui/freeradius/proxy/index" order="60">
+      <Proxy url="/ui/freeradius/proxy/index" order="60">
         <Homeservers url="/ui/freeradius#homeservers"/>
         <Homeserverpools url="/ui/freeradius#homeserverpools"/>
         <Realms url="/ui/freeradius#realms"/>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php
index 40ccc778b2..84b6570a7f 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.php
@@ -5,7 +5,6 @@
 use OPNsense\Base\BaseModel;
 use OPNsense\Core\Backend;
 
-
 class Proxy extends BaseModel
 {
     /**
@@ -19,4 +18,4 @@ public function isEnabled()
         }
         return false;
     }
-}
\ No newline at end of file
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
index 9eddba73d6..14256fc174 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
@@ -188,4 +188,4 @@
             </realm>
         </realms>
     </items>
-</model>
\ No newline at end of file
+</model>
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
index a68126faf3..a4bf2d1984 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
@@ -182,7 +182,7 @@ $( document ).ready(function() {
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="type" data-type="dropdown">{{ lang._('Type') }}</th>
-                <th data-column-id="virtualserver" data-type="string">{{ lang._('Virtual Server') }}</th>       
+                <th data-column-id="virtualserver" data-type="string">{{ lang._('Virtual Server') }}</th>
                 <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
         </tr>
             </thead>
@@ -198,7 +198,7 @@ $( document ).ready(function() {
             </tr>
             </tfoot>
         </table>
-    </div>        
+    </div>
 
     <div id="realms" class="tab-pane fade in">
         <!-- tab page "realms" -->
@@ -234,4 +234,4 @@ $( document ).ready(function() {
 {# include dialogs #}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSHomeserver,'id':'dialogEditFreeRADIUSHomeserver','label':lang._('Edit Homeservers')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSHomeserverpool,'id':'dialogEditFreeRADIUSHomeserverpool','label':lang._('Edit Homeserverpools')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSRealm,'id':'dialogEditFreeRADIUSRealm','label':lang._('Edit Realms')])}}
\ No newline at end of file
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSRealm,'id':'dialogEditFreeRADIUSRealm','label':lang._('Edit Realms')])}}
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/proxy.conf b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/proxy.conf
index 51234474fb..770129bcb4 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/proxy.conf
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/proxy.conf
@@ -123,4 +123,4 @@ realm {{ realm_list.name }} {
 {% else %}
 realm LOCAL {
 }
-{% endif %}
\ No newline at end of file
+{% endif %}

From 07146fac0df7c52e1bb62da60761d862e6660407 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Nov 2022 15:42:31 +0100
Subject: [PATCH 1275/3088] net-mgmt/telegraf: bump version

---
 net-mgmt/telegraf/Makefile  | 2 +-
 net-mgmt/telegraf/pkg-descr | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 509109d366..733b7e9b47 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.6
+PLUGIN_VERSION=		1.12.7
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 9f80fd1b24..8af2c6b71d 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -11,7 +11,8 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 
 Plugin Changelog
 ================
-1.12.6
+
+1.12.7
 
 * Add Influx v2 flush timeout
 

From 005b59f4105d82f39ea0caf178450cdd60591d35 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Nov 2022 15:45:38 +0100
Subject: [PATCH 1276/3088] www/nginx: bump version

---
 www/nginx/Makefile  | 2 +-
 www/nginx/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 19196a7191..061ff42aa0 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.30
+PLUGIN_VERSION=		1.31
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index eb92afd423..2633ad5d64 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.31
+
+* Allow dynamic proxy_ssl_name (contributed by Mike Reiche)
+
 1.30
 
 * add support for autoblock TTL

From 9e4a782e3fd91ef36067c2f879bba77d3c784122 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 16 Nov 2022 14:36:56 +0100
Subject: [PATCH 1277/3088] dns/bind: update base to 9.18 (#3192)

---
 dns/bind/Makefile  | 5 ++---
 dns/bind/pkg-descr | 4 ++++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index a65ef23a52..f128980f24 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.24
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.25
 PLUGIN_COMMENT=		BIND domain name service
-PLUGIN_DEPENDS=		bind916
+PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 57a8283f3c..4091c536b0 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -9,6 +9,10 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.25
+
+* Update base to BIND 9.18
+
 1.24
 
 * Separate tables for master and slave zones in UI (contributed by Patrick M. Hausen and Manuel Faux)

From cfe0d0fa0202dcec640b4ed8a632b68d6101bfb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Mon, 21 Nov 2022 08:03:03 +0100
Subject: [PATCH 1278/3088] Vicuna - Cicada color fixes (#3195)

some color fixes for .bootstrap-tagsinput; .table-custom-categories;router-view;.btn-info
---
 misc/theme-cicada/Makefile                    |  2 +-
 .../cicada/assets/stylesheets/main.scss       | 32 +++++++++++++++----
 .../www/themes/cicada/build/css/main.css      | 26 ++++++++++++---
 misc/theme-vicuna/Makefile                    |  2 +-
 .../vicuna/assets/stylesheets/main.scss       | 32 +++++++++++++++----
 .../www/themes/vicuna/build/css/main.css      | 26 ++++++++++++---
 6 files changed, 98 insertions(+), 22 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 28029063c3..668561137e 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.29
+PLUGIN_VERSION=		1.30
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index 87ccc9c4cb..c9c4592918 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -4998,20 +4998,20 @@ fieldset[disabled] .btn-success {
 
 .btn-info {
   color: #fff;
-  background-color: #B0CDDB;
-  border-color: #9ec2d3;
+  background-color: #00370b;
+  border-color: #191919;
 
   &:hover, &:focus, &:active, &.active {
     color: #fff;
-    background-color: #8db7cb;
-    border-color: #74a7c0;
+    background-color: #dd630d;
+    border-color: #191919;
   }
 }
 
 .open > .btn-info.dropdown-toggle {
   color: #fff;
-  background-color: #8db7cb;
-  border-color: #74a7c0;
+  background-color: #dd630d;
+  border-color: #191919;
 }
 
 .btn-info {
@@ -10663,3 +10663,23 @@ ul.jqtree-tree {
 #reports-tab {
   border-bottom: 1px solid #191919;
 }
+
+router-view {
+  .text-success.m-r-5 {
+    font-weight: bold;
+    color: #fff;
+  }
+
+  .text-danger.m-r-5 {
+    font-weight: bold;
+    color: #000;
+  }
+}
+
+.bootstrap-tagsinput {
+  border: 1px solid #191919 !important;
+}
+
+.table-custom-categories {
+  border: 1px solid #181818 !important;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index cb62c354f5..dccc1cee41 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -3013,12 +3013,12 @@ select[multiple].input-lg,
 
 .btn-info {
   color: #fff;
-  background-color: #B0CDDB;
-  border-color: #9ec2d3; }
+  background-color: #00370b;
+  border-color: #191919; }
   .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
     color: #fff;
-    background-color: #8db7cb;
-    border-color: #74a7c0; }
+    background-color: #dd630d;
+    border-color: #191919; }
 
   .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
     background-image: none; }
@@ -6637,3 +6637,21 @@ ul.jqtree-tree .jqtree-title {
 #reports-tab {
     border-bottom: 1px solid #191919;
 }
+
+router-view .text-success.m-r-5 {
+  font-weight: bold;
+  color: #fff;
+}
+
+router-view .text-danger.m-r-5 {
+  font-weight: bold;
+  color: #000;
+}
+
+.bootstrap-tagsinput {
+border: 1px solid #191919 !important;
+}
+
+.table-custom-categories {
+  border: 1px solid #181818 !important;
+}
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 65a1f27a3e..c776b682b8 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.41
+PLUGIN_VERSION=		1.42
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 10204d6e8b..e2dc9a6aca 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -5109,20 +5109,20 @@ fieldset[disabled] .btn-success {
 
 .btn-info {
   color: #fff;
-  background-color: #B0CDDB;
-  border-color: #9ec2d3;
+  background-color: #00370b;
+  border-color: #191919;
 
   &:hover, &:focus, &:active, &.active {
     color: #fff;
-    background-color: #8db7cb;
-    border-color: #74a7c0;
+    background-color: #dd630d;
+    border-color: #191919;
   }
 }
 
 .open > .btn-info.dropdown-toggle {
   color: #fff;
-  background-color: #8db7cb;
-  border-color: #74a7c0;
+  background-color: #dd630d;
+  border-color: #191919;
 }
 
 .btn-info {
@@ -10785,3 +10785,23 @@ ul.jqtree-tree {
 #reports-tab {
   border-bottom: 1px solid #191919;
 }
+
+router-view {
+  .text-success.m-r-5 {
+    font-weight: bold;
+    color: #fff;
+  }
+
+  .text-danger.m-r-5 {
+    font-weight: bold;
+    color: #000;
+  }
+}
+
+.bootstrap-tagsinput {
+  border: 1px solid #191919 !important;
+}
+
+.table-custom-categories {
+  border: 1px solid #181818 !important;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 523d5749d9..66345cd46c 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -2999,12 +2999,12 @@ select[multiple].input-lg,
 
 .btn-info {
   color: #fff;
-  background-color: #B0CDDB;
-  border-color: #9ec2d3; }
+  background-color: #00370b;
+  border-color: #191919; }
   .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
     color: #fff;
-    background-color: #8db7cb;
-    border-color: #74a7c0; }
+    background-color: #dd630d;
+    border-color: #191919; }
 
   .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
     background-image: none; }
@@ -6599,3 +6599,21 @@ ul.jqtree-tree .jqtree-title {
 #reports-tab {
     border-bottom: 1px solid #191919;
 }
+
+router-view .text-success.m-r-5 {
+  font-weight: bold;
+  color: #fff;
+}
+
+router-view .text-danger.m-r-5 {
+  font-weight: bold;
+  color: #000;
+}
+
+.bootstrap-tagsinput {
+border: 1px solid #191919 !important;
+}
+
+.table-custom-categories {
+  border: 1px solid #181818 !important;
+}

From e7e2c21a8cce6192426fc10d0d1718bd4cfcbab4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luca=20Sch=C3=B6neberg?= <luca-schoeneberg@outlook.com>
Date: Mon, 21 Nov 2022 08:07:51 +0100
Subject: [PATCH 1279/3088] dns/ddclient Add support for ddclient 3.10.0 dns
 provider (#3190)

Add 1984, ClouDNS, Dinahosting, DNSExit, DonDominio, Freemyip, godaddy, Hetzner, Key-Systems, NearlyFreeSpeech.NET, Njal.la(thanks to satrapes), sitelutions, woima and Yandex for ddclient 3.10.0.

I hope that is okay that I have taken the changes from #3129.
---
 dns/ddclient/pkg-descr                        | 18 ++++++++++++
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |  4 +--
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 28 ++++++++++++++-----
 .../templates/OPNsense/ddclient/ddclient.conf |  8 ++++++
 4 files changed, 49 insertions(+), 9 deletions(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 5ae4c86f76..1b392f36a3 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,24 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.10
+
+* Update to ddclient 3.10.0
+* Add 1984 support (contributed by Luca Schoeneberg)
+* Add ClouDNS support (contributed by Luca Schoeneberg)
+* Add Dinahosting support (contributed by Luca Schoeneberg)
+* Add DNSExit support (contributed by Luca Schoeneberg)
+* Add DonDominio support (contributed by Luca Schoeneberg)
+* Add Freemyip support (contributed by Luca Schoeneberg)
+* Add godaddy support (contributed by Luca Schoeneberg)
+* Add Hetzner support (contributed by Luca Schoeneberg)
+* Add Key-Systems support (contributed by Luca Schoeneberg)
+* Add NearlyFreeSpeech.NET support (contributed by Luca Schoeneberg)
+* Add Njal.la support (contributed by satrapes)
+* Add sitelutions support (contributed by Luca Schoeneberg)
+* Add woima support (contributed by Luca Schoeneberg)
+* Add Yandex support (contributed by Luca Schoeneberg)
+
 1.9
 
 * Add icanhazip.com as a checkip provider (contributed by Matt Parnell)
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 8736374527..eadf4fe4c8 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -41,14 +41,14 @@
         <id>account.wildcard</id>
         <label>Wildcard</label>
         <type>checkbox</type>
-        <style>optional_setting service_dyndns2 service_easydns service_custom</style>
+        <style>optional_setting service_dyndns2 service_woima service_cloudflare service_easydns service_custom</style>
         <help>add a DNS wildcard CNAME record that points to the configured host.</help>
     </field>
     <field>
         <id>account.zone</id>
         <label>Zone</label>
         <type>text</type>
-        <style>optional_setting service_cloudflare</style>
+        <style>optional_setting service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner</style>
         <help>Zone containing the host entry.</help>
     </field>
     <field>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index bcee85f31d..b55c62be73 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -35,32 +35,46 @@
                     <Required>Y</Required>
                     <ValidationMessage>A service type is required.</ValidationMessage>
                     <OptionValues>
+                        <hosting1984>1984</hosting1984>
                         <changeip>Changeip</changeip>
                         <cloudflare>Cloudflare</cloudflare>
-                        <dnsmadeeasy>DNS Made Easy</dnsmadeeasy>
+                        <cloudns>ClouDNS</cloudns>
+                        <dinahosting>dinahosting</dinahosting>
+                        <dnsmadeeasy>DNS Made Easy (digicert)</dnsmadeeasy>
                         <dns-o-matic>DNS-O-Matic</dns-o-matic>
+                        <dnsexit>DNSExit</dnsexit>
                         <dyndns2>DynDNS.com</dyndns2>
                         <dnspark>DnsPark</dnspark>
-                        <dslreports1>DslReports</dslreports1>
-                        <duckdns>DuckDNS</duckdns>
+                        <dslreports1>DSLReports</dslreports1>
+                        <dondominio>DonDominio</dondominio>
+                        <duckdns>Duck DNS</duckdns>
                         <dynu>Dynu</dynu>
-                        <easydns>EasyDNS</easydns>
+                        <easydns>easyDNS</easydns>
                         <freedns>FreeDNS</freedns>
+                        <freemyip>freeMyIP</freemyip>
+                        <gandi>gandi.net</gandi>
+                        <godaddy>GoDaddy</godaddy>
                         <googledomains>Google</googledomains>
-                        <gandi>Gandi.net</gandi>
                         <he-net>HE.net</he-net>
                         <he-net-tunnel>HE.net TunnelBroker</he-net-tunnel>
+                        <hetzner>Hetzner DNS Console</hetzner>
                         <inwx>INWX</inwx>
+                        <keysystems>Key-Systems</keysystems>
                         <loopia>Loopia</loopia>
                         <namecheap>NameCheap</namecheap>
-                        <noip>Noip</noip>
+                        <nfsn>NearlyFreeSpeech.net</nfsn>
+                        <njalla>Njalla</njalla>
+                        <noip>no-ip</noip>
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
                         <nsupdatev6>nsupdate.info (IPv6)</nsupdatev6>
+                        <ovh>OVHcloud DynHost</ovh>
                         <servercow>Servercow</servercow>
+                        <sitelutions>Sitelutions</sitelutions>
                         <spdyn>spDYN</spdyn>
                         <strato>STRATO</strato>
+                        <woima>Woima</woima>
+                        <yandex>Yandex</yandex>
                         <zoneedit1>Zoneedit</zoneedit1>
-                        <ovh>OVH DynHost</ovh>
                         <custom>Custom</custom>
                     </OptionValues>
                 </service>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 89e6928cc8..290bc8ba76 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -40,6 +40,14 @@ server={{account.server}}, \
 {%      elif account.service == 'cloudflare' %}
 protocol=cloudflare, \
 zone={{account.zone}}, \
+{%      elif account.service == 'hosting1984' %}
+protocol=1984, \
+{%      elif account.service == 'godaddy' %}
+protocol=godaddy, \
+zone={{account.zone}}, \
+{%      elif account.service == 'hetzner' %}
+protocol=hetzner, \
+zone={{account.zone}}, \
 {%      elif account.service == 'dnsmadeeasy' %}
 protocol=dnsmadeeasy, \
 {%      elif account.service == 'dns-o-matic' %}

From 32cbd805f3a081683945476da614cfe6ecd91a21 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Nov 2022 08:08:33 +0100
Subject: [PATCH 1280/3088] dns/ddclient: change version

---
 dns/ddclient/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 3badaf93ce..5990af97ac 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.10
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 9228eea5c7cd0509ee0ec1d66ef06b828e61f084 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Nov 2022 13:12:11 +0100
Subject: [PATCH 1281/3088] plugins: bump plugins for logformat directory
 change (except net/freeradius)

---
 net-mgmt/zabbix-agent/Makefile | 2 +-
 net-mgmt/zabbix-proxy/Makefile | 2 +-
 security/acme-client/Makefile  | 1 +
 sysutils/puppet-agent/Makefile | 1 +
 4 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index e4fdef8cf5..696075de31 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_VARIANTS=	zabbix62 zabbix6 zabbix5
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index adf7ff2add..36d3ebd475 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix62 zabbix6 zabbix5 zabbix4
diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index ba4fa52e1c..a197fa68b4 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		3.14
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/sysutils/puppet-agent/Makefile b/sysutils/puppet-agent/Makefile
index 712b01e4fd..49d767c9d8 100644
--- a/sysutils/puppet-agent/Makefile
+++ b/sysutils/puppet-agent/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		puppet-agent
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Manage Puppet Agent
 PLUGIN_DEPENDS=		puppet7 py${PLUGIN_PYTHON}-opn-cli
 PLUGIN_MAINTAINER=	jan.wink93@gmail.com

From 0ea5f4c6e64b3cead014c01ac4cb0f01f8582060 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Nov 2022 11:05:03 +0100
Subject: [PATCH 1282/3088] net/wireguard: make kmod default for 23.1, add go
 package

Discussed with @mimugmail -- only needs proper service check for
kmod variant as that has no PID to latch on to.
---
 net/wireguard/Makefile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 3b8d3acfef..ec0622c2f7 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -2,7 +2,13 @@ PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service
-PLUGIN_DEPENDS=		wireguard-go wireguard-tools
+PLUGIN_DEPENDS=		wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_VARIANTS=	kmod go
+
+kmod_NAME=		wireguard
+
+go_NAME=		wireguard-go
+go_DEPENDS=		wireguard-go
 
 .include "../../Mk/plugins.mk"

From 2cdaf717b269329424e1b5de1376a1fec818882b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 25 Nov 2022 20:03:25 +0100
Subject: [PATCH 1283/3088] net/wireguard: try to start late once again for
 #3203

---
 net/wireguard/Makefile                                | 2 +-
 net/wireguard/src/etc/rc.syshook.d/start/50-wireguard | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index ec0622c2f7..78472879cb 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard b/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
index d322638f21..c5a419c73b 100755
--- a/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
+++ b/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
@@ -1,4 +1,7 @@
 #!/bin/sh
 
+# start again to fix problems with failed name resolution (no need to restart)
+/usr/local/etc/rc.d/wireguard start
+
 # reconfigure routing for wireguard
 /usr/local/etc/rc.routing_configure

From c09c8fbc0d6356d97c6cb22e8123b81a668570b4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 1 Dec 2022 11:33:40 +0100
Subject: [PATCH 1284/3088] net/wireguard: wireguard-kmod missing from kmod
 variant

---
 net/wireguard/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 78472879cb..d8d1c83451 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -7,6 +7,7 @@ PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	kmod go
 
 kmod_NAME=		wireguard
+kmod_DEPENDS=		wireguard-kmod
 
 go_NAME=		wireguard-go
 go_DEPENDS=		wireguard-go

From cf85f178827c762dc1d40b1892bdb4463128a027 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Fri, 2 Dec 2022 23:17:30 +0300
Subject: [PATCH 1285/3088] migrate to syslog-ng (#3208)

---
 security/clamav/Makefile                                  | 3 +--
 security/clamav/pkg-descr                                 | 5 +++++
 .../mvc/app/controllers/OPNsense/ClamAV/forms/general.xml | 8 +++++++-
 .../opnsense/mvc/app/models/OPNsense/ClamAV/ACL/ACL.xml   | 6 ++----
 .../opnsense/mvc/app/models/OPNsense/ClamAV/General.xml   | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml | 3 +--
 .../opnsense/service/templates/OPNsense/ClamAV/clamd.conf | 5 ++++-
 .../service/templates/OPNsense/ClamAV/freshclam.conf      | 2 +-
 .../service/templates/OPNsense/Syslog/local/clamd.conf    | 6 ++++++
 9 files changed, 31 insertions(+), 11 deletions(-)
 create mode 100644 security/clamav/src/opnsense/service/templates/OPNsense/Syslog/local/clamd.conf

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index 6daca4461b..9b5f206a33 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		clamav
-PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/clamav/pkg-descr b/security/clamav/pkg-descr
index e5066efc45..a601c42b35 100644
--- a/security/clamav/pkg-descr
+++ b/security/clamav/pkg-descr
@@ -9,6 +9,11 @@ database updates.
 Plugin Changelog
 ================
 
+1.8
+
+* Use syslog for logging
+* ClamAV verbose logging option added
+
 1.7
 
 * Allow addition of external signatures
diff --git a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
index 8f40db9bd9..0bc9d75bbf 100644
--- a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
+++ b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
@@ -159,11 +159,17 @@
         <type>text</type>
         <help>Number of files to be scanned within an archive, a document, or any other container file.</help>
     </field>
+    <field>
+        <id>general.logverbose</id>
+        <label>ClamAV log verbose</label>
+        <type>checkbox</type>
+        <help>Enable ClamAV verbose logging.</help>
+    </field>
     <field>
         <id>general.fc_logverbose</id>
         <label>Freshclam log verbose</label>
         <type>checkbox</type>
-        <help>Enable verbose logging.</help>
+        <help>Enable Freshclam verbose logging.</help>
     </field>
     <field>
         <id>general.fc_databasemirror</id>
diff --git a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/ACL/ACL.xml b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/ACL/ACL.xml
index 3ef9a83584..3299876ae1 100644
--- a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/ACL/ACL.xml
+++ b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/ACL/ACL.xml
@@ -4,10 +4,8 @@
       <patterns>
          <pattern>ui/clamav/*</pattern>
          <pattern>api/clamav/*</pattern>
-         <pattern>ui/diagnostics/log/clamav/clamd/*</pattern>
-         <pattern>api/diagnostics/log/clamav/clamd/*</pattern>
-         <pattern>ui/diagnostics/log/clamav/freshclam/*</pattern>
-         <pattern>api/diagnostics/log/clamav/freshclam/*</pattern>
+         <pattern>ui/diagnostics/log/core/clamd/*</pattern>
+         <pattern>api/diagnostics/log/core/clamd/*</pattern>
       </patterns>
    </page-services-clamav>
 </acl>
diff --git a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
index c3594eb8e0..4765e7b793 100644
--- a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
+++ b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
@@ -111,6 +111,10 @@
             <default>10000</default>
             <Required>N</Required>
 	</maxfiles>
+        <logverbose type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </logverbose>
         <fc_logverbose type="BooleanField">
             <default>0</default>
             <Required>N</Required>
diff --git a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml
index e10858f138..a66268fb69 100644
--- a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml
+++ b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml
@@ -2,8 +2,7 @@
     <Services>
         <ClamAV cssClass="fa fa-stethoscope">
             <Configuration order="10" url="/ui/clamav/general/index"/>
-            <LogFile VisibleName="Log / Clamd" order="20" url="/ui/diagnostics/log/clamav/clamd"/>
-            <LogFile VisibleName="Log / Freshclam" order="30" url="/ui/diagnostics/log/clamav/freshclam"/>
+            <LogFile VisibleName="Log" order="20" url="/ui/diagnostics/log/core/clamd"/>
         </ClamAV>
     </Services>
 </menu>
diff --git a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf
index 8d97d2bc71..88778b060d 100644
--- a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf
+++ b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf
@@ -1,6 +1,9 @@
 {% if helpers.exists('OPNsense.clamav.general.enabled') and OPNsense.clamav.general.enabled == '1' %}
-LogFile /var/log/clamav/clamd.log
 LogTime yes
+LogSyslog yes
+{%   if helpers.exists('OPNsense.clamav.general.logverbose') and OPNsense.clamav.general.logverbose == '1' %}
+LogVerbose yes
+{%   endif %}
 PidFile /var/run/clamav/clamd.pid
 DatabaseDirectory /var/db/clamav
 LocalSocket /var/run/clamav/clamd.sock
diff --git a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/freshclam.conf b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/freshclam.conf
index b2720128da..3bfd536c35 100644
--- a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/freshclam.conf
+++ b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/freshclam.conf
@@ -2,7 +2,7 @@
 
 
 DatabaseDirectory /var/db/clamav
-UpdateLogFile /var/log/clamav/freshclam.log
+LogSyslog yes
 
 LogTime yes
 {% if helpers.exists('OPNsense.clamav.general.fc_logverbose') and OPNsense.clamav.general.fc_logverbose == '1' %}
diff --git a/security/clamav/src/opnsense/service/templates/OPNsense/Syslog/local/clamd.conf b/security/clamav/src/opnsense/service/templates/OPNsense/Syslog/local/clamd.conf
new file mode 100644
index 0000000000..048381b2c5
--- /dev/null
+++ b/security/clamav/src/opnsense/service/templates/OPNsense/Syslog/local/clamd.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [clamd].
+###################################################################
+filter f_local_clamd {
+    program("clamd") or program("freshclam");
+};

From 544936f451760dc7191b73201c5507d90153a890 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sat, 3 Dec 2022 14:38:05 +0300
Subject: [PATCH 1286/3088] typo (#3209)

---
 .../src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml
index a66268fb69..273926ee6b 100644
--- a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml
+++ b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Menu/Menu.xml
@@ -2,7 +2,7 @@
     <Services>
         <ClamAV cssClass="fa fa-stethoscope">
             <Configuration order="10" url="/ui/clamav/general/index"/>
-            <LogFile VisibleName="Log" order="20" url="/ui/diagnostics/log/core/clamd"/>
+            <LogFile VisibleName="Log File" order="20" url="/ui/diagnostics/log/core/clamd"/>
         </ClamAV>
     </Services>
 </menu>

From 3d4205c74c657895fc8710310de77515d7c39e17 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 3 Dec 2022 14:36:11 +0100
Subject: [PATCH 1287/3088] net/wireguard: rearrange post-start duties #3206

---
 net/wireguard/Makefile                                |  2 +-
 net/wireguard/src/etc/rc.syshook.d/start/50-wireguard |  5 +----
 .../src/opnsense/scripts/OPNsense/Wireguard/post.sh   | 11 +++++++++++
 .../service/conf/actions.d/actions_wireguard.conf     |  4 ++--
 .../service/templates/OPNsense/Wireguard/wireguard    |  7 -------
 5 files changed, 15 insertions(+), 14 deletions(-)
 create mode 100755 net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/post.sh

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index d8d1c83451..bc605c893b 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard b/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
index c5a419c73b..78ab228040 100755
--- a/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
+++ b/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
@@ -1,7 +1,4 @@
 #!/bin/sh
 
 # start again to fix problems with failed name resolution (no need to restart)
-/usr/local/etc/rc.d/wireguard start
-
-# reconfigure routing for wireguard
-/usr/local/etc/rc.routing_configure
+configctl -dq wireguard start
diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/post.sh b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/post.sh
new file mode 100755
index 0000000000..375ca38359
--- /dev/null
+++ b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/post.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ -f /etc/rc.conf.d/wireguard ]; then
+	. /etc/rc.conf.d/wireguard
+fi
+
+for interface in ${wireguard_interfaces}; do
+	ifconfig ${interface} group wireguard
+done
+
+/usr/local/etc/rc.routing_configure
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 109f209aa9..b2b96828f2 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -1,5 +1,5 @@
 [start]
-command:/usr/local/etc/rc.d/wireguard start; /usr/local/etc/rc.routing_configure
+command:/usr/local/etc/rc.d/wireguard start; /usr/local/opnsense/scripts/OPNsense/Wireguard/post.sh
 parameters:
 type:script
 message:Starting WireGuard
@@ -11,7 +11,7 @@ type:script
 message:Stopping WireGuard
 
 [restart]
-command:/usr/local/etc/rc.d/wireguard restart; /usr/local/etc/rc.routing_configure
+command:/usr/local/etc/rc.d/wireguard restart; /usr/local/opnsense/scripts/OPNsense/Wireguard/post.sh
 parameters:
 type:script
 message:Restarting WireGuard
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
index 95627a5f4f..c4c12667a4 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
@@ -10,13 +10,6 @@ wireguard_enable="YES"
 {%     endfor %}
 {%   endif %}
 wireguard_interfaces="{{ activeservers | join(' ') }}"
-start_postcmd=opnsense_postcmd
-opnsense_postcmd()
-{
-	for interface in ${wireguard_interfaces}; do
-		ifconfig ${interface} group wireguard
-	done
-}
 {% else %}
 wireguard_enable="NO"
 {% endif %}

From 4817c184f03c0822c63b1614df2dbf60a00384dd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 13 Dec 2022 15:22:32 +0100
Subject: [PATCH 1288/3088] net/upnp: switch to other version

---
 net/upnp/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 145438e569..f96762686e 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.4
 PLUGIN_REVISION=	2
-PLUGIN_DEPENDS=		miniupnpd
+PLUGIN_DEPENDS=		miniupnpd-devel
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 393fe115b6cc35dc659c6165036e183c48756c71 Mon Sep 17 00:00:00 2001
From: Tawmu <Tawmu@users.noreply.github.com>
Date: Tue, 13 Dec 2022 14:25:22 +0000
Subject: [PATCH 1289/3088] net/upnp: enable STUN and allow LAN subnet override
 (#3096)

---
 net/upnp/Makefile                             |  3 +-
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   | 16 +++++-
 net/upnp/src/www/services_upnp.php            | 57 ++++++++++++++++++-
 3 files changed, 69 insertions(+), 7 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index f96762686e..c69f84af29 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		upnp
-PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.5
 PLUGIN_DEPENDS=		miniupnpd-devel
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 9ded4aeb4a..9314cd2f60 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -147,7 +147,11 @@ function miniupnpd_configure_do($verbose = false)
             if ($if != $iface) {
                 $addr = get_interface_ip($iface);
                 if (!empty($addr)) {
-                    $config_text .= "listening_ip={$if}\n";
+                    if (isset($upnp_config['overridesubnet'])) {
+                        $config_text .= "listening_ip={$if}{$upnp_config['overridesubnet']}\n";
+                    } else {
+                        $config_text .= "listening_ip={$if}\n";
+                    }
                     if (!$ifaces_active) {
                         $webgui_ip = $addr;
                         $ifaces_active = $iface;
@@ -164,9 +168,17 @@ function miniupnpd_configure_do($verbose = false)
 
         if (!empty($ifaces_active)) {
             /* override wan ip address, common for carp, etc */
-            if (!empty($upnp_config['overridewanip'])) {
+            if (!empty($upnp_config['overridewanip']) && empty($upnp_config['stun_host'])) {
                 $config_text .= "ext_ip={$upnp_config['overridewanip']}\n";
             }
+                
+            /* configure STUN server if needed */
+            if (empty($upnp_config['overridewanip']) && !empty($upnp_config['stun_host'])) {
+                $config_text .= "ext_perform_stun=yes\n";
+                $config_text .= "ext_stun_host=" . ($upnp_config['stun_host']) ."\n";
+                $config_text .= "ext_stun_port=" . ($upnp_config['stun_port'] ?? "3478") . "\n";
+            }
+
             /* set upload and download bitrates */
             if (!empty($upnp_config['download']) && !empty($upnp_config['upload'])) {
                 $download = $upnp_config['download'] * 1000;
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index e3512ae830..d4b59d2640 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -68,8 +68,9 @@ function miniupnpd_validate_port($port)
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig = array();
 
-    $copy_fields = array('enable', 'enable_upnp', 'enable_natpmp', 'ext_iface', 'iface_array', 'download',
-                         'upload', 'overridewanip', 'logpackets', 'sysuptime', 'permdefault');
+    $copy_fields = array('enable', 'enable_upnp', 'enable_natpmp', 'ext_iface', 'iface_array', 'stun_host',
+        'stun_port', 'overridesubnet', 'download', 'upload', 'overridewanip', 'logpackets', 'sysuptime',
+        'permdefault');
 
     foreach (miniupnpd_permuser_list() as $permuser) {
         $copy_fields[] = $permuser;
@@ -104,6 +105,18 @@ function miniupnpd_validate_port($port)
     if (!empty($pconfig['overridewanip']) && !is_ipaddr($pconfig['overridewanip'])) {
         $input_errors[] = gettext('You must specify a valid ip address in the \'Override WAN address\' field');
     }
+    if (!empty($pconfig['overridewanip']) && !empty($pconfig['stun_host'])) {
+        $input_errors[] = gettext('You cannot override the WAN IP if you have a STUN host set.');
+    }
+    if (!empty($pconfig['stun_host']) && !is_addr($pconfig['stun_host']) && !is_hostname($pconfig['stun_host'])) {
+        $input_errors[] = gettext('The STUN host must be a valid IP address or hostname.');
+    }
+    if (!empty($pconfig['stun_port']) && !is_port($pconfig['stun_port'])) {
+        $input_errors[] = gettext('STUN port must contain a valid port number.');
+    }
+    if (!empty($pconfig['overridesubnet']) && count($pconfig['iface_array']) > 1) {
+        $input_errors[] = gettext('You can only override the interface subnet when one LAN interface is selected');
+    }
     if ((!empty($pconfig['download']) && empty($pconfig['upload'])) || (!empty($pconfig['upload']) && empty($pconfig['download']))) {
         $input_errors[] = gettext('You must fill in both \'Maximum Download Speed\' and \'Maximum Upload Speed\' fields');
     }
@@ -146,7 +159,7 @@ function miniupnpd_validate_port($port)
             $upnp[$fieldname] = !empty($pconfig[$fieldname]);
         }
         // text field types
-        foreach (array('ext_iface', 'download', 'upload', 'overridewanip') as $fieldname) {
+        foreach (array('ext_iface', 'download', 'upload', 'overridewanip', 'overridesubnet', 'stun_host', 'stun_port') as $fieldname) {
             $upnp[$fieldname] = $pconfig[$fieldname];
         }
         foreach (miniupnpd_permuser_list() as $fieldname) {
@@ -255,6 +268,44 @@ function miniupnpd_validate_port($port)
                        </div>
                       </td>
                     </tr>
+
+                    <tr>
+                        <td><a id="help_for_override_subnet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interface subnet override");?></td>
+                        <td>
+                            <select name="overridesubnet" class="selectpicker" id="overridesubnet">
+                                <option value="" <?=!empty($pconfig['overridesubnet']) ? "selected=\"selected\"" : "";?>>Interface default</option>
+<?php
+                                for ($i = 32; $i >= 1; $i--) { ?>
+                                    <option value="/<?=$i;?>" <?=!empty($pconfig['overridesubnet']) && $pconfig['overridesubnet'] == "/".$i ? "selected=\"selected\"" : "";?>>/<?=$i;?></option>
+<?php
+                                }?>
+                            </select>
+                            <div class="hidden" data-for="help_for_override_subnet">
+                                <?=gettext("You can override a single LAN interface subnet here. Useful if you are rebroadcasting UPNP traffic across networks.");?>
+                            </div>
+                        </td>
+                    </tr>
+
+                    <tr>
+                        <td><a id="help_for_stun_host" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Specify STUN server");?></td>
+                        <td>
+                            <input name="stun_host" type="text" value="<?=$pconfig['stun_host'];?>" />
+                            <div class="hidden" data-for="help_for_stun_host">
+                                <?=gettext("STUN server used to predict external WAN IP.");?>
+                            </div>
+                        </td>
+                    </tr>
+
+                    <tr>
+                        <td><a id="help_for_stun_port" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Specify STUN port");?></td>
+                        <td>
+                            <input name="stun_port" type="text" value="<?=empty($pconfig['stun_port']) ? "3478" : $pconfig['stun_port'];?>" />
+                            <div class="hidden" data-for="help_for_stun_port">
+                                <?=gettext("STUN server port used to predict external WAN IP. Defaults to 3478 if not set.");?>
+                            </div>
+                        </td>
+                    </tr>
+
                     <tr>
                       <td><a id="help_for_download" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum Download Speed");?></td>
                       <td>

From 7144429a96a8c6ccccc91944537c6bdbfbe9ab0b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 13 Dec 2022 16:13:28 +0100
Subject: [PATCH 1290/3088] net/upnp: fix bugs and style issues with previous

o is_addr() not found
o service_log() typo (mea culpa)
o do not save "/" in overridesubnet
o indent and naming consistency
o do not redo validation in config code
---
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   | 18 ++--
 net/upnp/src/www/services_upnp.php            | 91 ++++++++++---------
 2 files changed, 58 insertions(+), 51 deletions(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 9314cd2f60..4da5c9c022 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -147,11 +147,11 @@ function miniupnpd_configure_do($verbose = false)
             if ($if != $iface) {
                 $addr = get_interface_ip($iface);
                 if (!empty($addr)) {
-                    if (isset($upnp_config['overridesubnet'])) {
-                        $config_text .= "listening_ip={$if}{$upnp_config['overridesubnet']}\n";
-                    } else {
-                        $config_text .= "listening_ip={$if}\n";
+                    $config_text .= "listening_ip={$if}";
+                    if (!empty($upnp_config['overridesubnet'])) {
+                        $config_text .= "/{$upnp_config['overridesubnet']}";
                     }
+                    $config_text .= "\n";
                     if (!$ifaces_active) {
                         $webgui_ip = $addr;
                         $ifaces_active = $iface;
@@ -168,14 +168,14 @@ function miniupnpd_configure_do($verbose = false)
 
         if (!empty($ifaces_active)) {
             /* override wan ip address, common for carp, etc */
-            if (!empty($upnp_config['overridewanip']) && empty($upnp_config['stun_host'])) {
+            if (!empty($upnp_config['overridewanip'])) {
                 $config_text .= "ext_ip={$upnp_config['overridewanip']}\n";
             }
-                
+
             /* configure STUN server if needed */
-            if (empty($upnp_config['overridewanip']) && !empty($upnp_config['stun_host'])) {
+            if (!empty($upnp_config['stun_host'])) {
                 $config_text .= "ext_perform_stun=yes\n";
-                $config_text .= "ext_stun_host=" . ($upnp_config['stun_host']) ."\n";
+                $config_text .= "ext_stun_host=" . ($upnp_config['stun_host']) . "\n";
                 $config_text .= "ext_stun_port=" . ($upnp_config['stun_port'] ?? "3478") . "\n";
             }
 
@@ -243,5 +243,5 @@ function miniupnpd_configure_do($verbose = false)
         }
     }
 
-    service_verbose("done.\n", $verbose);
+    service_log("done.\n", $verbose);
 }
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index d4b59d2640..bbd1436e9e 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -36,7 +36,7 @@
 function miniupnpd_validate_ip($ip)
 {
     /* validate cidr */
-    $ip_array = array();
+    $ip_array = [];
     $ip_array = explode('/', $ip);
     if (count($ip_array) == 2) {
         if ($ip_array[1] < 1 || $ip_array[1] > 32) {
@@ -66,11 +66,24 @@ function miniupnpd_validate_port($port)
 }
 
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    $pconfig = array();
+    $pconfig = [];
 
-    $copy_fields = array('enable', 'enable_upnp', 'enable_natpmp', 'ext_iface', 'iface_array', 'stun_host',
-        'stun_port', 'overridesubnet', 'download', 'upload', 'overridewanip', 'logpackets', 'sysuptime',
-        'permdefault');
+    $copy_fields = [
+        'download',
+        'enable',
+        'enable_natpmp',
+        'enable_upnp',
+        'ext_iface',
+        'iface_array',
+        'logpackets',
+        'overridesubnet',
+        'overridewanip',
+        'permdefault',
+        'stun_host',
+        'stun_port',
+        'sysuptime',
+        'upload',
+    ];
 
     foreach (miniupnpd_permuser_list() as $permuser) {
         $copy_fields[] = $permuser;
@@ -84,7 +97,7 @@ function miniupnpd_validate_port($port)
     // parse array
     $pconfig['iface_array'] = explode(',', $pconfig['iface_array']);
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $input_errors = array();
+    $input_errors = [];
     $pconfig = $_POST;
 
     // validate form data
@@ -108,7 +121,7 @@ function miniupnpd_validate_port($port)
     if (!empty($pconfig['overridewanip']) && !empty($pconfig['stun_host'])) {
         $input_errors[] = gettext('You cannot override the WAN IP if you have a STUN host set.');
     }
-    if (!empty($pconfig['stun_host']) && !is_addr($pconfig['stun_host']) && !is_hostname($pconfig['stun_host'])) {
+    if (!empty($pconfig['stun_host']) && !is_ipaddr($pconfig['stun_host']) && !is_hostname($pconfig['stun_host'])) {
         $input_errors[] = gettext('The STUN host must be a valid IP address or hostname.');
     }
     if (!empty($pconfig['stun_port']) && !is_port($pconfig['stun_port'])) {
@@ -153,13 +166,13 @@ function miniupnpd_validate_port($port)
 
     if (count($input_errors) == 0) {
         // save form data
-        $upnp = array();
+        $upnp = [];
         // boolean types
-        foreach (array('enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault') as $fieldname) {
+        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault'] as $fieldname) {
             $upnp[$fieldname] = !empty($pconfig[$fieldname]);
         }
         // text field types
-        foreach (array('ext_iface', 'download', 'upload', 'overridewanip', 'overridesubnet', 'stun_host', 'stun_port') as $fieldname) {
+        foreach (['ext_iface', 'download', 'upload', 'overridewanip', 'overridesubnet', 'stun_host', 'stun_port'] as $fieldname) {
             $upnp[$fieldname] = $pconfig[$fieldname];
         }
         foreach (miniupnpd_permuser_list() as $fieldname) {
@@ -268,44 +281,38 @@ function miniupnpd_validate_port($port)
                        </div>
                       </td>
                     </tr>
-
                     <tr>
-                        <td><a id="help_for_override_subnet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interface subnet override");?></td>
-                        <td>
-                            <select name="overridesubnet" class="selectpicker" id="overridesubnet">
-                                <option value="" <?=!empty($pconfig['overridesubnet']) ? "selected=\"selected\"" : "";?>>Interface default</option>
-<?php
-                                for ($i = 32; $i >= 1; $i--) { ?>
-                                    <option value="/<?=$i;?>" <?=!empty($pconfig['overridesubnet']) && $pconfig['overridesubnet'] == "/".$i ? "selected=\"selected\"" : "";?>>/<?=$i;?></option>
-<?php
-                                }?>
-                            </select>
-                            <div class="hidden" data-for="help_for_override_subnet">
-                                <?=gettext("You can override a single LAN interface subnet here. Useful if you are rebroadcasting UPNP traffic across networks.");?>
-                            </div>
-                        </td>
+                      <td><a id="help_for_overridesubnet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interface subnet override");?></td>
+                      <td>
+                        <select name="overridesubnet" class="selectpicker" id="overridesubnet">
+                          <option value="" <?= empty($pconfig['overridesubnet']) ? 'selected="selected"' : '' ?>><?= gettext('default') ?></option>
+<?php for ($i = 32; $i >= 1; $i--): ?>
+                          <option value="<?= $i ?>" <?=!empty($pconfig['overridesubnet']) && $pconfig['overridesubnet'] == $i ? 'selected="selected"' : '' ?>><?= $i ?></option>
+<?php endfor ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_overridesubnet">
+                          <?=gettext("You can override a single LAN interface subnet here. Useful if you are rebroadcasting UPNP traffic across networks.");?>
+                        </div>
+                      </td>
                     </tr>
-
                     <tr>
-                        <td><a id="help_for_stun_host" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Specify STUN server");?></td>
-                        <td>
-                            <input name="stun_host" type="text" value="<?=$pconfig['stun_host'];?>" />
-                            <div class="hidden" data-for="help_for_stun_host">
-                                <?=gettext("STUN server used to predict external WAN IP.");?>
-                            </div>
-                        </td>
+                      <td><a id="help_for_stun_host" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('STUN server') ?></td>
+                      <td>
+                        <input name="stun_host" type="text" value="<?= !empty($pconfig['stun_host']) ? $pconfig['stun_host'] : '' ?>" />
+                        <div class="hidden" data-for="help_for_stun_host">
+                          <?= gettext('STUN server used to predict external WAN IP.') ?>
+                        </div>
+                      </td>
                     </tr>
-
                     <tr>
-                        <td><a id="help_for_stun_port" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Specify STUN port");?></td>
-                        <td>
-                            <input name="stun_port" type="text" value="<?=empty($pconfig['stun_port']) ? "3478" : $pconfig['stun_port'];?>" />
-                            <div class="hidden" data-for="help_for_stun_port">
-                                <?=gettext("STUN server port used to predict external WAN IP. Defaults to 3478 if not set.");?>
-                            </div>
-                        </td>
+                      <td><a id="help_for_stun_port" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('STUN port') ?></td>
+                      <td>
+                        <input name="stun_port" type="text" placeholder="3478" value="<?= !empty($pconfig['stun_port']) ? $pconfig['stun_port'] : ''  ?>" />
+                        <div class="hidden" data-for="help_for_stun_port">
+                          <?= gettext('STUN port used to predict external WAN IP.') ?>
+                        </div>
+                      </td>
                     </tr>
-
                     <tr>
                       <td><a id="help_for_download" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum Download Speed");?></td>
                       <td>

From 134097983f6841938e500e747f484abcb0e91921 Mon Sep 17 00:00:00 2001
From: Patrick Grupp <patrickgrupp@me.com>
Date: Tue, 13 Dec 2022 19:54:41 +0100
Subject: [PATCH 1291/3088] dns/ddclient: Fix IPv6 address parsing from
 external service (#3217)

When using external services to determine the public IPv6 address of an
interface, the bounds are too limited for short (but valid) IPv6
addresses. Reducing the necessary amount of colon characters in the
resolved IPv6 address for the `checkip` script to accept them fixes
this issue.
---
 dns/ddclient/pkg-descr                             | 1 +
 dns/ddclient/src/opnsense/scripts/ddclient/checkip | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 1b392f36a3..761df3b6b9 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -23,6 +23,7 @@ Plugin Changelog
 * Add sitelutions support (contributed by Luca Schoeneberg)
 * Add woima support (contributed by Luca Schoeneberg)
 * Add Yandex support (contributed by Luca Schoeneberg)
+* Fix parsing short IPv6 addresses from external service (contributed by Patrick Grupp)
 
 1.9
 
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/checkip b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
index 35e2244059..b8d7ffe3d2 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/checkip
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
@@ -57,7 +57,7 @@ def extract_address(txt):
     """
     for regexp in [r'[^a-fA-F0-9\:]', r'[^F0-9\.]']:
         for line in re.sub(regexp, ' ', txt).split():
-            if line.count('.') == 3 or line.count(':') > 4:
+            if line.count('.') == 3 or line.count(':') >= 2:
                 try:
                     ipaddress.ip_address(line)
                     return line

From 6f24dff3a25953f62b6dd4f995e7d55a2e7f406f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 13 Dec 2022 19:59:48 +0100
Subject: [PATCH 1292/3088] dns/ddclient: due to backport this changes moves to
 1.9

---
 dns/ddclient/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 761df3b6b9..f09e413e5b 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -23,13 +23,13 @@ Plugin Changelog
 * Add sitelutions support (contributed by Luca Schoeneberg)
 * Add woima support (contributed by Luca Schoeneberg)
 * Add Yandex support (contributed by Luca Schoeneberg)
-* Fix parsing short IPv6 addresses from external service (contributed by Patrick Grupp)
 
 1.9
 
 * Add icanhazip.com as a checkip provider (contributed by Matt Parnell)
 * Configurable checkip (contributed by Christian Schulze)
 * Allow % characters in usernames
+* Fix parsing short IPv6 addresses from external service (contributed by Patrick Grupp)
 
 1.8
 

From 72bbf3e4afd46c3307eb745a3e549aba4fe61cfc Mon Sep 17 00:00:00 2001
From: Tom Freudenberg <tom.freudenberg@4commerce.de>
Date: Wed, 14 Dec 2022 23:35:11 +0100
Subject: [PATCH 1293/3088] add css for textarea mapfile.content (#3201)

* add css for textarea mapfile.content

- related #3198
---
 .../src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt  | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 796dd5e0ce..2dc92a7826 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -599,6 +599,12 @@ POSSIBILITY OF SUCH DAMAGE.
 
 </script>
 
+<style>
+    textarea {
+        white-space: pre;
+    }
+</style>
+
 <ul class="nav nav-tabs" role="tablist"  id="maintabs">
     {# manually add tabs #}
     <li class="active"><a data-toggle="tab" href="#introduction"><b>{{ lang._('Introduction') }}</b></a></li>

From de660623edbc40d467b38015cb6629edd3f98f95 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 15 Dec 2022 16:27:38 +0100
Subject: [PATCH 1294/3088] dns/rfc2136: probable fix for #3187

This could be more elegant in some other format that is allowed but
someone else will have to open a reasonable PR about it.  I don't
trust the number change alone in the PR as bind said it would try
to "unbreak" it again breaking the plugin if we would...
---
 dns/rfc2136/Makefile                              | 3 +--
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 7 ++++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index 9a1a3618ea..54f5bd4da7 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		rfc2136
-PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.7
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 8858cde0c9..b399dfe767 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -125,9 +125,10 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
            but nsupdate insists on having both */
         $fd = fopen("/var/etc/K{$i}{$keyname}+157+00000.private", "w");
         $privkey = <<<EOD
-Private-key-format: v1.2
-Algorithm: 157 (HMAC)
-Key: {$dnsupdate['keydata']}
+key "{$keyname}" {
+	algorithm hmac-md5;
+	secret "{$dnsupdate['keydata']}";
+};
 
 EOD;
         fwrite($fd, $privkey);

From fe7f79ce1fe4c3f4a94d896e4c419949be90f8bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Fri, 16 Dec 2022 12:43:57 +0100
Subject: [PATCH 1295/3088] Cicada/Vicuna style fixes (#3218)

#introduction and .btn-info color fixes
---
 misc/theme-cicada/Makefile                                  | 2 +-
 .../opnsense/www/themes/cicada/assets/stylesheets/main.scss | 6 +++++-
 .../src/opnsense/www/themes/cicada/build/css/main.css       | 6 +++++-
 misc/theme-vicuna/Makefile                                  | 2 +-
 .../opnsense/www/themes/vicuna/assets/stylesheets/main.scss | 6 +++++-
 .../src/opnsense/www/themes/vicuna/build/css/main.css       | 6 +++++-
 6 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 668561137e..cf7fb97e0e 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.30
+PLUGIN_VERSION=		1.31
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index c9c4592918..1d140c5b64 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -4998,7 +4998,7 @@ fieldset[disabled] .btn-success {
 
 .btn-info {
   color: #fff;
-  background-color: #00370b;
+  background-color: #226808;
   border-color: #191919;
 
   &:hover, &:focus, &:active, &.active {
@@ -10683,3 +10683,7 @@ router-view {
 .table-custom-categories {
   border: 1px solid #181818 !important;
 }
+
+#introduction a.btn-info {
+  color: #FFF !important;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index dccc1cee41..4370a9325d 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -3013,7 +3013,7 @@ select[multiple].input-lg,
 
 .btn-info {
   color: #fff;
-  background-color: #00370b;
+  background-color: #226808;
   border-color: #191919; }
   .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
     color: #fff;
@@ -6655,3 +6655,7 @@ border: 1px solid #191919 !important;
 .table-custom-categories {
   border: 1px solid #181818 !important;
 }
+
+#introduction a.btn-info {
+  color: #FFF !important;
+}
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index c776b682b8..6ed096fffd 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.42
+PLUGIN_VERSION=		1.43
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index e2dc9a6aca..8d507e10be 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -5109,7 +5109,7 @@ fieldset[disabled] .btn-success {
 
 .btn-info {
   color: #fff;
-  background-color: #00370b;
+  background-color: #226808;
   border-color: #191919;
 
   &:hover, &:focus, &:active, &.active {
@@ -10805,3 +10805,7 @@ router-view {
 .table-custom-categories {
   border: 1px solid #181818 !important;
 }
+
+#introduction a.btn-info {
+  color: #FFF !important;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 66345cd46c..5280281d95 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -2999,7 +2999,7 @@ select[multiple].input-lg,
 
 .btn-info {
   color: #fff;
-  background-color: #00370b;
+  background-color: #226808;
   border-color: #191919; }
   .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
     color: #fff;
@@ -6617,3 +6617,7 @@ border: 1px solid #191919 !important;
 .table-custom-categories {
   border: 1px solid #181818 !important;
 }
+
+#introduction a.btn-info {
+  color: #FFF !important;
+}

From 630d6b7936d689271f837d73e0e11617a8ad26d4 Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Mon, 19 Dec 2022 07:01:04 -0500
Subject: [PATCH 1296/3088] dns/bind: revamp logging (#3223)

---
 dns/bind/pkg-descr                            |   1 +
 .../OPNsense/Bind/LogsController.php          |  46 +++++
 .../app/models/OPNsense/Bind/Menu/Menu.xml    |   8 +-
 .../mvc/app/views/OPNsense/Bind/logs.volt     | 173 ++++++++++++++++++
 .../scripts/syslog/logformats/bind.py         | 112 ++++++++++++
 5 files changed, 337 insertions(+), 3 deletions(-)
 create mode 100644 dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/LogsController.php
 create mode 100644 dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
 create mode 100644 dns/bind/src/opnsense/scripts/syslog/logformats/bind.py

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 4091c536b0..65e8d0fe2d 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 
 1.25
 
+* Revamp the logging page with proper columns (contributed by Robbert Rijkse)
 * Update base to BIND 9.18
 
 1.24
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/LogsController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/LogsController.php
new file mode 100644
index 0000000000..23fde619ef
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/LogsController.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ *    Copyright (C) 2022 Robbert Rijkse
+ *    Copyright (C) 2021 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Bind;
+
+/**
+ * Class LogsController
+ * @package OPNsense\Bind
+ */
+class LogsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // choose template
+        $this->view->pick('OPNsense/Bind/logs');
+    }
+}
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml
index 13b24d1e01..5ff8fe460b 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml
@@ -2,9 +2,11 @@
   <Services>
     <BIND cssClass="fa fa-tags">
       <Configuration url="/ui/bind/general/index" order="10"/>
-      <GeneralLog VisibleName="Log / General" order="20" url="/ui/diagnostics/log/named/named"/>
-      <QueryLog VisibleName="Log / Queries" order="30"  url="/ui/diagnostics/log/named/query"/>
-      <BlockedLog VisibleName="Log / Blocked" order="40" url="/ui/diagnostics/log/named/rpz"/>
+      <Logs VisibleName="Log Files" order="60" url="/ui/bind/logs">
+        <GeneralLog VisibleName="General" order="10" url="/ui/bind/logs"/>
+        <QueryLog VisibleName="Query" order="20" url="/ui/bind/log/core/query/"/>
+        <BlockedLog VisibleName="Blocked" order="30" url="/ui/bind/log/core/blocked/"/>
+      </Logs>
     </BIND>
   </Services>
 </menu>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
new file mode 100644
index 0000000000..33f0442152
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
@@ -0,0 +1,173 @@
+{#
+ # Copyright (c) 2022 Robbert Rijkse
+ # Copyright (c) 2019 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $( document ).ready(function() {
+      // get entries from named/named.log
+      let grid_generallog = $("#grid-generallog").UIBootgrid({
+          options:{
+              sorting:false,
+              rowSelect: false,
+              selection: false,
+              rowCount:[20,50,100,200,500,1000,-1],
+          },
+          search:'/api/diagnostics/log/named/named'
+      });
+
+      // get entries from named/query.log
+      let grid_querylog = $("#grid-querylog").UIBootgrid({
+          options:{
+              sorting:false,
+              rowSelect: false,
+              selection: false,
+              rowCount:[20,50,100,200,500,1000,-1],
+          },
+          search:'/api/diagnostics/log/named/query'
+      });
+
+      // get entries from named/rpz.log
+      let grid_blockedlog = $("#grid-blockedlog").UIBootgrid({
+          options:{
+              sorting:false,
+              rowSelect: false,
+              selection: false,
+              rowCount:[20,50,100,200,500,1000,-1],
+          },
+          search:'/api/diagnostics/log/named/rpz'
+      });
+
+      grid_generallog.on("loaded.rs.jquery.bootgrid", function(){
+          $(".action-page").click(function(event){
+              event.preventDefault();
+              $("#grid-generallog").bootgrid("search",  "");
+              let new_page = parseInt((parseInt($(this).data('row-id')) / $("#grid-log").bootgrid("getRowCount")))+1;
+              $("input.search-field").val("");
+              // XXX: a bit ugly, but clearing the filter triggers a load event.
+              setTimeout(function(){
+                  $("ul.pagination > li:last > a").data('page', new_page).click();
+              }, 100);
+          });
+      });
+
+      grid_querylog.on("loaded.rs.jquery.bootgrid", function(){
+          $(".action-page").click(function(event){
+              event.preventDefault();
+              $("#grid-querylog").bootgrid("search",  "");
+              let new_page = parseInt((parseInt($(this).data('row-id')) / $("#grid-log").bootgrid("getRowCount")))+1;
+              $("input.search-field").val("");
+              // XXX: a bit ugly, but clearing the filter triggers a load event.
+              setTimeout(function(){
+                  $("ul.pagination > li:last > a").data('page', new_page).click();
+              }, 100);
+          });
+      });
+
+    grid_blockedlog.on("loaded.rs.jquery.bootgrid", function(){
+          $(".action-page").click(function(event){
+              event.preventDefault();
+              $("#grid-blockedlog").bootgrid("search",  "");
+              let new_page = parseInt((parseInt($(this).data('row-id')) / $("#grid-log").bootgrid("getRowCount")))+1;
+              $("input.search-field").val("");
+              // XXX: a bit ugly, but clearing the filter triggers a load event.
+              setTimeout(function(){
+                  $("ul.pagination > li:last > a").data('page', new_page).click();
+              }, 100);
+          });
+      });
+
+    });
+</script>
+
+
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#generallog"><b>{{ lang._('General Log') }}</b></a></li>
+    <li><a data-toggle="tab" href="#querylog">{{ lang._('Query Log') }}</a></li>
+    <li><a data-toggle="tab" href="#blockedlog">{{ lang._('Blocked Log') }}</a></li>
+</ul>
+
+<div class="content-box tab-content">
+
+    <div id="generallog" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            <div  class="col-sm-12">
+                <table id="grid-generallog" class="table table-condensed table-hover table-striped table-responsive" data-store-selection="true">
+                    <thead>
+                    <tr>
+                        <th data-column-id="timestamp" data-width="15em" data-type="string">{{ lang._('Date') }}</th>
+                        <th data-column-id="process_name" data-width="9em" data-type="string">{{ lang._('Type') }}</th>
+                        <th data-column-id="severity" data-width="11em" data-type="string">{{ lang._('Level')}}</th>
+                        <th data-column-id="line" data-type="string">{{ lang._('Line') }}</th>
+                    </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+
+    <div id="querylog" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            <div  class="col-sm-12">
+                <table id="grid-querylog" class="table table-condensed table-hover table-striped table-responsive" data-store-selection="true">
+                    <thead>
+                    <tr>
+                        <th data-column-id="timestamp" data-width="15em" data-type="string">{{ lang._('Date') }}</th>
+                        <th data-column-id="process_name" data-width="11em" data-type="string">{{ lang._('Client') }}</th>
+                        <th data-column-id="pid" data-width="11em" data-type="string">{{ lang._('IP Address') }}</th>
+                        <th data-column-id="facility" data-width="20em" data-type="string">{{ lang._('Record') }}</th>
+                        <th data-column-id="line" data-type="string">{{ lang._('Query') }}</th>
+                    </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+
+    <div id="blockedlog" class="tab-pane fade">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            <div  class="col-sm-12">
+                <table id="grid-blockedlog" class="table table-condensed table-hover table-striped table-responsive" data-store-selection="true">
+                    <thead>
+                    <tr>
+                        <th data-column-id="timestamp" data-width="15em" data-type="string">{{ lang._('Date') }}</th>
+                        <th data-column-id="process_name" data-width="11em" data-type="string">{{ lang._('Client') }}</th>
+                        <th data-column-id="pid" data-width="11em" data-type="string">{{ lang._('IP Address') }}</th>
+                        <th data-column-id="facility" data-width="20em" data-type="string">{{ lang._('Record') }}</th>
+                        <th data-column-id="line" data-type="string">{{ lang._('Query') }}</th>
+                    </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    </div>
+
+</div>
diff --git a/dns/bind/src/opnsense/scripts/syslog/logformats/bind.py b/dns/bind/src/opnsense/scripts/syslog/logformats/bind.py
new file mode 100644
index 0000000000..c4ef34892b
--- /dev/null
+++ b/dns/bind/src/opnsense/scripts/syslog/logformats/bind.py
@@ -0,0 +1,112 @@
+"""
+    Copyright (c) 2022 Robbert Rijkse
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import datetime
+import re
+from . import NewBaseLogFormat
+
+class BindGeneralLogFormat(NewBaseLogFormat):
+    def __init__(self, filename):
+        super().__init__(filename)
+        self._priority = 1
+        self._parts = list()
+
+    def match(self, line):
+        return self._filename.find('named/named.log') > -1
+
+    def set_line(self, line):
+        super().set_line(line)
+        self._parts = self._line.split(maxsplit=4)
+
+    @property
+    def timestamp(self):
+        # bind format return actual log data
+        ts = datetime.datetime.strptime(f"{self._parts[0]} {self._parts[1]}", "%d-%b-%Y %H:%M:%S.%f")
+        return ts.isoformat()
+
+    @property
+    def severity(self):
+        # Grab the log level
+        severity = self._parts[3].strip(":")
+        options = {
+            "critical": 2,
+            "error": 3,
+            "warning": 4,
+            "notice": 5,
+            "info": 6,
+            "debug": 7,
+            "dynamic": 7
+        }
+        if severity in options:
+            return options[severity]
+        return None
+
+    @property
+    def process_name(self):
+        # Grab the type of log message
+        return self._parts[2].strip(":")
+
+    @property
+    def line(self):
+        # Only grab the left over message
+        return self._parts[4].strip()
+
+class BindQueryLogFormat(NewBaseLogFormat):
+    def __init__(self, filename):
+        super().__init__(filename)
+        self._priority = 1
+        self._parts = list()
+
+    def match(self, line):
+        return self._filename.find('named/query.log') > -1 or self._filename.find('named/rpz.log') > -1
+
+    def set_line(self, line):
+        super().set_line(line)
+        self._parts = self._line.split(maxsplit=7)
+
+    @property
+    def timestamp(self):
+        # bind format return actual log data
+        ts = datetime.datetime.strptime(f"{self._parts[0]} {self._parts[1]}", "%d-%b-%Y %H:%M:%S.%f")
+        return ts.isoformat()
+
+    @property
+    def pid(self):
+        # Grab the IP and Port number of the client
+        # pid is used for this because you can't define custom names
+        return self._parts[4].strip()
+
+    @property
+    def facility(self):
+        # Grab the record the query was for
+        # facility is used for this because you can't define custom names
+        return self._parts[5].strip()[1:-2]
+
+    @property
+    def process_name(self):
+        # Grab the client memory ID
+        # process_name is used for this because you can't define custom names
+        return self._parts[3].strip()
+
+    @property
+    def line(self):
+        # Only grab the left over message
+        return self._parts[7].strip()

From 2db55b131a9c31f31f9fecf2760d3a21cf317920 Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Mon, 19 Dec 2022 07:22:54 -0500
Subject: [PATCH 1297/3088] dns/bind: update template paths to 9.18 (#3222)

---
 .../service/templates/OPNsense/Bind/+TARGETS  | 14 ++++++------
 .../templates/OPNsense/Bind/named.conf        | 22 +++++++++----------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/+TARGETS b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/+TARGETS
index 33d000bba7..1e155e5a5b 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/+TARGETS
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/+TARGETS
@@ -1,11 +1,11 @@
-bing.db:/usr/local/etc/namedb/master/bing.db
-blacklist.db:/usr/local/etc/namedb/master/blacklist.db
-domain.db:/usr/local/etc/namedb/master/[OPNsense.bind.domain.domains.domain.%.domainname].db
-duckduckgo.db:/usr/local/etc/namedb/master/duckduckgo.db
-google.db:/usr/local/etc/namedb/master/google.db
+bing.db:/usr/local/etc/namedb/primary/bing.db
+blacklist.db:/usr/local/etc/namedb/primary/blacklist.db
+domain.db:/usr/local/etc/namedb/primary/[OPNsense.bind.domain.domains.domain.%.domainname].db
+duckduckgo.db:/usr/local/etc/namedb/primary/duckduckgo.db
+google.db:/usr/local/etc/namedb/primary/google.db
 named:/etc/rc.conf.d/named
 named.conf:/usr/local/etc/namedb/named.conf
 rndc.conf:/usr/local/etc/namedb/rndc.conf
-whitelist.db:/usr/local/etc/namedb/master/whitelist.db
+whitelist.db:/usr/local/etc/namedb/primary/whitelist.db
 whitelist.inc:/usr/local/etc/namedb/whitelist.inc
-youtube.db:/usr/local/etc/namedb/master/youtube.db
+youtube.db:/usr/local/etc/namedb/primary/youtube.db
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 94fd79aac8..b0e2efc386 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -99,34 +99,34 @@ controls {
 
 zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
 
-zone "localhost"        { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
-zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
-zone "0.ip6.arpa"       { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
+zone "localhost"        { type master; file "/usr/local/etc/namedb/primary/localhost-forward.db"; };
+zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/primary/localhost-reverse.db"; };
+zone "0.ip6.arpa"       { type master; file "/usr/local/etc/namedb/primary/localhost-reverse.db"; };
 
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}
-zone "whitelist.localdomain" { type master; file "/usr/local/etc/namedb/master/whitelist.db"; notify no; check-names ignore; };
-zone "blacklist.localdomain" { type master; file "/usr/local/etc/namedb/master/blacklist.db"; notify no; check-names ignore; };
+zone "whitelist.localdomain" { type master; file "/usr/local/etc/namedb/primary/whitelist.db"; notify no; check-names ignore; };
+zone "blacklist.localdomain" { type master; file "/usr/local/etc/namedb/primary/blacklist.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}
-zone "rpzgoogle" { type master; file "/usr/local/etc/namedb/master/google.db"; notify no; check-names ignore; };
+zone "rpzgoogle" { type master; file "/usr/local/etc/namedb/primary/google.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}
-zone "rpzduckduckgo" { type master; file "/usr/local/etc/namedb/master/duckduckgo.db"; notify no; check-names ignore; };
+zone "rpzduckduckgo" { type master; file "/usr/local/etc/namedb/primary/duckduckgo.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}
-zone "rpzyoutube" { type master; file "/usr/local/etc/namedb/master/youtube.db"; notify no; check-names ignore; };
+zone "rpzyoutube" { type master; file "/usr/local/etc/namedb/primary/youtube.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}
-zone "rpzbing" { type master; file "/usr/local/etc/namedb/master/bing.db"; notify no; check-names ignore; };
+zone "rpzbing" { type master; file "/usr/local/etc/namedb/primary/bing.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 
@@ -147,9 +147,9 @@ zone "{{ domain.domainname }}" {
 {%         if domain.allownotifyslave is defined %}
         allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };
 {%         endif %}
-        file "/usr/local/etc/namedb/slave/{{ domain.domainname }}.db";
+        file "/usr/local/etc/namedb/secondary/{{ domain.domainname }}.db";
 {%       else %}
-        file "/usr/local/etc/namedb/master/{{ domain.domainname }}.db";
+        file "/usr/local/etc/namedb/primary/{{ domain.domainname }}.db";
 {%       endif %}
 {%       if domain.allowtransfer is defined %}
         allow-transfer { {{ allow_transfer.name }}; };

From 45973b0be806260d6e03b5fa9b9ecb59c70b44ca Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Dec 2022 13:12:27 +0100
Subject: [PATCH 1298/3088] dns/bind: fix permission on previous

---
 dns/bind/src/opnsense/scripts/syslog/logformats/bind.py | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 dns/bind/src/opnsense/scripts/syslog/logformats/bind.py

diff --git a/dns/bind/src/opnsense/scripts/syslog/logformats/bind.py b/dns/bind/src/opnsense/scripts/syslog/logformats/bind.py
old mode 100644
new mode 100755

From cbbeafab2a40cf3a1a0f84874e98855be4ec4407 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Dec 2022 12:05:15 +0100
Subject: [PATCH 1299/3088] dns/rfc2136: the whole legacy key format is madness

The original ".key" file just disappears with all its knobs and
features.
---
 .../src/etc/inc/plugins.inc.d/rfc2136.inc     | 39 +++++--------------
 1 file changed, 10 insertions(+), 29 deletions(-)

diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index b399dfe767..65d53f6923 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -120,35 +120,16 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
             $hostname .= ".";
         }
 
-        /* write private key file
-           this is dumb - public and private keys are the same for HMAC-MD5,
-           but nsupdate insists on having both */
-        $fd = fopen("/var/etc/K{$i}{$keyname}+157+00000.private", "w");
-        $privkey = <<<EOD
-key "{$keyname}" {
-	algorithm hmac-md5;
-	secret "{$dnsupdate['keydata']}";
-};
-
-EOD;
-        fwrite($fd, $privkey);
-        fclose($fd);
-
-        /* write public key file */
-        if ($dnsupdate['keytype'] == "zone") {
-            $flags = 257;
-            $proto = 3;
-        } elseif ($dnsupdate['keytype'] == "host") {
-            $flags = 513;
-            $proto = 3;
-        } elseif ($dnsupdate['keytype'] == "user") {
-            $flags = 0;
-            $proto = 2;
-        }
+        $keyfile = "/var/etc/nsupdatekey{$i}";
+        $keyfill = [
+            "key \"{$keyname}\" {",
+            "\talgorithm hmac-md5;",
+            "\tsecret \"{$dnsupdate['keydata']}\";",
+            "};",
+            '' /* end of file */
+        ];
 
-        $fd = fopen("/var/etc/K{$i}{$keyname}+157+00000.key", "w");
-        fwrite($fd, "{$keyname} IN KEY {$flags} {$proto} 157 {$dnsupdate['keydata']}\n");
-        fclose($fd);
+        file_put_contents($keyfile, implode(PHP_EOL, $keyfill));
 
         /* generate update instructions */
         $upinst = "";
@@ -219,7 +200,7 @@ EOD;
             @file_put_contents("/var/etc/nsupdatecmds{$i}", $upinst);
             unset($upinst);
             /* invoke nsupdate */
-            $cmd = "/usr/local/bin/nsupdate -k /var/etc/K{$i}{$keyname}+157+00000.key";
+            $cmd = "/usr/local/bin/nsupdate -k {$keyfile}";
             if (isset($dnsupdate['usetcp'])) {
                 $cmd .= " -v";
             }

From 989029fc909803db72f6feeb0cf7e1e1c43e5137 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Dec 2022 12:14:21 +0100
Subject: [PATCH 1300/3088] dns/rfc2136: remove unused keytype

---
 dns/rfc2136/src/www/services_rfc2136_edit.php | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/dns/rfc2136/src/www/services_rfc2136_edit.php b/dns/rfc2136/src/www/services_rfc2136_edit.php
index d17c64c571..9ae9027770 100644
--- a/dns/rfc2136/src/www/services_rfc2136_edit.php
+++ b/dns/rfc2136/src/www/services_rfc2136_edit.php
@@ -49,7 +49,6 @@
     $pconfig['ttl'] = isset($id) &&!empty($a_rfc2136[$id]['ttl']) ? $a_rfc2136[$id]['ttl'] : 60;
     $pconfig['keydata'] = isset($id) &&!empty($a_rfc2136[$id]['keydata']) ? $a_rfc2136[$id]['keydata'] : null;
     $pconfig['keyname'] = isset($id) &&!empty($a_rfc2136[$id]['keyname']) ? $a_rfc2136[$id]['keyname'] : null;
-    $pconfig['keytype'] = isset($id) &&!empty($a_rfc2136[$id]['keytype']) ? $a_rfc2136[$id]['keytype'] : "zone";
     $pconfig['server'] = isset($id) &&!empty($a_rfc2136[$id]['server']) ? $a_rfc2136[$id]['server'] : null;
     $pconfig['interface'] = isset($id) &&!empty($a_rfc2136[$id]['interface']) ? $a_rfc2136[$id]['interface'] : null;
     $pconfig['descr'] = isset($id) &&!empty($a_rfc2136[$id]['descr']) ? $a_rfc2136[$id]['descr'] : null;
@@ -88,7 +87,6 @@
         $rfc2136['host'] = $pconfig['host'];
         $rfc2136['ttl'] = $pconfig['ttl'];
         $rfc2136['keyname'] = $pconfig['keyname'];
-        $rfc2136['keytype'] = $pconfig['keytype'];
         $rfc2136['keydata'] = $pconfig['keydata'];
         $rfc2136['server'] = $pconfig['server'];
         $rfc2136['usetcp'] = !empty($pconfig['usetcp']);
@@ -197,14 +195,6 @@
                       </div>
                     </td>
                   </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Key type");?> </td>
-                    <td>
-                      <input name="keytype" type="radio" value="zone" <?= $pconfig['keytype'] == "zone" ? "checked=\"checked\"" :""; ?> /> <?=gettext("Zone");?> &nbsp;
-                      <input name="keytype" type="radio" value="host" <?= $pconfig['keytype'] == "host" ? "checked=\"checked\"" :""; ?> /> <?=gettext("Host");?> &nbsp;
-                      <input name="keytype" type="radio" value="user" <?= $pconfig['keytype'] == "user" ? "checked=\"checked\"" :""; ?> /> <?=gettext("User");?>
-                    </td>
-                  </tr>
                   <tr>
                     <td><a id="help_for_keydata" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Key");?></td>
                     <td>

From a07b4d26d51d97e9032c91225f65beb582e21c6b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Dec 2022 12:34:07 +0100
Subject: [PATCH 1301/3088] dns/bind: fix menu depth (only 3 levels) and ACL

---
 .../src/opnsense/mvc/app/models/OPNsense/Bind/ACL/ACL.xml | 1 +
 .../opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml   | 8 ++------
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/ACL/ACL.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/ACL/ACL.xml
index 83205c526b..76c52ef6c5 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/ACL/ACL.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/ACL/ACL.xml
@@ -4,6 +4,7 @@
       <patterns>
          <pattern>ui/bind/*</pattern>
          <pattern>api/bind/*</pattern>
+         <pattern>api/diagnostics/log/named/*</pattern>
       </patterns>
    </page-services-bind>
 </acl>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml
index 5ff8fe460b..06ed53ca81 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Menu/Menu.xml
@@ -1,12 +1,8 @@
 <menu>
   <Services>
     <BIND cssClass="fa fa-tags">
-      <Configuration url="/ui/bind/general/index" order="10"/>
-      <Logs VisibleName="Log Files" order="60" url="/ui/bind/logs">
-        <GeneralLog VisibleName="General" order="10" url="/ui/bind/logs"/>
-        <QueryLog VisibleName="Query" order="20" url="/ui/bind/log/core/query/"/>
-        <BlockedLog VisibleName="Blocked" order="30" url="/ui/bind/log/core/blocked/"/>
-      </Logs>
+      <Configuration url="/ui/bind/general/index"/>
+      <LogFiles VisibleName="Log Files" url="/ui/bind/logs"/>
     </BIND>
   </Services>
 </menu>

From 2c667a028486e9edeeb9587ffc674680e954a736 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Dec 2022 12:44:16 +0100
Subject: [PATCH 1302/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index 68971d18b5..dee529ae30 100644
--- a/LICENSE
+++ b/LICENSE
@@ -43,6 +43,7 @@ Copyright (c) 2021 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2022 Patrik Kernstock <patrik@kernstock.net>
+Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>

From 75522fdf8ba8db3c63ed0e444204a4925acbad9a Mon Sep 17 00:00:00 2001
From: Dirk Silkenbaeumer <dirk@silkenbaeumer.de>
Date: Tue, 20 Dec 2022 20:36:28 +0100
Subject: [PATCH 1303/3088] SSL healthcheck

---
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index e0fb1fd7aa..9f4ab012f6 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1825,7 +1825,7 @@ backend {{backend.name}}
 {#               # 2. in health checks: to verify *only* health check communication to this server #}
 {#               # When 1. is enabled, health checks are automatically secured. #}
 {#               # Use-case for 2: when using TCP for server communication, but HTTPS for health checks. #}
-{%               if server_data.ssl|default("") == '1' or (healthcheck_enabled == '1' and healthcheck_data.force_ssl|default('') == '1') %}
+{%               if server_data.ssl|default("") == '1' or (healthcheck_enabled == '1' and (healthcheck_data.ssl|default('') == 'ssl' or healthcheck_data.ssl|default('') == 'sslsni')) %}
 {#                 # get status of ssl verification #}
 {%                 set ssl_verify_enabled = '0' %}
 {%                 if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') and OPNsense.HAProxy.general.tuning.sslServerVerify|default("") != 'ignore' %}

From 39985f0c1d4a1c885b802fe50ced07b7bd4cca62 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 21 Dec 2022 13:31:25 +0100
Subject: [PATCH 1304/3088] core changes - refactor intf_item.type usage as
 referred to in https://github.com/opnsense/core/issues/6181

---
 .../src/opnsense/service/templates/OPNsense/Redis/redis.conf    | 2 +-
 security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc  | 2 +-
 .../src/opnsense/service/templates/OPNsense/Nginx/webgui.conf   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis.conf b/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis.conf
index 6deeeda1ae..a42284da49 100644
--- a/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis.conf
+++ b/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis.conf
@@ -54,7 +54,7 @@
 {%     endif %}
 {%     if helpers.exists('virtualip') %}
 {%       for intf_item in helpers.toList('virtualip.vip') %}
-{%         if intf_item.interface == listen_interface and intf_item.type == 'single' %}
+{%         if intf_item.interface == listen_interface and intf_item.mode in ['carp', 'ipalias'] %}
 {%           if intf_item.subnet.find(':') > -1 %}
 {% do listen_ip.append(interface_ip) %}
 {%           else %}
diff --git a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
index 2f8ab8a10f..977761eb84 100644
--- a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
+++ b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
@@ -27,7 +27,7 @@ SOCKSPort [{{ interface_ip }}]:{{ OPNsense.tor.general.socks_listen_port|default
 {%     endif %}
 {%     if helpers.exists('virtualip') %}
 {%       for intf_item in helpers.toList('virtualip.vip') %}
-{%         if intf_item.interface == listen_interface and intf_item.type == 'single' %}
+{%         if intf_item.interface == listen_interface and intf_item.mode in ['carp', 'ipalias'] %}
 {%           if intf_item.subnet.find(':') > -1 %}
 # {{ listen_interface }}: IPv6 VIP
 SOCKSPort [{{ intf_item.subnet }}]:{{ OPNsense.tor.general.socks_listen_port|default('9050') }}
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
index 3288fe4069..8a14feeb10 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
@@ -147,7 +147,7 @@ server {
 {% endfor %}
 {% if helpers.exists('virtualip') %}
 {%   for intf_item in helpers.toList('virtualip.vip') %}
-{%     if intf_item.type == 'single' %}
+{%     if intf_item.mode in ['carp', 'ipalias'] %}
 {%       set cidr = intf_item.subnet + '/' + intf_item.subnet_bits %}
 {%       if cidr not in whitelisted_networks %}
   allow {{ cidr }};

From 19ba75317b955d18dfb97f9a328a50a30feacf51 Mon Sep 17 00:00:00 2001
From: Michael Newton <miken32@gmail.com>
Date: Wed, 21 Dec 2022 07:24:28 -0700
Subject: [PATCH 1305/3088] Bind: restore TSIG key name entry (#3182)

Regression caused by commit 2fceec58
---
 .../Bind/forms/dialogEditBindSlaveDomain.xml       | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
index 52eac8fcb6..c7789f46a1 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
@@ -29,19 +29,25 @@
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Set the IP address of master server when using slave mode.</help>
+        <help>Set the IP address of master server.</help>
     </field>
     <field>
         <id>domain.transferkeyalgo</id>
         <label>Transfer Key Algorithm</label>
         <type>dropdown</type>
-        <help>Set the authentication algorithm for the TSIG key.</help>
+        <help>Set the authentication algorithm for the TSIG key used to transfer domain data from the master server.</help>
+    </field>
+    <field>
+        <id>domain.transferkeyname</id>
+        <label>Transfer Key Name</label>
+        <type>text</type>
+        <help>The name of the TSIG key, which must match the value on the master server.</help>
     </field>
     <field>
         <id>domain.transferkey</id>
         <label>Transfer Key</label>
         <type>text</type>
-        <help>The TSIG key used to transfer domain data from the master server.</help>
+        <help>The base64-encoded TSIG key.</help>
     </field>
     <field>
         <id>domain.allownotifyslave</id>
@@ -49,6 +55,6 @@
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>A list of allowed IP addresses to receive notifies from.</help>
+        <help>A list of allowed IP addresses to receive notifies from (in addition to the master server.)</help>
     </field>
 </form>

From cc42b5287871edb4dabd8384841ef3ad44705d4f Mon Sep 17 00:00:00 2001
From: "Johnny S. Lee" <6614805+johnnyslee@users.noreply.github.com>
Date: Fri, 30 Dec 2022 15:19:31 +0800
Subject: [PATCH 1306/3088] security/stunnel: Add missing inclusion (#3240)

PHP Fatal error:  Uncaught Error: Call to undefined function log_msg() in /usr/local/etc/inc/plugins.inc:251
Stack trace:
 0 /usr/local/opnsense/scripts/stunnel/generate_certs.php(89): plugins_configure('crl')
 1 {main}
  thrown in /usr/local/etc/inc/plugins.inc on line 251
---
 security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
index 4aeb667e4d..da69629808 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
+++ b/security/stunnel/src/opnsense/scripts/stunnel/generate_certs.php
@@ -27,6 +27,7 @@
  *    POSSIBILITY OF SUCH DAMAGE.
  */
 
+require_once('util.inc');
 require_once('plugins.inc');
 require_once('config.inc');
 require_once('certs.inc');

From 4f617b6d9cb0bfdcf6e884b96da68e467db16d8e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 4 Jan 2023 22:50:43 +0100
Subject: [PATCH 1307/3088] net/haproxy: update URLs to HAProxy 2.6
 documentation, refs #3026

---
 net/haproxy/pkg-descr                                |  3 +++
 .../OPNsense/HAProxy/forms/dialogAction.xml          | 12 ++++++------
 .../OPNsense/HAProxy/forms/dialogBackend.xml         | 10 +++++-----
 .../OPNsense/HAProxy/forms/dialogFcgi.xml            |  2 +-
 .../OPNsense/HAProxy/forms/dialogFrontend.xml        |  6 +++---
 .../OPNsense/HAProxy/forms/dialogMapfile.xml         |  2 +-
 .../mvc/app/views/OPNsense/HAProxy/index.volt        | 10 +++++-----
 7 files changed, 24 insertions(+), 21 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index d675ec264e..2333e2ed17 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,9 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+Changed:
+* update URLs to HAProxy 2.6 documentation
+
 3.12
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 7a499dab84..e03c3632bf 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -89,7 +89,7 @@
         <id>action.http_request_redirect</id>
         <label>HTTP Redirect</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/2.4/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/2.6/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -128,7 +128,7 @@
         <id>action.http_request_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -145,7 +145,7 @@
         <id>action.http_request_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -251,7 +251,7 @@
         <id>action.http_response_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -268,7 +268,7 @@
         <id>action.http_response_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -468,6 +468,6 @@
         <id>action.fcgi_set_param</id>
         <label>Parameter</label>
         <type>text</type>
-        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/2.4/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
+        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 7615ceb09b..c7babd3a7a 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -28,7 +28,7 @@
         <id>backend.algorithm</id>
         <label>Balancing Algorithm</label>
         <type>dropdown</type>
-        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
         <hint>Choose a load balancing algorithm.</hint>
     </field>
     <field>
@@ -42,7 +42,7 @@
         <id>backend.proxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -192,7 +192,7 @@
         <id>backend.persistence_cookiemode</id>
         <label>Cookie handling</label>
         <type>dropdown</type>
-        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.persistence_cookiename</id>
@@ -214,14 +214,14 @@
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
+        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
         <hint>Choose a persistence type.</hint>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
index ffaec1d91a..fd6e48bfd3 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
@@ -33,7 +33,7 @@
         <id>fcgi.path_info</id>
         <label>Path Info</label>
         <type>text</type>
-        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/2.4/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/2.6/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <id>fcgi.log_stderr</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 9f6fb5801e..98475acd02 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -336,14 +336,14 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
@@ -370,7 +370,7 @@
         <id>frontend.stickiness_counter_key</id>
         <label>Sticky counter key</label>
         <type>text</type>
-        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index fc0011cc87..6b8e712a38 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -15,6 +15,6 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/2.4/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 2dc92a7826..ee36d6a4a3 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -717,7 +717,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -759,7 +759,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.4/configuration.html#7" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.6/configuration.html#7" target="_blank">', '</a>') }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -774,7 +774,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}</p>
-            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.4/configuration.html#3.4" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.6/configuration.html#3.4" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -792,7 +792,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/2.4/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/2.6/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html#3.5" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -810,7 +810,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/2.4/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.4/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.4/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.4/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.4/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/2.4/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/2.6/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.6/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.6/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.6/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/2.6/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>

From 4538a854d5bd7a782fd49d8d79e4d159a2b15293 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 4 Jan 2023 23:19:50 +0100
Subject: [PATCH 1308/3088] net/haproxy: remove process-related options, refs
 #3026

---
 net/haproxy/pkg-descr                         |  5 ++
 .../HAProxy/Api/SettingsController.php        |  2 +-
 .../OPNsense/HAProxy/forms/dialogCpu.xml      |  6 --
 .../OPNsense/HAProxy/forms/generalTuning.xml  |  7 --
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 78 -------------------
 .../mvc/app/views/OPNsense/HAProxy/index.volt |  1 -
 .../templates/OPNsense/HAProxy/haproxy.conf   | 13 +---
 7 files changed, 9 insertions(+), 103 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 2333e2ed17..b3867d3e2c 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,6 +9,11 @@ Plugin Changelog
 Changed:
 * update URLs to HAProxy 2.6 documentation
 
+Removed:
+* remove Processes/nbproc option (use Threads/nbthread instead)
+* remove "Process ID" from CPU Affinity settings (now always 1)
+* remove "bind-process" option (replaced by the "process" bind keyword)
+
 3.12
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index 4e0006f398..4231ca119b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -343,7 +343,7 @@ public function toggleCpuAction($uuid, $enabled = null)
 
     public function searchCpusAction()
     {
-        return $this->searchBase('cpus.cpu', array('enabled', 'name', 'process_id', 'thread_id', 'cpu_id'), 'name');
+        return $this->searchBase('cpus.cpu', array('enabled', 'name', 'thread_id', 'cpu_id'), 'name');
     }
 
     public function getGroupAction($uuid = null)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogCpu.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogCpu.xml
index a1d97f46ee..8e0b705960 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogCpu.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogCpu.xml
@@ -11,12 +11,6 @@
         <type>text</type>
         <help>Choose a name for this CPU affinity rule.</help>
     </field>
-    <field>
-        <id>cpu.process_id</id>
-        <label>Process ID</label>
-        <type>dropdown</type>
-        <help>Process ID that should bind to a specific CPU set. Any process IDs above nbproc are ignored.</help>
-    </field>
     <field>
         <id>cpu.thread_id</id>
         <label>Thread ID</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index 807087cce9..0bef8a78bd 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -10,13 +10,6 @@
         <help><![CDATA[Enable or disable HAProxy running as user root. Enabling this option is strongly discouraged.<br/><div class="text-info"><b>NOTE:</b> Running as user root could be a security issue but it may be required by some features.</div>]]></help>
         <advanced>true</advanced>
     </field>
-    <field>
-        <id>haproxy.general.tuning.nbproc</id>
-        <label>HAProxy processes (DEPRECATED)</label>
-        <type>text</type>
-        <help><![CDATA[Number of HAProxy processes to start.<br/><div class="text-info"><b>WARNING:</b> This option is deprecated and will be removed in a future version of HAProxy, threads should be used instead.</div>]]></help>
-        <advanced>true</advanced>
-    </field>
     <field>
         <id>haproxy.general.tuning.nbthread</id>
         <label>HAProxy threads</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 8289391d5c..a4920acc20 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -72,13 +72,6 @@
                     <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
                     <Required>N</Required>
                 </maxConnections>
-                <nbproc type="IntegerField">
-                    <default>1</default>
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>128</MaximumValue>
-                    <ValidationMessage>Please specify a value between 1 and 128.</ValidationMessage>
-                    <Required>Y</Required>
-                </nbproc>
                 <nbthread type="IntegerField">
                     <default>1</default>
                     <MinimumValue>1</MinimumValue>
@@ -2712,77 +2705,6 @@
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
-                <process_id type="OptionField">
-                    <Required>Y</Required>
-                    <OptionValues>
-                        <all>All HAProxy processes</all>
-                        <odd>Processes with odd ID</odd>
-                        <even>Processes with even ID</even>
-                        <x1>Process 1</x1>
-                        <x2>Process 2</x2>
-                        <x3>Process 3</x3>
-                        <x4>Process 4</x4>
-                        <x5>Process 5</x5>
-                        <x6>Process 6</x6>
-                        <x7>Process 7</x7>
-                        <x8>Process 8</x8>
-                        <x9>Process 9</x9>
-                        <x10>Process 10</x10>
-                        <x11>Process 11</x11>
-                        <x12>Process 12</x12>
-                        <x13>Process 13</x13>
-                        <x14>Process 14</x14>
-                        <x15>Process 15</x15>
-                        <x16>Process 16</x16>
-                        <x17>Process 17</x17>
-                        <x18>Process 18</x18>
-                        <x19>Process 19</x19>
-                        <x20>Process 20</x20>
-                        <x21>Process 21</x21>
-                        <x22>Process 22</x22>
-                        <x23>Process 23</x23>
-                        <x24>Process 24</x24>
-                        <x25>Process 25</x25>
-                        <x26>Process 26</x26>
-                        <x27>Process 27</x27>
-                        <x28>Process 28</x28>
-                        <x29>Process 29</x29>
-                        <x30>Process 30</x30>
-                        <x31>Process 31</x31>
-                        <x32>Process 32</x32>
-                        <x33>Process 33</x33>
-                        <x34>Process 34</x34>
-                        <x35>Process 35</x35>
-                        <x36>Process 36</x36>
-                        <x37>Process 37</x37>
-                        <x38>Process 38</x38>
-                        <x39>Process 39</x39>
-                        <x40>Process 40</x40>
-                        <x41>Process 41</x41>
-                        <x42>Process 42</x42>
-                        <x43>Process 43</x43>
-                        <x44>Process 44</x44>
-                        <x45>Process 45</x45>
-                        <x46>Process 46</x46>
-                        <x47>Process 47</x47>
-                        <x48>Process 48</x48>
-                        <x49>Process 49</x49>
-                        <x50>Process 50</x50>
-                        <x51>Process 51</x51>
-                        <x52>Process 52</x52>
-                        <x53>Process 53</x53>
-                        <x54>Process 54</x54>
-                        <x55>Process 55</x55>
-                        <x56>Process 56</x56>
-                        <x57>Process 57</x57>
-                        <x58>Process 58</x58>
-                        <x59>Process 59</x59>
-                        <x60>Process 60</x60>
-                        <x61>Process 61</x61>
-                        <x62>Process 62</x62>
-                        <x63>Process 63</x63>
-                    </OptionValues>
-                </process_id>
                 <thread_id type="OptionField">
                     <Required>Y</Required>
                     <OptionValues>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index ee36d6a4a3..54dd719be3 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -1131,7 +1131,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="cpuid" data-type="number"  data-visible="false">{{ lang._('CPU Rule ID') }}</th>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
-                <th data-column-id="process_id" data-type="string">{{ lang._('Process ID') }}</th>
                 <th data-column-id="thread_id" data-type="string">{{ lang._('Thread ID') }}</th>
                 <th data-column-id="cpu_id" data-type="string">{{ lang._('CPU ID') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index e0fb1fd7aa..418a16c1eb 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -960,14 +960,13 @@ global
 {% else %}
     stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
 {% endif %}
-    nbproc                      {{OPNsense.HAProxy.general.tuning.nbproc}}
 {% if OPNsense.HAProxy.general.tuning.nbthread|default('') != '' %}
     nbthread                    {{OPNsense.HAProxy.general.tuning.nbthread}}
 {% endif %}
 {% if helpers.exists('OPNsense.HAProxy.cpus.cpu') %}
 {%   for cpu_map in helpers.toList('OPNsense.HAProxy.cpus.cpu') %}
 {%     if cpu_map.enabled == '1' %}
-    cpu-map                     {{cpu_map.process_id|replace('x', '')}}/{{cpu_map.thread_id|replace('x', '')}} {{cpu_map.cpu_id|replace('x', '')|replace(',', ' ')}}
+    cpu-map                     1/{{cpu_map.thread_id|replace('x', '')}} {{cpu_map.cpu_id|replace('x', '')|replace(',', ' ')}}
 {%     endif %}
 {%   endfor %}
 {% endif %}
@@ -1372,20 +1371,14 @@ frontend {{frontend.name}}
 {%         do adv_options.append('proto h2') %}
 {%       endif %}
 {#       # CPU affinity configuration #}
-{%       set bind_process = [] %}
 {%       if frontend.linkedCpuAffinityRules|default('') != '' %}
 {%         for cpu_map in frontend.linkedCpuAffinityRules.split(',') %}
 {%           set cpu_map_data = helpers.getUUID(cpu_map) %}
 {%           if cpu_map_data.enabled == '1' %}
-{#             # Limit visibility to a certain set of processes #}
-{%             do bind_process.append(cpu_map_data.process_id|replace('x', '')) %}
-{#             # Restrict the list of processes/threads on which this listener is allowed to run #}
-{%             do adv_options.append('process ' ~ cpu_map_data.process_id|replace('x', '') ~ '/' ~ cpu_map_data.thread_id|replace('x', '')) %}
+{#             # Restrict the list of threads on which this listener is allowed to run #}
+{%             do adv_options.append('process ' ~ '1/' ~ cpu_map_data.thread_id|replace('x', '')) %}
 {%           endif %}
 {%         endfor %}
-{%         if bind_process|length > 0 %}
-    bind-process {{bind_process|join(' ')}}
-{%         endif %}
 {%       endif %}
 {#       # bind/listen configuration #}
 {%       if frontend.bind|default("") != "" %}

From 2e8b59cde703ee69ca2e0b71045427f6e8d89bb4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 4 Jan 2023 23:28:56 +0100
Subject: [PATCH 1309/3088] net/haproxy: remove traces of removed option
 chksize, refs #3026

---
 .../controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
index f77d4ccb72..179ef4b8e0 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogHealthcheck.xml
@@ -96,7 +96,7 @@
         <id>healthcheck.http_value</id>
         <label>Value</label>
         <type>text</type>
-        <help><![CDATA[Specify a value to match with the expression. <br/><div class="text-info"><b>NOTE:</b> It is important to note that the responses will be limited to a certain size defined by the global "tune.chksize" option, which defaults to 16384 bytes.</div>]]></help>
+        <help><![CDATA[Specify a value to match with the expression.]]></help>
     </field>
     <field>
         <label>Custom TCP check</label>
@@ -112,7 +112,7 @@
         <id>healthcheck.tcp_sendValue</id>
         <label>Send data</label>
         <type>text</type>
-        <help><![CDATA[Specify a value to match with the expression. <br/><div class="text-info"><b>NOTE:</b> It is important to note that the responses will be limited to a certain size defined by the global "tune.chksize" option, which defaults to 16384 bytes.</div>]]></help>
+        <help><![CDATA[Specify a value to match with the expression.]]></help>
     </field>
     <field>
         <id>healthcheck.tcp_matchType</id>

From 605a3f4b9ce1ec450b67333c844190aefb1d572f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Jan 2023 00:03:05 +0100
Subject: [PATCH 1310/3088] net/haproxy: remove options "http-tunnel" and
 "forceclose", refs #3026

---
 net/haproxy/pkg-descr                         | 11 ++--
 .../OPNsense/HAProxy/forms/dialogFrontend.xml | 14 +++---
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  4 +-
 .../OPNsense/HAProxy/Migrations/M4_0_0.php    | 50 +++++++++++++++++++
 4 files changed, 65 insertions(+), 14 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_0_0.php

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index b3867d3e2c..1675d938b2 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -7,12 +7,15 @@ Plugin Changelog
 ================
 
 Changed:
-* update URLs to HAProxy 2.6 documentation
+* rename frontend option "Type" to "Connection Mode" (#3026)
+* update URLs to HAProxy 2.6 documentation (#3026)
+* migrate options "http-tunnel" and "forceclose" to "http-keep-alive" (#3026)
 
 Removed:
-* remove Processes/nbproc option (use Threads/nbthread instead)
-* remove "Process ID" from CPU Affinity settings (now always 1)
-* remove "bind-process" option (replaced by the "process" bind keyword)
+* remove Processes/nbproc option (use Threads/nbthread instead) (#3026)
+* remove "Process ID" from CPU Affinity settings (now always 1) (#3026)
+* remove "bind-process" option (replaced by the "process" bind keyword) (#3026)
+* remove options "http-tunnel" and "forceclose" from "Connection Mode" (#3026)
 
 3.12
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 98475acd02..9d776f2ff0 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -225,6 +225,13 @@
         <help><![CDATA[The path where the Prometheus exporter can be accessed.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>frontend.connectionBehaviour</id>
+        <label>Connection Mode</label>
+        <type>dropdown</type>
+        <help><![CDATA[By default HAProxy operates in <b>keep-alive</b> mode with regards to persistent connections. Option <b>"httpclose"</b> configures HAProxy to close connections with the server and the client as soon as the request and the response are received. It will also check if a "Connection: close" header is already set in each direction, and will add one if missing. Option <b>"http-server-close"</b> enables HTTP connection-close mode on the server side while keeping the ability to support HTTP keep-alive and pipelining on the client side.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <label>Basic Authentication</label>
         <type>header</type>
@@ -426,13 +433,6 @@
         <label>Advanced settings</label>
         <type>header</type>
     </field>
-    <field>
-        <id>frontend.connectionBehaviour</id>
-        <label>Type</label>
-        <type>dropdown</type>
-        <help><![CDATA[By default HAProxy operates in <b>keep-alive</b> mode with regards to persistent connections. Option <b>"http-tunnel"</b> disables any HTTP processing past the first request and the first response. Option <b>"httpclose"</b> configures HAProxy to work in HTTP tunnel mode and check if a "Connection: close" header is already set in each direction, and will add one if missing. Option <b>"http-server-close"</b> enables HTTP connection-close mode on the server side while keeping the ability to support HTTP keep-alive and pipelining on the client side. With Option <b>"forceclose"</b> HAProxy will actively close the outgoing server channel as soon as the server has finished to respond and release some resources earlier.]]></help>
-        <advanced>true</advanced>
-    </field>
     <field>
         <id>frontend.customOptions</id>
         <label>Option pass-through</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index a4920acc20..5a465b2968 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>3.8.0</version>
+    <version>4.0.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -803,10 +803,8 @@
                     <default>http-keep-alive</default>
                     <OptionValues>
                         <http-keep-alive>http-keep-alive [default]</http-keep-alive>
-                        <http-tunnel>http-tunnel</http-tunnel>
                         <httpclose>httpclose</httpclose>
                         <http-server-close>http-server-close</http-server-close>
-                        <forceclose>forceclose</forceclose>
                     </OptionValues>
                 </connectionBehaviour>
                 <customOptions type="TextField">
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_0_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_0_0.php
new file mode 100644
index 0000000000..c13544da51
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_0_0.php
@@ -0,0 +1,50 @@
+<?php
+
+/**
+ *    Copyright (C) 2022 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M4_0_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->getNodeByReference('frontends.frontend')->iterateItems() as $frontend) {
+            switch ((string)$frontend->connectionBehaviour) {
+                case 'http-tunnel':
+                    $frontend->connectionBehaviour = 'http-keep-alive';
+                    break;
+                case 'forceclose':
+                    $frontend->connectionBehaviour = 'http-keep-alive';
+                    break;
+            }
+        }
+    }
+}

From 9bd79cff45c36066bdbef4f039418ce4998da391 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Jan 2023 00:19:56 +0100
Subject: [PATCH 1311/3088] net/haproxy: add close-spread-time option, refs
 #3026

---
 net/haproxy/pkg-descr                                       | 3 +++
 .../controllers/OPNsense/HAProxy/forms/generalSettings.xml  | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 5 +++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf         | 3 +++
 4 files changed, 17 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 1675d938b2..cee9c1c706 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,9 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+Added:
+* add new option "Gradual connection close time" (close-spread-time) (#3026)
+
 Changed:
 * rename frontend option "Type" to "Connection Mode" (#3026)
 * update URLs to HAProxy 2.6 documentation (#3026)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
index aa3f791ff0..b9934dd6a4 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
@@ -21,6 +21,12 @@
         <type>text</type>
         <help><![CDATA[Set the maximum time allowed to perform a clean graceful stop. HAProxy will terminate all open connections when the timeout is reached. This may be used to ensure that the instance will quit even if connections remain opened. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
     </field>
+    <field>
+        <id>haproxy.general.closeSpreadTime</id>
+        <label>Gradual connection close time</label>
+        <type>text</type>
+        <help><![CDATA[Specifies a time window during which connection closing will be spread during a soft-stop operation. Idle connections will all be closed at once if this option is not set, which may cause reconnecting clients to rush against the process. For best results, it should set lower than the "Graceful stop timout" option. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+    </field>
     <field>
         <id>haproxy.general.seamlessReload</id>
         <label>Seamless reload</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 5a465b2968..340264d97f 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -18,6 +18,11 @@
                 <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                 <Required>N</Required>
             </hardStopAfter>
+            <closeSpreadTime type="TextField">
+                <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                <Required>N</Required>
+            </closeSpreadTime>
             <seamlessReload type="BooleanField">
                 <default>0</default>
                 <Required>Y</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 418a16c1eb..c4799282f1 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -973,6 +973,9 @@ global
 {% if OPNsense.HAProxy.general.hardStopAfter|default('') != '' %}
     hard-stop-after             {{OPNsense.HAProxy.general.hardStopAfter}}
 {% endif %}
+{% if OPNsense.HAProxy.general.closeSpreadTime|default('') != '' %}
+    close-spread-time           {{OPNsense.HAProxy.general.closeSpreadTime}}
+{% endif %}
 {# # Disable strict-limits because a syntax check will not reveal #}
 {# # whether kern.maxfilesperproc or kern.maxfiles are too low. #}
     no strict-limits

From f16e410ad5f4052bad4189df6802719e2d2d4c87 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Jan 2023 00:26:59 +0100
Subject: [PATCH 1312/3088] net/haproxy: switch to HAProxy 2.6 package, refs
 #3026

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 084dfc5a47..69d15276a1 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		3.12
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy24
+PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"

From 26c4cce58126883be177b79ff05344213423c43e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Jan 2023 00:40:15 +0100
Subject: [PATCH 1313/3088] net/haproxy: bump version to 4.0, refs #3026

---
 net/haproxy/Makefile  | 2 +-
 net/haproxy/pkg-descr | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 69d15276a1..e3dd19ba74 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		3.12
+PLUGIN_VERSION=		4.0
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index cee9c1c706..4da2884754 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,12 +6,14 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.0
+
 Added:
 * add new option "Gradual connection close time" (close-spread-time) (#3026)
 
 Changed:
+* upgrade to HAProxy 2.6 release series (#3026)
 * rename frontend option "Type" to "Connection Mode" (#3026)
-* update URLs to HAProxy 2.6 documentation (#3026)
 * migrate options "http-tunnel" and "forceclose" to "http-keep-alive" (#3026)
 
 Removed:

From 57f89c616114b581c57d3a72d0d1b0cdf0380def Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Jan 2023 00:48:12 +0100
Subject: [PATCH 1314/3088] net/haproxy: replace "process" with "threads" bind
 keyword, refs #3026

---
 net/haproxy/pkg-descr                                          | 3 ++-
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf   | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 4da2884754..6ea53de083 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -15,11 +15,12 @@ Changed:
 * upgrade to HAProxy 2.6 release series (#3026)
 * rename frontend option "Type" to "Connection Mode" (#3026)
 * migrate options "http-tunnel" and "forceclose" to "http-keep-alive" (#3026)
+* replace "process" with "threads" bind keyword for CPU Affinity (#3026)
 
 Removed:
 * remove Processes/nbproc option (use Threads/nbthread instead) (#3026)
 * remove "Process ID" from CPU Affinity settings (now always 1) (#3026)
-* remove "bind-process" option (replaced by the "process" bind keyword) (#3026)
+* remove "bind-process" option (replaced by the "threads" bind keyword) (#3026)
 * remove options "http-tunnel" and "forceclose" from "Connection Mode" (#3026)
 
 3.12
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index c4799282f1..f465e6bf51 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1379,7 +1379,7 @@ frontend {{frontend.name}}
 {%           set cpu_map_data = helpers.getUUID(cpu_map) %}
 {%           if cpu_map_data.enabled == '1' %}
 {#             # Restrict the list of threads on which this listener is allowed to run #}
-{%             do adv_options.append('process ' ~ '1/' ~ cpu_map_data.thread_id|replace('x', '')) %}
+{%             do adv_options.append('thread ' ~ cpu_map_data.thread_id|replace('x', '')) %}
 {%           endif %}
 {%         endfor %}
 {%       endif %}

From f9e325e88267305829b2ac96fcdef8dd6c5a318e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Jan 2023 01:12:39 +0100
Subject: [PATCH 1315/3088] net/haproxy: add new "shards" option, refs #3026

---
 net/haproxy/pkg-descr                                      | 3 ++-
 .../controllers/OPNsense/HAProxy/forms/dialogFrontend.xml  | 7 +++++++
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml   | 6 ++++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf        | 4 ++++
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 6ea53de083..31a2faff28 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,7 +9,8 @@ Plugin Changelog
 4.0
 
 Added:
-* add new option "Gradual connection close time" (close-spread-time) (#3026)
+* add new service option "Gradual connection close time" (close-spread-time) (#3026)
+* add new frontend option "shards" (#3026)
 
 Changed:
 * upgrade to HAProxy 2.6 release series (#3026)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 9d776f2ff0..2a4c492a52 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -297,6 +297,13 @@
         <hint>Choose CPU affinity rules.</hint>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>frontend.tuning_shards</id>
+        <label>Shards</label>
+        <type>text</type>
+        <help><![CDATA[This option automatically creates the specified number of listeners for every IP:port combination and evenly distributes them among available threads. This can sometimes be useful when using very large thread counts where the in-kernel locking on a single socket starts to cause a significant overhead.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <label>Logging Options</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 340264d97f..baf4277b33 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -655,6 +655,12 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedCpuAffinityRules>
+                <tuning_shards type="IntegerField">
+                    <MinimumValue>2</MinimumValue>
+                    <MaximumValue>1000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 2 and 1000.</ValidationMessage>
+                    <Required>N</Required>
+                </tuning_shards>
                 <logging_dontLogNull type="BooleanField">
                     <default>0</default>
                     <Required>Y</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index f465e6bf51..441e12ce20 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1383,6 +1383,10 @@ frontend {{frontend.name}}
 {%           endif %}
 {%         endfor %}
 {%       endif %}
+{#       # shards / multiple listeners on the same IP:port #}
+{%       if frontend.tuning_shards|default('') != '' %}
+{%         do adv_options.append('shards ' ~ frontend.tuning_shards) %}
+{%       endif %}
 {#       # bind/listen configuration #}
 {%       if frontend.bind|default("") != "" %}
 {%         for bind in frontend.bind.split(",") %}

From ef91a6b4f9feef7b412ab4a98f14f452d0c187ac Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 4 Jan 2023 21:45:00 +0100
Subject: [PATCH 1316/3088] dns/ddclient - add backend selection and  custom
 ddclient like implementation using the same input but written in python.

This adds a hybrid approach in dynamic dns support. The default will use ddclient, but when a different backend (opnsense) is selected, services change and daemon control [rc] starts the active one.
Since we're not aiming to support all currently supported vendors in the legacy plugin or ddclient, two example implementations are provided.

o dyndns2 -- simple dyndns2 api compliant accounts, accepting either the "dyndns" protocol or a predefined list of services (as already supported for ddclient)
o azure -- complex example using oauth2 to update a record in Azure DNS.
---
 dns/ddclient/Makefile                         |   2 +-
 dns/ddclient/src/etc/rc.d/ddclient_opn        |  63 ++++++
 .../DynDNS/Api/AccountsController.php         |   2 +
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |   6 +
 .../OPNsense/DynDNS/forms/settings.xml        |   6 +
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  21 +-
 .../DynDNS/FieldTypes/AccountField.php        |   9 +-
 .../DynDNS/FieldTypes/CheckipField.php        |  58 ++++++
 .../DynDNS/FieldTypes/ServiceField.php        |  71 +++++++
 .../mvc/app/views/OPNsense/DynDNS/index.volt  |   3 +
 .../src/opnsense/scripts/ddclient/checkip     |  53 +----
 .../opnsense/scripts/ddclient/ddclient_opn.py |  50 +++++
 .../opnsense/scripts/ddclient/lib/__init__.py |  61 ++++++
 .../scripts/ddclient/lib/account/__init__.py  | 133 ++++++++++++
 .../scripts/ddclient/lib/account/azure.py     | 196 ++++++++++++++++++
 .../scripts/ddclient/lib/account/dyndns2.py   | 104 ++++++++++
 .../opnsense/scripts/ddclient/lib/address.py  |  98 +++++++++
 .../opnsense/scripts/ddclient/lib/poller.py   | 165 +++++++++++++++
 .../src/opnsense/scripts/ddclient/stats       |  16 +-
 .../conf/actions.d/actions_ddclient.conf      |  20 +-
 .../templates/OPNsense/ddclient/+TARGETS      |   2 +
 .../templates/OPNsense/ddclient/ddclient.conf |   2 +-
 .../templates/OPNsense/ddclient/ddclient.json |  34 +++
 .../OPNsense/ddclient/ddclient_opn.rc.conf.d  |   5 +
 .../templates/OPNsense/ddclient/rc.conf.d     |   2 +-
 25 files changed, 1119 insertions(+), 63 deletions(-)
 create mode 100755 dns/ddclient/src/etc/rc.d/ddclient_opn
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php
 create mode 100644 dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
 create mode 100755 dns/ddclient/src/opnsense/scripts/ddclient/ddclient_opn.py
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
 create mode 100644 dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
 create mode 100644 dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 5990af97ac..183e8fca16 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.10
+PLUGIN_VERSION=		1.11
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/etc/rc.d/ddclient_opn b/dns/ddclient/src/etc/rc.d/ddclient_opn
new file mode 100755
index 0000000000..15c12b8a84
--- /dev/null
+++ b/dns/ddclient/src/etc/rc.d/ddclient_opn
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: ddclient_py
+# REQUIRE: SERVERS
+# KEYWORD: shutdown
+#
+
+. /etc/rc.subr
+
+name=ddclient_opn
+rcvar=ddclient_opn_enable
+command=/usr/local/opnsense/scripts/ddclient/ddclient_opn.py
+command_interpreter=/usr/local/bin/python3
+pidfile="/var/run/${name}.pid"
+load_rc_config $name
+
+# Set defaults
+: ${ddclient_opn_enable:=NO}
+
+start_postcmd=ddclient_opn_poststart
+stop_cmd=ddclient_opn_stop
+
+ddclient_opn_poststart()
+{
+  # give the daemon some time to initialize its configuration
+  for i in 1 2 3 4 5; do
+    sleep 1
+
+    if [ -s ${rc_pid} ]; then
+      break
+    fi
+  done
+}
+
+ddclient_opn_stop()
+{
+    if [ -z "$rc_pid" ]; then
+        [ -n "$rc_fast" ] && return 0
+        _run_rc_notrunning
+        return 1
+    fi
+    echo -n "Stopping ${name}."
+    kill -15 ${rc_pid}
+    # wait max 2 seconds for gentle exit
+    for i in $(seq 1 20);
+    do
+      if [ -z "`/bin/ps -ex | /usr/bin/awk '{print $1;}' | /usr/bin/grep "^${rc_pid}"`" ]; then
+        break
+      fi
+      sleep 0.1
+    done
+
+    for ddclient_pid in `/bin/ps -ex | grep 'ddclient_opn.py' | /usr/bin/awk '{print $1;}' `
+    do
+      kill -9 $ddclient_pid >/dev/null 2>&1
+    done
+
+    echo  "..done"
+}
+
+run_rc_command $1
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
index 97c7f40607..363dbbf4be 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
@@ -31,6 +31,8 @@
 namespace OPNsense\DynDNS\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+
 
 class AccountsController extends ApiMutableModelControllerBase
 {
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index eadf4fe4c8..f1c6c6e8a6 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -25,6 +25,12 @@
         <help>DynDNS Server</help>
         <style>optional_setting service_custom</style>
     </field>
+    <field>
+        <id>account.resourceId</id>
+        <label>resourceId</label>
+        <type>text</type>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>account.username</id>
         <label>Username</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
index c524918d59..5c12c5c428 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/settings.xml
@@ -25,4 +25,10 @@
         <type>text</type>
         <help>Interval in seconds to check for address changes</help>
     </field>
+    <field>
+        <id>ddclient.general.backend</id>
+        <label>Backend</label>
+        <type>dropdown</type>
+        <help>Select the backend to use.</help>
+    </field>
 </form>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index b55c62be73..92ad3b22f9 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/DynDNS</mount>
-    <version>1.5.0</version>
+    <version>1.5.1</version>
     <description>
         Dynamic DNS client
     </description>
@@ -24,6 +24,15 @@
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>86400</MaximumValue>
             </daemon_delay>
+            <backend type="OptionField">
+                <Required>Y</Required>
+                <default>ddclient</default>
+                <ValidationMessage>A backend is required.</ValidationMessage>
+                <OptionValues>
+                    <ddclient>ddclient</ddclient>
+                    <opnsense>OPNsense</opnsense>
+                </OptionValues>
+            </backend>
         </general>
         <accounts>
             <account type=".\AccountField">
@@ -31,7 +40,7 @@
                     <default>1</default>
                     <Required>Y</Required>
                 </enabled>
-                <service type="OptionField">
+                <service type=".\ServiceField">
                     <Required>Y</Required>
                     <ValidationMessage>A service type is required.</ValidationMessage>
                     <OptionValues>
@@ -99,6 +108,11 @@
                     <Required>Y</Required>
                     <mask>/^[^\n]*$/</mask>
                 </password>
+                <resourceId type="TextField">
+                    <Required>N</Required>
+                    <mask>/^[^\n]*$/</mask>
+                    <ValidationMessage>resourceId contains invalid characters.</ValidationMessage>
+                </resourceId>
                 <hostnames type="HostnameField">
                     <Required>Y</Required>
                     <IpAllowed>N</IpAllowed>
@@ -116,7 +130,7 @@
                     <Required>N</Required>
                     <IpAllowed>N</IpAllowed>
                 </zone>
-                <checkip type="OptionField">
+                <checkip type=".\CheckipField">
                     <Required>Y</Required>
                     <default>web_dyndns</default>
                     <ValidationMessage>An IP service type is required.</ValidationMessage>
@@ -153,7 +167,6 @@
                 <interface type="InterfaceField">
                     <Required>N</Required>
                     <multiple>N</multiple>
-                    <default>wan</default>
                 </interface>
                 <description type="TextField">
                     <Required>N</Required>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
index 54d3ed624e..a21bda8115 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
@@ -47,8 +47,11 @@ private function addStatsFields($node)
         $current_ip->setInternalIsVirtual();
         $current_mtime = new TextField();
         $current_mtime->setInternalIsVirtual();
-
-        if (!empty((string)$node->hostnames)) {
+        if (isset(self::$current_stats[$node->getAttribute('uuid')])) {
+            $stats = self::$current_stats[$node->getAttribute('uuid')];
+            $current_ip->setValue($stats['ip']);
+            $current_mtime->setValue(date('c', $stats['mtime']));
+        } elseif (!empty((string)$node->hostnames)) {
             foreach (explode(",", (string)$node->hostnames) as $hostname) {
                 if (!empty(self::$current_stats[$hostname]) && !empty(self::$current_stats[$hostname]['ip'])) {
                     $stats = self::$current_stats[$hostname];
@@ -69,6 +72,8 @@ protected function actionPostLoadingEvent()
             $stats = json_decode((new Backend())->configdRun('ddclient statistics'), true);
             if (!empty($stats) && !empty($stats['hosts'])) {
                 self::$current_stats = $stats['hosts'];
+            } elseif (!empty($stats)) {
+                self::$current_stats = $stats;
             }
         }
         foreach ($this->internalChildnodes as $node) {
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php
new file mode 100644
index 0000000000..808ecbb5bc
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php
@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DynDNS\FieldTypes;
+
+use OPNsense\Base\FieldTypes\BaseListField;
+use OPNsense\Core\Backend;
+
+
+class CheckipField extends BaseListField
+{
+    private static $internalCacheOptionList = [];
+
+    public function setOptionValues($data)
+    {
+        if (!empty(self::$internalCacheOptionList)) {
+            $this->internalOptionList = self::$internalCacheOptionList;
+            return;
+        }
+        if (is_array($data)) {
+            $opn_backend = (string)$this->getParentModel()->general->backend == 'opnsense';
+            foreach ($data as $key => $value) {
+                self::$internalCacheOptionList[$key] = gettext($value);
+            }
+            if ($opn_backend) {
+                // OPNsense backend, change interface label and add IPv6 option
+                self::$internalCacheOptionList['if'] = gettext("Interface [IPv4]");
+                self::$internalCacheOptionList['if6'] = gettext("Interface [IPv6]");
+            }
+            $this->internalOptionList = self::$internalCacheOptionList;
+        }
+    }
+}
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
new file mode 100644
index 0000000000..e4a031fe36
--- /dev/null
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
@@ -0,0 +1,71 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DynDNS\FieldTypes;
+
+use OPNsense\Base\FieldTypes\BaseListField;
+use OPNsense\Core\Backend;
+
+
+class ServiceField extends BaseListField
+{
+    private static $internalCacheOptionList = [];
+
+    protected function actionPostLoadingEvent()
+    {
+        if (empty(self::$internalCacheOptionList)) {
+            // request supported services from backend
+            if ((string)$this->getParentModel()->general->backend == 'opnsense') {
+                $supported = json_decode((new Backend())->configdRun("ddclient opnbackend supported"), true);
+                if (!empty($supported)) {
+                    foreach ($supported as $srv) {
+                        self::$internalCacheOptionList[$srv] = $srv;
+                    }
+                }
+            }
+        }
+        $this->internalOptionList = self::$internalCacheOptionList;
+    }
+
+    /**
+     * setter for option values
+     * @param $data
+     */
+    public function setOptionValues($data)
+    {
+        if (!empty(self::$internalCacheOptionList) || (string)$this->getParentModel()->general->backend == 'opnsense') {
+            return;
+        }
+        if (is_array($data)) {
+            foreach ($data as $key => $value) {
+                self::$internalCacheOptionList[$key] = gettext($value);
+            }
+            $this->internalOptionList = self::$internalCacheOptionList;
+        }
+    }
+}
diff --git a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
index baaefe65d4..88ee8897e5 100644
--- a/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
+++ b/dns/ddclient/src/opnsense/mvc/app/views/OPNsense/DynDNS/index.volt
@@ -52,6 +52,9 @@ POSSIBILITY OF SUCH DAMAGE.
                   dfObj.resolve();
               });
               return dfObj;
+          },
+          onAction: function(data, status) {
+              updateServiceControlUI('dyndns');
           }
         });
         $("#account\\.service").change(function(){
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/checkip b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
index b8d7ffe3d2..0f51265521 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/checkip
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
@@ -26,61 +26,18 @@
     POSSIBILITY OF SUCH DAMAGE.
 """
 import argparse
-import subprocess
-import re
-import ipaddress
+from lib import checkip_service_list, checkip
 
-service_list = {
-  'dyndns': '%s://checkip.dyndns.org/',
-  'freedns': '%s://freedns.afraid.org/dynamic/check.php',
-  'googledomains': '%s://domains.google.com/checkip',
-  'he': '%s://checkip.dns.he.net/',
-  'icanhazip': '%s://icanhazip.com/',
-  'ip4only.me': '%s://ip4only.me/api/',
-  'ip6only.me': '%s://ip6only.me/api/',
-  'ipify-ipv4': '%s://api.ipify.org/',
-  'ipify-ipv6': '%s://api6.ipify.org/',
-  'loopia': '%s://dns.loopia.se/checkip/checkip.php',
-  'myonlineportal': '%s://myonlineportal.net/checkip',
-  'noip-ipv4': '%s://ip1.dynupdate.no-ip.com/',
-  'noip-ipv6': '%s://ip1.dynupdate6.no-ip.com/',
-  'nsupdate.info-ipv4': '%s://ipv4.nsupdate.info/myip',
-  'nsupdate.info-ipv6': '%s://ipv6.nsupdate.info/myip',
-  'zoneedit': '%s://dynamic.zoneedit.com/checkip.html'
-}
-
-
-def extract_address(txt):
-    """ Extract first IPv4 or IPv6 address from provided string
-        :param txt: text blob
-        :return: str
-    """
-    for regexp in [r'[^a-fA-F0-9\:]', r'[^F0-9\.]']:
-        for line in re.sub(regexp, ' ', txt).split():
-            if line.count('.') == 3 or line.count(':') >= 2:
-                try:
-                    ipaddress.ip_address(line)
-                    return line
-                except ValueError:
-                    pass
 
 if __name__ == '__main__':
     # handle parameters
     parser = argparse.ArgumentParser()
-    parser.add_argument('-s', '--service', help='service name', choices=service_list.keys(), required=True)
+    parser.add_argument('-s', '--service', help='service name', choices=checkip_service_list.keys(), required=True)
     parser.add_argument('-i', '--interface', help='interface', type=str, default='')
-    parser.add_argument('-t', '--tls', help='enforce tls', choices=['0', '1'], default='0')
+    parser.add_argument('-t', '--tls', help='enforce tls', choices=['0', '1'], default='1')
     parser.add_argument('--timeout', help='timeout', type=str, default='10')
     inputargs = parser.parse_args()
 
-    # use curl to fetch data, so we can optionally use "--interface"
-    params = ['/usr/local/bin/curl', '-m', inputargs.timeout]
-    if inputargs.interface.strip() != "":
-        params.append("--interface")
-        params.append(inputargs.interface)
-
     proto = 'http' if inputargs.tls == "0" else 'https'
-    params.append(service_list[inputargs.service] % proto)
-
-    result = subprocess.run(params, capture_output=True, text=True).stdout
-    print (extract_address(result))
+    interface = inputargs.interface if inputargs.interface.strip() != "" else None
+    print(checkip(inputargs.service, proto, inputargs.timeout, interface))
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/ddclient_opn.py b/dns/ddclient/src/opnsense/scripts/ddclient/ddclient_opn.py
new file mode 100755
index 0000000000..ee1fb9e568
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/ddclient_opn.py
@@ -0,0 +1,50 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import argparse
+import sys
+import json
+from lib import AccountFactory, Poller
+sys.path.insert(0, "/usr/local/opnsense/site-python")
+from daemonize import Daemonize
+
+
+if __name__ == '__main__':
+    # handle parameters
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-c', '--config', help='config file [json]', default='/usr/local/etc/ddclient.json')
+    parser.add_argument('-s', '--status', help='status output file [json]', default='/var/tmp/ddclient_opn.status')
+    parser.add_argument('-f', '--foreground', help='run (log) in foreground', default=False, action='store_true')
+    parser.add_argument('-l', '--list', help='list known services and exit', default=False, action='store_true')
+    parser.add_argument('-p', '--pid', help='pid file location', default='/var/run/ddclient_opn.pid')
+    inputargs = parser.parse_args()
+    if inputargs.list:
+        print(json.dumps(AccountFactory().known_services()))
+    else:
+        cmd = lambda : Poller(inputargs.config, inputargs.status)
+        daemon = Daemonize(app="ddclient", pid=inputargs.pid, action=cmd, foreground=inputargs.foreground)
+        daemon.start()
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py
new file mode 100644
index 0000000000..025fbe05a3
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py
@@ -0,0 +1,61 @@
+"""
+    Copyright (c) 2022-2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+    -------------------------------------------------------------------------------------------------------
+    OPNsense ddclient alternative version.
+
+    The base for the application is a configuration file /usr/local/etc/ddclient.json containing a `general` and
+    `account` section. Structured dictionaries per account settings determine the services to subscribe to,
+    general settings contain verbosity settings and poll intervals for example.
+
+    Package structure:
+        * address.py
+            - contains all logic to figure out which address to use.
+        * poller.py
+            - The main poller class, which drives dyndns resolving.
+        * accounts
+            - Account/service type definitions, deriving from `BaseAccount`.
+
+    The BaseAccount type:
+
+        The lifetime of an account starts with the determination if an account object matches a requested configuration
+        account. Our AccountFactory() class is responsible for figuring our which classes are available and would
+        fit a provided definition using the `match(account)` method.
+
+        Every account has an `atime` property, which determines when was the last time we compared if the stored address
+        matches the requested one and if needed was set accordingly at the remote service.
+
+        Since every account likely has a dependency on an ip address, the base acccount implements an `execute()` method
+        which detects basic change (address, configuration changes) after which the implementation can do the actual
+        work and report if the address has really changed. This saves code and keeps the implementation simpler.
+
+    The Poller class:
+
+        Upon creation will start reading the configuration and merges the last known state (json), after each poll where something
+        changed (return status of `execute()`) the state is flushed to disk.
+
+"""
+from .address import checkip_service_list, checkip
+from .poller import AccountFactory, Poller
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
new file mode 100644
index 0000000000..de34627bdf
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
@@ -0,0 +1,133 @@
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import hashlib
+import uuid
+import time
+from ..address import checkip
+
+
+class BaseAccount:
+    _priority = 255
+
+    def __init__(self, account: dict):
+        self._account = account
+        self._account['id'] = account.get('id', str(uuid.uuid4()))
+        self._account['description'] = account.get('description', '')
+        self._state = {}
+        self._last_accessed = 0
+        self._current_address = None   # last resolved address
+
+        # calculate a hash so we can easily detect configuration changes
+        hash_list = []
+        for fieldname in sorted(account.keys()):
+            if fieldname not in ['id', 'description', 'checkip', 'checkip_timeout', 'force_ssl']:
+                hash_list.append(str(account[fieldname]))
+        self._account['md5'] = hashlib.md5("|".join(hash_list).encode()).hexdigest()
+
+
+    def update_state(self, address, status='good'):
+        """ set ip[v4 or v6] address and update in state dict when address is provided.
+        """
+        if address is not None:
+            self._state['ip'] = address
+            self._state['status'] = status
+            self._state['mtime'] = time.time()
+            self._state['md5'] = self.md5
+        self._last_accessed = time.time()
+
+    @staticmethod
+    def known_services():
+        return []
+
+    @property
+    def id(self):
+        """ account unique id
+        """
+        return self._account['id']
+
+    @property
+    def settings(self):
+        return self._account
+
+    @staticmethod
+    def match(account):
+        """ Does this account fit for the provided specification
+        """
+        return False
+
+    @property
+    def description(self):
+        return ("%(id)s [%(service)s - %(description)s] " % self._account)
+
+    @property
+    def state(self):
+        return self._state
+
+    @state.setter
+    def state(self, value: dict):
+        self._state = value
+
+    @property
+    def mtime(self):
+        return self._state.get('mtime', 0)
+
+    @property
+    def atime(self):
+        return self._last_accessed
+
+    @property
+    def md5(self):
+        return self._account.get('md5')
+
+    @property
+    def is_verbose(self):
+        return self._account.get('verbose') is True
+
+    @property
+    def current_address(self):
+        return self._current_address
+
+    def execute(self):
+        """ execute account check/update sequence, return true if state changed
+        """
+        self._current_address = checkip(
+            service = self.settings.get('checkip'),
+            proto = 'https' if self.settings.get('force_ssl', False) else 'http',
+            timeout = str(self.settings.get('checkip_timeout', '10')),
+            interface = self.settings['interface'] if self.settings.get('interface' ,'').strip() != '' else None
+        )
+
+        if self._current_address != '' and (
+                self._state.get('ip') is None or
+                self._current_address != self._state.get('ip') or
+                self.state.get('md5') != self.md5
+        ):
+            # if current address doesn't equal the current state, propagate the fact
+            return True
+        else:
+            # unmodified, keep track of last access timestamp
+            self._last_accessed = time.time()
+            return False
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
new file mode 100644
index 0000000000..4fe92e9a9a
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
@@ -0,0 +1,196 @@
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+    ----------------------------------------------------------------------------------------------------
+    Azure DNS provider, inspired by https://github.com/opnsense/plugins/pull/1547
+
+    List DNS zones using Azure cloud shell
+
+    #> az network dns zone list
+
+    Returns a structure like:
+
+    [
+      {
+        "etag": "00000000-0000-0000-0000-0000000000000",
+        "id": "/subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/example/providers/Microsoft.Network/dnszones/example.com",   <---- ResourceId
+        "location": "global",
+        "maxNumberOfRecordSets": 10000,
+        "maxNumberOfRecordsPerRecordSet": null,
+        "name": "test.deciso.com",
+        "nameServers": [
+          "ns1-07.azure-dns.com.",
+          "ns2-07.azure-dns.net.",
+          "ns3-07.azure-dns.org.",
+          "ns4-07.azure-dns.info."
+        ],
+        "numberOfRecordSets": 3,
+        "registrationVirtualNetworks": null,
+        "resolutionVirtualNetworks": null,
+        "resourceGroup": "xxxxxx",
+        "tags": {},
+        "type": "Microsoft.Network/dnszones",
+        "zoneType": "Public"
+      }
+    ]
+
+    Next create a service principal (https://learn.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_create_for_rbac)
+
+    #> az ad sp create-for-rbac --name  "AcmeDnsValidator" --role "DNS Zone Contributor" --scopes /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/example/providers/Microsoft.Network/dnszones/example.com
+
+    Which returns a structure like:
+
+    {
+      "appId": "00000000-0000-0000-0000-000000000000",      <--- username
+      "displayName": "AcmeDnsValidator",
+      "password": "000000000000000000000000000000000000",   <--- Password
+      "tenant": "00000000-0000-0000-0000-000000000000"
+    }
+"""
+import syslog
+import requests
+from requests.auth import HTTPBasicAuth
+from . import BaseAccount
+
+
+class Azure(BaseAccount):
+    _services = {
+        'azure': 'management.azure.com/subscriptions'
+    }
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return  Azure._services.keys()
+
+    def match(account):
+        if account.get('service') in Azure._services:
+            return True
+        else:
+            return False
+
+    def execute(self):
+        """ Azure DNS update, uses an oauth2 sequence to login, the following requests are being performed:
+            - https://management.azure.com/subscriptions/%s --> request target to authenticate against
+            - https://login.microsoftonline.com/%s/oauth2/token --> login using the tenantId received in the prev req
+            - https://management.azure.com/%s/XXX/%s --> set hostname address using the bearer token received
+        """
+        if super().execute():
+            resourceId = self.settings.get('resourceId', '')
+            if resourceId.find('subscriptions/') == -1:
+                syslog.syslog(syslog.LOG_ERR, 'No subscription id found for account %s' % self.description)
+                return
+            subscriptionId = resourceId.split('subscriptions/')[-1].split('/')[0]
+            req = requests.get('https://management.azure.com/subscriptions/%s?api-version=2016-09-01' % subscriptionId)
+            auth_target = req.headers.get('WWW-Authenticate', '').split(maxsplit=1)
+            if len(auth_target) < 2 or auth_target[0] != 'Bearer':
+                syslog.syslog(syslog.LOG_ERR, 'No Bearer token found for account %s' % self.description)
+                return
+            elif auth_target[1].find('https://login.windows.net/') == -1:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    'Unable to find Tenant ID for account %s (response: %s)' % (self.description, auth_target[1])
+                )
+                return
+
+            tenantId = auth_target[1].split('https://login.windows.net/')[1].split('"')[0]
+            req_opts = {
+                'url':  'https://login.microsoftonline.com/%s/oauth2/token' % tenantId,
+                'data': {
+                    'resource': 'https://management.core.windows.net/',
+                    'grant_type': 'client_credentials',
+                    'client_id': self.settings.get('username'),
+                    'client_secret': self.settings.get('password')
+                },
+                'headers': {
+                    'User-Agent': 'OPNsense-dyndns'
+                }
+            }
+            req = requests.post(**req_opts)
+            try:
+                token_payload = req.json()
+            except requests.exceptions.JSONDecodeError:
+                token_payload = {}
+            if req.status_code != 200  or 'access_token' not in token_payload:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    'Unable to authenticate account %s (http_code: %d - %s)' % (
+                        self.description,
+                        req.status_code,
+                        req.text.replace('\n', '')
+                    )
+                )
+                return
+
+            for hostname in self.settings.get('hostnames', '').split(','):
+                req_opts = {
+                    'headers': {
+                        'Accept': 'application/json',
+                        'Authorization': 'Bearer %s' % token_payload['access_token'],
+                        'Content-Type': 'application/json'
+                    }
+                }
+                if self.current_address.find(':') > 1:
+                    # IPv6
+                    req_opts['url'] = 'https://management.azure.com/%s/AAAA/%s?api-version=2018-05-01' % (
+                        resourceId, hostname
+                    )
+                    req_opts['json'] = {
+                        'properties': {
+                            'AAAARecords': [
+                                {
+                                    'ipv6Address': self.current_address
+                                }
+                            ]
+                        }
+                    }
+                else:
+                    #IPv4
+                    req_opts['url'] = 'https://management.azure.com/%s/A/%s?api-version=2018-05-01' % (
+                        resourceId, hostname
+                    )
+                    req_opts['json'] = {
+                        'properties': {
+                            'ARecords': [
+                                {
+                                    'ipv4Address': self.current_address
+                                }
+                            ]
+                        }
+                    }
+
+                req = requests.patch(**req_opts)
+                if req.status_code == 200:
+                    if self.is_verbose:
+                        syslog.syslog(
+                            syslog.LOG_NOTICE,
+                            "Account %s set new ip %s [%s]" % (self.description, self.current_address, req.text.strip())
+                        )
+
+                    self.update_state(address=self.current_address)
+                    return True
+
+        return False
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
new file mode 100644
index 0000000000..2ea0649c3f
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -0,0 +1,104 @@
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import syslog
+import requests
+from requests.auth import HTTPBasicAuth
+from . import BaseAccount
+
+
+class DynDNS2(BaseAccount):
+    _priority = 65535
+
+    _services = {
+        'dyndns2': 'members.dyndns.org',
+        'dns-o-matic': 'updates.dnsomatic.com',
+        'dynu': 'api.dynu.com',
+        'he-net': 'dyn.dns.he.net',
+        'he-net-tunnel': 'ipv4.tunnelbroker.net',
+        'inwx': 'dyndns.inwx.com',
+        'loopia': 'dyndns.loopia.se',
+        'nsupdatev4': 'ipv4.nsupdate.info',
+        'nsupdatev6': 'ipv6.nsupdate.info',
+        'ovh': 'www.ovh.com',
+        'spdyn': 'update.spdyn.de',
+        'strato': 'dyndns.strato.com',
+        'noip': 'dynupdate.no-ip.com'
+    }
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return  DynDNS2._services.keys()
+
+    def match(account):
+        if account.get('service') in DynDNS2._services or (
+            account.get('server') is not None and account.get('protocol') in ['dyndns2', 'dyndns1']
+        ):
+            return True
+        else:
+            return False
+
+    def execute(self):
+        if super().execute():
+            proto = 'https' if self.settings.get('force_ssl', False) else 'http'
+            if self.settings.get('service') in self._services:
+                url = "%s://%s/nic/update" % (proto, self._services[self.settings.get('service')])
+            else:
+                url = "%s://%s/nic/update" % (proto, self.settings.get('server'))
+
+            req_opts = {
+                'url': url,
+                'params': {
+                    'hostname': self.settings.get('hostnames'),
+                    'myip': self.current_address,
+                    'wildcard': 'ON' if self.settings.get('wildcard', False) else 'NOCHG'
+                },
+                'auth': HTTPBasicAuth(self.settings.get('username'), self.settings.get('password')),
+                'headers': {
+                    'User-Agent': 'OPNsense-dyndns'
+                }
+            }
+            req = requests.get(**req_opts)
+            if req.status_code == 200:
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s set new ip %s [%s]" % (self.description, self.current_address, req.text.strip())
+                    )
+
+                self.update_state(address=self.current_address, status=req.text.split()[0])
+                return True
+            else:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s failed to set new ip %s [%d - %s]" % (
+                        self.description, self.current_address, req.status_code, req.text.replace('\n', '')
+                    )
+                )
+
+        return False
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
new file mode 100644
index 0000000000..b5071214bf
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -0,0 +1,98 @@
+"""
+    Copyright (c) 2022-2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import subprocess
+import re
+import ipaddress
+
+
+checkip_service_list = {
+  'dyndns': '%s://checkip.dyndns.org/',
+  'freedns': '%s://freedns.afraid.org/dynamic/check.php',
+  'googledomains': '%s://domains.google.com/checkip',
+  'he': '%s://checkip.dns.he.net/',
+  'icanhazip': '%s://icanhazip.com/',
+  'ip4only.me': '%s://ip4only.me/api/',
+  'ip6only.me': '%s://ip6only.me/api/',
+  'ipify-ipv4': '%s://api.ipify.org/',
+  'ipify-ipv6': '%s://api6.ipify.org/',
+  'loopia': '%s://dns.loopia.se/checkip/checkip.php',
+  'myonlineportal': '%s://myonlineportal.net/checkip',
+  'noip-ipv4': '%s://ip1.dynupdate.no-ip.com/',
+  'noip-ipv6': '%s://ip1.dynupdate6.no-ip.com/',
+  'nsupdate.info-ipv4': '%s://ipv4.nsupdate.info/myip',
+  'nsupdate.info-ipv6': '%s://ipv6.nsupdate.info/myip',
+  'zoneedit': '%s://dynamic.zoneedit.com/checkip.html'
+}
+
+
+def extract_address(txt):
+    """ Extract first IPv4 or IPv6 address from provided string
+        :param txt: text blob
+        :return: str
+    """
+    for regexp in [r'[^a-fA-F0-9\:]', r'[^F0-9\.]']:
+        for line in re.sub(regexp, ' ', txt).split():
+            if line.count('.') == 3 or line.count(':') >= 2:
+                try:
+                    ipaddress.ip_address(line)
+                    return line
+                except ValueError:
+                    pass
+    return ""
+
+
+def checkip(service, proto='https', timeout='10', interface=None):
+    """ find ip address using external services defined in checkip_service_list
+        :param proto: protocol
+        :param timeout: timeout in seconds
+        :param interface: bind to interface
+        :return: str
+    """
+    if service.startswith('web_'):
+        # configuration name, strip web_ part
+        service = service[4:]
+    if service in checkip_service_list:
+        params = ['/usr/local/bin/curl', '-m', timeout]
+        if interface is not None:
+            params.append("--interface")
+            params.append(interface)
+        params.append(checkip_service_list[service] % proto)
+        return extract_address(subprocess.run(params, capture_output=True, text=True).stdout)
+    elif service in ['if', 'if6'] and interface is not None:
+        # return first non private IPv[4|6] interface address
+        ifcfg = subprocess.run(['/sbin/ifconfig', interface], capture_output=True, text=True).stdout
+        for line in ifcfg.split('\n'):
+            if line.startswith('\tinet'):
+                parts = line.split()
+                if (parts[0] == 'inet' and service == 'if') or (parts[0] == 'inet6' and service == 'if6'):
+                    try:
+                        address = ipaddress.ip_address(parts[1])
+                        if address.is_global:
+                            return address
+                    except ValueError:
+                        continue
+    else:
+        return ""
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
new file mode 100644
index 0000000000..dc7256da5c
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
@@ -0,0 +1,165 @@
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import fcntl
+import syslog
+import glob
+import importlib
+import sys
+import os
+import time
+import ujson
+import ipaddress
+from .account import BaseAccount
+
+
+class AccountFactory:
+    def __init__(self):
+        self._account_classes = list()
+        self._register()
+
+    def _register(self):
+        """ Register all account (type) classes.
+            These usually describe a protocol (like dyndns2)
+        """
+        pkg_name = "%s.account" % __name__[:-len(os.path.splitext(os.path.basename(__file__))[0])-1]
+        all_account_classes = list()
+        for filename in glob.glob("%s/account/*.py" % os.path.dirname(__file__)):
+            importlib.import_module(".%s" % os.path.splitext(os.path.basename(filename))[0], pkg_name)
+
+        for module_name in dir(sys.modules[pkg_name]):
+            for attribute_name in dir(getattr(sys.modules[pkg_name], module_name)):
+                cls = getattr(getattr(sys.modules[pkg_name], module_name), attribute_name)
+                if isinstance(cls, type) and issubclass(cls, BaseAccount) and cls != BaseAccount:
+                    all_account_classes.append(cls)
+
+        self._account_classes = sorted(all_account_classes, key=lambda k: k._priority)
+
+    def get(self, account: dict):
+        for handler in self._account_classes:
+            if handler.match(account):
+                return handler(account)
+
+    def known_services(self):
+        all_services = []
+        for handler in self._account_classes:
+            all_services += handler.known_services()
+        return all_services
+
+
+class Poller:
+    def __init__(self, config_filename, status_filename):
+        self._config_filename = config_filename
+        self._status_filename = status_filename
+        self._accounts = {}
+        self._general_settings = {}
+        syslog.openlog('ddclient', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
+        self.startup()
+        self.run()
+
+    @property
+    def is_verbose(self):
+        return self._general_settings.get('verbose') is True
+
+    @property
+    def is_enabled(self):
+        return self._general_settings.get('enabled') is True
+
+    @property
+    def poll_interval(self):
+        return self._general_settings.get('daemon_delay', 60)
+
+    def startup(self):
+        account_factory = AccountFactory()
+        with open(self._config_filename) as f:
+            cnf = ujson.load(f)
+            if type(cnf.get('general')) is dict:
+                self._general_settings = cnf.get('general')
+            if type(cnf.get('accounts')) is list:
+                for account in cnf.get('accounts'):
+                    account['verbose'] = self.is_verbose
+                    acc = account_factory.get(account)
+                    if acc:
+                        self._accounts[acc.id] = acc
+                        if self.is_verbose:
+                            syslog.syslog(
+                                syslog.LOG_NOTICE,
+                                "Account %s uses %s for service" % (acc.description, acc.__class__.__name__)
+                            )
+                    elif self.is_verbose:
+                        syslog.syslog(
+                            syslog.LOG_NOTICE,
+                            "Unable to find a suitable target for account %(id)s [%(description)s]" % account
+                        )
+        if len(self._accounts) > 0 and os.path.isfile(self._status_filename):
+            with open(self._status_filename) as f:
+                try:
+                    state = ujson.load(f)
+                    if type(state) is dict:
+                        for sid in state:
+                            if sid in self._accounts:
+                                self._accounts[sid].state = state[sid]
+                except ValueError:
+                    syslog.syslog(syslog.LOG_ERR, "Unable to read file %s" % self._status_filename)
+
+    def flush_status(self):
+        fhandle = open(self._status_filename, 'a+')
+        try:
+            fcntl.flock(fhandle, fcntl.LOCK_EX | fcntl.LOCK_NB)
+        except IOError:
+            syslog.syslog(syslog.LOG_ERR, "Unable to flush status, %s already locked" % self._status_filename)
+            return
+        fhandle.seek(0)
+        fhandle.truncate()
+        data = {}
+        for acc_id in self._accounts:
+            data[acc_id] = self._accounts[acc_id].state
+        fhandle.write(ujson.dumps(data))
+        fhandle.close()
+
+    def run(self):
+        while True:
+            needs_flush = False
+            for acc in self._accounts.values():
+                if time.time() - acc.atime > self.poll_interval:
+                    if self.is_verbose:
+                        syslog.syslog(syslog.LOG_NOTICE, "Account %s execute" % acc.description)
+                    try:
+                        if acc.execute():
+                            if self.is_verbose:
+                                syslog.syslog(syslog.LOG_NOTICE, "Account %s changed" % acc.description)
+                            needs_flush = True
+                    except Exception as e:
+                        # fatal exception, update atime so we're not going to retry too soon
+                        acc.update_state(None)
+                        syslog.syslog(syslog.LOG_ERR, "Account %s raised fatal error (%s)" % (acc.description, e))
+
+            if needs_flush:
+                if self.is_verbose:
+                    syslog.syslog(syslog.LOG_NOTICE, "Flush dyndns status to disk")
+                self.flush_status()
+
+            # XXX: needs better poll interval calculation
+            time.sleep(5)
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/stats b/dns/ddclient/src/opnsense/scripts/ddclient/stats
index 891e3ea876..750f16eb19 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/stats
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/stats
@@ -29,10 +29,17 @@
 import os
 import json
 
-filename = "/var/tmp/ddclient.cache"
+filename = '/var/tmp/ddclient.cache'
+filename_new = '/var/tmp/ddclient_opn.status'
 
 result = {"hosts": {}}
-if os.path.isfile(filename):
+
+# both ddclient and "opnsense" ddclient exist, only use old when currently in use
+if os.path.isfile(filename) and os.path.isfile(filename_new):
+    if os.path.getmtime(filename) < os.path.getmtime(filename_new):
+        filename = None
+
+if filename is not None and os.path.isfile(filename):
     with open(filename, "r") as fhandle:
         for idx, row in enumerate(fhandle):
             if idx == 0:
@@ -49,5 +56,10 @@ if os.path.isfile(filename):
                         record[parts[0]] = parts[1]
                 if 'host' in record:
                     result['hosts'][record['host']] = record
+elif os.path.isfile(filename_new):
+    # output will look completely different when our implementation is used, the model knows how to parse this
+    # (see AccountField.php)
+    with open(filename_new) as f:
+        result = json.load(f)
 
 print(json.dumps(result))
diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
index a7ced08f30..7d3ddf3600 100644
--- a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -1,17 +1,21 @@
 [start]
 command:
     chmod 600 /usr/local/etc/ddclient.conf;
-    /usr/local/etc/rc.d/ddclient start
+    /usr/local/etc/rc.d/ddclient start ;
+    /usr/local/etc/rc.d/ddclient_opn start
 type:script
 message:starting ddclient
 
 [stop]
-command:pkill -F /var/run/ddclient.pid 2> /dev/null; exit 0
+command:pkill -F /var/run/ddclient.pid 2> /dev/null; /usr/local/etc/rc.d/ddclient_opn onestop 2> /dev/null; exit 0
 type:script
 message:stopping ddclient
 
 [status]
-command:pgrep -qF /var/run/ddclient.pid && echo "ddclient is running" || echo "ddclient is not running"
+command:
+    pgrep -qF /var/run/ddclient.pid 2> /dev/null && echo "ddclient is running" ||
+    pgrep -qF /var/run/ddclient_opn.pid 2> /dev/null &&  echo "ddclient is running" ||
+    echo "ddclient is not running"
 type:script_output
 message:get ddclient status
 
@@ -19,7 +23,8 @@ message:get ddclient status
 command:
     chmod 600 /usr/local/etc/ddclient.conf;
     pkill -F /var/run/ddclient.pid 2> /dev/null;
-    /usr/local/etc/rc.d/ddclient restart
+    /usr/local/etc/rc.d/ddclient restart ;
+    /usr/local/etc/rc.d/ddclient_opn restart
 type:script
 message:restarting ddclient
 description:Restart ddclient service
@@ -27,6 +32,8 @@ description:Restart ddclient service
 [force]
 command:
     chmod 600 /usr/local/etc/ddclient.conf;
+    rm /var/tmp/ddclient_opn.status 2>/dev/null;
+    /usr/local/etc/rc.d/ddclient_opn restart 2>/dev/null;
     /usr/local/sbin/ddclient -force
 type:script
 message:forcing ddclient update
@@ -36,3 +43,8 @@ description:Force ddclient update
 command:/usr/local/opnsense/scripts/ddclient/stats
 type:script_output
 message:get ddclient statistics
+
+[opnbackend.supported]
+command:/usr/local/opnsense/scripts/ddclient/ddclient_opn.py -l
+type:script_output
+message:get ddclient statistics
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/+TARGETS b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/+TARGETS
index 0ec7e572f1..63822fd4f2 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/+TARGETS
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/+TARGETS
@@ -1,2 +1,4 @@
 rc.conf.d:/etc/rc.conf.d/ddclient
+ddclient_opn.rc.conf.d:/etc/rc.conf.d/ddclient_opn
 ddclient.conf:/usr/local/etc/ddclient.conf
+ddclient.json:/usr/local/etc/ddclient.json
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 290bc8ba76..cf79c745a2 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -9,7 +9,7 @@ ipv6=yes
 {% endif %}
 {%  set accounts = [] %}
 {%  set force_ssl = [] %}
-{%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
+{%  if helpers.exists('OPNsense.DynDNS.accounts.account') and OPNsense.DynDNS.general.backend|default('ddclient') == 'ddclient' %}
 {%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
 {%        if account.enabled|default('0') == '1' %}
 {%            do accounts.append(account) %}
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
new file mode 100644
index 0000000000..3e2b8cfed1
--- /dev/null
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
@@ -0,0 +1,34 @@
+{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
+{
+  "general": {
+      "enabled": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.enabled') else "false" }},
+      "verbose": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.verbose') else "false" }},
+      "allowipv6": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.allowipv6') else "false" }},
+      "daemon_delay": {{OPNsense.DynDNS.general.daemon_delay|default('300')}}
+  },
+  "accounts": [
+{%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
+{%     for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
+{%         if account.enabled  == '1' %}
+      {
+          "id": "{{ account['@uuid'] }}",
+          "service": "{{ account.service }}",
+          "protocol": "{{ account.protocol }}",
+          "server": "{{ account.server }}",
+          "resourceId": "{{ account.resourceId }}",
+          "username": "{{ account.username }}",
+          "password": "{{ account.password }}",
+          "hostnames": "{{ account.hostnames }}",
+          "wildcard": {{ "true" if account.wildcard  == '1' else "false"}},
+          "zone": "{{ account.zone }}",
+          "checkip": "{{ account.checkip }}",
+          "checkip_timeout": {{ account.checkip_timeout }},
+          "force_ssl": {{ "true" if account.force_ssl  == '1' else "false"}},
+          "interface": "{%if account.interface %}{{physical_interface(account.interface)}}{% endif%}",
+          "description": "{{ account.description }}"
+      }{{ "," if not loop.last else ""}}
+{%         endif %}
+{%     endfor %}
+{%  endif %}
+  ]
+}
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d
new file mode 100644
index 0000000000..42ac2302cd
--- /dev/null
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d
@@ -0,0 +1,5 @@
+{% if not helpers.empty('OPNsense.DynDNS.general.enabled') and OPNsense.DynDNS.general.backend|default('ddclient') == 'opnsense' %}
+ddclient_opn_enable="YES"
+{% else %}
+ddclient_opn_enable="NO"
+{% endif %}
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
index f4c7697564..2453343983 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
@@ -1,4 +1,4 @@
-{% if not helpers.empty('OPNsense.DynDNS.general.enabled') %}
+{% if not helpers.empty('OPNsense.DynDNS.general.enabled') and OPNsense.DynDNS.general.backend|default('ddclient') == 'ddclient' %}
 ddclient_enable="YES"
 ddclient_flags="-daemon {{OPNsense.DynDNS.general.daemon_delay|default('300')}}"
 {% else %}

From 7f3814869227888245542e78573e21108b5521a4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 7 Jan 2023 09:48:17 +0100
Subject: [PATCH 1317/3088] dns/ddclient - minor stylefix in Azure account
 handler

---
 .../src/opnsense/scripts/ddclient/lib/account/azure.py      | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
index 4fe92e9a9a..ff28fdef9c 100644
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
@@ -75,16 +75,14 @@
 
 
 class Azure(BaseAccount):
-    _services = {
-        'azure': 'management.azure.com/subscriptions'
-    }
+    _services = ['azure']
 
     def __init__(self, account: dict):
         super().__init__(account)
 
     @staticmethod
     def known_services():
-        return  Azure._services.keys()
+        return  Azure._services
 
     def match(account):
         if account.get('service') in Azure._services:

From 3f94700af54f262f2913f212db3f43a7b9f5195a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Jan 2023 12:27:17 +0100
Subject: [PATCH 1318/3088] plugins: logoptions= using wrong syslog.LOG_DAEMON
 value

---
 dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py        | 2 +-
 net/frr/src/opnsense/scripts/frr/carp_event_handler             | 2 +-
 security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
index dc7256da5c..4982055f8d 100644
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
@@ -75,7 +75,7 @@ def __init__(self, config_filename, status_filename):
         self._status_filename = status_filename
         self._accounts = {}
         self._general_settings = {}
-        syslog.openlog('ddclient', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
+        syslog.openlog('ddclient', facility=syslog.LOG_LOCAL4)
         self.startup()
         self.run()
 
diff --git a/net/frr/src/opnsense/scripts/frr/carp_event_handler b/net/frr/src/opnsense/scripts/frr/carp_event_handler
index 3256478b8b..5baa2f63a3 100755
--- a/net/frr/src/opnsense/scripts/frr/carp_event_handler
+++ b/net/frr/src/opnsense/scripts/frr/carp_event_handler
@@ -31,7 +31,7 @@ import lib.events
 from lib import InterfaceStatus, VtySH
 
 if __name__ == '__main__':
-    syslog.openlog('frr_carp', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL1)
+    syslog.openlog('frr_carp', facility=syslog.LOG_LOCAL1)
     syslog.syslog(syslog.LOG_NOTICE, 'FRR received carp configuration event.')
     ifstatus = InterfaceStatus()
     vtysh = VtySH()
diff --git a/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py b/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
index 115619d400..3017429d55 100755
--- a/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
+++ b/security/stunnel/src/opnsense/scripts/stunnel/identd_stunnel.py
@@ -200,7 +200,7 @@ def run_listener():
     parser.add_argument('--foreground', help='run in forground', default=False, action='store_true')
     inputargs = parser.parse_args()
 
-    syslog.openlog('identd_stunnel', logoption=syslog.LOG_DAEMON, facility=syslog.LOG_LOCAL4)
+    syslog.openlog('identd_stunnel', facility=syslog.LOG_LOCAL4)
 
     if inputargs.foreground:
         run_listener()

From af2599ab60280a05df4bf210942058431381e64b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Jan 2023 08:45:36 +0100
Subject: [PATCH 1319/3088] plugins: style etc.

---
 LICENSE                                                       | 4 ++--
 .../controllers/OPNsense/DynDNS/Api/AccountsController.php    | 1 -
 .../app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php    | 1 -
 .../app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php    | 1 -
 dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py    | 0
 .../src/opnsense/scripts/ddclient/lib/account/__init__.py     | 0
 .../src/opnsense/scripts/ddclient/lib/account/azure.py        | 0
 .../src/opnsense/scripts/ddclient/lib/account/dyndns2.py      | 0
 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py     | 0
 dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py      | 0
 10 files changed, 2 insertions(+), 5 deletions(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py

diff --git a/LICENSE b/LICENSE
index dee529ae30..fc3d5998e7 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2015-2022 Ad Schellevis <ad@opnsense.org>
+Copyright (c) 2015-2023 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
@@ -11,7 +11,7 @@ Copyright (c) 2011 Dan Myers
 Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
-Copyright (c) 2014-2022 Deciso B.V.
+Copyright (c) 2014-2023 Deciso B.V.
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 Copyright (c) 2008 Donovan Schonknecht
 Copyright (c) 2006 Eric Friesen
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
index 363dbbf4be..f15dab90c9 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/Api/AccountsController.php
@@ -33,7 +33,6 @@
 use OPNsense\Base\ApiMutableModelControllerBase;
 use OPNsense\Core\Backend;
 
-
 class AccountsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'account';
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php
index 808ecbb5bc..83962e8054 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/CheckipField.php
@@ -31,7 +31,6 @@
 use OPNsense\Base\FieldTypes\BaseListField;
 use OPNsense\Core\Backend;
 
-
 class CheckipField extends BaseListField
 {
     private static $internalCacheOptionList = [];
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
index e4a031fe36..891423c1b6 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
@@ -31,7 +31,6 @@
 use OPNsense\Base\FieldTypes\BaseListField;
 use OPNsense\Core\Backend;
 
-
 class ServiceField extends BaseListField
 {
     private static $internalCacheOptionList = [];
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py
old mode 100644
new mode 100755
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
old mode 100644
new mode 100755
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
old mode 100644
new mode 100755
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
old mode 100644
new mode 100755
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
old mode 100644
new mode 100755
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
old mode 100644
new mode 100755

From 3b182a3eba1dfd4bf6349ed1dccd5b29b7b84213 Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Tue, 10 Jan 2023 02:51:00 -0500
Subject: [PATCH 1320/3088] dns/bind: cleanup master/slave zone UI (#3224)

---
 dns/bind/pkg-descr                            |  1 +
 .../Bind/forms/dialogEditBindMasterDomain.xml | 50 -------------------
 .../Bind/forms/dialogEditBindSlaveDomain.xml  |  4 +-
 .../mvc/app/views/OPNsense/Bind/general.volt  |  2 -
 4 files changed, 3 insertions(+), 54 deletions(-)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 65e8d0fe2d..864f2cc0fc 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 
 1.25
 
+* Cleanup/Fix the Master/Slave domain dialogs (contributed by Robbert Rijkse)
 * Revamp the logging page with proper columns (contributed by Robbert Rijkse)
 * Update base to BIND 9.18
 
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindMasterDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindMasterDomain.xml
index c7ccbfbb76..2141fb0ad0 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindMasterDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindMasterDomain.xml
@@ -23,56 +23,6 @@
         <type>dropdown</type>
         <help>Define an ACL where you allow which client are allowed to query this zone.</help>
     </field>
-    <field>
-        <id>domain.type</id>
-        <label>Type</label>
-        <type>dropdown</type>
-        <help>Set the type for this zone.</help>
-    </field>
-    <field>
-        <label>Slave Zone</label>
-        <type>header</type>
-        <style>zone_type zone_type_slave</style>
-    </field>
-    <field>
-        <id>domain.masterip</id>
-        <label>Master IP</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set the IP address of master server when using slave mode.</help>
-    </field>
-    <field>
-        <id>domain.transferkeyalgo</id>
-        <label>Transfer Key Algorithm</label>
-        <type>dropdown</type>
-        <help>Set the authentication algorithm for the TSIG key used to transfer domain data from the master server.</help>
-    </field>
-    <field>
-        <id>domain.transferkeyname</id>
-        <label>Transfer Key Name</label>
-        <type>text</type>
-        <help>The name of the TSIG key, which must match the value on the master server.</help>
-    </field>
-    <field>
-        <id>domain.transferkey</id>
-        <label>Transfer Key</label>
-        <type>text</type>
-        <help>The base64-encoded TSIG key.</help>
-    </field>
-    <field>
-        <id>domain.allownotifyslave</id>
-        <label>Allow Notfiy</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>A list of allowed IP addresses to receive notifies from.</help>
-    </field>
-    <field>
-        <label>Master Zone</label>
-        <type>header</type>
-        <style>zone_type zone_type_master</style>
-    </field>
     <field>
         <id>domain.ttl</id>
         <label>TTL</label>
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
index c7789f46a1..3b7ebd9b9e 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
@@ -47,7 +47,7 @@
         <id>domain.transferkey</id>
         <label>Transfer Key</label>
         <type>text</type>
-        <help>The base64-encoded TSIG key.</help>
+        <help>The TSIG key used to transfer domain data from the master server in Base64 encoding.</help>
     </field>
     <field>
         <id>domain.allownotifyslave</id>
@@ -55,6 +55,6 @@
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>A list of allowed IP addresses to receive notifies from (in addition to the master server.)</help>
+        <help>A list of allowed IP addresses to receive notifies from (in addition to the master server).</help>
     </field>
 </form>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 3eb6b8f0cb..5a82029696 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -92,7 +92,6 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="type" data-type="string" data-visible="true">{{ lang._('Type') }}</th>
                     <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
                     <th data-column-id="ttl" data-type="string" data-visible="true">{{ lang._('TTL') }}</th>
                     <th data-column-id="refresh" data-type="string" data-visible="true">{{ lang._('Refresh') }}</th>
@@ -161,7 +160,6 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="type" data-type="string" data-visible="true">{{ lang._('Type') }}</th>
                     <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
                     <th data-column-id="masterip" data-type="string" data-visible="true">{{ lang._('Master IPs') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>

From 2d87d5b86fa979c8ca552ad28f32916d56f83951 Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Tue, 10 Jan 2023 03:13:11 -0500
Subject: [PATCH 1321/3088] dns/bind: add RNDC key UI support (#3239)

---
 dns/bind/pkg-descr                            |  1 +
 .../OPNsense/Bind/GeneralController.php       |  1 +
 .../OPNsense/Bind/forms/rndcKey.xml           | 14 +++++++++++
 .../mvc/app/models/OPNsense/Bind/General.xml  | 18 ++++++++++++++-
 .../mvc/app/views/OPNsense/Bind/general.volt  | 23 +++++++++++++++++++
 .../templates/OPNsense/Bind/named.conf        |  6 +++--
 .../service/templates/OPNsense/Bind/rndc.conf |  6 +++--
 7 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/rndcKey.xml

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 864f2cc0fc..f9ffd920c4 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 
 * Cleanup/Fix the Master/Slave domain dialogs (contributed by Robbert Rijkse)
 * Revamp the logging page with proper columns (contributed by Robbert Rijkse)
+* Add UI for RNDC Key configuration (contributed by Robbert Rijkse)
 * Update base to BIND 9.18
 
 1.24
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
index 132322f190..f2bdcac42b 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
@@ -34,6 +34,7 @@ public function indexAction()
     {
         $this->view->generalForm = $this->getForm("general");
         $this->view->dnsblForm = $this->getForm("dnsbl");
+        $this->view->rndcKeyForm = $this->getForm("rndcKey");
         $this->view->formDialogEditBindAcl = $this->getForm("dialogEditBindAcl");
         $this->view->formDialogEditBindMasterDomain = $this->getForm("dialogEditBindMasterDomain");
         $this->view->formDialogEditBindSlaveDomain = $this->getForm("dialogEditBindSlaveDomain");
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/rndcKey.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/rndcKey.xml
new file mode 100644
index 0000000000..48f2fc43d3
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/rndcKey.xml
@@ -0,0 +1,14 @@
+<form>
+    <field>
+        <id>general.rndcalgo</id>
+        <label>Algorithm</label>
+        <type>dropdown</type>
+        <help>Set the authentication algorithm for the RNDC key.</help>
+    </field>
+    <field>
+        <id>general.rndcsecret</id>
+        <label>Secret</label>
+        <type>text</type>
+        <help>The base64-encoded RNDC key.</help>
+    </field>
+</form>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index d9f73fc683..7773989e05 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/general</mount>
     <description>BIND configuration</description>
-    <version>1.0.8</version>
+    <version>1.0.9</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -143,5 +143,21 @@
             <Required>Y</Required>
             <asList>Y</asList>
         </ratelimitexcept>
+        <rndcalgo type="OptionField">
+            <Required>Y</Required>
+            <default>hmac-sha256</default>
+            <OptionValues>
+                <hmac-sha512>HMAC-SHA512</hmac-sha512>
+                <hmac-sha384>HMAC-SHA384</hmac-sha384>
+                <hmac-sha256>HMAC-SHA256</hmac-sha256>
+                <hmac-sha224>HMAC-SHA224</hmac-sha224>
+                <hmac-sha1>HMAC-SHA1</hmac-sha1>
+                <hmac-md5>HMAC-MD5</hmac-md5>
+            </OptionValues>
+        </rndcalgo>
+        <rndcsecret type="TextField">
+            <Required>Y</Required>
+            <default>VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=</default>
+        </rndcsecret>
     </items>
 </model>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 5a82029696..16071491d7 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -32,6 +32,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#dnsbl">{{ lang._('DNSBL') }}</a></li>
     <li><a data-toggle="tab" href="#acls">{{ lang._('ACLs') }}</a></li>
+    <li><a data-toggle="tab" href="#keys">{{ lang._('Keys') }}</a></li>
     <li><a data-toggle="tab" href="#master-domains">{{ lang._('Master Zones') }}</a></li>
     <li><a data-toggle="tab" href="#slave-domains">{{ lang._('Slave Zones') }}</a></li>
 </ul>
@@ -83,6 +84,21 @@ POSSIBILITY OF SUCH DAMAGE.
             <button class="btn btn-primary" id="saveAct_acl" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_acl_progress"></i></button>
             <br /><br />
         </div>
+    </div>
+     <div id="keys" class="tab-pane fade in">
+        <div class="content-box">
+            <div class="col-md-12">
+                <h2>{{ lang._('RNDC Key') }}</h2>
+            </div>
+            {{ partial("layout_partials/base_form",['fields':rndcKeyForm,'id':'frm_general_settings'])}}
+        </div>
+        <div class="col-md-12">
+            <hr />
+            <button class="btn btn-primary" id="saveRestartAct_rndckey" type="button"><b>{{ lang._('Save & Restart') }}</b> <i id="saveRestartAct_rndckey_progress"></i></button>
+            <br />
+            <b>Note:</b> Bind will be restarted when you Save, this is required when the RNDC key changes.
+            <br /><br />
+        </div>
     </div>
     <div id="master-domains" class="tab-pane fade in">
         <div class="col-md-12">
@@ -323,6 +339,13 @@ $( document ).ready(function() {
         });
     });
 
+    $("#saveRestartAct_rndckey").click(function(){
+        $("#saveRestartAct_rndckey_progress").addClass("fa fa-spinner fa-pulse");
+        ajaxCall("/api/bind/service/restart", {}, function(data,status) {
+            updateServiceControlUI('bind');
+            $("#saveRestartAct_rndckey_progress").removeClass("fa fa-spinner fa-pulse");
+        });
+    });
     $(".saveAct_domain").click(function(){
         $(".saveAct_domain_progress").addClass("fa fa-spinner fa-pulse");
         ajaxCall("/api/bind/service/reconfigure", {}, function(data,status) {
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index b0e2efc386..028e066f8e 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -88,14 +88,16 @@ options {
 {% endif %}
 };
 
+{% if helpers.exists('OPNsense.bind.general.rndcalgo') and helpers.exists('OPNsense.bind.general.rndcsecret') %}
 key "rndc-key" {
-        algorithm hmac-sha256;
-        secret "VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=";
+        algorithm "{{ OPNsense.bind.general.rndcalgo }}";
+        secret "{{ OPNsense.bind.general.rndcsecret }}";
 };
 controls {
         inet 127.0.0.1 port 9530
                 allow { 127.0.0.1; } keys { "rndc-key"; };
 };
+{% endif %}
 
 zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
 
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/rndc.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/rndc.conf
index ec98967398..d4800520f1 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/rndc.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/rndc.conf
@@ -1,6 +1,7 @@
+{% if helpers.exists('OPNsense.bind.general.rndcalgo') and helpers.exists('OPNsense.bind.general.rndcsecret') %}
 key "rndc-key" {
-        algorithm hmac-sha256;
-        secret "VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=";
+        algorithm "{{ OPNsense.bind.general.rndcalgo }}";
+        secret "{{ OPNsense.bind.general.rndcsecret }}";
 };
 
 options {
@@ -8,3 +9,4 @@ options {
         default-server 127.0.0.1;
         default-port 9530;
 };
+{% endif %}

From 5f0a181e528df6840bdf6a35707661cf6bf748b6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Jan 2023 10:53:30 +0100
Subject: [PATCH 1322/3088] dns/bind: actually save and validate the key

It would probably be better to move it to general/advanced.
The restart is an issue but a help text would suffice.
---
 .../mvc/app/models/OPNsense/Bind/General.xml         |  2 +-
 .../mvc/app/views/OPNsense/Bind/general.volt         | 12 +++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 7773989e05..1424be5082 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -155,7 +155,7 @@
                 <hmac-md5>HMAC-MD5</hmac-md5>
             </OptionValues>
         </rndcalgo>
-        <rndcsecret type="TextField">
+        <rndcsecret type="Base64Field">
             <Required>Y</Required>
             <default>VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=</default>
         </rndcsecret>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 16071491d7..cac119a129 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -331,7 +331,7 @@ $( document ).ready(function() {
 
     $("#saveAct_acl").click(function(){
         saveFormToEndpoint(url="/api/bind/acl/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_acl_progress").addClass("fa fa-spinner fa-pulse");
+            $("#saveAct_acl_progress").addClass("fa fa-spinner fa-pulse");
             ajaxCall(url="/api/bind/service/reconfigure", sendData={}, callback=function(data,status) {
                 updateServiceControlUI('bind');
                 $("#saveAct_acl_progress").removeClass("fa fa-spinner fa-pulse");
@@ -340,10 +340,12 @@ $( document ).ready(function() {
     });
 
     $("#saveRestartAct_rndckey").click(function(){
-        $("#saveRestartAct_rndckey_progress").addClass("fa fa-spinner fa-pulse");
-        ajaxCall("/api/bind/service/restart", {}, function(data,status) {
-            updateServiceControlUI('bind');
-            $("#saveRestartAct_rndckey_progress").removeClass("fa fa-spinner fa-pulse");
+        saveFormToEndpoint(url="/api/bind/general/set", formid='frm_general_settings',callback_ok=function(){
+            $("#saveRestartAct_rndckey_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall("/api/bind/service/restart", {}, function(data,status) {
+                updateServiceControlUI('bind');
+                $("#saveRestartAct_rndckey_progress").removeClass("fa fa-spinner fa-pulse");
+            });
         });
     });
     $(".saveAct_domain").click(function(){

From 34284827a2b179ce011d79760dc6f445c251ce20 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 10 Jan 2023 11:53:32 +0100
Subject: [PATCH 1323/3088] security/acme: increase max value for certificate
 renewal interval

---
 .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 118c963690..1fcffbf3be 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -283,7 +283,7 @@
                 <renewInterval type="IntegerField">
                     <Required>Y</Required>
                     <MinimumValue>1</MinimumValue>
-                    <MaximumValue>60</MaximumValue>
+                    <MaximumValue>5000</MaximumValue>
                     <default>60</default>
                 </renewInterval>
                 <aliasmode type="OptionField">

From b8f705e7d0eecf763d8473cffff5bd5b7a9b529a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Jan 2023 13:04:21 +0100
Subject: [PATCH 1324/3088] dns/dyndns: new target set for removal

---
 dns/dyndns/src/www/services_dyndns.php                       | 2 +-
 dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dyndns/src/www/services_dyndns.php b/dns/dyndns/src/www/services_dyndns.php
index c74e85c817..e699285599 100644
--- a/dns/dyndns/src/www/services_dyndns.php
+++ b/dns/dyndns/src/www/services_dyndns.php
@@ -112,7 +112,7 @@
         <section class="col-xs-12">
           <div class="alert alert-warning" role="alert">
               <strong>
-                  <?=gettext("Please make sure to upgrade to os-ddclient before 22.7 is released as this plugin will be removed from our repository");?>
+                  <?=gettext("Please make sure to upgrade to os-ddclient before 23.7 is released as this plugin will be removed from our repository");?>
               </strong>
           </div>
           <div class="tab-content content-box col-xs-12">
diff --git a/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php b/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
index 03d6af5687..7d5333967c 100644
--- a/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
+++ b/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
@@ -90,7 +90,7 @@
         <th colspan="4">
           <div class="alert alert-warning" role="alert">
               <strong>
-                  <?=gettext("Please make sure to upgrade to os-ddclient before 22.7 is released as this plugin will be removed from our repository");?>
+                  <?=gettext("Please make sure to upgrade to os-ddclient before 23.7 is released as this plugin will be removed from our repository");?>
               </strong>
           </div>
         </th>

From 9113795e70e84bddfc629452471b6c01f0000c50 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Jan 2023 13:09:00 +0100
Subject: [PATCH 1325/3088] net/sslh: release plugin 1.0

---
 README.md         | 2 +-
 net/sslh/Makefile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 55da66cf57..7c1cdc3696 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ net/realtek-re -- Realtek re(4) vendor driver
 net/relayd -- Relayd Load Balancer
 net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
-net/sslh -- sslh configuration front-end (development only)
+net/sslh -- sslh configuration front-end
 net/tayga -- Tayga NAT64
 net/udpbroadcastrelay -- Control ubpbroadcastrelay processes
 net/upnp -- Universal Plug and Play Service
diff --git a/net/sslh/Makefile b/net/sslh/Makefile
index c4babf32ac..e7a9d533dc 100644
--- a/net/sslh/Makefile
+++ b/net/sslh/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		sslh
-PLUGIN_VERSION=		0.1
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		sslh configuration front-end
 PLUGIN_DEPENDS=		sslh
 PLUGIN_MAINTAINER=	agh1467@protonmail.com

From 414679559dd2c3cd7b8a9afa385c65143ce531f4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Jan 2023 13:12:26 +0100
Subject: [PATCH 1326/3088] net/sslh: fix migration default

---
 .../src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml     | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
index 9701eac279..f22a524e27 100644
--- a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
+++ b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
@@ -1,9 +1,10 @@
 <model>
     <mount>//OPNsense/sslh</mount>
-    <version>0.0.1</version>
+    <version>1.0.0</version>
     <items>
         <enabled type="BooleanField">
             <required>Y</required>
+            <default>0</default>
         </enabled>
         <listen_addresses type="CSVListField">
             <required>Y</required>

From 0b0c5b8dd4422c04fc0b09a232420767e6f00043 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Jan 2023 13:14:38 +0100
Subject: [PATCH 1327/3088] net/sslh: did someone actually test this? :P

---
 net/sslh/src/etc/inc/plugins.inc.d/sslh.inc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc b/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
index d916fc9b61..071cfd2da0 100644
--- a/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
+++ b/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
@@ -40,7 +40,6 @@
 */
 function sslh_services()
 {
-
     // Create an array to be processed by www/status_services.php
     $service = array();
 
@@ -50,7 +49,7 @@ function sslh_services()
     // Only show the plugin if it's enabled.
     if (! ((string) $settings->enabled == '1')) {
         // return empty array if not enabled
-        return $services;
+        return $service;
     }
 
     $configd_name = 'sslh';

From 23aae2f87ea31622d32948e7834d52a9e7152dd0 Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Tue, 10 Jan 2023 08:43:26 -0500
Subject: [PATCH 1328/3088] dns/bind: ensure the ACL names are unique (#3254)

---
 dns/bind/pkg-descr                                         | 1 +
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index f9ffd920c4..425d1c4c2a 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 
 1.25
 
+* Ensure you can only add one ACL with the same name (contributed by Robbert Rijkse)
 * Cleanup/Fix the Master/Slave domain dialogs (contributed by Robbert Rijkse)
 * Revamp the logging page with proper columns (contributed by Robbert Rijkse)
 * Add UI for RNDC Key configuration (contributed by Robbert Rijkse)
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
index 474a0a0dfd..c7dd887851 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
@@ -14,6 +14,12 @@
                     <Required>Y</Required>
                     <mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z_\-]{1,32}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, A-Z, _ and -. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
+                     <Constraints>
+                        <check001>
+                            <ValidationMessage>An ACL with this name already exists.</ValidationMessage>
+                            <type>UniqueConstraint</type>
+                        </check001>
+                    </Constraints>
                 </name>
                 <networks type="NetworkField">
                     <default></default>

From 5b04a8c843bb745ea3e8e6ca21db53f695c64060 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 10 Jan 2023 12:40:11 +0100
Subject: [PATCH 1329/3088] security/acme: Add online.net API for dns challenge
 type, closes #3213

---
 security/acme-client/pkg-descr                |  5 +++
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsOnline.php     | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 4 files changed, 63 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOnline.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 98fd4b1bc4..b81bddd5ee 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.15
+
+Added:
+* add online.net DNS API (#3213)
+
 3.14
 
 NOTE: Users of Selfhost need to manually fix their configuration, see
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 1c9efe0043..09ac203b8d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -952,6 +952,16 @@
         <type>text</type>
         <help>Optionally set the name of the hosted zone (e.g. example.com) as some DNS Providers require, like dyn.com's 'Standard DNS'.</help>
     </field>
+    <field>
+        <label>online.net</label>
+        <type>header</type>
+        <style>table_dns table_dns_online</style>
+    </field>
+    <field>
+        <id>validation.dns_online_key</id>
+        <label>API key</label>
+        <type>text</type>
+    </field>
     <field>
         <label>opnsense</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOnline.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOnline.php
new file mode 100644
index 0000000000..c6a07a29a0
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOnline.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * online.net API
+ * @package OPNsense\AcmeClient
+ */
+class DnsOnline extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ONLINE_API_KEY'] = (string)$this->config->dns_online_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 118c963690..2ac833fe7b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -484,6 +484,7 @@
                         <dns_njalla>Njalla</dns_njalla>
                         <dns_nsone>NS1.com</dns_nsone>
                         <dns_nsupdate>nsupdate (RFC 2136)</dns_nsupdate>
+                        <dns_online>online.net</dns_online>
                         <dns_opnsense>OPNsense BIND Plugin</dns_opnsense>
                         <dns_ovh>OVH, kimsufi, soyoustart and runabove</dns_ovh>
                         <dns_pdns>PowerDNS.com</dns_pdns>
@@ -887,6 +888,9 @@
                 <dns_nsupdate_key type="TextField">
                     <Required>N</Required>
                 </dns_nsupdate_key>
+                <dns_online_key type="TextField">
+                    <Required>N</Required>
+                </dns_online_key>
                 <dns_opnsense_host type="TextField">
                     <Required>N</Required>
                     <default>localhost</default>

From 45fa6d7842083528dc48b3dfafdc2868fe027db0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 10 Jan 2023 15:33:22 +0100
Subject: [PATCH 1330/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 3 +--
 security/acme-client/pkg-descr | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index a197fa68b4..13e3111400 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.14
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		3.15
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index b81bddd5ee..d82b556aa3 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,9 @@ Plugin Changelog
 Added:
 * add online.net DNS API (#3213)
 
+Changed:
+* increase max value for certificate renewal interval (#3219)
+
 3.14
 
 NOTE: Users of Selfhost need to manually fix their configuration, see

From 4258c339663fe221d85d554c531a55a754023e31 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Jan 2023 07:50:13 +0100
Subject: [PATCH 1331/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index fc3d5998e7..f8e248f151 100644
--- a/LICENSE
+++ b/LICENSE
@@ -23,7 +23,7 @@ Copyright (c) 2014-2022 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2022 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2016 IT-assistans Sverige AB
-Copyright (c) 2021-2022 Jan Winkler
+Copyright (c) 2021-2023 Jan Winkler
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>

From e8ef909a94eb765c71f89771fb38e4547efc9039 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Jan 2023 07:55:00 +0100
Subject: [PATCH 1332/3088] security/stunnel: fix missing include

---
 security/stunnel/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index c27c8c3266..304126be74 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		1.0.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel

From 3c74322935ade971f1d05201d3450e2dfd3f62b2 Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Wed, 11 Jan 2023 03:47:26 -0500
Subject: [PATCH 1333/3088] dns/bind: add PR record type (#3256)

---
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
index 797b43b723..733dda90bd 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/record</mount>
     <description>BIND record configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
         <records>
             <record type="ArrayField">
@@ -36,6 +36,7 @@
                         <MX>MX</MX>
                         <NS>NS</NS>
                         <PTR>PTR</PTR>
+                        <RP>RP</RP>
                         <RRSIG>RRSIG</RRSIG>
                         <SRV>SRV</SRV>
                         <TLSA>TLSA</TLSA>

From 18a4256267d20d3dd5d5dbde1091a58b7139a2dd Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Wed, 11 Jan 2023 03:52:32 -0500
Subject: [PATCH 1334/3088] dns/bind: move to primary/secondary (#3234)

---
 dns/bind/Makefile                             |  2 +-
 dns/bind/pkg-descr                            |  4 +
 .../OPNsense/Bind/Api/DomainController.php    | 26 ++++--
 .../OPNsense/Bind/GeneralController.php       |  4 +-
 ...in.xml => dialogEditBindPrimaryDomain.xml} |  0
 ....xml => dialogEditBindSecondaryDomain.xml} | 14 ++--
 .../mvc/app/models/OPNsense/Bind/Domain.xml   | 16 ++--
 .../OPNsense/Bind/Migrations/M1_1_0.php       | 80 +++++++++++++++++++
 .../mvc/app/views/OPNsense/Bind/general.volt  | 56 ++++++-------
 .../service/templates/OPNsense/Bind/domain.db |  2 +-
 .../templates/OPNsense/Bind/named.conf        | 30 +++----
 11 files changed, 164 insertions(+), 70 deletions(-)
 rename dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/{dialogEditBindMasterDomain.xml => dialogEditBindPrimaryDomain.xml} (100%)
 rename dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/{dialogEditBindSlaveDomain.xml => dialogEditBindSecondaryDomain.xml} (85%)
 create mode 100644 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index f128980f24..49a4e7ce2b 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.25
+PLUGIN_VERSION=		1.26
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 425d1c4c2a..4ae5a07593 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -9,6 +9,10 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.26
+
+* Rename Master/Slave to Primary/Secondary (contributed by Robbert Rijkse)
+
 1.25
 
 * Ensure you can only add one ACL with the same name (contributed by Robbert Rijkse)
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
index f5b5678db2..d840caa6b3 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
@@ -39,26 +39,36 @@ class DomainController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'domain';
     protected static $internalModelClass = '\OPNsense\Bind\Domain';
 
+    # These are here for backwards compatability, should be removed after a bit.
     public function searchMasterDomainAction()
+    {
+        return seachPrimaryDomainAction();
+    }
+    public function searchSlaveDomainAction()
+    {
+        return seachSecondaryDomainAction();
+    }
+
+    public function searchPrimaryDomainAction()
     {
         return $this->searchBase(
             'domains.domain',
             [   "enabled", "type", "domainname", "ttl", "refresh", "retry", "expire", "negative" ],
             "domainname",
             function ($record) {
-                return $record->type->getNodeData()["master"]["selected"] === 1;
+                return $record->type->getNodeData()["primary"]["selected"] === 1;
             }
         );
     }
 
-    public function searchSlaveDomainAction()
+    public function searchSecondaryDomainAction()
     {
         return $this->searchBase(
             'domains.domain',
-            [   "enabled", "type", "domainname", "masterip" ],
+            [   "enabled", "type", "domainname", "primaryip" ],
             "domainname",
             function ($record) {
-                return $record->type->getNodeData()["slave"]["selected"] === 1;
+                return $record->type->getNodeData()["secondary"]["selected"] === 1;
             }
         );
     }
@@ -69,14 +79,14 @@ public function getDomainAction($uuid = null)
         return $this->getBase('domain', 'domains.domain', $uuid);
     }
 
-    public function addMasterDomainAction($uuid = null)
+    public function addPrimaryDomainAction($uuid = null)
     {
-        return $this->addBase('domain', 'domains.domain', ['type' => 'master']);
+        return $this->addBase('domain', 'domains.domain', ['type' => 'primary']);
     }
 
-    public function addSlaveDomainAction($uuid = null)
+    public function addSecondaryDomainAction($uuid = null)
     {
-        return $this->addBase('domain', 'domains.domain', ['type' => 'slave']);
+        return $this->addBase('domain', 'domains.domain', ['type' => 'secondary']);
     }
 
     public function delDomainAction($uuid)
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
index f2bdcac42b..f233b57bba 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
@@ -36,8 +36,8 @@ public function indexAction()
         $this->view->dnsblForm = $this->getForm("dnsbl");
         $this->view->rndcKeyForm = $this->getForm("rndcKey");
         $this->view->formDialogEditBindAcl = $this->getForm("dialogEditBindAcl");
-        $this->view->formDialogEditBindMasterDomain = $this->getForm("dialogEditBindMasterDomain");
-        $this->view->formDialogEditBindSlaveDomain = $this->getForm("dialogEditBindSlaveDomain");
+        $this->view->formDialogEditBindPrimaryDomain = $this->getForm("dialogEditBindPrimaryDomain");
+        $this->view->formDialogEditBindSecondaryDomain = $this->getForm("dialogEditBindSecondaryDomain");
         $this->view->formDialogEditBindRecord = $this->getForm("dialogEditBindRecord");
         $this->view->pick('OPNsense/Bind/general');
     }
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindMasterDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
similarity index 100%
rename from dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindMasterDomain.xml
rename to dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSecondaryDomain.xml
similarity index 85%
rename from dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
rename to dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSecondaryDomain.xml
index 3b7ebd9b9e..38c563c1dd 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSlaveDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSecondaryDomain.xml
@@ -24,24 +24,24 @@
         <help>Define an ACL where you allow which client are allowed to query this zone.</help>
     </field>
     <field>
-        <id>domain.masterip</id>
-        <label>Master IP</label>
+        <id>domain.primaryip</id>
+        <label>Primary IP</label>
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Set the IP address of master server.</help>
+        <help>Set the IP address of primary server.</help>
     </field>
     <field>
         <id>domain.transferkeyalgo</id>
         <label>Transfer Key Algorithm</label>
         <type>dropdown</type>
-        <help>Set the authentication algorithm for the TSIG key used to transfer domain data from the master server.</help>
+        <help>Set the authentication algorithm for the TSIG key used to transfer domain data from the primary server.</help>
     </field>
     <field>
         <id>domain.transferkeyname</id>
         <label>Transfer Key Name</label>
         <type>text</type>
-        <help>The name of the TSIG key, which must match the value on the master server.</help>
+        <help>The name of the TSIG key, which must match the value on the primary server.</help>
     </field>
     <field>
         <id>domain.transferkey</id>
@@ -50,11 +50,11 @@
         <help>The TSIG key used to transfer domain data from the master server in Base64 encoding.</help>
     </field>
     <field>
-        <id>domain.allownotifyslave</id>
+        <id>domain.allownotifysecondary</id>
         <label>Allow Notfiy</label>
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>A list of allowed IP addresses to receive notifies from (in addition to the master server).</help>
+        <help>A list of allowed IP addresses to receive notifies from (in addition to the primary server.)</help>
     </field>
 </form>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index c33f41c975..e00591deca 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/domain</mount>
     <description>BIND domain configuration</description>
-    <version>1.0.1</version>
+    <version>1.1.0</version>
     <items>
         <domains>
             <domain type="ArrayField">
@@ -10,18 +10,18 @@
                     <Required>Y</Required>
                 </enabled>
                 <type type="OptionField">
-                    <default>master</default>
+                    <default>primary</default>
                     <Required>Y</Required>
                     <OptionValues>
-                        <master>master</master>
-                        <slave>slave</slave>
+                        <primary>Primary</primary>
+                        <secondary>Secondary</secondary>
                     </OptionValues>
                 </type>
-                <masterip type="NetworkField">
+                <primaryip type="NetworkField">
                     <Required>N</Required>
                     <FieldSeparator>,</FieldSeparator>
                     <asList>Y</asList>
-                </masterip>
+                </primaryip>
                 <transferkeyalgo type="OptionField">
                     <Required>N</Required>
                     <OptionValues>
@@ -41,11 +41,11 @@
                     <Required>N</Required>
                     <default></default>
                 </transferkey>
-                <allownotifyslave type="NetworkField">
+                <allownotifysecondary type="NetworkField">
                     <Required>N</Required>
                     <FieldSeparator>,</FieldSeparator>
                     <asList>Y</asList>
-                </allownotifyslave>
+                </allownotifysecondary>
                 <domainname type="TextField">
                     <default></default>
                     <Required>Y</Required>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php
new file mode 100644
index 0000000000..ceda64428b
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php
@@ -0,0 +1,80 @@
+<?php
+
+/**
+ *    Copyright (C) 2022 Robbert Rijkse
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Bind\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Config;
+use OPNsense\Bind\Domain;
+
+class M1_1_0 extends BaseModelMigration
+{
+    /**
+    * Migrate older keys into new model
+    * @param $model
+    */
+    public function run($model)
+    {
+        if ($model instanceof Domain) {
+            $config = Config::getInstance()->object();
+
+            # Checks to see if there is a bind config section, otherwise skips the rest of the migration
+            if (empty($config->OPNsense->bind)) {
+                return;
+            }
+
+            $bindConfig = $config->OPNsense->bind;
+            # Loops through the domains in the config
+            foreach ($bindConfig->domain->domains->domain as $domain) {
+                $domainModel = $model->getNodeByReference('domains.domain.' . $domain->attributes()["uuid"]);
+
+                # Migrates the domain type
+                if ($domain->type == "master") {
+                    $domainModel->type->setValue("primary");
+                } else {
+                    $domainModel->type->setValue("secondary");
+                }
+
+                # Migrates the Master IP to Primary IP field
+                if (!empty($domain->masterip)) {
+                    $domainModel->primaryip->setValue($domain->masterip);
+                }
+
+                # Migrates the AllowNotify Slave to AllowNotify Secondary field
+                if (!empty($domain->allownotifyslave)) {
+                    $domainModel->allownotifysecondary->setValue($domain->allownotifyslave);
+                }
+            }
+ 
+            parent::run($model);
+        }
+    }
+}
+
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index cac119a129..9e8749d3b4 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -33,8 +33,8 @@ POSSIBILITY OF SUCH DAMAGE.
     <li><a data-toggle="tab" href="#dnsbl">{{ lang._('DNSBL') }}</a></li>
     <li><a data-toggle="tab" href="#acls">{{ lang._('ACLs') }}</a></li>
     <li><a data-toggle="tab" href="#keys">{{ lang._('Keys') }}</a></li>
-    <li><a data-toggle="tab" href="#master-domains">{{ lang._('Master Zones') }}</a></li>
-    <li><a data-toggle="tab" href="#slave-domains">{{ lang._('Slave Zones') }}</a></li>
+    <li><a data-toggle="tab" href="#primary-domains">{{ lang._('Primary Zones') }}</a></li>
+    <li><a data-toggle="tab" href="#secondary-domains">{{ lang._('Secondary Zones') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
@@ -85,7 +85,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <br /><br />
         </div>
     </div>
-     <div id="keys" class="tab-pane fade in">
+    <div id="keys" class="tab-pane fade in">
         <div class="content-box">
             <div class="col-md-12">
                 <h2>{{ lang._('RNDC Key') }}</h2>
@@ -100,11 +100,11 @@ POSSIBILITY OF SUCH DAMAGE.
             <br /><br />
         </div>
     </div>
-    <div id="master-domains" class="tab-pane fade in">
+    <div id="primary-domains" class="tab-pane fade in">
         <div class="col-md-12">
             <h2>{{ lang._('Zones') }}</h2>
         </div>
-        <table id="grid-master-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindMasterDomain">
+        <table id="grid-primary-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindPrimaryDomain">
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -130,11 +130,11 @@ POSSIBILITY OF SUCH DAMAGE.
             </tfoot>
         </table>
         <hr/>
-        <div id="master-record-area">
+        <div id="primary-record-area">
             <div class="col-md-12">
                 <h2>{{ lang._('Records') }}</h2>
             </div>
-            <table id="grid-master-records" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindRecord">
+            <table id="grid-primary-records" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindRecord">
                 <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
@@ -168,16 +168,16 @@ POSSIBILITY OF SUCH DAMAGE.
             <br /><br />
         </div>
     </div>
-    <div id="slave-domains" class="tab-pane fade in">
+    <div id="secondary-domains" class="tab-pane fade in">
         <div class="col-md-12">
             <h2>{{ lang._('Zones') }}</h2>
         </div>
-        <table id="grid-slave-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindSlaveDomain">
+        <table id="grid-secondary-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindSecondaryDomain">
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
-                    <th data-column-id="masterip" data-type="string" data-visible="true">{{ lang._('Master IPs') }}</th>
+                    <th data-column-id="primaryip" data-type="string" data-visible="true">{{ lang._('Primary IPs') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -206,8 +206,8 @@ POSSIBILITY OF SUCH DAMAGE.
 </div>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindAcl,'id':'dialogEditBindAcl','label':lang._('Edit ACL')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindMasterDomain,'id':'dialogEditBindMasterDomain','label':lang._('Edit Master Zone')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindSlaveDomain,'id':'dialogEditBindSlaveDomain','label':lang._('Edit Slave Zone')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindPrimaryDomain,'id':'dialogEditBindPrimaryDomain','label':lang._('Edit Primary Zone')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindSecondaryDomain,'id':'dialogEditBindSecondaryDomain','label':lang._('Edit Secondary Zone')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindRecord,'id':'dialogEditBindRecord','label':lang._('Edit Record')])}}
 
 <script>
@@ -236,11 +236,11 @@ $( document ).ready(function() {
         }
     );
 
-    $("#grid-master-domains").UIBootgrid({
-        'search':'/api/bind/domain/searchMasterDomain',
+    $("#grid-primary-domains").UIBootgrid({
+        'search':'/api/bind/domain/searchPrimaryDomain',
         'get':'/api/bind/domain/getDomain/',
         'set':'/api/bind/domain/setDomain/',
-        'add':'/api/bind/domain/addMasterDomain/',
+        'add':'/api/bind/domain/addPrimaryDomain/',
         'del':'/api/bind/domain/delDomain/',
         'toggle':'/api/bind/domain/toggleDomain/',
         options:{
@@ -250,21 +250,21 @@ $( document ).ready(function() {
             rowCount: [3,7,14,20,50,100,-1]
         }
     }).on("selected.rs.jquery.bootgrid", function(e, rows) {
-        $("#grid-master-records").bootgrid('reload');
+        $("#grid-primary-records").bootgrid('reload');
     }).on("deselected.rs.jquery.bootgrid", function(e, rows) {
-        $("#grid-master-records").bootgrid('reload');
+        $("#grid-primary-records").bootgrid('reload');
     }).on("loaded.rs.jquery.bootgrid", function (e) {
-        let ids = $("#grid-master-domains").bootgrid("getCurrentRows");
+        let ids = $("#grid-primary-domains").bootgrid("getCurrentRows");
         if (ids.length > 0) {
-            $("#grid-master-domains").bootgrid('select', [ids[0].uuid]);
+            $("#grid-primary-domains").bootgrid('select', [ids[0].uuid]);
         }
     });
 
-    $("#grid-slave-domains").UIBootgrid({
-        'search':'/api/bind/domain/searchSlaveDomain',
+    $("#grid-secondary-domains").UIBootgrid({
+        'search':'/api/bind/domain/searchSecondaryDomain',
         'get':'/api/bind/domain/getDomain/',
         'set':'/api/bind/domain/setDomain/',
-        'add':'/api/bind/domain/addSlaveDomain/',
+        'add':'/api/bind/domain/addSecondaryDomain/',
         'del':'/api/bind/domain/delDomain/',
         'toggle':'/api/bind/domain/toggleDomain/',
         options:{
@@ -274,13 +274,13 @@ $( document ).ready(function() {
             rowCount: [7,14,20,50,100,-1]
         }
     }).on("loaded.rs.jquery.bootgrid", function (e) {
-        let ids = $("#grid-slave-domains").bootgrid("getCurrentRows");
+        let ids = $("#grid-secondary-domains").bootgrid("getCurrentRows");
         if (ids.length > 0) {
-            $("#grid-slave-domains").bootgrid('select', [ids[0].uuid]);
+            $("#grid-secondary-domains").bootgrid('select', [ids[0].uuid]);
         }
     });
 
-    $("#grid-master-records").UIBootgrid({
+    $("#grid-primary-records").UIBootgrid({
         'search':'/api/bind/record/searchRecord',
         'get':'/api/bind/record/getRecord/',
         'set':'/api/bind/record/setRecord/',
@@ -290,17 +290,17 @@ $( document ).ready(function() {
         options:{
             useRequestHandlerOnGet: true,
             requestHandler: function(request) {
-                let ids = $("#grid-master-domains").bootgrid("getSelectedRows");
+                let ids = $("#grid-primary-domains").bootgrid("getSelectedRows");
                 if (ids.length > 0) {
                     request['domain'] = ids[0];
                     $("#recordAddBtn").show();
                     $("#recordDelBtn").show();
-                    $("#master-record-area").show();
+                    $("#primary-record-area").show();
                 } else {
                     request['domain'] = 'not_found';
                     $("#recordAddBtn").hide();
                     $("#recordDelBtn").hide();
-                    $("#master-record-area").hide();
+                    $("#primary-record-area").hide();
                 }
                 return request;
             }
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db
index d24ecd3ee5..a27c9e5623 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db
@@ -2,7 +2,7 @@
 {%   if helpers.exists('OPNsense.bind.domain.domains.domain') %}
 {%     for domaindb in helpers.toList('OPNsense.bind.domain.domains.domain') %}
 {%       if TARGET_FILTERS['OPNsense.bind.domain.domains.domain.' ~ loop.index0] or TARGET_FILTERS['OPNsense.bind.domain.domains.domain'] %}
-{%         if domaindb.enabled == '1' and domaindb.type == 'master' %}
+{%         if domaindb.enabled == '1' and domaindb.type == 'primary' %}
 $TTL {{ domaindb.ttl }}
 @       IN      SOA    {{ domaindb.dnsserver }}. {{ domaindb.mailadmin|replace('@', '.') }}. ( {{ domaindb.serial|trim }} {{ domaindb.refresh }} {{ domaindb.retry }} {{ domaindb.expire }} {{ domaindb.negative }} )
 {%           for record in helpers.sortDictList(OPNsense.bind.record.records.record, 'name', 'type' ) %}
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 028e066f8e..c345730075 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -101,34 +101,34 @@ controls {
 
 zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
 
-zone "localhost"        { type master; file "/usr/local/etc/namedb/primary/localhost-forward.db"; };
-zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/primary/localhost-reverse.db"; };
-zone "0.ip6.arpa"       { type master; file "/usr/local/etc/namedb/primary/localhost-reverse.db"; };
+zone "localhost"        { type primary; file "/usr/local/etc/namedb/primary/localhost-forward.db"; };
+zone "127.in-addr.arpa" { type primary; file "/usr/local/etc/namedb/primary/localhost-reverse.db"; };
+zone "0.ip6.arpa"       { type primary; file "/usr/local/etc/namedb/primary/localhost-reverse.db"; };
 
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}
-zone "whitelist.localdomain" { type master; file "/usr/local/etc/namedb/primary/whitelist.db"; notify no; check-names ignore; };
-zone "blacklist.localdomain" { type master; file "/usr/local/etc/namedb/primary/blacklist.db"; notify no; check-names ignore; };
+zone "whitelist.localdomain" { type primary; file "/usr/local/etc/namedb/primary/whitelist.db"; notify no; check-names ignore; };
+zone "blacklist.localdomain" { type primary; file "/usr/local/etc/namedb/primary/blacklist.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}
-zone "rpzgoogle" { type master; file "/usr/local/etc/namedb/primary/google.db"; notify no; check-names ignore; };
+zone "rpzgoogle" { type primary; file "/usr/local/etc/namedb/primary/google.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}
-zone "rpzduckduckgo" { type master; file "/usr/local/etc/namedb/primary/duckduckgo.db"; notify no; check-names ignore; };
+zone "rpzduckduckgo" { type primary; file "/usr/local/etc/namedb/primary/duckduckgo.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}
-zone "rpzyoutube" { type master; file "/usr/local/etc/namedb/primary/youtube.db"; notify no; check-names ignore; };
+zone "rpzyoutube" { type primary; file "/usr/local/etc/namedb/primary/youtube.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
 {%   if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}
-zone "rpzbing" { type master; file "/usr/local/etc/namedb/primary/bing.db"; notify no; check-names ignore; };
+zone "rpzbing" { type primary; file "/usr/local/etc/namedb/primary/bing.db"; notify no; check-names ignore; };
 {%   endif %}
 {% endif %}
 
@@ -140,14 +140,14 @@ zone "rpzbing" { type master; file "/usr/local/etc/namedb/primary/bing.db"; noti
 {%     set allow_query = helpers.getUUID(domain.allowquery) %}
 zone "{{ domain.domainname }}" {
         type {{ domain.type }};
-{%       if domain.type == 'slave' %}
+{%       if domain.type == 'secondary' %}
 {%         if domain.transferkey is defined %}
-        masters { {{ domain.masterip.replace(',', ' key "' ~ domain.transferkeyname ~ '"; ') }} key "{{ domain.transferkeyname }}"; };
+        primaries { {{ domain.primaryip.replace(',', ' key "' ~ domain.transferkeyname ~ '"; ') }} key "{{ domain.transferkeyname }}"; };
 {%         else %}
-        masters { {{ domain.masterip.replace(',', '; ') }}; };
+        primaries { {{ domain.primaryip.replace(',', '; ') }}; };
 {%         endif %}
-{%         if domain.allownotifyslave is defined %}
-        allow-notify { {{ domain.allownotifyslave.replace(',', '; ') }}; };
+{%         if domain.allownotifysecondary is defined %}
+        allow-notify { {{ domain.allownotifysecondary.replace(',', '; ') }}; };
 {%         endif %}
         file "/usr/local/etc/namedb/secondary/{{ domain.domainname }}.db";
 {%       else %}
@@ -160,7 +160,7 @@ zone "{{ domain.domainname }}" {
         allow-query { {{ allow_query.name }}; };
 {%       endif %}
 };
-{%       if domain.type == 'slave' and domain.transferkey is defined and not(domain.transferkeyname in usedkeys) %}
+{%       if domain.type == 'secondary' and domain.transferkey is defined and not(domain.transferkeyname in usedkeys) %}
 {%         do usedkeys.append(domain.transferkeyname) %}
 key "{{ domain.transferkeyname }}" {
         algorithm "{{ domain.transferkeyalgo }}";

From 0b5c9a98efc864105f9b0a5643492a774fe54eef Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Jan 2023 09:56:56 +0100
Subject: [PATCH 1335/3088] dns/bind: style sweep

---
 .../mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php         | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php
index ceda64428b..95d8a076f0 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php
@@ -72,9 +72,8 @@ public function run($model)
                     $domainModel->allownotifysecondary->setValue($domain->allownotifyslave);
                 }
             }
- 
+
             parent::run($model);
         }
     }
 }
-

From b67a1d49bf7aa78694620b19bc6981e409266356 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Jan 2023 10:07:27 +0100
Subject: [PATCH 1336/3088] dns/bind: more style updates

---
 .../OPNsense/Bind/Api/DomainController.php    | 48 +++++++--------
 .../OPNsense/Bind/Migrations/M1_1_0.php       | 61 +++++++++----------
 2 files changed, 54 insertions(+), 55 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
index d840caa6b3..88a6605225 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- *    Copyright (C) 2019 Deciso B.V.
+/*
+ * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2019 Deciso B.V.
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Bind\Api;
@@ -39,11 +37,13 @@ class DomainController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'domain';
     protected static $internalModelClass = '\OPNsense\Bind\Domain';
 
-    # These are here for backwards compatability, should be removed after a bit.
+    /* XXX backwards-compatibility for 22.7 and below */
     public function searchMasterDomainAction()
     {
         return seachPrimaryDomainAction();
     }
+
+    /* XXX backwards-compatibility for 22.7 and below */
     public function searchSlaveDomainAction()
     {
         return seachSecondaryDomainAction();
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php
index 95d8a076f0..c38c74facf 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2022 Robbert Rijkse
+/*
+ * Copyright (C) 2022 Robbert Rijkse
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Bind\Migrations;
@@ -45,29 +43,30 @@ public function run($model)
         if ($model instanceof Domain) {
             $config = Config::getInstance()->object();
 
-            # Checks to see if there is a bind config section, otherwise skips the rest of the migration
+            /* checks to see if there is a bind config section, otherwise skips the rest of the migration */
             if (empty($config->OPNsense->bind)) {
                 return;
             }
 
             $bindConfig = $config->OPNsense->bind;
-            # Loops through the domains in the config
+
+            /* loops through the domains in the config */
             foreach ($bindConfig->domain->domains->domain as $domain) {
-                $domainModel = $model->getNodeByReference('domains.domain.' . $domain->attributes()["uuid"]);
+                $domainModel = $model->getNodeByReference('domains.domain.' . $domain->attributes()['uuid']);
 
-                # Migrates the domain type
-                if ($domain->type == "master") {
-                    $domainModel->type->setValue("primary");
+                /* migrates the domain type */
+                if ($domain->type == 'master') {
+                    $domainModel->type->setValue('primary');
                 } else {
-                    $domainModel->type->setValue("secondary");
+                    $domainModel->type->setValue('secondary');
                 }
 
-                # Migrates the Master IP to Primary IP field
+                /* migrates the Master IP to Primary IP field */
                 if (!empty($domain->masterip)) {
                     $domainModel->primaryip->setValue($domain->masterip);
                 }
 
-                # Migrates the AllowNotify Slave to AllowNotify Secondary field
+                /* migrates the AllowNotify Slave to AllowNotify Secondary field */
                 if (!empty($domain->allownotifyslave)) {
                     $domainModel->allownotifysecondary->setValue($domain->allownotifyslave);
                 }

From 97e46ed32c80d7a45119ed6716b7d44793622e8f Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Wed, 11 Jan 2023 07:35:30 -0500
Subject: [PATCH 1337/3088] dns/bind: allow multiple acls (#3257)

---
 dns/bind/pkg-descr                            |  2 +
 .../forms/dialogEditBindPrimaryDomain.xml     |  8 +--
 .../forms/dialogEditBindSecondaryDomain.xml   |  8 +--
 .../OPNsense/Bind/forms/general.xml           | 10 +++-
 .../mvc/app/models/OPNsense/Bind/Domain.xml   |  6 +--
 .../mvc/app/models/OPNsense/Bind/General.xml  | 17 ++++--
 .../templates/OPNsense/Bind/named.conf        | 53 +++++++++++++------
 7 files changed, 72 insertions(+), 32 deletions(-)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 4ae5a07593..b7dc072780 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -11,7 +11,9 @@ Plugin Changelog
 
 1.26
 
+* Allow multiple ACLs to be selected for Transfers/Queries (contributed by Robbert Rijkse)
 * Rename Master/Slave to Primary/Secondary (contributed by Robbert Rijkse)
+* Add PR record type (contributed by Robbert Rijkse)
 
 1.25
 
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
index 2141fb0ad0..f22169f61e 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
@@ -14,14 +14,14 @@
     <field>
         <id>domain.allowtransfer</id>
         <label>Allow Transfer</label>
-        <type>dropdown</type>
-        <help>Define an ACL where you allow which server can retrieve this zone.</help>
+        <type>select_multiple</type>
+        <help>Define the ACLs where you allow which server can retrieve this zone.</help>
     </field>
     <field>
         <id>domain.allowquery</id>
         <label>Allow Query</label>
-        <type>dropdown</type>
-        <help>Define an ACL where you allow which client are allowed to query this zone.</help>
+        <type>select_multiple</type>
+        <help>Define the ACLs where you allow which client are allowed to query this zone.</help>
     </field>
     <field>
         <id>domain.ttl</id>
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSecondaryDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSecondaryDomain.xml
index 38c563c1dd..a6380c2837 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSecondaryDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindSecondaryDomain.xml
@@ -14,14 +14,14 @@
     <field>
         <id>domain.allowtransfer</id>
         <label>Allow Transfer</label>
-        <type>dropdown</type>
-        <help>Define an ACL where you allow which server can retrieve this zone.</help>
+        <type>select_multiple</type>
+        <help>Define the ACLs where you allow which server can retrieve this zone.</help>
     </field>
     <field>
         <id>domain.allowquery</id>
         <label>Allow Query</label>
-        <type>dropdown</type>
-        <help>Define an ACL where you allow which client are allowed to query this zone.</help>
+        <type>select_multiple</type>
+        <help>Define the ACLs where you allow which client are allowed to query this zone.</help>
     </field>
     <field>
         <id>domain.primaryip</id>
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 8c15212100..f929beedd2 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -110,8 +110,14 @@
     <field>
         <id>general.allowtransfer</id>
         <label>Allow Transfer</label>
-        <type>dropdown</type>
-        <help>Define an ACL where you allow which server can retrieve zones.</help>
+        <type>select_multiple</type>
+        <help>Define the ACLs where you allow which server can retrieve zones.</help>
+    </field>
+    <field>
+        <id>general.allowquery</id>
+        <label>Allow Query</label>
+        <type>select_multiple</type>
+        <help>Define the ACLs where you allow which client are allowed to query this server.</help>
     </field>
     <field>
         <id>general.dnssecvalidation</id>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index e00591deca..f7122536c6 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/domain</mount>
     <description>BIND domain configuration</description>
-    <version>1.1.0</version>
+    <version>1.1.1</version>
     <items>
         <domains>
             <domain type="ArrayField">
@@ -58,7 +58,7 @@
                             <display>name</display>
                         </template>
                     </Model>
-                    <Multiple>N</Multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowtransfer>
                 <allowquery type="ModelRelationField">
@@ -69,7 +69,7 @@
                             <display>name</display>
                         </template>
                     </Model>
-                    <Multiple>N</Multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowquery>
                 <serial type="TextField">
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 1424be5082..d7232ca2cf 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/general</mount>
     <description>BIND configuration</description>
-    <version>1.0.9</version>
+    <version>1.0.10</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -91,7 +91,7 @@
                     <display>name</display>
                 </template>
             </Model>
-            <Multiple>N</Multiple>
+            <Multiple>Y</Multiple>
             <Required>N</Required>
             <ValidationMessage>Choose an ACL.</ValidationMessage>
         </recursion>
@@ -103,9 +103,20 @@
                     <display>name</display>
                 </template>
             </Model>
-            <Multiple>N</Multiple>
+            <Multiple>Y</Multiple>
             <Required>N</Required>
         </allowtransfer>
+        <allowquery type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+            <Required>N</Required>
+        </allowquery>
         <dnssecvalidation type="OptionField">
             <OptionValues>
                 <no>No</no>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index c345730075..08db14ef19 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -47,18 +47,31 @@ options {
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.recursion') and OPNsense.bind.general.recursion != '' %}
-{%   for list in helpers.toList('OPNsense.bind.general.recursion') %}
-{%   set recursionlist = helpers.getUUID(list) %}
         recursion          yes;
-        allow-recursion    { {{ recursionlist.name }}; };
-{%   endfor %}
+        allow-recursion {
+{%              for acl in helpers.toList('OPNsense.bind.general.recursion') %}
+{%              set recursion_acl = helpers.getUUID(acl) %}
+                {{ recursion_acl.name }};
+{%              endfor %}
+        };
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.allowtransfer') and OPNsense.bind.general.allowtransfer != '' %}
-{%   for list in helpers.toList('OPNsense.bind.general.allowtransfer') %}
-{%   set allowtransfer = helpers.getUUID(list) %}
-        allow-transfer    { {{ allowtransfer.name }}; };
-{%   endfor %}
+        allow-transfer {
+{%              for acl in helpers.toList('OPNsense.bind.general.allowtransfer') %}
+{%              set transfer_acl = helpers.getUUID(acl) %}
+                {{ transfer_acl.name }};
+{%              endfor %}
+        };
+{% endif %}
+
+{% if helpers.exists('OPNsense.bind.general.allowquery') and OPNsense.bind.general.allowquery != '' %}
+        allow-query {
+{%              for acl in helpers.toList('OPNsense.bind.general.allowquery') %}
+{%              set query_acl = helpers.getUUID(list) %}
+                {{ query_acl.name }};
+{%              endfor %}
+        };
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.maxcachesize') and OPNsense.bind.general.maxcachesize != '' %}
@@ -136,8 +149,6 @@ zone "rpzbing" { type primary; file "/usr/local/etc/namedb/primary/bing.db"; not
 {%   set usedkeys = [] %}
 {%   for domain in helpers.toList('OPNsense.bind.domain.domains.domain') %}
 {%     if domain.enabled == '1' %}
-{%     set allow_transfer = helpers.getUUID(domain.allowtransfer) %}
-{%     set allow_query = helpers.getUUID(domain.allowquery) %}
 zone "{{ domain.domainname }}" {
         type {{ domain.type }};
 {%       if domain.type == 'secondary' %}
@@ -153,12 +164,22 @@ zone "{{ domain.domainname }}" {
 {%       else %}
         file "/usr/local/etc/namedb/primary/{{ domain.domainname }}.db";
 {%       endif %}
-{%       if domain.allowtransfer is defined %}
-        allow-transfer { {{ allow_transfer.name }}; };
-{%       endif %}
-{%       if domain.allowquery is defined %}
-        allow-query { {{ allow_query.name }}; };
-{%       endif %}
+{%      if domain.allowtransfer is defined %}
+        allow-transfer {
+{%              for acl in domain.allowtransfer.split(',') %}
+{%              set transfer_acl = helpers.getUUID(acl) %}
+                {{ transfer_acl.name }};
+{%              endfor %}
+        };
+{%      endif %}
+{%      if domain.allowquery is defined %}
+        allow-query {
+{%              for acl in domain.allowquery.split(',') %}
+{%              set query_acl = helpers.getUUID(acl) %}
+                {{ query_acl.name }};
+{%              endfor %}
+        };
+{%      endif %}
 };
 {%       if domain.type == 'secondary' and domain.transferkey is defined and not(domain.transferkeyname in usedkeys) %}
 {%         do usedkeys.append(domain.transferkeyname) %}

From 7b2119578fc9838a5a808980c9c8d8ef0ebd50e4 Mon Sep 17 00:00:00 2001
From: Robbert Rijkse <42551307+sestary@users.noreply.github.com>
Date: Wed, 11 Jan 2023 08:34:21 -0500
Subject: [PATCH 1338/3088] move RNDC key to general page (#3258)

---
 .../OPNsense/Bind/GeneralController.php       |  1 -
 .../OPNsense/Bind/forms/general.xml           | 19 ++++++++++++++
 .../OPNsense/Bind/forms/rndcKey.xml           | 14 -----------
 .../mvc/app/views/OPNsense/Bind/general.volt  | 25 -------------------
 4 files changed, 19 insertions(+), 40 deletions(-)
 delete mode 100644 dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/rndcKey.xml

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
index f233b57bba..663acb0589 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
@@ -34,7 +34,6 @@ public function indexAction()
     {
         $this->view->generalForm = $this->getForm("general");
         $this->view->dnsblForm = $this->getForm("dnsbl");
-        $this->view->rndcKeyForm = $this->getForm("rndcKey");
         $this->view->formDialogEditBindAcl = $this->getForm("dialogEditBindAcl");
         $this->view->formDialogEditBindPrimaryDomain = $this->getForm("dialogEditBindPrimaryDomain");
         $this->view->formDialogEditBindSecondaryDomain = $this->getForm("dialogEditBindSecondaryDomain");
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index f929beedd2..e40b6dc869 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -169,4 +169,23 @@
         <advanced>true</advanced>
         <help>Except a list of IPs from rate-limiting like ::1</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>RNDC Key</label>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.rndcalgo</id>
+        <label>Algorithm</label>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+        <help>Set the authentication algorithm for the RNDC key. This requires a restart of the Bind Service.</help>
+    </field>
+    <field>
+        <id>general.rndcsecret</id>
+        <label>Secret</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>The base64-encoded RNDC key. This requires a restart of the Bind Service.</help>
+    </field>
 </form>
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/rndcKey.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/rndcKey.xml
deleted file mode 100644
index 48f2fc43d3..0000000000
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/rndcKey.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<form>
-    <field>
-        <id>general.rndcalgo</id>
-        <label>Algorithm</label>
-        <type>dropdown</type>
-        <help>Set the authentication algorithm for the RNDC key.</help>
-    </field>
-    <field>
-        <id>general.rndcsecret</id>
-        <label>Secret</label>
-        <type>text</type>
-        <help>The base64-encoded RNDC key.</help>
-    </field>
-</form>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 9e8749d3b4..cf7991ec95 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -32,7 +32,6 @@ POSSIBILITY OF SUCH DAMAGE.
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#dnsbl">{{ lang._('DNSBL') }}</a></li>
     <li><a data-toggle="tab" href="#acls">{{ lang._('ACLs') }}</a></li>
-    <li><a data-toggle="tab" href="#keys">{{ lang._('Keys') }}</a></li>
     <li><a data-toggle="tab" href="#primary-domains">{{ lang._('Primary Zones') }}</a></li>
     <li><a data-toggle="tab" href="#secondary-domains">{{ lang._('Secondary Zones') }}</a></li>
 </ul>
@@ -85,21 +84,6 @@ POSSIBILITY OF SUCH DAMAGE.
             <br /><br />
         </div>
     </div>
-    <div id="keys" class="tab-pane fade in">
-        <div class="content-box">
-            <div class="col-md-12">
-                <h2>{{ lang._('RNDC Key') }}</h2>
-            </div>
-            {{ partial("layout_partials/base_form",['fields':rndcKeyForm,'id':'frm_general_settings'])}}
-        </div>
-        <div class="col-md-12">
-            <hr />
-            <button class="btn btn-primary" id="saveRestartAct_rndckey" type="button"><b>{{ lang._('Save & Restart') }}</b> <i id="saveRestartAct_rndckey_progress"></i></button>
-            <br />
-            <b>Note:</b> Bind will be restarted when you Save, this is required when the RNDC key changes.
-            <br /><br />
-        </div>
-    </div>
     <div id="primary-domains" class="tab-pane fade in">
         <div class="col-md-12">
             <h2>{{ lang._('Zones') }}</h2>
@@ -339,15 +323,6 @@ $( document ).ready(function() {
         });
     });
 
-    $("#saveRestartAct_rndckey").click(function(){
-        saveFormToEndpoint(url="/api/bind/general/set", formid='frm_general_settings',callback_ok=function(){
-            $("#saveRestartAct_rndckey_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall("/api/bind/service/restart", {}, function(data,status) {
-                updateServiceControlUI('bind');
-                $("#saveRestartAct_rndckey_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
     $(".saveAct_domain").click(function(){
         $(".saveAct_domain_progress").addClass("fa fa-spinner fa-pulse");
         ajaxCall("/api/bind/service/reconfigure", {}, function(data,status) {

From 86853757123a693bbd146f6d7353604a0c94b5b1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Jan 2023 09:02:35 +0100
Subject: [PATCH 1339/3088] net/sslh: update initial changelog

---
 net/sslh/pkg-descr | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/sslh/pkg-descr b/net/sslh/pkg-descr
index f818aa3d45..728f4673d4 100644
--- a/net/sslh/pkg-descr
+++ b/net/sslh/pkg-descr
@@ -11,9 +11,8 @@ Changelog
 
 ================
 
-0.1
+1.0
 
-  * Initial Version
-  * Includes setting listen addresses, and protocol targets.
-  * Includes some other advanced settings
-  * Service start/stop/restart control
+* Includes setting listen addresses, and protocol targets
+* Includes some other advanced settings
+* Service start/stop/restart control

From 09ca8eec2401988ec72ae4c2f80fa623c4e8d12f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Jan 2023 09:07:11 +0100
Subject: [PATCH 1340/3088] dns/ddclient: looks like this slipped through

---
 dns/ddclient/pkg-descr | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index f09e413e5b..d26ea9ba99 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,12 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.11
+
+* Add Python backend support for custom ddclient-like implementation using the same input
+* Add AzureDNS backende using OAuth 2.0
+* Add dyndns2 backend using said API
+
 1.10
 
 * Update to ddclient 3.10.0

From 251c1261a94212737aac2171ef87ce8e2ce226d4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 12 Jan 2023 21:22:51 +0100
Subject: [PATCH 1341/3088] net/haproxy: do not duplicate global defaults
 anymore, closes #2642

---
 net/haproxy/pkg-descr                                |  1 +
 .../service/templates/OPNsense/HAProxy/haproxy.conf  | 12 ++----------
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 31a2faff28..4028a0650a 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -17,6 +17,7 @@ Changed:
 * rename frontend option "Type" to "Connection Mode" (#3026)
 * migrate options "http-tunnel" and "forceclose" to "http-keep-alive" (#3026)
 * replace "process" with "threads" bind keyword for CPU Affinity (#3026)
+* no longer duplicate global defaults in backends/frontends (#2642)
 
 Removed:
 * remove Processes/nbproc option (use Threads/nbthread instead) (#3026)
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 441e12ce20..14442a6867 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1429,14 +1429,12 @@ frontend {{frontend.name}}
 {%       if frontend.prometheus_enabled == '1' and frontend.mode == 'http' and frontend.prometheus_path|default("") != "" %}
     http-request use-service prometheus-exporter if { path {{frontend.prometheus_path}} }
 {%       endif %}
-    # tuning options
+{#       # tuning options #}
 {%       if frontend.tuning_maxConnections is defined %}
     maxconn {{frontend.tuning_maxConnections}}
 {%       endif %}
 {%       if frontend.tuning_timeoutClient is defined %}
     timeout client {{frontend.tuning_timeoutClient}}
-{%       elif OPNsense.HAProxy.general.defaults.timeoutClient is defined %}
-    timeout client {{OPNsense.HAProxy.general.defaults.timeoutClient}}
 {%       endif %}
 {%       if frontend.tuning_timeoutHttpReq|default("") != "" and frontend.mode == 'http' %}
     timeout http-request {{frontend.tuning_timeoutHttpReq}}
@@ -1653,21 +1651,15 @@ backend {{backend.name}}
 {%       endif %}
 {#       # call macro to evaluate stickiness config #}
 {{       StickTableConfig(backend,true) }}
-    # tuning options
+{#       # tuning options #}
 {%       if backend.tuning_timeoutConnect|default("") != "" %}
     timeout connect {{backend.tuning_timeoutConnect}}
-{%       elif OPNsense.HAProxy.general.defaults.timeoutConnect is defined %}
-    timeout connect {{OPNsense.HAProxy.general.defaults.timeoutConnect}}
 {%       endif %}
 {%       if backend.tuning_timeoutCheck|default("") != "" %}
     timeout check {{backend.tuning_timeoutCheck}}
-{%       elif OPNsense.HAProxy.general.defaults.timeoutCheck is defined %}
-    timeout check {{OPNsense.HAProxy.general.defaults.timeoutCheck}}
 {%       endif %}
 {%       if backend.tuning_timeoutServer|default("") != "" %}
     timeout server {{backend.tuning_timeoutServer}}
-{%       elif OPNsense.HAProxy.general.defaults.timeoutServer is defined %}
-    timeout server {{OPNsense.HAProxy.general.defaults.timeoutServer}}
 {%       endif %}
 {%       if backend.tuning_retries|default("") != "" %}
     retries {{backend.tuning_retries}}

From 3224b8c6a924cf817538d02afb53b9c1dcd0d520 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Jan 2023 09:55:42 +0100
Subject: [PATCH 1342/3088] net/upnp: add a changelog, simpifies release notes

---
 net/upnp/pkg-descr | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index 6b4094da82..091bcabff0 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -3,3 +3,12 @@ supposed to be run on your gateway machine to allow client systems to redirect
 ports and punch holes in the firewall.
 
 WWW: http://miniupnp.free.fr/
+
+Plugin Changelog
+================
+
+1.5
+
+* enable STUN and allow LAN subnet override (contributed by Tawmu)
+* add missing firewall anchors (contributed by Tawmu)
+* switch to miniupnpd 2.3.1

From 5a7c59832181c840f64e34f4c3e4805985736470 Mon Sep 17 00:00:00 2001
From: Patrik Kernstock <patrik@kernstock.net>
Date: Tue, 17 Jan 2023 15:08:25 +0000
Subject: [PATCH 1343/3088] net/frr: Added attribute-unchanged option (#3112)

---
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml      | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml  | 9 +++++++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf | 3 +++
 3 files changed, 19 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 5ea35585fa..b00c504803 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -132,6 +132,13 @@
     <type>checkbox</type>
     <help>Allow peerings between directly connected eBGP peers using loopback addresses.</help>
   </field>
+  <field>
+    <id>neighbor.attributeunchanged</id>
+    <label>Attribute Unchanged</label>
+    <type>dropdown</type>
+    <advanced>true</advanced>
+    <help><![CDATA[This specifies attributes to be left unchanged when sending advertisements to a peer. Read more at <a href="https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-PEER-attribute-unchanged-as-path-next-hop-med">FRR documentation</a>.]]></help>
+  </field>
   <field>
     <id>neighbor.linkedPrefixlistIn</id>
     <label>Prefix-List In</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index dd4697d3e7..7b03f68227 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -142,6 +142,15 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </disable_connected_check>
+                        <attributeunchanged type="OptionField">
+                                <default></default>
+                                <Required>N</Required>
+                                <OptionValues>
+                                        <as-path>as-path</as-path>
+                                        <next-hop>next-hop</next-hop>
+                                        <med>med</med>
+                                </OptionValues>
+                        </attributeunchanged>
                         <linkedPrefixlistIn type="ModelRelationField">
                                 <Model>
                                         <template>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 5c0f7e773e..d608696c01 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -89,6 +89,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'connecttimer' in neighbor and neighbor.connecttimer != '' %}
  neighbor {{ neighbor.address }} timers connect {{ neighbor.connecttimer }}
 {%         endif %}
+{%         if 'attributeunchanged' in neighbor and neighbor.attributeunchanged != '' %}
+ neighbor {{ neighbor.address }} attribute-unchanged {{ neighbor.attributeunchanged }}
+{%         endif %}
 {%       endif %}
 {%     endfor %}
 {%   endif %}

From 9d8f6704ff4964e23dc70e8d679cce64d218d648 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Jan 2023 23:38:34 +0100
Subject: [PATCH 1344/3088] sysutils/puppet-agent: add default values for
 server+environment

---
 sysutils/puppet-agent/pkg-descr                             | 3 +++
 .../mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml     | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
index 64ec7afe9d..b525dbc6eb 100644
--- a/sysutils/puppet-agent/pkg-descr
+++ b/sysutils/puppet-agent/pkg-descr
@@ -9,6 +9,9 @@ WWW:  https://puppet.com/docs/puppet/latest/man/agent.html
 Plugin Changelog
 ================
 
+Changed:
+* add default values for Puppet Server + Environment
+
 1.0
 
 Added:
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
index f706d65a59..854add7796 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
@@ -1,19 +1,19 @@
 <model>
     <mount>//OPNsense/puppetagent</mount>
-    <version>1.0.0</version>
+    <version>1.1.0</version>
     <description>Manage Puppet Agent service</description>
     <items>
-        <!-- container -->
         <general>
-            <!-- fields -->
             <Enabled type="BooleanField">
                 <default>0</default>
                 <Required>Y</Required>
             </Enabled>
             <FQDN type="HostnameField">
+                <default>puppet</default>
                 <Required>Y</Required>
             </FQDN>
             <Environment type="TextField">
+                <default>production</default>
                 <Required>Y</Required>
                 <mask>/^.{1,100}$/u</mask>
                 <ValidationMessage>Should be a string between 1 and 100 characters.</ValidationMessage>

From ed0e8f9487e7a3d07d2afa27a576c34c9621c6c6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 18 Jan 2023 00:00:13 +0100
Subject: [PATCH 1345/3088] sysutils/puppet-agent: add runinterval and
 runtimeout

---
 sysutils/puppet-agent/pkg-descr                      |  3 +++
 .../OPNsense/PuppetAgent/forms/general.xml           | 12 ++++++++++++
 .../app/models/OPNsense/PuppetAgent/PuppetAgent.xml  | 12 ++++++++++++
 .../templates/OPNsense/PuppetAgent/puppetagent.conf  |  6 ++++++
 4 files changed, 33 insertions(+)

diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
index b525dbc6eb..6ea5ec8e0f 100644
--- a/sysutils/puppet-agent/pkg-descr
+++ b/sysutils/puppet-agent/pkg-descr
@@ -9,6 +9,9 @@ WWW:  https://puppet.com/docs/puppet/latest/man/agent.html
 Plugin Changelog
 ================
 
+Added:
+* add new options runinterval and runtimeout
+
 Changed:
 * add default values for Puppet Server + Environment
 
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
index 6713c5ec46..6e5e408fe4 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
@@ -17,4 +17,16 @@
         <type>text</type>
         <help>Change Puppet Agent Environment</help>
     </field>
+    <field>
+        <id>puppetagent.general.RunInterval</id>
+        <label>Run Interval</label>
+        <type>text</type>
+        <help>How often Puppet Agent applies the catalog. Enter a number followed by one of the supported suffixes: "y" (years), "d" (days), "h" (hours), "m" (minutes), "s" (seconds).</help>
+    </field>
+    <field>
+        <id>puppetagent.general.RunTimeout</id>
+        <label>Run Timeout</label>
+        <type>text</type>
+        <help>The maximum amount of time an agent run is allowed to take. Enter a number followed by one of the supported suffixes: "y" (years), "d" (days), "h" (hours), "m" (minutes), "s" (seconds).</help>
+    </field>
 </form>
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
index 854add7796..6379013731 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
@@ -18,6 +18,18 @@
                 <mask>/^.{1,100}$/u</mask>
                 <ValidationMessage>Should be a string between 1 and 100 characters.</ValidationMessage>
             </Environment>
+            <RunInterval type="TextField">
+                <default>30m</default>
+                <mask>/^([0-9]{1,8}(?:s|m|h|d|y)?)/u</mask>
+                <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "y", "d", "h", "m" or "s".</ValidationMessage>
+                <Required>Y</Required>
+            </RunInterval>
+            <RunTimeout type="TextField">
+                <default>1h</default>
+                <mask>/^([0-9]{1,8}(?:s|m|h|d|y)?)/u</mask>
+                <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "y", "d", "h", "m" or "s".</ValidationMessage>
+                <Required>Y</Required>
+            </RunTimeout>
         </general>
     </items>
 </model>
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
index c375941a97..86fb476326 100644
--- a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
@@ -3,6 +3,12 @@
 certname = {{ system.hostname|lower }}.{{ system.domain|lower }}
 server = {{ OPNsense.puppetagent.general.FQDN|default("") }}
 logdest = /var/log/puppet-agent.log
+{% if OPNsense.puppetagent.general.RunInterval|default("") != "" %}
+runinterval = {{ OPNsense.puppetagent.general.RunInterval }}
+{% endif %}
+{% if OPNsense.puppetagent.general.RunTimeout|default("") != "" %}
+runtimeout = {{ OPNsense.puppetagent.general.RunTimeout}}
+{% endif %}
 {% if helpers.exists('OPNsense.puppetagent.general') and not helpers.empty('OPNsense.puppetagent.general.Environment') %}
 [agent]
 environment = {{ OPNsense.puppetagent.general.Environment|default("") }}

From 07c9c9fe870db9939c629550f5bedd7b8ed8a960 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 18 Jan 2023 00:13:39 +0100
Subject: [PATCH 1346/3088] sysutils/puppet-agent: add usecacheonfailure

---
 sysutils/puppet-agent/pkg-descr                             | 1 +
 .../app/controllers/OPNsense/PuppetAgent/forms/general.xml  | 6 ++++++
 .../mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml     | 4 ++++
 .../service/templates/OPNsense/PuppetAgent/puppetagent.conf | 5 +++++
 4 files changed, 16 insertions(+)

diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
index 6ea5ec8e0f..2fbad135e6 100644
--- a/sysutils/puppet-agent/pkg-descr
+++ b/sysutils/puppet-agent/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 
 Added:
 * add new options runinterval and runtimeout
+* add new option usecacheonfailure
 
 Changed:
 * add default values for Puppet Server + Environment
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
index 6e5e408fe4..adc9330b56 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
@@ -29,4 +29,10 @@
         <type>text</type>
         <help>The maximum amount of time an agent run is allowed to take. Enter a number followed by one of the supported suffixes: "y" (years), "d" (days), "h" (hours), "m" (minutes), "s" (seconds).</help>
     </field>
+    <field>
+        <id>puppetagent.general.UseCacheOnFailure</id>
+        <label>Use Cache On Failure</label>
+        <type>checkbox</type>
+        <help>Whether to use the cached configuration when the remote configuration will not compile.</help>
+    </field>
 </form>
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
index 6379013731..ffba1a25d5 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
@@ -30,6 +30,10 @@
                 <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "y", "d", "h", "m" or "s".</ValidationMessage>
                 <Required>Y</Required>
             </RunTimeout>
+            <UseCacheOnFailure type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </UseCacheOnFailure>
         </general>
     </items>
 </model>
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
index 86fb476326..51e6fa9156 100644
--- a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
@@ -9,6 +9,11 @@ runinterval = {{ OPNsense.puppetagent.general.RunInterval }}
 {% if OPNsense.puppetagent.general.RunTimeout|default("") != "" %}
 runtimeout = {{ OPNsense.puppetagent.general.RunTimeout}}
 {% endif %}
+{% if OPNsense.puppetagent.general.UseCacheOnFailure|default("0") == "1" %}
+usecacheonfailure = true
+{% else %}
+usecacheonfailure = false
+{% endif %}
 {% if helpers.exists('OPNsense.puppetagent.general') and not helpers.empty('OPNsense.puppetagent.general.Environment') %}
 [agent]
 environment = {{ OPNsense.puppetagent.general.Environment|default("") }}

From 5f58842f5667f7dc8bb0c8a501a2cd2a2565f59a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 18 Jan 2023 00:20:27 +0100
Subject: [PATCH 1347/3088] sysutils/puppet-agent: don't wipe puppet.conf

While here, improve readability of the template and the resulting puppet.conf.
---
 sysutils/puppet-agent/pkg-descr               |  1 +
 .../OPNsense/PuppetAgent/puppetagent.conf     | 21 +++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
index 2fbad135e6..1581f039ff 100644
--- a/sysutils/puppet-agent/pkg-descr
+++ b/sysutils/puppet-agent/pkg-descr
@@ -15,6 +15,7 @@ Added:
 
 Changed:
 * add default values for Puppet Server + Environment
+* don't wipe puppet.conf if service is disabled
 
 1.0
 
diff --git a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
index 51e6fa9156..dc3a3649d0 100644
--- a/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
+++ b/sysutils/puppet-agent/src/opnsense/service/templates/OPNsense/PuppetAgent/puppetagent.conf
@@ -1,21 +1,20 @@
-{% if helpers.exists('OPNsense.puppetagent.general') and OPNsense.puppetagent.general.Enabled|default("0") == "1" %}
 [main]
-certname = {{ system.hostname|lower }}.{{ system.domain|lower }}
-server = {{ OPNsense.puppetagent.general.FQDN|default("") }}
-logdest = /var/log/puppet-agent.log
+  certname = {{ system.hostname|lower }}.{{ system.domain|lower }}
+  logdest = /var/log/puppet-agent.log
 {% if OPNsense.puppetagent.general.RunInterval|default("") != "" %}
-runinterval = {{ OPNsense.puppetagent.general.RunInterval }}
+  runinterval = {{ OPNsense.puppetagent.general.RunInterval }}
 {% endif %}
 {% if OPNsense.puppetagent.general.RunTimeout|default("") != "" %}
-runtimeout = {{ OPNsense.puppetagent.general.RunTimeout}}
+  runtimeout = {{ OPNsense.puppetagent.general.RunTimeout}}
 {% endif %}
+  server = {{ OPNsense.puppetagent.general.FQDN|default("") }}
 {% if OPNsense.puppetagent.general.UseCacheOnFailure|default("0") == "1" %}
-usecacheonfailure = true
+  usecacheonfailure = true
 {% else %}
-usecacheonfailure = false
+  usecacheonfailure = false
 {% endif %}
-{% if helpers.exists('OPNsense.puppetagent.general') and not helpers.empty('OPNsense.puppetagent.general.Environment') %}
+
 [agent]
-environment = {{ OPNsense.puppetagent.general.Environment|default("") }}
-{% endif %}
+{% if not helpers.empty('OPNsense.puppetagent.general.Environment') %}
+  environment = {{ OPNsense.puppetagent.general.Environment|default("") }}
 {% endif %}

From 2ed53b33386f001e2cef536b62d24f46f96767d1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 18 Jan 2023 00:21:27 +0100
Subject: [PATCH 1348/3088] sysutils/puppet-agent: bump version to 1.1

---
 sysutils/puppet-agent/Makefile  | 3 +--
 sysutils/puppet-agent/pkg-descr | 2 ++
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/sysutils/puppet-agent/Makefile b/sysutils/puppet-agent/Makefile
index 49d767c9d8..a7112f55c0 100644
--- a/sysutils/puppet-agent/Makefile
+++ b/sysutils/puppet-agent/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		puppet-agent
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Manage Puppet Agent
 PLUGIN_DEPENDS=		puppet7 py${PLUGIN_PYTHON}-opn-cli
 PLUGIN_MAINTAINER=	jan.wink93@gmail.com
diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
index 1581f039ff..3e8426bcb5 100644
--- a/sysutils/puppet-agent/pkg-descr
+++ b/sysutils/puppet-agent/pkg-descr
@@ -9,6 +9,8 @@ WWW:  https://puppet.com/docs/puppet/latest/man/agent.html
 Plugin Changelog
 ================
 
+1.1
+
 Added:
 * add new options runinterval and runtimeout
 * add new option usecacheonfailure

From 2f04229bc5439efd7f8af9ffbeda19a8d16ce031 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 18 Jan 2023 00:26:32 +0100
Subject: [PATCH 1349/3088] sysutils/puppet-agent: improve help text

---
 .../app/controllers/OPNsense/PuppetAgent/forms/general.xml  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
index adc9330b56..ce6b4412b2 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/controllers/OPNsense/PuppetAgent/forms/general.xml
@@ -3,19 +3,19 @@
         <id>puppetagent.general.Enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help>Enable Puppet Agent</help>
+        <help>Enable the Puppet Agent service.</help>
     </field>
     <field>
         <id>puppetagent.general.FQDN</id>
         <label>Puppet Server FQDN</label>
         <type>text</type>
-        <help>Change Puppet Server FQDN</help>
+        <help>The primary Puppet Server to which the Puppet Agent should connect.</help>
     </field>
     <field>
         <id>puppetagent.general.Environment</id>
         <label>Puppet Environment</label>
         <type>text</type>
-        <help>Change Puppet Agent Environment</help>
+        <help>The environment in which Puppet is running.</help>
     </field>
     <field>
         <id>puppetagent.general.RunInterval</id>

From ec1399c9a24285f8bba3dc689fbbd0c1e7ea212b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Jan 2023 14:36:18 +0100
Subject: [PATCH 1350/3088] plugins: replace relevant log_error() with
 log_msg() calls

PR: https://github.com/opnsense/core/issues/6115
---
 net/frr/src/etc/rc.syshook.d/carp/50-frr                  | 4 ++--
 net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns       | 4 ++--
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc          | 7 ++++---
 security/softether/src/etc/rc.syshook.d/carp/50-softether | 4 ++--
 www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php    | 5 +----
 5 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/net/frr/src/etc/rc.syshook.d/carp/50-frr b/net/frr/src/etc/rc.syshook.d/carp/50-frr
index 05c8c0e8d3..5ffb4ca82a 100755
--- a/net/frr/src/etc/rc.syshook.d/carp/50-frr
+++ b/net/frr/src/etc/rc.syshook.d/carp/50-frr
@@ -38,12 +38,12 @@ if (frr_carp_enabled()) {
     $type = !empty($argv[2]) ? $argv[2] : '';
 
     if ($type != 'MASTER' && $type != 'BACKUP') {
-        log_error("Carp '$type' event unknown from source '{$subsystem}'");
+        log_msg("Carp '$type' event unknown from source '{$subsystem}'");
         exit(1);
     }
 
     if (!strstr($subsystem, '@')) {
-        log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
+        log_msg("Carp '$type' event triggered from wrong source '{$subsystem}'");
         exit(1);
     }
 
diff --git a/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns b/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns
index 07c1bb207b..25af77e521 100755
--- a/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns
+++ b/net/mdns-repeater/src/etc/rc.syshook.d/carp/50-mdns
@@ -42,12 +42,12 @@ if ($mdns_repeater_carp_enabled) {
     $type = !empty($argv[2]) ? $argv[2] : '';
 
     if ($type != 'MASTER' && $type != 'BACKUP') {
-        log_error("Carp '$type' event unknown from source '{$subsystem}'");
+        log_msg("Carp '$type' event unknown from source '{$subsystem}'");
         exit(1);
     }
 
     if (!strstr($subsystem, '@')) {
-        log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
+        log_msg("Carp '$type' event triggered from wrong source '{$subsystem}'");
         exit(1);
     }
 
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 4da5c9c022..5ea4d0683b 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -159,10 +159,10 @@ function miniupnpd_configure_do($verbose = false)
                         $ifaces_active .= ", {$iface}";
                     }
                 } else {
-                    log_error("miniupnpd: Interface {$iface} has no ip address, ignoring");
+                    log_msg("miniupnpd: Interface {$iface} has no ip address, ignoring", LOG_WARING);
                 }
             } else {
-                log_error("miniupnpd: Could not resolve real interface for {$iface}");
+                log_msg("miniupnpd: Could not resolve real interface for {$iface}", LOG_ERR);
             }
         }
 
@@ -238,7 +238,8 @@ function miniupnpd_configure_do($verbose = false)
             /* write out the configuration */
             file_put_contents('/var/etc/miniupnpd.conf', $config_text);
 
-            log_error("miniupnpd: Starting service on interface: {$ifaces_active}");
+            log_msg("miniupnpd: Starting service on interface: {$ifaces_active}");
+
             miniupnpd_start();
         }
     }
diff --git a/security/softether/src/etc/rc.syshook.d/carp/50-softether b/security/softether/src/etc/rc.syshook.d/carp/50-softether
index ca50c43ca6..71d3e58aec 100755
--- a/security/softether/src/etc/rc.syshook.d/carp/50-softether
+++ b/security/softether/src/etc/rc.syshook.d/carp/50-softether
@@ -39,12 +39,12 @@ if (softether_carp_enabled()) {
     $type = !empty($argv[2]) ? $argv[2] : '';
 
     if ($type != 'MASTER' && $type != 'BACKUP') {
-        log_error("Carp '$type' event unknown from source '{$subsystem}'");
+        log_msg("Carp '$type' event unknown from source '{$subsystem}'");
         exit(1);
     }
 
     if (!strstr($subsystem, '@')) {
-        log_error("Carp '$type' event triggered from wrong source '{$subsystem}'");
+        log_msg("Carp '$type' event triggered from wrong source '{$subsystem}'");
         exit(1);
     }
 
diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
index 721b3832c0..63e5c6f7a5 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
@@ -166,12 +166,9 @@ function create_work_files($include_tls_handshake)
                 @touch($target);
                 $work_files[] = $target;
             } else {
-                log_error("Failed renaming '$source' to '$target'. Skipping source for next run.");
+                log_msg("Failed renaming '$source' to '$target'. Skipping source for next run.");
             }
         }
-    } else {
-        //Concurrent invocation. Can be silently ignored since no work files are collected.
-        //log_error("Skipping processing. Missing: " . join(", ", array_diff(array_keys($mapping), $existing_sources)));
     }
 
     reopen_logs();

From f04504535434798c92b5b95ca2431d985d13179e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Jan 2023 14:57:05 +0100
Subject: [PATCH 1351/3088] plugins: annotate support tier levels in plugins

PR: https://github.com/opnsense/core/issues/5983
---
 Mk/defaults.mk                    | 1 +
 Mk/plugins.mk                     | 1 +
 Templates/version                 | 1 +
 devel/debug/Makefile              | 1 +
 net/firewall/Makefile             | 1 +
 net/frr/Makefile                  | 1 +
 net/relayd/Makefile               | 2 +-
 security/etpro-telemetry/Makefile | 1 +
 security/stunnel/Makefile         | 1 +
 security/tinc/Makefile            | 1 +
 sysutils/git-backup/Makefile      | 1 +
 sysutils/vmware/Makefile          | 1 +
 12 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 9a8e0fdec3..9c2410f745 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -89,6 +89,7 @@ REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_NAME \
 		PLUGIN_PKGNAME \
 		PLUGIN_PKGVERSION \
+		PLUGIN_TIER \
 		PLUGIN_VARIANT \
 		PLUGIN_WWW
 
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 9925f2bd83..ca9a51fc6d 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -44,6 +44,7 @@ PLUGIN_SCRIPTS=		+PRE_INSTALL +POST_INSTALL \
 			+PRE_DEINSTALL +POST_DEINSTALL
 
 PLUGIN_WWW?=		https://opnsense.org/
+PLUGIN_TIER?=		3
 PLUGIN_REVISION?=	0
 
 PLUGIN_REQUIRES=	PLUGIN_NAME PLUGIN_VERSION PLUGIN_COMMENT \
diff --git a/Templates/version b/Templates/version
index 95baa8fe04..f03ab1fa71 100644
--- a/Templates/version
+++ b/Templates/version
@@ -6,6 +6,7 @@
     "product_hash": "%%PLUGIN_HASH%%",
     "product_id": "%%PLUGIN_PKGNAME%%",
     "product_name": "%%PLUGIN_NAME%%",
+    "product_tier": "%%PLUGIN_TIER%%",
     "product_version": "%%PLUGIN_PKGVERSION%%",
     "product_website": "%%PLUGIN_WWW%%"
 }
diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index ddbc36c4b5..0348b91ee8 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -7,5 +7,6 @@ PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			py${PLUGIN_PYTHON}-pycodestyle \
 			p5-File-Slurp git
 PLUGIN_MAINTAINER=	franco@opnsense.org
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 6e344f2545..d63450cecc 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -2,5 +2,6 @@ PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/net/frr/Makefile b/net/frr/Makefile
index f623b151bd..e6b8b5903b 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -3,5 +3,6 @@ PLUGIN_VERSION=		1.31
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 29e7ac472f..93bb7a3fda 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,8 +1,8 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.7
-#PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index c3bac8a52e..f23b64f881 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -4,5 +4,6 @@ PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 304126be74..2f7b74f0c5 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -4,5 +4,6 @@ PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 403bbbc5fa..506eb42e93 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -4,5 +4,6 @@ PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 38c14397b9..9c31c558f8 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -4,5 +4,6 @@ PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_DEPENDS=		git
 PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/vmware/Makefile b/sysutils/vmware/Makefile
index 307d0f9bf7..92bf19ab64 100644
--- a/sysutils/vmware/Makefile
+++ b/sysutils/vmware/Makefile
@@ -4,5 +4,6 @@ PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		VMware tools
 PLUGIN_DEPENDS=		open-vm-tools-nox11
 PLUGIN_MAINTAINER=	franco@opnsense.org
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"

From 5d859ae4e0cf5f5c5419021a7e8c1ef7c8b39daa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 19 Jan 2023 10:20:16 +0100
Subject: [PATCH 1352/3088] dns/bind: update changelog to reflect RC2 changes

---
 dns/bind/pkg-descr | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index b7dc072780..31cc0ebc0a 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -6,6 +6,7 @@ necessary for asking and answering name service questions.
 
 WWW: https://www.isc.org
 
+
 Plugin Changelog
 ================
 
@@ -13,14 +14,14 @@ Plugin Changelog
 
 * Allow multiple ACLs to be selected for Transfers/Queries (contributed by Robbert Rijkse)
 * Rename Master/Slave to Primary/Secondary (contributed by Robbert Rijkse)
-* Add PR record type (contributed by Robbert Rijkse)
 
 1.25
 
 * Ensure you can only add one ACL with the same name (contributed by Robbert Rijkse)
 * Cleanup/Fix the Master/Slave domain dialogs (contributed by Robbert Rijkse)
 * Revamp the logging page with proper columns (contributed by Robbert Rijkse)
-* Add UI for RNDC Key configuration (contributed by Robbert Rijkse)
+* Add RNDC key configuration (contributed by Robbert Rijkse)
+* Add PR record type (contributed by Robbert Rijkse)
 * Update base to BIND 9.18
 
 1.24

From a668feff4a36f67a35e24132c9cfbc49742dc9b2 Mon Sep 17 00:00:00 2001
From: opnsenseuser <rene@team-rebellion.net>
Date: Sat, 21 Jan 2023 18:28:35 +0100
Subject: [PATCH 1353/3088] Cicada little small fix

missing "!important"
---
 misc/theme-cicada/Makefile                                    | 2 +-
 .../opnsense/www/themes/cicada/assets/stylesheets/main.scss   | 4 ++--
 .../src/opnsense/www/themes/cicada/build/css/main.css         | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index cf7fb97e0e..b79faa2084 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.31
+PLUGIN_VERSION=		1.32
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index 1d140c5b64..ce3b0072d5 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -10667,12 +10667,12 @@ ul.jqtree-tree {
 router-view {
   .text-success.m-r-5 {
     font-weight: bold;
-    color: #fff;
+    color: #fff !important;
   }
 
   .text-danger.m-r-5 {
     font-weight: bold;
-    color: #000;
+    color: #000 !important;
   }
 }
 
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 4370a9325d..3769944df7 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -6640,12 +6640,12 @@ ul.jqtree-tree .jqtree-title {
 
 router-view .text-success.m-r-5 {
   font-weight: bold;
-  color: #fff;
+  color: #fff !important;
 }
 
 router-view .text-danger.m-r-5 {
   font-weight: bold;
-  color: #000;
+  color: #000 !important;
 }
 
 .bootstrap-tagsinput {

From ee8ae0fd02fcd3eb58da9fb0dd6791c76e7bb849 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 24 Jan 2023 08:21:28 +0100
Subject: [PATCH 1354/3088] net/frr: update pkg-descr and version

---
 net/frr/Makefile  | 2 +-
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index e6b8b5903b..17bd4410ce 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.31
+PLUGIN_VERSION=		1.32
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 013eb0ae93..91ccb9531e 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.32
+
+* Add attribute-unchanged option (contributed by Patrik Kernstock)
+
 1.31
 
 * Set no bgp default ipv4-unicast (contributed by vnxme)

From 89e94c4c778a55569b5772492480b9c7659f7f63 Mon Sep 17 00:00:00 2001
From: 0ln <8427756+0ln@users.noreply.github.com>
Date: Thu, 26 Jan 2023 18:15:06 +0100
Subject: [PATCH 1355/3088] net/frr: add description to restart action

---
 net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 8a4c50ce59..e7dade6771 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -15,6 +15,7 @@ command:/usr/local/etc/rc.d/frr restart
 parameters:
 type:script
 message:restarting frr
+description:Restart FRR
 
 [status]
 command:/usr/local/etc/rc.d/frr status; exit 0

From 7205ea00948f25159bfe247531c6a8d06fdf187c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 26 Jan 2023 20:08:43 +0100
Subject: [PATCH 1356/3088] dns/bind: why is switching lib dirs a good idea?

PR: https://forum.opnsense.org/index.php?topic=32092.0
---
 dns/bind/Makefile                                               | 1 +
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 49a4e7ce2b..a4b3844818 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.26
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 08db14ef19..ba12c2c009 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -220,7 +220,7 @@ logging {
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' or helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
-plugin query "/usr/local/lib/named/filter-aaaa.so" {
+plugin query "/usr/local/lib/bind/filter-aaaa.so" {
 {% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' %}
                    filter-aaaa-on-v4 yes;
 {% endif %}

From 2ed1f987eb97d922cd984ae078e4023a70b54c3e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Jan 2023 08:24:58 +0100
Subject: [PATCH 1357/3088] net/wireguard: deal with kmod service status;
 closes #3273

Shift the name from wireguard-go to wireguard in this case.
HA between go and kmod is probably not going to work fully
as the service name shifts, but eventually go should be gone.

Since wireguard rc.d script misuses "status" we don't know
what the status is and since the kmod has no "process" either
we have nothing to go on so the stop and start actions cannot
be cleanly represented and are instead replaced by a single
restart.

If you want to stop wireguard from the GUI it needs to be
disabled in its settings.
---
 net/wireguard/Makefile                        |  2 +-
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 55 ++++++++++++-------
 2 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index bc605c893b..fde39474ff 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index 365ffc9168..cc1e49ee8d 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -34,49 +34,66 @@ function wireguard_enabled()
 
 function wireguard_services()
 {
-    $services = array();
+    $services = [];
 
     if (!wireguard_enabled()) {
         return $services;
     }
 
-    $services[] = array(
+    $service = [
         'description' => gettext('WireGuard VPN'),
-        'configd' => array(
-            'restart' => array('wireguard restart'),
-            'start' => array('wireguard start'),
-            'stop' => array('wireguard stop'),
-        ),
-        'name' => 'wireguard-go'
-    );
+        'configd' => [
+            'restart' => ['wireguard restart'],
+            'start' => ['wireguard start'],
+            'stop' => ['wireguard stop'],
+        ],
+        'name' => 'wireguard-go',
+    ];
+
+    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
+        $service['name'] = 'wireguard';
+        $service['nocheck'] = true;
+    }
+
+    $services[] = $service;
 
     return $services;
 }
 
 function wireguard_interfaces()
 {
-    $interfaces = array();
+    $interfaces = [];
+
     if (!wireguard_enabled()) {
         return $interfaces;
     }
-    $oic = array('enable' => true);
-    $oic['if'] = 'wireguard';
-    $oic['descr'] = gettext('WireGuard (Group)');
-    $oic['type'] = 'group';
-    $oic['virtual'] = true;
-    $oic['networks'] = array();
-    $interfaces['wireguard'] = $oic;
+
+    $interfaces['wireguard'] = [
+        'descr' => gettext('WireGuard (Group)'),
+        'if' => 'wireguard',
+        'virtual' => true,
+        'enable' => true,
+        'type' => 'group',
+        'networks' => [],
+    ];
+
     return $interfaces;
 }
 
 function wireguard_xmlrpc_sync()
 {
-    $result = array();
+    $result = [];
+
     $result['id'] = 'wireguard';
     $result['section'] = 'OPNsense.wireguard';
     $result['description'] = gettext('WireGuard');
     $result['services'] = ['wireguard-go'];
-    return array($result);
+
+    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
+        $result['services'] = ['wireguard'];
+    }
+
+    return [$result];
 }
 
 function wireguard_devices()

From 81fe69f422b267e201efdb153566f14c29fd184a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Jan 2023 08:37:55 +0100
Subject: [PATCH 1358/3088] net/frr: bump revision

---
 net/frr/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 17bd4410ce..50bbd33daf 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.32
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From abd1638f48e71361fbd618286f2cf976948e9e7c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Jan 2023 08:39:19 +0100
Subject: [PATCH 1359/3088] plugins: switch to 23.1 default

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 9c2410f745..48abd23d66 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -57,7 +57,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	22.7
+PLUGIN_ABI?=	23.1
 .endif
 
 PHPBIN=		${LOCALBASE}/bin/php

From 16cbe99ebf0e776afa5deee349f9e0ff73fbe8aa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Jan 2023 08:43:17 +0100
Subject: [PATCH 1360/3088] sysutils/nut: try to address breakage

See: https://github.com/opnsense/ports/commit/d02ff345816e9
---
 sysutils/nut/Makefile                                   | 2 +-
 sysutils/nut/src/opnsense/scripts/OPNsense/Nut/setup.sh | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/sysutils/nut/Makefile b/sysutils/nut/Makefile
index ab7e34d896..99334db4ce 100644
--- a/sysutils/nut/Makefile
+++ b/sysutils/nut/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nut
 PLUGIN_VERSION=		1.8.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Network UPS Tools
 PLUGIN_DEPENDS=		nut
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/nut/src/opnsense/scripts/OPNsense/Nut/setup.sh b/sysutils/nut/src/opnsense/scripts/OPNsense/Nut/setup.sh
index 582348f059..2776cc9793 100755
--- a/sysutils/nut/src/opnsense/scripts/OPNsense/Nut/setup.sh
+++ b/sysutils/nut/src/opnsense/scripts/OPNsense/Nut/setup.sh
@@ -1,4 +1,6 @@
 #!/bin/sh
-mkdir -p /var/db/nut
 
-chown uucp:uucp /var/db/nut
+pw groupmod -n dialer -m nut
+
+mkdir -p /var/db/nut
+chown -R nut:nut /var/db/nut

From fe22b85c58e7061a44176dac8aaf8169e915b647 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 28 Jan 2023 09:03:28 +0100
Subject: [PATCH 1361/3088] net/haproxy: stay on HAProxy 2.6 release series
 (#3282)

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index e3dd19ba74..b188a23eef 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.0
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy
+PLUGIN_DEPENDS=		haproxy26
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"

From 72c5bfbf975a68c513d61b388e156a267dca21e9 Mon Sep 17 00:00:00 2001
From: Connor Tumbleson <iBotPeaches@users.noreply.github.com>
Date: Sat, 28 Jan 2023 08:38:53 -0500
Subject: [PATCH 1362/3088] fix: correct typo on LOG_WARNING (#3286)

---
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 5ea4d0683b..d63c65199c 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -159,7 +159,7 @@ function miniupnpd_configure_do($verbose = false)
                         $ifaces_active .= ", {$iface}";
                     }
                 } else {
-                    log_msg("miniupnpd: Interface {$iface} has no ip address, ignoring", LOG_WARING);
+                    log_msg("miniupnpd: Interface {$iface} has no ip address, ignoring", LOG_WARNING);
                 }
             } else {
                 log_msg("miniupnpd: Could not resolve real interface for {$iface}", LOG_ERR);

From 03221109fe9aa37d1be97620fd5f018d30be924d Mon Sep 17 00:00:00 2001
From: JeWe37 <jewe37@gmail.com>
Date: Sat, 28 Jan 2023 18:24:37 +0100
Subject: [PATCH 1363/3088] security/openconnect: Set useragent="AnyConnect"
 (#3287)

Improves compatbility with some hosts
---
 security/openconnect/Makefile                                 | 2 +-
 security/openconnect/pkg-descr                                | 4 ++++
 .../service/templates/OPNsense/Openconnect/openconnect.conf   | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index 01fcf835d3..6ccfbb0c53 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.4.3
+PLUGIN_VERSION=		1.4.4
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index 5b026dc2b6..b6ac6ccfc2 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -6,6 +6,10 @@ the Juniper SSL VPN which is now known as Pulse Connect Secure.
 Plugin Changelog
 ================
 
+1.4.4
+
+* Improve compatibility via useragent="AnyConnect"
+
 1.4.3
 
 * Add support for one-time password generation
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
index e076e5e655..32d13a2866 100644
--- a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
@@ -27,5 +27,8 @@ token-secret={{ OPNsense.openconnect.general.tokensecret }}
 {%   endif %}
 {%   if helpers.exists('OPNsense.openconnect.general.protocol') and OPNsense.openconnect.general.protocol != '' %}
 protocol={{ OPNsense.openconnect.general.protocol }}
+{%     if OPNsense.openconnect.general.protocol == 'anyconnect' %}
+useragent=AnyConnect
+{%     endif %}
 {%   endif %}
 {% endif %}

From e47b0d964d4e5cb0bcef5c31d692835468df10ea Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 29 Jan 2023 11:57:34 +0100
Subject: [PATCH 1364/3088] dns/ddclient - fix "Implicit conversion from float
 " in model

---
 .../mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
index a21bda8115..ce279e6268 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
@@ -50,7 +50,7 @@ private function addStatsFields($node)
         if (isset(self::$current_stats[$node->getAttribute('uuid')])) {
             $stats = self::$current_stats[$node->getAttribute('uuid')];
             $current_ip->setValue($stats['ip']);
-            $current_mtime->setValue(date('c', $stats['mtime']));
+            $current_mtime->setValue(date('c', (int)$stats['mtime']));
         } elseif (!empty((string)$node->hostnames)) {
             foreach (explode(",", (string)$node->hostnames) as $hostname) {
                 if (!empty(self::$current_stats[$hostname]) && !empty(self::$current_stats[$hostname]['ip'])) {

From 4d41680dcc9795e02b59110a6377b3712efc6b97 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Jan 2023 09:10:22 +0100
Subject: [PATCH 1365/3088] net/upnp: bump revision

---
 net/upnp/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index c69f84af29..0b0b4e3711 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		miniupnpd-devel
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 5c901f1e83090bae39b0b53b80b7e05d076d7a4a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Jan 2023 09:11:37 +0100
Subject: [PATCH 1366/3088] dns/ddclient: bump revision

---
 dns/ddclient/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 183e8fca16..409129f4f0 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.11
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From c77dd94ad40a9ecefcf46dd1017de0712b89e5e8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Feb 2023 10:36:39 +0100
Subject: [PATCH 1367/3088] security/openconnect: ignore DNS information #3090

---
 .../src/opnsense/scripts/OPNsense/Openconnect/vpnc.sh     | 8 ++++++++
 .../service/templates/OPNsense/Openconnect/openconnect    | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100755 security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/vpnc.sh

diff --git a/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/vpnc.sh b/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/vpnc.sh
new file mode 100755
index 0000000000..1257be1029
--- /dev/null
+++ b/security/openconnect/src/opnsense/scripts/OPNsense/Openconnect/vpnc.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+# do not pass DNS information that clobbers /etc/resolv.conf
+export INTERNAL_IP4_DNS=
+
+. /usr/local/sbin/vpnc-script
+
+# XXX we can register the proper DNS via ifctl(8) if required later
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect
index 5b8dd90376..25975f7f93 100644
--- a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect
@@ -1,9 +1,10 @@
 {% if helpers.exists('OPNsense.openconnect.general.enabled') and OPNsense.openconnect.general.enabled == '1' %}
 openconnect_enable="YES"
+openconnect_flags="-s /usr/local/opnsense/scripts/OPNsense/Openconnect/vpnc.sh"
 {%   if helpers.exists('OPNsense.openconnect.general.server') and OPNsense.openconnect.general.server != '' %}
 {%     if helpers.exists('OPNsense.openconnect.general.user') and OPNsense.openconnect.general.user != '' %}
 {%       if helpers.exists('OPNsense.openconnect.general.password') and OPNsense.openconnect.general.password != '' %}
-openconnect_flags="--config=/usr/local/etc/openconnect.conf {{ OPNsense.openconnect.general.server }}"
+openconnect_flags="${openconnect_flags} --config=/usr/local/etc/openconnect.conf {{ OPNsense.openconnect.general.server }}"
 {%       endif %}
 {%     endif %}
 {%   endif %}

From d1a17b7650997507b8cff743a375016a7734f672 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Feb 2023 11:35:19 +0100
Subject: [PATCH 1368/3088] net/wireguard: group registration issue fix

---
 net/wireguard/Makefile                        |  2 +-
 .../Wireguard/Api/ServiceController.php       | 51 +++++++++++--------
 2 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index fde39474ff..e47403fecc 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
index 94fe65ecd6..b6f93c87f6 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Wireguard\Api;
@@ -45,6 +43,15 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceEnabled = 'enabled';
     protected static $internalServiceName = 'wireguard';
 
+    /**
+     * hook group interface registration on reconfigure
+     * @return array
+     */
+    protected function invokeInterfaceRegistration()
+    {
+        return true;
+    }
+
     /**
      * show wireguard config
      * @return array

From 108525e89cef61b7679a864dec7de4641a6f5a23 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Feb 2023 11:38:42 +0100
Subject: [PATCH 1369/3088] net/tayga: interface registration

---
 net/tayga/Makefile                                       | 2 +-
 .../controllers/OPNsense/Tayga/Api/ServiceController.php | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index bc8a613cab..fe232e6ac0 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tayga
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/Api/ServiceController.php b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/Api/ServiceController.php
index 4c82981cef..54288658cf 100644
--- a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/Api/ServiceController.php
+++ b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/Api/ServiceController.php
@@ -36,4 +36,13 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/Tayga';
     protected static $internalServiceEnabled = 'enabled';
     protected static $internalServiceName = 'tayga';
+
+    /**
+     * hook group interface registration on reconfigure
+     * @return bool
+     */
+    protected function invokeInterfaceRegistration()
+    {
+        return true;
+    }
 }

From dc7dcf320dd29a13254c851590af901e9c18e67b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Feb 2023 11:39:35 +0100
Subject: [PATCH 1370/3088] net/wireguard: correct comment

---
 .../controllers/OPNsense/Wireguard/Api/ServiceController.php    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
index b6f93c87f6..627911beb4 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
@@ -45,7 +45,7 @@ class ServiceController extends ApiMutableServiceControllerBase
 
     /**
      * hook group interface registration on reconfigure
-     * @return array
+     * @return bool
      */
     protected function invokeInterfaceRegistration()
     {

From 2e1d61e301b5ac4c066f9b349f8682797de458e9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 2 Feb 2023 12:33:27 +0100
Subject: [PATCH 1371/3088] security/openconnect: small updates for 1.4.4

---
 security/openconnect/pkg-descr                           | 2 ++
 .../OPNsense/Openconnect/Api/ServiceController.php       | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index b6ac6ccfc2..77338528ce 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -9,6 +9,8 @@ Plugin Changelog
 1.4.4
 
 * Improve compatibility via useragent="AnyConnect"
+* Register interfaces on reconfigure
+* Ignore server-side DNS servers
 
 1.4.3
 
diff --git a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/ServiceController.php b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/ServiceController.php
index e7fc2ce5fd..9445a96f82 100644
--- a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/ServiceController.php
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/Api/ServiceController.php
@@ -36,4 +36,13 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/Openconnect';
     protected static $internalServiceEnabled = 'enabled';
     protected static $internalServiceName = 'openconnect';
+
+    /**
+     * hook group interface registration on reconfigure
+     * @return bool
+     */
+    protected function invokeInterfaceRegistration()
+    {
+        return true;
+    }
 }

From 38a172b4886deb51abfbae38cd316c8ad96850e0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 7 Feb 2023 09:34:11 +0100
Subject: [PATCH 1372/3088] plugins: remove PLUGIN_FLAVOUR handling and related
 LibreSSL bits

---
 Mk/defaults.mk                                      | 13 -------------
 Templates/version                                   |  1 -
 net/haproxy/Makefile                                |  1 +
 .../service/templates/OPNsense/HAProxy/haproxy.conf |  8 --------
 .../controllers/OPNsense/Tinc/forms/dialogHost.xml  |  2 +-
 .../OPNsense/Tinc/forms/dialogNetwork.xml           |  2 +-
 vendor/sunnyvalley/Makefile                         |  3 +--
 .../src/etc/pkg/repos/SunnyValley.conf.in           |  2 +-
 8 files changed, 5 insertions(+), 27 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 48abd23d66..a26f74bfc6 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -39,18 +39,6 @@ GITVERSION=	${SCRIPTSDIR}/version.sh
 _PLUGIN_ARCH!=	uname -p
 PLUGIN_ARCH?=	${_PLUGIN_ARCH}
 
-OPENSSL?=	${LOCALBASE}/bin/openssl
-
-.if ! defined(PLUGIN_FLAVOUR)
-.if exists(${OPENSSL})
-_PLUGIN_FLAVOUR!=	${OPENSSL} version
-PLUGIN_FLAVOUR?=	${_PLUGIN_FLAVOUR:[1]}
-.else
-.warning "Detected 'Base' flavour is not currently supported"
-PLUGIN_FLAVOUR?=	Base
-.endif
-.endif
-
 VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 
 .if exists(${VERSIONBIN})
@@ -83,7 +71,6 @@ PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 
 REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_ARCH \
-		PLUGIN_FLAVOUR \
 		PLUGIN_HASH \
 		PLUGIN_MAINTAINER \
 		PLUGIN_NAME \
diff --git a/Templates/version b/Templates/version
index f03ab1fa71..6d97cfccb5 100644
--- a/Templates/version
+++ b/Templates/version
@@ -2,7 +2,6 @@
     "product_abi": "%%PLUGIN_ABI%%",
     "product_arch": "%%PLUGIN_ARCH%%",
     "product_email": "%%PLUGIN_MAINTAINER%%",
-    "product_flavour": "%%PLUGIN_FLAVOUR%%",
     "product_hash": "%%PLUGIN_HASH%%",
     "product_id": "%%PLUGIN_PKGNAME%%",
     "product_name": "%%PLUGIN_NAME%%",
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index b188a23eef..876f01b80f 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy26
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 14442a6867..ac158fc4ca 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1050,11 +1050,7 @@ global
     ssl-default-bind-ciphers {{ OPNsense.HAProxy.general.tuning.ssl_cipherList }}
 {%   endif %}
 {%   if OPNsense.HAProxy.general.tuning.ssl_cipherSuites|default("") != "" %}
-{%     if helpers.exists('system.firmware.flavour') and not(helpers.empty('system.firmware.flavour')) and system.firmware.flavour|default('') == 'libressl' %}
-    # WARNING: ssl-default-bind-ciphersuites cannot be used with flavour {{ system.firmware.flavour}}.
-{%     else %}
     ssl-default-bind-ciphersuites {{ OPNsense.HAProxy.general.tuning.ssl_cipherSuites }}
-{%     endif %}
 {%   endif %}
 {% endif %}
 {# # specify local peer #}
@@ -1327,11 +1323,7 @@ frontend {{frontend.name}}
 {%             do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
 {%           endif %}
 {%           if frontend.ssl_cipherSuites|default("") != "" %}
-{%             if helpers.exists('system.firmware.flavour') and not(helpers.empty('system.firmware.flavour')) and system.firmware.flavour|default('') == 'libressl' %}
-    # WARNING: ciphersuites cannot be used with flavour {{ system.firmware.flavour}}.
-{%             else %}
 {%               do ssl_options.append('ciphersuites ' ~ frontend.ssl_cipherSuites) %}
-{%             endif %}
 {%           endif %}
 {#           # HSTS #}
 {%           if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}
diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
index 0e5bc3c348..b78e2a96d7 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogHost.xml
@@ -50,7 +50,7 @@
       <label>Cipher</label>
       <type>dropdown</type>
       <help>The symmetric cipher algorithm used to encrypt UDP packets.
-             Any cipher supported by LibreSSL or OpenSSL is recognised.
+             Any cipher supported by OpenSSL is recognised.
              Furthermore, specifying "none" will turn off packet encryption.
              It is best to use only those ciphers which support CBC mode
       </help>
diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
index 1c2224c4d8..1b2087b947 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
@@ -37,7 +37,7 @@
       <label>Cipher</label>
       <type>dropdown</type>
       <help>The symmetric cipher algorithm used to encrypt UDP packets.
-             Any cipher supported by LibreSSL or OpenSSL is recognised.
+             Any cipher supported by OpenSSL is recognised.
              Furthermore, specifying "none" will turn off packet encryption.
              It is best to use only those ciphers which support CBC mode
       </help>
diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 39e7251030..b9ff6023ff 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,9 +1,8 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
 PLUGIN_WWW=		https://www.sunnyvalley.io
-PLUGIN_DEPENDS=		${PLUGIN_FLAVOUR:tl}
 
 .include "../../Mk/plugins.mk"
diff --git a/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in b/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in
index 7b4ba66e73..c4c6acc7bb 100644
--- a/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in
+++ b/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in
@@ -1,6 +1,6 @@
 SunnyValley: {
   fingerprints: "/usr/local/etc/pkg/fingerprints/SunnyValley",
-  url: "https://updates.sunnyvalley.io/opnsense/${ABI}/%%PLUGIN_ABI%%/%%PLUGIN_FLAVOUR%%/latest",
+  url: "https://updates.sunnyvalley.io/opnsense/${ABI}/%%PLUGIN_ABI%%/OpenSSL/latest",
   signature_type: "fingerprints",
   priority: 7,
   enabled: yes

From 3c4e3e7c3df3d285b95d7c2bd39df26123fa2779 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 7 Feb 2023 12:58:37 +0100
Subject: [PATCH 1373/3088] emulators/qemu-guest-agent: switch to newest qemu
 ga, fixes #3283 (#3301)

---
 emulators/qemu-guest-agent/Makefile  | 3 +--
 emulators/qemu-guest-agent/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/emulators/qemu-guest-agent/Makefile b/emulators/qemu-guest-agent/Makefile
index e6b0f8d8c5..f0c669044a 100644
--- a/emulators/qemu-guest-agent/Makefile
+++ b/emulators/qemu-guest-agent/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		qemu-guest-agent
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		QEMU Guest Agent for OPNsense
 PLUGIN_DEPENDS=		qemu-guest-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/emulators/qemu-guest-agent/pkg-descr b/emulators/qemu-guest-agent/pkg-descr
index 12375095f5..e074dd911f 100644
--- a/emulators/qemu-guest-agent/pkg-descr
+++ b/emulators/qemu-guest-agent/pkg-descr
@@ -6,6 +6,11 @@ WWW: http://wiki.qemu.org/Main_Page
 Plugin Changelog
 ================
 
+1.2
+
+Changed:
+* switch to most recent version of qemu guest agent
+
 1.1
 
 Fixed:

From 2d394eabf377e25a101aef362d98e6b71ea939f7 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 7 Feb 2023 14:54:10 +0100
Subject: [PATCH 1374/3088] net/haproxy: release 4.1

---
 net/haproxy/Makefile  | 3 +--
 net/haproxy/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 876f01b80f..f400b0ba29 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		4.1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy26
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 4028a0650a..22d70bfaea 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.1
+
+Fixed:
+* fix SSL preferences in health checks (#3221)
+
 4.0
 
 Added:

From 85a20658afc384a3b503c30b54bf5df1dc2c4100 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Feb 2023 16:33:16 +0100
Subject: [PATCH 1375/3088] net/sslh: remove emtpy cron description

---
 net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf b/net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf
index 2e401ddb35..611a1fa408 100644
--- a/net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf
+++ b/net/sslh/src/opnsense/service/conf/actions.d/actions_sslh.conf
@@ -3,11 +3,10 @@
 ################################################################################
 
 [status]
-command:/usr/local/etc/rc.d/sslh status || exit 0
+command:/usr/local/etc/rc.d/sslh status; exit 0
 parameters:
 type:script_output
 message: sslh: requesting status
-description:
 
 [start]
 command:/usr/local/etc/rc.d/sslh start

From 48d25da33dfad65932a17ba833075f5734dd6cf5 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 15 Feb 2023 23:04:14 +0100
Subject: [PATCH 1376/3088] sysutils/api-backup: add json download
 functionality

---
 sysutils/api-backup/Makefile                  |  3 +-
 sysutils/api-backup/pkg-descr                 | 11 ++++
 .../OPNsense/Backup/Api/BackupController.php  | 52 ++++++++++++++++---
 3 files changed, 58 insertions(+), 8 deletions(-)

diff --git a/sysutils/api-backup/Makefile b/sysutils/api-backup/Makefile
index d1a243984a..55131b846f 100644
--- a/sysutils/api-backup/Makefile
+++ b/sysutils/api-backup/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		api-backup
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Provide the functionality to download the config.xml
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
diff --git a/sysutils/api-backup/pkg-descr b/sysutils/api-backup/pkg-descr
index 45972dda81..2a2a1cfe6b 100644
--- a/sysutils/api-backup/pkg-descr
+++ b/sysutils/api-backup/pkg-descr
@@ -1 +1,12 @@
 Provide the functionality to download the config.xml
+
+Plugin Changelog
+================
+
+1.1
+
+* add json download functionality
+
+1.0
+
+* initial release
diff --git a/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php b/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
index 192be73400..e39e5682b2 100644
--- a/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
+++ b/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2023 Frank Wall
  * Copyright (C) 2018 Fabian Franz
  * All rights reserved.
  *
@@ -34,17 +35,56 @@ class BackupController extends ApiControllerBase
 {
     const CONFIG_XML = '/conf/config.xml';
 
-    public function downloadAction()
+    /**
+     * download system config
+     * @param string $format set to 'json' to get a base64 encoded config backup
+     * @return array|mixed
+     */
+    public function downloadAction($format='plain')
     {
-        $this->response->setStatusCode(200, "OK");
-        $this->response->setContentType('application/xml', 'UTF-8');
-        $this->response->setHeader("Content-Disposition", "attachment; filename=\"config.xml\"");
         $data = file_get_contents(self::CONFIG_XML);
-        $this->response->setContent($data);
+        $status = $data === false ? 'error' : 'success';
+
+        if ($format == 'json') {
+            $response = array(
+              'status' => $status,
+              'filename' => 'config.xml',
+              'filetype' => 'application/xml',
+              'content' => base64_encode($data),
+            );
+            return $response;
+        } else {
+            $this->response->setStatusCode(200, "OK");
+            $this->response->setContentType('application/xml', 'UTF-8');
+            $this->response->setHeader("Content-Disposition", "attachment; filename=\"config.xml\"");
+            $data = file_get_contents(self::CONFIG_XML);
+            $this->response->setContent($data);
+        }
     }
 
+    /**
+     * process API results, serialize return data to json.
+     * @param $dispatcher
+     * @return string json data
+     */
     public function afterExecuteRoute($dispatcher)
     {
-        $this->response->send();
+        // check if reponse headers are already set
+        if ($this->response->getHeaders()->get("Status") != null) {
+            // Headers already set, send unmodified response.
+        } else {
+            // process response, serialize to json object
+            $data = $dispatcher->getReturnedValue();
+            if (is_array($data)) {
+                $this->response->setContentType('application/json', 'UTF-8');
+                if ($this->isExternalClient()) {
+                    $this->response->setContent(json_encode($data));
+                } else {
+                    $this->response->setContent(htmlspecialchars(json_encode($data), ENT_NOQUOTES));
+                }
+            }
+        }
+
+        return $this->response->send();
     }
 }

From 4507c7d3643d7c80f7d3c20b8bc04de94e1be7ce Mon Sep 17 00:00:00 2001
From: Matt J Cwanek <mcwanek@users.noreply.github.com>
Date: Tue, 21 Feb 2023 01:13:34 -0500
Subject: [PATCH 1377/3088] rfc2136: add more hash algorithms (#3316)

This request pulls forward some changes by user "av-commits" (see issues: https://github.com/opnsense/plugins/issues/3028 and https://github.com/opnsense/plugins/issues/1664) to add more hash algorithms to the dns/rfc2136 plugin.

I needed these changes for my personal firewall, not sure why the original changes never made it into opnsense. These changes are currently running locally just fine.
---
 dns/rfc2136/Makefile                          |  2 +-
 dns/rfc2136/pkg-descr                         |  7 ++++++
 .../src/etc/inc/plugins.inc.d/rfc2136.inc     |  2 +-
 dns/rfc2136/src/www/services_rfc2136_edit.php | 22 ++++++++++++++-----
 4 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index 54f5bd4da7..dac21994a5 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		rfc2136
-PLUGIN_VERSION=		1.7
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/pkg-descr b/dns/rfc2136/pkg-descr
index defdef6d05..5ef614b97c 100644
--- a/dns/rfc2136/pkg-descr
+++ b/dns/rfc2136/pkg-descr
@@ -1 +1,8 @@
 Support for RFC-2136 based dynamic DNS updates using Bind
+
+Plugin Changelog
+================
+
+1.8
+
+* Add support for choosing hash algorithm used by nsupdate command
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 65d53f6923..13a2266415 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -123,7 +123,7 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
         $keyfile = "/var/etc/nsupdatekey{$i}";
         $keyfill = [
             "key \"{$keyname}\" {",
-            "\talgorithm hmac-md5;",
+            "\talgorithm {$dnsupdate['keyalgo']};",
             "\tsecret \"{$dnsupdate['keydata']}\";",
             "};",
             '' /* end of file */
diff --git a/dns/rfc2136/src/www/services_rfc2136_edit.php b/dns/rfc2136/src/www/services_rfc2136_edit.php
index 9ae9027770..460c1e736e 100644
--- a/dns/rfc2136/src/www/services_rfc2136_edit.php
+++ b/dns/rfc2136/src/www/services_rfc2136_edit.php
@@ -33,6 +33,8 @@
 require_once("plugins.inc.d/rfc2136.inc");
 
 $a_rfc2136 = &config_read_array('dnsupdates', 'dnsupdate');
+$nsukeyalgos = array("hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512");
+$nsukeyalgodefault = "hmac-sha512";
 
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     if (isset($_GET['id']) && !empty($a_rfc2136[$_GET['id']])) {
@@ -49,6 +51,7 @@
     $pconfig['ttl'] = isset($id) &&!empty($a_rfc2136[$id]['ttl']) ? $a_rfc2136[$id]['ttl'] : 60;
     $pconfig['keydata'] = isset($id) &&!empty($a_rfc2136[$id]['keydata']) ? $a_rfc2136[$id]['keydata'] : null;
     $pconfig['keyname'] = isset($id) &&!empty($a_rfc2136[$id]['keyname']) ? $a_rfc2136[$id]['keyname'] : null;
+    $pconfig['keyalgo'] = isset($id) &&!empty($a_rfc2136[$id]['keyalgo']) ? $a_rfc2136[$id]['keyalgo'] : $nsukeyalgodefault;
     $pconfig['server'] = isset($id) &&!empty($a_rfc2136[$id]['server']) ? $a_rfc2136[$id]['server'] : null;
     $pconfig['interface'] = isset($id) &&!empty($a_rfc2136[$id]['interface']) ? $a_rfc2136[$id]['interface'] : null;
     $pconfig['descr'] = isset($id) &&!empty($a_rfc2136[$id]['descr']) ? $a_rfc2136[$id]['descr'] : null;
@@ -88,6 +91,7 @@
         $rfc2136['ttl'] = $pconfig['ttl'];
         $rfc2136['keyname'] = $pconfig['keyname'];
         $rfc2136['keydata'] = $pconfig['keydata'];
+        $rfc2136['keyalgo'] = $pconfig['keyalgo'];
         $rfc2136['server'] = $pconfig['server'];
         $rfc2136['usetcp'] = !empty($pconfig['usetcp']);
         $rfc2136['usepublicip'] = !empty($pconfig['usepublicip']);
@@ -149,14 +153,12 @@
                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Interface to monitor");?></td>
                    <td>
                      <select name="interface" class="selectpicker" id="requestif">
- <?php
-                      foreach (get_configured_interface_with_descr() as $if => $ifdesc):?>
+<?php foreach (get_configured_interface_with_descr() as $if => $ifdesc): ?>
                         <option value="<?=$if;?>" <?=$pconfig['interface'] == $if ? "selected=\"selected\"" : "";?>>
                           <?=htmlspecialchars($ifdesc);?>
                         </option>
-
 <?php
-                      endforeach;?>
+                        endforeach;?>
                       </select>
                     </td>
                   </tr>
@@ -195,12 +197,22 @@
                       </div>
                     </td>
                   </tr>
+                  <tr>
+                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Key algorithm");?></td>
+                    <td>
+                      <select name="keyalgo" class="selectpicker">
+<?php foreach ($nsukeyalgos as $nsukeyalgo): ?>
+                        <option value="<?=$nsukeyalgo;?>" <?= $pconfig['keyalgo'] == $nsukeyalgo ? 'selected="selected"' : '' ?>><?= gettext($nsukeyalgo) ?></option>
+<?php endforeach ?>
+                      </select>
+                    </td>
+                  </tr>
                   <tr>
                     <td><a id="help_for_keydata" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Key");?></td>
                     <td>
                       <input name="keydata" type="text" id="keydata" size="70" value="<?=htmlspecialchars($pconfig['keydata']);?>" />
                       <div class="hidden" data-for="help_for_keydata">
-                        <?=gettext("Paste an HMAC-MD5 key here.");?>
+                        <?=gettext("Paste an TSIG domain key here.");?>
                       </div>
                     </td>
                   </tr>

From 6cf9ae6c57e66d958738d1a76116a55fe30c30d7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Feb 2023 07:47:22 +0100
Subject: [PATCH 1378/3088] dns/rfc2136: retain hmac-md5 as default, validation
 and labels

PR: https://github.com/opnsense/plugins/pull/3316
---
 .../src/etc/inc/plugins.inc.d/rfc2136.inc     |  3 ++-
 dns/rfc2136/src/www/services_rfc2136_edit.php | 23 +++++++++++++------
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 13a2266415..2de4d43c10 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -121,9 +121,10 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
         }
 
         $keyfile = "/var/etc/nsupdatekey{$i}";
+        $keyalgo = !empty($dnsupdate['keyalgo']) ? $dnsupdate['keyalgo'] : 'hmac-md5';
         $keyfill = [
             "key \"{$keyname}\" {",
-            "\talgorithm {$dnsupdate['keyalgo']};",
+            "\talgorithm {$keyalgo};",
             "\tsecret \"{$dnsupdate['keydata']}\";",
             "};",
             '' /* end of file */
diff --git a/dns/rfc2136/src/www/services_rfc2136_edit.php b/dns/rfc2136/src/www/services_rfc2136_edit.php
index 460c1e736e..4e093462b4 100644
--- a/dns/rfc2136/src/www/services_rfc2136_edit.php
+++ b/dns/rfc2136/src/www/services_rfc2136_edit.php
@@ -33,8 +33,15 @@
 require_once("plugins.inc.d/rfc2136.inc");
 
 $a_rfc2136 = &config_read_array('dnsupdates', 'dnsupdate');
-$nsukeyalgos = array("hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512");
-$nsukeyalgodefault = "hmac-sha512";
+
+$nsukeyalgos = [
+    'hmac-md5' => 'MD5',
+    'hmac-sha1' => 'SHA-1',
+    'hmac-sha224' => 'SHA-244',
+    'hmac-sha256' => 'SHA-256',
+    'hmac-sha384' => 'SHA-384',
+    'hmac-sha512' => 'SHA-512',
+];
 
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     if (isset($_GET['id']) && !empty($a_rfc2136[$_GET['id']])) {
@@ -51,7 +58,7 @@
     $pconfig['ttl'] = isset($id) &&!empty($a_rfc2136[$id]['ttl']) ? $a_rfc2136[$id]['ttl'] : 60;
     $pconfig['keydata'] = isset($id) &&!empty($a_rfc2136[$id]['keydata']) ? $a_rfc2136[$id]['keydata'] : null;
     $pconfig['keyname'] = isset($id) &&!empty($a_rfc2136[$id]['keyname']) ? $a_rfc2136[$id]['keyname'] : null;
-    $pconfig['keyalgo'] = isset($id) &&!empty($a_rfc2136[$id]['keyalgo']) ? $a_rfc2136[$id]['keyalgo'] : $nsukeyalgodefault;
+    $pconfig['keyalgo'] = isset($id) &&!empty($a_rfc2136[$id]['keyalgo']) ? $a_rfc2136[$id]['keyalgo'] : null;
     $pconfig['server'] = isset($id) &&!empty($a_rfc2136[$id]['server']) ? $a_rfc2136[$id]['server'] : null;
     $pconfig['interface'] = isset($id) &&!empty($a_rfc2136[$id]['interface']) ? $a_rfc2136[$id]['interface'] : null;
     $pconfig['descr'] = isset($id) &&!empty($a_rfc2136[$id]['descr']) ? $a_rfc2136[$id]['descr'] : null;
@@ -83,6 +90,9 @@
     if (!empty($pconfig['keyname']) && !is_domain($pconfig['keyname'])) {
         $input_errors[] = gettext("The DNS update key name contains invalid characters.");
     }
+    if (!in_array($pconfig['keyalgo'] , array_keys($nsukeyalgos))) {
+        $input_errors[] = gettext('The DNS update key algorith is invalid.');
+    }
 
     if (count($input_errors) == 0) {
         $rfc2136 = array();
@@ -157,8 +167,7 @@
                         <option value="<?=$if;?>" <?=$pconfig['interface'] == $if ? "selected=\"selected\"" : "";?>>
                           <?=htmlspecialchars($ifdesc);?>
                         </option>
-<?php
-                        endforeach;?>
+<?php endforeach ?>
                       </select>
                     </td>
                   </tr>
@@ -201,8 +210,8 @@
                     <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Key algorithm");?></td>
                     <td>
                       <select name="keyalgo" class="selectpicker">
-<?php foreach ($nsukeyalgos as $nsukeyalgo): ?>
-                        <option value="<?=$nsukeyalgo;?>" <?= $pconfig['keyalgo'] == $nsukeyalgo ? 'selected="selected"' : '' ?>><?= gettext($nsukeyalgo) ?></option>
+<?php foreach ($nsukeyalgos as $nsukeyalgo => $label): ?>
+                        <option value="<?= html_safe($nsukeyalgo) ?>" <?= $pconfig['keyalgo'] == $nsukeyalgo ? 'selected="selected"' : '' ?>><?= html_safe($label) ?></option>
 <?php endforeach ?>
                       </select>
                     </td>

From ff1f0ab1a0204f8cee1dca6fc47fd10a54f76e49 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 21 Feb 2023 12:17:33 +0100
Subject: [PATCH 1379/3088] security/acme: support cert upload to Palo Alto
 Firewall, closes #3289

---
 security/acme-client/Makefile                 |  2 +-
 security/acme-client/pkg-descr                |  5 ++
 .../AcmeClient/forms/dialogAction.xml         | 20 ++++++++
 .../AcmeClient/LeAutomation/AcmePanos.php     | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 16 +++++++
 5 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmePanos.php

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 13e3111400..8091d14b88 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.15
+PLUGIN_VERSION=		3.16
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index d82b556aa3..3fc684cf0a 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.16
+
+Added:
+* new automation: deploy certificates on Palo Alto Networks Firewall (#3289)
+
 3.15
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 45544272c1..2059a2e67d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -263,6 +263,26 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_panos</style>
+    </field>
+    <field>
+        <id>action.acme_panos_username</id>
+        <label>Username</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>action.acme_panos_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>action.acme_panos_host</id>
+        <label>Host</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmePanos.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmePanos.php
new file mode 100644
index 0000000000..82ce66d12c
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmePanos.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook panos
+ * @package OPNsense\AcmeClient
+ */
+class AcmePanos extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['PANOS_USER'] = (string)$this->config->acme_panos_username;
+        $this->acme_env['PANOS_PASS'] = (string)$this->config->acme_panos_password;
+        $this->acme_env['PANOS_HOST'] = (string)$this->config->acme_panos_host;
+        $this->acme_args[] = '--deploy-hook panos --insecure';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 23f59686a2..9488f2f277 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1147,6 +1147,7 @@
                         <configd_upload_sftp>Upload certificate via SFTP</configd_upload_sftp>
                         <configd_remote_ssh>Remote Command via SSH</configd_remote_ssh>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
+                        <acme_panos>Upload certificate to Palo Alto Networks Firewall</acme_panos>
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
                         <acme_unifi>Update local Unifi keystore</acme_unifi>
@@ -1340,6 +1341,21 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_fritzbox_password>
+                <acme_panos_username type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_panos_username>
+                <acme_panos_password type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_panos_password>
+                <acme_panos_host type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_panos_host>
                 <acme_unifi_keystore type="TextField">
                     <default>/usr/local/share/java/unifi/data/keystore</default>
                     <Required>N</Required>

From 2510f0b1d15e6947132c3d2179f058e8d07a106f Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 21 Feb 2023 19:18:24 +0100
Subject: [PATCH 1380/3088] security/acme: Add JD Cloud API dns challenge type,
 closes #3315

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 20 ++++++++
 .../AcmeClient/LeValidation/DnsJd.php         | 46 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 10 ++++
 4 files changed, 77 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsJd.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 3fc684cf0a..f00176d564 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 3.16
 
 Added:
+* add JD Cloud DNS API (#3315)
 * new automation: deploy certificates on Palo Alto Networks Firewall (#3289)
 
 3.15
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 09ac203b8d..8317542bd9 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -644,6 +644,26 @@
         <type>checkbox</type>
         <help>Uncheck this box if you have a valid SSL certificate for your ISPConfig installation.</help>
     </field>
+    <field>
+        <label>JD Cloud</label>
+        <type>header</type>
+        <style>table_dns table_dns_jd</style>
+    </field>
+    <field>
+        <id>validation.dns_jd_id</id>
+        <label>API key id</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_jd_region</id>
+        <label>JD Cloud region</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_jd_secret</id>
+        <label>API key secret</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Joker</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsJd.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsJd.php
new file mode 100644
index 0000000000..8d38888159
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsJd.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * JD Cloud DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsJd extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['JD_ACCESS_KEY_ID'] = (string)$this->config->dns_jd_id;
+        $this->acme_env['JD_REGION'] = (string)$this->config->dns_jd_region;
+        $this->acme_env['JD_ACCESS_KEY_SECRET'] = (string)$this->config->dns_jd_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 9488f2f277..aa86eb9e60 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -465,6 +465,7 @@
                         <dns_inwx>INWX XMLRPC</dns_inwx>
                         <dns_ionos>IONOS domain</dns_ionos>
                         <dns_ispconfig>ISPConfig 3.1+</dns_ispconfig>
+                        <dns_jd>JD Cloud</dns_jd>
                         <dns_joker>Joker</dns_joker>
                         <dns_kinghost>KingHost</dns_kinghost>
                         <dns_knot>Knot (knsupdate)</dns_knot>
@@ -708,6 +709,15 @@
                     <Required>N</Required>
                     <default>1</default>
                 </dns_ispconfig_insecure>
+                <dns_jd_id type="TextField">
+                    <Required>N</Required>
+                </dns_jd_id>
+                <dns_jd_region type="TextField">
+                    <Required>N</Required>
+                </dns_jd_region>
+                <dns_jd_secret type="TextField">
+                    <Required>N</Required>
+                </dns_jd_secret>
                 <dns_joker_username type="TextField">
                     <Required>N</Required>
                 </dns_joker_username>

From 4218e82baae4ddf594fa483133748990c97e9f71 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed, 22 Feb 2023 15:29:27 +0300
Subject: [PATCH 1381/3088] security/acme: lighty minor config fixes

use 'deflate.' options to enable compression
mod_dirlisting is disabled by default
---
 .../OPNsense/AcmeClient/lighttpd-acme-challenge.conf   | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
index 5f3cf31d29..b59553e269 100644
--- a/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
+++ b/security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
@@ -72,18 +72,16 @@ $SERVER["socket"]  == "[::1]:{{OPNsense.AcmeClient.settings.challengePort}}" { }
 # to help the rc.scripts
 server.pid-file = "/var/run/lighttpd-acme-challenge.pid"
 
-# virtual directory listings
-server.dir-listing = "disable"
-
 # enable debugging
 debug.log-request-header   = "disable"
 debug.log-response-header  = "disable"
 debug.log-request-handling = "disable"
 debug.log-file-not-found   = "disable"
 
-# gzip compression
-compress.cache-dir = "/tmp/acmelighttpdcompress/"
-compress.filetype  = ("text/plain","text/css", "text/xml", "text/javascript" )
+# enable compression
+deflate.cache-dir = "/tmp/acmelighttpdcompress/"
+deflate.mimetypes = ("text/plain", "text/css", "text/xml", "text/javascript")
+deflate.allowed-encodings = ("br", "gzip", "deflate")
 
 server.max-request-size = 4096
 server.tag = "lighttpd/ACME"

From 021b32fc3bcafa4ef6861a166aa2f9a41829b573 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Sat, 25 Feb 2023 18:09:50 +0100
Subject: [PATCH 1382/3088] dns-overview.css color theme fixes for
 Cicada/Vicuna (#3295)

* dns-overview.css color theme fixes for Cicada/Vicuna

by the way......for the dns-overview html basic structure the color "white" was written hardcoded. the color is defined differently in each theme and is already defined in the main.css. I would ask you to remove this hardcoded part so that the colors of the themes can be used again. the part I mentioned is here. see the screenshot
---
 misc/theme-cicada/Makefile                    |   2 +-
 .../themes/cicada/build/css/dns-overview.css  | 178 ++++++++++++++++++
 misc/theme-vicuna/Makefile                    |   2 +-
 .../themes/vicuna/build/css/dns-overview.css  | 178 ++++++++++++++++++
 4 files changed, 358 insertions(+), 2 deletions(-)
 create mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index b79faa2084..5286e2a9db 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.32
+PLUGIN_VERSION=		1.33
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
new file mode 100644
index 0000000000..071b3e7d0d
--- /dev/null
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
@@ -0,0 +1,178 @@
+.tab-content {
+    padding: 10px;
+    border-top: 1px solid #191919;
+}
+
+.banner {
+    width: 25%;
+}
+
+.stats-element {
+    height: 5em;
+    background: #202020;
+    overflow: hidden;
+    display: flex;
+    justify-content: flex-start;
+    border-radius: .3em;
+    margin:auto;
+    border: 1px solid rgb(24, 24, 24);
+}
+
+.stats-icon {
+    height: auto;
+    width: 50%;
+    object-fit:cover;
+    background: #d94f0033;
+    border-radius: 0 2em 2em 0 / 0 3em 3em 0;
+    box-shadow: 3px 5px 1px 3px rgba(217,79,0,0.25);
+}
+
+.large-icon {
+    position: relative;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+    font-size: 2em;
+}
+
+.stats-text {
+    height: 5em;
+    width: 15em;
+    display: flex;
+    justify-content: center;
+    text-align: center;
+    align-items: center;
+    flex-direction: column;
+}
+
+.stats-counter-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+}
+
+.stats-inner-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+}
+
+#bannersub {
+    text-align: center;
+    margin: 5px;
+}
+
+.list-group-wrapper {
+    margin: 0px;
+    padding-top: 10px;
+    padding-bottom: 10px;
+}
+
+.list-item-domain {
+    height: 2.5em;
+}
+
+.list-group-item-border {
+    border: 1px solid #191919;
+}
+
+.list-group-item-border:first-child {
+    border-top-left-radius: 4px;
+    border-top-right-radius: 4px;
+    border-bottom: 2px solid black;
+}
+
+.list-group-item-border:last-child {
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+}
+.btn.pull-right {
+    margin-left: 3px;
+}
+
+.odd-bg {
+    background: #f7f7f7;
+}
+
+.top-item {
+    display: flex;
+    white-space: nowrap;
+}
+
+.group-p {
+    overflow: hidden;
+    height: 20px;
+    margin-right: 5px;
+    text-overflow: ellipsis;
+}
+
+.counter {
+    position: relative;
+    top: -3px;
+    color: #888;
+    font-size: 14px;
+    line-height: 1.4;
+    flex: 1;
+    text-align: right;
+}
+
+.vertical-center {
+    margin: 0;
+    position: absolute;
+    top: 50%;
+    -ms-transform: translateY(-50%);
+    transform: translateY(-50%);
+}
+
+#maintabs > li > a {
+    border: 1px solid #191919;
+}
+
+.query-success {
+    background-color: rgba(5, 142, 73, 0.3);
+}
+
+.query-info {
+    background-color: rgba(255, 227, 0, 0.3);
+}
+
+.query-danger {
+    background-color: rgba(235, 9, 9, 0.3);
+}
+
+.query-warning {
+    background-color: rgba(255, 131, 0, 0.3);
+}
+
+#searchFilter {
+    display: inline-block;
+    margin: 0 20px 0 0;
+    vertical-align: middle;
+}
+
+.tag {
+    font-size: 14px;
+    padding: .3em .4em .4em;
+    margin: 0 .1em;
+}
+
+.tag a {
+  color: #bbb;
+  cursor: pointer;
+  opacity: 0.9;
+}
+
+.tag a {
+  margin: 0 0 0 .3em;
+}
+
+.tag a fa-times {
+  color: #fff;
+  margin-bottom: 2px;
+}
+
+.tooltip-inner {
+  max-width: 1000px !important;
+}
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 6ed096fffd..ac471e0d74 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.43
+PLUGIN_VERSION=		1.44
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css
new file mode 100644
index 0000000000..071b3e7d0d
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css
@@ -0,0 +1,178 @@
+.tab-content {
+    padding: 10px;
+    border-top: 1px solid #191919;
+}
+
+.banner {
+    width: 25%;
+}
+
+.stats-element {
+    height: 5em;
+    background: #202020;
+    overflow: hidden;
+    display: flex;
+    justify-content: flex-start;
+    border-radius: .3em;
+    margin:auto;
+    border: 1px solid rgb(24, 24, 24);
+}
+
+.stats-icon {
+    height: auto;
+    width: 50%;
+    object-fit:cover;
+    background: #d94f0033;
+    border-radius: 0 2em 2em 0 / 0 3em 3em 0;
+    box-shadow: 3px 5px 1px 3px rgba(217,79,0,0.25);
+}
+
+.large-icon {
+    position: relative;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+    font-size: 2em;
+}
+
+.stats-text {
+    height: 5em;
+    width: 15em;
+    display: flex;
+    justify-content: center;
+    text-align: center;
+    align-items: center;
+    flex-direction: column;
+}
+
+.stats-counter-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+}
+
+.stats-inner-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+}
+
+#bannersub {
+    text-align: center;
+    margin: 5px;
+}
+
+.list-group-wrapper {
+    margin: 0px;
+    padding-top: 10px;
+    padding-bottom: 10px;
+}
+
+.list-item-domain {
+    height: 2.5em;
+}
+
+.list-group-item-border {
+    border: 1px solid #191919;
+}
+
+.list-group-item-border:first-child {
+    border-top-left-radius: 4px;
+    border-top-right-radius: 4px;
+    border-bottom: 2px solid black;
+}
+
+.list-group-item-border:last-child {
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+}
+.btn.pull-right {
+    margin-left: 3px;
+}
+
+.odd-bg {
+    background: #f7f7f7;
+}
+
+.top-item {
+    display: flex;
+    white-space: nowrap;
+}
+
+.group-p {
+    overflow: hidden;
+    height: 20px;
+    margin-right: 5px;
+    text-overflow: ellipsis;
+}
+
+.counter {
+    position: relative;
+    top: -3px;
+    color: #888;
+    font-size: 14px;
+    line-height: 1.4;
+    flex: 1;
+    text-align: right;
+}
+
+.vertical-center {
+    margin: 0;
+    position: absolute;
+    top: 50%;
+    -ms-transform: translateY(-50%);
+    transform: translateY(-50%);
+}
+
+#maintabs > li > a {
+    border: 1px solid #191919;
+}
+
+.query-success {
+    background-color: rgba(5, 142, 73, 0.3);
+}
+
+.query-info {
+    background-color: rgba(255, 227, 0, 0.3);
+}
+
+.query-danger {
+    background-color: rgba(235, 9, 9, 0.3);
+}
+
+.query-warning {
+    background-color: rgba(255, 131, 0, 0.3);
+}
+
+#searchFilter {
+    display: inline-block;
+    margin: 0 20px 0 0;
+    vertical-align: middle;
+}
+
+.tag {
+    font-size: 14px;
+    padding: .3em .4em .4em;
+    margin: 0 .1em;
+}
+
+.tag a {
+  color: #bbb;
+  cursor: pointer;
+  opacity: 0.9;
+}
+
+.tag a {
+  margin: 0 0 0 .3em;
+}
+
+.tag a fa-times {
+  color: #fff;
+  margin-bottom: 2px;
+}
+
+.tooltip-inner {
+  max-width: 1000px !important;
+}

From 3ba03e9dd8e99620403455b18ebfb9b615b7f746 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Sun, 26 Feb 2023 13:36:01 +0100
Subject: [PATCH 1383/3088] Theme Tukan >> Missing unbound dns overview.css
 (#3324)

---
 misc/theme-tukan/Makefile                     |   2 +-
 .../themes/tukan/assets/stylesheets/main.scss |   4 +
 .../themes/tukan/build/css/dns-overview.css   | 180 ++++++++++++++++++
 .../www/themes/tukan/build/css/main.css       |   4 +
 4 files changed, 189 insertions(+), 1 deletion(-)
 create mode 100644 misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css

diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 7c959ab18c..ea7459e6f1 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.25
+PLUGIN_VERSION=		1.26
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
index 6c5e30aad1..3d9ea9d606 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
@@ -6544,3 +6544,7 @@ label.btn.au-target {
 #reports-tab {
     border-bottom: 1px solid #a5a5a5;
 }
+
+.top-list .list-group-item {
+    background-color: #fff;
+}
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css
new file mode 100644
index 0000000000..9824ee1de1
--- /dev/null
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css
@@ -0,0 +1,180 @@
+.tab-content {
+    padding: 10px;
+    border-top: 1px solid #E5E5E5;
+}
+
+.banner {
+    width: 25%;
+}
+
+.stats-element {
+    height: 5em;
+    background: #f7f7f7;
+    overflow: hidden;
+    display: flex;
+    justify-content: flex-start;
+    border-radius: .3em;
+    margin:auto;
+    border: 1px solid rgba(217, 79, 0, 0.2);
+}
+
+.stats-icon {
+    height: auto;
+    width: 50%;
+    object-fit:cover;
+    background: #d94f0033;
+    border-radius: 0 2em 2em 0 / 0 3em 3em 0;
+    box-shadow: 3px 5px 1px 3px rgba(217,79,0,0.25);
+}
+
+.large-icon {
+    position: relative;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+    font-size: 2em;
+}
+
+.stats-text {
+    height: 5em;
+    width: 15em;
+    display: flex;
+    justify-content: center;
+    text-align: center;
+    align-items: center;
+    flex-direction: column;
+}
+
+.stats-counter-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+}
+
+.stats-inner-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+}
+
+#bannersub {
+    text-align: center;
+    margin: 5px;
+}
+
+.list-group-wrapper {
+    margin: 0px;
+    padding-top: 10px;
+    padding-bottom: 10px;
+}
+
+.list-item-domain {
+    height: 2.5em;
+}
+
+.list-group-item-border {
+    border: 1px solid #ddd;
+}
+
+.list-group-item-border:first-child {
+    border-top-left-radius: 4px;
+    border-top-right-radius: 4px;
+    border-bottom: 2px solid black;
+}
+
+.list-group-item-border:last-child {
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+}
+.btn.pull-right {
+    margin-left: 3px;
+}
+
+.odd-bg {
+    background: #f7f7f7;
+}
+
+.top-item {
+    display: flex;
+    white-space: nowrap;
+}
+
+.group-p {
+    overflow: hidden;
+    height: 20px;
+    margin-right: 5px;
+    text-overflow: ellipsis;
+}
+
+.counter {
+    position: relative;
+    top: -3px;
+    color: #3c3c3b;
+    font-size: 14px;
+    line-height: 1.4;
+    flex: 1;
+    text-align: right;
+}
+
+.vertical-center {
+    margin: 0;
+    position: absolute;
+    top: 50%;
+    -ms-transform: translateY(-50%);
+    transform: translateY(-50%);
+}
+
+#maintabs > li > a {
+    border: 1px solid #E5E5E5;
+}
+
+.query-success {
+    background-color: #295f2b;
+    color: #FFF;
+}
+
+.query-info {
+    background-color: rgba(255, 227, 0, 0.3);
+}
+
+.query-danger {
+    background-color: #A22626;
+    color: #FFF;
+}
+
+.query-warning {
+    background-color: rgba(255, 131, 0, 0.3);
+}
+
+#searchFilter {
+    display: inline-block;
+    margin: 0 20px 0 0;
+    vertical-align: middle;
+}
+
+.tag {
+    font-size: 14px;
+    padding: .3em .4em .4em;
+    margin: 0 .1em;
+}
+
+.tag a {
+  color: #bbb;
+  cursor: pointer;
+  opacity: 0.9;
+}
+
+.tag a {
+  margin: 0 0 0 .3em;
+}
+
+.tag a fa-times {
+  color: #fff;
+  margin-bottom: 2px;
+}
+
+.tooltip-inner {
+  max-width: 1000px !important;
+}
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index 6c5e30aad1..3d9ea9d606 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -6544,3 +6544,7 @@ label.btn.au-target {
 #reports-tab {
     border-bottom: 1px solid #a5a5a5;
 }
+
+.top-list .list-group-item {
+    background-color: #fff;
+}

From c7240f48368cc3cf2d9274a5326e7bee92c136d2 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Wed, 1 Mar 2023 15:19:14 +0100
Subject: [PATCH 1384/3088] security/crowdsec 1.0.2: updated cron and log
 parsing (#3269)

---
 security/crowdsec/Makefile                    |   2 +-
 security/crowdsec/pkg-descr                   |   6 +
 .../crowdsec/src/etc/cron.d/oscrowdsec.cron   |   2 +-
 .../src/etc/crowdsec/acquis.d/opnsense.yaml   |  11 +-
 .../app/models/OPNsense/CrowdSec/General.xml  |   2 +-
 .../app/views/OPNsense/CrowdSec/general.volt  |   3 +-
 .../scripts/OPNsense/CrowdSec/hub-upgrade.sh  |  19 +-
 .../src/opnsense/www/js/CrowdSec/crowdsec.js  | 259 +++++++++---------
 8 files changed, 158 insertions(+), 146 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index b74fafce4c..c77c5f821b 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.1
+PLUGIN_VERSION=		1.0.2
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 53fc2bf43e..846f7e8e84 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,12 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.2
+
+* updated cron job (reload only when there are updates), added small random delay
+* limit log collection to latest.log (requires 22.7+)
+* some javascript lint
+
 1.0.1
 
 * fixed live logs
diff --git a/security/crowdsec/src/etc/cron.d/oscrowdsec.cron b/security/crowdsec/src/etc/cron.d/oscrowdsec.cron
index 2ec072c402..635b78577f 100644
--- a/security/crowdsec/src/etc/cron.d/oscrowdsec.cron
+++ b/security/crowdsec/src/etc/cron.d/oscrowdsec.cron
@@ -6,4 +6,4 @@
 SHELL=/bin/sh
 PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 #minute	hour	mday	month	wday	who	command
-0	1,13	*	*	*	root	/usr/local/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
+0	1	*	*	*	root	(sleep $(jot -r 1 1 60); /usr/local/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh)
diff --git a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
index 905be22566..ab73fcd906 100644
--- a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
+++ b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
@@ -7,9 +7,12 @@
 #
 
 filenames:
- # ssh
- - /var/log/audit/*.log
- # web admin
- - /var/log/lighttpd/*.log
+  # DO NOT EDIT - to add new datasources (log locations),
+  # create new files in /usr/local/etc/crowdsec/acquis.d/
+  #
+  # collection: crowdsecurity/sshd
+  - /var/log/audit/latest.log
+  # collection: crowdsecurity/opnsense-gui (web admin)
+  - /var/log/lighttpd/latest.log
 labels:
   type: syslog
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index dd124e045a..c647de7f37 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.1</version>
+  <version>1.0.2</version>
   <items>
 
     <agent_enabled type="BooleanField">
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index 3a91e9adee..76decfbb4d 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -1,7 +1,6 @@
 {# SPDX-License-Identifier: MIT #}
 {# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
 
-
 <script>
     $( document ).ready(function() {
         var data_get_map = {'frm_GeneralSettings':"/api/crowdsec/general/get"};
@@ -22,7 +21,7 @@
             });
         });
 
-        if(window.location.hash != "") {
+        if(window.location.hash !== "") {
             $('a[href="' + window.location.hash + '"]').click()
         }
         $('.nav-tabs a').on('shown.bs.tab', function (e) {
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
index 7b14772a9b..4d2a568081 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
@@ -1,16 +1,21 @@
 #!/bin/sh
 
-/usr/local/bin/cscli --error hub update \
-    && /usr/local/bin/cscli --error hub upgrade
+test -x /usr/local/bin/cscli || exit 0
+
+/usr/local/bin/cscli --error hub update
+
+upgraded=$(/usr/local/bin/cscli --error hub upgrade)
 
 if [ ! -e "/usr/local/etc/crowdsec/collections/opnsense.yaml" ]; then
     /usr/local/bin/cscli --error collections install crowdsecurity/opnsense
 fi
 
-if service crowdsec enabled; then
-    if ! service crowdsec status >/dev/null 2>&1; then
-        service crowdsec start >/dev/null 2>&1 || :
-    else
-        service crowdsec reload >/dev/null 2>&1 || :
+if [ -n "$upgraded" ]; then
+    if service crowdsec enabled; then
+        if ! service crowdsec status >/dev/null 2>&1; then
+            service crowdsec start >/dev/null 2>&1 || :
+        else
+            service crowdsec reload >/dev/null 2>&1 || :
+        fi
     fi
 fi
diff --git a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
index 39eaacd43b..93b9ec7670 100644
--- a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
+++ b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
@@ -1,27 +1,27 @@
-/*global moment, $ */
-/*exported CrowdSec */
-/*eslint no-undef: "error"*/
-/*eslint semi: "error"*/
+/* global moment, $ */
+/* exported CrowdSec */
+/* eslint no-undef: "error" */
+/* eslint semi: "error" */
 
-var CrowdSec = (function() {
+var CrowdSec = (function () {
     'use strict';
 
-    var _refresh_template = '<button class="btn btn-default" type="button" title="Refresh"><span class="icon glyphicon glyphicon-refresh"></span></button>';
+    var _refreshTemplate = '<button class="btn btn-default" type="button" title="Refresh"><span class="icon glyphicon glyphicon-refresh"></span></button>';
 
     var _dataFormatters = {
-        yesno: function(column, row) {
+        yesno: function (column, row) {
             return _yesno2html(row[column.id]);
         },
 
-        delete: function(column, row) {
+        delete: function (column, row) {
             var val = row.id;
             if (isNaN(val)) {
                 return '';
             }
-            return '<button type="button" class="btn btn-secondary btn-sm" value="'+val+'" onclick="CrowdSec.deleteDecision('+val+')"><i class="fa fa-trash" /></button>';
+            return '<button type="button" class="btn btn-secondary btn-sm" value="' + val + '" onclick="CrowdSec.deleteDecision(' + val + ')"><i class="fa fa-trash" /></button>';
         },
 
-        duration: function(column, row) {
+        duration: function (column, row) {
             var duration = row[column.id];
             if (!duration) {
                 return 'n/a';
@@ -29,89 +29,89 @@ var CrowdSec = (function() {
             return $('<div>').attr({
                 'data-toggle': 'tooltip',
                 'data-placement': 'left',
-                'title': duration
+                title: duration
             }).text(_humanizeDuration(duration)).prop('outerHTML');
         },
 
-        datetime: function(column, row) {
+        datetime: function (column, row) {
             var dt = row[column.id];
             var parsed = moment(dt);
             if (!dt) {
                 return '';
             }
             if (!parsed.isValid()) {
-                console.error("Cannot parse timestamp: %s", dt);
+                console.error('Cannot parse timestamp: %s', dt);
                 return '???';
             }
             return $('<div>').attr({
                 'data-toggle': 'tooltip',
                 'data-placement': 'left',
-                'title': parsed.format()
+                title: parsed.format()
             }).text(_humanizeDate(dt)).prop('outerHTML');
-        },
+        }
     };
 
-    function _parseDuration(duration) {
+    function _parseDuration (duration) {
         var re = /(-?)(?:(?:(\d+)h)?(\d+)m)?(\d+).\d+(m?)s/m;
         var matches = duration.match(re);
         var seconds = 0;
 
         if (!matches.length) {
-            throw new Error("Unable to parse the following duration: " + duration + ".");
+            throw new Error('Unable to parse the following duration: ' + duration + '.');
         }
-        if (typeof matches[2] !== "undefined") {
+        if (typeof matches[2] !== 'undefined') {
             seconds += parseInt(matches[2], 10) * 3600; // hours
         }
-        if (typeof matches[3] !== "undefined") {
+        if (typeof matches[3] !== 'undefined') {
             seconds += parseInt(matches[3], 10) * 60; // minutes
         }
-        if (typeof matches[4] !== "undefined") {
+        if (typeof matches[4] !== 'undefined') {
             seconds += parseInt(matches[4], 10); // seconds
         }
-        if ("m" === parseInt(matches[5], 10)) {
+        if (parseInt(matches[5], 10) === 'm') {
             // units in milliseconds
             seconds *= 0.001;
         }
-        if ("-" === parseInt(matches[1], 10)) {
+        if (parseInt(matches[1], 10) === '-') {
             // negative
             seconds = -seconds;
         }
         return seconds;
     }
 
-    function _updateFreshness(selector, timestamp) {
+    function _updateFreshness (selector, timestamp) {
         var $freshness = $(selector).find('.actionBar .freshness');
         if (timestamp) {
             $freshness.data('refresh_timestamp', timestamp);
         } else {
             timestamp = $freshness.data('refresh_timestamp');
         }
-        var howlong_human = '???';
+        var howlongHuman = '???';
         if (timestamp) {
-            var howlong_ms = moment() - moment(timestamp);
-            howlong_human = moment.duration(howlong_ms).humanize();
+            var howlongms = moment() - moment(timestamp);
+            howlongHuman = moment.duration(howlongms).humanize();
         }
-        $freshness.text(howlong_human + ' ago');
+        $freshness.text(howlongHuman + ' ago');
     }
 
-    function _addFreshness(selector) {
+    function _addFreshness (selector) {
         // this creates one timer per tab
-        var freshness_template = '<span style="float:left">Last refresh: <span class="freshness"></span></span>';
-        $(selector).find('.actionBar').prepend(freshness_template);
-        setInterval(function() {
+        var freshnessTemplate = '<span style="float:left">Last refresh: <span class="freshness"></span></span>';
+        $(selector).find('.actionBar').prepend(freshnessTemplate);
+        setInterval(function () {
            _updateFreshness(selector);
         }, 5000);
     }
 
-    function _humanizeDate(text) {
+    function _humanizeDate (text) {
         return moment(text).fromNow();
     }
 
-    function _humanizeDuration(text) {
+    function _humanizeDuration (text) {
         return moment.duration(_parseDuration(text), 'seconds').humanize();
     }
 
-    function _yesno2html(val) {
+    function _yesno2html (val) {
         if (val) {
             return '<i class="fa fa-check text-success"></i>';
         } else {
@@ -119,14 +119,14 @@ var CrowdSec = (function() {
         }
     }
 
-    function _decisionsByType(decisions) {
+    function _decisionsByType (decisions) {
         var dectypes = {};
         if (!decisions) {
             return '';
         }
-        decisions.map(function(decision) {
+        decisions.map(function (decision) {
             // TODO ignore negative expiration?
-            dectypes[decision.type] = dectypes[decision.type] ? (dectypes[decision.type]+1) : 1;
+            dectypes[decision.type] = dectypes[decision.type] ? (dectypes[decision.type] + 1) : 1;
         });
         var ret = '';
         for (var type in dectypes) {
@@ -138,47 +138,47 @@ var CrowdSec = (function() {
         return ret;
     }
 
-    function _initService() {
+    function _initService () {
         $.ajax({
             url: '/api/crowdsec/service/status',
             cache: false
-        }).done(function(data) {
+        }).done(function (data) {
             // TODO handle errors
-            var crowdsec_status = data['crowdsec-status'];
-            if (crowdsec_status === 'unknown') {
-                crowdsec_status = '<span class="text-danger">Unknown</span>';
+            var crowdsecStatus = data['crowdsec-status'];
+            if (crowdsecStatus === 'unknown') {
+                crowdsecStatus = '<span class="text-danger">Unknown</span>';
             } else {
-                crowdsec_status = _yesno2html(crowdsec_status === 'running');
+                crowdsecStatus = _yesno2html(crowdsecStatus === 'running');
             }
-            $('#crowdsec-status').html(crowdsec_status);
+            $('#crowdsec-status').html(crowdsecStatus);
 
-            var crowdsec_firewall_status = data['crowdsec-firewall-status'];
-            if (crowdsec_firewall_status === 'unknown') {
-                crowdsec_firewall_status = '<span class="text-danger">Unknown</span>';
+            var crowdsecFirewallStatus = data['crowdsec-firewall-status'];
+            if (crowdsecFirewallStatus === 'unknown') {
+                crowdsecFirewallStatus = '<span class="text-danger">Unknown</span>';
             } else {
-                crowdsec_firewall_status = _yesno2html(crowdsec_firewall_status === 'running');
+                crowdsecFirewallStatus = _yesno2html(crowdsecFirewallStatus === 'running');
             }
-            $('#crowdsec-firewall-status').html(crowdsec_firewall_status);
+            $('#crowdsec-firewall-status').html(crowdsecFirewallStatus);
         });
     }
 
-    function _initDebug() {
+    function _initDebug () {
         $.ajax({
             url: '/api/crowdsec/service/debug',
             cache: false
-        }).done(function(data) {
+        }).done(function (data) {
             $('#debug pre').text(data.message);
         });
     }
 
-    function _initTab(selector, url, dataCallback) {
+    function _initTab (selector, url, dataCallback) {
         var $tab = $(selector);
         if ($tab.find('table.bootgrid-table').length) {
             return;
         }
         $tab.find('table').
-            on("initialized.rs.jquery.bootgrid", function() {
-                $(_refresh_template).on('click', function() {
+            on('initialized.rs.jquery.bootgrid', function () {
+                $(_refreshTemplate).on('click', function () {
                     _refreshTab(selector, url, dataCallback);
                 }).insertBefore($tab.find('.actionBar .actions .dropdown:first'));
                 _addFreshness(selector);
@@ -190,7 +190,7 @@ var CrowdSec = (function() {
             });
     }
 
-    function _refreshTab(selector, url, dataCallback) {
+    function _refreshTab (selector, url, dataCallback) {
         $.ajax({
             url: url,
             cache: false
@@ -198,17 +198,17 @@ var CrowdSec = (function() {
         _updateFreshness(selector, moment());
     }
 
-    function _initMachines() {
+    function _initMachines () {
         var url = '/api/crowdsec/machines/get';
-        var dataCallback = function(data) {
+        var dataCallback = function (data) {
             var rows = [];
-            data.map(function(row) {
+            data.map(function (row) {
                 rows.push({
-                    name:        row.machineId,
-                    ip_address:  row.ipAddress || ' ',
+                    name: row.machineId,
+                    ip_address: row.ipAddress || ' ',
                     last_update: row.updated_at || ' ',
-                    validated:   row.isValidated,
-                    version:     row.version || ' '
+                    validated: row.isValidated,
+                    version: row.version || ' '
                 });
             });
         $('#machines table').bootgrid('clear').bootgrid('append', rows);
@@ -216,16 +216,16 @@ var CrowdSec = (function() {
         _initTab('#machines', url, dataCallback);
     }
 
-    function _initCollections() {
+    function _initCollections () {
         var url = '/api/crowdsec/collections/get';
-        var dataCallback = function(data) {
+        var dataCallback = function (data) {
             var rows = [];
-            data.collections.map(function(row) {
+            data.collections.map(function (row) {
                 rows.push({
-                    name:          row.name,
-                    status:        row.status,
+                    name: row.name,
+                    status: row.status,
                     local_version: row.local_version || ' ',
-                    local_path:    row.local_path || ' '
+                    local_path: row.local_path || ' '
                 });
             });
         $('#collections table').bootgrid('clear').bootgrid('append', rows);
@@ -233,17 +233,17 @@ var CrowdSec = (function() {
         _initTab('#collections', url, dataCallback);
     }
 
-    function _initScenarios() {
+    function _initScenarios () {
         var url = '/api/crowdsec/scenarios/get';
-        var dataCallback = function(data) {
+        var dataCallback = function (data) {
             var rows = [];
-            data.scenarios.map(function(row) {
+            data.scenarios.map(function (row) {
                 rows.push({
-                    name:          row.name,
-                    status:        row.status,
+                    name: row.name,
+                    status: row.status,
                     local_version: row.local_version || ' ',
-                    local_path:    row.local_path || ' ',
-                    description:   row.description || ' '
+                    local_path: row.local_path || ' ',
+                    description: row.description || ' '
                 });
             });
             $('#scenarios table').bootgrid('clear').bootgrid('append', rows);
@@ -251,17 +251,17 @@ var CrowdSec = (function() {
         _initTab('#scenarios', url, dataCallback);
     }
 
-    function _initParsers() {
+    function _initParsers () {
         var url = '/api/crowdsec/parsers/get';
-        var dataCallback = function(data) {
+        var dataCallback = function (data) {
             var rows = [];
-            data.parsers.map(function(row) {
+            data.parsers.map(function (row) {
                 rows.push({
-                    name:          row.name,
-                    status:        row.status,
+                    name: row.name,
+                    status: row.status,
                     local_version: row.local_version || ' ',
-                    local_path:    row.local_path || ' ',
-                    description:   row.description || ' '
+                    local_path: row.local_path || ' ',
+                    description: row.description || ' '
                 });
             });
             $('#parsers table').bootgrid('clear').bootgrid('append', rows);
@@ -269,17 +269,17 @@ var CrowdSec = (function() {
         _initTab('#parsers ', url, dataCallback);
     }
 
-    function _initPostoverflows() {
+    function _initPostoverflows () {
         var url = '/api/crowdsec/postoverflows/get';
-        var dataCallback = function(data) {
+        var dataCallback = function (data) {
             var rows = [];
-            data.postoverflows.map(function(row) {
+            data.postoverflows.map(function (row) {
                 rows.push({
-                    name:          row.name,
-                    status:        row.status,
+                    name: row.name,
+                    status: row.status,
                     local_version: row.local_version || ' ',
-                    local_path:    row.local_path || ' ',
-                    description:   row.description || ' '
+                    local_path: row.local_path || ' ',
+                    description: row.description || ' '
                 });
             });
             $('#postoverflows table').bootgrid('clear').bootgrid('append', rows);
@@ -287,19 +287,19 @@ var CrowdSec = (function() {
         _initTab('#postoverflows ', url, dataCallback);
     }
 
-    function _initBouncers() {
+    function _initBouncers () {
         var url = '/api/crowdsec/bouncers/get';
-        var dataCallback = function(data) {
+        var dataCallback = function (data) {
             var rows = [];
-            data.map(function(row) {
+            data.map(function (row) {
                 // TODO - remove || ' ' later, it was fixed for 1.3.3
                 rows.push({
-                    name:       row.name,
+                    name: row.name,
                     ip_address: row.ip_address || ' ',
-                    valid:      row.revoked ? false : true,
-                    last_pull:  row.last_pull,
-                    type:       row.type || ' ',
-                    version:    row.version || ' '
+                    valid: row.revoked ? false : true,
+                    last_pull: row.last_pull,
+                    type: row.type || ' ',
+                    version: row.version || ' '
                 });
             });
             $('#bouncers table').bootgrid('clear').bootgrid('append', rows);
@@ -307,18 +307,18 @@ var CrowdSec = (function() {
         _initTab('#bouncers ', url, dataCallback);
     }
 
-    function _initAlerts() {
+    function _initAlerts () {
         var url = '/api/crowdsec/alerts/get';
-        var dataCallback = function(data) {
+        var dataCallback = function (data) {
             var rows = [];
-            data.map(function(row) {
+            data.map(function (row) {
                 rows.push({
-                    id:         row.id,
-                    value:      row.source.scope + (row.source.value?(':'+row.source.value):''),
-                    reason:     row.scenario || ' ',
-                    country:    row.source.cn || ' ',
-                    as:         row.source.as_name || ' ',
-                    decisions:  _decisionsByType(row.decisions) || ' ',
+                    id: row.id,
+                    value: row.source.scope + (row.source.value ? (':' + row.source.value) : ''),
+                    reason: row.scenario || ' ',
+                    country: row.source.cn || ' ',
+                    as: row.source.as_name || ' ',
+                    decisions: _decisionsByType(row.decisions) || ' ',
                     created_at: row.created_at
                 });
             });
@@ -327,30 +327,30 @@ var CrowdSec = (function() {
         _initTab('#alerts ', url, dataCallback);
     }
 
-    function _initDecisions() {
+    function _initDecisions () {
         var url = '/api/crowdsec/decisions/get';
-        var dataCallback = function(data) {
+        var dataCallback = function (data) {
             var rows = [];
-            data.map(function(row) {
-                row.decisions.map(function(decision) {
+            data.map(function (row) {
+                row.decisions.map(function (decision) {
                     // ignore deleted decisions
                     if (decision.duration.startsWith('-')) {
                         return;
                     }
                     rows.push({
                         // search will break on empty values when using .append(). so we use spaces
-                        delete:       '',
-                        id:           decision.id,
-                        source:       decision.origin || ' ',
-                        scope_value:  decision.scope + (decision.value?(':'+decision.value):''),
-                        reason:       decision.scenario || ' ',
-                        action:       decision.type || ' ',
-                        country:      row.source.cn || ' ',
-                        as:           row.source.as_name || ' ',
+                        delete: '',
+                        id: decision.id,
+                        source: decision.origin || ' ',
+                        scope_value: decision.scope + (decision.value ? (':' + decision.value) : ''),
+                        reason: decision.scenario || ' ',
+                        action: decision.type || ' ',
+                        country: row.source.cn || ' ',
+                        as: row.source.as_name || ' ',
                         events_count: row.events_count,
                         // XXX pre-parse duration to seconds, and integer type, for sorting
-                        expiration:   decision.duration || ' ',
-                        alert_id:     row.id || ' '
+                        expiration: decision.duration || ' ',
+                        alert_id: row.id || ' '
                     });
                 });
             });
@@ -359,16 +359,16 @@ var CrowdSec = (function() {
         _initTab('#decisions ', url, dataCallback);
     }
 
-    function deleteDecision(decisionId) {
+    function deleteDecision (decisionId) {
         var $modal = $('#delete-decision-modal');
         $modal.find('.modal-title').text('Delete decision #' + decisionId);
         $modal.find('.modal-body').text('Are you sure?');
-        $modal.find('#delete-decision-confirm').on('click', function() {
+        $modal.find('#delete-decision-confirm').on('click', function () {
             $.ajax({
                 // XXX handle errors
                 url: '/api/crowdsec/decisions/delete/' + decisionId,
                 type: 'DELETE',
-                success: function(result) {
+                success: function (result) {
                     if (result && result.message === 'OK') {
                         $('#decisions table').bootgrid('remove', [decisionId]);
                         $modal.modal('hide');
@@ -379,7 +379,7 @@ var CrowdSec = (function() {
         $modal.modal('show');
     }
 
-    function init() {
+    function init () {
         _initService();
 
         $('#machines_tab').on('click', _initMachines);
@@ -395,14 +395,14 @@ var CrowdSec = (function() {
 
         if (window.location.hash) {
             // activate a tab from the hash, if it exists
-            $(window.location.hash+'_tab').click();
+            $(window.location.hash + '_tab').click();
         } else {
             // otherwise, machines
             $('#machines_tab').click();
         }
 
-        $(window).on('hashchange', function(e) {
-            $(window.location.hash+'_tab').click();
+        $(window).on('hashchange', function (e) {
+            $(window.location.hash + '_tab').click();
         });
 
         if (new URLSearchParams(window.location.search).has('debug')) {
@@ -410,8 +410,8 @@ var CrowdSec = (function() {
         }
 
         // navigation
-        if(window.location.hash != "") {
-            $('a[href="' + window.location.hash + '"]').click()
+        if (window.location.hash !== '') {
+            $('a[href="' + window.location.hash + '"]').click();
         }
         $('.nav-tabs a').on('shown.bs.tab', function (e) {
             history.pushState(null, null, e.target.hash);
@@ -422,5 +422,4 @@ var CrowdSec = (function() {
         deleteDecision: deleteDecision,
         init: init
     };
-
 }());

From 5d8af379a505599aba279cd04c6a255104ce48d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Sun, 5 Mar 2023 17:53:42 +0100
Subject: [PATCH 1385/3088] all Themes color fixes (#3334)

---
 misc/theme-cicada/Makefile                     |  2 +-
 .../themes/cicada/build/css/dns-overview.css   |  8 ++++++--
 misc/theme-tukan/Makefile                      |  2 +-
 .../themes/tukan/build/css/dns-overview.css    | 18 +++++++++++++-----
 misc/theme-vicuna/Makefile                     |  2 +-
 .../themes/vicuna/build/css/dns-overview.css   | 12 ++++++++----
 6 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 5286e2a9db..2d7b418c35 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.33
+PLUGIN_VERSION=		1.34
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
index 071b3e7d0d..0598d665ff 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
@@ -22,9 +22,9 @@
     height: auto;
     width: 50%;
     object-fit:cover;
-    background: #d94f0033;
+    background: #242424;
     border-radius: 0 2em 2em 0 / 0 3em 3em 0;
-    box-shadow: 3px 5px 1px 3px rgba(217,79,0,0.25);
+    box-shadow: 3px 5px 1px 3px rgb(28, 16, 9);
 }
 
 .large-icon {
@@ -146,6 +146,10 @@
     background-color: rgba(255, 131, 0, 0.3);
 }
 
+.query-error {
+    background-color: #402751;
+}
+
 #searchFilter {
     display: inline-block;
     margin: 0 20px 0 0;
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index ea7459e6f1..54f47d87c4 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.26
+PLUGIN_VERSION=		1.27
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css
index 9824ee1de1..343f486857 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css
@@ -9,22 +9,23 @@
 
 .stats-element {
     height: 5em;
-    background: #f7f7f7;
+    background: #224153;
     overflow: hidden;
     display: flex;
     justify-content: flex-start;
     border-radius: .3em;
-    margin:auto;
+    margin: auto;
     border: 1px solid rgba(217, 79, 0, 0.2);
+    color: #FFF;
 }
 
 .stats-icon {
     height: auto;
     width: 50%;
     object-fit:cover;
-    background: #d94f0033;
+    background: #274a5e;
     border-radius: 0 2em 2em 0 / 0 3em 3em 0;
-    box-shadow: 3px 5px 1px 3px rgba(217,79,0,0.25);
+    box-shadow: 3px 5px 1px 3px rgb(20, 38, 49);
 }
 
 .large-icon {
@@ -136,7 +137,8 @@
 }
 
 .query-info {
-    background-color: rgba(255, 227, 0, 0.3);
+    background-color: rgb(187, 144, 13);
+    color: #FFF;
 }
 
 .query-danger {
@@ -146,6 +148,12 @@
 
 .query-warning {
     background-color: rgba(255, 131, 0, 0.3);
+    color: #FFF;
+}
+
+.query-error {
+    background-color: #5f295c;
+    color: #FFF;
 }
 
 #searchFilter {
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index ac471e0d74..c6ef6b2acd 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.44
+PLUGIN_VERSION=		1.45
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css
index 071b3e7d0d..1d1a9108e6 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css
@@ -9,22 +9,22 @@
 
 .stats-element {
     height: 5em;
-    background: #202020;
+    background: #1b2b35;
     overflow: hidden;
     display: flex;
     justify-content: flex-start;
     border-radius: .3em;
     margin:auto;
-    border: 1px solid rgb(24, 24, 24);
+    border: 1px solid rgb(19, 19, 19);
 }
 
 .stats-icon {
     height: auto;
     width: 50%;
     object-fit:cover;
-    background: #d94f0033;
+    background: #1a262d;
     border-radius: 0 2em 2em 0 / 0 3em 3em 0;
-    box-shadow: 3px 5px 1px 3px rgba(217,79,0,0.25);
+    box-shadow: 3px 5px 1px 3px rgb(15, 24, 30);
 }
 
 .large-icon {
@@ -146,6 +146,10 @@
     background-color: rgba(255, 131, 0, 0.3);
 }
 
+.query-error {
+    background-color: #502e62;
+}
+
 #searchFilter {
     display: inline-block;
     margin: 0 20px 0 0;

From 4e5f7c929261088162990a3cd89b6441dd86e892 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Mon, 6 Mar 2023 08:38:45 +0100
Subject: [PATCH 1386/3088] theme: missed the "a" on rgba (#3336)

---
 .../src/opnsense/www/themes/tukan/build/css/dns-overview.css    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css
index 343f486857..9b28cd020d 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/dns-overview.css
@@ -137,7 +137,7 @@
 }
 
 .query-info {
-    background-color: rgb(187, 144, 13);
+    background-color: rgba(187, 144, 13);
     color: #FFF;
 }
 

From 9c338ba1e80e70f769a3d4f8aa325180007945e4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Mar 2023 21:08:47 +0100
Subject: [PATCH 1387/3088] misc: do not advance version too much ;)

---
 misc/theme-cicada/Makefile | 2 +-
 misc/theme-tukan/Makefile  | 2 +-
 misc/theme-vicuna/Makefile | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 2d7b418c35..5286e2a9db 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.34
+PLUGIN_VERSION=		1.33
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 54f47d87c4..ea7459e6f1 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.27
+PLUGIN_VERSION=		1.26
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index c6ef6b2acd..ac471e0d74 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.45
+PLUGIN_VERSION=		1.44
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes

From e788521dc4f41dad27e16d5c4a17778255f4c695 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Raphael=20B=C3=B6hm?= <raphael@deininter.net>
Date: Tue, 7 Mar 2023 10:49:55 +0700
Subject: [PATCH 1388/3088] fixed typo in HAProxy info

---
 .../mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
index a6b30ca044..9c4601096e 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/settings.xml
@@ -15,7 +15,7 @@
         <id>acmeclient.settings.haproxyIntegration</id>
         <label>HAProxy Integration</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable automatic integration with the OPNsense HAProxy plugin. <b>Requires that the OPNsense HAProxy plugin is installed.</b> This will automatically add the required backend, server, action and ACL for you. You just need to select your HAProxy frontend when configuration the certificate or challenge type. <div class="text-info"><b>NOTE:</b>This will only work for HTTP-01 validation and HAProxy frontends running in <i>http</i> mode; TCP frontends are not supported.</div>]]></help>
+        <help><![CDATA[Enable automatic integration with the OPNsense HAProxy plugin. <b>Requires that the OPNsense HAProxy plugin is installed.</b> This will automatically add the required backend, server, action and ACL for you. You just need to select your HAProxy frontend when configuring the certificate or challenge type. <div class="text-info"><b>NOTE:</b>This will only work for HTTP-01 validation and HAProxy frontends running in <i>http</i> mode; TCP frontends are not supported.</div>]]></help>
     </field>
     <field>
         <id>acmeclient.settings.logLevel</id>

From 5e63c2d0c56f7fa4f78b18aa77f1a098930fd776 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Sat, 11 Mar 2023 18:05:29 +0100
Subject: [PATCH 1389/3088] Themes/Zenarmor plugin - view modal fix (#3342)

delete wrong margin in .modal-side class for Zenarmor
---
 misc/theme-cicada/Makefile                                      | 2 +-
 .../src/opnsense/www/themes/cicada/assets/stylesheets/main.scss | 2 +-
 .../src/opnsense/www/themes/cicada/build/css/main.css           | 1 -
 misc/theme-tukan/Makefile                                       | 2 +-
 .../src/opnsense/www/themes/tukan/assets/stylesheets/main.scss  | 1 -
 .../src/opnsense/www/themes/tukan/build/css/main.css            | 1 -
 misc/theme-vicuna/Makefile                                      | 2 +-
 .../src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss | 2 +-
 .../src/opnsense/www/themes/vicuna/build/css/main.css           | 1 -
 9 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 5286e2a9db..2d7b418c35 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.33
+PLUGIN_VERSION=		1.34
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index ce3b0072d5..0d42c65b12 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -10549,7 +10549,7 @@ input[type="checkbox"] {
     background-color: #ac5314;
   }
 
-  margin: 62px 10px 10px 10px;
+.modal-side {
   background-color: #3a3a3a !important;
 }
 
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 3769944df7..842b9ada4e 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -6529,7 +6529,6 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .modal-side {
-  margin: 62px 10px 10px 10px;
   background-color: #3a3a3a !important;
 }
 
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index ea7459e6f1..54f47d87c4 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.26
+PLUGIN_VERSION=		1.27
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
index 3d9ea9d606..ac64bdfc27 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
@@ -6512,7 +6512,6 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .modal-side {
-  margin: 62px 10px 10px 10px;
   background-color: #f0f0f0 !important;
 }
 
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index 3d9ea9d606..ac64bdfc27 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -6512,7 +6512,6 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .modal-side {
-  margin: 62px 10px 10px 10px;
   background-color: #f0f0f0 !important;
 }
 
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index ac471e0d74..c6ef6b2acd 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.44
+PLUGIN_VERSION=		1.45
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 8d507e10be..d8ca6cd05e 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -10699,7 +10699,7 @@ input[type="checkbox"] {
     color: #FFF;
   }
 
-  margin: 62px 10px 10px 10px;
+.modal-side {
   background-color: #1a262d !important;
 }
 
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 5280281d95..ef2def6fff 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -6517,7 +6517,6 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .modal-side {
-  margin: 62px 10px 10px 10px;
   background-color: #1a262d !important;
 }
 

From 79f64d7fa5787218d3f59918940788cdd5f3cdb4 Mon Sep 17 00:00:00 2001
From: Ask <82449731+as8net@users.noreply.github.com>
Date: Sun, 12 Mar 2023 10:33:27 +0100
Subject: [PATCH 1390/3088] net/frrr - Allow both IPv6 and IPv4 instead of just
 IPv4 (#3345)

OPNsense supports BGP on both IPv4 and IPv6, but the current frr/setkey script implementation only adds SAD entries for IPv4.
Changing -4 to -n keeps filtering on numeric addresses, but adds SAD entries for both IPv4 and IPv6 instead of only IPv4.

Tested working on a Vultr VM with BGP enabled and MD5 password on the Vultr side.
---
 net/frr/src/opnsense/scripts/frr/register_sas | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/scripts/frr/register_sas b/net/frr/src/opnsense/scripts/frr/register_sas
index a56c07ef6a..33d4fcee7c 100755
--- a/net/frr/src/opnsense/scripts/frr/register_sas
+++ b/net/frr/src/opnsense/scripts/frr/register_sas
@@ -60,9 +60,9 @@ if __name__ == '__main__':
     with tempfile.NamedTemporaryFile(mode='wt', delete=False) as fo:
         temp_filename = fo.name
         for policy in registered_policies:
-            fo.write("delete -4 %(src)s %(dst)s tcp 0x1000;\n" % policy)
+            fo.write("delete -n %(src)s %(dst)s tcp 0x1000;\n" % policy)
         for new_policy in frr_sad:
-            fo.write('add -4 %(src)s %(dst)s %(protocol)s %(spi)s -A %(aalgo)s "%(key)s";\n' % frr_sad[new_policy])
+            fo.write('add -n %(src)s %(dst)s %(protocol)s %(spi)s -A %(aalgo)s "%(key)s";\n' % frr_sad[new_policy])
 
     if temp_filename:
         subprocess.run(["/sbin/setkey", "-f", fo.name], capture_output=True, text=True)

From f3b14c91e64df401424553247395d02f90b0c5f6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Mar 2023 11:29:35 +0100
Subject: [PATCH 1391/3088] net/frr: use a documentation-reserved AS number to
 allow default validation

PR: https://forum.opnsense.org/index.php?topic=32924.0
Also see: https://www.rfc-editor.org/rfc/rfc5398.html
---
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 7b03f68227..626da2339a 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -8,7 +8,7 @@
             <Required>Y</Required>
         </enabled>
         <asnumber type="IntegerField">
-            <default></default>
+            <default>65551</default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>4294967295</MaximumValue>

From 58f5f8f1bc055bc08850eee8aa33341ae2700881 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Mar 2023 07:55:10 +0100
Subject: [PATCH 1392/3088] net/upnp: change killbypid() to wait by default

---
 net/upnp/Makefile                                | 2 +-
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 0b0b4e3711..7a170f82e3 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		miniupnpd-devel
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index d63c65199c..cf3233c6e5 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -80,7 +80,8 @@ function miniupnpd_start()
 
 function miniupnpd_stop()
 {
-    killbypid('/var/run/miniupnpd.pid', 'TERM', true);
+    killbypid('/var/run/miniupnpd.pid');
+
     mwexec('/sbin/pfctl -aminiupnpd -Fr 2>&1 >/dev/null');
     mwexec('/sbin/pfctl -aminiupnpd -Fn 2>&1 >/dev/null');
 }

From 9390428f12f471dfff28d77de4b50103da84679e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Mar 2023 10:15:08 +0100
Subject: [PATCH 1393/3088] sysutils/api-backup: style sweep

---
 .../app/controllers/OPNsense/Backup/Api/BackupController.php    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php b/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
index e39e5682b2..d23675582d 100644
--- a/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
+++ b/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
@@ -40,7 +40,7 @@ class BackupController extends ApiControllerBase
      * @param string $format set to 'json' to get a base64 encoded config backup
      * @return array|mixed
      */
-    public function downloadAction($format='plain')
+    public function downloadAction($format = 'plain')
     {
         $data = file_get_contents(self::CONFIG_XML);
         $status = $data === false ? 'error' : 'success';

From a699b2c9527bdf32b2c95d46fc2fa4707972971f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Mar 2023 10:18:34 +0100
Subject: [PATCH 1394/3088] net/frr: bump for fix

---
 net/frr/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 50bbd33daf..f55bc98fc4 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.32
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From dca7db21e0b8a6a3bb140fec149cf03718706470 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Mar 2023 10:22:16 +0100
Subject: [PATCH 1395/3088] net/frr: for next version

---
 net/frr/Makefile  | 3 +--
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index f55bc98fc4..ff6f9271dd 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.32
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.33
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr7
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 91ccb9531e..00f77cfffd 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.33
+
+* Allow both IPv4 and IPv6 in BGP via setkey (contributed by as8net)
+
 1.32
 
 * Add attribute-unchanged option (contributed by Patrik Kernstock)

From 96129ccaabd9c9dc92ab661bf49dc98718c6f404 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Mar 2023 14:59:38 +0100
Subject: [PATCH 1396/3088] dns/bind: add glue to operate as standalone DNS for
 core

---
 dns/bind/Makefile                           |  2 +-
 dns/bind/src/etc/inc/plugins.inc.d/bind.inc | 88 +++++++++++++--------
 2 files changed, 54 insertions(+), 36 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index a4b3844818..77b4de0627 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.26
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
index 2b050aa2bb..e2047e7f6d 100644
--- a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
+++ b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
@@ -1,30 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 function bind_enabled()
 {
@@ -32,34 +32,52 @@ function bind_enabled()
     return (string)$model->enabled == '1';
 }
 
+function bind_configure()
+{
+    return [
+        'dns' => ['bind_configure_do'],
+    ];
+}
+
 function bind_services()
 {
-    $services = array();
+    $services = [];
 
     if (!bind_enabled()) {
         return $services;
     }
 
-    $services[] = array(
+    $model = new \OPNsense\Bind\General();
+
+    $services[] = [
         'description' => gettext('BIND Daemon'),
-        'configd' => array(
-            'restart' => array('bind restart'),
-            'start' => array('bind start'),
-            'stop' => array('bind stop'),
-        ),
+        'ports' => [(string)$model->port],
+        'configd' => [
+            'restart' => ['bind restart'],
+            'start' => ['bind start'],
+            'stop' => ['bind stop'],
+        ],
+        'pidfile' => '/var/run/named/pid',
         'name' => 'named',
-        'pidfile' => '/var/run/named/pid'
-    );
+    ];
 
     return $services;
 }
 
 function bind_xmlrpc_sync()
 {
-    $result = array();
+    $result = [];
+
     $result['id'] = 'bind';
     $result['section'] = 'OPNsense.bind';
     $result['description'] = gettext('BIND domain name service');
     $result['services'] = ['named'];
-    return array($result);
+
+    return [$result];
+}
+
+function bind_configure_do($verbose)
+{
+    configd_run('template reload OPNsense/Bind');
+    configd_run('bind restart');
 }

From 0d44da2dec1ee74498fac8e31ca8f9e310e61992 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Mar 2023 15:06:34 +0100
Subject: [PATCH 1397/3088] dns/bind: if we have $verbose we might as well use
 it

---
 dns/bind/src/etc/inc/plugins.inc.d/bind.inc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
index e2047e7f6d..12ef025c50 100644
--- a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
+++ b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
@@ -78,6 +78,10 @@ function bind_xmlrpc_sync()
 
 function bind_configure_do($verbose)
 {
+    service_log('Starting BIND...', $verbose);
+
     configd_run('template reload OPNsense/Bind');
     configd_run('bind restart');
+
+    service_log("done.\n", $verbose);
 }

From 6a9cbddf399a26f1820f553a511c0ca0833a80ba Mon Sep 17 00:00:00 2001
From: Dmitry <dmitry.shinkaruk@lmp-project.com>
Date: Sun, 26 Mar 2023 01:07:51 +0300
Subject: [PATCH 1398/3088] Add RegRu API dns challenge type

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsRegru.php      | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 68 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRegru.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f00176d564..de659b1824 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 3.16
 
 Added:
+* add RegRu DNS API
 * add JD Cloud DNS API (#3315)
 * new automation: deploy certificates on Palo Alto Networks Firewall (#3289)
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 8317542bd9..1e4de7e2f2 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1556,4 +1556,19 @@
         <type>text</type>
         <help>EX: https://hostname:2083</help>
     </field>
+    <field>
+        <label>regru</label>
+        <type>header</type>
+        <style>table_dns table_dns_regru</style>
+    </field>
+    <field>
+        <id>validation.dns_regru_username</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_regru_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRegru.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRegru.php
new file mode 100644
index 0000000000..e9cc1f6595
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRegru.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Dmitry Shinkaruk
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ namespace OPNsense\AcmeClient\LeValidation;
+
+ use OPNsense\AcmeClient\LeValidationInterface;
+ use OPNsense\Core\Config;
+
+ /**
+  * RegRu DNS API
+  * @package OPNsense\AcmeClient
+  */
+ class DnsRegru extends Base implements LeValidationInterface
+ {
+     public function prepare()
+     {
+         $this->acme_env['REGRU_API_Username'] = (string)$this->config->dns_regru_username;
+         $this->acme_env['REGRU_API_Password'] = (string)$this->config->dns_regru_password;
+     }
+ }
\ No newline at end of file
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index aa86eb9e60..cc001ca947 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -491,6 +491,7 @@
                         <dns_pdns>PowerDNS.com</dns_pdns>
                         <dns_pleskxml>Plesk</dns_pleskxml>
                         <dns_porkbun>Porkbun</dns_porkbun>
+                        <dns_regru>regru</dns_regru>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
                         <dns_selectel>selectel.com / selectel.ru</dns_selectel>
                         <dns_selfhost>Selfhost</dns_selfhost>
@@ -1126,6 +1127,12 @@
                 <dns_cpanel_hostname type="TextField">
                     <Required>N</Required>
                 </dns_cpanel_hostname>
+                <dns_regru_username type="TextField">
+                    <Required>N</Required>
+                </dns_regru_username>
+                <dns_regru_password type="TextField">
+                    <Required>N</Required>
+                </dns_regru_password>
             </validation>
         </validations>
         <actions>

From 53bd339164b02b43b34617a30a8e7d850f4de23b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Mar 2023 09:59:50 +0200
Subject: [PATCH 1399/3088] dns/dnscrypt-proxy: also add standalone glue

---
 dns/dnscrypt-proxy/Makefile                   |  2 +-
 .../etc/inc/plugins.inc.d/dnscryptproxy.inc   | 93 ++++++++++++-------
 2 files changed, 61 insertions(+), 34 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index ef81bb13e1..630f1aef2d 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.12
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
index 3f3588874e..7e3065bb63 100644
--- a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
+++ b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
@@ -1,30 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 function dnscryptproxy_enabled()
 {
@@ -32,24 +32,51 @@ function dnscryptproxy_enabled()
     return (string)$model->enabled == '1';
 }
 
+function dnscryptproxy_configure()
+{
+    return [
+        'dns' => ['dnscryptproxy_configure_do'],
+    ];
+}
+
 function dnscryptproxy_services()
 {
-    $services = array();
+    $services = [];
 
     if (!dnscryptproxy_enabled()) {
         return $services;
     }
 
-    $services[] = array(
+    $model = new \OPNsense\Dnscryptproxy\General();
+    $ports = [];
+
+    foreach (explode(',', (string)$model->listen_addresses) as $addrport) {
+        if (preg_match('/^(?:(\[.+\]:)|([\d\.]+:))[\d]+$/', $addrport, $matches)) {
+            $ports[$matches[1]] = 1;
+        }
+    }
+
+    $services[] = [
         'description' => gettext('DNSCrypt-Proxy'),
-        'configd' => array(
-            'restart' => array('dnscryptproxy restart'),
-            'start' => array('dnscryptproxy start'),
-            'stop' => array('dnscryptproxy stop'),
-        ),
+        'configd' => [
+            'restart' => ['dnscryptproxy restart'],
+            'start' => ['dnscryptproxy start'],
+            'stop' => ['dnscryptproxy stop'],
+        ],
+        'pid' => '/var/run/dnscrypt-proxy.pid',
+        'ports' => array_keys($ports),
         'name' => 'dnscrypt-proxy',
-        'pid' => '/var/run/dnscrypt-proxy.pid'
-    );
+    ];
 
     return $services;
 }
+
+function dnscryptproxy_configure_do($verbose)
+{
+    service_log('Starting DNSCrypt-Proxy...', $verbose);
+
+    configd_run('template reload OPNsense/Dnscryptproxy');
+    configd_run('dnscryptproxy restart');
+
+    service_log("done.\n", $verbose);
+}

From 73abcfe3b506df0b7a33b6dc0cf596a95b868d15 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Mar 2023 10:05:55 +0200
Subject: [PATCH 1400/3088] dns/dnscrypt-proxy: fix regex of course

We don't need non-capture groups so simplify a bit and fetch
the second capture group with the port.
---
 .../src/etc/inc/plugins.inc.d/dnscryptproxy.inc               | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
index 7e3065bb63..070b46289f 100644
--- a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
+++ b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
@@ -51,8 +51,8 @@ function dnscryptproxy_services()
     $ports = [];
 
     foreach (explode(',', (string)$model->listen_addresses) as $addrport) {
-        if (preg_match('/^(?:(\[.+\]:)|([\d\.]+:))[\d]+$/', $addrport, $matches)) {
-            $ports[$matches[1]] = 1;
+        if (preg_match('/^(\[.+\]|[\d\.]+):([\d]+)$/', $addrport, $matches)) {
+            $ports[$matches[2]] = 1;
         }
     }
 

From a69fa0d77dc17882f01e3488a955e81b7cb4143f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Mar 2023 08:50:12 +0200
Subject: [PATCH 1401/3088] dns/bind: refine previous

It was decided we only want the 'ports' trick for DNS so make
sure the prerequistes for it match the reality of the setup.
This was we can also extend the validation of the DNS port like
we are going to do for Unbound to ensure a functional DNS setup
when multiple DNS servers are being used on the same box.
---
 dns/bind/pkg-descr                          |  1 +
 dns/bind/src/etc/inc/plugins.inc.d/bind.inc | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 31cc0ebc0a..3440061919 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 
 * Allow multiple ACLs to be selected for Transfers/Queries (contributed by Robbert Rijkse)
 * Rename Master/Slave to Primary/Secondary (contributed by Robbert Rijkse)
+* Add necessary hooks to allow the plugin to be used as a standalone core DNS server
 
 1.25
 
diff --git a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
index 12ef025c50..a435fac634 100644
--- a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
+++ b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
@@ -49,9 +49,22 @@ function bind_services()
 
     $model = new \OPNsense\Bind\General();
 
+    /* DNS service is eligable for core use when both 127.0.0.1 and ::1 are set */
+    $localhost4 = false;
+    $localhost6 = false;
+
+    foreach (explode(',', (string)$model->listenv4) as $addr) {
+        $localhost4 |= $addr === '127.0.0.1';
+    }
+
+    foreach (explode(',', (string)$model->listenv6) as $addr) {
+        $localhost6 |= $addr === '::1';
+    }
+
     $services[] = [
+        /* the port may still be something other than 53, but it's safe to register a conflict for it */
+        'ports' => ($localhost4 && $localhost6 ? [(string)$model->port] : []),
         'description' => gettext('BIND Daemon'),
-        'ports' => [(string)$model->port],
         'configd' => [
             'restart' => ['bind restart'],
             'start' => ['bind start'],

From 3b94eef9905e9b8daecefce076e86388610380c6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Mar 2023 09:07:36 +0200
Subject: [PATCH 1402/3088] dns/dnscrypt-proxy: change this like bind

All DNS ports that listen on localhost for both IPv4 and IPv6
are reported to the service framework to be picked up by the
core in search of a DNS service to use.
---
 dns/dnscrypt-proxy/Makefile                     |  3 +--
 dns/dnscrypt-proxy/pkg-descr                    |  4 ++++
 .../src/etc/inc/plugins.inc.d/dnscryptproxy.inc | 17 ++++++++++++++---
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 630f1aef2d..39d70dd46e 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.12
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.13
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 0be7fb48eb..14035109ac 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
+1.13
+
+* Add necessary hooks to allow the plugin to be used as a standalone core DNS server
+
 1.12
 
 * Support specifying relays for anonymous DNS
diff --git a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
index 070b46289f..e022baec1a 100644
--- a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
+++ b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
@@ -50,13 +50,25 @@ function dnscryptproxy_services()
     $model = new \OPNsense\Dnscryptproxy\General();
     $ports = [];
 
+    /*
+     * DNS service is eligable for core use when both 127.0.0.1 and ::1 are set.
+     * In order to provide dual stack ports we need to intersect the resulting
+     * ports for each address family.
+     */
+    $localhost4 = [];
+    $localhost6 = [];
+
     foreach (explode(',', (string)$model->listen_addresses) as $addrport) {
-        if (preg_match('/^(\[.+\]|[\d\.]+):([\d]+)$/', $addrport, $matches)) {
-            $ports[$matches[2]] = 1;
+        if (preg_match('/^127\.0\.0\.1:([\d]+)$/', $addrport, $matches)) {
+            $localhost4[$matches[1]] = 1;
+        } elseif (preg_match('/^\[::1\]:([\d]+)$/', $addrport, $matches)) {
+            $localhost6[$matches[1]] = 1;
         }
     }
 
     $services[] = [
+        /* the port may still be something other than 53, but it's safe to register a conflict for it */
+        'ports' => array_keys(array_intersect_key($localhost4, $localhost6)),
         'description' => gettext('DNSCrypt-Proxy'),
         'configd' => [
             'restart' => ['dnscryptproxy restart'],
@@ -64,7 +76,6 @@ function dnscryptproxy_services()
             'stop' => ['dnscryptproxy stop'],
         ],
         'pid' => '/var/run/dnscrypt-proxy.pid',
-        'ports' => array_keys($ports),
         'name' => 'dnscrypt-proxy',
     ];
 

From 695f43aa99d21a5a9bee2ad2391d9463f0c20abd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Mar 2023 09:10:50 +0200
Subject: [PATCH 1403/3088] dns: rename 'ports' to 'dns_ports' for clarity

---
 dns/bind/src/etc/inc/plugins.inc.d/bind.inc                    | 2 +-
 dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
index a435fac634..8e6a1d4d8f 100644
--- a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
+++ b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
@@ -63,7 +63,7 @@ function bind_services()
 
     $services[] = [
         /* the port may still be something other than 53, but it's safe to register a conflict for it */
-        'ports' => ($localhost4 && $localhost6 ? [(string)$model->port] : []),
+        'dns_ports' => ($localhost4 && $localhost6 ? [(string)$model->port] : []),
         'description' => gettext('BIND Daemon'),
         'configd' => [
             'restart' => ['bind restart'],
diff --git a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
index e022baec1a..2bb3c7192e 100644
--- a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
+++ b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
@@ -68,7 +68,7 @@ function dnscryptproxy_services()
 
     $services[] = [
         /* the port may still be something other than 53, but it's safe to register a conflict for it */
-        'ports' => array_keys(array_intersect_key($localhost4, $localhost6)),
+        'dns_ports' => array_keys(array_intersect_key($localhost4, $localhost6)),
         'description' => gettext('DNSCrypt-Proxy'),
         'configd' => [
             'restart' => ['dnscryptproxy restart'],

From 2379cefe4e6e203bce7840ebbe1f0fc462574c8f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 29 Mar 2023 09:34:34 +0200
Subject: [PATCH 1404/3088] dns/ddclient - minor cleanup in azure account type

---
 .../src/opnsense/scripts/ddclient/lib/account/azure.py       | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
index ff28fdef9c..11fd3c6370 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
@@ -85,10 +85,7 @@ def known_services():
         return  Azure._services
 
     def match(account):
-        if account.get('service') in Azure._services:
-            return True
-        else:
-            return False
+        return account.get('service') in Azure._services
 
     def execute(self):
         """ Azure DNS update, uses an oauth2 sequence to login, the following requests are being performed:

From 7124198658cca2e2da871c45cf474c90729f841f Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed, 29 Mar 2023 10:44:27 +0300
Subject: [PATCH 1405/3088] www/nginx: 1.32 (#3205)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* add support for resetting timed out connections and 444 responses (reset_timedout_connection)
* add option to change autoban response code to 444 (NGX_HTTP_CLOSE)
* add ssl_reject_handshake directive support
* add error log severity level support for HTTP and Stream servers
* add logging of possible errors causes to the setup script
* $internalModelUseSafeDelete enabled in API Settings controller to check item references before delete
* minor style adjustments for IP ACL and SNI Based Routing forms
* fix: add the PROXY protocol for the HTTPS listener too, if it is set for the server
* fix: set Stream server outbound PROXY protocol based on Upstream settings
* fix: set Trusted Proxies (set_real_ip_from) for Stream server only with PROXY protocol enabled
  WARNING: set_real_ip_from directive is temporary disabled due to ngx_stream_realip module missing
* fix: do not include commented out core rules in naxsi policies when importing
* fix: fixed a typo in setting the proxy_ssl_session_reuse directive value (thanks to Sigurd Våg Aaknes)
* use syslog
* enable set_real_ip_from
* move config test to setup script
---
 www/nginx/Makefile                            |  2 +-
 www/nginx/pkg-descr                           | 16 +++++++
 www/nginx/src/etc/inc/plugins.inc.d/nginx.inc | 15 ++++++
 .../OPNsense/Nginx/Api/SettingsController.php |  1 +
 .../OPNsense/Nginx/forms/httprewrite.xml      |  2 +-
 .../OPNsense/Nginx/forms/httpserver.xml       | 15 ++++++
 .../OPNsense/Nginx/forms/settings.xml         | 14 ++++++
 .../OPNsense/Nginx/forms/streamserver.xml     |  8 ++++
 .../app/models/OPNsense/Nginx/Menu/Menu.xml   |  2 +-
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 47 ++++++++++++++++++-
 .../mvc/app/views/OPNsense/Nginx/index.volt   |  7 +++
 .../scripts/nginx/naxsi_rule_download.php     |  8 +++-
 .../src/opnsense/scripts/nginx/setup.php      | 23 ++++++++-
 .../templates/OPNsense/Nginx/http.conf        | 40 +++++++++-------
 .../templates/OPNsense/Nginx/location.conf    |  4 +-
 .../templates/OPNsense/Nginx/nginx.conf       |  3 +-
 .../templates/OPNsense/Nginx/streams.conf     |  6 +--
 .../OPNsense/Syslog/local/nginx.conf          |  6 +++
 18 files changed, 190 insertions(+), 29 deletions(-)
 create mode 100644 www/nginx/src/opnsense/service/templates/OPNsense/Syslog/local/nginx.conf

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 061ff42aa0..92f09f009c 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.31
+PLUGIN_VERSION=		1.32
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 2633ad5d64..37546252fd 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,22 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.32
+
+* add support for resetting timed out connections and 444 responses (reset_timedout_connection)
+* add option to change autoban response code to 444 (NGX_HTTP_CLOSE)
+* add ssl_reject_handshake directive support
+* add error log severity level support for HTTP and Stream servers
+* add logging of possible errors causes to the setup script
+* migrate general error log to syslog
+* $internalModelUseSafeDelete enabled in API Settings controller to check item references before delete
+* minor style adjustments for IP ACL and SNI Based Routing forms
+* fix: add the PROXY protocol for the HTTPS listener too, if it is set for the server
+* fix: set Stream server outbound PROXY protocol based on Upstream settings
+* fix: set Trusted Proxies (set_real_ip_from) for Stream server only with PROXY protocol enabled
+* fix: do not include commented out core rules in naxsi policies when importing
+* fix: fixed a typo in setting the proxy_ssl_session_reuse directive value (thanks to Sigurd Våg Aaknes)
+
 1.31
 
 * Allow dynamic proxy_ssl_name (contributed by Mike Reiche)
diff --git a/www/nginx/src/etc/inc/plugins.inc.d/nginx.inc b/www/nginx/src/etc/inc/plugins.inc.d/nginx.inc
index cf35e06139..ad9cd4ea3f 100644
--- a/www/nginx/src/etc/inc/plugins.inc.d/nginx.inc
+++ b/www/nginx/src/etc/inc/plugins.inc.d/nginx.inc
@@ -26,6 +26,21 @@
     POSSIBILITY OF SUCH DAMAGE.
 */
 
+/**
+ *  register syslog facilities
+ * @return array
+ */
+function nginx_syslog()
+{
+    $syslogconf = array();
+
+    $syslogconf['nginx'] = array(
+        'facility' => array('nginx'),
+    );
+
+    return $syslogconf;
+}
+
 function nginx_cron()
 {
     return array(
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 19d73ae696..314dc85382 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -35,6 +35,7 @@ class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelClass = '\OPNsense\Nginx\Nginx';
     protected static $internalModelName = 'nginx';
+    protected static $internalModelUseSafeDelete = true;
 
     // download rules
     public function downloadrulesAction()
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httprewrite.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httprewrite.xml
index eda6fc20c4..fbc06bb5b9 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httprewrite.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httprewrite.xml
@@ -22,6 +22,6 @@
     <label>Flag</label>
     <type>dropdown</type>
     <style>selectpicker</style>
-    <help>Stop rule processing (break) and perform (internal) redirect (last). Return a moved permanently status code (301) or a teporary redirect (302).</help>
+    <help>Stop rule processing (break) or perform (internal) redirect (last). Return a moved permanently status code (301) or a temporary redirect (302).</help>
   </field>
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index e4a925509d..73e6aff5c3 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -20,6 +20,13 @@
     <label>Default Server</label>
     <type>checkbox</type>
   </field>
+  <field>
+    <id>httpserver.tls_reject_handshake</id>
+    <label>Reject SSL Handshake</label>
+    <type>checkbox</type>
+    <help>If enabled, TLS handshakes for this server will be rejected.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>httpserver.syslog_targets</id>
     <label>SYSLOG targets</label>
@@ -127,6 +134,14 @@
     <label>Access Log Format</label>
     <type>dropdown</type>
   </field>
+  <field>
+    <id>httpserver.error_log_level</id>
+    <label>Error Log Level</label>
+    <style>selectpicker</style>
+    <type>dropdown</type>
+    <help>Select Error Log Level. Log levels are listed in the order of increasing verbosity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>httpserver.enable_acme_support</id>
     <label>Enable Let's Encrypt Plugin Support</label>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
index 4da550ab12..e5d55040d3 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
@@ -42,6 +42,12 @@
                 <type>text</type>
                 <help>After this idle time, the client gets disconnected.</help>
             </field>
+            <field>
+                <id>nginx.http.reset_timedout</id>
+                <label>Reset Timed Out Connections</label>
+                <type>checkbox</type>
+                <help>Reset timed out connections and connections closed with the non-standard code 444. When the socket is closed, TCP RST is sent to the client, and all memory occupied by this socket is released. This helps avoid keeping an already closed socket with filled buffers in a FIN_WAIT1 state for a long time.</help>
+            </field>
             <field>
                 <id>nginx.http.default_type</id>
                 <label>Default MIME-Type</label>
@@ -60,6 +66,14 @@
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
+            <field>
+                <id>nginx.http.ban_response</id>
+                <label>Autoban Response Code</label>
+                <style>selectpicker</style>
+                <type>dropdown</type>
+                <help>Select a response code for auto-blocking requests (bot user-agent or honeypot location). The default code is 403. 444 is a special response code that closes the connection without a response to the client.</help>
+                <advanced>true</advanced>
+            </field>
             <field>
                 <id>nginx.http.headers_more_enable</id>
                 <label>Enable Headers More module</label>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
index b988ecbc49..a243578dd4 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
@@ -63,6 +63,14 @@
     <label>Access Log Format</label>
     <type>dropdown</type>
   </field>
+  <field>
+    <id>streamserver.error_log_level</id>
+    <label>Error Log Level</label>
+    <style>selectpicker</style>
+    <type>dropdown</type>
+    <help>Select Error Log Level. Log levels are listed in the order of increasing verbosity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>streamserver.route_field</id>
     <label>Route With</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Menu/Menu.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Menu/Menu.xml
index bbe625bd7e..74100456fa 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Menu/Menu.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Menu/Menu.xml
@@ -9,7 +9,7 @@
       <HTTPErrorLogs VisibleName="Logs / HTTP Error" url="/ui/nginx/logs/errors" order="110"/>
       <StreamAccessLogs VisibleName="Logs / Stream Access" url="/ui/nginx/logs/stream_accesses" order="120"/>
       <StreamErrorLogs VisibleName="Logs / Stream Error" url="/ui/nginx/logs/stream_errors" order="130"/>
-      <ErrorLogs VisibleName="Logs / Global Error" url="/ui/nginx/logs" order="140"/>
+      <LogFile VisibleName="Log File" order="140" url="/ui/diagnostics/log/core/nginx"/>
     </Nginx>
   </Services>
 </menu>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 46cd6dbd32..cf4487baaa 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.30</version>
+  <version>1.32</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -41,6 +41,10 @@
         <default>60</default>
         <Required>N</Required>
       </keepalive_timeout>
+      <reset_timedout type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </reset_timedout>
       <default_type type="TextField">
         <Required>N</Required>
       </default_type>
@@ -52,6 +56,15 @@
         <Required>N</Required>
         <MinimumValue>1</MinimumValue>
       </server_names_hash_max_size>
+      <ban_response type="OptionField">
+        <multiple>N</multiple>
+        <OptionValues>
+          <http_403 value="403">403 Forbidden</http_403>
+          <http_444 value="444">444 Terminate Connection</http_444>
+        </OptionValues>
+        <Required>Y</Required>
+        <default>403</default>
+      </ban_response>
       <headers_more_enable type="BooleanField">
         <Required>N</Required>
       </headers_more_enable>
@@ -698,6 +711,10 @@
           </check001>
         </Constraints>
       </default_server>
+      <tls_reject_handshake type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </tls_reject_handshake>
       <proxy_protocol type="BooleanField">
         <default>0</default>
         <Required>Y</Required>
@@ -786,6 +803,20 @@
         </OptionValues>
         <Required>Y</Required>
       </access_log_format>
+      <error_log_level type="OptionField">
+        <multiple>N</multiple>
+        <OptionValues>
+          <emerg value="emerg">Emergency</emerg>
+          <alert value="alert">Alert</alert>
+          <crit value="crit">Critical</crit>
+          <error value="error">Error (default)</error>
+          <warn value="warn">Warning</warn>
+          <notice value="notice">Notice</notice>
+          <info value="info">Informational</info>
+        </OptionValues>
+        <Required>Y</Required>
+        <default>error</default>
+      </error_log_level>
       <enable_acme_support type="BooleanField">
         <Required>Y</Required>
         <default>1</default>
@@ -1004,6 +1035,20 @@
         </OptionValues>
         <Required>Y</Required>
       </access_log_format>
+      <error_log_level type="OptionField">
+        <multiple>N</multiple>
+        <OptionValues>
+          <emerg value="emerg">Emergency</emerg>
+          <alert value="alert">Alert</alert>
+          <crit value="crit">Critical</crit>
+          <error value="error">Error</error>
+          <warn value="warn">Warning</warn>
+          <notice value="notice">Notice</notice>
+          <info value="info">Informational (default)</info>
+        </OptionValues>
+        <Required>Y</Required>
+        <default>info</default>
+      </error_log_level>
       <route_field type="OptionField">
         <default>upstream</default>
         <OptionValues>
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index eacb21ea14..78cf04adac 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -73,6 +73,10 @@
     #frm_ipacl_dlg .col-md-5 {
         width: 25%;
     }
+    #row_snihostname\.data .row,
+    #row_ipacl\.data .row {
+        padding-top: 5px;
+    }
     #row_snihostname\.data .row div,
     #row_ipacl\.data .row div {
         padding: 0;
@@ -81,6 +85,9 @@
     #frm_ipacl_dlg .bootstrap-select {
         width: 100% !important;
     }
+    .filter-option {
+        padding: inherit !important;
+    }
 
 </style>
 
diff --git a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
index 3eca0a62e0..0ef1300595 100755
--- a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
+++ b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
@@ -100,8 +100,13 @@ function save_to_model($data)
         $policy->action = 'BLOCK';
         // create new values for policy
         $rule_list = [];
+        $dis_rules = [];
         foreach ($rules as $rule) {
             $rule_mdl = $model->naxsi_rule->Add();
+            // exclude commented rules from policy
+            if (str_starts_with($rule['rule'], '#')) {
+                $dis_rules[] = (string)$rule_mdl->getAttributes()["uuid"];
+            }
             $rule_mdl->description = $rule['message'];
             $rule_mdl->message = $rule['message'];
             $rule_mdl->ruletype = 'main';
@@ -160,9 +165,8 @@ function save_to_model($data)
             }
             $rule_list[] = $rule_mdl->getAttributes()["uuid"];
         }
-        $policy->naxsi_rules = implode(',', $rule_list);
+        $policy->naxsi_rules = implode(',', array_diff($rule_list, $dis_rules));
     }
-
     $val_result = $model->performValidation(false);
     if (count($val_result) !== 0) {
         print_r($val_result);
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index f700a23e47..001c7cad20 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -31,6 +31,7 @@
 const GROUP_OWNER = 'staff';
 require_once('config.inc');
 require_once('certs.inc');
+require_once('util.inc');
 use OPNsense\Nginx\Nginx;
 
 function export_pem_file($filename, $data, $post_append = null)
@@ -75,6 +76,7 @@ function find_ca($refid)
 @chgrp('/var/db/nginx/auth', GROUP_OWNER);
 @chgrp('/var/log/nginx', GROUP_OWNER);
 $nginx = $config['OPNsense']['Nginx'];
+openlog("nginx", LOG_ODELAY, LOG_USER);
 if (isset($nginx['http_server'])) {
     if (is_array($nginx['http_server']) && !isset($nginx['http_server']['servername'])) {
         $http_servers = $nginx['http_server'];
@@ -84,8 +86,10 @@ function find_ca($refid)
     foreach ($http_servers as $http_server) {
         if (!empty($http_server['listen_https_address']) && !empty($http_server['certificate'])) {
           // try to find the reference
+            $hostname = explode(',', $http_server['servername'])[0];
             $cert = find_cert($http_server['certificate']);
             if (!isset($cert)) {
+                syslog(LOG_ERR, "NGINX setup: Certificate is set but not found in config for server {$hostname}.");
                 continue;
             }
             $chain = [];
@@ -94,8 +98,9 @@ function find_ca($refid)
                 foreach ($ca_chain as $entry) {
                     $chain[] = base64_decode($entry['crt']);
                 }
+            } else {
+                syslog(LOG_WARNING, "NGINX setup: Certificate chain is empty for server {$hostname}.");
             }
-            $hostname = explode(',', $http_server['servername'])[0];
             export_pem_file(
                 KEY_DIRECTORY . $hostname . '.pem',
                 $cert['crt'],
@@ -131,6 +136,7 @@ function find_ca($refid)
           // try to find the reference
             $cert = find_cert($stream_server['certificate']);
             if (!isset($cert)) {
+                syslog(LOG_ERR, "NGINX setup: Certificate is set but not found in config for stream server {$stream_server['listen_address']}.");
                 continue;
             }
             $chain = [];
@@ -139,6 +145,8 @@ function find_ca($refid)
                 foreach ($ca_chain as $entry) {
                     $chain[] = base64_decode($entry['crt']);
                 }
+            } else {
+                syslog(LOG_WARNING, "NGINX setup: Certificate chain is empty for stream server {$stream_server['listen_address']}.");
             }
             export_pem_file(
                 KEY_DIRECTORY . $stream_server['@attributes']['uuid'] . '.pem',
@@ -194,6 +202,8 @@ function find_ca($refid)
                         KEY_DIRECTORY . $upstream['tls_client_certificate'] . '.key',
                         $cert['prv']
                     );
+                } else {
+                    syslog(LOG_ERR, "NGINX setup: Client certificate is set but not found in config for upstream {$upstream['description']}.");
                 }
             }
             if (!empty($upstream['tls_trusted_certificate'])) {
@@ -203,6 +213,8 @@ function find_ca($refid)
                     $ca = find_ca($caref);
                     if (isset($ca)) {
                         $cas[] = base64_decode($ca['crt']);
+                    } else {
+                        syslog(LOG_ERR, "NGINX setup: Trusted CA certificate is set but not found in config for upstream {$upstream['description']}.");
                     }
                 }
                 export_pem_file(
@@ -319,4 +331,13 @@ function find_ca($refid)
 );
 chmod('/usr/local/etc/nginx/tls_fingerprints.json', 0644);
 
+// test config and exit early if it not good
+$conf_test_errors = shell_safe('nginx -t -q 2>&1');
+if (!empty($conf_test_errors)) {
+    syslog(LOG_EMERG, $conf_test_errors);
+    closelog();
+    exit(1);
+}
+
+closelog();
 passthru('/usr/local/etc/rc.d/php-fpm start');
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 61b3325257..a5470e6da0 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -46,6 +46,9 @@ server_names_hash_bucket_size {{ OPNsense.Nginx.http.server_names_hash_bucket_si
 {% if OPNsense.Nginx.http.keepalive_timeout is defined and OPNsense.Nginx.http.keepalive_timeout != '' %}
 keepalive_timeout {{ OPNsense.Nginx.http.keepalive_timeout }};
 {% endif %}
+{% if OPNsense.Nginx.http.reset_timedout is defined and OPNsense.Nginx.http.reset_timedout == '1' %}
+reset_timedout_connection on;
+{% endif %}
 
 map $http_upgrade $connection_upgrade {
     default upgrade;
@@ -105,36 +108,42 @@ server {
 {%     endfor %}
 {%   endif %}
 
-{%   if server.listen_https_address is defined and server.listen_https_address != '' and server.certificate is defined %}
+{%   if server.listen_https_address is defined and server.listen_https_address != '' %}
 {%     for listen_address in server.listen_https_address.split(',') %}
-    listen {{ listen_address }} http2 ssl{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
+    listen {{ listen_address }} http2 ssl{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %}{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
 {%     endfor %}
-{%     if server.ca is defined %}
+
+{%     if server.tls_reject_handshake is defined and server.tls_reject_handshake == '1'%}
+    ssl_reject_handshake on;
+{%     endif %}
+{%     if server.certificate is defined %}
+{%       if server.ca is defined %}
     ssl_client_certificate /usr/local/etc/nginx/key/{{ single_servername }}_ca.pem;
     ssl_verify_client {{ server.verify_client }};
-{%     endif %}
-{%     if server.zero_rtt == '1' %}
+{%       endif %}
+{%       if server.zero_rtt == '1' %}
     ssl_early_data on;
-{%     endif %}
+{%       endif %}
     ssl_certificate_key /usr/local/etc/nginx/key/{{ single_servername }}.key;
     ssl_certificate /usr/local/etc/nginx/key/{{ single_servername }}.pem;
     ssl_protocols {{ server.tls_protocols.replace(',', ' ') }};
     ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
-{%     if server.tls_ciphers is defined and server.tls_ciphers != '' %}
+{%       if server.tls_ciphers is defined and server.tls_ciphers != '' %}
     ssl_ciphers {{ server.tls_ciphers }};
-{%     endif %}
-{%     if server.tls_ecdh_curve is defined and server.tls_ecdh_curve != '' %}
+{%       endif %}
+{%       if server.tls_ecdh_curve is defined and server.tls_ecdh_curve != '' %}
     ssl_ecdh_curve {{ server.tls_ecdh_curve }};
-{%     endif %}
+{%       endif %}
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;
     ssl_prefer_server_ciphers {% if server.tls_prefer_server_ciphers is defined and server.tls_prefer_server_ciphers == '0'%}off{% else %}on{% endif %};
-{%     if server.ocsp_stapling is defined and server.ocsp_stapling == '1'%}
+{%       if server.ocsp_stapling is defined and server.ocsp_stapling == '1'%}
     ssl_stapling on;
     ssl_stapling_verify {% if server.ocsp_verify is defined and server.ocsp_verify == '1' %}On{% else %}Off{% endif %};
-{%     else %}
+{%       else %}
     ssl_stapling off;
+{%       endif %}
 {%     endif %}
 {%   endif %}
 
@@ -172,7 +181,7 @@ server {
 {%   include "OPNsense/Nginx/syslog_targets.conf" %}
 {% endif %}
     access_log  /var/log/nginx/tls_handshake.log handshake;
-    error_log  /var/log/nginx/{{ server.servername }}.error.log;
+    error_log  /var/log/nginx/{{ server.servername }}.error.log{% if server.error_log_level is defined %} {{ server.error_log_level }}{% endif %};
 {% if server.root is defined and server.root != '' %}
     root "{{server.root}}";
 {% endif %}
@@ -233,9 +242,8 @@ server {
     location @permanentban {
         access_log /var/log/nginx/permanentban.access.log main;
         internal;
-        add_header Content-Type text/plain;
-        add_header Charset utf-8;
-        return 403 "You got banned permanently from this server.";
+        add_header "Content-Type" "text/plain; charset=UTF-8" always;
+        return {% if OPNsense.Nginx.http.ban_response is defined and OPNsense.Nginx.http.ban_response != '403' %}{{OPNsense.Nginx.http.ban_response}}{% else %}403 "You got banned permanently from this server."{% endif %};
     }
     error_page 418 = @permanentban;
     location = /waf_denied.html {
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 2b468ff452..0610d4fd5e 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -199,8 +199,8 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {%     if upstream.tls_protocol_versions is defined and upstream.tls_protocol_versions != '' %}
     proxy_ssl_protocols {{ upstream.tls_protocol_versions.replace(',', ' ') }};
 {%     endif %}
-{%     if upstream.tls_name_override is defined %}
-    proxy_ssl_session_reuse {% if upstream.tls_name_override != '0' %}off{% else %}on{% endif %};
+{%     if upstream.tls_session_reuse is defined %}
+    proxy_ssl_session_reuse {% if upstream.tls_session_reuse == '1' %}on{% else %}off{% endif %};
 {%     endif %}
 {%     if upstream.tls_trusted_certificate is defined and upstream.tls_trusted_certificate != '' %}
     proxy_ssl_trusted_certificate /usr/local/etc/nginx/key/trust_upstream_{{ location.upstream }}.pem;
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
index a140d361de..fb8f660756 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
@@ -12,7 +12,8 @@ load_module /usr/local/libexec/nginx/ngx_http_headers_more_filter_module.so;
 user www staff;
 worker_processes {{ OPNsense.Nginx.http.workerprocesses }};
 
-error_log  /var/log/nginx/error.log;
+#error_log  /var/log/nginx/error.log;
+error_log  syslog:server=unix:/var/run/log,facility=local6,nohostname warn;
 
 events {
     worker_connections  {{ OPNsense.Nginx.http.workerconnections }};
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index 3076099bc3..a2d306079c 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -58,7 +58,7 @@
 {%   set syslog_targets = server.syslog_targets.split(',') %}
 {%   include "OPNsense/Nginx/syslog_targets.conf" %}
 {% endif %}
-        error_log  /var/log/nginx/stream_{{ server['@uuid'] }}.error.log info;
+        error_log  /var/log/nginx/stream_{{ server['@uuid'] }}.error.log {% if server.error_log_level is defined and server.error_log_level != 'info'%}{{ server.error_log_level }}{% else %}info{% endif %};
 
 {% if server.route_field == 'sni_upstream_map' %}
         ssl_preread on;
@@ -100,11 +100,11 @@
 {%   elif server.route_field == 'sni_upstream_map' %}
         proxy_pass $hostmap{{ server.sni_upstream_map.replace('-','') }};
 {%   endif %}
-        proxy_protocol {% if server.proxy_protocol == '1' %}on{% else %}off{% endif %};
+        proxy_protocol {% if upstream.proxy_protocol == '1' %}on{% else %}off{% endif %};
 {%   if server.proxy_responses is defined and server.proxy_responses != '' %}
         proxy_responses {{ server.proxy_responses }};
 {%   endif%}
-{%   if server.trusted_proxies is defined and server.trusted_proxies != '' %}
+{%   if server.trusted_proxies is defined and server.trusted_proxies != '' and server.proxy_protocol is defined and server.proxy_protocol == '1' %}
 {%     for trusted_proxy in server.trusted_proxies.split(',') %}
         set_real_ip_from {{ trusted_proxy }};
 {%     endfor %}
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Syslog/local/nginx.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Syslog/local/nginx.conf
new file mode 100644
index 0000000000..421c505283
--- /dev/null
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Syslog/local/nginx.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [nginx].
+###################################################################
+filter f_local_nginx {
+    program("nginx");
+};

From 410cb9dbf812d2e02aa38adba13176501869a369 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 29 Mar 2023 10:55:10 +0200
Subject: [PATCH 1406/3088] dns/ddclient - allow custom target hostname for
 dyndns2 protocol. closes https://github.com/opnsense/plugins/issues/3362

It looks like the backend code was already available, we just forgot to broadcast it to the frontend using the known_services() method
---
 .../src/opnsense/scripts/ddclient/lib/account/dyndns2.py        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
index 2ea0649c3f..e53b14c837 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -53,7 +53,7 @@ def __init__(self, account: dict):
 
     @staticmethod
     def known_services():
-        return  DynDNS2._services.keys()
+        return  list(DynDNS2._services.keys()) + ['custom']
 
     def match(account):
         if account.get('service') in DynDNS2._services or (

From c08a2ea1771b8243f8f28de27c3f2286b2beb4af Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Mar 2023 15:17:57 +0200
Subject: [PATCH 1407/3088] net/udpbroadcastrelay: fix value access in model

PR: https://forum.opnsense.org/index.php?topic=33294.0
---
 net/udpbroadcastrelay/Makefile                |  2 +-
 .../inc/plugins.inc.d/udpbroadcastrelay.inc   | 63 +++++++++----------
 2 files changed, 32 insertions(+), 33 deletions(-)

diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index 9d11bafa50..850085eb92 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		udpbroadcastrelay
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Control ubpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com
diff --git a/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc b/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
index bb8a14f9f0..aeddc27c4a 100644
--- a/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
+++ b/net/udpbroadcastrelay/src/etc/inc/plugins.inc.d/udpbroadcastrelay.inc
@@ -1,29 +1,29 @@
 <?php
 
 /*
- *    Copyright (C) 2020 Martin Wasley
- *    All rights reserved.
+ * Copyright (C) 2020 Martin Wasley
+ * All rights reserved.
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 function udpbroadcastrelay_enabled()
@@ -31,7 +31,7 @@ function udpbroadcastrelay_enabled()
     $model = new \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay();
 
     foreach ($model->udpbroadcastrelay->iterateItems() as $server) {
-        if ($server->enabled == '1') {
+        if ((string)$server->enabled == '1') {
             return true;
         }
     }
@@ -48,7 +48,7 @@ function udpbroadcastrelay_firewall($fw)
 
 function udpbroadcastrelay_services()
 {
-    $services = array();
+    $services = [];
 
     if (!udpbroadcastrelay_enabled()) {
         return $services;
@@ -57,22 +57,21 @@ function udpbroadcastrelay_services()
     $model = new \OPNsense\UDPBroadcastRelay\UDPBroadcastRelay();
 
     foreach ($model->udpbroadcastrelay->iterateItems() as $server) {
-        if ($server->enabled == '0') {
+        if ((string)$server->enabled == '0') {
             continue;
         }
 
-        $services[] = array(
-            'description' => $server->description,
-            'id' =>  $server->InstanceID,
+        $services[] = [
+            'description' => (string)$server->description,
+            'id' =>  (string)$server->InstanceID,
             'pidfile' => "/var/run/udpbroadcastrelay_{$server->InstanceID}.pid",
-            'configd' => array(
-                'restart' => array('udpbroadcastrelay restart ' . $server->InstanceID),
-                'start' => array('udpbroadcastrelay start ' . $server->InstanceID),
-                'stop' => array('udpbroadcastrelay stop ' . $server->InstanceID),
-
-            ),
+            'configd' => [
+                'restart' => ['udpbroadcastrelay restart ' . $server->InstanceID],
+                'start' => ['udpbroadcastrelay start ' . $server->InstanceID],
+                'stop' => ['udpbroadcastrelay stop ' . $server->InstanceID],
+            ],
             'name' => 'udpbroadcastrelay',
-        );
+        ];
     }
 
     return $services;

From 101ef0a2327c6da3f0d79c8264e2fc07b4a0945e Mon Sep 17 00:00:00 2001
From: Thomas C <96428856+cektom@users.noreply.github.com>
Date: Sat, 1 Apr 2023 09:30:18 +0200
Subject: [PATCH 1408/3088] Cloudflare implementation for OPNsense backend
 ddclient (#3357)

* Cloudflare implementation for OPNsense backend ddclient

This is just a basic implementation of cloudflare for ddclient with OPNsense backend. It supports a single hostname/record
It needs some better error handling and there is also no support for multiple Hostnames and Wildcard at the moment.
Credentials have remained the same, as with ddclient backend (Username=Mailaddress of the cloudflare account, Password=Global API Key)

* Fix for IPv6 recordType (AAAA)

* Refactoring for b2e663b from @AdSchellevis

* Minor changes to 38efa88
---
 .../ddclient/lib/account/cloudflare.py        | 175 ++++++++++++++++++
 1 file changed, 175 insertions(+)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
new file mode 100644
index 0000000000..fd2843adbb
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
@@ -0,0 +1,175 @@
+"""
+    Copyright (c) 2023 Thomas Cekal <thomas@cekal.org>
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import json
+import syslog
+import requests
+from . import BaseAccount
+
+
+class Cloudflare(BaseAccount):
+    _priority = 65535
+
+    _services = {
+        'cloudflare': 'api.cloudflare.com'
+    }
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return  Cloudflare._services.keys()
+
+    def match(account):
+        return account.get('service') in Cloudflare._services
+
+    def execute(self):
+        if super().execute():
+            # IPv4/IPv6
+            recordType = None
+            if str(self.current_address).find(':') > 1:
+                #IPv6
+                recordType = "AAAA"
+            else:
+                #IPv4
+                recordType = "A"
+
+            # get ZoneID
+            url = "https://%s/client/v4/zones" % self._services[self.settings.get('service')]
+            req_opts = {
+                'url': url,
+                'params': {
+                    'name': self.settings.get('zone')
+                },
+                'headers': {
+                    'User-Agent': 'OPNsense-dyndns',
+                    'X-Auth-Email': self.settings.get('username'),
+                    'X-Auth-Key': self.settings.get('password')
+                }
+            }
+            response = requests.get(**req_opts)
+            try:
+                payload = response.json()
+            except requests.exceptions.JSONDecodeError:
+                payload = {}
+            if 'success' not in payload:
+                syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error parsing JSON response [ZoneID] %s" % (self.description, response.text)
+                    )
+                return
+            if not payload.get('success', False):
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s error receiving ZoneID [%s]" % (self.description, json.dumps(payload.get('errors', {})))
+                )
+                return
+
+            zone_id = payload['result'][0]['id']
+            if self.is_verbose:
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s ZoneID for %s %s" % (self.description, self.settings.get('zone'), zone_id)
+                )
+
+            # Get record ID
+            req_opts = {
+                'url': f"{req_opts['url']}/{zone_id}/dns_records",
+                'params': {
+                    'name': self.settings.get('hostnames'),
+                    'type': recordType
+                },
+                'headers': req_opts['headers']
+            }
+            response = requests.get(**req_opts)
+            try:
+                payload = response.json()
+            except requests.exceptions.JSONDecodeError:
+                payload = {}
+            if 'success' not in payload:
+                syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error parsing JSON response [RecordID] %s" % (self.description, response.text)
+                    )
+                return
+            if not payload.get('success', False):
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s error receiving RecordID [%s]" % (
+                        self.description, json.dumps(payload.get('errors', {}))
+                    )
+                )
+                return
+
+            record_id = payload['result'][0]['id']
+            if self.is_verbose:
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s RecordID for %s %s" % (self.description, self.settings.get('hostnames'), record_id)
+                )
+
+            # Send IP address update
+            req_opts = {
+                'url': f"{req_opts['url']}/{record_id}",
+                'json': {
+                    'type': recordType,
+                    'name': self.settings.get('hostnames'),
+                    'content': str(self.current_address)
+                },
+                'headers': req_opts['headers']
+            }
+            response = requests.put(**req_opts)
+            try:
+                payload = response.json()
+            except requests.exceptions.JSONDecodeError:
+                payload = {}
+            if 'success' not in payload:
+                syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error parsing JSON response [UpdateIP] %s" % (self.description, response.text)
+                    )
+                return
+            if payload.get('success', False):
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s set new ip %s [%s]" % (
+                        self.description,
+                        self.current_address,
+                        payload.get('result', {}).get('content', '')
+                    )
+                )
+
+                self.update_state(address=self.current_address)
+                return True
+            else:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s failed to set new ip %s [%s]" % (self.description, self.current_address, response.text)
+                )
+
+
+        return False
\ No newline at end of file

From a4b63d523b713045947494b0a876280f27dcb36a Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Thu, 6 Apr 2023 07:52:10 +0200
Subject: [PATCH 1409/3088] Bump version 1.0.3; acquire packet filter logs.
 (#3376)

---
 security/crowdsec/Makefile                                  | 2 +-
 security/crowdsec/pkg-descr                                 | 6 ++++++
 security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml   | 2 ++
 .../opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml   | 2 +-
 4 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index c77c5f821b..7e7631624f 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.2
+PLUGIN_VERSION=		1.0.3
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 846f7e8e84..91a944e53c 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,12 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.3
+
+* acquire filter logs for the firewallservices/pf collection (port scans).
+  If you already added it manually, you can remove it now to avoid counting
+  the events twice.
+
 1.0.2
 
 * updated cron job (reload only when there are updates), added small random delay
diff --git a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
index ab73fcd906..3850d84cf2 100644
--- a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
+++ b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
@@ -14,5 +14,7 @@ filenames:
   - /var/log/audit/latest.log
   # collection: crowdsecurity/opnsense-gui (web admin)
   - /var/log/lighttpd/latest.log
+  # collection: firewallservices/pf
+  - /var/log/filter/latest.log
 labels:
   type: syslog
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index c647de7f37..48f41a9776 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.2</version>
+  <version>1.0.3</version>
   <items>
 
     <agent_enabled type="BooleanField">

From 5bd0d59975316ba38ec0969f48a17e4182f71d77 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 8 Apr 2023 18:25:58 +0200
Subject: [PATCH 1410/3088] dns/dnscrypt-proxy: change core DNS approach
 slightly

Only trigger on 0.0.0.0/:: combination.  Also makes clashes with
previous defaults and user input less likely.

Core services are already validated as being run on 0.0.0.0/:: even
when they are not so this is fine.

Change the defaults as well as they make more sense (but keep the
non-standard port) and make it a required setting (not sure what
the default would have been).
---
 dns/dnscrypt-proxy/pkg-descr                               | 1 +
 .../src/etc/inc/plugins.inc.d/dnscryptproxy.inc            | 7 ++++---
 .../controllers/OPNsense/Dnscryptproxy/forms/general.xml   | 2 +-
 .../mvc/app/models/OPNsense/Dnscryptproxy/General.xml      | 6 +++---
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 14035109ac..76d19e885b 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -8,6 +8,7 @@ Plugin Changelog
 1.13
 
 * Add necessary hooks to allow the plugin to be used as a standalone core DNS server
+* Changed default listening addresses to 0.0.0.0/:: for new users
 
 1.12
 
diff --git a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
index 2bb3c7192e..aeb8ef1ffc 100644
--- a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
+++ b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
@@ -2,6 +2,7 @@
 
 /*
  * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2023 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -51,7 +52,7 @@ function dnscryptproxy_services()
     $ports = [];
 
     /*
-     * DNS service is eligable for core use when both 127.0.0.1 and ::1 are set.
+     * DNS service is eligable for core use when both 0.0.0.0 and :: are set.
      * In order to provide dual stack ports we need to intersect the resulting
      * ports for each address family.
      */
@@ -59,9 +60,9 @@ function dnscryptproxy_services()
     $localhost6 = [];
 
     foreach (explode(',', (string)$model->listen_addresses) as $addrport) {
-        if (preg_match('/^127\.0\.0\.1:([\d]+)$/', $addrport, $matches)) {
+        if (preg_match('/^0\.0\.0\.0:([\d]+)$/', $addrport, $matches)) {
             $localhost4[$matches[1]] = 1;
-        } elseif (preg_match('/^\[::1\]:([\d]+)$/', $addrport, $matches)) {
+        } elseif (preg_match('/^\[::\]:([\d]+)$/', $addrport, $matches)) {
             $localhost6[$matches[1]] = 1;
         }
     }
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
index 9243e23726..7f5d0e8538 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
@@ -11,7 +11,7 @@
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Set the IP address and port combinations this service should listen on, e.g 127.0.0.1:5353 and/or [::1]:5353</help>
+        <help>Set the IP address/port combinations this service should listen on.</help>
     </field>
     <field>
         <id>general.allowprivileged</id>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index 3d47b93fd4..4dd48bdfd6 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -1,15 +1,15 @@
 <model>
     <mount>//OPNsense/dnscryptproxy/general</mount>
     <description>dnscrypt-proxy configuration</description>
-    <version>0.1.1</version>
+    <version>0.1.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
         </enabled>
         <listen_addresses type="CSVListField">
-            <default>127.0.0.1:5353,[::1]:5353</default>
-            <Required>N</Required>
+            <default>0.0.0.0:5353,[::]:5353</default>
+            <Required>Y</Required>
         </listen_addresses>
         <allowprivileged type="BooleanField">
             <default>0</default>

From 84a0e9758cc56fac71e0e67059e05516917691be Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 8 Apr 2023 18:31:28 +0200
Subject: [PATCH 1411/3088] LICENSE: sync

---
 LICENSE | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index f8e248f151..5cf7f7c4db 100644
--- a/LICENSE
+++ b/LICENSE
@@ -19,8 +19,8 @@ Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
-Copyright (c) 2014-2022 Franco Fichtner <franco@opnsense.org>
-Copyright (c) 2016-2022 Frank Wall
+Copyright (c) 2014-2023 Franco Fichtner <franco@opnsense.org>
+Copyright (c) 2016-2023 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021-2023 Jan Winkler
@@ -50,6 +50,7 @@ Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2019 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz
 Copyright (c) 2020 Starkstromkonsument
+Copyright (c) 2023 Thomas Cekal <thomas@cekal.org>
 Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2022 Wouter Deurholt
 Copyright (c) 2010 Yehuda Katz

From 456620efbe12698a8dffe213627b8c55b494ad62 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 8 Apr 2023 18:36:46 +0200
Subject: [PATCH 1412/3088] dns/bind: same same but bind

---
 dns/bind/Makefile                                   |  2 +-
 dns/bind/pkg-descr                                  |  1 +
 dns/bind/src/etc/inc/plugins.inc.d/bind.inc         | 13 +++++++------
 .../mvc/app/models/OPNsense/Bind/General.xml        |  6 +++---
 4 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 77b4de0627..9e40a59062 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.26
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 3440061919..e8edd8be2f 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 * Allow multiple ACLs to be selected for Transfers/Queries (contributed by Robbert Rijkse)
 * Rename Master/Slave to Primary/Secondary (contributed by Robbert Rijkse)
 * Add necessary hooks to allow the plugin to be used as a standalone core DNS server
+* Changed default listening addresses to 0.0.0.0/:: for new users
 
 1.25
 
diff --git a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
index 8e6a1d4d8f..627e108083 100644
--- a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
+++ b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
@@ -2,6 +2,7 @@
 
 /*
  * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2023 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -49,21 +50,21 @@ function bind_services()
 
     $model = new \OPNsense\Bind\General();
 
-    /* DNS service is eligable for core use when both 127.0.0.1 and ::1 are set */
-    $localhost4 = false;
-    $localhost6 = false;
+    /* DNS service is eligable for core use when both 0.0.0.0 and :: are set */
+    $any4 = false;
+    $any6 = false;
 
     foreach (explode(',', (string)$model->listenv4) as $addr) {
-        $localhost4 |= $addr === '127.0.0.1';
+        $any4 |= $addr === '0.0.0.0';
     }
 
     foreach (explode(',', (string)$model->listenv6) as $addr) {
-        $localhost6 |= $addr === '::1';
+        $any6 |= $addr === '::';
     }
 
     $services[] = [
         /* the port may still be something other than 53, but it's safe to register a conflict for it */
-        'dns_ports' => ($localhost4 && $localhost6 ? [(string)$model->port] : []),
+        'dns_ports' => ($any4 && $any6 ? [(string)$model->port] : []),
         'description' => gettext('BIND Daemon'),
         'configd' => [
             'restart' => ['bind restart'],
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index d7232ca2cf..35e193df39 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -16,13 +16,13 @@
             <Required>Y</Required>
         </enablerpz>
         <listenv4 type="NetworkField">
-            <default>127.0.0.1</default>
+            <default>0.0.0.0</default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <asList>Y</asList>
         </listenv4>
         <listenv6 type="NetworkField">
-            <default>::1</default>
+            <default>::</default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <asList>Y</asList>
@@ -149,7 +149,7 @@
             <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
         </ratelimitcount>
         <ratelimitexcept type="NetworkField">
-            <default>127.0.0.1,::1</default>
+            <default>0.0.0.0,::</default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <asList>Y</asList>

From 026e6ebb23a52847a6f8f078e774341be1f0a6dc Mon Sep 17 00:00:00 2001
From: Glen <daygle@users.noreply.github.com>
Date: Sat, 8 Apr 2023 13:31:18 +1000
Subject: [PATCH 1413/3088] Correct 'Help Text' for Remote Port

Correct 'Help Text' for Remote Port, the removed text mentions that field can be left blank which is incorrect. A value needs to be specified for the service to run correctly.
---
 .../mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
index 754a3b3922..c875b562c3 100644
--- a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
+++ b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
@@ -27,7 +27,7 @@
         <id>sensor.remoteport</id>
         <label>Remote Port</label>
         <type>text</type>
-        <help>Port of the logging server. Leave empty when sensor and server run on the same system.</help>
+        <help>Port of the logging server.</help>
     </field>
     <field>
         <id>sensor.syslogserver</id>

From fb882ed42a167f901cac2cb901e8f72049843367 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu, 30 Mar 2023 22:28:43 +0300
Subject: [PATCH 1414/3088] nginx setup: handle vts socket state

Handle possible remaining vts socket  after nginx start failure
---
 www/nginx/src/opnsense/scripts/nginx/setup.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 001c7cad20..1b9a304fdd 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -69,14 +69,21 @@ function find_ca($refid)
 if (!isset($config['OPNsense']['Nginx'])) {
     die("nginx is not configured");
 }
+openlog("nginx", LOG_ODELAY, LOG_USER);
+syslog(LOG_DEBUG, "NGINX setup routine started.");
 @mkdir('/usr/local/etc/nginx/key', 0750, true);
 @mkdir("/var/db/nginx/auth", 0750, true);
 @mkdir("/var/log/nginx", 0750, true);
 @chgrp('/var/db/nginx', GROUP_OWNER);
 @chgrp('/var/db/nginx/auth', GROUP_OWNER);
 @chgrp('/var/log/nginx', GROUP_OWNER);
+// unlink VTS socket if nginx didn't
+$vts_socket = '/var/run/nginx_status.sock';
+if (!isvalidpid('/var/run/nginx.pid') && file_exists($vts_socket)) {
+    syslog(LOG_WARNING, "NGINX setup: nginx not running but VTS socket exists. Unlinking.");
+    @unlink($vts_socket);
+}
 $nginx = $config['OPNsense']['Nginx'];
-openlog("nginx", LOG_ODELAY, LOG_USER);
 if (isset($nginx['http_server'])) {
     if (is_array($nginx['http_server']) && !isset($nginx['http_server']['servername'])) {
         $http_servers = $nginx['http_server'];
@@ -255,6 +262,7 @@ function find_ca($refid)
 // create directories for cache
 foreach ($nginx->cache_path->iterateItems() as $cache_path) {
     @mkdir((string)$cache_path->path, 0755, true);
+    @chgrp((string)$cache_path->path, GROUP_OWNER);
 }
 
 // create custom error pages
@@ -339,5 +347,6 @@ function find_ca($refid)
     exit(1);
 }
 
+syslog(LOG_DEBUG, "NGINX setup routine completed.");
 closelog();
 passthru('/usr/local/etc/rc.d/php-fpm start');

From 55820e4f77c784fca0b89fa24593f9f1286d04ef Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Mon, 10 Apr 2023 15:22:11 +0300
Subject: [PATCH 1415/3088] www/nginx: add uuid column to the grids (#3374)

---
 .../OPNsense/Nginx/Api/SettingsController.php |  12 +-
 .../mvc/app/views/OPNsense/Nginx/index.volt   | 103 +++++++++---------
 .../www/js/nginx/dist/configuration.min.js    |   2 +-
 .../opnsense/www/js/nginx/src/nginx_config.js |  12 +-
 4 files changed, 70 insertions(+), 59 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 314dc85382..4a0849cf5d 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -105,7 +105,7 @@ public function setcredentialAction($uuid)
     // Upstream
     public function searchupstreamAction()
     {
-        return $this->searchBase('upstream', array('description', 'serverentries', 'tls_enable', 'load_balancing_algorithm'));
+        return $this->searchBase('upstream', array('uuid', 'description', 'serverentries', 'tls_enable', 'load_balancing_algorithm'));
     }
 
     public function getupstreamAction($uuid = null)
@@ -132,7 +132,7 @@ public function setupstreamAction($uuid)
     // Upstream Server
     public function searchupstreamserverAction()
     {
-        return $this->searchBase('upstream_server', array('description', 'server', 'port', 'priority'));
+        return $this->searchBase('upstream_server', array('uuid', 'description', 'server', 'port', 'priority'));
     }
 
     public function getupstreamserverAction($uuid = null)
@@ -160,8 +160,8 @@ public function setupstreamserverAction($uuid)
     public function searchlocationAction()
     {
         $data = $this->searchBase('location', array(
-            'description','urlpattern', 'path_prefix', 'matchtype', 'upstream',
-            'enable_secrules', 'enable_learning_mode', 'force_https',
+            'uuid', 'description', 'urlpattern', 'path_prefix', 'matchtype',
+            'upstream', 'enable_secrules', 'enable_learning_mode', 'force_https',
             'xss_block_score', 'sqli_block_score', 'custom_policy'
         ));
 
@@ -233,7 +233,7 @@ public function setcustompolicyAction($uuid)
     public function searchhttpserverAction()
     {
         return $this->searchBase('http_server', array(
-            'servername', 'locations', 'root', 'https_only', 'certificate',
+            'uuid', 'servername', 'locations', 'root', 'https_only', 'certificate',
             'listen_http_address', 'listen_https_address', 'default_server'
         ));
     }
@@ -262,7 +262,7 @@ public function sethttpserverAction($uuid)
     // stream server
     public function searchstreamserverAction()
     {
-        return $this->searchBase('stream_server', array('description', 'certificate', 'udp', 'listen_address'));
+        return $this->searchBase('stream_server', array('uuid', 'description', 'certificate', 'udp', 'listen_address'));
     }
 
     public function getstreamserverAction($uuid = null)
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index 78cf04adac..7a876e42ce 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -223,17 +223,18 @@
         <table id="grid-location" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="locationdlg">
             <thead>
             <tr>
-                <th data-column-id="description" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('Description') }}</th>
-                <th data-column-id="urlpattern" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('URL Pattern') }}</th>
-                <th data-column-id="path_prefix" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('URL Path Prefix') }}</th>
-                <th data-column-id="matchtype" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('Match Type') }}</th>
-                <th data-column-id="upstream" data-type="string" data-sortable="true"  data-visible="false">{{ lang._('Upstream') }}</th>
-                <th data-column-id="waf_status" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('WAF Status') }}</th>
-                <th data-column-id="xss_block_score" data-type="string" data-sortable="true"  data-visible="false">{{ lang._('XSS Score') }}</th>
-                <th data-column-id="sqli_block_score" data-type="string" data-sortable="true"  data-visible="false">{{ lang._('SQLi Score') }}</th>
-                <th data-column-id="custom_policy" data-type="string" data-width="50%" data-sortable="true"  data-visible="false">{{ lang._('WAF Policies') }}</th>
-                <th data-column-id="force_https" data-type="boolean" data-width="10em" data-sortable="true"  data-visible="true">{{ lang._('Force HTTPS') }}</th>
-                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="uuid" data-type="string" data-sortable="true" data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
+                <th data-column-id="urlpattern" data-type="string" data-sortable="true" data-visible="true">{{ lang._('URL Pattern') }}</th>
+                <th data-column-id="path_prefix" data-type="string" data-sortable="true" data-visible="true">{{ lang._('URL Path Prefix') }}</th>
+                <th data-column-id="matchtype" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Match Type') }}</th>
+                <th data-column-id="upstream" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Upstream') }}</th>
+                <th data-column-id="waf_status" data-type="string" data-sortable="true" data-visible="true">{{ lang._('WAF Status') }}</th>
+                <th data-column-id="xss_block_score" data-type="string" data-sortable="true" data-visible="false">{{ lang._('XSS Score') }}</th>
+                <th data-column-id="sqli_block_score" data-type="string" data-sortable="true" data-visible="false">{{ lang._('SQLi Score') }}</th>
+                <th data-column-id="custom_policy" data-type="string" data-width="50%" data-sortable="true" data-visible="false">{{ lang._('WAF Policies') }}</th>
+                <th data-column-id="force_https" data-type="numeric" data-width="10em" data-sortable="true" data-visible="true" data-formatter="boolean">{{ lang._('Force HTTPS') }}</th>
+                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -254,11 +255,12 @@
         <table id="grid-upstreamserver" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="upstreamserverdlg">
             <thead>
             <tr>
-                <th data-column-id="description" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Description') }}</th>
-                <th data-column-id="server" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('Server') }}</th>
-                <th data-column-id="port" data-type="string" data-sortable="true"  data-visible="true">{{ lang._('Port') }}</th>
-                <th data-column-id="priority" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Priority') }}</th>
-                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="uuid" data-type="string" data-sortable="true" data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="description" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Description') }}</th>
+                <th data-column-id="server" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Server') }}</th>
+                <th data-column-id="port" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Port') }}</th>
+                <th data-column-id="priority" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Priority') }}</th>
+                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -280,11 +282,12 @@
         <table id="grid-upstream" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="upstreamdlg">
             <thead>
             <tr>
-                <th data-column-id="description" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Description') }}</th>
-                <th data-column-id="serverentries" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Servers') }}</th>
-                <th data-column-id="load_balancing_algorithm" data-type="string" data-sortable="false"  data-visible="false">{{ lang._('Load Balancing') }}</th>
-                <th data-column-id="tls_enable" data-type="boolean" data-width="12em" data-sortable="false"  data-visible="true">{{ lang._('TLS Enabled') }}</th>
-                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="uuid" data-type="string" data-sortable="true" data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="description" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Description') }}</th>
+                <th data-column-id="serverentries" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Servers') }}</th>
+                <th data-column-id="load_balancing_algorithm" data-type="string" data-sortable="false" data-visible="false">{{ lang._('Load Balancing') }}</th>
+                <th data-column-id="tls_enable" data-type="numeric" data-width="12em" data-sortable="false" data-visible="true" data-formatter="boolean">{{ lang._('TLS Enabled') }}</th>
+                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -304,8 +307,8 @@
         <table id="grid-credential" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="credentialdlg">
             <thead>
             <tr>
-                <th data-column-id="username" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Username') }}</th>
-                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="username" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Username') }}</th>
+                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -327,7 +330,7 @@
             <tr>
                 <th data-column-id="name" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Name') }}</th>
                 <th data-column-id="users" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Users') }}</th>
-                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -347,15 +350,16 @@
         <table id="grid-httpserver" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="httpserverdlg">
             <thead>
                 <tr>
+                    <th data-column-id="uuid" data-type="string" data-sortable="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="servername" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Servername') }}</th>
                     <th data-column-id="locations" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Locations') }}</th>
                     <th data-column-id="root" data-type="string" data-sortable="true" data-visible="false">{{ lang._('File System Root') }}</th>
                     <th data-column-id="certificate" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Certificate') }}</th>
-                    <th data-column-id="https_only" data-type="boolean" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTPS Only') }}</th>
+                    <th data-column-id="https_only" data-type="numeric" data-width="7em" data-sortable="true" data-visible="true" data-formatter="boolean">{{ lang._('HTTPS Only') }}</th>
                     <th data-column-id="listen_http_address" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTP Address') }}</th>
                     <th data-column-id="listen_https_address" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTPS Address') }}</th>
-                    <th data-column-id="default_server" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Default') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="default_server" data-type="numeric" data-width="7em" data-sortable="true" data-visible="true" data-formatter="boolean">{{ lang._('Default') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -375,10 +379,11 @@
         <table id="grid-streamserver" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="streamserverdlg">
             <thead>
                 <tr>
+                    <th data-column-id="uuid" data-type="string" data-sortable="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="certificate" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Certificate') }}</th>
-                    <th data-column-id="udp" data-type="string" data-sortable="true" data-visible="true">{{ lang._('UDP') }}</th>
+                    <th data-column-id="udp" data-type="numeric" data-sortable="true" data-visible="true" data-formatter="boolean">{{ lang._('UDP') }}</th>
                     <th data-column-id="listen_address" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Address') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -399,10 +404,10 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="source" data-type="boolean" data-sortable="true" data-visible="true">{{ lang._('Source URL') }}</th>
+                    <th data-column-id="source" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Source URL') }}</th>
                     <th data-column-id="destination" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Destination URL') }}</th>
                     <th data-column-id="flag" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Flag') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -433,11 +438,11 @@
             <thead>
                 <tr>
                     <th data-column-id="name" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="operator" data-type="boolean" data-width="12em" data-sortable="true" data-visible="true">{{ lang._('Operator') }}</th>
+                    <th data-column-id="operator" data-type="string" data-width="12em" data-sortable="true" data-visible="true">{{ lang._('Operator') }}</th>
                     <th data-column-id="value" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Value') }}</th>
                     <th data-column-id="naxsi_rules" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Rules') }}</th>
                     <th data-column-id="action" data-type="string" data-width="12em" data-sortable="true" data-visible="true">{{ lang._('Action') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -457,14 +462,14 @@
         <table id="grid-naxsirule" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="naxsiruledlg">
             <thead>
                 <tr>
+                    <th data-column-id="identifier" data-type="numeric" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('ID') }}</th>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="ruletype" data-type="boolean" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Rule Type') }}</th>
+                    <th data-column-id="ruletype" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Rule Type') }}</th>
                     <th data-column-id="match_type" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Match Type') }}</th>
-                    <th data-column-id="identifier" data-type="string" data-sortable="true" data-visible="true">{{ lang._('ID') }}</th>
-                    <th data-column-id="score" data-type="integer" data-width=7em" data-sortable="true" data-visible="true">{{ lang._('Score') }}</th>
+                    <th data-column-id="score" data-type="numeric" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Score') }}</th>
                     <th data-column-id="match_value" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Value') }}</th>
                     <th data-column-id="message" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Message') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -490,7 +495,7 @@
                     <th data-column-id="hsts" data-type="string" data-sortable="true" data-visible="true">{{ lang._('HSTS') }}</th>
                     <th data-column-id="csp" data-type="string" data-sortable="true" data-visible="true">{{ lang._('CSP') }}</th>
                     <th data-column-id="csp_details" data-type="string" data-sortable="true" data-visible="false">{{ lang._('CSP Rules') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -511,10 +516,10 @@
             <thead>
                 <tr>
                     <th data-column-id="path" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Path') }}</th>
-                    <th data-column-id="size" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="inactive" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="max_size" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="size" data-type="numeric" data-sortable="true" data-visible="true">{{ lang._('Size') }}</th>
+                    <th data-column-id="inactive" data-type="numeric" data-sortable="true" data-visible="true">{{ lang._('Inactive') }}</th>
+                    <th data-column-id="max_size" data-type="numeric" data-sortable="true" data-visible="true">{{ lang._('Max Size') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -539,7 +544,7 @@
                     <th data-column-id="size" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Size') }}</th>
                     <th data-column-id="rate" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Rate') }}</th>
                     <th data-column-id="rate_unit" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Rate Unit') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -564,7 +569,7 @@
                     <th data-column-id="connection_count" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Connection Count') }}</th>
                     <th data-column-id="burst" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Burst') }}</th>
                     <th data-column-id="nodelay" data-type="string" data-sortable="true" data-visible="true">{{ lang._('No Delay') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -585,7 +590,7 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -606,7 +611,7 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -629,7 +634,7 @@
                     <th data-column-id="name" data-width="15%" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Name') }}</th>
                     <th data-column-id="statuscodes" data-type="string" data-formatter="statuscodes" data-sortable="false" data-visible="true">{{ lang._('Status Codes') }}</th>
                     <th data-column-id="response" data-width="13em" data-type="string" data-formatter="response" data-sortable="true">{{ lang._('Response') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -650,7 +655,7 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -674,7 +679,7 @@
                     <th data-column-id="host" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Host') }}</th>
                     <th data-column-id="facility" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Facility') }}</th>
                     <th data-column-id="severity" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Severity') }}</th>
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
index c6a86734e3..e7c57eb22b 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
@@ -1 +1 @@
-!function(e){var t={};function n(s){if(t[s])return t[s].exports;var i=t[s]={i:s,l:!1,exports:{}};return e[s].call(i.exports,i,i.exports,n),i.l=!0,i.exports}n.m=e,n.c=t,n.d=function(e,t,s){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:s})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var s=Object.create(null);if(n.r(s),Object.defineProperty(s,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var i in e)n.d(s,i,function(t){return e[t]}.bind(null,i));return s},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=27)}({27:function(e,t,n){"use strict";n.r(t);var s=Backbone.View.extend({tagName:"div",attributes:{class:"container-fluid"},child_views:[],createModel:null,upstreamCollection:null,initialize:function(e){this.dataField=$(e.dataField),this.entryclass=e.entryclass,this.createModel=e.createModel,this.upstreamCollection=e.upstreamCollection,this.listenTo(this.collection,"add remove reset",this.render),this.listenTo(this.collection,"change",this.update),this.dataField.after(this.$el)},events:{"click .add":"addEntry"},render:function(){this.child_views.forEach(e=>e.remove()),this.$el.html(""),this.child_views=[],this.update(),this.collection.each(e=>{const t=new this.entryclass({model:e,collection:this.collection,upstreamCollection:this.upstreamCollection});this.child_views.push(t),this.$el.append(t.$el),t.render()}),this.$el.append($('\n            <div class="row">\n                <button class="btn btn-primary pull-right add">\n                    <span class="fa fa-plus"></span>\n                </button>\n            </div>'))},update:function(){this.dataField.data("data",this.collection.toJSON())},addEntry:function(e){e.preventDefault(),this.collection.add(this.createModel())}});var i=Backbone.Collection.extend({url:"/api/nginx/settings/searchupstream",parse:function(e){return e.rows}});const a=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("hostname",this.key.value)},"change .value":function(){this.model.set("upstream",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(e){this.upstreamCollection=e.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("hostname"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("upstream"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.model.has("upstream")&&0!==this.upstreamCollection.where({uuid:this.model.get("upstream")}).length||this.upstreamCollection.length>0&&this.model.set("upstream",this.upstreamCollection.at(0).get("uuid")),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("hostname")),this.regenerate_list(),$(this.value).val(this.model.get("upstream"))},deleteEntry:function(e){e.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const e=$(this.value);e.html(""),this.upstreamCollection.each(t=>e.append(`<option value="${t.escape("uuid")}">${t.escape("description")}</option>`)),e.val(this.model.get("upstream")),e.selectpicker("refresh")}}),l=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("network",this.key.value)},"change .value":function(){this.model.set("action",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(e){this.upstreamCollection=e.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("network"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("action"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("network")),this.regenerate_list(),$(this.value).val(this.model.get("action"))},deleteEntry:function(e){e.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const e=$(this.value);e.html(""),this.upstreamCollection.each(t=>e.append(`<option value="${t.escape("value")}">${t.escape("name")}</option>`)),e.val(this.model.get("action")),e.selectpicker("refresh")}});var o=Backbone.Collection.extend({initialize:function(){let e=this;$("#snihostname\\.data").change(function(){e.regenerateFromView()})},regenerateFromView:function(){let e=$("#snihostname\\.data").data("data");_.isArray(e)||(e=[]),this.reset(e)}}),r=Backbone.Model.extend({}),c=Backbone.Model.extend({}),d=Backbone.Collection.extend({initialize:function(){let e=this;$("#ipacl\\.data").change(function(){e.regenerateFromView()})},regenerateFromView:function(){let e=$("#ipacl\\.data").data("data");_.isArray(e)||(e=[]),this.reset(e)}});const u=new i,h=new Backbone.Collection([{name:"Deny",value:"deny"},{name:"Allow",value:"allow"}]);$(document).ready(function(){mapDataToFormUI({frm_nginx:"/api/nginx/settings/get"}).done(function(){formatTokenizersUI(),$('select[data-allownew="false"]').selectpicker("refresh"),updateServiceControlUI("nginx")}),""!==window.location.hash&&$('a[href="'+window.location.hash+'"]').click(),$(".nav-tabs a").on("shown.bs.tab",function(e){history.pushState(null,null,e.target.hash)}),$(".reload_btn").click(function(){$(".reloadAct_progress").addClass("fa-spin"),ajaxCall("/api/nginx/service/reconfigure",{},function(){$(".reloadAct_progress").removeClass("fa-spin")})}),$('[id*="save_"]').each(function(){$(this).click(function(){let e=$(this).closest("form").attr("id"),t=$(this).closest("form").attr("data-title");saveFormToEndpoint("/api/nginx/settings/set",e,function(){$("#"+e+"_progress").addClass("fa fa-spinner fa-pulse"),ajaxCall("/api/nginx/service/reconfigure",{},function(n,s){$("#"+e+"_progress").removeClass("fa fa-spinner fa-pulse"),void 0===n||"success"===s&&"ok"===n.status?updateServiceControlUI("nginx"):BootstrapDialog.show({type:BootstrapDialog.TYPE_WARNING,title:t,message:JSON.stringify(n),draggable:!0})})})})}),["upstream","upstreamserver","location","credential","userlist","httpserver","streamserver","httprewrite","custompolicy","security_header","ipacl","limit_zone","cache_path","limit_request_connection","snifwd","errorpage","tls_fingerprint","syslog_target","naxsirule"].forEach(function(e){$("#grid-"+e).UIBootgrid({search:"/api/nginx/settings/search"+e,get:"/api/nginx/settings/get"+e+"/",set:"/api/nginx/settings/set"+e+"/",add:"/api/nginx/settings/add"+e+"/",del:"/api/nginx/settings/del"+e+"/",options:{selection:!1,multiSelect:!1,formatters:{commands:function(e,t){return'<button type="button" class="btn btn-xs btn-default command-edit" data-row-id="'+t.uuid+'"><span class="fa fa-pencil"></span></button> <button type="button" class="btn btn-xs btn-default command-copy" data-row-id="'+t.uuid+'"><span class="fa fa-clone"></span></button><button type="button" class="btn btn-xs btn-default command-delete" data-row-id="'+t.uuid+'"><span class="fa fa-trash-o"></span></button>'},response:function(e,t){return"none"==t.response?"unchanged":t.response},statuscodes:function(e,t){const n=[],s=t.statuscodes.split(",");for(let e of s)n.push(e.substr(0,3));return n.join(", ")}}}})}),bind_naxsi_rule_dl_button(),function(){let e=new s({dataField:document.getElementById("snihostname.data"),upstreamCollection:u,entryclass:a,collection:new o,createModel:function(){return new r({hostname:"localhost"})}});window.snifield=e,e.render(),$("#grid-upstream").on("loaded.rs.jquery.bootgrid",function(){u.fetch()}),u.fetch()}();let e=new s({dataField:document.getElementById("ipacl.data"),upstreamCollection:h,entryclass:l,collection:new d,createModel:function(){return new c({network:"::",action:"deny"})}});window.ipaclfield=e,e.render()})}});
\ No newline at end of file
+!function(t){var e={};function n(i){if(e[i])return e[i].exports;var s=e[i]={i:i,l:!1,exports:{}};return t[i].call(s.exports,s,s.exports,n),s.l=!0,s.exports}n.m=t,n.c=e,n.d=function(t,e,i){n.o(t,e)||Object.defineProperty(t,e,{enumerable:!0,get:i})},n.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},n.t=function(t,e){if(1&e&&(t=n(t)),8&e)return t;if(4&e&&"object"==typeof t&&t&&t.__esModule)return t;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:t}),2&e&&"string"!=typeof t)for(var s in t)n.d(i,s,function(e){return t[e]}.bind(null,s));return i},n.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return n.d(e,"a",e),e},n.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},n.p="",n(n.s=27)}({27:function(t,e,n){"use strict";n.r(e);var i=Backbone.View.extend({tagName:"div",attributes:{class:"container-fluid"},child_views:[],createModel:null,upstreamCollection:null,initialize:function(t){this.dataField=$(t.dataField),this.entryclass=t.entryclass,this.createModel=t.createModel,this.upstreamCollection=t.upstreamCollection,this.listenTo(this.collection,"add remove reset",this.render),this.listenTo(this.collection,"change",this.update),this.dataField.after(this.$el)},events:{"click .add":"addEntry"},render:function(){this.child_views.forEach(t=>t.remove()),this.$el.html(""),this.child_views=[],this.update(),this.collection.each(t=>{const e=new this.entryclass({model:t,collection:this.collection,upstreamCollection:this.upstreamCollection});this.child_views.push(e),this.$el.append(e.$el),e.render()}),this.$el.append($('\n            <div class="row">\n                <button class="btn btn-primary pull-right add">\n                    <span class="fa fa-plus"></span>\n                </button>\n            </div>'))},update:function(){this.dataField.data("data",this.collection.toJSON())},addEntry:function(t){t.preventDefault(),this.collection.add(this.createModel())}});var s=Backbone.Collection.extend({url:"/api/nginx/settings/searchupstream",parse:function(t){return t.rows}});const a=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("hostname",this.key.value)},"change .value":function(){this.model.set("upstream",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("hostname"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("upstream"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.model.has("upstream")&&0!==this.upstreamCollection.where({uuid:this.model.get("upstream")}).length||this.upstreamCollection.length>0&&this.model.set("upstream",this.upstreamCollection.at(0).get("uuid")),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("hostname")),this.regenerate_list(),$(this.value).val(this.model.get("upstream"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("uuid")}">${e.escape("description")}</option>`)),t.val(this.model.get("upstream")),t.selectpicker("refresh")}}),l=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("network",this.key.value)},"change .value":function(){this.model.set("action",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("network"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("action"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("network")),this.regenerate_list(),$(this.value).val(this.model.get("action"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("value")}">${e.escape("name")}</option>`)),t.val(this.model.get("action")),t.selectpicker("refresh")}});var o=Backbone.Collection.extend({initialize:function(){let t=this;$("#snihostname\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#snihostname\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}}),r=Backbone.Model.extend({}),d=Backbone.Model.extend({}),c=Backbone.Collection.extend({initialize:function(){let t=this;$("#ipacl\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#ipacl\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}});const u=new s,h=new Backbone.Collection([{name:"Deny",value:"deny"},{name:"Allow",value:"allow"}]);$(document).ready(function(){mapDataToFormUI({frm_nginx:"/api/nginx/settings/get"}).done(function(){formatTokenizersUI(),$('select[data-allownew="false"]').selectpicker("refresh"),updateServiceControlUI("nginx")}),""!==window.location.hash&&$('a[href="'+window.location.hash+'"]').click(),$(".nav-tabs a").on("shown.bs.tab",function(t){history.pushState(null,null,t.target.hash)}),$(".reload_btn").click(function(){$(".reloadAct_progress").addClass("fa-spin"),ajaxCall("/api/nginx/service/reconfigure",{},function(){$(".reloadAct_progress").removeClass("fa-spin")})}),$('[id*="save_"]').each(function(){$(this).click(function(){let t=$(this).closest("form").attr("id"),e=$(this).closest("form").attr("data-title");saveFormToEndpoint("/api/nginx/settings/set",t,function(){$("#"+t+"_progress").addClass("fa fa-spinner fa-pulse"),ajaxCall("/api/nginx/service/reconfigure",{},function(n,i){$("#"+t+"_progress").removeClass("fa fa-spinner fa-pulse"),void 0===n||"success"===i&&"ok"===n.status?updateServiceControlUI("nginx"):BootstrapDialog.show({type:BootstrapDialog.TYPE_WARNING,title:e,message:JSON.stringify(n),draggable:!0})})})})}),["upstream","upstreamserver","location","credential","userlist","httpserver","streamserver","httprewrite","custompolicy","security_header","ipacl","limit_zone","cache_path","limit_request_connection","snifwd","errorpage","tls_fingerprint","syslog_target","naxsirule"].forEach(function(t){$("#grid-"+t).UIBootgrid({search:"/api/nginx/settings/search"+t,get:"/api/nginx/settings/get"+t+"/",set:"/api/nginx/settings/set"+t+"/",add:"/api/nginx/settings/add"+t+"/",del:"/api/nginx/settings/del"+t+"/",commands:{copy_uuid:{method:function(t){navigator.clipboard.writeText($(this).data("row-id"))}}},options:{selection:!1,multiSelect:!1,formatters:{commands:function(t,e){return'<button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-edit" data-row-id="'+e.uuid+'" title="Edit"><span class="fa fa-fw fa-pencil"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy_uuid" data-row-id="'+e.uuid+'" title="Copy UUID to clipboard"><span class="fa fa-fw fa-clipboard"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy" data-row-id="'+e.uuid+'" title="Clone"><span class="fa fa-fw fa-clone"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-delete" data-row-id="'+e.uuid+'" title="Delete"><span class="fa fa-fw fa-trash-o"></span></button>'},response:function(t,e){return"none"==e.response?"unchanged":e.response},statuscodes:function(t,e){const n=[],i=e.statuscodes.split(",");for(let t of i)n.push(t.substr(0,3));return n.join(", ")}}}})}),bind_naxsi_rule_dl_button(),function(){let t=new i({dataField:document.getElementById("snihostname.data"),upstreamCollection:u,entryclass:a,collection:new o,createModel:function(){return new r({hostname:"localhost"})}});window.snifield=t,t.render(),$("#grid-upstream").on("loaded.rs.jquery.bootgrid",function(){u.fetch()}),u.fetch()}();let t=new i({dataField:document.getElementById("ipacl.data"),upstreamCollection:h,entryclass:l,collection:new c,createModel:function(){return new d({network:"::",action:"deny"})}});window.ipaclfield=t,t.render()})}});
\ No newline at end of file
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js b/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
index 0e69aaf179..c2719990eb 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
@@ -79,14 +79,20 @@ function init_grids() {
                 'set': '/api/nginx/settings/set' + element + '/',
                 'add': '/api/nginx/settings/add' + element + '/',
                 'del': '/api/nginx/settings/del' + element + '/',
+                'commands': {
+                   copy_uuid: {
+                       method: function(e) { navigator.clipboard.writeText($(this).data("row-id")); }
+                    }
+                },
                 'options': {
                     selection: false,
                     multiSelect: false,
                     formatters: {
                         "commands": function (column, row) {
-                            return "<button type=\"button\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
-                                "<button type=\"button\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
-                                "<button type=\"button\" class=\"btn btn-xs btn-default command-delete\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-trash-o\"></span></button>";
+                            return "<button type=\"button\" class=\"btn btn-xs btn-default bootgrid-tooltip command-edit\" data-row-id=\"" + row.uuid + "\" title=\"Edit\"><span class=\"fa fa-fw fa-pencil\"></span></button> " +
+                                "<button type=\"button\" class=\"btn btn-xs btn-default bootgrid-tooltip command-copy_uuid\" data-row-id=\"" + row.uuid + "\" title=\"Copy UUID to clipboard\"><span class=\"fa fa-fw fa-clipboard\"></span></button> " +
+                                "<button type=\"button\" class=\"btn btn-xs btn-default bootgrid-tooltip command-copy\" data-row-id=\"" + row.uuid + "\" title=\"Clone\"><span class=\"fa fa-fw fa-clone\"></span></button> " +
+                                "<button type=\"button\" class=\"btn btn-xs btn-default bootgrid-tooltip command-delete\" data-row-id=\"" + row.uuid + "\" title=\"Delete\"><span class=\"fa fa-fw fa-trash-o\"></span></button>";
                         },
                         "response": function (column, row) {
                             return ((row.response == "none") ? "unchanged" : row.response);

From cca0ae380b7fcf21fa98ae3e637eb21fa4fd6393 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 12 Apr 2023 10:20:27 +0200
Subject: [PATCH 1416/3088] dns/ddclient: prep version

---
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 409129f4f0..1e6f5d3ba7 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.11
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.12
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index d26ea9ba99..f9641c8a4f 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.12
+
+* Add cloudflare implementation for Python backend (contributed by Thomas Cekal)
+* Allow custom target hostname for dyndns2 protocol in Python backend
+
 1.11
 
 * Add Python backend support for custom ddclient-like implementation using the same input

From aedc03cb5c605a1dfa48aae56aa46b2ec12508fa Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Wed, 12 Apr 2023 14:35:58 +0200
Subject: [PATCH 1417/3088] crowdsecurity/crowdsec: bump version 1.0.4; fix
 acquire logs from RAM disk (#3386)

---
 security/crowdsec/Makefile                             |  2 +-
 security/crowdsec/pkg-descr                            |  5 +++++
 .../crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml   | 10 +++++++++-
 .../mvc/app/models/OPNsense/CrowdSec/General.xml       |  2 +-
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 7e7631624f..a731b72a77 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.3
+PLUGIN_VERSION=		1.0.4
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 91a944e53c..aba38f1c24 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.4
+
+* Add force_inotify option to aquire logs when /var/log is in RAM, otherwise
+  a restart of the service is required after a reboot.
+
 1.0.3
 
 * acquire filter logs for the firewallservices/pf collection (port scans).
diff --git a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
index 3850d84cf2..7867ccdae7 100644
--- a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
+++ b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
@@ -9,12 +9,20 @@
 filenames:
   # DO NOT EDIT - to add new datasources (log locations),
   # create new files in /usr/local/etc/crowdsec/acquis.d/
-  #
+
   # collection: crowdsecurity/sshd
   - /var/log/audit/latest.log
   # collection: crowdsecurity/opnsense-gui (web admin)
   - /var/log/lighttpd/latest.log
   # collection: firewallservices/pf
   - /var/log/filter/latest.log
+
+# When OPNsense is configured with /var/log in a RAM disk,
+# the log directories are created after crowdsec is run.
+# We force crowdsec to watch over directory creation as well
+# as file creation. FreeBSD has kqueue instead of inotify
+# but the option works with both.
+force_inotify: true
+
 labels:
   type: syslog
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index 48f41a9776..fb2d210e37 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.3</version>
+  <version>1.0.4</version>
   <items>
 
     <agent_enabled type="BooleanField">

From aea89f6b5ecf3640e48b4e18287a5a4cc080b7dd Mon Sep 17 00:00:00 2001
From: Reiko Asakura <asakurareiko@protonmail.ch>
Date: Tue, 11 Apr 2023 16:49:07 -0400
Subject: [PATCH 1418/3088] net/upnp: Allow subnet mask 0 in rules

---
 net/upnp/src/www/services_upnp.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index bbd1436e9e..3a73b5700b 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -39,7 +39,7 @@ function miniupnpd_validate_ip($ip)
     $ip_array = [];
     $ip_array = explode('/', $ip);
     if (count($ip_array) == 2) {
-        if ($ip_array[1] < 1 || $ip_array[1] > 32) {
+        if ($ip_array[1] < 0 || $ip_array[1] > 32) {
             return false;
         }
     } elseif (count($ip_array) != 1) {

From 1085a178f463f734253d92b4bb9b862077c0c751 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 13 Apr 2023 07:40:22 +0200
Subject: [PATCH 1419/3088] net/upnp: update for next release

---
 net/upnp/Makefile  | 2 +-
 net/upnp/pkg-descr | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 7a170f82e3..73c79af48d 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		miniupnpd-devel
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index 091bcabff0..fc73e6b009 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 
 1.5
 
-* enable STUN and allow LAN subnet override (contributed by Tawmu)
-* add missing firewall anchors (contributed by Tawmu)
-* switch to miniupnpd 2.3.1
+* Enable STUN and allow LAN subnet override (contributed by Tawmu)
+* Add missing firewall anchors (contributed by Tawmu)
+* Allow subnet mask 0 in rules (contributed by Reiko Asakura)
+* Switch to miniupnpd 2.3.1

From d315c19ee85d57614c13200c2a20fca01b686fa6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 13 Apr 2023 07:41:28 +0200
Subject: [PATCH 1420/3088] dns/ddclient: permission fix

---
 .../src/opnsense/scripts/ddclient/lib/account/cloudflare.py       | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
old mode 100644
new mode 100755

From db794e2bf32837f5908db3c6ff22344fa6e948da Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 13 Apr 2023 08:40:14 +0200
Subject: [PATCH 1421/3088] dns/ddclient: switch to usev[46] use for #3307

---
 .../templates/OPNsense/ddclient/ddclient.conf        | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index cf79c745a2..9989c794a5 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -4,9 +4,7 @@ pid=/var/run/ddclient.pid   # record PID in file.
 {% if not helpers.empty('OPNsense.DynDNS.general.verbose') %}
 verbose=yes
 {% endif %}
-{% if not helpers.empty('OPNsense.DynDNS.general.allowipv6') %}
-ipv6=yes
-{% endif %}
+
 {%  set accounts = [] %}
 {%  set force_ssl = [] %}
 {%  if helpers.exists('OPNsense.DynDNS.accounts.account') and OPNsense.DynDNS.general.backend|default('ddclient') == 'ddclient' %}
@@ -23,10 +21,12 @@ ipv6=yes
 ssl=yes
 {%  endif %}
 
-
 {%  for account in accounts %}
-{%      if account.checkip == 'if' %}
-use=if, if={{physical_interface(account.interface)}}, \
+{%     if account.checkip == 'if' %}
+{%        if not helpers.empty('OPNsense.DynDNS.general.allowipv6') %}
+usev6=ifv6, \
+{%        endif %}
+usev4=ifv4, if={{physical_interface(account.interface)}}, \
 {%      elif account.checkip.startswith('web_') %}
 {%          if account.interface %}
 use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i {{physical_interface(account.interface)}} -t {{account.force_ssl}} -s {{account.checkip[4:]}} --timeout {{account.checkip_timeout|default('10')}}",

From 0f0e8c353176f4640ac49039bf6a2b0d1e55a6ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 13 Apr 2023 09:02:12 +0200
Subject: [PATCH 1422/3088] dns/ddclient: fix rendering template when if but no
 interface

Use a validation in this case as it seems to be a hard requirement.
Also shuffle the dialog a little to move the fields into a more
logical sequence.
---
 .../OPNsense/DynDNS/forms/dialogAccount.xml   | 20 +++++++++----------
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 13 ++++++++++++
 .../ddclient/lib/account/cloudflare.py        |  2 +-
 3 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index f1c6c6e8a6..c0aac07e9f 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -5,6 +5,11 @@
         <type>checkbox</type>
         <help>Enable this virtual server</help>
     </field>
+    <field>
+        <id>account.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
     <field>
         <id>account.service</id>
         <label>Service</label>
@@ -71,6 +76,11 @@
         <type>dropdown</type>
         <help>How to determine the address to use for this host</help>
     </field>
+    <field>
+        <id>account.interface</id>
+        <label>Interface to monitor</label>
+        <type>dropdown</type>
+    </field>
     <field>
         <id>account.checkip_timeout</id>
         <label>Check ip timeout</label>
@@ -84,14 +94,4 @@
         <help>Force update using HTTPS, please note setting this option will enforce https updates on all accounts
         as ddclient only supports SSL=yes on a global level (the check ip service may still use HTTP on other services)</help>
     </field>
-    <field>
-        <id>account.interface</id>
-        <label>Interface to monitor</label>
-        <type>dropdown</type>
-    </field>
-    <field>
-        <id>account.description</id>
-        <label>Description</label>
-        <type>text</type>
-    </field>
 </form>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 92ad3b22f9..a04ca37949 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -153,6 +153,11 @@
                         <web_zoneedit>zoneedit</web_zoneedit>
                         <if>Interface</if>
                     </OptionValues>
+                    <Constraints>
+                        <check001>
+                            <reference>interface.check001</reference>
+                        </check001>
+                    </Constraints>
                 </checkip>
                 <checkip_timeout type="IntegerField">
                     <default>10</default>
@@ -167,6 +172,14 @@
                 <interface type="InterfaceField">
                     <Required>N</Required>
                     <multiple>N</multiple>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>An interface is required for the selected check method</ValidationMessage>
+                            <type>SetIfConstraint</type>
+                            <field>checkip</field>
+                            <check>if</check>
+                        </check001>
+                    </Constraints>
                 </interface>
                 <description type="TextField">
                     <Required>N</Required>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
index fd2843adbb..efd5f56128 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
@@ -172,4 +172,4 @@ def execute(self):
                 )
 
 
-        return False
\ No newline at end of file
+        return False

From cb3fa05c1900f3c6cdd488964ea6e97582aa04d3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 14 Apr 2023 08:16:09 +0200
Subject: [PATCH 1423/3088] dns/ddclient: add changes

---
 dns/ddclient/pkg-descr | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index f9641c8a4f..64ea28108c 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -10,6 +10,8 @@ Plugin Changelog
 
 * Add cloudflare implementation for Python backend (contributed by Thomas Cekal)
 * Allow custom target hostname for dyndns2 protocol in Python backend
+* Adjust for missing ipv6= option including upstream patches for use=/usev4=/usev6=
+* Require a selected interface through validation when interface check method is used
 
 1.11
 

From 7aed6b513c40afb59f4ddb8bc440697ce6056940 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 16 Apr 2023 08:28:28 +0200
Subject: [PATCH 1424/3088] net/relayd: drop broken test

PR: https://github.com/opnsense/tools/issues/349
---
 .../compound/OPNsense/Relayd/RelaydTest.php   | 469 ------------------
 1 file changed, 469 deletions(-)
 delete mode 100644 net/relayd/src/opnsense/mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php

diff --git a/net/relayd/src/opnsense/mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php b/net/relayd/src/opnsense/mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php
deleted file mode 100644
index 8df0b737a4..0000000000
--- a/net/relayd/src/opnsense/mvc/tests/app/compound/OPNsense/Relayd/RelaydTest.php
+++ /dev/null
@@ -1,469 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 EURO-LOG AG
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace tests\OPNsense\Relayd\Api;
-
-use OPNsense\Core\Config;
-
-class RelaydTest extends \PHPUnit\Framework\TestCase
-{
-    /**
-     * list with model node types
-     */
-    private $nodeTypes = array('host', 'tablecheck', 'table', 'protocol', 'virtualserver');
-
-    // holds the SettingsController object
-    protected static $setRelayd;
-
-    public static function setUpBeforeClass(): void
-    {
-        self::$setRelayd = new \OPNsense\Relayd\Api\SettingsController();
-    }
-
-    private function cleanupNodes($nodeType = null)
-    {
-        $nodes = self::$setRelayd->mdlRelayd->$nodeType->getNodes();
-        foreach ($nodes as $nodeUuid => $node) {
-            self::$setRelayd->mdlRelayd->$nodeType->del($nodeUuid);
-        }
-    }
-
-    /**
-     * test getAction
-     */
-    public function testGet()
-    {
-        $this->assertInstanceOf('\OPNsense\Relayd\Api\SettingsController', self::$setRelayd);
-        $this->expectException(\Exception::class);
-        $response = self::$setRelayd->getAction('wrong_node_type');
-        $testConfig = [];
-        $response = self::$setRelayd->getAction('general');
-        $testConfig['general'] = $response['relayd']['general'];
-
-        $this->assertEquals($response['status'], 'ok');
-        $this->assertArrayHasKey('enabled', $response['relayd']['general']);
-
-        return $testConfig;
-    }
-
-    /**
-     * test searchAction
-     * @depends testGet
-     */
-    public function testSearch($testConfig)
-    {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-        $_POST = array('current' => '1', 'rowCount' => '7');
-
-        foreach ($this->nodeTypes as $nodeType) {
-            $response = self::$setRelayd->searchAction($nodeType);
-            $this->assertArrayHasKey('total', $response);
-            $testConfig[$nodeType] = $response['rows'];
-        }
-
-        return $testConfig;
-    }
-
-    /**
-     * test delAction
-     * not really a test if the config is empty, but we will delete something later
-     * @depends testSearch
-     */
-    public function testReset($testConfig)
-    {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-        foreach (array_reverse($this->nodeTypes) as $nodeType) {
-            foreach ($testConfig[$nodeType] as $node) {
-                $response = self::$setRelayd->delAction($nodeType, $node['uuid']);
-                $this->assertEquals($response['status'], 'ok');
-            }
-        }
-        // need an assertion here to succeed this test on empty config
-        $this->assertTrue(true);
-    }
-
-    /**
-     * test setAction general
-     * @depends testReset
-     */
-    public function testSetGeneral()
-    {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
-        // interval too small
-        $_POST = array('relayd' => ['general' => ['interval' => '0']]);
-        $response = self::$setRelayd->setAction('general');
-        $this->assertCount(1, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.general.interval']);
-
-        // set correct interval and incorrect timeout (s. testServiceController)
-        $_POST = array('relayd' => ['general' => ['interval' => '10', 'timeout' => 86400, 'enabled' => '0']]);
-        $response = self::$setRelayd->setAction('general');
-        $this->assertEquals($response['status'], 'ok');
-    }
-
-    /**
-     * test dirtyAction
-     * @depends testSetGeneral
-     */
-    public function testDirtyAction()
-    {
-        $this->assertInstanceOf('\OPNsense\Relayd\Api\SettingsController', self::$setRelayd);
-        $response = self::$setRelayd->dirtyAction();
-        $this->assertEquals($response['status'], 'ok');
-        $this->assertEquals($response['relayd']['dirty'], true);
-    }
-
-    /**
-     * test setAction for hosts
-     * @depends testReset
-     */
-    public function testSetHost()
-    {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
-        // empty host name
-        $_POST = array('relayd' => ['host' => ['address' => '127.0.0.1']]);
-        $response = self::$setRelayd->setAction('host');
-        $this->assertCount(1, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.host.name']);
-        $this->cleanupNodes('host');
-
-        // check mask
-        $_POST = array('relayd' => ['host' => ['name' => 'test$Host', 'address' => '127.0.0.$']]);
-        $response = self::$setRelayd->setAction('host');
-        $this->assertCount(2, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.host.name']);
-        $this->assertNotEmpty($response['validations']['relayd.host.address']);
-        $this->cleanupNodes('host');
-
-        // create host for ServiceControllerTest
-        $_POST = array('relayd' => ['host' => ['name' => 'testHost', 'address' => '127.0.0.1']]);
-        $response = self::$setRelayd->setAction('host');
-        $this->assertEquals($response['status'], 'ok');
-    }
-
-    /**
-     * test setAction for tables
-     * @depends testSetHost
-     */
-    public function testSetTable()
-    {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
-        // check mask and missing host
-        $_POST = array('relayd' => ['table' => ['name' => 'test$Table', 'hosts' => 'aaa-111-bbb-222']]);
-        $response = self::$setRelayd->setAction('table');
-        $this->assertCount(2, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.table.name']);
-        $this->assertNotEmpty($response['validations']['relayd.table.hosts']);
-        $this->cleanupNodes('table');
-
-        // create table for ServiceControllerTest
-        $_POST = array('current' => '1', 'rowCount' => '7', 'searchPhrase' => 'testHost');
-        $response = self::$setRelayd->searchAction('host');
-        $this->assertArrayHasKey('total', $response);
-        $_POST = array('relayd' => [
-            'table' => ['name' => 'testTable', 'enabled' => 1, 'hosts' => $response['rows'][0]['uuid']]
-        ]);
-        $response = self::$setRelayd->setAction('table');
-    }
-
-    /**
-     * test setAction for tablechecks
-     * @depends testSearch
-     * @depends testReset
-     */
-    public function testSetTableCheck()
-    {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
-        // wrong option
-        $_POST = array('relayd' => ['tablecheck' => ['name' => 'test$Check', 'type' => 'ABCXYZ']]);
-        $response = self::$setRelayd->setAction('tablecheck');
-        $this->assertCount(2, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.tablecheck.name']);
-        $this->assertNotEmpty($response['validations']['relayd.tablecheck.type']);
-        $this->cleanupNodes('tablecheck');
-
-        // type 'send' without 'expect'
-        $_POST = array('relayd' => ['tablecheck' => ['name' => 'testSend', 'type' => 'send']]);
-        $response = self::$setRelayd->setAction('tablecheck');
-        $this->assertCount(1, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.tablecheck.expect']);
-        $this->cleanupNodes('tablecheck');
-
-        // type 'script' without 'path'
-        $_POST = array('relayd' => ['tablecheck' => ['name' => 'testScript', 'type' => 'script']]);
-        $response = self::$setRelayd->setAction('tablecheck');
-        $this->assertCount(1, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.tablecheck.path']);
-        $this->cleanupNodes('tablecheck');
-
-        // type 'http' without 'code' and 'digest'
-        $_POST = array('relayd' => [
-            'tablecheck' => ['name' => 'testTableCheck', 'type' => 'http', 'path' => 'http://www.example.com']
-        ]);
-        $response = self::$setRelayd->setAction('tablecheck');
-        $this->assertCount(2, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.tablecheck.code']);
-        $this->assertNotEmpty($response['validations']['relayd.tablecheck.digest']);
-        $this->cleanupNodes('tablecheck');
-
-        // create tablecheck for ServiceControllerTest
-        $_POST = array('relayd' => [
-            'tablecheck' => [
-                'name' => 'testTableCheck',
-                'type' => 'http',
-                'path' => '/',
-                'host' => 'localhost',
-                'code' => '403',
-                'ssl' => '1']]);
-        $response = self::$setRelayd->setAction('tablecheck');
-        $this->assertEquals($response['status'], 'ok');
-    }
-
-    /**
-     * test setAction for protocols
-     * @depends testSearch
-     * @depends testReset
-     */
-    public function testSetProtocol()
-    {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
-        // missing 'name' wrong 'type'
-        $_POST = array('relayd' => ['protocol' => ['name' => 'test$Protocol', 'type' => 'ABCXYZ']]);
-        $response = self::$setRelayd->setAction('protocol');
-        $this->assertCount(2, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.protocol.name']);
-        $this->assertNotEmpty($response['validations']['relayd.protocol.type']);
-        $this->cleanupNodes('protocol');
-
-        // create protocol for ServiceControllerTest
-        $_POST = array('relayd' => [
-            'protocol' => ['name' => 'testProtocol', 'type' => 'tcp', 'options' => 'nodelay, socket buffer 65536']
-        ]);
-        $response = self::$setRelayd->setAction('protocol');
-        $this->assertEquals($response['status'], 'ok');
-    }
-
-    /**
-     * test setAction for virtualservers
-     * @depends testSearch
-     * @depends testReset
-     */
-    public function testSetVirtualServer()
-    {
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
-        // search table and tablecheck
-        $_POST = array('current' => '1', 'rowCount' => '7', 'searchPhrase' => 'testTable');
-        $response = self::$setRelayd->searchAction('table');
-        $this->assertArrayHasKey('total', $response);
-        $tableUuid = $response['rows'][0]['uuid'];
-        $_POST = array('current' => '1', 'rowCount' => '7', 'searchPhrase' => 'testTableCheck');
-        $response = self::$setRelayd->searchAction('tablecheck');
-        $this->assertArrayHasKey('total', $response);
-        $tableCheckUuid = $response['rows'][0]['uuid'];
-        $_POST = array('current' => '1', 'rowCount' => '7', 'searchPhrase' => 'testProtocol');
-        $response = self::$setRelayd->searchAction('protocol');
-        $this->assertArrayHasKey('total', $response);
-        $protocolUuid = $response['rows'][0]['uuid'];
-
-        // check mask, misisng table, tablecheck, wrong/missing listen port/address
-        $_POST = array('relayd' => [
-            'virtualserver' => [
-                'name' => 'test{}VirtualServer',
-                'listen_startport' => '123456',
-            ]]);
-        $response = self::$setRelayd->setAction('virtualserver');
-        $this->assertCount(5, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.virtualserver.name']);
-        $this->assertNotEmpty($response['validations']['relayd.virtualserver.listen_address']);
-        $this->assertNotEmpty($response['validations']['relayd.virtualserver.listen_startport']);
-        $this->assertNotEmpty($response['validations']['relayd.virtualserver.transport_table']);
-        $this->assertNotEmpty($response['validations']['relayd.virtualserver.transport_tablecheck']);
-        $this->cleanupNodes('virtualserver');
-
-        // wrong tablemodes, missing ModelRelationField targets
-        $_POST = array('relayd' => [
-            'virtualserver' => [
-                'name' => 'testVirtualServer',
-                'listen_address' => '127.0.0.1',
-                'listen_startport' => '444',
-                'transport_table' => $tableUuid,
-                'transport_tablemode' => 'least-states',
-                'transport_tablecheck' => $tableCheckUuid,
-            ]]);
-        $response = self::$setRelayd->setAction('virtualserver');
-        $this->assertCount(1, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.virtualserver.transport_tablemode']);
-        $this->cleanupNodes('virtualserver');
-
-        // wron scheduler, missing protocol
-        $_POST = array('relayd' => [
-            'virtualserver' => [
-                'name' => 'testVirtualServer',
-                'type' => 'redirect',
-                'listen_address' => '127.0.0.1',
-                'listen_startport' => '444',
-                'transport_table' => $tableUuid,
-                'transport_tablemode' => 'least-states',
-                'transport_tablecheck' => $tableCheckUuid,
-                'backuptransport_table' => $tableUuid,
-                'backuptransport_tablemode' => 'random',
-                'backuptransport_tablecheck' => $tableCheckUuid,
-                'protocol' => 'aaa-bbb-123-456'
-            ]]);
-        $response = self::$setRelayd->setAction('virtualserver');
-        $this->assertCount(2, $response['validations']);
-        $this->assertEquals($response['result'], 'failed');
-        $this->assertNotEmpty($response['validations']['relayd.virtualserver.backuptransport_tablemode']);
-        $this->assertNotEmpty($response['validations']['relayd.virtualserver.protocol']);
-        $this->cleanupNodes('virtualserver');
-
-        // create virtualserver for ServiceControllerTest
-        $_POST = array('relayd' => [
-            'virtualserver' => [
-                'name' => 'testVirtualServer',
-                'enabled' => '1',
-                'listen_address' => '127.0.0.1',
-                'listen_startport' => '444',
-                'transport_table' => $tableUuid,
-                'transport_port' => '443',
-                'transport_tablecheck' => $tableCheckUuid,
-                'protocol' => $protocolUuid
-            ]]);
-        $response = self::$setRelayd->setAction('virtualserver');
-        $this->assertEquals($response['status'], 'ok');
-    }
-
-    /**
-     * ServiceControllerTest
-     * @depends testSetGeneral
-     * @depends testSetHost
-     * @depends testSetTable
-     * @depends testSetTableCheck
-     * @depends testSetProtocol
-     * @depends testSetVirtualServer
-     */
-    public function testServiceController()
-    {
-        $svcRelayd = new \OPNsense\Relayd\Api\ServiceController();
-        $_SERVER['REQUEST_METHOD'] = 'POST';
-
-        // stop possibly running service
-        $response = $svcRelayd->stopAction();
-        $this->assertEquals($response['response'], "OK\n\n");
-
-        // generate template and test it by Relayd
-        $response = $svcRelayd->configtestAction();
-        $this->assertEquals($response['template'], 'OK');
-        $this->assertEquals(
-            $response['result'],
-            "global timeout exceeds interval\ntable timeout exceeds interval: testTable:443"
-        );
-        $_POST = array('relayd' => ['general' => ['timeout' => '200']]);
-        $response = self::$setRelayd->setAction('general');
-        $this->assertEquals($response['status'], 'ok');
-        $response = $svcRelayd->configtestAction();
-        $this->assertEquals($response['template'], 'OK');
-        $this->assertEquals($response['result'], 'configuration OK');
-
-        // status
-        $response = $svcRelayd->statusAction();
-        $this->assertEquals($response['status'], 'disabled');
-
-        // enable
-        $_POST = array('relayd' => ['general' => ['enabled' => '1']]);
-        $response = self::$setRelayd->setAction('general');
-        $this->assertEquals($response['status'], 'ok');
-
-        // reconfigure
-        $response = $svcRelayd->reconfigureAction();
-        $this->assertEquals($response['status'], 'ok');
-
-        // status
-        $response = $svcRelayd->statusAction();
-        $this->assertEquals($response['status'], 'running');
-    }
-
-    /**
-     * StatusControllerTest
-     * @depends testServiceController
-     */
-    public function testStatusController()
-    {
-        $statRelayd = new \OPNsense\Relayd\Api\StatusController();
-        $response = $statRelayd->sumAction();
-        $this->assertEquals($response['result'], 'ok');
-        $this->assertEquals($response['rows'][0]['type'], 'relay');
-        $this->assertEquals($response['rows'][0]['name'], 'testVirtualServer');
-        $this->assertEquals($response['rows'][0]['tables'][1]['name'], 'testTable:443');
-        $this->assertEquals($response['rows'][0]['tables'][1]['status'], 'active (1 hosts)');
-        $this->assertEquals($response['rows'][0]['tables'][1]['hosts'][1]['name'], '127.0.0.1');
-
-        $response = $statRelayd->toggleAction('table', 1, 'disable');
-        $this->assertEquals($response['result'], 'ok');
-        $this->assertEquals($response['output'], 'command succeeded');
-    }
-
-    /**
-     * cleanup config
-     * @depends testStatusController
-     */
-    public function testCleanup()
-    {
-        $svcRelayd = new \OPNsense\Relayd\Api\ServiceController();
-        $response = $svcRelayd->stopAction();
-        $this->assertEquals($response['response'], "OK\n\n");
-
-        foreach (array_reverse($this->nodeTypes) as $nodeType) {
-            $this->cleanupNodes($nodeType);
-        }
-
-        $general = self::$setRelayd->mdlRelayd->getNodeByReference('general');
-        $general->setNodes(array('enabled' => '0'));
-
-        self::$setRelayd->mdlRelayd->serializeToConfig();
-        Config::getInstance()->save();
-        $this->assertTrue(true);
-    }
-}

From 61a446cdd77b7188c8bff043ab2f7cb3a8154bc3 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed, 19 Apr 2023 12:29:20 +0300
Subject: [PATCH 1425/3088] www/nginx: update changelog

---
 www/nginx/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 37546252fd..f05159d2b3 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -20,6 +20,9 @@ Plugin Changelog
 * migrate general error log to syslog
 * $internalModelUseSafeDelete enabled in API Settings controller to check item references before delete
 * minor style adjustments for IP ACL and SNI Based Routing forms
+* handle possible remaining vts socket after nginx start failure
+* add uuid columns to the grids and a button to copy its value to clipboard
+* add Cache Path columns naming
 * fix: add the PROXY protocol for the HTTPS listener too, if it is set for the server
 * fix: set Stream server outbound PROXY protocol based on Upstream settings
 * fix: set Trusted Proxies (set_real_ip_from) for Stream server only with PROXY protocol enabled

From 75d2348a92fa33a3d0e13dce2e94ff48dcd5d24b Mon Sep 17 00:00:00 2001
From: Juergen Kellerer <juergen@k123.eu>
Date: Thu, 20 Apr 2023 12:00:28 +0200
Subject: [PATCH 1426/3088] Sftp: Use a more general ls regex pattern

Fixes cases where `ls -la` returns ? instead of a size or link count.
Also supports all types and perms specified in GNU ls now
---
 .../OPNsense/AcmeClient/SftpClient.php        | 27 +++++++++++++------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
index 064b134033..1804596af5 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
@@ -199,17 +199,28 @@ public function ls()
         $this->processAvailableInput();
         $this->process->put("ls -la");
 
-        $regex = '/^([bcdlsp\-][rwx\-]{9}[+@]?)\s+[0-9]+\s+([^\s]+)\s+([^\s]+)\s+([0-9]+)\s+(\w+\s+[0-9]+\s+[0-9:]+)\s+(.+)$/';
+        $regex = '/^'
+            . '(?P<type>[?bcCdDlMnpPs\-])'
+            . '(?P<permissions>([rw\-]{2}[sStTx\-]){3})'
+            . '(?P<acl>[^\s])?' . '\s+'
+            . '(?P<links>[^\s]+)' . '\s+'
+            . '(?P<owner>[^\s]+)' . '\s+'
+            . '(?P<group>[^\s]+)' . '\s+'
+            . '(?P<size>[^\s]+)' . '\s+'
+            . '(?P<mtime>\w+\s+[0-9]+\s+[0-9:]+)' . '\s+'
+            . '(?P<filename>.+)' . '\s*'
+            . '$/';
+
         $this->processAvailableInput(self::COMMAND_REPLY_TIMEOUT, 2, function ($line) use (&$files, $regex) {
             if (preg_match($regex, $line, $matches)) {
-                $filename = trim(stripcslashes($matches[6])); // decodes octal UTF-8 sequences
+                $filename = trim(stripcslashes($matches["filename"])); // decodes octal UTF-8 sequences
                 $files[$filename] = [
-                    "type" => $matches[1][0],
-                    "permissions" => $matches[1],
-                    "owner" => $matches[2],
-                    "group" => $matches[3],
-                    "size" => intval($matches[4]),
-                    "mtime" => strtotime($matches[5])
+                    "type" => $matches["type"],
+                    "permissions" => $matches["permissions"],
+                    "owner" => stripcslashes($matches["owner"]),
+                    "group" => stripcslashes($matches["group"]),
+                    "size" => intval($matches["size"]),
+                    "mtime" => strtotime($matches["mtime"])
                 ];
                 return true;
             }

From 7f9f08901774a0a3bdff3af3d6d94957bf491b45 Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Thu, 20 Apr 2023 15:25:23 +0200
Subject: [PATCH 1427/3088] dns/bind: fix bug in ACL processing for
 `allow-query` section

---
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index ba12c2c009..b1364adf22 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -68,7 +68,7 @@ options {
 {% if helpers.exists('OPNsense.bind.general.allowquery') and OPNsense.bind.general.allowquery != '' %}
         allow-query {
 {%              for acl in helpers.toList('OPNsense.bind.general.allowquery') %}
-{%              set query_acl = helpers.getUUID(list) %}
+{%              set query_acl = helpers.getUUID(acl) %}
                 {{ query_acl.name }};
 {%              endfor %}
         };

From 94d04f74c8481ea58a09aa707bde6245c9a1ef49 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Apr 2023 15:31:42 +0200
Subject: [PATCH 1428/3088] dns/bind: bump revision

---
 dns/bind/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 9e40a59062..5a305f72d4 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.26
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From f920b48a94705cc6577221f293b7796f5f0feaf7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Apr 2023 10:10:45 +0200
Subject: [PATCH 1429/3088] dns/ddclient: handle pidfile correctly on different
 backend

---
 dns/ddclient/Makefile                         |  1 +
 .../src/etc/inc/plugins.inc.d/ddclient.inc    | 33 +++++++++++--------
 .../conf/actions.d/actions_ddclient.conf      |  5 +--
 3 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 1e6f5d3ba7..3ca84dd222 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.12
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc b/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
index b5d0959100..8e087a38e4 100644
--- a/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
+++ b/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
@@ -30,39 +30,46 @@
 function ddclient_services()
 {
     $services = [];
+
     $mdl = new \OPNsense\DynDNS\DynDNS();
     if ($mdl->general->enabled == '1') {
-        $services[] = [
+        $service = [
             'description' => gettext('ddclient'),
             'configd' => [
-                'restart' => array('ddclient restart'),
-                'start' => array('ddclient start'),
-                'stop' => array('ddclient stop'),
+                'restart' => ['ddclient restart'],
+                'start' => ['ddclient start'],
+                'stop' => ['ddclient stop'],
             ],
             'name' => 'ddclient',
-            'pidfile' => '/var/run/ddclient.pid',
         ];
+        $service['pidfile'] = (string)$mdl->general->backend != 'opnsense' ? '/var/run/ddclient.pid' : '/var/run/ddclient_opn.pid';
+        $services[] = $service;
     }
+
     return $services;
 }
 
 function ddclient_xmlrpc_sync()
 {
-    $result = array();
-    $result[] = array(
+    $result = [];
+
+    $result[] = [
         'description' => gettext('ddclient'),
         'section' => 'OPNsense.DynDNS',
-        'id' => 'ddclient',
         'services' => ['ddclient'],
-    );
+        'id' => 'ddclient',
+    ];
+
     return $result;
 }
 
 function ddclient_syslog()
 {
-    $logfacilities = array();
-    $logfacilities['ddclient'] = array(
-        'facility' => ['ddclient']
-    );
+    $logfacilities = [];
+
+    $logfacilities['ddclient'] = [
+        'facility' => ['ddclient'],
+    ];
+
     return $logfacilities;
 }
diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
index 7d3ddf3600..ce63a7ef8d 100644
--- a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -12,10 +12,7 @@ type:script
 message:stopping ddclient
 
 [status]
-command:
-    pgrep -qF /var/run/ddclient.pid 2> /dev/null && echo "ddclient is running" ||
-    pgrep -qF /var/run/ddclient_opn.pid 2> /dev/null &&  echo "ddclient is running" ||
-    echo "ddclient is not running"
+command:/usr/local/sbin/pluginctl -s ddclient status
 type:script_output
 message:get ddclient status
 

From 244833b86710d2319431fad9bc85f073d450875e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 22 Apr 2023 18:26:04 +0200
Subject: [PATCH 1430/3088] security/stunnel - flush CRL when requested, the
 code persist the CRL was isolated in
 https://github.com/opnsense/core/commit/7fec5111bdbd50e80944aa8f808fe6f26e9a9441,
 the old openssl_crl_* functions where deprecated some time ago. closes
 https://github.com/opnsense/plugins/issues/3401

---
 .../src/etc/inc/plugins.inc.d/stunnel.inc        | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
index ad0a37973a..af102b1e87 100644
--- a/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
+++ b/security/stunnel/src/etc/inc/plugins.inc.d/stunnel.inc
@@ -94,24 +94,14 @@ function stunnel_refresh_crls()
                         proc_close($process);
                     }
                     if ($ca_hash) {
-                        $crlres = openssl_crl_new($ca_crt, 0, 9999);
                         if (!empty($configObj->crl)) {
                             foreach ($configObj->crl as $crl) {
-                                if ($crl->caref == $cacert && !empty((string)$crl->cert)) {
-                                    foreach ($crl->cert as $cert) {
-                                        openssl_crl_revoke_cert(
-                                            $crlres,
-                                            base64_decode((string)$cert->crt),
-                                            (string)$cert->revoke_time,
-                                            (string)$cert->reason
-                                        );
-                                    }
+                                if ($crl->caref == $cacert && !empty((string)$crl->text)) {
+                                    file_put_contents("/var/run/stunnel/certs/{$ca_hash}.r0", (string)$crl->text);
+                                    break;
                                 }
                             }
                         }
-                        $crl_text = "";
-                        openssl_crl_export($crlres, $crl_text, $ca_key);
-                        file_put_contents("/var/run/stunnel/certs/{$ca_hash}.r0", $crl_text);
                     }
                 }
             }

From 1643b21115da6aa2d3ab4aef75957cbaba9933be Mon Sep 17 00:00:00 2001
From: Sean Kelly <xconverge@users.noreply.github.com>
Date: Sun, 23 Apr 2023 02:04:50 -0700
Subject: [PATCH 1431/3088] dns/ddclient: fix not returning ip address as a
 string (#3406)

---
 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index b5071214bf..16a755788f 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -91,7 +91,7 @@ def checkip(service, proto='https', timeout='10', interface=None):
                     try:
                         address = ipaddress.ip_address(parts[1])
                         if address.is_global:
-                            return address
+                            return str(address)
                     except ValueError:
                         continue
     else:

From 1a9727511668817d963037e5f581b6f399eaa4e1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 24 Apr 2023 07:22:50 +0200
Subject: [PATCH 1432/3088] security/stunnel: revision bump

---
 security/stunnel/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 2f7b74f0c5..d771947df2 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		1.0.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel

From 2460249bafd1db4b6aa57b2d009090743d4ded75 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 24 Apr 2023 07:25:21 +0200
Subject: [PATCH 1433/3088] dns/ddclient: prepare for next version

---
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 3ca84dd222..3eee7b353a 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.12
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.13
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 64ea28108c..586f76bdb8 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.13
+
+* Fix not returning IP address as a string in Python backend (contributed by Sean Kelly)
+* Fix PID file handling for Python backend
+
 1.12
 
 * Add cloudflare implementation for Python backend (contributed by Thomas Cekal)

From 22ed3972d2e94df58cf088198e2a51581e23087d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Apr 2023 08:57:29 +0200
Subject: [PATCH 1434/3088] Framework: add metadata to annotations

PR: https://github.com/opnsense/core/issues/6374
---
 Makefile      | 2 +-
 Mk/plugins.mk | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index d01440b965..865656059a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2020 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2023 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ca9a51fc6d..16b71c55ed 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -132,6 +132,9 @@ manifest: check
 	done
 	@echo "}"
 .endif
+	@if [ -f ${WRKSRC}/usr/local/opnsense/version/${PLUGIN_NAME} ]; then \
+	    echo "annotations $$(cat ${WRKSRC}/usr/local/opnsense/version/${PLUGIN_NAME})"; \
+	fi
 
 scripts: check scripts-pre scripts-auto scripts-manual scripts-post
 
@@ -256,14 +259,14 @@ package: check
 .for DEP in ${PLUGIN_DEPENDS}
 	@if ! ${PKG} info ${DEP} > /dev/null; then ${PKG} install -yA ${DEP}; fi
 .endfor
-	@echo -n ">>> Generating metadata for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}..."
-	@${MAKE} DESTDIR=${WRKSRC} metadata
-	@echo " done"
 	@echo -n ">>> Staging files for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}..."
 	@${MAKE} DESTDIR=${WRKSRC} install
 	@echo " done"
 	@echo ">>> Generated version info for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}:"
 	@cat ${WRKSRC}/usr/local/opnsense/version/${PLUGIN_NAME}
+	@echo -n ">>> Generating metadata for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}..."
+	@${MAKE} DESTDIR=${WRKSRC} metadata
+	@echo " done"
 	@echo ">>> Packaging files for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}:"
 	@${PKG} create -v -m ${WRKSRC} -r ${WRKSRC} \
 	    -p ${WRKSRC}/plist -o ${PKGDIR}

From e197ce3b3af2931d67a7b7b01e993bb3a0741b7a Mon Sep 17 00:00:00 2001
From: Jeremy Gutierrez <Jeremy.gutierrez@markt.de>
Date: Tue, 2 May 2023 15:06:55 +0200
Subject: [PATCH 1435/3088] security/acme: Add DNS.Services API for dns
 challenge type, closes #3399

---
 security/acme-client/pkg-descr                |  4 ++
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../LeValidation/DnsDnsservices.php           | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 71 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsservices.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f00176d564..b38dd12cc9 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -7,6 +7,10 @@ WWW: https://github.com/acmesh-official/acme.sh
 
 Plugin Changelog
 ================
+3.17
+
+Added:
+* add DNS.net DNS API (#3399)
 
 3.16
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 8317542bd9..6c0fe26663 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -367,6 +367,21 @@
         <type>text</type>
         <help>Note that this is the account token not the user token.</help>
     </field>
+    <field>
+        <label>DNS.Services</label>
+        <type>header</type>
+        <style>table_dns table_dns_dnsservices</style>
+    </field>
+    <field>
+        <id>validation.dns_dnsservices_user</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_dnsservices_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
     <field>
         <label>Domain-Offensive LetsEncrypt</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsservices.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsservices.php
new file mode 100644
index 0000000000..b0ffed2038
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsservices.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Jeremy Gutierrez
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DNS.Services API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDnsservices extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DnsServices_Username'] = (string)$this->config->dns_dnsservices_user;
+        $this->acme_env['DnsServices_Password'] = (string)$this->config->dns_dnsservices_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index aa86eb9e60..6c92b6a758 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -440,6 +440,7 @@
                         <dns_dgon>DigitalOcean</dns_dgon>
                         <dns_da>DirectAdmin</dns_da>
                         <dns_dnsimple>DNSimple</dns_dnsimple>
+                        <dns_dnsservices>DNS.Services</dns_dnsservices>
                         <dns_domeneshop>Domeneshop</dns_domeneshop>
                         <dns_me>DNSMadeEasy.com</dns_me>
                         <dns_dp>DNSPod.cn</dns_dp>
@@ -606,6 +607,12 @@
                 <dns_dnsimple_token type="TextField">
                     <Required>N</Required>
                 </dns_dnsimple_token>
+                <dns_dnsservices_user type="TextField">
+                    <Required>N</Required>
+                </dns_dnsservices_user>
+                <dns_dnsservices_password type="TextField">
+                    <Required>N</Required>
+                </dns_dnsservices_password>
                 <dns_doapi_token type="TextField">
                     <Required>N</Required>
                 </dns_doapi_token>

From e5891e968f0a8a7773101b5b5f12aaa84c93b44b Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed, 3 May 2023 22:47:30 +0300
Subject: [PATCH 1436/3088] www/nginx: allow ports in upstream Host and XFH
 headers (#3387)

---
 .../controllers/OPNsense/Nginx/forms/upstream.xml  | 14 ++++++++++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml        |  8 ++++++++
 .../service/templates/OPNsense/Nginx/location.conf |  4 ++--
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
index 15fa996024..c879b98831 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
@@ -23,6 +23,20 @@
     <advanced>true</advanced>
     <help>If you enable the proxy protocol, an upstream proxy or server will get the client IP and the server port before the real traffic is sent.</help>
   </field>
+  <field>
+    <id>upstream.host_port</id>
+    <label>Host header port</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Add this port value to the Host header. Not used by default.</help>
+  </field>
+  <field>
+    <id>upstream.x_forwarded_host_verbatim</id>
+    <label>XFH: Use original Host header</label>
+    <help>Use Host header value from the client request ($http_host) for X-Forwarded-Host header. $host variable is used by default. Enabling this may cause incorrect behavior in case of malicious requests such as incorrect hostnames being logged or invalid redirects being performed.</help>
+    <advanced>true</advanced>
+    <type>checkbox</type>
+  </field>
   <field>
     <id>upstream.tls_enable</id>
     <label>Enable TLS (HTTPS)</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index cf4487baaa..ea6932881d 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -120,6 +120,14 @@
         <BlankDesc>Weighted Round Robin</BlankDesc>
         <Required>N</Required>
       </load_balancing_algorithm>
+      <host_port type="IntegerField">
+        <MinimumValue>1</MinimumValue>
+        <Required>N</Required>
+      </host_port>
+      <x_forwarded_host_verbatim type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </x_forwarded_host_verbatim>
       <proxy_protocol type="BooleanField">
         <default>0</default>
         <Required>Y</Required>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 0610d4fd5e..35145c75b2 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -120,7 +120,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% endif%}
 {% if location.upstream is defined and (location.php_enable is not defined or location.php_enable != '1') %}
 {%   set upstream = helpers.getUUID(location.upstream) %}
-    proxy_set_header Host $host;
+    proxy_set_header Host $host{% if upstream.host_port is defined and upstream.host_port != '' %}:{{ upstream.host_port }}{% endif %};
 {%   if location.websocket is defined and location.websocket == '1' %}
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
@@ -164,7 +164,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Port $server_port;
-    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Host {% if upstream.x_forwarded_host_verbatim is defined and upstream.x_forwarded_host_verbatim == '1'%}$http_host{% else %}$host{% endif %};
     proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
 {%   if location.proxy_read_timeout is defined and location.proxy_read_timeout != '' %}
     proxy_read_timeout {{ location.proxy_read_timeout }}s;

From 79c485c3373bbf1960eb4f6f39124683913f92ba Mon Sep 17 00:00:00 2001
From: Justin Horton <18197817+justinhorton@users.noreply.github.com>
Date: Wed, 3 May 2023 23:11:58 -0700
Subject: [PATCH 1437/3088] sysutils/smart: Don't color WHEN_FAILED column
 header (#3333)

---
 sysutils/smart/Makefile                                     | 1 +
 .../src/opnsense/mvc/app/views/OPNsense/Smart/index.volt    | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index ccc3474b27..b0863f9fb9 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.2
+PLUGIN_REVISION=		1
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt b/sysutils/smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt
index 7a7beb14dd..acb740ffab 100644
--- a/sysutils/smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt
+++ b/sysutils/smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt
@@ -32,9 +32,9 @@
  // Highlights the words "PASSED", "FAILED", and "WARNING".
  function add_colors(text) {
      return text
-	 .replace(/PASSED/g, '<span class="text-success">{{ lang._('PASSED') }}</span>')
-	 .replace(/FAILED/g, '<span class="text-danger">{{ lang._('FAILED') }}</span>')
-	 .replace(/WARNING/g, '<span class="text-warning">{{ lang._('WARNING') }}</span>');
+	 .replace(/\bPASSED\b/g, '<span class="text-success">{{ lang._('PASSED') }}</span>')
+	 .replace(/\bFAILED\b/g, '<span class="text-danger">{{ lang._('FAILED') }}</span>')
+	 .replace(/\bWARNING\b/g, '<span class="text-warning">{{ lang._('WARNING') }}</span>');
  };
 
  // Appends options to select device.

From 6737b8c62c7a85e2c8a1992982ed795dbc1df80a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 4 May 2023 09:54:31 +0200
Subject: [PATCH 1438/3088] status_services.php has moved to ui/core/service

---
 net/sslh/src/etc/inc/plugins.inc.d/sslh.inc                  | 5 ++---
 .../opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt    | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc b/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
index 071cfd2da0..f53c29b24d 100644
--- a/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
+++ b/net/sslh/src/etc/inc/plugins.inc.d/sslh.inc
@@ -30,17 +30,16 @@
  * Function to register the plugin's service with OPNsense.
  *
  * This adds the service to the System: Diagnostics: Services page at
- * http://<opnsense>/status_services.php
+ * http://<opnsense>/ui/core/service
  *
  * The suffix "_services" allows this function to be picked up by
  * etc/inc/plugins.inc:plugins_services() and be included in the
- * $services array to be processed by status_services.php.
+ * $services array to be processed by /ui/core/service.
  *
  * @return array the array of attributes for this service
 */
 function sslh_services()
 {
-    // Create an array to be processed by www/status_services.php
     $service = array();
 
     // Load in our settings to get the enabled state of the plugin.
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index 76decfbb4d..e1ceeaa903 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -124,7 +124,7 @@
 
         <p>
             Select the first three checkboxes: IDS, LAPI and IPS. Click Apply. If you need to restart, you can do so
-            from the <a href="/status_services.php">System > Diagnostics > Services</a> page.
+            from the <a href="/ui/core/service">System > Diagnostics > Services</a> page.
         </p>
 
         <h1>Test the plugin</h1>

From 51d6c762f5ff941fd710342576ff4369a71c0c79 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 8 May 2023 09:08:16 +0200
Subject: [PATCH 1439/3088] dns/bind: correct use of "any" address, small
 tweaks; closes #3417

---
 dns/bind/Makefile                             |  2 +-
 dns/bind/pkg-descr                            |  2 +-
 .../OPNsense/Bind/forms/general.xml           |  2 +-
 .../mvc/app/views/OPNsense/Bind/general.volt  | 60 +++++++++----------
 .../templates/OPNsense/Bind/named.conf        | 12 ++--
 5 files changed, 37 insertions(+), 41 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 5a305f72d4..2bcc8648dd 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.26
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index e8edd8be2f..f9466b3706 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -15,7 +15,7 @@ Plugin Changelog
 * Allow multiple ACLs to be selected for Transfers/Queries (contributed by Robbert Rijkse)
 * Rename Master/Slave to Primary/Secondary (contributed by Robbert Rijkse)
 * Add necessary hooks to allow the plugin to be used as a standalone core DNS server
-* Changed default listening addresses to 0.0.0.0/:: for new users
+* Changed default listening addresses to 0.0.0.0/:: for new users and interally translate these to "any"
 
 1.25
 
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index e40b6dc869..1a1d8c92a1 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -83,7 +83,7 @@
     </field>
     <field>
         <id>general.filteraaaaacl</id>
-        <label>ACl for filter-aaaa</label>
+        <label>ACL for filter-aaaa</label>
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index cf7991ec95..a016e3d68e 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -1,31 +1,30 @@
 {#
-
-OPNsense® is Copyright © 2014 – 2019 by Deciso B.V.
-This file is Copyright © 2018 - 2019 by Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ #
+ # Copyright (c) 2014-2029 Deciso B.V.
+ # Copyright (c) 2018-2019 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
@@ -40,8 +39,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <div id="general" class="tab-pane fade in active">
         <div class="content-box" style="padding-bottom: 1.5em;">
             {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-            <div class="col-md-12">
-                <hr />
+            <div class="col-md-12 __mt">
                 <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
             </div>
         </div>
@@ -49,8 +47,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <div id="dnsbl" class="tab-pane fade in">
         <div class="content-box" style="padding-bottom: 1.5em;">
             {{ partial("layout_partials/base_form",['fields':dnsblForm,'id':'frm_dnsbl_settings'])}}
-            <div class="col-md-12">
-                <hr />
+            <div class="col-md-12 __mt">
                 <button class="btn btn-primary" id="saveAct_dnsbl" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_dnsbl_progress"></i></button>
             </div>
         </div>
@@ -182,7 +179,6 @@ POSSIBILITY OF SUCH DAMAGE.
             <div id="ChangeMessage" class="alert alert-info" style="display: none" role="alert">
                 {{ lang._('After changing settings, please remember to apply them with the button below') }}
             </div>
-            <hr />
             <button class="btn btn-primary saveAct_domain" type="button"><b>{{ lang._('Save') }}</b> <i class="saveAct_domain_progress"></i></button>
             <br /><br />
         </div>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index b1364adf22..6f95e9812b 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -15,12 +15,12 @@ options {
         dump-file       "/var/dump/named_dump.db";
         statistics-file "/var/stats/named.stats";
 
-{% if helpers.exists('OPNsense.bind.general.listenv4') and OPNsense.bind.general.listenv4 != '' and helpers.exists('OPNsense.bind.general.port') and OPNsense.bind.general.port != '' %}
-        listen-on port {{ OPNsense.bind.general.port }} { {{ OPNsense.bind.general.listenv4.replace(',', '; ') }}; };
-{% endif %}
-{% if helpers.exists('OPNsense.bind.general.listenv6') and OPNsense.bind.general.listenv6 != '' and helpers.exists('OPNsense.bind.general.port') and OPNsense.bind.general.port != '' %}
-        listen-on-v6 port {{ OPNsense.bind.general.port }} { {{ OPNsense.bind.general.listenv6.replace(',', '; ') }}; };
-{% endif -%}
+{% for listenv4 in OPNsense.bind.general.listenv4.split(',') %}
+        listen-on port {{ OPNsense.bind.general.port }} { {% if listenv4 == '0.0.0.0' %}any{% else %}{{ listenv4 }}{% endif %}; };
+{% endfor %}
+{% for listenv6 in OPNsense.bind.general.listenv6.split(',') %}
+        listen-on-v6 port {{ OPNsense.bind.general.port }} { {% if listenv6 == '::' %}any{% else %}{{ listenv6 }}{% endif %}; };
+{% endfor %}
 
 {% if helpers.exists('OPNsense.bind.general.querysource') and OPNsense.bind.general.querysource != '' %}
         query-source {{ OPNsense.bind.general.querysource }};

From afec26dc6b86b9115fdc75e8cb8669e2567284cb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 8 May 2023 09:22:22 +0200
Subject: [PATCH 1440/3088] dns/bind: prevent port overlap

Although it's possible to use e.g. port 53 with selective listening
addresses its use is highly discouraged and leads to setup woes when
the user is not well-versed in these matters.  So we lock the port
in case another service is using it and if something needs to overlap
port forward rule use is highly encouraged to make that more clear.
---
 dns/bind/pkg-descr                            |  1 +
 .../mvc/app/models/OPNsense/Bind/General.php  | 75 +++++++++++++------
 2 files changed, 52 insertions(+), 24 deletions(-)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index f9466b3706..b995ce64f5 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 * Rename Master/Slave to Primary/Secondary (contributed by Robbert Rijkse)
 * Add necessary hooks to allow the plugin to be used as a standalone core DNS server
 * Changed default listening addresses to 0.0.0.0/:: for new users and interally translate these to "any"
+* Prevent using a port being used by another DNS service
 
 1.25
 
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
index 4d6a5bd0c7..b2cff5a82d 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
@@ -1,35 +1,62 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *   documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 namespace OPNsense\Bind;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Core\Backend;
+use Phalcon\Messages\Message;
 
 class General extends BaseModel
 {
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+
+        if (
+            ($validateFullModel || $this->enabled->isFieldChanged() || $this->port->isFieldChanged()) &&
+            !empty((string)$this->enabled)
+        ) {
+            foreach (json_decode((new Backend())->configdpRun('service list'), true) as $service) {
+                if (empty($service['dns_ports'])) {
+                    continue;
+                }
+                if ($service['name'] != 'named' && in_array((string)$this->port, $service['dns_ports'])) {
+                    $messages->appendMessage(new Message(
+                        sprintf(gettext('%s is currently using this port.'), $service['description']),
+                        $this->port->getInternalXMLTagName()
+                    ));
+                    break;
+                }
+            }
+        }
+
+        return $messages;
+    }
 }

From 470a4ba99507eff9ffc3c5c6e944494f352701a6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 8 May 2023 10:22:43 +0200
Subject: [PATCH 1441/3088] dns/dnscrypt-proxy: fix listening madness, why do
 DNS services reinvent wheels?

Also fix validation against other DNS services using the port already.

See: https://github.com/DNSCrypt/dnscrypt-proxy/issues/1217
---
 dns/dnscrypt-proxy/Makefile                   |  1 +
 dns/dnscrypt-proxy/pkg-descr                  |  3 +-
 .../etc/inc/plugins.inc.d/dnscryptproxy.inc   | 15 +--
 .../models/OPNsense/Dnscryptproxy/General.php | 98 ++++++++++++++-----
 .../models/OPNsense/Dnscryptproxy/General.xml |  4 +-
 .../views/OPNsense/Dnscryptproxy/general.volt | 68 ++++++-------
 6 files changed, 115 insertions(+), 74 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 39d70dd46e..fd99efd4d9 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.13
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 76d19e885b..660be17e3b 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -8,7 +8,8 @@ Plugin Changelog
 1.13
 
 * Add necessary hooks to allow the plugin to be used as a standalone core DNS server
-* Changed default listening addresses to 0.0.0.0/:: for new users
+* Changed default listening addresses to 0.0.0.0 for new users
+* Prevent using a port being used by another DNS service
 
 1.12
 
diff --git a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
index aeb8ef1ffc..e236cd6839 100644
--- a/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
+++ b/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc
@@ -51,25 +51,18 @@ function dnscryptproxy_services()
     $model = new \OPNsense\Dnscryptproxy\General();
     $ports = [];
 
-    /*
-     * DNS service is eligable for core use when both 0.0.0.0 and :: are set.
-     * In order to provide dual stack ports we need to intersect the resulting
-     * ports for each address family.
-     */
-    $localhost4 = [];
-    $localhost6 = [];
-
+    /* DNS service is eligable for core use when either 0.0.0.0 or :: are set */
     foreach (explode(',', (string)$model->listen_addresses) as $addrport) {
         if (preg_match('/^0\.0\.0\.0:([\d]+)$/', $addrport, $matches)) {
-            $localhost4[$matches[1]] = 1;
+            $ports[$matches[1]] = 1;
         } elseif (preg_match('/^\[::\]:([\d]+)$/', $addrport, $matches)) {
-            $localhost6[$matches[1]] = 1;
+            $ports[$matches[1]] = 1;
         }
     }
 
     $services[] = [
         /* the port may still be something other than 53, but it's safe to register a conflict for it */
-        'dns_ports' => array_keys(array_intersect_key($localhost4, $localhost6)),
+        'dns_ports' => array_keys($ports),
         'description' => gettext('DNSCrypt-Proxy'),
         'configd' => [
             'restart' => ['dnscryptproxy restart'],
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
index a10bb4ad9d..e8ddbafa38 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
@@ -1,35 +1,85 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 namespace OPNsense\Dnscryptproxy;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Core\Backend;
+use Phalcon\Messages\Message;
 
 class General extends BaseModel
 {
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+
+        if (
+            ($validateFullModel || $this->enabled->isFieldChanged() || $this->listen_addresses->isFieldChanged()) &&
+            !empty((string)$this->enabled)
+        ) {
+            $any4 = [];
+            $any6 = [];
+            $ports = [];
+
+            /* grab ALL ports to run a validation against, safer for user in the long run */
+            foreach (explode(',', (string)$this->listen_addresses) as $addrport) {
+                if (preg_match('/(.*):([\d]+)$/', $addrport, $matches)) {
+                    $ports[$matches[2]] = 1;
+                    if ($matches[1] == '0.0.0.0') {
+                        $any4[$matches[2]] = 1;
+                    } elseif ($matches[1] == '[::]') {
+                        $any6[$matches[2]] = 1;
+                    }
+                }
+            }
+
+            foreach (json_decode((new Backend())->configdpRun('service list'), true) as $service) {
+                if (empty($service['dns_ports'])) {
+                    continue;
+                }
+                if ($service['name'] != 'dnscrypt-proxy' && count(array_intersect(array_keys($ports), $service['dns_ports']))) {
+                    $messages->appendMessage(new Message(
+                        sprintf(gettext('%s is currently using one of these ports.'), $service['description']),
+                        $this->listen_addresses->getInternalXMLTagName()
+                    ));
+                    break;
+                }
+            }
+
+            if (count(array_keys(array_intersect_key($any4, $any6)))) {
+                $messages->appendMessage(new Message(
+                    gettext('Cannot configure on both "0.0.0.0" and "::" as the first occurence will be treated as dual-stack.'),
+                    $this->listen_addresses->getInternalXMLTagName()
+                ));
+            }
+        }
+
+        return $messages;
+    }
 }
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index 4dd48bdfd6..0978e7a5ad 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -8,11 +8,11 @@
             <Required>Y</Required>
         </enabled>
         <listen_addresses type="CSVListField">
-            <default>0.0.0.0:5353,[::]:5353</default>
+            <default>0.0.0.0:5353</default>
             <Required>Y</Required>
         </listen_addresses>
         <allowprivileged type="BooleanField">
-            <default>0</default>
+            <default>1</default>
             <Required>Y</Required>
         </allowprivileged>
         <max_clients type="IntegerField">
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
index c9106294bc..606b631960 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
@@ -1,31 +1,29 @@
 {#
-
-OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
-This file is Copyright © 2018 by Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ # Copyright (c) 2014-2018 Deciso B.V.
+ # Copyright (c) 2018 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
@@ -41,9 +39,8 @@ POSSIBILITY OF SUCH DAMAGE.
     <div id="general" class="tab-pane fade in active">
         <div class="content-box" style="padding-bottom: 1.5em;">
             {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_progress"></i></button>
+            <div class="col-md-12 __mt">
+                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
             </div>
         </div>
     </div>
@@ -71,7 +68,7 @@ POSSIBILITY OF SUCH DAMAGE.
         </table>
         <div class="col-md-12">
             <hr />
-            <button class="btn btn-primary"  id="saveAct_forward" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_forward_progress"></i></button>
+            <button class="btn btn-primary" id="saveAct_forward" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_forward_progress"></i></button>
             <br /><br />
         </div>
     </div>
@@ -99,7 +96,7 @@ POSSIBILITY OF SUCH DAMAGE.
         </table>
         <div class="col-md-12">
             <hr />
-            <button class="btn btn-primary"  id="saveAct_cloak" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_cloak_progress"></i></button>
+            <button class="btn btn-primary" id="saveAct_cloak" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_cloak_progress"></i></button>
             <br /><br />
         </div>
     </div>
@@ -126,7 +123,7 @@ POSSIBILITY OF SUCH DAMAGE.
         </table>
         <div class="col-md-12">
             <hr />
-            <button class="btn btn-primary"  id="saveAct_whitelist" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_whitelist_progress"></i></button>
+            <button class="btn btn-primary" id="saveAct_whitelist" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_whitelist_progress"></i></button>
             <br /><br />
         </div>
     </div>
@@ -154,15 +151,14 @@ POSSIBILITY OF SUCH DAMAGE.
         </table>
         <div class="col-md-12">
             <hr />
-            <button class="btn btn-primary"  id="saveAct_server" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_server_progress"></i></button>
+            <button class="btn btn-primary" id="saveAct_server" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_server_progress"></i></button>
             <br /><br />
         </div>
     </div>
     <div id="dnsbl" class="tab-pane fade in">
         <div class="content-box" style="padding-bottom: 1.5em;">
             {{ partial("layout_partials/base_form",['fields':dnsblForm,'id':'frm_dnsbl_settings'])}}
-            <div class="col-md-12">
-                <hr />
+            <div class="col-md-12 __mt">
                 <button class="btn btn-primary" id="saveAct_dnsbl" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_dnsbl_progress"></i></button>
             </div>
         </div>

From 055e30339398ee447c22fa02d92684517e413e50 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 8 May 2023 10:44:03 +0200
Subject: [PATCH 1442/3088] dns/bind: small typo

---
 .../OPNsense/Bind/Api/DomainController.php       | 16 ++++++++--------
 .../mvc/app/views/OPNsense/Bind/general.volt     |  2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
index 88a6605225..d91945f839 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
@@ -40,23 +40,23 @@ class DomainController extends ApiMutableModelControllerBase
     /* XXX backwards-compatibility for 22.7 and below */
     public function searchMasterDomainAction()
     {
-        return seachPrimaryDomainAction();
+        return $this->searchPrimaryDomainAction();
     }
 
     /* XXX backwards-compatibility for 22.7 and below */
     public function searchSlaveDomainAction()
     {
-        return seachSecondaryDomainAction();
+        return $this->searchSecondaryDomainAction();
     }
 
     public function searchPrimaryDomainAction()
     {
         return $this->searchBase(
             'domains.domain',
-            [   "enabled", "type", "domainname", "ttl", "refresh", "retry", "expire", "negative" ],
-            "domainname",
+            [ 'enabled', 'type', 'domainname', 'ttl', 'refresh', 'retry', 'expire', 'negative' ],
+            'domainname',
             function ($record) {
-                return $record->type->getNodeData()["primary"]["selected"] === 1;
+                return $record->type->getNodeData()['primary']['selected'] === 1;
             }
         );
     }
@@ -65,10 +65,10 @@ public function searchSecondaryDomainAction()
     {
         return $this->searchBase(
             'domains.domain',
-            [   "enabled", "type", "domainname", "primaryip" ],
-            "domainname",
+            [ 'enabled', 'type', 'domainname', 'primaryip' ],
+            'domainname',
             function ($record) {
-                return $record->type->getNodeData()["secondary"]["selected"] === 1;
+                return $record->type->getNodeData()['secondary']['selected'] === 1;
             }
         );
     }
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index a016e3d68e..e29bc64346 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -1,6 +1,6 @@
 {#
  #
- # Copyright (c) 2014-2029 Deciso B.V.
+ # Copyright (c) 2014-2019 Deciso B.V.
  # Copyright (c) 2018-2019 Michael Muenz <m.muenz@gmail.com>
  # All rights reserved.
  #

From 57a549f73bdf301de5397bd43542999e0c5c4824 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 May 2023 12:30:36 +0200
Subject: [PATCH 1443/3088] security/acme-client: bump version

---
 security/acme-client/pkg-descr                                | 4 +++-
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml         | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index cf1654cf29..931a9eb077 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -7,10 +7,12 @@ WWW: https://github.com/acmesh-official/acme.sh
 
 Plugin Changelog
 ================
+
 3.17
 
 Added:
-* add DNS.net DNS API (#3399)
+* add DNS.services DNS API (#3399)
+* add RegRu DNS API (#3359)
 
 3.16
 
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 3e3bb14b75..8aeea9d0bd 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -492,7 +492,7 @@
                         <dns_pdns>PowerDNS.com</dns_pdns>
                         <dns_pleskxml>Plesk</dns_pleskxml>
                         <dns_porkbun>Porkbun</dns_porkbun>
-                        <dns_regru>regru</dns_regru>
+                        <dns_regru>RegRu</dns_regru>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
                         <dns_selectel>selectel.com / selectel.ru</dns_selectel>
                         <dns_selfhost>Selfhost</dns_selfhost>

From 8f8b2f63db71213c92a957cc2070751642552023 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 8 May 2023 15:15:01 +0200
Subject: [PATCH 1444/3088] dns/bind: sidestep mismatch of value/label read

This was how it was done before primary/secondary change and
it shouldn't break anything.
---
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index f7122536c6..7d89d9e16c 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -13,8 +13,8 @@
                     <default>primary</default>
                     <Required>Y</Required>
                     <OptionValues>
-                        <primary>Primary</primary>
-                        <secondary>Secondary</secondary>
+                        <primary>primary</primary>
+                        <secondary>secondary</secondary>
                     </OptionValues>
                 </type>
                 <primaryip type="NetworkField">

From 4d53ea703f2b5817e2c826b22474723e1549573f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 May 2023 08:00:51 +0200
Subject: [PATCH 1445/3088] net/sslh: bump revision

---
 net/sslh/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/sslh/Makefile b/net/sslh/Makefile
index e7a9d533dc..ab93b6163c 100644
--- a/net/sslh/Makefile
+++ b/net/sslh/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		sslh
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		sslh configuration front-end
 PLUGIN_DEPENDS=		sslh
 PLUGIN_MAINTAINER=	agh1467@protonmail.com

From 8245256fa8c89d35d433b7790699ed6ddea32390 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 May 2023 08:02:34 +0200
Subject: [PATCH 1446/3088] security/crowdsec: bump revision

---
 security/crowdsec/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index a731b72a77..751e3bf3f4 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		crowdsec
 PLUGIN_VERSION=		1.0.4
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net

From c5d27b9ab3fba7c763ed1bd3e96fde9d67305b31 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 9 May 2023 14:32:19 +0200
Subject: [PATCH 1447/3088] security/acme-client: bump version to 3.17

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 8091d14b88..216a92e59f 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.16
+PLUGIN_VERSION=		3.17
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 6340b8a1e2e1bc1e8050e2088d8c162c8ead7fd9 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 9 May 2023 21:12:16 +0200
Subject: [PATCH 1448/3088] dns/ddclient: move accounting of "last accessed
 timestamp' to poller, when execute() fails for whatever reason without an
 update, we want to prevent it looping to fast.

---
 .../src/opnsense/scripts/ddclient/lib/account/__init__.py      | 3 +--
 dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py       | 3 +++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
index de34627bdf..b74f08c3cc 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
@@ -128,6 +128,5 @@ def execute(self):
             # if current address doesn't equal the current state, propagate the fact
             return True
         else:
-            # unmodified, keep track of last access timestamp
-            self._last_accessed = time.time()
+            # unmodified, poller keeps track of last access timestamp
             return False
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
index 4982055f8d..08bf5af477 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
@@ -151,6 +151,9 @@ def run(self):
                             if self.is_verbose:
                                 syslog.syslog(syslog.LOG_NOTICE, "Account %s changed" % acc.description)
                             needs_flush = True
+                        else:
+                            # update last accessed timestamp
+                            acc.update_state(None)
                     except Exception as e:
                         # fatal exception, update atime so we're not going to retry too soon
                         acc.update_state(None)

From ec4d29100ccf3117fb68c341c8749cf1f1ba3b66 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 9 May 2023 21:33:39 +0200
Subject: [PATCH 1449/3088] dns/ddclient: cloudflare - read proxied attribute
 from hostname and send it back to prevent it being removed. closes
 https://github.com/opnsense/plugins/issues/3426

---
 .../ddclient/lib/account/cloudflare.py        | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
index efd5f56128..774be44fa4 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
@@ -81,13 +81,13 @@ def execute(self):
                         syslog.LOG_ERR,
                         "Account %s error parsing JSON response [ZoneID] %s" % (self.description, response.text)
                     )
-                return
+                return False
             if not payload.get('success', False):
                 syslog.syslog(
                     syslog.LOG_ERR,
                     "Account %s error receiving ZoneID [%s]" % (self.description, json.dumps(payload.get('errors', {})))
                 )
-                return
+                return False
 
             zone_id = payload['result'][0]['id']
             if self.is_verbose:
@@ -123,9 +123,18 @@ def execute(self):
                         self.description, json.dumps(payload.get('errors', {}))
                     )
                 )
-                return
+                return False
+
+            if len(payload['result']) == 0:
+                syslog.syslog(
+                    syslog.LOG_ERR, "Account %s error locating hostname %s [%s]" % (
+                        self.description, self.settings.get('hostnames'), recordType
+                    )
+                )
+                return False
 
             record_id = payload['result'][0]['id']
+            proxied = payload['result'][0]['proxied']
             if self.is_verbose:
                 syslog.syslog(
                     syslog.LOG_NOTICE,
@@ -138,7 +147,8 @@ def execute(self):
                 'json': {
                     'type': recordType,
                     'name': self.settings.get('hostnames'),
-                    'content': str(self.current_address)
+                    'content': str(self.current_address),
+                    'proxied': proxied
                 },
                 'headers': req_opts['headers']
             }
@@ -152,7 +162,7 @@ def execute(self):
                         syslog.LOG_ERR,
                         "Account %s error parsing JSON response [UpdateIP] %s" % (self.description, response.text)
                     )
-                return
+                return False
             if payload.get('success', False):
                 syslog.syslog(
                     syslog.LOG_NOTICE,

From 08144eda8b75ef220499ac65491fe8102994eb63 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 12 May 2023 11:35:16 +0200
Subject: [PATCH 1450/3088] net/radsecproxy: wrong pid file location; closes
 #3437

---
 net/radsecproxy/Makefile                               |  1 +
 .../src/etc/inc/plugins.inc.d/radsecproxy.inc          | 10 +---------
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/net/radsecproxy/Makefile b/net/radsecproxy/Makefile
index 7ee4427db0..4d2d3d1cfe 100644
--- a/net/radsecproxy/Makefile
+++ b/net/radsecproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		radsecproxy
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
 PLUGIN_DEPENDS=		radsecproxy
 PLUGIN_MAINTAINER=	tobias@boehnert.dev
diff --git a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
index a614e0bffc..19462cfb7e 100644
--- a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
+++ b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
@@ -37,14 +37,6 @@ function radsecproxy_enabled()
 
 function radsecproxy_syslog()
 {
-    // $syslogconf = array();
-
-    // $syslogconf['radsecproxy'] = array(
-    //     'facility' => array('radsecproxy'),
-    // );
-
-    // return $syslogconf;
-
     $logfacilities = array();
     $logfacilities['radsecproxy'] = array(
         'facility' => array('LOG_DAEMON'),
@@ -66,7 +58,7 @@ function radsecproxy_services()
                 'stop' => array('radsecproxy stop'),
             ),
             'name' => 'radsecproxy',
-            'pidfile' => '/var/run/radsecproxy/radsecproxy.pid'
+            'pidfile' => '/var/run/radsecproxy.pid'
         );
     }
     return $services;

From 02f273faafd43ae788cb54395bf0f30f9155ce43 Mon Sep 17 00:00:00 2001
From: Juan <juantxorena@gmail.com>
Date: Thu, 11 May 2023 18:25:09 +0200
Subject: [PATCH 1451/3088] use API token if available

If the username is "token", use the password as an API token instead of a global one
---
 dns/ddclient/Makefile                           |  1 +
 .../scripts/ddclient/lib/account/cloudflare.py  | 17 ++++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 3eee7b353a..043bd829d1 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.13
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
index 774be44fa4..388c2b1471 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
@@ -60,16 +60,23 @@ def execute(self):
 
             # get ZoneID
             url = "https://%s/client/v4/zones" % self._services[self.settings.get('service')]
+
+            headers = {
+                'User-Agent': 'OPNsense-dyndns'
+            }
+            # switch between bearer and email/key authentication
+            if self.settings.get('username', '').find('@') == -1:
+                headers["Authorization"] = "Bearer " + self.settings.get('password')
+            else:
+                headers["X-Auth-Email"] = self.settings.get('username')
+                headers["X-Auth-Key"] = self.settings.get('password')
+
             req_opts = {
                 'url': url,
                 'params': {
                     'name': self.settings.get('zone')
                 },
-                'headers': {
-                    'User-Agent': 'OPNsense-dyndns',
-                    'X-Auth-Email': self.settings.get('username'),
-                    'X-Auth-Key': self.settings.get('password')
-                }
+                'headers': headers
             }
             response = requests.get(**req_opts)
             try:

From b84fa4af1ea131b01c66af5c964697195406083e Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Sun, 21 May 2023 09:55:45 +0200
Subject: [PATCH 1452/3088] crowdsec: update 1.0.5 - fix ban example (#3441)

---
 security/crowdsec/Makefile                                    | 3 +--
 security/crowdsec/pkg-descr                                   | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 751e3bf3f4..161f3870d7 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.4
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.0.5
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index aba38f1c24..48e83b5ea1 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,10 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.5
+
+* fix ban example
+
 1.0.4
 
 * Add force_inotify option to aquire logs when /var/log is in RAM, otherwise
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index fb2d210e37..71e67aa4c4 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.4</version>
+  <version>1.0.5</version>
   <items>
 
     <agent_enabled type="BooleanField">
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index e1ceeaa903..7331309407 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -145,7 +145,7 @@
             connect, should anything go wrong.
 	</p>
 
-	<pre><code>[root@OPNsense ~]# cscli decisions add -t ban -d 2m -i </code></pre>
+	<pre><code>[root@OPNsense ~]# cscli decisions add -t ban -d 2m -i &lt;your_ip_address&gt;</code></pre>
 
 	<p>
 	    This is a more secure way to test than attempting to brute-force

From ca764101ad7d6d3745e49149a9cbbca7604cf854 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 25 May 2023 08:12:40 +0200
Subject: [PATCH 1453/3088] dns/ddclient: fix release notes

---
 dns/ddclient/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 586f76bdb8..c868ea6242 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 * Fix not returning IP address as a string in Python backend (contributed by Sean Kelly)
 * Fix PID file handling for Python backend
+* Use API token for cloudflare Python backend if available (contributed by juantxorena)
+* Read proxied attribute from cloudflare hostname and send it back to prevent it being removed
+* Move accounting of "last accessed timestamp" to poller in Python backend
 
 1.12
 

From ff873cc2f1659f2bc0e7c30b1018b822208b5b5d Mon Sep 17 00:00:00 2001
From: Rhys Barrie <rhys.barrie@gmail.com>
Date: Tue, 30 May 2023 20:16:12 -0400
Subject: [PATCH 1454/3088] os-ddclient / update ddclient.conf interface
 template

---
 .../service/templates/OPNsense/ddclient/ddclient.conf         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 9989c794a5..4ac621862a 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -24,9 +24,9 @@ ssl=yes
 {%  for account in accounts %}
 {%     if account.checkip == 'if' %}
 {%        if not helpers.empty('OPNsense.DynDNS.general.allowipv6') %}
-usev6=ifv6, \
+usev6=ifv6, ifv6={{physical_interface(account.interface)}}, \
 {%        endif %}
-usev4=ifv4, if={{physical_interface(account.interface)}}, \
+usev4=ifv4, ifv4={{physical_interface(account.interface)}}, \
 {%      elif account.checkip.startswith('web_') %}
 {%          if account.interface %}
 use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i {{physical_interface(account.interface)}} -t {{account.force_ssl}} -s {{account.checkip[4:]}} --timeout {{account.checkip_timeout|default('10')}}",

From 843c99f53fb61852ade474a120e1765e94fd2ad6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 31 May 2023 07:45:52 +0200
Subject: [PATCH 1455/3088] dns/ddclient: update for latest changes

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 043bd829d1..091f84ceee 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index c868ea6242..e6ad375a34 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 * Use API token for cloudflare Python backend if available (contributed by juantxorena)
 * Read proxied attribute from cloudflare hostname and send it back to prevent it being removed
 * Move accounting of "last accessed timestamp" to poller in Python backend
+* Change if= use to proper ifv4=/ifv6= use (contributed by Rhys Barrie)
 
 1.12
 

From b465377760dde6cd23e8976bda54d087b572ae4c Mon Sep 17 00:00:00 2001
From: Marco Mariani <marco@crowdsec.net>
Date: Thu, 1 Jun 2023 14:35:21 +0200
Subject: [PATCH 1456/3088] crowdsec: update 1.0.6 - correct option to detect
 changes from symlinks

---
 security/crowdsec/+POST_INSTALL.post                         | 3 +++
 security/crowdsec/Makefile                                   | 2 +-
 security/crowdsec/pkg-descr                                  | 5 +++++
 security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml    | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml    | 2 +-
 .../opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt    | 5 +++++
 6 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/security/crowdsec/+POST_INSTALL.post b/security/crowdsec/+POST_INSTALL.post
index 4c5abec40a..fd090d0dcf 100755
--- a/security/crowdsec/+POST_INSTALL.post
+++ b/security/crowdsec/+POST_INSTALL.post
@@ -1,3 +1,6 @@
 #!/bin/sh
 
 configctl crowdsec reconfigure
+
+# apply new configuration immediately, don't wait for hub updates
+service crowdsec reload >/dev/null 2>&1 || :
diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 161f3870d7..ca8b22e79e 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.5
+PLUGIN_VERSION=		1.0.6
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 48e83b5ea1..8d635b67c5 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.6
+
+ * default acquis.d/opnsense.yaml to "poll_without_inotify=true" which is now required
+   to acquire content from symlinks.
+
 1.0.5
 
 * fix ban example
diff --git a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
index 7867ccdae7..98ec286d5f 100644
--- a/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
+++ b/security/crowdsec/src/etc/crowdsec/acquis.d/opnsense.yaml
@@ -24,5 +24,9 @@ filenames:
 # but the option works with both.
 force_inotify: true
 
+# this option is required from crowdsec v1.5.0 to follow
+# changes in symlinks
+poll_without_inotify: true
+
 labels:
   type: syslog
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index 71e67aa4c4..4349222b6c 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.5</version>
+  <version>1.0.6</version>
   <items>
 
     <agent_enabled type="BooleanField">
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index 7331309407..9a00769330 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -77,6 +77,11 @@
         <p>A few remarks:</p>
 
         <ul>
+            <li>
+                New acquisition files go under <code>/usr/local/etc/crowdsec/acquis.d</code>. See opnsense.yaml for details.
+                The option <code>poll_without_inotify: true</code> is required if the acquitision targets are symlinks (which
+                is the case for most opnsense logs).
+            </li>
             <li>
                 If your OPNsense is &lt;22.1, you must check "Disable circular logs" in the Settings menu for the
                 ssh and web-auth parsers to work. If you upgrade to 22.1, it will be done automatically.

From 256843a93ac7b533f504e5d6ecbc8216a4d2c399 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 2 Jun 2023 10:39:05 +0200
Subject: [PATCH 1457/3088] net/frr: switch version

---
 net/frr/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index ff6f9271dd..9777e398b1 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.33
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
-PLUGIN_DEPENDS=		frr7
+PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 PLUGIN_TIER=		2
 

From 289e0c44dfcd4781674fec0f01f6ac106119dffe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 2 Jun 2023 10:39:32 +0200
Subject: [PATCH 1458/3088] net/upnp: back to FreeBSD package on version 2.3.3

---
 net/upnp/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 73c79af48d..69773cd84c 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.5
 PLUGIN_REVISION=	3
-PLUGIN_DEPENDS=		miniupnpd-devel
+PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 3c042ec9a86ccede98ea26cdb41dfb5e9199aa38 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 2 Jun 2023 10:46:16 +0200
Subject: [PATCH 1459/3088] security/acme-client: style sweep

---
 .../AcmeClient/LeValidation/DnsRegru.php         | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRegru.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRegru.php
index e9cc1f6595..9312c8c1df 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRegru.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRegru.php
@@ -35,11 +35,11 @@
   * RegRu DNS API
   * @package OPNsense\AcmeClient
   */
- class DnsRegru extends Base implements LeValidationInterface
- {
-     public function prepare()
-     {
-         $this->acme_env['REGRU_API_Username'] = (string)$this->config->dns_regru_username;
-         $this->acme_env['REGRU_API_Password'] = (string)$this->config->dns_regru_password;
-     }
- }
\ No newline at end of file
+class DnsRegru extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['REGRU_API_Username'] = (string)$this->config->dns_regru_username;
+        $this->acme_env['REGRU_API_Password'] = (string)$this->config->dns_regru_password;
+    }
+}

From fcf1b5d0ec8cfc6ff71c3a55df7f2e150254d776 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 13 Jun 2023 16:25:09 +0200
Subject: [PATCH 1460/3088] Zabbix Proxy 6.4 (#3460)

---
 net-mgmt/zabbix-proxy/Makefile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 36d3ebd475..480b98966b 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -3,7 +3,10 @@ PLUGIN_VERSION=		1.9
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix62 zabbix6 zabbix5 zabbix4
+PLUGIN_VARIANTS=	zabbix6 zabbix62 zabbix64 zabbix5 zabbix4
+
+zabbix64_NAME=		zabbix64-proxy
+zabbix64_DEPENDS=	zabbix64-proxy
 
 zabbix62_NAME=		zabbix62-proxy
 zabbix62_DEPENDS=	zabbix62-proxy

From 0ec00a4bd0175bbc9a683259c6c972da8fdaa4bd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jun 2023 08:43:14 +0200
Subject: [PATCH 1461/3088] www/nginx: for next version

---
 www/nginx/Makefile                                            | 2 +-
 www/nginx/pkg-descr                                           | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml      | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 92f09f009c..4309e8b5db 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.32
+PLUGIN_VERSION=		1.32.1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index f05159d2b3..f6cb169d0c 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.32.1
+
+* add "Host header port" and "use original Host header" options
+
 1.32
 
 * add support for resetting timed out connections and 444 responses (reset_timedout_connection)
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index ea6932881d..24a224a6b4 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.32</version>
+  <version>1.32.1</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>

From d26aaa7352f9b8fd4c4f00761edef57ec6914bfa Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 22 Jun 2023 11:55:11 +0200
Subject: [PATCH 1462/3088] www/nginx: load module?

PR: https://forum.opnsense.org/index.php?topic=34546.0
---
 www/nginx/Makefile                                               | 1 +
 .../src/opnsense/service/templates/OPNsense/Nginx/nginx.conf     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 4309e8b5db..58fc63363f 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.32.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
index fb8f660756..061e5a6e2a 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
@@ -5,6 +5,7 @@ load_module /usr/local/libexec/nginx/ngx_mail_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_js_module.so;
+load_module /usr/local/libexec/nginx/ngx_http_vhost_traffic_status_module.so
 {% if OPNsense.Nginx.http.headers_more_enable is defined and OPNsense.Nginx.http.headers_more_enable == '1' %}
 load_module /usr/local/libexec/nginx/ngx_http_headers_more_filter_module.so;
 {% endif %}

From 682780e6f61ba8650e0928b768078ebab65e6d71 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 22 Jun 2023 12:23:23 +0200
Subject: [PATCH 1463/3088] typo

---
 .../src/opnsense/service/templates/OPNsense/Nginx/nginx.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
index 061e5a6e2a..3c8f912b90 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/nginx.conf
@@ -5,7 +5,7 @@ load_module /usr/local/libexec/nginx/ngx_mail_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
 load_module /usr/local/libexec/nginx/ngx_http_js_module.so;
-load_module /usr/local/libexec/nginx/ngx_http_vhost_traffic_status_module.so
+load_module /usr/local/libexec/nginx/ngx_http_vhost_traffic_status_module.so;
 {% if OPNsense.Nginx.http.headers_more_enable is defined and OPNsense.Nginx.http.headers_more_enable == '1' %}
 load_module /usr/local/libexec/nginx/ngx_http_headers_more_filter_module.so;
 {% endif %}

From 25a1684452fa4850b412bc5163b787e96c2cef1f Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Mon, 29 May 2023 21:16:26 +0300
Subject: [PATCH 1464/3088] 'upstream' is undefined quickfix

dont try to set proxy_protocol value for sni mapped streams
---
 www/nginx/Makefile                                              | 2 +-
 .../src/opnsense/service/templates/OPNsense/Nginx/streams.conf  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 58fc63363f..6acc5bc261 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.32.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index a2d306079c..8915f32653 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -96,11 +96,11 @@
 {%       endif %}
         proxy_ssl {% if upstream.tls_enable == '1' %}on{% else %}off{% endif %};
         proxy_pass upstream{{ server.upstream.replace('-','') }};
+        proxy_protocol {% if upstream.proxy_protocol == '1' %}on{% else %}off{% endif %};
 {%     endif %}
 {%   elif server.route_field == 'sni_upstream_map' %}
         proxy_pass $hostmap{{ server.sni_upstream_map.replace('-','') }};
 {%   endif %}
-        proxy_protocol {% if upstream.proxy_protocol == '1' %}on{% else %}off{% endif %};
 {%   if server.proxy_responses is defined and server.proxy_responses != '' %}
         proxy_responses {{ server.proxy_responses }};
 {%   endif%}

From 39bbffb928e2aa7ad582fb3e14a6de5538cb4853 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Mon, 26 Jun 2023 15:55:00 +0200
Subject: [PATCH 1465/3088] net/frr: Diagnostics overhaul (#3484)

* net/frr: Diagnostics overhaul [2] - https://github.com/opnsense/plugins/pull/3263
o new extensible template for tabbed views
o get rid of diagnostics form - was unused anyway
o get rid of lodash dependency
o the API output is HTML-encoded, this fixes resulting display issues
o move search functionality to controller.
o move bgp additional attributes inside the record set so people can show them on request (the tree functions might better to move into a core Javascript file to reduce duplication, but for now this is fine.)
o add formatters in bootgrid to mimic the previous behavior
o add interface names (descriptions) for easier reading in route endpoints
o cleanups, move bgp routerid and localAS to subtitle and offer a "generic" hook for endpoints. remove unused elements from the volt template.

---------

Co-authored-by: Marc Leuser <github@mleuser.de>
---
 .../Quagga/Api/DiagnosticsController.php      | 170 ++++++-
 .../OPNsense/Quagga/DiagnosticsController.php |  88 +++-
 .../OPNsense/Quagga/forms/diagnostics.xml     |   8 -
 .../views/OPNsense/Quagga/diagnostics.volt    | 341 +++++++++++++
 .../views/OPNsense/Quagga/diagnosticsbgp.volt | 143 ------
 .../OPNsense/Quagga/diagnosticsgeneral.volt   | 142 ------
 .../OPNsense/Quagga/diagnosticsospf.volt      | 475 ------------------
 .../scripts/frr/legacy-diagnostics.py         |   3 +-
 .../www/js/quagga/diagnostics_utils.js        | 207 ++++++++
 9 files changed, 801 insertions(+), 776 deletions(-)
 delete mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/diagnostics.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
 delete mode 100644 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
 delete mode 100644 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
 delete mode 100644 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
 create mode 100644 net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index a92a3d8e05..76f0cf6a2c 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -41,11 +41,27 @@
  */
 class DiagnosticsController extends ApiControllerBase
 {
+    private $allifnames = [];
+
+    public function initialize()
+    {
+        parent::initialize();
+        foreach (Config::getInstance()->object()->interfaces->children() as $key => $node) {
+            $this->allifnames[(string)$node->if] = !empty((string)$node->descr) ? (string)$node->descr : $key;
+        }
+    }
+
+    public function getIfDesc($ifname)
+    {
+           return !empty($this->allifnames[$ifname]) ? $this->allifnames[$ifname] : '';
+    }
+
     private function getInformation(string $daemon, string $name, string $format): array
     {
-        $backend = new Backend();
-        $response = $backend->configdRun("quagga diagnostics " . $daemon . "_" . $name . ($format === "json" ? "_json" : ""));
-        return array("response" => ($format === "json" ? json_decode($response) : $response));
+        $response = (new Backend())->configdRun(
+            "quagga diagnostics " . $daemon . "_" . $name . ($format === "json" ? "_json" : "")
+        );
+        return ["response" => ($format === "json" ? json_decode($response ?? '', true) : $response)];
     }
 
     public function generalrunningconfigAction(): array
@@ -53,6 +69,9 @@ public function generalrunningconfigAction(): array
         return $this->getInformation("general", "running-config", "plain");
     }
 
+    /**
+     * XXX: unused, deprecate in next major?
+     */
     public function generalrouteAction($format = "json"): array
     {
         $routes4 = $this->getInformation("general", "route4", $format)['response'];
@@ -69,11 +88,45 @@ public function generalroute4Action($format = "json"): array
         return $this->getInformation("general", "route4", $format);
     }
 
+    public function searchGeneralroute4Action(): array
+    {
+        $records = [];
+        foreach($this->getInformation("general", "route4", "json")['response'] as $routes) {
+            foreach ($routes as $route) {
+                foreach ($route['nexthops'] as $nexthop) {
+                    $nexthop = array_merge($route, $nexthop);
+                    unset($nexthop['nexthops']);
+                    $nexthop['via'] = !empty($nexthop['ip']) ? $nexthop['ip'] : 'Directly Attached';
+                    $nexthop['interfaceDescr'] = $this->getIfDesc($nexthop['interfaceName'] ?? '');
+                    $records[] = $nexthop;
+                }
+            }
+        }
+        return $this->searchRecordsetBase($records);
+    }
+
     public function generalroute6Action($format = "json"): array
     {
         return $this->getInformation("general", "route6", $format);
     }
 
+    public function searchGeneralroute6Action(): array
+    {
+        $records = [];
+        foreach($this->getInformation("general", "route6", "json")['response'] as $routes) {
+            foreach ($routes as $route) {
+                foreach ($route['nexthops'] as $nexthop) {
+                    $nexthop = array_merge($route, $nexthop);
+                    unset($nexthop['nexthops']);
+                    $nexthop['via'] = !empty($nexthop['ip']) ? $nexthop['ip'] : 'Directly Attached';
+                    $nexthop['interfaceDescr'] = $this->getIfDesc($nexthop['interfaceName'] ?? '');
+                    $records[] = $nexthop;
+                }
+            }
+        }
+        return $this->searchRecordsetBase($records);
+    }
+
     public function bgprouteAction($format = "json"): array
     {
         return $this->getInformation("bgp", "route", $format);
@@ -84,11 +137,83 @@ public function bgproute4Action($format = "json"): array
         return $this->getInformation("bgp", "route4", $format);
     }
 
+    public function searchBgproute4Action(): array
+    {
+        $records = [];
+        $payload = $this->getInformation("bgp", "route4", "json")['response'];
+        $baserecord = [];
+        foreach ($payload as $key => $value) {
+            if (!is_array($value)) {
+                $baserecord[$key] = $value;
+            }
+        }
+        if (!empty($payload['routes'])) {
+            foreach ($payload['routes'] as $routes) {
+                foreach ($routes as $route) {
+                    foreach ($route['nexthops'] as $nexthop) {
+                        $nexthop = array_merge($route, $nexthop);
+                        unset($nexthop['nexthops']);
+                        $nexthop['internal'] = !empty($nexthop['pathFrom']) && $nexthop['pathFrom'] == 'internal';
+                        $nexthop['path'] = !empty($nexthop['path']) ? $nexthop['path'] : 'Internal';
+                        $records[] = array_merge($baserecord, $nexthop);
+                    }
+                }
+            }
+        }
+        $result = $this->searchRecordsetBase($records);
+        if (!empty($baserecord)) {
+            $result['subtitle'] = sprintf(
+                '%s : %s , %s : %s',
+                gettext('routerId'),
+                $baserecord['routerId'],
+                gettext('localAS'),
+                $baserecord['localAS']
+            );
+        }
+        return $result;
+    }
+
     public function bgproute6Action($format = "json"): array
     {
         return $this->getInformation("bgp", "route6", $format);
     }
 
+    public function searchBgproute6Action(): array
+    {
+        $records = [];
+        $payload = $this->getInformation("bgp", "route6", "json")['response'];
+        $baserecord = [];
+        foreach ($payload as $key => $value) {
+            if (!is_array($value)) {
+                $baserecord[$key] = $value;
+            }
+        }
+        if (!empty($payload['routes'])) {
+            foreach ($payload['routes'] as $routes) {
+                foreach ($routes as $route) {
+                    foreach ($route['nexthops'] as $nexthop) {
+                        $nexthop = array_merge($route, $nexthop);
+                        unset($nexthop['nexthops']);
+                        $nexthop['internal'] = !empty($nexthop['pathFrom']) && $nexthop['pathFrom'] == 'internal';
+                        $nexthop['path'] = !empty($nexthop['path']) ? $nexthop['path'] : 'Internal';
+                        $records[] = array_merge($baserecord, $nexthop);
+                    }
+                }
+            }
+        }
+        $result = $this->searchRecordsetBase($records);
+        if (!empty($baserecord)) {
+            $result['subtitle'] = sprintf(
+                '%s : %s , %s : %s',
+                gettext('routerId'),
+                $baserecord['routerId'],
+                gettext('localAS'),
+                $baserecord['localAS']
+            );
+        }
+        return $result;
+    }
+
     public function bgpsummaryAction($format = "json"): array
     {
         return $this->getInformation("bgp", "summary", $format);
@@ -109,11 +234,50 @@ public function ospfneighborAction($format = "json"): array
         return $this->getInformation("ospf", "neighbor", $format);
     }
 
+    public function searchOspfneighborAction(): array
+    {
+        $records = [];
+        $payload = $this->getInformation("ospf", "neighbor", "json")['response'];
+        if (!empty($payload['neighbors'])) {
+            foreach ($payload['neighbors'] as $neighborid => $neighbor) {
+                foreach ($neighbor as $item) {
+                    $item['neighborid'] = $neighborid;
+                    $records[] = $item;
+                }
+            }
+        }
+        return $this->searchRecordsetBase($records);
+    }
+
     public function ospfrouteAction($format = "json"): array
     {
         return $this->getInformation("ospf", "route", $format);
     }
 
+    public function searchOspfrouteAction(): array
+    {
+        $records = [];
+        $payload = $this->getInformation("ospf", "route", "json")['response'];
+        foreach($payload as $net => $network) {
+            if (empty($network['nexthops'])) {
+                continue;
+            }
+            foreach ($network['nexthops'] as $nexthop) {
+                $records[] = [
+                    'type' => $network['routeType'],
+                    'network' => $net,
+                    'cost' => $network['cost'],
+                    'area' => $network['area'] ?? '',
+                    'via' => !empty($nexthop['via']) ? $nexthop['ip'] : 'Directly Attached',
+                    'viainterface' => !empty($nexthop['via']) ? $nexthop['via'] : $nexthop['directly attached to'],
+                    'viainterfaceDescr' =>  $this->getIfDesc($nexthop['via'] ?? $nexthop['directly attached to']),
+                ];
+            }
+        }
+
+        return $this->searchRecordsetBase($records);
+    }
+
     public function ospfdatabaseAction($format = "json"): array
     {
         return $this->getInformation("ospf", "database", $format);
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
index 4b74311840..923e0d3ede 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
@@ -29,12 +29,71 @@ class DiagnosticsController extends \OPNsense\Base\IndexController
 {
     public function bgpAction()
     {
-        $this->view->diagnosticsForm = $this->getForm("diagnostics");
-        $this->view->pick('OPNsense/Quagga/diagnosticsbgp');
+        $this->view->tabs = [
+            [
+                'name' => 'routing4',
+                'endpoint' => '/api/quagga/diagnostics/search_bgproute4',
+                'tabhead' => "IPv4 " . gettext('Routing Table'),
+                'type' => 'bgproutetable'
+            ],
+            [
+                'name' => 'routing6',
+                'endpoint' => '/api/quagga/diagnostics/search_bgproute6',
+                'tabhead' => "IPv6 " . gettext('Routing Table'),
+                'type' => 'bgproutetable'
+            ],
+            [
+                'name' => 'neighbors',
+                'endpoint' => '/api/quagga/diagnostics/bgpneighbors',
+                'tabhead' => gettext('Neighbors'),
+                'type' => 'tree'
+            ],
+            [
+                'name' => 'summary',
+                'endpoint' => '/api/quagga/diagnostics/bgpsummary',
+                'tabhead' => gettext('Summary'),
+                'type' => 'tree'
+            ]
+        ];
+        $this->view->default_tab = 'routing4';
+        $this->view->pick('OPNsense/Quagga/diagnostics');
     }
     public function ospfAction()
     {
-        $this->view->pick('OPNsense/Quagga/diagnosticsospf');
+        $this->view->tabs = [
+            [
+                'name' => 'overview',
+                'endpoint' => '/api/quagga/diagnostics/ospfoverview',
+                'tabhead' => gettext('Overview'),
+                'type' => 'tree'
+            ],
+            [
+                'name' => 'routing',
+                'endpoint' => '/api/quagga/diagnostics/search_ospfroute',
+                'tabhead' => gettext('Routing Table'),
+                'type' => 'ospfroutetable'
+            ],
+            [
+                'name' => 'database',
+                'endpoint' => '/api/quagga/diagnostics/ospfdatabase/plain',
+                'tabhead' => gettext('Database'),
+                'type' => 'text'
+            ],
+            [
+                'name' => 'neighbors',
+                'endpoint' => '/api/quagga/diagnostics/search_ospfneighbor',
+                'tabhead' => gettext('Neighbors'),
+                'type' => 'ospfneighbors'
+            ],
+            [
+                'name' => 'interfaces',
+                'endpoint' => '/api/quagga/diagnostics/ospfinterface',
+                'tabhead' => gettext('Interfaces'),
+                'type' => 'tree'
+            ]
+        ];
+        $this->view->default_tab = 'routing';
+        $this->view->pick('OPNsense/Quagga/diagnostics');
     }
     public function ospfv3Action()
     {
@@ -42,6 +101,27 @@ public function ospfv3Action()
     }
     public function generalAction()
     {
-        $this->view->pick('OPNsense/Quagga/diagnosticsgeneral');
+        $this->view->tabs = [
+            [
+                'name' => 'routing4',
+                'endpoint' => '/api/quagga/diagnostics/search_generalroute4',
+                'tabhead' => gettext('IPv4 Routes'),
+                'type' => 'generalroutetable'
+            ],
+            [
+                'name' => 'routing6',
+                'endpoint' => '/api/quagga/diagnostics/search_generalroute6',
+                'tabhead' => gettext('IPv6 Routes'),
+                'type' => 'generalroutetable'
+            ],
+            [
+                'name' => 'runningconfig',
+                'endpoint' => '/api/quagga/diagnostics/generalrunningconfig/plain',
+                'tabhead' => gettext('Running Configuration'),
+                'type' => 'text'
+            ]
+        ];
+        $this->view->default_tab = 'routing4';
+        $this->view->pick('OPNsense/Quagga/diagnostics');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/diagnostics.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/diagnostics.xml
deleted file mode 100644
index 0c0fff2939..0000000000
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/diagnostics.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<form>
-    <field>
-        <id>diagnostics.bgpneighbor</id>
-        <label>BGP Neighbor</label>
-        <type>text</type>
-        <hint>One of the neighbor IPs</hint>
-    </field>
-</form>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
new file mode 100644
index 0000000000..2473173591
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
@@ -0,0 +1,341 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2023 by Deciso B.V.
+Copyright (C) 2023 Marc Bartelt
+Copyright (C) 2017 Fabian Franz
+Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script src="{{ cache_safe('/ui/js/quagga/diagnostics_utils.js') }}"></script>
+
+<style>
+    .searchbox {
+      margin: 8px;
+    }
+
+    .node-selected {
+        font-weight: bolder;
+    }
+
+    #page_frr_subtitle {
+        margin-left: -2px;
+        > span {
+            font-style: italic;
+        }
+    }
+  </style>
+  <link rel="stylesheet" type="text/css" href="{{ cache_safe(theme_file_or_default('/css/jqtree.css', ui_theme|default('opnsense'))) }}">
+  <script src="{{ cache_safe('/ui/js/tree.jquery.min.js') }}"></script>
+
+<script>
+    'use strict';
+
+    $( document ).ready(function() {
+        updateServiceControlUI('quagga');
+
+        /**
+         * only display the refresh button on the currently active tab
+         */
+        $('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
+          $(".tab-icon").removeClass("fa-refresh");
+          $("#"+e.target.id).find(".tab-icon").addClass("fa-refresh");
+        });
+
+        /**
+         * resize tree widgets on window resize
+         */
+        $(window).on('resize', resizeTreeWidget);
+
+        /**
+         * delayed search for tree widgets
+         */
+        $(".tree_search").keyup(treeSearchKeyUp);
+
+        let all_grids = [];
+
+        {% for tab in tabs %}
+            /**
+             * register refresh event handler for {{ tab['tabhead'] }}
+             */
+            $("#refresh-{{ tab['name'] }}").click(function () {
+            {% switch tab['type'] %}
+                {% case 'generalroutetable' %}
+                {% case 'bgproutetable' %}
+                {% case 'ospfroutetable' %}
+                {% case 'ospfneighbors' %}
+                    if (all_grids["{{ tab['name'] }}"] === undefined) {
+                        /**
+                         * initialize bootgrid table for {{ tab['tabhead'] }}
+                         */
+                        gridopt = {
+                            search: "{{ tab['endpoint'] }}",
+                            options:{
+                                formatters : {
+                                    general_route_code: function(column, row){
+                                        let protocols = {
+                                            'kernel' : {short: 'K', long: '{{ lang._('Kernel') }}'},
+                                            'connected': {short: 'C', long: '{{ lang._('Connected') }}'},
+                                            'bgp': {short: 'B', long: '{{ lang._('BGP') }}'},
+                                            'ospf': {short: 'O', long: '{{ lang._('OSPF') }}'},
+                                            'ospf6': {short: 'O', long: '{{ lang._('OSPFv3') }}'}
+                                        };
+                                        let field = $("<div/>");
+                                        if (protocols[row.protocol] !== undefined) {
+                                            let tmp = protocols[row.protocol];
+                                            field.append($("<abbr>").text(tmp.short).attr('title', tmp.long));
+                                        }
+                                        if(row.selected) {
+                                            field.append($("<abbr>").html("&gt;").attr('title', "{{ lang._('Selected') }}"));
+                                        }
+                                        if(row.installed) {
+                                            field.append($("<abbr>").html("&ast;").attr('title', "{{ lang._('FIB') }}"));
+                                        }
+                                        return field.html();
+                                    },
+                                    boolean: function (column, row) {
+                                        if (row[column.id]) {
+                                            return "<span class=\"fa fa-check\" data-value=\"1\" data-row-id=\"" + row.uuid + "\"></span>";
+                                        } else {
+                                            return "<span class=\"fa fa-times\" data-value=\"0\" data-row-id=\"" + row.uuid + "\"></span>";
+                                        }
+                                    },
+                                    origin: function(column, row) {
+                                        return (row[column.id] === 'incomplete' ? '<abbr title="{{ lang._('Incomplete') }}">&quest;</abbr>' : row[column.id]);
+                                    }
+                                },
+                                responseHandler: function (data) {
+                                    if (data.subtitle !== undefined) {
+                                        $("#page_frr_subtitle").empty();
+                                        $("#page_frr_subtitle").append('<i class="fa fa-fw fa-chevron-right" aria-hidden="true"></i>');
+                                        $("#page_frr_subtitle").append($("<span/>").text(data.subtitle));
+                                    }
+                                    console.log(data);
+                                    return data;
+                                }
+                            }
+                        };
+                        all_grids["{{ tab['name'] }}"] = $("#grid-{{ tab['name'] }}").UIBootgrid(gridopt);
+                        all_grids["{{ tab['name'] }}"].on("loaded.rs.jquery.bootgrid", function (e) {
+                            $("abbr").tooltip();
+                        });
+                    } else {
+                        all_grids["{{ tab['name'] }}"].bootgrid('reload');
+                    }
+                    {% break %}
+                {% case 'tree' %}
+                    ajaxGet("{{ tab['endpoint'] }}", {}, function (data, status) {
+                        if (status == "success") {
+                            let $tree = $("#tree-{{ tab['name'] }}");
+                            if ($("#tree-{{ tab['name'] }} > ul").length == 0) {
+                                $tree.tree({
+                                    data: dict_to_tree(data['response']),
+                                    autoOpen: false,
+                                    dragAndDrop: false,
+                                    selectable: false,
+                                    closedIcon: $('<i class="fa fa-plus-square-o"></i>'),
+                                    openedIcon: $('<i class="fa fa-minus-square-o"></i>'),
+                                    onCreateLi: function(node, $li) {
+                                        let n_title = $li.find('.jqtree-title');
+                                        n_title.text(n_title.text().replace('&gt;','\>').replace('&lt;','\<'));
+                                        if (node.value !== undefined) {
+                                            $li.find('.jqtree-element').append(
+                                                '&nbsp; <strong>:</strong> &nbsp;' + node.value
+                                            );
+                                        }
+                                        if (node.selected) {
+                                            $li.addClass("node-selected");
+                                        } else {
+                                            $li.removeClass("node-selected");
+                                        }
+                                    }
+                                });
+                                // initial view, collapse first level if there's only one node
+                                if (Object.keys(data['response']).length == 1) {
+                                    for (let key in data['response']) {
+                                        $tree.tree('openNode', $tree.tree('getNodeById', key));
+                                    }
+                                }
+                                //open node on label click
+                                $tree.bind('tree.click', function(e) {
+                                    $tree.tree('toggle', e.node);
+                                });
+                            } else {
+                                let curent_state = $tree.tree('getState');
+                                $tree.tree('loadData', dict_to_tree(data['response']));
+                                $tree.tree('setState', curent_state);
+                            }
+                        }
+                    });
+                    $(window).trigger('resize');
+                    {% break %}
+                {% case 'text' %}
+                    ajaxGet("{{ tab['endpoint'] }}", {}, function(data, status) {
+                        if (status == "success") {
+                            $('#text-{{ tab['name'] }}').html(data['response']);
+                        }
+                    });
+                    {% break %}
+            {% endswitch %}
+            });
+
+            /**
+             * perform data fetch via event handler
+             */
+            $("a[id='{{ tab['name'] }}_tab']").on("shown.bs.tab", function (event) {
+                $("#refresh-{{ tab['name'] }}").click();
+            });
+        {% endfor %}
+
+        /**
+         * add "sub title" heading
+         */
+        $("header.page-content-head > div:eq(0) > ul:eq(0) > li:eq(0)").append($("<span id='page_frr_subtitle'/>"));
+
+        /**
+         * activate the default tab
+         */
+        $("a[id='{{ default_tab }}_tab']").click();
+    });
+</script>
+
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    {% for tab in tabs %}
+        <li>
+            <a data-toggle="tab" href="#{{ tab['name'] }}" id="{{tab['name']}}_tab">
+                {{ tab['tabhead'] }} <span id="refresh-{{ tab['name'] }}" class="fa tab-icon fa-refresh" style="cursor: pointer"></span>
+            </a>
+        </li>
+    {% endfor %}
+</ul>
+
+<div class="content-box tab-content" style="padding-bottom: 1.5em;">
+    {% for tab in tabs %}
+        <div id="{{ tab['name'] }}" class="tab-pane fade">
+            {% switch tab['type'] %}
+                {% case 'generalroutetable' %}
+                    <div class="col-sm-12">
+                        <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
+                            <thead>
+                            <tr>
+                                <th data-column-id="protocol" data-searchable="false" data-formatter="general_route_code" data-sortable="false">{{ lang._('Code') }}</th>
+                                <th data-column-id="selected" data-searchable="false" data-visible="false" data-sortable="false">{{ lang._('Selected') }}</th>
+                                <th data-column-id="installed" data-searchable="false" data-visible="false" data-sortable="false">{{ lang._('Installed') }}</th>
+                                <th data-column-id="prefix">{{ lang._('Network') }}</th>
+                                <th data-column-id="distance" data-searchable="false">{{ lang._('Administrative Distance') }}</th>
+                                <th data-column-id="metric" data-searchable="false">{{ lang._('Metric') }}</th>
+                                <th data-column-id="interfaceName">{{ lang._('Interface') }}</th>
+                                <th data-column-id="interfaceDescr">{{ lang._('Interface name') }}</th>
+                                <th data-column-id="via">{{ lang._('Via') }}</th>
+                                <th data-column-id="uptime" data-searchable="false">{{ lang._('Time') }}</th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            </tbody>
+                        </table>
+                    </div>
+                    {% break %}
+                {% case 'bgproutetable' %}
+                    <div class="col-sm-12">
+                        <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
+                            <thead>
+                            <tr>
+                                <th data-column-id="valid" data-searchable="false" data-formatter="boolean" data-sortable="false">{{ lang._('Valid') }}</th>
+                                <th data-column-id="bestpath" data-searchable="false" data-formatter="boolean" data-sortable="false">{{ lang._('Best') }}</th>
+                                <th data-column-id="internal" data-searchable="false" data-formatter="boolean" data-sortable="false">{{ lang._('Internal') }}</th>
+                                <th data-column-id="network" data-width="15%">{{ lang._('Network') }}</th>
+                                <th data-column-id="ip" data-width="25%">{{ lang._('Next Hop') }}</th>
+                                <th data-column-id="metric" data-searchable="false">{{ lang._('Metric') }}</th>
+                                <th data-column-id="locPrf" data-searchable="false">{{ lang._('LocPrf') }}</th>
+                                <th data-column-id="weight" data-searchable="false">{{ lang._('Weight') }}</th>
+                                <th data-column-id="path" data-width="21%">{{ lang._('Path') }}</th>
+                                <th data-column-id="origin" data-width="10%" data-formatter="origin">{{ lang._('Origin') }}</th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            </tbody>
+                        </table>
+                    </div>
+                    {% break %}
+                {% case 'ospfroutetable' %}
+                    <div class="col-sm-12">
+                        <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
+                            <thead>
+                            <tr>
+                                <th data-column-id="type" data-searchable="false" data-formatter="ospf_route_type" data-sortable="false">{{ lang._('Type') }}</th>
+                                <th data-column-id="network">{{ lang._('Network') }}</th>
+                                <th data-column-id="cost" data-searchable="false">{{ lang._('Cost') }}</th>
+                                <th data-column-id="area">{{ lang._('Area') }}</th>
+                                <th data-column-id="via">{{ lang._('Via') }}</th>
+                                <th data-column-id="viainterface">{{ lang._('Via interface') }}</th>
+                                <th data-column-id="viainterfaceDescr">{{ lang._('Via interface name') }}</th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            </tbody>
+                        </table>
+                    </div>
+                    {% break %}
+                {% case 'ospfneighbors' %}
+                    <div class="col-sm-12">
+                        <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
+                            <thead>
+                            <tr>
+                                <th data-column-id="neighborid">{{ lang._('Neighbor ID') }}</th>
+                                <th data-column-id="priority" data-searchable="false">{{ lang._('Priority') }}</th>
+                                <th data-column-id="state">{{ lang._('State') }}</th>
+                                <th data-column-id="deadTimeMsecs" data-searchable="false">{{ lang._('Dead Time') }} &lsqb;ms&rsqb;</th>
+                                <th data-column-id="address">{{ lang._('Address') }}</th>
+                                <th data-column-id="ifaceName">{{ lang._('Interface') }}</th>
+                                <th data-column-id="retransmitCounter" data-searchable="false">{{ lang._('Retransmit Counter') }}</th>
+                                <th data-column-id="requestCounter" data-searchable="false">{{ lang._('Request Counter') }}</th>
+                                <th data-column-id="dbSummaryCounter" data-searchable="false">{{ lang._('DB Summary Counter') }}</th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            </tbody>
+                        </table>
+                    </div>
+                    {% break %}
+                {% case 'tree' %}
+                    <div class="searchbox">
+                        <input
+                            id="search-{{ tab['name'] }}"
+                            type="text"
+                            for="tree-{{tab['name']}}"
+                            class="tree_search"
+                            placeholder="{{ lang._('search') }}"
+                        ></input>
+                    </div>
+                    <div class="treewidget" style="padding: 8px; overflow-y: scroll; height:400px;" id="tree-{{ tab['name'] }}"></div>
+                    {% break %}
+                {% case 'text' %}
+                    <pre id="text-{{ tab['name'] }}"></pre>
+                    {% break %}
+            {% endswitch %}
+        </div>
+    {% endfor %}
+</div>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
deleted file mode 100644
index b0e196ce02..0000000000
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsbgp.volt
+++ /dev/null
@@ -1,143 +0,0 @@
-{#
-
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
-Copyright (C) 2017 Fabian Franz
-Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
-
-{#
-{{ partial("layout_partials/base_form",['fields':diagnosticsForm,'id':'frm_diagnostics_settings'])}}
-#}
-
-<script type="text/x-template" id="routestpl">
-  <h2>{{ lang._('Table Version') }}: <%= tableVersion %></h2>
-  <table class="table table-striped">
-    <thead>
-      <tr>
-        <th data-column-id="valid" data-type="boolean" data-formatter="boolean" data-width="5%">{{ lang._('Valid') }}</th>
-        <th data-column-id="best" data-type="boolean" data-formatter="boolean" data-width="5%">{{ lang._('Best') }}</th>
-        <th data-column-id="internal" data-type="boolean" data-formatter="boolean" data-width="6%">{{ lang._('Internal') }}</th>
-        <th data-column-id="network" data-type="string" data-width="21%">{{ lang._('Network') }}</th>
-        <th data-column-id="nexthop" data-type="string" data-width="21%">{{ lang._('Next Hop') }}</th>
-        <th data-column-id="metric" data-type="numeric" data-width="5%">{{ lang._('Metric') }}</th>
-        <th data-column-id="locprf" data-type="numeric" data-width="5%">{{ lang._('LocPrf') }}</th>
-        <th data-column-id="weight" data-type="numeric" data-width="6%">{{ lang._('Weight') }}</th>
-        <th data-column-id="path" data-type="string" data-width="16%">{{ lang._('Path') }}</th>
-        <th data-column-id="origin" data-type="string" data-formatter="origin" data-width="10%">{{ lang._('Origin') }}</th>
-      </tr>
-    </thead>
-    <tbody>
-      <% _.forEach(routes, function(route_array, network) { %>
-        <% _.forEach(route_array, function(route) { %>
-          <% _.forEach(route['nexthops'], function(nexthop) { %>
-            <tr>
-              <td><%= (typeof(route['valid']) != "undefined" && route['valid']) %></td>
-              <td><%= (typeof(route['bestpath']) != "undefined" && route['bestpath']) %></td>
-              <td><%= (typeof(route['pathFrom']) != "undefined" && route['pathFrom'] == 'internal') %></td>
-              <td><%= network %></td>
-              <td><%= nexthop['ip'] %></td>
-              <td><%= route['metric'] %></td>
-              <td><%= route['locPrf'] %></td>
-              <td><%= route['weight'] %></td>
-              <td><%= (route['path'] == "" ? "{{ lang._('Internal') }}" : route['path']) %></td>
-              <td><%= route['origin'] %></td>
-            </tr>
-          <% }); %>
-        <% }); %>
-      <% }); %>
-    </tbody>
-  </table>
-</script>
-
-<script type="text/javascript" src="/ui/js/quagga/lodash.js"></script>
-<script type="text/javascript">
-let dataconverters = {
-  boolean: {
-    from: function (value) { return (value == 'true') || (value == true); },
-    to: function (value) { return value; }
-  }
-}
-
-let dataformatters = {
-  boolean: function (column, row) {
-    if (row[column.id]) {
-        return "<span class=\"fa fa-check\" data-value=\"1\" data-row-id=\"" + row.uuid + "\"></span>";
-    } else {
-        return "<span class=\"fa fa-times\" data-value=\"0\" data-row-id=\"" + row.uuid + "\"></span>";
-    }
-  },
-  origin: function(column, row) {
-    return (row[column.id] === 'incomplete' ? '<abbr title="{{ lang._('Incomplete') }}">&quest;</abbr>' : row[column.id]);
-  }
-}
-
-$(document).ready(function() {
-  updateServiceControlUI('quagga');
-
-  ajaxCall(url="/api/quagga/diagnostics/bgproute4", sendData={}, callback=function(data, status) {
-    content = _.template($('#routestpl').html())(data['response']);
-    $('#routing').html(content);
-    $('#routing table').bootgrid({
-      formatters: dataformatters
-    });
-  });
-
-  ajaxCall(url="/api/quagga/diagnostics/bgproute6", sendData={}, callback=function(data, status) {
-    content = _.template($('#routestpl').html())(data['response']);
-    $('#routing6').html(content);
-    $('#routing6 table').bootgrid({
-      formatters: dataformatters
-    });
-  });
-
-  ajaxCall(url="/api/quagga/diagnostics/bgpneighbors/plain", sendData={}, callback=function(data, status) {
-    $('#neighborscontent').text(data['response']);
-  });
-
-  ajaxCall(url="/api/quagga/diagnostics/bgpsummary/plain", sendData={}, callback=function(data, status) {
-    $("#summarycontent").text(data['response']);
-  });
-});
-</script>
-
-<!-- Navigation bar -->
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-  <li class="active"><a data-toggle="tab" href="#routing">IPv4 {{ lang._('Routing Table') }}</a></li>
-  <li><a data-toggle="tab" href="#routing6">IPv6 {{ lang._('Routing Table') }}</a></li>
-  <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
-  <li><a data-toggle="tab" href="#summary">{{ lang._('Summary') }}</a></li>
-</ul>
-
-<div class="tab-content content-box tab-content">
-  <div id="routing" class="tab-pane fade in active"></div>
-  <div id="routing6" class="tab-pane fade in"></div>
-  <div id="neighbors" class="tab-pane fade in">
-    <pre id="neighborscontent"></pre>
-  </div>
-  <div id="summary" class="tab-pane fade in">
-    <pre id="summarycontent"></pre>
-  </div>
-</div>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
deleted file mode 100644
index 16c1470190..0000000000
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsgeneral.volt
+++ /dev/null
@@ -1,142 +0,0 @@
-{#
-
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
-Copyright (C) 2017 Fabian Franz
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
-<script src="/ui/js/quagga/lodash.js"></script>
-<script type="text/x-template" id="routestpl">
-  <table class="table table-striped">
-    <thead>
-      <tr>
-        <th data-column-id="code" data-type="string" data-formatter="code">{{ lang._('Code') }}</th>
-        <th data-column-id="selected" data-type="boolean" data-visible="false">{{ lang._('Selected') }}</th>
-        <th data-column-id="installed" data-type="boolean" data-visible="false">{{ lang._('Installed') }}</th>
-        <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
-        <th data-column-id="ad" data-type="numeric">{{ lang._('Administrative Distance') }}</th>
-        <th data-column-id="metric" data-type="numeric">{{ lang._('Metric') }}</th>
-        <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
-        <th data-column-id="via" data-type="string">{{ lang._('Via') }}</th>
-        <th data-column-id="time" data-type="string">{{ lang._('Time') }}</th>
-      </tr>
-    </thead>
-    <tbody>
-      <% _.forEach(routes, function(route_array, network) { %>
-        <% _.forEach(route_array, function(route) { %>
-          <% _.forEach(route['nexthops'], function(nexthop) { %>
-            <tr>
-              <td><%= route['protocol'] %></td>
-              <td><%= (typeof(route['selected']) != "undefined" && route['selected']) %></td>
-              <td><%= (typeof(route['installed']) != "undefined" && route['installed']) %></td>
-              <td><%= network %></td>
-              <td><%= route['distance'] %></td>
-              <td><%= route['metric'] %></td>
-              <td><%= nexthop['interfaceName'] %></td>
-              <td><%= (typeof(nexthop['ip']) != "undefined" ? nexthop['ip'] : '{{ lang._('Directly Attached') }}') %></td>
-              <td><%= route['uptime'] %></td>
-            </tr>
-          <% }); %>
-        <% }); %>
-      <% }); %>
-    </tbody>
-  </table>
-</script>
-
-<script type="text/javascript">
-function translateProtocol(data) {
-  let tr = [];
-
-  // routing table tab
-  tr['kernel'] = {short: 'K', long: '{{ lang._('Kernel') }}'};
-  tr['connected'] = {short: 'C', long: '{{ lang._('Connected') }}'};
-  tr['bgp'] = {short: 'B', long: '{{ lang._('BGP') }}'};
-  tr['ospf'] = {short: 'O', long: '{{ lang._('OSPF') }}'};
-  tr['ospf6'] = {short: 'O', long: '{{ lang._('OSPFv3') }}'};
-
-  return _.has(tr,data) ? tr[data] : data;
-}
-
-let dataconverters = {
-  boolean: {
-    from: function (value) { return (value == 'true') || (value == true); },
-    to: function (value) { return value; }
-  }
-}
-
-let dataformatters = {
-  code: function(column, row) {
-    let result = row.code;
-    let protocol = translateProtocol(row.code);
-
-    if(typeof(protocol) != "string") result = '<abbr title="' + protocol['long'] + '">' + protocol['short'] + '</abbr> ';
-    if(row.selected) result += '<abbr title="{{ lang._('Selected') }}">&gt;</abbr> ';
-    if(row.installed) result += '<abbr title="{{ lang._('FIB') }}">&ast;</abbr>';
-
-    return result;
-  }
-};
-
-$(document).ready(function() {
-  updateServiceControlUI('quagga');
-
-  ajaxCall(url="/api/quagga/diagnostics/generalroute", sendData={}, callback=function(data, status) {
-    let content = _.template($('#routestpl').html())({
-      routes: data['response']['ipv4']
-    });
-    $('#routing').html(content);
-    $('#routing table').bootgrid({
-      converters: dataconverters,
-      formatters: dataformatters
-    });
-    content = _.template($('#routestpl').html())({
-      routes: data['response']['ipv6']
-    });
-    $('#routing6').html(content);
-    $('#routing6 table').bootgrid({
-      converters: dataconverters,
-      formatters: dataformatters
-    });
-  });
-
-  ajaxCall(url="/api/quagga/diagnostics/generalrunningconfig", sendData={}, callback=function(data, status) {
-      $("#runningconfig").text(data['response']);
-  });
-});
-</script>
-
-<!-- Navigation bar -->
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-  <li class="active"><a data-toggle="tab" href="#routing">{{ lang._('IPv4 Routes') }}</a></li>
-  <li><a data-toggle="tab" href="#routing6">{{ lang._('IPv6 Routes') }}</a></li>
-  <li><a data-toggle="tab" href="#showrun">{{ lang._('Running Configuration') }}</a></li>
-</ul>
-
-<div class="tab-content content-box tab-content">
-  <div id="routing" class="tab-pane fade in active"></div>
-  <div id="routing6" class="tab-pane fade in"></div>
-  <div id="showrun" class="tab-pane fade in">
-    <pre id="runningconfig"></pre>
-  </div>
-</div>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
deleted file mode 100644
index 1aa5e08576..0000000000
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospf.volt
+++ /dev/null
@@ -1,475 +0,0 @@
-{#
-
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
-Copyright (C) 2017 Fabian Franz
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
-
-<script type="text/x-template" id="overviewtpl">
-  <h2>{{ lang._('General') }}</h2>
-  <table class="table table-striped">
-    <tbody>
-      <tr>
-        <td>{{ lang._('RFC2328 Conform') }}</td>
-        <td><%= checkmark(rfc2328Conform) %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('ASBR') }}</td>
-        <td><%= checkmark(typeof asbrRouter != 'undefined' && asbrRouter == "injectingExternalRoutingInformation") %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Router ID') }}</td>
-        <td><%= routerId %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('RFC1583 Compatibility') }}</td>
-        <td><%= checkmark(typeof rfc1583Compatibility != "undefined" && rfc1583Compatibility) %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Opaque Capability') }}</td>
-        <td><%= checkmark(typeof opaqueCapable != "undefined" && opaqueCapable) %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Initial SPF Scheduling Delay') }}</td>
-        <td><%= spfScheduleDelayMsecs %> {{ lang._('Milliseconds') }}</td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Minimum Hold Time') }}</td>
-        <td><%= holdtimeMinMsecs %> {{ lang._('Milliseconds') }}</td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Maximum Hold Time') }}</td>
-        <td><%= holdtimeMaxMsecs %> {{ lang._('Milliseconds') }}</td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Current Hold Time Multipier') }}</td>
-        <td><%= holdtimeMultplier %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Refresh Timer') }}</td>
-        <td><%= refreshTimerMsecs %> {{ lang._('Milliseconds') }}</td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Areas Attached Count') }}</td>
-        <td><%= attachedAreaCounter %></td>
-      </tr>
-    </tbody>
-  </table>
-
-  <h2>{{ lang._('Link State Area') }}</h2>
-  <table class="table table-striped">
-    <thead>
-      <tr>
-        <th></th>
-        <th>{{ lang._('Count') }}</th>
-        <th>{{ lang._('Checksum') }}</th>
-      </tr>
-    </thead>
-    <tbody>
-      <tr>
-        <td>{{ lang._('External LSA') }}</td>
-        <td><%= lsaExternalCounter %></td>
-        <td><%= lsaExternalChecksum %></td>
-      </tr>
-      <tr>
-        <td>{{ lang._('Opaque AS LSA') }}</td>
-        <td><%= lsaAsopaqueCounter %></td>
-        <td><%= lsaAsOpaqueChecksum %></td>
-      </tr>
-    </tbody>
-  </table>
-
-  <% if (areas) { %>
-    <h2>{{ lang._('Areas') }}</h2>
-    <% _.forEach(areas, function(area, areaname) { %>
-      <br />
-      <table class="table table-striped">
-        <thead>
-          <tr>
-            <th><%= areaname %></th>
-            <th>{{ lang._('Count') }}</th>
-          </tr>
-        </thead>
-        <tbody>
-          <tr>
-            <td>{{ lang._('Interfaces: Total') }}</td>
-            <td><%= area['areaIfTotalCounter'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('Interfaces: Active') }}</td>
-            <td><%= area['areaIfActiveCounter'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('Fully Adjacent Neighbor Count') }}</td>
-            <td><%= area['nbrFullAdjacentCounter'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('SPF Execution Count') }}</td>
-            <td><%= area['spfExecutedCounter'] %></td>
-          </tr>
-        </tbody>
-      </table>
-      <table class="table table-striped">
-        <thead>
-          <tr>
-            <th>{{ lang._('LSA Type') }}</th>
-            <th>{{ lang._('Count') }}</th>
-            <th>{{ lang._('Checksum') }}</th>
-          </tr>
-        </thead>
-        <tbody>
-          <tr>
-            <td>{{ lang._('Router') }}</td>
-            <td><%= area['lsaRouterNumber'] %></td>
-            <td><%= area['lsaRouterChecksum'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('Network') }}</td>
-            <td><%= area['lsaNetworkNumber'] %></td>
-            <td><%= area['lsaNetworkChecksum'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('Summary') }}</td>
-            <td><%= area['lsaSummaryNumber'] %></td>
-            <td><%= area['lsaSummaryChecksum'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('ASBR Summary') }}</td>
-            <td><%= area['lsaAsbrNumber'] %></td>
-            <td><%= area['lsaAsbrChecksum'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('NSSA') }}</td>
-            <td><%= area['lsaNssaNumber'] %></td>
-            <td><%= area['lsaNssaChecksum'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('Opaque Link') }}</td>
-            <td><%= area['lsaOpaqueLinkNumber'] %></td>
-            <td><%= area['lsaOpaqueLinkChecksum'] %></td>
-          </tr>
-          <tr>
-            <td>{{ lang._('Opaque Area') }}</td>
-            <td><%= area['lsaOpaqueAreaNumber'] %></td>
-            <td><%= area['lsaOpaqueAreaNumber'] %></td>
-          </tr>
-        </tbody>
-      </table>
-    <% }); %>
-  <% } %>
-</script>
-<script type="text/x-template" id="databasetpl">
-<% _.each(_.keys(ospf_database), function(router_id) { %>
-  <h1>{{ lang._('Router ID:')}} <%= router_id %></h1>
-  <hr />
-  <h2>{{ lang._('Router Link State Area') }}</h2>
-  <% _.each(_.keys(ospf_database[router_id]['router_link_state_area']), function(area) { %>
-    <h3>Area <%= area %></h3>
-     <table class="table table-striped">
-      <thead>
-        <tr>
-          <th data-column-id="linkid" data-type="string">{{ lang._('Link ID') }}</th>
-          <th data-column-id="advrouter" data-type="string">{{ lang._('ADV Router') }}</th>
-          <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-          <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
-          <th data-column-id="cksum" data-type="string">{{ lang._('Checksum') }}</th>
-          <th data-column-id="linkcnt" data-type="numeric">{{ lang._('Link Count') }}</th>
-        </tr>
-      </thead>
-      <tbody>
-        <% _.each(ospf_database[router_id]['router_link_state_area'][area], function(entry) { %>
-          <tr>
-            <td><%= entry["Link ID"] %></td>
-            <td><%= entry["ADV Router"] %></td>
-            <td><%= entry["Age"] %></td>
-            <td><%= entry["Seq#"] %></td>
-            <td><%= entry["CkSum"] %></td>
-            <td><%= entry["Link count"] %></td>
-          </tr>
-        <% }); %>
-      </tbody>
-     </table>
-  <% }); %>
-  <h2>{{ lang._('Net Link State Area') }}</h2>
-  <% _.each(_.keys(ospf_database[router_id]['net_link_state_area']), function(area) { %>
-    <h3>{{ lang._('Area:') }} <%= area %></h3>
-     <table class="table table-striped">
-      <thead>
-        <tr>
-          <th data-column-id="linkid" data-type="string">{{ lang._('Link ID') }}</th>
-          <th data-column-id="advrouter" data-type="string">{{ lang._('ADV Router') }}</th>
-          <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-          <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
-          <th data-column-id="cksum" data-type="string">{{ lang._('Checksum') }}</th>
-        </tr>
-      </thead>
-      <tbody>
-        <% _.each(ospf_database[router_id]['net_link_state_area'][area], function(entry) { %>
-          <tr>
-            <td><%= entry["Link ID"] %></td>
-            <td><%= entry["ADV Router"] %></td>
-            <td><%= entry["Age"] %></td>
-            <td><%= entry["Seq#"] %></td>
-            <td><%= entry["CkSum"] %></td>
-          </tr>
-        <% }); %>
-      </tbody>
-     </table>
-  <% }); %>
-  <h2>{{ lang._('External States') }}</h2>
-   <table class="table table-striped">
-    <thead>
-      <tr>
-        <th data-column-id="linkid" data-type="string">{{ lang._('Link ID') }}</th>
-        <th data-column-id="advrouter" data-type="string">{{ lang._('ADV Router') }}</th>
-        <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-        <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
-        <th data-column-id="chsum" data-type="string">{{ lang._('Checksum') }}</th>
-        <th data-column-id="route" data-type="string">{{ lang._('Route') }}</th>
-      </tr>
-    </thead>
-    <tbody>
-      <% _.each(ospf_database[router_id]['external_states'], function(entry) { %>
-        <tr>
-          <td><%= entry["Link ID"] %></td>
-          <td><%= entry["ADV Router"] %></td>
-          <td><%= entry["Age"] %></td>
-          <td><%= entry["Seq#"] %></td>
-          <td><%= entry["CkSum"] %></td>
-          <td><%= entry["Route"] %></td>
-        </tr>
-      <% }); %>
-    </tbody>
-  </table>
-<% }); %>
-</script>
-<script type="text/x-template" id="routestpl">
-  <table class="table table-striped">
-  <thead>
-    <tr>
-      <th data-column-id="type" data-type="string" data-formatter="route_type">{{ lang._('Type') }}</th>
-      <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
-      <th data-column-id="cost" data-type="numeric">{{ lang._('Cost') }}</th>
-      <th data-column-id="area" data-type="string">{{ lang._('Area') }}</th>
-      <th data-column-id="via" data-type="string">{{ lang._('Via') }}</th>
-      <th data-column-id="viainterface" data-type="string">{{ lang._('Via interface') }}</th>
-    </tr>
-  </thead>
-  <tbody>
-    <% _.forEach(routes, function(route, network) { %>
-      <tr>
-        <td><%= route['routeType'] %></td>
-        <td><%= network %></td>
-        <td><%= route['cost'] %></td>
-        <td><%= route['area'] %></td>
-        <td><%= (typeof route['nexthops'][0]['via'] != "undefined" ? route['nexthops'][0]['ip'] : translate('directly attached')) %></td>
-        <td><%= (typeof route['nexthops'][0]['via'] != "undefined" ? route['nexthops'][0]['via'] : route['nexthops'][0]['directly attached to']) %></td>
-      </tr>
-      <% route['nexthops'].shift(); %>
-      <% _.forEach(route['nexthops'], function(nexthop) { %>
-        <tr>
-          <td></td>
-          <td></td>
-          <td></td>
-          <td></td>
-          <td><%= (typeof nexthop['via'] != "undefined" ? nexthop['ip'] : translate('directly attached')) %></td>
-          <td><%= (typeof nexthop['via'] != "undefined" ? nexthop['via'] : nexthop['directly attached to']) %></td>
-        </tr>
-      <% }); %>
-    <% }); %>
-  </tbody>
-</table>
-</script>
-<script type="text/x-template" id="neighbortpl">
-  <table class="table table-striped">
-    <thead>
-      <tr>
-        <th data-column-id="neighborid" data-type="string">{{ lang._('Neighbor ID') }}</th>
-        <th data-column-id="priority" data-type="numeric">{{ lang._('Priority') }}</th>
-        <th data-column-id="state" data-type="string">{{ lang._('State') }}</th>
-        <th data-column-id="deadtime" data-type="string">{{ lang._('Dead Time') }} &lsqb;ms&rsqb;</th>
-        <th data-column-id="address" data-type="string">{{ lang._('Address') }}</th>
-        <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
-        <th data-column-id="rxmtl" data-type="numeric">{{ lang._('Retransmit Counter') }}</th>
-        <th data-column-id="rqstl" data-type="numeric">{{ lang._('Request Counter') }}</th>
-        <th data-column-id="dbsml" data-type="numeric">{{ lang._('DB Summary Counter') }}</th>
-      </tr>
-    </thead>
-    <tbody>
-      <% _.forEach(neighbors, function(connections, neighborId) { %>
-        <% _.forEach(connections, function(connection) { %>
-          <tr>
-            <td><%= neighborId %></td>
-            <td><%= connection['priority'] %></td>
-            <td><%= translate(connection['state']) %></td>
-            <td><%= connection['deadTimeMsecs'] %></td>
-            <td><%= connection['address'] %></td>
-            <td><%= connection['ifaceName'] %></td>
-            <td><%= connection['retransmitCounter'] %></td>
-            <td><%= connection['requestCounter'] %></td>
-            <td><%= connection['dbSummaryCounter'] %></td>
-          </tr>
-        <% }); %>
-      <% }); %>
-    </tbody>
-  </table>
-</script>
-<script type="text/x-template" id="interfacetpl">
-  <% _.forEach(interfaces, function(interface, interfacename) { %>
-    <h2><%= interfacename %></h2>
-    <table class="table table-striped">
-      <tbody>
-        <% _.forEach(interface, function(propertyvalue, propertyname) { %>
-          <tr>
-            <td><%= translate(propertyname) %></td>
-            <td>
-              <% if (typeof(propertyvalue) == "boolean")  { %>
-                <%= checkmark(propertyvalue) %>
-              <% } else { %>
-                <%= translate(propertyvalue) %>
-              <% } %>
-            </td>
-          </tr>
-        <% }); %>
-      </tbody>
-    </table>
-  <% }); %>
-</script>
-<script type="text/javascript" src="/ui/js/quagga/lodash.js"></script>
-<script type="text/javascript">
-function translate(data) {
-  let tr = [];
-  // routing table tab
-  tr['N'] = '{{ lang._('Network') }}';
-  tr['R'] = '{{ lang._('Router') }}';
-  tr['IA'] = '{{ lang._('OSPF inter area') }}';
-  tr['N1'] = '{{ lang._('OSPF NSSA external type 1') }}';
-  tr['N2'] = '{{ lang._('OSPF NSSA external type 2') }}';
-  tr['E1'] = '{{ lang._('OSPF external type 1') }}';
-  tr['E2'] = '{{ lang._('OSPF external type 2') }}';
-  tr['directly attached'] = '{{ lang._('Directly Attached') }}';
-
-  // neighbor tab
-  tr['Full/DR'] = '{{ lang._('Full (Designated Router)') }}';
-
-  // interfaces tab
-  tr['ifUp'] = '{{ lang._('Up') }}';
-  tr['ifIndex'] = '{{ lang._('Index') }}';
-  tr['mtuBytes'] = '{{ lang._('MTU') }} &lsqb;{{ lang._('Bytes') }}&rsqb;';
-  tr['bandwidthMbit'] = '{{ lang._('Bandwidth') }} &lsqb;Mbit/s&rsqb;';
-  tr['ifFlags'] = '{{ lang._('Flags') }}';
-  tr['ospfEnabled'] = '{{ lang._('OSPF Enabled') }}';
-  tr['ipAddress'] = '{{ lang._('Address') }}';
-  tr['ipAddressPrefixlen'] = '{{ lang._('Prefix Length') }}';
-  tr['ospfIfType'] = '{{ lang._('Type') }}';
-  tr['localIfUsed'] = '{{ lang._('Local Interface') }}';
-  tr['area'] = '{{ lang._('Area') }}';
-  tr['routerId'] = '{{ lang._('Router ID') }}';
-  tr['networkType'] = '{{ lang._('Network Type') }}';
-  tr['cost'] = '{{ lang._('Cost') }}';
-  tr['transmitDelaySecs'] = '{{ lang._('Transmit Delay') }} &lsqb;s&rsqb;';
-  tr['state'] = '{{ lang._('State') }}';
-  tr['priority'] = '{{ lang._('Priority') }}';
-  tr['mcastMemberOspfAllRouters'] = '{{ lang._('Multicast') }} {{ lang._('Group') }} {{ lang._('Member') }} OSPFAllRouters';
-  tr['timerMsecs'] = '{{ lang._('Hello Timer') }} &lsqb;ms&rsqb;';
-  tr['timerDeadSecs'] = '{{ lang._('Dead Timer') }} &lsqb;s&rsqb;';
-  tr['timerWaitSecs'] = '{{ lang._('Wait Timer') }} &lsqb;s&rsqb;';
-  tr['timerRetransmitSecs'] = '{{ lang._('Retransmit Timer') }} &lsqb;s&rsqb;';
-  tr['timerPassiveIface'] = '{{ lang._('Passive Interface') }}';
-  tr['timerHelloInMsecs'] = '{{ lang._('Hello Due In') }} &lsqb;ms&rsqb;';
-  tr['nbrCount'] = '{{ lang._('Neighbor Count') }}';
-  tr['nbrAdjacentCount'] = '{{ lang._('Adjacent Neighbor Count') }}';
-
-  return _.has(tr,data) ? tr[data] : data;
-}
-
-function checkmark(bin) {
-  return "<i class=\"fa " + (bin ? "fa-check-square" : "fa-square") + " text-muted\"></i>";
-}
-
-dataformatters = {
-  route_type: function(column, row) {
-    let result = ''
-
-    _.forEach(row.type.split(' '), function(routeType) {
-      if(translate(routeType) == routeType) result += routeType;
-      else result += '<abbr title="' + translate(routeType) + '">' + routeType + '</abbr>';
-      result += ' ';
-    });
-
-    return result;
-  }
-};
-
-$(document).ready(function() {
-  updateServiceControlUI('quagga');
-
-  ajaxCall(url="/api/quagga/diagnostics/ospfoverview", sendData={}, callback=function(data, status) {
-    let content = _.template($('#overviewtpl').html())(data['response']);
-    $('#overview').html(content);
-  });
-  ajaxCall(url="/api/quagga/diagnostics/ospfdatabase", sendData={}, callback=function(data, status) {
-    let content = _.template($('#databasetpl').html())(data['response']);
-    $('#database').html(content);
-  });
-  ajaxCall(url="/api/quagga/diagnostics/ospfroute", sendData={}, callback=function(data, status) {
-    let content = _.template($('#routestpl').html())({
-      routes: data['response']
-    });
-    $('#routing').html(content);
-    $('#routing table').bootgrid({
-      formatters: dataformatters
-    });
-  });
-  ajaxCall(url="/api/quagga/diagnostics/ospfneighbor", sendData={}, callback=function(data, status) {
-    let content = _.template($('#neighbortpl').html())(data['response']);
-    $('#neighbor').html(content);
-    $('#neighbor table').bootgrid({
-      formatters: dataformatters
-    });
-  });
-  ajaxCall(url="/api/quagga/diagnostics/ospfinterface", sendData={}, callback=function(data, status) {
-    let content = _.template($('#interfacetpl').html())(data['response']);
-    $('#interface').html(content);
-  });
-});
-</script>
-
-<!-- Navigation bar -->
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-  <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
-  <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
-  <li><a data-toggle="tab" href="#database">{{ lang._('Database') }}</a></li>
-  <li><a data-toggle="tab" href="#neighbor">{{ lang._('Neighbor') }}</a></li>
-  <li><a data-toggle="tab" href="#interface">{{ lang._('Interface') }}</a></li>
-</ul>
-
-<div class="tab-content content-box tab-content">
-  <div id="overview" class="tab-pane fade in active"></div>
-  <div id="routing" class="tab-pane fade in"></div>
-  <div id="database" class="tab-pane fade in"></div>
-  <div id="neighbor" class="tab-pane fade in"></div>
-  <div id="interface" class="tab-pane fade in"></div>
-</div>
diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
index 73cb70d5ef..1567ace98d 100755
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
@@ -404,7 +404,8 @@ def overview(self):
                     self.myre.search(r'SPF algorithm last executed (.*)', line) or \
                     self.myre.search(r'Last SPF duration (.*)', line) or \
                     self.myre.search(r'SPF last executed (.*)', line) or \
-                    self.myre.search(r'Number of Area scoped LSAs is (.*)', line):
+                    self.myre.search(r'Number of Area scoped LSAs is (.*)', line) or \
+                    self.myre.search(r'Adjacency changes are logged', line):
                 # skip these lines
                 pass
             else:
diff --git a/net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js b/net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js
new file mode 100644
index 0000000000..3d69d2cd94
--- /dev/null
+++ b/net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2015-2022 Deciso B.V.
+ * Copyright (C) 2023 Marc Bartelt
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+'use strict';
+
+/**
+ * shared options for bootgrid tables
+ */
+let gridopt = {
+    formatters: {
+        boolean: function(column, row) {
+            if (row[column.id]) {
+                return '<span class="fa fa-fw fa-check" data-value="1" data-row-id="' + row.uuid + '"></span>';
+            } else {
+                return '';
+            }
+        },
+        ospf_route_type: function(column, row) {
+            let result = '';
+
+            row[column.id].split(' ').forEach(function(routeType) {
+                let translatedRouteType = translateOSPFTerm(routeType)
+
+                if (translatedRouteType === routeType) {
+                    result += routeType;
+                } else {
+                    result += '<abbr title="' + translatedRouteType + '">' + routeType + '</abbr>';
+                }
+
+                result += ' ';
+            });
+
+            return result;
+        },
+        general_route_code: function(column, row) {
+            let result = row.code;
+            let protocol = translateZebraCode(row.code);
+
+            if(typeof(protocol) !== 'string') result = '<abbr title="' + protocol['long'] + '">' + protocol['short'] + '</abbr>';
+            if(row.selected) result += ' <abbr title="Selected">&gt;</abbr>';
+            if(row.installed) result += ' <abbr title="FIB">&ast;</abbr>';
+
+            return result;
+        }
+    }
+};
+
+/**
+ * zebra route codes - translation table
+ */
+function translateZebraCode(data) {
+    let tr = [];
+
+    // routing table tab
+    tr['kernel'] = {short: 'K', long: 'Kernel'};
+    tr['connected'] = {short: 'C', long: 'Connected'};
+    tr['bgp'] = {short: 'B', long: 'BGP'};
+    tr['ospf'] = {short: 'O', long: 'OSPF'};
+    tr['ospf6'] = {short: 'O', long: 'OSPFv3'};
+
+    return ((data in tr) ? tr[data] : data);
+}
+
+
+
+/**
+ * OSPF terms and abbreviations - translation table
+ **/
+function translateOSPFTerm(data) {
+    let tr = [];
+
+    // routing table tab
+    tr['N'] = 'Network';
+    tr['R'] = 'Router';
+    tr['IA'] = 'OSPF inter area';
+    tr['N1'] = 'OSPF NSSA external type 1';
+    tr['N2'] = 'OSPF NSSA external type 2';
+    tr['E1'] = 'OSPF external type 1';
+    tr['E2'] = 'OSPF external type 2';
+
+    return ((data in tr) ? tr[data] : data);
+}
+
+
+/**
+ * tree view: resize widget on window resize
+ */
+function resizeTreeWidget() {
+    let new_height = $(".page-foot").offset().top -
+                     ($(".page-content-head").offset().top + $(".page-content-head").height()) - 160;
+    $(".treewidget").height(new_height);
+    $(".treewidget").css('max-height', new_height + 'px');
+}
+
+/**
+ * tree view: delayed live-search
+ */
+let apply_tree_search_timer = null;
+function treeSearchKeyUp() {
+    let sender = $(this);
+
+    clearTimeout(apply_tree_search_timer);
+    apply_tree_search_timer = setTimeout(function() {
+        let searchTerm = sender.val().toLowerCase();
+        let target = $("#"+sender.attr('for'));
+        let tree = target.tree("getTree");
+        let selected = [];
+        if (tree !== null) {
+            tree.iterate((node) => {
+                let matched = false;
+                if (searchTerm !== "") {
+                    matched = node.name.toLowerCase().includes(searchTerm);
+                    if (!matched && typeof node.value === 'string') {
+                        matched = node.value.toLowerCase().includes(searchTerm);
+                    }
+                }
+                node["selected"] = matched;
+
+                if (matched) {
+                    selected.push(node);
+                    if (node.isFolder()) {
+                        node.is_open = true;
+                    }
+                    let parent = node.parent;
+                    while (parent) {
+                        parent.is_open = true;
+                        parent = parent.parent;
+                    }
+                } else if (node.isFolder()) {
+                    node.is_open = false;
+                }
+
+                return true;
+            });
+            target.tree("refresh");
+            if (selected.length > 0) {
+                target.tree('scrollToNode', selected[0]);
+            }
+        }
+    }, 500);
+}
+
+/**
+ * jqtree expects a list + dict type structure, transform key value store into expected output
+ * https://mbraak.github.io/jqTree/#general
+ */
+ function dict_to_tree(node, path) {
+    // some entries are lists, try use a name for the nodes in that case
+    let node_name_keys = ['name', 'interface-name'];
+    let result = [];
+    if ( path === undefined) {
+        path = "";
+    } else {
+        path = path + ".";
+    }
+    for (let key in node) {
+        if (typeof node[key] === "function") {
+            continue;
+        }
+        let item_path = path + key;
+        if (node[key] instanceof Object) {
+            let node_name = key;
+            for (let idx=0; idx < node_name_keys.length; ++idx) {
+                if (/^(0|[1-9]\d*)$/.test(node_name) && node[key][node_name_keys[idx]] !== undefined) {
+                    node_name = node[key][node_name_keys[idx]];
+                    break;
+                }
+            }
+            result.push({
+                name: node_name,
+                id: item_path,
+                children: dict_to_tree(node[key], item_path)
+            });
+        } else {
+            result.push({
+                name: key,
+                value: node[key],
+                id: item_path
+            });
+        }
+    }
+    return result;
+}

From 805db7f21c0c47e002163834b59a518603b34bc0 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 27 Jun 2023 07:29:02 +0200
Subject: [PATCH 1466/3088] Zabbix Agent 6.4 (#3461)

---
 net-mgmt/zabbix-agent/Makefile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 696075de31..453f7a5fda 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -3,7 +3,10 @@ PLUGIN_VERSION=		1.13
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix62 zabbix6 zabbix5
+PLUGIN_VARIANTS=	zabbix6 zabbix62 zabbix64 zabbix5
+
+zabbix64_NAME=		zabbix64-agent
+zabbix64_DEPENDS=	zabbix64-agent
 
 zabbix62_NAME=		zabbix62-agent
 zabbix62_DEPENDS=	zabbix62-agent

From 8b4c189e09e086aeb1cc36e79263fd3d268949b3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Jun 2023 08:40:54 +0200
Subject: [PATCH 1467/3088] net/frr: style sweep

---
 .../OPNsense/Quagga/Api/DiagnosticsController.php           | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index 76f0cf6a2c..c9e7f3ff57 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -91,7 +91,7 @@ public function generalroute4Action($format = "json"): array
     public function searchGeneralroute4Action(): array
     {
         $records = [];
-        foreach($this->getInformation("general", "route4", "json")['response'] as $routes) {
+        foreach ($this->getInformation('general', 'route4', 'json')['response'] as $routes) {
             foreach ($routes as $route) {
                 foreach ($route['nexthops'] as $nexthop) {
                     $nexthop = array_merge($route, $nexthop);
@@ -113,7 +113,7 @@ public function generalroute6Action($format = "json"): array
     public function searchGeneralroute6Action(): array
     {
         $records = [];
-        foreach($this->getInformation("general", "route6", "json")['response'] as $routes) {
+        foreach ($this->getInformation('general', 'route6', 'json')['response'] as $routes) {
             foreach ($routes as $route) {
                 foreach ($route['nexthops'] as $nexthop) {
                     $nexthop = array_merge($route, $nexthop);
@@ -258,7 +258,7 @@ public function searchOspfrouteAction(): array
     {
         $records = [];
         $payload = $this->getInformation("ospf", "route", "json")['response'];
-        foreach($payload as $net => $network) {
+        foreach ($payload as $net => $network) {
             if (empty($network['nexthops'])) {
                 continue;
             }

From 6b2809053ccd42d1c79eb60ca6ac0f42ceadcbf9 Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 27 Jun 2023 16:32:57 +0200
Subject: [PATCH 1468/3088] security/acme: support TrueNAS Core Server
 deployhook, closes #3421

---
 security/acme-client/Makefile                 |  2 +-
 security/acme-client/pkg-descr                |  5 ++
 .../AcmeClient/forms/dialogAction.xml         | 23 +++++++++
 .../AcmeClient/LeAutomation/AcmeTruenas.php   | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 20 ++++++++
 5 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenas.php

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 216a92e59f..6f2df7bd3d 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.17
+PLUGIN_VERSION=		3.18
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 931a9eb077..a2aafd3fb9 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.18
+
+Added:
+* add support for TrueNAS deployhook (#3421)
+
 3.17
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 2059a2e67d..906dd9cdef 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -283,6 +283,29 @@
         <label>Host</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_truenas</style>
+    </field>
+    <field>
+        <id>action.acme_truenas_apikey</id>
+        <label>TrueNAS API key</label>
+        <type>text</type>
+        <help>API key generated in the TrueNAS web UI.</help>
+    </field>
+    <field>
+        <id>action.acme_truenas_hostname</id>
+        <label>TrueNAS hostname</label>
+        <type>text</type>
+        <help>Hostname or IP adress of TrueNAS Core Server.</help>
+    </field>
+    <field>
+        <id>action.acme_truenas_scheme</id>
+        <label>TrueNAS scheme</label>
+        <type>dropdown</type>
+        <help>Connection scheme that will be used when uploading certificates to TrueNAS Core Server.</help>
+    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenas.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenas.php
new file mode 100644
index 0000000000..22cd3180b7
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenas.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook truenas
+ * @package OPNsense\AcmeClient
+ */
+class AcmeTruenas extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DEPLOY_TRUENAS_APIKEY'] = (string)$this->config->acme_truenas_apikey;
+        $this->acme_env['DEPLOY_TRUENAS_HOSTNAME'] = (string)$this->config->acme_truenas_hostname;
+        $this->acme_env['DEPLOY_TRUENAS_SCHEME'] = (string)$this->config->acme_truenas_scheme;
+        $this->acme_args[] = '--deploy-hook truenas --insecure';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 8aeea9d0bd..1eca8d91b8 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1174,6 +1174,7 @@
                         <acme_panos>Upload certificate to Palo Alto Networks Firewall</acme_panos>
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
+                        <acme_truenas>Upload certificate to TrueNAS Core Server</acme_truenas>
                         <acme_unifi>Update local Unifi keystore</acme_unifi>
                         <configd_generic>System or Plugin Command</configd_generic>
                     </OptionValues>
@@ -1380,6 +1381,25 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_panos_host>
+                <acme_truenas_apikey type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_truenas_apikey>
+                <acme_truenas_hostname type="HostnameField">
+                    <default>localhost</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_truenas_hostname>
+                <acme_truenas_scheme type="OptionField">
+                    <default>http</default>
+                    <Required>N</Required>
+                    <OptionValues>
+                        <http>HTTP [default]</http>
+                        <https>HTTPS</https>
+                    </OptionValues>
+                </acme_truenas_scheme>
                 <acme_unifi_keystore type="TextField">
                     <default>/usr/local/share/java/unifi/data/keystore</default>
                     <Required>N</Required>

From ca9bd30a95c5b47286aac46f5c7b99ab3d36650d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Tue, 27 Jun 2023 17:48:24 +0200
Subject: [PATCH 1469/3088] net/frr - BFD diagnostics in new style (#3487)

* BFD diagnostics in new style.

* Add tree support for BFD diagnostics.

* net/frr - cleanups for BFD diagnostics (https://github.com/opnsense/plugins/pull/3485).

* net/frr - cleanups for BFD diagnostics (https://github.com/opnsense/plugins/pull/3485).

parse summary data and wrap into bootgrid.

* net/frr - cleanups for BFD diagnostics (https://github.com/opnsense/plugins/pull/3485).

trim frr summary info.

---------

Co-authored-by: Mark O. Stitson <mark@stitson.com>
---
 .../Quagga/Api/DiagnosticsController.php      | 42 ++++++++++++++++++-
 .../OPNsense/Quagga/DiagnosticsController.php | 25 +++++++++++
 .../app/models/OPNsense/Quagga/Menu/Menu.xml  |  1 +
 .../views/OPNsense/Quagga/diagnostics.volt    | 17 ++++++++
 .../conf/actions.d/actions_quagga.conf        | 18 ++++++++
 5 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index c9e7f3ff57..59d30d1a43 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -237,7 +237,7 @@ public function ospfneighborAction($format = "json"): array
     public function searchOspfneighborAction(): array
     {
         $records = [];
-        $payload = $this->getInformation("ospf", "neighbor", "json")['response'];
+        $payload = $this->getInformation("ospf", "neighbor", "json");
         if (!empty($payload['neighbors'])) {
             foreach ($payload['neighbors'] as $neighborid => $neighbor) {
                 foreach ($neighbor as $item) {
@@ -312,4 +312,44 @@ public function ospfv3interfaceAction($format = "json"): array
     {
         return $this->getInformation("ospfv3", "interface", $format);
     }
+
+    private function bfdTreeFetch($topic)
+    {
+        $records = [];
+        $payload = $this->getInformation("bfd", $topic, "json")['response'];
+        if (!empty($payload)) {
+            foreach ($payload as $peer) {
+                $peerid = $peer['peer'];
+                $records[$peerid] = $peer;
+            }
+        }
+        return  ["response" => $records];
+    }
+
+    public function bfdsummaryAction(): array
+    {
+        $records = [];
+        foreach (explode("\n", $this->getInformation("bfd", "summary", "plain")['response']) as $line) {
+            $parts = preg_split('/\s+/', trim($line));
+            if (count($parts) == 4 && filter_var($parts[0], FILTER_VALIDATE_INT) !== false) {
+                $records[] = [
+                    'id' => $parts[0],
+                    'local' => $parts[1],
+                    'peer' => $parts[2],
+                    'status' => $parts[3]
+                ];
+            }
+        }
+        return $this->searchRecordsetBase($records);
+    }
+
+    public function bfdneighborsAction(): array
+    {
+        return $this->bfdTreeFetch('neighbors');
+    }
+
+    public function bfdcountersAction(): array
+    {
+        return $this->bfdTreeFetch('counters');
+    }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
index 923e0d3ede..15b1e440b9 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
@@ -95,6 +95,31 @@ public function ospfAction()
         $this->view->default_tab = 'routing';
         $this->view->pick('OPNsense/Quagga/diagnostics');
     }
+    public function bfdAction()
+    {
+        $this->view->tabs = [
+            [
+                'name' => 'summary',
+                'endpoint' => '/api/quagga/diagnostics/bfdsummary',
+                'tabhead' => gettext('Summary'),
+                'type' => 'bfdsummary'
+            ],
+            [
+                'name' => 'neighbors',
+                'endpoint' => '/api/quagga/diagnostics/bfdneighbors',
+                'tabhead' => gettext('Neighbors'),
+                'type' => 'tree'
+            ],
+            [
+                'name' => 'counters',
+                'endpoint' => '/api/quagga/diagnostics/bfdcounters',
+                'tabhead' => gettext('Counters'),
+                'type' => 'tree'
+            ]
+	];
+        $this->view->default_tab = 'summary';
+        $this->view->pick('OPNsense/Quagga/diagnostics');
+    }
     public function ospfv3Action()
     {
         $this->view->pick('OPNsense/Quagga/diagnosticsospfv3');
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
index 450399f57a..2a0fc1634f 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
@@ -12,6 +12,7 @@
       <OSPF VisibleName="OSPF" url="/ui/quagga/diagnostics/ospf" order="20" />
       <OSPFv3 VisibleName="OSPFv3" url="/ui/quagga/diagnostics/ospfv3" order="25" />
       <BGP VisibleName="BGP" url="/ui/quagga/diagnostics/bgp" order="40" />
+      <BFD VisibleName="BFD" url="/ui/quagga/diagnostics/bfd" order="50" />
       <LOG VisibleName="Log" url="/ui/diagnostics/log/routing/frr" order="100" />
     </Diagnostics>
   </Routing>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
index 2473173591..9e8524b63b 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
@@ -86,6 +86,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 {% case 'bgproutetable' %}
                 {% case 'ospfroutetable' %}
                 {% case 'ospfneighbors' %}
+                {% case 'bfdsummary' %}
                     if (all_grids["{{ tab['name'] }}"] === undefined) {
                         /**
                          * initialize bootgrid table for {{ tab['tabhead'] }}
@@ -320,6 +321,22 @@ POSSIBILITY OF SUCH DAMAGE.
                         </table>
                     </div>
                     {% break %}
+                {% case 'bfdsummary' %}
+                    <div class="col-sm-12">
+                        <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
+                            <thead>
+                            <tr>
+                                <th data-column-id="id">{{ lang._('SessionId') }}</th>
+                                <th data-column-id="local" data-searchable="false">{{ lang._('LocalAddress') }}</th>
+                                <th data-column-id="peer">{{ lang._('PeerAddress') }}</th>
+                                <th data-column-id="status" data-searchable="false">{{ lang._('Status') }}</th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            </tbody>
+                        </table>
+                    </div>
+                    {% break %}
                 {% case 'tree' %}
                     <div class="searchbox">
                         <input
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index e7dade6771..89a3822904 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -221,6 +221,24 @@ parameters:
 type:script_output
 message:FRR diagnostics "show ip ospf interface json"
 
+[diagnostics.bfd_neighbors_json]
+command:/usr/local/bin/vtysh -c "show bfd peers json"
+parameters:
+type:script_output
+message:FRR diagnostics "show bfd peers json"
+
+[diagnostics.bfd_summary]
+command:/usr/local/bin/vtysh -c "show bfd peers brief"
+parameters:
+type:script_output
+message:FRR diagnostics "show bfd peers brief"
+
+[diagnostics.bfd_counters_json]
+command:/usr/local/bin/vtysh -c "show bfd peers counters json"
+parameters:
+type:script_output
+message:FRR diagnostics "show bfd peers counters json"
+
 [diagnostics.ospfv3_overview]
 command:/usr/local/bin/vtysh -c "show ipv6 ospf6"
 parameters:

From 92cbb2fd69063f28a25a6b4fe280fff0bc73c592 Mon Sep 17 00:00:00 2001
From: Gavin Chappell <gavin.chappell@gmail.com>
Date: Wed, 28 Jun 2023 09:22:37 +0100
Subject: [PATCH 1470/3088] net-mgmt/telegraf: don't set timeout for disabled
 InfluxDB v2 (#3313)

* net-mgmt/telegraf: don't set timeout for disabled InfluxDB v2

* forgot to version bump
---
 net-mgmt/telegraf/Makefile                                    | 2 +-
 net-mgmt/telegraf/pkg-descr                                   | 4 ++++
 .../service/templates/OPNsense/Telegraf/telegraf.conf         | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 733b7e9b47..cf99371802 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.7
+PLUGIN_VERSION=		1.12.8
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 8af2c6b71d..1d198749ad 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.8
+
+* bug: fix InfluxDB v2 template to remove erroneous `timeout` value (issue #3265, contributed by Gavin Chappell)
+
 1.12.7
 
 * Add Influx v2 flush timeout
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 489aadf80a..c814150b92 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -175,10 +175,10 @@
 {%   else %}
   insecure_skip_verify = false
 {%   endif %}
-{% endif %}
 {%   if helpers.exists('OPNsense.telegraf.output.influx_v2_timeout') and OPNsense.telegraf.output.influx_v2_timeout != '' %}
   timeout = "{{ OPNsense.telegraf.output.influx_v2_timeout }}s"
 {%   endif %}
+{% endif %}
 
 {% if helpers.exists('OPNsense.telegraf.input.cpu') and OPNsense.telegraf.input.cpu == '1' %}
 [[inputs.cpu]]

From fff781bb2f6105ea1204da6c4895db3a28cd31fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Victor=20H=C3=A4ggqvist?=
 <victorhaggqvist@users.noreply.github.com>
Date: Wed, 28 Jun 2023 10:24:57 +0200
Subject: [PATCH 1471/3088] net/wireguard: widget, fix/improve colum public key
 overlapping latest handshake (#3349)

fixes public key overlapping latest handshake, moving the ellipsis to
css to allow full display and fix current overlap
---
 net/wireguard/src/www/widgets/widgets/wireguard.widget.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
index 2821332162..6c704030a9 100644
--- a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
+++ b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
@@ -60,14 +60,12 @@
 $(window).on("load", function() {
     function wgGenerateRow(name, interface, peerName, publicKey, latestHandshake, status)
     {
-        publicKeyShort = publicKey.slice(0, 19) + '...';
-
         var tr = ''
         +'<tr>'
         +'    <td>' + name + '</td>'
         +'    <td>' + interface + '</td>'
         +'    <td>' + peerName  + '</td>'
-        +'    <td title="' + publicKey + '">' + publicKeyShort  + '</td>'
+        +'    <td style="overflow: hidden; text-overflow: ellipsis;" title="' + publicKey + '">' + publicKey  + '</td>'
         +'    <td>' + latestHandshake + '</td>'
         +'</tr>';
 

From cae1df1eca250e578e48990a8cb49b7511b38ba4 Mon Sep 17 00:00:00 2001
From: krbrs <57227244+krbrs@users.noreply.github.com>
Date: Wed, 28 Jun 2023 10:44:46 +0200
Subject: [PATCH 1472/3088] www/nginx - Update index.volt (#3464)

Fix width of commands column to display "delete" symbol again. Fixes https://github.com/opnsense/plugins/issues/3448
---
 .../mvc/app/views/OPNsense/Nginx/index.volt   | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index 7a876e42ce..475ff2159c 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -234,7 +234,7 @@
                 <th data-column-id="sqli_block_score" data-type="string" data-sortable="true" data-visible="false">{{ lang._('SQLi Score') }}</th>
                 <th data-column-id="custom_policy" data-type="string" data-width="50%" data-sortable="true" data-visible="false">{{ lang._('WAF Policies') }}</th>
                 <th data-column-id="force_https" data-type="numeric" data-width="10em" data-sortable="true" data-visible="true" data-formatter="boolean">{{ lang._('Force HTTPS') }}</th>
-                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -260,7 +260,7 @@
                 <th data-column-id="server" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Server') }}</th>
                 <th data-column-id="port" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Port') }}</th>
                 <th data-column-id="priority" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Priority') }}</th>
-                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -287,7 +287,7 @@
                 <th data-column-id="serverentries" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Servers') }}</th>
                 <th data-column-id="load_balancing_algorithm" data-type="string" data-sortable="false" data-visible="false">{{ lang._('Load Balancing') }}</th>
                 <th data-column-id="tls_enable" data-type="numeric" data-width="12em" data-sortable="false" data-visible="true" data-formatter="boolean">{{ lang._('TLS Enabled') }}</th>
-                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -308,7 +308,7 @@
             <thead>
             <tr>
                 <th data-column-id="username" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Username') }}</th>
-                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -330,7 +330,7 @@
             <tr>
                 <th data-column-id="name" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Name') }}</th>
                 <th data-column-id="users" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Users') }}</th>
-                <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>
@@ -359,7 +359,7 @@
                     <th data-column-id="listen_http_address" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTP Address') }}</th>
                     <th data-column-id="listen_https_address" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('HTTPS Address') }}</th>
                     <th data-column-id="default_server" data-type="numeric" data-width="7em" data-sortable="true" data-visible="true" data-formatter="boolean">{{ lang._('Default') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -383,7 +383,7 @@
                     <th data-column-id="certificate" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Certificate') }}</th>
                     <th data-column-id="udp" data-type="numeric" data-sortable="true" data-visible="true" data-formatter="boolean">{{ lang._('UDP') }}</th>
                     <th data-column-id="listen_address" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Address') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -407,7 +407,7 @@
                     <th data-column-id="source" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Source URL') }}</th>
                     <th data-column-id="destination" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Destination URL') }}</th>
                     <th data-column-id="flag" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Flag') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -442,7 +442,7 @@
                     <th data-column-id="value" data-type="string" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Value') }}</th>
                     <th data-column-id="naxsi_rules" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Rules') }}</th>
                     <th data-column-id="action" data-type="string" data-width="12em" data-sortable="true" data-visible="true">{{ lang._('Action') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -469,7 +469,7 @@
                     <th data-column-id="score" data-type="numeric" data-width="7em" data-sortable="true" data-visible="true">{{ lang._('Score') }}</th>
                     <th data-column-id="match_value" data-type="string" data-sortable="true" data-visible="false">{{ lang._('Value') }}</th>
                     <th data-column-id="message" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Message') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -495,7 +495,7 @@
                     <th data-column-id="hsts" data-type="string" data-sortable="true" data-visible="true">{{ lang._('HSTS') }}</th>
                     <th data-column-id="csp" data-type="string" data-sortable="true" data-visible="true">{{ lang._('CSP') }}</th>
                     <th data-column-id="csp_details" data-type="string" data-sortable="true" data-visible="false">{{ lang._('CSP Rules') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -519,7 +519,7 @@
                     <th data-column-id="size" data-type="numeric" data-sortable="true" data-visible="true">{{ lang._('Size') }}</th>
                     <th data-column-id="inactive" data-type="numeric" data-sortable="true" data-visible="true">{{ lang._('Inactive') }}</th>
                     <th data-column-id="max_size" data-type="numeric" data-sortable="true" data-visible="true">{{ lang._('Max Size') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -544,7 +544,7 @@
                     <th data-column-id="size" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Size') }}</th>
                     <th data-column-id="rate" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Rate') }}</th>
                     <th data-column-id="rate_unit" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Rate Unit') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -569,7 +569,7 @@
                     <th data-column-id="connection_count" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Connection Count') }}</th>
                     <th data-column-id="burst" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Burst') }}</th>
                     <th data-column-id="nodelay" data-type="string" data-sortable="true" data-visible="true">{{ lang._('No Delay') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -590,7 +590,7 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -611,7 +611,7 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -634,7 +634,7 @@
                     <th data-column-id="name" data-width="15%" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Name') }}</th>
                     <th data-column-id="statuscodes" data-type="string" data-formatter="statuscodes" data-sortable="false" data-visible="true">{{ lang._('Status Codes') }}</th>
                     <th data-column-id="response" data-width="13em" data-type="string" data-formatter="response" data-sortable="true">{{ lang._('Response') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -655,7 +655,7 @@
             <thead>
                 <tr>
                     <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>
@@ -679,7 +679,7 @@
                     <th data-column-id="host" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Host') }}</th>
                     <th data-column-id="facility" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Facility') }}</th>
                     <th data-column-id="severity" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Severity') }}</th>
-                    <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
             <tbody>

From e9044ac811972c3bdac163dddd404d1c5611e2c3 Mon Sep 17 00:00:00 2001
From: Evgeny Grin <k2k@narod.ru>
Date: Thu, 22 Dec 2022 15:14:51 +0300
Subject: [PATCH 1473/3088] dns/dnscrypt-proxy: fix GUI with more than one
 disabled server

---
 dns/dnscrypt-proxy/pkg-descr                               | 4 ++++
 .../mvc/app/models/OPNsense/Dnscryptproxy/General.xml      | 7 +++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 660be17e3b..aec6d08b15 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
+1.14
+
+* Fix display of the config with more than one disabled server in GUI (contributed by Evgeny Grin (karlson2k))
+
 1.13
 
 * Add necessary hooks to allow the plugin to be used as a standalone core DNS server
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index 0978e7a5ad..f7a64b9072 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -140,12 +140,11 @@
             <default>1</default>
             <Required>Y</Required>
         </query_logs>
-        <disabled_serverlist type="TextField">
-            <mask>/^([a-z0-9.,\-]{1,70})$/</mask>
+        <disabled_serverlist type="CSVListField">
+            <mask>/^[A-Za-z0-9\._\-]{1,70}(,[A-Za-z0-9\._\-]{1,70})*$/</mask>
             <default></default>
             <Required>N</Required>
-            <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <ValidationMessage>Please use valid server names.</ValidationMessage>
         </disabled_serverlist>
         <relaylist type="CSVListField">
             <Required>N</Required>

From f37375f4b8bf7ea20e9677d0bbeabb7ae97226ff Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 29 Jun 2023 09:29:45 +0200
Subject: [PATCH 1474/3088] sysutils/smart: use `smartctl --scan' as disk
 source; closes #3236

---
 sysutils/smart/Makefile                              |  2 +-
 .../opnsense/scripts/OPNsense/Smart/detailed_list.sh | 12 +++---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index b0863f9fb9..111cc3115f 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=		1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh b/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
index d8a3b55c18..73a2f65677 100755
--- a/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
+++ b/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
@@ -27,21 +27,15 @@
 
 RESULT=
 
-for DEV in $(sysctl -n kern.disks); do
+for DEV in $(smartctl --scan | awk '{ print $1 }'); do
     IDENT=$(/usr/sbin/diskinfo -s ${DEV})
-
-    if [ "${DEV#nvd}" != "${DEV}" ]; then
-        # the disk formerly know as nvdX
-        DEV="nvme${DEV#nvd}"
-    fi
-
-    STATE=$(/usr/local/sbin/smartctl -jH /dev/${DEV})
+    STATE=$(/usr/local/sbin/smartctl -jH ${DEV})
 
     if [ -n "${RESULT}" ]; then
         RESULT="${RESULT},";
     fi
 
-    RESULT="${RESULT}{\"device\":\"${DEV}\",\"ident\":\"${IDENT}\",\"state\":${STATE}}";
+    RESULT="${RESULT}{\"device\":\"${DEV##/dev/}\",\"ident\":\"${IDENT}\",\"state\":${STATE}}";
 done
 
 echo "[${RESULT}]"

From 14dda8a1d3593e11546c32e59c8da5b05bdc512d Mon Sep 17 00:00:00 2001
From: MarkStitson <mark@stitson.com>
Date: Sun, 2 Jul 2023 17:30:06 +0100
Subject: [PATCH 1475/3088] net/frr - BFD for OSPF (#3488)

* BFD for OSPF/OSPF6
---
 .../OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml      | 6 ++++++
 .../OPNsense/Quagga/forms/dialogEditOSPFInterface.xml       | 6 ++++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml    | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml   | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 4 ++--
 .../opnsense/service/templates/OPNsense/Quagga/ospf6d.conf  | 3 +++
 .../opnsense/service/templates/OPNsense/Quagga/ospfd.conf   | 3 +++
 7 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
index 2ddc6d8160..ec7300f00e 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
@@ -63,6 +63,12 @@
     <label>Priority</label>
     <type>text</type>
   </field>
+  <field>
+    <id>interface.bfd</id>
+    <label>BFD</label>
+    <type>checkbox</type>
+    <help>You can enable BFD support for this interface. You will also need to configure BFD peers.</help>
+  </field>
   <field>
     <id>interface.networktype</id>
     <label>Network Type</label>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
index 34842de349..d46200e626 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
@@ -74,6 +74,12 @@
     <label>Priority</label>
     <type>text</type>
   </field>
+  <field>
+    <id>interface.bfd</id>
+    <label>BFD</label>
+    <type>checkbox</type>
+    <help>You can enable BFD support for this interface. You will also need to configure BFD peers.</help>
+  </field>
   <field>
     <id>interface.networktype</id>
     <label>Network Type</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 1a676a02c7..22f3cecc4d 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -217,6 +217,10 @@
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
                         </priority>
+			<bfd type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </bfd>
                         <networktype type="OptionField">
                                 <Required>N</Required>
                                 <multiple>N</multiple>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index b6a9b1b65e..47da7c5d09 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -102,6 +102,10 @@
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
                         </priority>
+			<bfd type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </bfd>
                         <networktype type="OptionField">
                                 <Required>N</Required>
                                 <multiple>N</multiple>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index d608696c01..041f0b8e51 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -60,7 +60,7 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}
  neighbor {{ neighbor.address }} remote-as {{ neighbor.remoteas }}
-{%         if 'bfd' in neighbor and neighbor.bfd == '1' %}
+{%         if neighbor.bfd|default('') == '1' %}
  neighbor {{ neighbor.address }} bfd
 {%         endif %}
 {%         if 'password' in neighbor and neighbor.password != '' %}
@@ -107,7 +107,7 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
   network {{ network }}
 {%   endfor %}
 {%   for neighbor in neighbors[addressFamily] %}
-  neighbor {{ neighbor.address }} activate
+ neighbor {{ neighbor.address }} activate
 {%     if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}
   neighbor {{ neighbor.address }} next-hop-self {% if 'nexthopselfall' in neighbor and neighbor.nexthopselfall == '1' %}all{%  endif %}
 
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index 92fb578d97..8aabfb7bce 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -25,6 +25,9 @@ agentx
 {%   for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
 {%     if interface.enabled == '1' %}
 interface {{ physical_interface(interface.interfacename) }}
+{%        if interface.bfd|default('') == '1' %}
+  ipv6 ospf6 bfd
+{%        endif %}
 {% if interface.networktype  %}
   ipv6 ospf6 network {{ interface.networktype }}
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index 350f4925cb..0177496458 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -25,6 +25,9 @@ agentx
 {%   for interface in helpers.toList('OPNsense.quagga.ospf.interfaces.interface') %}
 {%     if interface.enabled == '1' %}
 interface {{ physical_interface(interface.interfacename) }}
+{%        if interface.bfd|default('') == '1' %}
+  ip ospf bfd
+{%        endif %}
 {% if interface.networktype %}
 {{       cline("network",interface.networktype)
 }}{% endif %}

From 5c3d27cc5162a9c46ed200a78f6e482cb9b08fd5 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Tue, 4 Jul 2023 11:23:59 +0200
Subject: [PATCH 1476/3088] net/frr: Add checkbox for bgp neighbor changes
 (#3490)

---
 net/frr/Makefile                                            | 2 +-
 net/frr/pkg-descr                                           | 4 ++++
 .../mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml       | 6 ++++++
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 3 +++
 5 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 9777e398b1..d07fdad5a8 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.33
+PLUGIN_VERSION=		1.34
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 00f77cfffd..f142eaecf2 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.34
+
+* Add checkbox to log BGP neighbor changes
+
 1.33
 
 * Allow both IPv4 and IPv6 in BGP via setkey (contributed by as8net)
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index d759166c5c..37b182e1a6 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -40,6 +40,12 @@
         <advanced>true</advanced>
         <help>When enabled (default), BGP only announces networks set at 'Network' if they are present in the routers routing table (alternatively, you can also set a null-route via System -> Routes). If disabled, all configured networks will be announced.</help>
     </field>
+    <field>
+        <id>bgp.logneighborchanges</id>
+        <label>Log Neighbor Changes</label>
+        <type>checkbox</type>
+        <help>This will activate exetended logging of BGP neighbor changes.</help>
+    </field>
     <field>
         <id>bgp.redistribute</id>
         <label>Route Redistribution</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 626da2339a..c84a709438 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -25,6 +25,10 @@
             <default>1</default>
             <Required>Y</Required>
         </networkimportcheck>
+        <logneighborchanges type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </logneighborchanges>
         <networks type="CSVListField">
             <default></default>
             <Required>N</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 041f0b8e51..45ad88f64c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -43,6 +43,9 @@ frr defaults {{ OPNsense.quagga.general.profile }}
 !
 {% if helpers.exists('OPNsense.quagga.bgp.asnumber') and OPNsense.quagga.bgp.asnumber != '' %}
 router bgp {{ OPNsense.quagga.bgp.asnumber }}
+{%   if not helpers.empty('OPNsense.quagga.bgp.logneighborchanges') %}
+ bgp log-neighbor-changes
+{%   endif %}
  no bgp default ipv4-unicast
  no bgp ebgp-requires-policy
 {%   if helpers.exists('OPNsense.quagga.bgp.networkimportcheck') and OPNsense.quagga.bgp.networkimportcheck == '1' %}

From 4714943b188894f2d91c37b813780e9b7685b457 Mon Sep 17 00:00:00 2001
From: Alvaro Ardila <alvaro.ardila@gmail.com>
Date: Sat, 8 Jul 2023 15:20:34 -0400
Subject: [PATCH 1477/3088] security/acme-client: Add domains.google support
 Adds support for Google Domains DNS-01 ACME challenge API added to latest
 upstream acme.sh. This is separate from the Google Cloud API.

https://domains.google/learn/gts-acme/

See acmesh-official/acme.sh#4542
---
 security/acme-client/pkg-descr                |  4 ++
 .../AcmeClient/forms/dialogValidation.xml     | 15 ++++++
 .../LeValidation/DnsGoogledomains.php         | 49 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 75 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a2aafd3fb9..d631a8cd57 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -7,6 +7,10 @@ WWW: https://github.com/acmesh-official/acme.sh
 
 Plugin Changelog
 ================
+3.19
+
+Added:
+* add Google Domains DNS API
 
 3.18
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 48b932b127..63dcc1a3a1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -556,6 +556,21 @@
         <label>Secret</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Google Domains</label>
+        <type>header</type>
+        <style>table_dns table_dns_googledomains</style>
+    </field>
+    <field>
+        <id>validation.dns_googledomains_access_token</id>
+        <label>Access Token</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_googledomains_zone</id>
+        <label>Zone</label>
+        <type>text</type>
+    </field>
     <field>
         <label>hosting.de</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php
new file mode 100644
index 0000000000..d6119cad62
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Cannon Matthews <cannonmatthews@google.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Google Domains DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsGoogleDomains extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        // It is possible to override $GOOGLEDOMAINS_API env variable to
+        // control the endpoint acme.sh talks to. However there is only one
+        // option (https://acmedns.googleapis.com/v1/acmeChallengeSets) that is
+        // currently the default, so exposing this only adds to confusion and
+        // noise in the UI.
+        $this->acme_env['GOOGLEDOMAINS_ACCESS_TOKEN'] = (string)$this->config->dns_googledomains_access_token;
+        $this->acme_env['GOOGLEDOMAINS_ZONE'] = (string)$this->config->dns_googledomains_zone;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 1eca8d91b8..db9c0bc660 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -456,6 +456,7 @@
                         <dns_gandi_livedns>Gandi LiveDNS</dns_gandi_livedns>
                         <dns_gd>GoDaddy.com</dns_gd>
                         <dns_gcloud>Google Cloud DNS</dns_gcloud>
+                        <dns_googledomains>Google Domains</dns_googledomains>
                         <dns_gdnsdk>GratisDNS.dk</dns_gdnsdk>
                         <dns_hetzner>Hetzner</dns_hetzner>
                         <dns_hexonet>hexonet.com</dns_hexonet>
@@ -668,6 +669,12 @@
                 <dns_gcloud_key type="TextField">
                     <Required>N</Required>
                 </dns_gcloud_key>
+                <dns_googledomains_access_token type="TextField">
+                    <Required>N</Required>
+                </dns_googledomains_access_token>
+                <dns_googledomains_zone type="TextField">
+                    <Required>N</Required>
+                </dns_googledomains_zone>
                 <dns_gd_key type="TextField">
                     <Required>N</Required>
                 </dns_gd_key>

From 13797b7c178c483f8107a5b6acdb9704c3423260 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Mon, 10 Jul 2023 19:56:23 +0200
Subject: [PATCH 1478/3088] net/frr - cleanup unused endpoints for 23.7 and
 align with FRR8 for OPNsense 23.7 (#3498)

---
 .../Quagga/Api/DiagnosticsController.php      | 151 +++---
 .../OPNsense/Quagga/DiagnosticsController.php |  36 +-
 .../views/OPNsense/Quagga/diagnostics.volt    | 103 +++-
 .../OPNsense/Quagga/diagnosticsospfv3.volt    | 382 ---------------
 .../scripts/frr/legacy-diagnostics.py         | 446 ------------------
 .../conf/actions.d/actions_quagga.conf        | 271 +++--------
 .../www/js/quagga/diagnostics_utils.js        |  81 +---
 net/frr/src/opnsense/www/js/quagga/lodash.js  | 137 ------
 8 files changed, 263 insertions(+), 1344 deletions(-)
 delete mode 100644 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt
 delete mode 100755 net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
 delete mode 100644 net/frr/src/opnsense/www/js/quagga/lodash.js

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index 59d30d1a43..faac17d6ab 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -1,6 +1,7 @@
 <?php
 
 /**
+ *    Copyright (C) 2023 Deciso B.V.
  *    Copyright (C) 2017 Frank Wall
  *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
  *
@@ -56,42 +57,21 @@ public function getIfDesc($ifname)
            return !empty($this->allifnames[$ifname]) ? $this->allifnames[$ifname] : '';
     }
 
-    private function getInformation(string $daemon, string $name, string $format): array
+    private function configdJson($daemon, $name)
     {
-        $response = (new Backend())->configdRun(
-            "quagga diagnostics " . $daemon . "_" . $name . ($format === "json" ? "_json" : "")
-        );
-        return ["response" => ($format === "json" ? json_decode($response ?? '', true) : $response)];
+        $response = (new Backend())->configdpRun('quagga', ['diagnostics', $daemon . "_" . $name, 'json']);
+        return json_decode($response ?? '', true) ?? [];
     }
 
     public function generalrunningconfigAction(): array
     {
-        return $this->getInformation("general", "running-config", "plain");
-    }
-
-    /**
-     * XXX: unused, deprecate in next major?
-     */
-    public function generalrouteAction($format = "json"): array
-    {
-        $routes4 = $this->getInformation("general", "route4", $format)['response'];
-        $routes6 = $this->getInformation("general", "route6", $format)['response'];
-        if ($format === "json") {
-            return array("response" => array("ipv4" => $routes4, "ipv6" => $routes6));
-        } else {
-            return array("response" => $routes4 . $routes6);
-        }
-    }
-
-    public function generalroute4Action($format = "json"): array
-    {
-        return $this->getInformation("general", "route4", $format);
+        return ["response" => (new Backend())->configdpRun('quagga diagnostics general_running-config')];
     }
 
     public function searchGeneralroute4Action(): array
     {
         $records = [];
-        foreach ($this->getInformation('general', 'route4', 'json')['response'] as $routes) {
+        foreach ($this->configdJson('general', 'route4') as $routes) {
             foreach ($routes as $route) {
                 foreach ($route['nexthops'] as $nexthop) {
                     $nexthop = array_merge($route, $nexthop);
@@ -105,15 +85,10 @@ public function searchGeneralroute4Action(): array
         return $this->searchRecordsetBase($records);
     }
 
-    public function generalroute6Action($format = "json"): array
-    {
-        return $this->getInformation("general", "route6", $format);
-    }
-
     public function searchGeneralroute6Action(): array
     {
         $records = [];
-        foreach ($this->getInformation('general', 'route6', 'json')['response'] as $routes) {
+        foreach ($this->configdJson('general', 'route6') as $routes) {
             foreach ($routes as $route) {
                 foreach ($route['nexthops'] as $nexthop) {
                     $nexthop = array_merge($route, $nexthop);
@@ -127,20 +102,10 @@ public function searchGeneralroute6Action(): array
         return $this->searchRecordsetBase($records);
     }
 
-    public function bgprouteAction($format = "json"): array
-    {
-        return $this->getInformation("bgp", "route", $format);
-    }
-
-    public function bgproute4Action($format = "json"): array
-    {
-        return $this->getInformation("bgp", "route4", $format);
-    }
-
     public function searchBgproute4Action(): array
     {
         $records = [];
-        $payload = $this->getInformation("bgp", "route4", "json")['response'];
+        $payload = $this->configdJson("bgp", "route4");
         $baserecord = [];
         foreach ($payload as $key => $value) {
             if (!is_array($value)) {
@@ -173,15 +138,10 @@ public function searchBgproute4Action(): array
         return $result;
     }
 
-    public function bgproute6Action($format = "json"): array
-    {
-        return $this->getInformation("bgp", "route6", $format);
-    }
-
     public function searchBgproute6Action(): array
     {
         $records = [];
-        $payload = $this->getInformation("bgp", "route6", "json")['response'];
+        $payload = $this->configdJson("bgp", "route6");
         $baserecord = [];
         foreach ($payload as $key => $value) {
             if (!is_array($value)) {
@@ -214,30 +174,25 @@ public function searchBgproute6Action(): array
         return $result;
     }
 
-    public function bgpsummaryAction($format = "json"): array
+    public function bgpsummaryAction(): array
     {
-        return $this->getInformation("bgp", "summary", $format);
+        return ['response' => $this->configdJson("bgp", "summary")];
     }
 
-    public function bgpneighborsAction($format = "json"): array
+    public function bgpneighborsAction(): array
     {
-        return $this->getInformation("bgp", "neighbors", $format);
+        return ['response' => $this->configdJson("bgp", "neighbors")];
     }
 
-    public function ospfoverviewAction($format = "json"): array
+    public function ospfoverviewAction(): array
     {
-        return $this->getInformation("ospf", "overview", $format);
-    }
-
-    public function ospfneighborAction($format = "json"): array
-    {
-        return $this->getInformation("ospf", "neighbor", $format);
+        return ['response' => $this->configdJson("ospf", "overview")];
     }
 
     public function searchOspfneighborAction(): array
     {
         $records = [];
-        $payload = $this->getInformation("ospf", "neighbor", "json");
+        $payload = $this->configdJson("ospf", "neighbor");
         if (!empty($payload['neighbors'])) {
             foreach ($payload['neighbors'] as $neighborid => $neighbor) {
                 foreach ($neighbor as $item) {
@@ -249,15 +204,10 @@ public function searchOspfneighborAction(): array
         return $this->searchRecordsetBase($records);
     }
 
-    public function ospfrouteAction($format = "json"): array
-    {
-        return $this->getInformation("ospf", "route", $format);
-    }
-
     public function searchOspfrouteAction(): array
     {
         $records = [];
-        $payload = $this->getInformation("ospf", "route", "json")['response'];
+        $payload = $this->configdJson('ospf', 'route');
         foreach ($payload as $net => $network) {
             if (empty($network['nexthops'])) {
                 continue;
@@ -269,8 +219,8 @@ public function searchOspfrouteAction(): array
                     'cost' => $network['cost'],
                     'area' => $network['area'] ?? '',
                     'via' => !empty($nexthop['via']) ? $nexthop['ip'] : 'Directly Attached',
-                    'viainterface' => !empty($nexthop['via']) ? $nexthop['via'] : $nexthop['directly attached to'],
-                    'viainterfaceDescr' =>  $this->getIfDesc($nexthop['via'] ?? $nexthop['directly attached to']),
+                    'viainterface' => !empty($nexthop['via']) ? $nexthop['via'] : $nexthop['directlyAttachedTo'],
+                    'viainterfaceDescr' =>  $this->getIfDesc($nexthop['via'] ?? $nexthop['directlyAttachedTo']),
                 ];
             }
         }
@@ -278,45 +228,69 @@ public function searchOspfrouteAction(): array
         return $this->searchRecordsetBase($records);
     }
 
-    public function ospfdatabaseAction($format = "json"): array
-    {
-        return $this->getInformation("ospf", "database", $format);
-    }
-
-    public function ospfinterfaceAction($format = "json"): array
+    public function ospfdatabaseAction(): array
     {
-        return $this->getInformation("ospf", "interface", $format);
+        return ['response' => $this->configdJson("ospf", "database")];
     }
 
-    public function ospfv3overviewAction($format = "json"): array
+    public function ospfinterfaceAction(): array
     {
-        return $this->getInformation("ospfv3", "overview", $format);
+        return ['response' => $this->configdJson("ospf", "interface")];
     }
 
-    public function ospfv3neighborAction($format = "json"): array
+    public function ospfv3interfaceAction(): array
     {
-        return $this->getInformation("ospfv3", "neighbor", $format);
+        return ['response' => $this->configdJson("ospfv3", "interface")];
     }
 
-    public function ospfv3routeAction($format = "json"): array
+    public function ospfv3overviewAction(): array
     {
-        return $this->getInformation("ospfv3", "route", $format);
+        return ['response' => $this->configdJson("ospfv3", "overview")];
     }
 
-    public function ospfv3databaseAction($format = "json"): array
+    public function searchOspfv3routeAction($format = "json"): array
     {
-        return $this->getInformation("ospfv3", "database", $format);
+        $records = [];
+        $payload = $this->configdJson("ospfv3", "route");
+        if (!empty($payload['routes'])) {
+            foreach ($payload['routes'] as $net => $route) {
+                if (!empty($route['nextHops'])) {
+                    foreach ($route['nextHops'] as $nexthop) {
+                        $record = array_merge($route, $nexthop);
+                        $record['network'] = $net;
+                        $record['interfaceDescr'] = $this->getIfDesc($record['interfaceName']);
+                        $records[] = $record;
+                    }
+                }
+            }
+        }
+        return $this->searchRecordsetBase($records);
     }
 
-    public function ospfv3interfaceAction($format = "json"): array
+    public function searchOspfv3databaseAction(): array
     {
-        return $this->getInformation("ospfv3", "interface", $format);
+        $records = [];
+        $payload = $this->configdJson("ospfv3", "database") ;
+        foreach ($payload as $dbname => $database) {
+            foreach ($database as $topic) {
+                if (!empty($topic['lsa'])) {
+                    foreach ($topic['lsa'] as $record) {
+                        $record['dbname'] = $dbname;
+                        $record['interface'] = $topic['interface'] ?? '';
+                        $record['interfaceDescr'] = $this->getIfDesc($topic['interface'] ?? null);
+                        $record['areaId'] = $topic['areaId'] ?? '';
+                        $records[] = $record;
+                    }
+                }
+            }
+        }
+        return $this->searchRecordsetBase($records);
     }
 
     private function bfdTreeFetch($topic)
     {
         $records = [];
-        $payload = $this->getInformation("bfd", $topic, "json")['response'];
+        $payload = $this->configdJson("bfd", $topic);
         if (!empty($payload)) {
             foreach ($payload as $peer) {
                 $peerid = $peer['peer'];
@@ -329,7 +303,8 @@ private function bfdTreeFetch($topic)
     public function bfdsummaryAction(): array
     {
         $records = [];
-        foreach (explode("\n", $this->getInformation("bfd", "summary", "plain")['response']) as $line) {
+        $payload = (new Backend())->configdpRun('quagga diagnostics bfd_summary');
+        foreach (explode("\n", $payload) as $line) {
             $parts = preg_split('/\s+/', trim($line));
             if (count($parts) == 4 && filter_var($parts[0], FILTER_VALIDATE_INT) !== false) {
                 $records[] = [
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
index 15b1e440b9..75a3189ab7 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
@@ -75,9 +75,9 @@ public function ospfAction()
             ],
             [
                 'name' => 'database',
-                'endpoint' => '/api/quagga/diagnostics/ospfdatabase/plain',
+                'endpoint' => '/api/quagga/diagnostics/ospfdatabase',
                 'tabhead' => gettext('Database'),
-                'type' => 'text'
+                'type' => 'tree'
             ],
             [
                 'name' => 'neighbors',
@@ -116,13 +116,41 @@ public function bfdAction()
                 'tabhead' => gettext('Counters'),
                 'type' => 'tree'
             ]
-	];
+	    ];
         $this->view->default_tab = 'summary';
         $this->view->pick('OPNsense/Quagga/diagnostics');
     }
     public function ospfv3Action()
     {
-        $this->view->pick('OPNsense/Quagga/diagnosticsospfv3');
+        $this->view->tabs = [
+            [
+                'name' => 'overview',
+                'endpoint' => '/api/quagga/diagnostics/ospfv3overview',
+                'tabhead' => gettext('Overview'),
+                'type' => 'tree'
+
+            ],
+            [
+                'name' => 'routing',
+                'endpoint' => '/api/quagga/diagnostics/search_ospfv3route',
+                'tabhead' => gettext('Routing'),
+                'type' => 'ospfv3routetable'
+            ],
+            [
+                'name' => 'database',
+                'endpoint' => '/api/quagga/diagnostics/search_ospfv3database',
+                'tabhead' => gettext('Database'),
+                'type' => 'ospfv3databasetable'
+            ],
+            [
+                'name' => 'interface',
+                'endpoint' => '/api/quagga/diagnostics/ospfv3interface',
+                'tabhead' => gettext('Interface'),
+                'type' => 'tree'
+            ]
+	    ];
+        $this->view->default_tab = 'overview';
+        $this->view->pick('OPNsense/Quagga/diagnostics');
     }
     public function generalAction()
     {
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
index 9e8524b63b..6b15eb68f3 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
@@ -75,7 +75,6 @@ POSSIBILITY OF SUCH DAMAGE.
         $(".tree_search").keyup(treeSearchKeyUp);
 
         let all_grids = [];
-
         {% for tab in tabs %}
             /**
              * register refresh event handler for {{ tab['tabhead'] }}
@@ -85,13 +84,15 @@ POSSIBILITY OF SUCH DAMAGE.
                 {% case 'generalroutetable' %}
                 {% case 'bgproutetable' %}
                 {% case 'ospfroutetable' %}
+                {% case 'ospfv3routetable' %}
+                {% case 'ospfv3databasetable' %}
                 {% case 'ospfneighbors' %}
                 {% case 'bfdsummary' %}
                     if (all_grids["{{ tab['name'] }}"] === undefined) {
                         /**
                          * initialize bootgrid table for {{ tab['tabhead'] }}
                          */
-                        gridopt = {
+                        let gridopt = {
                             search: "{{ tab['endpoint'] }}",
                             options:{
                                 formatters : {
@@ -116,6 +117,61 @@ POSSIBILITY OF SUCH DAMAGE.
                                         }
                                         return field.html();
                                     },
+                                    ospf_route_type: function(column, row) {
+                                        let ospf_route_types = {
+                                            'N': "{{ lang._('Network') }}",
+                                            'IA': "{{ lang._('OSPF inter area') }}",
+                                            'N1': "{{ lang._('OSPF NSSA external type 1') }}",
+                                            'N2': "{{ lang._('OSPF NSSA external type 2') }}",
+                                            'E1': "{{ lang._('OSPF external type 1') }}",
+                                            'E2': "{{ lang._('OSPF external type 2') }}",
+                                        };
+                                        let field = $("<div/>");
+                                        row[column.id].split(' ').forEach(function(routeType) {
+                                            if (ospf_route_types[routeType] !== undefined) {
+                                                field.append($("<abbr>").text(routeType).attr('title', ospf_route_types[routeType]));
+                                            } else {
+                                                field.append($("<abbr>").text(routeType));
+                                            }
+                                            field.append('&nbsp;');
+                                        });
+
+                                        return field.html();
+                                    },
+                                    ospf6_dest_type: function(column, row){
+                                        let ospf6_dest_types = {
+                                            '?': "{{ lang._('Unknown') }}",
+                                            'R': "{{ lang._('Router') }}",
+                                            'N': "{{ lang._('Network') }}",
+                                            'D': "{{ lang._('Discard') }}",
+                                            'L': "{{ lang._('Linkstate') }}",
+                                            'A': "{{ lang._('AddressRange') }}",
+                                        };
+                                        let field = $("<div/>");
+                                        if (ospf6_dest_types[row[column.id]] !== undefined) {
+                                            field.append($("<abbr>").text(row[column.id]).attr('title', ospf6_dest_types[row[column.id]]));
+                                        } else {
+                                            field.append($("<abbr>").text(row[column.id]));
+                                        }
+
+                                        return field.html();
+                                    },
+                                    ospf6_path_type: function(column, row){
+                                        let ospf6_path_types = {
+                                            '??': "{{ lang._('UnknownRoute') }}",
+                                            'IA': "{{ lang._('IntraArea') }}",
+                                            'IE': "{{ lang._('InterArea') }}",
+                                            'E1': "{{ lang._('External1') }}",
+                                            'E2': "{{ lang._('External2') }}",
+                                        };
+                                        let field = $("<div/>");
+                                        if (ospf6_path_types[row[column.id]] !== undefined) {
+                                            field.append($("<abbr>").text(row[column.id]).attr('title', ospf6_path_types[row[column.id]]));
+                                        } else {
+                                            field.append($("<abbr>").text(row[column.id]));
+                                        }
+                                        return field.html();
+                                    },
                                     boolean: function (column, row) {
                                         if (row[column.id]) {
                                             return "<span class=\"fa fa-check\" data-value=\"1\" data-row-id=\"" + row.uuid + "\"></span>";
@@ -133,7 +189,6 @@ POSSIBILITY OF SUCH DAMAGE.
                                         $("#page_frr_subtitle").append('<i class="fa fa-fw fa-chevron-right" aria-hidden="true"></i>');
                                         $("#page_frr_subtitle").append($("<span/>").text(data.subtitle));
                                     }
-                                    console.log(data);
                                     return data;
                                 }
                             }
@@ -300,6 +355,26 @@ POSSIBILITY OF SUCH DAMAGE.
                         </table>
                     </div>
                     {% break %}
+                {% case 'ospfv3routetable' %}
+                    <div class="col-sm-12">
+                        <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
+                            <thead>
+                            <tr>
+                                <th data-column-id="destinationType" data-width="5em" data-formatter="ospf6_dest_type" data-sortable="false">{{ lang._('Type') }}</th>
+                                <th data-column-id="isBestRoute" data-width="5em" data-formatter="boolean" data-searchable="false" data-sortable="false">{{ lang._('Best') }}</th>
+                                <th data-column-id="pathType" data-formatter="ospf6_path_type">{{ lang._('Path type') }}</th>
+                                <th data-column-id="network">{{ lang._('Network') }}</th>
+                                <th data-column-id="nextHop" data-type="string">{{ lang._('nextHop') }}</th>
+                                <th data-column-id="interfaceName" data-type="string">{{ lang._('Interface') }}</th>
+                                <th data-column-id="interfaceDescr">{{ lang._('interface name') }}</th>
+                                <th data-column-id="duration" data-type="string">{{ lang._('Time') }}</th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            </tbody>
+                        </table>
+                    </div>
+                    {% break %}
                 {% case 'ospfneighbors' %}
                     <div class="col-sm-12">
                         <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
@@ -321,6 +396,28 @@ POSSIBILITY OF SUCH DAMAGE.
                         </table>
                     </div>
                     {% break %}
+                {% case 'ospfv3databasetable' %}
+                    <div class="col-sm-12">
+                        <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
+                            <thead>
+                            <tr>
+                                <th data-column-id="dbname">{{ lang._('Database') }}</th>
+                                <th data-column-id="areaId">{{ lang._('Area') }}</th>
+                                <th data-column-id="interface">{{ lang._('Interface') }}</th>
+                                <th data-column-id="interfaceDescr">{{ lang._('interface name') }}</th>
+                                <th data-column-id="type">{{ lang._('Type') }}</th>
+                                <th data-column-id="lsId">{{ lang._('LS ID') }}</th>
+                                <th data-column-id="advRouter">{{ lang._('Advertising Router') }}</th>
+                                <th data-column-id="age">{{ lang._('Age') }}</th>
+                                <th data-column-id="seqNum">{{ lang._('Sequence Number') }}</th>
+                                <th data-column-id="payload">{{ lang._('Payload') }}</th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            </tbody>
+                        </table>
+                    </div>
+                    {% break %}
                 {% case 'bfdsummary' %}
                     <div class="col-sm-12">
                         <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt
deleted file mode 100644
index 4f4662dbb9..0000000000
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnosticsospfv3.volt
+++ /dev/null
@@ -1,382 +0,0 @@
-{#
-
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
-Copyright (C) 2017 Fabian Franz
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
-
-<script type="text/x-template" id="overviewtpl">
-<h2>{{ lang._('General') }}</h2>
-<table class="table table-striped">
-  <tbody>
-    <tr>
-      <td>{{ lang._('Router ID') }}</td>
-      <td><%= ospfv3_overview['router_id'] %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Routing Process') }}</td>
-      <td><%= ospfv3_overview['routing_process'] %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Running Time') }}</td>
-      <td><%= ospfv3_overview['running_time'] %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Initial SPF scheduling delay') }}</td>
-      <td><%= ospfv3_overview['intital_spf_scheduling_delay'] %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Hold Time') }}</td>
-      <td>
-        {{ lang._('Minimum Hold Time') }} <%= ospfv3_overview['hold_time']['min'] %><br/>
-        {{ lang._('Maximum Hold Time:') }} <%= ospfv3_overview['hold_time']['max'] %>
-      </td>
-    </tr>
-    <tr>
-      <td>{{ lang._('SPF timer') }}</td>
-      <td><%= ospfv3_overview['spf_timer'] %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Number Of Scoped AS') }}</td>
-      <td><%= ospfv3_overview['number_as_scoped'] %></td>
-    </tr>
-    <tr>
-      <td>{{ lang._('Number Of Areas') }}</td>
-      <td><%= ospfv3_overview['number_of_areas'] %></td>
-    </tr>
-  </tbody>
-</table>
-<h2>{{ lang._('Areas') }}</h2>
-<% if (ospfv3_overview['areas']) { %>
-  <% areas = ospfv3_overview['areas'] %>
-  <% _.each(_.keys(areas), function(areaname) { %>
-    <% area = areas[areaname] %>
-    <h3><%= areaname %></h3>
-    <table class="table table-striped">
-      <tbody>
-        <tr>
-          <td>{{ lang._('Number Of LSAs') }}</td>
-          <td><%= area['number_lsas'] %></td>
-        </tr>
-        <tr>
-          <td>{{ lang._('Interfaces') }}</td>
-          <td><%= _.join(area['interfaces'], ", ") %></td>
-        </tr>
-      </tbody>
-    </table>
-  <% }) %>
-<% } %>
-</script>
-
-<script type="text/x-template" id="routestpl">
-  <table>
-    <thead>
-      <tr>
-        <th data-column-id="flags1" data-type="string">{{ lang._('Flags 1') }}</th>
-        <th data-column-id="flags2" data-type="string">{{ lang._('Flags 2') }}</th>
-        <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
-        <th data-column-id="gateway" data-type="string">{{ lang._('Gateway') }}</th>
-        <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
-        <th data-column-id="time" data-type="string">{{ lang._('Time') }}</th>
-      </tr>
-    </thead>
-    <tbody>
-      <% _.each(ospfv3_route, function (route) { %>
-        <tr>
-          <td><%= route['f1'] %></td>
-          <td><%= route['f2'] %></td>
-          <td><%= route['network'] %></td>
-          <td><%= route['gateway'] %></td>
-          <td><%= route['interface'] %></td>
-          <td><%= route['time'] %></td>
-        </tr>
-      <% }) %>
-    </tbody>
-  </table>
-</script>
-
-<script type="text/x-template" id="databasetpl">
-  <% if(ospfv3_database['scoped_link_db']) { %>
-    <h2>{{ lang._('Scoped Link Database') }}</h2>
-    <% _.each(_.keys(ospfv3_database['scoped_link_db']), function(areaname) { %>
-      <% area = ospfv3_database['scoped_link_db'][areaname] %>
-      <h3><% areaname %></h3>
-      <table>
-        <thead>
-          <tr>
-            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-            <th data-column-id="lsid" data-type="string">{{ lang._('LS ID') }}</th>
-            <th data-column-id="advrouter" data-type="string">{{ lang._('Advertising Router') }}</th>
-            <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-            <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
-            <th data-column-id="payload" data-type="string">{{ lang._('Payload') }}</th>
-          </tr>
-        </thead>
-        <tbody>
-          <% _.each(area, function(entry) { %>
-            <tr>
-              <td><%= entry['Type'] %></td>
-              <td><%= entry['LSId'] %></td>
-              <td><%= entry['AdvRouter'] %></td>
-              <td><%= entry['Age'] %></td>
-              <td><%= entry['SeqNum'] %></td>
-              <td><%= entry['Payload'] %></td>
-            </tr>
-          <% }) %>
-        </tbody>
-      </table>
-    <% }) %>
-  <% } %>
-  <% if(ospfv3_database['if_scoped_link_state']) { %>
-    <h2>{{ lang._('Interface Scoped Link Database') }}</h2>
-    <% _.each(_.keys(ospfv3_database['if_scoped_link_state']), function(intfname) { %>
-      <% intf = ospfv3_database['if_scoped_link_state'][intfname] %>
-      <% _.each(_.keys(intf), function(areaname) { %>
-        <% area = intf[areaname] %>
-        <h3><%= intfname %> / <%= areaname %></h3>
-        <table>
-          <thead>
-            <tr>
-              <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-              <th data-column-id="lsid" data-type="string">{{ lang._('LS ID') }}</th>
-              <th data-column-id="advrouter" data-type="string">{{ lang._('Advertising Router') }}</th>
-              <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-              <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
-              <th data-column-id="payload" data-type="string">{{ lang._('Payload') }}</th>
-            </tr>
-          </thead>
-          <tbody>
-            <% _.each(area, function(entry) { %>
-              <tr>
-                <td><%= entry['Type'] %></td>
-                <td><%= entry['LSId'] %></td>
-                <td><%= entry['AdvRouter'] %></td>
-                <td><%= entry['Age'] %></td>
-                <td><%= entry['SeqNum'] %></td>
-                <td><%= entry['Payload'] %></td>
-              </tr>
-            <% }) %>
-          </tbody>
-        </table>
-      <% }) %>
-    <% }) %>
-  <% } %>
-  <% if (ospfv3_database['as_scoped']) { %>
-    <h2>{{ lang._('AS Scoped') }}</h2>
-    <table>
-      <thead>
-        <tr>
-          <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-          <th data-column-id="lsid" data-type="string">{{ lang._('LS ID') }}</th>
-          <th data-column-id="advrouter" data-type="string">{{ lang._('Advertising Router') }}</th>
-          <th data-column-id="age" data-type="numeric">{{ lang._('Age') }}</th>
-          <th data-column-id="seqnr" data-type="string">{{ lang._('Sequence Number') }}</th>
-          <th data-column-id="payload" data-type="string">{{ lang._('Payload') }}</th>
-        </tr>
-      </thead>
-      <tbody>
-        <% _.each(ospfv3_database['as_scoped'], function(entry) { %>
-          <tr>
-            <td><%= entry['Type'] %></td>
-            <td><%= entry['LSId'] %></td>
-            <td><%= entry['AdvRouter'] %></td>
-            <td><%= entry['Age'] %></td>
-            <td><%= entry['SeqNum'] %></td>
-            <td><%= entry['Payload'] %></td>
-          </tr>
-        <% }) %>
-      </tbody>
-    </table>
-  <% } %>
-</script>
-
-<script type="text/x-template" id="interfacetpl">
-<% _.each(_.keys(ospfv3_interface), function(interfacename) { %>
-  <% int = ospfv3_interface[interfacename] %>
-  <h2><%= interfacename %></h2>
-  <table class="table table-striped">
-    <tbody>
-      <% _.each(_.keys(int), function(propertyname) { %>
-        <% if (propertyname != 'pending_lsas' ) { %>
-          <tr>
-            <td><%= translate(propertyname) %></td>
-            <td>
-              <% if (int[propertyname] === false || int[propertyname] === true)  { %>
-                <%= checkmark(int[propertyname]) %>
-              <% } else if (propertyname == 'timers')  { %>
-                {{ lang._('Hello Timer:') }} <%= int[propertyname]['hello'] %><br />
-                {{ lang._('Dead Timer:') }} <%= int[propertyname]['dead'] %><br />
-                {{ lang._('Wait Timer:') }} <%= int[propertyname]['wait'] %><br />
-                {{ lang._('Retransmit Timer:') }} <%= int[propertyname]['retransmit'] %>
-              <% } else if (propertyname == 'IPv6' || propertyname == 'IPv4')  { %>
-                <%= _.join(int[propertyname],'<br />') %><br />
-              <% } else if (propertyname == 'area_cost')  { %>
-                <% _.each(int[propertyname], function (ac) { %>
-                  <%= ac['area'] %>: <%= ac['cost'] %><br />
-                <% }) %>
-              <% } else { %>
-                <%= translate(int[propertyname]) %>
-              <% } %>
-            </td>
-          </tr>
-        <% } else { %>
-          <% _.each(_.keys(int[propertyname]), function(lsa) { %>
-          <% mylsa = int[propertyname][lsa] %>
-            <tr>
-              <td><%= lsa %> {{ lang._('Time') }}</td>
-              <td><%= mylsa['time'] %> </td>
-            </tr>
-            <tr>
-              <td><%= lsa %> {{ lang._('Count') }}</td>
-              <td><%= mylsa['Count'] %> </td>
-            </tr>
-            <tr>
-              <td><%= lsa %> {{ lang._('Flags') }}</td>
-              <td><%= mylsa['flags'] %> </td>
-            </tr>
-          <% }) %>
-        <% } %>
-      <% }); %>
-    </tbody>
-  </table>
-<% }) %>
-</script>
-<script src="/ui/js/quagga/lodash.js"></script>
-<script>
-
-function translate(data)
-{
-  tr = []
-  tr['count'] = '{{ lang._('Count') }}'
-  tr['router'] = '{{ lang._('Router') }}'
-  tr['network'] = '{{ lang._('Network') }}'
-  tr['summary'] = '{{ lang._('Summary') }}'
-  tr['ASBR summary'] = '{{ lang._('ASBR summary') }}'
-  tr['NSSA'] = '{{ lang._('NSSA') }}'
-  tr['directly attached'] = '{{ lang._('Directly Attached') }}'
-  tr['Full/DR'] = '{{ lang._('Full (Designated Router)') }}'
-  tr['enabled'] = '{{ lang._('Enabled') }}'
-  tr['cost'] = '{{ lang._('Cost') }}'
-  tr['priority'] = '{{ lang._('Priority') }}'
-  tr['router_id'] = '{{ lang._('Router ID') }}'
-  tr['network_type'] = '{{ lang._('Network Type') }}'
-  tr['area'] = '{{ lang._('Area') }}'
-  tr['transmit_delay'] = '{{ lang._('Transmit Delay') }}'
-  tr['state'] = '{{ lang._('State') }}'
-  tr['broadcast'] = '{{ lang._('Broadcast') }}'
-  tr['mtu_mismatch_detection'] = '{{ lang._('MTU Mismatch Detection') }}'
-  tr['address'] = '{{ lang._('Address') }}'
-  tr['designated_router'] = '{{ lang._('Designated Router') }}'
-  tr['designated_router_interface_address'] = '{{ lang._('Designated Router Interface Address') }}'
-  tr['backup_designated_router'] = '{{ lang._('Backup Designated Router') }}'
-  tr['multicast_group_memberships'] = '{{ lang._('Multicast Group Memberships') }}'
-  tr['intervals'] = '{{ lang._('Intervals') }}'
-  tr['hello_due_in'] = '{{ lang._('Hello Due In') }}'
-  tr['neighbor_count'] = '{{ lang._('Neighbor Count') }}'
-  tr['adjacent_neighbor_count'] = '{{ lang._('Adjacent Neighbor Count') }}'
-  tr['timers'] = '{{ lang._('Timers') }}'
-  tr['number_if_scoped_lsas'] = '{{ lang._('Number Of Interface Scoped LSAs') }}'
-  tr['pending_lsas'] = '{{ lang._('Pending LSAs') }}'
-  tr['area_cost'] = '{{ lang._('Area Cost') }}'
-  tr['instance_id'] = '{{ lang._('Instance ID') }}'
-  tr['interface_mtu'] = '{{ lang._('Interface MTU') }}'
-  tr['type'] = '{{ lang._('Type') }}'
-  tr['id'] = '{{ lang._('ID') }}'
-  tr['up'] = '{{ lang._('Up') }}'
-  tr['DR'] = '{{ lang._('Designated Router') }}'
-  tr['BDR'] = '{{ lang._('Backup Designated Router') }}'
-  tr['BROADCAST'] = '{{ lang._('Broadcast') }}'
-  tr['UNKNOWN'] = '{{ lang._('Unknown') }}'
-  tr['POINTOPOINT'] = '{{ lang._('Point to Point') }}'
-  tr['LOOPBACK'] = '{{ lang._('Loopback') }}'
-  return _.has(tr,data) ? tr[data] : data
-}
-
-function checkmark(bin)
-{
-  return "<i class=\"fa " + (bin ? "fa-check-square" : "fa-square") + " text-muted\"></i>";
-}
-
-dataconverters = {
-    boolean: {
-        from: function (value) { return (value == 'true') || (value == true); },
-        to: function (value) { return checkmark(value) }
-    },
-    raw: {
-        from: function (value) { return value },
-        to: function (value) { return value }
-    }
-}
-
-$(document).ready(function() {
-  updateServiceControlUI('quagga');
-
-  ajaxCall(url="/api/quagga/diagnostics/ospfv3overview", sendData={}, callback=function(data,status) {
-    content = _.template($('#overviewtpl').html())(data['response'])
-    $('#overview').html(content)
-  });
-  ajaxCall(url="/api/quagga/diagnostics/ospfv3database", sendData={}, callback=function(data,status) {
-    content = _.template($('#databasetpl').html())(data['response'])
-    $('#database').html(content)
-    $('#database table').bootgrid()
-  });
-  ajaxCall(url="/api/quagga/diagnostics/ospfv3route", sendData={}, callback=function(data,status) {
-    content = _.template($('#routestpl').html())(data['response'])
-    $('#routing').html(content)
-    $('#routing table').bootgrid()
-  });
-  /*ajaxCall(url="/api/quagga/diagnostics/ospfv3neighbor", sendData={}, callback=function(data,status) {
-    content = _.template($('#neighbortpl').html())(data['response'])
-    $('#neighbor').html(content)
-  });*/
-  ajaxCall(url="/api/quagga/diagnostics/ospfv3interface", sendData={}, callback=function(data,status) {
-    content = _.template($('#interfacetpl').html())(data['response'])
-    $('#interface').html(content)
-  });
-
-
-});
-</script>
-
-<!-- Navigation bar -->
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#overview">{{ lang._('Overview') }}</a></li>
-    <li><a data-toggle="tab" href="#routing">{{ lang._('Routing Table') }}</a></li>
-    <li><a data-toggle="tab" href="#database">{{ lang._('Database') }}</a></li>
-    <!--<li><a data-toggle="tab" href="#neighbor">{{ lang._('Neighbor') }}</a></li>-->
-    <li><a data-toggle="tab" href="#interface">{{ lang._('Interface') }}</a></li>
-</ul>
-<div class="tab-content content-box tab-content">
-    <div id="overview" class="tab-pane fade in active">
-    </div>
-    <div id="routing" class="tab-pane fade in">
-    </div>
-    <div id="database" class="tab-pane fade in">
-    </div>
-    <div id="neighbor" class="tab-pane fade in">
-    </div>
-    <div id="interface" class="tab-pane fade in">
-    </div>
-</div>
diff --git a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py b/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
deleted file mode 100755
index 1567ace98d..0000000000
--- a/net/frr/src/opnsense/scripts/frr/legacy-diagnostics.py
+++ /dev/null
@@ -1,446 +0,0 @@
-#!/usr/local/bin/python3
-"""
-    Copyright (c) 2020 Marc Leuser
-    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-     this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-     notice, this list of conditions and the following disclaimer in the
-     documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-
-"""
-
-import argparse
-import ujson
-import re
-from typing import List, Dict
-from lib import VtySH
-
-
-class Re:
-    """ Custom regex helper class (source https://stackoverflow.com/a/4980181)
-        Use to conveniently build switch-case like constructs using if/elif
-    """
-
-    def __init__(self):
-        self.last_match = None
-
-    def match(self, pattern, text):
-        self.last_match = re.match(pattern, text)
-        return self.last_match
-
-    def search(self, pattern, text):
-        self.last_match = re.search(pattern, text)
-        return self.last_match
-
-
-class FRRTableReader:
-    def __init__(self, titles: List[str] = None):
-        self.titles = titles if titles is not None else list()
-        self.columns = list()
-
-    def read_header(self, line: str, start_without_title: bool = False, start_without_title_name: str = 'status'):
-        # we're going to create a list of columns. each entry contains title, start index and end index for easy parsing
-        self.columns = []
-
-        # the first column's title may sometimes be empty in FRR's output. we'll have to give it a name though
-        if start_without_title:
-            self.columns.append({
-                'title': start_without_title_name,
-                'start_index': 0,
-                'end_index': None
-            })
-
-        # fill the list with subsequent columns
-        for title in self.titles:
-            try:
-                # find the start index of the current title in the header
-                start_index = line.index(title)
-            except ValueError:
-                # just skip the column if it can't be found
-                continue
-
-            # last column's end index is this column's start index
-            if self.columns:
-                self.columns[-1]['end_index'] = start_index
-
-            # add the current column to the list
-            self.columns.append({
-                'title': title,
-                'start_index': start_index,
-                'end_index': None
-            })
-
-    def read_line(self, line: str) -> Dict[str, str]:
-        result = {}
-
-        # sanity check: the line has to be long enough to contain all columns,
-        # so its length must be greater than the last column's start index
-        if len(line) > self.columns[-1]['start_index']:
-            for column in self.columns:
-                # use the column's name as dict key and just extract the data from start to end index
-                result[column['title'].strip()] = line[column['start_index']:column['end_index']].strip()
-
-        return result
-
-
-class DaemonError(Exception):
-    pass
-
-
-class Daemon:
-    def __init__(self, vtysh: VtySH):
-        self.vtysh = vtysh
-        self.myre = Re()
-
-    def _show(self, suffix: str):
-        # execute the command and filter out empty lines so subsequent iterations don't have to  deal with them
-        return list(filter(None, self.vtysh.execute(command='show ' + suffix, translate=bytes.decode).split('\n')))
-
-
-class OSPF(Daemon):
-    def _show(self, suffix: str):
-        return super()._show('ip ospf ' + suffix)
-
-    def database(self):
-        db = {}
-        # table reader for Route Link States
-        rltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum', 'Link count'])
-        # table reader for Net Link States
-        nltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum'])
-        # table reader for Summary Link States
-        sltr = FRRTableReader(titles=['Link ID', 'ADV Router', 'Age', 'Seq#', 'CkSum', 'Route\n'])
-        # table reader for AS External Link States (columns are identical to Summary Link States)
-        eltr = sltr
-
-        # get the FRR output
-        lines = self._show('database')
-
-        # placeholder for the active table reader for the coming line
-        tr = None
-        # whether or not the header for the current section has already been parsed
-        header_parsed = False
-        # the current router
-        router = None
-        # the current area
-        area = None
-        # the current mode
-        mode = None
-
-        for line in lines:
-            if line.startswith(' '):
-                # this is a heading
-                heading = line.strip()
-                header_parsed = False
-
-                # this is going to be dirty
-                if self.myre.search(r'OSPF Router with ID \(([\.\d]+)\)', heading):
-                    router = self.myre.last_match.group(1)
-                    if router not in db:
-                        db[router] = {}
-                    mode = 'router'
-                elif self.myre.search(r'Router Link States \(Area ([\.\d]+)\)', heading):
-                    mode = 'router_link_state_area'
-                    area = self.myre.last_match.group(1)
-                    if mode not in db[router]:
-                        db[router][mode] = {}
-                    if area not in db[router][mode]:
-                        db[router][mode][area] = []
-                    tr = rltr
-                elif self.myre.search(r'Net Link States \(Area ([\.\d]+)\)', heading):
-                    mode = 'net_link_state_area'
-                    area = self.myre.last_match.group(1)
-                    if mode not in db[router]:
-                        db[router][mode] = {}
-                    if area not in db[router][mode]:
-                        db[router][mode][area] = []
-                    tr = nltr
-                elif self.myre.search(r'Summary Link States \(Area ([\.\d]+)\)', heading):
-                    mode = 'summary_link_state_area'
-                    area = self.myre.last_match.group(1)
-                    if mode not in db[router]:
-                        db[router][mode] = {}
-                    if area not in db[router][mode]:
-                        db[router][mode][area] = []
-                    tr = sltr
-                elif heading == 'AS External Link States':
-                    mode = 'external_states'
-                    if mode not in db[router]:
-                        db[router][mode] = []
-                    tr = eltr
-                else:
-                    raise DaemonError('failed to parse heading: ' + heading)
-                # told you.
-            else:
-                if not header_parsed:
-                    if mode in ['summary_link_state_area', 'external_states']:
-                        # workaround because "Route" matches on "Router" and breaks the offset parsing logic
-                        # stay consistent with the previous script, add a trailing newline
-                        line += '\n'
-                    tr.read_header(line)
-                    header_parsed = True
-                else:
-                    if mode == 'router':
-                        raise DaemonError(
-                            'attempting to parse a table row but the mode is \'router\'. '
-                            'please debug the FRR output:\n\n\n' + line
-                        )
-                    elif mode == 'external_states':
-                        db[router][mode].append(tr.read_line(line))
-                    else:
-                        db[router][mode][area].append(tr.read_line(line))
-
-        return db
-
-
-class OSPFv3(Daemon):
-    def _show(self, suffix: str):
-        return super()._show('ipv6 ospf6 ' + suffix)
-
-    def database(self):
-        database = {}
-        lines = map(str.strip, self._show('database'))
-
-        # table reader
-        tr = FRRTableReader(titles=["Type", "LSId", "AdvRouter", " Age", "  SeqNum", "                       Payload"])
-        header_parsed = False
-        interface = None
-        area = None
-        mode = None
-
-        for line in lines:
-            if self.myre.search(r'Area Scoped Link State Database \(Area (.*)\)', line):
-                header_parsed = False
-                mode = 'scoped_link_db'
-                area = self.myre.last_match.group(1)
-                if mode not in database:
-                    database[mode] = {}
-                if area not in database[mode]:
-                    database[mode][area] = []
-            elif self.myre.search(r'I\/F Scoped Link State Database \(I\/F (\S+) in Area (.*)\)', line):
-                header_parsed = False
-                mode = 'if_scoped_link_state'
-                interface = self.myre.last_match.group(1)
-                area = self.myre.last_match.group(2)
-                if mode not in database:
-                    database[mode] = {}
-                if interface not in database[mode]:
-                    database[mode][interface] = {}
-                if area not in database[mode][interface]:
-                    database[mode][interface][area] = []
-            elif line == 'AS Scoped Link State Database':
-                header_parsed = False
-                mode = 'as_scoped'
-                if mode not in database:
-                    database[mode] = []
-            else:
-                if not header_parsed:
-                    tr.read_header(line)
-                    header_parsed = True
-                else:
-                    if mode == 'scoped_link_db':
-                        database[mode][area].append(tr.read_line(line))
-                    elif mode == 'if_scoped_link_state':
-                        database[mode][interface][area].append(tr.read_line(line))
-                    elif mode == 'as_scoped':
-                        database[mode].append(tr.read_line(line))
-                    else:
-                        raise DaemonError('invalid mode, failed to parse line: ' + line)
-
-        return database
-
-    def route(self):
-        route = []
-        lines = map(str.strip, self._show('route'))
-
-        for line in lines:
-            columns = re.split(r'\s+', line)
-            route.append({
-                'f1': columns[0],
-                'f2': columns[1],
-                'network': columns[2],
-                'gateway': columns[3],
-                'interface': columns[4],
-                'time': columns[5],
-            })
-
-        return route
-
-    def interface(self):
-        interface = {}
-        lines = map(str.strip, self._show('interface'))
-
-        current_if = None
-        for line in lines:
-            if self.myre.search(r'(\S+) is (down|up), type ([A-Z]+)', line):
-                current_if = self.myre.last_match.group(1)
-                interface[current_if] = {
-                    'up': True if self.myre.last_match.group(2) == 'up' else False,
-                    'type': self.myre.last_match.group(3),
-                    'enabled': True
-                }
-            elif self.myre.search(r'Interface ID: (\d+)', line):
-                interface[current_if]['id'] = self.myre.last_match.group(1)
-            elif self.myre.search(r'OSPF not enabled on this interface', line):
-                interface[current_if]['enabled'] = False
-            elif self.myre.search(r'Instance ID (\d+), Interface MTU (\d+) \(autodetect: (\d+)\)', line):
-                interface[current_if]['instance_id'] = int(self.myre.last_match.group(1))
-                interface[current_if]['interface_mtu'] = int(self.myre.last_match.group(2))
-                interface[current_if]['interface_mtu_autodetect'] = int(self.myre.last_match.group(3))
-            elif self.myre.search(r'(inet |inet6): (\S+)', line):
-                family = 'IPv6' if self.myre.last_match.group(1) == 'inet6' else 'IPv4'
-                if family not in interface[current_if]:
-                    interface[current_if][family] = []
-                interface[current_if][family].append(self.myre.last_match.group(2))
-            elif self.myre.search(r'MTU mismatch detection: (en|dis)abled', line):
-                interface[current_if]['mtu_mismatch_detection'] = True if self.myre.last_match.group(
-                    1) == 'en' else False
-            elif self.myre.search(r'DR: (\S+) BDR: (\S+)', line):
-                interface[current_if]['designated_router'] = self.myre.last_match.group(1)
-                interface[current_if]['backup_designated_router'] = self.myre.last_match.group(2)
-            elif self.myre.search(r'State (\S+), Transmit Delay (\d+) sec, Priority (\d+)', line):
-                interface[current_if]['state'] = self.myre.last_match.group(1)
-                interface[current_if]['transmit_delay'] = int(self.myre.last_match.group(2))
-                interface[current_if]['priority'] = int(self.myre.last_match.group(3))
-            elif self.myre.search(r'Number of I\/F scoped LSAs is (\d+)', line):
-                interface[current_if]['number_if_scoped_lsas'] = int(self.myre.last_match.group(1))
-            elif self.myre.search(r'(\d+) Pending LSAs for (\S+) in Time ([\d:]+)(?: (.*))', line):
-                if 'pending_lsas' not in interface[current_if]:
-                    interface[current_if]['pending_lsas'] = {}
-                interface[current_if]['pending_lsas'][self.myre.last_match.group(2)] = {
-                    'time': self.myre.last_match.group(3),
-                    'count': self.myre.last_match.group(1),
-                    'flags': self.myre.last_match.group(4)
-                }
-            elif self.myre.search(r'Hello (\d+), Dead (\d+), Retransmit (\d+)', line):
-                interface[current_if]['timers'] = {
-                    'hello': int(self.myre.last_match.group(1)),
-                    'dead': int(self.myre.last_match.group(2)),
-                    'retransmit': int(self.myre.last_match.group(3))
-                }
-            elif self.myre.search(r'Area ID (\S+), Cost (\d+)', line):
-                if 'area_cost' not in interface[current_if]:
-                    interface[current_if]['area_cost'] = []
-                interface[current_if]['area_cost'].append({
-                    'area': self.myre.last_match.group(1),
-                    'cost': int(self.myre.last_match.group(2))
-                })
-            elif line in ['Internet Address:', 'Timer intervals configured:']:
-                # ignore these strings
-                pass
-            else:
-                raise DaemonError('failed to parse line: ' + line)
-
-        return interface
-
-    def neighbor(self):
-        neighbors = []
-        lines = self._show('neighbor')
-
-        tr = FRRTableReader(titles=['Neighbor ID', 'Pri', 'DeadTime', 'State/IfState', 'Duration I/F[State]'])
-        ll = lines.pop(0)
-        tr.read_header(ll)
-
-        for line in lines:
-            neighbor = tr.read_line(line)
-            neighbor['Pri'] = int(neighbor['Pri'])
-            neighbors.append(neighbor)
-
-        return neighbors
-
-    def overview(self):
-        overview = {'areas': {}}
-        lines = map(str.strip, self._show(''))
-
-        current_area = None
-
-        for line in lines:
-            if self.myre.search(r'OSPFv3 Routing Process \((\d+)\) with Router-ID ([\d\.]+)', line):
-                overview['router_id'] = self.myre.last_match.group(2)
-                overview['routing_process'] = int(self.myre.last_match.group(1))
-            elif self.myre.search(r'Initial SPF scheduling delay (\d+) millisec\(s\)', line):
-                overview['initial_spf_scheduling_delay'] = int(self.myre.last_match.group(1))
-            elif self.myre.search(r'(Min|Max)imum hold time between consecutive SPFs (\d+) milli?second\(s\)', line):
-                if 'hold_time' not in overview:
-                    overview['hold_time'] = {}
-                overview['hold_time'][self.myre.last_match.group(1).lower()] = int(self.myre.last_match.group(2))
-            elif line == 'This router is an ASBR (injecting external routing information)':
-                overview['asbr'] = True
-            elif self.myre.search(r'SPF timer is (.*)', line):
-                overview['spf_timer'] = self.myre.last_match.group(1)
-            elif self.myre.search(r'Running (.*)', line):
-                overview['running_time'] = self.myre.last_match.group(1)
-            elif self.myre.search(r'Number of AS scoped LSAs is (\d+)', line):
-                overview['number_as_scoped'] = int(self.myre.last_match.group(1))
-            elif self.myre.search(r'Hold time multiplier is currently (\d+)', line):
-                overview['current_hold_time_multipier'] = int(self.myre.last_match.group(1))
-            elif self.myre.search(r'Number of areas in this router is (\d+)', line):
-                overview['number_of_areas'] = int(self.myre.last_match.group(1))
-            elif self.myre.search(r'^Area ([\d\.]*)', line):
-                current_area = self.myre.last_match.group(1)
-                overview['areas'][current_area] = {}
-            elif self.myre.search(r'Interface attached to this area: (.*)', line):
-                overview['areas'][current_area]['interfaces'] = self.myre.last_match.group(1).split(' ')
-            elif self.myre.search(r'Number of Area scoped LSAs is (.*)', line):
-                overview['areas'][current_area]['number_lsas'] = int(self.myre.last_match.group(1))
-            elif self.myre.search(r'LSA minimum arrival (.*)', line) or \
-                    self.myre.search(r'SPF algorithm last executed (.*)', line) or \
-                    self.myre.search(r'Last SPF duration (.*)', line) or \
-                    self.myre.search(r'SPF last executed (.*)', line) or \
-                    self.myre.search(r'Number of Area scoped LSAs is (.*)', line) or \
-                    self.myre.search(r'Adjacency changes are logged', line):
-                # skip these lines
-                pass
-            else:
-                raise DaemonError('failed to parse line: ' + line)
-
-        return overview
-
-
-if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Python port of the OPNsense FRR output parser.')
-    parser.add_argument('-d', '--ospf-database', help='Prints the OSPF Database', action='store_true')
-    parser.add_argument('-D', '--ospfv3-database', help='Prints the OSPFv3 Database', action='store_true')
-    parser.add_argument('-t', '--ospfv3-route', help='Prints the OSPFv3 routing table', action='store_true')
-    parser.add_argument('-I', '--ospfv3-interface', help='Prints OSPFv3 interface information', action='store_true')
-    parser.add_argument('-N', '--ospfv3-neighbor', help='Prints OSPFv3 neighbor information', action='store_true')
-    parser.add_argument('-O', '--ospfv3-overview', help='Prints an OSPFv3 Summary', action='store_true')
-    args = parser.parse_args()
-
-    # initialize VtySH and parser objects
-    main_vtysh = VtySH()
-    ospf = OSPF(main_vtysh)
-    ospfv3 = OSPFv3(main_vtysh)
-
-    main_result = {}
-    if args.ospf_database:
-        main_result['ospf_database'] = ospf.database()
-    elif args.ospfv3_database:
-        main_result['ospfv3_database'] = ospfv3.database()
-    elif args.ospfv3_route:
-        main_result['ospfv3_route'] = ospfv3.route()
-    elif args.ospfv3_interface:
-        main_result['ospfv3_interface'] = ospfv3.interface()
-    elif args.ospfv3_neighbor:
-        main_result['ospfv3_neighbors'] = ospfv3.neighbor()
-    elif args.ospfv3_overview:
-        main_result['ospfv3_overview'] = ospfv3.overview()
-
-    print(ujson.dumps(main_result, escape_forward_slashes=False))
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 89a3822904..7f5541a1bb 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -30,271 +30,134 @@ type:script_output
 message:FRR diagnosticts "show running-config"
 
 [diagnostics.general_route4]
-command:/usr/local/bin/vtysh -c "show ip route"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ip route %s'
 type:script_output
 message:FRR diagnosticts "show ip route"
 
-[diagnostics.general_route4_json]
-command:/usr/local/bin/vtysh -c "show ip route json"
-parameters:
-type:script_output
-message:FRR diagnosticts "show ip route json"
-
 [diagnostics.general_route6]
-command:/usr/local/bin/vtysh -c "show ipv6 route"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ipv6 route %s'
 type:script_output
 message:FRR diagnosticts "show ipv6 route"
 
-[diagnostics.general_route6_json]
-command:/usr/local/bin/vtysh -c "show ipv6 route json"
-parameters:
-type:script_output
-message:FRR diagnosticts "show ipv6 route json"
-
-[diagnostics.bgp_route]
-command:exit 1
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp all" (not implemented)
-
-[diagnostics.bgp_route_json]
-command:/usr/local/bin/vtysh -c "show bgp all json"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp all json" (not implemented)
-
 [diagnostics.bgp_route4]
-command:/usr/local/bin/vtysh -c "show bgp ipv4"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp ipv4"
-
-[diagnostics.bgp_route4_json]
-command:/usr/local/bin/vtysh -c "show bgp ipv4 json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show bgp ipv4 %s'
 type:script_output
-message:FRR diagnostics "show bgp ipv4 json"
+message:FRR diagnostics "show bgp ipv4 %s"
 
 [diagnostics.bgp_route6]
-command:/usr/local/bin/vtysh -c "show bgp ipv6"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp ipv6"
-
-[diagnostics.bgp_route6_json]
-command:/usr/local/bin/vtysh -c "show bgp ipv6 json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters:-c 'show bgp ipv6 %s'
 type:script_output
-message:FRR diagnostics "show bgp ipv6 json"
+message:FRR diagnostics "show bgp ipv6 %s"
 
 [diagnostics.bgp_summary]
-command:/usr/local/bin/vtysh -c "show bgp summary"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp summary"
-
-[diagnostics.bgp_summary_json]
-command:/usr/local/bin/vtysh -c "show bgp summary json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show bgp summary %s'
 type:script_output
-message:FRR diagnostics "show bgp summary json"
+message:FRR diagnostics "show bgp summary %s"
 
 [diagnostics.bgp_summary4]
-command:/usr/local/bin/vtysh -c "show bgp ipv4 summary"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp ipv4 summary"
-
-[diagnostics.bgp_summary4_json]
-command:/usr/local/bin/vtysh -c "show bgp ipv4 summary json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show bgp ipv4 summary %s'
 type:script_output
-message:FRR diagnostics "show bgp ipv4 summary json"
+message:FRR diagnostics "show bgp ipv4 summary %s"
 
 [diagnostics.bgp_summary6]
-command:/usr/local/bin/vtysh -c "show bgp ipv6 summary"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp ipv6 summary"
-
-[diagnostics.bgp_summary6_json]
-command:/usr/local/bin/vtysh -c "show bgp ipv6 summary json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show bgp ipv6 summary %s'
 type:script_output
-message:FRR diagnostics "show bgp ipv6 summary json"
+message:FRR diagnostics "show bgp ipv6 summary %s"
 
 [diagnostics.bgp_neighbors]
-command:/usr/local/bin/vtysh -c "show bgp neighbors"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp neighbors"
-
-[diagnostics.bgp_neighbors_json]
-command:/usr/local/bin/vtysh -c "show bgp neighbors json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show bgp neighbors %s'
 type:script_output
-message:FRR diagnostics "show bgp neighbors json"
+message:FRR diagnostics "show bgp neighbors %s"
 
 [diagnostics.bgp_neighbors4]
-command:/usr/local/bin/vtysh -c "show bgp ipv4 neighbors"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp ipv4 neighbors"
-
-[diagnostics.bgp_neighbors4_json]
-command:/usr/local/bin/vtysh -c "show bgp ipv4 neighbors json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show bgp ipv4 neighbors %s'
 type:script_output
-message:FRR diagnostics "show bgp ipv4 neighbors json"
+message:FRR diagnostics "show bgp ipv4 neighbors %s"
 
 [diagnostics.bgp_neighbors6]
-command:/usr/local/bin/vtysh -c "show bgp ipv6 neighbors"
-parameters:
-type:script_output
-message:FRR diagnostics "show bgp ipv6 neighbors"
-
-[diagnostics.bgp_neighbors6_json]
-command:/usr/local/bin/vtysh -c "show bgp ipv6 neighbors json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show bgp ipv6 neighbors %s'
 type:script_output
-message:FRR diagnostics "show bgp ipv6 neighbors json"
+message:FRR diagnostics "show bgp ipv6 neighbors %s"
 
 [diagnostics.ospf_overview]
-command:/usr/local/bin/vtysh -c "show ip ospf"
-parameters:
-type:script_output
-message:FRR diagnostics "show ip ospf"
-
-[diagnostics.ospf_overview_json]
-command:/usr/local/bin/vtysh -c "show ip ospf json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ip ospf %s'
 type:script_output
-message:FRR diagnostics "show ip ospf json"
+message:FRR diagnostics "show ip ospf %s"
 
 [diagnostics.ospf_neighbor]
-command:/usr/local/bin/vtysh -c "show ip ospf neighbor"
-parameters:
-type:script_output
-message:FRR diagnostics "show ip ospf neighbor"
-
-[diagnostics.ospf_neighbor_json]
-command:/usr/local/bin/vtysh -c "show ip ospf neighbor json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ip ospf neighbor %s'
 type:script_output
-message:FRR diagnostics "show ip ospf neighbor json"
+message:FRR diagnostics "show ip ospf neighbor %s"
 
 [diagnostics.ospf_route]
-command:/usr/local/bin/vtysh -c "show ip ospf route"
-parameters:
-type:script_output
-message:FRR diagnostics "show ip ospf route"
-
-[diagnostics.ospf_route_json]
-command:/usr/local/bin/vtysh -c "show ip ospf route json"
-parameters:
-type:script_output
-message:FRR diagnostics "show ip ospf route json"
-
-[diagnostics.ospf_database]
-command:/usr/local/bin/vtysh -c "show ip ospf database"
-parameters:
-type:script_output
-message:FRR diagnostics "show ip ospf database"
-
-[diagnostics.ospf_database_json]
-command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospf-database
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ip ospf route %s'
 type:script_output
-message:FRR diagnostics "show ip ospf database json"
+message:FRR diagnostics "show ip ospf route %s"
 
 [diagnostics.ospf_interface]
-command:/usr/local/bin/vtysh -c "show ip ospf interface"
-parameters:
-type:script_output
-message:FRR diagnostics "show ip ospf interface"
-
-[diagnostics.ospf_interface_json]
-command:/usr/local/bin/vtysh -c "show ip ospf interface json"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ip ospf interface %s'
 type:script_output
-message:FRR diagnostics "show ip ospf interface json"
+message:FRR diagnostics "show ip ospf interface %s"
 
-[diagnostics.bfd_neighbors_json]
-command:/usr/local/bin/vtysh -c "show bfd peers json"
-parameters:
+[diagnostics.bfd_neighbors]
+command:/usr/local/bin/vtysh
+parameters: -c 'show bfd peers %s'
 type:script_output
-message:FRR diagnostics "show bfd peers json"
+message:FRR diagnostics "show bfd peers json %s"
 
 [diagnostics.bfd_summary]
-command:/usr/local/bin/vtysh -c "show bfd peers brief"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show bfd peers brief %s'
 type:script_output
-message:FRR diagnostics "show bfd peers brief"
+message:FRR diagnostics "show bfd peers brief %s"
 
-[diagnostics.bfd_counters_json]
-command:/usr/local/bin/vtysh -c "show bfd peers counters json"
-parameters:
-type:script_output
-message:FRR diagnostics "show bfd peers counters json"
-
-[diagnostics.ospfv3_overview]
-command:/usr/local/bin/vtysh -c "show ipv6 ospf6"
-parameters:
-type:script_output
-message:FRR diagnostics "show ipv6 ospf6"
-
-[diagnostics.ospfv3_overview_json]
-command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-overview
-parameters:
+[diagnostics.bfd_counters]
+command:/usr/local/bin/vtysh
+parameters: -c 'show bfd peers counters %s'
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 json"
+message:FRR diagnostics "show bfd peers counters %s"
 
-[diagnostics.ospfv3_neighbor]
-command:/usr/local/bin/vtysh -c "show ipv6 ospf6 neighbor"
-parameters:
+[diagnostics.ospf_database]
+command:/usr/local/bin/vtysh
+parameters: -c 'show ip ospf database %s'
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 neighbor"
+message:FRR diagnostics "show ip ospf database"
 
-[diagnostics.ospfv3_neighbor_json]
-command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-neighbor
-parameters:
+[diagnostics.ospfv3_overview]
+command:/usr/local/bin/vtysh
+parameters: -c 'show ipv6 ospf6 %s'
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 neighbor json"
+message:FRR diagnostics "show ipv6 ospf6 %s"
 
 [diagnostics.ospfv3_route]
-command:/usr/local/bin/vtysh -c "show ipv6 ospf6 route"
-parameters:
-type:script_output
-message:FRR diagnostics "show ipv6 ospf6 route"
-
-[diagnostics.ospfv3_route_json]
-command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-route
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ipv6 ospf6 route %s'
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 route json"
+message:FRR diagnostics "show ipv6 ospf6 route %s"
 
 [diagnostics.ospfv3_database]
-command:/usr/local/bin/vtysh -c "show ipv6 ospf6 database"
-parameters:
-type:script_output
-message:FRR diagnostics "show ipv6 ospf6 database"
-
-[diagnostics.ospfv3_database_json]
-command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-database
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ipv6 ospf6 database %s'
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 database json"
 
 [diagnostics.ospfv3_interface]
-command:/usr/local/bin/vtysh -c "show ipv6 ospf6 interface"
-parameters:
+command:/usr/local/bin/vtysh
+parameters: -c 'show ipv6 ospf6 interface %s'
 type:script_output
-message:FRR diagnostics "show ipv6 ospf6 interface"
+message:FRR diagnostics "show ipv6 ospf6 interface %s"
 
-[diagnostics.ospfv3_interface_json]
-command:/usr/local/opnsense/scripts/frr/legacy-diagnostics.py --ospfv3-interface
-parameters:
-type:script_output
-message:FRR diagnostics "show ipv6 ospf6 interface json"
diff --git a/net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js b/net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js
index 3d69d2cd94..886a0bb627 100644
--- a/net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js
+++ b/net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2022 Deciso B.V.
+ * Copyright (C) 2015-2023 Deciso B.V.
  * Copyright (C) 2023 Marc Bartelt
  * All rights reserved.
  *
@@ -27,85 +27,6 @@
 
 'use strict';
 
-/**
- * shared options for bootgrid tables
- */
-let gridopt = {
-    formatters: {
-        boolean: function(column, row) {
-            if (row[column.id]) {
-                return '<span class="fa fa-fw fa-check" data-value="1" data-row-id="' + row.uuid + '"></span>';
-            } else {
-                return '';
-            }
-        },
-        ospf_route_type: function(column, row) {
-            let result = '';
-
-            row[column.id].split(' ').forEach(function(routeType) {
-                let translatedRouteType = translateOSPFTerm(routeType)
-
-                if (translatedRouteType === routeType) {
-                    result += routeType;
-                } else {
-                    result += '<abbr title="' + translatedRouteType + '">' + routeType + '</abbr>';
-                }
-
-                result += ' ';
-            });
-
-            return result;
-        },
-        general_route_code: function(column, row) {
-            let result = row.code;
-            let protocol = translateZebraCode(row.code);
-
-            if(typeof(protocol) !== 'string') result = '<abbr title="' + protocol['long'] + '">' + protocol['short'] + '</abbr>';
-            if(row.selected) result += ' <abbr title="Selected">&gt;</abbr>';
-            if(row.installed) result += ' <abbr title="FIB">&ast;</abbr>';
-
-            return result;
-        }
-    }
-};
-
-/**
- * zebra route codes - translation table
- */
-function translateZebraCode(data) {
-    let tr = [];
-
-    // routing table tab
-    tr['kernel'] = {short: 'K', long: 'Kernel'};
-    tr['connected'] = {short: 'C', long: 'Connected'};
-    tr['bgp'] = {short: 'B', long: 'BGP'};
-    tr['ospf'] = {short: 'O', long: 'OSPF'};
-    tr['ospf6'] = {short: 'O', long: 'OSPFv3'};
-
-    return ((data in tr) ? tr[data] : data);
-}
-
-
-
-/**
- * OSPF terms and abbreviations - translation table
- **/
-function translateOSPFTerm(data) {
-    let tr = [];
-
-    // routing table tab
-    tr['N'] = 'Network';
-    tr['R'] = 'Router';
-    tr['IA'] = 'OSPF inter area';
-    tr['N1'] = 'OSPF NSSA external type 1';
-    tr['N2'] = 'OSPF NSSA external type 2';
-    tr['E1'] = 'OSPF external type 1';
-    tr['E2'] = 'OSPF external type 2';
-
-    return ((data in tr) ? tr[data] : data);
-}
-
-
 /**
  * tree view: resize widget on window resize
  */
diff --git a/net/frr/src/opnsense/www/js/quagga/lodash.js b/net/frr/src/opnsense/www/js/quagga/lodash.js
deleted file mode 100644
index 71226cfa05..0000000000
--- a/net/frr/src/opnsense/www/js/quagga/lodash.js
+++ /dev/null
@@ -1,137 +0,0 @@
-/**
- * @license
- * Lodash lodash.com/license | Underscore.js 1.8.3 underscorejs.org/LICENSE
- */
-;(function(){function n(n,t,r){switch(r.length){case 0:return n.call(t);case 1:return n.call(t,r[0]);case 2:return n.call(t,r[0],r[1]);case 3:return n.call(t,r[0],r[1],r[2])}return n.apply(t,r)}function t(n,t,r,e){for(var u=-1,i=null==n?0:n.length;++u<i;){var o=n[u];t(e,o,r(o),n)}return e}function r(n,t){for(var r=-1,e=null==n?0:n.length;++r<e&&false!==t(n[r],r,n););return n}function e(n,t){for(var r=null==n?0:n.length;r--&&false!==t(n[r],r,n););return n}function u(n,t){for(var r=-1,e=null==n?0:n.length;++r<e;)if(!t(n[r],r,n))return false;
-return true}function i(n,t){for(var r=-1,e=null==n?0:n.length,u=0,i=[];++r<e;){var o=n[r];t(o,r,n)&&(i[u++]=o)}return i}function o(n,t){return!(null==n||!n.length)&&-1<v(n,t,0)}function f(n,t,r){for(var e=-1,u=null==n?0:n.length;++e<u;)if(r(t,n[e]))return true;return false}function c(n,t){for(var r=-1,e=null==n?0:n.length,u=Array(e);++r<e;)u[r]=t(n[r],r,n);return u}function a(n,t){for(var r=-1,e=t.length,u=n.length;++r<e;)n[u+r]=t[r];return n}function l(n,t,r,e){var u=-1,i=null==n?0:n.length;for(e&&i&&(r=n[++u]);++u<i;)r=t(r,n[u],u,n);
-return r}function s(n,t,r,e){var u=null==n?0:n.length;for(e&&u&&(r=n[--u]);u--;)r=t(r,n[u],u,n);return r}function h(n,t){for(var r=-1,e=null==n?0:n.length;++r<e;)if(t(n[r],r,n))return true;return false}function p(n,t,r){var e;return r(n,function(n,r,u){if(t(n,r,u))return e=r,false}),e}function _(n,t,r,e){var u=n.length;for(r+=e?1:-1;e?r--:++r<u;)if(t(n[r],r,n))return r;return-1}function v(n,t,r){if(t===t)n:{--r;for(var e=n.length;++r<e;)if(n[r]===t){n=r;break n}n=-1}else n=_(n,d,r);return n}function g(n,t,r,e){
---r;for(var u=n.length;++r<u;)if(e(n[r],t))return r;return-1}function d(n){return n!==n}function y(n,t){var r=null==n?0:n.length;return r?m(n,t)/r:F}function b(n){return function(t){return null==t?T:t[n]}}function x(n){return function(t){return null==n?T:n[t]}}function j(n,t,r,e,u){return u(n,function(n,u,i){r=e?(e=false,n):t(r,n,u,i)}),r}function w(n,t){var r=n.length;for(n.sort(t);r--;)n[r]=n[r].c;return n}function m(n,t){for(var r,e=-1,u=n.length;++e<u;){var i=t(n[e]);i!==T&&(r=r===T?i:r+i)}return r;
-}function A(n,t){for(var r=-1,e=Array(n);++r<n;)e[r]=t(r);return e}function E(n,t){return c(t,function(t){return[t,n[t]]})}function k(n){return function(t){return n(t)}}function S(n,t){return c(t,function(t){return n[t]})}function O(n,t){return n.has(t)}function I(n,t){for(var r=-1,e=n.length;++r<e&&-1<v(t,n[r],0););return r}function R(n,t){for(var r=n.length;r--&&-1<v(t,n[r],0););return r}function z(n){return"\\"+Un[n]}function W(n){var t=-1,r=Array(n.size);return n.forEach(function(n,e){r[++t]=[e,n];
-}),r}function B(n,t){return function(r){return n(t(r))}}function L(n,t){for(var r=-1,e=n.length,u=0,i=[];++r<e;){var o=n[r];o!==t&&"__lodash_placeholder__"!==o||(n[r]="__lodash_placeholder__",i[u++]=r)}return i}function U(n){var t=-1,r=Array(n.size);return n.forEach(function(n){r[++t]=n}),r}function C(n){var t=-1,r=Array(n.size);return n.forEach(function(n){r[++t]=[n,n]}),r}function D(n){if(Rn.test(n)){for(var t=On.lastIndex=0;On.test(n);)++t;n=t}else n=Qn(n);return n}function M(n){return Rn.test(n)?n.match(On)||[]:n.split("");
-}var T,$=1/0,F=NaN,N=[["ary",128],["bind",1],["bindKey",2],["curry",8],["curryRight",16],["flip",512],["partial",32],["partialRight",64],["rearg",256]],P=/\b__p\+='';/g,Z=/\b(__p\+=)''\+/g,q=/(__e\(.*?\)|\b__t\))\+'';/g,V=/&(?:amp|lt|gt|quot|#39);/g,K=/[&<>"']/g,G=RegExp(V.source),H=RegExp(K.source),J=/<%-([\s\S]+?)%>/g,Y=/<%([\s\S]+?)%>/g,Q=/<%=([\s\S]+?)%>/g,X=/\.|\[(?:[^[\]]*|(["'])(?:(?!\1)[^\\]|\\.)*?\1)\]/,nn=/^\w*$/,tn=/[^.[\]]+|\[(?:(-?\d+(?:\.\d+)?)|(["'])((?:(?!\2)[^\\]|\\.)*?)\2)\]|(?=(?:\.|\[\])(?:\.|\[\]|$))/g,rn=/[\\^$.*+?()[\]{}|]/g,en=RegExp(rn.source),un=/^\s+|\s+$/g,on=/^\s+/,fn=/\s+$/,cn=/\{(?:\n\/\* \[wrapped with .+\] \*\/)?\n?/,an=/\{\n\/\* \[wrapped with (.+)\] \*/,ln=/,? & /,sn=/[^\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]+/g,hn=/\\(\\)?/g,pn=/\$\{([^\\}]*(?:\\.[^\\}]*)*)\}/g,_n=/\w*$/,vn=/^[-+]0x[0-9a-f]+$/i,gn=/^0b[01]+$/i,dn=/^\[object .+?Constructor\]$/,yn=/^0o[0-7]+$/i,bn=/^(?:0|[1-9]\d*)$/,xn=/[\xc0-\xd6\xd8-\xf6\xf8-\xff\u0100-\u017f]/g,jn=/($^)/,wn=/['\n\r\u2028\u2029\\]/g,mn="[\\ufe0e\\ufe0f]?(?:[\\u0300-\\u036f\\ufe20-\\ufe2f\\u20d0-\\u20ff]|\\ud83c[\\udffb-\\udfff])?(?:\\u200d(?:[^\\ud800-\\udfff]|(?:\\ud83c[\\udde6-\\uddff]){2}|[\\ud800-\\udbff][\\udc00-\\udfff])[\\ufe0e\\ufe0f]?(?:[\\u0300-\\u036f\\ufe20-\\ufe2f\\u20d0-\\u20ff]|\\ud83c[\\udffb-\\udfff])?)*",An="(?:[\\u2700-\\u27bf]|(?:\\ud83c[\\udde6-\\uddff]){2}|[\\ud800-\\udbff][\\udc00-\\udfff])"+mn,En="(?:[^\\ud800-\\udfff][\\u0300-\\u036f\\ufe20-\\ufe2f\\u20d0-\\u20ff]?|[\\u0300-\\u036f\\ufe20-\\ufe2f\\u20d0-\\u20ff]|(?:\\ud83c[\\udde6-\\uddff]){2}|[\\ud800-\\udbff][\\udc00-\\udfff]|[\\ud800-\\udfff])",kn=RegExp("['\u2019]","g"),Sn=RegExp("[\\u0300-\\u036f\\ufe20-\\ufe2f\\u20d0-\\u20ff]","g"),On=RegExp("\\ud83c[\\udffb-\\udfff](?=\\ud83c[\\udffb-\\udfff])|"+En+mn,"g"),In=RegExp(["[A-Z\\xc0-\\xd6\\xd8-\\xde]?[a-z\\xdf-\\xf6\\xf8-\\xff]+(?:['\u2019](?:d|ll|m|re|s|t|ve))?(?=[\\xac\\xb1\\xd7\\xf7\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\xbf\\u2000-\\u206f \\t\\x0b\\f\\xa0\\ufeff\\n\\r\\u2028\\u2029\\u1680\\u180e\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200a\\u202f\\u205f\\u3000]|[A-Z\\xc0-\\xd6\\xd8-\\xde]|$)|(?:[A-Z\\xc0-\\xd6\\xd8-\\xde]|[^\\ud800-\\udfff\\xac\\xb1\\xd7\\xf7\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\xbf\\u2000-\\u206f \\t\\x0b\\f\\xa0\\ufeff\\n\\r\\u2028\\u2029\\u1680\\u180e\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200a\\u202f\\u205f\\u3000\\d+\\u2700-\\u27bfa-z\\xdf-\\xf6\\xf8-\\xffA-Z\\xc0-\\xd6\\xd8-\\xde])+(?:['\u2019](?:D|LL|M|RE|S|T|VE))?(?=[\\xac\\xb1\\xd7\\xf7\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\xbf\\u2000-\\u206f \\t\\x0b\\f\\xa0\\ufeff\\n\\r\\u2028\\u2029\\u1680\\u180e\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200a\\u202f\\u205f\\u3000]|[A-Z\\xc0-\\xd6\\xd8-\\xde](?:[a-z\\xdf-\\xf6\\xf8-\\xff]|[^\\ud800-\\udfff\\xac\\xb1\\xd7\\xf7\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\xbf\\u2000-\\u206f \\t\\x0b\\f\\xa0\\ufeff\\n\\r\\u2028\\u2029\\u1680\\u180e\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200a\\u202f\\u205f\\u3000\\d+\\u2700-\\u27bfa-z\\xdf-\\xf6\\xf8-\\xffA-Z\\xc0-\\xd6\\xd8-\\xde])|$)|[A-Z\\xc0-\\xd6\\xd8-\\xde]?(?:[a-z\\xdf-\\xf6\\xf8-\\xff]|[^\\ud800-\\udfff\\xac\\xb1\\xd7\\xf7\\x00-\\x2f\\x3a-\\x40\\x5b-\\x60\\x7b-\\xbf\\u2000-\\u206f \\t\\x0b\\f\\xa0\\ufeff\\n\\r\\u2028\\u2029\\u1680\\u180e\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200a\\u202f\\u205f\\u3000\\d+\\u2700-\\u27bfa-z\\xdf-\\xf6\\xf8-\\xffA-Z\\xc0-\\xd6\\xd8-\\xde])+(?:['\u2019](?:d|ll|m|re|s|t|ve))?|[A-Z\\xc0-\\xd6\\xd8-\\xde]+(?:['\u2019](?:D|LL|M|RE|S|T|VE))?|\\d*(?:1ST|2ND|3RD|(?![123])\\dTH)(?=\\b|[a-z_])|\\d*(?:1st|2nd|3rd|(?![123])\\dth)(?=\\b|[A-Z_])|\\d+",An].join("|"),"g"),Rn=RegExp("[\\u200d\\ud800-\\udfff\\u0300-\\u036f\\ufe20-\\ufe2f\\u20d0-\\u20ff\\ufe0e\\ufe0f]"),zn=/[a-z][A-Z]|[A-Z]{2}[a-z]|[0-9][a-zA-Z]|[a-zA-Z][0-9]|[^a-zA-Z0-9 ]/,Wn="Array Buffer DataView Date Error Float32Array Float64Array Function Int8Array Int16Array Int32Array Map Math Object Promise RegExp Set String Symbol TypeError Uint8Array Uint8ClampedArray Uint16Array Uint32Array WeakMap _ clearTimeout isFinite parseInt setTimeout".split(" "),Bn={};
-Bn["[object Float32Array]"]=Bn["[object Float64Array]"]=Bn["[object Int8Array]"]=Bn["[object Int16Array]"]=Bn["[object Int32Array]"]=Bn["[object Uint8Array]"]=Bn["[object Uint8ClampedArray]"]=Bn["[object Uint16Array]"]=Bn["[object Uint32Array]"]=true,Bn["[object Arguments]"]=Bn["[object Array]"]=Bn["[object ArrayBuffer]"]=Bn["[object Boolean]"]=Bn["[object DataView]"]=Bn["[object Date]"]=Bn["[object Error]"]=Bn["[object Function]"]=Bn["[object Map]"]=Bn["[object Number]"]=Bn["[object Object]"]=Bn["[object RegExp]"]=Bn["[object Set]"]=Bn["[object String]"]=Bn["[object WeakMap]"]=false;
-var Ln={};Ln["[object Arguments]"]=Ln["[object Array]"]=Ln["[object ArrayBuffer]"]=Ln["[object DataView]"]=Ln["[object Boolean]"]=Ln["[object Date]"]=Ln["[object Float32Array]"]=Ln["[object Float64Array]"]=Ln["[object Int8Array]"]=Ln["[object Int16Array]"]=Ln["[object Int32Array]"]=Ln["[object Map]"]=Ln["[object Number]"]=Ln["[object Object]"]=Ln["[object RegExp]"]=Ln["[object Set]"]=Ln["[object String]"]=Ln["[object Symbol]"]=Ln["[object Uint8Array]"]=Ln["[object Uint8ClampedArray]"]=Ln["[object Uint16Array]"]=Ln["[object Uint32Array]"]=true,
-Ln["[object Error]"]=Ln["[object Function]"]=Ln["[object WeakMap]"]=false;var Un={"\\":"\\","'":"'","\n":"n","\r":"r","\u2028":"u2028","\u2029":"u2029"},Cn=parseFloat,Dn=parseInt,Mn=typeof global=="object"&&global&&global.Object===Object&&global,Tn=typeof self=="object"&&self&&self.Object===Object&&self,$n=Mn||Tn||Function("return this")(),Fn=typeof exports=="object"&&exports&&!exports.nodeType&&exports,Nn=Fn&&typeof module=="object"&&module&&!module.nodeType&&module,Pn=Nn&&Nn.exports===Fn,Zn=Pn&&Mn.process,qn=function(){
-try{var n=Nn&&Nn.f&&Nn.f("util").types;return n?n:Zn&&Zn.binding&&Zn.binding("util")}catch(n){}}(),Vn=qn&&qn.isArrayBuffer,Kn=qn&&qn.isDate,Gn=qn&&qn.isMap,Hn=qn&&qn.isRegExp,Jn=qn&&qn.isSet,Yn=qn&&qn.isTypedArray,Qn=b("length"),Xn=x({"\xc0":"A","\xc1":"A","\xc2":"A","\xc3":"A","\xc4":"A","\xc5":"A","\xe0":"a","\xe1":"a","\xe2":"a","\xe3":"a","\xe4":"a","\xe5":"a","\xc7":"C","\xe7":"c","\xd0":"D","\xf0":"d","\xc8":"E","\xc9":"E","\xca":"E","\xcb":"E","\xe8":"e","\xe9":"e","\xea":"e","\xeb":"e","\xcc":"I",
-"\xcd":"I","\xce":"I","\xcf":"I","\xec":"i","\xed":"i","\xee":"i","\xef":"i","\xd1":"N","\xf1":"n","\xd2":"O","\xd3":"O","\xd4":"O","\xd5":"O","\xd6":"O","\xd8":"O","\xf2":"o","\xf3":"o","\xf4":"o","\xf5":"o","\xf6":"o","\xf8":"o","\xd9":"U","\xda":"U","\xdb":"U","\xdc":"U","\xf9":"u","\xfa":"u","\xfb":"u","\xfc":"u","\xdd":"Y","\xfd":"y","\xff":"y","\xc6":"Ae","\xe6":"ae","\xde":"Th","\xfe":"th","\xdf":"ss","\u0100":"A","\u0102":"A","\u0104":"A","\u0101":"a","\u0103":"a","\u0105":"a","\u0106":"C",
-"\u0108":"C","\u010a":"C","\u010c":"C","\u0107":"c","\u0109":"c","\u010b":"c","\u010d":"c","\u010e":"D","\u0110":"D","\u010f":"d","\u0111":"d","\u0112":"E","\u0114":"E","\u0116":"E","\u0118":"E","\u011a":"E","\u0113":"e","\u0115":"e","\u0117":"e","\u0119":"e","\u011b":"e","\u011c":"G","\u011e":"G","\u0120":"G","\u0122":"G","\u011d":"g","\u011f":"g","\u0121":"g","\u0123":"g","\u0124":"H","\u0126":"H","\u0125":"h","\u0127":"h","\u0128":"I","\u012a":"I","\u012c":"I","\u012e":"I","\u0130":"I","\u0129":"i",
-"\u012b":"i","\u012d":"i","\u012f":"i","\u0131":"i","\u0134":"J","\u0135":"j","\u0136":"K","\u0137":"k","\u0138":"k","\u0139":"L","\u013b":"L","\u013d":"L","\u013f":"L","\u0141":"L","\u013a":"l","\u013c":"l","\u013e":"l","\u0140":"l","\u0142":"l","\u0143":"N","\u0145":"N","\u0147":"N","\u014a":"N","\u0144":"n","\u0146":"n","\u0148":"n","\u014b":"n","\u014c":"O","\u014e":"O","\u0150":"O","\u014d":"o","\u014f":"o","\u0151":"o","\u0154":"R","\u0156":"R","\u0158":"R","\u0155":"r","\u0157":"r","\u0159":"r",
-"\u015a":"S","\u015c":"S","\u015e":"S","\u0160":"S","\u015b":"s","\u015d":"s","\u015f":"s","\u0161":"s","\u0162":"T","\u0164":"T","\u0166":"T","\u0163":"t","\u0165":"t","\u0167":"t","\u0168":"U","\u016a":"U","\u016c":"U","\u016e":"U","\u0170":"U","\u0172":"U","\u0169":"u","\u016b":"u","\u016d":"u","\u016f":"u","\u0171":"u","\u0173":"u","\u0174":"W","\u0175":"w","\u0176":"Y","\u0177":"y","\u0178":"Y","\u0179":"Z","\u017b":"Z","\u017d":"Z","\u017a":"z","\u017c":"z","\u017e":"z","\u0132":"IJ","\u0133":"ij",
-"\u0152":"Oe","\u0153":"oe","\u0149":"'n","\u017f":"s"}),nt=x({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"}),tt=x({"&amp;":"&","&lt;":"<","&gt;":">","&quot;":'"',"&#39;":"'"}),rt=function x(mn){function An(n){if(yu(n)&&!ff(n)&&!(n instanceof Un)){if(n instanceof On)return n;if(oi.call(n,"__wrapped__"))return Fe(n)}return new On(n)}function En(){}function On(n,t){this.__wrapped__=n,this.__actions__=[],this.__chain__=!!t,this.__index__=0,this.__values__=T}function Un(n){this.__wrapped__=n,
-this.__actions__=[],this.__dir__=1,this.__filtered__=false,this.__iteratees__=[],this.__takeCount__=4294967295,this.__views__=[]}function Mn(n){var t=-1,r=null==n?0:n.length;for(this.clear();++t<r;){var e=n[t];this.set(e[0],e[1])}}function Tn(n){var t=-1,r=null==n?0:n.length;for(this.clear();++t<r;){var e=n[t];this.set(e[0],e[1])}}function Fn(n){var t=-1,r=null==n?0:n.length;for(this.clear();++t<r;){var e=n[t];this.set(e[0],e[1])}}function Nn(n){var t=-1,r=null==n?0:n.length;for(this.__data__=new Fn;++t<r;)this.add(n[t]);
-}function Zn(n){this.size=(this.__data__=new Tn(n)).size}function qn(n,t){var r,e=ff(n),u=!e&&of(n),i=!e&&!u&&af(n),o=!e&&!u&&!i&&_f(n),u=(e=e||u||i||o)?A(n.length,ni):[],f=u.length;for(r in n)!t&&!oi.call(n,r)||e&&("length"==r||i&&("offset"==r||"parent"==r)||o&&("buffer"==r||"byteLength"==r||"byteOffset"==r)||Se(r,f))||u.push(r);return u}function Qn(n){var t=n.length;return t?n[ir(0,t-1)]:T}function et(n,t){return De(Ur(n),pt(t,0,n.length))}function ut(n){return De(Ur(n))}function it(n,t,r){(r===T||lu(n[t],r))&&(r!==T||t in n)||st(n,t,r);
-}function ot(n,t,r){var e=n[t];oi.call(n,t)&&lu(e,r)&&(r!==T||t in n)||st(n,t,r)}function ft(n,t){for(var r=n.length;r--;)if(lu(n[r][0],t))return r;return-1}function ct(n,t,r,e){return uo(n,function(n,u,i){t(e,n,r(n),i)}),e}function at(n,t){return n&&Cr(t,Wu(t),n)}function lt(n,t){return n&&Cr(t,Bu(t),n)}function st(n,t,r){"__proto__"==t&&Ai?Ai(n,t,{configurable:true,enumerable:true,value:r,writable:true}):n[t]=r}function ht(n,t){for(var r=-1,e=t.length,u=Ku(e),i=null==n;++r<e;)u[r]=i?T:Ru(n,t[r]);return u;
-}function pt(n,t,r){return n===n&&(r!==T&&(n=n<=r?n:r),t!==T&&(n=n>=t?n:t)),n}function _t(n,t,e,u,i,o){var f,c=1&t,a=2&t,l=4&t;if(e&&(f=i?e(n,u,i,o):e(n)),f!==T)return f;if(!du(n))return n;if(u=ff(n)){if(f=me(n),!c)return Ur(n,f)}else{var s=vo(n),h="[object Function]"==s||"[object GeneratorFunction]"==s;if(af(n))return Ir(n,c);if("[object Object]"==s||"[object Arguments]"==s||h&&!i){if(f=a||h?{}:Ae(n),!c)return a?Mr(n,lt(f,n)):Dr(n,at(f,n))}else{if(!Ln[s])return i?n:{};f=Ee(n,s,c)}}if(o||(o=new Zn),
-i=o.get(n))return i;o.set(n,f),pf(n)?n.forEach(function(r){f.add(_t(r,t,e,r,n,o))}):sf(n)&&n.forEach(function(r,u){f.set(u,_t(r,t,e,u,n,o))});var a=l?a?ve:_e:a?Bu:Wu,p=u?T:a(n);return r(p||n,function(r,u){p&&(u=r,r=n[u]),ot(f,u,_t(r,t,e,u,n,o))}),f}function vt(n){var t=Wu(n);return function(r){return gt(r,n,t)}}function gt(n,t,r){var e=r.length;if(null==n)return!e;for(n=Qu(n);e--;){var u=r[e],i=t[u],o=n[u];if(o===T&&!(u in n)||!i(o))return false}return true}function dt(n,t,r){if(typeof n!="function")throw new ti("Expected a function");
-return bo(function(){n.apply(T,r)},t)}function yt(n,t,r,e){var u=-1,i=o,a=true,l=n.length,s=[],h=t.length;if(!l)return s;r&&(t=c(t,k(r))),e?(i=f,a=false):200<=t.length&&(i=O,a=false,t=new Nn(t));n:for(;++u<l;){var p=n[u],_=null==r?p:r(p),p=e||0!==p?p:0;if(a&&_===_){for(var v=h;v--;)if(t[v]===_)continue n;s.push(p)}else i(t,_,e)||s.push(p)}return s}function bt(n,t){var r=true;return uo(n,function(n,e,u){return r=!!t(n,e,u)}),r}function xt(n,t,r){for(var e=-1,u=n.length;++e<u;){var i=n[e],o=t(i);if(null!=o&&(f===T?o===o&&!wu(o):r(o,f)))var f=o,c=i;
-}return c}function jt(n,t){var r=[];return uo(n,function(n,e,u){t(n,e,u)&&r.push(n)}),r}function wt(n,t,r,e,u){var i=-1,o=n.length;for(r||(r=ke),u||(u=[]);++i<o;){var f=n[i];0<t&&r(f)?1<t?wt(f,t-1,r,e,u):a(u,f):e||(u[u.length]=f)}return u}function mt(n,t){return n&&oo(n,t,Wu)}function At(n,t){return n&&fo(n,t,Wu)}function Et(n,t){return i(t,function(t){return _u(n[t])})}function kt(n,t){t=Sr(t,n);for(var r=0,e=t.length;null!=n&&r<e;)n=n[Me(t[r++])];return r&&r==e?n:T}function St(n,t,r){return t=t(n),
-ff(n)?t:a(t,r(n))}function Ot(n){if(null==n)n=n===T?"[object Undefined]":"[object Null]";else if(mi&&mi in Qu(n)){var t=oi.call(n,mi),r=n[mi];try{n[mi]=T;var e=true}catch(n){}var u=ai.call(n);e&&(t?n[mi]=r:delete n[mi]),n=u}else n=ai.call(n);return n}function It(n,t){return n>t}function Rt(n,t){return null!=n&&oi.call(n,t)}function zt(n,t){return null!=n&&t in Qu(n)}function Wt(n,t,r){for(var e=r?f:o,u=n[0].length,i=n.length,a=i,l=Ku(i),s=1/0,h=[];a--;){var p=n[a];a&&t&&(p=c(p,k(t))),s=Ci(p.length,s),
-l[a]=!r&&(t||120<=u&&120<=p.length)?new Nn(a&&p):T}var p=n[0],_=-1,v=l[0];n:for(;++_<u&&h.length<s;){var g=p[_],d=t?t(g):g,g=r||0!==g?g:0;if(v?!O(v,d):!e(h,d,r)){for(a=i;--a;){var y=l[a];if(y?!O(y,d):!e(n[a],d,r))continue n}v&&v.push(d),h.push(g)}}return h}function Bt(n,t,r){var e={};return mt(n,function(n,u,i){t(e,r(n),u,i)}),e}function Lt(t,r,e){return r=Sr(r,t),t=2>r.length?t:kt(t,hr(r,0,-1)),r=null==t?t:t[Me(Ve(r))],null==r?T:n(r,t,e)}function Ut(n){return yu(n)&&"[object Arguments]"==Ot(n)}function Ct(n){
-return yu(n)&&"[object ArrayBuffer]"==Ot(n)}function Dt(n){return yu(n)&&"[object Date]"==Ot(n)}function Mt(n,t,r,e,u){if(n===t)t=true;else if(null==n||null==t||!yu(n)&&!yu(t))t=n!==n&&t!==t;else n:{var i=ff(n),o=ff(t),f=i?"[object Array]":vo(n),c=o?"[object Array]":vo(t),f="[object Arguments]"==f?"[object Object]":f,c="[object Arguments]"==c?"[object Object]":c,a="[object Object]"==f,o="[object Object]"==c;if((c=f==c)&&af(n)){if(!af(t)){t=false;break n}i=true,a=false}if(c&&!a)u||(u=new Zn),t=i||_f(n)?se(n,t,r,e,Mt,u):he(n,t,f,r,e,Mt,u);else{
-if(!(1&r)&&(i=a&&oi.call(n,"__wrapped__"),f=o&&oi.call(t,"__wrapped__"),i||f)){n=i?n.value():n,t=f?t.value():t,u||(u=new Zn),t=Mt(n,t,r,e,u);break n}if(c)t:if(u||(u=new Zn),i=1&r,f=_e(n),o=f.length,c=_e(t).length,o==c||i){for(a=o;a--;){var l=f[a];if(!(i?l in t:oi.call(t,l))){t=false;break t}}if((c=u.get(n))&&u.get(t))t=c==t;else{c=true,u.set(n,t),u.set(t,n);for(var s=i;++a<o;){var l=f[a],h=n[l],p=t[l];if(e)var _=i?e(p,h,l,t,n,u):e(h,p,l,n,t,u);if(_===T?h!==p&&!Mt(h,p,r,e,u):!_){c=false;break}s||(s="constructor"==l);
-}c&&!s&&(r=n.constructor,e=t.constructor,r!=e&&"constructor"in n&&"constructor"in t&&!(typeof r=="function"&&r instanceof r&&typeof e=="function"&&e instanceof e)&&(c=false)),u.delete(n),u.delete(t),t=c}}else t=false;else t=false}}return t}function Tt(n){return yu(n)&&"[object Map]"==vo(n)}function $t(n,t,r,e){var u=r.length,i=u,o=!e;if(null==n)return!i;for(n=Qu(n);u--;){var f=r[u];if(o&&f[2]?f[1]!==n[f[0]]:!(f[0]in n))return false}for(;++u<i;){var f=r[u],c=f[0],a=n[c],l=f[1];if(o&&f[2]){if(a===T&&!(c in n))return false;
-}else{if(f=new Zn,e)var s=e(a,l,c,n,t,f);if(s===T?!Mt(l,a,3,e,f):!s)return false}}return true}function Ft(n){return!(!du(n)||ci&&ci in n)&&(_u(n)?hi:dn).test(Te(n))}function Nt(n){return yu(n)&&"[object RegExp]"==Ot(n)}function Pt(n){return yu(n)&&"[object Set]"==vo(n)}function Zt(n){return yu(n)&&gu(n.length)&&!!Bn[Ot(n)]}function qt(n){return typeof n=="function"?n:null==n?$u:typeof n=="object"?ff(n)?Jt(n[0],n[1]):Ht(n):Zu(n)}function Vt(n){if(!ze(n))return Li(n);var t,r=[];for(t in Qu(n))oi.call(n,t)&&"constructor"!=t&&r.push(t);
-return r}function Kt(n,t){return n<t}function Gt(n,t){var r=-1,e=su(n)?Ku(n.length):[];return uo(n,function(n,u,i){e[++r]=t(n,u,i)}),e}function Ht(n){var t=xe(n);return 1==t.length&&t[0][2]?We(t[0][0],t[0][1]):function(r){return r===n||$t(r,n,t)}}function Jt(n,t){return Ie(n)&&t===t&&!du(t)?We(Me(n),t):function(r){var e=Ru(r,n);return e===T&&e===t?zu(r,n):Mt(t,e,3)}}function Yt(n,t,r,e,u){n!==t&&oo(t,function(i,o){if(u||(u=new Zn),du(i)){var f=u,c=Le(n,o),a=Le(t,o),l=f.get(a);if(l)it(n,o,l);else{
-var l=e?e(c,a,o+"",n,t,f):T,s=l===T;if(s){var h=ff(a),p=!h&&af(a),_=!h&&!p&&_f(a),l=a;h||p||_?ff(c)?l=c:hu(c)?l=Ur(c):p?(s=false,l=Ir(a,true)):_?(s=false,l=zr(a,true)):l=[]:xu(a)||of(a)?(l=c,of(c)?l=Ou(c):du(c)&&!_u(c)||(l=Ae(a))):s=false}s&&(f.set(a,l),Yt(l,a,r,e,f),f.delete(a)),it(n,o,l)}}else f=e?e(Le(n,o),i,o+"",n,t,u):T,f===T&&(f=i),it(n,o,f)},Bu)}function Qt(n,t){var r=n.length;if(r)return t+=0>t?r:0,Se(t,r)?n[t]:T}function Xt(n,t,r){var e=-1;return t=c(t.length?t:[$u],k(ye())),n=Gt(n,function(n){return{
-a:c(t,function(t){return t(n)}),b:++e,c:n}}),w(n,function(n,t){var e;n:{e=-1;for(var u=n.a,i=t.a,o=u.length,f=r.length;++e<o;){var c=Wr(u[e],i[e]);if(c){e=e>=f?c:c*("desc"==r[e]?-1:1);break n}}e=n.b-t.b}return e})}function nr(n,t){return tr(n,t,function(t,r){return zu(n,r)})}function tr(n,t,r){for(var e=-1,u=t.length,i={};++e<u;){var o=t[e],f=kt(n,o);r(f,o)&&lr(i,Sr(o,n),f)}return i}function rr(n){return function(t){return kt(t,n)}}function er(n,t,r,e){var u=e?g:v,i=-1,o=t.length,f=n;for(n===t&&(t=Ur(t)),
-r&&(f=c(n,k(r)));++i<o;)for(var a=0,l=t[i],l=r?r(l):l;-1<(a=u(f,l,a,e));)f!==n&&xi.call(f,a,1),xi.call(n,a,1);return n}function ur(n,t){for(var r=n?t.length:0,e=r-1;r--;){var u=t[r];if(r==e||u!==i){var i=u;Se(u)?xi.call(n,u,1):xr(n,u)}}}function ir(n,t){return n+Ii(Ti()*(t-n+1))}function or(n,t){var r="";if(!n||1>t||9007199254740991<t)return r;do t%2&&(r+=n),(t=Ii(t/2))&&(n+=n);while(t);return r}function fr(n,t){return xo(Be(n,t,$u),n+"")}function cr(n){return Qn(Uu(n))}function ar(n,t){var r=Uu(n);
-return De(r,pt(t,0,r.length))}function lr(n,t,r,e){if(!du(n))return n;t=Sr(t,n);for(var u=-1,i=t.length,o=i-1,f=n;null!=f&&++u<i;){var c=Me(t[u]),a=r;if(u!=o){var l=f[c],a=e?e(l,c,f):T;a===T&&(a=du(l)?l:Se(t[u+1])?[]:{})}ot(f,c,a),f=f[c]}return n}function sr(n){return De(Uu(n))}function hr(n,t,r){var e=-1,u=n.length;for(0>t&&(t=-t>u?0:u+t),r=r>u?u:r,0>r&&(r+=u),u=t>r?0:r-t>>>0,t>>>=0,r=Ku(u);++e<u;)r[e]=n[e+t];return r}function pr(n,t){var r;return uo(n,function(n,e,u){return r=t(n,e,u),!r}),!!r}
-function _r(n,t,r){var e=0,u=null==n?e:n.length;if(typeof t=="number"&&t===t&&2147483647>=u){for(;e<u;){var i=e+u>>>1,o=n[i];null!==o&&!wu(o)&&(r?o<=t:o<t)?e=i+1:u=i}return u}return vr(n,t,$u,r)}function vr(n,t,r,e){t=r(t);for(var u=0,i=null==n?0:n.length,o=t!==t,f=null===t,c=wu(t),a=t===T;u<i;){var l=Ii((u+i)/2),s=r(n[l]),h=s!==T,p=null===s,_=s===s,v=wu(s);(o?e||_:a?_&&(e||h):f?_&&h&&(e||!p):c?_&&h&&!p&&(e||!v):p||v?0:e?s<=t:s<t)?u=l+1:i=l}return Ci(i,4294967294)}function gr(n,t){for(var r=-1,e=n.length,u=0,i=[];++r<e;){
-var o=n[r],f=t?t(o):o;if(!r||!lu(f,c)){var c=f;i[u++]=0===o?0:o}}return i}function dr(n){return typeof n=="number"?n:wu(n)?F:+n}function yr(n){if(typeof n=="string")return n;if(ff(n))return c(n,yr)+"";if(wu(n))return ro?ro.call(n):"";var t=n+"";return"0"==t&&1/n==-$?"-0":t}function br(n,t,r){var e=-1,u=o,i=n.length,c=true,a=[],l=a;if(r)c=false,u=f;else if(200<=i){if(u=t?null:so(n))return U(u);c=false,u=O,l=new Nn}else l=t?[]:a;n:for(;++e<i;){var s=n[e],h=t?t(s):s,s=r||0!==s?s:0;if(c&&h===h){for(var p=l.length;p--;)if(l[p]===h)continue n;
-t&&l.push(h),a.push(s)}else u(l,h,r)||(l!==a&&l.push(h),a.push(s))}return a}function xr(n,t){return t=Sr(t,n),n=2>t.length?n:kt(n,hr(t,0,-1)),null==n||delete n[Me(Ve(t))]}function jr(n,t,r,e){for(var u=n.length,i=e?u:-1;(e?i--:++i<u)&&t(n[i],i,n););return r?hr(n,e?0:i,e?i+1:u):hr(n,e?i+1:0,e?u:i)}function wr(n,t){var r=n;return r instanceof Un&&(r=r.value()),l(t,function(n,t){return t.func.apply(t.thisArg,a([n],t.args))},r)}function mr(n,t,r){var e=n.length;if(2>e)return e?br(n[0]):[];for(var u=-1,i=Ku(e);++u<e;)for(var o=n[u],f=-1;++f<e;)f!=u&&(i[u]=yt(i[u]||o,n[f],t,r));
-return br(wt(i,1),t,r)}function Ar(n,t,r){for(var e=-1,u=n.length,i=t.length,o={};++e<u;)r(o,n[e],e<i?t[e]:T);return o}function Er(n){return hu(n)?n:[]}function kr(n){return typeof n=="function"?n:$u}function Sr(n,t){return ff(n)?n:Ie(n,t)?[n]:jo(Iu(n))}function Or(n,t,r){var e=n.length;return r=r===T?e:r,!t&&r>=e?n:hr(n,t,r)}function Ir(n,t){if(t)return n.slice();var r=n.length,r=gi?gi(r):new n.constructor(r);return n.copy(r),r}function Rr(n){var t=new n.constructor(n.byteLength);return new vi(t).set(new vi(n)),
-t}function zr(n,t){return new n.constructor(t?Rr(n.buffer):n.buffer,n.byteOffset,n.length)}function Wr(n,t){if(n!==t){var r=n!==T,e=null===n,u=n===n,i=wu(n),o=t!==T,f=null===t,c=t===t,a=wu(t);if(!f&&!a&&!i&&n>t||i&&o&&c&&!f&&!a||e&&o&&c||!r&&c||!u)return 1;if(!e&&!i&&!a&&n<t||a&&r&&u&&!e&&!i||f&&r&&u||!o&&u||!c)return-1}return 0}function Br(n,t,r,e){var u=-1,i=n.length,o=r.length,f=-1,c=t.length,a=Ui(i-o,0),l=Ku(c+a);for(e=!e;++f<c;)l[f]=t[f];for(;++u<o;)(e||u<i)&&(l[r[u]]=n[u]);for(;a--;)l[f++]=n[u++];
-return l}function Lr(n,t,r,e){var u=-1,i=n.length,o=-1,f=r.length,c=-1,a=t.length,l=Ui(i-f,0),s=Ku(l+a);for(e=!e;++u<l;)s[u]=n[u];for(l=u;++c<a;)s[l+c]=t[c];for(;++o<f;)(e||u<i)&&(s[l+r[o]]=n[u++]);return s}function Ur(n,t){var r=-1,e=n.length;for(t||(t=Ku(e));++r<e;)t[r]=n[r];return t}function Cr(n,t,r,e){var u=!r;r||(r={});for(var i=-1,o=t.length;++i<o;){var f=t[i],c=e?e(r[f],n[f],f,r,n):T;c===T&&(c=n[f]),u?st(r,f,c):ot(r,f,c)}return r}function Dr(n,t){return Cr(n,po(n),t)}function Mr(n,t){return Cr(n,_o(n),t);
-}function Tr(n,r){return function(e,u){var i=ff(e)?t:ct,o=r?r():{};return i(e,n,ye(u,2),o)}}function $r(n){return fr(function(t,r){var e=-1,u=r.length,i=1<u?r[u-1]:T,o=2<u?r[2]:T,i=3<n.length&&typeof i=="function"?(u--,i):T;for(o&&Oe(r[0],r[1],o)&&(i=3>u?T:i,u=1),t=Qu(t);++e<u;)(o=r[e])&&n(t,o,e,i);return t})}function Fr(n,t){return function(r,e){if(null==r)return r;if(!su(r))return n(r,e);for(var u=r.length,i=t?u:-1,o=Qu(r);(t?i--:++i<u)&&false!==e(o[i],i,o););return r}}function Nr(n){return function(t,r,e){
-var u=-1,i=Qu(t);e=e(t);for(var o=e.length;o--;){var f=e[n?o:++u];if(false===r(i[f],f,i))break}return t}}function Pr(n,t,r){function e(){return(this&&this!==$n&&this instanceof e?i:n).apply(u?r:this,arguments)}var u=1&t,i=Vr(n);return e}function Zr(n){return function(t){t=Iu(t);var r=Rn.test(t)?M(t):T,e=r?r[0]:t.charAt(0);return t=r?Or(r,1).join(""):t.slice(1),e[n]()+t}}function qr(n){return function(t){return l(Mu(Du(t).replace(kn,"")),n,"")}}function Vr(n){return function(){var t=arguments;switch(t.length){
-case 0:return new n;case 1:return new n(t[0]);case 2:return new n(t[0],t[1]);case 3:return new n(t[0],t[1],t[2]);case 4:return new n(t[0],t[1],t[2],t[3]);case 5:return new n(t[0],t[1],t[2],t[3],t[4]);case 6:return new n(t[0],t[1],t[2],t[3],t[4],t[5]);case 7:return new n(t[0],t[1],t[2],t[3],t[4],t[5],t[6])}var r=eo(n.prototype),t=n.apply(r,t);return du(t)?t:r}}function Kr(t,r,e){function u(){for(var o=arguments.length,f=Ku(o),c=o,a=de(u);c--;)f[c]=arguments[c];return c=3>o&&f[0]!==a&&f[o-1]!==a?[]:L(f,a),
-o-=c.length,o<e?ue(t,r,Jr,u.placeholder,T,f,c,T,T,e-o):n(this&&this!==$n&&this instanceof u?i:t,this,f)}var i=Vr(t);return u}function Gr(n){return function(t,r,e){var u=Qu(t);if(!su(t)){var i=ye(r,3);t=Wu(t),r=function(n){return i(u[n],n,u)}}return r=n(t,r,e),-1<r?u[i?t[r]:r]:T}}function Hr(n){return pe(function(t){var r=t.length,e=r,u=On.prototype.thru;for(n&&t.reverse();e--;){var i=t[e];if(typeof i!="function")throw new ti("Expected a function");if(u&&!o&&"wrapper"==ge(i))var o=new On([],true)}for(e=o?e:r;++e<r;)var i=t[e],u=ge(i),f="wrapper"==u?ho(i):T,o=f&&Re(f[0])&&424==f[1]&&!f[4].length&&1==f[9]?o[ge(f[0])].apply(o,f[3]):1==i.length&&Re(i)?o[u]():o.thru(i);
-return function(){var n=arguments,e=n[0];if(o&&1==n.length&&ff(e))return o.plant(e).value();for(var u=0,n=r?t[u].apply(this,n):e;++u<r;)n=t[u].call(this,n);return n}})}function Jr(n,t,r,e,u,i,o,f,c,a){function l(){for(var d=arguments.length,y=Ku(d),b=d;b--;)y[b]=arguments[b];if(_){var x,j=de(l),b=y.length;for(x=0;b--;)y[b]===j&&++x}if(e&&(y=Br(y,e,u,_)),i&&(y=Lr(y,i,o,_)),d-=x,_&&d<a)return j=L(y,j),ue(n,t,Jr,l.placeholder,r,y,j,f,c,a-d);if(j=h?r:this,b=p?j[n]:n,d=y.length,f){x=y.length;for(var w=Ci(f.length,x),m=Ur(y);w--;){
-var A=f[w];y[w]=Se(A,x)?m[A]:T}}else v&&1<d&&y.reverse();return s&&c<d&&(y.length=c),this&&this!==$n&&this instanceof l&&(b=g||Vr(b)),b.apply(j,y)}var s=128&t,h=1&t,p=2&t,_=24&t,v=512&t,g=p?T:Vr(n);return l}function Yr(n,t){return function(r,e){return Bt(r,n,t(e))}}function Qr(n,t){return function(r,e){var u;if(r===T&&e===T)return t;if(r!==T&&(u=r),e!==T){if(u===T)return e;typeof r=="string"||typeof e=="string"?(r=yr(r),e=yr(e)):(r=dr(r),e=dr(e)),u=n(r,e)}return u}}function Xr(t){return pe(function(r){
-return r=c(r,k(ye())),fr(function(e){var u=this;return t(r,function(t){return n(t,u,e)})})})}function ne(n,t){t=t===T?" ":yr(t);var r=t.length;return 2>r?r?or(t,n):t:(r=or(t,Oi(n/D(t))),Rn.test(t)?Or(M(r),0,n).join(""):r.slice(0,n))}function te(t,r,e,u){function i(){for(var r=-1,c=arguments.length,a=-1,l=u.length,s=Ku(l+c),h=this&&this!==$n&&this instanceof i?f:t;++a<l;)s[a]=u[a];for(;c--;)s[a++]=arguments[++r];return n(h,o?e:this,s)}var o=1&r,f=Vr(t);return i}function re(n){return function(t,r,e){
-e&&typeof e!="number"&&Oe(t,r,e)&&(r=e=T),t=Au(t),r===T?(r=t,t=0):r=Au(r),e=e===T?t<r?1:-1:Au(e);var u=-1;r=Ui(Oi((r-t)/(e||1)),0);for(var i=Ku(r);r--;)i[n?r:++u]=t,t+=e;return i}}function ee(n){return function(t,r){return typeof t=="string"&&typeof r=="string"||(t=Su(t),r=Su(r)),n(t,r)}}function ue(n,t,r,e,u,i,o,f,c,a){var l=8&t,s=l?o:T;o=l?T:o;var h=l?i:T;return i=l?T:i,t=(t|(l?32:64))&~(l?64:32),4&t||(t&=-4),u=[n,t,u,h,s,i,o,f,c,a],r=r.apply(T,u),Re(n)&&yo(r,u),r.placeholder=e,Ue(r,n,t)}function ie(n){
-var t=Yu[n];return function(n,r){if(n=Su(n),(r=null==r?0:Ci(Eu(r),292))&&Wi(n)){var e=(Iu(n)+"e").split("e"),e=t(e[0]+"e"+(+e[1]+r)),e=(Iu(e)+"e").split("e");return+(e[0]+"e"+(+e[1]-r))}return t(n)}}function oe(n){return function(t){var r=vo(t);return"[object Map]"==r?W(t):"[object Set]"==r?C(t):E(t,n(t))}}function fe(n,t,r,e,u,i,o,f){var c=2&t;if(!c&&typeof n!="function")throw new ti("Expected a function");var a=e?e.length:0;if(a||(t&=-97,e=u=T),o=o===T?o:Ui(Eu(o),0),f=f===T?f:Eu(f),a-=u?u.length:0,
-64&t){var l=e,s=u;e=u=T}var h=c?T:ho(n);return i=[n,t,r,e,u,l,s,i,o,f],h&&(r=i[1],n=h[1],t=r|n,e=128==n&&8==r||128==n&&256==r&&i[7].length<=h[8]||384==n&&h[7].length<=h[8]&&8==r,131>t||e)&&(1&n&&(i[2]=h[2],t|=1&r?0:4),(r=h[3])&&(e=i[3],i[3]=e?Br(e,r,h[4]):r,i[4]=e?L(i[3],"__lodash_placeholder__"):h[4]),(r=h[5])&&(e=i[5],i[5]=e?Lr(e,r,h[6]):r,i[6]=e?L(i[5],"__lodash_placeholder__"):h[6]),(r=h[7])&&(i[7]=r),128&n&&(i[8]=null==i[8]?h[8]:Ci(i[8],h[8])),null==i[9]&&(i[9]=h[9]),i[0]=h[0],i[1]=t),n=i[0],
-t=i[1],r=i[2],e=i[3],u=i[4],f=i[9]=i[9]===T?c?0:n.length:Ui(i[9]-a,0),!f&&24&t&&(t&=-25),Ue((h?co:yo)(t&&1!=t?8==t||16==t?Kr(n,t,f):32!=t&&33!=t||u.length?Jr.apply(T,i):te(n,t,r,e):Pr(n,t,r),i),n,t)}function ce(n,t,r,e){return n===T||lu(n,ei[r])&&!oi.call(e,r)?t:n}function ae(n,t,r,e,u,i){return du(n)&&du(t)&&(i.set(t,n),Yt(n,t,T,ae,i),i.delete(t)),n}function le(n){return xu(n)?T:n}function se(n,t,r,e,u,i){var o=1&r,f=n.length,c=t.length;if(f!=c&&!(o&&c>f))return false;if((c=i.get(n))&&i.get(t))return c==t;
-var c=-1,a=true,l=2&r?new Nn:T;for(i.set(n,t),i.set(t,n);++c<f;){var s=n[c],p=t[c];if(e)var _=o?e(p,s,c,t,n,i):e(s,p,c,n,t,i);if(_!==T){if(_)continue;a=false;break}if(l){if(!h(t,function(n,t){if(!O(l,t)&&(s===n||u(s,n,r,e,i)))return l.push(t)})){a=false;break}}else if(s!==p&&!u(s,p,r,e,i)){a=false;break}}return i.delete(n),i.delete(t),a}function he(n,t,r,e,u,i,o){switch(r){case"[object DataView]":if(n.byteLength!=t.byteLength||n.byteOffset!=t.byteOffset)break;n=n.buffer,t=t.buffer;case"[object ArrayBuffer]":
-if(n.byteLength!=t.byteLength||!i(new vi(n),new vi(t)))break;return true;case"[object Boolean]":case"[object Date]":case"[object Number]":return lu(+n,+t);case"[object Error]":return n.name==t.name&&n.message==t.message;case"[object RegExp]":case"[object String]":return n==t+"";case"[object Map]":var f=W;case"[object Set]":if(f||(f=U),n.size!=t.size&&!(1&e))break;return(r=o.get(n))?r==t:(e|=2,o.set(n,t),t=se(f(n),f(t),e,u,i,o),o.delete(n),t);case"[object Symbol]":if(to)return to.call(n)==to.call(t)}
-return false}function pe(n){return xo(Be(n,T,Ze),n+"")}function _e(n){return St(n,Wu,po)}function ve(n){return St(n,Bu,_o)}function ge(n){for(var t=n.name+"",r=Gi[t],e=oi.call(Gi,t)?r.length:0;e--;){var u=r[e],i=u.func;if(null==i||i==n)return u.name}return t}function de(n){return(oi.call(An,"placeholder")?An:n).placeholder}function ye(){var n=An.iteratee||Fu,n=n===Fu?qt:n;return arguments.length?n(arguments[0],arguments[1]):n}function be(n,t){var r=n.__data__,e=typeof t;return("string"==e||"number"==e||"symbol"==e||"boolean"==e?"__proto__"!==t:null===t)?r[typeof t=="string"?"string":"hash"]:r.map;
-}function xe(n){for(var t=Wu(n),r=t.length;r--;){var e=t[r],u=n[e];t[r]=[e,u,u===u&&!du(u)]}return t}function je(n,t){var r=null==n?T:n[t];return Ft(r)?r:T}function we(n,t,r){t=Sr(t,n);for(var e=-1,u=t.length,i=false;++e<u;){var o=Me(t[e]);if(!(i=null!=n&&r(n,o)))break;n=n[o]}return i||++e!=u?i:(u=null==n?0:n.length,!!u&&gu(u)&&Se(o,u)&&(ff(n)||of(n)))}function me(n){var t=n.length,r=new n.constructor(t);return t&&"string"==typeof n[0]&&oi.call(n,"index")&&(r.index=n.index,r.input=n.input),r}function Ae(n){
-return typeof n.constructor!="function"||ze(n)?{}:eo(di(n))}function Ee(n,t,r){var e=n.constructor;switch(t){case"[object ArrayBuffer]":return Rr(n);case"[object Boolean]":case"[object Date]":return new e(+n);case"[object DataView]":return t=r?Rr(n.buffer):n.buffer,new n.constructor(t,n.byteOffset,n.byteLength);case"[object Float32Array]":case"[object Float64Array]":case"[object Int8Array]":case"[object Int16Array]":case"[object Int32Array]":case"[object Uint8Array]":case"[object Uint8ClampedArray]":
-case"[object Uint16Array]":case"[object Uint32Array]":return zr(n,r);case"[object Map]":return new e;case"[object Number]":case"[object String]":return new e(n);case"[object RegExp]":return t=new n.constructor(n.source,_n.exec(n)),t.lastIndex=n.lastIndex,t;case"[object Set]":return new e;case"[object Symbol]":return to?Qu(to.call(n)):{}}}function ke(n){return ff(n)||of(n)||!!(ji&&n&&n[ji])}function Se(n,t){var r=typeof n;return t=null==t?9007199254740991:t,!!t&&("number"==r||"symbol"!=r&&bn.test(n))&&-1<n&&0==n%1&&n<t;
-}function Oe(n,t,r){if(!du(r))return false;var e=typeof t;return!!("number"==e?su(r)&&Se(t,r.length):"string"==e&&t in r)&&lu(r[t],n)}function Ie(n,t){if(ff(n))return false;var r=typeof n;return!("number"!=r&&"symbol"!=r&&"boolean"!=r&&null!=n&&!wu(n))||(nn.test(n)||!X.test(n)||null!=t&&n in Qu(t))}function Re(n){var t=ge(n),r=An[t];return typeof r=="function"&&t in Un.prototype&&(n===r||(t=ho(r),!!t&&n===t[0]))}function ze(n){var t=n&&n.constructor;return n===(typeof t=="function"&&t.prototype||ei)}function We(n,t){
-return function(r){return null!=r&&(r[n]===t&&(t!==T||n in Qu(r)))}}function Be(t,r,e){return r=Ui(r===T?t.length-1:r,0),function(){for(var u=arguments,i=-1,o=Ui(u.length-r,0),f=Ku(o);++i<o;)f[i]=u[r+i];for(i=-1,o=Ku(r+1);++i<r;)o[i]=u[i];return o[r]=e(f),n(t,this,o)}}function Le(n,t){if(("constructor"!==t||"function"!=typeof n[t])&&"__proto__"!=t)return n[t]}function Ue(n,t,r){var e=t+"";t=xo;var u,i=$e;return u=(u=e.match(an))?u[1].split(ln):[],r=i(u,r),(i=r.length)&&(u=i-1,r[u]=(1<i?"& ":"")+r[u],
-r=r.join(2<i?", ":" "),e=e.replace(cn,"{\n/* [wrapped with "+r+"] */\n")),t(n,e)}function Ce(n){var t=0,r=0;return function(){var e=Di(),u=16-(e-r);if(r=e,0<u){if(800<=++t)return arguments[0]}else t=0;return n.apply(T,arguments)}}function De(n,t){var r=-1,e=n.length,u=e-1;for(t=t===T?e:t;++r<t;){var e=ir(r,u),i=n[e];n[e]=n[r],n[r]=i}return n.length=t,n}function Me(n){if(typeof n=="string"||wu(n))return n;var t=n+"";return"0"==t&&1/n==-$?"-0":t}function Te(n){if(null!=n){try{return ii.call(n)}catch(n){}
-return n+""}return""}function $e(n,t){return r(N,function(r){var e="_."+r[0];t&r[1]&&!o(n,e)&&n.push(e)}),n.sort()}function Fe(n){if(n instanceof Un)return n.clone();var t=new On(n.__wrapped__,n.__chain__);return t.__actions__=Ur(n.__actions__),t.__index__=n.__index__,t.__values__=n.__values__,t}function Ne(n,t,r){var e=null==n?0:n.length;return e?(r=null==r?0:Eu(r),0>r&&(r=Ui(e+r,0)),_(n,ye(t,3),r)):-1}function Pe(n,t,r){var e=null==n?0:n.length;if(!e)return-1;var u=e-1;return r!==T&&(u=Eu(r),u=0>r?Ui(e+u,0):Ci(u,e-1)),
-_(n,ye(t,3),u,true)}function Ze(n){return(null==n?0:n.length)?wt(n,1):[]}function qe(n){return n&&n.length?n[0]:T}function Ve(n){var t=null==n?0:n.length;return t?n[t-1]:T}function Ke(n,t){return n&&n.length&&t&&t.length?er(n,t):n}function Ge(n){return null==n?n:$i.call(n)}function He(n){if(!n||!n.length)return[];var t=0;return n=i(n,function(n){if(hu(n))return t=Ui(n.length,t),true}),A(t,function(t){return c(n,b(t))})}function Je(t,r){if(!t||!t.length)return[];var e=He(t);return null==r?e:c(e,function(t){
-return n(r,T,t)})}function Ye(n){return n=An(n),n.__chain__=true,n}function Qe(n,t){return t(n)}function Xe(){return this}function nu(n,t){return(ff(n)?r:uo)(n,ye(t,3))}function tu(n,t){return(ff(n)?e:io)(n,ye(t,3))}function ru(n,t){return(ff(n)?c:Gt)(n,ye(t,3))}function eu(n,t,r){return t=r?T:t,t=n&&null==t?n.length:t,fe(n,128,T,T,T,T,t)}function uu(n,t){var r;if(typeof t!="function")throw new ti("Expected a function");return n=Eu(n),function(){return 0<--n&&(r=t.apply(this,arguments)),1>=n&&(t=T),
-r}}function iu(n,t,r){return t=r?T:t,n=fe(n,8,T,T,T,T,T,t),n.placeholder=iu.placeholder,n}function ou(n,t,r){return t=r?T:t,n=fe(n,16,T,T,T,T,T,t),n.placeholder=ou.placeholder,n}function fu(n,t,r){function e(t){var r=c,e=a;return c=a=T,_=t,s=n.apply(e,r)}function u(n){var r=n-p;return n-=_,p===T||r>=t||0>r||g&&n>=l}function i(){var n=Go();if(u(n))return o(n);var r,e=bo;r=n-_,n=t-(n-p),r=g?Ci(n,l-r):n,h=e(i,r)}function o(n){return h=T,d&&c?e(n):(c=a=T,s)}function f(){var n=Go(),r=u(n);if(c=arguments,
-a=this,p=n,r){if(h===T)return _=n=p,h=bo(i,t),v?e(n):s;if(g)return lo(h),h=bo(i,t),e(p)}return h===T&&(h=bo(i,t)),s}var c,a,l,s,h,p,_=0,v=false,g=false,d=true;if(typeof n!="function")throw new ti("Expected a function");return t=Su(t)||0,du(r)&&(v=!!r.leading,l=(g="maxWait"in r)?Ui(Su(r.maxWait)||0,t):l,d="trailing"in r?!!r.trailing:d),f.cancel=function(){h!==T&&lo(h),_=0,c=p=a=h=T},f.flush=function(){return h===T?s:o(Go())},f}function cu(n,t){function r(){var e=arguments,u=t?t.apply(this,e):e[0],i=r.cache;
-return i.has(u)?i.get(u):(e=n.apply(this,e),r.cache=i.set(u,e)||i,e)}if(typeof n!="function"||null!=t&&typeof t!="function")throw new ti("Expected a function");return r.cache=new(cu.Cache||Fn),r}function au(n){if(typeof n!="function")throw new ti("Expected a function");return function(){var t=arguments;switch(t.length){case 0:return!n.call(this);case 1:return!n.call(this,t[0]);case 2:return!n.call(this,t[0],t[1]);case 3:return!n.call(this,t[0],t[1],t[2])}return!n.apply(this,t)}}function lu(n,t){return n===t||n!==n&&t!==t;
-}function su(n){return null!=n&&gu(n.length)&&!_u(n)}function hu(n){return yu(n)&&su(n)}function pu(n){if(!yu(n))return false;var t=Ot(n);return"[object Error]"==t||"[object DOMException]"==t||typeof n.message=="string"&&typeof n.name=="string"&&!xu(n)}function _u(n){return!!du(n)&&(n=Ot(n),"[object Function]"==n||"[object GeneratorFunction]"==n||"[object AsyncFunction]"==n||"[object Proxy]"==n)}function vu(n){return typeof n=="number"&&n==Eu(n)}function gu(n){return typeof n=="number"&&-1<n&&0==n%1&&9007199254740991>=n;
-}function du(n){var t=typeof n;return null!=n&&("object"==t||"function"==t)}function yu(n){return null!=n&&typeof n=="object"}function bu(n){return typeof n=="number"||yu(n)&&"[object Number]"==Ot(n)}function xu(n){return!(!yu(n)||"[object Object]"!=Ot(n))&&(n=di(n),null===n||(n=oi.call(n,"constructor")&&n.constructor,typeof n=="function"&&n instanceof n&&ii.call(n)==li))}function ju(n){return typeof n=="string"||!ff(n)&&yu(n)&&"[object String]"==Ot(n)}function wu(n){return typeof n=="symbol"||yu(n)&&"[object Symbol]"==Ot(n);
-}function mu(n){if(!n)return[];if(su(n))return ju(n)?M(n):Ur(n);if(wi&&n[wi]){n=n[wi]();for(var t,r=[];!(t=n.next()).done;)r.push(t.value);return r}return t=vo(n),("[object Map]"==t?W:"[object Set]"==t?U:Uu)(n)}function Au(n){return n?(n=Su(n),n===$||n===-$?1.7976931348623157e308*(0>n?-1:1):n===n?n:0):0===n?n:0}function Eu(n){n=Au(n);var t=n%1;return n===n?t?n-t:n:0}function ku(n){return n?pt(Eu(n),0,4294967295):0}function Su(n){if(typeof n=="number")return n;if(wu(n))return F;if(du(n)&&(n=typeof n.valueOf=="function"?n.valueOf():n,
-n=du(n)?n+"":n),typeof n!="string")return 0===n?n:+n;n=n.replace(un,"");var t=gn.test(n);return t||yn.test(n)?Dn(n.slice(2),t?2:8):vn.test(n)?F:+n}function Ou(n){return Cr(n,Bu(n))}function Iu(n){return null==n?"":yr(n)}function Ru(n,t,r){return n=null==n?T:kt(n,t),n===T?r:n}function zu(n,t){return null!=n&&we(n,t,zt)}function Wu(n){return su(n)?qn(n):Vt(n)}function Bu(n){if(su(n))n=qn(n,true);else if(du(n)){var t,r=ze(n),e=[];for(t in n)("constructor"!=t||!r&&oi.call(n,t))&&e.push(t);n=e}else{if(t=[],
-null!=n)for(r in Qu(n))t.push(r);n=t}return n}function Lu(n,t){if(null==n)return{};var r=c(ve(n),function(n){return[n]});return t=ye(t),tr(n,r,function(n,r){return t(n,r[0])})}function Uu(n){return null==n?[]:S(n,Wu(n))}function Cu(n){return $f(Iu(n).toLowerCase())}function Du(n){return(n=Iu(n))&&n.replace(xn,Xn).replace(Sn,"")}function Mu(n,t,r){return n=Iu(n),t=r?T:t,t===T?zn.test(n)?n.match(In)||[]:n.match(sn)||[]:n.match(t)||[]}function Tu(n){return function(){return n}}function $u(n){return n;
-}function Fu(n){return qt(typeof n=="function"?n:_t(n,1))}function Nu(n,t,e){var u=Wu(t),i=Et(t,u);null!=e||du(t)&&(i.length||!u.length)||(e=t,t=n,n=this,i=Et(t,Wu(t)));var o=!(du(e)&&"chain"in e&&!e.chain),f=_u(n);return r(i,function(r){var e=t[r];n[r]=e,f&&(n.prototype[r]=function(){var t=this.__chain__;if(o||t){var r=n(this.__wrapped__);return(r.__actions__=Ur(this.__actions__)).push({func:e,args:arguments,thisArg:n}),r.__chain__=t,r}return e.apply(n,a([this.value()],arguments))})}),n}function Pu(){}
-function Zu(n){return Ie(n)?b(Me(n)):rr(n)}function qu(){return[]}function Vu(){return false}mn=null==mn?$n:rt.defaults($n.Object(),mn,rt.pick($n,Wn));var Ku=mn.Array,Gu=mn.Date,Hu=mn.Error,Ju=mn.Function,Yu=mn.Math,Qu=mn.Object,Xu=mn.RegExp,ni=mn.String,ti=mn.TypeError,ri=Ku.prototype,ei=Qu.prototype,ui=mn["__core-js_shared__"],ii=Ju.prototype.toString,oi=ei.hasOwnProperty,fi=0,ci=function(){var n=/[^.]+$/.exec(ui&&ui.keys&&ui.keys.IE_PROTO||"");return n?"Symbol(src)_1."+n:""}(),ai=ei.toString,li=ii.call(Qu),si=$n._,hi=Xu("^"+ii.call(oi).replace(rn,"\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g,"$1.*?")+"$"),pi=Pn?mn.Buffer:T,_i=mn.Symbol,vi=mn.Uint8Array,gi=pi?pi.g:T,di=B(Qu.getPrototypeOf,Qu),yi=Qu.create,bi=ei.propertyIsEnumerable,xi=ri.splice,ji=_i?_i.isConcatSpreadable:T,wi=_i?_i.iterator:T,mi=_i?_i.toStringTag:T,Ai=function(){
-try{var n=je(Qu,"defineProperty");return n({},"",{}),n}catch(n){}}(),Ei=mn.clearTimeout!==$n.clearTimeout&&mn.clearTimeout,ki=Gu&&Gu.now!==$n.Date.now&&Gu.now,Si=mn.setTimeout!==$n.setTimeout&&mn.setTimeout,Oi=Yu.ceil,Ii=Yu.floor,Ri=Qu.getOwnPropertySymbols,zi=pi?pi.isBuffer:T,Wi=mn.isFinite,Bi=ri.join,Li=B(Qu.keys,Qu),Ui=Yu.max,Ci=Yu.min,Di=Gu.now,Mi=mn.parseInt,Ti=Yu.random,$i=ri.reverse,Fi=je(mn,"DataView"),Ni=je(mn,"Map"),Pi=je(mn,"Promise"),Zi=je(mn,"Set"),qi=je(mn,"WeakMap"),Vi=je(Qu,"create"),Ki=qi&&new qi,Gi={},Hi=Te(Fi),Ji=Te(Ni),Yi=Te(Pi),Qi=Te(Zi),Xi=Te(qi),no=_i?_i.prototype:T,to=no?no.valueOf:T,ro=no?no.toString:T,eo=function(){
-function n(){}return function(t){return du(t)?yi?yi(t):(n.prototype=t,t=new n,n.prototype=T,t):{}}}();An.templateSettings={escape:J,evaluate:Y,interpolate:Q,variable:"",imports:{_:An}},An.prototype=En.prototype,An.prototype.constructor=An,On.prototype=eo(En.prototype),On.prototype.constructor=On,Un.prototype=eo(En.prototype),Un.prototype.constructor=Un,Mn.prototype.clear=function(){this.__data__=Vi?Vi(null):{},this.size=0},Mn.prototype.delete=function(n){return n=this.has(n)&&delete this.__data__[n],
-this.size-=n?1:0,n},Mn.prototype.get=function(n){var t=this.__data__;return Vi?(n=t[n],"__lodash_hash_undefined__"===n?T:n):oi.call(t,n)?t[n]:T},Mn.prototype.has=function(n){var t=this.__data__;return Vi?t[n]!==T:oi.call(t,n)},Mn.prototype.set=function(n,t){var r=this.__data__;return this.size+=this.has(n)?0:1,r[n]=Vi&&t===T?"__lodash_hash_undefined__":t,this},Tn.prototype.clear=function(){this.__data__=[],this.size=0},Tn.prototype.delete=function(n){var t=this.__data__;return n=ft(t,n),!(0>n)&&(n==t.length-1?t.pop():xi.call(t,n,1),
---this.size,true)},Tn.prototype.get=function(n){var t=this.__data__;return n=ft(t,n),0>n?T:t[n][1]},Tn.prototype.has=function(n){return-1<ft(this.__data__,n)},Tn.prototype.set=function(n,t){var r=this.__data__,e=ft(r,n);return 0>e?(++this.size,r.push([n,t])):r[e][1]=t,this},Fn.prototype.clear=function(){this.size=0,this.__data__={hash:new Mn,map:new(Ni||Tn),string:new Mn}},Fn.prototype.delete=function(n){return n=be(this,n).delete(n),this.size-=n?1:0,n},Fn.prototype.get=function(n){return be(this,n).get(n);
-},Fn.prototype.has=function(n){return be(this,n).has(n)},Fn.prototype.set=function(n,t){var r=be(this,n),e=r.size;return r.set(n,t),this.size+=r.size==e?0:1,this},Nn.prototype.add=Nn.prototype.push=function(n){return this.__data__.set(n,"__lodash_hash_undefined__"),this},Nn.prototype.has=function(n){return this.__data__.has(n)},Zn.prototype.clear=function(){this.__data__=new Tn,this.size=0},Zn.prototype.delete=function(n){var t=this.__data__;return n=t.delete(n),this.size=t.size,n},Zn.prototype.get=function(n){
-return this.__data__.get(n)},Zn.prototype.has=function(n){return this.__data__.has(n)},Zn.prototype.set=function(n,t){var r=this.__data__;if(r instanceof Tn){var e=r.__data__;if(!Ni||199>e.length)return e.push([n,t]),this.size=++r.size,this;r=this.__data__=new Fn(e)}return r.set(n,t),this.size=r.size,this};var uo=Fr(mt),io=Fr(At,true),oo=Nr(),fo=Nr(true),co=Ki?function(n,t){return Ki.set(n,t),n}:$u,ao=Ai?function(n,t){return Ai(n,"toString",{configurable:true,enumerable:false,value:Tu(t),writable:true})}:$u,lo=Ei||function(n){
-return $n.clearTimeout(n)},so=Zi&&1/U(new Zi([,-0]))[1]==$?function(n){return new Zi(n)}:Pu,ho=Ki?function(n){return Ki.get(n)}:Pu,po=Ri?function(n){return null==n?[]:(n=Qu(n),i(Ri(n),function(t){return bi.call(n,t)}))}:qu,_o=Ri?function(n){for(var t=[];n;)a(t,po(n)),n=di(n);return t}:qu,vo=Ot;(Fi&&"[object DataView]"!=vo(new Fi(new ArrayBuffer(1)))||Ni&&"[object Map]"!=vo(new Ni)||Pi&&"[object Promise]"!=vo(Pi.resolve())||Zi&&"[object Set]"!=vo(new Zi)||qi&&"[object WeakMap]"!=vo(new qi))&&(vo=function(n){
-var t=Ot(n);if(n=(n="[object Object]"==t?n.constructor:T)?Te(n):"")switch(n){case Hi:return"[object DataView]";case Ji:return"[object Map]";case Yi:return"[object Promise]";case Qi:return"[object Set]";case Xi:return"[object WeakMap]"}return t});var go=ui?_u:Vu,yo=Ce(co),bo=Si||function(n,t){return $n.setTimeout(n,t)},xo=Ce(ao),jo=function(n){n=cu(n,function(n){return 500===t.size&&t.clear(),n});var t=n.cache;return n}(function(n){var t=[];return 46===n.charCodeAt(0)&&t.push(""),n.replace(tn,function(n,r,e,u){
-t.push(e?u.replace(hn,"$1"):r||n)}),t}),wo=fr(function(n,t){return hu(n)?yt(n,wt(t,1,hu,true)):[]}),mo=fr(function(n,t){var r=Ve(t);return hu(r)&&(r=T),hu(n)?yt(n,wt(t,1,hu,true),ye(r,2)):[]}),Ao=fr(function(n,t){var r=Ve(t);return hu(r)&&(r=T),hu(n)?yt(n,wt(t,1,hu,true),T,r):[]}),Eo=fr(function(n){var t=c(n,Er);return t.length&&t[0]===n[0]?Wt(t):[]}),ko=fr(function(n){var t=Ve(n),r=c(n,Er);return t===Ve(r)?t=T:r.pop(),r.length&&r[0]===n[0]?Wt(r,ye(t,2)):[]}),So=fr(function(n){var t=Ve(n),r=c(n,Er);return(t=typeof t=="function"?t:T)&&r.pop(),
-r.length&&r[0]===n[0]?Wt(r,T,t):[]}),Oo=fr(Ke),Io=pe(function(n,t){var r=null==n?0:n.length,e=ht(n,t);return ur(n,c(t,function(n){return Se(n,r)?+n:n}).sort(Wr)),e}),Ro=fr(function(n){return br(wt(n,1,hu,true))}),zo=fr(function(n){var t=Ve(n);return hu(t)&&(t=T),br(wt(n,1,hu,true),ye(t,2))}),Wo=fr(function(n){var t=Ve(n),t=typeof t=="function"?t:T;return br(wt(n,1,hu,true),T,t)}),Bo=fr(function(n,t){return hu(n)?yt(n,t):[]}),Lo=fr(function(n){return mr(i(n,hu))}),Uo=fr(function(n){var t=Ve(n);return hu(t)&&(t=T),
-mr(i(n,hu),ye(t,2))}),Co=fr(function(n){var t=Ve(n),t=typeof t=="function"?t:T;return mr(i(n,hu),T,t)}),Do=fr(He),Mo=fr(function(n){var t=n.length,t=1<t?n[t-1]:T,t=typeof t=="function"?(n.pop(),t):T;return Je(n,t)}),To=pe(function(n){function t(t){return ht(t,n)}var r=n.length,e=r?n[0]:0,u=this.__wrapped__;return!(1<r||this.__actions__.length)&&u instanceof Un&&Se(e)?(u=u.slice(e,+e+(r?1:0)),u.__actions__.push({func:Qe,args:[t],thisArg:T}),new On(u,this.__chain__).thru(function(n){return r&&!n.length&&n.push(T),
-n})):this.thru(t)}),$o=Tr(function(n,t,r){oi.call(n,r)?++n[r]:st(n,r,1)}),Fo=Gr(Ne),No=Gr(Pe),Po=Tr(function(n,t,r){oi.call(n,r)?n[r].push(t):st(n,r,[t])}),Zo=fr(function(t,r,e){var u=-1,i=typeof r=="function",o=su(t)?Ku(t.length):[];return uo(t,function(t){o[++u]=i?n(r,t,e):Lt(t,r,e)}),o}),qo=Tr(function(n,t,r){st(n,r,t)}),Vo=Tr(function(n,t,r){n[r?0:1].push(t)},function(){return[[],[]]}),Ko=fr(function(n,t){if(null==n)return[];var r=t.length;return 1<r&&Oe(n,t[0],t[1])?t=[]:2<r&&Oe(t[0],t[1],t[2])&&(t=[t[0]]),
-Xt(n,wt(t,1),[])}),Go=ki||function(){return $n.Date.now()},Ho=fr(function(n,t,r){var e=1;if(r.length)var u=L(r,de(Ho)),e=32|e;return fe(n,e,t,r,u)}),Jo=fr(function(n,t,r){var e=3;if(r.length)var u=L(r,de(Jo)),e=32|e;return fe(t,e,n,r,u)}),Yo=fr(function(n,t){return dt(n,1,t)}),Qo=fr(function(n,t,r){return dt(n,Su(t)||0,r)});cu.Cache=Fn;var Xo=fr(function(t,r){r=1==r.length&&ff(r[0])?c(r[0],k(ye())):c(wt(r,1),k(ye()));var e=r.length;return fr(function(u){for(var i=-1,o=Ci(u.length,e);++i<o;)u[i]=r[i].call(this,u[i]);
-return n(t,this,u)})}),nf=fr(function(n,t){return fe(n,32,T,t,L(t,de(nf)))}),tf=fr(function(n,t){return fe(n,64,T,t,L(t,de(tf)))}),rf=pe(function(n,t){return fe(n,256,T,T,T,t)}),ef=ee(It),uf=ee(function(n,t){return n>=t}),of=Ut(function(){return arguments}())?Ut:function(n){return yu(n)&&oi.call(n,"callee")&&!bi.call(n,"callee")},ff=Ku.isArray,cf=Vn?k(Vn):Ct,af=zi||Vu,lf=Kn?k(Kn):Dt,sf=Gn?k(Gn):Tt,hf=Hn?k(Hn):Nt,pf=Jn?k(Jn):Pt,_f=Yn?k(Yn):Zt,vf=ee(Kt),gf=ee(function(n,t){return n<=t}),df=$r(function(n,t){
-if(ze(t)||su(t))Cr(t,Wu(t),n);else for(var r in t)oi.call(t,r)&&ot(n,r,t[r])}),yf=$r(function(n,t){Cr(t,Bu(t),n)}),bf=$r(function(n,t,r,e){Cr(t,Bu(t),n,e)}),xf=$r(function(n,t,r,e){Cr(t,Wu(t),n,e)}),jf=pe(ht),wf=fr(function(n,t){n=Qu(n);var r=-1,e=t.length,u=2<e?t[2]:T;for(u&&Oe(t[0],t[1],u)&&(e=1);++r<e;)for(var u=t[r],i=Bu(u),o=-1,f=i.length;++o<f;){var c=i[o],a=n[c];(a===T||lu(a,ei[c])&&!oi.call(n,c))&&(n[c]=u[c])}return n}),mf=fr(function(t){return t.push(T,ae),n(Of,T,t)}),Af=Yr(function(n,t,r){
-null!=t&&typeof t.toString!="function"&&(t=ai.call(t)),n[t]=r},Tu($u)),Ef=Yr(function(n,t,r){null!=t&&typeof t.toString!="function"&&(t=ai.call(t)),oi.call(n,t)?n[t].push(r):n[t]=[r]},ye),kf=fr(Lt),Sf=$r(function(n,t,r){Yt(n,t,r)}),Of=$r(function(n,t,r,e){Yt(n,t,r,e)}),If=pe(function(n,t){var r={};if(null==n)return r;var e=false;t=c(t,function(t){return t=Sr(t,n),e||(e=1<t.length),t}),Cr(n,ve(n),r),e&&(r=_t(r,7,le));for(var u=t.length;u--;)xr(r,t[u]);return r}),Rf=pe(function(n,t){return null==n?{}:nr(n,t);
-}),zf=oe(Wu),Wf=oe(Bu),Bf=qr(function(n,t,r){return t=t.toLowerCase(),n+(r?Cu(t):t)}),Lf=qr(function(n,t,r){return n+(r?"-":"")+t.toLowerCase()}),Uf=qr(function(n,t,r){return n+(r?" ":"")+t.toLowerCase()}),Cf=Zr("toLowerCase"),Df=qr(function(n,t,r){return n+(r?"_":"")+t.toLowerCase()}),Mf=qr(function(n,t,r){return n+(r?" ":"")+$f(t)}),Tf=qr(function(n,t,r){return n+(r?" ":"")+t.toUpperCase()}),$f=Zr("toUpperCase"),Ff=fr(function(t,r){try{return n(t,T,r)}catch(n){return pu(n)?n:new Hu(n)}}),Nf=pe(function(n,t){
-return r(t,function(t){t=Me(t),st(n,t,Ho(n[t],n))}),n}),Pf=Hr(),Zf=Hr(true),qf=fr(function(n,t){return function(r){return Lt(r,n,t)}}),Vf=fr(function(n,t){return function(r){return Lt(n,r,t)}}),Kf=Xr(c),Gf=Xr(u),Hf=Xr(h),Jf=re(),Yf=re(true),Qf=Qr(function(n,t){return n+t},0),Xf=ie("ceil"),nc=Qr(function(n,t){return n/t},1),tc=ie("floor"),rc=Qr(function(n,t){return n*t},1),ec=ie("round"),uc=Qr(function(n,t){return n-t},0);return An.after=function(n,t){if(typeof t!="function")throw new ti("Expected a function");
-return n=Eu(n),function(){if(1>--n)return t.apply(this,arguments)}},An.ary=eu,An.assign=df,An.assignIn=yf,An.assignInWith=bf,An.assignWith=xf,An.at=jf,An.before=uu,An.bind=Ho,An.bindAll=Nf,An.bindKey=Jo,An.castArray=function(){if(!arguments.length)return[];var n=arguments[0];return ff(n)?n:[n]},An.chain=Ye,An.chunk=function(n,t,r){if(t=(r?Oe(n,t,r):t===T)?1:Ui(Eu(t),0),r=null==n?0:n.length,!r||1>t)return[];for(var e=0,u=0,i=Ku(Oi(r/t));e<r;)i[u++]=hr(n,e,e+=t);return i},An.compact=function(n){for(var t=-1,r=null==n?0:n.length,e=0,u=[];++t<r;){
-var i=n[t];i&&(u[e++]=i)}return u},An.concat=function(){var n=arguments.length;if(!n)return[];for(var t=Ku(n-1),r=arguments[0];n--;)t[n-1]=arguments[n];return a(ff(r)?Ur(r):[r],wt(t,1))},An.cond=function(t){var r=null==t?0:t.length,e=ye();return t=r?c(t,function(n){if("function"!=typeof n[1])throw new ti("Expected a function");return[e(n[0]),n[1]]}):[],fr(function(e){for(var u=-1;++u<r;){var i=t[u];if(n(i[0],this,e))return n(i[1],this,e)}})},An.conforms=function(n){return vt(_t(n,1))},An.constant=Tu,
-An.countBy=$o,An.create=function(n,t){var r=eo(n);return null==t?r:at(r,t)},An.curry=iu,An.curryRight=ou,An.debounce=fu,An.defaults=wf,An.defaultsDeep=mf,An.defer=Yo,An.delay=Qo,An.difference=wo,An.differenceBy=mo,An.differenceWith=Ao,An.drop=function(n,t,r){var e=null==n?0:n.length;return e?(t=r||t===T?1:Eu(t),hr(n,0>t?0:t,e)):[]},An.dropRight=function(n,t,r){var e=null==n?0:n.length;return e?(t=r||t===T?1:Eu(t),t=e-t,hr(n,0,0>t?0:t)):[]},An.dropRightWhile=function(n,t){return n&&n.length?jr(n,ye(t,3),true,true):[];
-},An.dropWhile=function(n,t){return n&&n.length?jr(n,ye(t,3),true):[]},An.fill=function(n,t,r,e){var u=null==n?0:n.length;if(!u)return[];for(r&&typeof r!="number"&&Oe(n,t,r)&&(r=0,e=u),u=n.length,r=Eu(r),0>r&&(r=-r>u?0:u+r),e=e===T||e>u?u:Eu(e),0>e&&(e+=u),e=r>e?0:ku(e);r<e;)n[r++]=t;return n},An.filter=function(n,t){return(ff(n)?i:jt)(n,ye(t,3))},An.flatMap=function(n,t){return wt(ru(n,t),1)},An.flatMapDeep=function(n,t){return wt(ru(n,t),$)},An.flatMapDepth=function(n,t,r){return r=r===T?1:Eu(r),
-wt(ru(n,t),r)},An.flatten=Ze,An.flattenDeep=function(n){return(null==n?0:n.length)?wt(n,$):[]},An.flattenDepth=function(n,t){return null!=n&&n.length?(t=t===T?1:Eu(t),wt(n,t)):[]},An.flip=function(n){return fe(n,512)},An.flow=Pf,An.flowRight=Zf,An.fromPairs=function(n){for(var t=-1,r=null==n?0:n.length,e={};++t<r;){var u=n[t];e[u[0]]=u[1]}return e},An.functions=function(n){return null==n?[]:Et(n,Wu(n))},An.functionsIn=function(n){return null==n?[]:Et(n,Bu(n))},An.groupBy=Po,An.initial=function(n){
-return(null==n?0:n.length)?hr(n,0,-1):[]},An.intersection=Eo,An.intersectionBy=ko,An.intersectionWith=So,An.invert=Af,An.invertBy=Ef,An.invokeMap=Zo,An.iteratee=Fu,An.keyBy=qo,An.keys=Wu,An.keysIn=Bu,An.map=ru,An.mapKeys=function(n,t){var r={};return t=ye(t,3),mt(n,function(n,e,u){st(r,t(n,e,u),n)}),r},An.mapValues=function(n,t){var r={};return t=ye(t,3),mt(n,function(n,e,u){st(r,e,t(n,e,u))}),r},An.matches=function(n){return Ht(_t(n,1))},An.matchesProperty=function(n,t){return Jt(n,_t(t,1))},An.memoize=cu,
-An.merge=Sf,An.mergeWith=Of,An.method=qf,An.methodOf=Vf,An.mixin=Nu,An.negate=au,An.nthArg=function(n){return n=Eu(n),fr(function(t){return Qt(t,n)})},An.omit=If,An.omitBy=function(n,t){return Lu(n,au(ye(t)))},An.once=function(n){return uu(2,n)},An.orderBy=function(n,t,r,e){return null==n?[]:(ff(t)||(t=null==t?[]:[t]),r=e?T:r,ff(r)||(r=null==r?[]:[r]),Xt(n,t,r))},An.over=Kf,An.overArgs=Xo,An.overEvery=Gf,An.overSome=Hf,An.partial=nf,An.partialRight=tf,An.partition=Vo,An.pick=Rf,An.pickBy=Lu,An.property=Zu,
-An.propertyOf=function(n){return function(t){return null==n?T:kt(n,t)}},An.pull=Oo,An.pullAll=Ke,An.pullAllBy=function(n,t,r){return n&&n.length&&t&&t.length?er(n,t,ye(r,2)):n},An.pullAllWith=function(n,t,r){return n&&n.length&&t&&t.length?er(n,t,T,r):n},An.pullAt=Io,An.range=Jf,An.rangeRight=Yf,An.rearg=rf,An.reject=function(n,t){return(ff(n)?i:jt)(n,au(ye(t,3)))},An.remove=function(n,t){var r=[];if(!n||!n.length)return r;var e=-1,u=[],i=n.length;for(t=ye(t,3);++e<i;){var o=n[e];t(o,e,n)&&(r.push(o),
-u.push(e))}return ur(n,u),r},An.rest=function(n,t){if(typeof n!="function")throw new ti("Expected a function");return t=t===T?t:Eu(t),fr(n,t)},An.reverse=Ge,An.sampleSize=function(n,t,r){return t=(r?Oe(n,t,r):t===T)?1:Eu(t),(ff(n)?et:ar)(n,t)},An.set=function(n,t,r){return null==n?n:lr(n,t,r)},An.setWith=function(n,t,r,e){return e=typeof e=="function"?e:T,null==n?n:lr(n,t,r,e)},An.shuffle=function(n){return(ff(n)?ut:sr)(n)},An.slice=function(n,t,r){var e=null==n?0:n.length;return e?(r&&typeof r!="number"&&Oe(n,t,r)?(t=0,
-r=e):(t=null==t?0:Eu(t),r=r===T?e:Eu(r)),hr(n,t,r)):[]},An.sortBy=Ko,An.sortedUniq=function(n){return n&&n.length?gr(n):[]},An.sortedUniqBy=function(n,t){return n&&n.length?gr(n,ye(t,2)):[]},An.split=function(n,t,r){return r&&typeof r!="number"&&Oe(n,t,r)&&(t=r=T),r=r===T?4294967295:r>>>0,r?(n=Iu(n))&&(typeof t=="string"||null!=t&&!hf(t))&&(t=yr(t),!t&&Rn.test(n))?Or(M(n),0,r):n.split(t,r):[]},An.spread=function(t,r){if(typeof t!="function")throw new ti("Expected a function");return r=null==r?0:Ui(Eu(r),0),
-fr(function(e){var u=e[r];return e=Or(e,0,r),u&&a(e,u),n(t,this,e)})},An.tail=function(n){var t=null==n?0:n.length;return t?hr(n,1,t):[]},An.take=function(n,t,r){return n&&n.length?(t=r||t===T?1:Eu(t),hr(n,0,0>t?0:t)):[]},An.takeRight=function(n,t,r){var e=null==n?0:n.length;return e?(t=r||t===T?1:Eu(t),t=e-t,hr(n,0>t?0:t,e)):[]},An.takeRightWhile=function(n,t){return n&&n.length?jr(n,ye(t,3),false,true):[]},An.takeWhile=function(n,t){return n&&n.length?jr(n,ye(t,3)):[]},An.tap=function(n,t){return t(n),
-n},An.throttle=function(n,t,r){var e=true,u=true;if(typeof n!="function")throw new ti("Expected a function");return du(r)&&(e="leading"in r?!!r.leading:e,u="trailing"in r?!!r.trailing:u),fu(n,t,{leading:e,maxWait:t,trailing:u})},An.thru=Qe,An.toArray=mu,An.toPairs=zf,An.toPairsIn=Wf,An.toPath=function(n){return ff(n)?c(n,Me):wu(n)?[n]:Ur(jo(Iu(n)))},An.toPlainObject=Ou,An.transform=function(n,t,e){var u=ff(n),i=u||af(n)||_f(n);if(t=ye(t,4),null==e){var o=n&&n.constructor;e=i?u?new o:[]:du(n)&&_u(o)?eo(di(n)):{};
-}return(i?r:mt)(n,function(n,r,u){return t(e,n,r,u)}),e},An.unary=function(n){return eu(n,1)},An.union=Ro,An.unionBy=zo,An.unionWith=Wo,An.uniq=function(n){return n&&n.length?br(n):[]},An.uniqBy=function(n,t){return n&&n.length?br(n,ye(t,2)):[]},An.uniqWith=function(n,t){return t=typeof t=="function"?t:T,n&&n.length?br(n,T,t):[]},An.unset=function(n,t){return null==n||xr(n,t)},An.unzip=He,An.unzipWith=Je,An.update=function(n,t,r){return null==n?n:lr(n,t,kr(r)(kt(n,t)),void 0)},An.updateWith=function(n,t,r,e){
-return e=typeof e=="function"?e:T,null!=n&&(n=lr(n,t,kr(r)(kt(n,t)),e)),n},An.values=Uu,An.valuesIn=function(n){return null==n?[]:S(n,Bu(n))},An.without=Bo,An.words=Mu,An.wrap=function(n,t){return nf(kr(t),n)},An.xor=Lo,An.xorBy=Uo,An.xorWith=Co,An.zip=Do,An.zipObject=function(n,t){return Ar(n||[],t||[],ot)},An.zipObjectDeep=function(n,t){return Ar(n||[],t||[],lr)},An.zipWith=Mo,An.entries=zf,An.entriesIn=Wf,An.extend=yf,An.extendWith=bf,Nu(An,An),An.add=Qf,An.attempt=Ff,An.camelCase=Bf,An.capitalize=Cu,
-An.ceil=Xf,An.clamp=function(n,t,r){return r===T&&(r=t,t=T),r!==T&&(r=Su(r),r=r===r?r:0),t!==T&&(t=Su(t),t=t===t?t:0),pt(Su(n),t,r)},An.clone=function(n){return _t(n,4)},An.cloneDeep=function(n){return _t(n,5)},An.cloneDeepWith=function(n,t){return t=typeof t=="function"?t:T,_t(n,5,t)},An.cloneWith=function(n,t){return t=typeof t=="function"?t:T,_t(n,4,t)},An.conformsTo=function(n,t){return null==t||gt(n,t,Wu(t))},An.deburr=Du,An.defaultTo=function(n,t){return null==n||n!==n?t:n},An.divide=nc,An.endsWith=function(n,t,r){
-n=Iu(n),t=yr(t);var e=n.length,e=r=r===T?e:pt(Eu(r),0,e);return r-=t.length,0<=r&&n.slice(r,e)==t},An.eq=lu,An.escape=function(n){return(n=Iu(n))&&H.test(n)?n.replace(K,nt):n},An.escapeRegExp=function(n){return(n=Iu(n))&&en.test(n)?n.replace(rn,"\\$&"):n},An.every=function(n,t,r){var e=ff(n)?u:bt;return r&&Oe(n,t,r)&&(t=T),e(n,ye(t,3))},An.find=Fo,An.findIndex=Ne,An.findKey=function(n,t){return p(n,ye(t,3),mt)},An.findLast=No,An.findLastIndex=Pe,An.findLastKey=function(n,t){return p(n,ye(t,3),At);
-},An.floor=tc,An.forEach=nu,An.forEachRight=tu,An.forIn=function(n,t){return null==n?n:oo(n,ye(t,3),Bu)},An.forInRight=function(n,t){return null==n?n:fo(n,ye(t,3),Bu)},An.forOwn=function(n,t){return n&&mt(n,ye(t,3))},An.forOwnRight=function(n,t){return n&&At(n,ye(t,3))},An.get=Ru,An.gt=ef,An.gte=uf,An.has=function(n,t){return null!=n&&we(n,t,Rt)},An.hasIn=zu,An.head=qe,An.identity=$u,An.includes=function(n,t,r,e){return n=su(n)?n:Uu(n),r=r&&!e?Eu(r):0,e=n.length,0>r&&(r=Ui(e+r,0)),ju(n)?r<=e&&-1<n.indexOf(t,r):!!e&&-1<v(n,t,r);
-},An.indexOf=function(n,t,r){var e=null==n?0:n.length;return e?(r=null==r?0:Eu(r),0>r&&(r=Ui(e+r,0)),v(n,t,r)):-1},An.inRange=function(n,t,r){return t=Au(t),r===T?(r=t,t=0):r=Au(r),n=Su(n),n>=Ci(t,r)&&n<Ui(t,r)},An.invoke=kf,An.isArguments=of,An.isArray=ff,An.isArrayBuffer=cf,An.isArrayLike=su,An.isArrayLikeObject=hu,An.isBoolean=function(n){return true===n||false===n||yu(n)&&"[object Boolean]"==Ot(n)},An.isBuffer=af,An.isDate=lf,An.isElement=function(n){return yu(n)&&1===n.nodeType&&!xu(n)},An.isEmpty=function(n){
-if(null==n)return true;if(su(n)&&(ff(n)||typeof n=="string"||typeof n.splice=="function"||af(n)||_f(n)||of(n)))return!n.length;var t=vo(n);if("[object Map]"==t||"[object Set]"==t)return!n.size;if(ze(n))return!Vt(n).length;for(var r in n)if(oi.call(n,r))return false;return true},An.isEqual=function(n,t){return Mt(n,t)},An.isEqualWith=function(n,t,r){var e=(r=typeof r=="function"?r:T)?r(n,t):T;return e===T?Mt(n,t,T,r):!!e},An.isError=pu,An.isFinite=function(n){return typeof n=="number"&&Wi(n)},An.isFunction=_u,
-An.isInteger=vu,An.isLength=gu,An.isMap=sf,An.isMatch=function(n,t){return n===t||$t(n,t,xe(t))},An.isMatchWith=function(n,t,r){return r=typeof r=="function"?r:T,$t(n,t,xe(t),r)},An.isNaN=function(n){return bu(n)&&n!=+n},An.isNative=function(n){if(go(n))throw new Hu("Unsupported core-js use. Try https://npms.io/search?q=ponyfill.");return Ft(n)},An.isNil=function(n){return null==n},An.isNull=function(n){return null===n},An.isNumber=bu,An.isObject=du,An.isObjectLike=yu,An.isPlainObject=xu,An.isRegExp=hf,
-An.isSafeInteger=function(n){return vu(n)&&-9007199254740991<=n&&9007199254740991>=n},An.isSet=pf,An.isString=ju,An.isSymbol=wu,An.isTypedArray=_f,An.isUndefined=function(n){return n===T},An.isWeakMap=function(n){return yu(n)&&"[object WeakMap]"==vo(n)},An.isWeakSet=function(n){return yu(n)&&"[object WeakSet]"==Ot(n)},An.join=function(n,t){return null==n?"":Bi.call(n,t)},An.kebabCase=Lf,An.last=Ve,An.lastIndexOf=function(n,t,r){var e=null==n?0:n.length;if(!e)return-1;var u=e;if(r!==T&&(u=Eu(r),u=0>u?Ui(e+u,0):Ci(u,e-1)),
-t===t){for(r=u+1;r--&&n[r]!==t;);n=r}else n=_(n,d,u,true);return n},An.lowerCase=Uf,An.lowerFirst=Cf,An.lt=vf,An.lte=gf,An.max=function(n){return n&&n.length?xt(n,$u,It):T},An.maxBy=function(n,t){return n&&n.length?xt(n,ye(t,2),It):T},An.mean=function(n){return y(n,$u)},An.meanBy=function(n,t){return y(n,ye(t,2))},An.min=function(n){return n&&n.length?xt(n,$u,Kt):T},An.minBy=function(n,t){return n&&n.length?xt(n,ye(t,2),Kt):T},An.stubArray=qu,An.stubFalse=Vu,An.stubObject=function(){return{}},An.stubString=function(){
-return""},An.stubTrue=function(){return true},An.multiply=rc,An.nth=function(n,t){return n&&n.length?Qt(n,Eu(t)):T},An.noConflict=function(){return $n._===this&&($n._=si),this},An.noop=Pu,An.now=Go,An.pad=function(n,t,r){n=Iu(n);var e=(t=Eu(t))?D(n):0;return!t||e>=t?n:(t=(t-e)/2,ne(Ii(t),r)+n+ne(Oi(t),r))},An.padEnd=function(n,t,r){n=Iu(n);var e=(t=Eu(t))?D(n):0;return t&&e<t?n+ne(t-e,r):n},An.padStart=function(n,t,r){n=Iu(n);var e=(t=Eu(t))?D(n):0;return t&&e<t?ne(t-e,r)+n:n},An.parseInt=function(n,t,r){
-return r||null==t?t=0:t&&(t=+t),Mi(Iu(n).replace(on,""),t||0)},An.random=function(n,t,r){if(r&&typeof r!="boolean"&&Oe(n,t,r)&&(t=r=T),r===T&&(typeof t=="boolean"?(r=t,t=T):typeof n=="boolean"&&(r=n,n=T)),n===T&&t===T?(n=0,t=1):(n=Au(n),t===T?(t=n,n=0):t=Au(t)),n>t){var e=n;n=t,t=e}return r||n%1||t%1?(r=Ti(),Ci(n+r*(t-n+Cn("1e-"+((r+"").length-1))),t)):ir(n,t)},An.reduce=function(n,t,r){var e=ff(n)?l:j,u=3>arguments.length;return e(n,ye(t,4),r,u,uo)},An.reduceRight=function(n,t,r){var e=ff(n)?s:j,u=3>arguments.length;
-return e(n,ye(t,4),r,u,io)},An.repeat=function(n,t,r){return t=(r?Oe(n,t,r):t===T)?1:Eu(t),or(Iu(n),t)},An.replace=function(){var n=arguments,t=Iu(n[0]);return 3>n.length?t:t.replace(n[1],n[2])},An.result=function(n,t,r){t=Sr(t,n);var e=-1,u=t.length;for(u||(u=1,n=T);++e<u;){var i=null==n?T:n[Me(t[e])];i===T&&(e=u,i=r),n=_u(i)?i.call(n):i}return n},An.round=ec,An.runInContext=x,An.sample=function(n){return(ff(n)?Qn:cr)(n)},An.size=function(n){if(null==n)return 0;if(su(n))return ju(n)?D(n):n.length;
-var t=vo(n);return"[object Map]"==t||"[object Set]"==t?n.size:Vt(n).length},An.snakeCase=Df,An.some=function(n,t,r){var e=ff(n)?h:pr;return r&&Oe(n,t,r)&&(t=T),e(n,ye(t,3))},An.sortedIndex=function(n,t){return _r(n,t)},An.sortedIndexBy=function(n,t,r){return vr(n,t,ye(r,2))},An.sortedIndexOf=function(n,t){var r=null==n?0:n.length;if(r){var e=_r(n,t);if(e<r&&lu(n[e],t))return e}return-1},An.sortedLastIndex=function(n,t){return _r(n,t,true)},An.sortedLastIndexBy=function(n,t,r){return vr(n,t,ye(r,2),true);
-},An.sortedLastIndexOf=function(n,t){if(null==n?0:n.length){var r=_r(n,t,true)-1;if(lu(n[r],t))return r}return-1},An.startCase=Mf,An.startsWith=function(n,t,r){return n=Iu(n),r=null==r?0:pt(Eu(r),0,n.length),t=yr(t),n.slice(r,r+t.length)==t},An.subtract=uc,An.sum=function(n){return n&&n.length?m(n,$u):0},An.sumBy=function(n,t){return n&&n.length?m(n,ye(t,2)):0},An.template=function(n,t,r){var e=An.templateSettings;r&&Oe(n,t,r)&&(t=T),n=Iu(n),t=bf({},t,e,ce),r=bf({},t.imports,e.imports,ce);var u,i,o=Wu(r),f=S(r,o),c=0;
-r=t.interpolate||jn;var a="__p+='";r=Xu((t.escape||jn).source+"|"+r.source+"|"+(r===Q?pn:jn).source+"|"+(t.evaluate||jn).source+"|$","g");var l=oi.call(t,"sourceURL")?"//# sourceURL="+(t.sourceURL+"").replace(/[\r\n]/g," ")+"\n":"";if(n.replace(r,function(t,r,e,o,f,l){return e||(e=o),a+=n.slice(c,l).replace(wn,z),r&&(u=true,a+="'+__e("+r+")+'"),f&&(i=true,a+="';"+f+";\n__p+='"),e&&(a+="'+((__t=("+e+"))==null?'':__t)+'"),c=l+t.length,t}),a+="';",(t=oi.call(t,"variable")&&t.variable)||(a="with(obj){"+a+"}"),
-a=(i?a.replace(P,""):a).replace(Z,"$1").replace(q,"$1;"),a="function("+(t||"obj")+"){"+(t?"":"obj||(obj={});")+"var __t,__p=''"+(u?",__e=_.escape":"")+(i?",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,'')}":";")+a+"return __p}",t=Ff(function(){return Ju(o,l+"return "+a).apply(T,f)}),t.source=a,pu(t))throw t;return t},An.times=function(n,t){if(n=Eu(n),1>n||9007199254740991<n)return[];var r=4294967295,e=Ci(n,4294967295);for(t=ye(t),n-=4294967295,e=A(e,t);++r<n;)t(r);return e},An.toFinite=Au,
-An.toInteger=Eu,An.toLength=ku,An.toLower=function(n){return Iu(n).toLowerCase()},An.toNumber=Su,An.toSafeInteger=function(n){return n?pt(Eu(n),-9007199254740991,9007199254740991):0===n?n:0},An.toString=Iu,An.toUpper=function(n){return Iu(n).toUpperCase()},An.trim=function(n,t,r){return(n=Iu(n))&&(r||t===T)?n.replace(un,""):n&&(t=yr(t))?(n=M(n),r=M(t),t=I(n,r),r=R(n,r)+1,Or(n,t,r).join("")):n},An.trimEnd=function(n,t,r){return(n=Iu(n))&&(r||t===T)?n.replace(fn,""):n&&(t=yr(t))?(n=M(n),t=R(n,M(t))+1,
-Or(n,0,t).join("")):n},An.trimStart=function(n,t,r){return(n=Iu(n))&&(r||t===T)?n.replace(on,""):n&&(t=yr(t))?(n=M(n),t=I(n,M(t)),Or(n,t).join("")):n},An.truncate=function(n,t){var r=30,e="...";if(du(t))var u="separator"in t?t.separator:u,r="length"in t?Eu(t.length):r,e="omission"in t?yr(t.omission):e;n=Iu(n);var i=n.length;if(Rn.test(n))var o=M(n),i=o.length;if(r>=i)return n;if(i=r-D(e),1>i)return e;if(r=o?Or(o,0,i).join(""):n.slice(0,i),u===T)return r+e;if(o&&(i+=r.length-i),hf(u)){if(n.slice(i).search(u)){
-var f=r;for(u.global||(u=Xu(u.source,Iu(_n.exec(u))+"g")),u.lastIndex=0;o=u.exec(f);)var c=o.index;r=r.slice(0,c===T?i:c)}}else n.indexOf(yr(u),i)!=i&&(u=r.lastIndexOf(u),-1<u&&(r=r.slice(0,u)));return r+e},An.unescape=function(n){return(n=Iu(n))&&G.test(n)?n.replace(V,tt):n},An.uniqueId=function(n){var t=++fi;return Iu(n)+t},An.upperCase=Tf,An.upperFirst=$f,An.each=nu,An.eachRight=tu,An.first=qe,Nu(An,function(){var n={};return mt(An,function(t,r){oi.call(An.prototype,r)||(n[r]=t)}),n}(),{chain:false
-}),An.VERSION="4.17.14",r("bind bindKey curry curryRight partial partialRight".split(" "),function(n){An[n].placeholder=An}),r(["drop","take"],function(n,t){Un.prototype[n]=function(r){r=r===T?1:Ui(Eu(r),0);var e=this.__filtered__&&!t?new Un(this):this.clone();return e.__filtered__?e.__takeCount__=Ci(r,e.__takeCount__):e.__views__.push({size:Ci(r,4294967295),type:n+(0>e.__dir__?"Right":"")}),e},Un.prototype[n+"Right"]=function(t){return this.reverse()[n](t).reverse()}}),r(["filter","map","takeWhile"],function(n,t){
-var r=t+1,e=1==r||3==r;Un.prototype[n]=function(n){var t=this.clone();return t.__iteratees__.push({iteratee:ye(n,3),type:r}),t.__filtered__=t.__filtered__||e,t}}),r(["head","last"],function(n,t){var r="take"+(t?"Right":"");Un.prototype[n]=function(){return this[r](1).value()[0]}}),r(["initial","tail"],function(n,t){var r="drop"+(t?"":"Right");Un.prototype[n]=function(){return this.__filtered__?new Un(this):this[r](1)}}),Un.prototype.compact=function(){return this.filter($u)},Un.prototype.find=function(n){
-return this.filter(n).head()},Un.prototype.findLast=function(n){return this.reverse().find(n)},Un.prototype.invokeMap=fr(function(n,t){return typeof n=="function"?new Un(this):this.map(function(r){return Lt(r,n,t)})}),Un.prototype.reject=function(n){return this.filter(au(ye(n)))},Un.prototype.slice=function(n,t){n=Eu(n);var r=this;return r.__filtered__&&(0<n||0>t)?new Un(r):(0>n?r=r.takeRight(-n):n&&(r=r.drop(n)),t!==T&&(t=Eu(t),r=0>t?r.dropRight(-t):r.take(t-n)),r)},Un.prototype.takeRightWhile=function(n){
-return this.reverse().takeWhile(n).reverse()},Un.prototype.toArray=function(){return this.take(4294967295)},mt(Un.prototype,function(n,t){var r=/^(?:filter|find|map|reject)|While$/.test(t),e=/^(?:head|last)$/.test(t),u=An[e?"take"+("last"==t?"Right":""):t],i=e||/^find/.test(t);u&&(An.prototype[t]=function(){function t(n){return n=u.apply(An,a([n],f)),e&&h?n[0]:n}var o=this.__wrapped__,f=e?[1]:arguments,c=o instanceof Un,l=f[0],s=c||ff(o);s&&r&&typeof l=="function"&&1!=l.length&&(c=s=false);var h=this.__chain__,p=!!this.__actions__.length,l=i&&!h,c=c&&!p;
-return!i&&s?(o=c?o:new Un(this),o=n.apply(o,f),o.__actions__.push({func:Qe,args:[t],thisArg:T}),new On(o,h)):l&&c?n.apply(this,f):(o=this.thru(t),l?e?o.value()[0]:o.value():o)})}),r("pop push shift sort splice unshift".split(" "),function(n){var t=ri[n],r=/^(?:push|sort|unshift)$/.test(n)?"tap":"thru",e=/^(?:pop|shift)$/.test(n);An.prototype[n]=function(){var n=arguments;if(e&&!this.__chain__){var u=this.value();return t.apply(ff(u)?u:[],n)}return this[r](function(r){return t.apply(ff(r)?r:[],n)});
-}}),mt(Un.prototype,function(n,t){var r=An[t];if(r){var e=r.name+"";oi.call(Gi,e)||(Gi[e]=[]),Gi[e].push({name:t,func:r})}}),Gi[Jr(T,2).name]=[{name:"wrapper",func:T}],Un.prototype.clone=function(){var n=new Un(this.__wrapped__);return n.__actions__=Ur(this.__actions__),n.__dir__=this.__dir__,n.__filtered__=this.__filtered__,n.__iteratees__=Ur(this.__iteratees__),n.__takeCount__=this.__takeCount__,n.__views__=Ur(this.__views__),n},Un.prototype.reverse=function(){if(this.__filtered__){var n=new Un(this);
-n.__dir__=-1,n.__filtered__=true}else n=this.clone(),n.__dir__*=-1;return n},Un.prototype.value=function(){var n,t=this.__wrapped__.value(),r=this.__dir__,e=ff(t),u=0>r,i=e?t.length:0;n=i;for(var o=this.__views__,f=0,c=-1,a=o.length;++c<a;){var l=o[c],s=l.size;switch(l.type){case"drop":f+=s;break;case"dropRight":n-=s;break;case"take":n=Ci(n,f+s);break;case"takeRight":f=Ui(f,n-s)}}if(n={start:f,end:n},o=n.start,f=n.end,n=f-o,o=u?f:o-1,f=this.__iteratees__,c=f.length,a=0,l=Ci(n,this.__takeCount__),!e||!u&&i==n&&l==n)return wr(t,this.__actions__);
-e=[];n:for(;n--&&a<l;){for(o+=r,u=-1,i=t[o];++u<c;){var h=f[u],s=h.type,h=(0,h.iteratee)(i);if(2==s)i=h;else if(!h){if(1==s)continue n;break n}}e[a++]=i}return e},An.prototype.at=To,An.prototype.chain=function(){return Ye(this)},An.prototype.commit=function(){return new On(this.value(),this.__chain__)},An.prototype.next=function(){this.__values__===T&&(this.__values__=mu(this.value()));var n=this.__index__>=this.__values__.length;return{done:n,value:n?T:this.__values__[this.__index__++]}},An.prototype.plant=function(n){
-for(var t,r=this;r instanceof En;){var e=Fe(r);e.__index__=0,e.__values__=T,t?u.__wrapped__=e:t=e;var u=e,r=r.__wrapped__}return u.__wrapped__=n,t},An.prototype.reverse=function(){var n=this.__wrapped__;return n instanceof Un?(this.__actions__.length&&(n=new Un(this)),n=n.reverse(),n.__actions__.push({func:Qe,args:[Ge],thisArg:T}),new On(n,this.__chain__)):this.thru(Ge)},An.prototype.toJSON=An.prototype.valueOf=An.prototype.value=function(){return wr(this.__wrapped__,this.__actions__)},An.prototype.first=An.prototype.head,
-wi&&(An.prototype[wi]=Xe),An}();typeof define=="function"&&typeof define.amd=="object"&&define.amd?($n._=rt, define(function(){return rt})):Nn?((Nn.exports=rt)._=rt,Fn._=rt):$n._=rt}).call(this);

From 6b2127d40461db330441ae4d217f8004bf27140b Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Thu, 13 Jul 2023 11:29:10 +0200
Subject: [PATCH 1479/3088] security/acme: support for Proxmox VE deployhook,
 closes #3422

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogAction.xml         | 29 +++++++++++
 .../AcmeClient/LeAutomation/AcmeProxmoxve.php | 48 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 25 ++++++++++
 4 files changed, 103 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxve.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a2aafd3fb9..3dfd89e56a 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Added:
 * add support for TrueNAS deployhook (#3421)
+* add support for Proxmox VE deployhook (#3422)
 
 3.17
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 906dd9cdef..58d92f24c7 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -283,6 +283,35 @@
         <label>Host</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_proxmoxve</style>
+    </field>
+    <field>
+        <id>action.acme_proxmoxve_user</id>
+        <label>Proxmox VE user</label>
+        <type>text</type>
+        <help>The user who owns the API key. Defaults to root.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxve_realm</id>
+        <label>Proxmox VE realm</label>
+        <type>text</type>
+        <help>The authentication realm the user authenticates with. Defaults to pam.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxve_tokenid</id>
+        <label>Proxmox VE token name</label>
+        <type>text</type>
+        <help>The name of the API token created for the user account. Defaults to acme.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxve_tokenkey</id>
+        <label>Proxmox VE token key</label>
+        <type>text</type>
+        <help>The API token. Required.</help>
+    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxve.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxve.php
new file mode 100644
index 0000000000..6e4c8e16f0
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxve.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook proxmoxve
+ * @package OPNsense\AcmeClient
+ */
+class AcmeProxmoxve extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DEPLOY_PROXMOXVE_USER'] = (string)$this->config->acme_proxmoxve_user;
+        $this->acme_env['DEPLOY_PROXMOXVE_USER_REALM'] = (string)$this->config->acme_proxmoxve_realm;
+        $this->acme_env['DEPLOY_PROXMOXVE_API_TOKEN_NAME'] = (string)$this->config->acme_proxmoxve_tokenid;
+        $this->acme_env['DEPLOY_PROXMOXVE_API_TOKEN_KEY'] = (string)$this->config->acme_proxmoxve_tokenkey;
+        $this->acme_args[] = '--deploy-hook proxmoxve';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 1eca8d91b8..c9e6f1befc 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1172,6 +1172,7 @@
                         <configd_remote_ssh>Remote Command via SSH</configd_remote_ssh>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
                         <acme_panos>Upload certificate to Palo Alto Networks Firewall</acme_panos>
+                        <acme_proxmoxve>Upload certificate to Proxmox VE</acme_proxmoxve>
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
                         <acme_truenas>Upload certificate to TrueNAS Core Server</acme_truenas>
@@ -1381,6 +1382,30 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_panos_host>
+                <acme_proxmoxve_user type="TextField">
+                    <default>root</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxve_user>
+                <acme_proxmoxve_realm type="TextField">
+                    <default>pam</default>
+                    <Required>N</Required>
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxve_realm>
+                <acme_proxmoxve_tokenid type="TextField">
+                    <default>acme</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxve_tokenid>
+                <acme_proxmoxve_tokenkey type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxve_tokenkey>
                 <acme_truenas_apikey type="TextField">
                     <Required>N</Required>
                     <mask>/^.{1,1024}$/u</mask>

From e187cb40e21823f1cb5b19c8ef66dc2c0c132e0a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 08:10:33 +0200
Subject: [PATCH 1480/3088] net-mgmt/zabbix-agent: remove 6.2 due to EoL

---
 net-mgmt/zabbix-agent/Makefile | 6 ++----
 net-mgmt/zabbix-proxy/Makefile | 5 +----
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 453f7a5fda..28005b0c59 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -3,17 +3,15 @@ PLUGIN_VERSION=		1.13
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix6 zabbix62 zabbix64 zabbix5
+PLUGIN_VARIANTS=	zabbix6 zabbix64 zabbix5
 
 zabbix64_NAME=		zabbix64-agent
 zabbix64_DEPENDS=	zabbix64-agent
 
-zabbix62_NAME=		zabbix62-agent
-zabbix62_DEPENDS=	zabbix62-agent
-
 zabbix6_NAME=		zabbix6-agent
 zabbix6_DEPENDS=	zabbix6-agent
 
 zabbix5_NAME=		zabbix-agent
 zabbix5_DEPENDS=	zabbix5-agent
+
 .include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 480b98966b..e5776a01ed 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -3,14 +3,11 @@ PLUGIN_VERSION=		1.9
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix6 zabbix62 zabbix64 zabbix5 zabbix4
+PLUGIN_VARIANTS=	zabbix6 zabbix64 zabbix5 zabbix4
 
 zabbix64_NAME=		zabbix64-proxy
 zabbix64_DEPENDS=	zabbix64-proxy
 
-zabbix62_NAME=		zabbix62-proxy
-zabbix62_DEPENDS=	zabbix62-proxy
-
 zabbix6_NAME=		zabbix6-proxy
 zabbix6_DEPENDS=	zabbix6-proxy
 

From c872e8a731dfe406ccde57eed65e1eec61fe7df7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 09:52:58 +0200
Subject: [PATCH 1481/3088] dns/dnscrypt-proxy: actually bump version

---
 dns/dnscrypt-proxy/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index fd99efd4d9..9002f978e5 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.14
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 7776616f32d1b57b1ad2e82d49d10c3ce8465fe2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 09:57:56 +0200
Subject: [PATCH 1482/3088] net/frr: add missing changelog entries

---
 net/frr/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index f142eaecf2..e50143c292 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -15,6 +15,9 @@ Plugin Changelog
 1.34
 
 * Add checkbox to log BGP neighbor changes
+* Add BFD support (contributed by Mark Stitson)
+* Switch to FRR version 8
+* Rewrote diagnostics API
 
 1.33
 

From e25a1619322b989e2926eb9f1d4f593f1f34b945 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 10:00:21 +0200
Subject: [PATCH 1483/3088] net/wireguard: update

---
 net/wireguard/Makefile  | 2 +-
 net/wireguard/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index e47403fecc..b1392614a8 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index fd85d2e032..5d84964c92 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -19,6 +19,7 @@ Changelog
 1.13
 
 * Reworked widget and assorted cleanups (contributed by Patrik Kernstock)
+* Improve widget public key overlapping (contributed by Victor Haggqvist)
 
 1.12
 

From e2fcc495bf8c5b4b796fa6b0b8af9e9cf5cfb302 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 10:06:20 +0200
Subject: [PATCH 1484/3088] security/acme-client: spacing

---
 security/acme-client/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index d631a8cd57..05104b706d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -7,6 +7,7 @@ WWW: https://github.com/acmesh-official/acme.sh
 
 Plugin Changelog
 ================
+
 3.19
 
 Added:

From c2aa21b8c58779a82c9a4788b7ce149f46b71318 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 10:08:47 +0200
Subject: [PATCH 1485/3088] www/nginx: wrap up version change

---
 www/nginx/Makefile  | 2 +-
 www/nginx/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 6acc5bc261..eb1abd76d4 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.32.1
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index f6cb169d0c..e004fd20a5 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 1.32.1
 
 * add "Host header port" and "use original Host header" options
+* Fix width of commands column (contributed by krbrs)
 
 1.32
 

From 6adb47c4c934e1115ae29914ea78a9ac488d6d83 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 10:14:55 +0200
Subject: [PATCH 1486/3088] net/frr: style sweep

---
 .../controllers/OPNsense/Quagga/Api/DiagnosticsController.php | 2 +-
 .../app/controllers/OPNsense/Quagga/DiagnosticsController.php | 4 ++--
 .../src/opnsense/service/conf/actions.d/actions_quagga.conf   | 1 -
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index faac17d6ab..a0625a40f3 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -270,7 +270,7 @@ public function searchOspfv3routeAction($format = "json"): array
     public function searchOspfv3databaseAction(): array
     {
         $records = [];
-        $payload = $this->configdJson("ospfv3", "database") ;
+        $payload = $this->configdJson("ospfv3", "database");
         foreach ($payload as $dbname => $database) {
             foreach ($database as $topic) {
                 if (!empty($topic['lsa'])) {
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
index 75a3189ab7..78b70e231d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
@@ -116,7 +116,7 @@ public function bfdAction()
                 'tabhead' => gettext('Counters'),
                 'type' => 'tree'
             ]
-	    ];
+        ];
         $this->view->default_tab = 'summary';
         $this->view->pick('OPNsense/Quagga/diagnostics');
     }
@@ -148,7 +148,7 @@ public function ospfv3Action()
                 'tabhead' => gettext('Interface'),
                 'type' => 'tree'
             ]
-	    ];
+        ];
         $this->view->default_tab = 'overview';
         $this->view->pick('OPNsense/Quagga/diagnostics');
     }
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 7f5541a1bb..4c5079cafb 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -160,4 +160,3 @@ command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 interface %s'
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 interface %s"
-

From 09616f6c6675efc88911e7825541d3a473885237 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 10:16:18 +0200
Subject: [PATCH 1487/3088] dns/dyndns: remove obsolete plugin

---
 dns/dyndns/Makefile                           |    7 -
 dns/dyndns/pkg-descr                          |   32 -
 .../src/etc/inc/plugins.inc.d/dyndns.inc      |  281 ---
 .../inc/plugins.inc.d/dyndns/phpDynDNS.inc    | 2042 -----------------
 .../src/etc/inc/plugins.inc.d/dyndns/r53.inc  |  777 -------
 dns/dyndns/src/etc/rc.dyndns                  |   50 -
 .../src/etc/rc.syshook.d/monitor/50-dyndns    |   38 -
 .../models/OPNsense/DynamicDNS/ACL/ACL.xml    |    9 -
 .../models/OPNsense/DynamicDNS/Menu/Menu.xml  |    7 -
 .../conf/actions.d/actions_dyndns.conf        |    6 -
 dns/dyndns/src/www/services_dyndns.php        |  203 --
 dns/dyndns/src/www/services_dyndns_edit.php   |  500 ----
 .../www/widgets/include/dyn_dns_status.inc    |    4 -
 .../widgets/widgets/dyn_dns_status.widget.php |  172 --
 14 files changed, 4128 deletions(-)
 delete mode 100644 dns/dyndns/Makefile
 delete mode 100644 dns/dyndns/pkg-descr
 delete mode 100644 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
 delete mode 100644 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
 delete mode 100644 dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/r53.inc
 delete mode 100755 dns/dyndns/src/etc/rc.dyndns
 delete mode 100755 dns/dyndns/src/etc/rc.syshook.d/monitor/50-dyndns
 delete mode 100644 dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/ACL/ACL.xml
 delete mode 100644 dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml
 delete mode 100644 dns/dyndns/src/opnsense/service/conf/actions.d/actions_dyndns.conf
 delete mode 100644 dns/dyndns/src/www/services_dyndns.php
 delete mode 100644 dns/dyndns/src/www/services_dyndns_edit.php
 delete mode 100644 dns/dyndns/src/www/widgets/include/dyn_dns_status.inc
 delete mode 100644 dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php

diff --git a/dns/dyndns/Makefile b/dns/dyndns/Makefile
deleted file mode 100644
index ee2bb7a736..0000000000
--- a/dns/dyndns/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-PLUGIN_NAME=		dyndns
-PLUGIN_VERSION=		1.27
-PLUGIN_REVISION=	3
-PLUGIN_COMMENT=		Dynamic DNS Support
-PLUGIN_MAINTAINER=	franco@opnsense.org
-
-.include "../../Mk/plugins.mk"
diff --git a/dns/dyndns/pkg-descr b/dns/dyndns/pkg-descr
deleted file mode 100644
index ff5dc2c1d9..0000000000
--- a/dns/dyndns/pkg-descr
+++ /dev/null
@@ -1,32 +0,0 @@
-Support for numerous Dynamic DNS services (DynDNS et al)
-
-Plugin Changelog
-================
-
-1.27
-
-* Add missing digitalocean-v6 switch case (contributed by zarcjap)
-* Fix GoDaddy IPv6 update (contributed by Team Rebellion)
-
-1.26
-
-* Add support for 1984 Hosting Company (contributed by Adrian Fedoreanu)
-* Add %HOST% support for custom dynamic DNS (contributed by Marc Collins)
-* Add PAYLOAD log and debug support for missing code spots
-
-1.25
-
-* Make regfish DynDNS work for IPv4 and IPv6 (contributed by DeepCoreSystem)
-* Add STRATO IPv6 to DynDNS (contributed by Jan Wiesemann)
-* Add desec.io wildcard support (contributed by Luca Zeug)
-* Accept wildcard entry for Hetzner
-
-1.24
-
-* Fix FreeDNS update in DynDNS plugin (contributed by rmrfus)
-* Add hetzner dns console to supported dyndns services (contributed by schreibubi)
-* Add support for deSEC.io (contributed by Michael Paul)
-* Add All-Inkl v4 and v6 DynDNS support (contributed by polkhigh33)
-* Add support for digitalocean v6 records (contributed by Jan Koppe)
-* Update No-Ip client code to use APIv2 (contributed by Victor Kislov)
-* Fix copy and paste unprotected JSON object access
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
deleted file mode 100644
index 455d68d7d1..0000000000
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns.inc
+++ /dev/null
@@ -1,281 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2017 Franco Fichtner <franco@opnsense.org>
- * Copyright (C) 2010 Ermal Luçi
- * Copyright (C) 2005-2006 Colin Smith <ethethlay@gmail.com>
- * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once('plugins.inc.d/dyndns/phpDynDNS.inc');
-require_once('plugins.inc.d/dyndns/r53.inc');
-
-function dyndns_configure()
-{
-    return [
-        'bootup' => ['dyndns_configure_do'],
-        'local' => ['dyndns_configure_do'],
-        'newwanip' => ['dyndns_configure_do:2'],
-    ];
-}
-
-function dyndns_enabled()
-{
-    global $config;
-
-    if (isset($config['dyndnses']['dyndns'])) {
-        foreach ($config['dyndnses']['dyndns'] as $conf) {
-            if (isset($conf['enable'])) {
-                return true;
-            }
-        }
-    }
-
-    return false;
-}
-
-function dyndns_services()
-{
-    $services = [];
-
-    if (dyndns_enabled()) {
-        $services[] = [
-            'description' => gettext('Dynamic DNS'),
-            'configd' => [ 'restart' => ['dyndns reload'] ],
-            'nocheck' => true,
-            'name' => 'dyndns',
-        ];
-    }
-
-    return $services;
-}
-
-function dyndns_cron()
-{
-    $jobs = [];
-
-    if (dyndns_enabled()) {
-        $jobs[]['autocron'] = ['/usr/local/etc/rc.dyndns', '11', '1'];
-    }
-
-    return $jobs;
-}
-
-function dyndns_list()
-{
-    /*
-     * XXX something like this would be cool:
-     *
-     * https://github.com/openwrt/packages/blob/master/net/ddns-scripts/files/services
-     */
-
-    return [
-        '1984-hosting' => '1984 Hosting Company',
-        '3322' => '3322',
-        'all-inkl' => 'All-Inkl',
-        'all-inkl-v6' => 'All-Inkl (v6)',
-        'azure' => 'Azure DNS',
-        'azurev6' => 'Azure DNS (v6)',
-        'citynetwork' => 'City Network',
-        'cloudflare' => 'Cloudflare',
-        'cloudflare-token' => 'Cloudflare API token',
-        'cloudflare-token-v6' => 'Cloudflare API token (v6)',
-        'cloudflare-v6' => 'Cloudflare (v6)',
-        'custom' => 'Custom',
-        'custom-v6' => 'Custom (v6)',
-        'desec' => 'deSEC',
-        'desec-v4-v6' => 'deSEC (v4+v6)',
-        'desec-v6' => 'deSEC (v6)',
-        'dhs' => 'DHS',
-        'digitalocean' => 'DigitalOcean',
-        'digitalocean-v6' => 'DigitalOcean (v6)',
-        'dnsexit' => 'DNSexit',
-        'dnsomatic' => 'DNS-O-Matic',
-        'duckdns' => 'Duck DNS',
-        'dyndns' => 'DynDNS (dynamic)',
-        'dyndns-custom' => 'DynDNS (custom)',
-        'dyndns-static' => 'DynDNS (static)',
-        'dyns' => 'DyNS',
-        'dynv6' => 'dynv6',
-        'dynv6-v6' => 'dynv6 (v6)',
-        'easydns' => 'easyDNS',
-        'eurodns' => 'EuroDNS',
-        'freedns' => 'freeDNS',
-        'gandi-livedns' => 'Gandi LiveDNS',
-        'godaddy' => 'GoDaddy',
-        'godaddy-v6' => 'GoDaddy (v6)',
-        'googledomains' => 'Google Domains',
-        'gratisdns' => 'GratisDNS',
-        'he-net' => 'HE.net',
-        'he-net-tunnelbroker' => 'HE.net Tunnelbroker',
-        'he-net-v6' => 'HE.net (v6)',
-        'hetzner' => 'Hetzner DNS Console',
-        'hetzner-v6' => 'Hetzner DNS Console (v6)',
-        'linode' => 'Linode',
-        'linode-v6' => 'Linode (v6)',
-        'loopia' => 'Loopia',
-        'namecheap' => 'Namecheap',
-        'noip' => 'No-IP',
-        'noip-free' => 'No-IP (free)',
-        'ods' => 'ODS.org',
-        'oray' => 'Oray',
-        'ovh-dynhost' => 'OVH DynHOST',
-        'regfish' => 'regfish',
-        'regfish-v6' => 'regfish (v6)',
-        'route53' => 'Route 53',
-        'route53-v6' => 'Route 53 (v6)',
-        'selfhost' => 'SelfHost',
-        'strato' => 'STRATO',
-        'strato-v6' => 'STRATO (v6)',
-        'zoneedit' => 'ZoneEdit',
-    ];
-}
-
-function dyndns_cache_file($conf, $ipver = 4)
-{
-    $ipver = $ipver == 6 ? '_v6' : '';
-
-    return "/var/cache/dyndns_{$conf['interface']}_{$conf['host']}_{$conf['id']}{$ipver}.cache";
-}
-
-function dyndns_configure_client($conf)
-{
-    if (!isset($conf['enable'])) {
-        return;
-    }
-
-    $dns = new updatedns(
-        $dnsService = $conf['type'],
-        $dnsHost = $conf['host'],
-        $dnsUser = $conf['username'],
-        $dnsPass = $conf['password'],
-        $dnsWilcard = $conf['wildcard'],
-        $dnsMX = $conf['mx'],
-        $dnsIf = "{$conf['interface']}",
-        $dnsBackMX = null,
-        $dnsServer = null,
-        $dnsPort = null,
-        $dnsUpdateURL = "{$conf['updateurl']}",
-        $forceUpdate = $conf['force'],
-        $dnsZoneID = $conf['zoneid'],
-        $dnsResourceID = $conf['resourceid'],
-        $dnsTTL = $conf['ttl'],
-        $dnsResultMatch = "{$conf['resultmatch']}",
-        $dnsRequestIf = "{$conf['requestif']}",
-        $dnsID = "{$conf['id']}",
-        $dnsVerboseLog = $conf['verboselog'],
-        $curlIpresolveV4 = $conf['curl_ipresolve_v4'],
-        $curlSslVerifypeer = $conf['curl_ssl_verifypeer']
-    );
-}
-
-function dyndns_configure_do($verbose = false, $int = '')
-{
-    global $config;
-
-    if (!dyndns_enabled()) {
-        return;
-    }
-
-    $dyndnscfg = $config['dyndnses']['dyndns'];
-    $gwgroups = return_gateway_groups_array();
-
-    service_log('Configuring dynamic DNS clients...', $verbose);
-
-    foreach ($dyndnscfg as $dyndns) {
-        if ((empty($int)) || ($int == $dyndns['interface']) || (is_array($gwgroups[$dyndns['interface']]))) {
-            $dyndns['verboselog'] = isset($dyndns['verboselog']);
-            $dyndns['curl_ipresolve_v4'] = isset($dyndns['curl_ipresolve_v4']);
-            $dyndns['curl_ssl_verifypeer'] = isset($dyndns['curl_ssl_verifypeer']);
-            dyndns_configure_client($dyndns);
-            sleep(1);
-        }
-    }
-
-    service_log("done.\n", $verbose);
-}
-
-function dyndns_failover_interface($interface, $family = 'all')
-{
-    global $config;
-
-    /* shortcut for known interfaces */
-    if (isset($config['interfaces'][$interface])) {
-        return get_real_interface($interface, $family);
-    }
-
-    /* compare against gateway groups */
-    $a_groups = return_gateway_groups_array();
-    if (isset($a_groups[$interface])) {
-        /* we found a gateway group, fetch the interface or vip */
-        if ($a_groups[$interface][0]['vip'] != '') {
-            return $a_groups[$interface][0]['vip'];
-        } else {
-            return $a_groups[$interface][0]['int'];
-        }
-    }
-
-    /* fall through to get real interface the hard way */
-    return get_real_interface($interface, $family);
-}
-
-
-function get_dyndns_ip_address($int, $ipver = 4)
-{
-    $ip_address = $ipver == 6 ? get_interface_ipv6($int) : get_interface_ip($int);
-    if (empty($ip_address)) {
-        log_error("Aborted IPv{$ipver} detection: no address for {$int}");
-        return 'down';
-    }
-
-    if ($ipver != 6 && is_private_ip($ip_address)) {
-        /* Chinese alternative is http://ip.3322.net/ */
-        $hosttocheck = 'http://checkip.dyndns.org';
-        $ip_ch = curl_init($hosttocheck);
-        curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1);
-        curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address);
-        curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, 5);
-        curl_setopt($ip_ch, CURLOPT_TIMEOUT, 30);
-        curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-        $ip_result = curl_exec($ip_ch);
-        if ($ip_result !== false) {
-            preg_match('=<body>Current IP Address: (.*)</body>=siU', $ip_result, $matches);
-            $ip_address = trim($matches[1]);
-        } else {
-            log_error('Aborted IPv4 detection: ' . curl_error($ip_ch));
-            $ip_address = '';
-        }
-        curl_close($ip_ch);
-    } elseif ($ipver == 6 && is_linklocal($ip_address)) {
-        log_error('Aborted IPv6 detection: cannot bind to link-local address');
-        $ip_address = '';
-    }
-
-    if (($ipver == 6 && !is_ipaddrv6($ip_address)) || ($ipver != 6 && !is_ipaddrv4($ip_address))) {
-        return 'down';
-    }
-
-    return $ip_address;
-}
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
deleted file mode 100644
index 0bf6908165..0000000000
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc
+++ /dev/null
@@ -1,2042 +0,0 @@
-<?php
-
-/*
- *  phpDynDNS
- *
- *  Public Functions
- *    - updatedns()
- *
- *  Private Functions
- *    - _update()
- *    - _checkStatus()
- *    - _error()
- *    - _detectChange()
- *    - _debug()
- *    - _checkIP()
- * +----------------------------------------------------+
- *  1984 Hosting Company        - Last Tested: 03 August 2020
- *  3322                        - Last Tested: 26 May 2017
- *  All-Inkl                    - Last Tested: 02 March 2020
- *  Amazon Route53              - Last Tested: 01 April 2012
- *  Amazon Route53 v6           - Last Tested: 19 November 2017
- *  Azure DNS                   - Last Tested: 16 October 2019
- *  City Network                - Last Tested: 13 November 2013
- *  Cloudflare                  - Last Tested: 16 April 2019
- *  Cloudflare IPv6             - Last Tested: 16 April 2019
- *  Cloudflare w/API token      - Last Tested: 13 June 2020
- *  DHS                         - Last Tested: 12 July 2005
- *  DNS-O-Matic                 - Last Tested: 9 September 2010
- *  DNSexit                     - Last Tested: 20 July 2008
- *  DigitalOcean                - Last Tested: 25 June 2019
- *  DigitalOcean v6             - Last Tested: 13 May 2020
- *  Duck DNS                    - Last Tested: 04 March 2015
- *  DynDNS Dynamic              - Last Tested: 12 July 2005
- *  EasyDNS                     - Last Tested: 20 July 2008
- *  Eurodns                     - Last Tested: 25 July 2018
- *  FreeDNS                     - Last Tested: 06 March 2021
- *  Gandi LiveDNS               - Last Tested: 24 August 2020
- *  GoDaddy                     - Last Tested: 10 July 2020
- *  GoDaddy v6                  - Last Tested: 10 July 2020
- *  Google Domains              - Last Tested: 20 February 2017
- *  GratisDNS                   - Last Tested: 26 January 2020
- *  HE.net                      - Last Tested: 7 July 2013
- *  HE.net IPv6                 - Last Tested: 7 July 2013
- *  HE.net Tunnel               - Last Tested: 28 June 2011
- *  Hetzner DNS Console         - Last Tested: 06 February 2021
- *  Hetzner DNS Console v6      - Last Tested: 06 February 2021
- *  HN.org                      - Last Tested: 12 July 2005
- *  Linode                      - Last Tested: 25 February 2020
- *  Linode v6                   - Last Tested: 25 February 2020
- *  Namecheap                   - Last Tested: 31 August 2010
- *  No-IP                       - Last Tested: 15 May 2020
- *  ODS                         - Last Tested: 02 August 2005
- *  Oray                        - Last Tested: 26 May 2017
- *  STRATO                      - Last Tested: 08 October 2021
- *  STRATO V6                   - Last Tested: 08 October 2021
- *  SelfHost                    - Last Tested: 26 December 2011
- *  StaticCling                 - Last Tested: 27 April 2006
- *  deSEC                       - Last Tested: 09 September 2020
- *  deSEC v6                    - Last Tested: 09 September 2020
- *  deSEC v4 + v6               - Last Tested: 09 September 2020
- *  dynv6                       - Last Tested: 25 June 2019
- *  dynv6 v6                    - Last Tested: 25 June 2019
- *  regfish                     - Last Tested: 15 August 2017
- *  regfish v6                  - Last Tested: 15 August 2017
- * +====================================================+
- *
- * @author    E.Kristensen
- * @link    http://www.idylldesigns.com/projects/phpdns/
- * @version    0.8
- * @updated    13 October 05 at 21:02:42 GMT
- *
- * DNSexit support and multiwan extension for pfSense by Ermal Luçi
- * Custom DNS support by Matt Corallo
- */
-
-class updatedns
-{
-    var $_cacheFile;
-    var $_cacheFile_v6;
-    var $_debugFile;
-    var $_UserAgent = 'User-Agent: phpDynDNS/0.8';
-    var $_errorVerbosity = 0;
-    var $_dnsService;
-    var $_dnsUser;
-    var $_dnsPass;
-    var $_dnsHost;
-    var $_dnsIP;
-    var $_dnsWildcard;
-    var $_dnsMX;
-    var $_dnsBackMX;
-    var $_dnsServer;
-    var $_dnsPort;
-    var $_dnsUpdateURL;
-    var $_dnsZoneID;
-    var $_dnsResourceID;
-    var $_dnsTTL;
-    var $status;
-    var $_debugID;
-    var $_if;
-    var $_dnsResultMatch;
-    var $_dnsRequestIf;
-    var $_dnsRequestIfIP;
-    var $_dnsVerboseLog;
-    var $_curlIpresolveV4;
-    var $_curlSslVerifypeer;
-    var $_dnsMaxCacheAgeDays;
-    var $_dnsDummyUpdateDone;
-    var $_forceUpdateNeeded;
-    var $_useIPv6;
-
-    /*
-     * Public Constructor Function (added 12 July 05) [beta]
-     *   - Gets the dice rolling for the update.
-     *   - $dnsResultMatch should only be used with $dnsService = 'custom'
-     *   -  $dnsResultMatch is parsed for '%IP%', which is the IP the provider was updated to,
-     *   -  it is otherwise expected to be exactly identical to what is returned by the Provider.
-     *   - $dnsUser, and $dnsPass indicate HTTP Auth for custom DNS, if they are needed in the URL (GET Variables), include them in $dnsUpdateURL.
-     *   - $For custom requests, $dnsUpdateURL is parsed for '%IP%', which is replaced with the new IP.
-     */
-    public function __construct(
-        $dnsService = '',
-        $dnsHost = '',
-        $dnsUser = '',
-        $dnsPass = '',
-        $dnsWildcard = 'OFF',
-        $dnsMX = '',
-        $dnsIf = '',
-        $dnsBackMX = '',
-        $dnsServer = '',
-        $dnsPort = '',
-        $dnsUpdateURL = '',
-        $forceUpdate = false,
-        $dnsZoneID = '',
-        $dnsResourceID = '',
-        $dnsTTL = '',
-        $dnsResultMatch = '',
-        $dnsRequestIf = '',
-        $dnsID = '',
-        $dnsVerboseLog = false,
-        $curlIpresolveV4 = false,
-        $curlSslVerifypeer = true
-    ) {
-
-        /* XXX because the call stack is upside down we need to reassemble config parts here... */
-        $conf = array('host' => $dnsHost, 'id' => $dnsID, 'interface' => $dnsIf);
-        $this->_cacheFile = dyndns_cache_file($conf, 4);
-        $this->_cacheFile_v6 = dyndns_cache_file($conf, 6);
-        $this->_debugFile = dyndns_cache_file($conf, 4) . '.debug';
-        $this->_dnsServiceList = dyndns_list();
-
-        $this->_curlIpresolveV4 = $curlIpresolveV4;
-        $this->_curlSslVerifypeer = $curlSslVerifypeer;
-        $this->_dnsVerboseLog = $dnsVerboseLog;
-        if ($this->_dnsVerboseLog) {
-            log_error("Dynamic DNS: updatedns() starting");
-        }
-
-        $dyndnslck = lock("DDNS" . $dnsID, LOCK_EX);
-
-        if (!$dnsService) {
-            $this->_error(2);
-        }
-        switch ($dnsService) {
-            case 'freedns':
-                if (!$dnsHost) {
-                    $this->_error(5);
-                }
-                break;
-            case 'linode':
-            case 'linode-v6':
-            case 'namecheap':
-            case '1984-hosting':
-                if (!$dnsPass) {
-                    $this->_error(4);
-                } elseif (!$dnsHost) {
-                    $this->_error(5);
-                }
-                break;
-            case 'route53':
-            case 'route53-v6':
-                if (!$dnsZoneID) {
-                    $this->_error(8);
-                } elseif (!$dnsTTL) {
-                    $this->_error(9);
-                }
-                break;
-            case 'custom':
-            case 'custom-v6':
-                if (!$dnsUpdateURL) {
-                    $this->_error(7);
-                }
-                break;
-            case 'duckdns':
-            case 'dynv6':
-            case 'dynv6-v6':
-            case 'regfish':
-            case 'regfish-v6':
-                if (!$dnsUser) {
-                    $this->_error(3);
-                } elseif (!$dnsHost) {
-                    $this->_error(5);
-                }
-                break;
-            case 'azure':
-            case 'azurev6':
-                if (!$dnsUser) {
-                    $this->_error(3);
-                } elseif (!$dnsPass) {
-                    $this->_error(4);
-                } elseif (!$dnsHost) {
-                    $this->_error(5);
-                } elseif (!$dnsResourceID) {
-                    $this->_error(8);
-                } elseif (!$dnsTTL) {
-                    $this->_error(9);
-                }
-                break;
-            case 'cloudflare-token':
-            case 'cloudflare-token-v6':
-            case 'hetzner':
-            case 'hetzner-v6':
-                if (!$dnsPass) {
-                    $this->_error(4);
-                } elseif (!$dnsHost) {
-                    $this->_error(5);
-                } elseif (!$dnsTTL) {
-                    $this->_error(9);
-                }
-                break;
-            case 'desec':
-            case 'desec-v4-v6':
-            case 'desec-v6':
-                if (!$dnsPass) {
-                    $this->_error(4);
-                } elseif (!$dnsHost) {
-                    $this->_error(5);
-                }
-                break;
-            default:
-                if (!$dnsUser) {
-                    $this->_error(3);
-                } elseif (!$dnsPass) {
-                    $this->_error(4);
-                } elseif (!$dnsHost) {
-                    $this->_error(5);
-                }
-                break;
-        }
-
-        switch ($dnsService) {
-            case 'all-inkl-v6':
-            case 'azurev6':
-            case 'cloudflare-token-v6':
-            case 'cloudflare-v6':
-            case 'custom-v6':
-            case 'desec-v4-v6':
-            case 'desec-v6':
-            case 'digitalocean-v6':
-            case 'dynv6-v6':
-            case 'godaddy-v6':
-            case 'he-net-v6':
-            case 'hetzner-v6':
-            case 'linode-v6':
-            case 'regfish-v6':
-            case 'route53-v6':
-            case 'strato-v6':
-                $this->_useIPv6 = true;
-                break;
-            default:
-                $this->_useIPv6 = false;
-        }
-        $this->_dnsService = strtolower($dnsService);
-        $this->_dnsUser = $dnsUser;
-        $this->_dnsPass = $dnsPass;
-        $this->_dnsHost = $dnsHost;
-        $this->_dnsServer = $dnsServer;
-        $this->_dnsPort = $dnsPort;
-        $this->_dnsWildcard = $dnsWildcard;
-        $this->_dnsMX = $dnsMX;
-        $this->_dnsZoneID = $dnsZoneID;
-        $this->_dnsResourceID = $dnsResourceID;
-        $this->_dnsTTL = $dnsTTL;
-        $this->_if = dyndns_failover_interface($dnsIf, $this->_useIPv6 ? 'inet6' : 'all');
-        $this->_checkIP();
-        $this->_dnsUpdateURL = $dnsUpdateURL;
-        $this->_dnsResultMatch = $dnsResultMatch;
-        $this->_dnsRequestIf = dyndns_failover_interface($dnsRequestIf, $this->_useIPv6 ? 'inet6' : 'all');
-        if ($this->_dnsVerboseLog) {
-            log_error("Dynamic DNS ({$this->_dnsHost}): running dyndns_failover_interface for {$dnsRequestIf}. found {$this->_dnsRequestIf}");
-        }
-        $this->_dnsRequestIfIP = $this->_useIPv6 ? get_interface_ipv6($this->_dnsRequestIf) : get_interface_ip($this->_dnsRequestIf);
-        $this->_dnsMaxCacheAgeDays = 25;
-        $this->_dnsDummyUpdateDone = false;
-        $this->_forceUpdateNeeded = $forceUpdate;
-
-        // Ensure that we were able to lookup the IP
-        if (!is_ipaddr($this->_dnsIP)) {
-            log_error("Dynamic DNS ({$this->_dnsHost}) There was an error trying to determine the public IP for interface - {$dnsIf}({$this->_if}). Probably interface is not a WAN interface.");
-            unlock($dyndnslck);
-            return;
-        }
-
-        $this->_debugID = rand(1000000, 9999999);
-
-        if ($forceUpdate == false && $this->_detectChange() == false) {
-            $this->_error(10);
-        } else {
-            switch ($this->_dnsService) {
-                case '1984-hosting':
-                case '3322':
-                case 'all-inkl':
-                case 'all-inkl-v6':
-                case 'azure':
-                case 'azurev6':
-                case 'citynetwork':
-                case 'cloudflare':
-                case 'cloudflare-v6':
-                case 'cloudflare-token':
-                case 'cloudflare-token-v6':
-                case 'custom':
-                case 'custom-v6':
-                case 'desec':
-                case 'desec-v4-v6':
-                case 'desec-v6':
-                case 'dhs':
-                case 'digitalocean':
-                case 'digitalocean-v6':
-                case 'gandi-livedns':
-                case 'dnsexit':
-                case 'dnsomatic':
-                case 'duckdns':
-                case 'dyndns':
-                case 'dyndns-custom':
-                case 'dyndns-static':
-                case 'dyns':
-                case 'dynv6':
-                case 'dynv6-v6':
-                case 'easydns':
-                case 'eurodns':
-                case 'freedns':
-                case 'godaddy':
-                case 'godaddy-v6':
-                case 'googledomains':
-                case 'gratisdns':
-                case 'he-net':
-                case 'he-net-tunnelbroker':
-                case 'he-net-v6':
-                case 'hetzner':
-                case 'hetzner-v6':
-                case 'hn':
-                case 'linode':
-                case 'linode-v6':
-                case 'loopia':
-                case 'namecheap':
-                case 'noip':
-                case 'noip-free':
-                case 'ods':
-                case 'oray':
-                case 'ovh-dynhost':
-                case 'regfish':
-                case 'regfish-v6':
-                case 'route53':
-                case 'route53-v6':
-                case 'selfhost':
-                case 'staticcling':
-                case 'strato':
-                case 'strato-v6':
-                case 'zoneedit':
-                    $this->_update();
-                    if ($this->_dnsDummyUpdateDone == true) {
-                        // If a dummy update was needed, then sleep a while and do the update again to put the proper address back.
-                        // Some providers (e.g. No-IP free accounts) need to have at least 1 address change every month.
-                        // If the address has not changed recently, or the user did "Force Update", then the code does
-                        // a dummy address change for providers like this.
-                        sleep(10);
-                        $this->_update();
-                    }
-                    break;
-                default:
-                    $this->_error(6);
-                    break;
-            }
-        }
-
-        unlock($dyndnslck);
-    }
-
-    /*
-     * Private Function (added 12 July 05) [beta]
-     *   Send Update To Selected Service.
-     */
-    function _update()
-    {
-        if ($this->_dnsVerboseLog) {
-            log_error("Dynamic DNS ({$this->_dnsHost} via {$this->_dnsServiceList[$this->_dnsService]}): _update() starting.");
-        }
-
-        if ($this->_dnsService != 'ods' and $this->_dnsService != 'route53' and $this->_dnsService != 'route53-v6') {
-            $ch = curl_init();
-            curl_setopt($ch, CURLOPT_HEADER, 0);
-            curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent);
-            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-            curl_setopt($ch, CURLOPT_INTERFACE, $this->_dnsRequestIfIP);
-            curl_setopt($ch, CURLOPT_TIMEOUT, 15);
-        }
-
-        switch ($this->_dnsService) {
-            case 'dyndns':
-            case 'dyndns-static':
-            case 'dyndns-custom':
-                if (isset($this->_dnsWildcard) && $this->_dnsWildcard != "OFF") {
-                    $this->_dnsWildcard = "ON";
-                }
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                $server = "https://members.dyndns.org/nic/update";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?system=dyndns&hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NO');
-                break;
-            case 'dhs':
-                $post_data['hostscmd'] = 'edit';
-                $post_data['hostscmdstage'] = '2';
-                $post_data['type'] = '4';
-                $post_data['updatetype'] = 'Online';
-                $post_data['mx'] = $this->_dnsMX;
-                $post_data['mx2'] = '';
-                $post_data['txt'] = '';
-                $post_data['offline_url'] = '';
-                $post_data['cloak'] = 'Y';
-                $post_data['cloak_title'] = '';
-                $post_data['ip'] = $this->_dnsIP;
-                $post_data['domain'] = 'dyn.dhs.org';
-                $post_data['hostname'] = $this->_dnsHost;
-                $post_data['submit'] = 'Update';
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                $server = "https://members.dhs.org/nic/hosts";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, '{$server}{$port}');
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
-                break;
-            case 'noip':
-            case 'noip-free':
-                curl_setopt_array($ch, [
-                    CURLOPT_SSL_VERIFYPEER => true,
-                    CURLOPT_USERPWD => $this->_dnsUser . ':' . $this->_dnsPass
-                ]);
-                $server = "https://dynupdate.no-ip.com/nic/update";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                if (
-                    ($this->_dnsService == "noip-free") &&
-                    ($this->_forceUpdateNeeded == true) &&
-                    ($this->_dnsDummyUpdateDone == false)
-                ) {
-                    // Update the IP to a dummy value to force No-IP free accounts to see a change.
-                    $iptoset = "192.168.1.1";
-                    $this->_dnsDummyUpdateDone = true;
-                    log_error("Dynamic DNS ({$this->_dnsHost}): Processing dummy update on No-IP free account. IP temporarily set to " . $iptoset);
-                } else {
-                    $iptoset = $this->_dnsIP;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $iptoset);
-                break;
-            case 'easydns':
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                $server = "https://members.easydns.com/dyn/dyndns.php";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=' . $this->_dnsBackMX);
-                break;
-            case 'hn':
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                $server = "http://dup.hn.org/vanity/update";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?ver=1&IP=' . $this->_dnsIP);
-                break;
-            case 'zoneedit':
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-
-                $server = "https://dynamic.zoneedit.com/auth/dynamic.html";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, "{$server}{$port}?host=" . $this->_dnsHost);
-                break;
-            case 'dyns':
-                /* XXX HTTPS is currently broken for them */
-                $server = 'http://www.dyns.cx/postscript011.php';
-                $port = '';
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?username=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost);
-                break;
-            case 'ods':
-                $misc_errno = 0;
-                $misc_error = "";
-                $server = "ods.org";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                $this->con['socket'] = fsockopen("{$server}{$port}", "7070", $misc_errno, $misc_error, 30);
-                /* Check that we have connected */
-                if (!$this->con['socket']) {
-                    print "error! could not connect.";
-                    break;
-                }
-                /* Here is the loop. Read the incoming data (from the socket connection) */
-                while (!feof($this->con['socket'])) {
-                    $this->con['buffer']['all'] = trim(fgets($this->con['socket'], 4096));
-                    $code = substr($this->con['buffer']['all'], 0, 3);
-                    sleep(1);
-                    switch ($code) {
-                        case 100:
-                            fputs($this->con['socket'], "LOGIN " . $this->_dnsUser . " " . $this->_dnsPass . "\n");
-                            break;
-                        case 225:
-                            fputs($this->con['socket'], "DELRR " . $this->_dnsHost . " A\n");
-                            break;
-                        case 901:
-                            fputs($this->con['socket'], "ADDRR " . $this->_dnsHost . " A " . $this->_dnsIP . "\n");
-                            break;
-                        case 795:
-                            fputs($this->con['socket'], "QUIT\n");
-                            break;
-                    }
-                }
-                $this->_checkStatus(0, $code);
-                break;
-            case 'freedns':
-                curl_setopt($ch, CURLOPT_URL, 'https://sync.afraid.org/u/' . $this->_dnsPass . '/');
-                break;
-            case 'dnsexit':
-                curl_setopt($ch, CURLOPT_URL, 'https://update.dnsexit.com/RemoteUpdate.sv?login=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);
-                break;
-            case 'loopia':
-                $this->_dnsWildcard = (isset($this->_dnsWildcard) && $this->_dnsWildcard == true) ? 'ON' : 'OFF';
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_URL, 'https://dns.loopia.se/XDynDNSServer/XDynDNS.php?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard);
-                break;
-            case 'staticcling':
-                curl_setopt($ch, CURLOPT_URL, 'https://www.staticcling.org/update.html?login=' . urlencode($this->_dnsUser) . '&pass=' . $this->_dnsPass);
-                break;
-            case 'dnsomatic':
-                /* Example syntax
-                    https://username:password@updates.dnsomatic.com/nic/update?hostname=yourhostname&myip=ipaddress&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG
-                */
-                if (isset($this->_dnsWildcard) && $this->_dnsWildcard != "OFF") {
-                    $this->_dnsWildcard = "ON";
-                }
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                /*
-                Reference: https://www.dnsomatic.com/wiki/api
-                    DNS-O-Matic usernames are 3-25 characters.
-                    DNS-O-Matic passwords are 6-20 characters.
-                    All ASCII letters and numbers accepted.
-                    Dots, dashes, and underscores allowed, but not at the beginning or end of the string.
-                Required: "rawurlencode" http://www.php.net/manual/en/function.rawurlencode.php
-                    Encodes the given string according to RFC 3986.
-                */
-                $server = "https://" . rawurlencode($this->_dnsUser) . ":" . rawurlencode($this->_dnsPass) . "@updates.dnsomatic.com/nic/update?hostname=";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NOCHG');
-                break;
-            case 'namecheap':
-                /* Example:
-                    https://dynamicdns.park-your-domain.com/update?host=[host_name]&domain=[domain.com]&password=[domain_password]&ip=[your_ip]
-                */
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                $dparts = explode(".", trim($this->_dnsHost));
-                $domain_part_count = ($dparts[count($dparts) - 1] == "uk") ? 3 : 2;
-                $domain_offset = count($dparts) - $domain_part_count;
-                $hostname = implode(".", array_slice($dparts, 0, $domain_offset));
-                $domain = implode(".", array_slice($dparts, $domain_offset));
-                $dnspass = trim($this->_dnsPass);
-                $server = "https://dynamicdns.park-your-domain.com/update?host={$hostname}&domain={$domain}&password={$dnspass}&ip={$this->_dnsIP}";
-                curl_setopt($ch, CURLOPT_URL, $server);
-                break;
-            case 'he-net':
-            case 'he-net-v6':
-                $server = "https://dyn.dns.he.net/nic/update?";
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_URL, $server . 'hostname=' . $this->_dnsHost . '&password=' . $this->_dnsPass . '&myip=' . $this->_dnsIP);
-                break;
-            case 'he-net-tunnelbroker':
-                $server = "https://ipv4.tunnelbroker.net/nic/update?";
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_URL, $server . 'hostname=' . $this->_dnsHost);
-                break;
-            case 'digitalocean':
-            case 'digitalocean-v6':
-                /*
-                * dnsHost should be the root domain
-                * dnsUser should be the record ID
-                * dnsPass should be the API key
-                */
-                $server = "https://api.digitalocean.com/v2/domains/" . $this->_dnsHost . "/records/" . $this->_dnsUser;
-                $hostData = array("data" => "{$this->_dnsIP}");
-
-                /*
-                * DigitalOcean does not offer the API via IPv6, so we need
-                * to force sending the request using IPv4 when updating for IPv6
-                */
-                curl_setopt($ch, CURLOPT_INTERFACE, $this->_dnsRequestIf);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-                curl_setopt($ch, CURLOPT_HTTPHEADER, array(
-                    "Authorization: Bearer {$this->_dnsPass}",
-                    'Content-Type: application/json'
-                ));
-                curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($hostData));
-                curl_setopt($ch, CURLOPT_URL, $server);
-                break;
-            case 'gandi-livedns':
-                /*
-                * https://github.com/vizion8-dan
-                * Tested on OPNsense 20.1.8_1-amd64 - IPv4 (A)
-                * dnsHost ("Hostname" field in OPNsense) should be the 2nd-level domain ("example.org")
-                * dnsUser ("Username" field in OPNsense) should be the subdomain / A-record ("myrecord" in 2nd-level domain)
-                * dnsPass should be the Gandi-API key
-                */
-                $server = "https://dns.api.gandi.net/api/v5/domains/" . $this->_dnsHost . "/records/" . $this->_dnsUser . "/A";
-
-                $body = '{"rrset_ttl":"' . "300" . '", "rrset_values":["' . $this->_dnsIP . '"]}';
-
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-                curl_setopt($ch, CURLOPT_HTTPHEADER, array(
-                    "X-Api-Key: {$this->_dnsPass}",
-                    'Content-Type: application/json'
-                ));
-                curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
-                curl_setopt($ch, CURLOPT_URL, $server);
-                break;
-            case 'selfhost':
-                if (isset($this->_dnsWildcard) && $this->_dnsWildcard != "OFF") {
-                    $this->_dnsWildcard = "ON";
-                }
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                $server = "https://carol.selfhost.de/nic/update";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?system=dyndns&hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NO');
-                break;
-            case 'route53':
-            case 'route53-v6':
-                /* Setting Variables */
-                $hostname = "{$this->_dnsHost}.";
-                $ZoneID = $this->_dnsZoneID;
-                $AccessKeyId = $this->_dnsUser;
-                $SecretAccessKey = $this->_dnsPass;
-                $NewIP = $this->_dnsIP;
-                $NewTTL = $this->_dnsTTL;
-                $RecordType = ($this->_useIPv6) ? "AAAA" : "A";
-
-                /* Set Amazon AWS Credentials for this record */
-                $r53 = new Route53($AccessKeyId, $SecretAccessKey);
-
-                /* Function to find old values of records in Route 53 */
-                if (!function_exists('Searchrecords')) {
-                    function SearchRecords($records, $name)
-                    {
-                        if (!is_array($records)) {
-                            return false;
-                        }
-                        $result = array();
-                        foreach ($records as $record) {
-                            if (strtolower($record['Name']) == strtolower($name)) {
-                                $result [] = $record;
-                            }
-                        }
-                        return ($result) ? $result : false;
-                    }
-                }
-
-                $records = $r53->listResourceRecordSets("/hostedzone/$ZoneID");
-
-                /* Get IP for your hostname in Route 53 */
-                if (false !== ($a_result = SearchRecords($records['ResourceRecordSets'], "$hostname"))) {
-                    /**
-                     * if hostname for ipv4 and ipv6 is the same, a_result contains more than 1 item
-                     * we need to get the item that corresponds to the record type
-                     */
-                    $oldTTLResult = null;
-                    $oldIPResult = null;
-                    foreach ($a_result as $resultItem) {
-                        if ($RecordType === $resultItem['Type']) {
-                            $oldTTLResult = $resultItem["TTL"];
-                            $oldIPResult = $resultItem["ResourceRecords"][0];
-                        }
-                    }
-
-                    $OldTTL = $oldTTLResult;
-                    $OldIP = $oldIPResult;
-                } else {
-                    $OldIP = "";
-                }
-
-                /* Check if we need to update DNS Record */
-                if ($OldIP !== $NewIP) {
-                    if (!empty($OldIP)) {
-                        /* Your Hostname already exists, deleting and creating it again */
-                        $changes = array();
-                        $changes[] = $r53->prepareChange("DELETE", $hostname, $RecordType, $OldTTL, $OldIP);
-                        $changes[] = $r53->prepareChange("CREATE", $hostname, $RecordType, $NewTTL, $NewIP);
-                        $result = $r53->changeResourceRecordSets("/hostedzone/$ZoneID", $changes);
-                    } else {
-                        /* Your Hostname does not exist yet, creating it */
-                        $changes = $r53->prepareChange("CREATE", $hostname, $RecordType, $NewTTL, $NewIP);
-                        $result = $r53->changeResourceRecordSets("/hostedzone/$ZoneID", $changes);
-                    }
-                }
-                $this->_checkStatus(0, $result);
-                break;
-            case 'custom':
-            case 'custom-v6':
-                if ($this->_curlIpresolveV4) {
-                    curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-                }
-                if ($this->_curlSslVerifypeer) {
-                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                } else {
-                    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                }
-                if ($this->_dnsUser != '') {
-                    curl_setopt($ch, CURLOPT_USERPWD, "{$this->_dnsUser}:{$this->_dnsPass}");
-                }
-                $server = str_replace("%IP%", $this->_dnsIP, $this->_dnsUpdateURL);
-                $server = str_replace("%HOST%", $this->_dnsHost, $server);
-                curl_setopt($ch, CURLOPT_URL, $server);
-                break;
-            case 'cloudflare':
-            case 'cloudflare-v6':
-            case 'cloudflare-token':
-            case 'cloudflare-token-v6':
-                $baseUrl = 'https://api.cloudflare.com/client/v4';
-                $fqdn = str_replace(' ', '', $this->_dnsHost);
-                $recordType = ($this->_useIPv6) ? 'AAAA' : 'A';
-                $ttlData = intval($this->_dnsTTL) < 1 ? 1 : intval($this->_dnsTTL);
-                $hostData = array(
-                    "content" => "{$this->_dnsIP}",
-                    "type" => $recordType,
-                    "name" => $fqdn,
-                    "ttl" => $ttlData
-                );
-
-                // Determine if service is token based or user/password based and define appropriate header
-                if (strpos($this->_dnsService, 'token') !== false) {
-                    $headerAuth = array(
-                        "Authorization: Bearer {$this->_dnsPass}",
-                        'Content-Type: application/json'
-                    );
-                } else {
-                    $headerAuth = array(
-                        "X-Auth-Email: {$this->_dnsUser}",
-                        "X-Auth-Key: {$this->_dnsPass}",
-                        'Content-Type: application/json'
-                    );
-                }
-
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-                curl_setopt($ch, CURLOPT_HTTPHEADER, $headerAuth);
-
-                // Get all zone info
-                $zonesUrl = "$baseUrl/zones";
-                curl_setopt($ch, CURLOPT_URL, $zonesUrl);
-                $output = json_decode(curl_exec($ch));
-                $zoneId = null; // Set default value
-
-                if (!empty($output->result)) {
-                    // Iterate zone objects, check if $fqdn is equal to or ends with zone name
-                    foreach ($output->result as $key => $zoneObj) {
-                        if (preg_match("/^{$zoneObj->name}$|\.{$zoneObj->name}$/", $fqdn)) {
-                            // Found matching zone
-                            $zoneId = $zoneObj->id;
-                            // Get $hostName from $fqdn, set $domainName
-                            // These are only really used for log messages.
-                            $hostName = preg_replace("/\.?{$zoneObj->name}$/", '', $fqdn);
-                            $domainName = $zoneObj->name;
-                            break;
-                        }
-                    }
-                }
-
-                if ($zoneId) { // If zone ID was found get host ID
-                    $dnsRecordsUrl = "$zonesUrl/$zoneId/dns_records";
-                    $getHostId = "$dnsRecordsUrl?name=$fqdn&type=$recordType";
-                    curl_setopt($ch, CURLOPT_URL, $getHostId);
-                    $output = json_decode(curl_exec($ch));
-                    $recordCount = !empty($output->result) ? count($output->result) : 0;
-                    if ($recordCount === 0) {
-                        // create record
-                        curl_setopt($ch, CURLOPT_URL, $dnsRecordsUrl);
-                        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
-                    } elseif ($recordCount >= 1) {
-                        // update record
-                        $recordId = $output->result[0]->id;
-                        $hostData["proxied"] = $output->result[0]->proxied;
-                        curl_setopt($ch, CURLOPT_URL, "$dnsRecordsUrl/$recordId");
-                        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
-                    }
-                    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($hostData));
-                    if ($recordCount > 1) {
-                        log_error("Dynamic DNS ($fqdn): Warning: multiple records for $hostName found");
-                    }
-                }
-                break;
-            case 'hetzner':
-            case 'hetzner-v6':
-                $baseUrl = 'https://dns.hetzner.com/api/v1';
-                $fqdn = str_replace(' ', '', $this->_dnsHost);
-                $recordType = ($this->_useIPv6) ? 'AAAA' : 'A';
-                $ttlData = intval($this->_dnsTTL) < 1 ? 120 : intval($this->_dnsTTL);
-                $hostData = [
-                    "value" => "{$this->_dnsIP}",
-                    "type" => $recordType,
-                    "name" => "",
-                    "ttl" => $ttlData,
-                    "zone_id" => ""
-                ];
-
-                $headerAuth = [
-                    "Auth-API-Token: {$this->_dnsPass}",
-                    'Content-Type: application/json'
-                ];
-
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-                curl_setopt($ch, CURLOPT_HTTPHEADER, $headerAuth);
-
-                // Get all zone info
-                $zonesUrl = "$baseUrl/zones";
-                curl_setopt($ch, CURLOPT_URL, $zonesUrl);
-                $output = json_decode(curl_exec($ch));
-                $zoneId = null; // Set default value
-
-                if (!empty($output->zones)) {
-                    // Iterate zone objects, check if $fqdn is equal to or ends with zone name
-                    foreach ($output->zones as $key => $zoneObj) {
-                        if (preg_match("/^{$zoneObj->name}$|\.{$zoneObj->name}$/", $fqdn)) {
-                            // Found matching zone
-                            $zoneId = $zoneObj->id;
-                            // Get $hostName from $fqdn, set $domainName
-                            // These are only really used for log messages.
-                            $hostName = preg_replace("/\.?{$zoneObj->name}$/", '', $fqdn);
-                            $domainName = $zoneObj->name;
-
-                            break;
-                        }
-                    }
-                }
-
-                if ($zoneId) { // If zone ID was found get host ID
-                    $dnsRecordsUrl = "$baseUrl/records?zone_id=$zoneId";
-                    curl_setopt($ch, CURLOPT_URL, $dnsRecordsUrl);
-                    $output = json_decode(curl_exec($ch));
-                    $recordId = null;
-
-                    if (!empty($output->records)) {
-                        // Iterate zone objects, check if $hostName exist of the same type
-                        foreach ($output->records as $key => $recordObj) {
-                            if (preg_match("/^{$recordObj->name}$/", $hostName)) {
-                                if ($recordObj->type == $recordType) {
-                                    // Found matching host
-                                    $recordId = $recordObj->id;
-                                    break;
-                                }
-                            }
-                        }
-                    }
-
-                    if ($recordId) { // If record ID was found, update record
-                        $setRecordUrl = "$baseUrl/records/$recordId";
-                        curl_setopt($ch, CURLOPT_URL, $setRecordUrl);
-                        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
-                    } else {
-                        $setRecordUrl = "$baseUrl/records";
-                        curl_setopt($ch, CURLOPT_URL, $setRecordUrl);
-                        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
-                    }
-
-                    $hostData["zone_id"] = $zoneId;
-                    $hostData["name"] = $hostName;
-
-                    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($hostData));
-                }
-                break;
-            case 'eurodns':
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                $server = "https://update.eurodyndns.org/update/";
-                $port = "";
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);
-                break;
-            case 'gratisdns':
-                $server = "https://admin.gratisdns.com/ddns.php";
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                if (substr_count($this->_dnsHost, ".") < 2) {
-                    $domain = $this->_dnsHost;
-                    $hostname = $this->_dnsHost;
-                } else {
-                    list($hostname, $domain) = explode(".", $this->_dnsHost, 2);
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . '?u=' . urlencode($this->_dnsUser) . '&p=' . $this->_dnsPass . '&h=' . $this->_dnsHost . '&d=' . $domain . '&i=' . $this->_dnsIP);
-                break;
-            case 'ovh-dynhost':
-                if (isset($this->_dnsWildcard) && $this->_dnsWildcard != "OFF") {
-                    $this->_dnsWildcard = "ON";
-                }
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                $server = "https://www.ovh.com/nic/update";
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?system=dyndns&hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP . '&wildcard=' . $this->_dnsWildcard . '&mx=' . $this->_dnsMX . '&backmx=NO');
-                break;
-            case 'citynetwork':
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                $server = 'https://dyndns.citynetwork.se/nic/update';
-                $port = "";
-                if ($this->_dnsServer) {
-                    $server = $this->_dnsServer;
-                }
-                if ($this->_dnsPort) {
-                    $port = ":" . $this->_dnsPort;
-                }
-                curl_setopt($ch, CURLOPT_URL, $server . $port . '?hostname=' . $this->_dnsHost . '&myip=' . $this->_dnsIP);
-                break;
-            case 'duckdns':
-                $server = "https://www.duckdns.org/update";
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_URL, $server . '?domains=' . str_replace('.duckdns.org', '', $this->_dnsHost) . '&token=' . urlencode($this->_dnsUser));
-                break;
-            case 'dynv6':
-                $server = "https://ipv4.dynv6.com/api/update";
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_INTERFACE, $this->_dnsRequestIf);
-                curl_setopt($ch, CURLOPT_DNS_LOCAL_IP4, $this->_dnsIP);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-                curl_setopt($ch, CURLOPT_URL, $server . '?hostname=' . $this->_dnsHost . '&ipv4=' . $this->_dnsIP . '&token=' . $this->_dnsUser);
-                break;
-            case 'dynv6-v6':
-                $server = "https://ipv6.dynv6.com/api/update";
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_INTERFACE, $this->_dnsRequestIf);
-                curl_setopt($ch, CURLOPT_DNS_LOCAL_IP6, $this->_dnsIP);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6);
-                curl_setopt($ch, CURLOPT_URL, $server . '?hostname=' . $this->_dnsHost . '&ipv6=' . $this->_dnsIP . '&token=' . $this->_dnsUser);
-                break;
-            case 'googledomains':
-                $server = "https://domains.google.com/nic/update";
-                $post_data['hostname'] = $this->_dnsHost;
-                $post_data['myip'] = $this->_dnsIP;
-                $post_data['offline'] = 'no';
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
-                curl_setopt($ch, CURLOPT_URL, $server);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-                break;
-            case 'strato':
-            case 'strato-v6':
-                $server = "https://dyndns.strato.com/nic/update?hostname={$this->_dnsHost}&myip={$this->_dnsIP}";
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_URL, $server);
-                if ($this->_curlIpresolveV4) {
-                    curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-                }
-                break;
-            case '1984-hosting':
-                $server = "https://api.1984.is/1.0/freedns/?apikey={$this->_dnsPass}&domain={$this->_dnsHost}&ip={$this->_dnsIP}";
-                curl_setopt($ch, CURLOPT_URL, $server);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-                break;
-            case '3322':
-                $server = "http://members.3322.net/dyndns/update?hostname={$this->_dnsHost}&myip={$this->_dnsIP}";
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_URL, $server);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-                break;
-            case 'oray':
-                $server = "http://ddns.oray.com/ph/update?hostname={$this->_dnsHost}&myip={$this->_dnsIP}";
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_URL, $server);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-                break;
-            case 'regfish':
-                $server = "https://dyndns.regfish.de/?fqdn={$this->_dnsHost}&ipv4={$this->_dnsIP}&forcehost=1&token=" . urlencode($this->_dnsUser);
-                curl_setopt($ch, CURLOPT_URL, $server);
-                break;
-            case 'regfish-v6':
-                $server = "https://dyndns6.regfish.de/?fqdn={$this->_dnsHost}&ipv6={$this->_dnsIP}&forcehost=1&token=" . urlencode($this->_dnsUser);
-                curl_setopt($ch, CURLOPT_URL, $server);
-                break;
-            case 'linode':
-            case 'linode-v6':
-                $baseUrl = "https://api.linode.com/v4";
-                $fqdn = trim($this->_dnsHost);
-                $recordType = ($this->_useIPv6) ? 'AAAA' : 'A';
-
-                if ($this->_dnsWildcard == 'ON') {
-                    $fqdn = "*.$fqdn";
-                }
-
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-                curl_setopt($ch, CURLOPT_HTTPHEADER, array(
-                    'Accept: application/json',
-                    'Authorization: Bearer ' . $this->_dnsPass,
-                    'Content-Type: application/json'
-                ));
-
-                $domainsUrl = "$baseUrl/domains";
-                curl_setopt($ch, CURLOPT_URL, $domainsUrl);
-                $output = json_decode(curl_exec($ch));
-                $domainId = null;
-
-                if (!empty($output->data)) {
-                    // Find matching domain and split the hostname part from it
-                    foreach ($output->data as $key => $domainObj) {
-                        if (preg_match("/^{$domainObj->domain}$|\.{$domainObj->domain}$/", $fqdn)) {
-                            $domainId = $domainObj->id;
-                            $hostName = preg_replace("/\.?{$domainObj->domain}$/", '', $fqdn);
-                            $domainName = $domainObj->domain;
-                            break;
-                        }
-                    }
-                }
-
-                if ($domainId) {
-                    if ($this->_dnsVerboseLog) {
-                        log_error("Dynamic DNS ($fqdn): Found domain name: $domainName, ID: $domainId");
-                    }
-
-                    $dnsRecordsUrl = "$domainsUrl/$domainId/records";
-                    curl_setopt($ch, CURLOPT_URL, $dnsRecordsUrl);
-                    $output = json_decode(curl_exec($ch));
-                    $recordId = null;
-
-                    if (!empty($output->data)) {
-                        // Find matching record
-                        foreach ($output->data as $key => $recordObj) {
-                            if ($recordObj->type == $recordType && $recordObj->name == $hostName) {
-                                $recordId = $recordObj->id;
-                                break;
-                            }
-                        }
-                    }
-
-                    $hostData = [ 'target' => "{$this->_dnsIP}" ];
-
-                    if ($recordId) {
-                        // Update record
-                        if ($this->_dnsVerboseLog) {
-                            log_error("Dynamic DNS ($fqdn): Updating existing record ID: $recordId");
-                        }
-
-                        curl_setopt($ch, CURLOPT_URL, "$dnsRecordsUrl/$recordId");
-                        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
-                    } else {
-                        // Create record
-                        if ($this->_dnsVerboseLog) {
-                            log_error("Dynamic DNS ($fqdn): Creating new record");
-                        }
-
-                        $hostData['type'] = $recordType;
-                        $hostData['name'] = $hostName;
-                        // Linode will round up to the nearest valid TTL
-                        $hostData['ttl_sec'] = 0;
-
-                        curl_setopt($ch, CURLOPT_URL, $dnsRecordsUrl);
-                        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
-                    }
-
-                    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($hostData));
-                } else {
-                    log_error("Dynamic DNS($fqdn): No zone found for domain");
-                }
-                break;
-            case 'azurev6':
-            case 'azure':
-                $hostname = "{$this->_dnsHost}";
-                $resourceid = trim($this->_dnsResourceID);
-                $app_id = $this->_dnsUser;
-                $client_secret = $this->_dnsPass;
-                $newip = $this->_dnsIP;
-                $newttl = $this->_dnsTTL;
-                // ensure resourceid starts with / and has no trailing /
-                $resourceid = '/' . trim($resourceid, '/');
-                // extract subscription id from resource id
-                preg_match('/\\/subscriptions\\/(?<sid>[^\\/]*)/', $resourceid, $result);
-                $subscriptionid = isset($result['sid']) ? $result['sid'] : '';
-                if (isset($result['sid'])) {
-                    $subscriptionid = $result['sid'];
-                } else {
-                    log_error("Azure subscription id not found in resource id ({$resourceid})");
-                    return false;
-                }
-                // find tenant id from subscription id
-                curl_setopt($ch, CURLOPT_URL, "https://management.azure.com/subscriptions/" . $subscriptionid . "?api-version=2016-09-01");
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-                curl_setopt($ch, CURLOPT_HEADER, 1);
-                curl_setopt($ch, CURLOPT_NOBODY, 1);
-                $output = curl_exec($ch);
-                $pattern = '/Bearer authorization_uri="https:\\/\\/login.windows.net\\/(?<tid>[^"]*)/i';
-                preg_match($pattern, $output, $result);
-                if (isset($result['tid'])) {
-                    $tenantid = $result['tid'];
-                } else {
-                    log_error("Tenant ID not found");
-                    return false;
-                }
-                 // get an bearer token
-                curl_setopt($ch, CURLOPT_URL, "https://login.microsoftonline.com/" . $tenantid . "/oauth2/token");
-                curl_setopt($ch, CURLOPT_POST, 1);
-                $body = "resource=" . urlencode("https://management.core.windows.net/") . "&grant_type=client_credentials&client_id=" . $app_id . "&client_secret=" . urlencode($client_secret);
-                curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-                $server_output = curl_exec($ch);
-                $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-                preg_match("/\"access_token\":\"(?<tok>[^\"]*)\"/", $server_output, $result);
-                if (isset($result['tok'])) {
-                    $bearertoken = $result['tok'];
-                } else {
-                    log_error("no valid bearer token");
-                    return false;
-                }
-                // Update the DNS record
-                if ($this->_useIPv6) {
-                    $url = "https://management.azure.com" . $resourceid . "/AAAA/" . $hostname . "?api-version=2017-09-01";
-                    $body = '{"properties":{"TTL":"' . $newttl . '", "AAAARecords":[{"ipv6Address":"' . $newip . '"}]}}';
-                } else {
-                    $url = "https://management.azure.com" . $resourceid . "/A/" . $hostname . "?api-version=2017-09-01";
-                    $body = '{"properties":{"TTL":"' . $newttl . '", "ARecords":[{"ipv4Address":"' . $newip . '"}]}}';
-                }
-                $request_headers = array();
-                $request_headers[] = 'Accept: application/json';
-                $request_headers[] = 'Authorization: Bearer ' . $bearertoken;
-                $request_headers[] = 'Content-Type: application/json';
-                curl_setopt($ch, CURLOPT_URL, $url);
-                curl_setopt($ch, CURLOPT_USERAGENT, $this->_UserAgent);
-                curl_setopt($ch, CURLOPT_HTTPHEADER, $request_headers);
-                curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-                curl_setopt($ch, CURLOPT_HEADER, 1);
-                curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
-                break;
-            case 'all-inkl':
-            case 'all-inkl-v6':
-                $server = "https://dyndns.kasserver.com/";
-                $url = $server . '?myip=' . $this->_dnsIP;
-                curl_setopt($ch, CURLOPT_URL, $url);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsUser . ':' . $this->_dnsPass);
-                // fix: All-Inkl dyndns.kasserver.com only supports v4
-                $ipv4 = get_interface_ip($this->_dnsRequestIf);
-                if (!is_ipaddr($ipv4)) {
-                    log_error("Dynamic DNS ({$this->_dnsHost}): (Error) Need a IPv4 address on $this->_dnsRequestIf!");
-                    return false;
-                }
-                curl_setopt($ch, CURLOPT_INTERFACE, $ipv4);
-                // fix end
-                break;
-            case 'godaddy':
-            case 'godaddy-v6':
-                /* Read https://developer.godaddy.com/ for API documentation */
-                $baseApiUrl = 'https://api.godaddy.com/v1/domains/';
-                $recordType = $this->_useIPv6 ? "AAAA" : "A";
-                $splitHost = explode('.', trim($this->_dnsHost));
-                $dnsDomain = '*';
-                if ($this->_dnsWildcard != 'ON') {
-                    $dnsDomain = array_shift($splitHost);
-                }
-                $dnsHost = implode('.', $splitHost);
-
-                $url = $baseApiUrl  . $dnsHost . '/records/' . $recordType . '/' . $dnsDomain;
-
-                /* body can contain multiple options (data, port, priority, service, ttl, weight) */
-                $data = array();
-                $data[] = array('data' => $this->_dnsIP);
-                if ($this->_dnsTTL) {
-                    $data[0]['ttl'] = $this->_dnsTTL;
-                } else {
-                    // minimum allowed by GoDaddy
-                    $data[0]['ttl'] = 600;
-                }
-                $jsonBody = json_encode($data);
-                if ($this->_dnsVerboseLog) {
-                    log_error("Dynamic DNS: calling $url with body: $jsonBody");
-                }
-
-                /* PUT JSON /v1/domains/{domain}/records/{type}/{name} */
-                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-                curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
-                curl_setopt($ch, CURLOPT_HTTPHEADER, array(
-                        'Accept: application/json',
-                        'Content-Type: application/json',
-                        'Authorization: sso-key ' . $this->_dnsUser . ':' . $this->_dnsPass
-                ));
-                curl_setopt($ch, CURLOPT_URL, $url);
-                curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonBody);
-                curl_setopt($ch, CURLOPT_INTERFACE, $this->_dnsRequestIf);
-                break;
-            case 'desec':
-                /*
-                * https://desec.readthedocs.io/en/latest/dyndns/update-api.html
-                * dnsHost should be the domain
-                * dnsPass should be the token, NOT the token id
-                * IPv6 is empty so deSEC API will not set this to the IPv6 of the sending interface if the connection is made via IPv6
-                */
-                $server = "https://update.dedyn.io/";
-                $url = '?hostname=' . $this->_dnsHost . '&myipv4=' . $this->_dnsIP . '&myipv6=""';
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_URL, $server . $url);
-                break;
-            case 'desec-v4-v6':
-                /*
-                * https://desec.readthedocs.io/en/latest/dyndns/update-api.html
-                * dnsHost should be the domain
-                * dnsPass should be the token, NOT the 36-character token id (https://forum.netgate.com/post/930114)
-                * IPv4 is determined by deSEC API via the sending interface
-                */
-
-                // temporarily disable useIPv6 to get IPv4 Address
-                $this->_useIPv6 = false;
-                $ipv4 = $this->_checkIP();
-                $this->_useIPv6 = true;
-
-                $server = "https://update.dedyn.io/";
-                $url = '?hostname=' . $this->_dnsHost . '&myipv4=' . $ipv4 . '&myipv6=' . $this->_dnsIP;
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_URL, $server . $url);
-                break;
-            case 'desec-v6':
-                /*
-                * https://desec.readthedocs.io/en/latest/dyndns/update-api.html
-                * dnsHost should be the domain
-                * dnsPass should be the token, NOT the 36-character token id (https://forum.netgate.com/post/930114)
-                */
-                $server = "https://update6.dedyn.io/";
-                $url = '?hostname=' . $this->_dnsHost . '&myipv6=' . $this->_dnsIP;
-                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
-                curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6);
-                curl_setopt($ch, CURLOPT_USERPWD, $this->_dnsHost . ':' . $this->_dnsPass);
-                curl_setopt($ch, CURLOPT_URL, $server . $url);
-                break;
-            default:
-                break;
-        }
-        if ($this->_dnsService != 'ods' and $this->_dnsService != 'route53' and $this->_dnsService != 'route53-v6') {
-            $data = curl_exec($ch);
-            $this->_checkStatus($ch, $data);
-            @curl_close($ch);
-        }
-    }
-
-    /*
-     * Private Function (added 12 July 2005) [beta]
-     *   Retrieve Update Status
-     */
-    function _checkStatus($ch, $data)
-    {
-        if ($this->_dnsVerboseLog) {
-            log_error("Dynamic DNS ({$this->_dnsHost}): _checkStatus() starting.");
-            log_error("Dynamic DNS ({$this->_dnsHost}): Current Service: {$this->_dnsService}");
-        }
-        $successful_update = false;
-        if ($this->_dnsService != 'ods' and $this->_dnsService != 'route53' and $this->_dnsService != 'route53-v6' && @curl_error($ch)) {
-            $status = "Curl error occurred: " . curl_error($ch);
-            log_error($status);
-            $this->status = $status;
-            return;
-        }
-        switch ($this->_dnsService) {
-            case 'dhs':
-                break;
-            case 'noip':
-            case 'noip-free':
-                $noIpPrc = explode(' ', $data);
-                $code = $noIpPrc[0];
-                $ip = isset($noIpPrc[1]) ? $noIpPrc[1] : 'n/a';
-                switch ($code) {
-                    case 'good':
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Success) DNS hostname update successful.";
-                        $successful_update = true;
-                        break;
-                    case 'nochg':
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP address is current, no update performed.";
-                        $successful_update = true;
-                        break;
-                    case 'nohost':
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Hostname supplied does not exist.";
-                        break;
-                    case 'badauth':
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Invalid Username or Password.";
-                        break;
-                    case 'badagent':
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Client disabled. Client should exit and not perform any more updates without user intervention.";
-                        break;
-                    case '!donate':
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Requested update feature only available to Enhanced subscribers.";
-                        break;
-                    case '911':
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) No-IP servers currently experiencing outages. Retry no sooner than 30 minutes.";
-                        break;
-                    case 'abuse':
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Account disabled due to violation of No-IP terms of service.";
-                        break;
-                    default:
-                        $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                        log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                        $this->_debug("Unknown Response: " . $data);
-                        break;
-                }
-                break;
-            case 'easydns':
-                if (preg_match('/NOACCESS/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Authentication Failed: Username and/or Password was Incorrect.";
-                } elseif (preg_match('/NOSERVICE/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) No Service: Dynamic DNS Service has been disabled for this domain.";
-                } elseif (preg_match('/ILLEGAL INPUT/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Illegal Input: Self-Explanatory";
-                } elseif (preg_match('/TOOSOON/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Too Soon: Not Enough Time Has Elapsed Since Last Update";
-                } elseif (preg_match('/NOERROR/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP Updated Successfully!";
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'hn':
-                /* FIXME: add checks */
-                break;
-            case 'zoneedit':
-                if (preg_match('/799/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error 799) Update Failed!";
-                } elseif (preg_match('/700/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error 700) Update Failed!";
-                } elseif (preg_match('/200/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP Address Updated Successfully!";
-                    $successful_update = true;
-                } elseif (preg_match('/201/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP Address Updated Successfully!";
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'dyns':
-                if (preg_match("/400/i", $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Bad Request - The URL was malformed. Required parameters were not provided.";
-                } elseif (preg_match('/402/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Update Too Soon - You have tried updating to quickly since last change.";
-                } elseif (preg_match('/403/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Database Error - There was a server-sided database error.";
-                } elseif (preg_match('/405/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Hostname Error - The hostname (" . $this->_dnsHost . ") doesn't belong to you.";
-                } elseif (preg_match('/200/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP Address Updated Successfully!";
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'ods':
-                if (preg_match("/299/i", $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP Address Updated Successfully!";
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'freedns':
-                if (preg_match("/No IP change detected.*skipping update/i", $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) No Change In IP Address";
-                    $successful_update = true;
-                } elseif (preg_match("/Updated/i", $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP Address Changed Successfully!";
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'dnsexit':
-                if (preg_match("/IP not changed/i", $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) No Change In IP Address";
-                    $successful_update = true;
-                } elseif (preg_match("/Success/i", $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP Address Changed Successfully!";
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'staticcling':
-                if (preg_match("/invalid ip/i", $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Bad Request - The IP provided was invalid.";
-                } elseif (preg_match('/required info missing/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Bad Request - Required parameters were not provided.";
-                } elseif (preg_match('/invalid characters/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Bad Request - Illegal characters in either the username or the password.";
-                } elseif (preg_match('/bad password/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Invalid password.";
-                } elseif (preg_match('/account locked/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) This account has been administratively locked.";
-                } elseif (preg_match('/update too frequent/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Updating too frequently.";
-                } elseif (preg_match('/DB error/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Error) Server side error.";
-                } elseif (preg_match('/success/i', $data)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Success) IP Address Updated Successfully!";
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'namecheap':
-                /* technically this is wrong but proves a point about the document being broken remotely */
-                $tmp = preg_replace('/(\<\?xml[^?]+?encoding=.?)utf-16([^?]+?\?\>)/i', '$1utf-8$2', $data);
-                $ncresponse = simplexml_load_string($tmp);
-                if (preg_match("/internal server error/i", $data)) {
-                    $status = "Dynamic DNS: (Error) Server side error.";
-                } elseif (preg_match("/request is badly formed/i", $data)) {
-                    $status = "Dynamic DNS: (Error) Badly Formed Request (check your settings).";
-                } elseif ((string)$ncresponse->ErrCount === "0") {
-                    $status = "Dynamic DNS: (Success) IP Address Updated Successfully!";
-                    $successful_update = true;
-                } elseif (isset($ncresponse->ErrCount) && is_numeric((string)$ncresponse->ErrCount) && (string)$ncresponse->ErrCount > 0) {
-                    $status = "Dynamic DNS: (Error) ";
-                    if (isset($ncresponse->errors)) {
-                        foreach ($ncresponse->errors->children() as $err) {
-                            $status .= (string)$err . " ";
-                        }
-                    }
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS: (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'route53':
-            case 'route53-v6':
-                $successful_update = true;
-                break;
-            case 'custom':
-            case 'custom-v6':
-                $successful_update = false;
-                if ($this->_dnsResultMatch == "") {
-                    $successful_update = true;
-                } else {
-                    $this->_dnsResultMatch = str_replace("%IP%", $this->_dnsIP, $this->_dnsResultMatch);
-                    $matches = preg_split("/(?<!\\\\)\\|/", $this->_dnsResultMatch);
-                    foreach ($matches as $match) {
-                        $match = str_replace("\\|", "|", $match);
-                        if (strcmp($match, trim($data, "\t\n\r")) == 0) {
-                            $successful_update = true;
-                        }
-                    }
-                    unset($matches);
-                }
-                if ($successful_update == true) {
-                    $status = "Dynamic DNS: (Success) IP Address Updated Successfully!";
-                } else {
-                    $status = "Dynamic DNS: (Error) Result did not match.";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'cloudflare':
-            case 'cloudflare-v6':
-            case 'cloudflare-token':
-            case 'cloudflare-token-v6':
-                $output = json_decode($data);
-                if ($output->result->content === $this->_dnsIP) {
-                    $status = "Dynamic DNS: (Success) {$this->_dnsHost} updated to {$this->_dnsIP}";
-                    $successful_update = true;
-                } elseif ($output->errors[0]->code === 9103) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Invalid Credentials! Don't forget to use API Key for password field with Cloudflare.";
-                } elseif (($output->success) && (!$output->result[0]->id)) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Zone ID was not found.";
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): UNKNOWN ERROR - {$output->errors[0]->message}";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'hetzner':
-            case 'hetzner-v6':
-                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-                $output = json_decode($data);
-                if ($output->record->value === $this->_dnsIP) {
-                    $status = "Dynamic DNS: (Success) {$this->_dnsHost} updated to {$this->_dnsIP}";
-                    $successful_update = true;
-                } elseif ($http_code == 401) {
-                    $status = 'Dynamic DNS: (Error) Bad authentication attempt because of a wrong API Key.';
-                } elseif ($http_code == 403) {
-                    $status = 'Dynamic DNS: (Error) Access to the resource is denied. Mainly due to a lack of permissions to access it!';
-                } else {
-                    $status = 'Dynamic DNS: (Error) "Unknown Response"';
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'digitalocean':
-            case 'digitalocean-v6':
-                $output = json_decode($data);
-                if ($output->domain_record->data === $this->_dnsIP) {
-                    $status = "Dynamic DNS: (Success) Record ID {$this->_dnsUser} updated to {$this->_dnsIP}";
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS Record ID ({$this->_dnsUser}): UNKNOWN ERROR";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'gandi-livedns':
-                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-                if ($http_code == 401) {
-                    $status = 'Dynamic DNS: (Error) Bad authentication attempt because of a wrong API Key.';
-                } elseif ($http_code == 403) {
-                    $status = 'Dynamic DNS: (Error) Access to the resource is denied. Mainly due to a lack of permissions to access it!';
-                } elseif ($http_code == 201) {
-                    $status = 'Dynamic DNS: (Success) Record was created!';
-                    $successful_update = true;
-                } elseif ($http_code == 200) {
-                    $status = 'Dynamic DNS: (Success) Same record already exists. Nothing was changed!';
-                    $successful_update = true;
-                } else {
-                    $status = 'Dynamic DNS: (Error) "Unknown Response"';
-                    log_error("Dynamic DNS: HTTP Status: {$http_code}  PAYLOAD: {$data}");
-                    $this->_debug("Unknown HTTP status: " . $http_code);
-                }
-                break;
-            case 'gratisdns':
-                if (preg_match('/Forkerte værdier/i', $data)) {
-                        $status = "Dynamic DNS: (Error) Wrong values - Update could not be completed.";
-                } elseif (preg_match('/Bruger login: Bruger eksistere ikke/i', $data)) {
-                        $status = "Dynamic DNS: (Error) Unknown username - User does not exist.";
-                } elseif (preg_match('/Bruger login: 1Fejl i kodeord/i', $data)) {
-                        $status = "Dynamic DNS: (Error) Wrong password - Remember password is case sensitive.";
-                } elseif (preg_match('/Domæne kan IKKE administreres af bruger/i', $data)) {
-                        $status = "Dynamic DNS: (Error) User unable to administer the selected domain.";
-                } elseif (preg_match('/OK/i', $data)) {
-                        $status = "Dynamic DNS: (Success) IP Address Updated Successfully!";
-                        $successful_update = true;
-                } else {
-                        $status = "Dynamic DNS: (Unknown Response)";
-                        log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                        $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'duckdns':
-                if (preg_match('/OK/i', $data)) {
-                        $status = "Dynamic DNS: (Success) IP Address Updated Successfully!";
-                        $successful_update = true;
-                } else {
-                        $status = "Dynamic DNS: (Unknown Response)";
-                        log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                        $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'dynv6':
-            case 'dynv6-v6':
-                /* API-Documentation: https://dynv6.com/docs/apis */
-                if (preg_match('/addresses updated/i', $data)) {
-                        $status = "Dynamic DNS: (Success) IP Address Updated Successfully!";
-                        $successful_update = true;
-                } elseif (preg_match('/addresses unchanged/i', $data)) {
-                        $status = "Dynamic DNS: (Success) IP Address Unchanged!";
-                        $successful_update = true;
-                } else {
-                        $status = "Dynamic DNS: (Unknown Response)";
-                        log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                        $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case '1984-hosting':
-                $output = json_decode($data);
-                if ($output === null) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - empty response.";
-                } elseif ($output->ok === true) {
-                    $status = "Dynamic DNS: (Success) {$this->_dnsHost} updated to {$this->_dnsIP}";
-                    $successful_update = true;
-                } elseif ($output->error) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Invalid Credentials! Don't forget to use API Key for password field with 1984 Hosting Company.";
-                } elseif ($output->lookup) {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): ERROR - Zone ID was not found.";
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): UNKNOWN ERROR - {$output->errors[0]->message}";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case '3322':
-            case 'citynetwork':
-            case 'dnsomatic':
-            case 'dyndns':
-            case 'dyndns-custom':
-            case 'dyndns-static':
-            case 'eurodns':
-            case 'googledomains':
-            case 'he-net':
-            case 'he-net-tunnelbroker':
-            case 'he-net-v6':
-            case 'loopia':
-            case 'oray':
-            case 'ovh-dynhost':
-            case 'selfhost':
-            case 'strato':
-            case 'strato-v6':
-                if (preg_match('/notfqdn/i', $data)) {
-                    $status = "Dynamic DNS: (Error) Not a FQDN";
-                } elseif (preg_match('/nochg/i', $data)) {
-                    $status = "Dynamic DNS: (Success) No change in IP address";
-                    $successful_update = true;
-                } elseif (preg_match('/good/i', $data)) {
-                    $status = "Dynamic DNS: (Success) IP address updated successfully ({$this->_dnsIP})";
-                    $successful_update = true;
-                } elseif (preg_match('/badauth/i', $data)) {
-                    $status = "Dynamic DNS: (Error) Authentication failed";
-                } elseif (preg_match("/badip/i", $data)) {
-                    $status = "Dynamic DNS: (Error) IP address provided is invalid";
-                } elseif (preg_match('/nohost/i', $data)) {
-                    $status = "Dynamic DNS: (Error) Hostname does not exist or does not have dynamic DNS enabled";
-                } elseif (preg_match('/numhost/i', $data)) {
-                    $status = "Dynamic DNS: (Error) You may update up to 20 hosts only";
-                } elseif (preg_match('/dnserr/i', $data)) {
-                    $status = "Dynamic DNS: (Error) DNS error, stop updating for 30 minutes.";
-                } elseif (preg_match('/badagent/i', $data)) {
-                    $status = "Dynamic DNS: (Error) Bad request";
-                } elseif (preg_match('/abuse/i', $data)) {
-                    $status = "Dynamic DNS: (Error) Access has been blocked for abuse";
-                } elseif (preg_match('/911/i', $data)) {
-                    $status = "Dynamic DNS: (Error) Server-side error or maintenance";
-                } elseif (preg_match('/yours/i', $data)) {
-                    $status = "Dynamic DNS: (Error) Specified hostname does not exist under this username";
-                } else {
-                    $status = "Dynamic DNS: (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'regfish':
-            case 'regfish-v6':
-                if (preg_match('/\|100\|/', $data)) {
-                    $status = 'Dynamic DNS: (Success) Update successful';
-                    $successful_update = true;
-                } elseif (preg_match('/\|101\|/', $data)) {
-                    $status = 'Dynamic DNS: (Success) Still up-to-date';
-                    $successful_update = true;
-                } elseif (preg_match('/\|401\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Standard authentication failed';
-                } elseif (preg_match('/\|402\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Authentication failed';
-                } elseif (preg_match('/\|406\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Invalid resource record';
-                } elseif (preg_match('/\|407\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Invalid TTL range';
-                } elseif (preg_match('/\|408\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Invalid IPv4';
-                } elseif (preg_match('/\|409\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Invalid IPv6';
-                } elseif (preg_match('/\|410\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Unknown authentication type';
-                } elseif (preg_match('/\|412\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Domain format is wrong, missing trailing dot?';
-                } elseif (preg_match('/\|414\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Unexpected error';
-                } elseif (preg_match('/\|415\|/', $data)) {
-                    $status = 'Dynamic DNS: (Error) Cannot update load balancer';
-                } else {
-                    $status = "Dynamic DNS: (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-            case 'linode':
-            case 'linode-v6':
-                $fqdn = trim($this->_dnsHost);
-                if ($this->_dnsWildcard == 'ON') {
-                    $fqdn = "*.$fqdn";
-                }
-
-                $output = json_decode($data);
-                if ($output->target === $this->_dnsIP) {
-                    $status = "Dynamic DNS: (Success) $fqdn updated to {$this->_dnsIP}";
-                    $successful_update = true;
-                } elseif (!empty($output->errors)) {
-                    $status = "Dynamic DNS ($fqdn): ERROR - Reason: {$output->errors[0]->reason}";
-                } else {
-                    $status = "Dynamic DNS ($fqdn): UNKNOWN ERROR";
-                    log_error("Dynamic DNS ($fqdn): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'azure':
-            case 'azurev6':
-                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-                if ($http_code == 401) {
-                    $status = 'Dynamic DNS: (Error) User Authorization Failed';
-                } elseif ($http_code == 201) {
-                    $status = 'Dynamic DNS: (Success) IP Address Changed Successfully!';
-                    $successful_update = true;
-                } elseif ($http_code == 200) {
-                    $status = 'Dynamic DNS: (Success) IP Address Changed Successfully!';
-                    $successful_update = true;
-                } else {
-                    $status = 'Dynamic DNS: (Error) "Unknown Response"';
-                    log_error("Dynamic DNS: HTTP status: {$http_code} PAYLOAD: {$data}");
-                    $this->_debug("Unknown HTTP status: " . $http_code);
-                }
-                break;
-            case 'all-inkl':
-            case 'all-inkl-v6':
-                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-                if (preg_match('/good\s' . $this->_dnsIP . '/i', $data)) {
-                    $status = "Dynamic DNS: (Success) IP Update Successfully!";
-                    $successful_update = true;
-                } elseif ($http_code == 401) {
-                    $status = "Dynamic DNS: (Error) Authentication failed!";
-                } elseif (preg_match('/bad\s\(dyndns_target_ip_syntax_incorrect\)/i', $data)) {
-                    $status = "Dynamic DNS: (Error) IP Syntax incorrect ($this->_dnsIP)!";
-                } else {
-                    $status = "Dynamic DNS ({$this->_dnsHost}): (Unknown Response)";
-                    log_error("Dynamic DNS ({$this->_dnsHost}): PAYLOAD: {$data}");
-                    $this->_debug("Unknown Response: " . $data);
-                }
-                break;
-            case 'godaddy':
-            case 'godaddy-v6':
-                /* See https://developer.godaddy.com/ for API documentation, not all codes are handled. */
-                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-                $successful_update = false;
-                if ($http_code == 200) {
-                    $status = 'Dynamic DNS: (Success) IP Address Updated Successfully!';
-                    $successful_update = true;
-                } elseif ($http_code == 401) {
-                    $status = 'Dynamic DNS: (Error) Authentication info not sent or invalid';
-                } elseif ($http_code == 404) {
-                    $status = 'Dynamic DNS: (Error) Resource not found';
-                } else {
-                    $status = "Dynamic DNS: (Error) Repsonse not handled check the following: {$data}";
-                    log_error("Dynamic DNS: HTTP status: {$http_code} PAYLOAD: {$data}");
-                    $this->_debug("Unknown HTTP status: " . $http_code);
-                }
-                break;
-            case 'desec':
-            case 'desec-v4-v6':
-            case 'desec-v6':
-                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
-                /*
-                * HTTP Code 404 should not be possible due to dnsUser == dnsHost, a wrong hostname should cause HTTP 401 Unauthorized.
-                */
-                if ($http_code == 401) {
-                    $status = 'Dynamic DNS: (Error) Bad authentication attempt because of a wrong Password.';
-                } elseif ($http_code == 403) {
-                    $status = 'Dynamic DNS: (Error) Access to the resource is denied. The selected hostname is not eligible for dynamic updates.';
-                } elseif ($http_code == 429) {
-                    $status = 'Dynamic DNS: (Error) Rate limit reached. Please don\'t try more than one request per minute.';
-                } elseif ($http_code == 200 && preg_match('/good/i', $data)) {
-                    $status = 'Dynamic DNS: (Success) IP Address Updated Successfully!';
-                    $successful_update = true;
-                } else {
-                    $status = "Dynamic DNS: (Error) Repsonse not handled check the following: {$data}";
-                    log_error("Dynamic DNS: HTTP status: {$http_code} PAYLOAD: {$data}");
-                    $this->_debug("Unknown HTTP status: " . $http_code);
-                }
-                break;
-            default:
-                break;
-        }
-
-        if ($successful_update == true) {
-            /* Write WAN IP to cache file */
-            $wan_ip = $this->_checkIP();
-            if ($this->_useIPv6 == false && $wan_ip > 0) {
-                $currentTime = time();
-                log_error("Dynamic DNS: updating cache file {$this->_cacheFile}: {$wan_ip}");
-                @file_put_contents($this->_cacheFile, "{$wan_ip}|{$currentTime}");
-            } else {
-                @unlink($this->_cacheFile);
-            }
-            if ($this->_useIPv6 == true && $wan_ip > 0) {
-                $currentTime = time();
-                log_error("Dynamic DNS: updating cache file {$this->_cacheFile_v6}: {$wan_ip}");
-                @file_put_contents($this->_cacheFile_v6, "{$wan_ip}|{$currentTime}");
-            } else {
-                @unlink($this->_cacheFile_v6);
-            }
-        }
-        $this->status = $status;
-        log_error($status);
-    }
-
-    /*
-     * Private Function (added 12 July 05) [beta]
-     *   Return Error, Set Last Error, and Die.
-     */
-    function _error($errorNumber = '1')
-    {
-        switch ($errorNumber) {
-            case 0:
-                break;
-            case 2:
-                $error = 'Dynamic DNS: (ERROR!) No Dynamic DNS Service provider was selected.';
-                break;
-            case 3:
-                $error = 'Dynamic DNS: (ERROR!) No Username Provided.';
-                break;
-            case 4:
-                $error = 'Dynamic DNS: (ERROR!) No Password Provided.';
-                break;
-            case 5:
-                $error = 'Dynamic DNS: (ERROR!) No Hostname Provided.';
-                break;
-            case 6:
-                $error = 'Dynamic DNS: (ERROR!) The Dynamic DNS Service provided is not yet supported.';
-                break;
-            case 7:
-                $error = 'Dynamic DNS: (ERROR!) No Update URL Provided.';
-                break;
-            case 8:
-                $status = "Route 53: (Error) Invalid ZoneID";
-                break;
-            case 9:
-                $status = "Route 53: (Error) Invalid TTL";
-                break;
-            case 10:
-                $error = "Dynamic DNS ({$this->_dnsHost}): No change in my IP address and/or " . $this->_dnsMaxCacheAgeDays . " days has not passed. Not updating dynamic DNS entry.";
-                break;
-            default:
-                $error = "Dynamic DNS: (ERROR!) Unknown Response.";
-                /* FIXME: $data isn't in scope here */
-                /* $this->_debug($data); */
-                break;
-        }
-        $this->lastError = $error;
-        log_error($error);
-    }
-
-    /*
-     * Private Function (added 12 July 05) [beta]
-     *   - Detect whether or not IP needs to be updated.
-     *      | Written Specifically for pfSense (https://www.pfsense.org) may
-     *      | work with other systems. pfSense base is FreeBSD.
-     */
-    function _detectChange()
-    {
-        $currentTime = time();
-
-        $wan_ip = $this->_checkIP();
-        if ($wan_ip == 0) {
-            log_error("Dynamic DNS ({$this->_dnsHost}): Current WAN IP could not be determined, skipping update process.");
-            return false;
-        }
-        $log_error = "Dynamic DNS ({$this->_dnsHost}): Current WAN IP: {$wan_ip} ";
-
-        if ($this->_useIPv6 == true) {
-            if (file_exists($this->_cacheFile_v6)) {
-                $contents = file_get_contents($this->_cacheFile_v6);
-                list($cacheIP,$cacheTime) = explode('|', $contents);
-                $this->_debug($cacheIP . '/' . $cacheTime);
-                $initial = false;
-                $log_error .= "Cached IPv6: {$cacheIP} ";
-            } else {
-                $cacheIP = '::';
-                @file_put_contents($this->_cacheFile, "::|{$currentTime}");
-                $cacheTime = $currentTime;
-                $initial = true;
-                $log_error .= "No Cached IPv6 found.";
-            }
-        } else {
-            if (file_exists($this->_cacheFile)) {
-                $contents = file_get_contents($this->_cacheFile);
-                list($cacheIP,$cacheTime) = explode('|', $contents);
-                $this->_debug($cacheIP . '/' . $cacheTime);
-                $initial = false;
-                $log_error .= "Cached IP: {$cacheIP} ";
-            } else {
-                $cacheIP = '0.0.0.0';
-                @file_put_contents($this->_cacheFile, "0.0.0.0|{$currentTime}");
-                $cacheTime = $currentTime;
-                $initial = true;
-                $log_error .= "No Cached IP found.";
-            }
-        }
-        if ($this->_dnsVerboseLog) {
-            log_error($log_error);
-        }
-
-        // Convert seconds = days * hr/day * min/hr * sec/min
-        $maxCacheAgeSecs = $this->_dnsMaxCacheAgeDays * 24 * 60 * 60;
-
-        $needs_updating = false;
-        /* lets determine if the item needs updating */
-        if ($cacheIP != $wan_ip) {
-            $needs_updating = true;
-            $update_reason = "Dynamic DNS: cacheIP != wan_ip.  Updating. ";
-            $update_reason .= "Cached IP: {$cacheIP} WAN IP: {$wan_ip} ";
-        }
-        if (($currentTime - $cacheTime) > $maxCacheAgeSecs) {
-            $needs_updating = true;
-            $this->_forceUpdateNeeded = true;
-            $update_reason = "Dynamic DNS: More than " . $this->_dnsMaxCacheAgeDays . " days.  Updating. ";
-            $update_reason .= "{$currentTime} - {$cacheTime} > {$maxCacheAgeSecs} ";
-        }
-        if ($initial == true) {
-            $needs_updating = true;
-            $update_reason .= "Initial update. ";
-        }
-
-        /*   finally if we need updating then store the
-         *   new cache value and return true
-         */
-        if ($needs_updating == true) {
-            if ($this->_dnsVerboseLog) {
-                log_error("Dynamic DNS ({$this->_dnsHost}): {$update_reason}");
-            }
-            return true;
-        }
-
-        return false;
-    }
-
-    /*
-     * Private Function (added 16 July 05) [beta]
-     *   - Writes debug information to a file.
-     *   - This function is only called when a unknown response
-     *   - status is returned from a dynamic DNS service provider.
-     */
-    function _debug($data)
-    {
-        $string = date('m-d-y h:i:s') . ' - (' . $this->_debugID . ') - [' . $this->_dnsService . '] - ' . $data . "\n";
-        $file = fopen($this->_debugFile, 'a');
-        fwrite($file, $string);
-        fclose($file);
-    }
-
-    function _checkIP()
-    {
-        $ip_address = get_dyndns_ip_address($this->_if, $this->_useIPv6 ? 6 : 4);
-        if (!is_ipaddr($ip_address)) {
-            if ($this->_dnsVerboseLog) {
-                log_error("Dynamic DNS ({$this->_dnsHost}): IP address could not be extracted");
-            }
-
-            $ip_address = 0;
-        } else {
-            if ($this->_dnsVerboseLog) {
-                log_error("Dynamic DNS ({$this->_dnsHost}): {$ip_address} extracted");
-            }
-
-            $this->_dnsIP = $ip_address;
-        }
-
-        return $ip_address;
-    }
-}
diff --git a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/r53.inc b/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/r53.inc
deleted file mode 100644
index 46a83a380a..0000000000
--- a/dns/dyndns/src/etc/inc/plugins.inc.d/dyndns/r53.inc
+++ /dev/null
@@ -1,777 +0,0 @@
-<?php
-
-/*
- * Copyright (c) 2011 Dan Myers
- * Copyright (c) 2008 Donovan Schonknecht
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- *
- * This is a modified BSD license (the third clause has been removed).
- * The BSD license may be found here:
- * http://www.opensource.org/licenses/bsd-license.php
- *
- * Amazon Route 53 is a trademark of Amazon.com, Inc. or its affiliates.
- *
- * Route53 is based on Donovan Schonknecht's Amazon S3 PHP class, found here:
- * http://undesigned.org.za/2007/10/22/amazon-s3-php-class
- */
-
-/**
-* Amazon Route53 PHP class
-*
-* @link http://sourceforge.net/projects/php-r53/
-* version 0.9.0
-*
-*/
-class Route53
-{
-    const API_VERSION = '2010-10-01';
-
-    protected $__accessKey; // AWS Access key
-    protected $__secretKey; // AWS Secret key
-    protected $__host;
-
-    public function getAccessKey()
-    {
-        return $this->__accessKey;
-    }
-    public function getSecretKey()
-    {
-        return $this->__secretKey;
-    }
-    public function getHost()
-    {
-        return $this->__host;
-    }
-
-    protected $__verifyHost = 1;
-    protected $__verifyPeer = 1;
-
-    // verifyHost and verifyPeer determine whether curl verifies ssl certificates.
-    // It may be necessary to disable these checks on certain systems.
-    // These only have an effect if SSL is enabled.
-    public function verifyHost()
-    {
-        return $this->__verifyHost;
-    }
-    public function enableVerifyHost($enable = true)
-    {
-        $this->__verifyHost = $enable;
-    }
-
-    public function verifyPeer()
-    {
-        return $this->__verifyPeer;
-    }
-    public function enableVerifyPeer($enable = true)
-    {
-        $this->__verifyPeer = $enable;
-    }
-
-    /**
-    * Constructor
-    *
-    * @param string $accessKey Access key
-    * @param string $secretKey Secret key
-    * @return void
-    */
-    public function __construct($accessKey = null, $secretKey = null, $host = 'route53.amazonaws.com')
-    {
-        if ($accessKey !== null && $secretKey !== null) {
-            $this->setAuth($accessKey, $secretKey);
-        }
-        $this->__host = $host;
-    }
-
-    /**
-    * Set AWS access key and secret key
-    *
-    * @param string $accessKey Access key
-    * @param string $secretKey Secret key
-    * @return void
-    */
-    public function setAuth($accessKey, $secretKey)
-    {
-        $this->__accessKey = $accessKey;
-        $this->__secretKey = $secretKey;
-    }
-
-    /**
-    * Lists the hosted zones on the account
-    *
-    * @param string marker A pagination marker returned by a previous truncated call
-    * @param int maxItems The maximum number of items per page.  The service uses min($maxItems, 100).
-    * @return A list of hosted zones
-    */
-    public function listHostedZones($marker = null, $maxItems = 100)
-    {
-        $rest = new Route53Request($this, 'hostedzone', 'GET');
-
-        if ($marker !== null) {
-            $rest->setParameter('marker', $marker);
-        }
-        if ($maxItems !== 100) {
-            $rest->setParameter('maxitems', $maxItems);
-        }
-
-        $rest = $rest->getResponse();
-        if ($rest->error === false && $rest->code !== 200) {
-            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-        }
-        if ($rest->error !== false) {
-            $this->__triggerError('listHostedZones', $rest->error);
-            return false;
-        }
-
-        $response = array();
-        if (!isset($rest->body)) {
-            return $response;
-        }
-
-        $zones = array();
-        foreach ($rest->body->HostedZones->HostedZone as $z) {
-            $zones[] = $this->parseHostedZone($z);
-        }
-        $response['HostedZone'] = $zones;
-
-        if (isset($rest->body->MaxItems)) {
-            $response['MaxItems'] = (string)$rest->body->MaxItems;
-        }
-
-        if (isset($rest->body->IsTruncated)) {
-            $response['IsTruncated'] = (string)$rest->body->IsTruncated;
-            if ($response['IsTruncated'] == 'true') {
-                $response['NextMarker'] = (string)$rest->body->NextMarker;
-            }
-        }
-
-        return $response;
-    }
-
-    /**
-    * Retrieves information on a specified hosted zone
-    *
-    * @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
-    *                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
-    *                      then that full value should be passed here, including the '/hostedzone/' prefix.
-    * @return A data structure containing information about the specified zone
-    */
-    public function getHostedZone($zoneId)
-    {
-        // we'll strip off the leading forward slash, so we can use it as the action directly.
-        $zoneId = trim($zoneId, '/');
-
-        $rest = new Route53Request($this, $zoneId, 'GET');
-
-        $rest = $rest->getResponse();
-        if ($rest->error === false && $rest->code !== 200) {
-            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-        }
-        if ($rest->error !== false) {
-            $this->__triggerError('getHostedZone', $rest->error);
-            return false;
-        }
-
-        $response = array();
-        if (!isset($rest->body)) {
-            return $response;
-        }
-
-        $response['HostedZone'] = $this->parseHostedZone($rest->body->HostedZone);
-        $response['NameServers'] = $this->parseDelegationSet($rest->body->DelegationSet);
-
-        return $response;
-    }
-
-    /**
-    * Creates a new hosted zone
-    *
-    * @param string name The name of the hosted zone (e.g. "example.com.")
-    * @param string reference A user-specified unique reference for this request
-    * @param string comment An optional user-specified comment to attach to the zone
-    * @return A data structure containing information about the newly created zone
-    */
-    public function createHostedZone($name, $reference, $comment = '')
-    {
-        // hosted zone names must end with a period, but people will forget this a lot...
-        if (strrpos($name, '.') != (strlen($name) - 1)) {
-            $name .= '.';
-        }
-
-        $data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
-        $data .= '<CreateHostedZoneRequest xmlns="https://route53.amazonaws.com/doc/' . Route53::API_VERSION . "/\">\n";
-        $data .= '<Name>' . $name . "</Name>\n";
-        $data .= '<CallerReference>' . $reference . "</CallerReference>\n";
-        if (strlen($comment) > 0) {
-            $data .= "<HostedZoneConfig>\n";
-            $data .= '<Comment>' . $comment . "</Comment>\n";
-            $data .= "</HostedZoneConfig>\n";
-        }
-        $data .= "</CreateHostedZoneRequest>\n";
-
-        $rest = new Route53Request($this, 'hostedzone', 'POST', $data);
-
-        $rest = $rest->getResponse();
-
-        if ($rest->error === false && !in_array($rest->code, array(200, 201, 202, 204))) {
-            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-        }
-        if ($rest->error !== false) {
-            $this->__triggerError('createHostedZone', $rest->error);
-            return false;
-        }
-
-        $response = array();
-        if (!isset($rest->body)) {
-            return $response;
-        }
-
-        $response['HostedZone'] = $this->parseHostedZone($rest->body->HostedZone);
-        $response['ChangeInfo'] = $this->parseChangeInfo($rest->body->ChangeInfo);
-        $response['NameServers'] = $this->parseDelegationSet($rest->body->DelegationSet);
-
-        return $response;
-    }
-
-    /**
-    * Retrieves information on a specified hosted zone
-    *
-    * @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
-    *                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
-    *                      then that full value should be passed here, including the '/hostedzone/' prefix.
-    * @return The change request data corresponding to this delete
-    */
-    public function deleteHostedZone($zoneId)
-    {
-        // we'll strip off the leading forward slash, so we can use it as the action directly.
-        $zoneId = trim($zoneId, '/');
-
-        $rest = new Route53Request($this, $zoneId, 'DELETE');
-
-        $rest = $rest->getResponse();
-        if ($rest->error === false && $rest->code !== 200) {
-            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-        }
-        if ($rest->error !== false) {
-            $this->__triggerError('deleteHostedZone', $rest->error);
-            return false;
-        }
-
-        if (!isset($rest->body)) {
-            return array();
-        }
-
-        return $this->parseChangeInfo($rest->body->ChangeInfo);
-    }
-
-    /**
-    * Retrieves a list of resource record sets for a given zone
-    *
-    * @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
-    *                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
-    *                      then that full value should be passed here, including the '/hostedzone/' prefix.
-    * @param string type The type of resource record set to begin listing from. If this is specified, $name must also be specified.
-    *                    Must be one of: A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, TXT
-    * @param string name The name at which to begin listing resource records (in the lexographic order of records).
-    * @param int maxItems The maximum number of results to return.  The service uses min($maxItems, 100).
-    * @return The list of matching resource record sets
-    */
-    public function listResourceRecordSets($zoneId, $type = '', $name = '', $maxItems = 100)
-    {
-        // we'll strip off the leading forward slash, so we can use it as the action directly.
-        $zoneId = trim($zoneId, '/');
-
-        $rest = new Route53Request($this, $zoneId . '/rrset', 'GET');
-
-        if (strlen($type) > 0) {
-            $rest->setParameter('type', $type);
-        }
-        if (strlen($name) > 0) {
-            $rest->setParameter('name', $name);
-        }
-        if ($maxItems != 100) {
-            $rest->setParameter('maxitems', $maxItems);
-        }
-
-        $rest = $rest->getResponse();
-        if ($rest->error === false && $rest->code !== 200) {
-            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-        }
-        if ($rest->error !== false) {
-            $this->__triggerError('listResourceRecordSets', $rest->error);
-            return false;
-        }
-
-        $response = array();
-        if (!isset($rest->body)) {
-            return $response;
-        }
-
-        $recordSets = array();
-        foreach ($rest->body->ResourceRecordSets->ResourceRecordSet as $set) {
-            $recordSets[] = $this->parseResourceRecordSet($set);
-        }
-
-        $response['ResourceRecordSets'] = $recordSets;
-
-        if (isset($rest->body->MaxItems)) {
-            $response['MaxItems'] = (string)$rest->body->MaxItems;
-        }
-
-        if (isset($rest->body->IsTruncated)) {
-            $response['IsTruncated'] = (string)$rest->body->IsTruncated;
-            if ($response['IsTruncated'] == 'true') {
-                $response['NextRecordName'] = (string)$rest->body->NextRecordName;
-                $response['NextRecordType'] = (string)$rest->body->NextRecordType;
-            }
-        }
-
-        return $response;
-    }
-
-    /**
-    * Makes the specified resource record set changes (create or delete).
-    *
-    * @param string zoneId The id of the hosted zone, as returned by CreateHostedZoneResponse or ListHostedZoneResponse
-    *                      In other words, if ListHostedZoneResponse shows the zone's Id as '/hostedzone/Z1PA6795UKMFR9',
-    *                      then that full value should be passed here, including the '/hostedzone/' prefix.
-    * @param array changes An array of change objects, as they are returned by the prepareChange utility method.
-    *                      You may also pass a single change object.
-    * @param string comment An optional comment to attach to the change request
-    * @return The status of the change request
-    */
-    public function changeResourceRecordSets($zoneId, $changes, $comment = '')
-    {
-        // we'll strip off the leading forward slash, so we can use it as the action directly.
-        $zoneId = trim($zoneId, '/');
-
-        $data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
-        $data .= '<ChangeResourceRecordSetsRequest xmlns="https://route53.amazonaws.com/doc/' . Route53::API_VERSION . "/\">\n";
-        $data .= "<ChangeBatch>\n";
-
-        if (strlen($comment) > 0) {
-            $data .= '<Comment>' . $comment . "</Comment>\n";
-        }
-
-        if (!is_array($changes)) {
-            $changes = array($changes);
-        }
-
-        $data .= "<Changes>\n";
-        foreach ($changes as $change) {
-            $data .= $change;
-        }
-        $data .= "</Changes>\n";
-
-        $data .= "</ChangeBatch>\n";
-        $data .= "</ChangeResourceRecordSetsRequest>\n";
-
-        $rest = new Route53Request($this, $zoneId . '/rrset', 'POST', $data);
-
-        $rest = $rest->getResponse();
-        if ($rest->error === false && !in_array($rest->code, array(200, 201, 202, 204))) {
-            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-        }
-        if ($rest->error !== false) {
-            $this->__triggerError('changeResourceRecordSets', $rest->error);
-            return false;
-        }
-
-        if (!isset($rest->body)) {
-            return array();
-        }
-
-        return $this->parseChangeInfo($rest->body->ChangeInfo);
-    }
-
-    /**
-    * Retrieves information on a specified change request
-    *
-    * @param string changeId The id of the change, as returned by CreateHostedZoneResponse or ChangeResourceRecordSets
-    *                      In other words, if CreateHostedZoneResponse showed the change's Id as '/change/C2682N5HXP0BZ4',
-    *                      then that full value should be passed here, including the '/change/' prefix.
-    * @return The status of the change request
-    */
-    public function getChange($changeId)
-    {
-        // we'll strip off the leading forward slash, so we can use it as the action directly.
-        $zoneId = trim($changeId, '/');
-
-        $rest = new Route53Request($this, $changeId, 'GET');
-
-        $rest = $rest->getResponse();
-        if ($rest->error === false && $rest->code !== 200) {
-            $rest->error = array('code' => $rest->code, 'message' => 'Unexpected HTTP status');
-        }
-        if ($rest->error !== false) {
-            $this->__triggerError('getChange', $rest->error);
-            return false;
-        }
-
-        if (!isset($rest->body)) {
-            return array();
-        }
-
-        return $this->parseChangeInfo($rest->body->ChangeInfo);
-    }
-
-
-
-    /**
-    * Utility function to parse a HostedZone tag structure
-    */
-    private function parseHostedZone($tag)
-    {
-        $zone = array();
-        $zone['Id'] = (string)$tag->Id;
-        $zone['Name'] = (string)$tag->Name;
-        $zone['CallerReference'] = (string)$tag->CallerReference;
-
-        // these might always be set, but check just in case, since
-        // their values are option on CreateHostedZone requests
-        if (isset($tag->Config) && isset($tag->Config->Comment)) {
-            $zone['Config'] = array('Comment' => (string)$tag->Config->Comment);
-        }
-
-        return $zone;
-    }
-
-    /**
-    * Utility function to parse a ChangeInfo tag structure
-    */
-    private function parseChangeInfo($tag)
-    {
-        $info = array();
-        $info['Id'] = (string)$tag->Id;
-        $info['Status'] = (string)$tag->Status;
-        $info['SubmittedAt'] = (string)$tag->SubmittedAt;
-        return $info;
-    }
-
-    /**
-    * Utility function to parse a DelegationSet tag structure
-    */
-    private function parseDelegationSet($tag)
-    {
-        $servers = array();
-        foreach ($tag->NameServers->NameServer as $ns) {
-            $servers[] = (string)$ns;
-        }
-        return $servers;
-    }
-
-    /**
-    * Utility function to parse a ResourceRecordSet tag structure
-    */
-    private function parseResourceRecordSet($tag)
-    {
-        $rrs = array();
-        $rrs['Name'] = (string)$tag->Name;
-        $rrs['Type'] = (string)$tag->Type;
-        $rrs['TTL'] = (string)$tag->TTL;
-        $rrs['ResourceRecords'] = array();
-        foreach ($tag->ResourceRecords->ResourceRecord as $rr) {
-            $rrs['ResourceRecords'][] = (string)$rr->Value;
-        }
-        return $rrs;
-    }
-
-    /**
-    * Utility function to prepare a Change object for ChangeResourceRecordSets requests.
-    * All fields are required.
-    *
-    * @param string action The action to perform.  One of: CREATE, DELETE
-    * @param string name The name to perform the action on.
-    *                    If it does not end with '.', then AWS treats the name as relative to the zone root.
-    * @param string type The type of record being modified.
-    *                    Must be one of: A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, SRV, TXT
-    * @param int ttl The time-to-live value for this record, in seconds.
-    * @param array records An array of resource records to attach to this change.
-    *                      Each member of this array can either be a string, or an array of strings.
-    *                      Passing an array of strings will attach multiple values to a single resource record.
-    *                      If a single string is passed as $records instead of an array,
-    *                      it will be treated as a single-member array.
-    * @return object An opaque object containing the change request.
-    *                Do not write code that depends on the contents of this object, as it may change at any time.
-    */
-    public function prepareChange($action, $name, $type, $ttl, $records)
-    {
-        $change = "<Change>\n";
-        $change .= '<Action>' . $action . "</Action>\n";
-        $change .= "<ResourceRecordSet>\n";
-        $change .= '<Name>' . $name . "</Name>\n";
-        $change .= '<Type>' . $type . "</Type>\n";
-        $change .= '<TTL>' . $ttl . "</TTL>\n";
-        $change .= "<ResourceRecords>\n";
-
-        if (!is_array($records)) {
-            $records = array($records);
-        }
-
-        foreach ($records as $record) {
-            $change .= "<ResourceRecord>\n";
-            if (is_array($record)) {
-                foreach ($record as $value) {
-                    $change .= '<Value>' . $value . "</Value>\n";
-                }
-            } else {
-                $change .= '<Value>' . $record . "</Value>\n";
-            }
-            $change .= "</ResourceRecord>\n";
-        }
-
-        $change .= "</ResourceRecords>\n";
-        $change .= "</ResourceRecordSet>\n";
-        $change .= "</Change>\n";
-
-        return $change;
-    }
-
-    /**
-    * Trigger an error message
-    *
-    * @internal Used by member functions to output errors
-    * @param array $error Array containing error information
-    * @return string
-    */
-    public function __triggerError($functionname, $error)
-    {
-        if ($error == false) {
-            log_error(sprintf("Route53::%s(): Encountered an error, but no description given", $functionname));
-        } elseif (isset($error['curl']) && $error['curl']) {
-            log_error(sprintf("Route53::%s(): %s %s", $functionname, $error['code'], $error['message']));
-        } elseif (isset($error['Error'])) {
-            $e = $error['Error'];
-            $message = sprintf("Route53::%s(): %s - %s: %s\nRequest Id: %s\n", $functionname, $e['Type'], $e['Code'], $e['Message'], $error['RequestId']);
-            log_error($message);
-        }
-    }
-
-    /**
-    * Callback handler for 503 retries.
-    *
-    * @internal Used by SimpleDBRequest to call the user-specified callback, if set
-    * @param $attempt The number of failed attempts so far
-    * @return The retry delay in microseconds, or 0 to stop retrying.
-    */
-    public function __executeServiceTemporarilyUnavailableRetryDelay($attempt)
-    {
-        if (is_callable($this->__serviceUnavailableRetryDelayCallback)) {
-            $callback = $this->__serviceUnavailableRetryDelayCallback;
-            return $callback($attempt);
-        }
-        return 0;
-    }
-}
-
-final class Route53Request
-{
-    private $r53, $action, $verb, $data, $parameters = array();
-    public $response;
-
-    /**
-    * Constructor
-    *
-    * @param string $r53 The Route53 object making this request
-    * @param string $action SimpleDB action
-    * @param string $verb HTTP verb
-    * @param string $data For POST requests, the data being posted (optional)
-    * @return mixed
-    */
-    function __construct($r53, $action, $verb, $data = '')
-    {
-        $this->r53 = $r53;
-        $this->action = $action;
-        $this->verb = $verb;
-        $this->data = $data;
-        $this->response = new STDClass();
-        $this->response->error = false;
-    }
-
-    /**
-    * Set request parameter
-    *
-    * @param string  $key Key
-    * @param string  $value Value
-    * @param boolean $replace Whether to replace the key if it already exists (default true)
-    * @return void
-    */
-    public function setParameter($key, $value, $replace = true)
-    {
-        if (!$replace && isset($this->parameters[$key])) {
-            $temp = (array)($this->parameters[$key]);
-            $temp[] = $value;
-            $this->parameters[$key] = $temp;
-        } else {
-            $this->parameters[$key] = $value;
-        }
-    }
-
-    /**
-    * Get the response
-    *
-    * @return object | false
-    */
-    public function getResponse()
-    {
-
-        $params = array();
-        foreach ($this->parameters as $var => $value) {
-            if (is_array($value)) {
-                foreach ($value as $v) {
-                    $params[] = $var . '=' . $this->__customUrlEncode($v);
-                }
-            } else {
-                $params[] = $var . '=' . $this->__customUrlEncode($value);
-            }
-        }
-
-        sort($params, SORT_STRING);
-
-        $query = implode('&', $params);
-
-        // must be in format 'Sun, 06 Nov 1994 08:49:37 GMT'
-        $date = gmdate('D, d M Y H:i:s e');
-
-        $headers = array();
-        $headers[] = 'Date: ' . $date;
-        $headers[] = 'Host: ' . $this->r53->getHost();
-
-        $auth = 'AWS3-HTTPS AWSAccessKeyId=' . $this->r53->getAccessKey();
-        $auth .= ',Algorithm=HmacSHA256,Signature=' . $this->__getSignature($date);
-        $headers[] = 'X-Amzn-Authorization: ' . $auth;
-
-        $url = 'https://' . $this->r53->getHost() . '/' . Route53::API_VERSION . '/' . $this->action . '?' . $query;
-
-        // Basic setup
-        $curl = curl_init();
-        curl_setopt($curl, CURLOPT_USERAGENT, 'Route53/php');
-
-        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, ($this->r53->verifyHost() ? 1 : 0));
-        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, ($this->r53->verifyPeer() ? 1 : 0));
-
-        curl_setopt($curl, CURLOPT_URL, $url);
-        curl_setopt($curl, CURLOPT_RETURNTRANSFER, false);
-        curl_setopt($curl, CURLOPT_WRITEFUNCTION, array(&$this, '__responseWriteCallback'));
-        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
-
-        // Request types
-        switch ($this->verb) {
-            case 'GET':
-                break;
-            case 'POST':
-                curl_setopt($curl, CURLOPT_CUSTOMREQUEST, $this->verb);
-                if (strlen($this->data) > 0) {
-                    curl_setopt($curl, CURLOPT_POSTFIELDS, $this->data);
-                    $headers[] = 'Content-Type: text/plain';
-                    $headers[] = 'Content-Length: ' . strlen($this->data);
-                }
-                break;
-            case 'DELETE':
-                curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'DELETE');
-                break;
-            default:
-                break;
-        }
-        curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
-        curl_setopt($curl, CURLOPT_HEADER, false);
-
-        // Execute, grab errors
-        if (curl_exec($curl)) {
-            $this->response->code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
-        } else {
-            $this->response->error = array(
-                'curl' => true,
-                'code' => curl_errno($curl),
-                'message' => curl_error($curl),
-                'resource' => $this->resource
-            );
-        }
-
-        @curl_close($curl);
-
-        // Parse body into XML
-        if ($this->response->error === false && isset($this->response->body)) {
-            $this->response->body = simplexml_load_string($this->response->body);
-
-            // Grab Route53 errors
-            if (
-                !in_array($this->response->code, array(200, 201, 202, 204))
-                && isset($this->response->body->Error)
-            ) {
-                $error = $this->response->body->Error;
-                $output = array();
-                $output['curl'] = false;
-                $output['Error'] = array();
-                $output['Error']['Type'] = (string)$error->Type;
-                $output['Error']['Code'] = (string)$error->Code;
-                $output['Error']['Message'] = (string)$error->Message;
-                $output['RequestId'] = (string)$this->response->body->RequestId;
-
-                $this->response->error = $output;
-                unset($this->response->body);
-            }
-        }
-
-        return $this->response;
-    }
-
-    /**
-    * CURL write callback
-    *
-    * @param resource &$curl CURL resource
-    * @param string &$data Data
-    * @return integer
-    */
-    private function __responseWriteCallback(&$curl, &$data)
-    {
-        $this->response->body .= $data;
-        return strlen($data);
-    }
-
-    /**
-    * Contributed by afx114
-    * URL encode the parameters as per http://docs.amazonwebservices.com/AWSECommerceService/latest/DG/index.html?Query_QueryAuth.html
-    * PHP's rawurlencode() follows RFC 1738, not RFC 3986 as required by Amazon. The only difference is the tilde (~), so convert it back after rawurlencode
-    * See: http://www.morganney.com/blog/API/AWS-Product-Advertising-API-Requires-a-Signed-Request.php
-    *
-    * @param string $var String to encode
-    * @return string
-    */
-    private function __customUrlEncode($var)
-    {
-        return str_replace('%7E', '~', rawurlencode($var));
-    }
-
-    /**
-    * Generate the auth string using Hmac-SHA256
-    *
-    * @internal Used by SimpleDBRequest::getResponse()
-    * @param string $string String to sign
-    * @return string
-    */
-    private function __getSignature($string)
-    {
-        return base64_encode(hash_hmac('sha256', $string, $this->r53->getSecretKey(), true));
-    }
-}
diff --git a/dns/dyndns/src/etc/rc.dyndns b/dns/dyndns/src/etc/rc.dyndns
deleted file mode 100755
index 5bdc013535..0000000000
--- a/dns/dyndns/src/etc/rc.dyndns
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("config.inc");
-require_once("interfaces.inc");
-require_once("util.inc");
-require_once("filter.inc");
-require_once("plugins.inc.d/dyndns.inc");
-
-if (isset($argv[1])) {
-    $argument = trim($argv[1], " \n");
-} else {
-    $argument = null;
-}
-
-if (empty($argument)) {
-    dyndns_configure_do(true);
-} else {
-    $interface = (new \OPNsense\Routing\Gateways(legacy_interfaces_details()))->getInterfaceName($argument);
-    if (empty($interface)) {
-        $interface = $argument;
-    }
-    dyndns_configure_do(true, $interface);
-}
diff --git a/dns/dyndns/src/etc/rc.syshook.d/monitor/50-dyndns b/dns/dyndns/src/etc/rc.syshook.d/monitor/50-dyndns
deleted file mode 100755
index 77511becc1..0000000000
--- a/dns/dyndns/src/etc/rc.syshook.d/monitor/50-dyndns
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2019 Franco Fichtner <franco@opnsense.org>
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-
-GATEWAY="${1}"
-
-if [ -z "${GATEWAY}" ]; then
-	# require a gateway
-	exit 1
-fi
-
-echo -n "Reloading DynDNS for ${GATEWAY}: "
-/usr/local/opnsense/service/configd_ctl.py dyndns reload ${GATEWAY}
-
-exit 0
diff --git a/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/ACL/ACL.xml b/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/ACL/ACL.xml
deleted file mode 100644
index 108e7e6537..0000000000
--- a/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/ACL/ACL.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<acl>
-    <page-services-dynamicdnsclients>
-        <name>Services: Dynamic DNS clients</name>
-        <patterns>
-            <pattern>services_dyndns.php*</pattern>
-            <pattern>services_dyndns_edit.php*</pattern>
-        </patterns>
-    </page-services-dynamicdnsclients>
-</acl>
diff --git a/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml b/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml
deleted file mode 100644
index d2a7a40f2d..0000000000
--- a/dns/dyndns/src/opnsense/mvc/app/models/OPNsense/DynamicDNS/Menu/Menu.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<menu>
-    <Services>
-        <DynamicDNSOld VisibleName="Dynamic DNS (legacy)" url="/services_dyndns.php" cssClass="fa fa-tags fa-fw">
-            <Edit url="/services_dyndns_edit.php*" visibility="hidden"/>
-        </DynamicDNSOld>
-    </Services>
-</menu>
diff --git a/dns/dyndns/src/opnsense/service/conf/actions.d/actions_dyndns.conf b/dns/dyndns/src/opnsense/service/conf/actions.d/actions_dyndns.conf
deleted file mode 100644
index 294b7da846..0000000000
--- a/dns/dyndns/src/opnsense/service/conf/actions.d/actions_dyndns.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[reload]
-command:/usr/local/etc/rc.dyndns
-description:Dynamic DNS Update
-parameters:%s
-type:script
-message:updating dyndns %s
diff --git a/dns/dyndns/src/www/services_dyndns.php b/dns/dyndns/src/www/services_dyndns.php
deleted file mode 100644
index e699285599..0000000000
--- a/dns/dyndns/src/www/services_dyndns.php
+++ /dev/null
@@ -1,203 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2008 Ermal Luçi
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("interfaces.inc");
-require_once("system.inc");
-require_once("plugins.inc.d/dyndns.inc");
-
-$a_dyndns = &config_read_array('dyndnses', 'dyndns');
-
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    if (isset($_POST['act']) && $_POST['act'] == "del" && isset($_POST['id'])) {
-        if (!empty($a_dyndns[$_POST['id']])) {
-            $conf = $a_dyndns[$_POST['id']];
-            @unlink(dyndns_cache_file($conf, 4));
-            @unlink(dyndns_cache_file($conf, 6));
-            unset($a_dyndns[$_POST['id']]);
-            write_config();
-            system_cron_configure();
-        }
-        exit;
-    } elseif (isset($_POST['act']) && $_POST['act'] == "toggle" && isset($_POST['id'])) {
-        if (!empty($a_dyndns[$_POST['id']])) {
-            if (!empty($a_dyndns[$_POST['id']]['enable'])) {
-                $a_dyndns[$_POST['id']]['enable'] = false;
-            } else {
-                $a_dyndns[$_POST['id']]['enable'] = true;
-            }
-            write_config();
-            system_cron_configure();
-            if ($a_dyndns[$_POST['id']]['enable']) {
-                $a_dyndns[$_POST['id']]['force'] = true;
-                dyndns_configure_client($a_dyndns[$_POST['id']]);
-            }
-        }
-        exit;
-    }
-}
-
-include("head.inc");
-
-legacy_html_escape_form_data($a_dyndns);
-
-?>
-<body>
-  <script>
-  $( document ).ready(function() {
-    // delete service action
-    $(".act_delete_service").click(function(event){
-      event.preventDefault();
-      var id = $(this).data("id");
-      BootstrapDialog.show({
-        type:BootstrapDialog.TYPE_DANGER,
-        title: "<?= gettext("Dynamic DNS");?>",
-        message: "<?=gettext("Do you really want to delete this entry?");?>",
-        buttons: [{
-                  label: "<?= gettext("No");?>",
-                  action: function(dialogRef) {
-                      dialogRef.close();
-                  }}, {
-                  label: "<?= gettext("Yes");?>",
-                  action: function(dialogRef) {
-                    $.post(window.location, {act: 'del', id:id}, function(data) {
-                        location.reload();
-                    });
-                }
-              }]
-      });
-    });
-    // link toggle buttons
-    $(".act_toggle").click(function(event){
-        event.preventDefault();
-        $.post(window.location, {act: 'toggle', id:$(this).data("id")}, function(data) {
-            location.reload();
-        });
-    });
-    // watch scroll position and set to last known on page load
-    watchScrollPosition();
-  });
-  </script>
-
-<?php include("fbegin.inc"); ?>
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-        <section class="col-xs-12">
-          <div class="alert alert-warning" role="alert">
-              <strong>
-                  <?=gettext("Please make sure to upgrade to os-ddclient before 23.7 is released as this plugin will be removed from our repository");?>
-              </strong>
-          </div>
-          <div class="tab-content content-box col-xs-12">
-            <form method="post" name="iform" id="iform">
-              <div class="table-responsive">
-                <table class="table table-striped">
-                  <thead>
-                    <tr>
-                      <th><?=gettext("Interface");?></th>
-                      <th><?=gettext("Service");?></th>
-                      <th><?=gettext("Hostname");?></th>
-                      <th><?=gettext("Cached IP");?></th>
-                      <th><?=gettext("Description");?></th>
-                      <th class="text-nowrap">
-                        <a href="services_dyndns_edit.php" class="btn btn-primary btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Add')) ?>">
-                          <i class="fa fa-plus fa-fw"></i>
-                        </a>
-                      </th>
-                    </tr>
-                  </thead>
-                  <tbody>
-<?php
-                    $i = 0;
-                    foreach ($a_dyndns as $dyndns): ?>
-                    <tr>
-                      <td>
-                        <a href="#" class="act_toggle" data-id="<?=$i;?>" data-toggle="tooltip" title="<?=(!empty($dyndns['enable'])) ? gettext("Disable") : gettext("Enable");?>">
-                          <i class="fa fa-play fa-fw <?=(!empty($dyndns['enable'])) ? "text-success" : "text-muted";?>"></i>
-                        </a>
-                        <?=!empty($config['interfaces'][$dyndns['interface']]['descr']) ? $config['interfaces'][$dyndns['interface']]['descr'] : strtoupper($dyndns['interface']);?>
-                      </td>
-                      <td><?=dyndns_list()[$dyndns['type']];?></td>
-                      <td><?=$dyndns['host'];?></td>
-                      <td>
-<?php
-                      $filename = dyndns_cache_file($dyndns, 4);
-                      $fdata = '';
-                      if (file_exists($filename) && !empty($dyndns['enable'])) {
-                          $ipaddr = get_dyndns_ip_address(dyndns_failover_interface($dyndns['interface'], 'all'), 4);
-                          $fdata = @file_get_contents($filename);
-                      }
-
-                      $filename_v6 = dyndns_cache_file($dyndns, 6);
-                      $fdata6 = '';
-                      if (file_exists($filename_v6) && !empty($dyndns['enable'])) {
-                          $ipv6addr = get_dyndns_ip_address(dyndns_failover_interface($dyndns['interface'], 'inet6'), 6);
-                          $fdata6 = @file_get_contents($filename_v6);
-                      }
-
-                      if (!empty($fdata)) {
-                          $cached_ip_s = explode('|', $fdata);
-                          $cached_ip = $cached_ip_s[0];
-                          echo sprintf(
-                              '<font color="%s">%s</font>',
-                              $ipaddr != $cached_ip ? 'red' : 'green',
-                              htmlspecialchars($cached_ip)
-                          );
-                      } elseif (!empty($fdata6)) {
-                          $cached_ipv6_s = explode('|', $fdata6);
-                          $cached_ipv6 = $cached_ipv6_s[0];
-                          echo sprintf(
-                              '<font color="%s">%s</font>',
-                              $ipv6addr != $cached_ipv6 ? 'red' : 'green',
-                              htmlspecialchars($cached_ipv6)
-                          );
-                      } else {
-                          echo sprintf('<span class="text-muted">%s</span>', gettext('N/A'));
-                      }?>
-                      </td>
-                      <td><?=$dyndns['descr'];?></td>
-                      <td class="text-nowrap">
-                        <a href="services_dyndns_edit.php?id=<?=$i;?>" class="btn btn-default btn-xs"><i class="fa fa-pencil fa-fw"></i></a>
-                        <a href="#" data-id="<?=$i;?>" class="act_delete_service btn btn-xs btn-default"><i class="fa fa-trash fa-fw"></i></a>
-                      </td>
-                    </tr>
-<?php
-                      $i++;
-                    endforeach; ?>
-                  </tbody>
-                </table>
-              </div>
-            </form>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php include("foot.inc"); ?>
diff --git a/dns/dyndns/src/www/services_dyndns_edit.php b/dns/dyndns/src/www/services_dyndns_edit.php
deleted file mode 100644
index 3b5d12cb6d..0000000000
--- a/dns/dyndns/src/www/services_dyndns_edit.php
+++ /dev/null
@@ -1,500 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2015 Deciso B.V.
- * Copyright (C) 2008 Ermal Luçi
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("interfaces.inc");
-require_once("system.inc");
-require_once("plugins.inc.d/dyndns.inc");
-
-/* returns true if $uname is a valid dynamic DNS username */
-function is_dyndns_username($uname)
-{
-    if (!is_string($uname)) {
-        return false;
-    } elseif (preg_match("/[^a-z0-9\-.@_:+]/i", $uname)) {
-        return false;
-    } else {
-        return true;
-    }
-}
-
-$a_dyndns = &config_read_array('dyndnses', 'dyndns');
-
-if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    if (isset($_GET['id']) && !empty($a_dyndns[$_GET['id']])) {
-        $id = $_GET['id'];
-    }
-    $config_copy_fieldnames = array('username', 'password', 'host', 'mx', 'type', 'zoneid','resourceid', 'ttl', 'updateurl',
-                                    'resultmatch', 'requestif', 'descr', 'interface');
-    foreach ($config_copy_fieldnames as $fieldname) {
-        if (isset($id) && isset($a_dyndns[$id][$fieldname])) {
-            $pconfig[$fieldname] = $a_dyndns[$id][$fieldname];
-        } else {
-            $pconfig[$fieldname] = null;
-        }
-    }
-
-    if (isset($id)) {
-        $pconfig['enable'] = isset($a_dyndns[$id]['enable']);
-    } else {
-        $pconfig['enable'] = true;
-    }
-    $pconfig['wildcard'] = isset($id) && isset($a_dyndns[$id]['wildcard']);
-    $pconfig['verboselog'] = isset($id) && isset($a_dyndns[$id]['verboselog']);
-    $pconfig['curl_ipresolve_v4'] = isset($id) && isset($a_dyndns[$id]['curl_ipresolve_v4']);
-    $pconfig['curl_ssl_verifypeer'] = isset($id) && isset($a_dyndns[$id]['curl_ssl_verifypeer']);
-} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    if (isset($_POST['id']) && !empty($a_dyndns[$_POST['id']])) {
-        $id = $_POST['id'];
-    }
-    $input_errors = array();
-    $pconfig = $_POST;
-
-    if(($pconfig['type'] == "freedns" || $pconfig['type'] == "linode" || $pconfig['type'] == "linode-v6" || $pconfig['type'] == "namecheap" || $pconfig['type'] == "cloudflare-token" || $pconfig['type'] == "cloudflare-token-v6" || $pconfig['type'] == "desec" || $pconfig['type'] == "desec-v4-v6" || $pconfig['type'] == "desec-v6" || $pconfig['type'] == "1984-hosting") && $pconfig['username'] == "") {
-        $pconfig['username'] = "none";
-    }
-
-    /* input validation */
-    $reqdfields = array();
-    $reqdfieldsn = array();
-    $reqdfields = array('type');
-    $reqdfieldsn = array(gettext('Service type'));
-
-    if (in_array($pconfig['type'], array('azure', 'azurev6'))) {
-        $reqdfields[] = 'password';
-        $reqdfieldsn[] = gettext('Password');
-        $reqdfields[] = 'resourceid';
-        $reqdfieldsn[] = gettext('Resource Id');
-        $reqdfields[] = 'ttl';
-        $reqdfieldsn[] = gettext('TTL');
-    } elseif ($pconfig['type'] != 'custom' && $pconfig['type'] != 'custom-v6') {
-        $reqdfields[] = 'host';
-        $reqdfieldsn[] = gettext('Hostname');
-        $reqdfields[] = 'username';
-        $reqdfieldsn[] = gettext('Username');
-        if (!in_array($pconfig['type'], array('dynv6', 'dynv6-v6', 'duckdns', 'regfish', 'regfish-v6'))) {
-            $reqdfields[] = 'password';
-            $reqdfieldsn[] = gettext('Password');
-        }
-    } else {
-        $reqdfields[] = 'updateurl';
-        $reqdfieldsn[] = gettext('Update URL');
-    }
-
-    do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
-
-    if (isset($pconfig['host']) && in_array('host', $reqdfields)) {
-        $host_to_check = $pconfig['host'];
-
-        switch ($pconfig['type']) {
-            case '1984-hosting':
-            case 'cloudflare':
-            case 'cloudflare-token':
-            case 'cloudflare-token-v6':
-            case 'cloudflare-v6':
-            case 'desec':
-            case 'desec-v4-v6':
-            case 'desec-v6':
-            case 'eurodns':
-            case 'godaddy':
-            case 'godaddy-v6':
-            case 'googledomains':
-            case 'hetzner':
-            case 'hetzner-v6':
-            case 'linode':
-            case 'linode-v6':
-            case 'namecheap':
-                $host_to_check = preg_replace('/^[@*]\./', '', $host_to_check);
-                break;
-            default:
-                break;
-        }
-
-        if (!is_domain($host_to_check)) {
-            $input_errors[] = gettext("The Hostname contains invalid characters.");
-        }
-    }
-
-    if (!empty($pconfig['mx']) && !is_domain($pconfig['mx'])) {
-        $input_errors[] = gettext("The MX contains invalid characters.");
-    }
-    if ((in_array("username", $reqdfields) && !empty($pconfig['username']) && !is_dyndns_username($pconfig['username'])) || ((in_array("username", $reqdfields)) && ($pconfig['username'] == ""))) {
-        $input_errors[] = gettext("The username contains invalid characters.");
-    }
-
-    if (!empty($pconfig['ttl']) && (string)((int)$pconfig['ttl']) != $pconfig['ttl']) {
-        $input_errors[] = gettext("The TTL value needs to be a valid integer number.");
-    }
-
-    if (count($input_errors) == 0) {
-        $dyndns = array();
-        $dyndns['type'] = $pconfig['type'];
-        $dyndns['username'] = $pconfig['username'];
-        $dyndns['password'] = $pconfig['password'];
-        $dyndns['host'] = $pconfig['host'];
-        $dyndns['mx'] = $pconfig['mx'];
-        $dyndns['wildcard'] = !empty($pconfig['wildcard']);
-        $dyndns['verboselog'] = !empty($pconfig['verboselog']);
-        $dyndns['curl_ipresolve_v4'] = !empty($pconfig['curl_ipresolve_v4']);
-        $dyndns['curl_ssl_verifypeer'] = !empty($pconfig['curl_ssl_verifypeer']);
-        $dyndns['enable'] = !empty($pconfig['enable']);
-        $dyndns['interface'] = $pconfig['interface'];
-        $dyndns['zoneid'] = $pconfig['zoneid'];
-        $dyndns['resourceid'] = $pconfig['resourceid'];
-        $dyndns['ttl'] = $pconfig['ttl'];
-        $dyndns['updateurl'] = $pconfig['updateurl'];
-        // Trim hard-to-type but sometimes returned characters
-        $dyndns['resultmatch'] = trim($pconfig['resultmatch'], "\t\n\r");
-        ($dyndns['type'] == "custom" || $dyndns['type'] == "custom-v6") ? $dyndns['requestif'] = $pconfig['requestif'] : $dyndns['requestif'] = $pconfig['interface'];
-        $dyndns['descr'] = $pconfig['descr'];
-        $dyndns['force'] = isset($pconfig['force']);
-        if ($dyndns['username'] == "none") {
-            $dyndns['username'] = "";
-        }
-
-        if (isset($id)) {
-            $a_dyndns[$id] = $dyndns;
-        } else {
-            $a_dyndns[] = $dyndns;
-            $id = count($a_dyndns) - 1;
-        }
-
-        $dyndns['id'] = $id;
-        for($i = 0; $i < count($a_dyndns); $i++) {
-            $a_dyndns[$i]['id'] = $i;
-        }
-
-        write_config();
-        system_cron_configure();
-
-        if ($dyndns['force']) {
-            dyndns_configure_client($dyndns);
-        }
-
-        header(url_safe('Location: /services_dyndns.php'));
-        exit;
-    }
-}
-
-legacy_html_escape_form_data($pconfig);
-
-include("head.inc");
-
-?>
-<body>
-<?php include("fbegin.inc"); ?>
- <script>
-  $( document ).ready(function() {
-      $("#type").change(function(){
-          $(".opt_field").hide();
-          switch ($(this).val()) {
-              case "custom":
-              case "custom-v6":
-                $(".type_custom").show();
-                break;
-              case "route53":
-              case "route53-v6":
-                $(".type_route53").show();
-                break;
-              case "azure":
-              case "azurev6":
-                $(".type_azure").show();
-                break;
-              case 'cloudflare':
-              case 'cloudflare-v6':
-                $(".type_default").show();
-                $(".type_cloudflare").show();
-                break;
-              case 'cloudflare-token':
-              case 'cloudflare-token-v6':
-                $(".type_cloudflare").show();
-                break;
-              default:
-                $(".type_default").show();
-                break;
-          }
-          $(window).resize(); // force zebra re-stripe (opnsense_standard_table_form)
-      });
-      $("#type").change();
-  });
-  </script>
-
-  <section class="page-content-main">
-    <div class="container-fluid">
-      <div class="row">
-        <?php if (isset($input_errors) && count($input_errors) > 0) print_input_errors($input_errors); ?>
-        <section class="col-xs-12">
-          <div class="content-box">
-            <form method="post" name="iform" id="iform">
-              <div class="table-responsive">
-                <table class="table table-striped opnsense_standard_table_form">
-                  <tr>
-                    <td style="width:22%"><strong><?= gettext("Dynamic DNS client") ?></strong></td>
-                    <td style="width:78%; text-align:right">
-                      <small><?= gettext("full help") ?> </small>
-                      <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Enable") ?></td>
-                    <td>
-                      <input name="enable" type="checkbox" id="enable" value="<?= gettext("yes") ?>" <?= empty($pconfig['enable']) ? '' : 'checked="checked"' ?> />
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Service type") ?></td>
-                    <td>
-                      <select name="type" class="selectpicker" id="type">
-<?php
-                        foreach (dyndns_list() as $value => $type):?>
-                                <option value="<?= $value ?>" <?= $value == $pconfig['type'] ? 'selected="selected"' : '' ?>>
-                                  <?= $type ?>
-                                </option>
-<?php
-                        endforeach;?>
-                      </select>
-                    </td>
-                  </tr>
-                  <tr>
-                     <td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Interface to monitor") ?></td>
-                     <td>
-                       <select name="interface" class="selectpicker" id="interface">
-<?php
-                        $iflist = get_configured_interface_with_descr();
-                        $iflist = array_merge($iflist, return_gateway_groups_array());
-                        foreach ($iflist as $if => $ifdesc):?>
-                          <option value="<?= $if ?>" <?=$pconfig['interface'] == $if ? 'selected="selected"' : '';?>>
-                            <?= is_array($ifdesc) ? $if : htmlspecialchars($ifdesc) ?>
-                          </option>
-
-<?php
-                        endforeach;?>
-                        </select>
-                      </td>
-                  </tr>
-                  <tr class="opt_field type_custom">
-                    <td><a id="help_for_requestif" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Interface to send update from") ?></td>
-                    <td>
-                      <select name="requestif" class="selectpicker" id="requestif">
-<?php
-                       $iflist = get_configured_interface_with_descr();
-                       $iflist = array_merge($iflist, return_gateway_groups_array());
-                       foreach ($iflist as $if => $ifdesc):?>
-                         <option value="<?= $if ?>" <?= $pconfig['requestif'] == $if ? 'selected="selected"' : '' ?>>
-                           <?= is_array($ifdesc) ? $if : htmlspecialchars($ifdesc) ?>
-                         </option>
-
-<?php
-                       endforeach;?>
-                       </select>
-                       <div class="hidden" data-for="help_for_requestif">
-                         <?= gettext("Note: This is almost always the same as the Interface to Monitor.");?>
-                       </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_host" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Hostname") ?></td>
-                    <td>
-                      <input name="host" type="text" id="host" value="<?= $pconfig['host'] ?>" />
-                      <div class="hidden" data-for="help_for_host">
-                        <?= gettext("Enter the complete host/domain name. example: myhost.dyndns.org") ?><br />
-                        <?= gettext("For he.net tunnelbroker, enter your tunnel ID") ?><br />
-                        <?= gettext("For DigitalOcean, enter the zone/domain name.") ?>
-                        <?= gettext('Gandi LiveDNS: Enter the 2nd-level domain ("example.org").') ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr class="opt_field type_default type_route53">
-                    <td><a id="help_for_mx" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("MX") ?></td>
-                    <td>
-                      <input name="mx" type="text" id="mx" value="<?= $pconfig['mx'] ?>" />
-                      <div class="hidden" data-for="help_for_mx">
-                        <?= gettext("Note: With a dynamic DNS service you can only use a hostname, not an IP address.") ?>
-                        <br />
-                        <?= gettext("Set this option only if you need a special MX record. Not all services support this.") ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr class="opt_field type_default type_route53">
-                    <td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Wildcards") ?></td>
-                    <td>
-                      <input name="wildcard" type="checkbox" id="wildcard" value="yes" <?= empty($pconfig['wildcard']) ? '' : 'checked="checked"' ?> />
-                      <strong><?= gettext("Enable Wildcard") ?></strong>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Verbose logging") ?></td>
-                    <td>
-                      <input name="verboselog" type="checkbox" id="verboselog" value="yes" <?= empty($pconfig['verboselog']) ? '' : 'checked="checked"' ?> />
-                      <strong><?= gettext("Enable verbose logging") ?></strong>
-                    </td>
-                  </tr>
-                  <tr class="opt_field type_custom">
-                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("CURL options"); ?></td>
-                    <td>
-                      <input name="curl_ipresolve_v4" type="checkbox" id="curl_ipresolve_v4" value="yes" <?= empty($pconfig['curl_ipresolve_v4']) ? '' : 'checked="checked"' ?> />
-                      <?= gettext("Force IPv4 resolving") ?><br />
-                      <input name="curl_ssl_verifypeer" type="checkbox" id="curl_ssl_verifypeer" value="yes" <?= empty($pconfig['curl_ssl_verifypeer']) ? '' : 'checked="checked"'  ?> />
-                      <?= gettext("Verify SSL peer") ?>
-                    </td>
-                  </tr>
-                  <tr class ="opt_field type_custom type_route53 type_azure type_default">
-                    <td><a id="help_for_username" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Username") ?></td>
-                    <td>
-                      <input name="username" type="text" id="username" value="<?= $pconfig['username'] ?>" />
-                      <div class="hidden" data-for="help_for_username">
-                        <?= gettext('Username is required except when stated otherwise.') ?>
-                        <br /><?= gettext('Route 53: Enter your Access Key ID.') ?>
-                        <br /><?= gettext('Duck DNS: Enter your Token.') ?>
-                        <br /><?= gettext('dynv6: Enter your Token.') ?>
-                        <br /><?= gettext('Azure: Enter your Azure AD application ID.') ?>
-                        <br /><?= gettext('DigitalOcean: Enter the domain record ID.') ?>
-                        <br /><?= gettext('For Custom Entries, Username and Password represent HTTP Authentication username and passwords.') ?>
-                        <br /><?= gettext('Gandi LiveDNS: The subdomain / record to update.') ?>
-                        <br /><?= gettext('GoDaddy: Enter your API Key Token.') ?>
-                        <br /><?= gettext('deSEC: no Username necessary. Your Hostname is used instead.') ?>
-                        <br /><?= gettext('FreeDNS: Leave blank.') ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><a id="help_for_password" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Password") ?></td>
-                    <td>
-                      <input name="password" type="password" id="password" value="<?= $pconfig['password'] ?>" />
-                      <div class="hidden" data-for="help_for_password">
-                        <?=gettext('FreeDNS (freedns.afraid.org): Enter your "Authentication Token" provided by FreeDNS.') ?>
-                        <br /><?= gettext('Route 53: Enter your Secret Access Key.') ?>
-                        <br /><?= gettext('Duck DNS: Leave blank.') ?>
-                        <br /><?= gettext('dynv6: Leave blank.') ?>
-                        <br /><?= gettext('Azure: client secret of the AD application') ?>
-                        <br /><?= gettext('Linode: Enter your Personal Access Token.') ?>
-                        <br /><?= gettext('DigitalOcean: Enter your Access Token.') ?>
-                        <br /><?= gettext('Cloudflare: Enter your API token or Global API key.') ?>
-                        <br /><?= gettext('Gandi LiveDNS: Enter your API token.') ?>
-                        <br /><?= gettext('GoDaddy: Enter your API Secret Token.') ?>
-                        <br /><?= gettext('deSEC: Enter your Token for your hostname, NOT the 36-character Token ID from the webinterface.') ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr class="opt_field type_route53">
-                    <td><a id="help_for_zoneid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Zone ID") ?></td>
-                    <td>
-                      <input name="zoneid" type="text" id="zoneid" value="<?= $pconfig['zoneid'] ?>" />
-                      <div class="hidden" data-for="help_for_zoneid">
-                        <?= gettext("Enter Zone ID that you received when you created your domain in Route 53.") ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr class="opt_field type_azure">
-                    <td><a id="help_for_resourceid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Resource Id') ?></td>
-                    <td>
-                      <input name="resourceid" type="text" id="resourceid" value="<?= $pconfig['resourceid'] ?>" />
-                      <div class="hidden" data-for="help_for_resourceid">
-                        <?= gettext("Enter the resource id of the DNS Zone in Azure.") ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr class="opt_field type_custom">
-                    <td><a id="help_for_updateurl" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Update URL") ?></td>
-                    <td>
-                      <input name="updateurl" type="text" id="updateurl" value="<?= $pconfig['updateurl'] ?>" />
-                      <div class="hidden" data-for="help_for_updateurl">
-                        <?= gettext("This is the only field required by for Custom Dynamic DNS, and is only used by Custom Entries.") ?>
-                        <br />
-                        <?= gettext("If you need the new IP to be included in the request, put %IP% in its place.") ?>
-                        <br />
-                        <?= gettext("If you need the new host to be included in the request, put %HOST% in its place.") ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr class="opt_field type_custom">
-                    <td><a id="help_for_resultmatch" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext("Result Match") ?></td>
-                    <td>
-                      <textarea name="resultmatch" class="formpre" id="resultmatch" cols="65" rows="7"><?= $pconfig['resultmatch'] ?></textarea>
-                      <div class="hidden" data-for="help_for_resultmatch">
-                        <?= gettext("This field is only used by Custom Dynamic DNS Entries.") ?>
-                        <br />
-                        <?= gettext("This field should be identical to what your dynamic DNS Provider will return if the update succeeds, leave it blank to disable checking of returned results.");?>
-                        <br />
-                        <?= gettext("If you need the new IP to be included in the request, put %IP% in its place.") ?>
-                        <br />
-                        <?= gettext("If you need the new host to be included in the request, put %HOST% in its place.") ?>
-                        <br />
-                        <?= gettext('If you need to include multiple possible values, separate them with a |. If your provider includes a |, escape it with \|') ?>
-                        <br />
-                        <?= gettext('Tabs (\t), newlines (\n) and carriage returns (\r) at the beginning or end of the returned results are removed before comparison.') ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr class="opt_field type_route53 type_azure type_cloudflare">
-                    <td><a id="help_for_ttl" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("TTL");?></td>
-                    <td>
-                      <input name="ttl" type="text" id="ttl" value="<?= $pconfig['ttl'] ?>" />
-                      <div class="hidden" data-for="help_for_ttl">
-                        <?= gettext("Choose TTL for your dns record.") ?>
-                        <br /><?= gettext('Cloudflare: value "1" means "Auto". Anything below 1 will be updated with value 1/Auto.') ?>
-                      </div>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?= gettext("Description") ?></td>
-                    <td>
-                      <input name="descr" type="text" id="descr" value="<?= $pconfig['descr'] ?>" />
-                    </td>
-                  </tr>
-                  <tr>
-                    <td>&nbsp;</td>
-                    <td>
-                      <button name="submit" type="submit" class="btn btn-primary" value="save"><?= gettext('Save') ?></button>
-<?php if (isset($id)): ?>
-                        <button name="force" type="submit" class="btn btn-primary" value="force"><?= gettext('Save and Force Update') ?></button>
-                        <input name="id" type="hidden" value="<?= $id ?>" />
-<?php endif ?>
-                      <a href="services_dyndns.php" class="btn btn-default"><?= gettext('Cancel') ?></a>
-                    </td>
-                  </tr>
-                  <tr>
-                    <td colspan="2">
-                      <?= sprintf(gettext('You must configure a DNS server in %sSystem: ' .
-                        'General setup%s or allow the DNS server list to be overridden ' .
-                        'by DHCP/PPP on WAN for dynamic DNS updates to work.'),
-                        '<a href="system_general.php">', '</a>'); ?>
-                    </td>
-                  </tr>
-                </table>
-              </div>
-            </form>
-          </div>
-        </section>
-      </div>
-    </div>
-  </section>
-<?php
-
-include("foot.inc");
diff --git a/dns/dyndns/src/www/widgets/include/dyn_dns_status.inc b/dns/dyndns/src/www/widgets/include/dyn_dns_status.inc
deleted file mode 100644
index dc5fb3e3b2..0000000000
--- a/dns/dyndns/src/www/widgets/include/dyn_dns_status.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-<?php
-
-$dyn_dns_status_title = gettext('Dynamic DNS');
-$dyn_dns_status_title_link = 'services_dyndns.php';
diff --git a/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php b/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
deleted file mode 100644
index 7d5333967c..0000000000
--- a/dns/dyndns/src/www/widgets/widgets/dyn_dns_status.widget.php
+++ /dev/null
@@ -1,172 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2008 Ermal Luçi
- * Copyright (C) 2013 Stanley P. Miller \ stan-qaz
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("widgets/include/dyn_dns_status.inc");
-require_once("interfaces.inc");
-require_once("plugins.inc.d/dyndns.inc");
-
-$a_dyndns = &config_read_array('dyndnses', 'dyndns');
-
-if (!empty($_REQUEST['getdyndnsstatus'])) {
-    $first_entry = true;
-    foreach ($a_dyndns as $dyndns) {
-        if ($first_entry) {
-            $first_entry = false;
-        } else {
-            // Put a vertical bar delimiter between the echoed HTML for each entry processed.
-            echo '|';
-        }
-
-        $filename = dyndns_cache_file($dyndns, 4);
-        $fdata = '';
-        if (!empty($dyndns['enable']) && file_exists($filename)) {
-            $ipaddr = get_dyndns_ip_address(dyndns_failover_interface($dyndns['interface'], 'all'), 4);
-            $fdata = @file_get_contents($filename);
-        }
-
-        $filename_v6 = dyndns_cache_file($dyndns, 6);
-        $fdata6 = '';
-        if (!empty($dyndns['enable']) && file_exists($filename_v6)) {
-            $ipv6addr = get_dyndns_ip_address(dyndns_failover_interface($dyndns['interface'], 'inet6'), 6);
-            $fdata6 = @file_get_contents($filename_v6);
-        }
-
-        if (!empty($fdata)) {
-            $cached_ip_s = explode('|', $fdata);
-            $cached_ip = $cached_ip_s[0];
-            echo sprintf(
-                '<span class="%s">%s</span>',
-                $ipaddr != $cached_ip ? 'text-danger' : '',
-                htmlspecialchars($cached_ip)
-            );
-        } elseif (!empty($fdata6)) {
-            $cached_ipv6_s = explode('|', $fdata6);
-            $cached_ipv6 = $cached_ipv6_s[0];
-            echo sprintf(
-                '<span class="%s">%s</span>',
-                $ipv6addr != $cached_ipv6 ? 'text-danger' : '',
-                htmlspecialchars($cached_ipv6)
-            );
-        } else {
-            echo gettext('N/A');
-        }
-    }
-    exit;
-}
-
-?>
-
-<table class="table table-striped table-condensed">
-  <thead>
-    <tr>
-        <th colspan="4">
-          <div class="alert alert-warning" role="alert">
-              <strong>
-                  <?=gettext("Please make sure to upgrade to os-ddclient before 23.7 is released as this plugin will be removed from our repository");?>
-              </strong>
-          </div>
-        </th>
-    </tr>
-    <tr>
-      <th style="word-break:break-word;"><?=gettext("Interface");?></th>
-      <th style="word-break:break-word;"><?=gettext("Service");?></th>
-      <th style="word-break:break-word;"><?=gettext("Hostname");?></th>
-      <th style="word-break:break-word;"><?=gettext("Cached IP");?></th>
-    </tr>
-  </thead>
-  <tbody>
-<?php
-  $iflist = get_configured_interface_with_descr();
-  $types = dyndns_list();
-  $groupslist = return_gateway_groups_array();
-  foreach ($a_dyndns as $i => $dyndns) :?>
-    <tr ondblclick="document.location='services_dyndns_edit.php?id=<?=$i;?>'">
-      <td style="word-break:break-word;" <?= isset($dyndns['enable']) ? '' : 'class="text-muted"' ?>>
-<?php
-        foreach ($iflist as $if => $ifdesc) {
-            if ($dyndns['interface'] == $if) {
-                echo "{$ifdesc}";
-                break;
-            }
-        }
-        foreach ($groupslist as $if => $group) {
-            if ($dyndns['interface'] == $if) {
-                echo "{$if}";
-                break;
-            }
-        }?>
-      </td>
-      <td style="word-break:break-word;" <?= isset($dyndns['enable']) ? '' : 'class="text-muted"' ?>>
-<?php
-        if (isset($types[$dyndns['type']])) {
-            echo htmlspecialchars($types[$dyndns['type']]);
-        } else {
-            echo htmlspecialchars($dyndns['type']);
-        }
-?>
-      </td>
-      <td style="word-break:break-word;" <?= isset($dyndns['enable']) ? '' : 'class="text-muted"' ?>>
-        <?= htmlspecialchars($dyndns['host']) ?>
-      </td>
-      <td style="word-break:break-word;" <?= isset($dyndns['enable']) ? '' : 'class="text-muted"' ?>>
-        <div id='dyndnsstatus<?=$i;?>'>
-          <?= gettext('Checking...') ?>
-        </div>
-      </td>
-    </tr>
-<?php
-  endforeach;?>
-  </tbody>
-</table>
-<script>
-  function dyndns_getstatus()
-  {
-      scroll(0,0);
-      var url = "/widgets/widgets/dyn_dns_status.widget.php";
-      var pars = 'getdyndnsstatus=yes';
-      jQuery.ajax(url, {type: 'get', data: pars, complete: dyndnscallback});
-      // Refresh the status every 5 minutes
-      setTimeout('dyndns_getstatus()', 5*60*1000);
-  }
-  function dyndnscallback(transport)
-  {
-      // The server returns a string of statuses separated by vertical bars
-      var responseStrings = transport.responseText.split("|");
-      for (var count=0; count<responseStrings.length; count++) {
-          var divlabel = '#dyndnsstatus' + count;
-          jQuery(divlabel).prop('innerHTML',responseStrings[count]);
-      }
-  }
-  $(window).on("load", function() {
-    // Do the first status check 2 seconds after the dashboard opens
-    setTimeout('dyndns_getstatus()', 2000);
-  });
-</script>

From 096318e9a4783a95c786e6a0b387e0008e8ed94f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 10:19:57 +0200
Subject: [PATCH 1488/3088] plugins: sync

---
 LICENSE   | 7 ++++---
 README.md | 1 -
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/LICENSE b/LICENSE
index 5cf7f7c4db..32794d4e75 100644
--- a/LICENSE
+++ b/LICENSE
@@ -3,17 +3,17 @@ Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2021 Axelrtgs
+Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2020 D. Domig
 Copyright (c) 2021 Dan Lundqvist
-Copyright (c) 2011 Dan Myers
 Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
 Copyright (c) 2014-2023 Deciso B.V.
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
-Copyright (c) 2008 Donovan Schonknecht
+Copyright (c) 2023 Dmitry Shinkaruk
 Copyright (c) 2006 Eric Friesen
 Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2016-2019 EURO-LOG AG
@@ -24,6 +24,7 @@ Copyright (c) 2016-2023 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021-2023 Jan Winkler
+Copyright (c) 2023 Jeremy Gutierrez
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
@@ -31,7 +32,7 @@ Copyright (c) 2019-2022 Juergen Kellerer
 Copyright (c) 2020-2021 Manuel Faux
 Copyright (c) 2021 Manuel Hofmann
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
-Copyright (c) 2020 Marc Leuser
+Copyright (c) 2023 Marc Bartelt
 Copyright (c) 2021 Marcel Koepfli
 Copyright (c) 2021 Markus Peter <mpeter@one-it.de>
 Copyright (c) 2022 Markus Reiter <me@reitermark.us>
diff --git a/README.md b/README.md
index 7c1cdc3696..63036e99ae 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,6 @@ devel/helloworld -- A sample framework application
 dns/bind -- BIND domain name service
 dns/ddclient -- Dynamic DNS client
 dns/dnscrypt-proxy -- Flexible DNS proxy supporting DNSCrypt and DoH
-dns/dyndns -- Dynamic DNS Support
 dns/rfc2136 -- RFC-2136 Support
 emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
 ftp/tftp -- TFTP server

From 8633ccb32b231df1e49781bdabb6aee1e0042786 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jul 2023 10:28:02 +0200
Subject: [PATCH 1489/3088] plugins: switch to next version

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index a26f74bfc6..178fbe0a4a 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -45,7 +45,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	23.1
+PLUGIN_ABI?=	23.7
 .endif
 
 PHPBIN=		${LOCALBASE}/bin/php

From 9afb89ba66b85dfde391a5e298983503c9603a80 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Jul 2023 09:39:14 +0200
Subject: [PATCH 1490/3088] security/acme-client: no 3.19 yet and 3.18 includes
 this on RC1

---
 security/acme-client/pkg-descr | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 52b7fb2ee3..69c0bc07aa 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,16 +8,12 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
-3.19
-
-Added:
-* add Google Domains DNS API
-
 3.18
 
 Added:
 * add support for TrueNAS deployhook (#3421)
 * add support for Proxmox VE deployhook (#3422)
+* add Google Domains DNS API
 
 3.17
 

From dd511eaa590e83c7d8838ccb9bd3eb66495ef623 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 24 Jul 2023 10:37:59 +0200
Subject: [PATCH 1491/3088] dns/rfc2136: allow trailing dot in keyname #3510

---
 dns/rfc2136/Makefile                          | 1 +
 dns/rfc2136/src/www/services_rfc2136_edit.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index dac21994a5..fa96105ebf 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.8
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/www/services_rfc2136_edit.php b/dns/rfc2136/src/www/services_rfc2136_edit.php
index 4e093462b4..8702129a37 100644
--- a/dns/rfc2136/src/www/services_rfc2136_edit.php
+++ b/dns/rfc2136/src/www/services_rfc2136_edit.php
@@ -87,7 +87,7 @@
     if (!empty($pconfig['ttl']) && !is_numericint($pconfig['ttl'])) {
         $input_errors[] = gettext("The DNS update TTL must be an integer.");
     }
-    if (!empty($pconfig['keyname']) && !is_domain($pconfig['keyname'])) {
+    if (!empty($pconfig['keyname']) && !is_domain(preg_replace('/\.$/', '', $pconfig['keyname']))) {
         $input_errors[] = gettext("The DNS update key name contains invalid characters.");
     }
     if (!in_array($pconfig['keyalgo'] , array_keys($nsukeyalgos))) {

From 8de007770cd948c7450edbbe95ca7390bdfb1588 Mon Sep 17 00:00:00 2001
From: Simon Fischer <simi.fischa@gmail.com>
Date: Tue, 25 Jul 2023 11:04:55 +0200
Subject: [PATCH 1492/3088] dns/bind: add DNAME support (#3509)

---
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
index 733dda90bd..bd520cb797 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
@@ -31,6 +31,7 @@
                         <AAAA>AAAA</AAAA>
                         <CAA>CAA</CAA>
                         <CNAME>CNAME</CNAME>
+                        <DNAME>DNAME</DNAME>
                         <DNSKEY>DNSKEY</DNSKEY>
                         <DS>DS</DS>
                         <MX>MX</MX>

From 3505919407f0864e3b4d9e44595bb18a09a99b0f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Jul 2023 08:23:07 +0200
Subject: [PATCH 1493/3088] dns/bind: mini release

---
 dns/bind/Makefile  | 3 +--
 dns/bind/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 2bcc8648dd..e78625cad9 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.26
-PLUGIN_REVISION=	5
+PLUGIN_VERSION=		1.27
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index b995ce64f5..2b15382ee7 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.27
+
+* Add DNAME support (contributed by Simon Fischer)
+
 1.26
 
 * Allow multiple ACLs to be selected for Transfers/Queries (contributed by Robbert Rijkse)

From ce6803cd5c8c0671957ec2396232aa5ca1778df0 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 27 Jul 2023 16:14:38 +0200
Subject: [PATCH 1494/3088] net/firewall: Make interface optional (like
 floating) (#3512)

---
 net/firewall/Makefile                                         | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index d63450cecc..48b15d7f04 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 3655695e30..c34561e09e 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Firewall/Filter</mount>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <migration_prefix>MFP</migration_prefix>
     <description>
         OPNsense firewall filter rules
@@ -33,7 +33,7 @@
                     <Required>Y</Required>
                 </quick>
                 <interface type="InterfaceField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <multiple>Y</multiple>
                     <default>lan</default>
                     <AllowDynamic>Y</AllowDynamic>

From 2ec2789a540f314c2fa75c8cd6223e52dfcb0c12 Mon Sep 17 00:00:00 2001
From: Oliver Hartl <hello@ohartl.de>
Date: Sun, 16 Jul 2023 16:22:39 +0200
Subject: [PATCH 1495/3088] security/acme-client: Add ipv64.net support Adds
 support for IPv64.net DNS-01 ACME challenge API added to latest upstream
 acme.sh.

https://ipv64.net/

see acmesh-official/acme.sh#4420
---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsIpv64.php      | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 4 files changed, 59 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIpv64.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 69c0bc07aa..f831d6b25d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,7 @@ Added:
 * add support for TrueNAS deployhook (#3421)
 * add support for Proxmox VE deployhook (#3422)
 * add Google Domains DNS API
+* add IPv64.net DNS API
 
 3.17
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 63dcc1a3a1..195f519f7b 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -648,6 +648,16 @@
         <label>Secret</label>
         <type>password</type>
     </field>
+    <field>
+        <label>IPv64.net API</label>
+        <type>header</type>
+        <style>table_dns table_dns_ipv64</style>
+    </field>
+    <field>
+        <id>validation.dns_ipv64_token</id>
+        <label>IPv64.net API Token</label>
+        <type>password</type>
+    </field>
     <field>
         <label>IPSConfig</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIpv64.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIpv64.php
new file mode 100644
index 0000000000..0320f3402c
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsIpv64.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Oliver Hartl
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * IPv64.net API
+ * @package OPNsense\AcmeClient
+ */
+class DnsIpv64 extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['IPv64_Token'] = (string)$this->config->dns_ipv64_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index ec0d1273f4..4d3a630551 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -466,6 +466,7 @@
                         <dns_infomaniak>Infomaniak</dns_infomaniak>
                         <dns_inwx>INWX XMLRPC</dns_inwx>
                         <dns_ionos>IONOS domain</dns_ionos>
+                        <dns_ipv64>IPv64.net</dns_ipv64>
                         <dns_ispconfig>ISPConfig 3.1+</dns_ispconfig>
                         <dns_jd>JD Cloud</dns_jd>
                         <dns_joker>Joker</dns_joker>
@@ -711,6 +712,9 @@
                 <dns_ionos_secret type="TextField">
                     <Required>N</Required>
                 </dns_ionos_secret>
+                <dns_ipv64_token type="TextField">
+                    <Required>N</Required>
+                </dns_ipv64_token>
                 <dns_ispconfig_user type="TextField">
                     <Required>N</Required>
                 </dns_ispconfig_user>

From c9c2a7546042f345b37cb006faddfb4c756c82b1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 31 Jul 2023 15:29:28 +0200
Subject: [PATCH 1496/3088] dns/ddclient - add "post" protocol in custom
 service type. for https://github.com/opnsense/plugins/pull/3511

Explain __MYIP__ and __HOSTNAME__ usage in server help text, while here add some missing @staticmethod decorators in various accounts. Make sure the server fields either validates a domain or an uri, depending on the protocol selected.
---
 dns/ddclient/Makefile                         |  4 +-
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |  5 +-
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.php | 44 ++++++++++++++++-
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  6 +--
 .../scripts/ddclient/lib/account/__init__.py  |  1 +
 .../scripts/ddclient/lib/account/azure.py     |  1 +
 .../ddclient/lib/account/cloudflare.py        |  1 +
 .../scripts/ddclient/lib/account/dyndns2.py   | 49 ++++++++++++-------
 8 files changed, 85 insertions(+), 26 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 091f84ceee..d2d3a3d02c 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.14
+#PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index c0aac07e9f..7afd4b9c47 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -27,7 +27,10 @@
         <id>account.server</id>
         <label>Server</label>
         <type>text</type>
-        <help>DynDNS Server</help>
+        <help>DynDNS Server hostname or uri to use (depending on the protocol).
+         When a URI is provided, the tag __MYIP__ will be replaced with the current detected address for this service
+         and __HOSTNAME__ will contain the (comma separated) list of hostnames provided.
+         </help>
         <style>optional_setting service_custom</style>
     </field>
     <field>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
index 00726445e7..969d526910 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2021 Deciso B.V.
+ * Copyright (C) 2021-2023 Deciso B.V.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28,6 +28,7 @@
 
  namespace OPNsense\DynDNS;
 
+ use Phalcon\Messages\Message;
  use OPNsense\Base\BaseModel;
 
  /**
@@ -36,4 +37,45 @@
   */
 class DynDNS extends BaseModel
 {
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+        $validate_servers = [];
+        foreach ($this->getFlatNodes() as $key => $node) {
+            $tagName = $node->getInternalXMLTagName();
+            $parentNode = $node->getParentNode();
+            if ($validateFullModel || $node->isFieldChanged()) {
+                if ($parentNode->getInternalXMLTagName() === 'account' && in_array($tagName, ['protocol', 'server'])) {
+                    $parentKey = $parentNode->__reference;
+                    $validate_servers[$parentKey] = $parentNode;
+                }
+            }
+        }
+        foreach ($validate_servers as $key => $node) {
+            if ((string)$node->service != 'custom') {
+                continue;
+            }
+            $srv = (string)$node->server;
+            if  ((string)$node->protocol == 'post') {
+                if (empty($srv) || filter_var($srv, FILTER_VALIDATE_URL) === false) {
+                    $messages->appendMessage(
+                        new Message(
+                            gettext("A valid URI is required."),
+                            $key . ".server"
+                        )
+                    );
+                }
+            } else {
+                if (empty($srv) || filter_var($srv, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
+                    $messages->appendMessage(
+                        new Message(
+                            gettext("A valid domain is required."),
+                            $key . ".server"
+                        )
+                    );
+                }
+            }
+        }
+        return $messages;
+    }
 }
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index a04ca37949..1bc908dec0 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -93,11 +93,11 @@
                     <OptionValues>
                         <dyndns1>DynDns1</dyndns1>
                         <dyndns2>DynDns2</dyndns2>
+                        <post>custom POST</post>
                     </OptionValues>
                 </protocol>
-                <server type="HostnameField">
+                <server type="TextField">
                     <Required>N</Required>
-                    <IpAllowed>N</IpAllowed>
                 </server>
                 <username type="TextField">
                     <Required>N</Required>
@@ -105,7 +105,7 @@
                     <ValidationMessage>The username contains invalid characters.</ValidationMessage>
                 </username>
                 <password type="UpdateOnlyTextField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                     <mask>/^[^\n]*$/</mask>
                 </password>
                 <resourceId type="TextField">
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
index b74f08c3cc..e143cc28b3 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
@@ -120,6 +120,7 @@ def execute(self):
             interface = self.settings['interface'] if self.settings.get('interface' ,'').strip() != '' else None
         )
 
+
         if self._current_address != '' and (
                 self._state.get('ip') is None or
                 self._current_address != self._state.get('ip') or
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
index 11fd3c6370..64a635ab0c 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
@@ -84,6 +84,7 @@ def __init__(self, account: dict):
     def known_services():
         return  Azure._services
 
+    @staticmethod
     def match(account):
         return account.get('service') in Azure._services
 
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
index 388c2b1471..1fd15ada87 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
@@ -44,6 +44,7 @@ def __init__(self, account: dict):
     def known_services():
         return  Cloudflare._services.keys()
 
+    @staticmethod
     def match(account):
         return account.get('service') in Cloudflare._services
 
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
index e53b14c837..aef23eb435 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -55,35 +55,46 @@ def __init__(self, account: dict):
     def known_services():
         return  list(DynDNS2._services.keys()) + ['custom']
 
+    @staticmethod
     def match(account):
-        if account.get('service') in DynDNS2._services or (
-            account.get('server') is not None and account.get('protocol') in ['dyndns2', 'dyndns1']
-        ):
+        if account.get('service') in DynDNS2.known_services():
             return True
         else:
             return False
 
     def execute(self):
         if super().execute():
-            proto = 'https' if self.settings.get('force_ssl', False) else 'http'
-            if self.settings.get('service') in self._services:
-                url = "%s://%s/nic/update" % (proto, self._services[self.settings.get('service')])
+            protocol = self.settings.get('protocol', None)
+            if protocol == 'post':
+                url = self.settings.get('server')
+                url = url.replace('__MYIP__', self.current_address)
+                url = url.replace('__HOSTNAME__', self.settings.get('hostnames'))
+                req = requests.post(
+                    url=url,
+                    headers={'User-Agent': 'OPNsense-dyndns'},
+                    auth=HTTPBasicAuth(self.settings.get('username'), self.settings.get('password'))
+                )
             else:
-                url = "%s://%s/nic/update" % (proto, self.settings.get('server'))
+                uri_proto = 'https' if self.settings.get('force_ssl', False) else 'http'
+                if self.settings.get('service') in self._services:
+                    url = "%s://%s/nic/update" % (uri_proto, self._services[self.settings.get('service')])
+                else:
+                    url = "%s://%s/nic/update" % (uri_proto, self.settings.get('server'))
 
-            req_opts = {
-                'url': url,
-                'params': {
-                    'hostname': self.settings.get('hostnames'),
-                    'myip': self.current_address,
-                    'wildcard': 'ON' if self.settings.get('wildcard', False) else 'NOCHG'
-                },
-                'auth': HTTPBasicAuth(self.settings.get('username'), self.settings.get('password')),
-                'headers': {
-                    'User-Agent': 'OPNsense-dyndns'
+                req_opts = {
+                    'url': url,
+                    'params': {
+                        'hostname': self.settings.get('hostnames'),
+                        'myip': self.current_address,
+                        'wildcard': 'ON' if self.settings.get('wildcard', False) else 'NOCHG'
+                    },
+                    'auth': HTTPBasicAuth(self.settings.get('username'), self.settings.get('password')),
+                    'headers': {
+                        'User-Agent': 'OPNsense-dyndns'
+                    }
                 }
-            }
-            req = requests.get(**req_opts)
+                req = requests.get(**req_opts)
+
             if req.status_code == 200:
                 if self.is_verbose:
                     syslog.syslog(

From fea4f7eb188dbc540f6f019334bcdf50ab98140c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Aug 2023 08:42:31 +0200
Subject: [PATCH 1497/3088] dns/bind: safeguard this as well

---
 dns/bind/Makefile                                             | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/Bind/General.php     | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index e78625cad9..f0efb83354 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.27
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
index b2cff5a82d..3f73c40c4f 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
@@ -47,6 +47,10 @@ public function performValidation($validateFullModel = false)
                 if (empty($service['dns_ports'])) {
                     continue;
                 }
+                if (!is_array($service['dns_ports'])) {
+                    syslog(LOG_ERR, sprintf('Service %s (%s) reported a faulty "dns_ports" entry.', $service['description'], $service['name']));
+                    continue;
+                }
                 if ($service['name'] != 'named' && in_array((string)$this->port, $service['dns_ports'])) {
                     $messages->appendMessage(new Message(
                         sprintf(gettext('%s is currently using this port.'), $service['description']),

From 135428113bc1b6387ca4076e7454fe84d4a86e75 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Aug 2023 08:43:30 +0200
Subject: [PATCH 1498/3088] dns/dnscrypt-proxy: safeguard

---
 dns/dnscrypt-proxy/Makefile                                   | 1 +
 .../mvc/app/models/OPNsense/Dnscryptproxy/General.php         | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 9002f978e5..42bf7e5446 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.14
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
index e8ddbafa38..7250e8d171 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
@@ -63,6 +63,10 @@ public function performValidation($validateFullModel = false)
                 if (empty($service['dns_ports'])) {
                     continue;
                 }
+                if (!is_array($service['dns_ports'])) {
+                    syslog(LOG_ERR, sprintf('Service %s (%s) reported a faulty "dns_ports" entry.', $service['description'], $service['name']));
+                    continue;
+                }
                 if ($service['name'] != 'dnscrypt-proxy' && count(array_intersect(array_keys($ports), $service['dns_ports']))) {
                     $messages->appendMessage(new Message(
                         sprintf(gettext('%s is currently using one of these ports.'), $service['description']),

From 7c51b8e6c98ea1c98b29f0c5c02459253b6831af Mon Sep 17 00:00:00 2001
From: Jan Winkler <jan.winkler@markt.de>
Date: Tue, 1 Aug 2023 17:18:07 +0200
Subject: [PATCH 1499/3088] security/acme: expose new values for TrueNAS
 deployhook, closes #3516

---
 security/acme-client/pkg-descr                 |  1 +
 .../OPNsense/AcmeClient/forms/dialogAction.xml | 18 ++++++++++++++++++
 .../AcmeClient/LeAutomation/AcmeProxmoxve.php  |  3 +++
 .../models/OPNsense/AcmeClient/AcmeClient.xml  | 15 ++++++++++++++-
 4 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 69c0bc07aa..66d3fc5891 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 Added:
 * add support for TrueNAS deployhook (#3421)
 * add support for Proxmox VE deployhook (#3422)
+* add server,port and node name values for Proxmox VE deployhook (#3516)
 * add Google Domains DNS API
 
 3.17
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 58d92f24c7..905f1d49fb 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -294,6 +294,24 @@
         <type>text</type>
         <help>The user who owns the API key. Defaults to root.</help>
     </field>
+    <field>
+        <id>action.acme_proxmoxve_server</id>
+        <label>Proxmox VE server</label>
+        <type>text</type>
+        <help>The hostname of the proxmox ve node.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxve_port</id>
+        <label>Proxmox VE server port</label>
+        <type>text</type>
+        <help>The port number the management interface is on. Defaults to 8006.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxve_nodename</id>
+        <label>Proxmox VE node name</label>
+        <type>text</type>
+        <help>The name of the node we will be connecting to.</help>
+    </field>
     <field>
         <id>action.acme_proxmoxve_realm</id>
         <label>Proxmox VE realm</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxve.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxve.php
index 6e4c8e16f0..4ac4ba46e9 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxve.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxve.php
@@ -39,6 +39,9 @@ class AcmeProxmoxve extends Base implements LeAutomationInterface
     public function prepare()
     {
         $this->acme_env['DEPLOY_PROXMOXVE_USER'] = (string)$this->config->acme_proxmoxve_user;
+        $this->acme_env['DEPLOY_PROXMOXVE_SERVER'] = (string)$this->config->acme_proxmoxve_server;
+        $this->acme_env['DEPLOY_PROXMOXVE_SERVER_PORT'] = (string)$this->config->acme_proxmoxve_port;
+        $this->acme_env['DEPLOY_PROXMOXVE_NODE_NAME'] = (string)$this->config->acme_proxmoxve_nodename;
         $this->acme_env['DEPLOY_PROXMOXVE_USER_REALM'] = (string)$this->config->acme_proxmoxve_realm;
         $this->acme_env['DEPLOY_PROXMOXVE_API_TOKEN_NAME'] = (string)$this->config->acme_proxmoxve_tokenid;
         $this->acme_env['DEPLOY_PROXMOXVE_API_TOKEN_KEY'] = (string)$this->config->acme_proxmoxve_tokenkey;
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index ec0d1273f4..fd315ba4d0 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1395,10 +1395,23 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_user>
+                <acme_proxmoxve_server type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxve_server>
+                <acme_proxmoxve_port type="PortField">
+                    <default>8006</default>
+                    <Required>N</Required>
+                </acme_proxmoxve_port>
+                <acme_proxmoxve_nodename type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxve_nodename>
                 <acme_proxmoxve_realm type="TextField">
                     <default>pam</default>
                     <Required>N</Required>
-                    <Required>N</Required>
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_realm>

From 93e60461e1a6f2133c7542e469d2966bfb3f7526 Mon Sep 17 00:00:00 2001
From: Kariton <67470612+Kariton@users.noreply.github.com>
Date: Thu, 3 Aug 2023 03:16:28 +0200
Subject: [PATCH 1500/3088] Add "friendly_name" to wg config for prom wg
 exporter

This adds '# friendly_name = {{ peerlist2_data.name }}" for each peer.
---
 .../service/templates/OPNsense/Wireguard/wireguard-server.conf   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
index e76aaf1fac..355ea0815f 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
@@ -30,6 +30,7 @@ PostDown = route {{- ' -6' if ':' in server_list.gateway }} del {{ server_list.g
 {%             if peerlist2_data != {} and peerlist2_data.enabled == '1' %}
 
 [Peer]
+# friendly_name = {{ peerlist2_data.name }}
 PublicKey = {{ peerlist2_data.pubkey }}
 {%               if peerlist2_data.psk|default('') != '' %}
 PresharedKey = {{ peerlist2_data.psk }}

From 3635417247d929086f9ecb550a3f2645190fe791 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 4 Aug 2023 14:13:28 +0200
Subject: [PATCH 1501/3088] security/acme-client: bump version, update
 changelog

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 6f2df7bd3d..00a0327dea 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.18
+PLUGIN_VERSION=		3.19
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 2b4b77a796..b0adf45c98 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,14 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.19
+
+Added:
+* add IPv64.net DNS API (#3504)
+
+Fixed:
+* fix Proxmox VE deployhook (#3517)
+
 3.18
 
 Added:
@@ -15,7 +23,6 @@ Added:
 * add support for Proxmox VE deployhook (#3422)
 * add server,port and node name values for Proxmox VE deployhook (#3516)
 * add Google Domains DNS API
-* add IPv64.net DNS API
 
 3.17
 

From d50fc1f4a737e3e86ee8c65fc8f0a2f26eca23d5 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 5 Aug 2023 14:40:57 +0200
Subject: [PATCH 1502/3088] net/frr - fix rc issue, frr_setup isn't called, but
 _setup is called for each sub service. let's tag this on zebra_setup as this
 will always be executed first. for
 https://github.com/opnsense/plugins/issues/3521

---
 net/frr/Makefile                                           | 1 +
 net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index d07fdad5a8..7166744188 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.34
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index d95013c2f3..a740765bc5 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -1,5 +1,5 @@
 {% if helpers.exists('OPNsense.quagga.general.enabled') and OPNsense.quagga.general.enabled == '1' %}
-frr_setup="/usr/local/opnsense/scripts/quagga/setup.sh"
+zebra_setup="/usr/local/opnsense/scripts/quagga/setup.sh"
 frr_enable="YES"
 {% if helpers.exists('OPNsense.quagga.general.enablecarp') and OPNsense.quagga.general.enablecarp == '1' %}
 start_precmd="ifconfig | grep 'carp: MASTER'"

From 41b34ced08150de66a05d2366aaf8d83abccd66b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 7 Aug 2023 08:14:19 +0200
Subject: [PATCH 1503/3088] dns/ddclient: prep for release

---
 dns/ddclient/Makefile  | 1 -
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index d2d3a3d02c..68ef2b8854 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.14
-#PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index e6ad375a34..7fd2112ef5 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.14
+
+* Add "post" protocol in custom service type
+
 1.13
 
 * Fix not returning IP address as a string in Python backend (contributed by Sean Kelly)

From eeb3852e18c48fa86546ac727ca91ab570ee5ca7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 7 Aug 2023 08:15:48 +0200
Subject: [PATCH 1504/3088] net/wireguard: revision bump

---
 net/wireguard/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index b1392614a8..72c6bf8975 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	6
+PLUGIN_REVISION=	7
 PLUGIN_COMMENT=		WireGuard VPN service
 PLUGIN_DEPENDS=		wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 2c943b4de4d5afaab83172e558479c632ee6dd4d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 7 Aug 2023 09:42:53 +0200
Subject: [PATCH 1505/3088] net/frr: annotate and fix weird rc.d handling

While here move two files out of legacy "quagga" dirs.
---
 net/frr/Makefile                              |  2 +-
 .../views/OPNsense/Quagga/diagnostics.volt    |  2 +-
 .../opnsense/scripts/{quagga => frr}/setup.sh |  0
 .../service/templates/OPNsense/Quagga/frr     | 20 ++++++++++++++-----
 .../js/{quagga => frr}/diagnostics_utils.js   |  0
 5 files changed, 17 insertions(+), 7 deletions(-)
 rename net/frr/src/opnsense/scripts/{quagga => frr}/setup.sh (100%)
 rename net/frr/src/opnsense/www/js/{quagga => frr}/diagnostics_utils.js (100%)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 7166744188..17444277b7 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
index 6b15eb68f3..0307fbbf26 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
@@ -29,7 +29,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
 #}
 
-<script src="{{ cache_safe('/ui/js/quagga/diagnostics_utils.js') }}"></script>
+<script src="{{ cache_safe('/ui/js/frr/diagnostics_utils.js') }}"></script>
 
 <style>
     .searchbox {
diff --git a/net/frr/src/opnsense/scripts/quagga/setup.sh b/net/frr/src/opnsense/scripts/frr/setup.sh
similarity index 100%
rename from net/frr/src/opnsense/scripts/quagga/setup.sh
rename to net/frr/src/opnsense/scripts/frr/setup.sh
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index a740765bc5..d85566ce8e 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -1,5 +1,7 @@
 {% if helpers.exists('OPNsense.quagga.general.enabled') and OPNsense.quagga.general.enabled == '1' %}
-zebra_setup="/usr/local/opnsense/scripts/quagga/setup.sh"
+# XXX rc.d/frr splits up defunct "frr" service into frr_daemons
+# and we always start "zebra" so for now this works:
+zebra_setup="/usr/local/opnsense/scripts/frr/setup.sh"
 frr_enable="YES"
 {% if helpers.exists('OPNsense.quagga.general.enablecarp') and OPNsense.quagga.general.enablecarp == '1' %}
 start_precmd="ifconfig | grep 'carp: MASTER'"
@@ -16,13 +18,21 @@ frr_carp_demote="{%
     if not helpers.empty('OPNsense.quagga.ospf.carp_demote') %} ospfd{% endif %}{%
     if not helpers.empty('OPNsense.quagga.ospf6.carp_demote') %} ospf6d{% endif
 %}"
-start_postcmd="/usr/local/opnsense/scripts/frr/carp_event_handler"
-{% else %}
-frr_enable="NO"
-{% endif %}
+start_postcmd='
+	# XXX rc.d/frr declares its own post command we need to hook first
+	start_postcmd
+	# XXX rc.d/frr iterates through daemons so we need to hook last one
+	if [ "${frr_daemons}" != "${frr_daemons% ${name}}" ]; then
+		echo "Starting CARP event handler now"
+		/usr/local/opnsense/scripts/frr/carp_event_handler
+	fi
+'
 {% if OPNsense.quagga.general.enablesnmp == '1' %}
 zebra_flags="${zebra_flags} -M snmp"
 bgpd_flags="${bgpd_flags} -M snmp"
 ospf_flags="${ospf_flags} -M snmp"
 ospf6_flags="${ospf6_flags} -M snmp"
 {% endif %}
+{% else %}
+frr_enable="NO"
+{% endif %}
diff --git a/net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js b/net/frr/src/opnsense/www/js/frr/diagnostics_utils.js
similarity index 100%
rename from net/frr/src/opnsense/www/js/quagga/diagnostics_utils.js
rename to net/frr/src/opnsense/www/js/frr/diagnostics_utils.js

From b322618abb0b8769e8dc064ee03671a81ce95f7f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 8 Aug 2023 09:59:23 +0200
Subject: [PATCH 1506/3088] dns/ddclient: support new protocols; closes #2900

---
 dns/ddclient/pkg-descr                                        | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml    | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 7fd2112ef5..4a1e2f9ab6 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.14
 
 * Add "post" protocol in custom service type
+* Add DNSExit API and regfish.de support
 
 1.13
 
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 1bc908dec0..7557c5fe46 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -51,7 +51,8 @@
                         <dinahosting>dinahosting</dinahosting>
                         <dnsmadeeasy>DNS Made Easy (digicert)</dnsmadeeasy>
                         <dns-o-matic>DNS-O-Matic</dns-o-matic>
-                        <dnsexit>DNSExit</dnsexit>
+                        <dnsexit2>DNSExit API</dnsexit2>
+                        <dnsexit>DNSExit Legacy</dnsexit>
                         <dyndns2>DynDNS.com</dyndns2>
                         <dnspark>DnsPark</dnspark>
                         <dslreports1>DSLReports</dslreports1>
@@ -77,6 +78,7 @@
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
                         <nsupdatev6>nsupdate.info (IPv6)</nsupdatev6>
                         <ovh>OVHcloud DynHost</ovh>
+                        <regfishde>regfish.de</regfishde>
                         <servercow>Servercow</servercow>
                         <sitelutions>Sitelutions</sitelutions>
                         <spdyn>spDYN</spdyn>

From c9c4f8d4d8a8b84a949cdd5b907889e5d6c3c1b6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Tue, 8 Aug 2023 13:04:35 +0200
Subject: [PATCH 1507/3088] net/relayd - sync with OpenBSD  (#3527)

* net/relayd - sync with OpenBSD (https://github.com/freebsd/freebsd-ports/commit/c9ba90c07ddc5b9f4232f831cf301fdc939303f3)

* net/relayd - sync with OpenBSD [2] missing "check send" ssl as reported by @fbrendel
---
 net/relayd/Makefile                           |  2 +-
 .../OPNsense/Relayd/Api/StatusController.php  | 12 +++---
 .../OPNsense/Relayd/Migrations/M1_0_5.php     | 43 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Relayd/Relayd.xml |  4 +-
 .../templates/OPNsense/Relayd/relayd.conf     |  9 ++--
 5 files changed, 58 insertions(+), 12 deletions(-)
 create mode 100644 net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Migrations/M1_0_5.php

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 93bb7a3fda..f826734883 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		relayd
-PLUGIN_VERSION=		2.7
+PLUGIN_VERSION=		2.8
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
index 8f10376439..879bd22115 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
@@ -47,13 +47,13 @@ class StatusController extends ApiControllerBase
      */
     public function sumAction($wait = 0)
     {
-        $result = array("result" => "failed");
+        $result = ["result" => "failed"];
         $backend = new Backend();
         $relaydMdl = new Relayd();
 
         // when $wait is set, try for max 10 seconds to receive a sensible status (wait for unknowns to resolve)
         $max_tries = !empty($wait) ? 10 : 1;
-        $output = array();
+        $output = [];
         for ($i = 0; $i < $max_tries; $i++) {
             $output = explode("\n", trim($backend->configdRun('relayd summary')));
             $unknowns = 0;
@@ -75,8 +75,8 @@ public function sumAction($wait = 0)
         $virtualServerId = 0;
         $virtualServerType = '';
         $tableId = 0;
-        $virtualserver = array();
-        $rows = array();
+        $virtualserver = [];
+        $rows = [];
         foreach ($output as $line) {
             $words = array_map('trim', explode("\t", $line));
             $id = $words[0];
@@ -138,7 +138,7 @@ public function sumAction($wait = 0)
                 $virtualserver['id'] = $id;
                 $virtualserver['type'] = $type;
                 $virtualserver['name'] = $words[2];
-                $virtualserver['status'] = $words[4];
+                $virtualserver['status'] = $words[4] ?? null;
                 $objs = $relaydMdl->getObjectsByAttribute("virtualserver", "name", $virtualserver['name']);
                 if (count($objs) > 0) {
                     $obj = $objs[0];
@@ -200,7 +200,7 @@ public function sumAction($wait = 0)
      */
     public function toggleAction($nodeType = null, $id = null, $action = null)
     {
-        $result = array("result" => "failed", "function" => "toggle");
+        $result = ["result" => "failed", "function" => "toggle"];
         if ($this->request->isPost()) {
             $this->sessionClose();
             $backend = new Backend();
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Migrations/M1_0_5.php b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Migrations/M1_0_5.php
new file mode 100644
index 0000000000..7c4664ae9e
--- /dev/null
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Migrations/M1_0_5.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Relayd\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M1_0_5 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->tablecheck->iterateItems() as $tablecheck) {
+            if ($tablecheck->type == 'ssl') {
+                $tablecheck->type = 'tls';
+            }
+        }
+    }
+}
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index 985f0e23de..258669c378 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -1,6 +1,6 @@
 <model>
    <mount>//OPNsense/relayd</mount>
-   <version>1.0.4</version>
+   <version>1.0.5</version>
    <description>Relayd settings</description>
    <items>
       <general>
@@ -113,7 +113,7 @@
             <OptionValues>
                <icmp>ICMP</icmp>
                <tcp>TCP</tcp>
-               <ssl>SSL</ssl>
+               <tls>TLS</tls>
                <send>SEND</send>
                <script>SCRIPT</script>
                <http>HTTP</http>
diff --git a/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf b/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
index b4d3fb121e..bd25e98106 100644
--- a/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
+++ b/net/relayd/src/opnsense/service/templates/OPNsense/Relayd/relayd.conf
@@ -7,7 +7,10 @@
 interval {{ OPNsense.relayd.general.interval }}
 {%  endif %}
 {%  if helpers.exists('OPNsense.relayd.general.log') %}
-log {{ OPNsense.relayd.general.log }}
+log state changes
+{%    if OPNsense.relayd.general.log == 'all' %}
+log host checks
+{%    endif %}
 {%  endif %}
 {%  if helpers.exists('OPNsense.relayd.general.prefork') %}
 prefork {{ OPNsense.relayd.general.prefork }}
@@ -107,7 +110,7 @@ disable
 {%          elif tablecheck.type == 'send' and tablecheck.expect is defined %}
 {%            set _tablecheck = 'check ' ~ tablecheck.type ~ ' "' ~ tablecheck.data ~ '" expect "' ~ tablecheck.expect ~ '"' %}
 {%            if tablecheck.ssl|default('0') == '1' %}
-{%              set _tablecheck = _tablecheck ~ ' ssl' %}
+{%              set _tablecheck = _tablecheck ~ ' tls' %}
 {%            endif %}
 {%          else %}
 {%            set _tablecheck = 'check ' ~ tablecheck.type %}
@@ -142,7 +145,7 @@ disable
 {%          elif backuptablecheck.type == 'send' and backuptablecheck.expect is defined %}
 {%            set _backuptablecheck = 'check ' ~ backuptablecheck.type ~ ' "' ~ backuptablecheck.data ~ '" expect "' ~ backuptablecheck.expect ~ '"' %}
 {%            if backuptablecheck.ssl|default('0') == '1' %}
-{%              set _backuptablecheck = _backuptablecheck ~ ' ssl' %}
+{%              set _backuptablecheck = _backuptablecheck ~ ' tls' %}
 {%            endif %}
 {%          else %}
 {%            set _backuptablecheck = 'check ' ~ backuptablecheck.type %}

From 94fcdedf5f403df00ae490d189575344baa55424 Mon Sep 17 00:00:00 2001
From: Andrew <andrew.hotlab@hotmail.com>
Date: Tue, 8 Aug 2023 18:16:01 +0200
Subject: [PATCH 1508/3088] security/tinc: add support for "StrictSubnets"
 variable (#3528)

---
 .../controllers/OPNsense/Tinc/forms/dialogNetwork.xml    | 9 +++++++++
 .../src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml   | 4 ++++
 .../src/opnsense/scripts/OPNsense/Tinc/lib/objects.py    | 8 ++++++++
 .../service/templates/OPNsense/Tinc/tinc_deploy.xml      | 1 +
 4 files changed, 22 insertions(+)

diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
index 1b2087b947..2545c37308 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
@@ -32,6 +32,15 @@
           If the other end doesn't respond within this time, the connection is terminated, and the others will be notified of this.
         </help>
     </field>
+    <field>
+        <id>network.StrictSubnets</id>
+        <label>StrictSubnets</label>
+        <type>checkbox</type>
+        <help>When this option is enabled tinc will only use Subnet statements which are present in the host config files in the local /etc/tinc/netname/hosts/ directory.
+          Subnets learned via connections to other nodes and which are not present in the local host config files are ignored.
+        </help>
+        <advanced>true</advanced>
+    </field>
     <field>
       <id>network.cipher</id>
       <label>Cipher</label>
diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index f3aa3805cf..91e71145af 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -60,6 +60,10 @@
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Ping timeout must be between 1...65535</ValidationMessage>
                 </pingtimeout>
+                    <StrictSubnets type="BooleanField">
+                        <default>0</default>
+                        <Required>N</Required>
+                    </StrictSubnets>
                 <privkey type="TextField">
                     <Required>Y</Required>
                 </privkey>
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
index d35db341ac..bd913af8d3 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
@@ -69,6 +69,7 @@ def __init__(self):
         self._payload['debuglevel'] = 'd0'
         self._payload['mode'] = 'switch'
         self._payload['PMTUDiscovery'] = 'yes'
+        self._payload['StrictSubnets'] = 'no'
         self._hosts = list()
 
     def get_id(self):
@@ -99,6 +100,12 @@ def set_PMTUDiscovery(self, value):
         else:
             self._payload['PMTUDiscovery'] = 'yes'
 
+    def set_StrictSubnets(self, value):
+        if value.text != '1':
+            self._payload['StrictSubnets'] = 'no'
+        else:
+            self._payload['StrictSubnets'] = 'yes'
+
     def config_text(self):
         result = list()
         result.append('AddressFamily=any')
@@ -106,6 +113,7 @@ def config_text(self):
         result.append('PMTUDiscovery=%(PMTUDiscovery)s' % self._payload)
         result.append('Port=%(port)s' % self._payload)
         result.append('PingTimeout=%(pingtimeout)s' % self._payload)
+        result.append('StrictSubnets=%(StrictSubnets)s' % self._payload)
         for host in self._hosts:
             if host.connect_to_this_host():
                 result.append('ConnectTo = %s' % (host.get_hostname(),))
diff --git a/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml b/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
index 746cf3ece4..f8120fca1d 100644
--- a/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
+++ b/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
@@ -14,6 +14,7 @@
         <port>{{network.extport}}</port>
         <debuglevel>{{network.debuglevel}}</debuglevel>
         <pingtimeout>{{network.pingtimeout}}</pingtimeout>
+        <StrictSubnets>{{network.StrictSubnets}}</StrictSubnets>
         <hosts>
             <host>
                 <hostname>{{network.hostname}}</hostname>

From 1490e00a691073e46602dad4bfb80492c9cc04bc Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 8 Aug 2023 18:20:39 +0200
Subject: [PATCH 1509/3088] security/tinc: minor style fixes for
 https://github.com/opnsense/plugins/pull/3528

---
 .../mvc/app/models/OPNsense/Tinc/Tinc.xml         | 10 +++++-----
 .../opnsense/scripts/OPNsense/Tinc/lib/objects.py | 15 +++------------
 2 files changed, 8 insertions(+), 17 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index 91e71145af..f2da9989db 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Tinc</mount>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <description>
         OPNsense Tinc VPN
     </description>
@@ -60,10 +60,10 @@
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Ping timeout must be between 1...65535</ValidationMessage>
                 </pingtimeout>
-                    <StrictSubnets type="BooleanField">
-                        <default>0</default>
-                        <Required>N</Required>
-                    </StrictSubnets>
+                <StrictSubnets type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </StrictSubnets>
                 <privkey type="TextField">
                     <Required>Y</Required>
                 </privkey>
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
index bd913af8d3..ae4a291aa4 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
@@ -82,10 +82,7 @@ def get_mode(self):
         return self._payload['mode']
 
     def get_debuglevel(self):
-        if len(self._payload['debuglevel']) > 1:
-            return self._payload['debuglevel'][1]
-        else:
-            return '0'
+        return self._payload['debuglevel'][1] if len(self._payload['debuglevel']) > 1 else '0'
 
     def set_hosts(self, hosts):
         for host in hosts:
@@ -95,16 +92,10 @@ def set_hosts(self, hosts):
             self._hosts.append(hostObj)
 
     def set_PMTUDiscovery(self, value):
-        if value.text != '1':
-            self._payload['PMTUDiscovery'] = 'no'
-        else:
-            self._payload['PMTUDiscovery'] = 'yes'
+        self._payload['PMTUDiscovery'] = 'no' if value.text != '1' else 'yes'
 
     def set_StrictSubnets(self, value):
-        if value.text != '1':
-            self._payload['StrictSubnets'] = 'no'
-        else:
-            self._payload['StrictSubnets'] = 'yes'
+        self._payload['StrictSubnets'] = 'no' if value.text != '1' else 'yes'
 
     def config_text(self):
         result = list()

From 8a51b2f61c810971be840fe030f3dd26496ffedc Mon Sep 17 00:00:00 2001
From: Clemens Hardewig <clemens.hardewig@crandale.de>
Date: Wed, 9 Aug 2023 19:23:50 +0200
Subject: [PATCH 1510/3088] dns/ddclient - Add desec service provider (#3533)

desec uses also dyndns2 protocol and can therefore directly added to the list of supported services. config is - Services: Dynamic DNS: Settings: Edit Account
Enabled [X]
Service [desec (v6)]
Protocol  [DynDNS2]
Username [Your Domain]
Password [Your DeSec Token]
Hostname(s) [Your Domain]
Check ip method [Interface [IPv6]]
Force SSL [X]
Interface to monitor [Your WAN Interface]

- Services: Dynamic DNS: Settings: Edit Account
Enabled [X]
Service [desec (v4)]
Protocol  [DynDNS2]
Username [Your Domain]
Password [Your DeSec Token]
Hostname(s) [Your Domain]
Check ip method [Interface [IPv4]]
Force SSL [X]
Interface to monitor [Your WAN Interface]
---
 .../src/opnsense/scripts/ddclient/lib/account/dyndns2.py        | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
index aef23eb435..dfd2ae2aa2 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -34,6 +34,8 @@ class DynDNS2(BaseAccount):
 
     _services = {
         'dyndns2': 'members.dyndns.org',
+        'desec-v4': 'update.dedyn.io',
+        'desec-v6': 'update6.dedyn.io',
         'dns-o-matic': 'updates.dnsomatic.com',
         'dynu': 'api.dynu.com',
         'he-net': 'dyn.dns.he.net',

From 69499ffc80c2a8819000bb3feca826065925d388 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Sat, 12 Aug 2023 16:36:56 +0200
Subject: [PATCH 1511/3088] NET/FRR: Added OSPFv3 firewall rules for floating
 ruleset / optional rules.  (#3537)

* Added OSPFv3 firewall rule generation for:
- OSPFv3 IPv6 Multicasts
  -- Router Multicasts fe02::5
  -- Designated Router Multicasts fe02::6
- OSPFv3 IPv6 Unicasts
  -- Local Link network fe80::0/10

* net/frr - add toggle to disable automatic firewall rules, simplify logic and make sure the gui reflects the proper descriptions. default logging should be hooked to choices in System: Settings: Logging. ref https://github.com/opnsense/plugins/pull/3531

---------

Co-authored-by: Bill Gertz <bill.gertz@blockfish.net>
---
 net/frr/src/etc/inc/plugins.inc.d/frr.inc     | 167 +++++++++++++-----
 .../OPNsense/Quagga/forms/general.xml         |   8 +
 .../app/models/OPNsense/Quagga/General.xml    |   6 +-
 3 files changed, 135 insertions(+), 46 deletions(-)

diff --git a/net/frr/src/etc/inc/plugins.inc.d/frr.inc b/net/frr/src/etc/inc/plugins.inc.d/frr.inc
index 3b546e8303..d6a0bd2a89 100644
--- a/net/frr/src/etc/inc/plugins.inc.d/frr.inc
+++ b/net/frr/src/etc/inc/plugins.inc.d/frr.inc
@@ -42,74 +42,151 @@ function frr_carp_enabled()
 
 function frr_firewall($fw)
 {
+    global $config;
+    if (empty((string)(new \OPNsense\Quagga\General())->fwrules)) {
+        // automatic rules disabled
+        return;
+    }
     $ospf = new \OPNsense\Quagga\OSPF();
 
     if ((string)$ospf->enabled == '1') {
+        $ospf_default = [
+            'ipprotocol'     => 'inet',
+            'protocol'       => 'ospf',
+            'statetype'      => 'keep',
+            'type'           => 'pass',
+            'disablereplyto' => 1,
+            'quick'          => true,
+            'log'            => !isset($config['syslog']['nologdefaultpass']),
+            '#ref'           => 'ui/quagga/general/index',
+        ];
         foreach ($ospf->networks->network->iterateItems() as $network) {
             if ((string)$network->enabled == '1') {
                 $fw->registerFilterRule(
                     1, /* priority */
-                    array(
-                        'ipprotocol'     => 'inet',
-                        'protocol'       => 'ospf',
-                        'statetype'      => 'keep',
-                        'label'          => 'Pass OSPF (autogenerated)',
+                    [
+                        'descr'          => 'Pass OSPF (autogenerated)',
                         'from'           => $network->ipaddr . '/' . $network->netmask,
                         'to'             => '224.0.0.0/24',
-                        'direction'      => 'in',
-                        'type'           => 'pass',
-                        'disablereplyto' => 1,
-                        'quick'          => true
-                    ),
-                    null
+                        'direction'      => 'in'
+                    ],
+                    $ospf_default
                 );
                 $fw->registerFilterRule(
                     1,
-                    array(
-                        'ipprotocol'     => 'inet',
-                        'protocol'       => 'ospf',
-                        'statetype'      => 'keep',
-                        'label'          => 'Pass OSPF UNICAST (autogenerated)',
+                    [
+                        'descr'          => 'Pass OSPF UNICAST (autogenerated)',
                         'from'           => $network->ipaddr . '/' . $network->netmask,
                         'to'             => '(self)',
-                        'direction'      => 'in',
-                        'type'           => 'pass',
-                        'disablereplyto' => 1,
-                        'quick'          => true
-                    ),
-                    null
+                        'direction'      => 'in'
+                    ],
+                    $ospf_default
                 );
                 $fw->registerFilterRule(
                     1,
-                    array(
-                        'ipprotocol'     => 'inet',
-                        'protocol'       => 'ospf',
-                        'statetype'      => 'keep',
-                        'label'          => 'Pass OSPF (autogenerated)',
-                        'from'           => '224.0.0.0/24',
-                        'to'             => $network->ipaddr . '/' . $network->netmask,
-                        'direction'      => 'out',
-                        'type'           => 'pass',
-                        'disablereplyto' => 1,
-                        'quick'          => true
-                    ),
-                    null
+                    [
+                        'descr'          => 'Pass OSPF (autogenerated)',
+                        'from'           => '(self)'
+                        'to'             => '224.0.0.0/24',
+                        'direction'      => 'out'
+                    ],
+                    $ospf_default
                 );
                 $fw->registerFilterRule(
                     1,
-                    array(
-                        'ipprotocol'     => 'inet',
-                        'protocol'       => 'ospf',
-                        'statetype'      => 'keep',
-                        'label'          => 'Pass OSPF UNICAST (autogenerated)',
+                    [
+                        'descr'          => 'Pass OSPF UNICAST (autogenerated)',
                         'from'           => '(self)',
                         'to'             => $network->ipaddr . '/' . $network->netmask,
                         'direction'      => 'out',
-                        'type'           => 'pass',
-                        'disablereplyto' => 1,
-                        'quick'          => true
-                    ),
-                    null
+                    ],
+                    $ospf_default
+                );
+            }
+        }
+    }
+
+    $ospf6 = new \OPNsense\Quagga\OSPF6();
+
+    if ((string)$ospf6->enabled == '1') {
+        $ospf6_default = [
+            'ipprotocol'     => 'inet6',
+            'protocol'       => 'ospf',
+            'statetype'      => 'keep',
+            'type'           => 'pass',
+            'disablereplyto' => 1,
+            'quick'          => true,
+            'log'            => !isset($config['syslog']['nologdefaultpass']),
+            '#ref'           => 'ui/quagga/general/index',
+        ];
+
+        foreach ($ospf6->interfaces->interface->iterateItems() as $interface) {
+            if ((string)$interface->enabled == '1') {
+                $fw->registerFilterRule(
+                    1, /* priority */
+                    [
+                        'interface'      => $interface->interfacename,
+                        'descr'          => 'Pass OSPF6 MULTICAST (autogenerated)',
+                        'from'           => 'fe80::0/10',
+                        'to'             => 'ff02::5/128',
+                        'direction'      => 'in'
+                    ],
+                    $ospf6_default
+                );
+                $fw->registerFilterRule(
+                    1, /* priority */
+                    [
+                        'interface'      => $interface->interfacename,
+                        'descr'          => 'Pass OSPF6 MULTICAST DR (autogenerated)',
+                        'from'           => 'fe80::0/10',
+                        'to'             => 'ff02::6/128',
+                        'direction'      => 'in'
+                    ],
+                    $ospf6_default
+                );
+                $fw->registerFilterRule(
+                    1,
+                    [
+                        'interface'      => $interface->interfacename,
+                        'descr'          => 'Pass OSPF6 UNICAST (autogenerated)',
+                        'from'           => 'fe80::0/10',
+                        'to'             => '(self)',
+                        'direction'      => 'in'
+                    ],
+                    $ospf6_default
+                );
+                $fw->registerFilterRule(
+                    1,
+                    [
+                        'interface'      => $interface->interfacename,
+                        'descr'          => 'Pass OSPF6 MULTICAST (autogenerated)',
+                        'from'           => '(self)',
+                        'to'             => 'ff02::5/128',
+                        'direction'      => 'out'
+                    ],
+                    $ospf6_default
+                );
+                $fw->registerFilterRule(
+                    1,
+                    [
+                        'interface'      => $interface->interfacename,
+                        'descr'          => 'Pass OSPF6 MULTICAST DR (autogenerated)',
+                        'from'           => '(self)',
+                        'to'             => 'ff02::6/128',
+                        'direction'      => 'out'
+                    ],
+                    $ospf6_default
+                );
+                $fw->registerFilterRule(
+                    1,
+                    [
+                        'interface'      => $interface->interfacename,
+                        'descr'          => 'Pass OSPF6 UNICAST (autogenerated)',
+                        'from'           => '(self)',
+                        'to'             => 'fe80::0/10',
+                        'direction'      => 'out'
+                    ],
+                    $ospf6_default
                 );
             }
         }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
index fc3d304c31..b3c2c1b7e0 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
@@ -36,4 +36,12 @@
         <type>dropdown</type>
         <help>This is the detail level of the log. A higher level means more data is logged.</help>
     </field>
+    <field>
+        <id>general.fwrules</id>
+        <label>Firewall rules</label>
+        <type>checkbox</type>
+        <help>Enable automatically created firewall rules, when additional policies are needed, disable this and define
+        your own custom policies in the Firewall section.
+        </help>
+    </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
index cc0b58304b..473e47bec5 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/general</mount>
     <description>Quagga Routing configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -43,5 +43,9 @@
                 <debugging>Debugging</debugging>
             </OptionValues>
         </sysloglevel>
+        <fwrules type="BooleanField">
+            <default>1</default>
+            <Required>Y</Required>
+        </fwrules>
     </items>
 </model>

From 4eb295bf68c3f1c0ff84dda9ce658dee6a0e803a Mon Sep 17 00:00:00 2001
From: Andrew <35965851+ack100@users.noreply.github.com>
Date: Sat, 12 Aug 2023 14:41:48 -0400
Subject: [PATCH 1512/3088] Update DHCP Leases Status in wake_on_lan.widget.php
 (#3542)

---
 net/wol/src/www/widgets/widgets/wake_on_lan.widget.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php b/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
index 843341a657..c97fc9b70c 100644
--- a/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
+++ b/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
@@ -70,7 +70,7 @@
   </tbody>
   <tfoot>
     <tr>
-      <td colspan="4"><a href="status_dhcp_leases.php" class="navlink"><?= gettext('DHCP Leases Status') ?></a></td>
+      <td colspan="4"><a href="ui/dhcpv4/leases" class="navlink"><?= gettext('DHCP Leases Status') ?></a></td>
     </tr>
   </tfoot>
 </table>

From 014c4abc92fa5e60ab502229898b853647bd42cf Mon Sep 17 00:00:00 2001
From: Hannah Kiekens <hannahkiekens@gmail.com>
Date: Tue, 15 Aug 2023 09:26:01 +0200
Subject: [PATCH 1513/3088] benchmarks/iperf: add rubygem-rexml dependency
 (#3544)

---
 benchmarks/iperf/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/benchmarks/iperf/Makefile b/benchmarks/iperf/Makefile
index 4c72430699..1882a1ae75 100644
--- a/benchmarks/iperf/Makefile
+++ b/benchmarks/iperf/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		iperf
 PLUGIN_VERSION=		1.0
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Connection speed tester
-PLUGIN_DEPENDS=		iperf3 ruby
+PLUGIN_DEPENDS=		iperf3 ruby rubygem-rexml
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"

From 98e255d8ae6aa2f7269a3facef4bea6cf76e4d04 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Aug 2023 10:45:14 +0200
Subject: [PATCH 1514/3088] dns/ddclient: annotate change

---
 dns/ddclient/Makefile  | 1 +
 dns/ddclient/pkg-descr | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 68ef2b8854..bd849f880d 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.14
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient-devel
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 4a1e2f9ab6..a750396a76 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,7 +9,8 @@ Plugin Changelog
 1.14
 
 * Add "post" protocol in custom service type
-* Add DNSExit API and regfish.de support
+* Add DNSExit API and regfish.de support to ddclient backend
+* Add desec to OPNsense backend (contributed by Clemens Hardewig)
 
 1.13
 

From 551a452fdc9455809e62ae1bd0abd9fe46a9da72 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 6 Aug 2023 18:05:46 +0200
Subject: [PATCH 1515/3088] security/wazuh-agent - add initial wazuh agent
 plugin.

features available in this version:

o Pluggable ossec.conf sections in /usr/local/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/
o Selectable syslog applications (flushed to it's own log file using a format Wazuh understands)
o Suricata (IDPS) log shipping using localfile json parser
o Optional Password authentication (as specified in https://documentation.wazuh.com/current/user-manual/agent-enrollment/security-options/using-password-authentication.html)
o Active response support, including a custom firewall action (opnsense-fw)
o Ignore list for opnsense-fw, using a standard alias which contains networks to skip
o Toggle standard modules (wodle_syscollector, rootcheck, syscheck)
o Log views and format parsers for local insights. (ossec.log, active-responses.log)
o When searching for issues, a debug toggle is available which changes all debug options at once to the requested level
---
 security/wazuh-agent/+POST_DEINSTALL.post     |   1 +
 security/wazuh-agent/+POST_INSTALL.post       |   5 +
 security/wazuh-agent/Makefile                 |   8 +
 security/wazuh-agent/pkg-descr                |   3 +
 .../src/etc/inc/plugins.inc.d/wazuhagent.inc  |  61 +++++++
 .../WazuhAgent/Api/ServiceController.php      |  44 +++++
 .../WazuhAgent/Api/SettingsController.php     |  39 +++++
 .../OPNsense/WazuhAgent/IndexController.php   |  46 +++++
 .../OPNsense/WazuhAgent/forms/settings.xml    | 122 +++++++++++++
 .../Firewall/static_aliases/wazuh_agent.json  |   9 +
 .../models/OPNsense/WazuhAgent/ACL/ACL.xml    |   9 +
 .../models/OPNsense/WazuhAgent/Menu/Menu.xml  |   9 +
 .../models/OPNsense/WazuhAgent/WazuhAgent.php |  40 +++++
 .../models/OPNsense/WazuhAgent/WazuhAgent.xml |  93 ++++++++++
 .../app/views/OPNsense/WazuhAgent/index.volt  |  76 +++++++++
 .../scripts/syslog/logformats/wazuhagent.py   |  51 ++++++
 .../src/opnsense/scripts/wazuh/opnsense-fw    | 160 ++++++++++++++++++
 .../src/opnsense/scripts/wazuh/setup.php      |  61 +++++++
 .../conf/actions.d/actions_wazuh_agent.conf   |  25 +++
 .../templates/OPNsense/WazuhAgent/+TARGETS    |   6 +
 .../WazuhAgent/local_internal_options.conf    |  28 +++
 .../OPNsense/WazuhAgent/newsyslog.conf        |   4 +
 .../OPNsense/WazuhAgent/opnsense-fw.conf      |   4 +
 .../templates/OPNsense/WazuhAgent/ossec.conf  |  22 +++
 .../ossec_config.d/000-rootcheck.conf         |  16 ++
 .../001-wodle_syscollector.conf               |  13 ++
 .../ossec_config.d/002-syscheck.conf          |  55 ++++++
 .../ossec_config.d/003-localfile-generic.conf |  10 ++
 .../004-localfile-suricata.conf               |   9 +
 .../ossec_config.d/005-active-response.conf   |   4 +
 .../templates/OPNsense/WazuhAgent/rc.conf.d   |   2 +
 .../WazuhAgent/syslog-ng-wazuh-agent.conf     |  27 +++
 32 files changed, 1062 insertions(+)
 create mode 100644 security/wazuh-agent/+POST_DEINSTALL.post
 create mode 100644 security/wazuh-agent/+POST_INSTALL.post
 create mode 100644 security/wazuh-agent/Makefile
 create mode 100644 security/wazuh-agent/pkg-descr
 create mode 100644 security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/ServiceController.php
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/SettingsController.php
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/IndexController.php
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/Firewall/static_aliases/wazuh_agent.json
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
 create mode 100644 security/wazuh-agent/src/opnsense/mvc/app/views/OPNsense/WazuhAgent/index.volt
 create mode 100644 security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py
 create mode 100755 security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
 create mode 100755 security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
 create mode 100644 security/wazuh-agent/src/opnsense/service/conf/actions.d/actions_wazuh_agent.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/+TARGETS
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/local_internal_options.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/newsyslog.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/000-rootcheck.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/001-wodle_syscollector.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/002-syscheck.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/003-localfile-generic.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/004-localfile-suricata.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/rc.conf.d
 create mode 100644 security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf

diff --git a/security/wazuh-agent/+POST_DEINSTALL.post b/security/wazuh-agent/+POST_DEINSTALL.post
new file mode 100644
index 0000000000..6e1f1bc557
--- /dev/null
+++ b/security/wazuh-agent/+POST_DEINSTALL.post
@@ -0,0 +1 @@
+rm /var/ossec/active-response/bin/opnsense-fw
diff --git a/security/wazuh-agent/+POST_INSTALL.post b/security/wazuh-agent/+POST_INSTALL.post
new file mode 100644
index 0000000000..374cc76f41
--- /dev/null
+++ b/security/wazuh-agent/+POST_INSTALL.post
@@ -0,0 +1,5 @@
+echo -n 'reload filter to register alias: '
+/usr/local/sbin/configctl filter reload
+cp /usr/local/opnsense/scripts/wazuh/opnsense-fw  /var/ossec/active-response/bin/opnsense-fw
+chmod 750 /var/ossec/active-response/bin/opnsense-fw
+chown root:wazuh /var/ossec/active-response/bin/opnsense-fw
diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
new file mode 100644
index 0000000000..b9b8f19ed6
--- /dev/null
+++ b/security/wazuh-agent/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		wazuh-agent
+PLUGIN_VERSION=		1.0.0
+#PLUGIN_REVISION=	1
+PLUGIN_COMMENT=		Agent for the opensource security platform Wazuh
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		3
+
+.include "../../Mk/plugins.mk"
diff --git a/security/wazuh-agent/pkg-descr b/security/wazuh-agent/pkg-descr
new file mode 100644
index 0000000000..34fe48113c
--- /dev/null
+++ b/security/wazuh-agent/pkg-descr
@@ -0,0 +1,3 @@
+Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.
+
+Using this plugin you can integrate your OPNsense firewall into the Wazuh solution.
diff --git a/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc b/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
new file mode 100644
index 0000000000..0907f052d3
--- /dev/null
+++ b/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+function wazuhagent_services()
+{
+    $services = [];
+    if ((new \OPNsense\WazuhAgent\WazuhAgent())->general->enabled == '1') {
+        $service = [
+            'description' => gettext('Wazuh Agent'),
+            'configd' => [
+                'restart' => ['wazuh_agent restart'],
+                'start' => ['wazuh_agent start'],
+                'stop' => ['wazuh_agent stop'],
+            ],
+            'name' => 'wazuh-agentd',
+        ];
+        $services[] = $service;
+    }
+
+    return $services;
+}
+
+function wazuhagent_firewall($fw)
+{
+    global $config;
+    $defaults = ['block' => ['type' => 'block', 'log' => !isset($config['syslog']['nologdefaultblock'])]];
+    if ((new \OPNsense\WazuhAgent\WazuhAgent())->general->enabled == '1') {
+        //$fw->registerFilterRule();
+        $fw->registerFilterRule(
+            1,
+            ['from' => '<__wazuh_agent_drop>', 'descr' => 'Wazuh agent blocklist', '#ref' => 'ui/wazuhagent/'],
+            $defaults['block']
+        );
+    }
+}
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/ServiceController.php b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/ServiceController.php
new file mode 100644
index 0000000000..166a192ef1
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/ServiceController.php
@@ -0,0 +1,44 @@
+<?php
+
+/**
+ *    Copyright (C) 2023 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\WazuhAgent\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+/**
+ * {@inheritdoc}
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\WazuhAgent\WazuhAgent';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceTemplate = 'OPNsense/WazuhAgent';
+    protected static $internalServiceName = 'wazuh_agent';
+}
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/SettingsController.php b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/SettingsController.php
new file mode 100644
index 0000000000..2063a57809
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/SettingsController.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ *    Copyright (C) 2023 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\WazuhAgent\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'agent';
+    protected static $internalModelClass = 'OPNsense\WazuhAgent\WazuhAgent';
+}
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/IndexController.php b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/IndexController.php
new file mode 100644
index 0000000000..5a9b9397f3
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/IndexController.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ *    Copyright (C) 2023 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\WazuhAgent;
+
+/**
+ * Class IndexController
+ * @package OPNsense\WazuhAgent
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // link dialogs
+        $this->view->formSettings = $this->getForm("settings");
+        // choose template
+        $this->view->pick('OPNsense/WazuhAgent/index');
+    }
+}
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
new file mode 100644
index 0000000000..8be2d81fb7
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
@@ -0,0 +1,122 @@
+<form>
+    <field>
+        <type>header</type>
+        <label>General Settings</label>
+    </field>
+    <field>
+        <id>agent.general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable Wazuh Agent</help>
+    </field>
+    <field>
+        <id>agent.general.server_address</id>
+        <label>Manager hostname</label>
+        <type>text</type>
+        <help>Specifies the IP address or the hostname of the Wazuh manager.</help>
+    </field>
+    <field>
+        <id>agent.logcollector.syslog_programs</id>
+        <label>Applications</label>
+        <type>select_multiple</type>
+        <help>Choose which applications to forward to Wazuh.</help>
+    </field>
+    <field>
+        <id>agent.logcollector.suricata_eve_log</id>
+        <label>Intrusion detection events</label>
+        <type>checkbox</type>
+        <help>Send events from the intrusion detection engine to Wazuh (Suricata EVE log)</help>
+    </field>
+    <field>
+        <id>agent.logcollector.remote_commands</id>
+        <label>Logcollector remote commands</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>
+            Enable remote commands from the log collector, disabling this will ignore command and full_command log sources
+            and prevents Wazuh manager from running arbitrary commands on this node.
+        </help>
+    </field>
+    <field>
+        <id>agent.general.debug_level</id>
+        <advanced>true</advanced>
+        <label>Debug</label>
+        <type>dropdown</type>
+        <help>
+            Debug level for this agents services.
+        </help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Active response</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>agent.active_response.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable Active response</help>
+    </field>
+    <field>
+        <id>agent.active_response.fw_alias_ignore</id>
+        <label>Firewall command ignore</label>
+        <type>dropdown</type>
+        <help>
+            Select an alias from which the items should be ignored when dropping ip addresses using the opnsense-fw
+            active-response action.
+        </help>
+    </field>
+    <field>
+        <id>agent.active_response.remote_commands</id>
+        <label>Wazuh remote commands</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>
+            Toggles whether Command Module should accept commands defined in the shared configuration or not.
+        </help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Authentication</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>agent.auth.password</id>
+        <label>Password</label>
+        <type>password</type>
+        <help>Password to use in authd.pass file.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Policy monitoring and anomaly detection</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>agent.rootcheck.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable policy monitoring and anomaly detection</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>System inventory</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>agent.syscollector.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable syscollector</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>File integrity monitoring</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>agent.syscheck.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable file integrity monitoring</help>
+    </field>
+</form>
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/Firewall/static_aliases/wazuh_agent.json b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/Firewall/static_aliases/wazuh_agent.json
new file mode 100644
index 0000000000..ecf704abc6
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/Firewall/static_aliases/wazuh_agent.json
@@ -0,0 +1,9 @@
+{
+    "__wazuh_agent_drop": {
+      "enabled": "1",
+      "name": "__wazuh_agent_drop",
+      "type": "external",
+      "description": "Wazuh Agent blocklist (internal)",
+      "content": ""
+    }
+}
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml
new file mode 100644
index 0000000000..0108ea9cb8
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-wazuh_agent>
+        <name>Services: Wazuh Agent</name>
+        <patterns>
+            <pattern>ui/wazuh_agent/*</pattern>
+            <pattern>api/wazuh_agent/*</pattern>
+        </patterns>
+    </page-services-wazuh_agent>
+</acl>
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml
new file mode 100644
index 0000000000..02191e6042
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml
@@ -0,0 +1,9 @@
+<menu>
+    <Services>
+        <WazuhAgent VisibleName="Wazuh Agent" cssClass="fa fa-heartbeat fa-fw">
+            <Settings order="10" url="/ui/wazuhagent/"/>
+            <Ossec VisibleName="Logfile / ossec" order="20" url="/ui/diagnostics/log/wazuhagent/ossec" />
+            <ActiveResponses VisibleName="Logfile / active-responses" order="30" url="/ui/diagnostics/log/wazuhagent/activeresponses" />
+        </WazuhAgent>
+    </Services>
+</menu>
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
new file mode 100644
index 0000000000..add9f8114a
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ namespace OPNsense\WazuhAgent;
+
+ use Phalcon\Messages\Message;
+ use OPNsense\Base\BaseModel;
+
+ /**
+  * Class WazuhAgent
+  * @package OPNsense\WazuhAgent
+  */
+class WazuhAgent extends BaseModel
+{
+}
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
new file mode 100644
index 0000000000..1ae35d1e19
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -0,0 +1,93 @@
+<model>
+    <mount>//OPNsense/WazuhAgent</mount>
+    <version>1.0.0</version>
+    <description>
+        Wazuh Agent
+    </description>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </enabled>
+            <server_address type="HostnameField">
+                <Required>Y</Required>
+                <IpAllowed>Y</IpAllowed>
+            </server_address>
+            <debug_level type="OptionField">
+                <default>0</default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <val0 value="0">no debug</val0>
+                    <val1 value="1">first level of debug</val1>
+                    <val2 value="2">full debugging</val2>
+                </OptionValues>
+            </debug_level>
+        </general>
+        <auth>
+            <password type="TextField">
+            </password>
+        </auth>
+        <logcollector>
+            <remote_commands type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </remote_commands>
+            <syslog_programs type="JsonKeyValueStoreField">
+                <Required>N</Required>
+                <Multiple>Y</Multiple>
+                <default>filterlog,openvpn,unbound,audit,sshd</default>
+                <ConfigdPopulateAct>syslog list applications</ConfigdPopulateAct>
+                <SourceFile>/tmp/syslog_applications.json</SourceFile>
+                <ConfigdPopulateTTL>20</ConfigdPopulateTTL>
+                <SortByValue>Y</SortByValue>
+                <ValidationMessage>Specify valid source applications.</ValidationMessage>
+            </syslog_programs>
+            <suricata_eve_log type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </suricata_eve_log>
+        </logcollector>
+        <rootcheck>
+            <enabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </enabled>
+        </rootcheck>
+        <syscollector>
+            <enabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </enabled>
+        </syscollector>
+        <syscheck>
+            <enabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </enabled>
+        </syscheck>
+        <active_response>
+            <enabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </enabled>
+            <remote_commands type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </remote_commands>
+            <fw_alias_ignore type="ModelRelationField">
+                <Model>
+                    <alias>
+                        <source>OPNsense.Firewall.Alias</source>
+                        <items>aliases.alias</items>
+                        <display>name</display>
+                        <filters>
+                            <type>/[network|host]/</type>
+                        </filters>
+                    </alias>
+                </Model>
+                <Required>N</Required>
+            </fw_alias_ignore>
+        </active_response>
+    </items>
+</model>
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/views/OPNsense/WazuhAgent/index.volt b/security/wazuh-agent/src/opnsense/mvc/app/views/OPNsense/WazuhAgent/index.volt
new file mode 100644
index 0000000000..4830c677de
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/mvc/app/views/OPNsense/WazuhAgent/index.volt
@@ -0,0 +1,76 @@
+{#
+
+OPNsense® is Copyright © 2023 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        let data_get_map = {'frm_settings':"/api/wazuhagent/settings/get"};
+        mapDataToFormUI(data_get_map).done(function(){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('wazuhagent');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/wazuhagent/settings/set", 'frm_settings', function(){
+                    dfObj.resolve();
+                });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('wazuhagent');
+            }
+        });
+    });
+</script>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#settings" id="settings_tab">{{ lang._('Settings') }}</a></li>
+</ul>
+<div class="tab-content content-box">
+    <div id="settings"  class="tab-pane fade in active">
+        {{ partial("layout_partials/base_form",['fields':formSettings,'id':'frm_settings'])}}
+    </div>
+</div>
+
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/wazuhagent/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-service-widget="wazuh_agent"
+                    data-error-title="{{ lang._('Error reconfiguring Wazuh Agent') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
diff --git a/security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py b/security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py
new file mode 100644
index 0000000000..1982562918
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py
@@ -0,0 +1,51 @@
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import re
+import datetime
+from . import NewBaseLogFormat
+ossec_timeformat = r'^(\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}).*'
+
+class OssecLogFormat(NewBaseLogFormat):
+    def __init__(self, filename):
+        super().__init__(filename)
+        self._priority = 100
+
+    def match(self, line):
+        return self._filename.find('wazuhagent') > -1 and re.match(ossec_timeformat, line) is not  None
+
+    @property
+    def timestamp(self):
+        tmp = re.match(ossec_timeformat, self._line)
+        grp = tmp.group(1)
+        return datetime.datetime.strptime(grp, "%Y/%m/%d %H:%M:%S").isoformat()
+
+    @property
+    def process_name(self):
+        return self._line[19:].strip().split(':', 1)[0]
+
+    @property
+    def line(self):
+        return self._line[19:].strip().split(':', 1)[-1]
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
new file mode 100755
index 0000000000..f2b349a250
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
@@ -0,0 +1,160 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import argparse
+import datetime
+import json
+import os
+import sys
+import subprocess
+import ipaddress
+from select import select
+from configparser import ConfigParser
+
+
+def send_log(line):
+    with open('/var/ossec/logs/active-responses.log', 'a') as handle:
+        handle.write(
+            str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) +
+            " " +
+            os.path.basename(__file__) +
+            ": " +
+            line +
+            "\n"
+        )
+
+
+def read_data(filename):
+    payload = []
+    with open(filename, 'rb') as fin:
+        while True:
+            rlist, _, _ = select([fin], [], [], 0.5)
+            if not rlist:
+                break
+            line = fin.readline()
+            if line == b'':
+                break
+            payload.append(line)
+
+    return b''.join(payload)
+
+
+def main(params):
+    send_log('Started')
+    skip_alias=''
+    if os.path.isfile('/var/ossec/etc/opnsense-fw.conf'):
+        cnf = ConfigParser()
+        cnf.read('/var/ossec/etc/opnsense-fw.conf')
+        skip_alias = cnf.get('general', 'skip_alias') if cnf.has_option('general', 'skip_alias') else ''
+    else:
+        send_log('Skip configuration')
+
+    event=None
+    try:
+        event=json.loads(read_data(params.input))
+    except ValueError:
+        pass
+    if event is None:
+        send_log('Decoding JSON has failed, invalid input format')
+        return -1
+    else:
+        send_log('Received : %s' % json.dumps(event))
+
+    command=event.get('command', None)
+    srcip=event
+    for token in ['parameters', 'alert', 'data', 'srcip']:
+        if type(srcip) is dict and token in srcip:
+            srcip = srcip[token]
+        else:
+            srcip = None
+            break
+
+    if srcip is None:
+        send_log('srcip not found')
+        return -1
+
+    try:
+        ipaddress.ip_address(srcip)
+    except ValueError:
+        send_log('Unable to process even, invalid srcip (%s)' % srcip)
+        return -1
+
+    if skip_alias != '' and command == 'add':
+        sp = subprocess.run(['/sbin/pfctl', '-t', skip_alias, '-Ttest', srcip], capture_output=True, text=True)
+        if sp.stderr.strip().find("1/1") == 0:
+            send_log('Skip event %s in alias %s' % (srcip, skip_alias))
+            return 0
+
+    if command == 'add':
+        # return rule id for timeout list
+        try:
+            print(json.dumps({
+                "version": 1,
+                "origin": {
+                    "name": sys.argv[0],
+                    "module":"active-response"
+                },
+                "command": "check_keys",
+                "parameters":{
+                    "keys": [event['parameters']['alert']['rule']['id']]
+                }
+            }))
+            sys.stdout.flush()
+        except KeyError:
+            pass
+        # When attached to stdin we're likely running inside the agent, in which case we will read a second event which
+        # may abort the first one.
+        if params.input == '/dev/stdin':
+            timeout_event = None
+            try:
+                timeout_event=json.loads(read_data(params.input))
+            except ValueError:
+                pass
+            if timeout_event:
+                send_log('Received : %s' % json.dumps(timeout_event))
+                if timeout_event.get('command') == 'abort':
+                    send_log('Aborted')
+                    return 0
+                elif timeout_event.get('command') != 'continue':
+                    send_log('Invalid command')
+                    return -1
+        # add to table and kill active sessions for this ip as well
+        subprocess.run(['/sbin/pfctl', '-t', '__wazuh_agent_drop', '-T', 'add', srcip], capture_output=True)
+        subprocess.run(['/sbin/pfctl', '-k', srcip], capture_output=True)
+    elif command == 'delete':
+        subprocess.run(['/sbin/pfctl', '-t', '__wazuh_agent_drop', '-T', 'delete', srcip], capture_output=True)
+
+    send_log('Active response executed (%s %s)' % (command, srcip))
+
+    return 0
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-input', help='read message from', default='/dev/stdin')
+    sys.exit(main(parser.parse_args()))
diff --git a/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php b/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
new file mode 100755
index 0000000000..e294fd7236
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
@@ -0,0 +1,61 @@
+#!/usr/local/bin/php
+<?php
+/**
+ *    Copyright (C) 2023 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+require_once('script/load_phalcon.php');
+$authd_pass = '/var/ossec/etc/authd.pass';
+
+$mdl = new \OPNsense\WazuhAgent\WazuhAgent();
+
+/**
+ * Configure authentication when needed
+ */
+if (!empty((string)$mdl->auth->password)) {
+    $fhandle = fopen($authd_pass, 'a+');
+    if (flock($fhandle, LOCK_EX)) {
+        chown($authd_pass, 'root');
+        chgrp($authd_pass, 'wazuh');
+        chmod($authd_pass, 0640);
+        fseek($fhandle, 0);
+        ftruncate($fhandle, 0);
+        fwrite($fhandle, (string)$mdl->auth->password);
+        flock($fhandle, LOCK_UN);
+    }
+} elseif (file_exists($authd_pass)) {
+    unlink($authd_pass);
+}
+
+/***
+ * Temporary solution to link log files so we can view at least the last items in the file easily for debug purposes
+ * It looks like ossec is not able to log to syslog directly, which means our log files live outside our normal bounds
+ **/
+mkdir("/var/log/wazuhagent/ossec/", 0700, true);
+mkdir("/var/log/wazuhagent/activeresponses/", 0700, true);
+@symlink("/var/ossec/logs/ossec.log", "/var/log/wazuhagent/ossec/ossec_99991231.log");
+@symlink( "/var/ossec/logs/active-responses.log", "/var/log/wazuhagent/activeresponses/activeresponses_99991231.log");
diff --git a/security/wazuh-agent/src/opnsense/service/conf/actions.d/actions_wazuh_agent.conf b/security/wazuh-agent/src/opnsense/service/conf/actions.d/actions_wazuh_agent.conf
new file mode 100644
index 0000000000..33c1e1c4aa
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/conf/actions.d/actions_wazuh_agent.conf
@@ -0,0 +1,25 @@
+[start]
+command:
+    /usr/local/sbin/pluginctl -s syslog-ng restart;
+    /usr/local/etc/rc.d/wazuh-agent onestart
+type:script
+message:starting wazuh-agent
+
+[stop]
+command:/usr/local/etc/rc.d/wazuh-agent onestop
+type:script
+message:stopping wazuh-agent
+
+[status]
+command:
+    /usr/local/etc/rc.d/wazuh-agent status > /dev/null  2>&1 && echo "wazuh is running..." || echo "wazuh is not running...";
+    exit 0
+type:script_output
+message:get wazuh-agent status
+
+[restart]
+command:
+    /usr/local/sbin/pluginctl -s syslog-ng restart;
+    /usr/local/etc/rc.d/wazuh-agent onerestart
+type:script
+message:restarting wazuh-agent
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/+TARGETS b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/+TARGETS
new file mode 100644
index 0000000000..268450b041
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/+TARGETS
@@ -0,0 +1,6 @@
+ossec.conf:/var/ossec/etc/ossec.conf
+local_internal_options.conf:/var/ossec/etc/local_internal_options.conf
+rc.conf.d:/etc/rc.conf.d/wazuh_agent
+syslog-ng-wazuh-agent.conf:/usr/local/etc/syslog-ng.conf.d/syslog-ng-wazuh-agent.conf
+newsyslog.conf:/etc/newsyslog.conf.d/wazuh-agent.conf
+opnsense-fw.conf:/var/ossec/etc/opnsense-fw.conf
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/local_internal_options.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/local_internal_options.conf
new file mode 100644
index 0000000000..2ed6e9dded
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/local_internal_options.conf
@@ -0,0 +1,28 @@
+# local_internal_options.conf
+#
+# This file should be handled with care. It contains
+# run time modifications that can affect the use
+# of OSSEC. Only change it if you know what you
+# are doing. Look first at ossec.conf
+# for most of the things you want to change.
+#
+# This file will not be overwritten during upgrades.
+logcollector.remote_commands={% if not helpers.empty('OPNsense.WazuhAgent.logcollector.remote_commands') %}1{% else %}0{% endif +%}
+wazuh_command.remote_commandss={% if not helpers.empty('OPNsense.WazuhAgent.wazuh_command.remote_commands') %}1{% else %}0{% endif +%}
+
+
+{% if not helpers.empty('OPNsense.WazuhAgent.general.debug_level') %}
+windows.debug={{OPNsense.WazuhAgent.general.debug_level}}
+syscheck.debug={{OPNsense.WazuhAgent.general.debug_level}}
+remoted.debug={{OPNsense.WazuhAgent.general.debug_level}}
+analysisd.debug={{OPNsense.WazuhAgent.general.debug_level}}
+authd.debug={{OPNsense.WazuhAgent.general.debug_level}}
+execd.debug={{OPNsense.WazuhAgent.general.debug_level}}
+monitord.debug={{OPNsense.WazuhAgent.general.debug_level}}
+logcollector.debug={{OPNsense.WazuhAgent.general.debug_level}}
+integrator.debug={{OPNsense.WazuhAgent.general.debug_level}}
+agent.debug={{OPNsense.WazuhAgent.general.debug_level}}
+wazuh_db.debug={{OPNsense.WazuhAgent.general.debug_level}}
+wazuh_modules.debug={{OPNsense.WazuhAgent.general.debug_level}}
+wazuh_clusterd.debug={{OPNsense.WazuhAgent.general.debug_level}}
+{% endif %}
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/newsyslog.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/newsyslog.conf
new file mode 100644
index 0000000000..558d19da0e
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/newsyslog.conf
@@ -0,0 +1,4 @@
+# logfilename			                [owner:group]	mode	count	size	when	flags	[/pid_file]				[sig_num]
+{% if not helpers.empty('OPNsense.WazuhAgent.general.enabled') %}
+/var/ossec/logs/opnsense_syslog.log     root:wazuh      660     2       *       $D0     Z       /var/run/syslog-ng.pid
+{% endif %}
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
new file mode 100644
index 0000000000..073220f8fb
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
@@ -0,0 +1,4 @@
+[general]
+{% if not helpers.empty('OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore') and helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore) %}
+skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore).name}}
+{% endif %}
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
new file mode 100644
index 0000000000..1303029ae1
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
@@ -0,0 +1,22 @@
+<ossec_config>
+  <client>
+    <server>
+      <address>{{OPNsense.WazuhAgent.general.server_address}}</address>
+    </server>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+{%  for sfilename in helpers.glob("OPNsense/WazuhAgent/ossec_config.d/*.conf") %}{%
+        include sfilename without context
++%}
+
+{%  endfor %}
+
+</ossec_config>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/000-rootcheck.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/000-rootcheck.conf
new file mode 100644
index 0000000000..e0f98ff468
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/000-rootcheck.conf
@@ -0,0 +1,16 @@
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>{% if not helpers.empty('OPNsense.WazuhAgent.rootcheck.enabled') %}no{% else %}yes{% endif %}</disabled>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
+    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/001-wodle_syscollector.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/001-wodle_syscollector.conf
new file mode 100644
index 0000000000..b3d32ce38a
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/001-wodle_syscollector.conf
@@ -0,0 +1,13 @@
+  <wodle name="syscollector">
+    <disabled>{% if not helpers.empty('OPNsense.WazuhAgent.syscollector.enabled') %}no{% else %}yes{% endif %}</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </wodle>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/002-syscheck.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/002-syscheck.conf
new file mode 100644
index 0000000000..4285d50e07
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/002-syscheck.conf
@@ -0,0 +1,55 @@
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>{% if not helpers.empty('OPNsense.WazuhAgent.syscheck.enabled') %}no{% else %}yes{% endif %}</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+    <ignore>/sys/kernel/security</ignore>
+    <ignore>/sys/kernel/debug</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>100</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <response_timeout>30</response_timeout>
+      <queue_size>16384</queue_size>
+      <max_eps>10</max_eps>
+    </synchronization>
+  </syscheck>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/003-localfile-generic.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/003-localfile-generic.conf
new file mode 100644
index 0000000000..6b337fca18
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/003-localfile-generic.conf
@@ -0,0 +1,10 @@
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/opnsense_syslog.log</location>
+  </localfile>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/004-localfile-suricata.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/004-localfile-suricata.conf
new file mode 100644
index 0000000000..ec0b9ffce3
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/004-localfile-suricata.conf
@@ -0,0 +1,9 @@
+  <!-- Suricata -->
+{% if not helpers.empty('OPNsense.WazuhAgent.logcollector.suricata_eve_log') %}
+  <localfile>
+    <log_format>json</log_format>
+    <location>/var/log/suricata/eve.json</location>
+  </localfile>
+{% else %}
+  <!-- disabled -->
+{% endif %}
\ No newline at end of file
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf
new file mode 100644
index 0000000000..6627c9eac2
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf
@@ -0,0 +1,4 @@
+  <!-- Active response -->
+  <active-response>
+    <disabled>{% if not helpers.empty('OPNsense.WazuhAgent.active_response.enabled') %}no{% else %}yes{% endif %}</disabled>
+  </active-response>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/rc.conf.d b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/rc.conf.d
new file mode 100644
index 0000000000..c1e4bbe5c2
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/rc.conf.d
@@ -0,0 +1,2 @@
+wazuh_agent_setup="/usr/local/opnsense/scripts/wazuh/setup.php"
+wazuh_agent_enable={% if not helpers.empty('OPNsense.WazuhAgent.general.enabled') %}"YES"{% else %}"NO"{% endif %}
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf
new file mode 100644
index 0000000000..649aa02214
--- /dev/null
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf
@@ -0,0 +1,27 @@
+#######################################################################################################################
+# This syslog-ng output is a bit of a work-around. As Wazuh does only support RFC3164 format syslog data
+# (https://github.com/wazuh/wazuh/issues/2038), we do need to flush our syslog output twice.
+#
+# Ideally we should then send it to a pipe, but that seems to be a feature
+# currenty on the wishlist (https://github.com/wazuh/wazuh/issues/15178)
+#
+# So, we will flush relevant messages to /var/ossec/logs/opnsense_syslog.log, which newsyslog may rotate
+#
+#######################################################################################################################
+{% if not helpers.empty('OPNsense.WazuhAgent.general.enabled') and not helpers.empty('OPNsense.WazuhAgent.logcollector.syslog_programs') %}
+filter f_local_wazuhagent {
+{%      for prg in OPNsense.WazuhAgent.logcollector.syslog_programs.split(',') %}
+    program("{{prg}}") {% if loop.last %} ; {% else %} or {% endif +%}
+{%      endfor %}
+};
+
+destination d_local_wazuhagent {
+    file("/var/ossec/logs/opnsense_syslog.log");
+};
+
+log {
+    source(s_all);
+    filter(f_local_wazuhagent);
+    destination(d_local_wazuhagent);
+};
+{% endif %}
\ No newline at end of file

From f0f80033197d5e82b7e8b9cc23e65d724196009e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Aug 2023 10:47:17 +0200
Subject: [PATCH 1516/3088] security/wazuh: small changes

@adschellevis doesn't seem to know about "make revision" ;)
---
 security/wazuh-agent/Makefile | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index b9b8f19ed6..d30039151e 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		wazuh-agent
-PLUGIN_VERSION=		1.0.0
-#PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		Agent for the opensource security platform Wazuh
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
+PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_TIER=		3
 
 .include "../../Mk/plugins.mk"

From 301349705e8ecf51746f66057b0b6af729617824 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Aug 2023 10:49:18 +0200
Subject: [PATCH 1517/3088] LICENSE/README: sync

---
 LICENSE   | 1 +
 README.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/LICENSE b/LICENSE
index 32794d4e75..a4baaaaca7 100644
--- a/LICENSE
+++ b/LICENSE
@@ -43,6 +43,7 @@ Copyright (c) 2012 mkirbst
 Copyright (c) 2021 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
+Copyright (c) 2023 Oliver Hartl
 Copyright (c) 2022 Patrik Kernstock <patrik@kernstock.net>
 Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
diff --git a/README.md b/README.md
index 63036e99ae..4ae696ebae 100644
--- a/README.md
+++ b/README.md
@@ -91,6 +91,7 @@ security/softether -- Cross-platform Multi-protocol VPN Program (development onl
 security/stunnel -- Stunnel TLS proxy
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
+security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
 sysutils/api-backup -- Provide the functionality to download the config.xml
 sysutils/apuled -- PC Engine APU LED control (development only)

From 16cddd15d27ebb1fe6b7784ff17d2755ad0d233e Mon Sep 17 00:00:00 2001
From: Greg Glockner <greg@glockners.net>
Date: Thu, 17 Aug 2023 02:22:14 -0700
Subject: [PATCH 1518/3088] dns/ddclient: AWS Route53 (#3550)

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 dns/ddclient/Makefile                         |  5 +-
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |  9 ++-
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  6 ++
 .../scripts/ddclient/lib/account/aws.py       | 71 +++++++++++++++++++
 .../templates/OPNsense/ddclient/ddclient.json |  1 +
 5 files changed, 88 insertions(+), 4 deletions(-)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index bd849f880d..4b731c1249 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,7 +1,6 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.14
-PLUGIN_REVISION=	1
-PLUGIN_DEPENDS=		ddclient-devel
+PLUGIN_VERSION=		1.15
+PLUGIN_DEPENDS=		ddclient-devel py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
 
diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 7afd4b9c47..12aedb288a 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -62,7 +62,7 @@
         <id>account.zone</id>
         <label>Zone</label>
         <type>text</type>
-        <style>optional_setting service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner</style>
+        <style>optional_setting service_aws service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner</style>
         <help>Zone containing the host entry.</help>
     </field>
     <field>
@@ -73,6 +73,13 @@
         <allownew>true</allownew>
         <help>Hostname to update</help>
     </field>
+    <field>
+        <id>account.ttl</id>
+        <label>TTL</label>
+        <type>text</type>
+        <style>optional_setting service_aws</style>
+        <help>Time to Live for the DNS entry</help>
+    </field>
     <field>
         <id>account.checkip</id>
         <label>Check ip method</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 7557c5fe46..5a3b4dd375 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -171,6 +171,12 @@
                     <default>1</default>
                     <Required>Y</Required>
                 </force_ssl>
+                <ttl type="IntegerField">
+                    <default>300</default>
+                    <Required>Y</Required>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>604800</MaximumValue>
+                </ttl>
                 <interface type="InterfaceField">
                     <Required>N</Required>
                     <multiple>N</multiple>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py
new file mode 100644
index 0000000000..7d66b0d196
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py
@@ -0,0 +1,71 @@
+"""
+    AWS Route53 DNS provider
+    Usage:
+      AWS access key: username
+      AWS secret key: password
+      Route53 Hosted Zone ID: resource ID (use advanced settings)
+"""
+import syslog
+import boto3
+from . import BaseAccount
+
+
+class AWS(BaseAccount):
+    _services = ['aws']
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return  AWS._services
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in AWS._services
+
+    def execute(self):
+        """ AWS DNS update
+        """
+
+        if super().execute():
+            if not self.current_address:
+                syslog.syslog(
+                    syslog.LOG_WARNING,
+                    f"No address found for {self.description}"
+                )
+                return False
+            client = boto3.client('route53',
+                                  aws_access_key_id = self.settings.get('username'),
+                                  aws_secret_access_key = self.settings.get('password'))
+            ip = str(self.current_address)
+            if ':' in ip:
+                addrType = 'AAAA'
+            else:
+                addrType = 'A'
+            TTL = self.settings.get('ttl')
+            changeBatch = {
+                'Changes': [{
+                    'Action': 'UPSERT',
+                    'ResourceRecordSet': {
+                        'Name': host,
+                        'Type': addrType,
+                        'TTL': int(TTL),
+                        'ResourceRecords': [{'Value': ip}]
+                    }
+                } for host in self.settings.get('hostnames').split(",")]
+            }
+            try:
+                response = client.change_resource_record_sets(
+                    HostedZoneId = self.settings.get('zone'),
+                    ChangeBatch = changeBatch)
+            except Exception as e:
+                syslog.syslog(syslog.LOG_ERR, str(e))
+                return False
+
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                f"Account {self.description} set new ip {self.current_address}, ID {response['ChangeInfo']['Id']}")
+
+            self.update_state(address=self.current_address)
+            return True
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
index 3e2b8cfed1..97895c8090 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
@@ -24,6 +24,7 @@
           "checkip": "{{ account.checkip }}",
           "checkip_timeout": {{ account.checkip_timeout }},
           "force_ssl": {{ "true" if account.force_ssl  == '1' else "false"}},
+          "ttl": "{{ account.ttl }}",
           "interface": "{%if account.interface %}{{physical_interface(account.interface)}}{% endif%}",
           "description": "{{ account.description }}"
       }{{ "," if not loop.last else ""}}

From fe3fb2c1922cfa37886ccbb1a26d291c1292bc25 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Aug 2023 11:25:04 +0200
Subject: [PATCH 1519/3088] dns/ddclient: add release notes

---
 dns/ddclient/pkg-descr | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index a750396a76..daada4836d 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.15
+
+* Add AWS Route53 to OPNsense backend (contributed by Greg Glockner)
+
 1.14
 
 * Add "post" protocol in custom service type

From 02e7cddf949b2c5d8f9b45f0b62d82292a15ccbf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Aug 2023 11:59:40 +0200
Subject: [PATCH 1520/3088] net/frr: wrap up 1.35 and fix syntax error

---
 net/frr/Makefile                          | 3 +--
 net/frr/pkg-descr                         | 4 ++++
 net/frr/src/etc/inc/plugins.inc.d/frr.inc | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 17444277b7..93dd07444c 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.35
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index e50143c292..0046123c28 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.35
+
+* Added automatic OSPFv3 firewall rules and opt-out automatic rule switch (contributed by Bill Gertz)
+
 1.34
 
 * Add checkbox to log BGP neighbor changes
diff --git a/net/frr/src/etc/inc/plugins.inc.d/frr.inc b/net/frr/src/etc/inc/plugins.inc.d/frr.inc
index d6a0bd2a89..f464480289 100644
--- a/net/frr/src/etc/inc/plugins.inc.d/frr.inc
+++ b/net/frr/src/etc/inc/plugins.inc.d/frr.inc
@@ -86,7 +86,7 @@ function frr_firewall($fw)
                     1,
                     [
                         'descr'          => 'Pass OSPF (autogenerated)',
-                        'from'           => '(self)'
+                        'from'           => '(self)',
                         'to'             => '224.0.0.0/24',
                         'direction'      => 'out'
                     ],

From bbfccfe734d4cdeeeba8852186bf53e102a2f75b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Aug 2023 12:00:49 +0200
Subject: [PATCH 1521/3088] dns/ddclient: fix style and permission

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php      | 2 +-
 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py   | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
index 969d526910..b0b4970803 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
@@ -56,7 +56,7 @@ public function performValidation($validateFullModel = false)
                 continue;
             }
             $srv = (string)$node->server;
-            if  ((string)$node->protocol == 'post') {
+            if ((string)$node->protocol == 'post') {
                 if (empty($srv) || filter_var($srv, FILTER_VALIDATE_URL) === false) {
                     $messages->appendMessage(
                         new Message(
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py
old mode 100644
new mode 100755

From caf466b7a75e8ed1241b52d3c7201c62a5f7682f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Aug 2023 12:01:23 +0200
Subject: [PATCH 1522/3088] security/wazuh-agent: fix style and permission

---
 .../controllers/OPNsense/WazuhAgent/Api/ServiceController.php  | 2 +-
 .../controllers/OPNsense/WazuhAgent/Api/SettingsController.php | 2 +-
 .../app/controllers/OPNsense/WazuhAgent/IndexController.php    | 2 +-
 .../mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml | 2 +-
 .../models/OPNsense/Firewall/static_aliases/wazuh_agent.json   | 2 +-
 .../opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml    | 2 +-
 .../opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml  | 2 +-
 .../opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php | 2 +-
 .../opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml | 2 +-
 .../src/opnsense/scripts/syslog/logformats/wazuhagent.py       | 2 +-
 security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php      | 3 ++-
 .../service/templates/OPNsense/WazuhAgent/opnsense-fw.conf     | 2 +-
 .../WazuhAgent/ossec_config.d/004-localfile-suricata.conf      | 2 +-
 .../templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf   | 2 +-
 14 files changed, 15 insertions(+), 14 deletions(-)
 mode change 100644 => 100755 security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py

diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/ServiceController.php b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/ServiceController.php
index 166a192ef1..9c74d7431d 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/ServiceController.php
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/ServiceController.php
@@ -41,4 +41,4 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceEnabled = 'general.enabled';
     protected static $internalServiceTemplate = 'OPNsense/WazuhAgent';
     protected static $internalServiceName = 'wazuh_agent';
-}
\ No newline at end of file
+}
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/SettingsController.php b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/SettingsController.php
index 2063a57809..68b75e0722 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/SettingsController.php
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/Api/SettingsController.php
@@ -36,4 +36,4 @@ class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'agent';
     protected static $internalModelClass = 'OPNsense\WazuhAgent\WazuhAgent';
-}
\ No newline at end of file
+}
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/IndexController.php b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/IndexController.php
index 5a9b9397f3..11e53e782b 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/IndexController.php
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/IndexController.php
@@ -43,4 +43,4 @@ public function indexAction()
         // choose template
         $this->view->pick('OPNsense/WazuhAgent/index');
     }
-}
\ No newline at end of file
+}
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
index 8be2d81fb7..0253a4fd17 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
@@ -119,4 +119,4 @@
         <type>checkbox</type>
         <help>Enable file integrity monitoring</help>
     </field>
-</form>
\ No newline at end of file
+</form>
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/Firewall/static_aliases/wazuh_agent.json b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/Firewall/static_aliases/wazuh_agent.json
index ecf704abc6..94c0bbb040 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/Firewall/static_aliases/wazuh_agent.json
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/Firewall/static_aliases/wazuh_agent.json
@@ -6,4 +6,4 @@
       "description": "Wazuh Agent blocklist (internal)",
       "content": ""
     }
-}
\ No newline at end of file
+}
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml
index 0108ea9cb8..cb1abc5c3c 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/ACL/ACL.xml
@@ -6,4 +6,4 @@
             <pattern>api/wazuh_agent/*</pattern>
         </patterns>
     </page-services-wazuh_agent>
-</acl>
\ No newline at end of file
+</acl>
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml
index 02191e6042..086ffad92b 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/Menu/Menu.xml
@@ -6,4 +6,4 @@
             <ActiveResponses VisibleName="Logfile / active-responses" order="30" url="/ui/diagnostics/log/wazuhagent/activeresponses" />
         </WazuhAgent>
     </Services>
-</menu>
\ No newline at end of file
+</menu>
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
index add9f8114a..478fb19e48 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
@@ -37,4 +37,4 @@
   */
 class WazuhAgent extends BaseModel
 {
-}
\ No newline at end of file
+}
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
index 1ae35d1e19..9a5b5de72c 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -90,4 +90,4 @@
             </fw_alias_ignore>
         </active_response>
     </items>
-</model>
\ No newline at end of file
+</model>
diff --git a/security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py b/security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py
old mode 100644
new mode 100755
index 1982562918..5a903264a2
--- a/security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py
+++ b/security/wazuh-agent/src/opnsense/scripts/syslog/logformats/wazuhagent.py
@@ -48,4 +48,4 @@ def process_name(self):
 
     @property
     def line(self):
-        return self._line[19:].strip().split(':', 1)[-1]
\ No newline at end of file
+        return self._line[19:].strip().split(':', 1)[-1]
diff --git a/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php b/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
index e294fd7236..edeebf971d 100755
--- a/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
+++ b/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
@@ -1,5 +1,6 @@
 #!/usr/local/bin/php
 <?php
+
 /**
  *    Copyright (C) 2023 Deciso B.V.
  *
@@ -58,4 +59,4 @@
 mkdir("/var/log/wazuhagent/ossec/", 0700, true);
 mkdir("/var/log/wazuhagent/activeresponses/", 0700, true);
 @symlink("/var/ossec/logs/ossec.log", "/var/log/wazuhagent/ossec/ossec_99991231.log");
-@symlink( "/var/ossec/logs/active-responses.log", "/var/log/wazuhagent/activeresponses/activeresponses_99991231.log");
+@symlink("/var/ossec/logs/active-responses.log", "/var/log/wazuhagent/activeresponses/activeresponses_99991231.log");
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
index 073220f8fb..778b549609 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
@@ -1,4 +1,4 @@
 [general]
 {% if not helpers.empty('OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore') and helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore) %}
 skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore).name}}
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/004-localfile-suricata.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/004-localfile-suricata.conf
index ec0b9ffce3..cb627a493a 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/004-localfile-suricata.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/004-localfile-suricata.conf
@@ -6,4 +6,4 @@
   </localfile>
 {% else %}
   <!-- disabled -->
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf
index 649aa02214..562a646294 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/syslog-ng-wazuh-agent.conf
@@ -24,4 +24,4 @@ log {
     filter(f_local_wazuhagent);
     destination(d_local_wazuhagent);
 };
-{% endif %}
\ No newline at end of file
+{% endif %}

From d08fbe37e442ed3090eb8a94faef1afbd7b54d32 Mon Sep 17 00:00:00 2001
From: Greg Glockner <greg@glockners.net>
Date: Thu, 17 Aug 2023 23:02:01 -0700
Subject: [PATCH 1523/3088] dns/ddclient: DuckDNS (#3552)

---
 dns/ddclient/pkg-descr                        |  2 +-
 .../scripts/ddclient/lib/account/aws.py       | 26 +++++-
 .../scripts/ddclient/lib/account/duckdns.py   | 80 +++++++++++++++++++
 3 files changed, 106 insertions(+), 2 deletions(-)
 create mode 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/duckdns.py

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index daada4836d..3cfff7a53e 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -8,7 +8,7 @@ Plugin Changelog
 
 1.15
 
-* Add AWS Route53 to OPNsense backend (contributed by Greg Glockner)
+* Add AWS Route53 and DuckDNS to OPNsense backend (contributed by Greg Glockner)
 
 1.14
 
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py
index 7d66b0d196..e80e4e0377 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/aws.py
@@ -1,9 +1,33 @@
 """
+    Copyright (c) 2023 Greg Glockner <greg@glockners.net>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+    ----------------------------------------------------------------------------------------------------
     AWS Route53 DNS provider
     Usage:
       AWS access key: username
       AWS secret key: password
-      Route53 Hosted Zone ID: resource ID (use advanced settings)
+      Route53 Hosted Zone ID: zone
 """
 import syslog
 import boto3
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/duckdns.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/duckdns.py
new file mode 100755
index 0000000000..185daa112f
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/duckdns.py
@@ -0,0 +1,80 @@
+"""
+    Copyright (c) 2023 Greg Glockner <greg@glockners.net>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+    ----------------------------------------------------------------------------------------------------
+    DuckDNS updater
+    Token should be set via the password field
+"""
+import syslog
+import requests
+from . import BaseAccount
+
+
+class duckdns(BaseAccount):
+    _services = ['duckdns']
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return  duckdns._services
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in duckdns._services
+
+    def execute(self):
+        """ Duck DNS update
+        """
+
+        if super().execute():
+            data = {
+                'domains': self.settings.get('hostnames'),
+                'token': self.settings.get('password')
+            }
+
+            ip = str(self.current_address)
+            if ':' in ip:
+                data['ipv6'] = ip
+            else:
+                data['ip'] = ip
+
+            proto = 'https' if self.settings.get('force_ssl', False) else 'http'
+
+            try:
+                response = requests.get(proto+'://www.duckdns.org/update', data)
+                if response.text.startswith('KO'):
+                    raise RuntimeError(
+                        f"DuckDNS update failed for {self.description} with ip {self.current_address} for domains {data['domains']}, response: {response.text}")
+            except Exception as e:
+                syslog.syslog(syslog.LOG_ERR, str(e))
+                return False
+
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                f"Account {self.description} set new ip {self.current_address} for domains {data['domains']}")
+
+            self.update_state(address=self.current_address)
+            return True

From 1bb7556868843ef2d212f7ae932fec9050ee5ab5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 18 Aug 2023 08:47:13 +0200
Subject: [PATCH 1524/3088] dns/ddclient: fix trailing comma issue with
 disabled accounts

selectattr seems like a good way to fix this.  While here reformat the JSON
and fix an error with empty stats causing a number of API errors being thrown.
---
 .../DynDNS/FieldTypes/AccountField.php        | 48 +++++++-------
 .../templates/OPNsense/ddclient/ddclient.json | 62 +++++++++----------
 2 files changed, 54 insertions(+), 56 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
index ce279e6268..32ec0c854c 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2022 Deciso B.V.
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\DynDNS\FieldTypes;
@@ -49,8 +47,10 @@ private function addStatsFields($node)
         $current_mtime->setInternalIsVirtual();
         if (isset(self::$current_stats[$node->getAttribute('uuid')])) {
             $stats = self::$current_stats[$node->getAttribute('uuid')];
-            $current_ip->setValue($stats['ip']);
-            $current_mtime->setValue(date('c', (int)$stats['mtime']));
+            if (!empty($stats)) {
+                $current_ip->setValue($stats['ip']);
+                $current_mtime->setValue(date('c', (int)$stats['mtime']));
+            }
         } elseif (!empty((string)$node->hostnames)) {
             foreach (explode(",", (string)$node->hostnames) as $hostname) {
                 if (!empty(self::$current_stats[$hostname]) && !empty(self::$current_stats[$hostname]['ip'])) {
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
index 97895c8090..64e0ec7bc1 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
@@ -1,35 +1,33 @@
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {
-  "general": {
-      "enabled": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.enabled') else "false" }},
-      "verbose": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.verbose') else "false" }},
-      "allowipv6": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.allowipv6') else "false" }},
-      "daemon_delay": {{OPNsense.DynDNS.general.daemon_delay|default('300')}}
-  },
-  "accounts": [
-{%  if helpers.exists('OPNsense.DynDNS.accounts.account') %}
-{%     for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
-{%         if account.enabled  == '1' %}
-      {
-          "id": "{{ account['@uuid'] }}",
-          "service": "{{ account.service }}",
-          "protocol": "{{ account.protocol }}",
-          "server": "{{ account.server }}",
-          "resourceId": "{{ account.resourceId }}",
-          "username": "{{ account.username }}",
-          "password": "{{ account.password }}",
-          "hostnames": "{{ account.hostnames }}",
-          "wildcard": {{ "true" if account.wildcard  == '1' else "false"}},
-          "zone": "{{ account.zone }}",
-          "checkip": "{{ account.checkip }}",
-          "checkip_timeout": {{ account.checkip_timeout }},
-          "force_ssl": {{ "true" if account.force_ssl  == '1' else "false"}},
-          "ttl": "{{ account.ttl }}",
-          "interface": "{%if account.interface %}{{physical_interface(account.interface)}}{% endif%}",
-          "description": "{{ account.description }}"
-      }{{ "," if not loop.last else ""}}
-{%         endif %}
-{%     endfor %}
-{%  endif %}
-  ]
+    "general": {
+        "enabled": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.enabled') else "false" }},
+        "verbose": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.verbose') else "false" }},
+        "allowipv6": {{ "true" if not helpers.empty('OPNsense.DynDNS.general.allowipv6') else "false" }},
+        "daemon_delay": {{OPNsense.DynDNS.general.daemon_delay|default('300')}}
+    },
+    "accounts": [
+{% if helpers.exists('OPNsense.DynDNS.accounts.account') %}
+{%   for account in helpers.toList('OPNsense.DynDNS.accounts.account') | selectattr('enabled', 'equalto', '1') %}
+        {
+            "id": "{{ account['@uuid'] }}",
+            "service": "{{ account.service }}",
+            "protocol": "{{ account.protocol }}",
+            "server": "{{ account.server }}",
+            "resourceId": "{{ account.resourceId }}",
+            "username": "{{ account.username }}",
+            "password": "{{ account.password }}",
+            "hostnames": "{{ account.hostnames }}",
+            "wildcard": {{ "true" if account.wildcard == '1' else "false"}},
+            "zone": "{{ account.zone }}",
+            "checkip": "{{ account.checkip }}",
+            "checkip_timeout": {{ account.checkip_timeout }},
+            "force_ssl": {{ "true" if account.force_ssl == '1' else "false"}},
+            "ttl": "{{ account.ttl }}",
+            "interface": "{%if account.interface %}{{physical_interface(account.interface)}}{% endif%}",
+            "description": "{{ account.description }}"
+        }{{ "," if not loop.last else ""}}
+{%   endfor %}
+{% endif %}
+    ]
 }

From 73f1e8611c1662d3e9b0bb2ec8cdef8fd1772c8b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 18 Aug 2023 08:53:26 +0200
Subject: [PATCH 1525/3088] dns/ddclient: release notes

---
 dns/ddclient/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 3cfff7a53e..6b36009ab0 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.15
 
 * Add AWS Route53 and DuckDNS to OPNsense backend (contributed by Greg Glockner)
+* Fix JSON output with disabled trailing accounts and empty stats in AccountField
 
 1.14
 

From a2e956fd8e558bd298fdd2a59de6ebd416442b72 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 18 Aug 2023 08:56:23 +0200
Subject: [PATCH 1526/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index a4baaaaca7..a2ba1d66bc 100644
--- a/LICENSE
+++ b/LICENSE
@@ -22,6 +22,7 @@ Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2023 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2023 Frank Wall
 Copyright (c) 2021 Github-jjw
+Copyright (c) 2023 Greg Glockner <greg@glockners.net>
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021-2023 Jan Winkler
 Copyright (c) 2023 Jeremy Gutierrez

From 9e9be78ee6263c3c377e737b186b893be6747540 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 18 Aug 2023 09:47:12 +0200
Subject: [PATCH 1527/3088] dns/ddclient: "OPNsense" backend renamed to
 "native"

---
 dns/ddclient/pkg-descr                        | 19 ++++++++++---------
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  2 +-
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 6b36009ab0..6c11a28864 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -8,34 +8,35 @@ Plugin Changelog
 
 1.15
 
-* Add AWS Route53 and DuckDNS to OPNsense backend (contributed by Greg Glockner)
+* Add AWS Route53 and DuckDNS to native backend (contributed by Greg Glockner)
 * Fix JSON output with disabled trailing accounts and empty stats in AccountField
+* Rename Python-based "OPNsense" backend to "native" to prevent ambiguity
 
 1.14
 
 * Add "post" protocol in custom service type
 * Add DNSExit API and regfish.de support to ddclient backend
-* Add desec to OPNsense backend (contributed by Clemens Hardewig)
+* Add desec to native backend (contributed by Clemens Hardewig)
 
 1.13
 
-* Fix not returning IP address as a string in Python backend (contributed by Sean Kelly)
-* Fix PID file handling for Python backend
-* Use API token for cloudflare Python backend if available (contributed by juantxorena)
+* Fix not returning IP address as a string in native backend (contributed by Sean Kelly)
+* Fix PID file handling for native backend
+* Use API token for cloudflare native backend if available (contributed by juantxorena)
 * Read proxied attribute from cloudflare hostname and send it back to prevent it being removed
-* Move accounting of "last accessed timestamp" to poller in Python backend
+* Move accounting of "last accessed timestamp" to poller in native backend
 * Change if= use to proper ifv4=/ifv6= use (contributed by Rhys Barrie)
 
 1.12
 
-* Add cloudflare implementation for Python backend (contributed by Thomas Cekal)
-* Allow custom target hostname for dyndns2 protocol in Python backend
+* Add cloudflare implementation for native backend (contributed by Thomas Cekal)
+* Allow custom target hostname for dyndns2 protocol in native backend
 * Adjust for missing ipv6= option including upstream patches for use=/usev4=/usev6=
 * Require a selected interface through validation when interface check method is used
 
 1.11
 
-* Add Python backend support for custom ddclient-like implementation using the same input
+* Add Python-based native backend support for custom ddclient-like implementation using the same input
 * Add AzureDNS backende using OAuth 2.0
 * Add dyndns2 backend using said API
 
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 5a3b4dd375..649ccc3fc9 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -30,7 +30,7 @@
                 <ValidationMessage>A backend is required.</ValidationMessage>
                 <OptionValues>
                     <ddclient>ddclient</ddclient>
-                    <opnsense>OPNsense</opnsense>
+                    <opnsense>native</opnsense>
                 </OptionValues>
             </backend>
         </general>

From 9894a03b79511e12648256e92a9db70522b06a84 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 18 Aug 2023 13:45:47 +0200
Subject: [PATCH 1528/3088] dns/ddclient: add missing dynurl for cloudns;
 closes #3430

* Remove the "default" handling for backend: it was properly migrated and
  is required.  It will make flipping to the native backend easier later.
* Make the ddclient.conf file easier to read: global block, then one block
  for each account.
* Adjust the templating to sprinke missing "\" at the end of the line and
  replace hardcoded values where we can easily use service.name.

Switching back and forth between backends is a bit annoying as the other
backend can break using the correct account data from the other one, because
not all the services are shared equally between the two.

Maybe long term it would be better to build a plugin variant for ddclient
and dyndns so we could revive os-dyndns and just share the code in this one
directory.  The backend switch would then be carried out over which plugin
is installed a bit similar to what WireGuard is doing.
---
 dns/ddclient/pkg-descr                        |  2 ++
 .../templates/OPNsense/ddclient/ddclient.conf | 25 +++++++++----------
 .../OPNsense/ddclient/ddclient_opn.rc.conf.d  |  2 +-
 .../templates/OPNsense/ddclient/rc.conf.d     |  2 +-
 4 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 6c11a28864..361b376249 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -11,6 +11,8 @@ Plugin Changelog
 * Add AWS Route53 and DuckDNS to native backend (contributed by Greg Glockner)
 * Fix JSON output with disabled trailing accounts and empty stats in AccountField
 * Rename Python-based "OPNsense" backend to "native" to prevent ambiguity
+* Fix ClouDNS missing dynurl= parameter
+* Clean up ddclient.conf template
 
 1.14
 
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 4ac621862a..3229e9b569 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -4,10 +4,9 @@ pid=/var/run/ddclient.pid   # record PID in file.
 {% if not helpers.empty('OPNsense.DynDNS.general.verbose') %}
 verbose=yes
 {% endif %}
-
 {%  set accounts = [] %}
 {%  set force_ssl = [] %}
-{%  if helpers.exists('OPNsense.DynDNS.accounts.account') and OPNsense.DynDNS.general.backend|default('ddclient') == 'ddclient' %}
+{%  if helpers.exists('OPNsense.DynDNS.accounts.account') and OPNsense.DynDNS.general.backend == 'ddclient' %}
 {%    for account in helpers.toList('OPNsense.DynDNS.accounts.account') %}
 {%        if account.enabled|default('0') == '1' %}
 {%            do accounts.append(account) %}
@@ -20,8 +19,8 @@ verbose=yes
 {%  if force_ssl %}
 ssl=yes
 {%  endif %}
-
 {%  for account in accounts %}
+
 {%     if account.checkip == 'if' %}
 {%        if not helpers.empty('OPNsense.DynDNS.general.allowipv6') %}
 usev6=ifv6, ifv6={{physical_interface(account.interface)}}, \
@@ -29,38 +28,39 @@ usev6=ifv6, ifv6={{physical_interface(account.interface)}}, \
 usev4=ifv4, ifv4={{physical_interface(account.interface)}}, \
 {%      elif account.checkip.startswith('web_') %}
 {%          if account.interface %}
-use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i {{physical_interface(account.interface)}} -t {{account.force_ssl}} -s {{account.checkip[4:]}} --timeout {{account.checkip_timeout|default('10')}}",
+use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -i {{physical_interface(account.interface)}} -t {{account.force_ssl}} -s {{account.checkip[4:]}} --timeout {{account.checkip_timeout|default('10')}}", \
 {%          else %}
-use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t {{account.force_ssl}} -s {{account.checkip[4:]}} --timeout {{account.checkip_timeout|default('10')}}",
+use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t {{account.force_ssl}} -s {{account.checkip[4:]}} --timeout {{account.checkip_timeout|default('10')}}", \
 {%            endif %}
 {%      endif %}
 {%      if account.service == 'custom' %}
 protocol={{account.protocol}}, \
 server={{account.server}}, \
 {%      elif account.service == 'cloudflare' %}
-protocol=cloudflare, \
+protocol={{account.service}}, \
 zone={{account.zone}}, \
+{%      elif account.service == 'cloudns' %}
+protocol={{account.service}}, \
+dynurl=https://ipv4.cloudns.net/api/dynamicURL/?q={{account.password}}, \
 {%      elif account.service == 'hosting1984' %}
 protocol=1984, \
 {%      elif account.service == 'godaddy' %}
-protocol=godaddy, \
+protocol={{account.service}}, \
 zone={{account.zone}}, \
 {%      elif account.service == 'hetzner' %}
-protocol=hetzner, \
+protocol={{account.service}}, \
 zone={{account.zone}}, \
-{%      elif account.service == 'dnsmadeeasy' %}
-protocol=dnsmadeeasy, \
 {%      elif account.service == 'dns-o-matic' %}
 protocol=dyndns2, \
 server=updates.dnsomatic.com, \
 {%      elif account.service == 'freedns' %}
-protocol=freedns, \
+protocol={{account.service}}, \
 server=freedns.afraid.org, \
 {%      elif account.service == 'dynu' %}
 protocol=dyndns2, \
 server=api.dynu.com, \
 {%      elif account.service == 'gandi' %}
-protocol=gandi
+protocol={{account.service}}, \
 zone={{account.zone}}, \
 {%      elif account.service == 'he-net' %}
 protocol=dyndns2, \
@@ -103,5 +103,4 @@ login={{account.username}}, \
 {%      endif %}
 password={{account.password}} \
 {{account.hostnames}}
-
 {%  endfor %}
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d
index 42ac2302cd..df8079f834 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d
@@ -1,4 +1,4 @@
-{% if not helpers.empty('OPNsense.DynDNS.general.enabled') and OPNsense.DynDNS.general.backend|default('ddclient') == 'opnsense' %}
+{% if not helpers.empty('OPNsense.DynDNS.general.enabled') and OPNsense.DynDNS.general.backend == 'opnsense' %}
 ddclient_opn_enable="YES"
 {% else %}
 ddclient_opn_enable="NO"
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
index 2453343983..dae5683f0f 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
@@ -1,4 +1,4 @@
-{% if not helpers.empty('OPNsense.DynDNS.general.enabled') and OPNsense.DynDNS.general.backend|default('ddclient') == 'ddclient' %}
+{% if not helpers.empty('OPNsense.DynDNS.general.enabled') and OPNsense.DynDNS.general.backend == 'ddclient' %}
 ddclient_enable="YES"
 ddclient_flags="-daemon {{OPNsense.DynDNS.general.daemon_delay|default('300')}}"
 {% else %}

From c6e58ee64813bcd51b8f58fed7851d6ccf3d14af Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 18 Aug 2023 13:55:07 +0200
Subject: [PATCH 1529/3088] dns/ddclient: looks like the default

Configuration variables applicable to the 'freedns' protocol are:
  protocol=freedns             ##
  server=fqdn.of.service       ## defaults to freedns.afraid.org
  login=service-login          ## login name and password registered with the service
  password=service-password    ##
  fully.qualified.host         ## the host registered with the service.
---
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 3229e9b569..5255b43ac9 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -53,9 +53,6 @@ zone={{account.zone}}, \
 {%      elif account.service == 'dns-o-matic' %}
 protocol=dyndns2, \
 server=updates.dnsomatic.com, \
-{%      elif account.service == 'freedns' %}
-protocol={{account.service}}, \
-server=freedns.afraid.org, \
 {%      elif account.service == 'dynu' %}
 protocol=dyndns2, \
 server=api.dynu.com, \

From f5411260300b9da351f4b29389e2806e8f06cf9f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Aug 2023 10:28:50 +0200
Subject: [PATCH 1530/3088] net/wireguard-go: make a copy in preparation for
 kmod improvements

The Go variant will be phased out in 24.1, but for 23.7.x it is retained
as such.  The kmod variant will be improved and rewritten to not require
wg-quick so it might eventually move into the core.
---
 README.md                                     |   3 +-
 net/wireguard-go/Makefile                     |  10 +
 net/wireguard-go/pkg-descr                    |  78 +++++++
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 102 +++++++++
 .../src/etc/rc.syshook.d/start/50-wireguard   |   4 +
 .../Wireguard/Api/ClientController.php        |  70 ++++++
 .../Wireguard/Api/GeneralController.php       | 138 ++++++++++++
 .../Wireguard/Api/ServerController.php        | 108 ++++++++++
 .../Wireguard/Api/ServiceController.php       |  76 +++++++
 .../OPNsense/Wireguard/GeneralController.php  |  40 ++++
 .../forms/dialogEditWireguardClient.xml       |  52 +++++
 .../forms/dialogEditWireguardServer.xml       |  82 ++++++++
 .../OPNsense/Wireguard/forms/general.xml      |   8 +
 .../app/models/OPNsense/Wireguard/ACL/ACL.xml |   9 +
 .../app/models/OPNsense/Wireguard/Client.php  |  31 +++
 .../app/models/OPNsense/Wireguard/Client.xml  |  47 +++++
 .../app/models/OPNsense/Wireguard/General.php |  35 +++
 .../app/models/OPNsense/Wireguard/General.xml |  11 +
 .../models/OPNsense/Wireguard/Menu/Menu.xml   |   5 +
 .../app/models/OPNsense/Wireguard/Server.php  |  31 +++
 .../app/models/OPNsense/Wireguard/Server.xml  |  77 +++++++
 .../app/views/OPNsense/Wireguard/general.volt | 199 ++++++++++++++++++
 .../scripts/OPNsense/Wireguard/genkey.sh      |  55 +++++
 .../scripts/OPNsense/Wireguard/post.sh        |  11 +
 .../OPNsense/Wireguard/resolve-dns.bash       |  45 ++++
 .../scripts/OPNsense/Wireguard/setup.sh       |   4 +
 .../conf/actions.d/actions_wireguard.conf     |  43 ++++
 .../templates/OPNsense/Wireguard/+TARGETS     |   2 +
 .../templates/OPNsense/Wireguard/wireguard    |  15 ++
 .../OPNsense/Wireguard/wireguard-server.conf  |  53 +++++
 .../src/www/widgets/include/wireguard.inc     |   4 +
 .../www/widgets/widgets/wireguard.widget.php  | 120 +++++++++++
 net/wireguard/Makefile                        |  12 +-
 33 files changed, 1570 insertions(+), 10 deletions(-)
 create mode 100644 net/wireguard-go/Makefile
 create mode 100644 net/wireguard-go/pkg-descr
 create mode 100644 net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
 create mode 100755 net/wireguard-go/src/etc/rc.syshook.d/start/50-wireguard
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
 create mode 100644 net/wireguard-go/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
 create mode 100755 net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
 create mode 100755 net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/post.sh
 create mode 100755 net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
 create mode 100755 net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
 create mode 100644 net/wireguard-go/src/opnsense/service/conf/actions.d/actions_wireguard.conf
 create mode 100644 net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
 create mode 100644 net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
 create mode 100644 net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
 create mode 100644 net/wireguard-go/src/www/widgets/include/wireguard.inc
 create mode 100644 net/wireguard-go/src/www/widgets/widgets/wireguard.widget.php

diff --git a/README.md b/README.md
index 4ae696ebae..0abae3c9f8 100644
--- a/README.md
+++ b/README.md
@@ -66,7 +66,8 @@ net/tayga -- Tayga NAT64
 net/udpbroadcastrelay -- Control ubpbroadcastrelay processes
 net/upnp -- Universal Plug and Play Service
 net/vnstat -- Network traffic monitor
-net/wireguard -- WireGuard VPN service
+net/wireguard -- WireGuard VPN service kernel implementation
+net/wireguard-go -- WireGuard VPN service Go implementation (pending removal)
 net/wol -- Wake on LAN Service
 net/zerotier -- Virtual Networks That Just Work
 net-mgmt/collectd -- Collect system and application performance metrics periodically
diff --git a/net/wireguard-go/Makefile b/net/wireguard-go/Makefile
new file mode 100644
index 0000000000..4215a2f196
--- /dev/null
+++ b/net/wireguard-go/Makefile
@@ -0,0 +1,10 @@
+PLUGIN_NAME=		wireguard-go
+PLUGIN_VERSION=		1.13
+PLUGIN_REVISION=	7
+PLUGIN_COMMENT=		WireGuard VPN service Go implementation
+PLUGIN_CONFLICTS=	wireguard
+PLUGIN_OBSOLETE=	yes
+PLUGIN_DEPENDS=		wireguard-go wireguard-tools 
+PLUGIN_MAINTAINER=	m.muenz@gmail.com
+
+.include "../../Mk/plugins.mk"
diff --git a/net/wireguard-go/pkg-descr b/net/wireguard-go/pkg-descr
new file mode 100644
index 0000000000..5d84964c92
--- /dev/null
+++ b/net/wireguard-go/pkg-descr
@@ -0,0 +1,78 @@
+WireGuard® is an extremely simple yet fast and modern VPN
+that utilizes state-of-the-art cryptography. It aims to be
+faster, simpler, leaner, and more useful than IPSec, while
+avoiding the massive headache. It intends to be considerably
+more performant than OpenVPN. WireGuard is designed as a
+general purpose VPN for running on embedded interfaces and
+super computers alike, fit for many different circumstances.
+Initially released for the Linux kernel, it is now
+cross-platform and widely deployable. It is currently under
+heavy development, but already it might be regarded as the
+most secure, easiest to use, and simplest VPN solution in
+the industry.
+
+WWW: https://www.wireguard.com/
+
+Changelog
+---------
+
+1.13
+
+* Reworked widget and assorted cleanups (contributed by Patrik Kernstock)
+* Improve widget public key overlapping (contributed by Victor Haggqvist)
+
+1.12
+
+* Adjust validation for naming local instance and endpoints
+
+1.11
+
+* Add script for renewal of Wireguard DNS-based entries for stale connections (#2956)
+* Trim whitespace around new public and private keys in config (#2982)
+
+1.10
+
+* Remove instance limit
+
+1.9
+
+* Rename interface label in filter rules (#2577)
+
+1.8
+
+* Empty port in Endpoint is allowed
+
+1.7
+
+* Make tunnel address (wg interface address) optional
+
+1.6
+
+* Move DNS setting to advanced
+* Make listen port optional
+
+1.5
+
+* Allow synchronization of config
+
+1.4
+
+* Add IPv6 gateway support (contributed by Alexander Korinek)
+
+1.3
+
+* Client/peer name validation to use HostnameField
+
+1.2
+
+* Dashboard widget (contributed by D. Domig)
+
+1.1
+
+* Allow adding interface route for PBR
+
+1.0
+
+* Support for most features like S2S, Roadwarrior
+* DNS, MTU, PSK
+* Allow to disable setting routes for PBR
diff --git a/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
new file mode 100644
index 0000000000..cc1e49ee8d
--- /dev/null
+++ b/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -0,0 +1,102 @@
+<?php
+
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function wireguard_enabled()
+{
+    $model = new \OPNsense\Wireguard\General();
+    return (string)$model->enabled == '1';
+}
+
+function wireguard_services()
+{
+    $services = [];
+
+    if (!wireguard_enabled()) {
+        return $services;
+    }
+
+    $service = [
+        'description' => gettext('WireGuard VPN'),
+        'configd' => [
+            'restart' => ['wireguard restart'],
+            'start' => ['wireguard start'],
+            'stop' => ['wireguard stop'],
+        ],
+        'name' => 'wireguard-go',
+    ];
+
+    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
+        $service['name'] = 'wireguard';
+        $service['nocheck'] = true;
+    }
+
+    $services[] = $service;
+
+    return $services;
+}
+
+function wireguard_interfaces()
+{
+    $interfaces = [];
+
+    if (!wireguard_enabled()) {
+        return $interfaces;
+    }
+
+    $interfaces['wireguard'] = [
+        'descr' => gettext('WireGuard (Group)'),
+        'if' => 'wireguard',
+        'virtual' => true,
+        'enable' => true,
+        'type' => 'group',
+        'networks' => [],
+    ];
+
+    return $interfaces;
+}
+
+function wireguard_xmlrpc_sync()
+{
+    $result = [];
+
+    $result['id'] = 'wireguard';
+    $result['section'] = 'OPNsense.wireguard';
+    $result['description'] = gettext('WireGuard');
+    $result['services'] = ['wireguard-go'];
+
+    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
+        $result['services'] = ['wireguard'];
+    }
+
+    return [$result];
+}
+
+function wireguard_devices()
+{
+    return [['pattern' => '^wg', 'volatile' => true]];
+}
diff --git a/net/wireguard-go/src/etc/rc.syshook.d/start/50-wireguard b/net/wireguard-go/src/etc/rc.syshook.d/start/50-wireguard
new file mode 100755
index 0000000000..78ab228040
--- /dev/null
+++ b/net/wireguard-go/src/etc/rc.syshook.d/start/50-wireguard
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# start again to fix problems with failed name resolution (no need to restart)
+configctl -dq wireguard start
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
new file mode 100644
index 0000000000..ae7d84660d
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
@@ -0,0 +1,70 @@
+<?php
+
+/**
+ *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Wireguard\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class ClientController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'client';
+    protected static $internalModelClass = '\OPNsense\Wireguard\Client';
+
+    public function searchClientAction()
+    {
+        return $this->searchBase('clients.client', array("enabled", "name", "pubkey", "tunneladdress", "serveraddress", "serverport"));
+    }
+
+    public function getClientAction($uuid = null)
+    {
+        $this->sessionClose();
+        return $this->getBase('client', 'clients.client', $uuid);
+    }
+
+    public function addClientAction()
+    {
+        return $this->addBase('client', 'clients.client');
+    }
+
+    public function delClientAction($uuid)
+    {
+        return $this->delBase('clients.client', $uuid);
+    }
+
+    public function setClientAction($uuid)
+    {
+        return $this->setBase('client', 'clients.client', $uuid);
+    }
+
+    public function toggleClientAction($uuid)
+    {
+        return $this->toggleBase('clients.client', $uuid);
+    }
+}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
new file mode 100644
index 0000000000..1aca5548df
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
@@ -0,0 +1,138 @@
+<?php
+
+/**
+ *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ *    Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Wireguard\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+use OPNsense\Core\Backend;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = '\OPNsense\Wireguard\General';
+    protected static $internalModelName = 'general';
+
+    public function getStatusAction()
+    {
+        // get wireguard configuration
+        $config = Config::getInstance()->object();
+        $config = $config->OPNsense->wireguard;
+
+        // craft peers array
+        $peers = [];
+        $peers_uuid_pubkey = [];
+        // enabled, name, pubkey
+        foreach ($config->client->clients->client as $client) {
+            $peerUuid = (string)$client->attributes()['uuid'];
+            $peers_uuid_pubkey[$peerUuid] = (string) $client->pubkey;
+            $peers[$peerUuid] = [
+                "name"      => (string)  $client->name,
+                "enabled"   => (int) $client->enabled,
+                "publicKey" => (string)  $client->pubkey,
+            ];
+        }
+
+        // prepare and initialize the server array
+        $status = [];
+        $peer_pubkey_reference = [];
+        foreach ($config->server->servers->server as $server) {
+            if ($server->enabled != "1") {
+                continue;
+            }
+
+            // build basic server array
+            $interface = "wg" . $server->instance;
+            $status[$interface] = [
+                "instance"  => (int) $server->instance,
+                "interface" => (string)  $interface,
+                "enabled"   => (int) $server->enabled,
+                "name"      => (string)  $server->name,
+                "peers"     => [],
+            ];
+
+            // parse and add peers with initial values to array
+            if (strlen($server->peers) > 0) {
+                // there is at least one peer defined
+                $serverPeers = explode(",", (string) $server->peers);
+                // iteriate over each peer uuid
+                foreach ($serverPeers as $peerUuid) {
+                    // skipping removed peer that is still referenced in server
+                    if (!isset($peers[$peerUuid])) {
+                        continue;
+                    }
+                    // remember interface and pubkey <> peer-uuid reference for referencing handshake logic below
+                    $peer_pubkey_reference[$interface][$peers_uuid_pubkey[$peerUuid]] = $peerUuid;
+                    // merge peer info and initial values for handshake data
+                    $status[$interface]["peers"][$peerUuid] = array_merge(
+                        $peers[$peerUuid],
+                        [
+                            "lastHandshake" => "0000-00-00 00:00:00+00:00",
+                        ]
+                    );
+                }
+            }
+        }
+
+        // Get latest handshakes by running CLI command locally
+        $data = (new Backend())->configdRun("wireguard showhandshake");
+
+        // parse and set handshake to status datastructure
+        $data = trim($data);
+        if (strlen($data) !== 0) {
+            $wgHandshakes = explode("\n", $data);
+            foreach ($wgHandshakes as $handshake) {
+                $item = explode("\t", trim($handshake));
+
+                // set interface name and publickey
+                $interface = trim($item[0]);
+                $pubkey = trim($item[1]);
+
+                // calculate handshake time based on local timezone
+                $epoch = $item[2];
+                if ($epoch > 0) {
+                    $dt = new \DateTime("@$epoch");
+                    $dt->setTimezone(new \DateTimeZone(date_default_timezone_get()));
+                    $latest = $dt->format("Y-m-d H:i:sP");
+
+                    // set handshake
+                    $peerUuid = $peer_pubkey_reference[$interface][$pubkey];
+                    if (!empty($peerUuid)) {
+                        $status[$interface]["peers"][$peerUuid]["lastHandshake"] = $latest;
+                    }
+                }
+            }
+        }
+
+        return [
+            "items" => $status
+        ];
+    }
+}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
new file mode 100644
index 0000000000..5bf57767a9
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
@@ -0,0 +1,108 @@
+<?php
+
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Wireguard\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+
+class ServerController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'server';
+    protected static $internalModelClass = '\OPNsense\Wireguard\Server';
+
+    public function searchServerAction()
+    {
+        $search = $this->searchBase('servers.server', array("enabled", "instance", "peers", "name", "networks", "pubkey", "port", "tunneladdress"));
+        // prepend "wg" to all instance IDs to use as interface name
+        foreach ($search["rows"] as $key => $server) {
+            $search["rows"][$key]["interface"] = "wg" . $server["instance"];
+        }
+        return $search;
+    }
+
+    public function getServerAction($uuid = null)
+    {
+        $this->sessionClose();
+        return $this->getBase('server', 'servers.server', $uuid);
+    }
+
+    public function addServerAction($uuid = null)
+    {
+        if ($this->request->isPost() && $this->request->hasPost("server")) {
+            if ($uuid != null) {
+                $node = $this->getModel()->getNodeByReference('servers.server.' . $uuid);
+            } else {
+                $node = $this->getModel()->servers->server->Add();
+            }
+            $node->setNodes($this->request->getPost("server"));
+            if (empty((string)$node->pubkey) && empty((string)$node->privkey)) {
+                // generate new keypair
+                $backend = new Backend();
+                $keyspriv = $backend->configdpRun("wireguard genkey", 'private');
+                $keyspub = $backend->configdpRun("wireguard genkey", 'public');
+                $node->privkey = trim($keyspriv);
+                $node->pubkey = trim($keyspub);
+            }
+            return $this->validateAndSave($node, 'server');
+        }
+        return array("result" => "failed");
+    }
+
+    public function delServerAction($uuid)
+    {
+        return $this->delBase('servers.server', $uuid);
+    }
+
+    public function setServerAction($uuid = null)
+    {
+        if ($this->request->isPost() && $this->request->hasPost("server")) {
+            if ($uuid != null) {
+                $node = $this->getModel()->getNodeByReference('servers.server.' . $uuid);
+            } else {
+                $node = $this->getModel()->servers->server->Add();
+            }
+            $node->setNodes($this->request->getPost("server"));
+            if (empty((string)$node->pubkey) && empty((string)$node->privkey)) {
+                // generate new keypair
+                $backend = new Backend();
+                $keyspriv = $backend->configdpRun("wireguard genkey", 'private');
+                $keyspub = $backend->configdpRun("wireguard genkey", 'public');
+                $node->privkey = trim($keyspriv);
+                $node->pubkey = trim($keyspub);
+            }
+            return $this->validateAndSave($node, 'server');
+        }
+        return array("result" => "failed");
+    }
+
+    public function toggleServerAction($uuid)
+    {
+        return $this->toggleBase('servers.server', $uuid);
+    }
+}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
new file mode 100644
index 0000000000..627911beb4
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
@@ -0,0 +1,76 @@
+<?php
+
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Wireguard\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Wireguard\General;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\Wireguard
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Wireguard\General';
+    protected static $internalServiceTemplate = 'OPNsense/Wireguard';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'wireguard';
+
+    /**
+     * hook group interface registration on reconfigure
+     * @return bool
+     */
+    protected function invokeInterfaceRegistration()
+    {
+        return true;
+    }
+
+    /**
+     * show wireguard config
+     * @return array
+     */
+    public function showconfAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("wireguard showconf");
+        return array("response" => $response);
+    }
+
+    /**
+     * show wireguard handshakes
+     * @return array
+     */
+    public function showhandshakeAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun("wireguard showhandshake");
+        return array("response" => $response);
+    }
+}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
new file mode 100644
index 0000000000..404fce6823
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Wireguard;
+
+class GeneralController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->formDialogEditWireguardClient = $this->getForm("dialogEditWireguardClient");
+        $this->view->formDialogEditWireguardServer = $this->getForm("dialogEditWireguardServer");
+        $this->view->pick('OPNsense/Wireguard/general');
+    }
+}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
new file mode 100644
index 0000000000..231e9c692a
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
@@ -0,0 +1,52 @@
+<form>
+    <field>
+        <id>client.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the client config.</help>
+    </field>
+    <field>
+        <id>client.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Set the name for this instance.</help>
+    </field>
+    <field>
+        <id>client.pubkey</id>
+        <label>Public Key</label>
+        <type>text</type>
+        <help>Public key of this instance.</help>
+    </field>
+    <field>
+        <id>client.psk</id>
+        <label>Shared Secret</label>
+        <type>text</type>
+        <help>Shared secret (PSK) for this peer. You can generate a key using "wg genpsk" on a client with WireGuard installed.</help>
+    </field>
+    <field>
+        <id>client.tunneladdress</id>
+        <label>Allowed IPs</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>List of addresses allowed to pass trough the tunnel adapter. Please use CIDR notation like 10.0.0.1/24.</help>
+    </field>
+    <field>
+        <id>client.serveraddress</id>
+        <label>Endpoint Address</label>
+        <type>text</type>
+        <help>Set public IP address the endpoint listens to.</help>
+    </field>
+    <field>
+        <id>client.serverport</id>
+        <label>Endpoint Port</label>
+        <type>text</type>
+        <help>Set port the endpoint listens to.</help>
+    </field>
+    <field>
+        <id>client.keepalive</id>
+        <label>Keepalive Interval</label>
+        <type>text</type>
+        <help>Set persistent keepalive interval in seconds.</help>
+    </field>
+</form>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
new file mode 100644
index 0000000000..eff1f9504c
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
@@ -0,0 +1,82 @@
+<form>
+    <field>
+        <id>server.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the server config.</help>
+    </field>
+    <field>
+        <id>server.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Set the name for this instance.</help>
+    </field>
+    <field>
+        <id>server.instance</id>
+        <label>Instance</label>
+        <type>info</type>
+        <help>This is the instance number to give the wg interface a unique name (wgX).</help>
+    </field>
+    <field>
+        <id>server.pubkey</id>
+        <label>Public Key</label>
+        <type>text</type>
+        <help>Public key of this instance. You can specify your own one, or a key will be generated after saving.</help>
+    </field>
+    <field>
+        <id>server.privkey</id>
+        <label>Private Key</label>
+        <type>text</type>
+        <help>Private key of this instance. You can specify your own one, or a key will be generated after saving. Please keep this key safe.</help>
+    </field>
+    <field>
+        <id>server.port</id>
+        <label>Listen Port</label>
+        <type>text</type>
+        <help>Optionally set a fixed port for this instance to listen on. The standard port range starts at 51820.</help>
+    </field>
+    <field>
+        <id>server.mtu</id>
+        <label>MTU</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the interface MTU for this interface. Leaving empty uses the MTU from main interface which is fine for most setups.</help>
+    </field>
+    <field>
+        <id>server.dns</id>
+        <label>DNS Server</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <advanced>true</advanced>
+        <help>Set the interface specific DNS server.</help>
+    </field>
+    <field>
+        <id>server.tunneladdress</id>
+        <label>Tunnel Address</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>List of addresses to configure on the tunnel adapter. Please use CIDR notation like 10.0.0.1/24.</help>
+    </field>
+    <field>
+        <id>server.peers</id>
+        <label>Peers</label>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>List of peers for this server.</help>
+    </field>
+    <field>
+        <id>server.disableroutes</id>
+        <label>Disable Routes</label>
+        <type>checkbox</type>
+        <help>This will prevent installing routes. Usually you only enable this to do own routing decisions via a local gateway and gateway rules.</help>
+    </field>
+    <field>
+        <id>server.gateway</id>
+        <label>Gateway</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the gateway IP here when using Disable Routes feature. You also have to add this as a gateway in OPNsense.</help>
+    </field>
+</form>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
new file mode 100644
index 0000000000..7a74ebf81b
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
@@ -0,0 +1,8 @@
+<form>
+    <field>
+        <id>general.enabled</id>
+        <label>Enable WireGuard</label>
+        <type>checkbox</type>
+        <help>This will activate WireGuard and start all enabled instances.</help>
+    </field>
+</form>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
new file mode 100644
index 0000000000..21012db805
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+   <page-wireguard-config>
+      <name>VPN: Wireguard</name>
+      <patterns>
+         <pattern>ui/wireguard/*</pattern>
+         <pattern>api/wireguard/*</pattern>
+      </patterns>
+   </page-wireguard-config>
+</acl>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
new file mode 100644
index 0000000000..b069a766d4
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
@@ -0,0 +1,31 @@
+<?php
+
+/*
+    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Wireguard;
+
+use OPNsense\Base\BaseModel;
+
+class Client extends BaseModel
+{
+}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
new file mode 100644
index 0000000000..69527a433a
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -0,0 +1,47 @@
+<model>
+    <mount>//OPNsense/wireguard/client</mount>
+    <description>Wireguard Client configuration</description>
+    <version>0.0.7</version>
+    <items>
+        <clients>
+            <client type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <default></default>
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
+                </name>
+                <pubkey type="Base64Field">
+                    <Required>Y</Required>
+                    <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
+                </pubkey>
+                <psk type="Base64Field">
+                    <Required>N</Required>
+                    <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
+                </psk>
+                <tunneladdress type="NetworkField">
+                    <default></default>
+                    <FieldSeparator>,</FieldSeparator>
+                    <Required>Y</Required>
+                    <asList>Y</asList>
+                </tunneladdress>
+                <serveraddress type="HostnameField">
+                    <Required>N</Required>
+                </serveraddress>
+                <serverport type="PortField">
+                    <Required>N</Required>
+                </serverport>
+                <keepalive type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>86400</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 86400.</ValidationMessage>
+                    <Required>N</Required>
+                </keepalive>
+            </client>
+        </clients>
+    </items>
+</model>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
new file mode 100644
index 0000000000..6caf9eabaf
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Wireguard;
+
+use OPNsense\Base\BaseModel;
+
+class General extends BaseModel
+{
+}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
new file mode 100644
index 0000000000..432fd654c2
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
@@ -0,0 +1,11 @@
+<model>
+    <mount>//OPNsense/wireguard/general</mount>
+    <description>WireGuard configuration</description>
+    <version>0.0.1</version>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+    </items>
+</model>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
new file mode 100644
index 0000000000..a2934e1b07
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
@@ -0,0 +1,5 @@
+<menu>
+    <VPN>
+      <WireGuard cssClass="fa fa-lock fa-fw" url="/ui/wireguard/general/index" order="150" />
+    </VPN>
+</menu>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
new file mode 100644
index 0000000000..8fccdd577e
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
@@ -0,0 +1,31 @@
+<?php
+
+/*
+    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Wireguard;
+
+use OPNsense\Base\BaseModel;
+
+class Server extends BaseModel
+{
+}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
new file mode 100644
index 0000000000..476091d238
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -0,0 +1,77 @@
+<model>
+    <mount>//OPNsense/wireguard/server</mount>
+    <description>Wireguard Server configuration</description>
+    <version>0.0.4</version>
+    <items>
+        <servers>
+            <server type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <default></default>
+                    <Required>Y</Required>
+                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
+                </name>
+                <instance type="AutoNumberField">
+                    <Required>Y</Required>
+                </instance>
+                <pubkey type="TextField">
+                    <Required>N</Required>
+                </pubkey>
+                <privkey type="TextField">
+                    <Required>N</Required>
+                </privkey>
+                <port type="PortField">
+                    <Required>N</Required>
+                </port>
+                <mtu type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>9300</MaximumValue>
+                    <Required>N</Required>
+                </mtu>
+                <dns type="CSVListField">
+                    <Required>N</Required>
+                    <mask>/^([a-fA-F0-9\.:\[\]]*?,)*([a-fA-F0-9\.:\[\]]*)$/</mask>
+                    <ValidationMessage>Please use valid IPv4 or IPv6 addresses.</ValidationMessage>
+                </dns>
+                <tunneladdress type="NetworkField">
+                    <default></default>
+                    <FieldSeparator>,</FieldSeparator>
+                    <Required>N</Required>
+                    <asList>Y</asList>
+                </tunneladdress>
+                <disableroutes type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>You have to enable Disable Routes option.</ValidationMessage>
+                            <type>DependConstraint</type>
+                            <addFields>
+                                <field1>gateway</field1>
+                            </addFields>
+                        </check001>
+                    </Constraints>
+                </disableroutes>
+                <gateway type="NetworkField">
+                    <Required>N</Required>
+                </gateway>
+                <peers type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.Wireguard.Client</source>
+                            <items>clients.client</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                    <Required>N</Required>
+                    <ValidationMessage>Choose an Peer.</ValidationMessage>
+                </peers>
+            </server>
+        </servers>
+    </items>
+</model>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard-go/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
new file mode 100644
index 0000000000..8b0accd2d6
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -0,0 +1,199 @@
+{#
+ # OPNsense (c) 2014-2018 by Deciso B.V.
+ # OPNsense (c) 2018 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#servers">{{ lang._('Local') }}</a></li>
+    <li><a data-toggle="tab" href="#clients">{{ lang._('Endpoints') }}</a></li>
+    <li><a data-toggle="tab" href="#showconf">{{ lang._('Status') }}</a></li>
+    <li><a data-toggle="tab" href="#showhandshake">{{ lang._('Handshakes') }}</a></li>
+</ul>
+
+<div class="tab-content content-box tab-content">
+    <div id="general" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+            <div class="col-md-12">
+                <hr />
+                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+            </div>
+        </div>
+    </div>
+    <div id="clients" class="tab-pane fade in">
+        <table id="grid-clients" class="table table-responsive" data-editDialog="dialogEditWireguardClient">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="serveraddress" data-type="string" data-visible="true">{{ lang._('Endpoint Address') }}</th>
+                    <th data-column-id="serverport" data-type="string" data-visible="true">{{ lang._('Endpoint Port') }}</th>
+                    <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Allowed IPs') }}</th>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="6"></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+        <div class="col-md-12">
+            <hr />
+            <button class="btn btn-primary" id="saveAct_client" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_client_progress"></i></button>
+            <br /><br />
+        </div>
+    </div>
+    <div id="servers" class="tab-pane fade in">
+        <table id="grid-servers" class="table table-responsive" data-editDialog="dialogEditWireguardServer">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="interface" data-type="string" data-visible="true">{{ lang._('Interface') }}</th>
+                    <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Tunnel Address') }}</th>
+                    <th data-column-id="port" data-type="string" data-visible="true">{{ lang._('Port') }}</th>
+                    <th data-column-id="peers" data-type="string" data-visible="true">{{ lang._('Endpoints') }}</th>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="7"></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+        <div class="col-md-12">
+            <hr />
+            <button class="btn btn-primary" id="saveAct_server" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_server_progress"></i></button>
+            <br /><br />
+        </div>
+    </div>
+    <div id="showconf" class="tab-pane fade in">
+      <pre id="listshowconf"></pre>
+    </div>
+    <div id="showhandshake" class="tab-pane fade in">
+      <pre id="listshowhandshake"></pre>
+    </div>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardClient,'id':'dialogEditWireguardClient','label':lang._('Edit Endpoint')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardServer,'id':'dialogEditWireguardServer','label':lang._('Edit Local Configuration')])}}
+
+<script>
+
+// Put API call into a function, needed for auto-refresh
+function update_showconf() {
+    ajaxCall(url="/api/wireguard/service/showconf", sendData={}, callback=function(data,status) {
+        $("#listshowconf").text(data['response']);
+    });
+}
+
+function update_showhandshake() {
+    ajaxCall(url="/api/wireguard/service/showhandshake", sendData={}, callback=function(data,status) {
+        $("#listshowhandshake").text(data['response']);
+    });
+}
+
+$( document ).ready(function() {
+    var data_get_map = {'frm_general_settings':"/api/wireguard/general/get"};
+    mapDataToFormUI(data_get_map).done(function(data){
+        formatTokenizersUI();
+        $('.selectpicker').selectpicker('refresh');
+    });
+
+    $("#grid-clients").UIBootgrid(
+        {
+            'search':'/api/wireguard/client/searchClient',
+            'get':'/api/wireguard/client/getClient/',
+            'set':'/api/wireguard/client/setClient/',
+            'add':'/api/wireguard/client/addClient/',
+            'del':'/api/wireguard/client/delClient/',
+            'toggle':'/api/wireguard/client/toggleClient/'
+        }
+    );
+
+    $("#grid-servers").UIBootgrid(
+        {
+            'search':'/api/wireguard/server/searchServer',
+            'get':'/api/wireguard/server/getServer/',
+            'set':'/api/wireguard/server/setServer/',
+            'add':'/api/wireguard/server/addServer/',
+            'del':'/api/wireguard/server/delServer/',
+            'toggle':'/api/wireguard/server/toggleServer/'
+        }
+    );
+
+    // Call update funcs once when page loaded
+    update_showconf();
+    update_showhandshake();
+
+    // Call function update_neighbor with a auto-refresh of 5 seconds
+    setInterval(update_showconf, 5000);
+    setInterval(update_showhandshake, 5000);
+
+    $("#saveAct").click(function(){
+        saveFormToEndpoint(url="/api/wireguard/general/set", formid='frm_general_settings',callback_ok=function(){
+        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
+                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+            });
+        });
+    });
+
+    $("#saveAct_client").click(function(){
+        saveFormToEndpoint(url="/api/wireguard/client/set", formid='frm_general_settings',callback_ok=function(){
+        $("#saveAct_client_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
+                $("#saveAct_client_progress").removeClass("fa fa-spinner fa-pulse");
+            });
+        });
+    });
+
+    $("#saveAct_server").click(function(){
+        saveFormToEndpoint(url="/api/wireguard/server/set", formid='frm_general_settings',callback_ok=function(){
+        $("#saveAct_server_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
+                $("#saveAct_server_progress").removeClass("fa fa-spinner fa-pulse");
+            });
+        });
+    });
+
+});
+</script>
diff --git a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
new file mode 100755
index 0000000000..b580bf49dc
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# Copyright (c) 2018 Michael Muenz <m.muenz@gmail.com>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+TMPDIR="/tmp"
+GENPRIV="/usr/local/bin/wg genkey"
+GENPUB="/usr/local/bin/wg pubkey"
+
+cleanup() {
+	# Delete old files
+	rm -f $TMPDIR/wireguard.*
+}
+
+private() {
+	# Generate a private key and put it to /tmp
+	umask 077 && ${GENPRIV} | tee ${TMPDIR}/wireguard.priv
+}
+
+public() {
+	# Generate a public key and put it to /tmp
+	${GENPUB} < ${TMPDIR}/wireguard.priv | tee ${TMPDIR}/wireguard.pub
+}
+
+case "$1" in
+private)
+	cleanup
+	private
+	;;
+public)
+	public
+	;;
+esac
diff --git a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/post.sh b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/post.sh
new file mode 100755
index 0000000000..375ca38359
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/post.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ -f /etc/rc.conf.d/wireguard ]; then
+	. /etc/rc.conf.d/wireguard
+fi
+
+for interface in ${wireguard_interfaces}; do
+	ifconfig ${interface} group wireguard
+done
+
+/usr/local/etc/rc.routing_configure
diff --git a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
new file mode 100755
index 0000000000..b7faf881ad
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
@@ -0,0 +1,45 @@
+#!/usr/local/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+
+set -e
+shopt -s nocasematch
+shopt -s extglob
+export LC_ALL=C
+
+for CONFIG_FILE in /usr/local/etc/wireguard/*.conf; do
+
+    [[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]]
+    INTERFACE="${BASH_REMATCH[1]}"
+
+    process_peer() {
+        [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
+        [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\	([0-9]+) ]] || return 0
+        (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
+        wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
+        reset_peer_section
+    }
+
+    reset_peer_section() {
+        PEER_SECTION=0
+        PUBLIC_KEY=""
+        ENDPOINT=""
+    }
+
+    reset_peer_section
+    while read -r line || [[ -n $line ]]; do
+        stripped="${line%%\#*}"
+        key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
+        value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
+        [[ $key == "["* ]] && { process_peer; reset_peer_section; }
+        [[ $key == "[Peer]" ]] && PEER_SECTION=1
+        if [[ $PEER_SECTION -eq 1 ]]; then
+            case "$key" in
+                PublicKey) PUBLIC_KEY="$value"; continue ;;
+                Endpoint) ENDPOINT="$value"; continue ;;
+            esac
+        fi
+    done < "$CONFIG_FILE"
+    process_peer
+done
diff --git a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/setup.sh b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
new file mode 100755
index 0000000000..75ba580c99
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+mkdir -p /var/run/wireguard
+chmod 755 /var/run/wireguard
diff --git a/net/wireguard-go/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard-go/src/opnsense/service/conf/actions.d/actions_wireguard.conf
new file mode 100644
index 0000000000..b2b96828f2
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -0,0 +1,43 @@
+[start]
+command:/usr/local/etc/rc.d/wireguard start; /usr/local/opnsense/scripts/OPNsense/Wireguard/post.sh
+parameters:
+type:script
+message:Starting WireGuard
+
+[stop]
+command:/usr/local/etc/rc.d/wireguard stop
+parameters:
+type:script
+message:Stopping WireGuard
+
+[restart]
+command:/usr/local/etc/rc.d/wireguard restart; /usr/local/opnsense/scripts/OPNsense/Wireguard/post.sh
+parameters:
+type:script
+message:Restarting WireGuard
+description: Restart WireGuard
+
+[renew]
+command:/usr/local/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
+parameters:
+type:script
+message:Renew DNS for WireGuard
+description:Renew DNS for WireGuard on stale connections
+
+[genkey]
+command:/usr/local/opnsense/scripts/OPNsense/Wireguard/genkey.sh
+parameters: %s
+type:script_output
+message:Generating WireGuard keys
+
+[showconf]
+command:/usr/local/bin/wg show all
+parameters:
+type:script_output
+message:Show WireGuard config
+
+[showhandshake]
+command:/usr/local/bin/wg show all latest-handshakes
+parameters:
+type:script_output
+message:Show WireGuard handshakes
diff --git a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
new file mode 100644
index 0000000000..655def7d10
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
@@ -0,0 +1,2 @@
+wireguard:/etc/rc.conf.d/wireguard
+wireguard-server.conf:/usr/local/etc/wireguard/wg[OPNsense.wireguard.server.servers.server.%.instance].conf
diff --git a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
new file mode 100644
index 0000000000..c4c12667a4
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
@@ -0,0 +1,15 @@
+{% if helpers.exists('OPNsense.wireguard.general.enabled') and OPNsense.wireguard.general.enabled == '1' %}
+wireguard_setup="/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh"
+wireguard_enable="YES"
+{%   if helpers.exists('OPNsense.wireguard.server.servers.server') %}
+{%   set activeservers=[] %}
+{%     for servers in helpers.toList('OPNsense.wireguard.server.servers.server') %}
+{%       if servers.enabled == '1' %}
+{%       do activeservers.append("wg" + servers.instance) %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+wireguard_interfaces="{{ activeservers | join(' ') }}"
+{% else %}
+wireguard_enable="NO"
+{% endif %}
diff --git a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
new file mode 100644
index 0000000000..355ea0815f
--- /dev/null
+++ b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
@@ -0,0 +1,53 @@
+{% if helpers.exists('OPNsense.wireguard.general.enabled') and OPNsense.wireguard.general.enabled == '1' %}
+{% if helpers.exists('OPNsense.wireguard.server.servers.server') %}
+{%   for server_list in helpers.toList('OPNsense.wireguard.server.servers.server') %}
+{%     if TARGET_FILTERS['OPNsense.wireguard.server.servers.server.' ~ loop.index0] or TARGET_FILTERS['OPNsense.wireguard.server.servers.server'] %}
+{%       if server_list.enabled == '1' %}
+[Interface]
+PrivateKey = {{ server_list.privkey }}
+{%         if server_list.tunneladdress|default('') != '' %}
+Address = {{ server_list.tunneladdress }}
+{%         endif %}
+{%         if server_list.port|default('') != '' %}
+ListenPort = {{ server_list.port }}
+{%         endif %}
+{%         if server_list.dns|default('') != '' %}
+DNS = {{ server_list.dns }}
+{%         endif %}
+{%         if server_list.mtu|default('') != '' %}
+MTU = {{ server_list.mtu }}
+{%         endif %}
+{%         if server_list.disableroutes == '1' %}
+Table = off
+{%         endif %}
+{%         if server_list.disableroutes == '1' and server_list.gateway|default('') != '' %}
+PostUp = route {{- ' -6' if ':' in server_list.gateway }} add {{ server_list.gateway }} -iface %i
+PostDown = route {{- ' -6' if ':' in server_list.gateway }} del {{ server_list.gateway }} -iface %i
+{%         endif %}
+{%         if server_list.peers|default('') != '' %}
+{%           for peerlist in server_list.peers.split(",") %}
+{%             set peerlist2_data = helpers.getUUID(peerlist) %}
+{%             if peerlist2_data != {} and peerlist2_data.enabled == '1' %}
+
+[Peer]
+# friendly_name = {{ peerlist2_data.name }}
+PublicKey = {{ peerlist2_data.pubkey }}
+{%               if peerlist2_data.psk|default('') != '' %}
+PresharedKey = {{ peerlist2_data.psk }}
+{%               endif %}
+{%               if peerlist2_data.serveraddress|default('') != '' %}
+Endpoint = {{ peerlist2_data.serveraddress }}{% if peerlist2_data.serverport|default('') != '' %}:{{ peerlist2_data.serverport }}{% else %}:51820{% endif %}
+{%               endif %}
+
+AllowedIPs = {{ peerlist2_data.tunneladdress }}
+{%               if peerlist2_data.keepalive|default('') != '' %}
+PersistentKeepalive = {{ peerlist2_data.keepalive }}
+{%               endif %}
+{%             endif %}
+{%           endfor %}
+{%         endif %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+{% endif %}
diff --git a/net/wireguard-go/src/www/widgets/include/wireguard.inc b/net/wireguard-go/src/www/widgets/include/wireguard.inc
new file mode 100644
index 0000000000..b95fc1fa6f
--- /dev/null
+++ b/net/wireguard-go/src/www/widgets/include/wireguard.inc
@@ -0,0 +1,4 @@
+<?php
+
+$wireguard_title = gettext('WireGuard');
+$wireguard_title_link = 'ui/wireguard/general/index';
diff --git a/net/wireguard-go/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard-go/src/www/widgets/widgets/wireguard.widget.php
new file mode 100644
index 0000000000..6c704030a9
--- /dev/null
+++ b/net/wireguard-go/src/www/widgets/widgets/wireguard.widget.php
@@ -0,0 +1,120 @@
+<?php
+
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * Copyright (C) 2020 D. Domig
+ * Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("widgets/include/wireguard.inc");
+
+$enabled = ($config["OPNsense"]["wireguard"]["general"]["enabled"] === "1" ? true : false);
+
+?>
+
+<table class="table table-striped table-condensed">
+    <thead>
+        <tr>
+            <th><?= gettext("Name") ?></th>
+            <th><?= gettext("Interface") ?></th>
+            <th><?= gettext("Endpoint") ?></th>
+            <th><?= gettext("Public Key") ?></th>
+            <th><?= gettext("Latest Handshake") ?></th>
+        </tr>
+    </thead>
+    <tbody id="wg-table-tbody">
+
+    <?php if (!$enabled): ?>
+    <tr>
+        <td colspan="5"><?= gettext("No WireGuard instance defined or enabled.") ?></td>
+    </tr>
+    <?php endif; ?>
+
+    </tbody>
+</table>
+
+<script>
+$(window).on("load", function() {
+    function wgGenerateRow(name, interface, peerName, publicKey, latestHandshake, status)
+    {
+        var tr = ''
+        +'<tr>'
+        +'    <td>' + name + '</td>'
+        +'    <td>' + interface + '</td>'
+        +'    <td>' + peerName  + '</td>'
+        +'    <td style="overflow: hidden; text-overflow: ellipsis;" title="' + publicKey + '">' + publicKey  + '</td>'
+        +'    <td>' + latestHandshake + '</td>'
+        +'</tr>';
+
+        return tr;
+    }
+
+    function wgUpdateStatusIf(obj)
+    {
+        // check if at least one peer is set. If not, ignore it.
+        if (Object.keys(obj.peers).length == 0) {
+            return '';
+        }
+
+        // generate row based on data
+        row = '';
+        for (var peerId in obj.peers) {
+            var peer = obj.peers[peerId];
+
+            // generate table row
+            row += wgGenerateRow(
+                obj.name,
+                obj.interface,
+                peer.name,
+                peer.publicKey,
+                peer.lastHandshake,
+                status
+            );
+        }
+
+        return row;
+    }
+
+    function wgUpdateStatus()
+    {
+        var table = '';
+        ajaxGet("/api/wireguard/general/getStatus", {}, function(data, status) {
+            if (status === 'success') {
+                for (var interface in data.items) {
+                    table += wgUpdateStatusIf(data.items[interface]);
+                }
+            }
+            // update table accordingly
+            document.getElementById("wg-table-tbody").innerHTML = table;
+            setTimeout(wgUpdateStatus, 10000);
+        });
+    };
+
+    <?php if ($enabled): ?>
+    wgUpdateStatus();
+    <?php endif; ?>
+});
+</script>
diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 72c6bf8975..9d7d9cf080 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,15 +1,9 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		1.13
 PLUGIN_REVISION=	7
-PLUGIN_COMMENT=		WireGuard VPN service
-PLUGIN_DEPENDS=		wireguard-tools
+PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
+PLUGIN_DEPENDS=		wireguard-kmod wireguard-tools
+PLUGIN_CONFLICTS=	wireguard-go
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	kmod go
-
-kmod_NAME=		wireguard
-kmod_DEPENDS=		wireguard-kmod
-
-go_NAME=		wireguard-go
-go_DEPENDS=		wireguard-go
 
 .include "../../Mk/plugins.mk"

From b95d15d26328a3145466cd6d6d09caae82e4d28e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Aug 2023 10:45:46 +0200
Subject: [PATCH 1531/3088] net/wireguard-go: whitespace

---
 net/wireguard-go/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard-go/Makefile b/net/wireguard-go/Makefile
index 4215a2f196..9be4130ce7 100644
--- a/net/wireguard-go/Makefile
+++ b/net/wireguard-go/Makefile
@@ -4,7 +4,7 @@ PLUGIN_REVISION=	7
 PLUGIN_COMMENT=		WireGuard VPN service Go implementation
 PLUGIN_CONFLICTS=	wireguard
 PLUGIN_OBSOLETE=	yes
-PLUGIN_DEPENDS=		wireguard-go wireguard-tools 
+PLUGIN_DEPENDS=		wireguard-go wireguard-tools
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From 24fd4c0e0c13395c6f18570ec8fe35a809850ea5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Aug 2023 08:20:39 +0200
Subject: [PATCH 1532/3088] security/tinc: bump revision for now, might change
 version upon release

---
 security/tinc/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 506eb42e93..ecc4f25f3b 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From dd58c387d8c27fb03b20c4b3a5e870b0cfa66a71 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Aug 2023 08:47:21 +0200
Subject: [PATCH 1533/3088] dns/ddclient: escape text values without
 validation, protocol label tweak

---
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml        |  6 +++---
 .../templates/OPNsense/ddclient/ddclient.json        | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 649ccc3fc9..28b16314e1 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -93,9 +93,9 @@
                     <Required>N</Required>
                     <ValidationMessage>A protocol type is required.</ValidationMessage>
                     <OptionValues>
-                        <dyndns1>DynDns1</dyndns1>
-                        <dyndns2>DynDns2</dyndns2>
-                        <post>custom POST</post>
+                        <dyndns1>DynDNS 1</dyndns1>
+                        <dyndns2>DynDNS 2</dyndns2>
+                        <post>Custom POST</post>
                     </OptionValues>
                 </protocol>
                 <server type="TextField">
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
index 64e0ec7bc1..79cf6fbbd1 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
@@ -13,19 +13,19 @@
             "id": "{{ account['@uuid'] }}",
             "service": "{{ account.service }}",
             "protocol": "{{ account.protocol }}",
-            "server": "{{ account.server }}",
-            "resourceId": "{{ account.resourceId }}",
-            "username": "{{ account.username }}",
-            "password": "{{ account.password }}",
+            "server": {{ account.server | default('') | tojson }},
+            "resourceId": {{ account.resourceId | default('') | tojson }},
+            "username": {{ account.username | default('') | tojson }},
+            "password": {{ account.password | default('') | tojson }},
             "hostnames": "{{ account.hostnames }}",
             "wildcard": {{ "true" if account.wildcard == '1' else "false"}},
             "zone": "{{ account.zone }}",
             "checkip": "{{ account.checkip }}",
+            "interface": "{% if account.interface %}{{physical_interface(account.interface)}}{% endif %}",
             "checkip_timeout": {{ account.checkip_timeout }},
             "force_ssl": {{ "true" if account.force_ssl == '1' else "false"}},
             "ttl": "{{ account.ttl }}",
-            "interface": "{%if account.interface %}{{physical_interface(account.interface)}}{% endif%}",
-            "description": "{{ account.description }}"
+            "description": {{ account.description | default('') | tojson }}
         }{{ "," if not loop.last else ""}}
 {%   endfor %}
 {% endif %}

From be0ef6b7b927c0fec9971e69e205d7c6f0fe089d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Aug 2023 09:47:59 +0200
Subject: [PATCH 1534/3088] dns/ddclient: stop trying to updat 'None' address

Looks like the type check was off leading to update an empty address.
Now instead check first and throw a warning.  The condition might be
transient but try to hint at the user that the setup is likely broken.
---
 .../opnsense/scripts/ddclient/lib/account/__init__.py  | 10 ++++++++--
 .../src/opnsense/scripts/ddclient/lib/poller.py        |  6 ++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
index e143cc28b3..a5cb502ea0 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
@@ -23,6 +23,7 @@
     ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     POSSIBILITY OF SUCH DAMAGE.
 """
+import syslog
 import hashlib
 import uuid
 import time
@@ -120,8 +121,13 @@ def execute(self):
             interface = self.settings['interface'] if self.settings.get('interface' ,'').strip() != '' else None
         )
 
-
-        if self._current_address != '' and (
+        if self._current_address == None:
+            syslog.syslog(
+                syslog.LOG_WARNING,
+                "Account %s no global IP address detected, check config if warning persists" % (self.description)
+            )
+            return False
+        elif (
                 self._state.get('ip') is None or
                 self._current_address != self._state.get('ip') or
                 self.state.get('md5') != self.md5
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
index 08bf5af477..d338ce569f 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
@@ -145,13 +145,15 @@ def run(self):
             for acc in self._accounts.values():
                 if time.time() - acc.atime > self.poll_interval:
                     if self.is_verbose:
-                        syslog.syslog(syslog.LOG_NOTICE, "Account %s execute" % acc.description)
+                        syslog.syslog(syslog.LOG_NOTICE, "Account %s executing" % acc.description)
                     try:
                         if acc.execute():
                             if self.is_verbose:
-                                syslog.syslog(syslog.LOG_NOTICE, "Account %s changed" % acc.description)
+                                syslog.syslog(syslog.LOG_NOTICE, "Account %s updated" % acc.description)
                             needs_flush = True
                         else:
+                            if self.is_verbose:
+                                syslog.syslog(syslog.LOG_NOTICE, "Account %s not modified" % acc.description)
                             # update last accessed timestamp
                             acc.update_state(None)
                     except Exception as e:

From bac3bc407b7fafdc3afc076877e3b2815730a3a0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Aug 2023 09:54:19 +0200
Subject: [PATCH 1535/3088] dns/ddclient: update release notes

---
 dns/ddclient/pkg-descr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 361b376249..b06d191fc1 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,8 +9,9 @@ Plugin Changelog
 1.15
 
 * Add AWS Route53 and DuckDNS to native backend (contributed by Greg Glockner)
-* Fix JSON output with disabled trailing accounts and empty stats in AccountField
+* Fix JSON output with disabled trailing accounts/escaping and empty stats in AccountField
 * Rename Python-based "OPNsense" backend to "native" to prevent ambiguity
+* Do not update on native backend when IP detection failed and emit a warning instead
 * Fix ClouDNS missing dynurl= parameter
 * Clean up ddclient.conf template
 

From 86c9e5ccc87ca7ef477cee20b48049b9632078c9 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Tue, 22 Aug 2023 14:39:53 +0200
Subject: [PATCH 1536/3088] net/wireguard - remove wg-quick dependency and drop
 go support (#3556)

net/wireguard - removing wg-quick and go support.

This commits adds the following:

* Remove wireguard-go support and cleanup some go specific code as it's not being used anymore anyway
* Service control handler similar to OpenVPN, which offers control per instance/interface and keeps track of changed interfaces (configure only restarts the changed ones).
* Add some basic logging for the service handling and a view to inspect it.
* Configuration logs are being flushed to the correct log automatically as mwexecf() sends errors to syslog (which in this scope sends to wireguard)
* Reimplement https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns using Python in reresolve-dns.py
* Enforce wireguard-tools rc script to be disabled when still installed, this should prevent bootup issues
* Move 'interface' calculated field to model for easy reusability
* Change plugin maintainer


---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
---
 net/wireguard/Makefile                        |   7 +-
 net/wireguard/pkg-descr                       |  11 ++
 .../src/etc/inc/plugins.inc.d/wireguard.inc   |  46 ++---
 .../src/etc/rc.syshook.d/start/50-wireguard   |   4 +-
 .../Wireguard/Api/ClientController.php        |   7 +-
 .../Wireguard/Api/ServerController.php        |  11 +-
 .../Wireguard/Api/ServiceController.php       |  24 ++-
 .../Wireguard/FieldTypes/ServerField.php      |  58 ++++++
 .../models/OPNsense/Wireguard/Menu/Menu.xml   |   5 +-
 .../app/models/OPNsense/Wireguard/Server.xml  |   2 +-
 .../app/views/OPNsense/Wireguard/general.volt | 173 ++++++++---------
 .../scripts/OPNsense/Wireguard/post.sh        |  11 --
 .../OPNsense/Wireguard/resolve-dns.bash       |  45 -----
 .../scripts/OPNsense/Wireguard/setup.sh       |   4 -
 .../{OPNsense => }/Wireguard/genkey.sh        |   0
 .../scripts/Wireguard/reresolve-dns.py        |  61 ++++++
 .../scripts/Wireguard/wg-service-control.php  | 180 ++++++++++++++++++
 .../conf/actions.d/actions_wireguard.conf     |  29 +--
 .../OPNsense/Syslog/local/wireguard.conf      |   6 +
 .../templates/OPNsense/Wireguard/wireguard    |  15 +-
 .../OPNsense/Wireguard/wireguard-server.conf  |  27 ++-
 21 files changed, 484 insertions(+), 242 deletions(-)
 create mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php
 delete mode 100755 net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/post.sh
 delete mode 100755 net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
 delete mode 100755 net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
 rename net/wireguard/src/opnsense/scripts/{OPNsense => }/Wireguard/genkey.sh (100%)
 create mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
 create mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
 create mode 100644 net/wireguard/src/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 9d7d9cf080..29b00aa7c8 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,9 +1,8 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	7
+PLUGIN_VERSION=		2.0.d
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
-PLUGIN_DEPENDS=		wireguard-kmod wireguard-tools
+PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_MAINTAINER=	ad@opnsense.org
 
 .include "../../Mk/plugins.mk"
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 5d84964c92..8a590fa7e5 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,17 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+2.0
+
+* Remove wireguard-go support and cleanup some go specific code as it's not being used anymore anyway
+* Service control handler similar to OpenVPN, which offers control per instance/interface and keeps track of changed interfaces (configure only restarts the changed ones).
+* Add some basic logging for the service handling and a view to inspect it.
+* Configuration logs are being flushed to the correct log automatically as mwexecf() sends errors to syslog (which in this scope sends to wireguard)
+* Reimplement https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns using Python in reresolve-dns.py
+* Enforce wireguard-tools rc script to be disabled when still installed, this should prevent bootup issues
+* Move 'interface' calculated field to model for easy reusability
+* Change plugin maintainer
+
 1.13
 
 * Reworked widget and assorted cleanups (contributed by Patrik Kernstock)
diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index cc1e49ee8d..aed2673825 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2023 Deciso B.V.
  * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
@@ -28,8 +29,7 @@
 
 function wireguard_enabled()
 {
-    $model = new \OPNsense\Wireguard\General();
-    return (string)$model->enabled == '1';
+    return (string)(new \OPNsense\Wireguard\General())->enabled == '1';
 }
 
 function wireguard_services()
@@ -40,26 +40,32 @@ function wireguard_services()
         return $services;
     }
 
-    $service = [
-        'description' => gettext('WireGuard VPN'),
-        'configd' => [
-            'restart' => ['wireguard restart'],
-            'start' => ['wireguard start'],
-            'stop' => ['wireguard stop'],
-        ],
-        'name' => 'wireguard-go',
-    ];
-
-    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
-        $service['name'] = 'wireguard';
-        $service['nocheck'] = true;
+    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
+        if (!empty((string)$node->enabled)) {
+            $services[] = [
+                'description' => "Wireguard " . htmlspecialchars($node->name),
+                'configd' => [
+                    'start' => ["wireguard start {$key}"],
+                    'restart' => ["wireguard restart {$key}"],
+                    'stop' => ["wireguard stop {$key}"],
+                ],
+                'nocheck' => true, /* no daemon to check */
+                'id' => $key,
+                'name' => "wireguard"
+            ];
+        }
     }
 
-    $services[] = $service;
-
     return $services;
 }
 
+function wireguard_syslog()
+{
+    return [
+        'wireguard' => ['facility' => ['wireguard']]
+    ];
+}
+
 function wireguard_interfaces()
 {
     $interfaces = [];
@@ -87,11 +93,7 @@ function wireguard_xmlrpc_sync()
     $result['id'] = 'wireguard';
     $result['section'] = 'OPNsense.wireguard';
     $result['description'] = gettext('WireGuard');
-    $result['services'] = ['wireguard-go'];
-
-    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
-        $result['services'] = ['wireguard'];
-    }
+    $result['services'] = ['wireguard'];
 
     return [$result];
 }
diff --git a/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard b/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
index 78ab228040..826ba71cd8 100755
--- a/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
+++ b/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
@@ -1,4 +1,2 @@
 #!/bin/sh
-
-# start again to fix problems with failed name resolution (no need to restart)
-configctl -dq wireguard start
+configctl -dq wireguard configure
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
index ae7d84660d..f8a7585611 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
@@ -1,6 +1,7 @@
 <?php
 
 /**
+ *    Copyright (C) 2023 Deciso B.V.
  *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
  *
  *    All rights reserved.
@@ -39,12 +40,14 @@ class ClientController extends ApiMutableModelControllerBase
 
     public function searchClientAction()
     {
-        return $this->searchBase('clients.client', array("enabled", "name", "pubkey", "tunneladdress", "serveraddress", "serverport"));
+        return $this->searchBase(
+            'clients.client',
+            ["enabled", "name", "pubkey", "tunneladdress", "serveraddress", "serverport"]
+        );
     }
 
     public function getClientAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('client', 'clients.client', $uuid);
     }
 
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
index 5bf57767a9..416eb73be3 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2023 Deciso B.V.
  * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
@@ -38,17 +39,15 @@ class ServerController extends ApiMutableModelControllerBase
 
     public function searchServerAction()
     {
-        $search = $this->searchBase('servers.server', array("enabled", "instance", "peers", "name", "networks", "pubkey", "port", "tunneladdress"));
-        // prepend "wg" to all instance IDs to use as interface name
-        foreach ($search["rows"] as $key => $server) {
-            $search["rows"][$key]["interface"] = "wg" . $server["instance"];
-        }
+        $search = $this->searchBase(
+            'servers.server',
+            ["enabled", "instance", "peers", "name", "networks", "pubkey", "port", "tunneladdress", 'interface']
+        );
         return $search;
     }
 
     public function getServerAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('server', 'servers.server', $uuid);
     }
 
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
index 627911beb4..f71b3d0474 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2023 Deciso B.V.
  * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
@@ -52,14 +53,30 @@ protected function invokeInterfaceRegistration()
         return true;
     }
 
+    /**
+     * @return array
+     */
+    public function reconfigureAction()
+    {
+        if (!$this->request->isPost()) {
+            return ['result' => 'failed'];
+        }
+
+        $this->sessionClose();
+        $backend = new Backend();
+        $backend->configdRun('template reload ' . escapeshellarg(static::$internalServiceTemplate));
+        $backend->configdpRun('wireguard configure');
+
+        return ['result' => 'ok'];
+    }
+
     /**
      * show wireguard config
      * @return array
      */
     public function showconfAction()
     {
-        $backend = new Backend();
-        $response = $backend->configdRun("wireguard showconf");
+        $response = (new Backend())->configdRun("wireguard showconf");
         return array("response" => $response);
     }
 
@@ -69,8 +86,7 @@ public function showconfAction()
      */
     public function showhandshakeAction()
     {
-        $backend = new Backend();
-        $response = $backend->configdRun("wireguard showhandshake");
+        $response = (new Backend())->configdRun("wireguard showhandshake");
         return array("response" => $response);
     }
 }
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php
new file mode 100644
index 0000000000..a327af5fb6
--- /dev/null
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php
@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Wireguard\FieldTypes;
+
+use OPNsense\Base\FieldTypes\ArrayField;
+use OPNsense\Base\FieldTypes\TextField;
+
+class ServerField extends ArrayField
+{
+    /**
+     * push internal reusable properties as virtuals
+     */
+    protected function actionPostLoadingEvent()
+    {
+        foreach ($this->internalChildnodes as $node) {
+            if (!$node->getInternalIsVirtual()) {
+                $files = [
+                    'cnfFilename' => "/usr/local/etc/wireguard/wg{$node->instance}.conf",
+                    'statFilename' => "/usr/local/etc/wireguard/wg{$node->instance}.stat",
+                    'interface' => "wg{$node->instance}",
+                ];
+                foreach ($files as $name => $payload) {
+                    $new_item = new TextField();
+                    $new_item->setInternalIsVirtual();
+                    $new_item->setValue($payload);
+                    $node->addChildNode($name, $new_item);
+                }
+            }
+        }
+        return parent::actionPostLoadingEvent();
+    }
+}
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
index a2934e1b07..8494a617f6 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
@@ -1,5 +1,8 @@
 <menu>
     <VPN>
-      <WireGuard cssClass="fa fa-lock fa-fw" url="/ui/wireguard/general/index" order="150" />
+      <WireGuard cssClass="fa fa-lock fa-fw" order="150">
+          <Settings order="10" url="/ui/wireguard/general/index"/>
+          <LogFile order="70" VisibleName="Log File" url="/ui/diagnostics/log/core/wireguard"/>
+      </WireGuard>
     </VPN>
 </menu>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 476091d238..af7164665f 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -4,7 +4,7 @@
     <version>0.0.4</version>
     <items>
         <servers>
-            <server type="ArrayField">
+            <server type=".\ServerField">
                 <enabled type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
index 8b0accd2d6..93a9897c41 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -1,5 +1,5 @@
 {#
- # OPNsense (c) 2014-2018 by Deciso B.V.
+ # OPNsense (c) 2014-2023 by Deciso B.V.
  # OPNsense (c) 2018 Michael Muenz <m.muenz@gmail.com>
  # All rights reserved.
  #
@@ -25,6 +25,66 @@
  # POSSIBILITY OF SUCH DAMAGE.
  #}
 
+ <script>
+    $( document ).ready(function() {
+        var data_get_map = {'frm_general_settings':"/api/wireguard/general/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        $("#grid-clients").UIBootgrid(
+            {
+                'search':'/api/wireguard/client/searchClient',
+                'get':'/api/wireguard/client/getClient/',
+                'set':'/api/wireguard/client/setClient/',
+                'add':'/api/wireguard/client/addClient/',
+                'del':'/api/wireguard/client/delClient/',
+                'toggle':'/api/wireguard/client/toggleClient/'
+            }
+        );
+
+        $("#grid-servers").UIBootgrid(
+            {
+                'search':'/api/wireguard/server/searchServer',
+                'get':'/api/wireguard/server/getServer/',
+                'set':'/api/wireguard/server/setServer/',
+                'add':'/api/wireguard/server/addServer/',
+                'del':'/api/wireguard/server/delServer/',
+                'toggle':'/api/wireguard/server/toggleServer/'
+            }
+        );
+
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/wireguard/general/set", 'frm_general_settings', function(){
+                    dfObj.resolve();
+                });
+                return dfObj;
+            }
+        });
+
+        // Put API call into a function, needed for auto-refresh
+        function update_showconf() {
+            ajaxCall(url="/api/wireguard/service/showconf", sendData={}, callback=function(data,status) {
+                $("#listshowconf").text(data['response']);
+                setTimeout(update_showconf, 5000);
+            });
+        }
+
+        function update_showhandshake() {
+            ajaxCall(url="/api/wireguard/service/showhandshake", sendData={}, callback=function(data,status) {
+                $("#listshowhandshake").text(data['response']);
+                setTimeout(update_showhandshake, 5000);
+            });
+        }
+        // Call update funcs once when page loaded
+        update_showconf();
+        update_showhandshake();
+    });
+</script>
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
@@ -38,10 +98,6 @@
     <div id="general" class="tab-pane fade in active">
         <div class="content-box" style="padding-bottom: 1.5em;">
             {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
-            </div>
         </div>
     </div>
     <div id="clients" class="tab-pane fade in">
@@ -68,11 +124,6 @@
                 </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr />
-            <button class="btn btn-primary" id="saveAct_client" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_client_progress"></i></button>
-            <br /><br />
-        </div>
     </div>
     <div id="servers" class="tab-pane fade in">
         <table id="grid-servers" class="table table-responsive" data-editDialog="dialogEditWireguardServer">
@@ -99,11 +150,6 @@
                 </tr>
             </tfoot>
         </table>
-        <div class="col-md-12">
-            <hr />
-            <button class="btn btn-primary" id="saveAct_server" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_server_progress"></i></button>
-            <br /><br />
-        </div>
     </div>
     <div id="showconf" class="tab-pane fade in">
       <pre id="listshowconf"></pre>
@@ -113,87 +159,20 @@
     </div>
 </div>
 
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/wireguard/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring Wireguard') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
+
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardClient,'id':'dialogEditWireguardClient','label':lang._('Edit Endpoint')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardServer,'id':'dialogEditWireguardServer','label':lang._('Edit Local Configuration')])}}
-
-<script>
-
-// Put API call into a function, needed for auto-refresh
-function update_showconf() {
-    ajaxCall(url="/api/wireguard/service/showconf", sendData={}, callback=function(data,status) {
-        $("#listshowconf").text(data['response']);
-    });
-}
-
-function update_showhandshake() {
-    ajaxCall(url="/api/wireguard/service/showhandshake", sendData={}, callback=function(data,status) {
-        $("#listshowhandshake").text(data['response']);
-    });
-}
-
-$( document ).ready(function() {
-    var data_get_map = {'frm_general_settings':"/api/wireguard/general/get"};
-    mapDataToFormUI(data_get_map).done(function(data){
-        formatTokenizersUI();
-        $('.selectpicker').selectpicker('refresh');
-    });
-
-    $("#grid-clients").UIBootgrid(
-        {
-            'search':'/api/wireguard/client/searchClient',
-            'get':'/api/wireguard/client/getClient/',
-            'set':'/api/wireguard/client/setClient/',
-            'add':'/api/wireguard/client/addClient/',
-            'del':'/api/wireguard/client/delClient/',
-            'toggle':'/api/wireguard/client/toggleClient/'
-        }
-    );
-
-    $("#grid-servers").UIBootgrid(
-        {
-            'search':'/api/wireguard/server/searchServer',
-            'get':'/api/wireguard/server/getServer/',
-            'set':'/api/wireguard/server/setServer/',
-            'add':'/api/wireguard/server/addServer/',
-            'del':'/api/wireguard/server/delServer/',
-            'toggle':'/api/wireguard/server/toggleServer/'
-        }
-    );
-
-    // Call update funcs once when page loaded
-    update_showconf();
-    update_showhandshake();
-
-    // Call function update_neighbor with a auto-refresh of 5 seconds
-    setInterval(update_showconf, 5000);
-    setInterval(update_showhandshake, 5000);
-
-    $("#saveAct").click(function(){
-        saveFormToEndpoint(url="/api/wireguard/general/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
-
-    $("#saveAct_client").click(function(){
-        saveFormToEndpoint(url="/api/wireguard/client/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_client_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
-                $("#saveAct_client_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
-
-    $("#saveAct_server").click(function(){
-        saveFormToEndpoint(url="/api/wireguard/server/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_server_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
-                $("#saveAct_server_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
-
-});
-</script>
diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/post.sh b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/post.sh
deleted file mode 100755
index 375ca38359..0000000000
--- a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/post.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-if [ -f /etc/rc.conf.d/wireguard ]; then
-	. /etc/rc.conf.d/wireguard
-fi
-
-for interface in ${wireguard_interfaces}; do
-	ifconfig ${interface} group wireguard
-done
-
-/usr/local/etc/rc.routing_configure
diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
deleted file mode 100755
index b7faf881ad..0000000000
--- a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/local/bin/bash
-# SPDX-License-Identifier: GPL-2.0
-#
-# Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-
-set -e
-shopt -s nocasematch
-shopt -s extglob
-export LC_ALL=C
-
-for CONFIG_FILE in /usr/local/etc/wireguard/*.conf; do
-
-    [[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]]
-    INTERFACE="${BASH_REMATCH[1]}"
-
-    process_peer() {
-        [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
-        [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\	([0-9]+) ]] || return 0
-        (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
-        wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
-        reset_peer_section
-    }
-
-    reset_peer_section() {
-        PEER_SECTION=0
-        PUBLIC_KEY=""
-        ENDPOINT=""
-    }
-
-    reset_peer_section
-    while read -r line || [[ -n $line ]]; do
-        stripped="${line%%\#*}"
-        key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
-        value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
-        [[ $key == "["* ]] && { process_peer; reset_peer_section; }
-        [[ $key == "[Peer]" ]] && PEER_SECTION=1
-        if [[ $PEER_SECTION -eq 1 ]]; then
-            case "$key" in
-                PublicKey) PUBLIC_KEY="$value"; continue ;;
-                Endpoint) ENDPOINT="$value"; continue ;;
-            esac
-        fi
-    done < "$CONFIG_FILE"
-    process_peer
-done
diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/setup.sh b/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
deleted file mode 100755
index 75ba580c99..0000000000
--- a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-mkdir -p /var/run/wireguard
-chmod 755 /var/run/wireguard
diff --git a/net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh b/net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh
similarity index 100%
rename from net/wireguard/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
rename to net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py b/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
new file mode 100755
index 0000000000..6b724abad1
--- /dev/null
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
@@ -0,0 +1,61 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+# Python implementation to re-resolve dns entries, for reference see:
+# https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns
+import glob
+import os
+import subprocess
+
+
+for filename in glob.glob('/usr/local/etc/wireguard/*.conf'):
+    this_peer = {}
+    ifname = os.path.basename(filename).split('.')[0]
+    with open(filename, 'r') as fhandle:
+        for line in fhandle:
+            if line.startswith('[Peer]'):
+                this_peer = {}
+            elif line.startswith('PublicKey'):
+                this_peer['PublicKey'] = line.split('=', 1)[1].strip()
+            elif line.startswith('Endpoint'):
+                this_peer['Endpoint'] = line.split('=', 1)[1].strip()
+
+            if 'Endpoint' in this_peer and 'PublicKey' in this_peer:
+                subprocess.run(
+                    [
+                        '/usr/bin/wg',
+                        'set',
+                        ifname,
+                        'peer',
+                        this_peer['PublicKey'],
+                        'endpoint',
+                        this_peer['Endpoint']
+                    ],
+                    capture_output=True,
+                    text=True
+                )
+                this_peer = {}
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
new file mode 100755
index 0000000000..3f370398e7
--- /dev/null
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -0,0 +1,180 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('script/load_phalcon.php');
+require_once('util.inc');
+require_once('interfaces.inc');
+
+/**
+ * mimic wg-quick behaviour, but bound to our config
+ */
+function wg_start($server, $fhandle)
+{
+    if (!does_interface_exist($server->interface)) {
+        mwexecf('/sbin/ifconfig wg create name %s', [$server->interface]);
+        mwexecf('/sbin/ifconfig %s group wireguard', [$server->interface]);
+    }
+    mwexecf('/usr/bin/wg setconf %s %s', [$server->interface, $server->cnfFilename]);
+
+    foreach (explode(',', (string)$server->tunneladdress) as $alias) {
+        mwexecf('/sbin/ifconfig %s %s alias', [$server->interface, $alias]);
+    }
+    if (!empty((string)$server->mtu)) {
+        mwexecf('/sbin/ifconfig %s mtu %s', [$server->interface, $server->mtu]);
+    }
+    mwexecf('/sbin/ifconfig %s up', [$server->interface]);
+
+    if (empty((string)$server->disableroutes)) {
+        /**
+         * Add routes for all configured peers, wg-quick seems to parse 'wg show wgX allowed-ips' for this,
+         * but this should logically congtain the same networks.
+         *
+         * XXX: For some reason these routes look a bit off, not very well integrated into OPNsense.
+         *      In the long run it might make sense to have some sort of pluggable model facility
+         *      where these (and maybe other) static routes hook into.
+         **/
+        $peers = explode(',', $server->peers);
+        $routes_to_add = ['inet'=> [], 'inet6' => []];
+        foreach ((new OPNsense\Wireguard\Client())->clients->client->iterateItems() as $key => $client) {
+            if (empty((string)$client->enabled) || !in_array($key, $peers)) {
+                continue;
+            }
+            foreach (explode(',', (string)$client->tunneladdress) as $tunneladdress) {
+                $ipproto = strpos($tunneladdress, ":") === false ? "inet" :  "inet6 ";
+                /* wg-quick seems to prevent /0 being routed and translates this automatically */
+                if (str_ends_with(trim($tunneladdress), '/0')) {
+                    if ($ipproto == 'inet') {
+                        array_push($routes_to_add[$ipproto], '0.0.0.0/1', '128.0.0.0/1');
+                    } else {
+                        array_push($routes_to_add[$ipproto], '::/1', '8000::/1');
+                    }
+                } else {
+                    $routes_to_add[$ipproto][] = $tunneladdress;
+                }
+            }
+        }
+        foreach ($routes_to_add as $ipproto => $routes) {
+            foreach (array_unique($routes) as $route) {
+                mwexecf('/sbin/route -q -n add -%s %s -interface %s', [$ipproto,  $route, $server->interface]);
+            }
+        }
+    } elseif (!empty((string)$server->gateway)) {
+        /* Only bind the gateway ip to the tunnel */
+        $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6 ";
+        mwexecf('/sbin/route -q -n add -%s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
+    }
+
+    // flush checksum to ease change detection
+    fseek($fhandle, 0);
+    ftruncate($fhandle, 0);
+    fwrite($fhandle, @md5_file($server->cnfFilename));
+    syslog(LOG_NOTICE, "Wireguard interface {$server->name} ({$server->interface}) started");
+}
+
+/**
+ * stop wireguard tunnel, kill the device, the routes should drop automatically.
+ */
+function wg_stop($server)
+{
+    if (does_interface_exist($server->interface)) {
+        legacy_interface_destroy($server->interface);
+    }
+    syslog(LOG_NOTICE, "Wireguard interface {$server->name} ({$server->interface}) stopped");
+}
+
+
+$opts = getopt('ah', [], $optind);
+$args = array_slice($argv, $optind);
+
+/* setup syslog logging */
+openlog("wireguard", LOG_ODELAY, LOG_AUTH);
+
+if (isset($opts['h']) || empty($args) || !in_array($args[0], ['start', 'stop', 'restart', 'configure'])) {
+    echo "Usage: wg-service-control.php [-a] [-h] [stop|start|restart|configure] [uuid]\n\n";
+    echo "\t-a all instances\n";
+} elseif (isset($opts['a']) || !empty($args[1])) {
+    $server_id = $args[1] ?? null;
+    $action = $args[0];
+
+    $server_devs = [];
+    if (!empty((string)(new OPNsense\Wireguard\General())->enabled)) {
+        foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
+            if (empty((string)$node->enabled)) {
+                continue;
+            }
+            if ($server_id != null && $key != $server_id) {
+                continue;
+            }
+            $server_devs[] = (string)$node->interface;
+            $statHandle = fopen($node->statFilename, "a+");
+            if (flock($statHandle, LOCK_EX)) {
+                switch ($action) {
+                    case 'stop':
+                        wg_stop($node);
+                        break;
+                    case 'start':
+                        wg_start($node, $statHandle);
+                        break;
+                    case 'restart':
+                        wg_stop($node);
+                        wg_start($node, $statHandle);
+                        break;
+                    case 'configure':
+                        if (
+                            @md5_file($node->cnfFilename) != @file_get_contents($node->statFilename) ||
+                            !does_interface_exist((string)$node->interface)
+                        ) {
+                            wg_stop($node);
+                            wg_start($node, $statHandle);
+                        }
+                        break;
+                }
+                flock($statHandle, LOCK_UN);
+            }
+            fclose($statHandle);
+        }
+    }
+
+    /**
+     * When -a is specified, cleaup up old or disabled instances (files and interfaces)
+     */
+    if ($server_id == null) {
+        foreach (glob('/usr/local/etc/wireguard/wg*') as $filename) {
+            $this_dev = explode('.', basename($filename))[0];
+            if (!in_array($this_dev, $server_devs)) {
+                @unlink($filename);
+                if (does_interface_exist($this_dev)) {
+                    legacy_interface_destroy($this_dev);
+                }
+            }
+        }
+    }
+    mwexecf('/usr/local/etc/rc.routing_configure');
+}
+closelog();
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index b2b96828f2..a8c3b4878c 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -1,31 +1,36 @@
 [start]
-command:/usr/local/etc/rc.d/wireguard start; /usr/local/opnsense/scripts/OPNsense/Wireguard/post.sh
-parameters:
+command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
+parameters: start %s
 type:script
-message:Starting WireGuard
+message: start wireguard instance %s
 
 [stop]
-command:/usr/local/etc/rc.d/wireguard stop
-parameters:
+command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
+parameters: stop %s
 type:script
-message:Stopping WireGuard
+message: stop wireguard instance %s
 
 [restart]
-command:/usr/local/etc/rc.d/wireguard restart; /usr/local/opnsense/scripts/OPNsense/Wireguard/post.sh
-parameters:
+command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
+parameters: restart %s
+type:script
+message: restart wireguard instance %s
+
+[configure]
+command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
+parameters: -a configure
 type:script
-message:Restarting WireGuard
-description: Restart WireGuard
+message: configure wireguard instances
 
 [renew]
-command:/usr/local/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
+command:/usr/local/opnsense/scripts/Wireguard/reresolve-dns.py
 parameters:
 type:script
 message:Renew DNS for WireGuard
 description:Renew DNS for WireGuard on stale connections
 
 [genkey]
-command:/usr/local/opnsense/scripts/OPNsense/Wireguard/genkey.sh
+command:/usr/local/opnsense/scripts/Wireguard/genkey.sh
 parameters: %s
 type:script_output
 message:Generating WireGuard keys
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf
new file mode 100644
index 0000000000..c3ec362d49
--- /dev/null
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [wireguard].
+###################################################################
+filter f_local_wireguard {
+    program("wireguard");
+};
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
index c4c12667a4..40a3c2f453 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
@@ -1,15 +1,2 @@
-{% if helpers.exists('OPNsense.wireguard.general.enabled') and OPNsense.wireguard.general.enabled == '1' %}
-wireguard_setup="/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh"
-wireguard_enable="YES"
-{%   if helpers.exists('OPNsense.wireguard.server.servers.server') %}
-{%   set activeservers=[] %}
-{%     for servers in helpers.toList('OPNsense.wireguard.server.servers.server') %}
-{%       if servers.enabled == '1' %}
-{%       do activeservers.append("wg" + servers.instance) %}
-{%       endif %}
-{%     endfor %}
-{%   endif %}
-wireguard_interfaces="{{ activeservers | join(' ') }}"
-{% else %}
+# disable the wireguard rc scripts when installed, bootup handled via rc.syshook
 wireguard_enable="NO"
-{% endif %}
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
index 355ea0815f..3c78652de7 100644
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
@@ -3,27 +3,22 @@
 {%   for server_list in helpers.toList('OPNsense.wireguard.server.servers.server') %}
 {%     if TARGET_FILTERS['OPNsense.wireguard.server.servers.server.' ~ loop.index0] or TARGET_FILTERS['OPNsense.wireguard.server.servers.server'] %}
 {%       if server_list.enabled == '1' %}
+####################################################
+# Interface settings, not used by `wg`             #
+# Only used for reference and detection of changes #
+# in the configuration                             #
+####################################################
+# Address =  {{server_list.tunneladdress|default('')}}
+# DNS = {{ server_list.dns|default('')}}
+# MTU = {{ server_list.mtu|default('') }}
+# disableroutes = {{server_list.disableroutes}}
+# gateway = {{server_list.gateway}}
+
 [Interface]
 PrivateKey = {{ server_list.privkey }}
-{%         if server_list.tunneladdress|default('') != '' %}
-Address = {{ server_list.tunneladdress }}
-{%         endif %}
 {%         if server_list.port|default('') != '' %}
 ListenPort = {{ server_list.port }}
 {%         endif %}
-{%         if server_list.dns|default('') != '' %}
-DNS = {{ server_list.dns }}
-{%         endif %}
-{%         if server_list.mtu|default('') != '' %}
-MTU = {{ server_list.mtu }}
-{%         endif %}
-{%         if server_list.disableroutes == '1' %}
-Table = off
-{%         endif %}
-{%         if server_list.disableroutes == '1' and server_list.gateway|default('') != '' %}
-PostUp = route {{- ' -6' if ':' in server_list.gateway }} add {{ server_list.gateway }} -iface %i
-PostDown = route {{- ' -6' if ':' in server_list.gateway }} del {{ server_list.gateway }} -iface %i
-{%         endif %}
 {%         if server_list.peers|default('') != '' %}
 {%           for peerlist in server_list.peers.split(",") %}
 {%             set peerlist2_data = helpers.getUUID(peerlist) %}

From dc06d5837f38e80308ec1abb5bceb65422504020 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Aug 2023 14:56:55 +0200
Subject: [PATCH 1537/3088] net/wireguard: small changes

---
 net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh        | 4 ++--
 .../src/opnsense/scripts/Wireguard/wg-service-control.php     | 2 +-
 .../opnsense/service/conf/actions.d/actions_wireguard.conf    | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh b/net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh
index b580bf49dc..803d76e8b3 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh
@@ -26,8 +26,8 @@
 # SUCH DAMAGE.
 
 TMPDIR="/tmp"
-GENPRIV="/usr/local/bin/wg genkey"
-GENPUB="/usr/local/bin/wg pubkey"
+GENPRIV="/usr/bin/wg genkey"
+GENPUB="/usr/bin/wg pubkey"
 
 cleanup() {
 	# Delete old files
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 3f370398e7..c5d2a4a066 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -60,7 +60,7 @@ function wg_start($server, $fhandle)
          *      where these (and maybe other) static routes hook into.
          **/
         $peers = explode(',', $server->peers);
-        $routes_to_add = ['inet'=> [], 'inet6' => []];
+        $routes_to_add = ['inet' => [], 'inet6' => []];
         foreach ((new OPNsense\Wireguard\Client())->clients->client->iterateItems() as $key => $client) {
             if (empty((string)$client->enabled) || !in_array($key, $peers)) {
                 continue;
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index a8c3b4878c..3372d474dd 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -36,13 +36,13 @@ type:script_output
 message:Generating WireGuard keys
 
 [showconf]
-command:/usr/local/bin/wg show all
+command:/usr/bin/wg show all
 parameters:
 type:script_output
 message:Show WireGuard config
 
 [showhandshake]
-command:/usr/local/bin/wg show all latest-handshakes
+command:/usr/bin/wg show all latest-handshakes
 parameters:
 type:script_output
 message:Show WireGuard handshakes

From 33ee5379a8bb31edcf85b06d1b7c63a3d75b291d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Aug 2023 12:10:42 +0200
Subject: [PATCH 1538/3088] dns/ddclient: looks like this was misplaced

---
 dns/ddclient/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index b06d191fc1..6964b5001b 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 * Fix JSON output with disabled trailing accounts/escaping and empty stats in AccountField
 * Rename Python-based "OPNsense" backend to "native" to prevent ambiguity
 * Do not update on native backend when IP detection failed and emit a warning instead
+* Add desec to native backend (contributed by Clemens Hardewig)
 * Fix ClouDNS missing dynurl= parameter
 * Clean up ddclient.conf template
 
@@ -19,7 +20,6 @@ Plugin Changelog
 
 * Add "post" protocol in custom service type
 * Add DNSExit API and regfish.de support to ddclient backend
-* Add desec to native backend (contributed by Clemens Hardewig)
 
 1.13
 

From 15a3559d58a057d00b2e21c694ca727c1d81f8d8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 27 Aug 2023 13:04:12 +0200
Subject: [PATCH 1539/3088] net/wireguard - refactor server keypair generation,
 add a button so the user can easily generate a new pair and copy the public
 key to the clipboard for reusage. This should also fix a possible race where
 two instances would try to store /tmp/wireguard.priv at the same time.

---
 .../Wireguard/Api/ServerController.php        | 43 +++------------
 .../app/models/OPNsense/Wireguard/Server.xml  |  6 +-
 .../app/views/OPNsense/Wireguard/general.volt | 18 ++++++
 .../opnsense/scripts/Wireguard/gen_keypair.py | 46 ++++++++++++++++
 .../src/opnsense/scripts/Wireguard/genkey.sh  | 55 -------------------
 .../conf/actions.d/actions_wireguard.conf     |  8 +--
 6 files changed, 79 insertions(+), 97 deletions(-)
 create mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/gen_keypair.py
 delete mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
index 416eb73be3..c810dd2ae9 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
@@ -37,6 +37,11 @@ class ServerController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'server';
     protected static $internalModelClass = '\OPNsense\Wireguard\Server';
 
+    public function keyPairAction()
+    {
+        return json_decode((new Backend())->configdRun('wireguard gen_keypair'), true);
+    }
+
     public function searchServerAction()
     {
         $search = $this->searchBase(
@@ -53,24 +58,7 @@ public function getServerAction($uuid = null)
 
     public function addServerAction($uuid = null)
     {
-        if ($this->request->isPost() && $this->request->hasPost("server")) {
-            if ($uuid != null) {
-                $node = $this->getModel()->getNodeByReference('servers.server.' . $uuid);
-            } else {
-                $node = $this->getModel()->servers->server->Add();
-            }
-            $node->setNodes($this->request->getPost("server"));
-            if (empty((string)$node->pubkey) && empty((string)$node->privkey)) {
-                // generate new keypair
-                $backend = new Backend();
-                $keyspriv = $backend->configdpRun("wireguard genkey", 'private');
-                $keyspub = $backend->configdpRun("wireguard genkey", 'public');
-                $node->privkey = trim($keyspriv);
-                $node->pubkey = trim($keyspub);
-            }
-            return $this->validateAndSave($node, 'server');
-        }
-        return array("result" => "failed");
+        return $this->addBase('server', 'servers.server', $uuid);
     }
 
     public function delServerAction($uuid)
@@ -80,24 +68,7 @@ public function delServerAction($uuid)
 
     public function setServerAction($uuid = null)
     {
-        if ($this->request->isPost() && $this->request->hasPost("server")) {
-            if ($uuid != null) {
-                $node = $this->getModel()->getNodeByReference('servers.server.' . $uuid);
-            } else {
-                $node = $this->getModel()->servers->server->Add();
-            }
-            $node->setNodes($this->request->getPost("server"));
-            if (empty((string)$node->pubkey) && empty((string)$node->privkey)) {
-                // generate new keypair
-                $backend = new Backend();
-                $keyspriv = $backend->configdpRun("wireguard genkey", 'private');
-                $keyspub = $backend->configdpRun("wireguard genkey", 'public');
-                $node->privkey = trim($keyspriv);
-                $node->pubkey = trim($keyspub);
-            }
-            return $this->validateAndSave($node, 'server');
-        }
-        return array("result" => "failed");
+        return $this->setBase('server', 'servers.server', $uuid);
     }
 
     public function toggleServerAction($uuid)
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index af7164665f..84c30fb95a 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -19,10 +19,12 @@
                     <Required>Y</Required>
                 </instance>
                 <pubkey type="TextField">
-                    <Required>N</Required>
+                    <Required>Y</Required>
+                    <ValidationMessage>A public key is required</ValidationMessage>
                 </pubkey>
                 <privkey type="TextField">
-                    <Required>N</Required>
+                    <Required>Y</Required>
+                    <ValidationMessage>A private key is required</ValidationMessage>
                 </privkey>
                 <port type="PortField">
                     <Required>N</Required>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
index 93a9897c41..84d598c6f5 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -66,6 +66,19 @@
             }
         });
 
+        /**
+         * Move keypair generation button inside the server form and hook api event
+         */
+        $("#control_label_server\\.pubkey").append($("#keygen_div").detach().show());
+        $("#keygen").click(function(){
+            ajaxGet("/api/wireguard/server/key_pair", {}, function(data, status){
+                if (data.status && data.status === 'ok') {
+                    $("#server\\.pubkey").val(data.pubkey);
+                    $("#server\\.privkey").val(data.privkey);
+                }
+            });
+        })
+
         // Put API call into a function, needed for auto-refresh
         function update_showconf() {
             ajaxCall(url="/api/wireguard/service/showconf", sendData={}, callback=function(data,status) {
@@ -126,6 +139,11 @@
         </table>
     </div>
     <div id="servers" class="tab-pane fade in">
+        <span id="keygen_div" style="display:none" class="pull-right">
+            <button id="keygen" type="button" class="btn btn-secondary" title="{{ lang._('Generate new keypair.') }}" data-toggle="tooltip">
+              <i class="fa fa-fw fa-gear"></i>
+            </button>
+        </span>
         <table id="grid-servers" class="table table-responsive" data-editDialog="dialogEditWireguardServer">
             <thead>
                 <tr>
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/gen_keypair.py b/net/wireguard/src/opnsense/scripts/Wireguard/gen_keypair.py
new file mode 100755
index 0000000000..beada99c76
--- /dev/null
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/gen_keypair.py
@@ -0,0 +1,46 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import subprocess
+import ujson
+
+
+def keypair():
+    sp = subprocess.run(['/usr/bin/wg', 'genkey'], capture_output=True, text=True)
+    if sp.returncode == 0:
+        privkey = sp.stdout.strip()
+        sp = subprocess.run(['/usr/bin/wg', 'pubkey'], input=privkey, capture_output=True, text=True)
+        if sp.returncode == 0:
+            return {'privkey': privkey, 'pubkey': sp.stdout.strip()}
+    return None
+
+response = keypair()
+if not response:
+    print(ujson.dumps({'status': 'failed'}))
+else:
+    response['status'] = 'ok'
+    print(ujson.dumps(response))
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh b/net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh
deleted file mode 100755
index 803d76e8b3..0000000000
--- a/net/wireguard/src/opnsense/scripts/Wireguard/genkey.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2018 Michael Muenz <m.muenz@gmail.com>
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-
-TMPDIR="/tmp"
-GENPRIV="/usr/bin/wg genkey"
-GENPUB="/usr/bin/wg pubkey"
-
-cleanup() {
-	# Delete old files
-	rm -f $TMPDIR/wireguard.*
-}
-
-private() {
-	# Generate a private key and put it to /tmp
-	umask 077 && ${GENPRIV} | tee ${TMPDIR}/wireguard.priv
-}
-
-public() {
-	# Generate a public key and put it to /tmp
-	${GENPUB} < ${TMPDIR}/wireguard.priv | tee ${TMPDIR}/wireguard.pub
-}
-
-case "$1" in
-private)
-	cleanup
-	private
-	;;
-public)
-	public
-	;;
-esac
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 3372d474dd..397ded4963 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -29,11 +29,11 @@ type:script
 message:Renew DNS for WireGuard
 description:Renew DNS for WireGuard on stale connections
 
-[genkey]
-command:/usr/local/opnsense/scripts/Wireguard/genkey.sh
-parameters: %s
+[gen_keypair]
+command:/usr/local/opnsense/scripts/Wireguard/gen_keypair.py
+parameters:
 type:script_output
-message:Generating WireGuard keys
+message:Generating WireGuard keypair
 
 [showconf]
 command:/usr/bin/wg show all

From 32a83e64877e1572441fa15af995b58c7e982bf1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 27 Aug 2023 18:57:48 +0200
Subject: [PATCH 1540/3088] VPN: WireGuard: Diagnostics - remove diagnostics
 tabs from "VPN: WireGuard: Settings" and replace it for a searchable grid
 containing the same information at "VPN: WireGuard: Diagnostics". Keep text
 mode endpoints for backwards compatibility in case someone queries them (to
 be removed in 24.1).

---
 net/wireguard/pkg-descr                       |  2 +
 .../Wireguard/Api/ServiceController.php       | 36 ++++++++
 .../Wireguard/DiagnosticsController.php       | 37 ++++++++
 .../models/OPNsense/Wireguard/Menu/Menu.xml   |  3 +-
 .../views/OPNsense/Wireguard/diagnostics.volt | 89 +++++++++++++++++++
 .../app/views/OPNsense/Wireguard/general.volt | 26 ------
 .../src/opnsense/scripts/Wireguard/wg_show.py | 64 +++++++++++++
 .../conf/actions.d/actions_wireguard.conf     |  6 ++
 8 files changed, 236 insertions(+), 27 deletions(-)
 create mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
 create mode 100644 net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
 create mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py

diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 8a590fa7e5..77e00f49ca 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -25,6 +25,8 @@ Changelog
 * Reimplement https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns using Python in reresolve-dns.py
 * Enforce wireguard-tools rc script to be disabled when still installed, this should prevent bootup issues
 * Move 'interface' calculated field to model for easy reusability
+* Move diagnostics to VPN: WireGuard: Diagnostics
+* Change keypair generation to a separate API call and form button to ease copy/paste when adding new servers.
 * Change plugin maintainer
 
 1.13
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
index f71b3d0474..001c7890dc 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
@@ -32,6 +32,8 @@
 use OPNsense\Base\ApiMutableServiceControllerBase;
 use OPNsense\Core\Backend;
 use OPNsense\Wireguard\General;
+use OPNsense\Wireguard\Client;
+use OPNsense\Wireguard\Server;
 
 /**
  * Class ServiceController
@@ -72,6 +74,7 @@ public function reconfigureAction()
 
     /**
      * show wireguard config
+     * XXX: remove in 24.1
      * @return array
      */
     public function showconfAction()
@@ -82,6 +85,7 @@ public function showconfAction()
 
     /**
      * show wireguard handshakes
+     * XXX: remove in 24.1
      * @return array
      */
     public function showhandshakeAction()
@@ -89,4 +93,36 @@ public function showhandshakeAction()
         $response = (new Backend())->configdRun("wireguard showhandshake");
         return array("response" => $response);
     }
+
+    /**
+     * wg show all dump output
+     * @return array
+     */
+    public function showAction()
+    {
+        $payload = json_decode((new Backend())->configdRun("wireguard show") ?? '', true);
+        $records = !empty($payload) && !empty($payload['records']) ? $payload['records'] : [];
+        $key_descriptions = [];
+        foreach ((new Client())->clients->client->iterateItems() as $key => $client) {
+            $key_descriptions[(string)$client->pubkey] = (string)$client->name;
+        }
+        foreach ((new Server())->servers->server->iterateItems() as $key => $server) {
+            $key_descriptions[(string)$server->pubkey] = (string)$server->name;
+        }
+        foreach ($records as &$record) {
+            if (!empty($record['public-key']) && !empty($key_descriptions[$record['public-key']])) {
+                $record['name'] = $key_descriptions[$record['public-key']];
+            } else {
+                $record['name'] = '';
+            }
+        }
+        $filter_funct = null;
+        $types = $this->request->get('type');
+        if (!empty($types)) {
+            $filter_funct = function ($record) use ($types) {
+                return in_array($record['type'], $types);
+            };
+        }
+        return $this->searchRecordsetBase($records, null, null,  $filter_funct);
+    }
 }
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
new file mode 100644
index 0000000000..852ea92acb
--- /dev/null
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Wireguard;
+
+class DiagnosticsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Wireguard/diagnostics');
+    }
+}
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
index 8494a617f6..f2c15f4069 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
@@ -1,7 +1,8 @@
 <menu>
     <VPN>
       <WireGuard cssClass="fa fa-lock fa-fw" order="150">
-          <Settings order="10" url="/ui/wireguard/general/index"/>
+          <Settings order="10" url="/ui/wireguard/general/"/>
+          <Diagnostics order="20" url="/ui/wireguard/diagnostics/"/>
           <LogFile order="70" VisibleName="Log File" url="/ui/diagnostics/log/core/wireguard"/>
       </WireGuard>
     </VPN>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
new file mode 100644
index 0000000000..ca0f8f9e82
--- /dev/null
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
@@ -0,0 +1,89 @@
+{#
+    # Copyright (c) 2023 Deciso B.V.
+    # All rights reserved.
+    #
+    # Redistribution and use in source and binary forms, with or without modification,
+    # are permitted provided that the following conditions are met:
+    #
+    # 1. Redistributions of source code must retain the above copyright notice,
+    #    this list of conditions and the following disclaimer.
+    #
+    # 2. Redistributions in binary form must reproduce the above copyright notice,
+    #    this list of conditions and the following disclaimer in the documentation
+    #    and/or other materials provided with the distribution.
+    #
+    # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    # POSSIBILITY OF SUCH DAMAGE.
+    #}
+
+   <script>
+       $( document ).ready(function() {
+
+            let grid_phase1 = $("#grid-sessions").UIBootgrid({
+                search:'/api/wireguard/service/show',
+                options:{
+                    multiSelect: false,
+                    rowSelect: false,
+                    selection: false,
+                    formatters:{
+                        bytes: function(column, row) {
+                            if (row[column.id] && row[column.id] > 0) {
+                                return byteFormat(row[column.id], 2);
+                            }
+                            return row[column.id];
+                        }
+                    },
+                    requestHandler: function(request){
+                        if ( $('#type_filter').val().length > 0) {
+                            request['type'] = $('#type_filter').val();
+                        }
+                        return request;
+                    },
+                }
+            });
+
+            $("#type_filter").change(function(){
+                $('#grid-sessions').bootgrid('reload');
+            });
+
+            $("#type_filter_container").detach().prependTo('#grid-sessions-header > .row > .actionBar > .actions');
+       });
+
+   </script>
+
+   <div class="tab-content content-box">
+       <div class="hidden">
+           <!-- filter per type container -->
+           <div id="type_filter_container" class="btn-group">
+               <select id="type_filter"  data-title="{{ lang._('Type') }}" class="selectpicker" multiple="multiple" data-width="200px">
+                    <option value="interface">{{ lang._('Interface') }}</option>
+                    <option value="peer">{{ lang._('Peer') }}</option>
+               </select>
+           </div>
+       </div>
+       <table id="grid-sessions" class="table table-condensed table-hover table-striped table-responsive">
+           <thead>
+             <tr>
+                 <th data-column-id="if" data-type="string" data-width="8em">{{ lang._('Interface') }}</th>
+                 <th data-column-id="type" data-type="string" data-width="8em" data-visible="false">{{ lang._('Type') }}</th>
+                 <th data-column-id="public-key" data-type="string" data-identifier="true">{{ lang._('Public key') }}</th>
+                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                 <th data-column-id="endpoint" data-type="string">{{ lang._('Port / Endpoint') }}</th>
+                 <th data-column-id="latest-handshake" data-type="numeric">{{ lang._('Handshake') }}</th>
+
+                 <th data-column-id="transfer-tx" data-formatter="bytes" data-type="numeric">{{ lang._('Send') }}</th>
+                 <th data-column-id="transfer-rx" data-formatter="bytes" data-type="numeric">{{ lang._('Received') }}</th>
+             </tr>
+           </thead>
+           <tbody>
+           </tbody>
+       </table>
+   </div>
\ No newline at end of file
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
index 84d598c6f5..5960b3b2ba 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -78,24 +78,6 @@
                 }
             });
         })
-
-        // Put API call into a function, needed for auto-refresh
-        function update_showconf() {
-            ajaxCall(url="/api/wireguard/service/showconf", sendData={}, callback=function(data,status) {
-                $("#listshowconf").text(data['response']);
-                setTimeout(update_showconf, 5000);
-            });
-        }
-
-        function update_showhandshake() {
-            ajaxCall(url="/api/wireguard/service/showhandshake", sendData={}, callback=function(data,status) {
-                $("#listshowhandshake").text(data['response']);
-                setTimeout(update_showhandshake, 5000);
-            });
-        }
-        // Call update funcs once when page loaded
-        update_showconf();
-        update_showhandshake();
     });
 </script>
 <!-- Navigation bar -->
@@ -103,8 +85,6 @@
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#servers">{{ lang._('Local') }}</a></li>
     <li><a data-toggle="tab" href="#clients">{{ lang._('Endpoints') }}</a></li>
-    <li><a data-toggle="tab" href="#showconf">{{ lang._('Status') }}</a></li>
-    <li><a data-toggle="tab" href="#showhandshake">{{ lang._('Handshakes') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
@@ -169,12 +149,6 @@
             </tfoot>
         </table>
     </div>
-    <div id="showconf" class="tab-pane fade in">
-      <pre id="listshowconf"></pre>
-    </div>
-    <div id="showhandshake" class="tab-pane fade in">
-      <pre id="listshowhandshake"></pre>
-    </div>
 </div>
 
 <section class="page-content-main">
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py b/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
new file mode 100755
index 0000000000..60973e10df
--- /dev/null
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
@@ -0,0 +1,64 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import subprocess
+import ujson
+
+sp = subprocess.run(['/usr/bin/wg', 'show', 'all', 'dump'], capture_output=True, text=True)
+result = {'records': []}
+if sp.returncode == 0:
+    for line in sp.stdout.split("\n"):
+        record = {}
+        parts = line.split("\t")
+        # parse fields as explained in 'man wg'
+        record['if'] = parts[0] if len(parts) else None
+        if len(parts) == 5:
+            # intentially skip private key, should not expose it
+            record['type'] = 'interface'
+            record['public-key'] = parts[2]
+            record['listen-port'] = parts[3]
+            record['fwmark'] = parts[4]
+            # convenience, copy listen-port to endpoint
+            record['endpoint'] = parts[3]
+        elif len(parts) == 9:
+            record['type'] = 'peer'
+            record['public-key'] = parts[1]
+            # intentially skip preshared-key, should not expose it
+            record['endpoint'] = parts[3]
+            record['allowed-ips'] = parts[4]
+            record['latest-handshake'] = int(parts[5]) if parts[5].isdigit() else 0
+            record['transfer-rx'] = int(parts[6]) if parts[6].isdigit() else 0
+            record['transfer-tx'] = int(parts[7]) if parts[7].isdigit() else 0
+            record['persistent-keepalive'] = parts[8]
+        else:
+            continue
+        result['records'].append(record)
+    result['status'] = 'ok'
+else:
+    result['status'] = 'failed'
+
+print(ujson.dumps(result))
\ No newline at end of file
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 397ded4963..44c925e865 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -35,6 +35,12 @@ parameters:
 type:script_output
 message:Generating WireGuard keypair
 
+[show]
+command:/usr/local/opnsense/scripts/Wireguard/wg_show.py
+parameters:
+type:script_output
+message:show WireGuard statistics [dump]
+
 [showconf]
 command:/usr/bin/wg show all
 parameters:

From 0eb690d74ba513bc0ed2e49b02f62d6e08bc85c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 27 Aug 2023 21:17:11 +0200
Subject: [PATCH 1541/3088] net/wireguard: style sweep

---
 .../controllers/OPNsense/Wireguard/Api/ServiceController.php    | 2 +-
 .../opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt  | 2 +-
 net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
index 001c7890dc..68b81dd6a8 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
@@ -123,6 +123,6 @@ public function showAction()
                 return in_array($record['type'], $types);
             };
         }
-        return $this->searchRecordsetBase($records, null, null,  $filter_funct);
+        return $this->searchRecordsetBase($records, null, null, $filter_funct);
     }
 }
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
index ca0f8f9e82..d44af57530 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
@@ -86,4 +86,4 @@
            <tbody>
            </tbody>
        </table>
-   </div>
\ No newline at end of file
+   </div>
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py b/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
index 60973e10df..6cfa6c4bcc 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
@@ -61,4 +61,4 @@
 else:
     result['status'] = 'failed'
 
-print(ujson.dumps(result))
\ No newline at end of file
+print(ujson.dumps(result))

From 1814bc61f00dd00863c3829f01e8e9ae6524840e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 27 Aug 2023 21:18:26 +0200
Subject: [PATCH 1542/3088] net/wireguard: likely going to be released in
 23.7.3

---
 net/wireguard/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 29b00aa7c8..9f2520d7f0 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		2.0.d
+PLUGIN_VERSION=		2.0
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go

From ce34e4bb7558b8720cb90356d60a63672d41e675 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 29 Aug 2023 14:57:05 +0200
Subject: [PATCH 1543/3088] net/firewall - Add API support for port definitions
 in firewall plugin - closes https://github.com/opnsense/plugins/issues/3567

---
 net/firewall/Makefile                                  |  1 +
 .../mvc/app/models/OPNsense/Firewall/Filter.xml        | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 48b15d7f04..fdae706e87 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index c34561e09e..87855d7d1e 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -67,11 +67,12 @@
                     <default>0</default>
                     <Required>Y</Required>
                 </source_not>
-                <!-- XXX: known limitation, aliases not supported by PortField -->
                 <source_port type="PortField">
                     <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
+                    <EnableAlias>Y</EnableAlias>
+                    <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
                 </source_port>
                 <!-- XXX: should map internally to  'source' => array('destination' => destination_net, "not" => true|false) -->
                 <destination_net type="NetworkAliasField">
@@ -82,11 +83,12 @@
                     <default>0</default>
                     <Required>Y</Required>
                 </destination_not>
-                <!-- XXX: known limitation, aliases not supported by PortField -->
                 <destination_port type="PortField">
                     <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
+                    <EnableAlias>Y</EnableAlias>
+                    <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
                 </destination_port>
                 <gateway type="JsonKeyValueStoreField">
                     <Required>N</Required>
@@ -152,6 +154,8 @@
                     <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
+                    <EnableAlias>Y</EnableAlias>
+                    <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
                 </source_port>
                 <destination_net type="NetworkAliasField">
                     <default>any</default>
@@ -165,6 +169,8 @@
                     <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
+                    <EnableAlias>Y</EnableAlias>
+                    <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
                 </destination_port>
                 <target type="NetworkAliasField">
                     <default>wanip</default>

From cc4309f21f5ec18c4100d9933f492ebc13eb7a03 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Aug 2023 15:00:28 +0200
Subject: [PATCH 1544/3088] net/firewall: change version

---
 net/firewall/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index fdae706e87..7651367222 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2

From a5131fe214ed30429cc829ecbf241495913b5443 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 30 Aug 2023 15:10:11 +0200
Subject: [PATCH 1545/3088] net/wireguard - minor regressions in refactory. ref
 https://www.reddit.com/r/opnsense/comments/165cdep/comment/jyd6t0g/

---
 net/wireguard/Makefile                                       | 1 +
 .../src/opnsense/scripts/Wireguard/wg-service-control.php    | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 9f2520d7f0..34ce6b071c 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index c5d2a4a066..af0bbe7bd4 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -43,7 +43,8 @@ function wg_start($server, $fhandle)
     mwexecf('/usr/bin/wg setconf %s %s', [$server->interface, $server->cnfFilename]);
 
     foreach (explode(',', (string)$server->tunneladdress) as $alias) {
-        mwexecf('/sbin/ifconfig %s %s alias', [$server->interface, $alias]);
+        $proto = strpos($alias, ':') === false ? "inet" : "inet6";
+        mwexecf('/sbin/ifconfig %s %s %s alias', [$server->interface, $proto, $alias]);
     }
     if (!empty((string)$server->mtu)) {
         mwexecf('/sbin/ifconfig %s mtu %s', [$server->interface, $server->mtu]);
@@ -87,7 +88,7 @@ function wg_start($server, $fhandle)
     } elseif (!empty((string)$server->gateway)) {
         /* Only bind the gateway ip to the tunnel */
         $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6 ";
-        mwexecf('/sbin/route -q -n add -%s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
+        mwexecf('/sbin/route -q -n add %s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
     }
 
     // flush checksum to ease change detection

From 20533c665138a3c97ee2aaf881f482d1bb4e7f8b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 30 Aug 2023 16:19:39 +0200
Subject: [PATCH 1546/3088] net/wireguard -  missed the time constraint in the
 previous bash script for reresolve-dns

---
 .../scripts/Wireguard/reresolve-dns.py        | 42 ++++++++++++-------
 1 file changed, 28 insertions(+), 14 deletions(-)

diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py b/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
index 6b724abad1..219f6d5f2b 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
@@ -29,33 +29,47 @@
 # https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns
 import glob
 import os
+import time
 import subprocess
 
 
+
+sp = subprocess.run(['/usr/bin/wg', 'show', 'all', 'latest-handshakes'], capture_output=True, text=True)
+ts_now = time.time()
+handshakes = {}
+for line in sp.stdout.split('\n'):
+    parts = line.split()
+    if len(parts) == 3 and parts[2].isdigit():
+        handshakes["%s-%s" % (parts[0], parts[1])] = ts_now - int(parts[2])
+
+
 for filename in glob.glob('/usr/local/etc/wireguard/*.conf'):
     this_peer = {}
     ifname = os.path.basename(filename).split('.')[0]
     with open(filename, 'r') as fhandle:
         for line in fhandle:
             if line.startswith('[Peer]'):
-                this_peer = {}
+                this_peer = {'ifname': ifname}
             elif line.startswith('PublicKey'):
                 this_peer['PublicKey'] = line.split('=', 1)[1].strip()
             elif line.startswith('Endpoint'):
                 this_peer['Endpoint'] = line.split('=', 1)[1].strip()
 
             if 'Endpoint' in this_peer and 'PublicKey' in this_peer:
-                subprocess.run(
-                    [
-                        '/usr/bin/wg',
-                        'set',
-                        ifname,
-                        'peer',
-                        this_peer['PublicKey'],
-                        'endpoint',
-                        this_peer['Endpoint']
-                    ],
-                    capture_output=True,
-                    text=True
-                )
+                peer_key = "%(ifname)s-%(PublicKey)s" % this_peer
+                if handshakes.get(peer_key, 999) > 135:
+                    # skip if there has been a handshake recently
+                    subprocess.run(
+                        [
+                            '/usr/bin/wg',
+                            'set',
+                            ifname,
+                            'peer',
+                            this_peer['PublicKey'],
+                            'endpoint',
+                            this_peer['Endpoint']
+                        ],
+                        capture_output=True,
+                        text=True
+                    )
                 this_peer = {}

From 90a16b1fb87c8b0a2866f7c070f4a3c82096344d Mon Sep 17 00:00:00 2001
From: rfrederick <rfrederick@users.noreply.github.com>
Date: Wed, 30 Aug 2023 15:54:12 -0500
Subject: [PATCH 1547/3088] net/wireguard - Remove trailing spaces to address
 additional regression in https://github.com/opnsense/plugins/issues/3571

---
 net/wireguard/Makefile                                        | 2 +-
 .../src/opnsense/scripts/Wireguard/wg-service-control.php     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 34ce6b071c..e597f4f976 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index af0bbe7bd4..7e6c57a094 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -67,7 +67,7 @@ function wg_start($server, $fhandle)
                 continue;
             }
             foreach (explode(',', (string)$client->tunneladdress) as $tunneladdress) {
-                $ipproto = strpos($tunneladdress, ":") === false ? "inet" :  "inet6 ";
+                $ipproto = strpos($tunneladdress, ":") === false ? "inet" :  "inet6";
                 /* wg-quick seems to prevent /0 being routed and translates this automatically */
                 if (str_ends_with(trim($tunneladdress), '/0')) {
                     if ($ipproto == 'inet') {
@@ -87,7 +87,7 @@ function wg_start($server, $fhandle)
         }
     } elseif (!empty((string)$server->gateway)) {
         /* Only bind the gateway ip to the tunnel */
-        $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6 ";
+        $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6";
         mwexecf('/sbin/route -q -n add %s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
     }
 

From 2caee070f99680c8fc6bda4d5198bba5bd421fd8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 31 Aug 2023 09:02:44 +0200
Subject: [PATCH 1548/3088] net/sslh: fix node names

---
 .../mvc/app/models/OPNsense/Sslh/Settings.xml | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
index f22a524e27..0250057c9a 100644
--- a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
+++ b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
@@ -3,16 +3,16 @@
     <version>1.0.0</version>
     <items>
         <enabled type="BooleanField">
-            <required>Y</required>
+            <Required>Y</Required>
             <default>0</default>
         </enabled>
         <listen_addresses type="CSVListField">
-            <required>Y</required>
+            <Required>Y</Required>
             <default>localhost:443</default>
             <validationmessage>Please enter at least one hostname/IP:port combination.</validationmessage>
         </listen_addresses>
         <mode type="OptionField">
-            <required>Y</required>
+            <Required>Y</Required>
             <default>fork</default>
             <Multiple>N</Multiple>
             <OptionValues>
@@ -21,31 +21,31 @@
             </OptionValues>
         </mode>
         <timeout type="IntegerField">
-            <required>N</required>
+            <Required>N</Required>
         </timeout>
         <tls_target type="TextField">
-            <required>N</required>
+            <Required>N</Required>
         </tls_target>
         <ssh_target type="TextField">
-            <required>N</required>
+            <Required>N</Required>
         </ssh_target>
         <openvpn_target type="TextField">
-            <required>N</required>
+            <Required>N</Required>
         </openvpn_target>
         <http_target type="TextField">
-            <required>N</required>
+            <Required>N</Required>
         </http_target>
         <xmpp_target type="TextField">
-            <required>N</required>
+            <Required>N</Required>
         </xmpp_target>
         <tinc_target type="TextField">
-            <required>N</required>
+            <Required>N</Required>
         </tinc_target>
         <anyprot_target type="TextField">
-            <required>N</required>
+            <Required>N</Required>
         </anyprot_target>
         <on_timeout type="OptionField">
-            <required>Y</required>
+            <Required>Y</Required>
             <default>ssh</default>
             <Multiple>N</Multiple>
             <OptionValues>
@@ -58,10 +58,10 @@
             </OptionValues>
         </on_timeout>
         <verbose type="BooleanField">
-            <required>N</required>
+            <Required>N</Required>
         </verbose>
         <numeric type="BooleanField">
-            <required>N</required>
+            <Required>N</Required>
         </numeric>
     </items>
 </model>

From 7f99c4095dc042926e6cce4b93bb192061b92b76 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 31 Aug 2023 12:14:38 +0200
Subject: [PATCH 1549/3088] make: add lint-model for sanity checking

---
 Mk/plugins.mk | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 16b71c55ed..ee97ccbdfd 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2022 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2023 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -313,6 +313,27 @@ lint-xml:
 	@find ${.CURDIR}/src \
 	    -name "*.xml" -type f -print0 | xargs -0 -n1 xmllint --noout
 
+lint-model:
+	# XXX "default" must be changed to upper case "Default"
+	@if [ -d ${.CURDIR}/src/opnsense/mvc/app/models ]; then for MODEL in $$(find ${.CURDIR}/src/opnsense/mvc/app/models -depth 3 \
+	    -name "*.xml"); do \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and (not(Required) or Required="N") and default]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+			echo "$${MODEL}: $${LINE} has a spurious default value set"; \
+		done; \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and default=""]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+			echo "$${MODEL}: $${LINE} has an empty default value set"; \
+		done; \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc="None"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+			echo "$${MODEL}: $${LINE} blank description is the default"; \
+		done; \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc and Required="Y"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+			echo "$${MODEL}: $${LINE} blank description not applicable on required field"; \
+		done; \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc and Multiple="Y"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+			echo "$${MODEL}: $${LINE} blank description not applicable on multiple field"; \
+		done; \
+	done; fi
+
 lint-exec: check
 .for DIR in ${.CURDIR}/src/opnsense/scripts ${.CURDIR}/src/etc/rc.d ${.CURDIR}/src/etc/rc.syshook.d
 .if exists(${DIR})
@@ -337,7 +358,7 @@ lint-php: check
 	    -type f -print0 | xargs -0 -n1 php -l
 .endif
 
-lint: lint-desc lint-shell lint-xml lint-exec lint-php
+lint: lint-desc lint-shell lint-xml lint-model lint-exec lint-php
 
 sweep: check
 	find ${.CURDIR}/src -type f -name "*.map" -print0 | \

From 672bd4c7fafd90e194d6f6c81260556b8f1dfe10 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 31 Aug 2023 12:59:05 +0200
Subject: [PATCH 1550/3088] make: more model QA glue

---
 Mk/plugins.mk | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ee97ccbdfd..0c617d1aa6 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -314,13 +314,12 @@ lint-xml:
 	    -name "*.xml" -type f -print0 | xargs -0 -n1 xmllint --noout
 
 lint-model:
-	# XXX "default" must be changed to upper case "Default"
 	@if [ -d ${.CURDIR}/src/opnsense/mvc/app/models ]; then for MODEL in $$(find ${.CURDIR}/src/opnsense/mvc/app/models -depth 3 \
 	    -name "*.xml"); do \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and (not(Required) or Required="N") and default]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and (not(Required) or Required="N") and Default]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
 			echo "$${MODEL}: $${LINE} has a spurious default value set"; \
 		done; \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and default=""]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and Default=""]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
 			echo "$${MODEL}: $${LINE} has an empty default value set"; \
 		done; \
 		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc="None"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
@@ -332,6 +331,9 @@ lint-model:
 		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc and Multiple="Y"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
 			echo "$${MODEL}: $${LINE} blank description not applicable on multiple field"; \
 		done; \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and OptionValues[default[not(@value)] or multiple[not(@value)] or required[not(@value)]]]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+			echo "$${MODEL}: $${LINE} option element default/multiple/required without value attribute"; \
+		done; \
 	done; fi
 
 lint-exec: check
@@ -407,6 +409,14 @@ style-python: check
 		pycodestyle --ignore=E501 ${.CURDIR}/src || true; \
 	fi
 
+style-model:
+	@for MODEL in $$(find ${.CURDIR}/src/opnsense/mvc/app/models -depth 3 \
+	    -name "*.xml"); do \
+		perl -i -pe 's/<default>(.*?)<\/default>/<Default>$$1<\/Default>/g' $${MODEL}; \
+		perl -i -pe 's/<multiple>(.*?)<\/multiple>/<Multiple>$$1<\/Multiple/g' $${MODEL}; \
+		perl -i -pe 's/<required>(.*?)<\/required>/<Required>$$1<\/Required>/g' $${MODEL}; \
+	done
+
 test: check
 	@if [ -d ${.CURDIR}/src/opnsense/mvc/tests ]; then \
 		cd /usr/local/opnsense/mvc/tests && \

From 0bb9d639ca30c55eee21e414743c880980668019 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 31 Aug 2023 13:02:19 +0200
Subject: [PATCH 1551/3088] net/wireguard: test-drive style-model + lint-model
 targets

Nothing fancy here.
---
 .../opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml   | 4 +---
 .../opnsense/mvc/app/models/OPNsense/Wireguard/General.xml  | 2 +-
 .../opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml   | 6 ++----
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index 69527a433a..5ac335f4ac 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -6,11 +6,10 @@
         <clients>
             <client type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <default></default>
                     <Required>Y</Required>
                     <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
@@ -24,7 +23,6 @@
                     <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
                 </psk>
                 <tunneladdress type="NetworkField">
-                    <default></default>
                     <FieldSeparator>,</FieldSeparator>
                     <Required>Y</Required>
                     <asList>Y</asList>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
index 432fd654c2..1868a8885e 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
@@ -4,7 +4,7 @@
     <version>0.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
     </items>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 84c30fb95a..1dfada39e1 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -6,11 +6,10 @@
         <servers>
             <server type=".\ServerField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <default></default>
                     <Required>Y</Required>
                     <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
@@ -40,13 +39,12 @@
                     <ValidationMessage>Please use valid IPv4 or IPv6 addresses.</ValidationMessage>
                 </dns>
                 <tunneladdress type="NetworkField">
-                    <default></default>
                     <FieldSeparator>,</FieldSeparator>
                     <Required>N</Required>
                     <asList>Y</asList>
                 </tunneladdress>
                 <disableroutes type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                     <Constraints>
                         <check001>

From 6b4694282c59ecdd0b4ded6bec802656c5bc4173 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 31 Aug 2023 16:19:57 +0200
Subject: [PATCH 1552/3088] net/wireguard - make our service control a bit
 smarted in case of a [re]configure. If the endresult from the interface
 perspective is guaranteed the same as we used the last time, just omit the
 stop() operation and reload the configuration. This should warrant a fluent
 reload when only peers are added. for
 https://github.com/opnsense/plugins/pull/3358

---
 .../scripts/Wireguard/wg-service-control.php  | 51 +++++++++++++++++--
 1 file changed, 48 insertions(+), 3 deletions(-)

diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 7e6c57a094..f6777a02cf 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -94,7 +94,7 @@ function wg_start($server, $fhandle)
     // flush checksum to ease change detection
     fseek($fhandle, 0);
     ftruncate($fhandle, 0);
-    fwrite($fhandle, @md5_file($server->cnfFilename));
+    fwrite($fhandle, @md5_file($server->cnfFilename) . "|". wg_reconfigure_hash($server));
     syslog(LOG_NOTICE, "Wireguard interface {$server->name} ({$server->interface}) started");
 }
 
@@ -110,6 +110,43 @@ function wg_stop($server)
 }
 
 
+/**
+ * Calculate a hash which determines if we are able to reconfigure without a restart of the tunnel.
+ * We currently assume if something changed on the interface or peer routes are being pushed, it's safer to
+ * restart then reload.
+ */
+function wg_reconfigure_hash($server)
+{
+    if (empty((string)$server->disableroutes)) {
+        return md5(uniqid('', true));   // random hash, should always reconfigure
+    }
+    return md5(
+        sprintf(
+            '%s|%s|%s',
+            $server->tunneladdress,
+            $server->mtu,
+            $server->gateway
+        )
+    );
+}
+
+/**
+ * The stat hash file answers two questions, [1] has anything changed, which is answered using an md5 hash of the
+ * configuration file. The second question, if something has changed, is it safe to only reload the configuration.
+ * This is answered by wg_reconfigure_hash() for the instance in question.
+ */
+function get_stat_hash($fhandle)
+{
+    fseek($fhandle, 0);
+    $payload = stream_get_contents($fhandle) ?? '';
+    $parts = explode('|', $payload);
+    return [
+        'file' => $parts[0] ?? '',
+        'interface' => $parts[1] ?? ''
+    ];
+
+}
+
 $opts = getopt('ah', [], $optind);
 $args = array_slice($argv, $optind);
 
@@ -148,10 +185,18 @@ function wg_stop($server)
                         break;
                     case 'configure':
                         if (
-                            @md5_file($node->cnfFilename) != @file_get_contents($node->statFilename) ||
+                            @md5_file($node->cnfFilename) != get_stat_hash($statHandle)['file'] ||
                             !does_interface_exist((string)$node->interface)
                         ) {
-                            wg_stop($node);
+                            if (get_stat_hash($statHandle)['interface'] != wg_reconfigure_hash($node)) {
+                                // Fluent reloading not supported for this instance, make sure the user is informed
+                                syslog(
+                                    LOG_NOTICE,
+                                    "Wireguard interface {$node->name} ({$node->interface}) ".
+                                    "can not reconfigure without stopping it first."
+                                );
+                                wg_stop($node);
+                            }
                             wg_start($node, $statHandle);
                         }
                         break;

From c8b02224f17acd2cc7af110cb8a717a5ecaf91bd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 08:19:24 +0200
Subject: [PATCH 1553/3088] Framework: fix typo in style-model target

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 0c617d1aa6..d0f02b06e6 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -413,7 +413,7 @@ style-model:
 	@for MODEL in $$(find ${.CURDIR}/src/opnsense/mvc/app/models -depth 3 \
 	    -name "*.xml"); do \
 		perl -i -pe 's/<default>(.*?)<\/default>/<Default>$$1<\/Default>/g' $${MODEL}; \
-		perl -i -pe 's/<multiple>(.*?)<\/multiple>/<Multiple>$$1<\/Multiple/g' $${MODEL}; \
+		perl -i -pe 's/<multiple>(.*?)<\/multiple>/<Multiple>$$1<\/Multiple>/g' $${MODEL}; \
 		perl -i -pe 's/<required>(.*?)<\/required>/<Required>$$1<\/Required>/g' $${MODEL}; \
 	done
 

From 3fda71c79eeed4e8df3c53eb4f994065bb05beb9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 08:36:39 +0200
Subject: [PATCH 1554/3088] net/relayd: update model

---
 .../mvc/app/models/OPNsense/Relayd/Relayd.xml | 47 ++++++++-----------
 1 file changed, 19 insertions(+), 28 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index 258669c378..9ee612cbe2 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -5,11 +5,10 @@
    <items>
       <general>
          <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
          </enabled>
          <interval type="IntegerField">
-            <default>10</default>
             <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <ValidationMessage>Check interval must be greater than 0</ValidationMessage>
@@ -22,13 +21,11 @@
             </OptionValues>
          </log>
          <prefork type="IntegerField">
-            <default>3</default>
             <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <ValidationMessage>Number of processes must be greater than 0</ValidationMessage>
          </prefork>
          <timeout type="IntegerField">
-            <default>200</default>
             <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
@@ -36,7 +33,7 @@
       </general>
       <host type="ArrayField">
         <enabled type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
          </enabled>
          <name type="TextField">
@@ -85,7 +82,7 @@
             </Constraints>
          </name>
          <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
          </enabled>
          <hosts type="ModelRelationField">
@@ -97,7 +94,7 @@
                </template>
             </Model>
             <ValidationMessage>Host not found</ValidationMessage>
-            <multiple>Y</multiple>
+            <Multiple>Y</Multiple>
             <Required>Y</Required>
          </hosts>
       </table>
@@ -108,7 +105,7 @@
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
          </name>
          <type type="OptionField">
-            <default>icmp</default>
+            <Default>icmp</Default>
             <Required>Y</Required>
             <OptionValues>
                <icmp>ICMP</icmp>
@@ -158,11 +155,11 @@
             </Constraints>
          </name>
          <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
          </enabled>
          <type type="OptionField">
-            <default>relay</default>
+            <Default>relay</Default>
             <Required>Y</Required>
             <OptionValues>
                <relay>Relay</relay>
@@ -177,7 +174,7 @@
          </listen_address>
          <listen_proto type="OptionField">
              <Required>Y</Required>
-             <default>tcp</default>
+             <Default>tcp</Default>
              <OptionValues>
                  <tcp>TCP</tcp>
                  <udp>UDP</udp>
@@ -197,14 +194,14 @@
          </listen_endport>
          <listen_interface type="InterfaceField">
             <Required>N</Required>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <filters>
                <enable>/^(?!0).*$/</enable>
                <ipaddr>/^((?!dhcp).)*$/</ipaddr>
             </filters>
          </listen_interface>
          <transport_type type="OptionField">
-            <default>forward</default>
+            <Default>forward</Default>
             <Required>Y</Required>
             <OptionValues>
                <forward>Forward</forward>
@@ -213,7 +210,7 @@
          </transport_type>
          <routing_interface type="InterfaceField">
             <Required>N</Required>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <filters>
                <enable>/^(?!0).*$/</enable>
                <ipaddr>/^((?!dhcp).)*$/</ipaddr>
@@ -228,7 +225,7 @@
                </template>
             </Model>
             <ValidationMessage>Table not found</ValidationMessage>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <Required>Y</Required>
          </transport_table>
          <transport_port type="PortField">
@@ -248,7 +245,6 @@
             <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
          </transport_timeout>
          <transport_tablemode type="OptionField">
-            <default>roundrobin</default>
             <Required>N</Required>
             <OptionValues>
                <hash>Hash</hash>
@@ -268,7 +264,7 @@
                </template>
             </Model>
             <ValidationMessage>Table check not found</ValidationMessage>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <Required>Y</Required>
          </transport_tablecheck>
          <backuptransport_table type="ModelRelationField">
@@ -280,7 +276,7 @@
                </template>
             </Model>
             <ValidationMessage>Table not found</ValidationMessage>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <Required>N</Required>
          </backuptransport_table>
          <backuptransport_interval type="IntegerField">
@@ -302,7 +298,7 @@
                </template>
             </Model>
             <ValidationMessage>Table check not found</ValidationMessage>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <Required>N</Required>
             <Constraints>
                 <check001>
@@ -315,7 +311,6 @@
             </Constraints>
          </backuptransport_tablecheck>
          <backuptransport_tablemode type="OptionField">
-            <default>roundrobin</default>
             <Required>N</Required>
             <OptionValues>
                <hash>Hash</hash>
@@ -327,16 +322,12 @@
             </OptionValues>
          </backuptransport_tablemode>
          <sessiontimeout type="IntegerField">
-            <default>600</default>
             <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>2147483647</MaximumValue>
             <ValidationMessage>The timeout must be a number between 1 and 2147483647.</ValidationMessage>
          </sessiontimeout>
-         <stickyaddress type="BooleanField">
-            <default>0</default>
-            <Required>N</Required>
-         </stickyaddress>
+         <stickyaddress type="BooleanField"/>
          <protocol type="ModelRelationField">
             <Model>
                <template>
@@ -346,9 +337,9 @@
                </template>
             </Model>
             <ValidationMessage>Protocol not found</ValidationMessage>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <Required>N</Required>
-         </protocol>-->
+         </protocol>
       </virtualserver>
       <protocol type="ArrayField">
          <name type="TextField">
@@ -357,7 +348,7 @@
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
          </name>
          <type type="OptionField">
-            <default>tcp</default>
+            <Default>tcp</Default>
             <Required>Y</Required>
             <OptionValues>
                <tcp>TCP</tcp>

From d3397d99cfc8c381673636fd59f61c431941a19c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 08:39:53 +0200
Subject: [PATCH 1555/3088] net/firewall: update model

---
 .../app/models/OPNsense/Firewall/Filter.xml   | 51 +++++++++----------
 1 file changed, 25 insertions(+), 26 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 87855d7d1e..65262b536f 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -9,7 +9,7 @@
         <rules>
             <rule type=".\FilterRuleField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <sequence type="IntegerField">
@@ -17,11 +17,11 @@
                     <MaximumValue>99999</MaximumValue>
                     <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
                     <Required>Y</Required>
-                    <default>1</default>
+                    <Default>1</Default>
                 </sequence>
                 <action type="OptionField">
                     <Required>Y</Required>
-                    <default>pass</default>
+                    <Default>pass</Default>
                     <OptionValues>
                         <pass>Pass</pass>
                         <block>Block</block>
@@ -29,18 +29,17 @@
                     </OptionValues>
                 </action>
                 <quick type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </quick>
                 <interface type="InterfaceField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
-                    <default>lan</default>
+                    <Multiple>Y</Multiple>
                     <AllowDynamic>Y</AllowDynamic>
                 </interface>
                 <direction type="OptionField">
                     <Required>Y</Required>
-                    <default>in</default>
+                    <Default>in</Default>
                     <OptionValues>
                         <in>In</in>
                         <out>Out</out>
@@ -48,7 +47,7 @@
                 </direction>
                 <ipprotocol type="OptionField">
                     <Required>Y</Required>
-                    <default>inet</default>
+                    <Default>inet</Default>
                     <OptionValues>
                         <inet>IPv4</inet>
                         <inet6>IPv6</inet6>
@@ -56,15 +55,15 @@
                 </ipprotocol>
                 <protocol type="ProtocolField">
                     <Required>Y</Required>
-                    <default>any</default>
+                    <Default>any</Default>
                 </protocol>
                 <!-- XXX: should map internally to  'source' => array('network' => $source_net, "not" => true|false) -->
                 <source_net type="NetworkAliasField">
-                    <default>any</default>
+                    <Default>any</Default>
                     <Required>Y</Required>
                 </source_net>
                 <source_not type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </source_not>
                 <source_port type="PortField">
@@ -76,11 +75,11 @@
                 </source_port>
                 <!-- XXX: should map internally to  'source' => array('destination' => destination_net, "not" => true|false) -->
                 <destination_net type="NetworkAliasField">
-                    <default>any</default>
+                    <Default>any</Default>
                     <Required>Y</Required>
                 </destination_net>
                 <destination_not type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </destination_not>
                 <destination_port type="PortField">
@@ -98,7 +97,7 @@
                     <ValidationMessage>Specify a valid gateway from the list matching the networks ip protocol.</ValidationMessage>
                 </gateway>
                 <log type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </log>
                 <description type="TextField">
@@ -111,11 +110,11 @@
         <snatrules>
             <rule type=".\SourceNatRuleField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <nonat type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </nonat>
                 <sequence type="IntegerField">
@@ -123,16 +122,16 @@
                     <MaximumValue>99999</MaximumValue>
                     <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
                     <Required>Y</Required>
-                    <default>1</default>
+                    <Default>1</Default>
                 </sequence>
                 <interface type="InterfaceField">
                     <Required>Y</Required>
-                    <default>lan</default>
+                    <Default>lan</Default>
                     <AllowDynamic>Y</AllowDynamic>
                 </interface>
                 <ipprotocol type="OptionField">
                     <Required>Y</Required>
-                    <default>inet</default>
+                    <Default>inet</Default>
                     <OptionValues>
                         <inet>IPv4</inet>
                         <inet6>IPv6</inet6>
@@ -140,14 +139,14 @@
                 </ipprotocol>
                 <protocol type="ProtocolField">
                     <Required>Y</Required>
-                    <default>any</default>
+                    <Default>any</Default>
                 </protocol>
                 <source_net type="NetworkAliasField">
-                    <default>any</default>
+                    <Default>any</Default>
                     <Required>Y</Required>
                 </source_net>
                 <source_not type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </source_not>
                 <source_port type="PortField">
@@ -158,11 +157,11 @@
                     <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
                 </source_port>
                 <destination_net type="NetworkAliasField">
-                    <default>any</default>
+                    <Default>any</Default>
                     <Required>Y</Required>
                 </destination_net>
                 <destination_not type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </destination_not>
                 <destination_port type="PortField">
@@ -173,7 +172,7 @@
                     <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
                 </destination_port>
                 <target type="NetworkAliasField">
-                    <default>wanip</default>
+                    <Default>wanip</Default>
                     <Required>Y</Required>
                 </target>
                 <target_port type="PortField">
@@ -182,7 +181,7 @@
                     <EnableRanges>Y</EnableRanges>
                 </target_port>
                 <log type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </log>
                 <description type="TextField">

From 13fd1434fc55606a28f5d7d0393e677fdcf2cb6f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 08:40:38 +0200
Subject: [PATCH 1556/3088] security/stunnel: update model

---
 .../app/models/OPNsense/Stunnel/Stunnel.xml   | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index 13e2f02fd6..47970192db 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -7,22 +7,22 @@
     <items>
         <general>
             <enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </enabled>
             <chroot type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </chroot>
             <enable_ident_server type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </enable_ident_server>
         </general>
         <services>
             <service type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <accept_port type="IntegerField">
@@ -34,7 +34,7 @@
                 <accept_address type="NetworkField">
                     <Required>Y</Required>
                     <NetMaskAllowed>N</NetMaskAllowed>
-                    <default>127.0.0.1</default>
+                    <Default>127.0.0.1</Default>
                 </accept_address>
                 <connect_address type="HostnameField">
                     <Required>Y</Required>
@@ -55,22 +55,22 @@
                 </protocol>
                 <cacert type="CertificateField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Type>ca</Type>
                     <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
                 </cacert>
                 <enableCRL type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </enableCRL>
                 <clientmode type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </clientmode>
                 <ciphers type="JsonKeyValueStoreField">
-                    <default>TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384</default>
+                    <Default>TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384</Default>
                     <Required>Y</Required>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <ConfigdPopulateAct>stunnel ssl ciphers</ConfigdPopulateAct>
                     <SourceFile>/tmp/stunnel_ciphers_list.json</SourceFile>
                     <ConfigdPopulateTTL>360</ConfigdPopulateTTL>

From e5ff7461631b551ff82262523c09b881f496df34 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 08:41:38 +0200
Subject: [PATCH 1557/3088] sysutils/git-backup: update model

---
 .../opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
index 52c88d582a..7c18337709 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
+++ b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
@@ -4,7 +4,7 @@
     <description>OPNsense Git Backup Settings</description>
     <items>
         <enabled type="BooleanField">
-          <default>0</default>
+          <Default>0</Default>
           <Required>Y</Required>
           <Constraints>
               <check001>
@@ -30,7 +30,7 @@
             </Constraints>
         </url>
         <branch type="TextField">
-          <default>master</default>
+          <Default>master</Default>
           <Required>Y</Required>
         </branch>
         <privkey type="TextField">

From 8e07bd6471be3f83ec81058a0c430ad48f10df53 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 08:42:48 +0200
Subject: [PATCH 1558/3088] security/tinc: update model

---
 .../mvc/app/models/OPNsense/Tinc/Tinc.xml     | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index f2da9989db..b2021db4d2 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -29,7 +29,7 @@
                 </extaddress>
                 <extport type="IntegerField">
                     <Required>Y</Required>
-                    <default>655</default>
+                    <Default>655</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Port number must be between 1...65535</ValidationMessage>
@@ -55,13 +55,13 @@
                 </subnet>
                 <pingtimeout type="IntegerField">
                     <Required>Y</Required>
-                    <default>5</default>
+                    <Default>5</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Ping timeout must be between 1...65535</ValidationMessage>
                 </pingtimeout>
                 <StrictSubnets type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </StrictSubnets>
                 <privkey type="TextField">
@@ -75,11 +75,11 @@
                     <Multiple>N</Multiple>
                     <ConfigdPopulateAct>tinc list ciphers</ConfigdPopulateAct>
                     <SourceFile>/tmp/tinc_current_cipher_options.index</SourceFile>
-                    <default>aes-256-cbc</default>
+                    <Default>aes-256-cbc</Default>
                 </cipher>
                 <mode type="OptionField">
                   <Required>Y</Required>
-                  <default>router</default>
+                  <Default>router</Default>
                   <OptionValues>
                       <router>router</router>
                       <switch>switch</switch>
@@ -91,16 +91,16 @@
                   </Constraints>
                 </mode>
                 <PMTUDiscovery type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </PMTUDiscovery>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <debuglevel type="OptionField">
                     <Required>Y</Required>
-                    <default>ip</default>
+                    <Default>ip</Default>
                     <OptionValues>
                         <d0>[0] start/stop, serious errors</d0>
                         <d1>[1] +all connections</d1>
@@ -133,7 +133,7 @@
                 </hostname>
                 <extport type="IntegerField">
                     <Required>Y</Required>
-                    <default>655</default>
+                    <Default>655</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Port number must be between 1...65535</ValidationMessage>
@@ -167,10 +167,10 @@
                     <Multiple>N</Multiple>
                     <ConfigdPopulateAct>tinc list ciphers</ConfigdPopulateAct>
                     <SourceFile>/tmp/tinc_current_cipher_options.index</SourceFile>
-                    <default>aes-256-cbc</default>
+                    <Default>aes-256-cbc</Default>
                 </cipher>
                 <connectTo type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                     <Constraints>
                         <check001>
@@ -179,7 +179,7 @@
                     </Constraints>
                 </connectTo>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
             </host>

From 9693020709a8484ce3f06c8f3090de959dedf126 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 09:00:01 +0200
Subject: [PATCH 1559/3088] dns/ddclient: update model

---
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 23 +++++++++----------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 28b16314e1..aeeaa90744 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -7,26 +7,26 @@
     <items>
         <general>
             <enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </enabled>
             <verbose type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </verbose>
             <allowipv6 type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </allowipv6>
             <daemon_delay type="IntegerField">
-                <default>300</default>
+                <Default>300</Default>
                 <Required>Y</Required>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>86400</MaximumValue>
             </daemon_delay>
             <backend type="OptionField">
                 <Required>Y</Required>
-                <default>ddclient</default>
+                <Default>ddclient</Default>
                 <ValidationMessage>A backend is required.</ValidationMessage>
                 <OptionValues>
                     <ddclient>ddclient</ddclient>
@@ -37,7 +37,7 @@
         <accounts>
             <account type=".\AccountField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <service type=".\ServiceField">
@@ -125,7 +125,7 @@
                     <FieldSeparator>,</FieldSeparator>
                 </hostnames>
                 <wildcard type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </wildcard>
                 <zone type="HostnameField">
@@ -134,7 +134,7 @@
                 </zone>
                 <checkip type=".\CheckipField">
                     <Required>Y</Required>
-                    <default>web_dyndns</default>
+                    <Default>web_dyndns</Default>
                     <ValidationMessage>An IP service type is required.</ValidationMessage>
                     <OptionValues>
                         <web_dyndns>dyndns</web_dyndns>
@@ -162,24 +162,23 @@
                     </Constraints>
                 </checkip>
                 <checkip_timeout type="IntegerField">
-                    <default>10</default>
+                    <Default>10</Default>
                     <Required>Y</Required>
                     <MinimumValue>10</MinimumValue>
                     <MaximumValue>60</MaximumValue>
                 </checkip_timeout>
                 <force_ssl type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </force_ssl>
                 <ttl type="IntegerField">
-                    <default>300</default>
+                    <Default>300</Default>
                     <Required>Y</Required>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>604800</MaximumValue>
                 </ttl>
                 <interface type="InterfaceField">
                     <Required>N</Required>
-                    <multiple>N</multiple>
                     <Constraints>
                         <check001>
                             <ValidationMessage>An interface is required for the selected check method</ValidationMessage>

From e59563b55ad8b14f2f1f2a11178b4984c64d0e83 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 09:00:19 +0200
Subject: [PATCH 1560/3088] Framework: one more

---
 Mk/plugins.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index d0f02b06e6..893a96a54d 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -331,6 +331,9 @@ lint-model:
 		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc and Multiple="Y"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
 			echo "$${MODEL}: $${LINE} blank description not applicable on multiple field"; \
 		done; \
+		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and Multiple="N"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+			echo "$${MODEL}: $${LINE} Multiple=N is the default"; \
+		done; \
 		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and OptionValues[default[not(@value)] or multiple[not(@value)] or required[not(@value)]]]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
 			echo "$${MODEL}: $${LINE} option element default/multiple/required without value attribute"; \
 		done; \

From 3b08ddfc45ffefa9cb003cbdf9299910eea98f78 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 09:00:35 +0200
Subject: [PATCH 1561/3088] net/relayd: update model again

---
 .../src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index 9ee612cbe2..2e17e27dca 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -194,7 +194,6 @@
          </listen_endport>
          <listen_interface type="InterfaceField">
             <Required>N</Required>
-            <Multiple>N</Multiple>
             <filters>
                <enable>/^(?!0).*$/</enable>
                <ipaddr>/^((?!dhcp).)*$/</ipaddr>
@@ -210,7 +209,6 @@
          </transport_type>
          <routing_interface type="InterfaceField">
             <Required>N</Required>
-            <Multiple>N</Multiple>
             <filters>
                <enable>/^(?!0).*$/</enable>
                <ipaddr>/^((?!dhcp).)*$/</ipaddr>
@@ -225,7 +223,6 @@
                </template>
             </Model>
             <ValidationMessage>Table not found</ValidationMessage>
-            <Multiple>N</Multiple>
             <Required>Y</Required>
          </transport_table>
          <transport_port type="PortField">
@@ -264,7 +261,6 @@
                </template>
             </Model>
             <ValidationMessage>Table check not found</ValidationMessage>
-            <Multiple>N</Multiple>
             <Required>Y</Required>
          </transport_tablecheck>
          <backuptransport_table type="ModelRelationField">
@@ -276,7 +272,6 @@
                </template>
             </Model>
             <ValidationMessage>Table not found</ValidationMessage>
-            <Multiple>N</Multiple>
             <Required>N</Required>
          </backuptransport_table>
          <backuptransport_interval type="IntegerField">
@@ -298,7 +293,6 @@
                </template>
             </Model>
             <ValidationMessage>Table check not found</ValidationMessage>
-            <Multiple>N</Multiple>
             <Required>N</Required>
             <Constraints>
                 <check001>
@@ -337,7 +331,6 @@
                </template>
             </Model>
             <ValidationMessage>Protocol not found</ValidationMessage>
-            <Multiple>N</Multiple>
             <Required>N</Required>
          </protocol>
       </virtualserver>

From 37ea19d9130ffcf1ed462b52d729c23d3237fd52 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Sep 2023 09:00:49 +0200
Subject: [PATCH 1562/3088] security/tinc: update model again

---
 .../tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml     | 2 --
 1 file changed, 2 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index b2021db4d2..0d33dc7259 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -72,7 +72,6 @@
                 </pubkey>
                 <cipher type="JsonKeyValueStoreField">
                     <Required>Y</Required>
-                    <Multiple>N</Multiple>
                     <ConfigdPopulateAct>tinc list ciphers</ConfigdPopulateAct>
                     <SourceFile>/tmp/tinc_current_cipher_options.index</SourceFile>
                     <Default>aes-256-cbc</Default>
@@ -164,7 +163,6 @@
                 </pubkey>
                 <cipher type="JsonKeyValueStoreField">
                     <Required>Y</Required>
-                    <Multiple>N</Multiple>
                     <ConfigdPopulateAct>tinc list ciphers</ConfigdPopulateAct>
                     <SourceFile>/tmp/tinc_current_cipher_options.index</SourceFile>
                     <Default>aes-256-cbc</Default>

From 61333a74d8a68b2c0e10a62ef38389d3016d085c Mon Sep 17 00:00:00 2001
From: Jesse <jesse@helix360.de>
Date: Sat, 2 Sep 2023 10:01:58 +0200
Subject: [PATCH 1563/3088] dns/ddclient - add "get" protocol in custom service
 type (#3523)

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php   | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml   | 2 ++
 .../src/opnsense/scripts/ddclient/lib/account/dyndns2.py     | 5 +++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
index b0b4970803..9432b50620 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
@@ -56,7 +56,7 @@ public function performValidation($validateFullModel = false)
                 continue;
             }
             $srv = (string)$node->server;
-            if ((string)$node->protocol == 'post') {
+            if (in_array((string)$node->protocol, ['get', 'post', 'put'])) {
                 if (empty($srv) || filter_var($srv, FILTER_VALIDATE_URL) === false) {
                     $messages->appendMessage(
                         new Message(
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index aeeaa90744..62f707d38a 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -95,7 +95,9 @@
                     <OptionValues>
                         <dyndns1>DynDNS 1</dyndns1>
                         <dyndns2>DynDNS 2</dyndns2>
+                        <get>Custom GET</get>
                         <post>Custom POST</post>
+                        <put>Custom PUT</put>
                     </OptionValues>
                 </protocol>
                 <server type="TextField">
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
index dfd2ae2aa2..34d5feeb37 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -67,11 +67,12 @@ def match(account):
     def execute(self):
         if super().execute():
             protocol = self.settings.get('protocol', None)
-            if protocol == 'post':
+            if protocol in [ 'get', 'post', 'put' ]:
                 url = self.settings.get('server')
                 url = url.replace('__MYIP__', self.current_address)
                 url = url.replace('__HOSTNAME__', self.settings.get('hostnames'))
-                req = requests.post(
+                req = requests.request(
+                    method=protocol,
                     url=url,
                     headers={'User-Agent': 'OPNsense-dyndns'},
                     auth=HTTPBasicAuth(self.settings.get('username'), self.settings.get('password'))

From 7e42d0b5542c1b1b54cb304e740b8f865b300d23 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 3 Sep 2023 11:22:02 +0200
Subject: [PATCH 1564/3088] net/wireguard - refactor dashboard widget, use
 shared service diagnostics endpoint (/api/wireguard/service/show), mark old
 one for deprecation in 24.1 and fix latest-handshake presentation in
 diagnostics screen.

---
 .../Wireguard/Api/GeneralController.php       |   3 +
 .../Wireguard/Api/ServiceController.php       |   3 +
 .../Wireguard/DiagnosticsController.php       |   7 ++
 .../views/OPNsense/Wireguard/diagnostics.volt |  12 +-
 .../src/www/widgets/include/wireguard.inc     |   2 +-
 .../www/widgets/widgets/wireguard.widget.php  | 107 +++++++-----------
 6 files changed, 65 insertions(+), 69 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
index 1aca5548df..e02afcadf2 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
@@ -40,6 +40,9 @@ class GeneralController extends ApiMutableModelControllerBase
     protected static $internalModelClass = '\OPNsense\Wireguard\General';
     protected static $internalModelName = 'general';
 
+    /**
+     * XXX: remove in 24.1 unused
+     */
     public function getStatusAction()
     {
         // get wireguard configuration
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
index 68b81dd6a8..1812f83fbe 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
@@ -103,11 +103,13 @@ public function showAction()
         $payload = json_decode((new Backend())->configdRun("wireguard show") ?? '', true);
         $records = !empty($payload) && !empty($payload['records']) ? $payload['records'] : [];
         $key_descriptions = [];
+        $ifnames = [];
         foreach ((new Client())->clients->client->iterateItems() as $key => $client) {
             $key_descriptions[(string)$client->pubkey] = (string)$client->name;
         }
         foreach ((new Server())->servers->server->iterateItems() as $key => $server) {
             $key_descriptions[(string)$server->pubkey] = (string)$server->name;
+            $ifnames[(string)$server->interface] =  (string)$server->name;
         }
         foreach ($records as &$record) {
             if (!empty($record['public-key']) && !empty($key_descriptions[$record['public-key']])) {
@@ -115,6 +117,7 @@ public function showAction()
             } else {
                 $record['name'] = '';
             }
+            $record['ifname'] = $ifnames[$record['if']];
         }
         $filter_funct = null;
         $types = $this->request->get('type');
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
index 852ea92acb..37f723f535 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
@@ -30,6 +30,13 @@
 
 class DiagnosticsController extends \OPNsense\Base\IndexController
 {
+    protected function templateJSIncludes()
+    {
+        $result = parent::templateJSIncludes();
+        $result[] = '/ui/js/moment-with-locales.min.js';
+        return $result;
+    }
+
     public function indexAction()
     {
         $this->view->pick('OPNsense/Wireguard/diagnostics');
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
index d44af57530..dc97ad14a5 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
@@ -27,7 +27,7 @@
    <script>
        $( document ).ready(function() {
 
-            let grid_phase1 = $("#grid-sessions").UIBootgrid({
+            $("#grid-sessions").UIBootgrid({
                 search:'/api/wireguard/service/show',
                 options:{
                     multiSelect: false,
@@ -39,6 +39,14 @@
                                 return byteFormat(row[column.id], 2);
                             }
                             return row[column.id];
+                        },
+                        epoch: function(column, row) {
+                            if (row[column.id]) {
+                                return moment.unix(row[column.id]).local().format('YYYY-MM-DD HH:mm:ss');
+                            } else {
+                                return '';
+                            }
+
                         }
                     },
                     requestHandler: function(request){
@@ -77,7 +85,7 @@
                  <th data-column-id="public-key" data-type="string" data-identifier="true">{{ lang._('Public key') }}</th>
                  <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                  <th data-column-id="endpoint" data-type="string">{{ lang._('Port / Endpoint') }}</th>
-                 <th data-column-id="latest-handshake" data-type="numeric">{{ lang._('Handshake') }}</th>
+                 <th data-column-id="latest-handshake"  data-formatter="epoch" data-type="numeric">{{ lang._('Handshake') }}</th>
 
                  <th data-column-id="transfer-tx" data-formatter="bytes" data-type="numeric">{{ lang._('Send') }}</th>
                  <th data-column-id="transfer-rx" data-formatter="bytes" data-type="numeric">{{ lang._('Received') }}</th>
diff --git a/net/wireguard/src/www/widgets/include/wireguard.inc b/net/wireguard/src/www/widgets/include/wireguard.inc
index b95fc1fa6f..517182bc2e 100644
--- a/net/wireguard/src/www/widgets/include/wireguard.inc
+++ b/net/wireguard/src/www/widgets/include/wireguard.inc
@@ -1,4 +1,4 @@
 <?php
 
 $wireguard_title = gettext('WireGuard');
-$wireguard_title_link = 'ui/wireguard/general/index';
+$wireguard_title_link = 'ui/wireguard/general/';
diff --git a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
index 6c704030a9..04ce75786c 100644
--- a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
+++ b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Deciso B.V.
+ * Copyright (C) 2020-2023 Deciso B.V.
  * Copyright (C) 2020 D. Domig
  * Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
  * All rights reserved.
@@ -27,94 +27,69 @@
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  * POSSIBILITY OF SUCH DAMAGE.
  */
-
-require_once("guiconfig.inc");
-require_once("widgets/include/wireguard.inc");
-
-$enabled = ($config["OPNsense"]["wireguard"]["general"]["enabled"] === "1" ? true : false);
-
 ?>
 
-<table class="table table-striped table-condensed">
+<table class="table table-striped table-condensed" id="wg-table">
     <thead>
         <tr>
-            <th><?= gettext("Name") ?></th>
             <th><?= gettext("Interface") ?></th>
             <th><?= gettext("Endpoint") ?></th>
             <th><?= gettext("Public Key") ?></th>
             <th><?= gettext("Latest Handshake") ?></th>
         </tr>
     </thead>
-    <tbody id="wg-table-tbody">
-
-    <?php if (!$enabled): ?>
-    <tr>
-        <td colspan="5"><?= gettext("No WireGuard instance defined or enabled.") ?></td>
-    </tr>
-    <?php endif; ?>
-
+    <tbody>
     </tbody>
+    <tfoot style="display: none;">
+        <tr>
+            <td colspan="4"><?= gettext("No WireGuard instance defined or enabled.") ?></td>
+        </tr>
+    </tfoot>
 </table>
 
-<script>
-$(window).on("load", function() {
-    function wgGenerateRow(name, interface, peerName, publicKey, latestHandshake, status)
-    {
-        var tr = ''
-        +'<tr>'
-        +'    <td>' + name + '</td>'
-        +'    <td>' + interface + '</td>'
-        +'    <td>' + peerName  + '</td>'
-        +'    <td style="overflow: hidden; text-overflow: ellipsis;" title="' + publicKey + '">' + publicKey  + '</td>'
-        +'    <td>' + latestHandshake + '</td>'
-        +'</tr>';
-
-        return tr;
+<style>
+    .psk_td {
+        max-width: 0;
+        overflow: hidden;
+        text-overflow: ellipsis;
+        white-space: nowrap;
+        cursor: pointer;
+        text-decoration: underline;
     }
+</style>
 
-    function wgUpdateStatusIf(obj)
-    {
-        // check if at least one peer is set. If not, ignore it.
-        if (Object.keys(obj.peers).length == 0) {
-            return '';
-        }
-
-        // generate row based on data
-        row = '';
-        for (var peerId in obj.peers) {
-            var peer = obj.peers[peerId];
-
-            // generate table row
-            row += wgGenerateRow(
-                obj.name,
-                obj.interface,
-                peer.name,
-                peer.publicKey,
-                peer.lastHandshake,
-                status
-            );
-        }
-
-        return row;
-    }
 
+<script>
+$(window).on("load", function() {
     function wgUpdateStatus()
     {
-        var table = '';
-        ajaxGet("/api/wireguard/general/getStatus", {}, function(data, status) {
-            if (status === 'success') {
-                for (var interface in data.items) {
-                    table += wgUpdateStatusIf(data.items[interface]);
+        ajaxGet("/api/wireguard/service/show", {}, function(data, status) {
+            let $target = $("#wg-table > tbody").empty();
+            if (data.rows !== undefined && data.rows.length > 0) {
+                $("#wg-table > tfoot").hide();
+                for (let i=0; data.rows.length > i; ++i) {
+                    let row = data.rows[i];
+                    let $tr = $("<tr/>");
+                    let ifname = row.ifname ? row.if + ' (' + row.ifname + ') ' : row.if;
+                    $tr.append($("<td>").append(ifname));
+                    $tr.append($("<td>").append(row.name));
+                    $tr.append($("<td class='psk_td'>").append(row['public-key']));
+                    let latest_handhake = '';
+                    if (row['latest-handshake']) {
+                        latest_handhake = moment.unix(row['latest-handshake']).local().format('YYYY-MM-DD HH:mm:ss');
+                    }
+                    $tr.append($("<td>").append(latest_handhake));
+                    $target.append($tr);
                 }
+                $(".psk_td").each(function(){
+                    $(this).tooltip({title: $(this).text(), container: 'body', trigger: 'hover'});
+                });
+            } else{
+                $("#wg-table > tfoot").show();
             }
-            // update table accordingly
-            document.getElementById("wg-table-tbody").innerHTML = table;
             setTimeout(wgUpdateStatus, 10000);
         });
     };
-
-    <?php if ($enabled): ?>
     wgUpdateStatus();
-    <?php endif; ?>
 });
 </script>

From a477a672a582ef57f6bad65c82f1064c334dbfbe Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 3 Sep 2023 19:52:23 +0200
Subject: [PATCH 1565/3088] net/frr - add default-information originate option
 for OSPFv3. closes https://github.com/opnsense/plugins/issues/3519

---
 net/frr/Makefile                              |  1 +
 .../OPNsense/Quagga/forms/ospf6.xml           | 21 ++++++++++++++++++
 .../mvc/app/models/OPNsense/Quagga/OSPF6.xml  | 16 +++++++++++++-
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  | 22 +++++++++++--------
 .../templates/OPNsense/Quagga/ospf6d.conf     |  4 ++++
 5 files changed, 54 insertions(+), 10 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 93dd07444c..b6afb6b3fc 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.35
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
index 43bfb1b116..598f8eda8c 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
@@ -28,4 +28,25 @@
         <type>text</type>
         <help>Router ID as IPv4 Address</help>
     </field>
+    <field>
+        <id>ospf6.originate</id>
+        <label>Advertise Default Gateway</label>
+        <type>checkbox</type>
+        <help>This will send the information that we have a default gateway.</help>
+        <style>opt_checkbox</style>
+    </field>
+    <field>
+        <id>ospf6.originatealways</id>
+        <label>Always Advertise Default Gateway</label>
+        <type>checkbox</type>
+        <help>This will send the information that we have a default gateway, regardless of if it is available.</help>
+        <style>ospf6_originate</style>
+    </field>
+    <field>
+        <id>ospf6.originatemetric</id>
+        <label>Advertise Default Gateway Metric</label>
+        <type>text</type>
+        <help>This let you manipulate the metric when advertising default gateway.</help>
+        <style>ospf6_originate</style>
+    </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index 47da7c5d09..177e571550 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/ospf6</mount>
     <description>OSPFv3 Routing configuration</description>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -25,6 +25,20 @@
                 <Required>N</Required>
                 <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
         </routerid>
+        <originate type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </originate>
+        <originatealways type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </originatealways>
+        <originatemetric type="IntegerField">
+            <Required>N</Required>
+            <MinimumValue>0</MinimumValue>
+            <MaximumValue>16777214</MaximumValue>
+            <ValidationMessage>Must be a number between 0 and 16777214.</ValidationMessage>
+        </originatemetric>
         <interfaces>
                 <interface type="ArrayField">
                         <enabled type="BooleanField">
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index e2a8ed98e4..6052ccd59b 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2023 by Deciso B.V.
 This file is Copyright © 2017 by Fabian Franz
 This file is Copyright © 2017 by Michael Muenz <m.muenz@gmail.com>
 All rights reserved.
@@ -64,7 +64,6 @@ POSSIBILITY OF SUCH DAMAGE.
                     <td colspan="5"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
                         <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
                     </td>
                 </tr>
@@ -76,10 +75,6 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <script>
 
-function quagga_update_status() {
-  updateServiceControlUI('quagga');
-}
-
 $( document ).ready(function() {
   var data_get_map = {'frm_ospf6_settings':"/api/quagga/ospf6settings/get"};
   mapDataToFormUI(data_get_map).done(function(data){
@@ -87,14 +82,14 @@ $( document ).ready(function() {
       $('.selectpicker').selectpicker('refresh');
   });
 
-  quagga_update_status();
+  updateServiceControlUI('quagga');
 
   // link save button to API set action
   $("#saveAct").click(function(){
       saveFormToEndpoint(url="/api/quagga/ospf6settings/set",formid='frm_ospf6_settings',callback_ok=function(){
         $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
         ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-          quagga_update_status();
+          updateServiceControlUI('quagga');
           $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
         });
       });
@@ -104,7 +99,7 @@ $( document ).ready(function() {
   $('.reload_btn').click(function reload_handler() {
     $(".reloadAct_progress").addClass("fa-spin");
     ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-      quagga_update_status();
+      updateServiceControlUI('quagga');
       $(".reloadAct_progress").removeClass("fa-spin");
     });
   });
@@ -119,6 +114,15 @@ $( document ).ready(function() {
       'options':{selection:false, multiSelect:false}
     }
   );
+
+  // hook checkbox item with conditional options
+  $(".opt_checkbox").change(function(){
+      if ($(this).is(':checked')) {
+          $("." + $(this).attr('id').replace('.', '_')).closest('tr').show();
+      } else {
+          $("." + $(this).attr('id').replace('.', '_')).closest('tr').hide();
+      }
+  });
 });
 </script>
 
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index 8aabfb7bce..b7e0a52e30 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -48,6 +48,10 @@ router ospf6
 {% if helpers.exists('OPNsense.quagga.ospf6.routerid') and OPNsense.quagga.ospf6.routerid != '' %}
  ospf6 router-id {{ OPNsense.quagga.ospf6.routerid }}
 {% endif %}
+{% if not helpers.empty('OPNsense.quagga.ospf6.originate') %}
+ default-information originate{% if not helpers.empty('OPNsense.quagga.ospf6.originatealways')  %} always {% endif %}{% if OPNsense.quagga.ospf6.originatemetric|default('') != '' %} metric {{ OPNsense.quagga.ospf6.originatemetric }}{% endif %}
+
+{% endif %}
 {% if helpers.exists('OPNsense.quagga.ospf6.redistribute') and OPNsense.quagga.ospf6.redistribute != '' %}
 {% for line in OPNsense.quagga.ospf6.redistribute.split(',') %}
  redistribute {{ line }}

From e3284aef64a58ca4e3507ed98d876a467fde55b5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Sep 2023 07:47:28 +0200
Subject: [PATCH 1566/3088] net/wireguard: style sweep

---
 .../src/opnsense/scripts/Wireguard/wg-service-control.php    | 5 ++---
 net/wireguard/src/www/widgets/include/wireguard.inc          | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index f6777a02cf..6ba6eaab57 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -94,7 +94,7 @@ function wg_start($server, $fhandle)
     // flush checksum to ease change detection
     fseek($fhandle, 0);
     ftruncate($fhandle, 0);
-    fwrite($fhandle, @md5_file($server->cnfFilename) . "|". wg_reconfigure_hash($server));
+    fwrite($fhandle, @md5_file($server->cnfFilename) . "|" . wg_reconfigure_hash($server));
     syslog(LOG_NOTICE, "Wireguard interface {$server->name} ({$server->interface}) started");
 }
 
@@ -144,7 +144,6 @@ function get_stat_hash($fhandle)
         'file' => $parts[0] ?? '',
         'interface' => $parts[1] ?? ''
     ];
-
 }
 
 $opts = getopt('ah', [], $optind);
@@ -192,7 +191,7 @@ function get_stat_hash($fhandle)
                                 // Fluent reloading not supported for this instance, make sure the user is informed
                                 syslog(
                                     LOG_NOTICE,
-                                    "Wireguard interface {$node->name} ({$node->interface}) ".
+                                    "Wireguard interface {$node->name} ({$node->interface}) " .
                                     "can not reconfigure without stopping it first."
                                 );
                                 wg_stop($node);
diff --git a/net/wireguard/src/www/widgets/include/wireguard.inc b/net/wireguard/src/www/widgets/include/wireguard.inc
index 517182bc2e..f1bae7fe46 100644
--- a/net/wireguard/src/www/widgets/include/wireguard.inc
+++ b/net/wireguard/src/www/widgets/include/wireguard.inc
@@ -1,4 +1,4 @@
 <?php
 
 $wireguard_title = gettext('WireGuard');
-$wireguard_title_link = 'ui/wireguard/general/';
+$wireguard_title_link = 'ui/wireguard/general';

From 949fbaa4ba75512c62adc07feebe2056d7bd1552 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 31 Aug 2023 08:03:44 +0200
Subject: [PATCH 1567/3088] net/wireguard: hook up 'newwanip' and 'vpn'
 facilities #3565

---
 net/wireguard/Makefile                        |  3 +-
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 34 +++++++++++++++++++
 .../src/etc/rc.syshook.d/start/50-wireguard   |  2 --
 3 files changed, 35 insertions(+), 4 deletions(-)
 delete mode 100755 net/wireguard/src/etc/rc.syshook.d/start/50-wireguard

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index e597f4f976..4092c7e067 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		2.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		2.1
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index aed2673825..4474b40894 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -102,3 +102,37 @@ function wireguard_devices()
 {
     return [['pattern' => '^wg', 'volatile' => true]];
 }
+
+function wireguard_configure()
+{
+    return [
+        'newwanip' => ['wireguard_renew:2'],
+        'vpn' => ['wireguard_configure_do:2'],
+    ];
+}
+
+function wireguard_configure_do($verbose = false, $unused = '')
+{
+    if (!wireguard_enabled()) {
+        return;
+    }
+
+    service_log('Configuring WireGuard VPN...', $verbose);
+
+    configd_run('wireguard configure');
+
+    service_log("done.\n", $verbose);
+}
+
+function wireguard_renew($verbose = false, $unused = '')
+{
+    if (!wireguard_enabled()) {
+        return;
+    }
+
+    service_log('Renewing WireGuard VPN...', $verbose);
+
+    configd_run('wireguard renew');
+
+    service_log("done.\n", $verbose);
+}
diff --git a/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard b/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
deleted file mode 100755
index 826ba71cd8..0000000000
--- a/net/wireguard/src/etc/rc.syshook.d/start/50-wireguard
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-configctl -dq wireguard configure

From 57ebc7510f3c3bcc38ffbc5e3a90f18adb12c206 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 6 Sep 2023 08:27:17 +0200
Subject: [PATCH 1568/3088] plugins: strip $FreeBSD$ since gone in src.git

---
 dns/ddclient/src/etc/rc.d/ddclient_opn                       | 2 --
 .../opnsense/service/templates/OPNsense/Netdata/netdata.conf | 2 --
 net/ftp-proxy/src/etc/rc.d/os-ftp-proxy                      | 3 ---
 net/relayd/src/etc/rc.d/os-relayd                            | 3 ---
 net/shadowsocks/src/etc/rc.d/opnsense-ss-local               | 5 +----
 net/tayga/src/etc/rc.d/opnsense-tayga                        | 3 ---
 net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay      | 3 ---
 security/acme-client/src/etc/rc.d/acme_http_challenge        | 2 --
 security/crowdsec/src/etc/rc.d/oscrowdsec                    | 3 ---
 security/maltrail/src/etc/rc.d/opnsense-maltrailsensor       | 3 ---
 security/maltrail/src/etc/rc.d/opnsense-maltrailserver       | 3 ---
 security/openconnect/src/etc/rc.d/opnsense-openconnect       | 3 ---
 security/stunnel/src/etc/rc.d/identd_stunnel                 | 3 ---
 security/tinc/src/etc/rc.d/opnsense-tincd                    | 3 ---
 14 files changed, 1 insertion(+), 40 deletions(-)

diff --git a/dns/ddclient/src/etc/rc.d/ddclient_opn b/dns/ddclient/src/etc/rc.d/ddclient_opn
index 15c12b8a84..791fbcb682 100755
--- a/dns/ddclient/src/etc/rc.d/ddclient_opn
+++ b/dns/ddclient/src/etc/rc.d/ddclient_opn
@@ -1,7 +1,5 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
 # PROVIDE: ddclient_py
 # REQUIRE: SERVERS
 # KEYWORD: shutdown
diff --git a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
index 8e2c769e37..98b5d52a14 100644
--- a/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
+++ b/net-mgmt/netdata/src/opnsense/service/templates/OPNsense/Netdata/netdata.conf
@@ -1,6 +1,4 @@
 {% if helpers.exists('OPNsense.netdata.general.enabled') and OPNsense.netdata.general.enabled == '1' %}
-# $FreeBSD$
-
 # netdata configuration
 #
 # You can uncomment and change any of the options below.
diff --git a/net/ftp-proxy/src/etc/rc.d/os-ftp-proxy b/net/ftp-proxy/src/etc/rc.d/os-ftp-proxy
index 76c45ddc8b..b462b6cade 100755
--- a/net/ftp-proxy/src/etc/rc.d/os-ftp-proxy
+++ b/net/ftp-proxy/src/etc/rc.d/os-ftp-proxy
@@ -1,8 +1,5 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
-
 # PROVIDE: os-ftp-proxy
 # REQUIRE: DAEMON pf
 # KEYWORD: shutdown
diff --git a/net/relayd/src/etc/rc.d/os-relayd b/net/relayd/src/etc/rc.d/os-relayd
index 04dade24f7..2bab72bcb9 100755
--- a/net/relayd/src/etc/rc.d/os-relayd
+++ b/net/relayd/src/etc/rc.d/os-relayd
@@ -1,8 +1,5 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
-
 # PROVIDE: os-relayd
 # REQUIRE: NETWORKING syslogd
 # BEFORE:  DAEMON
diff --git a/net/shadowsocks/src/etc/rc.d/opnsense-ss-local b/net/shadowsocks/src/etc/rc.d/opnsense-ss-local
index c68761d69a..f968c7c701 100755
--- a/net/shadowsocks/src/etc/rc.d/opnsense-ss-local
+++ b/net/shadowsocks/src/etc/rc.d/opnsense-ss-local
@@ -1,6 +1,5 @@
 #!/bin/sh
-# $FreeBSD$
-
+#
 # PROVIDE: ss-local
 # REQUIRE: LOGIN cleanvar
 # KEYWORD: shutdown
@@ -11,13 +10,11 @@
 # ss_local_config (path): Shadowsocks config file.
 #      Defaults to "/usr/local/etc/shadowsocks-libev/local.json"
 
-
 . /etc/rc.subr
 
 name="ss_local"
 rcvar=ss_local_enable
 
-
 load_rc_config $name
 
 : ${ss_local_enable:="NO"}
diff --git a/net/tayga/src/etc/rc.d/opnsense-tayga b/net/tayga/src/etc/rc.d/opnsense-tayga
index d911e8a692..1b4be79c94 100755
--- a/net/tayga/src/etc/rc.d/opnsense-tayga
+++ b/net/tayga/src/etc/rc.d/opnsense-tayga
@@ -1,11 +1,8 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
 # PROVIDE: opnsense-tayga
 # REQUIRE: SERVERS
 # KEYWORD: shutdown
-#
 
 . /etc/rc.subr
 
diff --git a/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay b/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
index e16cab0c38..431191c467 100755
--- a/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
+++ b/net/udpbroadcastrelay/src/etc/rc.d/os-udpbroadcastrelay
@@ -1,8 +1,5 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
-
 # PROVIDE: osudpbroadcastrelay
 # KEYWORD: shutdown
 
diff --git a/security/acme-client/src/etc/rc.d/acme_http_challenge b/security/acme-client/src/etc/rc.d/acme_http_challenge
index 4eb01f559e..52ef66067a 100755
--- a/security/acme-client/src/etc/rc.d/acme_http_challenge
+++ b/security/acme-client/src/etc/rc.d/acme_http_challenge
@@ -1,7 +1,5 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
 # PROVIDE: acme_http_challenge
 # REQUIRE: DAEMON
 # KEYWORD: shutdown
diff --git a/security/crowdsec/src/etc/rc.d/oscrowdsec b/security/crowdsec/src/etc/rc.d/oscrowdsec
index 04a7e8c7b3..0d310efd6b 100755
--- a/security/crowdsec/src/etc/rc.d/oscrowdsec
+++ b/security/crowdsec/src/etc/rc.d/oscrowdsec
@@ -1,8 +1,5 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
-
 # PROVIDE: oscrowdsec
 # REQUIRE: NETWORKING syslogd
 # BEFORE:  DAEMON
diff --git a/security/maltrail/src/etc/rc.d/opnsense-maltrailsensor b/security/maltrail/src/etc/rc.d/opnsense-maltrailsensor
index b064c35b4d..70788ea780 100755
--- a/security/maltrail/src/etc/rc.d/opnsense-maltrailsensor
+++ b/security/maltrail/src/etc/rc.d/opnsense-maltrailsensor
@@ -1,11 +1,8 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
 # PROVIDE: opnsense-maltrailsensor
 # REQUIRE: SERVERS
 # KEYWORD: shutdown
-#
 
 . /etc/rc.subr
 
diff --git a/security/maltrail/src/etc/rc.d/opnsense-maltrailserver b/security/maltrail/src/etc/rc.d/opnsense-maltrailserver
index aa3de2883a..c32d698108 100755
--- a/security/maltrail/src/etc/rc.d/opnsense-maltrailserver
+++ b/security/maltrail/src/etc/rc.d/opnsense-maltrailserver
@@ -1,11 +1,8 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
 # PROVIDE: opnsense-maltrailserver
 # REQUIRE: SERVERS
 # KEYWORD: shutdown
-#
 
 . /etc/rc.subr
 
diff --git a/security/openconnect/src/etc/rc.d/opnsense-openconnect b/security/openconnect/src/etc/rc.d/opnsense-openconnect
index 518a83c7d4..3318f76673 100755
--- a/security/openconnect/src/etc/rc.d/opnsense-openconnect
+++ b/security/openconnect/src/etc/rc.d/opnsense-openconnect
@@ -1,11 +1,8 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
 # PROVIDE: opnsense-openconnect
 # REQUIRE: SERVERS
 # KEYWORD: shutdown
-#
 
 . /etc/rc.subr
 
diff --git a/security/stunnel/src/etc/rc.d/identd_stunnel b/security/stunnel/src/etc/rc.d/identd_stunnel
index 003c2c3c4a..19be1bcc58 100755
--- a/security/stunnel/src/etc/rc.d/identd_stunnel
+++ b/security/stunnel/src/etc/rc.d/identd_stunnel
@@ -1,11 +1,8 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
 # PROVIDE: identd_stunnel
 # REQUIRE: SERVERS
 # KEYWORD: shutdown
-#
 
 . /etc/rc.subr
 
diff --git a/security/tinc/src/etc/rc.d/opnsense-tincd b/security/tinc/src/etc/rc.d/opnsense-tincd
index 6a611bc1b1..c96b3bdec7 100755
--- a/security/tinc/src/etc/rc.d/opnsense-tincd
+++ b/security/tinc/src/etc/rc.d/opnsense-tincd
@@ -1,11 +1,8 @@
 #!/bin/sh
 #
-# $FreeBSD$
-#
 # PROVIDE: opnsense-tincd
 # REQUIRE: SERVERS
 # KEYWORD: shutdown
-#
 
 . /etc/rc.subr
 

From dcb8ace45f5424cddcbc072779e9d2d9a90ebee6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 6 Sep 2023 08:32:14 +0200
Subject: [PATCH 1569/3088] net/firewall: bump because of more intrusive model
 change

---
 net/firewall/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 7651367222..f92f3329d4 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		1.4
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2

From 037bc63c8645bcf016ab28b1412563840ea13374 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 6 Sep 2023 08:34:03 +0200
Subject: [PATCH 1570/3088] net/relayd: revision bump due to model changes

---
 net/relayd/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index f826734883..139dd2abe5 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.8
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From 1baaa11fe99cd564206d0bece29fb830cab3f1e7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 6 Sep 2023 08:42:53 +0200
Subject: [PATCH 1571/3088] dns/ddclient: update changelog

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 4b731c1249..ad510c72ae 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.15
+PLUGIN_VERSION=		1.16
 PLUGIN_DEPENDS=		ddclient-devel py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 6964b5001b..a2039b1a79 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.16
+
+* Add custom GET/PUT protocols to native backend (contributed by DaCookie4u)
+
 1.15
 
 * Add AWS Route53 and DuckDNS to native backend (contributed by Greg Glockner)

From c6ad8a442bcc50a9e15228dfd9566a7dadf5c5a2 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 6 Sep 2023 15:16:04 +0200
Subject: [PATCH 1572/3088] security/tinc: add routes to remote subnets with
 "subnet-up" script. for https://github.com/opnsense/plugins/pull/3539

---
 security/tinc/Makefile                           |  2 +-
 .../src/opnsense/scripts/OPNsense/Tinc/tincd.py  | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index ecc4f25f3b..7d631fc778 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
index 3f5f887f49..d9020a76c8 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
@@ -30,10 +30,10 @@
 """
 import os
 import sys
-import tempfile
 import glob
 import pipes
 import xml.etree.ElementTree
+import shutil
 import subprocess
 import ipaddress
 from lib import objects
@@ -96,6 +96,20 @@ def deploy(config_filename):
         if_up.append("configctl interface %s %s" % (interface_configd, interface_name))
         write_file("%s/tinc-up" % network.get_basepath(), '\n'.join(if_up) + "\n", 0o700)
 
+        # write subnet-up file and ship required binaries into the chroot
+        chroot_needs = set(['/bin/sh', '/sbin/route', '/libexec/ld-elf.so.1'])
+        for item in list(chroot_needs):
+            for line in subprocess.run(['/usr/bin/ldd', item],  capture_output=True, text=True).stdout.split('\n'):
+                if line.find('=>') > 0:
+                    chroot_needs.add(line.split('=>')[1].strip().split()[0])
+        for filename in chroot_needs:
+            os.makedirs('%s%s' % (network.get_basepath(), os.path.dirname(filename)), exist_ok=True)
+            shutil.copy(filename, '%s/%s' % (network.get_basepath(), filename))
+        write_file("%s/subnet-up" % network.get_basepath(), '\n'.join([
+            "#!/bin/sh",
+            "route add $SUBNET -iface %s\n" % interface_name
+        ]), 0o700)
+
         # configure and rename new tun device, place all in group "tinc" symlink associated tun device
         if interface_name not in interfaces:
             tundev = subprocess.run(['/sbin/ifconfig', interface_type, 'create'],

From 226340ab718fa950bc2e719add960c61067de2f9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 14 Sep 2023 00:56:00 +0200
Subject: [PATCH 1573/3088] net/haproxy: remove dead link

---
 .../src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 54dd719be3..c831ef9c8b 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -717,7 +717,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="https://docs.opnsense.org/manual/how-tos/haproxy.html" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/2.6/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>

From d260d55b51173b852f848d51c7bf95900489de0d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Sep 2023 09:37:41 +0200
Subject: [PATCH 1574/3088] net/haproxy: bump for update

---
 net/haproxy/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index f400b0ba29..49233c6f06 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy26
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 62cdab165b0021c09abfb9fd86382f8dbd29be99 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Sep 2023 09:40:25 +0200
Subject: [PATCH 1575/3088] net/frr: bump version

---
 net/frr/Makefile  | 3 +--
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index b6afb6b3fc..5282890e65 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.35
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.36
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 0046123c28..ba4c220766 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.36
+
+* Added default-information originate option for OSPFv3
+
 1.35
 
 * Added automatic OSPFv3 firewall rules and opt-out automatic rule switch (contributed by Bill Gertz)

From e005b6b9cde5c7082a8e1c7206e29fecc1d057e9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Sep 2023 09:44:00 +0200
Subject: [PATCH 1576/3088] net/wireguard: update changelog

---
 net/wireguard/pkg-descr | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 77e00f49ca..97bd55ffcc 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,12 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+2.1
+
+* Only reload when interface configuration did not change
+* Implement 'newwanip' and 'vpn' plugin facilities
+* Refactor dashboard widget
+
 2.0
 
 * Remove wireguard-go support and cleanup some go specific code as it's not being used anymore anyway

From 322862ef7148e48479d3f161e520c1c52a8fa2d5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Sep 2023 09:45:07 +0200
Subject: [PATCH 1577/3088] security/tinc: update version

---
 security/tinc/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 7d631fc778..19cc944ff2 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tinc
-PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	6
+PLUGIN_VERSION=		1.7
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 28e8bc0cf0fedcc678c0935da65fa603f3805a90 Mon Sep 17 00:00:00 2001
From: Hasan UCAK <hasan.ucak@gmail.com>
Date: Sat, 16 Sep 2023 18:38:45 +0300
Subject: [PATCH 1578/3088] update repository hostname (#3586)

---
 vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in b/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in
index c4c6acc7bb..4bc181315e 100644
--- a/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in
+++ b/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in
@@ -1,6 +1,6 @@
 SunnyValley: {
   fingerprints: "/usr/local/etc/pkg/fingerprints/SunnyValley",
-  url: "https://updates.sunnyvalley.io/opnsense/${ABI}/%%PLUGIN_ABI%%/OpenSSL/latest",
+  url: "https://updates.zenarmor.com/opnsense/${ABI}/%%PLUGIN_ABI%%/latest",
   signature_type: "fingerprints",
   priority: 7,
   enabled: yes

From f2413b5013dfbbc58ded9a74bef5dc23275cef7d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 Sep 2023 09:59:02 +0200
Subject: [PATCH 1579/3088] net/upnp: time to stop using get_interface_ip() in
 plugins

The function is opportunistic and has weird VIP glue which is not
needed in 98% of the code.
---
 net/upnp/Makefile                                | 2 +-
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 69773cd84c..6be3288b4e 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index cf3233c6e5..bc667ab016 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -146,7 +146,7 @@ function miniupnpd_configure_do($verbose = false)
             $if = get_real_interface($iface);
             /* above function returns iface if fail */
             if ($if != $iface) {
-                $addr = get_interface_ip($iface);
+                list ($addr) = interfaces_primary_address($iface);
                 if (!empty($addr)) {
                     $config_text .= "listening_ip={$if}";
                     if (!empty($upnp_config['overridesubnet'])) {

From 3cbf6f1fbf40d415f909bdf9b0e9f10acf095f83 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 Sep 2023 10:00:37 +0200
Subject: [PATCH 1580/3088] vendor/sunnyvalley: version bump

---
 vendor/sunnyvalley/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index b9ff6023ff..9bd1c0ce8b 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		sunnyvalley
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
 PLUGIN_WWW=		https://www.sunnyvalley.io

From 834a0dfa55fb608e6126c1536db8a9070227154a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 Sep 2023 10:28:01 +0200
Subject: [PATCH 1581/3088] security/acme-client: avoid including
 interfaces.inc in MVC, use proper function/flow

---
 security/acme-client/Makefile                            | 1 +
 .../OPNsense/AcmeClient/LeValidation/HttpOpnsense.php    | 9 ++++-----
 .../OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php     | 9 ++++-----
 3 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 00a0327dea..1f3eaf6ce8 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		3.19
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 3b2d7a3c97..c7a1672e34 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -28,8 +28,6 @@
 
 namespace OPNsense\AcmeClient\LeValidation;
 
-require_once("interfaces.inc");
-
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
@@ -74,9 +72,10 @@ public function prepare()
 
         // Add IP address from chosen interface
         if (!empty((string)$this->config->http_opn_interface)) {
-            $interface_ip = get_interface_ip((string)$this->config->http_opn_interface);
-            if (!empty($interface_ip)) {
-                $iplist[] = $interface_ip;
+            $backend = new \OPNsense\Core\Backend();
+            $response = $backend->configdpRun('interface address', [(string)$this->config->http_opn_interface]);
+            if (!empty($response['address'])) {
+                $iplist[] = $response['address'];
             }
         }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index db8466892a..f849ffd405 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -28,8 +28,6 @@
 
 namespace OPNsense\AcmeClient\LeValidation;
 
-require_once("interfaces.inc");
-
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
@@ -75,9 +73,10 @@ public function prepare()
 
         // Add IP address from chosen interface
         if (!empty((string)$this->config->tlsalpn_acme_interface)) {
-            $interface_ip = get_interface_ip((string)$this->config->tlsalpn_acme_interface);
-            if (!empty($interface_ip)) {
-                $iplist[] = $interface_ip;
+            $backend = new \OPNsense\Core\Backend();
+            $response = $backend->configdpRun('interface address', [(string)$this->config->tlsalpn_acme_interface]);
+            if (!empty($response['address'])) {
+                $iplist[] = $response['address'];
             }
         }
 

From bea60a2883fb81a2fb213e98899265e477fa003b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 Sep 2023 11:09:58 +0200
Subject: [PATCH 1582/3088] dns/rfc2136: remove get_interface_ip(v6) use

---
 dns/rfc2136/Makefile                              |  2 +-
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 11 ++++-------
 dns/rfc2136/src/www/services_rfc2136.php          |  4 ++--
 3 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index fa96105ebf..f4ac272b23 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 2de4d43c10..25c3fc9141 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -151,7 +151,7 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
             if (isset($dnsupdate['usepublicip'])) {
                 $wanip = get_rfc2136_ip_address($dnsupdate['interface'], 4);
             } else {
-                $wanip = get_interface_ip($dnsupdate['interface']);
+                list ($wanip) = interfaces_primary_address($dnsupdate['interface']);
             }
             if (is_ipaddrv4($wanip)) {
                 if (($wanip != $cachedipv4) || (($currentTime - $cacheTimev4) > $maxCacheAgeSecs) || $forced) {
@@ -178,7 +178,7 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
             if (isset($dnsupdate['usepublicip'])) {
                 $wanipv6 = get_rfc2136_ip_address($dnsupdate['interface'], 6);
             } else {
-                $wanipv6 = get_interface_ipv6($dnsupdate['interface']);
+                list ($wanipv6) = interfaces_primary_address6($dnsupdate['interface']);
             }
             if (is_ipaddrv6($wanipv6)) {
                 if (($wanipv6 != $cachedipv6) || (($currentTime - $cacheTimev6) > $maxCacheAgeSecs) || $forced) {
@@ -216,19 +216,16 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
 
 function get_rfc2136_ip_address($int, $ipver = 4)
 {
-    $ip_address = $ipver == 6 ? get_interface_ipv6($int) : get_interface_ip($int);
+    list ($ip_address) = $ipver == 6 ? interfaces_primary_address6($int) : interfaces_primary_address($int);
     if (empty($ip_address)) {
         log_error("Aborted IPv{$ipver} detection: no address for {$int}");
         return 'down';
     }
 
     if ($ipver != 6 && is_private_ip($ip_address)) {
-        /* Chinese alternative is http://ip.3322.net/ */
-        $hosttocheck = 'http://checkip.dyndns.org';
-        $ip_ch = curl_init($hosttocheck);
+        $ip_ch = curl_init('http://checkip.dyndns.org');
         curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address);
-        curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, 5);
         curl_setopt($ip_ch, CURLOPT_TIMEOUT, 30);
         curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
         $ip_result = curl_exec($ip_ch);
diff --git a/dns/rfc2136/src/www/services_rfc2136.php b/dns/rfc2136/src/www/services_rfc2136.php
index a7a5029bbb..4c7c385c07 100644
--- a/dns/rfc2136/src/www/services_rfc2136.php
+++ b/dns/rfc2136/src/www/services_rfc2136.php
@@ -148,7 +148,7 @@
                             if (isset($rfc2136['usepublicip'])) {
                                 $ipaddr = get_rfc2136_ip_address($rfc2136['interface'], 4);
                             } else {
-                                $ipaddr = get_interface_ip($rfc2136['interface']);
+                                list ($ipaddr) = interfaces_primary_address($rfc2136['interface']);
                             }
                             $cached_ip_s = explode("|", file_get_contents($filename));
                             $cached_ip = $cached_ip_s[0];
@@ -169,7 +169,7 @@
                             if (isset($rfc2136['usepublicip'])) {
                                 $ipaddr = get_rfc2136_ip_address($rfc2136['interface'], 6);
                             } else {
-                                $ipaddr = get_interface_ipv6($rfc2136['interface']);
+                                list ($ipaddr) = interfaces_primary_address6($rfc2136['interface']);
                             }
                             $cached_ip_s = explode("|", file_get_contents($filename6));
                             $cached_ip = $cached_ip_s[0];

From dd073fd6a651de5eecb173e3bb902279e703a1ef Mon Sep 17 00:00:00 2001
From: Andrew <andrew.hotlab@hotmail.com>
Date: Mon, 18 Sep 2023 14:35:13 +0200
Subject: [PATCH 1583/3088] security/tinc - subnet-down script was added to
 tinc plugin (#3591)

---
 security/tinc/Makefile                                    | 1 +
 security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 19cc944ff2..ea9b6397ab 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.7
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
index d9020a76c8..2f73ae60b6 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
@@ -96,7 +96,7 @@ def deploy(config_filename):
         if_up.append("configctl interface %s %s" % (interface_configd, interface_name))
         write_file("%s/tinc-up" % network.get_basepath(), '\n'.join(if_up) + "\n", 0o700)
 
-        # write subnet-up file and ship required binaries into the chroot
+        # write subnet-{up|down} scripts and ship required binaries into the chroot
         chroot_needs = set(['/bin/sh', '/sbin/route', '/libexec/ld-elf.so.1'])
         for item in list(chroot_needs):
             for line in subprocess.run(['/usr/bin/ldd', item],  capture_output=True, text=True).stdout.split('\n'):
@@ -109,6 +109,10 @@ def deploy(config_filename):
             "#!/bin/sh",
             "route add $SUBNET -iface %s\n" % interface_name
         ]), 0o700)
+        write_file("%s/subnet-down" % network.get_basepath(), '\n'.join([
+            "#!/bin/sh",
+            "route delete $SUBNET -iface %s\n" % interface_name
+        ]), 0o700)
 
         # configure and rename new tun device, place all in group "tinc" symlink associated tun device
         if interface_name not in interfaces:

From d0ac0b3f9d527d23896c136157d5ff646f3bf3de Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Sep 2023 13:13:41 +0200
Subject: [PATCH 1584/3088] misc: rename bootstrap-select files and bump
 version

PR: https://github.com/opnsense/core/issues/6849
---
 misc/theme-cicada/Makefile                    |   1 +
 ...lect-1.13.3.scss => bootstrap-select.scss} |   0
 ...elect-1.13.3.css => bootstrap-select1.css} |   0
 misc/theme-rebellion/Makefile                 |   1 +
 ...lect-1.13.3.scss => bootstrap-select.scss} |   0
 .../build/css/bootstrap-select-1.13.3.css     | 405 ------------------
 .../rebellion/build/css/bootstrap-select.css  | 262 ++++++++---
 misc/theme-tukan/Makefile                     |   1 +
 ...ect-1.13.3.scss => bootstrap-select1.scss} |   0
 .../build/css/bootstrap-select-1.13.3.css     | 398 -----------------
 .../tukan/build/css/bootstrap-select.css      | 258 +++++++----
 misc/theme-vicuna/Makefile                    |   1 +
 ...ect-1.13.3.scss => bootstrap-select1.scss} |   0
 .../build/css/bootstrap-select-1.13.3.css     | 398 -----------------
 .../vicuna/build/css/bootstrap-select.css     | 258 +++++++----
 15 files changed, 569 insertions(+), 1414 deletions(-)
 rename misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/{bootstrap-select-1.13.3.scss => bootstrap-select.scss} (100%)
 rename misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/{bootstrap-select-1.13.3.css => bootstrap-select1.css} (100%)
 rename misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/{bootstrap-select-1.13.3.scss => bootstrap-select.scss} (100%)
 delete mode 100644 misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select-1.13.3.css
 rename misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/{bootstrap-select-1.13.3.scss => bootstrap-select1.scss} (100%)
 delete mode 100644 misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select-1.13.3.css
 rename misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/{bootstrap-select-1.13.3.scss => bootstrap-select1.scss} (100%)
 delete mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select-1.13.3.css

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 2d7b418c35..2783100d16 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.34
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/bootstrap-select-1.13.3.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/bootstrap-select.scss
similarity index 100%
rename from misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/bootstrap-select-1.13.3.scss
rename to misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/bootstrap-select.scss
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select-1.13.3.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select1.css
similarity index 100%
rename from misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select-1.13.3.css
rename to misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select1.css
diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index b15ab9ea56..e4c0763f58 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-rebellion
 PLUGIN_VERSION=		1.8.8
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/bootstrap-select-1.13.3.scss b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/bootstrap-select.scss
similarity index 100%
rename from misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/bootstrap-select-1.13.3.scss
rename to misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/bootstrap-select.scss
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select-1.13.3.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select-1.13.3.css
deleted file mode 100644
index bbc5c29d9a..0000000000
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select-1.13.3.css
+++ /dev/null
@@ -1,405 +0,0 @@
-/*!
- * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
- *
- * Copyright 2012-2018 SnapAppointments, LLC
- * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
- */
-
-select.bs-select-hidden,
-.bootstrap-select > select.bs-select-hidden,
-select.selectpicker {
-  display: none !important;
-
-}
-.bootstrap-select {
-  width: 348px \0;
-  /*IE9 and below*/
-}
-.bootstrap-select > .dropdown-toggle {
-  position: relative;
-  width: 100%;
-
-  z-index: 1;
-  text-align: right;
-  white-space: nowrap;
-}
-.bootstrap-select > .dropdown-toggle.bs-placeholder,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
-  color: #ccc;
-}
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
-  color: rgba(0, 0, 0, 0.5);
-}
-.bootstrap-select > select {
-  position: absolute !important;
-  bottom: 0;
-  left: 50%;
-  display: block !important;
-  width: 0.5px !important;
-  height: 100% !important;
-  padding: 0 !important;
-  opacity: 0 !important;
-  border: none;
-}
-.bootstrap-select > select.mobile-device {
-  top: 0;
-  left: 0;
-  display: block !important;
-  width: 100% !important;
-  z-index: 2;
-}
-.has-error .bootstrap-select .dropdown-toggle,
-.error .bootstrap-select .dropdown-toggle,
-.bootstrap-select.is-invalid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
-  border-color: #b94a48;
-}
-.bootstrap-select.is-valid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
-  border-color: #28a745;
-}
-.bootstrap-select.fit-width {
-  width: auto !important;
-}
-.bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
-  width: 348px;
-}
-.bootstrap-select > select.mobile-device:focus + .dropdown-toggle,
-.bootstrap-select .dropdown-toggle:focus {
-  outline: thin dotted #bbbbbb !important;
-  outline: 5px auto -webkit-focus-ring-color !important;
-  outline-offset: -2px;
-}
-.bootstrap-select.form-control {
-  margin-bottom: 0;
-  padding: 0;
-  border: none;
-}
-:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
-  width: 100%;
-}
-.bootstrap-select.form-control.input-group-btn {
-  z-index: auto;
-}
-.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0;
-}
-.bootstrap-select:not(.input-group-btn),
-.bootstrap-select[class*="col-"] {
-  float: none;
-  display: inline-block;
-  margin-left: 0;
-}
-.bootstrap-select.dropdown-menu-right,
-.bootstrap-select[class*="col-"].dropdown-menu-right,
-.row .bootstrap-select[class*="col-"].dropdown-menu-right {
-  float: right;
-}
-.form-inline .bootstrap-select,
-.form-horizontal .bootstrap-select,
-.form-group .bootstrap-select {
-  margin-bottom: 0;
-}
-.form-group-lg .bootstrap-select.form-control,
-.form-group-sm .bootstrap-select.form-control {
-  padding: 0;
-}
-.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
-.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
-  height: 100%;
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-.bootstrap-select.form-control-sm .dropdown-toggle,
-.bootstrap-select.form-control-lg .dropdown-toggle {
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-.bootstrap-select.form-control-sm .dropdown-toggle {
-  padding: 0.25rem 0.5rem;
-}
-.bootstrap-select.form-control-lg .dropdown-toggle {
-  padding: 0.5rem 1rem;
-}
-.form-inline .bootstrap-select .form-control {
-  width: 100%;
-}
-.bootstrap-select.disabled,
-.bootstrap-select > .disabled {
-  cursor: not-allowed;
-}
-.bootstrap-select.disabled:focus,
-.bootstrap-select > .disabled:focus {
-  outline: none !important;
-}
-.bootstrap-select.bs-container {
-  position: absolute;
-  top: 0;
-  left: 0;
-  height: 0 !important;
-  padding: 0 !important;
-}
-.bootstrap-select.bs-container .dropdown-menu {
-  z-index: 1060;
-}
-.bootstrap-select .dropdown-toggle:before {
-  content: '';
-  display: inline-block;
-}
-.bootstrap-select .dropdown-toggle .filter-option {
-  position: absolute;
-  top: 0;
-  left: 0;
-  padding-top: inherit;
-  padding-right: inherit;
-  padding-bottom: inherit;
-  padding-left: inherit;
-  height: 100%;
-  width: 100%;
-  text-align: left;
-}
-.bootstrap-select .dropdown-toggle .filter-option-inner {
-  padding-right: inherit;
-}
-.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
-  overflow: hidden;
-}
-.bootstrap-select .dropdown-toggle .caret {
-  position: absolute;
-  top: 50%;
-  right: 12px;
-  margin-top: -2px;
-  vertical-align: middle;
-}
-.input-group .bootstrap-select.form-control .dropdown-toggle {
-  border-radius: inherit;
-}
-.bootstrap-select[class*="col-"] .dropdown-toggle {
-  width: 100%;
-}
-.bootstrap-select .dropdown-menu {
-  min-width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bootstrap-select .dropdown-menu > .inner:focus {
-  outline: none !important;
-}
-.bootstrap-select .dropdown-menu.inner {
-  position: static;
-  float: none;
-  border: 0;
-  padding: 0;
-  margin: 0;
-  border-radius: 0;
-  -webkit-box-shadow: none;
-          box-shadow: none;
-}
-.bootstrap-select .dropdown-menu li {
-  position: relative;
-}
-.bootstrap-select .dropdown-menu li.active small {
-  color: rgba(255, 255, 255, 0.5) !important;
-}
-.bootstrap-select .dropdown-menu li.disabled a {
-  cursor: not-allowed;
-}
-.bootstrap-select .dropdown-menu li a {
-  cursor: pointer;
-  -webkit-user-select: none;
-     -moz-user-select: none;
-      -ms-user-select: none;
-          user-select: none;
-}
-.bootstrap-select .dropdown-menu li a.opt {
-  position: relative;
-  padding-left: 2.25em;
-}
-.bootstrap-select .dropdown-menu li a span.check-mark {
-  display: none;
-}
-.bootstrap-select .dropdown-menu li a span.text {
-  display: inline-block;
-}
-.bootstrap-select .dropdown-menu li small {
-  padding-left: 0.5em;
-}
-.bootstrap-select .dropdown-menu .notify {
-  position: absolute;
-  bottom: 5px;
-  width: 96%;
-  margin: 0 2%;
-  min-height: 26px;
-  padding: 3px 5px;
-  background: #151515;
-  border: 1px solid #232323;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-          box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-  pointer-events: none;
-  opacity: 0.9;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bootstrap-select .no-results {
-  padding: 3px;
-  background: #151515;
-  margin: 0 5px;
-  white-space: nowrap;
-}
-.bootstrap-select.fit-width .dropdown-toggle .filter-option {
-  position: static;
-  display: inline;
-  padding: 0;
-}
-.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
-.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
-  display: inline;
-}
-.bootstrap-select.fit-width .dropdown-toggle .caret {
-  position: static;
-  top: auto;
-  margin-top: -1px;
-}
-.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
-  position: absolute;
-  display: inline-block;
-  right: 15px;
-  top: 5px;
-}
-.bootstrap-select.show-tick .dropdown-menu li a span.text {
-  margin-right: 34px;
-}
-.bootstrap-select .bs-ok-default:after {
-  content: '';
-  display: block;
-  width: 0.5em;
-  height: 1em;
-  border-style: solid;
-  border-width: 0 0.26em 0.26em 0;
-  -webkit-transform: rotate(45deg);
-      -ms-transform: rotate(45deg);
-       -o-transform: rotate(45deg);
-          transform: rotate(45deg);
-}
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
-  z-index: 1061;
-}
-.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
-  content: '';
-  border-left: 7px solid transparent;
-  border-right: 7px solid transparent;
-  border-bottom: 7px solid rgba(204, 204, 204, 0.2);
-  position: absolute;
-  bottom: -4px;
-  left: 9px;
-  display: none;
-}
-.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
-  content: '';
-  border-left: 6px solid transparent;
-  border-right: 6px solid transparent;
-  border-bottom: 6px solid white;
-  position: absolute;
-  bottom: -4px;
-  left: 10px;
-  display: none;
-}
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
-  bottom: auto;
-  top: -4px;
-  border-top: 7px solid rgba(50, 50, 50, 0.2);
-  border-bottom: 0;
-}
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
-  bottom: auto;
-  top: -4px;
-  border-top: 6px solid white;
-  border-bottom: 0;
-}
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
-  right: 12px;
-  left: auto;
-}
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
-  right: 13px;
-  left: auto;
-}
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
-  display: block;
-}
-.bs-searchbox,
-.bs-actionsbox,
-.bs-donebutton {
-  padding: 4px 8px;
-}
-.bs-actionsbox {
-  width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bs-actionsbox .btn-group button {
-  width: 50%;
-}
-.bs-donebutton {
-  float: left;
-  width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bs-donebutton .btn-group button {
-  width: 100%;
-}
-.bs-searchbox + .bs-actionsbox {
-  padding: 0 8px 4px;
-}
-.bs-searchbox .form-control {
-  margin-bottom: 0;
-  width: 100%;
-  float: none;
-}
-
-/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
- * Move checkmarks to left hand side of the dropdown.
- */
-.bootstrap-select .dropdown-menu > li > a {
-  padding: 3px 20px 3px 30px;
-}
-.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
-  left: 10px;
-}
-/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
index 819f88d592..bbc5c29d9a 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
@@ -1,29 +1,66 @@
 /*!
- * Bootstrap-select v1.9.3 (http://silviomoreto.github.io/bootstrap-select)
+ * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
  *
- * Copyright 2013-2015 bootstrap-select
- * Licensed under MIT (https://github.com/silviomoreto/bootstrap-select/blob/master/LICENSE)
+ * Copyright 2012-2018 SnapAppointments, LLC
+ * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
  */
 
-/* set form-control on span height, which is used by liHeight to calculate height */
-span.form-control {
-  height: 34px !important;
-  padding: 6px 12px;
+select.bs-select-hidden,
+.bootstrap-select > select.bs-select-hidden,
+select.selectpicker {
+  display: none !important;
+
 }
 .bootstrap-select {
   width: 348px \0;
   /*IE9 and below*/
 }
 .bootstrap-select > .dropdown-toggle {
+  position: relative;
   width: 100%;
-  padding-right: 25px;
+
   z-index: 1;
+  text-align: right;
+  white-space: nowrap;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
+  color: #ccc;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
+  color: rgba(0, 0, 0, 0.5);
 }
 .bootstrap-select > select {
   position: absolute !important;
   bottom: 0;
   left: 50%;
-  width: 0.11px !important;
+  display: block !important;
+  width: 0.5px !important;
   height: 100% !important;
   padding: 0 !important;
   opacity: 0 !important;
@@ -37,17 +74,24 @@ span.form-control {
   z-index: 2;
 }
 .has-error .bootstrap-select .dropdown-toggle,
-.error .bootstrap-select .dropdown-toggle {
+.error .bootstrap-select .dropdown-toggle,
+.bootstrap-select.is-invalid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
   border-color: #b94a48;
 }
+.bootstrap-select.is-valid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
+  border-color: #28a745;
+}
 .bootstrap-select.fit-width {
   width: auto !important;
 }
 .bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
   width: 348px;
 }
+.bootstrap-select > select.mobile-device:focus + .dropdown-toggle,
 .bootstrap-select .dropdown-toggle:focus {
-  outline: thin dotted #333333 !important;
+  outline: thin dotted #bbbbbb !important;
   outline: 5px auto -webkit-focus-ring-color !important;
   outline-offset: -2px;
 }
@@ -56,72 +100,120 @@ span.form-control {
   padding: 0;
   border: none;
 }
-.bootstrap-select.form-control:not([class*="col-"]) {
+:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
   width: 100%;
 }
 .bootstrap-select.form-control.input-group-btn {
   z-index: auto;
 }
-.bootstrap-select.btn-group:not(.input-group-btn),
-.bootstrap-select.btn-group[class*="col-"] {
+.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.bootstrap-select:not(.input-group-btn),
+.bootstrap-select[class*="col-"] {
   float: none;
   display: inline-block;
   margin-left: 0;
 }
-.bootstrap-select.btn-group.dropdown-menu-right,
-.bootstrap-select.btn-group[class*="col-"].dropdown-menu-right,
-.row .bootstrap-select.btn-group[class*="col-"].dropdown-menu-right {
+.bootstrap-select.dropdown-menu-right,
+.bootstrap-select[class*="col-"].dropdown-menu-right,
+.row .bootstrap-select[class*="col-"].dropdown-menu-right {
   float: right;
 }
-.form-inline .bootstrap-select.btn-group,
-.form-horizontal .bootstrap-select.btn-group,
-.form-group .bootstrap-select.btn-group {
+.form-inline .bootstrap-select,
+.form-horizontal .bootstrap-select,
+.form-group .bootstrap-select {
   margin-bottom: 0;
 }
-.form-group-lg .bootstrap-select.btn-group.form-control,
-.form-group-sm .bootstrap-select.btn-group.form-control {
+.form-group-lg .bootstrap-select.form-control,
+.form-group-sm .bootstrap-select.form-control {
   padding: 0;
 }
-.form-inline .bootstrap-select.btn-group .form-control {
+.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
+.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
+  height: 100%;
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle,
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle {
+  padding: 0.25rem 0.5rem;
+}
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  padding: 0.5rem 1rem;
+}
+.form-inline .bootstrap-select .form-control {
   width: 100%;
 }
-.bootstrap-select.btn-group.disabled,
-.bootstrap-select.btn-group > .disabled {
+.bootstrap-select.disabled,
+.bootstrap-select > .disabled {
   cursor: not-allowed;
 }
-.bootstrap-select.btn-group.disabled:focus,
-.bootstrap-select.btn-group > .disabled:focus {
+.bootstrap-select.disabled:focus,
+.bootstrap-select > .disabled:focus {
   outline: none !important;
 }
-.bootstrap-select.btn-group.bs-container {
+.bootstrap-select.bs-container {
   position: absolute;
+  top: 0;
+  left: 0;
+  height: 0 !important;
+  padding: 0 !important;
 }
-.bootstrap-select.btn-group.bs-container .dropdown-menu {
+.bootstrap-select.bs-container .dropdown-menu {
   z-index: 1060;
 }
-.bootstrap-select.btn-group .dropdown-toggle .filter-option {
+.bootstrap-select .dropdown-toggle:before {
+  content: '';
   display: inline-block;
-  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .filter-option {
+  position: absolute;
+  top: 0;
+  left: 0;
+  padding-top: inherit;
+  padding-right: inherit;
+  padding-bottom: inherit;
+  padding-left: inherit;
+  height: 100%;
   width: 100%;
   text-align: left;
 }
-.bootstrap-select.btn-group .dropdown-toggle .caret {
+.bootstrap-select .dropdown-toggle .filter-option-inner {
+  padding-right: inherit;
+}
+.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
+  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .caret {
   position: absolute;
   top: 50%;
   right: 12px;
   margin-top: -2px;
   vertical-align: middle;
 }
-.bootstrap-select.btn-group[class*="col-"] .dropdown-toggle {
+.input-group .bootstrap-select.form-control .dropdown-toggle {
+  border-radius: inherit;
+}
+.bootstrap-select[class*="col-"] .dropdown-toggle {
   width: 100%;
 }
-.bootstrap-select.btn-group .dropdown-menu {
+.bootstrap-select .dropdown-menu {
   min-width: 100%;
   -webkit-box-sizing: border-box;
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
-.bootstrap-select.btn-group .dropdown-menu.inner {
+.bootstrap-select .dropdown-menu > .inner:focus {
+  outline: none !important;
+}
+.bootstrap-select .dropdown-menu.inner {
   position: static;
   float: none;
   border: 0;
@@ -131,44 +223,44 @@ span.form-control {
   -webkit-box-shadow: none;
           box-shadow: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li {
+.bootstrap-select .dropdown-menu li {
   position: relative;
 }
-.bootstrap-select.btn-group .dropdown-menu li.active small {
-  color: #fff;
+.bootstrap-select .dropdown-menu li.active small {
+  color: rgba(255, 255, 255, 0.5) !important;
 }
-.bootstrap-select.btn-group .dropdown-menu li.disabled a {
+.bootstrap-select .dropdown-menu li.disabled a {
   cursor: not-allowed;
 }
-.bootstrap-select.btn-group .dropdown-menu li a {
+.bootstrap-select .dropdown-menu li a {
   cursor: pointer;
   -webkit-user-select: none;
-  -moz-user-select: none;
-  -ms-user-select: none;
-  user-select: none;
+     -moz-user-select: none;
+      -ms-user-select: none;
+          user-select: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li a.opt {
+.bootstrap-select .dropdown-menu li a.opt {
   position: relative;
   padding-left: 2.25em;
 }
-.bootstrap-select.btn-group .dropdown-menu li a span.check-mark {
+.bootstrap-select .dropdown-menu li a span.check-mark {
   display: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li a span.text {
+.bootstrap-select .dropdown-menu li a span.text {
   display: inline-block;
 }
-.bootstrap-select.btn-group .dropdown-menu li small {
+.bootstrap-select .dropdown-menu li small {
   padding-left: 0.5em;
 }
-.bootstrap-select.btn-group .dropdown-menu .notify {
+.bootstrap-select .dropdown-menu .notify {
   position: absolute;
   bottom: 5px;
   width: 96%;
   margin: 0 2%;
   min-height: 26px;
   padding: 3px 5px;
-  background: #f5f5f5;
-  border: 1px solid #e3e3e3;
+  background: #151515;
+  border: 1px solid #232323;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
           box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
   pointer-events: none;
@@ -177,33 +269,52 @@ span.form-control {
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
-.bootstrap-select.btn-group .no-results {
+.bootstrap-select .no-results {
   padding: 3px;
-  background: #f5f5f5;
+  background: #151515;
   margin: 0 5px;
   white-space: nowrap;
 }
-.bootstrap-select.btn-group.fit-width .dropdown-toggle .filter-option {
+.bootstrap-select.fit-width .dropdown-toggle .filter-option {
   position: static;
+  display: inline;
+  padding: 0;
+}
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
+  display: inline;
 }
-.bootstrap-select.btn-group.fit-width .dropdown-toggle .caret {
+.bootstrap-select.fit-width .dropdown-toggle .caret {
   position: static;
   top: auto;
   margin-top: -1px;
 }
-.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a span.check-mark {
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
   position: absolute;
   display: inline-block;
   right: 15px;
-  margin-top: 5px;
+  top: 5px;
 }
-.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text {
+.bootstrap-select.show-tick .dropdown-menu li a span.text {
   margin-right: 34px;
 }
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle {
+.bootstrap-select .bs-ok-default:after {
+  content: '';
+  display: block;
+  width: 0.5em;
+  height: 1em;
+  border-style: solid;
+  border-width: 0 0.26em 0.26em 0;
+  -webkit-transform: rotate(45deg);
+      -ms-transform: rotate(45deg);
+       -o-transform: rotate(45deg);
+          transform: rotate(45deg);
+}
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
   z-index: 1061;
 }
-.bootstrap-select.show-menu-arrow .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
   content: '';
   border-left: 7px solid transparent;
   border-right: 7px solid transparent;
@@ -213,7 +324,7 @@ span.form-control {
   left: 9px;
   display: none;
 }
-.bootstrap-select.show-menu-arrow .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
   content: '';
   border-left: 6px solid transparent;
   border-right: 6px solid transparent;
@@ -223,28 +334,30 @@ span.form-control {
   left: 10px;
   display: none;
 }
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
   bottom: auto;
-  top: -3px;
-  border-top: 7px solid rgba(204, 204, 204, 0.2);
+  top: -4px;
+  border-top: 7px solid rgba(50, 50, 50, 0.2);
   border-bottom: 0;
 }
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
   bottom: auto;
-  top: -3px;
+  top: -4px;
   border-top: 6px solid white;
   border-bottom: 0;
 }
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
   right: 12px;
   left: auto;
 }
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
   right: 13px;
   left: auto;
 }
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle:before,
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
   display: block;
 }
 .bs-searchbox,
@@ -279,3 +392,14 @@ span.form-control {
   width: 100%;
   float: none;
 }
+
+/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
+ * Move checkmarks to left hand side of the dropdown.
+ */
+.bootstrap-select .dropdown-menu > li > a {
+  padding: 3px 20px 3px 30px;
+}
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
+  left: 10px;
+}
+/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 54f47d87c4..58302aefc0 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-tukan
 PLUGIN_VERSION=		1.27
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select-1.13.3.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select1.scss
similarity index 100%
rename from misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select-1.13.3.scss
rename to misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select1.scss
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select-1.13.3.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select-1.13.3.css
deleted file mode 100644
index 01c6683218..0000000000
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select-1.13.3.css
+++ /dev/null
@@ -1,398 +0,0 @@
-/*!
- * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
- *
- * Copyright 2012-2018 SnapAppointments, LLC
- * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
- */
-
-select.bs-select-hidden,
-.bootstrap-select > select.bs-select-hidden,
-select.selectpicker {
-  display: none !important;
-}
-.bootstrap-select {
-  width: 348px \0;
-  /*IE9 and below*/
-}
-.bootstrap-select > .dropdown-toggle {
-  position: relative;
-  width: 100%;
-  z-index: 1;
-  text-align: right;
-  white-space: nowrap;
-}
-.bootstrap-select > .dropdown-toggle.bs-placeholder,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
-  color: #000;
-}
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
-  color: #ffffff;
-}
-.bootstrap-select > select {
-  position: absolute !important;
-  bottom: 0;
-  left: 50%;
-  display: block !important;
-  width: 0.5px !important;
-  height: 100% !important;
-  padding: 0 !important;
-  opacity: 0 !important;
-  border: none;
-}
-.bootstrap-select > select.mobile-device {
-  top: 0;
-  left: 0;
-  display: block !important;
-  width: 100% !important;
-  z-index: 2;
-}
-.has-error .bootstrap-select .dropdown-toggle,
-.error .bootstrap-select .dropdown-toggle,
-.bootstrap-select.is-invalid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
-  border-color: #b94a48;
-}
-.bootstrap-select.is-valid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
-  border-color: #28a745;
-}
-.bootstrap-select.fit-width {
-  width: auto !important;
-}
-.bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
-  width: 348px;
-}
-
-.bootstrap-select.form-control {
-  margin-bottom: 0;
-  padding: 0;
-  border: none;
-}
-:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
-  width: 100%;
-}
-.bootstrap-select.form-control.input-group-btn {
-  z-index: auto;
-}
-.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0;
-}
-.bootstrap-select:not(.input-group-btn),
-.bootstrap-select[class*="col-"] {
-  float: none;
-  display: inline-block;
-  margin-left: 0;
-}
-.bootstrap-select.dropdown-menu-right,
-.bootstrap-select[class*="col-"].dropdown-menu-right,
-.row .bootstrap-select[class*="col-"].dropdown-menu-right {
-  float: right;
-}
-.form-inline .bootstrap-select,
-.form-horizontal .bootstrap-select,
-.form-group .bootstrap-select {
-  margin-bottom: 0;
-}
-.form-group-lg .bootstrap-select.form-control,
-.form-group-sm .bootstrap-select.form-control {
-  padding: 0;
-}
-.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
-.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
-  height: 100%;
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-.bootstrap-select.form-control-sm .dropdown-toggle,
-.bootstrap-select.form-control-lg .dropdown-toggle {
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-.bootstrap-select.form-control-sm .dropdown-toggle {
-  padding: 0.25rem 0.5rem;
-}
-.bootstrap-select.form-control-lg .dropdown-toggle {
-  padding: 0.5rem 1rem;
-}
-.form-inline .bootstrap-select .form-control {
-  width: 100%;
-}
-.bootstrap-select.disabled,
-.bootstrap-select > .disabled {
-  cursor: not-allowed;
-}
-.bootstrap-select.disabled:focus,
-.bootstrap-select > .disabled:focus {
-  outline: none !important;
-}
-.bootstrap-select.bs-container {
-  position: absolute;
-  top: 0;
-  left: 0;
-  height: 0 !important;
-  padding: 0 !important;
-}
-.bootstrap-select.bs-container .dropdown-menu {
-  z-index: 1060;
-}
-.bootstrap-select .dropdown-toggle:before {
-  content: '';
-  display: inline-block;
-}
-.bootstrap-select .dropdown-toggle .filter-option {
-  position: absolute;
-  top: 0;
-  left: 0;
-  padding-top: inherit;
-  padding-right: inherit;
-  padding-bottom: inherit;
-  padding-left: inherit;
-  height: 100%;
-  width: 100%;
-  text-align: left;
-}
-.bootstrap-select .dropdown-toggle .filter-option-inner {
-  padding-right: inherit;
-}
-.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
-  overflow: hidden;
-}
-.bootstrap-select .dropdown-toggle .caret {
-  position: absolute;
-  top: 50%;
-  right: 12px;
-  margin-top: -2px;
-  vertical-align: middle;
-}
-.input-group .bootstrap-select.form-control .dropdown-toggle {
-  border-radius: inherit;
-}
-.bootstrap-select[class*="col-"] .dropdown-toggle {
-  width: 100%;
-}
-.bootstrap-select .dropdown-menu {
-  min-width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bootstrap-select .dropdown-menu > .inner:focus {
-  outline: none !important;
-}
-.bootstrap-select .dropdown-menu.inner {
-  position: static;
-  float: none;
-  border: 0;
-  padding: 0;
-  margin: 0;
-  border-radius: 0;
-  -webkit-box-shadow: none;
-          box-shadow: none;
-}
-.bootstrap-select .dropdown-menu li {
-  position: relative;
-}
-.bootstrap-select .dropdown-menu li.active small {
-  color: rgba(255, 255, 255, 0.5) !important;
-}
-.bootstrap-select .dropdown-menu li.disabled a {
-  cursor: not-allowed;
-}
-.bootstrap-select .dropdown-menu li a {
-  cursor: pointer;
-  -webkit-user-select: none;
-     -moz-user-select: none;
-      -ms-user-select: none;
-          user-select: none;
-}
-.bootstrap-select .dropdown-menu li a.opt {
-  position: relative;
-  padding-left: 2.25em;
-}
-.bootstrap-select .dropdown-menu li a span.check-mark {
-  display: none;
-}
-.bootstrap-select .dropdown-menu li a span.text {
-  display: inline-block;
-}
-.bootstrap-select .dropdown-menu li small {
-  padding-left: 0.5em;
-}
-.bootstrap-select .dropdown-menu .notify {
-  position: absolute;
-  bottom: 5px;
-  width: 96%;
-  margin: 0 2%;
-  min-height: 26px;
-  padding: 3px 5px;
-  background: #f5f5f5;
-  border: 1px solid #e3e3e3;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-          box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-  pointer-events: none;
-  opacity: 0.9;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bootstrap-select .no-results {
-  padding: 3px;
-  background: #f5f5f5;
-  margin: 0 5px;
-  white-space: nowrap;
-}
-.bootstrap-select.fit-width .dropdown-toggle .filter-option {
-  position: static;
-  display: inline;
-  padding: 0;
-}
-.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
-.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
-  display: inline;
-}
-.bootstrap-select.fit-width .dropdown-toggle .caret {
-  position: static;
-  top: auto;
-  margin-top: -1px;
-}
-.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
-  position: absolute;
-  display: inline-block;
-  right: 15px;
-  top: 5px;
-}
-.bootstrap-select.show-tick .dropdown-menu li a span.text {
-  margin-right: 34px;
-}
-.bootstrap-select .bs-ok-default:after {
-  content: '';
-  display: block;
-  width: 0.5em;
-  height: 1em;
-  border-style: solid;
-  border-width: 0 0.26em 0.26em 0;
-  -webkit-transform: rotate(45deg);
-      -ms-transform: rotate(45deg);
-       -o-transform: rotate(45deg);
-          transform: rotate(45deg);
-}
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
-  z-index: 1061;
-}
-.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
-  content: '';
-  border-left: 7px solid transparent;
-  border-right: 7px solid transparent;
-  border-bottom: 7px solid rgba(204, 204, 204, 0.2);
-  position: absolute;
-  bottom: -4px;
-  left: 9px;
-  display: none;
-}
-.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
-  content: '';
-  border-left: 6px solid transparent;
-  border-right: 6px solid transparent;
-  border-bottom: 6px solid white;
-  position: absolute;
-  bottom: -4px;
-  left: 10px;
-  display: none;
-}
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
-  bottom: auto;
-  top: -4px;
-  border-top: 7px solid rgba(204, 204, 204, 0.2);
-  border-bottom: 0;
-}
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
-  bottom: auto;
-  top: -4px;
-  border-top: 6px solid white;
-  border-bottom: 0;
-}
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
-  right: 12px;
-  left: auto;
-}
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
-  right: 13px;
-  left: auto;
-}
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
-  display: block;
-}
-.bs-searchbox,
-.bs-actionsbox,
-.bs-donebutton {
-  padding: 4px 8px;
-}
-.bs-actionsbox {
-  width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bs-actionsbox .btn-group button {
-  width: 50%;
-}
-.bs-donebutton {
-  float: left;
-  width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bs-donebutton .btn-group button {
-  width: 100%;
-}
-.bs-searchbox + .bs-actionsbox {
-  padding: 0 8px 4px;
-}
-.bs-searchbox .form-control {
-  margin-bottom: 0;
-  width: 100%;
-  float: none;
-}
-
-/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
- * Move checkmarks to left hand side of the dropdown.
- */
-.bootstrap-select .dropdown-menu > li > a {
-  padding: 3px 20px 3px 30px;
-}
-.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
-  left: 10px;
-}
-/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select.css
index 56214371e7..01c6683218 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select.css
@@ -1,29 +1,64 @@
 /*!
- * Bootstrap-select v1.9.3 (http://silviomoreto.github.io/bootstrap-select)
+ * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
  *
- * Copyright 2013-2015 bootstrap-select
- * Licensed under MIT (https://github.com/silviomoreto/bootstrap-select/blob/master/LICENSE)
+ * Copyright 2012-2018 SnapAppointments, LLC
+ * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
  */
 
-/* set form-control on span height, which is used by liHeight to calculate height */
-span.form-control {
-  height: 34px !important;
-  padding: 6px 12px;
+select.bs-select-hidden,
+.bootstrap-select > select.bs-select-hidden,
+select.selectpicker {
+  display: none !important;
 }
 .bootstrap-select {
   width: 348px \0;
   /*IE9 and below*/
 }
 .bootstrap-select > .dropdown-toggle {
+  position: relative;
   width: 100%;
-  padding-right: 25px;
   z-index: 1;
+  text-align: right;
+  white-space: nowrap;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
+  color: #000;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
+  color: #ffffff;
 }
 .bootstrap-select > select {
   position: absolute !important;
   bottom: 0;
   left: 50%;
-  width: 0.11px !important;
+  display: block !important;
+  width: 0.5px !important;
   height: 100% !important;
   padding: 0 !important;
   opacity: 0 !important;
@@ -37,133 +72,180 @@ span.form-control {
   z-index: 2;
 }
 .has-error .bootstrap-select .dropdown-toggle,
-.error .bootstrap-select .dropdown-toggle {
+.error .bootstrap-select .dropdown-toggle,
+.bootstrap-select.is-invalid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
   border-color: #b94a48;
 }
+.bootstrap-select.is-valid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
+  border-color: #28a745;
+}
 .bootstrap-select.fit-width {
   width: auto !important;
 }
 .bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
   width: 348px;
 }
-.bootstrap-select .dropdown-toggle:focus {
-  color:#FFFFFF !important;
-  outline-offset: -2px;
-}
+
 .bootstrap-select.form-control {
   margin-bottom: 0;
   padding: 0;
   border: none;
 }
-.bootstrap-select.form-control:not([class*="col-"]) {
+:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
   width: 100%;
 }
 .bootstrap-select.form-control.input-group-btn {
   z-index: auto;
 }
-.bootstrap-select.btn-group:not(.input-group-btn),
-.bootstrap-select.btn-group[class*="col-"] {
+.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.bootstrap-select:not(.input-group-btn),
+.bootstrap-select[class*="col-"] {
   float: none;
   display: inline-block;
   margin-left: 0;
 }
-.bootstrap-select.btn-group.dropdown-menu-right,
-.bootstrap-select.btn-group[class*="col-"].dropdown-menu-right,
-.row .bootstrap-select.btn-group[class*="col-"].dropdown-menu-right {
+.bootstrap-select.dropdown-menu-right,
+.bootstrap-select[class*="col-"].dropdown-menu-right,
+.row .bootstrap-select[class*="col-"].dropdown-menu-right {
   float: right;
 }
-.form-inline .bootstrap-select.btn-group,
-.form-horizontal .bootstrap-select.btn-group,
-.form-group .bootstrap-select.btn-group {
+.form-inline .bootstrap-select,
+.form-horizontal .bootstrap-select,
+.form-group .bootstrap-select {
   margin-bottom: 0;
 }
-.form-group-lg .bootstrap-select.btn-group.form-control,
-.form-group-sm .bootstrap-select.btn-group.form-control {
+.form-group-lg .bootstrap-select.form-control,
+.form-group-sm .bootstrap-select.form-control {
   padding: 0;
 }
-.form-inline .bootstrap-select.btn-group .form-control {
+.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
+.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
+  height: 100%;
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle,
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle {
+  padding: 0.25rem 0.5rem;
+}
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  padding: 0.5rem 1rem;
+}
+.form-inline .bootstrap-select .form-control {
   width: 100%;
 }
-.bootstrap-select.btn-group.disabled,
-.bootstrap-select.btn-group > .disabled {
+.bootstrap-select.disabled,
+.bootstrap-select > .disabled {
   cursor: not-allowed;
 }
-.bootstrap-select.btn-group.disabled:focus,
-.bootstrap-select.btn-group > .disabled:focus {
+.bootstrap-select.disabled:focus,
+.bootstrap-select > .disabled:focus {
   outline: none !important;
 }
-.bootstrap-select.btn-group.bs-container {
+.bootstrap-select.bs-container {
   position: absolute;
+  top: 0;
+  left: 0;
+  height: 0 !important;
+  padding: 0 !important;
 }
-.bootstrap-select.btn-group.bs-container .dropdown-menu {
+.bootstrap-select.bs-container .dropdown-menu {
   z-index: 1060;
 }
-.bootstrap-select.btn-group .dropdown-toggle .filter-option {
+.bootstrap-select .dropdown-toggle:before {
+  content: '';
   display: inline-block;
-  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .filter-option {
+  position: absolute;
+  top: 0;
+  left: 0;
+  padding-top: inherit;
+  padding-right: inherit;
+  padding-bottom: inherit;
+  padding-left: inherit;
+  height: 100%;
   width: 100%;
   text-align: left;
 }
-.bootstrap-select.btn-group .dropdown-toggle .caret {
+.bootstrap-select .dropdown-toggle .filter-option-inner {
+  padding-right: inherit;
+}
+.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
+  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .caret {
   position: absolute;
   top: 50%;
   right: 12px;
   margin-top: -2px;
   vertical-align: middle;
 }
-.bootstrap-select.btn-group[class*="col-"] .dropdown-toggle {
+.input-group .bootstrap-select.form-control .dropdown-toggle {
+  border-radius: inherit;
+}
+.bootstrap-select[class*="col-"] .dropdown-toggle {
   width: 100%;
 }
-.bootstrap-select.btn-group .dropdown-menu {
-  border-color:#1d1d1d !important;
-  -webkit-box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
-  box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
+.bootstrap-select .dropdown-menu {
   min-width: 100%;
   -webkit-box-sizing: border-box;
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
-.bootstrap-select.btn-group .dropdown-menu.inner {
+.bootstrap-select .dropdown-menu > .inner:focus {
+  outline: none !important;
+}
+.bootstrap-select .dropdown-menu.inner {
   position: static;
   float: none;
   border: 0;
   padding: 0;
   margin: 0;
   border-radius: 0;
-  min-width: 50px;
   -webkit-box-shadow: none;
           box-shadow: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li {
+.bootstrap-select .dropdown-menu li {
   position: relative;
 }
-.bootstrap-select.btn-group .dropdown-menu li.active small {
-  color: #fff;
+.bootstrap-select .dropdown-menu li.active small {
+  color: rgba(255, 255, 255, 0.5) !important;
 }
-.bootstrap-select.btn-group .dropdown-menu li.disabled a {
+.bootstrap-select .dropdown-menu li.disabled a {
   cursor: not-allowed;
 }
-.bootstrap-select.btn-group .dropdown-menu li a {
+.bootstrap-select .dropdown-menu li a {
   cursor: pointer;
   -webkit-user-select: none;
-  -moz-user-select: none;
-  -ms-user-select: none;
-  user-select: none;
+     -moz-user-select: none;
+      -ms-user-select: none;
+          user-select: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li a.opt {
+.bootstrap-select .dropdown-menu li a.opt {
   position: relative;
   padding-left: 2.25em;
 }
-.bootstrap-select.btn-group .dropdown-menu li a span.check-mark {
+.bootstrap-select .dropdown-menu li a span.check-mark {
   display: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li a span.text {
+.bootstrap-select .dropdown-menu li a span.text {
   display: inline-block;
 }
-.bootstrap-select.btn-group .dropdown-menu li small {
+.bootstrap-select .dropdown-menu li small {
   padding-left: 0.5em;
 }
-.bootstrap-select.btn-group .dropdown-menu .notify {
+.bootstrap-select .dropdown-menu .notify {
   position: absolute;
   bottom: 5px;
   width: 96%;
@@ -180,33 +262,52 @@ span.form-control {
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
-.bootstrap-select.btn-group .no-results {
+.bootstrap-select .no-results {
   padding: 3px;
   background: #f5f5f5;
   margin: 0 5px;
   white-space: nowrap;
 }
-.bootstrap-select.btn-group.fit-width .dropdown-toggle .filter-option {
+.bootstrap-select.fit-width .dropdown-toggle .filter-option {
   position: static;
+  display: inline;
+  padding: 0;
+}
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
+  display: inline;
 }
-.bootstrap-select.btn-group.fit-width .dropdown-toggle .caret {
+.bootstrap-select.fit-width .dropdown-toggle .caret {
   position: static;
   top: auto;
   margin-top: -1px;
 }
-.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a span.check-mark {
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
   position: absolute;
   display: inline-block;
   right: 15px;
-  margin-top: 5px;
+  top: 5px;
 }
-.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text {
+.bootstrap-select.show-tick .dropdown-menu li a span.text {
   margin-right: 34px;
 }
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle {
+.bootstrap-select .bs-ok-default:after {
+  content: '';
+  display: block;
+  width: 0.5em;
+  height: 1em;
+  border-style: solid;
+  border-width: 0 0.26em 0.26em 0;
+  -webkit-transform: rotate(45deg);
+      -ms-transform: rotate(45deg);
+       -o-transform: rotate(45deg);
+          transform: rotate(45deg);
+}
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
   z-index: 1061;
 }
-.bootstrap-select.show-menu-arrow .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
   content: '';
   border-left: 7px solid transparent;
   border-right: 7px solid transparent;
@@ -216,7 +317,7 @@ span.form-control {
   left: 9px;
   display: none;
 }
-.bootstrap-select.show-menu-arrow .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
   content: '';
   border-left: 6px solid transparent;
   border-right: 6px solid transparent;
@@ -226,28 +327,30 @@ span.form-control {
   left: 10px;
   display: none;
 }
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
   bottom: auto;
-  top: -3px;
+  top: -4px;
   border-top: 7px solid rgba(204, 204, 204, 0.2);
   border-bottom: 0;
 }
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
   bottom: auto;
-  top: -3px;
+  top: -4px;
   border-top: 6px solid white;
   border-bottom: 0;
 }
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
   right: 12px;
   left: auto;
 }
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
   right: 13px;
   left: auto;
 }
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle:before,
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
   display: block;
 }
 .bs-searchbox,
@@ -282,3 +385,14 @@ span.form-control {
   width: 100%;
   float: none;
 }
+
+/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
+ * Move checkmarks to left hand side of the dropdown.
+ */
+.bootstrap-select .dropdown-menu > li > a {
+  padding: 3px 20px 3px 30px;
+}
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
+  left: 10px;
+}
+/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index c6ef6b2acd..967d22e13b 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-vicuna
 PLUGIN_VERSION=		1.45
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select-1.13.3.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select1.scss
similarity index 100%
rename from misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select-1.13.3.scss
rename to misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select1.scss
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select-1.13.3.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select-1.13.3.css
deleted file mode 100644
index d8cfa48d25..0000000000
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select-1.13.3.css
+++ /dev/null
@@ -1,398 +0,0 @@
-/*!
- * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
- *
- * Copyright 2012-2018 SnapAppointments, LLC
- * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
- */
-
-select.bs-select-hidden,
-.bootstrap-select > select.bs-select-hidden,
-select.selectpicker {
-  display: none !important;
-}
-.bootstrap-select {
-  width: 348px \0;
-  /*IE9 and below*/
-}
-.bootstrap-select > .dropdown-toggle {
-  position: relative;
-  width: 100%;
-  z-index: 1;
-  text-align: right;
-  white-space: nowrap;
-}
-.bootstrap-select > .dropdown-toggle.bs-placeholder,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
-  color: #fff;
-}
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
-  color: #ffffff;
-}
-.bootstrap-select > select {
-  position: absolute !important;
-  bottom: 0;
-  left: 50%;
-  display: block !important;
-  width: 0.5px !important;
-  height: 100% !important;
-  padding: 0 !important;
-  opacity: 0 !important;
-  border: none;
-}
-.bootstrap-select > select.mobile-device {
-  top: 0;
-  left: 0;
-  display: block !important;
-  width: 100% !important;
-  z-index: 2;
-}
-.has-error .bootstrap-select .dropdown-toggle,
-.error .bootstrap-select .dropdown-toggle,
-.bootstrap-select.is-invalid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
-  border-color: #b94a48;
-}
-.bootstrap-select.is-valid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
-  border-color: #28a745;
-}
-.bootstrap-select.fit-width {
-  width: auto !important;
-}
-.bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
-  width: 348px;
-}
-
-.bootstrap-select.form-control {
-  margin-bottom: 0;
-  padding: 0;
-  border: none;
-}
-:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
-  width: 100%;
-}
-.bootstrap-select.form-control.input-group-btn {
-  z-index: auto;
-}
-.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0;
-}
-.bootstrap-select:not(.input-group-btn),
-.bootstrap-select[class*="col-"] {
-  float: none;
-  display: inline-block;
-  margin-left: 0;
-}
-.bootstrap-select.dropdown-menu-right,
-.bootstrap-select[class*="col-"].dropdown-menu-right,
-.row .bootstrap-select[class*="col-"].dropdown-menu-right {
-  float: right;
-}
-.form-inline .bootstrap-select,
-.form-horizontal .bootstrap-select,
-.form-group .bootstrap-select {
-  margin-bottom: 0;
-}
-.form-group-lg .bootstrap-select.form-control,
-.form-group-sm .bootstrap-select.form-control {
-  padding: 0;
-}
-.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
-.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
-  height: 100%;
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-.bootstrap-select.form-control-sm .dropdown-toggle,
-.bootstrap-select.form-control-lg .dropdown-toggle {
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-.bootstrap-select.form-control-sm .dropdown-toggle {
-  padding: 0.25rem 0.5rem;
-}
-.bootstrap-select.form-control-lg .dropdown-toggle {
-  padding: 0.5rem 1rem;
-}
-.form-inline .bootstrap-select .form-control {
-  width: 100%;
-}
-.bootstrap-select.disabled,
-.bootstrap-select > .disabled {
-  cursor: not-allowed;
-}
-.bootstrap-select.disabled:focus,
-.bootstrap-select > .disabled:focus {
-  outline: none !important;
-}
-.bootstrap-select.bs-container {
-  position: absolute;
-  top: 0;
-  left: 0;
-  height: 0 !important;
-  padding: 0 !important;
-}
-.bootstrap-select.bs-container .dropdown-menu {
-  z-index: 1060;
-}
-.bootstrap-select .dropdown-toggle:before {
-  content: '';
-  display: inline-block;
-}
-.bootstrap-select .dropdown-toggle .filter-option {
-  position: absolute;
-  top: 0;
-  left: 0;
-  padding-top: inherit;
-  padding-right: inherit;
-  padding-bottom: inherit;
-  padding-left: inherit;
-  height: 100%;
-  width: 100%;
-  text-align: left;
-}
-.bootstrap-select .dropdown-toggle .filter-option-inner {
-  padding-right: inherit;
-}
-.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
-  overflow: hidden;
-}
-.bootstrap-select .dropdown-toggle .caret {
-  position: absolute;
-  top: 50%;
-  right: 12px;
-  margin-top: -2px;
-  vertical-align: middle;
-}
-.input-group .bootstrap-select.form-control .dropdown-toggle {
-  border-radius: inherit;
-}
-.bootstrap-select[class*="col-"] .dropdown-toggle {
-  width: 100%;
-}
-.bootstrap-select .dropdown-menu {
-  min-width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bootstrap-select .dropdown-menu > .inner:focus {
-  outline: none !important;
-}
-.bootstrap-select .dropdown-menu.inner {
-  position: static;
-  float: none;
-  border: 0;
-  padding: 0;
-  margin: 0;
-  border-radius: 0;
-  -webkit-box-shadow: none;
-          box-shadow: none;
-}
-.bootstrap-select .dropdown-menu li {
-  position: relative;
-}
-.bootstrap-select .dropdown-menu li.active small {
-  color: rgba(255, 255, 255, 0.5) !important;
-}
-.bootstrap-select .dropdown-menu li.disabled a {
-  cursor: not-allowed;
-}
-.bootstrap-select .dropdown-menu li a {
-  cursor: pointer;
-  -webkit-user-select: none;
-     -moz-user-select: none;
-      -ms-user-select: none;
-          user-select: none;
-}
-.bootstrap-select .dropdown-menu li a.opt {
-  position: relative;
-  padding-left: 2.25em;
-}
-.bootstrap-select .dropdown-menu li a span.check-mark {
-  display: none;
-}
-.bootstrap-select .dropdown-menu li a span.text {
-  display: inline-block;
-}
-.bootstrap-select .dropdown-menu li small {
-  padding-left: 0.5em;
-}
-.bootstrap-select .dropdown-menu .notify {
-  position: absolute;
-  bottom: 5px;
-  width: 96%;
-  margin: 0 2%;
-  min-height: 26px;
-  padding: 3px 5px;
-  background: #f5f5f5;
-  border: 1px solid #e3e3e3;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-          box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-  pointer-events: none;
-  opacity: 0.9;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bootstrap-select .no-results {
-  padding: 3px;
-  background: #f5f5f5;
-  margin: 0 5px;
-  white-space: nowrap;
-}
-.bootstrap-select.fit-width .dropdown-toggle .filter-option {
-  position: static;
-  display: inline;
-  padding: 0;
-}
-.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
-.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
-  display: inline;
-}
-.bootstrap-select.fit-width .dropdown-toggle .caret {
-  position: static;
-  top: auto;
-  margin-top: -1px;
-}
-.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
-  position: absolute;
-  display: inline-block;
-  right: 15px;
-  top: 5px;
-}
-.bootstrap-select.show-tick .dropdown-menu li a span.text {
-  margin-right: 34px;
-}
-.bootstrap-select .bs-ok-default:after {
-  content: '';
-  display: block;
-  width: 0.5em;
-  height: 1em;
-  border-style: solid;
-  border-width: 0 0.26em 0.26em 0;
-  -webkit-transform: rotate(45deg);
-      -ms-transform: rotate(45deg);
-       -o-transform: rotate(45deg);
-          transform: rotate(45deg);
-}
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
-  z-index: 1061;
-}
-.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
-  content: '';
-  border-left: 7px solid transparent;
-  border-right: 7px solid transparent;
-  border-bottom: 7px solid rgba(204, 204, 204, 0.2);
-  position: absolute;
-  bottom: -4px;
-  left: 9px;
-  display: none;
-}
-.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
-  content: '';
-  border-left: 6px solid transparent;
-  border-right: 6px solid transparent;
-  border-bottom: 6px solid white;
-  position: absolute;
-  bottom: -4px;
-  left: 10px;
-  display: none;
-}
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
-  bottom: auto;
-  top: -4px;
-  border-top: 7px solid rgba(204, 204, 204, 0.2);
-  border-bottom: 0;
-}
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
-  bottom: auto;
-  top: -4px;
-  border-top: 6px solid white;
-  border-bottom: 0;
-}
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
-  right: 12px;
-  left: auto;
-}
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
-  right: 13px;
-  left: auto;
-}
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
-  display: block;
-}
-.bs-searchbox,
-.bs-actionsbox,
-.bs-donebutton {
-  padding: 4px 8px;
-}
-.bs-actionsbox {
-  width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bs-actionsbox .btn-group button {
-  width: 50%;
-}
-.bs-donebutton {
-  float: left;
-  width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bs-donebutton .btn-group button {
-  width: 100%;
-}
-.bs-searchbox + .bs-actionsbox {
-  padding: 0 8px 4px;
-}
-.bs-searchbox .form-control {
-  margin-bottom: 0;
-  width: 100%;
-  float: none;
-}
-
-/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
- * Move checkmarks to left hand side of the dropdown.
- */
-.bootstrap-select .dropdown-menu > li > a {
-  padding: 3px 20px 3px 30px;
-}
-.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
-  left: 10px;
-}
-/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select.css
index 56214371e7..d8cfa48d25 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select.css
@@ -1,29 +1,64 @@
 /*!
- * Bootstrap-select v1.9.3 (http://silviomoreto.github.io/bootstrap-select)
+ * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
  *
- * Copyright 2013-2015 bootstrap-select
- * Licensed under MIT (https://github.com/silviomoreto/bootstrap-select/blob/master/LICENSE)
+ * Copyright 2012-2018 SnapAppointments, LLC
+ * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
  */
 
-/* set form-control on span height, which is used by liHeight to calculate height */
-span.form-control {
-  height: 34px !important;
-  padding: 6px 12px;
+select.bs-select-hidden,
+.bootstrap-select > select.bs-select-hidden,
+select.selectpicker {
+  display: none !important;
 }
 .bootstrap-select {
   width: 348px \0;
   /*IE9 and below*/
 }
 .bootstrap-select > .dropdown-toggle {
+  position: relative;
   width: 100%;
-  padding-right: 25px;
   z-index: 1;
+  text-align: right;
+  white-space: nowrap;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
+  color: #fff;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
+  color: #ffffff;
 }
 .bootstrap-select > select {
   position: absolute !important;
   bottom: 0;
   left: 50%;
-  width: 0.11px !important;
+  display: block !important;
+  width: 0.5px !important;
   height: 100% !important;
   padding: 0 !important;
   opacity: 0 !important;
@@ -37,133 +72,180 @@ span.form-control {
   z-index: 2;
 }
 .has-error .bootstrap-select .dropdown-toggle,
-.error .bootstrap-select .dropdown-toggle {
+.error .bootstrap-select .dropdown-toggle,
+.bootstrap-select.is-invalid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
   border-color: #b94a48;
 }
+.bootstrap-select.is-valid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
+  border-color: #28a745;
+}
 .bootstrap-select.fit-width {
   width: auto !important;
 }
 .bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
   width: 348px;
 }
-.bootstrap-select .dropdown-toggle:focus {
-  color:#FFFFFF !important;
-  outline-offset: -2px;
-}
+
 .bootstrap-select.form-control {
   margin-bottom: 0;
   padding: 0;
   border: none;
 }
-.bootstrap-select.form-control:not([class*="col-"]) {
+:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
   width: 100%;
 }
 .bootstrap-select.form-control.input-group-btn {
   z-index: auto;
 }
-.bootstrap-select.btn-group:not(.input-group-btn),
-.bootstrap-select.btn-group[class*="col-"] {
+.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.bootstrap-select:not(.input-group-btn),
+.bootstrap-select[class*="col-"] {
   float: none;
   display: inline-block;
   margin-left: 0;
 }
-.bootstrap-select.btn-group.dropdown-menu-right,
-.bootstrap-select.btn-group[class*="col-"].dropdown-menu-right,
-.row .bootstrap-select.btn-group[class*="col-"].dropdown-menu-right {
+.bootstrap-select.dropdown-menu-right,
+.bootstrap-select[class*="col-"].dropdown-menu-right,
+.row .bootstrap-select[class*="col-"].dropdown-menu-right {
   float: right;
 }
-.form-inline .bootstrap-select.btn-group,
-.form-horizontal .bootstrap-select.btn-group,
-.form-group .bootstrap-select.btn-group {
+.form-inline .bootstrap-select,
+.form-horizontal .bootstrap-select,
+.form-group .bootstrap-select {
   margin-bottom: 0;
 }
-.form-group-lg .bootstrap-select.btn-group.form-control,
-.form-group-sm .bootstrap-select.btn-group.form-control {
+.form-group-lg .bootstrap-select.form-control,
+.form-group-sm .bootstrap-select.form-control {
   padding: 0;
 }
-.form-inline .bootstrap-select.btn-group .form-control {
+.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
+.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
+  height: 100%;
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle,
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle {
+  padding: 0.25rem 0.5rem;
+}
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  padding: 0.5rem 1rem;
+}
+.form-inline .bootstrap-select .form-control {
   width: 100%;
 }
-.bootstrap-select.btn-group.disabled,
-.bootstrap-select.btn-group > .disabled {
+.bootstrap-select.disabled,
+.bootstrap-select > .disabled {
   cursor: not-allowed;
 }
-.bootstrap-select.btn-group.disabled:focus,
-.bootstrap-select.btn-group > .disabled:focus {
+.bootstrap-select.disabled:focus,
+.bootstrap-select > .disabled:focus {
   outline: none !important;
 }
-.bootstrap-select.btn-group.bs-container {
+.bootstrap-select.bs-container {
   position: absolute;
+  top: 0;
+  left: 0;
+  height: 0 !important;
+  padding: 0 !important;
 }
-.bootstrap-select.btn-group.bs-container .dropdown-menu {
+.bootstrap-select.bs-container .dropdown-menu {
   z-index: 1060;
 }
-.bootstrap-select.btn-group .dropdown-toggle .filter-option {
+.bootstrap-select .dropdown-toggle:before {
+  content: '';
   display: inline-block;
-  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .filter-option {
+  position: absolute;
+  top: 0;
+  left: 0;
+  padding-top: inherit;
+  padding-right: inherit;
+  padding-bottom: inherit;
+  padding-left: inherit;
+  height: 100%;
   width: 100%;
   text-align: left;
 }
-.bootstrap-select.btn-group .dropdown-toggle .caret {
+.bootstrap-select .dropdown-toggle .filter-option-inner {
+  padding-right: inherit;
+}
+.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
+  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .caret {
   position: absolute;
   top: 50%;
   right: 12px;
   margin-top: -2px;
   vertical-align: middle;
 }
-.bootstrap-select.btn-group[class*="col-"] .dropdown-toggle {
+.input-group .bootstrap-select.form-control .dropdown-toggle {
+  border-radius: inherit;
+}
+.bootstrap-select[class*="col-"] .dropdown-toggle {
   width: 100%;
 }
-.bootstrap-select.btn-group .dropdown-menu {
-  border-color:#1d1d1d !important;
-  -webkit-box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
-  box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
+.bootstrap-select .dropdown-menu {
   min-width: 100%;
   -webkit-box-sizing: border-box;
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
-.bootstrap-select.btn-group .dropdown-menu.inner {
+.bootstrap-select .dropdown-menu > .inner:focus {
+  outline: none !important;
+}
+.bootstrap-select .dropdown-menu.inner {
   position: static;
   float: none;
   border: 0;
   padding: 0;
   margin: 0;
   border-radius: 0;
-  min-width: 50px;
   -webkit-box-shadow: none;
           box-shadow: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li {
+.bootstrap-select .dropdown-menu li {
   position: relative;
 }
-.bootstrap-select.btn-group .dropdown-menu li.active small {
-  color: #fff;
+.bootstrap-select .dropdown-menu li.active small {
+  color: rgba(255, 255, 255, 0.5) !important;
 }
-.bootstrap-select.btn-group .dropdown-menu li.disabled a {
+.bootstrap-select .dropdown-menu li.disabled a {
   cursor: not-allowed;
 }
-.bootstrap-select.btn-group .dropdown-menu li a {
+.bootstrap-select .dropdown-menu li a {
   cursor: pointer;
   -webkit-user-select: none;
-  -moz-user-select: none;
-  -ms-user-select: none;
-  user-select: none;
+     -moz-user-select: none;
+      -ms-user-select: none;
+          user-select: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li a.opt {
+.bootstrap-select .dropdown-menu li a.opt {
   position: relative;
   padding-left: 2.25em;
 }
-.bootstrap-select.btn-group .dropdown-menu li a span.check-mark {
+.bootstrap-select .dropdown-menu li a span.check-mark {
   display: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li a span.text {
+.bootstrap-select .dropdown-menu li a span.text {
   display: inline-block;
 }
-.bootstrap-select.btn-group .dropdown-menu li small {
+.bootstrap-select .dropdown-menu li small {
   padding-left: 0.5em;
 }
-.bootstrap-select.btn-group .dropdown-menu .notify {
+.bootstrap-select .dropdown-menu .notify {
   position: absolute;
   bottom: 5px;
   width: 96%;
@@ -180,33 +262,52 @@ span.form-control {
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
-.bootstrap-select.btn-group .no-results {
+.bootstrap-select .no-results {
   padding: 3px;
   background: #f5f5f5;
   margin: 0 5px;
   white-space: nowrap;
 }
-.bootstrap-select.btn-group.fit-width .dropdown-toggle .filter-option {
+.bootstrap-select.fit-width .dropdown-toggle .filter-option {
   position: static;
+  display: inline;
+  padding: 0;
+}
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
+  display: inline;
 }
-.bootstrap-select.btn-group.fit-width .dropdown-toggle .caret {
+.bootstrap-select.fit-width .dropdown-toggle .caret {
   position: static;
   top: auto;
   margin-top: -1px;
 }
-.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a span.check-mark {
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
   position: absolute;
   display: inline-block;
   right: 15px;
-  margin-top: 5px;
+  top: 5px;
 }
-.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text {
+.bootstrap-select.show-tick .dropdown-menu li a span.text {
   margin-right: 34px;
 }
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle {
+.bootstrap-select .bs-ok-default:after {
+  content: '';
+  display: block;
+  width: 0.5em;
+  height: 1em;
+  border-style: solid;
+  border-width: 0 0.26em 0.26em 0;
+  -webkit-transform: rotate(45deg);
+      -ms-transform: rotate(45deg);
+       -o-transform: rotate(45deg);
+          transform: rotate(45deg);
+}
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
   z-index: 1061;
 }
-.bootstrap-select.show-menu-arrow .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
   content: '';
   border-left: 7px solid transparent;
   border-right: 7px solid transparent;
@@ -216,7 +317,7 @@ span.form-control {
   left: 9px;
   display: none;
 }
-.bootstrap-select.show-menu-arrow .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
   content: '';
   border-left: 6px solid transparent;
   border-right: 6px solid transparent;
@@ -226,28 +327,30 @@ span.form-control {
   left: 10px;
   display: none;
 }
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
   bottom: auto;
-  top: -3px;
+  top: -4px;
   border-top: 7px solid rgba(204, 204, 204, 0.2);
   border-bottom: 0;
 }
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
   bottom: auto;
-  top: -3px;
+  top: -4px;
   border-top: 6px solid white;
   border-bottom: 0;
 }
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
   right: 12px;
   left: auto;
 }
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
   right: 13px;
   left: auto;
 }
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle:before,
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
   display: block;
 }
 .bs-searchbox,
@@ -282,3 +385,14 @@ span.form-control {
   width: 100%;
   float: none;
 }
+
+/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
+ * Move checkmarks to left hand side of the dropdown.
+ */
+.bootstrap-select .dropdown-menu > li > a {
+  padding: 3px 20px 3px 30px;
+}
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
+  left: 10px;
+}
+/* End OPNsense edit to fix #2612. */

From 0ce2b67e52c790bbc81c1a7852d101cf2a3ec4c6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Sep 2023 19:47:39 +0200
Subject: [PATCH 1585/3088] security/clamav: consistency in spelling

PR: https://github.com/opnsense/lang/issues/62
---
 .../mvc/app/controllers/OPNsense/ClamAV/forms/general.xml       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
index 0bc9d75bbf..aa7841f34d 100644
--- a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
+++ b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
@@ -121,7 +121,7 @@
         <id>general.scanhtml</id>
         <label>Scan HTML</label>
         <type>checkbox</type>
-        <help>Perform HTML normalisation and decryption of MS Script Encoder code.</help>
+        <help>Perform HTML normalization and decryption of MS Script Encoder code.</help>
     </field>
     <field>
         <id>general.scanarchive</id>

From 9787d508064bc4ab6de70aed1a190beaea606e64 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 26 Sep 2023 20:55:17 +0200
Subject: [PATCH 1586/3088] net/wireguard - offer CARP vhid tracking support,
 closes https://github.com/opnsense/plugins/issues/3579

When the the selected vhid is in BACKUP or INIT mode, the wireguard interface in question will be set to "down", in which case communication stops and the new master may take over. The advantage of this strategy is that switching is relatively quick as only the interface flag need to be changed.
---
 net/wireguard/Makefile                        |  2 +-
 net/wireguard/pkg-descr                       |  4 ++
 .../src/etc/rc.syshook.d/carp/20-wireguard    |  3 +
 .../forms/dialogEditWireguardServer.xml       |  7 +++
 .../app/models/OPNsense/Wireguard/Server.xml  |  5 ++
 .../views/OPNsense/Wireguard/diagnostics.volt |  1 +
 .../scripts/Wireguard/wg-service-control.php  | 58 +++++++++++++++++--
 .../src/opnsense/scripts/Wireguard/wg_show.py |  8 +++
 8 files changed, 81 insertions(+), 7 deletions(-)
 create mode 100755 net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 4092c7e067..4bbfb22475 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		2.1
+PLUGIN_VERSION=		2.2
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 97bd55ffcc..1b9ba24a00 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+2.2
+
+* add vhid (carp) tracking support
+
 2.1
 
 * Only reload when interface configuration did not change
diff --git a/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard b/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
new file mode 100755
index 0000000000..d8337b6bfb
--- /dev/null
+++ b/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+configctl -dq wireguard configure
\ No newline at end of file
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
index eff1f9504c..04bb1a71bd 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
@@ -59,6 +59,13 @@
         <allownew>true</allownew>
         <help>List of addresses to configure on the tunnel adapter. Please use CIDR notation like 10.0.0.1/24.</help>
     </field>
+    <field>
+        <id>server.carp_depend_on</id>
+        <label>Depend on (carp)</label>
+        <type>dropdown</type>
+        <help>The carp VHID to depend on, when this virtual address is not in master state,
+        the instance will be shutdown.</help>
+    </field>
     <field>
         <id>server.peers</id>
         <label>Peers</label>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 1dfada39e1..fe738e8af0 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -59,6 +59,11 @@
                 <gateway type="NetworkField">
                     <Required>N</Required>
                 </gateway>
+                <carp_depend_on type="VirtualIPField">
+                    <type>carp</type>
+                    <Required>N</Required>
+                    <key>mvc</key>
+                </carp_depend_on>
                 <peers type="ModelRelationField">
                     <Model>
                         <template>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
index dc97ad14a5..a8d870f839 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
@@ -82,6 +82,7 @@
              <tr>
                  <th data-column-id="if" data-type="string" data-width="8em">{{ lang._('Interface') }}</th>
                  <th data-column-id="type" data-type="string" data-width="8em" data-visible="false">{{ lang._('Type') }}</th>
+                 <th data-column-id="status" data-type="string" data-width="8em" >{{ lang._('Status') }}</th>
                  <th data-column-id="public-key" data-type="string" data-identifier="true">{{ lang._('Public key') }}</th>
                  <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                  <th data-column-id="endpoint" data-type="string">{{ lang._('Port / Endpoint') }}</th>
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 6ba6eaab57..9e56b04050 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -31,10 +31,35 @@
 require_once('util.inc');
 require_once('interfaces.inc');
 
+/**
+ * collect carp status per vhid
+ */
+function get_vhid_status()
+{
+    $vhids = [];
+    $uuids = [];
+    foreach ((new OPNsense\Interfaces\Vip())->vip->iterateItems() as $id => $item) {
+        if ($item->mode == 'carp') {
+            $uuids[(string)$item->vhid] =  $id;
+        }
+    }
+    foreach (legacy_interfaces_details() as $ifdata) {
+        if (!empty($ifdata['carp'])) {
+            foreach ($ifdata['carp'] as $data) {
+                if (isset($uuids[$data['vhid']])) {
+                    $vhids[$uuids[$data['vhid']]] = $data['status'];
+                }
+            }
+        }
+    }
+    return $vhids;
+}
+
+
 /**
  * mimic wg-quick behaviour, but bound to our config
  */
-function wg_start($server, $fhandle)
+function wg_start($server, $fhandle, $ifcfgflag='up')
 {
     if (!does_interface_exist($server->interface)) {
         mwexecf('/sbin/ifconfig wg create name %s', [$server->interface]);
@@ -49,7 +74,7 @@ function wg_start($server, $fhandle)
     if (!empty((string)$server->mtu)) {
         mwexecf('/sbin/ifconfig %s mtu %s', [$server->interface, $server->mtu]);
     }
-    mwexecf('/sbin/ifconfig %s up', [$server->interface]);
+    mwexecf('/sbin/ifconfig %s %s', [$server->interface, $ifcfgflag]);
 
     if (empty((string)$server->disableroutes)) {
         /**
@@ -161,6 +186,8 @@ function get_stat_hash($fhandle)
 
     $server_devs = [];
     if (!empty((string)(new OPNsense\Wireguard\General())->enabled)) {
+        $ifdetails = legacy_interfaces_details();
+        $vhids = get_vhid_status();
         foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
             if (empty((string)$node->enabled)) {
                 continue;
@@ -168,6 +195,19 @@ function get_stat_hash($fhandle)
             if ($server_id != null && $key != $server_id) {
                 continue;
             }
+            /**
+             * CARP may influence the interface status (up or down).
+             * In order to fluently switch between roles, one should only have to change the interface flag in this
+             * case, which means we can still reconfigure an interface in the usual way and just omit sending traffic
+             * when in BACKUP or INIT mode.
+             */
+            $carp_if_flag = 'up';
+            if (
+                !empty($vhids[(string)$node->carp_depend_on]) &&
+                $vhids[(string)$node->carp_depend_on] != 'MASTER'
+            ) {
+                $carp_if_flag = 'down';
+            }
             $server_devs[] = (string)$node->interface;
             $statHandle = fopen($node->statFilename, "a+");
             if (flock($statHandle, LOCK_EX)) {
@@ -176,16 +216,16 @@ function get_stat_hash($fhandle)
                         wg_stop($node);
                         break;
                     case 'start':
-                        wg_start($node, $statHandle);
+                        wg_start($node, $statHandle, $carp_if_flag);
                         break;
                     case 'restart':
                         wg_stop($node);
-                        wg_start($node, $statHandle);
+                        wg_start($node, $statHandle, $carp_if_flag);
                         break;
                     case 'configure':
                         if (
                             @md5_file($node->cnfFilename) != get_stat_hash($statHandle)['file'] ||
-                            !does_interface_exist((string)$node->interface)
+                            !isset($ifdetails[(string)$node->interface])
                         ) {
                             if (get_stat_hash($statHandle)['interface'] != wg_reconfigure_hash($node)) {
                                 // Fluent reloading not supported for this instance, make sure the user is informed
@@ -196,7 +236,13 @@ function get_stat_hash($fhandle)
                                 );
                                 wg_stop($node);
                             }
-                            wg_start($node, $statHandle);
+                            wg_start($node, $statHandle, $carp_if_flag);
+                        } else {
+                            // when triggered via a CARP event, check our interface status [UP|DOWN]
+                            $tmp = in_array('up', $ifdetails[(string)$node->interface]['flags']) ? 'up' : 'down';
+                            if ($tmp !=  $carp_if_flag) {
+                                mwexecf('/sbin/ifconfig %s %s', [$node->interface, $carp_if_flag]);
+                            }
                         }
                         break;
                 }
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py b/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
index 6cfa6c4bcc..987efb4433 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
@@ -28,6 +28,13 @@
 import subprocess
 import ujson
 
+
+interfaces = {}
+for line in subprocess.run(['/sbin/ifconfig'], capture_output=True, text=True).stdout.split("\n"):
+    if not line.startswith('\t') and line.find('<') > -1:
+        ifname = line.split(':')[0]
+        interfaces[ifname] = 'up' if 'UP' in line.split('<')[1].split('>')[0].split(',') else 'down'
+
 sp = subprocess.run(['/usr/bin/wg', 'show', 'all', 'dump'], capture_output=True, text=True)
 result = {'records': []}
 if sp.returncode == 0:
@@ -44,6 +51,7 @@
             record['fwmark'] = parts[4]
             # convenience, copy listen-port to endpoint
             record['endpoint'] = parts[3]
+            record['status'] = interfaces.get(record['if'], 'down')
         elif len(parts) == 9:
             record['type'] = 'peer'
             record['public-key'] = parts[1]

From 415d43cd7f8cd89c7f9ec26411b2fd4b82200341 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 28 Sep 2023 17:07:41 +0200
Subject: [PATCH 1587/3088] net/wireguard: small style update

---
 net/wireguard/pkg-descr                                      | 2 +-
 net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard         | 2 +-
 .../OPNsense/Wireguard/forms/dialogEditWireguardServer.xml   | 5 ++---
 .../src/opnsense/scripts/Wireguard/wg-service-control.php    | 2 +-
 4 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 1b9ba24a00..71b66866a0 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -18,7 +18,7 @@ Changelog
 
 2.2
 
-* add vhid (carp) tracking support
+* Add VHID (CARP) tracking support
 
 2.1
 
diff --git a/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard b/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
index d8337b6bfb..8c69f6f959 100755
--- a/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
+++ b/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
@@ -1,3 +1,3 @@
 #!/bin/sh
 
-configctl -dq wireguard configure
\ No newline at end of file
+configctl -dq wireguard configure
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
index 04bb1a71bd..8c9b757619 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
@@ -61,10 +61,9 @@
     </field>
     <field>
         <id>server.carp_depend_on</id>
-        <label>Depend on (carp)</label>
+        <label>Depend on (CARP)</label>
         <type>dropdown</type>
-        <help>The carp VHID to depend on, when this virtual address is not in master state,
-        the instance will be shutdown.</help>
+        <help>The CARP VHID to depend on. When this virtual address is not in master state, then the instance will be shutdown.</help>
     </field>
     <field>
         <id>server.peers</id>
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 9e56b04050..e51e05a07a 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -59,7 +59,7 @@ function get_vhid_status()
 /**
  * mimic wg-quick behaviour, but bound to our config
  */
-function wg_start($server, $fhandle, $ifcfgflag='up')
+function wg_start($server, $fhandle, $ifcfgflag = 'up')
 {
     if (!does_interface_exist($server->interface)) {
         mwexecf('/sbin/ifconfig wg create name %s', [$server->interface]);

From a6bc27b242c6768566cb29b2ce32d28b376bffe6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 28 Sep 2023 17:19:13 +0200
Subject: [PATCH 1588/3088] misc: drop spurious "bootstrap-select1" files

---
 .../cicada/build/css/bootstrap-select1.css    | 398 ---------------
 .../assets/stylesheets/bootstrap-select1.scss | 468 ------------------
 .../assets/stylesheets/bootstrap-select1.scss | 468 ------------------
 3 files changed, 1334 deletions(-)
 delete mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select1.css
 delete mode 100644 misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select1.scss
 delete mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select1.scss

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select1.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select1.css
deleted file mode 100644
index d8cfa48d25..0000000000
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select1.css
+++ /dev/null
@@ -1,398 +0,0 @@
-/*!
- * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
- *
- * Copyright 2012-2018 SnapAppointments, LLC
- * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
- */
-
-select.bs-select-hidden,
-.bootstrap-select > select.bs-select-hidden,
-select.selectpicker {
-  display: none !important;
-}
-.bootstrap-select {
-  width: 348px \0;
-  /*IE9 and below*/
-}
-.bootstrap-select > .dropdown-toggle {
-  position: relative;
-  width: 100%;
-  z-index: 1;
-  text-align: right;
-  white-space: nowrap;
-}
-.bootstrap-select > .dropdown-toggle.bs-placeholder,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
-  color: #fff;
-}
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
-.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
-  color: #ffffff;
-}
-.bootstrap-select > select {
-  position: absolute !important;
-  bottom: 0;
-  left: 50%;
-  display: block !important;
-  width: 0.5px !important;
-  height: 100% !important;
-  padding: 0 !important;
-  opacity: 0 !important;
-  border: none;
-}
-.bootstrap-select > select.mobile-device {
-  top: 0;
-  left: 0;
-  display: block !important;
-  width: 100% !important;
-  z-index: 2;
-}
-.has-error .bootstrap-select .dropdown-toggle,
-.error .bootstrap-select .dropdown-toggle,
-.bootstrap-select.is-invalid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
-  border-color: #b94a48;
-}
-.bootstrap-select.is-valid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
-  border-color: #28a745;
-}
-.bootstrap-select.fit-width {
-  width: auto !important;
-}
-.bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
-  width: 348px;
-}
-
-.bootstrap-select.form-control {
-  margin-bottom: 0;
-  padding: 0;
-  border: none;
-}
-:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
-  width: 100%;
-}
-.bootstrap-select.form-control.input-group-btn {
-  z-index: auto;
-}
-.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0;
-}
-.bootstrap-select:not(.input-group-btn),
-.bootstrap-select[class*="col-"] {
-  float: none;
-  display: inline-block;
-  margin-left: 0;
-}
-.bootstrap-select.dropdown-menu-right,
-.bootstrap-select[class*="col-"].dropdown-menu-right,
-.row .bootstrap-select[class*="col-"].dropdown-menu-right {
-  float: right;
-}
-.form-inline .bootstrap-select,
-.form-horizontal .bootstrap-select,
-.form-group .bootstrap-select {
-  margin-bottom: 0;
-}
-.form-group-lg .bootstrap-select.form-control,
-.form-group-sm .bootstrap-select.form-control {
-  padding: 0;
-}
-.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
-.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
-  height: 100%;
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-.bootstrap-select.form-control-sm .dropdown-toggle,
-.bootstrap-select.form-control-lg .dropdown-toggle {
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-.bootstrap-select.form-control-sm .dropdown-toggle {
-  padding: 0.25rem 0.5rem;
-}
-.bootstrap-select.form-control-lg .dropdown-toggle {
-  padding: 0.5rem 1rem;
-}
-.form-inline .bootstrap-select .form-control {
-  width: 100%;
-}
-.bootstrap-select.disabled,
-.bootstrap-select > .disabled {
-  cursor: not-allowed;
-}
-.bootstrap-select.disabled:focus,
-.bootstrap-select > .disabled:focus {
-  outline: none !important;
-}
-.bootstrap-select.bs-container {
-  position: absolute;
-  top: 0;
-  left: 0;
-  height: 0 !important;
-  padding: 0 !important;
-}
-.bootstrap-select.bs-container .dropdown-menu {
-  z-index: 1060;
-}
-.bootstrap-select .dropdown-toggle:before {
-  content: '';
-  display: inline-block;
-}
-.bootstrap-select .dropdown-toggle .filter-option {
-  position: absolute;
-  top: 0;
-  left: 0;
-  padding-top: inherit;
-  padding-right: inherit;
-  padding-bottom: inherit;
-  padding-left: inherit;
-  height: 100%;
-  width: 100%;
-  text-align: left;
-}
-.bootstrap-select .dropdown-toggle .filter-option-inner {
-  padding-right: inherit;
-}
-.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
-  overflow: hidden;
-}
-.bootstrap-select .dropdown-toggle .caret {
-  position: absolute;
-  top: 50%;
-  right: 12px;
-  margin-top: -2px;
-  vertical-align: middle;
-}
-.input-group .bootstrap-select.form-control .dropdown-toggle {
-  border-radius: inherit;
-}
-.bootstrap-select[class*="col-"] .dropdown-toggle {
-  width: 100%;
-}
-.bootstrap-select .dropdown-menu {
-  min-width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bootstrap-select .dropdown-menu > .inner:focus {
-  outline: none !important;
-}
-.bootstrap-select .dropdown-menu.inner {
-  position: static;
-  float: none;
-  border: 0;
-  padding: 0;
-  margin: 0;
-  border-radius: 0;
-  -webkit-box-shadow: none;
-          box-shadow: none;
-}
-.bootstrap-select .dropdown-menu li {
-  position: relative;
-}
-.bootstrap-select .dropdown-menu li.active small {
-  color: rgba(255, 255, 255, 0.5) !important;
-}
-.bootstrap-select .dropdown-menu li.disabled a {
-  cursor: not-allowed;
-}
-.bootstrap-select .dropdown-menu li a {
-  cursor: pointer;
-  -webkit-user-select: none;
-     -moz-user-select: none;
-      -ms-user-select: none;
-          user-select: none;
-}
-.bootstrap-select .dropdown-menu li a.opt {
-  position: relative;
-  padding-left: 2.25em;
-}
-.bootstrap-select .dropdown-menu li a span.check-mark {
-  display: none;
-}
-.bootstrap-select .dropdown-menu li a span.text {
-  display: inline-block;
-}
-.bootstrap-select .dropdown-menu li small {
-  padding-left: 0.5em;
-}
-.bootstrap-select .dropdown-menu .notify {
-  position: absolute;
-  bottom: 5px;
-  width: 96%;
-  margin: 0 2%;
-  min-height: 26px;
-  padding: 3px 5px;
-  background: #f5f5f5;
-  border: 1px solid #e3e3e3;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-          box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-  pointer-events: none;
-  opacity: 0.9;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bootstrap-select .no-results {
-  padding: 3px;
-  background: #f5f5f5;
-  margin: 0 5px;
-  white-space: nowrap;
-}
-.bootstrap-select.fit-width .dropdown-toggle .filter-option {
-  position: static;
-  display: inline;
-  padding: 0;
-}
-.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
-.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
-  display: inline;
-}
-.bootstrap-select.fit-width .dropdown-toggle .caret {
-  position: static;
-  top: auto;
-  margin-top: -1px;
-}
-.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
-  position: absolute;
-  display: inline-block;
-  right: 15px;
-  top: 5px;
-}
-.bootstrap-select.show-tick .dropdown-menu li a span.text {
-  margin-right: 34px;
-}
-.bootstrap-select .bs-ok-default:after {
-  content: '';
-  display: block;
-  width: 0.5em;
-  height: 1em;
-  border-style: solid;
-  border-width: 0 0.26em 0.26em 0;
-  -webkit-transform: rotate(45deg);
-      -ms-transform: rotate(45deg);
-       -o-transform: rotate(45deg);
-          transform: rotate(45deg);
-}
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
-  z-index: 1061;
-}
-.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
-  content: '';
-  border-left: 7px solid transparent;
-  border-right: 7px solid transparent;
-  border-bottom: 7px solid rgba(204, 204, 204, 0.2);
-  position: absolute;
-  bottom: -4px;
-  left: 9px;
-  display: none;
-}
-.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
-  content: '';
-  border-left: 6px solid transparent;
-  border-right: 6px solid transparent;
-  border-bottom: 6px solid white;
-  position: absolute;
-  bottom: -4px;
-  left: 10px;
-  display: none;
-}
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
-  bottom: auto;
-  top: -4px;
-  border-top: 7px solid rgba(204, 204, 204, 0.2);
-  border-bottom: 0;
-}
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
-  bottom: auto;
-  top: -4px;
-  border-top: 6px solid white;
-  border-bottom: 0;
-}
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
-  right: 12px;
-  left: auto;
-}
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
-  right: 13px;
-  left: auto;
-}
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
-.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
-  display: block;
-}
-.bs-searchbox,
-.bs-actionsbox,
-.bs-donebutton {
-  padding: 4px 8px;
-}
-.bs-actionsbox {
-  width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bs-actionsbox .btn-group button {
-  width: 50%;
-}
-.bs-donebutton {
-  float: left;
-  width: 100%;
-  -webkit-box-sizing: border-box;
-     -moz-box-sizing: border-box;
-          box-sizing: border-box;
-}
-.bs-donebutton .btn-group button {
-  width: 100%;
-}
-.bs-searchbox + .bs-actionsbox {
-  padding: 0 8px 4px;
-}
-.bs-searchbox .form-control {
-  margin-bottom: 0;
-  width: 100%;
-  float: none;
-}
-
-/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
- * Move checkmarks to left hand side of the dropdown.
- */
-.bootstrap-select .dropdown-menu > li > a {
-  padding: 3px 20px 3px 30px;
-}
-.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
-  left: 10px;
-}
-/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select1.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select1.scss
deleted file mode 100644
index 6d3fa13e9f..0000000000
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select1.scss
+++ /dev/null
@@ -1,468 +0,0 @@
-/*!
- * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
- *
- * Copyright 2012-2018 SnapAppointments, LLC
- * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
- */
-
-select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.selectpicker {
-  display: none !important;
-}
-
-.bootstrap-select {
-  width: 348px \0;
-
-  /*IE9 and below*/
-
-  > {
-    .dropdown-toggle {
-      position: relative;
-      width: 100%;
-      z-index: 1;
-      text-align: right;
-      white-space: nowrap;
-
-      &.bs-placeholder {
-        color: #000;
-
-        &:hover, &:focus, &:active {
-          color: #000;
-        }
-
-        &.btn-primary, &.btn-secondary, &.btn-success, &.btn-danger, &.btn-info, &.btn-dark, &.btn-primary:hover, &.btn-secondary:hover, &.btn-success:hover, &.btn-danger:hover, &.btn-info:hover, &.btn-dark:hover, &.btn-primary:focus, &.btn-secondary:focus, &.btn-success:focus, &.btn-danger:focus, &.btn-info:focus, &.btn-dark:focus, &.btn-primary:active, &.btn-secondary:active, &.btn-success:active, &.btn-danger:active, &.btn-info:active, &.btn-dark:active {
-          color: #ffffff;
-        }
-      }
-    }
-
-    select {
-      position: absolute !important;
-      bottom: 0;
-      left: 50%;
-      display: block !important;
-      width: 0.5px !important;
-      height: 100% !important;
-      padding: 0 !important;
-      opacity: 0 !important;
-      border: none;
-
-      &.mobile-device {
-        top: 0;
-        left: 0;
-        display: block !important;
-        width: 100% !important;
-        z-index: 2;
-      }
-    }
-  }
-}
-
-.has-error .bootstrap-select .dropdown-toggle, .error .bootstrap-select .dropdown-toggle, .bootstrap-select.is-invalid .dropdown-toggle, .was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
-  border-color: #b94a48;
-}
-
-.bootstrap-select.is-valid .dropdown-toggle, .was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
-  border-color: #28a745;
-}
-
-.bootstrap-select {
-  &.fit-width {
-    width: auto !important;
-  }
-
-  &:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
-    width: 348px;
-  }
-
-  &.form-control {
-    margin-bottom: 0;
-    padding: 0;
-    border: none;
-  }
-}
-
-:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
-  width: 100%;
-}
-
-.bootstrap-select {
-  &.form-control.input-group-btn {
-    z-index: auto;
-
-    &:not(:first-child):not(:last-child) > .btn {
-      border-radius: 0;
-    }
-  }
-
-  &:not(.input-group-btn), &[class*="col-"] {
-    float: none;
-    display: inline-block;
-    margin-left: 0;
-  }
-
-  &.dropdown-menu-right, &[class*="col-"].dropdown-menu-right {
-    float: right;
-  }
-}
-
-.row .bootstrap-select[class*="col-"].dropdown-menu-right {
-  float: right;
-}
-
-.form-inline .bootstrap-select, .form-horizontal .bootstrap-select, .form-group .bootstrap-select {
-  margin-bottom: 0;
-}
-
-.form-group-lg .bootstrap-select.form-control, .form-group-sm .bootstrap-select.form-control {
-  padding: 0;
-}
-
-.form-group-lg .bootstrap-select.form-control .dropdown-toggle, .form-group-sm .bootstrap-select.form-control .dropdown-toggle {
-  height: 100%;
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-
-.bootstrap-select {
-  &.form-control-sm .dropdown-toggle, &.form-control-lg .dropdown-toggle {
-    font-size: inherit;
-    line-height: inherit;
-    border-radius: inherit;
-  }
-
-  &.form-control-sm .dropdown-toggle {
-    padding: 0.25rem 0.5rem;
-  }
-
-  &.form-control-lg .dropdown-toggle {
-    padding: 0.5rem 1rem;
-  }
-}
-
-.form-inline .bootstrap-select .form-control {
-  width: 100%;
-}
-
-.bootstrap-select {
-  &.disabled {
-    cursor: not-allowed;
-
-    &:focus {
-      outline: none !important;
-    }
-  }
-
-  > .disabled {
-    cursor: not-allowed;
-  }
-
-  > .disabled:focus {
-    outline: none !important;
-  }
-
-  &.bs-container {
-    position: absolute;
-    top: 0;
-    left: 0;
-    height: 0 !important;
-    padding: 0 !important;
-
-    .dropdown-menu {
-      z-index: 1060;
-    }
-  }
-
-  .dropdown-toggle {
-    &:before {
-      content: '';
-      display: inline-block;
-    }
-
-    .filter-option {
-      position: absolute;
-      top: 0;
-      left: 0;
-      padding-top: inherit;
-      padding-right: inherit;
-      padding-bottom: inherit;
-      padding-left: inherit;
-      height: 100%;
-      width: 100%;
-      text-align: left;
-    }
-
-    .filter-option-inner {
-      padding-right: inherit;
-    }
-
-    .filter-option-inner-inner {
-      overflow: hidden;
-    }
-
-    .caret {
-      position: absolute;
-      top: 50%;
-      right: 12px;
-      margin-top: -2px;
-      vertical-align: middle;
-    }
-  }
-}
-
-.input-group .bootstrap-select.form-control .dropdown-toggle {
-  border-radius: inherit;
-}
-
-.bootstrap-select {
-  &[class*="col-"] .dropdown-toggle {
-    width: 100%;
-  }
-
-  .dropdown-menu {
-    min-width: 100%;
-    -webkit-box-sizing: border-box;
-    -moz-box-sizing: border-box;
-    box-sizing: border-box;
-
-    > .inner:focus {
-      outline: none !important;
-    }
-
-    &.inner {
-      position: static;
-      float: none;
-      border: 0;
-      padding: 0;
-      margin: 0;
-      border-radius: 0;
-      -webkit-box-shadow: none;
-      box-shadow: none;
-    }
-
-    li {
-      position: relative;
-
-      &.active small {
-        color: rgba(255, 255, 255, 0.5) !important;
-      }
-
-      &.disabled a {
-        cursor: not-allowed;
-      }
-
-      a {
-        cursor: pointer;
-        -webkit-user-select: none;
-        -moz-user-select: none;
-        -ms-user-select: none;
-        user-select: none;
-
-        &.opt {
-          position: relative;
-          padding-left: 2.25em;
-        }
-
-        span {
-          &.check-mark {
-            display: none;
-          }
-
-          &.text {
-            display: inline-block;
-          }
-        }
-      }
-
-      small {
-        padding-left: 0.5em;
-      }
-    }
-
-    .notify {
-      position: absolute;
-      bottom: 5px;
-      width: 96%;
-      margin: 0 2%;
-      min-height: 26px;
-      padding: 3px 5px;
-      background: #f5f5f5;
-      border: 1px solid #e3e3e3;
-      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-      pointer-events: none;
-      opacity: 0.9;
-      -webkit-box-sizing: border-box;
-      -moz-box-sizing: border-box;
-      box-sizing: border-box;
-    }
-  }
-
-  .no-results {
-    padding: 3px;
-    background: #f5f5f5;
-    margin: 0 5px;
-    white-space: nowrap;
-  }
-
-  &.fit-width .dropdown-toggle {
-    .filter-option {
-      position: static;
-      display: inline;
-      padding: 0;
-    }
-
-    .filter-option-inner, .filter-option-inner-inner {
-      display: inline;
-    }
-
-    .caret {
-      position: static;
-      top: auto;
-      margin-top: -1px;
-    }
-  }
-
-  &.show-tick .dropdown-menu {
-    .selected span.check-mark {
-      position: absolute;
-      display: inline-block;
-      right: 15px;
-      top: 5px;
-    }
-
-    li a span.text {
-      margin-right: 34px;
-    }
-  }
-
-  .bs-ok-default:after {
-    content: '';
-    display: block;
-    width: 0.5em;
-    height: 1em;
-    border-style: solid;
-    border-width: 0 0.26em 0.26em 0;
-    -webkit-transform: rotate(45deg);
-    -ms-transform: rotate(45deg);
-    -o-transform: rotate(45deg);
-    transform: rotate(45deg);
-  }
-
-  &.show-menu-arrow {
-    &.open > .dropdown-toggle, &.show > .dropdown-toggle {
-      z-index: 1061;
-    }
-
-    .dropdown-toggle .filter-option {
-      &:before {
-        content: '';
-        border-left: 7px solid transparent;
-        border-right: 7px solid transparent;
-        border-bottom: 7px solid rgba(204, 204, 204, 0.2);
-        position: absolute;
-        bottom: -4px;
-        left: 9px;
-        display: none;
-      }
-
-      &:after {
-        content: '';
-        border-left: 6px solid transparent;
-        border-right: 6px solid transparent;
-        border-bottom: 6px solid white;
-        position: absolute;
-        bottom: -4px;
-        left: 10px;
-        display: none;
-      }
-    }
-
-    &.dropup .dropdown-toggle .filter-option {
-      &:before {
-        bottom: auto;
-        top: -4px;
-        border-top: 7px solid rgba(204, 204, 204, 0.2);
-        border-bottom: 0;
-      }
-
-      &:after {
-        bottom: auto;
-        top: -4px;
-        border-top: 6px solid white;
-        border-bottom: 0;
-      }
-    }
-
-    &.pull-right .dropdown-toggle .filter-option {
-      &:before {
-        right: 12px;
-        left: auto;
-      }
-
-      &:after {
-        right: 13px;
-        left: auto;
-      }
-    }
-
-    &.open > .dropdown-toggle .filter-option:before, &.show > .dropdown-toggle .filter-option:before, &.open > .dropdown-toggle .filter-option:after, &.show > .dropdown-toggle .filter-option:after {
-      display: block;
-    }
-  }
-}
-
-.bs-searchbox, .bs-actionsbox, .bs-donebutton {
-  padding: 4px 8px;
-}
-
-.bs-actionsbox {
-  width: 100%;
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box;
-
-  .btn-group button {
-    width: 50%;
-  }
-}
-
-.bs-donebutton {
-  float: left;
-  width: 100%;
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box;
-
-  .btn-group button {
-    width: 100%;
-  }
-}
-
-.bs-searchbox {
-  + .bs-actionsbox {
-    padding: 0 8px 4px;
-  }
-
-  .form-control {
-    margin-bottom: 0;
-    width: 100%;
-    float: none;
-  }
-}
-
-/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
- * Move checkmarks to left hand side of the dropdown.
- */
-
-.bootstrap-select {
-  .dropdown-menu > li > a {
-    padding: 3px 20px 3px 30px;
-  }
-
-  &.show-tick .dropdown-menu .selected span.check-mark {
-    left: 10px;
-  }
-}
-
-/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select1.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select1.scss
deleted file mode 100644
index 7e1d6b3719..0000000000
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select1.scss
+++ /dev/null
@@ -1,468 +0,0 @@
-/*!
- * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
- *
- * Copyright 2012-2018 SnapAppointments, LLC
- * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
- */
-
-select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.selectpicker {
-  display: none !important;
-}
-
-.bootstrap-select {
-  width: 348px \0;
-
-  /*IE9 and below*/
-
-  > {
-    .dropdown-toggle {
-      position: relative;
-      width: 100%;
-      z-index: 1;
-      text-align: right;
-      white-space: nowrap;
-
-      &.bs-placeholder {
-        color: #fff;
-
-        &:hover, &:focus, &:active {
-          color: #fff;
-        }
-
-        &.btn-primary, &.btn-secondary, &.btn-success, &.btn-danger, &.btn-info, &.btn-dark, &.btn-primary:hover, &.btn-secondary:hover, &.btn-success:hover, &.btn-danger:hover, &.btn-info:hover, &.btn-dark:hover, &.btn-primary:focus, &.btn-secondary:focus, &.btn-success:focus, &.btn-danger:focus, &.btn-info:focus, &.btn-dark:focus, &.btn-primary:active, &.btn-secondary:active, &.btn-success:active, &.btn-danger:active, &.btn-info:active, &.btn-dark:active {
-          color: #ffffff;
-        }
-      }
-    }
-
-    select {
-      position: absolute !important;
-      bottom: 0;
-      left: 50%;
-      display: block !important;
-      width: 0.5px !important;
-      height: 100% !important;
-      padding: 0 !important;
-      opacity: 0 !important;
-      border: none;
-
-      &.mobile-device {
-        top: 0;
-        left: 0;
-        display: block !important;
-        width: 100% !important;
-        z-index: 2;
-      }
-    }
-  }
-}
-
-.has-error .bootstrap-select .dropdown-toggle, .error .bootstrap-select .dropdown-toggle, .bootstrap-select.is-invalid .dropdown-toggle, .was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
-  border-color: #b94a48;
-}
-
-.bootstrap-select.is-valid .dropdown-toggle, .was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
-  border-color: #28a745;
-}
-
-.bootstrap-select {
-  &.fit-width {
-    width: auto !important;
-  }
-
-  &:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
-    width: 348px;
-  }
-
-  &.form-control {
-    margin-bottom: 0;
-    padding: 0;
-    border: none;
-  }
-}
-
-:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
-  width: 100%;
-}
-
-.bootstrap-select {
-  &.form-control.input-group-btn {
-    z-index: auto;
-
-    &:not(:first-child):not(:last-child) > .btn {
-      border-radius: 0;
-    }
-  }
-
-  &:not(.input-group-btn), &[class*="col-"] {
-    float: none;
-    display: inline-block;
-    margin-left: 0;
-  }
-
-  &.dropdown-menu-right, &[class*="col-"].dropdown-menu-right {
-    float: right;
-  }
-}
-
-.row .bootstrap-select[class*="col-"].dropdown-menu-right {
-  float: right;
-}
-
-.form-inline .bootstrap-select, .form-horizontal .bootstrap-select, .form-group .bootstrap-select {
-  margin-bottom: 0;
-}
-
-.form-group-lg .bootstrap-select.form-control, .form-group-sm .bootstrap-select.form-control {
-  padding: 0;
-}
-
-.form-group-lg .bootstrap-select.form-control .dropdown-toggle, .form-group-sm .bootstrap-select.form-control .dropdown-toggle {
-  height: 100%;
-  font-size: inherit;
-  line-height: inherit;
-  border-radius: inherit;
-}
-
-.bootstrap-select {
-  &.form-control-sm .dropdown-toggle, &.form-control-lg .dropdown-toggle {
-    font-size: inherit;
-    line-height: inherit;
-    border-radius: inherit;
-  }
-
-  &.form-control-sm .dropdown-toggle {
-    padding: 0.25rem 0.5rem;
-  }
-
-  &.form-control-lg .dropdown-toggle {
-    padding: 0.5rem 1rem;
-  }
-}
-
-.form-inline .bootstrap-select .form-control {
-  width: 100%;
-}
-
-.bootstrap-select {
-  &.disabled {
-    cursor: not-allowed;
-
-    &:focus {
-      outline: none !important;
-    }
-  }
-
-  > .disabled {
-    cursor: not-allowed;
-  }
-
-  > .disabled:focus {
-    outline: none !important;
-  }
-
-  &.bs-container {
-    position: absolute;
-    top: 0;
-    left: 0;
-    height: 0 !important;
-    padding: 0 !important;
-
-    .dropdown-menu {
-      z-index: 1060;
-    }
-  }
-
-  .dropdown-toggle {
-    &:before {
-      content: '';
-      display: inline-block;
-    }
-
-    .filter-option {
-      position: absolute;
-      top: 0;
-      left: 0;
-      padding-top: inherit;
-      padding-right: inherit;
-      padding-bottom: inherit;
-      padding-left: inherit;
-      height: 100%;
-      width: 100%;
-      text-align: left;
-    }
-
-    .filter-option-inner {
-      padding-right: inherit;
-    }
-
-    .filter-option-inner-inner {
-      overflow: hidden;
-    }
-
-    .caret {
-      position: absolute;
-      top: 50%;
-      right: 12px;
-      margin-top: -2px;
-      vertical-align: middle;
-    }
-  }
-}
-
-.input-group .bootstrap-select.form-control .dropdown-toggle {
-  border-radius: inherit;
-}
-
-.bootstrap-select {
-  &[class*="col-"] .dropdown-toggle {
-    width: 100%;
-  }
-
-  .dropdown-menu {
-    min-width: 100%;
-    -webkit-box-sizing: border-box;
-    -moz-box-sizing: border-box;
-    box-sizing: border-box;
-
-    > .inner:focus {
-      outline: none !important;
-    }
-
-    &.inner {
-      position: static;
-      float: none;
-      border: 0;
-      padding: 0;
-      margin: 0;
-      border-radius: 0;
-      -webkit-box-shadow: none;
-      box-shadow: none;
-    }
-
-    li {
-      position: relative;
-
-      &.active small {
-        color: rgba(255, 255, 255, 0.5) !important;
-      }
-
-      &.disabled a {
-        cursor: not-allowed;
-      }
-
-      a {
-        cursor: pointer;
-        -webkit-user-select: none;
-        -moz-user-select: none;
-        -ms-user-select: none;
-        user-select: none;
-
-        &.opt {
-          position: relative;
-          padding-left: 2.25em;
-        }
-
-        span {
-          &.check-mark {
-            display: none;
-          }
-
-          &.text {
-            display: inline-block;
-          }
-        }
-      }
-
-      small {
-        padding-left: 0.5em;
-      }
-    }
-
-    .notify {
-      position: absolute;
-      bottom: 5px;
-      width: 96%;
-      margin: 0 2%;
-      min-height: 26px;
-      padding: 3px 5px;
-      background: #f5f5f5;
-      border: 1px solid #e3e3e3;
-      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-      pointer-events: none;
-      opacity: 0.9;
-      -webkit-box-sizing: border-box;
-      -moz-box-sizing: border-box;
-      box-sizing: border-box;
-    }
-  }
-
-  .no-results {
-    padding: 3px;
-    background: #f5f5f5;
-    margin: 0 5px;
-    white-space: nowrap;
-  }
-
-  &.fit-width .dropdown-toggle {
-    .filter-option {
-      position: static;
-      display: inline;
-      padding: 0;
-    }
-
-    .filter-option-inner, .filter-option-inner-inner {
-      display: inline;
-    }
-
-    .caret {
-      position: static;
-      top: auto;
-      margin-top: -1px;
-    }
-  }
-
-  &.show-tick .dropdown-menu {
-    .selected span.check-mark {
-      position: absolute;
-      display: inline-block;
-      right: 15px;
-      top: 5px;
-    }
-
-    li a span.text {
-      margin-right: 34px;
-    }
-  }
-
-  .bs-ok-default:after {
-    content: '';
-    display: block;
-    width: 0.5em;
-    height: 1em;
-    border-style: solid;
-    border-width: 0 0.26em 0.26em 0;
-    -webkit-transform: rotate(45deg);
-    -ms-transform: rotate(45deg);
-    -o-transform: rotate(45deg);
-    transform: rotate(45deg);
-  }
-
-  &.show-menu-arrow {
-    &.open > .dropdown-toggle, &.show > .dropdown-toggle {
-      z-index: 1061;
-    }
-
-    .dropdown-toggle .filter-option {
-      &:before {
-        content: '';
-        border-left: 7px solid transparent;
-        border-right: 7px solid transparent;
-        border-bottom: 7px solid rgba(204, 204, 204, 0.2);
-        position: absolute;
-        bottom: -4px;
-        left: 9px;
-        display: none;
-      }
-
-      &:after {
-        content: '';
-        border-left: 6px solid transparent;
-        border-right: 6px solid transparent;
-        border-bottom: 6px solid white;
-        position: absolute;
-        bottom: -4px;
-        left: 10px;
-        display: none;
-      }
-    }
-
-    &.dropup .dropdown-toggle .filter-option {
-      &:before {
-        bottom: auto;
-        top: -4px;
-        border-top: 7px solid rgba(204, 204, 204, 0.2);
-        border-bottom: 0;
-      }
-
-      &:after {
-        bottom: auto;
-        top: -4px;
-        border-top: 6px solid white;
-        border-bottom: 0;
-      }
-    }
-
-    &.pull-right .dropdown-toggle .filter-option {
-      &:before {
-        right: 12px;
-        left: auto;
-      }
-
-      &:after {
-        right: 13px;
-        left: auto;
-      }
-    }
-
-    &.open > .dropdown-toggle .filter-option:before, &.show > .dropdown-toggle .filter-option:before, &.open > .dropdown-toggle .filter-option:after, &.show > .dropdown-toggle .filter-option:after {
-      display: block;
-    }
-  }
-}
-
-.bs-searchbox, .bs-actionsbox, .bs-donebutton {
-  padding: 4px 8px;
-}
-
-.bs-actionsbox {
-  width: 100%;
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box;
-
-  .btn-group button {
-    width: 50%;
-  }
-}
-
-.bs-donebutton {
-  float: left;
-  width: 100%;
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box;
-
-  .btn-group button {
-    width: 100%;
-  }
-}
-
-.bs-searchbox {
-  + .bs-actionsbox {
-    padding: 0 8px 4px;
-  }
-
-  .form-control {
-    margin-bottom: 0;
-    width: 100%;
-    float: none;
-  }
-}
-
-/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
- * Move checkmarks to left hand side of the dropdown.
- */
-
-.bootstrap-select {
-  .dropdown-menu > li > a {
-    padding: 3px 20px 3px 30px;
-  }
-
-  &.show-tick .dropdown-menu .selected span.check-mark {
-    left: 10px;
-  }
-}
-
-/* End OPNsense edit to fix #2612. */

From 1eb1b19cdf3746c139041943ede5606771096880 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Sep 2023 08:21:05 +0200
Subject: [PATCH 1589/3088] Revert "sysutils/smart: use `smartctl --scan' as
 disk source; closes #3236"

This reverts commit f37375f4b8bf7ea20e9677d0bbeabb7ae97226ff.
---
 sysutils/smart/Makefile                              |  2 +-
 .../opnsense/scripts/OPNsense/Smart/detailed_list.sh | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 111cc3115f..8a0c576f28 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh b/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
index 73a2f65677..d8a3b55c18 100755
--- a/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
+++ b/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
@@ -27,15 +27,21 @@
 
 RESULT=
 
-for DEV in $(smartctl --scan | awk '{ print $1 }'); do
+for DEV in $(sysctl -n kern.disks); do
     IDENT=$(/usr/sbin/diskinfo -s ${DEV})
-    STATE=$(/usr/local/sbin/smartctl -jH ${DEV})
+
+    if [ "${DEV#nvd}" != "${DEV}" ]; then
+        # the disk formerly know as nvdX
+        DEV="nvme${DEV#nvd}"
+    fi
+
+    STATE=$(/usr/local/sbin/smartctl -jH /dev/${DEV})
 
     if [ -n "${RESULT}" ]; then
         RESULT="${RESULT},";
     fi
 
-    RESULT="${RESULT}{\"device\":\"${DEV##/dev/}\",\"ident\":\"${IDENT}\",\"state\":${STATE}}";
+    RESULT="${RESULT}{\"device\":\"${DEV}\",\"ident\":\"${IDENT}\",\"state\":${STATE}}";
 done
 
 echo "[${RESULT}]"

From 6bd5eec5ccc07fd42f4c9e616cccae92d189863c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Sep 2023 08:23:49 +0200
Subject: [PATCH 1590/3088] net/wireguard: set to obsolete now

---
 net/wireguard/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 4bbfb22475..ac064fec61 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -3,6 +3,7 @@ PLUGIN_VERSION=		2.2
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
+PLUGIN_OBSOLETE=	yes
 PLUGIN_MAINTAINER=	ad@opnsense.org
 
 .include "../../Mk/plugins.mk"

From 786814ce2db8e690ece08017e69ceeecec0675c2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Sep 2023 08:26:00 +0200
Subject: [PATCH 1591/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0abae3c9f8..897cb651a8 100644
--- a/README.md
+++ b/README.md
@@ -66,7 +66,7 @@ net/tayga -- Tayga NAT64
 net/udpbroadcastrelay -- Control ubpbroadcastrelay processes
 net/upnp -- Universal Plug and Play Service
 net/vnstat -- Network traffic monitor
-net/wireguard -- WireGuard VPN service kernel implementation
+net/wireguard -- WireGuard VPN service kernel implementation (pending removal)
 net/wireguard-go -- WireGuard VPN service Go implementation (pending removal)
 net/wol -- Wake on LAN Service
 net/zerotier -- Virtual Networks That Just Work

From df24bc2427ce08669351e9094ae8eb9b0995aa13 Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Thu, 28 Sep 2023 10:44:44 +0200
Subject: [PATCH 1592/3088] security/crowdsec - add option
 `retry_initial_connect` to bouncer configuration for more robust startup

---
 security/crowdsec/Makefile                                    | 2 +-
 security/crowdsec/pkg-descr                                   | 4 ++++
 .../src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py     | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index ca8b22e79e..621a919091 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.6
+PLUGIN_VERSION=		1.0.7
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 8d635b67c5..456dce4551 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,10 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.7
+
+* Add option `retry_initial_connect` to bouncer configuration for more robust startup. The option was introduced in Crowdsec 1.5.4.
+
 1.0.6
 
  * default acquis.d/opnsense.yaml to "poll_without_inotify=true" which is now required
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
index 6f012249b4..20c5724392 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
@@ -69,6 +69,7 @@ def configure_bouncer(settings):
     config['log_dir'] = '/var/log/crowdsec'
     config['blacklists_ipv4'] = 'crowdsec_blacklists'
     config['blacklists_ipv6'] = 'crowdsec6_blacklists'
+    config['retry_initial_connect'] = True
     config['pf'] = {'anchor_name': ''}
 
     if not int(settings.get('lapi_manual_configuration', '0')):

From d2ad811cca7485e835d3efb9b7c84f7f2e9f5625 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Sep 2023 23:52:59 +0200
Subject: [PATCH 1593/3088] net/wol: bump was missing

PR: https://forum.opnsense.org/index.php?topic=36219.0
---
 net/wol/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index 2cb9a50e81..08a4a492c6 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wol
 PLUGIN_VERSION=		2.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 07b652f22c74e20eed595140345806d71a934908 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 2 Oct 2023 13:47:25 +0200
Subject: [PATCH 1594/3088] net/frr - explicit case "interface" in automatic
 firewall rules, functionally this doesn't change anything, but makes it
 easier to debug filter rules as they're not being referenced anymore

---
 net/frr/src/etc/inc/plugins.inc.d/frr.inc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/frr/src/etc/inc/plugins.inc.d/frr.inc b/net/frr/src/etc/inc/plugins.inc.d/frr.inc
index f464480289..19ff9f038a 100644
--- a/net/frr/src/etc/inc/plugins.inc.d/frr.inc
+++ b/net/frr/src/etc/inc/plugins.inc.d/frr.inc
@@ -125,7 +125,7 @@ function frr_firewall($fw)
                 $fw->registerFilterRule(
                     1, /* priority */
                     [
-                        'interface'      => $interface->interfacename,
+                        'interface'      => (string)$interface->interfacename,
                         'descr'          => 'Pass OSPF6 MULTICAST (autogenerated)',
                         'from'           => 'fe80::0/10',
                         'to'             => 'ff02::5/128',
@@ -136,7 +136,7 @@ function frr_firewall($fw)
                 $fw->registerFilterRule(
                     1, /* priority */
                     [
-                        'interface'      => $interface->interfacename,
+                        'interface'      => (string)$interface->interfacename,
                         'descr'          => 'Pass OSPF6 MULTICAST DR (autogenerated)',
                         'from'           => 'fe80::0/10',
                         'to'             => 'ff02::6/128',
@@ -147,7 +147,7 @@ function frr_firewall($fw)
                 $fw->registerFilterRule(
                     1,
                     [
-                        'interface'      => $interface->interfacename,
+                        'interface'      => (string)$interface->interfacename,
                         'descr'          => 'Pass OSPF6 UNICAST (autogenerated)',
                         'from'           => 'fe80::0/10',
                         'to'             => '(self)',
@@ -158,7 +158,7 @@ function frr_firewall($fw)
                 $fw->registerFilterRule(
                     1,
                     [
-                        'interface'      => $interface->interfacename,
+                        'interface'      => (string)$interface->interfacename,
                         'descr'          => 'Pass OSPF6 MULTICAST (autogenerated)',
                         'from'           => '(self)',
                         'to'             => 'ff02::5/128',
@@ -169,7 +169,7 @@ function frr_firewall($fw)
                 $fw->registerFilterRule(
                     1,
                     [
-                        'interface'      => $interface->interfacename,
+                        'interface'      => (string)$interface->interfacename,
                         'descr'          => 'Pass OSPF6 MULTICAST DR (autogenerated)',
                         'from'           => '(self)',
                         'to'             => 'ff02::6/128',
@@ -180,7 +180,7 @@ function frr_firewall($fw)
                 $fw->registerFilterRule(
                     1,
                     [
-                        'interface'      => $interface->interfacename,
+                        'interface'      => (string)$interface->interfacename,
                         'descr'          => 'Pass OSPF6 UNICAST (autogenerated)',
                         'from'           => '(self)',
                         'to'             => 'fe80::0/10',

From a7a94cce56bd03890458938add291743e6cd1e88 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 4 Oct 2023 18:23:25 +0200
Subject: [PATCH 1595/3088] VPN: WireGuard  - hook wireguard empty devices
 during bootup, using wireguard_devices() plugin system. This should make sure
 services and components, such as the firewall, are able to use the device
 before being setup. closes https://github.com/opnsense/core/issues/6909

A minor modification was needed in wg-service-control.php to make sure a configure would be executed if wgX exists without configuration
---
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 25 ++++++++++++++++++-
 .../scripts/Wireguard/wg-service-control.php  |  6 ++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index 4474b40894..a24eb716fa 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -100,7 +100,30 @@ function wireguard_xmlrpc_sync()
 
 function wireguard_devices()
 {
-    return [['pattern' => '^wg', 'volatile' => true]];
+    $names = [];
+    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
+        if (!empty((string)$node->enabled)) {
+            $names[(string)$node->interface] = [
+                'descr' => sprintf('%s (Wireguard - %s)', (string)$node->interface, (string)$node->name),
+                'ifdescr' => (string)$node->name,
+                'name' => (string)$node->interface
+            ];
+        }
+    }
+    return [[
+        'function' => 'wireguard_prepare', /* XXX only (empty) device creation */
+        'configurable' => false,
+        'pattern' => '^wg',
+        'type' => 'wireguard',
+        'volatile' => true,
+        'names' => $names,
+    ]];
+}
+
+function wireguard_prepare($device)
+{
+    mwexecf('/sbin/ifconfig wg create name %s', $device);
+    mwexecf('/sbin/ifconfig %s group wireguard', $device);
 }
 
 function wireguard_configure()
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index e51e05a07a..e3ab3fc3be 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -225,7 +225,11 @@ function get_stat_hash($fhandle)
                     case 'configure':
                         if (
                             @md5_file($node->cnfFilename) != get_stat_hash($statHandle)['file'] ||
-                            !isset($ifdetails[(string)$node->interface])
+                            !isset($ifdetails[(string)$node->interface]) || (
+                                // Interface has been setup, but without configuration
+                                empty($ifdetails[(string)$node->interface]['ipv4']) &&
+                                empty($ifdetails[(string)$node->interface]['ipv6'])
+                            )
                         ) {
                             if (get_stat_hash($statHandle)['interface'] != wg_reconfigure_hash($node)) {
                                 // Fluent reloading not supported for this instance, make sure the user is informed

From 3dd19e92f9f68ceec906143102b74e48637c892f Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sun, 8 Oct 2023 09:23:18 +0200
Subject: [PATCH 1596/3088] net-mgmt/telegraf: Add mqtt output (#3607)

---
 net-mgmt/telegraf/Makefile                    |  2 +-
 net-mgmt/telegraf/pkg-descr                   |  4 ++
 .../OPNsense/Telegraf/forms/output.xml        | 60 +++++++++++++++++++
 .../app/models/OPNsense/Telegraf/Output.xml   | 53 +++++++++++++++-
 .../templates/OPNsense/Telegraf/telegraf.conf | 33 ++++++++++
 5 files changed, 150 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index cf99371802..9704c0c8f9 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.8
+PLUGIN_VERSION=		1.12.9
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 1d198749ad..190772affe 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.9
+
+* Add MQTT output
+
 1.12.8
 
 * bug: fix InfluxDB v2 template to remove erroneous `timeout` value (issue #3265, contributed by Gavin Chappell)
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 2ea1ee342b..9b17933184 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -215,4 +215,64 @@
         <type>text</type>
         <help>Set the API Key for accessing Datadog.</help>
     </field>
+    <field>
+        <id>output.mqtt_enable</id>
+        <label>Enable MQTT</label>
+        <type>checkbox</type>
+        <help>This will enable writes to a MQTT Broker acting as a mqtt Producer.</help>
+    </field>
+    <field>
+        <id>output.mqtt_topic_prefix</id>
+        <label>MQTT topic</label>
+        <type>text</type>
+        <help>Topic for producer messages.</help>
+    </field>
+    <field>
+        <id>output.mqtt_servers</id>
+        <label>MQTT brokers</label>
+        <type>text</type>
+        <help>URLs of mqtt brokers. Format is without square brackets, just like localhost:8083.</help>
+    </field>
+    <field>
+        <id>output.mqtt_qos</id>
+        <label>MQTT QoS</label>
+        <type>text</type>
+        <help>QoS policy for messages. 0 = at most once, 1 = at least once, 2 = exactly once. Defaults to 2. </help>
+    </field>
+    <field>
+        <id>output.mqtt_username</id>
+        <label>MQTT Username</label>
+        <type>text</type>
+        <help>Set the username for authentication.</help>
+    </field>
+    <field>
+        <id>output.mqtt_password</id>
+        <label>MQTT Password</label>
+        <type>text</type>
+        <help>Set the password for authentication.</help>
+    </field>
+    <field>
+        <id>output.mqtt_client_id</id>
+        <label>MQTT Client ID</label>
+        <type>text</type>
+        <help>Client ID, if not set a random ID is generated.</help>
+    </field>
+    <field>
+        <id>output.mqtt_timeout</id>
+        <label>MQTT Timeout</label>
+        <type>text</type>
+        <help>Timeout for write operations. Default is 5s. </help>
+    </field>
+    <field>
+        <id>output.mqtt_insecure_skip_verify</id>
+        <label>MQTT Client ID</label>
+        <type>checkbox</type>
+        <help>Use TLS, but skip chain and host verification.</help>
+    </field>
+    <field>
+        <id>output.mqtt_format</id>
+        <label>MQTT Format</label>
+        <type>text</type>
+        <help>Data format to output. Defaults to "influx".</help>
+    </field>
 </form>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 46015f2261..baee0a02a7 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/telegraf/output</mount>
     <description>Telegraf outputs configuration</description>
-    <version>1.4.2</version>
+    <version>1.4.3</version>
     <items>
         <influx_enable type="BooleanField">
             <default>0</default>
@@ -139,5 +139,56 @@
             <default></default>
             <Required>N</Required>
         </datadog_apikey>
+        <mqtt_enable type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </mqtt_enable>
+        <mqtt_topic_prefix type="TextField">
+            <default></default>
+            <Required>N</Required>
+            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+            <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
+        </mqtt_topic_prefix>
+        <mqtt_servers type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </mqtt_servers>
+        <mqtt_client_id type="TextField">
+            <default></default>
+            <Required>N</Required>
+            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+            <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
+        </mqtt_client_id>
+        <mqtt_qos type="IntegerField">
+            <default></default>
+            <Required>N</Required>
+            <MinimumValue>0</MinimumValue>
+            <MaximumValue>2</MaximumValue>
+            <ValidationMessage>Allowed values are 0-2</ValidationMessage>
+        </mqtt_qos>
+        <mqtt_timeout type="IntegerField">
+            <default>5</default>
+            <Required>N</Required>
+        </mqtt_timeout>
+        <mqtt_username type="TextField">
+            <default></default>
+            <Required>N</Required>
+            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+            <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
+        </mqtt_username>
+        <mqtt_password type="TextField">
+            <default></default>
+            <Required>N</Required>
+        </mqtt_password>
+        <mqtt_insecure_skip_verify type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </mqtt_insecure_skip_verify>
+        <mqtt_format type="TextField">
+            <default></default>
+            <Required>N</Required>
+            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+            <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
+        </mqtt_format>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index c814150b92..355eb96a95 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -91,6 +91,39 @@
   timeout = "5s"
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.output.mqtt_enable') and OPNsense.telegraf.output.mqtt_enable == '1' %}
+[[outputs.mqtt]]
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_servers') and OPNsense.telegraf.output.mqtt_servers != '' %}
+  servers = ["{{ OPNsense.telegraf.output.mqtt_servers }}"]
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_topic_prefix') and OPNsense.telegraf.output.mqtt_topic_prefix != '' %}
+  topic_prefix = "{{ OPNsense.telegraf.output.mqtt_topic_prefix }}"
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_qos') and OPNsense.telegraf.output.mqtt_qos != '' %}
+  topic_prefix = "{{ OPNsense.telegraf.output.mqtt_qos }}"
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_client_id') and OPNsense.telegraf.output.mqtt_client_id != '' %}
+  client_id = "{{ OPNsense.telegraf.output.mqtt_client_id }}"
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_timeout') and OPNsense.telegraf.output.mqtt_timeout != '' %}
+  timeout = "{{ OPNsense.telegraf.output.mqtt_timeout }}s"
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_username') and OPNsense.telegraf.output.mqtt_username != '' %}
+  username = "{{ OPNsense.telegraf.output.mqtt_username }}"
+{%   endif %}
+{% if helpers.exists('OPNsense.telegraf.output.mqtt_password') and OPNsense.telegraf.output.mqtt_password != '' %}
+  password = "{{ OPNsense.telegraf.output.mqtt_password }}"
+{%   endif %}
+{% if helpers.exists('OPNsense.telegraf.output.mqtt_insecure_skip_verify') and OPNsense.telegraf.output.mqtt_insecure_skip_verify == '1' %}
+  insecure_skip_verify = true
+{%   else %}
+  insecure_skip_verify = false
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_data_format') and OPNsense.telegraf.output.mqtt_data_format != '' %}
+  data_format = "{{ OPNsense.telegraf.output.mqtt_data_format }}"
+{%   endif %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.telegraf.output.graphite_enable') and OPNsense.telegraf.output.graphite_enable == '1' %}
 [[outputs.graphite]]
 {%   if helpers.exists('OPNsense.telegraf.output.graphite_server') and OPNsense.telegraf.output.graphite_server != '' %}

From 24771a4d6e05dd29017cc82ac8f1307cb1674cdf Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Tue, 10 Oct 2023 08:01:56 +0100
Subject: [PATCH 1597/3088] misc/theme-rebellion: reporting Unbound DNS fix
 (#3612)

---
 misc/theme-rebellion/Makefile                 |    3 +-
 .../rebellion/assets/stylesheets/main.scss    |  888 +-
 .../rebellion/build/css/dns-overview.css      |  182 +
 .../www/themes/rebellion/build/css/main.css   | 8917 ++++++++---------
 4 files changed, 4951 insertions(+), 5039 deletions(-)
 create mode 100644 misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dns-overview.css

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index e4c0763f58..859aeb249a 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.8.8
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.8.9
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
index da4ca7c79c..58bc450832 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
@@ -8,14 +8,17 @@
   padding-right: 1px !important;
   padding-left: 5px !important;
   min-height: 25px !important;
+
   .btn-group .btn {
     color: #C1C1c1 !important;
     background: #454545 !important;
     border: 0px;
+
     .glyphicon {
       color: #C1C1c1 !important;
     }
   }
+
   .list-inline li > h3 {
     padding-top: 4px;
   }
@@ -26,19 +29,16 @@
   src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype");
 }
 
-
 @font-face {
   font-family: "SourceSansProSemibold";
   src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype");
 }
 
-
 @font-face {
   font-family: "SourceSansProRegular";
   src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype");
 }
 
-
 /*! normalize.css v3.0.1 | MIT License | git.io/normalize */
 
 html {
@@ -71,6 +71,7 @@ audio:not([controls]) {
 
 a {
   background: transparent;
+
   &:active, &:hover {
     outline: 0;
   }
@@ -189,21 +190,26 @@ input {
     border: 0;
     padding: 0;
   }
+
   line-height: normal;
+
   &[type=checkbox], &[type=radio] {
     box-sizing: border-box;
     padding: 0;
   }
+
   &[type=number] {
     &::-webkit-inner-spin-button, &::-webkit-outer-spin-button {
       height: auto;
     }
   }
+
   &[type=search] {
     -webkit-appearance: textfield;
     -moz-box-sizing: content-box;
     -webkit-box-sizing: content-box;
     box-sizing: content-box;
+
     &::-webkit-search-cancel-button, &::-webkit-search-decoration {
       -webkit-appearance: none;
     }
@@ -245,64 +251,82 @@ td, th {
     background: transparent !important;
     box-shadow: none !important;
   }
+
   a {
     text-decoration: underline;
+
     &:visited {
       text-decoration: underline;
     }
+
     &[href]:after {
       content: " (" attr(href) ")";
     }
   }
+
   abbr[title]:after {
     content: " (" attr(title) ")";
   }
+
   a {
     &[href^="javascript:"]:after, &[href^="#"]:after {
       content: "";
     }
   }
+
   pre, blockquote {
     border: 1px solid #999;
     page-break-inside: avoid;
   }
+
   thead {
     display: table-header-group;
   }
+
   tr {
     page-break-inside: avoid;
   }
+
   img {
     page-break-inside: avoid;
     max-width: 100% !important;
   }
+
   p, h2, h3 {
     orphans: 3;
     widows: 3;
   }
+
   h2, h3 {
     page-break-after: avoid;
   }
+
   select {
     background: #555 !important;
   }
+
   .navbar {
     display: none;
   }
+
   .table {
     td, th {
       background-color: #444 !important;
     }
   }
+
   .btn > .caret, .dropup > .btn > .caret {
     border-top-color: #ddd !important;
   }
+
   .label {
     border: 1px solid #aaa;
   }
+
   .table {
     border-collapse: collapse !important;
   }
+
   .table-bordered {
     th, td {
       border: 1px solid #666 !important;
@@ -316,7 +340,6 @@ td, th {
   src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg");
 }
 
-
 .glyphicon {
   position: relative;
   top: 1px;
@@ -1133,6 +1156,7 @@ td, th {
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
   box-sizing: border-box;
+
   &:before, &:after {
     -webkit-box-sizing: border-box;
     -moz-box-sizing: border-box;
@@ -1162,10 +1186,12 @@ input, button, select, textarea {
 a {
   color: #EA7105;
   text-decoration: none;
+
   &:hover {
     color: #9f4d03;
     text-decoration: underline;
   }
+
   &:focus {
     color: #9f4d03;
     text-decoration: underline;
@@ -1630,6 +1656,7 @@ ol {
   padding-left: 0;
   list-style: none;
   margin-left: -5px;
+
   > li {
     float: left;
     padding-left: 5px;
@@ -1659,6 +1686,7 @@ dd {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
@@ -1677,6 +1705,7 @@ dd {
       text-overflow: ellipsis;
       white-space: nowrap;
     }
+
     dd {
       margin-left: 180px;
     }
@@ -1700,15 +1729,18 @@ blockquote {
   margin: 0 0 20px;
   font-size: 17.5px;
   border-left: 5px solid #1a1a1a;
+
   p:last-child, ul:last-child, ol:last-child {
     margin-bottom: 0;
   }
+
   footer, small, .small {
     display: block;
     font-size: 80%;
     line-height: 1.428571429;
     color: #DDd;
   }
+
   footer:before, small:before, .small:before {
     content: "— ";
   }
@@ -1746,6 +1778,7 @@ blockquote {
       content: " —";
     }
   }
+
   &:before, &:after {
     content: "";
   }
@@ -1776,6 +1809,7 @@ kbd {
   background-color: #333;
   border-radius: 3px;
   box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25);
+
   kbd {
     padding: 0;
     font-size: 100%;
@@ -1795,6 +1829,7 @@ pre {
   background-color: #484848;
   border: 1px solid #ccc;
   border-radius: 3px;
+
   code {
     padding: 0;
     font-size: inherit;
@@ -1815,10 +1850,12 @@ pre {
   margin-left: auto;
   padding-left: 20px;
   padding-right: 20px;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
@@ -1847,10 +1884,12 @@ pre {
 .row {
   margin-left: -20px;
   margin-right: -20px;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
@@ -2077,156 +2116,207 @@ pre {
   .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {
     float: left;
   }
+
   .col-sm-1 {
     width: 8.3333333333%;
   }
+
   .col-sm-2 {
     width: 16.6666666667%;
   }
+
   .col-sm-3 {
     width: 25%;
   }
+
   .col-sm-4 {
     width: 33.3333333333%;
   }
+
   .col-sm-5 {
     width: 41.6666666667%;
   }
+
   .col-sm-6 {
     width: 50%;
   }
+
   .col-sm-7 {
     width: 58.3333333333%;
   }
+
   .col-sm-8 {
     width: 66.6666666667%;
   }
+
   .col-sm-9 {
     width: 75%;
   }
+
   .col-sm-10 {
     width: 83.3333333333%;
   }
+
   .col-sm-11 {
     width: 91.6666666667%;
   }
+
   .col-sm-12 {
     width: 100%;
   }
+
   .col-sm-pull-0 {
     right: auto;
   }
+
   .col-sm-pull-1 {
     right: 8.3333333333%;
   }
+
   .col-sm-pull-2 {
     right: 16.6666666667%;
   }
+
   .col-sm-pull-3 {
     right: 25%;
   }
+
   .col-sm-pull-4 {
     right: 33.3333333333%;
   }
+
   .col-sm-pull-5 {
     right: 41.6666666667%;
   }
+
   .col-sm-pull-6 {
     right: 50%;
   }
+
   .col-sm-pull-7 {
     right: 58.3333333333%;
   }
+
   .col-sm-pull-8 {
     right: 66.6666666667%;
   }
+
   .col-sm-pull-9 {
     right: 75%;
   }
+
   .col-sm-pull-10 {
     right: 83.3333333333%;
   }
+
   .col-sm-pull-11 {
     right: 91.6666666667%;
   }
+
   .col-sm-pull-12 {
     right: 100%;
   }
+
   .col-sm-push-0 {
     left: auto;
   }
+
   .col-sm-push-1 {
     left: 8.3333333333%;
   }
+
   .col-sm-push-2 {
     left: 16.6666666667%;
   }
+
   .col-sm-push-3 {
     left: 25%;
   }
+
   .col-sm-push-4 {
     left: 33.3333333333%;
   }
+
   .col-sm-push-5 {
     left: 41.6666666667%;
   }
+
   .col-sm-push-6 {
     left: 50%;
   }
+
   .col-sm-push-7 {
     left: 58.3333333333%;
   }
+
   .col-sm-push-8 {
     left: 66.6666666667%;
   }
+
   .col-sm-push-9 {
     left: 75%;
   }
+
   .col-sm-push-10 {
     left: 83.3333333333%;
   }
+
   .col-sm-push-11 {
     left: 91.6666666667%;
   }
+
   .col-sm-push-12 {
     left: 100%;
   }
+
   .col-sm-offset-0 {
     margin-left: 0%;
   }
+
   .col-sm-offset-1 {
     margin-left: 8.3333333333%;
   }
+
   .col-sm-offset-2 {
     margin-left: 16.6666666667%;
   }
+
   .col-sm-offset-3 {
     margin-left: 25%;
   }
+
   .col-sm-offset-4 {
     margin-left: 33.3333333333%;
   }
+
   .col-sm-offset-5 {
     margin-left: 41.6666666667%;
   }
+
   .col-sm-offset-6 {
     margin-left: 50%;
   }
+
   .col-sm-offset-7 {
     margin-left: 58.3333333333%;
   }
+
   .col-sm-offset-8 {
     margin-left: 66.6666666667%;
   }
+
   .col-sm-offset-9 {
     margin-left: 75%;
   }
+
   .col-sm-offset-10 {
     margin-left: 83.3333333333%;
   }
+
   .col-sm-offset-11 {
     margin-left: 91.6666666667%;
   }
+
   .col-sm-offset-12 {
     margin-left: 100%;
   }
@@ -2236,156 +2326,207 @@ pre {
   .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {
     float: left;
   }
+
   .col-md-1 {
     width: 8.3333333333%;
   }
+
   .col-md-2 {
     width: 16.6666666667%;
   }
+
   .col-md-3 {
     width: 25%;
   }
+
   .col-md-4 {
     width: 33.3333333333%;
   }
+
   .col-md-5 {
     width: 41.6666666667%;
   }
+
   .col-md-6 {
     width: 50%;
   }
+
   .col-md-7 {
     width: 58.3333333333%;
   }
+
   .col-md-8 {
     width: 66.6666666667%;
   }
+
   .col-md-9 {
     width: 75%;
   }
+
   .col-md-10 {
     width: 83.3333333333%;
   }
+
   .col-md-11 {
     width: 91.6666666667%;
   }
+
   .col-md-12 {
     width: 100%;
   }
+
   .col-md-pull-0 {
     right: auto;
   }
+
   .col-md-pull-1 {
     right: 8.3333333333%;
   }
+
   .col-md-pull-2 {
     right: 16.6666666667%;
   }
+
   .col-md-pull-3 {
     right: 25%;
   }
+
   .col-md-pull-4 {
     right: 33.3333333333%;
   }
+
   .col-md-pull-5 {
     right: 41.6666666667%;
   }
+
   .col-md-pull-6 {
     right: 50%;
   }
+
   .col-md-pull-7 {
     right: 58.3333333333%;
   }
+
   .col-md-pull-8 {
     right: 66.6666666667%;
   }
+
   .col-md-pull-9 {
     right: 75%;
   }
+
   .col-md-pull-10 {
     right: 83.3333333333%;
   }
+
   .col-md-pull-11 {
     right: 91.6666666667%;
   }
+
   .col-md-pull-12 {
     right: 100%;
   }
+
   .col-md-push-0 {
     left: auto;
   }
+
   .col-md-push-1 {
     left: 8.3333333333%;
   }
+
   .col-md-push-2 {
     left: 16.6666666667%;
   }
+
   .col-md-push-3 {
     left: 25%;
   }
+
   .col-md-push-4 {
     left: 33.3333333333%;
   }
+
   .col-md-push-5 {
     left: 41.6666666667%;
   }
+
   .col-md-push-6 {
     left: 50%;
   }
+
   .col-md-push-7 {
     left: 58.3333333333%;
   }
+
   .col-md-push-8 {
     left: 66.6666666667%;
   }
+
   .col-md-push-9 {
     left: 75%;
   }
+
   .col-md-push-10 {
     left: 83.3333333333%;
   }
+
   .col-md-push-11 {
     left: 91.6666666667%;
   }
+
   .col-md-push-12 {
     left: 100%;
   }
+
   .col-md-offset-0 {
     margin-left: 0%;
   }
+
   .col-md-offset-1 {
     margin-left: 8.3333333333%;
   }
+
   .col-md-offset-2 {
     margin-left: 16.6666666667%;
   }
+
   .col-md-offset-3 {
     margin-left: 25%;
   }
+
   .col-md-offset-4 {
     margin-left: 33.3333333333%;
   }
+
   .col-md-offset-5 {
     margin-left: 41.6666666667%;
   }
+
   .col-md-offset-6 {
     margin-left: 50%;
   }
+
   .col-md-offset-7 {
     margin-left: 58.3333333333%;
   }
+
   .col-md-offset-8 {
     margin-left: 66.6666666667%;
   }
+
   .col-md-offset-9 {
     margin-left: 75%;
   }
+
   .col-md-offset-10 {
     margin-left: 83.3333333333%;
   }
+
   .col-md-offset-11 {
     margin-left: 91.6666666667%;
   }
+
   .col-md-offset-12 {
     margin-left: 100%;
   }
@@ -2395,156 +2536,207 @@ pre {
   .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 {
     float: left;
   }
+
   .col-lg-1 {
     width: 8.3333333333%;
   }
+
   .col-lg-2 {
     width: 16.6666666667%;
   }
+
   .col-lg-3 {
     width: 25%;
   }
+
   .col-lg-4 {
     width: 33.3333333333%;
   }
+
   .col-lg-5 {
     width: 41.6666666667%;
   }
+
   .col-lg-6 {
     width: 50%;
   }
+
   .col-lg-7 {
     width: 58.3333333333%;
   }
+
   .col-lg-8 {
     width: 66.6666666667%;
   }
+
   .col-lg-9 {
     width: 75%;
   }
+
   .col-lg-10 {
     width: 83.3333333333%;
   }
+
   .col-lg-11 {
     width: 91.6666666667%;
   }
+
   .col-lg-12 {
     width: 100%;
   }
+
   .col-lg-pull-0 {
     right: auto;
   }
+
   .col-lg-pull-1 {
     right: 8.3333333333%;
   }
+
   .col-lg-pull-2 {
     right: 16.6666666667%;
   }
+
   .col-lg-pull-3 {
     right: 25%;
   }
+
   .col-lg-pull-4 {
     right: 33.3333333333%;
   }
+
   .col-lg-pull-5 {
     right: 41.6666666667%;
   }
+
   .col-lg-pull-6 {
     right: 50%;
   }
+
   .col-lg-pull-7 {
     right: 58.3333333333%;
   }
+
   .col-lg-pull-8 {
     right: 66.6666666667%;
   }
+
   .col-lg-pull-9 {
     right: 75%;
   }
+
   .col-lg-pull-10 {
     right: 83.3333333333%;
   }
+
   .col-lg-pull-11 {
     right: 91.6666666667%;
   }
+
   .col-lg-pull-12 {
     right: 100%;
   }
+
   .col-lg-push-0 {
     left: auto;
   }
+
   .col-lg-push-1 {
     left: 8.3333333333%;
   }
+
   .col-lg-push-2 {
     left: 16.6666666667%;
   }
+
   .col-lg-push-3 {
     left: 25%;
   }
+
   .col-lg-push-4 {
     left: 33.3333333333%;
   }
+
   .col-lg-push-5 {
     left: 41.6666666667%;
   }
+
   .col-lg-push-6 {
     left: 50%;
   }
+
   .col-lg-push-7 {
     left: 58.3333333333%;
   }
+
   .col-lg-push-8 {
     left: 66.6666666667%;
   }
+
   .col-lg-push-9 {
     left: 75%;
   }
+
   .col-lg-push-10 {
     left: 83.3333333333%;
   }
+
   .col-lg-push-11 {
     left: 91.6666666667%;
   }
+
   .col-lg-push-12 {
     left: 100%;
   }
+
   .col-lg-offset-0 {
     margin-left: 0%;
   }
+
   .col-lg-offset-1 {
     margin-left: 8.3333333333%;
   }
+
   .col-lg-offset-2 {
     margin-left: 16.6666666667%;
   }
+
   .col-lg-offset-3 {
     margin-left: 25%;
   }
+
   .col-lg-offset-4 {
     margin-left: 33.3333333333%;
   }
+
   .col-lg-offset-5 {
     margin-left: 41.6666666667%;
   }
+
   .col-lg-offset-6 {
     margin-left: 50%;
   }
+
   .col-lg-offset-7 {
     margin-left: 58.3333333333%;
   }
+
   .col-lg-offset-8 {
     margin-left: 66.6666666667%;
   }
+
   .col-lg-offset-9 {
     margin-left: 75%;
   }
+
   .col-lg-offset-10 {
     margin-left: 83.3333333333%;
   }
+
   .col-lg-offset-11 {
     margin-left: 91.6666666667%;
   }
+
   .col-lg-offset-12 {
     margin-left: 100%;
   }
@@ -2563,6 +2755,7 @@ th {
   width: 100%;
   max-width: 100%;
   margin-bottom: 20px;
+
   > {
     thead > tr > {
       th, td {
@@ -2572,6 +2765,7 @@ th {
         border-top: 1px solid #111;
       }
     }
+
     tbody > tr > {
       th, td {
         padding: 10px 0px 10px 20px;
@@ -2580,6 +2774,7 @@ th {
         border-top: 1px solid #111;
       }
     }
+
     tfoot > tr > {
       th, td {
         padding: 10px 0px 10px 20px;
@@ -2588,10 +2783,12 @@ th {
         border-top: 1px solid #111;
       }
     }
+
     thead > tr > th {
       vertical-align: bottom;
       border-bottom: 1px solid #111;
     }
+
     caption + thead > tr:first-child > {
       th, td {
         border-top: 0;
@@ -2599,6 +2796,7 @@ th {
         font-weight: normal;
       }
     }
+
     colgroup + thead > tr:first-child > {
       th, td {
         border-top: 0;
@@ -2606,6 +2804,7 @@ th {
         font-weight: normal;
       }
     }
+
     thead:first-child > tr:first-child > {
       th, td {
         border-top: 0;
@@ -2613,10 +2812,12 @@ th {
         font-weight: normal;
       }
     }
+
     tbody + tbody {
       border-top: 2px solid #111;
     }
   }
+
   .table {
     background-color: #333;
   }
@@ -2628,11 +2829,13 @@ th {
       padding: 5px;
     }
   }
+
   tbody > tr > {
     th, td {
       padding: 5px;
     }
   }
+
   tfoot > tr > {
     th, td {
       padding: 5px;
@@ -2642,22 +2845,26 @@ th {
 
 .table-bordered {
   border: 1px solid #111;
+
   > {
     thead > tr > {
       th, td {
         border: 1px solid #111;
       }
     }
+
     tbody > tr > {
       th, td {
         border: 1px solid #111;
       }
     }
+
     tfoot > tr > {
       th, td {
         border: 1px solid #111;
       }
     }
+
     thead > tr > {
       th, td {
         border-bottom-width: 2px;
@@ -2684,6 +2891,7 @@ table {
     float: none;
     display: table-column;
   }
+
   td[class*=col-], th[class*=col-] {
     position: static;
     float: none;
@@ -2698,30 +2906,35 @@ table {
         background-color: #484848;
       }
     }
+
     &.active > {
       td, th {
         background-color: #484848;
       }
     }
   }
+
   tbody > tr {
     > {
       td.active, th.active {
         background-color: #484848;
       }
     }
+
     &.active > {
       td, th {
         background-color: #484848;
       }
     }
   }
+
   tfoot > tr {
     > {
       td.active, th.active {
         background-color: #484848;
       }
     }
+
     &.active > {
       td, th {
         background-color: #484848;
@@ -2736,6 +2949,7 @@ table {
       background-color: #3b3b3b;
     }
   }
+
   &.active:hover > td, &:hover > .active, &.active:hover > th {
     background-color: #3b3b3b;
   }
@@ -2748,30 +2962,35 @@ table {
         background-color: #7Ba255;
       }
     }
+
     &.success > {
       td, th {
         background-color: #7Ba255;
       }
     }
   }
+
   tbody > tr {
     > {
       td.success, th.success {
         background-color: #7Ba255;
       }
     }
+
     &.success > {
       td, th {
         background-color: #7Ba255;
       }
     }
   }
+
   tfoot > tr {
     > {
       td.success, th.success {
         background-color: #7Ba255;
       }
     }
+
     &.success > {
       td, th {
         background-color: #7Ba255;
@@ -2786,6 +3005,7 @@ table {
       background-color: #6e914c;
     }
   }
+
   &.success:hover > td, &:hover > .success, &.success:hover > th {
     background-color: #6e914c;
   }
@@ -2798,30 +3018,35 @@ table {
         background-color: #4545a7;
       }
     }
+
     &.info > {
       td, th {
         background-color: #4545a7;
       }
     }
   }
+
   tbody > tr {
     > {
       td.info, th.info {
         background-color: #4545a7;
       }
     }
+
     &.info > {
       td, th {
         background-color: #4545a7;
       }
     }
   }
+
   tfoot > tr {
     > {
       td.info, th.info {
         background-color: #4545a7;
       }
     }
+
     &.info > {
       td, th {
         background-color: #4545a7;
@@ -2836,6 +3061,7 @@ table {
       background-color: #3e3e95;
     }
   }
+
   &.info:hover > td, &:hover > .info, &.info:hover > th {
     background-color: #3e3e95;
   }
@@ -2845,36 +3071,41 @@ table {
   thead > tr {
     > {
       td.warning, th.warning {
-        background-color: #fcf8e3;
+        background-color: #B93F25;
       }
     }
+
     &.warning > {
       td, th {
-        background-color: #fcf8e3;
+        background-color: #B93F25;
       }
     }
   }
+
   tbody > tr {
     > {
       td.warning, th.warning {
-        background-color: #fcf8e3;
+        background-color: #B93F25;
       }
     }
+
     &.warning > {
       td, th {
-        background-color: #fcf8e3;
+        background-color: #B93F25;
       }
     }
   }
+
   tfoot > tr {
     > {
       td.warning, th.warning {
-        background-color: #fcf8e3;
+        background-color: #B93F25;
       }
     }
+
     &.warning > {
       td, th {
-        background-color: #fcf8e3;
+        background-color: #B93F25;
       }
     }
   }
@@ -2883,11 +3114,12 @@ table {
 .table-hover > tbody > tr {
   > {
     td.warning:hover, th.warning:hover {
-      background-color: #faf2cc;
+      background-color: #C94F35;
     }
   }
+
   &.warning:hover > td, &:hover > .warning, &.warning:hover > th {
-    background-color: #faf2cc;
+    background-color: #C94F35;
   }
 }
 
@@ -2898,30 +3130,35 @@ table {
         background-color: #F05050;
       }
     }
+
     &.danger > {
       td, th {
         background-color: #F05050;
       }
     }
   }
+
   tbody > tr {
     > {
       td.danger, th.danger {
         background-color: #F05050;
       }
     }
+
     &.danger > {
       td, th {
         background-color: #F05050;
       }
     }
   }
+
   tfoot > tr {
     > {
       td.danger, th.danger {
         background-color: #F05050;
       }
     }
+
     &.danger > {
       td, th {
         background-color: #F05050;
@@ -2936,6 +3173,7 @@ table {
       background-color: #ee3939;
     }
   }
+
   &.danger:hover > td, &:hover > .danger, &.danger:hover > th {
     background-color: #ee3939;
   }
@@ -2948,50 +3186,81 @@ table {
     overflow-y: hidden;
     overflow-x: auto;
     -ms-overflow-style: -ms-autohiding-scrollbar;
+
     /*     border: 1px solid $table-border-color; */
     -webkit-overflow-scrolling: touch;
+
     > {
       .table {
         margin-bottom: 0;
-      }
-      .table-bordered {
-        border: 0;
+
         > {
           thead > tr > {
-            th:first-child, td:first-child {
-              border-left: 0;
+            th, td {
+              white-space: nowrap;
             }
           }
+
+          tbody > tr > {
+            th, td {
+              white-space: nowrap;
+            }
+          }
+
+          tfoot > tr > {
+            th, td {
+              white-space: nowrap;
+            }
+          }
+        }
+      }
+
+      .table-bordered {
+        border: 0;
+
+        > {
+          thead > tr > {
+            th:first-child, td:first-child {
+              border-left: 0;
+            }
+          }
+
           tbody > tr > {
             th:first-child, td:first-child {
               border-left: 0;
             }
           }
+
           tfoot > tr > {
             th:first-child, td:first-child {
               border-left: 0;
             }
           }
+
           thead > tr > {
             th:last-child, td:last-child {
               border-right: 0;
             }
           }
+
           tbody > tr > {
             th:last-child, td:last-child {
               border-right: 0;
             }
           }
+
           tfoot > tr > {
             th:last-child, td:last-child {
               border-right: 0;
             }
           }
+
           tbody > tr:last-child > {
             th, td {
               border-bottom: 0;
             }
           }
+
           tfoot > tr:last-child > {
             th, td {
               border-bottom: 0;
@@ -3035,14 +3304,17 @@ input {
     -moz-box-sizing: border-box;
     box-sizing: border-box;
   }
+
   &[type=radio], &[type=checkbox] {
     margin: 4px 0 0;
     margin-top: 1px \9;
     line-height: normal;
   }
+
   &[type=file] {
     display: block;
   }
+
   &[type=range] {
     display: block;
     width: 100%;
@@ -3391,10 +3663,12 @@ input {
   &[type=search] {
     -webkit-appearance: none;
   }
+
   &[type=date], &[type=time], &[type=datetime-local], &[type=month] {
     line-height: 34px;
     line-height: 1.428571429 \0;
   }
+
   &[type=date].input-sm {
     line-height: 30px;
   }
@@ -3406,6 +3680,7 @@ input {
       line-height: 30px;
     }
   }
+
   .input-group-btn > input[type=date].btn {
     line-height: 30px;
   }
@@ -3421,6 +3696,7 @@ input {
       line-height: 30px;
     }
   }
+
   .input-group-btn > input[type=time].btn {
     line-height: 30px;
   }
@@ -3436,6 +3712,7 @@ input {
       line-height: 30px;
     }
   }
+
   .input-group-btn > input[type=datetime-local].btn {
     line-height: 30px;
   }
@@ -3451,6 +3728,7 @@ input {
       line-height: 30px;
     }
   }
+
   .input-group-btn > input[type=month].btn {
     line-height: 30px;
   }
@@ -3470,6 +3748,7 @@ input[type=date].input-lg {
       line-height: 46px;
     }
   }
+
   .input-group-btn > input[type=date].btn {
     line-height: 46px;
   }
@@ -3485,6 +3764,7 @@ input[type=date].input-lg {
       line-height: 46px;
     }
   }
+
   .input-group-btn > input[type=time].btn {
     line-height: 46px;
   }
@@ -3500,6 +3780,7 @@ input[type=date].input-lg {
       line-height: 46px;
     }
   }
+
   .input-group-btn > input[type=datetime-local].btn {
     line-height: 46px;
   }
@@ -3515,6 +3796,7 @@ input[type=date].input-lg {
       line-height: 46px;
     }
   }
+
   .input-group-btn > input[type=month].btn {
     line-height: 46px;
   }
@@ -3591,6 +3873,7 @@ fieldset[disabled] input[type=checkbox], .radio-inline.disabled, fieldset[disabl
   padding-top: 7px;
   padding-bottom: 7px;
   margin-bottom: 0;
+
   &.input-lg {
     padding-left: 0;
     padding-right: 0;
@@ -3604,6 +3887,7 @@ fieldset[disabled] input[type=checkbox], .radio-inline.disabled, fieldset[disabl
       padding-right: 0;
     }
   }
+
   .input-group-btn > .form-control-static.btn {
     padding-left: 0;
     padding-right: 0;
@@ -3622,6 +3906,7 @@ fieldset[disabled] input[type=checkbox], .radio-inline.disabled, fieldset[disabl
       padding-right: 0;
     }
   }
+
   .input-group-btn > .form-control-static.btn {
     padding-left: 0;
     padding-right: 0;
@@ -3671,6 +3956,7 @@ select.input-sm {
       line-height: 30px;
     }
   }
+
   .input-group-btn > select.btn {
     height: 30px;
     line-height: 30px;
@@ -3692,6 +3978,7 @@ textarea.input-sm {
       height: auto;
     }
   }
+
   .input-group-btn > textarea.btn {
     height: auto;
   }
@@ -3707,6 +3994,7 @@ textarea.input-sm {
       height: auto;
     }
   }
+
   .input-group-btn > select[multiple].btn {
     height: auto;
   }
@@ -3754,6 +4042,7 @@ select.input-lg {
       line-height: 46px;
     }
   }
+
   .input-group-btn > select.btn {
     height: 46px;
     line-height: 46px;
@@ -3775,6 +4064,7 @@ textarea.input-lg {
       height: auto;
     }
   }
+
   .input-group-btn > textarea.btn {
     height: auto;
   }
@@ -3790,6 +4080,7 @@ textarea.input-lg {
       height: auto;
     }
   }
+
   .input-group-btn > select[multiple].btn {
     height: auto;
   }
@@ -3801,6 +4092,7 @@ textarea.input-lg {
 
 .has-feedback {
   position: relative;
+
   .form-control {
     padding-right: 42.5px;
   }
@@ -3862,21 +4154,25 @@ textarea.input-lg {
   .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
     color: #7Ba255;
   }
+
   .form-control {
     border-color: #7Ba255;
     -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
     box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
     &:focus {
       border-color: #628143;
       -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #aec895;
       box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #aec895;
     }
   }
+
   .input-group-addon {
     color: #7Ba255;
     border-color: #7Ba255;
     background-color: #7Ba255;
   }
+
   .form-control-feedback {
     color: #7Ba255;
   }
@@ -3886,21 +4182,25 @@ textarea.input-lg {
   .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
     color: #f0ad4e;
   }
+
   .form-control {
     border-color: #f0ad4e;
     -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
     box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
     &:focus {
       border-color: #ec971f;
       -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
       box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
     }
   }
+
   .input-group-addon {
     color: #f0ad4e;
     border-color: #f0ad4e;
     background-color: #fcf8e3;
   }
+
   .form-control-feedback {
     color: #f0ad4e;
   }
@@ -3910,21 +4210,25 @@ textarea.input-lg {
   .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
     color: #F05050;
   }
+
   .form-control {
     border-color: #F05050;
     -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
     box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
     &:focus {
       border-color: #ec2121;
       -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
       box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
     }
   }
+
   .input-group-addon {
     color: #F05050;
     border-color: #F05050;
     background-color: #F05050;
   }
+
   .form-control-feedback {
     color: #F05050;
   }
@@ -3947,38 +4251,47 @@ textarea.input-lg {
     margin-bottom: 0;
     vertical-align: middle;
   }
+
   .form-inline .form-control, .navbar-form .form-control {
     display: inline-block;
     width: auto;
     vertical-align: middle;
   }
+
   .form-inline .input-group, .navbar-form .input-group {
     display: inline-table;
     vertical-align: middle;
   }
+
   .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon, .form-inline .input-group .input-group-btn, .navbar-form .input-group .input-group-btn, .form-inline .input-group .form-control, .navbar-form .input-group .form-control {
     width: auto;
   }
+
   .form-inline .input-group > .form-control, .navbar-form .input-group > .form-control {
     width: 100%;
   }
+
   .form-inline .control-label, .navbar-form .control-label {
     margin-bottom: 0;
     vertical-align: middle;
   }
+
   .form-inline .radio, .navbar-form .radio, .form-inline .checkbox, .navbar-form .checkbox {
     display: inline-block;
     margin-top: 0;
     margin-bottom: 0;
     vertical-align: middle;
   }
+
   .form-inline .radio label, .navbar-form .radio label, .form-inline .checkbox label, .navbar-form .checkbox label {
     padding-left: 0;
   }
+
   .form-inline .radio input[type=radio], .navbar-form .radio input[type=radio], .form-inline .checkbox input[type=checkbox], .navbar-form .checkbox input[type=checkbox] {
     position: relative;
     margin-left: 0;
   }
+
   .form-inline .has-feedback .form-control-feedback, .navbar-form .has-feedback .form-control-feedback {
     top: 0;
   }
@@ -3990,22 +4303,27 @@ textarea.input-lg {
     margin-bottom: 0;
     padding-top: 7px;
   }
+
   .radio, .checkbox {
     min-height: 27px;
   }
+
   .form-group {
     margin-left: -20px;
     margin-right: -20px;
+
     &:before {
       content: " ";
       display: table;
     }
+
     &:after {
       content: " ";
       display: table;
       clear: both;
     }
   }
+
   .has-feedback control-feedback {
     top: 0;
     right: 20px;
@@ -4053,6 +4371,7 @@ textarea.input-lg {
   color: #eee;
   background-color: #656565;
   border-color: #e5e5e5;
+
   &:hover, &:focus, &:active, &.active {
     color: #eee;
     background-color: #4c4c4c;
@@ -4080,14 +4399,17 @@ textarea.input-lg {
   &.disabled {
     background-color: #656565;
     border-color: #e5e5e5;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #656565;
       border-color: #e5e5e5;
     }
   }
+
   &[disabled] {
     background-color: #656565;
     border-color: #e5e5e5;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #656565;
       border-color: #e5e5e5;
@@ -4098,6 +4420,7 @@ textarea.input-lg {
 fieldset[disabled] .btn {
   background-color: #656565;
   border-color: #e5e5e5;
+
   &:hover, &:focus, &:active, &.active {
     background-color: #656565;
     border-color: #e5e5e5;
@@ -4109,21 +4432,25 @@ fieldset[disabled] .btn {
     color: #656565;
     background-color: #eee;
   }
+
   &:focus, &:active:focus, &.active:focus {
     outline: thin dotted;
     outline: 5px auto -webkit-focus-ring-color;
     outline-offset: -2px;
   }
+
   &:hover, &:focus {
     color: #eee;
     text-decoration: none;
   }
+
   &:active, &.active {
     outline: 0;
     background-image: none;
     -webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
     box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
   }
+
   &.disabled, &[disabled] {
     cursor: not-allowed;
     pointer-events: none;
@@ -4147,6 +4474,7 @@ fieldset[disabled] .btn {
   color: #eee;
   background-color: #656565;
   border-color: #e5e5e5;
+
   &:hover, &:focus, &:active, &.active {
     color: #eee;
     background-color: #4c4c4c;
@@ -4174,14 +4502,17 @@ fieldset[disabled] .btn {
   &.disabled {
     background-color: #656565;
     border-color: #e5e5e5;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #656565;
       border-color: #e5e5e5;
     }
   }
+
   &[disabled] {
     background-color: #656565;
     border-color: #e5e5e5;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #656565;
       border-color: #e5e5e5;
@@ -4192,6 +4523,7 @@ fieldset[disabled] .btn {
 fieldset[disabled] .btn-default {
   background-color: #656565;
   border-color: #e5e5e5;
+
   &:hover, &:focus, &:active, &.active {
     background-color: #656565;
     border-color: #e5e5e5;
@@ -4207,6 +4539,7 @@ fieldset[disabled] .btn-default {
   color: #eee;
   background-color: #EA7105;
   border-color: #D95100;
+
   &:hover, &:focus, &:active, &.active {
     color: #eee;
     background-color: #b85904;
@@ -4234,14 +4567,17 @@ fieldset[disabled] .btn-default {
   &.disabled {
     background-color: #EA7105;
     border-color: #D95100;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #EA7105;
       border-color: #D95100;
     }
   }
+
   &[disabled] {
     background-color: #EA7105;
     border-color: #D95100;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #EA7105;
       border-color: #D95100;
@@ -4252,6 +4588,7 @@ fieldset[disabled] .btn-default {
 fieldset[disabled] .btn-primary {
   background-color: #EA7105;
   border-color: #D95100;
+
   &:hover, &:focus, &:active, &.active {
     background-color: #EA7105;
     border-color: #D95100;
@@ -4267,6 +4604,7 @@ fieldset[disabled] .btn-primary {
   color: #eee;
   background-color: #7Ba255;
   border-color: #6e914c;
+
   &:hover, &:focus, &:active, &.active {
     color: #eee;
     background-color: #628143;
@@ -4294,14 +4632,17 @@ fieldset[disabled] .btn-primary {
   &.disabled {
     background-color: #7Ba255;
     border-color: #6e914c;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #7Ba255;
       border-color: #6e914c;
     }
   }
+
   &[disabled] {
     background-color: #7Ba255;
     border-color: #6e914c;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #7Ba255;
       border-color: #6e914c;
@@ -4312,6 +4653,7 @@ fieldset[disabled] .btn-primary {
 fieldset[disabled] .btn-success {
   background-color: #7Ba255;
   border-color: #6e914c;
+
   &:hover, &:focus, &:active, &.active {
     background-color: #7Ba255;
     border-color: #6e914c;
@@ -4327,6 +4669,7 @@ fieldset[disabled] .btn-success {
   color: #eee;
   background-color: #B0CDDB;
   border-color: #9ec2d3;
+
   &:hover, &:focus, &:active, &.active {
     color: #eee;
     background-color: #8db7cb;
@@ -4354,14 +4697,17 @@ fieldset[disabled] .btn-success {
   &.disabled {
     background-color: #B0CDDB;
     border-color: #9ec2d3;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #B0CDDB;
       border-color: #9ec2d3;
     }
   }
+
   &[disabled] {
     background-color: #B0CDDB;
     border-color: #9ec2d3;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #B0CDDB;
       border-color: #9ec2d3;
@@ -4372,6 +4718,7 @@ fieldset[disabled] .btn-success {
 fieldset[disabled] .btn-info {
   background-color: #B0CDDB;
   border-color: #9ec2d3;
+
   &:hover, &:focus, &:active, &.active {
     background-color: #B0CDDB;
     border-color: #9ec2d3;
@@ -4387,6 +4734,7 @@ fieldset[disabled] .btn-info {
   color: #eee;
   background-color: #f0ad4e;
   border-color: #eea236;
+
   &:hover, &:focus, &:active, &.active {
     color: #eee;
     background-color: #ec971f;
@@ -4414,14 +4762,17 @@ fieldset[disabled] .btn-info {
   &.disabled {
     background-color: #f0ad4e;
     border-color: #eea236;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #f0ad4e;
       border-color: #eea236;
     }
   }
+
   &[disabled] {
     background-color: #f0ad4e;
     border-color: #eea236;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #f0ad4e;
       border-color: #eea236;
@@ -4432,6 +4783,7 @@ fieldset[disabled] .btn-info {
 fieldset[disabled] .btn-warning {
   background-color: #f0ad4e;
   border-color: #eea236;
+
   &:hover, &:focus, &:active, &.active {
     background-color: #f0ad4e;
     border-color: #eea236;
@@ -4447,6 +4799,7 @@ fieldset[disabled] .btn-warning {
   color: #eee;
   background-color: #F05050;
   border-color: #ee3939;
+
   &:hover, &:focus, &:active, &.active {
     color: #eee;
     background-color: #ec2121;
@@ -4474,14 +4827,17 @@ fieldset[disabled] .btn-warning {
   &.disabled {
     background-color: #F05050;
     border-color: #ee3939;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #F05050;
       border-color: #ee3939;
     }
   }
+
   &[disabled] {
     background-color: #F05050;
     border-color: #ee3939;
+
     &:hover, &:focus, &:active, &.active {
       background-color: #F05050;
       border-color: #ee3939;
@@ -4492,6 +4848,7 @@ fieldset[disabled] .btn-warning {
 fieldset[disabled] .btn-danger {
   background-color: #F05050;
   border-color: #ee3939;
+
   &:hover, &:focus, &:active, &.active {
     background-color: #F05050;
     border-color: #ee3939;
@@ -4511,6 +4868,7 @@ fieldset[disabled] .btn-danger {
   background-color: transparent;
   -webkit-box-shadow: none;
   box-shadow: none;
+
   &:active, &[disabled] {
     background-color: transparent;
     -webkit-box-shadow: none;
@@ -4526,14 +4884,17 @@ fieldset[disabled] .btn-link {
 
 .btn-link {
   border-color: transparent;
+
   &:hover, &:focus, &:active {
     border-color: transparent;
   }
+
   &:hover, &:focus {
     color: #9f4d03;
     text-decoration: underline;
     background-color: transparent;
   }
+
   &[disabled] {
     &:hover, &:focus {
       color: #DDd;
@@ -4573,6 +4934,7 @@ fieldset[disabled] .btn-link {
 .btn-block {
   display: block;
   width: 100%;
+
   + .btn-block {
     margin-top: 5px;
   }
@@ -4589,6 +4951,7 @@ input {
   -webkit-transition: opacity 0.15s linear;
   -o-transition: opacity 0.15s linear;
   transition: opacity 0.15s linear;
+
   &.in {
     opacity: 1;
   }
@@ -4596,6 +4959,7 @@ input {
 
 .collapse {
   display: none;
+
   &.in {
     display: block;
   }
@@ -4657,16 +5021,19 @@ tbody.collapse.in {
   -webkit-box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   background-clip: padding-box;
+
   &.pull-right {
     right: 0;
     left: auto;
   }
+
   .divider {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
     background-color: #262626;
   }
+
   > {
     li > a {
       display: block;
@@ -4676,17 +5043,20 @@ tbody.collapse.in {
       line-height: 1.428571429;
       color: #bbb;
       white-space: nowrap;
+
       &:hover, &:focus {
         text-decoration: none;
         color: #f66;
         background-color: #353535;
       }
     }
+
     .active > a {
       color: #555;
       text-decoration: none;
       outline: 0;
       background-color: #EA7105;
+
       &:hover, &:focus {
         color: #555;
         text-decoration: none;
@@ -4694,11 +5064,14 @@ tbody.collapse.in {
         background-color: #EA7105;
       }
     }
+
     .disabled > a {
       color: #DDd;
+
       &:hover, &:focus {
         color: #DDd;
       }
+
       &:hover, &:focus {
         text-decoration: none;
         background-color: transparent;
@@ -4714,6 +5087,7 @@ tbody.collapse.in {
   .dropdown-menu {
     display: block;
   }
+
   a {
     outline: 0;
   }
@@ -4770,6 +5144,7 @@ tbody.collapse.in {
       right: 0;
       left: auto;
     }
+
     .dropdown-menu-left {
       left: 0;
       right: auto;
@@ -4810,6 +5185,7 @@ tbody.collapse.in {
       margin-left: -1px;
     }
   }
+
   .btn-group + {
     .btn, .btn-group {
       margin-left: -1px;
@@ -4819,18 +5195,22 @@ tbody.collapse.in {
 
 .btn-toolbar {
   margin-left: -5px;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
     clear: both;
   }
+
   .btn-group, .input-group {
     float: left;
   }
+
   > {
     .btn, .btn-group, .input-group {
       margin-left: 5px;
@@ -4844,47 +5224,58 @@ tbody.collapse.in {
       &:not(:first-child):not(:last-child):not(.dropdown-toggle) {
         border-radius: 0;
       }
+
       &:first-child {
         margin-left: 0;
+
         &:not(:last-child):not(.dropdown-toggle) {
           border-bottom-right-radius: 0;
           border-top-right-radius: 0;
         }
       }
+
       &:last-child:not(:first-child) {
         border-bottom-left-radius: 0;
         border-top-left-radius: 0;
       }
     }
+
     .dropdown-toggle:not(:first-child) {
       border-bottom-left-radius: 0;
       border-top-left-radius: 0;
     }
+
     .btn-group {
       float: left;
+
       &:not(:first-child):not(:last-child) > .btn {
         border-radius: 0;
       }
+
       &:first-child > {
         .btn:last-child, .dropdown-toggle {
           border-bottom-right-radius: 0;
           border-top-right-radius: 0;
         }
       }
+
       &:last-child > .btn:first-child {
         border-bottom-left-radius: 0;
         border-top-left-radius: 0;
       }
     }
   }
+
   .dropdown-toggle:active, &.open .dropdown-toggle {
     outline: 0;
   }
+
   > {
     .btn + .dropdown-toggle {
       padding-left: 8px;
       padding-right: 8px;
     }
+
     .btn-lg + .dropdown-toggle {
       padding-left: 12px;
       padding-right: 12px;
@@ -4900,6 +5291,7 @@ tbody.collapse.in {
 .btn-group.open .dropdown-toggle {
   -webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
   box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
+
   &.btn-link {
     -webkit-box-shadow: none;
     box-shadow: none;
@@ -4928,67 +5320,80 @@ tbody.collapse.in {
     width: 100%;
     max-width: 100%;
   }
+
   .btn-group {
     display: block;
     float: none;
     width: 100%;
     max-width: 100%;
+
     > .btn {
       display: block;
       float: none;
       width: 100%;
       max-width: 100%;
     }
+
     &:before {
       content: " ";
       display: table;
     }
+
     &:after {
       content: " ";
       display: table;
       clear: both;
     }
+
     > .btn {
       float: none;
     }
   }
+
   .btn + {
     .btn, .btn-group {
       margin-top: -1px;
       margin-left: 0;
     }
   }
+
   .btn-group + {
     .btn, .btn-group {
       margin-top: -1px;
       margin-left: 0;
     }
   }
+
   .btn {
     &:not(:first-child):not(:last-child) {
       border-radius: 0;
     }
+
     &:first-child:not(:last-child) {
       border-top-right-radius: 3px;
       border-bottom-right-radius: 0;
       border-bottom-left-radius: 0;
     }
+
     &:last-child:not(:first-child) {
       border-bottom-left-radius: 3px;
       border-top-right-radius: 0;
       border-top-left-radius: 0;
     }
   }
+
   .btn-group {
     &:not(:first-child):not(:last-child) > .btn {
       border-radius: 0;
     }
+
     &:first-child:not(:last-child) > {
       .btn:last-child, .dropdown-toggle {
         border-bottom-right-radius: 0;
         border-bottom-left-radius: 0;
       }
     }
+
     &:last-child:not(:first-child) > .btn:first-child {
       border-top-right-radius: 0;
       border-top-left-radius: 0;
@@ -5001,19 +5406,23 @@ tbody.collapse.in {
   width: 100%;
   table-layout: fixed;
   border-collapse: separate;
+
   > {
     .btn {
       float: none;
       display: table-cell;
       width: 1%;
     }
+
     .btn-group {
       float: none;
       display: table-cell;
       width: 1%;
+
       .btn {
         width: 100%;
       }
+
       .dropdown-menu {
         left: auto;
       }
@@ -5034,11 +5443,13 @@ tbody.collapse.in {
   position: relative;
   display: table;
   border-collapse: separate;
+
   &[class*=col-] {
     float: none;
     padding-left: 0;
     padding-right: 0;
   }
+
   .form-control {
     position: relative;
     z-index: 2;
@@ -5072,6 +5483,7 @@ tbody.collapse.in {
   background-color: #1a1a1a;
   border: 1px solid #ccc;
   border-radius: 3px;
+
   &.input-sm {
     padding: 5px 10px;
     font-size: 12px;
@@ -5125,6 +5537,7 @@ tbody.collapse.in {
       border-top-right-radius: 0;
     }
   }
+
   &:last-child > {
     .btn:not(:last-child):not(.dropdown-toggle), .btn-group:not(:last-child) > .btn {
       border-bottom-right-radius: 0;
@@ -5149,6 +5562,7 @@ tbody.collapse.in {
       border-top-left-radius: 0;
     }
   }
+
   &:first-child > {
     .btn:not(:first-child), .btn-group:not(:first-child) > .btn {
       border-bottom-left-radius: 0;
@@ -5165,20 +5579,25 @@ tbody.collapse.in {
   position: relative;
   font-size: 0;
   white-space: nowrap;
+
   > .btn {
     position: relative;
+
     + .btn {
       margin-left: -1px;
     }
+
     &:hover, &:focus, &:active {
       z-index: 2;
     }
   }
+
   &:first-child > {
     .btn, .btn-group {
       margin-right: -1px;
     }
   }
+
   &:last-child > {
     .btn, .btn-group {
       margin-left: -1px;
@@ -5190,29 +5609,36 @@ tbody.collapse.in {
   margin-bottom: 0;
   padding-left: 0;
   list-style: none;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
     clear: both;
   }
+
   > li {
     position: relative;
     display: block;
+
     > a {
       position: relative;
       display: block;
       padding: 10px 15px;
+
       &:hover, &:focus {
         text-decoration: none;
         background-color: #1a1a1a;
       }
     }
+
     &.disabled > a {
       color: #DDd;
+
       &:hover, &:focus {
         color: #DDd;
         text-decoration: none;
@@ -5221,20 +5647,24 @@ tbody.collapse.in {
       }
     }
   }
+
   .open > a {
     background-color: #1a1a1a;
     border-color: #EA7105;
+
     &:hover, &:focus {
       background-color: #1a1a1a;
       border-color: #EA7105;
     }
   }
+
   .nav-divider {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
     background-color: #e5e5e5;
   }
+
   > li > a > img {
     max-width: none;
   }
@@ -5242,24 +5672,29 @@ tbody.collapse.in {
 
 .nav-tabs {
   border-bottom: 1px solid #E5E5E5;
+
   > li {
     float: left;
     margin-bottom: -1px;
+
     > a {
       margin-right: 2px;
       line-height: 1.428571429;
       border: 1px solid transparent;
       border-radius: 3px 3px 0 0;
+
       &:hover {
         border-color: #1a1a1a #1a1a1a #E5E5E5;
       }
     }
+
     &.active > a {
       color: #eee;
       background-color: #333;
       border: 1px solid #ddd;
       border-bottom-color: transparent;
       cursor: default;
+
       &:hover, &:focus {
         color: #eee;
         background-color: #333;
@@ -5273,12 +5708,15 @@ tbody.collapse.in {
 
 .nav-pills > li {
   float: left;
+
   > a {
     border-radius: 0;
   }
+
   &.active > a {
     color: #555;
     background-color: #EA7105;
+
     &:hover, &:focus {
       color: #555;
       background-color: #EA7105;
@@ -5288,6 +5726,7 @@ tbody.collapse.in {
 
 .nav-stacked > li {
   float: none;
+
   + li {
     margin-top: 2px;
     margin-left: 0;
@@ -5317,6 +5756,7 @@ tbody.collapse.in {
     display: table-cell;
     width: 1%;
   }
+
   .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
     margin-bottom: 0;
   }
@@ -5346,9 +5786,11 @@ tbody.collapse.in {
     border-bottom: 1px solid #ddd;
     border-radius: 3px 3px 0 0;
   }
+
   .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a {
     border-bottom-color: #333;
   }
+
   .nav-tabs-justified > .active > a {
     &:hover, &:focus {
       border-bottom-color: #333;
@@ -5360,6 +5802,7 @@ tbody.collapse.in {
   .tab-pane {
     display: none;
   }
+
   .active {
     display: block;
   }
@@ -5376,10 +5819,12 @@ tbody.collapse.in {
   min-height: 50px;
   margin-bottom: 0;
   border: 1px solid transparent;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
@@ -5398,6 +5843,7 @@ tbody.collapse.in {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
@@ -5418,15 +5864,18 @@ tbody.collapse.in {
   border-top: 1px solid transparent;
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1);
   -webkit-overflow-scrolling: touch;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
     clear: both;
   }
+
   &.in {
     overflow-y: auto;
   }
@@ -5437,16 +5886,19 @@ tbody.collapse.in {
     width: auto;
     border-top: 0;
     box-shadow: none;
+
     &.collapse {
       display: block !important;
       height: auto !important;
       padding-bottom: 0;
       overflow: visible !important;
     }
+
     &.in {
       overflow-y: visible;
     }
   }
+
   .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
     padding-left: 0;
     padding-right: 0;
@@ -5484,6 +5936,7 @@ tbody.collapse.in {
       margin-left: 0;
     }
   }
+
   .container-fluid > {
     .navbar-header, .navbar-collapse {
       margin-right: 0;
@@ -5534,6 +5987,7 @@ tbody.collapse.in {
   padding: 15px 20px;
   font-size: 18px;
   height: 50px;
+
   &:hover, &:focus {
     text-decoration: none;
   }
@@ -5558,14 +6012,17 @@ tbody.collapse.in {
   background-image: none;
   border: 1px solid transparent;
   border-radius: 3px;
+
   &:focus {
     outline: 0;
   }
+
   .icon-bar {
     display: block;
     width: 22px;
     height: 2px;
     border-radius: 1px;
+
     + .icon-bar {
       margin-top: 4px;
     }
@@ -5580,6 +6037,7 @@ tbody.collapse.in {
 
 .navbar-nav {
   margin: 7.5px -20px;
+
   > li > a {
     padding-top: 10px;
     padding-bottom: 10px;
@@ -5596,11 +6054,14 @@ tbody.collapse.in {
     background-color: transparent;
     border: 0;
     box-shadow: none;
+
     > li > a, .dropdown-header {
       padding: 5px 15px 5px 25px;
     }
+
     > li > a {
       line-height: 20px;
+
       &:hover, &:focus {
         background-image: none;
       }
@@ -5612,13 +6073,16 @@ tbody.collapse.in {
   .navbar-nav {
     float: left;
     margin: 0;
+
     > li {
       float: left;
+
       > a {
         padding-top: 15px;
         padding-bottom: 15px;
       }
     }
+
     &.navbar-right:last-child {
       margin-right: -20px;
     }
@@ -5629,6 +6093,7 @@ tbody.collapse.in {
   .navbar-left {
     float: left !important;
   }
+
   .navbar-right {
     float: right !important;
   }
@@ -5662,6 +6127,7 @@ tbody.collapse.in {
     padding-bottom: 0;
     -webkit-box-shadow: none;
     box-shadow: none;
+
     &.navbar-right:last-child {
       margin-right: -20px;
     }
@@ -5682,6 +6148,7 @@ tbody.collapse.in {
 .navbar-btn {
   margin-top: 8px;
   margin-bottom: 8px;
+
   &.btn-sm {
     margin-top: 10px;
     margin-bottom: 10px;
@@ -5708,6 +6175,7 @@ tbody.collapse.in {
     float: left;
     margin-left: 20px;
     margin-right: 20px;
+
     &.navbar-right:last-child {
       margin-right: 0;
     }
@@ -5717,72 +6185,92 @@ tbody.collapse.in {
 .navbar-default {
   background-color: #404040;
   border-color: #2f2f2f;
+
   .navbar-brand {
     color: #C1C1c1;
+
     &:hover, &:focus {
       color: #a8a8a8;
       background-color: transparent;
     }
   }
+
   .navbar-text {
-    color: #AAAAAA;
+    color: #aaaaaa;
   }
+
   .navbar-nav > {
     li > a {
       color: #C1C1c1;
+
       &:hover, &:focus {
         color: #EA7105;
         background-color: transparent;
       }
     }
+
     .active > a {
       color: #aaa;
       background-color: #2f2f2f;
+
       &:hover, &:focus {
         color: #aaa;
         background-color: #2f2f2f;
       }
     }
+
     .disabled > a {
       color: #ccc;
       background-color: transparent;
+
       &:hover, &:focus {
         color: #ccc;
         background-color: transparent;
       }
     }
   }
+
   .navbar-toggle {
     border-color: #FFF;
+
     &:hover, &:focus {
       background-color: #555;
     }
+
     .icon-bar {
       background-color: #FFF;
     }
   }
+
   .navbar-collapse, .navbar-form {
     border-color: #2f2f2f;
   }
+
   .navbar-nav > .open > a {
     background-color: #2f2f2f;
     color: #aaa;
+
     &:hover, &:focus {
       background-color: #2f2f2f;
       color: #aaa;
     }
   }
+
   .navbar-link {
     color: #C1C1c1;
+
     &:hover {
       color: #EA7105;
     }
   }
+
   .btn-link {
     color: #C1C1c1;
+
     &:hover, &:focus {
       color: #EA7105;
     }
+
     &[disabled] {
       &:hover, &:focus {
         color: #ccc;
@@ -5795,22 +6283,27 @@ tbody.collapse.in {
   .navbar-default .navbar-nav .open .dropdown-menu > {
     li > a {
       color: #C1C1c1;
+
       &:hover, &:focus {
         color: #EA7105;
         background-color: transparent;
       }
     }
+
     .active > a {
       color: #aaa;
       background-color: #2f2f2f;
+
       &:hover, &:focus {
         color: #aaa;
         background-color: #2f2f2f;
       }
     }
+
     .disabled > a {
       color: #ccc;
       background-color: transparent;
+
       &:hover, &:focus {
         color: #ccc;
         background-color: transparent;
@@ -5828,72 +6321,92 @@ fieldset[disabled] .navbar-default .btn-link {
 .navbar-inverse {
   background-color: #333;
   border-color: #1a1a1a;
+
   .navbar-brand {
     color: #DDd;
+
     &:hover, &:focus {
       color: #fff;
       background-color: transparent;
     }
   }
+
   .navbar-text {
     color: #DDd;
   }
+
   .navbar-nav > {
     li > a {
       color: #DDd;
+
       &:hover, &:focus {
         color: #888;
         background-color: transparent;
       }
     }
+
     .active > a {
       color: #888;
       background-color: #1a1a1a;
+
       &:hover, &:focus {
         color: #888;
         background-color: #1a1a1a;
       }
     }
+
     .disabled > a {
       color: #33a;
       background-color: transparent;
+
       &:hover, &:focus {
         color: #33a;
         background-color: transparent;
       }
     }
   }
+
   .navbar-toggle {
     border-color: #333;
+
     &:hover, &:focus {
       background-color: #333;
     }
+
     .icon-bar {
       background-color: #fff;
     }
   }
+
   .navbar-collapse, .navbar-form {
     border-color: #212121;
   }
+
   .navbar-nav > .open > a {
     background-color: #1a1a1a;
     color: #888;
+
     &:hover, &:focus {
       background-color: #1a1a1a;
       color: #888;
     }
   }
+
   .navbar-link {
     color: #DDd;
+
     &:hover {
       color: #888;
     }
   }
+
   .btn-link {
     color: #DDd;
+
     &:hover, &:focus {
       color: #888;
     }
+
     &[disabled] {
       &:hover, &:focus {
         color: #33a;
@@ -5907,28 +6420,35 @@ fieldset[disabled] .navbar-default .btn-link {
     > .dropdown-header {
       border-color: #1a1a1a;
     }
+
     .divider {
       background-color: #1a1a1a;
     }
+
     > {
       li > a {
         color: #DDd;
+
         &:hover, &:focus {
           color: #888;
           background-color: transparent;
         }
       }
+
       .active > a {
         color: #888;
         background-color: #1a1a1a;
+
         &:hover, &:focus {
           color: #888;
           background-color: #1a1a1a;
         }
       }
+
       .disabled > a {
         color: #33a;
         background-color: transparent;
+
         &:hover, &:focus {
           color: #33a;
           background-color: transparent;
@@ -5950,15 +6470,18 @@ fieldset[disabled] .navbar-inverse .btn-link {
   list-style: none;
   background-color: #484848;
   border-radius: 3px;
+
   > {
     li {
       display: inline-block;
+
       + li:before {
         content: "/ ";
         padding: 0 5px;
         color: #ccc;
       }
     }
+
     .active {
       color: #DDd;
     }
@@ -5970,9 +6493,11 @@ fieldset[disabled] .navbar-inverse .btn-link {
   padding-left: 0;
   margin: 20px 0;
   border-radius: 3px;
+
   > {
     li {
       display: inline;
+
       > {
         a, span {
           position: relative;
@@ -5986,6 +6511,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
           margin-left: -1px;
         }
       }
+
       &:first-child > {
         a, span {
           margin-left: 0;
@@ -5993,12 +6519,14 @@ fieldset[disabled] .navbar-inverse .btn-link {
           border-top-left-radius: 3px;
         }
       }
+
       &:last-child > {
         a, span {
           border-bottom-right-radius: 3px;
           border-top-right-radius: 3px;
         }
       }
+
       > {
         a {
           &:hover, &:focus {
@@ -6007,6 +6535,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
             border-color: #ddd;
           }
         }
+
         span {
           &:hover, &:focus {
             color: #9f4d03;
@@ -6016,6 +6545,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
         }
       }
     }
+
     .active > {
       a {
         z-index: 2;
@@ -6023,6 +6553,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
         background-color: #EA7105;
         border-color: #EA7105;
         cursor: default;
+
         &:hover, &:focus {
           z-index: 2;
           color: #fff;
@@ -6031,12 +6562,14 @@ fieldset[disabled] .navbar-inverse .btn-link {
           cursor: default;
         }
       }
+
       span {
         z-index: 2;
         color: #fff;
         background-color: #EA7105;
         border-color: #EA7105;
         cursor: default;
+
         &:hover, &:focus {
           z-index: 2;
           color: #fff;
@@ -6046,12 +6579,14 @@ fieldset[disabled] .navbar-inverse .btn-link {
         }
       }
     }
+
     .disabled > {
       span {
         color: #DDd;
         background-color: #222;
         border-color: #ddd;
         cursor: not-allowed;
+
         &:hover, &:focus {
           color: #DDd;
           background-color: #222;
@@ -6059,11 +6594,13 @@ fieldset[disabled] .navbar-inverse .btn-link {
           cursor: not-allowed;
         }
       }
+
       a {
         color: #DDd;
         background-color: #222;
         border-color: #ddd;
         cursor: not-allowed;
+
         &:hover, &:focus {
           color: #DDd;
           background-color: #222;
@@ -6082,12 +6619,14 @@ fieldset[disabled] .navbar-inverse .btn-link {
       font-size: 18px;
     }
   }
+
   &:first-child > {
     a, span {
       border-bottom-left-radius: 6px;
       border-top-left-radius: 6px;
     }
   }
+
   &:last-child > {
     a, span {
       border-bottom-right-radius: 6px;
@@ -6103,12 +6642,14 @@ fieldset[disabled] .navbar-inverse .btn-link {
       font-size: 12px;
     }
   }
+
   &:first-child > {
     a, span {
       border-bottom-left-radius: 3px;
       border-top-left-radius: 3px;
     }
   }
+
   &:last-child > {
     a, span {
       border-bottom-right-radius: 3px;
@@ -6122,17 +6663,21 @@ fieldset[disabled] .navbar-inverse .btn-link {
   margin: 20px 0;
   list-style: none;
   text-align: center;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
     clear: both;
   }
+
   li {
     display: inline;
+
     > {
       a, span {
         display: inline-block;
@@ -6141,6 +6686,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
         border: 1px solid #ddd;
         border-radius: 15px;
       }
+
       a {
         &:hover, &:focus {
           text-decoration: none;
@@ -6149,27 +6695,32 @@ fieldset[disabled] .navbar-inverse .btn-link {
       }
     }
   }
+
   .next > {
     a, span {
       float: right;
     }
   }
+
   .previous > {
     a, span {
       float: left;
     }
   }
+
   .disabled > {
     a {
       color: #DDd;
       background-color: #222;
       cursor: not-allowed;
+
       &:hover, &:focus {
         color: #DDd;
         background-color: #222;
         cursor: not-allowed;
       }
     }
+
     span {
       color: #DDd;
       background-color: #222;
@@ -6189,6 +6740,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
   white-space: nowrap;
   vertical-align: baseline;
   border-radius: 0.25em;
+
   &:empty {
     display: none;
   }
@@ -6209,6 +6761,7 @@ a.label {
 
 .label-default {
   background-color: #DDd;
+
   &[href] {
     &:hover, &:focus {
       background-color: #c4c4c4;
@@ -6218,6 +6771,7 @@ a.label {
 
 .label-primary {
   background-color: #EA7105;
+
   &[href] {
     &:hover, &:focus {
       background-color: #b85904;
@@ -6227,6 +6781,7 @@ a.label {
 
 .label-success {
   background-color: #7Ba255;
+
   &[href] {
     &:hover, &:focus {
       background-color: #628143;
@@ -6236,6 +6791,7 @@ a.label {
 
 .label-info {
   background-color: #B0CDDB;
+
   &[href] {
     &:hover, &:focus {
       background-color: #8db7cb;
@@ -6245,6 +6801,7 @@ a.label {
 
 .label-warning {
   background-color: #f0ad4e;
+
   &[href] {
     &:hover, &:focus {
       background-color: #ec971f;
@@ -6254,6 +6811,7 @@ a.label {
 
 .label-danger {
   background-color: #F05050;
+
   &[href] {
     &:hover, &:focus {
       background-color: #ec2121;
@@ -6274,6 +6832,7 @@ a.label {
   text-align: center;
   background-color: #DDd;
   border-radius: 10px;
+
   &:empty {
     display: none;
   }
@@ -6299,6 +6858,7 @@ a.list-group-item.active > .badge {
     color: #EA7105;
     background-color: #443;
   }
+
   li > a > .badge {
     margin-left: 3px;
   }
@@ -6317,14 +6877,17 @@ a.badge {
   margin-bottom: 30px;
   color: inherit;
   background-color: #1a1a1a;
+
   h1, .h1 {
     color: inherit;
   }
+
   p {
     margin-bottom: 15px;
     font-size: 21px;
     font-weight: 200;
   }
+
   > hr {
     border-top-color: black;
   }
@@ -6343,10 +6906,12 @@ a.badge {
     padding-top: 48px;
     padding-bottom: 48px;
   }
+
   .container .jumbotron {
     padding-left: 60px;
     padding-right: 60px;
   }
+
   .jumbotron {
     h1, .h1 {
       font-size: 63px;
@@ -6365,6 +6930,7 @@ a.badge {
   -webkit-transition: all 0.2s ease-in-out;
   -o-transition: all 0.2s ease-in-out;
   transition: all 0.2s ease-in-out;
+
   > img, a > img {
     display: block;
     width: 100% \9;
@@ -6373,6 +6939,7 @@ a.badge {
     margin-left: auto;
     margin-right: auto;
   }
+
   .caption {
     padding: 9px;
     color: #C1C1c1;
@@ -6390,17 +6957,21 @@ a.thumbnail {
   margin-bottom: 20px;
   border: 1px solid transparent;
   border-radius: 3px;
+
   h4 {
     margin-top: 0;
     color: inherit;
   }
+
   .alert-link {
     font-weight: bold;
   }
+
   > {
     p, ul {
       margin-bottom: 0;
     }
+
     p + p {
       margin-top: 5px;
     }
@@ -6422,9 +6993,11 @@ a.thumbnail {
   background-color: #7Ba255;
   border-color: #7Ba255;
   color: #485f32;
+
   hr {
     border-top-color: #6e914c;
   }
+
   .alert-link {
     color: #55703b;
   }
@@ -6434,9 +7007,11 @@ a.thumbnail {
   background-color: #4545a7;
   border-color: #3b488e;
   color: #cccccc;
+
   hr {
     border-top-color: #333f7c;
   }
+
   .alert-link {
     color: #d9d9d9;
   }
@@ -6446,9 +7021,11 @@ a.thumbnail {
   background-color: #fcf8e3;
   border-color: #faebcc;
   color: #c77c11;
+
   hr {
     border-top-color: #f7e1b5;
   }
+
   .alert-link {
     color: #df8a13;
   }
@@ -6458,9 +7035,11 @@ a.thumbnail {
   background-color: #F05050;
   border-color: #F05050;
   color: #c91111;
+
   hr {
     border-top-color: #ee3939;
   }
+
   .alert-link {
     color: #e01313;
   }
@@ -6476,7 +7055,6 @@ a.thumbnail {
   }
 }
 
-
 @keyframes progress-bar-stripes {
   from {
     background-position: 40px 0;
@@ -6487,7 +7065,6 @@ a.thumbnail {
   }
 }
 
-
 .progress {
   overflow: hidden;
   height: 20px;
@@ -6535,9 +7112,11 @@ a.thumbnail {
     -o-animation: progress-bar-stripes 2s linear infinite;
     animation: progress-bar-stripes 2s linear infinite;
   }
+
   &[aria-valuenow="1"], &[aria-valuenow="2"] {
     min-width: 30px;
   }
+
   &[aria-valuenow="0"] {
     color: #DDd;
     min-width: 30px;
@@ -6594,9 +7173,11 @@ a.thumbnail {
 
 .media {
   margin-top: 15px;
+
   .media {
     margin-top: 15px;
   }
+
   &:first-child {
     margin-top: 0;
   }
@@ -6614,6 +7195,7 @@ a.thumbnail {
   .pull-left {
     margin-right: 10px;
   }
+
   .pull-right {
     margin-left: 10px;
   }
@@ -6635,11 +7217,14 @@ a.thumbnail {
   padding: 6px 8px;
   margin-bottom: -1px;
   background-color: #222;
+
   &:last-child {
     margin-bottom: 0;
   }
+
   > .badge {
     float: right;
+
     + .badge {
       margin-right: 5px;
     }
@@ -6649,14 +7234,17 @@ a.thumbnail {
 a.list-group-item {
   color: #C1C1c1;
   border-radius: 0;
+
   .list-group-item-heading {
     color: #333;
   }
+
   &:hover, &:focus {
     text-decoration: none;
     color: #EA7105;
     background-color: #484848;
   }
+
   &:hover:before, &:focus:before {
     background: #EA7105;
     content: "";
@@ -6672,22 +7260,28 @@ a.list-group-item {
   &.disabled {
     background-color: #1a1a1a;
     color: #DDd;
+
     &:hover, &:focus {
       background-color: #1a1a1a;
       color: #DDd;
     }
+
     .list-group-item-heading, &:hover .list-group-item-heading, &:focus .list-group-item-heading {
       color: inherit;
     }
+
     .list-group-item-text, &:hover .list-group-item-text, &:focus .list-group-item-text {
       color: #DDd;
     }
   }
+
   &.active {
     z-index: 2;
+
     &:hover, &:focus {
       z-index: 2;
     }
+
     &:before, &:hover:before, &:focus:before {
       background: #EA7105;
       content: "";
@@ -6697,33 +7291,41 @@ a.list-group-item {
       top: 0px;
       width: 3px;
     }
+
     .list-group-item-heading {
       color: inherit;
+
       > {
         small, .small {
           color: inherit;
         }
       }
     }
+
     &:hover .list-group-item-heading {
       color: inherit;
+
       > {
         small, .small {
           color: inherit;
         }
       }
     }
+
     &:focus .list-group-item-heading {
       color: inherit;
+
       > {
         small, .small {
           color: inherit;
         }
       }
     }
+
     .list-group-item-text, &:hover .list-group-item-text, &:focus .list-group-item-text {
       color: #fedcbd;
     }
+
     + .collapse > .list-group-item:before, &:hover + .collapse > .list-group-item:before, &:focus + .collapse > .list-group-item:before {
       background: #EA7105;
       content: "";
@@ -6743,17 +7345,21 @@ a.list-group-item {
 
 a.list-group-item-success {
   color: #7Ba255;
+
   .list-group-item-heading {
     color: inherit;
   }
+
   &:hover, &:focus {
     color: #7Ba255;
     background-color: #6e914c;
   }
+
   &.active {
     color: #222;
     background-color: #7Ba255;
     border-color: #7Ba255;
+
     &:hover, &:focus {
       color: #222;
       background-color: #7Ba255;
@@ -6769,17 +7375,21 @@ a.list-group-item-success {
 
 a.list-group-item-info {
   color: #ffffff;
+
   .list-group-item-heading {
     color: inherit;
   }
+
   &:hover, &:focus {
     color: #ffffff;
     background-color: #3e3e95;
   }
+
   &.active {
     color: #222;
     background-color: #ffffff;
     border-color: #ffffff;
+
     &:hover, &:focus {
       color: #222;
       background-color: #ffffff;
@@ -6795,17 +7405,21 @@ a.list-group-item-info {
 
 a.list-group-item-warning {
   color: #f0ad4e;
+
   .list-group-item-heading {
     color: inherit;
   }
+
   &:hover, &:focus {
     color: #f0ad4e;
     background-color: #faf2cc;
   }
+
   &.active {
     color: #222;
     background-color: #f0ad4e;
     border-color: #f0ad4e;
+
     &:hover, &:focus {
       color: #222;
       background-color: #f0ad4e;
@@ -6821,17 +7435,21 @@ a.list-group-item-warning {
 
 a.list-group-item-danger {
   color: #F05050;
+
   .list-group-item-heading {
     color: inherit;
   }
+
   &:hover, &:focus {
     color: #F05050;
     background-color: #ee3939;
   }
+
   &.active {
     color: #222;
     background-color: #F05050;
     border-color: #F05050;
+
     &:hover, &:focus {
       color: #222;
       background-color: #F05050;
@@ -6861,10 +7479,12 @@ a.list-group-item-danger {
 
 .panel-body {
   padding: 15px;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
@@ -6877,6 +7497,7 @@ a.list-group-item-danger {
   border-bottom: 1px solid transparent;
   border-top-right-radius: 2px;
   border-top-left-radius: 2px;
+
   > .dropdown .dropdown-toggle {
     color: inherit;
   }
@@ -6887,6 +7508,7 @@ a.list-group-item-danger {
   margin-bottom: 0;
   font-size: 16px;
   color: inherit;
+
   > a {
     color: inherit;
   }
@@ -6902,15 +7524,18 @@ a.list-group-item-danger {
 
 .panel > .list-group {
   margin-bottom: 0;
+
   .list-group-item {
     border-width: 1px 0;
     border-radius: 0;
   }
+
   &:first-child .list-group-item:first-child {
     border-top: 0;
     border-top-right-radius: 2px;
     border-top-left-radius: 2px;
   }
+
   &:last-child .list-group-item:last-child {
     border-bottom: 0;
     border-bottom-right-radius: 2px;
@@ -6926,227 +7551,267 @@ a.list-group-item-danger {
   .table, .table-responsive > .table, .panel-collapse > .table {
     margin-bottom: 0;
   }
+
   .table:first-child, .table-responsive:first-child > .table:first-child {
     border-top-right-radius: 2px;
     border-top-left-radius: 2px;
   }
+
   .table:first-child > {
     thead:first-child > tr:first-child {
       td:first-child, th:first-child {
         border-top-left-radius: 2px;
       }
     }
+
     tbody:first-child > tr:first-child {
       td:first-child, th:first-child {
         border-top-left-radius: 2px;
       }
     }
   }
+
   .table-responsive:first-child > .table:first-child > {
     thead:first-child > tr:first-child {
       td:first-child, th:first-child {
         border-top-left-radius: 2px;
       }
     }
+
     tbody:first-child > tr:first-child {
       td:first-child, th:first-child {
         border-top-left-radius: 2px;
       }
     }
   }
+
   .table:first-child > {
     thead:first-child > tr:first-child {
       td:last-child, th:last-child {
         border-top-right-radius: 2px;
       }
     }
+
     tbody:first-child > tr:first-child {
       td:last-child, th:last-child {
         border-top-right-radius: 2px;
       }
     }
   }
+
   .table-responsive:first-child > .table:first-child > {
     thead:first-child > tr:first-child {
       td:last-child, th:last-child {
         border-top-right-radius: 2px;
       }
     }
+
     tbody:first-child > tr:first-child {
       td:last-child, th:last-child {
         border-top-right-radius: 2px;
       }
     }
   }
+
   .table:last-child, .table-responsive:last-child > .table:last-child {
     border-bottom-right-radius: 2px;
     border-bottom-left-radius: 2px;
   }
+
   .table:last-child > {
     tbody:last-child > tr:last-child {
       td:first-child, th:first-child {
         border-bottom-left-radius: 2px;
       }
     }
+
     tfoot:last-child > tr:last-child {
       td:first-child, th:first-child {
         border-bottom-left-radius: 2px;
       }
     }
   }
+
   .table-responsive:last-child > .table:last-child > {
     tbody:last-child > tr:last-child {
       td:first-child, th:first-child {
         border-bottom-left-radius: 2px;
       }
     }
+
     tfoot:last-child > tr:last-child {
       td:first-child, th:first-child {
         border-bottom-left-radius: 2px;
       }
     }
   }
+
   .table:last-child > {
     tbody:last-child > tr:last-child {
       td:last-child, th:last-child {
         border-bottom-right-radius: 2px;
       }
     }
+
     tfoot:last-child > tr:last-child {
       td:last-child, th:last-child {
         border-bottom-right-radius: 2px;
       }
     }
   }
+
   .table-responsive:last-child > .table:last-child > {
     tbody:last-child > tr:last-child {
       td:last-child, th:last-child {
         border-bottom-right-radius: 2px;
       }
     }
+
     tfoot:last-child > tr:last-child {
       td:last-child, th:last-child {
         border-bottom-right-radius: 2px;
       }
     }
   }
+
   .panel-body + {
     .table, .table-responsive {
       border-top: 1px solid #111;
     }
   }
+
   .table > tbody:first-child > tr:first-child {
     th, td {
       border-top: 0;
     }
   }
+
   .table-bordered, .table-responsive > .table-bordered {
     border: 0;
   }
+
   .table-bordered > {
     thead > tr > {
       th:first-child, td:first-child {
         border-left: 0;
       }
     }
+
     tbody > tr > {
       th:first-child, td:first-child {
         border-left: 0;
       }
     }
+
     tfoot > tr > {
       th:first-child, td:first-child {
         border-left: 0;
       }
     }
   }
+
   .table-responsive > .table-bordered > {
     thead > tr > {
       th:first-child, td:first-child {
         border-left: 0;
       }
     }
+
     tbody > tr > {
       th:first-child, td:first-child {
         border-left: 0;
       }
     }
+
     tfoot > tr > {
       th:first-child, td:first-child {
         border-left: 0;
       }
     }
   }
+
   .table-bordered > {
     thead > tr > {
       th:last-child, td:last-child {
         border-right: 0;
       }
     }
+
     tbody > tr > {
       th:last-child, td:last-child {
         border-right: 0;
       }
     }
+
     tfoot > tr > {
       th:last-child, td:last-child {
         border-right: 0;
       }
     }
   }
+
   .table-responsive > .table-bordered > {
     thead > tr > {
       th:last-child, td:last-child {
         border-right: 0;
       }
     }
+
     tbody > tr > {
       th:last-child, td:last-child {
         border-right: 0;
       }
     }
+
     tfoot > tr > {
       th:last-child, td:last-child {
         border-right: 0;
       }
     }
   }
+
   .table-bordered > {
     thead > tr:first-child > {
       td, th {
         border-bottom: 0;
       }
     }
+
     tbody > tr:first-child > {
       td, th {
         border-bottom: 0;
       }
     }
   }
+
   .table-responsive > .table-bordered > {
     thead > tr:first-child > {
       td, th {
         border-bottom: 0;
       }
     }
+
     tbody > tr:first-child > {
       td, th {
         border-bottom: 0;
       }
     }
   }
+
   .table-bordered > {
     tbody > tr:last-child > {
       td, th {
         border-bottom: 0;
       }
     }
+
     tfoot > tr:last-child > {
       td, th {
         border-bottom: 0;
       }
     }
   }
+
   .table-responsive {
     > .table-bordered > {
       tbody > tr:last-child > {
@@ -7154,12 +7819,14 @@ a.list-group-item-danger {
           border-bottom: 0;
         }
       }
+
       tfoot > tr:last-child > {
         td, th {
           border-bottom: 0;
         }
       }
     }
+
     border: 0;
     margin-bottom: 0;
   }
@@ -7167,21 +7834,27 @@ a.list-group-item-danger {
 
 .panel-group {
   margin-bottom: 20px;
+
   .panel {
     margin-bottom: 0;
     border-radius: 3px;
+
     + .panel {
       margin-top: 5px;
     }
   }
+
   .panel-heading {
     border-bottom: 0;
+
     + .panel-collapse > .panel-body {
       border-top: 1px solid #ddd;
     }
   }
+
   .panel-footer {
     border-top: 0;
+
     + .panel-collapse .panel-body {
       border-bottom: 1px solid #ddd;
     }
@@ -7190,19 +7863,23 @@ a.list-group-item-danger {
 
 .panel-default {
   border-color: #ddd;
+
   > {
     .panel-heading {
       color: #c1c1c1;
       background-color: #484848;
       border-color: #ddd;
+
       + .panel-collapse > .panel-body {
         border-top-color: #ddd;
       }
+
       .badge {
         color: #484848;
         background-color: #c1c1c1;
       }
     }
+
     .panel-footer + .panel-collapse > .panel-body {
       border-bottom-color: #ddd;
     }
@@ -7211,19 +7888,23 @@ a.list-group-item-danger {
 
 .panel-primary {
   border-color: #EA7105;
+
   > {
     .panel-heading {
       color: #fff;
       background-color: #EA7105;
       border-color: #EA7105;
+
       + .panel-collapse > .panel-body {
         border-top-color: #EA7105;
       }
+
       .badge {
         color: #EA7105;
         background-color: #fff;
       }
     }
+
     .panel-footer + .panel-collapse > .panel-body {
       border-bottom-color: #EA7105;
     }
@@ -7232,19 +7913,23 @@ a.list-group-item-danger {
 
 .panel-success {
   border-color: #7Ba255;
+
   > {
     .panel-heading {
       color: #7Ba255;
       background-color: #7Ba255;
       border-color: #7Ba255;
+
       + .panel-collapse > .panel-body {
         border-top-color: #7Ba255;
       }
+
       .badge {
         color: #7Ba255;
         background-color: #7Ba255;
       }
     }
+
     .panel-footer + .panel-collapse > .panel-body {
       border-bottom-color: #7Ba255;
     }
@@ -7253,19 +7938,23 @@ a.list-group-item-danger {
 
 .panel-info {
   border-color: #3b488e;
+
   > {
     .panel-heading {
       color: #ffffff;
       background-color: #4545a7;
       border-color: #3b488e;
+
       + .panel-collapse > .panel-body {
         border-top-color: #3b488e;
       }
+
       .badge {
         color: #4545a7;
         background-color: #ffffff;
       }
     }
+
     .panel-footer + .panel-collapse > .panel-body {
       border-bottom-color: #3b488e;
     }
@@ -7274,19 +7963,23 @@ a.list-group-item-danger {
 
 .panel-warning {
   border-color: #faebcc;
+
   > {
     .panel-heading {
       color: #f0ad4e;
       background-color: #fcf8e3;
       border-color: #faebcc;
+
       + .panel-collapse > .panel-body {
         border-top-color: #faebcc;
       }
+
       .badge {
         color: #fcf8e3;
         background-color: #f0ad4e;
       }
     }
+
     .panel-footer + .panel-collapse > .panel-body {
       border-bottom-color: #faebcc;
     }
@@ -7295,19 +7988,23 @@ a.list-group-item-danger {
 
 .panel-danger {
   border-color: #F05050;
+
   > {
     .panel-heading {
       color: #F05050;
       background-color: #F05050;
       border-color: #F05050;
+
       + .panel-collapse > .panel-body {
         border-top-color: #F05050;
       }
+
       .badge {
         color: #F05050;
         background-color: #F05050;
       }
     }
+
     .panel-footer + .panel-collapse > .panel-body {
       border-bottom-color: #F05050;
     }
@@ -7320,6 +8017,7 @@ a.list-group-item-danger {
   height: 0;
   padding: 0;
   overflow: hidden;
+
   .embed-responsive-item, iframe, embed, object {
     position: absolute;
     top: 0;
@@ -7329,9 +8027,11 @@ a.list-group-item-danger {
     width: 100%;
     border: 0;
   }
+
   &.embed-responsive-16by9 {
     padding-bottom: 56.25%;
   }
+
   &.embed-responsive-4by3 {
     padding-bottom: 75%;
   }
@@ -7346,6 +8046,7 @@ a.list-group-item-danger {
   border-radius: 3px;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
   box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
+
   blockquote {
     border-color: #ddd;
     border-color: rgba(0, 0, 0, 0.15);
@@ -7371,6 +8072,7 @@ a.list-group-item-danger {
   text-shadow: 0 1px 0 #fff;
   opacity: 0.2;
   filter: alpha(opacity = 20);
+
   &:hover, &:focus {
     color: #000;
     text-decoration: none;
@@ -7403,6 +8105,7 @@ button.close {
   z-index: 1050;
   -webkit-overflow-scrolling: touch;
   outline: 0;
+
   &.fade .modal-dialog {
     -webkit-transform: translate3d(0, -25%, 0);
     transform: translate3d(0, -25%, 0);
@@ -7411,6 +8114,7 @@ button.close {
     -o-transition: -o-transform 0.3s ease-out;
     transition: transform 0.3s ease-out;
   }
+
   &.in .modal-dialog {
     -webkit-transform: translate3d(0, 0, 0);
     transform: translate3d(0, 0, 0);
@@ -7448,10 +8152,12 @@ button.close {
   left: 0;
   z-index: 1040;
   background-color: #000;
+
   &.fade {
     opacity: 0;
     filter: alpha(opacity = 0);
   }
+
   &.in {
     opacity: 0.5;
     filter: alpha(opacity = 50);
@@ -7462,6 +8168,7 @@ button.close {
   padding: 15px;
   border-bottom: 1px solid #e5e5e5;
   min-height: 16.428571429px;
+
   .close {
     margin-top: -2px;
   }
@@ -7481,22 +8188,27 @@ button.close {
   padding: 15px;
   text-align: right;
   border-top: 1px solid #e5e5e5;
+
   &:before {
     content: " ";
     display: table;
   }
+
   &:after {
     content: " ";
     display: table;
     clear: both;
   }
+
   .btn + .btn {
     margin-left: 5px;
     margin-bottom: 0;
   }
+
   .btn-group .btn + .btn {
     margin-left: -1px;
   }
+
   .btn-block + .btn-block {
     margin-left: 0;
   }
@@ -7515,10 +8227,12 @@ button.close {
     width: 600px;
     margin: 82px auto 30px auto;
   }
+
   .modal-content {
     -webkit-box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
     box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
   }
+
   .modal-sm {
     width: 300px;
   }
@@ -7539,22 +8253,27 @@ button.close {
   line-height: 1.4;
   opacity: 0;
   filter: alpha(opacity = 0);
+
   &.in {
     opacity: 0.9;
     filter: alpha(opacity = 90);
   }
+
   &.top {
     margin-top: -3px;
     padding: 5px 0;
   }
+
   &.right {
     margin-left: 3px;
     padding: 0 5px;
   }
+
   &.bottom {
     margin-top: 3px;
     padding: 5px 0;
   }
+
   &.left {
     margin-left: -3px;
     padding: 0 5px;
@@ -7587,18 +8306,21 @@ button.close {
     border-width: 5px 5px 0;
     border-top-color: #000;
   }
+
   &.top-left .tooltip-arrow {
     bottom: 0;
     left: 5px;
     border-width: 5px 5px 0;
     border-top-color: #000;
   }
+
   &.top-right .tooltip-arrow {
     bottom: 0;
     right: 5px;
     border-width: 5px 5px 0;
     border-top-color: #000;
   }
+
   &.right .tooltip-arrow {
     top: 50%;
     left: 0;
@@ -7606,6 +8328,7 @@ button.close {
     border-width: 5px 5px 5px 0;
     border-right-color: #000;
   }
+
   &.left .tooltip-arrow {
     top: 50%;
     right: 0;
@@ -7613,6 +8336,7 @@ button.close {
     border-width: 5px 0 5px 5px;
     border-left-color: #000;
   }
+
   &.bottom .tooltip-arrow {
     top: 0;
     left: 50%;
@@ -7620,12 +8344,14 @@ button.close {
     border-width: 0 5px 5px;
     border-bottom-color: #000;
   }
+
   &.bottom-left .tooltip-arrow {
     top: 0;
     left: 5px;
     border-width: 0 5px 5px;
     border-bottom-color: #000;
   }
+
   &.bottom-right .tooltip-arrow {
     top: 0;
     right: 5px;
@@ -7651,15 +8377,19 @@ button.close {
   -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.2);
   box-shadow: 0 5px 10px rgba(0, 0, 0, 0.2);
   white-space: normal;
+
   &.top {
     margin-top: -10px;
   }
+
   &.right {
     margin-left: 10px;
   }
+
   &.bottom {
     margin-top: 10px;
   }
+
   &.left {
     margin-left: -10px;
   }
@@ -7688,6 +8418,7 @@ button.close {
     height: 0;
     border-color: transparent;
     border-style: solid;
+
     &:after {
       position: absolute;
       display: block;
@@ -7698,8 +8429,10 @@ button.close {
       border-width: 10px;
       content: "";
     }
+
     border-width: 11px;
   }
+
   &.top > .arrow {
     left: 50%;
     margin-left: -11px;
@@ -7707,6 +8440,7 @@ button.close {
     border-top-color: #999999;
     border-top-color: rgba(0, 0, 0, 0.25);
     bottom: -11px;
+
     &:after {
       content: " ";
       bottom: 1px;
@@ -7715,6 +8449,7 @@ button.close {
       border-top-color: #fff;
     }
   }
+
   &.right > .arrow {
     top: 50%;
     left: -11px;
@@ -7722,6 +8457,7 @@ button.close {
     border-left-width: 0;
     border-right-color: #999999;
     border-right-color: rgba(0, 0, 0, 0.25);
+
     &:after {
       content: " ";
       left: 1px;
@@ -7730,6 +8466,7 @@ button.close {
       border-right-color: #fff;
     }
   }
+
   &.bottom > .arrow {
     left: 50%;
     margin-left: -11px;
@@ -7737,6 +8474,7 @@ button.close {
     border-bottom-color: #999999;
     border-bottom-color: rgba(0, 0, 0, 0.25);
     top: -11px;
+
     &:after {
       content: " ";
       top: 1px;
@@ -7745,6 +8483,7 @@ button.close {
       border-bottom-color: #fff;
     }
   }
+
   &.left > .arrow {
     top: 50%;
     right: -11px;
@@ -7752,6 +8491,7 @@ button.close {
     border-right-width: 0;
     border-left-color: #999999;
     border-left-color: rgba(0, 0, 0, 0.25);
+
     &:after {
       content: " ";
       right: 1px;
@@ -7770,6 +8510,7 @@ button.close {
   position: relative;
   overflow: hidden;
   width: 100%;
+
   > {
     .item {
       display: none;
@@ -7777,6 +8518,7 @@ button.close {
       -webkit-transition: 0.6s ease-in-out left;
       -o-transition: 0.6s ease-in-out left;
       transition: 0.6s ease-in-out left;
+
       > {
         img, a > img {
           display: block;
@@ -7787,30 +8529,38 @@ button.close {
         }
       }
     }
+
     .active, .next, .prev {
       display: block;
     }
+
     .active {
       left: 0;
     }
+
     .next, .prev {
       position: absolute;
       top: 0;
       width: 100%;
     }
+
     .next {
       left: 100%;
     }
+
     .prev {
       left: -100%;
     }
+
     .next.left, .prev.right {
       left: 0;
     }
+
     .active {
       &.left {
         left: -100%;
       }
+
       &.right {
         left: 100%;
       }
@@ -7830,6 +8580,7 @@ button.close {
   color: #fff;
   text-align: center;
   text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
+
   &.left {
     background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
@@ -7837,6 +8588,7 @@ button.close {
     background-repeat: repeat-x;
     filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#80000000", endColorstr="#00000000", GradientType=1);
   }
+
   &.right {
     left: auto;
     right: 0;
@@ -7846,6 +8598,7 @@ button.close {
     background-repeat: repeat-x;
     filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#00000000", endColorstr="#80000000", GradientType=1);
   }
+
   &:hover, &:focus {
     outline: 0;
     color: #fff;
@@ -7853,29 +8606,35 @@ button.close {
     opacity: 0.9;
     filter: alpha(opacity = 90);
   }
+
   .icon-prev, .icon-next, .glyphicon-chevron-left, .glyphicon-chevron-right {
     position: absolute;
     top: 50%;
     z-index: 5;
     display: inline-block;
   }
+
   .icon-prev, .glyphicon-chevron-left {
     left: 50%;
     margin-left: -10px;
   }
+
   .icon-next, .glyphicon-chevron-right {
     right: 50%;
     margin-right: -10px;
   }
+
   .icon-prev, .icon-next {
     width: 20px;
     height: 20px;
     margin-top: -10px;
     font-family: serif;
   }
+
   .icon-prev:before {
     content: "‹";
   }
+
   .icon-next:before {
     content: "›";
   }
@@ -7891,6 +8650,7 @@ button.close {
   padding-left: 0;
   list-style: none;
   text-align: center;
+
   li {
     display: inline-block;
     width: 10px;
@@ -7903,6 +8663,7 @@ button.close {
     background-color: #000 \9;
     background-color: rgba(0, 0, 0, 0);
   }
+
   .active {
     margin: 0;
     width: 12px;
@@ -7922,6 +8683,7 @@ button.close {
   color: #fff;
   text-align: center;
   text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
+
   .btn {
     text-shadow: none;
   }
@@ -7935,18 +8697,22 @@ button.close {
       margin-top: -15px;
       font-size: 30px;
     }
+
     .glyphicon-chevron-left, .icon-prev {
       margin-left: -15px;
     }
+
     .glyphicon-chevron-right, .icon-next {
       margin-right: -15px;
     }
   }
+
   .carousel-caption {
     left: 20%;
     right: 20%;
     padding-bottom: 30px;
   }
+
   .carousel-indicators {
     bottom: 20px;
   }
@@ -8010,7 +8776,6 @@ button.close {
   width: device-width;
 }
 
-
 .visible-xs, .visible-sm, .visible-md, .visible-lg, .visible-xs-block, .visible-xs-inline, .visible-xs-inline-block, .visible-sm-block, .visible-sm-inline, .visible-sm-inline-block, .visible-md-block, .visible-md-inline, .visible-md-inline-block, .visible-lg-block, .visible-lg-inline, .visible-lg-inline-block, .visible-print, .visible-print-block, .visible-print-inline, .visible-print-inline-block {
   display: none !important;
 }
@@ -8019,12 +8784,15 @@ button.close {
   .visible-xs {
     display: block !important;
   }
+
   table.visible-xs {
     display: table;
   }
+
   tr.visible-xs {
     display: table-row !important;
   }
+
   th.visible-xs, td.visible-xs {
     display: table-cell !important;
   }
@@ -8052,12 +8820,15 @@ button.close {
   .visible-sm {
     display: block !important;
   }
+
   table.visible-sm {
     display: table;
   }
+
   tr.visible-sm {
     display: table-row !important;
   }
+
   th.visible-sm, td.visible-sm {
     display: table-cell !important;
   }
@@ -8085,12 +8856,15 @@ button.close {
   .visible-md {
     display: block !important;
   }
+
   table.visible-md {
     display: table;
   }
+
   tr.visible-md {
     display: table-row !important;
   }
+
   th.visible-md, td.visible-md {
     display: table-cell !important;
   }
@@ -8118,12 +8892,15 @@ button.close {
   .visible-lg {
     display: block !important;
   }
+
   table.visible-lg {
     display: table;
   }
+
   tr.visible-lg {
     display: table-row !important;
   }
+
   th.visible-lg, td.visible-lg {
     display: table-cell !important;
   }
@@ -8183,12 +8960,15 @@ button.close {
   .visible-print {
     display: block !important;
   }
+
   table.visible-print {
     display: table;
   }
+
   tr.visible-print {
     display: table-row !important;
   }
+
   th.visible-print, td.visible-print {
     display: table-cell !important;
   }
@@ -8248,6 +9028,7 @@ body {
   padding-top: 52px;
   position: relative;
   z-index: 1;
+
   > .row {
     height: 100%;
   }
@@ -8308,6 +9089,7 @@ section.page-content-main {
   div.tab-content {
     border-top: 1px solid #999999 !important;
   }
+
   ul + div.tab-content {
     border-top: 0px !important;
   }
@@ -8326,16 +9108,18 @@ section.page-content-main {
 .tab-content {
   border-top: 0px;
   padding: 0px 0;
+
   > .tab-content {
     margin-bottom: 0;
     padding: 0 15px;
   }
+
   .tab-content:last-child {
     margin-bottom: 0;
   }
 }
 
-.page-content-main [class^=col-] + [class^=col-] {
+.page-content-main section[class^=col-] + section[class^=col-] {
   padding-top: 20px;
 }
 
@@ -8379,9 +9163,11 @@ section.page-content-main {
 
 .page-login {
   background: #2B2B2B;
+
   .container {
     min-height: 100%;
     margin-bottom: -60px;
+
     &:after {
       height: 60px;
     }
@@ -8414,9 +9200,11 @@ section.page-content-main {
   border-top: 1px solid #E5E5E5;
   height: 60px;
   padding: 20px 20px 0 20px;
+
   a {
     color: #7D7D7D;
     text-decoration: none;
+
     &:hover {
       color: #646464;
       text-decoration: underline;
@@ -8448,6 +9236,7 @@ section.page-content-main {
 .list-group-item {
   border-left: none;
   border-right: none;
+
   &.collapsed .caret {
     border-bottom: 4px solid green;
     border-top: 0;
@@ -8464,9 +9253,11 @@ main.page-content.col-lg-12 {
   width: 70px;
   background-color: transparent !important;
   overflow: hidden;
+
   > div {
     &.row {
       height: 100% !important;
+
       > nav.page-side-nav {
         width: 70px;
         background-color: #222222 !important;
@@ -8474,6 +9265,7 @@ main.page-content.col-lg-12 {
         border-right: 1px solid #000000;
       }
     }
+
     > nav > #mainmenu > div > {
       a.list-group-item {
         font-size: 12px;
@@ -8484,17 +9276,20 @@ main.page-content.col-lg-12 {
         padding-right: 0px;
         padding-top: 12px;
         border-bottom: 2px solid #lightergrey;
+
         > span {
           &.fa, &.glyphicon {
             visibility: visible;
             font-size: 20px;
           }
+
           &.__iconspacer {
             width: 50px;
             height: 25px;
             padding: 0px;
           }
         }
+
         width: 70px;
         height: 70px;
         padding-left: 0px;
@@ -8502,6 +9297,7 @@ main.page-content.col-lg-12 {
         padding-top: 15px;
         border-bottom: 2px solid #000000;
       }
+
       div {
         &.collapsing > a.list-group-item {
           padding-left: 10px !important;
@@ -8510,6 +9306,7 @@ main.page-content.col-lg-12 {
           position: absolute !important;
           left: 70px !important;
         }
+
         &.collapse.in > div.collapsing > a.list-group-item {
           padding-left: 10px !important;
           font-size: 14px !important;
@@ -8518,6 +9315,7 @@ main.page-content.col-lg-12 {
           left: 166px !important;
         }
       }
+
       a.list-group-item.active-menu-title {
         color: #CCC !important;
         background-color: #111 !important;
@@ -8536,6 +9334,7 @@ a.list-group-item.active-menu-title.collapsed {
     color: #CCC !important;
     background-color: #111 !important;
   }
+
   div {
     &.collapse {
       &.in {
@@ -8545,6 +9344,7 @@ a.list-group-item.active-menu-title.collapsed {
             background-color: #111 !important;
           }
         }
+
         > div.collapse.in > a.list-group-item {
           padding-left: 10px !important;
           font-size: 14px !important;
@@ -8552,27 +9352,32 @@ a.list-group-item.active-menu-title.collapsed {
           opacity: 1.0;
         }
       }
+
       > a.list-group-item {
         padding-left: 10px !important;
         font-size: 14px !important;
         background-color: #333333 !important;
         opacity: 1.0;
       }
+
       > div.collapse > a.list-group-item {
         padding-left: 10px !important;
         font-size: 14px !important;
       }
     }
+
     &.collapsed > a.list-group-item {
       padding-left: 10px !important;
       font-size: 14px !important;
     }
+
     &.collapse {
       > {
         a.list-group-item, div.collapse > a.list-group-item {
           padding: 3px 8px !important;
         }
       }
+
       &.in > div.collapse.in > a.list-group-item:hover {
         text-decoration: none !important;
         color: #ea7105 !important;
@@ -8607,10 +9412,12 @@ a.list-group-item:focus {
       background-color: #111 !important;
     }
   }
+
   &.active-menu.collapse.in > a.list-group-item.active {
     color: #ea7105 !important;
     background-color: #111 !important;
   }
+
   &.collapse.in {
     width: 168px;
     font-size: 14px;
@@ -8622,6 +9429,7 @@ a.list-group-item:focus {
     -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
     -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
     box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
+
     > div.collapse.in {
       width: 168px;
       font-size: 14px;
@@ -8635,6 +9443,7 @@ a.list-group-item:focus {
       box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
     }
   }
+
   &.collapsing, &.collapse.in > div.collapsing {
     display: none;
   }
@@ -8671,10 +9480,12 @@ button.toggle-sidebar {
 .nav-tabs {
   margin-right: 1px;
   border-bottom: 1px solid #999999;
+
   > li {
     border-radius: 0px;
     border-top-right-radius: 10px;
     margin-right: 2px;
+
     > a {
       background: #232323;
       border-radius: 0px;
@@ -8684,6 +9495,7 @@ button.toggle-sidebar {
       border-top: 1px solid #161616;
       border-left: 1px solid #161616;
       border-bottom: 1px solid #999999;
+
       &:hover, &:focus {
         border-right: 1px solid #161616;
         border-top: 1px solid #161616;
@@ -8691,23 +9503,27 @@ button.toggle-sidebar {
         border-bottom: 1px solid #999999;
       }
     }
+
     &.active > a {
       background: #555 !important;
       border-right: 1px solid #999999;
       border-top: 1px solid #999999;
       border-left: 1px solid #999999;
+
       &:hover, &:focus {
         border-right: 1px solid #999999;
         border-top: 1px solid #999999;
         border-left: 1px solid #999999;
       }
     }
+
     > a.visible-lg-inline-block {
       &:not(.pull-right) {
         border-top-right-radius: 0px !important;
         padding-left: 10px !important;
         padding-right: 5px !important;
       }
+
       &.pull-right {
         border-left: 0px !important;
         padding-left: 5px !important;
@@ -8715,14 +9531,17 @@ button.toggle-sidebar {
       }
     }
   }
+
   &.nav-justified {
     border-right: 1px solid #E5E5E5;
+
     > li {
       border-bottom: 1px solid #E5E5E5;
       border-top: 1px solid #E5E5E5;
       border-left: 1px solid #E5E5E5;
       border-radius: 0px;
       background: #2B2B2B;
+
       > a {
         color: #C1C1c1;
         font-family: "SourceSansProSemibold";
@@ -8825,14 +9644,17 @@ table {
 .list-group-item {
   overflow: hidden;
   text-overflow: ellipsis;
+
   + div {
     &.collapse {
       margin-bottom: -1px;
     }
+
     > a {
       padding-left: 44px;
     }
   }
+
   &:before {
     background: #EA7105;
     content: "";
@@ -8871,6 +9693,7 @@ table {
   &.active {
     background-color: #454545;
   }
+
   &:before {
     background: #ED9A50;
   }
@@ -8927,6 +9750,7 @@ table {
   background: #e5e5e5;
   border: thin solid #e5e5e5;
   border-radius: 0px;
+
   &:hover {
     background: #e5e5e5;
   }
@@ -8956,17 +9780,20 @@ select {
 @media screen and (max-width: 767px) {
   .table-responsive {
     margin-bottom: 0;
+
     > .table > {
       thead > tr > {
         th, td {
           white-space: normal;
         }
       }
+
       tbody > tr > {
         th, td {
           white-space: normal;
         }
       }
+
       tfoot > tr > {
         th, td {
           white-space: normal;
@@ -8991,13 +9818,16 @@ div[data-for*=help_for] {
   label[for^=act] {
     margin-right: 1.5em;
   }
+
   table > tbody > tr > td {
     vertical-align: middle;
   }
+
   select {
     &#filterlogentries, &#filterlogentriesupdateinterval {
       width: 5em;
     }
+
     &#filterlogentriesinterfaces {
       min-width: 100%;
       max-width: 100%;
@@ -9028,9 +9858,11 @@ div[data-for*=help_for] {
   #ipsec-mobile, #ipsec-tunnel, #ipsec-overview {
     background-color: #333333;
   }
+
   .ipsec-tab {
     background-color: #555555;
     color: black;
+
     &.activetab {
       background-color: #888888;
       color: #eeeeee;
@@ -9048,6 +9880,7 @@ textarea#update_status {
   -webkit-box-shadow: none !important;
   box-shadow: none !important;
   border: none !important;
+
   &:hover {
     color: inherit !important;
     background-color: none !important;
@@ -9108,10 +9941,12 @@ h3 {
     color: #FFFFFF;
     text-decoration: none;
   }
+
   &:link {
     color: #FFFFFF;
     text-decoration: underline;
   }
+
   &:hover, &:focus {
     color: #ec6d12;
     text-decoration: underline;
@@ -9151,6 +9986,7 @@ ul.TokensContainer {
   -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
   -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
   transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+
   li.Token {
     color: #FFFFFF !important;
   }
@@ -9161,9 +9997,11 @@ div.Tokenize ul {
     border: 1px solid #5a5a5a !important;
     background-color: #2a2a2a !important;
     color: #FFFFFF !important;
+
     li.TokenSearch {
       color: #FFFFFF !important;
     }
+
     &:hover, &:focus {
       border-color: #ec6d12 !important;
       background-color: #2a2a2a !important;
@@ -9171,19 +10009,23 @@ div.Tokenize ul {
       box-shadow: inset 0 1px 1px black, 0 0 8px rgba(0, 0, 0, 0.6);
     }
   }
+
   &.Dropdown {
     border: 1px solid #5a5a5a !important;
     background-color: #2a2a2a !important;
     color: #FFFFFF !important;
   }
+
   &.TokensContainer li {
     &.Token {
       background-color: #ce671c !important;
       border: 1px solid #303030 !important;
     }
+
     &.Placeholder {
       color: #505050 !important;
     }
+
     &.Token a.Close {
       color: #FFFFFF !important;
     }
@@ -9193,12 +10035,14 @@ div.Tokenize ul {
 .bootgrid-table th {
   > .column-header-anchor {
     color: #fff !important;
+
     > {
       .icon, .glyphicon {
         color: #fff !important;
       }
     }
   }
+
   &:hover {
     background-color: #4b4b4b !important;
   }
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dns-overview.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dns-overview.css
new file mode 100644
index 0000000000..fba9c7f80b
--- /dev/null
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dns-overview.css
@@ -0,0 +1,182 @@
+.tab-content {
+    padding: 10px;
+    border-top: 1px solid #E5E5E5;
+}
+
+.banner {
+    width: 25%;
+}
+
+.stats-element {
+    height: 5em;
+    background: #101010;
+    overflow: hidden;
+    display: flex;
+    justify-content: flex-start;
+    border-radius: .3em;
+    margin:auto;
+    border: 1px solid rgba(200, 200, 244, 0.2);
+}
+
+.stats-icon {
+    height: auto;
+    width: 50%;
+    object-fit:cover;
+    background: #222222;
+    border-radius: 0 2em 2em 0 / 0 3em 3em 0;
+    box-shadow: 3px 5px 1px 3px rgba(22,22,22,0.25);
+}
+
+.large-icon {
+    position: relative;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+    font-size: 2em;
+}
+
+.stats-text {
+    height: 5em;
+    width: 15em;
+    display: flex;
+    justify-content: center;
+    text-align: center;
+    align-items: center;
+    flex-direction: column;
+}
+
+.stats-counter-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+}
+
+.stats-inner-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+}
+
+#bannersub {
+    text-align: center;
+    margin: 5px;
+}
+
+.list-group-wrapper {
+    margin: 0px;
+    padding-top: 10px;
+    padding-bottom: 10px;
+}
+
+.list-item-domain {
+    height: 2.5em;
+}
+
+.list-group-item-border {
+    border: 1px solid #ddd;
+}
+
+.list-group-item-border:first-child {
+    border-top-left-radius: 4px;
+    border-top-right-radius: 4px;
+    border-bottom: 2px solid black;
+}
+
+.list-group-item-border:last-child {
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+}
+.btn.pull-right {
+    margin-left: 3px;
+}
+
+.odd-bg {
+    background: #f7f7f7;
+}
+
+.top-item {
+    display: flex;
+    white-space: nowrap;
+}
+
+.group-p {
+    overflow: hidden;
+    height: 20px;
+    margin-right: 5px;
+    text-overflow: ellipsis;
+}
+
+.counter {
+    position: relative;
+    top: -3px;
+    color: #f06060;
+    font-size: 14px;
+    line-height: 1.4;
+    flex: 1;
+    text-align: right;
+}
+
+.vertical-center {
+    margin: 0;
+    position: absolute;
+    top: 50%;
+    -ms-transform: translateY(-50%);
+    transform: translateY(-50%);
+}
+
+#maintabs > li > a {
+    border: 1px solid #E5E5E5;
+}
+
+.query-success {
+    background-color: #43664b;
+}
+
+.query-info {
+    background-color: #334623;
+}
+
+.query-danger {
+    background-color: #750505;
+}
+
+.query-warning {
+    background-color: #c62d00;
+}
+
+.query-error {
+    background-color: #951515;
+}
+
+#searchFilter {
+    display: inline-block;
+    margin: 0 20px 0 0;
+    vertical-align: middle;
+}
+
+.tag {
+    font-size: 14px;
+    padding: .3em .4em .4em;
+    margin: 0 .1em;
+}
+
+.tag a {
+  color: #bbb;
+  cursor: pointer;
+  opacity: 0.9;
+}
+
+.tag a {
+  margin: 0 0 0 .3em;
+}
+
+.tag a fa-times {
+  color: #fff;
+  margin-bottom: 2px;
+}
+
+.tooltip-inner {
+  max-width: 1000px !important;
+}
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
index caa98b644d..340427f840 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
@@ -6,345 +6,231 @@
   padding-top: 1px !important;
   padding-right: 1px !important;
   padding-left: 5px !important;
-  min-height: 25px !important;
-}
-.widgetdiv .content-box-head .btn-group .btn {
-  color: #C1C1c1 !important;
-  background: #454545 !important;
-  border: 0px;
-}
-.widgetdiv .content-box-head .btn-group .btn .glyphicon {
-  color: #C1C1c1 !important;
-}
-.widgetdiv .content-box-head .list-inline li > h3 {
-  padding-top: 4px;
-}
+  min-height: 25px !important; }
+  .widgetdiv .content-box-head .btn-group .btn {
+    color: #C1C1c1 !important;
+    background: #454545 !important;
+    border: 0px; }
+    .widgetdiv .content-box-head .btn-group .btn .glyphicon {
+      color: #C1C1c1 !important; }
+  .widgetdiv .content-box-head .list-inline li > h3 {
+    padding-top: 4px; }
 
 @font-face {
   font-family: "SourceSansProBold";
-  src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype");
-}
+  src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype"); }
+
 @font-face {
   font-family: "SourceSansProSemibold";
-  src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype");
-}
+  src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype"); }
+
 @font-face {
   font-family: "SourceSansProRegular";
-  src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype");
-}
+  src: url("/ui/themes/opnsense/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype"); }
+
 /*! normalize.css v3.0.1 | MIT License | git.io/normalize */
 html {
   font-family: sans-serif;
   -ms-text-size-adjust: 100%;
-  -webkit-text-size-adjust: 100%;
-}
+  -webkit-text-size-adjust: 100%; }
 
 body {
-  margin: 0;
-}
-
-article,
-aside,
-details,
-figcaption,
-figure,
-footer,
-header,
-hgroup,
-main,
-nav,
-section,
-summary {
-  display: block;
-}
+  margin: 0; }
 
-audio,
-canvas,
-progress,
-video {
+article, aside, details, figcaption, figure, footer, header, hgroup, main, nav, section, summary {
+  display: block; }
+
+audio, canvas, progress, video {
   display: inline-block;
-  vertical-align: baseline;
-}
+  vertical-align: baseline; }
 
 audio:not([controls]) {
   display: none;
-  height: 0;
-}
+  height: 0; }
 
-[hidden],
-template {
-  display: none;
-}
+[hidden], template {
+  display: none; }
 
 a {
-  background: transparent;
-}
-
-a:active,
-a:hover {
-  outline: 0;
-}
+  background: transparent; }
+  a:active, a:hover {
+    outline: 0; }
 
 abbr[title] {
-  border-bottom: 1px dotted;
-}
+  border-bottom: 1px dotted; }
 
-b,
-strong {
-  font-weight: bold;
-}
+b, strong {
+  font-weight: bold; }
 
 dfn {
-  font-style: italic;
-}
+  font-style: italic; }
 
 h1 {
   font-size: 2em;
-  margin: 0.67em 0;
-}
+  margin: 0.67em 0; }
 
 mark {
   background: #ff0;
-  color: #ccc;
-}
+  color: #ccc; }
 
 small {
-  font-size: 80%;
-}
+  font-size: 80%; }
 
-sub,
-sup {
+sub {
   font-size: 75%;
   line-height: 0;
   position: relative;
-  vertical-align: baseline;
-}
+  vertical-align: baseline; }
 
 sup {
-  top: -0.5em;
-}
+  font-size: 75%;
+  line-height: 0;
+  position: relative;
+  vertical-align: baseline;
+  top: -0.5em; }
 
 sub {
-  bottom: -0.25em;
-}
+  bottom: -0.25em; }
 
 img {
-  border: 0;
-}
+  border: 0; }
 
 svg:not(:root) {
-  overflow: hidden;
-}
+  overflow: hidden; }
 
 figure {
-  margin: 1em 40px;
-}
+  margin: 1em 40px; }
 
 hr {
   -moz-box-sizing: content-box;
   box-sizing: content-box;
-  height: 0;
-}
+  height: 0; }
 
 pre {
-  overflow: auto;
-}
+  overflow: auto; }
 
-code,
-kbd,
-pre,
-samp {
+code, kbd, pre, samp {
   font-family: monospace, monospace;
-  font-size: 1em;
-}
+  font-size: 1em; }
 
-button,
-input,
-optgroup,
-select,
-textarea {
+button, input, optgroup, select, textarea {
   color: inherit;
   font: inherit;
-  margin: 0;
-}
+  margin: 0; }
 
 button {
   overflow: visible;
-}
+  text-transform: none; }
 
-button,
 select {
-  text-transform: none;
-}
+  text-transform: none; }
 
-button,
-html input[type=button],
-input[type=reset],
-input[type=submit] {
+button, html input[type=button] {
   -webkit-appearance: button;
-  cursor: pointer;
-}
+  cursor: pointer; }
+
+input[type=reset], input[type=submit] {
+  -webkit-appearance: button;
+  cursor: pointer; }
 
-button[disabled],
-html input[disabled] {
-  cursor: default;
-}
+button[disabled], html input[disabled] {
+  cursor: default; }
 
-button::-moz-focus-inner,
-input::-moz-focus-inner {
+button::-moz-focus-inner {
   border: 0;
-  padding: 0;
-}
+  padding: 0; }
 
 input {
-  line-height: normal;
-}
-
-input[type=checkbox],
-input[type=radio] {
-  box-sizing: border-box;
-  padding: 0;
-}
-
-input[type=number]::-webkit-inner-spin-button,
-input[type=number]::-webkit-outer-spin-button {
-  height: auto;
-}
-
-input[type=search] {
-  -webkit-appearance: textfield;
-  -moz-box-sizing: content-box;
-  -webkit-box-sizing: content-box;
-  box-sizing: content-box;
-}
-
-input[type=search]::-webkit-search-cancel-button,
-input[type=search]::-webkit-search-decoration {
-  -webkit-appearance: none;
-}
+  line-height: normal; }
+  input::-moz-focus-inner {
+    border: 0;
+    padding: 0; }
+  input[type=checkbox], input[type=radio] {
+    box-sizing: border-box;
+    padding: 0; }
+  input[type=number]::-webkit-inner-spin-button, input[type=number]::-webkit-outer-spin-button {
+    height: auto; }
+  input[type=search] {
+    -webkit-appearance: textfield;
+    -moz-box-sizing: content-box;
+    -webkit-box-sizing: content-box;
+    box-sizing: content-box; }
+    input[type=search]::-webkit-search-cancel-button, input[type=search]::-webkit-search-decoration {
+      -webkit-appearance: none; }
 
 fieldset {
   border: 1px solid #c0c0c0;
   margin: 0 2px;
-  padding: 0.35em 0.625em 0.75em;
-}
+  padding: 0.35em 0.625em 0.75em; }
 
 legend {
   border: 0;
-  padding: 0;
-}
+  padding: 0; }
 
 textarea {
-  overflow: auto;
-}
+  overflow: auto; }
 
 optgroup {
-  font-weight: bold;
-}
+  font-weight: bold; }
 
 table {
   border-collapse: collapse;
-  border-spacing: 0;
-}
+  border-spacing: 0; }
 
-td,
-th {
-  padding: 0;
-}
+td, th {
+  padding: 0; }
 
 @media print {
   * {
     text-shadow: none !important;
     color: #ccc !important;
     background: transparent !important;
-    box-shadow: none !important;
-  }
-
-  a,
-a:visited {
-    text-decoration: underline;
-  }
-
-  a[href]:after {
-    content: " (" attr(href) ")";
-  }
-
+    box-shadow: none !important; }
+  a {
+    text-decoration: underline; }
+    a:visited {
+      text-decoration: underline; }
+    a[href]:after {
+      content: " (" attr(href) ")"; }
   abbr[title]:after {
-    content: " (" attr(title) ")";
-  }
-
-  a[href^="javascript:"]:after,
-a[href^="#"]:after {
-    content: "";
-  }
-
-  pre,
-blockquote {
+    content: " (" attr(title) ")"; }
+  a[href^="javascript:"]:after, a[href^="#"]:after {
+    content: ""; }
+  pre, blockquote {
     border: 1px solid #999;
-    page-break-inside: avoid;
-  }
-
+    page-break-inside: avoid; }
   thead {
-    display: table-header-group;
-  }
-
-  tr,
-img {
-    page-break-inside: avoid;
-  }
-
+    display: table-header-group; }
+  tr {
+    page-break-inside: avoid; }
   img {
-    max-width: 100% !important;
-  }
-
-  p,
-h2,
-h3 {
+    page-break-inside: avoid;
+    max-width: 100% !important; }
+  p, h2, h3 {
     orphans: 3;
-    widows: 3;
-  }
-
-  h2,
-h3 {
-    page-break-after: avoid;
-  }
-
+    widows: 3; }
+  h2, h3 {
+    page-break-after: avoid; }
   select {
-    background: #555 !important;
-  }
-
+    background: #555 !important; }
   .navbar {
-    display: none;
-  }
-
-  .table td,
-.table th {
-    background-color: #444 !important;
-  }
-
-  .btn > .caret,
-.dropup > .btn > .caret {
-    border-top-color: #ddd !important;
-  }
-
+    display: none; }
+  .table td, .table th {
+    background-color: #444 !important; }
+  .btn > .caret, .dropup > .btn > .caret {
+    border-top-color: #ddd !important; }
   .label {
-    border: 1px solid #aaa;
-  }
-
+    border: 1px solid #aaa; }
   .table {
-    border-collapse: collapse !important;
-  }
-
-  .table-bordered th,
-.table-bordered td {
-    border: 1px solid #666 !important;
-  }
-}
+    border-collapse: collapse !important; }
+  .table-bordered th, .table-bordered td {
+    border: 1px solid #666 !important; } }
+
 @font-face {
   font-family: "Glyphicons Halflings";
   src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot");
-  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg");
-}
+  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg"); }
+
 .glyphicon {
   position: relative;
   top: 1px;
@@ -354,876 +240,660 @@ h3 {
   font-weight: normal;
   line-height: 1;
   -webkit-font-smoothing: antialiased;
-  -moz-osx-font-smoothing: grayscale;
-}
+  -moz-osx-font-smoothing: grayscale; }
 
 .glyphicon-asterisk:before {
-  content: "*";
-}
+  content: "*"; }
 
 .glyphicon-plus:before {
-  content: "+";
-}
+  content: "+"; }
 
 .glyphicon-euro:before {
-  content: "€";
-}
+  content: "€"; }
 
 .glyphicon-minus:before {
-  content: "−";
-}
+  content: "−"; }
 
 .glyphicon-cloud:before {
-  content: "☁";
-}
+  content: "☁"; }
 
 .glyphicon-envelope:before {
-  content: "✉";
-}
+  content: "✉"; }
 
 .glyphicon-pencil:before {
-  content: "✏";
-}
+  content: "✏"; }
 
 .glyphicon-glass:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-music:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-search:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-heart:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-star:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-star-empty:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-user:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-film:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-th-large:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-th:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-th-list:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-ok:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-remove:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-zoom-in:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-zoom-out:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-off:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-signal:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-cog:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-trash:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-home:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-file:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-time:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-road:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-download-alt:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-download:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-upload:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-inbox:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-play-circle:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-repeat:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-refresh:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-list-alt:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-lock:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-flag:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-headphones:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-volume-off:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-volume-down:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-volume-up:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-qrcode:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-barcode:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-tag:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-tags:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-book:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-bookmark:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-print:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-camera:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-font:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-bold:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-italic:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-text-height:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-text-width:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-align-left:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-align-center:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-align-right:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-align-justify:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-list:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-indent-left:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-indent-right:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-facetime-video:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-picture:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-map-marker:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-adjust:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-tint:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-edit:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-share:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-check:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-move:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-step-backward:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-fast-backward:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-backward:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-play:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-pause:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-stop:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-forward:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-fast-forward:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-step-forward:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-eject:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-chevron-left:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-chevron-right:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-plus-sign:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-minus-sign:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-remove-sign:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-ok-sign:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-question-sign:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-info-sign:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-screenshot:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-remove-circle:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-ok-circle:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-ban-circle:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-arrow-left:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-arrow-right:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-arrow-up:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-arrow-down:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-share-alt:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-resize-full:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-resize-small:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-exclamation-sign:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-gift:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-leaf:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-fire:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-eye-open:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-eye-close:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-warning-sign:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-plane:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-calendar:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-random:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-comment:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-magnet:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-chevron-up:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-chevron-down:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-retweet:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-shopping-cart:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-folder-close:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-folder-open:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-resize-vertical:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-resize-horizontal:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-hdd:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-bullhorn:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-bell:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-certificate:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-thumbs-up:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-thumbs-down:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-hand-right:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-hand-left:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-hand-up:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-hand-down:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-circle-arrow-right:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-circle-arrow-left:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-circle-arrow-up:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-circle-arrow-down:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-globe:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-wrench:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-tasks:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-filter:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-briefcase:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-fullscreen:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-dashboard:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-paperclip:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-heart-empty:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-link:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-phone:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-pushpin:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-usd:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-gbp:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sort:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sort-by-alphabet:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sort-by-alphabet-alt:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sort-by-order:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sort-by-order-alt:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sort-by-attributes:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sort-by-attributes-alt:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-unchecked:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-expand:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-collapse-down:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-collapse-up:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-log-in:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-flash:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-log-out:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-new-window:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-record:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-save:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-open:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-saved:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-import:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-export:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-send:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-floppy-disk:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-floppy-saved:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-floppy-remove:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-floppy-save:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-floppy-open:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-credit-card:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-transfer:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-cutlery:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-header:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-compressed:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-earphone:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-phone-alt:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-tower:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-stats:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sd-video:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-hd-video:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-subtitles:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sound-stereo:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sound-dolby:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sound-5-1:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sound-6-1:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-sound-7-1:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-copyright-mark:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-registration-mark:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-cloud-download:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-cloud-upload:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-tree-conifer:before {
-  content: "";
-}
+  content: ""; }
 
 .glyphicon-tree-deciduous:before {
-  content: "";
-}
+  content: ""; }
 
 * {
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
-  box-sizing: border-box;
-}
-
-*:before,
-*:after {
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box;
-}
+  box-sizing: border-box; }
+  *:before, *:after {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box; }
 
 html {
   font-size: 10px;
-  -webkit-tap-highlight-color: rgba(0, 0, 0, 0);
-}
+  -webkit-tap-highlight-color: rgba(0, 0, 0, 0); }
 
 body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
   font-size: 14px;
   line-height: 1.428571429;
   color: #C1C1c1;
-  background-color: #333;
-}
+  background-color: #333; }
 
-input,
-button,
-select,
-textarea {
+input, button, select, textarea {
   font-family: inherit;
   font-size: inherit;
-  line-height: inherit;
-}
+  line-height: inherit; }
 
 a {
   color: #EA7105;
-  text-decoration: none;
-}
-a:hover, a:focus {
-  color: #9f4d03;
-  text-decoration: underline;
-}
-a:focus {
-  outline: thin dotted;
-  outline: 5px auto -webkit-focus-ring-color;
-  outline-offset: -2px;
-}
+  text-decoration: none; }
+  a:hover {
+    color: #9f4d03;
+    text-decoration: underline; }
+  a:focus {
+    color: #9f4d03;
+    text-decoration: underline;
+    outline: thin dotted;
+    outline: 5px auto -webkit-focus-ring-color;
+    outline-offset: -2px; }
 
 figure {
-  margin: 0;
-}
+  margin: 0; }
 
 img {
-  vertical-align: middle;
-}
+  vertical-align: middle; }
 
 .img-responsive {
   display: block;
   width: 100% \9;
   max-width: 100%;
-  height: auto;
-}
+  height: auto; }
 
 .img-rounded {
-  border-radius: 6px;
-}
+  border-radius: 6px; }
 
 .img-thumbnail {
   padding: 4px;
@@ -1237,19 +907,16 @@ img {
   display: inline-block;
   width: 100% \9;
   max-width: 100%;
-  height: auto;
-}
+  height: auto; }
 
 .img-circle {
-  border-radius: 50%;
-}
+  border-radius: 50%; }
 
 hr {
   margin-top: 20px;
   margin-bottom: 20px;
   border: 0;
-  border-top: 1px solid #1a1a1a;
-}
+  border-top: 1px solid #1a1a1a; }
 
 .sr-only {
   position: absolute;
@@ -1259,8 +926,7 @@ hr {
   padding: 0;
   overflow: hidden;
   clip: rect(0, 0, 0, 0);
-  border: 0;
-}
+  border: 0; }
 
 .sr-only-focusable:active, .sr-only-focusable:focus {
   position: static;
@@ -1268,303 +934,297 @@ hr {
   height: auto;
   margin: 0;
   overflow: visible;
-  clip: auto;
-}
+  clip: auto; }
 
-h1, h2, h3, h4, h5, h6,
-.h1, .h2, .h3, .h4, .h5, .h6 {
+h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
   font-family: "SourceSansProSemiBold";
   font-weight: 100;
   line-height: 1.4;
-  color: inherit;
-}
-h1 small,
-h1 .small, h2 small,
-h2 .small, h3 small,
-h3 .small, h4 small,
-h4 .small, h5 small,
-h5 .small, h6 small,
-h6 .small,
-.h1 small,
-.h1 .small, .h2 small,
-.h2 .small, .h3 small,
-.h3 .small, .h4 small,
-.h4 .small, .h5 small,
-.h5 .small, .h6 small,
-.h6 .small {
+  color: inherit; }
+
+h1 small, h1 .small {
   font-weight: normal;
   line-height: 1;
-  color: #DDd;
-}
+  color: #DDd; }
 
-h1, .h1,
-h2, .h2,
-h3, .h3 {
+h2 small, h2 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+h3 small, h3 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+h4 small, h4 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+h5 small, h5 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+h6 small, h6 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+.h1 small, .h1 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+.h2 small, .h2 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+.h3 small, .h3 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+.h4 small, .h4 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+.h5 small, .h5 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+.h6 small, .h6 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: #DDd; }
+
+h1, .h1, h2, .h2, h3, .h3 {
   margin-top: 20px;
-  margin-bottom: 10px;
-}
-h1 small,
-h1 .small, .h1 small,
-.h1 .small,
-h2 small,
-h2 .small, .h2 small,
-.h2 .small,
-h3 small,
-h3 .small, .h3 small,
-.h3 .small {
-  font-size: 65%;
-}
-
-h4, .h4,
-h5, .h5,
-h6, .h6 {
+  margin-bottom: 10px; }
+
+h1 small, h1 .small {
+  font-size: 65%; }
+
+.h1 small, .h1 .small {
+  font-size: 65%; }
+
+h2 small, h2 .small {
+  font-size: 65%; }
+
+.h2 small, .h2 .small {
+  font-size: 65%; }
+
+h3 small, h3 .small {
+  font-size: 65%; }
+
+.h3 small, .h3 .small {
+  font-size: 65%; }
+
+h4, .h4, h5, .h5, h6, .h6 {
   margin-top: 10px;
-  margin-bottom: 10px;
-}
-h4 small,
-h4 .small, .h4 small,
-.h4 .small,
-h5 small,
-h5 .small, .h5 small,
-.h5 .small,
-h6 small,
-h6 .small, .h6 small,
-.h6 .small {
-  font-size: 75%;
-}
+  margin-bottom: 10px; }
+
+h4 small, h4 .small {
+  font-size: 75%; }
+
+.h4 small, .h4 .small {
+  font-size: 75%; }
+
+h5 small, h5 .small {
+  font-size: 75%; }
+
+.h5 small, .h5 .small {
+  font-size: 75%; }
+
+h6 small, h6 .small {
+  font-size: 75%; }
+
+.h6 small, .h6 .small {
+  font-size: 75%; }
 
 h1, .h1 {
-  font-size: 23px;
-}
+  font-size: 23px; }
 
 h2, .h2 {
-  font-size: 16px;
-}
+  font-size: 16px; }
 
 h3, .h3 {
-  font-size: 14px;
-}
+  font-size: 14px; }
 
 h4, .h4 {
-  font-size: 18px;
-}
+  font-size: 18px; }
 
 h5, .h5 {
-  font-size: 14px;
-}
+  font-size: 14px; }
 
 h6, .h6 {
-  font-size: 12px;
-}
+  font-size: 12px; }
 
 p {
-  margin: 0 0 10px;
-}
+  margin: 0 0 10px; }
 
 .lead {
   margin-bottom: 20px;
   font-size: 16px;
   font-weight: 300;
-  line-height: 1.4;
-}
+  line-height: 1.4; }
+
 @media (min-width: 768px) {
   .lead {
-    font-size: 21px;
-  }
-}
+    font-size: 21px; } }
 
-small,
-.small {
-  font-size: 85%;
-}
+small, .small {
+  font-size: 85%; }
 
 cite {
-  font-style: normal;
-}
+  font-style: normal; }
 
-mark,
-.mark {
+mark, .mark {
   background-color: #fcf8e3;
-  padding: 0.2em;
-}
+  padding: 0.2em; }
 
 .text-left {
-  text-align: left;
-}
+  text-align: left; }
 
 .text-right {
-  text-align: right;
-}
+  text-align: right; }
 
 .text-center {
-  text-align: center;
-}
+  text-align: center; }
 
 .text-justify {
-  text-align: justify;
-}
+  text-align: justify; }
 
 .text-nowrap {
-  white-space: nowrap;
-}
+  white-space: nowrap; }
 
 .text-lowercase {
-  text-transform: lowercase;
-}
+  text-transform: lowercase; }
 
 .text-uppercase {
-  text-transform: uppercase;
-}
+  text-transform: uppercase; }
 
 .text-capitalize {
-  text-transform: capitalize;
-}
+  text-transform: capitalize; }
 
 .text-muted {
-  color: #DDd;
-}
+  color: #DDd; }
 
 .text-primary {
-  color: #EA7105;
-}
+  color: #EA7105; }
 
 a.text-primary:hover {
-  color: #b85904;
-}
+  color: #b85904; }
 
 .text-success {
-  color: #7Ba255;
-}
+  color: #7Ba255; }
 
 a.text-success:hover {
-  color: #628143;
-}
+  color: #628143; }
 
 .text-info {
-  color: #00ffff;
-}
+  color: #00ffff; }
 
 a.text-info:hover {
-  color: #e6e6e6;
-}
+  color: #e6e6e6; }
 
 .text-warning {
-  color: #f0ad4e;
-}
+  color: #f0ad4e; }
 
 a.text-warning:hover {
-  color: #ec971f;
-}
+  color: #ec971f; }
 
 .text-danger {
-  color: #F05050;
-}
+  color: #F05050; }
 
 a.text-danger:hover {
-  color: #ec2121;
-}
+  color: #ec2121; }
 
 .bg-primary {
   color: #333;
-}
-
-.bg-primary {
-  background-color: #EA7105;
-}
+  background-color: #EA7105; }
 
 a.bg-primary:hover {
-  background-color: #b85904;
-}
+  background-color: #b85904; }
 
 .bg-success {
-  background-color: #7Ba255;
-}
+  background-color: #7Ba255; }
 
 a.bg-success:hover {
-  background-color: #628143;
-}
+  background-color: #628143; }
 
 .bg-info {
-  background-color: #4545a7;
-}
+  background-color: #4545a7; }
 
 a.bg-info:hover {
-  background-color: #363683;
-}
+  background-color: #363683; }
 
 .bg-warning {
-  background-color: #fcf8e3;
-}
+  background-color: #fcf8e3; }
 
 a.bg-warning:hover {
-  background-color: #f7ecb5;
-}
+  background-color: #f7ecb5; }
 
 .bg-danger {
-  background-color: #F05050;
-}
+  background-color: #F05050; }
 
 a.bg-danger:hover {
-  background-color: #ec2121;
-}
+  background-color: #ec2121; }
 
 .page-header {
   padding-bottom: 9px;
   margin: 40px 0 20px;
-  border-bottom: 1px solid #1a1a1a;
-}
+  border-bottom: 1px solid #1a1a1a; }
 
-ul,
-ol {
+ul, ol {
   margin-top: 0;
-  margin-bottom: 10px;
-}
-ul ul,
-ul ol,
-ol ul,
-ol ol {
-  margin-bottom: 0;
-}
+  margin-bottom: 10px; }
+
+ul ul, ul ol {
+  margin-bottom: 0; }
 
-.list-unstyled, .list-inline {
+ol ul, ol ol {
+  margin-bottom: 0; }
+
+.list-unstyled {
   padding-left: 0;
-  list-style: none;
-}
+  list-style: none; }
 
 .list-inline {
-  margin-left: -5px;
-}
-.list-inline > li {
-  float: left;
-  padding-left: 5px;
-  padding-right: 5px;
-}
+  padding-left: 0;
+  list-style: none;
+  margin-left: -5px; }
+  .list-inline > li {
+    float: left;
+    padding-left: 5px;
+    padding-right: 5px; }
 
 dl {
   margin-top: 0;
-  margin-bottom: 20px;
-}
+  margin-bottom: 20px; }
 
-dt,
-dd {
-  line-height: 1.428571429;
-}
+dt, dd {
+  line-height: 1.428571429; }
 
 dt {
-  font-weight: bold;
-}
+  font-weight: bold; }
 
 dd {
-  margin-left: 0;
-}
+  margin-left: 0; }
 
-.dl-horizontal dd:before, .dl-horizontal dd:after {
+.dl-horizontal dd:before {
   content: " ";
-  display: table;
-}
+  display: table; }
+
 .dl-horizontal dd:after {
-  clear: both;
-}
+  content: " ";
+  display: table;
+  clear: both; }
+
 @media (min-width: 768px) {
   .dl-horizontal dt {
     float: left;
@@ -1573,99 +1233,69 @@ dd {
     text-align: right;
     overflow: hidden;
     text-overflow: ellipsis;
-    white-space: nowrap;
-  }
+    white-space: nowrap; }
   .dl-horizontal dd {
-    margin-left: 180px;
-  }
-}
+    margin-left: 180px; } }
 
-abbr[title],
-abbr[data-original-title] {
+abbr[title], abbr[data-original-title] {
   cursor: help;
-  border-bottom: 1px dotted #DDd;
-}
+  border-bottom: 1px dotted #DDd; }
 
 .initialism {
   font-size: 90%;
-  text-transform: uppercase;
-}
+  text-transform: uppercase; }
 
 blockquote {
   padding: 10px 20px;
   margin: 0 0 20px;
   font-size: 17.5px;
-  border-left: 5px solid #1a1a1a;
-}
-blockquote p:last-child,
-blockquote ul:last-child,
-blockquote ol:last-child {
-  margin-bottom: 0;
-}
-blockquote footer,
-blockquote small,
-blockquote .small {
-  display: block;
-  font-size: 80%;
-  line-height: 1.428571429;
-  color: #DDd;
-}
-blockquote footer:before,
-blockquote small:before,
-blockquote .small:before {
-  content: "— ";
-}
-
-.blockquote-reverse,
-blockquote.pull-right {
+  border-left: 5px solid #1a1a1a; }
+  blockquote p:last-child, blockquote ul:last-child, blockquote ol:last-child {
+    margin-bottom: 0; }
+  blockquote footer, blockquote small, blockquote .small {
+    display: block;
+    font-size: 80%;
+    line-height: 1.428571429;
+    color: #DDd; }
+  blockquote footer:before, blockquote small:before, blockquote .small:before {
+    content: "— "; }
+
+.blockquote-reverse, blockquote.pull-right {
   padding-right: 15px;
   padding-left: 0;
   border-right: 5px solid #1a1a1a;
   border-left: 0;
-  text-align: right;
-}
-.blockquote-reverse footer:before,
-.blockquote-reverse small:before,
-.blockquote-reverse .small:before,
-blockquote.pull-right footer:before,
-blockquote.pull-right small:before,
-blockquote.pull-right .small:before {
-  content: "";
-}
-.blockquote-reverse footer:after,
-.blockquote-reverse small:after,
-.blockquote-reverse .small:after,
-blockquote.pull-right footer:after,
-blockquote.pull-right small:after,
-blockquote.pull-right .small:after {
-  content: " —";
-}
-
-blockquote:before,
-blockquote:after {
-  content: "";
-}
+  text-align: right; }
+
+.blockquote-reverse footer:before, .blockquote-reverse small:before, .blockquote-reverse .small:before {
+  content: ""; }
+
+blockquote.pull-right footer:before, blockquote.pull-right small:before, blockquote.pull-right .small:before {
+  content: ""; }
+
+.blockquote-reverse footer:after, .blockquote-reverse small:after, .blockquote-reverse .small:after {
+  content: " —"; }
+
+blockquote.pull-right footer:after, blockquote.pull-right small:after, blockquote.pull-right .small:after {
+  content: " —"; }
+
+blockquote:before, blockquote:after {
+  content: ""; }
 
 address {
   margin-bottom: 20px;
   font-style: normal;
-  line-height: 1.428571429;
-}
+  line-height: 1.428571429; }
 
-code,
-kbd,
-pre,
-samp {
-  font-family: Menlo, Monaco, Consolas, "Courier New", monospace;
-}
+code, kbd, pre, samp {
+  font-family: Menlo, Monaco, Consolas, "Courier New", monospace; }
 
 code {
   padding: 2px 4px;
   font-size: 90%;
   color: #c7254e;
   background-color: #f9f2f4;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 kbd {
   padding: 2px 4px;
@@ -1673,13 +1303,11 @@ kbd {
   color: #fff;
   background-color: #333;
   border-radius: 3px;
-  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25);
-}
-kbd kbd {
-  padding: 0;
-  font-size: 100%;
-  box-shadow: none;
-}
+  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25); }
+  kbd kbd {
+    padding: 0;
+    font-size: 100%;
+    box-shadow: none; }
 
 pre {
   display: block;
@@ -1692,1102 +1320,736 @@ pre {
   color: #d1d1d1;
   background-color: #484848;
   border: 1px solid #ccc;
-  border-radius: 3px;
-}
-pre code {
-  padding: 0;
-  font-size: inherit;
-  color: inherit;
-  white-space: pre-wrap;
-  background-color: transparent;
-  border-radius: 0;
-}
+  border-radius: 3px; }
+  pre code {
+    padding: 0;
+    font-size: inherit;
+    color: inherit;
+    white-space: pre-wrap;
+    background-color: transparent;
+    border-radius: 0; }
 
 .pre-scrollable {
   max-height: 340px;
-  overflow-y: scroll;
-}
+  overflow-y: scroll; }
 
-.container {
+.container, .container-fluid {
   margin-right: auto;
   margin-left: auto;
   padding-left: 20px;
-  padding-right: 20px;
-}
-.container:before, .container:after {
-  content: " ";
-  display: table;
-}
-.container:after {
-  clear: both;
-}
+  padding-right: 20px; }
+  .container:before, .container-fluid:before {
+    content: " ";
+    display: table; }
+  .container:after, .container-fluid:after {
+    content: " ";
+    display: table;
+    clear: both; }
+
 @media (min-width: 768px) {
   .container {
-    width: 760px;
-  }
-}
+    width: 760px; } }
+
 @media (min-width: 992px) {
   .container {
-    width: 980px;
-  }
-}
+    width: 980px; } }
+
 @media (min-width: 1200px) {
   .container {
-    width: 1180px;
-  }
-}
-
-.container-fluid {
-  margin-right: auto;
-  margin-left: auto;
-  padding-left: 20px;
-  padding-right: 20px;
-}
-.container-fluid:before, .container-fluid:after {
-  content: " ";
-  display: table;
-}
-.container-fluid:after {
-  clear: both;
-}
+    width: 1180px; } }
 
 .row {
   margin-left: -20px;
-  margin-right: -20px;
-}
-.row:before, .row:after {
-  content: " ";
-  display: table;
-}
-.row:after {
-  clear: both;
-}
+  margin-right: -20px; }
+  .row:before {
+    content: " ";
+    display: table; }
+  .row:after {
+    content: " ";
+    display: table;
+    clear: both; }
 
 .col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 {
   position: relative;
   min-height: 1px;
   padding-left: 20px;
-  padding-right: 20px;
-}
+  padding-right: 20px; }
 
 .col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 {
-  float: left;
-}
+  float: left; }
 
 .col-xs-1 {
-  width: 8.3333333333%;
-}
+  width: 8.3333333333%; }
 
 .col-xs-2 {
-  width: 16.6666666667%;
-}
+  width: 16.6666666667%; }
 
 .col-xs-3 {
-  width: 25%;
-}
+  width: 25%; }
 
 .col-xs-4 {
-  width: 33.3333333333%;
-}
+  width: 33.3333333333%; }
 
 .col-xs-5 {
-  width: 41.6666666667%;
-}
+  width: 41.6666666667%; }
 
 .col-xs-6 {
-  width: 50%;
-}
+  width: 50%; }
 
 .col-xs-7 {
-  width: 58.3333333333%;
-}
+  width: 58.3333333333%; }
 
 .col-xs-8 {
-  width: 66.6666666667%;
-}
+  width: 66.6666666667%; }
 
 .col-xs-9 {
-  width: 75%;
-}
+  width: 75%; }
 
 .col-xs-10 {
-  width: 83.3333333333%;
-}
+  width: 83.3333333333%; }
 
 .col-xs-11 {
-  width: 91.6666666667%;
-}
+  width: 91.6666666667%; }
 
 .col-xs-12 {
-  width: 100%;
-}
+  width: 100%; }
 
 .col-xs-pull-0 {
-  right: auto;
-}
+  right: auto; }
 
 .col-xs-pull-1 {
-  right: 8.3333333333%;
-}
+  right: 8.3333333333%; }
 
 .col-xs-pull-2 {
-  right: 16.6666666667%;
-}
+  right: 16.6666666667%; }
 
 .col-xs-pull-3 {
-  right: 25%;
-}
+  right: 25%; }
 
 .col-xs-pull-4 {
-  right: 33.3333333333%;
-}
+  right: 33.3333333333%; }
 
 .col-xs-pull-5 {
-  right: 41.6666666667%;
-}
+  right: 41.6666666667%; }
 
 .col-xs-pull-6 {
-  right: 50%;
-}
+  right: 50%; }
 
 .col-xs-pull-7 {
-  right: 58.3333333333%;
-}
+  right: 58.3333333333%; }
 
 .col-xs-pull-8 {
-  right: 66.6666666667%;
-}
+  right: 66.6666666667%; }
 
 .col-xs-pull-9 {
-  right: 75%;
-}
+  right: 75%; }
 
 .col-xs-pull-10 {
-  right: 83.3333333333%;
-}
+  right: 83.3333333333%; }
 
 .col-xs-pull-11 {
-  right: 91.6666666667%;
-}
+  right: 91.6666666667%; }
 
 .col-xs-pull-12 {
-  right: 100%;
-}
+  right: 100%; }
 
 .col-xs-push-0 {
-  left: auto;
-}
+  left: auto; }
 
 .col-xs-push-1 {
-  left: 8.3333333333%;
-}
+  left: 8.3333333333%; }
 
 .col-xs-push-2 {
-  left: 16.6666666667%;
-}
+  left: 16.6666666667%; }
 
 .col-xs-push-3 {
-  left: 25%;
-}
+  left: 25%; }
 
 .col-xs-push-4 {
-  left: 33.3333333333%;
-}
+  left: 33.3333333333%; }
 
 .col-xs-push-5 {
-  left: 41.6666666667%;
-}
+  left: 41.6666666667%; }
 
 .col-xs-push-6 {
-  left: 50%;
-}
+  left: 50%; }
 
 .col-xs-push-7 {
-  left: 58.3333333333%;
-}
+  left: 58.3333333333%; }
 
 .col-xs-push-8 {
-  left: 66.6666666667%;
-}
+  left: 66.6666666667%; }
 
 .col-xs-push-9 {
-  left: 75%;
-}
+  left: 75%; }
 
 .col-xs-push-10 {
-  left: 83.3333333333%;
-}
+  left: 83.3333333333%; }
 
 .col-xs-push-11 {
-  left: 91.6666666667%;
-}
+  left: 91.6666666667%; }
 
 .col-xs-push-12 {
-  left: 100%;
-}
+  left: 100%; }
 
 .col-xs-offset-0 {
-  margin-left: 0%;
-}
+  margin-left: 0%; }
 
 .col-xs-offset-1 {
-  margin-left: 8.3333333333%;
-}
+  margin-left: 8.3333333333%; }
 
 .col-xs-offset-2 {
-  margin-left: 16.6666666667%;
-}
+  margin-left: 16.6666666667%; }
 
 .col-xs-offset-3 {
-  margin-left: 25%;
-}
+  margin-left: 25%; }
 
 .col-xs-offset-4 {
-  margin-left: 33.3333333333%;
-}
+  margin-left: 33.3333333333%; }
 
 .col-xs-offset-5 {
-  margin-left: 41.6666666667%;
-}
+  margin-left: 41.6666666667%; }
 
 .col-xs-offset-6 {
-  margin-left: 50%;
-}
+  margin-left: 50%; }
 
 .col-xs-offset-7 {
-  margin-left: 58.3333333333%;
-}
+  margin-left: 58.3333333333%; }
 
 .col-xs-offset-8 {
-  margin-left: 66.6666666667%;
-}
+  margin-left: 66.6666666667%; }
 
 .col-xs-offset-9 {
-  margin-left: 75%;
-}
+  margin-left: 75%; }
 
 .col-xs-offset-10 {
-  margin-left: 83.3333333333%;
-}
+  margin-left: 83.3333333333%; }
 
 .col-xs-offset-11 {
-  margin-left: 91.6666666667%;
-}
+  margin-left: 91.6666666667%; }
 
 .col-xs-offset-12 {
-  margin-left: 100%;
-}
+  margin-left: 100%; }
 
 @media (min-width: 768px) {
   .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {
-    float: left;
-  }
-
+    float: left; }
   .col-sm-1 {
-    width: 8.3333333333%;
-  }
-
+    width: 8.3333333333%; }
   .col-sm-2 {
-    width: 16.6666666667%;
-  }
-
+    width: 16.6666666667%; }
   .col-sm-3 {
-    width: 25%;
-  }
-
+    width: 25%; }
   .col-sm-4 {
-    width: 33.3333333333%;
-  }
-
+    width: 33.3333333333%; }
   .col-sm-5 {
-    width: 41.6666666667%;
-  }
-
+    width: 41.6666666667%; }
   .col-sm-6 {
-    width: 50%;
-  }
-
+    width: 50%; }
   .col-sm-7 {
-    width: 58.3333333333%;
-  }
-
+    width: 58.3333333333%; }
   .col-sm-8 {
-    width: 66.6666666667%;
-  }
-
+    width: 66.6666666667%; }
   .col-sm-9 {
-    width: 75%;
-  }
-
+    width: 75%; }
   .col-sm-10 {
-    width: 83.3333333333%;
-  }
-
+    width: 83.3333333333%; }
   .col-sm-11 {
-    width: 91.6666666667%;
-  }
-
+    width: 91.6666666667%; }
   .col-sm-12 {
-    width: 100%;
-  }
-
+    width: 100%; }
   .col-sm-pull-0 {
-    right: auto;
-  }
-
+    right: auto; }
   .col-sm-pull-1 {
-    right: 8.3333333333%;
-  }
-
+    right: 8.3333333333%; }
   .col-sm-pull-2 {
-    right: 16.6666666667%;
-  }
-
+    right: 16.6666666667%; }
   .col-sm-pull-3 {
-    right: 25%;
-  }
-
+    right: 25%; }
   .col-sm-pull-4 {
-    right: 33.3333333333%;
-  }
-
+    right: 33.3333333333%; }
   .col-sm-pull-5 {
-    right: 41.6666666667%;
-  }
-
+    right: 41.6666666667%; }
   .col-sm-pull-6 {
-    right: 50%;
-  }
-
+    right: 50%; }
   .col-sm-pull-7 {
-    right: 58.3333333333%;
-  }
-
+    right: 58.3333333333%; }
   .col-sm-pull-8 {
-    right: 66.6666666667%;
-  }
-
+    right: 66.6666666667%; }
   .col-sm-pull-9 {
-    right: 75%;
-  }
-
+    right: 75%; }
   .col-sm-pull-10 {
-    right: 83.3333333333%;
-  }
-
+    right: 83.3333333333%; }
   .col-sm-pull-11 {
-    right: 91.6666666667%;
-  }
-
+    right: 91.6666666667%; }
   .col-sm-pull-12 {
-    right: 100%;
-  }
-
+    right: 100%; }
   .col-sm-push-0 {
-    left: auto;
-  }
-
+    left: auto; }
   .col-sm-push-1 {
-    left: 8.3333333333%;
-  }
-
+    left: 8.3333333333%; }
   .col-sm-push-2 {
-    left: 16.6666666667%;
-  }
-
+    left: 16.6666666667%; }
   .col-sm-push-3 {
-    left: 25%;
-  }
-
+    left: 25%; }
   .col-sm-push-4 {
-    left: 33.3333333333%;
-  }
-
+    left: 33.3333333333%; }
   .col-sm-push-5 {
-    left: 41.6666666667%;
-  }
-
+    left: 41.6666666667%; }
   .col-sm-push-6 {
-    left: 50%;
-  }
-
+    left: 50%; }
   .col-sm-push-7 {
-    left: 58.3333333333%;
-  }
-
+    left: 58.3333333333%; }
   .col-sm-push-8 {
-    left: 66.6666666667%;
-  }
-
+    left: 66.6666666667%; }
   .col-sm-push-9 {
-    left: 75%;
-  }
-
+    left: 75%; }
   .col-sm-push-10 {
-    left: 83.3333333333%;
-  }
-
+    left: 83.3333333333%; }
   .col-sm-push-11 {
-    left: 91.6666666667%;
-  }
-
+    left: 91.6666666667%; }
   .col-sm-push-12 {
-    left: 100%;
-  }
-
+    left: 100%; }
   .col-sm-offset-0 {
-    margin-left: 0%;
-  }
-
+    margin-left: 0%; }
   .col-sm-offset-1 {
-    margin-left: 8.3333333333%;
-  }
-
+    margin-left: 8.3333333333%; }
   .col-sm-offset-2 {
-    margin-left: 16.6666666667%;
-  }
-
+    margin-left: 16.6666666667%; }
   .col-sm-offset-3 {
-    margin-left: 25%;
-  }
-
+    margin-left: 25%; }
   .col-sm-offset-4 {
-    margin-left: 33.3333333333%;
-  }
-
+    margin-left: 33.3333333333%; }
   .col-sm-offset-5 {
-    margin-left: 41.6666666667%;
-  }
-
+    margin-left: 41.6666666667%; }
   .col-sm-offset-6 {
-    margin-left: 50%;
-  }
-
+    margin-left: 50%; }
   .col-sm-offset-7 {
-    margin-left: 58.3333333333%;
-  }
-
+    margin-left: 58.3333333333%; }
   .col-sm-offset-8 {
-    margin-left: 66.6666666667%;
-  }
-
+    margin-left: 66.6666666667%; }
   .col-sm-offset-9 {
-    margin-left: 75%;
-  }
-
+    margin-left: 75%; }
   .col-sm-offset-10 {
-    margin-left: 83.3333333333%;
-  }
-
+    margin-left: 83.3333333333%; }
   .col-sm-offset-11 {
-    margin-left: 91.6666666667%;
-  }
-
+    margin-left: 91.6666666667%; }
   .col-sm-offset-12 {
-    margin-left: 100%;
-  }
-}
+    margin-left: 100%; } }
+
 @media (min-width: 992px) {
   .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {
-    float: left;
-  }
-
+    float: left; }
   .col-md-1 {
-    width: 8.3333333333%;
-  }
-
+    width: 8.3333333333%; }
   .col-md-2 {
-    width: 16.6666666667%;
-  }
-
+    width: 16.6666666667%; }
   .col-md-3 {
-    width: 25%;
-  }
-
+    width: 25%; }
   .col-md-4 {
-    width: 33.3333333333%;
-  }
-
+    width: 33.3333333333%; }
   .col-md-5 {
-    width: 41.6666666667%;
-  }
-
+    width: 41.6666666667%; }
   .col-md-6 {
-    width: 50%;
-  }
-
+    width: 50%; }
   .col-md-7 {
-    width: 58.3333333333%;
-  }
-
+    width: 58.3333333333%; }
   .col-md-8 {
-    width: 66.6666666667%;
-  }
-
+    width: 66.6666666667%; }
   .col-md-9 {
-    width: 75%;
-  }
-
+    width: 75%; }
   .col-md-10 {
-    width: 83.3333333333%;
-  }
-
+    width: 83.3333333333%; }
   .col-md-11 {
-    width: 91.6666666667%;
-  }
-
+    width: 91.6666666667%; }
   .col-md-12 {
-    width: 100%;
-  }
-
+    width: 100%; }
   .col-md-pull-0 {
-    right: auto;
-  }
-
+    right: auto; }
   .col-md-pull-1 {
-    right: 8.3333333333%;
-  }
-
+    right: 8.3333333333%; }
   .col-md-pull-2 {
-    right: 16.6666666667%;
-  }
-
+    right: 16.6666666667%; }
   .col-md-pull-3 {
-    right: 25%;
-  }
-
+    right: 25%; }
   .col-md-pull-4 {
-    right: 33.3333333333%;
-  }
-
+    right: 33.3333333333%; }
   .col-md-pull-5 {
-    right: 41.6666666667%;
-  }
-
+    right: 41.6666666667%; }
   .col-md-pull-6 {
-    right: 50%;
-  }
-
+    right: 50%; }
   .col-md-pull-7 {
-    right: 58.3333333333%;
-  }
-
+    right: 58.3333333333%; }
   .col-md-pull-8 {
-    right: 66.6666666667%;
-  }
-
+    right: 66.6666666667%; }
   .col-md-pull-9 {
-    right: 75%;
-  }
-
+    right: 75%; }
   .col-md-pull-10 {
-    right: 83.3333333333%;
-  }
-
+    right: 83.3333333333%; }
   .col-md-pull-11 {
-    right: 91.6666666667%;
-  }
-
+    right: 91.6666666667%; }
   .col-md-pull-12 {
-    right: 100%;
-  }
-
+    right: 100%; }
   .col-md-push-0 {
-    left: auto;
-  }
-
+    left: auto; }
   .col-md-push-1 {
-    left: 8.3333333333%;
-  }
-
+    left: 8.3333333333%; }
   .col-md-push-2 {
-    left: 16.6666666667%;
-  }
-
+    left: 16.6666666667%; }
   .col-md-push-3 {
-    left: 25%;
-  }
-
+    left: 25%; }
   .col-md-push-4 {
-    left: 33.3333333333%;
-  }
-
+    left: 33.3333333333%; }
   .col-md-push-5 {
-    left: 41.6666666667%;
-  }
-
+    left: 41.6666666667%; }
   .col-md-push-6 {
-    left: 50%;
-  }
-
+    left: 50%; }
   .col-md-push-7 {
-    left: 58.3333333333%;
-  }
-
+    left: 58.3333333333%; }
   .col-md-push-8 {
-    left: 66.6666666667%;
-  }
-
+    left: 66.6666666667%; }
   .col-md-push-9 {
-    left: 75%;
-  }
-
+    left: 75%; }
   .col-md-push-10 {
-    left: 83.3333333333%;
-  }
-
+    left: 83.3333333333%; }
   .col-md-push-11 {
-    left: 91.6666666667%;
-  }
-
+    left: 91.6666666667%; }
   .col-md-push-12 {
-    left: 100%;
-  }
-
+    left: 100%; }
   .col-md-offset-0 {
-    margin-left: 0%;
-  }
-
+    margin-left: 0%; }
   .col-md-offset-1 {
-    margin-left: 8.3333333333%;
-  }
-
+    margin-left: 8.3333333333%; }
   .col-md-offset-2 {
-    margin-left: 16.6666666667%;
-  }
-
+    margin-left: 16.6666666667%; }
   .col-md-offset-3 {
-    margin-left: 25%;
-  }
-
+    margin-left: 25%; }
   .col-md-offset-4 {
-    margin-left: 33.3333333333%;
-  }
-
+    margin-left: 33.3333333333%; }
   .col-md-offset-5 {
-    margin-left: 41.6666666667%;
-  }
-
+    margin-left: 41.6666666667%; }
   .col-md-offset-6 {
-    margin-left: 50%;
-  }
-
+    margin-left: 50%; }
   .col-md-offset-7 {
-    margin-left: 58.3333333333%;
-  }
-
+    margin-left: 58.3333333333%; }
   .col-md-offset-8 {
-    margin-left: 66.6666666667%;
-  }
-
+    margin-left: 66.6666666667%; }
   .col-md-offset-9 {
-    margin-left: 75%;
-  }
-
+    margin-left: 75%; }
   .col-md-offset-10 {
-    margin-left: 83.3333333333%;
-  }
-
+    margin-left: 83.3333333333%; }
   .col-md-offset-11 {
-    margin-left: 91.6666666667%;
-  }
-
+    margin-left: 91.6666666667%; }
   .col-md-offset-12 {
-    margin-left: 100%;
-  }
-}
+    margin-left: 100%; } }
+
 @media (min-width: 1200px) {
   .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 {
-    float: left;
-  }
-
+    float: left; }
   .col-lg-1 {
-    width: 8.3333333333%;
-  }
-
+    width: 8.3333333333%; }
   .col-lg-2 {
-    width: 16.6666666667%;
-  }
-
+    width: 16.6666666667%; }
   .col-lg-3 {
-    width: 25%;
-  }
-
+    width: 25%; }
   .col-lg-4 {
-    width: 33.3333333333%;
-  }
-
+    width: 33.3333333333%; }
   .col-lg-5 {
-    width: 41.6666666667%;
-  }
-
+    width: 41.6666666667%; }
   .col-lg-6 {
-    width: 50%;
-  }
-
+    width: 50%; }
   .col-lg-7 {
-    width: 58.3333333333%;
-  }
-
+    width: 58.3333333333%; }
   .col-lg-8 {
-    width: 66.6666666667%;
-  }
-
+    width: 66.6666666667%; }
   .col-lg-9 {
-    width: 75%;
-  }
-
+    width: 75%; }
   .col-lg-10 {
-    width: 83.3333333333%;
-  }
-
+    width: 83.3333333333%; }
   .col-lg-11 {
-    width: 91.6666666667%;
-  }
-
+    width: 91.6666666667%; }
   .col-lg-12 {
-    width: 100%;
-  }
-
+    width: 100%; }
   .col-lg-pull-0 {
-    right: auto;
-  }
-
+    right: auto; }
   .col-lg-pull-1 {
-    right: 8.3333333333%;
-  }
-
+    right: 8.3333333333%; }
   .col-lg-pull-2 {
-    right: 16.6666666667%;
-  }
-
+    right: 16.6666666667%; }
   .col-lg-pull-3 {
-    right: 25%;
-  }
-
+    right: 25%; }
   .col-lg-pull-4 {
-    right: 33.3333333333%;
-  }
-
+    right: 33.3333333333%; }
   .col-lg-pull-5 {
-    right: 41.6666666667%;
-  }
-
+    right: 41.6666666667%; }
   .col-lg-pull-6 {
-    right: 50%;
-  }
-
+    right: 50%; }
   .col-lg-pull-7 {
-    right: 58.3333333333%;
-  }
-
+    right: 58.3333333333%; }
   .col-lg-pull-8 {
-    right: 66.6666666667%;
-  }
-
+    right: 66.6666666667%; }
   .col-lg-pull-9 {
-    right: 75%;
-  }
-
+    right: 75%; }
   .col-lg-pull-10 {
-    right: 83.3333333333%;
-  }
-
+    right: 83.3333333333%; }
   .col-lg-pull-11 {
-    right: 91.6666666667%;
-  }
-
+    right: 91.6666666667%; }
   .col-lg-pull-12 {
-    right: 100%;
-  }
-
+    right: 100%; }
   .col-lg-push-0 {
-    left: auto;
-  }
-
+    left: auto; }
   .col-lg-push-1 {
-    left: 8.3333333333%;
-  }
-
+    left: 8.3333333333%; }
   .col-lg-push-2 {
-    left: 16.6666666667%;
-  }
-
+    left: 16.6666666667%; }
   .col-lg-push-3 {
-    left: 25%;
-  }
-
+    left: 25%; }
   .col-lg-push-4 {
-    left: 33.3333333333%;
-  }
-
+    left: 33.3333333333%; }
   .col-lg-push-5 {
-    left: 41.6666666667%;
-  }
-
+    left: 41.6666666667%; }
   .col-lg-push-6 {
-    left: 50%;
-  }
-
+    left: 50%; }
   .col-lg-push-7 {
-    left: 58.3333333333%;
-  }
-
+    left: 58.3333333333%; }
   .col-lg-push-8 {
-    left: 66.6666666667%;
-  }
-
+    left: 66.6666666667%; }
   .col-lg-push-9 {
-    left: 75%;
-  }
-
+    left: 75%; }
   .col-lg-push-10 {
-    left: 83.3333333333%;
-  }
-
+    left: 83.3333333333%; }
   .col-lg-push-11 {
-    left: 91.6666666667%;
-  }
-
+    left: 91.6666666667%; }
   .col-lg-push-12 {
-    left: 100%;
-  }
-
+    left: 100%; }
   .col-lg-offset-0 {
-    margin-left: 0%;
-  }
-
+    margin-left: 0%; }
   .col-lg-offset-1 {
-    margin-left: 8.3333333333%;
-  }
-
+    margin-left: 8.3333333333%; }
   .col-lg-offset-2 {
-    margin-left: 16.6666666667%;
-  }
-
+    margin-left: 16.6666666667%; }
   .col-lg-offset-3 {
-    margin-left: 25%;
-  }
-
+    margin-left: 25%; }
   .col-lg-offset-4 {
-    margin-left: 33.3333333333%;
-  }
-
+    margin-left: 33.3333333333%; }
   .col-lg-offset-5 {
-    margin-left: 41.6666666667%;
-  }
-
+    margin-left: 41.6666666667%; }
   .col-lg-offset-6 {
-    margin-left: 50%;
-  }
-
+    margin-left: 50%; }
   .col-lg-offset-7 {
-    margin-left: 58.3333333333%;
-  }
-
+    margin-left: 58.3333333333%; }
   .col-lg-offset-8 {
-    margin-left: 66.6666666667%;
-  }
-
+    margin-left: 66.6666666667%; }
   .col-lg-offset-9 {
-    margin-left: 75%;
-  }
-
+    margin-left: 75%; }
   .col-lg-offset-10 {
-    margin-left: 83.3333333333%;
-  }
-
+    margin-left: 83.3333333333%; }
   .col-lg-offset-11 {
-    margin-left: 91.6666666667%;
-  }
-
+    margin-left: 91.6666666667%; }
   .col-lg-offset-12 {
-    margin-left: 100%;
-  }
-}
+    margin-left: 100%; } }
+
 table {
   background-color: transparent;
-  color: #ccc;
-}
+  color: #ccc; }
 
 th {
-  text-align: left;
-}
+  text-align: left; }
 
 .table {
   width: 100%;
   max-width: 100%;
-  margin-bottom: 20px;
-}
-.table > thead > tr > th,
-.table > thead > tr > td,
-.table > tbody > tr > th,
-.table > tbody > tr > td,
-.table > tfoot > tr > th,
-.table > tfoot > tr > td {
-  padding: 10px 0px 10px 20px;
-  line-height: 1.428571429;
-  vertical-align: top;
-  border-top: 1px solid #111;
-}
-.table > thead > tr > th {
-  vertical-align: bottom;
-  border-bottom: 1px solid #111;
-}
-.table > caption + thead > tr:first-child > th,
-.table > caption + thead > tr:first-child > td,
-.table > colgroup + thead > tr:first-child > th,
-.table > colgroup + thead > tr:first-child > td,
-.table > thead:first-child > tr:first-child > th,
-.table > thead:first-child > tr:first-child > td {
-  border-top: 0;
-  font-family: "SourceSansProSemibold";
-  font-weight: normal;
-}
-.table > tbody + tbody {
-  border-top: 2px solid #111;
-}
-.table .table {
-  background-color: #333;
-}
-
-.table-condensed > thead > tr > th,
-.table-condensed > thead > tr > td,
-.table-condensed > tbody > tr > th,
-.table-condensed > tbody > tr > td,
-.table-condensed > tfoot > tr > th,
-.table-condensed > tfoot > tr > td {
-  padding: 5px;
-}
+  margin-bottom: 20px; }
+  .table > thead > tr > th, .table > thead > tr > td {
+    padding: 10px 0px 10px 20px;
+    line-height: 1.428571429;
+    vertical-align: top;
+    border-top: 1px solid #111; }
+  .table > tbody > tr > th, .table > tbody > tr > td {
+    padding: 10px 0px 10px 20px;
+    line-height: 1.428571429;
+    vertical-align: top;
+    border-top: 1px solid #111; }
+  .table > tfoot > tr > th, .table > tfoot > tr > td {
+    padding: 10px 0px 10px 20px;
+    line-height: 1.428571429;
+    vertical-align: top;
+    border-top: 1px solid #111; }
+  .table > thead > tr > th {
+    vertical-align: bottom;
+    border-bottom: 1px solid #111; }
+  .table > caption + thead > tr:first-child > th, .table > caption + thead > tr:first-child > td {
+    border-top: 0;
+    font-family: "SourceSansProSemibold";
+    font-weight: normal; }
+  .table > colgroup + thead > tr:first-child > th, .table > colgroup + thead > tr:first-child > td {
+    border-top: 0;
+    font-family: "SourceSansProSemibold";
+    font-weight: normal; }
+  .table > thead:first-child > tr:first-child > th, .table > thead:first-child > tr:first-child > td {
+    border-top: 0;
+    font-family: "SourceSansProSemibold";
+    font-weight: normal; }
+  .table > tbody + tbody {
+    border-top: 2px solid #111; }
+  .table .table {
+    background-color: #333; }
+
+.table-condensed > thead > tr > th, .table-condensed > thead > tr > td {
+  padding: 5px; }
+
+.table-condensed > tbody > tr > th, .table-condensed > tbody > tr > td {
+  padding: 5px; }
+
+.table-condensed > tfoot > tr > th, .table-condensed > tfoot > tr > td {
+  padding: 5px; }
 
 .table-bordered {
-  border: 1px solid #111;
-}
-.table-bordered > thead > tr > th,
-.table-bordered > thead > tr > td,
-.table-bordered > tbody > tr > th,
-.table-bordered > tbody > tr > td,
-.table-bordered > tfoot > tr > th,
-.table-bordered > tfoot > tr > td {
-  border: 1px solid #111;
-}
-.table-bordered > thead > tr > th,
-.table-bordered > thead > tr > td {
-  border-bottom-width: 2px;
-}
-
-.table-striped > tbody > tr:nth-child(odd) > td,
-.table-striped > tbody > tr:nth-child(odd) > th {
-  background-color: #232323;
-}
-
-.table-hover > tbody > tr:hover > td,
-.table-hover > tbody > tr:hover > th {
-  background-color: #484848;
-}
+  border: 1px solid #111; }
+  .table-bordered > thead > tr > th, .table-bordered > thead > tr > td {
+    border: 1px solid #111; }
+  .table-bordered > tbody > tr > th, .table-bordered > tbody > tr > td {
+    border: 1px solid #111; }
+  .table-bordered > tfoot > tr > th, .table-bordered > tfoot > tr > td {
+    border: 1px solid #111; }
+  .table-bordered > thead > tr > th, .table-bordered > thead > tr > td {
+    border-bottom-width: 2px; }
+
+.table-striped > tbody > tr:nth-child(odd) > td, .table-striped > tbody > tr:nth-child(odd) > th {
+  background-color: #232323; }
+
+.table-hover > tbody > tr:hover > td, .table-hover > tbody > tr:hover > th {
+  background-color: #484848; }
 
 table col[class*=col-] {
   position: static;
   float: none;
-  display: table-column;
-}
+  display: table-column; }
 
-table td[class*=col-],
-table th[class*=col-] {
+table td[class*=col-], table th[class*=col-] {
   position: static;
   float: none;
-  display: table-cell;
-}
-
-.table > thead > tr > td.active,
-.table > thead > tr > th.active, .table > thead > tr.active > td, .table > thead > tr.active > th,
-.table > tbody > tr > td.active,
-.table > tbody > tr > th.active,
-.table > tbody > tr.active > td,
-.table > tbody > tr.active > th,
-.table > tfoot > tr > td.active,
-.table > tfoot > tr > th.active,
-.table > tfoot > tr.active > td,
-.table > tfoot > tr.active > th {
-  background-color: #484848;
-}
-
-.table-hover > tbody > tr > td.active:hover,
-.table-hover > tbody > tr > th.active:hover, .table-hover > tbody > tr.active:hover > td, .table-hover > tbody > tr:hover > .active, .table-hover > tbody > tr.active:hover > th {
-  background-color: #3b3b3b;
-}
-
-.table > thead > tr > td.success,
-.table > thead > tr > th.success, .table > thead > tr.success > td, .table > thead > tr.success > th,
-.table > tbody > tr > td.success,
-.table > tbody > tr > th.success,
-.table > tbody > tr.success > td,
-.table > tbody > tr.success > th,
-.table > tfoot > tr > td.success,
-.table > tfoot > tr > th.success,
-.table > tfoot > tr.success > td,
-.table > tfoot > tr.success > th {
-  background-color: #7Ba255;
-}
-
-.table-hover > tbody > tr > td.success:hover,
-.table-hover > tbody > tr > th.success:hover, .table-hover > tbody > tr.success:hover > td, .table-hover > tbody > tr:hover > .success, .table-hover > tbody > tr.success:hover > th {
-  background-color: #6e914c;
-}
-
-.table > thead > tr > td.info,
-.table > thead > tr > th.info, .table > thead > tr.info > td, .table > thead > tr.info > th,
-.table > tbody > tr > td.info,
-.table > tbody > tr > th.info,
-.table > tbody > tr.info > td,
-.table > tbody > tr.info > th,
-.table > tfoot > tr > td.info,
-.table > tfoot > tr > th.info,
-.table > tfoot > tr.info > td,
-.table > tfoot > tr.info > th {
-  background-color: #4545a7;
-}
-
-.table-hover > tbody > tr > td.info:hover,
-.table-hover > tbody > tr > th.info:hover, .table-hover > tbody > tr.info:hover > td, .table-hover > tbody > tr:hover > .info, .table-hover > tbody > tr.info:hover > th {
-  background-color: #3e3e95;
-}
-
-.table > thead > tr > td.warning,
-.table > thead > tr > th.warning, .table > thead > tr.warning > td, .table > thead > tr.warning > th,
-.table > tbody > tr > td.warning,
-.table > tbody > tr > th.warning,
-.table > tbody > tr.warning > td,
-.table > tbody > tr.warning > th,
-.table > tfoot > tr > td.warning,
-.table > tfoot > tr > th.warning,
-.table > tfoot > tr.warning > td,
-.table > tfoot > tr.warning > th {
-  background-color: #B93F25;
-}
-
-.table-hover > tbody > tr > td.warning:hover,
-.table-hover > tbody > tr > th.warning:hover, .table-hover > tbody > tr.warning:hover > td, .table-hover > tbody > tr:hover > .warning, .table-hover > tbody > tr.warning:hover > th {
-  background-color: #C94F35;
-}
-
-.table > thead > tr > td.danger,
-.table > thead > tr > th.danger, .table > thead > tr.danger > td, .table > thead > tr.danger > th,
-.table > tbody > tr > td.danger,
-.table > tbody > tr > th.danger,
-.table > tbody > tr.danger > td,
-.table > tbody > tr.danger > th,
-.table > tfoot > tr > td.danger,
-.table > tfoot > tr > th.danger,
-.table > tfoot > tr.danger > td,
-.table > tfoot > tr.danger > th {
-  background-color: #F05050;
-}
+  display: table-cell; }
+
+.table > thead > tr > td.active, .table > thead > tr > th.active {
+  background-color: #484848; }
+
+.table > thead > tr.active > td, .table > thead > tr.active > th {
+  background-color: #484848; }
+
+.table > tbody > tr > td.active, .table > tbody > tr > th.active {
+  background-color: #484848; }
+
+.table > tbody > tr.active > td, .table > tbody > tr.active > th {
+  background-color: #484848; }
+
+.table > tfoot > tr > td.active, .table > tfoot > tr > th.active {
+  background-color: #484848; }
+
+.table > tfoot > tr.active > td, .table > tfoot > tr.active > th {
+  background-color: #484848; }
+
+.table-hover > tbody > tr > td.active:hover, .table-hover > tbody > tr > th.active:hover {
+  background-color: #3b3b3b; }
+
+.table-hover > tbody > tr.active:hover > td, .table-hover > tbody > tr:hover > .active, .table-hover > tbody > tr.active:hover > th {
+  background-color: #3b3b3b; }
+
+.table > thead > tr > td.success, .table > thead > tr > th.success {
+  background-color: #7Ba255; }
+
+.table > thead > tr.success > td, .table > thead > tr.success > th {
+  background-color: #7Ba255; }
+
+.table > tbody > tr > td.success, .table > tbody > tr > th.success {
+  background-color: #7Ba255; }
+
+.table > tbody > tr.success > td, .table > tbody > tr.success > th {
+  background-color: #7Ba255; }
+
+.table > tfoot > tr > td.success, .table > tfoot > tr > th.success {
+  background-color: #7Ba255; }
+
+.table > tfoot > tr.success > td, .table > tfoot > tr.success > th {
+  background-color: #7Ba255; }
+
+.table-hover > tbody > tr > td.success:hover, .table-hover > tbody > tr > th.success:hover {
+  background-color: #6e914c; }
+
+.table-hover > tbody > tr.success:hover > td, .table-hover > tbody > tr:hover > .success, .table-hover > tbody > tr.success:hover > th {
+  background-color: #6e914c; }
+
+.table > thead > tr > td.info, .table > thead > tr > th.info {
+  background-color: #4545a7; }
+
+.table > thead > tr.info > td, .table > thead > tr.info > th {
+  background-color: #4545a7; }
+
+.table > tbody > tr > td.info, .table > tbody > tr > th.info {
+  background-color: #4545a7; }
+
+.table > tbody > tr.info > td, .table > tbody > tr.info > th {
+  background-color: #4545a7; }
+
+.table > tfoot > tr > td.info, .table > tfoot > tr > th.info {
+  background-color: #4545a7; }
+
+.table > tfoot > tr.info > td, .table > tfoot > tr.info > th {
+  background-color: #4545a7; }
+
+.table-hover > tbody > tr > td.info:hover, .table-hover > tbody > tr > th.info:hover {
+  background-color: #3e3e95; }
+
+.table-hover > tbody > tr.info:hover > td, .table-hover > tbody > tr:hover > .info, .table-hover > tbody > tr.info:hover > th {
+  background-color: #3e3e95; }
+
+.table > thead > tr > td.warning, .table > thead > tr > th.warning {
+  background-color: #B93F25; }
+
+.table > thead > tr.warning > td, .table > thead > tr.warning > th {
+  background-color: #B93F25; }
+
+.table > tbody > tr > td.warning, .table > tbody > tr > th.warning {
+  background-color: #B93F25; }
+
+.table > tbody > tr.warning > td, .table > tbody > tr.warning > th {
+  background-color: #B93F25; }
 
-.table-hover > tbody > tr > td.danger:hover,
-.table-hover > tbody > tr > th.danger:hover, .table-hover > tbody > tr.danger:hover > td, .table-hover > tbody > tr:hover > .danger, .table-hover > tbody > tr.danger:hover > th {
-  background-color: #ee3939;
-}
+.table > tfoot > tr > td.warning, .table > tfoot > tr > th.warning {
+  background-color: #B93F25; }
+
+.table > tfoot > tr.warning > td, .table > tfoot > tr.warning > th {
+  background-color: #B93F25; }
+
+.table-hover > tbody > tr > td.warning:hover, .table-hover > tbody > tr > th.warning:hover {
+  background-color: #C94F35; }
+
+.table-hover > tbody > tr.warning:hover > td, .table-hover > tbody > tr:hover > .warning, .table-hover > tbody > tr.warning:hover > th {
+  background-color: #C94F35; }
+
+.table > thead > tr > td.danger, .table > thead > tr > th.danger {
+  background-color: #F05050; }
+
+.table > thead > tr.danger > td, .table > thead > tr.danger > th {
+  background-color: #F05050; }
+
+.table > tbody > tr > td.danger, .table > tbody > tr > th.danger {
+  background-color: #F05050; }
+
+.table > tbody > tr.danger > td, .table > tbody > tr.danger > th {
+  background-color: #F05050; }
+
+.table > tfoot > tr > td.danger, .table > tfoot > tr > th.danger {
+  background-color: #F05050; }
+
+.table > tfoot > tr.danger > td, .table > tfoot > tr.danger > th {
+  background-color: #F05050; }
+
+.table-hover > tbody > tr > td.danger:hover, .table-hover > tbody > tr > th.danger:hover {
+  background-color: #ee3939; }
+
+.table-hover > tbody > tr.danger:hover > td, .table-hover > tbody > tr:hover > .danger, .table-hover > tbody > tr.danger:hover > th {
+  background-color: #ee3939; }
 
 @media screen and (max-width: 767px) {
   .table-responsive {
@@ -2797,44 +2059,39 @@ table th[class*=col-] {
     overflow-x: auto;
     -ms-overflow-style: -ms-autohiding-scrollbar;
     /*     border: 1px solid $table-border-color; */
-    -webkit-overflow-scrolling: touch;
-  }
-  .table-responsive > .table {
-    margin-bottom: 0;
-  }
-  .table-responsive > .table-bordered {
-    border: 0;
-  }
-  .table-responsive > .table-bordered > thead > tr > th:first-child,
-.table-responsive > .table-bordered > thead > tr > td:first-child,
-.table-responsive > .table-bordered > tbody > tr > th:first-child,
-.table-responsive > .table-bordered > tbody > tr > td:first-child,
-.table-responsive > .table-bordered > tfoot > tr > th:first-child,
-.table-responsive > .table-bordered > tfoot > tr > td:first-child {
-    border-left: 0;
-  }
-  .table-responsive > .table-bordered > thead > tr > th:last-child,
-.table-responsive > .table-bordered > thead > tr > td:last-child,
-.table-responsive > .table-bordered > tbody > tr > th:last-child,
-.table-responsive > .table-bordered > tbody > tr > td:last-child,
-.table-responsive > .table-bordered > tfoot > tr > th:last-child,
-.table-responsive > .table-bordered > tfoot > tr > td:last-child {
-    border-right: 0;
-  }
-  .table-responsive > .table-bordered > tbody > tr:last-child > th,
-.table-responsive > .table-bordered > tbody > tr:last-child > td,
-.table-responsive > .table-bordered > tfoot > tr:last-child > th,
-.table-responsive > .table-bordered > tfoot > tr:last-child > td {
-    border-bottom: 0;
-  }
-}
+    -webkit-overflow-scrolling: touch; }
+    .table-responsive > .table {
+      margin-bottom: 0; }
+      .table-responsive > .table > thead > tr > th, .table-responsive > .table > thead > tr > td {
+        white-space: nowrap; }
+      .table-responsive > .table > tbody > tr > th, .table-responsive > .table > tbody > tr > td {
+        white-space: nowrap; }
+      .table-responsive > .table > tfoot > tr > th, .table-responsive > .table > tfoot > tr > td {
+        white-space: nowrap; }
+    .table-responsive > .table-bordered {
+      border: 0; }
+      .table-responsive > .table-bordered > thead > tr > th:first-child, .table-responsive > .table-bordered > thead > tr > td:first-child {
+        border-left: 0; }
+      .table-responsive > .table-bordered > tbody > tr > th:first-child, .table-responsive > .table-bordered > tbody > tr > td:first-child {
+        border-left: 0; }
+      .table-responsive > .table-bordered > tfoot > tr > th:first-child, .table-responsive > .table-bordered > tfoot > tr > td:first-child {
+        border-left: 0; }
+      .table-responsive > .table-bordered > thead > tr > th:last-child, .table-responsive > .table-bordered > thead > tr > td:last-child {
+        border-right: 0; }
+      .table-responsive > .table-bordered > tbody > tr > th:last-child, .table-responsive > .table-bordered > tbody > tr > td:last-child {
+        border-right: 0; }
+      .table-responsive > .table-bordered > tfoot > tr > th:last-child, .table-responsive > .table-bordered > tfoot > tr > td:last-child {
+        border-right: 0; }
+      .table-responsive > .table-bordered > tbody > tr:last-child > th, .table-responsive > .table-bordered > tbody > tr:last-child > td {
+        border-bottom: 0; }
+      .table-responsive > .table-bordered > tfoot > tr:last-child > th, .table-responsive > .table-bordered > tfoot > tr:last-child > td {
+        border-bottom: 0; } }
 
 fieldset {
   padding: 0;
   margin: 0;
   border: 0;
-  min-width: 0;
-}
+  min-width: 0; }
 
 legend {
   display: block;
@@ -2845,75 +2102,65 @@ legend {
   line-height: inherit;
   color: #333333;
   border: 0;
-  border-bottom: 1px solid #e5e5e5;
-}
+  border-bottom: 1px solid #e5e5e5; }
 
 label {
   display: inline-block;
   max-width: 100%;
   margin-bottom: 5px;
-  font-weight: normal;
-}
+  font-weight: normal; }
 
 input[type=search] {
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
-  box-sizing: border-box;
-}
+  box-sizing: border-box; }
 
-input[type=radio],
-input[type=checkbox] {
+input[type=radio], input[type=checkbox] {
   margin: 4px 0 0;
   margin-top: 1px \9;
-  line-height: normal;
-}
+  line-height: normal; }
 
 input[type=file] {
-  display: block;
-}
+  display: block; }
 
 input[type=range] {
   display: block;
-  width: 100%;
-}
+  width: 100%; }
 
-select[multiple],
-select[size] {
-  height: auto;
-}
+select[multiple], select[size] {
+  height: auto; }
 
-input[type=file]:focus,
-input[type=radio]:focus,
-input[type=checkbox]:focus {
+input[type=file]:focus, input[type=radio]:focus, input[type=checkbox]:focus {
   outline: thin dotted;
   outline: 5px auto -webkit-focus-ring-color;
-  outline-offset: -2px;
-}
+  outline-offset: -2px; }
 
 output {
   display: block;
   padding-top: 7px;
   font-size: 14px;
   line-height: 1.428571429;
+  color: #ccc; }
+
+select, textarea {
+  display: block;
+  width: 100%;
+  height: 34px;
+  padding: 6px 12px;
+  font-size: 14px;
+  line-height: 1.428571429;
   color: #ccc;
-}
-
-select,
-textarea,
-input[type=text],
-input[type=password],
-input[type=datetime],
-input[type=datetime-local],
-input[type=date],
-input[type=month],
-input[type=time],
-input[type=week],
-input[type=number],
-input[type=email],
-input[type=url],
-input[type=search],
-input[type=tel],
-input[type=color] {
+  background-color: #333;
+  background-image: none;
+  border: 1px solid #ccc;
+  border-radius: 3px;
+  text-overflow: ellipsis;
+  max-width: 348px;
+  -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+  -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s; }
+
+input[type=text], input[type=password], input[type=datetime], input[type=datetime-local], input[type=date], input[type=month], input[type=time], input[type=week], input[type=number], input[type=email], input[type=url], input[type=search], input[type=tel], input[type=color] {
   display: block;
   width: 100%;
   height: 34px;
@@ -2929,336 +2176,488 @@ input[type=color] {
   max-width: 348px;
   -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
   -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-}
-select:focus,
-textarea:focus,
-input[type=text]:focus,
-input[type=password]:focus,
-input[type=datetime]:focus,
-input[type=datetime-local]:focus,
-input[type=date]:focus,
-input[type=month]:focus,
-input[type=time]:focus,
-input[type=week]:focus,
-input[type=number]:focus,
-input[type=email]:focus,
-input[type=url]:focus,
-input[type=search]:focus,
-input[type=tel]:focus,
-input[type=color]:focus {
+  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s; }
+
+select:focus, textarea:focus {
   border-color: #66afe9;
   outline: 0;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 8px rgba(102, 175, 233, 0.6);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 8px rgba(102, 175, 233, 0.6);
-}
-select::-moz-placeholder,
-textarea::-moz-placeholder,
-input[type=text]::-moz-placeholder,
-input[type=password]::-moz-placeholder,
-input[type=datetime]::-moz-placeholder,
-input[type=datetime-local]::-moz-placeholder,
-input[type=date]::-moz-placeholder,
-input[type=month]::-moz-placeholder,
-input[type=time]::-moz-placeholder,
-input[type=week]::-moz-placeholder,
-input[type=number]::-moz-placeholder,
-input[type=email]::-moz-placeholder,
-input[type=url]::-moz-placeholder,
-input[type=search]::-moz-placeholder,
-input[type=tel]::-moz-placeholder,
-input[type=color]::-moz-placeholder {
-  color: #DDd;
-  opacity: 1;
-}
-select:-ms-input-placeholder,
-textarea:-ms-input-placeholder,
-input[type=text]:-ms-input-placeholder,
-input[type=password]:-ms-input-placeholder,
-input[type=datetime]:-ms-input-placeholder,
-input[type=datetime-local]:-ms-input-placeholder,
-input[type=date]:-ms-input-placeholder,
-input[type=month]:-ms-input-placeholder,
-input[type=time]:-ms-input-placeholder,
-input[type=week]:-ms-input-placeholder,
-input[type=number]:-ms-input-placeholder,
-input[type=email]:-ms-input-placeholder,
-input[type=url]:-ms-input-placeholder,
-input[type=search]:-ms-input-placeholder,
-input[type=tel]:-ms-input-placeholder,
-input[type=color]:-ms-input-placeholder {
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 8px rgba(102, 175, 233, 0.6); }
+
+input[type=text]:focus, input[type=password]:focus, input[type=datetime]:focus, input[type=datetime-local]:focus, input[type=date]:focus, input[type=month]:focus, input[type=time]:focus, input[type=week]:focus, input[type=number]:focus, input[type=email]:focus, input[type=url]:focus, input[type=search]:focus, input[type=tel]:focus, input[type=color]:focus {
+  border-color: #66afe9;
+  outline: 0;
+  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 8px rgba(102, 175, 233, 0.6);
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 8px rgba(102, 175, 233, 0.6); }
+
+select::-moz-placeholder, textarea::-moz-placeholder {
   color: #DDd;
-}
-select::-webkit-input-placeholder,
-textarea::-webkit-input-placeholder,
-input[type=text]::-webkit-input-placeholder,
-input[type=password]::-webkit-input-placeholder,
-input[type=datetime]::-webkit-input-placeholder,
-input[type=datetime-local]::-webkit-input-placeholder,
-input[type=date]::-webkit-input-placeholder,
-input[type=month]::-webkit-input-placeholder,
-input[type=time]::-webkit-input-placeholder,
-input[type=week]::-webkit-input-placeholder,
-input[type=number]::-webkit-input-placeholder,
-input[type=email]::-webkit-input-placeholder,
-input[type=url]::-webkit-input-placeholder,
-input[type=search]::-webkit-input-placeholder,
-input[type=tel]::-webkit-input-placeholder,
-input[type=color]::-webkit-input-placeholder {
+  opacity: 1; }
+
+input[type=text]::-moz-placeholder, input[type=password]::-moz-placeholder, input[type=datetime]::-moz-placeholder, input[type=datetime-local]::-moz-placeholder, input[type=date]::-moz-placeholder, input[type=month]::-moz-placeholder, input[type=time]::-moz-placeholder, input[type=week]::-moz-placeholder, input[type=number]::-moz-placeholder, input[type=email]::-moz-placeholder, input[type=url]::-moz-placeholder, input[type=search]::-moz-placeholder, input[type=tel]::-moz-placeholder, input[type=color]::-moz-placeholder {
   color: #DDd;
-}
-select[disabled], select[readonly], fieldset[disabled] select,
-textarea[disabled],
-textarea[readonly],
-fieldset[disabled] textarea,
-input[type=text][disabled],
-input[type=text][readonly],
-fieldset[disabled] input[type=text],
-input[type=password][disabled],
-input[type=password][readonly],
-fieldset[disabled] input[type=password],
-input[type=datetime][disabled],
-input[type=datetime][readonly],
-fieldset[disabled] input[type=datetime],
-input[type=datetime-local][disabled],
-input[type=datetime-local][readonly],
-fieldset[disabled] input[type=datetime-local],
-input[type=date][disabled],
-input[type=date][readonly],
-fieldset[disabled] input[type=date],
-input[type=month][disabled],
-input[type=month][readonly],
-fieldset[disabled] input[type=month],
-input[type=time][disabled],
-input[type=time][readonly],
-fieldset[disabled] input[type=time],
-input[type=week][disabled],
-input[type=week][readonly],
-fieldset[disabled] input[type=week],
-input[type=number][disabled],
-input[type=number][readonly],
-fieldset[disabled] input[type=number],
-input[type=email][disabled],
-input[type=email][readonly],
-fieldset[disabled] input[type=email],
-input[type=url][disabled],
-input[type=url][readonly],
-fieldset[disabled] input[type=url],
-input[type=search][disabled],
-input[type=search][readonly],
-fieldset[disabled] input[type=search],
-input[type=tel][disabled],
-input[type=tel][readonly],
-fieldset[disabled] input[type=tel],
-input[type=color][disabled],
-input[type=color][readonly],
+  opacity: 1; }
+
+select:-ms-input-placeholder, textarea:-ms-input-placeholder {
+  color: #DDd; }
+
+input[type=text]:-ms-input-placeholder, input[type=password]:-ms-input-placeholder, input[type=datetime]:-ms-input-placeholder, input[type=datetime-local]:-ms-input-placeholder, input[type=date]:-ms-input-placeholder, input[type=month]:-ms-input-placeholder, input[type=time]:-ms-input-placeholder, input[type=week]:-ms-input-placeholder, input[type=number]:-ms-input-placeholder, input[type=email]:-ms-input-placeholder, input[type=url]:-ms-input-placeholder, input[type=search]:-ms-input-placeholder, input[type=tel]:-ms-input-placeholder, input[type=color]:-ms-input-placeholder {
+  color: #DDd; }
+
+select::-webkit-input-placeholder, textarea::-webkit-input-placeholder {
+  color: #DDd; }
+
+input[type=text]::-webkit-input-placeholder, input[type=password]::-webkit-input-placeholder, input[type=datetime]::-webkit-input-placeholder, input[type=datetime-local]::-webkit-input-placeholder, input[type=date]::-webkit-input-placeholder, input[type=month]::-webkit-input-placeholder, input[type=time]::-webkit-input-placeholder, input[type=week]::-webkit-input-placeholder, input[type=number]::-webkit-input-placeholder, input[type=email]::-webkit-input-placeholder, input[type=url]::-webkit-input-placeholder, input[type=search]::-webkit-input-placeholder, input[type=tel]::-webkit-input-placeholder, input[type=color]::-webkit-input-placeholder {
+  color: #DDd; }
+
+select[disabled], select[readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] select {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+textarea[disabled], textarea[readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] textarea {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=text][disabled], input[type=text][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=text] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=password][disabled], input[type=password][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=password] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=datetime][disabled], input[type=datetime][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=datetime] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=datetime-local][disabled], input[type=datetime-local][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=datetime-local] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=date][disabled], input[type=date][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=date] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=month][disabled], input[type=month][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=month] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=time][disabled], input[type=time][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=time] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=week][disabled], input[type=week][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=week] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=number][disabled], input[type=number][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=number] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=email][disabled], input[type=email][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=email] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=url][disabled], input[type=url][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=url] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=search][disabled], input[type=search][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=search] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=tel][disabled], input[type=tel][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+fieldset[disabled] input[type=tel] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
+input[type=color][disabled], input[type=color][readonly] {
+  cursor: not-allowed;
+  background-color: #1a1a1a;
+  opacity: 1; }
+
 fieldset[disabled] input[type=color] {
   cursor: not-allowed;
   background-color: #1a1a1a;
-  opacity: 1;
-}
+  opacity: 1; }
 
 textarea {
-  height: auto;
-}
+  height: auto; }
 
 input[type=search] {
-  -webkit-appearance: none;
-}
+  -webkit-appearance: none; }
 
-input[type=date],
-input[type=time],
-input[type=datetime-local],
-input[type=month] {
+input[type=date], input[type=time], input[type=datetime-local], input[type=month] {
   line-height: 34px;
-  line-height: 1.428571429 \0;
-}
-input[type=date].input-sm, .input-group-sm > input[type=date].form-control,
-.input-group-sm > input[type=date].input-group-addon,
-.input-group-sm > .input-group-btn > input[type=date].btn, .form-horizontal .form-group-sm input[type=date].form-control,
-input[type=time].input-sm,
-.input-group-sm > input[type=time].form-control,
-.input-group-sm > input[type=time].input-group-addon,
-.input-group-sm > .input-group-btn > input[type=time].btn,
-.form-horizontal .form-group-sm input[type=time].form-control,
-input[type=datetime-local].input-sm,
-.input-group-sm > input[type=datetime-local].form-control,
-.input-group-sm > input[type=datetime-local].input-group-addon,
-.input-group-sm > .input-group-btn > input[type=datetime-local].btn,
-.form-horizontal .form-group-sm input[type=datetime-local].form-control,
-input[type=month].input-sm,
-.input-group-sm > input[type=month].form-control,
-.input-group-sm > input[type=month].input-group-addon,
-.input-group-sm > .input-group-btn > input[type=month].btn,
+  line-height: 1.428571429 \0; }
+
+input[type=date].input-sm {
+  line-height: 30px; }
+
+.input-group-sm > input[type=date].form-control, .input-group-sm > input[type=date].input-group-addon {
+  line-height: 30px; }
+
+.input-group-sm > .input-group-btn > input[type=date].btn {
+  line-height: 30px; }
+
+.form-horizontal .form-group-sm input[type=date].form-control, input[type=time].input-sm {
+  line-height: 30px; }
+
+.input-group-sm > input[type=time].form-control, .input-group-sm > input[type=time].input-group-addon {
+  line-height: 30px; }
+
+.input-group-sm > .input-group-btn > input[type=time].btn {
+  line-height: 30px; }
+
+.form-horizontal .form-group-sm input[type=time].form-control, input[type=datetime-local].input-sm {
+  line-height: 30px; }
+
+.input-group-sm > input[type=datetime-local].form-control, .input-group-sm > input[type=datetime-local].input-group-addon {
+  line-height: 30px; }
+
+.input-group-sm > .input-group-btn > input[type=datetime-local].btn {
+  line-height: 30px; }
+
+.form-horizontal .form-group-sm input[type=datetime-local].form-control, input[type=month].input-sm {
+  line-height: 30px; }
+
+.input-group-sm > input[type=month].form-control, .input-group-sm > input[type=month].input-group-addon {
+  line-height: 30px; }
+
+.input-group-sm > .input-group-btn > input[type=month].btn {
+  line-height: 30px; }
+
 .form-horizontal .form-group-sm input[type=month].form-control {
-  line-height: 30px;
-}
-input[type=date].input-lg, .input-group-lg > input[type=date].form-control,
-.input-group-lg > input[type=date].input-group-addon,
-.input-group-lg > .input-group-btn > input[type=date].btn, .form-horizontal .form-group-lg input[type=date].form-control,
-input[type=time].input-lg,
-.input-group-lg > input[type=time].form-control,
-.input-group-lg > input[type=time].input-group-addon,
-.input-group-lg > .input-group-btn > input[type=time].btn,
-.form-horizontal .form-group-lg input[type=time].form-control,
-input[type=datetime-local].input-lg,
-.input-group-lg > input[type=datetime-local].form-control,
-.input-group-lg > input[type=datetime-local].input-group-addon,
-.input-group-lg > .input-group-btn > input[type=datetime-local].btn,
-.form-horizontal .form-group-lg input[type=datetime-local].form-control,
-input[type=month].input-lg,
-.input-group-lg > input[type=month].form-control,
-.input-group-lg > input[type=month].input-group-addon,
-.input-group-lg > .input-group-btn > input[type=month].btn,
+  line-height: 30px; }
+
+input[type=date].input-lg {
+  line-height: 46px; }
+
+.input-group-lg > input[type=date].form-control, .input-group-lg > input[type=date].input-group-addon {
+  line-height: 46px; }
+
+.input-group-lg > .input-group-btn > input[type=date].btn {
+  line-height: 46px; }
+
+.form-horizontal .form-group-lg input[type=date].form-control, input[type=time].input-lg {
+  line-height: 46px; }
+
+.input-group-lg > input[type=time].form-control, .input-group-lg > input[type=time].input-group-addon {
+  line-height: 46px; }
+
+.input-group-lg > .input-group-btn > input[type=time].btn {
+  line-height: 46px; }
+
+.form-horizontal .form-group-lg input[type=time].form-control, input[type=datetime-local].input-lg {
+  line-height: 46px; }
+
+.input-group-lg > input[type=datetime-local].form-control, .input-group-lg > input[type=datetime-local].input-group-addon {
+  line-height: 46px; }
+
+.input-group-lg > .input-group-btn > input[type=datetime-local].btn {
+  line-height: 46px; }
+
+.form-horizontal .form-group-lg input[type=datetime-local].form-control, input[type=month].input-lg {
+  line-height: 46px; }
+
+.input-group-lg > input[type=month].form-control, .input-group-lg > input[type=month].input-group-addon {
+  line-height: 46px; }
+
+.input-group-lg > .input-group-btn > input[type=month].btn {
+  line-height: 46px; }
+
 .form-horizontal .form-group-lg input[type=month].form-control {
-  line-height: 46px;
-}
+  line-height: 46px; }
 
 .form-group {
-  margin-bottom: 15px;
-}
+  margin-bottom: 15px; }
 
-.radio,
-.checkbox {
+.radio, .checkbox {
   position: relative;
   display: block;
   min-height: 20px;
   margin-top: 10px;
-  margin-bottom: 10px;
-}
-.radio label,
-.checkbox label {
+  margin-bottom: 10px; }
+
+.radio label, .checkbox label {
   padding-left: 20px;
   margin-bottom: 0;
   font-weight: normal;
-  cursor: pointer;
-}
+  cursor: pointer; }
 
-.radio input[type=radio],
-.radio-inline input[type=radio],
-.checkbox input[type=checkbox],
-.checkbox-inline input[type=checkbox] {
+.radio input[type=radio], .radio-inline input[type=radio], .checkbox input[type=checkbox], .checkbox-inline input[type=checkbox] {
   position: absolute;
   margin-left: -20px;
-  margin-top: 4px \9;
-}
+  margin-top: 4px \9; }
 
-.radio + .radio,
-.checkbox + .checkbox {
-  margin-top: -5px;
-}
+.radio + .radio, .checkbox + .checkbox {
+  margin-top: -5px; }
 
-.radio-inline,
-.checkbox-inline {
+.radio-inline, .checkbox-inline {
   display: inline-block;
   padding-left: 20px;
   margin-bottom: 0;
   vertical-align: middle;
   font-weight: normal;
-  cursor: pointer;
-}
+  cursor: pointer; }
 
-.radio-inline + .radio-inline,
-.checkbox-inline + .checkbox-inline {
+.radio-inline + .radio-inline, .checkbox-inline + .checkbox-inline {
   margin-top: 0;
-  margin-left: 10px;
-}
+  margin-left: 10px; }
 
-input[type=radio][disabled], input[type=radio].disabled, fieldset[disabled] input[type=radio],
-input[type=checkbox][disabled],
-input[type=checkbox].disabled,
-fieldset[disabled] input[type=checkbox] {
-  cursor: not-allowed;
-}
+input[type=radio][disabled], input[type=radio].disabled {
+  cursor: not-allowed; }
 
-.radio-inline.disabled, fieldset[disabled] .radio-inline,
-.checkbox-inline.disabled,
-fieldset[disabled] .checkbox-inline {
-  cursor: not-allowed;
-}
+fieldset[disabled] input[type=radio] {
+  cursor: not-allowed; }
 
-.radio.disabled label, fieldset[disabled] .radio label,
-.checkbox.disabled label,
-fieldset[disabled] .checkbox label {
-  cursor: not-allowed;
-}
+input[type=checkbox][disabled], input[type=checkbox].disabled {
+  cursor: not-allowed; }
+
+fieldset[disabled] input[type=checkbox], .radio-inline.disabled, fieldset[disabled] .radio-inline, .checkbox-inline.disabled, fieldset[disabled] .checkbox-inline, .radio.disabled label, fieldset[disabled] .radio label, .checkbox.disabled label, fieldset[disabled] .checkbox label {
+  cursor: not-allowed; }
 
 .form-control-static {
   padding-top: 7px;
   padding-bottom: 7px;
-  margin-bottom: 0;
-}
-.form-control-static.input-lg, .input-group-lg > .form-control-static.form-control,
-.input-group-lg > .form-control-static.input-group-addon,
-.input-group-lg > .input-group-btn > .form-control-static.btn, .form-horizontal .form-group-lg .form-control-static.form-control, .form-control-static.input-sm, .input-group-sm > .form-control-static.form-control,
-.input-group-sm > .form-control-static.input-group-addon,
-.input-group-sm > .input-group-btn > .form-control-static.btn, .form-horizontal .form-group-sm .form-control-static.form-control {
+  margin-bottom: 0; }
+  .form-control-static.input-lg {
+    padding-left: 0;
+    padding-right: 0; }
+
+.input-group-lg > .form-control-static.form-control, .input-group-lg > .form-control-static.input-group-addon {
+  padding-left: 0;
+  padding-right: 0; }
+
+.input-group-lg > .input-group-btn > .form-control-static.btn {
+  padding-left: 0;
+  padding-right: 0; }
+
+.form-horizontal .form-group-lg .form-control-static.form-control, .form-control-static.input-sm {
+  padding-left: 0;
+  padding-right: 0; }
+
+.input-group-sm > .form-control-static.form-control, .input-group-sm > .form-control-static.input-group-addon {
   padding-left: 0;
-  padding-right: 0;
-}
+  padding-right: 0; }
 
-.input-sm, .input-group-sm > .form-control,
-.input-group-sm > .input-group-addon,
-.input-group-sm > .input-group-btn > .btn, .form-horizontal .form-group-sm .form-control {
+.input-group-sm > .input-group-btn > .form-control-static.btn {
+  padding-left: 0;
+  padding-right: 0; }
+
+.form-horizontal .form-group-sm .form-control-static.form-control {
+  padding-left: 0;
+  padding-right: 0; }
+
+.input-sm {
   height: 30px;
   padding: 5px 10px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
+
+.input-group-sm > .form-control, .input-group-sm > .input-group-addon, .input-group-sm > .input-group-btn > .btn {
+  height: 30px;
+  padding: 5px 10px;
+  font-size: 12px;
+  line-height: 1.5;
+  border-radius: 3px; }
 
-select.input-sm, .input-group-sm > select.form-control,
-.input-group-sm > select.input-group-addon,
-.input-group-sm > .input-group-btn > select.btn, .form-horizontal .form-group-sm select.form-control {
+.form-horizontal .form-group-sm .form-control {
   height: 30px;
-  line-height: 30px;
-}
-
-textarea.input-sm, .input-group-sm > textarea.form-control,
-.input-group-sm > textarea.input-group-addon,
-.input-group-sm > .input-group-btn > textarea.btn, .form-horizontal .form-group-sm textarea.form-control,
-select[multiple].input-sm,
-.input-group-sm > select[multiple].form-control,
-.input-group-sm > select[multiple].input-group-addon,
-.input-group-sm > .input-group-btn > select[multiple].btn,
+  padding: 5px 10px;
+  font-size: 12px;
+  line-height: 1.5;
+  border-radius: 3px; }
+
+select.input-sm {
+  height: 30px;
+  line-height: 30px; }
+
+.input-group-sm > select.form-control, .input-group-sm > select.input-group-addon {
+  height: 30px;
+  line-height: 30px; }
+
+.input-group-sm > .input-group-btn > select.btn {
+  height: 30px;
+  line-height: 30px; }
+
+.form-horizontal .form-group-sm select.form-control {
+  height: 30px;
+  line-height: 30px; }
+
+textarea.input-sm {
+  height: auto; }
+
+.input-group-sm > textarea.form-control, .input-group-sm > textarea.input-group-addon {
+  height: auto; }
+
+.input-group-sm > .input-group-btn > textarea.btn {
+  height: auto; }
+
+.form-horizontal .form-group-sm textarea.form-control, select[multiple].input-sm {
+  height: auto; }
+
+.input-group-sm > select[multiple].form-control, .input-group-sm > select[multiple].input-group-addon {
+  height: auto; }
+
+.input-group-sm > .input-group-btn > select[multiple].btn {
+  height: auto; }
+
 .form-horizontal .form-group-sm select[multiple].form-control {
-  height: auto;
-}
+  height: auto; }
 
-.input-lg, .input-group-lg > .form-control,
-.input-group-lg > .input-group-addon,
-.input-group-lg > .input-group-btn > .btn, .form-horizontal .form-group-lg .form-control {
+.input-lg {
   height: 46px;
   padding: 10px 16px;
   font-size: 18px;
   line-height: 1.33;
-  border-radius: 6px;
-}
+  border-radius: 6px; }
+
+.input-group-lg > .form-control, .input-group-lg > .input-group-addon, .input-group-lg > .input-group-btn > .btn {
+  height: 46px;
+  padding: 10px 16px;
+  font-size: 18px;
+  line-height: 1.33;
+  border-radius: 6px; }
+
+.form-horizontal .form-group-lg .form-control {
+  height: 46px;
+  padding: 10px 16px;
+  font-size: 18px;
+  line-height: 1.33;
+  border-radius: 6px; }
 
-select.input-lg, .input-group-lg > select.form-control,
-.input-group-lg > select.input-group-addon,
-.input-group-lg > .input-group-btn > select.btn, .form-horizontal .form-group-lg select.form-control {
+select.input-lg {
   height: 46px;
-  line-height: 46px;
-}
-
-textarea.input-lg, .input-group-lg > textarea.form-control,
-.input-group-lg > textarea.input-group-addon,
-.input-group-lg > .input-group-btn > textarea.btn, .form-horizontal .form-group-lg textarea.form-control,
-select[multiple].input-lg,
-.input-group-lg > select[multiple].form-control,
-.input-group-lg > select[multiple].input-group-addon,
-.input-group-lg > .input-group-btn > select[multiple].btn,
+  line-height: 46px; }
+
+.input-group-lg > select.form-control, .input-group-lg > select.input-group-addon {
+  height: 46px;
+  line-height: 46px; }
+
+.input-group-lg > .input-group-btn > select.btn {
+  height: 46px;
+  line-height: 46px; }
+
+.form-horizontal .form-group-lg select.form-control {
+  height: 46px;
+  line-height: 46px; }
+
+textarea.input-lg {
+  height: auto; }
+
+.input-group-lg > textarea.form-control, .input-group-lg > textarea.input-group-addon {
+  height: auto; }
+
+.input-group-lg > .input-group-btn > textarea.btn {
+  height: auto; }
+
+.form-horizontal .form-group-lg textarea.form-control, select[multiple].input-lg {
+  height: auto; }
+
+.input-group-lg > select[multiple].form-control, .input-group-lg > select[multiple].input-group-addon {
+  height: auto; }
+
+.input-group-lg > .input-group-btn > select[multiple].btn {
+  height: auto; }
+
 .form-horizontal .form-group-lg select[multiple].form-control {
-  height: auto;
-}
+  height: auto; }
 
 .has-feedback {
-  position: relative;
-}
-.has-feedback .form-control {
-  padding-right: 42.5px;
-}
+  position: relative; }
+  .has-feedback .form-control {
+    padding-right: 42.5px; }
 
 .form-control-feedback {
   position: absolute;
@@ -3269,214 +2668,176 @@ select[multiple].input-lg,
   width: 34px;
   height: 34px;
   line-height: 34px;
-  text-align: center;
-}
+  text-align: center; }
+
+.input-lg + .form-control-feedback {
+  width: 46px;
+  height: 46px;
+  line-height: 46px; }
 
-.input-lg + .form-control-feedback, .input-group-lg > .form-control + .form-control-feedback,
-.input-group-lg > .input-group-addon + .form-control-feedback,
-.input-group-lg > .input-group-btn > .btn + .form-control-feedback, .form-horizontal .form-group-lg .form-control + .form-control-feedback {
+.input-group-lg > .form-control + .form-control-feedback, .input-group-lg > .input-group-addon + .form-control-feedback, .input-group-lg > .input-group-btn > .btn + .form-control-feedback {
   width: 46px;
   height: 46px;
-  line-height: 46px;
-}
+  line-height: 46px; }
 
-.input-sm + .form-control-feedback, .input-group-sm > .form-control + .form-control-feedback,
-.input-group-sm > .input-group-addon + .form-control-feedback,
-.input-group-sm > .input-group-btn > .btn + .form-control-feedback, .form-horizontal .form-group-sm .form-control + .form-control-feedback {
+.form-horizontal .form-group-lg .form-control + .form-control-feedback {
+  width: 46px;
+  height: 46px;
+  line-height: 46px; }
+
+.input-sm + .form-control-feedback {
   width: 30px;
   height: 30px;
-  line-height: 30px;
-}
-
-.has-success .help-block,
-.has-success .control-label,
-.has-success .radio,
-.has-success .checkbox,
-.has-success .radio-inline,
-.has-success .checkbox-inline {
-  color: #7Ba255;
-}
+  line-height: 30px; }
+
+.input-group-sm > .form-control + .form-control-feedback, .input-group-sm > .input-group-addon + .form-control-feedback, .input-group-sm > .input-group-btn > .btn + .form-control-feedback {
+  width: 30px;
+  height: 30px;
+  line-height: 30px; }
+
+.form-horizontal .form-group-sm .form-control + .form-control-feedback {
+  width: 30px;
+  height: 30px;
+  line-height: 30px; }
+
+.has-success .help-block, .has-success .control-label, .has-success .radio, .has-success .checkbox, .has-success .radio-inline, .has-success .checkbox-inline {
+  color: #7Ba255; }
+
 .has-success .form-control {
   border-color: #7Ba255;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-}
-.has-success .form-control:focus {
-  border-color: #628143;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #aec895;
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #aec895;
-}
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
+  .has-success .form-control:focus {
+    border-color: #628143;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #aec895;
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #aec895; }
+
 .has-success .input-group-addon {
   color: #7Ba255;
   border-color: #7Ba255;
-  background-color: #7Ba255;
-}
+  background-color: #7Ba255; }
+
 .has-success .form-control-feedback {
-  color: #7Ba255;
-}
-
-.has-warning .help-block,
-.has-warning .control-label,
-.has-warning .radio,
-.has-warning .checkbox,
-.has-warning .radio-inline,
-.has-warning .checkbox-inline {
-  color: #f0ad4e;
-}
+  color: #7Ba255; }
+
+.has-warning .help-block, .has-warning .control-label, .has-warning .radio, .has-warning .checkbox, .has-warning .radio-inline, .has-warning .checkbox-inline {
+  color: #f0ad4e; }
+
 .has-warning .form-control {
   border-color: #f0ad4e;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-}
-.has-warning .form-control:focus {
-  border-color: #ec971f;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
-}
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
+  .has-warning .form-control:focus {
+    border-color: #ec971f;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac; }
+
 .has-warning .input-group-addon {
   color: #f0ad4e;
   border-color: #f0ad4e;
-  background-color: #fcf8e3;
-}
+  background-color: #fcf8e3; }
+
 .has-warning .form-control-feedback {
-  color: #f0ad4e;
-}
-
-.has-error .help-block,
-.has-error .control-label,
-.has-error .radio,
-.has-error .checkbox,
-.has-error .radio-inline,
-.has-error .checkbox-inline {
-  color: #F05050;
-}
+  color: #f0ad4e; }
+
+.has-error .help-block, .has-error .control-label, .has-error .radio, .has-error .checkbox, .has-error .radio-inline, .has-error .checkbox-inline {
+  color: #F05050; }
+
 .has-error .form-control {
   border-color: #F05050;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-}
-.has-error .form-control:focus {
-  border-color: #ec2121;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
-}
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
+  .has-error .form-control:focus {
+    border-color: #ec2121;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae; }
+
 .has-error .input-group-addon {
   color: #F05050;
   border-color: #F05050;
-  background-color: #F05050;
-}
+  background-color: #F05050; }
+
 .has-error .form-control-feedback {
-  color: #F05050;
-}
+  color: #F05050; }
 
 .has-feedback label.sr-only ~ .form-control-feedback {
-  top: 0;
-}
+  top: 0; }
 
 .help-block {
   display: block;
   margin-top: 5px;
   margin-bottom: 10px;
-  color: white;
-}
+  color: white; }
 
 @media (min-width: 768px) {
   .form-inline .form-group, .navbar-form .form-group {
     display: inline-block;
     margin-bottom: 0;
-    vertical-align: middle;
-  }
+    vertical-align: middle; }
   .form-inline .form-control, .navbar-form .form-control {
     display: inline-block;
     width: auto;
-    vertical-align: middle;
-  }
+    vertical-align: middle; }
   .form-inline .input-group, .navbar-form .input-group {
     display: inline-table;
-    vertical-align: middle;
-  }
-  .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon,
-.form-inline .input-group .input-group-btn,
-.navbar-form .input-group .input-group-btn,
-.form-inline .input-group .form-control,
-.navbar-form .input-group .form-control {
-    width: auto;
-  }
+    vertical-align: middle; }
+  .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon, .form-inline .input-group .input-group-btn, .navbar-form .input-group .input-group-btn, .form-inline .input-group .form-control, .navbar-form .input-group .form-control {
+    width: auto; }
   .form-inline .input-group > .form-control, .navbar-form .input-group > .form-control {
-    width: 100%;
-  }
+    width: 100%; }
   .form-inline .control-label, .navbar-form .control-label {
     margin-bottom: 0;
-    vertical-align: middle;
-  }
-  .form-inline .radio, .navbar-form .radio,
-.form-inline .checkbox,
-.navbar-form .checkbox {
+    vertical-align: middle; }
+  .form-inline .radio, .navbar-form .radio, .form-inline .checkbox, .navbar-form .checkbox {
     display: inline-block;
     margin-top: 0;
     margin-bottom: 0;
-    vertical-align: middle;
-  }
-  .form-inline .radio label, .navbar-form .radio label,
-.form-inline .checkbox label,
-.navbar-form .checkbox label {
-    padding-left: 0;
-  }
-  .form-inline .radio input[type=radio], .navbar-form .radio input[type=radio],
-.form-inline .checkbox input[type=checkbox],
-.navbar-form .checkbox input[type=checkbox] {
+    vertical-align: middle; }
+  .form-inline .radio label, .navbar-form .radio label, .form-inline .checkbox label, .navbar-form .checkbox label {
+    padding-left: 0; }
+  .form-inline .radio input[type=radio], .navbar-form .radio input[type=radio], .form-inline .checkbox input[type=checkbox], .navbar-form .checkbox input[type=checkbox] {
     position: relative;
-    margin-left: 0;
-  }
+    margin-left: 0; }
   .form-inline .has-feedback .form-control-feedback, .navbar-form .has-feedback .form-control-feedback {
-    top: 0;
-  }
-}
+    top: 0; } }
 
-.form-horizontal .radio,
-.form-horizontal .checkbox,
-.form-horizontal .radio-inline,
-.form-horizontal .checkbox-inline {
+.form-horizontal .radio, .form-horizontal .checkbox, .form-horizontal .radio-inline, .form-horizontal .checkbox-inline {
   margin-top: 0;
   margin-bottom: 0;
-  padding-top: 7px;
-}
-.form-horizontal .radio,
-.form-horizontal .checkbox {
-  min-height: 27px;
-}
+  padding-top: 7px; }
+
+.form-horizontal .radio, .form-horizontal .checkbox {
+  min-height: 27px; }
+
 .form-horizontal .form-group {
   margin-left: -20px;
-  margin-right: -20px;
-}
-.form-horizontal .form-group:before, .form-horizontal .form-group:after {
-  content: " ";
-  display: table;
-}
-.form-horizontal .form-group:after {
-  clear: both;
-}
+  margin-right: -20px; }
+  .form-horizontal .form-group:before {
+    content: " ";
+    display: table; }
+  .form-horizontal .form-group:after {
+    content: " ";
+    display: table;
+    clear: both; }
+
+.form-horizontal .has-feedback control-feedback {
+  top: 0;
+  right: 20px; }
+
 @media (min-width: 768px) {
   .form-horizontal .control-label {
     text-align: right;
     margin-bottom: 0;
-    padding-top: 7px;
-  }
-}
-.form-horizontal .has-feedback control-feedback {
-  top: 0;
-  right: 20px;
-}
+    padding-top: 7px; } }
+
 @media (min-width: 768px) {
   .form-horizontal .form-group-lg .control-label {
-    padding-top: 14.3px;
-  }
-}
+    padding-top: 14.3px; } }
+
 @media (min-width: 768px) {
   .form-horizontal .form-group-sm .control-label {
-    padding-top: 6px;
-  }
-}
+    padding-top: 6px; } }
+
 .btn {
   display: inline-block;
   margin-bottom: 0;
@@ -3497,264 +2858,428 @@ select[multiple].input-lg,
   user-select: none;
   color: #eee;
   background-color: #656565;
-  border-color: #e5e5e5;
-}
-.btn:hover, .btn:focus, .btn:active, .btn.active, .open > .btn.dropdown-toggle {
+  border-color: #e5e5e5; }
+  .btn:hover, .btn:focus, .btn:active, .btn.active {
+    color: #eee;
+    background-color: #4c4c4c;
+    border-color: #c6c6c6; }
+
+.open > .btn.dropdown-toggle {
   color: #eee;
   background-color: #4c4c4c;
-  border-color: #c6c6c6;
-}
-.btn:active, .btn.active, .open > .btn.dropdown-toggle {
-  background-image: none;
-}
-.btn.disabled, .btn.disabled:hover, .btn.disabled:focus, .btn.disabled:active, .btn.disabled.active, .btn[disabled], .btn[disabled]:hover, .btn[disabled]:focus, .btn[disabled]:active, .btn[disabled].active, fieldset[disabled] .btn, fieldset[disabled] .btn:hover, fieldset[disabled] .btn:focus, fieldset[disabled] .btn:active, fieldset[disabled] .btn.active {
+  border-color: #c6c6c6; }
+
+.btn:active, .btn.active {
+  background-image: none; }
+
+.open > .btn.dropdown-toggle {
+  background-image: none; }
+
+.btn.disabled {
+  background-color: #656565;
+  border-color: #e5e5e5; }
+  .btn.disabled:hover, .btn.disabled:focus, .btn.disabled:active, .btn.disabled.active {
+    background-color: #656565;
+    border-color: #e5e5e5; }
+
+.btn[disabled] {
   background-color: #656565;
-  border-color: #e5e5e5;
-}
+  border-color: #e5e5e5; }
+  .btn[disabled]:hover, .btn[disabled]:focus, .btn[disabled]:active, .btn[disabled].active {
+    background-color: #656565;
+    border-color: #e5e5e5; }
+
+fieldset[disabled] .btn {
+  background-color: #656565;
+  border-color: #e5e5e5; }
+  fieldset[disabled] .btn:hover, fieldset[disabled] .btn:focus, fieldset[disabled] .btn:active, fieldset[disabled] .btn.active {
+    background-color: #656565;
+    border-color: #e5e5e5; }
+
 .btn .badge {
   color: #656565;
-  background-color: #eee;
-}
+  background-color: #eee; }
+
 .btn:focus, .btn:active:focus, .btn.active:focus {
   outline: thin dotted;
   outline: 5px auto -webkit-focus-ring-color;
-  outline-offset: -2px;
-}
+  outline-offset: -2px; }
+
 .btn:hover, .btn:focus {
   color: #eee;
-  text-decoration: none;
-}
+  text-decoration: none; }
+
 .btn:active, .btn.active {
   outline: 0;
   background-image: none;
   -webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
-  box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
-}
-.btn.disabled, .btn[disabled], fieldset[disabled] .btn {
+  box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125); }
+
+.btn.disabled, .btn[disabled] {
   cursor: not-allowed;
   pointer-events: none;
   opacity: 0.65;
   filter: alpha(opacity=65);
   -webkit-box-shadow: none;
-  box-shadow: none;
-}
+  box-shadow: none; }
+
+fieldset[disabled] .btn {
+  cursor: not-allowed;
+  pointer-events: none;
+  opacity: 0.65;
+  filter: alpha(opacity=65);
+  -webkit-box-shadow: none;
+  box-shadow: none; }
 
 .btn-default {
   color: #eee;
   background-color: #656565;
-  border-color: #e5e5e5;
-}
-.btn-default:hover, .btn-default:focus, .btn-default:active, .btn-default.active, .open > .btn-default.dropdown-toggle {
+  border-color: #e5e5e5; }
+  .btn-default:hover, .btn-default:focus, .btn-default:active, .btn-default.active {
+    color: #eee;
+    background-color: #4c4c4c;
+    border-color: #c6c6c6; }
+
+.open > .btn-default.dropdown-toggle {
   color: #eee;
   background-color: #4c4c4c;
-  border-color: #c6c6c6;
-}
-.btn-default:active, .btn-default.active, .open > .btn-default.dropdown-toggle {
-  background-image: none;
-}
-.btn-default.disabled, .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active, .btn-default[disabled], .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active, fieldset[disabled] .btn-default, fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
+  border-color: #c6c6c6; }
+
+.btn-default:active, .btn-default.active {
+  background-image: none; }
+
+.open > .btn-default.dropdown-toggle {
+  background-image: none; }
+
+.btn-default.disabled {
+  background-color: #656565;
+  border-color: #e5e5e5; }
+  .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active {
+    background-color: #656565;
+    border-color: #e5e5e5; }
+
+.btn-default[disabled] {
+  background-color: #656565;
+  border-color: #e5e5e5; }
+  .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active {
+    background-color: #656565;
+    border-color: #e5e5e5; }
+
+fieldset[disabled] .btn-default {
   background-color: #656565;
-  border-color: #e5e5e5;
-}
+  border-color: #e5e5e5; }
+  fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
+    background-color: #656565;
+    border-color: #e5e5e5; }
+
 .btn-default .badge {
   color: #656565;
-  background-color: #eee;
-}
+  background-color: #eee; }
 
 .btn-primary {
   color: #eee;
   background-color: #EA7105;
-  border-color: #D95100;
-}
-.btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
+  border-color: #D95100; }
+  .btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active {
+    color: #eee;
+    background-color: #b85904;
+    border-color: #9c3a00; }
+
+.open > .btn-primary.dropdown-toggle {
   color: #eee;
   background-color: #b85904;
-  border-color: #9c3a00;
-}
-.btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
-  background-image: none;
-}
-.btn-primary.disabled, .btn-primary.disabled:hover, .btn-primary.disabled:focus, .btn-primary.disabled:active, .btn-primary.disabled.active, .btn-primary[disabled], .btn-primary[disabled]:hover, .btn-primary[disabled]:focus, .btn-primary[disabled]:active, .btn-primary[disabled].active, fieldset[disabled] .btn-primary, fieldset[disabled] .btn-primary:hover, fieldset[disabled] .btn-primary:focus, fieldset[disabled] .btn-primary:active, fieldset[disabled] .btn-primary.active {
+  border-color: #9c3a00; }
+
+.btn-primary:active, .btn-primary.active {
+  background-image: none; }
+
+.open > .btn-primary.dropdown-toggle {
+  background-image: none; }
+
+.btn-primary.disabled {
+  background-color: #EA7105;
+  border-color: #D95100; }
+  .btn-primary.disabled:hover, .btn-primary.disabled:focus, .btn-primary.disabled:active, .btn-primary.disabled.active {
+    background-color: #EA7105;
+    border-color: #D95100; }
+
+.btn-primary[disabled] {
+  background-color: #EA7105;
+  border-color: #D95100; }
+  .btn-primary[disabled]:hover, .btn-primary[disabled]:focus, .btn-primary[disabled]:active, .btn-primary[disabled].active {
+    background-color: #EA7105;
+    border-color: #D95100; }
+
+fieldset[disabled] .btn-primary {
   background-color: #EA7105;
-  border-color: #D95100;
-}
+  border-color: #D95100; }
+  fieldset[disabled] .btn-primary:hover, fieldset[disabled] .btn-primary:focus, fieldset[disabled] .btn-primary:active, fieldset[disabled] .btn-primary.active {
+    background-color: #EA7105;
+    border-color: #D95100; }
+
 .btn-primary .badge {
   color: #EA7105;
-  background-color: #eee;
-}
+  background-color: #eee; }
 
 .btn-success {
   color: #eee;
   background-color: #7Ba255;
-  border-color: #6e914c;
-}
-.btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
+  border-color: #6e914c; }
+  .btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active {
+    color: #eee;
+    background-color: #628143;
+    border-color: #506937; }
+
+.open > .btn-success.dropdown-toggle {
   color: #eee;
   background-color: #628143;
-  border-color: #506937;
-}
-.btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
-  background-image: none;
-}
-.btn-success.disabled, .btn-success.disabled:hover, .btn-success.disabled:focus, .btn-success.disabled:active, .btn-success.disabled.active, .btn-success[disabled], .btn-success[disabled]:hover, .btn-success[disabled]:focus, .btn-success[disabled]:active, .btn-success[disabled].active, fieldset[disabled] .btn-success, fieldset[disabled] .btn-success:hover, fieldset[disabled] .btn-success:focus, fieldset[disabled] .btn-success:active, fieldset[disabled] .btn-success.active {
+  border-color: #506937; }
+
+.btn-success:active, .btn-success.active {
+  background-image: none; }
+
+.open > .btn-success.dropdown-toggle {
+  background-image: none; }
+
+.btn-success.disabled {
+  background-color: #7Ba255;
+  border-color: #6e914c; }
+  .btn-success.disabled:hover, .btn-success.disabled:focus, .btn-success.disabled:active, .btn-success.disabled.active {
+    background-color: #7Ba255;
+    border-color: #6e914c; }
+
+.btn-success[disabled] {
+  background-color: #7Ba255;
+  border-color: #6e914c; }
+  .btn-success[disabled]:hover, .btn-success[disabled]:focus, .btn-success[disabled]:active, .btn-success[disabled].active {
+    background-color: #7Ba255;
+    border-color: #6e914c; }
+
+fieldset[disabled] .btn-success {
   background-color: #7Ba255;
-  border-color: #6e914c;
-}
+  border-color: #6e914c; }
+  fieldset[disabled] .btn-success:hover, fieldset[disabled] .btn-success:focus, fieldset[disabled] .btn-success:active, fieldset[disabled] .btn-success.active {
+    background-color: #7Ba255;
+    border-color: #6e914c; }
+
 .btn-success .badge {
   color: #7Ba255;
-  background-color: #eee;
-}
+  background-color: #eee; }
 
 .btn-info {
   color: #eee;
   background-color: #B0CDDB;
-  border-color: #9ec2d3;
-}
-.btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
+  border-color: #9ec2d3; }
+  .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active {
+    color: #eee;
+    background-color: #8db7cb;
+    border-color: #74a7c0; }
+
+.open > .btn-info.dropdown-toggle {
   color: #eee;
   background-color: #8db7cb;
-  border-color: #74a7c0;
-}
-.btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
-  background-image: none;
-}
-.btn-info.disabled, .btn-info.disabled:hover, .btn-info.disabled:focus, .btn-info.disabled:active, .btn-info.disabled.active, .btn-info[disabled], .btn-info[disabled]:hover, .btn-info[disabled]:focus, .btn-info[disabled]:active, .btn-info[disabled].active, fieldset[disabled] .btn-info, fieldset[disabled] .btn-info:hover, fieldset[disabled] .btn-info:focus, fieldset[disabled] .btn-info:active, fieldset[disabled] .btn-info.active {
+  border-color: #74a7c0; }
+
+.btn-info:active, .btn-info.active {
+  background-image: none; }
+
+.open > .btn-info.dropdown-toggle {
+  background-image: none; }
+
+.btn-info.disabled {
+  background-color: #B0CDDB;
+  border-color: #9ec2d3; }
+  .btn-info.disabled:hover, .btn-info.disabled:focus, .btn-info.disabled:active, .btn-info.disabled.active {
+    background-color: #B0CDDB;
+    border-color: #9ec2d3; }
+
+.btn-info[disabled] {
+  background-color: #B0CDDB;
+  border-color: #9ec2d3; }
+  .btn-info[disabled]:hover, .btn-info[disabled]:focus, .btn-info[disabled]:active, .btn-info[disabled].active {
+    background-color: #B0CDDB;
+    border-color: #9ec2d3; }
+
+fieldset[disabled] .btn-info {
   background-color: #B0CDDB;
-  border-color: #9ec2d3;
-}
+  border-color: #9ec2d3; }
+  fieldset[disabled] .btn-info:hover, fieldset[disabled] .btn-info:focus, fieldset[disabled] .btn-info:active, fieldset[disabled] .btn-info.active {
+    background-color: #B0CDDB;
+    border-color: #9ec2d3; }
+
 .btn-info .badge {
   color: #B0CDDB;
-  background-color: #eee;
-}
+  background-color: #eee; }
 
 .btn-warning {
   color: #eee;
   background-color: #f0ad4e;
-  border-color: #eea236;
-}
-.btn-warning:hover, .btn-warning:focus, .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
+  border-color: #eea236; }
+  .btn-warning:hover, .btn-warning:focus, .btn-warning:active, .btn-warning.active {
+    color: #eee;
+    background-color: #ec971f;
+    border-color: #d58512; }
+
+.open > .btn-warning.dropdown-toggle {
   color: #eee;
   background-color: #ec971f;
-  border-color: #d58512;
-}
-.btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
-  background-image: none;
-}
-.btn-warning.disabled, .btn-warning.disabled:hover, .btn-warning.disabled:focus, .btn-warning.disabled:active, .btn-warning.disabled.active, .btn-warning[disabled], .btn-warning[disabled]:hover, .btn-warning[disabled]:focus, .btn-warning[disabled]:active, .btn-warning[disabled].active, fieldset[disabled] .btn-warning, fieldset[disabled] .btn-warning:hover, fieldset[disabled] .btn-warning:focus, fieldset[disabled] .btn-warning:active, fieldset[disabled] .btn-warning.active {
+  border-color: #d58512; }
+
+.btn-warning:active, .btn-warning.active {
+  background-image: none; }
+
+.open > .btn-warning.dropdown-toggle {
+  background-image: none; }
+
+.btn-warning.disabled {
+  background-color: #f0ad4e;
+  border-color: #eea236; }
+  .btn-warning.disabled:hover, .btn-warning.disabled:focus, .btn-warning.disabled:active, .btn-warning.disabled.active {
+    background-color: #f0ad4e;
+    border-color: #eea236; }
+
+.btn-warning[disabled] {
+  background-color: #f0ad4e;
+  border-color: #eea236; }
+  .btn-warning[disabled]:hover, .btn-warning[disabled]:focus, .btn-warning[disabled]:active, .btn-warning[disabled].active {
+    background-color: #f0ad4e;
+    border-color: #eea236; }
+
+fieldset[disabled] .btn-warning {
   background-color: #f0ad4e;
-  border-color: #eea236;
-}
+  border-color: #eea236; }
+  fieldset[disabled] .btn-warning:hover, fieldset[disabled] .btn-warning:focus, fieldset[disabled] .btn-warning:active, fieldset[disabled] .btn-warning.active {
+    background-color: #f0ad4e;
+    border-color: #eea236; }
+
 .btn-warning .badge {
   color: #f0ad4e;
-  background-color: #eee;
-}
+  background-color: #eee; }
 
 .btn-danger {
   color: #eee;
   background-color: #F05050;
-  border-color: #ee3939;
-}
-.btn-danger:hover, .btn-danger:focus, .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
+  border-color: #ee3939; }
+  .btn-danger:hover, .btn-danger:focus, .btn-danger:active, .btn-danger.active {
+    color: #eee;
+    background-color: #ec2121;
+    border-color: #d71212; }
+
+.open > .btn-danger.dropdown-toggle {
   color: #eee;
   background-color: #ec2121;
-  border-color: #d71212;
-}
-.btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
-  background-image: none;
-}
-.btn-danger.disabled, .btn-danger.disabled:hover, .btn-danger.disabled:focus, .btn-danger.disabled:active, .btn-danger.disabled.active, .btn-danger[disabled], .btn-danger[disabled]:hover, .btn-danger[disabled]:focus, .btn-danger[disabled]:active, .btn-danger[disabled].active, fieldset[disabled] .btn-danger, fieldset[disabled] .btn-danger:hover, fieldset[disabled] .btn-danger:focus, fieldset[disabled] .btn-danger:active, fieldset[disabled] .btn-danger.active {
+  border-color: #d71212; }
+
+.btn-danger:active, .btn-danger.active {
+  background-image: none; }
+
+.open > .btn-danger.dropdown-toggle {
+  background-image: none; }
+
+.btn-danger.disabled {
+  background-color: #F05050;
+  border-color: #ee3939; }
+  .btn-danger.disabled:hover, .btn-danger.disabled:focus, .btn-danger.disabled:active, .btn-danger.disabled.active {
+    background-color: #F05050;
+    border-color: #ee3939; }
+
+.btn-danger[disabled] {
+  background-color: #F05050;
+  border-color: #ee3939; }
+  .btn-danger[disabled]:hover, .btn-danger[disabled]:focus, .btn-danger[disabled]:active, .btn-danger[disabled].active {
+    background-color: #F05050;
+    border-color: #ee3939; }
+
+fieldset[disabled] .btn-danger {
   background-color: #F05050;
-  border-color: #ee3939;
-}
+  border-color: #ee3939; }
+  fieldset[disabled] .btn-danger:hover, fieldset[disabled] .btn-danger:focus, fieldset[disabled] .btn-danger:active, fieldset[disabled] .btn-danger.active {
+    background-color: #F05050;
+    border-color: #ee3939; }
+
 .btn-danger .badge {
   color: #F05050;
-  background-color: #eee;
-}
+  background-color: #eee; }
 
 .btn-link {
   color: #EA7105;
   font-weight: normal;
   cursor: pointer;
   border-radius: 0;
-}
-.btn-link, .btn-link:active, .btn-link[disabled], fieldset[disabled] .btn-link {
   background-color: transparent;
   -webkit-box-shadow: none;
-  box-shadow: none;
-}
-.btn-link, .btn-link:hover, .btn-link:focus, .btn-link:active {
-  border-color: transparent;
-}
-.btn-link:hover, .btn-link:focus {
-  color: #9f4d03;
-  text-decoration: underline;
+  box-shadow: none; }
+  .btn-link:active, .btn-link[disabled] {
+    background-color: transparent;
+    -webkit-box-shadow: none;
+    box-shadow: none; }
+
+fieldset[disabled] .btn-link {
   background-color: transparent;
-}
-.btn-link[disabled]:hover, .btn-link[disabled]:focus, fieldset[disabled] .btn-link:hover, fieldset[disabled] .btn-link:focus {
+  -webkit-box-shadow: none;
+  box-shadow: none; }
+
+.btn-link {
+  border-color: transparent; }
+  .btn-link:hover, .btn-link:focus, .btn-link:active {
+    border-color: transparent; }
+  .btn-link:hover, .btn-link:focus {
+    color: #9f4d03;
+    text-decoration: underline;
+    background-color: transparent; }
+  .btn-link[disabled]:hover, .btn-link[disabled]:focus {
+    color: #DDd;
+    text-decoration: none; }
+
+fieldset[disabled] .btn-link:hover, fieldset[disabled] .btn-link:focus {
   color: #DDd;
-  text-decoration: none;
-}
+  text-decoration: none; }
 
 .btn-lg, .btn-group-lg > .btn {
   padding: 10px 16px;
   font-size: 18px;
   line-height: 1.33;
-  border-radius: 6px;
-}
+  border-radius: 6px; }
 
 .btn-sm, .btn-group-sm > .btn {
   padding: 5px 10px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 .btn-xs, .btn-group-xs > .btn {
   padding: 1px 5px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 .btn-block {
   display: block;
-  width: 100%;
-}
-
-.btn-block + .btn-block {
-  margin-top: 5px;
-}
+  width: 100%; }
+  .btn-block + .btn-block {
+    margin-top: 5px; }
 
-input[type=submit].btn-block,
-input[type=reset].btn-block,
-input[type=button].btn-block {
-  width: 100%;
-}
+input[type=submit].btn-block, input[type=reset].btn-block, input[type=button].btn-block {
+  width: 100%; }
 
 .fade {
   opacity: 0;
   -webkit-transition: opacity 0.15s linear;
   -o-transition: opacity 0.15s linear;
-  transition: opacity 0.15s linear;
-}
-.fade.in {
-  opacity: 1;
-}
+  transition: opacity 0.15s linear; }
+  .fade.in {
+    opacity: 1; }
 
 .collapse {
-  display: none;
-}
-.collapse.in {
-  display: block;
-}
+  display: none; }
+  .collapse.in {
+    display: block; }
 
 tr.collapse.in {
-  display: table-row;
-}
+  display: table-row; }
 
 tbody.collapse.in {
-  display: table-row-group;
-}
+  display: table-row-group; }
 
 .collapsing {
   position: relative;
@@ -3762,8 +3287,7 @@ tbody.collapse.in {
   overflow: hidden;
   -webkit-transition: height 0.35s ease;
   -o-transition: height 0.35s ease;
-  transition: height 0.35s ease;
-}
+  transition: height 0.35s ease; }
 
 .caret {
   display: inline-block;
@@ -3773,16 +3297,13 @@ tbody.collapse.in {
   vertical-align: middle;
   border-top: 4px solid;
   border-right: 4px solid transparent;
-  border-left: 4px solid transparent;
-}
+  border-left: 4px solid transparent; }
 
 .dropdown {
-  position: relative;
-}
+  position: relative; }
 
 .dropdown-toggle:focus {
-  outline: 0;
-}
+  outline: 0; }
 
 .dropdown-menu {
   position: absolute;
@@ -3803,69 +3324,61 @@ tbody.collapse.in {
   border-radius: 3px;
   -webkit-box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
-  background-clip: padding-box;
-}
-.dropdown-menu.pull-right {
-  right: 0;
-  left: auto;
-}
-.dropdown-menu .divider {
-  height: 1px;
-  margin: 9px 0;
-  overflow: hidden;
-  background-color: #262626;
-}
-.dropdown-menu > li > a {
-  display: block;
-  padding: 3px 20px;
-  clear: both;
-  font-weight: normal;
-  line-height: 1.428571429;
-  color: #bbb;
-  white-space: nowrap;
-}
-
-.dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus {
-  text-decoration: none;
-  color: #f66;
-  background-color: #353535;
-}
-
-.dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus {
-  color: #555;
-  text-decoration: none;
-  outline: 0;
-  background-color: #EA7105;
-}
-
-.dropdown-menu > .disabled > a, .dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
-  color: #DDd;
-}
-
-.dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
-  text-decoration: none;
-  background-color: transparent;
-  background-image: none;
-  filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
-  cursor: not-allowed;
-}
+  background-clip: padding-box; }
+  .dropdown-menu.pull-right {
+    right: 0;
+    left: auto; }
+  .dropdown-menu .divider {
+    height: 1px;
+    margin: 9px 0;
+    overflow: hidden;
+    background-color: #262626; }
+  .dropdown-menu > li > a {
+    display: block;
+    padding: 3px 20px;
+    clear: both;
+    font-weight: normal;
+    line-height: 1.428571429;
+    color: #bbb;
+    white-space: nowrap; }
+    .dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus {
+      text-decoration: none;
+      color: #f66;
+      background-color: #353535; }
+  .dropdown-menu > .active > a {
+    color: #555;
+    text-decoration: none;
+    outline: 0;
+    background-color: #EA7105; }
+    .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus {
+      color: #555;
+      text-decoration: none;
+      outline: 0;
+      background-color: #EA7105; }
+  .dropdown-menu > .disabled > a {
+    color: #DDd; }
+    .dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
+      color: #DDd; }
+    .dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
+      text-decoration: none;
+      background-color: transparent;
+      background-image: none;
+      filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
+      cursor: not-allowed; }
 
 .open > .dropdown-menu {
-  display: block;
-}
+  display: block; }
+
 .open > a {
-  outline: 0;
-}
+  outline: 0; }
 
 .dropdown-menu-right {
   left: auto;
-  right: 0;
-}
+  right: 0; }
 
 .dropdown-menu-left {
   left: 0;
-  right: auto;
-}
+  right: auto; }
 
 .dropdown-header {
   display: block;
@@ -3873,8 +3386,7 @@ tbody.collapse.in {
   font-size: 12px;
   line-height: 1.428571429;
   color: #DDd;
-  white-space: nowrap;
-}
+  white-space: nowrap; }
 
 .dropdown-backdrop {
   position: fixed;
@@ -3882,278 +3394,235 @@ tbody.collapse.in {
   right: 0;
   bottom: 0;
   top: 0;
-  z-index: 990;
-}
+  z-index: 990; }
 
 .pull-right > .dropdown-menu {
   right: 0;
-  left: auto;
-}
+  left: auto; }
 
-.dropup .caret,
-.navbar-fixed-bottom .dropdown .caret {
+.dropup .caret, .navbar-fixed-bottom .dropdown .caret {
   border-top: 0;
   border-bottom: 4px solid;
-  content: "";
-}
-.dropup .dropdown-menu,
-.navbar-fixed-bottom .dropdown .dropdown-menu {
+  content: ""; }
+
+.dropup .dropdown-menu, .navbar-fixed-bottom .dropdown .dropdown-menu {
   top: auto;
   bottom: 100%;
-  margin-bottom: 1px;
-}
+  margin-bottom: 1px; }
 
 @media (min-width: 768px) {
   .navbar-right .dropdown-menu {
     right: 0;
-    left: auto;
-  }
+    left: auto; }
   .navbar-right .dropdown-menu-left {
     left: 0;
-    right: auto;
-  }
-}
-.btn-group,
-.btn-group-vertical {
+    right: auto; } }
+
+.btn-group, .btn-group-vertical {
   position: relative;
   display: inline-block;
-  vertical-align: middle;
-}
-.btn-group > .btn,
-.btn-group-vertical > .btn {
+  vertical-align: middle; }
+
+.btn-group > .btn, .btn-group-vertical > .btn {
   position: relative;
-  float: left;
-}
-.btn-group > .btn:hover, .btn-group > .btn:focus, .btn-group > .btn:active, .btn-group > .btn.active,
-.btn-group-vertical > .btn:hover,
-.btn-group-vertical > .btn:focus,
-.btn-group-vertical > .btn:active,
-.btn-group-vertical > .btn.active {
-  z-index: 2;
-}
-.btn-group > .btn:focus,
-.btn-group-vertical > .btn:focus {
-  outline: 0;
-}
+  float: left; }
 
-.btn-group .btn + .btn,
-.btn-group .btn + .btn-group,
-.btn-group .btn-group + .btn,
-.btn-group .btn-group + .btn-group {
-  margin-left: -1px;
-}
+.btn-group > .btn:hover, .btn-group > .btn:focus, .btn-group > .btn:active, .btn-group > .btn.active {
+  z-index: 2; }
+
+.btn-group-vertical > .btn:hover, .btn-group-vertical > .btn:focus, .btn-group-vertical > .btn:active, .btn-group-vertical > .btn.active {
+  z-index: 2; }
+
+.btn-group > .btn:focus, .btn-group-vertical > .btn:focus {
+  outline: 0; }
+
+.btn-group .btn + .btn, .btn-group .btn + .btn-group {
+  margin-left: -1px; }
+
+.btn-group .btn-group + .btn, .btn-group .btn-group + .btn-group {
+  margin-left: -1px; }
 
 .btn-toolbar {
-  margin-left: -5px;
-}
-.btn-toolbar:before, .btn-toolbar:after {
-  content: " ";
-  display: table;
-}
-.btn-toolbar:after {
-  clear: both;
-}
-.btn-toolbar .btn-group,
-.btn-toolbar .input-group {
-  float: left;
-}
-.btn-toolbar > .btn,
-.btn-toolbar > .btn-group,
-.btn-toolbar > .input-group {
-  margin-left: 5px;
-}
+  margin-left: -5px; }
+  .btn-toolbar:before {
+    content: " ";
+    display: table; }
+  .btn-toolbar:after {
+    content: " ";
+    display: table;
+    clear: both; }
+  .btn-toolbar .btn-group, .btn-toolbar .input-group {
+    float: left; }
+  .btn-toolbar > .btn, .btn-toolbar > .btn-group, .btn-toolbar > .input-group {
+    margin-left: 5px; }
 
 .btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {
-  border-radius: 0;
-}
+  border-radius: 0; }
 
 .btn-group > .btn:first-child {
-  margin-left: 0;
-}
-.btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) {
-  border-bottom-right-radius: 0;
-  border-top-right-radius: 0;
-}
+  margin-left: 0; }
+  .btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) {
+    border-bottom-right-radius: 0;
+    border-top-right-radius: 0; }
 
-.btn-group > .btn:last-child:not(:first-child),
-.btn-group > .dropdown-toggle:not(:first-child) {
+.btn-group > .btn:last-child:not(:first-child) {
   border-bottom-left-radius: 0;
-  border-top-left-radius: 0;
-}
-
-.btn-group > .btn-group {
-  float: left;
-}
+  border-top-left-radius: 0; }
 
-.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0;
-}
-
-.btn-group > .btn-group:first-child > .btn:last-child,
-.btn-group > .btn-group:first-child > .dropdown-toggle {
-  border-bottom-right-radius: 0;
-  border-top-right-radius: 0;
-}
-
-.btn-group > .btn-group:last-child > .btn:first-child {
+.btn-group > .dropdown-toggle:not(:first-child) {
   border-bottom-left-radius: 0;
-  border-top-left-radius: 0;
-}
+  border-top-left-radius: 0; }
 
-.btn-group .dropdown-toggle:active,
-.btn-group.open .dropdown-toggle {
-  outline: 0;
-}
+.btn-group > .btn-group {
+  float: left; }
+  .btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {
+    border-radius: 0; }
+  .btn-group > .btn-group:first-child > .btn:last-child, .btn-group > .btn-group:first-child > .dropdown-toggle {
+    border-bottom-right-radius: 0;
+    border-top-right-radius: 0; }
+  .btn-group > .btn-group:last-child > .btn:first-child {
+    border-bottom-left-radius: 0;
+    border-top-left-radius: 0; }
+
+.btn-group .dropdown-toggle:active, .btn-group.open .dropdown-toggle {
+  outline: 0; }
 
 .btn-group > .btn + .dropdown-toggle {
   padding-left: 8px;
-  padding-right: 8px;
-}
+  padding-right: 8px; }
+
+.btn-group > .btn-lg + .dropdown-toggle {
+  padding-left: 12px;
+  padding-right: 12px; }
 
-.btn-group > .btn-lg + .dropdown-toggle, .btn-group-lg.btn-group > .btn + .dropdown-toggle {
+.btn-group-lg.btn-group > .btn + .dropdown-toggle {
   padding-left: 12px;
-  padding-right: 12px;
-}
+  padding-right: 12px; }
 
 .btn-group.open .dropdown-toggle {
   -webkit-box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
-  box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125);
-}
-.btn-group.open .dropdown-toggle.btn-link {
-  -webkit-box-shadow: none;
-  box-shadow: none;
-}
+  box-shadow: inset 0 3px 5px rgba(0, 0, 0, 0.125); }
+  .btn-group.open .dropdown-toggle.btn-link {
+    -webkit-box-shadow: none;
+    box-shadow: none; }
 
 .btn .caret {
-  margin-left: 0;
-}
+  margin-left: 0; }
 
 .btn-lg .caret, .btn-group-lg > .btn .caret {
   border-width: 5px 5px 0;
-  border-bottom-width: 0;
-}
+  border-bottom-width: 0; }
 
 .dropup .btn-lg .caret, .dropup .btn-group-lg > .btn .caret {
-  border-width: 0 5px 5px;
-}
+  border-width: 0 5px 5px; }
 
-.btn-group-vertical > .btn,
-.btn-group-vertical > .btn-group,
-.btn-group-vertical > .btn-group > .btn {
+.btn-group-vertical > .btn {
   display: block;
   float: none;
   width: 100%;
-  max-width: 100%;
-}
-.btn-group-vertical > .btn-group:before, .btn-group-vertical > .btn-group:after {
-  content: " ";
-  display: table;
-}
-.btn-group-vertical > .btn-group:after {
-  clear: both;
-}
-.btn-group-vertical > .btn-group > .btn {
+  max-width: 100%; }
+
+.btn-group-vertical > .btn-group {
+  display: block;
   float: none;
-}
-.btn-group-vertical > .btn + .btn,
-.btn-group-vertical > .btn + .btn-group,
-.btn-group-vertical > .btn-group + .btn,
-.btn-group-vertical > .btn-group + .btn-group {
+  width: 100%;
+  max-width: 100%; }
+  .btn-group-vertical > .btn-group > .btn {
+    display: block;
+    float: none;
+    width: 100%;
+    max-width: 100%; }
+  .btn-group-vertical > .btn-group:before {
+    content: " ";
+    display: table; }
+  .btn-group-vertical > .btn-group:after {
+    content: " ";
+    display: table;
+    clear: both; }
+  .btn-group-vertical > .btn-group > .btn {
+    float: none; }
+
+.btn-group-vertical > .btn + .btn, .btn-group-vertical > .btn + .btn-group {
+  margin-top: -1px;
+  margin-left: 0; }
+
+.btn-group-vertical > .btn-group + .btn, .btn-group-vertical > .btn-group + .btn-group {
   margin-top: -1px;
-  margin-left: 0;
-}
+  margin-left: 0; }
 
 .btn-group-vertical > .btn:not(:first-child):not(:last-child) {
-  border-radius: 0;
-}
+  border-radius: 0; }
+
 .btn-group-vertical > .btn:first-child:not(:last-child) {
   border-top-right-radius: 3px;
   border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0;
-}
+  border-bottom-left-radius: 0; }
+
 .btn-group-vertical > .btn:last-child:not(:first-child) {
   border-bottom-left-radius: 3px;
   border-top-right-radius: 0;
-  border-top-left-radius: 0;
-}
+  border-top-left-radius: 0; }
 
 .btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0;
-}
+  border-radius: 0; }
 
-.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child,
-.btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle {
+.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child, .btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle {
   border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0;
-}
+  border-bottom-left-radius: 0; }
 
 .btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {
   border-top-right-radius: 0;
-  border-top-left-radius: 0;
-}
+  border-top-left-radius: 0; }
 
 .btn-group-justified {
   display: table;
   width: 100%;
   table-layout: fixed;
-  border-collapse: separate;
-}
-.btn-group-justified > .btn,
-.btn-group-justified > .btn-group {
-  float: none;
-  display: table-cell;
-  width: 1%;
-}
-.btn-group-justified > .btn-group .btn {
-  width: 100%;
-}
-.btn-group-justified > .btn-group .dropdown-menu {
-  left: auto;
-}
+  border-collapse: separate; }
+  .btn-group-justified > .btn {
+    float: none;
+    display: table-cell;
+    width: 1%; }
+  .btn-group-justified > .btn-group {
+    float: none;
+    display: table-cell;
+    width: 1%; }
+    .btn-group-justified > .btn-group .btn {
+      width: 100%; }
+    .btn-group-justified > .btn-group .dropdown-menu {
+      left: auto; }
 
-[data-toggle=buttons] > .btn > input[type=radio],
-[data-toggle=buttons] > .btn > input[type=checkbox] {
+[data-toggle=buttons] > .btn > input[type=radio], [data-toggle=buttons] > .btn > input[type=checkbox] {
   position: absolute;
   z-index: -1;
   opacity: 0;
-  filter: alpha(opacity=0);
-}
+  filter: alpha(opacity=0); }
 
 .input-group {
   position: relative;
   display: table;
-  border-collapse: separate;
-}
-.input-group[class*=col-] {
-  float: none;
-  padding-left: 0;
-  padding-right: 0;
-}
-.input-group .form-control {
-  position: relative;
-  z-index: 2;
-  float: left;
-  width: 100%;
-  margin-bottom: 0;
-}
-
-.input-group-addon,
-.input-group-btn,
-.input-group .form-control {
-  display: table-cell;
-}
-.input-group-addon:not(:first-child):not(:last-child),
-.input-group-btn:not(:first-child):not(:last-child),
-.input-group .form-control:not(:first-child):not(:last-child) {
-  border-radius: 0;
-}
+  border-collapse: separate; }
+  .input-group[class*=col-] {
+    float: none;
+    padding-left: 0;
+    padding-right: 0; }
+  .input-group .form-control {
+    position: relative;
+    z-index: 2;
+    float: left;
+    width: 100%;
+    margin-bottom: 0; }
+
+.input-group-addon, .input-group-btn, .input-group .form-control {
+  display: table-cell; }
 
-.input-group-addon,
-.input-group-btn {
+.input-group-addon:not(:first-child):not(:last-child), .input-group-btn:not(:first-child):not(:last-child), .input-group .form-control:not(:first-child):not(:last-child) {
+  border-radius: 0; }
+
+.input-group-addon, .input-group-btn {
   width: 1%;
   white-space: nowrap;
-  vertical-align: middle;
-}
+  vertical-align: middle; }
 
 .input-group-addon {
   padding: 6px 12px;
@@ -4164,262 +3633,247 @@ tbody.collapse.in {
   text-align: center;
   background-color: #1a1a1a;
   border: 1px solid #ccc;
-  border-radius: 3px;
-}
-.input-group-addon.input-sm, .form-horizontal .form-group-sm .input-group-addon.form-control,
-.input-group-sm > .input-group-addon,
-.input-group-sm > .input-group-btn > .input-group-addon.btn {
+  border-radius: 3px; }
+  .input-group-addon.input-sm {
+    padding: 5px 10px;
+    font-size: 12px;
+    border-radius: 3px; }
+
+.form-horizontal .form-group-sm .input-group-addon.form-control {
   padding: 5px 10px;
   font-size: 12px;
-  border-radius: 3px;
-}
-.input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control,
-.input-group-lg > .input-group-addon,
-.input-group-lg > .input-group-btn > .input-group-addon.btn {
+  border-radius: 3px; }
+
+.input-group-sm > .input-group-addon, .input-group-sm > .input-group-btn > .input-group-addon.btn {
+  padding: 5px 10px;
+  font-size: 12px;
+  border-radius: 3px; }
+
+.input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control {
   padding: 10px 16px;
   font-size: 18px;
-  border-radius: 6px;
-}
-.input-group-addon input[type=radio],
-.input-group-addon input[type=checkbox] {
-  margin-top: 0;
-}
-
-.input-group .form-control:first-child,
-.input-group-addon:first-child,
-.input-group-btn:first-child > .btn,
-.input-group-btn:first-child > .btn-group > .btn,
-.input-group-btn:first-child > .dropdown-toggle,
-.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),
-.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {
+  border-radius: 6px; }
+
+.input-group-lg > .input-group-addon, .input-group-lg > .input-group-btn > .input-group-addon.btn {
+  padding: 10px 16px;
+  font-size: 18px;
+  border-radius: 6px; }
+
+.input-group-addon input[type=radio], .input-group-addon input[type=checkbox] {
+  margin-top: 0; }
+
+.input-group .form-control:first-child, .input-group-addon:first-child {
   border-bottom-right-radius: 0;
-  border-top-right-radius: 0;
-}
+  border-top-right-radius: 0; }
+
+.input-group-btn:first-child > .btn, .input-group-btn:first-child > .btn-group > .btn, .input-group-btn:first-child > .dropdown-toggle {
+  border-bottom-right-radius: 0;
+  border-top-right-radius: 0; }
+
+.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle), .input-group-btn:last-child > .btn-group:not(:last-child) > .btn {
+  border-bottom-right-radius: 0;
+  border-top-right-radius: 0; }
 
 .input-group-addon:first-child {
-  border-right: 0;
-}
-
-.input-group .form-control:last-child,
-.input-group-addon:last-child,
-.input-group-btn:last-child > .btn,
-.input-group-btn:last-child > .btn-group > .btn,
-.input-group-btn:last-child > .dropdown-toggle,
-.input-group-btn:first-child > .btn:not(:first-child),
-.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {
+  border-right: 0; }
+
+.input-group .form-control:last-child, .input-group-addon:last-child {
+  border-bottom-left-radius: 0;
+  border-top-left-radius: 0; }
+
+.input-group-btn:last-child > .btn, .input-group-btn:last-child > .btn-group > .btn, .input-group-btn:last-child > .dropdown-toggle {
+  border-bottom-left-radius: 0;
+  border-top-left-radius: 0; }
+
+.input-group-btn:first-child > .btn:not(:first-child), .input-group-btn:first-child > .btn-group:not(:first-child) > .btn {
   border-bottom-left-radius: 0;
-  border-top-left-radius: 0;
-}
+  border-top-left-radius: 0; }
 
 .input-group-addon:last-child {
-  border-left: 0;
-}
+  border-left: 0; }
 
 .input-group-btn {
   position: relative;
   font-size: 0;
-  white-space: nowrap;
-}
-.input-group-btn > .btn {
-  position: relative;
-}
-.input-group-btn > .btn + .btn {
-  margin-left: -1px;
-}
-.input-group-btn > .btn:hover, .input-group-btn > .btn:focus, .input-group-btn > .btn:active {
-  z-index: 2;
-}
-.input-group-btn:first-child > .btn,
-.input-group-btn:first-child > .btn-group {
-  margin-right: -1px;
-}
-.input-group-btn:last-child > .btn,
-.input-group-btn:last-child > .btn-group {
-  margin-left: -1px;
-}
+  white-space: nowrap; }
+  .input-group-btn > .btn {
+    position: relative; }
+    .input-group-btn > .btn + .btn {
+      margin-left: -1px; }
+    .input-group-btn > .btn:hover, .input-group-btn > .btn:focus, .input-group-btn > .btn:active {
+      z-index: 2; }
+  .input-group-btn:first-child > .btn, .input-group-btn:first-child > .btn-group {
+    margin-right: -1px; }
+  .input-group-btn:last-child > .btn, .input-group-btn:last-child > .btn-group {
+    margin-left: -1px; }
 
 .nav {
   margin-bottom: 0;
   padding-left: 0;
-  list-style: none;
-}
-.nav:before, .nav:after {
-  content: " ";
-  display: table;
-}
-.nav:after {
-  clear: both;
-}
-.nav > li {
-  position: relative;
-  display: block;
-}
-.nav > li > a {
-  position: relative;
-  display: block;
-  padding: 10px 15px;
-}
-.nav > li > a:hover, .nav > li > a:focus {
-  text-decoration: none;
-  background-color: #1a1a1a;
-}
-.nav > li.disabled > a {
-  color: #DDd;
-}
-.nav > li.disabled > a:hover, .nav > li.disabled > a:focus {
-  color: #DDd;
-  text-decoration: none;
-  background-color: transparent;
-  cursor: not-allowed;
-}
-.nav .open > a, .nav .open > a:hover, .nav .open > a:focus {
-  background-color: #1a1a1a;
-  border-color: #EA7105;
-}
-.nav .nav-divider {
-  height: 1px;
-  margin: 9px 0;
-  overflow: hidden;
-  background-color: #e5e5e5;
-}
-.nav > li > a > img {
-  max-width: none;
-}
+  list-style: none; }
+  .nav:before {
+    content: " ";
+    display: table; }
+  .nav:after {
+    content: " ";
+    display: table;
+    clear: both; }
+  .nav > li {
+    position: relative;
+    display: block; }
+    .nav > li > a {
+      position: relative;
+      display: block;
+      padding: 10px 15px; }
+      .nav > li > a:hover, .nav > li > a:focus {
+        text-decoration: none;
+        background-color: #1a1a1a; }
+    .nav > li.disabled > a {
+      color: #DDd; }
+      .nav > li.disabled > a:hover, .nav > li.disabled > a:focus {
+        color: #DDd;
+        text-decoration: none;
+        background-color: transparent;
+        cursor: not-allowed; }
+  .nav .open > a {
+    background-color: #1a1a1a;
+    border-color: #EA7105; }
+    .nav .open > a:hover, .nav .open > a:focus {
+      background-color: #1a1a1a;
+      border-color: #EA7105; }
+  .nav .nav-divider {
+    height: 1px;
+    margin: 9px 0;
+    overflow: hidden;
+    background-color: #e5e5e5; }
+  .nav > li > a > img {
+    max-width: none; }
 
 .nav-tabs {
-  border-bottom: 1px solid #E5E5E5;
-}
-.nav-tabs > li {
-  float: left;
-  margin-bottom: -1px;
-}
-.nav-tabs > li > a {
-  margin-right: 2px;
-  line-height: 1.428571429;
-  border: 1px solid transparent;
-  border-radius: 3px 3px 0 0;
-}
-.nav-tabs > li > a:hover {
-  border-color: #1a1a1a #1a1a1a #E5E5E5;
-}
-.nav-tabs > li.active > a, .nav-tabs > li.active > a:hover, .nav-tabs > li.active > a:focus {
-  color: #eee;
-  background-color: #333;
-  border: 1px solid #ddd;
-  border-bottom-color: transparent;
-  cursor: default;
-}
+  border-bottom: 1px solid #E5E5E5; }
+  .nav-tabs > li {
+    float: left;
+    margin-bottom: -1px; }
+    .nav-tabs > li > a {
+      margin-right: 2px;
+      line-height: 1.428571429;
+      border: 1px solid transparent;
+      border-radius: 3px 3px 0 0; }
+      .nav-tabs > li > a:hover {
+        border-color: #1a1a1a #1a1a1a #E5E5E5; }
+    .nav-tabs > li.active > a {
+      color: #eee;
+      background-color: #333;
+      border: 1px solid #ddd;
+      border-bottom-color: transparent;
+      cursor: default; }
+      .nav-tabs > li.active > a:hover, .nav-tabs > li.active > a:focus {
+        color: #eee;
+        background-color: #333;
+        border: 1px solid #ddd;
+        border-bottom-color: transparent;
+        cursor: default; }
+
 .nav-pills > li {
-  float: left;
-}
-.nav-pills > li > a {
-  border-radius: 0;
-}
-.nav-pills > li.active > a, .nav-pills > li.active > a:hover, .nav-pills > li.active > a:focus {
-  color: #555;
-  background-color: #EA7105;
-}
+  float: left; }
+  .nav-pills > li > a {
+    border-radius: 0; }
+  .nav-pills > li.active > a {
+    color: #555;
+    background-color: #EA7105; }
+    .nav-pills > li.active > a:hover, .nav-pills > li.active > a:focus {
+      color: #555;
+      background-color: #EA7105; }
 
 .nav-stacked > li {
-  float: none;
-}
-.nav-stacked > li + li {
-  margin-top: 2px;
-  margin-left: 0;
-}
+  float: none; }
+  .nav-stacked > li + li {
+    margin-top: 2px;
+    margin-left: 0; }
 
 .nav-justified, .nav-tabs.nav-justified {
-  width: 100%;
-}
+  width: 100%; }
+
 .nav-justified > li, .nav-tabs.nav-justified > li {
-  float: none;
-}
+  float: none; }
+
 .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
   text-align: left;
-  margin-bottom: 5px;
-}
+  margin-bottom: 5px; }
+
 .nav-justified > .dropdown .dropdown-menu {
   top: auto;
-  left: auto;
-}
+  left: auto; }
+
 @media (min-width: 768px) {
   .nav-justified > li, .nav-tabs.nav-justified > li {
     display: table-cell;
-    width: 1%;
-  }
+    width: 1%; }
   .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-    margin-bottom: 0;
-  }
-}
+    margin-bottom: 0; } }
 
 .nav-tabs-justified, .nav-tabs.nav-justified {
-  border-bottom: 0;
-}
+  border-bottom: 0; }
+
 .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
   margin-right: 0;
-  border-radius: 3px;
-}
-.nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
-.nav-tabs-justified > .active > a:hover,
-.nav-tabs-justified > .active > a:focus {
-  border: 1px solid #ddd;
-}
+  border-radius: 3px; }
+
+.nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a {
+  border: 1px solid #ddd; }
+
+.nav-tabs-justified > .active > a:hover, .nav-tabs-justified > .active > a:focus {
+  border: 1px solid #ddd; }
+
 @media (min-width: 768px) {
   .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
     border-bottom: 1px solid #ddd;
-    border-radius: 3px 3px 0 0;
-  }
-  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
-.nav-tabs-justified > .active > a:hover,
-.nav-tabs-justified > .active > a:focus {
-    border-bottom-color: #333;
-  }
-}
+    border-radius: 3px 3px 0 0; }
+  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a {
+    border-bottom-color: #333; }
+  .nav-tabs-justified > .active > a:hover, .nav-tabs-justified > .active > a:focus {
+    border-bottom-color: #333; } }
 
 .tab-content > .tab-pane {
-  display: none;
-}
+  display: none; }
+
 .tab-content > .active {
-  display: block;
-}
+  display: block; }
 
 .nav-tabs .dropdown-menu {
   margin-top: -1px;
   border-top-right-radius: 0;
-  border-top-left-radius: 0;
-}
+  border-top-left-radius: 0; }
 
 .navbar {
   position: relative;
   min-height: 50px;
   margin-bottom: 0;
-  border: 1px solid transparent;
-}
-.navbar:before, .navbar:after {
-  content: " ";
-  display: table;
-}
-.navbar:after {
-  clear: both;
-}
+  border: 1px solid transparent; }
+  .navbar:before {
+    content: " ";
+    display: table; }
+  .navbar:after {
+    content: " ";
+    display: table;
+    clear: both; }
+
 @media (min-width: 768px) {
   .navbar {
-    border-radius: 0;
-  }
-}
+    border-radius: 0; } }
 
-.navbar-header:before, .navbar-header:after {
+.navbar-header:before {
   content: " ";
-  display: table;
-}
+  display: table; }
+
 .navbar-header:after {
-  clear: both;
-}
+  content: " ";
+  display: table;
+  clear: both; }
+
 @media (min-width: 768px) {
   .navbar-header {
-    float: left;
-  }
-}
+    float: left; } }
 
 .navbar-collapse {
   overflow-x: visible;
@@ -4427,118 +3881,96 @@ tbody.collapse.in {
   padding-left: 20px;
   border-top: 1px solid transparent;
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1);
-  -webkit-overflow-scrolling: touch;
-}
-.navbar-collapse:before, .navbar-collapse:after {
-  content: " ";
-  display: table;
-}
-.navbar-collapse:after {
-  clear: both;
-}
-.navbar-collapse.in {
-  overflow-y: auto;
-}
+  -webkit-overflow-scrolling: touch; }
+  .navbar-collapse:before {
+    content: " ";
+    display: table; }
+  .navbar-collapse:after {
+    content: " ";
+    display: table;
+    clear: both; }
+  .navbar-collapse.in {
+    overflow-y: auto; }
+
 @media (min-width: 768px) {
   .navbar-collapse {
     width: auto;
     border-top: 0;
-    box-shadow: none;
-  }
-  .navbar-collapse.collapse {
-    display: block !important;
-    height: auto !important;
-    padding-bottom: 0;
-    overflow: visible !important;
-  }
-  .navbar-collapse.in {
-    overflow-y: visible;
-  }
+    box-shadow: none; }
+    .navbar-collapse.collapse {
+      display: block !important;
+      height: auto !important;
+      padding-bottom: 0;
+      overflow: visible !important; }
+    .navbar-collapse.in {
+      overflow-y: visible; }
   .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
     padding-left: 0;
-    padding-right: 0;
-  }
-}
+    padding-right: 0; } }
+
+.navbar-fixed-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+  max-height: 340px; }
 
-.navbar-fixed-top .navbar-collapse,
-.navbar-fixed-bottom .navbar-collapse {
-  max-height: 340px;
-}
 @media (max-width: 480px) and (orientation: landscape) {
-  .navbar-fixed-top .navbar-collapse,
-.navbar-fixed-bottom .navbar-collapse {
-    max-height: 200px;
-  }
-}
-
-.container > .navbar-header,
-.container > .navbar-collapse,
-.container-fluid > .navbar-header,
-.container-fluid > .navbar-collapse {
+  .navbar-fixed-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+    max-height: 200px; } }
+
+.container > .navbar-header, .container > .navbar-collapse {
   margin-right: -20px;
-  margin-left: -20px;
-}
+  margin-left: -20px; }
+
+.container-fluid > .navbar-header, .container-fluid > .navbar-collapse {
+  margin-right: -20px;
+  margin-left: -20px; }
+
 @media (min-width: 768px) {
-  .container > .navbar-header,
-.container > .navbar-collapse,
-.container-fluid > .navbar-header,
-.container-fluid > .navbar-collapse {
+  .container > .navbar-header, .container > .navbar-collapse {
     margin-right: 0;
-    margin-left: 0;
-  }
-}
+    margin-left: 0; }
+  .container-fluid > .navbar-header, .container-fluid > .navbar-collapse {
+    margin-right: 0;
+    margin-left: 0; } }
 
 .navbar-static-top {
   z-index: 1000;
-  border-width: 0 0 1px;
-}
+  border-width: 0 0 1px; }
+
 @media (min-width: 768px) {
   .navbar-static-top {
-    border-radius: 0;
-  }
-}
+    border-radius: 0; } }
 
-.navbar-fixed-top,
-.navbar-fixed-bottom {
+.navbar-fixed-top, .navbar-fixed-bottom {
   position: fixed;
   right: 0;
   left: 0;
   z-index: 1030;
   -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0);
-}
+  transform: translate3d(0, 0, 0); }
+
 @media (min-width: 768px) {
-  .navbar-fixed-top,
-.navbar-fixed-bottom {
-    border-radius: 0;
-  }
-}
+  .navbar-fixed-top, .navbar-fixed-bottom {
+    border-radius: 0; } }
 
 .navbar-fixed-top {
   top: 0;
-  border-width: 0 0 1px;
-}
+  border-width: 0 0 1px; }
 
 .navbar-fixed-bottom {
   bottom: 0;
   margin-bottom: 0;
-  border-width: 1px 0 0;
-}
+  border-width: 1px 0 0; }
 
 .navbar-brand {
   float: left;
   padding: 15px 20px;
   font-size: 18px;
-  height: 50px;
-}
-.navbar-brand:hover, .navbar-brand:focus {
-  text-decoration: none;
-}
+  height: 50px; }
+  .navbar-brand:hover, .navbar-brand:focus {
+    text-decoration: none; }
+
 @media (min-width: 768px) {
   .navbar > .container .navbar-brand, .navbar > .container-fluid .navbar-brand {
-    margin-left: -20px;
-  }
-}
+    margin-left: -20px; } }
 
 .navbar-toggle {
   position: relative;
@@ -4550,34 +3982,28 @@ tbody.collapse.in {
   background-color: transparent;
   background-image: none;
   border: 1px solid transparent;
-  border-radius: 3px;
-}
-.navbar-toggle:focus {
-  outline: 0;
-}
-.navbar-toggle .icon-bar {
-  display: block;
-  width: 22px;
-  height: 2px;
-  border-radius: 1px;
-}
-.navbar-toggle .icon-bar + .icon-bar {
-  margin-top: 4px;
-}
+  border-radius: 3px; }
+  .navbar-toggle:focus {
+    outline: 0; }
+  .navbar-toggle .icon-bar {
+    display: block;
+    width: 22px;
+    height: 2px;
+    border-radius: 1px; }
+    .navbar-toggle .icon-bar + .icon-bar {
+      margin-top: 4px; }
+
 @media (min-width: 768px) {
   .navbar-toggle {
-    display: none;
-  }
-}
+    display: none; } }
 
 .navbar-nav {
-  margin: 7.5px -20px;
-}
-.navbar-nav > li > a {
-  padding-top: 10px;
-  padding-bottom: 10px;
-  line-height: 20px;
-}
+  margin: 7.5px -20px; }
+  .navbar-nav > li > a {
+    padding-top: 10px;
+    padding-bottom: 10px;
+    line-height: 20px; }
+
 @media (max-width: 767px) {
   .navbar-nav .open .dropdown-menu {
     position: static;
@@ -4586,45 +4012,32 @@ tbody.collapse.in {
     margin-top: 0;
     background-color: transparent;
     border: 0;
-    box-shadow: none;
-  }
-  .navbar-nav .open .dropdown-menu > li > a,
-.navbar-nav .open .dropdown-menu .dropdown-header {
-    padding: 5px 15px 5px 25px;
-  }
-  .navbar-nav .open .dropdown-menu > li > a {
-    line-height: 20px;
-  }
-  .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-nav .open .dropdown-menu > li > a:focus {
-    background-image: none;
-  }
-}
+    box-shadow: none; }
+    .navbar-nav .open .dropdown-menu > li > a, .navbar-nav .open .dropdown-menu .dropdown-header {
+      padding: 5px 15px 5px 25px; }
+    .navbar-nav .open .dropdown-menu > li > a {
+      line-height: 20px; }
+      .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-nav .open .dropdown-menu > li > a:focus {
+        background-image: none; } }
+
 @media (min-width: 768px) {
   .navbar-nav {
     float: left;
-    margin: 0;
-  }
-  .navbar-nav > li {
-    float: left;
-  }
-  .navbar-nav > li > a {
-    padding-top: 15px;
-    padding-bottom: 15px;
-  }
-  .navbar-nav.navbar-right:last-child {
-    margin-right: -20px;
-  }
-}
+    margin: 0; }
+    .navbar-nav > li {
+      float: left; }
+      .navbar-nav > li > a {
+        padding-top: 15px;
+        padding-bottom: 15px; }
+    .navbar-nav.navbar-right:last-child {
+      margin-right: -20px; } }
 
 @media (min-width: 768px) {
   .navbar-left {
-    float: left !important;
-  }
-
+    float: left !important; }
   .navbar-right {
-    float: right !important;
-  }
-}
+    float: right !important; } }
+
 .navbar-form {
   margin-left: -20px;
   margin-right: -20px;
@@ -4634,13 +4047,12 @@ tbody.collapse.in {
   -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);
   margin-top: 8px;
-  margin-bottom: 8px;
-}
+  margin-bottom: 8px; }
+
 @media (max-width: 767px) {
   .navbar-form .form-group {
-    margin-bottom: 5px;
-  }
-}
+    margin-bottom: 5px; } }
+
 @media (min-width: 768px) {
   .navbar-form {
     width: auto;
@@ -4650,373 +4062,353 @@ tbody.collapse.in {
     padding-top: 0;
     padding-bottom: 0;
     -webkit-box-shadow: none;
-    box-shadow: none;
-  }
-  .navbar-form.navbar-right:last-child {
-    margin-right: -20px;
-  }
-}
+    box-shadow: none; }
+    .navbar-form.navbar-right:last-child {
+      margin-right: -20px; } }
 
 .navbar-nav > li > .dropdown-menu {
   margin-top: 0;
   border-top-right-radius: 0;
-  border-top-left-radius: 0;
-}
+  border-top-left-radius: 0; }
 
 .navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
   border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0;
-}
+  border-bottom-left-radius: 0; }
 
 .navbar-btn {
   margin-top: 8px;
-  margin-bottom: 8px;
-}
-.navbar-btn.btn-sm, .btn-group-sm > .navbar-btn.btn {
+  margin-bottom: 8px; }
+  .navbar-btn.btn-sm {
+    margin-top: 10px;
+    margin-bottom: 10px; }
+
+.btn-group-sm > .navbar-btn.btn {
   margin-top: 10px;
-  margin-bottom: 10px;
-}
+  margin-bottom: 10px; }
+
 .navbar-btn.btn-xs, .btn-group-xs > .navbar-btn.btn {
   margin-top: 14px;
-  margin-bottom: 14px;
-}
+  margin-bottom: 14px; }
 
 .navbar-text {
   margin-top: 15px;
-  margin-bottom: 15px;
-}
+  margin-bottom: 15px; }
+
 @media (min-width: 768px) {
   .navbar-text {
     float: left;
     margin-left: 20px;
-    margin-right: 20px;
-  }
-  .navbar-text.navbar-right:last-child {
-    margin-right: 0;
-  }
-}
+    margin-right: 20px; }
+    .navbar-text.navbar-right:last-child {
+      margin-right: 0; } }
 
 .navbar-default {
   background-color: #404040;
-  border-color: #2f2f2f;
-}
-.navbar-default .navbar-brand {
-  color: #C1C1c1;
-}
-.navbar-default .navbar-brand:hover, .navbar-default .navbar-brand:focus {
-  color: #a8a8a8;
-  background-color: transparent;
-}
-.navbar-default .navbar-text {
-  color: #aaaaaa;
-}
-.navbar-default .navbar-nav > li > a {
-  color: #C1C1c1;
-}
-.navbar-default .navbar-nav > li > a:hover, .navbar-default .navbar-nav > li > a:focus {
-  color: #EA7105;
-  background-color: transparent;
-}
-.navbar-default .navbar-nav > .active > a, .navbar-default .navbar-nav > .active > a:hover, .navbar-default .navbar-nav > .active > a:focus {
-  color: #aaa;
-  background-color: #2f2f2f;
-}
-.navbar-default .navbar-nav > .disabled > a, .navbar-default .navbar-nav > .disabled > a:hover, .navbar-default .navbar-nav > .disabled > a:focus {
-  color: #ccc;
-  background-color: transparent;
-}
-.navbar-default .navbar-toggle {
-  border-color: #FFF;
-}
-.navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus {
-  background-color: #555;
-}
-.navbar-default .navbar-toggle .icon-bar {
-  background-color: #FFF;
-}
-.navbar-default .navbar-collapse,
-.navbar-default .navbar-form {
-  border-color: #2f2f2f;
-}
-.navbar-default .navbar-nav > .open > a, .navbar-default .navbar-nav > .open > a:hover, .navbar-default .navbar-nav > .open > a:focus {
-  background-color: #2f2f2f;
-  color: #aaa;
-}
+  border-color: #2f2f2f; }
+  .navbar-default .navbar-brand {
+    color: #C1C1c1; }
+    .navbar-default .navbar-brand:hover, .navbar-default .navbar-brand:focus {
+      color: #a8a8a8;
+      background-color: transparent; }
+  .navbar-default .navbar-text {
+    color: #aaaaaa; }
+  .navbar-default .navbar-nav > li > a {
+    color: #C1C1c1; }
+    .navbar-default .navbar-nav > li > a:hover, .navbar-default .navbar-nav > li > a:focus {
+      color: #EA7105;
+      background-color: transparent; }
+  .navbar-default .navbar-nav > .active > a {
+    color: #aaa;
+    background-color: #2f2f2f; }
+    .navbar-default .navbar-nav > .active > a:hover, .navbar-default .navbar-nav > .active > a:focus {
+      color: #aaa;
+      background-color: #2f2f2f; }
+  .navbar-default .navbar-nav > .disabled > a {
+    color: #ccc;
+    background-color: transparent; }
+    .navbar-default .navbar-nav > .disabled > a:hover, .navbar-default .navbar-nav > .disabled > a:focus {
+      color: #ccc;
+      background-color: transparent; }
+  .navbar-default .navbar-toggle {
+    border-color: #FFF; }
+    .navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus {
+      background-color: #555; }
+    .navbar-default .navbar-toggle .icon-bar {
+      background-color: #FFF; }
+  .navbar-default .navbar-collapse, .navbar-default .navbar-form {
+    border-color: #2f2f2f; }
+  .navbar-default .navbar-nav > .open > a {
+    background-color: #2f2f2f;
+    color: #aaa; }
+    .navbar-default .navbar-nav > .open > a:hover, .navbar-default .navbar-nav > .open > a:focus {
+      background-color: #2f2f2f;
+      color: #aaa; }
+  .navbar-default .navbar-link {
+    color: #C1C1c1; }
+    .navbar-default .navbar-link:hover {
+      color: #EA7105; }
+  .navbar-default .btn-link {
+    color: #C1C1c1; }
+    .navbar-default .btn-link:hover, .navbar-default .btn-link:focus {
+      color: #EA7105; }
+    .navbar-default .btn-link[disabled]:hover, .navbar-default .btn-link[disabled]:focus {
+      color: #ccc; }
+
 @media (max-width: 767px) {
   .navbar-default .navbar-nav .open .dropdown-menu > li > a {
-    color: #C1C1c1;
-  }
-  .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {
-    color: #EA7105;
-    background-color: transparent;
-  }
-  .navbar-default .navbar-nav .open .dropdown-menu > .active > a, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus {
+    color: #C1C1c1; }
+    .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {
+      color: #EA7105;
+      background-color: transparent; }
+  .navbar-default .navbar-nav .open .dropdown-menu > .active > a {
     color: #aaa;
-    background-color: #2f2f2f;
-  }
-  .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+    background-color: #2f2f2f; }
+    .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus {
+      color: #aaa;
+      background-color: #2f2f2f; }
+  .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a {
     color: #ccc;
-    background-color: transparent;
-  }
-}
-.navbar-default .navbar-link {
-  color: #C1C1c1;
-}
-.navbar-default .navbar-link:hover {
-  color: #EA7105;
-}
-.navbar-default .btn-link {
-  color: #C1C1c1;
-}
-.navbar-default .btn-link:hover, .navbar-default .btn-link:focus {
-  color: #EA7105;
-}
-.navbar-default .btn-link[disabled]:hover, .navbar-default .btn-link[disabled]:focus, fieldset[disabled] .navbar-default .btn-link:hover, fieldset[disabled] .navbar-default .btn-link:focus {
-  color: #ccc;
-}
+    background-color: transparent; }
+    .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+      color: #ccc;
+      background-color: transparent; } }
+
+fieldset[disabled] .navbar-default .btn-link:hover, fieldset[disabled] .navbar-default .btn-link:focus {
+  color: #ccc; }
 
 .navbar-inverse {
   background-color: #333;
-  border-color: #1a1a1a;
-}
-.navbar-inverse .navbar-brand {
-  color: #DDd;
-}
-.navbar-inverse .navbar-brand:hover, .navbar-inverse .navbar-brand:focus {
-  color: #fff;
-  background-color: transparent;
-}
-.navbar-inverse .navbar-text {
-  color: #DDd;
-}
-.navbar-inverse .navbar-nav > li > a {
-  color: #DDd;
-}
-.navbar-inverse .navbar-nav > li > a:hover, .navbar-inverse .navbar-nav > li > a:focus {
-  color: #888;
-  background-color: transparent;
-}
-.navbar-inverse .navbar-nav > .active > a, .navbar-inverse .navbar-nav > .active > a:hover, .navbar-inverse .navbar-nav > .active > a:focus {
-  color: #888;
-  background-color: #1a1a1a;
-}
-.navbar-inverse .navbar-nav > .disabled > a, .navbar-inverse .navbar-nav > .disabled > a:hover, .navbar-inverse .navbar-nav > .disabled > a:focus {
-  color: #33a;
-  background-color: transparent;
-}
-.navbar-inverse .navbar-toggle {
-  border-color: #333;
-}
-.navbar-inverse .navbar-toggle:hover, .navbar-inverse .navbar-toggle:focus {
-  background-color: #333;
-}
-.navbar-inverse .navbar-toggle .icon-bar {
-  background-color: #fff;
-}
-.navbar-inverse .navbar-collapse,
-.navbar-inverse .navbar-form {
-  border-color: #212121;
-}
-.navbar-inverse .navbar-nav > .open > a, .navbar-inverse .navbar-nav > .open > a:hover, .navbar-inverse .navbar-nav > .open > a:focus {
-  background-color: #1a1a1a;
-  color: #888;
-}
+  border-color: #1a1a1a; }
+  .navbar-inverse .navbar-brand {
+    color: #DDd; }
+    .navbar-inverse .navbar-brand:hover, .navbar-inverse .navbar-brand:focus {
+      color: #fff;
+      background-color: transparent; }
+  .navbar-inverse .navbar-text {
+    color: #DDd; }
+  .navbar-inverse .navbar-nav > li > a {
+    color: #DDd; }
+    .navbar-inverse .navbar-nav > li > a:hover, .navbar-inverse .navbar-nav > li > a:focus {
+      color: #888;
+      background-color: transparent; }
+  .navbar-inverse .navbar-nav > .active > a {
+    color: #888;
+    background-color: #1a1a1a; }
+    .navbar-inverse .navbar-nav > .active > a:hover, .navbar-inverse .navbar-nav > .active > a:focus {
+      color: #888;
+      background-color: #1a1a1a; }
+  .navbar-inverse .navbar-nav > .disabled > a {
+    color: #33a;
+    background-color: transparent; }
+    .navbar-inverse .navbar-nav > .disabled > a:hover, .navbar-inverse .navbar-nav > .disabled > a:focus {
+      color: #33a;
+      background-color: transparent; }
+  .navbar-inverse .navbar-toggle {
+    border-color: #333; }
+    .navbar-inverse .navbar-toggle:hover, .navbar-inverse .navbar-toggle:focus {
+      background-color: #333; }
+    .navbar-inverse .navbar-toggle .icon-bar {
+      background-color: #fff; }
+  .navbar-inverse .navbar-collapse, .navbar-inverse .navbar-form {
+    border-color: #212121; }
+  .navbar-inverse .navbar-nav > .open > a {
+    background-color: #1a1a1a;
+    color: #888; }
+    .navbar-inverse .navbar-nav > .open > a:hover, .navbar-inverse .navbar-nav > .open > a:focus {
+      background-color: #1a1a1a;
+      color: #888; }
+  .navbar-inverse .navbar-link {
+    color: #DDd; }
+    .navbar-inverse .navbar-link:hover {
+      color: #888; }
+  .navbar-inverse .btn-link {
+    color: #DDd; }
+    .navbar-inverse .btn-link:hover, .navbar-inverse .btn-link:focus {
+      color: #888; }
+    .navbar-inverse .btn-link[disabled]:hover, .navbar-inverse .btn-link[disabled]:focus {
+      color: #33a; }
+
 @media (max-width: 767px) {
   .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {
-    border-color: #1a1a1a;
-  }
+    border-color: #1a1a1a; }
   .navbar-inverse .navbar-nav .open .dropdown-menu .divider {
-    background-color: #1a1a1a;
-  }
+    background-color: #1a1a1a; }
   .navbar-inverse .navbar-nav .open .dropdown-menu > li > a {
-    color: #DDd;
-  }
-  .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {
-    color: #888;
-    background-color: transparent;
-  }
-  .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {
+    color: #DDd; }
+    .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {
+      color: #888;
+      background-color: transparent; }
+  .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a {
     color: #888;
-    background-color: #1a1a1a;
-  }
-  .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+    background-color: #1a1a1a; }
+    .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {
+      color: #888;
+      background-color: #1a1a1a; }
+  .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a {
     color: #33a;
-    background-color: transparent;
-  }
-}
-.navbar-inverse .navbar-link {
-  color: #DDd;
-}
-.navbar-inverse .navbar-link:hover {
-  color: #888;
-}
-.navbar-inverse .btn-link {
-  color: #DDd;
-}
-.navbar-inverse .btn-link:hover, .navbar-inverse .btn-link:focus {
-  color: #888;
-}
-.navbar-inverse .btn-link[disabled]:hover, .navbar-inverse .btn-link[disabled]:focus, fieldset[disabled] .navbar-inverse .btn-link:hover, fieldset[disabled] .navbar-inverse .btn-link:focus {
-  color: #33a;
-}
+    background-color: transparent; }
+    .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+      color: #33a;
+      background-color: transparent; } }
+
+fieldset[disabled] .navbar-inverse .btn-link:hover, fieldset[disabled] .navbar-inverse .btn-link:focus {
+  color: #33a; }
 
 .breadcrumb {
   padding: 8px 15px;
   margin-bottom: 20px;
   list-style: none;
   background-color: #484848;
-  border-radius: 3px;
-}
-.breadcrumb > li {
-  display: inline-block;
-}
-.breadcrumb > li + li:before {
-  content: "/ ";
-  padding: 0 5px;
-  color: #ccc;
-}
-.breadcrumb > .active {
-  color: #DDd;
-}
+  border-radius: 3px; }
+  .breadcrumb > li {
+    display: inline-block; }
+    .breadcrumb > li + li:before {
+      content: "/ ";
+      padding: 0 5px;
+      color: #ccc; }
+  .breadcrumb > .active {
+    color: #DDd; }
 
 .pagination {
   display: inline-block;
   padding-left: 0;
   margin: 20px 0;
-  border-radius: 3px;
-}
-.pagination > li {
-  display: inline;
-}
-.pagination > li > a,
-.pagination > li > span {
-  position: relative;
-  float: left;
-  padding: 6px 12px;
-  line-height: 1.428571429;
-  text-decoration: none;
-  color: #EA7105;
-  background-color: #222;
-  border: 1px solid #ddd;
-  margin-left: -1px;
-}
-.pagination > li:first-child > a,
-.pagination > li:first-child > span {
-  margin-left: 0;
-  border-bottom-left-radius: 3px;
-  border-top-left-radius: 3px;
-}
-.pagination > li:last-child > a,
-.pagination > li:last-child > span {
-  border-bottom-right-radius: 3px;
-  border-top-right-radius: 3px;
-}
-.pagination > li > a:hover, .pagination > li > a:focus,
-.pagination > li > span:hover,
-.pagination > li > span:focus {
-  color: #9f4d03;
-  background-color: #1a1a1a;
-  border-color: #ddd;
-}
-.pagination > .active > a, .pagination > .active > a:hover, .pagination > .active > a:focus,
-.pagination > .active > span,
-.pagination > .active > span:hover,
-.pagination > .active > span:focus {
-  z-index: 2;
-  color: #fff;
-  background-color: #EA7105;
-  border-color: #EA7105;
-  cursor: default;
-}
-.pagination > .disabled > span,
-.pagination > .disabled > span:hover,
-.pagination > .disabled > span:focus,
-.pagination > .disabled > a,
-.pagination > .disabled > a:hover,
-.pagination > .disabled > a:focus {
-  color: #DDd;
-  background-color: #222;
-  border-color: #ddd;
-  cursor: not-allowed;
-}
-
-.pagination-lg > li > a,
-.pagination-lg > li > span {
+  border-radius: 3px; }
+  .pagination > li {
+    display: inline; }
+    .pagination > li > a, .pagination > li > span {
+      position: relative;
+      float: left;
+      padding: 6px 12px;
+      line-height: 1.428571429;
+      text-decoration: none;
+      color: #EA7105;
+      background-color: #222;
+      border: 1px solid #ddd;
+      margin-left: -1px; }
+    .pagination > li:first-child > a, .pagination > li:first-child > span {
+      margin-left: 0;
+      border-bottom-left-radius: 3px;
+      border-top-left-radius: 3px; }
+    .pagination > li:last-child > a, .pagination > li:last-child > span {
+      border-bottom-right-radius: 3px;
+      border-top-right-radius: 3px; }
+    .pagination > li > a:hover, .pagination > li > a:focus {
+      color: #9f4d03;
+      background-color: #1a1a1a;
+      border-color: #ddd; }
+    .pagination > li > span:hover, .pagination > li > span:focus {
+      color: #9f4d03;
+      background-color: #1a1a1a;
+      border-color: #ddd; }
+  .pagination > .active > a {
+    z-index: 2;
+    color: #fff;
+    background-color: #EA7105;
+    border-color: #EA7105;
+    cursor: default; }
+    .pagination > .active > a:hover, .pagination > .active > a:focus {
+      z-index: 2;
+      color: #fff;
+      background-color: #EA7105;
+      border-color: #EA7105;
+      cursor: default; }
+  .pagination > .active > span {
+    z-index: 2;
+    color: #fff;
+    background-color: #EA7105;
+    border-color: #EA7105;
+    cursor: default; }
+    .pagination > .active > span:hover, .pagination > .active > span:focus {
+      z-index: 2;
+      color: #fff;
+      background-color: #EA7105;
+      border-color: #EA7105;
+      cursor: default; }
+  .pagination > .disabled > span {
+    color: #DDd;
+    background-color: #222;
+    border-color: #ddd;
+    cursor: not-allowed; }
+    .pagination > .disabled > span:hover, .pagination > .disabled > span:focus {
+      color: #DDd;
+      background-color: #222;
+      border-color: #ddd;
+      cursor: not-allowed; }
+  .pagination > .disabled > a {
+    color: #DDd;
+    background-color: #222;
+    border-color: #ddd;
+    cursor: not-allowed; }
+    .pagination > .disabled > a:hover, .pagination > .disabled > a:focus {
+      color: #DDd;
+      background-color: #222;
+      border-color: #ddd;
+      cursor: not-allowed; }
+
+.pagination-lg > li > a, .pagination-lg > li > span {
   padding: 10px 16px;
-  font-size: 18px;
-}
-.pagination-lg > li:first-child > a,
-.pagination-lg > li:first-child > span {
+  font-size: 18px; }
+
+.pagination-lg > li:first-child > a, .pagination-lg > li:first-child > span {
   border-bottom-left-radius: 6px;
-  border-top-left-radius: 6px;
-}
-.pagination-lg > li:last-child > a,
-.pagination-lg > li:last-child > span {
+  border-top-left-radius: 6px; }
+
+.pagination-lg > li:last-child > a, .pagination-lg > li:last-child > span {
   border-bottom-right-radius: 6px;
-  border-top-right-radius: 6px;
-}
+  border-top-right-radius: 6px; }
 
-.pagination-sm > li > a,
-.pagination-sm > li > span {
+.pagination-sm > li > a, .pagination-sm > li > span {
   padding: 5px 10px;
-  font-size: 12px;
-}
-.pagination-sm > li:first-child > a,
-.pagination-sm > li:first-child > span {
+  font-size: 12px; }
+
+.pagination-sm > li:first-child > a, .pagination-sm > li:first-child > span {
   border-bottom-left-radius: 3px;
-  border-top-left-radius: 3px;
-}
-.pagination-sm > li:last-child > a,
-.pagination-sm > li:last-child > span {
+  border-top-left-radius: 3px; }
+
+.pagination-sm > li:last-child > a, .pagination-sm > li:last-child > span {
   border-bottom-right-radius: 3px;
-  border-top-right-radius: 3px;
-}
+  border-top-right-radius: 3px; }
 
 .pager {
   padding-left: 0;
   margin: 20px 0;
   list-style: none;
-  text-align: center;
-}
-.pager:before, .pager:after {
-  content: " ";
-  display: table;
-}
-.pager:after {
-  clear: both;
-}
-.pager li {
-  display: inline;
-}
-.pager li > a,
-.pager li > span {
-  display: inline-block;
-  padding: 5px 14px;
-  background-color: #222;
-  border: 1px solid #ddd;
-  border-radius: 15px;
-}
-.pager li > a:hover,
-.pager li > a:focus {
-  text-decoration: none;
-  background-color: #1a1a1a;
-}
-.pager .next > a,
-.pager .next > span {
-  float: right;
-}
-.pager .previous > a,
-.pager .previous > span {
-  float: left;
-}
-.pager .disabled > a,
-.pager .disabled > a:hover,
-.pager .disabled > a:focus,
-.pager .disabled > span {
-  color: #DDd;
-  background-color: #222;
-  cursor: not-allowed;
-}
+  text-align: center; }
+  .pager:before {
+    content: " ";
+    display: table; }
+  .pager:after {
+    content: " ";
+    display: table;
+    clear: both; }
+  .pager li {
+    display: inline; }
+    .pager li > a, .pager li > span {
+      display: inline-block;
+      padding: 5px 14px;
+      background-color: #222;
+      border: 1px solid #ddd;
+      border-radius: 15px; }
+    .pager li > a:hover, .pager li > a:focus {
+      text-decoration: none;
+      background-color: #1a1a1a; }
+  .pager .next > a, .pager .next > span {
+    float: right; }
+  .pager .previous > a, .pager .previous > span {
+    float: left; }
+  .pager .disabled > a {
+    color: #DDd;
+    background-color: #222;
+    cursor: not-allowed; }
+    .pager .disabled > a:hover, .pager .disabled > a:focus {
+      color: #DDd;
+      background-color: #222;
+      cursor: not-allowed; }
+  .pager .disabled > span {
+    color: #DDd;
+    background-color: #222;
+    cursor: not-allowed; }
 
 .label {
   display: inline;
@@ -5028,63 +4420,48 @@ tbody.collapse.in {
   text-align: center;
   white-space: nowrap;
   vertical-align: baseline;
-  border-radius: 0.25em;
-}
-.label:empty {
-  display: none;
-}
+  border-radius: 0.25em; }
+  .label:empty {
+    display: none; }
+
 .btn .label {
   position: relative;
-  top: -1px;
-}
+  top: -1px; }
 
 a.label:hover, a.label:focus {
   color: #fff;
   text-decoration: none;
-  cursor: pointer;
-}
+  cursor: pointer; }
 
 .label-default {
-  background-color: #DDd;
-}
-.label-default[href]:hover, .label-default[href]:focus {
-  background-color: #c4c4c4;
-}
+  background-color: #DDd; }
+  .label-default[href]:hover, .label-default[href]:focus {
+    background-color: #c4c4c4; }
 
 .label-primary {
-  background-color: #EA7105;
-}
-.label-primary[href]:hover, .label-primary[href]:focus {
-  background-color: #b85904;
-}
+  background-color: #EA7105; }
+  .label-primary[href]:hover, .label-primary[href]:focus {
+    background-color: #b85904; }
 
 .label-success {
-  background-color: #7Ba255;
-}
-.label-success[href]:hover, .label-success[href]:focus {
-  background-color: #628143;
-}
+  background-color: #7Ba255; }
+  .label-success[href]:hover, .label-success[href]:focus {
+    background-color: #628143; }
 
 .label-info {
-  background-color: #B0CDDB;
-}
-.label-info[href]:hover, .label-info[href]:focus {
-  background-color: #8db7cb;
-}
+  background-color: #B0CDDB; }
+  .label-info[href]:hover, .label-info[href]:focus {
+    background-color: #8db7cb; }
 
 .label-warning {
-  background-color: #f0ad4e;
-}
-.label-warning[href]:hover, .label-warning[href]:focus {
-  background-color: #ec971f;
-}
+  background-color: #f0ad4e; }
+  .label-warning[href]:hover, .label-warning[href]:focus {
+    background-color: #ec971f; }
 
-.label-danger {
-  background-color: #F05050;
-}
-.label-danger[href]:hover, .label-danger[href]:focus {
-  background-color: #ec2121;
-}
+.label-danger {
+  background-color: #F05050; }
+  .label-danger[href]:hover, .label-danger[href]:focus {
+    background-color: #ec2121; }
 
 .badge {
   display: inline-block;
@@ -5098,71 +4475,63 @@ a.label:hover, a.label:focus {
   white-space: nowrap;
   text-align: center;
   background-color: #DDd;
-  border-radius: 10px;
-}
-.badge:empty {
-  display: none;
-}
+  border-radius: 10px; }
+  .badge:empty {
+    display: none; }
+
 .btn .badge {
   position: relative;
-  top: -1px;
-}
+  top: -1px; }
+
 .btn-xs .badge, .btn-group-xs > .btn .badge {
   top: 0;
-  padding: 1px 5px;
-}
-a.list-group-item.active > .badge, .nav-pills > .active > a > .badge {
+  padding: 1px 5px; }
+
+a.list-group-item.active > .badge {
+  color: #EA7105;
+  background-color: #443; }
+
+.nav-pills > .active > a > .badge {
   color: #EA7105;
-  background-color: #443;
-}
+  background-color: #443; }
+
 .nav-pills > li > a > .badge {
-  margin-left: 3px;
-}
+  margin-left: 3px; }
 
 a.badge:hover, a.badge:focus {
   color: #443;
   text-decoration: none;
-  cursor: pointer;
-}
+  cursor: pointer; }
 
 .jumbotron {
   padding: 30px;
   margin-bottom: 30px;
   color: inherit;
-  background-color: #1a1a1a;
-}
-.jumbotron h1,
-.jumbotron .h1 {
-  color: inherit;
-}
-.jumbotron p {
-  margin-bottom: 15px;
-  font-size: 21px;
-  font-weight: 200;
-}
-.jumbotron > hr {
-  border-top-color: black;
-}
+  background-color: #1a1a1a; }
+  .jumbotron h1, .jumbotron .h1 {
+    color: inherit; }
+  .jumbotron p {
+    margin-bottom: 15px;
+    font-size: 21px;
+    font-weight: 200; }
+  .jumbotron > hr {
+    border-top-color: black; }
+
 .container .jumbotron {
-  border-radius: 6px;
-}
+  border-radius: 6px; }
+
 .jumbotron .container {
-  max-width: 100%;
-}
+  max-width: 100%; }
+
 @media screen and (min-width: 768px) {
   .jumbotron {
     padding-top: 48px;
-    padding-bottom: 48px;
-  }
+    padding-bottom: 48px; }
   .container .jumbotron {
     padding-left: 60px;
-    padding-right: 60px;
-  }
-  .jumbotron h1,
-.jumbotron .h1 {
-    font-size: 63px;
-  }
-}
+    padding-right: 60px; }
+  .jumbotron h1, .jumbotron .h1 {
+    font-size: 63px; } }
 
 .thumbnail {
   display: block;
@@ -5174,125 +4543,93 @@ a.badge:hover, a.badge:focus {
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
   -o-transition: all 0.2s ease-in-out;
-  transition: all 0.2s ease-in-out;
-}
-.thumbnail > img,
-.thumbnail a > img {
-  display: block;
-  width: 100% \9;
-  max-width: 100%;
-  height: auto;
-  margin-left: auto;
-  margin-right: auto;
-}
-.thumbnail .caption {
-  padding: 9px;
-  color: #C1C1c1;
-}
-
-a.thumbnail:hover,
-a.thumbnail:focus,
-a.thumbnail.active {
-  border-color: #EA7105;
-}
+  transition: all 0.2s ease-in-out; }
+  .thumbnail > img, .thumbnail a > img {
+    display: block;
+    width: 100% \9;
+    max-width: 100%;
+    height: auto;
+    margin-left: auto;
+    margin-right: auto; }
+  .thumbnail .caption {
+    padding: 9px;
+    color: #C1C1c1; }
+
+a.thumbnail:hover, a.thumbnail:focus, a.thumbnail.active {
+  border-color: #EA7105; }
 
 .alert {
   padding: 15px;
   margin-bottom: 20px;
   border: 1px solid transparent;
-  border-radius: 3px;
-}
-.alert h4 {
-  margin-top: 0;
-  color: inherit;
-}
-.alert .alert-link {
-  font-weight: bold;
-}
-.alert > p,
-.alert > ul {
-  margin-bottom: 0;
-}
-.alert > p + p {
-  margin-top: 5px;
-}
-
-.alert-dismissable,
-.alert-dismissible {
-  padding-right: 35px;
-}
-.alert-dismissable .close,
-.alert-dismissible .close {
+  border-radius: 3px; }
+  .alert h4 {
+    margin-top: 0;
+    color: inherit; }
+  .alert .alert-link {
+    font-weight: bold; }
+  .alert > p, .alert > ul {
+    margin-bottom: 0; }
+  .alert > p + p {
+    margin-top: 5px; }
+
+.alert-dismissable, .alert-dismissible {
+  padding-right: 35px; }
+
+.alert-dismissable .close, .alert-dismissible .close {
   position: relative;
   top: -2px;
   right: -21px;
-  color: inherit;
-}
+  color: inherit; }
 
 .alert-success {
   background-color: #7Ba255;
   border-color: #7Ba255;
-  color: #485f32;
-}
-.alert-success hr {
-  border-top-color: #6e914c;
-}
-.alert-success .alert-link {
-  color: #55703b;
-}
+  color: #485f32; }
+  .alert-success hr {
+    border-top-color: #6e914c; }
+  .alert-success .alert-link {
+    color: #55703b; }
 
 .alert-info {
   background-color: #4545a7;
   border-color: #3b488e;
-  color: #cccccc;
-}
-.alert-info hr {
-  border-top-color: #333f7c;
-}
-.alert-info .alert-link {
-  color: #d9d9d9;
-}
+  color: #cccccc; }
+  .alert-info hr {
+    border-top-color: #333f7c; }
+  .alert-info .alert-link {
+    color: #d9d9d9; }
 
 .alert-warning {
   background-color: #fcf8e3;
   border-color: #faebcc;
-  color: #c77c11;
-}
-.alert-warning hr {
-  border-top-color: #f7e1b5;
-}
-.alert-warning .alert-link {
-  color: #df8a13;
-}
+  color: #c77c11; }
+  .alert-warning hr {
+    border-top-color: #f7e1b5; }
+  .alert-warning .alert-link {
+    color: #df8a13; }
 
 .alert-danger {
   background-color: #F05050;
   border-color: #F05050;
-  color: #c91111;
-}
-.alert-danger hr {
-  border-top-color: #ee3939;
-}
-.alert-danger .alert-link {
-  color: #e01313;
-}
+  color: #c91111; }
+  .alert-danger hr {
+    border-top-color: #ee3939; }
+  .alert-danger .alert-link {
+    color: #e01313; }
 
 @-webkit-keyframes progress-bar-stripes {
   from {
-    background-position: 40px 0;
-  }
+    background-position: 40px 0; }
   to {
-    background-position: 0 0;
-  }
-}
+    background-position: 0 0; } }
+
 @keyframes progress-bar-stripes {
   from {
-    background-position: 40px 0;
-  }
+    background-position: 40px 0; }
   to {
-    background-position: 0 0;
-  }
-}
+    background-position: 0 0; } }
+
 .progress {
   overflow: hidden;
   height: 20px;
@@ -5300,8 +4637,7 @@ a.thumbnail.active {
   border-radius: 3px;
   position: relative;
   -webkit-box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1);
-  box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1);
-}
+  box-shadow: inset 0 1px 2px rgba(0, 0, 0, 0.1); }
 
 .progress-bar {
   float: left;
@@ -5318,287 +4654,261 @@ a.thumbnail.active {
   box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.15);
   -webkit-transition: width 0.6s ease;
   -o-transition: width 0.6s ease;
-  transition: width 0.6s ease;
-}
+  transition: width 0.6s ease; }
 
-.progress-striped .progress-bar,
-.progress-bar-striped {
+.progress-striped .progress-bar, .progress-bar-striped {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-size: 40px 40px;
-}
+  background-size: 40px 40px; }
+
+.progress.active .progress-bar {
+  -webkit-animation: progress-bar-stripes 2s linear infinite;
+  -o-animation: progress-bar-stripes 2s linear infinite;
+  animation: progress-bar-stripes 2s linear infinite; }
 
-.progress.active .progress-bar,
 .progress-bar.active {
   -webkit-animation: progress-bar-stripes 2s linear infinite;
   -o-animation: progress-bar-stripes 2s linear infinite;
-  animation: progress-bar-stripes 2s linear infinite;
-}
+  animation: progress-bar-stripes 2s linear infinite; }
 
 .progress-bar[aria-valuenow="1"], .progress-bar[aria-valuenow="2"] {
-  min-width: 30px;
-}
+  min-width: 30px; }
+
 .progress-bar[aria-valuenow="0"] {
   color: #DDd;
   min-width: 30px;
   background-color: transparent;
   background-image: none;
-  box-shadow: none;
-}
+  box-shadow: none; }
 
 .progress-bar-success {
-  background-color: #7Ba255;
-}
+  background-color: #7Ba255; }
+
 .progress-striped .progress-bar-success {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-}
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
 
 .progress-bar-info {
-  background-color: #B0CDDB;
-}
+  background-color: #B0CDDB; }
+
 .progress-striped .progress-bar-info {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-}
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
 
 .progress-bar-warning {
-  background-color: #f0ad4e;
-}
+  background-color: #f0ad4e; }
+
 .progress-striped .progress-bar-warning {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-}
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
 
 .progress-bar-danger {
-  background-color: #F05050;
-}
+  background-color: #F05050; }
+
 .progress-striped .progress-bar-danger {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-}
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
 
-.media,
-.media-body {
+.media, .media-body {
   overflow: hidden;
-  zoom: 1;
-}
-
-.media,
-.media .media {
-  margin-top: 15px;
-}
+  zoom: 1; }
 
-.media:first-child {
-  margin-top: 0;
-}
+.media {
+  margin-top: 15px; }
+  .media .media {
+    margin-top: 15px; }
+  .media:first-child {
+    margin-top: 0; }
 
 .media-object {
-  display: block;
-}
+  display: block; }
 
 .media-heading {
-  margin: 0 0 5px;
-}
+  margin: 0 0 5px; }
 
 .media > .pull-left {
-  margin-right: 10px;
-}
+  margin-right: 10px; }
+
 .media > .pull-right {
-  margin-left: 10px;
-}
+  margin-left: 10px; }
 
 .media-list {
   padding-left: 0;
-  list-style: none;
-}
+  list-style: none; }
 
 .list-group {
   margin-bottom: 20px;
-  padding-left: 0;
-}
+  padding-left: 0; }
 
 .list-group-item {
   position: relative;
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #222;
-}
-.list-group-item:last-child {
-  margin-bottom: 0;
-}
-.list-group-item > .badge {
-  float: right;
-}
-.list-group-item > .badge + .badge {
-  margin-right: 5px;
-}
+  background-color: #222; }
+  .list-group-item:last-child {
+    margin-bottom: 0; }
+  .list-group-item > .badge {
+    float: right; }
+    .list-group-item > .badge + .badge {
+      margin-right: 5px; }
 
 a.list-group-item {
   color: #C1C1c1;
-  border-radius: 0;
-}
-a.list-group-item .list-group-item-heading {
-  color: #333;
-}
-a.list-group-item:hover, a.list-group-item:focus {
-  text-decoration: none;
-  color: #EA7105;
-  background-color: #484848;
-}
-a.list-group-item:hover:before, a.list-group-item:focus:before {
-  background: #EA7105;
-  content: "";
-  height: 42px;
-  left: 0;
-  position: absolute;
-  top: 0;
-  width: 3px;
-}
+  border-radius: 0; }
+  a.list-group-item .list-group-item-heading {
+    color: #333; }
+  a.list-group-item:hover, a.list-group-item:focus {
+    text-decoration: none;
+    color: #EA7105;
+    background-color: #484848; }
+  a.list-group-item:hover:before, a.list-group-item:focus:before {
+    background: #EA7105;
+    content: "";
+    height: 42px;
+    left: 0;
+    position: absolute;
+    top: 0;
+    width: 3px; }
 
-.list-group-item.disabled, .list-group-item.disabled:hover, .list-group-item.disabled:focus {
+.list-group-item.disabled {
   background-color: #1a1a1a;
-  color: #DDd;
-}
-.list-group-item.disabled .list-group-item-heading, .list-group-item.disabled:hover .list-group-item-heading, .list-group-item.disabled:focus .list-group-item-heading {
-  color: inherit;
-}
-.list-group-item.disabled .list-group-item-text, .list-group-item.disabled:hover .list-group-item-text, .list-group-item.disabled:focus .list-group-item-text {
-  color: #DDd;
-}
-.list-group-item.active, .list-group-item.active:hover, .list-group-item.active:focus {
-  z-index: 2;
-}
-.list-group-item.active:before, .list-group-item.active:hover:before, .list-group-item.active:focus:before {
-  background: #EA7105;
-  content: "";
-  height: 42px;
-  left: 0;
-  position: absolute;
-  top: 0px;
-  width: 3px;
-}
-.list-group-item.active .list-group-item-heading,
-.list-group-item.active .list-group-item-heading > small,
-.list-group-item.active .list-group-item-heading > .small, .list-group-item.active:hover .list-group-item-heading,
-.list-group-item.active:hover .list-group-item-heading > small,
-.list-group-item.active:hover .list-group-item-heading > .small, .list-group-item.active:focus .list-group-item-heading,
-.list-group-item.active:focus .list-group-item-heading > small,
-.list-group-item.active:focus .list-group-item-heading > .small {
-  color: inherit;
-}
-.list-group-item.active .list-group-item-text, .list-group-item.active:hover .list-group-item-text, .list-group-item.active:focus .list-group-item-text {
-  color: #fedcbd;
-}
-.list-group-item.active + .collapse > .list-group-item:before, .list-group-item.active:hover + .collapse > .list-group-item:before, .list-group-item.active:focus + .collapse > .list-group-item:before {
-  background: #EA7105;
-  content: "";
-  height: 42px;
-  left: 0;
-  position: absolute;
-  top: 0px;
-  width: 3px;
-}
+  color: #DDd; }
+  .list-group-item.disabled:hover, .list-group-item.disabled:focus {
+    background-color: #1a1a1a;
+    color: #DDd; }
+  .list-group-item.disabled .list-group-item-heading, .list-group-item.disabled:hover .list-group-item-heading, .list-group-item.disabled:focus .list-group-item-heading {
+    color: inherit; }
+  .list-group-item.disabled .list-group-item-text, .list-group-item.disabled:hover .list-group-item-text, .list-group-item.disabled:focus .list-group-item-text {
+    color: #DDd; }
+
+.list-group-item.active {
+  z-index: 2; }
+  .list-group-item.active:hover, .list-group-item.active:focus {
+    z-index: 2; }
+  .list-group-item.active:before, .list-group-item.active:hover:before, .list-group-item.active:focus:before {
+    background: #EA7105;
+    content: "";
+    height: 42px;
+    left: 0;
+    position: absolute;
+    top: 0px;
+    width: 3px; }
+  .list-group-item.active .list-group-item-heading {
+    color: inherit; }
+    .list-group-item.active .list-group-item-heading > small, .list-group-item.active .list-group-item-heading > .small {
+      color: inherit; }
+  .list-group-item.active:hover .list-group-item-heading {
+    color: inherit; }
+    .list-group-item.active:hover .list-group-item-heading > small, .list-group-item.active:hover .list-group-item-heading > .small {
+      color: inherit; }
+  .list-group-item.active:focus .list-group-item-heading {
+    color: inherit; }
+    .list-group-item.active:focus .list-group-item-heading > small, .list-group-item.active:focus .list-group-item-heading > .small {
+      color: inherit; }
+  .list-group-item.active .list-group-item-text, .list-group-item.active:hover .list-group-item-text, .list-group-item.active:focus .list-group-item-text {
+    color: #fedcbd; }
+  .list-group-item.active + .collapse > .list-group-item:before, .list-group-item.active:hover + .collapse > .list-group-item:before, .list-group-item.active:focus + .collapse > .list-group-item:before {
+    background: #EA7105;
+    content: "";
+    height: 42px;
+    left: 0;
+    position: absolute;
+    top: 0px;
+    width: 3px; }
 
 .list-group-item-success {
   color: #7Ba255;
-  background-color: #7Ba255;
-}
+  background-color: #7Ba255; }
 
 a.list-group-item-success {
-  color: #7Ba255;
-}
-a.list-group-item-success .list-group-item-heading {
-  color: inherit;
-}
-a.list-group-item-success:hover, a.list-group-item-success:focus {
-  color: #7Ba255;
-  background-color: #6e914c;
-}
-a.list-group-item-success.active, a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
-  color: #222;
-  background-color: #7Ba255;
-  border-color: #7Ba255;
-}
+  color: #7Ba255; }
+  a.list-group-item-success .list-group-item-heading {
+    color: inherit; }
+  a.list-group-item-success:hover, a.list-group-item-success:focus {
+    color: #7Ba255;
+    background-color: #6e914c; }
+  a.list-group-item-success.active {
+    color: #222;
+    background-color: #7Ba255;
+    border-color: #7Ba255; }
+    a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
+      color: #222;
+      background-color: #7Ba255;
+      border-color: #7Ba255; }
 
 .list-group-item-info {
   color: #ffffff;
-  background-color: #4545a7;
-}
+  background-color: #4545a7; }
 
 a.list-group-item-info {
-  color: #ffffff;
-}
-a.list-group-item-info .list-group-item-heading {
-  color: inherit;
-}
-a.list-group-item-info:hover, a.list-group-item-info:focus {
-  color: #ffffff;
-  background-color: #3e3e95;
-}
-a.list-group-item-info.active, a.list-group-item-info.active:hover, a.list-group-item-info.active:focus {
-  color: #222;
-  background-color: #ffffff;
-  border-color: #ffffff;
-}
+  color: #ffffff; }
+  a.list-group-item-info .list-group-item-heading {
+    color: inherit; }
+  a.list-group-item-info:hover, a.list-group-item-info:focus {
+    color: #ffffff;
+    background-color: #3e3e95; }
+  a.list-group-item-info.active {
+    color: #222;
+    background-color: #ffffff;
+    border-color: #ffffff; }
+    a.list-group-item-info.active:hover, a.list-group-item-info.active:focus {
+      color: #222;
+      background-color: #ffffff;
+      border-color: #ffffff; }
 
 .list-group-item-warning {
   color: #f0ad4e;
-  background-color: #fcf8e3;
-}
+  background-color: #fcf8e3; }
 
 a.list-group-item-warning {
-  color: #f0ad4e;
-}
-a.list-group-item-warning .list-group-item-heading {
-  color: inherit;
-}
-a.list-group-item-warning:hover, a.list-group-item-warning:focus {
-  color: #f0ad4e;
-  background-color: #faf2cc;
-}
-a.list-group-item-warning.active, a.list-group-item-warning.active:hover, a.list-group-item-warning.active:focus {
-  color: #222;
-  background-color: #f0ad4e;
-  border-color: #f0ad4e;
-}
+  color: #f0ad4e; }
+  a.list-group-item-warning .list-group-item-heading {
+    color: inherit; }
+  a.list-group-item-warning:hover, a.list-group-item-warning:focus {
+    color: #f0ad4e;
+    background-color: #faf2cc; }
+  a.list-group-item-warning.active {
+    color: #222;
+    background-color: #f0ad4e;
+    border-color: #f0ad4e; }
+    a.list-group-item-warning.active:hover, a.list-group-item-warning.active:focus {
+      color: #222;
+      background-color: #f0ad4e;
+      border-color: #f0ad4e; }
 
 .list-group-item-danger {
   color: #F05050;
-  background-color: #F05050;
-}
+  background-color: #F05050; }
 
 a.list-group-item-danger {
-  color: #F05050;
-}
-a.list-group-item-danger .list-group-item-heading {
-  color: inherit;
-}
-a.list-group-item-danger:hover, a.list-group-item-danger:focus {
-  color: #F05050;
-  background-color: #ee3939;
-}
-a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-group-item-danger.active:focus {
-  color: #222;
-  background-color: #F05050;
-  border-color: #F05050;
-}
+  color: #F05050; }
+  a.list-group-item-danger .list-group-item-heading {
+    color: inherit; }
+  a.list-group-item-danger:hover, a.list-group-item-danger:focus {
+    color: #F05050;
+    background-color: #ee3939; }
+  a.list-group-item-danger.active {
+    color: #222;
+    background-color: #F05050;
+    border-color: #F05050; }
+    a.list-group-item-danger.active:hover, a.list-group-item-danger.active:focus {
+      color: #222;
+      background-color: #F05050;
+      border-color: #F05050; }
 
 .list-group-item-heading {
   margin-top: 0;
-  margin-bottom: 5px;
-}
+  margin-bottom: 5px; }
 
 .list-group-item-text {
   margin-bottom: 0;
-  line-height: 1.3;
-}
+  line-height: 1.3; }
 
 .panel {
   margin-bottom: 20px;
@@ -5606,356 +4916,306 @@ a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-g
   border: 1px solid transparent;
   border-radius: 3px;
   -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);
-  box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);
-}
+  box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05); }
 
 .panel-body {
-  padding: 15px;
-}
-.panel-body:before, .panel-body:after {
-  content: " ";
-  display: table;
-}
-.panel-body:after {
-  clear: both;
-}
+  padding: 15px; }
+  .panel-body:before {
+    content: " ";
+    display: table; }
+  .panel-body:after {
+    content: " ";
+    display: table;
+    clear: both; }
 
 .panel-heading {
   padding: 10px 15px;
   border-bottom: 1px solid transparent;
   border-top-right-radius: 2px;
-  border-top-left-radius: 2px;
-}
-.panel-heading > .dropdown .dropdown-toggle {
-  color: inherit;
-}
+  border-top-left-radius: 2px; }
+  .panel-heading > .dropdown .dropdown-toggle {
+    color: inherit; }
 
 .panel-title {
   margin-top: 0;
   margin-bottom: 0;
   font-size: 16px;
-  color: inherit;
-}
-.panel-title > a {
-  color: inherit;
-}
+  color: inherit; }
+  .panel-title > a {
+    color: inherit; }
 
 .panel-footer {
   padding: 10px 15px;
   background-color: #484848;
   border-top: 1px solid #ddd;
   border-bottom-right-radius: 2px;
-  border-bottom-left-radius: 2px;
-}
+  border-bottom-left-radius: 2px; }
 
 .panel > .list-group {
-  margin-bottom: 0;
-}
-.panel > .list-group .list-group-item {
-  border-width: 1px 0;
-  border-radius: 0;
-}
-.panel > .list-group:first-child .list-group-item:first-child {
-  border-top: 0;
-  border-top-right-radius: 2px;
-  border-top-left-radius: 2px;
-}
-.panel > .list-group:last-child .list-group-item:last-child {
-  border-bottom: 0;
-  border-bottom-right-radius: 2px;
-  border-bottom-left-radius: 2px;
-}
+  margin-bottom: 0; }
+  .panel > .list-group .list-group-item {
+    border-width: 1px 0;
+    border-radius: 0; }
+  .panel > .list-group:first-child .list-group-item:first-child {
+    border-top: 0;
+    border-top-right-radius: 2px;
+    border-top-left-radius: 2px; }
+  .panel > .list-group:last-child .list-group-item:last-child {
+    border-bottom: 0;
+    border-bottom-right-radius: 2px;
+    border-bottom-left-radius: 2px; }
 
-.panel-heading + .list-group .list-group-item:first-child {
-  border-top-width: 0;
-}
+.panel-heading + .list-group .list-group-item:first-child, .list-group + .panel-footer {
+  border-top-width: 0; }
 
-.list-group + .panel-footer {
-  border-top-width: 0;
-}
+.panel > .table, .panel > .table-responsive > .table, .panel > .panel-collapse > .table {
+  margin-bottom: 0; }
 
-.panel > .table,
-.panel > .table-responsive > .table,
-.panel > .panel-collapse > .table {
-  margin-bottom: 0;
-}
-.panel > .table:first-child,
-.panel > .table-responsive:first-child > .table:first-child {
-  border-top-right-radius: 2px;
-  border-top-left-radius: 2px;
-}
-.panel > .table:first-child > thead:first-child > tr:first-child td:first-child,
-.panel > .table:first-child > thead:first-child > tr:first-child th:first-child,
-.panel > .table:first-child > tbody:first-child > tr:first-child td:first-child,
-.panel > .table:first-child > tbody:first-child > tr:first-child th:first-child,
-.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child,
-.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child,
-.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child,
-.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child {
-  border-top-left-radius: 2px;
-}
-.panel > .table:first-child > thead:first-child > tr:first-child td:last-child,
-.panel > .table:first-child > thead:first-child > tr:first-child th:last-child,
-.panel > .table:first-child > tbody:first-child > tr:first-child td:last-child,
-.panel > .table:first-child > tbody:first-child > tr:first-child th:last-child,
-.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child,
-.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child,
-.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child,
-.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child {
+.panel > .table:first-child, .panel > .table-responsive:first-child > .table:first-child {
   border-top-right-radius: 2px;
-}
-.panel > .table:last-child,
-.panel > .table-responsive:last-child > .table:last-child {
-  border-bottom-right-radius: 2px;
-  border-bottom-left-radius: 2px;
-}
-.panel > .table:last-child > tbody:last-child > tr:last-child td:first-child,
-.panel > .table:last-child > tbody:last-child > tr:last-child th:first-child,
-.panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
-.panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child,
-.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child,
-.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child,
-.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
-.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child {
-  border-bottom-left-radius: 2px;
-}
-.panel > .table:last-child > tbody:last-child > tr:last-child td:last-child,
-.panel > .table:last-child > tbody:last-child > tr:last-child th:last-child,
-.panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
-.panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child,
-.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child,
-.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child,
-.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
-.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child {
+  border-top-left-radius: 2px; }
+
+.panel > .table:first-child > thead:first-child > tr:first-child td:first-child, .panel > .table:first-child > thead:first-child > tr:first-child th:first-child {
+  border-top-left-radius: 2px; }
+
+.panel > .table:first-child > tbody:first-child > tr:first-child td:first-child, .panel > .table:first-child > tbody:first-child > tr:first-child th:first-child {
+  border-top-left-radius: 2px; }
+
+.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child, .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child {
+  border-top-left-radius: 2px; }
+
+.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child, .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child {
+  border-top-left-radius: 2px; }
+
+.panel > .table:first-child > thead:first-child > tr:first-child td:last-child, .panel > .table:first-child > thead:first-child > tr:first-child th:last-child {
+  border-top-right-radius: 2px; }
+
+.panel > .table:first-child > tbody:first-child > tr:first-child td:last-child, .panel > .table:first-child > tbody:first-child > tr:first-child th:last-child {
+  border-top-right-radius: 2px; }
+
+.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child, .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child {
+  border-top-right-radius: 2px; }
+
+.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child, .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child {
+  border-top-right-radius: 2px; }
+
+.panel > .table:last-child, .panel > .table-responsive:last-child > .table:last-child {
   border-bottom-right-radius: 2px;
-}
-.panel > .panel-body + .table,
-.panel > .panel-body + .table-responsive {
-  border-top: 1px solid #111;
-}
-.panel > .table > tbody:first-child > tr:first-child th,
-.panel > .table > tbody:first-child > tr:first-child td {
-  border-top: 0;
-}
-.panel > .table-bordered,
-.panel > .table-responsive > .table-bordered {
-  border: 0;
-}
-.panel > .table-bordered > thead > tr > th:first-child,
-.panel > .table-bordered > thead > tr > td:first-child,
-.panel > .table-bordered > tbody > tr > th:first-child,
-.panel > .table-bordered > tbody > tr > td:first-child,
-.panel > .table-bordered > tfoot > tr > th:first-child,
-.panel > .table-bordered > tfoot > tr > td:first-child,
-.panel > .table-responsive > .table-bordered > thead > tr > th:first-child,
-.panel > .table-responsive > .table-bordered > thead > tr > td:first-child,
-.panel > .table-responsive > .table-bordered > tbody > tr > th:first-child,
-.panel > .table-responsive > .table-bordered > tbody > tr > td:first-child,
-.panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child,
-.panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child {
-  border-left: 0;
-}
-.panel > .table-bordered > thead > tr > th:last-child,
-.panel > .table-bordered > thead > tr > td:last-child,
-.panel > .table-bordered > tbody > tr > th:last-child,
-.panel > .table-bordered > tbody > tr > td:last-child,
-.panel > .table-bordered > tfoot > tr > th:last-child,
-.panel > .table-bordered > tfoot > tr > td:last-child,
-.panel > .table-responsive > .table-bordered > thead > tr > th:last-child,
-.panel > .table-responsive > .table-bordered > thead > tr > td:last-child,
-.panel > .table-responsive > .table-bordered > tbody > tr > th:last-child,
-.panel > .table-responsive > .table-bordered > tbody > tr > td:last-child,
-.panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child,
-.panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child {
-  border-right: 0;
-}
-.panel > .table-bordered > thead > tr:first-child > td,
-.panel > .table-bordered > thead > tr:first-child > th,
-.panel > .table-bordered > tbody > tr:first-child > td,
-.panel > .table-bordered > tbody > tr:first-child > th,
-.panel > .table-responsive > .table-bordered > thead > tr:first-child > td,
-.panel > .table-responsive > .table-bordered > thead > tr:first-child > th,
-.panel > .table-responsive > .table-bordered > tbody > tr:first-child > td,
-.panel > .table-responsive > .table-bordered > tbody > tr:first-child > th {
-  border-bottom: 0;
-}
-.panel > .table-bordered > tbody > tr:last-child > td,
-.panel > .table-bordered > tbody > tr:last-child > th,
-.panel > .table-bordered > tfoot > tr:last-child > td,
-.panel > .table-bordered > tfoot > tr:last-child > th,
-.panel > .table-responsive > .table-bordered > tbody > tr:last-child > td,
-.panel > .table-responsive > .table-bordered > tbody > tr:last-child > th,
-.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td,
-.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th {
-  border-bottom: 0;
-}
+  border-bottom-left-radius: 2px; }
+
+.panel > .table:last-child > tbody:last-child > tr:last-child td:first-child, .panel > .table:last-child > tbody:last-child > tr:last-child th:first-child {
+  border-bottom-left-radius: 2px; }
+
+.panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child, .panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child {
+  border-bottom-left-radius: 2px; }
+
+.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child, .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child {
+  border-bottom-left-radius: 2px; }
+
+.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child, .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child {
+  border-bottom-left-radius: 2px; }
+
+.panel > .table:last-child > tbody:last-child > tr:last-child td:last-child, .panel > .table:last-child > tbody:last-child > tr:last-child th:last-child {
+  border-bottom-right-radius: 2px; }
+
+.panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child, .panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child {
+  border-bottom-right-radius: 2px; }
+
+.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child, .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child {
+  border-bottom-right-radius: 2px; }
+
+.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child, .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child {
+  border-bottom-right-radius: 2px; }
+
+.panel > .panel-body + .table, .panel > .panel-body + .table-responsive {
+  border-top: 1px solid #111; }
+
+.panel > .table > tbody:first-child > tr:first-child th, .panel > .table > tbody:first-child > tr:first-child td {
+  border-top: 0; }
+
+.panel > .table-bordered, .panel > .table-responsive > .table-bordered {
+  border: 0; }
+
+.panel > .table-bordered > thead > tr > th:first-child, .panel > .table-bordered > thead > tr > td:first-child {
+  border-left: 0; }
+
+.panel > .table-bordered > tbody > tr > th:first-child, .panel > .table-bordered > tbody > tr > td:first-child {
+  border-left: 0; }
+
+.panel > .table-bordered > tfoot > tr > th:first-child, .panel > .table-bordered > tfoot > tr > td:first-child {
+  border-left: 0; }
+
+.panel > .table-responsive > .table-bordered > thead > tr > th:first-child, .panel > .table-responsive > .table-bordered > thead > tr > td:first-child {
+  border-left: 0; }
+
+.panel > .table-responsive > .table-bordered > tbody > tr > th:first-child, .panel > .table-responsive > .table-bordered > tbody > tr > td:first-child {
+  border-left: 0; }
+
+.panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child, .panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child {
+  border-left: 0; }
+
+.panel > .table-bordered > thead > tr > th:last-child, .panel > .table-bordered > thead > tr > td:last-child {
+  border-right: 0; }
+
+.panel > .table-bordered > tbody > tr > th:last-child, .panel > .table-bordered > tbody > tr > td:last-child {
+  border-right: 0; }
+
+.panel > .table-bordered > tfoot > tr > th:last-child, .panel > .table-bordered > tfoot > tr > td:last-child {
+  border-right: 0; }
+
+.panel > .table-responsive > .table-bordered > thead > tr > th:last-child, .panel > .table-responsive > .table-bordered > thead > tr > td:last-child {
+  border-right: 0; }
+
+.panel > .table-responsive > .table-bordered > tbody > tr > th:last-child, .panel > .table-responsive > .table-bordered > tbody > tr > td:last-child {
+  border-right: 0; }
+
+.panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child, .panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child {
+  border-right: 0; }
+
+.panel > .table-bordered > thead > tr:first-child > td, .panel > .table-bordered > thead > tr:first-child > th {
+  border-bottom: 0; }
+
+.panel > .table-bordered > tbody > tr:first-child > td, .panel > .table-bordered > tbody > tr:first-child > th {
+  border-bottom: 0; }
+
+.panel > .table-responsive > .table-bordered > thead > tr:first-child > td, .panel > .table-responsive > .table-bordered > thead > tr:first-child > th {
+  border-bottom: 0; }
+
+.panel > .table-responsive > .table-bordered > tbody > tr:first-child > td, .panel > .table-responsive > .table-bordered > tbody > tr:first-child > th {
+  border-bottom: 0; }
+
+.panel > .table-bordered > tbody > tr:last-child > td, .panel > .table-bordered > tbody > tr:last-child > th {
+  border-bottom: 0; }
+
+.panel > .table-bordered > tfoot > tr:last-child > td, .panel > .table-bordered > tfoot > tr:last-child > th {
+  border-bottom: 0; }
+
 .panel > .table-responsive {
   border: 0;
-  margin-bottom: 0;
-}
+  margin-bottom: 0; }
+  .panel > .table-responsive > .table-bordered > tbody > tr:last-child > td, .panel > .table-responsive > .table-bordered > tbody > tr:last-child > th {
+    border-bottom: 0; }
+  .panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td, .panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th {
+    border-bottom: 0; }
 
 .panel-group {
-  margin-bottom: 20px;
-}
-.panel-group .panel {
-  margin-bottom: 0;
-  border-radius: 3px;
-}
-.panel-group .panel + .panel {
-  margin-top: 5px;
-}
-.panel-group .panel-heading {
-  border-bottom: 0;
-}
-.panel-group .panel-heading + .panel-collapse > .panel-body {
-  border-top: 1px solid #ddd;
-}
-.panel-group .panel-footer {
-  border-top: 0;
-}
-.panel-group .panel-footer + .panel-collapse .panel-body {
-  border-bottom: 1px solid #ddd;
-}
+  margin-bottom: 20px; }
+  .panel-group .panel {
+    margin-bottom: 0;
+    border-radius: 3px; }
+    .panel-group .panel + .panel {
+      margin-top: 5px; }
+  .panel-group .panel-heading {
+    border-bottom: 0; }
+    .panel-group .panel-heading + .panel-collapse > .panel-body {
+      border-top: 1px solid #ddd; }
+  .panel-group .panel-footer {
+    border-top: 0; }
+    .panel-group .panel-footer + .panel-collapse .panel-body {
+      border-bottom: 1px solid #ddd; }
 
 .panel-default {
-  border-color: #ddd;
-}
-.panel-default > .panel-heading {
-  color: #c1c1c1;
-  background-color: #484848;
-  border-color: #ddd;
-}
-.panel-default > .panel-heading + .panel-collapse > .panel-body {
-  border-top-color: #ddd;
-}
-.panel-default > .panel-heading .badge {
-  color: #484848;
-  background-color: #c1c1c1;
-}
-.panel-default > .panel-footer + .panel-collapse > .panel-body {
-  border-bottom-color: #ddd;
-}
+  border-color: #ddd; }
+  .panel-default > .panel-heading {
+    color: #c1c1c1;
+    background-color: #484848;
+    border-color: #ddd; }
+    .panel-default > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #ddd; }
+    .panel-default > .panel-heading .badge {
+      color: #484848;
+      background-color: #c1c1c1; }
+  .panel-default > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #ddd; }
 
 .panel-primary {
-  border-color: #EA7105;
-}
-.panel-primary > .panel-heading {
-  color: #fff;
-  background-color: #EA7105;
-  border-color: #EA7105;
-}
-.panel-primary > .panel-heading + .panel-collapse > .panel-body {
-  border-top-color: #EA7105;
-}
-.panel-primary > .panel-heading .badge {
-  color: #EA7105;
-  background-color: #fff;
-}
-.panel-primary > .panel-footer + .panel-collapse > .panel-body {
-  border-bottom-color: #EA7105;
-}
+  border-color: #EA7105; }
+  .panel-primary > .panel-heading {
+    color: #fff;
+    background-color: #EA7105;
+    border-color: #EA7105; }
+    .panel-primary > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #EA7105; }
+    .panel-primary > .panel-heading .badge {
+      color: #EA7105;
+      background-color: #fff; }
+  .panel-primary > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #EA7105; }
 
 .panel-success {
-  border-color: #7Ba255;
-}
-.panel-success > .panel-heading {
-  color: #7Ba255;
-  background-color: #7Ba255;
-  border-color: #7Ba255;
-}
-.panel-success > .panel-heading + .panel-collapse > .panel-body {
-  border-top-color: #7Ba255;
-}
-.panel-success > .panel-heading .badge {
-  color: #7Ba255;
-  background-color: #7Ba255;
-}
-.panel-success > .panel-footer + .panel-collapse > .panel-body {
-  border-bottom-color: #7Ba255;
-}
+  border-color: #7Ba255; }
+  .panel-success > .panel-heading {
+    color: #7Ba255;
+    background-color: #7Ba255;
+    border-color: #7Ba255; }
+    .panel-success > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #7Ba255; }
+    .panel-success > .panel-heading .badge {
+      color: #7Ba255;
+      background-color: #7Ba255; }
+  .panel-success > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #7Ba255; }
 
 .panel-info {
-  border-color: #3b488e;
-}
-.panel-info > .panel-heading {
-  color: #ffffff;
-  background-color: #4545a7;
-  border-color: #3b488e;
-}
-.panel-info > .panel-heading + .panel-collapse > .panel-body {
-  border-top-color: #3b488e;
-}
-.panel-info > .panel-heading .badge {
-  color: #4545a7;
-  background-color: #ffffff;
-}
-.panel-info > .panel-footer + .panel-collapse > .panel-body {
-  border-bottom-color: #3b488e;
-}
+  border-color: #3b488e; }
+  .panel-info > .panel-heading {
+    color: #ffffff;
+    background-color: #4545a7;
+    border-color: #3b488e; }
+    .panel-info > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #3b488e; }
+    .panel-info > .panel-heading .badge {
+      color: #4545a7;
+      background-color: #ffffff; }
+  .panel-info > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #3b488e; }
 
 .panel-warning {
-  border-color: #faebcc;
-}
-.panel-warning > .panel-heading {
-  color: #f0ad4e;
-  background-color: #fcf8e3;
-  border-color: #faebcc;
-}
-.panel-warning > .panel-heading + .panel-collapse > .panel-body {
-  border-top-color: #faebcc;
-}
-.panel-warning > .panel-heading .badge {
-  color: #fcf8e3;
-  background-color: #f0ad4e;
-}
-.panel-warning > .panel-footer + .panel-collapse > .panel-body {
-  border-bottom-color: #faebcc;
-}
+  border-color: #faebcc; }
+  .panel-warning > .panel-heading {
+    color: #f0ad4e;
+    background-color: #fcf8e3;
+    border-color: #faebcc; }
+    .panel-warning > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #faebcc; }
+    .panel-warning > .panel-heading .badge {
+      color: #fcf8e3;
+      background-color: #f0ad4e; }
+  .panel-warning > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #faebcc; }
 
 .panel-danger {
-  border-color: #F05050;
-}
-.panel-danger > .panel-heading {
-  color: #F05050;
-  background-color: #F05050;
-  border-color: #F05050;
-}
-.panel-danger > .panel-heading + .panel-collapse > .panel-body {
-  border-top-color: #F05050;
-}
-.panel-danger > .panel-heading .badge {
-  color: #F05050;
-  background-color: #F05050;
-}
-.panel-danger > .panel-footer + .panel-collapse > .panel-body {
-  border-bottom-color: #F05050;
-}
+  border-color: #F05050; }
+  .panel-danger > .panel-heading {
+    color: #F05050;
+    background-color: #F05050;
+    border-color: #F05050; }
+    .panel-danger > .panel-heading + .panel-collapse > .panel-body {
+      border-top-color: #F05050; }
+    .panel-danger > .panel-heading .badge {
+      color: #F05050;
+      background-color: #F05050; }
+  .panel-danger > .panel-footer + .panel-collapse > .panel-body {
+    border-bottom-color: #F05050; }
 
 .embed-responsive {
   position: relative;
   display: block;
   height: 0;
   padding: 0;
-  overflow: hidden;
-}
-.embed-responsive .embed-responsive-item,
-.embed-responsive iframe,
-.embed-responsive embed,
-.embed-responsive object {
-  position: absolute;
-  top: 0;
-  left: 0;
-  bottom: 0;
-  height: 100%;
-  width: 100%;
-  border: 0;
-}
-.embed-responsive.embed-responsive-16by9 {
-  padding-bottom: 56.25%;
-}
-.embed-responsive.embed-responsive-4by3 {
-  padding-bottom: 75%;
-}
+  overflow: hidden; }
+  .embed-responsive .embed-responsive-item, .embed-responsive iframe, .embed-responsive embed, .embed-responsive object {
+    position: absolute;
+    top: 0;
+    left: 0;
+    bottom: 0;
+    height: 100%;
+    width: 100%;
+    border: 0; }
+  .embed-responsive.embed-responsive-16by9 {
+    padding-bottom: 56.25%; }
+  .embed-responsive.embed-responsive-4by3 {
+    padding-bottom: 75%; }
 
 .well {
   min-height: 20px;
@@ -5965,22 +5225,18 @@ a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-g
   border: 1px solid #363636;
   border-radius: 3px;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
-}
-.well blockquote {
-  border-color: #ddd;
-  border-color: rgba(0, 0, 0, 0.15);
-}
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05); }
+  .well blockquote {
+    border-color: #ddd;
+    border-color: rgba(0, 0, 0, 0.15); }
 
 .well-lg {
   padding: 24px;
-  border-radius: 6px;
-}
+  border-radius: 6px; }
 
 .well-sm {
   padding: 9px;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 .close {
   float: right;
@@ -5990,27 +5246,23 @@ a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-g
   color: #000;
   text-shadow: 0 1px 0 #fff;
   opacity: 0.2;
-  filter: alpha(opacity=20);
-}
-.close:hover, .close:focus {
-  color: #000;
-  text-decoration: none;
-  cursor: pointer;
-  opacity: 0.5;
-  filter: alpha(opacity=50);
-}
+  filter: alpha(opacity=20); }
+  .close:hover, .close:focus {
+    color: #000;
+    text-decoration: none;
+    cursor: pointer;
+    opacity: 0.5;
+    filter: alpha(opacity=50); }
 
 button.close {
   padding: 0;
   cursor: pointer;
   background: transparent;
   border: 0;
-  -webkit-appearance: none;
-}
+  -webkit-appearance: none; }
 
 .modal-open {
-  overflow: hidden;
-}
+  overflow: hidden; }
 
 .modal {
   display: none;
@@ -6022,31 +5274,26 @@ button.close {
   left: 0;
   z-index: 1050;
   -webkit-overflow-scrolling: touch;
-  outline: 0;
-}
-.modal.fade .modal-dialog {
-  -webkit-transform: translate3d(0, -25%, 0);
-  transform: translate3d(0, -25%, 0);
-  -webkit-transition: -webkit-transform 0.3s ease-out;
-  -moz-transition: -moz-transform 0.3s ease-out;
-  -o-transition: -o-transform 0.3s ease-out;
-  transition: transform 0.3s ease-out;
-}
-.modal.in .modal-dialog {
-  -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0);
-}
+  outline: 0; }
+  .modal.fade .modal-dialog {
+    -webkit-transform: translate3d(0, -25%, 0);
+    transform: translate3d(0, -25%, 0);
+    -webkit-transition: -webkit-transform 0.3s ease-out;
+    -moz-transition: -moz-transform 0.3s ease-out;
+    -o-transition: -o-transform 0.3s ease-out;
+    transition: transform 0.3s ease-out; }
+  .modal.in .modal-dialog {
+    -webkit-transform: translate3d(0, 0, 0);
+    transform: translate3d(0, 0, 0); }
 
 .modal-open .modal {
   overflow-x: hidden;
-  overflow-y: auto;
-}
+  overflow-y: auto; }
 
 .modal-dialog {
   position: relative;
   width: auto;
-  margin: 62px 10px 10px 10px;
-}
+  margin: 62px 10px 10px 10px; }
 
 .modal-content {
   position: relative;
@@ -6057,8 +5304,7 @@ button.close {
   -webkit-box-shadow: 0 3px 9px rgba(0, 0, 0, 0.5);
   box-shadow: 0 3px 9px rgba(0, 0, 0, 0.5);
   background-clip: padding-box;
-  outline: 0;
-}
+  outline: 0; }
 
 .modal-backdrop {
   position: fixed;
@@ -6067,88 +5313,69 @@ button.close {
   bottom: 0;
   left: 0;
   z-index: 1040;
-  background-color: #000;
-}
-.modal-backdrop.fade {
-  opacity: 0;
-  filter: alpha(opacity=0);
-}
-.modal-backdrop.in {
-  opacity: 0.5;
-  filter: alpha(opacity=50);
-}
+  background-color: #000; }
+  .modal-backdrop.fade {
+    opacity: 0;
+    filter: alpha(opacity=0); }
+  .modal-backdrop.in {
+    opacity: 0.5;
+    filter: alpha(opacity=50); }
 
 .modal-header {
   padding: 15px;
   border-bottom: 1px solid #e5e5e5;
-  min-height: 16.428571429px;
-}
-
-.modal-header .close {
-  margin-top: -2px;
-}
+  min-height: 16.428571429px; }
+  .modal-header .close {
+    margin-top: -2px; }
 
 .modal-title {
   margin: 0;
-  line-height: 1.428571429;
-}
+  line-height: 1.428571429; }
 
 .modal-body {
   position: relative;
-  padding: 15px;
-}
+  padding: 15px; }
 
 .modal-footer {
   padding: 15px;
   text-align: right;
-  border-top: 1px solid #e5e5e5;
-}
-.modal-footer:before, .modal-footer:after {
-  content: " ";
-  display: table;
-}
-.modal-footer:after {
-  clear: both;
-}
-.modal-footer .btn + .btn {
-  margin-left: 5px;
-  margin-bottom: 0;
-}
-.modal-footer .btn-group .btn + .btn {
-  margin-left: -1px;
-}
-.modal-footer .btn-block + .btn-block {
-  margin-left: 0;
-}
+  border-top: 1px solid #e5e5e5; }
+  .modal-footer:before {
+    content: " ";
+    display: table; }
+  .modal-footer:after {
+    content: " ";
+    display: table;
+    clear: both; }
+  .modal-footer .btn + .btn {
+    margin-left: 5px;
+    margin-bottom: 0; }
+  .modal-footer .btn-group .btn + .btn {
+    margin-left: -1px; }
+  .modal-footer .btn-block + .btn-block {
+    margin-left: 0; }
 
 .modal-scrollbar-measure {
   position: absolute;
   top: -9999px;
   width: 50px;
   height: 50px;
-  overflow: scroll;
-}
+  overflow: scroll; }
 
 @media (min-width: 768px) {
   .modal-dialog {
     width: 600px;
-    margin: 82px auto 30px auto;
-  }
-
+    margin: 82px auto 30px auto; }
   .modal-content {
     -webkit-box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
-    box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
-  }
-
+    box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5); }
   .modal-sm {
-    width: 300px;
-  }
-}
+    width: 300px; } }
+
 @media (min-width: 992px) {
   .modal-lg {
-    width: 900px;
-  }
-}
+    width: 900px; } }
+
 .tooltip {
   position: absolute;
   z-index: 1070;
@@ -6157,28 +5384,22 @@ button.close {
   font-size: 12px;
   line-height: 1.4;
   opacity: 0;
-  filter: alpha(opacity=0);
-}
-.tooltip.in {
-  opacity: 0.9;
-  filter: alpha(opacity=90);
-}
-.tooltip.top {
-  margin-top: -3px;
-  padding: 5px 0;
-}
-.tooltip.right {
-  margin-left: 3px;
-  padding: 0 5px;
-}
-.tooltip.bottom {
-  margin-top: 3px;
-  padding: 5px 0;
-}
-.tooltip.left {
-  margin-left: -3px;
-  padding: 0 5px;
-}
+  filter: alpha(opacity=0); }
+  .tooltip.in {
+    opacity: 0.9;
+    filter: alpha(opacity=90); }
+  .tooltip.top {
+    margin-top: -3px;
+    padding: 5px 0; }
+  .tooltip.right {
+    margin-left: 3px;
+    padding: 0 5px; }
+  .tooltip.bottom {
+    margin-top: 3px;
+    padding: 5px 0; }
+  .tooltip.left {
+    margin-left: -3px;
+    padding: 0 5px; }
 
 .tooltip-inner {
   max-width: 200px;
@@ -6187,69 +5408,66 @@ button.close {
   text-align: center;
   text-decoration: none;
   background-color: #000;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 .tooltip-arrow {
   position: absolute;
   width: 0;
   height: 0;
   border-color: transparent;
-  border-style: solid;
-}
+  border-style: solid; }
 
 .tooltip.top .tooltip-arrow {
   bottom: 0;
   left: 50%;
   margin-left: -5px;
   border-width: 5px 5px 0;
-  border-top-color: #000;
-}
+  border-top-color: #000; }
+
 .tooltip.top-left .tooltip-arrow {
   bottom: 0;
   left: 5px;
   border-width: 5px 5px 0;
-  border-top-color: #000;
-}
+  border-top-color: #000; }
+
 .tooltip.top-right .tooltip-arrow {
   bottom: 0;
   right: 5px;
   border-width: 5px 5px 0;
-  border-top-color: #000;
-}
+  border-top-color: #000; }
+
 .tooltip.right .tooltip-arrow {
   top: 50%;
   left: 0;
   margin-top: -5px;
   border-width: 5px 5px 5px 0;
-  border-right-color: #000;
-}
+  border-right-color: #000; }
+
 .tooltip.left .tooltip-arrow {
   top: 50%;
   right: 0;
   margin-top: -5px;
   border-width: 5px 0 5px 5px;
-  border-left-color: #000;
-}
+  border-left-color: #000; }
+
 .tooltip.bottom .tooltip-arrow {
   top: 0;
   left: 50%;
   margin-left: -5px;
   border-width: 0 5px 5px;
-  border-bottom-color: #000;
-}
+  border-bottom-color: #000; }
+
 .tooltip.bottom-left .tooltip-arrow {
   top: 0;
   left: 5px;
   border-width: 0 5px 5px;
-  border-bottom-color: #000;
-}
+  border-bottom-color: #000; }
+
 .tooltip.bottom-right .tooltip-arrow {
   top: 0;
   right: 5px;
   border-width: 0 5px 5px;
-  border-bottom-color: #000;
-}
+  border-bottom-color: #000; }
 
 .popover {
   position: absolute;
@@ -6267,20 +5485,15 @@ button.close {
   border-radius: 6px;
   -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.2);
   box-shadow: 0 5px 10px rgba(0, 0, 0, 0.2);
-  white-space: normal;
-}
-.popover.top {
-  margin-top: -10px;
-}
-.popover.right {
-  margin-left: 10px;
-}
-.popover.bottom {
-  margin-top: 10px;
-}
-.popover.left {
-  margin-left: -10px;
-}
+  white-space: normal; }
+  .popover.top {
+    margin-top: -10px; }
+  .popover.right {
+    margin-left: 10px; }
+  .popover.bottom {
+    margin-top: 10px; }
+  .popover.left {
+    margin-left: -10px; }
 
 .popover-title {
   margin: 0;
@@ -6290,30 +5503,28 @@ button.close {
   line-height: 18px;
   background-color: #f7f7f7;
   border-bottom: 1px solid #ebebeb;
-  border-radius: 5px 5px 0 0;
-}
+  border-radius: 5px 5px 0 0; }
 
 .popover-content {
-  padding: 9px 14px;
-}
+  padding: 9px 14px; }
 
-.popover > .arrow, .popover > .arrow:after {
+.popover > .arrow {
   position: absolute;
   display: block;
   width: 0;
   height: 0;
   border-color: transparent;
   border-style: solid;
-}
-
-.popover > .arrow {
-  border-width: 11px;
-}
-
-.popover > .arrow:after {
-  border-width: 10px;
-  content: "";
-}
+  border-width: 11px; }
+  .popover > .arrow:after {
+    position: absolute;
+    display: block;
+    width: 0;
+    height: 0;
+    border-color: transparent;
+    border-style: solid;
+    border-width: 10px;
+    content: ""; }
 
 .popover.top > .arrow {
   left: 50%;
@@ -6321,115 +5532,93 @@ button.close {
   border-bottom-width: 0;
   border-top-color: #999999;
   border-top-color: rgba(0, 0, 0, 0.25);
-  bottom: -11px;
-}
-.popover.top > .arrow:after {
-  content: " ";
-  bottom: 1px;
-  margin-left: -10px;
-  border-bottom-width: 0;
-  border-top-color: #fff;
-}
+  bottom: -11px; }
+  .popover.top > .arrow:after {
+    content: " ";
+    bottom: 1px;
+    margin-left: -10px;
+    border-bottom-width: 0;
+    border-top-color: #fff; }
+
 .popover.right > .arrow {
   top: 50%;
   left: -11px;
   margin-top: -11px;
   border-left-width: 0;
   border-right-color: #999999;
-  border-right-color: rgba(0, 0, 0, 0.25);
-}
-.popover.right > .arrow:after {
-  content: " ";
-  left: 1px;
-  bottom: -10px;
-  border-left-width: 0;
-  border-right-color: #fff;
-}
+  border-right-color: rgba(0, 0, 0, 0.25); }
+  .popover.right > .arrow:after {
+    content: " ";
+    left: 1px;
+    bottom: -10px;
+    border-left-width: 0;
+    border-right-color: #fff; }
+
 .popover.bottom > .arrow {
   left: 50%;
   margin-left: -11px;
   border-top-width: 0;
   border-bottom-color: #999999;
   border-bottom-color: rgba(0, 0, 0, 0.25);
-  top: -11px;
-}
-.popover.bottom > .arrow:after {
-  content: " ";
-  top: 1px;
-  margin-left: -10px;
-  border-top-width: 0;
-  border-bottom-color: #fff;
-}
+  top: -11px; }
+  .popover.bottom > .arrow:after {
+    content: " ";
+    top: 1px;
+    margin-left: -10px;
+    border-top-width: 0;
+    border-bottom-color: #fff; }
+
 .popover.left > .arrow {
   top: 50%;
   right: -11px;
   margin-top: -11px;
   border-right-width: 0;
   border-left-color: #999999;
-  border-left-color: rgba(0, 0, 0, 0.25);
-}
-.popover.left > .arrow:after {
-  content: " ";
-  right: 1px;
-  border-right-width: 0;
-  border-left-color: #fff;
-  bottom: -10px;
-}
+  border-left-color: rgba(0, 0, 0, 0.25); }
+  .popover.left > .arrow:after {
+    content: " ";
+    right: 1px;
+    border-right-width: 0;
+    border-left-color: #fff;
+    bottom: -10px; }
 
 .carousel {
-  position: relative;
-}
+  position: relative; }
 
 .carousel-inner {
   position: relative;
   overflow: hidden;
-  width: 100%;
-}
-.carousel-inner > .item {
-  display: none;
-  position: relative;
-  -webkit-transition: 0.6s ease-in-out left;
-  -o-transition: 0.6s ease-in-out left;
-  transition: 0.6s ease-in-out left;
-}
-.carousel-inner > .item > img,
-.carousel-inner > .item > a > img {
-  display: block;
-  width: 100% \9;
-  max-width: 100%;
-  height: auto;
-  line-height: 1;
-}
-.carousel-inner > .active,
-.carousel-inner > .next,
-.carousel-inner > .prev {
-  display: block;
-}
-.carousel-inner > .active {
-  left: 0;
-}
-.carousel-inner > .next,
-.carousel-inner > .prev {
-  position: absolute;
-  top: 0;
-  width: 100%;
-}
-.carousel-inner > .next {
-  left: 100%;
-}
-.carousel-inner > .prev {
-  left: -100%;
-}
-.carousel-inner > .next.left,
-.carousel-inner > .prev.right {
-  left: 0;
-}
-.carousel-inner > .active.left {
-  left: -100%;
-}
-.carousel-inner > .active.right {
-  left: 100%;
-}
+  width: 100%; }
+  .carousel-inner > .item {
+    display: none;
+    position: relative;
+    -webkit-transition: 0.6s ease-in-out left;
+    -o-transition: 0.6s ease-in-out left;
+    transition: 0.6s ease-in-out left; }
+    .carousel-inner > .item > img, .carousel-inner > .item > a > img {
+      display: block;
+      width: 100% \9;
+      max-width: 100%;
+      height: auto;
+      line-height: 1; }
+  .carousel-inner > .active, .carousel-inner > .next, .carousel-inner > .prev {
+    display: block; }
+  .carousel-inner > .active {
+    left: 0; }
+  .carousel-inner > .next, .carousel-inner > .prev {
+    position: absolute;
+    top: 0;
+    width: 100%; }
+  .carousel-inner > .next {
+    left: 100%; }
+  .carousel-inner > .prev {
+    left: -100%; }
+  .carousel-inner > .next.left, .carousel-inner > .prev.right {
+    left: 0; }
+  .carousel-inner > .active.left {
+    left: -100%; }
+  .carousel-inner > .active.right {
+    left: 100%; }
 
 .carousel-control {
   position: absolute;
@@ -6442,63 +5631,47 @@ button.close {
   font-size: 20px;
   color: #fff;
   text-align: center;
-  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
-}
-.carousel-control.left {
-  background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
-  background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
-  background-image: linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
-  background-repeat: repeat-x;
-  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#80000000", endColorstr="#00000000", GradientType=1);
-}
-.carousel-control.right {
-  left: auto;
-  right: 0;
-  background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
-  background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
-  background-image: linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
-  background-repeat: repeat-x;
-  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#00000000", endColorstr="#80000000", GradientType=1);
-}
-.carousel-control:hover, .carousel-control:focus {
-  outline: 0;
-  color: #fff;
-  text-decoration: none;
-  opacity: 0.9;
-  filter: alpha(opacity=90);
-}
-.carousel-control .icon-prev,
-.carousel-control .icon-next,
-.carousel-control .glyphicon-chevron-left,
-.carousel-control .glyphicon-chevron-right {
-  position: absolute;
-  top: 50%;
-  z-index: 5;
-  display: inline-block;
-}
-.carousel-control .icon-prev,
-.carousel-control .glyphicon-chevron-left {
-  left: 50%;
-  margin-left: -10px;
-}
-.carousel-control .icon-next,
-.carousel-control .glyphicon-chevron-right {
-  right: 50%;
-  margin-right: -10px;
-}
-.carousel-control .icon-prev,
-.carousel-control .icon-next {
-  width: 20px;
-  height: 20px;
-  margin-top: -10px;
-  font-family: serif;
-}
-.carousel-control .icon-prev:before {
-  content: "‹";
-}
-.carousel-control .icon-next:before {
-  content: "›";
-}
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
+  .carousel-control.left {
+    background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
+    background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
+    background-image: linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
+    background-repeat: repeat-x;
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#80000000", endColorstr="#00000000", GradientType=1); }
+  .carousel-control.right {
+    left: auto;
+    right: 0;
+    background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
+    background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
+    background-image: linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
+    background-repeat: repeat-x;
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#00000000", endColorstr="#80000000", GradientType=1); }
+  .carousel-control:hover, .carousel-control:focus {
+    outline: 0;
+    color: #fff;
+    text-decoration: none;
+    opacity: 0.9;
+    filter: alpha(opacity=90); }
+  .carousel-control .icon-prev, .carousel-control .icon-next, .carousel-control .glyphicon-chevron-left, .carousel-control .glyphicon-chevron-right {
+    position: absolute;
+    top: 50%;
+    z-index: 5;
+    display: inline-block; }
+  .carousel-control .icon-prev, .carousel-control .glyphicon-chevron-left {
+    left: 50%;
+    margin-left: -10px; }
+  .carousel-control .icon-next, .carousel-control .glyphicon-chevron-right {
+    right: 50%;
+    margin-right: -10px; }
+  .carousel-control .icon-prev, .carousel-control .icon-next {
+    width: 20px;
+    height: 20px;
+    margin-top: -10px;
+    font-family: serif; }
+  .carousel-control .icon-prev:before {
+    content: "‹"; }
+  .carousel-control .icon-next:before {
+    content: "›"; }
 
 .carousel-indicators {
   position: absolute;
@@ -6509,26 +5682,23 @@ button.close {
   margin-left: -30%;
   padding-left: 0;
   list-style: none;
-  text-align: center;
-}
-.carousel-indicators li {
-  display: inline-block;
-  width: 10px;
-  height: 10px;
-  margin: 1px;
-  text-indent: -999px;
-  border: 1px solid #fff;
-  border-radius: 10px;
-  cursor: pointer;
-  background-color: #000 \9;
-  background-color: rgba(0, 0, 0, 0);
-}
-.carousel-indicators .active {
-  margin: 0;
-  width: 12px;
-  height: 12px;
-  background-color: #fff;
-}
+  text-align: center; }
+  .carousel-indicators li {
+    display: inline-block;
+    width: 10px;
+    height: 10px;
+    margin: 1px;
+    text-indent: -999px;
+    border: 1px solid #fff;
+    border-radius: 10px;
+    cursor: pointer;
+    background-color: #000 \9;
+    background-color: rgba(0, 0, 0, 0); }
+  .carousel-indicators .active {
+    margin: 0;
+    width: 12px;
+    height: 12px;
+    background-color: #fff; }
 
 .carousel-caption {
   position: absolute;
@@ -6540,354 +5710,224 @@ button.close {
   padding-bottom: 20px;
   color: #fff;
   text-align: center;
-  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
-}
-.carousel-caption .btn {
-  text-shadow: none;
-}
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
+  .carousel-caption .btn {
+    text-shadow: none; }
 
 @media screen and (min-width: 768px) {
-  .carousel-control .glyphicon-chevron-left,
-.carousel-control .glyphicon-chevron-right,
-.carousel-control .icon-prev,
-.carousel-control .icon-next {
+  .carousel-control .glyphicon-chevron-left, .carousel-control .glyphicon-chevron-right, .carousel-control .icon-prev, .carousel-control .icon-next {
     width: 30px;
     height: 30px;
     margin-top: -15px;
-    font-size: 30px;
-  }
-  .carousel-control .glyphicon-chevron-left,
-.carousel-control .icon-prev {
-    margin-left: -15px;
-  }
-  .carousel-control .glyphicon-chevron-right,
-.carousel-control .icon-next {
-    margin-right: -15px;
-  }
-
+    font-size: 30px; }
+  .carousel-control .glyphicon-chevron-left, .carousel-control .icon-prev {
+    margin-left: -15px; }
+  .carousel-control .glyphicon-chevron-right, .carousel-control .icon-next {
+    margin-right: -15px; }
   .carousel-caption {
     left: 20%;
     right: 20%;
-    padding-bottom: 30px;
-  }
-
+    padding-bottom: 30px; }
   .carousel-indicators {
-    bottom: 20px;
-  }
-}
+    bottom: 20px; } }
+
 .clearfix:before, .content-box:before, .clearfix:after, .content-box:after {
   content: " ";
-  display: table;
-}
+  display: table; }
+
 .clearfix:after, .content-box:after {
-  clear: both;
-}
+  clear: both; }
 
 .center-block {
   display: block;
   margin-left: auto;
-  margin-right: auto;
-}
+  margin-right: auto; }
 
 .pull-right {
-  float: right !important;
-}
+  float: right !important; }
 
 .pull-left {
-  float: left !important;
-}
+  float: left !important; }
 
 .hide {
-  display: none !important;
-}
+  display: none !important; }
 
 .show {
-  display: block !important;
-}
+  display: block !important; }
 
 .invisible {
-  visibility: hidden;
-}
+  visibility: hidden; }
 
 .text-hide {
   font: 0/0 a;
   color: transparent;
   text-shadow: none;
   background-color: transparent;
-  border: 0;
-}
+  border: 0; }
 
 .hidden {
   display: none !important;
-  visibility: hidden !important;
-}
+  visibility: hidden !important; }
 
 .affix {
   position: fixed;
   -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0);
-}
+  transform: translate3d(0, 0, 0); }
 
 @-ms-viewport {
-  width: device-width;
-}
-.visible-xs, .visible-sm, .visible-md, .visible-lg {
-  display: none !important;
-}
-
-.visible-xs-block,
-.visible-xs-inline,
-.visible-xs-inline-block,
-.visible-sm-block,
-.visible-sm-inline,
-.visible-sm-inline-block,
-.visible-md-block,
-.visible-md-inline,
-.visible-md-inline-block,
-.visible-lg-block,
-.visible-lg-inline,
-.visible-lg-inline-block {
-  display: none !important;
-}
+  width: device-width; }
+
+.visible-xs, .visible-sm, .visible-md, .visible-lg, .visible-xs-block, .visible-xs-inline, .visible-xs-inline-block, .visible-sm-block, .visible-sm-inline, .visible-sm-inline-block, .visible-md-block, .visible-md-inline, .visible-md-inline-block, .visible-lg-block, .visible-lg-inline, .visible-lg-inline-block, .visible-print, .visible-print-block, .visible-print-inline, .visible-print-inline-block {
+  display: none !important; }
 
 @media (max-width: 767px) {
   .visible-xs {
-    display: block !important;
-  }
-
+    display: block !important; }
   table.visible-xs {
-    display: table;
-  }
-
+    display: table; }
   tr.visible-xs {
-    display: table-row !important;
-  }
-
-  th.visible-xs,
-td.visible-xs {
-    display: table-cell !important;
-  }
-}
+    display: table-row !important; }
+  th.visible-xs, td.visible-xs {
+    display: table-cell !important; } }
+
 @media (max-width: 767px) {
   .visible-xs-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
 @media (max-width: 767px) {
   .visible-xs-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
 @media (max-width: 767px) {
   .visible-xs-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm {
-    display: block !important;
-  }
-
+    display: block !important; }
   table.visible-sm {
-    display: table;
-  }
-
+    display: table; }
   tr.visible-sm {
-    display: table-row !important;
-  }
-
-  th.visible-sm,
-td.visible-sm {
-    display: table-cell !important;
-  }
-}
+    display: table-row !important; }
+  th.visible-sm, td.visible-sm {
+    display: table-cell !important; } }
+
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md {
-    display: block !important;
-  }
-
+    display: block !important; }
   table.visible-md {
-    display: table;
-  }
-
+    display: table; }
   tr.visible-md {
-    display: table-row !important;
-  }
-
-  th.visible-md,
-td.visible-md {
-    display: table-cell !important;
-  }
-}
+    display: table-row !important; }
+  th.visible-md, td.visible-md {
+    display: table-cell !important; } }
+
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media (min-width: 1200px) {
   .visible-lg {
-    display: block !important;
-  }
-
+    display: block !important; }
   table.visible-lg {
-    display: table;
-  }
-
+    display: table; }
   tr.visible-lg {
-    display: table-row !important;
-  }
-
-  th.visible-lg,
-td.visible-lg {
-    display: table-cell !important;
-  }
-}
+    display: table-row !important; }
+  th.visible-lg, td.visible-lg {
+    display: table-cell !important; } }
+
 @media (min-width: 1200px) {
   .visible-lg-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
 @media (min-width: 1200px) {
   .visible-lg-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
 @media (min-width: 1200px) {
   .visible-lg-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media (max-width: 767px) {
   .hidden-xs, .page-side {
-    display: none !important;
-  }
-}
+    display: none !important; } }
+
 @media (min-width: 768px) and (max-width: 991px) {
   .hidden-sm {
-    display: none !important;
-  }
-}
+    display: none !important; } }
+
 /* COLLAPSE SIDEBAR @media*/
 @media (max-width: 768px), (max-height: 669px) {
   .toggle-sidebar {
-    display: none !important;
-  }
-}
+    display: none !important; } }
+
 /* COLLAPSE SIDEBAR @media END*/
 @media (min-width: 992px) and (max-width: 1199px) {
   .hidden-md {
-    display: none !important;
-  }
-}
+    display: none !important; } }
+
 @media (min-width: 1200px) {
   .hidden-lg {
-    display: none !important;
-  }
-}
-.visible-print {
-  display: none !important;
-}
+    display: none !important; } }
 
 @media print {
   .visible-print {
-    display: block !important;
-  }
-
+    display: block !important; }
   table.visible-print {
-    display: table;
-  }
-
+    display: table; }
   tr.visible-print {
-    display: table-row !important;
-  }
-
-  th.visible-print,
-td.visible-print {
-    display: table-cell !important;
-  }
-}
-.visible-print-block {
-  display: none !important;
-}
+    display: table-row !important; }
+  th.visible-print, td.visible-print {
+    display: table-cell !important; } }
+
 @media print {
   .visible-print-block {
-    display: block !important;
-  }
-}
+    display: block !important; } }
 
-.visible-print-inline {
-  display: none !important;
-}
 @media print {
   .visible-print-inline {
-    display: inline !important;
-  }
-}
+    display: inline !important; } }
 
-.visible-print-inline-block {
-  display: none !important;
-}
 @media print {
   .visible-print-inline-block {
-    display: inline-block !important;
-  }
-}
+    display: inline-block !important; } }
 
 @media print {
   .hidden-print {
-    display: none !important;
-  }
-}
+    display: none !important; } }
+
 * {
-  -webkit-font-smoothing: antialiased;
-}
+  -webkit-font-smoothing: antialiased; }
 
-html, body {
+html {
   height: 100%;
-  font-family: "SourceSansProRegular";
-}
+  font-family: "SourceSansProRegular"; }
 
 body {
+  height: 100%;
+  font-family: "SourceSansProRegular";
   touch-action: manipulation;
-  min-width: 320px;
-}
+  min-width: 320px; }
 
 .page-head {
   background: #404040;
@@ -6895,38 +5935,33 @@ body {
   left: 0;
   position: fixed;
   width: 100%;
-  z-index: 2;
-}
+  z-index: 2; }
 
 .page-content {
   height: calc(100% - 52px);
   padding-top: 52px;
   position: relative;
-  z-index: 1;
-}
-.page-content > .row {
-  height: 100%;
-}
+  z-index: 1; }
+  .page-content > .row {
+    height: 100%; }
 
 .page-content-head, .content-box-head {
   background: #232323;
   border-bottom: 1px solid rgba(217, 217, 217, 0.5);
   padding-bottom: 15px;
-  padding-top: 20px;
-}
+  padding-top: 20px; }
+
 .page-content-head .navbar-nav, .content-box-head .navbar-nav {
-  width: 100%;
-}
+  width: 100%; }
+
 .page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
   line-height: 1;
-  margin: 0;
-}
+  margin: 0; }
 
 .page-content-main {
   background: #2B2B2B;
   min-height: calc(100% - 64px);
-  padding: 15px 0 73px;
-}
+  padding: 15px 0 73px; }
 
 .page-side {
   background: #222;
@@ -6938,13 +5973,11 @@ body {
   margin-top: 52px;
   position: fixed;
   top: 0;
-  z-index: 3;
-}
+  z-index: 3; }
 
 .page-side-nav--active {
   background: #2B2B2B;
-  border-left: 3px solid #EA7105;
-}
+  border-left: 3px solid #EA7105; }
 
 .page-foot {
   background: #232323;
@@ -6954,529 +5987,446 @@ body {
   padding: 20px 0;
   position: fixed;
   width: 100%;
-  z-index: 2;
-}
+  z-index: 2; }
 
 section.page-content-main div.tab-content {
-  border-top: 1px solid #999999 !important;
-}
+  border-top: 1px solid #999999 !important; }
+
 section.page-content-main ul + div.tab-content {
-  border-top: 0px !important;
-}
+  border-top: 0px !important; }
 
 .content-box {
   background: #333;
-  border: 1px solid #E5E5E5;
-}
+  border: 1px solid #E5E5E5; }
+
 .content-box-main {
   padding-bottom: 15px;
-  padding-top: 15px;
-}
+  padding-top: 15px; }
 
 .tab-content {
   border-top: 0px;
-  padding: 0px 0;
-}
-.tab-content > .tab-content {
-  margin-bottom: 0;
-  padding: 0 15px;
-}
-.tab-content .tab-content:last-child {
-  margin-bottom: 0;
-}
+  padding: 0px 0; }
+  .tab-content > .tab-content {
+    margin-bottom: 0;
+    padding: 0 15px; }
+  .tab-content .tab-content:last-child {
+    margin-bottom: 0; }
 
-.page-content-main [class^=col-] + [class^=col-] {
-  padding-top: 20px;
-}
+.page-content-main section[class^=col-] + section[class^=col-] {
+  padding-top: 20px; }
 
 .brand-logo {
-  display: none;
-}
+  display: none; }
+
 @media (min-width: 768px) {
   .brand-logo {
-    display: inline-block;
-  }
-}
+    display: inline-block; } }
 
 .brand-icon {
-  display: inline-block;
-}
+  display: inline-block; }
+
 @media (min-width: 768px) {
   .brand-icon {
-    display: none;
-  }
-}
+    display: none; } }
 
 @media (min-width: 768px) {
   .col-sm-disable-spacer {
-    padding-top: 0 !important;
-  }
-}
+    padding-top: 0 !important; } }
 
 @media (min-width: 992px) {
   .col-md-disable-spacer {
-    padding-top: 0 !important;
-  }
-}
+    padding-top: 0 !important; } }
 
 @media (min-width: 1200px) {
   .col-lg-disable-spacer {
-    padding-top: 0 !important;
-  }
-}
+    padding-top: 0 !important; } }
 
 .page-login {
-  background: #2B2B2B;
-}
-.page-login .container {
-  min-height: 100%;
-  margin-bottom: -60px;
-}
-.page-login .container:after {
-  height: 60px;
-}
+  background: #2B2B2B; }
+  .page-login .container {
+    min-height: 100%;
+    margin-bottom: -60px; }
+    .page-login .container:after {
+      height: 60px; }
 
 .login-foot {
-  font-size: 12px;
-}
+  font-size: 12px; }
 
 .login-modal-container {
   background: #222;
   border: 1px solid #E5E5E5;
   max-width: 400px;
-  margin: 100px auto 15px auto;
-}
+  margin: 100px auto 15px auto; }
+
 .login-modal-head {
   background: #C1C1c1;
   height: 75px;
-  padding: 0 20px;
-}
+  padding: 0 20px; }
+
 .login-modal-content {
-  padding: 20px 20px 20px 20px;
-}
+  padding: 20px 20px 20px 20px; }
+
 .login-modal-foot {
   background: #2B2B2B;
   border-top: 1px solid #E5E5E5;
   height: 60px;
-  padding: 20px 20px 0 20px;
-}
-.login-modal-foot a {
-  color: #7D7D7D;
-  text-decoration: none;
-}
-.login-modal-foot a:hover {
-  color: #646464;
-  text-decoration: underline;
-}
+  padding: 20px 20px 0 20px; }
+  .login-modal-foot a {
+    color: #7D7D7D;
+    text-decoration: none; }
+    .login-modal-foot a:hover {
+      color: #646464;
+      text-decoration: underline; }
 
 @media (min-width: 768px) {
   .list-inline .btn-group-container {
-    float: right;
-  }
-}
+    float: right; } }
 
 .btn.btn-fixed {
   max-width: 174px;
-  width: 100%;
-}
+  width: 100%; }
 
 .progress-bar-placeholder {
   font-size: 12px;
   position: absolute;
   text-align: center;
   width: 100%;
-  z-index: 1;
-}
+  z-index: 1; }
 
 /* BOOTSTRAP EDIT */
 .list-group-item {
   border-left: none;
-  border-right: none;
-}
-.list-group-item.collapsed .caret {
-  border-bottom: 4px solid green;
-  border-top: 0;
-}
+  border-right: none; }
+  .list-group-item.collapsed .caret {
+    border-bottom: 4px solid green;
+    border-top: 0; }
 
 /* COLLAPSE SIDEBAR */
 main.page-content.col-lg-12 {
-  padding-left: 90px;
-}
+  padding-left: 90px; }
 
 #navigation.col-sidebar-left {
-  width:70px;
+  width: 70px;
   background-color: transparent !important;
-  overflow: hidden;
-}
-
-#navigation.col-sidebar-left > div.row {
-  height:100% !important;
-}
+  overflow: hidden; }
+  #navigation.col-sidebar-left > div.row {
+    height: 100% !important; }
+    #navigation.col-sidebar-left > div.row > nav.page-side-nav {
+      width: 70px;
+      background-color: #222222 !important;
+      height: 100% !important;
+      border-right: 1px solid #000000; }
+  #navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
+    font-size: 12px;
+    text-align: center;
+    width: 70px;
+    height: 70px;
+    padding-left: 0px;
+    padding-right: 0px;
+    padding-top: 12px;
+    border-bottom: 2px solid #lightergrey;
+    width: 70px;
+    height: 70px;
+    padding-left: 0px;
+    padding-right: 0px;
+    padding-top: 15px;
+    border-bottom: 2px solid #000000; }
+    #navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.fa, #navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.glyphicon {
+      visibility: visible;
+      font-size: 20px; }
+    #navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.__iconspacer {
+      width: 50px;
+      height: 25px;
+      padding: 0px; }
+  #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing > a.list-group-item {
+    padding-left: 10px !important;
+    font-size: 14px !important;
+    display: block !important;
+    position: absolute !important;
+    left: 70px !important; }
+  #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing > a.list-group-item {
+    padding-left: 10px !important;
+    font-size: 14px !important;
+    display: block !important;
+    position: absolute !important;
+    left: 166px !important; }
+  #navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item.active-menu-title {
+    color: #CCC !important;
+    background-color: #111 !important; }
 
-#navigation.col-sidebar-left > div.row > nav.page-side-nav {
-  width:70px;
-  background-color:#222222 !important;
-  height:100% !important;
-  border-right: 1px solid #000000;
-}
+a.list-group-item.active-menu-title.collapsed {
+  color: #CCC !important;
+  background-color: #111 !important; }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
-  font-size: 12px;
-  text-align: center;
-  width: 70px;
-  height: 70px;
-  padding-left: 0px;
-  padding-right: 0px;
-  padding-top:12px;
-  border-bottom: 2px solid #lightergrey;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.fa,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.glyphicon {
-  visibility: visible;
-  font-size:20px;
-}
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item[aria-expanded="true"] {
+  color: #CCC !important;
+  background-color: #111 !important; }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.__iconspacer {
-  width:50px;
-  height:25px;
-  padding:0px;
-}
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item[aria-expanded="true"], #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item.menu-level-3-item.active {
+  color: #CCC !important;
+  background-color: #111 !important; }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
-  width: 70px;
-  height: 70px;
-  padding-left: 0px;
-  padding-right: 0px;
-  padding-top:15px;
-  border-bottom:2px solid #000000;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing > a.list-group-item {
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
   padding-left: 10px !important;
   font-size: 14px !important;
-  display: block !important;
-  position: absolute !important;
-  left: 70px !important;
-}
+  background-color: #333333 !important;
+  opacity: 1.0; }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing > a.list-group-item {
-  padding-left: 10px !important;
-  font-size: 14px !important;
-  display: block !important;
-  position: absolute !important;
-  left: 166px !important;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item.active-menu-title, a.list-group-item.active-menu-title.collapsed,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item[aria-expanded="true"],
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item[aria-expanded="true"],
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item.menu-level-3-item.active {
-  color: #CCC!important;
-  background-color: #111 !important;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item {
   padding-left: 10px !important;
   font-size: 14px !important;
   background-color: #333333 !important;
-  opacity: 1.0;
-}
+  opacity: 1.0; }
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item {
+  padding-left: 10px !important;
+  font-size: 14px !important; }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item,
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsed > a.list-group-item {
   padding-left: 10px !important;
-  font-size: 14px !important;
-}
+  font-size: 14px !important; }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item {
-  padding: 3px 8px !important;
-}
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item {
+  padding: 3px 8px !important; }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus {
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item:hover {
   text-decoration: none !important;
-  color: #ea7105!important;
-  background-color: #111 !important;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.active-menu-title,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.collapsed:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.active-menu.collapse.in >a.list-group-item.active {
-  color: #ea7105!important;
-  background-color: #111 !important;
-}
+  color: #ea7105 !important;
+  background-color: #111 !important; }
+
+a.list-group-item:focus {
+  text-decoration: none !important;
+  color: #ea7105 !important;
+  background-color: #111 !important; }
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.active-menu-title, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:hover {
+  color: #ea7105 !important;
+  background-color: #111 !important; }
+
+a.list-group-item:focus {
+  color: #ea7105 !important;
+  background-color: #111 !important; }
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.collapsed:focus, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:focus {
+  color: #ea7105 !important;
+  background-color: #111 !important; }
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.active-menu.collapse.in > a.list-group-item.active {
+  color: #ea7105 !important;
+  background-color: #111 !important; }
 
-/* Sub Level One */
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in {
-  width:168px;
-  font-size:14px;
+  width: 168px;
+  font-size: 14px;
   z-index: 10;
   position: absolute;
   left: 70px;
-  margin-top:-70px;
-  border:1px solid #000000;
-  -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
-  -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
-  box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
-}
+  margin-top: -70px;
+  border: 1px solid #000000;
+  -webkit-box-shadow: 5px 5px 6px 0px black;
+  -moz-box-shadow: 5px 5px 6px 0px black;
+  box-shadow: 5px 5px 6px 0px black; }
+  #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in {
+    width: 168px;
+    font-size: 14px;
+    z-index: 10;
+    position: absolute;
+    left: 166px;
+    margin-top: -26px;
+    border: 1px solid #1f3a4a;
+    -webkit-box-shadow: 5px 5px 6px 0px black;
+    -moz-box-shadow: 5px 5px 6px 0px black;
+    box-shadow: 5px 5px 6px 0px black; }
+
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing {
+  display: none; }
 
+/* Sub Level One */
 /* Sub Level Two */
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in {
-  width:168px;
-  font-size:14px;
-  z-index: 10;
-  position: absolute;
-  left: 166px;
-  margin-top:-26px;
-  border:1px solid #1f3a4a;
-  -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
-  -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
-  box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 1);
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing {
-  display:none;
-}
-
 button.toggle-sidebar {
-  color:#FFF;
-  background-color:transparent;
-  font-size:14px;
-  border:none;
+  color: #FFF;
+  background-color: transparent;
+  font-size: 14px;
+  border: none;
   margin-top: 18px;
-  float:left;
-  outline:none;
-}
+  float: left;
+  outline: none; }
 
 /* COLLAPSE SIDEBAR END*/
 #navigation.collapse.in {
-  display: block !important;
-}
+  display: block !important; }
 
-.list-group-submenu .list-group-item:last-child,
-.collapse .list-group-item:last-child {
-  border-bottom: none;
-}
+.list-group-submenu .list-group-item:last-child, .collapse .list-group-item:last-child {
+  border-bottom: none; }
 
-.dropdown-menu > li > a,
-.dropdown-header {
-  padding: 3px 10px;
-}
+.dropdown-menu > li > a, .dropdown-header {
+  padding: 3px 10px; }
 
 .nav-tabs {
   margin-right: 1px;
-  border-bottom: 1px solid #999999;
-}
-
-.nav-tabs > li {
-  border-radius: 0px;
-  border-top-right-radius: 10px;
-  margin-right: 2px;
-}
-
-.nav-tabs > li > a {
-  background: #232323;
-  border-radius: 0px;
-  border-top-right-radius: 10px;
-  margin-right: 0px;
-}
-
-.nav-tabs > li > a,
-.nav-tabs > li > a:hover,
-.nav-tabs > li > a:focus {
-  border-right: 1px solid #161616;
-  border-top: 1px solid #161616;
-  border-left: 1px solid #161616;
-  border-bottom: 1px solid #999999;
-}
-
-.nav-tabs > li.active > a {
-  background: #555 !important;
-}
-
-.nav-tabs > li.active > a,
-.nav-tabs > li.active > a:hover,
-.nav-tabs > li.active > a:focus {
-  border-right: 1px solid #999999;
-  border-top: 1px solid #999999;
-  border-left: 1px solid #999999;
-}
-
-.nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
-  border-top-right-radius: 0px !important;
-  padding-left: 10px !important;
-  padding-right: 5px !important;
-}
+  border-bottom: 1px solid #999999; }
+  .nav-tabs > li {
+    border-radius: 0px;
+    border-top-right-radius: 10px;
+    margin-right: 2px; }
+    .nav-tabs > li > a {
+      background: #232323;
+      border-radius: 0px;
+      border-top-right-radius: 10px;
+      margin-right: 0px;
+      border-right: 1px solid #161616;
+      border-top: 1px solid #161616;
+      border-left: 1px solid #161616;
+      border-bottom: 1px solid #999999; }
+      .nav-tabs > li > a:hover, .nav-tabs > li > a:focus {
+        border-right: 1px solid #161616;
+        border-top: 1px solid #161616;
+        border-left: 1px solid #161616;
+        border-bottom: 1px solid #999999; }
+    .nav-tabs > li.active > a {
+      background: #555 !important;
+      border-right: 1px solid #999999;
+      border-top: 1px solid #999999;
+      border-left: 1px solid #999999; }
+      .nav-tabs > li.active > a:hover, .nav-tabs > li.active > a:focus {
+        border-right: 1px solid #999999;
+        border-top: 1px solid #999999;
+        border-left: 1px solid #999999; }
+    .nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
+      border-top-right-radius: 0px !important;
+      padding-left: 10px !important;
+      padding-right: 5px !important; }
+    .nav-tabs > li > a.visible-lg-inline-block.pull-right {
+      border-left: 0px !important;
+      padding-left: 5px !important;
+      padding-right: 10px !important; }
+  .nav-tabs.nav-justified {
+    border-right: 1px solid #E5E5E5; }
+    .nav-tabs.nav-justified > li {
+      border-bottom: 1px solid #E5E5E5;
+      border-top: 1px solid #E5E5E5;
+      border-left: 1px solid #E5E5E5;
+      border-radius: 0px;
+      background: #2B2B2B; }
+      .nav-tabs.nav-justified > li > a {
+        color: #C1C1c1;
+        font-family: "SourceSansProSemibold"; }
 
-.nav-tabs > li > a.visible-lg-inline-block.pull-right {
-  border-left: 0px !important;
-  padding-left: 5px !important;
-  padding-right: 10px !important;
-}
-
-.nav-tabs.nav-justified {
-  border-right: 1px solid #E5E5E5;
-}
-.nav-tabs.nav-justified > li {
-  border-bottom: 1px solid #E5E5E5;
-  border-top: 1px solid #E5E5E5;
-  border-left: 1px solid #E5E5E5;
-  border-radius: 0px;
-  background: #2B2B2B;
-}
-.nav-tabs.nav-justified > li > a {
-  color: #C1C1c1;
-  font-family: "SourceSansProSemibold";
-}
 @media (min-width: 768px) {
   .nav-tabs.nav-justified > li > a {
-    border-bottom: 1px solid transparent;
-  }
-}
+    border-bottom: 1px solid transparent; } }
+
 @media (max-width: 767px) {
   .nav-tabs.nav-justified > li.active > a {
-    border-right: 0 !important;
-  }
-}
+    border-right: 0 !important; } }
 
 @media (min-width: 768px) {
   > li.active + li > a {
-    border-left: 1px solid transparent;
-  }
-}
+    border-left: 1px solid transparent; } }
 
 > li:last-child > a {
-  border-right: 1px solid transparent !important;
-}
+  border-right: 1px solid transparent !important; }
+
 @media (max-width: 767px) {
   > li:last-child > a {
-    margin-bottom: 0;
-  }
-}
+    margin-bottom: 0; } }
 
 .btn .glyphicon {
-  vertical-align: -1px;
-}
+  vertical-align: -1px; }
 
 .btn-default .glyphicon {
-  color: #A1A1S1;
-}
+  color: #A1A1S1; }
 
 table {
-  width: 100%;
-}
+  width: 100%; }
 
 .table {
-  margin-bottom: 0px !important;
-}
+  margin-bottom: 0px !important; }
 
 .nav-tabs-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus {
-  border: 0px !important;
-}
+  border: 0px !important; }
 
 .table th, strong, b {
   font-family: "SourceSansProSemibold";
-  font-weight: normal;
-}
+  font-weight: normal; }
 
 .table > tbody > tr > td:last-child {
-  padding-right: 15px;
-}
+  padding-right: 15px; }
 
 /* helpers */
 .__nowrap {
-  white-space: nowrap;
-}
+  white-space: nowrap; }
 
 .__nomb {
-  margin-bottom: 0;
-}
+  margin-bottom: 0; }
 
 .__mb {
-  margin-bottom: 15px;
-}
+  margin-bottom: 15px; }
 
 .__mt {
-  margin-top: 15px;
-}
+  margin-top: 15px; }
 
 .__ml {
-  margin-left: 15px;
-}
+  margin-left: 15px; }
 
 .__mr {
-  margin-right: 15px;
-}
+  margin-right: 15px; }
 
 .__iconspacer {
-  padding-right: 10px;
-}
+  padding-right: 10px; }
 
 #mainmenu .glyphicon {
-  vertical-align: -2px;
-}
+  vertical-align: -2px; }
 
 .list-group-item {
   overflow: hidden;
-  text-overflow: ellipsis;
-}
-.list-group-item + div.collapse {
-  margin-bottom: -1px;
-}
-.list-group-item + div > a {
-  padding-left: 44px;
-}
-.list-group-item:before {
-  background: #EA7105;
-  content: "";
-  height: 42px;
-  min-height: 100%;
-  left: 0;
-  position: absolute;
-  top: 0px;
-  width: 0;
-  -webkit-transition: width 0.2s;
-  -moz-transition: width 0.2s;
-  -o-transition: width 0.2s;
-  transition: width 0.2s;
-}
+  text-overflow: ellipsis; }
+  .list-group-item + div.collapse {
+    margin-bottom: -1px; }
+  .list-group-item + div > a {
+    padding-left: 44px; }
+  .list-group-item:before {
+    background: #EA7105;
+    content: "";
+    height: 42px;
+    min-height: 100%;
+    left: 0;
+    position: absolute;
+    top: 0px;
+    width: 0;
+    -webkit-transition: width 0.2s;
+    -moz-transition: width 0.2s;
+    -o-transition: width 0.2s;
+    transition: width 0.2s; }
 
 .list-group-submenu a {
-  padding-left: 56px;
-}
+  padding-left: 56px; }
 
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #262626;
-}
+  background-color: #262626; }
+
 .active-menu-title:before, .active-menu a:before {
-  width: 3px;
-}
-.active-menu-title.active, .active-menu a.active {
-  background-color: #454545;
-}
+  width: 3px; }
+
+.active-menu-title.active {
+  background-color: #454545; }
+
+.active-menu a.active {
+  background-color: #454545; }
 
 .active-menu a:before {
-  background: #ED9A50;
-}
+  background: #ED9A50; }
 
 .alert.alert-danger {
-  color: #FFF !important;
-}
+  color: #FFF !important; }
 
 .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
-  border-radius: 0 !important;
-}
+  border-radius: 0 !important; }
 
 .navbar-brand {
-  padding: 10px 20px;
-}
+  padding: 10px 20px; }
 
 .label-opnsense {
   /* emulates btn */
@@ -7485,48 +6435,38 @@ table {
   vertical-align: middle;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px;
-}
+  border-radius: 3px; }
 
 .label-opnsense-sm {
   /* emulates btn-sm */
-  padding: 5px 10px;
-}
+  padding: 5px 10px; }
 
 .label-opnsense-xs {
   /* emulates btn-xs */
-  padding: 1px 5px;
-}
+  padding: 1px 5px; }
 
 ::-webkit-scrollbar {
-  width: 8px;
-}
+  width: 8px; }
 
 ::-webkit-scrollbar-button {
   width: 8px;
-  height: 5px;
-}
+  height: 5px; }
 
 ::-webkit-scrollbar-track {
   background: #2B2B2B;
   box-shadow: 0px 0px 0px;
-  border-radius: 0;
-}
+  border-radius: 0; }
 
 ::-webkit-scrollbar-thumb {
   background: #e5e5e5;
   border: thin solid #e5e5e5;
-  border-radius: 0px;
-}
-
-::-webkit-scrollbar-thumb:hover {
-  background: #e5e5e5;
-}
+  border-radius: 0px; }
+  ::-webkit-scrollbar-thumb:hover {
+    background: #e5e5e5; }
 
 .widgetdiv {
   padding-top: 0px !important;
-  padding-bottom: 20px;
-}
+  padding-bottom: 20px; }
 
 select {
   overflow: hidden;
@@ -7537,68 +6477,50 @@ select {
   cursor: pointer;
   background-repeat: no-repeat;
   background-position: right;
-  background-image: url(/ui/themes/opnsense/build/images/caret.png) !important;
-}
+  background-image: url(/ui/themes/opnsense/build/images/caret.png) !important; }
 
-#grid-log th[data-column-id=__timestamp__],
-#filter-log-entries th[data-column-id=__timestamp__] {
-  min-width: 3.5em;
-}
+#grid-log th[data-column-id=__timestamp__], #filter-log-entries th[data-column-id=__timestamp__] {
+  min-width: 3.5em; }
 
 @media screen and (max-width: 767px) {
   .table-responsive {
-    margin-bottom: 0;
-  }
-  .table-responsive > .table > thead > tr > th,
-.table-responsive > .table > thead > tr > td,
-.table-responsive > .table > tbody > tr > th,
-.table-responsive > .table > tbody > tr > td,
-.table-responsive > .table > tfoot > tr > th,
-.table-responsive > .table > tfoot > tr > td {
-    white-space: normal;
-  }
-}
-
-label > input[type=checkbox],
-label > input[type=radio] {
+    margin-bottom: 0; }
+    .table-responsive > .table > thead > tr > th, .table-responsive > .table > thead > tr > td {
+      white-space: normal; }
+    .table-responsive > .table > tbody > tr > th, .table-responsive > .table > tbody > tr > td {
+      white-space: normal; }
+    .table-responsive > .table > tfoot > tr > th, .table-responsive > .table > tfoot > tr > td {
+      white-space: normal; } }
+
+label > input[type=checkbox], label > input[type=radio] {
   margin-right: 0.4em;
-  float: left;
-}
+  float: left; }
 
 div[data-for*=help_for] {
-  padding-top: 0.4em;
-}
+  padding-top: 0.4em; }
 
 #log-settings label[for^=act] {
-  margin-right: 1.5em;
-}
+  margin-right: 1.5em; }
 
 #log-settings table > tbody > tr > td {
-  vertical-align: middle;
-}
+  vertical-align: middle; }
 
-#log-settings select#filterlogentries,
-#log-settings select#filterlogentriesupdateinterval {
-  width: 5em;
-}
+#log-settings select#filterlogentries, #log-settings select#filterlogentriesupdateinterval {
+  width: 5em; }
 
 #log-settings select#filterlogentriesinterfaces {
   min-width: 100%;
-  max-width: 100%;
-}
+  max-width: 100%; }
 
 /* fields in firewall schedule */
 [data-state=lightcoral] {
-  background-color: lightcoral;
-}
+  background-color: lightcoral; }
 
 [data-state=white] {
-  background-color: inherit;
-}
+  background-color: inherit; }
 
 [data-state=red] {
-  background-color: #ec6d12;
-}
+  background-color: #ec6d12; }
 
 .tokens-container {
   margin-top: 0px;
@@ -7606,221 +6528,186 @@ div[data-for*=help_for] {
 
 #ipsec #ipsec-mobile, #ipsec #ipsec-tunnel, #ipsec #ipsec-overview {
   background-color: #333333; }
+
 #ipsec .ipsec-tab {
   background-color: #555555;
   color: black; }
-#ipsec .ipsec-tab.activetab {
-  background-color: #888888;
-  color: #eeeeee; }
+  #ipsec .ipsec-tab.activetab {
+    background-color: #888888;
+    color: #eeeeee; }
+
 #tab_1 #maintabs {
-  border-bottom: 1px solid #565656;
-}
+  border-bottom: 1px solid #565656; }
 
 textarea#update_status {
   color: inherit !important;
   background-color: none !important;
   -webkit-box-shadow: none !important;
   box-shadow: none !important;
-  border: none !important;
-}
-textarea#update_status:hover {
-  color: inherit !important;
-  background-color: none !important;
-  -webkit-box-shadow: none !important;
-  box-shadow: none !important;
-  border: none !important;
-}
+  border: none !important; }
+  textarea#update_status:hover {
+    color: inherit !important;
+    background-color: none !important;
+    -webkit-box-shadow: none !important;
+    box-shadow: none !important;
+    border: none !important; }
 
 .fa-toggle-off::before {
   color: #ec6d12 !important;
-  outline: none !important;
-}
+  outline: none !important; }
 
 .fa-toggle-on::before {
-  outline: none !important;
-}
+  outline: none !important; }
 
 .fa-search, .glyphicon-search::before {
   content: "";
-  color: #FFFFFF !important;
-}
+  color: #FFFFFF !important; }
 
 .fa-times-circle::before {
-  content: "";
-}
+  content: ""; }
 
 .fa-refresh::before {
   content: "";
-  color: #FFF;
-}
+  color: #FFF; }
 
 .fa-question-circle::before {
   content: "";
   cursor: pointer;
-  color: #ec6d12;
-}
+  color: #ec6d12; }
 
 #navigation > .fa-search::before, .fa-refresh::before {
-  color: inherit !important;
-}
+  color: inherit !important; }
 
 #totals .fa-search::before {
   color: #FFF !important;
   background-color: #ec6d12;
   padding: 5px;
   border-radius: 4px;
-  border: 1px solid #5A5A5A;
-}
+  border: 1px solid #5A5A5A; }
 
 .panel-heading h3:hover {
   color: #FFFFFF;
-  text-decoration: none;
-}
+  text-decoration: none; }
 
 h3:focus {
   color: #FFFFFF;
-  text-decoration: none;
-}
+  text-decoration: none; }
+
 h3:link {
   color: #FFFFFF;
-  text-decoration: underline;
-}
+  text-decoration: underline; }
+
 h3:hover, h3:focus {
   color: #ec6d12;
-  text-decoration: underline;
-}
+  text-decoration: underline; }
 
 text.nvd3, text.nv-axislabel, text.nv-legend-text {
-  fill: #FFFFFF;
-}
+  fill: #FFFFFF; }
 
 .nvd3 .nv-axis {
-  fill: #FFFFFF;
-}
+  fill: #FFFFFF; }
 
 .nv-series-0 {
   stroke-opacity: 1;
   stroke-width: 1.5;
   fill-opacity: 0.5;
   fill: #0097ff !important;
-  stroke: #0097ff !important;
-}
+  stroke: #0097ff !important; }
 
 .nv-controlsWrap.nvd3-svg circle.nv-legend-symbol {
   stroke-width: 1 !important;
   fill: #8f8f8f !important;
-  stroke: #8f8f8f !important;
-}
+  stroke: #8f8f8f !important; }
 
 .table-condensed.table-hover {
-  border: 1px solid #515151;
-}
+  border: 1px solid #515151; }
 
 ul.TokensContainer {
   border-radius: 3px;
   -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
   -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-}
-ul.TokensContainer li.Token {
-  color: #FFFFFF !important;
-}
+  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s; }
+  ul.TokensContainer li.Token {
+    color: #FFFFFF !important; }
 
 div.Tokenize ul.TokensContainer {
   border: 1px solid #5a5a5a !important;
   background-color: #2a2a2a !important;
-  color: #FFFFFF !important;
-}
-div.Tokenize ul.TokensContainer li.TokenSearch {
-  color: #FFFFFF !important;
-}
-div.Tokenize ul.TokensContainer:hover, div.Tokenize ul.TokensContainer:focus {
-  border-color: #ec6d12 !important;
-  background-color: #2a2a2a !important;
-  -webkit-box-shadow: inset 0 1px 1px black, 0 0 8px rgba(0, 0, 0, 0.6);
-  box-shadow: inset 0 1px 1px black, 0 0 8px rgba(0, 0, 0, 0.6);
-}
+  color: #FFFFFF !important; }
+  div.Tokenize ul.TokensContainer li.TokenSearch {
+    color: #FFFFFF !important; }
+  div.Tokenize ul.TokensContainer:hover, div.Tokenize ul.TokensContainer:focus {
+    border-color: #ec6d12 !important;
+    background-color: #2a2a2a !important;
+    -webkit-box-shadow: inset 0 1px 1px black, 0 0 8px rgba(0, 0, 0, 0.6);
+    box-shadow: inset 0 1px 1px black, 0 0 8px rgba(0, 0, 0, 0.6); }
+
 div.Tokenize ul.Dropdown {
   border: 1px solid #5a5a5a !important;
   background-color: #2a2a2a !important;
-  color: #FFFFFF !important;
-}
+  color: #FFFFFF !important; }
+
 div.Tokenize ul.TokensContainer li.Token {
   background-color: #ce671c !important;
-  border: 1px solid #303030 !important;
-}
+  border: 1px solid #303030 !important; }
+
 div.Tokenize ul.TokensContainer li.Placeholder {
-  color: #505050 !important;
-}
+  color: #505050 !important; }
+
 div.Tokenize ul.TokensContainer li.Token a.Close {
-  color: #FFFFFF !important;
-}
+  color: #FFFFFF !important; }
 
 .bootgrid-table th > .column-header-anchor {
-  color: #fff !important;
-}
-.bootgrid-table th > .column-header-anchor > .icon, .bootgrid-table th > .column-header-anchor > .glyphicon {
-  color: #fff !important;
-}
+  color: #fff !important; }
+  .bootgrid-table th > .column-header-anchor > .icon, .bootgrid-table th > .column-header-anchor > .glyphicon {
+    color: #fff !important; }
+
 .bootgrid-table th:hover {
-  background-color: #4b4b4b !important;
-}
+  background-color: #4b4b4b !important; }
 
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu, .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu {
   color: #fff;
   background-color: #2a2a2a;
-  border-color: #1d1d1d;
-}
+  border-color: #1d1d1d; }
 
 .btn-group.bootstrap-select.open, .btn-group.bootstrap-select:hover {
   border-color: #323232 !important;
   color: #FFFFFF !important;
-  background-color: #2d2d2d !important;
-}
+  background-color: #2d2d2d !important; }
 
 .bootgrid-table td.loading, .bootgrid-table td.no-results {
-  background: none !important;
-}
+  background: none !important; }
 
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover, .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover, .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus, .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus {
   color: #FFF !important;
   text-decoration: none !important;
-  background-color: #ec6d12 !important;
-}
+  background-color: #ec6d12 !important; }
 
 .bootgrid-header .search .glyphicon, .bootgrid-footer .search .glyphicon, .input-group-addon {
   top: 0;
   background-color: #ec6d12 !important;
-  border: 1px solid #ec6d12 !important;
-}
+  border: 1px solid #ec6d12 !important; }
 
 .nvtooltip {
   background-color: #3c3c3c !important;
   color: black !important;
-  border: 1px solid #ff7f0e !important;
-}
+  border: 1px solid #ff7f0e !important; }
 
 .glyphicon.glyphicon-play.text-muted, .glyphicon.glyphicon-remove.text-muted, .glyphicon.glyphicon-remove-sign.text-muted, .glyphicon.glyphicon-info-sign.text-muted {
-  color: #eac80a !important;
-}
+  color: #eac80a !important; }
 
 .fa.fa-play.text-muted::before {
-  color: #eac80a !important;
-}
+  color: #eac80a !important; }
 
 #system_log-widgets.content-box {
-  border: none;
-}
+  border: none; }
 
 #chart, #chart_intf_in, #chart_intf_out, #chart_top_ports, #chart_top_sources, #traffic_graph_widget_chart_in, #traffic_graph_widget_chart_out {
   background-color: #292929;
-  border: 1px solid #515151;
-}
+  border: 1px solid #515151; }
 
 .image_invertible {
-        filter: invert(1);
-}
+  filter: invert(1); }
 
 .phase1_tr td {
-  background-color: #282828 !important;
-}
+  background-color: #282828 !important; }

From c6bd73e301b5ab49774d22b9ceeefadab83ec2fc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Oct 2023 10:28:15 +0200
Subject: [PATCH 1598/3088] net/wireguard: merge changes from core, wrap up
 next version

---
 net/wireguard/Makefile                        |  2 +-
 net/wireguard/pkg-descr                       |  5 ++
 .../Wireguard/Api/ClientController.php        | 44 ++++++++-------
 .../Wireguard/Api/GeneralController.php       | 44 ++++++++-------
 .../OPNsense/Wireguard/GeneralController.php  | 47 ++++++++--------
 .../forms/dialogEditWireguardClient.xml       | 18 +++----
 .../forms/dialogEditWireguardServer.xml       | 26 ++++-----
 .../app/models/OPNsense/Wireguard/Client.php  | 44 ++++++++-------
 .../app/models/OPNsense/Wireguard/Client.xml  | 17 ++----
 .../app/models/OPNsense/Wireguard/General.php | 48 ++++++++---------
 .../app/models/OPNsense/Wireguard/Server.php  | 44 ++++++++-------
 .../app/models/OPNsense/Wireguard/Server.xml  | 15 ++----
 .../views/OPNsense/Wireguard/diagnostics.volt | 53 +++++++++----------
 .../app/views/OPNsense/Wireguard/general.volt | 35 ++++++------
 .../www/widgets/widgets/wireguard.widget.php  |  4 +-
 15 files changed, 218 insertions(+), 228 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index ac064fec61..821184b80d 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		2.2
+PLUGIN_VERSION=		2.3
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 71b66866a0..e9f0c211ff 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,11 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+2.3
+
+* Create WireGuard devices earlier to allow of to pick up NAT rules correctly
+* Consolidate the GUI with regard to WireGuard terminology
+
 2.2
 
 * Add VHID (CARP) tracking support
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
index f8a7585611..d4f2bf4f0b 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2023 Deciso B.V.
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Wireguard\Api;
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
index e02afcadf2..b461b9f6a7 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- *    Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Wireguard\Api;
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
index 404fce6823..0683a6e8e6 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
@@ -1,30 +1,29 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 namespace OPNsense\Wireguard;
 
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
index 231e9c692a..e71c4ff5f0 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
@@ -3,25 +3,25 @@
         <id>client.enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help>This will enable or disable the client config.</help>
+        <help>This will enable or disable the peer.</help>
     </field>
     <field>
         <id>client.name</id>
         <label>Name</label>
         <type>text</type>
-        <help>Set the name for this instance.</help>
+        <help>Set the name for this peer.</help>
     </field>
     <field>
         <id>client.pubkey</id>
-        <label>Public Key</label>
+        <label>Public key</label>
         <type>text</type>
-        <help>Public key of this instance.</help>
+        <help>Public key of this peer. You can generate the key using the private key piped to "wg pubkey".</help>
     </field>
     <field>
         <id>client.psk</id>
-        <label>Shared Secret</label>
+        <label>Pre-shared key</label>
         <type>text</type>
-        <help>Shared secret (PSK) for this peer. You can generate a key using "wg genpsk" on a client with WireGuard installed.</help>
+        <help>Shared secret (PSK) for this peer. You can generate a key using "wg genpsk".</help>
     </field>
     <field>
         <id>client.tunneladdress</id>
@@ -33,19 +33,19 @@
     </field>
     <field>
         <id>client.serveraddress</id>
-        <label>Endpoint Address</label>
+        <label>Endpoint address</label>
         <type>text</type>
         <help>Set public IP address the endpoint listens to.</help>
     </field>
     <field>
         <id>client.serverport</id>
-        <label>Endpoint Port</label>
+        <label>Endpoint port</label>
         <type>text</type>
         <help>Set port the endpoint listens to.</help>
     </field>
     <field>
         <id>client.keepalive</id>
-        <label>Keepalive Interval</label>
+        <label>Keepalive interval</label>
         <type>text</type>
         <help>Set persistent keepalive interval in seconds.</help>
     </field>
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
index 8c9b757619..4c2fe27f0c 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
@@ -3,7 +3,7 @@
         <id>server.enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help>This will enable or disable the server config.</help>
+        <help>This will enable or disable the instance.</help>
     </field>
     <field>
         <id>server.name</id>
@@ -15,23 +15,23 @@
         <id>server.instance</id>
         <label>Instance</label>
         <type>info</type>
-        <help>This is the instance number to give the wg interface a unique name (wgX).</help>
+        <help>This is the instance number to give the WireGuard device a unique name (wgX).</help>
     </field>
     <field>
         <id>server.pubkey</id>
-        <label>Public Key</label>
+        <label>Public key</label>
         <type>text</type>
         <help>Public key of this instance. You can specify your own one, or a key will be generated after saving.</help>
     </field>
     <field>
         <id>server.privkey</id>
-        <label>Private Key</label>
+        <label>Private key</label>
         <type>text</type>
         <help>Private key of this instance. You can specify your own one, or a key will be generated after saving. Please keep this key safe.</help>
     </field>
     <field>
         <id>server.port</id>
-        <label>Listen Port</label>
+        <label>Listen port</label>
         <type>text</type>
         <help>Optionally set a fixed port for this instance to listen on. The standard port range starts at 51820.</help>
     </field>
@@ -40,24 +40,24 @@
         <label>MTU</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>Set the interface MTU for this interface. Leaving empty uses the MTU from main interface which is fine for most setups.</help>
+        <help>Set a specific device MTU for this instance.</help>
     </field>
     <field>
         <id>server.dns</id>
-        <label>DNS Server</label>
+        <label>DNS servers</label>
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
         <advanced>true</advanced>
-        <help>Set the interface specific DNS server.</help>
+        <help>Set specific DNS servers for this instance. Use with care.</help>
     </field>
     <field>
         <id>server.tunneladdress</id>
-        <label>Tunnel Address</label>
+        <label>Tunnel address</label>
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>List of addresses to configure on the tunnel adapter. Please use CIDR notation like 10.0.0.1/24.</help>
+        <help>List of addresses to configure on the device. Please use CIDR notation like 10.0.0.1/24.</help>
     </field>
     <field>
         <id>server.carp_depend_on</id>
@@ -70,11 +70,11 @@
         <label>Peers</label>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>List of peers for this server.</help>
+        <help>List of peers for this instance.</help>
     </field>
     <field>
         <id>server.disableroutes</id>
-        <label>Disable Routes</label>
+        <label>Disable routes</label>
         <type>checkbox</type>
         <help>This will prevent installing routes. Usually you only enable this to do own routing decisions via a local gateway and gateway rules.</help>
     </field>
@@ -83,6 +83,6 @@
         <label>Gateway</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>Set the gateway IP here when using Disable Routes feature. You also have to add this as a gateway in OPNsense.</help>
+        <help>Set the gateway IP here when using "Disable routes" feature. You also have to add this as a system gateway.</help>
     </field>
 </form>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
index b069a766d4..fbe1917bf2 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
@@ -1,26 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 namespace OPNsense\Wireguard;
 
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index 5ac335f4ac..c64e13c25a 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/wireguard/client</mount>
-    <description>Wireguard Client configuration</description>
+    <description>Wireguard peer configuration</description>
     <version>0.0.7</version>
     <items>
         <clients>
@@ -16,28 +16,19 @@
                 </name>
                 <pubkey type="Base64Field">
                     <Required>Y</Required>
-                    <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
                 </pubkey>
-                <psk type="Base64Field">
-                    <Required>N</Required>
-                    <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
-                </psk>
+                <psk type="Base64Field"/>
                 <tunneladdress type="NetworkField">
                     <FieldSeparator>,</FieldSeparator>
                     <Required>Y</Required>
                     <asList>Y</asList>
                 </tunneladdress>
-                <serveraddress type="HostnameField">
-                    <Required>N</Required>
-                </serveraddress>
-                <serverport type="PortField">
-                    <Required>N</Required>
-                </serverport>
+                <serveraddress type="HostnameField"/>
+                <serverport type="PortField"/>
                 <keepalive type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>86400</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 86400.</ValidationMessage>
-                    <Required>N</Required>
                 </keepalive>
             </client>
         </clients>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
index 6caf9eabaf..09358565a3 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
@@ -1,30 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 namespace OPNsense\Wireguard;
 
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
index 8fccdd577e..6b4c136efa 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
@@ -1,26 +1,30 @@
 <?php
 
 /*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 namespace OPNsense\Wireguard;
 
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index fe738e8af0..2dda2c0efa 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/wireguard/server</mount>
-    <description>Wireguard Server configuration</description>
+    <description>WireGuard instance configuration</description>
     <version>0.0.4</version>
     <items>
         <servers>
@@ -25,22 +25,17 @@
                     <Required>Y</Required>
                     <ValidationMessage>A private key is required</ValidationMessage>
                 </privkey>
-                <port type="PortField">
-                    <Required>N</Required>
-                </port>
+                <port type="PortField"/>
                 <mtu type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>9300</MaximumValue>
-                    <Required>N</Required>
                 </mtu>
                 <dns type="CSVListField">
-                    <Required>N</Required>
                     <mask>/^([a-fA-F0-9\.:\[\]]*?,)*([a-fA-F0-9\.:\[\]]*)$/</mask>
                     <ValidationMessage>Please use valid IPv4 or IPv6 addresses.</ValidationMessage>
                 </dns>
                 <tunneladdress type="NetworkField">
                     <FieldSeparator>,</FieldSeparator>
-                    <Required>N</Required>
                     <asList>Y</asList>
                 </tunneladdress>
                 <disableroutes type="BooleanField">
@@ -56,12 +51,9 @@
                         </check001>
                     </Constraints>
                 </disableroutes>
-                <gateway type="NetworkField">
-                    <Required>N</Required>
-                </gateway>
+                <gateway type="NetworkField"/>
                 <carp_depend_on type="VirtualIPField">
                     <type>carp</type>
-                    <Required>N</Required>
                     <key>mvc</key>
                 </carp_depend_on>
                 <peers type="ModelRelationField">
@@ -73,7 +65,6 @@
                         </template>
                     </Model>
                     <Multiple>Y</Multiple>
-                    <Required>N</Required>
                     <ValidationMessage>Choose an Peer.</ValidationMessage>
                 </peers>
             </server>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
index a8d870f839..1f812c463d 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
@@ -1,28 +1,28 @@
 {#
-    # Copyright (c) 2023 Deciso B.V.
-    # All rights reserved.
-    #
-    # Redistribution and use in source and binary forms, with or without modification,
-    # are permitted provided that the following conditions are met:
-    #
-    # 1. Redistributions of source code must retain the above copyright notice,
-    #    this list of conditions and the following disclaimer.
-    #
-    # 2. Redistributions in binary form must reproduce the above copyright notice,
-    #    this list of conditions and the following disclaimer in the documentation
-    #    and/or other materials provided with the distribution.
-    #
-    # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    # POSSIBILITY OF SUCH DAMAGE.
-    #}
+ # Copyright (c) 2023 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
    <script>
        $( document ).ready(function() {
@@ -72,7 +72,7 @@
            <!-- filter per type container -->
            <div id="type_filter_container" class="btn-group">
                <select id="type_filter"  data-title="{{ lang._('Type') }}" class="selectpicker" multiple="multiple" data-width="200px">
-                    <option value="interface">{{ lang._('Interface') }}</option>
+                    <option value="interface">{{ lang._('Instance') }}</option>
                     <option value="peer">{{ lang._('Peer') }}</option>
                </select>
            </div>
@@ -80,14 +80,13 @@
        <table id="grid-sessions" class="table table-condensed table-hover table-striped table-responsive">
            <thead>
              <tr>
-                 <th data-column-id="if" data-type="string" data-width="8em">{{ lang._('Interface') }}</th>
+                 <th data-column-id="if" data-type="string" data-width="8em">{{ lang._('Device') }}</th>
                  <th data-column-id="type" data-type="string" data-width="8em" data-visible="false">{{ lang._('Type') }}</th>
                  <th data-column-id="status" data-type="string" data-width="8em" >{{ lang._('Status') }}</th>
                  <th data-column-id="public-key" data-type="string" data-identifier="true">{{ lang._('Public key') }}</th>
                  <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                  <th data-column-id="endpoint" data-type="string">{{ lang._('Port / Endpoint') }}</th>
                  <th data-column-id="latest-handshake"  data-formatter="epoch" data-type="numeric">{{ lang._('Handshake') }}</th>
-
                  <th data-column-id="transfer-tx" data-formatter="bytes" data-type="numeric">{{ lang._('Send') }}</th>
                  <th data-column-id="transfer-rx" data-formatter="bytes" data-type="numeric">{{ lang._('Received') }}</th>
              </tr>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
index 5960b3b2ba..2647b46f18 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -1,6 +1,6 @@
 {#
- # OPNsense (c) 2014-2023 by Deciso B.V.
- # OPNsense (c) 2018 Michael Muenz <m.muenz@gmail.com>
+ # Copyright (c) 2014-2023 Deciso B.V.
+ # Copyright (c) 2018 Michael Muenz <m.muenz@gmail.com>
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -33,7 +33,7 @@
             $('.selectpicker').selectpicker('refresh');
         });
 
-        $("#grid-clients").UIBootgrid(
+        $("#grid-peers").UIBootgrid(
             {
                 'search':'/api/wireguard/client/searchClient',
                 'get':'/api/wireguard/client/getClient/',
@@ -44,7 +44,7 @@
             }
         );
 
-        $("#grid-servers").UIBootgrid(
+        $("#grid-instances").UIBootgrid(
             {
                 'search':'/api/wireguard/server/searchServer',
                 'get':'/api/wireguard/server/getServer/',
@@ -67,7 +67,7 @@
         });
 
         /**
-         * Move keypair generation button inside the server form and hook api event
+         * Move keypair generation button inside the instance form and hook api event
          */
         $("#control_label_server\\.pubkey").append($("#keygen_div").detach().show());
         $("#keygen").click(function(){
@@ -80,11 +80,12 @@
         })
     });
 </script>
+
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
-    <li><a data-toggle="tab" href="#servers">{{ lang._('Local') }}</a></li>
-    <li><a data-toggle="tab" href="#clients">{{ lang._('Endpoints') }}</a></li>
+    <li><a data-toggle="tab" href="#instances">{{ lang._('Instances') }}</a></li>
+    <li><a data-toggle="tab" href="#peers">{{ lang._('Peers') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
@@ -93,14 +94,14 @@
             {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
         </div>
     </div>
-    <div id="clients" class="tab-pane fade in">
-        <table id="grid-clients" class="table table-responsive" data-editDialog="dialogEditWireguardClient">
+    <div id="peers" class="tab-pane fade in">
+        <table id="grid-peers" class="table table-responsive" data-editDialog="dialogEditWireguardClient">
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="serveraddress" data-type="string" data-visible="true">{{ lang._('Endpoint Address') }}</th>
-                    <th data-column-id="serverport" data-type="string" data-visible="true">{{ lang._('Endpoint Port') }}</th>
+                    <th data-column-id="serveraddress" data-type="string" data-visible="true">{{ lang._('Endpoint address') }}</th>
+                    <th data-column-id="serverport" data-type="string" data-visible="true">{{ lang._('Endpoint port') }}</th>
                     <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Allowed IPs') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
@@ -118,21 +119,21 @@
             </tfoot>
         </table>
     </div>
-    <div id="servers" class="tab-pane fade in">
+    <div id="instances" class="tab-pane fade in">
         <span id="keygen_div" style="display:none" class="pull-right">
             <button id="keygen" type="button" class="btn btn-secondary" title="{{ lang._('Generate new keypair.') }}" data-toggle="tooltip">
               <i class="fa fa-fw fa-gear"></i>
             </button>
         </span>
-        <table id="grid-servers" class="table table-responsive" data-editDialog="dialogEditWireguardServer">
+        <table id="grid-instances" class="table table-responsive" data-editDialog="dialogEditWireguardServer">
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="interface" data-type="string" data-visible="true">{{ lang._('Interface') }}</th>
+                    <th data-column-id="interface" data-type="string" data-visible="true">{{ lang._('Device') }}</th>
                     <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Tunnel Address') }}</th>
                     <th data-column-id="port" data-type="string" data-visible="true">{{ lang._('Port') }}</th>
-                    <th data-column-id="peers" data-type="string" data-visible="true">{{ lang._('Endpoints') }}</th>
+                    <th data-column-id="peers" data-type="string" data-visible="true">{{ lang._('Peers') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -166,5 +167,5 @@
     </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardClient,'id':'dialogEditWireguardClient','label':lang._('Edit Endpoint')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardServer,'id':'dialogEditWireguardServer','label':lang._('Edit Local Configuration')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardClient,'id':'dialogEditWireguardClient','label':lang._('Edit peer')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardServer,'id':'dialogEditWireguardServer','label':lang._('Edit instance')])}}
diff --git a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
index 04ce75786c..a4927a8139 100644
--- a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
+++ b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
@@ -32,8 +32,8 @@
 <table class="table table-striped table-condensed" id="wg-table">
     <thead>
         <tr>
-            <th><?= gettext("Interface") ?></th>
-            <th><?= gettext("Endpoint") ?></th>
+            <th><?= gettext("Instance") ?></th>
+            <th><?= gettext("Peer") ?></th>
             <th><?= gettext("Public Key") ?></th>
             <th><?= gettext("Latest Handshake") ?></th>
         </tr>

From a076f0fbb0e4378da5a4f50da3b8304148735b13 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Oct 2023 10:30:04 +0200
Subject: [PATCH 1599/3088] net/wireguard: missed this cleanup

---
 .../src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index c64e13c25a..2d472d8381 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -11,7 +11,7 @@
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,64}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
                 </name>
                 <pubkey type="Base64Field">
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
index 2dda2c0efa..3fe0a0153c 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
@@ -11,7 +11,7 @@
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,64}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
                 </name>
                 <instance type="AutoNumberField">
@@ -31,7 +31,7 @@
                     <MaximumValue>9300</MaximumValue>
                 </mtu>
                 <dns type="CSVListField">
-                    <mask>/^([a-fA-F0-9\.:\[\]]*?,)*([a-fA-F0-9\.:\[\]]*)$/</mask>
+                    <Mask>/^([a-fA-F0-9\.:\[\]]*?,)*([a-fA-F0-9\.:\[\]]*)$/</Mask>
                     <ValidationMessage>Please use valid IPv4 or IPv6 addresses.</ValidationMessage>
                 </dns>
                 <tunneladdress type="NetworkField">

From 6c7fd0cc7b80eacfc7b786c97489d548881617ff Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Oct 2023 10:31:50 +0200
Subject: [PATCH 1600/3088] net/frr: minor change revision bump

---
 net/frr/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 5282890e65..8cdba41d58 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.36
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 1eacc53767e3ec0ac31a68473251f0fc4c7e30f0 Mon Sep 17 00:00:00 2001
From: itNGO <68963439+JSuenram@users.noreply.github.com>
Date: Tue, 10 Oct 2023 13:14:36 +0200
Subject: [PATCH 1601/3088] Update multimap.conf (#3611)

Reworked, make local whitelist by E-Mail-Adress possible....
---
 .../service/templates/OPNsense/Rspamd/multimap.conf | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/multimap.conf b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/multimap.conf
index 7875d94872..8926ee13d2 100644
--- a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/multimap.conf
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/multimap.conf
@@ -9,12 +9,21 @@ extension_blacklist {
   map = "/${LOCAL_CONFDIR}/local.d/bad_file_extensions.map";
   symbol = "FILENAME_BLACKLISTED";
   score 1000;
-}
+  }
 
 WHITELIST_SENDER_DOMAIN {
   type = "from";
   filter = "email:domain";
   map = "/${LOCAL_CONFDIR}/local.d/whitelist_sender_domains.map";
-  score = -1000
+  score = -1000;
   }
+
+local_wl_from {
+  type = "from";
+  map = "$CONFDIR/maps.d/local_wl_from.inc";
+  symbol = "LOCAL_WL_FROM";
+  description = "Whitelist map for LOCAL_WL_FROM";
+  score = -1000;
+  }
+
 {% endif %}

From c00805fd25f0c8b14dfd75d7b38827c50949dbfc Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Tue, 10 Oct 2023 14:17:00 +0300
Subject: [PATCH 1602/3088] www/nginx: add columns select button to the log
 viewer (#3411)

---
 www/nginx/src/opnsense/www/css/nginx/logs.css |  19 +++-
 .../www/js/nginx/dist/logviewer.min.js        |   2 +-
 .../www/js/nginx/src/controller/LogView.js    |  97 +++++++++++++---
 .../www/js/nginx/src/models/LogColumn.js      |   5 +
 .../js/nginx/src/templates/AccessLogLine.html |   9 --
 .../js/nginx/src/templates/ErrorLogLine.html  |   5 -
 .../www/js/nginx/src/templates/LogColumn.html |   6 +
 .../www/js/nginx/src/templates/LogLine.html   |   3 +
 .../src/templates/StreamAccessLogLine.html    |   6 -
 .../www/js/nginx/src/templates/logviewer.html | 105 +++++-------------
 10 files changed, 142 insertions(+), 115 deletions(-)
 create mode 100644 www/nginx/src/opnsense/www/js/nginx/src/models/LogColumn.js
 delete mode 100644 www/nginx/src/opnsense/www/js/nginx/src/templates/AccessLogLine.html
 delete mode 100644 www/nginx/src/opnsense/www/js/nginx/src/templates/ErrorLogLine.html
 create mode 100644 www/nginx/src/opnsense/www/js/nginx/src/templates/LogColumn.html
 create mode 100644 www/nginx/src/opnsense/www/js/nginx/src/templates/LogLine.html
 delete mode 100644 www/nginx/src/opnsense/www/js/nginx/src/templates/StreamAccessLogLine.html

diff --git a/www/nginx/src/opnsense/www/css/nginx/logs.css b/www/nginx/src/opnsense/www/css/nginx/logs.css
index a5ea942e99..9501c1b0d5 100644
--- a/www/nginx/src/opnsense/www/css/nginx/logs.css
+++ b/www/nginx/src/opnsense/www/css/nginx/logs.css
@@ -26,7 +26,11 @@
 
 thead.sticky-top th {
     position: sticky;
-    top: 80px;
+    top: 50px;
+}
+
+tr.filter > th {
+    padding: 10px 10px 10px 10px !important;
 }
 
 thead.sticky-top tr:first-child th {
@@ -38,4 +42,17 @@ tfoot.sticky-bottom th {
     bottom: 50px;
     font-weight: normal;
     font-family: inherit;
+    padding: 10px 10px 10px 10px !important;
+}
+
+td.referer, td.request_line {
+    word-break: break-all;
+}
+
+.ngx-dropdown-item {
+    cursor: pointer;
+    display: block;
+    margin: 0;
+    padding: 3px 20px;
+    white-space: nowrap;
 }
diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
index 57b3898188..9833831fb4 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/logviewer.min.js
@@ -1 +1 @@
-!function(e){var t={};function n(i){if(t[i])return t[i].exports;var l=t[i]={i:i,l:!1,exports:{}};return e[i].call(l.exports,l,l.exports,n),l.l=!0,l.exports}n.m=e,n.c=t,n.d=function(e,t,i){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:i})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var l in e)n.d(i,l,function(t){return e[t]}.bind(null,l));return i},n.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return n.d(t,"a",t),t},n.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},n.p="",n(n.s=26)}([function(e,t,n){var i=n(2),l=n(4),a=/[&<>"']/g,o=RegExp(a.source);e.exports=function(e){return(e=l(e))&&o.test(e)?e.replace(a,i):e}},function(e,t,n){var i=n(6).Symbol;e.exports=i},function(e,t,n){var i=n(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});e.exports=i},function(e,t){e.exports=function(e){return function(t){return null==e?void 0:e[t]}}},function(e,t,n){var i=n(5);e.exports=function(e){return null==e?"":i(e)}},function(e,t,n){var i=n(1),l=n(9),a=n(10),o=n(11),s=1/0,r=i?i.prototype:void 0,_=r?r.toString:void 0;e.exports=function e(t){if("string"==typeof t)return t;if(a(t))return l(t,e)+"";if(o(t))return _?_.call(t):"";var n=t+"";return"0"==n&&1/t==-s?"-0":n}},function(e,t,n){var i=n(7),l="object"==typeof self&&self&&self.Object===Object&&self,a=i||l||Function("return this")();e.exports=a},function(e,t,n){(function(t){var n="object"==typeof t&&t&&t.Object===Object&&t;e.exports=n}).call(this,n(8))},function(e,t){var n;n=function(){return this}();try{n=n||new Function("return this")()}catch(e){"object"==typeof window&&(n=window)}e.exports=n},function(e,t){e.exports=function(e,t){for(var n=-1,i=null==e?0:e.length,l=Array(i);++n<i;)l[n]=t(e[n],n,e);return l}},function(e,t){var n=Array.isArray;e.exports=n},function(e,t,n){var i=n(12),l=n(15),a="[object Symbol]";e.exports=function(e){return"symbol"==typeof e||l(e)&&i(e)==a}},function(e,t,n){var i=n(1),l=n(13),a=n(14),o="[object Null]",s="[object Undefined]",r=i?i.toStringTag:void 0;e.exports=function(e){return null==e?void 0===e?s:o:r&&r in Object(e)?l(e):a(e)}},function(e,t,n){var i=n(1),l=Object.prototype,a=l.hasOwnProperty,o=l.toString,s=i?i.toStringTag:void 0;e.exports=function(e){var t=a.call(e,s),n=e[s];try{e[s]=void 0;var i=!0}catch(e){}var l=o.call(e);return i&&(t?e[s]=n:delete e[s]),l}},function(e,t){var n=Object.prototype.toString;e.exports=function(e){return n.call(e)}},function(e,t){e.exports=function(e){return null!=e&&"object"==typeof e}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="dropdown"\n   href="#"\n   class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block"\n   role="button">\n    <b><span class="caret"></span></b>\n</a>\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-right: 0px;"><b>'+(null==(__t=_.escape(name))?"":__t)+'</b></a>\n<ul class="dropdown-menu" role="menu" id="tab_'+(null==(__t=_.escape(id))?"":__t)+'">\n    ',model.forEach(function(e){__p+='\n    <li>\n        <a data-toggle="tab"\n           class="menuEntry"\n           data-model-cid="'+(null==(__t=e.cid)?"":__t)+'"\n           data-model-uuid="'+(null==(__t=_.escape(id))?"":__t)+'"\n           data-model-fileno="'+(null==(__t=e.escape("number"))?"":__t)+'"\n           id="subtab_item_'+(null==(__t=_.escape(id))?"":__t)+"_"+(null==(__t=e.escape("number"))?"":__t)+'"\n           href="#subtab_'+(null==(__t=_.escape(id))?"":__t)+'">'+(null==(__t=e.escape("date"))?"":__t)+"</a>\n    </li>\n    "}),__p+="\n</ul>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-top-right-radius: 10px !important; padding-right: 10px !important;">\n    <b>'+(null==(__t=_.escape(name))?"":__t)+"</b>\n</a>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="username">'+(null==(__t=model.escape("username"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="size">'+(null==(__t=model.escape("size"))?"":__t)+'</td>\n<td class="referer">'+(null==(__t=model.escape("http_referer"))?"":__t)+'</td>\n<td class="user_agent">'+(null==(__t=model.escape("user_agent"))?"":__t)+'</td>\n<td class="forwarded_for">'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'</td>\n<td class="request_line">'+(null==(__t=model.escape("request_line"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="remote_ip">'+(null==(__t=model.escape("remote_ip"))?"":__t)+'</td>\n<td class="status">'+(null==(__t=model.escape("status"))?"":__t)+'</td>\n<td class="bytes_sent">'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'</td>\n<td class="bytes_received">'+(null==(__t=model.escape("bytes_received"))?"":__t)+'</td>\n<td class="session_time">'+(null==(__t=model.escape("session_time"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<td class="date">'+(null==(__t=model.escape("date"))?"":__t)+'</td>\n<td class="time">'+(null==(__t=model.escape("time"))?"":__t)+'</td>\n<td class="severity">'+(null==(__t=model.escape("severity"))?"":__t)+'</td>\n<td class="number">'+(null==(__t=model.escape("number"))?"":__t)+'</td>\n<td class="message">'+(null==(__t=model.escape("message"))?"":__t)+"</td>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj){let count=0;__p+='<table class="table table-striped">\n    <thead class="sticky-top">\n        <tr>\n            ',"errors"===log_type||"stream_errors"===log_type?(count=5,__p+="\n            <th>Date</th>\n            <th>Time</th>\n            <th>Severity</th>\n            <th>Number</th>\n            <th>Message</th>\n            "):"accesses"===log_type?(count=9,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Username</th>\n            <th>Status</th>\n            <th>Size</th>\n            <th>Referer</th>\n            <th>User Agent</th>\n            <th>Forwarded For</th>\n            <th>Request Line</th>\n            "):(count=6,__p+="\n            <th>Time</th>\n            <th>Remote IP</th>\n            <th>Status</th>\n            <th>Bytes Sent</th>\n            <th>Bytes Received</th>\n            <th>Session Time</th>\n            "),__p+='\n        </tr>\n        <tr class="filter">\n            ',"errors"===log_type||"stream_errors"===log_type?__p+='\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("date"))?"":__t)+'" name="date" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("severity"))?"":__t)+'" name="severity" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("number"))?"":__t)+'" name="number" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("message"))?"":__t)+'" name="message" /></th>\n            ':"accesses"===log_type?__p+='\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("username"))?"":__t)+'" name="username" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("size"))?"":__t)+'" name="size" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("http_referer"))?"":__t)+'" name="http_referer" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("user_agent"))?"":__t)+'" name="user_agent" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("forwarded_for"))?"":__t)+'" name="forwarded_for" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("request_line"))?"":__t)+'" name="request_line" /></th>\n            ':__p+='\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("time"))?"":__t)+'" name="time" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("remote_ip"))?"":__t)+'" name="remote_ip" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("status"))?"":__t)+'" name="status" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("bytes_sent"))?"":__t)+'" name="bytes_sent" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("bytes_received"))?"":__t)+'" name="bytes_received" /></th>\n            <th class="active"><input type="text" value="'+(null==(__t=model.escape("session_time"))?"":__t)+'" name="session_time" /></th>\n            ',__p+='\n        </tr>\n    </thead>\n    <tbody>\n    </tbody>\n    <tfoot class="sticky-bottom">\n        <tr>\n            <th class="text-nowrap active">\n                <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>\n            </th>\n            <th class="active">\n                Page <span id="currentpage">1</span>/<span id="pagecount">0</span>\n            </th>\n            <th class="active" colspan="2">\n                <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>\n                <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />\n                <datalist id="tickmarks">\n                    <option value="5" label="5">\n                    <option value="100" label="100">\n                    <option value="200" label="200">\n                    <option value="300">\n                    <option value="400">\n                    <option value="500" label="500">\n                    <option value="600">\n                    <option value="700">\n                    <option value="800">\n                    <option value="900">\n                    <option value="1000" label="1000">\n                </datalist>\n            </th>\n            <th class="active" colspan="'+(null==(__t=count-4)?"":__t)+'">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>\n        </tr>\n    </tfoot>\n</table>\n'}return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div style="text-align: center;">\n    No data available...\n</div>\n';return __p}},,,,function(e,t,n){"use strict";n.r(t);var i=Backbone.Model.extend({});var l=Backbone.Collection.extend({model:i,url:function(){return`/api/nginx/logs/${this.logType}`},initialize:function(e){this.logType=e.logType}}),a=Backbone.Model.extend({});var o=Backbone.Collection.extend({model:a,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}`},initialize:function(e){this.logType=e.logType,this.uuid=e.uuid}}),s=n(16),r=n.n(s);var _=Backbone.View.extend({tagName:"li",events:{"click .mainentry":"mainMenuClick","click .menuEntry":"menuEntryClick","click .dropdown-toggle":"menuDropdownClick"},initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logType=e.logType,this.logview=e.logview,this.render()},render:function(){this.$el.html(""),this.renderCollection()},renderCollection:function(){this.$el.addClass("dropdown"),"global"==this.model.get("id")&&(this.$el.addClass("active"),this.logview.get_log("errors","global",-1)),this.$el.html(""),this.$el.append(r()({model:this.collection,id:this.model.get("id"),name:this.model.has("server_name")?this.model.get("server_name"):"Port "+this.model.get("port")}))},mainMenuClick:function(){this.collection.models[0]&&(this.handleElementClick(this.model.get("id"),-1),$(`#tab_${this.model.get("id")} li`).removeClass("active"),$(`#subtab_item_${this.model.get("id")}_${this.collection.models[0].get("number")}`).parent().addClass("active"))},menuDropdownClick:function(e){this.collection.fetch()},menuEntryClick:function(e){this.handleElementClick(e.target.dataset.modelUuid,e.target.dataset.modelFileno)},handleElementClick:function(e,t){this.logview.get_log(this.logType,e,t)}}),c=n(17),u=n.n(c);Backbone.View.extend({tagName:"li",initialize:function(e){this.logview=e.logview,this.log_name=e.log_name,this.visible_name=e.visible_name,this.log_type=e.log_type},events:{"click .mainentry":"handleElementClick"},log_name:null,log_type:null,visible_name:null,render:function(){this.$el.html(u()({name:this.visible_name}))},handleElementClick:function(){this.logview.get_log(this.log_type,this.log_name)}});var p=Backbone.View.extend({tagName:"ul",className:"nav nav-tabs",initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logview=e.logview,this.logType=e.logType},render:function(){this.$el.attr("role","tablist"),this.$el.html(""),"global"==this.logType?this.render_global_error_tab():this.collection.forEach(e=>this.render_one_server(e))},render_one_server:function(e){const t=new o({uuid:e.get("id"),logType:this.logType}),n=new _({collection:t,model:e,logType:this.logType,logview:this.logview});this.$el.append(n.$el)},render_global_error_tab:function(){const e=new o({uuid:"global",logType:"errors"}),t=new _({collection:e,model:new Backbone.Model({server_name:"Global Error Log",id:"global"}),logType:"errors",logview:this.logview});this.$el.append(t.$el),e.fetch()}}),d=n(18),h=n.n(d),m=n(19),g=n.n(m),b=n(20),f=n.n(b),v=n(21),y=n.n(v);var w=Backbone.Model.extend({});var x=Backbone.Collection.extend({model:w,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}/${this.fileNo}/${this.page}/${this.pageSize}/${this.create_filter()}`},initialize:function(){this.logType="none",this.uuid="none",this.fileNo=-1,this.page=0,this.pageSize=0,this.filter_model=new Backbone.Model},parse:function(e){return"error"in e?[]:(this.page_count=e.pages,this.total_entries=e.total,this.displayed_entries=e.found,e.lines)},create_filter:function(){return encodeURIComponent(JSON.stringify(this.filter_model))}}),k=n(22),j=n.n(k);const T=Backbone.View.extend({tagName:"tr",initialize:function(e){this.type=e.type},render:function(){this.$el.html(this.get_template()({model:this.model}))},get_template:function(){return"accesses"===this.type?h.a:"stream_accesses"===this.type?g.a:f.a}});const C=new(Backbone.View.extend({tagName:"div",className:"content-box tab-content",events:{"keyup .filter input":"update_filter","click #paging_first":"page_first","click #paging_back":"page_back","click #refresh":"update","click #paging_forward":"page_forward","click #paging_last":"page_last","change #entrycount":"change_entry_count"},page_entry_count:100,filter_delay:-1,initialize:function(){this.collection=new x,this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.listenTo(this.collection.filter_model,"change",this.render),this.type=""},render:function(){let e=this.$("tbody");e.length<1?0!==this.collection.length?(this.$el.html(y()({log_type:this.type,model:this.collection.filter_model})),e=this.$("tbody")):this.$el.html(j.a):e.html(""),0!==this.collection.length&&null==this.current_filtered_collection&&this.collection.forEach(t=>this.render_one(e,t)),this.$("#entrycountdisplay").html(this.page_entry_count),this.$("#currentpage").html(this.current_page+1),this.$("#pagecount").html(this.collection.page_count),this.$("#totalcount").html(this.collection.total_entries),this.$("#resultcount").html(this.collection.displayed_entries),this.current_page>=this.collection.page_count-1?(this.$("#paging_last").addClass("disabled"),this.$("#paging_forward").addClass("disabled")):(this.$("#paging_last").removeClass("disabled"),this.$("#paging_forward").removeClass("disabled")),this.current_page<=0?(this.$("#paging_back").addClass("disabled"),this.$("#paging_first").addClass("disabled")):(this.$("#paging_back").removeClass("disabled"),this.$("#paging_first").removeClass("disabled"))},render_one:function(e,t){const n=new T({type:this.type,model:t});n.render(),e.append(n.$el)},get_log:function(e,t,n){this.collection.uuid=t,this.collection.logType=e,this.collection.fileNo=n,this.type=e,this.current_page=0,this.$el.html(""),this.collection.filter_model.clear(),this.update()},update:function(){this.collection.page=this.current_page,this.collection.pageSize=this.page_entry_count,this.collection.fetch()},update_filter:function(e){clearTimeout(this.filter_delay);const t=e.target;this.collection.filter_model.set(t.name,$(t).val()),this.current_page=0,this.filter_delay=setTimeout(function(e){e.update()},500,this)},page_first:function(){this.current_page=0,this.update()},page_back:function(){this.current_page>0&&(this.current_page--,this.update())},page_forward:function(){this.current_page<this.collection.page_count&&(this.current_page++,this.update())},page_last:function(){this.current_page=this.collection.page_count-1,this.update()},change_entry_count:function(e){this.page_entry_count=e.target.value,this.current_page=0,this.update()}})),S=$("#logapplication").data("log"),q=new l({logType:S}),z=new p({collection:q,logview:C,logType:S});$("#logapplication").append(z.$el).append(C.$el),"global"!=S?q.fetch():z.render()}]);
\ No newline at end of file
+!function(e){var t={};function i(n){if(t[n])return t[n].exports;var l=t[n]={i:n,l:!1,exports:{}};return e[n].call(l.exports,l,l.exports,i),l.l=!0,l.exports}i.m=e,i.c=t,i.d=function(e,t,n){i.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:n})},i.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},i.t=function(e,t){if(1&t&&(e=i(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(i.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var l in e)i.d(n,l,function(t){return e[t]}.bind(null,l));return n},i.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return i.d(t,"a",t),t},i.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},i.p="",i(i.s=25)}([function(e,t,i){var n=i(2),l=i(4),o=/[&<>"']/g,a=RegExp(o.source);e.exports=function(e){return(e=l(e))&&a.test(e)?e.replace(o,n):e}},function(e,t,i){var n=i(6).Symbol;e.exports=n},function(e,t,i){var n=i(3)({"&":"&amp;","<":"&lt;",">":"&gt;",'"':"&quot;","'":"&#39;"});e.exports=n},function(e,t){e.exports=function(e){return function(t){return null==e?void 0:e[t]}}},function(e,t,i){var n=i(5);e.exports=function(e){return null==e?"":n(e)}},function(e,t,i){var n=i(1),l=i(9),o=i(10),a=i(11),s=1/0,r=n?n.prototype:void 0,c=r?r.toString:void 0;e.exports=function e(t){if("string"==typeof t)return t;if(o(t))return l(t,e)+"";if(a(t))return c?c.call(t):"";var i=t+"";return"0"==i&&1/t==-s?"-0":i}},function(e,t,i){var n=i(7),l="object"==typeof self&&self&&self.Object===Object&&self,o=n||l||Function("return this")();e.exports=o},function(e,t,i){(function(t){var i="object"==typeof t&&t&&t.Object===Object&&t;e.exports=i}).call(this,i(8))},function(e,t){var i;i=function(){return this}();try{i=i||new Function("return this")()}catch(e){"object"==typeof window&&(i=window)}e.exports=i},function(e,t){e.exports=function(e,t){for(var i=-1,n=null==e?0:e.length,l=Array(n);++i<n;)l[i]=t(e[i],i,e);return l}},function(e,t){var i=Array.isArray;e.exports=i},function(e,t,i){var n=i(12),l=i(15),o="[object Symbol]";e.exports=function(e){return"symbol"==typeof e||l(e)&&n(e)==o}},function(e,t,i){var n=i(1),l=i(13),o=i(14),a="[object Null]",s="[object Undefined]",r=n?n.toStringTag:void 0;e.exports=function(e){return null==e?void 0===e?s:a:r&&r in Object(e)?l(e):o(e)}},function(e,t,i){var n=i(1),l=Object.prototype,o=l.hasOwnProperty,a=l.toString,s=n?n.toStringTag:void 0;e.exports=function(e){var t=o.call(e,s),i=e[s];try{e[s]=void 0;var n=!0}catch(e){}var l=a.call(e);return n&&(t?e[s]=i:delete e[s]),l}},function(e,t){var i=Object.prototype.toString;e.exports=function(e){return i.call(e)}},function(e,t){e.exports=function(e){return null!=e&&"object"==typeof e}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="dropdown"\n   href="#"\n   class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block"\n   role="button">\n    <b><span class="caret"></span></b>\n</a>\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-right: 0px;"><b>'+(null==(__t=_.escape(name))?"":__t)+'</b></a>\n<ul class="dropdown-menu" role="menu" id="tab_'+(null==(__t=_.escape(id))?"":__t)+'">\n    ',model.forEach(function(e){__p+='\n    <li>\n        <a data-toggle="tab"\n           class="menuEntry"\n           data-model-cid="'+(null==(__t=e.cid)?"":__t)+'"\n           data-model-uuid="'+(null==(__t=_.escape(id))?"":__t)+'"\n           data-model-fileno="'+(null==(__t=e.escape("number"))?"":__t)+'"\n           id="subtab_item_'+(null==(__t=_.escape(id))?"":__t)+"_"+(null==(__t=e.escape("number"))?"":__t)+'"\n           href="#subtab_'+(null==(__t=_.escape(id))?"":__t)+'">'+(null==(__t=e.escape("date"))?"":__t)+"</a>\n    </li>\n    "}),__p+="\n</ul>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='\n<a data-toggle="tab"\n   class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block mainentry"\n   style="border-top-right-radius: 10px !important; padding-right: 10px !important;">\n    <b>'+(null==(__t=_.escape(name))?"":__t)+"</b>\n</a>\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)log_fields_visible.forEach(e=>{__p+='\n<td class="'+(null==(__t=_.escape(e.id))?"":__t)+'">'+(null==(__t=model.escape(e.id))?"":__t)+"</td>\n"}),__p+="\n";return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<th class="active">\n    <div class="form-group" style="margin-bottom: unset;">\n        <label for="'+(null==(__t=_.escape(field.id))?"":__t)+'">'+(null==(__t=_.escape(field.header))?"":__t)+'</label>\n        <input type="text" class="form-control" id="'+(null==(__t=_.escape(field.id))?"":__t)+'" value="'+(null==(__t=model.escape(field.id))?"":__t)+'" name="'+(null==(__t=_.escape(field.id))?"":__t)+'" />\n    </div>\n</th>\n';return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="",__j=Array.prototype.join;function print(){__p+=__j.call(arguments,"")}with(obj)__p+='<table class="table table-striped">\n    <thead class="sticky-top">\n    </thead>\n    <tbody>\n    </tbody>\n    <tfoot class="sticky-bottom">\n        <tr>\n            <th class="text-nowrap active" colspan="100">\n                <div class="btn-group dropup"><button type="button" class="btn btn-primary dropdown-toggle" data-toggle="dropdown" aria-expanded="false"><span class="dropdown-text"><span class="icon glyphicon glyphicon-th-list"></span></span> <span class="caret"></span></button>\n                   <ul class="dropdown-menu">\n                       ',log_fields.forEach(e=>{__p+='\n                       <li><label class="ngx-dropdown-item"><input type="checkbox" class="option" value="'+(null==(__t=_.escape(e.id))?"":__t)+'" '+(null==(__t=!0===e.visible?'checked="checked"':"")?"":__t)+"/> "+(null==(__t=_.escape(e.header))?"":__t)+"</label></li>\n                       "}),__p+='\n                   </ul>\n                </div>\n                <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>\n                <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>\n                <span style="padding-left: 10px;">Page </span><span id="currentpage">1</span>/<span id="pagecount">0</span>\n                <div style="float: right; display: flex;">\n                    <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label><input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" style="width: 200px;" />\n                    <datalist id="tickmarks">\n                        <option value="5" label="5">\n                        <option value="100" label="100">\n                        <option value="200" label="200">\n                        <option value="300">\n                        <option value="400">\n                        <option value="500" label="500">\n                        <option value="600">\n                        <option value="700">\n                        <option value="800">\n                        <option value="900">\n                        <option value="1000" label="1000">\n                    </datalist>\n                </div>\n                <span style="padding-left: 10px;">Found lines: </span><span id="resultcount">0</span>/<span id="totalcount">0</span>\n            </th>\n        </tr>\n    </tfoot>\n</table>\n';return __p}},function(module,exports,__webpack_require__){var _={escape:__webpack_require__(0)};module.exports=function(obj){obj||(obj={});var __t,__p="";with(obj)__p+='<div style="text-align: center;">\n    No data available...\n</div>\n';return __p}},,,,function(e,t,i){"use strict";i.r(t);var n=Backbone.Model.extend({});var l=Backbone.Collection.extend({model:n,url:function(){return`/api/nginx/logs/${this.logType}`},initialize:function(e){this.logType=e.logType}}),o=Backbone.Model.extend({});var a=Backbone.Collection.extend({model:o,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}`},initialize:function(e){this.logType=e.logType,this.uuid=e.uuid}}),s=i(16),r=i.n(s);var c=Backbone.View.extend({tagName:"li",events:{"click .mainentry":"mainMenuClick","click .menuEntry":"menuEntryClick","click .dropdown-toggle":"menuDropdownClick"},initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logType=e.logType,this.logview=e.logview,this.render()},render:function(){this.$el.html(""),this.renderCollection()},renderCollection:function(){this.$el.addClass("dropdown"),"global"==this.model.get("id")&&(this.$el.addClass("active"),this.logview.get_log("errors","global",-1)),this.$el.html(""),this.$el.append(r()({model:this.collection,id:this.model.get("id"),name:this.model.has("server_name")?this.model.get("server_name"):"Port "+this.model.get("port")}))},mainMenuClick:function(){this.collection.models[0]&&(this.handleElementClick(this.model.get("id"),-1),$(`#tab_${this.model.get("id")} li`).removeClass("active"),$(`#subtab_item_${this.model.get("id")}_${this.collection.models[0].get("number")}`).parent().addClass("active"))},menuDropdownClick:function(e){this.collection.fetch()},menuEntryClick:function(e){this.handleElementClick(e.target.dataset.modelUuid,e.target.dataset.modelFileno)},handleElementClick:function(e,t){this.logview.get_log(this.logType,e,t)}}),d=i(17),u=i.n(d);Backbone.View.extend({tagName:"li",initialize:function(e){this.logview=e.logview,this.log_name=e.log_name,this.visible_name=e.visible_name,this.log_type=e.log_type},events:{"click .mainentry":"handleElementClick"},log_name:null,log_type:null,visible_name:null,render:function(){this.$el.html(u()({name:this.visible_name}))},handleElementClick:function(){this.logview.get_log(this.log_type,this.log_name)}});var p=Backbone.View.extend({tagName:"ul",className:"nav nav-tabs",initialize:function(e){this.listenTo(this.collection,"update",this.render),this.logview=e.logview,this.logType=e.logType},render:function(){this.$el.attr("role","tablist"),this.$el.html(""),"global"==this.logType?this.render_global_error_tab():this.collection.forEach(e=>this.render_one_server(e))},render_one_server:function(e){const t=new a({uuid:e.get("id"),logType:this.logType}),i=new c({collection:t,model:e,logType:this.logType,logview:this.logview});this.$el.append(i.$el)},render_global_error_tab:function(){const e=new a({uuid:"global",logType:"errors"}),t=new c({collection:e,model:new Backbone.Model({server_name:"Global Error Log",id:"global"}),logType:"errors",logview:this.logview});this.$el.append(t.$el),e.fetch()}}),h=i(18),g=i.n(h),b=i(19),f=i.n(b),m=i(20),v=i.n(m);var y=Backbone.Model.extend({});var w=Backbone.Collection.extend({model:y,url:function(){return`/api/nginx/logs/${this.logType}/${this.uuid}/${this.fileNo}/${this.page}/${this.pageSize}/${this.create_filter()}`},initialize:function(){this.logType="none",this.uuid="none",this.fileNo=-1,this.page=0,this.pageSize=0,this.filter_model=new Backbone.Model},parse:function(e){return"error"in e?[]:(this.page_count=e.pages,this.total_entries=e.total,this.displayed_entries=e.found,e.lines)},create_filter:function(){return encodeURIComponent(JSON.stringify(this.filter_model))}});Backbone.Model.extend({});var k=i(21),x=i.n(k);const j=Backbone.View.extend({tagName:"tr",initialize:function(e){this.type=e.type,this.log_fields_visible=e.log_fields_visible},render:function(){this.$el.html(g()({log_fields_visible:this.log_fields_visible,model:this.model}))}}),T=Backbone.View.extend({tagName:"tr",className:"filter",initialize:function(e){this.log_fields_visible=e.log_fields_visible},render:function(){this.log_fields_visible.forEach(e=>this.$el.append(f()({field:e,model:this.model})))}});const C=new(Backbone.View.extend({tagName:"div",className:"content-box tab-content",events:{"keyup .filter input":"update_filter","click #paging_first":"page_first","click #paging_back":"page_back","click #refresh":"update","click #paging_forward":"page_forward","click #paging_last":"page_last","change #entrycount":"change_entry_count","click .ngx-dropdown-item":"toggle_column"},page_entry_count:100,filter_delay:-1,initialize:function(){this.collection=new w,this.listenTo(this.collection,"sync",this.render),this.listenTo(this.collection,"update",this.render),this.listenTo(this.collection.filter_model,"change",this.render),this.type=""},render:function(){this.logFields=[];let e=this.collection.uuid,t=this.type;switch(t){case"accesses":this.logFields.push({id:"time",header:"Time"},{id:"remote_ip",header:"Remote IP"},{id:"username",header:"Username"},{id:"status",header:"Status"},{id:"size",header:"Size"},{id:"referer",header:"Referer"},{id:"user_agent",header:"User Agent"},{id:"forwarded_for",header:"Forwarded For"},{id:"request_line",header:"Request Line"});break;case"errors":case"stream_errors":this.logFields.push({id:"date",header:"Date"},{id:"time",header:"Time"},{id:"severity",header:"Severity"},{id:"number",header:"Number"},{id:"message",header:"Message"});break;default:this.logFields.push({id:"time",header:"Time"},{id:"remote_ip",header:"Remote IP"},{id:"status",header:"Status"},{id:"bytes_sent",header:"Bytes Sent"},{id:"bytes_received",header:"Bytes Rcvd"},{id:"session_time",header:"Session Time"})}this.logFields.forEach(i=>{i.visible="false"!==localStorage.getItem("visibleColumns["+t+"]["+e+"]["+i.id+"]")}),this.logFieldsVisible=_.filter(this.logFields,["visible",!0]);let i=this.$("thead");if(i.children().length<1){const e=new T({log_fields_visible:this.logFieldsVisible,model:this.collection.filter_model});e.render(),i.html(e.$el)}let n=this.$("tbody");n.length<1?0!==this.collection.length?(this.$el.html(v()({log_type:this.type,log_fields:this.logFields,log_fields_visible:this.logFieldsVisible,model:this.collection.filter_model})),n=this.$("tbody")):this.$el.html(x.a):n.html(""),0!==this.collection.length&&null==this.current_filtered_collection&&this.collection.forEach(e=>this.render_one(n,e)),this.$("#entrycountdisplay").html(this.page_entry_count),this.$("#currentpage").html(this.current_page+1),this.$("#pagecount").html(this.collection.page_count),this.$("#totalcount").html(this.collection.total_entries),this.$("#resultcount").html(this.collection.displayed_entries),this.current_page>=this.collection.page_count-1?(this.$("#paging_last").addClass("disabled"),this.$("#paging_forward").addClass("disabled")):(this.$("#paging_last").removeClass("disabled"),this.$("#paging_forward").removeClass("disabled")),this.current_page<=0?(this.$("#paging_back").addClass("disabled"),this.$("#paging_first").addClass("disabled")):(this.$("#paging_back").removeClass("disabled"),this.$("#paging_first").removeClass("disabled"))},render_one:function(e,t){const i=new j({type:this.type,log_fields_visible:this.logFieldsVisible,model:t});i.render(),e.append(i.$el)},get_log:function(e,t,i){this.collection.uuid=t,this.collection.logType=e,this.collection.fileNo=i,this.type=e,this.current_page=0,this.$el.html(""),this.collection.filter_model.clear(),this.update()},update:function(){this.collection.page=this.current_page,this.collection.pageSize=this.page_entry_count,this.collection.fetch()},update_filter:function(e){clearTimeout(this.filter_delay);const t=e.target;this.collection.filter_model.set(t.name,$(t).val()),this.current_page=0,this.filter_delay=setTimeout(function(e){e.update()},500,this)},page_first:function(){this.current_page=0,this.update()},page_back:function(){this.current_page>0&&(this.current_page--,this.update())},page_forward:function(){this.current_page<this.collection.page_count&&(this.current_page++,this.update())},page_last:function(){this.current_page=this.collection.page_count-1,this.update()},change_entry_count:function(e){this.page_entry_count=e.target.value,this.current_page=0,this.update()},toggle_column:function(e){e.stopPropagation();let t=this.collection.uuid,i=this.type,n=$(e.currentTarget).find("input").prop("value");localStorage.setItem("visibleColumns["+i+"]["+t+"]["+n+"]",!_.find(this.logFields,{id:n}).visible),this.collection.filter_model.unset(n,{silent:!0}),this.$("thead").html(""),this.update()}})),S=$("#logapplication").data("log"),F=new l({logType:S}),E=new p({collection:F,logview:C,logType:S});$("#logapplication").append(E.$el).append(C.$el),"global"!=S?F.fetch():E.render()}]);
\ No newline at end of file
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
index 01011c0a14..d00a0ccc62 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/controller/LogView.js
@@ -1,30 +1,32 @@
-import accessLogLine from '../templates/AccessLogLine.html';
-import streamAccessLogLine from '../templates/StreamAccessLogLine.html';
-import errorLogLine from '../templates/ErrorLogLine.html';
+import LogLine from '../templates/LogLine.html';
+import LogColumn from '../templates/LogColumn.html';
 import logViewer from '../templates/logviewer.html';
 import LogLinesCollection from "../models/LogLinesCollection";
+import LogColumnModel from "../models/LogColumn";
 import noDataAvailable from '../templates/noDataAvailable.html';
 
-
 const LogViewLine = Backbone.View.extend({
     tagName: 'tr',
     initialize: function (data) {
         this.type = data.type;
+        this.log_fields_visible = data.log_fields_visible;
     },
 
     render: function () {
-        this.$el.html(this.get_template()({model: this.model}));
+        this.$el.html(LogLine({log_fields_visible: this.log_fields_visible, model: this.model}));
     },
+});
 
-    get_template: function() {
-        if (this.type === 'accesses') {
-            return accessLogLine;
-        } else if (this.type === 'stream_accesses') {
-            return streamAccessLogLine;
-        } else {
-            return errorLogLine;
-        }
+const LogViewColumns = Backbone.View.extend({
+    tagName: 'tr',
+    className: 'filter',
+    initialize: function (data) {
+        this.log_fields_visible = data.log_fields_visible;
     },
+
+    render: function() {
+        this.log_fields_visible.forEach((field) => this.$el.append(LogColumn({field: field, model: this.model})));
+    }
 });
 
 const LogView = Backbone.View.extend({
@@ -39,6 +41,7 @@ const LogView = Backbone.View.extend({
         "click #paging_forward": "page_forward",
         "click #paging_last": "page_last",
         "change #entrycount": "change_entry_count",
+        "click .ngx-dropdown-item": "toggle_column",
     },
     page_entry_count: 100,
     filter_delay: -1,
@@ -52,10 +55,60 @@ const LogView = Backbone.View.extend({
     },
 
     render: function() {
+        // set logline fields
+        // all the fields are visible by default
+        // users choice is stored in browser localStorage
+        this.logFields = [];
+        let uid = this.collection.uuid;
+        let type = this.type;
+        switch (type) {
+            case 'accesses':
+                this.logFields.push({id: "time", header: "Time"},
+                                    {id: "remote_ip", header: "Remote IP"},
+                                    {id: "username", header: "Username"},
+                                    {id: "status", header: "Status"},
+                                    {id: "size", header: "Size"},
+                                    {id: "referer", header: "Referer"},
+                                    {id: "user_agent", header: "User Agent"},
+                                    {id: "forwarded_for", header: "Forwarded For"},
+                                    {id: "request_line", header: "Request Line"});
+                break;
+            case 'errors':
+            case 'stream_errors':
+                this.logFields.push({id: "date", header: "Date"},
+                                    {id: "time", header: "Time"},
+                                    {id: "severity", header: "Severity"},
+                                    {id: "number", header: "Number"},
+                                    {id: "message", header: "Message"});
+                break;
+            default:
+                // stream access
+                this.logFields.push({id: "time", header: "Time"},
+                                    {id: "remote_ip", header: "Remote IP"},
+                                    {id: "status", header: "Status"},
+                                    {id: "bytes_sent", header: "Bytes Sent"},
+                                    {id: "bytes_received", header: "Bytes Rcvd"},
+                                    {id: "session_time", header: "Session Time"});
+        }
+        this.logFields.forEach( (field) => {
+            field.visible = localStorage.getItem('visibleColumns[' + type + '][' + uid + '][' + field.id + ']') !== 'false';
+        });
+
+        this.logFieldsVisible = _.filter(this.logFields, ['visible', true]);
+        // fields are ready
+
+        // create/update column headers
+        let thead = this.$('thead');
+        if (thead.children().length < 1) {
+            const logColumns = new LogViewColumns({log_fields_visible: this.logFieldsVisible, model: this.collection.filter_model});
+            logColumns.render();
+            thead.html(logColumns.$el);
+        }
+
         let tbody = this.$('tbody');
         if (tbody.length < 1) {
             if (this.collection.length !== 0) {
-                this.$el.html(logViewer({log_type: this.type, model: this.collection.filter_model}));
+                this.$el.html(logViewer({log_type: this.type, log_fields: this.logFields, log_fields_visible: this.logFieldsVisible, model: this.collection.filter_model}));
                 tbody = this.$('tbody');
             } else {
                 this.$el.html(noDataAvailable);
@@ -99,7 +152,7 @@ const LogView = Backbone.View.extend({
     },
 
     render_one: function(parent_element, model) {
-        const logline = new LogViewLine({type: this.type, model: model});
+        const logline = new LogViewLine({type: this.type, log_fields_visible: this.logFieldsVisible, model: model});
         logline.render();
         parent_element.append(logline.$el);
     },
@@ -161,6 +214,20 @@ const LogView = Backbone.View.extend({
         this.page_entry_count = event.target.value;
         this.current_page = 0;
         this.update();
+    },
+
+    toggle_column: function (event) {
+        event.stopPropagation();
+        let uid = this.collection.uuid;
+        let type = this.type;
+        let field = $(event.currentTarget).find('input').prop('value');
+        // toggle visibility
+        localStorage.setItem('visibleColumns[' + type + '][' + uid + '][' + field + ']', !_.find(this.logFields, { 'id': field }).visible);
+        // unset filter for this column (if any) so as not to confuse the user
+        this.collection.filter_model.unset(field, {silent: true});
+        // reset table header and update data
+        this.$('thead').html('');
+        this.update();
     }
 });
 
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/models/LogColumn.js b/www/nginx/src/opnsense/www/js/nginx/src/models/LogColumn.js
new file mode 100644
index 0000000000..40e01a1556
--- /dev/null
+++ b/www/nginx/src/opnsense/www/js/nginx/src/models/LogColumn.js
@@ -0,0 +1,5 @@
+
+const LogColumnModel = Backbone.Model.extend({
+});
+
+export default LogColumnModel;
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/AccessLogLine.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/AccessLogLine.html
deleted file mode 100644
index adde3d4d7c..0000000000
--- a/www/nginx/src/opnsense/www/js/nginx/src/templates/AccessLogLine.html
+++ /dev/null
@@ -1,9 +0,0 @@
-<td class="time"><%= model.escape('time') %></td>
-<td class="remote_ip"><%= model.escape('remote_ip') %></td>
-<td class="username"><%= model.escape('username') %></td>
-<td class="status"><%= model.escape('status') %></td>
-<td class="size"><%= model.escape('size') %></td>
-<td class="referer"><%= model.escape('http_referer') %></td>
-<td class="user_agent"><%= model.escape('user_agent') %></td>
-<td class="forwarded_for"><%= model.escape('forwarded_for') %></td>
-<td class="request_line"><%= model.escape('request_line') %></td>
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/ErrorLogLine.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/ErrorLogLine.html
deleted file mode 100644
index ec99b42328..0000000000
--- a/www/nginx/src/opnsense/www/js/nginx/src/templates/ErrorLogLine.html
+++ /dev/null
@@ -1,5 +0,0 @@
-<td class="date"><%= model.escape('date') %></td>
-<td class="time"><%= model.escape('time') %></td>
-<td class="severity"><%= model.escape('severity') %></td>
-<td class="number"><%= model.escape('number') %></td>
-<td class="message"><%= model.escape('message') %></td>
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/LogColumn.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/LogColumn.html
new file mode 100644
index 0000000000..92f303ef29
--- /dev/null
+++ b/www/nginx/src/opnsense/www/js/nginx/src/templates/LogColumn.html
@@ -0,0 +1,6 @@
+<th class="active">
+    <div class="form-group" style="margin-bottom: unset;">
+        <label for="<%= _.escape(field.id) %>"><%= _.escape(field.header) %></label>
+        <input type="text" class="form-control" id="<%= _.escape(field.id) %>" value="<%= model.escape(field.id) %>" name="<%= _.escape(field.id) %>" />
+    </div>
+</th>
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/LogLine.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/LogLine.html
new file mode 100644
index 0000000000..b7b7881f41
--- /dev/null
+++ b/www/nginx/src/opnsense/www/js/nginx/src/templates/LogLine.html
@@ -0,0 +1,3 @@
+<% log_fields_visible.forEach( (field) => { %>
+<td class="<%= _.escape(field.id) %>"><%= model.escape(field.id) %></td>
+<% }) %>
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/StreamAccessLogLine.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/StreamAccessLogLine.html
deleted file mode 100644
index 54cfd87895..0000000000
--- a/www/nginx/src/opnsense/www/js/nginx/src/templates/StreamAccessLogLine.html
+++ /dev/null
@@ -1,6 +0,0 @@
-<td class="time"><%= model.escape('time') %></td>
-<td class="remote_ip"><%= model.escape('remote_ip') %></td>
-<td class="status"><%= model.escape('status') %></td>
-<td class="bytes_sent"><%= model.escape('bytes_sent') %></td>
-<td class="bytes_received"><%= model.escape('bytes_received') %></td>
-<td class="session_time"><%= model.escape('session_time') %></td>
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html b/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
index a92d60c6e1..a1b7e64321 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
+++ b/www/nginx/src/opnsense/www/js/nginx/src/templates/logviewer.html
@@ -1,93 +1,42 @@
-<% let count = 0; %><table class="table table-striped">
+<table class="table table-striped">
     <thead class="sticky-top">
-        <tr>
-            <% if (log_type === 'errors' || log_type === 'stream_errors') {
-            count = 5; %>
-            <th>Date</th>
-            <th>Time</th>
-            <th>Severity</th>
-            <th>Number</th>
-            <th>Message</th>
-            <% } else if (log_type === 'accesses') {
-            count = 9; %>
-            <th>Time</th>
-            <th>Remote IP</th>
-            <th>Username</th>
-            <th>Status</th>
-            <th>Size</th>
-            <th>Referer</th>
-            <th>User Agent</th>
-            <th>Forwarded For</th>
-            <th>Request Line</th>
-            <% } else {
-            count = 6; %>
-            <th>Time</th>
-            <th>Remote IP</th>
-            <th>Status</th>
-            <th>Bytes Sent</th>
-            <th>Bytes Received</th>
-            <th>Session Time</th>
-            <% } %>
-        </tr>
-        <tr class="filter">
-            <% if (log_type === 'errors' || log_type === 'stream_errors') { %>
-            <th class="active"><input type="text" value="<%= model.escape('date') %>" name="date" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('severity') %>" name="severity" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('number') %>" name="number" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('message') %>" name="message" /></th>
-            <% } else if (log_type === 'accesses') { %>
-            <th class="active"><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('username') %>" name="username" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('status') %>" name="status" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('size') %>" name="size" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('http_referer') %>" name="http_referer" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('user_agent') %>" name="user_agent" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('forwarded_for') %>" name="forwarded_for" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('request_line') %>" name="request_line" /></th>
-            <% } else { %>
-            <th class="active"><input type="text" value="<%= model.escape('time') %>" name="time" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('remote_ip') %>" name="remote_ip" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('status') %>" name="status" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('bytes_sent') %>" name="bytes_sent" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('bytes_received') %>" name="bytes_received" /></th>
-            <th class="active"><input type="text" value="<%= model.escape('session_time') %>" name="session_time" /></th>
-            <% } %>
-        </tr>
     </thead>
     <tbody>
     </tbody>
     <tfoot class="sticky-bottom">
         <tr>
-            <th class="text-nowrap active">
+            <th class="text-nowrap active" colspan="100">
+                <div class="btn-group dropup"><button type="button" class="btn btn-primary dropdown-toggle" data-toggle="dropdown" aria-expanded="false"><span class="dropdown-text"><span class="icon glyphicon glyphicon-th-list"></span></span> <span class="caret"></span></button>
+                   <ul class="dropdown-menu">
+                       <% log_fields.forEach( (field) => { %>
+                       <li><label class="ngx-dropdown-item"><input type="checkbox" class="option" value="<%= _.escape(field.id) %>" <%= field.visible === true ? 'checked="checked"' : '' %>/> <%= _.escape(field.header) %></label></li>
+                       <% }) %>
+                   </ul>
+                </div>
                 <button class="btn btn-primary" id="paging_first" title="First Page"><i class="fa fa-fast-backward" aria-hidden="true"></i></button>
                 <button class="btn btn-primary" id="paging_back" title="Previous Page"><i class="fa fa-step-backward" aria-hidden="true"></i></button>
                 <button class="btn btn-primary" id="refresh" title="Refresh"><i class="fa fa-refresh" aria-hidden="true"></i></button>
                 <button class="btn btn-primary" id="paging_forward" title="Next Page"><i class="fa fa-step-forward" aria-hidden="true"></i></button>
                 <button class="btn btn-primary" id="paging_last" title="Last Page"><i class="fa fa-fast-forward " aria-hidden="true"></i></button>
+                <span style="padding-left: 10px;">Page </span><span id="currentpage">1</span>/<span id="pagecount">0</span>
+                <div style="float: right; display: flex;">
+                    <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label><input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" style="width: 200px;" />
+                    <datalist id="tickmarks">
+                        <option value="5" label="5">
+                        <option value="100" label="100">
+                        <option value="200" label="200">
+                        <option value="300">
+                        <option value="400">
+                        <option value="500" label="500">
+                        <option value="600">
+                        <option value="700">
+                        <option value="800">
+                        <option value="900">
+                        <option value="1000" label="1000">
+                    </datalist>
+                </div>
+                <span style="padding-left: 10px;">Found lines: </span><span id="resultcount">0</span>/<span id="totalcount">0</span>
             </th>
-            <th class="active">
-                Page <span id="currentpage">1</span>/<span id="pagecount">0</span>
-            </th>
-            <th class="active" colspan="2">
-                <label for="entrycount"><span id="entrycountdisplay">100</span> lines per page</label>
-                <input type="range" list="tickmarks" min="5" max="1000" step="5" id="entrycount" value="100" />
-                <datalist id="tickmarks">
-                    <option value="5" label="5">
-                    <option value="100" label="100">
-                    <option value="200" label="200">
-                    <option value="300">
-                    <option value="400">
-                    <option value="500" label="500">
-                    <option value="600">
-                    <option value="700">
-                    <option value="800">
-                    <option value="900">
-                    <option value="1000" label="1000">
-                </datalist>
-            </th>
-            <th class="active" colspan="<%= count - 4 %>">Found lines: <span id="resultcount">0</span>/<span id="totalcount">0</span></th>
         </tr>
     </tfoot>
 </table>

From 863411646d36198da46600d96defcf94d737e77f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Oct 2023 13:56:48 +0200
Subject: [PATCH 1603/3088] mail/rspamd: bump

---
 mail/rspamd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index 382a18cf22..64c79a22ad 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rspamd
 PLUGIN_VERSION=		1.12
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From fb14a0e04d2f31bee69a33c325a0e96830605f41 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Oct 2023 13:57:39 +0200
Subject: [PATCH 1604/3088] www/nginx: bump

---
 www/nginx/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index eb1abd76d4..2372c0d764 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.32.1
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 2d900d4c4f40764c74a51ab66f03a782f664bcb3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Oct 2023 14:09:42 +0200
Subject: [PATCH 1605/3088] Framework: allow license override

---
 Mk/plugins.mk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 893a96a54d..d00a5f5fc7 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -44,6 +44,7 @@ PLUGIN_SCRIPTS=		+PRE_INSTALL +POST_INSTALL \
 			+PRE_DEINSTALL +POST_DEINSTALL
 
 PLUGIN_WWW?=		https://opnsense.org/
+PLUGIN_LICENSE?=	BSD2CLAUSE
 PLUGIN_TIER?=		3
 PLUGIN_REVISION?=	0
 
@@ -116,7 +117,7 @@ manifest: check
 	@echo "www: \"${PLUGIN_WWW}\""
 	@echo "prefix: \"${LOCALBASE}\""
 	@echo "licenselogic: \"single\""
-	@echo "licenses: [ \"BSD2CLAUSE\" ]"
+	@echo "licenses: [ \"${PLUGIN_LICENSE}\" ]"
 .if defined(PLUGIN_NO_ABI)
 	@echo "arch: \"${OSABIPREFIX:tl}:*:*\""
 	@echo "abi: \"${OSABIPREFIX}:*:*\""

From c9f3c7b79205bb9f98fc92e49978ee53753cd27d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Oct 2023 08:27:26 +0200
Subject: [PATCH 1606/3088] misc/theme-cicada: fix faulty dropdown style

---
 misc/theme-cicada/Makefile                    |   2 +-
 .../cicada/assets/stylesheets/main.scss       |   1 -
 .../cicada/build/css/bootstrap-select.css     | 269 +++++++++++++-----
 .../www/themes/cicada/build/css/main.css      |   1 -
 4 files changed, 194 insertions(+), 79 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 2783100d16..b223882430 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index 0d42c65b12..5e317a4565 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -5335,7 +5335,6 @@ tbody.collapse.in {
 }
 
 .dropdown-menu {
-  position: absolute;
   top: 100%;
   left: 0;
   z-index: 1000;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
index a36cc2eaaf..bbc5c29d9a 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
@@ -1,29 +1,66 @@
 /*!
- * Bootstrap-select v1.9.3 (http://silviomoreto.github.io/bootstrap-select)
+ * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
  *
- * Copyright 2013-2015 bootstrap-select
- * Licensed under MIT (https://github.com/silviomoreto/bootstrap-select/blob/master/LICENSE)
+ * Copyright 2012-2018 SnapAppointments, LLC
+ * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
  */
 
-/* set form-control on span height, which is used by liHeight to calculate height */
-span.form-control {
-  height: 34px !important;
-  padding: 6px 12px;
+select.bs-select-hidden,
+.bootstrap-select > select.bs-select-hidden,
+select.selectpicker {
+  display: none !important;
+
 }
 .bootstrap-select {
   width: 348px \0;
   /*IE9 and below*/
 }
 .bootstrap-select > .dropdown-toggle {
+  position: relative;
   width: 100%;
-  padding-right: 25px;
+
   z-index: 1;
+  text-align: right;
+  white-space: nowrap;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
+  color: #ccc;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
+.bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
+  color: rgba(0, 0, 0, 0.5);
 }
 .bootstrap-select > select {
   position: absolute !important;
   bottom: 0;
   left: 50%;
-  width: 0.11px !important;
+  display: block !important;
+  width: 0.5px !important;
   height: 100% !important;
   padding: 0 !important;
   opacity: 0 !important;
@@ -37,20 +74,24 @@ span.form-control {
   z-index: 2;
 }
 .has-error .bootstrap-select .dropdown-toggle,
-.error .bootstrap-select .dropdown-toggle {
+.error .bootstrap-select .dropdown-toggle,
+.bootstrap-select.is-invalid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
   border-color: #b94a48;
 }
+.bootstrap-select.is-valid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
+  border-color: #28a745;
+}
 .bootstrap-select.fit-width {
   width: auto !important;
 }
 .bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
   width: 348px;
 }
+.bootstrap-select > select.mobile-device:focus + .dropdown-toggle,
 .bootstrap-select .dropdown-toggle:focus {
-  color:#FFFFFF !important;
-  border:1px solid #ee7822 !important;
-  -webkit-box-shadow: inset 0 0px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
-  box-shadow: inset 0 0px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
+  outline: thin dotted #bbbbbb !important;
   outline: 5px auto -webkit-focus-ring-color !important;
   outline-offset: -2px;
 }
@@ -59,123 +100,167 @@ span.form-control {
   padding: 0;
   border: none;
 }
-.bootstrap-select.form-control:not([class*="col-"]) {
+:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
   width: 100%;
 }
 .bootstrap-select.form-control.input-group-btn {
   z-index: auto;
 }
-.bootstrap-select.btn-group:not(.input-group-btn),
-.bootstrap-select.btn-group[class*="col-"] {
+.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.bootstrap-select:not(.input-group-btn),
+.bootstrap-select[class*="col-"] {
   float: none;
   display: inline-block;
   margin-left: 0;
 }
-.bootstrap-select.btn-group.dropdown-menu-right,
-.bootstrap-select.btn-group[class*="col-"].dropdown-menu-right,
-.row .bootstrap-select.btn-group[class*="col-"].dropdown-menu-right {
+.bootstrap-select.dropdown-menu-right,
+.bootstrap-select[class*="col-"].dropdown-menu-right,
+.row .bootstrap-select[class*="col-"].dropdown-menu-right {
   float: right;
 }
-.form-inline .bootstrap-select.btn-group,
-.form-horizontal .bootstrap-select.btn-group,
-.form-group .bootstrap-select.btn-group {
+.form-inline .bootstrap-select,
+.form-horizontal .bootstrap-select,
+.form-group .bootstrap-select {
   margin-bottom: 0;
 }
-.form-group-lg .bootstrap-select.btn-group.form-control,
-.form-group-sm .bootstrap-select.btn-group.form-control {
+.form-group-lg .bootstrap-select.form-control,
+.form-group-sm .bootstrap-select.form-control {
   padding: 0;
 }
-.form-inline .bootstrap-select.btn-group .form-control {
+.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
+.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
+  height: 100%;
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle,
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle {
+  padding: 0.25rem 0.5rem;
+}
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  padding: 0.5rem 1rem;
+}
+.form-inline .bootstrap-select .form-control {
   width: 100%;
 }
-.bootstrap-select.btn-group.disabled,
-.bootstrap-select.btn-group > .disabled {
+.bootstrap-select.disabled,
+.bootstrap-select > .disabled {
   cursor: not-allowed;
 }
-.bootstrap-select.btn-group.disabled:focus,
-.bootstrap-select.btn-group > .disabled:focus {
+.bootstrap-select.disabled:focus,
+.bootstrap-select > .disabled:focus {
   outline: none !important;
 }
-.bootstrap-select.btn-group.bs-container {
+.bootstrap-select.bs-container {
   position: absolute;
+  top: 0;
+  left: 0;
+  height: 0 !important;
+  padding: 0 !important;
 }
-.bootstrap-select.btn-group.bs-container .dropdown-menu {
+.bootstrap-select.bs-container .dropdown-menu {
   z-index: 1060;
 }
-.bootstrap-select.btn-group .dropdown-toggle .filter-option {
+.bootstrap-select .dropdown-toggle:before {
+  content: '';
   display: inline-block;
-  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .filter-option {
+  position: absolute;
+  top: 0;
+  left: 0;
+  padding-top: inherit;
+  padding-right: inherit;
+  padding-bottom: inherit;
+  padding-left: inherit;
+  height: 100%;
   width: 100%;
   text-align: left;
 }
-.bootstrap-select.btn-group .dropdown-toggle .caret {
+.bootstrap-select .dropdown-toggle .filter-option-inner {
+  padding-right: inherit;
+}
+.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
+  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .caret {
   position: absolute;
   top: 50%;
   right: 12px;
   margin-top: -2px;
   vertical-align: middle;
 }
-.bootstrap-select.btn-group[class*="col-"] .dropdown-toggle {
+.input-group .bootstrap-select.form-control .dropdown-toggle {
+  border-radius: inherit;
+}
+.bootstrap-select[class*="col-"] .dropdown-toggle {
   width: 100%;
 }
-.bootstrap-select.btn-group .dropdown-menu {
-  border-color:#1d1d1d !important;
-  -webkit-box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
-  box-shadow: inset 0 1px 1px rgb(0, 0, 0), 0 0 8px rgba(0, 0, 0, 0.6);
+.bootstrap-select .dropdown-menu {
   min-width: 100%;
   -webkit-box-sizing: border-box;
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
-.bootstrap-select.btn-group .dropdown-menu.inner {
+.bootstrap-select .dropdown-menu > .inner:focus {
+  outline: none !important;
+}
+.bootstrap-select .dropdown-menu.inner {
   position: static;
   float: none;
   border: 0;
   padding: 0;
   margin: 0;
   border-radius: 0;
-  min-width: 50px;
   -webkit-box-shadow: none;
           box-shadow: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li {
+.bootstrap-select .dropdown-menu li {
   position: relative;
 }
-.bootstrap-select.btn-group .dropdown-menu li.active small {
-  color: #fff;
+.bootstrap-select .dropdown-menu li.active small {
+  color: rgba(255, 255, 255, 0.5) !important;
 }
-.bootstrap-select.btn-group .dropdown-menu li.disabled a {
+.bootstrap-select .dropdown-menu li.disabled a {
   cursor: not-allowed;
 }
-.bootstrap-select.btn-group .dropdown-menu li a {
+.bootstrap-select .dropdown-menu li a {
   cursor: pointer;
   -webkit-user-select: none;
-  -moz-user-select: none;
-  -ms-user-select: none;
-  user-select: none;
+     -moz-user-select: none;
+      -ms-user-select: none;
+          user-select: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li a.opt {
+.bootstrap-select .dropdown-menu li a.opt {
   position: relative;
   padding-left: 2.25em;
 }
-.bootstrap-select.btn-group .dropdown-menu li a span.check-mark {
+.bootstrap-select .dropdown-menu li a span.check-mark {
   display: none;
 }
-.bootstrap-select.btn-group .dropdown-menu li a span.text {
+.bootstrap-select .dropdown-menu li a span.text {
   display: inline-block;
 }
-.bootstrap-select.btn-group .dropdown-menu li small {
+.bootstrap-select .dropdown-menu li small {
   padding-left: 0.5em;
 }
-.bootstrap-select.btn-group .dropdown-menu .notify {
+.bootstrap-select .dropdown-menu .notify {
   position: absolute;
   bottom: 5px;
   width: 96%;
   margin: 0 2%;
   min-height: 26px;
   padding: 3px 5px;
-  background: #f5f5f5;
-  border: 1px solid #e3e3e3;
+  background: #151515;
+  border: 1px solid #232323;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
           box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
   pointer-events: none;
@@ -184,33 +269,52 @@ span.form-control {
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
-.bootstrap-select.btn-group .no-results {
+.bootstrap-select .no-results {
   padding: 3px;
-  background: #f5f5f5;
+  background: #151515;
   margin: 0 5px;
   white-space: nowrap;
 }
-.bootstrap-select.btn-group.fit-width .dropdown-toggle .filter-option {
+.bootstrap-select.fit-width .dropdown-toggle .filter-option {
   position: static;
+  display: inline;
+  padding: 0;
+}
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
+  display: inline;
 }
-.bootstrap-select.btn-group.fit-width .dropdown-toggle .caret {
+.bootstrap-select.fit-width .dropdown-toggle .caret {
   position: static;
   top: auto;
   margin-top: -1px;
 }
-.bootstrap-select.btn-group.show-tick .dropdown-menu li.selected a span.check-mark {
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
   position: absolute;
   display: inline-block;
   right: 15px;
-  margin-top: 5px;
+  top: 5px;
 }
-.bootstrap-select.btn-group.show-tick .dropdown-menu li a span.text {
+.bootstrap-select.show-tick .dropdown-menu li a span.text {
   margin-right: 34px;
 }
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle {
+.bootstrap-select .bs-ok-default:after {
+  content: '';
+  display: block;
+  width: 0.5em;
+  height: 1em;
+  border-style: solid;
+  border-width: 0 0.26em 0.26em 0;
+  -webkit-transform: rotate(45deg);
+      -ms-transform: rotate(45deg);
+       -o-transform: rotate(45deg);
+          transform: rotate(45deg);
+}
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
   z-index: 1061;
 }
-.bootstrap-select.show-menu-arrow .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
   content: '';
   border-left: 7px solid transparent;
   border-right: 7px solid transparent;
@@ -220,7 +324,7 @@ span.form-control {
   left: 9px;
   display: none;
 }
-.bootstrap-select.show-menu-arrow .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
   content: '';
   border-left: 6px solid transparent;
   border-right: 6px solid transparent;
@@ -230,28 +334,30 @@ span.form-control {
   left: 10px;
   display: none;
 }
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
   bottom: auto;
-  top: -3px;
-  border-top: 7px solid rgba(204, 204, 204, 0.2);
+  top: -4px;
+  border-top: 7px solid rgba(50, 50, 50, 0.2);
   border-bottom: 0;
 }
-.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
   bottom: auto;
-  top: -3px;
+  top: -4px;
   border-top: 6px solid white;
   border-bottom: 0;
 }
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:before {
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
   right: 12px;
   left: auto;
 }
-.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
   right: 13px;
   left: auto;
 }
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle:before,
-.bootstrap-select.show-menu-arrow.open > .dropdown-toggle:after {
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
   display: block;
 }
 .bs-searchbox,
@@ -286,3 +392,14 @@ span.form-control {
   width: 100%;
   float: none;
 }
+
+/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
+ * Move checkmarks to left hand side of the dropdown.
+ */
+.bootstrap-select .dropdown-menu > li > a {
+  padding: 3px 20px 3px 30px;
+}
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
+  left: 10px;
+}
+/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 842b9ada4e..81019ce5a8 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -3164,7 +3164,6 @@ tbody.collapse.in {
   outline: 0; }
 
 .dropdown-menu {
-  position: absolute;
   top: 100%;
   left: 0;
   z-index: 1000;

From 40785d2ec1cfd1512ae64e34e3f81a95c0ef7c69 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Oct 2023 16:20:38 +0200
Subject: [PATCH 1607/3088] plugins: relax shebang requirement

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index d00a5f5fc7..7b96d0ec87 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -304,7 +304,7 @@ lint-desc: check
 
 lint-shell:
 	@for FILE in $$(find ${.CURDIR}/src -name "*.sh" -type f); do \
-	    if [ "$$(head $${FILE} | grep -cx '#!\/bin\/sh')" == "0" ]; then \
+	    if [ "$$(head $${FILE} | grep -c '^#!\/)" == "0" ]; then \
 	        echo "Missing shebang in $${FILE}"; exit 1; \
 	    fi; \
 	    sh -n $${FILE} || exit 1; \

From 905214458f656c3f59167dc088e9a4f5d985756d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Oct 2023 16:23:59 +0200
Subject: [PATCH 1608/3088] plugins: sorry, typo

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 7b96d0ec87..5fa657dad6 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -304,7 +304,7 @@ lint-desc: check
 
 lint-shell:
 	@for FILE in $$(find ${.CURDIR}/src -name "*.sh" -type f); do \
-	    if [ "$$(head $${FILE} | grep -c '^#!\/)" == "0" ]; then \
+	    if [ "$$(head $${FILE} | grep -c '^#!\/')" == "0" ]; then \
 	        echo "Missing shebang in $${FILE}"; exit 1; \
 	    fi; \
 	    sh -n $${FILE} || exit 1; \

From 7c6fccdde0bc12d6521e25c64d49978b65113e28 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 12 Oct 2023 19:55:55 +0200
Subject: [PATCH 1609/3088] dns/ddclient - accept response codes between 200
 and 300, closes https://github.com/opnsense/plugins/pull/3618

---
 dns/ddclient/Makefile                                           | 1 +
 .../src/opnsense/scripts/ddclient/lib/account/dyndns2.py        | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index ad510c72ae..a8952749ea 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.16
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient-devel py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
index 34d5feeb37..975c94770b 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -98,7 +98,7 @@ def execute(self):
                 }
                 req = requests.get(**req_opts)
 
-            if req.status_code == 200:
+            if 200 >= req.status_code < 300:
                 if self.is_verbose:
                     syslog.syslog(
                         syslog.LOG_NOTICE,

From b276276aeb94c1d4914208712d133fe311c5d123 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Oct 2023 16:02:07 +0200
Subject: [PATCH 1610/3088] misc/theme-cicada: apparently the other change was
 the only change...

... needed and the browser cache was playing tricks on me too.
---
 misc/theme-cicada/Makefile                                      | 2 +-
 .../src/opnsense/www/themes/cicada/assets/stylesheets/main.scss | 1 +
 .../src/opnsense/www/themes/cicada/build/css/main.css           | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index b223882430..0f23fe297c 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index 5e317a4565..0d42c65b12 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -5335,6 +5335,7 @@ tbody.collapse.in {
 }
 
 .dropdown-menu {
+  position: absolute;
   top: 100%;
   left: 0;
   z-index: 1000;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 81019ce5a8..842b9ada4e 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -3164,6 +3164,7 @@ tbody.collapse.in {
   outline: 0; }
 
 .dropdown-menu {
+  position: absolute;
   top: 100%;
   left: 0;
   z-index: 1000;

From f3695f92d405c338535e9ff14306923474bf3cda Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Oct 2023 08:21:13 +0200
Subject: [PATCH 1611/3088] net/wireguard: different approach to bootup
 handling

---
 net/wireguard/Makefile                        |  1 +
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 19 +++++++++++++++++--
 .../scripts/Wireguard/wg-service-control.php  |  9 +--------
 3 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 821184b80d..dbf82fd5da 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index a24eb716fa..ed933a375e 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -122,8 +122,23 @@ function wireguard_devices()
 
 function wireguard_prepare($device)
 {
-    mwexecf('/sbin/ifconfig wg create name %s', $device);
-    mwexecf('/sbin/ifconfig %s group wireguard', $device);
+    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $node) {
+        if ($device != (string)$node->interface) {
+            continue;
+        }
+
+        /* deleting the stat file marks the interface for eventual reconfiguration */
+        @unlink((string)$node->statFilename);
+
+        if (!does_interface_exist($device)) {
+            mwexecf('/sbin/ifconfig wg create name %s', $device);
+            mwexecf('/sbin/ifconfig %s group wireguard', $device);
+        }
+
+        return $device;
+    }
+
+    return null;
 }
 
 function wireguard_configure()
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index e3ab3fc3be..0d58a729be 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -223,14 +223,7 @@ function get_stat_hash($fhandle)
                         wg_start($node, $statHandle, $carp_if_flag);
                         break;
                     case 'configure':
-                        if (
-                            @md5_file($node->cnfFilename) != get_stat_hash($statHandle)['file'] ||
-                            !isset($ifdetails[(string)$node->interface]) || (
-                                // Interface has been setup, but without configuration
-                                empty($ifdetails[(string)$node->interface]['ipv4']) &&
-                                empty($ifdetails[(string)$node->interface]['ipv6'])
-                            )
-                        ) {
+                        if (@md5_file($node->cnfFilename) != get_stat_hash($statHandle)['file']) {
                             if (get_stat_hash($statHandle)['interface'] != wg_reconfigure_hash($node)) {
                                 // Fluent reloading not supported for this instance, make sure the user is informed
                                 syslog(

From 7992ad2f2b59ba701bcc762fadfa162cf68e56f4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Oct 2023 08:24:42 +0200
Subject: [PATCH 1612/3088] dns/ddclient: adjust accordingly

---
 dns/ddclient/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index a2039b1a79..9c56e6f7c1 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.16
 
 * Add custom GET/PUT protocols to native backend (contributed by DaCookie4u)
+* Consider all 2xx status codes as success in native dyndns2 implementation
 
 1.15
 

From 228d07711ab5c40c3f5dfad9696d21bcc3818657 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Oct 2023 08:26:44 +0200
Subject: [PATCH 1613/3088] www/nginx: ready for next release

---
 www/nginx/Makefile  | 3 +--
 www/nginx/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 2372c0d764..337fbac2cb 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.32.1
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.32.2
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index e004fd20a5..60d89e3b89 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.32.2
+
+* Add columns select button to the log viewer (contributed by kulikov-a)
+
 1.32.1
 
 * add "Host header port" and "use original Host header" options

From ea6550812aeb257d38e276dc7d7b9700e3299adb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Oct 2023 14:33:50 +0200
Subject: [PATCH 1614/3088] sysutils/api-backup: mark obsolete

---
 README.md                    | 2 +-
 sysutils/api-backup/Makefile | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 897cb651a8..5cc779f630 100644
--- a/README.md
+++ b/README.md
@@ -94,7 +94,7 @@ security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
-sysutils/api-backup -- Provide the functionality to download the config.xml
+sysutils/api-backup -- EoL, core endpoint is /api/core/backup/download (pending removal)
 sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
diff --git a/sysutils/api-backup/Makefile b/sysutils/api-backup/Makefile
index 55131b846f..f4663d3b4b 100644
--- a/sysutils/api-backup/Makefile
+++ b/sysutils/api-backup/Makefile
@@ -1,6 +1,7 @@
 PLUGIN_NAME=		api-backup
 PLUGIN_VERSION=		1.1
-PLUGIN_COMMENT=		Provide the functionality to download the config.xml
+PLUGIN_OBSOLETE=	yes
+PLUGIN_COMMENT=		EoL, core endpoint is /api/core/backup/download
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"

From c45755f6dc2272f21f64102cd8befafc20edb8ad Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Oct 2023 20:01:28 +0200
Subject: [PATCH 1615/3088] net/firewall: hide menu hints from page search

---
 net/firewall/Makefile                                         | 2 +-
 .../opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index f92f3329d4..08572205a6 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
index a551652542..2889f9bff0 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
@@ -2,10 +2,10 @@
     <Firewall>
         <Automation order="1000" cssClass="fa fa-gear">
             <Filter order="50" url="/ui/firewall/filter/">
-                <FilterRef url="/ui/firewall/filter#*"/>
+                <FilterRef url="/ui/firewall/filter#*" visibility="hidden"/>
             </Filter>
             <SourceNat order="100" VisibleName="Source NAT" url="/ui/firewall/source_nat/">
-                <FilterRef url="/ui/firewall/source_nat#*"/>
+                <FilterRef url="/ui/firewall/source_nat#*" visibility="hidden"/>
             </SourceNat>
         </Automation>
     </Firewall>

From 7ff3c44957f7cf99e204c821e4e7343453bff736 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 20 Oct 2023 10:56:06 +0200
Subject: [PATCH 1616/3088] net/mdns-repeater: note the recent docs change

https://github.com/opnsense/docs/commit/2f1b56bc93619acc08d864fe7d86218a9653d2c2

It would be nice to have a constraint for this, but it's
probably not worth the work in this case although the validation
should be stating this, not the help text and documentation.
---
 net/mdns-repeater/Makefile                                | 1 +
 .../controllers/OPNsense/MDNSRepeater/forms/general.xml   | 2 +-
 .../mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml | 8 ++++----
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/mdns-repeater/Makefile b/net/mdns-repeater/Makefile
index a1febb5539..8fc5683f4a 100644
--- a/net/mdns-repeater/Makefile
+++ b/net/mdns-repeater/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		mdns-repeater
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Proxy multicast DNS between networks
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 PLUGIN_DEPENDS=		mdns-repeater
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
index d7a8bea2ca..7a565757fe 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
+++ b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
@@ -15,6 +15,6 @@
     <id>mdnsrepeater.interfaces</id>
     <label>Listen Interfaces</label>
     <type>select_multiple</type>
-    <help>At least two interfaces must be selected.</help>
+    <help>At least 2 interfaces must be selected. The maximum number of supported interfaces by the daemon is 5.</help>
   </field>
 </form>
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
index b3affd1764..85015e3d67 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
+++ b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
@@ -4,17 +4,17 @@
   <description>mdns-repeater settings</description>
   <items>
     <enabled type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </enabled>
     <enablecarp type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </enablecarp>
     <interfaces type="InterfaceField">
-      <default>lan</default>
+      <Default>lan</Default>
       <Required>Y</Required>
-      <multiple>Y</multiple>
+      <Multiple>Y</Multiple>
     </interfaces>
   </items>
 </model>

From 0558d48493a477ac4a06d0d9a45deb34ae4a54d6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 20 Oct 2023 17:57:51 +0200
Subject: [PATCH 1617/3088] net/wireguard - import
 https://github.com/opnsense/core/commit/c2d07aeef6965a22d4119f815b7afc6bb9d1db09
 and
 https://github.com/opnsense/core/commit/4bef809bd031f0aa3d55963e57a82d988fd2d45a
 from core

---
 .../OPNsense/Wireguard/Api/ServiceController.php       | 10 +---------
 .../opnsense/scripts/Wireguard/wg-service-control.php  |  3 ++-
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
index 1812f83fbe..eab3998151 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
@@ -46,15 +46,6 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceEnabled = 'enabled';
     protected static $internalServiceName = 'wireguard';
 
-    /**
-     * hook group interface registration on reconfigure
-     * @return bool
-     */
-    protected function invokeInterfaceRegistration()
-    {
-        return true;
-    }
-
     /**
      * @return array
      */
@@ -66,6 +57,7 @@ public function reconfigureAction()
 
         $this->sessionClose();
         $backend = new Backend();
+        $backend->configdRun('interface invoke registration');
         $backend->configdRun('template reload ' . escapeshellarg(static::$internalServiceTemplate));
         $backend->configdpRun('wireguard configure');
 
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 0d58a729be..79835fa933 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -29,6 +29,7 @@
 
 require_once('script/load_phalcon.php');
 require_once('util.inc');
+require_once('config.inc');
 require_once('interfaces.inc');
 
 /**
@@ -121,6 +122,7 @@ function wg_start($server, $fhandle, $ifcfgflag = 'up')
     ftruncate($fhandle, 0);
     fwrite($fhandle, @md5_file($server->cnfFilename) . "|" . wg_reconfigure_hash($server));
     syslog(LOG_NOTICE, "Wireguard interface {$server->name} ({$server->interface}) started");
+    interfaces_restart_by_device(false, [(string)$server->interface], false);
 }
 
 /**
@@ -263,6 +265,5 @@ function get_stat_hash($fhandle)
             }
         }
     }
-    mwexecf('/usr/local/etc/rc.routing_configure');
 }
 closelog();

From 3d4c6735adbf3319d8e3950b0490b31c07120ff2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 23 Oct 2023 08:13:47 +0200
Subject: [PATCH 1618/3088] net/upnp: fix a typo

PR: https://github.com/opnsense/lang/issues/64
---
 net/upnp/src/www/services_upnp.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index 3a73b5700b..5ca0754f16 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -390,7 +390,7 @@ function miniupnpd_validate_port($port)
                         <input name="<?= html_safe($permuser) ?>" type="text" value="<?= $pconfig[$permuser] ?>" />
 <?php if ($i == 1): ?>
                         <div class="hidden" data-for="help_for_permuser">
-                          <?=gettext("Format: [allow or deny] [ext port or range] [int ipaddr or ipaddr/cdir] [int port or range]");?><br/>
+                          <?=gettext("Format: [allow or deny] [ext port or range] [int ipaddr or ipaddr/cidr] [int port or range]");?><br/>
                           <?=gettext("Example: allow 1024-65535 192.168.0.0/24 1024-65535");?>
                         </div>
 <?php endif ?>

From 26d96b96c71c3a99b273becec0a6455443b30968 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Mon, 23 Oct 2023 17:02:45 +0200
Subject: [PATCH 1619/3088] net/radsecproxy: cleanup service control.
 os-radsecproxy wasn't used, so we're removing it and hook the required
 settings in rc.conf.d. To make the grids a bit more usable, make sure to wrap
 a container arount it. Final change is to hook syslog properly and add a menu
 item for it. (#3628)

---
 net/radsecproxy/Makefile                      |  2 +-
 .../src/etc/inc/plugins.inc.d/radsecproxy.inc | 36 ++++++------
 net/radsecproxy/src/etc/rc.d/os-radsecproxy   | 46 ----------------
 .../models/OPNsense/RadSecProxy/Menu/Menu.xml |  1 +
 .../views/OPNsense/RadSecProxy/clients.volt   | 54 +++++++++---------
 .../views/OPNsense/RadSecProxy/realms.volt    | 52 +++++++++---------
 .../views/OPNsense/RadSecProxy/rewrites.volt  | 50 +++++++++--------
 .../views/OPNsense/RadSecProxy/servers.volt   | 55 ++++++++++---------
 .../app/views/OPNsense/RadSecProxy/tls.volt   | 53 +++++++++---------
 .../scripts/OPNsense/RadSecProxy/setup.sh     |  7 +--
 .../conf/actions.d/actions_radsecproxy.conf   | 12 +---
 .../OPNsense/RadSecProxy/radsecproxy.conf     |  2 -
 .../templates/OPNsense/RadSecProxy/rc.conf.d  |  3 +-
 .../OPNsense/Syslog/local/radsecproxy.conf    |  6 ++
 14 files changed, 166 insertions(+), 213 deletions(-)
 delete mode 100755 net/radsecproxy/src/etc/rc.d/os-radsecproxy
 create mode 100644 net/radsecproxy/src/opnsense/service/templates/OPNsense/Syslog/local/radsecproxy.conf

diff --git a/net/radsecproxy/Makefile b/net/radsecproxy/Makefile
index 4d2d3d1cfe..e358659a05 100644
--- a/net/radsecproxy/Makefile
+++ b/net/radsecproxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		radsecproxy
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
 PLUGIN_DEPENDS=		radsecproxy
 PLUGIN_MAINTAINER=	tobias@boehnert.dev
diff --git a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
index 19462cfb7e..3b4d464b5b 100644
--- a/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
+++ b/net/radsecproxy/src/etc/inc/plugins.inc.d/radsecproxy.inc
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2023 Deciso B.V.
  * Copyright (C) 2020 Tobias Boehnert
  * All rights reserved.
  *
@@ -27,39 +28,34 @@
 
 function radsecproxy_enabled()
 {
-    $model = new \OPNsense\RadSecProxy\RadSecProxy();
-    if ((string)$model->general->enabled == '1') {
-        return true;
-    }
-
-    return false;
+    return (string)(new \OPNsense\RadSecProxy\RadSecProxy())->general->enabled == '1';
 }
 
 function radsecproxy_syslog()
 {
-    $logfacilities = array();
-    $logfacilities['radsecproxy'] = array(
-        'facility' => array('LOG_DAEMON'),
-    );
-    return $logfacilities;
+    return [
+        'radsecproxy' => [
+            'facility' => ['radsecproxy']
+        ]
+    ];
 }
 
 
 function radsecproxy_services()
 {
-    $services = array();
+    $services = [];
 
     if (radsecproxy_enabled()) {
-        $services[] = array(
+        $services[] = [
             'description' => gettext('Radius Secure Proxy'),
-            'configd' => array(
-                'restart' => array('radsecproxy restart'),
-                'start' => array('radsecproxy start'),
-                'stop' => array('radsecproxy stop'),
-            ),
+            'configd' => [
+                'restart' => ['radsecproxy restart'],
+                'start' => ['radsecproxy start'],
+                'stop' => ['radsecproxy stop'],
+            ],
             'name' => 'radsecproxy',
-            'pidfile' => '/var/run/radsecproxy.pid'
-        );
+            'pidfile' => '/var/run/radsecproxy/radsecproxy.pid'
+        ];
     }
     return $services;
 }
diff --git a/net/radsecproxy/src/etc/rc.d/os-radsecproxy b/net/radsecproxy/src/etc/rc.d/os-radsecproxy
deleted file mode 100755
index cb79588f7e..0000000000
--- a/net/radsecproxy/src/etc/rc.d/os-radsecproxy
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-
-# PROVIDE: radsecproxy
-# REQUIRE: LOGIN
-# KEYWORD: shutdown
-
-# Add the following line to /etc/rc.conf.local or /etc/rc.conf
-# to enable this service:
-#
-# radsecproxy_enable (bool): Set to NO by default.
-#               Set it to YES to enable radsecproxy.
-
-. /etc/rc.subr
-
-name="radsecproxy"
-rcvar=radsecproxy_enable
-
-: ${radsecproxy_enable:="NO"}
-: ${radsecproxy_user:="root"}
-: ${radsecproxy_group:="wheel"}
-: ${radsecproxy_pidfile:="/var/run/radsecproxy.pid"}
-
-user=${radsecproxy_user}
-group=${radsecproxy_group}
-pidfile=${radsecproxy_pidfile}
-required_files=/usr/local/etc/radsecproxy.conf
-
-command="/usr/local/sbin/${name}"
-command_args="-c /usr/local/etc/radsecproxy.conf -i ${pidfile}"
-
-start_precmd="radsecproxy_prestart"
-stop_postcmd="radsecproxy_poststop"
-
-radsecproxy_prestart()
-{
-	mkdir -p $(dirname $pidfile)
-	chown ${user}:${group} $(dirname $pidfile)
-}
-
-radsecproxy_poststop()
-{
-	rm -f ${pidfile}
-}
-
-load_rc_config $name
-run_rc_command "$1"
diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
index 38211fc76c..707b620ca0 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
@@ -7,6 +7,7 @@
             <Realms VisibleName="Realms" order="40" url="/ui/radsecproxy/realms" />
             <Tls VisibleName="TLS" order="50" url="/ui/radsecproxy/tls" />
             <Rewrites VisibleName="Rewrite-Rules" order="60" url="/ui/radsecproxy/rewrites" />
+             <Log  order="100" VisibleName="Log File" url="/ui/diagnostics/log/core/radsecproxy" />
         </RadSecProxy>
     </Services>
 </menu>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
index c03c5d45b1..ea71368b58 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
@@ -24,33 +24,35 @@
     });
 </script>
 
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogClient">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-            <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
-            <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
+<div class="tab-content content-box">
+    <table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogClient">
+        <thead>
+            <tr>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+                <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
+                <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+        </thead>
+        <tbody>
+        </tbody>
+        <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+        </tfoot>
+    </table>
 
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    <div class="col-md-12">
+        <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
 </div>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogClient,'id':'DialogClient','label':lang._('Edit client')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
index 85453ec79d..9afdea0380 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
@@ -23,32 +23,32 @@
         });
     });
 </script>
+<div class="tab-content content-box">
+    <table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRealm">
+        <thead>
+            <tr>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="realm" data-type="string">{{ lang._('Realm') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+        </thead>
+        <tbody>
+        </tbody>
+        <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+        </tfoot>
+    </table>
 
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRealm">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-            <th data-column-id="realm" data-type="string">{{ lang._('Realm') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
-
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    <div class="col-md-12">
+        <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
 </div>
-
 {{ partial("layout_partials/base_dialog",['fields':formDialogRealm,'id':'DialogRealm','label':lang._('Edit realm')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
index 0da6b6612c..a6283441e6 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
@@ -24,31 +24,33 @@
     });
 </script>
 
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRewrite">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-            <th data-column-id="name" data-type="string">{{ lang._('Type') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
+<div class="tab-content content-box">
+    <table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogRewrite">
+        <thead>
+            <tr>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="name" data-type="string">{{ lang._('Type') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+        </thead>
+        <tbody>
+        </tbody>
+        <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+        </tfoot>
+    </table>
 
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    <div class="col-md-12">
+        <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
 </div>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogRewrite,'id':'DialogRewrite','label':lang._('Edit rewrite-rule')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
index b394b1e5ad..86a51c1ffd 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
@@ -24,33 +24,34 @@
     });
 </script>
 
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogServer">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
-            <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-            <th data-column-id="tlsConfig" data-type="string">{{ lang._('TLS-Config') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
+<div class="tab-content content-box">
+    <table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogServer">
+        <thead>
+            <tr>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="host" data-type="string">{{ lang._('Host') }}</th>
+                <th data-column-id="identifier" data-type="string">{{ lang._('Identifier') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+                <th data-column-id="tlsConfig" data-type="string">{{ lang._('TLS-Config') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+        </thead>
+        <tbody>
+        </tbody>
+        <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+        </tfoot>
+    </table>
 
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    <div class="col-md-12">
+        <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
 </div>
-
 {{ partial("layout_partials/base_dialog",['fields':formDialogServer,'id':'DialogServer','label':lang._('Edit server')])}}
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
index cc63e0c747..5aedde0847 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
@@ -24,32 +24,33 @@
     });
 </script>
 
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogTls">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
-            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-            <th data-column-id="caCertificateRefId" data-type="string">{{ lang._('CA-certificate') }}</th>
-            <th data-column-id="proxyCertificateRefId" data-type="string">{{ lang._('Proxy-certificate') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
+<div class="tab-content content-box">
+    <table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogTls">
+        <thead>
+            <tr>
+                <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="caCertificateRefId" data-type="string">{{ lang._('CA-certificate') }}</th>
+                <th data-column-id="proxyCertificateRefId" data-type="string">{{ lang._('Proxy-certificate') }}</th>
+                <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+            </tr>
+        </thead>
+        <tbody>
+        </tbody>
+        <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+        </tfoot>
+    </table>
 
-<div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    <div class="col-md-12">
+        <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
+    </div>
 </div>
-
 {{ partial("layout_partials/base_dialog",['fields':formDialogTls,'id':'DialogTls','label':lang._('Edit TLS-config')])}}
diff --git a/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh
index cd09c51f98..420c0e62f1 100755
--- a/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh
+++ b/net/radsecproxy/src/opnsense/scripts/OPNsense/RadSecProxy/setup.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 
-RADSECPROXY_DIRS="/usr/local/etc/radsecproxy.d /usr/local/etc/radsecproxy.d/certs"
+RADSECPROXY_DIRS="/usr/local/etc/radsecproxy.d/certs"
 
 for directory in ${RADSECPROXY_DIRS}; do
     mkdir -p ${directory}
-    chown -R www:www ${directory}
+    chown -R root:wheel ${directory}
     chmod -R 750 ${directory}
 done
 
@@ -12,7 +12,4 @@ done
 # export required certs to filesystem
 /usr/local/opnsense/scripts/OPNsense/RadSecProxy/generate_certs.php > /dev/null 2>&1
 
-# remove logfile - sometimes it will stop radsecproxy from starting
-#rm /var/log/radsecproxy.log
-
 exit 0
diff --git a/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
index 79ca190462..6f7d0908f1 100644
--- a/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
+++ b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
@@ -1,11 +1,5 @@
-[setup]
-command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;
-parameters:
-type:script
-message:setup radsecproxy service requirements
-
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy start;
+command:/usr/local/etc/rc.d/radsecproxy start
 parameters:
 type:script
 message:starting radsecproxy
@@ -17,13 +11,13 @@ type:script
 message:stopping radsecproxy
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
+command:/usr/local/etc/rc.d/radsecproxy restart;
 parameters:
 type:script
 message:restarting radsecproxy
 
 [reload]
-command:/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh;/usr/local/etc/rc.d/radsecproxy restart;
+command:/usr/local/etc/rc.d/radsecproxy restart;
 parameters:
 type:script
 message:reloading radsecproxy
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
index bdb62ce381..45dcc4c3ab 100644
--- a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
@@ -5,8 +5,6 @@
 # GENERAL
 ###########################################
 
-#PidFile /var/run/radsecproxy.pid
-#LogDestination file:///var/log/radsecproxy.log
 LogDestination x-syslog:///LOG_DAEMON
 
 {% if OPNsense.radsecproxy.general.logLevel is defined and OPNsense.radsecproxy.general.logLevel != "" %}
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
index 35042a335c..aa0daa9288 100644
--- a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
@@ -1,7 +1,8 @@
-{% if helpers.exists('OPNsense.radsecproxy.general.enabled') and OPNsense.radsecproxy.general.enabled == '1' %}
+{% if not helpers.empty('OPNsense.radsecproxy.general.enabled') %}
 radsecproxy_enable="YES"
 {% else %}
 radsecproxy_enable="NO"
 {% endif %}
 radsecproxy_user="root"
 radsecproxy_group="wheel"
+radsecproxy_setup="/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh"
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/Syslog/local/radsecproxy.conf b/net/radsecproxy/src/opnsense/service/templates/OPNsense/Syslog/local/radsecproxy.conf
new file mode 100644
index 0000000000..2133f76f55
--- /dev/null
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/Syslog/local/radsecproxy.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [radsecproxy].
+###################################################################
+filter f_local_radsecproxy {
+    program("radsecproxy");
+};

From cb4cf0cf2d3214554731da1654e72aa86e8ec767 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 24 Oct 2023 12:23:16 +0200
Subject: [PATCH 1620/3088] mail/rspamd: new version

---
 mail/rspamd/Makefile  | 3 +--
 mail/rspamd/pkg-descr | 5 ++++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index 64c79a22ad..b72d9f6058 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		rspamd
-PLUGIN_VERSION=		1.12
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.13
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/mail/rspamd/pkg-descr b/mail/rspamd/pkg-descr
index 944931b608..80f7d7b76f 100644
--- a/mail/rspamd/pkg-descr
+++ b/mail/rspamd/pkg-descr
@@ -5,11 +5,14 @@ lua.
 Plugin Changelog
 ----------------
 
+1.13
+
+* Make local whitelist by e-mail address possible (contributed by itNGO)
+
 1.12
 
 * Adjusting the multimap setting to make the multimap whitelist work
 
-
 1.11
 
 * Fix Milter Protocol by binding to Unix Sockets

From 5a912c4edb062bc92e48d2234c70292c57618da2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 24 Oct 2023 12:24:46 +0200
Subject: [PATCH 1621/3088] net/wireguard: make it a full version

---
 net/wireguard/Makefile  | 3 +--
 net/wireguard/pkg-descr | 6 ++++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index dbf82fd5da..b338d74054 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		2.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		2.4
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index e9f0c211ff..f9c144085d 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,12 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+2.4
+
+* Only invoke routes for attached WireGuard instances
+* Make bootup device creation more robust
+* Correct interface group registration
+
 2.3
 
 * Create WireGuard devices earlier to allow of to pick up NAT rules correctly

From e474d4b17b1de9640d605be5a10aa17ab273c7f5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 24 Oct 2023 12:37:57 +0200
Subject: [PATCH 1622/3088] net/radsecproxy: style scrubbing

---
 .../app/models/OPNsense/RadSecProxy/Menu/Menu.xml  | 14 +++++++-------
 .../conf/actions.d/actions_radsecproxy.conf        |  8 ++++----
 .../templates/OPNsense/RadSecProxy/rc.conf.d       |  6 +++---
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
index 707b620ca0..274409397b 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/Menu/Menu.xml
@@ -1,13 +1,13 @@
 <menu>
     <Services>
         <RadSecProxy VisibleName="RadSecProxy" cssClass="fa fa-shield fa-fw">
-            <Basic VisibleName="General" order="10" url="/ui/radsecproxy/general" />
-            <Clients VisibleName="Clients" order="20" url="/ui/radsecproxy/clients" />
-            <Servers VisibleName="Servers" order="30" url="/ui/radsecproxy/servers" />
-            <Realms VisibleName="Realms" order="40" url="/ui/radsecproxy/realms" />
-            <Tls VisibleName="TLS" order="50" url="/ui/radsecproxy/tls" />
-            <Rewrites VisibleName="Rewrite-Rules" order="60" url="/ui/radsecproxy/rewrites" />
-             <Log  order="100" VisibleName="Log File" url="/ui/diagnostics/log/core/radsecproxy" />
+            <General order="10" url="/ui/radsecproxy/general"/>
+            <Clients order="20" url="/ui/radsecproxy/clients"/>
+            <Servers order="30" url="/ui/radsecproxy/servers"/>
+            <Realms order="40" url="/ui/radsecproxy/realms"/>
+            <TLS order="50" url="/ui/radsecproxy/tls"/>
+            <Rewrites order="60" VisibleName="Rewrite-Rules" url="/ui/radsecproxy/rewrites"/>
+            <Log order="100" VisibleName="Log File" url="/ui/diagnostics/log/core/radsecproxy"/>
         </RadSecProxy>
     </Services>
 </menu>
diff --git a/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
index 6f7d0908f1..0d60ddcf77 100644
--- a/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
+++ b/net/radsecproxy/src/opnsense/service/conf/actions.d/actions_radsecproxy.conf
@@ -5,25 +5,25 @@ type:script
 message:starting radsecproxy
 
 [stop]
-command:/usr/local/etc/rc.d/radsecproxy stop;
+command:/usr/local/etc/rc.d/radsecproxy stop
 parameters:
 type:script
 message:stopping radsecproxy
 
 [restart]
-command:/usr/local/etc/rc.d/radsecproxy restart;
+command:/usr/local/etc/rc.d/radsecproxy restart
 parameters:
 type:script
 message:restarting radsecproxy
 
 [reload]
-command:/usr/local/etc/rc.d/radsecproxy restart;
+command:/usr/local/etc/rc.d/radsecproxy restart
 parameters:
 type:script
 message:reloading radsecproxy
 
 [status]
-command:/usr/local/etc/rc.d/radsecproxy status;exit 0;
+command:/usr/local/etc/rc.d/radsecproxy status; exit 0
 parameters:
 type:script_output
 message:radsecproxy status
diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
index aa0daa9288..7f32bf52ab 100644
--- a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/rc.conf.d
@@ -1,8 +1,8 @@
 {% if not helpers.empty('OPNsense.radsecproxy.general.enabled') %}
 radsecproxy_enable="YES"
-{% else %}
-radsecproxy_enable="NO"
-{% endif %}
 radsecproxy_user="root"
 radsecproxy_group="wheel"
 radsecproxy_setup="/usr/local/opnsense/scripts/OPNsense/RadSecProxy/setup.sh"
+{% else %}
+radsecproxy_enable="NO"
+{% endif %}

From ea205682724c97cd51238458734e4b84ecf11878 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 25 Oct 2023 09:27:34 +0200
Subject: [PATCH 1623/3088] security/intrusion-detection-content-et-open -
 deprecate version 4 rules (6 should be minimum now)

---
 security/intrusion-detection-content-et-open/Makefile         | 2 +-
 .../scripts/suricata/metadata/rules/et-open-extra.xml         | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/intrusion-detection-content-et-open/Makefile b/security/intrusion-detection-content-et-open/Makefile
index cb93113e2b..453c803cc9 100644
--- a/security/intrusion-detection-content-et-open/Makefile
+++ b/security/intrusion-detection-content-et-open/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		intrusion-detection-content-et-open
 PLUGIN_VERSION=		1.0.1
-#PLUGIN_REVISION=	1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://rules.emergingthreats.net/
diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
index af9114aa4f..ae9c0bffc1 100644
--- a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <ruleset documentation_url="https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
-    <location url="https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz" prefix="ET open"/>
-    <version url="https://rules.emergingthreats.net/open/suricata-4.0/version.txt"/>
+    <location url="https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz" prefix="ET open"/>
+    <version url="https://rules.emergingthreats.net/open/suricata-6.0/version.txt"/>
     <files>
         <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">et_open-botcc.portgrouped.rules</file>
         <file description="botcc" url="inline::rules/botcc.rules">et_open.botcc.rules</file>

From 186ec0713fe49e730372c6e03547e89449baad26 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 25 Oct 2023 14:55:28 +0200
Subject: [PATCH 1624/3088] net/wireguard - startup missing import (bug)

---
 net/wireguard/Makefile                                           | 1 +
 .../src/opnsense/scripts/Wireguard/wg-service-control.php        | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index b338d74054..5454ec51c4 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.4
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 79835fa933..742119c7f5 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -31,6 +31,7 @@
 require_once('util.inc');
 require_once('config.inc');
 require_once('interfaces.inc');
+require_once('system.inc');
 
 /**
  * collect carp status per vhid

From 19eac172c83b3b4fbda9fa23a03dc3564057a74d Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 26 Oct 2023 13:49:02 +0200
Subject: [PATCH 1625/3088] wg - fix error when empty tunnel address in
 instance (#3638)

---
 .../src/opnsense/scripts/Wireguard/wg-service-control.php      | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 742119c7f5..f66d0a08e3 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -69,7 +69,8 @@ function wg_start($server, $fhandle, $ifcfgflag = 'up')
     }
     mwexecf('/usr/bin/wg setconf %s %s', [$server->interface, $server->cnfFilename]);
 
-    foreach (explode(',', (string)$server->tunneladdress) as $alias) {
+    /* The tunneladdress can be empty, so array_filter without callback filters empty strings out. */
+    foreach (array_filter(explode(',', (string)$server->tunneladdress)) as $alias) {
         $proto = strpos($alias, ':') === false ? "inet" : "inet6";
         mwexecf('/sbin/ifconfig %s %s %s alias', [$server->interface, $proto, $alias]);
     }

From 354d4348aa7e2cd94bdcba85a15dab0c1f69e0ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Sat, 28 Oct 2023 11:42:08 +0200
Subject: [PATCH 1626/3088] Update bootstrap-select.css (#3642)

---
 .../opnsense/www/themes/cicada/build/css/bootstrap-select.css | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
index bbc5c29d9a..15d668797b 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
@@ -91,9 +91,7 @@ select.selectpicker {
 }
 .bootstrap-select > select.mobile-device:focus + .dropdown-toggle,
 .bootstrap-select .dropdown-toggle:focus {
-  outline: thin dotted #bbbbbb !important;
-  outline: 5px auto -webkit-focus-ring-color !important;
-  outline-offset: -2px;
+  outline: none !important;
 }
 .bootstrap-select.form-control {
   margin-bottom: 0;

From 806fb05c1cf5781005c001e6f6444edfcc0bdb8f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 30 Oct 2023 18:47:12 +0100
Subject: [PATCH 1627/3088] net/wireguard: Some improvements in carp event
 handing for https://github.com/opnsense/plugins/issues/3579

This commit addresses a couple of possible issues.

1. When a sequence of carp events is being processed and these processes lock eachother, its possible that collected interface state via legacy_interfaces_details() doesn't match the active one anymore. To prevent this from happening, only fetch the wireguard interface we're interested in inside the lock.

2. To limit the number of events being handled in wg-service-control.php it's likely cleaner to push the vhid as well when we're handling carp events. This means that we should switch between server id (current parameter) and vhid by looking at its format.

3. In case the target (wg) interface doesn't exist, make sure to create it. Although in practice this shouldn't happen (as the stat file is being removed on boot), dropping an interface manually should preferably lead to a funcitonal setup anyway (otherwise it will crash trying to pull it up)

4. When a vhid is passed and affects the interface in question, log relevant information to syslog.
---
 net/wireguard/Makefile                        |  2 +-
 .../src/etc/rc.syshook.d/carp/20-wireguard    |  2 +-
 .../scripts/Wireguard/wg-service-control.php  | 63 +++++++++++++------
 .../conf/actions.d/actions_wireguard.conf     |  4 +-
 4 files changed, 49 insertions(+), 22 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 5454ec51c4..a7ffd83b3c 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard b/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
index 8c69f6f959..5e5e42d67f 100755
--- a/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
+++ b/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
@@ -1,3 +1,3 @@
 #!/bin/sh
 
-configctl -dq wireguard configure
+configctl -dq wireguard configure $1
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index f66d0a08e3..2ac781a968 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -49,7 +49,7 @@ function get_vhid_status()
         if (!empty($ifdata['carp'])) {
             foreach ($ifdata['carp'] as $data) {
                 if (isset($uuids[$data['vhid']])) {
-                    $vhids[$uuids[$data['vhid']]] = $data['status'];
+                    $vhids[$uuids[$data['vhid']]] = ['status' => $data['status'], 'vhid' => $data['vhid']];
                 }
             }
         }
@@ -123,7 +123,7 @@ function wg_start($server, $fhandle, $ifcfgflag = 'up')
     fseek($fhandle, 0);
     ftruncate($fhandle, 0);
     fwrite($fhandle, @md5_file($server->cnfFilename) . "|" . wg_reconfigure_hash($server));
-    syslog(LOG_NOTICE, "Wireguard interface {$server->name} ({$server->interface}) started");
+    syslog(LOG_NOTICE, "wireguard instance {$server->name} ({$server->interface}) started");
     interfaces_restart_by_device(false, [(string)$server->interface], false);
 }
 
@@ -135,7 +135,7 @@ function wg_stop($server)
     if (does_interface_exist($server->interface)) {
         legacy_interface_destroy($server->interface);
     }
-    syslog(LOG_NOTICE, "Wireguard interface {$server->name} ({$server->interface}) stopped");
+    syslog(LOG_NOTICE, "wireguard instance {$server->name} ({$server->interface}) stopped");
 }
 
 
@@ -182,21 +182,29 @@ function get_stat_hash($fhandle)
 openlog("wireguard", LOG_ODELAY, LOG_AUTH);
 
 if (isset($opts['h']) || empty($args) || !in_array($args[0], ['start', 'stop', 'restart', 'configure'])) {
-    echo "Usage: wg-service-control.php [-a] [-h] [stop|start|restart|configure] [uuid]\n\n";
+    echo "Usage: wg-service-control.php [-a] [-h] [stop|start|restart|configure] [uuid|vhid]\n\n";
     echo "\t-a all instances\n";
 } elseif (isset($opts['a']) || !empty($args[1])) {
-    $server_id = $args[1] ?? null;
+    // either a server id (uuid) or a vhid could be offered
+    $server_id = $vhid = null;
+    if (preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', $args[1] ?? '') == 1) {
+        $server_id = $args[1];
+    } elseif (!empty($args[1])) {
+        $vhid = explode('@', $args[1])[0];
+    }
+
     $action = $args[0];
 
     $server_devs = [];
     if (!empty((string)(new OPNsense\Wireguard\General())->enabled)) {
-        $ifdetails = legacy_interfaces_details();
         $vhids = get_vhid_status();
         foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
+            $carp_depend_on = (string)$node->carp_depend_on;
             if (empty((string)$node->enabled)) {
                 continue;
-            }
-            if ($server_id != null && $key != $server_id) {
+            } elseif ($server_id != null && $key != $server_id) {
+                continue;
+            } elseif ($vhid != null && (!empty($vhids[$carp_depend_on]) && $vhids[$carp_depend_on]['vhid'] != $vhid)) {
                 continue;
             }
             /**
@@ -206,15 +214,13 @@ function get_stat_hash($fhandle)
              * when in BACKUP or INIT mode.
              */
             $carp_if_flag = 'up';
-            if (
-                !empty($vhids[(string)$node->carp_depend_on]) &&
-                $vhids[(string)$node->carp_depend_on] != 'MASTER'
-            ) {
+            if (!empty($vhids[$carp_depend_on]) && $vhids[$carp_depend_on]['status'] != 'MASTER') {
                 $carp_if_flag = 'down';
             }
             $server_devs[] = (string)$node->interface;
             $statHandle = fopen($node->statFilename, "a+");
             if (flock($statHandle, LOCK_EX)) {
+                $ifdetails = legacy_interfaces_details((string)$node->interface);
                 switch ($action) {
                     case 'stop':
                         wg_stop($node);
@@ -227,12 +233,34 @@ function get_stat_hash($fhandle)
                         wg_start($node, $statHandle, $carp_if_flag);
                         break;
                     case 'configure':
-                        if (@md5_file($node->cnfFilename) != get_stat_hash($statHandle)['file']) {
+                        $ifstatus = '-';
+                        if (!empty($ifdetails[(string)$node->interface])) {
+                            $ifstatus = in_array('up', $ifdetails[(string)$node->interface]['flags']) ? 'up' : 'down';
+                        }
+
+                        if (!empty($carp_depend_on) && !empty($vhid)) {
+                            // CARP event traceability when a vhid is being passed
+                            syslog(
+                                LOG_NOTICE,
+                                sprintf(
+                                    "Wireguard configure event instance %s (%s) vhid: %s carp: %s interface: %s",
+                                    $node->name,
+                                    $node->interface,
+                                    $vhid,
+                                    !empty($vhids[$carp_depend_on]) ? $vhids[$carp_depend_on]['status'] : '-',
+                                    $ifstatus
+                                )
+                            );
+                        }
+                        if (
+                            @md5_file($node->cnfFilename) != get_stat_hash($statHandle)['file'] ||
+                            empty($ifdetails[(string)$node->interface])
+                        ) {
                             if (get_stat_hash($statHandle)['interface'] != wg_reconfigure_hash($node)) {
                                 // Fluent reloading not supported for this instance, make sure the user is informed
                                 syslog(
                                     LOG_NOTICE,
-                                    "Wireguard interface {$node->name} ({$node->interface}) " .
+                                    "wireguard instance {$node->name} ({$node->interface}) " .
                                     "can not reconfigure without stopping it first."
                                 );
                                 wg_stop($node);
@@ -240,8 +268,7 @@ function get_stat_hash($fhandle)
                             wg_start($node, $statHandle, $carp_if_flag);
                         } else {
                             // when triggered via a CARP event, check our interface status [UP|DOWN]
-                            $tmp = in_array('up', $ifdetails[(string)$node->interface]['flags']) ? 'up' : 'down';
-                            if ($tmp !=  $carp_if_flag) {
+                            if ($ifstatus !=  $carp_if_flag) {
                                 mwexecf('/sbin/ifconfig %s %s', [$node->interface, $carp_if_flag]);
                             }
                         }
@@ -254,9 +281,9 @@ function get_stat_hash($fhandle)
     }
 
     /**
-     * When -a is specified, cleaup up old or disabled instances (files and interfaces)
+     * When -a is specified, cleanup up old or disabled instances (files and interfaces)
      */
-    if ($server_id == null) {
+    if ($server_id == null && $vhid == null) {
         foreach (glob('/usr/local/etc/wireguard/wg*') as $filename) {
             $this_dev = explode('.', basename($filename))[0];
             if (!in_array($this_dev, $server_devs)) {
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
index 44c925e865..555afb2cd7 100644
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
@@ -18,9 +18,9 @@ message: restart wireguard instance %s
 
 [configure]
 command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
-parameters: -a configure
+parameters: -a configure %s
 type:script
-message: configure wireguard instances
+message: configure wireguard instances (%s)
 
 [renew]
 command:/usr/local/opnsense/scripts/Wireguard/reresolve-dns.py

From d1eb2185ad2864078dfc8923d3dc08fc6e0f73c5 Mon Sep 17 00:00:00 2001
From: 0nnyx <54419678+0nnyx@users.noreply.github.com>
Date: Tue, 31 Oct 2023 10:43:25 +0100
Subject: [PATCH 1628/3088] Full ET open ruleset as open-extra (#3644)

* Full ET open ruleset as open-extra

Follow up on #3635 to have full ET open ruleset as plugin

* Update et-open-extra.xml
---
 .../Makefile                                  |  4 +-
 .../pkg-descr                                 |  4 +-
 .../suricata/metadata/rules/et-open-extra.xml | 64 ++++++++++++++++---
 3 files changed, 58 insertions(+), 14 deletions(-)

diff --git a/security/intrusion-detection-content-et-open/Makefile b/security/intrusion-detection-content-et-open/Makefile
index 453c803cc9..e3b185e588 100644
--- a/security/intrusion-detection-content-et-open/Makefile
+++ b/security/intrusion-detection-content-et-open/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		intrusion-detection-content-et-open
-PLUGIN_VERSION=		1.0.1
+PLUGIN_VERSION=		1.0.2
 PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
+PLUGIN_COMMENT=		IDS Proofpoint full ET open ruleset complementary subset for ET Pro Telemetry edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://rules.emergingthreats.net/
 
diff --git a/security/intrusion-detection-content-et-open/pkg-descr b/security/intrusion-detection-content-et-open/pkg-descr
index 7065fc3ed4..ef686238dc 100644
--- a/security/intrusion-detection-content-et-open/pkg-descr
+++ b/security/intrusion-detection-content-et-open/pkg-descr
@@ -1,5 +1,5 @@
-IDS Proofpoint ET open ruleset duplicates rule files which are being
-delivered empty in ET Pro Telemetry edition so both can be installed.
+IDS Proofpoint ET open full ruleset to complement ET Pro Telemetry edition.
+This plugin will trigger duplicate rules warnings in suricata logs when selecting the same categories for both ET open and ET Telemetry.
 
 LICENSE: https://www.proofpoint.com/us/license
 WWW: https://www.proofpoint.com/us/blog/threat-insight
diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
index ae9c0bffc1..e421e8796f 100644
--- a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -1,15 +1,59 @@
 <?xml version="1.0"?>
 <ruleset documentation_url="https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ">
-    <location url="https://rules.emergingthreats.net/open/suricata-6.0/emerging.rules.tar.gz" prefix="ET open"/>
-    <version url="https://rules.emergingthreats.net/open/suricata-6.0/version.txt"/>
+    <location url="https://rules.emergingthreats.net/open/suricata-7.0/emerging.rules.tar.gz" prefix="ET open"/>
+    <version url="https://rules.emergingthreats.net/open/suricata-7.0/version.txt"/>
     <files>
-        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">et_open-botcc.portgrouped.rules</file>
-        <file description="botcc" url="inline::rules/botcc.rules">et_open.botcc.rules</file>
-        <file description="ciarmy" url="inline::rules/ciarmy.rules">et_open.ciarmy.rules</file>
-        <file description="compromised" url="inline::rules/compromised.rules">et_open.compromised.rules</file>
-        <file description="drop" url="inline::rules/drop.rules">et_open.drop.rules</file>
-        <file description="dshield" url="inline::rules/dshield.rules">et_open.dshield.rules</file>
-        <file description="tor" url="inline::rules/tor.rules">et_open.tor.rules</file>
-        <file description="emerging-inappropriate" url="inline::rules/emerging-inappropriate.rules">et_open.emerging-inappropriate.rules</file>
+        <file description="3coresec" url="inline::rules/3coresec.rules">3coresec.rules</file>
+        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">botcc.portgrouped.rules</file>
+        <file description="botcc" url="inline::rules/botcc.rules">botcc.rules</file>
+        <file description="ciarmy" url="inline::rules/ciarmy.rules">ciarmy.rules</file>
+        <file description="compromised" url="inline::rules/compromised.rules">compromised.rules</file>
+        <file description="drop" url="inline::rules/drop.rules">drop.rules</file>
+        <file description="dshield" url="inline::rules/dshield.rules">dshield.rules</file>
+        <file description="emerging-activex" url="inline::rules/emerging-activex.rules">emerging-activex.rules</file>
+        <file description="emerging-adware_pup" url="inline::rules/emerging-adware_pup.rules">emerging-adware_pup.rules</file>
+        <file description="emerging-attack_response" url="inline::rules/emerging-attack_response.rules">emerging-attack_response.rules</file>
+        <file description="emerging-chat" url="inline::rules/emerging-chat.rules">emerging-chat.rules</file>
+        <file description="emerging-coinminer" url="inline::rules/emerging-coinminer.rules">emerging-coinminer.rules</file>
+        <file description="emerging-current_events" url="inline::rules/emerging-current_events.rules">emerging-current_events.rules</file>
+        <file description="emerging-deleted" url="inline::rules/emerging-deleted.rules">emerging-deleted.rules</file>
+        <file description="emerging-dns" url="inline::rules/emerging-dns.rules">emerging-dns.rules</file>
+        <file description="emerging-dos" url="inline::rules/emerging-dos.rules">emerging-dos.rules</file>
+        <file description="emerging-exploit" url="inline::rules/emerging-exploit.rules">emerging-exploit.rules</file>
+        <file description="emerging-exploit_kit" url="inline::rules/emerging-exploit_kit.rules">emerging-exploit_kit.rules</file>
+        <file description="emerging-ftp" url="inline::rules/emerging-ftp.rules">emerging-ftp.rules</file>
+        <file description="emerging-games" url="inline::rules/emerging-games.rules">emerging-games.rules</file>
+        <file description="emerging-hunting" url="inline::rules/emerging-hunting.rules">emerging-hunting.rules</file>
+        <file description="emerging-icmp" url="inline::rules/emerging-icmp.rules">emerging-icmp.rules</file>
+        <file description="emerging-icmp_info" url="inline::rules/emerging-icmp_info.rules">emerging-icmp_info.rules</file>
+        <file description="emerging-imap" url="inline::rules/emerging-imap.rules">emerging-imap.rules</file>
+        <file description="emerging-inappropriate" url="inline::rules/emerging-inappropriate.rules">emerging-inappropriate.rules</file>
+        <file description="emerging-info" url="inline::rules/emerging-info.rules">emerging-info.rules</file>
+        <file description="emerging-ja3" url="inline::rules/emerging-ja3.rules">emerging-ja3.rules</file>
+        <file description="emerging-malware" url="inline::rules/emerging-malware.rules">emerging-malware.rules</file>
+        <file description="emerging-misc" url="inline::rules/emerging-misc.rules">emerging-misc.rules</file>
+        <file description="emerging-mobile_malware" url="inline::rules/emerging-mobile_malware.rules">emerging-mobile_malware.rules</file>
+        <file description="emerging-netbios" url="inline::rules/emerging-netbios.rules">emerging-netbios.rules</file>
+        <file description="emerging-p2p" url="inline::rules/emerging-p2p.rules">emerging-p2p.rules</file>
+        <file description="emerging-phishing" url="inline::rules/emerging-phishing.rules">emerging-phishing.rules</file>
+        <file description="emerging-policy" url="inline::rules/emerging-policy.rules">emerging-policy.rules</file>
+        <file description="emerging-pop3" url="inline::rules/emerging-pop3.rules">emerging-pop3.rules</file>
+        <file description="emerging-rpc" url="inline::rules/emerging-rpc.rules">emerging-rpc.rules</file>
+        <file description="emerging-scada" url="inline::rules/emerging-scada.rules">emerging-scada.rules</file>
+        <file description="emerging-scan" url="inline::rules/emerging-scan.rules">emerging-scan.rules</file>
+        <file description="emerging-shellcode" url="inline::rules/emerging-shellcode.rules">emerging-shellcode.rules</file>
+        <file description="emerging-smtp" url="inline::rules/emerging-smtp.rules">emerging-smtp.rules</file>
+        <file description="emerging-snmp" url="inline::rules/emerging-snmp.rules">emerging-snmp.rules</file>
+        <file description="emerging-sql" url="inline::rules/emerging-sql.rules">emerging-sql.rules</file>
+        <file description="emerging-telnet" url="inline::rules/emerging-telnet.rules">emerging-telnet.rules</file>
+        <file description="emerging-tftp" url="inline::rules/emerging-tftp.rules">emerging-tftp.rules</file>
+        <file description="emerging-user_agents" url="inline::rules/emerging-user_agents.rules">emerging-user_agents.rules</file>
+        <file description="emerging-voip" url="inline::rules/emerging-voip.rules">emerging-voip.rules</file>
+        <file description="emerging-web_client" url="inline::rules/emerging-web_client.rules">emerging-web_client.rules</file>
+        <file description="emerging-web_server" url="inline::rules/emerging-web_server.rules">emerging-web_server.rules</file>
+        <file description="emerging-web_specific_apps" url="inline::rules/emerging-web_specific_apps.rules">emerging-web_specific_apps.rules</file>
+        <file description="emerging-worm" url="inline::rules/emerging-worm.rules">emerging-worm.rules</file>
+        <file description="tor" url="inline::rules/tor.rules">tor.rules</file>
+        <file description="threatview_CS_c2" url="inline::rules/threatview_CS_c2.rules">threatview_CS_c2.rules</file>
     </files>
 </ruleset>

From 8ecf7830a69e42ac52181f2ce28629636b6bc071 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 31 Oct 2023 22:41:14 +0100
Subject: [PATCH 1629/3088] security/intrusion-detection-content-et-open: fix
 revision

---
 security/intrusion-detection-content-et-open/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/intrusion-detection-content-et-open/Makefile b/security/intrusion-detection-content-et-open/Makefile
index e3b185e588..acf629bc8a 100644
--- a/security/intrusion-detection-content-et-open/Makefile
+++ b/security/intrusion-detection-content-et-open/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		intrusion-detection-content-et-open
 PLUGIN_VERSION=		1.0.2
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		IDS Proofpoint full ET open ruleset complementary subset for ET Pro Telemetry edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://rules.emergingthreats.net/

From af80514ad843bc2ed2aa102f3766f95cadf625ec Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 31 Oct 2023 11:36:00 +0100
Subject: [PATCH 1630/3088] net/wireguard: use syncconf on newwanip event

---
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 26 ++++++++++++++++---
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index ed933a375e..08f344cd83 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -144,7 +144,7 @@ function wireguard_prepare($device)
 function wireguard_configure()
 {
     return [
-        'newwanip' => ['wireguard_renew:2'],
+        'newwanip' => ['wireguard_sync:2'],
         'vpn' => ['wireguard_configure_do:2'],
     ];
 }
@@ -162,15 +162,33 @@ function wireguard_configure_do($verbose = false, $unused = '')
     service_log("done.\n", $verbose);
 }
 
-function wireguard_renew($verbose = false, $unused = '')
+function wireguard_sync($verbose = false, $unused = '')
 {
     if (!wireguard_enabled()) {
         return;
     }
 
-    service_log('Renewing WireGuard VPN...', $verbose);
+    $instances = [];
+    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $node) {
+        if (!empty((string)$node->enabled)) {
+            $instances[(string)$node->interface] = (string)$node->cnfFilename;
+        }
+    }
+
+    if (!count($instances)) {
+        return;
+    }
+
+    service_log('Synchronizing WireGuard VPN...', $verbose);
+
+    openlog('wireguard', LOG_ODELAY, LOG_AUTH);
+
+    foreach ($instances as $device => $config) {
+        mwexecf('/usr/bin/wg syncconf %s %s', [$device, $config]);
+    }
 
-    configd_run('wireguard renew');
+    closelog();
+    reopenlog();
 
     service_log("done.\n", $verbose);
 }

From 9af41b126b198e3126c2c9f151eb009fc6fbc0e4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 31 Oct 2023 22:43:08 +0100
Subject: [PATCH 1631/3088] net/wireguard: bump version

---
 net/wireguard/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index a7ffd83b3c..f77b3b923f 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		2.4
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		2.5
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go

From 06d0969eb25e7fb7a94b66834cea86cd88061566 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Nov 2023 08:21:18 +0100
Subject: [PATCH 1632/3088] net/wireguard: allow instance selection from peer

---
 .../Wireguard/Api/ClientController.php        | 42 ++++++++++++++++++-
 .../forms/dialogEditWireguardClient.xml       |  6 +++
 .../forms/dialogEditWireguardServer.xml       |  1 -
 3 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
index d4f2bf4f0b..8299f6fe20 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
@@ -30,6 +30,8 @@
 namespace OPNsense\Wireguard\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+use OPNsense\Wireguard\Server;
 
 class ClientController extends ApiMutableModelControllerBase
 {
@@ -46,12 +48,22 @@ public function searchClientAction()
 
     public function getClientAction($uuid = null)
     {
-        return $this->getBase('client', 'clients.client', $uuid);
+        $result = $this->getBase('client', 'clients.client', $uuid);
+        if (!empty($result['client'])) {
+            $result['client']['servers'] = [];
+            foreach ((new Server())->servers->server->iterateItems() as $key => $node) {
+                $result['client']['servers'][$key] = [
+                    'value' => (string)$node->name,
+                    'selected' => in_array($uuid, explode(',', (string)$node->peers)) ? '1' : '0'
+                ];
+            }
+        }
+        return $result;
     }
 
     public function addClientAction()
     {
-        return $this->addBase('client', 'clients.client');
+        return $this->setClientAction(null);
     }
 
     public function delClientAction($uuid)
@@ -61,6 +73,32 @@ public function delClientAction($uuid)
 
     public function setClientAction($uuid)
     {
+        if (!empty($this->request->getPost(static::$internalModelName)) && $this->request->isPost()) {
+            $servers = [];
+            if (!empty($this->request->getPost(static::$internalModelName)['servers'])) {
+                $servers = explode(',', $this->request->getPost(static::$internalModelName)['servers']);
+            }
+            Config::getInstance()->lock();
+            $mdl = new Server();
+            if (empty($uuid)) {
+                // add new client, generate uuid
+                $uuid = $mdl->servers->generateUUID();
+            }
+            foreach ($mdl->servers->server->iterateItems() as $key => $node) {
+                $peers = array_filter(explode(',', (string)$node->peers));
+                if (in_array($uuid, $peers) && !in_array($key, $servers)) {
+                    $node->peers = implode(',', array_diff($peers, [$uuid]));
+                } elseif (!in_array($uuid, $peers) && in_array($key, $servers)) {
+                    $node->peers = implode(',', array_merge($peers, [$uuid]));
+                }
+            }
+            /**
+             * Save to in memory model.
+             * Ignore validations as $uuid might be new or trigger an existing validation issue.
+             * Persisting the data is handled by setBase()
+             */
+            $mdl->serializeToConfig(false, true);
+        }
         return $this->setBase('client', 'clients.client', $uuid);
     }
 
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
index e71c4ff5f0..ff303f842c 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
@@ -43,6 +43,12 @@
         <type>text</type>
         <help>Set port the endpoint listens to.</help>
     </field>
+    <field>
+        <id>client.servers</id>
+        <label>Instances</label>
+        <type>select_multiple</type>
+        <help>List of instances this peer belongs to.</help>
+    </field>
     <field>
         <id>client.keepalive</id>
         <label>Keepalive interval</label>
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
index 4c2fe27f0c..3b23f056f5 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
@@ -69,7 +69,6 @@
         <id>server.peers</id>
         <label>Peers</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
         <help>List of peers for this instance.</help>
     </field>
     <field>

From ab9d902df8ddaaaae4c6647a47156cd792405a79 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Nov 2023 08:21:44 +0100
Subject: [PATCH 1633/3088] net/wireguard: UX and wording

---
 .../src/etc/inc/plugins.inc.d/wireguard.inc        |  4 ++--
 .../mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml  |  2 +-
 .../mvc/app/models/OPNsense/Wireguard/Client.xml   |  2 +-
 .../mvc/app/views/OPNsense/Wireguard/general.volt  | 14 ++++++++------
 4 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
index 08f344cd83..e935fa4b50 100644
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -43,7 +43,7 @@ function wireguard_services()
     foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
         if (!empty((string)$node->enabled)) {
             $services[] = [
-                'description' => "Wireguard " . htmlspecialchars($node->name),
+                'description' => 'WireGuard ' . htmlspecialchars($node->name),
                 'configd' => [
                     'start' => ["wireguard start {$key}"],
                     'restart' => ["wireguard restart {$key}"],
@@ -104,7 +104,7 @@ function wireguard_devices()
     foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
         if (!empty((string)$node->enabled)) {
             $names[(string)$node->interface] = [
-                'descr' => sprintf('%s (Wireguard - %s)', (string)$node->interface, (string)$node->name),
+                'descr' => sprintf('%s (WireGuard - %s)', (string)$node->interface, (string)$node->name),
                 'ifdescr' => (string)$node->name,
                 'name' => (string)$node->interface
             ];
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
index 21012db805..94360e7762 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
@@ -1,6 +1,6 @@
 <acl>
    <page-wireguard-config>
-      <name>VPN: Wireguard</name>
+      <name>VPN: WireGuard</name>
       <patterns>
          <pattern>ui/wireguard/*</pattern>
          <pattern>api/wireguard/*</pattern>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
index 2d472d8381..82c24d1d53 100644
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/wireguard/client</mount>
-    <description>Wireguard peer configuration</description>
+    <description>WireGuard peer configuration</description>
     <version>0.0.7</version>
     <items>
         <clients>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
index 2647b46f18..5cc1f6d627 100644
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
@@ -90,14 +90,13 @@
 
 <div class="tab-content content-box tab-content">
     <div id="general" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-        </div>
+        {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
     </div>
     <div id="peers" class="tab-pane fade in">
-        <table id="grid-peers" class="table table-responsive" data-editDialog="dialogEditWireguardClient">
+        <table id="grid-peers" class="table table-condensed table-hover table-striped" data-editDialog="dialogEditWireguardClient">
             <thead>
                 <tr>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
                     <th data-column-id="serveraddress" data-type="string" data-visible="true">{{ lang._('Endpoint address') }}</th>
@@ -114,6 +113,7 @@
                     <td colspan="6"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-fw fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -125,9 +125,10 @@
               <i class="fa fa-fw fa-gear"></i>
             </button>
         </span>
-        <table id="grid-instances" class="table table-responsive" data-editDialog="dialogEditWireguardServer">
+        <table id="grid-instances" class="table table-condensed table-hover table-striped" data-editDialog="dialogEditWireguardServer">
             <thead>
                 <tr>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
                     <th data-column-id="interface" data-type="string" data-visible="true">{{ lang._('Device') }}</th>
@@ -145,6 +146,7 @@
                     <td colspan="7"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-fw fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -159,7 +161,7 @@
             <button class="btn btn-primary" id="reconfigureAct"
                     data-endpoint='/api/wireguard/service/reconfigure'
                     data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring Wireguard') }}"
+                    data-error-title="{{ lang._('Error reconfiguring WireGuard') }}"
                     type="button"
             ></button>
             <br/><br/>

From 82860aadeb0af8318c78affdb7bc908eb6db7cf2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Nov 2023 08:25:11 +0100
Subject: [PATCH 1634/3088] net/wireguard: changelog

---
 net/wireguard/pkg-descr | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index f9c144085d..9b1576529a 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,14 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+2.5
+
+* Fix error with empty tunnel address in instance (contributed by Monviech)
+* Allow instance selection from peer
+* Use "syncconf" on newwanip event
+* CARP event handling improvements
+* Minor UX and woring improvements
+
 2.4
 
 * Only invoke routes for attached WireGuard instances

From 1d4122b5a118a6c923d31b43d75f1364e056586e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Nov 2023 08:27:08 +0100
Subject: [PATCH 1635/3088] misc/theme-cicada: bump revision

---
 misc/theme-cicada/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 0f23fe297c..b6755843b9 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes

From f1c56492b85a859013f746232bf47131555f6282 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 1 Nov 2023 08:27:45 +0100
Subject: [PATCH 1636/3088] security/intrusion-detection-content-et-open: tweak
 description

---
 security/intrusion-detection-content-et-open/pkg-descr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/intrusion-detection-content-et-open/pkg-descr b/security/intrusion-detection-content-et-open/pkg-descr
index ef686238dc..5b7ad62ece 100644
--- a/security/intrusion-detection-content-et-open/pkg-descr
+++ b/security/intrusion-detection-content-et-open/pkg-descr
@@ -1,5 +1,6 @@
 IDS Proofpoint ET open full ruleset to complement ET Pro Telemetry edition.
-This plugin will trigger duplicate rules warnings in suricata logs when selecting the same categories for both ET open and ET Telemetry.
+This plugin will trigger duplicate rules warnings in Suricata logs when
+selecting the same categories for both ET open and ET Telemetry.
 
 LICENSE: https://www.proofpoint.com/us/license
 WWW: https://www.proofpoint.com/us/blog/threat-insight

From a5f7a2773ca18147f8c368fdeb1fb983b41e39c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Nov 2023 09:10:18 +0100
Subject: [PATCH 1637/3088] security/openconnect: support more user name chars;
 closes #3428

---
 security/openconnect/Makefile                 |  2 +-
 security/openconnect/pkg-descr                |  4 ++
 .../models/OPNsense/Openconnect/General.xml   | 24 ++++-----
 .../views/OPNsense/Openconnect/general.volt   | 54 +++++++++----------
 4 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index 6ccfbb0c53..9296d2ffcc 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.4.4
+PLUGIN_VERSION=		1.4.5
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index 77338528ce..9d18d3a10f 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -6,6 +6,10 @@ the Juniper SSL VPN which is now known as Pulse Connect Secure.
 Plugin Changelog
 ================
 
+1.4.5
+
+* Allow ":" and "/" characters in user name
+
 1.4.4
 
 * Improve compatibility via useragent="AnyConnect"
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index 647d9accd3..9b9560a56b 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -4,33 +4,32 @@
     <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <server type="TextField">
-            <default>server</default>
+            <Default>server</Default>
             <Required>Y</Required>
-            <mask>/\S*/</mask>
+            <Mask>/\S*/</Mask>
             <ValidationMessage>Please provide IP or hostname (no spaces allowed).</ValidationMessage>
         </server>
         <user type="TextField">
-            <default>user</default>
+            <Default>user</Default>
             <Required>Y</Required>
-            <mask>/^[a-zA-Z0-9.\@_-]{1,64}$/</mask>
-            <ValidationMessage>Please provide a valid username. Allowed characters are a-zA-Z0-9._-@ and it has to be 1-64 characters long.</ValidationMessage>
+            <Mask>/^[a-zA-Z0-9.\@_\-:\/]{1,64}$/</Mask>
+            <ValidationMessage>Please provide a valid username. Allowed characters are a-zA-Z0-9.@_-:/ and it has to be 1-64 characters long.</ValidationMessage>
         </user>
         <password type="TextField">
-            <default>password</default>
+            <Default>password</Default>
             <Required>Y</Required>
         </password>
         <servercert type="TextField">
             <Required>N</Required>
-            <mask>/^([a-zA-Z0-9\/\+\=]){40,64}$/u</mask>
+            <Mask>/^([a-zA-Z0-9\/\+\=]){40,64}$/u</Mask>
             <ValidationMessage>Please provide a valid hash.</ValidationMessage>
         </servercert>
         <hash type="OptionField">
-            <default>sha256</default>
-            <multiple>N</multiple>
+            <Default>sha256</Default>
             <Required>Y</Required>
                 <OptionValues>
                     <sha256>SHA256</sha256>
@@ -40,7 +39,7 @@
         </hash>
         <group type="TextField">
             <Required>N</Required>
-            <mask>/^[() a-zA-Z0-9._-]{1,64}$/</mask>
+            <Mask>/^[() a-zA-Z0-9._-]{1,64}$/</Mask>
             <ValidationMessage>Please provide a valid group name. Allowed are at most 64 characters from a-zA-Z0-9._-() and space.</ValidationMessage>
         </group>
         <clientcertificate type="CertificateField">
@@ -60,8 +59,7 @@
             <Required>N</Required>
         </tokensecret>
         <protocol type="OptionField">
-            <default>anyconnect</default>
-            <multiple>N</multiple>
+            <Default>anyconnect</Default>
             <Required>Y</Required>
                 <OptionValues>
                     <anyconnect>Cisco AnyConnect</anyconnect>
diff --git a/security/openconnect/src/opnsense/mvc/app/views/OPNsense/Openconnect/general.volt b/security/openconnect/src/opnsense/mvc/app/views/OPNsense/Openconnect/general.volt
index 2f876fdf0f..5faec528a5 100644
--- a/security/openconnect/src/opnsense/mvc/app/views/OPNsense/Openconnect/general.volt
+++ b/security/openconnect/src/opnsense/mvc/app/views/OPNsense/Openconnect/general.volt
@@ -1,35 +1,33 @@
 {#
+ # Copyright (c) 2014-2018 Deciso B.V.
+ # Copyright (c) 2018 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
-OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
-This file is Copyright © 2018 by Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
+    <div class="col-md-12 __mt">
         <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
     </div>
 </div>

From 3881ab12d7f10c4bcc84b905860600134c15f19f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Nov 2023 09:11:13 +0100
Subject: [PATCH 1638/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5cc779f630..5036da85ce 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ security/acme-client -- ACME Client
 security/clamav -- Antivirus engine for detecting malicious threats
 security/crowdsec -- Lightweight and collaborative security engine
 security/etpro-telemetry -- ET Pro Telemetry Edition
-security/intrusion-detection-content-et-open -- IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
+security/intrusion-detection-content-et-open -- IDS Proofpoint full ET open ruleset complementary subset for ET Pro Telemetry edition
 security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (needs a valid subscription)
 security/intrusion-detection-content-pt-open -- IDS PT Research ruleset (only for non-commercial use)
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)

From 69bc636cd5fb8a08597dcd1e1a409a20fcf62434 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Nov 2023 09:14:28 +0100
Subject: [PATCH 1639/3088] security/tor: add rexml; closes #3655

---
 security/tor/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tor/Makefile b/security/tor/Makefile
index b5f01436f0..ba90fb86f0 100644
--- a/security/tor/Makefile
+++ b/security/tor/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		tor
 PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		The Onion Router
-PLUGIN_DEPENDS=		tor ruby
+PLUGIN_DEPENDS=		tor ruby rubygem-rexml
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"

From 8e57555345db9ccf347d3286da14229347f4bf60 Mon Sep 17 00:00:00 2001
From: doktornotor <1075960+doktornotor@users.noreply.github.com>
Date: Mon, 6 Nov 2023 09:21:58 +0100
Subject: [PATCH 1640/3088] [os-bind] #3650 - break-dnssec toggle needed for
 Enable filter-aaaa on IPv4/IPv6 clients (#3651)

If DNSSEC validation is disabled, filter-aaaa-on-v4 or filter-aaaa-on-v6 is set to break-dnssec
instead of yes, then AAAA records will be omitted even if they are signed.

See https://github.com/opnsense/plugins/issues/3650
---
 .../mvc/app/controllers/OPNsense/Bind/forms/general.xml   | 4 ++--
 .../opnsense/service/templates/OPNsense/Bind/named.conf   | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 1a1d8c92a1..52929b3ef0 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -73,13 +73,13 @@
         <id>general.filteraaaav4</id>
         <label>Enable filter-aaaa on IPv4 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv4 Clients</help>
+        <help>This will filter AAAA records on IPv4 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
     </field>
     <field>
         <id>general.filteraaaav6</id>
         <label>Enable filter-aaaa on IPv6 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv6 Clients</help>
+        <help>This will filter AAAA records on IPv6 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
     </field>
     <field>
         <id>general.filteraaaaacl</id>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 6f95e9812b..b92aaf6d50 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -222,10 +222,18 @@ logging {
 {% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' or helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
 plugin query "/usr/local/lib/bind/filter-aaaa.so" {
 {% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' %}
+{%   if OPNsense.bind.general.dnssecvalidation == 'no' %}
+                   filter-aaaa-on-v4 break-dnssec;
+{%   else %}
                    filter-aaaa-on-v4 yes;
+{%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
+{%   if OPNsense.bind.general.dnssecvalidation == 'no' %}
+                   filter-aaaa-on-v6 break-dnssec;
+{%   else %}
                    filter-aaaa-on-v6 yes;
+{%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.filteraaaaacl') and OPNsense.bind.general.filteraaaaacl != '' %}
         filter-aaaa    { {{ OPNsense.bind.general.filteraaaaacl.replace(',', '; ') }}; };

From 9b0f5edf567fa0abbac3ce731d9a6cbcdeb70007 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Nov 2023 14:27:38 +0100
Subject: [PATCH 1641/3088] net-mgmt/nrpe: switch to supported version

---
 net-mgmt/nrpe/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/nrpe/Makefile b/net-mgmt/nrpe/Makefile
index 26c5479963..864ade0cfa 100644
--- a/net-mgmt/nrpe/Makefile
+++ b/net-mgmt/nrpe/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		nrpe
 PLUGIN_VERSION=		1.0
 PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Execute nagios plugins
-PLUGIN_DEPENDS=		nrpe3
+PLUGIN_DEPENDS=		nrpe
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From f6f72bb52427c3bb1b1b8a24f7fe84ed4e0b86a0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 7 Nov 2023 09:21:00 +0100
Subject: [PATCH 1642/3088] dns/ddclient - fix logic issue in
 https://github.com/opnsense/plugins/commit/7c6fccdde0bc12d6521e25c64d49978b65113e28
 (https://github.com/opnsense/plugins/pull/3618)

---
 dns/ddclient/Makefile                                           | 2 +-
 .../src/opnsense/scripts/ddclient/lib/account/dyndns2.py        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index a8952749ea..1be74d80e9 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.16
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient-devel py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
index 975c94770b..d2753255aa 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -98,7 +98,7 @@ def execute(self):
                 }
                 req = requests.get(**req_opts)
 
-            if 200 >= req.status_code < 300:
+            if 200 <= req.status_code < 300:
                 if self.is_verbose:
                     syslog.syslog(
                         syslog.LOG_NOTICE,

From 85e4a256df0936fd4f15dcf23b781c8d078d4994 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 7 Nov 2023 11:10:57 +0100
Subject: [PATCH 1643/3088] dns/ddclient - handle empty response (req.text) in
 dyndns2, for https://github.com/opnsense/plugins/pull/3618

---
 .../src/opnsense/scripts/ddclient/lib/account/dyndns2.py        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
index d2753255aa..f712a3f6f1 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -105,7 +105,7 @@ def execute(self):
                         "Account %s set new ip %s [%s]" % (self.description, self.current_address, req.text.strip())
                     )
 
-                self.update_state(address=self.current_address, status=req.text.split()[0])
+                self.update_state(address=self.current_address, status=req.text.split()[0] if req.text else '')
                 return True
             else:
                 syslog.syslog(

From 7a7b5a5c9ce7144b567684a91ec24b4945e4aa52 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 7 Nov 2023 18:24:51 +0100
Subject: [PATCH 1644/3088] net/wireguard - replace setconf with syncconf in
 service control for more fluent reloading.
 (https://github.com/opnsense/plugins/pull/3358)

---
 net/wireguard/Makefile                                          | 1 +
 .../src/opnsense/scripts/Wireguard/wg-service-control.php       | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index f77b3b923f..f6ce57bbdf 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 2ac781a968..249e6f606a 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -67,7 +67,7 @@ function wg_start($server, $fhandle, $ifcfgflag = 'up')
         mwexecf('/sbin/ifconfig wg create name %s', [$server->interface]);
         mwexecf('/sbin/ifconfig %s group wireguard', [$server->interface]);
     }
-    mwexecf('/usr/bin/wg setconf %s %s', [$server->interface, $server->cnfFilename]);
+    mwexecf('/usr/bin/wg syncconf %s %s', [$server->interface, $server->cnfFilename]);
 
     /* The tunneladdress can be empty, so array_filter without callback filters empty strings out. */
     foreach (array_filter(explode(',', (string)$server->tunneladdress)) as $alias) {

From 57639ea4873e212b1cf528c1d16dc444d62cbaec Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 7 Nov 2023 19:44:37 +0100
Subject: [PATCH 1645/3088] net/wireguard: not released yet

---
 net/wireguard/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index f6ce57bbdf..f77b3b923f 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go

From 77fa2dce42a33523d8889f5cb2974aaca06204a3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 7 Nov 2023 19:48:08 +0100
Subject: [PATCH 1646/3088] net/wireguard: last one

---
 net/wireguard/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 9b1576529a..57bbbedb31 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -19,6 +19,7 @@ Changelog
 2.5
 
 * Fix error with empty tunnel address in instance (contributed by Monviech)
+* Switch "setconf" to "syncconf" on (re)configuration
 * Allow instance selection from peer
 * Use "syncconf" on newwanip event
 * CARP event handling improvements

From 8cab26f71672396204963ef78fe1c5dc499ae2fe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 7 Nov 2023 19:54:33 +0100
Subject: [PATCH 1647/3088] dns/bind: wrap new version

---
 dns/bind/Makefile  | 3 +--
 dns/bind/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index f0efb83354..d5a3705c8d 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.27
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.28
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 2b15382ee7..2eb158b7e7 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.28
+
+* Add break-dnssec toggle when using filter-aaaa on IPv4/IPv6 clients (contributed by doktornotor)
+
 1.27
 
 * Add DNAME support (contributed by Simon Fischer)

From 2e42daed1ce7b621ba1ebdac2c87049d8d46627b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Nov 2023 07:33:19 +0100
Subject: [PATCH 1648/3088] mail/postfix: move to newer postfix version

---
 mail/postfix/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 8ffb1be91d..659bcd8c19 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		postfix
 PLUGIN_VERSION=		1.23
 PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		SMTP mail relay
-PLUGIN_DEPENDS=		postfix35
+PLUGIN_DEPENDS=		postfix
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From 07133a134ae3065df76daf3b27e1461ab0488adc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Nov 2023 09:25:58 +0100
Subject: [PATCH 1649/3088] sysutils/api-backup: update endpoint after
 improvement

---
 README.md                    | 2 +-
 sysutils/api-backup/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5036da85ce..b0d8aec2b3 100644
--- a/README.md
+++ b/README.md
@@ -94,7 +94,7 @@ security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
-sysutils/api-backup -- EoL, core endpoint is /api/core/backup/download (pending removal)
+sysutils/api-backup -- EoL, core endpoint is /api/core/backup/download/this (pending removal)
 sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
diff --git a/sysutils/api-backup/Makefile b/sysutils/api-backup/Makefile
index f4663d3b4b..759fd29cc3 100644
--- a/sysutils/api-backup/Makefile
+++ b/sysutils/api-backup/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		api-backup
 PLUGIN_VERSION=		1.1
 PLUGIN_OBSOLETE=	yes
-PLUGIN_COMMENT=		EoL, core endpoint is /api/core/backup/download
+PLUGIN_COMMENT=		EoL, core endpoint is /api/core/backup/download/this
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"

From 47ccdcc078f7a58432a7cf1350ec9700863416cb Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 10 Nov 2023 18:46:37 +0100
Subject: [PATCH 1650/3088] net/wireguard - minor regression in addClient, not
 adding created uuid. closes https://github.com/opnsense/plugins/issues/3663

---
 net/wireguard/Makefile                                    | 1 +
 .../OPNsense/Wireguard/Api/ClientController.php           | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index f77b3b923f..f6ce57bbdf 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
index 8299f6fe20..90e4ed4c5f 100644
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
+++ b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
@@ -73,6 +73,7 @@ public function delClientAction($uuid)
 
     public function setClientAction($uuid)
     {
+        $add_uuid = null;
         if (!empty($this->request->getPost(static::$internalModelName)) && $this->request->isPost()) {
             $servers = [];
             if (!empty($this->request->getPost(static::$internalModelName)['servers'])) {
@@ -83,6 +84,7 @@ public function setClientAction($uuid)
             if (empty($uuid)) {
                 // add new client, generate uuid
                 $uuid = $mdl->servers->generateUUID();
+                $add_uuid = $uuid;
             }
             foreach ($mdl->servers->server->iterateItems() as $key => $node) {
                 $peers = array_filter(explode(',', (string)$node->peers));
@@ -99,7 +101,11 @@ public function setClientAction($uuid)
              */
             $mdl->serializeToConfig(false, true);
         }
-        return $this->setBase('client', 'clients.client', $uuid);
+        $result = $this->setBase('client', 'clients.client', $uuid);
+        if (!empty($add_uuid) && $result['result'] == 'saved') {
+            $result['uuid'] = $add_uuid;
+        }
+        return $result;
     }
 
     public function toggleClientAction($uuid)

From db616c0f006c8d877ded48bb562154cddc40e3f7 Mon Sep 17 00:00:00 2001
From: macaddict89 <macaddict89@gmail.com>
Date: Sat, 11 Nov 2023 03:23:50 -0500
Subject: [PATCH 1651/3088] Update general.volt (#3665)

security\crowdsec: fixed typo
---
 .../src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index 9a00769330..ed1b89b7dc 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -124,7 +124,7 @@
 
         <p>
             On the Settings tab, you can expose CrowdSec to the LAN for other servers by changing `LAPI listen address`.
-            Otherwise, leave the defualt value.
+            Otherwise, leave the default value.
         </p>
 
         <p>

From 028ee4c65392f6282055b473c7dfcd9ad6f2e02b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 11 Nov 2023 15:43:57 +0100
Subject: [PATCH 1652/3088] remove OpenSSL flavor from bug template
 (https://github.com/opnsense/src/pull/189)

---
 .github/ISSUE_TEMPLATE/bug_report.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index c06ec63b26..b77b481693 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -42,6 +42,6 @@ Add any other context about the problem here.
 Software version used and hardware type if relevant.
 e.g.:
 
-OPNsense 19.1.1 (amd64, OpenSSL).
+OPNsense 23.7.8 (amd64).
 Intel® Xeon™ E3-1225V5 3.3Ghz Quad Core
 Network Intel® I210-AT

From 5bcc4d5410b84625b2378ad0ac037ebf304fd3fa Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 13 Nov 2023 09:53:20 +0100
Subject: [PATCH 1653/3088] net-mgmt/os-nrpe (#3668)

---
 net-mgmt/nrpe/Makefile                                    | 3 +--
 net-mgmt/nrpe/pkg-descr                                   | 7 +++++++
 net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc          | 2 +-
 net-mgmt/nrpe/src/opnsense/scripts/OPNsense/Nrpe/setup.sh | 4 ++--
 .../src/opnsense/service/conf/actions.d/actions_nrpe.conf | 8 ++++----
 .../src/opnsense/service/templates/OPNsense/Nrpe/+TARGETS | 2 +-
 .../src/opnsense/service/templates/OPNsense/Nrpe/nrpe     | 6 +++---
 .../src/opnsense/service/templates/OPNsense/Nrpe/nrpe.cfg | 2 +-
 8 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/net-mgmt/nrpe/Makefile b/net-mgmt/nrpe/Makefile
index 864ade0cfa..abb4f51bd2 100644
--- a/net-mgmt/nrpe/Makefile
+++ b/net-mgmt/nrpe/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nrpe
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Execute nagios plugins
 PLUGIN_DEPENDS=		nrpe
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/nrpe/pkg-descr b/net-mgmt/nrpe/pkg-descr
index 483177b58d..787e80023b 100644
--- a/net-mgmt/nrpe/pkg-descr
+++ b/net-mgmt/nrpe/pkg-descr
@@ -7,3 +7,10 @@ the plugin requests to the remote host. Requires that nrpe be running on the
 remote host (either as a standalone daemon or as a service under inetd).
 
 WWW: http://www.nagios.org/
+
+Plugin Changelog:
+-----------------
+
+1.1
+
+* Make plugin compatbile with nrpe (v4)
diff --git a/net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc b/net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc
index 59a70977d6..e5d1eaed64 100644
--- a/net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc
+++ b/net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc
@@ -47,7 +47,7 @@ function nrpe_services()
             'start' => array('nrpe start'),
             'stop' => array('nrpe stop'),
         ),
-        'name' => 'nrpe3',
+        'name' => 'nrpe',
         'pid' => '/var/run/nrpe.pid'
     );
 
diff --git a/net-mgmt/nrpe/src/opnsense/scripts/OPNsense/Nrpe/setup.sh b/net-mgmt/nrpe/src/opnsense/scripts/OPNsense/Nrpe/setup.sh
index 667c70099d..48665e1408 100755
--- a/net-mgmt/nrpe/src/opnsense/scripts/OPNsense/Nrpe/setup.sh
+++ b/net-mgmt/nrpe/src/opnsense/scripts/OPNsense/Nrpe/setup.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
 
-mkdir -p /var/run/nrpe3
-chown -R nagios:nagios /var/run/nrpe3
+mkdir -p /var/run/nrpe
+chown -R nagios:nagios /var/run/nrpe
diff --git a/net-mgmt/nrpe/src/opnsense/service/conf/actions.d/actions_nrpe.conf b/net-mgmt/nrpe/src/opnsense/service/conf/actions.d/actions_nrpe.conf
index 89b66602a7..d089ece296 100644
--- a/net-mgmt/nrpe/src/opnsense/service/conf/actions.d/actions_nrpe.conf
+++ b/net-mgmt/nrpe/src/opnsense/service/conf/actions.d/actions_nrpe.conf
@@ -1,23 +1,23 @@
 [start]
-command:/usr/local/etc/rc.d/nrpe3 start
+command:/usr/local/etc/rc.d/nrpe start
 parameters:
 type:script
 message:starting nrpe
 
 [stop]
-command:/usr/local/etc/rc.d/nrpe3 stop
+command:/usr/local/etc/rc.d/nrpe stop
 parameters:
 type:script
 message:stopping nrpe
 
 [restart]
-command:/usr/local/etc/rc.d/nrpe3 restart
+command:/usr/local/etc/rc.d/nrpe restart
 parameters:
 type:script
 message:restarting nrpe
 
 [status]
-command:/usr/local/etc/rc.d/nrpe3 status; exit 0
+command:/usr/local/etc/rc.d/nrpe status; exit 0
 parameters:
 type:script_output
 message:request nrpe status
diff --git a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/+TARGETS b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/+TARGETS
index f0f1041965..d3154ecddc 100644
--- a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/+TARGETS
+++ b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/+TARGETS
@@ -1,3 +1,3 @@
-nrpe:/etc/rc.conf.d/nrpe3
+nrpe:/etc/rc.conf.d/nrpe
 nrpe.cfg:/usr/local/etc/nrpe.cfg
 nrpe_commands.cfg:/usr/local/etc/nrpe_commands.cfg
diff --git a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
index dc85ed6ac8..25419b71ff 100644
--- a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
+++ b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe
@@ -1,6 +1,6 @@
 {% if helpers.exists('OPNsense.nrpe.general.enabled') and OPNsense.nrpe.general.enabled == '1' %}
-nrpe3_setup="/usr/local/opnsense/scripts/OPNsense/Nrpe/setup.sh"
-nrpe3_enable="YES"
+nrpe_setup="/usr/local/opnsense/scripts/OPNsense/Nrpe/setup.sh"
+nrpe_enable="YES"
 {% else %}
-nrpe3_enable="NO"
+nrpe_enable="NO"
 {% endif %}
diff --git a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe.cfg b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe.cfg
index 3a439d537d..68c437209c 100644
--- a/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe.cfg
+++ b/net-mgmt/nrpe/src/opnsense/service/templates/OPNsense/Nrpe/nrpe.cfg
@@ -3,7 +3,7 @@
 log_facility=daemon
 log_file=/var/log/nrpe.log
 debug=0
-pid_file=/var/run/nrpe3/nrpe.pid
+pid_file=/var/run/nrpe/nrpe.pid
 nrpe_user=nagios
 nrpe_group=nagios
 

From 2cfee828188ea9b7f33abfc57452a024ea37a310 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Mon, 13 Nov 2023 10:28:32 +0100
Subject: [PATCH 1654/3088] www/c-icap: fix locahost ACL (#3667)

---
 .../opnsense/service/templates/OPNsense/CICAP/c-icap.conf   | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
index 37580540ae..6fe06dbe98 100644
--- a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
+++ b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
@@ -46,7 +46,8 @@ ServerName {{ system.hostname }}
 {%      if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
 RemoteProxyUsers on
 acl AUTH auth *
-icap_access allow AUTH 127.0.0.1
+acl localserver srvip 127.0.0.1   
+icap_access allow AUTH localserver
 {%      else %}
 RemoteProxyUsers off
 {%      endif %}
@@ -61,7 +62,8 @@ RemoteProxyUserHeader {{OPNsense.proxy.forward.icap.UsernameHeader}}
 {% else %}
 RemoteProxyUsers on
 acl AUTH auth *
-icap_access allow AUTH 127.0.0.1
+acl localserver srvip 127.0.0.1   
+icap_access allow AUTH localserver
 RemoteProxyUserHeaderEncoded on
 RemoteProxyUserHeader X-Authenticated-User
 {% endif %}

From 966069f3634d9510ea3c18dcbe8412e478b27c1a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Nov 2023 10:46:14 +0100
Subject: [PATCH 1655/3088] www/c-ipcap: bump revision

---
 www/c-icap/Makefile                                           | 2 +-
 .../src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index 095dfd1622..575fb3e90a 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		c-icap
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
index 6fe06dbe98..27b16b44ef 100644
--- a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
+++ b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
@@ -46,7 +46,7 @@ ServerName {{ system.hostname }}
 {%      if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
 RemoteProxyUsers on
 acl AUTH auth *
-acl localserver srvip 127.0.0.1   
+acl localserver srvip 127.0.0.1
 icap_access allow AUTH localserver
 {%      else %}
 RemoteProxyUsers off
@@ -62,7 +62,7 @@ RemoteProxyUserHeader {{OPNsense.proxy.forward.icap.UsernameHeader}}
 {% else %}
 RemoteProxyUsers on
 acl AUTH auth *
-acl localserver srvip 127.0.0.1   
+acl localserver srvip 127.0.0.1
 icap_access allow AUTH localserver
 RemoteProxyUserHeaderEncoded on
 RemoteProxyUserHeader X-Authenticated-User

From 52de9c3412613819f2e143f035de452aba637ada Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 17 Nov 2023 09:23:34 +0100
Subject: [PATCH 1656/3088] net/frr: Add Adjacency logging (#3675)

---
 net/frr/Makefile                                             | 3 +--
 net/frr/pkg-descr                                            | 4 ++++
 .../mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml       | 5 +++++
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml | 5 +++++
 .../opnsense/service/templates/OPNsense/Quagga/ospfd.conf    | 3 +++
 5 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 8cdba41d58..6edb0abf95 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.36
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.37
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index ba4c220766..71f40d5151 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.37
+
+* Add Adjacency Logging to OSPF
+
 1.36
 
 * Added default-information originate option for OSPFv3
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
index ba766ee930..7a1fb79db0 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
@@ -49,6 +49,11 @@
         <type>dropdown</type>
         <help>Route Map to set for Redistribution.</help>
     </field>
+    <field>
+        <id>ospf.logadjacencychanges</id>
+        <label>Log Adjacency Changes</label>
+        <type>checkbox</type>
+    </field>
     <field>
         <id>ospf.originate</id>
         <label>Advertise Default Gateway</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 22f3cecc4d..cc19aa602f 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -22,10 +22,15 @@
             <MaximumValue>4294967</MaximumValue>
             <ValidationMessage>Must be a number between 1 and 4294967.</ValidationMessage>
         </costreference>
+	<logadjacencychanges type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </logadjacencychanges>
         <originate type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
         </originate>
+	    
         <originatealways type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index 0177496458..91c282218e 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -47,6 +47,9 @@ interface {{ physical_interface(interface.interfacename) }}
 {% endif %}
 !
 router ospf
+{% if helpers.exists('OPNsense.quagga.ospf.logadjacencychanges') and OPNsense.quagga.ospf.logadjacencychanges == '1' %}
+ log-adjacency-changes
+{% endif %}
 {% if helpers.exists('OPNsense.quagga.ospf.costreference') and OPNsense.quagga.ospf.costreference != '' %}
  auto-cost reference-bandwidth {{ OPNsense.quagga.ospf.costreference }}
 {% endif %}

From e8a3897fc254560b55e8d1e9bccf736f9fa2052c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Nov 2023 16:36:34 +0100
Subject: [PATCH 1657/3088] www/squid: add a squid (web proxy) meta port

---
 README.md           | 1 +
 www/squid/Makefile  | 8 ++++++++
 www/squid/pkg-descr | 3 +++
 3 files changed, 12 insertions(+)
 create mode 100644 www/squid/Makefile
 create mode 100644 www/squid/pkg-descr

diff --git a/README.md b/README.md
index b0d8aec2b3..5e39602c7d 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,7 @@ vendor/sunnyvalley -- Vendor Repository for Zenarmor (a.k.a Sensei, Next Generat
 www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
 www/nginx -- Nginx HTTP server and reverse proxy
+www/squid -- Squid is a caching proxy for the web
 www/web-proxy-sso -- Kerberos authentication module
 ```
 
diff --git a/www/squid/Makefile b/www/squid/Makefile
new file mode 100644
index 0000000000..639759f605
--- /dev/null
+++ b/www/squid/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		squid
+PLUGIN_VERSION=		1.0.d
+PLUGIN_COMMENT=		Squid is a caching proxy for the web
+PLUGIN_DEPENDS=		squid squid-langpack
+PLUGIN_TIER=		2
+PLUGIN_MAINTAINER=	franco@opnsense.org
+
+.include "../../Mk/plugins.mk"
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
new file mode 100644
index 0000000000..b725ff7f67
--- /dev/null
+++ b/www/squid/pkg-descr
@@ -0,0 +1,3 @@
+Squid is a fully-featured HTTP, HTTPS, FTP, etc. proxy offering rich access
+control, authorization and logging environment to develop web proxy and
+content serving applications.

From 5a4000d7a7b9948bcafbf7f9c3b46468a2a0283b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Nov 2023 10:14:59 +0100
Subject: [PATCH 1658/3088] dns/ddclient: dnsexit legacy was removed in
 ddclient 3.11.x

---
 dns/ddclient/Makefile                                         | 3 +--
 dns/ddclient/pkg-descr                                        | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml    | 3 +--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 1be74d80e9..567fd84b00 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.16
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.17
 PLUGIN_DEPENDS=		ddclient-devel py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 9c56e6f7c1..f06c77db05 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.17
+
+* Update to ddclient 3.11.1 (dnsexit legacy support removed)
+
 1.16
 
 * Add custom GET/PUT protocols to native backend (contributed by DaCookie4u)
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 62f707d38a..7104462f0c 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -51,8 +51,7 @@
                         <dinahosting>dinahosting</dinahosting>
                         <dnsmadeeasy>DNS Made Easy (digicert)</dnsmadeeasy>
                         <dns-o-matic>DNS-O-Matic</dns-o-matic>
-                        <dnsexit2>DNSExit API</dnsexit2>
-                        <dnsexit>DNSExit Legacy</dnsexit>
+                        <dnsexit2>DNSExit</dnsexit2>
                         <dyndns2>DynDNS.com</dyndns2>
                         <dnspark>DnsPark</dnspark>
                         <dslreports1>DSLReports</dslreports1>

From c65c6532ac08fc0c3ee9b06fe89e05017ba10631 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Nov 2023 16:47:50 +0100
Subject: [PATCH 1659/3088] Framework: ignore missing src for meta packages

---
 Mk/plugins.mk | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 5fa657dad6..ff75a2d42e 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -204,7 +204,7 @@ scripts-post:
 
 install: check
 	@mkdir -p ${DESTDIR}${LOCALBASE}/opnsense/version
-	@(cd ${.CURDIR}/src; find * -type f) | while read FILE; do \
+	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
 		tar -C ${.CURDIR}/src -cpf - $${FILE} | \
 		    tar -C ${DESTDIR}${LOCALBASE} -xpf -; \
 		if [ "$${FILE%%.in}" != "$${FILE}" ]; then \
@@ -215,7 +215,7 @@ install: check
 	@cat ${TEMPLATESDIR}/version | sed ${SED_REPLACE} > "${DESTDIR}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
 
 plist: check
-	@(cd ${.CURDIR}/src; find * -type f) | while read FILE; do \
+	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
 		if [ -f "$${FILE}.in" ]; then continue; fi; \
 		FILE="$${FILE%%.in}"; \
 		echo ${LOCALBASE}/$${FILE}; \
@@ -235,16 +235,16 @@ metadata: check
 	@${MAKE} DESTDIR=${DESTDIR} plist > ${DESTDIR}/plist
 
 collect: check
-	@(cd ${.CURDIR}/src; find * -type f) | while read FILE; do \
+	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
 		tar -C ${DESTDIR}${LOCALBASE} -cpf - $${FILE} | \
 		    tar -C ${.CURDIR}/src -xpf -; \
 	done
 
 remove: check
-	@(cd ${.CURDIR}/src; find * -type f) | while read FILE; do \
+	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
 		rm -f ${DESTDIR}${LOCALBASE}/$${FILE}; \
 	done
-	@(cd ${.CURDIR}/src; find * -type d -depth) | while read DIR; do \
+	@(cd ${.CURDIR}/src 2> /dev/null && find * -type d -depth) | while read DIR; do \
 		if [ -d ${DESTDIR}${LOCALBASE}/$${DIR} ]; then \
 			rmdir ${DESTDIR}${LOCALBASE}/$${DIR} 2> /dev/null || true; \
 		fi; \

From cad482687a9734bf3a765b9d36165840a0face85 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Nov 2023 17:04:05 +0100
Subject: [PATCH 1660/3088] net/frr: lint

---
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index cc19aa602f..5db827fdd7 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -30,7 +30,6 @@
             <default>0</default>
             <Required>Y</Required>
         </originate>
-	    
         <originatealways type="BooleanField">
             <default>0</default>
             <Required>Y</Required>

From 0dec112d17303b80ec35e64730ca5d4672462be4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Nov 2023 07:44:15 +0100
Subject: [PATCH 1661/3088] net/frr: forgot version bump

---
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 5db827fdd7..924ac3cdaf 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/ospf</mount>
     <description>OSPF Routing configuration</description>
-    <version>1.0.4</version>
+    <version>1.0.5</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>

From 8da84037c2228e00ab66fc9beba4c5b6d06bbe4a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Nov 2023 11:00:20 +0100
Subject: [PATCH 1662/3088] net/upnp: add newwanip hook

This could potentially disrupt operation for no apparent reason
since this wasn't included and asked for for a long time now.

PR: https://forum.opnsense.org/index.php?topic=36912.0
---
 net/upnp/Makefile                                | 2 +-
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 6be3288b4e..b43908434a 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index bc667ab016..411c57f66b 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -88,7 +88,10 @@ function miniupnpd_stop()
 
 function miniupnpd_configure()
 {
-    return ['bootup' => ['miniupnpd_configure_do']];
+    return [
+        'bootup' => ['miniupnpd_configure_do'],
+        'newwanip' => ['miniupnpd_configure_do'],
+    ];
 }
 
 function miniupnpd_uuid()

From 837b403b7a71f872105eed2a84c9eefee99f0548 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Nov 2023 14:32:02 +0100
Subject: [PATCH 1663/3088] net/wireguard-go: pull all names into device
 registration after core change

PR: https://forum.opnsense.org/index.php?topic=37189.0
---
 net/wireguard-go/Makefile                     |  2 +-
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 27 ++++++++++++-------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/net/wireguard-go/Makefile b/net/wireguard-go/Makefile
index 9be4130ce7..e2fda10612 100644
--- a/net/wireguard-go/Makefile
+++ b/net/wireguard-go/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard-go
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	7
+PLUGIN_REVISION=	8
 PLUGIN_COMMENT=		WireGuard VPN service Go implementation
 PLUGIN_CONFLICTS=	wireguard
 PLUGIN_OBSOLETE=	yes
diff --git a/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
index cc1e49ee8d..7cc6f8bc2b 100644
--- a/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -50,11 +50,6 @@ function wireguard_services()
         'name' => 'wireguard-go',
     ];
 
-    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
-        $service['name'] = 'wireguard';
-        $service['nocheck'] = true;
-    }
-
     $services[] = $service;
 
     return $services;
@@ -89,14 +84,26 @@ function wireguard_xmlrpc_sync()
     $result['description'] = gettext('WireGuard');
     $result['services'] = ['wireguard-go'];
 
-    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
-        $result['services'] = ['wireguard'];
-    }
-
     return [$result];
 }
 
 function wireguard_devices()
 {
-    return [['pattern' => '^wg', 'volatile' => true]];
+    $names = [];
+    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
+        if (!empty((string)$node->enabled)) {
+            $names[(string)$node->interface] = [
+                'descr' => sprintf('%s (WireGuard - %s)', (string)$node->interface, (string)$node->name),
+                'ifdescr' => (string)$node->name,
+                'name' => (string)$node->interface
+            ];
+        }
+    }
+    return [[
+        'configurable' => false,
+        'pattern' => '^wg',
+        'type' => 'wireguard',
+        'volatile' => true,
+        'names' => $names,
+    ]];
 }

From 2c2644e54e873474948509ec0b84382bcd0f273a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Nov 2023 14:48:26 +0100
Subject: [PATCH 1664/3088] net/wireguard: $node->interface doesn't exist yet

---
 net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
index 7cc6f8bc2b..ad234adcfd 100644
--- a/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -92,10 +92,11 @@ function wireguard_devices()
     $names = [];
     foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
         if (!empty((string)$node->enabled)) {
-            $names[(string)$node->interface] = [
-                'descr' => sprintf('%s (WireGuard - %s)', (string)$node->interface, (string)$node->name),
+            $device = 'wg' . $node->instance;
+            $names[$device] = [
+                'descr' => sprintf('%s (WireGuard - %s)', $device, (string)$node->name),
                 'ifdescr' => (string)$node->name,
-                'name' => (string)$node->interface
+                'name' => $device,
             ];
         }
     }

From aba4bd20e8a6d9c297c90fd8f832041342205ab8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Nov 2023 10:04:38 +0100
Subject: [PATCH 1665/3088] dns/ddclient: moving back to FreeBSD port

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 567fd84b00..f21eeef035 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.17
-PLUGIN_DEPENDS=		ddclient-devel py${PLUGIN_PYTHON}-boto3
+PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From 0e0ff854dbbdba8ea57b6d190acc7b66a9d57605 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Nov 2023 11:36:06 +0100
Subject: [PATCH 1666/3088] dns/ddclient: more changes for a full 1.18; also
 closes #3685

---
 dns/ddclient/Makefile                                      | 2 +-
 dns/ddclient/pkg-descr                                     | 6 ++++++
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml | 6 ++----
 dns/ddclient/src/opnsense/scripts/ddclient/setup.sh        | 5 +++++
 .../opnsense/service/conf/actions.d/actions_ddclient.conf  | 7 ++-----
 .../templates/OPNsense/ddclient/ddclient_opn.rc.conf.d     | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/rc.conf.d | 1 +
 7 files changed, 18 insertions(+), 10 deletions(-)
 create mode 100755 dns/ddclient/src/opnsense/scripts/ddclient/setup.sh

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f21eeef035..b01fe14d4d 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.17
+PLUGIN_VERSION=		1.18
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index f06c77db05..434055d291 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,12 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.18
+
+* Update to ddclient 3.11.2 FreeBSD ports version
+* Default to native backend for new installs
+* Fix permission of ddclient.json
+
 1.17
 
 * Update to ddclient 3.11.1 (dnsexit legacy support removed)
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 7104462f0c..a3ae3beae5 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -1,9 +1,7 @@
 <model>
     <mount>//OPNsense/DynDNS</mount>
     <version>1.5.1</version>
-    <description>
-        Dynamic DNS client
-    </description>
+    <description>Dynamic DNS client</description>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -26,7 +24,7 @@
             </daemon_delay>
             <backend type="OptionField">
                 <Required>Y</Required>
-                <Default>ddclient</Default>
+                <Default>opnsense</Default>
                 <ValidationMessage>A backend is required.</ValidationMessage>
                 <OptionValues>
                     <ddclient>ddclient</ddclient>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/setup.sh b/dns/ddclient/src/opnsense/scripts/ddclient/setup.sh
new file mode 100755
index 0000000000..7cf7b8d4ad
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/setup.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+for CONF in /usr/local/etc/ddclient.conf /usr/local/etc/ddclient.json; do
+	chmod 0600 ${CONF}
+done
diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
index ce63a7ef8d..8500bfa483 100644
--- a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -1,7 +1,6 @@
 [start]
 command:
-    chmod 600 /usr/local/etc/ddclient.conf;
-    /usr/local/etc/rc.d/ddclient start ;
+    /usr/local/etc/rc.d/ddclient start;
     /usr/local/etc/rc.d/ddclient_opn start
 type:script
 message:starting ddclient
@@ -18,9 +17,8 @@ message:get ddclient status
 
 [restart]
 command:
-    chmod 600 /usr/local/etc/ddclient.conf;
     pkill -F /var/run/ddclient.pid 2> /dev/null;
-    /usr/local/etc/rc.d/ddclient restart ;
+    /usr/local/etc/rc.d/ddclient restart;
     /usr/local/etc/rc.d/ddclient_opn restart
 type:script
 message:restarting ddclient
@@ -28,7 +26,6 @@ description:Restart ddclient service
 
 [force]
 command:
-    chmod 600 /usr/local/etc/ddclient.conf;
     rm /var/tmp/ddclient_opn.status 2>/dev/null;
     /usr/local/etc/rc.d/ddclient_opn restart 2>/dev/null;
     /usr/local/sbin/ddclient -force
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d
index df8079f834..b6a9cf0140 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient_opn.rc.conf.d
@@ -1,5 +1,6 @@
 {% if not helpers.empty('OPNsense.DynDNS.general.enabled') and OPNsense.DynDNS.general.backend == 'opnsense' %}
 ddclient_opn_enable="YES"
+ddclient_opn_setup="/usr/local/opnsense/scripts/ddclient/setup.sh"
 {% else %}
 ddclient_opn_enable="NO"
 {% endif %}
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
index dae5683f0f..ecb315a717 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/rc.conf.d
@@ -1,5 +1,6 @@
 {% if not helpers.empty('OPNsense.DynDNS.general.enabled') and OPNsense.DynDNS.general.backend == 'ddclient' %}
 ddclient_enable="YES"
+ddclient_setup="/usr/local/opnsense/scripts/ddclient/setup.sh"
 ddclient_flags="-daemon {{OPNsense.DynDNS.general.daemon_delay|default('300')}}"
 {% else %}
 ddclient_enable="NO"

From 0b70e35c8c1e07c0b04ad9a1719b0c7e13131564 Mon Sep 17 00:00:00 2001
From: Stephan de Wit <stephan.de.wit@deciso.com>
Date: Wed, 29 Nov 2023 09:54:20 +0100
Subject: [PATCH 1667/3088] dec-hw: dual power supply status for Deciso
 appliances (#3687)

- API endpoint to query the current power supply status
- small dashboard widget
---
 sysutils/dec-hw/+POST_INSTALL                 |  1 +
 sysutils/dec-hw/Makefile                      |  8 ++
 sysutils/dec-hw/pkg-descr                     |  4 +
 .../src/etc/rc.syshook.d/early/30-powerstat   | 13 +++
 .../OPNsense/dechw/Api/InfoController.php     | 57 +++++++++++
 .../src/opnsense/scripts/dec-hw/powerstat     | 15 +++
 .../service/conf/actions.d/actions_dechw.conf |  5 +
 .../dec-hw/src/www/widgets/include/dechw.inc  |  3 +
 .../src/www/widgets/widgets/dechw.widget.php  | 94 +++++++++++++++++++
 9 files changed, 200 insertions(+)
 create mode 100644 sysutils/dec-hw/+POST_INSTALL
 create mode 100644 sysutils/dec-hw/Makefile
 create mode 100644 sysutils/dec-hw/pkg-descr
 create mode 100755 sysutils/dec-hw/src/etc/rc.syshook.d/early/30-powerstat
 create mode 100644 sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
 create mode 100755 sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat
 create mode 100644 sysutils/dec-hw/src/opnsense/service/conf/actions.d/actions_dechw.conf
 create mode 100644 sysutils/dec-hw/src/www/widgets/include/dechw.inc
 create mode 100644 sysutils/dec-hw/src/www/widgets/widgets/dechw.widget.php

diff --git a/sysutils/dec-hw/+POST_INSTALL b/sysutils/dec-hw/+POST_INSTALL
new file mode 100644
index 0000000000..a9ba080244
--- /dev/null
+++ b/sysutils/dec-hw/+POST_INSTALL
@@ -0,0 +1 @@
+/usr/local/etc/rc.syshook.d/early/30-powerstat
diff --git a/sysutils/dec-hw/Makefile b/sysutils/dec-hw/Makefile
new file mode 100644
index 0000000000..326b548953
--- /dev/null
+++ b/sysutils/dec-hw/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		dec-hw
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		Deciso Hardware specific information
+PLUGIN_MAINTAINER=	stephan.de.wit@deciso.com
+PLUGIN_TIER=		2
+
+.include "../../Mk/plugins.mk"
+
diff --git a/sysutils/dec-hw/pkg-descr b/sysutils/dec-hw/pkg-descr
new file mode 100644
index 0000000000..c8f40a55ed
--- /dev/null
+++ b/sysutils/dec-hw/pkg-descr
@@ -0,0 +1,4 @@
+This package allows fetching the current power status for Deciso
+appliances with dual power supplies via an API call and includes a simple
+dashboard widget.
+
diff --git a/sysutils/dec-hw/src/etc/rc.syshook.d/early/30-powerstat b/sysutils/dec-hw/src/etc/rc.syshook.d/early/30-powerstat
new file mode 100755
index 0000000000..df63a9fc32
--- /dev/null
+++ b/sysutils/dec-hw/src/etc/rc.syshook.d/early/30-powerstat
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+AMDGPIO="/boot/kernel/amdgpio.ko"
+
+if [ ! -e "$AMDGPIO" ]; then
+    echo "Error: amdpgio kernel module missing"
+    logger -t "dec-hw" "Error: amdpgio kernel module missing"
+	exit 1
+fi
+
+kldload "$AMDGPIO" 2>&1
+
+exit 0
diff --git a/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php b/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
new file mode 100644
index 0000000000..9581cc1012
--- /dev/null
+++ b/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\dechw\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\Core\Backend;
+
+class InfoController extends ApiControllerBase
+{
+    public function powerStatusAction()
+    {
+        $result = [
+            "status" => "failed",
+            "status_translated" => gettext("Power status could not be fetched. 
+                This widget is only applicable to Deciso hardware with dual power supplies.")
+        ];
+        $status = parse_ini_string((new Backend())->configdRun('dechw power'));
+
+        if (!empty($status)) {
+            $result["status"] = "OK";
+            unset($result["status_translated"]);
+
+            foreach (['pwr1', 'pwr2'] as $key) {
+                $result[$key . '_translated'] = $status[$key] === '1' ? gettext('On') : gettext('Off');
+            }
+            $result = array_merge($result, $status);
+        }
+
+        return $result; 
+    }
+}
diff --git a/sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat b/sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat
new file mode 100755
index 0000000000..08773e4513
--- /dev/null
+++ b/sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+GPIOC="/dev/gpioc0"
+
+if [ ! -e "$GPIOC" ]; then
+	logger -t "dec-hw" "Error: GPIO device does not exist, exiting."
+	exit 0
+fi
+
+i=1
+for PIN in 4 5; do
+	STATUS=$(gpioctl -f "$GPIOC" "$PIN")
+	printf "pwr%d=%d\n" "$i" "$STATUS"
+	i=$((i + 1)) 
+done
diff --git a/sysutils/dec-hw/src/opnsense/service/conf/actions.d/actions_dechw.conf b/sysutils/dec-hw/src/opnsense/service/conf/actions.d/actions_dechw.conf
new file mode 100644
index 0000000000..7483a404db
--- /dev/null
+++ b/sysutils/dec-hw/src/opnsense/service/conf/actions.d/actions_dechw.conf
@@ -0,0 +1,5 @@
+[power]
+command:/usr/local/opnsense/scripts/dec-hw/powerstat
+parameters:
+type:script_output
+message:Deciso PWR LED state
diff --git a/sysutils/dec-hw/src/www/widgets/include/dechw.inc b/sysutils/dec-hw/src/www/widgets/include/dechw.inc
new file mode 100644
index 0000000000..64b6114020
--- /dev/null
+++ b/sysutils/dec-hw/src/www/widgets/include/dechw.inc
@@ -0,0 +1,3 @@
+<?php
+
+$dechw_title = gettext('Deciso Hardware Information');
diff --git a/sysutils/dec-hw/src/www/widgets/widgets/dechw.widget.php b/sysutils/dec-hw/src/www/widgets/widgets/dechw.widget.php
new file mode 100644
index 0000000000..61ee170ec2
--- /dev/null
+++ b/sysutils/dec-hw/src/www/widgets/widgets/dechw.widget.php
@@ -0,0 +1,94 @@
+<?php
+
+/**
+ *    Copyright (C) 2023 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+?>
+
+<script>
+    $(document).ready(function() {
+        ajaxGet('/api/dechw/info/powerStatus', {}, function(data, status) {
+            if (data['status'] === 'failed') {
+                $('#status').html(data['status_translated']);
+                $('.pwr-container').hide();
+                return;
+            }
+
+            ['pwr1', 'pwr2'].forEach(function(key) {
+                let status = data[key];
+                let status_translated = data[key + '_translated'];
+                let $power = $('<span data-toggle="tooltip" title=""></span>').addClass('power fa fa-power-off fa-lg');
+                $power.css('color', status === '1' ? 'blue' : 'red');
+                $power.attr('title', status_translated);
+                $('#'+key).append($power);
+            })
+
+            $(".circle").tooltip({container: 'body', trigger: 'hover'});
+        });
+    });
+</script>
+
+<style>
+    #status {
+        margin: 10px;
+    }
+
+    .power {
+      margin: 5px;
+      float: right;
+    }
+
+    .power:hover {
+      opacity: 0.5;
+    }
+
+    .pwr-container {
+      margin: 5px;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+    }
+
+    .data-item {
+      padding: 10px;
+      border: 1px solid #ddd;
+      margin: 5px;
+      width: 50%;
+      display: inline-block;
+    }
+</style>
+
+<div id="status"></div>
+<div class="pwr-container">
+    <div id="pwr1" class="data-item">
+        <strong><?=gettext("Power Supply 1");?></strong>
+    </div>
+    <div id="pwr2" class="data-item">
+        <strong><?=gettext("Power Supply 2");?></strong>
+    </div>
+</div>

From 7b94f91a5f3c99b907db8cad38e99141ea9f8f3a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Nov 2023 10:30:50 +0100
Subject: [PATCH 1668/3088] net/wireguard: add a filter reload if something was
 reconfigured

PR: https://forum.opnsense.org/index.php?topic=37248.0
---
 net/wireguard/Makefile                                        | 2 +-
 net/wireguard/pkg-descr                                       | 2 ++
 .../src/opnsense/scripts/Wireguard/wg-service-control.php     | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index f6ce57bbdf..ab8782ab78 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 57bbbedb31..0d5c694c16 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -20,6 +20,8 @@ Changelog
 
 * Fix error with empty tunnel address in instance (contributed by Monviech)
 * Switch "setconf" to "syncconf" on (re)configuration
+* Fix regression of UUID return in setClientAction()
+* Reload the packet filter after reconfiguration
 * Allow instance selection from peer
 * Use "syncconf" on newwanip event
 * CARP event handling improvements
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 249e6f606a..0e09a98a60 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -294,5 +294,9 @@ function get_stat_hash($fhandle)
             }
         }
     }
+
+    if (count($server_devs)) {
+        configd_run('filter reload'); /* XXX required for NAT rules, but needs coalescing */
+    }
 }
 closelog();

From 88673948cd8cb09ce40df3fcb4350d151ab778fc Mon Sep 17 00:00:00 2001
From: Pierre Christen <404111+netadvanced@users.noreply.github.com>
Date: Thu, 30 Nov 2023 07:26:06 +0100
Subject: [PATCH 1669/3088] [net-mgmt/telegraf] Fixed #3633 + additional UI
 cleanup (#3652)

---
 .../OPNsense/Telegraf/forms/output.xml        | 80 +++++++++++++++----
 .../app/models/OPNsense/Telegraf/Input.xml    |  2 +-
 .../app/models/OPNsense/Telegraf/Output.xml   | 70 +++++++++++-----
 .../templates/OPNsense/Telegraf/telegraf.conf | 35 +++++---
 4 files changed, 143 insertions(+), 44 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 9b17933184..4f085287fb 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -1,4 +1,8 @@
 <form>
+    <field>
+        <label>InfluxDB</label>
+        <type>header</type>
+    </field>
     <field>
         <id>output.influx_enable</id>
         <label>Enable Influx Output</label>
@@ -41,6 +45,10 @@
         <type>checkbox</type>
         <help>This will skip chain and host verification.</help>
     </field>
+    <field>
+        <label>InfluxDB v2</label>
+        <type>header</type>
+    </field>
     <field>
         <id>output.influx_v2_enable</id>
         <label>Enable Influx v2 Output</label>
@@ -83,6 +91,10 @@
         <type>text</type>
         <help>Flush timeout for the v2 Telegraf output in seconds, formatted as a string. If not provided, will default to 5. 0 means no timeout, but is not recommended. Increase if you get timeout errors.</help>
     </field>
+    <field>
+        <label>Graphite</label>
+        <type>header</type>
+    </field>
     <field>
         <id>output.graphite_enable</id>
         <label>Enable Graphite Output</label>
@@ -125,6 +137,10 @@
         <type>checkbox</type>
         <help>This will enable support for tags.</help>
     </field>
+    <field>
+        <label>Graylog</label>
+        <type>header</type>
+    </field>
     <field>
         <id>output.graylog_enable</id>
         <label>Enable Graylog Output</label>
@@ -137,6 +153,10 @@
         <type>text</type>
         <help>Set the IP and port where metrics shoud be sent to.</help>
     </field>
+    <field>
+        <label>Elasticsearch</label>
+        <type>header</type>
+    </field>
     <field>
         <id>output.elastic_enable</id>
         <label>Enable Elasticsearch Output</label>
@@ -155,7 +175,7 @@
         <type>text</type>
         <help>Optional HTTP basic authentication details for Elasticsearch.</help>
     </field>
-        <field>
+    <field>
         <id>output.elastic_password</id>
         <label>Elasticsearch Password</label>
         <type>text</type>
@@ -173,6 +193,10 @@
         <type>text</type>
         <help>Set the index name.</help>
     </field>
+    <field>
+        <label>Prometheus</label>
+        <type>header</type>
+    </field>
     <field>
         <id>output.prometheus_enable</id>
         <label>Enable Prometheus Output</label>
@@ -197,6 +221,10 @@
         <type>checkbox</type>
         <help>Send string metrics as Prometheus labels.</help>
     </field>
+    <field>
+        <label>Datadog</label>
+        <type>header</type>
+    </field>
     <field>
         <id>output.datadog_enable</id>
         <label>Enable Datadog Output</label>
@@ -215,6 +243,10 @@
         <type>text</type>
         <help>Set the API Key for accessing Datadog.</help>
     </field>
+    <field>
+        <label>MQTT</label>
+        <type>header</type>
+    </field>
     <field>
         <id>output.mqtt_enable</id>
         <label>Enable MQTT</label>
@@ -223,21 +255,41 @@
     </field>
     <field>
         <id>output.mqtt_topic_prefix</id>
-        <label>MQTT topic</label>
+        <label>MQTT Topic Prefix</label>
         <type>text</type>
-        <help>Topic for producer messages.</help>
+        <help>MQTT Topic Prefix - Will be overidden by the Topic if defined below.</help>
+    </field>
+    <field>
+        <id>output.mqtt_topic</id>
+        <label>MQTT Topic</label>
+        <type>text</type>
+        <help>MQTT Topic for produced messages. if left blank, will default to [ mqtt_topic_prefix/{{ .Hostname }}/{{ .PluginName }} ]</help>
     </field>
     <field>
         <id>output.mqtt_servers</id>
         <label>MQTT brokers</label>
-        <type>text</type>
-        <help>URLs of mqtt brokers. Format is without square brackets, just like localhost:8083.</help>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>URL of MQTT brokers. Format is without square brackets, just like localhost:8083 or mqtts://server.net:8883. The same credentials will be used when defining multiple brokers.</help>
+    </field>
+    <field>
+        <id>output.mqtt_insecure_skip_verify</id>
+        <label>Skip TLS verification</label>
+        <type>checkbox</type>
+        <help>Use TLS, but skip chain and host verification.</help>
     </field>
     <field>
         <id>output.mqtt_qos</id>
         <label>MQTT QoS</label>
-        <type>text</type>
-        <help>QoS policy for messages. 0 = at most once, 1 = at least once, 2 = exactly once. Defaults to 2. </help>
+        <type>dropdown</type>
+        <help>QoS policy for messages. 0 = at most once, 1 = at least once, 2 = exactly once. Defaults to 2.</help>
+    </field>
+    <field>
+        <id>output.mqtt_retain</id>
+        <label>MQTT Retain</label>
+        <type>checkbox</type>
+        <help>When selected, metrics will have the RETAIN flag set.</help>
     </field>
     <field>
         <id>output.mqtt_username</id>
@@ -261,18 +313,18 @@
         <id>output.mqtt_timeout</id>
         <label>MQTT Timeout</label>
         <type>text</type>
-        <help>Timeout for write operations. Default is 5s. </help>
+        <help>Timeout for write operations. Default is 5s.</help>
     </field>
     <field>
-        <id>output.mqtt_insecure_skip_verify</id>
-        <label>MQTT Client ID</label>
-        <type>checkbox</type>
-        <help>Use TLS, but skip chain and host verification.</help>
+        <id>output.mqtt_layout</id>
+        <label>MQTT Layout</label>
+        <type>dropdown</type>
+        <help>Data layout to output. Defaults to "non-batch".</help>
     </field>
     <field>
-        <id>output.mqtt_format</id>
+        <id>output.mqtt_data_format</id>
         <label>MQTT Format</label>
-        <type>text</type>
+        <type>dropdown</type>
         <help>Data format to output. Defaults to "influx".</help>
     </field>
 </form>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index 95e8efdf82..51b8e4645d 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -35,7 +35,7 @@
             <default>1</default>
             <Required>N</Required>
         </diskio>
-       <internet_speed type="BooleanField">
+        <internet_speed type="BooleanField">
             <default>0</default>
             <Required>N</Required>
         </internet_speed>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index baee0a02a7..634145ed9a 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/telegraf/output</mount>
     <description>Telegraf outputs configuration</description>
-    <version>1.4.3</version>
+    <version>1.4.5</version>
     <items>
         <influx_enable type="BooleanField">
             <default>0</default>
@@ -147,25 +147,42 @@
             <default></default>
             <Required>N</Required>
             <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
-            <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
+            <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen are allowed. Do not use more than 128 characters.</ValidationMessage>
         </mqtt_topic_prefix>
-        <mqtt_servers type="TextField">
+        <mqtt_topic type="TextField">
             <default></default>
             <Required>N</Required>
+            <mask>/^([0-9a-zA-Z._\-\/{}]){1,200}$/u</mask>
+            <ValidationMessage>Only characters, numbers, a dot, underscore, hyphen, slash and curly braces are allowed. Do not use more than 200 characters.</ValidationMessage>
+        </mqtt_topic>
+        <mqtt_servers type="CSVListField">
+            <Required>N</Required>
+            <AsList>Y</AsList>
+            <FieldSeparator>,</FieldSeparator>
         </mqtt_servers>
+        <mqtt_insecure_skip_verify type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </mqtt_insecure_skip_verify>
         <mqtt_client_id type="TextField">
             <default></default>
             <Required>N</Required>
             <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
         </mqtt_client_id>
-        <mqtt_qos type="IntegerField">
+        <mqtt_qos type="OptionField">
+            <default>2</default>
+            <Required>Y</Required>
+            <OptionValues>
+                <qos0 value="0">(0) At most once</qos0>
+                <qos1 value="1">(1) At least once</qos1>
+                <qos2 value="2">(2) Exactly once</qos2>
+            </OptionValues>
+        </mqtt_qos>
+        <mqtt_retain type="BooleanField">
             <default></default>
             <Required>N</Required>
-            <MinimumValue>0</MinimumValue>
-            <MaximumValue>2</MaximumValue>
-            <ValidationMessage>Allowed values are 0-2</ValidationMessage>
-        </mqtt_qos>
+        </mqtt_retain>
         <mqtt_timeout type="IntegerField">
             <default>5</default>
             <Required>N</Required>
@@ -180,15 +197,32 @@
             <default></default>
             <Required>N</Required>
         </mqtt_password>
-        <mqtt_insecure_skip_verify type="BooleanField">
-            <default>0</default>
-            <Required>N</Required>
-        </mqtt_insecure_skip_verify>
-        <mqtt_format type="TextField">
-            <default></default>
-            <Required>N</Required>
-            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
-            <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
-        </mqtt_format>
+        <mqtt_layout type="OptionField">
+            <default>non-batch</default>
+            <Required>Y</Required>
+            <OptionValues>
+                <non-batch>(non-batch) send individual messages, one for each metric</non-batch>
+                <batch>(batch) send all metric as a single message per MQTT topic</batch>
+                <field >(field) send individual messages for each field</field>
+            </OptionValues>
+        </mqtt_layout>
+        <mqtt_data_format type="OptionField">
+            <default>influx</default>
+            <Required>Y</Required>
+            <OptionValues>
+                <carbon2>Carbon2</carbon2>
+                <cloudevents>CloudEvents</cloudevents>
+                <csv>CSV</csv>
+                <graphite>Graphite</graphite>
+                <influx>Influx</influx>
+                <json>Json</json>
+                <msgpack>MsgPack</msgpack>
+                <nowmetric>NowMetric</nowmetric>
+                <prometheus>Prometheus</prometheus>
+                <prometheusremotewrite>PrometheusRemoteWrite</prometheusremotewrite>
+                <splunkmetric>SplunkMetric</splunkmetric>
+                <wavefront>Wavefront</wavefront>
+            </OptionValues>
+        </mqtt_data_format>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 355eb96a95..a0ac2ca8be 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -1,7 +1,6 @@
 {% if helpers.exists('OPNsense.telegraf.general.enabled') and OPNsense.telegraf.general.enabled == '1' %}
 
 [global_tags]
-
 {% if helpers.exists('OPNsense.telegraf.key.keys.key') %}
 {%   for key_list in helpers.toList('OPNsense.telegraf.key.keys.key') %}
 {%     if key_list.enabled == '1' %}
@@ -94,13 +93,24 @@
 {% if helpers.exists('OPNsense.telegraf.output.mqtt_enable') and OPNsense.telegraf.output.mqtt_enable == '1' %}
 [[outputs.mqtt]]
 {%   if helpers.exists('OPNsense.telegraf.output.mqtt_servers') and OPNsense.telegraf.output.mqtt_servers != '' %}
-  servers = ["{{ OPNsense.telegraf.output.mqtt_servers }}"]
+  servers = [{{ '"' + ('","'.join(OPNsense.telegraf.output.mqtt_servers.split(","))) + '"' }}]
 {%   endif %}
-{%   if helpers.exists('OPNsense.telegraf.output.mqtt_topic_prefix') and OPNsense.telegraf.output.mqtt_topic_prefix != '' %}
-  topic_prefix = "{{ OPNsense.telegraf.output.mqtt_topic_prefix }}"
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_topic') and OPNsense.telegraf.output.mqtt_topic != '' %}
+  topic = "{{ OPNsense.telegraf.output.mqtt_topic }}"
+{%   else %}
+{%     if helpers.exists('OPNsense.telegraf.output.mqtt_topic_prefix') and OPNsense.telegraf.output.mqtt_topic_prefix != '' %}
+  topic = "{{ OPNsense.telegraf.output.mqtt_topic_prefix + '/{{ .Hostname }}/{{ .PluginName }}' }}"
+{%     else %}
+  topic = "{{ 'telegraf/{{ .Hostname }}/{{ .PluginName }}' }}"
+{%     endif %}
 {%   endif %}
 {%   if helpers.exists('OPNsense.telegraf.output.mqtt_qos') and OPNsense.telegraf.output.mqtt_qos != '' %}
-  topic_prefix = "{{ OPNsense.telegraf.output.mqtt_qos }}"
+  qos = {{ OPNsense.telegraf.output.mqtt_qos }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_retain') and OPNsense.telegraf.output.mqtt_retain == '1' %}
+  retain = true
+{%   else %}
+  retain = false
 {%   endif %}
 {%   if helpers.exists('OPNsense.telegraf.output.mqtt_client_id') and OPNsense.telegraf.output.mqtt_client_id != '' %}
   client_id = "{{ OPNsense.telegraf.output.mqtt_client_id }}"
@@ -111,14 +121,17 @@
 {%   if helpers.exists('OPNsense.telegraf.output.mqtt_username') and OPNsense.telegraf.output.mqtt_username != '' %}
   username = "{{ OPNsense.telegraf.output.mqtt_username }}"
 {%   endif %}
-{% if helpers.exists('OPNsense.telegraf.output.mqtt_password') and OPNsense.telegraf.output.mqtt_password != '' %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_password') and OPNsense.telegraf.output.mqtt_password != '' %}
   password = "{{ OPNsense.telegraf.output.mqtt_password }}"
 {%   endif %}
-{% if helpers.exists('OPNsense.telegraf.output.mqtt_insecure_skip_verify') and OPNsense.telegraf.output.mqtt_insecure_skip_verify == '1' %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_insecure_skip_verify') and OPNsense.telegraf.output.mqtt_insecure_skip_verify == '1' %}
   insecure_skip_verify = true
 {%   else %}
   insecure_skip_verify = false
 {%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.mqtt_layout') and OPNsense.telegraf.output.mqtt_layout != '' %}
+  layout = "{{ OPNsense.telegraf.output.mqtt_layout }}"
+{%   endif %}
 {%   if helpers.exists('OPNsense.telegraf.output.mqtt_data_format') and OPNsense.telegraf.output.mqtt_data_format != '' %}
   data_format = "{{ OPNsense.telegraf.output.mqtt_data_format }}"
 {%   endif %}
@@ -333,10 +346,10 @@
 
 {% if helpers.exists('OPNsense.telegraf.input.unbound') and OPNsense.telegraf.input.unbound == '1' %}
 [[inputs.unbound]]
-   binary = "/usr/local/sbin/unbound-control"
-   config_file = "/var/unbound/unbound.conf"
-   thread_as_tag = true
-   timeout = "5s"
+  binary = "/usr/local/sbin/unbound-control"
+  config_file = "/var/unbound/unbound.conf"
+  thread_as_tag = true
+  timeout = "5s"
 {% endif %}
 
 {% if helpers.exists('OPNsense.telegraf.input.apcupsd') and OPNsense.telegraf.input.apcupsd == '1' %}

From 766804aa08af1c4edadaf77a9884f00dca1d0b7b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 30 Nov 2023 07:55:32 +0100
Subject: [PATCH 1670/3088] net-mgmt/telegraf: bump version and changelog

---
 net-mgmt/telegraf/Makefile  | 2 +-
 net-mgmt/telegraf/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 9704c0c8f9..c9cc2cfb21 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.9
+PLUGIN_VERSION=		1.12.10
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 190772affe..2d83a444a1 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.10
+
+* Fix MQTT output and additional UI cleanup (contributed by Pierre Christen)
+
 1.12.9
 
 * Add MQTT output

From 1ee95029f0ee47aa71174958e4b06c7d88264dc6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 30 Nov 2023 08:11:33 +0100
Subject: [PATCH 1671/3088] sysutils/dec-hw: style sweep

---
 sysutils/dec-hw/Makefile                                      | 1 -
 sysutils/dec-hw/pkg-descr                                     | 1 -
 .../mvc/app/controllers/OPNsense/dechw/Api/InfoController.php | 4 ++--
 sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat         | 2 +-
 4 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/sysutils/dec-hw/Makefile b/sysutils/dec-hw/Makefile
index 326b548953..5ac268775e 100644
--- a/sysutils/dec-hw/Makefile
+++ b/sysutils/dec-hw/Makefile
@@ -5,4 +5,3 @@ PLUGIN_MAINTAINER=	stephan.de.wit@deciso.com
 PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
-
diff --git a/sysutils/dec-hw/pkg-descr b/sysutils/dec-hw/pkg-descr
index c8f40a55ed..30378c6218 100644
--- a/sysutils/dec-hw/pkg-descr
+++ b/sysutils/dec-hw/pkg-descr
@@ -1,4 +1,3 @@
 This package allows fetching the current power status for Deciso
 appliances with dual power supplies via an API call and includes a simple
 dashboard widget.
-
diff --git a/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php b/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
index 9581cc1012..ad0393ba4f 100644
--- a/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
+++ b/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
@@ -37,7 +37,7 @@ public function powerStatusAction()
     {
         $result = [
             "status" => "failed",
-            "status_translated" => gettext("Power status could not be fetched. 
+            "status_translated" => gettext("Power status could not be fetched.
                 This widget is only applicable to Deciso hardware with dual power supplies.")
         ];
         $status = parse_ini_string((new Backend())->configdRun('dechw power'));
@@ -52,6 +52,6 @@ public function powerStatusAction()
             $result = array_merge($result, $status);
         }
 
-        return $result; 
+        return $result;
     }
 }
diff --git a/sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat b/sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat
index 08773e4513..81c24a015f 100755
--- a/sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat
+++ b/sysutils/dec-hw/src/opnsense/scripts/dec-hw/powerstat
@@ -11,5 +11,5 @@ i=1
 for PIN in 4 5; do
 	STATUS=$(gpioctl -f "$GPIOC" "$PIN")
 	printf "pwr%d=%d\n" "$i" "$STATUS"
-	i=$((i + 1)) 
+	i=$((i + 1))
 done

From 111564a35eb240d3a27e6dd6d15ac4cdde8d0ef2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 30 Nov 2023 08:40:05 +0100
Subject: [PATCH 1672/3088] README: sync

---
 README.md                | 1 +
 sysutils/dec-hw/Makefile | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5e39602c7d..5da2442d40 100644
--- a/README.md
+++ b/README.md
@@ -96,6 +96,7 @@ security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
 sysutils/api-backup -- EoL, core endpoint is /api/core/backup/download/this (pending removal)
 sysutils/apuled -- PC Engine APU LED control (development only)
+sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
diff --git a/sysutils/dec-hw/Makefile b/sysutils/dec-hw/Makefile
index 5ac268775e..e605779641 100644
--- a/sysutils/dec-hw/Makefile
+++ b/sysutils/dec-hw/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dec-hw
 PLUGIN_VERSION=		1.0
-PLUGIN_COMMENT=		Deciso Hardware specific information
+PLUGIN_COMMENT=		Deciso hardware specific information
 PLUGIN_MAINTAINER=	stephan.de.wit@deciso.com
 PLUGIN_TIER=		2
 

From 6b4680f58fb2c889a9e87a8c188b8b0ff78f3e0d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 5 Dec 2023 23:17:58 +0100
Subject: [PATCH 1673/3088] net/haproxy: fix typo in cert sync script

---
 net/haproxy/pkg-descr                                          | 3 +++
 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 22d70bfaea..def41ade07 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,9 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+Fixed:
+* fix typo in cert sync script
+
 4.1
 
 Fixed:
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index cf8ac67975..f4932a0cdb 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -357,7 +357,7 @@ def sync(self):
                     for message in cert['messages']:
                         print("    " + repr(message))
 
-            for cert in sync['delete']:
+            for cert in sync['deleted']:
                 print(f"\n  DEL: {cert['cert']}")
                 for message in cert['messages']:
                     print("    " + repr(message))

From 13ab16cd96dda236c9e4c6481e6b09662e8f2179 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 5 Dec 2023 23:23:53 +0100
Subject: [PATCH 1674/3088] net/haproxy: replace bundled haproxyctl library

The bundled library is a modified version of haproxyctl:
https://github.com/neurogeek/haproxyctl

Now a proper fork was created:
https://github.com/markt-de/haproxy-cli

The FreeBSD port is pending approval:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275562
---
 net/haproxy/Makefile                          |   2 +-
 net/haproxy/pkg-descr                         |   3 +
 .../OPNsense/HAProxy/lib/haproxy/__init__.py  |   3 -
 .../OPNsense/HAProxy/lib/haproxy/cmds.py      | 335 ------------------
 .../OPNsense/HAProxy/lib/haproxy/conn.py      |  83 -----
 .../OPNsense/HAProxy/lib/haproxy/const.py     |   7 -
 .../HAProxy/lib/haproxy/tests/__init__.py     |   0
 .../HAProxy/lib/haproxy/tests/test_cmds.py    | 291 ---------------
 .../HAProxy/lib/haproxy/tests/test_conn.py    |  59 ---
 .../scripts/OPNsense/HAProxy/socketCommand.py |   1 -
 .../scripts/OPNsense/HAProxy/syncCerts.py     |   1 -
 11 files changed, 4 insertions(+), 781 deletions(-)
 delete mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py
 delete mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
 delete mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
 delete mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py
 delete mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py
 delete mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
 delete mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 49233c6f06..95013f8e1b 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.1
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy26
+PLUGIN_DEPENDS=		haproxy26 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index def41ade07..2681b9f8d8 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,6 +9,9 @@ Plugin Changelog
 Fixed:
 * fix typo in cert sync script
 
+Changed:
+* replace bundled haproxyctl library with haproxy-cli
+
 4.1
 
 Fixed:
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py
deleted file mode 100755
index c7f37eafa1..0000000000
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-"""haproxy lib for socket commands.
-Based on: https://github.com/neurogeek/haproxyctl"""
-__version__ = "1.0"
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
deleted file mode 100755
index 733daf113b..0000000000
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/cmds.py
+++ /dev/null
@@ -1,335 +0,0 @@
-"""cmds.py - Implementations of the different HAProxy commands"""
-import re
-import csv
-import json
-from collections import OrderedDict
-from io import StringIO
-
-class Cmd():
-    """Cmd - Command base class"""
-    req_args = []
-    args = {}
-    cmdTxt = ""
-    helpTxt = ""
-
-    # pylint: disable=unused-argument
-    def __init__(self, *args, **kwargs):
-        """Argument to the command are given in kwargs only. We ignore *args."""
-        self.args = kwargs
-        valid_kwargs = [k for (k, v) in kwargs.items() if v is not None]
-
-        if not all([a in valid_kwargs for a in self.req_args]):
-            raise Exception(f"Wrong number of arguments. Required arguments are: {self.WhatArgs()}")
-
-    def WhatArgs(self):
-        """Returns a formatted string of arguments to this command."""
-        return ",".join(self.req_args)
-
-    @classmethod
-    def getHelp(cls):
-        """Get formatted help string for this command."""
-        txtArgs = ",".join(cls.req_args)
-
-        if not txtArgs:
-            txtArgs = "None"
-        return " ".join((cls.helpTxt, "Arguments: %s" % txtArgs))
-
-    def getCmd(self):
-        """Gets the command line for this command.
-        The default behavior is to apply the args dict to cmdTxt
-        """
-        return self.cmdTxt % self.args
-
-    def getBootstrapOutput(self, resObj):
-        """ Returns results gathered from HAProxy as jquery bootstrap output """
-        args = {
-            "rows": resObj,
-            "page": int(self.args['page']) if self.args['page'] != None else 1,
-            "page_rows": int(self.args['page_rows']) if self.args['page_rows'] != None else len(rows),
-            "search": self.args['search'],
-            "sort_col": self.args['sort_col'] if self.args['sort_col'] else 'id',
-            "sort_dir": self.args['sort_dir'],
-        }
-        rows = args['rows']
-        # search
-        if args['search']:
-            filtered_rows = []
-            for row in rows:
-                def inner(row):
-                    for k, v in row.items():
-                        if args['search'] in v:
-                            return row
-                    return None
-
-                match = inner(row)
-                if match:
-                    filtered_rows.append(match)
-            rows = filtered_rows
-
-        # sort
-        rows.sort(key=lambda k: k[args['sort_col']], reverse=True if args['sort_dir'] == 'desc' else False)
-
-        # pager
-        total = len(rows)
-        pages = [rows[i:i + args['page_rows']] for i in range(0, total, args['page_rows'])]
-        if pages and (args['page'] > len(pages) or args['page'] < 1):
-            raise KeyError(f"Current page {args['page']} does not exist. Available pages: {len(pages)}")
-        page = pages[args['page'] - 1] if pages else []
-
-        return json.dumps({
-            "rows": page,
-            "total": total,
-            "rowCount": args['page_rows'],
-            "current": args['page']
-        })
-
-    def getJsonOutput(self, resObj):
-        """Returns results gathered from HAProxy as json"""
-        return json.dumps(resObj)
-
-    def getResult(self, res):
-        """Returns raw results gathered from HAProxy"""
-        if res == '\n':
-            res = None
-
-        if self.args['output'] == 'json':
-            return self.getJsonOutput(self.getResultObj(res))
-
-        if self.args['output'] == 'bootstrap':
-            return self.getBootstrapOutput(self.getResultObj(res))
-
-        return res
-
-    def getResultObj(self, res):
-        """Returns refined output from HAProxy, packed inside a Python obj i.e. a dict()"""
-        return res
-
-class setServerAgent(Cmd):
-    cmdTxt = "set server %(backend)s/%(server)s agent %(value)s\r\n"
-    req_args = ['backend', 'server', 'value']
-    helpTxt = "Force a server's agent to a new state."
-
-class setServerHealth(Cmd):
-    cmdTxt = "set server %(backend)s/%(server)s health %(value)s\r\n"
-    req_args = ['backend', 'server', 'value']
-    helpTxt = "Force a server's health to a new state."
-
-class setServerState(Cmd):
-    cmdTxt = "set server %(backend)s/%(server)s state %(value)s\r\n"
-    req_args = ['backend', 'server', 'value']
-    helpTxt = "Force a server's administrative state to a new state."
-
-class setServerWeight(Cmd):
-    cmdTxt = "set server %(backend)s/%(server)s weight %(value)s\r\n"
-    req_args = ['backend', 'server', 'value']
-    helpTxt = "Force a server's weight to a new state."
-
-class showSslCrtLists(Cmd):
-    cmdTxt = "show ssl crt-list\r\n"
-    helpTxt = "Show the list of crt-lists."
-
-    def getResultObj(self, res):
-        result = { "crt_lists": []}
-        for line in res.split("\n"):
-            if line.startswith('/'):
-                result["crt_lists"].append(line)
-        return result
-
-class showSslCrtList(Cmd):
-    cmdTxt = "show ssl crt-list -n %(crt_list)s\r\n"
-    req_args = ['crt_list']
-    helpTxt = "Show the the content of a crt-list."
-
-    def getResultObj(self, res):
-        result = {}
-        list_id = None
-        for line in res.split("\n"):
-            if line.startswith('# '):
-                list_id = line.split("# ")[1]
-                result["certs"] = []
-
-            if list_id and line.startswith('/'):
-                result["certs"].append(line)
-
-        if result:
-           return result
-
-        return {"error": res.strip()}
-
-class showSslCerts(Cmd):
-    cmdTxt = "show ssl cert\r\n"
-    helpTxt = "Display the SSL certificates used in memory."
-
-    def getResultObj(self, res):
-        result = {
-            "transaction": [],
-            "filename": []
-        }
-        for line in res.split("\n"):
-            if line.startswith('*'):
-                result['transaction'].append(line)
-            elif line.startswith('/'):
-                result['filename'].append(line)
-        return result
-
-class showSslCert(Cmd):
-    cmdTxt = "show ssl cert %(certfile)s\r\n"
-    req_args = ['certfile']
-    helpTxt = "Display the details of a SSL certificate used in memory."
-
-    def getResultObj(self, res):
-        result = {}
-        cert_id = None
-        for line in res.split("\n"):
-            if line:
-                key = line.split(":")[0]
-                val = line.split(":")[1].strip()
-
-                if key == 'Filename':
-                    cert_id = val
-
-                if cert_id:
-                    result[key] = val
-
-        if result:
-            return result
-
-        return {"error": res.strip()}
-
-class addToSslCrtList(Cmd):
-    cmdTxt = "add ssl crt-list %(crt_list)s %(certfile)s\r\n"
-    req_args = ['crt_list', 'certfile']
-    helpTxt = "Add a ssl cert to a crt-list."
-
-class delFromSslCrtList(Cmd):
-    cmdTxt = "del ssl crt-list %(crt_list)s %(certfile)s\r\n"
-    req_args = ['crt_list', 'certfile']
-    helpTxt = "Delete a ssl cert from a crt-list."
-
-class newSslCrt(Cmd):
-    """" Create an empty slot for the certificate in HAProxy’s memory """
-    cmdTxt = "new ssl cert %(certfile)s\r\n"
-    req_args = ['certfile']
-    helpTxt = "Create a new certificate file to be used in a crt-list or a directory."
-
-class updateSslCrt(Cmd):
-    """" Begin a transaction to upload the certificate into a slot in HAProxy’s memory """
-    cmdTxt = "set ssl cert %(certfile)s <<\n%(payload)s\r\n"
-    req_args = ['certfile', 'payload']
-    helpTxt = "Replace a certificate file."
-
-class delSslCrt(Cmd):
-    """" Begin a transaction to remove the certificate from a slot in HAProxy’s memory """
-    cmdTxt = "del ssl cert %(certfile)s\r\n"
-    req_args = ['certfile']
-    helpTxt = "Delete delete an unused certificate file."
-
-class commitSslCrt(Cmd):
-    """ Commit the transaction so HAProxy detects the change. """
-    cmdTxt = "commit ssl cert %(certfile)s\r\n"
-    req_args = ['certfile']
-    helpTxt = "Commit a certificate file."
-
-class abortSslCrt(Cmd):
-    cmdTxt = "abort ssl cert %(certfile)s\r\n"
-    req_args = ['certfile']
-    helpTxt = "Abort a transaction for a certificate file."
-
-class showFBEnds(Cmd):
-    """Base class for getting a listing Frontends and Backends"""
-    switch = ""
-    cmdTxt = "show stat\r\n"
-
-    def getResult(self, res):
-        return "\n".join(self._getResult(res))
-
-    def getResultObj(self, res):
-        return self._getResult(res)
-
-    def _getResult(self, res):
-        """Show Frontend/Backends. To do this, we extract info from
-           the stat command and filter out by a specific
-           switch (FRONTEND/BACKEND)"""
-
-        if not self.switch:
-            raise Exception("No action specified")
-
-        result = []
-        lines = res.split('\n')
-        cl = re.compile("^[^,].+," + self.switch.upper() + ",.*$")
-
-        for e in lines:
-            me = re.match(cl, e)
-            if me:
-                print(e)
-                result.append(e.split(",")[0])
-        return result
-
-class showFrontends(showFBEnds):
-    """Show frontends command."""
-    switch = "frontend"
-    helpTxt = "List all Frontends."
-
-class showBackends(showFBEnds):
-    """Show backends command."""
-    switch = "backend"
-    helpTxt = "List all Backends."
-
-class showInfo(Cmd):
-    """Show info HAProxy command"""
-    cmdTxt = "show info\r\n"
-    helpTxt = "Show info on HAProxy instance."
-
-    def getResultObj(self, res):
-        resDict = {}
-        for line in res.split('\n'):
-            k, v = line.split(':')
-            resDict[k] = v
-
-        return resDict
-
-class showSessions(Cmd):
-    """Show sess HAProxy command"""
-    cmdTxt = "show sess\r\n"
-    helpTxt = "Show HAProxy sessions."
-
-    def getResultObj(self, res):
-        return res.split('\n')
-
-class baseStat(Cmd):
-    """Base class for stats commands."""
-
-    def getDict(self, res):
-        # clean response
-        res = re.sub(r'^# ', '', res, re.MULTILINE)
-        res = re.sub(r',\n', '\n', res, re.MULTILINE)
-        res = re.sub(r',\n\n', '\n', res, re.MULTILINE)
-
-        csv_string = StringIO(res)
-        return csv.DictReader(csv_string, delimiter=',')
-
-class showServers(baseStat):
-    """Show all servers. If backend is given, show only servers for this backend. """
-    cmdTxt = "show stat\r\n"
-    helpTxt = "Lists all servers. Filter for servers in backend, if set."
-
-    def getResultObj(self, res):
-        servers = []
-
-        reader = self.getDict(res)
-        for row in reader:
-            row = OrderedDict(row)
-            # show only server
-            if row['svname'] in ['BACKEND', 'FRONTEND']:
-                continue
-
-            # filter server for given backend
-            if self.args['backend'] and row['pxname'] != self.args['backend']:
-                continue
-
-            # add id
-            row['id'] = f"{row['pxname']}/{row['svname']}"
-            row.move_to_end('id', last=False)
-            servers.append(dict(row))
-
-        return servers
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
deleted file mode 100755
index 0c38673c16..0000000000
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/conn.py
+++ /dev/null
@@ -1,83 +0,0 @@
-# pylint: disable=locally-disabled, too-few-public-methods, no-self-use, invalid-name
-"""conn.py - Connection module."""
-import re
-from socket import socket, AF_INET, AF_UNIX, SOCK_STREAM
-from haproxy import const
-
-class HapError(Exception):
-    """Generic exception for haproxyctl."""
-    pass
-
-class HaPConn(object):
-    """HAProxy Socket object.
-       This class abstract the socket interface so
-       commands can be sent to HAProxy and results received and
-       parse by the command objects"""
-
-    def __init__(self, sfile, socket_module=socket):
-        """Initializes an HAProxy and opens a connection to it
-           (sfile, type) -> Path for the UNIX socket"""
-
-        self.sock = None
-        sfile = sfile.strip()
-        stype = AF_UNIX
-        self.socket_module = socket_module
-
-        mobj = re.match(
-            '(?P<proto>unix://|tcp://)(?P<addr>[^:]+):*(?P<port>[0-9]*)$', sfile)
-
-        if mobj:
-            proto = mobj.groupdict().get('proto', None)
-            addr = mobj.groupdict().get('addr', None)
-            port = mobj.groupdict().get('port', '')
-
-            if not addr or not proto:
-                raise HapError('Could not determine type of socket.')
-
-            if proto == const.HAP_TCP_PATH:
-                if not port:
-                    raise HapError('When using a tcp socket, a port is needed.')
-                stype = AF_INET
-                sfile = (addr, int(port))
-
-            if proto == const.HAP_UNIX_PATH:
-                stype = AF_UNIX
-                sfile = addr
-
-        # Fallback should be sfile/AF_UNIX by default
-        self.sfile = (sfile, stype)
-        self.open()
-
-    def open(self):
-        """Opens a connection for the socket.
-           This function should only be called if
-           self.closed() method was called"""
-
-        sfile, stype = self.sfile
-        self.sock = self.socket_module(stype, SOCK_STREAM)
-        self.sock.connect(sfile)
-
-    def sendCmd(self, cmd, objectify=False):
-        """Receives a command obj and sends it to the socket. Receives the output and passes it
-           through the command to parse it.
-           objectify -> Return an object instead of plain text"""
-
-        res = ""
-        try:
-            self.sock.send(cmd.getCmd())
-        except TypeError:
-            self.sock.send(bytearray(cmd.getCmd(), 'ASCII'))
-        output = self.sock.recv(const.HAP_BUFSIZE)
-
-        while output:
-            res += output.decode('UTF-8')
-            output = self.sock.recv(const.HAP_BUFSIZE)
-
-        if objectify:
-            return cmd.getResultObj(res)
-
-        return cmd.getResult(res)
-
-    def close(self):
-        """Closes the socket"""
-        self.sock.close()
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py
deleted file mode 100755
index ebd60d8c89..0000000000
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/const.py
+++ /dev/null
@@ -1,7 +0,0 @@
-"""const.py - Constants for haproxyctl."""
-HAP_OK = 1
-HAP_ERR = 2
-HAP_SOCK_ERR = 3
-HAP_BUFSIZE = 8192
-HAP_UNIX_PATH = 'unix://'
-HAP_TCP_PATH = 'tcp://'
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/__init__.py
deleted file mode 100755
index e69de29bb2..0000000000
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
deleted file mode 100755
index 3277871636..0000000000
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_cmds.py
+++ /dev/null
@@ -1,291 +0,0 @@
-# pylint: disable=star-args, locally-disabled, too-few-public-methods, no-self-use, invalid-name
-"""test_cmds.py - Unittests related to command implementations."""
-import sys, os, unittest
-
-sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..'))
-from haproxy import cmds
-
-
-class TestCommands(unittest.TestCase):
-    """Tests all of the  commands."""
-
-    def setUp(self):
-        self.maxDiff = None
-        self.pem_cert_content = """
-        -----BEGIN CERTIFICATE-----
-        MIIGNjCCBR6gAwIBAgITAPoWnilNUBNcAb8iJ2dgK1eXeTANBgkqhkiG9w0BAQsF
-        ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0yMTAyMDMw
-        ODQ2MTBaFw0yMTA1MDQwODQ2MTBaMBoxGDAWBgNVBAMTD3Rlc3QuYW5kZW1hbi5k
-        ZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL7DSlOfRdoKZdX825O4
-        Q+uEN85NYR/SJtSLDfaaRebanbDzxp90PEIHCqZyf0q7Zz5eF6qd2ycldtJSVk8b
-        lVOyJjPIOLUrUAeF6I07b/AOBO/8DU9G3lARSOQkPmC80ahGAW3F1eaccf08qncW
-        CGxKKXmeL9mbAsA4k6+6pIq8YRBqMCE2bkRQ/scAa8pL7ms5hceONWfqjHC12zIp
-        yavvnfNVZ6z7QlwHEh3Rajk1IaHLyE7+9+oQ3zXqFtM6sBvXlvVhwsizgkH3ZodN
-        81ycvHoP1MWqHGHX0klREQ9qRrHuSuqHsjJHX8gtbqI2Z9DVOUUEunbIkImTwqYj
-        e5tp7g4RQJUgAdsauyN02NTdeUeci+JDvA3FHJpAtA7tDXIeNcyPjRho17i4VUIc
-        Yasu5JDF0iSPDT/Srxt6EsDntDFDco1HXMsFqUhMbY2+gUWC3P0n98VWSO+BCtAd
-        Fbc4+N3QEM8RnQKI86WHR/vnVDoigOhALupXa6czjLGMjaSLDI0nyJ5M81r8ZuBZ
-        Wu2Q6HTikNmoWl3w6x+9WvY6TQd9OpCjQUu13UMVAco8CGEOj0ZqhhLTccX8dxPK
-        /01bXMtFRivJfe6vML+O0N54JbI5caXmaEdcEuazAVJWt1ZPGFTMjiw/O0S6Hb0V
-        YJKXqjJs9t95O5MpL9W4YvGxAgMBAAGjggJrMIICZzAOBgNVHQ8BAf8EBAMCBaAw
-        HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
-        VR0OBBYEFHQLXiD/GxQD11ocGiFauejS5RRmMB8GA1UdIwQYMBaAFMDMA0a5WCDM
-        XHJw8+EuyyCm9Wg6MHcGCCsGAQUFBwEBBGswaTAyBggrBgEFBQcwAYYmaHR0cDov
-        L29jc3Auc3RnLWludC14MS5sZXRzZW5jcnlwdC5vcmcwMwYIKwYBBQUHMAKGJ2h0
-        dHA6Ly9jZXJ0LnN0Zy1pbnQteDEubGV0c2VuY3J5cHQub3JnLzAaBgNVHREEEzAR
-        gg90ZXN0LmFuZGVtYW4uZGUwTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC
-        3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcw
-        ggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQAW6GnB0ZXq18P4lxrj8HYB94zhtp0x
-        qFIYtoN/MagVCAAAAXdnSPbpAAAEAwBGMEQCICAST5iJD7DVrcKRvu9rvNVVnkOW
-        hAYUgihWr/1Gu6VdAiAcRcZYBP0hIHmFExM9ehJ+J7YmqM35SyiC7s0chsNdHQB2
-        AN2ZNPyl5ySAyVZofYE0mQhJskn3tWnYx7yrP1zB825kAAABd2dI+N0AAAQDAEcw
-        RQIgaaUndm8O3+nCl5OHTf6rOdi9VF9szVckdgDargdWKkgCIQCAjW4UvuMIv4Bt
-        c6auowPcpdqHjL8XRcztJA3XUGRGHTANBgkqhkiG9w0BAQsFAAOCAQEABza4/ocY
-        J/XwN8PP+Ane7fVerqL7mRfhzJhxz4mbCPfv4Drq3kUu9fnhR/vaGgdaNdnO83a9
-        PUBCm6FCPMcVwX0uKDJ9J4Xj+SVjnVu4+7uhS5LyygtaegoBZyMb5ppxWH1n5r47
-        10ug+KptERFf1datb8/jsEVF7rYCtPXBygjfGAbGuCxViakr4BNcOBPNL+MusfvP
-        qpH8kEyPAIwHX02XvvpLTy77qiyTpQSuFOusOJptNNqBUeBehqpf8FHn01fnKkcW
-        pKmFJ2e2VSnTZIBJvD58HMR+WNAEp7tHffHk2z/mPPtdRdxW5Zieoe5+6+HDtwgG
-        +VCAIWMkC36Dvg==
-        -----END CERTIFICATE-----
-
-        -----BEGIN RSA PRIVATE KEY-----
-        MIIJKgIBAAKCAgEAvsNKU59F2gpl1fzbk7hD64Q3zk1hH9Im1IsN9ppF5tqdsPPG
-        n3Q8QgcKpnJ/SrtnPl4Xqp3bJyV20lJWTxuVU7ImM8g4tStQB4XojTtv8A4E7/wN
-        T0beUBFI5CQ+YLzRqEYBbcXV5pxx/TyqdxYIbEopeZ4v2ZsCwDiTr7qkirxhEGow
-        ITZuRFD+xwBrykvuazmFx441Z+qMcLXbMinJq++d81VnrPtCXAcSHdFqOTUhocvI
-        Tv736hDfNeoW0zqwG9eW9WHCyLOCQfdmh03zXJy8eg/UxaocYdfSSVERD2pGse5K
-        6oeyMkdfyC1uojZn0NU5RQS6dsiQiZPCpiN7m2nuDhFAlSAB2xq7I3TY1N15R5yL
-        4kO8DcUcmkC0Du0Nch41zI+NGGjXuLhVQhxhqy7kkMXSJI8NP9KvG3oSwOe0MUNy
-        jUdcywWpSExtjb6BRYLc/Sf3xVZI74EK0B0Vtzj43dAQzxGdAojzpYdH++dUOiKA
-        6EAu6ldrpzOMsYyNpIsMjSfInkzzWvxm4Fla7ZDodOKQ2ahaXfDrH71a9jpNB306
-        kKNBS7XdQxUByjwIYQ6PRmqGEtNxxfx3E8r/TVtcy0VGK8l97q8wv47Q3nglsjlx
-        peZoR1wS5rMBUla3Vk8YVMyOLD87RLodvRVgkpeqMmz233k7kykv1bhi8bECAwEA
-        AQKCAgEAswbSPXJPetahRdcdNyAKVgBq4ykJinSOTpAF1bZo/cOTlFrjwAe0+X5k
-        R1tTDQ6dURG7AjtNTgrB3Za6O1m2paqeYaB5X8U7QSQx4EG0xsRRa+vPjeQDhX8D
-        OmCtTdpGpLa2Zo/xM5EFBVUm4cYCt6ZOED4dyAnK5hzytUvjWfR6343Yh4LurxyY
-        TqidgGgMZALDA0n54wFjNe/lu8kt5Ddns9MmDlhrqbRVEzjSiMfNPWvjHAf7IGcf
-        JBkBvNDqL+b/XGCYDgUxrLkDNt44E2VhGOi8lZkVM9n5FyeGbEIgAKKTGlGpMbh8
-        MoA4wPFwMrO5IIXUfN+zjfnnBkZsnAomGQYDh/hrsQPwU7MoyfO0Wzw+RzLWK8JH
-        EnjR7O/Lgh+A2AdLhCLiRC5td2uuJ2yLRIRUlcQPsCsYnCCL6Ip9IwK1idmQySGw
-        bG83decXNSJUv5h3qF6f3fl+JPrHnAbviBzEJ67xAf1MdHbFxwYvRFVfEHj9RZ3W
-        z+cw7ofD8XVHTfXn0XipvYqI/bVsitMXI35pOt+/ZV8rjJlXopw+IV6U9/60cBkk
-        BXC7ONDyH2pNwxPbRgcLm2sEK0L9qhxRzCj0iD1WyOAiFJX4ytVbJhR7pt0goiun
-        i2XDh2l8hoK1lKZNS/yJ+VhnbX595mdqScmIXD8utlgK8f0bLfECggEBAORXimSK
-        gzegnsBjieTtzC6MmRRxxN46vnMZ2LCeLMxhs3vM7LBcBfsQYqbt/FVFtYBRpr+d
-        TGTmfPXqKuSqbtAbghxAMo/lECXzALa0nQSsz1fFhX8B7slFarsDmmCb1GmXF/kG
-        ku/Uoa7jmY3htBj5rjVHjDKPZFVetU+2wbuwlU17Bj4nlSzqud4NMlu56pm3FZ/1
-        BAhMxm3z6dLnOgqJzpN1QmKZHNkjLmi8fza/HQM5pP3DpQcPiyuLzywGIqHaO1qT
-        OIdpZfLEvNpMV7bJ2bagv5nX3TVRWWsBkh0HCAuH30qqaVPpQvkPem1zsM3x+D5q
-        +PhMIPGpbQiUyCUCggEBANXefd0ZcJymG15WJyO44eFwzgMz9ezfdB8INa+vCOiZ
-        Y7FtYDgEKu4uzBxtMjO4mQO6DCkfi7JwTJFN4ag3dJEJNGmrf7Xe84IAImJQk0Of
-        BojAXCFAuNf1Xl3prkvnvtzNirwQMHCUbv5wYzOqglgj2i/hjIj3/Wbt91riq5j+
-        4qQT4kkw/XgCtbQ27HohKIcC/mXbHchEi7NtXrGoM1xqmu1mGH1uul3LQ6p5VwHc
-        ZFiIAC0awsx9Qe9khZ5EGpZuS0tqJsREcv8ygYMvWcPJEv8aMQM7Nj4biA5rKEgo
-        L+66ibpntldvbz2qntEvJ2rKzGci0RDUQHy4sW8/d50CggEBAKCZaX7ZZPzk/YL2
-        /2+CSQ+cV7ZnZj2fN4Ag96UROxTsyp4SPY60yogQuDIMRGN9SfDcfNlcOvTkn5Me
-        hdiafqHkFxjjlixawYbPaPsYAS/ek156UDBKHbZ2GmE6YYP9VeKGIJhHpWUFOkqV
-        TdTaoB7IzVwv3E1bSQg6Om+8bHoj8n6yPmvMz0DuPpgM1BRrqLNAb/c3DwT/ari+
-        ywBJHSt4TVCtMmnCouWdtvB3U0ogFLnF+2N4DUPwDMQt6yJdllIb+Y706NdkrA2Z
-        jfJDq5WmVnf6i4gaqTzs4GVAj5HW9jOV9ti/DqGz+CTQXB1LN1lCDIVqG34XnTwb
-        G9LjQfkCggEAZwYAt4tTtgJGWNFDlW+wT/sZIm3bX7ncpD4+Ll0w+2s4nPXFTfaj
-        /4zHgkIP1t5rx2HODdlGYDS8jZpow7HDE0LN3sFgienWf5808QtDhWWLrkCLoPEe
-        mdl3FeJFtgby6EaTODjMPM8kEKlvACp5E6BhsIMEQc7EYNrtNvjOFKtj3go+DWfu
-        EeusQB3dGI/0h+UnS0WcOSbb7RkYbphJ9ZDdBNMTpQi7+ga6l9pP0XOrWwJYo2Gq
-        yPrl0j4oJ69C54hF+RQvjIg0pT5dKSacJTYtUnn5dkcFwDFe/yMbinbhcCynwAXJ
-        zqC9g4U3cCk44bbDdENPVr4IOox13NND+QKCAQEAilm2oMZoP3WGkBMTSzJl6OGd
-        F8NnE95noleknNFYuThhCT6T4Z1s28VpxXV7d0DTNOtXj+TzeZq4jrwkgOSZbif0
-        8ky4gRZmm0iFwvAu8ZXk1olHbhMZnCOfh0Qhd4bU2tSoWgWVIAQWEHUhDI7Q1rsX
-        s4sCjYHKuNMEKdfYvxtKeiunoFqdmT65hwM9o3TfvJfm/RChb7i/nVruXQ6IhPEM
-        9WYZS7hlKyqVBESJuonR15biy7Xov5ELl6A821cskZO3vTwtlBSeCDiqaeVLpKR3
-        aYwf5YZo7v+N8KBSLEdLNjoKK4PfXUdczD7uOUllbd4/MRgCn4EmFvmpljGiEQ==
-        -----END RSA PRIVATE KEY-----
-
-        -----BEGIN CERTIFICATE-----
-        MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw
-        GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2
-        MDUyMzIyMDc1OVowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw
-        ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0
-        8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym
-        oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0
-        ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN
-        xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56
-        dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9
-        AgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
-        HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHoGCCsGAQUFBwEBBG4wbDA0
-        BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3RnLXJvb3QteDEubGV0c2VuY3J5cHQu
-        b3JnLzA0BggrBgEFBQcwAoYoaHR0cDovL2NlcnQuc3RnLXJvb3QteDEubGV0c2Vu
-        Y3J5cHQub3JnLzAfBgNVHSMEGDAWgBTBJnSkikSg5vogKNhcI5pFiBh54DANBgkq
-        hkiG9w0BAQsFAAOCAgEABYSu4Il+fI0MYU42OTmEj+1HqQ5DvyAeyCA6sGuZdwjF
-        UGeVOv3NnLyfofuUOjEbY5irFCDtnv+0ckukUZN9lz4Q2YjWGUpW4TTu3ieTsaC9
-        AFvCSgNHJyWSVtWvB5XDxsqawl1KzHzzwr132bF2rtGtazSqVqK9E07sGHMCf+zp
-        DQVDVVGtqZPHwX3KqUtefE621b8RI6VCl4oD30Olf8pjuzG4JKBFRFclzLRjo/h7
-        IkkfjZ8wDa7faOjVXx6n+eUQ29cIMCzr8/rNWHS9pYGGQKJiY2xmVC9h12H99Xyf
-        zWE9vb5zKP3MVG6neX1hSdo7PEAb9fqRhHkqVsqUvJlIRmvXvVKTwNCP3eCjRCCI
-        PTAvjV+4ni786iXwwFYNz8l3PmPLCyQXWGohnJ8iBm+5nk7O2ynaPVW0U2W+pt2w
-        SVuvdDM5zGv2f9ltNWUiYZHJ1mmO97jSY/6YfdOUH66iRtQtDkHBRdkNBsMbD+Em
-        2TgBldtHNSJBfB3pm9FblgOcJ0FSWcUDWJ7vO0+NTXlgrRofRT6pVywzxVo6dND0
-        WzYlTWeUVsO40xJqhgUQRER9YLOLxJ0O6C8i0xFxAMKOtSdodMB3RIwt7RFQ0uyt
-        n5Z5MqkYhlMI3J1tPRTp1nEt9fyGspBOO05gi148Qasp+3N+svqKomoQglNoAxU=
-        -----END CERTIFICATE-----
-        """
-
-        self.Resp = {
-            "disable": "disable server redis-ro/redis-ro0",
-            "set-server-agent": "set server redis-ro/redis-ro0 agent up",
-            "set-server-health": "set server redis-ro/redis-ro0 health stopping",
-            "set-server-state": "set server redis-ro/redis-ro0 state drain",
-            "set-server-weight": "set server redis-ro/redis-ro0 weight 10",
-            "frontends": "show stat",
-            "info": "show info",
-            "sessions": "show sess",
-            "servers": "show stat",
-            "show-ssl-crt-lists": "show ssl crt-list",
-            "show-ssl-crt-list": "show ssl crt-list -n /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
-            "show-ssl-certs": "show ssl cert",
-            "show-ssl-cert": "show ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-            "add-to-crt-list": "add ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
-            "del-from-crt-list": "del ssl crt-list /tmp/haproxy/ssl/601a7392cc9984.99301413.certlist /tmp/haproxy/ssl/601a70e4844b0.pem",
-            "new-ssl-cert": "new ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-            "update-ssl-cert": "set ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem <<\n%s" % self.pem_cert_content,
-            "del-ssl-cert": "del ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-            "commit-ssl-cert": "commit ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-            "abort-ssl-cert": "abort ssl cert /tmp/haproxy/ssl/601a70e4844b0.pem",
-        }
-
-        self.Resp = dict([(k, v + "\r\n") for k, v in self.Resp.items()])
-
-    def test_setServerAgent(self):
-        """Test 'set server agent' command"""
-        args = {"backend": "redis-ro", "server": "redis-ro0", "value": "up"}
-        cmdOutput = cmds.setServerAgent(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["set-server-agent"])
-
-    def test_setServerHealth(self):
-        """Test 'set server health' command"""
-        args = {"backend": "redis-ro", "server": "redis-ro0", "value": "stopping"}
-        cmdOutput = cmds.setServerHealth(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["set-server-health"])
-
-    def test_setServerState(self):
-        """Test 'set server state' command"""
-        args = {"backend": "redis-ro", "server": "redis-ro0", "value": "drain"}
-        cmdOutput = cmds.setServerState(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["set-server-state"])
-
-    def test_setServerWeight(self):
-        """Test 'set server weight' command"""
-        args = {"backend": "redis-ro", "server": "redis-ro0", "value": "10"}
-        cmdOutput = cmds.setServerWeight(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["set-server-weight"])
-
-    def test_showFrontends(self):
-        """Test 'frontends/backends' commands"""
-        args = {}
-        cmdOutput = cmds.showFrontends(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["frontends"])
-
-    def test_showInfo(self):
-        """Test 'show info' command"""
-        cmdOutput = cmds.showInfo().getCmd()
-        self.assertEqual(cmdOutput, self.Resp["info"])
-
-    def test_showSessions(self):
-        """Test 'show sess' command"""
-        cmdOutput = cmds.showSessions().getCmd()
-        self.assertEqual(cmdOutput, self.Resp["sessions"])
-
-    def test_showServers(self):
-        """Test 'show stat' command"""
-        args = {"backend": "redis-ro"}
-        cmdOutput = cmds.showServers(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["servers"])
-
-    def test_showSslCrtLists(self):
-        """Test 'show ssl crt-list' command"""
-        cmdOutput = cmds.showSslCrtLists().getCmd()
-        self.assertEqual(cmdOutput, self.Resp["show-ssl-crt-lists"])
-
-    def test_showSslCrtList(self):
-        """Test 'show ssl crt-list <crt-list>' command"""
-        args = {
-            "crt_list": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
-        }
-        cmdOutput = cmds.showSslCrtList(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["show-ssl-crt-list"])
-
-    def test_showSslCerts(self):
-        """Test 'show ssl cert' command"""
-        cmdOutput = cmds.showSslCerts().getCmd()
-        self.assertEqual(cmdOutput, self.Resp["show-ssl-certs"])
-
-    def test_showSslCert(self):
-        """Test 'show ssl cert <certfile>' command"""
-        args = {
-            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem"
-        }
-        cmdOutput = cmds.showSslCert(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["show-ssl-cert"])
-
-    def test_addToSslCrtList(self):
-        """Test 'add ssl crt-list <crt-list> <certfile>' command"""
-        args = {
-            "crt_list": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
-            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem"
-        }
-        cmdOutput = cmds.addToSslCrtList(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["add-to-crt-list"])
-
-    def test_delFromSslCrtList(self):
-        """Test 'del ssl crt-list <crt-list> <certfile>' command"""
-        args = {
-            "crt_list": "/tmp/haproxy/ssl/601a7392cc9984.99301413.certlist",
-            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem"
-        }
-        cmdOutput = cmds.delFromSslCrtList(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["del-from-crt-list"])
-
-    def test_newSslCrt(self):
-        """Test 'new ssl cert <certfile>' command"""
-        args = {
-            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
-        }
-        cmdOutput = cmds.newSslCrt(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["new-ssl-cert"])
-
-    def test_updateSslCrt(self):
-        """Test 'set ssl cert <certfile> <payload>' command"""
-        args = {
-            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
-            "payload": "%s" % self.pem_cert_content
-        }
-        cmdOutput = cmds.updateSslCrt(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["update-ssl-cert"])
-
-    def test_delSslCrt(self):
-        """Test 'del ssl cert <certfile>' command"""
-        args = {
-            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
-        }
-        cmdOutput = cmds.delSslCrt(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["del-ssl-cert"])
-
-    def test_commitSslCrt(self):
-        """Test 'commit ssl cert <certfile>' command"""
-        args = {
-            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
-        }
-        cmdOutput = cmds.commitSslCrt(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["commit-ssl-cert"])
-
-    def test_abortSslCrt(self):
-        """Test 'abort ssl cert <certfile>' command"""
-        args = {
-            "certfile": "/tmp/haproxy/ssl/601a70e4844b0.pem",
-        }
-        cmdOutput = cmds.abortSslCrt(**args).getCmd()
-        self.assertEqual(cmdOutput, self.Resp["abort-ssl-cert"])
-
-
-if __name__ == '__main__':
-    unittest.main()
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py
deleted file mode 100755
index ea8c15f607..0000000000
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/lib/haproxy/tests/test_conn.py
+++ /dev/null
@@ -1,59 +0,0 @@
-# pylint: disable=locally-disabled, too-few-public-methods, no-self-use, invalid-name, broad-except
-"""test_conn.py - Unittests related to connections to HAProxy."""
-import sys, os
-sys.path.append(os.path.join(os.path.dirname(__file__), '..', '..'))
-from haproxy import conn
-import unittest
-from socket import AF_INET, AF_UNIX
-
-class SimpleConnMock(object):
-    """Simple socket mock."""
-    def __init__(self, stype, stream):
-        self.stype = stype
-        self.stream = stream
-
-    def connect(self, addr):
-        """Mocked socket.connect method."""
-        pass
-
-class TestConnection(unittest.TestCase):
-    """Tests different aspects of haproxyctl's connections to HAProxy."""
-
-    def testConnSimple(self):
-        """Tests that connection to non-protocol path works and fallsback to UNIX socket."""
-        sfile = "/some/path/to/socket.sock"
-        c = conn.HaPConn(sfile, socket_module=SimpleConnMock)
-        addr, stype = c.sfile
-        self.assertEqual(sfile, addr)
-        self.assertEqual(stype, AF_UNIX)
-
-    def testConnUnixString(self):
-        """Tests that unix:// protocol works and connects to a socket."""
-        sfile = "unix:///some/path/to/socket.socket"
-        c = conn.HaPConn(sfile, socket_module=SimpleConnMock)
-        addr, stype = c.sfile
-        self.assertEqual("/some/path/to/socket.socket", addr)
-        self.assertEqual(stype, AF_UNIX)
-
-    def testConnTCPString(self):
-        """Tests that tcp:// protocol works and connects to an IP."""
-        sfile = "tcp://1.2.3.4:8080"
-        c = conn.HaPConn(sfile, socket_module=SimpleConnMock)
-        addr, stype = c.sfile
-        ip, port = addr
-        self.assertEqual("1.2.3.4", ip)
-        self.assertEqual(8080, port)
-        self.assertEqual(stype, AF_INET)
-
-    def testConnTCPStringNoPort(self):
-        """Tests that passing a tcp:// address with no port, raises an Exception."""
-        sfile = "tcp://1.2.3.4"
-        # Not using assertRaises because we still support 2.6
-        try:
-            conn.HaPConn(sfile, socket_module=SimpleConnMock)
-            raise Exception('Connection should have thrown an exception')
-        except conn.HapError:
-            pass
-
-if __name__ == '__main__':
-    unittest.main()
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
index 554db684aa..bcf407c36f 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/socketCommand.py
@@ -4,7 +4,6 @@
 import argparse
 import traceback
 
-sys.path.append(os.path.join(os.path.dirname(__file__), 'lib'))
 from haproxy.conn import HaPConn
 from haproxy import cmds
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
index f4932a0cdb..8df8543f3b 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
@@ -9,7 +9,6 @@
 import json
 from typing import List
 
-sys.path.append(os.path.join(os.path.dirname(__file__), 'lib'))
 from haproxy.conn import HaPConn
 from haproxy import cmds
 

From bbec7f3afcda438aceb90ec71ae3c86058361aca Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 7 Dec 2023 10:59:32 +0100
Subject: [PATCH 1675/3088] Framework: add keyword support for sample/shadow
 like in core

---
 Keywords/sample.ucl | 57 +++++++++++++++++++++++++++++++++++++++++++++
 Keywords/shadow.ucl | 48 ++++++++++++++++++++++++++++++++++++++
 Mk/plugins.mk       | 17 +++++++++++---
 3 files changed, 119 insertions(+), 3 deletions(-)
 create mode 100644 Keywords/sample.ucl
 create mode 100644 Keywords/shadow.ucl

diff --git a/Keywords/sample.ucl b/Keywords/sample.ucl
new file mode 100644
index 0000000000..ea5bf5db18
--- /dev/null
+++ b/Keywords/sample.ucl
@@ -0,0 +1,57 @@
+# MAINTAINER: portmgr@FreeBSD.org
+#
+# @sample etc/somefile.conf.sample
+# or
+# @sample file1 file2
+#
+# Where file1 is considered as a sample file and file2 the target file
+#
+# This will install the somefile.conf.sample and automatically copy to
+# somefile.conf if it doesn't exist. On deinstall it will remove the
+# somefile.conf if it still matches the sample, otherwise it is
+# kept.
+#
+# This replaces the old pattern:
+#  @unexec if cmp -s %D/etc/pkgtools.conf %D/etc/pkgtools.conf.sample; then rm -f %D/etc/pkgtools.conf; fi
+#  etc/pkgtools.conf.sample
+#  @exec [ -f %B/pkgtools.conf ] || cp %B/%f %B/pkgtools.conf
+
+actions: [file(1)]
+arguments: true
+post-install: <<EOD
+  case "%1" in
+  /*) sample_file="%1" ;;
+  *) sample_file="%D/%1" ;;
+  esac
+  target_file="${sample_file%.sample}"
+  set -- %@
+  if [ $# -eq 2 ]; then
+      target_file=${2}
+  fi
+  case "${target_file}" in
+  /*) target_file="${target_file}" ;;
+  *) target_file="%D/${target_file}" ;;
+  esac
+  if ! [ -f "${target_file}" ]; then
+    /bin/cp -p "${sample_file}" "${target_file}"
+  fi
+EOD
+pre-deinstall: <<EOD
+  case "%1" in
+  /*) sample_file="%1" ;;
+  *) sample_file="%D/%1" ;;
+  esac
+  target_file="${sample_file%.sample}"
+  set -- %@
+  if [ $# -eq 2 ]; then
+      set -- %@
+      target_file=${2}
+  fi
+  case "${target_file}" in
+  /*) target_file="${target_file}" ;;
+  *) target_file="%D/${target_file}" ;;
+  esac
+  if cmp -s "${target_file}" "${sample_file}"; then
+    rm -f "${target_file}"
+  fi
+EOD
diff --git a/Keywords/shadow.ucl b/Keywords/shadow.ucl
new file mode 100644
index 0000000000..039b8d3b66
--- /dev/null
+++ b/Keywords/shadow.ucl
@@ -0,0 +1,48 @@
+# MAINTAINER: franco@opnsense.org
+#
+# @shadow etc/somefile.conf.sample
+# or
+# @shadow file1 file2
+#
+# Where file1 is considered as a sample file and file2 the target file
+#
+# This will install the somefile.conf.sample and automatically copy to
+# somefile.conf if it doesn't exist. On deinstall it will be removed.
+
+actions: [file(1)]
+arguments: true
+post-install: <<EOD
+  case "%1" in
+  /*) sample_file="%1" ;;
+  *) sample_file="%D/%1" ;;
+  esac
+  target_file="${sample_file%.sample}"
+  set -- %@
+  if [ $# -eq 2 ]; then
+      target_file=${2}
+  fi
+  case "${target_file}" in
+  /*) target_file="${target_file}" ;;
+  *) target_file="%D/${target_file}" ;;
+  esac
+  if ! [ -f "${target_file}" ]; then
+    /bin/cp -p "${sample_file}" "${target_file}"
+  fi
+EOD
+pre-deinstall: <<EOD
+  case "%1" in
+  /*) sample_file="%1" ;;
+  *) sample_file="%D/%1" ;;
+  esac
+  target_file="${sample_file%.sample}"
+  set -- %@
+  if [ $# -eq 2 ]; then
+      set -- %@
+      target_file=${2}
+  fi
+  case "${target_file}" in
+  /*) target_file="${target_file}" ;;
+  *) target_file="%D/${target_file}" ;;
+  esac
+  rm -f "${target_file}"
+EOD
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ff75a2d42e..3481c34de5 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -210,6 +210,11 @@ install: check
 		if [ "$${FILE%%.in}" != "$${FILE}" ]; then \
 			sed -i '' ${SED_REPLACE} "${DESTDIR}${LOCALBASE}/$${FILE}"; \
 			mv "${DESTDIR}${LOCALBASE}/$${FILE}" "${DESTDIR}${LOCALBASE}/$${FILE%%.in}"; \
+			FILE="$${FILE%%.in}"; \
+		fi; \
+		if [ "$${FILE%%.shadow}" != "$${FILE}" ]; then \
+			mv "${DESTDIR}${LOCALBASE}/$${FILE}" \
+			    "${DESTDIR}${LOCALBASE}/$${FILE%%.shadow}.sample"; \
 		fi; \
 	done
 	@cat ${TEMPLATESDIR}/version | sed ${SED_REPLACE} > "${DESTDIR}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
@@ -217,8 +222,14 @@ install: check
 plist: check
 	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
 		if [ -f "$${FILE}.in" ]; then continue; fi; \
-		FILE="$${FILE%%.in}"; \
-		echo ${LOCALBASE}/$${FILE}; \
+		FILE="$${FILE%%.in}"; PREFIX=""; \
+		if [ "$${FILE%%.sample}" != "$${FILE}" ]; then \
+			PREFIX="@sample "; \
+		elif [ "$${FILE%%.shadow}" != "$${FILE}" ]; then \
+			FILE="$${FILE%%.shadow}.sample"; \
+			PREFIX="@shadow "; \
+		fi; \
+		echo "$${PREFIX}${LOCALBASE}/$${FILE}"; \
 	done
 	@echo "${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
 
@@ -269,7 +280,7 @@ package: check
 	@${MAKE} DESTDIR=${WRKSRC} metadata
 	@echo " done"
 	@echo ">>> Packaging files for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}:"
-	@${PKG} create -v -m ${WRKSRC} -r ${WRKSRC} \
+	@PORTSDIR=${PLUGINSDIR} ${PKG} create -v -m ${WRKSRC} -r ${WRKSRC} \
 	    -p ${WRKSRC}/plist -o ${PKGDIR}
 
 upgrade-check: check

From d714e8fc24b233c93556c16c33ac17f26b2cfde1 Mon Sep 17 00:00:00 2001
From: doktornotor <1075960+doktornotor@users.noreply.github.com>
Date: Sat, 9 Dec 2023 14:03:25 +0100
Subject: [PATCH 1676/3088] Fix mib_indexes directory path (#3700)

---
 .../net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/setup.sh     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/setup.sh b/net-mgmt/net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/setup.sh
index 3f497afafd..dc9a65242c 100755
--- a/net-mgmt/net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/setup.sh
+++ b/net-mgmt/net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/setup.sh
@@ -5,5 +5,5 @@ chown -R root:wheel /var/net-snmp
 chmod 755 /var/net-snmp
 
 mkdir -p /var/net-snmp/mib_indexes
-chown -R root:wheel /var/mib_indexes
+chown -R root:wheel /var/net-snmp/mib_indexes
 chmod 700 /var/net-snmp/mib_indexes

From 25940b512c0764f58107392fa5916877c739a5e3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 10 Dec 2023 16:07:20 +0100
Subject: [PATCH 1677/3088] net/frr - reuse opnsense-treeview.js from core to
 ease maintanance and offer the same functionality.

---
 .../OPNsense/Quagga/DiagnosticsController.php |  19 +++
 .../views/OPNsense/Quagga/diagnostics.volt    |  97 +++++--------
 .../opnsense/www/js/frr/diagnostics_utils.js  | 128 ------------------
 3 files changed, 54 insertions(+), 190 deletions(-)
 delete mode 100644 net/frr/src/opnsense/www/js/frr/diagnostics_utils.js

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
index 78b70e231d..7cb40b2320 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
@@ -27,6 +27,25 @@
 
 class DiagnosticsController extends \OPNsense\Base\IndexController
 {
+    /**
+     * {@inheritdoc}
+     */
+    protected function templateJSIncludes()
+    {
+        return array_merge(parent::templateJSIncludes(), [
+            '/ui/js/tree.jquery.min.js',
+            '/ui/js/opnsense-treeview.js'
+        ]);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function templateCSSIncludes()
+    {
+        return array_merge(parent::templateCSSIncludes(), ['/css/jqtree.css']);
+    }
+
     public function bgpAction()
     {
         $this->view->tabs = [
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
index 0307fbbf26..8c3f69d670 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
@@ -29,8 +29,6 @@ POSSIBILITY OF SUCH DAMAGE.
 
 #}
 
-<script src="{{ cache_safe('/ui/js/frr/diagnostics_utils.js') }}"></script>
-
 <style>
     .searchbox {
       margin: 8px;
@@ -46,9 +44,24 @@ POSSIBILITY OF SUCH DAMAGE.
             font-style: italic;
         }
     }
-  </style>
-  <link rel="stylesheet" type="text/css" href="{{ cache_safe(theme_file_or_default('/css/jqtree.css', ui_theme|default('opnsense'))) }}">
-  <script src="{{ cache_safe('/ui/js/tree.jquery.min.js') }}"></script>
+    .bootstrap-dialog-body {
+        overflow-x: auto;
+    }
+    .modal-dialog,
+    .modal-content {
+        height: 80%;
+    }
+
+    .modal-body {
+        height: calc(100% - 120px);
+        overflow-y: scroll;
+    }
+    @media (min-width: 768px) {
+        .modal-dialog {
+            width: 90%;
+        }
+    }
+</style>
 
 <script>
     'use strict';
@@ -60,26 +73,26 @@ POSSIBILITY OF SUCH DAMAGE.
          * only display the refresh button on the currently active tab
          */
         $('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
-          $(".tab-icon").removeClass("fa-refresh");
-          $("#"+e.target.id).find(".tab-icon").addClass("fa-refresh");
+            $(".tab-icon").removeClass("fa-refresh");
+            $("#"+e.target.id).find(".tab-icon").addClass("fa-refresh");
         });
 
         /**
          * resize tree widgets on window resize
          */
-        $(window).on('resize', resizeTreeWidget);
-
-        /**
-         * delayed search for tree widgets
-         */
-        $(".tree_search").keyup(treeSearchKeyUp);
+        $(window).on('resize', function(){
+            let new_height = $(".page-foot").offset().top -
+                ($(".page-content-head").offset().top + $(".page-content-head").height()) - 160;
+            $(".treewidget").height(new_height);
+            $(".treewidget").css('max-height', new_height + 'px');
+        });
 
         let all_grids = [];
         {% for tab in tabs %}
             /**
              * register refresh event handler for {{ tab['tabhead'] }}
              */
-            $("#refresh-{{ tab['name'] }}").click(function () {
+            $("#{{ tab['name'] }}_tab").click(function () {
             {% switch tab['type'] %}
                 {% case 'generalroutetable' %}
                 {% case 'bgproutetable' %}
@@ -203,46 +216,8 @@ POSSIBILITY OF SUCH DAMAGE.
                     {% break %}
                 {% case 'tree' %}
                     ajaxGet("{{ tab['endpoint'] }}", {}, function (data, status) {
-                        if (status == "success") {
-                            let $tree = $("#tree-{{ tab['name'] }}");
-                            if ($("#tree-{{ tab['name'] }} > ul").length == 0) {
-                                $tree.tree({
-                                    data: dict_to_tree(data['response']),
-                                    autoOpen: false,
-                                    dragAndDrop: false,
-                                    selectable: false,
-                                    closedIcon: $('<i class="fa fa-plus-square-o"></i>'),
-                                    openedIcon: $('<i class="fa fa-minus-square-o"></i>'),
-                                    onCreateLi: function(node, $li) {
-                                        let n_title = $li.find('.jqtree-title');
-                                        n_title.text(n_title.text().replace('&gt;','\>').replace('&lt;','\<'));
-                                        if (node.value !== undefined) {
-                                            $li.find('.jqtree-element').append(
-                                                '&nbsp; <strong>:</strong> &nbsp;' + node.value
-                                            );
-                                        }
-                                        if (node.selected) {
-                                            $li.addClass("node-selected");
-                                        } else {
-                                            $li.removeClass("node-selected");
-                                        }
-                                    }
-                                });
-                                // initial view, collapse first level if there's only one node
-                                if (Object.keys(data['response']).length == 1) {
-                                    for (let key in data['response']) {
-                                        $tree.tree('openNode', $tree.tree('getNodeById', key));
-                                    }
-                                }
-                                //open node on label click
-                                $tree.bind('tree.click', function(e) {
-                                    $tree.tree('toggle', e.node);
-                                });
-                            } else {
-                                let curent_state = $tree.tree('getState');
-                                $tree.tree('loadData', dict_to_tree(data['response']));
-                                $tree.tree('setState', curent_state);
-                            }
+                        if (status == "success" && data.response) {
+                            update_tree(data.response, "#tree-{{ tab['name'] }}");
                         }
                     });
                     $(window).trigger('resize');
@@ -257,14 +232,10 @@ POSSIBILITY OF SUCH DAMAGE.
             {% endswitch %}
             });
 
-            /**
-             * perform data fetch via event handler
-             */
-            $("a[id='{{ tab['name'] }}_tab']").on("shown.bs.tab", function (event) {
-                $("#refresh-{{ tab['name'] }}").click();
-            });
         {% endfor %}
 
+        $(".tree_search").keyup(tree_delayed_live_search);
+
         /**
          * add "sub title" heading
          */
@@ -282,7 +253,7 @@ POSSIBILITY OF SUCH DAMAGE.
     {% for tab in tabs %}
         <li>
             <a data-toggle="tab" href="#{{ tab['name'] }}" id="{{tab['name']}}_tab">
-                {{ tab['tabhead'] }} <span id="refresh-{{ tab['name'] }}" class="fa tab-icon fa-refresh" style="cursor: pointer"></span>
+                {{ tab['tabhead'] }} <span class="fa tab-icon fa-refresh" style="cursor: pointer"></span>
             </a>
         </li>
     {% endfor %}
@@ -435,6 +406,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     </div>
                     {% break %}
                 {% case 'tree' %}
+                  <section class="col-xs-12">
                     <div class="searchbox">
                         <input
                             id="search-{{ tab['name'] }}"
@@ -444,7 +416,8 @@ POSSIBILITY OF SUCH DAMAGE.
                             placeholder="{{ lang._('search') }}"
                         ></input>
                     </div>
-                    <div class="treewidget" style="padding: 8px; overflow-y: scroll; height:400px;" id="tree-{{ tab['name'] }}"></div>
+                    <div class="treewidget" style="padding: 8px; overflow-y: scroll; height:400px;" id="tree-{{tab['name']}}"></div>
+                  </section>
                     {% break %}
                 {% case 'text' %}
                     <pre id="text-{{ tab['name'] }}"></pre>
diff --git a/net/frr/src/opnsense/www/js/frr/diagnostics_utils.js b/net/frr/src/opnsense/www/js/frr/diagnostics_utils.js
deleted file mode 100644
index 886a0bb627..0000000000
--- a/net/frr/src/opnsense/www/js/frr/diagnostics_utils.js
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * Copyright (C) 2015-2023 Deciso B.V.
- * Copyright (C) 2023 Marc Bartelt
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-'use strict';
-
-/**
- * tree view: resize widget on window resize
- */
-function resizeTreeWidget() {
-    let new_height = $(".page-foot").offset().top -
-                     ($(".page-content-head").offset().top + $(".page-content-head").height()) - 160;
-    $(".treewidget").height(new_height);
-    $(".treewidget").css('max-height', new_height + 'px');
-}
-
-/**
- * tree view: delayed live-search
- */
-let apply_tree_search_timer = null;
-function treeSearchKeyUp() {
-    let sender = $(this);
-
-    clearTimeout(apply_tree_search_timer);
-    apply_tree_search_timer = setTimeout(function() {
-        let searchTerm = sender.val().toLowerCase();
-        let target = $("#"+sender.attr('for'));
-        let tree = target.tree("getTree");
-        let selected = [];
-        if (tree !== null) {
-            tree.iterate((node) => {
-                let matched = false;
-                if (searchTerm !== "") {
-                    matched = node.name.toLowerCase().includes(searchTerm);
-                    if (!matched && typeof node.value === 'string') {
-                        matched = node.value.toLowerCase().includes(searchTerm);
-                    }
-                }
-                node["selected"] = matched;
-
-                if (matched) {
-                    selected.push(node);
-                    if (node.isFolder()) {
-                        node.is_open = true;
-                    }
-                    let parent = node.parent;
-                    while (parent) {
-                        parent.is_open = true;
-                        parent = parent.parent;
-                    }
-                } else if (node.isFolder()) {
-                    node.is_open = false;
-                }
-
-                return true;
-            });
-            target.tree("refresh");
-            if (selected.length > 0) {
-                target.tree('scrollToNode', selected[0]);
-            }
-        }
-    }, 500);
-}
-
-/**
- * jqtree expects a list + dict type structure, transform key value store into expected output
- * https://mbraak.github.io/jqTree/#general
- */
- function dict_to_tree(node, path) {
-    // some entries are lists, try use a name for the nodes in that case
-    let node_name_keys = ['name', 'interface-name'];
-    let result = [];
-    if ( path === undefined) {
-        path = "";
-    } else {
-        path = path + ".";
-    }
-    for (let key in node) {
-        if (typeof node[key] === "function") {
-            continue;
-        }
-        let item_path = path + key;
-        if (node[key] instanceof Object) {
-            let node_name = key;
-            for (let idx=0; idx < node_name_keys.length; ++idx) {
-                if (/^(0|[1-9]\d*)$/.test(node_name) && node[key][node_name_keys[idx]] !== undefined) {
-                    node_name = node[key][node_name_keys[idx]];
-                    break;
-                }
-            }
-            result.push({
-                name: node_name,
-                id: item_path,
-                children: dict_to_tree(node[key], item_path)
-            });
-        } else {
-            result.push({
-                name: key,
-                value: node[key],
-                id: item_path
-            });
-        }
-    }
-    return result;
-}

From 787f2616668552562e728383d351d823fbc72bc2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 12 Dec 2023 08:11:23 +0100
Subject: [PATCH 1678/3088] net-mgmt/net-snmp: bump rev

---
 net-mgmt/net-snmp/Makefile  | 2 +-
 net-mgmt/net-snmp/pkg-descr | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 53525c05b5..942edba72e 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		net-snmp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Net-SNMP is a daemon for the SNMP protocol
 PLUGIN_DEPENDS=		net-snmp
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/net-snmp/pkg-descr b/net-mgmt/net-snmp/pkg-descr
index c61e6d62df..bead1bf838 100644
--- a/net-mgmt/net-snmp/pkg-descr
+++ b/net-mgmt/net-snmp/pkg-descr
@@ -13,7 +13,8 @@ Plugin Changelog
 
 1.5
 
-* Add support for agentx.
+* Add support for agentx
+* Fixed directory mismatch in setup.sh (contributed by doktornotor)
 
 1.4
 

From eee355929db3141c4377868246720e51be4752e8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 12 Dec 2023 08:12:53 +0100
Subject: [PATCH 1679/3088] net/frr: bump rev

---
 net/frr/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 6edb0abf95..7f76d6b8ab 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.37
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 1cd458e891ad2047a9b580531409b5c7d2467e44 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Fri, 15 Dec 2023 17:09:23 +0300
Subject: [PATCH 1680/3088] template fix (#3704)

fix template error if there is no 'records' in config at all
---
 .../opnsense/service/templates/OPNsense/Bind/domain.db | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db
index a27c9e5623..bce3a9ffdd 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db
@@ -5,11 +5,13 @@
 {%         if domaindb.enabled == '1' and domaindb.type == 'primary' %}
 $TTL {{ domaindb.ttl }}
 @       IN      SOA    {{ domaindb.dnsserver }}. {{ domaindb.mailadmin|replace('@', '.') }}. ( {{ domaindb.serial|trim }} {{ domaindb.refresh }} {{ domaindb.retry }} {{ domaindb.expire }} {{ domaindb.negative }} )
-{%           for record in helpers.sortDictList(OPNsense.bind.record.records.record, 'name', 'type' ) %}
-{%             if record.domain == domaindb['@uuid'] %}
+{%           if helpers.exists('OPNsense.bind.record.records.record') %}
+{%             for record in helpers.sortDictList(OPNsense.bind.record.records.record, 'name', 'type' ) %}
+{%               if record.domain == domaindb['@uuid'] %}
 {{ record.name }}                {{ record.type }} {{ record.value }}
-{%             endif %}
-{%           endfor %}
+{%               endif %}
+{%             endfor %}
+{%           endif %}
 {%         endif %}
 {%       endif %}
 {%     endfor %}

From ac824e3d02e631e05a646b99ab00ae5eb35cbbf9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 16 Dec 2023 23:17:38 +0100
Subject: [PATCH 1681/3088] net/haproxy: add support for built-in OCSP update
 feature

---
 net/haproxy/pkg-descr                         |  7 ++
 .../HAProxy/forms/generalSettings.xml         |  6 --
 .../OPNsense/HAProxy/forms/generalTuning.xml  | 22 ++++++
 .../HAProxy/forms/maintenanceCronjobs.xml     | 11 ---
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 22 +++++-
 .../OPNsense/HAProxy/Migrations/M4_1_0.php    | 59 ++++++++++++++
 .../scripts/OPNsense/HAProxy/exportCerts.php  |  7 +-
 .../scripts/OPNsense/HAProxy/setup.sh         |  5 --
 .../scripts/OPNsense/HAProxy/updateOcsp.sh    | 76 -------------------
 .../conf/actions.d/actions_haproxy.conf       |  7 --
 .../templates/OPNsense/HAProxy/haproxy.conf   |  9 +++
 .../templates/OPNsense/HAProxy/rc.conf.d      |  5 --
 12 files changed, 124 insertions(+), 112 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_1_0.php
 delete mode 100755 net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 2681b9f8d8..e0f6044fee 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,12 +6,19 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+Added:
+* add support for built-in OCSP update feature
+
 Fixed:
 * fix typo in cert sync script
 
 Changed:
+* move OCSP settings from "Service" to "Global" section
 * replace bundled haproxyctl library with haproxy-cli
 
+Removed:
+* remove OSCP update cron job
+
 4.1
 
 Fixed:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
index b9934dd6a4..6c6a1a22e6 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalSettings.xml
@@ -33,12 +33,6 @@
         <type>checkbox</type>
         <help><![CDATA[HAProxy will handle service restarts in a way that no connections are dropped. This is the best restart mode, because it has no impact on user experience. That being said, there might be edge cases where seamless reloads lead to unexpected behaviour.]]></help>
     </field>
-    <field>
-        <id>haproxy.general.storeOcsp</id>
-        <label>Store OCSP responses</label>
-        <type>checkbox</type>
-        <help><![CDATA[Retrieve OCSP data everytime when starting or restarting HAProxy. For every certificate, the OCSP response will be fetched and stored in filesystem, and automatically picked-up by HAProxy on startup. However, depending on the number of certificates and other circumstances, this may noticeably increase the time required to start/restart the HAProxy service. Note that this only updates the OCSP responses once during start/restart, you need to setup a cron job to periodically update this data too.]]></help>
-    </field>
     <field>
         <id>haproxy.general.showIntro</id>
         <label>Show introduction pages</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index 0bef8a78bd..364cf6032d 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -67,6 +67,28 @@
         <help><![CDATA[These lines will be added to the global settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <label>SSL settings</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.ocspUpdateEnabled</id>
+        <label>Automatic OCSP updates</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable automatic OCSP response updates. Each OCSP response will be updated at least once an hour, and even more frequently if a given OCSP response has an expire date earlier than this one hour limit.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.ocspUpdateMinDelay</id>
+        <label>Minimum OCSP Interval</label>
+        <type>text</type>
+        <help><![CDATA[Sets the minimum interval (in seconds) between two automatic updates of the same OCSP response.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.ocspUpdateMaxDelay</id>
+        <label>Maximum OCSP Interval</label>
+        <type>text</type>
+        <help><![CDATA[Sets the maximum interval (in seconds) between two automatic updates of the same OCSP response.]]></help>
+    </field>
     <field>
         <label>SSL default settings</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/maintenanceCronjobs.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/maintenanceCronjobs.xml
index f9c4edf83f..1924980d29 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/maintenanceCronjobs.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/maintenanceCronjobs.xml
@@ -10,17 +10,6 @@
         <type>checkbox</type>
         <help><![CDATA[Periodically sync SSL certificate changes into the running HAProxy service. This is most useful when using short-lived Let's Encrypt certificates, but changes to other certificates will also be synced. Note that when using the Let's Encrypt plugin, it is also possible to use an <a target="_blank" href="/ui/acmeclient/actions">Automation</a> instead of this cron job.]]></help>
     </field>
-    <field>
-        <label>Update OCSP data for SSL certificates</label>
-        <type>header</type>
-        <style>table_cron table_cron_updateOcsp</style>
-    </field>
-    <field>
-        <id>haproxy.maintenance.cronjobs.updateOcsp</id>
-        <label>Enable</label>
-        <type>checkbox</type>
-        <help><![CDATA[Periodically fetch OCSP data for all configured SSL certificates. Note that OCSP support needs to be enabled in <a target="_blank" href="/ui/haproxy#general-settings">HAProxy service settings</a>.]]></help>
-    </field>
     <field>
         <label>Reload HAProxy service</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index baf4277b33..5c42f7c201 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>4.0.0</version>
+    <version>4.1.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
@@ -27,6 +27,7 @@
                 <default>0</default>
                 <Required>Y</Required>
             </seamlessReload>
+            <!-- XXX: old value, required for model migration to 4.1.0 -->
             <storeOcsp type="BooleanField">
                 <default>0</default>
                 <Required>N</Required>
@@ -128,6 +129,24 @@
                 <customOptions type="TextField">
                     <Required>N</Required>
                 </customOptions>
+                <ocspUpdateEnabled type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </ocspUpdateEnabled>
+                <ocspUpdateMinDelay type="IntegerField">
+                    <default>300</default>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>86400</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 86400.</ValidationMessage>
+                    <Required>N</Required>
+                </ocspUpdateMinDelay>
+                <ocspUpdateMaxDelay type="IntegerField">
+                    <default>3600</default>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>86400</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 86400.</ValidationMessage>
+                    <Required>N</Required>
+                </ocspUpdateMaxDelay>
                 <ssl_defaultsEnabled type="BooleanField">
                     <default>0</default>
                     <Required>Y</Required>
@@ -3027,6 +3046,7 @@
                     <ValidationMessage>Related cron not found.</ValidationMessage>
                     <Required>N</Required>
                 </syncCertsCron>
+                <!-- XXX: old value, required for model migration to 4.1.0 -->
                 <updateOcsp type="BooleanField">
                     <default>0</default>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_1_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_1_0.php
new file mode 100644
index 0000000000..22f91c8fe4
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_1_0.php
@@ -0,0 +1,59 @@
+<?php
+
+/**
+ *    Copyright (C) 2023 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Config;
+use OPNsense\Cron\Cron;
+
+class M4_1_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Get old OCSP config item and map to new value
+        $old_ocsp = (string)$model->general->storeOcsp;
+        $model->general->tuning->ocspUpdateEnabled = $old_ocsp;
+
+        // Remove obsolete OCSP cron job
+        if ((string)$model->maintenance->cronjobs->updateOcspCron != "") {
+            $cron_uuid = (string)$model->maintenance->cronjobs->updateOcspCron;
+            $model->maintenance->cronjobs->updateOcspCron = "";
+
+            // Delete the cronjob item
+            $mdlCron = new Cron();
+            if ($mdlCron->jobs->job->del($cron_uuid)) {
+                $mdlCron->serializeToConfig();
+                $model->serializeToConfig($validateFullModel = false, $disable_validation = true);
+                Config::getInstance()->save();
+            }
+        }
+    }
+}
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 0dfa7bd262..c2e052f607 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -95,7 +95,12 @@
                                             file_put_contents($output_pem_filename, $pem_content);
                                             chmod($output_pem_filename, 0600);
                                             echo "exported $type to " . $output_pem_filename . "\n";
-                                            $crtlist[] = $output_pem_filename;
+                                            // Check if automatic OCSP updates are enabled.
+                                            if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
+                                              $crtlist[] = $output_pem_filename . " ocsp-update on";
+                                            } else {
+                                              $crtlist[] = $output_pem_filename;
+                                            }
                                         } else {
                                             // In contrast to certificates, CA/CRL content needs to be put in a single file.
                                             // A list of individual files is not supported by HAproxy.
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
index 0e07ab1ba7..5c74fd2792 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh
@@ -22,11 +22,6 @@ find /var/haproxy -type d -exec chmod 550 {} \;
 /usr/local/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php > /dev/null 2>&1
 /usr/local/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php > /dev/null 2>&1
 
-# update OCSP data
-if [ "${haproxy_ocsp}" == "YES" ]; then
-  /usr/local/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh > /dev/null 2>&1
-fi
-
 # deploy new config
 case "$1" in
 deploy)
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
deleted file mode 100755
index 6bf8af9283..0000000000
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/sh
-# This file is based on:
-# https://github.com/acmesh-official/acme.sh/blob/master/deploy/haproxy.sh
-#
-# Copyright (C) 2021 Neil Pang
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-HAPROXY_DIR="/tmp/haproxy/ssl"
-HAPROXY_SOCKET="/var/run/haproxy.socket"
-
-for _pem in "$HAPROXY_DIR"/*.pem; do
-    cert_file="$(basename "$_pem")"
-    _issuer="${HAPROXY_DIR}/${cert_file%.pem}.issuer"
-    _ocsp="${_pem}.ocsp"
-    cert_cn="$(openssl x509 -in "$_pem" -noout -text | sed -nE 's/.*Subject:.*CN = ([^,]*)(,.*)?$/\1/p')"
-
-    if [ ! -f "$_issuer" ]; then
-        continue
-    fi
-
-    if [ -r "${_issuer}" ]; then
-        _ocsp_url="$(openssl x509 -noout -ocsp_uri -in "$_pem")"
-        if [ -n "$_ocsp_url" ]; then
-            _ocsp_host="$(echo "$_ocsp_url" | cut -d/ -f3)"
-            subjectdn="$(openssl x509 -in "$_issuer" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)"
-            issuerdn="$(openssl x509 -in "$_issuer" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)"
-            if [ "$subjectdn" = "$issuerdn" ]; then
-                _cafile_argument="-CAfile \"${_issuer}\""
-            else
-                _cafile_argument=""
-            fi
-            _openssl_version=$(openssl version | cut -d' ' -f2)
-            _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
-            _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
-            if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
-                _header_sep="="
-            else
-                _header_sep=" "
-            fi
-
-            _openssl_ocsp_cmd="openssl ocsp \
-                -issuer \"${_issuer}\" \
-                -cert \"${_pem}\" \
-                -url \"${_ocsp_url}\" \
-                -header Host${_header_sep}\"${_ocsp_host}\" \
-                -respout \"${_ocsp}\" \
-                -verify_other \"${_issuer}\" \
-                ${_cafile_argument} \
-                | grep -q \"${_pem}: good\""
-
-            eval "${_openssl_ocsp_cmd}"
-            _ret=$?
-
-            if [ "${_ret}" != "0" ]; then
-                echo "Updating OCSP stapling failed with return code ${_ret}"
-            else
-                _update="$(openssl enc -base64 -A -in "${_ocsp}")"
-                if ! echo "set ssl ocsp-response ${_update}" | socat stdio $HAPROXY_SOCKET; then
-                    echo "Updating haproxy OCSP stapling via socket failed"
-                fi
-            fi
-        fi
-    fi
-done
diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index 9ca6d13dd7..ab181dd8ac 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -126,10 +126,3 @@ command:/usr/bin/diff -Naur /usr/local/etc/haproxy.conf /usr/local/etc/haproxy.c
 parameters:
 type:script_output
 message:diff haproxy config
-
-[update_ocsp]
-command:/usr/local/opnsense/scripts/OPNsense/HAProxy/updateOcsp.sh
-parameters:
-type:script_output
-description:Update HAProxy OCSP data
-message:update haproxy ocsp data
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index ab08e8f3a6..bcfc4c6e26 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -982,6 +982,15 @@ global
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxConnections') %}
     maxconn                     {{OPNsense.HAProxy.general.tuning.maxConnections}}
 {% endif %}
+{# # check if OCSP is enabled #}
+{% if OPNsense.HAProxy.general.tuning.ocspUpdateEnabled|default('') == '1' %}
+{%   if helpers.exists('OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay') %}
+    tune.ssl.ocsp-update.mindelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay}}
+{%   endif %}
+{%   if helpers.exists('OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay') %}
+    tune.ssl.ocsp-update.maxdelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay}}
+{%   endif %}
+{% endif %}
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxDHSize') %}
     tune.ssl.default-dh-param   {{OPNsense.HAProxy.general.tuning.maxDHSize}}
 {% endif %}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
index 2e20906703..1aa2b759cb 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/rc.conf.d
@@ -3,11 +3,6 @@ haproxy_enable=YES
 haproxy_setup="/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh"
 haproxy_pidfile="/var/run/haproxy.pid"
 haproxy_config="/usr/local/etc/haproxy.conf"
-{% if helpers.exists('OPNsense.HAProxy.general.storeOcsp') and OPNsense.HAProxy.general.storeOcsp|default("0") == "1" %}
-haproxy_ocsp=YES
-{% else %}
-haproxy_ocsp=NO
-{% endif %}
 {% if helpers.exists('OPNsense.HAProxy.general.gracefulStop') and OPNsense.HAProxy.general.gracefulStop|default("0") == "1" %}
 haproxy_hardstop=NO
 {% else %}

From 961bca02443b5f683fdbda5bafbb49dd8bfa14e8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 Dec 2023 09:59:19 +0100
Subject: [PATCH 1682/3088] dns/bind: bump revision after fix

---
 dns/bind/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index d5a3705c8d..8717b2f01d 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.28
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From af9f4ab28f5f45b9c5207a7b55120e3958a92863 Mon Sep 17 00:00:00 2001
From: "hasan.ucak" <hasan@sunnyvalley.io>
Date: Mon, 6 Nov 2023 15:58:04 +0300
Subject: [PATCH 1683/3088] Update Sensei words to zenarmor and use shadow
 keyword #3695

---
 vendor/sunnyvalley/Makefile                                    | 3 ++-
 vendor/sunnyvalley/pkg-descr                                   | 2 --
 .../repos/{SunnyValley.conf.in => SunnyValley.conf.shadow.in}  | 0
 3 files changed, 2 insertions(+), 3 deletions(-)
 rename vendor/sunnyvalley/src/etc/pkg/repos/{SunnyValley.conf.in => SunnyValley.conf.shadow.in} (100%)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 9bd1c0ce8b..21e844e8e7 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,7 +1,8 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
-PLUGIN_WWW=		https://www.sunnyvalley.io
+PLUGIN_WWW=		https://www.zenarmor.com
 
 .include "../../Mk/plugins.mk"
diff --git a/vendor/sunnyvalley/pkg-descr b/vendor/sunnyvalley/pkg-descr
index 18686981a6..76d286396e 100644
--- a/vendor/sunnyvalley/pkg-descr
+++ b/vendor/sunnyvalley/pkg-descr
@@ -14,5 +14,3 @@ Zenarmor for OPNsense features:
 * User based filtering
 * Policy based filtering
 * Active Directory/LDAP Integration
-
-WWW: https://www.sunnyvalley.io/sensei
diff --git a/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in b/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.shadow.in
similarity index 100%
rename from vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.in
rename to vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.shadow.in

From 54a0e443fbf1102a85b15306acd30eff66751805 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Dec 2023 15:13:04 +0100
Subject: [PATCH 1684/3088] www/squid: fill with source code

PR: https://github.com/opnsense/core/issues/7030
---
 www/squid/Makefile                            |   1 +
 www/squid/src/etc/inc/plugins.inc.d/squid.inc |  79 ++
 .../ERR_ACCESS_DENIED.html                    |  42 ++
 .../ERR_ACL_TIME_QUOTA_EXCEEDED.html          |  43 ++
 .../ERR_AGENT_CONFIGURE.html                  |  64 ++
 .../template_error_pages/ERR_AGENT_WPAD.html  |  64 ++
 .../ERR_CACHE_ACCESS_DENIED.html              |  43 ++
 .../ERR_CACHE_MGR_ACCESS_DENIED.html          |  43 ++
 .../ERR_CANNOT_FORWARD.html                   |  50 ++
 .../ERR_CONFLICT_HOST.html                    |  48 ++
 .../ERR_CONNECT_FAIL.html                     |  45 ++
 .../template_error_pages/ERR_DIR_LISTING.html |  46 ++
 .../template_error_pages/ERR_DNS_FAIL.html    |  47 ++
 .../proxy/template_error_pages/ERR_ESI.html   |  47 ++
 .../ERR_FORWARDING_DENIED.html                |  43 ++
 .../ERR_FTP_DISABLED.html                     |  43 ++
 .../template_error_pages/ERR_FTP_FAILURE.html |  47 ++
 .../ERR_FTP_FORBIDDEN.html                    |  47 ++
 .../ERR_FTP_NOT_FOUND.html                    |  49 ++
 .../ERR_FTP_PUT_CREATED.html                  |  31 +
 .../ERR_FTP_PUT_ERROR.html                    |  48 ++
 .../ERR_FTP_PUT_MODIFIED.html                 |  31 +
 .../ERR_FTP_UNAVAILABLE.html                  |  48 ++
 .../ERR_GATEWAY_FAILURE.html                  |  44 ++
 .../ERR_ICAP_FAILURE.html                     |  49 ++
 .../template_error_pages/ERR_INVALID_REQ.html |  57 ++
 .../ERR_INVALID_RESP.html                     |  44 ++
 .../template_error_pages/ERR_INVALID_URL.html |  50 ++
 .../ERR_LIFETIME_EXP.html                     |  42 ++
 .../template_error_pages/ERR_NO_RELAY.html    |  42 ++
 .../ERR_ONLY_IF_CACHED_MISS.html              |  42 ++
 .../ERR_PRECONDITION_FAILED.html              |  44 ++
 .../ERR_PROTOCOL_UNKNOWN.html                 |  42 ++
 .../template_error_pages/ERR_READ_ERROR.html  |  44 ++
 .../ERR_READ_TIMEOUT.html                     |  44 ++
 .../ERR_SECURE_CONNECT_FAIL.html              |  50 ++
 .../ERR_SHUTTING_DOWN.html                    |  38 +
 .../ERR_SOCKET_FAILURE.html                   |  44 ++
 .../template_error_pages/ERR_TOO_BIG.html     |  44 ++
 .../ERR_UNSUP_HTTPVERSION.html                |  42 ++
 .../template_error_pages/ERR_UNSUP_REQ.html   |  42 ++
 .../template_error_pages/ERR_URN_RESOLVE.html |  42 ++
 .../template_error_pages/ERR_WRITE_ERROR.html |  44 ++
 .../ERR_ZERO_SIZE_OBJECT.html                 |  42 ++
 .../template_error_pages/error-details.txt    | 227 ++++++
 .../proxy/template_error_pages/errorpage.css  | 104 +++
 .../OPNsense/Proxy/Api/ServiceController.php  | 157 ++++
 .../OPNsense/Proxy/Api/SettingsController.php | 334 +++++++++
 .../OPNsense/Proxy/Api/TemplateController.php | 102 +++
 .../OPNsense/Proxy/IndexController.php        |  52 ++
 .../Proxy/forms/dialogEditBlacklist.xml       |  51 ++
 .../Proxy/forms/dialogEditPACMatch.xml        |  92 +++
 .../Proxy/forms/dialogEditPACProxy.xml        |  26 +
 .../Proxy/forms/dialogEditPACRule.xml         |  40 +
 .../controllers/OPNsense/Proxy/forms/main.xml | 634 ++++++++++++++++
 .../library/OPNsense/Auth/Services/Squid.php  | 105 +++
 .../mvc/app/models/OPNsense/Proxy/ACL/ACL.xml |  11 +
 .../app/models/OPNsense/Proxy/Menu/Menu.xml   |  23 +
 .../OPNsense/Proxy/Migrations/M1_0_0.php      |  37 +
 .../mvc/app/models/OPNsense/Proxy/Proxy.php   |  90 +++
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml   | 686 ++++++++++++++++++
 .../mvc/app/views/OPNsense/Proxy/index.volt   | 602 +++++++++++++++
 .../scripts/proxy/deploy_error_pages.py       |  54 ++
 .../scripts/proxy/download_error_pages.py     |  53 ++
 .../src/opnsense/scripts/proxy/fetchACLs.py   | 381 ++++++++++
 .../opnsense/scripts/proxy/generate_cert.php  |  53 ++
 .../opnsense/scripts/proxy/lib/__init__.py    | 141 ++++
 www/squid/src/opnsense/scripts/proxy/setup.sh |  42 ++
 .../scripts/syslog/logformats/squid.py        | 107 +++
 .../service/conf/actions.d/actions_proxy.conf |  82 +++
 .../service/templates/OPNsense/Proxy/+TARGETS |  15 +
 .../templates/OPNsense/Proxy/auth.conf        |   3 +
 .../templates/OPNsense/Proxy/ca.pem.id        |   3 +
 .../templates/OPNsense/Proxy/cache.active     |   5 +
 .../OPNsense/Proxy/error_directory_in         |   7 +
 .../OPNsense/Proxy/externalACLs.conf          |  16 +
 .../templates/OPNsense/Proxy/newsyslog.conf   |   6 +
 .../templates/OPNsense/Proxy/nobumpsites.acl  |   5 +
 .../templates/OPNsense/Proxy/parentproxy.conf |  24 +
 .../templates/OPNsense/Proxy/post-auth.conf   |   3 +
 .../templates/OPNsense/Proxy/pre-auth.conf    |   3 +
 .../templates/OPNsense/Proxy/rc.conf.d        |   6 +
 .../templates/OPNsense/Proxy/snmp.conf        |   5 +
 .../templates/OPNsense/Proxy/squid.acl.conf   | 248 +++++++
 .../templates/OPNsense/Proxy/squid.conf       | 487 +++++++++++++
 .../templates/OPNsense/Proxy/squid.pam        |   5 +
 .../OPNsense/Proxy/squid.user.local_auth.conf |  13 +
 .../service/templates/OPNsense/Proxy/wpad.dat | 104 +++
 .../OPNsense/Syslog/local/squid_access.conf   |   6 +
 89 files changed, 7231 insertions(+)
 create mode 100644 www/squid/src/etc/inc/plugins.inc.d/squid.inc
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACCESS_DENIED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_CONFIGURE.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_WPAD.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_ACCESS_DENIED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CANNOT_FORWARD.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONFLICT_HOST.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONNECT_FAIL.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DIR_LISTING.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DNS_FAIL.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ESI.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FORWARDING_DENIED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_DISABLED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FAILURE.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FORBIDDEN.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_NOT_FOUND.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_CREATED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_ERROR.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_MODIFIED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_UNAVAILABLE.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_GATEWAY_FAILURE.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ICAP_FAILURE.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_REQ.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_RESP.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_URL.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_LIFETIME_EXP.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_NO_RELAY.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PRECONDITION_FAILED.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PROTOCOL_UNKNOWN.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_ERROR.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_TIMEOUT.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SECURE_CONNECT_FAIL.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SHUTTING_DOWN.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SOCKET_FAILURE.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_TOO_BIG.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_HTTPVERSION.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_REQ.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_URN_RESOLVE.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_WRITE_ERROR.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ZERO_SIZE_OBJECT.html
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/error-details.txt
 create mode 100644 www/squid/src/opnsense/data/proxy/template_error_pages/errorpage.css
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/IndexController.php
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditBlacklist.xml
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACMatch.xml
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACProxy.xml
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACRule.xml
 create mode 100644 www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
 create mode 100644 www/squid/src/opnsense/mvc/app/library/OPNsense/Auth/Services/Squid.php
 create mode 100644 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/ACL/ACL.xml
 create mode 100644 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Menu/Menu.xml
 create mode 100644 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Migrations/M1_0_0.php
 create mode 100644 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php
 create mode 100644 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
 create mode 100644 www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
 create mode 100755 www/squid/src/opnsense/scripts/proxy/deploy_error_pages.py
 create mode 100755 www/squid/src/opnsense/scripts/proxy/download_error_pages.py
 create mode 100755 www/squid/src/opnsense/scripts/proxy/fetchACLs.py
 create mode 100755 www/squid/src/opnsense/scripts/proxy/generate_cert.php
 create mode 100755 www/squid/src/opnsense/scripts/proxy/lib/__init__.py
 create mode 100755 www/squid/src/opnsense/scripts/proxy/setup.sh
 create mode 100755 www/squid/src/opnsense/scripts/syslog/logformats/squid.py
 create mode 100644 www/squid/src/opnsense/service/conf/actions.d/actions_proxy.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/auth.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/cache.active
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/error_directory_in
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/externalACLs.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/newsyslog.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/parentproxy.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/post-auth.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/pre-auth.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/snmp.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.pam
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Proxy/wpad.dat
 create mode 100644 www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 639759f605..c37bfef729 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.0.d
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/src/etc/inc/plugins.inc.d/squid.inc b/www/squid/src/etc/inc/plugins.inc.d/squid.inc
new file mode 100644
index 0000000000..87948be2bd
--- /dev/null
+++ b/www/squid/src/etc/inc/plugins.inc.d/squid.inc
@@ -0,0 +1,79 @@
+<?php
+
+/*
+ * Copyright (C) 2016 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function squid_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (
+        isset($config['OPNsense']['proxy']['general']['enabled']) &&
+        $config['OPNsense']['proxy']['general']['enabled'] == 1
+    ) {
+        $services[] = array(
+            'description' => gettext('Squid Web Proxy'),
+            'configd' => array(
+                'restart' => array('proxy restart'),
+                'start' => array('proxy start'),
+                'stop' => array('proxy stop'),
+            ),
+            'pidfile' => '/var/run/squid/squid.pid',
+            'name' => 'squid',
+        );
+    }
+
+    return $services;
+}
+
+function squid_xmlrpc_sync()
+{
+    $result = array();
+
+    $result[] = array(
+        'description' => gettext('Squid Web Proxy'),
+        'section' => 'OPNsense.proxy',
+        'id' => 'squid',
+        'services' => ["squid"],
+    );
+
+    return $result;
+}
+
+/**
+ * our squid instance by default logs to file, when syslog is selected, we need a target definition to catch traffic.
+ * which flushes our local traffic to /var/log/squid.log (which would otherwise end up in /var/log/squid/access.log)
+ */
+function squid_syslog()
+{
+    $logfacilities = array();
+    $logfacilities['squid'] = array(
+        'facility' => array('(squid-1)')
+    );
+    return $logfacilities;
+}
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACCESS_DENIED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACCESS_DENIED.html
new file mode 100644
index 0000000000..063b01a50f
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACCESS_DENIED.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Access Denied.</b></p>
+</blockquote>
+
+<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html
new file mode 100644
index 0000000000..b9cc38a12a
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Time Quota Exceeded.</b></p>
+</blockquote>
+
+<p>This proxy limits your time online with a quota. Your time budget is now empty but will be refilled when the configured time period starts again.</p>
+<p>These limits have been established by the Internet Service Provider who operates this cache. Please contact them directly if you feel this is an error.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_CONFIGURE.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_CONFIGURE.html
new file mode 100644
index 0000000000..8bb900dd4e
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_CONFIGURE.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>Web Browser Configuration</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>Web Browser Configuration</h2>
+</div>
+<hr>
+
+<div id="content">
+<blockquote id="error">
+<p>Your Web Browser configuration needs to be corrected to use this network.</p>
+</blockquote>
+
+<p>How to find these settings in your browser:</p>
+
+<div id="firefox">
+For Firefox browsers go to:
+<ul>
+<li>Tools -&gt; Options -&gt; Advanced -&gt; Network -&gt; Connection Settings</li>
+<li>In the HTTP proxy box type the proxy name %h and port %b.</li>
+</ul>
+</div>
+
+<div id="microsoft">
+For Internet Explorer browsers go to:
+<ul>
+<li>Tools -&gt; Internet Options -&gt; Connection -&gt; LAN Settings -&gt;Proxy</li>
+<li>In the HTTP proxy box type the proxy name %h and port %b.</li>
+</ul>
+</div>
+
+<div id="opera">
+For Opera browsers go to:
+<ul>
+<li>Tools -&gt; Preferences -&gt; Advanced -&gt; Network -&gt; Proxy Servers</li>
+<li>In the HTTP proxy box type the proxy name %h and port %b.</li>
+</ul>
+</div>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_WPAD.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_WPAD.html
new file mode 100644
index 0000000000..a1ea43a2ad
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_WPAD.html
@@ -0,0 +1,64 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>Web Browser Configuration</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>Web Browser Configuration</h2>
+</div>
+<hr>
+
+<div id="content">
+<blockquote id="error">
+<p>Your Web Browser configuration needs to be corrected to use this network.</p>
+</blockquote>
+
+<p>How to find these settings in your browser:</p>
+
+<div id="firefox">
+For Firefox browsers go to:
+<ul>
+<li>Tools -&gt; Options -&gt; Advanced -&gt; Network -&gt; Connection Settings</li>
+<li>Select Auto-detect proxy settings for this network</li>
+</ul>
+</div>
+
+<div id="microsoft">
+For Internet Explorer browsers go to:
+<ul>
+<li>Tools -&gt; Internet Options -&gt; Connection -&gt; LAN Settings -&gt;Proxy</li>
+<li>Select Automatically detect settings</li>
+</ul>
+</div>
+
+<div id="opera">
+For Opera browsers go to:
+<ul>
+<li>Tools -&gt; Preferences -&gt; Advanced -&gt; Network -&gt; Proxy Servers</li>
+<li>Select Use Automatic proxy configuration</li>
+</ul>
+</div>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_ACCESS_DENIED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_ACCESS_DENIED.html
new file mode 100644
index 0000000000..576d19ca72
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_ACCESS_DENIED.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: Cache Access Denied</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>Cache Access Denied.</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Cache Access Denied.</b></p>
+</blockquote>
+
+<p>Sorry, you are not currently allowed to request %U from this cache until you have authenticated yourself.</p>
+
+<p>Please contact the <a href="mailto:%w%W">cache administrator</a> if you have difficulties authenticating yourself.</p>
+
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html
new file mode 100644
index 0000000000..dcd746392d
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: Cache Manager Access Denied</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>Cache Manager Access Denied.</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Cache Manager Access Denied.</b></p>
+</blockquote>
+
+<p>Sorry, you are not currently allowed to request %U from this cache manager until you have authenticated yourself.</p>
+
+<p>Please contact the <a href="mailto:%w%W">cache administrator</a> if you have difficulties authenticating yourself or, if you <em>are</em> the administrator, read Squid documentation on cache manager interface and check cache log for more detailed error messages.</p>
+
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CANNOT_FORWARD.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CANNOT_FORWARD.html
new file mode 100644
index 0000000000..620cdc8ebd
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CANNOT_FORWARD.html
@@ -0,0 +1,50 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Unable to forward this request at this time.</b></p>
+</blockquote>
+
+<p>This request could not be forwarded to the origin server or to any parent caches.</p>
+
+<p>Some possible problems are:</p>
+<ul>
+<li id="network-down">An Internet connection needed to access this domains origin servers may be down.</li>
+<li id="no-peer">All configured parent caches may be currently unreachable.</li>
+<li id="permission-denied">The administrator may not allow this cache to make direct connections to origin servers.</li>
+</ul>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONFLICT_HOST.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONFLICT_HOST.html
new file mode 100644
index 0000000000..d926dbf1c9
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONFLICT_HOST.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="data">
+<pre>URI Host Conflict</pre>
+</blockquote>
+
+<p>This means the domain name you are trying to access apparently no longer exists on the machine you are requesting it from.</p>
+
+<p>Some possible problems are:</p>
+<ul>
+<li>The domain may have moved very recently. Trying again will resolve that.</li>
+<li>The website may require you to use a local country-based version. Using your ISP provided DNS server(s) should resolve that.</li>
+</ul>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONNECT_FAIL.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONNECT_FAIL.html
new file mode 100644
index 0000000000..3bc06e9598
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONNECT_FAIL.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" CONTENT="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Connection to %I failed.</b></p>
+</blockquote>
+
+<p id="sysmsg">The system returned: <i>%E</i></p>
+
+<p>The remote host or network may be down. Please try the request again.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DIR_LISTING.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DIR_LISTING.html
new file mode 100644
index 0000000000..22a56f024c
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DIR_LISTING.html
@@ -0,0 +1,46 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>Directory: %U</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h2>Directory: <a href="%U">%U</a>/</h2>
+</div>
+<hr>
+
+<div id="content">
+<h4>Directory Content:</h4>
+
+<blockquote id="data">
+<pre id="dirmsg">%z</pre>
+</blockquote>
+
+<table id="dirlisting" summary="Directory Listing">
+<tr>
+<th><a href="../"><img border="0" src="/squid-internal-static/icons/silk/arrow_up.png" alt=""></a></th>
+<th nowrap="nowrap"><a href="../">Parent Directory</a> (<a href="/">Root Directory</a>)</th>
+</tr>
+
+%g
+
+</table>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DNS_FAIL.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DNS_FAIL.html
new file mode 100644
index 0000000000..a1e97c2249
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DNS_FAIL.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Unable to determine IP address from host name <q>%H</q></b></p>
+</blockquote>
+
+<p>The DNS server returned:</p>
+<blockquote id="data">
+<pre>%z</pre>
+</blockquote>
+
+<p>This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ESI.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ESI.html
new file mode 100644
index 0000000000..c847b3a81e
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ESI.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>ESI Processing failed.</b></p>
+</blockquote>
+
+<p>The ESI processor returned:</p>
+<blockquote id="data">
+<pre>%Z</pre>
+</blockquote>
+
+<p>This means that the surrogate was not able to process the ESI template. Please report this error to the webmaster.</p>
+
+<p>Your webmaster is <a href="mailto:%w">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FORWARDING_DENIED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FORWARDING_DENIED.html
new file mode 100644
index 0000000000..1ee086629e
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FORWARDING_DENIED.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Forwarding Denied.</b></p>
+</blockquote>
+
+<p>This cache will not forward your request because it is trying to enforce a sibling relationship. Perhaps the client at %i is a cache which has been misconfigured.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_DISABLED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_DISABLED.html
new file mode 100644
index 0000000000..ae10566417
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_DISABLED.html
@@ -0,0 +1,43 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>FTP is Disabled</b></p>
+</blockquote>
+
+<p>This cache does not support FTP.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FAILURE.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FAILURE.html
new file mode 100644
index 0000000000..ba440432aa
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FAILURE.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>An FTP protocol error occurred while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<p>Squid sent the following FTP command:</p>
+<blockquote id="data">
+<pre>%f</pre>
+</blockquote>
+
+<p>The server responded with:</p>
+<blockquote id="error">
+<pre>%F</pre>
+<pre>%g</pre>
+</blockquote>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FORBIDDEN.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FORBIDDEN.html
new file mode 100644
index 0000000000..9e14d57817
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FORBIDDEN.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>An FTP authentication failure occurred while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<p>Squid sent the following FTP command:</p>
+<blockquote id="data">
+<pre>%f</pre>
+</blockquote>
+
+<p>The server responded with:</p>
+<blockquote id="sysmsg">
+<pre>%F</pre>
+<pre>%g</pre>
+</blockquote>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_NOT_FOUND.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_NOT_FOUND.html
new file mode 100644
index 0000000000..ae526a61e8
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_NOT_FOUND.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following URL could not be retrieved: <a href="%U">%U</a></p>
+
+<p>Squid sent the following FTP command:</p>
+<blockquote id="data">
+<pre>%f</pre>
+</blockquote>
+
+<p>The server responded with:</p>
+<blockquote id="sysmsg">
+<pre>%F</pre>
+<pre>%g</pre>
+</blockquote>
+
+<p>This might be caused by an FTP URL with an absolute path (which does not comply with RFC 1738). If this is the cause, then the file can be found at <a href="%B">%B</a>.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_CREATED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_CREATED.html
new file mode 100644
index 0000000000..e379e827b4
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_CREATED.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>FTP PUT Successful.</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1 id="ftpsuccess">Operation successful</h1>
+<h2>File created</h2>
+</div>
+<hr>
+
+<br>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_ERROR.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_ERROR.html
new file mode 100644
index 0000000000..ba24c81d8e
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_ERROR.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: FTP upload failed</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>FTP PUT upload failed</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>An FTP protocol error occurred while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<p>Squid sent the following FTP command:</p>
+<blockquote id="data">
+<pre>%f</pre>
+</blockquote>
+
+<p>The server responded with:</p>
+<blockquote id="sysmsg">
+<pre>%F</pre>
+</blockquote>
+
+<p>This means that the FTP server may not have permission or space to store the file. Check the path, permissions, diskspace and try again.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_MODIFIED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_MODIFIED.html
new file mode 100644
index 0000000000..103e5303d6
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_MODIFIED.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>FTP PUT Successful.</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1 id="ftpsuccess">Operation successful</h1>
+<h2>File updated</h2>
+</div>
+<hr>
+
+<br>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_UNAVAILABLE.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_UNAVAILABLE.html
new file mode 100644
index 0000000000..e2be1df13d
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_UNAVAILABLE.html
@@ -0,0 +1,48 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The FTP server was too busy to retrieve the URL: <a href="%U">%U</a></p>
+
+<p>Squid sent the following FTP command:</p>
+
+<blockquote id="data">
+<pre>%f</pre>
+</blockquote>
+
+<p>The server responded with:</p>
+<blockquote id="sysmsg">
+<pre>%F</pre>
+<pre>%g</pre>
+</blockquote>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_GATEWAY_FAILURE.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_GATEWAY_FAILURE.html
new file mode 100644
index 0000000000..25db70133c
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_GATEWAY_FAILURE.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Gateway Proxy Failure</b></p>
+</blockquote>
+
+<p>A non-recoverable internal failure or configuration problem prevents this request from being completed.</p>
+
+<p>This may be due to limits established by the Internet Service Provider who operates this cache. Please contact them directly for more information.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ICAP_FAILURE.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ICAP_FAILURE.html
new file mode 100644
index 0000000000..ded668d641
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ICAP_FAILURE.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>ICAP protocol error.</b></p>
+</blockquote>
+
+<p id="sysmsg">The system returned: <i>%E</i></p>
+
+<p>This means that some aspect of the ICAP communication failed.</p>
+
+<p>Some possible problems are:</p>
+<ul>
+<li><p>The ICAP server is not reachable.</p></li>
+<li><p>An Illegal response was received from the ICAP server.</p></li>
+</ul>
+
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_REQ.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_REQ.html
new file mode 100644
index 0000000000..63287aeb44
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_REQ.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p><b>Invalid Request</b> error was encountered while trying to process the request:</p>
+
+<blockquote id="data">
+<pre>%R</pre>
+</blockquote>
+
+<p>Some possible problems are:</p>
+<ul>
+<li id="missing-method"><p>Missing or unknown request method.</p></li>
+<li id="missing-url"><p>Missing URL.</p></li>
+<li id="missing-protocol"><p>Missing HTTP Identifier (HTTP/1.0).</p></li>
+<li><p>Request is too large.</p></li>
+<li><p>Content-Length missing for POST or PUT requests.</p></li>
+<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
+<li><p>HTTP/1.1 <q>Expect:</q> feature is being asked from an HTTP/1.0 software.</p></li>
+</ul>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<script language="javascript">
+if ('%M' != '[unknown method]') document.getElementById('missing-method').style.display = 'none';
+if ('%u' != '[no URL]') document.getElementById('missing-url').style.display = 'none';
+if ('%P' != '[unknown protocol]') document.getElementById('missing-protocol').style.display = 'none';
+</script>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_RESP.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_RESP.html
new file mode 100644
index 0000000000..72a381dfd3
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_RESP.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p><b>Invalid Response</b> error was encountered while trying to process the request:</p>
+
+<blockquote id="data">
+<pre>%R</pre>
+</blockquote>
+
+<p>The HTTP Response message received from the contacted server could not be understood or was otherwise malformed. Please contact the site operator.</p>
+
+<p>Your cache administrator may be able to provide you with more details about the exact nature of the problem if needed.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_URL.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_URL.html
new file mode 100644
index 0000000000..e13755f45b
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_URL.html
@@ -0,0 +1,50 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Invalid URL</b></p>
+</blockquote>
+
+<p>Some aspect of the requested URL is incorrect.</p>
+
+<p>Some possible problems are:</p>
+<ul>
+<li><p>Missing or incorrect access protocol (should be <q>http://</q> or similar)</p></li>
+<li><p>Missing hostname</p></li>
+<li><p>Illegal double-escape in the URL-Path</p></li>
+<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
+</ul>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_LIFETIME_EXP.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_LIFETIME_EXP.html
new file mode 100644
index 0000000000..100e75f229
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_LIFETIME_EXP.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Connection Lifetime Expired</b></p>
+</blockquote>
+
+<p>Squid has terminated the request because it has exceeded the maximum connection lifetime.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_NO_RELAY.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_NO_RELAY.html
new file mode 100644
index 0000000000..7068131b2e
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_NO_RELAY.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>No Wais Relay</b></p>
+</blockquote>
+
+<p>There is no WAIS Relay host defined for this Cache! Yell at the administrator.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html
new file mode 100644
index 0000000000..f91c79e9fd
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Valid document was not found in the cache and <q>only-if-cached</q> directive was specified.</b></p>
+</blockquote>
+
+<p>You have issued a request with a <q>only-if-cached</q> cache control directive. The document was not found in the cache, <em>or</em> it required revalidation prohibited by the <q>only-if-cached</q> directive.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PRECONDITION_FAILED.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PRECONDITION_FAILED.html
new file mode 100644
index 0000000000..c34728485c
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PRECONDITION_FAILED.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Precondition Failed.</b></p>
+</blockquote>
+
+<p>This means:</p>
+<blockquote>
+    <p>At least one precondition specified by the HTTP client in the request header has failed.</p>
+</blockquote>
+
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PROTOCOL_UNKNOWN.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PROTOCOL_UNKNOWN.html
new file mode 100644
index 0000000000..b61de9c99c
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PROTOCOL_UNKNOWN.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Unsupported Protocol</b></p>
+</blockquote>
+
+<p>Squid does not support some access protocols. For example, the SSH protocol is currently not supported.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_ERROR.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_ERROR.html
new file mode 100644
index 0000000000..b699225a8e
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_ERROR.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Read Error</b></p>
+</blockquote>
+
+<p id="sysmsg">The system returned: <i>%E</i></p>
+
+<p>An error condition occurred while reading data from the network. Please retry your request.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_TIMEOUT.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_TIMEOUT.html
new file mode 100644
index 0000000000..2576ffa58e
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_TIMEOUT.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Read Timeout</b></p>
+</blockquote>
+
+<p id="sysmsg">The system returned: <i>%E</i></p>
+
+<p>A Timeout occurred while waiting to read data from the network. The network or server may be down or congested. Please retry your request.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SECURE_CONNECT_FAIL.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SECURE_CONNECT_FAIL.html
new file mode 100644
index 0000000000..0046c8e1ce
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SECURE_CONNECT_FAIL.html
@@ -0,0 +1,50 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Failed to establish a secure connection to %I</b></p>
+</blockquote>
+
+<div id="sysmsg">
+<p>The system returned:</p>
+<blockquote id="data">
+<pre>%E (TLS code: %x)</pre>
+<p>%D</p>
+</blockquote>
+</div>
+
+<p>This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SHUTTING_DOWN.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SHUTTING_DOWN.html
new file mode 100644
index 0000000000..3a668ea148
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SHUTTING_DOWN.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<p>This cache is in the process of shutting down and can not service your request at this time. Please retry your request again soon.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SOCKET_FAILURE.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SOCKET_FAILURE.html
new file mode 100644
index 0000000000..025c0f77d3
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SOCKET_FAILURE.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Socket Failure</b></p>
+</blockquote>
+
+<p id="sysmsg">The system returned: <i>%E</i></p>
+
+<p>Squid is unable to create a TCP socket, presumably due to excessive load. Please retry your request.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_TOO_BIG.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_TOO_BIG.html
new file mode 100644
index 0000000000..b12de395b0
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_TOO_BIG.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>The request or reply is too large.</b></p>
+</blockquote>
+
+<p>If you are making a POST or PUT request, then the item you are trying to upload is too large.</p>
+<p>If you are making a GET request, then the item you are trying to download is too large.</p>
+<p>These limits have been established by the Internet Service Provider who operates this cache. Please contact them directly if you feel this is an error.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_HTTPVERSION.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_HTTPVERSION.html
new file mode 100644
index 0000000000..457bc200e0
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_HTTPVERSION.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>Unsupported HTTP version</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Unsupported HTTP version</b></p>
+</blockquote>
+
+<p>This Squid does not accept the HTTP version you are attempting to use.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_REQ.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_REQ.html
new file mode 100644
index 0000000000..589691eca1
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_REQ.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Unsupported Request Method and Protocol</b></p>
+</blockquote>
+
+<p>Squid does not support all request methods for all access protocols.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_URN_RESOLVE.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_URN_RESOLVE.html
new file mode 100644
index 0000000000..d260dfe32c
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_URN_RESOLVE.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URN could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>A URL for the requested URN could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URN: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Cannot Resolve URN</b></p>
+</blockquote>
+
+<p>Hey, don't expect too much from URNs on %T :)</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_WRITE_ERROR.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_WRITE_ERROR.html
new file mode 100644
index 0000000000..b7414f3401
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_WRITE_ERROR.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Write Error</b></p>
+</blockquote>
+
+<p id="sysmsg">The system returned: <i>%E</i></p>
+
+<p>An error condition occurred while writing to the network. Please retry your request.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ZERO_SIZE_OBJECT.html b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ZERO_SIZE_OBJECT.html
new file mode 100644
index 0000000000..0fca1a8ef1
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ZERO_SIZE_OBJECT.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html><head>
+<meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>ERROR: The requested URL could not be retrieved</title>
+<!--EMBED:start-->
+<!-- leave this block as is, our parser will convert links to inline content -->
+<link rel="stylesheet" type="text/css" href="errorpage.css">
+<!--EMBED:end -->
+<style type="text/css"><!--
+ %l
+
+body
+:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya, sans-serif; float: right; }
+:lang(he) { direction: rtl; }
+ --></style>
+</head><body id=%c>
+<div id="titles">
+<h1>ERROR</h1>
+<h2>The requested URL could not be retrieved</h2>
+</div>
+<hr>
+
+<div id="content">
+<p>The following error was encountered while trying to retrieve the URL: <a href="%U">%U</a></p>
+
+<blockquote id="error">
+<p><b>Zero Sized Reply</b></p>
+</blockquote>
+
+<p>Squid did not receive any data for this request.</p>
+
+<p>Your cache administrator is <a href="mailto:%w%W">%w</a>.</p>
+<br>
+</div>
+
+<hr>
+<div id="footer">
+<p>Generated %T by %h (%s)</p>
+<!-- %c -->
+</div>
+</body></html>
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/error-details.txt b/www/squid/src/opnsense/data/proxy/template_error_pages/error-details.txt
new file mode 100644
index 0000000000..881add9909
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/error-details.txt
@@ -0,0 +1,227 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
+name: SQUID_TLS_ERR_ACCEPT
+detail: "%ssl_error_descr: %ssl_lib_error"
+descr: "Failed to accept a secure connection"
+
+name: SQUID_TLS_ERR_CONNECT
+detail: "%ssl_error_descr: %ssl_lib_error"
+descr: "Failed to establish a secure connection"
+
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
+name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+detail: "SSL Certificate error: certificate issuer (CA) not known: %ssl_ca_name"
+descr: "Unable to get issuer certificate"
+
+name: X509_V_ERR_UNABLE_TO_GET_CRL
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unable to get certificate CRL"
+
+name: X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unable to decrypt certificate's signature"
+
+name: X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unable to decrypt CRL's signature"
+
+name: X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+detail: "Unable to decode issuer (CA) public key: %ssl_ca_name"
+descr: "Unable to decode issuer public key"
+
+name: X509_V_ERR_CERT_SIGNATURE_FAILURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate signature failure"
+
+name: X509_V_ERR_CRL_SIGNATURE_FAILURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL signature failure"
+
+name: X509_V_ERR_CERT_NOT_YET_VALID
+detail: "SSL Certificate is not valid before: %ssl_notbefore"
+descr: "Certificate is not yet valid"
+
+name: X509_V_ERR_CERT_HAS_EXPIRED
+detail: "SSL Certificate expired on: %ssl_notafter"
+descr: "Certificate has expired"
+
+name: X509_V_ERR_CRL_NOT_YET_VALID
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL is not yet valid"
+
+name: X509_V_ERR_CRL_HAS_EXPIRED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL has expired"
+
+name: X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+detail: "SSL Certificate has invalid start date (the 'not before' field): %ssl_subject"
+descr: "Format error in certificate's notBefore field"
+
+name: X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+detail: "SSL Certificate has invalid expiration date (the 'not after' field): %ssl_subject"
+descr: "Format error in certificate's notAfter field"
+
+name: X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Format error in CRL's lastUpdate field"
+
+name: X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Format error in CRL's nextUpdate field"
+
+name: X509_V_ERR_OUT_OF_MEM
+detail: "%ssl_error_descr"
+descr: "Out of memory"
+
+name: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+detail: "Self-signed SSL Certificate: %ssl_subject"
+descr: "Self signed certificate"
+
+name: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+detail: "Self-signed SSL Certificate in chain: %ssl_subject"
+descr: "Self signed certificate in certificate chain"
+
+name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+detail: "SSL Certificate error: certificate issuer (CA) not known: %ssl_ca_name"
+descr: "Unable to get local issuer certificate"
+
+name: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unable to verify the first certificate"
+
+name: X509_V_ERR_CERT_CHAIN_TOO_LONG
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate chain too long"
+
+name: X509_V_ERR_CERT_REVOKED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate revoked"
+
+name: X509_V_ERR_INVALID_CA
+detail: "%ssl_error_descr: %ssl_ca_name"
+descr: "Invalid CA certificate"
+
+name: X509_V_ERR_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Path length constraint exceeded"
+
+name: X509_V_ERR_INVALID_PURPOSE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported certificate purpose"
+
+name: X509_V_ERR_CERT_UNTRUSTED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate not trusted"
+
+name: X509_V_ERR_CERT_REJECTED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate rejected"
+
+name: X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+detail: "%ssl_error_descr: %ssl_ca_name"
+descr: "Subject issuer mismatch"
+
+name: X509_V_ERR_AKID_SKID_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Authority and subject key identifier mismatch"
+
+name: X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+detail: "%ssl_error_descr: %ssl_ca_name"
+descr: "Authority and issuer serial number mismatch"
+
+name: X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Key usage does not include certificate signing"
+
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
+name: X509_V_ERR_APPLICATION_VERIFICATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Application verification failure"
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/errorpage.css b/www/squid/src/opnsense/data/proxy/template_error_pages/errorpage.css
new file mode 100644
index 0000000000..1efbf0e059
--- /dev/null
+++ b/www/squid/src/opnsense/data/proxy/template_error_pages/errorpage.css
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+/*
+ Stylesheet for Squid Error pages
+ Adapted from design by Free CSS Templates
+ http://www.freecsstemplates.org
+ Released for free under a Creative Commons Attribution 2.5 License
+*/
+
+/* Page basics */
+* {
+	font-family: verdana, sans-serif;
+}
+
+html body {
+	margin: 0;
+	padding: 0;
+	background: #efefef;
+	font-size: 12px;
+	color: #1e1e1e;
+}
+
+/* Page displayed title area */
+#titles {
+	margin-left: 15px;
+	padding: 10px;
+	padding-left: 130px;
+	background: url('data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjwhRE9DVFlQRSBzdmcgUFVCTElDICItLy9XM0MvL0RURCBTVkcgMS4xLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL0dyYXBoaWNzL1NWRy8xLjEvRFREL3N2ZzExLmR0ZCI+Cjxzdmcgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgdmlld0JveD0iMCAwIDk1IDk4IiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHhtbDpzcGFjZT0icHJlc2VydmUiIHhtbG5zOnNlcmlmPSJodHRwOi8vd3d3LnNlcmlmLmNvbS8iIHN0eWxlPSJmaWxsLXJ1bGU6ZXZlbm9kZDtjbGlwLXJ1bGU6ZXZlbm9kZDtzdHJva2UtbGluZWpvaW46cm91bmQ7c3Ryb2tlLW1pdGVybGltaXQ6MS40MTQyMTsiPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHBhdGggZD0iTTk0Ljc0Nyw5LjAxMUw4Ny40NTcsOS4wMTFMODcuNDU3LDcuNDk1TDEwLjc2OCw3LjQ5NUMxMC40NTYsNy40OTUgMTAuMjEsNy41MzkgOS44OTgsNy42MDZMOS44NzYsNy42MDZMOS40OTcsNy43NEw5LjQzLDcuNzYyTDkuMzg2LDcuNzg1TDkuMzE5LDcuODI5TDkuMDI5LDcuOTg1TDguOTYyLDguMDA3TDguOTYyLDguMDNMOC44MjgsOC4wOTdMOC43MTcsOC4xODZMOC42NzIsOC4yM0w4LjYwNSw4LjI3NUw4LjU2MSw4LjI5N0w4LjU2MSw4LjMyTDguNTE2LDguMzY0TDguNDQ5LDguNDA5TDguNDA1LDguNDUzTDguMzYsOC40OThMOC4yNDksOC42MDlMOC4yMjYsOC42NTRMOC4xNTksOC43MjFMOC4xMTUsOC43NDNMOC4xMzcsOC43NDNMOC4wNyw4LjgxTDguMDQ4LDguODMyTDguMDQ4LDguODU1TDguMDAzLDguODk5TDguMDAzLDguOTIyTDcuOTU5LDguOTY2TDcuOTM2LDkuMDExTDAuMjksOS4wMTFMMC4yOSw4LjQ5OEMxLjQyNywzLjYzOCA1LjcwNywwLjAwNCAxMC43NjgsMC4wMDRMOTQuNzQ3LDAuMDA0TDk0Ljc0Nyw5LjAxMVoiIHN0eWxlPSJmaWxsOnJnYigyMjcsMjI4LDIyOSk7ZmlsbC1ydWxlOm5vbnplcm87Ii8+CiAgICA8L2c+CiAgICA8ZyB0cmFuc2Zvcm09Im1hdHJpeCgxLDAsMCwxLDAsLTAuMDA0MTU0NzEpIj4KICAgICAgICA8cGF0aCBkPSJNODcuNDU3LDcuNTE3TDk0Ljc0NywzLjU5M0w5NC43NDcsMTEuMDg0TDg3LjQ3OSwxNC45ODVMODcuNDU3LDE0Ljk4NUw4Ny40NTcsNy41MTdaIiBzdHlsZT0iZmlsbDp1cmwoI19MaW5lYXIxKTtmaWxsLXJ1bGU6bm9uemVybzsiLz4KICAgIDwvZz4KICAgIDxnIHRyYW5zZm9ybT0ibWF0cml4KDEsMCwwLDEsMCwtMC4wMDQxNTQ3MSkiPgogICAgICAgIDxwYXRoIGQ9Ik0yLjAwNiw0LjY2M0w4LjY3Miw4LjIzTDguNjA1LDguMjc1TDguNTYxLDguMjk3TDguNTYxLDguMzJMOC41MTYsOC4zNjRMOC40NDksOC40MDlMOC40MDUsOC40NTNMOC4zNiw4LjQ5OEw4LjI0OSw4LjYwOUw4LjIyNiw4LjY1NEw4LjE1OSw4LjcyMUw4LjExNSw4Ljc0M0w4LjEzNyw4Ljc0M0w4LjA3LDguODFMOC4wNDgsOC44MzJMOC4wNDgsOC44NTVMOC4wMDMsOC44OTlMOC4wMDMsOC45MjJMNy45NTksOC45NjZMNy44OTIsOS4wNzhMNy44Nyw5LjFMNy44MDMsOS4yMTFMNy43NTgsOS4yNzhMNy43NTgsOS4zTDcuNjAyLDkuNTY4TDcuNjAyLDkuNTlMNy41OCw5LjY1N0w3LjU1Nyw5LjcwMkw3LjUzNSw5Ljc0Nkw3LjUzNSw5Ljc2OUw3LjQwMSwxMC4xOTJDNy40MDEsMTAuMTcgNy4yOSwxMC43NzIgNy4yOSwxMS4wNjJMNy4yOSwxNC45ODVMMCwxMS4wODRMMCwxMS4wNjJDMCw4LjY3NiAwLjczNiw2LjQ2OSAyLjAwNiw0LjY2M1oiIHN0eWxlPSJmaWxsOnVybCgjX0xpbmVhcjIpO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHJlY3QgeD0iMTQuNTgiIHk9IjE0Ljk4NSIgd2lkdGg9IjY1LjU4NyIgaGVpZ2h0PSI3LjQ5MSIgc3R5bGU9ImZpbGw6cmdiKDE0NywxNDYsMTQ2KTtmaWxsLXJ1bGU6bm9uemVybzsiLz4KICAgIDwvZz4KICAgIDxnIHRyYW5zZm9ybT0ibWF0cml4KDEsMCwwLDEsMCwtMC4wMDQxNTQ3MSkiPgogICAgICAgIDxwYXRoIGQ9Ik0wLDg4LjM3NUw3LjI5LDg4LjM3NUw3LjI5LDg5Ljg2OUw4My45NzksODkuODY5Qzg0LjI5MSw4OS44NjkgODQuNTM3LDg5Ljg0NyA4NC44MjYsODkuNzU3TDg0Ljg0OSw4OS43NTdMODUuMjUsODkuNjI0TDg1LjI5NSw4OS42MDFMODUuMzM5LDg5LjU3OUw4NS40MjgsODkuNTU3TDg1LjY5Niw4OS40MDFMODUuNzYzLDg5LjM1Nkw4NS43ODUsODkuMzU2TDg1Ljg5Niw4OS4yNjdMODYuMDA4LDg5LjJMODYuMDA4LDg5LjE3OEw4Ni4wNzUsODkuMTMzTDg2LjE0Miw4OS4wODlMODYuMTY0LDg5LjA2Nkw4Ni4yMzEsODkuMDIyTDg2LjI5OCw4OC45NTVMODYuMzIsODguOTMzTDg2LjMyLDg4LjkxTDg2LjM2NSw4OC44ODhMODYuNDc2LDg4Ljc3Nkw4Ni40NzYsODguNzU0TDg2LjUyMSw4OC43MzJMODYuNTY1LDg4LjY2NUw4Ni42MSw4OC42Mkw4Ni42NTQsODguNTU0TDg2LjY3Nyw4OC41MzFMODYuNzIxLDg4LjQ2NEw4Ni43NjYsODguMzk3TDg2Ljc4OCw4OC4zOTdMODYuODEsODguMzc1TDk0LjQzNSw4OC4zNzVMOTQuNDM1LDg4Ljg4OEM5My4yOTgsOTMuNzQ4IDg5LjA0LDk3LjM1OSA4My45NzksOTcuMzU5TDAsOTcuMzU5TDAsODkuOTU4TDAsODkuODY5TDAsODguMzc1WiIgc3R5bGU9ImZpbGw6cmdiKDIyNywyMjgsMjI5KTtmaWxsLXJ1bGU6bm9uemVybzsiLz4KICAgIDwvZz4KICAgIDxnIHRyYW5zZm9ybT0ibWF0cml4KDEsMCwwLDEsMCwtMC4wMDQxNTQ3MSkiPgogICAgICAgIDxwYXRoIGQ9Ik03LjI5LDg5Ljg2OUwwLDkzLjc3TDAsODkuOTU4TDAsODkuODY5TDAsODYuMjhMNy4yNDUsODIuMzc4TDcuMjksODIuMzc4TDcuMjksODkuODY5WiIgc3R5bGU9ImZpbGw6dXJsKCNfTGluZWFyMyk7ZmlsbC1ydWxlOm5vbnplcm87Ii8+CiAgICA8L2c+CiAgICA8ZyB0cmFuc2Zvcm09Im1hdHJpeCgxLDAsMCwxLDAsLTAuMDA0MTU0NzEpIj4KICAgICAgICA8cGF0aCBkPSJNOTIuNzQxLDkyLjdMODYuMDc1LDg5LjEzM0w4Ni4xNDIsODkuMDg5TDg2LjE2NCw4OS4wNjZMODYuMjMxLDg5LjAyMkw4Ni4yOTgsODguOTU1TDg2LjMyLDg4LjkzM0w4Ni4zMiw4OC45MUw4Ni4zNjUsODguODg4TDg2LjQ3Niw4OC43NzZMODYuNDc2LDg4Ljc1NEw4Ni41MjEsODguNzMyTDg2LjU2NSw4OC42NjVMODYuNjEsODguNjJMODYuNjU0LDg4LjU1NEw4Ni42NzcsODguNTMxTDg2LjcyMSw4OC40NjRMODYuNzY2LDg4LjM5N0w4Ni43ODgsODguMzk3TDg2Ljg1NSw4OC4yODZMODYuOTQ0LDg4LjE1Mkw4Ni45ODksODguMDg1TDg3LjEyMyw4Ny43OTZMODcuMTQ1LDg3Ljc3M0w4Ny4xNjcsODcuNzI5TDg3LjE2Nyw4Ny43MDZMODcuMTg5LDg3LjY2Mkw4Ny4xODksODcuNjM5TDg3LjIxMiw4Ny42MTdMODcuMzQ2LDg3LjE5NEM4Ny4zNDYsODcuMTk0IDg3LjQ1Nyw4Ni41OTIgODcuNDU3LDg2LjMwMkw4Ny40NTcsODIuNDAxTDk0Ljc0Nyw4Ni4yOEw5NC43NDcsODYuMzAyQzk0LjcyNSw4OC42ODcgOTMuOTg5LDkwLjg5NCA5Mi43NDEsOTIuN1oiIHN0eWxlPSJmaWxsOnVybCgjX0xpbmVhcjQpO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHJlY3QgeD0iNy4yOSIgeT0iMjkuOTY2IiB3aWR0aD0iMjguMDIzIiBoZWlnaHQ9IjcuNDkxIiBzdHlsZT0iZmlsbDpyZ2IoMTcwLDE3MSwxNzEpO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHBhdGggZD0iTTIxLjE1NiwzNy40NTdMNy4yOSwzMC4wMTFMNy4yOSwyOS45NjZMMjEuNDAyLDI5Ljk2NkwzNS4zMTMsMzcuNDEyTDM1LjMxMywzNy40NTdMMjEuMTU2LDM3LjQ1N1oiIHN0eWxlPSJmaWxsOnVybCgjX0xpbmVhcjUpO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHJlY3QgeD0iNTkuNDEyIiB5PSIyOS45NjYiIHdpZHRoPSIyOC4wNDUiIGhlaWdodD0iNy40OTEiIHN0eWxlPSJmaWxsOnJnYigxNzAsMTcxLDE3MSk7ZmlsbC1ydWxlOm5vbnplcm87Ii8+CiAgICA8L2c+CiAgICA8ZyB0cmFuc2Zvcm09Im1hdHJpeCgxLDAsMCwxLDAsLTAuMDA0MTU0NzEpIj4KICAgICAgICA8cGF0aCBkPSJNNzMuNTY4LDM3LjQ1N0w4Ny40NTcsMzAuMDExTDg3LjQ1NywyOS45NjZMNzMuMzIzLDI5Ljk2Nkw1OS40MTIsMzcuNDEyTDU5LjQxMiwzNy40NTdMNzMuNTY4LDM3LjQ1N1oiIHN0eWxlPSJmaWxsOnVybCgjX0xpbmVhcjYpO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHJlY3QgeD0iNTkuNDEyIiB5PSI1OS45MjkiIHdpZHRoPSIyOC4wNDUiIGhlaWdodD0iNy40OTEiIHN0eWxlPSJmaWxsOnJnYigxNzAsMTcxLDE3MSk7ZmlsbC1ydWxlOm5vbnplcm87Ii8+CiAgICA8L2c+CiAgICA8ZyB0cmFuc2Zvcm09Im1hdHJpeCgxLDAsMCwxLDAsLTAuMDA0MTU0NzEpIj4KICAgICAgICA8cGF0aCBkPSJNNzMuNTY4LDU5LjkyOUw4Ny40NTcsNjcuMzUyTDg3LjQ1Nyw2Ny40MTlMNzMuMzIzLDY3LjQxOUw1OS40MTIsNTkuOTUxTDU5LjQxMiw1OS45MjlMNzMuNTY4LDU5LjkyOVoiIHN0eWxlPSJmaWxsOnVybCgjX0xpbmVhcjcpO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHJlY3QgeD0iNy4yOSIgeT0iNTkuOTI5IiB3aWR0aD0iMjguMDIzIiBoZWlnaHQ9IjcuNDkxIiBzdHlsZT0iZmlsbDpyZ2IoMTcwLDE3MSwxNzEpO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHBhdGggZD0iTTIxLjE1Niw1OS45MjlMNy4yOSw2Ny4zNTJMNy4yOSw2Ny40MTlMMjEuNDAyLDY3LjQxOUwzNS4zMTMsNTkuOTUxTDM1LjMxMyw1OS45MjlMMjEuMTU2LDU5LjkyOVoiIHN0eWxlPSJmaWxsOnVybCgjX0xpbmVhcjgpO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHBhdGggZD0iTTM1LjMxMywzNy40NTdMMCwxOC41NTJMMCwxMS4wNjJMMzUuMzEzLDI5Ljk2NkwzNS4zMTMsMzcuNDU3WiIgc3R5bGU9ImZpbGw6dXJsKCNfTGluZWFyOSk7ZmlsbC1ydWxlOm5vbnplcm87Ii8+CiAgICA8L2c+CiAgICA8ZyB0cmFuc2Zvcm09Im1hdHJpeCgxLDAsMCwxLDAsLTAuMDA0MTU0NzEpIj4KICAgICAgICA8cGF0aCBkPSJNNTkuNDEyLDM3LjQ1N0w5NC43NDcsMTguNTUyTDk0Ljc0NywxMS4wNjJMNTkuNDEyLDI5Ljk2Nkw1OS40MTIsMzcuNDU3WiIgc3R5bGU9ImZpbGw6dXJsKCNfTGluZWFyMTApO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHJlY3QgeD0iMTQuNzE0IiB5PSI3NC45MSIgd2lkdGg9IjY1LjU4NyIgaGVpZ2h0PSI3LjQ2OCIgc3R5bGU9ImZpbGw6cmdiKDE0NywxNDYsMTQ2KTtmaWxsLXJ1bGU6bm9uemVybzsiLz4KICAgIDwvZz4KICAgIDxnIHRyYW5zZm9ybT0ibWF0cml4KDEsMCwwLDEsMCwtMC4wMDQxNTQ3MSkiPgogICAgICAgIDxwYXRoIGQ9Ik01OS40MTIsNTkuOTI5TDk0Ljc0Nyw3OC44MTFMOTQuNzQ3LDg2LjMwMkw1OS40MTIsNjcuNDE5TDU5LjQxMiw1OS45MjlaIiBzdHlsZT0iZmlsbDp1cmwoI19MaW5lYXIxMSk7ZmlsbC1ydWxlOm5vbnplcm87Ii8+CiAgICA8L2c+CiAgICA8ZyB0cmFuc2Zvcm09Im1hdHJpeCgxLDAsMCwxLDAsLTAuMDA0MTU0NzEpIj4KICAgICAgICA8cGF0aCBkPSJNMzUuMzEzLDU5LjkyOUwwLDc4LjgxMUwwLDg2LjMwMkwzNS4zMTMsNjcuNDE5TDM1LjMxMyw1OS45MjlaIiBzdHlsZT0iZmlsbDp1cmwoI19MaW5lYXIxMik7ZmlsbC1ydWxlOm5vbnplcm87Ii8+CiAgICA8L2c+CiAgICA8ZyB0cmFuc2Zvcm09Im1hdHJpeCgxLDAsMCwxLDAsLTAuMDA0MTU0NzEpIj4KICAgICAgICA8cGF0aCBkPSJNOTQuNzQ3LDQ0Ljk0OEw3My40MTIsNDQuOTQ4TDgwLjE0NSw0MS4zMzZMODAuMTQ1LDMzLjg0Nkw1OS40MTIsNDQuOTQ4TDU5LjQxMiw1Mi40MzhMNTkuNDM0LDUyLjQzOEw4MC4xNjcsNjMuNTE4TDgwLjE2Nyw1Ni4wMjdMNzMuNDM0LDUyLjQzOEw5NC43NDcsNTIuNDM4TDk0Ljc0Nyw0NC45NDhaIiBzdHlsZT0iZmlsbDpyZ2IoMjE3LDc5LDApO2ZpbGwtcnVsZTpub256ZXJvOyIvPgogICAgPC9nPgogICAgPGcgdHJhbnNmb3JtPSJtYXRyaXgoMSwwLDAsMSwwLC0wLjAwNDE1NDcxKSI+CiAgICAgICAgPHBhdGggZD0iTTE0LjU4LDMzLjg0NkwxNC41OCw0MS4zMzZMMjEuMzM1LDQ0Ljk0OEwwLDQ0Ljk0OEwwLDUyLjQzOEwyMS4zMTIsNTIuNDM4TDE0LjU4LDU2LjAyN0wxNC41OCw2My41MThMMzUuMzEzLDUyLjQzOEwzNS4zMTMsNTIuNDE2TDM1LjMxMyw0NC45NDhMMTQuNTgsMzMuODQ2WiIgc3R5bGU9ImZpbGw6cmdiKDIxNyw3OSwwKTtmaWxsLXJ1bGU6bm9uemVybzsiLz4KICAgIDwvZz4KICAgIDxkZWZzPgogICAgICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iX0xpbmVhcjEiIHgxPSIwIiB5MT0iMCIgeDI9IjEiIHkyPSIwIiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSIgZ3JhZGllbnRUcmFuc2Zvcm09Im1hdHJpeCgxLjY1ODQxLDUuODQwNTYsLTUuODQwNTYsMS42NTg0MSw5MC4yNjM1LDYuMzY5MTIpIj48c3RvcCBvZmZzZXQ9IjAiIHN0eWxlPSJzdG9wLWNvbG9yOnJnYigyMjgsMjI4LDIyOCk7c3RvcC1vcGFjaXR5OjEiLz48c3RvcCBvZmZzZXQ9IjEiIHN0eWxlPSJzdG9wLWNvbG9yOnJnYigxNjIsMTYyLDE2Mik7c3RvcC1vcGFjaXR5OjEiLz48L2xpbmVhckdyYWRpZW50PgogICAgICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iX0xpbmVhcjIiIHgxPSIwIiB5MT0iMCIgeDI9IjEiIHkyPSIwIiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSIgZ3JhZGllbnRUcmFuc2Zvcm09Im1hdHJpeCgtMi4yOTE1NCw1LjgxOTU4LC01LjgxOTU4LC0yLjI5MTU0LDUuNDc2ODYsNi45MTQ1KSI+PHN0b3Agb2Zmc2V0PSIwIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMjI4LDIyOCwyMjgpO3N0b3Atb3BhY2l0eToxIi8+PHN0b3Agb2Zmc2V0PSIxIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMTYyLDE2MiwxNjIpO3N0b3Atb3BhY2l0eToxIi8+PC9saW5lYXJHcmFkaWVudD4KICAgICAgICA8bGluZWFyR3JhZGllbnQgaWQ9Il9MaW5lYXIzIiB4MT0iMCIgeTE9IjAiIHgyPSIxIiB5Mj0iMCIgZ3JhZGllbnRVbml0cz0idXNlclNwYWNlT25Vc2UiIGdyYWRpZW50VHJhbnNmb3JtPSJtYXRyaXgoLTEuNjU4ODUsLTUuODM5MzEsNS44MzkzMSwtMS42NTg4NSw0LjQ3MzEsOTEuMDAyNykiPjxzdG9wIG9mZnNldD0iMCIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDIyOCwyMjgsMjI4KTtzdG9wLW9wYWNpdHk6MSIvPjxzdG9wIG9mZnNldD0iMSIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDE2MiwxNjIsMTYyKTtzdG9wLW9wYWNpdHk6MSIvPjwvbGluZWFyR3JhZGllbnQ+CiAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJfTGluZWFyNCIgeDE9IjAiIHkxPSIwIiB4Mj0iMSIgeTI9IjAiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIiBncmFkaWVudFRyYW5zZm9ybT0ibWF0cml4KDIuMjkxMzEsLTUuODE5MjQsNS44MTkyNCwyLjI5MTMxLDg5LjI1OTQsOTAuNDU3NikiPjxzdG9wIG9mZnNldD0iMCIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDIyOCwyMjgsMjI4KTtzdG9wLW9wYWNpdHk6MSIvPjxzdG9wIG9mZnNldD0iMSIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDE2MiwxNjIsMTYyKTtzdG9wLW9wYWNpdHk6MSIvPjwvbGluZWFyR3JhZGllbnQ+CiAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJfTGluZWFyNSIgeDE9IjAiIHkxPSIwIiB4Mj0iMSIgeTI9IjAiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIiBncmFkaWVudFRyYW5zZm9ybT0ibWF0cml4KC00Ni4xODUsLTEyLjAxNjgsMTIuMDE2OCwtNDYuMTg1LDQ0LjM5MzcsMzkuNzE1NikiPjxzdG9wIG9mZnNldD0iMCIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDE3MCwxNzEsMTcxKTtzdG9wLW9wYWNpdHk6MSIvPjxzdG9wIG9mZnNldD0iMC4xIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMTcwLDE3MSwxNzEpO3N0b3Atb3BhY2l0eToxIi8+PHN0b3Agb2Zmc2V0PSIxIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoNzgsNzgsNzgpO3N0b3Atb3BhY2l0eToxIi8+PC9saW5lYXJHcmFkaWVudD4KICAgICAgICA8bGluZWFyR3JhZGllbnQgaWQ9Il9MaW5lYXI2IiB4MT0iMCIgeTE9IjAiIHgyPSIxIiB5Mj0iMCIgZ3JhZGllbnRVbml0cz0idXNlclNwYWNlT25Vc2UiIGdyYWRpZW50VHJhbnNmb3JtPSJtYXRyaXgoNDYuMTg2MSwtMTIuMDE1OSwxMi4wMTU5LDQ2LjE4NjEsNTAuMzQyLDM5LjcxNTIpIj48c3RvcCBvZmZzZXQ9IjAiIHN0eWxlPSJzdG9wLWNvbG9yOnJnYigxNzAsMTcxLDE3MSk7c3RvcC1vcGFjaXR5OjEiLz48c3RvcCBvZmZzZXQ9IjAuMSIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDE3MCwxNzEsMTcxKTtzdG9wLW9wYWNpdHk6MSIvPjxzdG9wIG9mZnNldD0iMSIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDc4LDc4LDc4KTtzdG9wLW9wYWNpdHk6MSIvPjwvbGluZWFyR3JhZGllbnQ+CiAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJfTGluZWFyNyIgeDE9IjAiIHkxPSIwIiB4Mj0iMSIgeTI9IjAiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIiBncmFkaWVudFRyYW5zZm9ybT0ibWF0cml4KDQ2LjE4NTQsMTIuMDE1OSwtMTIuMDE1OSw0Ni4xODU0LDUwLjM0MjUsNTcuNjU2OSkiPjxzdG9wIG9mZnNldD0iMCIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDE3MCwxNzEsMTcxKTtzdG9wLW9wYWNpdHk6MSIvPjxzdG9wIG9mZnNldD0iMC4xIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMTcwLDE3MSwxNzEpO3N0b3Atb3BhY2l0eToxIi8+PHN0b3Agb2Zmc2V0PSIxIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoNzgsNzgsNzgpO3N0b3Atb3BhY2l0eToxIi8+PC9saW5lYXJHcmFkaWVudD4KICAgICAgICA8bGluZWFyR3JhZGllbnQgaWQ9Il9MaW5lYXI4IiB4MT0iMCIgeTE9IjAiIHgyPSIxIiB5Mj0iMCIgZ3JhZGllbnRVbml0cz0idXNlclNwYWNlT25Vc2UiIGdyYWRpZW50VHJhbnNmb3JtPSJtYXRyaXgoLTQ2LjE4NDQsMTIuMDE2NiwtMTIuMDE2NiwtNDYuMTg0NCw0NC4zOTM1LDU3LjY1NjQpIj48c3RvcCBvZmZzZXQ9IjAiIHN0eWxlPSJzdG9wLWNvbG9yOnJnYigxNzAsMTcxLDE3MSk7c3RvcC1vcGFjaXR5OjEiLz48c3RvcCBvZmZzZXQ9IjAuMSIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDE3MCwxNzEsMTcxKTtzdG9wLW9wYWNpdHk6MSIvPjxzdG9wIG9mZnNldD0iMSIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDc4LDc4LDc4KTtzdG9wLW9wYWNpdHk6MSIvPjwvbGluZWFyR3JhZGllbnQ+CiAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJfTGluZWFyOSIgeDE9IjAiIHkxPSIwIiB4Mj0iMSIgeTI9IjAiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIiBncmFkaWVudFRyYW5zZm9ybT0ibWF0cml4KDM1LjMxNTUsMCwwLDM1LjMxNTUsLTAuMDAwMjgzNDY3LDI0LjI1ODcpIj48c3RvcCBvZmZzZXQ9IjAiIHN0eWxlPSJzdG9wLWNvbG9yOnJnYigyNTQsMjU0LDI1NCk7c3RvcC1vcGFjaXR5OjEiLz48c3RvcCBvZmZzZXQ9IjAuMjMiIHN0eWxlPSJzdG9wLWNvbG9yOnJnYigyNTQsMjU0LDI1NCk7c3RvcC1vcGFjaXR5OjEiLz48c3RvcCBvZmZzZXQ9IjEiIHN0eWxlPSJzdG9wLWNvbG9yOnJnYigxNzYsMTc2LDE3Nik7c3RvcC1vcGFjaXR5OjEiLz48L2xpbmVhckdyYWRpZW50PgogICAgICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iX0xpbmVhcjEwIiB4MT0iMCIgeTE9IjAiIHgyPSIxIiB5Mj0iMCIgZ3JhZGllbnRVbml0cz0idXNlclNwYWNlT25Vc2UiIGdyYWRpZW50VHJhbnNmb3JtPSJtYXRyaXgoLTM1LjMxNTQsNC4zMjQ4OWUtMTUsLTQuMzI0ODllLTE1LC0zNS4zMTU0LDk0LjczNiwyNC4yNTg3KSI+PHN0b3Agb2Zmc2V0PSIwIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMjU0LDI1NCwyNTQpO3N0b3Atb3BhY2l0eToxIi8+PHN0b3Agb2Zmc2V0PSIwLjIzIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMjU0LDI1NCwyNTQpO3N0b3Atb3BhY2l0eToxIi8+PHN0b3Agb2Zmc2V0PSIxIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMTc2LDE3NiwxNzYpO3N0b3Atb3BhY2l0eToxIi8+PC9saW5lYXJHcmFkaWVudD4KICAgICAgICA8bGluZWFyR3JhZGllbnQgaWQ9Il9MaW5lYXIxMSIgeDE9IjAiIHkxPSIwIiB4Mj0iMSIgeTI9IjAiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIiBncmFkaWVudFRyYW5zZm9ybT0ibWF0cml4KC0zNS4zMTU0LDQuMzI0ODllLTE1LC00LjMyNDg5ZS0xNSwtMzUuMzE1NCw5NC43MzYsNzMuMTEzMykiPjxzdG9wIG9mZnNldD0iMCIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDI1NCwyNTQsMjU0KTtzdG9wLW9wYWNpdHk6MSIvPjxzdG9wIG9mZnNldD0iMC4yMyIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDI1NCwyNTQsMjU0KTtzdG9wLW9wYWNpdHk6MSIvPjxzdG9wIG9mZnNldD0iMSIgc3R5bGU9InN0b3AtY29sb3I6cmdiKDE3NiwxNzYsMTc2KTtzdG9wLW9wYWNpdHk6MSIvPjwvbGluZWFyR3JhZGllbnQ+CiAgICAgICAgPGxpbmVhckdyYWRpZW50IGlkPSJfTGluZWFyMTIiIHgxPSIwIiB5MT0iMCIgeDI9IjEiIHkyPSIwIiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSIgZ3JhZGllbnRUcmFuc2Zvcm09Im1hdHJpeCgzNS4zMTU1LDAsMCwzNS4zMTU1LC0wLjAwMDI4MzQ2Nyw3My4xMTMzKSI+PHN0b3Agb2Zmc2V0PSIwIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMjU0LDI1NCwyNTQpO3N0b3Atb3BhY2l0eToxIi8+PHN0b3Agb2Zmc2V0PSIwLjIzIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMjU0LDI1NCwyNTQpO3N0b3Atb3BhY2l0eToxIi8+PHN0b3Agb2Zmc2V0PSIxIiBzdHlsZT0ic3RvcC1jb2xvcjpyZ2IoMTc2LDE3NiwxNzYpO3N0b3Atb3BhY2l0eToxIi8+PC9saW5lYXJHcmFkaWVudD4KICAgIDwvZGVmcz4KPC9zdmc+Cg==') no-repeat left;
+}
+
+/* initial title */
+#titles h1 {
+	color: #000000;
+}
+#titles h2 {
+	color: #000000;
+}
+
+/* special event: FTP success page titles */
+#titles ftpsuccess {
+	background-color:#00ff00;
+	width:100%;
+}
+
+/* Page displayed body content area */
+#content {
+	padding: 10px;
+	background: #ffffff;
+}
+
+/* General text */
+p {
+}
+
+/* error brief description */
+#error p {
+}
+
+/* some data which may have caused the problem */
+#data {
+}
+
+/* the error message received from the system or other software */
+#sysmsg {
+}
+
+pre {
+}
+
+/* special event: FTP / Gopher directory listing */
+#dirmsg {
+    font-family: courier, monospace;
+    color: black;
+    font-size: 10pt;
+}
+#dirlisting {
+    margin-left: 2%;
+    margin-right: 2%;
+}
+#dirlisting tr.entry td.icon,td.filename,td.size,td.date {
+    border-bottom: groove;
+}
+#dirlisting td.size {
+    width: 50px;
+    text-align: right;
+    padding-right: 5px;
+}
+
+/* horizontal lines */
+hr {
+	margin: 0;
+}
+
+/* page displayed footer area */
+#footer {
+	font-size: 9px;
+	padding-left: 10px;
+}
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
new file mode 100644
index 0000000000..3fa2f25a55
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
@@ -0,0 +1,157 @@
+<?php
+
+/*
+ * Copyright (C) 2015 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Proxy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Base\UserException;
+use OPNsense\Core\Backend;
+use OPNsense\Proxy\Proxy;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\Proxy
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Proxy\Proxy';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceTemplate = 'OPNsense/Proxy';
+    protected static $internalServiceName = 'proxy';
+
+    protected function reconfigureForceRestart()
+    {
+        $mdlProxy = new Proxy();
+
+        // some operations can not be performed by a squid -k reconfigure,
+        // try to determine if we need a stop/start here
+        $prev_sslbump_cert = trim(@file_get_contents('/var/squid/ssl_crtd.id'));
+        $prev_cache_active = !empty(trim(@file_get_contents('/var/squid/cache/active')));
+
+        return (((string)$mdlProxy->forward->sslcertificate) != $prev_sslbump_cert) ||
+            (!empty((string)$mdlProxy->general->cache->local->enabled) != $prev_cache_active);
+    }
+
+    private function hookStartErrorHandler($result)
+    {
+        if (preg_match('/__ok__$/', $result['response'])) {
+            $result['response'] = "ok";
+        } else {
+            throw new UserException($result['response'], gettext("proxy load error"));
+        }
+        return $result;
+    }
+
+    public function startAction()
+    {
+        return $this->hookStartErrorHandler(parent::startAction());
+    }
+
+    public function restartAction()
+    {
+        return $this->hookStartErrorHandler(parent::restartAction());
+    }
+
+    /**
+     * reload template only (for example PAC does not need to change squid configuration)
+     * @return array
+     */
+    public function resetAction()
+    {
+        if ($this->request->isPost()) {
+            // close session for long running action
+            $this->sessionClose();
+            $backend = new Backend();
+            return array('status' => $backend->configdRun('proxy reset'));
+        } else {
+            return array('error' => 'This API endpoint must be called via POST',
+                         'status' => 'error');
+        }
+    }
+
+    /**
+     * reload template only (for example PAC does not need to change squid configuration)
+     * @return array
+     */
+    public function refreshTemplateAction()
+    {
+        if ($this->request->isPost()) {
+            // close session for long running action
+            $this->sessionClose();
+            $backend = new Backend();
+            return array('status' => $backend->configdRun('template reload OPNsense/Proxy'));
+        } else {
+            return array('error' => 'This API endpoint must be called via POST',
+                         'status' => 'error');
+        }
+    }
+
+    /**
+     * fetch acls (download + install)
+     * @return array
+     */
+    public function fetchaclsAction()
+    {
+        if ($this->request->isPost()) {
+            // close session for long running action
+            $this->sessionClose();
+
+            $backend = new Backend();
+            // generate template
+            $backend->configdRun('template reload OPNsense/Proxy');
+
+            // fetch files
+            $response = $backend->configdRun("proxy fetchacls");
+            return array("response" => $response,"status" => "ok");
+        } else {
+            return array("response" => array());
+        }
+    }
+
+    /**
+     * download (only) acls
+     * @return array
+     */
+    public function downloadaclsAction()
+    {
+        if ($this->request->isPost()) {
+            // close session for long running action
+            $this->sessionClose();
+
+            $backend = new Backend();
+            // generate template
+            $backend->configdRun('template reload OPNsense/Proxy');
+
+            // download files
+            $response = $backend->configdRun("proxy downloadacls");
+            return array("response" => $response,"status" => "ok");
+        } else {
+            return array("response" => array());
+        }
+    }
+}
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
new file mode 100644
index 0000000000..386c117f40
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
@@ -0,0 +1,334 @@
+<?php
+
+/**
+ *    Copyright (C) 2015 Jos Schellevis <jos@opnsense.org>
+ *    Copyright (C) 2017 Fabian Franz
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Proxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Cron\Cron;
+use OPNsense\Core\Config;
+use OPNsense\Base\UIModelGrid;
+
+/**
+ * Class SettingsController
+ * @package OPNsense\Proxy
+ */
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'proxy';
+    protected static $internalModelClass = '\OPNsense\Proxy\Proxy';
+
+    /**
+     *
+     * search remote blacklists
+     * @return array
+     */
+    public function searchRemoteBlacklistsAction()
+    {
+        $this->sessionClose();
+        $mdlProxy = $this->getModel();
+        $grid = new UIModelGrid($mdlProxy->forward->acl->remoteACLs->blacklists->blacklist);
+        return $grid->fetchBindRequest(
+            $this->request,
+            array("enabled", "filename", "url", "description"),
+            "description"
+        );
+    }
+
+    /**
+     * retrieve remote blacklist settings or return defaults
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function getRemoteBlacklistAction($uuid = null)
+    {
+        return $this->getBase("blacklist", "forward.acl.remoteACLs.blacklists.blacklist", $uuid);
+    }
+
+    /**
+     * update remote blacklist item
+     * @param string $uuid
+     * @return array result status
+     * @throws \Phalcon\Filter\Validation\Exception
+     */
+    public function setRemoteBlacklistAction($uuid)
+    {
+        return $this->setBase('blacklist', 'forward.acl.remoteACLs.blacklists.blacklist', $uuid);
+    }
+
+    /**
+     * add new blacklist and set with attributes from post
+     * @return array
+     */
+    public function addRemoteBlacklistAction()
+    {
+        return $this->addBase('blacklist', 'forward.acl.remoteACLs.blacklists.blacklist');
+    }
+
+    /**
+     * delete blacklist by uuid
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function delRemoteBlacklistAction($uuid)
+    {
+        return $this->delBase('forward.acl.remoteACLs.blacklists.blacklist', $uuid);
+    }
+
+    /**
+     * toggle blacklist by uuid (enable/disable)
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function toggleRemoteBlacklistAction($uuid)
+    {
+        return $this->toggleBase('forward.acl.remoteACLs.blacklists.blacklist', $uuid);
+    }
+
+    /**
+     * create new cron item for remote acl or return already available one
+     * @return array status action
+     */
+    public function fetchRBCronAction()
+    {
+        $result = array("result" => "failed");
+
+        if ($this->request->isPost()) {
+            $mdlProxy = $this->getModel();
+            if ((string)$mdlProxy->forward->acl->remoteACLs->UpdateCron == "") {
+                $mdlCron = new Cron();
+                // update cron relation (if this doesn't break consistency)
+                $uuid = $mdlCron->newDailyJob("Proxy", "proxy fetchacls", "fetch proxy acls", "1");
+                $mdlProxy->forward->acl->remoteACLs->UpdateCron = $uuid;
+
+                if ($mdlCron->performValidation()->count() == 0) {
+                    $mdlCron->serializeToConfig();
+                    // save data to config, do not validate because the current in memory model doesn't know about the
+                    // cron item just created.
+                    $mdlProxy->serializeToConfig($validateFullModel = false, $disable_validation = true);
+                    Config::getInstance()->save();
+                    $result['result'] = "new";
+                    $result['uuid'] = $uuid;
+                } else {
+                    $result['result'] = "unable to add cron";
+                }
+            } else {
+                $result['result'] = "existing";
+                $result['uuid'] = (string)$mdlProxy->forward->acl->remoteACLs->UpdateCron;
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     *
+     * search PAC Rule
+     * @return array
+     */
+    public function searchPACRuleAction()
+    {
+        $this->sessionClose();
+        return $this->searchBase('pac.rule', array("enabled", "description", "proxies", "matches"), "description");
+    }
+
+    /**
+     * retrieve PAC Rule or return defaults
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function getPACRuleAction($uuid = null)
+    {
+        $this->sessionClose();
+        return array("pac" => $this->getBase('rule', 'pac.rule', $uuid));
+    }
+
+    /**
+     * add new PAC Rule and set with attributes from post
+     * @return array
+     */
+    public function addPACRuleAction()
+    {
+        $this->pac_set_helper();
+        return $this->addBase('rule', 'pac.rule');
+    }
+
+    /**
+     * update PAC Rule
+     * @param string $uuid
+     * @return array result status
+     * @throws \Phalcon\Filter\Validation\Exception
+     */
+    public function setPACRuleAction($uuid)
+    {
+        $this->pac_set_helper();
+        return $this->setBase('rule', 'pac.rule', $uuid);
+    }
+
+    /**
+     * toggle PAC Rule by uuid (enable/disable)
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function togglePACRuleAction($uuid)
+    {
+        return $this->toggleBase('pac.rule', $uuid);
+    }
+
+    /**
+     * delete PAC Rule by uuid
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function delPACRuleAction($uuid)
+    {
+        return $this->delBase('pac.rule', $uuid);
+    }
+
+    /**
+     *
+     * search PAC Proxy
+     * @return array
+     */
+    public function searchPACProxyAction()
+    {
+        $this->sessionClose();
+        return $this->searchBase('pac.proxy', array("enabled","proxy_type", "name", "url", "description"), "description");
+    }
+
+    /**
+     * retrieve PAC Proxy or return defaults
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function getPACProxyAction($uuid = null)
+    {
+        $this->sessionClose();
+        return array("pac" => $this->getBase('proxy', 'pac.proxy', $uuid));
+    }
+
+    /**
+     * add new PAC Proxy and set with attributes from post
+     * @return array
+     */
+    public function addPACProxyAction()
+    {
+        $this->pac_set_helper();
+        return $this->addBase('proxy', 'pac.proxy');
+    }
+
+    /**
+     * update PAC Proxy
+     * @param string $uuid
+     * @return array result status
+     * @throws \Phalcon\Filter\Validation\Exception
+     */
+    public function setPACProxyAction($uuid)
+    {
+        $this->pac_set_helper();
+        return $this->setBase('proxy', 'pac.proxy', $uuid);
+    }
+
+    /**
+     * delete PAC Proxy by uuid
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function delPACProxyAction($uuid)
+    {
+        return $this->delBase('pac.proxy', $uuid);
+    }
+
+    /**
+     * search PAC Match
+     * @return array
+     */
+    public function searchPACMatchAction()
+    {
+        $this->sessionClose();
+        return $this->searchBase('pac.match', array("enabled", "name", "description", "negate", "match_type"), "name");
+    }
+
+    /**
+     * retrieve PAC Match or return defaults
+     * @param $uuid item unique id
+     * @return array
+     */
+    public function getPACMatchAction($uuid = null)
+    {
+        $this->sessionClose();
+        return array("pac" => $this->getBase('match', 'pac.match', $uuid));
+    }
+
+    /**
+     * add new PAC Proxy and set with attributes from post
+     * @return array
+     */
+    public function addPACMatchAction()
+    {
+        $this->pac_set_helper();
+        return $this->addBase('match', 'pac.match');
+    }
+
+    /**
+     * update PAC Rule
+     * @param string $uuid
+     * @return array result status
+     * @throws \Phalcon\Filter\Validation\Exception
+     */
+    public function setPACMatchAction($uuid)
+    {
+        $this->pac_set_helper();
+        return $this->setBase('match', 'pac.match', $uuid);
+    }
+
+    /**
+     * delete PAC Match by uuid
+     * @param $uuid item unique id
+     * @return array status
+     */
+    public function delPACMatchAction($uuid)
+    {
+        return $this->delBase('pac.match', $uuid);
+    }
+
+    /**
+     * flatten post data structure
+     */
+    private function pac_set_helper()
+    {
+        if ($this->request->isPost() && $this->request->hasPost("pac")) {
+            $pac_data = $this->request->getPost('pac');
+            if (is_array($pac_data)) {
+                foreach ($pac_data as $key => $value) {
+                    $_POST[$key] = $value;
+                }
+            }
+        }
+    }
+}
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
new file mode 100644
index 0000000000..d6f5c04d3a
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
@@ -0,0 +1,102 @@
+<?php
+
+/**
+ *    Copyright (C) 2020 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Proxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+
+/**
+ * Class TemplateController
+ * @package OPNsense\Proxy
+ */
+class TemplateController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'proxy';
+    protected static $internalModelClass = '\OPNsense\Proxy\Proxy';
+
+    /**
+     * save template
+     * @return array status
+     * @throws \Phalcon\Filter\Validation\Exception on validation issues
+     * @throws \ReflectionException when binding to the model class fails
+     * @throws UserException when denied write access
+     */
+    public function setAction()
+    {
+        if ($this->request->isPost() && $this->request->hasPost("content")) {
+            $this->sessionClose();
+            $mdl = $this->getModel();
+            $mdl->error_pages->template = $this->request->getPost("content", "striptags");
+            $result = $this->validate();
+            if (empty($result['validations'])) {
+                // save config if validated correctly
+                $this->save();
+                $result = array("result" => "saved");
+            } else {
+                $result["result"] = "failed";
+            }
+            return $result;
+        } else {
+            return array("result" => "failed");
+        }
+    }
+
+    /**
+     * reset error_pages template
+     */
+    public function resetAction()
+    {
+        if ($this->request->isPost()) {
+            $mdl = $this->getModel();
+            $mdl->error_pages->template = null;
+            $this->save();
+            return array("result" => "saved");
+        }
+        return array("result" => "failed");
+    }
+
+    /**
+     * retrieve error pages template, overlay provided template zip file on top of OPNsense error pages
+     * using configd calls
+     */
+    public function getAction()
+    {
+        $backend = new Backend();
+        $backend->configdRun("template reload OPNsense/Proxy");
+        $result = json_decode($backend->configdRun("proxy download_error_pages"), true);
+        if ($result != null) {
+            $this->response->setRawHeader("Content-Type: application/octet-stream");
+            $this->response->setRawHeader("Content-Disposition: attachment; filename=proxy_template.zip");
+            return base64_decode($result['payload']);
+        } else {
+            // return empty response on error
+            return "";
+        }
+    }
+}
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/IndexController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/IndexController.php
new file mode 100644
index 0000000000..7e9c7a6f11
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/IndexController.php
@@ -0,0 +1,52 @@
+<?php
+
+/**
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Proxy;
+
+/**
+ * Class IndexController
+ * @package OPNsense\Proxy
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    /**
+     * proxy index page
+     * @throws \Exception
+     */
+    public function indexAction()
+    {
+        $this->view->mainForm = $this->getForm("main");
+        $this->view->formDialogEditPACMatch = $this->getForm("dialogEditPACMatch");
+        $this->view->formDialogEditPACRule = $this->getForm("dialogEditPACRule");
+        $this->view->formDialogEditPACProxy = $this->getForm("dialogEditPACProxy");
+        $this->view->formDialogEditBlacklist = $this->getForm("dialogEditBlacklist");
+        $this->view->pick('OPNsense/Proxy/index');
+    }
+}
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditBlacklist.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditBlacklist.xml
new file mode 100644
index 0000000000..3080848291
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditBlacklist.xml
@@ -0,0 +1,51 @@
+<form>
+    <field>
+        <id>blacklist.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help>Select if job is enabled or not</help>
+    </field>
+    <field>
+        <id>blacklist.filename</id>
+        <label>Filename</label>
+        <type>text</type>
+        <help>Enter a filename for storing the blacklist.</help>
+    </field>
+    <field>
+        <id>blacklist.url</id>
+        <label>URL</label>
+        <type>text</type>
+        <help>Enter an url to fetch the blacklist from.</help>
+    </field>
+    <field>
+        <id>blacklist.username</id>
+        <label>username (optional)</label>
+        <type>text</type>
+        <help>(optional) user credentials.</help>
+    </field>
+    <field>
+        <id>blacklist.password</id>
+        <label>password (optional)</label>
+        <type>password</type>
+        <help>(optional) user credentials.</help>
+    </field>
+    <field>
+        <id>blacklist.filter</id>
+        <label>categories (if available)</label>
+        <type>select_multiple</type>
+        <nbDropdownElements>300</nbDropdownElements>
+        <help><![CDATA[select categories to use, leave empty for all. Categories are visible after initial download.]]></help>
+    </field>
+    <field>
+        <id>blacklist.sslNoVerify</id>
+        <label>ssl ignore cert</label>
+        <type>checkbox</type>
+        <help>Ignore SSL certificate validation (for self-signed certificates)</help>
+    </field>
+    <field>
+        <id>blacklist.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Enter a description to explain what this blacklist is intended for.</help>
+    </field>
+</form>
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACMatch.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACMatch.xml
new file mode 100644
index 0000000000..68ae6fd226
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACMatch.xml
@@ -0,0 +1,92 @@
+<form>
+    <field>
+        <id>pac.match.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Select a name for this match.</help>
+    </field>
+    <field>
+        <id>pac.match.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Enter a description for this rule. The description should help you to identify this rule.</help>
+    </field>
+    <field>
+        <id>pac.match.negate</id>
+        <label>Negate</label>
+        <type>checkbox</type>
+        <help>Negate this match. For example you can match if a host is not inside a network.</help>
+    </field>
+    <field>
+        <id>pac.match.match_type</id>
+        <label>Match Type</label>
+        <type>dropdown</type>
+        <help>Select the type of the match. Depending on the match, you will need different arguments.</help>
+    </field>
+    <field>
+        <id>pac.match.network</id>
+        <label>Network</label>
+        <type>text</type>
+        <help>Enter the network address to match in CIDR notation for example like 127.0.0.1/8 or ::1/128</help>
+    </field>
+    <field>
+        <id>pac.match.hostname</id>
+        <label>Host Pattern</label>
+        <type>text</type>
+        <help>Enter a hostname pattern like *.opnsense.org.</help>
+    </field>
+    <field>
+        <id>pac.match.url</id>
+        <label>URL Pattern</label>
+        <type>text</type>
+        <help>Enter a URL pattern like forum.opnsense.org/index*.</help>
+    </field>
+    <field>
+        <id>pac.match.domain_level_from</id>
+        <label>Domain Level From</label>
+        <type>text</type>
+        <help>Enter the minimum amount of dots in the domain name.</help>
+    </field>
+    <field>
+        <id>pac.match.domain_level_to</id>
+        <label>Domain Level To</label>
+        <type>text</type>
+        <help>Enter the maximum amount of dots in the domain name.</help>
+    </field>
+    <field>
+        <id>pac.match.time_from</id>
+        <label>Beginning Hour</label>
+        <type>text</type>
+        <help>Enter start hour (minimum 0).</help>
+    </field>
+    <field>
+        <id>pac.match.time_to</id>
+        <label>Last Hour</label>
+        <type>text</type>
+        <help>Enter the end time (maximum 23, minimum 0 or start time).</help>
+    </field>
+    <field>
+        <id>pac.match.date_from</id>
+        <label>From Month</label>
+        <type>dropdown</type>
+        <help>Enter the first month.</help>
+    </field>
+    <field>
+        <id>pac.match.date_to</id>
+        <label>To Month</label>
+        <type>dropdown</type>
+        <help>Enter the last month (maximum December, minimum January or From Month).</help>
+    </field>
+    <field>
+        <id>pac.match.weekday_from</id>
+        <label>From Day</label>
+        <type>dropdown</type>
+        <help>Enter the first day of the week.</help>
+    </field>
+    <field>
+        <id>pac.match.weekday_to</id>
+        <label>To Day</label>
+        <type>dropdown</type>
+        <help>Enter the last day of the week.</help>
+    </field>
+</form>
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACProxy.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACProxy.xml
new file mode 100644
index 0000000000..d07bf44061
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACProxy.xml
@@ -0,0 +1,26 @@
+<form>
+    <field>
+        <id>pac.proxy.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Enter a name for this match.</help>
+    </field>
+    <field>
+        <id>pac.proxy.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Enter a description for this proxy for your reference.</help>
+    </field>
+    <field>
+        <id>pac.proxy.proxy_type</id>
+        <label>Proxy Type</label>
+        <type>dropdown</type>
+        <help>Choose a proxy type. Usually you should use Direct for a direct connection or Proxy for a Proxy.</help>
+    </field>
+    <field>
+        <id>pac.proxy.url</id>
+        <label>URL</label>
+        <type>text</type>
+        <help>Enter a proxy URL in the form proxy.example.com:3128.</help>
+    </field>
+</form>
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACRule.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACRule.xml
new file mode 100644
index 0000000000..3e901766c2
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogEditPACRule.xml
@@ -0,0 +1,40 @@
+<form>
+    <field>
+        <id>pac.rule.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Please select if this rule should be added to the PAC file.</help>
+    </field>
+    <field>
+        <id>pac.rule.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Enter a description for this rule. The description should help you to identify this rule.</help>
+    </field>
+    <field>
+        <id>pac.rule.matches</id>
+        <label>Matches</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <help>Select some matches you want to use in this rule. This matches are joined using the selected separator.</help>
+    </field>
+    <field>
+        <id>pac.rule.join_type</id>
+        <label>Join Type</label>
+        <type>dropdown</type>
+        <help>Please select a separator to join the matches. Or means any mach can be true which can be used to configure the same proxy for multiple networks while And means all matches must be true which can be used to assign the proxy in a more detailed way.</help>
+    </field>
+    <field>
+        <id>pac.rule.match_type</id>
+        <label>Match Type</label>
+        <type>dropdown</type>
+        <help>Choose If in case any case you want to ensure a match to evaluate as is, else choose unless if you want the negated version. Unless is used if you want to use the proxy for every host but not for some special ones.</help>
+    </field>
+    <field>
+        <id>pac.rule.proxies</id>
+        <label>Proxies</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <sortable>true</sortable>
+    </field>
+</form>
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
new file mode 100644
index 0000000000..1db7c2fd7f
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -0,0 +1,634 @@
+<form>
+    <tab id="proxy-general" description="General Proxy Settings">
+        <subtab id="proxy-general-settings" description="General Proxy Settings">
+            <field>
+                <id>proxy.general.enabled</id>
+                <label>Enable proxy</label>
+                <type>checkbox</type>
+                <help>Enable or disable the proxy service.</help>
+            </field>
+            <field>
+                <id>proxy.general.error_pages</id>
+                <label>User error pages</label>
+                <type>dropdown</type>
+                <help>
+                  The proxy error pages can be altered, default layout uses OPNsense content, when Squid is selected
+                  the content for the selected language will be used (standard squid layout), Custom offers the possibility
+                  to upload your own theme content.
+                </help>
+            </field>
+            <field>
+                <id>proxy.general.icpPort</id>
+                <label>ICP port</label>
+                <type>text</type>
+                <help>The port number where Squid sends and receives ICP queries to and from neighbor caches. Leave blank to disable (default). The standard UDP port for ICP is 3130.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.logging.enable.accessLog</id>
+                <label>Enable access logging</label>
+                <type>checkbox</type>
+                <help>Enable access logging.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.logging.target</id>
+                <label>Access log target</label>
+                <type>dropdown</type>
+                <help>Send log data to the selected target. When syslog is selected, facility local 4 will be used to send messages of info level for these logs.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.logging.enable.storeLog</id>
+                <label>Enable store logging</label>
+                <type>checkbox</type>
+                <help>Enable store logging.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.logging.ignoreLogACL</id>
+                <label>Ignore hosts in access.log</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Type subnets/addresses you want to ignore for the access.log.</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.alternateDNSservers</id>
+                <label>Use alternate DNS-servers</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Type IPs of alternative DNS servers you like to use.</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.useViaHeader</id>
+                <label>Use Via header</label>
+                <type>checkbox</type>
+                <help>If set (default), Squid will include a Via header in requests and replies as required by RFC2616.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.forwardedForHandling</id>
+                <label>X-Forwarded-For header handling</label>
+                <type>dropdown</type>
+                <help>Select what to do with X-Forwarded-For header. If set to: "on", Squid will append your client's IP address in the HTTP requests it forwards. By default it looks like X-Forwarded-For: 192.1.2.3; If set to: "off", it will appear as X-Forwarded-For: unknown; "transparent", Squid will not alter the X-Forwarded-For header in any way; If set to: "delete", Squid will delete the entire X-Forwarded-For header; If set to: "truncate", Squid will remove all existing X-Forwarded-For entries, and place the client IP as the sole entry.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.VisibleHostname</id>
+                <label>Visible Hostname</label>
+                <type>text</type>
+                <help>This is the hostname to be displayed in proxy server error messages.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.VisibleEmail</id>
+                <label>Administrator's Email</label>
+                <type>text</type>
+                <help>This is the email address displayed in error messages to the users.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.suppressVersion</id>
+                <label>Suppress version string</label>
+                <type>checkbox</type>
+                <help>Suppress Squid version string info in HTTP headers and HTML error pages.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.connecttimeout</id>
+                <label>Connection Timeout</label>
+                <type>text</type>
+                <help>This can help you when having connection issues with IPv6 enabled servers. Set a value in seconds</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.uriWhitespaceHandling</id>
+                <label>Whitespace handling of URI</label>
+                <type>dropdown</type>
+                <help>Select what to do with URI that contain whitespaces. The current Squid implementation of encode and chop violates RFC2616 by not using a 301 redirect after altering the URL.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.enablePinger</id>
+                <label>Enable pinger</label>
+                <type>checkbox</type>
+                <help>Toggles the Squid pinger service. This service is used in the selection of the best parent proxy.</help>
+                <advanced>true</advanced>
+            </field>
+        </subtab>
+        <subtab id="proxy-general-cache-local" description="Local Cache Settings">
+            <field>
+                <id>proxy.general.cache.local.cache_mem</id>
+                <label>Memory Cache size in Megabytes</label>
+                <type>text</type>
+                <help>Enter the cache memory size to use or zero to disable completely.</help>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.enabled</id>
+                <label>Enable local cache</label>
+                <type>checkbox</type>
+                <help>Enable or disable the local cache. Only UFS directory cache type is supported. Do not enable on embedded systems with SD or CF cards as this will wear down your drive.</help>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.size</id>
+                <label>Cache size in Megabytes</label>
+                <type>text</type>
+                <help>Enter the storage size for the local cache (default is 100).</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.directory</id>
+                <label>Cache directory location</label>
+                <type>text</type>
+                <help>Enter the directory location for the local cache (default is /var/squid/cache).</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.l1</id>
+                <label>Number of first-level subdirectories</label>
+                <type>text</type>
+                <help>Enter the number of first-level subdirectories for the local cache (default is 16).</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.l2</id>
+                <label>Number of second-level subdirectories</label>
+                <type>text</type>
+                <help>Enter the number of second-level subdirectories for the local cache (default is 256).</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.maximum_object_size</id>
+                <label>Maximum object size (MB)</label>
+                <type>text</type>
+                <help>Set the maximum object size (default 4MB when left empty).</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.maximum_object_size_in_memory</id>
+                <label>Maximum object size in memory (KB)</label>
+                <type>text</type>
+                <help>Set the maximum object size in memory (default 512KB when left empty).</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.memory_cache_mode</id>
+                <label>Memory cache mode</label>
+                <type>dropdown</type>
+                <help>
+                    Controls which objects to keep in the memory cache (cache_mem)
+                    always:	Keep most recently fetched objects in memory (default)
+                    disk: Only disk cache hits are kept in memory, which means an object must first be cached on disk and then hit a second time before cached in memory.
+                    network: Only objects fetched from network is kept in memory
+                </help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.cache_linux_packages</id>
+                <label>Enable Linux Package Cache</label>
+                <type>checkbox</type>
+                <help>Enable or disable the caching of packages for linux distributions. This makes sense if you have multiple servers in your network and do not host your own package mirror. This will reduce internet traffic usage but increase disk access.</help>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.cache_windows_updates</id>
+                <label>Enable Windows Update Cache</label>
+                <type>checkbox</type>
+                <help>Enable or disable the caching of Windows updates. This makes sense if you don't have a WSUS server. If you can setup a WSUS server, this solution should be preferred.</help>
+            </field>
+        </subtab>
+        <subtab id="proxy-general-traffic" description="Traffic Management Settings">
+            <field>
+                <id>proxy.general.traffic.enabled</id>
+                <label>Enable traffic management.</label>
+                <type>checkbox</type>
+                <help>Enable or disable traffic management.</help>
+            </field>
+            <field>
+                <id>proxy.general.traffic.maxDownloadSize</id>
+                <label>Maximum download size (kB)</label>
+                <type>text</type>
+                <help>Enter the maximum size for downloads in kilobytes (leave empty to disable).</help>
+            </field>
+            <field>
+                <id>proxy.general.traffic.maxUploadSize</id>
+                <label>Maximum upload size (kB)</label>
+                <type>text</type>
+                <help>Enter the maximum size for uploads in kilobytes (leave empty to disable).</help>
+            </field>
+            <field>
+                <id>proxy.general.traffic.OverallBandwidthTrotteling</id>
+                <label>Overall bandwidth throttling (kbps)</label>
+                <type>text</type>
+                <help>Enter the allowed overall bandwidth in kilobits per second (leave empty to disable).</help>
+            </field>
+            <field>
+                <id>proxy.general.traffic.perHostTrotteling</id>
+                <label>Per host bandwidth throttling (kbps)</label>
+                <type>text</type>
+                <help>Enter the allowed per host bandwidth in kilobits per second (leave empty to disable).</help>
+            </field>
+        </subtab>
+        <subtab id="proxy-general-parentproxy" description="Parent Proxy Settings">
+            <field>
+                <id>proxy.general.parentproxy.enabled</id>
+                <label>Enable Parent Proxy</label>
+                <type>checkbox</type>
+                <help>Enable parent proxy feature.</help>
+            </field>
+            <field>
+                <id>proxy.general.parentproxy.host</id>
+                <label>Host</label>
+                <type>text</type>
+                <help>Parent proxy IP address or hostname.</help>
+            </field>
+            <field>
+                <id>proxy.general.parentproxy.port</id>
+                <label>Port</label>
+                <type>text</type>
+                <help>Parent proxy port.</help>
+            </field>
+            <field>
+                <id>proxy.general.parentproxy.enableauth</id>
+                <label>Enable Authentication</label>
+                <type>checkbox</type>
+                <help>Enable authentication against the parent proxy.</help>
+            </field>
+            <field>
+                <id>proxy.general.parentproxy.user</id>
+                <label>Username</label>
+                <type>text</type>
+                <help>Set a username if parent proxy requires authentication.</help>
+            </field>
+            <field>
+                <id>proxy.general.parentproxy.password</id>
+                <label>Password</label>
+                <type>password</type>
+                <help>Set a password if parent proxy requires authentication.</help>
+            </field>
+            <field>
+                <id>proxy.general.parentproxy.localdomains</id>
+                <label>Local Domains</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <allownew>true</allownew>
+                <help>List of domains not to be sent via parent proxy.</help>
+            </field>
+            <field>
+                <id>proxy.general.parentproxy.localips</id>
+                <label>Local IPs</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <allownew>true</allownew>
+                <help>List of IP addresses not to be sent via parent proxy.</help>
+            </field>
+        </subtab>
+    </tab>
+    <tab id="proxy-forward" description="Forward Proxy">
+        <subtab id="proxy-forward-general" description="General Forward Settings">
+            <field>
+                <id>proxy.forward.interfaces</id>
+                <label>Proxy interfaces</label>
+                <type>select_multiple</type>
+                <help>Select interface(s) the proxy will bind to.</help>
+            </field>
+            <field>
+                <id>proxy.forward.port</id>
+                <label>Proxy port</label>
+                <type>text</type>
+                <help>The port the proxy service will listen to.</help>
+            </field>
+            <field>
+                <id>proxy.forward.transparentMode</id>
+                <label>Enable Transparent HTTP proxy</label>
+                <type>checkbox</type>
+                <help><![CDATA[Enable transparent proxy mode. You will need a firewall rule to forward traffic from the firewall to the proxy server. You may leave the proxy interfaces empty, but remember to set a valid ACL in that case. <a href="/firewall_nat_edit.php?template=transparent_proxy"> Add a new firewall rule </a>]]></help>
+            </field>
+            <field>
+                <id>proxy.forward.sslbump</id>
+                <label>Enable SSL inspection</label>
+                <type>checkbox</type>
+                <help><![CDATA[Enable SSL inspection mode, which allows to log HTTPS connections information, such as requested URL and/or make the proxy act as a man in the middle between the internet and your clients. Be aware of the security implications before enabling this option. If you plan to use transparent HTTPS mode, you need nat rules to reflect your traffic.<a href="/firewall_nat_edit.php?template=transparent_proxy&https=1">Add a new firewall rule </a>]]></help>
+            </field>
+            <field>
+                <id>proxy.forward.sslurlonly</id>
+                <label>Log SNI information only</label>
+                <type>checkbox</type>
+                <help>Do not decode and/or filter SSL content, only log requested domains and IP addresses. Some old servers may not provide SNI, so their addresses will not be indicated.</help>
+            </field>
+            <field>
+                <id>proxy.forward.sslbumpport</id>
+                <label>SSL Proxy port</label>
+                <type>text</type>
+                <help>The port the ssl proxy service will listen to.</help>
+            </field>
+            <field>
+                <id>proxy.forward.sslcertificate</id>
+                <label>CA to use</label>
+                <type>dropdown</type>
+                <help><![CDATA[Select a Certificate Authority to use. To create a CA, go to <a href="/system_camanager.php">CA Manager</a>.]]></help>
+            </field>
+            <field>
+                <id>proxy.forward.sslnobumpsites</id>
+                <label>SSL no bump sites</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <allownew>true</allownew>
+                <help>Create a list of sites which may not be inspected, for example bank sites. Prefix the domain with a . to accept all subdomains (e.g. .google.com).</help>
+            </field>
+            <field>
+                <id>proxy.forward.ssl_crtd_storage_max_size</id>
+                <label>SSL cache size</label>
+                <type>text</type>
+                <help>Enter the maximum size (in MB) to use for SSL certificates.</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.sslcrtd_children</id>
+                <label>SSL cert workers</label>
+                <type>text</type>
+                <help>Enter the number of ssl certificate workers to use (sslcrtd_children).</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.addACLforInterfaceSubnets</id>
+                <label>Allow interface subnets</label>
+                <type>checkbox</type>
+                <help>When enabled the subnets of the selected interfaces will be added to the allow access list.</help>
+                <advanced>true</advanced>
+            </field>
+        </subtab>
+        <subtab id="proxy-forward-ftp" description="FTP Proxy Settings">
+            <field>
+                <id>proxy.forward.ftpInterfaces</id>
+                <label>FTP proxy interfaces</label>
+                <type>select_multiple</type>
+                <help>Select interface(s) the ftp proxy will bind to.</help>
+            </field>
+            <field>
+                <id>proxy.forward.ftpPort</id>
+                <label>FTP proxy port</label>
+                <type>text</type>
+                <help>The port the proxy service will listen to.</help>
+            </field>
+            <field>
+                <id>proxy.forward.ftpTransparentMode</id>
+                <label>Enable Transparent mode</label>
+                <type>checkbox</type>
+                <help>Enable transparent ftp proxy mode to forward all requests for destination port 21 to the proxy server without any additional configuration.</help>
+            </field>
+        </subtab>
+        <subtab id="proxy-forward-acl" description="Access Control List">
+            <field>
+                <id>proxy.forward.acl.allowedSubnets</id>
+                <label>Allowed Subnets</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Type subnets you want to allow access to the proxy server.</help>
+                <allownew>true</allownew>
+            </field>
+            <field>
+                <id>proxy.forward.acl.unrestricted</id>
+                <label>Unrestricted IP addresses</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Type IP addresses you want to allow access to the proxy server.</help>
+                <allownew>true</allownew>
+            </field>
+            <field>
+                <id>proxy.forward.acl.bannedHosts</id>
+                <label>Banned host IP addresses</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Type IP addresses you want to deny access to the proxy server.</help>
+                <allownew>true</allownew>
+            </field>
+            <field>
+                <id>proxy.forward.acl.whiteList</id>
+                <label>Whitelist</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Whitelist destination domains. You may use a regular expression, use a comma or press Enter for new item. Examples: "mydomain.com" matches on "*.mydomain.com"; "^https?:\/\/([a-zA-Z]+)\.mydomain\." matches on "http(s)://textONLY.mydomain.*"; "\.gif$" matches on "\*.gif" but not on "\*.gif\test"; "\[0-9]+\.gif$" matches on "\123.gif" but not on "\test.gif"</help>
+                <allownew>true</allownew>
+            </field>
+            <field>
+                <id>proxy.forward.acl.blackList</id>
+                <label>Blacklist</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Blacklist destination domains. You may use a regular expression, use a comma or press Enter for new item. Examples: "mydomain.com" matches on "*.mydomain.com"; "^https?:\/\/([a-zA-Z]+)\.mydomain\." matches on "http(s)://textONLY.mydomain.*"; "\.gif$" matches on "*.gif" but not on "\*.gif\test"; "\[0-9]+\.gif$" matches on "\123.gif" but not on "\test.gif"</help>
+                <allownew>true</allownew>
+            </field>
+            <field>
+                <id>proxy.forward.acl.browser</id>
+                <label>Block browser/user-agents</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Block user-agents. You may use a regular expression, use a comma or press Enter for new item. Examples: "^(.)+Macintosh(.)+Firefox/37\.0" matches on "Macintosh version of Firefox revision 37.0"; "^Mozilla" matches on "all Mozilla based browsers"</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.acl.mimeType</id>
+                <label>Block specific MIME type reply</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Block specific MIME type reply. You may use a regular expression, use a comma or press Enter for new item. Examples: "video/flv" matches on "Flash Video"; "application/x-javascript" matches on "javascripts"</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.acl.googleapps</id>
+                <label>Google GSuite restricted</label>
+                <type>text</type>
+                <advanced>true</advanced>
+                <help><![CDATA[Insert here the domain that will be allowed to use Google GSuite.
+                All accounts that are not in this domain will be blocked to use it.]]></help>
+            </field>
+            <field>
+                <id>proxy.forward.acl.youtube</id>
+                <label>YouTube Filter</label>
+                <type>dropdown</type>
+                <advanced>true</advanced>
+                <help><![CDATA[Select the Youtube filter level.]]></help>
+            </field>
+            <field>
+                <id>proxy.forward.acl.safePorts</id>
+                <label>Allowed destination TCP port</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Allowed destination TCP ports, you may use ranges (ex. 222-226) and add comments with colon (ex. 22:ssh).</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.acl.sslPorts</id>
+                <label>Allowed SSL ports</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Allowed destination SSL ports, you may use ranges (ex. 222-226) and add comments with colon (ex. 22:ssh).</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+        </subtab>
+        <subtab id="proxy-icap" description="ICAP Settings">
+            <field>
+                <id>proxy.forward.icap.enable</id>
+                <label>Enable ICAP</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help>If this checkbox is checked, you can use an ICAP server to filter or replace content.</help>
+                <allownew>true</allownew>
+                <advanced>false</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.RequestURL</id>
+                <label>Request Modify URL</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help>Enter the url where the REQMOD requests should be sent to.</help>
+                <allownew>true</allownew>
+                <advanced>false</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.ResponseURL</id>
+                <label>Response Modify URL</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help>Enter the url where the RESPMOD requests should be sent to.</help>
+                <allownew>true</allownew>
+                <advanced>false</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.OptionsTTL</id>
+                <label>Default Options TTL</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help>Default ttl</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.SendClientIP</id>
+                <label>Send Client IP</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help>If you enable this option, the client IP address will be sent to the ICAP server. This can be useful if you want to filter traffic based on IP addresses.</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.SendUsername</id>
+                <label>Send Username</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help>If you enable this option, the username of the client will be sent to the ICAP server. This can be useful if you want to filter traffic based on usernames. Authentication is required to use usernames.</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.EncodeUsername</id>
+                <label>Encode Username</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help>Use this option if your usernames need to be encoded.</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.UsernameHeader</id>
+                <label>Username Header</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help>The header which should be used to send the username to the ICAP server.</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.EnablePreview</id>
+                <label>Enable Preview</label>
+                <type>checkbox</type>
+                <style>tokenize</style>
+                <help>If you use previews, only a part of the data is sent to the ICAP server. Setting this option can improve the performance.</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.PreviewSize</id>
+                <label>Preview Size</label>
+                <type>text</type>
+                <style>tokenize</style>
+                <help>Enter the size of the preview which is sent to the ICAP server.</help>
+                <allownew>true</allownew>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.icap.exclude</id>
+                <label>Exclusion List</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <help>Exclusion list destination domains.You may use a regular expression, use a comma or press Enter for new item. Examples: "mydomain.com" matches on "*.mydomain.com"; "https://([a-zA-Z]+)\.mydomain\." matches on "http(s)://textONLY.mydomain.*"; "\.gif$" matches on "\*.gif" but not on "\*.gif\test"; "\[0-9]+\.gif$" matches on "\123.gif" but not on "\test.gif"</help>
+                <allownew>true</allownew>
+            </field>
+        </subtab>
+        <subtab id="proxy-general-authentication" description="Authentication Settings">
+            <field>
+                <id>proxy.forward.authentication.method</id>
+                <label>Authentication method</label>
+                <type>select_multiple</type>
+                <help>Select Authentication method</help>
+            </field>
+            <field>
+                <id>proxy.forward.authentication.authEnforceGroup</id>
+                <label>Enforce local group</label>
+                <type>select_multiple</type>
+                <help><![CDATA[Restrict access to users in the selected (local)group. <br/>
+                <b>NOTE:</b> please be aware that users (or vouchers) which aren't administered locally will be denied when using this option.]]>
+                </help>
+            </field>
+            <field>
+                <id>proxy.forward.authentication.realm</id>
+                <label>Authentication Prompt</label>
+                <type>text</type>
+                <help>The prompt will be displayed in the authentication request window.</help>
+            </field>
+            <field>
+                <id>proxy.forward.authentication.credentialsttl</id>
+                <label>Authentication TTL (hours)</label>
+                <type>text</type>
+                <help>This specifies for how long (in hours) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</help>
+            </field>
+            <field>
+                <id>proxy.forward.authentication.children</id>
+                <label>Authentication processes</label>
+                <type>text</type>
+                <help>The total number of authenticator processes to spawn.</help>
+            </field>
+        </subtab>
+        <subtab id="proxy-forward-snmp" description="SNMP Agent Settings">
+            <field>
+                <id>proxy.forward.snmp_enable</id>
+                <label>Enable SNMP Agent</label>
+                <type>checkbox</type>
+                <help>Enable or disable the squid SNMP Agent.</help>
+            </field>
+            <field>
+                <id>proxy.forward.snmp_port</id>
+                <label>SNMP port</label>
+                <type>text</type>
+                <help>The port number where Squid listens for SNMP requests. To enable SNMP support set this to a suitable port number. Port number 3401 is often used for the Squid SNMP agent.</help>
+            </field>
+            <field>
+                <id>proxy.forward.snmp_password</id>
+                <label>SNMP password</label>
+                <type>text</type>
+                <help>The password for access to SNMP agent</help>
+            </field>
+        </subtab>
+    </tab>
+
+    <activetab>proxy-general-settings</activetab>
+</form>
diff --git a/www/squid/src/opnsense/mvc/app/library/OPNsense/Auth/Services/Squid.php b/www/squid/src/opnsense/mvc/app/library/OPNsense/Auth/Services/Squid.php
new file mode 100644
index 0000000000..1c5f0b44d9
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/library/OPNsense/Auth/Services/Squid.php
@@ -0,0 +1,105 @@
+<?php
+
+/*
+ * Copyright (C) 2019 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Auth\Services;
+
+use OPNsense\Core\ACL;
+use OPNsense\Core\Config;
+use OPNsense\Auth\IService;
+
+/**
+ * Proxy service
+ * @package OPNsense\Auth
+ */
+class Squid implements IService
+{
+    /**
+     * @var string username for the current request
+     */
+    private $username;
+
+    /**
+     * {@inheritdoc}
+     */
+    public static function aliases()
+    {
+        return [];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function supportedAuthenticators()
+    {
+        $result = array();
+        $configObj = Config::getInstance()->object();
+
+        if (!empty((string)$configObj->OPNsense->proxy->forward->authentication->method)) {
+            $result = explode(',', (string)$configObj->OPNsense->proxy->forward->authentication->method);
+        } else {
+            $result[] = 'Local Database';
+        }
+        return $result;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function setUserName($username)
+    {
+        $this->username = $username;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function getUserName()
+    {
+        return $this->username;
+    }
+
+     /**
+      * {@inheritdoc}
+      */
+    public function checkConstraints()
+    {
+        $configObj = Config::getInstance()->object();
+        if (!empty((string)$configObj->OPNsense->proxy->forward->authentication->authEnforceGroup)) {
+            $groups = explode(',', (string)$configObj->OPNsense->proxy->forward->authentication->authEnforceGroup);
+            $acl = new ACL();
+            foreach ($groups as $local_group) {
+                if ($acl->inGroup($this->getUserName(), $local_group, false)) {
+                    return true;
+                }
+            }
+            return false;
+        } else {
+            return true;
+        }
+    }
+}
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/ACL/ACL.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/ACL/ACL.xml
new file mode 100644
index 0000000000..220b30a9ab
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/ACL/ACL.xml
@@ -0,0 +1,11 @@
+<acl>
+    <page-services-proxy>
+        <name>Services: Proxy</name>
+        <patterns>
+            <pattern>ui/proxy/*</pattern>
+            <pattern>api/proxy/*</pattern>
+            <pattern>ui/diagnostics/log/squid/*</pattern>
+            <pattern>api/diagnostics/log/squid/*</pattern>
+        </patterns>
+    </page-services-proxy>
+</acl>
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Menu/Menu.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Menu/Menu.xml
new file mode 100644
index 0000000000..71280faf76
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Menu/Menu.xml
@@ -0,0 +1,23 @@
+<menu>
+    <Services>
+      <SquidWebProxy VisibleName="Squid Web Proxy" cssClass="fa fa-bolt fa-fw">
+          <Administration url="/ui/proxy">
+            <ACL VisibleName="ACL" url="/ui/proxy#subtab_proxy-forward-acl"/>
+            <Authentication VisibleName="Auth" url="/ui/proxy#subtab_proxy-general-authentication"/>
+            <FTP VisibleName="FTP" url="/ui/proxy#subtab_proxy-forward-ftp"/>
+            <Forward VisibleName="Forward" url="/ui/proxy#subtab_proxy-forward-general"/>
+            <GeneralSettings VisibleName="General" url="/ui/proxy#subtab_proxy-general-settings"/>
+            <ICAP VisibleName="ICAP" url="/ui/proxy#subtab_proxy-icap"/>
+            <LocalCache VisibleName="Cache" url="/ui/proxy#subtab_proxy-general-cache-local"/>
+            <PACMatches VisibleName="PAC Matches" url="/ui/proxy#subtab_pac_matches"/>
+            <PACProxies VisibleName="PAC Proxies" url="/ui/proxy#subtab_pac_proxies"/>
+            <PACRules VisibleName="PAC Rules" url="/ui/proxy#subtab_pac_rules"/>
+            <RemoteACL VisibleName="Remote ACL" url="/ui/proxy#remote_acls"/>
+            <TrafficManagement VisibleName="Traffic Mgmt" url="/ui/proxy#subtab_proxy-general-traffic"/>
+          </Administration>
+          <Cache order="20" VisibleName="Cache Log" url="/ui/diagnostics/log/squid/cache"/>
+          <Access order="30" VisibleName="Access Log" url="/ui/diagnostics/log/squid/access"/>
+          <Store order="40" VisibleName="Store Log" url="/ui/diagnostics/log/squid/store"/>
+      </SquidWebProxy>
+    </Services>
+</menu>
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Migrations/M1_0_0.php b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Migrations/M1_0_0.php
new file mode 100644
index 0000000000..bbf52d2f23
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Migrations/M1_0_0.php
@@ -0,0 +1,37 @@
+<?php
+
+/**
+ *    Copyright (C) 2016 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Proxy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M1_0_0 extends BaseModelMigration
+{
+}
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php
new file mode 100644
index 0000000000..b2401c6374
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php
@@ -0,0 +1,90 @@
+<?php
+
+/*
+ * Copyright (C) 2015 Deciso B.V.
+ * Copyright (C) 2017 Fabian Franz
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Proxy;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class Proxy
+ * @package OPNsense\Proxy
+ */
+class Proxy extends BaseModel
+{
+    public function performValidation($validateFullModel = false)
+    {
+        // perform standard validations
+        $result = parent::performValidation($validateFullModel);
+        // add validation for PAC match
+        foreach ($this->getFlatNodes() as $key => $node) {
+            if ($validateFullModel || $node->isFieldChanged()) {
+                // if match_type has changed we need to make some fields required
+                if ($node->getInternalXMLTagName() == "match_type") {
+                    $match = $node->getParentNode();
+                    $match_type = (string)$match->match_type;
+                    switch ($match_type) {
+                        case 'url_matches':
+                            if (strlen((string)$match->url) == 0) {
+                                $result->appendMessage(new \Phalcon\Messages\Message(
+                                    gettext('URL must be set.'),
+                                    'pac.match.url'
+                                ));
+                            }
+                            break;
+                        case 'hostname_matches':
+                        case 'dns_domain_is':
+                        case 'is_resolvable':
+                            if (strlen((string)$match->hostname) == 0) {
+                                $result->appendMessage(new \Phalcon\Messages\Message(
+                                    gettext('Hostname must be set.'),
+                                    'pac.match.hostname'
+                                ));
+                            }
+                            break;
+                        case 'destination_in_net':
+                        case 'my_ip_in_net':
+                            if (strlen((string)$match->network) == 0) {
+                                $result->appendMessage(new \Phalcon\Messages\Message(
+                                    gettext('Network must be set.'),
+                                    'pac.match.network'
+                                ));
+                            }
+                        case 'plain_hostname':
+                        case 'dns_domain_levels':
+                        case 'weekday_range':
+                        case 'date_range':
+                        case 'time_range':
+                            break; // no special validation
+                    }
+                }
+            }
+        }
+        return $result;
+    }
+}
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
new file mode 100644
index 0000000000..d7d2ed578e
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -0,0 +1,686 @@
+<model>
+    <mount>//OPNsense/proxy</mount>
+    <version>1.0.6</version>
+    <description>Squid web proxy settings</description>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <error_pages type="OptionField">
+                <BlankDesc>Squid</BlankDesc>
+                <OptionValues>
+                    <opnsense>OPNsense</opnsense>
+                    <custom>Custom</custom>
+                </OptionValues>
+            </error_pages>
+            <icpPort type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>ICP port needs to be an integer value between 1 and 65535</ValidationMessage>
+            </icpPort>
+            <logging>
+                <enable>
+                    <accessLog type="BooleanField">
+                        <Default>1</Default>
+                        <Required>Y</Required>
+                    </accessLog>
+                    <storeLog type="BooleanField">
+                        <Default>1</Default>
+                        <Required>Y</Required>
+                    </storeLog>
+                </enable>
+                <ignoreLogACL type="CSVListField">
+                    <Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
+                </ignoreLogACL>
+                <target type="OptionField">
+                    <BlankDesc>File</BlankDesc>
+                    <OptionValues>
+                        <file_extendend>File (Extended)</file_extendend>
+                        <file_json>File (Json)</file_json>
+                        <syslog>Syslog</syslog>
+                        <syslog_json>Syslog (Json)</syslog_json>
+                    </OptionValues>
+                </target>
+            </logging>
+            <alternateDNSservers type="CSVListField">
+                <Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
+            </alternateDNSservers>
+            <forwardedForHandling type="OptionField">
+                <BlankDesc>Default</BlankDesc>
+                <OptionValues>
+                    <on>Append client's IP (on)</on>
+                    <off>Set forward header to unknown (off)</off>
+                    <transparent>Do not alter forward header (transparent)</transparent>
+                    <delete>Remove forward header (delete)</delete>
+                    <truncate>Replace all with client's IP (truncate)</truncate>
+                </OptionValues>
+            </forwardedForHandling>
+            <uriWhitespaceHandling type="OptionField">
+                <BlankDesc>Default</BlankDesc>
+                <OptionValues>
+                    <strip>Strip whitespaces</strip>
+                    <deny>Deny request</deny>
+                    <allow>Allow whitespaces</allow>
+                    <encode>Encode whitespaces (RFC1738)</encode>
+                    <chop>Chop URI at first whitespace</chop>
+                </OptionValues>
+            </uriWhitespaceHandling>
+            <enablePinger type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enablePinger>
+            <useViaHeader type="BooleanField"/>
+            <suppressVersion type="BooleanField"/>
+            <connecttimeout type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>120</MaximumValue>
+            </connecttimeout>
+            <VisibleEmail type="EmailField">
+                <ValidationMessage>Please enter a valid email address.</ValidationMessage>
+            </VisibleEmail>
+            <VisibleHostname type="TextField">
+                <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
+                <ValidationMessage>Please enter a valid servername, ip address or leave this option blank.</ValidationMessage>
+            </VisibleHostname>
+            <cache>
+                <local>
+                    <enabled type="BooleanField">
+                        <Default>0</Default>
+                        <Required>Y</Required>
+                    </enabled>
+                    <directory type="TextField">
+                        <Default>/var/squid/cache</Default>
+                        <Required>Y</Required>
+                    </directory>
+                    <cache_mem type="IntegerField">
+                        <Default>256</Default>
+                        <MinimumValue>0</MinimumValue>
+                        <ValidationMessage>Specify a positive memory cache size. (number of MB's)</ValidationMessage>
+                        <Required>Y</Required>
+                    </cache_mem>
+                    <maximum_object_size type="IntegerField">
+                      <MinimumValue>1</MinimumValue>
+                      <MaximumValue>99999</MaximumValue>
+                      <ValidationMessage>Specify a maximum object size. (number of MB's)</ValidationMessage>
+                    </maximum_object_size>
+                    <maximum_object_size_in_memory type="IntegerField">
+                      <MinimumValue>1</MinimumValue>
+                      <MaximumValue>99999</MaximumValue>
+                      <ValidationMessage>Specify a maximum object size in memory. (number of KB's)</ValidationMessage>
+                    </maximum_object_size_in_memory>
+                    <memory_cache_mode type="OptionField">
+                        <BlankDesc>Default</BlankDesc>
+                        <OptionValues>
+                            <always>Keep all most recent files (always)</always>
+                            <disk>Keep most recent HIT files(disk)</disk>
+                            <network>Keep only files fetched from network (network)</network>
+                        </OptionValues>
+                    </memory_cache_mode>
+                    <size type="IntegerField">
+                        <Default>100</Default>
+                        <MinimumValue>1</MinimumValue>
+                        <ValidationMessage>Specify a positive cache size. (number of MB's)</ValidationMessage>
+                        <Required>Y</Required>
+                    </size>
+                    <l1 type="IntegerField">
+                        <Default>16</Default>
+                        <MinimumValue>1</MinimumValue>
+                        <ValidationMessage>Specify a positive number of first-level subdirectories.</ValidationMessage>
+                        <Required>Y</Required>
+                    </l1>
+                    <l2 type="IntegerField">
+                        <Default>256</Default>
+                        <MinimumValue>1</MinimumValue>
+                        <ValidationMessage>Specify a positive number of second-level subdirectories.</ValidationMessage>
+                        <Required>Y</Required>
+                    </l2>
+                    <cache_linux_packages type="BooleanField">
+                        <Default>0</Default>
+                        <Required>Y</Required>
+                    </cache_linux_packages>
+                    <cache_windows_updates type="BooleanField">
+                        <Default>0</Default>
+                        <Required>Y</Required>
+                    </cache_windows_updates>
+                </local>
+            </cache>
+            <traffic>
+                <enabled type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <maxDownloadSize type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Specify the maximum download size (kB).</ValidationMessage>
+                </maxDownloadSize>
+                <maxUploadSize type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Specify the maximum upload size (kB).</ValidationMessage>
+                </maxUploadSize>
+                <OverallBandwidthTrotteling type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Specify the overall bandwidth for downloads in kilobits per second.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Both throttling parameters should either be filled or empty</ValidationMessage>
+                            <type>AllOrNoneConstraint</type>
+                            <addFields>
+                                <field1>perHostTrotteling</field1>
+                            </addFields>
+                        </check001>
+                    </Constraints>
+                </OverallBandwidthTrotteling>
+                <perHostTrotteling type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Specify the per host bandwidth for downloads in kilobits per second.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <reference>OverallBandwidthTrotteling.check001</reference>
+                        </check001>
+                    </Constraints>
+                </perHostTrotteling>
+            </traffic>
+            <parentproxy>
+                <enabled type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <host type="HostnameField">
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>A host must be set.</ValidationMessage>
+                            <type>DependConstraint</type>
+                            <addFields>
+                                <field1>enabled</field1>
+                            </addFields>
+                        </check001>
+                    </Constraints>
+                </host>
+                <enableauth type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </enableauth>
+                <user type="TextField">
+                    <Default>username</Default>
+                    <Required>Y</Required>
+                    <Mask>/^([0-9a-zA-Z\._\-%@]){1,128}$/u</Mask>
+                    <ValidationMessage>Username can be up to 128 signs long. Alphanumeric characters and also dot, dash, percent sign (for URL escapes), at sign and underscore allowed.</ValidationMessage>
+                </user>
+                <password type="TextField">
+                    <Default>password</Default>
+                    <Required>Y</Required>
+                    <Mask>/^([0-9a-zA-Z\._\-%]){1,128}$/u</Mask>
+                    <ValidationMessage>Password can be up to 128 signs long. Alphanumeric characters and also dot, dash, percent sign (for URL escapes) and underscore allowed.</ValidationMessage>
+                </password>
+                <port type="PortField">
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>A port must be set.</ValidationMessage>
+                            <type>DependConstraint</type>
+                            <addFields>
+                                <field1>enabled</field1>
+                            </addFields>
+                        </check001>
+                    </Constraints>
+                </port>
+                <localdomains type="CSVListField"/>
+                <localips type="CSVListField"/>
+            </parentproxy>
+        </general>
+        <forward>
+            <interfaces type="InterfaceField">
+                <Multiple>Y</Multiple>
+                <AllowDynamic>S</AllowDynamic>
+                <filters>
+                    <enable>/^(?!0).*$/</enable>
+                    <ipaddr>/^((?!dhcp).)*$/</ipaddr>
+                </filters>
+            </interfaces>
+            <port type="IntegerField">
+                <Default>3128</Default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <Required>Y</Required>
+            </port>
+            <sslbumpport type="IntegerField">
+                <Default>3129</Default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>SSL Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <Required>Y</Required>
+            </sslbumpport>
+            <sslbump type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>When enabling "Log SNI information only", SSL inspection must also be enabled</ValidationMessage>
+                        <type>DependConstraint</type>
+                        <addFields>
+                            <field1>sslurlonly</field1>
+                        </addFields>
+                    </check001>
+                </Constraints>
+            </sslbump>
+            <sslurlonly type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+                <Constraints>
+                    <check001>
+                        <reference>sslbump.check001</reference>
+                    </check001>
+                </Constraints>
+            </sslurlonly>
+            <sslcertificate type="CertificateField">
+                <Type>ca</Type>
+                <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
+            </sslcertificate>
+            <sslnobumpsites type="CSVListField">
+              <Mask>/^([a-zA-Z0-9\.:\[\]\s\-]*?,)*([a-zA-Z0-9\.:\[\]\s\-]*)$/</Mask>
+              <ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
+            </sslnobumpsites>
+            <ssl_crtd_storage_max_size type="IntegerField">
+              <Required>Y</Required>
+              <Default>4</Default>
+              <MinimumValue>1</MinimumValue>
+              <MaximumValue>65535</MaximumValue>
+              <ValidationMessage>max size needs to be an integer value between 1 and 65535</ValidationMessage>
+            </ssl_crtd_storage_max_size>
+            <sslcrtd_children type="IntegerField">
+              <Required>Y</Required>
+              <Default>5</Default>
+              <MinimumValue>1</MinimumValue>
+              <MaximumValue>32</MaximumValue>
+              <ValidationMessage>the number of sslrtd children needs to be an integer value between 1 and 32</ValidationMessage>
+            </sslcrtd_children>
+            <snmp_enable type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </snmp_enable>
+            <snmp_port type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>SNMP port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <Required>Y</Required>
+                <Default>3401</Default>
+            </snmp_port>
+            <snmp_password type="TextField">
+                <Default>public</Default>
+                <Required>Y</Required>
+            </snmp_password>
+            <ftpInterfaces type="InterfaceField">
+                <Multiple>Y</Multiple>
+                <filters>
+                    <enable>/^(?!0).*$/</enable>
+                    <ipaddr>/^((?!dhcp).)*$/</ipaddr>
+                </filters>
+            </ftpInterfaces>
+            <ftpPort type="IntegerField">
+                <Default>2121</Default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>FTP Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <Required>Y</Required>
+            </ftpPort>
+            <ftpTransparentMode type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </ftpTransparentMode>
+            <addACLforInterfaceSubnets type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </addACLforInterfaceSubnets>
+            <transparentMode type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </transparentMode>
+            <acl>
+                <allowedSubnets type="CSVListField">
+                    <Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
+                </allowedSubnets>
+                <unrestricted type="CSVListField">
+                    <Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
+                </unrestricted>
+                <bannedHosts type="CSVListField">
+                    <Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
+                </bannedHosts>
+                <whiteList type="CSVListField"/>
+                <blackList type="CSVListField"/>
+                <browser type="CSVListField"/>
+                <mimeType type="CSVListField"/>
+                <googleapps type="HostnameField">
+                    <Mask>/^([a-zA-Z0-9]){0,}\.([a-zA-Z0-9].){0,}/</Mask>
+                    <ValidationMessage>Please enter a valid domain name here</ValidationMessage>
+                </googleapps>
+                <youtube type="OptionField">
+                    <OptionValues>
+                        <strict>Strict</strict>
+                        <moderate>Moderate</moderate>
+                    </OptionValues>
+                </youtube>
+                <safePorts type="CSVListField">
+                    <Mask>/^([ \-0-9a-zA-Z:,])*/u</Mask>
+                </safePorts>
+                <sslPorts type="CSVListField">
+                    <Mask>/^([ \-0-9a-zA-Z:,])*/u</Mask>
+                </sslPorts>
+                <remoteACLs>
+                    <blacklists>
+                        <blacklist type="ArrayField">
+                            <enabled type="BooleanField">
+                                <Default>1</Default>
+                                <Required>Y</Required>
+                            </enabled>
+                            <filename type="TextField">
+                                <Required>Y</Required>
+                                <Mask>/^[a-zA-Z0-9]{1,245}\.?[a-zA-z0-9]{1,10}$/</Mask>
+                                <ValidationMessage>The filename may only contain letters, digits and one dot (not required).</ValidationMessage>
+                                <Constraints>
+                                    <check001>
+                                        <ValidationMessage>Filename should be unique</ValidationMessage>
+                                        <type>UniqueConstraint</type>
+                                    </check001>
+                                </Constraints>
+                            </filename>
+                            <url type="UrlField">
+                                <Required>Y</Required>
+                            </url>
+                            <username type="TextField">
+                                <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                            </username>
+                            <password type="TextField">
+                                <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                            </password>
+                            <filter type="JsonKeyValueStoreField">
+                                <SourceField>filename</SourceField>
+                                <SourceFile>/usr/local/etc/squid/acl/%s.index</SourceFile>
+                                <SelectAll>Y</SelectAll>
+                                <Multiple>Y</Multiple>
+                            </filter>
+                            <sslNoVerify type="BooleanField">
+                                <Default>0</Default>
+                                <Required>Y</Required>
+                            </sslNoVerify>
+                            <description type="TextField">
+                                <Required>Y</Required>
+                                <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                            </description>
+                        </blacklist>
+                    </blacklists>
+                    <UpdateCron type="ModelRelationField">
+                        <Model>
+                            <queues>
+                                <source>OPNsense.Cron.Cron</source>
+                                <items>jobs.job</items>
+                                <display>description</display>
+                                <filters>
+                                    <origin>/Proxy/</origin>
+                                </filters>
+                            </queues>
+                        </Model>
+                        <ValidationMessage>Related cron not found</ValidationMessage>
+                    </UpdateCron>
+                </remoteACLs>
+            </acl>
+            <icap>
+                <enable type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </enable>
+                <RequestURL type="TextField"/>
+                <ResponseURL type="TextField"/>
+                <SendClientIP type="BooleanField">
+                    <Required>Y</Required>
+                    <Default>1</Default>
+                </SendClientIP>
+                <SendUsername type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </SendUsername>
+                <EncodeUsername type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </EncodeUsername>
+                <UsernameHeader type="TextField">
+                    <Required>Y</Required>
+                    <Default>X-Username</Default>
+                    <Mask>/^([a-zA-Z-]+)$/</Mask>
+                </UsernameHeader>
+                <EnablePreview type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </EnablePreview>
+                <PreviewSize type="IntegerField">
+                    <Default>1024</Default>
+                    <Required>Y</Required>
+                </PreviewSize>
+                <OptionsTTL type="IntegerField">
+                    <Default>60</Default>
+                    <Required>Y</Required>
+                </OptionsTTL>
+                <exclude type="CSVListField"/>
+            </icap>
+            <authentication>
+                <method type="AuthenticationServerField">
+                    <Multiple>Y</Multiple>
+                </method>
+                <authEnforceGroup type="AuthGroupField">
+                    <Multiple>Y</Multiple>
+                </authEnforceGroup>
+                <realm type="TextField">
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){0,255}$/u</Mask>
+                </realm>
+                <credentialsttl type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Credentials TTL needs to be an integer value above 0</ValidationMessage>
+                </credentialsttl>
+                <children type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Number of children needs to be an integer value above 0</ValidationMessage>
+                </children>
+            </authentication>
+        </forward>
+        <pac>
+          <proxy type="ArrayField">
+              <name type="TextField">
+                  <Required>Y</Required>
+                  <ValidationMessage>The proxy name must be set.</ValidationMessage>
+                  <Constraints>
+                      <check001>
+                          <ValidationMessage>Proxy name should be unique</ValidationMessage>
+                          <type>UniqueConstraint</type>
+                      </check001>
+                  </Constraints>
+              </name>
+              <proxy_type type="OptionField">
+                  <Required>Y</Required>
+                  <OptionValues>
+                      <PROXY>Proxy</PROXY>
+                      <DIRECT>Direct Connection (no Proxy)</DIRECT>
+                      <HTTP>HTTP Proxy</HTTP>
+                      <HTTPS>HTTPS Proxy</HTTPS>
+                      <SOCKS>SOCKS</SOCKS>
+                      <SOCKS4>SOCKS Version 4</SOCKS4>
+                      <SOCKS5>SOCKS Version 5</SOCKS5>
+                  </OptionValues>
+              </proxy_type>
+              <url type="TextField">
+                  <ValidationMessage>This does not look like a valid proxy or direct connection.</ValidationMessage>
+              </url>
+              <description type="TextField">
+                  <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+              </description>
+          </proxy>
+          <match type="ArrayField">
+              <name type="TextField">
+                  <Required>Y</Required>
+                  <ValidationMessage>The match name must be set.</ValidationMessage>
+                  <Constraints>
+                      <check001>
+                          <ValidationMessage>Match name should be unique</ValidationMessage>
+                          <type>UniqueConstraint</type>
+                      </check001>
+                  </Constraints>
+              </name>
+              <description type="TextField">
+                  <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+              </description>
+              <negate type="BooleanField">
+                  <Default>0</Default>
+                  <Required>Y</Required>
+              </negate>
+              <match_type type="OptionField">
+                  <Required>Y</Required>
+                  <OptionValues>
+                      <url_matches>URL Matches</url_matches>
+                      <hostname_matches>Hostname Matches</hostname_matches>
+                      <dns_domain_is>DNS Domain Is</dns_domain_is>
+                      <destination_in_net>IP Is In Network</destination_in_net>
+                      <my_ip_in_net>My IP Is In Network</my_ip_in_net>
+                      <plain_hostname>Plain Hostname (No Dots Inside)</plain_hostname>
+                      <is_resolvable>Is Resolvable</is_resolvable>
+                      <dns_domain_levels>DNS Domain Levels (Count Of Dots)</dns_domain_levels>
+                      <weekday_range>Weekday Range</weekday_range>
+                      <date_range>Date Range</date_range>
+                      <time_range>Time Range</time_range>
+                  </OptionValues>
+              </match_type>
+              <hostname type="TextField"/>
+              <url type="TextField">
+                  <Mask>/^[^"]*$/</Mask>
+              </url>
+              <network type="NetworkField"/>
+              <domain_level_from type="IntegerField">
+                  <MinimumValue>0</MinimumValue>
+                  <ValidationMessage>Minimum domain level must be bigger than 0.</ValidationMessage>
+              </domain_level_from>
+              <domain_level_to type="IntegerField">
+                  <MinimumValue>0</MinimumValue>
+                  <ValidationMessage>A hostname cannot have a negative count of levels.</ValidationMessage>
+              </domain_level_to>
+              <time_from type="IntegerField">
+                  <MinimumValue>0</MinimumValue>
+                  <ValidationMessage>The first hour of the day is 0.</ValidationMessage>
+              </time_from>
+              <time_to type="IntegerField">
+                  <MinimumValue>0</MinimumValue>
+                  <MaximumValue>23</MaximumValue>
+                  <ValidationMessage>The last hour of the day is 23!</ValidationMessage>
+              </time_to>
+              <date_from type="OptionField">
+                  <Required>Y</Required>
+                  <OptionValues>
+                      <JAN>January</JAN>
+                      <FEB>February</FEB>
+                      <MAR>March</MAR>
+                      <APR>April</APR>
+                      <MAY>May</MAY>
+                      <JUN>June</JUN>
+                      <JUL>July</JUL>
+                      <AUG>August</AUG>
+                      <SEP>September</SEP>
+                      <OCT>October</OCT>
+                      <NOV>November</NOV>
+                      <DEC>December</DEC>
+                  </OptionValues>
+              </date_from>
+              <date_to type="OptionField">
+                  <Required>Y</Required>
+                  <OptionValues>
+                      <JAN>January</JAN>
+                      <FEB>February</FEB>
+                      <MAR>March</MAR>
+                      <APR>April</APR>
+                      <MAY>May</MAY>
+                      <JUN>June</JUN>
+                      <JUL>July</JUL>
+                      <AUG>August</AUG>
+                      <SEP>September</SEP>
+                      <OCT>October</OCT>
+                      <NOV>November</NOV>
+                      <DEC>December</DEC>
+                  </OptionValues>
+              </date_to>
+              <weekday_from type="OptionField">
+                  <Required>Y</Required>
+                  <OptionValues>
+                      <MON>Monday</MON>
+                      <TUE>Tuesday</TUE>
+                      <WED>Wednesday</WED>
+                      <THU>Thursday</THU>
+                      <FRI>Friday</FRI>
+                      <SAT>Saturday</SAT>
+                      <SUN>Sunday</SUN>
+                  </OptionValues>
+              </weekday_from>
+              <weekday_to type="OptionField">
+                  <Required>Y</Required>
+                  <OptionValues>
+                      <MON>Monday</MON>
+                      <TUE>Tuesday</TUE>
+                      <WED>Wednesday</WED>
+                      <THU>Thursday</THU>
+                      <FRI>Friday</FRI>
+                      <SAT>Saturday</SAT>
+                      <SUN>Sunday</SUN>
+                  </OptionValues>
+              </weekday_to>
+          </match>
+          <rule type="ArrayField">
+              <enabled type="BooleanField">
+                  <Default>1</Default>
+                  <Required>Y</Required>
+              </enabled>
+              <description type="TextField">
+                  <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+              </description>
+              <matches type="ModelRelationField">
+                  <Model>
+                      <queues>
+                          <source>OPNsense.Proxy.Proxy</source>
+                          <items>pac.match</items>
+                          <display>name</display>
+                      </queues>
+                  </Model>
+                  <Required>Y</Required>
+                  <Multiple>Y</Multiple>
+              </matches>
+              <join_type type="OptionField">
+                  <Required>Y</Required>
+                  <OptionValues>
+                      <and>And</and>
+                      <or>Or</or>
+                  </OptionValues>
+              </join_type>
+              <match_type type="OptionField">
+                  <Required>Y</Required>
+                  <OptionValues>
+                      <if>If</if>
+                      <unless>Unless</unless>
+                  </OptionValues>
+              </match_type>
+              <proxies type="ModelRelationField">
+                  <Sorted>Y</Sorted>
+                  <Model>
+                      <queues>
+                          <source>OPNsense.Proxy.Proxy</source>
+                          <items>pac.proxy</items>
+                          <display>name</display>
+                      </queues>
+                  </Model>
+                  <Required>Y</Required>
+                  <Multiple>Y</Multiple>
+              </proxies>
+          </rule>
+        </pac>
+        <error_pages>
+          <template type="TextField">
+              <Mask>/[0-9a-zA-Z\+\=\/]{20,}/u</Mask>
+              <ValidationMessage>File content should be in (base64 encoded) zip format</ValidationMessage>
+          </template>
+        </error_pages>
+    </items>
+</model>
diff --git a/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt b/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
new file mode 100644
index 0000000000..bda232e0d4
--- /dev/null
+++ b/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
@@ -0,0 +1,602 @@
+{#
+ # Copyright (c) 2014-2015 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+
+    $( document ).ready(function() {
+
+        var data_get_map = {'frm_proxy':"/api/proxy/settings/get"};
+
+        // show/hide error pages tab when applicable
+        $("#proxy\\.general\\.error_pages").change(function(e){
+            if ($(this).val() == 'custom') {
+                $("#subtab_error_pages").show();
+            } else {
+                $("#subtab_error_pages").hide();
+            }
+        });
+
+        // load initial data
+        mapDataToFormUI(data_get_map).done(function(){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            // request service status on load and update status box
+            updateServiceControlUI('proxy');
+        });
+
+        /*************************************************************************************************************
+         * link grid actions
+         *************************************************************************************************************/
+
+        $("#grid-remote-blacklists").UIBootgrid(
+                {   'search':'/api/proxy/settings/searchRemoteBlacklists',
+                    'get':'/api/proxy/settings/getRemoteBlacklist/',
+                    'set':'/api/proxy/settings/setRemoteBlacklist/',
+                    'add':'/api/proxy/settings/addRemoteBlacklist/',
+                    'del':'/api/proxy/settings/delRemoteBlacklist/',
+                    'toggle':'/api/proxy/settings/toggleRemoteBlacklist/'
+                }
+        );
+        $("#grid-pac-match").UIBootgrid(
+                {   'search':'/api/proxy/settings/searchPACMatch',
+                    'get':'/api/proxy/settings/getPACMatch/',
+                    'set':'/api/proxy/settings/setPACMatch/',
+                    'add':'/api/proxy/settings/addPACMatch/',
+                    'del':'/api/proxy/settings/delPACMatch/',
+                    'options': {
+                        responseHandler: function (response) {
+                            // concatenate fields for not.
+                            if ('rows' in response) {
+                                for (var i = 0; i < response.rowCount; i++) {
+                                    response.rows[i]['display_match_type'] = {'not':response.rows[i].negate == '1',
+                                                                      'val':response.rows[i].match_type}
+                                }
+                            }
+                            return response;
+                        }
+                    }
+                }
+        );
+        $("#grid-pac-rule").UIBootgrid(
+                {   'search':'/api/proxy/settings/searchPACRule',
+                    'get':'/api/proxy/settings/getPACRule/',
+                    'set':'/api/proxy/settings/setPACRule/',
+                    'add':'/api/proxy/settings/addPACRule/',
+                    'del':'/api/proxy/settings/delPACRule/',
+                    'toggle':'/api/proxy/settings/togglePACRule/'
+                }
+        );
+        $("#grid-pac-proxy").UIBootgrid(
+                {   'search':'/api/proxy/settings/searchPACProxy',
+                    'get':'/api/proxy/settings/getPACProxy/',
+                    'set':'/api/proxy/settings/setPACProxy/',
+                    'add':'/api/proxy/settings/addPACProxy/',
+                    'del':'/api/proxy/settings/delPACProxy/'
+                }
+        );
+
+        function update_pac_match_view(event) {
+            function show_line(the_id) {
+                $('tr[for=' + the_id + ']').show();
+            }
+            let value = $("#pac\\.match\\.match_type").val();
+            if (!value) {
+                // retry later
+                setTimeout(update_pac_match_view, 100);
+                return;
+            }
+            // hide tr of the element if not needed
+            ["pac\\.match\\.network",
+             "pac\\.match\\.hostname",
+             "pac\\.match\\.url",
+             "pac\\.match\\.domain_level_from",
+             "pac\\.match\\.domain_level_to",
+             "pac\\.match\\.time_from",
+             "pac\\.match\\.time_to",
+             "pac\\.match\\.date_from",
+             "pac\\.match\\.date_to",
+             "pac\\.match\\.weekday_from",
+             "pac\\.match\\.weekday_to"].forEach (function (the_id) {
+                $('tr[for=' + the_id + ']').hide();
+            });
+            switch (value) {
+                case 'hostname_matches':
+                    show_line("pac\\.match\\.hostname");
+                    break;
+                case "url_matches":
+                    show_line("pac\\.match\\.url");
+                    break;
+                case "dns_domain_is":
+                    show_line("pac\\.match\\.hostname");
+                    break;
+                case "destination_in_net":
+                case "my_ip_in_net":
+                    show_line("pac\\.match\\.network");
+                    break;
+                case "plain_hostname":
+                    break; // has no option
+                case "is_resolvable":
+                    show_line("pac\\.match\\.hostname");
+                    break;
+                case "dns_domain_levels":
+                    show_line("pac\\.match\\.domain_level_from");
+                    show_line("pac\\.match\\.domain_level_to");
+                    break;
+                case "weekday_range":
+                    show_line("pac\\.match\\.weekday_from");
+                    show_line("pac\\.match\\.weekday_to");
+                    break;
+                case "date_range":
+                    show_line("pac\\.match\\.date_from");
+                    show_line("pac\\.match\\.date_to");
+                    break;
+                case "time_range":
+                    show_line("pac\\.match\\.time_from");
+                    show_line("pac\\.match\\.time_to");
+                    break;
+            }
+
+        }
+        // when a modal is created, update the
+        $("#DialogEditPACMatch").on("opnsense_bootgrid_mapped", update_pac_match_view);
+        $("#pac\\.match\\.match_type").change(update_pac_match_view);
+
+        $('.reload-pac-btn').click(function () {
+            $('.reload-pac-btn .fa-refresh').addClass('fa-spin');
+            ajaxCall("/api/proxy/service/refreshTemplate", {}, function(data,status) {
+                $('.reload-pac-btn .fa-refresh').removeClass('fa-spin');
+            });
+        });
+
+        /**
+         * Reconfigure proxy - activate changes
+         */
+        $("#reconfigureAct").SimpleActionButton();
+
+        /**
+         * Download ACLs and reconfigure poxy - activate changes
+         */
+        $("#fetchandreconfigureAct").SimpleActionButton();
+
+        /**
+         *
+         * Download ACLs, no reconfigure
+         */
+        $("#downloadAct").SimpleActionButton();
+
+        /**
+         * setup cron item
+         */
+        $("#ScheduleAct").click(function() {
+            $("#scheduleAct_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall("/api/proxy/settings/fetchRBCron", {}, function(data,status) {
+                $("#scheduleAct_progress").removeClass("fa fa-spinner fa-pulse");
+                if (data.uuid !=undefined) {
+                    // redirect to cron page
+                    $(location).attr('href',"/ui/cron/item/open/"+data.uuid);
+                }
+            });
+        });
+
+        // form save event handlers for all defined forms
+        $('[id*="save_"]').each(function(){
+            $(this).click(function() {
+                var frm_id = $(this).closest("form").attr("id");
+                var frm_title = $(this).closest("form").attr("data-title");
+                // save data for General TAB
+                saveFormToEndpoint("/api/proxy/settings/set", frm_id, function(){
+                    // on correct save, perform reconfigure. set progress animation when reloading
+                    $("#"+frm_id+"_progress").addClass("fa fa-spinner fa-pulse");
+
+                    ajaxCall("/api/proxy/service/reconfigure", {}, function(data,status){
+                        // when done, disable progress animation.
+                        $("#"+frm_id+"_progress").removeClass("fa fa-spinner fa-pulse");
+
+                        if (status != "success" || data['status'] != 'ok' ) {
+                            // fix error handling
+                            BootstrapDialog.show({
+                                type:BootstrapDialog.TYPE_WARNING,
+                                title: frm_title,
+                                message: JSON.stringify(data),
+                                draggable: true
+                            });
+                        } else {
+                            updateServiceControlUI('proxy');
+                        }
+                    });
+                });
+            });
+        });
+
+        $("#resetAct").click(function() {
+            BootstrapDialog.show({
+                type:BootstrapDialog.TYPE_DANGER,
+                title: '{{ lang._('Reset') }} ',
+                message: '{{ lang._('Are you sure you want to flush all generated content and restart the proxy?') }}',
+                buttons: [{
+                    label: '{{ lang._('Yes') }}',
+                    cssClass: 'btn-primary',
+                    action: function(dlg){
+                        dlg.close();
+                        $("#resetAct_progress").addClass("fa fa-spinner fa-pulse");
+                        ajaxCall("/api/proxy/service/reset", {}, function(data,status) {
+                            $("#resetAct_progress").removeClass("fa fa-spinner fa-pulse");
+                            updateServiceControlUI('proxy');
+                        });
+                    }
+                }, {
+                    label: '{{ lang._('No') }}',
+                    action: function(dlg){
+                        dlg.close();
+                    }
+                }]
+            });
+
+        });
+
+        /**
+         * Error page template actions
+         */
+         $("#error_pages_content_filename").click(function(evt) {
+             $("#error_pages_content_progress").addClass("fa fa-spinner fa-pulse");
+             $("#error_pages_content_icon").hide();
+             this.value = null;
+         });
+         $("#error_pages_content_filename").change(function(evt) {
+             if (evt.target.files[0]) {
+                 var reader = new FileReader();
+                 reader.onload = function(readerEvt) {
+                     $("#error_pages_content_name").val(evt.target.files[0].name);
+                     $("#error_pages_content").val(btoa(readerEvt.target.result));
+                     $("#error_pages_content_progress").removeClass("fa fa-spinner fa-pulse");
+                     $("#error_pages_content_icon").show();
+                 };
+                 reader.readAsBinaryString(evt.target.files[0]);
+             } else {
+                 $("#error_pages_content_progress").removeClass("fa fa-spinner fa-pulse");
+                 $("#error_pages_content_icon").show();
+             }
+         });
+         $("#error_pages_download").click(function(){
+            window.open('/api/proxy/template/get', 'downloadTemplate');
+         });
+         $("#error_pages_upload").click(function(){
+             if ($("#error_pages_content").val().length > 2) {
+                ajaxCall("/api/proxy/template/set", {'content': $("#error_pages_content").val()}, function(data,status) {
+                    if (data['error'] !== undefined) {
+                        // error saving
+                        BootstrapDialog.show({
+                            type: BootstrapDialog.TYPE_WARNING,
+                            title: "{{ lang._('Error uploading template') }}",
+                            message: data['error'],
+                            draggable: true
+                        });
+                    } else {
+                        $("#error_pages_content_name").val("{{ lang._('saved') }}");
+                    }
+                });
+             }
+         });
+         $("#error_pages_reset").click(function(){
+              BootstrapDialog.show({
+                title: "{{ lang._('Reset custom template') }}",
+                message: "{{ lang._('Are you sure you want to flush the configured template (back to defaults)?') }}",
+                type: BootstrapDialog.TYPE_INFO,
+                draggable: true,
+                buttons: [{
+                    label: '<i class="fa fa-check" aria-hidden="true"></i>',
+                    action: function(sender){
+                        ajaxCall("/api/proxy/template/reset", {});
+                        sender.close();
+                    }
+                },{
+                   label:  '<i class="fa fa-close" aria-hidden="true"></i>',
+                   action: function(sender){
+                      sender.close();
+                   }
+                 }]
+              });
+         });
+
+        // update history on tab state and implement navigation
+        if(window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click()
+        }
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+    });
+
+
+</script>
+
+<ul class="nav nav-tabs" role="tablist" id="maintabs">
+    {{ partial("layout_partials/base_tabs_header",['formData':mainForm]) }}
+    {# add custom content #}
+    <li role="presentation" class="dropdown">
+        <a data-toggle="dropdown" href="#" class="dropdown-toggle pull-right visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" role="button">
+            <b><span class="caret"></span></b>
+        </a>
+        <a data-toggle="tab" onclick="$('#subtab_item_pac_rules').click();" class="visible-lg-inline-block visible-md-inline-block visible-xs-inline-block visible-sm-inline-block" style="border-right:0px;"><b>{{ lang._('Proxy Auto-Config') }}</b></a>
+        <ul class="dropdown-menu" role="menu">
+            <li>
+                <a data-toggle="tab" id="subtab_item_pac_rules" href="#subtab_pac_rules">{{ lang._('Rules') }}</a>
+            </li>
+            <li>
+                <a data-toggle="tab" id="subtab_item_pac_rules" href="#subtab_pac_proxies">{{ lang._('Proxies') }}</a>
+            </li>
+            <li>
+                <a data-toggle="tab" id="subtab_item_pac_rules" href="#subtab_pac_matches">{{ lang._('Matches') }}</a>
+            </li>
+        </ul>
+    </li>
+    <li><a data-toggle="tab" href="#remote_acls"><b>{{ lang._('Remote Access Control Lists') }}</b></a></li>
+    <li><a data-toggle="tab" href="#support"><b>{{ lang._('Support') }}</b></a></li>
+    <li><a data-toggle="tab" id="subtab_error_pages" style="display:none" href="#error_pages"><b>{{ lang._('Error Pages') }}</b></a></li>
+</ul>
+
+<div class="content-box tab-content">
+    {{ partial("layout_partials/base_tabs_content",['formData':mainForm]) }}
+    <div id="subtab_pac_matches" class="tab-pane fade">
+        <table id="grid-pac-match" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditPACMatch">
+            <thead>
+                <tr>
+                    <th data-column-id="name" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="description" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="display_match_type" data-type="notprefixable" data-sortable="false"  data-visible="true">{{ lang._('Match Type') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Action') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="3"></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus fa-fw"></span></button>
+                        <button type="button" class="btn btn-xs btn-primary reload-pac-btn" data-toggle="tooltip" title="{{ lang._('Reload') }}"><span class="fa fa-repeat fa-fw"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+    <div id="subtab_pac_rules" class="tab-pane fade">
+        <table id="grid-pac-rule" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditPACRule">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-formatter="rowtoggle" data-sortable="false"  data-width="6em">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="description" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Actions') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="2"></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus fa-fw"></span></button>
+                        <button type="button" class="btn btn-xs btn-primary reload-pac-btn" data-toggle="tooltip" title="{{ lang._('Reload') }}"><span class="fa fa-repeat fa-fw"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+    <div id="subtab_pac_proxies" class="tab-pane fade">
+        <table id="grid-pac-proxy" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditPACProxy">
+            <thead>
+                <tr>
+                    <th data-column-id="name" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="proxy_type" data-type="string" data-sortable="false" data-visible="true">{{ lang._('Type') }}</th>
+                    <th data-column-id="url" data-type="string" data-sortable="false" data-visible="true">{{ lang._('URL') }}</th>
+                    <th data-column-id="description" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Actions') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="3"></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus fa-fw"></span></button>
+                        <button type="button" class="btn btn-xs btn-primary reload-pac-btn" data-toggle="tooltip" title="{{ lang._('Reload') }}"><span class="fa fa-repeat fa-fw"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+
+    <div id="remote_acls" class="tab-pane fade">
+        <table class="table table-striped table-condensed table-responsive">
+            <colgroup>
+                <col class="col-md-3"/>
+                <col class="col-md-9"/>
+            </colgroup>
+            <tbody>
+            <tr>
+                <td colspan="2" style="text-align:right">
+                    <small>{{ lang._('full help') }} </small><a href="#"><i class="fa fa-toggle-off text-danger" id="show_all_help_show_all_help_frm_proxy-forward-acl-remoteACLS"></i></a>
+                </td>
+            </tr>
+            <tr>
+                <td><div class="control-label">
+                    <a id="help_for_proxy.forward.acl.remoteACLs.blacklist" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>
+                    <b>{{ lang._('Remote Blacklist') }}</b>
+                </div>
+                </td>
+                <td>
+                  <div class="hidden" data-for="help_for_proxy.forward.acl.remoteACLs.blacklist">
+                      <small>
+                      {{ lang._('Add an item to the table to fetch a remote acl for blacklisting.%s
+                      You can enable or disable the blacklist list.%s
+                      The active blacklists will be merged with the settings under %sForward Proxy -> Access Control List%s.') |
+                           format('<br/>','<br/>','<b>','</b>') }}
+                      </small>
+                  </div>
+                </td>
+            </tr>
+            <tr>
+                <td colspan="2">
+                    <div id="remoteACLchangeMessage" class="alert alert-info" style="display: none" role="alert">
+                        {{ lang._('After changing categories, please remember to download the ACL again to apply your new settings') }}
+                    </div>
+                    <table id="grid-remote-blacklists" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEditBlacklist" data-editAlert="remoteACLchangeMessage">
+                        <thead>
+                        <tr>
+                            <th data-column-id="enabled" data-formatter="rowtoggle" data-sortable="false"  data-width="6em">{{ lang._('Enabled') }}</th>
+                            <th data-column-id="filename" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Filename') }}</th>
+                            <th data-column-id="url" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('URL') }}</th>
+                            <th data-column-id="description" data-type="string" data-sortable="false"  data-visible="true">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Edit | Delete') }}</th>
+                        </tr>
+                        </thead>
+                        <tbody>
+                        </tbody>
+                        <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus fa-fw"></span></button>
+                            </td>
+                        </tr>
+                        </tfoot>
+                    </table>
+                    <div class="col-md-12">
+                        <hr/>
+                        <button class="btn btn-primary" id="reconfigureAct"
+                                data-endpoint='/api/proxy/service/reconfigure'
+                                data-label="{{ lang._('Apply') }}"
+                                data-error-title="{{ lang._('Error reconfiguring proxy') }}"
+                                type="button"
+                        ></button>
+                        <button class="btn btn-primary" id="fetchandreconfigureAct"
+                                data-endpoint='/api/proxy/service/fetchacls'
+                                data-label="{{ lang._('Download ACLs & Apply') }}"
+                                data-error-title="{{ lang._('Error fetching remote acls') }}"
+                                type="button"
+                        ></button>
+                        <button class="btn btn-primary" id="downloadAct"
+                                data-endpoint='/api/proxy/service/downloadacls'
+                                data-label="{{ lang._('Download ACLs') }}"
+                                data-error-title="{{ lang._('Error fetching remote acls') }}"
+                                type="button"
+                        ></button>
+                        <button class="btn btn-primary" id="ScheduleAct" type="button">
+                            <b>{{ lang._('Schedule with Cron') }}</b><i id="scheduleAct_progress" class=""></i>
+                        </button>
+                    </div>
+                </td>
+            </tr>
+            </tbody>
+        </table>
+    </div>
+    <div id="support" class="tab-pane fade">
+        <table class="table table-striped table-condensed">
+            <thead>
+                <tr>
+                    <th>{{ lang._('Action')}}</th>
+                    <th></th>
+                </tr>
+            </thead>
+            <tbody>
+              <tr>
+                  <td>
+                      <button class="btn btn-primary" id="resetAct" type="button">{{ lang._('Reset') }}<i id="resetAct_progress" class=""></button>
+                  </td>
+                  <td>
+                      {{ lang._('Reset all generated content (cached files and certificates included) and restart the proxy.') }}
+                  </td>
+              </tr>
+            </tbody>
+        </table>
+    </div>
+    <div id="error_pages" class="tab-pane fade">
+      <form id="frm_proxy-error_pages" data-title="{{ lang._('Error pages')}}">
+        <table class="table table-striped table-condensed">
+            <thead>
+                <tr>
+                    <th>{{ lang._('Action')}}</th>
+                </tr>
+            </thead>
+            <tbody>
+                <tr>
+                  <td>
+                    <button class="btn btn-default" style="padding-bottom: 7px;" id="error_pages_download" title="{{ lang._('Download')}}" data-toggle="tooltip">
+                      <i class="fa fa-fw fa-download"></i>
+                    </button>
+                  </td>
+                </tr>
+                <tr>
+                    <td>
+                      <textarea id="error_pages_content" class="hidden form-control"></textarea>
+                      <div class="input-group">
+                          <label class="input-group-btn">
+                              <label class="btn btn-default" style="padding-bottom: 7px;">
+                                  <i class="fa fa-fw fa-folder-o" id="error_pages_content_icon"></i>
+                                  <i id="error_pages_content_progress"></i>
+                                  <input type="file" id="error_pages_content_filename" style="display: none;">
+                              </label>
+                          </label>
+                          <input type="text" class="form-control" readonly="" for="error_pages_content" id="error_pages_content_name">
+                          <button class="btn btn-default" id="error_pages_upload" style="padding-bottom: 7px;" title="{{ lang._('Upload selected file')}}" data-toggle="tooltip">
+                            <i class="fa fa-fw fa-upload"></i>
+                          </button>
+                      </div>
+                    </td>
+                </tr>
+                <tr>
+                  <td>
+                    <button class="btn btn-default" style="padding-bottom: 7px;" id="error_pages_reset" title="{{ lang._('Reset')}}" data-toggle="tooltip">
+                      <i class="fa fa-fw fa-remove"></i>
+                    </button>
+                  </td>
+                </tr>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td>
+                        {{ lang._('Download and upload custom error pages, if no (new) files are provided our defaults are used.')}}
+                    </td>
+                </tr>
+                <tr>
+                    <td>
+                        <button class="btn btn-primary" id="save_proxy-error_pages" type="button">
+                          <b>{{ lang._('Apply')}}</b>
+                          <i id="frm_proxy-error_pages_progress" class=""></i>
+                        </button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+      </form>
+    </div>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBlacklist,'id':'DialogEditBlacklist','label':lang._('Edit blacklist')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditPACProxy,'id':'DialogEditPACProxy','label':lang._('Edit Proxy')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditPACMatch,'id':'DialogEditPACMatch','label':lang._('Edit Match')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditPACRule,'id':'DialogEditPACRule','label':lang._('Edit Rule')])}}
diff --git a/www/squid/src/opnsense/scripts/proxy/deploy_error_pages.py b/www/squid/src/opnsense/scripts/proxy/deploy_error_pages.py
new file mode 100755
index 0000000000..f6e63c8aa5
--- /dev/null
+++ b/www/squid/src/opnsense/scripts/proxy/deploy_error_pages.py
@@ -0,0 +1,54 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import ujson
+import os
+import re
+from lib import ProxyTemplates
+target_directory = "/usr/local/etc/squid/errors/local"
+
+if __name__ == '__main__':
+    proxy_templates = ProxyTemplates()
+
+    # install error_pages into target_directory
+    if not os.path.isdir(target_directory):
+        os.mkdir(target_directory)
+    for filename, data in proxy_templates.templates(proxy_templates.overlay_enabled()):
+        match = proxy_templates.css_section(data)
+        if match:
+            inline_css = list()
+            for dep_filename in proxy_templates.css_dependencies(filename, proxy_templates.overlay_enabled()):
+                css_content = proxy_templates.get_file(dep_filename, proxy_templates.overlay_enabled())
+                if css_content:
+                    inline_css.append(b'<style type="text/css">\n%s\n</style>' % css_content)
+            data = b"%s%s%s" % (data[0:match.start()], b"\n".join(inline_css), data[match.end():])
+        with open("%s/%s" % (target_directory, os.path.splitext(filename)[0]), "wb") as target_fh:
+            target_fh.write(data)
+    print(ujson.dumps({
+        'overlay_status': proxy_templates.get_overlay_status()
+    }))
diff --git a/www/squid/src/opnsense/scripts/proxy/download_error_pages.py b/www/squid/src/opnsense/scripts/proxy/download_error_pages.py
new file mode 100755
index 0000000000..4c786a8dd2
--- /dev/null
+++ b/www/squid/src/opnsense/scripts/proxy/download_error_pages.py
@@ -0,0 +1,53 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import base64
+import ujson
+import os
+import re
+import zipfile
+from io import BytesIO
+from lib import ProxyTemplates
+
+if __name__ == '__main__':
+    root_dir = "/proxy_template"
+    proxy_templates = ProxyTemplates()
+    output_data = BytesIO()
+    processed = list()
+    with zipfile.ZipFile(output_data, mode='w', compression=zipfile.ZIP_DEFLATED) as zf:
+        for filename, data in proxy_templates.templates(True):
+            zf.writestr("%s/%s" % (root_dir, filename), data)
+            for dep_filename in proxy_templates.css_dependencies(filename, True):
+                if dep_filename not in processed:
+                    zf.writestr("%s/%s" % (root_dir, dep_filename), proxy_templates.get_file(dep_filename, True))
+                    processed.append(dep_filename)
+
+    response = dict()
+    response['payload'] = base64.b64encode(output_data.getvalue()).decode()
+    response['size'] = len(response['payload'])
+    print(ujson.dumps(response))
diff --git a/www/squid/src/opnsense/scripts/proxy/fetchACLs.py b/www/squid/src/opnsense/scripts/proxy/fetchACLs.py
new file mode 100755
index 0000000000..af59239976
--- /dev/null
+++ b/www/squid/src/opnsense/scripts/proxy/fetchACLs.py
@@ -0,0 +1,381 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2016-2019 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2015 Jos Schellevis <jos@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import tempfile
+import os
+import sys
+import json
+import glob
+import os.path
+import tarfile
+import gzip
+import zipfile
+import syslog
+import urllib3
+from configparser import ConfigParser
+from urllib.request import urlopen
+from urllib.error import URLError
+from urllib.error import HTTPError
+import requests
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+acl_config_fn = '/usr/local/etc/squid/externalACLs.conf'
+acl_target_dir = '/usr/local/etc/squid/acl'
+acl_max_timeout = 30
+
+
+class Downloader(object):
+    """ Download helper
+    """
+
+    def __init__(self, url,username, password, timeout, ssl_no_verify=False):
+        """ init new
+            :param url: source url
+            :param timeout: timeout in seconds
+        """
+        self._url = url.strip()
+        self._timeout = timeout
+        self._source_handle = None
+        self._username = username
+        self._password = password
+        self._ssl_no_verify = ssl_no_verify
+
+    def fetch(self):
+        """ fetch (raw) source data into tempfile using self._source_handle
+        """
+        self._source_handle = None
+        if self._url.lower().startswith('http://') or self._url.lower().startswith('https://'):
+            # HTTP(S) download
+            req_opts = dict()
+            req_opts['url'] = self._url
+            req_opts['stream'] = True
+            req_opts['timeout'] = self._timeout
+            if self._ssl_no_verify:
+                req_opts['verify'] = False
+            if self._username is not None:
+                req_opts['auth'] = (self._username, self._password)
+            req = requests.get(**req_opts)
+            if req.status_code == 200:
+                req.raw.decode_content = True
+                self._source_handle = tempfile.NamedTemporaryFile('wb+', 10240)
+                while True:
+                    data = req.raw.read(10240)
+                    if not data:
+                        break
+                    else:
+                         self._source_handle.write(data)
+                self._source_handle.seek(0)
+            else:
+                syslog.syslog(syslog.LOG_ERR, 'proxy acl: error downloading %s (http code: %s)' % (self._url,
+                                                                                                   req.status_code))
+        elif self._url.lower().startswith('ftp://'):
+            # FTP download
+            try:
+                f = urlopen(self._url, timeout=self._timeout)
+                self._source_handle = tempfile.NamedTemporaryFile('wb+', 10240)
+                while True:
+                    data = f.read(10240)
+                    if not data:
+                        break
+                    else:
+                         self._source_handle.write(data)
+                self._source_handle.seek(0)
+                f.close()
+            except (URLError, HTTPError, IOError) as e:
+                 syslog.syslog(syslog.LOG_ERR, 'proxy acl: error downloading %s' % self._url)
+        else:
+            syslog.syslog(syslog.LOG_ERR, 'proxy acl: unsupported protocol for %s' % self._url)
+
+    def get_files(self):
+        """ process downloaded data, handle compression
+            :return: iterator filename, file handle
+        """
+        if self._source_handle is not None:
+            # handle compressed data
+            if (len(self._url) > 8 and self._url[-7:] == '.tar.gz') \
+                    or (len(self._url) > 4 and self._url[-4:] == '.tgz'):
+                # source is in tar.gz format, extract all into a single string
+                try:
+                    tf = tarfile.open(fileobj=self._source_handle)
+                    for tf_file in tf.getmembers():
+                        if tf_file.isfile():
+                            yield tf_file.name, tf.extractfile(tf_file)
+                except IOError as e:
+                    syslog.syslog(syslog.LOG_ERR, 'proxy acl: error downloading %s (%s)' % (self._url, e))
+            elif len(self._url) > 4 and self._url[-3:] == '.gz':
+                # source is in .gz format unpack
+                try:
+                    gf = gzip.GzipFile(mode='r', fileobj=self._source_handle)
+                    yield os.path.basename(self._url), gf
+                except IOError as e:
+                    syslog.syslog(syslog.LOG_ERR, 'proxy acl: error downloading %s (%s)' % (self._url, e))
+            elif len(self._url) > 5 and self._url[-4:] == '.zip':
+                # source is in .zip format, extract all into a single string
+                with zipfile.ZipFile(self._source_handle,
+                                     mode='r',
+                                     compression=zipfile.ZIP_DEFLATED) as zf:
+                    for item in zf.infolist():
+                        if item.file_size > 0:
+                            yield item.filename, zf.open(item)
+            else:
+                yield os.path.basename(self._url), self._source_handle
+
+    def download(self):
+        """ download / unpack ACL
+            :return: iterator filename, type, content
+        """
+        self.fetch()
+        for filename, filehandle in self.get_files():
+            basefilename = os.path.basename(filename).lower()
+            file_ext = filename.split('.')[-1].lower()
+            while True:
+                line = filehandle.readline().decode(encoding='utf-8', errors='ignore')
+                if not line:
+                    break
+                yield filename, basefilename, file_ext, line
+
+
+class DomainSorter(object):
+    """ Helper class for building sorted squid domain acl list.
+        Use as file type object, close flushes the actual (sorted) data to disc
+    """
+
+    def __init__(self, filename=None):
+        """ new sorted output file, uses an acl record in reverse order as sort key
+            :param filename: target filename
+            :param mode: file open mode
+        """
+        self._num_targets = 20
+        self._separator = '|'
+        self._buckets = dict()
+        self._sort_map = dict()
+        # setup target
+        self._target_filename = filename
+        # setup temp files
+        self.generate_targets()
+
+    def generate_targets(self):
+        """ generate ordered targets
+        """
+        sets = 255
+        for i in range(sets):
+            target = chr(i + 1)
+            setid = int(i / (sets / self._num_targets))
+            if setid not in self._buckets:
+                self._buckets[setid] = tempfile.NamedTemporaryFile('wb+', 10240)
+            self._sort_map[target] = self._buckets[setid]
+
+    def write(self, data):
+        """ save content, send reverse sorted to buffers
+            :param data: line to write
+        """
+        line = data.strip().lower()
+        if len(line) > 0:
+            # Calculate sort key, which is the reversed url with dots (.) replaced by spaces.
+            # We need to replace dots (.) here to avoid having a wrong sorting order when dashes
+            # or similar characters are used inside the url.
+            # (The process writing out the domains checks for domain overlaps)
+            sort_key = line[::-1].replace('.', ' ')
+            self.add(sort_key, line)
+
+    def add(self, key, value):
+        """ spool data to temp
+            :param key: key to use
+            :param value: value to store
+        """
+        target = key[0]
+        if target in self._sort_map:
+            for part in (key, self._separator, value, '\n'):
+                self._sort_map[target].write(part.encode('utf-8'))
+        else:
+            # not supposed to happen, every key should have a calculated target pool
+            pass
+
+    def reader(self):
+        """ read reverse
+        """
+        for target in sorted(self._buckets):
+            self._buckets[target].seek(0)
+            set_content = dict()
+            while True:
+                line = self._buckets[target].readline().decode()
+                if not line:
+                    break
+                else:
+                    set_content[line.split('|')[0]] = '|'.join(line.split('|')[1:])
+            for itemkey in sorted(set_content, reverse=True):
+                yield set_content[itemkey]
+
+    @staticmethod
+    def is_domain(tag):
+        """ check if tag is probably a domain name
+            :param tag: tag to inspect
+            :return: boolean
+        """
+        has_chars = False
+        for tag_item in tag:
+            if not tag_item.isdigit() and tag_item not in ('.', ',', '|', '/', '\n'):
+                has_chars = True
+            elif tag_item in (':', '|', '/'):
+                return False
+        if has_chars:
+            return True
+        else:
+            return False
+
+    def close(self):
+        """ close and dump content
+        """
+        if self._target_filename is not None:
+            # flush to file on close
+            with open(self._target_filename, 'wb', buffering=10240) as f_out:
+                prev_line = None
+                for line in self.reader():
+                    line = line.lstrip('.')
+                    if prev_line == line:
+                        # duplicate, skip
+                        continue
+                    if self.is_domain(line):
+                        # prefix domain, if this domain is different then the previous one
+                        if prev_line is None or '.%s' % line not in prev_line:
+                            f_out.write(b'.')
+                    f_out.write(line.encode())
+                    prev_line = line
+
+
+def filename_in_ignorelist(bfilename, filename_ext):
+    """ ignore certain files from processing.
+        :param bfilename: basefilename to inspect
+        :param filename_ext: extension of the filename
+    """
+    if filename_ext in ['pdf', 'txt', 'doc']:
+        return True
+    elif bfilename in ('readme', 'license', 'usage', 'categories'):
+        return True
+    return False
+
+
+def main():
+    # parse OPNsense external ACLs config
+    if os.path.exists(acl_config_fn):
+        # create acl directory (if new)
+        if not os.path.exists(acl_target_dir):
+            os.mkdir(acl_target_dir)
+        else:
+            # remove index files
+            for filename in glob.glob('%s/*.index' % acl_target_dir):
+                os.remove(filename)
+        # read config and download per section
+        cnf = ConfigParser()
+        cnf.read(acl_config_fn)
+        for section in cnf.sections():
+            target_filename = acl_target_dir + '/' + section
+            if cnf.has_option(section, 'url'):
+                # collect filters to apply
+                acl_filters = list()
+                if cnf.has_option(section, 'filter'):
+                    for acl_filter in cnf.get(section, 'filter').strip().split(','):
+                        if len(acl_filter.strip()) > 0:
+                            acl_filters.append(acl_filter)
+
+                # define target(s)
+                targets = {'domain': {'filename': target_filename, 'handle': None, 'class': DomainSorter}}
+
+                # only generate files if enabled, otherwise dump empty files
+                if cnf.has_option(section, 'enabled') and cnf.get(section, 'enabled') == '1':
+                    download_url = cnf.get(section, 'url')
+                    if cnf.has_option(section, 'username'):
+                        download_username = cnf.get(section, 'username')
+                        download_password = cnf.get(section, 'password')
+                    else:
+                        download_username = None
+                        download_password = None
+                    if cnf.has_option(section, 'sslNoVerify') and cnf.get(section, 'sslNoVerify') == '1':
+                        sslNoVerify = True
+                    else:
+                        sslNoVerify = False
+                    acl = Downloader(download_url, download_username, download_password, acl_max_timeout, sslNoVerify)
+                    all_filenames = list()
+                    for filename, basefilename, file_ext, line in acl.download():
+                        if filename_in_ignorelist(basefilename, file_ext):
+                            # ignore documents, licenses and readme's
+                            continue
+
+                        # detect output type
+                        if '/' in line or '|' in line:
+                            filetype = 'url'
+                        elif line.startswith('#'):
+                            filetype = 'comment'
+                        else:
+                            filetype = 'domain'
+
+                        if filename not in all_filenames:
+                            all_filenames.append(filename)
+
+                        if len(acl_filters) > 0:
+                            acl_found = False
+                            for acl_filter in acl_filters:
+                                if acl_filter in filename:
+                                    acl_found = True
+                                    break
+                            if not acl_found:
+                                # skip this acl entry
+                                continue
+
+                        if filetype in targets and targets[filetype]['handle'] is None:
+                            targets[filetype]['handle'] = targets[filetype]['class'](targets[filetype]['filename'])
+                        if filetype in targets:
+                            targets[filetype]['handle'].write(line)
+                            targets[filetype]['handle'].write('\n')
+                    # save index to disc
+                    with open('%s.index' % target_filename, 'w', buffering=10240) as idx_out:
+                        index_data = dict()
+                        for filename in all_filenames:
+                            if len(filename.split('/')) > 2:
+                                index_key = '/'.join(filename.split('/')[1:-1])
+                                if index_key not in index_data:
+                                    index_data[index_key] = index_key
+                        idx_out.write(json.dumps(index_data))
+
+                # cleanup
+                for filetype in targets:
+                    if targets[filetype]['handle'] is not None:
+                        targets[filetype]['handle'].close()
+                    elif cnf.has_option(section, 'enabled') and cnf.get(section, 'enabled') != '1':
+                        if os.path.isfile(targets[filetype]['filename']):
+                            # disabled, remove previous data
+                            os.remove(targets[filetype]['filename'])
+                    elif not os.path.isfile(targets[filetype]['filename']):
+                        # no data fetched and no file available, create new empty file
+                        with open(targets[filetype]['filename'], 'w') as target_out:
+                            target_out.write("")
+
+
+# execute downloader
+main()
diff --git a/www/squid/src/opnsense/scripts/proxy/generate_cert.php b/www/squid/src/opnsense/scripts/proxy/generate_cert.php
new file mode 100755
index 0000000000..b2df4aabf7
--- /dev/null
+++ b/www/squid/src/opnsense/scripts/proxy/generate_cert.php
@@ -0,0 +1,53 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2016 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* XXX use legacy code to generate certs and CAs */
+
+require_once("config.inc");
+require_once("certs.inc");
+
+use OPNsense\Core\Config;
+
+// Our template systems stores the ca certid into /usr/local/etc/squid/ca.pem.id
+// Which makes it easier for the setup script to detect cert changes (which should flush the stored cache)
+if (is_file('/usr/local/etc/squid/ca.pem.id')) {
+    $cert_refid = trim(file_get_contents('/usr/local/etc/squid/ca.pem.id'));
+    if (!empty($config['ca'])) {
+        foreach ($config['ca'] as $ca) {
+            if (isset($ca['refid']) && $ca['refid'] == $cert_refid) {
+                $pem_contents = '';
+                $pem_contents .= trim(base64_decode($ca['prv'])) . "\n";
+                $pem_contents .= trim(base64_decode($ca['crt'])) . "\n";
+                $pem_contents .= ca_chain($ca);
+                echo "certificate generated\n";
+                file_put_contents('/var/squid/ssl/ca.pem', $pem_contents);
+            }
+        }
+    }
+}
diff --git a/www/squid/src/opnsense/scripts/proxy/lib/__init__.py b/www/squid/src/opnsense/scripts/proxy/lib/__init__.py
new file mode 100755
index 0000000000..5fd16676b1
--- /dev/null
+++ b/www/squid/src/opnsense/scripts/proxy/lib/__init__.py
@@ -0,0 +1,141 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import ujson
+import os
+import base64
+import binascii
+import re
+import zipfile
+import glob
+from io import BytesIO
+
+class ProxyTemplates:
+    error_config = "/usr/local/etc/squid/error_directory.in"
+
+    def __init__(self):
+        self._all_src_files = dict()
+        self._all_ovl_files = dict()
+        self._overlay_status = None
+        self._install_overlay = False
+        self._overlay_data = None
+        self._load_config()
+        self.load()
+
+    def _load_config(self):
+        """ initialize configuration
+        """
+        if os.path.isfile(self.error_config):
+            error_cfg = ujson.loads(open(self.error_config, 'rb').read())
+            self._install_overlay = 'install' not in error_cfg or error_cfg['install'] != 'opnsense'
+            self._overlay_data = error_cfg['content'] if 'content' in error_cfg else None
+
+    def load(self):
+        """ load (custom) error pages in memory
+        """
+        self._overlay_status = None
+        self._all_src_files = dict()
+        self._all_ovl_files = dict()
+        # base (OPNsense) template
+        for filename in glob.glob("/usr/local/opnsense/data/proxy/template_error_pages/*"):
+            bfilename = os.path.basename(filename)
+            with open(filename, "rb") as f_in:
+                self._all_src_files[bfilename] = f_in.read()
+
+        # when a (valid) overlay is provided, read it's contents
+        if self._overlay_data and self._install_overlay:
+            try:
+                input_data = BytesIO(base64.b64decode(self._overlay_data))
+                root_dir = ""
+                with zipfile.ZipFile(input_data, mode='r', compression=zipfile.ZIP_DEFLATED) as zf_in:
+                    for zf_info in zf_in.infolist():
+                        if not root_dir and zf_info.filename.endswith('/'):
+                            root_dir = zf_info.filename
+                        else:
+                            self._all_ovl_files[zf_info.filename.replace(root_dir, "")] = zf_in.read(zf_info.filename)
+            except binascii.Error:
+                self._overlay_status = 'Not a base64 encoded file'
+            except zipfile.BadZipFile:
+                self._overlay_status = 'Illegal zip file'
+            except IOError:
+                self._overlay_status = 'Error reading file'
+
+    def templates(self, overlay=False):
+        """ return template html files
+            :param overlay: consider custom theme files when applicable
+            :rtype: [string, bytes]
+        """
+        for filename in self._all_src_files:
+            if filename.endswith('.html'):
+                if overlay and filename in self._all_ovl_files:
+                    yield filename, self._all_ovl_files[filename]
+                else:
+                    yield filename, self._all_src_files[filename]
+
+    def get_file(self, filename, overlay=False):
+        """ return file content
+            :param filename: source filename
+            :param overlay: consider custom theme files when applicable
+            :return: string
+        """
+        if filename in self._all_src_files:
+            if overlay and filename in self._all_ovl_files:
+                return self._all_ovl_files[filename]
+            else:
+                return self._all_src_files[filename]
+
+    @staticmethod
+    def css_section(data):
+        """ extract css definition block from provided data
+            :param data: html data
+            :return: MatchObject
+        """
+        return re.search(b'(<!--[\s]*EMBED:start.*?EMBED:end[\s]*-->)', data, re.DOTALL)
+
+    def css_dependencies(self, filename, overlay=False):
+        """ extract css dependencies from provided filename
+            :param filename: source filename
+            :param overlay: consider custom theme files when applicable
+            :rtype: list
+        """
+        data = self.get_file(filename, overlay)
+        if filename.endswith('.html') and data:
+            match = self.css_section(data)
+            if match:
+                for href in re.findall(b"(href[\s]*=[\s]*[\"|'])(.*?)([\"|'])" ,match.group(0)):
+                    yield href[1].decode()
+
+    def overlay_enabled(self):
+        """ when deploying files, should we consider an overlay
+            :return: bool
+        """
+        return self._install_overlay
+
+    def get_overlay_status(self):
+        """ return validity of the installed overlay
+            :return: string
+        """
+        return self._overlay_status
diff --git a/www/squid/src/opnsense/scripts/proxy/setup.sh b/www/squid/src/opnsense/scripts/proxy/setup.sh
new file mode 100755
index 0000000000..795ebdd0d9
--- /dev/null
+++ b/www/squid/src/opnsense/scripts/proxy/setup.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs /usr/local/etc/squid/errors/local"
+
+for SQUID_DIR in ${SQUID_DIRS}; do
+    mkdir -p ${SQUID_DIR}
+    chown -R squid:squid ${SQUID_DIR}
+    chmod -R 750 ${SQUID_DIR}
+done
+/usr/sbin/pw groupmod proxy -m squid
+/usr/local/sbin/squid -z -N > /dev/null 2>&1
+
+# remove ssl certificate store in case the user changed the CA
+if [ -f /usr/local/etc/squid/ca.pem.id ]; then
+    current_cert=`cat /usr/local/etc/squid/ca.pem.id`
+    if [ -d /var/squid/ssl_crtd ]; then
+        if [ -f /var/squid/ssl_crtd.id ]; then
+          running_cert=`cat /var/squid/ssl_crtd.id`
+        else
+          running_cert=""
+        fi
+        if [ "$current_cert" != "$running_cert" ]; then
+            rm -rf /var/squid/ssl_crtd
+        fi
+    fi
+fi
+
+# create ssl certificate store, in case sslbump is enabled we need this
+if [ ! -d /var/squid/ssl_crtd ]; then
+    /usr/local/libexec/squid/security_file_certgen -c -s /var/squid/ssl_crtd -M 10 > /dev/null 2>&1
+    chown -R squid:squid /var/squid/ssl_crtd
+    chmod -R 750 /var/squid/ssl_crtd
+    if [ -f /usr/local/etc/squid/ca.pem.id ]; then
+        cat /usr/local/etc/squid/ca.pem.id > /var/squid/ssl_crtd.id
+    fi
+fi
+
+# generate SSL bump certificate
+/usr/local/opnsense/scripts/proxy/generate_cert.php > /dev/null 2>&1
+
+# install theme files
+/usr/local/opnsense/scripts/proxy/deploy_error_pages.py > /dev/null 2>&1
diff --git a/www/squid/src/opnsense/scripts/syslog/logformats/squid.py b/www/squid/src/opnsense/scripts/syslog/logformats/squid.py
new file mode 100755
index 0000000000..e5dca0c66d
--- /dev/null
+++ b/www/squid/src/opnsense/scripts/syslog/logformats/squid.py
@@ -0,0 +1,107 @@
+"""
+    Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import re
+import datetime
+from . import NewBaseLogFormat
+squid_ext_timeformat = r'.*(\[\d{1,2}/[A-Za-z]{3}/\d{4}:\d{1,2}:\d{1,2}:\d{1,2} \+\d{4}\]).*'
+squid_timeformat = r'^(\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}).*'
+
+
+class SquidLogFormat(NewBaseLogFormat):
+    def __init__(self, filename):
+        super().__init__(filename)
+        self._priority = 100
+
+    def match(self, line):
+        return self._filename.find('squid') > -1 and re.match(squid_timeformat, line) is not  None
+
+    @property
+    def timestamp(self):
+        tmp = re.match(squid_timeformat, self._line)
+        grp = tmp.group(1)
+        return datetime.datetime.strptime(grp, "%Y/%m/%d %H:%M:%S").isoformat()
+
+    @property
+    def process_name(self):
+        return "squid"
+
+    @property
+    def line(self):
+        return self._line[19:].strip()
+
+
+class SquidExtLogFormat(NewBaseLogFormat):
+    def __init__(self, filename):
+        super().__init__(filename)
+        self._priority = 120
+
+    def match(self, line):
+        return self._filename.find('squid') > -1 and re.match(squid_ext_timeformat, line) is not  None
+
+    @property
+    def timestamp(self):
+        tmp = re.match(squid_ext_timeformat, self._line)
+        grp = tmp.group(1)
+        return datetime.datetime.strptime(grp[1:].split()[0], "%d/%b/%Y:%H:%M:%S").isoformat()
+
+    @property
+    def process_name(self):
+        return "squid"
+
+    @property
+    def line(self):
+        tmp = re.match(squid_ext_timeformat, self._line)
+        grp = tmp.group(1)
+        return self._line.replace(grp, '')
+
+
+class SquidJsonLogFormat(NewBaseLogFormat):
+    def __init__(self, filename):
+        super().__init__(filename)
+        self._priority = 140
+        local_now = datetime.datetime.now()
+        utc_now = datetime.datetime.utcnow()
+        self._localtimezone = datetime.timezone(local_now - utc_now)
+
+    def match(self, line):
+        return self._filename.find('squid') > -1 and line.find('"@timestamp"') > -1
+
+    @property
+    def timestamp(self, line):
+        tmp = line[line.find('"@timestamp"')+13:].split(',')[0].strip().strip('"')
+        try:
+            return datetime.datetime.strptime(tmp, "%Y-%m-%dT%H:%M:%S%z")\
+                    .astimezone(self._localtimezone).isoformat().split('.')[0].split('+')[0]
+        except ValueError:
+            return None
+
+    @property
+    def process_name(self):
+        return "squid"
+
+    @property
+    def line(self):
+        return self._line
diff --git a/www/squid/src/opnsense/service/conf/actions.d/actions_proxy.conf b/www/squid/src/opnsense/service/conf/actions.d/actions_proxy.conf
new file mode 100644
index 0000000000..6082fc81d7
--- /dev/null
+++ b/www/squid/src/opnsense/service/conf/actions.d/actions_proxy.conf
@@ -0,0 +1,82 @@
+[start]
+command:
+    /usr/local/sbin/pluginctl -c webproxy start;
+    /usr/local/etc/rc.d/squid start 2>&1 && echo "__ok__"; exit 0
+parameters:
+type:script_output
+message:starting proxy
+
+[stop]
+command:
+    /usr/local/etc/rc.d/squid stop;
+    /usr/bin/killall squid;
+    /usr/local/sbin/pluginctl -c webproxy stop;
+    exit 0
+parameters:
+type:script
+message:stopping proxy
+
+[restart]
+command:
+    /usr/local/sbin/pluginctl -c webproxy restart;
+    /usr/local/etc/rc.d/squid restart 2>&1 && echo "__ok__"; exit 0
+parameters:
+type:script_output
+message:restarting proxy
+description:Restart Web Proxy service
+
+[reset]
+command:
+    /usr/bin/killall -9 squid;
+    rm /var/run/squid/squid.pid;
+    rm -rf /var/squid/*;
+    /usr/local/sbin/pluginctl -c webproxy start;
+    /usr/local/etc/rc.d/squid start
+parameters:
+type:script
+message:reset and restart proxy
+
+[reload]
+command:
+    /usr/local/sbin/pluginctl -c webproxy reload;
+    /usr/local/opnsense/scripts/proxy/deploy_error_pages.py;
+    /usr/local/etc/rc.d/squid reload
+parameters:
+type:script
+message:reload proxy
+
+[status]
+command:/usr/local/etc/rc.d/squid status;exit 0
+parameters:
+type:script_output
+message:request proxy status
+
+[fetchacls]
+command:
+    /usr/local/bin/flock -n -E 0 -o /tmp/fetchACLs.lock /usr/local/opnsense/scripts/proxy/fetchACLs.py && (
+        /usr/local/sbin/pluginctl -c webproxy reload;
+        /usr/local/etc/rc.d/squid reload
+    )
+parameters:
+type:script
+message:download and reload proxy ACLs from remote locations
+description:Download and reload external proxy ACLs
+
+[downloadacls]
+command:/usr/local/bin/flock -n -E 0 -o /tmp/fetchACLs.lock /usr/local/opnsense/scripts/proxy/fetchACLs.py
+parameters:
+type:script
+message:download proxy ACLs from remote locations
+description:Download external proxy ACLs
+
+[deploy_error_pages]
+command:/usr/local/opnsense/scripts/proxy/deploy_error_pages.py
+parameters:
+type:script_output
+message:deploy error pages
+
+[download_error_pages]
+command:/usr/local/opnsense/scripts/proxy/download_error_pages.py
+parameters:
+type:script_output
+message:download error pages
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
new file mode 100644
index 0000000000..113237f505
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
@@ -0,0 +1,15 @@
+auth.conf:/usr/local/etc/squid/auth/dummy.conf
+ca.pem.id:/usr/local/etc/squid/ca.pem.id
+cache.active:/var/squid/cache/active
+error_directory_in:/usr/local/etc/squid/error_directory.in
+externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
+newsyslog.conf:/etc/newsyslog.conf.d/squid
+nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
+parentproxy.conf:/usr/local/etc/squid/pre-auth/parentproxy.conf
+post-auth.conf:/usr/local/etc/squid/post-auth/dummy.conf
+pre-auth.conf:/usr/local/etc/squid/pre-auth/dummy.conf
+rc.conf.d:/etc/rc.conf.d/squid/squid
+snmp.conf:/usr/local/etc/squid/pre-auth/40-snmp.conf
+squid.conf:/usr/local/etc/squid/squid.conf
+squid.pam:/etc/pam.d/squid
+wpad.dat:/usr/local/www/wpad.dat
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/auth.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/auth.conf
new file mode 100644
index 0000000000..d0ef53e5ef
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/auth.conf
@@ -0,0 +1,3 @@
+# AUTOGENERATED FILE. DO NOT EDIT.
+# DO NOT REMOVE THIS FILE!
+# This directory is for auth config files
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
new file mode 100644
index 0000000000..e907aec5e9
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
@@ -0,0 +1,3 @@
+{% if helpers.exists('OPNsense.proxy.forward.sslcertificate') %}
+{{ OPNsense.proxy.forward.sslcertificate }}
+{% endif %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/cache.active b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/cache.active
new file mode 100644
index 0000000000..e8eac9df14
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/cache.active
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
+{%   if OPNsense.proxy.general.cache.local.enabled == '1' %}
+yes
+{%   endif %}
+{% endif %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/error_directory_in b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/error_directory_in
new file mode 100644
index 0000000000..f9d52ca004
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/error_directory_in
@@ -0,0 +1,7 @@
+{#
+    base64 encoded zip archive containing template overrides
+#}
+{
+  "install": "{{ OPNsense.proxy.general.error_pages|default('opnsense') }}",
+  "content": "{% if not helpers.empty('OPNsense.proxy.error_pages.template') %}{{ OPNsense.proxy.error_pages.template }}{% endif %}"
+}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/externalACLs.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/externalACLs.conf
new file mode 100644
index 0000000000..5db85f5320
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/externalACLs.conf
@@ -0,0 +1,16 @@
+#
+# Automatic generated configuration for fetching remote ACLs.
+# Do not edit this file manually.
+{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
+{%   for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') %}
+[{{blacklist.filename}}]
+url:{{blacklist.url}}
+enabled:{{blacklist.enabled}}
+filter:{{blacklist.filter|default('')}}
+{% if blacklist.username|default('') != '' %}
+username={{blacklist.username}}
+password={{blacklist.password|default('')}}
+{% endif %}
+sslNoVerify={{blacklist.sslNoVerify|default('0')}}
+{%   endfor %}
+{% endif %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/newsyslog.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/newsyslog.conf
new file mode 100644
index 0000000000..db392ab305
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/newsyslog.conf
@@ -0,0 +1,6 @@
+# logfilename                   [owner:group]   mode    count size      when    flags   [/pid_file]               [sig_num]
+{% if helpers.exists('OPNsense.proxy.general.enabled') and OPNsense.proxy.general.enabled|default("0") == "1" %}
+/var/log/squid/access.log   squid:squid     644     14       *      @T00     ZB      /var/run/squid/squid.pid       30
+/var/log/squid/cache.log    squid:squid     644     2       *       @T00     ZB      /var/run/squid/squid.pid       30
+/var/log/squid/store.log    squid:squid     644     2       *       @T00     ZB      /var/run/squid/squid.pid       30
+{% endif %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl
new file mode 100644
index 0000000000..0bf00cd387
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.proxy.forward.sslnobumpsites') and OPNsense.proxy.forward.sslnobumpsites != '' %}
+{% for line in OPNsense.proxy.forward.sslnobumpsites.split(',') %}
+{{ line }}
+{% endfor %}
+{% endif %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/parentproxy.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/parentproxy.conf
new file mode 100644
index 0000000000..1dafefa75f
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/parentproxy.conf
@@ -0,0 +1,24 @@
+{% if helpers.exists('OPNsense.proxy.general.parentproxy.enabled') and OPNsense.proxy.general.parentproxy.enabled == '1' %}
+cache_peer {{ OPNsense.proxy.general.parentproxy.host }} parent {{ OPNsense.proxy.general.parentproxy.port }} 0 no-query default {% if helpers.exists('OPNsense.proxy.general.parentproxy.enableauth') and OPNsense.proxy.general.parentproxy.enableauth == '1' %} login={{ OPNsense.proxy.general.parentproxy.user }}:{{ OPNsense.proxy.general.parentproxy.password }}{% endif %}
+
+{%   if helpers.exists('OPNsense.proxy.general.parentproxy.localdomains') and OPNsense.proxy.general.parentproxy.localdomains != '' %}
+acl ExcludePPDomains dstdomain {{ OPNsense.proxy.general.parentproxy.localdomains.replace(',', ' ') }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.general.parentproxy.localips') and OPNsense.proxy.general.parentproxy.localips != '' %}
+acl ExcludePPIPs dst {{ OPNsense.proxy.general.parentproxy.localips.replace(',', ' ') }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.general.parentproxy.localdomains') and OPNsense.proxy.general.parentproxy.localdomains != '' %}
+cache_peer_access {{ OPNsense.proxy.general.parentproxy.host }} deny ExcludePPDomains
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.general.parentproxy.localips') and OPNsense.proxy.general.parentproxy.localips != '' %}
+cache_peer_access {{ OPNsense.proxy.general.parentproxy.host }} deny ExcludePPIPs
+{%   endif %}
+cache_peer_access {{ OPNsense.proxy.general.parentproxy.host }} allow all
+{%   if helpers.exists('OPNsense.proxy.general.parentproxy.localdomains') and OPNsense.proxy.general.parentproxy.localdomains != '' %}
+never_direct deny ExcludePPDomains
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.general.parentproxy.localips') and OPNsense.proxy.general.parentproxy.localips != '' %}
+never_direct deny ExcludePPIPs
+{%   endif %}
+never_direct allow all
+{% endif %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/post-auth.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/post-auth.conf
new file mode 100644
index 0000000000..5b91051e90
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/post-auth.conf
@@ -0,0 +1,3 @@
+# AUTOGENERATED FILE. DO NOT EDIT.
+# DO NOT REMOVE THIS FILE!
+# This directory is for post-auth config files
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/pre-auth.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/pre-auth.conf
new file mode 100644
index 0000000000..6a0794e4fc
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/pre-auth.conf
@@ -0,0 +1,3 @@
+# AUTOGENERATED FILE. DO NOT EDIT.
+# DO NOT REMOVE THIS FILE!
+# This directory is for pre-auth config files
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
new file mode 100644
index 0000000000..2a1dc037fd
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
@@ -0,0 +1,6 @@
+{% if helpers.exists('OPNsense.proxy.general.enabled') and OPNsense.proxy.general.enabled|default("0") == "1" %}
+squid_setup="/usr/local/opnsense/scripts/proxy/setup.sh"
+squid_enable="YES"
+{% else %}
+squid_enable="NO"
+{% endif %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/snmp.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/snmp.conf
new file mode 100644
index 0000000000..610e23ca37
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/snmp.conf
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.proxy.forward.snmp_enable') and OPNsense.proxy.forward.snmp_enable == '1' %}
+snmp_port {{ OPNsense.proxy.forward.snmp_port }}
+acl snmppublic snmp_community {{ OPNsense.proxy.forward.snmp_password }}
+snmp_access allow snmppublic
+{% endif %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
new file mode 100644
index 0000000000..b9e1f87873
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
@@ -0,0 +1,248 @@
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
+
+# ALLOW UNRESTRICTED
+# ACL list (Allow) unrestricted
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod allow unrestricted
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod allow unrestricted
+{%   endif %}
+{% endif %}
+http_access allow unrestricted
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
+
+# ACL list (Allow) whitelist
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod allow whiteList
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod allow whiteList
+{%   endif %}
+{% endif %}
+http_access allow whiteList
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
+
+#
+# ACL list (Deny) blacklist
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny blackList
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny blackList
+{%   endif %}
+{% endif %}
+http_access deny blackList
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
+{%   for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
+# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
+{%   endif %}
+{% endif %}
+http_access deny remoteblacklist_{{blacklist.filename}}
+{%   endfor %}
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
+
+# ACL list (Deny) blockuseragent
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny blockuseragents
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny blockuseragents
+{%   endif %}
+{% endif %}
+http_access deny blockuseragents
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
+
+# ACL list (Deny) blockmimetypes
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{%   endif %}
+
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{%   endif %}
+
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{%   endif %}
+
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{%   endif %}
+
+{% endif %}
+http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+
+http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+
+{% endif %}
+
+# Google Suite Filter
+{% if not helpers.empty('OPNsense.proxy.forward.acl.googleapps') %}
+request_header_add X-GoogApps-Allowed-Domains {{OPNsense.proxy.forward.acl.googleapps}}
+{%    endif %}
+
+# YouTube Filter
+{% if helpers.exists('OPNsense.proxy.forward.acl.youtube') and OPNsense.proxy.forward.acl.youtube|default('') != '' %}
+request_header_add YouTube-Restrict {{OPNsense.proxy.forward.acl.youtube}}
+{%    endif %}
+
+# Deny requests to certain unsafe ports
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{%   endif %}
+
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{%   endif %}
+{% endif %}
+
+http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+# Deny CONNECT to other than secure SSL ports
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{%   endif %}
+
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{%   endif %}
+{% endif %}
+
+http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny bannedHosts
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny bannedHosts
+{%   endif %}
+{% endif %}
+http_access deny bannedHosts
+{% endif %}
+
+# Only allow cachemgr access from localhost
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny to_localhost
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny to_localhost
+{%   endif %}
+{% endif %}
+http_access deny to_localhost
+
+{% if helpers.exists('OPNsense.proxy.forward.icap.exclude') %}
+# ACL - Whitelist - User defined (whiteList)
+{%  for element in OPNsense.proxy.forward.icap.exclude.split(",") %}
+{%      if '^' in element or '\\' in element or '$' in element or '[' in element %}
+acl exclude_icap url_regex {{element|encode_idna}}
+{%      else %}
+acl exclude_icap url_regex {{element|encode_idna|replace(".","\.")}}
+{%      endif %}
+{%  endfor %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny exclude_icap
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny exclude_icap
+{%   endif %}
+{% endif %}
+
+# Auth plugins
+include /usr/local/etc/squid/auth/*.conf
+
+#
+# Access Permission configuration:
+#
+# Deny request from unauthorized clients
+{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method != '' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod allow local_auth
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod allow local_auth
+{%   endif %}
+{% endif %}
+http_access allow local_auth
+{% endif %}
+
+#
+# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod allow localnet
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod allow localnet
+{%   endif %}
+{% endif %}
+http_access allow localnet
+
+# ACL - localhost
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod allow localhost
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod allow localhost
+{%   endif %}
+{% endif %}
+http_access allow localhost
+{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
+
+# ACL list (Allow) subnets
+{%   if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod allow subnets
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod allow subnets
+{%   endif %}
+{%   endif %}
+http_access allow subnets
+{% endif %}
+
+# Deny all other access to this proxy
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny all
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny all
+{%   endif %}
+{% endif %}
+http_access deny all
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
new file mode 100644
index 0000000000..4b334cd3f0
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -0,0 +1,487 @@
+#
+# Automatic generated configuration for Squid.
+# Do not edit this file manually.
+#
+
+{# wrap listener configuration for reuse #}
+{% macro listener_config(network, port='3129', tags='', protocol='') -%}
+{%     if protocol == 'ssl' %}
+{%         set listener_type = 'https_port' %}
+{%     else %}
+{%         set listener_type = 'http_port' %}
+{%     endif %}
+{%     set sslparams = '' %}
+{%     if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
+{%         set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %}
+{%     endif %}
+{{listener_type}} {{network}}:{{port}} {{tags}} {{sslparams}}
+{%- endmacro %}
+
+{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
+# Setup transparent mode listeners on loopback interfaces
+{{ listener_config('127.0.0.1', OPNsense.proxy.forward.port, 'intercept') }}
+{{ listener_config('[::1]', OPNsense.proxy.forward.port, 'intercept') }}
+{%     if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
+{{ listener_config('127.0.0.1', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
+{{ listener_config('[::1]', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
+{%     endif %}
+{% endif %}
+
+# Setup regular listeners configuration
+{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
+{%     for interface in OPNsense.proxy.forward.interfaces.split(",") %}
+{%         for intf_key,intf_item in interfaces.items() %}
+{%             if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
+{{ listener_config(intf_item.ipaddr, OPNsense.proxy.forward.port) }}
+{%             endif %}
+{%             if intf_key == interface and intf_item.ipaddrv6 and intf_item.ipaddrv6.find(':') > -1 %}
+{{ listener_config('['+intf_item.ipaddrv6+']', OPNsense.proxy.forward.port) }}
+{%             endif %}
+{%         endfor %}
+{# virtual ip's #}
+{%         if helpers.exists('virtualip') %}
+{%             for intf_item in helpers.toList('virtualip.vip') %}
+{%                 if intf_item.interface == interface and intf_item.mode in ['carp', 'ipalias'] %}
+{%                     if intf_item.subnet.find(':') > -1 %}
+{{ listener_config('['+intf_item.subnet+']', OPNsense.proxy.forward.port) }}
+{%                     else %}
+{{ listener_config(intf_item.subnet, OPNsense.proxy.forward.port) }}
+{%                     endif %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+{%     endfor %}
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
+# setup ssl re-cert
+sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB
+sslcrtd_children {{ OPNsense.proxy.forward.sslcrtd_children|default('5') }}
+
+tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
+
+# setup ssl bump acl's
+acl bump_step1 at_step SslBump1
+acl bump_step2 at_step SslBump2
+acl bump_step3 at_step SslBump3
+acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
+
+# configure bump
+{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
+ssl_bump peek bump_step1 all
+ssl_bump splice all
+ssl_bump peek bump_step2 all
+ssl_bump splice bump_step3 all
+ssl_bump bump
+
+{% else %}
+ssl_bump peek bump_step1 all
+ssl_bump peek bump_step2 bump_nobumpsites
+ssl_bump splice bump_step3 bump_nobumpsites
+ssl_bump stare bump_step2
+ssl_bump bump bump_step3
+{% endif %}
+
+sslproxy_cert_error deny all
+{% endif %}
+
+acl ftp proto FTP
+http_access allow ftp
+
+{% if helpers.exists('OPNsense.proxy.forward.ftpTransparentMode') and OPNsense.proxy.forward.ftpTransparentMode == '1' %}
+# transparent mode, listen on localhost
+ftp_port 127.0.0.1:{{ OPNsense.proxy.forward.ftpPort }} intercept
+ftp_port [::1]:{{ OPNsense.proxy.forward.ftpPort }} intercept
+{% endif %}
+
+# Setup ftp proxy
+{% if helpers.exists('OPNsense.proxy.forward.ftpInterfaces') %}
+{%   for interface in OPNsense.proxy.forward.ftpInterfaces.split(",") %}
+{%      for intf_key,intf_item in interfaces.items() %}
+{%          if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
+ftp_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-track-dirs protocol=HTTP
+{%          endif %}
+{%      endfor %}
+{# virtual ip's #}
+{%      if helpers.exists('virtualip') %}
+{%          for intf_key,intf_item in virtualip.items() %}
+{%              if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
+ftp_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-track-dirs protocol=HTTP
+{%              endif %}
+{%          endfor %}
+{%      endif %}
+{%   endfor %}
+{% endif %}
+
+# Rules allowing access from your local networks.
+# Generated list of (internal) IP networks from where browsing
+# should be allowed. (Allow interface subnets).
+{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
+{%  if helpers.exists('OPNsense.proxy.forward.addACLforInterfaceSubnets') %}
+{%      if OPNsense.proxy.forward.addACLforInterfaceSubnets == '1' %}
+{%      for interface in OPNsense.proxy.forward.interfaces.split(",") %}
+{%          for intf_key,intf_item in interfaces.items() %}
+{%              if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
+acl localnet src {{ helpers.getIPNetwork(intf_item.ipaddr+'/'+intf_item.subnet)[0].format() }}/{{intf_item.subnet}} # Possible internal network (interfaces v4)
+{%              endif %}
+{%              if intf_key == interface and intf_item.ipaddrv6 and intf_item.ipaddrv6.find(':') > -1 %}
+acl localnet src {{helpers.getIPNetwork(intf_item.ipaddrv6+'/'+intf_item.subnetv6)[0].format()}}/{{intf_item.subnetv6}} # Possible internal network (interfaces v6)
+{%		endif %}
+{%          endfor %}
+{%          if helpers.exists('virtualip.vip') %}
+{%              for intf_item in helpers.toList('virtualip.vip') %}
+{%                  if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
+acl localnet src {{intf_item.subnet}}/{{intf_item.subnet_bits}} # Possible internal network (aliases)
+{%                  endif %}
+{%              endfor %}
+{%          endif %}
+{%      endfor %}
+{%      endif %}
+{%  endif %}
+{% endif %}
+# Default allow for local-link and private networks
+acl localnet src fc00::/7       # RFC 4193 local private network range
+acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
+
+# ACL - Allow localhost for PURGE cache if enabled
+{% if helpers.exists('OPNsense.proxy.general.cache.local') and OPNsense.proxy.general.cache.local.enabled == '1' %}
+acl PURGE method PURGE
+http_access allow localhost PURGE
+http_access deny PURGE
+{% endif %}
+
+# ACL lists
+{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
+
+# ACL - Allow Subnets - User defined (subnets)
+{%  for network in OPNsense.proxy.forward.acl.allowedSubnets.split(",") %}
+acl subnets src {{network}}
+{%  endfor %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
+
+# ACL - Unrestricted IPs - User defined (unrestricted)
+{%  for ip in OPNsense.proxy.forward.acl.unrestricted.split(",") %}
+acl unrestricted src {{ip}}
+{%  endfor %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
+
+# ACL - Banned Hosts - User defined (bannedHosts)
+{%  for ip in OPNsense.proxy.forward.acl.bannedHosts.split(",") %}
+acl bannedHosts src {{ip}}
+{%  endfor %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
+# ACL - Whitelist - User defined (whiteList)
+{%  for element in OPNsense.proxy.forward.acl.whiteList.split(",") %}
+{%      if '^' in element or '\\' in element or '$' in element or '[' in element %}
+acl whiteList url_regex {{element|encode_idna}}
+{%      else %}
+acl whiteList url_regex {{element|encode_idna|replace(".","\.")}}
+{%      endif %}
+{%  endfor %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
+
+# ACL - Blacklist - User defined (blackList)
+{%  for element in OPNsense.proxy.forward.acl.blackList.split(",") %}
+{%      if '^' in element or '\\' in element or '$' in element or '[' in element %}
+acl blackList url_regex {{element|encode_idna}}
+{%      else %}
+acl blackList url_regex {{element|encode_idna|replace(".","\.")}}
+{%      endif %}
+{%  endfor %}
+{% endif %}
+
+# ACL - Remote fetched Blacklist (remoteblacklist)
+{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
+{%   for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') %}
+{%      if blacklist.enabled=='1' %}
+acl remoteblacklist_{{blacklist.filename}} dstdomain "/usr/local/etc/squid/acl/{{blacklist.filename}}"
+{%      endif %}
+{%   endfor %}
+{% endif %}
+
+# ACL - Block browser/user-agent - User defined (browser)
+{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
+{%  for element in OPNsense.proxy.forward.acl.browser.split(",") %}
+acl blockuseragents browser {{element}}
+{%  endfor %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
+
+# ACL - Block MIME types - User defined (mimetype)
+{%  for element in OPNsense.proxy.forward.acl.mimeType.split(",") %}
+acl blockmimetypes rep_mime_type {{element}}
+acl blockmimetypes_requests req_mime_type {{element}}
+{%  endfor %}
+{% endif %}
+
+# ACL - SSL ports, default are configured in config.xml
+# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
+{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
+{%  for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
+acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
+{%  endfor %}
+{% endif %}
+
+# Default Safe ports are now defined in config.xml
+# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
+{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
+# ACL - Safe_ports
+{%  for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
+acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
+{%  endfor %}
+{% endif %}
+acl CONNECT method CONNECT
+
+# ICAP SETTINGS
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+# enable icap
+icap_enable on
+{%   if helpers.exists('OPNsense.proxy.forward.icap.OptionsTTL') %}
+icap_default_options_ttl {{OPNsense.proxy.forward.icap.OptionsTTL}}
+{%   endif %}
+
+# send user information to the icap server
+{%   if helpers.exists('OPNsense.proxy.forward.icap.SendClientIP') and OPNsense.proxy.forward.icap.SendClientIP == '1' %}
+adaptation_send_client_ip on
+{%   else %}
+adaptation_send_client_ip off
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
+adaptation_send_username on
+{%   else %}
+adaptation_send_username off
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.EncodeUsername') and OPNsense.proxy.forward.icap.EncodeUsername == '1' %}
+icap_client_username_encode on
+{%   else %}
+icap_client_username_encode off
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.UsernameHeader') and OPNsense.proxy.forward.icap.UsernameHeader != '' %}
+icap_client_username_header {{OPNsense.proxy.forward.icap.UsernameHeader}}
+{%   endif %}
+
+# preview
+{%   if helpers.exists('OPNsense.proxy.forward.icap.EnablePreview') and OPNsense.proxy.forward.icap.EnablePreview == '1' %}
+icap_preview_enable on
+{%   else %}
+icap_preview_enable off
+{%   endif %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.PreviewSize') %}
+icap_preview_size {{OPNsense.proxy.forward.icap.PreviewSize}}
+{%   endif %}
+
+# add the servers
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+icap_service response_mod respmod_precache {{OPNsense.proxy.forward.icap.ResponseURL}}
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+icap_service request_mod reqmod_precache {{OPNsense.proxy.forward.icap.RequestURL}}
+{%   endif %}
+
+{% else %}
+# disable icap
+icap_enable off
+{% endif %}
+
+# Pre-auth plugins
+include /usr/local/etc/squid/pre-auth/*.conf
+
+# Authentication Settings
+{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and  OPNsense.proxy.forward.authentication.method != '' %}
+{% include ['OPNsense/Proxy/squid.user.alt_auth.conf', 'OPNsense/Proxy/squid.user.local_auth.conf'] %}
+{% endif %}
+
+{% include "OPNsense/Proxy/squid.acl.conf" ignore missing with context %}
+
+# Post-auth plugins
+include /usr/local/etc/squid/post-auth/*.conf
+
+# Caching settings
+{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
+{%  if OPNsense.proxy.general.cache.local.cache_mem|default('256')|int == 0 and OPNsense.proxy.general.cache.local.enabled == '0' %}
+cache deny all
+cache_mem 0
+{%  else %}
+cache_mem {{ OPNsense.proxy.general.cache.local.cache_mem|default('256') }} MB
+{%   if OPNsense.proxy.general.cache.local.maximum_object_size|default('') != '' %}
+maximum_object_size {{OPNsense.proxy.general.cache.local.maximum_object_size}} MB
+{%    if OPNsense.proxy.general.cache.local.maximum_object_size|int > 4 %}
+cache_replacement_policy heap LFUDA
+{%    endif %}
+{%   endif %}
+{%  if OPNsense.proxy.general.cache.local.maximum_object_size_in_memory|default('') != '' %}
+maximum_object_size_in_memory {{OPNsense.proxy.general.cache.local.maximum_object_size_in_memory}} KB
+{%  endif %}
+{%  if OPNsense.proxy.general.cache.local.memory_cache_mode|default('always') != 'always' %}
+memory_cache_mode {{OPNsense.proxy.general.cache.local.memory_cache_mode}}
+{%  endif %}
+{%   if OPNsense.proxy.general.cache.local.enabled == '1' %}
+cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
+{%   endif %}
+{%  endif %}
+{% endif %}
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/squid/cache
+
+#
+# Add any of your own refresh_pattern entries above these.
+#
+
+{% if helpers.exists('OPNsense.proxy.general.cache.local.cache_linux_packages') and OPNsense.proxy.general.cache.local.cache_linux_packages == '1' %}
+# Linux package cache:
+refresh_pattern pkg\.tar\.zst$  0       20%     4320 refresh-ims
+refresh_pattern d?rpm$          0       20%     4320 refresh-ims
+refresh_pattern deb$            0       20%     4320 refresh-ims
+refresh_pattern udeb$           0       20%     4320 refresh-ims
+refresh_pattern Packages\.bz2$  0       20%     4320 refresh-ims
+refresh_pattern Sources\.bz2$   0       20%     4320 refresh-ims
+refresh_pattern Release\.gpg$   0       20%     4320 refresh-ims
+refresh_pattern Release$        0       20%     4320 refresh-ims
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.cache.local.cache_windows_updates') and OPNsense.proxy.general.cache.local.cache_windows_updates == '1' %}
+# http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
+refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd)     4320 80% 129600 reload-into-ims
+refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
+refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd)       4320 80% 129600 reload-into-ims
+{% endif %}
+
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320
+
+# Squid Options
+{% if helpers.empty('OPNsense.proxy.general.enablePinger') %}
+pinger_enable off
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.logging.enable.accessLog') %}
+{%      if OPNsense.proxy.general.logging.enable.accessLog == '0' %}
+# Disable access logging
+access_log none
+{%      else %}
+{%          if OPNsense.proxy.general.logging.ignoreLogACL|default('') != '' %}
+# ignore source hosts from access.log
+acl accesslog_ignore src {{ OPNsense.proxy.general.logging.ignoreLogACL.replace(',', ' ') }}
+{%          endif %}
+{%          if OPNsense.proxy.general.logging.target|default('') == 'syslog' %}
+access_log syslog:local4.info {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
+{%          elif OPNsense.proxy.general.logging.target|default('') == 'file_extendend' %}
+logformat opnsense      %>a %[ui %>eui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+access_log stdio:/var/log/squid/access.log opnsense {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
+{%          elif OPNsense.proxy.general.logging.target|default('') in ('file_json', 'syslog_json') %}
+logformat opnsense {% raw %} {"@timestamp":"%{%Y-%m-%dT%H:%M:%S%z}tg","ecs":{"version":"1.0.0"},"event":{"id":"%{X-Request-Event-Id}>ha","dataset":"squid.access","duration":"%tr"},"http":{"version":"%rv","request":{"method":"%rm","referrer":"%{Referer}>h"},"response":{"bytes": %<st, "body":{"status_code": %>Hs}}},"host":{"hostname":"%>A"},"service":{"name":"proxy","type":"squid"},"source":{"ip":"%>a"},"url":{"original":"%ru"},"user":{"name":"%un"},"user_agent":{"original":"%{User-Agent}>h"},"labels":{"request_status":"%Ss","hierarchy_status":"%Sh"},"message":"%rm %ru HTTP/%rv"} {% endraw %}
+
+{%              if  OPNsense.proxy.general.logging.target == 'file_json'%}
+access_log stdio:/var/log/squid/access.log opnsense {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
+{%              else %}
+access_log syslog:local4.info opnsense {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
+{%              endif %}
+{%          else %}
+access_log stdio:/var/log/squid/access.log squid {% if not helpers.empty('OPNsense.proxy.general.logging.ignoreLogACL') %}!accesslog_ignore {% endif %}
+{%          endif %}
+{%      endif %}
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.general.logging.enable.storeLog') %}
+{%      if OPNsense.proxy.general.logging.enable.storeLog == '0' %}
+# Disable cache store log
+cache_store_log none
+{%      else %}
+cache_store_log stdio:/var/log/squid/store.log
+{%      endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.alternateDNSservers' ) %}
+{%   for dns in OPNsense.proxy.general.alternateDNSservers.split(",") %}
+dns_nameservers {{dns}}
+{%   endfor %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.useViaHeader') %}
+{%      if OPNsense.proxy.general.useViaHeader == '0' %}
+# Disable via Header
+via off
+{%      endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.suppressVersion') %}
+{%      if OPNsense.proxy.general.suppressVersion == '1' %}
+# Suppress http version string (default=off)
+httpd_suppress_version_string on
+{%      endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.icpPort') %}
+{%      if OPNsense.proxy.general.icpPort != '' %}
+icp_port {{OPNsense.proxy.general.icpPort}}
+{%      endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.uriWhitespaceHandling') %}
+# URI handling with Whitespaces (default=strip)
+uri_whitespace {{OPNsense.proxy.general.uriWhitespaceHandling}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.forwardedForHandling') %}
+# X-Forwarded header handling (default=on)
+forwarded_for {{OPNsense.proxy.general.forwardedForHandling}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.traffic.enabled') and OPNsense.proxy.general.traffic.enabled == '1' %}
+{%  if helpers.exists('OPNsense.proxy.general.traffic.maxDownloadSize') %}
+# Define max download size
+reply_body_max_size {{OPNsense.proxy.general.traffic.maxDownloadSize}} KB
+{%  endif %}
+{%  if helpers.exists('OPNsense.proxy.general.traffic.maxUploadSize') %}
+# Define max upload size
+request_body_max_size {{OPNsense.proxy.general.traffic.maxUploadSize}} KB
+{%  endif %}
+{%  if helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
+delay_pools 1
+delay_class 1 3
+delay_access 1 allow all
+{%      if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') %}
+# Define PerHost and Overall Bandwidth Trotteling
+delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}} -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
+{%      else %}
+# Define PerHost Trotteling
+delay_parameters -1/-1 {{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.perHostTrotteling|int // 8 * 1000}}
+{%      endif %}
+{%  endif %}
+{%  if helpers.exists('OPNsense.proxy.general.traffic.OverallBandwidthTrotteling') and not helpers.exists('OPNsense.proxy.general.traffic.perHostTrotteling') %}
+# Define Overall Bandwidth Trotteling
+delay_pools 1
+delay_class 1 1
+delay_access 1 allow all
+delay_parameters 1 {{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}/{{OPNsense.proxy.general.traffic.OverallBandwidthTrotteling|int // 8 * 1000}}
+{%  endif %}
+{% endif %}
+# Disable squid logfile rotate to use system defaults
+logfile_rotate 0
+{% if helpers.exists('OPNsense.proxy.general.VisibleHostname') %}
+# Define visible hostname
+visible_hostname {{OPNsense.proxy.general.VisibleHostname}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.general.VisibleEmail') %}
+# Define visible email
+cache_mgr {{OPNsense.proxy.general.VisibleEmail}}
+{% endif %}
+{% if not helpers.empty('OPNsense.proxy.general.connecttimeout') %}
+# Set connection timeout
+connect_timeout {{OPNsense.proxy.general.connecttimeout}} seconds
+{% endif %}
+
+# Set error directory language
+{% set lang = namespace(dirs = [], done = false) %}
+{% if not helpers.empty('OPNsense.proxy.general.error_pages') %}
+{%   do lang.dirs.append('/usr/local/etc/squid/errors/local') %}
+{% elif helpers.exists('system.language') and system.language != "" %}
+{%   set langdir = system.language|lower|replace('_', '-') %}
+{%   do lang.dirs.append('/usr/local/share/squid-langpack/' + langdir) %}
+{%   do lang.dirs.append('/usr/local/share/squid-langpack/' + langdir[:2]) %}
+{% endif %}
+{% do lang.dirs.append('/usr/local/share/squid-langpack/en') %}
+{% for langdir in lang.dirs %}
+{%   if not lang.done and helpers.file_exists(langdir) %}
+{%     set lang.done = true %}
+error_directory {{ langdir }}
+{%   endif %}
+{% endfor %}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.pam b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.pam
new file mode 100644
index 0000000000..eee0a90568
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.pam
@@ -0,0 +1,5 @@
+# auth
+auth		sufficient	pam_opnsense.so
+
+# account
+account		sufficient	pam_opnsense.so
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
new file mode 100644
index 0000000000..7cd8e8c5ab
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.user.local_auth.conf
@@ -0,0 +1,13 @@
+# Configure Local User Authentication helper
+auth_param basic program /usr/local/libexec/squid/basic_pam_auth -o
+{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
+auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.authentication.credentialsttl') %}
+auth_param basic credentialsttl {{OPNsense.proxy.forward.authentication.credentialsttl}} hours
+{% endif %}
+{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
+auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
+{% endif %}
+# ACL - Local Authorized Users - local_auth
+acl local_auth proxy_auth REQUIRED
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/wpad.dat b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/wpad.dat
new file mode 100644
index 0000000000..cd4aeaabc1
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/wpad.dat
@@ -0,0 +1,104 @@
+/*
+  PAC file created via OPNsense
+  To use this file you have to enter its URL into your browsers network settings.
+*/
+function FindProxyForURL(url, host) {
+{% if helpers.exists('OPNsense.proxy.pac.rule') %}
+{# define only if needed as because of performance issues #}
+{% set data = {'dl' : '', 'dstip' : '', 'is_resolvable' : '' } %}
+{% set dstip = '' %}
+{% set is_resolvable = '' %}
+{% for match in helpers.toList('OPNsense.proxy.pac.match') %}
+{%   if match.match_type == 'dns_domain_levels' %}
+{%     do data.update({ 'dl': 'var dl =  dnsDomainLevels(host);'}) %}
+{%   endif %}
+{%   if match.match_type == 'dns_domain_levels' or match.match_type == 'destination_in_net' %}
+{%     do data.update({ 'dstip': 'var dstip = dnsResolve(host);'}) %}
+{%   endif %}
+{%   if match.match_type == 'is_resolvable' %}
+{%     do data.update({ 'is_resolvable': 'var is_resolvable = isResolvable(host);'}) %}
+{%   endif %}
+{% endfor %}
+{{ data.values()|join("\n") }}
+
+{% if helpers.exists('OPNsense.proxy.pac.rule') %}
+{%   for rule in helpers.toList('OPNsense.proxy.pac.rule') %}
+{%     if not rule.enabled == '1' %}
+{%       continue %}
+{%     endif %}
+{%     set expression = [] %}
+{# Join type is used to join the checks of the if statement #}
+{%     set join_type = ' && ' %}
+{%     if rule.join_type == 'or' %}
+{%       set join_type = ' || ' %}
+{%     endif %}
+{%     for match_uuid in rule.matches.split(',') %}
+{%       set match = helpers.getUUID(match_uuid) %}
+{#       be sure it has not been deleted yet #}
+{%       if match != None %}
+{%         set match_script = '(' %}
+{%         if match.negate == '1' %}
+{%           set match_script = match_script + '!' %}
+{%         endif %}
+{%         if match.match_type == 'url_matches' %}
+{%           set match_script = match_script + 'shExpMatch(url, "' + match.url + '")' %}
+{%         endif %}
+{%         if match.match_type == 'hostname_matches' %}
+{%           set match_script = match_script + 'shExpMatch(host, "' + match.hostname + '")' %}
+{%         endif %}
+{%         if match.match_type == 'dns_domain_is' %}
+{%           set match_script = match_script + 'dnsDomainIs(host, "' + match.hostname + '")' %}
+{%         endif %}
+{%         if match.match_type == 'destination_in_net' %}
+{%           set tmp_net = helpers.getIPNetwork(match.network) %}
+{%           set match_script = match_script + 'isInNet(dstip, "' + tmp_net.network.__str__() + '", "' + tmp_net.netmask.__str__() + '")' %}
+{%         endif %}
+{%         if match.match_type == 'my_ip_in_net' %}
+{%           set tmp_net = helpers.getIPNetwork(match.network) %}
+{%           set match_script = match_script + 'isInNet(myIpAddress(), "' + tmp_net.network.__str__() + '", "' + tmp_net.netmask.__str__() + '")' %}
+{%         endif %}
+{%         if match.match_type == 'plain_hostname' %}
+{%           set match_script = match_script + 'isPlainHostName(host)' %}
+{%         endif %}
+{%         if match.match_type == 'is_resolvable' %}
+{%           set match_script = match_script + 'is_resolvable' %}
+{%         endif %}
+{%         if match.match_type == 'dns_domain_levels' %}
+{%           set match_script = match_script + '(' + match.domain_level_from + ' <= dl) && (' + match.domain_level_to + ' >= dl)' %}
+{%         endif %}
+{%         if match.match_type == 'weekday_range' %}
+{%           set match_script = match_script + 'weekdayRange("' + match.weekday_from + '", "' + match.weekday_to + '")' %}
+{%         endif %}
+{%         if match.match_type == 'date_range' %}
+{%           set match_script = match_script + 'dateRange("' + match.date_from + '", "' + match.date_to + '")' %}
+{%         endif %}
+{%         if match.match_type == 'time_range' %}
+{%           set match_script = match_script + 'timeRange(' + match.time_from + ', ' + match.time_to + ')' %}
+{%         endif %}
+{%         set match_script = match_script + ')' %}
+{%         do expression.append(match_script) %}
+{%       endif %}
+{%     endfor %}
+if ({% if rule.match_type == 'unless' %}!{% endif %}({{ expression|join(join_type) }})) {
+{%     set proxylist = [] %}
+{%     for proxy_uuid in rule.proxies.split(',') %}
+{%       set proxy = helpers.getUUID(proxy_uuid) %}
+{%       if proxy != None %}
+{%         if proxy.proxy_type == 'DIRECT' %}
+{%           do proxylist.append("DIRECT") %}
+{%         else %}
+{%           do proxylist.append(proxy.proxy_type + ' ' + proxy.url) %}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+return "{{ proxylist|join(';') }}";
+}
+{%   endfor %}
+{% else %}
+/* no rules active or defined*/
+{% endif %}
+
+{% endif %}
+   // If no rule exists - use a direct connection
+   return "DIRECT";
+}
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf b/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
new file mode 100644
index 0000000000..0f742e2a14
--- /dev/null
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [squid_access].
+###################################################################
+filter f_local_squid_access {
+    program("(squid-1)");
+};

From 8e65fdc09f8f0a2158e048504058e49da65fa237 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Dec 2023 15:23:38 +0100
Subject: [PATCH 1685/3088] LICENSE: sync and fix Jos' mail address

---
 LICENSE                                                         | 2 +-
 .../controllers/OPNsense/Quagga/Api/Ospf6settingsController.php | 2 +-
 .../mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/LICENSE b/LICENSE
index a2ba1d66bc..54c5ba4521 100644
--- a/LICENSE
+++ b/LICENSE
@@ -27,7 +27,7 @@ Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021-2023 Jan Winkler
 Copyright (c) 2023 Jeremy Gutierrez
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
-Copyright (c) 2015 Jos Schellevis
+Copyright (c) 2015 Jos Schellevis <jos@opnsense.org>
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019-2022 Juergen Kellerer
 Copyright (c) 2020-2021 Manuel Faux
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
index 5c35e9ff13..0046b5df7a 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
@@ -2,7 +2,7 @@
 
 /*
  *    Copyright (C) 2015-2017 Deciso B.V.
- *    Copyright (C) 2015 Jos Schellevis
+ *    Copyright (C) 2015 Jos Schellevis <jos@opnsense.org>
  *    Copyright (C) 2017 Fabian Franz
  *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
  *    All rights reserved.
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
index 2a36f3ab6e..b87068681e 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
@@ -2,7 +2,7 @@
 
 /*
  * Copyright (C) 2017 Fabian Franz
- * Copyright (C) 2015 Jos Schellevis
+ * Copyright (C) 2015 Jos Schellevis <jos@opnsense.org>
  * Copyright (C) 2015-2017 Deciso B.V.
  * All rights reserved.
  *

From 8636a1f883c62907508a44eb96e7b55243772215 Mon Sep 17 00:00:00 2001
From: Liam Steckler <553265+buckbanzai@users.noreply.github.com>
Date: Tue, 19 Dec 2023 16:11:17 -0800
Subject: [PATCH 1686/3088] Add support for Bunny DNS API

---
 security/acme-client/pkg-descr                |  4 ++
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsBunny.php      | 43 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 4 files changed, 61 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsBunny.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index b0adf45c98..1c99960d9d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,10 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+3.20
+Added:
+* add Bunny DNS API
+
 3.19
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 195f519f7b..c0f26f73bc 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -226,6 +226,16 @@
         <label>Client Secret</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Bunny</label>
+        <type>header</type>
+        <style>table_dns table_dns_bunny</style>
+    </field>
+    <field>
+        <id>validation.dns_bunny_api_key</id>
+        <label>API Key</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Cloudflare</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsBunny.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsBunny.php
new file mode 100644
index 0000000000..092d621609
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsBunny.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Liam Steckler <liam@liamsteckler.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Bunny DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsBunny extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['BUNNY_API_KEY'] = (string)$this->config->dns_bunny_api_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 7f80fb1647..82c4d397ef 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -429,6 +429,7 @@
                         <dns_autodns>AutoDNS (InterNetX)</dns_autodns>
                         <dns_aws>AWS Route 53</dns_aws>
                         <dns_azure>Azure DNS</dns_azure>
+                        <dns_bunny>Bunny</dns_bunny>
                         <dns_cloudns>ClouDNS</dns_cloudns>
                         <dns_cf>CloudFlare.com</dns_cf>
                         <dns_cx>CloudXNS.com</dns_cx>
@@ -558,6 +559,9 @@
                 <dns_azuredns_clientsecret type="TextField">
                     <Required>N</Required>
                 </dns_azuredns_clientsecret>
+                <dns_bunny_api_key type="TextField">
+                    <Required>N</Required>
+                </dns_bunny_api_key>
                 <dns_cf_email type="TextField">
                     <Required>N</Required>
                 </dns_cf_email>

From 1a1630b875af10a7f928470acc6df1ae022e9851 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 20 Dec 2023 15:28:04 +0100
Subject: [PATCH 1687/3088] net/haproxy: add support for forwarded header
 (RFC7239)

---
 net/haproxy/pkg-descr                           |  1 +
 .../OPNsense/HAProxy/forms/dialogBackend.xml    | 15 +++++++++++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 17 +++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf     |  9 +++++++++
 4 files changed, 42 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index e0f6044fee..056cc01d92 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -8,6 +8,7 @@ Plugin Changelog
 
 Added:
 * add support for built-in OCSP update feature
+* add support for forwarded header (RFC7239)
 
 Fixed:
 * fix typo in cert sync script
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index c7babd3a7a..5895c1013a 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -173,6 +173,21 @@
         <sortable>true</sortable>
         <help><![CDATA[When using the TLS ALPN extension, HAProxy advertises the specified protocol list as supported on top of ALPN. TLS must be enabled.]]></help>
     </field>
+    <field>
+        <id>backend.forwardedHeader</id>
+        <label>Forwarded header (RFC7239)</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable insertion of the RFC7239 forwarded header in requests sent to servers.]]></help>
+    </field>
+    <field>
+        <id>backend.forwardedHeaderParameters</id>
+        <label>Forwarded header parameters</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <sortable>true</sortable>
+        <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
+    </field>
     <field>
         <label>Persistence</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 5c42f7c201..c4eff76bc2 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1053,6 +1053,23 @@
                         <http10>HTTP/1.0</http10>
                     </OptionValues>
                 </ba_advertised_protocols>
+                <forwardedHeader type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </forwardedHeader>
+                <forwardedHeaderParameters type="OptionField">
+                    <Required>N</Required>
+                    <Sorted>Y</Sorted>
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <proto>proto</proto>
+                        <host>host</host>
+                        <by>by</by>
+                        <by_port>by_port</by_port>
+                        <for>for</for>
+                        <for_port>for_port</for_port>
+                    </OptionValues>
+                </forwardedHeaderParameters>
                 <persistence type="OptionField">
                     <Required>N</Required>
                     <default>sticktable</default>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index bcfc4c6e26..19b5c50ea1 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1686,6 +1686,15 @@ backend {{backend.name}}
 {%       if backend.tuning_httpreuse|default("") != "" and backend.mode == "http" %}
     http-reuse {{backend.tuning_httpreuse}}
 {%       endif %}
+{%       if backend.forwardedHeader == '1' and backend.mode == 'http' %}
+{%         set forwarded_params = [] %}
+{%         if backend.forwardedHeaderParameters|default("") != "" %}
+{%           for fwd_param in backend.forwardedHeaderParameters.split(",") %}
+{%             do forwarded_params.append(fwd_param) %}
+{%           endfor %}
+{%         endif %}
+    option forwarded {{forwarded_params|join(' ')}}
+{%       endif %}
 {%       if helpers.exists('OPNsense.HAProxy.general.cache') and OPNsense.HAProxy.general.cache.enabled|default("") == "1" and backend.tuning_caching|default("") == "1" and backend.mode == "http" %}
     http-request cache-use opnsense-haproxy-cache
     http-response cache-store opnsense-haproxy-cache

From 79aec1ccb4b02227e2d32625802adfb95b426d8a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 20 Dec 2023 15:46:16 +0100
Subject: [PATCH 1688/3088] net/haproxy: add forwardfor option to backend
 settings

---
 net/haproxy/pkg-descr                                       | 4 ++++
 .../controllers/OPNsense/HAProxy/forms/dialogBackend.xml    | 6 ++++++
 .../controllers/OPNsense/HAProxy/forms/dialogFrontend.xml   | 4 ++--
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 5 +++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf         | 3 +++
 5 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 056cc01d92..da3d9d987a 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 Added:
 * add support for built-in OCSP update feature
 * add support for forwarded header (RFC7239)
+* add option "X-Forwarded-For Header" to backend settings
 
 Fixed:
 * fix typo in cert sync script
@@ -17,6 +18,9 @@ Changed:
 * move OCSP settings from "Service" to "Global" section
 * replace bundled haproxyctl library with haproxy-cli
 
+Deprecated:
+* frontend option "X-Forwarded-For Header" (the backend option should be used)
+
 Removed:
 * remove OSCP update cron job
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 5895c1013a..73bb33ce61 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -188,6 +188,12 @@
         <sortable>true</sortable>
         <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
     </field>
+    <field>
+        <id>backend.forwardFor</id>
+        <label>X-Forwarded-For header</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable insertion of the X-Forwarded-For header to requests sent to servers.]]></help>
+    </field>
     <field>
         <label>Persistence</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 2a4c492a52..d21e258f9b 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -207,9 +207,9 @@
     </field>
     <field>
         <id>frontend.forwardFor</id>
-        <label>X-Forwarded-For header</label>
+        <label>X-Forwarded-For (DEPRECATED)</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable insertion of the X-Forwarded-For header to requests sent to servers.]]></help>
+        <help><![CDATA[This option is DEPRECATED and should no longer be used. A new option is available in backend pool settings.]]></help>
     </field>
     <field>
         <id>frontend.prometheus_enabled</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index c4eff76bc2..01e1eb4deb 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -814,6 +814,7 @@
                         <http10>HTTP/1.0</http10>
                     </OptionValues>
                 </advertised_protocols>
+                <!-- XXX: deprecated option (scheduled removal in os-haproxy 5.0) -->
                 <forwardFor type="BooleanField">
                     <default>0</default>
                     <Required>Y</Required>
@@ -1053,6 +1054,10 @@
                         <http10>HTTP/1.0</http10>
                     </OptionValues>
                 </ba_advertised_protocols>
+                <forwardFor type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </forwardFor>
                 <forwardedHeader type="BooleanField">
                     <default>0</default>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 19b5c50ea1..13754b1116 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1695,6 +1695,9 @@ backend {{backend.name}}
 {%         endif %}
     option forwarded {{forwarded_params|join(' ')}}
 {%       endif %}
+{%       if backend.forwardFor == '1' and backend.mode == 'http' %}
+    option forwardfor
+{%       endif %}
 {%       if helpers.exists('OPNsense.HAProxy.general.cache') and OPNsense.HAProxy.general.cache.enabled|default("") == "1" and backend.tuning_caching|default("") == "1" and backend.mode == "http" %}
     http-request cache-use opnsense-haproxy-cache
     http-response cache-store opnsense-haproxy-cache

From 0da31a9e95caba60bc1317509ded87ba38b1771b Mon Sep 17 00:00:00 2001
From: bernhardfrenking <58109356+bernhardfrenking@users.noreply.github.com>
Date: Tue, 26 Dec 2023 11:21:37 +0100
Subject: [PATCH 1689/3088] dns/ddclient: add native service Domeneshop (#3714)

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 .../ddclient/lib/account/domeneshop.py        | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
new file mode 100644
index 0000000000..2448cd5092
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
@@ -0,0 +1,93 @@
+"""
+    Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+    ----------------------------------------------------------------------------------------------------
+    Domeneshop DNS updater
+    Token should be set via the username field
+    Secret should be set via the password field
+"""
+import syslog
+import requests
+from requests.auth import HTTPBasicAuth
+from . import BaseAccount
+
+
+class Domeneshop(BaseAccount):
+
+    _services = {
+        'domeneshop': 'api.domeneshop.no'
+    }
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return  Domeneshop._services.keys()
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in Domeneshop._services
+
+    def execute(self):
+        if super().execute():
+            hostnames = self.settings.get('hostnames')
+            
+            # DNS update request using the "IP update protocol"
+            url = f'https://api.domeneshop.no/v0/dyndns/update?hostnames={hostnames}&myip={str(self.current_address)}'
+            req_opts = {
+                'url': url,
+                'auth': HTTPBasicAuth(self.settings.get('username'), self.settings.get('password')),
+                'headers': {
+                    'User-Agent': 'OPNsense-dyndns'
+                }
+            }
+            response = requests.get(**req_opts)            
+            
+            # Parse response and update state and log
+            if response.status_code is 204:
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s set new ip %s [%s] for %s" % (self.description, self.current_address, response.text.strip(), hostnames)
+                    )
+                self.update_state(address=self.current_address, status=response.text.split()[0] if response.text else '')
+                return True
+            elif response.status_code is 404:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s failed to set new ip %s [%d - %s], because %s could not be found" % (
+                        self.description, self.current_address, response.status_code, response.text.replace('\n', ''), hostnames
+                    )
+                )
+            else:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s failed to set new ip %s [%d - %s] for %s" % (
+                        self.description, self.current_address, response.status_code, response.text.replace('\n', ''), hostnames
+                    )
+                )
+
+        return False

From a186956c52eb5716b92f28a99177e46e6457a547 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 26 Dec 2023 12:38:23 +0100
Subject: [PATCH 1690/3088] security/stunnel - fix regression caused by changed
 parent save() method
 (https://github.com/opnsense/core/commit/e36123c99f4ff2a518a927f1807be51186f78577)

---
 security/stunnel/Makefile                                     | 2 +-
 .../controllers/OPNsense/Stunnel/Api/ServicesController.php   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index d771947df2..a7e42ae0dc 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		1.0.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
index 0083aec567..5db04eb871 100644
--- a/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
+++ b/security/stunnel/src/opnsense/mvc/app/controllers/OPNsense/Stunnel/Api/ServicesController.php
@@ -35,7 +35,7 @@ class ServicesController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'stunnel';
     protected static $internalModelClass = 'OPNsense\Stunnel\Stunnel';
 
-    protected function save()
+    protected function save($validateFullModel = false, $disable_validation = false)
     {
         // hook service enable status on enabled tunnels
         $this->getModel()->general->enabled = "0";
@@ -45,7 +45,7 @@ protected function save()
                 break;
             }
         }
-        return parent::save();
+        return parent::save($validateFullModel, $disable_validation);
     }
 
     public function searchItemAction()

From 785893d347b8108aa6a92d8415c60e9c8eb7e0a2 Mon Sep 17 00:00:00 2001
From: Michael Leinartas <mleinartas@gmail.com>
Date: Tue, 26 Dec 2023 12:37:32 -0600
Subject: [PATCH 1691/3088] Add EasyDNS support to acme-client

---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsEasydns.php    | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 195f519f7b..4731b47e8b 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1386,6 +1386,21 @@
         <id>validation.dns_schlundtech_password</id>
         <label>Password</label>
         <type>password</type>
+    </field>
+     <field>
+        <label>EasyDNS</label>
+        <type>header</type>
+        <style>table_dns table_dns_easydns</style>
+    </field>
+    <field>
+        <id>validation.dns_easydns_apitoken</id>
+        <label>API Token</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_easydns_apikey</id>
+        <label>Api Key</label>
+        <type>password</type>
     </field>
     <field>
         <label>EUserv</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php
new file mode 100644
index 0000000000..59d4a759ad
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2023 mleinart
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Selfhost API
+ * @package OPNsense\AcmeClient
+ */
+class DnsEasydns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env[EASYDNS_Key] = (string)$this->config->dns_easydns_apikey;
+        $this->acme_env[EASYDNS_Token] = (string)$this->config->dns_easydns_apitoken;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 7f80fb1647..cade8f5c82 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -451,6 +451,7 @@
                         <dns_dyn>Dyn Managed</dns_dyn>
                         <dns_dynu>Dynu</dns_dynu>
                         <dns_dynv6>dynv6</dns_dynv6>
+                        <dns_easydns>EasyDNS</dns_easydns>
                         <dns_euserv>EUserv</dns_euserv>
                         <dns_freedns>FreeDNS</dns_freedns>
                         <dns_gandi_livedns>Gandi LiveDNS</dns_gandi_livedns>
@@ -1071,6 +1072,12 @@
                 <dns_schlundtech_password type="TextField">
                     <Required>N</Required>
                 </dns_schlundtech_password>
+                <dns_easydns_apitoken type="TextField">
+                    <Required>N</Required>
+                </dns_easydns_apitoken>
+                <dns_easydns_apikey type="TextField">
+                    <Required>N</Required>
+                </dns_easydns_apikey>
                 <dns_euserv_user type="TextField">
                     <Required>N</Required>
                 </dns_euserv_user>

From f6f324891261d8a1f75eeb0cd9bb0736e7a4403a Mon Sep 17 00:00:00 2001
From: Russ Kubes <rkubes@users.noreply.github.com>
Date: Thu, 28 Dec 2023 02:44:06 -0500
Subject: [PATCH 1692/3088] sysutils/smart: add word break to ident in widget
 (#3726)

Add word-breaking to the "Ident" column of the SMART Dashboard widget, to prevent long device names from causing the table to extend outside of the widget's div.
---
 sysutils/smart/src/www/widgets/widgets/smart_status.widget.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php b/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php
index 52d951f5fe..976be530d1 100644
--- a/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php
+++ b/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php
@@ -64,7 +64,7 @@
 
     <tr>
       <td><?= html_safe($dev->device) ?></td>
-      <td><?= html_safe($dev->ident) ?></td>
+      <td style="word-break: break-word;"><?= html_safe($dev->ident) ?></td>
       <td><span class="label label-<?= $color ?>"><?= html_safe($dev_state_translated) ?></span></td>
     </tr>
 

From a57e2a3ccd00f721401d1b3cc7890c3493bf0502 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 28 Dec 2023 22:00:04 +0100
Subject: [PATCH 1693/3088] net/haproxy: adjust HTTP/2 settings to adopt
 HAProxy 2.8 defaults

---
 net/haproxy/pkg-descr                                         | 2 ++
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml  | 4 ++--
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf  | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index da3d9d987a..18eeccabac 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -15,6 +15,8 @@ Fixed:
 * fix typo in cert sync script
 
 Changed:
+* change default for HTTP/2 to enabled (only new frontends/backends)
+* add "no-alpn" option if HTTP/2 is not enabled (TLS-enabled frontends)
 * move OCSP settings from "Service" to "Global" section
 * replace bundled haproxyctl library with haproxy-cli
 
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 01e1eb4deb..ed8670c42e 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -796,7 +796,7 @@
                     <Required>N</Required>
                 </stickiness_bytesOutRatePeriod>
                 <http2Enabled type="BooleanField">
-                    <default>0</default>
+                    <default>1</default>
                     <Required>N</Required>
                 </http2Enabled>
                 <http2Enabled_nontls type="BooleanField">
@@ -1036,7 +1036,7 @@
                     <Required>N</Required>
                 </linkedMailer>
                 <http2Enabled type="BooleanField">
-                    <default>0</default>
+                    <default>1</default>
                     <Required>N</Required>
                 </http2Enabled>
                 <http2Enabled_nontls type="BooleanField">
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 13754b1116..571562c8d8 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1369,6 +1369,9 @@ frontend {{frontend.name}}
 {#           # convert protocols to HAProxy-compatible format #}
 {%           set alpn_options = frontend.advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
 {%           do ssl_options.append('alpn ' ~ alpn_options) %}
+{%         else %}
+{#           # disable ALPN to enforce the GUI settings #}
+{%           do ssl_options.append('no-alpn') %}
 {%         endif %}
 {#       # HTTP/2 without TLS #}
 {%       elif frontend.http2Enabled|default("") == '1' and frontend.http2Enabled_nontls|default("") == '1' %}

From 557f02a684ee0c92929172e0452a1841eeb94d13 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 28 Dec 2023 22:36:55 +0100
Subject: [PATCH 1694/3088] net/haproxy: add HTTP/2 performance settings

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/generalTuning.xml  | 40 +++++++++++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 36 +++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 18 +++++++++
 4 files changed, 95 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 18eeccabac..44cb5c9525 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -10,6 +10,7 @@ Added:
 * add support for built-in OCSP update feature
 * add support for forwarded header (RFC7239)
 * add option "X-Forwarded-For Header" to backend settings
+* add options for HTTP/2 performance tuning
 
 Fixed:
 * fix typo in cert sync script
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index 364cf6032d..f20d662dc5 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -132,4 +132,44 @@
         <sortable>true</sortable>
         <help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
     </field>
+    <field>
+        <label>HTTP/2 Performance</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.h2_initialWindowSize</id>
+        <label>Initial window size</label>
+        <type>text</type>
+        <help><![CDATA[Sets the default value for the HTTP/2 initial window size, on both incoming and outgoing connections. The default value is 65536.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.h2_initialWindowSizeOutgoing</id>
+        <label>Initial window size (outgoing)</label>
+        <type>text</type>
+        <help><![CDATA[Sets the HTTP/2 initial window size for outgoing connections, which is the number of bytes the server can respond to before waiting for an acknowledgment from HAProxy.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.h2_initialWindowSizeIncoming</id>
+        <label>Initial window size (incoming)</label>
+        <type>text</type>
+        <help><![CDATA[Sets the HTTP/2 initial window size for incoming connections, which is the number of bytes the client can upload before waiting for an acknowledgment from HAProxy.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.h2_maxConcurrentStreams</id>
+        <label>Max concurrent streams</label>
+        <type>text</type>
+        <help><![CDATA[Sets the default HTTP/2 maximum number of concurrent streams per connection (i.e. the number of outstanding requests on a single connection). The default value is 100.]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.h2_maxConcurrentStreamsOutgoing</id>
+        <label>Max concurrent streams (outgoing)</label>
+        <type>text</type>
+        <help><![CDATA[Sets the HTTP/2 maximum number of concurrent streams per outgoing connection (i.e. the number of outstanding requests on a single connection to a server).]]></help>
+    </field>
+    <field>
+        <id>haproxy.general.tuning.h2_maxConcurrentStreamsIncoming</id>
+        <label>Max concurrent streams (incoming)</label>
+        <type>text</type>
+        <help><![CDATA[Sets the HTTP/2 maximum number of concurrent streams per incoming connection (i.e. the number of outstanding requests on a single connection from a client).]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index ed8670c42e..3e90be2f2b 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -201,6 +201,42 @@
                     <default>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256</default>
                     <Required>N</Required>
                 </ssl_cipherSuites>
+                <h2_initialWindowSize type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
+                    <Required>N</Required>
+                </h2_initialWindowSize>
+                <h2_initialWindowSizeOutgoing type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
+                    <Required>N</Required>
+                </h2_initialWindowSizeOutgoing>
+                <h2_initialWindowSizeIncoming type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
+                    <Required>N</Required>
+                </h2_initialWindowSizeIncoming>
+                <h2_maxConcurrentStreams type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
+                    <Required>N</Required>
+                </h2_maxConcurrentStreams>
+                <h2_maxConcurrentStreamsOutgoing type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
+                    <Required>N</Required>
+                </h2_maxConcurrentStreamsOutgoing>
+                <h2_maxConcurrentStreamsIncoming type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>10000000</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 10000000.</ValidationMessage>
+                    <Required>N</Required>
+                </h2_maxConcurrentStreamsIncoming>
             </tuning>
             <defaults>
                 <maxConnections type="IntegerField">
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 571562c8d8..4ee9337003 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1011,6 +1011,24 @@ global
 {% if OPNsense.HAProxy.general.tuning.luaMaxMem|default("") != "" %}
     tune.lua.maxmem             {{OPNsense.HAProxy.general.tuning.luaMaxMem}}
 {% endif %}
+{% if OPNsense.HAProxy.general.tuning.h2_initialWindowSize|default("") != "" %}
+    tune.h2.initial-window-size       {{OPNsense.HAProxy.general.tuning.h2_initialWindowSize}}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.h2_initialWindowSizeOutgoing|default("") != "" %}
+    tune.h2.be.initial-window-size    {{OPNsense.HAProxy.general.tuning.h2_initialWindowSizeOutgoing}}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.h2_initialWindowSizeIncoming|default("") != "" %}
+    tune.h2.fe.initial-window-size    {{OPNsense.HAProxy.general.tuning.h2_initialWindowSizeIncoming}}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.h2_maxConcurrentStreams|default("") != "" %}
+    tune.h2.max-concurrent-streams    {{OPNsense.HAProxy.general.tuning.h2_maxConcurrentStreams}}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.h2_maxConcurrentStreamsOutgoing|default("") != "" %}
+    tune.h2.be.max-concurrent-streams {{OPNsense.HAProxy.general.tuning.h2_maxConcurrentStreamsOutgoing}}
+{% endif %}
+{% if OPNsense.HAProxy.general.tuning.h2_maxConcurrentStreamsIncoming|default("") != "" %}
+    tune.h2.fe.max-concurrent-streams {{OPNsense.HAProxy.general.tuning.h2_maxConcurrentStreamsIncoming}}
+{% endif %}
 {# # logging configuration #}
 {% set logging = [] %}
 {% if OPNsense.HAProxy.general.logging.host != '127.0.0.1' %}

From 3d42eb6a9956d98836838baa8d15936b684535b9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 28 Dec 2023 22:51:37 +0100
Subject: [PATCH 1695/3088] net/haproxy: switch to HAProxy 2.8, refs #3459

---
 net/haproxy/Makefile                                 |  2 +-
 net/haproxy/pkg-descr                                |  1 +
 .../OPNsense/HAProxy/forms/dialogAction.xml          | 12 ++++++------
 .../OPNsense/HAProxy/forms/dialogBackend.xml         | 10 +++++-----
 .../OPNsense/HAProxy/forms/dialogFcgi.xml            |  2 +-
 .../OPNsense/HAProxy/forms/dialogFrontend.xml        |  6 +++---
 .../OPNsense/HAProxy/forms/dialogMapfile.xml         |  2 +-
 .../mvc/app/views/OPNsense/HAProxy/index.volt        | 10 +++++-----
 8 files changed, 23 insertions(+), 22 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 95013f8e1b..14dccc7afa 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.1
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy26 py${PLUGIN_PYTHON}-haproxy-cli
+PLUGIN_DEPENDS=		haproxy py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 44cb5c9525..8eb91e61da 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -16,6 +16,7 @@ Fixed:
 * fix typo in cert sync script
 
 Changed:
+* upgrade to HAProxy 2.8 release series (#3459)
 * change default for HTTP/2 to enabled (only new frontends/backends)
 * add "no-alpn" option if HTTP/2 is not enabled (TLS-enabled frontends)
 * move OCSP settings from "Service" to "Global" section
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index e03c3632bf..7945ded643 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -89,7 +89,7 @@
         <id>action.http_request_redirect</id>
         <label>HTTP Redirect</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/2.6/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/2.8/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -128,7 +128,7 @@
         <id>action.http_request_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -145,7 +145,7 @@
         <id>action.http_request_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -251,7 +251,7 @@
         <id>action.http_response_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -268,7 +268,7 @@
         <id>action.http_response_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -468,6 +468,6 @@
         <id>action.fcgi_set_param</id>
         <label>Parameter</label>
         <type>text</type>
-        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/2.6/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
+        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 73bb33ce61..8411a6ad93 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -28,7 +28,7 @@
         <id>backend.algorithm</id>
         <label>Balancing Algorithm</label>
         <type>dropdown</type>
-        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
         <hint>Choose a load balancing algorithm.</hint>
     </field>
     <field>
@@ -42,7 +42,7 @@
         <id>backend.proxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -213,7 +213,7 @@
         <id>backend.persistence_cookiemode</id>
         <label>Cookie handling</label>
         <type>dropdown</type>
-        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.persistence_cookiename</id>
@@ -235,14 +235,14 @@
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
+        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
         <hint>Choose a persistence type.</hint>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
index fd6e48bfd3..c02327bcea 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
@@ -33,7 +33,7 @@
         <id>fcgi.path_info</id>
         <label>Path Info</label>
         <type>text</type>
-        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/2.6/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/2.8/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <id>fcgi.log_stderr</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index d21e258f9b..2268abe723 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -350,14 +350,14 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
@@ -384,7 +384,7 @@
         <id>frontend.stickiness_counter_key</id>
         <label>Sticky counter key</label>
         <type>text</type>
-        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index 6b8e712a38..4955c8519a 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -15,6 +15,6 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/2.6/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index c831ef9c8b..932c8814f3 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -717,7 +717,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/2.6/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/2.8/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -759,7 +759,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.6/configuration.html#7" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.8/configuration.html#7" target="_blank">', '</a>') }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -774,7 +774,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}</p>
-            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.6/configuration.html#3.4" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.8/configuration.html#3.4" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -792,7 +792,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/2.6/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/2.8/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#3.5" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -810,7 +810,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/2.6/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.6/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.6/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.6/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.6/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/2.6/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/2.8/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/2.8/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>

From de900c2c5786bdc660b85ceba1131a2d1d72e12e Mon Sep 17 00:00:00 2001
From: Sattam <sattamjh@gmail.com>
Date: Sat, 30 Dec 2023 18:23:28 +0300
Subject: [PATCH 1696/3088] security/acme-client: Add support for DNSExit
 (#3732)

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 20 ++++++++
 .../AcmeClient/LeValidation/DnsDnsexit.php    | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 10 ++++
 4 files changed, 78 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 1c99960d9d..11a6d4150e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 3.20
 Added:
 * add Bunny DNS API
+* add support for DNSExit
 
 3.19
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index c4bbcd4533..9eecd5f2ef 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -366,6 +366,26 @@
         <label>API Key</label>
         <type>text</type>
     </field>
+    <field>
+        <label>DNSExit</label>
+        <type>header</type>
+        <style>table_dns table_dns_dnsexit</style>
+    </field>
+    <field>
+        <id>validation.dns_dnsexit_auth_user</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_dnsexit_auth_pass</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>validation.dns_dnsexit_api</id>
+        <label>API Key</label>
+        <type>text</type>
+    </field>
     <field>
         <label>DNSimple</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php
new file mode 100644
index 0000000000..8943f1baa3
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2023 sattamjh
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Dnsexit DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDnsexit extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DNSEXIT_AUTH_USER'] = (string)$this->config->dns_dnsexit_auth_user;
+        $this->acme_env['DNSEXIT_AUTH_PASS'] = (string)$this->config->dns_dnsexit_auth_pass;
+        $this->acme_env['DNSEXIT_API_KEY'] = (string)$this->config->dns_dnsexit_api;
+        
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 019844738c..65adfcef4c 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -440,6 +440,7 @@
                         <dns_desec>deSEC.io</dns_desec>
                         <dns_dgon>DigitalOcean</dns_dgon>
                         <dns_da>DirectAdmin</dns_da>
+                        <dns_dnsexit>DNSExit</dns_dnsexit>
                         <dns_dnsimple>DNSimple</dns_dnsimple>
                         <dns_dnsservices>DNS.Services</dns_dnsservices>
                         <dns_domeneshop>Domeneshop</dns_domeneshop>
@@ -612,6 +613,15 @@
                 <dns_dgon_key type="TextField">
                     <Required>N</Required>
                 </dns_dgon_key>
+                <dns_dnsexit_auth_user type="TextField">
+                    <Required>N</Required>
+                </dns_dnsexit_auth_user>
+                <dns_dnsexit_auth_pass type="TextField">
+                    <Required>N</Required>
+                </dns_dnsexit_auth_pass>
+                <dns_dnsexit_api type="TextField">
+                    <Required>N</Required>
+                </dns_dnsexit_api>
                 <dns_dnsimple_token type="TextField">
                     <Required>N</Required>
                 </dns_dnsimple_token>

From 0caa6d7a3a872b3b7545e490893bc8170f243f26 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 30 Dec 2023 16:41:54 +0100
Subject: [PATCH 1697/3088] security/acme-client: add world4you DNS API, closes
 #3722

---
 security/acme-client/pkg-descr                |  2 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsWorld4you.php  | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 68 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsWorld4you.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 11a6d4150e..696ed56245 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -9,9 +9,11 @@ Plugin Changelog
 ================
 
 3.20
+
 Added:
 * add Bunny DNS API
 * add support for DNSExit
+* add World4You DNS API (#3722)
 
 3.19
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 9eecd5f2ef..382086ecae 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1656,4 +1656,19 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>World4You</label>
+        <type>header</type>
+        <style>table_dns table_dns_world4you</style>
+    </field>
+    <field>
+        <id>validation.dns_world4you_username</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_world4you_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsWorld4you.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsWorld4you.php
new file mode 100644
index 0000000000..192c8d63e1
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsWorld4you.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * World4You DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsWorld4you extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['WORLD4YOU_USERNAME'] = (string)$this->config->dns_world4you_username;
+        $this->acme_env['WORLD4YOU_PASSWORD'] = (string)$this->config->dns_world4you_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 65adfcef4c..980c0b9587 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -509,6 +509,7 @@
                         <dns_variomedia>Variomedia.de</dns_variomedia>
                         <dns_vscale>Vscale</dns_vscale>
                         <dns_vultr>Vultr</dns_vultr>
+                        <dns_world4you>World4You</dns_world4you>
                         <dns_yandex>Yandex PDD</dns_yandex>
                         <dns_zilore>Zilore</dns_zilore>
                         <dns_zone>Zone.eu</dns_zone>
@@ -1172,6 +1173,12 @@
                 <dns_regru_password type="TextField">
                     <Required>N</Required>
                 </dns_regru_password>
+                <dns_world4you_username type="TextField">
+                    <Required>N</Required>
+                </dns_world4you_username>
+                <dns_world4you_password type="TextField">
+                    <Required>N</Required>
+                </dns_world4you_password>
             </validation>
         </validations>
         <actions>

From 2aed162fa6dde8ee22d112f775bea7b550a7dec7 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 30 Dec 2023 16:48:35 +0100
Subject: [PATCH 1698/3088] security/acme-client: remove support for defunct
 highwinds CDN (#3626)

---
 security/acme-client/pkg-descr                |   3 +
 .../AcmeClient/forms/dialogAction.xml         |  17 --
 .../LeAutomation/ConfigdUploadHighwinds.php   |  45 ----
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  13 +-
 .../OPNsense/AcmeClient/upload_highwinds.php  | 254 ------------------
 .../conf/actions.d/actions_acmeclient.conf    |   6 -
 6 files changed, 4 insertions(+), 334 deletions(-)
 delete mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadHighwinds.php
 delete mode 100755 security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_highwinds.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 696ed56245..a9b8d64296 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,9 @@ Added:
 * add support for DNSExit
 * add World4You DNS API (#3722)
 
+Removed:
+* remove automation: Highwinds CDN (#3626)
+
 3.19
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 905f1d49fb..c05efa9835 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -23,23 +23,6 @@
         <type>dropdown</type>
         <help>Pre-defined commands for this automation.</help>
     </field>
-    <field>
-        <label>Required Parameters</label>
-        <type>header</type>
-        <style>method_table method_table_configd_upload_highwinds</style>
-    </field>
-    <field>
-        <id>action.highwinds_account_hash</id>
-        <label>Account Hash</label>
-        <type>text</type>
-        <help>Account hash for Highwinds API.</help>
-    </field>
-    <field>
-        <id>action.highwinds_access_token</id>
-        <label>Access Token</label>
-        <type>text</type>
-        <help>Access token for Highwinds API.</help>
-    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadHighwinds.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadHighwinds.php
deleted file mode 100644
index a17197815f..0000000000
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdUploadHighwinds.php
+++ /dev/null
@@ -1,45 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020-2021 Frank Wall
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\AcmeClient\LeAutomation;
-
-use OPNsense\AcmeClient\LeAutomationInterface;
-
-/**
- * Upload certificate to Highwinds CDN API
- * @package OPNsense\AcmeClient
- */
-class ConfigdUploadHighwinds extends Base implements LeAutomationInterface
-{
-    public function prepare()
-    {
-        $command = 'acmeclient upload_highwinds ' . $this->cert_id . ' ' . $this->config->id;
-        $this->command = $command;
-        return true;
-    }
-}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 980c0b9587..f4f434d5e3 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>3.4.0</version>
+    <version>3.5.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -1206,7 +1206,6 @@
                         <configd_restart_gui>Restart OPNsense Web UI</configd_restart_gui>
                         <configd_restart_haproxy>Restart HAProxy (OPNsense plugin)</configd_restart_haproxy>
                         <configd_restart_nginx>Restart Nginx (OPNsense plugin)</configd_restart_nginx>
-                        <configd_upload_highwinds>Upload certificate to Highwinds CDN</configd_upload_highwinds>
                         <configd_upload_sftp>Upload certificate via SFTP</configd_upload_sftp>
                         <configd_remote_ssh>Remote Command via SSH</configd_remote_ssh>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
@@ -1219,16 +1218,6 @@
                         <configd_generic>System or Plugin Command</configd_generic>
                     </OptionValues>
                 </type>
-                <highwinds_account_hash type="TextField">
-                    <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
-                </highwinds_account_hash>
-                <highwinds_access_token type="TextField">
-                    <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
-                </highwinds_access_token>
                 <sftp_host type="TextField">
                     <Required>N</Required>
                     <mask>/^.{1,255}$/u</mask>
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_highwinds.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_highwinds.php
deleted file mode 100755
index 2819626a45..0000000000
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_highwinds.php
+++ /dev/null
@@ -1,254 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- * Copyright (C) 2019 Frank Wall
- * Copyright (C) 2015 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
-require_once("util.inc");
-
-use OPNsense\Core\Backend;
-use OPNsense\Core\Config;
-use OPNsense\Base;
-use OPNsense\AcmeClient\AcmeClient;
-
-$HIGHWINDS_API_URL = 'https://striketracker.highwinds.com/api/v1/accounts';
-
-function find_certificate($acme_cert_id)
-{
-    $modelObj = new OPNsense\AcmeClient\AcmeClient();
-    $configObj = Config::getInstance()->object();
-    if (isset($configObj->OPNsense->AcmeClient->certificates) && $configObj->OPNsense->AcmeClient->certificates->count() > 0) {
-        foreach ($configObj->OPNsense->AcmeClient->certificates->children() as $certObj) {
-            $cert_id = (string)$certObj->id;
-            $cert_name = (string)$certObj->name;
-            if ($cert_id == $acme_cert_id) {
-                if ($certObj->enabled == 0) {
-                    log_error("AcmeClient: certificate ${cert_name} is disabled, ignoring upload request");
-                    return 'None';
-                }
-                if (isset($certObj->certRefId)) {
-                    $data = array();
-                    $data['name'] = $cert_name;
-                    $data['refid'] = (string)$certObj->certRefId;
-                    return $data;
-                } else {
-                    log_error("AcmeClient: certificate ${cert_name} could not be found in trust storage, ignoring upload request");
-                    break;
-                }
-            }
-        }
-        return 'None';
-    }
-}
-
-function export_certificate($cert_refid)
-{
-    $configObj = Config::getInstance()->object();
-    foreach ($configObj->cert as $cert) {
-        if ($cert_refid == (string)$cert->refid) {
-            $cert_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
-            $key_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->prv)));
-            // check if a CA is linked
-            if (!empty((string)$cert->caref)) {
-                $cert = (array)$cert;
-                $ca = ca_chain($cert);
-                $ca_content = $ca;
-            }
-            $result = array();
-            $result['cert'] = $cert_content;
-            $result['key'] = $key_content;
-            $result['ca'] = $ca_content;
-            return $result;
-        }
-    }
-    log_error("AcmeClient: cert with refid ${cert_refid} not found in trust storage");
-    return 'None';
-}
-
-function upload_certificate($cert_name, $cert_refid, $acme_cert_id, $acme_automation_id)
-{
-    $modelObj = new OPNsense\AcmeClient\AcmeClient();
-    $configObj = Config::getInstance()->object();
-    if (isset($configObj->OPNsense->AcmeClient->actions) && $configObj->OPNsense->AcmeClient->actions->count() > 0) {
-        foreach ($configObj->OPNsense->AcmeClient->actions->children() as $automObj) {
-            $autom_id = (string)$automObj->id;
-            if ($autom_id == $acme_automation_id) {
-                if ($automObj->enabled == 0) {
-                    log_error("AcmeClient: ignoring disabled upload job for cert ${cert_name}");
-                    return 'None';
-                }
-                if (isset($automObj->highwinds_account_hash) && isset($automObj->highwinds_access_token)) {
-                    $hw_account_hash = (string)$automObj->highwinds_account_hash;
-                    $hw_access_token = (string)$automObj->highwinds_access_token;
-                    $cert_data = export_certificate($cert_refid);
-                    if ($cert_data !== 'None') {
-                        $hw_result = hw_upload_certificate($hw_account_hash, $hw_access_token, $cert_name, $cert_data);
-                        if ($hw_result !== 'None') {
-                            return true;
-                        }
-                    }
-                } else {
-                    log_error("AcmeClient: upload job for cert ${cert_name} is incomplete, missing Highwinds configuration");
-                    return 'None';
-                }
-            }
-        }
-        return 'None';
-    }
-}
-
-function hw_list_certificates($account_hash, $access_token)
-{
-    global $HIGHWINDS_API_URL;
-    $curl = curl_init();
-    curl_setopt_array($curl, array(
-        CURLOPT_URL => "${HIGHWINDS_API_URL}/${account_hash}/certificates",
-        CURLOPT_CUSTOMREQUEST => 'GET',
-        CURLOPT_RETURNTRANSFER => true,
-        CURLOPT_MAXREDIRS => 1,
-        CURLOPT_TIMEOUT => 10,
-        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
-        CURLOPT_HTTPHEADER => array(
-            "Authorization: Bearer ${access_token}",
-            "Content-Type: application/json",
-            "User-Agent: OPNsense Firewall",
-            "X-Application-Id: OPNsense Firewall"
-        )
-    ));
-    $response = curl_exec($curl);
-    $err = curl_error($curl);
-    $info = curl_getinfo($curl);
-    curl_close($curl);
-    $http_code = $info['http_code'];
-    if ($http_code != 200 || $err) {
-        log_error("AcmeClient: failed to access Highwinds API, HTTP Code: ${http_code}, error ${err}");
-        return 'None';
-    }
-    return json_decode($response);
-}
-
-function hw_get_certificate($account_hash, $access_token, $cert_name)
-{
-    $certificates = hw_list_certificates($account_hash, $access_token);
-    if ($certificates !== 'None') {
-        foreach ($certificates->list as $cert) {
-            if ($cert->commonName == $cert_name) {
-                return $cert;
-            }
-        }
-    }
-    return 'None';
-}
-
-function hw_upload_certificate($account_hash, $access_token, $cert_name, $cert_data)
-{
-    global $HIGHWINDS_API_URL;
-    // Check current status of certificate at Highwinds
-    $hw_cert = hw_get_certificate($account_hash, $access_token, $cert_name);
-    $hw_url = 'certificates';
-    $hw_method = 'POST';
-    if ($hw_cert == 'None') {
-        log_error("AcmeClient: cert for ${cert_name} not found in Highwinds API, starting upload...");
-    } else {
-        log_error("AcmeClient: cert for ${cert_name} found in Highwinds API");
-        $hw_method = 'PUT';
-
-        // Extract certificate details
-        $cert = openssl_x509_parse($cert_data['cert']);
-        $cert_sn = (string)$cert['serialNumber'];
-        $hw_cert_sn = (string)$hw_cert->certificateInformation->serialNumber;
-        $hw_cert_id = $hw_cert->id;
-
-        // Compare local and remote certificates
-        if ($cert_sn == $hw_cert_sn) {
-            log_error("AcmeClient: cert ${cert_name} has same serial in Highwinds API, not updating (${cert_sn})");
-            return 'None';
-        }
-        log_error("AcmeClient: cert serial is different in Highwinds API, updating...");
-        $hw_url = "${hw_url}/${hw_cert_id}";
-    }
-
-    // adjust data format for Highwinds API
-    $cert_post = json_encode(array('certificate' => $cert_data['cert'], 'key' => $cert_data['key'], 'caBundle' => $cert_data['ca']));
-
-    $curl = curl_init();
-    curl_setopt_array($curl, array(
-        CURLOPT_URL => "${HIGHWINDS_API_URL}/${account_hash}/${hw_url}",
-        CURLOPT_CUSTOMREQUEST => $hw_method,
-        CURLOPT_POSTFIELDS => (string)$cert_post,
-        CURLOPT_RETURNTRANSFER => true,
-        CURLOPT_MAXREDIRS => 1,
-        CURLOPT_TIMEOUT => 10,
-        CURLOPT_SAFE_UPLOAD => true,
-        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
-        CURLOPT_HTTPHEADER => array(
-            "Authorization: Bearer ${access_token}",
-            "Content-Type: application/json",
-            "User-Agent: OPNsense Firewall",
-            "X-Application-Id: OPNsense Firewall",
-            "Expect:"
-        )
-    ));
-    $response = curl_exec($curl);
-    $err = curl_error($curl);
-    $info = curl_getinfo($curl);
-    curl_close($curl);
-    $http_code = $info['http_code'];
-    if ($http_code != 200 || $err) {
-        log_error("AcmeClient: Failed to upload cert ${cert_name} to Highwinds API, HTTP Code: ${http_code}, error ${err}");
-        return 'None';
-    }
-    return json_decode($response);
-}
-
-// Evaluate CLI arguments
-$options = getopt("a:c:");
-if (!isset($options["a"]) or !isset($options["c"])) {
-    print "ERROR: not enough arguments\n";
-    exit(1);
-}
-$acme_cert_id = $options["c"];
-$acme_automation_id = $options["a"];
-
-// Search certificate in configuration
-$cert_data = find_certificate($acme_cert_id);
-if ($cert_data == 'None') {
-    log_error("AcmeClient: ignoring cert ID ${acme_cert_id}");
-    exit(1);
-} else {
-    // Upload certificate (if required)
-    $upload_result = upload_certificate($cert_data['name'], $cert_data['refid'], $acme_cert_id, $acme_automation_id);
-    if ($upload_result === 'None') {
-        log_error("AcmeClient: cert ID ${acme_cert_id} was neither uploaded nor updated");
-    } else {
-        log_error("AcmeClient: cert ID ${acme_cert_id} was uploaded or updated");
-    }
-}
-exit(0);
diff --git a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
index 7c47bdf858..c58df0bef8 100644
--- a/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
+++ b/security/acme-client/src/opnsense/service/conf/actions.d/actions_acmeclient.conf
@@ -91,12 +91,6 @@ parameters:%s
 type:script
 message:registering an account
 
-[upload_highwinds]
-command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_highwinds.php
-parameters:-c %s -a %s
-type:script
-message:uploading a certificate to highwinds
-
 [upload-sftp]
 command:/usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
 parameters:--certificates=%s --automation-id=%s

From a087b1a135cf1298e934ab1947b95dab017ac258 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 30 Dec 2023 17:10:48 +0100
Subject: [PATCH 1699/3088] security/acme-client: fix 2FA support in Synology
 deployhook, closes #3627

---
 security/acme-client/pkg-descr                              | 3 +++
 .../controllers/OPNsense/AcmeClient/forms/dialogAction.xml  | 6 ++++++
 .../OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php    | 5 ++++-
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 5 +++++
 4 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a9b8d64296..4223241535 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,9 @@ Added:
 * add support for DNSExit
 * add World4You DNS API (#3722)
 
+Fixed:
+* fix 2FA support in Synology deployhook (#3627)
+
 Removed:
 * remove automation: Highwinds CDN (#3626)
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index c05efa9835..5fa9e700dd 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -219,6 +219,12 @@
         <type>text</type>
         <help>If Synology DSM has OTP enabled, then the device ID has to be provided so that no OTP is required when running the automation.</help>
     </field>
+    <field>
+        <id>action.acme_synology_dsm_devicename</id>
+        <label>Device Name</label>
+        <type>text</type>
+        <help>If Synology DSM has OTP enabled, then the device name has to be provided so that no OTP is required when running the automation.</help>
+    </field>
     <field>
         <id>action.acme_synology_dsm_create</id>
         <label>Create certificates</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
index c1fb58a0a1..3194f57450 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
@@ -48,7 +48,10 @@ public function prepare()
             $this->acme_env['SYNO_Create'] = (string)$this->config->acme_synology_dsm_create;
         }
         if (!empty((string)$this->config->acme_synology_dsm_deviceid)) {
-            $this->acme_env['SYNO_DID'] = (string)$this->config->acme_synology_dsm_deviceid;
+            $this->acme_env['SYNO_Device_ID'] = (string)$this->config->acme_synology_dsm_deviceid;
+        }
+        if (!empty((string)$this->config->acme_synology_dsm_devicename)) {
+            $this->acme_env['SYNO_Device_Name'] = (string)$this->config->acme_synology_dsm_devicename;
         }
         $this->acme_args[] = '--deploy-hook synology_dsm';
         return true;
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f4f434d5e3..b5339d9383 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1380,6 +1380,11 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_synology_dsm_deviceid>
+                <acme_synology_dsm_devicename type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_synology_dsm_devicename>
                 <acme_fritzbox_url type="TextField">
                     <Required>N</Required>
                     <mask>/^.{1,1024}$/u</mask>

From 2c725f15e68aedd447182100384944012aea9bae Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 30 Dec 2023 17:20:37 +0100
Subject: [PATCH 1700/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 3 +--
 security/acme-client/pkg-descr | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 1f3eaf6ce8..d9e7b6a6a0 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.19
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		3.20
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 4223241535..f9bc03d723 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -11,12 +11,12 @@ Plugin Changelog
 3.20
 
 Added:
-* add Bunny DNS API
-* add support for DNSExit
+* add Bunny DNS API (#3715)
+* add DNSExit DNS API (#3724)
 * add World4You DNS API (#3722)
 
 Fixed:
-* fix 2FA support in Synology deployhook (#3627)
+* fix 2FA support in Synology automation (#3627)
 
 Removed:
 * remove automation: Highwinds CDN (#3626)

From ab0d4a95848b170ab7d524d3fd8ee7d0f436f750 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 28 Dec 2023 22:58:14 +0100
Subject: [PATCH 1701/3088] net/haproxy: bump version

---
 net/haproxy/Makefile  | 5 ++---
 net/haproxy/pkg-descr | 6 ++++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 14dccc7afa..7ea41d9365 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.1
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		4.2
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy py${PLUGIN_PYTHON}-haproxy-cli
+PLUGIN_DEPENDS=		haproxy28 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 8eb91e61da..f692d8110e 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,8 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.2
+
 Added:
 * add support for built-in OCSP update feature
 * add support for forwarded header (RFC7239)
@@ -13,12 +15,12 @@ Added:
 * add options for HTTP/2 performance tuning
 
 Fixed:
-* fix typo in cert sync script
+* fix SSL sync cron job (bulk sync was never working properly)
 
 Changed:
 * upgrade to HAProxy 2.8 release series (#3459)
 * change default for HTTP/2 to enabled (only new frontends/backends)
-* add "no-alpn" option if HTTP/2 is not enabled (TLS-enabled frontends)
+* add "no-alpn" option if HTTP/2 is not enabled (only TLS-enabled frontends)
 * move OCSP settings from "Service" to "Global" section
 * replace bundled haproxyctl library with haproxy-cli
 

From d9a5fe0e05242534fb016aab89eb38dcae65f7b9 Mon Sep 17 00:00:00 2001
From: Brian <brian@durksen.me>
Date: Sat, 30 Dec 2023 14:37:08 -0500
Subject: [PATCH 1702/3088] dns/ddclient: Add Porkbun ddns support

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml    | 1 +
 .../service/templates/OPNsense/ddclient/ddclient.conf         | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index a3ae3beae5..ea00f4a7fc 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -75,6 +75,7 @@
                         <nsupdatev4>nsupdate.info (IPv4)</nsupdatev4>
                         <nsupdatev6>nsupdate.info (IPv6)</nsupdatev6>
                         <ovh>OVHcloud DynHost</ovh>
+                        <porkbun>Porkbun</porkbun>
                         <regfishde>regfish.de</regfishde>
                         <servercow>Servercow</servercow>
                         <sitelutions>Sitelutions</sitelutions>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 5255b43ac9..bed35365b9 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -89,6 +89,10 @@ server=dyndns.strato.com, \
 {%      elif account.service == 'ovh' %}
 protocol=dyndns2, \
 server=www.ovh.com, \
+{%      elif account.service == 'porkbun' %}
+protocol={{account.service}}, \
+apikey={{account.username}}, \
+secretapikey={{account.password}}, \
 {%      else %}
 protocol={{account.service}}, \
 {%      endif %}

From 1f6e20f19780ed71cf7121ec481697ccb10f8828 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 30 Dec 2023 21:25:36 +0100
Subject: [PATCH 1703/3088] security/acme-client: support token authentication
 in Gandi LiveDNS, closes #3526 (#3740)

---
 security/acme-client/pkg-descr                            | 3 +++
 .../OPNsense/AcmeClient/forms/dialogValidation.xml        | 8 +++++++-
 .../OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php  | 6 +++++-
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml     | 3 +++
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f9bc03d723..41b68f69d4 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,9 @@ Added:
 * add DNSExit DNS API (#3724)
 * add World4You DNS API (#3722)
 
+Changed:
+* support token authentication in Gandi LiveDNS (#3526)
+
 Fixed:
 * fix 2FA support in Synology automation (#3627)
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 382086ecae..7df74ee392 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -542,10 +542,16 @@
         <type>header</type>
         <style>table_dns table_dns_gandi_livedns</style>
     </field>
+    <field>
+        <id>validation.dns_gandi_livedns_token</id>
+        <label>Personal Access Token</label>
+        <type>text</type>
+    </field>
     <field>
         <id>validation.dns_gandi_livedns_key</id>
-        <label>Key</label>
+        <label>API Key (DEPRECATED)</label>
         <type>text</type>
+        <help>The API Key is the previous mechanism that was replaced with Personal Access Tokens. API Keys should no longer be used.</help>
     </field>
     <field>
         <label>Google Cloud DNS</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php
index afebc94825..928cf65742 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGandiLivedns.php
@@ -39,6 +39,10 @@ class DnsGandiLivedns extends Base implements LeValidationInterface
 {
     public function prepare()
     {
-        $this->acme_env['GANDI_LIVEDNS_KEY'] = (string)$this->config->dns_gandi_livedns_key;
+        if (!empty((string)$this->config->dns_gandi_livedns_token)) {
+            $this->acme_env['GANDI_LIVEDNS_TOKEN'] = (string)$this->config->dns_gandi_livedns_token;
+        } else {
+            $this->acme_env['GANDI_LIVEDNS_KEY'] = (string)$this->config->dns_gandi_livedns_key;
+        }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b5339d9383..ae10ea3e19 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -683,6 +683,9 @@
                 <dns_gandi_livedns_key type="TextField">
                     <Required>N</Required>
                 </dns_gandi_livedns_key>
+                <dns_gandi_livedns_token type="TextField">
+                    <Required>N</Required>
+                </dns_gandi_livedns_token>
                 <dns_gcloud_key type="TextField">
                     <Required>N</Required>
                 </dns_gcloud_key>

From 88e0745a4624fb20ce73009a4d5414f0687e8081 Mon Sep 17 00:00:00 2001
From: Niklas Femerstrand <niklas.femerstrand@gmail.com>
Date: Sat, 30 Dec 2023 22:50:13 +0100
Subject: [PATCH 1704/3088] etpro_telemetry: Fixes unimplemented "insecure"
 sensor_info argument (#3737)

---
 .../src/opnsense/scripts/etpro_telemetry/sensor_info.py         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/sensor_info.py b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/sensor_info.py
index 9cec122d0c..762fa70d90 100755
--- a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/sensor_info.py
+++ b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/sensor_info.py
@@ -45,7 +45,7 @@
 cnf = telemetry.get_config(args.config)
 if cnf.token is not None:
     try:
-        req = requests.get(args.endpoint, headers={'Authorization': 'Bearer %s' % cnf.token})
+        req = requests.get(args.endpoint, headers={'Authorization': 'Bearer %s' % cnf.token}, verify=not args.insecure)
         if req.status_code == 200:
             response = ujson.loads(req.text)
             response['status'] = 'ok'

From 9ff64a3e41428a2b23ae55846a5b92d498d47245 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 31 Dec 2023 13:28:12 +0100
Subject: [PATCH 1705/3088] net/wireguard - handle disabled carp vhid's by
 initialising to 'DISABLED'. closes
 https://github.com/opnsense/plugins/issues/3741

---
 net/wireguard/Makefile                                          | 2 +-
 .../src/opnsense/scripts/Wireguard/wg-service-control.php       | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index ab8782ab78..032c929bf5 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 0e09a98a60..b0cd9c13da 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -43,6 +43,7 @@ function get_vhid_status()
     foreach ((new OPNsense\Interfaces\Vip())->vip->iterateItems() as $id => $item) {
         if ($item->mode == 'carp') {
             $uuids[(string)$item->vhid] =  $id;
+            $vhids[$id] = ['status' => 'DISABLED', 'vhid' => (string)$item->vhid];
         }
     }
     foreach (legacy_interfaces_details() as $ifdata) {

From c6e16e54f366dcb207f415818eac0b8cc7063da9 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 1 Jan 2024 17:14:09 +0100
Subject: [PATCH 1706/3088] net/firewall - add NPTv6 for
 https://github.com/opnsense/core/issues/6383

---
 .../src/etc/inc/plugins.inc.d/pfplugin.inc    |  3 +
 .../Firewall/Api/FilterBaseController.php     | 40 +++++++++++
 .../Firewall/Api/FilterController.php         |  8 ++-
 .../OPNsense/Firewall/Api/NptController.php   | 67 +++++++++++++++++++
 .../Firewall/Api/SourceNatController.php      |  8 ++-
 .../OPNsense/Firewall/NptController.php       | 38 +++++++++++
 .../Firewall/forms/dialogFilterRule.xml       |  8 ++-
 .../OPNsense/Firewall/forms/dialogNptRule.xml | 40 +++++++++++
 .../Firewall/forms/dialogSNatRule.xml         |  7 ++
 .../app/models/OPNsense/Firewall/Filter.xml   | 55 +++++++++++++++
 .../models/OPNsense/Firewall/Menu/Menu.xml    |  3 +
 .../app/views/OPNsense/Firewall/filter.volt   | 59 ++++++++++++++--
 12 files changed, 327 insertions(+), 9 deletions(-)
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
 create mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml

diff --git a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
index cdb25a5de4..3c9aa2fceb 100644
--- a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
+++ b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
@@ -42,4 +42,7 @@ function pfplugin_firewall($fw)
     foreach ($mdlFilter->snatrules->rule->sortedBy(["sequence"]) as $key => $rule) {
          $fw->registerSNatRule(50, $rule->serialize());
     }
+    foreach ($mdlFilter->npt->rule->sortedBy(["sequence"]) as $key => $rule) {
+         $fw->registerNptRule(50, $rule->serialize());
+    }
 }
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
index 789ae9a89e..3162d985f1 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
@@ -30,6 +30,7 @@
 use OPNsense\Base\ApiMutableModelControllerBase;
 use OPNsense\Core\Backend;
 use OPNsense\Core\Config;
+use OPNsense\Firewall\Category;
 
 /**
  * Class FilterBaseController implements actions for various types
@@ -39,6 +40,45 @@ abstract class FilterBaseController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'filter';
     protected static $internalModelClass = 'OPNsense\Firewall\Filter';
+    protected static $categorysource = null;
+
+    /**
+     * list categories and usage
+     * @return array
+     */
+    public function listCategoriesAction()
+    {
+        $response = ['rows' => []];
+        $catcount = [];
+        if (!empty(static::$categorysource)) {
+            $node = $this->getModel();
+            foreach (explode('.', static::$categorysource) as $ref) {
+                $node = $node->$ref;
+            }
+            foreach ($node->iterateItems() as $item) {
+                if (!empty((string)$item->categories)) {
+                    foreach (explode(',', (string)$item->categories) as $cat) {
+                        if (!isset($catcount[$cat])) {
+                            $catcount[$cat] = 0;
+                        }
+                        $catcount[$cat] += 1;
+                    }
+                }
+            }
+        }
+        foreach ((new Category())->categories->category->iterateItems() as $key => $category) {
+            $response['rows'][] = [
+                "uuid" => $key,
+                "name" => (string)$category->name,
+                "color" => (string)$category->color,
+                "used" => isset($catcount[$key]) ? $catcount[$key] : 0
+            ];
+        }
+        array_multisort(array_column($response['rows'], "name"), SORT_ASC, SORT_NATURAL, $response['rows']);
+
+        return $response;
+    }
+
 
     public function applyAction($rollback_revision = null)
     {
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
index 225a07b723..7af4676eb9 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
@@ -29,9 +29,15 @@
 
 class FilterController extends FilterBaseController
 {
+    protected static $categorysource = "rules.rule";
+
     public function searchRuleAction()
     {
-        return $this->searchBase("rules.rule", array('enabled', 'sequence', 'description'), "sequence");
+        $category = $this->request->get('category');
+        $filter_funct = function ($record) use ($category) {
+            return empty($category) || array_intersect(explode(',', $record->categories), $category);
+        };
+        return $this->searchBase("rules.rule", ['enabled', 'sequence', 'description'], "sequence", $filter_funct);
     }
 
     public function setRuleAction($uuid)
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
new file mode 100644
index 0000000000..61b1d5705e
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+namespace OPNsense\Firewall\Api;
+
+class NptController extends FilterBaseController
+{
+    protected static $categorysource = "npt.rule";
+
+    public function searchRuleAction()
+    {
+        $category = $this->request->get('category');
+        $filter_funct = function ($record) use ($category) {
+            return empty($category) || array_intersect(explode(',', $record->categories), $category);
+        };
+        return $this->searchBase("npt.rule", ['enabled', 'sequence', 'description'], "sequence", $filter_funct);
+    }
+
+    public function setRuleAction($uuid)
+    {
+        return $this->setBase("rule", "npt.rule", $uuid);
+    }
+
+    public function addRuleAction()
+    {
+        return $this->addBase("rule", "npt.rule");
+    }
+
+    public function getRuleAction($uuid = null)
+    {
+        return $this->getBase("rule", "npt.rule", $uuid);
+    }
+
+    public function delRuleAction($uuid)
+    {
+        return $this->delBase("npt.rule", $uuid);
+    }
+
+    public function toggleRuleAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("npt.rule", $uuid, $enabled);
+    }
+}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
index 151bf14db6..5833225d96 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
@@ -29,9 +29,15 @@
 
 class SourceNatController extends FilterBaseController
 {
+    protected static $categorysource = "snatrules.rule";
+
     public function searchRuleAction()
     {
-        return $this->searchBase("snatrules.rule", array('enabled', 'sequence', 'description'), "sequence");
+        $category = $this->request->get('category');
+        $filter_funct = function ($record) use ($category) {
+            return empty($category) || array_intersect(explode(',', $record->categories), $category);
+        };
+        return $this->searchBase("snatrules.rule", ['enabled', 'sequence', 'description'], "sequence", $filter_funct);
     }
 
     public function setRuleAction($uuid)
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
new file mode 100644
index 0000000000..07b1c7efda
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+namespace OPNsense\Firewall;
+
+class NptController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Firewall/filter');
+        $this->view->ruleController = "npt";
+        $this->view->formDialogFilterRule = $this->getForm("dialogNptRule");
+    }
+}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
index f299cc1c42..af4cda9bcf 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
@@ -99,7 +99,13 @@
         <type>checkbox</type>
         <help>Log packets that are handled by this rule</help>
     </field>
-
+    <field>
+        <id>rule.categories</id>
+        <label>Categories</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <help>For grouping purposes you may select multiple groups here to organize items.</help>
+    </field>
     <field>
         <id>rule.description</id>
         <label>Description</label>
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
new file mode 100644
index 0000000000..abfe782dfd
--- /dev/null
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
@@ -0,0 +1,40 @@
+<form>
+    <field>
+        <id>rule.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help>Enable this rule</help>
+    </field>
+    <field>
+        <id>rule.sequence</id>
+        <label>Sequence</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.interface</id>
+        <label>Interface</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>rule.source_net</id>
+        <label>Source</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.destination_net</id>
+        <label>Destination</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>rule.categories</id>
+        <label>Categories</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <help>For grouping purposes you may select multiple groups here to organize items.</help>
+    </field>
+    <field>
+        <id>rule.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+</form>
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
index 0c87b04503..90dc7a90ba 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
@@ -86,6 +86,13 @@
         <type>checkbox</type>
         <help>Log packets that are handled by this rule</help>
     </field>
+    <field>
+        <id>rule.categories</id>
+        <label>Categories</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <help>For grouping purposes you may select multiple groups here to organize items.</help>
+    </field>
     <field>
         <id>rule.description</id>
         <label>Description</label>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 65262b536f..ca30b9f982 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -100,6 +100,17 @@
                     <Default>0</Default>
                     <Required>Y</Required>
                 </log>
+                <categories type="ModelRelationField">
+                    <Model>
+                        <rulesets>
+                            <source>OPNsense.Firewall.Category</source>
+                            <items>categories.category</items>
+                            <display>name</display>
+                        </rulesets>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                    <ValidationMessage>Related category not found.</ValidationMessage>
+                </categories>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
@@ -184,6 +195,17 @@
                     <Default>0</Default>
                     <Required>Y</Required>
                 </log>
+                <categories type="ModelRelationField">
+                    <Model>
+                        <rulesets>
+                            <source>OPNsense.Firewall.Category</source>
+                            <items>categories.category</items>
+                            <display>name</display>
+                        </rulesets>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                    <ValidationMessage>Related category not found.</ValidationMessage>
+                </categories>
                 <description type="TextField">
                     <Required>N</Required>
                     <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
@@ -191,5 +213,38 @@
                 </description>
             </rule>
         </snatrules>
+        <npt>
+            <rule type=".\SourceNatRuleField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <interface type="InterfaceField">
+                    <Required>Y</Required>
+                    <Default>lan</Default>
+                    <AllowDynamic>Y</AllowDynamic>
+                </interface>
+                <source_net type="NetworkAliasField">
+                    <Required>Y</Required>
+                </source_net>
+                <destination_net type="NetworkAliasField"/>
+                <categories type="ModelRelationField">
+                    <Model>
+                        <rulesets>
+                            <source>OPNsense.Firewall.Category</source>
+                            <items>categories.category</items>
+                            <display>name</display>
+                        </rulesets>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                    <ValidationMessage>Related category not found.</ValidationMessage>
+                </categories>
+                <description type="TextField">
+                    <Required>N</Required>
+                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
+                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
+                </description>
+            </rule>
+        </npt>
     </items>
 </model>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
index 2889f9bff0..476e1f38b8 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
@@ -7,6 +7,9 @@
             <SourceNat order="100" VisibleName="Source NAT" url="/ui/firewall/source_nat/">
                 <FilterRef url="/ui/firewall/source_nat#*" visibility="hidden"/>
             </SourceNat>
+            <Npt order="100" VisibleName="NPTv6" url="/ui/firewall/npt/">
+                <FilterRef url="/ui/firewall/npt#*" visibility="hidden"/>
+            </Npt>
         </Automation>
     </Firewall>
 </menu>
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index 567eff3362..34622514c9 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -2,12 +2,47 @@
     $( document ).ready(function() {
         let initial_load = true;
         let grid = $("#grid-rules").UIBootgrid({
-            search:'/api/firewall/{{ruleController}}/searchRule/',
-            get:'/api/firewall/{{ruleController}}/getRule/',
-            set:'/api/firewall/{{ruleController}}/setRule/',
-            add:'/api/firewall/{{ruleController}}/addRule/',
-            del:'/api/firewall/{{ruleController}}/delRule/',
-            toggle:'/api/firewall/{{ruleController}}/toggleRule/'
+            search:'/api/firewall/{{ruleController}}/search_rule/',
+            get:'/api/firewall/{{ruleController}}/get_rule/',
+            set:'/api/firewall/{{ruleController}}/set_rule/',
+            add:'/api/firewall/{{ruleController}}/add_rule/',
+            del:'/api/firewall/{{ruleController}}/del_rule/',
+            toggle:'/api/firewall/{{ruleController}}/toggle_rule/',
+            options:{
+                requestHandler: function(request){
+                    if ( $('#category_filter').val().length > 0) {
+                        request['category'] = $('#category_filter').val();
+                    }
+                    return request;
+                }
+            }
+        });
+        grid.on("loaded.rs.jquery.bootgrid", function (e){
+            // reload categories before grid load
+            ajaxCall('/api/firewall/{{ruleController}}/list_categories', {}, function(data, status){
+                if (data.rows !== undefined) {
+                    let current_selection = $("#category_filter").val();
+                    $("#category_filter").empty();
+                    for (i=0; i < data.rows.length ; ++i) {
+                        let row = data.rows[i];
+                        let opt_val = $('<div/>').html(row.name).text();
+                        let bgcolor = row.color != "" ? row.color : '31708f;'; // set category color
+                        let option = $("<option/>").val(row.uuid).html(row.name);
+                        if (row.used > 0) {
+                            option.attr(
+                              'data-content',
+                              "<span>"+opt_val + "</span>"+
+                              "<span style='background:#"+bgcolor+";' class='badge pull-right'>" + row.used + "</span>"
+                            );
+                            option.attr('id', row.uuid);
+                        }
+
+                        $("#category_filter").append(option);
+                    }
+                    $("#category_filter").val(current_selection);
+                    $("#category_filter").selectpicker('refresh');
+                }
+            });
         });
 
         // open edit dialog when opened with a uuid reference
@@ -62,6 +97,11 @@
                 }
             });
         });
+        // move filter into action header
+        $("#type_filter_container").detach().prependTo('#grid-rules-header > .row > .actionBar > .actions');
+        $("#category_filter").change(function(){
+            $('#grid-rules').bootgrid('reload');
+        });
     });
 </script>
 
@@ -71,6 +111,13 @@
 </ul>
 <div class="tab-content content-box">
     <div id="rules" class="tab-pane fade in active">
+        <div class="hidden">
+            <!-- filter per type container -->
+            <div id="type_filter_container" class="btn-group">
+                <select id="category_filter"  data-title="{{ lang._('Categories') }}" class="selectpicker" data-live-search="true" data-size="5"  multiple data-width="200px">
+                </select>
+            </div>
+        </div>
         <!-- tab page "rules" -->
         <table id="grid-rules" class="table table-condensed table-hover table-striped" data-editDialog="DialogFilterRule" data-editAlert="FilterRuleChangeMessage">
             <thead>

From 32cf8b7b06dac20fafe6ec8cb1587a07d0078536 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Jan 2024 08:36:35 +0100
Subject: [PATCH 1707/3088] plugins: style sweep

---
 .../src/opnsense/scripts/ddclient/lib/account/domeneshop.py | 6 +++---
 .../library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php | 1 -
 2 files changed, 3 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
old mode 100644
new mode 100755
index 2448cd5092..3d51381c2a
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
@@ -54,7 +54,7 @@ def match(account):
     def execute(self):
         if super().execute():
             hostnames = self.settings.get('hostnames')
-            
+
             # DNS update request using the "IP update protocol"
             url = f'https://api.domeneshop.no/v0/dyndns/update?hostnames={hostnames}&myip={str(self.current_address)}'
             req_opts = {
@@ -64,8 +64,8 @@ def execute(self):
                     'User-Agent': 'OPNsense-dyndns'
                 }
             }
-            response = requests.get(**req_opts)            
-            
+            response = requests.get(**req_opts)
+
             # Parse response and update state and log
             if response.status_code is 204:
                 if self.is_verbose:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php
index 8943f1baa3..239e8ef89e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnsexit.php
@@ -42,6 +42,5 @@ public function prepare()
         $this->acme_env['DNSEXIT_AUTH_USER'] = (string)$this->config->dns_dnsexit_auth_user;
         $this->acme_env['DNSEXIT_AUTH_PASS'] = (string)$this->config->dns_dnsexit_auth_pass;
         $this->acme_env['DNSEXIT_API_KEY'] = (string)$this->config->dns_dnsexit_api;
-        
     }
 }

From ad9cdc3eabee172680d1bf4b05c9f97f40ba4b36 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Jan 2024 08:38:16 +0100
Subject: [PATCH 1708/3088] sysutils/smart: bump revision

---
 sysutils/smart/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 8a0c576f28..9a73a14739 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org

From cae5e22a8d51144b65a30f7ed51563e8ac61d033 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Jan 2024 08:40:24 +0100
Subject: [PATCH 1709/3088] net/wireguard: small feature fix

---
 net/wireguard/Makefile  | 3 +--
 net/wireguard/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index 032c929bf5..f2958e8ffa 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		2.6
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 0d5c694c16..c045449d1e 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -16,6 +16,10 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+2.6
+
+* Consider missing CARP VHID as disabled
+
 2.5
 
 * Fix error with empty tunnel address in instance (contributed by Monviech)

From 8431d9e61b056b23847e4e7af5608eed7432a27d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Jan 2024 08:42:37 +0100
Subject: [PATCH 1710/3088] security/etpro-telemetry: bump revision after
 change

---
 security/etpro-telemetry/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index f23b64f881..a9bf88a2ab 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From 4fe8e8731cd4aeac2652be85f4f8ef223f2a34f4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Jan 2024 10:30:12 +0100
Subject: [PATCH 1711/3088] security/tor: remove unused macro import

---
 security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
index 977761eb84..8e0e112404 100644
--- a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
+++ b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
@@ -1,4 +1,3 @@
-{% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 ##
 ## OPNsense autogenerated config file.
 ## Don't change it because your changes get lost.

From 1cd950f95ca31649a887288317d1e81692415940 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 2 Jan 2024 21:14:31 +0100
Subject: [PATCH 1712/3088] net/firewall - add "net_selector" in template for
 an easy alias/network selection or manual address input. for
 https://github.com/opnsense/core/issues/6383

---
 .../Firewall/Api/FilterBaseController.php     | 39 ++++++++++
 .../OPNsense/Firewall/forms/dialogNptRule.xml |  2 +
 .../app/views/OPNsense/Firewall/filter.volt   | 72 +++++++++++++++++++
 3 files changed, 113 insertions(+)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
index 3162d985f1..56cfeff770 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
@@ -30,6 +30,7 @@
 use OPNsense\Base\ApiMutableModelControllerBase;
 use OPNsense\Core\Backend;
 use OPNsense\Core\Config;
+use OPNsense\Firewall\Alias;
 use OPNsense\Firewall\Category;
 
 /**
@@ -79,6 +80,44 @@ public function listCategoriesAction()
         return $response;
     }
 
+    /**
+     * list of available network options
+     * @return array
+     */
+    public function listNetworkSelectOptionsAction()
+    {
+        $result = [
+            'single' => [
+                'label' => gettext("Single host or Network")
+            ],
+            'aliases' => [
+                'label' => gettext("Aliases"),
+                'items' => []
+            ],
+            'networks' => [
+                'label' => gettext("Networks"),
+                'items' => [
+                    'any' => gettext('any'),
+                    '(self)' => gettext("This Firewall")
+                ]
+            ]
+        ];
+        foreach ((Config::getInstance()->object())->interfaces->children() as $ifname => $ifdetail) {
+            $descr = htmlspecialchars(!empty($ifdetail->descr) ? $ifdetail->descr : strtoupper($ifname));
+            $result['networks']['items'][$ifname] = $descr . " " . gettext("net");
+            if (!isset($ifdetail->virtual)) {
+                $result['networks']['items'][$ifname . "ip"] = $descr . " " . gettext("address");
+            }
+        }
+        foreach ((new Alias())->aliases->alias->iterateItems() as $alias) {
+            if (strpos((string)$alias->type, "port") === false) {
+                $result['aliases']['items'][(string)$alias->name] = (string)$alias->name;
+            }
+        }
+
+        return $result;
+    }
+
 
     public function applyAction($rollback_revision = null)
     {
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
index abfe782dfd..fc9f7c66f3 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
@@ -18,11 +18,13 @@
     <field>
         <id>rule.source_net</id>
         <label>Source</label>
+        <style>net_selector</style>
         <type>text</type>
     </field>
     <field>
         <id>rule.destination_net</id>
         <label>Destination</label>
+        <style>net_selector</style>
         <type>text</type>
     </field>
     <field>
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index 34622514c9..d8caac9e64 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -102,6 +102,62 @@
         $("#category_filter").change(function(){
             $('#grid-rules').bootgrid('reload');
         });
+
+        // replace all "net" selectors with details retrieved from "list_network_select_options" endpoint
+        ajaxGet('/api/firewall/{{ruleController}}/list_network_select_options', [], function(data, status){
+            // fetch options
+            let options = [];
+            if (data.single) {
+                Object.keys(data).forEach((key, idx) => {
+                    if (data[key].items !== undefined) {
+                        let optgrp = $("<optgroup/>").attr('label', data[key].label);
+                        Object.keys(data[key].items).forEach((key2, idx2) => {
+                            let this_item = data[key].items[key2];
+                            optgrp.append($("<option/>").val(key2).text(this_item));
+                        });
+                        options.push(optgrp);
+                    } else {
+                        options.push($("<option/>").val('').text(data[key].label));
+                    }
+                });
+            }
+            if (options.length == 0) {
+                // unable to fetch options.
+                return;
+            }
+            $(".net_selector").each(function(){
+                let $items = $("#network_select").clone().show();
+                let $this_input = $items.find('input');
+                let $this_select = $items.find('select');
+                for (i=0; i < options.length; ++i) {
+                    $this_select.append(options[i].clone());
+                }
+                $this_select.attr('for', $(this).attr('id')).selectpicker();
+                $this_select.change(function(){
+                    let $value = $(this).val();
+                    if ($value !== '') {
+                        $this_input.val($value);
+                        $this_input.hide();
+                    } else {
+                        $this_input.show();
+                    }
+                });
+                $this_input.attr('id', $(this).attr('id'));
+                $this_input.change(function(){
+                    $this_select.val($(this).val());
+                    if ($this_select.val() === null || $this_select.val() == '') {
+                        $this_select.val('');
+                        $this_input.show();
+                    } else {
+                        $this_input.hide();
+                    }
+                    $this_select.selectpicker('refresh');
+                });
+                $this_input.show();
+                $(this).replaceWith($items);
+            });
+
+        });
     });
 </script>
 
@@ -169,4 +225,20 @@
     </div>
 </div>
 
+<div id="network_select" style="display: none;" >
+    <table style="max-width: 348px">
+        <tr>
+            <td>
+                <select data-live-search="true" data-size="5" data-width="348px">
+                </select>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <input style="display:none;" type="text"/>
+            </td>
+        </tr>
+    </table>
+</div>
+
 {{ partial("layout_partials/base_dialog",['fields':formDialogFilterRule,'id':'DialogFilterRule','label':lang._('Edit rule')])}}

From d1bbaf1b48f6a364e922483bf780586dd4bf421c Mon Sep 17 00:00:00 2001
From: lug-gh <lug@gecko.de>
Date: Wed, 3 Jan 2024 11:13:21 +0100
Subject: [PATCH 1713/3088] Update max value (#3742)

---
 .../controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index d8f0bfd3c6..ddeda0b173 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -56,7 +56,7 @@
         <id>certificate.renewInterval</id>
         <label>Renewal Interval</label>
         <type>text</type>
-        <help><![CDATA[Specifies the days to renew the cert. The max value is 60 days.]]></help>
+        <help><![CDATA[Specifies the days to renew the cert. The max value is 5000 days.]]></help>
     </field>
     <field>
         <label>Security Settings</label>

From dcf8e66a60e71ee20a80c0bd048f394393ad54f1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Jan 2024 13:59:22 +0100
Subject: [PATCH 1714/3088] net/firewall: bump revision for now, more tweaks
 needed

---
 net/firewall/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 08572205a6..6293ad1b5b 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2

From 5094348c8937e11f64f711e3aea89c83b74cf126 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Jan 2024 14:13:51 +0100
Subject: [PATCH 1715/3088] dns/bind: annotate fix

---
 dns/bind/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 2eb158b7e7..500ed4c02a 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 1.28
 
 * Add break-dnssec toggle when using filter-aaaa on IPv4/IPv6 clients (contributed by doktornotor)
+* Fix template error if there is no 'records' in config at all (contributed by kulikov-a)
 
 1.27
 

From 99a7d00643e5705cafce5af952603516c8892b6f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Jan 2024 14:18:35 +0100
Subject: [PATCH 1716/3088] dns/ddclient: new version

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index b01fe14d4d..4c2567f9f7 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.18
+PLUGIN_VERSION=		1.19
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 434055d291..f11405ea49 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.19
+
+* Add Porkbun support (contributed by briandur)
+* Add native service for Domeneshop (contributed by Bernhard Frenking)
+
 1.18
 
 * Update to ddclient 3.11.2 FreeBSD ports version

From b07f9ee7bf17e5dff0ebb078933f020f01b7b753 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Wed, 3 Jan 2024 15:52:46 +0100
Subject: [PATCH 1717/3088] net/frr - add "soft-reconfiguration inbound"
 neighbor option, should fix  https://github.com/opnsense/plugins/issues/3728
 (#3730)

---
 net/frr/Makefile                                            | 2 +-
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml         | 6 ++++++
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml | 6 +++++-
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 5 ++++-
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 7f76d6b8ab..2503cfe0a6 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.37
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index b00c504803..4a30acbe78 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -88,6 +88,12 @@
     <label>Route Reflector Client</label>
     <type>checkbox</type>
   </field>
+  <field>
+    <id>neighbor.soft_reconfiguration_inbound</id>
+    <label>Soft reconfiguration inbound</label>
+    <type>checkbox</type>
+    <help>This option allows changing policies without clearing the BGP session.</help>
+  </field>
   <field>
     <id>neighbor.bfd</id>
     <label>BFD</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index c84a709438..63f3059630 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bgp</mount>
     <description>BGP Routing configuration</description>
-    <version>1.0.7</version>
+    <version>1.0.8</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -115,6 +115,10 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </rrclient>
+                        <soft_reconfiguration_inbound type="BooleanField">
+                                <default>0</default>
+                                <Required>N</Required>
+                        </soft_reconfiguration_inbound>
                         <bfd type="BooleanField">
                                 <default>0</default>
                                 <Required>N</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 45ad88f64c..0592986bcf 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -110,7 +110,7 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
   network {{ network }}
 {%   endfor %}
 {%   for neighbor in neighbors[addressFamily] %}
- neighbor {{ neighbor.address }} activate
+  neighbor {{ neighbor.address }} activate
 {%     if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}
   neighbor {{ neighbor.address }} next-hop-self {% if 'nexthopselfall' in neighbor and neighbor.nexthopselfall == '1' %}all{%  endif %}
 
@@ -118,6 +118,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     if 'rrclient' in neighbor and neighbor.rrclient == '1' %}
   neighbor {{ neighbor.address }} route-reflector-client
 {%     endif %}
+{%     if  neighbor.soft_reconfiguration_inbound|default('0') == '1' %}
+  neighbor {{ neighbor.address }} soft-reconfiguration inbound
+{%     endif %}
 {%     if 'defaultoriginate' in neighbor and neighbor.defaultoriginate == '1' %}
   neighbor {{ neighbor.address }} default-originate
 {%     endif %}

From f6deef2617d3a1675d2f5dc9dff6b0ba6590ddbb Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 3 Jan 2024 20:59:47 +0100
Subject: [PATCH 1718/3088] net/firewall - NPTv6 work for
 https://github.com/opnsense/core/issues/6383 , rearange template.

---
 .../OPNsense/Firewall/Api/NptController.php   |  7 ++++++-
 .../OPNsense/Firewall/FilterController.php    | 11 ++++++++++
 .../OPNsense/Firewall/NptController.php       | 19 ++++++++++++++++++
 .../OPNsense/Firewall/SourceNatController.php | 11 ++++++++++
 .../OPNsense/Firewall/forms/dialogNptRule.xml |  6 ++----
 .../app/models/OPNsense/Firewall/Filter.php   | 20 +++++++++++++------
 .../app/models/OPNsense/Firewall/Filter.xml   | 18 +++++++++++++++--
 .../app/views/OPNsense/Firewall/filter.volt   | 14 +++++++++----
 8 files changed, 89 insertions(+), 17 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
index 61b1d5705e..1f8f4819e0 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
@@ -37,7 +37,12 @@ public function searchRuleAction()
         $filter_funct = function ($record) use ($category) {
             return empty($category) || array_intersect(explode(',', $record->categories), $category);
         };
-        return $this->searchBase("npt.rule", ['enabled', 'sequence', 'description'], "sequence", $filter_funct);
+        return $this->searchBase(
+            "npt.rule",
+            ['enabled', 'sequence', 'source_net', 'destination_net', 'description'],
+            "sequence",
+            $filter_funct
+        );
     }
 
     public function setRuleAction($uuid)
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
index 74c0479b3b..461f990a56 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
@@ -33,6 +33,17 @@ public function indexAction()
     {
         $this->view->pick('OPNsense/Firewall/filter');
         $this->view->ruleController = "filter";
+        $this->view->gridFields = [
+            [
+                'id' => 'enabled', 'formatter' => 'rowtoggle' ,'width' => '6em', 'heading' => gettext('Enabled')
+            ],
+            [
+                'id' => 'sequence','width' => '9em', 'heading' => gettext('Sequence')
+            ],
+            [
+                'id' => 'description', 'heading' => gettext('Description')
+            ]
+        ];
         $this->view->formDialogFilterRule = $this->getForm("dialogFilterRule");
     }
 }
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
index 07b1c7efda..50661eaae7 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
@@ -33,6 +33,25 @@ public function indexAction()
     {
         $this->view->pick('OPNsense/Firewall/filter');
         $this->view->ruleController = "npt";
+        $this->view->hideSavePointBtns = true;
+        $this->view->gridFields = [
+            [
+                'id' => 'enabled', 'formatter' => 'rowtoggle' ,'width' => '6em', 'heading' => gettext('Enabled')
+            ],
+            [
+                'id' => 'sequence','width' => '9em', 'heading' => gettext('Sequence')
+            ],
+            [
+                'id' => 'source_net', 'heading' => gettext('Internal IPv6 Prefix')
+            ],
+            [
+                'id' => 'destination_net', 'heading' => gettext('External IPv6 Prefix')
+            ],
+            [
+                'id' => 'description', 'heading' => gettext('Description')
+            ]
+        ];
+
         $this->view->formDialogFilterRule = $this->getForm("dialogNptRule");
     }
 }
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
index 5b5927a064..7bc2c632f5 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
@@ -33,6 +33,17 @@ public function indexAction()
     {
         $this->view->pick('OPNsense/Firewall/filter');
         $this->view->ruleController = "source_nat";
+        $this->view->gridFields = [
+            [
+                'id' => 'enabled', 'formatter' => 'rowtoggle' ,'width' => '6em', 'heading' => gettext('Enabled')
+            ],
+            [
+                'id' => 'sequence','width' => '9em', 'heading' => gettext('Sequence')
+            ],
+            [
+                'id' => 'description', 'heading' => gettext('Description')
+            ]
+        ];
         $this->view->formDialogFilterRule = $this->getForm("dialogSNatRule");
     }
 }
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
index fc9f7c66f3..051dc40613 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
@@ -17,14 +17,12 @@
     </field>
     <field>
         <id>rule.source_net</id>
-        <label>Source</label>
-        <style>net_selector</style>
+        <label>Internal IPv6 Prefix (source)</label>
         <type>text</type>
     </field>
     <field>
         <id>rule.destination_net</id>
-        <label>Destination</label>
-        <style>net_selector</style>
+        <label>External IPv6 Prefix (target)</label>
         <type>text</type>
     </field>
     <field>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index ed631c16aa..98edce4fd3 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -44,12 +44,7 @@ public function performValidation($validateFullModel = false)
         $messages = parent::performValidation($validateFullModel);
         foreach ([$this->rules->rule, $this->snatrules->rule] as $rules) {
             foreach ($rules->iterateItems() as $rule) {
-                // validate changed rules
-                $rule_changed = false;
-                foreach ($rule->iterateItems() as $field) {
-                    $rule_changed = $rule_changed ? $rule_changed : $field->isFieldChanged();
-                }
-                if ($validateFullModel || $rule_changed) {
+                if ($validateFullModel || $rule->isFieldChanged()) {
                     // port / protocol validation
                     if (!empty((string)$rule->source_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
                         $messages->appendMessage(new Message(
@@ -100,6 +95,19 @@ public function performValidation($validateFullModel = false)
                 }
             }
         }
+        foreach ($this->npt->rule->iterateItems() as $rule) {
+            if ($validateFullModel || $rule->isFieldChanged()) {
+                $src_is_addr = Util::isSubnet($rule->source_net) || Util::isIpAddress($rule->source_net);
+                $src_proto = strpos($rule->source_net, ':') === false ? "inet" : "inet6";
+                if ($src_is_addr && $src_proto != 'inet6') {
+                    $messages->appendMessage(new Message(
+                        gettext("You can not use IPv4 addresses in IPv6 rules."),
+                        $rule->source_net->__reference
+                    ));
+                }
+
+            }
+        }
         return $messages;
     }
 
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index ca30b9f982..e18a1caa71 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -219,15 +219,29 @@
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
+                <sequence type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>99999</MaximumValue>
+                    <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
+                    <Required>Y</Required>
+                    <Default>1</Default>
+                </sequence>
                 <interface type="InterfaceField">
                     <Required>Y</Required>
                     <Default>lan</Default>
                     <AllowDynamic>Y</AllowDynamic>
                 </interface>
-                <source_net type="NetworkAliasField">
+                <source_net type="NetworkField">
                     <Required>Y</Required>
+                    <AddressFamily>ipv6</AddressFamily>
+                    <NetMaskRequired>Y</NetMaskRequired>
+                    <WildcardEnabled>N</WildcardEnabled>
                 </source_net>
-                <destination_net type="NetworkAliasField"/>
+                <destination_net type="NetworkField">
+                    <AddressFamily>ipv6</AddressFamily>
+                    <NetMaskRequired>Y</NetMaskRequired>
+                    <WildcardEnabled>N</WildcardEnabled>
+                </destination_net>
                 <categories type="ModelRelationField">
                     <Model>
                         <rulesets>
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index d8caac9e64..717453fe91 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -179,9 +179,14 @@
             <thead>
                 <tr>
                     <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="sequence" data-type="string">{{ lang._('Sequence') }}</th>
-                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+{% for fieldlist in gridFields %}
+                    <th
+                        data-column-id="{{fieldlist['id']}}"
+                        data-width="{{fieldlist['width']|default('')}}"
+                        data-type="{{fieldlist['type']|default('string')}}"
+                        data-formatter="{{fieldlist['formatter']|default('')}}"
+                    >{{fieldlist['heading']|default('')}}</th>
+{% endfor %}
                     <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
             </thead>
@@ -208,7 +213,7 @@
                 data-error-title="{{ lang._('Filter load error') }}"
                 type="button"
         ></button>
-
+{% if not hideSavePointBtns|default(false) %}
         <div class="pull-right">
             <button class="btn" id="savepointAct"
                     data-endpoint='/api/firewall/{{ruleController}}/savepoint'
@@ -220,6 +225,7 @@
                 {{ lang._('Revert') }}
             </button>
         </div>
+{% endif %}
         <br/><br/>
     </div>
     </div>

From e1ce22a52003a83a96c36d53cb3c58f9144c8f67 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Jan 2024 08:20:23 +0100
Subject: [PATCH 1719/3088] Framework: allow phony `plist-fix' target for core
 compat

---
 Makefile      | 4 ++--
 Mk/plugins.mk | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 865656059a..d6aebe498c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2023 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2024 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -44,7 +44,7 @@ list:
 .endfor
 
 # shared targets that are sane to run from the root directory
-TARGETS=	clean lint revision style style-fix style-python sweep test
+TARGETS=	clean lint plist-fix revision style style-fix style-python sweep test
 
 .for TARGET in ${TARGETS}
 ${TARGET}:
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 3481c34de5..2b3b9cb7ce 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2023 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2024 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -377,6 +377,8 @@ lint-php: check
 
 lint: lint-desc lint-shell lint-xml lint-model lint-exec lint-php
 
+plist-fix:
+
 sweep: check
 	find ${.CURDIR}/src -type f -name "*.map" -print0 | \
 	    xargs -0 -n1 rm
@@ -439,4 +441,4 @@ test: check
 		    ${.CURDIR}/src/opnsense/mvc/tests; \
 	fi
 
-.PHONY:	check
+.PHONY:	check plist-fix

From e4ec51fd3521ea4a33888a294bcf605844325f39 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Jan 2024 08:20:50 +0100
Subject: [PATCH 1720/3088] LICENSE: sync

---
 LICENSE | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index 54c5ba4521..dd377bc74a 100644
--- a/LICENSE
+++ b/LICENSE
@@ -3,6 +3,7 @@ Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2021 Axelrtgs
+Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
@@ -19,7 +20,7 @@ Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
-Copyright (c) 2014-2023 Franco Fichtner <franco@opnsense.org>
+Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2023 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2023 Greg Glockner <greg@glockners.net>
@@ -30,6 +31,7 @@ Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis <jos@opnsense.org>
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019-2022 Juergen Kellerer
+Copyright (c) 2023 Liam Steckler <liam@liamsteckler.com>
 Copyright (c) 2020-2021 Manuel Faux
 Copyright (c) 2021 Manuel Hofmann
 Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
@@ -41,12 +43,14 @@ Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2012 mkirbst
+Copyright (c) 2023 mleinart
 Copyright (c) 2021 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2023 Oliver Hartl
 Copyright (c) 2022 Patrik Kernstock <patrik@kernstock.net>
 Copyright (c) 2022 Robbert Rijkse
+Copyright (c) 2023 sattamjh
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>

From e8a83cb4cda4a90805e18652711d5ec8afbd8991 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Jan 2024 08:50:42 +0100
Subject: [PATCH 1721/3088] net/firewall: style update

---
 .../src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php     | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 98edce4fd3..310a65a23a 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -105,7 +105,6 @@ public function performValidation($validateFullModel = false)
                         $rule->source_net->__reference
                     ));
                 }
-
             }
         }
         return $messages;

From 6143ea9bf709abb52eed422c1b7ff0a84fa673f7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Jan 2024 08:52:09 +0100
Subject: [PATCH 1722/3088] net-mgmt/nrpe: improve changelog

---
 net-mgmt/nrpe/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/nrpe/pkg-descr b/net-mgmt/nrpe/pkg-descr
index 787e80023b..4f74afccd5 100644
--- a/net-mgmt/nrpe/pkg-descr
+++ b/net-mgmt/nrpe/pkg-descr
@@ -13,4 +13,4 @@ Plugin Changelog:
 
 1.1
 
-* Make plugin compatbile with nrpe (v4)
+* Make plugin compatible with NRPE version 4

From ab8853c434d85563c6807437a36f59fd490b9eb9 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 4 Jan 2024 11:59:31 +0100
Subject: [PATCH 1723/3088] net/firewall - NPTv6 add track interface and
 validations for https://github.com/opnsense/core/issues/6383

---
 .../OPNsense/Firewall/Api/NptController.php    |  2 +-
 .../OPNsense/Firewall/NptController.php        |  3 +++
 .../OPNsense/Firewall/forms/dialogNptRule.xml  | 13 +++++++++++++
 .../app/models/OPNsense/Firewall/Filter.php    | 18 +++++++++++++-----
 .../app/models/OPNsense/Firewall/Filter.xml    |  6 ++++++
 5 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
index 1f8f4819e0..9b04139d2e 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
@@ -39,7 +39,7 @@ public function searchRuleAction()
         };
         return $this->searchBase(
             "npt.rule",
-            ['enabled', 'sequence', 'source_net', 'destination_net', 'description'],
+            ['enabled', 'sequence', 'source_net', 'destination_net', 'trackif', 'description'],
             "sequence",
             $filter_funct
         );
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
index 50661eaae7..0e69ca4fe3 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
@@ -47,6 +47,9 @@ public function indexAction()
             [
                 'id' => 'destination_net', 'heading' => gettext('External IPv6 Prefix')
             ],
+            [
+                'id' => 'trackif', 'heading' => gettext('Track if')
+            ],
             [
                 'id' => 'description', 'heading' => gettext('Description')
             ]
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
index 051dc40613..4c68b0e40b 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
@@ -10,6 +10,12 @@
         <label>Sequence</label>
         <type>text</type>
     </field>
+    <field>
+        <id>rule.log</id>
+        <label>Log</label>
+        <type>checkbox</type>
+        <help>Log packets that are handled by this rule</help>
+    </field>
     <field>
         <id>rule.interface</id>
         <label>Interface</label>
@@ -24,6 +30,13 @@
         <id>rule.destination_net</id>
         <label>External IPv6 Prefix (target)</label>
         <type>text</type>
+        <help>Enter the external IPv6 prefix for this network prefix translation. Leave empty to auto-detect the prefix address using the specified tracking interface instead. The prefix size specified for the internal prefix will also be applied to the external prefix.</help>
+    </field>
+    <field>
+        <id>rule.trackif</id>
+        <label>Track interface</label>
+        <type>dropdown</type>
+        <help>Use prefix defined on the selected interface instead of the interface this rule applies to when target prefix is not provided.</help>
     </field>
     <field>
         <id>rule.categories</id>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 310a65a23a..6ca0fd4e68 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -97,14 +97,22 @@ public function performValidation($validateFullModel = false)
         }
         foreach ($this->npt->rule->iterateItems() as $rule) {
             if ($validateFullModel || $rule->isFieldChanged()) {
-                $src_is_addr = Util::isSubnet($rule->source_net) || Util::isIpAddress($rule->source_net);
-                $src_proto = strpos($rule->source_net, ':') === false ? "inet" : "inet6";
-                if ($src_is_addr && $src_proto != 'inet6') {
+                if (!empty((string)$rule->destination_net) && !empty((string)$rule->trackif)) {
                     $messages->appendMessage(new Message(
-                        gettext("You can not use IPv4 addresses in IPv6 rules."),
-                        $rule->source_net->__reference
+                        gettext("A track interface is only allowed without an extrenal prefix."),
+                        $rule->trackif->__reference
                     ));
                 }
+                if (!empty((string)$rule->destination_net) && !empty((string)$rule->source_net)) {
+                    $dparts = explode('/', (string)$rule->destination_net);
+                    $sparts = explode('/', (string)$rule->source_net);
+                    if (count($dparts) == 2 && count($sparts) == 2 && $dparts[1] != $sparts[1]) {
+                        $messages->appendMessage(new Message(
+                            gettext("External subnet should match internal subnet."),
+                            $rule->destination_net->__reference
+                        ));
+                    }
+                }
             }
         }
         return $messages;
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index e18a1caa71..3e93bded07 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -219,6 +219,10 @@
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
+                <log type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </log>
                 <sequence type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>99999</MaximumValue>
@@ -242,6 +246,8 @@
                     <NetMaskRequired>Y</NetMaskRequired>
                     <WildcardEnabled>N</WildcardEnabled>
                 </destination_net>
+                <trackif type="InterfaceField">
+                </trackif>
                 <categories type="ModelRelationField">
                     <Model>
                         <rulesets>

From f7837735ede0fd4c377a8c18cefe550ccc32bea9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 6 Jan 2024 16:36:53 +0100
Subject: [PATCH 1724/3088] security/acme-client: use common function to run
 shell commands

---
 .../library/OPNsense/AcmeClient/LeAccount.php | 68 +++++--------------
 .../OPNsense/AcmeClient/LeAutomation/Base.php | 28 ++------
 .../OPNsense/AcmeClient/LeCertificate.php     | 63 ++++-------------
 .../library/OPNsense/AcmeClient/LeUtils.php   |  6 +-
 .../OPNsense/AcmeClient/LeValidation/Base.php | 33 +++------
 5 files changed, 49 insertions(+), 149 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 94a91008d7..1186dbccb5 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29,6 +29,7 @@
 namespace OPNsense\AcmeClient;
 
 use OPNsense\Core\Config;
+use OPNsense\AcmeClient\LeUtils;
 
 /**
  * Manage ACME CA accounts with acme.sh
@@ -104,40 +105,23 @@ public function generateKey()
                 return true;
             } else {
                 LeUtils::log_debug('generating a new account key for ' . (string)$this->config->name, $this->debug);
+
                 // Preparation to run acme client
-                $proc_env = $this->acme_env; // env variables for proc_open()
+                $proc_env = $this->acme_env; // add env variables
                 $proc_env['PATH'] = $this::ACME_ENV_PATH;
-                $proc_desc = array(  // descriptor array for proc_open()
-                    0 => array("pipe", "r"), // stdin
-                    1 => array("pipe", "w"), // stdout
-                    2 => array("pipe", "w")  // stderr
-                );
-                $proc_pipes = array();
-
-                // Run acme client to generate a account key
+
+                // Prepare acme.sh command to generate a account key
                 $acmecmd = '/usr/local/sbin/acme.sh '
                   . '--createAccountKey '
                   . implode(' ', $this->acme_args) . ' '
                   . LeUtils::execSafe('--accountkeylength %s', self::ACME_ACCOUNT_KEY_LENGTH) . ' '
                   . LeUtils::execSafe('--accountconf %s', $account_conf_file);
                 LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
-                $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
-
-                // Make sure the resource could be setup properly
-                if (is_resource($proc)) {
-                    // Close all pipes
-                    fclose($proc_pipes[0]);
-                    fclose($proc_pipes[1]);
-                    fclose($proc_pipes[2]);
-                    // Get exit code
-                    $result = proc_close($proc);
-                } else {
-                    LeUtils::log_error('unable to start acme client process');
-                    $this->setStatus(500);
-                    return false;
-                }
 
-                // Check exit code
+                // Run acme.sh command
+                $result = LeUtils::run_shell_command($acmecmd, $proc_env);
+
+                // Check acme.sh result
                 if ($result) {
                     LeUtils::log_error('failed to create a new account key for ' . (string)$this->config->name);
                     $this->setStatus(300);
@@ -220,38 +204,20 @@ public function register()
             }
 
             // Preparation to run acme client
-            $proc_env = $this->acme_env; // env variables for proc_open()
+            $proc_env = $this->acme_env; // add env variables
             $proc_env['PATH'] = $this::ACME_ENV_PATH;
-            $proc_desc = array(  // descriptor array for proc_open()
-                0 => array("pipe", "r"), // stdin
-                1 => array("pipe", "w"), // stdout
-                2 => array("pipe", "w")  // stderr
-            );
-            $proc_pipes = array();
-
-            // Run acme client
+
+            // Prepare acme.sh command to register an account
             $acmecmd = '/usr/local/sbin/acme.sh '
               . '--registeraccount '
               . implode(' ', $this->acme_args) . ' '
               . LeUtils::execSafe('--accountconf %s', $this->account_conf_file);
             LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
-            $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
-
-            // Make sure the resource could be setup properly
-            if (is_resource($proc)) {
-                // Close all pipes
-                fclose($proc_pipes[0]);
-                fclose($proc_pipes[1]);
-                fclose($proc_pipes[2]);
-                // Get exit code
-                $result = proc_close($proc);
-            } else {
-                LeUtils::log_error('unable to start acme client process');
-                $this->setStatus(500);
-                return false;
-            }
 
-            // Check validation result
+            // Run acme.sh command
+            $result = LeUtils::run_shell_command($acmecmd, $proc_env);
+
+            // Check acme.sh result
             if ($result) {
                 LeUtils::log_error('account registration failed for ' . $this->config->name);
                 $this->setStatus(400);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index 4f79aa4712..fc31195802 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
@@ -120,16 +120,10 @@ public function runAcme()
         LeUtils::log('running automation (acme.sh): ' . $this->config->name);
 
         // Preparation to run acme client
-        $proc_env = $this->acme_env; // env variables for proc_open()
+        $proc_env = $this->acme_env; // add env variables
         $proc_env['PATH'] = $this::ACME_ENV_PATH;
-        $proc_desc = array(  // descriptor array for proc_open()
-            0 => array("pipe", "r"), // stdin
-            1 => array("pipe", "w"), // stdout
-            2 => array("pipe", "w")  // stderr
-        );
-        $proc_pipes = array();
-
-        // Run acme client
+
+        // Prepare acme.sh command to run a deploy hook
         $acmecmd = self::ACME_CMD
           . ' '
           . '--deploy '
@@ -137,18 +131,8 @@ public function runAcme()
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
-        // Make sure the resource could be setup properly
-        if (is_resource($proc)) {
-            // Close all pipes
-            fclose($proc_pipes[0]);
-            fclose($proc_pipes[1]);
-            fclose($proc_pipes[2]);
-            // Get exit code
-            $result = proc_close($proc);
-        } else {
-            LeUtils::log_error('unable to start acme client process');
-            return false;
-        }
+        // Run acme.sh command
+        $result = LeUtils::run_shell_command($acmecmd, $proc_env);
 
         // acme.sh records the last used deploy hook and would automatically
         // use it on the next run. This information must be removed from the
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 06e406b579..bf16c5fb54 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -35,6 +35,7 @@
 use OPNsense\AcmeClient\LeAccount;
 use OPNsense\AcmeClient\LeAutomationFactory;
 use OPNsense\AcmeClient\LeValidationFactory;
+use OPNsense\AcmeClient\LeUtils;
 
 /**
  * Manage ACME certificates with acme.sh
@@ -474,37 +475,20 @@ public function remove()
         LeUtils::log('wiping certificate config: ' . (string)$this->config->name);
 
         // Preparation to run acme client
-        $proc_env = $this->acme_env; // env variables for proc_open()
+        $proc_env = $this->acme_env; // add env variables
         $proc_env['PATH'] = $this::ACME_ENV_PATH;
-        $proc_desc = array(  // descriptor array for proc_open()
-            0 => array("pipe", "r"), // stdin
-            1 => array("pipe", "w"), // stdout
-            2 => array("pipe", "w")  // stderr
-        );
-        $proc_pipes = array();
-
-        // Run acme client to remove certificate and related config
+
+        // Prepare acme.sh command to remove certificate and related config
         $acmecmd = '/usr/local/sbin/acme.sh '
           . '--remove '
           . implode(' ', $this->acme_args) . ' '
           . LeUtils::execSafe('--domain %s', (string)$this->config->name);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
-        $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
-
-        // Make sure the resource could be setup properly
-        if (is_resource($proc)) {
-            // Close all pipes
-            fclose($proc_pipes[0]);
-            fclose($proc_pipes[1]);
-            fclose($proc_pipes[2]);
-            // Get exit code
-            $result = proc_close($proc);
-        } else {
-            LeUtils::log_error('unable to start acme client process');
-            return false;
-        }
 
-        // Check exit code
+        // Run acme.sh command
+        $result = LeUtils::run_shell_command($acmecmd, $proc_env);
+
+        // Check acme.sh result
         if ($result) {
             LeUtils::log_error('error removing certificate ' . (string)$this->config->name);
             return false;
@@ -565,36 +549,19 @@ public function revoke()
         $account_conf_file = $account_conf_dir . '/account.conf';
 
         // Preparation to run acme client
-        $proc_env = $this->acme_env; // env variables for proc_open()
+        $proc_env = $this->acme_env; // add env variables
         $proc_env['PATH'] = $this::ACME_ENV_PATH;
-        $proc_desc = array(  // descriptor array for proc_open()
-            0 => array("pipe", "r"), // stdin
-            1 => array("pipe", "w"), // stdout
-            2 => array("pipe", "w")  // stderr
-        );
-        $proc_pipes = array();
-
-        // Run acme client to revoke certificate
+
+        // Prepare acme.sh command to revoke certificate
         $acmecmd = '/usr/local/sbin/acme.sh '
           . '--revoke '
           . implode(' ', $this->acme_args) . ' '
           . LeUtils::execSafe('--domain %s', (string)$this->config->name) . ' '
           . LeUtils::execSafe('--accountconf %s', $account_conf_file);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
-        $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
-
-        // Make sure the resource could be setup properly
-        if (is_resource($proc)) {
-            // Close all pipes
-            fclose($proc_pipes[0]);
-            fclose($proc_pipes[1]);
-            fclose($proc_pipes[2]);
-            // Get exit code
-            $result = proc_close($proc);
-        } else {
-            LeUtils::log_error('unable to start acme client process');
-            return false;
-        }
+
+        // Run acme.sh command
+        $result = LeUtils::run_shell_command($acmecmd, $proc_env);
 
         // Check exit code
         if ($result) {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index ab4d46c85b..f7c497c78c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2017-2020 Frank Wall
+ * Copyright (C) 2017-2024 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
@@ -200,11 +200,11 @@ public static function run_shell_command($proc_cmd, $proc_env = array())
             fclose($proc_pipes[2]);
             // Get exit code
             $result = proc_close($proc);
-            log_error(sprintf("AcmeClient: The shell command '%s' returned exit code '%d'", $proc_cmd, $result));
+            log_error(sprintf("AcmeClient: The shell command returned exit code '%d': '%s'", $result, $proc_cmd));
             return($result);
         } else {
             log_error(sprintf("AcmeClient: Unable to prepare shell command '%s'", $proc_cmd));
-            return false;
+            return(-999);
         }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index b516343d67..1af7c8dfe1 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
@@ -154,16 +154,10 @@ public function run(bool $renew = false)
         $account_conf_file = $account_conf_dir . '/account.conf';
 
         // Preparation to run acme client
-        $proc_env = $this->acme_env; // env variables for proc_open()
+        $proc_env = $this->acme_env; // add env variables
         $proc_env['PATH'] = $this::ACME_ENV_PATH;
-        $proc_desc = array(  // descriptor array for proc_open()
-            0 => array("pipe", "r"), // stdin
-            1 => array("pipe", "w"), // stdout
-            2 => array("pipe", "w")  // stderr
-        );
-        $proc_pipes = array();
-
-        // Run acme client
+
+        // Prepare acme.sh command
         // NOTE: We "export" certificates to our own directory, so we don't have to deal
         // with domain names in filesystem, but instead can use the ID of our certObj, which
         // will never change.
@@ -173,25 +167,14 @@ public function run(bool $renew = false)
           . implode(' ', $this->acme_args) . ' '
           . LeUtils::execSafe('--accountconf %s', $account_conf_file);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
-        $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
-
-        // Make sure the resource could be setup properly
-        if (is_resource($proc)) {
-            // Close all pipes
-            fclose($proc_pipes[0]);
-            fclose($proc_pipes[1]);
-            fclose($proc_pipes[2]);
-            // Get exit code
-            $result = proc_close($proc);
-        } else {
-            LeUtils::log_error('unable to start acme client process');
-            return false;
-        }
+
+        // Run acme.sh command
+        $result = LeUtils::run_shell_command($acmecmd, $proc_env);
 
         // Run optional cleanup tasks.
         $this->cleanup();
 
-        // Check validation result
+        // Check acme.sh result
         if ($result) {
             LeUtils::log_error('domain validation failed (' . $this->getMethod() . ')');
             return false;

From 9d8564c8554ea3299ea8884b8b243c675718827b Mon Sep 17 00:00:00 2001
From: Mathias Schneuwly <mathias@schneuwlys.ch>
Date: Sat, 6 Jan 2024 17:40:38 +0100
Subject: [PATCH 1725/3088] Add Digitalocean ddns support (#3748)

---
 .../mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml      | 1 +
 .../opnsense/service/templates/OPNsense/ddclient/ddclient.conf  | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 12aedb288a..f0e889a1c8 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -62,7 +62,7 @@
         <id>account.zone</id>
         <label>Zone</label>
         <type>text</type>
-        <style>optional_setting service_aws service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner</style>
+        <style>optional_setting service_aws service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner service_digitalocean</style>
         <help>Zone containing the host entry.</help>
     </field>
     <field>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index ea00f4a7fc..3416fdf40a 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -46,6 +46,7 @@
                         <changeip>Changeip</changeip>
                         <cloudflare>Cloudflare</cloudflare>
                         <cloudns>ClouDNS</cloudns>
+                        <digitalocean>Digitalocean</digitalocean>
                         <dinahosting>dinahosting</dinahosting>
                         <dnsmadeeasy>DNS Made Easy (digicert)</dnsmadeeasy>
                         <dns-o-matic>DNS-O-Matic</dns-o-matic>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index bed35365b9..333d478a83 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -36,7 +36,7 @@ use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t {{account.force_ss
 {%      if account.service == 'custom' %}
 protocol={{account.protocol}}, \
 server={{account.server}}, \
-{%      elif account.service == 'cloudflare' %}
+{%      elif account.service in ['cloudflare', 'digitalocean'] %}
 protocol={{account.service}}, \
 zone={{account.zone}}, \
 {%      elif account.service == 'cloudns' %}

From 580300c9b218e5810d7d9167c8aa2f17425e7145 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 7 Jan 2024 21:07:54 +0100
Subject: [PATCH 1726/3088] net/firewall: not for 24.1 anymore

---
 net/firewall/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index 6293ad1b5b..eec978a634 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -2,6 +2,7 @@ PLUGIN_NAME=		firewall
 PLUGIN_VERSION=		1.4
 PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Firewall API supplemental package
+PLUGIN_OBSOLETE=	yes
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 

From ff1ffbdf320ca54ab40d1689c5e366ae6eecb688 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 7 Jan 2024 21:08:46 +0100
Subject: [PATCH 1727/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5da2442d40..197bce5a2e 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ misc/theme-rebellion -- A suitably dark theme
 misc/theme-tukan -- The tukan theme - blue/white
 misc/theme-vicuna -- The vicuna theme - blue sapphire
 net/chrony -- Chrony time synchronisation
-net/firewall -- Firewall API supplemental package
+net/firewall -- Firewall API supplemental package (pending removal)
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
 net/ftp-proxy -- Control ftp-proxy processes

From 89c9255d38bd58ec10271d1bce8699b74fc2db98 Mon Sep 17 00:00:00 2001
From: Jonatan <jonatan@jsteuernagel.de>
Date: Mon, 8 Jan 2024 16:07:42 +0100
Subject: [PATCH 1728/3088] sysutils/node_exporter: Allow setting IPv6 address
 as Listen Address (#3707)

* Node Exporter: Allow setting IPv6 listenaddress

* Node Exporter: Change IntegerField to PortField

* Node Exporter: Increment version and add changelog
---
 sysutils/node_exporter/Makefile                      |  2 +-
 sysutils/node_exporter/pkg-descr                     |  4 ++++
 .../mvc/app/models/OPNsense/NodeExporter/General.xml | 12 +++++-------
 .../templates/OPNsense/NodeExporter/node_exporter    |  8 +++++++-
 4 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/sysutils/node_exporter/Makefile b/sysutils/node_exporter/Makefile
index 985de5c2e2..bb52769b48 100644
--- a/sysutils/node_exporter/Makefile
+++ b/sysutils/node_exporter/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		node_exporter
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Prometheus exporter for machine metrics
 PLUGIN_DEPENDS=		node_exporter
 PLUGIN_MAINTAINER=	jkegh@k123.eu
diff --git a/sysutils/node_exporter/pkg-descr b/sysutils/node_exporter/pkg-descr
index 16c736a183..862f318098 100644
--- a/sysutils/node_exporter/pkg-descr
+++ b/sysutils/node_exporter/pkg-descr
@@ -7,6 +7,10 @@ WWW: https://github.com/prometheus/node_exporter
 Changelog
 ---------
 
+1.2
+
+* Allow setting IPv6 addresses as ListenAddress
+
 1.1
 
 * Allow to toggle the "zfs" collector
diff --git a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
index c47915f10b..4f1d24539d 100644
--- a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
+++ b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
@@ -3,23 +3,21 @@
     <description>
         node_exporter - Prometheus exporter for hardware and OS metrics.
     </description>
-    <version>0.1.0</version>
+    <version>0.2.0</version>
     <items>
         <enabled type="BooleanField">
           <default>0</default>
           <Required>Y</Required>
         </enabled>
-        <listenaddress type="TextField">
+        <listenaddress type="NetworkField">
           <default>0.0.0.0</default>
           <Required>Y</Required>
-          <mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</mask>
-          <ValidationMessage>Please provide a valid IPv4 address.</ValidationMessage>
+          <NetMaskAllowed>N</NetMaskAllowed>
+          <ValidationMessage>Please provide a valid IP address.</ValidationMessage>
         </listenaddress>
-        <listenport type="IntegerField">
+        <listenport type="PortField">
           <default>9100</default>
           <Required>Y</Required>
-          <MinimumValue>1</MinimumValue>
-          <MaximumValue>65535</MaximumValue>
           <ValidationMessage>Please provide a valid port number between 1 and 65535. Port 9100 is the default.</ValidationMessage>
         </listenport>
         <cpu type="BooleanField">
diff --git a/sysutils/node_exporter/src/opnsense/service/templates/OPNsense/NodeExporter/node_exporter b/sysutils/node_exporter/src/opnsense/service/templates/OPNsense/NodeExporter/node_exporter
index a5d3b02fcc..e7ea96fbc6 100644
--- a/sysutils/node_exporter/src/opnsense/service/templates/OPNsense/NodeExporter/node_exporter
+++ b/sysutils/node_exporter/src/opnsense/service/templates/OPNsense/NodeExporter/node_exporter
@@ -46,8 +46,14 @@
     {%- set zfs = no_collector + "zfs " -%}
 {%- endif -%}
 
+{%- if ':' in OPNsense.NodeExporter.listenaddress -%}
+  {%- set listenaddress = '[' + OPNsense.NodeExporter.listenaddress + ']' -%}
+{%- else -%}
+  {%- set listenaddress = OPNsense.NodeExporter.listenaddress -%}
+{%- endif -%}
+
 node_exporter_args="{{ cpu }}{{ exec }}{{ filesystem }}{{ loadavg }}{{ meminfo }}{{ netdev }}{{ ntp }}{{ time }}{{ devstat }}{{ zfs }}"
-node_exporter_listen_address="{{ OPNsense.NodeExporter.listenaddress }}:{{ OPNsense.NodeExporter.listenport }}"
+node_exporter_listen_address="{{ listenaddress }}:{{ OPNsense.NodeExporter.listenport }}"
 node_exporter_enable="YES"
 
 {%- else -%}

From e6742e3169ff269120ca39abff7ea2758218312a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 6 Jan 2024 17:40:41 +0100
Subject: [PATCH 1729/3088] security/acme-client: fix command failure with
 gcloud, refs #3745

---
 security/acme-client/pkg-descr                        |  3 +++
 .../mvc/app/library/OPNsense/AcmeClient/LeUtils.php   | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 41b68f69d4..bfec3433cf 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,9 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+Fixed:
+* fix sporadic command failure with gcloud DNS API (#3745)
+
 3.20
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index f7c497c78c..cca7ce55ed 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -194,10 +194,19 @@ public static function run_shell_command($proc_cmd, $proc_env = array())
 
         // Make sure the resource could be setup properly
         if (is_resource($proc)) {
-            // Close all pipes
+            // This workaround ensures that the accurate return code
+            // is reliably returned.
             fclose($proc_pipes[0]);
+            $output = array();
+            while (!feof($proc_pipes[1])) {
+                $output[] = rtrim(fgets($proc_pipes[1], 1024), "\n");
+            }
             fclose($proc_pipes[1]);
+            while (!feof($proc_pipes[2])) {
+                $output[] = rtrim(fgets($proc_pipes[2], 1024), "\n");
+            }
             fclose($proc_pipes[2]);
+
             // Get exit code
             $result = proc_close($proc);
             log_error(sprintf("AcmeClient: The shell command returned exit code '%d': '%s'", $result, $proc_cmd));

From d92bb27d87dc2d0f1c441aa04651204ce37b37b7 Mon Sep 17 00:00:00 2001
From: Greg Glockner <greg@glockners.net>
Date: Tue, 9 Jan 2024 08:25:05 -0800
Subject: [PATCH 1730/3088] Fix crash on ACME automations (#3752)

---
 .../library/OPNsense/AcmeClient/LeCertificate.php    | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index bf16c5fb54..1776518535 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -598,10 +598,14 @@ public function runAutomations()
         foreach ($automations as $auto_uuid) {
             $autoFactory = new LeAutomationFactory();
             $automation = $autoFactory->getAutomation($auto_uuid);
-            $automation->init($this->getId(), (string)$this->config->name, (string)$this->config->account, $this->cert_ecc);
-            // Ignore invalid automations.
-            if ($automation->prepare()) {
-                $automation->run();
+            // Skip invalid automations.
+            if (!is_null($automation)) {
+                $automation->init($this->getId(), (string)$this->config->name, (string)$this->config->account, $this->cert_ecc);
+                if ($automation->prepare()) {
+                    $automation->run();
+                }
+            } else {
+                LeUtils::log_error("ignoring invalid automation: ${auto_uuid}");
             }
         }
 

From cfac344e4a6382936d0393e42c916cc615fe48f5 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Tue, 9 Jan 2024 19:33:44 +0300
Subject: [PATCH 1731/3088] dns/bind: check&preview primary zone, log to syslog
 with desired severity (#3708)

* dns/bind: check&preview primary zone, log to syslog with desired severity

and make grids responsive also

* ver bump

and remove foreign part from template

* Update dns/bind/src/etc/inc/plugins.inc.d/bind.inc

* Update dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml

* cleanup

-prettify js, actions naming, phalcon post payload handling.
-Error message if Check&Preview button clicked for disabled Zone
-dont show Copy button if not supported

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 dns/bind/Makefile                             |   3 +-
 dns/bind/pkg-descr                            |   5 +
 dns/bind/src/etc/inc/plugins.inc.d/bind.inc   |  13 +
 .../OPNsense/Bind/Api/GeneralController.php   |  23 +
 .../OPNsense/Bind/forms/general.xml           |   9 +-
 .../mvc/app/models/OPNsense/Bind/General.xml  |  16 +-
 .../mvc/app/views/OPNsense/Bind/general.volt  | 431 ++++++++++++------
 .../mvc/app/views/OPNsense/Bind/logs.volt     |  41 +-
 .../scripts/OPNsense/Bind/zoneCheck.sh        |  14 +
 .../scripts/OPNsense/Bind/zoneShow.py         |  27 ++
 .../service/conf/actions.d/actions_bind.conf  |  10 +
 .../templates/OPNsense/Bind/named.conf        |  15 +-
 .../OPNsense/Syslog/local/named.conf          |   6 +
 13 files changed, 438 insertions(+), 175 deletions(-)
 create mode 100644 dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneCheck.sh
 create mode 100644 dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneShow.py
 create mode 100644 dns/bind/src/opnsense/service/templates/OPNsense/Syslog/local/named.conf

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 8717b2f01d..773381a4c8 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.28
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.29
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 500ed4c02a..160e424f59 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -10,6 +10,11 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.29
+
+* Migrate General Log to Syslog
+* Add Check & Preview button to Primary Zones grid
+
 1.28
 
 * Add break-dnssec toggle when using filter-aaaa on IPv4/IPv6 clients (contributed by doktornotor)
diff --git a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
index 627e108083..e1d8b1b2cf 100644
--- a/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
+++ b/dns/bind/src/etc/inc/plugins.inc.d/bind.inc
@@ -99,3 +99,16 @@ function bind_configure_do($verbose)
 
     service_log("done.\n", $verbose);
 }
+
+/**
+ *  register syslog facilities
+ * @return array
+ */
+function bind_syslog()
+{
+    $syslogconf = [];
+
+    $syslogconf['bind'] = ['facility' => ['named']];
+
+    return $syslogconf;
+}
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php
index d712f7fde9..cbcb0e7c28 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php
@@ -31,9 +31,32 @@
 namespace OPNsense\Bind\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
 
 class GeneralController extends ApiMutableModelControllerBase
 {
     protected static $internalModelClass = '\OPNsense\Bind\General';
     protected static $internalModelName = 'general';
+
+    public function zonetestAction($zonename = null)
+    {
+        $response = "request error";
+        if ($this->request->hasPost("zone")) {
+            $zonename = $this->request->getPost("zone");
+            $backend = new Backend();
+            $response = trim($backend->configdpRun("bind zone check", [$zonename]));
+        }
+        return array("response" => $response);
+    }
+    
+    public function zoneshowAction($zonename = null)
+    {
+        $response = "request error";
+        if ($this->request->hasPost("zone")) {
+            $zonename = $this->request->getPost("zone");
+            $backend = new Backend();
+            $response = json_decode($backend->configdpRun("bind zone show", [$zonename]), true);
+        }
+        return $response;
+    }
 }
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 52929b3ef0..5be009dac0 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -93,7 +93,14 @@
         <id>general.logsize</id>
         <label>Logsize in MB</label>
         <type>text</type>
-        <help>Set the amount how big a logfile can growth.</help>
+        <help>Set the amount how big a logfile can growth. For Query and Blocked logs.</help>
+    </field>
+    <field>
+        <id>general.general_log_level</id>
+        <label>General Log level</label>
+        <style>selectpicker</style>
+        <type>dropdown</type>
+        <help>Select General Log level. Log levels are listed in the order of increasing verbosity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.</help>
     </field>
     <field>
         <id>general.maxcachesize</id>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 35e193df39..8ab42f3c62 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/general</mount>
     <description>BIND configuration</description>
-    <version>1.0.10</version>
+    <version>1.0.11</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -76,6 +76,20 @@
             <MaximumValue>1000</MaximumValue>
             <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
         </logsize>
+        <general_log_level type="OptionField">
+            <OptionValues>
+                <emerg value="emerg">Emergency</emerg>
+                <alert value="alert">Alert</alert>
+                <crit value="crit">Critical</crit>
+                <error value="error">Error</error>
+                <warn value="warn">Warning</warn>
+                <notice value="notice">Notice</notice>
+                <info value="info">Informational</info>
+                <debug value="debug">Debug</debug>
+            </OptionValues>
+            <Required>Y</Required>
+            <default>info</default>
+        </general_log_level>
         <maxcachesize type="IntegerField">
             <default>80</default>
             <Required>Y</Required>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index e29bc64346..0649c0eb2c 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -53,28 +53,30 @@
         </div>
     </div>
     <div id="acls" class="tab-pane fade in">
-        <table id="grid-acls" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="dialogEditBindAcl">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="networks" data-type="string" data-visible="true">{{ lang._('Networks') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td colspan="5"></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        <div id="acls-area" class="table-responsive">
+            <table id="grid-acls" class="table table-condensed table-hover table-striped" data-editDialog="dialogEditBindAcl">
+                <thead>
+                    <tr>
+                        <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                        <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
+                        <th data-column-id="networks" data-type="string" data-visible="true" data-css-class="long-str">{{ lang._('Networks') }}</th>
+                        <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                        <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    </tr>
+                </thead>
+                <tbody>
+                </tbody>
+                <tfoot>
+                    <tr>
+                        <td colspan="5"></td>
+                        <td>
+                            <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                            <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                        </td>
+                    </tr>
+                </tfoot>
+            </table>
+        </div>
         <div class="col-md-12">
             <hr />
             <button class="btn btn-primary" id="saveAct_acl" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_acl_progress"></i></button>
@@ -85,44 +87,46 @@
         <div class="col-md-12">
             <h2>{{ lang._('Zones') }}</h2>
         </div>
-        <table id="grid-primary-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindPrimaryDomain">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
-                    <th data-column-id="ttl" data-type="string" data-visible="true">{{ lang._('TTL') }}</th>
-                    <th data-column-id="refresh" data-type="string" data-visible="true">{{ lang._('Refresh') }}</th>
-                    <th data-column-id="retry" data-type="string" data-visible="true">{{ lang._('Retry') }}</th>
-                    <th data-column-id="expire" data-type="string" data-visible="true">{{ lang._('Expire') }}</th>
-                    <th data-column-id="negative" data-type="string" data-visible="true">{{ lang._('Negative TTL') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td colspan="5"></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        <div id="primary-domains-area" class="table-responsive">
+            <table id="grid-primary-domains" class="table table-condensed table-hover table-striped" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindPrimaryDomain">
+                <thead>
+                    <tr>
+                        <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                        <th data-column-id="domainname" data-type="string" data-visible="true" data-css-class="zonename">{{ lang._('Zone') }}</th>
+                        <th data-column-id="ttl" data-type="string" data-visible="true">{{ lang._('TTL') }}</th>
+                        <th data-column-id="refresh" data-type="string" data-visible="true">{{ lang._('Refresh') }}</th>
+                        <th data-column-id="retry" data-type="string" data-visible="true">{{ lang._('Retry') }}</th>
+                        <th data-column-id="expire" data-type="string" data-visible="true">{{ lang._('Expire') }}</th>
+                        <th data-column-id="negative" data-type="string" data-visible="true">{{ lang._('Negative TTL') }}</th>
+                        <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                        <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    </tr>
+                </thead>
+                <tbody>
+                </tbody>
+                <tfoot>
+                    <tr>
+                        <td colspan="5"></td>
+                        <td>
+                            <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        </td>
+                    </tr>
+                </tfoot>
+            </table>
+        </div>
         <hr/>
-        <div id="primary-record-area">
-            <div class="col-md-12">
-                <h2>{{ lang._('Records') }}</h2>
-            </div>
-            <table id="grid-primary-records" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindRecord">
+        <div class="col-md-12">
+            <h2>{{ lang._('Records') }}</h2>
+        </div>
+        <div id="primary-record-area" class="table-responsive">
+            <table id="grid-primary-records" class="table table-condensed table-hover table-striped" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindRecord">
                 <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                     <th data-column-id="domain" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
                     <th data-column-id="type" data-type="string" data-visible="true">{{ lang._('Type') }}</th>
-                    <th data-column-id="value" data-type="string" data-visible="true">{{ lang._('Value') }}</th>
+                    <th data-column-id="value" data-type="string" data-visible="true" data-css-class="long-str">{{ lang._('Value') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -153,27 +157,29 @@
         <div class="col-md-12">
             <h2>{{ lang._('Zones') }}</h2>
         </div>
-        <table id="grid-secondary-domains" class="table table-condensed table-hover table-striped table-responsive" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindSecondaryDomain">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
-                    <th data-column-id="primaryip" data-type="string" data-visible="true">{{ lang._('Primary IPs') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td colspan="5"></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        <div id="secondary-domains-area" class="table-responsive">
+            <table id="grid-secondary-domains" class="table table-condensed table-hover table-striped" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindSecondaryDomain">
+                <thead>
+                    <tr>
+                        <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                        <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
+                        <th data-column-id="primaryip" data-type="string" data-visible="true">{{ lang._('Primary IPs') }}</th>
+                        <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                        <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    </tr>
+                </thead>
+                <tbody>
+                </tbody>
+                <tfoot>
+                    <tr>
+                        <td colspan="5"></td>
+                        <td>
+                            <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        </td>
+                    </tr>
+                </tfoot>
+            </table>
+        </div>
         <hr/>
         <div class="col-md-12">
             <div id="ChangeMessage" class="alert alert-info" style="display: none" role="alert">
@@ -190,50 +196,217 @@
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindSecondaryDomain,'id':'dialogEditBindSecondaryDomain','label':lang._('Edit Secondary Zone')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindRecord,'id':'dialogEditBindRecord','label':lang._('Edit Record')])}}
 
+<style>
+    #zone-content {
+        overflow-x: auto;
+    }
+    #zone-table {
+        display: grid;
+        max-height: 400px;
+        overflow-y: auto;
+        white-space: pre-wrap;
+        word-break: break-word;
+        padding-right: 20px;
+    }
+    .l-number {
+        position: relative;
+        width: 1%;
+        min-width: 40px;
+        padding-right: 20px;
+        padding-left: 1px;
+        font-family: ui-monospace,monospace;
+        text-align: right;
+        white-space: nowrap;
+        vertical-align: top;
+        user-select: none;
+        filter: brightness(2.0);
+        filter: contrast(0.3);
+    }
+    .long-str {
+        word-break: break-word;
+    }
+    .copy-button {
+        display: none;
+    }
+</style>
 <script>
-$( document ).ready(function() {
-    let data_get_map = {'frm_general_settings':"/api/bind/general/get"};
-    mapDataToFormUI(data_get_map).done(function(data){
+function zone_test(zonename) {
+    let payload = {
+        'zone': zonename,
+    };
+    ajaxCall(url = "/api/bind/general/zonetest/", payload, callback = function(data, status) {
+        if (data['response'].indexOf('Zone check completed successfully') == -1) {
+            BootstrapDialog.show({
+                type: BootstrapDialog.TYPE_DANGER,
+                closeByBackdrop: false,
+                title: "{{ lang._('Primay zone check failed') }}",
+                message: data['response'],
+                buttons: [{
+                        label: "{{ lang._('Show zone content') }}",
+                        action: function(dlg) {
+                            $(this).closest(".modal-dialog").find("div.bootstrap-dialog-body").append('<div id="zone-wait">{{ lang._("Loading zone content..") }}<div>');
+                            zone_show(payload);
+                        },
+                    },
+                    {
+                        label: 'Ok',
+                        action: function(dlg) {
+                            dlg.close();
+                        },
+                    }
+                ]
+            });
+        } else {
+            BootstrapDialog.show({
+                type: BootstrapDialog.TYPE_INFO,
+                title: "{{ lang._('Zone check completed successfully') }}",
+                message: data['response'],
+                buttons: [{
+                        label: "{{ lang._('Show zone content') }}",
+                        action: function(dlg) {
+                            $(this).closest(".modal-dialog").find("div.bootstrap-dialog-body").append('<div id="zone-wait">{{ lang._("Loading zone content..") }}<div>');
+                            zone_show(payload);
+                        },
+                    },
+                    {
+                        label: 'Ok',
+                        action: function(dlg) {
+                            dlg.close();
+                        },
+                    }
+                ]
+            });
+        }
+    });
+}
+
+function zone_show(payload) {
+    ajaxCall(url = "/api/bind/general/zoneshow/", payload, callback = function(data, status) {
+        if (data['time'] && data['zone_content']) {
+            $("#zone-wait").remove();
+            let L = 0;
+            let content = [];
+            content.push('<tr><td class="l-number"></td><td class="conf-line">; zone file dump from ' + data['path'] + '</td></tr>');
+            content.push('<tr><td class="l-number"></td><td class="conf-line">; zone file created at ' + data['time'] + '</td></tr>');
+            $.each(data['zone_content'], function(index, line) {
+                L += 1;
+                content.push('<tr><td class="l-number">' + L.toString() + '</td><td class="conf-line">' + line + '</td></tr>');
+            });
+            BootstrapDialog.show({
+                type: BootstrapDialog.TYPE_INFO,
+                title: "{{ lang._('Zone loaded successfully') }}",
+                message: '<div id="zone-content"><table><tbody id="zone-table">' + content.join('') + '</tbody></table></div>',
+                onshown: function(dialogRef) {
+                    if ((typeof navigator.clipboard === 'object') && (typeof navigator.clipboard.writeText === 'function')) {
+                        $(".copy-button").show();
+                    }
+                },
+                buttons: [{
+                        label: '<i id="copy-progress" class="fa fa-spinner fa-pulse" style="display: none"></i> {{ lang._("Copy to clipboard") }}',
+                        cssClass: 'copy-button',
+                        action: function() {
+                            zone_copy();
+                        }
+                    },
+                    {
+                        label: 'Ok',
+                        action: function(dlg) {
+                            dlg.close();
+                        }
+                    }
+                ]
+            });
+        } else {
+            $("#zone-wait").text("{{ lang._('Empty response from the backend. Please check logs.') }}");
+        }
+    });
+}
+
+function zone_copy(dlg) {
+    $('#copy-progress').show();
+    let conf_to_clipboard = [];
+    $('.conf-line').each(function() {
+        conf_to_clipboard.push($(this).text())
+    });
+    navigator.clipboard.writeText(conf_to_clipboard.join('\n'));
+    setTimeout(() => {
+        $("#copy-progress").hide();
+    }, 1000);
+}
+
+$(document).ready(function() {
+    let data_get_map = {
+        'frm_general_settings': "/api/bind/general/get"
+    };
+    mapDataToFormUI(data_get_map).done(function(data) {
         formatTokenizersUI();
         $('.selectpicker').selectpicker('refresh');
     });
 
-    let data_get_map2 = {'frm_dnsbl_settings':"/api/bind/dnsbl/get"};
-    mapDataToFormUI(data_get_map2).done(function(data){
+    let data_get_map2 = {
+        'frm_dnsbl_settings': "/api/bind/dnsbl/get"
+    };
+    mapDataToFormUI(data_get_map2).done(function(data) {
         formatTokenizersUI();
         $('.selectpicker').selectpicker('refresh');
     });
 
     updateServiceControlUI('bind');
 
-    $("#grid-acls").UIBootgrid(
-        {   'search':'/api/bind/acl/searchAcl',
-            'get':'/api/bind/acl/getAcl/',
-            'set':'/api/bind/acl/setAcl/',
-            'add':'/api/bind/acl/addAcl/',
-            'del':'/api/bind/acl/delAcl/',
-            'toggle':'/api/bind/acl/toggleAcl/'
-        }
-    );
+    $("#grid-acls").UIBootgrid({
+        'search': '/api/bind/acl/searchAcl',
+        'get': '/api/bind/acl/getAcl/',
+        'set': '/api/bind/acl/setAcl/',
+        'add': '/api/bind/acl/addAcl/',
+        'del': '/api/bind/acl/delAcl/',
+        'toggle': '/api/bind/acl/toggleAcl/'
+    });
 
     $("#grid-primary-domains").UIBootgrid({
-        'search':'/api/bind/domain/searchPrimaryDomain',
-        'get':'/api/bind/domain/getDomain/',
-        'set':'/api/bind/domain/setDomain/',
-        'add':'/api/bind/domain/addPrimaryDomain/',
-        'del':'/api/bind/domain/delDomain/',
-        'toggle':'/api/bind/domain/toggleDomain/',
-        options:{
+        'search': '/api/bind/domain/searchPrimaryDomain',
+        'get': '/api/bind/domain/getDomain/',
+        'set': '/api/bind/domain/setDomain/',
+        'add': '/api/bind/domain/addPrimaryDomain/',
+        'del': '/api/bind/domain/delDomain/',
+        'toggle': '/api/bind/domain/toggleDomain/',
+        commands: {
+            'bind-checkzone': {
+                'title': "Check & preview",
+                'classname': "fa fa-fw fa-stethoscope  ",
+                'sequence': 300,
+            },
+        },
+        options: {
             selection: true,
             multiSelect: false,
             rowSelect: true,
-            rowCount: [3,7,14,20,50,100,-1]
+            rowCount: [3, 7, 14, 20, 50, 100, -1]
         }
     }).on("selected.rs.jquery.bootgrid", function(e, rows) {
         $("#grid-primary-records").bootgrid('reload');
     }).on("deselected.rs.jquery.bootgrid", function(e, rows) {
         $("#grid-primary-records").bootgrid('reload');
-    }).on("loaded.rs.jquery.bootgrid", function (e) {
+    }).on("loaded.rs.jquery.bootgrid", function(e) {
+        // Checkzone button
+        $("#grid-primary-domains").find(".command-bind-checkzone").off("click").on("click", function(ev) {
+            if (!$(this).closest("tr").hasClass("text-muted")) {
+                let zonename = $(this).closest('tr').find('td.zonename').text();
+                zone_test(zonename);
+            } else {
+                BootstrapDialog.show({
+                    type: BootstrapDialog.TYPE_DANGER,
+                    title: "{{ lang._('Error') }}",
+                    message: "{{ lang._('For zone Check and Show to work, the zone must be enabled and the configuration applied.') }}",
+                    buttons: [{
+                        label: 'Ok',
+                        action: function(dlg) {
+                            dlg.close();
+                        },
+                    }]
+                });
+            }
+        });
+
         let ids = $("#grid-primary-domains").bootgrid("getCurrentRows");
         if (ids.length > 0) {
             $("#grid-primary-domains").bootgrid('select', [ids[0].uuid]);
@@ -241,19 +414,19 @@ $( document ).ready(function() {
     });
 
     $("#grid-secondary-domains").UIBootgrid({
-        'search':'/api/bind/domain/searchSecondaryDomain',
-        'get':'/api/bind/domain/getDomain/',
-        'set':'/api/bind/domain/setDomain/',
-        'add':'/api/bind/domain/addSecondaryDomain/',
-        'del':'/api/bind/domain/delDomain/',
-        'toggle':'/api/bind/domain/toggleDomain/',
-        options:{
+        'search': '/api/bind/domain/searchSecondaryDomain',
+        'get': '/api/bind/domain/getDomain/',
+        'set': '/api/bind/domain/setDomain/',
+        'add': '/api/bind/domain/addSecondaryDomain/',
+        'del': '/api/bind/domain/delDomain/',
+        'toggle': '/api/bind/domain/toggleDomain/',
+        options: {
             selection: false,
             multiSelect: false,
             rowSelect: false,
-            rowCount: [7,14,20,50,100,-1]
+            rowCount: [7, 14, 20, 50, 100, -1]
         }
-    }).on("loaded.rs.jquery.bootgrid", function (e) {
+    }).on("loaded.rs.jquery.bootgrid", function(e) {
         let ids = $("#grid-secondary-domains").bootgrid("getCurrentRows");
         if (ids.length > 0) {
             $("#grid-secondary-domains").bootgrid('select', [ids[0].uuid]);
@@ -261,13 +434,13 @@ $( document ).ready(function() {
     });
 
     $("#grid-primary-records").UIBootgrid({
-        'search':'/api/bind/record/searchRecord',
-        'get':'/api/bind/record/getRecord/',
-        'set':'/api/bind/record/setRecord/',
-        'add':'/api/bind/record/addRecord/',
-        'del':'/api/bind/record/delRecord/',
-        'toggle':'/api/bind/record/toggleRecord/',
-        options:{
+        'search': '/api/bind/record/searchRecord',
+        'get': '/api/bind/record/getRecord/',
+        'set': '/api/bind/record/setRecord/',
+        'add': '/api/bind/record/addRecord/',
+        'del': '/api/bind/record/delRecord/',
+        'toggle': '/api/bind/record/toggleRecord/',
+        options: {
             useRequestHandlerOnGet: true,
             requestHandler: function(request) {
                 let ids = $("#grid-primary-domains").bootgrid("getSelectedRows");
@@ -287,21 +460,21 @@ $( document ).ready(function() {
         }
     });
 
-    $("#saveAct").click(function(){
-        saveFormToEndpoint(url="/api/bind/general/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/bind/service/reconfigure", sendData={}, callback=function(data,status) {
+    $("#saveAct").click(function() {
+        saveFormToEndpoint(url = "/api/bind/general/set", formid = 'frm_general_settings', callback_ok = function() {
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url = "/api/bind/service/reconfigure", sendData = {}, callback = function(data, status) {
                 updateServiceControlUI('bind');
                 $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
             });
         });
     });
 
-    $("#saveAct_dnsbl").click(function(){
-        saveFormToEndpoint(url="/api/bind/dnsbl/set", formid='frm_dnsbl_settings',callback_ok=function(){
-        $("#saveAct_dnsbl_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/bind/service/dnsbl", sendData={}, callback=function(data,status) {
-                ajaxCall(url="/api/bind/service/reconfigure", sendData={}, callback=function(data,status) {
+    $("#saveAct_dnsbl").click(function() {
+        saveFormToEndpoint(url = "/api/bind/dnsbl/set", formid = 'frm_dnsbl_settings', callback_ok = function() {
+            $("#saveAct_dnsbl_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url = "/api/bind/service/dnsbl", sendData = {}, callback = function(data, status) {
+                ajaxCall(url = "/api/bind/service/reconfigure", sendData = {}, callback = function(data, status) {
                     updateServiceControlUI('bind');
                     $("#saveAct_dnsbl_progress").removeClass("fa fa-spinner fa-pulse");
                 });
@@ -309,19 +482,19 @@ $( document ).ready(function() {
         });
     });
 
-    $("#saveAct_acl").click(function(){
-        saveFormToEndpoint(url="/api/bind/acl/set", formid='frm_general_settings',callback_ok=function(){
+    $("#saveAct_acl").click(function() {
+        saveFormToEndpoint(url = "/api/bind/acl/set", formid = 'frm_general_settings', callback_ok = function() {
             $("#saveAct_acl_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/bind/service/reconfigure", sendData={}, callback=function(data,status) {
+            ajaxCall(url = "/api/bind/service/reconfigure", sendData = {}, callback = function(data, status) {
                 updateServiceControlUI('bind');
                 $("#saveAct_acl_progress").removeClass("fa fa-spinner fa-pulse");
             });
         });
     });
 
-    $(".saveAct_domain").click(function(){
+    $(".saveAct_domain").click(function() {
         $(".saveAct_domain_progress").addClass("fa fa-spinner fa-pulse");
-        ajaxCall("/api/bind/service/reconfigure", {}, function(data,status) {
+        ajaxCall("/api/bind/service/reconfigure", {}, function(data, status) {
             updateServiceControlUI('bind');
             $(".saveAct_domain_progress").removeClass("fa fa-spinner fa-pulse");
         });
@@ -336,10 +509,10 @@ $( document ).ready(function() {
     });
 
     // update history on tab state and implement navigation
-    if(window.location.hash != "") {
+    if (window.location.hash != "") {
         $('a[href="' + window.location.hash + '"]').click()
     }
-    $('.nav-tabs a').on('shown.bs.tab', function (e) {
+    $('.nav-tabs a').on('shown.bs.tab', function(e) {
         history.pushState(null, null, e.target.hash);
     });
 });
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
index 33f0442152..e50125f615 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
@@ -27,16 +27,6 @@
 
 <script>
     $( document ).ready(function() {
-      // get entries from named/named.log
-      let grid_generallog = $("#grid-generallog").UIBootgrid({
-          options:{
-              sorting:false,
-              rowSelect: false,
-              selection: false,
-              rowCount:[20,50,100,200,500,1000,-1],
-          },
-          search:'/api/diagnostics/log/named/named'
-      });
 
       // get entries from named/query.log
       let grid_querylog = $("#grid-querylog").UIBootgrid({
@@ -60,19 +50,6 @@
           search:'/api/diagnostics/log/named/rpz'
       });
 
-      grid_generallog.on("loaded.rs.jquery.bootgrid", function(){
-          $(".action-page").click(function(event){
-              event.preventDefault();
-              $("#grid-generallog").bootgrid("search",  "");
-              let new_page = parseInt((parseInt($(this).data('row-id')) / $("#grid-log").bootgrid("getRowCount")))+1;
-              $("input.search-field").val("");
-              // XXX: a bit ugly, but clearing the filter triggers a load event.
-              setTimeout(function(){
-                  $("ul.pagination > li:last > a").data('page', new_page).click();
-              }, 100);
-          });
-      });
-
       grid_querylog.on("loaded.rs.jquery.bootgrid", function(){
           $(".action-page").click(function(event){
               event.preventDefault();
@@ -112,22 +89,7 @@
 <div class="content-box tab-content">
 
     <div id="generallog" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            <div  class="col-sm-12">
-                <table id="grid-generallog" class="table table-condensed table-hover table-striped table-responsive" data-store-selection="true">
-                    <thead>
-                    <tr>
-                        <th data-column-id="timestamp" data-width="15em" data-type="string">{{ lang._('Date') }}</th>
-                        <th data-column-id="process_name" data-width="9em" data-type="string">{{ lang._('Type') }}</th>
-                        <th data-column-id="severity" data-width="11em" data-type="string">{{ lang._('Level')}}</th>
-                        <th data-column-id="line" data-type="string">{{ lang._('Line') }}</th>
-                    </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                </table>
-            </div>
-        </div>
+        {{ partial("OPNsense/Diagnostics/log",['module':'core','scope':'named'])}}
     </div>
 
     <div id="querylog" class="tab-pane fade">
@@ -169,5 +131,4 @@
             </div>
         </div>
     </div>
-
 </div>
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneCheck.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneCheck.sh
new file mode 100644
index 0000000000..db3e85dac8
--- /dev/null
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneCheck.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+# check the primary zone file validity
+
+ZONENAME=${1}
+ZONEPATH="/usr/local/etc/namedb/primary/${ZONENAME}.db"
+if checkzone_errors=$(named-checkzone ${ZONENAME} ${ZONEPATH} 2>&1); then
+    echo "Zone check completed successfully"
+    echo "$checkzone_errors"
+else
+    echo "$checkzone_errors"
+fi
+
+exit 0
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneShow.py b/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneShow.py
new file mode 100644
index 0000000000..38af91d4df
--- /dev/null
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneShow.py
@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+
+# send primary zone file content to stdout
+
+import sys
+import os.path
+import glob
+import ujson
+
+zone_name = sys.argv[1]
+result = dict()
+zone_config = []
+zone_files_root = '/usr/local/etc/namedb/primary/'
+zone_file = zone_files_root + zone_name + '.db'
+
+def load_db_file(zone_file):
+    """ load db-file
+    """
+    for line in open(zone_file, 'r').read().split('\n'):
+        zone_config.append(line.rstrip())
+
+if os.path.isfile(zone_file):
+    result['path'] = zone_file
+    result['time'] = os.path.getmtime(zone_file)
+    load_db_file(zone_file)
+    result['zone_content'] = zone_config
+print(ujson.dumps(result))
diff --git a/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf b/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
index d4f93e2577..c3d4a47a5e 100644
--- a/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
+++ b/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
@@ -40,3 +40,13 @@ parameters:
 type:script
 message:fetching DNSBLs and restart
 description: Download BIND DNSBLs and restart
+
+[zone.check]
+command:/usr/local/opnsense/scripts/OPNsense/Bind/zoneCheck.sh
+parameters: %s
+type:script_output
+
+[zone.show]
+command:/usr/local/opnsense/scripts/OPNsense/Bind/zoneShow.py
+parameters: %s
+type:script_output
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index b92aaf6d50..d6cf8515c9 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -201,6 +201,14 @@ logging {
                 print-category yes;
         };
 
+        channel default_syslog {
+                print-time yes;
+                print-category yes;
+                print-severity yes;
+                syslog daemon;
+                severity {% if helpers.exists('OPNsense.bind.general.general_log_level') %}{{ OPNsense.bind.general.general_log_level }}{% else %}info{% endif %};
+        };
+
         channel query_log {
                 file "/var/log/named/query.log" versions 3 size {{ OPNsense.bind.general.logsize }}m;
                 print-time yes;
@@ -211,8 +219,11 @@ logging {
                 print-time yes;
         };
 
-        category default { default_log; };
-        category general { default_log; };
+        category default { default_syslog; };
+        category general { default_syslog; };
+        category config { default_syslog; };
+        category dispatch { default_syslog; };
+        category network { default_syslog; };
         category queries { query_log; };
         category rpz { rpz_log; };
         category lame-servers { null; };
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Syslog/local/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Syslog/local/named.conf
new file mode 100644
index 0000000000..d301237e4a
--- /dev/null
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Syslog/local/named.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [named].
+###################################################################
+filter f_local_named {
+    program("named");
+};

From 666a1877de66849048de56c8ab4cabeb4fd03110 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jan 2024 15:06:03 +0100
Subject: [PATCH 1732/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index dd377bc74a..f547fcf09b 100644
--- a/LICENSE
+++ b/LICENSE
@@ -21,7 +21,7 @@ Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
-Copyright (c) 2016-2023 Frank Wall
+Copyright (c) 2016-2024 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2023 Greg Glockner <greg@glockners.net>
 Copyright (c) 2016 IT-assistans Sverige AB

From 5418f6803891a0516ba39b38c811aac6889be5bd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jan 2024 16:24:21 +0100
Subject: [PATCH 1733/3088] dns/bind: style sweep

---
 .../mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php | 2 +-
 dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneCheck.sh        | 0
 dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneShow.py         | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneCheck.sh
 mode change 100644 => 100755 dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneShow.py

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php
index cbcb0e7c28..b0d385cfb0 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/GeneralController.php
@@ -48,7 +48,7 @@ public function zonetestAction($zonename = null)
         }
         return array("response" => $response);
     }
-    
+
     public function zoneshowAction($zonename = null)
     {
         $response = "request error";
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneCheck.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneCheck.sh
old mode 100644
new mode 100755
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneShow.py b/dns/bind/src/opnsense/scripts/OPNsense/Bind/zoneShow.py
old mode 100644
new mode 100755

From 96d83941cd9807b309f04d2445514b9ce4adac3e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jan 2024 16:24:48 +0100
Subject: [PATCH 1734/3088] www/squid: appears to be ready

---
 www/squid/Makefile  | 3 +--
 www/squid/pkg-descr | 7 +++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index c37bfef729..1a40fe8707 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		squid
-PLUGIN_VERSION=		1.0.d
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index b725ff7f67..ca3da4095d 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -1,3 +1,10 @@
 Squid is a fully-featured HTTP, HTTPS, FTP, etc. proxy offering rich access
 control, authorization and logging environment to develop web proxy and
 content serving applications.
+
+Plugin Changelog
+================
+
+1.0
+
+* Initial version based on the OPNsense 23.7.11 core code

From c637e59a9e02209845cc973e45b6c50e1889f485 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jan 2024 16:35:05 +0100
Subject: [PATCH 1735/3088] net/frr: add a changelog entry

---
 net/frr/Makefile  | 3 +--
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 2503cfe0a6..744d9dfebf 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.37
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.38
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 71f40d5151..a404283f78 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.38
+
+* Add "soft-reconfiguration inbound" neighbor option
+
 1.37
 
 * Add Adjacency Logging to OSPF

From 192b9fa1850dd7d4abd1d37f6dcae34b88a5f5d7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jan 2024 16:38:45 +0100
Subject: [PATCH 1736/3088] dns/ddclient: changelog

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 4c2567f9f7..b5c549e80b 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.19
+PLUGIN_VERSION=		1.20
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index f11405ea49..949d8042e6 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.20
+
+* Add Digitalocean support (contributed by Mathias Schneuwly)
+
 1.19
 
 * Add Porkbun support (contributed by briandur)

From 7f8612f80082549145eafd371084e7f6b48f286b Mon Sep 17 00:00:00 2001
From: Mihail <49451608+CreatorHRS@users.noreply.github.com>
Date: Thu, 11 Jan 2024 02:24:09 +0300
Subject: [PATCH 1737/3088] security/acme-client: Add nic API dns challenge
 type (#3684)

---
 .../AcmeClient/forms/dialogValidation.xml     | 27 ++++++++++-
 .../AcmeClient/LeValidation/DnsNic.php        | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 13 +++++
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNic.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 7df74ee392..c714ce8ed7 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1662,6 +1662,31 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>nic.ru</label>
+        <type>header</type>
+        <style>table_dns table_dns_nic</style>
+    </field>
+    <field>
+        <id>validation.dns_nic_username</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_nic_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>validation.dns_nic_client</id>
+        <label>ClientId</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_nic_secret</id>
+        <label>ClientSecret</label>
+        <type>password</type>
+    </field>
     <field>
         <label>World4You</label>
         <type>header</type>
@@ -1677,4 +1702,4 @@
         <label>Password</label>
         <type>password</type>
     </field>
-</form>
+</form>
\ No newline at end of file
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNic.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNic.php
new file mode 100644
index 0000000000..15ea83635c
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNic.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Mikhail Kharisov
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ namespace OPNsense\AcmeClient\LeValidation;
+
+ use OPNsense\AcmeClient\LeValidationInterface;
+ use OPNsense\Core\Config;
+
+ /**
+  * Nic DNS API
+  * @package OPNsense\AcmeClient
+  */
+ class DnsNic extends Base implements LeValidationInterface
+ {
+     public function prepare()
+     {
+         $this->acme_env['NIC_Username'] = (string)$this->config->dns_nic_username;
+         $this->acme_env['NIC_Password'] = (string)$this->config->dns_nic_password;
+         $this->acme_env['NIC_ClientID'] = (string)$this->config->dns_nic_client;
+         $this->acme_env['NIC_ClientSecret'] = (string)$this->config->dns_nic_secret;
+     }
+ }
\ No newline at end of file
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index ae10ea3e19..a174304f8f 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -488,6 +488,7 @@
                         <dns_namesilo>Namesilo.com</dns_namesilo>
                         <dns_nederhost>Nederhost</dns_nederhost>
                         <dns_netcup>netcup</dns_netcup>
+                        <dns_nic>nic.ru</dns_nic>
                         <dns_njalla>Njalla</dns_njalla>
                         <dns_nsone>NS1.com</dns_nsone>
                         <dns_nsupdate>nsupdate (RFC 2136)</dns_nsupdate>
@@ -1176,6 +1177,18 @@
                 <dns_regru_password type="TextField">
                     <Required>N</Required>
                 </dns_regru_password>
+                <dns_nic_username type="TextField">
+                    <Required>N</Required>
+                </dns_nic_username>
+                <dns_nic_password type="TextField">
+                    <Required>N</Required>
+                </dns_nic_password>
+                <dns_nic_client type="TextField">
+                    <Required>N</Required>
+                </dns_nic_client>
+                <dns_nic_secret type="TextField">
+                    <Required>N</Required>
+                </dns_nic_secret>
                 <dns_world4you_username type="TextField">
                     <Required>N</Required>
                 </dns_world4you_username>

From 7e73d5ab875e924695300e4fa3160af264f0616d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 6 Jan 2024 23:13:59 +0100
Subject: [PATCH 1738/3088] security/acme-client: add support for duplicate
 common names, fixes #3127

---
 security/acme-client/pkg-descr                |  10 ++
 .../library/OPNsense/AcmeClient/LeAccount.php |  33 ++++++
 .../OPNsense/AcmeClient/LeAutomation/Base.php |   1 +
 .../OPNsense/AcmeClient/LeCertificate.php     |   1 +
 .../library/OPNsense/AcmeClient/LeCommon.php  |   3 +-
 .../OPNsense/AcmeClient/LeValidation/Base.php |   1 +
 .../models/OPNsense/AcmeClient/AcmeClient.xml |   2 +-
 .../OPNsense/AcmeClient/Migrations/M1_6_0.php |   2 +-
 .../OPNsense/AcmeClient/Migrations/M4_0_0.php | 107 ++++++++++++++++++
 .../scripts/OPNsense/AcmeClient/setup.sh      |   4 +-
 10 files changed, 159 insertions(+), 5 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_0_0.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index bfec3433cf..a7435246c8 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,8 +8,18 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.0
+
+NOTE: This is a new major release with backwards-incompatible changes.
+Downgrade to older releases is not supported. Be sure to create a
+full backup and include /var/etc/acme-client.
+
+Changed:
+* use a dedicated acme.sh runtime directory for every cert (#3127)
+
 Fixed:
 * fix sporadic command failure with gcloud DNS API (#3745)
+* fix errors when the same Common Name is used multiple times (#3127)
 
 3.20
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 1186dbccb5..7ff90ceda9 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -224,6 +224,9 @@ public function register()
                 return false;
             }
 
+            // Fix account config
+            $this->fixConfig();
+
             // Update account status.
             LeUtils::log_error('account registration successful for ' . $this->config->name);
             $this->setStatus(200);
@@ -233,4 +236,34 @@ public function register()
 
         return true;
     }
+
+    /**
+     * Remove CERT_HOME property from account config,
+     * otherwise --cert-home will be ignored by acme.sh.
+     */
+    public function fixConfig()
+    {
+        $account_conf_dir = self::ACME_BASE_ACCOUNT_DIR . '/' . (string)$this->config->id . '_' . $this->ca_compat;
+        $account_conf_file = $account_conf_dir . '/account.conf';
+
+        if (is_dir($account_conf_dir)) {
+            if (is_file($account_conf_file)) {
+                // Parse config file and remove property
+                $account_conf = parse_ini_file($account_conf_file);
+                if (isset($account_conf['CERT_HOME'])) {
+                    unset($account_conf['CERT_HOME']);
+                }
+
+                // Convert array back to ini file format
+                $new_account_conf = array();
+                foreach ($account_conf as $key => $value) {
+                    $new_account_conf[] = "${key}='${value}'";
+                }
+
+                // Write changes back to file
+                file_put_contents($account_conf_file, implode("\n", $new_account_conf) . "\n");
+                chmod($account_conf_file, 0600);
+            }
+        }
+    }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index fc31195802..f85a23d14d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -71,6 +71,7 @@ public function init(string $certid, string $certname, string $accountuuid, bool
 
         // Store acme filenames
         $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = LeUtils::execSafe('--cert-home %s', sprintf(self::ACME_CERT_HOME_DIR, $this->cert_id));
         $this->acme_args[] = LeUtils::execSafe('--certpath %s', sprintf(self::ACME_CERT_FILE, $this->cert_id));
         $this->acme_args[] = LeUtils::execSafe('--keypath %s', sprintf(self::ACME_KEY_FILE, $this->cert_id));
         $this->acme_args[] = LeUtils::execSafe('--capath %s', sprintf(self::ACME_CHAIN_FILE, $this->cert_id));
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 1776518535..0b319d34b1 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -95,6 +95,7 @@ public function __construct(string $uuid, bool $force = false, bool $cron = fals
 
         // Store acme filenames
         $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = LeUtils::execSafe('--cert-home %s', sprintf(self::ACME_CERT_HOME_DIR, $this->config->id));
         $this->acme_args[] = LeUtils::execSafe('--certpath %s', $this->cert_file);
         $this->acme_args[] = LeUtils::execSafe('--keypath %s', $this->cert_key_file);
         $this->acme_args[] = LeUtils::execSafe('--capath %s', $this->cert_chain_file);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index bf278b7aae..f7237bfcc6 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -53,6 +53,7 @@ abstract class LeCommon
     // Filenames for certs, configs, ...
     public const ACME_CERT_DIR = '/var/etc/acme-client/certs/%s/';
     public const ACME_CERT_FILE = '/var/etc/acme-client/certs/%s/cert.pem';
+    public const ACME_CERT_HOME_DIR = '/var/etc/acme-client/cert-home/%s';
     public const ACME_CHAIN_FILE = '/var/etc/acme-client/certs/%s/chain.pem';
     public const ACME_CONFIG_DIR = '/var/etc/acme-client/configs/%s/';
     public const ACME_FULLCHAIN_FILE = '/var/etc/acme-client/certs/%s/fullchain.pem';
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 1af7c8dfe1..03e229f01c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -94,6 +94,7 @@ public function init(string $certid, string $accountuuid, bool $certecc = false)
 
         // Store acme filenames
         $this->acme_args[] = LeUtils::execSafe('--home %s', self::ACME_HOME_DIR);
+        $this->acme_args[] = LeUtils::execSafe('--cert-home %s', sprintf(self::ACME_CERT_HOME_DIR, $this->cert_id));
         $this->acme_args[] = LeUtils::execSafe('--certpath %s', sprintf(self::ACME_CERT_FILE, $this->cert_id));
         $this->acme_args[] = LeUtils::execSafe('--keypath %s', sprintf(self::ACME_KEY_FILE, $this->cert_id));
         $this->acme_args[] = LeUtils::execSafe('--capath %s', sprintf(self::ACME_CHAIN_FILE, $this->cert_id));
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index a174304f8f..b69d95fb3b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>3.5.0</version>
+    <version>4.0.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M1_6_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M1_6_0.php
index 22bb910018..f6982d2362 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M1_6_0.php
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M1_6_0.php
@@ -75,7 +75,7 @@ public function run($model)
                     }
 
                     // Write changes back to file
-                    file_put_contents($account_file, implode("\r\n", $new_account_conf) . "\n");
+                    file_put_contents($account_file, implode("\n", $new_account_conf) . "\n");
                     chmod($account_file, 0600);
 
                     // Finally, rename account directory
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_0_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_0_0.php
new file mode 100644
index 0000000000..2a776cbe96
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_0_0.php
@@ -0,0 +1,107 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M4_0_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        $acme_account_dir = '/var/etc/acme-client/accounts/';
+        $old_acme_home = '/var/etc/acme-client/home/';
+        $new_acme_home = '/var/etc/acme-client/cert-home/';
+
+        // Remove CERT_HOME property from all account configs
+        if (is_dir($acme_account_dir)) {
+            $account_files = glob($acme_account_dir . '*/account.conf');
+            foreach ($account_files as $account_file) {
+                if (is_file($account_file)) {
+                    // Parse config file and remove property
+                    $account_conf = parse_ini_file($account_file);
+                    if (isset($account_conf['CERT_HOME'])) {
+                        unset($account_conf['CERT_HOME']);
+                    }
+
+                    // Convert array back to ini file format
+                    $new_account_conf = array();
+                    foreach ($account_conf as $key => $value) {
+                        $new_account_conf[] = "${key}='${value}'";
+                    }
+
+                    // Write changes back to file
+                    file_put_contents($account_file, implode("\n", $new_account_conf) . "\n");
+                    chmod($account_file, 0600);
+                }
+            }
+        }
+
+        // Create new acme home directory
+        if (!is_dir($new_acme_home)) {
+            mkdir($new_acme_home, 0750);
+        }
+
+        // Migrate all certificates to new directory
+        // OLD: /var/etc/acme-client/home/opnsense.example.com
+        // NEW: /var/etc/acme-client/cert-home/659971be677b69.19708532/opnsense.example.com
+        foreach ($model->getNodeByReference('certificates.certificate')->iterateItems() as $cert) {
+            $cert_id = (string)$cert->id;
+            $cert_name = (string)$cert->name;
+
+            $old_cert_home = $old_acme_home . $cert_name;
+            $new_cert_home = $new_acme_home . $cert_id . '/' . $cert_name;
+            $old_cert_home_ecc = $old_acme_home . $cert_name . '_ecc';
+            $new_cert_home_ecc = $new_acme_home . $cert_id . '/' . $cert_name . '_ecc';
+            $_parent_dir = $new_acme_home . $cert_id;
+
+            // Check if cert home directory exists
+            // Certs that haven't been issued yet don't need to be migrated.
+            if (is_dir($old_cert_home)) {
+                // Create parent directory
+                if (!is_dir($_parent_dir)) {
+                    mkdir($_parent_dir, 0750);
+                }
+                // Rename cert home directory
+                rename($old_cert_home, $new_cert_home);
+            }
+
+            // Migrate ECC certs
+            if (is_dir($old_cert_home_ecc)) {
+                // Create parent directory
+                if (!is_dir($_parent_dir)) {
+                    mkdir($_parent_dir, 0750);
+                }
+                // Rename cert home directory
+                rename($old_cert_home_ecc, $new_cert_home_ecc);
+            }
+        }
+    }
+}
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
index fd9b734256..20a65224b4 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
@@ -1,9 +1,9 @@
 #!/bin/sh
 
 ACME_BASE="/var/etc/acme-client"
-ACME_DIRS="/var/etc/acme-client/certs /var/etc/acme-client/keys /var/etc/acme-client/configs /var/etc/acme-client/challenges /var/etc/acme-client/home"
+ACME_DIRS="/var/etc/acme-client/certs /var/etc/acme-client/keys /var/etc/acme-client/configs /var/etc/acme-client/challenges /var/etc/acme-client/home /var/etc/acme-client/cert-home"
 
-# Generate required directories and set owner/mode recursively.
+# Create required directories and set owner/mode recursively.
 for directory in ${ACME_DIRS}; do
     mkdir -p ${directory}
     chown -R root:wheel ${directory}

From 64f2f3f0827f7af901f8e6293b4fce072eb9b4e1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 9 Jan 2024 17:07:34 +0100
Subject: [PATCH 1739/3088] security/acme-client: fix shell processes getting
 stuck, refs #3745

This deals with the following issues that occured while performing
extensive testing:
- acme.sh processes got stuck forever
- PHP memory exhaustion
- PHP processes with high CPU usage
---
 .../mvc/app/library/OPNsense/AcmeClient/LeUtils.php  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index cca7ce55ed..abc57c4e58 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -197,14 +197,14 @@ public static function run_shell_command($proc_cmd, $proc_env = array())
             // This workaround ensures that the accurate return code
             // is reliably returned.
             fclose($proc_pipes[0]);
-            $output = array();
-            while (!feof($proc_pipes[1])) {
-                $output[] = rtrim(fgets($proc_pipes[1], 1024), "\n");
+            stream_set_blocking($proc_pipes[1], false);
+            stream_set_blocking($proc_pipes[2], false);
+            while (!feof($proc_pipes[1]) || !feof($proc_pipes[2])) {
+                $stdout = fread($proc_pipes[1], 1024);
+                $stderr = fread($proc_pipes[2], 1024);
+                usleep(50000);
             }
             fclose($proc_pipes[1]);
-            while (!feof($proc_pipes[2])) {
-                $output[] = rtrim(fgets($proc_pipes[2], 1024), "\n");
-            }
             fclose($proc_pipes[2]);
 
             // Get exit code

From cd327d04b21ad5cb64596afc5a1dc608d0f18fea Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 9 Jan 2024 17:28:49 +0100
Subject: [PATCH 1740/3088] security/acme-client: update changelog, refs #3752

---
 security/acme-client/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a7435246c8..3e7a9aefba 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -20,6 +20,7 @@ Changed:
 Fixed:
 * fix sporadic command failure with gcloud DNS API (#3745)
 * fix errors when the same Common Name is used multiple times (#3127)
+* fix crash on invalid automations (#3752)
 
 3.20
 

From 2ce4b5ca38ca85c80ac8c00f1d1fea96ed808407 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 10 Jan 2024 23:24:25 +0100
Subject: [PATCH 1741/3088] security/acme-client: add support for Aurora DNS
 API

---
 security/acme-client/pkg-descr                |  3 ++
 .../AcmeClient/forms/dialogValidation.xml     | 17 ++++++-
 .../AcmeClient/LeValidation/DnsAurora.php     | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAurora.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 3e7a9aefba..1696ab3f68 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,9 @@ NOTE: This is a new major release with backwards-incompatible changes.
 Downgrade to older releases is not supported. Be sure to create a
 full backup and include /var/etc/acme-client.
 
+Added:
+* add Aurora DNS API
+
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index c714ce8ed7..204ed2bf67 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1702,4 +1702,19 @@
         <label>Password</label>
         <type>password</type>
     </field>
-</form>
\ No newline at end of file
+    <field>
+        <label>Aurora (PCextreme/Versio)</label>
+        <type>header</type>
+        <style>table_dns table_dns_aurora</style>
+    </field>
+    <field>
+        <id>validation.dns_aurora_key</id>
+        <label>Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_aurora_secret</id>
+        <label>Secret</label>
+        <type>password</type>
+    </field>
+</form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAurora.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAurora.php
new file mode 100644
index 0000000000..64dd256228
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAurora.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Aurora API
+ * @package OPNsense\AcmeClient
+ */
+class DnsAurora extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['AURORA_Key'] = (string)$this->config->dns_aurora_key;
+        $this->acme_env['AURORA_Secret'] = (string)$this->config->dns_aurora_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b69d95fb3b..24770735a4 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -426,6 +426,7 @@
                         <dns_ali>aliyun.com</dns_ali>
                         <dns_kas>All-Inkl.com</dns_kas>
                         <dns_arvan>ArvanCloud</dns_arvan>
+                        <dns_aurora>Aurora (PCextreme/Versio)</dns_aurora>
                         <dns_autodns>AutoDNS (InterNetX)</dns_autodns>
                         <dns_aws>AWS Route 53</dns_aws>
                         <dns_azure>Azure DNS</dns_azure>
@@ -1195,6 +1196,12 @@
                 <dns_world4you_password type="TextField">
                     <Required>N</Required>
                 </dns_world4you_password>
+                <dns_aurora_key type="TextField">
+                    <Required>N</Required>
+                </dns_aurora_key>
+                <dns_aurora_secret type="TextField">
+                    <Required>N</Required>
+                </dns_aurora_secret>
             </validation>
         </validations>
         <actions>

From 2b8c1f667985a77b29805e518d91c1e4847409bb Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 10 Jan 2024 23:36:06 +0100
Subject: [PATCH 1742/3088] security/acme-client: add support for ConoHa DNS
 API

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 25 ++++++++++
 .../AcmeClient/LeValidation/DnsConoha.php     | 46 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 14 ++++++
 4 files changed, 86 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsConoha.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 1696ab3f68..c9429ff871 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -16,6 +16,7 @@ full backup and include /var/etc/acme-client.
 
 Added:
 * add Aurora DNS API
+* add ConoHa DNS API
 
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 204ed2bf67..7f6addf3dd 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1717,4 +1717,29 @@
         <label>Secret</label>
         <type>password</type>
     </field>
+    <field>
+        <label>ConoHa</label>
+        <type>header</type>
+        <style>table_dns table_dns_conoha</style>
+    </field>
+    <field>
+        <id>validation.dns_conoha_user</id>
+        <label>User</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_conoha_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>validation.dns_conoha_tenantid</id>
+        <label>Tenant ID</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_conoha_idapi</id>
+        <label>Identity Service API</label>
+        <type>text</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsConoha.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsConoha.php
new file mode 100644
index 0000000000..f1c46fc514
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsConoha.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * ConoHa API
+ * @package OPNsense\AcmeClient
+ */
+class DnsConoha extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['CONOHA_Username'] = (string)$this->config->dns_conoha_user;
+        $this->acme_env['CONOHA_Password'] = (string)$this->config->dns_conoha_password;
+        $this->acme_env['CONOHA_TenantId'] = (string)$this->config->dns_conoha_tenantid;
+        $this->acme_env['CONOHA_IdentityServiceApi'] = (string)$this->config->dns_conoha_idapi;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 24770735a4..82bad6b75f 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -435,6 +435,7 @@
                         <dns_cf>CloudFlare.com</dns_cf>
                         <dns_cx>CloudXNS.com</dns_cx>
                         <dns_cn>Core-Networks</dns_cn>
+                        <dns_conoha>ConoHa</dns_conoha>
                         <dns_cpanel>cPanel</dns_cpanel>
                         <dns_cyon>cyon.ch</dns_cyon>
                         <dns_ddnss>DDNSS</dns_ddnss>
@@ -1202,6 +1203,19 @@
                 <dns_aurora_secret type="TextField">
                     <Required>N</Required>
                 </dns_aurora_secret>
+                <dns_conoha_user type="TextField">
+                    <Required>N</Required>
+                </dns_conoha_user>
+                <dns_conoha_password type="TextField">
+                    <Required>N</Required>
+                </dns_conoha_password>
+                <dns_conoha_tenantid type="TextField">
+                    <Required>N</Required>
+                </dns_conoha_tenantid>
+                <dns_conoha_idapi type="TextField">
+                    <Required>N</Required>
+                    <default>https://identity.xxxx.conoha.io/v2.0</default>
+                </dns_conoha_idapi>
             </validation>
         </validations>
         <actions>

From 6db88d7ce0f07c473c617aa16b60e3b5122b7f3d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 10 Jan 2024 23:40:54 +0100
Subject: [PATCH 1743/3088] security/acme-client: add support for Constellix
 DNS API

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsConstellix.php | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsConstellix.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index c9429ff871..219c7a8e15 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -17,6 +17,7 @@ full backup and include /var/etc/acme-client.
 Added:
 * add Aurora DNS API
 * add ConoHa DNS API
+* add Constellix DNS API
 
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 7f6addf3dd..6babbccd54 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1742,4 +1742,19 @@
         <label>Identity Service API</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Constellix</label>
+        <type>header</type>
+        <style>table_dns table_dns_constellix</style>
+    </field>
+    <field>
+        <id>validation.dns_constellix_key</id>
+        <label>Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_constellix_secret</id>
+        <label>Secret</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsConstellix.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsConstellix.php
new file mode 100644
index 0000000000..6d6e536997
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsConstellix.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Constellix API
+ * @package OPNsense\AcmeClient
+ */
+class DnsConstellix extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['CONSTELLIX_Key'] = (string)$this->config->dns_constellix_key;
+        $this->acme_env['CONSTELLIX_Secret'] = (string)$this->config->dns_constellix_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 82bad6b75f..13c804c077 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -436,6 +436,7 @@
                         <dns_cx>CloudXNS.com</dns_cx>
                         <dns_cn>Core-Networks</dns_cn>
                         <dns_conoha>ConoHa</dns_conoha>
+                        <dns_constellix>Constellix</dns_constellix>
                         <dns_cpanel>cPanel</dns_cpanel>
                         <dns_cyon>cyon.ch</dns_cyon>
                         <dns_ddnss>DDNSS</dns_ddnss>
@@ -1216,6 +1217,12 @@
                     <Required>N</Required>
                     <default>https://identity.xxxx.conoha.io/v2.0</default>
                 </dns_conoha_idapi>
+                <dns_constellix_key type="TextField">
+                    <Required>N</Required>
+                </dns_constellix_key>
+                <dns_constellix_secret type="TextField">
+                    <Required>N</Required>
+                </dns_constellix_secret>
             </validation>
         </validations>
         <actions>

From 80206e3d6f2ef1b284869e0795b1ee2c08bb5a62 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 10 Jan 2024 23:45:58 +0100
Subject: [PATCH 1744/3088] security/acme-client: add support for Exoscale DNS
 API

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsExoscale.php   | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsExoscale.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 219c7a8e15..c4183c106b 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,6 +18,7 @@ Added:
 * add Aurora DNS API
 * add ConoHa DNS API
 * add Constellix DNS API
+* add Exoscale DNS API
 
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 6babbccd54..3ec67c0954 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1757,4 +1757,19 @@
         <label>Secret</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Exoscale</label>
+        <type>header</type>
+        <style>table_dns table_dns_exoscale</style>
+    </field>
+    <field>
+        <id>validation.dns_exoscale_key</id>
+        <label>API Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_exoscale_secret</id>
+        <label>Secret Key</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsExoscale.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsExoscale.php
new file mode 100644
index 0000000000..f3204e2164
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsExoscale.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Exoscale API
+ * @package OPNsense\AcmeClient
+ */
+class DnsExoscale extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['EXOSCALE_API_KEY'] = (string)$this->config->dns_exoscale_key;
+        $this->acme_env['EXOSCALE_SECRET_KEY'] = (string)$this->config->dns_exoscale_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 13c804c077..b4470c4658 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -458,6 +458,7 @@
                         <dns_dynv6>dynv6</dns_dynv6>
                         <dns_easydns>EasyDNS</dns_easydns>
                         <dns_euserv>EUserv</dns_euserv>
+                        <dns_exoscale>Exoscale</dns_exoscale>
                         <dns_freedns>FreeDNS</dns_freedns>
                         <dns_gandi_livedns>Gandi LiveDNS</dns_gandi_livedns>
                         <dns_gd>GoDaddy.com</dns_gd>
@@ -1223,6 +1224,12 @@
                 <dns_constellix_secret type="TextField">
                     <Required>N</Required>
                 </dns_constellix_secret>
+                <dns_exoscale_key type="TextField">
+                    <Required>N</Required>
+                </dns_exoscale_key>
+                <dns_exoscale_secret type="TextField">
+                    <Required>N</Required>
+                </dns_exoscale_secret>
             </validation>
         </validations>
         <actions>

From 8a4f7ac2fd0e0b470faa3464a6c68dff2691da26 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 10 Jan 2024 23:51:36 +0100
Subject: [PATCH 1745/3088] security/acme-client: add support for
 internetbs.net DNS API

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsInternetbs.php | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInternetbs.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index c4183c106b..0eb8aefa2a 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -19,6 +19,7 @@ Added:
 * add ConoHa DNS API
 * add Constellix DNS API
 * add Exoscale DNS API
+* add internetbs.net DNS API
 
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 3ec67c0954..321d5d8287 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1772,4 +1772,19 @@
         <label>Secret Key</label>
         <type>password</type>
     </field>
+    <field>
+        <label>internetbs.net</label>
+        <type>header</type>
+        <style>table_dns table_dns_internetbs</style>
+    </field>
+    <field>
+        <id>validation.dns_internetbs_key</id>
+        <label>API Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_internetbs_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInternetbs.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInternetbs.php
new file mode 100644
index 0000000000..3d9f40e80b
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInternetbs.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * internetbs.net API
+ * @package OPNsense\AcmeClient
+ */
+class DnsInternetbs extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['INTERNETBS_API_KEY'] = (string)$this->config->dns_internetbs_key;
+        $this->acme_env['INTERNETBS_API_PASSWORD'] = (string)$this->config->dns_internetbs_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b4470c4658..4327f6d392 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -471,6 +471,7 @@
                         <dns_he>Hurricane Electric</dns_he>
                         <dns_infoblox>Infoblox</dns_infoblox>
                         <dns_infomaniak>Infomaniak</dns_infomaniak>
+                        <dns_internetbs>internetbs.net</dns_internetbs>
                         <dns_inwx>INWX XMLRPC</dns_inwx>
                         <dns_ionos>IONOS domain</dns_ionos>
                         <dns_ipv64>IPv64.net</dns_ipv64>
@@ -1230,6 +1231,12 @@
                 <dns_exoscale_secret type="TextField">
                     <Required>N</Required>
                 </dns_exoscale_secret>
+                <dns_internetbs_key type="TextField">
+                    <Required>N</Required>
+                </dns_internetbs_key>
+                <dns_internetbs_password type="TextField">
+                    <Required>N</Required>
+                </dns_internetbs_password>
             </validation>
         </validations>
         <actions>

From b76b978fe7c78b1ee2adcb2dd0a7b33fd754ad7d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 10 Jan 2024 23:59:24 +0100
Subject: [PATCH 1746/3088] security/acme-client: add support for PointHQ DNS
 API

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsPointhq.php    | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPointhq.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 0eb8aefa2a..c3d32cbdb3 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -20,6 +20,7 @@ Added:
 * add Constellix DNS API
 * add Exoscale DNS API
 * add internetbs.net DNS API
+* add PointHQ DNS API
 
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 321d5d8287..dbebb23543 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1787,4 +1787,19 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>PointHQ</label>
+        <type>header</type>
+        <style>table_dns table_dns_pointhq</style>
+    </field>
+    <field>
+        <id>validation.dns_pointhq_key</id>
+        <label>API Key</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>validation.dns_pointhq_email</id>
+        <label>E-Mail</label>
+        <type>text</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPointhq.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPointhq.php
new file mode 100644
index 0000000000..6abc9deb98
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsPointhq.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * PointHQ API
+ * @package OPNsense\AcmeClient
+ */
+class DnsPointhq extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['PointHQ_Key'] = (string)$this->config->dns_pointhq_key;
+        $this->acme_env['exportPointHQ_Email'] = (string)$this->config->dns_pointhq_email;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 4327f6d392..02b2b894fa 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -502,6 +502,7 @@
                         <dns_ovh>OVH, kimsufi, soyoustart and runabove</dns_ovh>
                         <dns_pdns>PowerDNS.com</dns_pdns>
                         <dns_pleskxml>Plesk</dns_pleskxml>
+                        <dns_pointhq>PointHQ</dns_pointhq>
                         <dns_porkbun>Porkbun</dns_porkbun>
                         <dns_regru>RegRu</dns_regru>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
@@ -1237,6 +1238,12 @@
                 <dns_internetbs_password type="TextField">
                     <Required>N</Required>
                 </dns_internetbs_password>
+                <dns_pointhq_key type="TextField">
+                    <Required>N</Required>
+                </dns_pointhq_key>
+                <dns_pointhq_email type="TextField">
+                    <Required>N</Required>
+                </dns_pointhq_email>
             </validation>
         </validations>
         <actions>

From 0da8174c36e6eea277cc1a6820a3962feaf33186 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 11 Jan 2024 00:03:17 +0100
Subject: [PATCH 1747/3088] security/acme-client: add support for Rackspace DNS
 API

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsRackspace.php  | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRackspace.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index c3d32cbdb3..4e952cc420 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -21,6 +21,7 @@ Added:
 * add Exoscale DNS API
 * add internetbs.net DNS API
 * add PointHQ DNS API
+* add Rackspace DNS API
 
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index dbebb23543..0b33d093b1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1802,4 +1802,19 @@
         <label>E-Mail</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Rackspace</label>
+        <type>header</type>
+        <style>table_dns table_dns_rackspace</style>
+    </field>
+    <field>
+        <id>validation.dns_rackspace_user</id>
+        <label>Username</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_rackspace_key</id>
+        <label>API Key</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRackspace.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRackspace.php
new file mode 100644
index 0000000000..1b4c1e6a1b
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRackspace.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Rackspace API
+ * @package OPNsense\AcmeClient
+ */
+class DnsRackspace extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['RACKSPACE_Username'] = (string)$this->config->dns_rackspace_user;
+        $this->acme_env['RACKSPACE_Apikey'] = (string)$this->config->dns_rackspace_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 02b2b894fa..a168bb8246 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -504,6 +504,7 @@
                         <dns_pleskxml>Plesk</dns_pleskxml>
                         <dns_pointhq>PointHQ</dns_pointhq>
                         <dns_porkbun>Porkbun</dns_porkbun>
+                        <dns_rackspace>Rackspace</dns_rackspace>
                         <dns_regru>RegRu</dns_regru>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
                         <dns_selectel>selectel.com / selectel.ru</dns_selectel>
@@ -1244,6 +1245,12 @@
                 <dns_pointhq_email type="TextField">
                     <Required>N</Required>
                 </dns_pointhq_email>
+                <dns_rackspace_user type="TextField">
+                    <Required>N</Required>
+                </dns_rackspace_user>
+                <dns_rackspace_key type="TextField">
+                    <Required>N</Required>
+                </dns_rackspace_key>
             </validation>
         </validations>
         <actions>

From 225173a56297c7d05b1b474df56c8a4480bcb192 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 11 Jan 2024 00:07:02 +0100
Subject: [PATCH 1748/3088] security/acme-client: add support for rage4 DNS API

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsRage4.php      | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRage4.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 4e952cc420..a1e577a1f3 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -22,6 +22,7 @@ Added:
 * add internetbs.net DNS API
 * add PointHQ DNS API
 * add Rackspace DNS API
+* add rage4 DNS API
 
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 0b33d093b1..4fd1fd5d41 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1817,4 +1817,19 @@
         <label>API Key</label>
         <type>password</type>
     </field>
+    <field>
+        <label>rage4</label>
+        <type>header</type>
+        <style>table_dns table_dns_rage4</style>
+    </field>
+    <field>
+        <id>validation.dns_rage4_user</id>
+        <label>Username</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_rage4_token</id>
+        <label>Token</label>
+        <type>password</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRage4.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRage4.php
new file mode 100644
index 0000000000..86e598a72f
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsRage4.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * rage4 API
+ * @package OPNsense\AcmeClient
+ */
+class DnsRage4 extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['RAGE4_TOKEN'] = (string)$this->config->dns_rage4_user;
+        $this->acme_env['RAGE4_USERNAME'] = (string)$this->config->dns_rage4_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index a168bb8246..bc0a32b0a0 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -505,6 +505,7 @@
                         <dns_pointhq>PointHQ</dns_pointhq>
                         <dns_porkbun>Porkbun</dns_porkbun>
                         <dns_rackspace>Rackspace</dns_rackspace>
+                        <dns_rage4>rage4</dns_rage4>
                         <dns_regru>RegRu</dns_regru>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
                         <dns_selectel>selectel.com / selectel.ru</dns_selectel>
@@ -1251,6 +1252,12 @@
                 <dns_rackspace_key type="TextField">
                     <Required>N</Required>
                 </dns_rackspace_key>
+                <dns_rage4_token type="TextField">
+                    <Required>N</Required>
+                </dns_rage4_token>
+                <dns_rage4_user type="TextField">
+                    <Required>N</Required>
+                </dns_rage4_user>
             </validation>
         </validations>
         <actions>

From a99bfebb71bfd6bbc976d7dd63dd00f984aa0df2 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 11 Jan 2024 00:29:44 +0100
Subject: [PATCH 1749/3088] security/acme-client: update changelog, refs #3684

---
 security/acme-client/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a1e577a1f3..d943ce1d03 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,7 @@ Downgrade to older releases is not supported. Be sure to create a
 full backup and include /var/etc/acme-client.
 
 Added:
+* add nic.ru DNS API (#3684)
 * add Aurora DNS API
 * add ConoHa DNS API
 * add Constellix DNS API

From d4b94cfdb53be4f655d00f8d5ac6bf3654c0888d Mon Sep 17 00:00:00 2001
From: Hasan UCAK <hasan@sunnyvalley.io>
Date: Fri, 12 Jan 2024 16:28:34 +0300
Subject: [PATCH 1750/3088] =?UTF-8?q?SunnyValley.php=20under=20src/script/?=
 =?UTF-8?q?firmware/repos=20folder.=20This=20folder's=E2=80=A6=20(#3758)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../scripts/firmware/repos/SunnyValley.php    | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100755 vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php

diff --git a/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php b/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php
new file mode 100755
index 0000000000..9866efbc56
--- /dev/null
+++ b/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php
@@ -0,0 +1,42 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2024 Hasan Ucak <hasan@sunnyvalley.io>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once 'util.inc';
+
+$conf = '/usr/local/etc/pkg/repos/SunnyValley.conf';
+$uuidPattern = '/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/';
+
+if (file_exists($conf . '.shadow') && file_exists('/usr/local/zenarmor/bin/eastpect')) {
+    $node_uuid = shell_safe('/usr/local/zenarmor/bin/eastpect -s');
+    if ($node_uuid != '') {
+        $fileContents = file_get_contents($conf . '.shadow');
+        $fileContents = str_replace('/latest"', '/' . $node_uuid . '"', $fileContents);
+        file_put_contents($conf, $fileContents);
+    }
+}

From 993a69436a8f99967ac0f29001eac36c9535366e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 12 Jan 2024 15:31:09 +0100
Subject: [PATCH 1751/3088] vendor/sunnyvalley: simplify previous, make sure to
 rewrite

We do want to rewrite the plain file even if the binary is not
found.  Same behaviour as with the other repo scripts.
---
 .../scripts/firmware/repos/SunnyValley.php    | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php b/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php
index 9866efbc56..badc4f46be 100755
--- a/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php
+++ b/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php
@@ -30,13 +30,18 @@
 require_once 'util.inc';
 
 $conf = '/usr/local/etc/pkg/repos/SunnyValley.conf';
-$uuidPattern = '/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/';
 
-if (file_exists($conf . '.shadow') && file_exists('/usr/local/zenarmor/bin/eastpect')) {
-    $node_uuid = shell_safe('/usr/local/zenarmor/bin/eastpect -s');
-    if ($node_uuid != '') {
-        $fileContents = file_get_contents($conf . '.shadow');
-        $fileContents = str_replace('/latest"', '/' . $node_uuid . '"', $fileContents);
-        file_put_contents($conf, $fileContents);
+if (!file_exists($conf . '.shadow')) {
+    exit(0);
+}
+
+$fileContents = file_get_contents($conf . '.shadow');
+
+if (file_exists('/usr/local/zenarmor/bin/eastpect')) {
+    $uuid = shell_safe('/usr/local/zenarmor/bin/eastpect -s');
+    if ($uuid != '') {
+        $fileContents = str_replace('/latest"', '/' . $uuid . '"', $fileContents);
     }
 }
+
+file_put_contents($conf, $fileContents);

From dd16cdbb9ec9c23a76d74c79817e6030cc00fd8f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 12 Jan 2024 15:35:53 +0100
Subject: [PATCH 1752/3088] vendor/sunnyvalley: update for new version

---
 vendor/sunnyvalley/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 21e844e8e7..c243deef0a 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		sunnyvalley
-PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
 PLUGIN_WWW=		https://www.zenarmor.com

From 439e82f8ac555b1ba8cd07621fa01b822c008079 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 12 Jan 2024 15:36:15 +0100
Subject: [PATCH 1753/3088] LICENSE: sync

---
 LICENSE | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/LICENSE b/LICENSE
index f547fcf09b..581d813349 100644
--- a/LICENSE
+++ b/LICENSE
@@ -24,6 +24,7 @@ Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2024 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2023 Greg Glockner <greg@glockners.net>
+Copyright (c) 2024 Hasan Ucak <hasan@sunnyvalley.io>
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021-2023 Jan Winkler
 Copyright (c) 2023 Jeremy Gutierrez
@@ -42,6 +43,7 @@ Copyright (c) 2022 Markus Reiter <me@reitermark.us>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2023 Mikhail Kharisov
 Copyright (c) 2012 mkirbst
 Copyright (c) 2023 mleinart
 Copyright (c) 2021 Nicola Pellegrini

From f55eea120fa6b28e1d840111757d2e9433a1474a Mon Sep 17 00:00:00 2001
From: PeterF <peter@peter-francis.org>
Date: Mon, 15 Jan 2024 13:12:23 +0000
Subject: [PATCH 1754/3088] Update DynDNS.xml to provide access to Mythic
 Beasts dynamic dns service via their API V2 (#3762)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml       | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 3416fdf40a..63b6eca8d5 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -69,6 +69,7 @@
                         <inwx>INWX</inwx>
                         <keysystems>Key-Systems</keysystems>
                         <loopia>Loopia</loopia>
+                        <mythicdyn>Mythic Beasts</mythicdyn>
                         <namecheap>NameCheap</namecheap>
                         <nfsn>NearlyFreeSpeech.net</nfsn>
                         <njalla>Njalla</njalla>

From c81fb304bbe187363c567226f52481eb841ac047 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Jan 2024 17:00:56 +0100
Subject: [PATCH 1755/3088] dns/ddclient: update release

---
 dns/ddclient/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 949d8042e6..4de70f3866 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.20
 
 * Add Digitalocean support (contributed by Mathias Schneuwly)
+* Add Mythin Beasts support (contributed by PeterF)
 
 1.19
 

From 3d4673df1f0651cc21ec2c014847b81851ee3e98 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Jan 2024 09:07:37 +0100
Subject: [PATCH 1756/3088] net/firewall: adjust the code almost as bundled in
 core

One point of contention in releasing this is how npt rules
will be added from the old layout to the new if new rules
have already been added.
---
 net/firewall/Makefile                         |  3 +-
 .../OPNsense/Firewall/FilterController.php    |  1 +
 .../OPNsense/Firewall/NptController.php       |  1 -
 .../OPNsense/Firewall/SourceNatController.php |  1 +
 .../app/models/OPNsense/Firewall/ACL/ACL.xml  | 11 ++++-
 .../Firewall/FieldTypes/FilterRuleField.php   | 42 +++++++++----------
 .../FieldTypes/SourceNatRuleField.php         | 42 +++++++++----------
 .../app/models/OPNsense/Firewall/Filter.php   | 35 ++++++++++++----
 .../app/models/OPNsense/Firewall/Filter.xml   | 11 +----
 .../models/OPNsense/Firewall/Menu/Menu.xml    |  4 +-
 .../app/views/OPNsense/Firewall/filter.volt   |  2 +-
 11 files changed, 84 insertions(+), 69 deletions(-)

diff --git a/net/firewall/Makefile b/net/firewall/Makefile
index eec978a634..4b2543eaa6 100644
--- a/net/firewall/Makefile
+++ b/net/firewall/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Firewall API supplemental package
 PLUGIN_OBSOLETE=	yes
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
index 461f990a56..e558fe813e 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
@@ -32,6 +32,7 @@ class FilterController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->pick('OPNsense/Firewall/filter');
+        $this->view->SavePointBtns = true;
         $this->view->ruleController = "filter";
         $this->view->gridFields = [
             [
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
index 0e69ca4fe3..d701a8003d 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
@@ -33,7 +33,6 @@ public function indexAction()
     {
         $this->view->pick('OPNsense/Firewall/filter');
         $this->view->ruleController = "npt";
-        $this->view->hideSavePointBtns = true;
         $this->view->gridFields = [
             [
                 'id' => 'enabled', 'formatter' => 'rowtoggle' ,'width' => '6em', 'heading' => gettext('Enabled')
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
index 7bc2c632f5..9e24cc700d 100644
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
+++ b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
@@ -32,6 +32,7 @@ class SourceNatController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->pick('OPNsense/Firewall/filter');
+        $this->view->SavePointBtns = true;
         $this->view->ruleController = "source_nat";
         $this->view->gridFields = [
             [
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
index 070ce99e95..c8a66f358c 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
@@ -1,16 +1,23 @@
 <acl>
     <page-filter-api>
-        <name>Firewall: Rules: API</name>
+        <name>Firewall: Automation: Filter</name>
         <patterns>
             <pattern>ui/firewall/filter/*</pattern>
             <pattern>api/firewall/filter/*</pattern>
         </patterns>
     </page-filter-api>
     <page-filter-snat-api>
-        <name>Firewall: SourceNat: API</name>
+        <name>Firewall: Automation: Source NAT</name>
         <patterns>
             <pattern>ui/firewall/source_nat/*</pattern>
             <pattern>api/firewall/source_nat/*</pattern>
         </patterns>
     </page-filter-snat-api>
+    <page-firewall-nat-npt>
+        <name>Firewall: Automation: NPTv6</name>
+        <patterns>
+            <pattern>ui/firewall/npt/*</pattern>
+            <pattern>api/firewall/npt/*</pattern>
+        </patterns>
+    </page-firewall-nat-npt>
 </acl>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
index 70996125ed..a3c69c53ca 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2020 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Firewall\FieldTypes;
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
index de1e1ad91f..b26c5d6022 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2020 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Firewall\FieldTypes;
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
index 6ca0fd4e68..03978bc450 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -40,6 +40,8 @@ class Filter extends BaseModel
      */
     public function performValidation($validateFullModel = false)
     {
+        $config = Config::getInstance()->object();
+
         // standard model validations
         $messages = parent::performValidation($validateFullModel);
         foreach ([$this->rules->rule, $this->snatrules->rule] as $rules) {
@@ -95,18 +97,35 @@ public function performValidation($validateFullModel = false)
                 }
             }
         }
+
         foreach ($this->npt->rule->iterateItems() as $rule) {
             if ($validateFullModel || $rule->isFieldChanged()) {
-                if (!empty((string)$rule->destination_net) && !empty((string)$rule->trackif)) {
-                    $messages->appendMessage(new Message(
-                        gettext("A track interface is only allowed without an extrenal prefix."),
-                        $rule->trackif->__reference
-                    ));
+                if (!empty((string)$rule->trackif)) {
+                    if (!empty((string)$rule->destination_net)) {
+                        $messages->appendMessage(new Message(
+                            gettext('A track interface is only allowed without an external prefix.'),
+                            $rule->trackif->__reference
+                        ));
+                    }
+
+                    if (
+                        (empty($config->interfaces->{$rule->interface}->ipaddrv6) ||
+                        $config->interfaces->{$rule->interface}->ipaddrv6 != 'dhcp6') ||
+                        empty($config->interfaces->{$rule->trackif}->{'track6-interface'}) ||
+                        $config->interfaces->{$rule->trackif}->{'track6-interface'} != (string)$rule->interface
+                    ) {
+                        $messages->appendMessage(new Message(
+                            gettext('This interface is not tracking the current rule interface.'),
+                            $rule->trackif->__reference
+                        ));
+                    }
                 }
+
                 if (!empty((string)$rule->destination_net) && !empty((string)$rule->source_net)) {
-                    $dparts = explode('/', (string)$rule->destination_net);
-                    $sparts = explode('/', (string)$rule->source_net);
-                    if (count($dparts) == 2 && count($sparts) == 2 && $dparts[1] != $sparts[1]) {
+                    /* defaults to /128 */
+                    $dparts = explode('/', (string)$rule->destination_net . '/128');
+                    $sparts = explode('/', (string)$rule->source_net . '/128');
+                    if ($dparts[1] != $sparts[1]) {
                         $messages->appendMessage(new Message(
                             gettext("External subnet should match internal subnet."),
                             $rule->destination_net->__reference
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
index 3e93bded07..dc7399beb9 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -33,7 +33,6 @@
                     <Required>Y</Required>
                 </quick>
                 <interface type="InterfaceField">
-                    <Required>N</Required>
                     <Multiple>Y</Multiple>
                     <AllowDynamic>Y</AllowDynamic>
                 </interface>
@@ -67,7 +66,6 @@
                     <Required>Y</Required>
                 </source_not>
                 <source_port type="PortField">
-                    <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
                     <EnableAlias>Y</EnableAlias>
@@ -83,14 +81,12 @@
                     <Required>Y</Required>
                 </destination_not>
                 <destination_port type="PortField">
-                    <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
                     <EnableAlias>Y</EnableAlias>
                     <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
                 </destination_port>
                 <gateway type="JsonKeyValueStoreField">
-                    <Required>N</Required>
                     <ConfigdPopulateAct>interface gateways list</ConfigdPopulateAct>
                     <SourceFile>/tmp/gateway_list.json</SourceFile>
                     <ConfigdPopulateTTL>20</ConfigdPopulateTTL>
@@ -161,7 +157,6 @@
                     <Required>Y</Required>
                 </source_not>
                 <source_port type="PortField">
-                    <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
                     <EnableAlias>Y</EnableAlias>
@@ -176,7 +171,6 @@
                     <Required>Y</Required>
                 </destination_not>
                 <destination_port type="PortField">
-                    <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
                     <EnableAlias>Y</EnableAlias>
@@ -187,7 +181,6 @@
                     <Required>Y</Required>
                 </target>
                 <target_port type="PortField">
-                    <Required>N</Required>
                     <EnableWellKnown>Y</EnableWellKnown>
                     <EnableRanges>Y</EnableRanges>
                 </target_port>
@@ -238,12 +231,12 @@
                 <source_net type="NetworkField">
                     <Required>Y</Required>
                     <AddressFamily>ipv6</AddressFamily>
-                    <NetMaskRequired>Y</NetMaskRequired>
+                    <NetMaskRequired>N</NetMaskRequired>
                     <WildcardEnabled>N</WildcardEnabled>
                 </source_net>
                 <destination_net type="NetworkField">
                     <AddressFamily>ipv6</AddressFamily>
-                    <NetMaskRequired>Y</NetMaskRequired>
+                    <NetMaskRequired>N</NetMaskRequired>
                     <WildcardEnabled>N</WildcardEnabled>
                 </destination_net>
                 <trackif type="InterfaceField">
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
index 476e1f38b8..455d065463 100644
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
+++ b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
@@ -1,13 +1,13 @@
 <menu>
     <Firewall>
-        <Automation order="1000" cssClass="fa fa-gear">
+        <Automation cssClass="fa fa-gear">
             <Filter order="50" url="/ui/firewall/filter/">
                 <FilterRef url="/ui/firewall/filter#*" visibility="hidden"/>
             </Filter>
             <SourceNat order="100" VisibleName="Source NAT" url="/ui/firewall/source_nat/">
                 <FilterRef url="/ui/firewall/source_nat#*" visibility="hidden"/>
             </SourceNat>
-            <Npt order="100" VisibleName="NPTv6" url="/ui/firewall/npt/">
+            <Npt order="150" VisibleName="NPTv6" url="/ui/firewall/npt/">
                 <FilterRef url="/ui/firewall/npt#*" visibility="hidden"/>
             </Npt>
         </Automation>
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
index 717453fe91..1b3abb3972 100644
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
@@ -213,7 +213,7 @@
                 data-error-title="{{ lang._('Filter load error') }}"
                 type="button"
         ></button>
-{% if not hideSavePointBtns|default(false) %}
+{% if SavePointBtns is defined %}
         <div class="pull-right">
             <button class="btn" id="savepointAct"
                     data-endpoint='/api/firewall/{{ruleController}}/savepoint'

From 48cf401fa6a558df830a0fdb723c2a0b0510f58f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Jan 2024 15:35:57 +0100
Subject: [PATCH 1757/3088] vendor/sunnyvalley: fix typo

---
 vendor/sunnyvalley/Makefile                                   | 1 +
 .../src/opnsense/scripts/firmware/repos/SunnyValley.php       | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index c243deef0a..494123197f 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.4
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
 PLUGIN_WWW=		https://www.zenarmor.com
diff --git a/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php b/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php
index badc4f46be..30c902a561 100755
--- a/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php
+++ b/vendor/sunnyvalley/src/opnsense/scripts/firmware/repos/SunnyValley.php
@@ -31,11 +31,11 @@
 
 $conf = '/usr/local/etc/pkg/repos/SunnyValley.conf';
 
-if (!file_exists($conf . '.shadow')) {
+if (!file_exists($conf . '.sample')) {
     exit(0);
 }
 
-$fileContents = file_get_contents($conf . '.shadow');
+$fileContents = file_get_contents($conf . '.sample');
 
 if (file_exists('/usr/local/zenarmor/bin/eastpect')) {
     $uuid = shell_safe('/usr/local/zenarmor/bin/eastpect -s');

From c888c851d783025308dbe3e0596147d9938680ad Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 17 Jan 2024 08:46:53 +0100
Subject: [PATCH 1758/3088] Framework: load firmware repo scripts on post
 update

The procedure can be risky if dependent on the availability of
binaries not directly depended on by the plugin, but that's not
a problem of the plugin code providing this feature.

While here use LOCALBASE where possible.
---
 Mk/plugins.mk | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 2b3b9cb7ce..3aec5eb19b 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -133,8 +133,8 @@ manifest: check
 	done
 	@echo "}"
 .endif
-	@if [ -f ${WRKSRC}/usr/local/opnsense/version/${PLUGIN_NAME} ]; then \
-	    echo "annotations $$(cat ${WRKSRC}/usr/local/opnsense/version/${PLUGIN_NAME})"; \
+	@if [ -f ${WRKSRC}${LOCALBASE}/opnsense/version/${PLUGIN_NAME} ]; then \
+	    echo "annotations $$(cat ${WRKSRC}${LOCALBASE}/opnsense/version/${PLUGIN_NAME})"; \
 	fi
 
 scripts: check scripts-pre scripts-auto scripts-manual scripts-post
@@ -187,6 +187,12 @@ scripts-auto:
 			    ${DESTDIR}/+POST_INSTALL; \
 		done; \
 	fi
+	@if [ -d ${.CURDIR}/src/opnsense/scripts/firmware/repos ]; then \
+		for FILE in $$(cd ${.CURDIR} && find -s \
+		    src/opnsense/scripts/firmware/repos -type f); do \
+			echo "${LOCALBASE}/$${FILE#.}" >> ${DESTDIR}/+POST_INSTALL; \
+		done \
+	fi
 
 scripts-manual:
 	@for SCRIPT in ${PLUGIN_SCRIPTS}; do \
@@ -275,7 +281,7 @@ package: check
 	@${MAKE} DESTDIR=${WRKSRC} install
 	@echo " done"
 	@echo ">>> Generated version info for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}:"
-	@cat ${WRKSRC}/usr/local/opnsense/version/${PLUGIN_NAME}
+	@cat ${WRKSRC}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}
 	@echo -n ">>> Generating metadata for ${PLUGIN_PKGNAME}-${PLUGIN_PKGVERSION}..."
 	@${MAKE} DESTDIR=${WRKSRC} metadata
 	@echo " done"
@@ -436,7 +442,7 @@ style-model:
 
 test: check
 	@if [ -d ${.CURDIR}/src/opnsense/mvc/tests ]; then \
-		cd /usr/local/opnsense/mvc/tests && \
+		cd ${LOCALBASE}/opnsense/mvc/tests && \
 		    phpunit --configuration PHPunit.xml \
 		    ${.CURDIR}/src/opnsense/mvc/tests; \
 	fi

From 015eec4b4ce8ac61868629e6955096f6eb842955 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 17 Jan 2024 08:49:40 +0100
Subject: [PATCH 1759/3088] vendor/sunnyvalley: bump version to benefit from
 change c888c851d783

---
 vendor/sunnyvalley/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 494123197f..2a04ede247 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
 PLUGIN_WWW=		https://www.zenarmor.com

From 1eae27c69f3843f833b801097337c79eaf9e9652 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 15 Jan 2024 01:05:13 +0100
Subject: [PATCH 1760/3088] security/acme-client: deprecate lexicon, refs #2920

---
 security/acme-client/pkg-descr                |  54 ++++
 .../AcmeClient/forms/dialogValidation.xml     |   7 +-
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 100 +++----
 .../OPNsense/AcmeClient/Migrations/M4_1_0.php | 266 ++++++++++++++++++
 4 files changed, 371 insertions(+), 56 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_1_0.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index d943ce1d03..2a5039e661 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,10 @@ NOTE: This is a new major release with backwards-incompatible changes.
 Downgrade to older releases is not supported. Be sure to create a
 full backup and include /var/etc/acme-client.
 
+NOTE: Lexicon is deprecated and most configurations are converted
+to native acme.sh DNS APIs. However, in some case manual reconfiguration
+may be necessary.
+
 Added:
 * add nic.ru DNS API (#3684)
 * add Aurora DNS API
@@ -27,12 +31,62 @@ Added:
 
 Changed:
 * use a dedicated acme.sh runtime directory for every cert (#3127)
+* migrate lexicon provider aliyun to acme.sh DNS API (#2920)
+* migrate lexicon provider aurora to acme.sh DNS API (#2920)
+* migrate lexicon provider azure to acme.sh DNS API (#2920)
+* migrate lexicon provider cloudflare to acme.sh DNS API (#2920)
+* migrate lexicon provider cloudns to acme.sh DNS API (#2920)
+* migrate lexicon provider cloudxns to acme.sh DNS API (#2920)
+* migrate lexicon provider conoha to acme.sh DNS API (#2920)
+* migrate lexicon provider constellix to acme.sh DNS API (#2920)
+* migrate lexicon provider digitalocean to acme.sh DNS API (#2920)
+* migrate lexicon provider directadmin to acme.sh DNS API (#2920)
+* migrate lexicon provider dnsimple to acme.sh DNS API (#2920)
+* migrate lexicon provider dnsmadeeasy to acme.sh DNS API (#2920)
+* migrate lexicon provider dnspod to acme.sh DNS API (#2920)
+* migrate lexicon provider dreamhost to acme.sh DNS API (#2920)
+* migrate lexicon provider easydns to acme.sh DNS API (#2920)
+* migrate lexicon provider exoscale to acme.sh DNS API (#2920)
+* migrate lexicon provider gandi to acme.sh DNS API (#2920)
+* migrate lexicon provider godaddy to acme.sh DNS API (#2920)
+* migrate lexicon provider googleclouddns to acme.sh DNS API (#2920)
+* migrate lexicon provider gratisdns to acme.sh DNS API (#2920)
+* migrate lexicon provider henet to acme.sh DNS API (#2920)
+* migrate lexicon provider hetzner to acme.sh DNS API (#2920)
+* migrate lexicon provider infoblox to acme.sh DNS API (#2920)
+* migrate lexicon provider internetbs to acme.sh DNS API (#2920)
+* migrate lexicon provider inwx to acme.sh DNS API (#2920)
+* migrate lexicon provider linode to acme.sh DNS API (#2920)
+* migrate lexicon provider linode4 to acme.sh DNS API (#2920)
+* migrate lexicon provider luadns to acme.sh DNS API (#2920)
+* migrate lexicon provider namecheap to acme.sh DNS API (#2920)
+* migrate lexicon provider namesilo to acme.sh DNS API (#2920)
+* migrate lexicon provider netcup to acme.sh DNS API (#2920)
+* migrate lexicon provider nfsn to acme.sh DNS API (#2920)
+* migrate lexicon provider nsone to acme.sh DNS API (#2920)
+* migrate lexicon provider online to acme.sh DNS API (#2920)
+* migrate lexicon provider ovh to acme.sh DNS API (#2920)
+* migrate lexicon provider plesk to acme.sh DNS API (#2920)
+* migrate lexicon provider pointhq to acme.sh DNS API (#2920)
+* migrate lexicon provider powerdns to acme.sh DNS API (#2920)
+* migrate lexicon provider rackspace to acme.sh DNS API (#2920)
+* migrate lexicon provider rage4 to acme.sh DNS API (#2920)
+* migrate lexicon provider route53 to acme.sh DNS API (#2920)
+* migrate lexicon provider transip to acme.sh DNS API (#2920)
+* migrate lexicon provider vultr to acme.sh DNS API (#2920)
+* migrate lexicon provider yandex to acme.sh DNS API (#2920)
+* migrate lexicon provider zeit to acme.sh DNS API (#2920)
+* migrate lexicon provider zilore to acme.sh DNS API (#2920)
+* migrate lexicon provider zonomi to acme.sh DNS API (#2920)
 
 Fixed:
 * fix sporadic command failure with gcloud DNS API (#3745)
 * fix errors when the same Common Name is used multiple times (#3127)
 * fix crash on invalid automations (#3752)
 
+Deprecated:
+* deprecate support for lexicon DNS APIs (no removal date yet)
+
 3.20
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 4fd1fd5d41..98fdc7e56c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -788,12 +788,7 @@
         <help>Specify the location of the generated TSIG Key inside the TSIG file using grep and cut, example: grep \# /etc/knot/acme.key | cut -d' ' -f2</help>
     </field>
     <field>
-        <label>lexicon</label>
-        <type>header</type>
-        <style>table_dns table_dns_lexicon</style>
-    </field>
-    <field>
-        <label>NOTE: A DNS sleep time of at least 1000 may be required.</label>
+        <label>lexicon (DEPRECATED)</label>
         <type>header</type>
         <style>table_dns table_dns_lexicon</style>
     </field>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index bc0a32b0a0..a583d068bd 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>4.0.0</version>
+    <version>4.1.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -481,7 +481,7 @@
                         <dns_kinghost>KingHost</dns_kinghost>
                         <dns_knot>Knot (knsupdate)</dns_knot>
                         <dns_leaseweb>LeaseWeb</dns_leaseweb>
-                        <dns_lexicon>lexicon</dns_lexicon>
+                        <dns_lexicon>lexicon (DEPRECATED)</dns_lexicon>
                         <dns_linode>Linode (v3 / Deprecated)</dns_linode>
                         <dns_linode_v4>Linode (v4)</dns_linode_v4>
                         <dns_loopia>Loopia</dns_loopia>
@@ -787,67 +787,67 @@
                     <Required>N</Required>
                     <default>cloudflare</default>
                     <OptionValues>
-                        <aliyun>Aliyun.com</aliyun>
-                        <aurora>AuroraDNS</aurora>
+                        <aliyun>Aliyun.com (UNSUPPORTED)</aliyun>
+                        <aurora>AuroraDNS (UNSUPPORTED)</aurora>
                         <auto>Auto API</auto>
-                        <azure>Azure</azure>
-                        <cloudflare>CloudFlare</cloudflare>
-                        <cloudns>ClouDNS</cloudns>
-                        <cloudxns>CloudXNS</cloudxns>
-                        <conoha>ConoHa</conoha>
-                        <constellix>Constellix</constellix>
-                        <digitalocean>DigitalOcean</digitalocean>
-                        <dinahosting>Dinahosting</dinahosting>
-                        <directadmin>DirectAdmin</directadmin>
-                        <dnsimple>DNSimple</dnsimple>
-                        <dnsmadeeasy>DnsMadeEasy</dnsmadeeasy>
+                        <azure>Azure (UNSUPPORTED)</azure>
+                        <cloudflare>CloudFlare (UNSUPPORTED)</cloudflare>
+                        <cloudns>ClouDNS (UNSUPPORTED)</cloudns>
+                        <cloudxns>CloudXNS (UNSUPPORTED)</cloudxns>
+                        <conoha>ConoHa (UNSUPPORTED)</conoha>
+                        <constellix>Constellix (UNSUPPORTED)</constellix>
+                        <digitalocean>DigitalOcean (UNSUPPORTED)</digitalocean>
+                        <dinahosting>Dinahosting (UNSUPPORTED)</dinahosting>
+                        <directadmin>DirectAdmin (UNSUPPORTED)</directadmin>
+                        <dnsimple>DNSimple (UNSUPPORTED)</dnsimple>
+                        <dnsmadeeasy>DnsMadeEasy (UNSUPPORTED)</dnsmadeeasy>
                         <dnspark>DNSPark</dnspark>
-                        <dnspod>DNSPod</dnspod>
-                        <dreamhost>Dreamhost</dreamhost>
-                        <easydns>EasyDNS</easydns>
+                        <dnspod>DNSPod (UNSUPPORTED)</dnspod>
+                        <dreamhost>Dreamhost (UNSUPPORTED)</dreamhost>
+                        <easydns>EasyDNS (UNSUPPORTED)</easydns>
                         <easyname>Easyname</easyname>
-                        <exoscale>ExoScale</exoscale>
-                        <gandi>Gandi</gandi>
+                        <exoscale>ExoScale (UNSUPPORTED)</exoscale>
+                        <gandi>Gandi (UNSUPPORTED)</gandi>
                         <gehirn>Gehirn</gehirn>
                         <glesys>Glesys</glesys>
-                        <godaddy>GoDaddy</godaddy>
-                        <googleclouddns>Google Cloud</googleclouddns>
-                        <gratisdns>GratisDNS</gratisdns>
-                        <henet>Hurricane Electric</henet>
-                        <hetzner>Hetzner</hetzner>
+                        <godaddy>GoDaddy (UNSUPPORTED)</godaddy>
+                        <googleclouddns>Google Cloud (UNSUPPORTED)</googleclouddns>
+                        <gratisdns>GratisDNS (UNSUPPORTED)</gratisdns>
+                        <henet>Hurricane Electric (UNSUPPORTED)</henet>
+                        <hetzner>Hetzner (UNSUPPORTED)</hetzner>
                         <hover>Hover</hover>
-                        <infoblox>Infoblox</infoblox>
-                        <internetbs>Internet.bs</internetbs>
-                        <inwx>INWX</inwx>
-                        <linode>Linode (v3 / Deprecated)</linode>
-                        <linode4>Linode (v4)</linode4>
+                        <infoblox>Infoblox (UNSUPPORTED)</infoblox>
+                        <internetbs>Internet.bs (UNSUPPORTED)</internetbs>
+                        <inwx>INWX (UNSUPPORTED)</inwx>
+                        <linode>Linode v3 (UNSUPPORTED)</linode>
+                        <linode4>Linode v4 (UNSUPPORTED)</linode4>
                         <localzone>Localzone</localzone>
-                        <luadns>LuaDNS</luadns>
+                        <luadns>LuaDNS (UNSUPPORTED)</luadns>
                         <memset>Memset</memset>
-                        <namecheap>Namecheap</namecheap>
-                        <namesilo>Namesilo</namesilo>
-                        <netcup>Netcup</netcup>
-                        <nfsn>NFSN</nfsn>
-                        <nsone>NS1</nsone>
+                        <namecheap>Namecheap (UNSUPPORTED)</namecheap>
+                        <namesilo>Namesilo (UNSUPPORTED)</namesilo>
+                        <netcup>Netcup (UNSUPPORTED)</netcup>
+                        <nfsn>NFSN (UNSUPPORTED)</nfsn>
+                        <nsone>NS1 (UNSUPPORTED)</nsone>
                         <onapp>OnApp</onapp>
-                        <online>Online</online>
-                        <ovh>OVH</ovh>
-                        <plesk>Plesk</plesk>
-                        <pointhq>PointHQ</pointhq>
-                        <powerdns>PowerDNS</powerdns>
-                        <rackspace>Rackspace</rackspace>
-                        <rage4>Rage4</rage4>
-                        <route53>Route 53</route53>
+                        <online>Online (UNSUPPORTED)</online>
+                        <ovh>OVH (UNSUPPORTED)</ovh>
+                        <plesk>Plesk (UNSUPPORTED)</plesk>
+                        <pointhq>PointHQ (UNSUPPORTED)</pointhq>
+                        <powerdns>PowerDNS (UNSUPPORTED)</powerdns>
+                        <rackspace>Rackspace (UNSUPPORTED)</rackspace>
+                        <rage4>Rage4 (UNSUPPORTED)</rage4>
+                        <route53>Route 53 (UNSUPPORTED)</route53>
                         <safedns>SafeDNS</safedns>
                         <sakuracloud>SakuraCloud</sakuracloud>
                         <softlayer>Softlayer</softlayer>
                         <subreg>Subreg</subreg>
-                        <transip>Transip</transip>
-                        <vultr>Vultr</vultr>
-                        <yandex>Yandex</yandex>
-                        <zeit>Zeit</zeit>
-                        <zilore>Zilore</zilore>
-                        <zonomi>Zonomi</zonomi>
+                        <transip>Transip (UNSUPPORTED)</transip>
+                        <vultr>Vultr (UNSUPPORTED)</vultr>
+                        <yandex>Yandex (UNSUPPORTED)</yandex>
+                        <zeit>Zeit (UNSUPPORTED)</zeit>
+                        <zilore>Zilore (UNSUPPORTED)</zilore>
+                        <zonomi>Zonomi (UNSUPPORTED)</zonomi>
                     </OptionValues>
                 </dns_lexicon_provider>
                 <dns_lexicon_user type="TextField">
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_1_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_1_0.php
new file mode 100644
index 0000000000..a28ae71f44
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_1_0.php
@@ -0,0 +1,266 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M4_1_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Migrate validations from "lexicon" to native acme.sh DNS API
+        foreach ($model->getNodeByReference('validations.validation')->iterateItems() as $validation) {
+            $dns_service = (string)$validation->dns_service;
+            $dns_lexicon_provider = (string)$validation->dns_lexicon_provider;
+
+            if (!empty($dns_lexicon_provider) && ($dns_service === 'dns_lexicon')) {
+                // Migrate old lexicon values to DNS API values.
+                switch ($dns_lexicon_provider) {
+                    case 'aliyun':
+                        $validation->dns_service = 'dns_ali';
+                        $validation->dns_ali_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_ali_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'aurora':
+                        $validation->dns_service = 'dns_aurora';
+                        $validation->dns_aurora_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_aurora_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'cloudflare':
+                        $validation->dns_service = 'dns_cf';
+                        $validation->dns_cf_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_cf_token = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'cloudns':
+                        $validation->dns_service = 'dns_cloudns';
+                        $validation->dns_cloudns_auth_id = (string)$validation->dns_lexicon_user;
+                        $validation->dns_cloudns_auth_password = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'cloudxns':
+                        $validation->dns_service = 'dns_cx';
+                        $validation->dns_cx_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_cx_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'conoha':
+                        $validation->dns_service = 'dns_conoha';
+                        $validation->dns_conoha_user = (string)$validation->dns_lexicon_user;
+                        $validation->dns_conoha_password = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'constellix':
+                        $validation->dns_service = 'dns_constellix';
+                        $validation->dns_constellix_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_constellix_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'digitalocean':
+                        $validation->dns_service = 'dns_dgon';
+                        $validation->dns_dgon_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'directadmin':
+                        $validation->dns_service = 'dns_da';
+                        $validation->dns_da_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'dnsimple':
+                        $validation->dns_service = 'dns_dnsimple';
+                        $validation->dns_dnsimple_token = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'dnsmadeeasy':
+                        $validation->dns_service = 'dns_me';
+                        $validation->dns_me_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_me_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'dnspod':
+                        $validation->dns_service = 'dns_dp';
+                        $validation->dns_dp_id = (string)$validation->dns_lexicon_user;
+                        $validation->dns_dp_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'dreamhost':
+                        $validation->dns_service = 'dns_dreamhost';
+                        // FIXME: parameter prefix should match $dns_service
+                        $validation->dns_dh_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'easydns':
+                        $validation->dns_service = 'dns_easydns';
+                        $validation->dns_easydns_apikey = (string)$validation->dns_lexicon_user;
+                        $validation->dns_easydns_apitoken = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'exoscale':
+                        $validation->dns_service = 'dns_exoscale';
+                        $validation->dns_exoscale_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_exoscale_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'gandi':
+                        $validation->dns_service = 'dns_gandi_livedns';
+                        $validation->dns_gandi_livedns_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_gandi_livedns_token = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'godaddy':
+                        $validation->dns_service = 'dns_gd';
+                        $validation->dns_gd_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_gd_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'googleclouddns':
+                        $validation->dns_service = 'dns_gcloud';
+                        $validation->dns_gcloud_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'gratisdns':
+                        $validation->dns_service = 'dns_gdnsdk';
+                        $validation->dns_gdnsdk_user = (string)$validation->dns_lexicon_user;
+                        $validation->dns_gdnsdk_password = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'henet':
+                        $validation->dns_service = 'dns_he';
+                        $validation->dns_he_user = (string)$validation->dns_lexicon_user;
+                        $validation->dns_he_password = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'hetzner':
+                        $validation->dns_service = 'dns_hetzner';
+                        $validation->dns_hetzner_token = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'infoblox':
+                        $validation->dns_service = 'dns_infoblox';
+                        $validation->dns_infoblox_credentials = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'internetbs':
+                        $validation->dns_service = 'dns_internetbs';
+                        $validation->dns_internetbs_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_internetbs_password = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'inwx':
+                        $validation->dns_service = 'dns_inwx';
+                        $validation->dns_inwx_user = (string)$validation->dns_lexicon_user;
+                        $validation->dns_inwx_password = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'linode':
+                        $validation->dns_service = 'dns_linode';
+                        $validation->dns_linode_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'linode4':
+                        $validation->dns_service = 'dns_linode_v4';
+                        $validation->dns_linode_v4_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'luadns':
+                        $validation->dns_service = 'dns_lua';
+                        $validation->dns_lua_email = (string)$validation->dns_lexicon_user;
+                        $validation->dns_lua_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'namecheap':
+                        $validation->dns_service = 'dns_namecheap';
+                        $validation->dns_namecheap_user = (string)$validation->dns_lexicon_user;
+                        $validation->dns_namecheap_api = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'namesilo':
+                        $validation->dns_service = 'dns_namesilo';
+                        $validation->dns_namesilo_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'netcup':
+                        $validation->dns_service = 'dns_netcup';
+                        $validation->dns_netcup_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_netcup_pw = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'nfsn':
+                        $validation->dns_service = 'dns_njalla';
+                        $validation->dns_njalla_token = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'nsone':
+                        $validation->dns_service = 'dns_nsone';
+                        $validation->dns_nsone_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'online':
+                        $validation->dns_service = 'dns_online';
+                        $validation->dns_online_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'ovh':
+                        $validation->dns_service = 'dns_ovh';
+                        $validation->dns_ovh_app_key = (string)$validation->dns_lexicon_user;
+                        $validation->dns_ovh_app_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'plesk':
+                        $validation->dns_service = 'dns_pleskxml';
+                        $validation->dns_pleskxml_user = (string)$validation->dns_lexicon_user;
+                        $validation->dns_pleskxml_pass = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'pointhq':
+                        $validation->dns_service = 'dns_pointhq';
+                        $validation->dns_pointhq_email = (string)$validation->dns_lexicon_user;
+                        $validation->dns_pointhq_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'powerdns':
+                        $validation->dns_service = 'dns_pdns';
+                        $validation->dns_pdns_serverid = (string)$validation->dns_lexicon_user;
+                        $validation->dns_pdns_token = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'rackspace':
+                        $validation->dns_service = 'dns_rackspace';
+                        $validation->dns_rackspace_user = (string)$validation->dns_lexicon_user;
+                        $validation->dns_rackspace_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'rage4':
+                        $validation->dns_service = 'dns_rage4';
+                        $validation->dns_rage4_user = (string)$validation->dns_lexicon_user;
+                        $validation->dns_rage4_token = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'route53':
+                        $validation->dns_service = 'dns_aws';
+                        $validation->dns_aws_id = (string)$validation->dns_lexicon_user;
+                        $validation->dns_aws_secret = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'transip':
+                        $validation->dns_service = 'dns_transip';
+                        $validation->dns_transip_username = (string)$validation->dns_lexicon_user;
+                        $validation->dns_transip_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'vultr':
+                        $validation->dns_service = 'dns_vultr';
+                        $validation->dns_vultr_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'yandex':
+                        $validation->dns_service = 'dns_yandex';
+                        $validation->dns_yandex_token = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'zeit':
+                        // URL points to zilore, so we'll use this DNS API as a replacement.
+                        $validation->dns_service = 'dns_zilore';
+                        $validation->dns_zilore_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'zilore':
+                        $validation->dns_service = 'dns_zilore';
+                        $validation->dns_zilore_key = (string)$validation->dns_lexicon_token;
+                        break;
+                    case 'zonomi':
+                        $validation->dns_service = 'dns_zonomi';
+                        // FIXME: parameter prefix should match $dns_service
+                        $validation->dns_zm_key = (string)$validation->dns_lexicon_token;
+                        break;
+                }
+            }
+        }
+    }
+}

From 1ade0ef804cd44ce37d004739e327cb36eb4dd4f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Jan 2024 13:22:37 +0100
Subject: [PATCH 1761/3088] Framework: fix a directory mismatch

Reported by: hasan@sunnyvalley.io
---
 Mk/plugins.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 3aec5eb19b..ba49c9d1a1 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -188,8 +188,8 @@ scripts-auto:
 		done; \
 	fi
 	@if [ -d ${.CURDIR}/src/opnsense/scripts/firmware/repos ]; then \
-		for FILE in $$(cd ${.CURDIR} && find -s \
-		    src/opnsense/scripts/firmware/repos -type f); do \
+		for FILE in $$(cd ${.CURDIR}/src && find -s \
+		    opnsense/scripts/firmware/repos -type f); do \
 			echo "${LOCALBASE}/$${FILE#.}" >> ${DESTDIR}/+POST_INSTALL; \
 		done \
 	fi

From 47d7a77e893e29b262bfc0aa35c3a4fdb8f8a5dc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Jan 2024 13:24:00 +0100
Subject: [PATCH 1762/3088] vendor/sunnyvalley: bump again, small issue with
 previous

---
 vendor/sunnyvalley/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 2a04ede247..4a44d5a877 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
 PLUGIN_WWW=		https://www.zenarmor.com

From d5ae01f361962c510172a5dec004fe0a13ac7309 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 19 Jan 2024 08:57:33 +0100
Subject: [PATCH 1763/3088] www/squid: change to the EoL release for clarity

---
 www/squid/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index ca3da4095d..2e0b72da45 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -7,4 +7,4 @@ Plugin Changelog
 
 1.0
 
-* Initial version based on the OPNsense 23.7.11 core code
+* Initial version based on the OPNsense 23.7.12 core code

From 0919e8e06ce9f7121650eb0b560fd2eb1f0b41c6 Mon Sep 17 00:00:00 2001
From: Jakub Gargul <jakub.gargul+github@gmail.com>
Date: Tue, 23 Jan 2024 09:32:47 +0100
Subject: [PATCH 1764/3088] dns/ddclient: add system parameter to native
 dyndns2 request; fixes #3679 (#3696)

---
 .../src/opnsense/scripts/ddclient/lib/account/dyndns2.py         | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
index f712a3f6f1..e93d0e5abe 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dyndns2.py
@@ -89,6 +89,7 @@ def execute(self):
                     'params': {
                         'hostname': self.settings.get('hostnames'),
                         'myip': self.current_address,
+                        'system': 'dyndns',
                         'wildcard': 'ON' if self.settings.get('wildcard', False) else 'NOCHG'
                     },
                     'auth': HTTPBasicAuth(self.settings.get('username'), self.settings.get('password')),

From 25dd47d77603459d0dbdf54e89f2bc5cfe25b146 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 24 Jan 2024 15:53:36 +0100
Subject: [PATCH 1765/3088] net/frr: Add plain password authentication to OSPF
 (#3770)

---
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml | 1 +
 .../service/templates/OPNsense/Quagga/ospfd.conf         | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 924ac3cdaf..333670a562 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -149,6 +149,7 @@
                                 <default></default>
                                 <OptionValues>
                                         <message-digest>MD5</message-digest>
+					<plain>plain</plain>
                                 </OptionValues>
                         </authtype>
                         <authkey type="TextField">
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index 91c282218e..03f648c2f1 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -31,9 +31,12 @@ interface {{ physical_interface(interface.interfacename) }}
 {% if interface.networktype %}
 {{       cline("network",interface.networktype)
 }}{% endif %}
-{{       cline("authentication",interface.authtype)
-}}{% if interface.authtype and interface.authtype == 'message-digest'
-%}{{       cline("message-digest-key " + interface.authkey_id + " md5",interface.authkey)
+{% if interface.authtype and interface.authtype == 'message-digest'
+%}{{       cline("authentication",interface.authtype)
+}}{{       cline("message-digest-key " + interface.authkey_id + " md5",interface.authkey)
+}}{% elif interface.authtype and interface.authtype == 'plain'
+%}{{       cline("authentication",' ')
+}}{{       cline("authentication-key",interface.authkey)
 }}{% endif
 %}{{       cline("area",interface.area)
 }}{{       cline("cost",interface.cost)

From c52839436a5bfc6d53eec8916312298e048ff364 Mon Sep 17 00:00:00 2001
From: Self-Hosting-Group
 <155233284+Self-Hosting-Group@users.noreply.github.com>
Date: Wed, 24 Jan 2024 17:20:36 +0100
Subject: [PATCH 1766/3088] net/upnp: Update plugin wording to include PCP as
 supported (#3769)

and also mention `UPnP IGD` as `UPnP` is probably not specific enough.

Port Control Protocol (PCP) is the successor to NAT-PMP and has similar
protocol concepts and packet formats, but adds IPv6 support.
PCP standard:
https://datatracker.ietf.org/doc/html/rfc6887
https://en.wikipedia.org/wiki/Port_Control_Protocol
NAT-PMP std. (see 9.1 Simplicity - 9.3 for some diff. to UPnP IGD):
https://datatracker.ietf.org/doc/html/rfc6886
---
 net/upnp/Makefile                              |  4 ++--
 net/upnp/pkg-descr                             |  8 ++++----
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc    |  2 +-
 net/upnp/src/www/services_upnp.php             | 18 +++++++++---------
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index b43908434a..ad55189cf8 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,8 +1,8 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_DEPENDS=		miniupnpd
-PLUGIN_COMMENT=		Universal Plug and Play Service
+PLUGIN_COMMENT=		Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"
diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index fc73e6b009..283b27ae7b 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -1,8 +1,8 @@
-Mini UPnPd is a lightweight implementation of a UPnP IGD daemon. This is
-supposed to be run on your gateway machine to allow client systems to redirect
-ports and punch holes in the firewall.
+MiniUPnPd is a lightweight implementation of a UPnP IGD & PCP/NAT-PMP daemon.
+This is supposed to be run on your gateway machine to allow client systems to
+map ports and punch holes in the firewall.
 
-WWW: http://miniupnp.free.fr/
+WWW: https://miniupnp.tuxfamily.org/
 
 Plugin Changelog
 ================
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 411c57f66b..54a44a6c67 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -230,7 +230,7 @@ function miniupnpd_configure_do($verbose = false)
                 $config_text .= "deny 0-65535 0.0.0.0/0 0-65535\n";
             }
 
-            /* Allow UPnP or NAT-PMP as requested */
+            /* Allow UPnP IGD or PCP/NAT-PMP as requested */
             $config_text .= "enable_upnp="   . ( $upnp_config['enable_upnp']   ? "yes\n" : "no\n" );
             $config_text .= "enable_natpmp=" . ( $upnp_config['enable_natpmp'] ? "yes\n" : "no\n" );
 
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index 5ca0754f16..077c3bae77 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -102,7 +102,7 @@ function miniupnpd_validate_port($port)
 
     // validate form data
     if (!empty($pconfig['enable']) && (empty($pconfig['enable_upnp']) && empty($pconfig['enable_natpmp']))) {
-        $input_errors[] = gettext('At least one of \'UPnP\' or \'NAT-PMP\' must be allowed');
+        $input_errors[] = gettext('At least one of \'UPnP IGD\' or \'PCP/NAT-PMP\' must be allowed');
     }
     if (!empty($pconfig['iface_array'])) {
         foreach($pconfig['iface_array'] as $iface) {
@@ -210,7 +210,7 @@ function miniupnpd_validate_port($port)
                   <thead>
                     <tr>
                       <td style="width:22%">
-                        <strong><?=gettext("UPnP and NAT-PMP Settings");?></strong>
+                        <strong><?=gettext("UPnP IGD & PCP/NAT-PMP Settings");?></strong>
                       </td>
                       <td style="width:78%; text-align:right">
                         <small><?=gettext("full help"); ?> </small>
@@ -227,7 +227,7 @@ function miniupnpd_validate_port($port)
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_enable_upnp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow UPnP Port Mapping");?></td>
+                      <td><a id="help_for_enable_upnp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow UPnP IGD Port Mapping");?></td>
                       <td>
                        <input name="enable_upnp" type="checkbox" value="yes" <?=!empty($pconfig['enable_upnp']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable_upnp">
@@ -236,7 +236,7 @@ function miniupnpd_validate_port($port)
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_enable_natpmp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow NAT-PMP Port Mapping");?></td>
+                      <td><a id="help_for_enable_natpmp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow PCP/NAT-PMP Port Mapping");?></td>
                       <td>
                        <input name="enable_natpmp" type="checkbox" value="yes" <?=!empty($pconfig['enable_natpmp']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable_natpmp">
@@ -291,7 +291,7 @@ function miniupnpd_validate_port($port)
 <?php endfor ?>
                         </select>
                         <div class="hidden" data-for="help_for_overridesubnet">
-                          <?=gettext("You can override a single LAN interface subnet here. Useful if you are rebroadcasting UPNP traffic across networks.");?>
+                          <?=gettext("You can override a single LAN interface subnet here. Useful if you are rebroadcasting service traffic across networks.");?>
                         </div>
                       </td>
                     </tr>
@@ -338,11 +338,11 @@ function miniupnpd_validate_port($port)
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_logpackets" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Log NAT-PMP");?></td>
+                      <td><a id="help_for_logpackets" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Log packets");?></td>
                       <td>
                        <input name="logpackets" type="checkbox" value="yes" <?=!empty($pconfig['logpackets']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_logpackets">
-                         <?=gettext("Log packets handled by UPnP and NAT-PMP rules?");?>
+                         <?=gettext("Log packets handled by service rules?");?>
                        </div>
                       </td>
                     </tr>
@@ -351,7 +351,7 @@ function miniupnpd_validate_port($port)
                       <td>
                        <input name="sysuptime" type="checkbox" value="yes" <?=!empty($pconfig['sysuptime']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_sysuptime">
-                         <?=gettext("Use system uptime instead of UPnP and NAT-PMP service uptime?");?>
+                         <?=gettext("Use system uptime instead of service uptime?");?>
                        </div>
                       </td>
                     </tr>
@@ -360,7 +360,7 @@ function miniupnpd_validate_port($port)
                       <td>
                        <input name="permdefault" type="checkbox" value="yes" <?=!empty($pconfig['permdefault']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_permdefault">
-                         <?=gettext("By default deny access to UPnP and NAT-PMP?");?>
+                         <?=gettext("By default deny access to service?");?>
                        </div>
                       </td>
                     </tr>

From e96c38421209307c2ca1d159eba260701e8f600f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 25 Jan 2024 15:59:34 +0100
Subject: [PATCH 1767/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index d9e7b6a6a0..2018025bf2 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		3.20
+PLUGIN_VERSION=		4.0
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From c4c0c2b4af21428941304f47e3926655fdaa5cb4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 25 Jan 2024 17:13:02 +0100
Subject: [PATCH 1768/3088] src: style sweep

---
 .../scripts/OPNsense/HAProxy/exportCerts.php  |  4 ++--
 .../AcmeClient/LeValidation/DnsNic.php        | 20 +++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index c2e052f607..935160b42b 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -97,9 +97,9 @@
                                             echo "exported $type to " . $output_pem_filename . "\n";
                                             // Check if automatic OCSP updates are enabled.
                                             if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
-                                              $crtlist[] = $output_pem_filename . " ocsp-update on";
+                                                $crtlist[] = $output_pem_filename . " ocsp-update on";
                                             } else {
-                                              $crtlist[] = $output_pem_filename;
+                                                $crtlist[] = $output_pem_filename;
                                             }
                                         } else {
                                             // In contrast to certificates, CA/CRL content needs to be put in a single file.
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNic.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNic.php
index 15ea83635c..bd16440483 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNic.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNic.php
@@ -35,13 +35,13 @@
   * Nic DNS API
   * @package OPNsense\AcmeClient
   */
- class DnsNic extends Base implements LeValidationInterface
- {
-     public function prepare()
-     {
-         $this->acme_env['NIC_Username'] = (string)$this->config->dns_nic_username;
-         $this->acme_env['NIC_Password'] = (string)$this->config->dns_nic_password;
-         $this->acme_env['NIC_ClientID'] = (string)$this->config->dns_nic_client;
-         $this->acme_env['NIC_ClientSecret'] = (string)$this->config->dns_nic_secret;
-     }
- }
\ No newline at end of file
+class DnsNic extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['NIC_Username'] = (string)$this->config->dns_nic_username;
+        $this->acme_env['NIC_Password'] = (string)$this->config->dns_nic_password;
+        $this->acme_env['NIC_ClientID'] = (string)$this->config->dns_nic_client;
+        $this->acme_env['NIC_ClientSecret'] = (string)$this->config->dns_nic_secret;
+    }
+}

From b8aa264c3b555575379aa7ca71593f7041ca981f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 25 Jan 2024 17:16:12 +0100
Subject: [PATCH 1769/3088] dns/ddclient: document and bump

---
 dns/ddclient/Makefile  | 1 +
 dns/ddclient/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index b5c549e80b..4d766d71c7 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.20
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 4de70f3866..ef258de9c8 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -8,6 +8,7 @@ Plugin Changelog
 
 1.20
 
+* Add system parameter to native dyndns2 requesto (contributed by Jakub Gargul)
 * Add Digitalocean support (contributed by Mathias Schneuwly)
 * Add Mythin Beasts support (contributed by PeterF)
 

From 1beca17cb9a26ada2df1b511e13b9e94448b540e Mon Sep 17 00:00:00 2001
From: Mike Bishop <mbishop@evequefou.be>
Date: Thu, 25 Jan 2024 14:38:16 -0500
Subject: [PATCH 1770/3088] [os-tor] MyFamily (#3698)

---
 security/tor/Makefile                                      | 2 +-
 .../mvc/app/controllers/OPNsense/Tor/forms/relay.xml       | 7 +++++++
 .../tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml | 5 +++++
 .../tor/src/opnsense/service/templates/OPNsense/Tor/torrc  | 6 ++++++
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/security/tor/Makefile b/security/tor/Makefile
index ba90fb86f0..b6fb0bfe8f 100644
--- a/security/tor/Makefile
+++ b/security/tor/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tor
-PLUGIN_VERSION=		1.9
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		The Onion Router
 PLUGIN_DEPENDS=		tor ruby rubygem-rexml
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/relay.xml b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/relay.xml
index 5997b877d2..40f86a2681 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/relay.xml
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/relay.xml
@@ -54,6 +54,13 @@
     <type>text</type>
     <help>You can enter a publicly visible (obfuscated) email address into this field to allow other users to notify you if there are issues with your relay.</help>
   </field>
+  <field>
+    <id>relay.family</id>
+    <label>Family</label>
+    <type>text</type>
+    <help>Fingerprints of other relays controlled or administered by the same group or organization. Do not list any bridge relay as it would compromise its concealment.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>relay.bandwithrate</id>
     <label>Bandwith Rate</label>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
index c81f06f8ec..2d4ced170e 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
@@ -54,6 +54,11 @@
       <Required>N</Required>
       <mask><![CDATA[/^[a-zA-Z0-9 !§$%\/\(\)\\@,;.:_\-#+~*\?&<>]+$/]]></mask>
     </contact_info>
+    <family type="TextField">
+      <Required>N</Required>
+      <!-- series of hex arrays -->
+      <mask>/^[a-fA-F0-9,]+$/</mask>
+    </family>
     <bandwithrate type="IntegerField">
       <Required>N</Required>
     </bandwithrate>
diff --git a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
index 8e0e112404..c92807af0f 100644
--- a/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
+++ b/security/tor/src/opnsense/service/templates/OPNsense/Tor/torrc
@@ -171,6 +171,12 @@ OutboundBindAddress {{ OPNsense.tor.relay.outboundbindv6 }}
 Nickname {{ OPNsense.tor.relay.nick }}
 {% endif %}
 
+{% if helpers.exists('OPNsense.tor.relay.family') and OPNsense.tor.relay.family != '' %}
+{%   if OPNsense.tor.relay.relay|default('1') != '1' %}
+MyFamily {{ OPNsense.tor.relay.family }}
+{%   endif %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.tor.relay.contact_info') and OPNsense.tor.relay.contact_info != '' %}
 ContactInfo {{ OPNsense.tor.relay.contact_info }}
 {% endif %}

From 6eb9417ac55009a57aa51cb5f2db35d87c18430f Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 26 Jan 2024 11:42:57 +0100
Subject: [PATCH 1771/3088] net/ntopng: Allow interface selection (#3774)

---
 net/ntopng/Makefile                                          | 3 +--
 net/ntopng/pkg-descr                                         | 4 ++++
 .../mvc/app/controllers/OPNsense/Ntopng/forms/general.xml    | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml  | 5 +++--
 .../opnsense/service/templates/OPNsense/Ntopng/ntopng.conf   | 4 +++-
 5 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/net/ntopng/Makefile b/net/ntopng/Makefile
index ac7da5a1ad..5da05c18f5 100644
--- a/net/ntopng/Makefile
+++ b/net/ntopng/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ntopng
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Traffic Analysis and Flow Collection
 PLUGIN_DEPENDS=		ntopng
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/ntopng/pkg-descr b/net/ntopng/pkg-descr
index 5ea68cabd8..968b0f6607 100644
--- a/net/ntopng/pkg-descr
+++ b/net/ntopng/pkg-descr
@@ -8,6 +8,10 @@ and on Windows as well.
 Plugin Changelog
 ================
 
+1.3
+
+* Change interface selection to multiselect
+
 1.2
 
 * Changed data directory to avoid warning
diff --git a/net/ntopng/src/opnsense/mvc/app/controllers/OPNsense/Ntopng/forms/general.xml b/net/ntopng/src/opnsense/mvc/app/controllers/OPNsense/Ntopng/forms/general.xml
index e417cd9f63..b334d3ad09 100644
--- a/net/ntopng/src/opnsense/mvc/app/controllers/OPNsense/Ntopng/forms/general.xml
+++ b/net/ntopng/src/opnsense/mvc/app/controllers/OPNsense/Ntopng/forms/general.xml
@@ -8,7 +8,7 @@
     <field>
         <id>general.interface</id>
         <label>Interfaces</label>
-        <type>dropdown</type>
+        <type>select_multiple</type>
         <advanced>true</advanced>
         <help>Select the interface to listen to. Set to none if you want to choose the interface via ntopng UI.</help>
     </field>
diff --git a/net/ntopng/src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml b/net/ntopng/src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml
index 822fc38dc6..dea24b7d2e 100644
--- a/net/ntopng/src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml
+++ b/net/ntopng/src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/ntopng/general</mount>
     <description>ntopng configuration</description>
-    <version>0.0.1</version>
+    <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -9,7 +9,8 @@
         </enabled>
         <interface type="InterfaceField">
             <Required>N</Required>
-            <Multiple>N</Multiple>
+            <Multiple>Y</Multiple>
+            <AllowDynamic>Y</AllowDynamic>
         </interface>
         <httpport type="PortField">
             <Required>Y</Required>
diff --git a/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng.conf b/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng.conf
index 47749eeeb4..48def3ea32 100644
--- a/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng.conf
+++ b/net/ntopng/src/opnsense/service/templates/OPNsense/Ntopng/ntopng.conf
@@ -1,7 +1,9 @@
 {% if helpers.exists('OPNsense.ntopng.general.enabled') and OPNsense.ntopng.general.enabled == '1' %}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {%   if helpers.exists('OPNsense.ntopng.general.interface') and OPNsense.ntopng.general.interface != '' %}
--i={{ physical_interface(OPNsense.ntopng.general.interface) }}
+{%     for iface in OPNsense.ntopng.general.interface.split(',') %}
+-i={{ physical_interface(iface) }}
+{%     endfor %}
 {%   endif %}
 {%   if helpers.exists('OPNsense.ntopng.general.httpport') and OPNsense.ntopng.general.httpport != '' %}
 -w={{ OPNsense.ntopng.general.httpport }}

From 404c19f6e75427bbb310e8c3e114848c1c228b3c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 30 Jan 2024 22:49:22 +0100
Subject: [PATCH 1772/3088] net/haproxy: fix SNI when OCSP is enabled, closes
 #3779

---
 net/haproxy/pkg-descr                                 | 11 +++++++++++
 .../OPNsense/HAProxy/forms/generalTuning.xml          |  6 ++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml       |  8 ++++++++
 .../opnsense/scripts/OPNsense/HAProxy/exportCerts.php |  9 +++++++--
 .../service/templates/OPNsense/HAProxy/haproxy.conf   |  5 +++++
 5 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index f692d8110e..667d5fc216 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,17 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.3
+
+Added:
+* Add new global parameter: DNS prefer IP family (#3779)
+
+Fixed:
+* SNI not working when automatic OCSP updates are enabled (#3779)
+
+Changed:
+* prefer IPv4 results when resolving DNS names (#3779)
+
 4.2
 
 Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index f20d662dc5..069dea4ad8 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -22,6 +22,12 @@
         <type>text</type>
         <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> Consider raising the settings for kern.maxfiles and kern.maxfilesperproc in <a target="_blank" href="/system_advanced_sysctl.php">System: Settings: Tunables</a>, otherwise HAProxy will fail to open the specified number of connections.</div>]]></help>
     </field>
+    <field>
+        <id>haproxy.general.tuning.resolversPrefer</id>
+        <label>DNS prefer IP family</label>
+        <type>dropdown</type>
+        <help><![CDATA[This option allows to choose which IP family is preferred when resolving DNS names. This is useful when IPv6 or IPv4 is not available. It solves a common issue with OCSP updates.]]></help>
+    </field>
     <field>
         <id>haproxy.general.tuning.sslServerVerify</id>
         <label>Verify SSL Server Certificates</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 3e90be2f2b..92270f886d 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -85,6 +85,14 @@
                     <ValidationMessage>Please specify a value between 1 and 1024.</ValidationMessage>
                     <Required>N</Required>
                 </nbthread>
+                <resolversPrefer type="OptionField">
+                    <Required>N</Required>
+                    <default>ipv4</default>
+                    <OptionValues>
+                        <ipv4>IPv4</ipv4>
+                        <ipv6>IPv6</ipv6>
+                    </OptionValues>
+                </resolversPrefer>
                 <sslServerVerify type="OptionField">
                     <Required>Y</Required>
                     <default>ignore</default>
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 935160b42b..3eae885bb1 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -97,7 +97,7 @@
                                             echo "exported $type to " . $output_pem_filename . "\n";
                                             // Check if automatic OCSP updates are enabled.
                                             if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
-                                                $crtlist[] = $output_pem_filename . " ocsp-update on";
+                                                $crtlist[] = $output_pem_filename . " [ocsp-update on]";
                                             } else {
                                                 $crtlist[] = $output_pem_filename;
                                             }
@@ -125,7 +125,12 @@
                             // check if a default certificate is configured
                             if (($type == 'cert') and isset($child->ssl_default_certificate) and (string)$child->ssl_default_certificate != "") {
                                 $default_cert = (string)$child->ssl_default_certificate;
-                                $default_cert_filename = $export_path . $default_cert . ".pem";
+                                // Check if automatic OCSP updates are enabled.
+                                if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
+                                    $default_cert_filename = $export_path . $default_cert . ".pem [ocsp-update on]";
+                                } else {
+                                    $default_cert_filename = $export_path . $default_cert . ".pem";
+                                }
                                 // ensure that the default certificate is the first entry on the list
                                 $crtlist = array_diff($crtlist, [$default_cert_filename]);
                                 array_unshift($crtlist, $default_cert_filename);
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 4ee9337003..847091b70a 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -991,6 +991,11 @@ global
     tune.ssl.ocsp-update.maxdelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay}}
 {%   endif %}
 {% endif %}
+{% if helpers.exists('OPNsense.HAProxy.general.tuning.resolversPrefer') %}
+    httpclient.resolvers.prefer   {{OPNsense.HAProxy.general.tuning.resolversPrefer}}
+{% else %}
+    httpclient.resolvers.prefer   ipv4
+{% endif %}
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxDHSize') %}
     tune.ssl.default-dh-param   {{OPNsense.HAProxy.general.tuning.maxDHSize}}
 {% endif %}

From 943a8c3fac6addbecb95c9083629a6dc96dca220 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 31 Jan 2024 00:21:28 +0100
Subject: [PATCH 1773/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 7ea41d9365..65573b469e 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.2
+PLUGIN_VERSION=		4.3
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy28 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 69f3f03b289a165545f6031adaf7c3ad9c4f3afc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 31 Jan 2024 08:03:13 +0100
Subject: [PATCH 1774/3088] plugins: remove obsolete, switch to 24.1 branch,
 sync

---
 LICENSE                                       |   2 -
 Mk/defaults.mk                                |   2 +-
 README.md                                     |   6 +-
 net/firewall/Makefile                         |   8 -
 net/firewall/pkg-descr                        |   4 -
 .../src/etc/inc/plugins.inc.d/pfplugin.inc    |  48 ---
 .../Firewall/Api/FilterBaseController.php     | 178 ----------
 .../Firewall/Api/FilterController.php         |  67 ----
 .../OPNsense/Firewall/Api/NptController.php   |  72 -----
 .../Firewall/Api/SourceNatController.php      |  67 ----
 .../OPNsense/Firewall/FilterController.php    |  50 ---
 .../OPNsense/Firewall/NptController.php       |  59 ----
 .../OPNsense/Firewall/SourceNatController.php |  50 ---
 .../Firewall/forms/dialogFilterRule.xml       | 114 -------
 .../OPNsense/Firewall/forms/dialogNptRule.xml |  53 ---
 .../Firewall/forms/dialogSNatRule.xml         | 101 ------
 .../app/models/OPNsense/Firewall/ACL/ACL.xml  |  23 --
 .../Firewall/FieldTypes/FilterRuleField.php   | 138 --------
 .../FieldTypes/SourceNatRuleField.php         | 111 -------
 .../app/models/OPNsense/Firewall/Filter.php   | 164 ----------
 .../app/models/OPNsense/Firewall/Filter.xml   | 263 ---------------
 .../models/OPNsense/Firewall/Menu/Menu.xml    |  15 -
 .../OPNsense/Firewall/Migrations/MFP1_0_0.php |  59 ----
 .../app/views/OPNsense/Firewall/filter.volt   | 250 ---------------
 .../opnsense/scripts/pfplugin/rollback_cancel |  40 ---
 .../opnsense/scripts/pfplugin/rollback_timer  |  54 ----
 .../conf/actions.d/actions_pfplugin.conf      |  11 -
 net/wireguard-go/Makefile                     |  10 -
 net/wireguard-go/pkg-descr                    |  78 -----
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 110 -------
 .../src/etc/rc.syshook.d/start/50-wireguard   |   4 -
 .../Wireguard/Api/ClientController.php        |  70 ----
 .../Wireguard/Api/GeneralController.php       | 138 --------
 .../Wireguard/Api/ServerController.php        | 108 -------
 .../Wireguard/Api/ServiceController.php       |  76 -----
 .../OPNsense/Wireguard/GeneralController.php  |  40 ---
 .../forms/dialogEditWireguardClient.xml       |  52 ---
 .../forms/dialogEditWireguardServer.xml       |  82 -----
 .../OPNsense/Wireguard/forms/general.xml      |   8 -
 .../app/models/OPNsense/Wireguard/ACL/ACL.xml |   9 -
 .../app/models/OPNsense/Wireguard/Client.php  |  31 --
 .../app/models/OPNsense/Wireguard/Client.xml  |  47 ---
 .../app/models/OPNsense/Wireguard/General.php |  35 --
 .../app/models/OPNsense/Wireguard/General.xml |  11 -
 .../models/OPNsense/Wireguard/Menu/Menu.xml   |   5 -
 .../app/models/OPNsense/Wireguard/Server.php  |  31 --
 .../app/models/OPNsense/Wireguard/Server.xml  |  77 -----
 .../app/views/OPNsense/Wireguard/general.volt | 199 ------------
 .../scripts/OPNsense/Wireguard/genkey.sh      |  55 ----
 .../scripts/OPNsense/Wireguard/post.sh        |  11 -
 .../OPNsense/Wireguard/resolve-dns.bash       |  45 ---
 .../scripts/OPNsense/Wireguard/setup.sh       |   4 -
 .../conf/actions.d/actions_wireguard.conf     |  43 ---
 .../templates/OPNsense/Wireguard/+TARGETS     |   2 -
 .../templates/OPNsense/Wireguard/wireguard    |  15 -
 .../OPNsense/Wireguard/wireguard-server.conf  |  53 ---
 .../src/www/widgets/include/wireguard.inc     |   4 -
 .../www/widgets/widgets/wireguard.widget.php  | 120 -------
 net/wireguard/Makefile                        |   9 -
 net/wireguard/pkg-descr                       | 127 --------
 .../src/etc/inc/plugins.inc.d/wireguard.inc   | 194 -----------
 .../src/etc/rc.syshook.d/carp/20-wireguard    |   3 -
 .../Wireguard/Api/ClientController.php        | 115 -------
 .../Wireguard/Api/GeneralController.php       | 139 --------
 .../Wireguard/Api/ServerController.php        |  78 -----
 .../Wireguard/Api/ServiceController.php       | 123 -------
 .../Wireguard/DiagnosticsController.php       |  44 ---
 .../OPNsense/Wireguard/GeneralController.php  |  39 ---
 .../forms/dialogEditWireguardClient.xml       |  58 ----
 .../forms/dialogEditWireguardServer.xml       |  87 -----
 .../OPNsense/Wireguard/forms/general.xml      |   8 -
 .../app/models/OPNsense/Wireguard/ACL/ACL.xml |   9 -
 .../app/models/OPNsense/Wireguard/Client.php  |  35 --
 .../app/models/OPNsense/Wireguard/Client.xml  |  36 ---
 .../Wireguard/FieldTypes/ServerField.php      |  58 ----
 .../app/models/OPNsense/Wireguard/General.php |  35 --
 .../app/models/OPNsense/Wireguard/General.xml |  11 -
 .../models/OPNsense/Wireguard/Menu/Menu.xml   |   9 -
 .../app/models/OPNsense/Wireguard/Server.php  |  35 --
 .../app/models/OPNsense/Wireguard/Server.xml  |  73 -----
 .../views/OPNsense/Wireguard/diagnostics.volt |  97 ------
 .../app/views/OPNsense/Wireguard/general.volt | 173 ----------
 .../opnsense/scripts/Wireguard/gen_keypair.py |  46 ---
 .../scripts/Wireguard/reresolve-dns.py        |  75 -----
 .../scripts/Wireguard/wg-service-control.php  | 303 ------------------
 .../src/opnsense/scripts/Wireguard/wg_show.py |  72 -----
 .../conf/actions.d/actions_wireguard.conf     |  54 ----
 .../OPNsense/Syslog/local/wireguard.conf      |   6 -
 .../templates/OPNsense/Wireguard/+TARGETS     |   2 -
 .../templates/OPNsense/Wireguard/wireguard    |   2 -
 .../OPNsense/Wireguard/wireguard-server.conf  |  48 ---
 .../src/www/widgets/include/wireguard.inc     |   4 -
 .../www/widgets/widgets/wireguard.widget.php  |  95 ------
 sysutils/api-backup/Makefile                  |   7 -
 sysutils/api-backup/pkg-descr                 |  12 -
 .../OPNsense/Backup/Api/BackupController.php  |  90 ------
 .../app/models/OPNsense/Backup/ACL/ACL.xml    |   8 -
 97 files changed, 2 insertions(+), 5999 deletions(-)
 delete mode 100644 net/firewall/Makefile
 delete mode 100644 net/firewall/pkg-descr
 delete mode 100644 net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
 delete mode 100644 net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
 delete mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
 delete mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
 delete mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
 delete mode 100644 net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
 delete mode 100644 net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
 delete mode 100755 net/firewall/src/opnsense/scripts/pfplugin/rollback_cancel
 delete mode 100755 net/firewall/src/opnsense/scripts/pfplugin/rollback_timer
 delete mode 100644 net/firewall/src/opnsense/service/conf/actions.d/actions_pfplugin.conf
 delete mode 100644 net/wireguard-go/Makefile
 delete mode 100644 net/wireguard-go/pkg-descr
 delete mode 100644 net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
 delete mode 100755 net/wireguard-go/src/etc/rc.syshook.d/start/50-wireguard
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
 delete mode 100644 net/wireguard-go/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
 delete mode 100755 net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
 delete mode 100755 net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/post.sh
 delete mode 100755 net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
 delete mode 100755 net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
 delete mode 100644 net/wireguard-go/src/opnsense/service/conf/actions.d/actions_wireguard.conf
 delete mode 100644 net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
 delete mode 100644 net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
 delete mode 100644 net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
 delete mode 100644 net/wireguard-go/src/www/widgets/include/wireguard.inc
 delete mode 100644 net/wireguard-go/src/www/widgets/widgets/wireguard.widget.php
 delete mode 100644 net/wireguard/Makefile
 delete mode 100644 net/wireguard/pkg-descr
 delete mode 100644 net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
 delete mode 100755 net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
 delete mode 100644 net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
 delete mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/gen_keypair.py
 delete mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
 delete mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
 delete mode 100755 net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
 delete mode 100644 net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
 delete mode 100644 net/wireguard/src/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf
 delete mode 100644 net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
 delete mode 100644 net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
 delete mode 100644 net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
 delete mode 100644 net/wireguard/src/www/widgets/include/wireguard.inc
 delete mode 100644 net/wireguard/src/www/widgets/widgets/wireguard.widget.php
 delete mode 100644 sysutils/api-backup/Makefile
 delete mode 100644 sysutils/api-backup/pkg-descr
 delete mode 100644 sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
 delete mode 100644 sysutils/api-backup/src/opnsense/mvc/app/models/OPNsense/Backup/ACL/ACL.xml

diff --git a/LICENSE b/LICENSE
index 581d813349..f2a880a17d 100644
--- a/LICENSE
+++ b/LICENSE
@@ -7,7 +7,6 @@ Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
-Copyright (c) 2020 D. Domig
 Copyright (c) 2021 Dan Lundqvist
 Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
@@ -50,7 +49,6 @@ Copyright (c) 2021 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2023 Oliver Hartl
-Copyright (c) 2022 Patrik Kernstock <patrik@kernstock.net>
 Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2023 sattamjh
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 178fbe0a4a..f1a2f19ad5 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -45,7 +45,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	23.7
+PLUGIN_ABI?=	24.1
 .endif
 
 PHPBIN=		${LOCALBASE}/bin/php
diff --git a/README.md b/README.md
index 197bce5a2e..0e8e71402b 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,6 @@ misc/theme-rebellion -- A suitably dark theme
 misc/theme-tukan -- The tukan theme - blue/white
 misc/theme-vicuna -- The vicuna theme - blue sapphire
 net/chrony -- Chrony time synchronisation
-net/firewall -- Firewall API supplemental package (pending removal)
 net/freeradius -- RADIUS Authentication, Authorization and Accounting Server
 net/frr -- The FRRouting Protocol Suite
 net/ftp-proxy -- Control ftp-proxy processes
@@ -64,10 +63,8 @@ net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
 net/sslh -- sslh configuration front-end
 net/tayga -- Tayga NAT64
 net/udpbroadcastrelay -- Control ubpbroadcastrelay processes
-net/upnp -- Universal Plug and Play Service
+net/upnp -- Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 net/vnstat -- Network traffic monitor
-net/wireguard -- WireGuard VPN service kernel implementation (pending removal)
-net/wireguard-go -- WireGuard VPN service Go implementation (pending removal)
 net/wol -- Wake on LAN Service
 net/zerotier -- Virtual Networks That Just Work
 net-mgmt/collectd -- Collect system and application performance metrics periodically
@@ -94,7 +91,6 @@ security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
-sysutils/api-backup -- EoL, core endpoint is /api/core/backup/download/this (pending removal)
 sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
diff --git a/net/firewall/Makefile b/net/firewall/Makefile
deleted file mode 100644
index 4b2543eaa6..0000000000
--- a/net/firewall/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-PLUGIN_NAME=		firewall
-PLUGIN_VERSION=		1.5
-PLUGIN_COMMENT=		Firewall API supplemental package
-PLUGIN_OBSOLETE=	yes
-PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_TIER=		2
-
-.include "../../Mk/plugins.mk"
diff --git a/net/firewall/pkg-descr b/net/firewall/pkg-descr
deleted file mode 100644
index 30776806e4..0000000000
--- a/net/firewall/pkg-descr
+++ /dev/null
@@ -1,4 +0,0 @@
-This package extends the standard OPNsense firewall system with endpoints for machine to machine management tasks.
-Gui components are initially only intended to ease testing and to explain current functionality.
-
-In the long term this might replace the default firewall in OPNsense.
diff --git a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc b/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
deleted file mode 100644
index 3c9aa2fceb..0000000000
--- a/net/firewall/src/etc/inc/plugins.inc.d/pfplugin.inc
+++ /dev/null
@@ -1,48 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-
- /**
-  * @param $fw
-  */
-function pfplugin_firewall($fw)
-{
-    $mdlFilter = new OPNsense\Firewall\Filter();
-    foreach ($mdlFilter->rules->rule->sortedBy(["sequence"]) as $key => $rule) {
-         $content = $rule->serialize();
-         $content["#ref"] = "ui/firewall/filter#" . (string)$rule->getAttributes()['uuid'];
-         $fw->registerFilterRule($rule->getPriority(), $content);
-    }
-
-    foreach ($mdlFilter->snatrules->rule->sortedBy(["sequence"]) as $key => $rule) {
-         $fw->registerSNatRule(50, $rule->serialize());
-    }
-    foreach ($mdlFilter->npt->rule->sortedBy(["sequence"]) as $key => $rule) {
-         $fw->registerNptRule(50, $rule->serialize());
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
deleted file mode 100644
index 56cfeff770..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
+++ /dev/null
@@ -1,178 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-namespace OPNsense\Firewall\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Core\Config;
-use OPNsense\Firewall\Alias;
-use OPNsense\Firewall\Category;
-
-/**
- * Class FilterBaseController implements actions for various types
- * @package OPNsense\Firewall\Api
- */
-abstract class FilterBaseController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'filter';
-    protected static $internalModelClass = 'OPNsense\Firewall\Filter';
-    protected static $categorysource = null;
-
-    /**
-     * list categories and usage
-     * @return array
-     */
-    public function listCategoriesAction()
-    {
-        $response = ['rows' => []];
-        $catcount = [];
-        if (!empty(static::$categorysource)) {
-            $node = $this->getModel();
-            foreach (explode('.', static::$categorysource) as $ref) {
-                $node = $node->$ref;
-            }
-            foreach ($node->iterateItems() as $item) {
-                if (!empty((string)$item->categories)) {
-                    foreach (explode(',', (string)$item->categories) as $cat) {
-                        if (!isset($catcount[$cat])) {
-                            $catcount[$cat] = 0;
-                        }
-                        $catcount[$cat] += 1;
-                    }
-                }
-            }
-        }
-        foreach ((new Category())->categories->category->iterateItems() as $key => $category) {
-            $response['rows'][] = [
-                "uuid" => $key,
-                "name" => (string)$category->name,
-                "color" => (string)$category->color,
-                "used" => isset($catcount[$key]) ? $catcount[$key] : 0
-            ];
-        }
-        array_multisort(array_column($response['rows'], "name"), SORT_ASC, SORT_NATURAL, $response['rows']);
-
-        return $response;
-    }
-
-    /**
-     * list of available network options
-     * @return array
-     */
-    public function listNetworkSelectOptionsAction()
-    {
-        $result = [
-            'single' => [
-                'label' => gettext("Single host or Network")
-            ],
-            'aliases' => [
-                'label' => gettext("Aliases"),
-                'items' => []
-            ],
-            'networks' => [
-                'label' => gettext("Networks"),
-                'items' => [
-                    'any' => gettext('any'),
-                    '(self)' => gettext("This Firewall")
-                ]
-            ]
-        ];
-        foreach ((Config::getInstance()->object())->interfaces->children() as $ifname => $ifdetail) {
-            $descr = htmlspecialchars(!empty($ifdetail->descr) ? $ifdetail->descr : strtoupper($ifname));
-            $result['networks']['items'][$ifname] = $descr . " " . gettext("net");
-            if (!isset($ifdetail->virtual)) {
-                $result['networks']['items'][$ifname . "ip"] = $descr . " " . gettext("address");
-            }
-        }
-        foreach ((new Alias())->aliases->alias->iterateItems() as $alias) {
-            if (strpos((string)$alias->type, "port") === false) {
-                $result['aliases']['items'][(string)$alias->name] = (string)$alias->name;
-            }
-        }
-
-        return $result;
-    }
-
-
-    public function applyAction($rollback_revision = null)
-    {
-        if ($this->request->isPost()) {
-            if ($rollback_revision != null) {
-                // background rollback timer
-                (new Backend())->configdpRun('pfplugin rollback_timer', [$rollback_revision], true);
-            }
-            return array("status" => (new Backend())->configdRun('filter reload'));
-        } else {
-            return array("status" => "error");
-        }
-    }
-
-    public function cancelRollbackAction($rollback_revision)
-    {
-        if ($this->request->isPost()) {
-            return array(
-                "status" => (new Backend())->configdpRun('pfplugin cancel_rollback', [$rollback_revision])
-            );
-        } else {
-            return array("status" => "error");
-        }
-    }
-
-    public function savepointAction()
-    {
-        if ($this->request->isPost()) {
-            // trigger a save, so we know revision->time matches our running config
-            Config::getInstance()->save();
-            return array(
-                "status" => "ok",
-                "retention" => (string)Config::getInstance()->backupCount(),
-                "revision" => (string)Config::getInstance()->object()->revision->time
-            );
-        } else {
-            return array("status" => "error");
-        }
-    }
-
-    public function revertAction($revision)
-    {
-        if ($this->request->isPost()) {
-            Config::getInstance()->lock();
-            $filename = Config::getInstance()->getBackupFilename($revision);
-            if (!$filename) {
-                Config::getInstance()->unlock();
-                return ["status" => gettext("unknown (or removed) savepoint")];
-            }
-            $this->getModel()->rollback($revision);
-            Config::getInstance()->unlock();
-            (new Backend())->configdRun('filter reload');
-            return ["status" => "ok"];
-        } else {
-            return array("status" => "error");
-        }
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
deleted file mode 100644
index 7af4676eb9..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+++ /dev/null
@@ -1,67 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-namespace OPNsense\Firewall\Api;
-
-class FilterController extends FilterBaseController
-{
-    protected static $categorysource = "rules.rule";
-
-    public function searchRuleAction()
-    {
-        $category = $this->request->get('category');
-        $filter_funct = function ($record) use ($category) {
-            return empty($category) || array_intersect(explode(',', $record->categories), $category);
-        };
-        return $this->searchBase("rules.rule", ['enabled', 'sequence', 'description'], "sequence", $filter_funct);
-    }
-
-    public function setRuleAction($uuid)
-    {
-        return $this->setBase("rule", "rules.rule", $uuid);
-    }
-
-    public function addRuleAction()
-    {
-        return $this->addBase("rule", "rules.rule");
-    }
-
-    public function getRuleAction($uuid = null)
-    {
-        return $this->getBase("rule", "rules.rule", $uuid);
-    }
-
-    public function delRuleAction($uuid)
-    {
-        return $this->delBase("rules.rule", $uuid);
-    }
-
-    public function toggleRuleAction($uuid, $enabled = null)
-    {
-        return $this->toggleBase("rules.rule", $uuid, $enabled);
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
deleted file mode 100644
index 9b04139d2e..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
+++ /dev/null
@@ -1,72 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-namespace OPNsense\Firewall\Api;
-
-class NptController extends FilterBaseController
-{
-    protected static $categorysource = "npt.rule";
-
-    public function searchRuleAction()
-    {
-        $category = $this->request->get('category');
-        $filter_funct = function ($record) use ($category) {
-            return empty($category) || array_intersect(explode(',', $record->categories), $category);
-        };
-        return $this->searchBase(
-            "npt.rule",
-            ['enabled', 'sequence', 'source_net', 'destination_net', 'trackif', 'description'],
-            "sequence",
-            $filter_funct
-        );
-    }
-
-    public function setRuleAction($uuid)
-    {
-        return $this->setBase("rule", "npt.rule", $uuid);
-    }
-
-    public function addRuleAction()
-    {
-        return $this->addBase("rule", "npt.rule");
-    }
-
-    public function getRuleAction($uuid = null)
-    {
-        return $this->getBase("rule", "npt.rule", $uuid);
-    }
-
-    public function delRuleAction($uuid)
-    {
-        return $this->delBase("npt.rule", $uuid);
-    }
-
-    public function toggleRuleAction($uuid, $enabled = null)
-    {
-        return $this->toggleBase("npt.rule", $uuid, $enabled);
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
deleted file mode 100644
index 5833225d96..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+++ /dev/null
@@ -1,67 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-namespace OPNsense\Firewall\Api;
-
-class SourceNatController extends FilterBaseController
-{
-    protected static $categorysource = "snatrules.rule";
-
-    public function searchRuleAction()
-    {
-        $category = $this->request->get('category');
-        $filter_funct = function ($record) use ($category) {
-            return empty($category) || array_intersect(explode(',', $record->categories), $category);
-        };
-        return $this->searchBase("snatrules.rule", ['enabled', 'sequence', 'description'], "sequence", $filter_funct);
-    }
-
-    public function setRuleAction($uuid)
-    {
-        return $this->setBase("rule", "snatrules.rule", $uuid);
-    }
-
-    public function addRuleAction()
-    {
-        return $this->addBase("rule", "snatrules.rule");
-    }
-
-    public function getRuleAction($uuid = null)
-    {
-        return $this->getBase("rule", "snatrules.rule", $uuid);
-    }
-
-    public function delRuleAction($uuid)
-    {
-        return $this->delBase("snatrules.rule", $uuid);
-    }
-
-    public function toggleRuleAction($uuid, $enabled = null)
-    {
-        return $this->toggleBase("snatrules.rule", $uuid, $enabled);
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
deleted file mode 100644
index e558fe813e..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/FilterController.php
+++ /dev/null
@@ -1,50 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-namespace OPNsense\Firewall;
-
-class FilterController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->pick('OPNsense/Firewall/filter');
-        $this->view->SavePointBtns = true;
-        $this->view->ruleController = "filter";
-        $this->view->gridFields = [
-            [
-                'id' => 'enabled', 'formatter' => 'rowtoggle' ,'width' => '6em', 'heading' => gettext('Enabled')
-            ],
-            [
-                'id' => 'sequence','width' => '9em', 'heading' => gettext('Sequence')
-            ],
-            [
-                'id' => 'description', 'heading' => gettext('Description')
-            ]
-        ];
-        $this->view->formDialogFilterRule = $this->getForm("dialogFilterRule");
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
deleted file mode 100644
index d701a8003d..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
+++ /dev/null
@@ -1,59 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-namespace OPNsense\Firewall;
-
-class NptController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->pick('OPNsense/Firewall/filter');
-        $this->view->ruleController = "npt";
-        $this->view->gridFields = [
-            [
-                'id' => 'enabled', 'formatter' => 'rowtoggle' ,'width' => '6em', 'heading' => gettext('Enabled')
-            ],
-            [
-                'id' => 'sequence','width' => '9em', 'heading' => gettext('Sequence')
-            ],
-            [
-                'id' => 'source_net', 'heading' => gettext('Internal IPv6 Prefix')
-            ],
-            [
-                'id' => 'destination_net', 'heading' => gettext('External IPv6 Prefix')
-            ],
-            [
-                'id' => 'trackif', 'heading' => gettext('Track if')
-            ],
-            [
-                'id' => 'description', 'heading' => gettext('Description')
-            ]
-        ];
-
-        $this->view->formDialogFilterRule = $this->getForm("dialogNptRule");
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
deleted file mode 100644
index 9e24cc700d..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/SourceNatController.php
+++ /dev/null
@@ -1,50 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-namespace OPNsense\Firewall;
-
-class SourceNatController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->pick('OPNsense/Firewall/filter');
-        $this->view->SavePointBtns = true;
-        $this->view->ruleController = "source_nat";
-        $this->view->gridFields = [
-            [
-                'id' => 'enabled', 'formatter' => 'rowtoggle' ,'width' => '6em', 'heading' => gettext('Enabled')
-            ],
-            [
-                'id' => 'sequence','width' => '9em', 'heading' => gettext('Sequence')
-            ],
-            [
-                'id' => 'description', 'heading' => gettext('Description')
-            ]
-        ];
-        $this->view->formDialogFilterRule = $this->getForm("dialogSNatRule");
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
deleted file mode 100644
index af4cda9bcf..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogFilterRule.xml
+++ /dev/null
@@ -1,114 +0,0 @@
-<form>
-    <field>
-        <id>rule.enabled</id>
-        <label>enabled</label>
-        <type>checkbox</type>
-        <help>Enable this rule</help>
-    </field>
-    <field>
-        <id>rule.sequence</id>
-        <label>Sequence</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>rule.action</id>
-        <label>Action</label>
-        <type>dropdown</type>
-        <help>Choose what to do with packets that match the criteria specified below.
-            Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded.
-        </help>
-    </field>
-    <field>
-        <id>rule.quick</id>
-        <label>Quick</label>
-        <type>checkbox</type>
-        <help>
-            If a packet matches a rule specifying quick, then that rule is considered the last matching rule and the specified action is taken.
-            When a rule does not have quick enabled, the last matching rule wins.
-        </help>
-    </field>
-    <field>
-        <id>rule.interface</id>
-        <label>Interface</label>
-        <type>select_multiple</type>
-    </field>
-    <field>
-        <id>rule.direction</id>
-        <label>Direction</label>
-        <type>dropdown</type>
-        <help>
-            Direction of the traffic. The default policy is to filter inbound traffic, which sets the policy to the interface originally receiving the traffic.
-        </help>
-    </field>
-    <field>
-        <id>rule.ipprotocol</id>
-        <label>TCP/IP Version</label>
-        <type>dropdown</type>
-    </field>
-    <field>
-        <id>rule.protocol</id>
-        <label>Protocol</label>
-        <type>dropdown</type>
-    </field>
-    <field>
-        <id>rule.source_net</id>
-        <label>Source</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>rule.source_port</id>
-        <label>Source port</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help>Source port number or well known name (imap, imaps, http, https, ...), for ranges use a dash</help>
-    </field>
-    <field>
-        <id>rule.source_not</id>
-        <label>Source / Invert</label>
-        <type>checkbox</type>
-        <help>Use this option to invert the sense of the match.</help>
-    </field>
-    <field>
-        <id>rule.destination_net</id>
-        <label>Destination</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>rule.destination_not</id>
-        <label>Destination / Invert</label>
-        <type>checkbox</type>
-        <help>Use this option to invert the sense of the match.</help>
-    </field>
-    <field>
-        <id>rule.destination_port</id>
-        <label>Destination port</label>
-        <type>text</type>
-        <help>Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash</help>
-    </field>
-    <field>
-        <id>rule.gateway</id>
-        <label>Gateway</label>
-        <type>dropdown</type>
-        <help>
-            Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.
-        </help>
-    </field>
-    <field>
-        <id>rule.log</id>
-        <label>Log</label>
-        <type>checkbox</type>
-        <help>Log packets that are handled by this rule</help>
-    </field>
-    <field>
-        <id>rule.categories</id>
-        <label>Categories</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <help>For grouping purposes you may select multiple groups here to organize items.</help>
-    </field>
-    <field>
-        <id>rule.description</id>
-        <label>Description</label>
-        <type>text</type>
-    </field>
-</form>
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
deleted file mode 100644
index 4c68b0e40b..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
+++ /dev/null
@@ -1,53 +0,0 @@
-<form>
-    <field>
-        <id>rule.enabled</id>
-        <label>enabled</label>
-        <type>checkbox</type>
-        <help>Enable this rule</help>
-    </field>
-    <field>
-        <id>rule.sequence</id>
-        <label>Sequence</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>rule.log</id>
-        <label>Log</label>
-        <type>checkbox</type>
-        <help>Log packets that are handled by this rule</help>
-    </field>
-    <field>
-        <id>rule.interface</id>
-        <label>Interface</label>
-        <type>dropdown</type>
-    </field>
-    <field>
-        <id>rule.source_net</id>
-        <label>Internal IPv6 Prefix (source)</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>rule.destination_net</id>
-        <label>External IPv6 Prefix (target)</label>
-        <type>text</type>
-        <help>Enter the external IPv6 prefix for this network prefix translation. Leave empty to auto-detect the prefix address using the specified tracking interface instead. The prefix size specified for the internal prefix will also be applied to the external prefix.</help>
-    </field>
-    <field>
-        <id>rule.trackif</id>
-        <label>Track interface</label>
-        <type>dropdown</type>
-        <help>Use prefix defined on the selected interface instead of the interface this rule applies to when target prefix is not provided.</help>
-    </field>
-    <field>
-        <id>rule.categories</id>
-        <label>Categories</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <help>For grouping purposes you may select multiple groups here to organize items.</help>
-    </field>
-    <field>
-        <id>rule.description</id>
-        <label>Description</label>
-        <type>text</type>
-    </field>
-</form>
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
deleted file mode 100644
index 90dc7a90ba..0000000000
--- a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
+++ /dev/null
@@ -1,101 +0,0 @@
-<form>
-    <field>
-        <id>rule.enabled</id>
-        <label>enabled</label>
-        <type>checkbox</type>
-        <help>Enable this rule</help>
-    </field>
-    <field>
-        <id>rule.nonat</id>
-        <label>Do not NAT</label>
-        <type>checkbox</type>
-        <help>Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules.</help>
-    </field>
-    <field>
-        <id>rule.sequence</id>
-        <label>Sequence</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>rule.interface</id>
-        <label>Interface</label>
-        <type>dropdown</type>
-    </field>
-    <field>
-        <id>rule.ipprotocol</id>
-        <label>TCP/IP Version</label>
-        <type>dropdown</type>
-    </field>
-    <field>
-        <id>rule.protocol</id>
-        <label>Protocol</label>
-        <type>dropdown</type>
-    </field>
-    <field>
-        <id>rule.source_net</id>
-        <label>Source</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>rule.source_port</id>
-        <label>Source port</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help>Source port number or well known name (imap, imaps, http, https, ...), for ranges use a dash</help>
-    </field>
-    <field>
-        <id>rule.source_not</id>
-        <label>Source / Invert</label>
-        <type>checkbox</type>
-        <help>Use this option to invert the sense of the match.</help>
-    </field>
-    <field>
-        <id>rule.destination_net</id>
-        <label>Destination</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>rule.destination_not</id>
-        <label>Destination / Invert</label>
-        <type>checkbox</type>
-        <help>Use this option to invert the sense of the match.</help>
-    </field>
-    <field>
-        <id>rule.destination_port</id>
-        <label>Destination port</label>
-        <type>text</type>
-        <help>Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash</help>
-    </field>
-    <field>
-        <id>rule.target</id>
-        <label>Translation / target</label>
-        <type>text</type>
-        <help>
-            Packets matching this rule will be mapped to the IP address given here.
-        </help>
-    </field>
-    <field>
-        <id>rule.target_port</id>
-        <label>Translation port</label>
-        <type>text</type>
-        <help>Destination port number or well known name (imap, imaps, http, https, ...)</help>
-    </field>
-    <field>
-        <id>rule.log</id>
-        <label>Log</label>
-        <type>checkbox</type>
-        <help>Log packets that are handled by this rule</help>
-    </field>
-    <field>
-        <id>rule.categories</id>
-        <label>Categories</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <help>For grouping purposes you may select multiple groups here to organize items.</help>
-    </field>
-    <field>
-        <id>rule.description</id>
-        <label>Description</label>
-        <type>text</type>
-    </field>
-</form>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
deleted file mode 100644
index c8a66f358c..0000000000
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/ACL/ACL.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<acl>
-    <page-filter-api>
-        <name>Firewall: Automation: Filter</name>
-        <patterns>
-            <pattern>ui/firewall/filter/*</pattern>
-            <pattern>api/firewall/filter/*</pattern>
-        </patterns>
-    </page-filter-api>
-    <page-filter-snat-api>
-        <name>Firewall: Automation: Source NAT</name>
-        <patterns>
-            <pattern>ui/firewall/source_nat/*</pattern>
-            <pattern>api/firewall/source_nat/*</pattern>
-        </patterns>
-    </page-filter-snat-api>
-    <page-firewall-nat-npt>
-        <name>Firewall: Automation: NPTv6</name>
-        <patterns>
-            <pattern>ui/firewall/npt/*</pattern>
-            <pattern>api/firewall/npt/*</pattern>
-        </patterns>
-    </page-firewall-nat-npt>
-</acl>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
deleted file mode 100644
index a3c69c53ca..0000000000
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/FilterRuleField.php
+++ /dev/null
@@ -1,138 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Firewall\FieldTypes;
-
-use OPNsense\Core\Config;
-use OPNsense\Base\FieldTypes\ArrayField;
-use OPNsense\Base\FieldTypes\ContainerField;
-
-/**
- * Class FilterRuleContainerField
- * @package OPNsense\Firewall\FieldTypes
- */
-class FilterRuleContainerField extends ContainerField
-{
-    /**
-     * map rules
-     * @return array
-     */
-    public function serialize()
-    {
-        $result = array();
-        $map_manual = ['source_net', 'source_not', 'source_port', 'destination_net', 'destination_not',
-            'destination_port', 'enabled', 'description', 'sequence', 'action'];
-        // 1-on-1 map (with type conversion if needed)
-        foreach ($this->iterateItems() as $key => $node) {
-            if (!in_array($key, $map_manual)) {
-                if (is_a($node, "OPNsense\\Base\\FieldTypes\\BooleanField")) {
-                    $result[$key] = !empty((string)$node);
-                } elseif (is_a($node, "OPNsense\\Base\\FieldTypes\\ProtocolField")) {
-                    if ((string)$node != 'any') {
-                        $result[$key] = (string)$node;
-                    }
-                } else {
-                    $result[$key] = (string)$node;
-                }
-            }
-        }
-        // source / destination mapping
-        $result['source'] = array();
-        if (!empty((string)$this->source_net)) {
-            $result['source']['network'] = (string)$this->source_net;
-            if (!empty((string)$this->source_not)) {
-                $result['source']['not'] = true;
-            }
-            if (!empty((string)$this->source_port)) {
-                $result['source']['port'] = (string)$this->source_port;
-            }
-        }
-        $result['destination'] = array();
-        if (!empty((string)$this->destination_net)) {
-            $result['destination']['network'] = (string)$this->destination_net;
-            if (!empty((string)$this->destination_not)) {
-                $result['destination']['not'] = true;
-            }
-            if (!empty((string)$this->destination_port)) {
-                $result['destination']['port'] = (string)$this->destination_port;
-            }
-        }
-        // field mappings and differences
-        $result['disabled'] = empty((string)$this->enabled);
-        $result['descr'] = (string)$this->description;
-        $result['type'] = (string)$this->action;
-        if (strpos((string)$this->interface, ",") !== false) {
-            $result['floating'] = true;
-        }
-        return $result;
-    }
-
-    /**
-     * rule priority is threaded equally to the legacy rules, first "floating" then groups and single interface
-     * rules are handled last
-     * @return int priority in the ruleset, sequence should determine sort order.
-     */
-    public function getPriority()
-    {
-        $configObj = Config::getInstance()->object();
-        $interface = (string)$this->interface;
-        if (strpos($interface, ",") !== false) {
-            // floating (multiple interfaces involved)
-            return 1000;
-        } elseif (
-            !empty($configObj->interfaces) &&
-            !empty($configObj->interfaces->$interface) &&
-            !empty($configObj->interfaces->$interface->type) &&
-            $configObj->interfaces->$interface->type == 'group'
-        ) {
-            // group type
-            return 2000;
-        } else {
-            // default
-            return 3000;
-        }
-    }
-}
-
-/**
- * Class FilterRuleField
- * @package OPNsense\Firewall\FieldTypes
- */
-class FilterRuleField extends ArrayField
-{
-    /**
-     * @inheritDoc
-     */
-    public function newContainerField($ref, $tagname)
-    {
-        $container_node = new FilterRuleContainerField($ref, $tagname);
-        $parentmodel = $this->getParentModel();
-        $container_node->setParentModel($parentmodel);
-        return $container_node;
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
deleted file mode 100644
index b26c5d6022..0000000000
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/SourceNatRuleField.php
+++ /dev/null
@@ -1,111 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Firewall\FieldTypes;
-
-use OPNsense\Base\FieldTypes\ArrayField;
-use OPNsense\Base\FieldTypes\ContainerField;
-
-/**
- * Class SourceNatRuleContainerField
- * @package OPNsense\Firewall\FieldTypes
- */
-class SourceNatRuleContainerField extends ContainerField
-{
-    /**
-     * map source nat rules
-     * @return array
-     */
-    public function serialize()
-    {
-        $result = [];
-        $source_mapper = [
-            'enabled' => false,
-            'source_net' => false,
-            'source_not' => false,
-            'source_port' => 'sourceport',
-            'destination_net' => false,
-            'destination_not' => false,
-            'destination_port' => 'dstport',
-            'target_port' => 'natport',
-            'description' => 'descr'
-        ];
-        // 1-on-1 map (with type conversion if needed)
-        foreach ($this->iterateItems() as $key => $node) {
-            $target_fieldname = isset($source_mapper[$key]) ? $source_mapper[$key] : $key;
-            if ($target_fieldname) {
-                if (is_a($node, "OPNsense\\Base\\FieldTypes\\BooleanField")) {
-                    $result[$target_fieldname] = !empty((string)$node);
-                } elseif (is_a($node, "OPNsense\\Base\\FieldTypes\\ProtocolField")) {
-                    if ((string)$node != 'any') {
-                        $result[$target_fieldname] = (string)$node;
-                    }
-                } else {
-                    $result[$target_fieldname] = (string)$node;
-                }
-            }
-        }
-
-        $result['disabled'] = empty((string)$this->enabled);
-        // source / destination mapping, doesn't use port construct like it would for rules.
-        $result['source'] = array();
-        if (!empty((string)$this->source_net)) {
-            $result['source']['network'] = (string)$this->source_net;
-            if (!empty((string)$this->source_not)) {
-                $result['source']['not'] = true;
-            }
-        }
-        $result['destination'] = array();
-        if (!empty((string)$this->destination_net)) {
-            $result['destination']['network'] = (string)$this->destination_net;
-            if (!empty((string)$this->destination_not)) {
-                $result['destination']['not'] = true;
-            }
-        }
-
-        return $result;
-    }
-}
-
-/**
- * Class SourceNatRuleField
- * @package OPNsense\Firewall\FieldTypes
- */
-class SourceNatRuleField extends ArrayField
-{
-    /**
-     * @inheritDoc
-     */
-    public function newContainerField($ref, $tagname)
-    {
-        $container_node = new SourceNatRuleContainerField($ref, $tagname);
-        $parentmodel = $this->getParentModel();
-        $container_node->setParentModel($parentmodel);
-        return $container_node;
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
deleted file mode 100644
index 03978bc450..0000000000
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+++ /dev/null
@@ -1,164 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Firewall;
-
-use OPNsense\Core\Config;
-use Phalcon\Messages\Message;
-use OPNsense\Base\BaseModel;
-use OPNsense\Firewall\Util;
-
-class Filter extends BaseModel
-{
-    /**
-     * @inheritDoc
-     */
-    public function performValidation($validateFullModel = false)
-    {
-        $config = Config::getInstance()->object();
-
-        // standard model validations
-        $messages = parent::performValidation($validateFullModel);
-        foreach ([$this->rules->rule, $this->snatrules->rule] as $rules) {
-            foreach ($rules->iterateItems() as $rule) {
-                if ($validateFullModel || $rule->isFieldChanged()) {
-                    // port / protocol validation
-                    if (!empty((string)$rule->source_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
-                        $messages->appendMessage(new Message(
-                            gettext("Source ports are only valid for tcp or udp type rules."),
-                            $rule->source_port->__reference
-                        ));
-                    }
-                    if (!empty((string)$rule->destination_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
-                        $messages->appendMessage(new Message(
-                            gettext("Destination ports are only valid for tcp or udp type rules."),
-                            $rule->destination_port->__reference
-                        ));
-                    }
-                    // validate protocol family
-                    $dest_is_addr = Util::isSubnet($rule->destination_net) || Util::isIpAddress($rule->destination_net);
-                    $dest_proto = strpos($rule->destination_net, ':') === false ? "inet" : "inet6";
-                    if ($dest_is_addr && $dest_proto != $rule->ipprotocol) {
-                        $messages->appendMessage(new Message(
-                            gettext("Destination address type should match selected TCP/IP protocol version."),
-                            $rule->destination_net->__reference
-                        ));
-                    }
-                    $src_is_addr = Util::isSubnet($rule->source_net) || Util::isIpAddress($rule->source_net);
-                    $src_proto = strpos($rule->source_net, ':') === false ? "inet" : "inet6";
-                    if ($src_is_addr && $src_proto != $rule->ipprotocol) {
-                        $messages->appendMessage(new Message(
-                            gettext("Source address type should match selected TCP/IP protocol version."),
-                            $rule->source_net->__reference
-                        ));
-                    }
-                    // Additional source nat validations
-                    if ($rule->target !== null) {
-                        $target_is_addr = Util::isSubnet($rule->target) || Util::isIpAddress($rule->target);
-                        $target_proto = strpos($rule->target, ':') === false ? "inet" : "inet6";
-                        if ($target_is_addr && $target_proto != $rule->ipprotocol) {
-                            $messages->appendMessage(new Message(
-                                gettext("Target address type should match selected TCP/IP protocol version."),
-                                $rule->target->__reference
-                            ));
-                        }
-                        if (!empty((string)$rule->target_port) && !in_array($rule->protocol, ['TCP', 'UDP'])) {
-                            $messages->appendMessage(new Message(
-                                gettext("Target ports are only valid for tcp or udp type rules."),
-                                $rule->target_port->__reference
-                            ));
-                        }
-                    }
-                }
-            }
-        }
-
-        foreach ($this->npt->rule->iterateItems() as $rule) {
-            if ($validateFullModel || $rule->isFieldChanged()) {
-                if (!empty((string)$rule->trackif)) {
-                    if (!empty((string)$rule->destination_net)) {
-                        $messages->appendMessage(new Message(
-                            gettext('A track interface is only allowed without an external prefix.'),
-                            $rule->trackif->__reference
-                        ));
-                    }
-
-                    if (
-                        (empty($config->interfaces->{$rule->interface}->ipaddrv6) ||
-                        $config->interfaces->{$rule->interface}->ipaddrv6 != 'dhcp6') ||
-                        empty($config->interfaces->{$rule->trackif}->{'track6-interface'}) ||
-                        $config->interfaces->{$rule->trackif}->{'track6-interface'} != (string)$rule->interface
-                    ) {
-                        $messages->appendMessage(new Message(
-                            gettext('This interface is not tracking the current rule interface.'),
-                            $rule->trackif->__reference
-                        ));
-                    }
-                }
-
-                if (!empty((string)$rule->destination_net) && !empty((string)$rule->source_net)) {
-                    /* defaults to /128 */
-                    $dparts = explode('/', (string)$rule->destination_net . '/128');
-                    $sparts = explode('/', (string)$rule->source_net . '/128');
-                    if ($dparts[1] != $sparts[1]) {
-                        $messages->appendMessage(new Message(
-                            gettext("External subnet should match internal subnet."),
-                            $rule->destination_net->__reference
-                        ));
-                    }
-                }
-            }
-        }
-        return $messages;
-    }
-
-    /**
-     * Rollback this model to a previous version.
-     * Make sure to remove this object afterwards, since its contents won't be updated.
-     * @param $revision float|string revision number
-     * @return bool action performed (backup revision existed)
-     */
-    public function rollback($revision)
-    {
-        $filename = Config::getInstance()->getBackupFilename($revision);
-        if ($filename) {
-            // fiddle with the dom, copy OPNsense->Firewall->Filter from backup to current config
-            $sourcexml = simplexml_load_file($filename);
-            if ($sourcexml->OPNsense->Firewall->Filter) {
-                $sourcedom = dom_import_simplexml($sourcexml->OPNsense->Firewall->Filter);
-                $targetxml = Config::getInstance()->object();
-                $targetdom = dom_import_simplexml($targetxml->OPNsense->Firewall->Filter);
-                $node = $targetdom->ownerDocument->importNode($sourcedom, true);
-                $targetdom->parentNode->replaceChild($node, $targetdom);
-                Config::getInstance()->save();
-                return true;
-            }
-        }
-        return false;
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
deleted file mode 100644
index dc7399beb9..0000000000
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+++ /dev/null
@@ -1,263 +0,0 @@
-<model>
-    <mount>//OPNsense/Firewall/Filter</mount>
-    <version>1.0.2</version>
-    <migration_prefix>MFP</migration_prefix>
-    <description>
-        OPNsense firewall filter rules
-    </description>
-    <items>
-        <rules>
-            <rule type=".\FilterRuleField">
-                <enabled type="BooleanField">
-                    <Default>1</Default>
-                    <Required>Y</Required>
-                </enabled>
-                <sequence type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>99999</MaximumValue>
-                    <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
-                    <Required>Y</Required>
-                    <Default>1</Default>
-                </sequence>
-                <action type="OptionField">
-                    <Required>Y</Required>
-                    <Default>pass</Default>
-                    <OptionValues>
-                        <pass>Pass</pass>
-                        <block>Block</block>
-                        <reject>Reject</reject>
-                    </OptionValues>
-                </action>
-                <quick type="BooleanField">
-                    <Default>1</Default>
-                    <Required>Y</Required>
-                </quick>
-                <interface type="InterfaceField">
-                    <Multiple>Y</Multiple>
-                    <AllowDynamic>Y</AllowDynamic>
-                </interface>
-                <direction type="OptionField">
-                    <Required>Y</Required>
-                    <Default>in</Default>
-                    <OptionValues>
-                        <in>In</in>
-                        <out>Out</out>
-                    </OptionValues>
-                </direction>
-                <ipprotocol type="OptionField">
-                    <Required>Y</Required>
-                    <Default>inet</Default>
-                    <OptionValues>
-                        <inet>IPv4</inet>
-                        <inet6>IPv6</inet6>
-                    </OptionValues>
-                </ipprotocol>
-                <protocol type="ProtocolField">
-                    <Required>Y</Required>
-                    <Default>any</Default>
-                </protocol>
-                <!-- XXX: should map internally to  'source' => array('network' => $source_net, "not" => true|false) -->
-                <source_net type="NetworkAliasField">
-                    <Default>any</Default>
-                    <Required>Y</Required>
-                </source_net>
-                <source_not type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                </source_not>
-                <source_port type="PortField">
-                    <EnableWellKnown>Y</EnableWellKnown>
-                    <EnableRanges>Y</EnableRanges>
-                    <EnableAlias>Y</EnableAlias>
-                    <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
-                </source_port>
-                <!-- XXX: should map internally to  'source' => array('destination' => destination_net, "not" => true|false) -->
-                <destination_net type="NetworkAliasField">
-                    <Default>any</Default>
-                    <Required>Y</Required>
-                </destination_net>
-                <destination_not type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                </destination_not>
-                <destination_port type="PortField">
-                    <EnableWellKnown>Y</EnableWellKnown>
-                    <EnableRanges>Y</EnableRanges>
-                    <EnableAlias>Y</EnableAlias>
-                    <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
-                </destination_port>
-                <gateway type="JsonKeyValueStoreField">
-                    <ConfigdPopulateAct>interface gateways list</ConfigdPopulateAct>
-                    <SourceFile>/tmp/gateway_list.json</SourceFile>
-                    <ConfigdPopulateTTL>20</ConfigdPopulateTTL>
-                    <ValidationMessage>Specify a valid gateway from the list matching the networks ip protocol.</ValidationMessage>
-                </gateway>
-                <log type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                </log>
-                <categories type="ModelRelationField">
-                    <Model>
-                        <rulesets>
-                            <source>OPNsense.Firewall.Category</source>
-                            <items>categories.category</items>
-                            <display>name</display>
-                        </rulesets>
-                    </Model>
-                    <Multiple>Y</Multiple>
-                    <ValidationMessage>Related category not found.</ValidationMessage>
-                </categories>
-                <description type="TextField">
-                    <Required>N</Required>
-                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
-                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
-                </description>
-            </rule>
-        </rules>
-        <snatrules>
-            <rule type=".\SourceNatRuleField">
-                <enabled type="BooleanField">
-                    <Default>1</Default>
-                    <Required>Y</Required>
-                </enabled>
-                <nonat type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                </nonat>
-                <sequence type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>99999</MaximumValue>
-                    <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
-                    <Required>Y</Required>
-                    <Default>1</Default>
-                </sequence>
-                <interface type="InterfaceField">
-                    <Required>Y</Required>
-                    <Default>lan</Default>
-                    <AllowDynamic>Y</AllowDynamic>
-                </interface>
-                <ipprotocol type="OptionField">
-                    <Required>Y</Required>
-                    <Default>inet</Default>
-                    <OptionValues>
-                        <inet>IPv4</inet>
-                        <inet6>IPv6</inet6>
-                    </OptionValues>
-                </ipprotocol>
-                <protocol type="ProtocolField">
-                    <Required>Y</Required>
-                    <Default>any</Default>
-                </protocol>
-                <source_net type="NetworkAliasField">
-                    <Default>any</Default>
-                    <Required>Y</Required>
-                </source_net>
-                <source_not type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                </source_not>
-                <source_port type="PortField">
-                    <EnableWellKnown>Y</EnableWellKnown>
-                    <EnableRanges>Y</EnableRanges>
-                    <EnableAlias>Y</EnableAlias>
-                    <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
-                </source_port>
-                <destination_net type="NetworkAliasField">
-                    <Default>any</Default>
-                    <Required>Y</Required>
-                </destination_net>
-                <destination_not type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                </destination_not>
-                <destination_port type="PortField">
-                    <EnableWellKnown>Y</EnableWellKnown>
-                    <EnableRanges>Y</EnableRanges>
-                    <EnableAlias>Y</EnableAlias>
-                    <ValidationMessage>Please specify a valid portnumber, name, alias or range</ValidationMessage>
-                </destination_port>
-                <target type="NetworkAliasField">
-                    <Default>wanip</Default>
-                    <Required>Y</Required>
-                </target>
-                <target_port type="PortField">
-                    <EnableWellKnown>Y</EnableWellKnown>
-                    <EnableRanges>Y</EnableRanges>
-                </target_port>
-                <log type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                </log>
-                <categories type="ModelRelationField">
-                    <Model>
-                        <rulesets>
-                            <source>OPNsense.Firewall.Category</source>
-                            <items>categories.category</items>
-                            <display>name</display>
-                        </rulesets>
-                    </Model>
-                    <Multiple>Y</Multiple>
-                    <ValidationMessage>Related category not found.</ValidationMessage>
-                </categories>
-                <description type="TextField">
-                    <Required>N</Required>
-                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
-                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
-                </description>
-            </rule>
-        </snatrules>
-        <npt>
-            <rule type=".\SourceNatRuleField">
-                <enabled type="BooleanField">
-                    <Default>1</Default>
-                    <Required>Y</Required>
-                </enabled>
-                <log type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                </log>
-                <sequence type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>99999</MaximumValue>
-                    <ValidationMessage>provide a valid sequence for sorting</ValidationMessage>
-                    <Required>Y</Required>
-                    <Default>1</Default>
-                </sequence>
-                <interface type="InterfaceField">
-                    <Required>Y</Required>
-                    <Default>lan</Default>
-                    <AllowDynamic>Y</AllowDynamic>
-                </interface>
-                <source_net type="NetworkField">
-                    <Required>Y</Required>
-                    <AddressFamily>ipv6</AddressFamily>
-                    <NetMaskRequired>N</NetMaskRequired>
-                    <WildcardEnabled>N</WildcardEnabled>
-                </source_net>
-                <destination_net type="NetworkField">
-                    <AddressFamily>ipv6</AddressFamily>
-                    <NetMaskRequired>N</NetMaskRequired>
-                    <WildcardEnabled>N</WildcardEnabled>
-                </destination_net>
-                <trackif type="InterfaceField">
-                </trackif>
-                <categories type="ModelRelationField">
-                    <Model>
-                        <rulesets>
-                            <source>OPNsense.Firewall.Category</source>
-                            <items>categories.category</items>
-                            <display>name</display>
-                        </rulesets>
-                    </Model>
-                    <Multiple>Y</Multiple>
-                    <ValidationMessage>Related category not found.</ValidationMessage>
-                </categories>
-                <description type="TextField">
-                    <Required>N</Required>
-                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
-                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
-                </description>
-            </rule>
-        </npt>
-    </items>
-</model>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
deleted file mode 100644
index 455d065463..0000000000
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.xml
+++ /dev/null
@@ -1,15 +0,0 @@
-<menu>
-    <Firewall>
-        <Automation cssClass="fa fa-gear">
-            <Filter order="50" url="/ui/firewall/filter/">
-                <FilterRef url="/ui/firewall/filter#*" visibility="hidden"/>
-            </Filter>
-            <SourceNat order="100" VisibleName="Source NAT" url="/ui/firewall/source_nat/">
-                <FilterRef url="/ui/firewall/source_nat#*" visibility="hidden"/>
-            </SourceNat>
-            <Npt order="150" VisibleName="NPTv6" url="/ui/firewall/npt/">
-                <FilterRef url="/ui/firewall/npt#*" visibility="hidden"/>
-            </Npt>
-        </Automation>
-    </Firewall>
-</menu>
diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
deleted file mode 100644
index 2e33d2f7c4..0000000000
--- a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Migrations/MFP1_0_0.php
+++ /dev/null
@@ -1,59 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2020 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Firewall\Migrations;
-
-use OPNsense\Core\Config;
-use OPNsense\Base\BaseModelMigration;
-
-class MFP1_0_0 extends BaseModelMigration
-{
-    public function post($model)
-    {
-        // Move OPNsense->Firewall->FilterRule ---> OPNsense->Firewall->Filter
-        $cfgObj = Config::getInstance()->object();
-        if (
-            !empty($cfgObj->OPNsense) && !empty($cfgObj->OPNsense->Firewall)
-                && !empty($cfgObj->OPNsense->Firewall->FilterRule)
-        ) {
-            // model migration created a new, empty rules section
-            if (empty($cfgObj->OPNsense->Firewall->Filter->rules)) {
-                unset($cfgObj->OPNsense->Firewall->Filter->rules);
-                $targetdom = dom_import_simplexml($cfgObj->OPNsense->Firewall->Filter);
-                foreach ($cfgObj->OPNsense->Firewall->FilterRule->children() as $child) {
-                    $sourcedom = dom_import_simplexml($child);
-                    $targetdom->appendChild($sourcedom);
-                }
-                unset($cfgObj->OPNsense->Firewall->FilterRule);
-                Config::getInstance()->save();
-            }
-        }
-    }
-}
diff --git a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt b/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
deleted file mode 100644
index 1b3abb3972..0000000000
--- a/net/firewall/src/opnsense/mvc/app/views/OPNsense/Firewall/filter.volt
+++ /dev/null
@@ -1,250 +0,0 @@
-<script>
-    $( document ).ready(function() {
-        let initial_load = true;
-        let grid = $("#grid-rules").UIBootgrid({
-            search:'/api/firewall/{{ruleController}}/search_rule/',
-            get:'/api/firewall/{{ruleController}}/get_rule/',
-            set:'/api/firewall/{{ruleController}}/set_rule/',
-            add:'/api/firewall/{{ruleController}}/add_rule/',
-            del:'/api/firewall/{{ruleController}}/del_rule/',
-            toggle:'/api/firewall/{{ruleController}}/toggle_rule/',
-            options:{
-                requestHandler: function(request){
-                    if ( $('#category_filter').val().length > 0) {
-                        request['category'] = $('#category_filter').val();
-                    }
-                    return request;
-                }
-            }
-        });
-        grid.on("loaded.rs.jquery.bootgrid", function (e){
-            // reload categories before grid load
-            ajaxCall('/api/firewall/{{ruleController}}/list_categories', {}, function(data, status){
-                if (data.rows !== undefined) {
-                    let current_selection = $("#category_filter").val();
-                    $("#category_filter").empty();
-                    for (i=0; i < data.rows.length ; ++i) {
-                        let row = data.rows[i];
-                        let opt_val = $('<div/>').html(row.name).text();
-                        let bgcolor = row.color != "" ? row.color : '31708f;'; // set category color
-                        let option = $("<option/>").val(row.uuid).html(row.name);
-                        if (row.used > 0) {
-                            option.attr(
-                              'data-content',
-                              "<span>"+opt_val + "</span>"+
-                              "<span style='background:#"+bgcolor+";' class='badge pull-right'>" + row.used + "</span>"
-                            );
-                            option.attr('id', row.uuid);
-                        }
-
-                        $("#category_filter").append(option);
-                    }
-                    $("#category_filter").val(current_selection);
-                    $("#category_filter").selectpicker('refresh');
-                }
-            });
-        });
-
-        // open edit dialog when opened with a uuid reference
-        if (window.location.hash !== "" && window.location.hash.split("-").length >= 4) {
-            grid.on('loaded.rs.jquery.bootgrid', function(){
-                if (initial_load) {
-                    $(".command-edit:eq(0)").clone(true).data('row-id', window.location.hash.substr(1)).click();
-                    initial_load = false;
-                }
-            });
-        }
-
-        $("#reconfigureAct").SimpleActionButton();
-        $("#savepointAct").SimpleActionButton({
-            onAction: function(data, status){
-                stdDialogInform(
-                    "{{ lang._('Savepoint created') }}",
-                    data['revision'],
-                    "{{ lang._('Close') }}"
-                );
-            }
-        });
-
-        $("#revertAction").on('click', function(){
-            BootstrapDialog.show({
-                type: BootstrapDialog.TYPE_DEFAULT,
-                title: "{{ lang._('Revert to savepoint') }}",
-                message: "<p>{{ lang._('Enter a savepoint to rollback to.') }}</p>" +
-                    '<div class="form-group" style="display: block;">' +
-                    '<input id="revertToTime" type="text" class="form-control"/>' +
-                    '<span class="error text-danger" id="revertToTimeError"></span>'+
-                    '</div>',
-                buttons: [{
-                    label: "{{ lang._('Revert') }}",
-                    cssClass: 'btn-primary',
-                    action: function(dialogRef) {
-                        ajaxCall("/api/firewall/{{ruleController}}/revert/" + $("#revertToTime").val(), {}, function (data, status) {
-                            if (data.status !== "ok") {
-                                $("#revertToTime").parent().addClass("has-error");
-                                $("#revertToTimeError").html(data.status);
-                            } else {
-                                std_bootgrid_reload("grid-rules");
-                                dialogRef.close();
-                            }
-                        });
-                    }
-                }],
-                onshown: function(dialogRef) {
-                    $("#revertToTime").parent().removeClass("has-error");
-                    $("#revertToTimeError").html("");
-                    $("#revertToTime").val("");
-                }
-            });
-        });
-        // move filter into action header
-        $("#type_filter_container").detach().prependTo('#grid-rules-header > .row > .actionBar > .actions');
-        $("#category_filter").change(function(){
-            $('#grid-rules').bootgrid('reload');
-        });
-
-        // replace all "net" selectors with details retrieved from "list_network_select_options" endpoint
-        ajaxGet('/api/firewall/{{ruleController}}/list_network_select_options', [], function(data, status){
-            // fetch options
-            let options = [];
-            if (data.single) {
-                Object.keys(data).forEach((key, idx) => {
-                    if (data[key].items !== undefined) {
-                        let optgrp = $("<optgroup/>").attr('label', data[key].label);
-                        Object.keys(data[key].items).forEach((key2, idx2) => {
-                            let this_item = data[key].items[key2];
-                            optgrp.append($("<option/>").val(key2).text(this_item));
-                        });
-                        options.push(optgrp);
-                    } else {
-                        options.push($("<option/>").val('').text(data[key].label));
-                    }
-                });
-            }
-            if (options.length == 0) {
-                // unable to fetch options.
-                return;
-            }
-            $(".net_selector").each(function(){
-                let $items = $("#network_select").clone().show();
-                let $this_input = $items.find('input');
-                let $this_select = $items.find('select');
-                for (i=0; i < options.length; ++i) {
-                    $this_select.append(options[i].clone());
-                }
-                $this_select.attr('for', $(this).attr('id')).selectpicker();
-                $this_select.change(function(){
-                    let $value = $(this).val();
-                    if ($value !== '') {
-                        $this_input.val($value);
-                        $this_input.hide();
-                    } else {
-                        $this_input.show();
-                    }
-                });
-                $this_input.attr('id', $(this).attr('id'));
-                $this_input.change(function(){
-                    $this_select.val($(this).val());
-                    if ($this_select.val() === null || $this_select.val() == '') {
-                        $this_select.val('');
-                        $this_input.show();
-                    } else {
-                        $this_input.hide();
-                    }
-                    $this_select.selectpicker('refresh');
-                });
-                $this_input.show();
-                $(this).replaceWith($items);
-            });
-
-        });
-    });
-</script>
-
-
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#rules">{{ lang._('Rules') }}</a></li>
-</ul>
-<div class="tab-content content-box">
-    <div id="rules" class="tab-pane fade in active">
-        <div class="hidden">
-            <!-- filter per type container -->
-            <div id="type_filter_container" class="btn-group">
-                <select id="category_filter"  data-title="{{ lang._('Categories') }}" class="selectpicker" data-live-search="true" data-size="5"  multiple data-width="200px">
-                </select>
-            </div>
-        </div>
-        <!-- tab page "rules" -->
-        <table id="grid-rules" class="table table-condensed table-hover table-striped" data-editDialog="DialogFilterRule" data-editAlert="FilterRuleChangeMessage">
-            <thead>
-                <tr>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-{% for fieldlist in gridFields %}
-                    <th
-                        data-column-id="{{fieldlist['id']}}"
-                        data-width="{{fieldlist['width']|default('')}}"
-                        data-type="{{fieldlist['type']|default('string')}}"
-                        data-formatter="{{fieldlist['formatter']|default('')}}"
-                    >{{fieldlist['heading']|default('')}}</th>
-{% endfor %}
-                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
-        <div class="col-md-12">
-        <div id="FilterRuleChangeMessage" class="alert alert-info" style="display: none" role="alert">
-            {{ lang._('After changing settings, please remember to apply them with the button below') }}
-        </div>
-        <hr/>
-        <button class="btn btn-primary" id="reconfigureAct"
-                data-endpoint='/api/firewall/{{ruleController}}/apply'
-                data-label="{{ lang._('Apply') }}"
-                data-error-title="{{ lang._('Filter load error') }}"
-                type="button"
-        ></button>
-{% if SavePointBtns is defined %}
-        <div class="pull-right">
-            <button class="btn" id="savepointAct"
-                    data-endpoint='/api/firewall/{{ruleController}}/savepoint'
-                    data-label="{{ lang._('Savepoint') }}"
-                    data-error-title="{{ lang._('snapshot error') }}"
-                    type="button"
-            ></button>
-            <button  class="btn" id="revertAction">
-                {{ lang._('Revert') }}
-            </button>
-        </div>
-{% endif %}
-        <br/><br/>
-    </div>
-    </div>
-</div>
-
-<div id="network_select" style="display: none;" >
-    <table style="max-width: 348px">
-        <tr>
-            <td>
-                <select data-live-search="true" data-size="5" data-width="348px">
-                </select>
-            </td>
-        </tr>
-        <tr>
-            <td>
-                <input style="display:none;" type="text"/>
-            </td>
-        </tr>
-    </table>
-</div>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogFilterRule,'id':'DialogFilterRule','label':lang._('Edit rule')])}}
diff --git a/net/firewall/src/opnsense/scripts/pfplugin/rollback_cancel b/net/firewall/src/opnsense/scripts/pfplugin/rollback_cancel
deleted file mode 100755
index c47f74b074..0000000000
--- a/net/firewall/src/opnsense/scripts/pfplugin/rollback_cancel
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- *    Copyright (C) 2020 Deciso B.V.
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- */
-
-if (count($argv) >= 2) {
-    $revision = preg_replace("/[^0-9.]/", "", $argv[1]);
-    if (!empty($revision)) {
-        $lckfile = "/tmp/pfplugin_{$revision}.lock";
-        if (file_exists($lckfile)) {
-            unlink($lckfile);
-            exit(0);
-        }
-    }
-}
-exit(1);
diff --git a/net/firewall/src/opnsense/scripts/pfplugin/rollback_timer b/net/firewall/src/opnsense/scripts/pfplugin/rollback_timer
deleted file mode 100755
index 819a1f12cf..0000000000
--- a/net/firewall/src/opnsense/scripts/pfplugin/rollback_timer
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- *    Copyright (C) 2020 Deciso B.V.
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once('script/load_phalcon.php');
-
-if (count($argv) >= 2) {
-    $revision = preg_replace("/[^0-9.]/", "", $argv[1]);
-    if (!empty($revision)) {
-        $lckfile = "/tmp/pfplugin_{$revision}.lock";
-        file_put_contents($lckfile, "");
-        // give the api 60 seconds to callback
-        for ($i=0; $i < 60 ; ++$i) {
-            if (!file_exists($lckfile)) {
-                // got feedback
-                exit(0);
-            }
-            sleep(1);
-        }
-        @unlink($lckfile);
-        // no feedback, revert
-        $mdlFilter = new OPNsense\Firewall\Filter();
-        if ($mdlFilter->rollback($revision)) {
-            (new OPNsense\Core\Backend())->configdRun('filter reload');
-        } else {
-            syslog(LOG_WARNING, "unable to revert to unexisting revision : {$revision}");
-        }
-    }
-}
diff --git a/net/firewall/src/opnsense/service/conf/actions.d/actions_pfplugin.conf b/net/firewall/src/opnsense/service/conf/actions.d/actions_pfplugin.conf
deleted file mode 100644
index 61a13f477a..0000000000
--- a/net/firewall/src/opnsense/service/conf/actions.d/actions_pfplugin.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[rollback_timer]
-command:/usr/local/bin/flock -n -E 0 -o /tmp/pfplugin_rollback_timer.lock /usr/local/opnsense/scripts/pfplugin/rollback_timer
-parameters: %s
-type:script
-message:wait for api feedback or revert to previous filter plugin config
-
-[cancel_rollback]
-command: /usr/local/opnsense/scripts/pfplugin/rollback_cancel
-parameters: %s
-type:script_output
-message:cancel pfplugin rollback
diff --git a/net/wireguard-go/Makefile b/net/wireguard-go/Makefile
deleted file mode 100644
index e2fda10612..0000000000
--- a/net/wireguard-go/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
-PLUGIN_NAME=		wireguard-go
-PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	8
-PLUGIN_COMMENT=		WireGuard VPN service Go implementation
-PLUGIN_CONFLICTS=	wireguard
-PLUGIN_OBSOLETE=	yes
-PLUGIN_DEPENDS=		wireguard-go wireguard-tools
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
-
-.include "../../Mk/plugins.mk"
diff --git a/net/wireguard-go/pkg-descr b/net/wireguard-go/pkg-descr
deleted file mode 100644
index 5d84964c92..0000000000
--- a/net/wireguard-go/pkg-descr
+++ /dev/null
@@ -1,78 +0,0 @@
-WireGuard® is an extremely simple yet fast and modern VPN
-that utilizes state-of-the-art cryptography. It aims to be
-faster, simpler, leaner, and more useful than IPSec, while
-avoiding the massive headache. It intends to be considerably
-more performant than OpenVPN. WireGuard is designed as a
-general purpose VPN for running on embedded interfaces and
-super computers alike, fit for many different circumstances.
-Initially released for the Linux kernel, it is now
-cross-platform and widely deployable. It is currently under
-heavy development, but already it might be regarded as the
-most secure, easiest to use, and simplest VPN solution in
-the industry.
-
-WWW: https://www.wireguard.com/
-
-Changelog
----------
-
-1.13
-
-* Reworked widget and assorted cleanups (contributed by Patrik Kernstock)
-* Improve widget public key overlapping (contributed by Victor Haggqvist)
-
-1.12
-
-* Adjust validation for naming local instance and endpoints
-
-1.11
-
-* Add script for renewal of Wireguard DNS-based entries for stale connections (#2956)
-* Trim whitespace around new public and private keys in config (#2982)
-
-1.10
-
-* Remove instance limit
-
-1.9
-
-* Rename interface label in filter rules (#2577)
-
-1.8
-
-* Empty port in Endpoint is allowed
-
-1.7
-
-* Make tunnel address (wg interface address) optional
-
-1.6
-
-* Move DNS setting to advanced
-* Make listen port optional
-
-1.5
-
-* Allow synchronization of config
-
-1.4
-
-* Add IPv6 gateway support (contributed by Alexander Korinek)
-
-1.3
-
-* Client/peer name validation to use HostnameField
-
-1.2
-
-* Dashboard widget (contributed by D. Domig)
-
-1.1
-
-* Allow adding interface route for PBR
-
-1.0
-
-* Support for most features like S2S, Roadwarrior
-* DNS, MTU, PSK
-* Allow to disable setting routes for PBR
diff --git a/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
deleted file mode 100644
index ad234adcfd..0000000000
--- a/net/wireguard-go/src/etc/inc/plugins.inc.d/wireguard.inc
+++ /dev/null
@@ -1,110 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-function wireguard_enabled()
-{
-    $model = new \OPNsense\Wireguard\General();
-    return (string)$model->enabled == '1';
-}
-
-function wireguard_services()
-{
-    $services = [];
-
-    if (!wireguard_enabled()) {
-        return $services;
-    }
-
-    $service = [
-        'description' => gettext('WireGuard VPN'),
-        'configd' => [
-            'restart' => ['wireguard restart'],
-            'start' => ['wireguard start'],
-            'stop' => ['wireguard stop'],
-        ],
-        'name' => 'wireguard-go',
-    ];
-
-    $services[] = $service;
-
-    return $services;
-}
-
-function wireguard_interfaces()
-{
-    $interfaces = [];
-
-    if (!wireguard_enabled()) {
-        return $interfaces;
-    }
-
-    $interfaces['wireguard'] = [
-        'descr' => gettext('WireGuard (Group)'),
-        'if' => 'wireguard',
-        'virtual' => true,
-        'enable' => true,
-        'type' => 'group',
-        'networks' => [],
-    ];
-
-    return $interfaces;
-}
-
-function wireguard_xmlrpc_sync()
-{
-    $result = [];
-
-    $result['id'] = 'wireguard';
-    $result['section'] = 'OPNsense.wireguard';
-    $result['description'] = gettext('WireGuard');
-    $result['services'] = ['wireguard-go'];
-
-    return [$result];
-}
-
-function wireguard_devices()
-{
-    $names = [];
-    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
-        if (!empty((string)$node->enabled)) {
-            $device = 'wg' . $node->instance;
-            $names[$device] = [
-                'descr' => sprintf('%s (WireGuard - %s)', $device, (string)$node->name),
-                'ifdescr' => (string)$node->name,
-                'name' => $device,
-            ];
-        }
-    }
-    return [[
-        'configurable' => false,
-        'pattern' => '^wg',
-        'type' => 'wireguard',
-        'volatile' => true,
-        'names' => $names,
-    ]];
-}
diff --git a/net/wireguard-go/src/etc/rc.syshook.d/start/50-wireguard b/net/wireguard-go/src/etc/rc.syshook.d/start/50-wireguard
deleted file mode 100755
index 78ab228040..0000000000
--- a/net/wireguard-go/src/etc/rc.syshook.d/start/50-wireguard
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-# start again to fix problems with failed name resolution (no need to restart)
-configctl -dq wireguard start
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
deleted file mode 100644
index ae7d84660d..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
+++ /dev/null
@@ -1,70 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Wireguard\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-class ClientController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'client';
-    protected static $internalModelClass = '\OPNsense\Wireguard\Client';
-
-    public function searchClientAction()
-    {
-        return $this->searchBase('clients.client', array("enabled", "name", "pubkey", "tunneladdress", "serveraddress", "serverport"));
-    }
-
-    public function getClientAction($uuid = null)
-    {
-        $this->sessionClose();
-        return $this->getBase('client', 'clients.client', $uuid);
-    }
-
-    public function addClientAction()
-    {
-        return $this->addBase('client', 'clients.client');
-    }
-
-    public function delClientAction($uuid)
-    {
-        return $this->delBase('clients.client', $uuid);
-    }
-
-    public function setClientAction($uuid)
-    {
-        return $this->setBase('client', 'clients.client', $uuid);
-    }
-
-    public function toggleClientAction($uuid)
-    {
-        return $this->toggleBase('clients.client', $uuid);
-    }
-}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
deleted file mode 100644
index 1aca5548df..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
+++ /dev/null
@@ -1,138 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- *    Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Wireguard\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Config;
-use OPNsense\Core\Backend;
-
-class GeneralController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelClass = '\OPNsense\Wireguard\General';
-    protected static $internalModelName = 'general';
-
-    public function getStatusAction()
-    {
-        // get wireguard configuration
-        $config = Config::getInstance()->object();
-        $config = $config->OPNsense->wireguard;
-
-        // craft peers array
-        $peers = [];
-        $peers_uuid_pubkey = [];
-        // enabled, name, pubkey
-        foreach ($config->client->clients->client as $client) {
-            $peerUuid = (string)$client->attributes()['uuid'];
-            $peers_uuid_pubkey[$peerUuid] = (string) $client->pubkey;
-            $peers[$peerUuid] = [
-                "name"      => (string)  $client->name,
-                "enabled"   => (int) $client->enabled,
-                "publicKey" => (string)  $client->pubkey,
-            ];
-        }
-
-        // prepare and initialize the server array
-        $status = [];
-        $peer_pubkey_reference = [];
-        foreach ($config->server->servers->server as $server) {
-            if ($server->enabled != "1") {
-                continue;
-            }
-
-            // build basic server array
-            $interface = "wg" . $server->instance;
-            $status[$interface] = [
-                "instance"  => (int) $server->instance,
-                "interface" => (string)  $interface,
-                "enabled"   => (int) $server->enabled,
-                "name"      => (string)  $server->name,
-                "peers"     => [],
-            ];
-
-            // parse and add peers with initial values to array
-            if (strlen($server->peers) > 0) {
-                // there is at least one peer defined
-                $serverPeers = explode(",", (string) $server->peers);
-                // iteriate over each peer uuid
-                foreach ($serverPeers as $peerUuid) {
-                    // skipping removed peer that is still referenced in server
-                    if (!isset($peers[$peerUuid])) {
-                        continue;
-                    }
-                    // remember interface and pubkey <> peer-uuid reference for referencing handshake logic below
-                    $peer_pubkey_reference[$interface][$peers_uuid_pubkey[$peerUuid]] = $peerUuid;
-                    // merge peer info and initial values for handshake data
-                    $status[$interface]["peers"][$peerUuid] = array_merge(
-                        $peers[$peerUuid],
-                        [
-                            "lastHandshake" => "0000-00-00 00:00:00+00:00",
-                        ]
-                    );
-                }
-            }
-        }
-
-        // Get latest handshakes by running CLI command locally
-        $data = (new Backend())->configdRun("wireguard showhandshake");
-
-        // parse and set handshake to status datastructure
-        $data = trim($data);
-        if (strlen($data) !== 0) {
-            $wgHandshakes = explode("\n", $data);
-            foreach ($wgHandshakes as $handshake) {
-                $item = explode("\t", trim($handshake));
-
-                // set interface name and publickey
-                $interface = trim($item[0]);
-                $pubkey = trim($item[1]);
-
-                // calculate handshake time based on local timezone
-                $epoch = $item[2];
-                if ($epoch > 0) {
-                    $dt = new \DateTime("@$epoch");
-                    $dt->setTimezone(new \DateTimeZone(date_default_timezone_get()));
-                    $latest = $dt->format("Y-m-d H:i:sP");
-
-                    // set handshake
-                    $peerUuid = $peer_pubkey_reference[$interface][$pubkey];
-                    if (!empty($peerUuid)) {
-                        $status[$interface]["peers"][$peerUuid]["lastHandshake"] = $latest;
-                    }
-                }
-            }
-        }
-
-        return [
-            "items" => $status
-        ];
-    }
-}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
deleted file mode 100644
index 5bf57767a9..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
+++ /dev/null
@@ -1,108 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Backend;
-
-class ServerController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'server';
-    protected static $internalModelClass = '\OPNsense\Wireguard\Server';
-
-    public function searchServerAction()
-    {
-        $search = $this->searchBase('servers.server', array("enabled", "instance", "peers", "name", "networks", "pubkey", "port", "tunneladdress"));
-        // prepend "wg" to all instance IDs to use as interface name
-        foreach ($search["rows"] as $key => $server) {
-            $search["rows"][$key]["interface"] = "wg" . $server["instance"];
-        }
-        return $search;
-    }
-
-    public function getServerAction($uuid = null)
-    {
-        $this->sessionClose();
-        return $this->getBase('server', 'servers.server', $uuid);
-    }
-
-    public function addServerAction($uuid = null)
-    {
-        if ($this->request->isPost() && $this->request->hasPost("server")) {
-            if ($uuid != null) {
-                $node = $this->getModel()->getNodeByReference('servers.server.' . $uuid);
-            } else {
-                $node = $this->getModel()->servers->server->Add();
-            }
-            $node->setNodes($this->request->getPost("server"));
-            if (empty((string)$node->pubkey) && empty((string)$node->privkey)) {
-                // generate new keypair
-                $backend = new Backend();
-                $keyspriv = $backend->configdpRun("wireguard genkey", 'private');
-                $keyspub = $backend->configdpRun("wireguard genkey", 'public');
-                $node->privkey = trim($keyspriv);
-                $node->pubkey = trim($keyspub);
-            }
-            return $this->validateAndSave($node, 'server');
-        }
-        return array("result" => "failed");
-    }
-
-    public function delServerAction($uuid)
-    {
-        return $this->delBase('servers.server', $uuid);
-    }
-
-    public function setServerAction($uuid = null)
-    {
-        if ($this->request->isPost() && $this->request->hasPost("server")) {
-            if ($uuid != null) {
-                $node = $this->getModel()->getNodeByReference('servers.server.' . $uuid);
-            } else {
-                $node = $this->getModel()->servers->server->Add();
-            }
-            $node->setNodes($this->request->getPost("server"));
-            if (empty((string)$node->pubkey) && empty((string)$node->privkey)) {
-                // generate new keypair
-                $backend = new Backend();
-                $keyspriv = $backend->configdpRun("wireguard genkey", 'private');
-                $keyspub = $backend->configdpRun("wireguard genkey", 'public');
-                $node->privkey = trim($keyspriv);
-                $node->pubkey = trim($keyspub);
-            }
-            return $this->validateAndSave($node, 'server');
-        }
-        return array("result" => "failed");
-    }
-
-    public function toggleServerAction($uuid)
-    {
-        return $this->toggleBase('servers.server', $uuid);
-    }
-}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
deleted file mode 100644
index 627911beb4..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ /dev/null
@@ -1,76 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard\Api;
-
-use OPNsense\Base\ApiMutableServiceControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Wireguard\General;
-
-/**
- * Class ServiceController
- * @package OPNsense\Wireguard
- */
-class ServiceController extends ApiMutableServiceControllerBase
-{
-    protected static $internalServiceClass = '\OPNsense\Wireguard\General';
-    protected static $internalServiceTemplate = 'OPNsense/Wireguard';
-    protected static $internalServiceEnabled = 'enabled';
-    protected static $internalServiceName = 'wireguard';
-
-    /**
-     * hook group interface registration on reconfigure
-     * @return bool
-     */
-    protected function invokeInterfaceRegistration()
-    {
-        return true;
-    }
-
-    /**
-     * show wireguard config
-     * @return array
-     */
-    public function showconfAction()
-    {
-        $backend = new Backend();
-        $response = $backend->configdRun("wireguard showconf");
-        return array("response" => $response);
-    }
-
-    /**
-     * show wireguard handshakes
-     * @return array
-     */
-    public function showhandshakeAction()
-    {
-        $backend = new Backend();
-        $response = $backend->configdRun("wireguard showhandshake");
-        return array("response" => $response);
-    }
-}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
deleted file mode 100644
index 404fce6823..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
+++ /dev/null
@@ -1,40 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Wireguard;
-
-class GeneralController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->generalForm = $this->getForm("general");
-        $this->view->formDialogEditWireguardClient = $this->getForm("dialogEditWireguardClient");
-        $this->view->formDialogEditWireguardServer = $this->getForm("dialogEditWireguardServer");
-        $this->view->pick('OPNsense/Wireguard/general');
-    }
-}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
deleted file mode 100644
index 231e9c692a..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
+++ /dev/null
@@ -1,52 +0,0 @@
-<form>
-    <field>
-        <id>client.enabled</id>
-        <label>Enabled</label>
-        <type>checkbox</type>
-        <help>This will enable or disable the client config.</help>
-    </field>
-    <field>
-        <id>client.name</id>
-        <label>Name</label>
-        <type>text</type>
-        <help>Set the name for this instance.</help>
-    </field>
-    <field>
-        <id>client.pubkey</id>
-        <label>Public Key</label>
-        <type>text</type>
-        <help>Public key of this instance.</help>
-    </field>
-    <field>
-        <id>client.psk</id>
-        <label>Shared Secret</label>
-        <type>text</type>
-        <help>Shared secret (PSK) for this peer. You can generate a key using "wg genpsk" on a client with WireGuard installed.</help>
-    </field>
-    <field>
-        <id>client.tunneladdress</id>
-        <label>Allowed IPs</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>List of addresses allowed to pass trough the tunnel adapter. Please use CIDR notation like 10.0.0.1/24.</help>
-    </field>
-    <field>
-        <id>client.serveraddress</id>
-        <label>Endpoint Address</label>
-        <type>text</type>
-        <help>Set public IP address the endpoint listens to.</help>
-    </field>
-    <field>
-        <id>client.serverport</id>
-        <label>Endpoint Port</label>
-        <type>text</type>
-        <help>Set port the endpoint listens to.</help>
-    </field>
-    <field>
-        <id>client.keepalive</id>
-        <label>Keepalive Interval</label>
-        <type>text</type>
-        <help>Set persistent keepalive interval in seconds.</help>
-    </field>
-</form>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
deleted file mode 100644
index eff1f9504c..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ /dev/null
@@ -1,82 +0,0 @@
-<form>
-    <field>
-        <id>server.enabled</id>
-        <label>Enabled</label>
-        <type>checkbox</type>
-        <help>This will enable or disable the server config.</help>
-    </field>
-    <field>
-        <id>server.name</id>
-        <label>Name</label>
-        <type>text</type>
-        <help>Set the name for this instance.</help>
-    </field>
-    <field>
-        <id>server.instance</id>
-        <label>Instance</label>
-        <type>info</type>
-        <help>This is the instance number to give the wg interface a unique name (wgX).</help>
-    </field>
-    <field>
-        <id>server.pubkey</id>
-        <label>Public Key</label>
-        <type>text</type>
-        <help>Public key of this instance. You can specify your own one, or a key will be generated after saving.</help>
-    </field>
-    <field>
-        <id>server.privkey</id>
-        <label>Private Key</label>
-        <type>text</type>
-        <help>Private key of this instance. You can specify your own one, or a key will be generated after saving. Please keep this key safe.</help>
-    </field>
-    <field>
-        <id>server.port</id>
-        <label>Listen Port</label>
-        <type>text</type>
-        <help>Optionally set a fixed port for this instance to listen on. The standard port range starts at 51820.</help>
-    </field>
-    <field>
-        <id>server.mtu</id>
-        <label>MTU</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help>Set the interface MTU for this interface. Leaving empty uses the MTU from main interface which is fine for most setups.</help>
-    </field>
-    <field>
-        <id>server.dns</id>
-        <label>DNS Server</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <advanced>true</advanced>
-        <help>Set the interface specific DNS server.</help>
-    </field>
-    <field>
-        <id>server.tunneladdress</id>
-        <label>Tunnel Address</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>List of addresses to configure on the tunnel adapter. Please use CIDR notation like 10.0.0.1/24.</help>
-    </field>
-    <field>
-        <id>server.peers</id>
-        <label>Peers</label>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>List of peers for this server.</help>
-    </field>
-    <field>
-        <id>server.disableroutes</id>
-        <label>Disable Routes</label>
-        <type>checkbox</type>
-        <help>This will prevent installing routes. Usually you only enable this to do own routing decisions via a local gateway and gateway rules.</help>
-    </field>
-    <field>
-        <id>server.gateway</id>
-        <label>Gateway</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help>Set the gateway IP here when using Disable Routes feature. You also have to add this as a gateway in OPNsense.</help>
-    </field>
-</form>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml b/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
deleted file mode 100644
index 7a74ebf81b..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<form>
-    <field>
-        <id>general.enabled</id>
-        <label>Enable WireGuard</label>
-        <type>checkbox</type>
-        <help>This will activate WireGuard and start all enabled instances.</help>
-    </field>
-</form>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
deleted file mode 100644
index 21012db805..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<acl>
-   <page-wireguard-config>
-      <name>VPN: Wireguard</name>
-      <patterns>
-         <pattern>ui/wireguard/*</pattern>
-         <pattern>api/wireguard/*</pattern>
-      </patterns>
-   </page-wireguard-config>
-</acl>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
deleted file mode 100644
index b069a766d4..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
+++ /dev/null
@@ -1,31 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Wireguard;
-
-use OPNsense\Base\BaseModel;
-
-class Client extends BaseModel
-{
-}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
deleted file mode 100644
index 69527a433a..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ /dev/null
@@ -1,47 +0,0 @@
-<model>
-    <mount>//OPNsense/wireguard/client</mount>
-    <description>Wireguard Client configuration</description>
-    <version>0.0.7</version>
-    <items>
-        <clients>
-            <client type="ArrayField">
-                <enabled type="BooleanField">
-                    <default>1</default>
-                    <Required>Y</Required>
-                </enabled>
-                <name type="TextField">
-                    <default></default>
-                    <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
-                </name>
-                <pubkey type="Base64Field">
-                    <Required>Y</Required>
-                    <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
-                </pubkey>
-                <psk type="Base64Field">
-                    <Required>N</Required>
-                    <ValidationMessage>Should be a base64-encoded 32 byte string.</ValidationMessage>
-                </psk>
-                <tunneladdress type="NetworkField">
-                    <default></default>
-                    <FieldSeparator>,</FieldSeparator>
-                    <Required>Y</Required>
-                    <asList>Y</asList>
-                </tunneladdress>
-                <serveraddress type="HostnameField">
-                    <Required>N</Required>
-                </serveraddress>
-                <serverport type="PortField">
-                    <Required>N</Required>
-                </serverport>
-                <keepalive type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>86400</MaximumValue>
-                    <ValidationMessage>Please specify a value between 1 and 86400.</ValidationMessage>
-                    <Required>N</Required>
-                </keepalive>
-            </client>
-        </clients>
-    </items>
-</model>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
deleted file mode 100644
index 6caf9eabaf..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Wireguard;
-
-use OPNsense\Base\BaseModel;
-
-class General extends BaseModel
-{
-}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
deleted file mode 100644
index 432fd654c2..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<model>
-    <mount>//OPNsense/wireguard/general</mount>
-    <description>WireGuard configuration</description>
-    <version>0.0.1</version>
-    <items>
-        <enabled type="BooleanField">
-            <default>0</default>
-            <Required>Y</Required>
-        </enabled>
-    </items>
-</model>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
deleted file mode 100644
index a2934e1b07..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
+++ /dev/null
@@ -1,5 +0,0 @@
-<menu>
-    <VPN>
-      <WireGuard cssClass="fa fa-lock fa-fw" url="/ui/wireguard/general/index" order="150" />
-    </VPN>
-</menu>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
deleted file mode 100644
index 8fccdd577e..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
+++ /dev/null
@@ -1,31 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Wireguard;
-
-use OPNsense\Base\BaseModel;
-
-class Server extends BaseModel
-{
-}
diff --git a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
deleted file mode 100644
index 476091d238..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ /dev/null
@@ -1,77 +0,0 @@
-<model>
-    <mount>//OPNsense/wireguard/server</mount>
-    <description>Wireguard Server configuration</description>
-    <version>0.0.4</version>
-    <items>
-        <servers>
-            <server type="ArrayField">
-                <enabled type="BooleanField">
-                    <default>1</default>
-                    <Required>Y</Required>
-                </enabled>
-                <name type="TextField">
-                    <default></default>
-                    <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
-                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
-                </name>
-                <instance type="AutoNumberField">
-                    <Required>Y</Required>
-                </instance>
-                <pubkey type="TextField">
-                    <Required>N</Required>
-                </pubkey>
-                <privkey type="TextField">
-                    <Required>N</Required>
-                </privkey>
-                <port type="PortField">
-                    <Required>N</Required>
-                </port>
-                <mtu type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>9300</MaximumValue>
-                    <Required>N</Required>
-                </mtu>
-                <dns type="CSVListField">
-                    <Required>N</Required>
-                    <mask>/^([a-fA-F0-9\.:\[\]]*?,)*([a-fA-F0-9\.:\[\]]*)$/</mask>
-                    <ValidationMessage>Please use valid IPv4 or IPv6 addresses.</ValidationMessage>
-                </dns>
-                <tunneladdress type="NetworkField">
-                    <default></default>
-                    <FieldSeparator>,</FieldSeparator>
-                    <Required>N</Required>
-                    <asList>Y</asList>
-                </tunneladdress>
-                <disableroutes type="BooleanField">
-                    <default>0</default>
-                    <Required>Y</Required>
-                    <Constraints>
-                        <check001>
-                            <ValidationMessage>You have to enable Disable Routes option.</ValidationMessage>
-                            <type>DependConstraint</type>
-                            <addFields>
-                                <field1>gateway</field1>
-                            </addFields>
-                        </check001>
-                    </Constraints>
-                </disableroutes>
-                <gateway type="NetworkField">
-                    <Required>N</Required>
-                </gateway>
-                <peers type="ModelRelationField">
-                    <Model>
-                        <template>
-                            <source>OPNsense.Wireguard.Client</source>
-                            <items>clients.client</items>
-                            <display>name</display>
-                        </template>
-                    </Model>
-                    <Multiple>Y</Multiple>
-                    <Required>N</Required>
-                    <ValidationMessage>Choose an Peer.</ValidationMessage>
-                </peers>
-            </server>
-        </servers>
-    </items>
-</model>
diff --git a/net/wireguard-go/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard-go/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
deleted file mode 100644
index 8b0accd2d6..0000000000
--- a/net/wireguard-go/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ /dev/null
@@ -1,199 +0,0 @@
-{#
- # OPNsense (c) 2014-2018 by Deciso B.V.
- # OPNsense (c) 2018 Michael Muenz <m.muenz@gmail.com>
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1.  Redistributions of source code must retain the above copyright notice,
- #     this list of conditions and the following disclaimer.
- #
- # 2.  Redistributions in binary form must reproduce the above copyright notice,
- #     this list of conditions and the following disclaimer in the documentation
- #     and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-
-<!-- Navigation bar -->
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
-    <li><a data-toggle="tab" href="#servers">{{ lang._('Local') }}</a></li>
-    <li><a data-toggle="tab" href="#clients">{{ lang._('Endpoints') }}</a></li>
-    <li><a data-toggle="tab" href="#showconf">{{ lang._('Status') }}</a></li>
-    <li><a data-toggle="tab" href="#showhandshake">{{ lang._('Handshakes') }}</a></li>
-</ul>
-
-<div class="tab-content content-box tab-content">
-    <div id="general" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_progress"></i></button>
-            </div>
-        </div>
-    </div>
-    <div id="clients" class="tab-pane fade in">
-        <table id="grid-clients" class="table table-responsive" data-editDialog="dialogEditWireguardClient">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="serveraddress" data-type="string" data-visible="true">{{ lang._('Endpoint Address') }}</th>
-                    <th data-column-id="serverport" data-type="string" data-visible="true">{{ lang._('Endpoint Port') }}</th>
-                    <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Allowed IPs') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td colspan="6"></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
-        <div class="col-md-12">
-            <hr />
-            <button class="btn btn-primary" id="saveAct_client" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_client_progress"></i></button>
-            <br /><br />
-        </div>
-    </div>
-    <div id="servers" class="tab-pane fade in">
-        <table id="grid-servers" class="table table-responsive" data-editDialog="dialogEditWireguardServer">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="interface" data-type="string" data-visible="true">{{ lang._('Interface') }}</th>
-                    <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Tunnel Address') }}</th>
-                    <th data-column-id="port" data-type="string" data-visible="true">{{ lang._('Port') }}</th>
-                    <th data-column-id="peers" data-type="string" data-visible="true">{{ lang._('Endpoints') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td colspan="7"></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
-        <div class="col-md-12">
-            <hr />
-            <button class="btn btn-primary" id="saveAct_server" type="button"><b>{{ lang._('Apply') }}</b> <i id="saveAct_server_progress"></i></button>
-            <br /><br />
-        </div>
-    </div>
-    <div id="showconf" class="tab-pane fade in">
-      <pre id="listshowconf"></pre>
-    </div>
-    <div id="showhandshake" class="tab-pane fade in">
-      <pre id="listshowhandshake"></pre>
-    </div>
-</div>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardClient,'id':'dialogEditWireguardClient','label':lang._('Edit Endpoint')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardServer,'id':'dialogEditWireguardServer','label':lang._('Edit Local Configuration')])}}
-
-<script>
-
-// Put API call into a function, needed for auto-refresh
-function update_showconf() {
-    ajaxCall(url="/api/wireguard/service/showconf", sendData={}, callback=function(data,status) {
-        $("#listshowconf").text(data['response']);
-    });
-}
-
-function update_showhandshake() {
-    ajaxCall(url="/api/wireguard/service/showhandshake", sendData={}, callback=function(data,status) {
-        $("#listshowhandshake").text(data['response']);
-    });
-}
-
-$( document ).ready(function() {
-    var data_get_map = {'frm_general_settings':"/api/wireguard/general/get"};
-    mapDataToFormUI(data_get_map).done(function(data){
-        formatTokenizersUI();
-        $('.selectpicker').selectpicker('refresh');
-    });
-
-    $("#grid-clients").UIBootgrid(
-        {
-            'search':'/api/wireguard/client/searchClient',
-            'get':'/api/wireguard/client/getClient/',
-            'set':'/api/wireguard/client/setClient/',
-            'add':'/api/wireguard/client/addClient/',
-            'del':'/api/wireguard/client/delClient/',
-            'toggle':'/api/wireguard/client/toggleClient/'
-        }
-    );
-
-    $("#grid-servers").UIBootgrid(
-        {
-            'search':'/api/wireguard/server/searchServer',
-            'get':'/api/wireguard/server/getServer/',
-            'set':'/api/wireguard/server/setServer/',
-            'add':'/api/wireguard/server/addServer/',
-            'del':'/api/wireguard/server/delServer/',
-            'toggle':'/api/wireguard/server/toggleServer/'
-        }
-    );
-
-    // Call update funcs once when page loaded
-    update_showconf();
-    update_showhandshake();
-
-    // Call function update_neighbor with a auto-refresh of 5 seconds
-    setInterval(update_showconf, 5000);
-    setInterval(update_showhandshake, 5000);
-
-    $("#saveAct").click(function(){
-        saveFormToEndpoint(url="/api/wireguard/general/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
-
-    $("#saveAct_client").click(function(){
-        saveFormToEndpoint(url="/api/wireguard/client/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_client_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
-                $("#saveAct_client_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
-
-    $("#saveAct_server").click(function(){
-        saveFormToEndpoint(url="/api/wireguard/server/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_server_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/wireguard/service/reconfigure", sendData={}, callback=function(data,status) {
-                $("#saveAct_server_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
-
-});
-</script>
diff --git a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
deleted file mode 100755
index b580bf49dc..0000000000
--- a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/genkey.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2018 Michael Muenz <m.muenz@gmail.com>
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-
-TMPDIR="/tmp"
-GENPRIV="/usr/local/bin/wg genkey"
-GENPUB="/usr/local/bin/wg pubkey"
-
-cleanup() {
-	# Delete old files
-	rm -f $TMPDIR/wireguard.*
-}
-
-private() {
-	# Generate a private key and put it to /tmp
-	umask 077 && ${GENPRIV} | tee ${TMPDIR}/wireguard.priv
-}
-
-public() {
-	# Generate a public key and put it to /tmp
-	${GENPUB} < ${TMPDIR}/wireguard.priv | tee ${TMPDIR}/wireguard.pub
-}
-
-case "$1" in
-private)
-	cleanup
-	private
-	;;
-public)
-	public
-	;;
-esac
diff --git a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/post.sh b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/post.sh
deleted file mode 100755
index 375ca38359..0000000000
--- a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/post.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-if [ -f /etc/rc.conf.d/wireguard ]; then
-	. /etc/rc.conf.d/wireguard
-fi
-
-for interface in ${wireguard_interfaces}; do
-	ifconfig ${interface} group wireguard
-done
-
-/usr/local/etc/rc.routing_configure
diff --git a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
deleted file mode 100755
index b7faf881ad..0000000000
--- a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/local/bin/bash
-# SPDX-License-Identifier: GPL-2.0
-#
-# Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-
-set -e
-shopt -s nocasematch
-shopt -s extglob
-export LC_ALL=C
-
-for CONFIG_FILE in /usr/local/etc/wireguard/*.conf; do
-
-    [[ $CONFIG_FILE =~ /?([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]]
-    INTERFACE="${BASH_REMATCH[1]}"
-
-    process_peer() {
-        [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
-        [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\	([0-9]+) ]] || return 0
-        (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
-        wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
-        reset_peer_section
-    }
-
-    reset_peer_section() {
-        PEER_SECTION=0
-        PUBLIC_KEY=""
-        ENDPOINT=""
-    }
-
-    reset_peer_section
-    while read -r line || [[ -n $line ]]; do
-        stripped="${line%%\#*}"
-        key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
-        value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
-        [[ $key == "["* ]] && { process_peer; reset_peer_section; }
-        [[ $key == "[Peer]" ]] && PEER_SECTION=1
-        if [[ $PEER_SECTION -eq 1 ]]; then
-            case "$key" in
-                PublicKey) PUBLIC_KEY="$value"; continue ;;
-                Endpoint) ENDPOINT="$value"; continue ;;
-            esac
-        fi
-    done < "$CONFIG_FILE"
-    process_peer
-done
diff --git a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/setup.sh b/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
deleted file mode 100755
index 75ba580c99..0000000000
--- a/net/wireguard-go/src/opnsense/scripts/OPNsense/Wireguard/setup.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-mkdir -p /var/run/wireguard
-chmod 755 /var/run/wireguard
diff --git a/net/wireguard-go/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard-go/src/opnsense/service/conf/actions.d/actions_wireguard.conf
deleted file mode 100644
index b2b96828f2..0000000000
--- a/net/wireguard-go/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ /dev/null
@@ -1,43 +0,0 @@
-[start]
-command:/usr/local/etc/rc.d/wireguard start; /usr/local/opnsense/scripts/OPNsense/Wireguard/post.sh
-parameters:
-type:script
-message:Starting WireGuard
-
-[stop]
-command:/usr/local/etc/rc.d/wireguard stop
-parameters:
-type:script
-message:Stopping WireGuard
-
-[restart]
-command:/usr/local/etc/rc.d/wireguard restart; /usr/local/opnsense/scripts/OPNsense/Wireguard/post.sh
-parameters:
-type:script
-message:Restarting WireGuard
-description: Restart WireGuard
-
-[renew]
-command:/usr/local/opnsense/scripts/OPNsense/Wireguard/resolve-dns.bash
-parameters:
-type:script
-message:Renew DNS for WireGuard
-description:Renew DNS for WireGuard on stale connections
-
-[genkey]
-command:/usr/local/opnsense/scripts/OPNsense/Wireguard/genkey.sh
-parameters: %s
-type:script_output
-message:Generating WireGuard keys
-
-[showconf]
-command:/usr/local/bin/wg show all
-parameters:
-type:script_output
-message:Show WireGuard config
-
-[showhandshake]
-command:/usr/local/bin/wg show all latest-handshakes
-parameters:
-type:script_output
-message:Show WireGuard handshakes
diff --git a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
deleted file mode 100644
index 655def7d10..0000000000
--- a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
+++ /dev/null
@@ -1,2 +0,0 @@
-wireguard:/etc/rc.conf.d/wireguard
-wireguard-server.conf:/usr/local/etc/wireguard/wg[OPNsense.wireguard.server.servers.server.%.instance].conf
diff --git a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
deleted file mode 100644
index c4c12667a4..0000000000
--- a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
+++ /dev/null
@@ -1,15 +0,0 @@
-{% if helpers.exists('OPNsense.wireguard.general.enabled') and OPNsense.wireguard.general.enabled == '1' %}
-wireguard_setup="/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh"
-wireguard_enable="YES"
-{%   if helpers.exists('OPNsense.wireguard.server.servers.server') %}
-{%   set activeservers=[] %}
-{%     for servers in helpers.toList('OPNsense.wireguard.server.servers.server') %}
-{%       if servers.enabled == '1' %}
-{%       do activeservers.append("wg" + servers.instance) %}
-{%       endif %}
-{%     endfor %}
-{%   endif %}
-wireguard_interfaces="{{ activeservers | join(' ') }}"
-{% else %}
-wireguard_enable="NO"
-{% endif %}
diff --git a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
deleted file mode 100644
index 355ea0815f..0000000000
--- a/net/wireguard-go/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-{% if helpers.exists('OPNsense.wireguard.general.enabled') and OPNsense.wireguard.general.enabled == '1' %}
-{% if helpers.exists('OPNsense.wireguard.server.servers.server') %}
-{%   for server_list in helpers.toList('OPNsense.wireguard.server.servers.server') %}
-{%     if TARGET_FILTERS['OPNsense.wireguard.server.servers.server.' ~ loop.index0] or TARGET_FILTERS['OPNsense.wireguard.server.servers.server'] %}
-{%       if server_list.enabled == '1' %}
-[Interface]
-PrivateKey = {{ server_list.privkey }}
-{%         if server_list.tunneladdress|default('') != '' %}
-Address = {{ server_list.tunneladdress }}
-{%         endif %}
-{%         if server_list.port|default('') != '' %}
-ListenPort = {{ server_list.port }}
-{%         endif %}
-{%         if server_list.dns|default('') != '' %}
-DNS = {{ server_list.dns }}
-{%         endif %}
-{%         if server_list.mtu|default('') != '' %}
-MTU = {{ server_list.mtu }}
-{%         endif %}
-{%         if server_list.disableroutes == '1' %}
-Table = off
-{%         endif %}
-{%         if server_list.disableroutes == '1' and server_list.gateway|default('') != '' %}
-PostUp = route {{- ' -6' if ':' in server_list.gateway }} add {{ server_list.gateway }} -iface %i
-PostDown = route {{- ' -6' if ':' in server_list.gateway }} del {{ server_list.gateway }} -iface %i
-{%         endif %}
-{%         if server_list.peers|default('') != '' %}
-{%           for peerlist in server_list.peers.split(",") %}
-{%             set peerlist2_data = helpers.getUUID(peerlist) %}
-{%             if peerlist2_data != {} and peerlist2_data.enabled == '1' %}
-
-[Peer]
-# friendly_name = {{ peerlist2_data.name }}
-PublicKey = {{ peerlist2_data.pubkey }}
-{%               if peerlist2_data.psk|default('') != '' %}
-PresharedKey = {{ peerlist2_data.psk }}
-{%               endif %}
-{%               if peerlist2_data.serveraddress|default('') != '' %}
-Endpoint = {{ peerlist2_data.serveraddress }}{% if peerlist2_data.serverport|default('') != '' %}:{{ peerlist2_data.serverport }}{% else %}:51820{% endif %}
-{%               endif %}
-
-AllowedIPs = {{ peerlist2_data.tunneladdress }}
-{%               if peerlist2_data.keepalive|default('') != '' %}
-PersistentKeepalive = {{ peerlist2_data.keepalive }}
-{%               endif %}
-{%             endif %}
-{%           endfor %}
-{%         endif %}
-{%       endif %}
-{%     endif %}
-{%   endfor %}
-{% endif %}
-{% endif %}
diff --git a/net/wireguard-go/src/www/widgets/include/wireguard.inc b/net/wireguard-go/src/www/widgets/include/wireguard.inc
deleted file mode 100644
index b95fc1fa6f..0000000000
--- a/net/wireguard-go/src/www/widgets/include/wireguard.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-<?php
-
-$wireguard_title = gettext('WireGuard');
-$wireguard_title_link = 'ui/wireguard/general/index';
diff --git a/net/wireguard-go/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard-go/src/www/widgets/widgets/wireguard.widget.php
deleted file mode 100644
index 6c704030a9..0000000000
--- a/net/wireguard-go/src/www/widgets/widgets/wireguard.widget.php
+++ /dev/null
@@ -1,120 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020 Deciso B.V.
- * Copyright (C) 2020 D. Domig
- * Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("widgets/include/wireguard.inc");
-
-$enabled = ($config["OPNsense"]["wireguard"]["general"]["enabled"] === "1" ? true : false);
-
-?>
-
-<table class="table table-striped table-condensed">
-    <thead>
-        <tr>
-            <th><?= gettext("Name") ?></th>
-            <th><?= gettext("Interface") ?></th>
-            <th><?= gettext("Endpoint") ?></th>
-            <th><?= gettext("Public Key") ?></th>
-            <th><?= gettext("Latest Handshake") ?></th>
-        </tr>
-    </thead>
-    <tbody id="wg-table-tbody">
-
-    <?php if (!$enabled): ?>
-    <tr>
-        <td colspan="5"><?= gettext("No WireGuard instance defined or enabled.") ?></td>
-    </tr>
-    <?php endif; ?>
-
-    </tbody>
-</table>
-
-<script>
-$(window).on("load", function() {
-    function wgGenerateRow(name, interface, peerName, publicKey, latestHandshake, status)
-    {
-        var tr = ''
-        +'<tr>'
-        +'    <td>' + name + '</td>'
-        +'    <td>' + interface + '</td>'
-        +'    <td>' + peerName  + '</td>'
-        +'    <td style="overflow: hidden; text-overflow: ellipsis;" title="' + publicKey + '">' + publicKey  + '</td>'
-        +'    <td>' + latestHandshake + '</td>'
-        +'</tr>';
-
-        return tr;
-    }
-
-    function wgUpdateStatusIf(obj)
-    {
-        // check if at least one peer is set. If not, ignore it.
-        if (Object.keys(obj.peers).length == 0) {
-            return '';
-        }
-
-        // generate row based on data
-        row = '';
-        for (var peerId in obj.peers) {
-            var peer = obj.peers[peerId];
-
-            // generate table row
-            row += wgGenerateRow(
-                obj.name,
-                obj.interface,
-                peer.name,
-                peer.publicKey,
-                peer.lastHandshake,
-                status
-            );
-        }
-
-        return row;
-    }
-
-    function wgUpdateStatus()
-    {
-        var table = '';
-        ajaxGet("/api/wireguard/general/getStatus", {}, function(data, status) {
-            if (status === 'success') {
-                for (var interface in data.items) {
-                    table += wgUpdateStatusIf(data.items[interface]);
-                }
-            }
-            // update table accordingly
-            document.getElementById("wg-table-tbody").innerHTML = table;
-            setTimeout(wgUpdateStatus, 10000);
-        });
-    };
-
-    <?php if ($enabled): ?>
-    wgUpdateStatus();
-    <?php endif; ?>
-});
-</script>
diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
deleted file mode 100644
index f2958e8ffa..0000000000
--- a/net/wireguard/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		2.6
-PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
-PLUGIN_DEPENDS=		wireguard-kmod
-PLUGIN_CONFLICTS=	wireguard-go
-PLUGIN_OBSOLETE=	yes
-PLUGIN_MAINTAINER=	ad@opnsense.org
-
-.include "../../Mk/plugins.mk"
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
deleted file mode 100644
index c045449d1e..0000000000
--- a/net/wireguard/pkg-descr
+++ /dev/null
@@ -1,127 +0,0 @@
-WireGuard® is an extremely simple yet fast and modern VPN
-that utilizes state-of-the-art cryptography. It aims to be
-faster, simpler, leaner, and more useful than IPSec, while
-avoiding the massive headache. It intends to be considerably
-more performant than OpenVPN. WireGuard is designed as a
-general purpose VPN for running on embedded interfaces and
-super computers alike, fit for many different circumstances.
-Initially released for the Linux kernel, it is now
-cross-platform and widely deployable. It is currently under
-heavy development, but already it might be regarded as the
-most secure, easiest to use, and simplest VPN solution in
-the industry.
-
-WWW: https://www.wireguard.com/
-
-Changelog
----------
-
-2.6
-
-* Consider missing CARP VHID as disabled
-
-2.5
-
-* Fix error with empty tunnel address in instance (contributed by Monviech)
-* Switch "setconf" to "syncconf" on (re)configuration
-* Fix regression of UUID return in setClientAction()
-* Reload the packet filter after reconfiguration
-* Allow instance selection from peer
-* Use "syncconf" on newwanip event
-* CARP event handling improvements
-* Minor UX and woring improvements
-
-2.4
-
-* Only invoke routes for attached WireGuard instances
-* Make bootup device creation more robust
-* Correct interface group registration
-
-2.3
-
-* Create WireGuard devices earlier to allow of to pick up NAT rules correctly
-* Consolidate the GUI with regard to WireGuard terminology
-
-2.2
-
-* Add VHID (CARP) tracking support
-
-2.1
-
-* Only reload when interface configuration did not change
-* Implement 'newwanip' and 'vpn' plugin facilities
-* Refactor dashboard widget
-
-2.0
-
-* Remove wireguard-go support and cleanup some go specific code as it's not being used anymore anyway
-* Service control handler similar to OpenVPN, which offers control per instance/interface and keeps track of changed interfaces (configure only restarts the changed ones).
-* Add some basic logging for the service handling and a view to inspect it.
-* Configuration logs are being flushed to the correct log automatically as mwexecf() sends errors to syslog (which in this scope sends to wireguard)
-* Reimplement https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns using Python in reresolve-dns.py
-* Enforce wireguard-tools rc script to be disabled when still installed, this should prevent bootup issues
-* Move 'interface' calculated field to model for easy reusability
-* Move diagnostics to VPN: WireGuard: Diagnostics
-* Change keypair generation to a separate API call and form button to ease copy/paste when adding new servers.
-* Change plugin maintainer
-
-1.13
-
-* Reworked widget and assorted cleanups (contributed by Patrik Kernstock)
-* Improve widget public key overlapping (contributed by Victor Haggqvist)
-
-1.12
-
-* Adjust validation for naming local instance and endpoints
-
-1.11
-
-* Add script for renewal of Wireguard DNS-based entries for stale connections (#2956)
-* Trim whitespace around new public and private keys in config (#2982)
-
-1.10
-
-* Remove instance limit
-
-1.9
-
-* Rename interface label in filter rules (#2577)
-
-1.8
-
-* Empty port in Endpoint is allowed
-
-1.7
-
-* Make tunnel address (wg interface address) optional
-
-1.6
-
-* Move DNS setting to advanced
-* Make listen port optional
-
-1.5
-
-* Allow synchronization of config
-
-1.4
-
-* Add IPv6 gateway support (contributed by Alexander Korinek)
-
-1.3
-
-* Client/peer name validation to use HostnameField
-
-1.2
-
-* Dashboard widget (contributed by D. Domig)
-
-1.1
-
-* Allow adding interface route for PBR
-
-1.0
-
-* Support for most features like S2S, Roadwarrior
-* DNS, MTU, PSK
-* Allow to disable setting routes for PBR
diff --git a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc b/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
deleted file mode 100644
index e935fa4b50..0000000000
--- a/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc
+++ /dev/null
@@ -1,194 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-function wireguard_enabled()
-{
-    return (string)(new \OPNsense\Wireguard\General())->enabled == '1';
-}
-
-function wireguard_services()
-{
-    $services = [];
-
-    if (!wireguard_enabled()) {
-        return $services;
-    }
-
-    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
-        if (!empty((string)$node->enabled)) {
-            $services[] = [
-                'description' => 'WireGuard ' . htmlspecialchars($node->name),
-                'configd' => [
-                    'start' => ["wireguard start {$key}"],
-                    'restart' => ["wireguard restart {$key}"],
-                    'stop' => ["wireguard stop {$key}"],
-                ],
-                'nocheck' => true, /* no daemon to check */
-                'id' => $key,
-                'name' => "wireguard"
-            ];
-        }
-    }
-
-    return $services;
-}
-
-function wireguard_syslog()
-{
-    return [
-        'wireguard' => ['facility' => ['wireguard']]
-    ];
-}
-
-function wireguard_interfaces()
-{
-    $interfaces = [];
-
-    if (!wireguard_enabled()) {
-        return $interfaces;
-    }
-
-    $interfaces['wireguard'] = [
-        'descr' => gettext('WireGuard (Group)'),
-        'if' => 'wireguard',
-        'virtual' => true,
-        'enable' => true,
-        'type' => 'group',
-        'networks' => [],
-    ];
-
-    return $interfaces;
-}
-
-function wireguard_xmlrpc_sync()
-{
-    $result = [];
-
-    $result['id'] = 'wireguard';
-    $result['section'] = 'OPNsense.wireguard';
-    $result['description'] = gettext('WireGuard');
-    $result['services'] = ['wireguard'];
-
-    return [$result];
-}
-
-function wireguard_devices()
-{
-    $names = [];
-    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
-        if (!empty((string)$node->enabled)) {
-            $names[(string)$node->interface] = [
-                'descr' => sprintf('%s (WireGuard - %s)', (string)$node->interface, (string)$node->name),
-                'ifdescr' => (string)$node->name,
-                'name' => (string)$node->interface
-            ];
-        }
-    }
-    return [[
-        'function' => 'wireguard_prepare', /* XXX only (empty) device creation */
-        'configurable' => false,
-        'pattern' => '^wg',
-        'type' => 'wireguard',
-        'volatile' => true,
-        'names' => $names,
-    ]];
-}
-
-function wireguard_prepare($device)
-{
-    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $node) {
-        if ($device != (string)$node->interface) {
-            continue;
-        }
-
-        /* deleting the stat file marks the interface for eventual reconfiguration */
-        @unlink((string)$node->statFilename);
-
-        if (!does_interface_exist($device)) {
-            mwexecf('/sbin/ifconfig wg create name %s', $device);
-            mwexecf('/sbin/ifconfig %s group wireguard', $device);
-        }
-
-        return $device;
-    }
-
-    return null;
-}
-
-function wireguard_configure()
-{
-    return [
-        'newwanip' => ['wireguard_sync:2'],
-        'vpn' => ['wireguard_configure_do:2'],
-    ];
-}
-
-function wireguard_configure_do($verbose = false, $unused = '')
-{
-    if (!wireguard_enabled()) {
-        return;
-    }
-
-    service_log('Configuring WireGuard VPN...', $verbose);
-
-    configd_run('wireguard configure');
-
-    service_log("done.\n", $verbose);
-}
-
-function wireguard_sync($verbose = false, $unused = '')
-{
-    if (!wireguard_enabled()) {
-        return;
-    }
-
-    $instances = [];
-    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $node) {
-        if (!empty((string)$node->enabled)) {
-            $instances[(string)$node->interface] = (string)$node->cnfFilename;
-        }
-    }
-
-    if (!count($instances)) {
-        return;
-    }
-
-    service_log('Synchronizing WireGuard VPN...', $verbose);
-
-    openlog('wireguard', LOG_ODELAY, LOG_AUTH);
-
-    foreach ($instances as $device => $config) {
-        mwexecf('/usr/bin/wg syncconf %s %s', [$device, $config]);
-    }
-
-    closelog();
-    reopenlog();
-
-    service_log("done.\n", $verbose);
-}
diff --git a/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard b/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
deleted file mode 100755
index 5e5e42d67f..0000000000
--- a/net/wireguard/src/etc/rc.syshook.d/carp/20-wireguard
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-configctl -dq wireguard configure $1
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
deleted file mode 100644
index 90e4ed4c5f..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php
+++ /dev/null
@@ -1,115 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Config;
-use OPNsense\Wireguard\Server;
-
-class ClientController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'client';
-    protected static $internalModelClass = '\OPNsense\Wireguard\Client';
-
-    public function searchClientAction()
-    {
-        return $this->searchBase(
-            'clients.client',
-            ["enabled", "name", "pubkey", "tunneladdress", "serveraddress", "serverport"]
-        );
-    }
-
-    public function getClientAction($uuid = null)
-    {
-        $result = $this->getBase('client', 'clients.client', $uuid);
-        if (!empty($result['client'])) {
-            $result['client']['servers'] = [];
-            foreach ((new Server())->servers->server->iterateItems() as $key => $node) {
-                $result['client']['servers'][$key] = [
-                    'value' => (string)$node->name,
-                    'selected' => in_array($uuid, explode(',', (string)$node->peers)) ? '1' : '0'
-                ];
-            }
-        }
-        return $result;
-    }
-
-    public function addClientAction()
-    {
-        return $this->setClientAction(null);
-    }
-
-    public function delClientAction($uuid)
-    {
-        return $this->delBase('clients.client', $uuid);
-    }
-
-    public function setClientAction($uuid)
-    {
-        $add_uuid = null;
-        if (!empty($this->request->getPost(static::$internalModelName)) && $this->request->isPost()) {
-            $servers = [];
-            if (!empty($this->request->getPost(static::$internalModelName)['servers'])) {
-                $servers = explode(',', $this->request->getPost(static::$internalModelName)['servers']);
-            }
-            Config::getInstance()->lock();
-            $mdl = new Server();
-            if (empty($uuid)) {
-                // add new client, generate uuid
-                $uuid = $mdl->servers->generateUUID();
-                $add_uuid = $uuid;
-            }
-            foreach ($mdl->servers->server->iterateItems() as $key => $node) {
-                $peers = array_filter(explode(',', (string)$node->peers));
-                if (in_array($uuid, $peers) && !in_array($key, $servers)) {
-                    $node->peers = implode(',', array_diff($peers, [$uuid]));
-                } elseif (!in_array($uuid, $peers) && in_array($key, $servers)) {
-                    $node->peers = implode(',', array_merge($peers, [$uuid]));
-                }
-            }
-            /**
-             * Save to in memory model.
-             * Ignore validations as $uuid might be new or trigger an existing validation issue.
-             * Persisting the data is handled by setBase()
-             */
-            $mdl->serializeToConfig(false, true);
-        }
-        $result = $this->setBase('client', 'clients.client', $uuid);
-        if (!empty($add_uuid) && $result['result'] == 'saved') {
-            $result['uuid'] = $add_uuid;
-        }
-        return $result;
-    }
-
-    public function toggleClientAction($uuid)
-    {
-        return $this->toggleBase('clients.client', $uuid);
-    }
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
deleted file mode 100644
index b461b9f6a7..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/GeneralController.php
+++ /dev/null
@@ -1,139 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Config;
-use OPNsense\Core\Backend;
-
-class GeneralController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelClass = '\OPNsense\Wireguard\General';
-    protected static $internalModelName = 'general';
-
-    /**
-     * XXX: remove in 24.1 unused
-     */
-    public function getStatusAction()
-    {
-        // get wireguard configuration
-        $config = Config::getInstance()->object();
-        $config = $config->OPNsense->wireguard;
-
-        // craft peers array
-        $peers = [];
-        $peers_uuid_pubkey = [];
-        // enabled, name, pubkey
-        foreach ($config->client->clients->client as $client) {
-            $peerUuid = (string)$client->attributes()['uuid'];
-            $peers_uuid_pubkey[$peerUuid] = (string) $client->pubkey;
-            $peers[$peerUuid] = [
-                "name"      => (string)  $client->name,
-                "enabled"   => (int) $client->enabled,
-                "publicKey" => (string)  $client->pubkey,
-            ];
-        }
-
-        // prepare and initialize the server array
-        $status = [];
-        $peer_pubkey_reference = [];
-        foreach ($config->server->servers->server as $server) {
-            if ($server->enabled != "1") {
-                continue;
-            }
-
-            // build basic server array
-            $interface = "wg" . $server->instance;
-            $status[$interface] = [
-                "instance"  => (int) $server->instance,
-                "interface" => (string)  $interface,
-                "enabled"   => (int) $server->enabled,
-                "name"      => (string)  $server->name,
-                "peers"     => [],
-            ];
-
-            // parse and add peers with initial values to array
-            if (strlen($server->peers) > 0) {
-                // there is at least one peer defined
-                $serverPeers = explode(",", (string) $server->peers);
-                // iteriate over each peer uuid
-                foreach ($serverPeers as $peerUuid) {
-                    // skipping removed peer that is still referenced in server
-                    if (!isset($peers[$peerUuid])) {
-                        continue;
-                    }
-                    // remember interface and pubkey <> peer-uuid reference for referencing handshake logic below
-                    $peer_pubkey_reference[$interface][$peers_uuid_pubkey[$peerUuid]] = $peerUuid;
-                    // merge peer info and initial values for handshake data
-                    $status[$interface]["peers"][$peerUuid] = array_merge(
-                        $peers[$peerUuid],
-                        [
-                            "lastHandshake" => "0000-00-00 00:00:00+00:00",
-                        ]
-                    );
-                }
-            }
-        }
-
-        // Get latest handshakes by running CLI command locally
-        $data = (new Backend())->configdRun("wireguard showhandshake");
-
-        // parse and set handshake to status datastructure
-        $data = trim($data);
-        if (strlen($data) !== 0) {
-            $wgHandshakes = explode("\n", $data);
-            foreach ($wgHandshakes as $handshake) {
-                $item = explode("\t", trim($handshake));
-
-                // set interface name and publickey
-                $interface = trim($item[0]);
-                $pubkey = trim($item[1]);
-
-                // calculate handshake time based on local timezone
-                $epoch = $item[2];
-                if ($epoch > 0) {
-                    $dt = new \DateTime("@$epoch");
-                    $dt->setTimezone(new \DateTimeZone(date_default_timezone_get()));
-                    $latest = $dt->format("Y-m-d H:i:sP");
-
-                    // set handshake
-                    $peerUuid = $peer_pubkey_reference[$interface][$pubkey];
-                    if (!empty($peerUuid)) {
-                        $status[$interface]["peers"][$peerUuid]["lastHandshake"] = $latest;
-                    }
-                }
-            }
-        }
-
-        return [
-            "items" => $status
-        ];
-    }
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
deleted file mode 100644
index c810dd2ae9..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php
+++ /dev/null
@@ -1,78 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Backend;
-
-class ServerController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'server';
-    protected static $internalModelClass = '\OPNsense\Wireguard\Server';
-
-    public function keyPairAction()
-    {
-        return json_decode((new Backend())->configdRun('wireguard gen_keypair'), true);
-    }
-
-    public function searchServerAction()
-    {
-        $search = $this->searchBase(
-            'servers.server',
-            ["enabled", "instance", "peers", "name", "networks", "pubkey", "port", "tunneladdress", 'interface']
-        );
-        return $search;
-    }
-
-    public function getServerAction($uuid = null)
-    {
-        return $this->getBase('server', 'servers.server', $uuid);
-    }
-
-    public function addServerAction($uuid = null)
-    {
-        return $this->addBase('server', 'servers.server', $uuid);
-    }
-
-    public function delServerAction($uuid)
-    {
-        return $this->delBase('servers.server', $uuid);
-    }
-
-    public function setServerAction($uuid = null)
-    {
-        return $this->setBase('server', 'servers.server', $uuid);
-    }
-
-    public function toggleServerAction($uuid)
-    {
-        return $this->toggleBase('servers.server', $uuid);
-    }
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
deleted file mode 100644
index eab3998151..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php
+++ /dev/null
@@ -1,123 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard\Api;
-
-use OPNsense\Base\ApiMutableServiceControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Wireguard\General;
-use OPNsense\Wireguard\Client;
-use OPNsense\Wireguard\Server;
-
-/**
- * Class ServiceController
- * @package OPNsense\Wireguard
- */
-class ServiceController extends ApiMutableServiceControllerBase
-{
-    protected static $internalServiceClass = '\OPNsense\Wireguard\General';
-    protected static $internalServiceTemplate = 'OPNsense/Wireguard';
-    protected static $internalServiceEnabled = 'enabled';
-    protected static $internalServiceName = 'wireguard';
-
-    /**
-     * @return array
-     */
-    public function reconfigureAction()
-    {
-        if (!$this->request->isPost()) {
-            return ['result' => 'failed'];
-        }
-
-        $this->sessionClose();
-        $backend = new Backend();
-        $backend->configdRun('interface invoke registration');
-        $backend->configdRun('template reload ' . escapeshellarg(static::$internalServiceTemplate));
-        $backend->configdpRun('wireguard configure');
-
-        return ['result' => 'ok'];
-    }
-
-    /**
-     * show wireguard config
-     * XXX: remove in 24.1
-     * @return array
-     */
-    public function showconfAction()
-    {
-        $response = (new Backend())->configdRun("wireguard showconf");
-        return array("response" => $response);
-    }
-
-    /**
-     * show wireguard handshakes
-     * XXX: remove in 24.1
-     * @return array
-     */
-    public function showhandshakeAction()
-    {
-        $response = (new Backend())->configdRun("wireguard showhandshake");
-        return array("response" => $response);
-    }
-
-    /**
-     * wg show all dump output
-     * @return array
-     */
-    public function showAction()
-    {
-        $payload = json_decode((new Backend())->configdRun("wireguard show") ?? '', true);
-        $records = !empty($payload) && !empty($payload['records']) ? $payload['records'] : [];
-        $key_descriptions = [];
-        $ifnames = [];
-        foreach ((new Client())->clients->client->iterateItems() as $key => $client) {
-            $key_descriptions[(string)$client->pubkey] = (string)$client->name;
-        }
-        foreach ((new Server())->servers->server->iterateItems() as $key => $server) {
-            $key_descriptions[(string)$server->pubkey] = (string)$server->name;
-            $ifnames[(string)$server->interface] =  (string)$server->name;
-        }
-        foreach ($records as &$record) {
-            if (!empty($record['public-key']) && !empty($key_descriptions[$record['public-key']])) {
-                $record['name'] = $key_descriptions[$record['public-key']];
-            } else {
-                $record['name'] = '';
-            }
-            $record['ifname'] = $ifnames[$record['if']];
-        }
-        $filter_funct = null;
-        $types = $this->request->get('type');
-        if (!empty($types)) {
-            $filter_funct = function ($record) use ($types) {
-                return in_array($record['type'], $types);
-            };
-        }
-        return $this->searchRecordsetBase($records, null, null, $filter_funct);
-    }
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
deleted file mode 100644
index 37f723f535..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/DiagnosticsController.php
+++ /dev/null
@@ -1,44 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard;
-
-class DiagnosticsController extends \OPNsense\Base\IndexController
-{
-    protected function templateJSIncludes()
-    {
-        $result = parent::templateJSIncludes();
-        $result[] = '/ui/js/moment-with-locales.min.js';
-        return $result;
-    }
-
-    public function indexAction()
-    {
-        $this->view->pick('OPNsense/Wireguard/diagnostics');
-    }
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
deleted file mode 100644
index 0683a6e8e6..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/GeneralController.php
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard;
-
-class GeneralController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->generalForm = $this->getForm("general");
-        $this->view->formDialogEditWireguardClient = $this->getForm("dialogEditWireguardClient");
-        $this->view->formDialogEditWireguardServer = $this->getForm("dialogEditWireguardServer");
-        $this->view->pick('OPNsense/Wireguard/general');
-    }
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
deleted file mode 100644
index ff303f842c..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardClient.xml
+++ /dev/null
@@ -1,58 +0,0 @@
-<form>
-    <field>
-        <id>client.enabled</id>
-        <label>Enabled</label>
-        <type>checkbox</type>
-        <help>This will enable or disable the peer.</help>
-    </field>
-    <field>
-        <id>client.name</id>
-        <label>Name</label>
-        <type>text</type>
-        <help>Set the name for this peer.</help>
-    </field>
-    <field>
-        <id>client.pubkey</id>
-        <label>Public key</label>
-        <type>text</type>
-        <help>Public key of this peer. You can generate the key using the private key piped to "wg pubkey".</help>
-    </field>
-    <field>
-        <id>client.psk</id>
-        <label>Pre-shared key</label>
-        <type>text</type>
-        <help>Shared secret (PSK) for this peer. You can generate a key using "wg genpsk".</help>
-    </field>
-    <field>
-        <id>client.tunneladdress</id>
-        <label>Allowed IPs</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>List of addresses allowed to pass trough the tunnel adapter. Please use CIDR notation like 10.0.0.1/24.</help>
-    </field>
-    <field>
-        <id>client.serveraddress</id>
-        <label>Endpoint address</label>
-        <type>text</type>
-        <help>Set public IP address the endpoint listens to.</help>
-    </field>
-    <field>
-        <id>client.serverport</id>
-        <label>Endpoint port</label>
-        <type>text</type>
-        <help>Set port the endpoint listens to.</help>
-    </field>
-    <field>
-        <id>client.servers</id>
-        <label>Instances</label>
-        <type>select_multiple</type>
-        <help>List of instances this peer belongs to.</help>
-    </field>
-    <field>
-        <id>client.keepalive</id>
-        <label>Keepalive interval</label>
-        <type>text</type>
-        <help>Set persistent keepalive interval in seconds.</help>
-    </field>
-</form>
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
deleted file mode 100644
index 3b23f056f5..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/dialogEditWireguardServer.xml
+++ /dev/null
@@ -1,87 +0,0 @@
-<form>
-    <field>
-        <id>server.enabled</id>
-        <label>Enabled</label>
-        <type>checkbox</type>
-        <help>This will enable or disable the instance.</help>
-    </field>
-    <field>
-        <id>server.name</id>
-        <label>Name</label>
-        <type>text</type>
-        <help>Set the name for this instance.</help>
-    </field>
-    <field>
-        <id>server.instance</id>
-        <label>Instance</label>
-        <type>info</type>
-        <help>This is the instance number to give the WireGuard device a unique name (wgX).</help>
-    </field>
-    <field>
-        <id>server.pubkey</id>
-        <label>Public key</label>
-        <type>text</type>
-        <help>Public key of this instance. You can specify your own one, or a key will be generated after saving.</help>
-    </field>
-    <field>
-        <id>server.privkey</id>
-        <label>Private key</label>
-        <type>text</type>
-        <help>Private key of this instance. You can specify your own one, or a key will be generated after saving. Please keep this key safe.</help>
-    </field>
-    <field>
-        <id>server.port</id>
-        <label>Listen port</label>
-        <type>text</type>
-        <help>Optionally set a fixed port for this instance to listen on. The standard port range starts at 51820.</help>
-    </field>
-    <field>
-        <id>server.mtu</id>
-        <label>MTU</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help>Set a specific device MTU for this instance.</help>
-    </field>
-    <field>
-        <id>server.dns</id>
-        <label>DNS servers</label>
-        <type>select_multiple</type>
-        <style>tokenize</style>
-        <allownew>true</allownew>
-        <advanced>true</advanced>
-        <help>Set specific DNS servers for this instance. Use with care.</help>
-    </field>
-    <field>
-        <id>server.tunneladdress</id>
-        <label>Tunnel address</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>List of addresses to configure on the device. Please use CIDR notation like 10.0.0.1/24.</help>
-    </field>
-    <field>
-        <id>server.carp_depend_on</id>
-        <label>Depend on (CARP)</label>
-        <type>dropdown</type>
-        <help>The CARP VHID to depend on. When this virtual address is not in master state, then the instance will be shutdown.</help>
-    </field>
-    <field>
-        <id>server.peers</id>
-        <label>Peers</label>
-        <type>select_multiple</type>
-        <help>List of peers for this instance.</help>
-    </field>
-    <field>
-        <id>server.disableroutes</id>
-        <label>Disable routes</label>
-        <type>checkbox</type>
-        <help>This will prevent installing routes. Usually you only enable this to do own routing decisions via a local gateway and gateway rules.</help>
-    </field>
-    <field>
-        <id>server.gateway</id>
-        <label>Gateway</label>
-        <type>text</type>
-        <advanced>true</advanced>
-        <help>Set the gateway IP here when using "Disable routes" feature. You also have to add this as a system gateway.</help>
-    </field>
-</form>
diff --git a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml b/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
deleted file mode 100644
index 7a74ebf81b..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/forms/general.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<form>
-    <field>
-        <id>general.enabled</id>
-        <label>Enable WireGuard</label>
-        <type>checkbox</type>
-        <help>This will activate WireGuard and start all enabled instances.</help>
-    </field>
-</form>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
deleted file mode 100644
index 94360e7762..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/ACL/ACL.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<acl>
-   <page-wireguard-config>
-      <name>VPN: WireGuard</name>
-      <patterns>
-         <pattern>ui/wireguard/*</pattern>
-         <pattern>api/wireguard/*</pattern>
-      </patterns>
-   </page-wireguard-config>
-</acl>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
deleted file mode 100644
index fbe1917bf2..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard;
-
-use OPNsense\Base\BaseModel;
-
-class Client extends BaseModel
-{
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
deleted file mode 100644
index 82c24d1d53..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<model>
-    <mount>//OPNsense/wireguard/client</mount>
-    <description>WireGuard peer configuration</description>
-    <version>0.0.7</version>
-    <items>
-        <clients>
-            <client type="ArrayField">
-                <enabled type="BooleanField">
-                    <Default>1</Default>
-                    <Required>Y</Required>
-                </enabled>
-                <name type="TextField">
-                    <Required>Y</Required>
-                    <Mask>/^([0-9a-zA-Z._\-]){1,64}$/u</Mask>
-                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
-                </name>
-                <pubkey type="Base64Field">
-                    <Required>Y</Required>
-                </pubkey>
-                <psk type="Base64Field"/>
-                <tunneladdress type="NetworkField">
-                    <FieldSeparator>,</FieldSeparator>
-                    <Required>Y</Required>
-                    <asList>Y</asList>
-                </tunneladdress>
-                <serveraddress type="HostnameField"/>
-                <serverport type="PortField"/>
-                <keepalive type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>86400</MaximumValue>
-                    <ValidationMessage>Please specify a value between 1 and 86400.</ValidationMessage>
-                </keepalive>
-            </client>
-        </clients>
-    </items>
-</model>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php
deleted file mode 100644
index a327af5fb6..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php
+++ /dev/null
@@ -1,58 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard\FieldTypes;
-
-use OPNsense\Base\FieldTypes\ArrayField;
-use OPNsense\Base\FieldTypes\TextField;
-
-class ServerField extends ArrayField
-{
-    /**
-     * push internal reusable properties as virtuals
-     */
-    protected function actionPostLoadingEvent()
-    {
-        foreach ($this->internalChildnodes as $node) {
-            if (!$node->getInternalIsVirtual()) {
-                $files = [
-                    'cnfFilename' => "/usr/local/etc/wireguard/wg{$node->instance}.conf",
-                    'statFilename' => "/usr/local/etc/wireguard/wg{$node->instance}.stat",
-                    'interface' => "wg{$node->instance}",
-                ];
-                foreach ($files as $name => $payload) {
-                    $new_item = new TextField();
-                    $new_item->setInternalIsVirtual();
-                    $new_item->setValue($payload);
-                    $node->addChildNode($name, $new_item);
-                }
-            }
-        }
-        return parent::actionPostLoadingEvent();
-    }
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
deleted file mode 100644
index 09358565a3..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard;
-
-use OPNsense\Base\BaseModel;
-
-class General extends BaseModel
-{
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
deleted file mode 100644
index 1868a8885e..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<model>
-    <mount>//OPNsense/wireguard/general</mount>
-    <description>WireGuard configuration</description>
-    <version>0.0.1</version>
-    <items>
-        <enabled type="BooleanField">
-            <Default>0</Default>
-            <Required>Y</Required>
-        </enabled>
-    </items>
-</model>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
deleted file mode 100644
index f2c15f4069..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<menu>
-    <VPN>
-      <WireGuard cssClass="fa fa-lock fa-fw" order="150">
-          <Settings order="10" url="/ui/wireguard/general/"/>
-          <Diagnostics order="20" url="/ui/wireguard/diagnostics/"/>
-          <LogFile order="70" VisibleName="Log File" url="/ui/diagnostics/log/core/wireguard"/>
-      </WireGuard>
-    </VPN>
-</menu>
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
deleted file mode 100644
index 6b4c136efa..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Wireguard;
-
-use OPNsense\Base\BaseModel;
-
-class Server extends BaseModel
-{
-}
diff --git a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml b/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
deleted file mode 100644
index 3fe0a0153c..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml
+++ /dev/null
@@ -1,73 +0,0 @@
-<model>
-    <mount>//OPNsense/wireguard/server</mount>
-    <description>WireGuard instance configuration</description>
-    <version>0.0.4</version>
-    <items>
-        <servers>
-            <server type=".\ServerField">
-                <enabled type="BooleanField">
-                    <Default>1</Default>
-                    <Required>Y</Required>
-                </enabled>
-                <name type="TextField">
-                    <Required>Y</Required>
-                    <Mask>/^([0-9a-zA-Z._\-]){1,64}$/u</Mask>
-                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are alphanumeric characters, dash and underscores.</ValidationMessage>
-                </name>
-                <instance type="AutoNumberField">
-                    <Required>Y</Required>
-                </instance>
-                <pubkey type="TextField">
-                    <Required>Y</Required>
-                    <ValidationMessage>A public key is required</ValidationMessage>
-                </pubkey>
-                <privkey type="TextField">
-                    <Required>Y</Required>
-                    <ValidationMessage>A private key is required</ValidationMessage>
-                </privkey>
-                <port type="PortField"/>
-                <mtu type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>9300</MaximumValue>
-                </mtu>
-                <dns type="CSVListField">
-                    <Mask>/^([a-fA-F0-9\.:\[\]]*?,)*([a-fA-F0-9\.:\[\]]*)$/</Mask>
-                    <ValidationMessage>Please use valid IPv4 or IPv6 addresses.</ValidationMessage>
-                </dns>
-                <tunneladdress type="NetworkField">
-                    <FieldSeparator>,</FieldSeparator>
-                    <asList>Y</asList>
-                </tunneladdress>
-                <disableroutes type="BooleanField">
-                    <Default>0</Default>
-                    <Required>Y</Required>
-                    <Constraints>
-                        <check001>
-                            <ValidationMessage>You have to enable Disable Routes option.</ValidationMessage>
-                            <type>DependConstraint</type>
-                            <addFields>
-                                <field1>gateway</field1>
-                            </addFields>
-                        </check001>
-                    </Constraints>
-                </disableroutes>
-                <gateway type="NetworkField"/>
-                <carp_depend_on type="VirtualIPField">
-                    <type>carp</type>
-                    <key>mvc</key>
-                </carp_depend_on>
-                <peers type="ModelRelationField">
-                    <Model>
-                        <template>
-                            <source>OPNsense.Wireguard.Client</source>
-                            <items>clients.client</items>
-                            <display>name</display>
-                        </template>
-                    </Model>
-                    <Multiple>Y</Multiple>
-                    <ValidationMessage>Choose an Peer.</ValidationMessage>
-                </peers>
-            </server>
-        </servers>
-    </items>
-</model>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
deleted file mode 100644
index 1f812c463d..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/diagnostics.volt
+++ /dev/null
@@ -1,97 +0,0 @@
-{#
- # Copyright (c) 2023 Deciso B.V.
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1. Redistributions of source code must retain the above copyright notice,
- #    this list of conditions and the following disclaimer.
- #
- # 2. Redistributions in binary form must reproduce the above copyright notice,
- #    this list of conditions and the following disclaimer in the documentation
- #    and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-
-   <script>
-       $( document ).ready(function() {
-
-            $("#grid-sessions").UIBootgrid({
-                search:'/api/wireguard/service/show',
-                options:{
-                    multiSelect: false,
-                    rowSelect: false,
-                    selection: false,
-                    formatters:{
-                        bytes: function(column, row) {
-                            if (row[column.id] && row[column.id] > 0) {
-                                return byteFormat(row[column.id], 2);
-                            }
-                            return row[column.id];
-                        },
-                        epoch: function(column, row) {
-                            if (row[column.id]) {
-                                return moment.unix(row[column.id]).local().format('YYYY-MM-DD HH:mm:ss');
-                            } else {
-                                return '';
-                            }
-
-                        }
-                    },
-                    requestHandler: function(request){
-                        if ( $('#type_filter').val().length > 0) {
-                            request['type'] = $('#type_filter').val();
-                        }
-                        return request;
-                    },
-                }
-            });
-
-            $("#type_filter").change(function(){
-                $('#grid-sessions').bootgrid('reload');
-            });
-
-            $("#type_filter_container").detach().prependTo('#grid-sessions-header > .row > .actionBar > .actions');
-       });
-
-   </script>
-
-   <div class="tab-content content-box">
-       <div class="hidden">
-           <!-- filter per type container -->
-           <div id="type_filter_container" class="btn-group">
-               <select id="type_filter"  data-title="{{ lang._('Type') }}" class="selectpicker" multiple="multiple" data-width="200px">
-                    <option value="interface">{{ lang._('Instance') }}</option>
-                    <option value="peer">{{ lang._('Peer') }}</option>
-               </select>
-           </div>
-       </div>
-       <table id="grid-sessions" class="table table-condensed table-hover table-striped table-responsive">
-           <thead>
-             <tr>
-                 <th data-column-id="if" data-type="string" data-width="8em">{{ lang._('Device') }}</th>
-                 <th data-column-id="type" data-type="string" data-width="8em" data-visible="false">{{ lang._('Type') }}</th>
-                 <th data-column-id="status" data-type="string" data-width="8em" >{{ lang._('Status') }}</th>
-                 <th data-column-id="public-key" data-type="string" data-identifier="true">{{ lang._('Public key') }}</th>
-                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
-                 <th data-column-id="endpoint" data-type="string">{{ lang._('Port / Endpoint') }}</th>
-                 <th data-column-id="latest-handshake"  data-formatter="epoch" data-type="numeric">{{ lang._('Handshake') }}</th>
-                 <th data-column-id="transfer-tx" data-formatter="bytes" data-type="numeric">{{ lang._('Send') }}</th>
-                 <th data-column-id="transfer-rx" data-formatter="bytes" data-type="numeric">{{ lang._('Received') }}</th>
-             </tr>
-           </thead>
-           <tbody>
-           </tbody>
-       </table>
-   </div>
diff --git a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt b/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
deleted file mode 100644
index 5cc1f6d627..0000000000
--- a/net/wireguard/src/opnsense/mvc/app/views/OPNsense/Wireguard/general.volt
+++ /dev/null
@@ -1,173 +0,0 @@
-{#
- # Copyright (c) 2014-2023 Deciso B.V.
- # Copyright (c) 2018 Michael Muenz <m.muenz@gmail.com>
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1.  Redistributions of source code must retain the above copyright notice,
- #     this list of conditions and the following disclaimer.
- #
- # 2.  Redistributions in binary form must reproduce the above copyright notice,
- #     this list of conditions and the following disclaimer in the documentation
- #     and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-
- <script>
-    $( document ).ready(function() {
-        var data_get_map = {'frm_general_settings':"/api/wireguard/general/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
-            formatTokenizersUI();
-            $('.selectpicker').selectpicker('refresh');
-        });
-
-        $("#grid-peers").UIBootgrid(
-            {
-                'search':'/api/wireguard/client/searchClient',
-                'get':'/api/wireguard/client/getClient/',
-                'set':'/api/wireguard/client/setClient/',
-                'add':'/api/wireguard/client/addClient/',
-                'del':'/api/wireguard/client/delClient/',
-                'toggle':'/api/wireguard/client/toggleClient/'
-            }
-        );
-
-        $("#grid-instances").UIBootgrid(
-            {
-                'search':'/api/wireguard/server/searchServer',
-                'get':'/api/wireguard/server/getServer/',
-                'set':'/api/wireguard/server/setServer/',
-                'add':'/api/wireguard/server/addServer/',
-                'del':'/api/wireguard/server/delServer/',
-                'toggle':'/api/wireguard/server/toggleServer/'
-            }
-        );
-
-
-        $("#reconfigureAct").SimpleActionButton({
-            onPreAction: function() {
-                const dfObj = new $.Deferred();
-                saveFormToEndpoint("/api/wireguard/general/set", 'frm_general_settings', function(){
-                    dfObj.resolve();
-                });
-                return dfObj;
-            }
-        });
-
-        /**
-         * Move keypair generation button inside the instance form and hook api event
-         */
-        $("#control_label_server\\.pubkey").append($("#keygen_div").detach().show());
-        $("#keygen").click(function(){
-            ajaxGet("/api/wireguard/server/key_pair", {}, function(data, status){
-                if (data.status && data.status === 'ok') {
-                    $("#server\\.pubkey").val(data.pubkey);
-                    $("#server\\.privkey").val(data.privkey);
-                }
-            });
-        })
-    });
-</script>
-
-<!-- Navigation bar -->
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
-    <li><a data-toggle="tab" href="#instances">{{ lang._('Instances') }}</a></li>
-    <li><a data-toggle="tab" href="#peers">{{ lang._('Peers') }}</a></li>
-</ul>
-
-<div class="tab-content content-box tab-content">
-    <div id="general" class="tab-pane fade in active">
-        {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    </div>
-    <div id="peers" class="tab-pane fade in">
-        <table id="grid-peers" class="table table-condensed table-hover table-striped" data-editDialog="dialogEditWireguardClient">
-            <thead>
-                <tr>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="serveraddress" data-type="string" data-visible="true">{{ lang._('Endpoint address') }}</th>
-                    <th data-column-id="serverport" data-type="string" data-visible="true">{{ lang._('Endpoint port') }}</th>
-                    <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Allowed IPs') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td colspan="6"></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-fw fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-    <div id="instances" class="tab-pane fade in">
-        <span id="keygen_div" style="display:none" class="pull-right">
-            <button id="keygen" type="button" class="btn btn-secondary" title="{{ lang._('Generate new keypair.') }}" data-toggle="tooltip">
-              <i class="fa fa-fw fa-gear"></i>
-            </button>
-        </span>
-        <table id="grid-instances" class="table table-condensed table-hover table-striped" data-editDialog="dialogEditWireguardServer">
-            <thead>
-                <tr>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="interface" data-type="string" data-visible="true">{{ lang._('Device') }}</th>
-                    <th data-column-id="tunneladdress" data-type="string" data-visible="true">{{ lang._('Tunnel Address') }}</th>
-                    <th data-column-id="port" data-type="string" data-visible="true">{{ lang._('Port') }}</th>
-                    <th data-column-id="peers" data-type="string" data-visible="true">{{ lang._('Peers') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td colspan="7"></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-fw fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-</div>
-
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <br/>
-            <button class="btn btn-primary" id="reconfigureAct"
-                    data-endpoint='/api/wireguard/service/reconfigure'
-                    data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring WireGuard') }}"
-                    type="button"
-            ></button>
-            <br/><br/>
-        </div>
-    </div>
-</section>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardClient,'id':'dialogEditWireguardClient','label':lang._('Edit peer')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditWireguardServer,'id':'dialogEditWireguardServer','label':lang._('Edit instance')])}}
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/gen_keypair.py b/net/wireguard/src/opnsense/scripts/Wireguard/gen_keypair.py
deleted file mode 100755
index beada99c76..0000000000
--- a/net/wireguard/src/opnsense/scripts/Wireguard/gen_keypair.py
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/local/bin/python3
-
-"""
-    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-     this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-     notice, this list of conditions and the following disclaimer in the
-     documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-"""
-import subprocess
-import ujson
-
-
-def keypair():
-    sp = subprocess.run(['/usr/bin/wg', 'genkey'], capture_output=True, text=True)
-    if sp.returncode == 0:
-        privkey = sp.stdout.strip()
-        sp = subprocess.run(['/usr/bin/wg', 'pubkey'], input=privkey, capture_output=True, text=True)
-        if sp.returncode == 0:
-            return {'privkey': privkey, 'pubkey': sp.stdout.strip()}
-    return None
-
-response = keypair()
-if not response:
-    print(ujson.dumps({'status': 'failed'}))
-else:
-    response['status'] = 'ok'
-    print(ujson.dumps(response))
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py b/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
deleted file mode 100755
index 219f6d5f2b..0000000000
--- a/net/wireguard/src/opnsense/scripts/Wireguard/reresolve-dns.py
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/usr/local/bin/python3
-
-"""
-    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-     this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-     notice, this list of conditions and the following disclaimer in the
-     documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-"""
-# Python implementation to re-resolve dns entries, for reference see:
-# https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns
-import glob
-import os
-import time
-import subprocess
-
-
-
-sp = subprocess.run(['/usr/bin/wg', 'show', 'all', 'latest-handshakes'], capture_output=True, text=True)
-ts_now = time.time()
-handshakes = {}
-for line in sp.stdout.split('\n'):
-    parts = line.split()
-    if len(parts) == 3 and parts[2].isdigit():
-        handshakes["%s-%s" % (parts[0], parts[1])] = ts_now - int(parts[2])
-
-
-for filename in glob.glob('/usr/local/etc/wireguard/*.conf'):
-    this_peer = {}
-    ifname = os.path.basename(filename).split('.')[0]
-    with open(filename, 'r') as fhandle:
-        for line in fhandle:
-            if line.startswith('[Peer]'):
-                this_peer = {'ifname': ifname}
-            elif line.startswith('PublicKey'):
-                this_peer['PublicKey'] = line.split('=', 1)[1].strip()
-            elif line.startswith('Endpoint'):
-                this_peer['Endpoint'] = line.split('=', 1)[1].strip()
-
-            if 'Endpoint' in this_peer and 'PublicKey' in this_peer:
-                peer_key = "%(ifname)s-%(PublicKey)s" % this_peer
-                if handshakes.get(peer_key, 999) > 135:
-                    # skip if there has been a handshake recently
-                    subprocess.run(
-                        [
-                            '/usr/bin/wg',
-                            'set',
-                            ifname,
-                            'peer',
-                            this_peer['PublicKey'],
-                            'endpoint',
-                            this_peer['Endpoint']
-                        ],
-                        capture_output=True,
-                        text=True
-                    )
-                this_peer = {}
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
deleted file mode 100755
index b0cd9c13da..0000000000
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ /dev/null
@@ -1,303 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- * Copyright (C) 2023 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once('script/load_phalcon.php');
-require_once('util.inc');
-require_once('config.inc');
-require_once('interfaces.inc');
-require_once('system.inc');
-
-/**
- * collect carp status per vhid
- */
-function get_vhid_status()
-{
-    $vhids = [];
-    $uuids = [];
-    foreach ((new OPNsense\Interfaces\Vip())->vip->iterateItems() as $id => $item) {
-        if ($item->mode == 'carp') {
-            $uuids[(string)$item->vhid] =  $id;
-            $vhids[$id] = ['status' => 'DISABLED', 'vhid' => (string)$item->vhid];
-        }
-    }
-    foreach (legacy_interfaces_details() as $ifdata) {
-        if (!empty($ifdata['carp'])) {
-            foreach ($ifdata['carp'] as $data) {
-                if (isset($uuids[$data['vhid']])) {
-                    $vhids[$uuids[$data['vhid']]] = ['status' => $data['status'], 'vhid' => $data['vhid']];
-                }
-            }
-        }
-    }
-    return $vhids;
-}
-
-
-/**
- * mimic wg-quick behaviour, but bound to our config
- */
-function wg_start($server, $fhandle, $ifcfgflag = 'up')
-{
-    if (!does_interface_exist($server->interface)) {
-        mwexecf('/sbin/ifconfig wg create name %s', [$server->interface]);
-        mwexecf('/sbin/ifconfig %s group wireguard', [$server->interface]);
-    }
-    mwexecf('/usr/bin/wg syncconf %s %s', [$server->interface, $server->cnfFilename]);
-
-    /* The tunneladdress can be empty, so array_filter without callback filters empty strings out. */
-    foreach (array_filter(explode(',', (string)$server->tunneladdress)) as $alias) {
-        $proto = strpos($alias, ':') === false ? "inet" : "inet6";
-        mwexecf('/sbin/ifconfig %s %s %s alias', [$server->interface, $proto, $alias]);
-    }
-    if (!empty((string)$server->mtu)) {
-        mwexecf('/sbin/ifconfig %s mtu %s', [$server->interface, $server->mtu]);
-    }
-    mwexecf('/sbin/ifconfig %s %s', [$server->interface, $ifcfgflag]);
-
-    if (empty((string)$server->disableroutes)) {
-        /**
-         * Add routes for all configured peers, wg-quick seems to parse 'wg show wgX allowed-ips' for this,
-         * but this should logically congtain the same networks.
-         *
-         * XXX: For some reason these routes look a bit off, not very well integrated into OPNsense.
-         *      In the long run it might make sense to have some sort of pluggable model facility
-         *      where these (and maybe other) static routes hook into.
-         **/
-        $peers = explode(',', $server->peers);
-        $routes_to_add = ['inet' => [], 'inet6' => []];
-        foreach ((new OPNsense\Wireguard\Client())->clients->client->iterateItems() as $key => $client) {
-            if (empty((string)$client->enabled) || !in_array($key, $peers)) {
-                continue;
-            }
-            foreach (explode(',', (string)$client->tunneladdress) as $tunneladdress) {
-                $ipproto = strpos($tunneladdress, ":") === false ? "inet" :  "inet6";
-                /* wg-quick seems to prevent /0 being routed and translates this automatically */
-                if (str_ends_with(trim($tunneladdress), '/0')) {
-                    if ($ipproto == 'inet') {
-                        array_push($routes_to_add[$ipproto], '0.0.0.0/1', '128.0.0.0/1');
-                    } else {
-                        array_push($routes_to_add[$ipproto], '::/1', '8000::/1');
-                    }
-                } else {
-                    $routes_to_add[$ipproto][] = $tunneladdress;
-                }
-            }
-        }
-        foreach ($routes_to_add as $ipproto => $routes) {
-            foreach (array_unique($routes) as $route) {
-                mwexecf('/sbin/route -q -n add -%s %s -interface %s', [$ipproto,  $route, $server->interface]);
-            }
-        }
-    } elseif (!empty((string)$server->gateway)) {
-        /* Only bind the gateway ip to the tunnel */
-        $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6";
-        mwexecf('/sbin/route -q -n add %s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
-    }
-
-    // flush checksum to ease change detection
-    fseek($fhandle, 0);
-    ftruncate($fhandle, 0);
-    fwrite($fhandle, @md5_file($server->cnfFilename) . "|" . wg_reconfigure_hash($server));
-    syslog(LOG_NOTICE, "wireguard instance {$server->name} ({$server->interface}) started");
-    interfaces_restart_by_device(false, [(string)$server->interface], false);
-}
-
-/**
- * stop wireguard tunnel, kill the device, the routes should drop automatically.
- */
-function wg_stop($server)
-{
-    if (does_interface_exist($server->interface)) {
-        legacy_interface_destroy($server->interface);
-    }
-    syslog(LOG_NOTICE, "wireguard instance {$server->name} ({$server->interface}) stopped");
-}
-
-
-/**
- * Calculate a hash which determines if we are able to reconfigure without a restart of the tunnel.
- * We currently assume if something changed on the interface or peer routes are being pushed, it's safer to
- * restart then reload.
- */
-function wg_reconfigure_hash($server)
-{
-    if (empty((string)$server->disableroutes)) {
-        return md5(uniqid('', true));   // random hash, should always reconfigure
-    }
-    return md5(
-        sprintf(
-            '%s|%s|%s',
-            $server->tunneladdress,
-            $server->mtu,
-            $server->gateway
-        )
-    );
-}
-
-/**
- * The stat hash file answers two questions, [1] has anything changed, which is answered using an md5 hash of the
- * configuration file. The second question, if something has changed, is it safe to only reload the configuration.
- * This is answered by wg_reconfigure_hash() for the instance in question.
- */
-function get_stat_hash($fhandle)
-{
-    fseek($fhandle, 0);
-    $payload = stream_get_contents($fhandle) ?? '';
-    $parts = explode('|', $payload);
-    return [
-        'file' => $parts[0] ?? '',
-        'interface' => $parts[1] ?? ''
-    ];
-}
-
-$opts = getopt('ah', [], $optind);
-$args = array_slice($argv, $optind);
-
-/* setup syslog logging */
-openlog("wireguard", LOG_ODELAY, LOG_AUTH);
-
-if (isset($opts['h']) || empty($args) || !in_array($args[0], ['start', 'stop', 'restart', 'configure'])) {
-    echo "Usage: wg-service-control.php [-a] [-h] [stop|start|restart|configure] [uuid|vhid]\n\n";
-    echo "\t-a all instances\n";
-} elseif (isset($opts['a']) || !empty($args[1])) {
-    // either a server id (uuid) or a vhid could be offered
-    $server_id = $vhid = null;
-    if (preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/', $args[1] ?? '') == 1) {
-        $server_id = $args[1];
-    } elseif (!empty($args[1])) {
-        $vhid = explode('@', $args[1])[0];
-    }
-
-    $action = $args[0];
-
-    $server_devs = [];
-    if (!empty((string)(new OPNsense\Wireguard\General())->enabled)) {
-        $vhids = get_vhid_status();
-        foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
-            $carp_depend_on = (string)$node->carp_depend_on;
-            if (empty((string)$node->enabled)) {
-                continue;
-            } elseif ($server_id != null && $key != $server_id) {
-                continue;
-            } elseif ($vhid != null && (!empty($vhids[$carp_depend_on]) && $vhids[$carp_depend_on]['vhid'] != $vhid)) {
-                continue;
-            }
-            /**
-             * CARP may influence the interface status (up or down).
-             * In order to fluently switch between roles, one should only have to change the interface flag in this
-             * case, which means we can still reconfigure an interface in the usual way and just omit sending traffic
-             * when in BACKUP or INIT mode.
-             */
-            $carp_if_flag = 'up';
-            if (!empty($vhids[$carp_depend_on]) && $vhids[$carp_depend_on]['status'] != 'MASTER') {
-                $carp_if_flag = 'down';
-            }
-            $server_devs[] = (string)$node->interface;
-            $statHandle = fopen($node->statFilename, "a+");
-            if (flock($statHandle, LOCK_EX)) {
-                $ifdetails = legacy_interfaces_details((string)$node->interface);
-                switch ($action) {
-                    case 'stop':
-                        wg_stop($node);
-                        break;
-                    case 'start':
-                        wg_start($node, $statHandle, $carp_if_flag);
-                        break;
-                    case 'restart':
-                        wg_stop($node);
-                        wg_start($node, $statHandle, $carp_if_flag);
-                        break;
-                    case 'configure':
-                        $ifstatus = '-';
-                        if (!empty($ifdetails[(string)$node->interface])) {
-                            $ifstatus = in_array('up', $ifdetails[(string)$node->interface]['flags']) ? 'up' : 'down';
-                        }
-
-                        if (!empty($carp_depend_on) && !empty($vhid)) {
-                            // CARP event traceability when a vhid is being passed
-                            syslog(
-                                LOG_NOTICE,
-                                sprintf(
-                                    "Wireguard configure event instance %s (%s) vhid: %s carp: %s interface: %s",
-                                    $node->name,
-                                    $node->interface,
-                                    $vhid,
-                                    !empty($vhids[$carp_depend_on]) ? $vhids[$carp_depend_on]['status'] : '-',
-                                    $ifstatus
-                                )
-                            );
-                        }
-                        if (
-                            @md5_file($node->cnfFilename) != get_stat_hash($statHandle)['file'] ||
-                            empty($ifdetails[(string)$node->interface])
-                        ) {
-                            if (get_stat_hash($statHandle)['interface'] != wg_reconfigure_hash($node)) {
-                                // Fluent reloading not supported for this instance, make sure the user is informed
-                                syslog(
-                                    LOG_NOTICE,
-                                    "wireguard instance {$node->name} ({$node->interface}) " .
-                                    "can not reconfigure without stopping it first."
-                                );
-                                wg_stop($node);
-                            }
-                            wg_start($node, $statHandle, $carp_if_flag);
-                        } else {
-                            // when triggered via a CARP event, check our interface status [UP|DOWN]
-                            if ($ifstatus !=  $carp_if_flag) {
-                                mwexecf('/sbin/ifconfig %s %s', [$node->interface, $carp_if_flag]);
-                            }
-                        }
-                        break;
-                }
-                flock($statHandle, LOCK_UN);
-            }
-            fclose($statHandle);
-        }
-    }
-
-    /**
-     * When -a is specified, cleanup up old or disabled instances (files and interfaces)
-     */
-    if ($server_id == null && $vhid == null) {
-        foreach (glob('/usr/local/etc/wireguard/wg*') as $filename) {
-            $this_dev = explode('.', basename($filename))[0];
-            if (!in_array($this_dev, $server_devs)) {
-                @unlink($filename);
-                if (does_interface_exist($this_dev)) {
-                    legacy_interface_destroy($this_dev);
-                }
-            }
-        }
-    }
-
-    if (count($server_devs)) {
-        configd_run('filter reload'); /* XXX required for NAT rules, but needs coalescing */
-    }
-}
-closelog();
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py b/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
deleted file mode 100755
index 987efb4433..0000000000
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg_show.py
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/local/bin/python3
-
-"""
-    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-     this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-     notice, this list of conditions and the following disclaimer in the
-     documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-"""
-import subprocess
-import ujson
-
-
-interfaces = {}
-for line in subprocess.run(['/sbin/ifconfig'], capture_output=True, text=True).stdout.split("\n"):
-    if not line.startswith('\t') and line.find('<') > -1:
-        ifname = line.split(':')[0]
-        interfaces[ifname] = 'up' if 'UP' in line.split('<')[1].split('>')[0].split(',') else 'down'
-
-sp = subprocess.run(['/usr/bin/wg', 'show', 'all', 'dump'], capture_output=True, text=True)
-result = {'records': []}
-if sp.returncode == 0:
-    for line in sp.stdout.split("\n"):
-        record = {}
-        parts = line.split("\t")
-        # parse fields as explained in 'man wg'
-        record['if'] = parts[0] if len(parts) else None
-        if len(parts) == 5:
-            # intentially skip private key, should not expose it
-            record['type'] = 'interface'
-            record['public-key'] = parts[2]
-            record['listen-port'] = parts[3]
-            record['fwmark'] = parts[4]
-            # convenience, copy listen-port to endpoint
-            record['endpoint'] = parts[3]
-            record['status'] = interfaces.get(record['if'], 'down')
-        elif len(parts) == 9:
-            record['type'] = 'peer'
-            record['public-key'] = parts[1]
-            # intentially skip preshared-key, should not expose it
-            record['endpoint'] = parts[3]
-            record['allowed-ips'] = parts[4]
-            record['latest-handshake'] = int(parts[5]) if parts[5].isdigit() else 0
-            record['transfer-rx'] = int(parts[6]) if parts[6].isdigit() else 0
-            record['transfer-tx'] = int(parts[7]) if parts[7].isdigit() else 0
-            record['persistent-keepalive'] = parts[8]
-        else:
-            continue
-        result['records'].append(record)
-    result['status'] = 'ok'
-else:
-    result['status'] = 'failed'
-
-print(ujson.dumps(result))
diff --git a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf b/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
deleted file mode 100644
index 555afb2cd7..0000000000
--- a/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf
+++ /dev/null
@@ -1,54 +0,0 @@
-[start]
-command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
-parameters: start %s
-type:script
-message: start wireguard instance %s
-
-[stop]
-command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
-parameters: stop %s
-type:script
-message: stop wireguard instance %s
-
-[restart]
-command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
-parameters: restart %s
-type:script
-message: restart wireguard instance %s
-
-[configure]
-command:/usr/local/opnsense/scripts/Wireguard/wg-service-control.php
-parameters: -a configure %s
-type:script
-message: configure wireguard instances (%s)
-
-[renew]
-command:/usr/local/opnsense/scripts/Wireguard/reresolve-dns.py
-parameters:
-type:script
-message:Renew DNS for WireGuard
-description:Renew DNS for WireGuard on stale connections
-
-[gen_keypair]
-command:/usr/local/opnsense/scripts/Wireguard/gen_keypair.py
-parameters:
-type:script_output
-message:Generating WireGuard keypair
-
-[show]
-command:/usr/local/opnsense/scripts/Wireguard/wg_show.py
-parameters:
-type:script_output
-message:show WireGuard statistics [dump]
-
-[showconf]
-command:/usr/bin/wg show all
-parameters:
-type:script_output
-message:Show WireGuard config
-
-[showhandshake]
-command:/usr/bin/wg show all latest-handshakes
-parameters:
-type:script_output
-message:Show WireGuard handshakes
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf
deleted file mode 100644
index c3ec362d49..0000000000
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Syslog/local/wireguard.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-###################################################################
-# Local syslog-ng configuration filter definition [wireguard].
-###################################################################
-filter f_local_wireguard {
-    program("wireguard");
-};
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
deleted file mode 100644
index 655def7d10..0000000000
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/+TARGETS
+++ /dev/null
@@ -1,2 +0,0 @@
-wireguard:/etc/rc.conf.d/wireguard
-wireguard-server.conf:/usr/local/etc/wireguard/wg[OPNsense.wireguard.server.servers.server.%.instance].conf
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
deleted file mode 100644
index 40a3c2f453..0000000000
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard
+++ /dev/null
@@ -1,2 +0,0 @@
-# disable the wireguard rc scripts when installed, bootup handled via rc.syshook
-wireguard_enable="NO"
diff --git a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf b/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
deleted file mode 100644
index 3c78652de7..0000000000
--- a/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-{% if helpers.exists('OPNsense.wireguard.general.enabled') and OPNsense.wireguard.general.enabled == '1' %}
-{% if helpers.exists('OPNsense.wireguard.server.servers.server') %}
-{%   for server_list in helpers.toList('OPNsense.wireguard.server.servers.server') %}
-{%     if TARGET_FILTERS['OPNsense.wireguard.server.servers.server.' ~ loop.index0] or TARGET_FILTERS['OPNsense.wireguard.server.servers.server'] %}
-{%       if server_list.enabled == '1' %}
-####################################################
-# Interface settings, not used by `wg`             #
-# Only used for reference and detection of changes #
-# in the configuration                             #
-####################################################
-# Address =  {{server_list.tunneladdress|default('')}}
-# DNS = {{ server_list.dns|default('')}}
-# MTU = {{ server_list.mtu|default('') }}
-# disableroutes = {{server_list.disableroutes}}
-# gateway = {{server_list.gateway}}
-
-[Interface]
-PrivateKey = {{ server_list.privkey }}
-{%         if server_list.port|default('') != '' %}
-ListenPort = {{ server_list.port }}
-{%         endif %}
-{%         if server_list.peers|default('') != '' %}
-{%           for peerlist in server_list.peers.split(",") %}
-{%             set peerlist2_data = helpers.getUUID(peerlist) %}
-{%             if peerlist2_data != {} and peerlist2_data.enabled == '1' %}
-
-[Peer]
-# friendly_name = {{ peerlist2_data.name }}
-PublicKey = {{ peerlist2_data.pubkey }}
-{%               if peerlist2_data.psk|default('') != '' %}
-PresharedKey = {{ peerlist2_data.psk }}
-{%               endif %}
-{%               if peerlist2_data.serveraddress|default('') != '' %}
-Endpoint = {{ peerlist2_data.serveraddress }}{% if peerlist2_data.serverport|default('') != '' %}:{{ peerlist2_data.serverport }}{% else %}:51820{% endif %}
-{%               endif %}
-
-AllowedIPs = {{ peerlist2_data.tunneladdress }}
-{%               if peerlist2_data.keepalive|default('') != '' %}
-PersistentKeepalive = {{ peerlist2_data.keepalive }}
-{%               endif %}
-{%             endif %}
-{%           endfor %}
-{%         endif %}
-{%       endif %}
-{%     endif %}
-{%   endfor %}
-{% endif %}
-{% endif %}
diff --git a/net/wireguard/src/www/widgets/include/wireguard.inc b/net/wireguard/src/www/widgets/include/wireguard.inc
deleted file mode 100644
index f1bae7fe46..0000000000
--- a/net/wireguard/src/www/widgets/include/wireguard.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-<?php
-
-$wireguard_title = gettext('WireGuard');
-$wireguard_title_link = 'ui/wireguard/general';
diff --git a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php b/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
deleted file mode 100644
index a4927a8139..0000000000
--- a/net/wireguard/src/www/widgets/widgets/wireguard.widget.php
+++ /dev/null
@@ -1,95 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2020-2023 Deciso B.V.
- * Copyright (C) 2020 D. Domig
- * Copyright (C) 2022 Patrik Kernstock <patrik@kernstock.net>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-?>
-
-<table class="table table-striped table-condensed" id="wg-table">
-    <thead>
-        <tr>
-            <th><?= gettext("Instance") ?></th>
-            <th><?= gettext("Peer") ?></th>
-            <th><?= gettext("Public Key") ?></th>
-            <th><?= gettext("Latest Handshake") ?></th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot style="display: none;">
-        <tr>
-            <td colspan="4"><?= gettext("No WireGuard instance defined or enabled.") ?></td>
-        </tr>
-    </tfoot>
-</table>
-
-<style>
-    .psk_td {
-        max-width: 0;
-        overflow: hidden;
-        text-overflow: ellipsis;
-        white-space: nowrap;
-        cursor: pointer;
-        text-decoration: underline;
-    }
-</style>
-
-
-<script>
-$(window).on("load", function() {
-    function wgUpdateStatus()
-    {
-        ajaxGet("/api/wireguard/service/show", {}, function(data, status) {
-            let $target = $("#wg-table > tbody").empty();
-            if (data.rows !== undefined && data.rows.length > 0) {
-                $("#wg-table > tfoot").hide();
-                for (let i=0; data.rows.length > i; ++i) {
-                    let row = data.rows[i];
-                    let $tr = $("<tr/>");
-                    let ifname = row.ifname ? row.if + ' (' + row.ifname + ') ' : row.if;
-                    $tr.append($("<td>").append(ifname));
-                    $tr.append($("<td>").append(row.name));
-                    $tr.append($("<td class='psk_td'>").append(row['public-key']));
-                    let latest_handhake = '';
-                    if (row['latest-handshake']) {
-                        latest_handhake = moment.unix(row['latest-handshake']).local().format('YYYY-MM-DD HH:mm:ss');
-                    }
-                    $tr.append($("<td>").append(latest_handhake));
-                    $target.append($tr);
-                }
-                $(".psk_td").each(function(){
-                    $(this).tooltip({title: $(this).text(), container: 'body', trigger: 'hover'});
-                });
-            } else{
-                $("#wg-table > tfoot").show();
-            }
-            setTimeout(wgUpdateStatus, 10000);
-        });
-    };
-    wgUpdateStatus();
-});
-</script>
diff --git a/sysutils/api-backup/Makefile b/sysutils/api-backup/Makefile
deleted file mode 100644
index 759fd29cc3..0000000000
--- a/sysutils/api-backup/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-PLUGIN_NAME=		api-backup
-PLUGIN_VERSION=		1.1
-PLUGIN_OBSOLETE=	yes
-PLUGIN_COMMENT=		EoL, core endpoint is /api/core/backup/download/this
-PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
-
-.include "../../Mk/plugins.mk"
diff --git a/sysutils/api-backup/pkg-descr b/sysutils/api-backup/pkg-descr
deleted file mode 100644
index 2a2a1cfe6b..0000000000
--- a/sysutils/api-backup/pkg-descr
+++ /dev/null
@@ -1,12 +0,0 @@
-Provide the functionality to download the config.xml
-
-Plugin Changelog
-================
-
-1.1
-
-* add json download functionality
-
-1.0
-
-* initial release
diff --git a/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php b/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
deleted file mode 100644
index d23675582d..0000000000
--- a/sysutils/api-backup/src/opnsense/mvc/app/controllers/OPNsense/Backup/Api/BackupController.php
+++ /dev/null
@@ -1,90 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2023 Frank Wall
- * Copyright (C) 2018 Fabian Franz
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Backup\Api;
-
-use OPNsense\Base\ApiControllerBase;
-
-class BackupController extends ApiControllerBase
-{
-    const CONFIG_XML = '/conf/config.xml';
-
-    /**
-     * download system config
-     * @param string $format set to 'json' to get a base64 encoded config backup
-     * @return array|mixed
-     */
-    public function downloadAction($format = 'plain')
-    {
-        $data = file_get_contents(self::CONFIG_XML);
-        $status = $data === false ? 'error' : 'success';
-
-        if ($format == 'json') {
-            $response = array(
-              'status' => $status,
-              'filename' => 'config.xml',
-              'filetype' => 'application/xml',
-              'content' => base64_encode($data),
-            );
-            return $response;
-        } else {
-            $this->response->setStatusCode(200, "OK");
-            $this->response->setContentType('application/xml', 'UTF-8');
-            $this->response->setHeader("Content-Disposition", "attachment; filename=\"config.xml\"");
-            $data = file_get_contents(self::CONFIG_XML);
-            $this->response->setContent($data);
-        }
-    }
-
-    /**
-     * process API results, serialize return data to json.
-     * @param $dispatcher
-     * @return string json data
-     */
-    public function afterExecuteRoute($dispatcher)
-    {
-        // check if reponse headers are already set
-        if ($this->response->getHeaders()->get("Status") != null) {
-            // Headers already set, send unmodified response.
-        } else {
-            // process response, serialize to json object
-            $data = $dispatcher->getReturnedValue();
-            if (is_array($data)) {
-                $this->response->setContentType('application/json', 'UTF-8');
-                if ($this->isExternalClient()) {
-                    $this->response->setContent(json_encode($data));
-                } else {
-                    $this->response->setContent(htmlspecialchars(json_encode($data), ENT_NOQUOTES));
-                }
-            }
-        }
-
-        return $this->response->send();
-    }
-}
diff --git a/sysutils/api-backup/src/opnsense/mvc/app/models/OPNsense/Backup/ACL/ACL.xml b/sysutils/api-backup/src/opnsense/mvc/app/models/OPNsense/Backup/ACL/ACL.xml
deleted file mode 100644
index 2a1b837657..0000000000
--- a/sysutils/api-backup/src/opnsense/mvc/app/models/OPNsense/Backup/ACL/ACL.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<acl>
-  <page-Backup>
-    <name>Backup API</name>
-    <patterns>
-      <pattern>api/backup/*</pattern>
-    </patterns>
-  </page-Backup>
-</acl>

From e5427ce1ff637bf79ee79a3c76d2820e7dc058d8 Mon Sep 17 00:00:00 2001
From: bernhardfrenking <58109356+bernhardfrenking@users.noreply.github.com>
Date: Thu, 1 Feb 2024 13:01:24 +0100
Subject: [PATCH 1775/3088] dns/ddclient: fix dyndns domeneshop hostname
 parameter name (#3784)

---
 .../src/opnsense/scripts/ddclient/lib/account/domeneshop.py     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
index 3d51381c2a..621ec1ce76 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
@@ -56,7 +56,7 @@ def execute(self):
             hostnames = self.settings.get('hostnames')
 
             # DNS update request using the "IP update protocol"
-            url = f'https://api.domeneshop.no/v0/dyndns/update?hostnames={hostnames}&myip={str(self.current_address)}'
+            url = f'https://api.domeneshop.no/v0/dyndns/update?hostname={hostnames}&myip={str(self.current_address)}'
             req_opts = {
                 'url': url,
                 'auth': HTTPBasicAuth(self.settings.get('username'), self.settings.get('password')),

From 3c4c1b3d15294035c36ddb3f57aade2ae6710cc5 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 1 Feb 2024 13:38:54 +0100
Subject: [PATCH 1776/3088] net/haproxy: check cert OCSP data before enabling
 OCSP updates, refs #3779

---
 net/haproxy/pkg-descr                         |  2 ++
 .../scripts/OPNsense/HAProxy/exportCerts.php  | 28 +++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 667d5fc216..4f59e884f1 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -13,9 +13,11 @@ Added:
 
 Fixed:
 * SNI not working when automatic OCSP updates are enabled (#3779)
+* HAProxy error: has an OCSP URI but an error occurred (#3779)
 
 Changed:
 * prefer IPv4 results when resolving DNS names (#3779)
+* disable OCSP updates if cert contains no OCSP data (#3779)
 
 4.2
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 3eae885bb1..20b72fd3d3 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2016-2021 Frank Wall
+ * Copyright (C) 2016-2024 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * All rights reserved.
  *
@@ -37,6 +37,17 @@
 
 $export_path = '/tmp/haproxy/ssl/';
 
+function hasOcspInfo($cert_content)
+{
+    $cert_info = @openssl_x509_parse($cert_content);
+    if (!empty($cert_info['name'])) {
+        if (!empty($cert_info['extensions']) and !empty($cert_info['extensions']['authorityInfoAccess'])) {
+            return 1;
+        }
+    }
+    return 0;
+}
+
 // configure ssl elements
 $configNodes = [
     'frontends' => ['ssl_certificates', 'ssl_clientAuthCAs', 'ssl_clientAuthCRLs', 'ssl_default_certificate'],
@@ -68,6 +79,7 @@
                                 foreach ($configObj->$type as $cert) {
                                     if ($cert_refid == (string)$cert->refid) {
                                         $pem_content = '';
+                                        $ocsp_conf = '';
                                         // CRLs require special export
                                         if ($type == 'crl') {
                                             $crl =& lookup_crl($cert_refid);
@@ -75,6 +87,8 @@
                                         } else {
                                             $pem_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
                                             $pem_content .= "\n" . str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->prv)));
+                                            // Get OCSP status
+                                            $ocsp_conf = hasOcspInfo($pem_content) ? ' [ocsp-update on]' : '';
                                             // check if a CA is linked
                                             if (!empty((string)$cert->caref)) {
                                                 $cert = (array)$cert;
@@ -97,7 +111,7 @@
                                             echo "exported $type to " . $output_pem_filename . "\n";
                                             // Check if automatic OCSP updates are enabled.
                                             if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
-                                                $crtlist[] = $output_pem_filename . " [ocsp-update on]";
+                                                $crtlist[] = $output_pem_filename . $ocsp_conf;
                                             } else {
                                                 $crtlist[] = $output_pem_filename;
                                             }
@@ -125,9 +139,17 @@
                             // check if a default certificate is configured
                             if (($type == 'cert') and isset($child->ssl_default_certificate) and (string)$child->ssl_default_certificate != "") {
                                 $default_cert = (string)$child->ssl_default_certificate;
+                                // Get OCSP status
+                                $ocsp_conf = '';
+                                foreach ($configObj->cert as $cert) {
+                                    if ($default_cert == (string)$cert->refid) {
+                                        $pem_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
+                                        $ocsp_conf = hasOcspInfo($pem_content) ? ' [ocsp-update on]' : '';
+                                    }
+                                }
                                 // Check if automatic OCSP updates are enabled.
                                 if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
-                                    $default_cert_filename = $export_path . $default_cert . ".pem [ocsp-update on]";
+                                    $default_cert_filename = $export_path . $default_cert . ".pem" . $ocsp_conf;
                                 } else {
                                     $default_cert_filename = $export_path . $default_cert . ".pem";
                                 }

From 0942fa8e83a6131e38414790d6148a69ae013a89 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Sat, 3 Feb 2024 18:36:48 +0100
Subject: [PATCH 1777/3088] Fix path in menu (#3791)

---
 .../opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml
index 5cba07e348..4206975d64 100644
--- a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml
+++ b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/Menu/Menu.xml
@@ -1,7 +1,7 @@
 <menu>
     <Services>
-        <WebProxy>
+        <SquidWebProxy>
             <ProxySSO VisibleName="Single Sign-On" order="26" url="/ui/proxysso" />
-        </WebProxy>
+        </SquidWebProxy>
     </Services>
 </menu>

From 6c0f6d90495946d28ecfe82b560f91a0211c8ee8 Mon Sep 17 00:00:00 2001
From: 0nnyx <54419678+0nnyx@users.noreply.github.com>
Date: Sun, 4 Feb 2024 20:06:51 +0100
Subject: [PATCH 1778/3088] Update et-open-extra.xml (#3794)

---
 .../suricata/metadata/rules/et-open-extra.xml | 104 +++++++++---------
 1 file changed, 52 insertions(+), 52 deletions(-)

diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
index e421e8796f..16c75ae969 100644
--- a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -3,57 +3,57 @@
     <location url="https://rules.emergingthreats.net/open/suricata-7.0/emerging.rules.tar.gz" prefix="ET open"/>
     <version url="https://rules.emergingthreats.net/open/suricata-7.0/version.txt"/>
     <files>
-        <file description="3coresec" url="inline::rules/3coresec.rules">3coresec.rules</file>
-        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">botcc.portgrouped.rules</file>
-        <file description="botcc" url="inline::rules/botcc.rules">botcc.rules</file>
-        <file description="ciarmy" url="inline::rules/ciarmy.rules">ciarmy.rules</file>
-        <file description="compromised" url="inline::rules/compromised.rules">compromised.rules</file>
-        <file description="drop" url="inline::rules/drop.rules">drop.rules</file>
-        <file description="dshield" url="inline::rules/dshield.rules">dshield.rules</file>
-        <file description="emerging-activex" url="inline::rules/emerging-activex.rules">emerging-activex.rules</file>
-        <file description="emerging-adware_pup" url="inline::rules/emerging-adware_pup.rules">emerging-adware_pup.rules</file>
-        <file description="emerging-attack_response" url="inline::rules/emerging-attack_response.rules">emerging-attack_response.rules</file>
-        <file description="emerging-chat" url="inline::rules/emerging-chat.rules">emerging-chat.rules</file>
-        <file description="emerging-coinminer" url="inline::rules/emerging-coinminer.rules">emerging-coinminer.rules</file>
-        <file description="emerging-current_events" url="inline::rules/emerging-current_events.rules">emerging-current_events.rules</file>
-        <file description="emerging-deleted" url="inline::rules/emerging-deleted.rules">emerging-deleted.rules</file>
-        <file description="emerging-dns" url="inline::rules/emerging-dns.rules">emerging-dns.rules</file>
-        <file description="emerging-dos" url="inline::rules/emerging-dos.rules">emerging-dos.rules</file>
-        <file description="emerging-exploit" url="inline::rules/emerging-exploit.rules">emerging-exploit.rules</file>
-        <file description="emerging-exploit_kit" url="inline::rules/emerging-exploit_kit.rules">emerging-exploit_kit.rules</file>
-        <file description="emerging-ftp" url="inline::rules/emerging-ftp.rules">emerging-ftp.rules</file>
-        <file description="emerging-games" url="inline::rules/emerging-games.rules">emerging-games.rules</file>
-        <file description="emerging-hunting" url="inline::rules/emerging-hunting.rules">emerging-hunting.rules</file>
-        <file description="emerging-icmp" url="inline::rules/emerging-icmp.rules">emerging-icmp.rules</file>
-        <file description="emerging-icmp_info" url="inline::rules/emerging-icmp_info.rules">emerging-icmp_info.rules</file>
-        <file description="emerging-imap" url="inline::rules/emerging-imap.rules">emerging-imap.rules</file>
-        <file description="emerging-inappropriate" url="inline::rules/emerging-inappropriate.rules">emerging-inappropriate.rules</file>
-        <file description="emerging-info" url="inline::rules/emerging-info.rules">emerging-info.rules</file>
-        <file description="emerging-ja3" url="inline::rules/emerging-ja3.rules">emerging-ja3.rules</file>
-        <file description="emerging-malware" url="inline::rules/emerging-malware.rules">emerging-malware.rules</file>
-        <file description="emerging-misc" url="inline::rules/emerging-misc.rules">emerging-misc.rules</file>
-        <file description="emerging-mobile_malware" url="inline::rules/emerging-mobile_malware.rules">emerging-mobile_malware.rules</file>
-        <file description="emerging-netbios" url="inline::rules/emerging-netbios.rules">emerging-netbios.rules</file>
-        <file description="emerging-p2p" url="inline::rules/emerging-p2p.rules">emerging-p2p.rules</file>
-        <file description="emerging-phishing" url="inline::rules/emerging-phishing.rules">emerging-phishing.rules</file>
-        <file description="emerging-policy" url="inline::rules/emerging-policy.rules">emerging-policy.rules</file>
-        <file description="emerging-pop3" url="inline::rules/emerging-pop3.rules">emerging-pop3.rules</file>
-        <file description="emerging-rpc" url="inline::rules/emerging-rpc.rules">emerging-rpc.rules</file>
-        <file description="emerging-scada" url="inline::rules/emerging-scada.rules">emerging-scada.rules</file>
-        <file description="emerging-scan" url="inline::rules/emerging-scan.rules">emerging-scan.rules</file>
-        <file description="emerging-shellcode" url="inline::rules/emerging-shellcode.rules">emerging-shellcode.rules</file>
-        <file description="emerging-smtp" url="inline::rules/emerging-smtp.rules">emerging-smtp.rules</file>
-        <file description="emerging-snmp" url="inline::rules/emerging-snmp.rules">emerging-snmp.rules</file>
-        <file description="emerging-sql" url="inline::rules/emerging-sql.rules">emerging-sql.rules</file>
-        <file description="emerging-telnet" url="inline::rules/emerging-telnet.rules">emerging-telnet.rules</file>
-        <file description="emerging-tftp" url="inline::rules/emerging-tftp.rules">emerging-tftp.rules</file>
-        <file description="emerging-user_agents" url="inline::rules/emerging-user_agents.rules">emerging-user_agents.rules</file>
-        <file description="emerging-voip" url="inline::rules/emerging-voip.rules">emerging-voip.rules</file>
-        <file description="emerging-web_client" url="inline::rules/emerging-web_client.rules">emerging-web_client.rules</file>
-        <file description="emerging-web_server" url="inline::rules/emerging-web_server.rules">emerging-web_server.rules</file>
-        <file description="emerging-web_specific_apps" url="inline::rules/emerging-web_specific_apps.rules">emerging-web_specific_apps.rules</file>
-        <file description="emerging-worm" url="inline::rules/emerging-worm.rules">emerging-worm.rules</file>
-        <file description="tor" url="inline::rules/tor.rules">tor.rules</file>
-        <file description="threatview_CS_c2" url="inline::rules/threatview_CS_c2.rules">threatview_CS_c2.rules</file>
+        <file description="3coresec" url="inline::rules/3coresec.rules">et_open.3coresec.rules</file>
+        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">et_open-botcc.portgrouped.rules</file>
+        <file description="botcc" url="inline::rules/botcc.rules">et_open.botcc.rules</file>
+        <file description="ciarmy" url="inline::rules/ciarmy.rules">et_open.ciarmy.rules</file>
+        <file description="compromised" url="inline::rules/compromised.rules">et_open.compromised.rules</file>
+        <file description="drop" url="inline::rules/drop.rules">et_open.drop.rules</file>
+        <file description="dshield" url="inline::rules/dshield.rules">et_open.dshield.rules</file>
+        <file description="emerging-activex" url="inline::rules/emerging-activex.rules">et_open.emerging-activex.rules</file>
+        <file description="emerging-adware_pup" url="inline::rules/emerging-adware_pup.rules">et_open.emerging-adware_pup.rules</file>
+        <file description="emerging-attack_response" url="inline::rules/emerging-attack_response.rules">et_open.emerging-attack_response.rules</file>
+        <file description="emerging-chat" url="inline::rules/emerging-chat.rules">et_open.emerging-chat.rules</file>
+        <file description="emerging-coinminer" url="inline::rules/emerging-coinminer.rules">et_open.emerging-coinminer.rules</file>
+        <file description="emerging-current_events" url="inline::rules/emerging-current_events.rules">et_open.emerging-current_events.rules</file>
+        <file description="emerging-deleted" url="inline::rules/emerging-deleted.rules">et_open.emerging-deleted.rules</file>
+        <file description="emerging-dns" url="inline::rules/emerging-dns.rules">et_open.emerging-dns.rules</file>
+        <file description="emerging-dos" url="inline::rules/emerging-dos.rules">et_open.emerging-dos.rules</file>
+        <file description="emerging-exploit" url="inline::rules/emerging-exploit.rules">et_open.emerging-exploit.rules</file>
+        <file description="emerging-exploit_kit" url="inline::rules/emerging-exploit_kit.rules">et_open.emerging-exploit_kit.rules</file>
+        <file description="emerging-ftp" url="inline::rules/emerging-ftp.rules">et_open.emerging-ftp.rules</file>
+        <file description="emerging-games" url="inline::rules/emerging-games.rules">et_open.emerging-games.rules</file>
+        <file description="emerging-hunting" url="inline::rules/emerging-hunting.rules">et_open.emerging-hunting.rules</file>
+        <file description="emerging-icmp" url="inline::rules/emerging-icmp.rules">et_open.emerging-icmp.rules</file>
+        <file description="emerging-icmp_info" url="inline::rules/emerging-icmp_info.rules">et_open.emerging-icmp_info.rules</file>
+        <file description="emerging-imap" url="inline::rules/emerging-imap.rules">et_open.emerging-imap.rules</file>
+        <file description="emerging-inappropriate" url="inline::rules/emerging-inappropriate.rules">et_open.emerging-inappropriate.rules</file>
+        <file description="emerging-info" url="inline::rules/emerging-info.rules">et_open.emerging-info.rules</file>
+        <file description="emerging-ja3" url="inline::rules/emerging-ja3.rules">et_open.emerging-ja3.rules</file>
+        <file description="emerging-malware" url="inline::rules/emerging-malware.rules">et_open.emerging-malware.rules</file>
+        <file description="emerging-misc" url="inline::rules/emerging-misc.rules">et_open.emerging-misc.rules</file>
+        <file description="emerging-mobile_malware" url="inline::rules/emerging-mobile_malware.rules">et_open.emerging-mobile_malware.rules</file>
+        <file description="emerging-netbios" url="inline::rules/emerging-netbios.rules">et_open.emerging-netbios.rules</file>
+        <file description="emerging-p2p" url="inline::rules/emerging-p2p.rules">et_open.emerging-p2p.rules</file>
+        <file description="emerging-phishing" url="inline::rules/emerging-phishing.rules">et_open.emerging-phishing.rules</file>
+        <file description="emerging-policy" url="inline::rules/emerging-policy.rules">et_open.emerging-policy.rules</file>
+        <file description="emerging-pop3" url="inline::rules/emerging-pop3.rules">et_open.emerging-pop3.rules</file>
+        <file description="emerging-rpc" url="inline::rules/emerging-rpc.rules">et_open.emerging-rpc.rules</file>
+        <file description="emerging-scada" url="inline::rules/emerging-scada.rules">et_open.emerging-scada.rules</file>
+        <file description="emerging-scan" url="inline::rules/emerging-scan.rules">et_open.emerging-scan.rules</file>
+        <file description="emerging-shellcode" url="inline::rules/emerging-shellcode.rules">et_open.emerging-shellcode.rules</file>
+        <file description="emerging-smtp" url="inline::rules/emerging-smtp.rules">et_open.emerging-smtp.rules</file>
+        <file description="emerging-snmp" url="inline::rules/emerging-snmp.rules">et_open.emerging-snmp.rules</file>
+        <file description="emerging-sql" url="inline::rules/emerging-sql.rules">et_open.emerging-sql.rules</file>
+        <file description="emerging-telnet" url="inline::rules/emerging-telnet.rules">et_open.emerging-telnet.rules</file>
+        <file description="emerging-tftp" url="inline::rules/emerging-tftp.rules">et_open.emerging-tftp.rules</file>
+        <file description="emerging-user_agents" url="inline::rules/emerging-user_agents.rules">et_open.emerging-user_agents.rules</file>
+        <file description="emerging-voip" url="inline::rules/emerging-voip.rules">et_open.emerging-voip.rules</file>
+        <file description="emerging-web_client" url="inline::rules/emerging-web_client.rules">et_open.emerging-web_client.rules</file>
+        <file description="emerging-web_server" url="inline::rules/emerging-web_server.rules">et_open.emerging-web_server.rules</file>
+        <file description="emerging-web_specific_apps" url="inline::rules/emerging-web_specific_apps.rules">et_open.emerging-web_specific_apps.rules</file>
+        <file description="emerging-worm" url="inline::rules/emerging-worm.rules">et_open.emerging-worm.rules</file>
+        <file description="tor" url="inline::rules/tor.rules">et_open.tor.rules</file>
+        <file description="threatview_CS_c2" url="inline::rules/threatview_CS_c2.rules">et_open.threatview_CS_c2.rules</file>
     </files>
 </ruleset>

From 60d35cf8bce36b7dc5189257094b5bf2535efc11 Mon Sep 17 00:00:00 2001
From: 0nnyx <54419678+0nnyx@users.noreply.github.com>
Date: Mon, 5 Feb 2024 09:21:32 +0100
Subject: [PATCH 1779/3088] Update et-open-extra.xml (#3795)

Avoid duplicate 3coresec and threatview_CS_c2
Tested and working properly now :
	ET open/3coresec	not installed
	ET open/botcc	not installed
	ET open/botcc.portgrouped	not installed
	ET open/ciarmy	not installed
	ET open/compromised	not installed
	ET open/drop	not installed
	ET open/dshield	not installed
	ET open/emerging-activex	not installed
	ET open/emerging-adware_pup	not installed
	ET open/emerging-attack_response	not installed
	ET open/emerging-chat	not installed
	ET open/emerging-coinminer	not installed
	ET open/emerging-current_events	not installed
	ET open/emerging-deleted	not installed
	ET open/emerging-dns	not installed
	ET open/emerging-dos	not installed
	ET open/emerging-exploit	not installed
	ET open/emerging-exploit_kit	not installed
	ET open/emerging-ftp	not installed
	ET open/emerging-games	not installed
	ET open/emerging-hunting	not installed
	ET open/emerging-icmp	not installed
	ET open/emerging-icmp_info	not installed
	ET open/emerging-imap	not installed
	ET open/emerging-inappropriate	not installed
	ET open/emerging-info	not installed
	ET open/emerging-ja3	not installed
	ET open/emerging-malware	not installed
	ET open/emerging-misc	not installed
	ET open/emerging-mobile_malware	not installed
	ET open/emerging-netbios	not installed
	ET open/emerging-p2p	not installed
	ET open/emerging-phishing	not installed
	ET open/emerging-policy	not installed
	ET open/emerging-pop3	not installed
	ET open/emerging-rpc	not installed
	ET open/emerging-scada	not installed
	ET open/emerging-scan	not installed
	ET open/emerging-shellcode	not installed
	ET open/emerging-smtp	not installed
	ET open/emerging-snmp	not installed
	ET open/emerging-sql	not installed
	ET open/emerging-telnet	not installed
	ET open/emerging-tftp	not installed
	ET open/emerging-user_agents	not installed
	ET open/emerging-voip	not installed
	ET open/emerging-web_client	not installed
	ET open/emerging-web_server	not installed
	ET open/emerging-web_specific_apps	not installed
	ET open/emerging-worm	not installed
	ET open/threatview_CS_c2	not installed
	ET open/tor	not installed
---
 .../scripts/suricata/metadata/rules/et-open-extra.xml         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
index 16c75ae969..4c88989382 100644
--- a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -3,7 +3,7 @@
     <location url="https://rules.emergingthreats.net/open/suricata-7.0/emerging.rules.tar.gz" prefix="ET open"/>
     <version url="https://rules.emergingthreats.net/open/suricata-7.0/version.txt"/>
     <files>
-        <file description="3coresec" url="inline::rules/3coresec.rules">et_open.3coresec.rules</file>
+        <file description="3coresec" url="inline::rules/3coresec.rules">3coresec.rules</file>
         <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">et_open-botcc.portgrouped.rules</file>
         <file description="botcc" url="inline::rules/botcc.rules">et_open.botcc.rules</file>
         <file description="ciarmy" url="inline::rules/ciarmy.rules">et_open.ciarmy.rules</file>
@@ -54,6 +54,6 @@
         <file description="emerging-web_specific_apps" url="inline::rules/emerging-web_specific_apps.rules">et_open.emerging-web_specific_apps.rules</file>
         <file description="emerging-worm" url="inline::rules/emerging-worm.rules">et_open.emerging-worm.rules</file>
         <file description="tor" url="inline::rules/tor.rules">et_open.tor.rules</file>
-        <file description="threatview_CS_c2" url="inline::rules/threatview_CS_c2.rules">et_open.threatview_CS_c2.rules</file>
+        <file description="threatview_CS_c2" url="inline::rules/threatview_CS_c2.rules">threatview_CS_c2.rules</file>
     </files>
 </ruleset>

From 32fd9927a3ddd0811e3d056458200751ec35da37 Mon Sep 17 00:00:00 2001
From: mvmazijk <114065872+mvmazijk@users.noreply.github.com>
Date: Mon, 5 Feb 2024 17:33:16 +0100
Subject: [PATCH 1780/3088] Update et-telemetry.xml (#3797)

Fixed typo in emerging-botcc_portgrouped.rules
---
 .../opnsense/scripts/suricata/metadata/rules/et-telemetry.xml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml b/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
index cbccbfc01a..f221080542 100644
--- a/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
+++ b/security/etpro-telemetry/src/opnsense/scripts/suricata/metadata/rules/et-telemetry.xml
@@ -8,7 +8,6 @@
     <files>
         <file url="inline::rules/telemetry_sids.txt" required="true">telemetry_sids.txt</file>
         <file url="https://opnsense.emergingthreats.net/api/v1/ruleset/version" required="true">telemetry_version.json</file>
-        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">botcc.portgrouped.rules</file>
         <file description="botcc" url="inline::rules/botcc.rules">botcc.rules</file>
         <file description="ciarmy" url="inline::rules/ciarmy.rules">ciarmy.rules</file>
         <file description="compromised" url="inline::rules/compromised.rules">compromised.rules</file>
@@ -17,6 +16,7 @@
         <file description="emerging-activex" url="inline::rules/emerging-activex.rules">emerging-activex.rules</file>
         <file description="emerging-adware_pup" url="inline::rules/emerging-adware_pup.rules">emerging-adware_pup.rules</file>
         <file description="emerging-attack_response" url="inline::rules/emerging-attack_response.rules">emerging-attack_response.rules</file>
+        <file description="emerging-botcc_portgrouped" url="inline::rules/emerging-botcc_portgrouped.rules">emerging-botcc_portgrouped.rules</file>
         <file description="emerging-chat" url="inline::rules/emerging-chat.rules">emerging-chat.rules</file>
         <file description="emerging-coinminer" url="inline::rules/emerging-coinminer.rules">emerging-coinminer.rules</file>
         <file description="emerging-current_events" url="inline::rules/emerging-current_events.rules">emerging-current_events.rules</file>

From 8926790273ad4d316494d1f65fe7517799c77689 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Feb 2024 08:53:03 +0100
Subject: [PATCH 1781/3088] dns/ddclient: bump

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 4d766d71c7..6fc6309f5c 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.20
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From f1f5fbb20b37c556708e7b3c213f304c5f412288 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Feb 2024 08:55:50 +0100
Subject: [PATCH 1782/3088] www/web-proxy-sso: bump

---
 www/web-proxy-sso/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/web-proxy-sso/Makefile b/www/web-proxy-sso/Makefile
index 7eb73383aa..cbfbf3e00f 100644
--- a/www/web-proxy-sso/Makefile
+++ b/www/web-proxy-sso/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		web-proxy-sso
 PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Kerberos authentication module
 PLUGIN_DEPENDS=		msktutil cyrus-sasl-gssapi
 PLUGIN_MAINTAINER=	evbevz@gmail.com

From 88024301550a8babd96d42440fc71410f51c650a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Feb 2024 08:58:37 +0100
Subject: [PATCH 1783/3088] security/intrusion-detection-content-et-open: bump

---
 security/intrusion-detection-content-et-open/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/intrusion-detection-content-et-open/Makefile b/security/intrusion-detection-content-et-open/Makefile
index acf629bc8a..e3b185e588 100644
--- a/security/intrusion-detection-content-et-open/Makefile
+++ b/security/intrusion-detection-content-et-open/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		intrusion-detection-content-et-open
 PLUGIN_VERSION=		1.0.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		IDS Proofpoint full ET open ruleset complementary subset for ET Pro Telemetry edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://rules.emergingthreats.net/

From 5dcd95278fb5ad98672043d1da5c01c8dfbce13b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Feb 2024 08:59:57 +0100
Subject: [PATCH 1784/3088] security/etpro-telemetry: bump

---
 security/etpro-telemetry/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index a9bf88a2ab..2c8601a2c8 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From 8f256d38431e89bea171d28abd5b0f8ea5e47270 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Feb 2024 09:02:13 +0100
Subject: [PATCH 1785/3088] net/frr: wrap up next version

---
 net/frr/Makefile                                            | 2 +-
 net/frr/pkg-descr                                           | 4 ++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml    | 6 +++---
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 744d9dfebf..539fe923ee 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.38
+PLUGIN_VERSION=		1.39
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index a404283f78..ecd0b8e524 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.39
+
+* Add plain password authentication to OSPF
+
 1.38
 
 * Add "soft-reconfiguration inbound" neighbor option
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 333670a562..755d553c79 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -22,7 +22,7 @@
             <MaximumValue>4294967</MaximumValue>
             <ValidationMessage>Must be a number between 1 and 4294967.</ValidationMessage>
         </costreference>
-	<logadjacencychanges type="BooleanField">
+        <logadjacencychanges type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
         </logadjacencychanges>
@@ -149,7 +149,7 @@
                                 <default></default>
                                 <OptionValues>
                                         <message-digest>MD5</message-digest>
-					<plain>plain</plain>
+                                        <plain>plain</plain>
                                 </OptionValues>
                         </authtype>
                         <authkey type="TextField">
@@ -222,7 +222,7 @@
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
                         </priority>
-			<bfd type="BooleanField">
+                        <bfd type="BooleanField">
                                 <default>0</default>
                                 <Required>N</Required>
                         </bfd>

From 81a10d1b5eb928635b5617f24300c0e8a7462d61 Mon Sep 17 00:00:00 2001
From: mvmazijk <114065872+mvmazijk@users.noreply.github.com>
Date: Tue, 6 Feb 2024 21:29:08 +0100
Subject: [PATCH 1786/3088] Update et-open-extra.xml (#3802)

Because of the changes in #3797 the etpro-telemetry group botcc_portgrouped got renamed to "emerging-botcc_portgrouped".
This caused a double entry for
"ET open/botcc.portgrouped" when both the et-open and etpro-temetry ruleset are installed.

This PR fixes that double entry.
---
 .../opnsense/scripts/suricata/metadata/rules/et-open-extra.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
index 4c88989382..10c7a0f9ab 100644
--- a/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
+++ b/security/intrusion-detection-content-et-open/src/opnsense/scripts/suricata/metadata/rules/et-open-extra.xml
@@ -4,7 +4,7 @@
     <version url="https://rules.emergingthreats.net/open/suricata-7.0/version.txt"/>
     <files>
         <file description="3coresec" url="inline::rules/3coresec.rules">3coresec.rules</file>
-        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">et_open-botcc.portgrouped.rules</file>
+        <file description="botcc.portgrouped" url="inline::rules/botcc.portgrouped.rules">botcc.portgrouped.rules</file>
         <file description="botcc" url="inline::rules/botcc.rules">et_open.botcc.rules</file>
         <file description="ciarmy" url="inline::rules/ciarmy.rules">et_open.ciarmy.rules</file>
         <file description="compromised" url="inline::rules/compromised.rules">et_open.compromised.rules</file>

From 91633cc55643c9231bd4a950b6157ae338129636 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 7 Feb 2024 08:47:35 +0100
Subject: [PATCH 1787/3088] security/intrusion-detection-content-pt-open -
 remove deprecated ruleset. closes
 https://github.com/opnsense/plugins/issues/3803

---
 README.md                                              |  1 -
 security/intrusion-detection-content-pt-open/Makefile  |  8 --------
 security/intrusion-detection-content-pt-open/pkg-descr |  3 ---
 security/intrusion-detection-content-pt-open/pkg-plist |  9 ---------
 .../scripts/suricata/metadata/rules/pt-research.xml    | 10 ----------
 5 files changed, 31 deletions(-)
 delete mode 100644 security/intrusion-detection-content-pt-open/Makefile
 delete mode 100644 security/intrusion-detection-content-pt-open/pkg-descr
 delete mode 100644 security/intrusion-detection-content-pt-open/pkg-plist
 delete mode 100644 security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml

diff --git a/README.md b/README.md
index 0e8e71402b..1d3a70e882 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,6 @@ security/crowdsec -- Lightweight and collaborative security engine
 security/etpro-telemetry -- ET Pro Telemetry Edition
 security/intrusion-detection-content-et-open -- IDS Proofpoint full ET open ruleset complementary subset for ET Pro Telemetry edition
 security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (needs a valid subscription)
-security/intrusion-detection-content-pt-open -- IDS PT Research ruleset (only for non-commercial use)
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
 security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
diff --git a/security/intrusion-detection-content-pt-open/Makefile b/security/intrusion-detection-content-pt-open/Makefile
deleted file mode 100644
index 255baf5fe9..0000000000
--- a/security/intrusion-detection-content-pt-open/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-PLUGIN_NAME=		intrusion-detection-content-pt-open
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		IDS PT Research ruleset (only for non-commercial use)
-PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_WWW=		https://www.ptsecurity.com/ww-en/
-
-.include "../../Mk/plugins.mk"
diff --git a/security/intrusion-detection-content-pt-open/pkg-descr b/security/intrusion-detection-content-pt-open/pkg-descr
deleted file mode 100644
index 27eb4adcf5..0000000000
--- a/security/intrusion-detection-content-pt-open/pkg-descr
+++ /dev/null
@@ -1,3 +0,0 @@
-The Attack Detection Team searches for new vulnerabilities and 0-days,
-reproduces it and creates PoC exploits to understand how these security
-flaws work and how related attacks can be detected on the network layer.
diff --git a/security/intrusion-detection-content-pt-open/pkg-plist b/security/intrusion-detection-content-pt-open/pkg-plist
deleted file mode 100644
index 3091d0d167..0000000000
--- a/security/intrusion-detection-content-pt-open/pkg-plist
+++ /dev/null
@@ -1,9 +0,0 @@
-The Attack Detection Team searches for new vulnerabilities and 0-days,
-reproduces it and creates PoC exploits to understand how these security
-flaws work and how related attacks can be detected on the network layer.
-Additionally, we are interested in malware and hackers’ TTPs, so we
-develop Suricata rules for detecting all sorts of such activities.
-
-LICENSE: https://github.com/ptresearch/AttackDetection/blob/master/LICENSE
-
-WWW: https://github.com/ptresearch/AttackDetection/
diff --git a/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml b/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml
deleted file mode 100644
index 1e1b21b65f..0000000000
--- a/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0"?>
-<ruleset>
-    <location url="https://github.com/ptresearch/AttackDetection/raw/master/" prefix="Non-Free"/>
-    <files>
-        <file url="https://github.com/ptresearch/AttackDetection/raw/master/pt.rules.tar.gz"
-              description="PT Research ruleset"
-              documentation_url="https://github.com/ptresearch/AttackDetection"
-        >pt.research.rules</file>
-    </files>
-</ruleset>

From 84644d4ad824a8fea8bba4712d9949adc9af3d67 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 7 Feb 2024 10:45:08 +0100
Subject: [PATCH 1788/3088] security/acme-client: remove dead code, refs #3790

---
 security/acme-client/pkg-descr                                 | 3 +++
 .../mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php  | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 2a5039e661..2a4ab7279a 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,9 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+Fixed:
+* proc_open(): Argument #2 ($descriptor_spec) must be of type array
+
 4.0
 
 NOTE: This is a new major release with backwards-incompatible changes.
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index f85a23d14d..138d64d814 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -129,10 +129,9 @@ public function runAcme()
           . ' '
           . '--deploy '
           . implode(' ', $this->acme_args);
-        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
-        $proc = proc_open($acmecmd, $proc_desc, $proc_pipes, null, $proc_env);
 
         // Run acme.sh command
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
         $result = LeUtils::run_shell_command($acmecmd, $proc_env);
 
         // acme.sh records the last used deploy hook and would automatically

From 20b7e65bc83360e48add15f91688c317f0ddd992 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 7 Feb 2024 10:47:59 +0100
Subject: [PATCH 1789/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 2018025bf2..3bc52eb066 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.0
+PLUGIN_VERSION=		4.1
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 2a4ab7279a..45364147d1 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,8 +8,10 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.1
+
 Fixed:
-* proc_open(): Argument #2 ($descriptor_spec) must be of type array
+* automation does not start (#3790)
 
 4.0
 

From 1eec51a655c9804a3301d38496953ee21718012c Mon Sep 17 00:00:00 2001
From: Adrian Fedoreanu <phedoreanu@users.noreply.github.com>
Date: Wed, 7 Feb 2024 14:48:51 +0100
Subject: [PATCH 1790/3088] bugfix/fallback resolver dnscrypt deprecated
 (#3801)

---
 .../templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index 61260c00e3..bc5db4c935 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -89,7 +89,7 @@ tls_disable_session_tickets = true
 tls_disable_session_tickets = false
 {%   endif %}
 
-fallback_resolver = '{{ OPNsense.dnscryptproxy.general.fallback_resolver }}'
+bootstrap_resolvers = '{{ OPNsense.dnscryptproxy.general.fallback_resolver }}'
 
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.ignore_system_dns') and OPNsense.dnscryptproxy.general.ignore_system_dns == '1' %}
 ignore_system_dns = true

From 2dce81a09f19fe71d6d06c72409f5b6fcfb07c6e Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 8 Feb 2024 17:20:56 +0100
Subject: [PATCH 1791/3088] dns/dnscrypt-proxy: make plugin compatible with 2.1
 (#3810)

merged, thanks!
---
 dns/dnscrypt-proxy/Makefile                                   | 3 +--
 dns/dnscrypt-proxy/pkg-descr                                  | 4 ++++
 .../templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml      | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 42bf7e5446..8f93604abc 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.14
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.15
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index aec6d08b15..0c110e3490 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -5,6 +5,10 @@ such as DNSCrypt v2 and DNS-over-HTTPS.
 Plugin Changelog
 ================
 
+1.15
+
+* Update plugin for dnscrypt-proxy 2.1
+
 1.14
 
 * Fix display of the config with more than one disabled server in GUI (contributed by Evgeny Grin (karlson2k))
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index bc5db4c935..ce67f33cd2 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -89,7 +89,7 @@ tls_disable_session_tickets = true
 tls_disable_session_tickets = false
 {%   endif %}
 
-bootstrap_resolvers = '{{ OPNsense.dnscryptproxy.general.fallback_resolver }}'
+bootstrap_resolvers = ['{{ OPNsense.dnscryptproxy.general.fallback_resolver }}']
 
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.ignore_system_dns') and OPNsense.dnscryptproxy.general.ignore_system_dns == '1' %}
 ignore_system_dns = true

From 2689644b739474af57b76fc1da0f58d218e18ff2 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu, 8 Feb 2024 22:04:30 +0300
Subject: [PATCH 1792/3088] http/tlsapln libs typos

json_decode backend response before use;
strict type
---
 .../OPNsense/AcmeClient/LeValidation/HttpOpnsense.php     | 8 ++++----
 .../OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php      | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index c7a1672e34..7c133f44b0 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -50,7 +50,7 @@ public function prepare()
         $iplist = array();
 
         // Add IP addresses from auto-discovery feature
-        if ($this->config->http_opn_autodiscovery == 1) {
+        if ($this->config->http_opn_autodiscovery == '1') {
             $dnslist = explode(',', $this->cert_altnames);
             $dnslist[] = $this->cert_name;
             foreach ($dnslist as $fqdn) {
@@ -73,9 +73,9 @@ public function prepare()
         // Add IP address from chosen interface
         if (!empty((string)$this->config->http_opn_interface)) {
             $backend = new \OPNsense\Core\Backend();
-            $response = $backend->configdpRun('interface address', [(string)$this->config->http_opn_interface]);
-            if (!empty($response['address'])) {
-                $iplist[] = $response['address'];
+            $response = json_decode($backend->configdpRun('interface address', [(string)$this->config->http_opn_interface]));
+            if (!empty($response->address)) {
+                $iplist[] = $response->address;
             }
         }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index f849ffd405..d0fbbfd9c3 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -51,7 +51,7 @@ public function prepare()
         $iplist = array();
 
         // Add IP addresses from auto-discovery feature
-        if ($this->config->tlsalpn_acme_autodiscovery == 1) {
+        if ($this->config->tlsalpn_acme_autodiscovery == '1') {
             $dnslist = explode(',', $this->cert_altnames);
             $dnslist[] = $this->cert_name;
             foreach ($dnslist as $fqdn) {
@@ -74,9 +74,9 @@ public function prepare()
         // Add IP address from chosen interface
         if (!empty((string)$this->config->tlsalpn_acme_interface)) {
             $backend = new \OPNsense\Core\Backend();
-            $response = $backend->configdpRun('interface address', [(string)$this->config->tlsalpn_acme_interface]);
-            if (!empty($response['address'])) {
-                $iplist[] = $response['address'];
+            $response = json_decode($backend->configdpRun('interface address', [(string)$this->config->tlsalpn_acme_interface]));
+            if (!empty($response->address)) {
+                $iplist[] = $response->address;
             }
         }
 

From 50faea3476c08af113aeda014d738f4ced42f744 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 7 Feb 2024 22:06:41 +0100
Subject: [PATCH 1793/3088] dns/ddclient: add Netcup DNS API

Netcup is a German hosting provider who offers an API for DNS
manipulation which this plugin makes use of, see:
- Wiki: https://www.netcup-wiki.de/wiki/DNS_API
- Technical documentation: https://ccp.netcup.net/run/webservice/servers/endpoint.php
---
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |   2 +-
 .../scripts/ddclient/lib/account/netcup.py    | 185 ++++++++++++++++++
 2 files changed, 186 insertions(+), 1 deletion(-)
 create mode 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index f0e889a1c8..28d40b7e42 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -77,7 +77,7 @@
         <id>account.ttl</id>
         <label>TTL</label>
         <type>text</type>
-        <style>optional_setting service_aws</style>
+        <style>optional_setting service_aws service_netcup</style>
         <help>Time to Live for the DNS entry</help>
     </field>
     <field>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
new file mode 100755
index 0000000000..9260179a19
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
@@ -0,0 +1,185 @@
+"""
+    Copyright (c) 2023 Ingo Lafrenz <opnsense@der-ingo.de>
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+    ----------------------------------------------------------------------------------------------------
+    Netcup DNS provider, see https://ccp.netcup.net/run/webservice/servers/endpoint.php
+
+"""
+import syslog
+import requests
+from . import BaseAccount
+
+
+class Netcup(BaseAccount):
+    _services = ['netcup']
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+        self.settings['APIPassword'] = None
+        self.settings['APIKey'] = None
+        # min TTL set to 300
+        self.settings['ttl'] = max(int(self.settings['ttl']) if self.settings.get('ttl', '').isdigit() else 0, 300)
+
+
+    @staticmethod
+    def known_services():
+        return Netcup._services
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in Netcup._services
+
+    def execute(self):
+        if super().execute():
+            if self.settings['hostnames'].find(',') > -1:
+                self.settings['hostnames'] = self.settings['hostnames'].split(',')[0]
+                syslog.syslog(
+                    syslog.LOG_WARNING,
+                    "Multiple hostnames detected, ignoring all except first. "+
+                    "Consider using CNAMEs or create separate DynDNS instances for each hostname."
+                )
+            if self.settings['hostnames'].find('.') == -1:
+                syslog.syslog(syslog.LOG_ERR, "Incomplete FQDN offerred %s" % self.settings['hostnames'])
+                return False
+
+            self.hostname, self.domain = self.settings['hostnames'].split('.', 1)
+
+            if self.settings['password'].count(':') > 1:
+                if self.settings['password'].count('\\:') == 1:
+                    self.settings['APIPassword'], self.settings['APIKey'] = self.settings['password'].split('\\:')
+            elif self.settings['password'].count(':') == 1:
+                self.settings['APIPassword'], self.settings['APIKey'] = self.settings['password'].split(':')
+
+            if self.settings['APIPassword'] is None or self.settings['APIKey'] is None:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Unable to parse APIPassword:APIKey, when colons are used, make sure to escape the separator (\:)."
+                )
+                return False
+
+            self.netcupAPISessionID = self._login()
+            if not self.netcupAPISessionID:
+                return False
+            dnsZoneInfo = self._sendRequest(self._createRequestPayload('infoDnsZone'))
+            if not dnsZoneInfo:
+                return False
+            if str(self.settings['ttl']) != dnsZoneInfo['ttl']:
+                dnsZoneInfo['ttl'] = str(self.settings['ttl'])
+                self._sendRequest(self._createRequestPayload('updateDnsZone', {'dnszone': dnsZoneInfo}))
+            dnsRecordsInfo = self._sendRequest(self._createRequestPayload('infoDnsRecords'))
+            if not dnsRecordsInfo:
+                return False
+            recordType = 'AAAA' if ':' in self.current_address else 'A'
+            self._updateIpAddress(recordType, dnsRecordsInfo)
+            self._logout()
+            self.update_state(address=self.current_address)
+            return True
+
+    def _login(self):
+        requestPayload = {
+            'action': 'login',
+            'param': {
+                'customernumber': self.settings['username'],
+                'apikey': self.settings['APIKey'],
+                'apipassword': self.settings['APIPassword']
+            }
+        }
+        return self._sendRequest(requestPayload).get('apisessionid', None)
+
+    def _updateDnsRecords(self, hostRecord):
+        return self._sendRequest(
+            self._createRequestPayload(
+                'updateDnsRecords',
+                {'dnsrecordset': {'dnsrecords': [hostRecord]}}
+            )
+        )
+
+    def _logout(self):
+        requestPayload = {
+            'action': 'logout',
+            'param': {
+                'customernumber': self._account['username'],
+                'apikey': self.netcupAPIKey,
+                'apisessionid': self.netcupAPISessionID
+            }
+        }
+        return self._sendRequest(requestPayload)
+
+    def _updateIpAddress(self, recordType, dnsRecordsInfo):
+        matchingRecords = [
+            r for r in dnsRecordsInfo['dnsrecords'] if r['type'] == recordType and r['hostname'] == self.hostname
+        ]
+        if len(matchingRecords) > 1:
+            raise Exception(f'Too many {recordType} records for hostname {self.hostname} in DNS zone {self.domain}.')
+        if matchingRecords:
+            hostRecord = matchingRecords[0]
+        else:
+            hostRecord = {
+                'hostname': self.hostname,
+                'type': recordType,
+                'destination': None
+            }
+        currentNetcupIPAddress = hostRecord['destination']
+        if self.current_address != currentNetcupIPAddress:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                f'IP address change detected. Old IP: {currentNetcupIPAddress}, new IP: {self.current_address}'
+            )
+            hostRecord['destination'] = self.current_address
+            if self._updateDnsRecords(hostRecord):
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    f'Successfully updated {recordType} record for {self.hostname}.{self.domain} to {self.current_address}'
+                )
+        else:
+            syslog.syslog(syslog.LOG_NOTICE, 'IP address has not changed. Nothing to do.')
+
+    def _createRequestPayload(self, action, extraParameters={}):
+        requestPayload = {
+            'action': action,
+            'param': {
+                'domainname': self.domain,
+                'customernumber': self._account['username'],
+                'apikey': self.netcupAPIKey,
+                'apisessionid': self.netcupAPISessionID,
+            }
+        }
+        requestPayload['param'].update(extraParameters)
+        return requestPayload
+
+    def _sendRequest(self, payload):
+        req = requests.post(url='https://ccp.netcup.net/run/webservice/servers/endpoint.php?JSON', json=payload)
+        try:
+            resp = req.json()
+        except requests.exceptions.JSONDecodeError:
+            resp = {}
+        if resp.get('status', '') == 'success' and resp.get('responsedata', None):
+            return resp['responsedata']
+        else:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                f"{payload['action']} failed with status {resp['status']}. response: {resp}"
+            )
+            return {}

From 85d432ade2e9f3fa7d2023fa2426c87b3fcfc6db Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 8 Feb 2024 09:13:43 +0100
Subject: [PATCH 1794/3088] dns/ddclient - import netcup dns api additions
 discussed in https://github.com/opnsense/plugins/pull/3549

---
 .../src/opnsense/scripts/ddclient/lib/account/netcup.py   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
index 9260179a19..91e5ae1f9f 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
@@ -121,7 +121,7 @@ def _logout(self):
             'action': 'logout',
             'param': {
                 'customernumber': self._account['username'],
-                'apikey': self.netcupAPIKey,
+                'apikey': self.settings['APIKey'],
                 'apisessionid': self.netcupAPISessionID
             }
         }
@@ -162,7 +162,7 @@ def _createRequestPayload(self, action, extraParameters={}):
             'param': {
                 'domainname': self.domain,
                 'customernumber': self._account['username'],
-                'apikey': self.netcupAPIKey,
+                'apikey': self.settings['APIKey'],
                 'apisessionid': self.netcupAPISessionID,
             }
         }
@@ -175,8 +175,8 @@ def _sendRequest(self, payload):
             resp = req.json()
         except requests.exceptions.JSONDecodeError:
             resp = {}
-        if resp.get('status', '') == 'success' and resp.get('responsedata', None):
-            return resp['responsedata']
+        if resp.get('status', '') == 'success':
+            return resp.get('responsedata', {})
         else:
             syslog.syslog(
                 syslog.LOG_ERR,

From cab29219d7fb43bc77bbffd8224a8a2cddb59b22 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 11 Feb 2024 18:43:17 +0100
Subject: [PATCH 1795/3088] dns/ddclient - change netcup separator as discussed
  closes https://github.com/opnsense/plugins/pull/3549

---
 .../opnsense/scripts/ddclient/lib/account/netcup.py  | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
index 91e5ae1f9f..9bb775c1e1 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
@@ -66,17 +66,11 @@ def execute(self):
 
             self.hostname, self.domain = self.settings['hostnames'].split('.', 1)
 
-            if self.settings['password'].count(':') > 1:
-                if self.settings['password'].count('\\:') == 1:
-                    self.settings['APIPassword'], self.settings['APIKey'] = self.settings['password'].split('\\:')
-            elif self.settings['password'].count(':') == 1:
-                self.settings['APIPassword'], self.settings['APIKey'] = self.settings['password'].split(':')
+            if self.settings['password'].count('|') == 1:
+                self.settings['APIPassword'], self.settings['APIKey'] = self.settings['password'].split('|')
 
             if self.settings['APIPassword'] is None or self.settings['APIKey'] is None:
-                syslog.syslog(
-                    syslog.LOG_ERR,
-                    "Unable to parse APIPassword:APIKey, when colons are used, make sure to escape the separator (\:)."
-                )
+                syslog.syslog(syslog.LOG_ERR, "Unable to parse APIPassword|APIKey.")
                 return False
 
             self.netcupAPISessionID = self._login()

From a555133fd8c012a212b953b021065d68b7847919 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Feb 2024 07:06:54 +0100
Subject: [PATCH 1796/3088] dns/ddclient: new version

---
 LICENSE                | 1 +
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index f2a880a17d..c3a812e87f 100644
--- a/LICENSE
+++ b/LICENSE
@@ -24,6 +24,7 @@ Copyright (c) 2016-2024 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2023 Greg Glockner <greg@glockners.net>
 Copyright (c) 2024 Hasan Ucak <hasan@sunnyvalley.io>
+Copyright (c) 2023 Ingo Lafrenz <opnsense@der-ingo.de>
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021-2023 Jan Winkler
 Copyright (c) 2023 Jeremy Gutierrez
diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 6fc6309f5c..d6aaa06484 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.20
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.21
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index ef258de9c8..c15f9eb47f 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.21
+
+* Add Netcup support (contributed by Ingo Lafrenz)
+
 1.20
 
 * Add system parameter to native dyndns2 requesto (contributed by Jakub Gargul)

From a9ac58d7e44939a98b9bbb91d4aade827221480d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Feb 2024 07:08:49 +0100
Subject: [PATCH 1797/3088] security/intrusion-detection-content-et-open:
 revision bump

---
 security/intrusion-detection-content-et-open/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/intrusion-detection-content-et-open/Makefile b/security/intrusion-detection-content-et-open/Makefile
index e3b185e588..e71a634738 100644
--- a/security/intrusion-detection-content-et-open/Makefile
+++ b/security/intrusion-detection-content-et-open/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		intrusion-detection-content-et-open
 PLUGIN_VERSION=		1.0.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		IDS Proofpoint full ET open ruleset complementary subset for ET Pro Telemetry edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://rules.emergingthreats.net/

From c8a3470cda9ca7e160af962cf9b0a524cca4e05e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Feb 2024 07:10:21 +0100
Subject: [PATCH 1798/3088] dns/dnscrypt-proxy: small adjustment to changelog

---
 dns/dnscrypt-proxy/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 0c110e3490..90d55760d8 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -7,7 +7,7 @@ Plugin Changelog
 
 1.15
 
-* Update plugin for dnscrypt-proxy 2.1
+* Update plugin for dnscrypt-proxy 2.1 (contributed by Adrian Fedoreanu and Michael Muenz)
 
 1.14
 

From eca61b7d00fadecfc6cc5d2fc2e14e3cbec0c842 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 16 Feb 2024 08:29:20 +0100
Subject: [PATCH 1799/3088] net-mgmt/zabbix-proxy: remove zabbix4 variant due
 to EoL

---
 net-mgmt/zabbix-proxy/Makefile | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index e5776a01ed..a9cf15b2b8 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -3,7 +3,7 @@ PLUGIN_VERSION=		1.9
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix6 zabbix64 zabbix5 zabbix4
+PLUGIN_VARIANTS=	zabbix6 zabbix64 zabbix5
 
 zabbix64_NAME=		zabbix64-proxy
 zabbix64_DEPENDS=	zabbix64-proxy
@@ -14,7 +14,4 @@ zabbix6_DEPENDS=	zabbix6-proxy
 zabbix5_NAME=		zabbix5-proxy
 zabbix5_DEPENDS=	zabbix5-proxy
 
-zabbix4_NAME=		zabbix4-proxy
-zabbix4_DEPENDS=	zabbix4-proxy
-
 .include "../../Mk/plugins.mk"

From 79100ac003ef34e1e8228b63f0aca2e4cff0a58a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 19 Feb 2024 18:21:27 +0100
Subject: [PATCH 1800/3088] security/acme-client: update changelog, refs #3813

---
 security/acme-client/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 45364147d1..537abdbc8e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Fixed:
 * automation does not start (#3790)
+* bugfixes for HTTP-01 and TLS-ALPN-01 challenge types (#3813)
 
 4.0
 

From a19de553aa2d1760ec73b034c28734539d8e3ece Mon Sep 17 00:00:00 2001
From: lin-xianming <108489988+lin-xianming@users.noreply.github.com>
Date: Sun, 25 Feb 2024 05:05:30 -0500
Subject: [PATCH 1801/3088] ddclient: Cloudflare - update DNS record instead of
 overwriting (#3837)

Updating the record preserves proxied status, TTL, comment, and such.
---
 .../src/opnsense/scripts/ddclient/lib/account/cloudflare.py   | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
index 1fd15ada87..f5bd716bae 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
@@ -142,7 +142,6 @@ def execute(self):
                 return False
 
             record_id = payload['result'][0]['id']
-            proxied = payload['result'][0]['proxied']
             if self.is_verbose:
                 syslog.syslog(
                     syslog.LOG_NOTICE,
@@ -156,11 +155,10 @@ def execute(self):
                     'type': recordType,
                     'name': self.settings.get('hostnames'),
                     'content': str(self.current_address),
-                    'proxied': proxied
                 },
                 'headers': req_opts['headers']
             }
-            response = requests.put(**req_opts)
+            response = requests.patch(**req_opts)
             try:
                 payload = response.json()
             except requests.exceptions.JSONDecodeError:

From 808e7b542f24fce30f1efab306bf97d86b8e1007 Mon Sep 17 00:00:00 2001
From: Sohum <31165513+ssmendon@users.noreply.github.com>
Date: Mon, 26 Feb 2024 08:14:18 -0700
Subject: [PATCH 1802/3088] ddclient: Domeneshop - use '==' instead of 'is'
 (#3841)

Since Python 3.8, 'is' and 'is not' produce warnings when its
behavior is undefined by the language spec.

See: https://docs.python.org/3.8/whatsnew/3.8.html#changes-in-python-behavior
---
 .../src/opnsense/scripts/ddclient/lib/account/domeneshop.py   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
index 621ec1ce76..91bbe27f58 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/domeneshop.py
@@ -67,7 +67,7 @@ def execute(self):
             response = requests.get(**req_opts)
 
             # Parse response and update state and log
-            if response.status_code is 204:
+            if response.status_code == 204:
                 if self.is_verbose:
                     syslog.syslog(
                         syslog.LOG_NOTICE,
@@ -75,7 +75,7 @@ def execute(self):
                     )
                 self.update_state(address=self.current_address, status=response.text.split()[0] if response.text else '')
                 return True
-            elif response.status_code is 404:
+            elif response.status_code == 404:
                 syslog.syslog(
                     syslog.LOG_ERR,
                     "Account %s failed to set new ip %s [%d - %s], because %s could not be found" % (

From 4e835d15518d47015f99dc8a06ab4107f72a2a95 Mon Sep 17 00:00:00 2001
From: Cogan Ng Jun Lin <32700815+Comstepr@users.noreply.github.com>
Date: Tue, 27 Feb 2024 19:39:29 +0800
Subject: [PATCH 1803/3088] net/frr: set multihop value to 255 (#3829)

---
 .../src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 0592986bcf..ef975a7f3c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -82,7 +82,7 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
  neighbor {{ neighbor.address }} interface {{ physical_interface(neighbor.linklocalinterface) }}
 {%         endif %}
 {%         if 'multihop' in neighbor and neighbor.multihop == '1' %}
- neighbor {{ neighbor.address }} ebgp-multihop
+ neighbor {{ neighbor.address }} ebgp-multihop 255
 {%         endif %}
 {%         if 'keepalive' in neighbor and neighbor.keepalive != '' %}
 {%           if 'holddown' in neighbor and neighbor.holddown != '' %}

From 9ec4d831405ecfb2147b27f22a0322fd040e1f19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Tue, 27 Feb 2024 13:48:20 +0100
Subject: [PATCH 1804/3088] ACME Command Button fix (#3843)

ACME Command Button fix and some other little fixes
---
 misc/theme-cicada/Makefile                            |  3 +--
 .../www/themes/cicada/assets/stylesheets/main.scss    | 11 +++--------
 .../src/opnsense/www/themes/cicada/build/css/main.css | 11 +++--------
 misc/theme-rebellion/Makefile                         |  2 +-
 .../www/themes/rebellion/assets/stylesheets/main.scss |  2 +-
 .../opnsense/www/themes/rebellion/build/css/main.css  |  2 +-
 6 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index b6755843b9..41211e3486 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.35
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index 0d42c65b12..a95348ce0b 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -5256,7 +5256,7 @@ fieldset[disabled] .btn-link {
 }
 
 .btn-xs, .btn-group-xs > .btn {
-  padding: 1px 5px;
+  padding: 1px 4px;
   font-size: 12px;
   line-height: 1.5;
   border-radius: 3px;
@@ -8530,13 +8530,13 @@ button.close {
   position: relative;
   width: auto;
   margin: 62px 10px 10px 10px;
-  border: 1px solid #303030;
+  border: none;
 }
 
 .modal-content {
   position: relative;
   background-color: #383838;
-  border: 1px solid #191919;
+  border: none;
   border-radius: 3px;
   -webkit-box-shadow: 0 5px 15px rgb(30, 30, 30);
   box-shadow: 0 5px 15px rgb(5, 5, 5);
@@ -10582,11 +10582,6 @@ label.btn.au-target {
   color: #EAC80A !important;
 }
 
-.btn-secondary {
-  background-color: #262626 !important;
-  border-color: #191919 !important;
-}
-
 .disabled {
   color: #bfbfbf !important;
 }
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 842b9ada4e..de7b81b29e 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -3100,7 +3100,7 @@ select[multiple].input-lg,
   border-radius: 3px; }
 
 .btn-xs, .btn-group-xs > .btn {
-  padding: 1px 5px;
+  padding: 1px 4px;
   font-size: 12px;
   line-height: 1.5;
   border-radius: 3px; }
@@ -5038,12 +5038,12 @@ button.close {
   position: relative;
   width: auto;
   margin: 62px 10px 10px 10px;
-  border: 1px solid #303030;}
+  border: none;}
 
 .modal-content {
   position: relative;
   background-color: #383838;
-  border: 1px solid #191919;
+  border: none;
   border-radius: 3px;
   -webkit-box-shadow: 0 5px 15px rgb(30, 30, 30);
   box-shadow: 0 5px 15px rgb(5, 5, 5);
@@ -6559,11 +6559,6 @@ label.btn.au-target {
   color: #EAC80A !important;
 }
 
-.btn-secondary {
-  background-color:#262626 !important;
-  border-color: #191919 !important;
-}
-
 .disabled {
   color: #bfbfbf !important;
 }
diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 859aeb249a..848931e2b5 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.8.9
+PLUGIN_VERSION=		1.8.10
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
index 58bc450832..02f5ee6612 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/assets/stylesheets/main.scss
@@ -4925,7 +4925,7 @@ fieldset[disabled] .btn-link {
 }
 
 .btn-xs, .btn-group-xs > .btn {
-  padding: 1px 5px;
+  padding: 1px 4px;
   font-size: 12px;
   line-height: 1.5;
   border-radius: 3px;
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
index 340427f840..90ee518d4d 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
@@ -3248,7 +3248,7 @@ fieldset[disabled] .btn-link:hover, fieldset[disabled] .btn-link:focus {
   border-radius: 3px; }
 
 .btn-xs, .btn-group-xs > .btn {
-  padding: 1px 5px;
+  padding: 1px 4px;
   font-size: 12px;
   line-height: 1.5;
   border-radius: 3px; }

From e6ceff0fe134ff17d2ed9f7f5731f4ec8664b16a Mon Sep 17 00:00:00 2001
From: Joachim Friberg <friberg.joachim@gmail.com>
Date: Tue, 27 Feb 2024 16:45:36 +0100
Subject: [PATCH 1805/3088] dns/bind: allow RNDC key updates (#3830)

---
 dns/bind/Makefile                                            | 2 +-
 dns/bind/pkg-descr                                           | 4 ++++
 .../OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml      | 5 +++++
 .../src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml     | 4 ++++
 dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh         | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf  | 5 +++++
 6 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 773381a4c8..c7dbfdf425 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.29
+PLUGIN_VERSION=		1.30
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 160e424f59..fc882fdcde 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.30
+
+* Add ability for RNDC key updates from other nameservers
+
 1.29
 
 * Migrate General Log to Syslog
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
index f22169f61e..143c95d276 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
@@ -23,6 +23,11 @@
         <type>select_multiple</type>
         <help>Define the ACLs where you allow which client are allowed to query this zone.</help>
     </field>
+    <id>domain.allowrndcupdate</id>  
+        <label>Allow RDNC key update</label> 
+        <type>checkbox</type>        
+        <help>Allow updates via the RDNC key named "rndc-key". The key is shown in the general tab.</help>
+    </field>  
     <field>
         <id>domain.ttl</id>
         <label>TTL</label>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 7d89d9e16c..e6ea2505d0 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -72,6 +72,10 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowquery>
+                <allowrndcupdate type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </allowrndcupdate>
                 <serial type="TextField">
                     <Required>N</Required>
                 </serial>
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh
index e46b77b4bd..47a5e15497 100755
--- a/dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh
@@ -15,3 +15,7 @@ chmod 755 /var/stats
 mkdir -p /var/log/named
 chown -R bind:bind /var/log/named
 chmod 755 /var/log/named
+
+mkdir -p /usr/local/etc/namedb/primary
+chown -R bind:bind /usr/local/etc/namedb/primary
+chmod 755 /usr/local/etc/namedb/primary
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index d6cf8515c9..b0de3585d2 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -180,6 +180,11 @@ zone "{{ domain.domainname }}" {
 {%              endfor %}
         };
 {%      endif %}
+{%      if domain.allowrndcupdate is defined and domain.allowrndc == "1" %}
+        update-policy {
+		grant rndc-key zonesub ANY;
+        };
+{%      endif %}
 };
 {%       if domain.type == 'secondary' and domain.transferkey is defined and not(domain.transferkeyname in usedkeys) %}
 {%         do usedkeys.append(domain.transferkeyname) %}

From aeade543b61751f47fef7769211a6722807f2716 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Feb 2024 16:47:55 +0100
Subject: [PATCH 1806/3088] dns/bind: fold this into a single loop

---
 .../opnsense/scripts/OPNsense/Bind/setup.sh   | 24 ++++---------------
 1 file changed, 5 insertions(+), 19 deletions(-)

diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh
index 47a5e15497..64b2fd7083 100755
--- a/dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/setup.sh
@@ -1,21 +1,7 @@
 #!/bin/sh
 
-mkdir -p /var/run/named
-chown -R bind:bind /var/run/named
-chmod 755 /var/run/named
-
-mkdir -p /var/dump
-chown -R bind:bind /var/dump
-chmod 755 /var/dump
-
-mkdir -p /var/stats
-chown -R bind:bind /var/stats
-chmod 755 /var/stats
-
-mkdir -p /var/log/named
-chown -R bind:bind /var/log/named
-chmod 755 /var/log/named
-
-mkdir -p /usr/local/etc/namedb/primary
-chown -R bind:bind /usr/local/etc/namedb/primary
-chmod 755 /usr/local/etc/namedb/primary
+for DIR in /var/run/named /var/dump /var/stats /var/log/named /usr/local/etc/namedb/primary; do
+	mkdir -p ${DIR}
+	chown -R bind:bind ${DIR}
+	chmod 755 ${DIR}
+done

From 643f5de0875e5ea878e6f80e8fcca30fc1c93e9a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Feb 2024 16:53:23 +0100
Subject: [PATCH 1807/3088] dns/bind: fix XML

---
 .../OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml  | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
index 143c95d276..3a296f636d 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
@@ -23,11 +23,12 @@
         <type>select_multiple</type>
         <help>Define the ACLs where you allow which client are allowed to query this zone.</help>
     </field>
-    <id>domain.allowrndcupdate</id>  
-        <label>Allow RDNC key update</label> 
-        <type>checkbox</type>        
+    <field>
+        <id>domain.allowrndcupdate</id>
+        <label>Allow RDNC key update</label>
+        <type>checkbox</type>
         <help>Allow updates via the RDNC key named "rndc-key". The key is shown in the general tab.</help>
-    </field>  
+    </field>
     <field>
         <id>domain.ttl</id>
         <label>TTL</label>

From 0c9f53b94286aeade3984b3b0941e18dfa50dc91 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Mar 2024 17:23:56 +0100
Subject: [PATCH 1808/3088] net/frr: bump revision for change

---
 net/frr/Makefile  | 1 +
 net/frr/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 539fe923ee..dc4543e128 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.39
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index ecd0b8e524..78f2520ca4 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 1.39
 
 * Add plain password authentication to OSPF
+* Set multihop value to 255 (contributed by Cogan Ng Jun Lin)
 
 1.38
 

From 5801da41d763552965ae9b067f262d2a17c924a3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Mar 2024 17:32:53 +0100
Subject: [PATCH 1809/3088] dns/ddclient: new version

---
 dns/ddclient/Makefile  | 1 +
 dns/ddclient/pkg-descr | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index d6aaa06484..9bb1936a3a 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.21
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index c15f9eb47f..7ca2b5b793 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,8 @@ Plugin Changelog
 1.21
 
 * Add Netcup support (contributed by Ingo Lafrenz)
+* Use '==' instead of 'is' in Domeneshop Python support (contributed by ssmendon)
+* Update DNS record instead of overwriting in Cloudflare Python support (contributed by lin-xianming)
 
 1.20
 

From 67fb503a710712260f67407e705bd981866c24d8 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 8 Mar 2024 12:52:21 +0100
Subject: [PATCH 1810/3088] www/caddy: include os-caddy into OPNsense plugins
 (#3840)

---
 www/caddy/Makefile                            |   8 +
 www/caddy/README.md                           | 205 +++++++
 www/caddy/pkg-descr                           |  40 ++
 www/caddy/src/etc/inc/plugins.inc.d/caddy.inc |  64 ++
 www/caddy/src/etc/syslog-ng.conf.d/caddy.conf |  48 ++
 .../OPNsense/Caddy/Api/GeneralController.php  |  41 ++
 .../Caddy/Api/ReverseProxyController.php      | 215 +++++++
 .../OPNsense/Caddy/Api/ServiceController.php  |  67 ++
 .../OPNsense/Caddy/GeneralController.php      |  47 ++
 .../OPNsense/Caddy/ReverseProxyController.php |  45 ++
 .../OPNsense/Caddy/forms/dialogAccessList.xml |  28 +
 .../OPNsense/Caddy/forms/dialogBasicAuth.xml  |  20 +
 .../OPNsense/Caddy/forms/dialogHandle.xml     |  91 +++
 .../Caddy/forms/dialogReverseProxy.xml        |  71 +++
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |  57 ++
 .../OPNsense/Caddy/forms/dnsprovider.xml      |  63 ++
 .../OPNsense/Caddy/forms/dynamicdns.xml       |  34 ++
 .../OPNsense/Caddy/forms/general.xml          |  33 +
 .../OPNsense/Caddy/forms/logsettings.xml      |  23 +
 .../mvc/app/models/OPNsense/Caddy/ACL/ACL.xml |  18 +
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 160 +++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 330 ++++++++++
 .../app/models/OPNsense/Caddy/Menu/Menu.xml   |   9 +
 .../OPNsense/Caddy/Migrations/M1_1_3.php      |  80 +++
 .../mvc/app/views/OPNsense/Caddy/general.volt | 194 ++++++
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 351 +++++++++++
 .../scripts/OPNsense/Caddy/caddy_certs.php    |  86 +++
 .../scripts/OPNsense/Caddy/caddy_control.py   |  80 +++
 .../opnsense/scripts/OPNsense/Caddy/setup.sh  |  38 ++
 .../service/conf/actions.d/actions_caddy.conf |  29 +
 .../service/templates/OPNsense/Caddy/+TARGETS |   2 +
 .../templates/OPNsense/Caddy/Caddyfile        | 573 ++++++++++++++++++
 .../templates/OPNsense/Caddy/rc.conf.d/caddy  |  13 +
 33 files changed, 3163 insertions(+)
 create mode 100644 www/caddy/Makefile
 create mode 100644 www/caddy/README.md
 create mode 100644 www/caddy/pkg-descr
 create mode 100644 www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
 create mode 100644 www/caddy/src/etc/syslog-ng.conf.d/caddy.conf
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/GeneralController.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
 create mode 100644 www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
 create mode 100644 www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
 create mode 100755 www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
 create mode 100755 www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
 create mode 100755 www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
 create mode 100644 www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
 create mode 100644 www/caddy/src/opnsense/service/templates/OPNsense/Caddy/+TARGETS
 create mode 100644 www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
 create mode 100644 www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
new file mode 100644
index 0000000000..31f2035bdd
--- /dev/null
+++ b/www/caddy/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=            caddy
+PLUGIN_VERSION=         1.5.1
+PLUGIN_REVISION=        2
+PLUGIN_DEPENDS=         caddy-custom
+PLUGIN_COMMENT=         Easy to configure Reverse Proxy based on Caddy with Automatic HTTPS and Dynamic DNS	 
+PLUGIN_MAINTAINER=      cedrik@pischem.com
+
+.include "../../Mk/plugins.mk"
diff --git a/www/caddy/README.md b/www/caddy/README.md
new file mode 100644
index 0000000000..a1ba325cb5
--- /dev/null
+++ b/www/caddy/README.md
@@ -0,0 +1,205 @@
+# Caddy Plugin for OPNsense
+
+- This project provides a simple yet powerful plugin for [OPNsense](https://github.com/opnsense) to enable support for [Caddy](https://github.com/caddyserver/caddy).
+- The scope is the reverse proxy features.
+- The main goal is an easy to configure plugin. Most options that aren't generally needed are hidden behind the advanced mode for this reason.
+- The feature set is complete for now.
+
+## Main Features
+
+- Modern and fast Reverse Proxy based on [Caddy](https://caddyserver.com/)
+- Automatic Let's Encrypt and ZeroSSL Certificates without configuration with HTTP-01 and TLS-ALPN-01
+- ACME DNS-01 challenge with configuration (requires supported DNS Provider)
+- Dynamic DNS (DynDns) with configuration (requires supported DNS Provider)
+- Supported DNS Providers in GUI: ```cloudflare, duckdns, digitalocean, dnspod, hetzner, godaddy, gandi, ionos, desec, porkbun, route53, acmedns, alidns, googleclouddns, azure, openstack-designate, ovh, namecheap, netlify, namesilo, powerdns, vercel, ddnss, njalla, metaname, linode, tencentcloud, dinahosting, hexonet, mailinabox```
+- Use custom certificates from OPNsense certificate store
+- Normal domains, wildcard domains and subdomains
+- Access Lists to restrict access based on static networks
+- Basic Auth to restrict access by username and password
+- Syslog-ng integration and HTTP Access Log
+- NTLM Transport for Exchange Server
+
+## License
+
+- This project is licensed under the BSD 2-Clause "Simplified" license. See the LICENSE file for details. 
+- Caddy is licensed under the Apache License, Version 2.0. 
+- OPNsense is licensed under the BSD 2-Clause “Simplified” license.
+
+## Acknowledgments
+
+- Thanks to the Caddy community/developers for creating a fantastic open source web server.
+- Thanks to the OPNsense community/developers for creating a powerful and flexible open source firewall and routing platform.
+- Additional big **Thank You** in no particular order: [AdShellevis](https://github.com/Adschellevis), [mimugmail](https://forum.opnsense.org/index.php?action=profile;u=15464), [gspannu](https://github.com/gspannu), [francislavoie](https://caddy.community/u/francislavoie/summary), [matt](https://caddy.community/u/matt/summary), [fichtner](https://github.com/fichtner)
+
+# How to install
+
+- Install "os-caddy" from the OPNsense Plugins.
+
+## Prepare Caddy for use after the installation
+
+**Attention**, additional preparation of OPNsense needed:
+- Make sure that port `80` and `443` aren't occupied. You have to change the default listen port to `8443` for example. Go to `System: Settings: Administration` to change the `TCP Port`. Then also enable `HTTP Redirect - Disable web GUI redirect rule`. 
+- If you have other reverse proxy or webserver plugins installed, make sure they don't use the same ports as Caddy
+- Create Firewall rules that allow 80 and 443 TCP to "This Firewall" on WAN and (optionally) LAN, OPT1 etc...
+- There is a lot of input validation. If you read all the hints, help texts and error messages, its unlikely that you create a configuration that won't work.
+- **Attention**: If you use this in HA (High Availability), only use your own custom certificates. Caddy needs a shared storage for the ACME challenges to work on two or more firewalls in HA at the same time. This is out of scope, since offering shared storage on firewalls where one can potentially fail, would leave the other without storage for Caddy to work with.
+
+# Available Settings in "Services - Caddy Web Server"
+**Please note that some options are hidden in advanced mode.**
+## General Settings - General
+- `Enable` or `disable` Caddy
+- `ACME Email`: e.g. `info@example.com`, it's optional.
+- `Auto HTTPS`: `On (default)` creates automatic Let's Encrypt Certificates for all Domains that don't have more specific options set, like custom certificates.
+- `Trusted Proxies`: Leave empty if you don't use a CDN in front of your OPNsense. If you use Cloudflare or another CDN provider, create an access list with the IP addresses of that CDN and add it here. Add the same Access List to the domain this CDN tries to reach.
+- `Abort Connections`: This option, when enabled, aborts all connections to the Reverse Proxy Domain that don't match any specified handler or access list. This setting doesn't affect Let's Encrypt's ability to issue certificates, ensuring secure connections regardless of the option's status. If unchecked, the Reverse Proxy Domain remains accessible even without a matching handler, allowing for connectivity and certificate checks, even in the absence of a configured Backend Server. When using Access Lists, enabling this option is recommended to reject unauthorized connections outright. Without this option, unmatched IP addresses will encounter an empty page instead of an explicit rejection, though the Access Lists continue to function and restrict access.
+
+## General Settings - DNS Provider
+- `DNS Provider`: Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is optional, since certificates will be requested from Let's Encrypt via HTTP-01 or TLS-ALPN-01 Challenge when this option is unset. You mostly need this for Wildcard Certificates, and for Dynamic DNS. To use the DNS-01 Challenge and Dynamic DNS, enable the checkbox in a Reverse Proxy Domain or Subdomain. For more information: https://github.com/caddy-dns
+- `DNS API Standard Field`: This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", DNSPod "auth_token", Hetzner "api_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Namesilo "api_token", Njalla "api_token", Vercel "api_token",  Google Cloud DNS "gcp_project", Alidns "access_key_id", Azure "tenant_id", OpenStack Designate "region_name", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Metaname "api_key", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url".
+- `DNS API Additional Field 1`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Alidns "access_key_secret", Azure "client_id", OpenStack Designate "tenant_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Metaname "account_reference", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address".
+- `DNS API Additional Field 2`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OpenStack Designate "identity_api_version", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password".
+- `DNS API Additional Field 3`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OpenStack Designate "password", OVH "consumer_key", Namecheap "client_ip", DDNS "password".
+- `DNS API Additional Field 4`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name", OpenStack Designate "username".
+- `DNS API Additional Field 5`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "token", OpenStack Designate "tenant_name".
+- `DNS API Additional Field 6`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: OpenStack Designate "auth_url".
+- `DNS API Additional Field 7`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: OpenStack Designate "endpoint_type".
+
+## General Settings - Dynamic DNS
+- `DynDns Check Http`: Optionally, enter an URL to test the current IP address of the firewall via HTTP procotol. Generally, this is not needed. Caddy uses default providers to test the current IP addresses. If you rather use your own, enter the https:// link to an IP address testing website.
+- `DynDns Check Interface`: Optionally, select an interface to extract the current IP address of the firewall. Attention, all IP addresses will be read from this interface. Only choose this option if you know the implications.
+- `DynDns Check Interval`: Interval to poll for changes of the IP address. The default is 5 minutes. Can be a number between 1 to 1440 minutes. 
+- `DynDns IP Version`: Leave on None to set IPv4 A-Records and IPv6 AAAA-Records. Select "Ipv4 only" for setting A-Records. Select "IPv6 only" for setting AAAA-Records.
+- `DynDns TTL`: Set the TTL (time to live) for DNS Records. The default is 1 hour. Can be a number between 1 to 24 hours.
+
+## General Settings - Log Settings
+- `Log Credentials`: Log all Cookies and Authorization in HTTP request logging. Use combined with HTTP Access Log in the Reverse Proxy Domain. Enable this option only for troubleshooting.
+- `Log Access in Plain Format`: Don't send HTTP(S) access logs to the central OPNsense logging facility but save them in plain Caddy JSON format in a subdirectory instead. Only effective for Reverse Proxy Domains that have HTTP Access Log enabled. The feature is intended to have access log files processed by e.g. CrowdSec. They can be found in `/var/log/caddy/access`.
+- `Keep Plain Access Logs for (days)`: How many days until the plain format log files are deleted.
+
+## Reverse Proxy - Domains
+- Press `+` to create a new Reverse Proxy Domain
+- `Enable` this new entry
+- `Reverse Proxy Domain`: Can either be a domain name or an IP address. If a domain name is chosen, Caddy will automatically try to get an ACME certificate, and the header will be automatically passed to the Server in the backend.
+- `Reverse Proxy Port`: Should be the port the OPNsense will listen on. Don't forget to create Firewall rules that allow traffic to this port on `WAN` or `LAN` to `This Firewall`. You can leave this empty if you want to use the default ports of Caddy (`80` and `443`) with automatic redirection from HTTP to HTTPS.
+- `Access List`: Restrict the access to this domain to a list of IP addresses you define in the `Access` Tab. This doesn't influence the Let's Encrypt certificate generation, so you can be as restrictive as you want here.
+- `Basic Auth`: Restrict the access to this domain to one or multiple users you define in the `Access` Tab. This doesn't influence the Let's Encrypt certificate generation, so you can be as restrictive as you want here.
+- `DNS-01 challenge`: Enable this if you want to use the `DNS-01` ACME challenge instead of HTTP challenge. This can be set per entry, so you can have both types of challenges at the same time for different entries. This option needs the `General Settings` - `DNS Provider` and `API KEY` set.
+- `Dynamic DNS`: Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this domain will be automatically updated with your DNS Provider. 
+- `Custom Certificate`: Use a Certificate you imported or generated in `System - Trust - Certificates`. The chain is generated automatically. `Certificate + Intermediate CA + Root CA`, `Certificate + Root CA` and `self signed Certificate` are all fully supported.
+- `HTTP Access Log`: Enable the HTTP request logging for this domain and its subdomains. This option is mostly for troubleshooting since it will log every single request.
+- `Description`: The description is mandatory. Create descriptions for each domain. Since there could be multiples of the same domain with different ports, do it like this: `foo.example.com` and `foo.example.com.8443`.
+
+## Reverse Proxy - Subdomains
+- Press `+` to create a new Reverse Proxy Subdomain
+- `Reverse Proxy Domain` - Choose a wildcard domain you prepared in "Reverse Proxy - Domains", it has to be formatted like `*.example.com`
+- `Reverse Proxy Subdomain` - Create a name that is seated under the Wildcard domain, for example `foo.example.com` and `bar.example.com`.
+- For the other options refer to Domains.
+
+## Reverse Proxy - Handler
+Please note that the order that handlers are saved in the scope of each domain or domain/subdomain can influence functionality - The first matching handler wins. So if you put /ui* in front of a more specific handler like /ui/opnsense, the /ui* will match first and /ui/opnsense won't ever match (in the scope of their domain). Right now there isn't an easy way to move the position of handlers in the grid, so you have to clone them if you want to change their order, and delete the old entries afterwards. Most of the time, creating just one empty catch-all handler is the best choice. The template logic makes sure that catch-all handlers are always placed last, after all other handlers.
+- Press `+` to create a new `Handler`. A Handler is like a location in nginx.
+- `Enable` this new entry.
+- `Reverse Proxy Domain`: Select the domain you have created in `Reverse Proxy Domains`.
+- `Reverse Proxy Subdomain`: Leave this on `None`. It is not needed without having a wildcard certificate, or a `*.example.com` Domain.
+- `Handle Type`: `Handle` or `Handle Path` can be chosen. If in doubt, always use `Handle`, the most common option. `Handle Path` is used to strip the path from the URI. For example if you have example.com/opnsense internally, but want to call it with just example.com externally.
+- `Handle Path`: Leave this empty if you want to create a catch all location. You can create multiple Handler entries, and have each of them point at different locations like `/foo/*` or `/foo/bar/*` or `/foo*`.
+- `Backend Server Domain`: Should be an internal domain name or an IP Address of the Backend Server that should receive the traffic of the `Reverse Proxy Domain`.
+- `Backend Server Port`: Should be the port the Backend Server listens on. This can be left empty to use Caddy default ports 80 and 443.
+- `Backend Server Path`: In case the backend application resides in a sub-path of the web root and you don't want this path visible in the frontend URL you can use this setting to prepend an initial path starting with '/' to every backend request. Java applications running in a servlet container like Tomcat are known to behave this way, so you can set it to e.g. '/guacamole' to access Apache Guacamole at the frontend root URL without needing a redirect.
+- `TLS`: If your Backend Server only accepts HTTPS, enable this option. If the Backend Server has a globally trusted certificate, this is all you need.
+- `TLS Trusted CA Certificates`: Choose a CA certificate to trust for the Backend Server connection. Import your self-signed certificate or your CA certificate into the OPNsense "System - Trust - Authorities" store, and select it here.
+- `TLS Server Name`: If the SAN (Subject Alternative Names) of the offered trusted CA certificate or self-signed certificate doesn't match with the IP address or hostname of the `Backend Server Domain`, you can enter it here. This will change the SNI (Server Name Identification) of Caddy to the `TLS Server Name`. IP address e.g. `192.168.1.1` or hostname e.g. `localhost` or `opnsense.local` are all valid choices. Only if the SAN and SNI match, the TLS connection will work, otherwise an error is logged that can be used to troubleshoot.
+- `NTLM`: If your Backend Server needs NTLM authentication, enable this option together with `TLS`. For example, Exchange Server.
+
+**Attention**: The GUI doesn't allow "tls_insecure_skip_verify" due to safety reasons, as the Caddy documentation states not to use it. Use the `TLS Trusted CA Certificates` and `TLS Server Name` options instead to get a **secure TLS connection** to your Backend Server. Otherwise, use HTTP. If you really need to use "tls_insecure_skip_verify" and know the implications, use the import statements of custom configuration files.
+
+## Reverse Proxy - Access - Access Lists
+- Press `+` to create a new Access List
+- `Access List name`: Choose a name for the Access List, for example `private_ips`.
+- `Client IP Addresses`: Enter any number of IPv4 and IPv6 addresses or networks that this access list should contain. For example for matching only internal networks, add `192.168.0.0/16` `172.16.0.0/12` `10.0.0.0/8` `127.0.0.1/8` `fd00::/8` `::1`.
+- `Invert List`: Invert the logic of the access list. If unchecked, the Client IP Addresses will be ALLOWED, all other IP addresses will be blocked. When checked, the Client IP Addresses will be BLOCKED, all other IP addresses will be allowed.
+- Afterwards, go back to Domains or Subdomains and add the Access List you have created to them (advanced mode). All handlers created under these Domains will get an additional matcher. That means, the requests still reach Caddy, but if the IP Addresses don't match with the Access List logic, the request doesn't match any handler and will be dropped before being reverse proxied to any Backend Server. If you are using a CDN, make sure the Access List in General - Trusted Proxies and on each Domain used for that CDN are the same.
+
+## Reverse Proxy - Access - Basic Auth
+- Press `+` to create a new User for Basic Auth
+- `User`: Enter a username. Afterwards, you can select it in Reverse Proxy Domains or Subdomains to restrict access with basic auth. Usernames are only allowed to have alphanumeric characters.
+- `Password`: Enter a password. Write it down. It will be hashed with bcrypt. It can only be set and changed but won't be visible anymore. The hash can't be turned back into the original password.
+- Afterwards, go back to Domains or Subdomains and add the one or multiple basic auth users you have created to them (advanced mode). The basic auth matches after access lists, so you can set both to first restrict access by IP address, and then additionally by username and password. Please note that if you delete a user before deselecting it in a domain, the basic auth will stay with no user. If that happens you have to select the "clear all" in the domain or subdomain and save. Don't set basic auth on top of a wildcard domain directly, always set it on the subdomains instead.
+
+# HOW TO Section:
+
+## HOW TO: Create an easy reverse proxy
+**Services - Caddy Web Server - General Settings:**
+- `Enable` Caddy and press `Apply`
+
+**Services - Caddy Web Server - Reverse Proxy - Domain:**
+- Press `+` to create a new Reverse Proxy Domain
+- `Reverse Proxy Domain` - `foo.example.com`
+- `Description` - `foo.example.com`
+- `Save`
+
+**Services - Caddy Web Server - Reverse Proxy - Handler:**
+- Press `+` to create a new Handler
+- `Reverse Proxy Domain` - `foo.example.com`
+- `Backend Server Domain` - `192.168.10.1`
+- `Save`
+- `Apply`
+
+Done, leave all other fields to default or empty. You don't need the advanced mode options. After just a few seconds the Let's Encrypt Certificate will be installed and everything just works. Check the Logfile for that.
+Now you have a "Internet <-- HTTPS --> OPNsense (Caddy) <-- HTTP --> Backend Server" Reverse Proxy.
+
+## HOW TO: Create a wildcard subdomain reverse proxy
+- Do everything the same as above, but create your Reverse Proxy Domain like this `*.example.com` and activate the `DNS-01` challenge checkbox.
+- OR - `Custom Certificate` - Use a Certificate you imported or generated in `System - Trust - Certificates`. It has to be a wildcard certificate.
+- Go to the `Reverse Proxy Subdomain` Tab and create all subdomains that you need in relation to the `*.example.com` domain. So for example `foo.example.com` and `bar.example.com`.
+- Create descriptions for each subdomain. Since there could be multiples of the same subdomain with different ports, do it like this: `foo.example.com` and `foo.example.com.8443`.
+- In the `Handler` Tab you can now select your `*.example.com` `Reverse Proxy Domain`, and if `Reverse Proxy Subdomain` is `None`, the Handlers are added to the base `Reverse Proxy Domain`. For example, if you want a catch all Handler for all non referenced subdomains.
+- If you create a Handler with `*.example.com` as `Reverse Proxy Domain` and `foo.example.com` as `Reverse Proxy Subdomain`, a nested Handler will be generated. You can do all the same configurations as if the subdomain is a normal domain, with multiple Handlers and Handler paths.
+
+## HOW TO: Create a Handle with TLS and a trusted self-signed Certificate
+**Example: Reverse Proxy the OPNsense Configuration GUI Website with Caddy**
+- Open your OPNsense GUI in a Browser (e.g. Chrome or Firefox). Inspect the certificate. Copy the SAN for later use, for example `OPNsense.localdomain`.
+- Save the certificate in your Browser as PEM file. Open it up with a text editor, and copy the contents into a new entry in `System - Trust - Authorities`. Name the certificate e.g. `opnsense-selfsigned`.
+- Add a new Reverse Proxy Domain, for example `opn.example.com`. Make sure the name is externally resolvable to the IP of your OPNsense Firewall with Caddy.
+- Add a new Handler with the following options (enable advanced mode):
+- `Reverse Proxy Domain`: `opn.example.com`
+- `Backend Server Domain`: `127.0.0.1`
+- `Backend Server Port`: `8443` (Enter the port of your OPNsense GUI. You have changed it from 443 to a different port, since Caddy needs port 443.)
+- `TLS`: `X`
+- `TLS Trusted CA Certificates`: `opnsense-selfsigned` (The certificate you have saved in `System - Trust - Authorities`)
+- `TLS Server Name`: `OPNsense.localdomain` (The SAN of the certificate)
+- Save
+- Apply
+- Open `https://opn.example.com` and it should serve the reverse proxied OPNsense Configuration GUI Website. Check the log file for errors if it doesn't work, most of the time the `TLS Server Name` doesn't match the SAN of the `TLS Trusted CA Certificates`. Please note that Caddy doesn't support CN (Common Name) in certificate since it's been deprecated since many years.
+- Additionally, you can create an access list to limit access to the GUI only from trusted IP addresses (recommended). Add that access list to the domain `opn.example.com` in advanced mode. Also, enable `Abort Connections` in the `General` Settings to abort all connections immediately that don't match the access list or the handler.
+
+# Troubleshooting
+- You can always test if your current Caddyfile is valid by invoking `/api/caddy/service/validate` - This is also done automatically each time `Apply` is pressed. If you have an invalid configuration, Caddy will refuse to start and show the exact error message.
+- Check `/var/log/caddy/caddy.log` or `@latest.log` to find errors. There is also a Caddy Log File in the GUI.
+- A good indicator that Caddy is indeed running is this log entry: `serving initial configuration`
+- Check the Service Widget and the "General Settings" Service Control buttons. If everything works they should show a green "Play" sign. If Caddy is stopped there is a red "Stop" sign. If Caddy is disabled, there is no widget and no control buttons.
+
+# Build caddy and os-caddy from source
+- As build system use a FreeBSD 13.2 - https://github.com/opnsense/tools
+- Use xcaddy to build your own caddy binary. Additonal Caddy plugins can be compiled in, here is an example: [Additional Plugins](https://github.com/opnsense/tools/blob/a555d25b11486835460a136af0b8ad2e517ae96b/config/24.1/make.conf#L94)
+- Check the +MANIFEST file and put all dependant files into the right paths on your build system. Make sure to check your own file hashes with ```sha256 /path/to/file```. 
+- Use ```pkg create -M ./+MANIFEST``` in the folder of the ```+MANIFEST``` file.
+- For os-caddy.pkg make sure you have the OPNsense tools build system properly set up. 
+- Build the os-caddy.pkg by going into /usr/plugins/devel/caddy/ and invoking ```make package``` 
+
+# Custom configuration files
+- The Caddyfile has an additional import from the path ```/usr/local/etc/caddy/caddy.d/```. You can place your own custom configuration files inside that adhere to the Caddyfile syntax.
+- ```*.global``` will be imported into the global block of the Caddyfile. Global options can be found here: [Global Options Block](https://caddyserver.com/docs/caddyfile/options)
+- ```*.conf``` will be imported at the end of the Caddyfile, you can put your own reverse_proxy or other settings there. Don't forget to test your custom configuration with `caddy run --config /usr/local/etc/caddy/Caddyfile`.
+
+# Using the REST API to control the plugin:
+The Rest API is now fully integreated with the OPNsense syntax.
+https://docs.opnsense.org/development/api.html
+
+All API Actions can be found in the API Controller files ```/usr/local/opnsense/mvc/app/controllers/Pischem/Caddy/Api```
+
+Examples:
+- /api/caddy/ReverseProxy/get
+- /api/caddy/General/get
+- /api/caddy/service/status
+- /api/caddy/service/validate
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
new file mode 100644
index 0000000000..f06e6c4311
--- /dev/null
+++ b/www/caddy/pkg-descr
@@ -0,0 +1,40 @@
+Caddy - The Ultimate Server - makes your sites more secure, more reliable, and more scalable than any other solution. 
+By default, Caddy automatically obtains and renews TLS certificates for all your sites. 
+It's the most advanced HTTPS server in the world.
+
+Reverse Proxy HTTP, HTTPS, FastCGI, WebSockets, gRPC, FastCGI (usually PHP), and more!
+
+WWW: https://caddyserver.com/
+
+Main features of this plugin:
+
+* Easy to configure and reliable! Reverse Proxy any HTTP/HTTPS or WebSocket application in minutes.
+* Hard to break! Extensive validations of the configuration on each save and apply.
+* Automatic Let's Encrypt and ZeroSSL Certificates with HTTP-01 and TLS-ALPN-01 challenge
+* DNS-01 challenge and Dynamic DNS with supported DNS Providers built right in
+* Use custom certificates from OPNsense certificate store
+* Wildcard Domain and Subdomain support
+* Access Lists to restrict access based on static networks
+* Basic Auth to restrict access by username and password
+* Syslog-ng integration and HTTP Access Log
+* NTLM Transport
+
+Plugin Changelog
+================
+
+1.5.1
+
+* More DNS Providers added: netlify, namesilo, njalla, vercel, googleclouddns, alidns, powerdns, tencentcloud, dinahosting, metaname, hexonet, ddnss, linode, mailinabox, ovh, namecheap, azure, openstack-designate.
+* More input fields and better documentation added for the DNS Provider API Keys.
+* Changed rc.d script to standard freebsd poudriere one packaged with the caddy-custom binary, included setup.sh script to rc.conf.d/caddy.
+* Updated dependancy to caddy-custom instead of caddy.
+* Removed +POST_DEINSTALL.post and +POST_INSTALL.post.
+* Turned syslog-ng configuration from template to static file.
+* A few typos in the general.volt and reverse_proxy.volt corrected.
+* The RealInterfaceField custom Fieldtype was removed and replaced with an OPNsense integrated template function to read the interface name.
+* Enable $internalModelUseSafeDelete in ReverseProxyController.php - Items can only be deleted when they are not referenced by other items, making deleting in the GUI safer since there can't be any orphaned configuration left behind.
+* Migration script M1_1_3 from "Description" to "description" added. Lower case description is needed to be in line with some OPNsense integrated functions. 
+
+1.5.0
+
+* Initial release
diff --git a/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc b/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
new file mode 100644
index 0000000000..a04d784d93
--- /dev/null
+++ b/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * Copyright (C) 2023-2024 Cedrik Pischem
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function caddy_services()
+{
+    global $config;
+
+    $services = array();
+
+    if (isset($config['Pischem']['caddy']['general']['enabled']) &&
+        $config['Pischem']['caddy']['general']['enabled'] == 1) {
+        $services[] = array(
+            'description' => gettext('Caddy Web Server'),
+            'configd' => array(
+                'restart' => array('caddy restart'),
+                'start' => array('caddy start'),
+                'stop' => array('caddy stop'),
+            ),
+            'name' => 'caddy',
+            'pidfile' => '/var/run/caddy/caddy.pid'
+        );
+    }
+
+    return $services;
+}
+
+function caddy_xmlrpc_sync()
+{
+    $result = array();
+
+    $result[] = array(
+        'description' => gettext('Caddy Web Server'),
+        'section' => 'Pischem.caddy',
+        'id' => 'caddy',
+        'services' => ["caddy"],
+    );
+
+    return $result;
+}
diff --git a/www/caddy/src/etc/syslog-ng.conf.d/caddy.conf b/www/caddy/src/etc/syslog-ng.conf.d/caddy.conf
new file mode 100644
index 0000000000..11c96c45da
--- /dev/null
+++ b/www/caddy/src/etc/syslog-ng.conf.d/caddy.conf
@@ -0,0 +1,48 @@
+###################################################################
+# Local syslog-ng configuration [caddy].
+###################################################################
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+#
+# Define Unix socket source for Caddy
+source s_caddy {
+    unix-dgram("/var/caddy/var/run/log");
+};
+
+# Parser for Caddy log levels
+parser p_caddy_levels {
+    channel {
+        filter {
+            message(".*debug.*") or
+            message(".*info.*") or
+            message(".*warn.*") or
+            message(".*error.*") or
+            message(".*panic.*") or
+            message(".*fatal.*");
+        };
+        rewrite {
+            set-severity("7" condition(message(".*debug.*")));  # DEBUG -> Debug
+            set-severity("6" condition(message(".*info.*")));   # INFO -> Informational
+            set-severity("4" condition(message(".*warn.*")));   # WARN -> Warning
+            set-severity("3" condition(message(".*error.*")));  # ERROR -> Error
+            set-severity("2" condition(message(".*panic.*")));  # PANIC -> Critical
+            set-severity("1" condition(message(".*fatal.*")));  # FATAL -> Alert
+        };
+    };
+};
+
+# Destination for Caddy logs
+destination d_local_caddy {
+    file(
+        "/var/log/caddy/caddy_${YEAR}${MONTH}${DAY}.log"
+        create-dirs(yes)
+        flags(syslog-protocol)
+    );
+};
+
+# Log path for processing Caddy logs
+log {
+    source(s_caddy);
+    parser(p_caddy_levels);
+    rewrite { set("caddy" value("PROGRAM")); };
+    destination(d_local_caddy);
+};
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/GeneralController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/GeneralController.php
new file mode 100644
index 0000000000..21238afa1d
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/GeneralController.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2015 Deciso B.V.
+ * 
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'caddy';
+    protected static $internalModelClass = 'OPNsense\Caddy\Caddy';
+}
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
new file mode 100644
index 0000000000..4415203b51
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -0,0 +1,215 @@
+<?php
+
+/**
+ *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class ReverseProxyController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'caddy';
+    protected static $internalModelClass = 'OPNsense\Caddy\Caddy';
+    protected static $internalModelUseSafeDelete = true;
+
+    /*ReverseProxy Section*/
+
+    public function searchReverseProxyAction()
+    {
+        return $this->searchBase("reverseproxy.reverse", ['enabled', 'FromDomain', 'FromPort', 'accesslist', 'basicauth', 'DnsChallenge', 'CustomCertificate', 'AccessLog', 'DynDns', 'description']);
+    }
+
+    public function setReverseProxyAction($uuid)
+    {
+        return $this->setBase("reverse", "reverseproxy.reverse", $uuid);
+    }
+
+    public function addReverseProxyAction()
+    {
+        return $this->addBase("reverse", "reverseproxy.reverse");
+    }
+
+    public function getReverseProxyAction($uuid = null)
+    {
+        return $this->getBase("reverse", "reverseproxy.reverse", $uuid);
+    }
+
+    public function delReverseProxyAction($uuid)
+    {
+        return $this->delBase("reverseproxy.reverse", $uuid);
+    }
+
+    public function toggleReverseProxyAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("reverseproxy.reverse", $uuid, $enabled);
+    }
+
+
+    /*Subdomain Section*/
+
+    public function searchSubdomainAction()
+    {
+        return $this->searchBase("reverseproxy.subdomain", ['enabled', 'reverse', 'FromDomain', 'FromPort', 'accesslist', 'basicauth', 'DynDns', 'description']);
+    }
+
+    public function setSubdomainAction($uuid)
+    {
+        return $this->setBase("subdomain", "reverseproxy.subdomain", $uuid);
+    }
+
+    public function addSubdomainAction()
+    {
+        return $this->addBase("subdomain", "reverseproxy.subdomain");
+    }
+
+    public function getSubdomainAction($uuid = null)
+    {
+        return $this->getBase("subdomain", "reverseproxy.subdomain", $uuid);
+    }
+
+    public function delSubdomainAction($uuid)
+    {
+        return $this->delBase("reverseproxy.subdomain", $uuid);
+    }
+
+    public function toggleSubdomainAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("reverseproxy.subdomain", $uuid, $enabled);
+    }
+
+
+    /*Handler Section*/
+
+    public function searchHandleAction()
+    {
+        return $this->searchBase("reverseproxy.handle", ['enabled', 'reverse', 'subdomain', 'HandleType', 'HandlePath', 'ToDomain', 'ToPort', 'ToPath', 'HttpTls', 'HttpTlsTrustedCaCerts', 'HttpTlsServerName', 'HttpNtlm', 'description']);
+    }
+
+    public function setHandleAction($uuid)
+    {
+        return $this->setBase("handle", "reverseproxy.handle", $uuid);
+    }
+
+    public function addHandleAction()
+    {
+        return $this->addBase("handle", "reverseproxy.handle");
+    }
+
+    public function getHandleAction($uuid = null)
+    {
+        return $this->getBase("handle", "reverseproxy.handle", $uuid);
+    }
+
+    public function delHandleAction($uuid)
+    {
+        return $this->delBase("reverseproxy.handle", $uuid);
+    }
+
+    public function toggleHandleAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("reverseproxy.handle", $uuid, $enabled);
+    }
+    
+    
+    /* AccessList Section */
+
+    public function searchAccessListAction()
+    {
+        return $this->searchBase("reverseproxy.accesslist", ['accesslistName', 'clientIps', 'accesslistInvert', 'description']);
+    }
+
+    public function setAccessListAction($uuid)
+    {
+        return $this->setBase("accesslist", "reverseproxy.accesslist", $uuid);
+    }
+
+    public function addAccessListAction()
+    {
+        return $this->addBase("accesslist", "reverseproxy.accesslist");
+    }
+
+    public function getAccessListAction($uuid = null)
+    {
+        return $this->getBase("accesslist", "reverseproxy.accesslist", $uuid);
+    }
+
+    public function delAccessListAction($uuid)
+    {
+        return $this->delBase("reverseproxy.accesslist", $uuid);
+    }
+    
+    
+    /* BasicAuth Section */
+
+    public function searchBasicAuthAction()
+    {
+        return $this->searchBase("reverseproxy.basicauth", ['basicauthuser', 'basicauthpass', 'description']);
+    }
+
+    public function setBasicAuthAction($uuid)
+    {
+        if ($this->request->isPost()) {
+            $postData = $this->request->getPost();
+
+            if (isset($postData['basicauth']['basicauthpass']) && !empty(trim($postData['basicauth']['basicauthpass']))) {
+                $plainPassword = $postData['basicauth']['basicauthpass'];
+                $hashedPassword = password_hash($plainPassword, PASSWORD_BCRYPT);
+                $_POST['basicauth']['basicauthpass'] = $hashedPassword;
+            }
+        }
+
+        return $this->setBase("basicauth", "reverseproxy.basicauth", $uuid);
+    }
+
+    public function addBasicAuthAction()
+    {
+        if ($this->request->isPost()) {
+            $postData = $this->request->getPost();
+    
+            if (isset($postData['basicauth']['basicauthpass']) && !empty(trim($postData['basicauth']['basicauthpass']))) {
+                $plainPassword = $postData['basicauth']['basicauthpass'];
+                $hashedPassword = password_hash($plainPassword, PASSWORD_BCRYPT);
+                $_POST['basicauth']['basicauthpass'] = $hashedPassword;
+            }
+        }
+
+        return $this->addBase("basicauth", "reverseproxy.basicauth");
+    }
+
+    public function getBasicAuthAction($uuid = null)
+    {
+        return $this->getBase("basicauth", "reverseproxy.basicauth", $uuid);
+    }
+
+    public function delBasicAuthAction($uuid)
+    {
+        return $this->delBase("reverseproxy.basicauth", $uuid);
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
new file mode 100644
index 0000000000..fa1b43842b
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
@@ -0,0 +1,67 @@
+<?php
+
+/**
+ *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Caddy\Caddy';
+    protected static $internalServiceTemplate = 'OPNsense/Caddy';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceName = 'caddy';
+
+    public function validateAction()
+    {
+        $backend = new Backend();
+
+        // First, reload the template to ensure the latest configuration is used
+        $backend->configdRun("template reload " . self::$internalServiceTemplate);
+
+        // Validate the Caddyfile
+        $validateResult = trim($backend->configdRun('caddy validate'));
+
+        // Attempt to parse the JSON output from the validation result
+        if (($jsonStartPos = strpos($validateResult, '{"message":')) !== false) {
+            $jsonOutput = substr($validateResult, $jsonStartPos);
+            $result = json_decode($jsonOutput, true);
+
+            if (is_array($result) && isset($result['status'])) {
+                return ["status" => $result['status'], "message" => $result['message']];
+            }
+        }
+
+        // If unable to parse the expected JSON output, return a generic error message
+        return ["status" => "failed", "message" => "Unable to parse the validation result."];
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
new file mode 100644
index 0000000000..6d64473de8
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy;
+
+use OPNsense\Base\IndexController;
+
+class GeneralController extends IndexController
+{
+    public function indexAction()
+    {
+        // Assign the general settings form to the view
+        $this->view->pick('OPNsense/Caddy/general');
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->dnsproviderForm = $this->getForm("dnsprovider");
+        $this->view->dynamicdnsForm = $this->getForm("dynamicdns");
+        $this->view->logsettingsForm = $this->getForm("logsettings");
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
new file mode 100644
index 0000000000..d6727b48d2
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy;
+
+use OPNsense\Base\IndexController;
+
+class ReverseProxyController extends IndexController {
+    public function indexAction() {
+        $this->view->pick('OPNsense/Caddy/reverse_proxy');
+        $this->view->formDialogReverseProxy = $this->getForm("dialogReverseProxy");
+        $this->view->formDialogSubdomain = $this->getForm("dialogSubdomain");
+        $this->view->formDialogHandle = $this->getForm("dialogHandle");
+        $this->view->formDialogAccessList = $this->getForm("dialogAccessList");
+        $this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
new file mode 100644
index 0000000000..b38a67826c
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -0,0 +1,28 @@
+<form>
+    <field>
+        <id>accesslist.accesslistName</id>
+        <label>Access List Name</label>
+        <type>text</type>
+        <help><![CDATA[Enter a name for this access list.]]></help>
+    </field>
+    <field>
+        <id>accesslist.clientIps</id>
+        <label>Client IP Addresses</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Enter the client IP addresses or networks for this access list. Accepts multiple IPv4/IPv6 addresses or networks.]]></help>
+    </field>
+    <field>
+        <id>accesslist.accesslistInvert</id>
+        <label>Invert List</label>
+        <type>checkbox</type>
+        <help><![CDATA[If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).]]></help>
+    </field>
+    <field>
+        <id>accesslist.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this access list.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
new file mode 100644
index 0000000000..18482bb3fe
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
@@ -0,0 +1,20 @@
+<form>
+    <field>
+        <id>basicauth.basicauthuser</id>
+        <label>User</label>
+        <type>text</type>
+        <help><![CDATA[Enter a username. Afterwards, you can select it in Reverse Proxy Domains or Subdomains to restrict access with basic auth.]]></help>
+    </field>
+    <field>
+        <id>basicauth.basicauthpass</id>
+        <label>Password</label>
+        <type>text</type>
+        <help><![CDATA[Enter a password. It will be hashed with bcrypt. It can only be set and changed but won't be visible anymore.]]></help>
+    </field>
+    <field>
+        <id>basicauth.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this user.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
new file mode 100644
index 0000000000..26bb9cacbc
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -0,0 +1,91 @@
+<form>
+    <field>
+        <id>handle.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable this handler.]]></help>
+    </field>
+    <field>
+        <id>handle.reverse</id>
+        <label>Reverse Proxy Domain</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select a reverse proxy domain to which this handler should be added.]]></help>
+    </field>
+    <field>
+        <id>handle.subdomain</id>
+        <label>Reverse Proxy Subdomain</label>
+        <type>dropdown</type>
+        <help><![CDATA[Optionally, select a reverse proxy subdomain to which this handler should be added. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HandleType</id>
+        <label>Handle Type</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select the handler type. In most cases, leaving this as "handle" will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HandlePath</id>
+        <label>Handle Path</label>
+        <type>text</type>
+        <help><![CDATA[Enter a handler like '/*' or '/example/*', or leave blank for a catch-all handler (recommended). You can define multiple handlers per domain/subdomain by creating additional entries. Save more specific handlers first, as the first matching handler is prioritized. Blank handlers are processed last automatically. To reorder, clone handlers in the desired sequence and delete old ones.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.ToDomain</id>
+        <label>Backend Server Domain</label>
+        <type>text</type>
+        <hint>192.168.1.1</hint>
+        <help><![CDATA[Enter the internal domain name or IP address of the backend server destination for this handler.]]></help>
+    </field>
+    <field>
+        <id>handle.ToPort</id>
+        <label>Backend Server Port</label>
+        <type>text</type>
+        <hint>443</hint>
+        <help><![CDATA[Enter the port number of the backend server. Leave this empty for bind to port 80. For HTTPS, use 443.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.ToPath</id>
+        <label>Backend Path</label>
+        <type>text</type>
+        <help><![CDATA[Enter a path prefix like '/guacamole' that should be prepended to the backend request because the application demands it.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HttpTls</id>
+        <label>TLS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Use HTTP over TLS (HTTPS) to communicate with the Backend Server. In most cases, leaving this unchecked will be the best choice. Caddy uses HTTP for communication with the Backend Server by default.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HttpTlsTrustedCaCerts</id>
+        <label>TLS Trusted CA Certificate</label>
+        <type>dropdown</type>
+        <help><![CDATA[If TLS is enabled, and you are not using a globally trusted server certificate on your Backend Server, you can choose a CA certificate or self-signed certificate to trust from "System - Trust - Authorities".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HttpTlsServerName</id>
+        <label>TLS Server Name</label>
+        <type>text</type>
+        <help><![CDATA[Optionally, specify a hostname or IP address that matches the SAN of the "TLS Trusted CA Certificate". Please note that only SAN certificates are supported; CN will not work.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HttpNtlm</id>
+        <label>NTLM</label>
+        <type>checkbox</type>
+        <help><![CDATA[If "TLS" has been checked, check "NTLM" in addition for reverse proxying an Exchange Server. In most other cases, leaving this unchecked will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this handler.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
new file mode 100644
index 0000000000..16699cf3a6
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -0,0 +1,71 @@
+<form>
+    <field>
+        <id>reverse.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable this reverse proxy domain.]]></help>
+    </field>
+    <field>
+        <id>reverse.FromDomain</id>
+        <label>Reverse Proxy Domain</label>
+        <type>text</type>
+        <hint>example.com</hint>
+        <help><![CDATA[Enter a domain name or IP address. For a wildcard domain, use *.example.com. Only use wildcard domains with a wildcard certificate. Don't forget to create a firewall rule that allows port 80 and 443 to "This Firewall".]]></help>
+    </field>
+    <field>
+        <id>reverse.FromPort</id>
+        <label>Reverse Proxy Port</label>
+        <type>text</type>
+        <hint>443</hint>
+        <help><![CDATA[Enter the port number. Leave this empty to bind to port 80 and 443 with automatic redirection. Don't forget to create a firewall rule that allows this port to "This Firewall".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>reverse.accesslist</id>
+        <label>Access List</label>
+        <type>dropdown</type>
+        <help><![CDATA[Optionally, select an Access List to restrict access to this domain. If left as "None", any local or remote client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>reverse.basicauth</id>
+        <label>Basic Auth</label>
+        <type>select_multiple</type>
+        <size>5</size>
+        <help><![CDATA[Optionally, select Users to restrict access to this domain. Basic Auth matches after Access Lists. If left as "None", any client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>reverse.DnsChallenge</id>
+        <label>DNS-01 challenge</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable DNS-01 challenge for ACME, please configure DNS Provider and API Key in General Settings. In most cases, leaving this option unchecked will be the best choice. The automatic Let's Encrypt HTTP challenge will be used if this option is unchecked, which needs no further configuration.]]></help>
+    </field>
+    <field>
+        <id>reverse.DynDns</id>
+        <label>Dynamic DNS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this domain will be automatically updated with your DNS Provider.]]></help>
+    </field>
+    <field>
+        <id>reverse.CustomCertificate</id>
+        <label>Custom Certificate</label>
+        <type>dropdown</type>
+        <help><![CDATA[Choose your own certificate from System Trust Certificates. Make sure you have imported the full chain. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>reverse.AccessLog</id>
+        <label>HTTP Access Log</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable the HTTP request logging for this domain and its subdomains. This option is mostly for troubleshooting since it will log every single request.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>reverse.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <hint>example.com.443</hint>
+        <help><![CDATA[Enter a description for this reverse proxy domain.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
new file mode 100644
index 0000000000..a43e961eee
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -0,0 +1,57 @@
+<form>
+    <field>
+        <id>subdomain.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable this reverse proxy subdomain.]]></help>
+    </field>
+    <field>
+        <id>subdomain.reverse</id>
+        <label>Reverse Proxy Domain</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select a domain, to which this subdomain should be added.]]></help>
+    </field>
+    <field>
+        <id>subdomain.FromDomain</id>
+        <label>Reverse Proxy Subdomain</label>
+        <type>text</type>
+        <hint>opn.example.com</hint>
+        <help><![CDATA[Enter the subdomain name (e.g., 'opn.example.com' if your wildcard domain is '*.example.com').]]></help>
+    </field>
+    <field>
+        <id>subdomain.FromPort</id>
+        <label>Reverse Proxy Port</label>
+        <type>text</type>
+        <hint>443</hint>
+        <help><![CDATA[Enter the port number. Leave this empty to bind to port 80 and 443 with automatic redirection. Don't forget to create a firewall rule that allows this destination port to "This Firewall".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>subdomain.accesslist</id>
+        <label>Access List</label>
+        <type>dropdown</type>
+        <help><![CDATA[Optionally, select an Access List to restrict access to this subdomain. If left as "None", any local or remote client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>subdomain.basicauth</id>
+        <label>Basic Auth</label>
+        <type>select_multiple</type>
+        <size>5</size>
+        <help><![CDATA[Optionally, select Users to restrict access to this subdomain. Basic Auth matches after Access Lists. If left as "None", any client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>subdomain.DynDns</id>
+        <label>Dynamic DNS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this subdomain will be automatically updated with your DNS Provider.]]></help>
+    </field>
+    <field>
+        <id>subdomain.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <hint>opn.example.com.443</hint>
+        <help><![CDATA[Enter a description for this reverse proxy subdomain.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
new file mode 100644
index 0000000000..ad963b984b
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -0,0 +1,63 @@
+<form>
+    <field>
+        <id>caddy.general.TlsDnsProvider</id>
+        <label>DNS Provider</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is optional, since certificates will be requested from Let's Encrypt via HTTP Challenge when this option is unset. You mostly need this for Wildcard Certificates, and for Dynamic DNS. To use the DNS-01 Challenge and Dynamic DNS, enable the checkbox in a Reverse Proxy Domain or Subdomain. For more information: https://github.com/caddy-dns]]></help>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsApiKey</id>
+        <label>DNS API Standard Field</label>
+        <type>text</type>
+        <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", DNSPod "auth_token", Hetzner "api_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Namesilo "api_token", Njalla "api_token", Vercel "api_token",  Google Cloud DNS "gcp_project", Alidns "access_key_id", Azure "tenant_id", OpenStack Designate "region_name", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Metaname "api_key", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url".]]></help>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsSecretApiKey</id>
+        <label>DNS API Additional Field 1</label>
+        <type>text</type>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Alidns "access_key_secret", Azure "client_id", OpenStack Designate "tenant_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Metaname "account_reference", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsOptionalField1</id>
+        <label>DNS API Additional Field 2</label>
+        <type>text</type>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OpenStack Designate "identity_api_version", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsOptionalField2</id>
+        <label>DNS API Additional Field 3</label>
+        <type>text</type>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OpenStack Designate "password", OVH "consumer_key", Namecheap "client_ip", DDNS "password".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsOptionalField3</id>
+        <label>DNS API Additional Field 4</label>
+        <type>text</type>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name", OpenStack Designate "username".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsOptionalField4</id>
+        <label>DNS API Additional Field 5</label>
+        <type>text</type>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "token", OpenStack Designate "tenant_name".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsOptionalField5</id>
+        <label>DNS API Additional Field 6</label>
+        <type>text</type>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: OpenStack Designate "auth_url".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsOptionalField6</id>
+        <label>DNS API Additional Field 7</label>
+        <type>text</type>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: OpenStack Designate "endpoint_type".]]></help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
new file mode 100644
index 0000000000..8361549102
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
@@ -0,0 +1,34 @@
+<form>    
+    <field>
+        <id>caddy.general.DynDnsSimpleHttp</id>
+        <label>DynDns Check Http</label>
+        <type>text</type>
+        <help><![CDATA[Optionally, enter a URL to test the current IP address of the firewall via HTTP protocol. Generally, this is not needed. Caddy uses default providers to test the current IP addresses. If you'd rather use your own, enter the https:// link to an IP address testing website.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.DynDnsInterface</id>
+        <label>DynDns Check Interface</label>
+        <type>dropdown</type>
+        <help><![CDATA[Optionally, select an interface to extract the current IP address of the firewall. Attention, all IP addresses will be read from this interface. Only choose this option if you know the implications.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.DynDnsCheckInterval</id>
+        <label>DynDns Check Interval</label>
+        <type>text</type>
+        <help><![CDATA[Interval to poll for changes of the IP address. The default is 5 minutes. Can be a number between 1 to 1440 minutes.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.DynDnsIpVersions</id>
+        <label>DynDns IP Version</label>
+        <type>dropdown</type>
+        <help><![CDATA[Leave on None to set IPv4 A-Records and IPv6 AAAA-Records. Select "IPv4 only" for setting A-Records. Select "IPv6 only" for setting AAAA-Records.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.DynDnsTTL</id>
+        <label>DynDns TTL</label>
+        <type>text</type>
+        <help><![CDATA[Set the TTL (time to live) for DNS Records. The default is 1 hour. Can be a number between 1 to 24 hours.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
new file mode 100644
index 0000000000..b00d7085eb
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -0,0 +1,33 @@
+<form>
+    <field>
+        <id>caddy.general.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable or disable the Caddy web server.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.TlsEmail</id>
+        <label>ACME Email</label>
+        <type>text</type>
+        <hint>info@example.com</hint>
+        <help><![CDATA[Enter the email address for certificate notifications.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.TlsAutoHttps</id>
+        <label>Auto HTTPS</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select the auto HTTPS option. "On" (default) creates automatic certificates using Let's Encrypt or ZeroSSL without needing any configuration.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.abort</id>
+        <label>Abort Connections</label>
+        <type>checkbox</type>
+        <help><![CDATA[Abort all connections that don't have a matching handle or access list. This option doesn't conflict with Let's Encrypt. Disable it for troubleshooting purposes, e.g., testing if the Reverse Proxy Domain works and the Certificate has been installed. For production use, enabling this option is recommended.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.accesslist</id>
+        <label>Trusted Proxies</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select an Access List of Trusted Proxies. If Caddy is not the first server being connected to by your clients (for example when a CDN is in front of Caddy), you may configure trusted_proxies with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the Domains your Trusted Proxy connects to.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
new file mode 100644
index 0000000000..5af8a9a146
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
@@ -0,0 +1,23 @@
+<form>
+    <field>
+        <id>caddy.general.LogCredentials</id>
+        <label>Log Credentials</label>
+        <type>checkbox</type>
+        <help><![CDATA[Log all Cookies and Authorization in HTTP request logging. Use combined with HTTP Access Log in the Reverse Proxy Domain. Enable this option only for troubleshooting.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.LogAccessPlain</id>
+        <label>Log HTTP Access in JSON Format</label>
+        <type>checkbox</type>
+        <help><![CDATA[Log HTTP access in a standard JSON logfile per domain, e.g for processing by CrowdSec. Use combined with HTTP Access Log in the Reverse Proxy Domain. Enabling this will make the HTTP Access Log dissappear from the standard "Log File" in the GUI. They can be found in the filesystem "/var/log/caddy/access/"]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.LogAccessPlainKeep</id>
+        <label>Keep HTTP Access JSON Logs for (days)</label>
+        <hint>10</hint>
+        <type>text</type>
+        <help><![CDATA[How many days to keep the JSON access logs.]]></help>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
new file mode 100644
index 0000000000..c98f84a7e0
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
@@ -0,0 +1,18 @@
+<acl>
+    <page-caddy-general>
+        <name>Services: Caddy Web Server: General Settings</name>
+        <description>Allow access to Caddy General Settings</description>
+        <patterns>
+            <pattern>ui/caddy/general/*</pattern>
+            <pattern>api/caddy/general/*</pattern>
+        </patterns>
+    </page-caddy-general>
+    <page-caddy-reverse-proxy>
+        <name>Services: Caddy Web Server: Reverse Proxy</name>
+        <description>Allow access to Caddy Reverse Proxy</description>
+        <patterns>
+            <pattern>ui/caddy/reverse_proxy/*</pattern>
+            <pattern>api/caddy/reverse_proxy/*</pattern>
+        </patterns>
+    </page-caddy-reverse-proxy>
+</acl>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
new file mode 100644
index 0000000000..e9bbb97dfe
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -0,0 +1,160 @@
+<?php
+
+/**
+ *    Copyright (C) 2023-2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy;
+
+use OPNsense\Base\BaseModel;
+use Phalcon\Messages\Message;
+
+class Caddy extends BaseModel
+{
+    // 1. Check domain-port combinations
+    // 2. Check subdomain-port combinations
+    private function checkForUniquePortCombos($items, $messages, $type = 'domain')
+    {
+        $combos = [];
+        foreach ($items as $item) {
+            $key = $item->__reference; // Dynamic key based on item reference
+            $fromDomainOrSubdomain = (string) $item->FromDomain;
+            $fromPort = (string) $item->FromPort;
+
+            if ($fromPort === '') {
+                $defaultPorts = ['80', '443'];
+            } else {
+                $defaultPorts = [$fromPort];
+            }
+
+            foreach ($defaultPorts as $port) {
+                // Create a unique key for domain/subdomain-port combination
+                $comboKey = $fromDomainOrSubdomain . ':' . $port;
+
+                // Check for duplicate combinations
+                if (isset($combos[$comboKey])) {
+                    // Use dynamic $key for message referencing
+                    $messages->appendMessage(new Message(
+                        "Duplicate entry: The combination of $type '$fromDomainOrSubdomain' and port '$port' is already used. Each $type and port pairing must be unique.",
+                        $type === 'domain' ? $key . ".FromDomain" : $key . ".FromDomain", // Adjusted to use dynamic key
+                        "Duplicate" . ucfirst($type) . "Port"
+                    ));
+                } else {
+                    $combos[$comboKey] = true;
+                }
+            }
+        }
+    }
+
+    // 3. Check that subdomains are under a wildcard or exact domain
+    private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
+    {
+        $wildcardDomainList = [];
+        foreach ($domains as $domain) {
+            if ((string) $domain->enabled === '1') {
+                $domainName = (string) $domain->FromDomain;
+                if (str_starts_with($domainName, '*.')) {
+                    $wildcardBase = substr($domainName, 2);
+                    $wildcardDomainList[$wildcardBase] = $domainName;
+                }
+            }
+        }
+
+        foreach ($subdomains as $subdomain) {
+            if ((string) $subdomain->enabled === '1') {
+                $subdomainName = (string) $subdomain->FromDomain;
+                $isValid = false;
+                foreach ($wildcardDomainList as $baseDomain => $wildcardDomain) {
+                    if (str_ends_with($subdomainName, $baseDomain)) {
+                        $isValid = true;
+                        break;
+                    }
+                }
+
+                if (!$isValid) {
+                    $key = $subdomain->__reference; // Dynamic key based on subdomain reference
+                    $messages->appendMessage(new Message(
+                        "Invalid subdomain configuration: '$subdomainName' does not fall under any configured wildcard domain.",
+                        $key . ".FromDomain", // Use dynamic key for message referencing
+                        "InvalidSubdomain"
+                    ));
+                }
+            }
+        }
+    }
+
+    // 4. Check for conflicts between wildcard and base domains
+    private function checkForWildcardAndBaseDomainConflicts($domains, $messages)
+    {
+        $domainList = [];
+        foreach ($domains as $domain) {
+            if ((string) $domain->enabled === '1') {
+                $domainName = (string) $domain->FromDomain;
+                $domainList[$domainName] = true;
+
+                // Check for wildcard or base domain conflict
+                if (str_starts_with($domainName, '*.')) {
+                    $baseDomain = substr($domainName, 2);
+                    if (isset($domainList[$baseDomain])) {
+                        $key = $domain->__reference; // Dynamic key based on domain reference
+                        $messages->appendMessage(new Message(
+                            "Invalid domain configuration: Cannot create wildcard domain '$domainName' because base domain '$baseDomain' exists.",
+                            $key . ".FromDomain", // Use dynamic key for message referencing
+                            "WildcardBaseConflict"
+                        ));
+                    }
+                } else {
+                    $wildcardDomain = '*.' . $domainName;
+                    if (isset($domainList[$wildcardDomain])) {
+                        $key = $domain->__reference; // Dynamic key based on domain reference
+                        $messages->appendMessage(new Message(
+                            "Invalid domain configuration: Cannot create base domain '$domainName' because wildcard domain '$wildcardDomain' exists.",
+                            $key . ".FromDomain", // Use dynamic key for message referencing
+                            "BaseWildcardConflict"
+                        ));
+                    }
+                }
+            }
+        }
+    }
+
+    // Perform the actual validation
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+        // 1. Check domain-port combinations
+        $this->checkForUniquePortCombos($this->reverseproxy->reverse->iterateItems(), $messages, 'domain');
+        // 2. Check subdomain-port combinations
+        $this->checkForUniquePortCombos($this->reverseproxy->subdomain->iterateItems(), $messages, 'subdomain');
+        // 3. Check that subdomains are under a wildcard or exact domain
+        $this->checkSubdomainsAgainstDomains($this->reverseproxy->subdomain->iterateItems(), $this->reverseproxy->reverse->iterateItems(), $messages);
+        // 4. Check for conflicts between wildcard and base domains
+        $this->checkForWildcardAndBaseDomainConflicts($this->reverseproxy->reverse->iterateItems(), $messages);
+
+        return $messages;
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
new file mode 100644
index 0000000000..0c95d2b7df
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -0,0 +1,330 @@
+<model>
+    <mount>//Pischem/caddy</mount>
+    <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
+    <version>1.1.3</version>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <TlsEmail type="EmailField">
+                <ValidationMessage>Please enter a valid email address.</ValidationMessage>
+            </TlsEmail>
+            <TlsAutoHttps type="OptionField">
+                <Default>on</Default>
+                <OptionValues>
+                    <on>On (default)</on>
+                    <off>Off</off>
+                    <disable_redirects>Disable Redirects</disable_redirects>
+                    <disable_certs>Disable Certs</disable_certs>
+                    <ignore_loaded_certs>Ignore Loaded Certs</ignore_loaded_certs>
+                </OptionValues>
+            </TlsAutoHttps>
+            <TlsDnsProvider type="OptionField">
+                <OptionValues>
+                    <none>None (default)</none>
+                    <cloudflare>Cloudflare</cloudflare>
+                    <duckdns>Duck DNS</duckdns>
+                    <digitalocean>DigitalOcean</digitalocean>
+                    <dnspod>DNSPod</dnspod>
+                    <hetzner>Hetzner</hetzner>
+                    <godaddy>GoDaddy</godaddy>
+                    <gandi>Gandi</gandi>
+                    <ionos>IONOS</ionos>
+                    <desec>Desec</desec>
+                    <porkbun>Porkbun</porkbun>
+                    <route53>Route53</route53>
+                    <acmedns>ACME-DNS</acmedns>
+                    <alidns>Alidns</alidns>
+                    <googleclouddns>Google Cloud DNS</googleclouddns>
+                    <azure>Azure</azure>
+                    <openstack-designate>OpenStack Designate</openstack-designate>
+                    <ovh>OVH</ovh>
+                    <namecheap>Namecheap</namecheap>
+                    <netlify>Netlify</netlify>
+                    <namesilo>Namesilo</namesilo>
+                    <powerdns>PowerDNS</powerdns>
+                    <vercel>Vercel</vercel>
+                    <ddnss>DDNSS</ddnss>
+                    <njalla>Njalla</njalla>
+                    <metaname>Metaname</metaname>
+                    <linode>Linode</linode>
+                    <tencentcloud>Tencent Cloud</tencentcloud>
+                    <dinahosting>Dinahosting</dinahosting>
+                    <hexonet>Hexonet</hexonet>
+                    <mailinabox>Mail-in-a-Box</mailinabox>
+                </OptionValues>
+            </TlsDnsProvider>
+            <TlsDnsApiKey type="TextField"/>
+            <TlsDnsSecretApiKey type="TextField"/>
+            <TlsDnsOptionalField1 type="TextField"/>
+            <TlsDnsOptionalField2 type="TextField"/>
+            <TlsDnsOptionalField3 type="TextField"/>
+            <TlsDnsOptionalField4 type="TextField"/>
+            <TlsDnsOptionalField5 type="TextField"/>
+            <TlsDnsOptionalField6 type="TextField"/>
+            <accesslist type="ModelRelationField">
+                <Model>
+                    <reverseproxy>
+                        <source>OPNsense.Caddy.Caddy</source>
+                        <items>reverseproxy.accesslist</items>
+                        <display>accesslistName</display>
+                    </reverseproxy>
+                </Model>
+            </accesslist>
+            <abort type="BooleanField">
+                <Default>0</Default>
+            </abort>
+            <LogCredentials type="BooleanField">
+                <Default>0</Default>
+            </LogCredentials>
+            <LogAccessPlain type="BooleanField">
+                <Default>0</Default>
+            </LogAccessPlain>
+            <LogAccessPlainKeep type="IntegerField">
+                <Default>10</Default>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>Please enter a valid number of 1 or larger.</ValidationMessage>
+            </LogAccessPlainKeep>
+            <DynDnsSimpleHttp type="UrlField">
+                <ValidationMessage>Please enter a valid URL, starting with http or https.</ValidationMessage>
+            </DynDnsSimpleHttp>
+            <DynDnsInterface type="InterfaceField"/>
+            <DynDnsCheckInterval type="IntegerField">
+                <Default>5</Default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>1440</MaximumValue>
+                <ValidationMessage>Please enter a valid number from 1 to 1440 minutes.</ValidationMessage>
+            </DynDnsCheckInterval>
+            <DynDnsIpVersions type="OptionField">
+                <Default>ipv4</Default>
+                <OptionValues>
+                    <ipv4>IPv4 only</ipv4>
+                    <ipv6>IPv6 only</ipv6>
+                </OptionValues>
+            </DynDnsIpVersions>
+            <DynDnsTTL type="IntegerField">
+                <Default>1</Default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>24</MaximumValue>
+                <ValidationMessage>Please enter a valid number from 1 to 24 hours.</ValidationMessage>
+            </DynDnsTTL>
+        </general>
+        <reverseproxy>
+            <reverse type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <FromDomain type="HostnameField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Please enter a valid 'from' domain or IP address.</ValidationMessage>
+                    <IpAllowed>Y</IpAllowed>
+                    <HostWildcardAllowed>Y</HostWildcardAllowed>
+                    <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
+                    <ZoneRootAllowed>N</ZoneRootAllowed>
+                </FromDomain>
+                <FromPort type="PortField">
+                    <ValidationMessage>Please enter a valid 'from' port number.</ValidationMessage>
+                    <EnableWellKnown>Y</EnableWellKnown>
+                    <EnableRanges>N</EnableRanges>
+                </FromPort>
+                <accesslist type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.accesslist</items>
+                            <display>accesslistName</display>
+                        </reverseproxy>
+                    </Model>
+                </accesslist>
+                <basicauth type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.basicauth</items>
+                            <display>basicauthuser</display>
+                        </reverseproxy>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                </basicauth>
+                <description type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_*-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
+                </description>
+                <DnsChallenge type="BooleanField">
+                    <Default>0</Default>
+                </DnsChallenge>
+                <CustomCertificate type="CertificateField"/>
+                <AccessLog type="BooleanField">
+                    <Default>0</Default>
+                </AccessLog>
+                <DynDns type="BooleanField">
+                    <Default>0</Default>
+                </DynDns>
+            </reverse>
+            <subdomain type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <reverse type="ModelRelationField">
+                    <Required>Y</Required>
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.reverse</items>
+                            <display>description</display>
+                        </reverseproxy>
+                    </Model>
+                </reverse>
+                <FromDomain type="HostnameField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Please enter a valid 'from' Subdomain that is based upon the wildcard domain.</ValidationMessage>
+                    <ZoneRootAllowed>N</ZoneRootAllowed>
+                </FromDomain>
+                <FromPort type="PortField">
+                    <ValidationMessage>Please enter a valid 'from' port number.</ValidationMessage>
+                    <EnableWellKnown>Y</EnableWellKnown>
+                    <EnableRanges>N</EnableRanges>
+                </FromPort>
+                <accesslist type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.accesslist</items>
+                            <display>accesslistName</display>
+                        </reverseproxy>
+                    </Model>
+                </accesslist>
+                <basicauth type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.basicauth</items>
+                            <display>basicauthuser</display>
+                        </reverseproxy>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                </basicauth>
+                <description type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
+                </description>
+                <DynDns type="BooleanField">
+                    <Default>0</Default>
+                </DynDns>
+            </subdomain>
+            <handle type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <reverse type="ModelRelationField">
+                    <Required>Y</Required>
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.reverse</items>
+                            <display>description</display>
+                        </reverseproxy>
+                    </Model>
+                </reverse>
+                <subdomain type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.subdomain</items>
+                            <display>description</display>
+                        </reverseproxy>
+                    </Model>
+                </subdomain>
+                <HandleType type="OptionField">
+                    <Required>Y</Required>
+                    <Default>handle</Default>
+                    <OptionValues>
+                        <handle>handle</handle>
+                        <handle_path>handle_path</handle_path>
+                    </OptionValues>
+                </HandleType>
+                <HandlePath type="TextField">
+                    <Mask>/^(\/.*)?$/u</Mask>
+                    <ValidationMessage>Please enter a valid 'Handle Path' that starts with '/'.</ValidationMessage>
+                </HandlePath>
+                <ToDomain type="HostnameField">
+                    <Required>Y</Required>
+                    <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
+                    <IpAllowed>Y</IpAllowed>
+                </ToDomain>
+                <ToPort type="PortField">
+                    <ValidationMessage>Please enter a valid 'to' port number.</ValidationMessage>
+                    <EnableWellKnown>Y</EnableWellKnown>
+                    <EnableRanges>N</EnableRanges>
+                </ToPort>
+                <ToPath type="TextField">
+                    <Mask>/^(\/.*)?$/u</Mask>
+                    <ValidationMessage>Please enter a valid 'Backend Path' that starts with '/'.</ValidationMessage>
+                </ToPath>
+                <HttpTls type="BooleanField">
+                    <Default>0</Default>
+                </HttpTls>
+                <HttpNtlm type="BooleanField">
+                    <Default>0</Default>
+                </HttpNtlm>
+                <HttpTlsTrustedCaCerts type="CertificateField">
+                    <Type>ca</Type>
+                </HttpTlsTrustedCaCerts>
+                <HttpTlsServerName type="HostnameField">
+                    <ValidationMessage>Please enter a valid hostname or IP address.</ValidationMessage>
+                    <IpAllowed>Y</IpAllowed>
+                    <HostWildcardAllowed>Y</HostWildcardAllowed>
+                    <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
+                    <ZoneRootAllowed>N</ZoneRootAllowed>
+                </HttpTlsServerName>
+                <description type="TextField">
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
+                </description>
+            </handle>
+            <accesslist type="ArrayField">
+                <accesslistName type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_*-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                <ValidationMessage>Please provide a valid Access List Name.</ValidationMessage>
+                </accesslistName>
+                <clientIps type="NetworkField">
+                    <Required>Y</Required>
+                    <NetMaskAllowed>Y</NetMaskAllowed>
+                    <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
+                    <Strict>Y</Strict>
+                    <ValidationMessage>Please enter valid IP address(es) or network(s), separated by commas.</ValidationMessage>
+                </clientIps>
+                <accesslistInvert type="BooleanField">
+                    <Default>0</Default>
+                </accesslistInvert>
+                <description type="TextField">
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_*-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
+                </description>
+            </accesslist>
+            <basicauth type="ArrayField">
+                <basicauthuser type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^([0-9a-zA-Z]{2,72})$/u</Mask>
+                    <ValidationMessage>A user name must only contain numbers and letters and must be between 2 and 72 characters.</ValidationMessage>
+                </basicauthuser>
+                <basicauthpass type="UpdateOnlyTextField">
+                    <Required>Y</Required>
+                </basicauthpass>
+                <description type="TextField">
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
+                </description>
+            </basicauth>
+        </reverseproxy>
+    </items>
+</model>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
new file mode 100644
index 0000000000..60886d550e
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
@@ -0,0 +1,9 @@
+<menu>
+    <Services>
+        <Caddy VisibleName="Caddy Web Server" cssClass="fa fa-globe fa-fw">
+            <General VisibleName="General Settings" order="10" url="/ui/caddy/general"/>
+            <ReverseProxy VisibleName="Reverse Proxy" order="20" url="/ui/caddy/reverse_proxy"/>
+            <Log VisibleName="Log File" order="30" url="/ui/diagnostics/log/core/caddy"/>
+        </Caddy>
+    </Services>
+</menu>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
new file mode 100644
index 0000000000..a08a403b16
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
@@ -0,0 +1,80 @@
+<?php
+
+/*
+ *    Copyright (C) 2024 Cedrik Pischem
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Caddy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Config;
+
+class M1_1_3 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Load the current system configuration
+        $config = Config::getInstance()->object();
+
+        // Ensure there are reverse proxy configurations to process
+        if (!empty($config->Pischem->caddy->reverseproxy)) {
+        
+            // Loop through each reverse proxy configuration in the stored configuration config.xml
+            foreach ($config->Pischem->caddy->reverseproxy->children() as $configNode) {
+            
+                // Extract the UUID attribute to identify the configuration item
+                $uuid = (string)$configNode->attributes()->uuid;
+                
+                // Check if the current configuration item has a 'Description' to migrate
+                if (!empty($configNode->Description)) {
+                
+                    // Store the value of 'Description' for migration
+                    $descriptionValue = (string)$configNode->Description;
+
+                    // Attempt to locate the corresponding node in the model using the UUID
+                    $modelNode = null;
+                    
+                    // Retrieve reverse proxy items from the model for matching UUID
+                    $reverseProxies = $model->getNodeByReference('reverseproxy')->iterateItems();
+                    foreach ($reverseProxies as $item) {
+                        foreach ($item->iterateItems() as $modelUuid => $node) {
+                            if ($uuid === $modelUuid) {
+                                $modelNode = $node;
+                                break 2; // Break from both loops once the node is found
+                            }
+                        }
+                    }
+
+                    // If a matching node is found in the model, migrate the 'Description' value to 'description' value
+                    if ($modelNode !== null) {
+                        $modelNode->description = $descriptionValue;
+                    }
+                }
+            }
+        }
+
+        // Model is saved by 'run_migrations.php'
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
new file mode 100644
index 0000000000..0b07581a40
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -0,0 +1,194 @@
+{#
+ # Copyright (c) 2023-2024 Cedrik Pischem
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script type="text/javascript">
+    $(document).ready(function() {
+        var data_get_map = {'frm_GeneralSettings':"/api/caddy/General/get"};
+        mapDataToFormUI(data_get_map).done(function(data){
+            // console.log("Fetched data:", data); // Log the fetched data
+            var generalSettings = data.frm_GeneralSettings.caddy.general;
+
+            // Populate TlsAutoHttps dropdown
+            var tlsAutoHttpsSelect = $('#caddy\\.general\\.TlsAutoHttps');
+            tlsAutoHttpsSelect.empty(); // Clear existing options
+            $.each(generalSettings.TlsAutoHttps, function(key, option) {
+                if (key !== "") {  // Filter out the unwanted "None" option
+                    tlsAutoHttpsSelect.append(new Option(option.value, key, false, option.selected === 1));
+                }
+            });
+
+            // Populate TlsDnsProvider dropdown
+            var tlsDnsProviderSelect = $('#caddy\\.general\\.TlsDnsProvider');
+            tlsDnsProviderSelect.empty(); // Clear existing options
+            $.each(generalSettings.TlsDnsProvider, function(key, option) {
+                if (key !== "") {  // Filter out the unwanted "None" option
+                    tlsDnsProviderSelect.append(new Option(option.value, key, false, option.selected === 1));
+                }
+            });
+
+            // Populate Trusted Proxies dropdown
+            var accesslistSelect = $('#caddy\\.general\\.accesslist');
+            accesslistSelect.empty(); // Clear existing options
+            $.each(generalSettings.accesslist, function(key, option) {
+                accesslistSelect.append(new Option(option.value, key, false, option.selected === 1));
+            });
+
+            // Refresh selectpicker for these dropdowns
+            $('.selectpicker').selectpicker('refresh');
+
+            // Function to show alerts in the HTML message area
+            function showAlert(message, type = "error") {
+                var alertClass = type === "error" ? "alert-danger" : "alert-success";
+                var messageArea = $("#messageArea");
+
+                // Stop any current animation, clear the queue, and immediately hide the element
+                messageArea.stop(true, true).hide();
+
+                // Now set the class and message
+                messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
+
+                // Use fadeIn to make the message appear smoothly, then fadeOut after a delay
+                messageArea.fadeIn(500).delay(5000).fadeOut(500, function() {
+                    // Clear the message after fading out to ensure it's clean for the next message
+                    $(this).html('');
+                });
+            }
+
+            // Hide message area when starting new actions
+            $('input, select, textarea').on('change', function() {
+                $("#messageArea").hide();
+            });
+            
+            // Reconfigure the Caddy service, additional validation with a validation API is made beforehand
+            $("#reconfigureAct").SimpleActionButton({
+                onPreAction: function() {
+                    const dfObj = $.Deferred();
+
+                    // Directly proceed to validation
+                    $.ajax({
+                        url: "/api/caddy/service/validate",
+                        type: "GET",
+                        dataType: "json",
+                        success: function(data) {
+                            if (data && data['status'].toLowerCase() === 'ok') {
+                                // If configuration is valid, resolve the Deferred object to proceed
+                                dfObj.resolve();
+                            } else {
+                                // If configuration is invalid, show alert using showAlert
+                                showAlert(data['message'], "Validation Error");
+                                dfObj.reject();
+                            }
+                        },
+                        error: function(xhr, status, error) {
+                            // On AJAX error, show alert using showAlert
+                            showAlert("Validation request failed: " + error, "Validation Error");
+                            dfObj.reject();
+                        }
+                    });
+
+                    return dfObj.promise();
+                },
+                onAction: function(data, status) {
+                    if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
+                        // Configuration is valid and applied, possibly refresh UI or notify user
+                        showAlert("Configuration applied successfully.", "Apply Success");
+                        updateServiceControlUI('caddy');
+                    } else {
+                        // Handle errors or unsuccessful application
+                        showAlert("An error occurred while applying the configuration.", "Error");
+                    }
+                }
+            });
+
+            // Adding Save functionality, so saving can be done independantly from applying
+            $("#saveSettings").click(function() {
+                saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings', function() {
+                    // Callback function on successful save, optional
+                    showAlert("Configuration saved successfully. Please don't forget to apply the configuration.", "Save Successful");
+                }, function() {
+                    // Callback function on save failure
+                    showAlert("Failed to save configuration.", "Error");
+                });
+            });
+
+            // Initialize the service control UI for 'caddy'
+            updateServiceControlUI('caddy');
+
+        });
+    });
+</script>
+
+<!-- Tab Navigation -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#generalTab">General</a></li>
+    <li><a data-toggle="tab" href="#dnsProviderTab">DNS Provider</a></li>
+    <li><a data-toggle="tab" href="#dynamicDnsTab">Dynamic DNS</a></li>
+    <li><a data-toggle="tab" href="#logSettingsTab">Log Settings</a></li>
+</ul>
+
+<!-- Tab Content -->
+<div class="tab-content content-box">
+    <!-- General Tab -->
+    <div id="generalTab" class="tab-pane fade in active">
+        {{ partial("layout_partials/base_form", ['fields': generalForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
+    </div>
+    <!-- DNS Provider Tab -->
+    <div id="dnsProviderTab" class="tab-pane fade">
+        {{ partial("layout_partials/base_form", ['fields': dnsproviderForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
+    </div>
+    <!-- Dynamic DNS Tab -->
+    <div id="dynamicDnsTab" class="tab-pane fade">
+        {{ partial("layout_partials/base_form", ['fields': dynamicdnsForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
+    </div>
+    <!-- Log Settings Tab -->
+    <div id="logSettingsTab" class="tab-pane fade">
+        {{ partial("layout_partials/base_form", ['fields': logsettingsForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
+    </div>
+</div>
+
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <!-- Reconfigure Button with Pre-Action -->
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint="/api/caddy/service/reconfigure"
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring Caddy') }}"
+                    type="button"
+            ></button>
+            <button class="btn btn-primary" id="saveSettings"
+                    data-endpoint="/api/caddy/general/set"
+                    data-label="{{ lang._('Save') }}"
+                    type="button"
+                    style="margin-left: 2px;"
+            >{{ lang._('Save') }}</button>
+            <br/><br/>
+            <!-- Message Area for error/success messages -->
+        <div id="messageArea" class="alert alert-info" style="display: none;"></div>
+        </div>
+    </div>
+</section>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
new file mode 100644
index 0000000000..4c9750ee20
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -0,0 +1,351 @@
+{#
+ # Copyright (c) 2023-2024 Cedrik Pischem
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $(document).ready(function() {
+        $("#reverseProxyGrid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchReverseProxy/',
+            get:'/api/caddy/ReverseProxy/getReverseProxy/',
+            set:'/api/caddy/ReverseProxy/setReverseProxy/',
+            add:'/api/caddy/ReverseProxy/addReverseProxy/',
+            del:'/api/caddy/ReverseProxy/delReverseProxy/',
+            toggle:'/api/caddy/ReverseProxy/toggleReverseProxy/',
+        });
+
+        $("#reverseSubdomainGrid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchSubdomain/',
+            get:'/api/caddy/ReverseProxy/getSubdomain/',
+            set:'/api/caddy/ReverseProxy/setSubdomain/',
+            add:'/api/caddy/ReverseProxy/addSubdomain/',
+            del:'/api/caddy/ReverseProxy/delSubdomain/',
+            toggle:'/api/caddy/ReverseProxy/toggleSubdomain/',
+        });
+
+        $("#reverseHandleGrid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchHandle/',
+            get:'/api/caddy/ReverseProxy/getHandle/',
+            set:'/api/caddy/ReverseProxy/setHandle/',
+            add:'/api/caddy/ReverseProxy/addHandle/',
+            del:'/api/caddy/ReverseProxy/delHandle/',
+            toggle:'/api/caddy/ReverseProxy/toggleHandle/',
+        });
+        
+        $("#accessListGrid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchAccessList/',
+            get:'/api/caddy/ReverseProxy/getAccessList/',
+            set:'/api/caddy/ReverseProxy/setAccessList/',
+            add:'/api/caddy/ReverseProxy/addAccessList/',
+            del:'/api/caddy/ReverseProxy/delAccessList/',
+        });
+        
+        $("#basicAuthGrid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchBasicAuth/',
+            get:'/api/caddy/ReverseProxy/getBasicAuth/',
+            set:'/api/caddy/ReverseProxy/setBasicAuth/',
+            add:'/api/caddy/ReverseProxy/addBasicAuth/',
+            del:'/api/caddy/ReverseProxy/delBasicAuth/',
+        });
+
+        // Function to show alerts in the HTML message area
+        function showAlert(message, type = "error") {
+            var alertClass = type === "error" ? "alert-danger" : "alert-success";
+            var messageArea = $("#messageArea");
+
+            // Stop any current animation, clear the queue, and immediately hide the element
+            messageArea.stop(true, true).hide();
+
+            // Now set the class and message
+            messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
+
+            // Use fadeIn to make the message appear smoothly, then fadeOut after a delay
+            messageArea.fadeIn(500).delay(5000).fadeOut(500, function() {
+                // Clear the message after fading out to ensure it's clean for the next message
+                $(this).html('');
+            });
+        }
+
+        // Hide message area when starting new actions
+        $('input, select, textarea').on('change', function() {
+            $("#messageArea").hide();
+        });        
+
+        // Adjusting the Reconfigure button to include validation in onPreAction
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+
+                // Perform configuration validation
+                $.ajax({
+                    url: "/api/caddy/service/validate",
+                    type: "GET",
+                    dataType: "json",
+                    success: function(data) {
+                        if (data && data['status'].toLowerCase() === 'ok') {
+                            // If configuration is valid, resolve the Deferred object to proceed
+                            dfObj.resolve();
+                        } else {
+                            // If configuration is invalid, show alert and reject the Deferred object
+                            showAlert(data['message'], "Validation Failed");
+                            dfObj.reject();
+                        }
+                    },
+                    error: function(xhr, status, error) {
+                        // On AJAX error, show alert and reject the Deferred object
+                        showAlert("Validation request failed: " + error, "Error");
+                        dfObj.reject();
+                    }
+                });
+
+                return dfObj.promise();
+            },
+            onAction: function(data, status) {
+                // Check if the action was successful
+                if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
+                    // Update only the service control UI for 'caddy'
+                    showAlert("Configuration applied successfully.", "Apply Success");
+                    updateServiceControlUI('caddy');
+                } else {
+                    console.error("Action was not successful or an error occurred:", data);
+                }
+            }
+        });
+
+        // Initialize the service control UI for 'caddy'
+        updateServiceControlUI('caddy');
+
+    });
+</script>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#domainsTab">Domains</a></li>
+    <li><a data-toggle="tab" href="#handlesTab">Handlers</a></li>
+    <li><a data-toggle="tab" href="#accessTab">Access</a></li>
+</ul>
+
+<div class="tab-content content-box">
+
+    <!-- Reverse Proxy Tab -->
+    <div id="domainsTab" class="tab-pane fade in active">
+        <div style="padding-left: 16px;">
+            <!-- Reverse Proxy -->
+            <h1>Domains</h1>
+            <div style="display: block;"> <!-- Common container -->
+                <table id="reverseProxyGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogReverseProxy" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
+                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">Enabled</th>
+                            <th data-column-id="FromDomain" data-type="string">Domain</th>
+                            <th data-column-id="FromPort" data-type="string">Port</th>
+                            <th data-column-id="accesslist" data-type="string" data-visible="false">Access List</th>
+                            <th data-column-id="basicauth" data-type="string" data-visible="false">Basic Auth</th>
+                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">DNS-01</th>
+                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">Dynamic DNS</th>
+                            <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">HTTP Access Log</th>
+                            <th data-column-id="CustomCertificate" data-type="string" data-visible="false">Custom Certificate</th>
+                            <th data-column-id="description" data-type="string">Description</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addReverseProxyBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+        <div style="padding-left: 16px;">
+            <!-- Subdomains -->
+            <h1>Subdomains</h1>
+            <div style="display: block;"> <!-- Common container -->
+                <table id="reverseSubdomainGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogSubdomain" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
+                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">Enabled</th>
+                            <th data-column-id="reverse" data-type="string">Domain</th>
+                            <th data-column-id="FromDomain" data-type="string">Subdomain</th>
+                            <th data-column-id="FromPort" data-type="string">Port</th>
+                            <th data-column-id="accesslist" data-type="string" data-visible="false">Access List</th>
+                            <th data-column-id="basicauth" data-type="string" data-visible="false">Basic Auth</th>
+                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">Dynamic DNS</th>
+                            <th data-column-id="description" data-type="string">Description</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addSubdomainBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+    </div>
+
+    <!-- Handle Tab -->
+    <div id="handlesTab" class="tab-pane fade">
+        <div style="padding-left: 16px;">
+            <h1>Handlers</h1>
+            <div style="display: block;"> <!-- Common container -->
+                <table id="reverseHandleGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHandle" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
+                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">Enabled</th>
+                            <th data-column-id="reverse" data-type="string">Domain</th>
+                            <th data-column-id="subdomain" data-type="string">Subdomain</th>
+                            <th data-column-id="HandleType" data-type="string" data-visible="false">Handle Type</th>
+                            <th data-column-id="HandlePath" data-type="string">Handle Path</th>
+                            <th data-column-id="ToDomain" data-type="string">Backend Domain</th>
+                            <th data-column-id="ToPort" data-type="string">Backend Port</th>
+                            <th data-column-id="ToPath" data-type="string" data-visible="false">Backend Path</th>
+                            <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">TLS</th>
+                            <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">TLS CA</th>
+                            <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">TLS Server Name</th>
+                            <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">NTLM</th>
+                            <th data-column-id="description" data-type="string">Description</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addReverseHandleBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+    </div>
+    
+    <!-- New Combined Access Tab -->
+    <div id="accessTab" class="tab-pane fade">
+        <!-- Access Lists Section -->
+        <div style="padding-left: 16px;">
+            <h1>Access Lists</h1>
+            <div style="display: block;">
+                <table id="accessListGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogAccessList" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
+                            <th data-column-id="accesslistName" data-type="string">Name</th>
+                            <th data-column-id="clientIps" data-type="string">Client IPs</th>
+                            <th data-column-id="accesslistInvert" data-type="boolean" data-formatter="boolean">Invert</th>
+                            <th data-column-id="description" data-type="string">Description</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addAccessListBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+
+        <!-- Basic Auth Section -->
+        <div style="padding-left: 16px;">
+            <h1>Basic Auth</h1>
+            <div style="display: block;">
+                <table id="basicAuthGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogBasicAuth" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
+                            <th data-column-id="basicauthuser" data-type="string">User</th>
+                            <th data-column-id="description" data-type="string">Description</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addBasicAuthBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+    </div>
+</div>
+
+<!-- Reconfigure Button -->
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint="/api/caddy/service/reconfigure"
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring Caddy') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+            <!-- Message Area for error/success messages -->
+            <div id="messageArea" class="alert alert-info" style="display: none;"></div>
+            <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
+            <div id="ConfigurationChangeMessage" class="alert alert-info" style="display: none;">
+            Please don't forget to apply the configuration.
+            </div>
+        </div>
+    </div>
+</section>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':'DialogReverseProxy','label':lang._('Edit Reverse Proxy Domain')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':'DialogSubdomain','label':lang._('Edit Reverse Proxy Subdomain')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit Handler')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
new file mode 100755
index 0000000000..df8550d337
--- /dev/null
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -0,0 +1,86 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2015 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+
+use OPNsense\Core\Config;
+
+$configObj = Config::getInstance()->object();
+$temp_dir = '/usr/local/etc/caddy/certificates/temp/';
+
+function extract_and_save_certificates($configObj, $temp_dir) {
+    // Traverse through certificates
+    foreach ($configObj->cert as $cert) {
+        $cert_refid = (string)$cert->refid;
+        $cert_content = base64_decode((string)$cert->crt);
+        $key_content = base64_decode((string)$cert->prv);
+        $cert_chain = $cert_content;
+
+        // Handle CA and possible intermediate CA to create a certificate bundle
+        if (!empty($cert->caref)) {
+            foreach ($configObj->ca as $ca) {
+                if ((string)$cert->caref == (string)$ca->refid) {
+                    $ca_content = base64_decode((string)$ca->crt);
+                    $cert_chain .= "\n" . $ca_content;
+
+                    if (!empty($ca->caref)) {
+                        foreach ($configObj->ca as $parent_ca) {
+                            if ((string)$ca->caref == (string)$parent_ca->refid) {
+                                $parent_ca_content = base64_decode((string)$parent_ca->crt);
+                                $cert_chain .= "\n" . $parent_ca_content;
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        // Save the certificate chain and private key
+        file_put_contents($temp_dir . $cert_refid . '.pem', $cert_chain);
+        chmod($temp_dir . $cert_refid . '.pem', 0600);
+        file_put_contents($temp_dir . $cert_refid . '.key', $key_content);
+        chmod($temp_dir . $cert_refid . '.key', 0600);
+    }
+
+    // Traverse through CA certificates and save them
+    foreach ($configObj->ca as $ca) {
+        $ca_refid = (string)$ca->refid;
+        $ca_content = base64_decode((string)$ca->crt);
+
+        // Save the CA certificate
+        file_put_contents($temp_dir . $ca_refid . '.pem', $ca_content);
+        chmod($temp_dir . $ca_refid . '.pem', 0600);
+    }
+}
+
+extract_and_save_certificates($configObj, $temp_dir);
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
new file mode 100755
index 0000000000..2fc795ab44
--- /dev/null
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
@@ -0,0 +1,80 @@
+#!/usr/local/bin/python3
+
+#
+# Copyright (c) 2023-2024 Cedrik Pischem
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+#    this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+import subprocess
+import json
+import sys
+
+def run_service_command(action, action_message):
+    result = {"message": action_message}
+    
+    if action == "validate":
+        try:
+            # Call Setup script
+            subprocess.run(["/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"], check=True)
+            # Validate the Caddyfile with explicit --config flag, capturing both stdout and stderr
+            validation_output = subprocess.check_output(["caddy", "validate", "--config", "/usr/local/etc/caddy/Caddyfile"], stderr=subprocess.STDOUT, text=True)
+            if "Valid configuration" in validation_output:
+                result["status"] = "ok"
+                result["message"] = "Caddy configuration is valid."
+            else:
+                # Search for the specific error message
+                error_msg = next((line for line in validation_output.split('\n') if line.startswith("Error:")), "Caddy configuration is not valid.")
+                result["status"] = "failed"
+                result["message"] = error_msg
+        except subprocess.CalledProcessError as e:
+            # Extracting only the specific "Error: ..." line from the output
+            error_msg = next((line for line in e.output.split('\n') if line.startswith("Error:")), "Validation failed.")
+            result["status"] = "failed"
+            result["message"] = error_msg
+    else:
+        try:
+            subprocess.run(["service", "caddy", action], check=True)
+            result["status"] = "ok"
+        except subprocess.CalledProcessError as e:
+            result["status"] = "failed"
+            result["message"] = str(e)
+
+    return json.dumps(result)
+
+# Updated actions dictionary
+actions = {
+    "start": "onestart",
+    "stop": "onestop",
+    "restart": "onerestart",
+    "validate": "validate"  # Validate action
+}
+
+if __name__ == "__main__":
+    action = sys.argv[1]  # Get the action from the command-line argument
+    if action in actions:
+        service_action = actions[action]
+        message = f"{action.capitalize()}ing Caddy service" if action != "validate" else "Validating Caddy configuration"
+        print(run_service_command(service_action, message))
+    else:
+        print(json.dumps({"status": "failed", "message": f"Unknown action: {action}"}))
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
new file mode 100755
index 0000000000..6ee35ebb7b
--- /dev/null
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Define directories
+CADDY_DIR="/usr/local/etc/caddy"
+CADDY_ACME_DIR="${CADDY_DIR}/acme"
+CADDY_CERTS_DIR="${CADDY_DIR}/certificates/temp"
+CADDY_OCSP_DIR="${CADDY_DIR}/ocsp"
+CADDY_LOCKS_DIR="${CADDY_DIR}/locks"
+CADDY_LOG_DIR="/var/log/caddy/access"
+CADDY_CONF_DIR="${CADDY_DIR}/caddy.d"
+
+# Create Caddy configuration directories with appropriate permissions
+mkdir -p "${CADDY_DIR}"
+mkdir -p "${CADDY_ACME_DIR}"
+mkdir -p "${CADDY_CERTS_DIR}"
+mkdir -p "${CADDY_OCSP_DIR}"
+mkdir -p "${CADDY_LOCKS_DIR}"
+mkdir -p "${CADDY_CONF_DIR}"
+
+# Set permissions for Caddy configuration directories
+chown -R root:wheel "${CADDY_DIR}"
+chmod -R 750 "${CADDY_DIR}"
+
+# Create Caddy log directory
+mkdir -p "${CADDY_LOG_DIR}"
+
+# Set permissions for Caddy log directory
+chown -R root:wheel "${CADDY_LOG_DIR}"
+chmod -R 750 "${CADDY_LOG_DIR}"
+
+# Format and overwrite the Caddyfile
+(cd "${CADDY_DIR}" && /usr/local/bin/caddy fmt --overwrite)
+
+# Write custom certs from the OPNsense Trust Store into a directory where Caddy can read them
+/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+
+# Optional Debug message
+# echo "Caddy installation completed. All caddy directories and files created successfully."
diff --git a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
new file mode 100644
index 0000000000..764809f8e8
--- /dev/null
+++ b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
@@ -0,0 +1,29 @@
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py start
+parameters:
+type:script
+message:Starting Caddy service
+
+[stop]
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py stop
+parameters:
+type:script
+message:Stopping Caddy service
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py restart
+parameters:
+type:script
+message:Reloading Caddy configuration
+
+[validate]
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py validate
+parameters:
+type:script_output
+message:Validating Caddy configuration
+
+[status]
+command:/usr/local/sbin/pluginctl -s caddy status
+parameters:
+type:script_output
+message:Request Caddy status
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/+TARGETS b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/+TARGETS
new file mode 100644
index 0000000000..194242c0ab
--- /dev/null
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/+TARGETS
@@ -0,0 +1,2 @@
+Caddyfile:/usr/local/etc/caddy/Caddyfile
+rc.conf.d/caddy:/etc/rc.conf.d/caddy
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
new file mode 100644
index 0000000000..95892a5908
--- /dev/null
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -0,0 +1,573 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+
+{% set generalSettings = helpers.getNodeByTag('Pischem.caddy.general') %}
+
+# Global Options
+{
+    storage file_system {
+        root /usr/local/etc/caddy
+    }
+    log {
+        {% if generalSettings.LogAccessPlain|default("0") == "0" %}
+        {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
+        {% if reverse.enabled|default("0") == "1" and reverse.AccessLog|default("0") == "1" %}
+        include http.log.access.{{ reverse['@uuid'] }}
+        {% endif %}
+        {% endfor %}
+        {% endif %}
+        output net unixgram//var/caddy/var/run/log {
+        }
+        format json {
+            time_format rfc3339
+        }
+    }
+
+    {% set accessListUuid = generalSettings.accesslist %}
+    {% set logCredentials = generalSettings.LogCredentials %}
+
+    {% set hasAccessList = false %}
+    {% set hasLogCredentials = false %}
+
+    {% if accessListUuid %}
+        {% set accessList = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', accessListUuid) | first %}
+        {% if accessList %}
+            {% set hasAccessList = true %}
+        {% endif %}
+    {% endif %}
+
+    {% if logCredentials == '1' %}
+        {% set hasLogCredentials = true %}
+    {% endif %}
+
+    {% if hasAccessList or hasLogCredentials %}
+    servers {
+        {% if hasAccessList %}
+        trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
+        {% endif %}
+        {% if hasLogCredentials %}
+        log_credentials
+        {% endif %}
+    }
+    {% endif %}
+
+    {% set dnsProvider = helpers.toList('Pischem.caddy.general.TlsDnsProvider') | first %}
+    {% set dnsApiKey = generalSettings.TlsDnsApiKey %}
+    {% set dnsSecretApiKey = generalSettings.TlsDnsSecretApiKey %}
+    {% set dnsOptionalField1 = generalSettings.TlsDnsOptionalField1 %}
+    {% set dnsOptionalField2 = generalSettings.TlsDnsOptionalField2 %}
+    {% set dnsOptionalField3 = generalSettings.TlsDnsOptionalField3 %}
+    {% set dnsOptionalField4 = generalSettings.TlsDnsOptionalField4 %}
+    {% set dnsOptionalField5 = generalSettings.TlsDnsOptionalField5 %}
+    {% set dnsOptionalField6 = generalSettings.TlsDnsOptionalField6 %}
+    {% set dynDnsSimpleHttp = generalSettings.DynDnsSimpleHttp %}
+    {% set dynDnsInterface = generalSettings.DynDnsInterface %}
+    {% set dynDnsCheckInterval = generalSettings.DynDnsCheckInterval %}
+    {% set dynDnsIpVersions = generalSettings.DynDnsIpVersions %}
+    {% set dynDnsTTL = generalSettings.DynDnsTTL %}
+    {% set dynDnsDomains = [] %}
+
+    {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
+        {% if reverse.enabled|default("0") == "1" and reverse.DynDns|default("0") == "1" %}
+            {% set cleanedDomain = reverse.FromDomain | replace("*.","") %}
+            {% do dynDnsDomains.append(cleanedDomain + " @") %}
+        {% endif %}
+
+        {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
+            {% if subdomain.enabled|default("0") == "1" and subdomain.DynDns|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
+                {% set fullSubdomain = subdomain.FromDomain %}
+                {% set baseDomain = fullSubdomain.split('.')[1:] | join('.') %}
+                {% set subDomainPart = fullSubdomain.split('.')[0] %}
+                {% set subdomainEntry = baseDomain + " " + subDomainPart %}
+                {% do dynDnsDomains.append(subdomainEntry) %}
+            {% endif %}
+        {% endfor %}
+    {% endfor %}
+
+    {% if dnsProvider and dnsProvider != "none" and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
+        dynamic_dns {
+            {% if dnsProvider in ['porkbun', 'desec', 'route53', 'alidns', 'googleclouddns', 'azure', 'openstack-designate', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
+                provider {{ dnsProvider }} {
+                    {% if dnsProvider == 'porkbun' %}
+                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_secret_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'desec' %}
+                        {% if dnsApiKey %}token {{ dnsApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'route53' %}
+                        {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}max_retries {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}aws_profile {{ dnsOptionalField2 }}
+                        {% endif %}
+                        {% if dnsOptionalField3 %}region {{ dnsOptionalField3 }}
+                        {% endif %}
+                        {% if dnsOptionalField4 %}token {{ dnsOptionalField4 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'alidns' %}
+                        {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}access_key_secret {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'googleclouddns' %}
+                        {% if dnsApiKey %}gcp_project {{ dnsApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'azure' %}
+                        {% if dnsApiKey %}tenant_id {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}client_id {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}client_secret {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}subscription_id {{ dnsOptionalField2 }}
+                        {% endif %}
+                        {% if dnsOptionalField3 %}resource_group_name {{ dnsOptionalField3 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'openstack-designate' %}
+                        {% if dnsApiKey %}region_name {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}tenant_id {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}identity_api_version {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}password {{ dnsOptionalField2 }}
+                        {% endif %}
+                        {% if dnsOptionalField3 %}username {{ dnsOptionalField3 }}
+                        {% endif %}
+                        {% if dnsOptionalField4 %}tenant_name {{ dnsOptionalField4 }}
+                        {% endif %}
+                        {% if dnsOptionalField5 %}auth_url {{ dnsOptionalField5 }}
+                        {% endif %}
+                        {% if dnsOptionalField6 %}endpoint_type {{ dnsOptionalField6 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'ovh' %}
+                        {% if dnsApiKey %}endpoint {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}application_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}application_secret {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}consumer_key {{ dnsOptionalField2 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'namecheap' %}
+                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}client_ip {{ dnsOptionalField2 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'powerdns' %}
+                        {% if dnsApiKey %}server_url {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_token {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'ddnss' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}username {{ dnsSecretApiKey }}
+                        {% endif %}
+                        password {{ dnsOptionalField1 }}
+                    {% elif dnsProvider == 'linode' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_url {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_version {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'tencentcloud' %}
+                        {% if dnsApiKey %}secret_id {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'dinahosting' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'hexonet' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'mailinabox' %}
+                        {% if dnsApiKey %}api_url {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}email_address {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}password {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% endif %}
+                }
+            {% elif dnsProvider in ['metaname'] %}
+                provider {{ dnsProvider }} {{ dnsApiKey }} {{ dnsSecretApiKey }}
+            {% else %}
+                provider {{ dnsProvider }} {{ dnsApiKey }}
+            {% endif %}
+            domains {
+                {% for domain in dynDnsDomains %}
+                {{ domain }}
+                {% endfor %}
+            }
+        {% if dynDnsSimpleHttp %}
+        ip_source simple_http {{ dynDnsSimpleHttp }}
+        {% endif %}
+        {% if dynDnsInterface %}
+            {% set physicalInterfaceNames = [] %}
+            {% for intfName in dynDnsInterface.split(',') %}
+                {% do physicalInterfaceNames.append(helpers.physical_interface(intfName)) %}
+            {% endfor %}
+            ip_source interface {{ physicalInterfaceNames | join(',') }}
+        {% endif %}
+        {% if dynDnsCheckInterval %}
+        check_interval {{ dynDnsCheckInterval }}m
+        {% endif %}
+        {% if dynDnsIpVersions %}
+        versions {{ dynDnsIpVersions }}
+        {% endif %}
+        {% if dynDnsTTL %}
+        ttl {{ dynDnsTTL }}h
+        {% endif %}
+    }
+    {% endif %}
+
+    {% set emailValue = helpers.toList('Pischem.caddy.general.TlsEmail') | first %}
+    {% if emailValue %}
+    email {{ emailValue }}
+    {% endif %}
+    {% set autoHttpsValue = helpers.toList('Pischem.caddy.general.TlsAutoHttps') | first %}
+    {% if autoHttpsValue != "on" %}
+    auto_https {{ autoHttpsValue }}
+    {% endif %}
+    import /usr/local/etc/caddy/caddy.d/*.global
+}
+
+# Reverse Proxy Configuration
+{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsOptionalField5, TlsDnsOptionalField6) %}
+    {% if dnsChallenge == "1" and dnsProvider and dnsProvider != "none" %}
+        {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'alidns', 'googleclouddns', 'azure', 'openstack-designate', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
+            tls {
+                dns {{ dnsProvider }} {
+                    {% if dnsProvider == 'duckdns' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}override_domain {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'porkbun' %}
+                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_secret_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'desec' %}
+                        {% if dnsApiKey %}token {{ dnsApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'route53' %}
+                        {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}max_retries {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}aws_profile {{ dnsOptionalField2 }}
+                        {% endif %}
+                        {% if dnsOptionalField3 %}region {{ dnsOptionalField3 }}
+                        {% endif %}
+                        {% if dnsOptionalField4 %}token {{ dnsOptionalField4 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'acmedns' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}subdomain {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}server_url {{ dnsOptionalField2 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'alidns' %}
+                        {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}access_key_secret {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'googleclouddns' %}
+                        {% if dnsApiKey %}gcp_project {{ dnsApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'azure' %}
+                        {% if dnsApiKey %}tenant_id {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}client_id {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}client_secret {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}subscription_id {{ dnsOptionalField2 }}
+                        {% endif %}
+                        {% if dnsOptionalField3 %}resource_group_name {{ dnsOptionalField3 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'openstack-designate' %}
+                        {% if dnsApiKey %}region_name {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}tenant_id {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}identity_api_version {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}password {{ dnsOptionalField2 }}
+                        {% endif %}
+                        {% if dnsOptionalField3 %}username {{ dnsOptionalField3 }}
+                        {% endif %}
+                        {% if dnsOptionalField4 %}tenant_name {{ dnsOptionalField4 }}
+                        {% endif %}
+                        {% if dnsOptionalField5 %}auth_url {{ dnsOptionalField5 }}
+                        {% endif %}
+                        {% if dnsOptionalField6 %}endpoint_type {{ dnsOptionalField6 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'ovh' %}
+                        {% if dnsApiKey %}endpoint {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}application_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}application_secret {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}consumer_key {{ dnsOptionalField2 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'namecheap' %}
+                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}client_ip {{ dnsOptionalField2 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'powerdns' %}
+                        {% if dnsApiKey %}server_url {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_token {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'ddnss' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}username {{ dnsSecretApiKey }}
+                        {% endif %}
+                        password {{ dnsOptionalField1 }}
+                    {% elif dnsProvider == 'linode' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_url {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_version {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'tencentcloud' %}
+                        {% if dnsApiKey %}secret_id {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'dinahosting' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'hexonet' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'mailinabox' %}
+                        {% if dnsApiKey %}api_url {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}email_address {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}password {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% endif %}
+                }
+            }
+        {% elif dnsProvider in ['metaname'] %}
+            tls {
+                dns {{ dnsProvider }} {{ dnsApiKey }} {{ dnsSecretApiKey }}
+            }
+        {% else %}
+            tls {
+                dns {{ dnsProvider }} {{ dnsApiKey }}
+            }
+        {% endif %}
+    {% endif %}
+    {% if customCert %}
+        tls /usr/local/etc/caddy/certificates/temp/{{ customCert }}.pem /usr/local/etc/caddy/certificates/temp/{{ customCert }}.key
+    {% endif %}
+{% endmacro %}
+
+{% macro reverse_proxy_configuration(handle) %}
+    {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
+        {% if handle.ToPath|default("") != "" %}
+        rewrite * {{ handle.ToPath }}{uri}
+        {% endif %}
+        reverse_proxy {{ handle.ToDomain }}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %} {
+            {% if handle.HttpTls|default("0") == "1" %}
+            {% if handle.HttpNtlm|default("0") == "1" %}
+            transport http_ntlm {
+                tls
+                {% if handle.HttpTlsTrustedCaCerts %}
+                tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                {% endif %}
+                {% if handle.HttpTlsServerName %}
+                tls_server_name {{ handle.HttpTlsServerName }}
+                {% endif %}
+            }
+            {% else %}
+            transport http {
+                tls
+                {% if handle.HttpTlsTrustedCaCerts %}
+                tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                {% endif %}
+                {% if handle.HttpTlsServerName %}
+                tls_server_name {{ handle.HttpTlsServerName }}
+                {% endif %}
+            }
+            {% endif %}
+            {% endif %}
+        }
+    }
+{% endmacro %}
+
+{% macro access_list_configuration(accesslist, invert) %}
+    {% set client_ips = accesslist.clientIps.split(',') %}
+    {% set client_ips_space_separated = client_ips | join(' ') %}
+    @{{ accesslist['@uuid'] }} {
+        {{ 'not' if invert else '' }} client_ip {{ client_ips_space_separated }}
+    }
+{% endmacro %}
+
+{% macro basicauth_configuration(basicauth_uuids) %}
+    {% if basicauth_uuids %}
+    basicauth {
+        {% for uuid in basicauth_uuids.split(',') %}
+            {% set basicauth = helpers.toList('Pischem.caddy.reverseproxy.basicauth') | selectattr('@uuid', 'equalto', uuid) | first %}
+            {% if basicauth %}
+                {{ basicauth.basicauthuser }} {{ basicauth.basicauthpass }}
+            {% endif %}
+        {% endfor %}
+    }
+    {% endif %}
+{% endmacro %}
+
+{% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
+{% if reverse.enabled|default("0") == "1" %}
+# Reverse Proxy Domain: "{{ reverse['@uuid'] }}"
+{{ reverse.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
+    {% if reverse.AccessLog|default("0") == "1" %}
+    {% if generalSettings.LogAccessPlain|default("0") == "0" %}
+    log {{ reverse['@uuid'] }}
+    {% else %}
+    log {
+        output file /var/log/caddy/access/{{ reverse['@uuid'] }}.log {
+            roll_keep_for {{ generalSettings.LogAccessPlainKeep|default("10") }}d
+        }        
+    }
+    {% endif %}
+    {% endif %}
+    {% set customCert = reverse.CustomCertificate|default("") %}
+    {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
+    {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsOptionalField5, TlsDnsOptionalField6) }}
+    
+    {% if not reverse.accesslist %}
+        {% set basicauth_uuids = reverse.basicauth %}
+        {{ basicauth_configuration(basicauth_uuids) }}
+    {% endif %}
+    
+    {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
+    {% if subdomain.enabled|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
+    @{{ subdomain['@uuid'] }} {
+        host {{ subdomain.FromDomain }}{% if subdomain.FromPort %}:{{ subdomain.FromPort }}{% endif %}
+    }
+    handle @{{ subdomain['@uuid'] }} {
+    
+        {% if not subdomain.accesslist %}
+            {% set subdomain_basicauth_uuids = subdomain.basicauth %}
+            {{ basicauth_configuration(subdomain_basicauth_uuids) }}
+        {% endif %}
+    
+        {% if subdomain.accesslist %}
+        {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', subdomain.accesslist) | first %}
+        {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
+        handle @{{ accesslist['@uuid'] }} {
+        
+            {% set subdomain_basicauth_uuids = subdomain.basicauth %}
+            {{ basicauth_configuration(subdomain_basicauth_uuids) }}
+        
+            {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
+            {% for handle in subdomain_handles %}
+            {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+                {{ reverse_proxy_configuration(handle) }}
+            {% endif %}
+            {% endfor %}
+            {% for handle in subdomain_handles %}
+            {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+                {{ reverse_proxy_configuration(handle) }}
+            {% endif %}
+            {% endfor %}
+        }
+        {% else %}
+        {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
+        {% for handle in subdomain_handles %}
+        {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+            {{ reverse_proxy_configuration(handle) }}
+        {% endif %}
+        {% endfor %}
+        {% for handle in subdomain_handles %}
+        {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+            {{ reverse_proxy_configuration(handle) }}
+        {% endif %}
+        {% endfor %}
+        {% endif %}
+        {% if Pischem.caddy.general.abort|default("0") == "1" %}
+        abort
+        {% endif %}
+    }
+    {% endif %}
+    {% endfor %}
+
+    {% if reverse.accesslist %}
+    {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
+    {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
+    handle @{{ accesslist['@uuid'] }} {
+    
+        {% set basicauth_uuids = reverse.basicauth %}
+        {{ basicauth_configuration(basicauth_uuids) }}
+    
+        {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
+        {% for handle in wildcard_handles %}
+        {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+            {{ reverse_proxy_configuration(handle) }}
+        {% endif %}
+        {% endfor %}
+        {% for handle in wildcard_handles %}
+        {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+            {{ reverse_proxy_configuration(handle) }}
+        {% endif %}
+        {% endfor %}
+    }
+    {% else %}
+    {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
+    {% for handle in wildcard_handles %}
+    {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+        {{ reverse_proxy_configuration(handle) }}
+    {% endif %}
+    {% endfor %}
+    {% for handle in wildcard_handles %}
+    {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+        {{ reverse_proxy_configuration(handle) }}
+    {% endif %}
+    {% endfor %}
+    {% endif %}
+    {% if Pischem.caddy.general.abort|default("0") == "1" %}
+    abort
+    {% endif %}
+}
+{% endif %}
+{% endfor %}
+
+import /usr/local/etc/caddy/caddy.d/*.conf
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
new file mode 100644
index 0000000000..503f7da6f0
--- /dev/null
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
@@ -0,0 +1,13 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+{% if helpers.exists('Pischem.caddy.general.enabled') %}
+    {%- set general_enabled = helpers.toList('Pischem.caddy.general.enabled') | first %}
+    {%- if general_enabled == '1' %}
+caddy_enable="YES"
+# Path to the Caddy setup script
+caddy_setup="/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"
+    {%- else %}
+caddy_enable="NO"
+    {%- endif %}
+{%- else %}
+caddy_enable="NO"
+{% endif %}

From 518e1fbd3efdc76cfefbbf37e5cc2ea90b2b32b2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 8 Mar 2024 12:55:12 +0100
Subject: [PATCH 1811/3088] www/caddy: a quick whitespace sweep (no functional
 changes)

---
 www/caddy/Makefile                             | 12 ++++++------
 www/caddy/README.md                            | 16 ++++++++--------
 www/caddy/pkg-descr                            |  6 +++---
 .../OPNsense/Caddy/Api/GeneralController.php   |  2 +-
 .../Caddy/Api/ReverseProxyController.php       | 10 +++++-----
 .../OPNsense/Caddy/forms/dynamicdns.xml        |  2 +-
 .../OPNsense/Caddy/Migrations/M1_1_3.php       | 10 +++++-----
 .../mvc/app/views/OPNsense/Caddy/general.volt  |  2 +-
 .../views/OPNsense/Caddy/reverse_proxy.volt    |  8 ++++----
 .../scripts/OPNsense/Caddy/caddy_control.py    |  2 +-
 .../service/templates/OPNsense/Caddy/Caddyfile | 18 +++++++++---------
 11 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 31f2035bdd..7059ebe9dc 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,8 +1,8 @@
-PLUGIN_NAME=            caddy
-PLUGIN_VERSION=         1.5.1
-PLUGIN_REVISION=        2
-PLUGIN_DEPENDS=         caddy-custom
-PLUGIN_COMMENT=         Easy to configure Reverse Proxy based on Caddy with Automatic HTTPS and Dynamic DNS	 
-PLUGIN_MAINTAINER=      cedrik@pischem.com
+PLUGIN_NAME=		caddy
+PLUGIN_VERSION=		1.5.1
+PLUGIN_REVISION=	2
+PLUGIN_DEPENDS=		caddy-custom
+PLUGIN_COMMENT=		Easy to configure Reverse Proxy based on Caddy with Automatic HTTPS and Dynamic DNS
+PLUGIN_MAINTAINER=	cedrik@pischem.com
 
 .include "../../Mk/plugins.mk"
diff --git a/www/caddy/README.md b/www/caddy/README.md
index a1ba325cb5..3dbfc9571a 100644
--- a/www/caddy/README.md
+++ b/www/caddy/README.md
@@ -21,8 +21,8 @@
 
 ## License
 
-- This project is licensed under the BSD 2-Clause "Simplified" license. See the LICENSE file for details. 
-- Caddy is licensed under the Apache License, Version 2.0. 
+- This project is licensed under the BSD 2-Clause "Simplified" license. See the LICENSE file for details.
+- Caddy is licensed under the Apache License, Version 2.0.
 - OPNsense is licensed under the BSD 2-Clause “Simplified” license.
 
 ## Acknowledgments
@@ -38,7 +38,7 @@
 ## Prepare Caddy for use after the installation
 
 **Attention**, additional preparation of OPNsense needed:
-- Make sure that port `80` and `443` aren't occupied. You have to change the default listen port to `8443` for example. Go to `System: Settings: Administration` to change the `TCP Port`. Then also enable `HTTP Redirect - Disable web GUI redirect rule`. 
+- Make sure that port `80` and `443` aren't occupied. You have to change the default listen port to `8443` for example. Go to `System: Settings: Administration` to change the `TCP Port`. Then also enable `HTTP Redirect - Disable web GUI redirect rule`.
 - If you have other reverse proxy or webserver plugins installed, make sure they don't use the same ports as Caddy
 - Create Firewall rules that allow 80 and 443 TCP to "This Firewall" on WAN and (optionally) LAN, OPT1 etc...
 - There is a lot of input validation. If you read all the hints, help texts and error messages, its unlikely that you create a configuration that won't work.
@@ -67,7 +67,7 @@
 ## General Settings - Dynamic DNS
 - `DynDns Check Http`: Optionally, enter an URL to test the current IP address of the firewall via HTTP procotol. Generally, this is not needed. Caddy uses default providers to test the current IP addresses. If you rather use your own, enter the https:// link to an IP address testing website.
 - `DynDns Check Interface`: Optionally, select an interface to extract the current IP address of the firewall. Attention, all IP addresses will be read from this interface. Only choose this option if you know the implications.
-- `DynDns Check Interval`: Interval to poll for changes of the IP address. The default is 5 minutes. Can be a number between 1 to 1440 minutes. 
+- `DynDns Check Interval`: Interval to poll for changes of the IP address. The default is 5 minutes. Can be a number between 1 to 1440 minutes.
 - `DynDns IP Version`: Leave on None to set IPv4 A-Records and IPv6 AAAA-Records. Select "Ipv4 only" for setting A-Records. Select "IPv6 only" for setting AAAA-Records.
 - `DynDns TTL`: Set the TTL (time to live) for DNS Records. The default is 1 hour. Can be a number between 1 to 24 hours.
 
@@ -84,7 +84,7 @@
 - `Access List`: Restrict the access to this domain to a list of IP addresses you define in the `Access` Tab. This doesn't influence the Let's Encrypt certificate generation, so you can be as restrictive as you want here.
 - `Basic Auth`: Restrict the access to this domain to one or multiple users you define in the `Access` Tab. This doesn't influence the Let's Encrypt certificate generation, so you can be as restrictive as you want here.
 - `DNS-01 challenge`: Enable this if you want to use the `DNS-01` ACME challenge instead of HTTP challenge. This can be set per entry, so you can have both types of challenges at the same time for different entries. This option needs the `General Settings` - `DNS Provider` and `API KEY` set.
-- `Dynamic DNS`: Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this domain will be automatically updated with your DNS Provider. 
+- `Dynamic DNS`: Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this domain will be automatically updated with your DNS Provider.
 - `Custom Certificate`: Use a Certificate you imported or generated in `System - Trust - Certificates`. The chain is generated automatically. `Certificate + Intermediate CA + Root CA`, `Certificate + Root CA` and `self signed Certificate` are all fully supported.
 - `HTTP Access Log`: Enable the HTTP request logging for this domain and its subdomains. This option is mostly for troubleshooting since it will log every single request.
 - `Description`: The description is mandatory. Create descriptions for each domain. Since there could be multiples of the same domain with different ports, do it like this: `foo.example.com` and `foo.example.com.8443`.
@@ -182,10 +182,10 @@ Now you have a "Internet <-- HTTPS --> OPNsense (Caddy) <-- HTTP --> Backend Ser
 # Build caddy and os-caddy from source
 - As build system use a FreeBSD 13.2 - https://github.com/opnsense/tools
 - Use xcaddy to build your own caddy binary. Additonal Caddy plugins can be compiled in, here is an example: [Additional Plugins](https://github.com/opnsense/tools/blob/a555d25b11486835460a136af0b8ad2e517ae96b/config/24.1/make.conf#L94)
-- Check the +MANIFEST file and put all dependant files into the right paths on your build system. Make sure to check your own file hashes with ```sha256 /path/to/file```. 
+- Check the +MANIFEST file and put all dependant files into the right paths on your build system. Make sure to check your own file hashes with ```sha256 /path/to/file```.
 - Use ```pkg create -M ./+MANIFEST``` in the folder of the ```+MANIFEST``` file.
-- For os-caddy.pkg make sure you have the OPNsense tools build system properly set up. 
-- Build the os-caddy.pkg by going into /usr/plugins/devel/caddy/ and invoking ```make package``` 
+- For os-caddy.pkg make sure you have the OPNsense tools build system properly set up.
+- Build the os-caddy.pkg by going into /usr/plugins/devel/caddy/ and invoking ```make package```
 
 # Custom configuration files
 - The Caddyfile has an additional import from the path ```/usr/local/etc/caddy/caddy.d/```. You can place your own custom configuration files inside that adhere to the Caddyfile syntax.
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index f06e6c4311..46d05631d5 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -1,5 +1,5 @@
-Caddy - The Ultimate Server - makes your sites more secure, more reliable, and more scalable than any other solution. 
-By default, Caddy automatically obtains and renews TLS certificates for all your sites. 
+Caddy - The Ultimate Server - makes your sites more secure, more reliable, and more scalable than any other solution.
+By default, Caddy automatically obtains and renews TLS certificates for all your sites.
 It's the most advanced HTTPS server in the world.
 
 Reverse Proxy HTTP, HTTPS, FastCGI, WebSockets, gRPC, FastCGI (usually PHP), and more!
@@ -33,7 +33,7 @@ Plugin Changelog
 * A few typos in the general.volt and reverse_proxy.volt corrected.
 * The RealInterfaceField custom Fieldtype was removed and replaced with an OPNsense integrated template function to read the interface name.
 * Enable $internalModelUseSafeDelete in ReverseProxyController.php - Items can only be deleted when they are not referenced by other items, making deleting in the GUI safer since there can't be any orphaned configuration left behind.
-* Migration script M1_1_3 from "Description" to "description" added. Lower case description is needed to be in line with some OPNsense integrated functions. 
+* Migration script M1_1_3 from "Description" to "description" added. Lower case description is needed to be in line with some OPNsense integrated functions.
 
 1.5.0
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/GeneralController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/GeneralController.php
index 21238afa1d..299603a905 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/GeneralController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/GeneralController.php
@@ -3,7 +3,7 @@
 /**
  *    Copyright (C) 2023-2024 Cedrik Pischem
  *    Copyright (C) 2015 Deciso B.V.
- * 
+ *
  *    All rights reserved.
  *
  *    Redistribution and use in source and binary forms, with or without
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 4415203b51..a1d71c8312 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -136,8 +136,8 @@ public function toggleHandleAction($uuid, $enabled = null)
     {
         return $this->toggleBase("reverseproxy.handle", $uuid, $enabled);
     }
-    
-    
+
+
     /* AccessList Section */
 
     public function searchAccessListAction()
@@ -164,8 +164,8 @@ public function delAccessListAction($uuid)
     {
         return $this->delBase("reverseproxy.accesslist", $uuid);
     }
-    
-    
+
+
     /* BasicAuth Section */
 
     public function searchBasicAuthAction()
@@ -192,7 +192,7 @@ public function addBasicAuthAction()
     {
         if ($this->request->isPost()) {
             $postData = $this->request->getPost();
-    
+
             if (isset($postData['basicauth']['basicauthpass']) && !empty(trim($postData['basicauth']['basicauthpass']))) {
                 $plainPassword = $postData['basicauth']['basicauthpass'];
                 $hashedPassword = password_hash($plainPassword, PASSWORD_BCRYPT);
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
index 8361549102..0ed65411f3 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
@@ -1,4 +1,4 @@
-<form>    
+<form>
     <field>
         <id>caddy.general.DynDnsSimpleHttp</id>
         <label>DynDns Check Http</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
index a08a403b16..b8948233c2 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
@@ -40,22 +40,22 @@ public function run($model)
 
         // Ensure there are reverse proxy configurations to process
         if (!empty($config->Pischem->caddy->reverseproxy)) {
-        
+
             // Loop through each reverse proxy configuration in the stored configuration config.xml
             foreach ($config->Pischem->caddy->reverseproxy->children() as $configNode) {
-            
+
                 // Extract the UUID attribute to identify the configuration item
                 $uuid = (string)$configNode->attributes()->uuid;
-                
+
                 // Check if the current configuration item has a 'Description' to migrate
                 if (!empty($configNode->Description)) {
-                
+
                     // Store the value of 'Description' for migration
                     $descriptionValue = (string)$configNode->Description;
 
                     // Attempt to locate the corresponding node in the model using the UUID
                     $modelNode = null;
-                    
+
                     // Retrieve reverse proxy items from the model for matching UUID
                     $reverseProxies = $model->getNodeByReference('reverseproxy')->iterateItems();
                     foreach ($reverseProxies as $item) {
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index 0b07581a40..fe8ecfe148 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -81,7 +81,7 @@
             $('input, select, textarea').on('change', function() {
                 $("#messageArea").hide();
             });
-            
+
             // Reconfigure the Caddy service, additional validation with a validation API is made beforehand
             $("#reconfigureAct").SimpleActionButton({
                 onPreAction: function() {
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 4c9750ee20..f152a356dd 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -52,7 +52,7 @@
             del:'/api/caddy/ReverseProxy/delHandle/',
             toggle:'/api/caddy/ReverseProxy/toggleHandle/',
         });
-        
+
         $("#accessListGrid").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchAccessList/',
             get:'/api/caddy/ReverseProxy/getAccessList/',
@@ -60,7 +60,7 @@
             add:'/api/caddy/ReverseProxy/addAccessList/',
             del:'/api/caddy/ReverseProxy/delAccessList/',
         });
-        
+
         $("#basicAuthGrid").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchBasicAuth/',
             get:'/api/caddy/ReverseProxy/getBasicAuth/',
@@ -90,7 +90,7 @@
         // Hide message area when starting new actions
         $('input, select, textarea').on('change', function() {
             $("#messageArea").hide();
-        });        
+        });
 
         // Adjusting the Reconfigure button to include validation in onPreAction
         $("#reconfigureAct").SimpleActionButton({
@@ -259,7 +259,7 @@
             </div>
         </div>
     </div>
-    
+
     <!-- New Combined Access Tab -->
     <div id="accessTab" class="tab-pane fade">
         <!-- Access Lists Section -->
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
index 2fc795ab44..da949afefb 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
@@ -32,7 +32,7 @@
 
 def run_service_command(action, action_message):
     result = {"message": action_message}
-    
+
     if action == "validate":
         try:
             # Call Setup script
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 95892a5908..079d3a19e1 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -465,39 +465,39 @@
     log {
         output file /var/log/caddy/access/{{ reverse['@uuid'] }}.log {
             roll_keep_for {{ generalSettings.LogAccessPlainKeep|default("10") }}d
-        }        
+        }
     }
     {% endif %}
     {% endif %}
     {% set customCert = reverse.CustomCertificate|default("") %}
     {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
     {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsOptionalField5, TlsDnsOptionalField6) }}
-    
+
     {% if not reverse.accesslist %}
         {% set basicauth_uuids = reverse.basicauth %}
         {{ basicauth_configuration(basicauth_uuids) }}
     {% endif %}
-    
+
     {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
     {% if subdomain.enabled|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
     @{{ subdomain['@uuid'] }} {
         host {{ subdomain.FromDomain }}{% if subdomain.FromPort %}:{{ subdomain.FromPort }}{% endif %}
     }
     handle @{{ subdomain['@uuid'] }} {
-    
+
         {% if not subdomain.accesslist %}
             {% set subdomain_basicauth_uuids = subdomain.basicauth %}
             {{ basicauth_configuration(subdomain_basicauth_uuids) }}
         {% endif %}
-    
+
         {% if subdomain.accesslist %}
         {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', subdomain.accesslist) | first %}
         {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
         handle @{{ accesslist['@uuid'] }} {
-        
+
             {% set subdomain_basicauth_uuids = subdomain.basicauth %}
             {{ basicauth_configuration(subdomain_basicauth_uuids) }}
-        
+
             {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
             {% for handle in subdomain_handles %}
             {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
@@ -534,10 +534,10 @@
     {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
     {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
     handle @{{ accesslist['@uuid'] }} {
-    
+
         {% set basicauth_uuids = reverse.basicauth %}
         {{ basicauth_configuration(basicauth_uuids) }}
-    
+
         {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
         {% for handle in wildcard_handles %}
         {% if handle.enabled|default("0") == "1" and handle.HandlePath %}

From 3ab564626d59c84a7cffa9e09a97bd7573472b97 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 8 Mar 2024 12:56:06 +0100
Subject: [PATCH 1812/3088] LICENSE/README: sync

---
 LICENSE   | 1 +
 README.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/LICENSE b/LICENSE
index c3a812e87f..61caa7c55e 100644
--- a/LICENSE
+++ b/LICENSE
@@ -5,6 +5,7 @@ Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2021 Axelrtgs
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
+Copyright (c) 2023-2024 Cedrik Pischem
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2021 Dan Lundqvist
diff --git a/README.md b/README.md
index 1d3a70e882..2afccc1887 100644
--- a/README.md
+++ b/README.md
@@ -109,6 +109,7 @@ sysutils/xen -- Xen guest utilities
 vendor/sunnyvalley -- Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
 www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
+www/caddy -- Easy to configure Reverse Proxy based on Caddy with Automatic HTTPS and Dynamic DNS
 www/nginx -- Nginx HTTP server and reverse proxy
 www/squid -- Squid is a caching proxy for the web
 www/web-proxy-sso -- Kerberos authentication module

From 0d569516ec2c1a98dc665cd5a5faa0a28435692f Mon Sep 17 00:00:00 2001
From: Joachim Friberg <friberg.joachim@gmail.com>
Date: Mon, 11 Mar 2024 11:07:44 +0100
Subject: [PATCH 1813/3088] Update named.conf (#3852)

Fixed bug, allowrndcupdate in the named.conf
---
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index b0de3585d2..0c091b00ed 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -180,7 +180,7 @@ zone "{{ domain.domainname }}" {
 {%              endfor %}
         };
 {%      endif %}
-{%      if domain.allowrndcupdate is defined and domain.allowrndc == "1" %}
+{%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" %}
         update-policy {
 		grant rndc-key zonesub ANY;
         };

From 9999bf14722a0ec288d49cd970f666aca2dc1ea7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Mar 2024 11:08:19 +0100
Subject: [PATCH 1814/3088] dns/bind: bump revision

---
 dns/bind/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index c7dbfdf425..9ef5a09dfe 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.30
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 6fbc5137d352f7a3a34cf2fe826b6b14f20e50d6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 13 Mar 2024 19:39:27 +0100
Subject: [PATCH 1815/3088] dns/ddclient - prevent model usage in
 ddclient_services()

The ddclient model uses configd for additional info, which makes model initialization a bit slower than usual.
When only checking if the module is used, accessing the config object saves a lot of time.
---
 dns/ddclient/Makefile                               |  2 +-
 dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 9bb1936a3a..fcf1873f72 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc b/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
index 8e087a38e4..2a45595e5f 100644
--- a/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
+++ b/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
@@ -30,9 +30,13 @@
 function ddclient_services()
 {
     $services = [];
+    $cnf = \OPNsense\Core\Config::getInstance()->object();
+    $is_enabled = false;
+    if ($cnf->OPNsense && $cnf->OPNsense->DynDNS && $cnf->OPNsense->DynDNS->general){
+       $is_enabled = $cnf->OPNsense->DynDNS->general->enabled == '1';
+    }
 
-    $mdl = new \OPNsense\DynDNS\DynDNS();
-    if ($mdl->general->enabled == '1') {
+    if ($is_enabled) {
         $service = [
             'description' => gettext('ddclient'),
             'configd' => [
@@ -42,7 +46,7 @@ function ddclient_services()
             ],
             'name' => 'ddclient',
         ];
-        $service['pidfile'] = (string)$mdl->general->backend != 'opnsense' ? '/var/run/ddclient.pid' : '/var/run/ddclient_opn.pid';
+        $service['pidfile'] = $cnf->OPNsense->DynDNS->general->backend != 'opnsense' ? '/var/run/ddclient.pid' : '/var/run/ddclient_opn.pid';
         $services[] = $service;
     }
 

From f1b3c4216a1d0633d3a527f7fada5d0eb0ae45b7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 13 Mar 2024 19:56:24 +0100
Subject: [PATCH 1816/3088] security/wazuh-agent -  prevent model usage in
 wazuhagent_services()

The wazuh model uses configd for additional info, which makes model initialization a bit slower than usual.
When only checking if the module is used, accessing the config object saves a lot of time.
---
 security/wazuh-agent/Makefile                             | 1 +
 .../wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc  | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index d30039151e..cd1e3dbccd 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wazuh-agent
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc b/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
index 0907f052d3..132dfd5dc5 100644
--- a/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
+++ b/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
@@ -30,7 +30,13 @@
 function wazuhagent_services()
 {
     $services = [];
-    if ((new \OPNsense\WazuhAgent\WazuhAgent())->general->enabled == '1') {
+    $cnf = \OPNsense\Core\Config::getInstance()->object();
+    $is_enabled = false;
+    if ($cnf->OPNsense && $cnf->OPNsense->WazuhAgent && $cnf->OPNsense->WazuhAgent->general){
+        $is_enabled = $cnf->OPNsense->WazuhAgent->general->enabled == '1';
+    }
+
+    if ($is_enabled) {
         $service = [
             'description' => gettext('Wazuh Agent'),
             'configd' => [

From f3ed2695fe14f6aa890d599a92ed740a0349c9ae Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 14 Mar 2024 08:32:50 +0100
Subject: [PATCH 1817/3088] www/caddy: Version 1.5.2 (#3851)

* Update pkg-descr

Added Version changelog from first stable to current release (also making sure contributors other than me are named)

* Update Caddy.xml

Add remaining caddy-dns providers. Gotta catch em all.

* Update Caddyfile

Add DNS Providers with special configuration to Caddyfile template, others are caught by the catch all for DNS Providers (which only need 1 api_token) at the end of the if statement.

* Update dnsprovider.xml

Added helptext for the remaining DNS Providers.

* Update pkg-descr

Added changelog for DNS Providers

* Update Makefile

Bump version to 1.5.2

* Update Caddyfile

Even though Civo has only one api_token it demands special configuration, fixed.

* Update general.volt

- Add additional save functionality to apply button to prevent user error from forgetting to save the form with the save button.
- Increase the timeout of the message area so users can see validation errors longer.

* Update reverse_proxy.volt

Same as general.volt

* Update Caddyfile

Fixed directadmin configuration keys

* Update pkg-descr

Added changes to changelog

* Revert DNS Provider changes due to compilation problems of binary to last good known state.

* Satisfy Lint by making sure Defaults are either required, or deleted if not needed.

* Update pkg-descr

* Update dynamicdns.xml

Made help text about the DynDns Interface more concise because the bug upstream has been fixed that also extracted private IP ranges.

Now only GUA and non-RFC1918 addresses are extracted, making this option a valid choice.

https://github.com/mholt/caddy-dynamicdns/issues/59

* Update pkg-descr

* Delete www/caddy/README.md

It's being turned into a doc article so this can be deleted here.
---
 www/caddy/Makefile                            |   3 +-
 www/caddy/README.md                           | 205 ------------------
 www/caddy/pkg-descr                           |  70 +++++-
 .../OPNsense/Caddy/forms/dynamicdns.xml       |   2 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  47 ++--
 .../mvc/app/views/OPNsense/Caddy/general.volt |  46 ++--
 .../views/OPNsense/Caddy/reverse_proxy.volt   |   2 +-
 7 files changed, 112 insertions(+), 263 deletions(-)
 delete mode 100644 www/caddy/README.md

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 7059ebe9dc..95dd8078a2 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.5.1
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.5.2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy based on Caddy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/README.md b/www/caddy/README.md
deleted file mode 100644
index 3dbfc9571a..0000000000
--- a/www/caddy/README.md
+++ /dev/null
@@ -1,205 +0,0 @@
-# Caddy Plugin for OPNsense
-
-- This project provides a simple yet powerful plugin for [OPNsense](https://github.com/opnsense) to enable support for [Caddy](https://github.com/caddyserver/caddy).
-- The scope is the reverse proxy features.
-- The main goal is an easy to configure plugin. Most options that aren't generally needed are hidden behind the advanced mode for this reason.
-- The feature set is complete for now.
-
-## Main Features
-
-- Modern and fast Reverse Proxy based on [Caddy](https://caddyserver.com/)
-- Automatic Let's Encrypt and ZeroSSL Certificates without configuration with HTTP-01 and TLS-ALPN-01
-- ACME DNS-01 challenge with configuration (requires supported DNS Provider)
-- Dynamic DNS (DynDns) with configuration (requires supported DNS Provider)
-- Supported DNS Providers in GUI: ```cloudflare, duckdns, digitalocean, dnspod, hetzner, godaddy, gandi, ionos, desec, porkbun, route53, acmedns, alidns, googleclouddns, azure, openstack-designate, ovh, namecheap, netlify, namesilo, powerdns, vercel, ddnss, njalla, metaname, linode, tencentcloud, dinahosting, hexonet, mailinabox```
-- Use custom certificates from OPNsense certificate store
-- Normal domains, wildcard domains and subdomains
-- Access Lists to restrict access based on static networks
-- Basic Auth to restrict access by username and password
-- Syslog-ng integration and HTTP Access Log
-- NTLM Transport for Exchange Server
-
-## License
-
-- This project is licensed under the BSD 2-Clause "Simplified" license. See the LICENSE file for details.
-- Caddy is licensed under the Apache License, Version 2.0.
-- OPNsense is licensed under the BSD 2-Clause “Simplified” license.
-
-## Acknowledgments
-
-- Thanks to the Caddy community/developers for creating a fantastic open source web server.
-- Thanks to the OPNsense community/developers for creating a powerful and flexible open source firewall and routing platform.
-- Additional big **Thank You** in no particular order: [AdShellevis](https://github.com/Adschellevis), [mimugmail](https://forum.opnsense.org/index.php?action=profile;u=15464), [gspannu](https://github.com/gspannu), [francislavoie](https://caddy.community/u/francislavoie/summary), [matt](https://caddy.community/u/matt/summary), [fichtner](https://github.com/fichtner)
-
-# How to install
-
-- Install "os-caddy" from the OPNsense Plugins.
-
-## Prepare Caddy for use after the installation
-
-**Attention**, additional preparation of OPNsense needed:
-- Make sure that port `80` and `443` aren't occupied. You have to change the default listen port to `8443` for example. Go to `System: Settings: Administration` to change the `TCP Port`. Then also enable `HTTP Redirect - Disable web GUI redirect rule`.
-- If you have other reverse proxy or webserver plugins installed, make sure they don't use the same ports as Caddy
-- Create Firewall rules that allow 80 and 443 TCP to "This Firewall" on WAN and (optionally) LAN, OPT1 etc...
-- There is a lot of input validation. If you read all the hints, help texts and error messages, its unlikely that you create a configuration that won't work.
-- **Attention**: If you use this in HA (High Availability), only use your own custom certificates. Caddy needs a shared storage for the ACME challenges to work on two or more firewalls in HA at the same time. This is out of scope, since offering shared storage on firewalls where one can potentially fail, would leave the other without storage for Caddy to work with.
-
-# Available Settings in "Services - Caddy Web Server"
-**Please note that some options are hidden in advanced mode.**
-## General Settings - General
-- `Enable` or `disable` Caddy
-- `ACME Email`: e.g. `info@example.com`, it's optional.
-- `Auto HTTPS`: `On (default)` creates automatic Let's Encrypt Certificates for all Domains that don't have more specific options set, like custom certificates.
-- `Trusted Proxies`: Leave empty if you don't use a CDN in front of your OPNsense. If you use Cloudflare or another CDN provider, create an access list with the IP addresses of that CDN and add it here. Add the same Access List to the domain this CDN tries to reach.
-- `Abort Connections`: This option, when enabled, aborts all connections to the Reverse Proxy Domain that don't match any specified handler or access list. This setting doesn't affect Let's Encrypt's ability to issue certificates, ensuring secure connections regardless of the option's status. If unchecked, the Reverse Proxy Domain remains accessible even without a matching handler, allowing for connectivity and certificate checks, even in the absence of a configured Backend Server. When using Access Lists, enabling this option is recommended to reject unauthorized connections outright. Without this option, unmatched IP addresses will encounter an empty page instead of an explicit rejection, though the Access Lists continue to function and restrict access.
-
-## General Settings - DNS Provider
-- `DNS Provider`: Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is optional, since certificates will be requested from Let's Encrypt via HTTP-01 or TLS-ALPN-01 Challenge when this option is unset. You mostly need this for Wildcard Certificates, and for Dynamic DNS. To use the DNS-01 Challenge and Dynamic DNS, enable the checkbox in a Reverse Proxy Domain or Subdomain. For more information: https://github.com/caddy-dns
-- `DNS API Standard Field`: This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", DNSPod "auth_token", Hetzner "api_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Namesilo "api_token", Njalla "api_token", Vercel "api_token",  Google Cloud DNS "gcp_project", Alidns "access_key_id", Azure "tenant_id", OpenStack Designate "region_name", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Metaname "api_key", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url".
-- `DNS API Additional Field 1`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Alidns "access_key_secret", Azure "client_id", OpenStack Designate "tenant_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Metaname "account_reference", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address".
-- `DNS API Additional Field 2`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OpenStack Designate "identity_api_version", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password".
-- `DNS API Additional Field 3`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OpenStack Designate "password", OVH "consumer_key", Namecheap "client_ip", DDNS "password".
-- `DNS API Additional Field 4`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name", OpenStack Designate "username".
-- `DNS API Additional Field 5`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "token", OpenStack Designate "tenant_name".
-- `DNS API Additional Field 6`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: OpenStack Designate "auth_url".
-- `DNS API Additional Field 7`: Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: OpenStack Designate "endpoint_type".
-
-## General Settings - Dynamic DNS
-- `DynDns Check Http`: Optionally, enter an URL to test the current IP address of the firewall via HTTP procotol. Generally, this is not needed. Caddy uses default providers to test the current IP addresses. If you rather use your own, enter the https:// link to an IP address testing website.
-- `DynDns Check Interface`: Optionally, select an interface to extract the current IP address of the firewall. Attention, all IP addresses will be read from this interface. Only choose this option if you know the implications.
-- `DynDns Check Interval`: Interval to poll for changes of the IP address. The default is 5 minutes. Can be a number between 1 to 1440 minutes.
-- `DynDns IP Version`: Leave on None to set IPv4 A-Records and IPv6 AAAA-Records. Select "Ipv4 only" for setting A-Records. Select "IPv6 only" for setting AAAA-Records.
-- `DynDns TTL`: Set the TTL (time to live) for DNS Records. The default is 1 hour. Can be a number between 1 to 24 hours.
-
-## General Settings - Log Settings
-- `Log Credentials`: Log all Cookies and Authorization in HTTP request logging. Use combined with HTTP Access Log in the Reverse Proxy Domain. Enable this option only for troubleshooting.
-- `Log Access in Plain Format`: Don't send HTTP(S) access logs to the central OPNsense logging facility but save them in plain Caddy JSON format in a subdirectory instead. Only effective for Reverse Proxy Domains that have HTTP Access Log enabled. The feature is intended to have access log files processed by e.g. CrowdSec. They can be found in `/var/log/caddy/access`.
-- `Keep Plain Access Logs for (days)`: How many days until the plain format log files are deleted.
-
-## Reverse Proxy - Domains
-- Press `+` to create a new Reverse Proxy Domain
-- `Enable` this new entry
-- `Reverse Proxy Domain`: Can either be a domain name or an IP address. If a domain name is chosen, Caddy will automatically try to get an ACME certificate, and the header will be automatically passed to the Server in the backend.
-- `Reverse Proxy Port`: Should be the port the OPNsense will listen on. Don't forget to create Firewall rules that allow traffic to this port on `WAN` or `LAN` to `This Firewall`. You can leave this empty if you want to use the default ports of Caddy (`80` and `443`) with automatic redirection from HTTP to HTTPS.
-- `Access List`: Restrict the access to this domain to a list of IP addresses you define in the `Access` Tab. This doesn't influence the Let's Encrypt certificate generation, so you can be as restrictive as you want here.
-- `Basic Auth`: Restrict the access to this domain to one or multiple users you define in the `Access` Tab. This doesn't influence the Let's Encrypt certificate generation, so you can be as restrictive as you want here.
-- `DNS-01 challenge`: Enable this if you want to use the `DNS-01` ACME challenge instead of HTTP challenge. This can be set per entry, so you can have both types of challenges at the same time for different entries. This option needs the `General Settings` - `DNS Provider` and `API KEY` set.
-- `Dynamic DNS`: Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this domain will be automatically updated with your DNS Provider.
-- `Custom Certificate`: Use a Certificate you imported or generated in `System - Trust - Certificates`. The chain is generated automatically. `Certificate + Intermediate CA + Root CA`, `Certificate + Root CA` and `self signed Certificate` are all fully supported.
-- `HTTP Access Log`: Enable the HTTP request logging for this domain and its subdomains. This option is mostly for troubleshooting since it will log every single request.
-- `Description`: The description is mandatory. Create descriptions for each domain. Since there could be multiples of the same domain with different ports, do it like this: `foo.example.com` and `foo.example.com.8443`.
-
-## Reverse Proxy - Subdomains
-- Press `+` to create a new Reverse Proxy Subdomain
-- `Reverse Proxy Domain` - Choose a wildcard domain you prepared in "Reverse Proxy - Domains", it has to be formatted like `*.example.com`
-- `Reverse Proxy Subdomain` - Create a name that is seated under the Wildcard domain, for example `foo.example.com` and `bar.example.com`.
-- For the other options refer to Domains.
-
-## Reverse Proxy - Handler
-Please note that the order that handlers are saved in the scope of each domain or domain/subdomain can influence functionality - The first matching handler wins. So if you put /ui* in front of a more specific handler like /ui/opnsense, the /ui* will match first and /ui/opnsense won't ever match (in the scope of their domain). Right now there isn't an easy way to move the position of handlers in the grid, so you have to clone them if you want to change their order, and delete the old entries afterwards. Most of the time, creating just one empty catch-all handler is the best choice. The template logic makes sure that catch-all handlers are always placed last, after all other handlers.
-- Press `+` to create a new `Handler`. A Handler is like a location in nginx.
-- `Enable` this new entry.
-- `Reverse Proxy Domain`: Select the domain you have created in `Reverse Proxy Domains`.
-- `Reverse Proxy Subdomain`: Leave this on `None`. It is not needed without having a wildcard certificate, or a `*.example.com` Domain.
-- `Handle Type`: `Handle` or `Handle Path` can be chosen. If in doubt, always use `Handle`, the most common option. `Handle Path` is used to strip the path from the URI. For example if you have example.com/opnsense internally, but want to call it with just example.com externally.
-- `Handle Path`: Leave this empty if you want to create a catch all location. You can create multiple Handler entries, and have each of them point at different locations like `/foo/*` or `/foo/bar/*` or `/foo*`.
-- `Backend Server Domain`: Should be an internal domain name or an IP Address of the Backend Server that should receive the traffic of the `Reverse Proxy Domain`.
-- `Backend Server Port`: Should be the port the Backend Server listens on. This can be left empty to use Caddy default ports 80 and 443.
-- `Backend Server Path`: In case the backend application resides in a sub-path of the web root and you don't want this path visible in the frontend URL you can use this setting to prepend an initial path starting with '/' to every backend request. Java applications running in a servlet container like Tomcat are known to behave this way, so you can set it to e.g. '/guacamole' to access Apache Guacamole at the frontend root URL without needing a redirect.
-- `TLS`: If your Backend Server only accepts HTTPS, enable this option. If the Backend Server has a globally trusted certificate, this is all you need.
-- `TLS Trusted CA Certificates`: Choose a CA certificate to trust for the Backend Server connection. Import your self-signed certificate or your CA certificate into the OPNsense "System - Trust - Authorities" store, and select it here.
-- `TLS Server Name`: If the SAN (Subject Alternative Names) of the offered trusted CA certificate or self-signed certificate doesn't match with the IP address or hostname of the `Backend Server Domain`, you can enter it here. This will change the SNI (Server Name Identification) of Caddy to the `TLS Server Name`. IP address e.g. `192.168.1.1` or hostname e.g. `localhost` or `opnsense.local` are all valid choices. Only if the SAN and SNI match, the TLS connection will work, otherwise an error is logged that can be used to troubleshoot.
-- `NTLM`: If your Backend Server needs NTLM authentication, enable this option together with `TLS`. For example, Exchange Server.
-
-**Attention**: The GUI doesn't allow "tls_insecure_skip_verify" due to safety reasons, as the Caddy documentation states not to use it. Use the `TLS Trusted CA Certificates` and `TLS Server Name` options instead to get a **secure TLS connection** to your Backend Server. Otherwise, use HTTP. If you really need to use "tls_insecure_skip_verify" and know the implications, use the import statements of custom configuration files.
-
-## Reverse Proxy - Access - Access Lists
-- Press `+` to create a new Access List
-- `Access List name`: Choose a name for the Access List, for example `private_ips`.
-- `Client IP Addresses`: Enter any number of IPv4 and IPv6 addresses or networks that this access list should contain. For example for matching only internal networks, add `192.168.0.0/16` `172.16.0.0/12` `10.0.0.0/8` `127.0.0.1/8` `fd00::/8` `::1`.
-- `Invert List`: Invert the logic of the access list. If unchecked, the Client IP Addresses will be ALLOWED, all other IP addresses will be blocked. When checked, the Client IP Addresses will be BLOCKED, all other IP addresses will be allowed.
-- Afterwards, go back to Domains or Subdomains and add the Access List you have created to them (advanced mode). All handlers created under these Domains will get an additional matcher. That means, the requests still reach Caddy, but if the IP Addresses don't match with the Access List logic, the request doesn't match any handler and will be dropped before being reverse proxied to any Backend Server. If you are using a CDN, make sure the Access List in General - Trusted Proxies and on each Domain used for that CDN are the same.
-
-## Reverse Proxy - Access - Basic Auth
-- Press `+` to create a new User for Basic Auth
-- `User`: Enter a username. Afterwards, you can select it in Reverse Proxy Domains or Subdomains to restrict access with basic auth. Usernames are only allowed to have alphanumeric characters.
-- `Password`: Enter a password. Write it down. It will be hashed with bcrypt. It can only be set and changed but won't be visible anymore. The hash can't be turned back into the original password.
-- Afterwards, go back to Domains or Subdomains and add the one or multiple basic auth users you have created to them (advanced mode). The basic auth matches after access lists, so you can set both to first restrict access by IP address, and then additionally by username and password. Please note that if you delete a user before deselecting it in a domain, the basic auth will stay with no user. If that happens you have to select the "clear all" in the domain or subdomain and save. Don't set basic auth on top of a wildcard domain directly, always set it on the subdomains instead.
-
-# HOW TO Section:
-
-## HOW TO: Create an easy reverse proxy
-**Services - Caddy Web Server - General Settings:**
-- `Enable` Caddy and press `Apply`
-
-**Services - Caddy Web Server - Reverse Proxy - Domain:**
-- Press `+` to create a new Reverse Proxy Domain
-- `Reverse Proxy Domain` - `foo.example.com`
-- `Description` - `foo.example.com`
-- `Save`
-
-**Services - Caddy Web Server - Reverse Proxy - Handler:**
-- Press `+` to create a new Handler
-- `Reverse Proxy Domain` - `foo.example.com`
-- `Backend Server Domain` - `192.168.10.1`
-- `Save`
-- `Apply`
-
-Done, leave all other fields to default or empty. You don't need the advanced mode options. After just a few seconds the Let's Encrypt Certificate will be installed and everything just works. Check the Logfile for that.
-Now you have a "Internet <-- HTTPS --> OPNsense (Caddy) <-- HTTP --> Backend Server" Reverse Proxy.
-
-## HOW TO: Create a wildcard subdomain reverse proxy
-- Do everything the same as above, but create your Reverse Proxy Domain like this `*.example.com` and activate the `DNS-01` challenge checkbox.
-- OR - `Custom Certificate` - Use a Certificate you imported or generated in `System - Trust - Certificates`. It has to be a wildcard certificate.
-- Go to the `Reverse Proxy Subdomain` Tab and create all subdomains that you need in relation to the `*.example.com` domain. So for example `foo.example.com` and `bar.example.com`.
-- Create descriptions for each subdomain. Since there could be multiples of the same subdomain with different ports, do it like this: `foo.example.com` and `foo.example.com.8443`.
-- In the `Handler` Tab you can now select your `*.example.com` `Reverse Proxy Domain`, and if `Reverse Proxy Subdomain` is `None`, the Handlers are added to the base `Reverse Proxy Domain`. For example, if you want a catch all Handler for all non referenced subdomains.
-- If you create a Handler with `*.example.com` as `Reverse Proxy Domain` and `foo.example.com` as `Reverse Proxy Subdomain`, a nested Handler will be generated. You can do all the same configurations as if the subdomain is a normal domain, with multiple Handlers and Handler paths.
-
-## HOW TO: Create a Handle with TLS and a trusted self-signed Certificate
-**Example: Reverse Proxy the OPNsense Configuration GUI Website with Caddy**
-- Open your OPNsense GUI in a Browser (e.g. Chrome or Firefox). Inspect the certificate. Copy the SAN for later use, for example `OPNsense.localdomain`.
-- Save the certificate in your Browser as PEM file. Open it up with a text editor, and copy the contents into a new entry in `System - Trust - Authorities`. Name the certificate e.g. `opnsense-selfsigned`.
-- Add a new Reverse Proxy Domain, for example `opn.example.com`. Make sure the name is externally resolvable to the IP of your OPNsense Firewall with Caddy.
-- Add a new Handler with the following options (enable advanced mode):
-- `Reverse Proxy Domain`: `opn.example.com`
-- `Backend Server Domain`: `127.0.0.1`
-- `Backend Server Port`: `8443` (Enter the port of your OPNsense GUI. You have changed it from 443 to a different port, since Caddy needs port 443.)
-- `TLS`: `X`
-- `TLS Trusted CA Certificates`: `opnsense-selfsigned` (The certificate you have saved in `System - Trust - Authorities`)
-- `TLS Server Name`: `OPNsense.localdomain` (The SAN of the certificate)
-- Save
-- Apply
-- Open `https://opn.example.com` and it should serve the reverse proxied OPNsense Configuration GUI Website. Check the log file for errors if it doesn't work, most of the time the `TLS Server Name` doesn't match the SAN of the `TLS Trusted CA Certificates`. Please note that Caddy doesn't support CN (Common Name) in certificate since it's been deprecated since many years.
-- Additionally, you can create an access list to limit access to the GUI only from trusted IP addresses (recommended). Add that access list to the domain `opn.example.com` in advanced mode. Also, enable `Abort Connections` in the `General` Settings to abort all connections immediately that don't match the access list or the handler.
-
-# Troubleshooting
-- You can always test if your current Caddyfile is valid by invoking `/api/caddy/service/validate` - This is also done automatically each time `Apply` is pressed. If you have an invalid configuration, Caddy will refuse to start and show the exact error message.
-- Check `/var/log/caddy/caddy.log` or `@latest.log` to find errors. There is also a Caddy Log File in the GUI.
-- A good indicator that Caddy is indeed running is this log entry: `serving initial configuration`
-- Check the Service Widget and the "General Settings" Service Control buttons. If everything works they should show a green "Play" sign. If Caddy is stopped there is a red "Stop" sign. If Caddy is disabled, there is no widget and no control buttons.
-
-# Build caddy and os-caddy from source
-- As build system use a FreeBSD 13.2 - https://github.com/opnsense/tools
-- Use xcaddy to build your own caddy binary. Additonal Caddy plugins can be compiled in, here is an example: [Additional Plugins](https://github.com/opnsense/tools/blob/a555d25b11486835460a136af0b8ad2e517ae96b/config/24.1/make.conf#L94)
-- Check the +MANIFEST file and put all dependant files into the right paths on your build system. Make sure to check your own file hashes with ```sha256 /path/to/file```.
-- Use ```pkg create -M ./+MANIFEST``` in the folder of the ```+MANIFEST``` file.
-- For os-caddy.pkg make sure you have the OPNsense tools build system properly set up.
-- Build the os-caddy.pkg by going into /usr/plugins/devel/caddy/ and invoking ```make package```
-
-# Custom configuration files
-- The Caddyfile has an additional import from the path ```/usr/local/etc/caddy/caddy.d/```. You can place your own custom configuration files inside that adhere to the Caddyfile syntax.
-- ```*.global``` will be imported into the global block of the Caddyfile. Global options can be found here: [Global Options Block](https://caddyserver.com/docs/caddyfile/options)
-- ```*.conf``` will be imported at the end of the Caddyfile, you can put your own reverse_proxy or other settings there. Don't forget to test your custom configuration with `caddy run --config /usr/local/etc/caddy/Caddyfile`.
-
-# Using the REST API to control the plugin:
-The Rest API is now fully integreated with the OPNsense syntax.
-https://docs.opnsense.org/development/api.html
-
-All API Actions can be found in the API Controller files ```/usr/local/opnsense/mvc/app/controllers/Pischem/Caddy/Api```
-
-Examples:
-- /api/caddy/ReverseProxy/get
-- /api/caddy/General/get
-- /api/caddy/service/status
-- /api/caddy/service/validate
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 46d05631d5..311733b3cd 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -22,6 +22,13 @@ Main features of this plugin:
 Plugin Changelog
 ================
 
+1.5.2
+
+* Increased timeout of message area in reverse_proxy.volt and general.volt to 15 seconds.
+* When pressing Apply, the form is saved automatically before the reconfigure action.
+* Cleaned up Caddy.xml model to satisfy make lint.
+* When selecting an interface in Dynamic DNS, at most one IPv6 GUA and IPv4 non-RFC1918 address will be extracted. Fixes all IP addresses being read. 
+
 1.5.1
 
 * More DNS Providers added: netlify, namesilo, njalla, vercel, googleclouddns, alidns, powerdns, tencentcloud, dinahosting, metaname, hexonet, ddnss, linode, mailinabox, ovh, namecheap, azure, openstack-designate.
@@ -37,4 +44,65 @@ Plugin Changelog
 
 1.5.0
 
-* Initial release
+* Omit vultr from DNS-Providers since it can't be built without errors.
+* General view cleanup by seperating options into different tabs.
+* Added ACME-DNS Provider for custom ACME Server support.
+* When pressing save, a hint will appear that changes should be applied. Apply and Save now give feedback on success.
+* Create ACL for Caddy
+* Code consistency improved.
+
+1.4.5
+
+* New validate api action when pressing apply that validates the Caddyfile + Validation model fix.
+* Added configuration option to log HTTP access to plain JSON files. [contributed by @pmhausen]
+* Added backend path prepend feature to handler configuration. [contributed by @pmhausen]
+
+1.4.4
+
+* Route53 DNS Provider added
+* Dark Mode GUI fix
+
+1.4.2
+
+* Added Basic Auth as additional access restriction, multiple users can be set per domain and subdomain.
+* Made views cleaner: Seperated General Settings and DNS Provider Settings, joined Access List and Basic Auth in new Access Tab.
+* Fixed template generation of Caddyfile for new DNS Providers deSEC.
+* Added Porkbun DNS Provider for GUI configuration with additional DNS Secret Api Key input field.
+* Cleaned up some code and fixed some typos.
+
+1.4.0
+
+* DynDNS (Dynamic DNS) Feature added.
+* Logging refactored to syslog-ng.
+* HTTP Access Logs can be enabled.
+* More DNS Providers added: Cloudflare, Duck DNS, DigitalOcean, DNSPod, Hetzner, GoDaddy, Gandi, Vultr, IONOS, deSEC
+
+1.3.4
+
+* Added abort statement to close all connections that don't match any handle.
+* Added tls_server_name to model
+* Fixes DNS Challenge not adhering to the status of the DNS-01 Checkbox
+
+1.3.3
+
+* Swapped processing order in template from wildcard domains -> subdomains to subdomains -> wildcard domains
+
+1.3.2
+
+* Added inline loop logic to template to always print empty handles last in the Caddyfile before specific handles.
+
+1.3.1
+
+* Added AccessList functionality.
+* Small constraint to handle added. Handles have to start at least with / when they're not empty, or Caddy won't start.
+* Add reload for the ServiceControlUI after pressing Apply.
+
+1.3.0
+
+* Initial first stable release.
+* Create easy Reverse Proxy entries, use the HTTP or DNS-01 Challenge to get quick and easy ACME Certificates with Let's Encrypt.
+* Control Caddy and view the Logfile in the OPNsense GUI.
+* Create more complicated nested handle structures with wildcard domains, subdomains, handles and catch all handles.
+* Use your own certificates where needed.
+* Use TLS, NTLM and CA certificates to communicate with your Backend Servers.
+* Use Caddy with two OPNsense Firewalls in HA - only fully supported with custom certificates from OPNsense trust store.
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
index 0ed65411f3..d57c17e575 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
@@ -10,7 +10,7 @@
         <id>caddy.general.DynDnsInterface</id>
         <label>DynDns Check Interface</label>
         <type>dropdown</type>
-        <help><![CDATA[Optionally, select an interface to extract the current IP address of the firewall. Attention, all IP addresses will be read from this interface. Only choose this option if you know the implications.]]></help>
+        <help><![CDATA[Optionally, select an interface to extract the current IP addresses of the firewall. At most, one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted. This depends on the DynDns IP Version that's specified.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 0c95d2b7df..89bc764fbb 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.1.3</version>
+    <version>1.1.4</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -12,7 +12,6 @@
                 <ValidationMessage>Please enter a valid email address.</ValidationMessage>
             </TlsEmail>
             <TlsAutoHttps type="OptionField">
-                <Default>on</Default>
                 <OptionValues>
                     <on>On (default)</on>
                     <off>Off</off>
@@ -73,19 +72,14 @@
                     </reverseproxy>
                 </Model>
             </accesslist>
-            <abort type="BooleanField">
-                <Default>0</Default>
-            </abort>
-            <LogCredentials type="BooleanField">
-                <Default>0</Default>
-            </LogCredentials>
-            <LogAccessPlain type="BooleanField">
-                <Default>0</Default>
-            </LogAccessPlain>
+            <abort type="BooleanField"/>
+            <LogCredentials type="BooleanField"/>
+            <LogAccessPlain type="BooleanField"/>
             <LogAccessPlainKeep type="IntegerField">
                 <Default>10</Default>
                 <MinimumValue>1</MinimumValue>
                 <ValidationMessage>Please enter a valid number of 1 or larger.</ValidationMessage>
+                <Required>Y</Required>
             </LogAccessPlainKeep>
             <DynDnsSimpleHttp type="UrlField">
                 <ValidationMessage>Please enter a valid URL, starting with http or https.</ValidationMessage>
@@ -96,6 +90,7 @@
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>1440</MaximumValue>
                 <ValidationMessage>Please enter a valid number from 1 to 1440 minutes.</ValidationMessage>
+                <Required>Y</Required>
             </DynDnsCheckInterval>
             <DynDnsIpVersions type="OptionField">
                 <Default>ipv4</Default>
@@ -103,12 +98,14 @@
                     <ipv4>IPv4 only</ipv4>
                     <ipv6>IPv6 only</ipv6>
                 </OptionValues>
+                <Required>Y</Required>
             </DynDnsIpVersions>
             <DynDnsTTL type="IntegerField">
                 <Default>1</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>24</MaximumValue>
                 <ValidationMessage>Please enter a valid number from 1 to 24 hours.</ValidationMessage>
+                <Required>Y</Required>
             </DynDnsTTL>
         </general>
         <reverseproxy>
@@ -154,16 +151,10 @@
                     <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_*-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
                     <ValidationMessage>Please provide a valid description.</ValidationMessage>
                 </description>
-                <DnsChallenge type="BooleanField">
-                    <Default>0</Default>
-                </DnsChallenge>
+                <DnsChallenge type="BooleanField"/>
                 <CustomCertificate type="CertificateField"/>
-                <AccessLog type="BooleanField">
-                    <Default>0</Default>
-                </AccessLog>
-                <DynDns type="BooleanField">
-                    <Default>0</Default>
-                </DynDns>
+                <AccessLog type="BooleanField"/>
+                <DynDns type="BooleanField"/>
             </reverse>
             <subdomain type="ArrayField">
                 <enabled type="BooleanField">
@@ -214,9 +205,7 @@
                     <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
                     <ValidationMessage>Please provide a valid description.</ValidationMessage>
                 </description>
-                <DynDns type="BooleanField">
-                    <Default>0</Default>
-                </DynDns>
+                <DynDns type="BooleanField"/>
             </subdomain>
             <handle type="ArrayField">
                 <enabled type="BooleanField">
@@ -268,12 +257,8 @@
                     <Mask>/^(\/.*)?$/u</Mask>
                     <ValidationMessage>Please enter a valid 'Backend Path' that starts with '/'.</ValidationMessage>
                 </ToPath>
-                <HttpTls type="BooleanField">
-                    <Default>0</Default>
-                </HttpTls>
-                <HttpNtlm type="BooleanField">
-                    <Default>0</Default>
-                </HttpNtlm>
+                <HttpTls type="BooleanField"/>
+                <HttpNtlm type="BooleanField"/>
                 <HttpTlsTrustedCaCerts type="CertificateField">
                     <Type>ca</Type>
                 </HttpTlsTrustedCaCerts>
@@ -303,9 +288,7 @@
                     <Strict>Y</Strict>
                     <ValidationMessage>Please enter valid IP address(es) or network(s), separated by commas.</ValidationMessage>
                 </clientIps>
-                <accesslistInvert type="BooleanField">
-                    <Default>0</Default>
-                </accesslistInvert>
+                <accesslistInvert type="BooleanField"/>
                 <description type="TextField">
                     <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_*-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
                     <ValidationMessage>Please provide a valid description.</ValidationMessage>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index fe8ecfe148..9fcca897b1 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -71,7 +71,7 @@
                 messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
 
                 // Use fadeIn to make the message appear smoothly, then fadeOut after a delay
-                messageArea.fadeIn(500).delay(5000).fadeOut(500, function() {
+                messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
                     // Clear the message after fading out to ensure it's clean for the next message
                     $(this).html('');
                 });
@@ -82,31 +82,35 @@
                 $("#messageArea").hide();
             });
 
-            // Reconfigure the Caddy service, additional validation with a validation API is made beforehand
+            // Reconfigure the Caddy service, additional form save and validation with a validation API is made beforehand
             $("#reconfigureAct").SimpleActionButton({
                 onPreAction: function() {
                     const dfObj = $.Deferred();
 
-                    // Directly proceed to validation
-                    $.ajax({
-                        url: "/api/caddy/service/validate",
-                        type: "GET",
-                        dataType: "json",
-                        success: function(data) {
-                            if (data && data['status'].toLowerCase() === 'ok') {
-                                // If configuration is valid, resolve the Deferred object to proceed
-                                dfObj.resolve();
-                            } else {
-                                // If configuration is invalid, show alert using showAlert
-                                showAlert(data['message'], "Validation Error");
-                                dfObj.reject();
+                    // Save the form before continue
+                    saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings', function() {
+                        // After successful save, proceed with validation
+                        $.ajax({
+                            url: "/api/caddy/service/validate",
+                            type: "GET",
+                            dataType: "json",
+                            success: function(data) {
+                                if (data && data['status'].toLowerCase() === 'ok') {
+                                    dfObj.resolve(); // Configuration is valid
+                                } else {
+                                    showAlert(data['message'], "Validation Error");
+                                    dfObj.reject(); // Configuration is invalid
+                                }
+                            },
+                            error: function(xhr, status, error) {
+                                showAlert("Validation request failed: " + error, "Validation Error");
+                                dfObj.reject(); // AJAX request failed
                             }
-                        },
-                        error: function(xhr, status, error) {
-                            // On AJAX error, show alert using showAlert
-                            showAlert("Validation request failed: " + error, "Validation Error");
-                            dfObj.reject();
-                        }
+                        });
+                    }, function() {
+                        // If save fails, reject the deferred object to stop the reconfigure action
+                        showAlert("Failed to save configuration.", "Error");
+                        dfObj.reject();
                     });
 
                     return dfObj.promise();
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index f152a356dd..1ba868a24c 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -81,7 +81,7 @@
             messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
 
             // Use fadeIn to make the message appear smoothly, then fadeOut after a delay
-            messageArea.fadeIn(500).delay(5000).fadeOut(500, function() {
+            messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
                 // Clear the message after fading out to ensure it's clean for the next message
                 $(this).html('');
             });

From 85a27147c4b1308102134acf136ba8dde9e8b0f6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Mar 2024 08:49:45 +0100
Subject: [PATCH 1818/3088] plugins: style sweep

---
 dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc         | 4 ++--
 .../wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc    | 2 +-
 www/caddy/pkg-descr                                         | 2 +-
 www/caddy/src/etc/inc/plugins.inc.d/caddy.inc               | 6 ++++--
 .../controllers/OPNsense/Caddy/ReverseProxyController.php   | 6 ++++--
 .../mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php     | 3 ---
 .../src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php     | 3 ++-
 7 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc b/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
index 2a45595e5f..e41cb18354 100644
--- a/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
+++ b/dns/ddclient/src/etc/inc/plugins.inc.d/ddclient.inc
@@ -32,8 +32,8 @@ function ddclient_services()
     $services = [];
     $cnf = \OPNsense\Core\Config::getInstance()->object();
     $is_enabled = false;
-    if ($cnf->OPNsense && $cnf->OPNsense->DynDNS && $cnf->OPNsense->DynDNS->general){
-       $is_enabled = $cnf->OPNsense->DynDNS->general->enabled == '1';
+    if ($cnf->OPNsense && $cnf->OPNsense->DynDNS && $cnf->OPNsense->DynDNS->general) {
+        $is_enabled = $cnf->OPNsense->DynDNS->general->enabled == '1';
     }
 
     if ($is_enabled) {
diff --git a/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc b/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
index 132dfd5dc5..ce7d94ade4 100644
--- a/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
+++ b/security/wazuh-agent/src/etc/inc/plugins.inc.d/wazuhagent.inc
@@ -32,7 +32,7 @@ function wazuhagent_services()
     $services = [];
     $cnf = \OPNsense\Core\Config::getInstance()->object();
     $is_enabled = false;
-    if ($cnf->OPNsense && $cnf->OPNsense->WazuhAgent && $cnf->OPNsense->WazuhAgent->general){
+    if ($cnf->OPNsense && $cnf->OPNsense->WazuhAgent && $cnf->OPNsense->WazuhAgent->general) {
         $is_enabled = $cnf->OPNsense->WazuhAgent->general->enabled == '1';
     }
 
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 311733b3cd..483ce846cb 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -27,7 +27,7 @@ Plugin Changelog
 * Increased timeout of message area in reverse_proxy.volt and general.volt to 15 seconds.
 * When pressing Apply, the form is saved automatically before the reconfigure action.
 * Cleaned up Caddy.xml model to satisfy make lint.
-* When selecting an interface in Dynamic DNS, at most one IPv6 GUA and IPv4 non-RFC1918 address will be extracted. Fixes all IP addresses being read. 
+* When selecting an interface in Dynamic DNS, at most one IPv6 GUA and IPv4 non-RFC1918 address will be extracted. Fixes all IP addresses being read.
 
 1.5.1
 
diff --git a/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc b/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
index a04d784d93..78da119b7c 100644
--- a/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
+++ b/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
@@ -32,8 +32,10 @@ function caddy_services()
 
     $services = array();
 
-    if (isset($config['Pischem']['caddy']['general']['enabled']) &&
-        $config['Pischem']['caddy']['general']['enabled'] == 1) {
+    if (
+        isset($config['Pischem']['caddy']['general']['enabled']) &&
+        $config['Pischem']['caddy']['general']['enabled'] == 1
+    ) {
         $services[] = array(
             'description' => gettext('Caddy Web Server'),
             'configd' => array(
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
index d6727b48d2..4a9947d759 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -33,8 +33,10 @@
 
 use OPNsense\Base\IndexController;
 
-class ReverseProxyController extends IndexController {
-    public function indexAction() {
+class ReverseProxyController extends IndexController
+{
+    public function indexAction()
+    {
         $this->view->pick('OPNsense/Caddy/reverse_proxy');
         $this->view->formDialogReverseProxy = $this->getForm("dialogReverseProxy");
         $this->view->formDialogSubdomain = $this->getForm("dialogSubdomain");
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
index b8948233c2..c103f8d48b 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
@@ -40,16 +40,13 @@ public function run($model)
 
         // Ensure there are reverse proxy configurations to process
         if (!empty($config->Pischem->caddy->reverseproxy)) {
-
             // Loop through each reverse proxy configuration in the stored configuration config.xml
             foreach ($config->Pischem->caddy->reverseproxy->children() as $configNode) {
-
                 // Extract the UUID attribute to identify the configuration item
                 $uuid = (string)$configNode->attributes()->uuid;
 
                 // Check if the current configuration item has a 'Description' to migrate
                 if (!empty($configNode->Description)) {
-
                     // Store the value of 'Description' for migration
                     $descriptionValue = (string)$configNode->Description;
 
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index df8550d337..f4f0f6bf60 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -37,7 +37,8 @@
 $configObj = Config::getInstance()->object();
 $temp_dir = '/usr/local/etc/caddy/certificates/temp/';
 
-function extract_and_save_certificates($configObj, $temp_dir) {
+function extract_and_save_certificates($configObj, $temp_dir)
+{
     // Traverse through certificates
     foreach ($configObj->cert as $cert) {
         $cert_refid = (string)$cert->refid;

From 6ba4fb33c165a703b8cfe4bdb190148f012db044 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Mar 2024 08:59:35 +0100
Subject: [PATCH 1819/3088] security/wazuh-agent: update changelog

---
 security/wazuh-agent/pkg-descr | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/security/wazuh-agent/pkg-descr b/security/wazuh-agent/pkg-descr
index 34fe48113c..d131468862 100644
--- a/security/wazuh-agent/pkg-descr
+++ b/security/wazuh-agent/pkg-descr
@@ -1,3 +1,14 @@
-Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.
+Wazuh is a free and open source platform used for threat prevention, detection,
+and response. It is capable of protecting workloads across on-premises,
+virtualized, containerized, and cloud-based environments.
 
-Using this plugin you can integrate your OPNsense firewall into the Wazuh solution.
+Using this plugin you can integrate your OPNsense firewall into the Wazuh
+solution.
+
+Plugin Changelog
+================
+
+1.0
+
+* Initial version
+* Improve service information fetch by avoiding creation of a model

From 0c3df9dcca595c5b89db00841e3802a3e12ca39b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 14 Mar 2024 08:59:51 +0100
Subject: [PATCH 1820/3088] dns/ddclient: update changelog

---
 dns/ddclient/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 7ca2b5b793..a54d3b5708 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 * Add Netcup support (contributed by Ingo Lafrenz)
 * Use '==' instead of 'is' in Domeneshop Python support (contributed by ssmendon)
 * Update DNS record instead of overwriting in Cloudflare Python support (contributed by lin-xianming)
+* Improve service information fetch by avoiding creation of a model
 
 1.20
 

From ed456b2c36d5378b9f5ccf8b73c904e559799db3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 20 Mar 2024 09:56:13 +0100
Subject: [PATCH 1821/3088] net/relayd - make sure required items are required
 and enable new items when created for ease of use. closes
 https://github.com/opnsense/plugins/issues/3850

---
 .../opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index 2e17e27dca..56baf5eed7 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -82,7 +82,7 @@
             </Constraints>
          </name>
          <enabled type="BooleanField">
-            <Default>0</Default>
+            <Default>1</Default>
             <Required>Y</Required>
          </enabled>
          <hosts type="ModelRelationField">
@@ -155,7 +155,7 @@
             </Constraints>
          </name>
          <enabled type="BooleanField">
-            <Default>0</Default>
+            <Default>1</Default>
             <Required>Y</Required>
          </enabled>
          <type type="OptionField">
@@ -242,7 +242,8 @@
             <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
          </transport_timeout>
          <transport_tablemode type="OptionField">
-            <Required>N</Required>
+            <Required>Y</Required>
+            <default>roundrobin</default>
             <OptionValues>
                <hash>Hash</hash>
                <least-states>Least States</least-states>
@@ -305,7 +306,8 @@
             </Constraints>
          </backuptransport_tablecheck>
          <backuptransport_tablemode type="OptionField">
-            <Required>N</Required>
+            <Required>Y</Required>
+            <default>roundrobin</default>
             <OptionValues>
                <hash>Hash</hash>
                <least-states>Least States</least-states>

From 715b17679fe064065f67edc77cd8e5db6be70cb1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 20 Mar 2024 10:10:40 +0100
Subject: [PATCH 1822/3088] net/relayd: bump revision

---
 net/relayd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 139dd2abe5..c370db7956 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.8
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From cf4fa70cd24a09dd7729420809c1968f030c0a5c Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 20 Mar 2024 11:38:53 +0100
Subject: [PATCH 1823/3088] net/relayd - move validation responsibility to the
 model, for https://github.com/opnsense/plugins/issues/3850

@fbrendel fyi
---
 .../Relayd/Api/SettingsController.php         |  92 +---------------
 .../mvc/app/models/OPNsense/Relayd/Relayd.php | 102 ++++++++++++++++++
 2 files changed, 105 insertions(+), 89 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
index c47153d922..fee390f1f4 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
@@ -98,7 +98,7 @@ public function getAction($nodeType = null, $uuid = null)
      */
     public function setAction($nodeType = null, $uuid = null)
     {
-        $result = array('result' => 'failed', 'validations' => array());
+        $result = array('result' => 'failed', 'validations' => []);
         if ($this->request->isPost() && $this->request->hasPost('relayd') && $nodeType != null) {
             $this->validateNodeType($nodeType);
             if ($nodeType == 'general') {
@@ -111,93 +111,7 @@ public function setAction($nodeType = null, $uuid = null)
                 }
             }
             if ($node != null) {
-                $relaydInfo = $this->request->getPost('relayd');
-
-                // perform plugin specific validations
-                if ($nodeType == 'virtualserver') {
-                    // preset defaults for validations
-                    if (empty($relaydInfo[$nodeType]['type'])) {
-                        $relaydInfo[$nodeType]['type'] = $node->type->__toString();
-                    }
-                    if (empty($relaydInfo[$nodeType]['transport_tablemode'])) {
-                        $relaydInfo[$nodeType]['transport_tablemode'] = $node->transport_tablemode->__toString();
-                    }
-                    if (empty($relaydInfo[$nodeType]['backuptransport_tablemode'])) {
-                        $relaydInfo[$nodeType]['backuptransport_tablemode'] =
-                        $node->backuptransport_tablemode->__toString();
-                    }
-
-                    if ($relaydInfo[$nodeType]['type'] == 'redirect') {
-                        if (
-                            $relaydInfo[$nodeType]['transport_tablemode'] != 'least-states' &&
-                            $relaydInfo[$nodeType]['transport_tablemode'] != 'roundrobin'
-                        ) {
-                                $result['validations']['relayd.virtualserver.transport_tablemode'] = sprintf(
-                                    gettext('Scheduler "%s" not supported for redirects.'),
-                                    $relaydInfo[$nodeType]['transport_tablemode']
-                                );
-                        }
-                        if (
-                            $relaydInfo[$nodeType]['backuptransport_tablemode'] != 'least-states' &&
-                            $relaydInfo[$nodeType]['backuptransport_tablemode'] != 'roundrobin'
-                        ) {
-                                $result['validations']['relayd.virtualserver.backuptransport_tablemode'] = sprintf(
-                                    gettext('Scheduler "%s" not supported for redirects.'),
-                                    $relaydInfo[$nodeType]['backuptransport_tablemode']
-                                );
-                        }
-                        if (
-                            $relaydInfo[$nodeType]['transport_type'] == 'route' &&
-                            empty($relaydInfo[$nodeType]['routing_interface'])
-                        ) {
-                                $result['validations']['relayd.virtualserver.routing_interface'] =
-                                    gettext('Routing interface cannot be empty');
-                        }
-                    }
-                    if ($relaydInfo[$nodeType]['type'] == 'relay') {
-                        if ($relaydInfo[$nodeType]['transport_tablemode'] == 'least-states') {
-                            $result['validations']['relayd.virtualserver.transport_tablemode'] = sprintf(
-                                gettext('Scheduler "%s" not supported for relays.'),
-                                $relaydInfo[$nodeType]['transport_tablemode']
-                            );
-                        }
-                        if ($relaydInfo[$nodeType]['backuptransport_tablemode'] == 'least-states') {
-                            $result['validations']['relayd.virtualserver.backuptransport_tablemode'] = sprintf(
-                                gettext('Scheduler "%s" not supported for relays.'),
-                                $relaydInfo[$nodeType]['backuptransport_tablemode']
-                            );
-                        }
-                    }
-                } elseif ($nodeType == 'tablecheck') {
-                    switch ($relaydInfo[$nodeType]['type']) {
-                        case 'send':
-                            if (empty($relaydInfo[$nodeType]['expect'])) {
-                                $result['validations']['relayd.tablecheck.expect'] =
-                                gettext('Expect Pattern cannot be empty.');
-                            }
-                            break;
-                        case 'script':
-                            if (empty($relaydInfo[$nodeType]['path'])) {
-                                $result['validations']['relayd.tablecheck.path'] =
-                                gettext('Script path cannot be empty.');
-                            }
-                            break;
-                        case 'http':
-                            if (empty($relaydInfo[$nodeType]['path'])) {
-                                $result['validations']['relayd.tablecheck.path'] =
-                                gettext('Path cannot be empty.');
-                            }
-                            if (empty($relaydInfo[$nodeType]['code']) && empty($relaydInfo[$nodeType]['digest'])) {
-                                $result['validations']['relayd.tablecheck.code'] =
-                                gettext('Provide one of Response Code or Message Digest.');
-                                $result['validations']['relayd.tablecheck.digest'] =
-                                gettext('Provide one of Response Code or Message Digest.');
-                            }
-                            break;
-                    }
-                }
-
-                $node->setNodes($relaydInfo[$nodeType]);
+                $node->setNodes($this->request->getPost('relayd')[$nodeType]);
                 $valMsgs = $this->getModel()->performValidation();
                 foreach ($valMsgs as $field => $msg) {
                     $fieldnm = str_replace($node->__reference, "relayd." . $nodeType, $msg->getField());
@@ -330,7 +244,7 @@ public function searchAction($nodeType = null)
         if ($this->request->isPost() && $nodeType != null) {
             $this->validateNodeType($nodeType);
             $grid = new UIModelGrid($this->getModel()->$nodeType);
-            $fields = array();
+            $fields = [];
             switch ($nodeType) {
                 case 'host':
                     $fields = ['enabled', 'name', 'address'];
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
index 0669849ed4..37e495b0f5 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
@@ -31,6 +31,7 @@
 namespace OPNsense\Relayd;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 
 /**
  * Class Relayd
@@ -65,6 +66,107 @@ public function configClean()
         return @unlink("/tmp/relayd.dirty");
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+        foreach ($this->virtualserver->iterateItems() as $node) {
+            if (!$validateFullModel && !$node->isFieldChanged()) {
+                continue;
+            }
+            $key = $node->__reference;
+            if ($node->type == 'redirect') {
+                if (!in_array((string)$node->transport_tablemode, ['least-states', 'roundrobin'])) {
+                    $messages->appendMessage(
+                        new Message(
+                            sprintf(gettext('Scheduler "%s" not supported for redirects.'), $node->transport_tablemode),
+                            $key . ".transport_tablemode"
+                        )
+                    );
+                }
+                if (!in_array((string)$node->backuptransport_tablemode, ['least-states', 'roundrobin'])) {
+                    $messages->appendMessage(
+                        new Message(
+                            sprintf(gettext('Scheduler "%s" not supported for redirects.'), $node->transport_tablemode),
+                            $key . ".backuptransport_tablemode"
+                        )
+                    );
+                }
+                if ($node->transport_type == 'route' && empty((string)$node->routing_interface)) {
+                    $messages->appendMessage(
+                        new Message(gettext('Routing interface cannot be empty'), $key . ".routing_interface")
+                    );
+                }
+            } elseif ($node->type == 'relay') {
+                if ($node->transport_tablemode == 'least-states') {
+                    $messages->appendMessage(
+                        new Message(
+                            sprintf(gettext('Scheduler "%s" not supported for relays.'), $node->transport_tablemode),
+                            $key . ".transport_tablemode"
+                        )
+                    );
+                }
+                if ($node->backuptransport_tablemode == 'least-states') {
+                    $messages->appendMessage(
+                        new Message(
+                            sprintf(
+                                gettext('Scheduler "%s" not supported for relays.'),
+                                $node->backuptransport_tablemode
+                            ),
+                            $key . ".backuptransport_tablemode"
+                        )
+                    );
+                }
+            }
+            foreach ($this->tablecheck->iterateItems() as $node) {
+                if (!$validateFullModel && !$node->isFieldChanged()) {
+                    continue;
+                }
+                $key = $node->__reference;
+                switch ((string)$node->type) {
+                    case 'send':
+                        if (empty((string)$node->expect)) {
+                            $messages->appendMessage(
+                                new Message(gettext('Expect Pattern cannot be empty.'),  $key . ".expect")
+                            );
+                        }
+                        break;
+                    case 'script':
+                        if (empty((string)$node->path)) {
+                            $messages->appendMessage(
+                                new Message(gettext('Script path cannot be empty.'),  $key . ".path")
+                            );
+                        }
+                        break;
+                    case 'http':
+                        if (empty((string)$node->path)) {
+                            $messages->appendMessage(
+                                new Message(gettext('Path cannot be empty.'),  $key . ".path")
+                            );
+                        }
+                        if (empty((string)$node->code) && empty((string)$node->digest)) {
+                            $messages->appendMessage(
+                                new Message(
+                                    gettext('Provide one of Response Code or Message Digest.'),
+                                    $key . ".code"
+                                )
+                            );
+                            $messages->appendMessage(
+                                new Message(
+                                    gettext('Provide one of Response Code or Message Digest.'),
+                                    $key . ".digest"
+                                )
+                            );
+                        }
+                        break;
+                }
+            }
+        }
+        return $messages;
+    }
+
     /**
      * @param string $type type of object (host, table, virtualserver)
      * @param string $name name of the attribute

From e18f0ef182b49f2e2ec000d847363e4e6cbeb548 Mon Sep 17 00:00:00 2001
From: Michael Klein <m.klein@mvz-labor-lb.de>
Date: Wed, 20 Mar 2024 16:11:31 +0100
Subject: [PATCH 1824/3088] security/acme-client: add support for ArtFiles DNS
 API

---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsArtfiles.php   | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsArtfiles.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 98fdc7e56c..151eec1a6d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1483,6 +1483,21 @@
         <label>API Token</label>
         <type>password</type>
     </field>
+    <field>
+        <label>ArtFiles DNS API</label>
+        <type>header</type>
+        <style>table_dns table_dns_artfiles</style>
+    </field>
+    <field>
+        <id>validation.dns_artfiles_username</id>
+        <label>API Username</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_artfiles_password</id>
+        <label>API Password</label>
+        <type>password</type>
+    </field>
     <field>
         <label>Hetzner DNS API</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsArtfiles.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsArtfiles.php
new file mode 100644
index 0000000000..2c6e5eca80
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsArtfiles.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2024 MVZ Labor Ludwigsburg GbR
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Artfiles DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsArtfiles extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['AF_API_USERNAME'] = (string)$this->config->dns_artfiles_username;
+        $this->acme_env['AF_API_PASSWORD'] = (string)$this->config->dns_artfiles_password;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index a583d068bd..b2e378a9d3 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -426,6 +426,7 @@
                         <dns_ali>aliyun.com</dns_ali>
                         <dns_kas>All-Inkl.com</dns_kas>
                         <dns_arvan>ArvanCloud</dns_arvan>
+                        <dns_artfiles>ArtFiles</dns_artfiles>
                         <dns_aurora>Aurora (PCextreme/Versio)</dns_aurora>
                         <dns_autodns>AutoDNS (InterNetX)</dns_autodns>
                         <dns_aws>AWS Route 53</dns_aws>
@@ -1123,6 +1124,12 @@
                 <dns_arvan_token type="TextField">
                     <Required>N</Required>
                 </dns_arvan_token>
+                <dns_artfiles_username type="TextField">
+                    <Required>N</Required>
+                </dns_artfiles_username>
+                <dns_artfiles_password type="TextField">
+                    <Required>N</Required>
+                </dns_artfiles_password>
                 <dns_hetzner_token type="TextField">
                     <Required>N</Required>
                 </dns_hetzner_token>

From b258cab9bd8ebbb6310868ca72ff6ff3d5e000d0 Mon Sep 17 00:00:00 2001
From: Brendan Bank <63699049+brendanbank@users.noreply.github.com>
Date: Wed, 27 Mar 2024 09:05:33 +0100
Subject: [PATCH 1825/3088] dns:bind: do not add the update-policy if the zone
 type is secondary (#3873)

---
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 0c091b00ed..23839cf437 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -180,7 +180,7 @@ zone "{{ domain.domainname }}" {
 {%              endfor %}
         };
 {%      endif %}
-{%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" %}
+{%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type != 'secondary' %}
         update-policy {
 		grant rndc-key zonesub ANY;
         };

From 3835878b5f034107cbaebc05a52174d79fd6c85c Mon Sep 17 00:00:00 2001
From: stuart-mclaren <8805659+stuart-mclaren@users.noreply.github.com>
Date: Fri, 29 Mar 2024 07:37:32 +0000
Subject: [PATCH 1826/3088] net/freeradius: Support NT hash of user password
 (#3828)

* net/freeradius: Support NT hash of user password

To improve security provide an "advanced" option to avoid storing
users' radius passwords in plaintext.

The default behaviour is unchanged.

Tested using an openwrt access point as a client with the opnsense
freeradius plugin set to use PEAP.

Compare: https://github.com/pfsense/FreeBSD-ports/pull/822

* net/freeradius: Bump user model version

To reflect NT password hash change.

---------

Co-authored-by: Stuart McLaren <stuart-mclaren@users.noreply.github.com>
---
 .../Freeradius/forms/dialogEditFreeRADIUSUser.xml     |  7 +++++++
 .../mvc/app/models/OPNsense/Freeradius/User.xml       | 11 ++++++++++-
 .../service/templates/OPNsense/Freeradius/users       |  2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
index ea4848a834..e6fc8d7484 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
@@ -17,6 +17,13 @@
         <type>password</type>
         <help>Set the password for the user. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#= with up to 128 characters.</help>
     </field>
+    <field>
+        <id>user.passwordencryption</id>
+        <label>Password Encryption</label>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+        <help><![CDATA[Set encryption or hash for stored password.<br/><b>Cleartext-Password</b> The password will be stored in plaintext. This may be less secure than alternatives. Works with all RADIUS authentication protocols.<br/><b>NT-Password (pre-hashed)</b> An NT hash of the password will be stored. First the NT hash of the password should be generated; this will be a string such as 469DCB69D4A58A5F29272787713D96F8. Then the hash (not the password) should be entered into the password field above. A command such as <code>smbencrypt secret123</code> may be used to generate the pre-hashed NT Password. Works with the following RADIUS authentication protocols: PEAP, EAP-MSCHAPv2, EAP-GTC, PAP, MS-CHAP, Cisco LEAP.]]></help>
+    </field>
     <field>
         <id>user.description</id>
         <label>Description</label>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index 616b946b9e..506ab2d3f9 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/user</mount>
     <description>FreeRADIUS user configuration</description>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <items>
         <users>
             <user type="ArrayField">
@@ -17,6 +17,15 @@
                     <Required>Y</Required>
                     <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}]){1,128}$/u</mask>
                 </password>
+                <passwordencryption type="OptionField">
+                    <default>Cleartext-Password</default>
+                    <Required>Y</Required>
+                    <multiple>N</multiple>
+                    <OptionValues>
+                        <cleartext value="Cleartext-Password">Cleartext-Password</cleartext>
+                        <ntprehashed value="NT-Password">NT-Password (pre-hashed)</ntprehashed>
+                    </OptionValues>
+                </passwordencryption>
                 <description type="TextField">
                     <Required>N</Required>
                 </description>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index a7c46550e6..ff9a97916f 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -3,7 +3,7 @@
 {%     for user_list in helpers.toList('OPNsense.freeradius.user.users.user') %}
 {%       if user_list.enabled == '1' %}
 
-{{ user_list.username }}  Cleartext-Password := "{{ user_list.password }}"{% if helpers.exists('OPNsense.freeradius.general.sessionlimit') and OPNsense.freeradius.general.sessionlimit == '1' %}{% if user_list.sessionlimit_max_session_limit is defined %}, Max-Daily-Session := {{ user_list.sessionlimit_max_session_limit }}{% endif %}{% endif %}{% if user_list.simuse is defined %}, Simultaneous-Use := "{{ user_list.simuse }}"{% endif %}{% if user_list.logintime is defined %}, Login-Time := "{{ user_list.logintime }}"{% endif %}
+{{ user_list.username }} {{ user_list.passwordencryption }} := "{{ user_list.password }}"{% if helpers.exists('OPNsense.freeradius.general.sessionlimit') and OPNsense.freeradius.general.sessionlimit == '1' %}{% if user_list.sessionlimit_max_session_limit is defined %}, Max-Daily-Session := {{ user_list.sessionlimit_max_session_limit }}{% endif %}{% endif %}{% if user_list.simuse is defined %}, Simultaneous-Use := "{{ user_list.simuse }}"{% endif %}{% if user_list.logintime is defined %}, Login-Time := "{{ user_list.logintime }}"{% endif %}
 
 {%       if user_list.ip is defined %}
        Framed-IP-Address = {{ user_list.ip }},

From 26e6379874d56190e409c07c37cb12a58679c1ff Mon Sep 17 00:00:00 2001
From: Malte Rabenseifner <mail@malte-rabenseifner.de>
Date: Fri, 29 Mar 2024 10:53:29 +0100
Subject: [PATCH 1827/3088] net-mgmt/zabbix-proxy: Add logging options (#3711)

---
 .../OPNsense/Zabbixproxy/forms/general.xml    | 19 +++++++++++++++
 .../models/OPNsense/Zabbixproxy/General.xml   | 24 ++++++++++++++++++-
 .../OPNsense/Zabbixproxy/zabbix_proxy.conf.in | 11 +++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index 168f981c3c..efef9db911 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -153,6 +153,25 @@
         <allownew>true</allownew>
         <help>IP address of host allowed to retrieve proxy statistics.</help>
     </field>
+    <field>
+        <id>general.syslogEnable</id>
+        <label>Log To Syslog</label>
+        <type>checkbox</type>
+        <help>Use syslog instead of logging to a file.</help>
+    </field>
+    <field>
+        <id>general.logFileSize</id>
+        <label>Log File Size</label>
+        <type>text</type>
+        <help>Maximum size of log file (in MB).</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.debugLevel</id>
+        <label>Debug Level</label>
+        <type>dropdown</type>
+        <help>Specifies the debug level for the proxy.</help>
+    </field>
     <field>
         <id>general.encryption</id>
         <label>PSK based encryption</label>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index ab55fb06cc..e9a060522f 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/zabbixproxy/general</mount>
     <description>Zabbix Proxy configuration</description>
-    <version>2.0.3</version>
+    <version>2.0.4</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -106,6 +106,28 @@
             <asList>Y</asList>
             <Required>N</Required>
         </statsip>
+        <syslogEnable type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </syslogEnable>
+        <logFileSize type="IntegerField">
+            <default>100</default>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1024</MaximumValue>
+            <Required>Y</Required>
+        </logFileSize>
+        <debugLevel type="OptionField">
+            <default>val_3</default>
+            <OptionValues>
+                <val_0>basic information (0)</val_0>
+                <val_1>critical information (1)</val_1>
+                <val_2>error information (2)</val_2>
+                <val_3>warnings (3, default)</val_3>
+                <val_4>debugging (4)</val_4>
+                <val_5>extended debugging (5)</val_5>
+            </OptionValues>
+            <Required>Y</Required>
+        </debugLevel>
         <encryption type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index 3ee03b5dc1..23d9f5cb3c 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -25,7 +25,18 @@ ListenPort={{ OPNsense.zabbixproxy.general.listenport }}
 {% if helpers.exists('OPNsense.zabbixproxy.general.sourceip') and OPNsense.zabbixproxy.general.sourceip != '' %}
 SourceIP={{ OPNsense.zabbixproxy.general.sourceip }}
 {% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.syslogEnable') and OPNsense.zabbixproxy.general.syslogEnable == '1' %}
+LogType=system
+{% else %}
+LogType=file
 LogFile=/var/log/zabbix/zabbix_proxy.log
+{% if helpers.exists('OPNsense.zabbixproxy.general.logFileSize') %}
+LogFileSize={{OPNsense.zabbixproxy.general.logFileSize}}
+{% endif %}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.debugLevel')
+DebugLevel={{OPNsense.zabbixproxy.general.debugLevel|replace("val_", "")}}
+{% endif %}
 PidFile=/var/run/zabbix/zabbix_proxy.pid
 DBName=/var/db/zabbix/%%PLUGIN_VARIANT%%_proxy.db
 {% if helpers.exists('OPNsense.zabbixproxy.general.proxyofflinebuffer') and OPNsense.zabbixproxy.general.proxyofflinebuffer != '' %}

From a2ccdcc65ef005ca365b6da447444f37195bb68a Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Sat, 30 Mar 2024 08:43:03 +0300
Subject: [PATCH 1828/3088] adjust severity levels

---
 .../opnsense/mvc/app/models/OPNsense/Bind/General.xml    | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 8ab42f3c62..9935dbae45 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/general</mount>
     <description>BIND configuration</description>
-    <version>1.0.11</version>
+    <version>1.0.12</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -78,14 +78,13 @@
         </logsize>
         <general_log_level type="OptionField">
             <OptionValues>
-                <emerg value="emerg">Emergency</emerg>
-                <alert value="alert">Alert</alert>
-                <crit value="crit">Critical</crit>
+                <crit value="critical">Critical</crit>
                 <error value="error">Error</error>
-                <warn value="warn">Warning</warn>
+                <warn value="warning">Warning</warn>
                 <notice value="notice">Notice</notice>
                 <info value="info">Informational</info>
                 <debug value="debug">Debug</debug>
+                <dynamic value="dynamic">Dynamic</dynamic>
             </OptionValues>
             <Required>Y</Required>
             <default>info</default>

From 354782cf9beff470c46580859556d8e070aa2416 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 2 Apr 2024 12:36:18 +0200
Subject: [PATCH 1829/3088] www/caddy: v1.5.3 (#3865)

---
 www/caddy/Makefile                            |   4 +-
 www/caddy/pkg-descr                           |  13 ++
 .../Caddy/Api/ReverseProxyController.php      |   4 +-
 .../OPNsense/Caddy/forms/dialogHandle.xml     |  74 +++++-----
 .../Caddy/forms/dialogReverseProxy.xml        |  72 ++++++----
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |  45 +++---
 .../OPNsense/Caddy/forms/dnsprovider.xml      |  36 ++---
 .../OPNsense/Caddy/forms/dynamicdns.xml       |  37 ++---
 .../OPNsense/Caddy/forms/general.xml          |  12 +-
 .../OPNsense/Caddy/forms/logsettings.xml      |   2 -
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   |   2 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  39 ++----
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  10 +-
 .../scripts/OPNsense/Caddy/caddy_certs.php    |   7 +-
 .../opnsense/scripts/OPNsense/Caddy/setup.sh  |  28 ++--
 .../service/conf/actions.d/actions_caddy.conf |   1 +
 .../templates/OPNsense/Caddy/Caddyfile        | 130 +++++++-----------
 17 files changed, 244 insertions(+), 272 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 95dd8078a2..138ee9fee6 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.5.2
+PLUGIN_VERSION=		1.5.3
 PLUGIN_DEPENDS=		caddy-custom
-PLUGIN_COMMENT=		Easy to configure Reverse Proxy based on Caddy with Automatic HTTPS and Dynamic DNS
+PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 
 .include "../../Mk/plugins.mk"
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 483ce846cb..72f60a2dac 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -19,9 +19,22 @@ Main features of this plugin:
 * Syslog-ng integration and HTTP Access Log
 * NTLM Transport
 
+DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
+
 Plugin Changelog
 ================
 
+1.5.3
+
+* Change from "Phalcon Messages" to "OPNsense Messages" in Caddy.php.
+* Change default storage location from /usr/local/etc/caddy to /var/db/caddy/data/caddy/.
+* Change description from "TextField" to "DescriptionField" in Caddy.xml model.
+* Add tls_insecure_skip_verify to handlers.
+* Add possibility to restart Caddy with the ACME Client by using "Automations - Run Command - System or Plugin Command".
+* Add option to redirect the ACME HTTP-01 challenge to an upstream destination as advanced option in domains.
+* Remove unmaintained DNS Providers: dnspod, hetzner, namesilo, vercel, alidns, metaname, openstack-designate.
+* Cleanup dialogs and UI to present all options better.
+
 1.5.2
 
 * Increased timeout of message area in reverse_proxy.volt and general.volt to 15 seconds.
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index a1d71c8312..5236dfba93 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -43,7 +43,7 @@ class ReverseProxyController extends ApiMutableModelControllerBase
 
     public function searchReverseProxyAction()
     {
-        return $this->searchBase("reverseproxy.reverse", ['enabled', 'FromDomain', 'FromPort', 'accesslist', 'basicauth', 'DnsChallenge', 'CustomCertificate', 'AccessLog', 'DynDns', 'description']);
+        return $this->searchBase("reverseproxy.reverse", ['enabled', 'FromDomain', 'FromPort', 'accesslist', 'basicauth', 'DnsChallenge', 'CustomCertificate', 'AccessLog', 'DynDns', 'AcmePassthrough', 'description']);
     }
 
     public function setReverseProxyAction($uuid)
@@ -109,7 +109,7 @@ public function toggleSubdomainAction($uuid, $enabled = null)
 
     public function searchHandleAction()
     {
-        return $this->searchBase("reverseproxy.handle", ['enabled', 'reverse', 'subdomain', 'HandleType', 'HandlePath', 'ToDomain', 'ToPort', 'ToPath', 'HttpTls', 'HttpTlsTrustedCaCerts', 'HttpTlsServerName', 'HttpNtlm', 'description']);
+        return $this->searchBase("reverseproxy.handle", ['enabled', 'reverse', 'subdomain', 'HandleType', 'HandlePath', 'ToDomain', 'ToPort', 'ToPath', 'HttpTls', 'HttpTlsTrustedCaCerts', 'HttpTlsServerName', 'HttpNtlm', 'HttpTlsInsecureSkipVerify', 'description']);
     }
 
     public function setHandleAction($uuid)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 26bb9cacbc..68ac76a59b 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -7,85 +7,95 @@
     </field>
     <field>
         <id>handle.reverse</id>
-        <label>Reverse Proxy Domain</label>
+        <label>Domain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a reverse proxy domain to which this handler should be added.]]></help>
     </field>
     <field>
         <id>handle.subdomain</id>
-        <label>Reverse Proxy Subdomain</label>
+        <label>Subdomain</label>
         <type>dropdown</type>
-        <help><![CDATA[Optionally, select a reverse proxy subdomain to which this handler should be added. In most cases, leaving this as "None" will be the best choice.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Optionally, select a reverse proxy subdomain to which this handler should be added. If not using subdomains, leaving this as "None" will be the best choice.]]></help>
     </field>
     <field>
         <id>handle.HandleType</id>
         <label>Handle Type</label>
         <type>dropdown</type>
-        <help><![CDATA[Select the handler type. In most cases, leaving this as "handle" will be the best choice.]]></help>
+        <help><![CDATA[In most cases, leaving this as "handle" will be the best choice.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HandlePath</id>
         <label>Handle Path</label>
         <type>text</type>
-        <help><![CDATA[Enter a handler like '/*' or '/example/*', or leave blank for a catch-all handler (recommended). You can define multiple handlers per domain/subdomain by creating additional entries. Save more specific handlers first, as the first matching handler is prioritized. Blank handlers are processed last automatically. To reorder, clone handlers in the desired sequence and delete old ones.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Enter a handler like '/*' or '/example/*', or leave blank for a catch-all handler (recommended). Any request matching this handler will be reverse proxied to the upstream destination.]]></help>
+    </field>
+    <field>
+        <id>handle.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this handler.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Upstream</label>
     </field>
     <field>
         <id>handle.ToDomain</id>
-        <label>Backend Server Domain</label>
+        <label>Upstream Domain</label>
         <type>text</type>
         <hint>192.168.1.1</hint>
-        <help><![CDATA[Enter the internal domain name or IP address of the backend server destination for this handler.]]></help>
+        <help><![CDATA[Enter the internal domain name or IP address of the upstream destination for this handler.]]></help>
     </field>
     <field>
         <id>handle.ToPort</id>
-        <label>Backend Server Port</label>
+        <label>Upstream Port</label>
         <type>text</type>
-        <hint>443</hint>
-        <help><![CDATA[Enter the port number of the backend server. Leave this empty for bind to port 80. For HTTPS, use 443.]]></help>
-        <advanced>true</advanced>
+        <hint>80</hint>
+        <help><![CDATA[Enter the port number of the upstream destination. Leave this empty to use port 80.]]></help>
     </field>
     <field>
         <id>handle.ToPath</id>
-        <label>Backend Path</label>
+        <label>Upstream Path</label>
         <type>text</type>
-        <help><![CDATA[Enter a path prefix like '/guacamole' that should be prepended to the backend request because the application demands it.]]></help>
+        <help><![CDATA[Enter a path prefix like '/guacamole' that should be prepended to the upstream request because the application demands it.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <type>header</type>
+        <label>Trust</label>
+        <collapse>true</collapse>
+    </field>
     <field>
         <id>handle.HttpTls</id>
         <label>TLS</label>
         <type>checkbox</type>
-        <help><![CDATA[Use HTTP over TLS (HTTPS) to communicate with the Backend Server. In most cases, leaving this unchecked will be the best choice. Caddy uses HTTP for communication with the Backend Server by default.]]></help>
+        <help><![CDATA[Use HTTP over TLS (HTTPS) to communicate with the upstream destination. In most cases, leaving this unchecked will be the best choice. Caddy uses HTTP for communication with the upstream destination by default.]]></help>
+    </field>
+    <field>
+        <id>handle.HttpNtlm</id>
+        <label>NTLM</label>
+        <type>checkbox</type>
+        <help><![CDATA[If "TLS" has been checked, check "NTLM" in addition for reverse proxying an Exchange Server. In most other cases, leaving this unchecked will be the best choice.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HttpTlsInsecureSkipVerify</id>
+        <label>TLS Insecure Skip Verify</label>
+        <type>checkbox</type>
+        <help><![CDATA[Turns off TLS handshake verification, making the connection insecure and vulnerable to man-in-the-middle attacks. Do not use in production.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HttpTlsTrustedCaCerts</id>
         <label>TLS Trusted CA Certificate</label>
         <type>dropdown</type>
-        <help><![CDATA[If TLS is enabled, and you are not using a globally trusted server certificate on your Backend Server, you can choose a CA certificate or self-signed certificate to trust from "System - Trust - Authorities".]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Optionally, if TLS is enabled, choose a CA certificate or self-signed certificate to trust from "System - Trust - Authorities".]]></help>
     </field>
     <field>
         <id>handle.HttpTlsServerName</id>
         <label>TLS Server Name</label>
         <type>text</type>
         <help><![CDATA[Optionally, specify a hostname or IP address that matches the SAN of the "TLS Trusted CA Certificate". Please note that only SAN certificates are supported; CN will not work.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>handle.HttpNtlm</id>
-        <label>NTLM</label>
-        <type>checkbox</type>
-        <help><![CDATA[If "TLS" has been checked, check "NTLM" in addition for reverse proxying an Exchange Server. In most other cases, leaving this unchecked will be the best choice.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>handle.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this handler.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 16699cf3a6..a849f3593b 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -7,33 +7,41 @@
     </field>
     <field>
         <id>reverse.FromDomain</id>
-        <label>Reverse Proxy Domain</label>
+        <label>Domain</label>
         <type>text</type>
         <hint>example.com</hint>
         <help><![CDATA[Enter a domain name or IP address. For a wildcard domain, use *.example.com. Only use wildcard domains with a wildcard certificate. Don't forget to create a firewall rule that allows port 80 and 443 to "This Firewall".]]></help>
     </field>
     <field>
         <id>reverse.FromPort</id>
-        <label>Reverse Proxy Port</label>
+        <label>Port</label>
         <type>text</type>
         <hint>443</hint>
         <help><![CDATA[Enter the port number. Leave this empty to bind to port 80 and 443 with automatic redirection. Don't forget to create a firewall rule that allows this port to "This Firewall".]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
-        <id>reverse.accesslist</id>
-        <label>Access List</label>
-        <type>dropdown</type>
-        <help><![CDATA[Optionally, select an Access List to restrict access to this domain. If left as "None", any local or remote client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
-        <advanced>true</advanced>
+        <id>reverse.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <hint>example.com.443</hint>
+        <help><![CDATA[Enter a description for this reverse proxy domain.]]></help>
     </field>
     <field>
-        <id>reverse.basicauth</id>
-        <label>Basic Auth</label>
-        <type>select_multiple</type>
-        <size>5</size>
-        <help><![CDATA[Optionally, select Users to restrict access to this domain. Basic Auth matches after Access Lists. If left as "None", any client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
-        <advanced>true</advanced>
+        <type>header</type>
+        <label>DNS</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>reverse.DynDns</id>
+        <label>Dynamic DNS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this domain wi
+ll be automatically updated with your DNS Provider.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Trust</label>
+        <collapse>true</collapse>
     </field>
     <field>
         <id>reverse.DnsChallenge</id>
@@ -42,30 +50,40 @@
         <help><![CDATA[Enable DNS-01 challenge for ACME, please configure DNS Provider and API Key in General Settings. In most cases, leaving this option unchecked will be the best choice. The automatic Let's Encrypt HTTP challenge will be used if this option is unchecked, which needs no further configuration.]]></help>
     </field>
     <field>
-        <id>reverse.DynDns</id>
-        <label>Dynamic DNS</label>
-        <type>checkbox</type>
-        <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this domain will be automatically updated with your DNS Provider.]]></help>
+        <id>reverse.AcmePassthrough</id>
+        <label>HTTP-01 challenge redirection</label>
+        <type>text</type>
+        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables a server behind Caddy to serve "/.well-known/acme-challenge/". Caddy will issue a certificate for the same domain using the TLS-ALPN-01 challenge or DNS-01 challenge instead.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>reverse.CustomCertificate</id>
         <label>Custom Certificate</label>
         <type>dropdown</type>
         <help><![CDATA[Choose your own certificate from System Trust Certificates. Make sure you have imported the full chain. In most cases, leaving this as "None" will be the best choice.]]></help>
-        <advanced>true</advanced>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Access</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>reverse.accesslist</id>
+        <label>Access List</label>
+        <type>dropdown</type>
+        <help><![CDATA[Optionally, select an Access List to restrict access to this domain. If left as "None", any local or remote client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+    </field>
+    <field>
+        <id>reverse.basicauth</id>
+        <label>Basic Auth</label>
+        <type>select_multiple</type>
+        <size>5</size>
+        <help><![CDATA[Optionally, select Users to restrict access to this domain. Basic Auth matches after Access Lists. If left as "None", any client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
     </field>
     <field>
         <id>reverse.AccessLog</id>
         <label>HTTP Access Log</label>
         <type>checkbox</type>
         <help><![CDATA[Enable the HTTP request logging for this domain and its subdomains. This option is mostly for troubleshooting since it will log every single request.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>reverse.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <hint>example.com.443</hint>
-        <help><![CDATA[Enter a description for this reverse proxy domain.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index a43e961eee..4aeace28a4 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -7,31 +7,52 @@
     </field>
     <field>
         <id>subdomain.reverse</id>
-        <label>Reverse Proxy Domain</label>
+        <label>Domain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a domain, to which this subdomain should be added.]]></help>
     </field>
     <field>
         <id>subdomain.FromDomain</id>
-        <label>Reverse Proxy Subdomain</label>
+        <label>Subdomain</label>
         <type>text</type>
         <hint>opn.example.com</hint>
         <help><![CDATA[Enter the subdomain name (e.g., 'opn.example.com' if your wildcard domain is '*.example.com').]]></help>
     </field>
     <field>
         <id>subdomain.FromPort</id>
-        <label>Reverse Proxy Port</label>
+        <label>Port</label>
         <type>text</type>
         <hint>443</hint>
         <help><![CDATA[Enter the port number. Leave this empty to bind to port 80 and 443 with automatic redirection. Don't forget to create a firewall rule that allows this destination port to "This Firewall".]]></help>
-        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>subdomain.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <hint>opn.example.com.443</hint>
+        <help><![CDATA[Enter a description for this reverse proxy subdomain.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>DNS</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>subdomain.DynDns</id>
+        <label>Dynamic DNS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this subdomain will be automatically updated with your DNS Provider.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Access</label>
+        <collapse>true</collapse>
     </field>
     <field>
         <id>subdomain.accesslist</id>
         <label>Access List</label>
         <type>dropdown</type>
         <help><![CDATA[Optionally, select an Access List to restrict access to this subdomain. If left as "None", any local or remote client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>subdomain.basicauth</id>
@@ -39,19 +60,5 @@
         <type>select_multiple</type>
         <size>5</size>
         <help><![CDATA[Optionally, select Users to restrict access to this subdomain. Basic Auth matches after Access Lists. If left as "None", any client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>subdomain.DynDns</id>
-        <label>Dynamic DNS</label>
-        <type>checkbox</type>
-        <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this subdomain will be automatically updated with your DNS Provider.]]></help>
-    </field>
-    <field>
-        <id>subdomain.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <hint>opn.example.com.443</hint>
-        <help><![CDATA[Enter a description for this reverse proxy subdomain.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index ad963b984b..cd6f75bf78 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -9,55 +9,41 @@
         <id>caddy.general.TlsDnsApiKey</id>
         <label>DNS API Standard Field</label>
         <type>text</type>
-        <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", DNSPod "auth_token", Hetzner "api_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Namesilo "api_token", Njalla "api_token", Vercel "api_token",  Google Cloud DNS "gcp_project", Alidns "access_key_id", Azure "tenant_id", OpenStack Designate "region_name", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Metaname "api_key", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url".]]></help>
+        <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url".]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Additional Fields</label>
+        <collapse>true</collapse>
     </field>
     <field>
         <id>caddy.general.TlsDnsSecretApiKey</id>
         <label>DNS API Additional Field 1</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Alidns "access_key_secret", Azure "client_id", OpenStack Designate "tenant_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Metaname "account_reference", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address".]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField1</id>
         <label>DNS API Additional Field 2</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OpenStack Designate "identity_api_version", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password".]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField2</id>
         <label>DNS API Additional Field 3</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OpenStack Designate "password", OVH "consumer_key", Namecheap "client_ip", DDNS "password".]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField3</id>
         <label>DNS API Additional Field 4</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name", OpenStack Designate "username".]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField4</id>
         <label>DNS API Additional Field 5</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "token", OpenStack Designate "tenant_name".]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsOptionalField5</id>
-        <label>DNS API Additional Field 6</label>
-        <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: OpenStack Designate "auth_url".]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsOptionalField6</id>
-        <label>DNS API Additional Field 7</label>
-        <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: OpenStack Designate "endpoint_type".]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "token".]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
index d57c17e575..d7fa66ef17 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
@@ -1,17 +1,9 @@
 <form>
     <field>
-        <id>caddy.general.DynDnsSimpleHttp</id>
-        <label>DynDns Check Http</label>
-        <type>text</type>
-        <help><![CDATA[Optionally, enter a URL to test the current IP address of the firewall via HTTP protocol. Generally, this is not needed. Caddy uses default providers to test the current IP addresses. If you'd rather use your own, enter the https:// link to an IP address testing website.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>caddy.general.DynDnsInterface</id>
-        <label>DynDns Check Interface</label>
+        <id>caddy.general.DynDnsIpVersions</id>
+        <label>DynDns IP Version</label>
         <type>dropdown</type>
-        <help><![CDATA[Optionally, select an interface to extract the current IP addresses of the firewall. At most, one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted. This depends on the DynDns IP Version that's specified.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Leave on None to set IPv4 A-Records and IPv6 AAAA-Records. Select "IPv4 only" for setting A-Records. Select "IPv6 only" for setting AAAA-Records.]]></help>
     </field>
     <field>
         <id>caddy.general.DynDnsCheckInterval</id>
@@ -19,16 +11,27 @@
         <type>text</type>
         <help><![CDATA[Interval to poll for changes of the IP address. The default is 5 minutes. Can be a number between 1 to 1440 minutes.]]></help>
     </field>
-    <field>
-        <id>caddy.general.DynDnsIpVersions</id>
-        <label>DynDns IP Version</label>
-        <type>dropdown</type>
-        <help><![CDATA[Leave on None to set IPv4 A-Records and IPv6 AAAA-Records. Select "IPv4 only" for setting A-Records. Select "IPv6 only" for setting AAAA-Records.]]></help>
-    </field>
     <field>
         <id>caddy.general.DynDnsTTL</id>
         <label>DynDns TTL</label>
         <type>text</type>
         <help><![CDATA[Set the TTL (time to live) for DNS Records. The default is 1 hour. Can be a number between 1 to 24 hours.]]></help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Additional Checks</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>caddy.general.DynDnsSimpleHttp</id>
+        <label>DynDns Check Http</label>
+        <type>text</type>
+        <help><![CDATA[Optionally, enter a URL to test the current IP address of the firewall via HTTP protocol. Generally, this is not needed. Caddy uses default providers to test the current IP addresses. If you'd rather use your own, enter the https:// link to an IP address testing website.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.DynDnsInterface</id>
+        <label>DynDns Check Interface</label>
+        <type>dropdown</type>
+        <help><![CDATA[Optionally, select an interface to extract the current IP addresses of the firewall. At most, one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted. This depends on the DynDns IP Version that's specified.]]></help>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index b00d7085eb..e17e870261 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -18,16 +18,16 @@
         <type>dropdown</type>
         <help><![CDATA[Select the auto HTTPS option. "On" (default) creates automatic certificates using Let's Encrypt or ZeroSSL without needing any configuration.]]></help>
     </field>
-    <field>
-        <id>caddy.general.abort</id>
-        <label>Abort Connections</label>
-        <type>checkbox</type>
-        <help><![CDATA[Abort all connections that don't have a matching handle or access list. This option doesn't conflict with Let's Encrypt. Disable it for troubleshooting purposes, e.g., testing if the Reverse Proxy Domain works and the Certificate has been installed. For production use, enabling this option is recommended.]]></help>
-    </field>
     <field>
         <id>caddy.general.accesslist</id>
         <label>Trusted Proxies</label>
         <type>dropdown</type>
         <help><![CDATA[Select an Access List of Trusted Proxies. If Caddy is not the first server being connected to by your clients (for example when a CDN is in front of Caddy), you may configure trusted_proxies with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the Domains your Trusted Proxy connects to.]]></help>
     </field>
+    <field>
+        <id>caddy.general.abort</id>
+        <label>Abort Connections</label>
+        <type>checkbox</type>
+        <help><![CDATA[Abort all connections that don't have a matching handle or access list. This option doesn't conflict with Let's Encrypt. Disable it for troubleshooting purposes, e.g., testing if the Reverse Proxy Domain works and the Certificate has been installed. For production use, enabling this option is recommended.]]></help>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
index 5af8a9a146..022ce6ca01 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
@@ -10,7 +10,6 @@
         <label>Log HTTP Access in JSON Format</label>
         <type>checkbox</type>
         <help><![CDATA[Log HTTP access in a standard JSON logfile per domain, e.g for processing by CrowdSec. Use combined with HTTP Access Log in the Reverse Proxy Domain. Enabling this will make the HTTP Access Log dissappear from the standard "Log File" in the GUI. They can be found in the filesystem "/var/log/caddy/access/"]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>caddy.general.LogAccessPlainKeep</id>
@@ -18,6 +17,5 @@
         <hint>10</hint>
         <type>text</type>
         <help><![CDATA[How many days to keep the JSON access logs.]]></help>
-        <advanced>true</advanced>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index e9bbb97dfe..953f284fb1 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -31,7 +31,7 @@
 namespace OPNsense\Caddy;
 
 use OPNsense\Base\BaseModel;
-use Phalcon\Messages\Message;
+use OPNsense\Base\Messages\Message;
 
 class Caddy extends BaseModel
 {
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 89bc764fbb..3d8497fd33 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.1.4</version>
+    <version>1.1.5</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -26,8 +26,6 @@
                     <cloudflare>Cloudflare</cloudflare>
                     <duckdns>Duck DNS</duckdns>
                     <digitalocean>DigitalOcean</digitalocean>
-                    <dnspod>DNSPod</dnspod>
-                    <hetzner>Hetzner</hetzner>
                     <godaddy>GoDaddy</godaddy>
                     <gandi>Gandi</gandi>
                     <ionos>IONOS</ionos>
@@ -35,19 +33,14 @@
                     <porkbun>Porkbun</porkbun>
                     <route53>Route53</route53>
                     <acmedns>ACME-DNS</acmedns>
-                    <alidns>Alidns</alidns>
                     <googleclouddns>Google Cloud DNS</googleclouddns>
                     <azure>Azure</azure>
-                    <openstack-designate>OpenStack Designate</openstack-designate>
                     <ovh>OVH</ovh>
                     <namecheap>Namecheap</namecheap>
                     <netlify>Netlify</netlify>
-                    <namesilo>Namesilo</namesilo>
                     <powerdns>PowerDNS</powerdns>
-                    <vercel>Vercel</vercel>
                     <ddnss>DDNSS</ddnss>
                     <njalla>Njalla</njalla>
-                    <metaname>Metaname</metaname>
                     <linode>Linode</linode>
                     <tencentcloud>Tencent Cloud</tencentcloud>
                     <dinahosting>Dinahosting</dinahosting>
@@ -61,8 +54,6 @@
             <TlsDnsOptionalField2 type="TextField"/>
             <TlsDnsOptionalField3 type="TextField"/>
             <TlsDnsOptionalField4 type="TextField"/>
-            <TlsDnsOptionalField5 type="TextField"/>
-            <TlsDnsOptionalField6 type="TextField"/>
             <accesslist type="ModelRelationField">
                 <Model>
                     <reverseproxy>
@@ -146,15 +137,17 @@
                     </Model>
                     <Multiple>Y</Multiple>
                 </basicauth>
-                <description type="TextField">
+                <description type="DescriptionField">
                     <Required>Y</Required>
-                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_*-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
                 </description>
                 <DnsChallenge type="BooleanField"/>
                 <CustomCertificate type="CertificateField"/>
                 <AccessLog type="BooleanField"/>
                 <DynDns type="BooleanField"/>
+                <AcmePassthrough type="HostnameField">
+                    <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
+                    <IpAllowed>Y</IpAllowed>
+                </AcmePassthrough>
             </reverse>
             <subdomain type="ArrayField">
                 <enabled type="BooleanField">
@@ -200,10 +193,8 @@
                     </Model>
                     <Multiple>Y</Multiple>
                 </basicauth>
-                <description type="TextField">
+                <description type="DescriptionField">
                     <Required>Y</Required>
-                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
                 </description>
                 <DynDns type="BooleanField"/>
             </subdomain>
@@ -259,6 +250,7 @@
                 </ToPath>
                 <HttpTls type="BooleanField"/>
                 <HttpNtlm type="BooleanField"/>
+                <HttpTlsInsecureSkipVerify type="BooleanField"/>
                 <HttpTlsTrustedCaCerts type="CertificateField">
                     <Type>ca</Type>
                 </HttpTlsTrustedCaCerts>
@@ -269,10 +261,7 @@
                     <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
                     <ZoneRootAllowed>N</ZoneRootAllowed>
                 </HttpTlsServerName>
-                <description type="TextField">
-                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
-                </description>
+                <description type="DescriptionField"/>
             </handle>
             <accesslist type="ArrayField">
                 <accesslistName type="TextField">
@@ -289,10 +278,7 @@
                     <ValidationMessage>Please enter valid IP address(es) or network(s), separated by commas.</ValidationMessage>
                 </clientIps>
                 <accesslistInvert type="BooleanField"/>
-                <description type="TextField">
-                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_*-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
-                </description>
+                <description type="DescriptionField"/>
             </accesslist>
             <basicauth type="ArrayField">
                 <basicauthuser type="TextField">
@@ -303,10 +289,7 @@
                 <basicauthpass type="UpdateOnlyTextField">
                     <Required>Y</Required>
                 </basicauthpass>
-                <description type="TextField">
-                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-                    <ValidationMessage>Please provide a valid description.</ValidationMessage>
-                </description>
+                <description type="DescriptionField"/>
             </basicauth>
         </reverseproxy>
     </items>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 1ba868a24c..92aaac25d0 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -166,6 +166,7 @@
                             <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">Dynamic DNS</th>
                             <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">HTTP Access Log</th>
                             <th data-column-id="CustomCertificate" data-type="string" data-visible="false">Custom Certificate</th>
+                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">HTTP-01 redirection</th>
                             <th data-column-id="description" data-type="string">Description</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
                         </tr>
@@ -232,14 +233,15 @@
                             <th data-column-id="reverse" data-type="string">Domain</th>
                             <th data-column-id="subdomain" data-type="string">Subdomain</th>
                             <th data-column-id="HandleType" data-type="string" data-visible="false">Handle Type</th>
-                            <th data-column-id="HandlePath" data-type="string">Handle Path</th>
-                            <th data-column-id="ToDomain" data-type="string">Backend Domain</th>
-                            <th data-column-id="ToPort" data-type="string">Backend Port</th>
-                            <th data-column-id="ToPath" data-type="string" data-visible="false">Backend Path</th>
+                            <th data-column-id="HandlePath" data-type="string" data-visible="false">Handle Path</th>
+                            <th data-column-id="ToDomain" data-type="string">Upstream Domain</th>
+                            <th data-column-id="ToPort" data-type="string">Upstream Port</th>
+                            <th data-column-id="ToPath" data-type="string" data-visible="false">Upstream Path</th>
                             <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">TLS</th>
                             <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">TLS CA</th>
                             <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">TLS Server Name</th>
                             <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">NTLM</th>
+                            <th data-column-id="HttpTlsInsecureSkipVerify" data-type="boolean" data-formatter="boolean" data-visible="false">TLS Insecure Skip Verify</th>
                             <th data-column-id="description" data-type="string">Description</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
                         </tr>
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index f4f0f6bf60..0f6078b466 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -29,13 +29,11 @@
  */
 
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
 
 $configObj = Config::getInstance()->object();
-$temp_dir = '/usr/local/etc/caddy/certificates/temp/';
+$temp_dir = '/var/db/caddy/data/caddy/certificates/temp/';
 
 function extract_and_save_certificates($configObj, $temp_dir)
 {
@@ -68,9 +66,7 @@ function extract_and_save_certificates($configObj, $temp_dir)
 
         // Save the certificate chain and private key
         file_put_contents($temp_dir . $cert_refid . '.pem', $cert_chain);
-        chmod($temp_dir . $cert_refid . '.pem', 0600);
         file_put_contents($temp_dir . $cert_refid . '.key', $key_content);
-        chmod($temp_dir . $cert_refid . '.key', 0600);
     }
 
     // Traverse through CA certificates and save them
@@ -80,7 +76,6 @@ function extract_and_save_certificates($configObj, $temp_dir)
 
         // Save the CA certificate
         file_put_contents($temp_dir . $ca_refid . '.pem', $ca_content);
-        chmod($temp_dir . $ca_refid . '.pem', 0600);
     }
 }
 
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
index 6ee35ebb7b..334bd5672b 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
@@ -2,37 +2,25 @@
 
 # Define directories
 CADDY_DIR="/usr/local/etc/caddy"
-CADDY_ACME_DIR="${CADDY_DIR}/acme"
-CADDY_CERTS_DIR="${CADDY_DIR}/certificates/temp"
-CADDY_OCSP_DIR="${CADDY_DIR}/ocsp"
-CADDY_LOCKS_DIR="${CADDY_DIR}/locks"
+CADDY_CERTS_DIR="/var/db/caddy/data/caddy/certificates/temp"
 CADDY_LOG_DIR="/var/log/caddy/access"
 CADDY_CONF_DIR="${CADDY_DIR}/caddy.d"
 
-# Create Caddy configuration directories with appropriate permissions
-mkdir -p "${CADDY_DIR}"
-mkdir -p "${CADDY_ACME_DIR}"
+# Create custom directories with appropriate permissions
 mkdir -p "${CADDY_CERTS_DIR}"
-mkdir -p "${CADDY_OCSP_DIR}"
-mkdir -p "${CADDY_LOCKS_DIR}"
-mkdir -p "${CADDY_CONF_DIR}"
-
-# Set permissions for Caddy configuration directories
-chown -R root:wheel "${CADDY_DIR}"
-chmod -R 750 "${CADDY_DIR}"
+chown -R root:wheel "${CADDY_CERTS_DIR}"
+chmod -R 600 "${CADDY_CERTS_DIR}"
 
-# Create Caddy log directory
 mkdir -p "${CADDY_LOG_DIR}"
-
-# Set permissions for Caddy log directory
 chown -R root:wheel "${CADDY_LOG_DIR}"
 chmod -R 750 "${CADDY_LOG_DIR}"
 
+mkdir -p "${CADDY_CONF_DIR}"
+chown -R root:wheel "${CADDY_CONF_DIR}"
+chmod -R 750 "${CADDY_CONF_DIR}"
+
 # Format and overwrite the Caddyfile
 (cd "${CADDY_DIR}" && /usr/local/bin/caddy fmt --overwrite)
 
 # Write custom certs from the OPNsense Trust Store into a directory where Caddy can read them
 /usr/local/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
-
-# Optional Debug message
-# echo "Caddy installation completed. All caddy directories and files created successfully."
diff --git a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
index 764809f8e8..28b10be8d5 100644
--- a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
+++ b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
@@ -15,6 +15,7 @@ command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py restart
 parameters:
 type:script
 message:Reloading Caddy configuration
+description:Restart Caddy service
 
 [validate]
 command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py validate
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 079d3a19e1..e0e84bc72b 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -4,9 +4,6 @@
 
 # Global Options
 {
-    storage file_system {
-        root /usr/local/etc/caddy
-    }
     log {
         {% if generalSettings.LogAccessPlain|default("0") == "0" %}
         {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
@@ -57,8 +54,6 @@
     {% set dnsOptionalField2 = generalSettings.TlsDnsOptionalField2 %}
     {% set dnsOptionalField3 = generalSettings.TlsDnsOptionalField3 %}
     {% set dnsOptionalField4 = generalSettings.TlsDnsOptionalField4 %}
-    {% set dnsOptionalField5 = generalSettings.TlsDnsOptionalField5 %}
-    {% set dnsOptionalField6 = generalSettings.TlsDnsOptionalField6 %}
     {% set dynDnsSimpleHttp = generalSettings.DynDnsSimpleHttp %}
     {% set dynDnsInterface = generalSettings.DynDnsInterface %}
     {% set dynDnsCheckInterval = generalSettings.DynDnsCheckInterval %}
@@ -85,7 +80,7 @@
 
     {% if dnsProvider and dnsProvider != "none" and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
         dynamic_dns {
-            {% if dnsProvider in ['porkbun', 'desec', 'route53', 'alidns', 'googleclouddns', 'azure', 'openstack-designate', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
+            {% if dnsProvider in ['porkbun', 'desec', 'route53', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
                 provider {{ dnsProvider }} {
                     {% if dnsProvider == 'porkbun' %}
                         {% if dnsApiKey %}api_key {{ dnsApiKey }}
@@ -108,11 +103,6 @@
                         {% endif %}
                         {% if dnsOptionalField4 %}token {{ dnsOptionalField4 }}
                         {% endif %}
-                    {% elif dnsProvider == 'alidns' %}
-                        {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}access_key_secret {{ dnsSecretApiKey }}
-                        {% endif %}
                     {% elif dnsProvider == 'googleclouddns' %}
                         {% if dnsApiKey %}gcp_project {{ dnsApiKey }}
                         {% endif %}
@@ -127,23 +117,6 @@
                         {% endif %}
                         {% if dnsOptionalField3 %}resource_group_name {{ dnsOptionalField3 }}
                         {% endif %}
-                    {% elif dnsProvider == 'openstack-designate' %}
-                        {% if dnsApiKey %}region_name {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}tenant_id {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}identity_api_version {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}password {{ dnsOptionalField2 }}
-                        {% endif %}
-                        {% if dnsOptionalField3 %}username {{ dnsOptionalField3 }}
-                        {% endif %}
-                        {% if dnsOptionalField4 %}tenant_name {{ dnsOptionalField4 }}
-                        {% endif %}
-                        {% if dnsOptionalField5 %}auth_url {{ dnsOptionalField5 }}
-                        {% endif %}
-                        {% if dnsOptionalField6 %}endpoint_type {{ dnsOptionalField6 }}
-                        {% endif %}
                     {% elif dnsProvider == 'ovh' %}
                         {% if dnsApiKey %}endpoint {{ dnsApiKey }}
                         {% endif %}
@@ -204,8 +177,6 @@
                         {% endif %}
                     {% endif %}
                 }
-            {% elif dnsProvider in ['metaname'] %}
-                provider {{ dnsProvider }} {{ dnsApiKey }} {{ dnsSecretApiKey }}
             {% else %}
                 provider {{ dnsProvider }} {{ dnsApiKey }}
             {% endif %}
@@ -248,9 +219,24 @@
 }
 
 # Reverse Proxy Configuration
-{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsOptionalField5, TlsDnsOptionalField6) %}
+
+{% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
+    {% if reverse.enabled|default("0") == "1" and reverse.AcmePassthrough %}
+        # HTTP-01 challenge redirection for domain: "{{ reverse['@uuid'] }}"
+        http://{{ reverse.FromDomain|default("") }} {
+            handle /.well-known/acme-challenge/* {
+                reverse_proxy {{ reverse.AcmePassthrough }}
+            }
+            handle {
+                redir https://{host}{uri} 308
+            }
+        }
+    {% endif %}
+{% endfor %}
+
+{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) %}
     {% if dnsChallenge == "1" and dnsProvider and dnsProvider != "none" %}
-        {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'alidns', 'googleclouddns', 'azure', 'openstack-designate', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
+        {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
             tls {
                 dns {{ dnsProvider }} {
                     {% if dnsProvider == 'duckdns' %}
@@ -288,11 +274,6 @@
                         {% endif %}
                         {% if dnsOptionalField2 %}server_url {{ dnsOptionalField2 }}
                         {% endif %}
-                    {% elif dnsProvider == 'alidns' %}
-                        {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}access_key_secret {{ dnsSecretApiKey }}
-                        {% endif %}
                     {% elif dnsProvider == 'googleclouddns' %}
                         {% if dnsApiKey %}gcp_project {{ dnsApiKey }}
                         {% endif %}
@@ -307,23 +288,6 @@
                         {% endif %}
                         {% if dnsOptionalField3 %}resource_group_name {{ dnsOptionalField3 }}
                         {% endif %}
-                    {% elif dnsProvider == 'openstack-designate' %}
-                        {% if dnsApiKey %}region_name {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}tenant_id {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}identity_api_version {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}password {{ dnsOptionalField2 }}
-                        {% endif %}
-                        {% if dnsOptionalField3 %}username {{ dnsOptionalField3 }}
-                        {% endif %}
-                        {% if dnsOptionalField4 %}tenant_name {{ dnsOptionalField4 }}
-                        {% endif %}
-                        {% if dnsOptionalField5 %}auth_url {{ dnsOptionalField5 }}
-                        {% endif %}
-                        {% if dnsOptionalField6 %}endpoint_type {{ dnsOptionalField6 }}
-                        {% endif %}
                     {% elif dnsProvider == 'ovh' %}
                         {% if dnsApiKey %}endpoint {{ dnsApiKey }}
                         {% endif %}
@@ -385,10 +349,6 @@
                     {% endif %}
                 }
             }
-        {% elif dnsProvider in ['metaname'] %}
-            tls {
-                dns {{ dnsProvider }} {{ dnsApiKey }} {{ dnsSecretApiKey }}
-            }
         {% else %}
             tls {
                 dns {{ dnsProvider }} {{ dnsApiKey }}
@@ -396,7 +356,7 @@
         {% endif %}
     {% endif %}
     {% if customCert %}
-        tls /usr/local/etc/caddy/certificates/temp/{{ customCert }}.pem /usr/local/etc/caddy/certificates/temp/{{ customCert }}.key
+        tls /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key
     {% endif %}
 {% endmacro %}
 
@@ -406,28 +366,36 @@
         rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
         reverse_proxy {{ handle.ToDomain }}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %} {
-            {% if handle.HttpTls|default("0") == "1" %}
-            {% if handle.HttpNtlm|default("0") == "1" %}
-            transport http_ntlm {
-                tls
-                {% if handle.HttpTlsTrustedCaCerts %}
-                tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
-                {% endif %}
-                {% if handle.HttpTlsServerName %}
-                tls_server_name {{ handle.HttpTlsServerName }}
-                {% endif %}
-            }
-            {% else %}
-            transport http {
-                tls
-                {% if handle.HttpTlsTrustedCaCerts %}
-                tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
-                {% endif %}
-                {% if handle.HttpTlsServerName %}
-                tls_server_name {{ handle.HttpTlsServerName }}
+            {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
+                {% if handle.HttpNtlm|default("0") == "1" %}
+                transport http_ntlm {
+                    {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
+                    tls_insecure_skip_verify
+                    {% else %}
+                    tls
+                    {% if handle.HttpTlsTrustedCaCerts %}
+                    tls_trusted_ca_certs /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                    {% endif %}
+                    {% if handle.HttpTlsServerName %}
+                    tls_server_name {{ handle.HttpTlsServerName }}
+                    {% endif %}
+                    {% endif %}
+                }
+                {% else %}
+                transport http {
+                    {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
+                    tls_insecure_skip_verify
+                    {% else %}
+                    tls
+                    {% if handle.HttpTlsTrustedCaCerts %}
+                    tls_trusted_ca_certs /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                    {% endif %}
+                    {% if handle.HttpTlsServerName %}
+                    tls_server_name {{ handle.HttpTlsServerName }}
+                    {% endif %}
+                    {% endif %}
+                }
                 {% endif %}
-            }
-            {% endif %}
             {% endif %}
         }
     }
@@ -471,7 +439,7 @@
     {% endif %}
     {% set customCert = reverse.CustomCertificate|default("") %}
     {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
-    {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsOptionalField5, TlsDnsOptionalField6) }}
+    {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) }}
 
     {% if not reverse.accesslist %}
         {% set basicauth_uuids = reverse.basicauth %}

From 1618fc6190f25d493f527a903de9796844b9afe8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Apr 2024 12:24:48 +0200
Subject: [PATCH 1830/3088] net/relayd: bump revision

---
 net/relayd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index c370db7956..6a3a1aba62 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.8
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From 38c731888d8687542d2317b765e1d37bd2cc59bf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Apr 2024 12:28:10 +0200
Subject: [PATCH 1831/3088] dns/bind: new version

---
 dns/bind/Makefile  | 3 +--
 dns/bind/pkg-descr | 8 ++++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 9ef5a09dfe..abb2e5fa59 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.30
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.31
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index fc882fdcde..98b8af40f5 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -6,13 +6,17 @@ necessary for asking and answering name service questions.
 
 WWW: https://www.isc.org
 
-
 Plugin Changelog
 ================
 
+1.31
+
+* Do not add the update-policy if the zone type is secondary (contributed by Brendan Bank)
+* Adjust severity log levels (contributed by kulikov-a)
+
 1.30
 
-* Add ability for RNDC key updates from other nameservers
+* Add ability for RNDC key updates from other nameservers (contributed by Joachim Friberg)
 
 1.29
 

From 4f60a949e2684983188f250d2122f40121a8eb07 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Apr 2024 12:30:19 +0200
Subject: [PATCH 1832/3088] net-mgmt/zabbix-proxy: new version

---
 net-mgmt/zabbix-proxy/Makefile  | 3 +--
 net-mgmt/zabbix-proxy/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index a9cf15b2b8..c86a78b96b 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix6 zabbix64 zabbix5
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 1af3a44a85..391046febb 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.10
+
+* Add logging options (contributed by Malte Rabenseifner)
+
 1.9
 
 * Add plugin variant for Zabbix Proxy 6.2

From 57ae4626a2c02ec251c92ef0909e453febc25ce4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Apr 2024 12:32:03 +0200
Subject: [PATCH 1833/3088] net/freeradius: next version

---
 net/freeradius/Makefile  | 2 +-
 net/freeradius/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 0d7330d4fb..ae9ecd3b7b 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.22
+PLUGIN_VERSION=		1.9.23
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index beae3fa10f..3d8d1afa8f 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.23
+
+* Support NT hash of user password (contributed by Stuart McLaren)
+
 1.9.22
 
 * Add Proxy configuration page: HomeServer, HomeServerPool, Realm

From e15b18a565ad2901dd564cf1dd4e853233fcad2b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 8 Apr 2024 10:56:51 +0200
Subject: [PATCH 1834/3088] www/OPNProxy - move proxy access management feature
 to the community version.

This plugin uses squid's external acl helpers and redis to query policies quicker and more lightweight.
It has been part of the business edition for some time, but due to recent changes, it makes sense to add it to the community version as well.

Due to the redis requirement, we keep it a separate plugin, so existing setups won't start to pull redis in unexpected.

current documentation: https://docs.opnsense.org/vendor/deciso/opnproxy.html
---
 www/OPNProxy/+POST_DEINSTALL.post             |   2 +
 www/OPNProxy/Makefile                         |  10 +
 www/OPNProxy/pkg-descr                        |  10 +
 .../src/etc/inc/plugins.inc.d/opnproxy.inc    |  50 ++++
 .../OPNsense/Proxy/AclController.php          |  40 ++++
 .../OPNsense/Proxy/Api/AclController.php      | 131 +++++++++++
 .../Proxy/forms/dialogCustomPolicy.xml        |  40 ++++
 .../Proxy/forms/dialogDefaultPolicy.xml       |  39 ++++
 .../mvc/app/models/Deciso/Proxy/ACL.php       |  35 +++
 .../mvc/app/models/Deciso/Proxy/ACL.xml       | 132 +++++++++++
 .../Proxy/FieldTypes/CustomPolicyField.php    |  94 ++++++++
 .../Proxy/FieldTypes/UserGroupField.php       |  76 ++++++
 .../mvc/app/models/Deciso/Proxy/Menu/Menu.xml |   8 +
 .../mvc/app/views/Deciso/Proxy/acl.volt       | 191 +++++++++++++++
 .../scripts/OPNProxy/download_cleanse_ut1.py  |  93 ++++++++
 .../opnsense/scripts/OPNProxy/lib/__init__.py | 135 +++++++++++
 .../OPNProxy/policies_to_redis_proto.py       | 100 ++++++++
 .../scripts/OPNProxy/redis_sync_users.py      |  76 ++++++
 .../scripts/OPNProxy/squid_acl_helper.py      | 217 ++++++++++++++++++
 .../conf/actions.d/actions_opnproxy.conf      |  21 ++
 .../service/templates/Deciso/Proxy/+TARGETS   |   2 +
 .../Deciso/Proxy/10-opnproxy-ext.auth.conf    |  43 ++++
 .../Deciso/Proxy/proxy_policies.conf          |  30 +++
 23 files changed, 1575 insertions(+)
 create mode 100644 www/OPNProxy/+POST_DEINSTALL.post
 create mode 100644 www/OPNProxy/Makefile
 create mode 100644 www/OPNProxy/pkg-descr
 create mode 100644 www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/AclController.php
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/AclController.php
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogCustomPolicy.xml
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogDefaultPolicy.xml
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.php
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.xml
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/FieldTypes/CustomPolicyField.php
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/FieldTypes/UserGroupField.php
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/Menu/Menu.xml
 create mode 100644 www/OPNProxy/src/opnsense/mvc/app/views/Deciso/Proxy/acl.volt
 create mode 100755 www/OPNProxy/src/opnsense/scripts/OPNProxy/download_cleanse_ut1.py
 create mode 100755 www/OPNProxy/src/opnsense/scripts/OPNProxy/lib/__init__.py
 create mode 100755 www/OPNProxy/src/opnsense/scripts/OPNProxy/policies_to_redis_proto.py
 create mode 100755 www/OPNProxy/src/opnsense/scripts/OPNProxy/redis_sync_users.py
 create mode 100755 www/OPNProxy/src/opnsense/scripts/OPNProxy/squid_acl_helper.py
 create mode 100644 www/OPNProxy/src/opnsense/service/conf/actions.d/actions_opnproxy.conf
 create mode 100644 www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/+TARGETS
 create mode 100644 www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/10-opnproxy-ext.auth.conf
 create mode 100644 www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/proxy_policies.conf

diff --git a/www/OPNProxy/+POST_DEINSTALL.post b/www/OPNProxy/+POST_DEINSTALL.post
new file mode 100644
index 0000000000..5630e0114a
--- /dev/null
+++ b/www/OPNProxy/+POST_DEINSTALL.post
@@ -0,0 +1,2 @@
+#!/bin/sh
+rm /usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf
diff --git a/www/OPNProxy/Makefile b/www/OPNProxy/Makefile
new file mode 100644
index 0000000000..3cc481e385
--- /dev/null
+++ b/www/OPNProxy/Makefile
@@ -0,0 +1,10 @@
+PLUGIN_NAME=		OPNProxy
+PLUGIN_VERSION=		1.0.5
+PLUGIN_COMMENT=		OPNsense proxy additions
+PLUGIN_DEPENDS=		os-redis${PLUGIN_PKGSUFFIX} \
+			os-squid${PLUGIN_PKGSUFFIX} \
+			py${PLUGIN_PYTHON}-redis
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		2
+
+.include "../../Mk/plugins.mk"
diff --git a/www/OPNProxy/pkg-descr b/www/OPNProxy/pkg-descr
new file mode 100644
index 0000000000..c731c51c9f
--- /dev/null
+++ b/www/OPNProxy/pkg-descr
@@ -0,0 +1,10 @@
+OPNsense proxy additions to support more fine grained access management
+
+1.0.5
+
+* Prepare for community release
+
+1.0.4:
+
+* Remove ident support as by default it is denied anyway nowadays
+
diff --git a/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc b/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
new file mode 100644
index 0000000000..96f00a995a
--- /dev/null
+++ b/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function opnproxy_configure()
+{
+    return array(
+        'user_changed' => ['opnproxy_user_changed:2'],
+        'webproxy' => ['opnproxy_webproxy:2'],
+    );
+}
+
+
+function opnproxy_user_changed($verbose = false, $username = '')
+{
+    exec("/usr/local/opnsense/scripts/OPNProxy/redis_sync_users.py " . escapeshellarg($username));
+}
+
+
+function opnproxy_webproxy($verbose = false, $action = null)
+{
+    $response = configd_run('template reload Deciso/Proxy');
+    if ($verbose) {
+        printf("template reload Deciso/Proxy: %s\n", trim($response));
+    }
+}
diff --git a/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/AclController.php b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/AclController.php
new file mode 100644
index 0000000000..c0be1fa08c
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/AclController.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+namespace OPNsense\Proxy;
+
+class AclController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('Deciso/Proxy/acl');
+        $this->view->formDialogDefaultPolicy = $this->getForm("dialogDefaultPolicy");
+        $this->view->formDialogCustomPolicy = $this->getForm("dialogCustomPolicy");
+    }
+}
diff --git a/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/AclController.php b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/AclController.php
new file mode 100644
index 0000000000..80a7563ff4
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/AclController.php
@@ -0,0 +1,131 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+namespace OPNsense\Proxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+
+class AclController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'proxy';
+    protected static $internalModelClass = 'Deciso\Proxy\ACL';
+
+    public function searchPolicyAction()
+    {
+        return $this->searchBase("policies.policy", array('enabled', 'description', 'action'), "description");
+    }
+
+    public function setPolicyAction($uuid)
+    {
+        return $this->setBase("policy", "policies.policy", $uuid);
+    }
+
+    public function addPolicyAction()
+    {
+        return $this->addBase("policy", "policies.policy");
+    }
+
+    public function getPolicyAction($uuid = null)
+    {
+        return $this->getBase("policy", "policies.policy", $uuid);
+    }
+
+    public function delPolicyAction($uuid)
+    {
+        return $this->delBase("policies.policy", $uuid);
+    }
+
+    public function togglePolicyAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("policies.policy", $uuid, $enabled);
+    }
+    public function searchCustomPolicyAction()
+    {
+        return $this->searchBase("custom_policies.policy", array('enabled', 'description', 'action'), "description");
+    }
+
+    public function setCustomPolicyAction($uuid)
+    {
+        return $this->setBase("custom_policy", "custom_policies.policy", $uuid);
+    }
+
+    public function addCustomPolicyAction()
+    {
+        return $this->addBase("custom_policy", "custom_policies.policy");
+    }
+
+    public function getCustomPolicyAction($uuid = null)
+    {
+        return $this->getBase("custom_policy", "custom_policies.policy", $uuid);
+    }
+
+    public function delCustomPolicyAction($uuid)
+    {
+        return $this->delBase("custom_policies.policy", $uuid);
+    }
+
+    public function toggleCustomPolicyAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("custom_policies.policy", $uuid, $enabled);
+    }
+
+    public function applyAction()
+    {
+        if ($this->request->isPost()) {
+            $this->sessionClose();
+            $backend = new Backend();
+            $backend->configdRun('template reload Deciso/Proxy');
+            $backend->configdRun('opnproxy sync_users');
+            return array("status" => trim($backend->configdRun('opnproxy apply_policies')));
+        } else {
+            return array("status" => "error");
+        }
+    }
+
+    public function testAction()
+    {
+        if ($this->request->isPost() && $this->request->hasPost('uri')) {
+            $src = $this->request->getPost('src', 'striptags', '');
+            $src = !empty($src) ? $src : "-";
+            $user = $this->request->getPost('user', null, '');
+            $user = !empty($user) ? $user : "-";
+            $this->sessionClose();
+            $backend = new Backend();
+            $response = $backend->configdpRun('opnproxy user test', [
+                $user, $this->request->getPost('uri'), $src
+            ]);
+            $respose = json_decode($response, true);
+            if (!empty($response)) {
+                return $respose;
+            }
+        }
+        return array("status" => "error");
+    }
+}
diff --git a/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogCustomPolicy.xml b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogCustomPolicy.xml
new file mode 100644
index 0000000000..f7ad32c89b
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogCustomPolicy.xml
@@ -0,0 +1,40 @@
+<form>
+    <field>
+        <id>custom_policy.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help>Enable this item</help>
+    </field>
+    <field>
+        <id>custom_policy.applies_on</id>
+        <label>User / Group</label>
+        <type>select_multiple</type>
+        <help>ACL applies on selected users and groups. Users are prefixed with *, best use groups to structure policies</help>
+    </field>
+    <field>
+        <id>custom_policy.source_net</id>
+        <label>Source</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>source ip or network, examples 10.0.0.0/24, 10.0.0.1</help>
+    </field>
+    <field>
+        <id>custom_policy.action</id>
+        <label>Action</label>
+        <type>dropdown</type>
+        <help>Action to perform.</help>
+    </field>
+    <field>
+        <id>custom_policy.content</id>
+        <label>Content</label>
+        <type>textbox</type>
+        <help>List of domains and path entries, prefix with . to include subdomains (e.g. .com to block all .com domains). To match all use *</help>
+        <allownew>true</allownew>
+    </field>
+    <field>
+        <id>custom_policy.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+</form>
diff --git a/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogDefaultPolicy.xml b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogDefaultPolicy.xml
new file mode 100644
index 0000000000..275b6b6576
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/dialogDefaultPolicy.xml
@@ -0,0 +1,39 @@
+<form>
+    <field>
+        <id>policy.enabled</id>
+        <label>enabled</label>
+        <type>checkbox</type>
+        <help>Enable this item</help>
+    </field>
+    <field>
+        <id>policy.applies_on</id>
+        <label>User / Group</label>
+        <type>select_multiple</type>
+        <help>ACL applies on selected users and groups. Users are prefixed with *, best use groups to structure policies</help>
+    </field>
+    <field>
+        <id>policy.source_net</id>
+        <label>Source</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>source ip or network, examples 10.0.0.0/24, 10.0.0.1</help>
+    </field>
+    <field>
+        <id>policy.action</id>
+        <label>Action</label>
+        <type>dropdown</type>
+        <help>Action to perform.</help>
+    </field>
+    <field>
+        <id>policy.content</id>
+        <label>Content</label>
+        <type>select_multiple</type>
+        <help>List of standard categories</help>
+    </field>
+    <field>
+        <id>policy.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+</form>
diff --git a/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.php b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.php
new file mode 100644
index 0000000000..3f5bfa84f7
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace Deciso\Proxy;
+
+use OPNsense\Base\BaseModel;
+
+class ACL extends BaseModel
+{
+}
diff --git a/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.xml b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.xml
new file mode 100644
index 0000000000..345959ae33
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.xml
@@ -0,0 +1,132 @@
+<model>
+    <mount>//Deciso/Proxy/ACL</mount>
+    <version>1.0.0</version>
+    <description>
+        OPNsense central management / Proxy module
+    </description>
+    <items>
+        <policies>
+            <policy type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <Default>deny</Default>
+                    <OptionValues>
+                        <deny>Deny</deny>
+                        <allow>Allow</allow>
+                    </OptionValues>
+                </action>
+                <content type="OptionField">
+                    <Required>Y</Required>
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <adult>adult</adult>
+                        <aggressive>aggressive</aggressive>
+                        <astrology>astrology</astrology>
+                        <audio-video>audio-video</audio-video>
+                        <bank>bank</bank>
+                        <bitcoin>bitcoin</bitcoin>
+                        <blog>blog</blog>
+                        <celebrity>celebrity</celebrity>
+                        <chat>chat</chat>
+                        <child>child</child>
+                        <cleaning>cleaning</cleaning>
+                        <cooking>cooking</cooking>
+                        <cryptojacking>cryptojacking</cryptojacking>
+                        <dangerous_material>dangerous_material</dangerous_material>
+                        <dating>dating</dating>
+                        <ddos>ddos</ddos>
+                        <doh>doh</doh>
+                        <download>download</download>
+                        <drugs>drugs</drugs>
+                        <educational_games>educational_games</educational_games>
+                        <filehosting>filehosting</filehosting>
+                        <financial>financial</financial>
+                        <forums>forums</forums>
+                        <gambling>gambling</gambling>
+                        <games>games</games>
+                        <hacking>hacking</hacking>
+                        <jobsearch>jobsearch</jobsearch>
+                        <lingerie>lingerie</lingerie>
+                        <malware>malware</malware>
+                        <manga>manga</manga>
+                        <marketingware>marketingware</marketingware>
+                        <mixed_adult>mixed_adult</mixed_adult>
+                        <mobile-phone>mobile-phone</mobile-phone>
+                        <phishing>phishing</phishing>
+                        <press>press</press>
+                        <advertisements>advertisements</advertisements>
+                        <radio>radio</radio>
+                        <redirector>redirector</redirector>
+                        <remote-control>remote-control</remote-control>
+                        <sexual_education>sexual_education</sexual_education>
+                        <shopping>shopping</shopping>
+                        <shortener>shortener</shortener>
+                        <social_networks>social_networks</social_networks>
+                        <sports>sports</sports>
+                        <stalkerware>stalkerware</stalkerware>
+                        <translation>translation</translation>
+                        <update>update</update>
+                        <vpn>vpn</vpn>
+                        <warez>warez</warez>
+                        <webmail>webmail</webmail>
+                    </OptionValues>
+                </content>
+                <applies_on type=".\UserGroupField">
+                    <Multiple>Y</Multiple>
+                    <Required>N</Required>
+                    <ValidationMessage>You need to select at least one user or group for who this list applies</ValidationMessage>
+                </applies_on>
+                <source_net type="NetworkField">
+                    <Required>N</Required>
+                    <WildcardEnabled>N</WildcardEnabled>
+                    <FieldSeparator>,</FieldSeparator>
+                    <asList>Y</asList>
+                </source_net>
+                <description type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
+                </description>
+            </policy>
+        </policies>
+        <custom_policies>
+            <policy type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <Default>deny</Default>
+                    <OptionValues>
+                        <deny>Deny</deny>
+                        <allow>Allow</allow>
+                    </OptionValues>
+                </action>
+                <content type=".\CustomPolicyField">
+                    <Required>Y</Required>
+                </content>
+                <applies_on type=".\UserGroupField">
+                    <Multiple>Y</Multiple>
+                    <Required>N</Required>
+                    <ValidationMessage>You need to select at least one user or group for who this list applies</ValidationMessage>
+                </applies_on>
+                <source_net type="NetworkField">
+                    <Required>N</Required>
+                    <WildcardEnabled>N</WildcardEnabled>
+                    <FieldSeparator>,</FieldSeparator>
+                    <asList>Y</asList>
+                </source_net>
+                <description type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+                    <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
+                </description>
+            </policy>
+        </custom_policies>
+    </items>
+</model>
diff --git a/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/FieldTypes/CustomPolicyField.php b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/FieldTypes/CustomPolicyField.php
new file mode 100644
index 0000000000..15637602a2
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/FieldTypes/CustomPolicyField.php
@@ -0,0 +1,94 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace Deciso\Proxy\FieldTypes;
+
+use OPNsense\Base\FieldTypes\BaseField;
+use OPNsense\Base\Validators\CallbackValidator;
+use OPNsense\Core\Config;
+
+/**
+ * Class UserGroupField
+ */
+class CustomPolicyField extends BaseField
+{
+    protected $internalIsContainer = false;
+    protected $internalValidationMessage = "invalid domain and path combination";
+    private $separatorchar = "\n";
+
+    /**
+     * split and yield items
+     * @param array $data to validate
+     * @return \Generator
+     */
+    private function getItems($data)
+    {
+        foreach (explode($this->separatorchar, trim($data)) as $value) {
+            yield $value;
+        }
+    }
+
+    /**
+     * retrieve field validators for this field type
+     * @return array
+     */
+    public function getValidators()
+    {
+        $validators = parent::getValidators();
+        if ($this->internalValue != null) {
+            $validators[] = new CallbackValidator(["callback" => function ($data) {
+                $messages = array();
+                foreach ($this->getItems($data) as $item) {
+                    $parts = explode("/", $item, 2);
+                    $domain = substr($parts[0], 0, 1) == "." ? substr($parts[0], 1) : $parts[0];
+                    if ($item == "*") {
+                        // explicit wildcard
+                        continue;
+                    } elseif (
+                        filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false &&
+                        filter_var($domain, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6) === false
+                    ) {
+                        $messages[] = sprintf(
+                            gettext('Entry "%s" does not contain a valid domain or address.'),
+                            $item
+                        );
+                    } elseif (filter_var("https://{$domain}", FILTER_VALIDATE_URL) === false) {
+                        $messages[] = sprintf(
+                            gettext('Entry "%s" does not contain a valid path.'),
+                            $item
+                        );
+                        continue;
+                    }
+                }
+                return $messages;
+            }
+            ]);
+        }
+        return $validators;
+    }
+}
diff --git a/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/FieldTypes/UserGroupField.php b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/FieldTypes/UserGroupField.php
new file mode 100644
index 0000000000..b50ce32192
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/FieldTypes/UserGroupField.php
@@ -0,0 +1,76 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace Deciso\Proxy\FieldTypes;
+
+use OPNsense\Base\FieldTypes\BaseListField;
+use OPNsense\Core\Config;
+
+/**
+ * Class UserGroupField
+ */
+class UserGroupField extends BaseListField
+{
+    /**
+     * @var array collected options
+     */
+    private static $internalCacheOptionList = array();
+
+    /**
+     * @return string identifying selected options
+     */
+    private function optionSetId()
+    {
+        return "0";
+    }
+
+    /**
+     * generate validation data (list of countries)
+     */
+    protected function actionPostLoadingEvent()
+    {
+        $setid = $this->optionSetId();
+        if (!isset(self::$internalCacheOptionList[$setid])) {
+            self::$internalCacheOptionList[$setid] =  array();
+        }
+        if (empty(self::$internalCacheOptionList[$setid])) {
+            $cnf = Config::getInstance()->object();
+            foreach (['group', 'user'] as $topic) {
+                if (!empty($cnf->system->$topic)) {
+                    foreach ($cnf->system->$topic as $node) {
+                        $prefix = $topic == "user" ? "*" : "";
+                        $tp = $topic == "user" ? "u" : "g";
+                        self::$internalCacheOptionList[$setid][$tp . ":" . $node->name] = $prefix . $node->name;
+                    }
+                }
+            }
+            ksort(self::$internalCacheOptionList[$setid]);
+        }
+        $this->internalOptionList = self::$internalCacheOptionList[$setid];
+    }
+}
diff --git a/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/Menu/Menu.xml b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/Menu/Menu.xml
new file mode 100644
index 0000000000..54400fe64e
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+    <Services>
+        <SquidWebProxy>
+            <ACL VisibleName="Access control" order="15" url="/ui/proxy/acl">
+            </ACL>
+        </SquidWebProxy>
+    </Services>
+</menu>
diff --git a/www/OPNProxy/src/opnsense/mvc/app/views/Deciso/Proxy/acl.volt b/www/OPNProxy/src/opnsense/mvc/app/views/Deciso/Proxy/acl.volt
new file mode 100644
index 0000000000..9d25467fdf
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/mvc/app/views/Deciso/Proxy/acl.volt
@@ -0,0 +1,191 @@
+<script>
+    $( document ).ready(function() {
+        $('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
+            $("#apply_div").show();
+            if (e.target.id == 'policies_tab') {
+                $("#grid-policies").UIBootgrid(
+                    {   search:'/api/proxy/acl/searchPolicy/',
+                        get:'/api/proxy/acl/getPolicy/',
+                        set:'/api/proxy/acl/setPolicy/',
+                        add:'/api/proxy/acl/addPolicy/',
+                        del:'/api/proxy/acl/delPolicy/',
+                        toggle:'/api/proxy/acl/togglePolicy/'
+                    }
+                );
+            } else if (e.target.id == 'custom_policies_tab') {
+                $("#grid-custom_policies").UIBootgrid(
+                    {   search:'/api/proxy/acl/searchCustomPolicy/',
+                        get:'/api/proxy/acl/getCustomPolicy/',
+                        set:'/api/proxy/acl/setCustomPolicy/',
+                        add:'/api/proxy/acl/addCustomPolicy/',
+                        del:'/api/proxy/acl/delCustomPolicy/',
+                        toggle:'/api/proxy/acl/toggleCustomPolicy/'
+                    }
+                );
+            } else if (e.target.id == 'policy_tester_tab') {
+                $("#apply_div").hide();
+            }
+        });
+
+        $("#reconfigureAct").SimpleActionButton();
+        $("#tester_exec").click(function(){
+            $("#tester_exec_spinner").show();
+            ajaxCall('/api/proxy/acl/test', {'user': $("#tester_name").val(), 'uri': $("#tester_uri").val(), 'src': $("#tester_src").val()}, function(data, status){
+                $("#policy_tester_result").empty();
+                $("#policy_tester_result").append($("<span/>").text("{{lang._('Result')}}"));
+                if (data.user !== undefined || data.message !== undefined) {
+                    $("#policy_tester_result").append($("<pre  style='white-space: pre-wrap; word-break: keep-all;'/>").text(JSON.stringify(data, null, 2)));
+                } else {
+                    $("#policy_tester_result").append($("<span/>").text("-"));
+                }
+                $("#tester_exec_spinner").hide();
+            });
+        });
+
+        // update history on tab state and implement navigation
+        if (window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click();
+        } else {
+            $('a[href="#policies"]').click();
+        }
+
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+
+        // Extended policies depend on redis
+        ajaxGet('/api/redis/service/status', {}, function(data, status){
+            if (data.status !== "running") {
+                BootstrapDialog.show({
+                    type:BootstrapDialog.TYPE_WARNING,
+                    title: "{{ lang._('ACL')}}",
+                    message: $("#redis_message").html()
+                });
+            }
+        });
+
+    });
+</script>
+<style>
+  #custom_policy\.content {
+      white-space: nowrap;
+      height: 300px;
+  }
+</style>
+<div id="redis_message" style="display:none">
+    {{ lang._('The Redis service is not active, make sure to configure it via : %s Services -> Redis %s first')|format('<a href="/ui/redis">', '</a>') }}
+</div>
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li><a data-toggle="tab" id="policies_tab" href="#policies">{{ lang._('Default Policies') }}</a></li>
+    <li><a data-toggle="tab" id="custom_policies_tab" href="#custom_policies">{{ lang._('Custom policies') }}</a></li>
+    <li><a data-toggle="tab" id="policy_tester_tab" href="#policy_tester">{{ lang._('Policy tester') }}</a></li>
+</ul>
+<div class="tab-content content-box">
+    <div id="policies" class="tab-pane fade in">
+        <!-- tab page "standard policies" -->
+        <table id="grid-policies" class="table table-condensed table-hover table-striped" data-editDialog="DialogDefaultPolicy" data-editAlert="PolicyChangeMessage">
+            <thead>
+                <tr>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="action" data-type="string">{{ lang._('Action') }}</th>
+                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+    <div id="custom_policies" class="tab-pane fade in">
+        <!-- tab page "custom_policies" -->
+        <table id="grid-custom_policies" class="table table-condensed table-hover table-striped" data-editDialog="DialogCustomPolicy" data-editAlert="PolicyChangeMessage">
+            <thead>
+                <tr>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="action" data-type="string">{{ lang._('Action') }}</th>
+                    <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+    <div id="policy_tester" class="tab-pane fade in">
+        <div class="col-md-12">
+            <table class="table table-condensed table-striped">
+                <thead>
+                  <tr>
+                    <th>{{ lang._('Property') }}</th>
+                    <th>{{ lang._('Value') }}</th>
+                  </tr>
+                </thead>
+                <tbody>
+                    <tr>
+                        <td>{{ lang._('Username') }}</td>
+                        <td><input type="text" id='tester_name'></td>
+                    </tr>
+                    <tr>
+                        <td>{{ lang._('Source') }}</td>
+                        <td><input type="text"  id='tester_src'></td>
+                    </tr>
+                    <tr>
+                        <td>{{ lang._('Uri') }}</td>
+                        <td><input type="text"  id='tester_uri'></td>
+                    </tr>
+                </tbody>
+                <tfoot>
+                    <tr>
+                        <td></td>
+                        <td>
+                            <button class="btn btn-primary" id="tester_exec">
+                              {{ lang._('Test') }}
+                              <i id="tester_exec_spinner" class="fa fa-spinner fa-pulse" aria-hidden="true" style="display:none;"></i>
+                            </button>
+                        </td>
+                    </tr>
+                </tfoot>
+              </table>
+              <div id="policy_tester_result">
+              </div>
+            </table>
+        </div>
+    </div>
+    <div class="col-md-12" id="apply_div">
+        <div id="PolicyChangeMessage" class="alert alert-info" style="display: none" role="alert">
+            {{ lang._('After changing settings, please remember to apply them with the button below') }}
+        </div>
+        <hr/>
+        <button class="btn btn-primary" id="reconfigureAct"
+                data-endpoint='/api/proxy/acl/apply'
+                data-label="{{ lang._('Apply') }}"
+                data-error-title="{{ lang._('Error configuring policies') }}"
+                type="button"
+        ></button>
+        <br/><br/>
+    </div>
+</div>
+
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogDefaultPolicy,'id':'DialogDefaultPolicy','label':lang._('Edit List')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogCustomPolicy,'id':'DialogCustomPolicy','label':lang._('Edit List')])}}
diff --git a/www/OPNProxy/src/opnsense/scripts/OPNProxy/download_cleanse_ut1.py b/www/OPNProxy/src/opnsense/scripts/OPNProxy/download_cleanse_ut1.py
new file mode 100755
index 0000000000..75cf4d94e6
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/scripts/OPNProxy/download_cleanse_ut1.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+# coding=utf-8
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import argparse
+import os
+import shutil
+import sys
+import tempfile
+import tarfile
+import io
+import requests
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('filename', help='output filename')
+    cmd_args = parser.parse_args()
+
+    req_opts = {
+        'url': 'http://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz',
+        'timeout': 120,
+        'stream': True
+    }
+    try:
+        req = requests.get(**req_opts)
+    except Exception as e:
+        print("unable to download %s" % req_opts['url'])
+        sys.exit(99)
+
+    directory_map = {
+        'blacklists/agressif': 'blacklists/aggressive',
+        'blacklists/publicite': 'blacklists/advertisements',
+        'blacklists/drogue': 'blacklists/drugs',
+        'blacklists/tricheur': None,
+        'blacklists/arjel': None,
+        'blacklists/associations_religieuses': None,
+        'blacklists/dialer': None,
+        'blacklists/liste_bu': None,
+        'blacklists/reaffected': None,
+        'blacklists/strict_redirector': None,
+        'blacklists/strong_redirector': None,
+        'blacklists/sect': None,
+
+    }
+    filenames = ['urls', 'domains', 'README', 'global_usage', 'cc-by-sa-4-0.pdf', 'LICENSE.pdf']
+
+    if 200 <= req.status_code <= 299:
+        with tempfile.NamedTemporaryFile() as tmp_stream:
+            shutil.copyfileobj(req.raw, tmp_stream)
+            tmp_stream.seek(0)
+            tf = tarfile.open(fileobj=tmp_stream)
+            with tarfile.open(cmd_args.filename, "w:gz") as tar_handle:
+                for tf_file in tf.getmembers():
+                    filename = os.path.basename(tf_file.name)
+                    if tf_file.isreg() and filename in filenames:
+                        target = tf_file.name
+                        dirname = os.path.dirname(tf_file.name)
+                        if dirname in directory_map:
+                            if directory_map[dirname] is None:
+                                continue
+                            else:
+                                target = "%s/%s" % (directory_map[dirname], filename)
+                        fhandle = tf.extractfile(tf_file)
+                        info = tarfile.TarInfo(target)
+                        fhandle.seek(0, io.SEEK_END)
+                        info.size = fhandle.tell()
+                        fhandle.seek(0, io.SEEK_SET)
+                        tar_handle.addfile(info, fhandle)
+
+                tar_handle.close()
diff --git a/www/OPNProxy/src/opnsense/scripts/OPNProxy/lib/__init__.py b/www/OPNProxy/src/opnsense/scripts/OPNProxy/lib/__init__.py
new file mode 100755
index 0000000000..95988b247e
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/scripts/OPNProxy/lib/__init__.py
@@ -0,0 +1,135 @@
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import copy
+import tarfile
+import os
+import stat
+import syslog
+import time
+import requests
+from configparser import ConfigParser
+
+
+class Policy:
+    def __init__(self, policy_filename):
+        self._policy_config = policy_filename
+        self._domain_entries = dict()
+        self._policy_settings = dict()
+        self._tf = None
+        self.load()
+
+    def load(self):
+        """ load policy database
+        :return:
+        """
+        self._domain_entries = dict()
+        self._policy_settings = dict()
+        # collect all policies per domain, so we can safely overwrite existing content when it exists
+        cnf = ConfigParser()
+        cnf.read(self._policy_config)
+        if cnf.has_section('source'):
+            blocklist_filename = cnf.get('source', 'blocklist')
+            if cnf.has_option('source', 'blocklist_download_uri'):
+                blocklist_ttl = cnf.getint('source', 'blocklist_ttl')
+                if not os.path.isfile(blocklist_filename) or \
+                        time.time() - os.stat(blocklist_filename)[stat.ST_MTIME] > blocklist_ttl:
+                    try:
+                        response = requests.get(cnf.get('source', 'blocklist_download_uri'), stream=True)
+                        response.raise_for_status()
+                        with open(blocklist_filename, 'wb') as handle:
+                            for block in response.iter_content(1024):
+                                handle.write(block)
+                    except requests.exceptions.RequestException as e:
+                        # we are unable to download a new blocklist, if a previous version still exists keep using that
+                        syslog.syslog(syslog.LOG_ERR, 'unable to download new blocklist (%s)' % e)
+
+            if os.path.isfile(blocklist_filename) and tarfile.is_tarfile(blocklist_filename):
+                self._tf = tarfile.open(fileobj=open(blocklist_filename, "rb"))
+            else:
+                syslog.syslog(syslog.LOG_ERR, 'default policy rules not available (%s missing)' % blocklist_filename)
+
+        for section in cnf.sections():
+            if cnf.has_option(section, 'policy_type') and cnf.has_option(section, 'content'):
+                self._policy_settings[section] = {
+                    'action': cnf.get(section, 'action'),
+                    'id': section.split('_', 1)[-1],
+                    'applies_on': cnf.get(section, 'applies_on').split(','),
+                    'source_net': cnf.get(section, 'source_net').split(','),
+                    'policy_type': cnf.get(section, 'policy_type'),
+                    'description': cnf.get(section, 'description')
+                }
+                ittr_method = self._itr_default if cnf.get(section, 'policy_type') == "default" else self._itr_custom
+                split_char = ',' if cnf.get(section, 'policy_type') == "default" else '\n'
+                for is_wildcard, item in ittr_method(cnf.get(section, 'content').split(split_char)):
+                    parts = item.split('/', 1)
+                    domain = parts[0]
+                    if domain not in self._domain_entries:
+                        self._domain_entries[domain] = list()
+                    self._domain_entries[domain].append([
+                        section,
+                        "/%s" % parts[1] if len(parts) > 1 else "/",
+                        is_wildcard
+                    ])
+
+    def _itr_default(self, items: list):
+        if self._tf:
+            for tf_file in self._tf.getmembers():
+                if tf_file.isreg():
+                    fhandle = self._tf.extractfile(tf_file)
+                    if tf_file.name.count('/') >= 2 and tf_file.name.split('/')[-2] in items:
+                        filename = os.path.basename(tf_file.name)
+                        if filename in ['urls', 'domains']:
+                            for line in fhandle.read().decode().split('\n'):
+                                line = line.strip()
+                                if line:
+                                    # assume domains are wildcards (e.g. youtube.com --> .youtube.com)
+                                    yield line.find('/') == -1, line
+
+    @staticmethod
+    def _itr_custom(items: list):
+        for line in items:
+            if line.startswith('.') or line.startswith('*'):
+                # wildcard search, e.g. matches all subdomains of given domain, where * is the absolute toplevel (root)
+                yield True, line.lstrip('.')
+            else:
+                yield False, line
+
+    def __iter__(self):
+        for domain in self._domain_entries:
+            # prepare domain policies
+            policy = {
+                'domain': domain,
+                'items': []
+            }
+            for entry in self._domain_entries[domain]:
+                politem = copy.deepcopy(self._policy_settings[entry[0]])
+                politem['path'] = entry[1]
+                politem['wildcard'] = entry[2]
+                policy['items'].append(politem)
+            yield policy
+
+    def exists(self, domain):
+        return domain.split(':')[-1] in self._domain_entries
diff --git a/www/OPNProxy/src/opnsense/scripts/OPNProxy/policies_to_redis_proto.py b/www/OPNProxy/src/opnsense/scripts/OPNProxy/policies_to_redis_proto.py
new file mode 100755
index 0000000000..0e4599d6c4
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/scripts/OPNProxy/policies_to_redis_proto.py
@@ -0,0 +1,100 @@
+#!/usr/local/bin/python3
+# -*- coding: utf-8 -*-
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import argparse
+import fcntl
+import time
+import ujson
+from lib import Policy
+import redis
+
+
+def redis_proto_parser(*args):
+    """
+    https://redis.io/topics/protocol
+    :return:
+    """
+    response = ["*%d\r\n$%d\r\n%s\r\n" % (len(args), len(args[0]), args[0])]
+    for item in args[1:]:
+        response.append("$%d\r\n%s\r\n" % (len(item), item))
+    return "".join(response)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        '--redis_host',
+        help='redis hostname to read keys from (default: 127.0.0.1)',
+        default='127.0.0.1'
+    )
+    parser.add_argument(
+        '--redis_port',
+        help='redis port number (default: 6379)',
+        type=int,
+        default=6379
+    )
+    parser.add_argument(
+        '--proxy_policies',
+        help='proxy policies configuration file',
+        default='/usr/local/etc/squid/proxy_policies.conf'
+    )
+    parser.add_argument('--output', help='output filename', default='/dev/stdout')
+
+    cmd_args = parser.parse_args()
+
+    try:
+        lck = open('/tmp/policies_to_redis_proto.LCK', 'w+')
+        fcntl.flock(lck, fcntl.LOCK_EX | fcntl.LOCK_NB)
+    except IOError:
+        # already running, exit status 99
+        sys.exit(99)
+
+    policy = Policy(cmd_args.proxy_policies)
+
+    # fetch current domain keys from redis
+    try:
+        existing_domains = redis.StrictRedis(
+            host=cmd_args.redis_host, port=cmd_args.redis_port, db=0, decode_responses=True
+        ).keys('domain:*')
+    except (redis.exceptions.ConnectionError, redis.exceptions.BusyLoadingError) as e:
+        existing_domains = list()
+
+    with open(cmd_args.output, 'w') as output_stream:
+        statistics = {'domains': 0, 'policies': 0, 'generated': time.time()}
+        # generate delete statements for non existing keys
+        for domain in existing_domains:
+            domain = domain.split(':')[-1]
+            if not policy.exists(domain):
+                output_stream.write(redis_proto_parser("DEL", "domain:%s" % domain))
+
+        # generate set statements for new data (upsert)
+        for item in policy:
+            statistics['domains'] += 1
+            statistics['policies'] += len(item['items'])
+            output_stream.write(redis_proto_parser("SET", "domain:%s" % item['domain'], ujson.dumps(item)))
+
+        output_stream.write(redis_proto_parser("SET", "domain_statistics", ujson.dumps(statistics)))
diff --git a/www/OPNProxy/src/opnsense/scripts/OPNProxy/redis_sync_users.py b/www/OPNProxy/src/opnsense/scripts/OPNProxy/redis_sync_users.py
new file mode 100755
index 0000000000..3e22e09099
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/scripts/OPNProxy/redis_sync_users.py
@@ -0,0 +1,76 @@
+#!/usr/local/bin/python3
+# -*- coding: utf-8 -*-
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import argparse
+import fcntl
+import sys
+import syslog
+import redis
+import ujson
+import xml.etree.ElementTree as ET
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--redis_host', help='redis hostname (default: 127.0.0.1)', default='127.0.0.1')
+    parser.add_argument('--redis_port', help='redis port number (default: 6379)', type=int, default=6379)
+    parser.add_argument('username', help='optional username', nargs='?', default=None)
+    args = parser.parse_args()
+
+    # wait for other redis_sync_users sync events to complete
+    lck = open('/tmp/redis_sync_users.LCK', 'w+')
+    fcntl.flock(lck, fcntl.LOCK_EX)
+
+    redisdb = redis.Redis(host=args.redis_host, port=args.redis_port, db=0)
+
+    # ideally we would flush config data using the template system first, but since user settings may change
+    # more rappidly we opt to read the raw source here.
+    try:
+        tree = ET.parse('/conf/config.xml')
+        xmlroot = tree.getroot()
+    except (FileNotFoundError, ET.ParseError):
+        syslog.syslog(syslog.LOG_ERR, 'enable to open /conf/config.xml')
+        sys.exit(1)
+
+    # merge group membership into user object and flush to redis
+    membership = dict()
+    for group in xmlroot.findall('./system/group'):
+        for member in group.findall('member'):
+            if member.text not in membership:
+                membership[member.text] = list()
+            membership[member.text].append(group.findtext('name'))
+
+    for user in xmlroot.findall('./system/user'):
+        if args.username is None or args.username == user.findtext('name'):
+            user_object = dict()
+            user_object['uid'] = user.findtext('name')
+            user_object['id'] = user.findtext('uid')
+            user_object['applies_on'] = ["u:%s" % user.findtext('name')]
+            if user_object['id'] in membership:
+                for group in membership[user_object['id']]:
+                    user_object['applies_on'].append("g:%s" % group)
+            redisdb.set('user:%s' % user_object['uid'], ujson.dumps(user_object))
diff --git a/www/OPNProxy/src/opnsense/scripts/OPNProxy/squid_acl_helper.py b/www/OPNProxy/src/opnsense/scripts/OPNProxy/squid_acl_helper.py
new file mode 100755
index 0000000000..17d4d87fa6
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/scripts/OPNProxy/squid_acl_helper.py
@@ -0,0 +1,217 @@
+#!/usr/local/bin/python3
+# -*- coding: utf-8 -*-
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import argparse
+import decimal
+import sys
+import syslog
+import traceback
+from urllib.parse import urlparse
+import redis
+import ujson
+import ipaddress
+
+
+class RedisAuth:
+    def __init__(self, host, port):
+        self._redis = redis.Redis(host=host, port=port, db=0)
+
+    def domain_policy_iterator(self, r_fqdn):
+        """ traverse domain policies
+        :param r_fqdn: fqdn
+        :return:
+        """
+        try:
+            tmp = self._redis.get("domain:%s" % r_fqdn)
+            if tmp:
+                domain_policy = ujson.loads(tmp.decode())
+            else:
+                return
+        except Exception as e:
+            # connectivity or parse issue, log and return
+            syslog.syslog(syslog.LOG_ERR, traceback.format_exc().replace('\n', ' '))
+            return
+
+        if type(domain_policy.get('items', None)) is list:
+            for policy in domain_policy['items']:
+                if type(policy) is dict:
+                    for fieldname in ['id', 'path', 'wildcard', 'action', 'applies_on', 'source_net']:
+                        if fieldname not in policy:
+                            policy[fieldname] = None
+                    yield policy
+
+    def get_user(self, uid):
+        if uid == "-":
+            return {'applies_on': set('-')}
+        try:
+            tmp = self._redis.get("user:%s" % uid)
+            if not tmp:
+                return None
+            udata = ujson.loads(tmp.decode())
+            # cleanse data
+            udata['applies_on'] = set(udata['applies_on']) if 'applies_on' in udata else set()
+        except Exception:
+            syslog.syslog(syslog.LOG_ERR, traceback.format_exc().replace('\n', ' '))
+            return None
+
+        return udata
+
+def in_network(src, networks):
+    if networks is None or type(networks) is not list or src == '-':
+        return True
+    try:
+        src_net = ipaddress.ip_network(src)
+    except ValueError:
+        syslog.syslog(syslog.LOG_ERR, traceback.format_exc().replace('\n', ' '))
+        return False
+    for network in networks:
+        try:
+            if src_net.overlaps(ipaddress.ip_network(network)):
+                return True
+        except ValueError:
+            syslog.syslog(syslog.LOG_ERR, traceback.format_exc().replace('\n', ' '))
+
+    return False
+
+def match_policy(acl, ident, src, method, uri, sslurlonly=False):
+    # default response, invalid user
+    match_res = {'message': "ERR message=\"no (valid) IDENT %s\"\n" % ident}
+    if uri.find('://') == -1:
+        base_domain = uri.split(':')[0]
+        request_path = '/'
+    else:
+        uri_parsed = urlparse(uri)
+        base_domain = uri_parsed.netloc.split(':')[0]
+        request_path = uri_parsed.path if uri_parsed.path else '/'
+
+    syslog.syslog(
+        syslog.LOG_NOTICE,
+        "ACL-REQ |%s| |%s| |%s| |%s| |%s| %s" % (acl, ident, src, method, uri, 'SNI only' if sslurlonly else '')
+    )
+    fqdn = base_domain
+    user_data = redis_auth.get_user(ident)
+    if user_data:
+        acl_decisions = dict()
+        # traverse domain upwards until either a policy is found or no matches are possible
+        # matches are prioritized on best path match and accept (higher) or deny.
+        while len(acl_decisions) == 0:
+            for this_policy in redis_auth.domain_policy_iterator(fqdn):
+                is_parent = base_domain != fqdn
+                match_parent = this_policy['path'] == '/' and is_parent and this_policy['wildcard']
+                match_main = request_path.find(this_policy['path']) == 0 and not is_parent
+                if (match_parent or match_main) and set(this_policy['applies_on']) & user_data['applies_on']:
+                    if not in_network(src, this_policy['source_net']):
+                        continue
+                    tp = 0 if this_policy['action'] == 'deny' else 1
+                    this_prio = decimal.Decimal("%d.%d" % (len(this_policy['path']), tp))
+                    acl_decisions[this_prio] = this_policy
+                    acl_decisions[this_prio]['domain'] = fqdn
+
+            if fqdn.find('.') == -1:
+                if fqdn == '*':
+                    break
+                else:
+                    # top level wildcard (add extra level)
+                    fqdn = '*'
+            else:
+                fqdn = fqdn.split('.', maxsplit=1)[1]
+
+        match_res['user'] = user_data
+        match_res['user']['applies_on'] = list(user_data['applies_on'])
+
+        if not sslurlonly and method.lower() == 'connect':
+            # skip connect when full ssl bump is enabled
+            match_res['policy'] = {'action': 'allow', 'policy_type': 'fallback'}
+            match_res['message'] = "OK user=\"%s\"\n" % ident
+        elif len(acl_decisions) > 0:
+            acl_decision = acl_decisions[sorted(acl_decisions.keys(), reverse=True)[0]]
+            match_res['policy'] = acl_decision
+            if match_res['policy']['action'] == 'deny':
+                 match_res['message'] = "ERR message=\"reason:%s policy_type:%s\" user=\"%s\"\n" % (
+                    acl_decision['id'], acl_decision['policy_type'], ident
+                )
+            else:
+                match_res['message'] = "OK message=\"whitelisted %s\" user=\"%s\"\n" % (acl_decision['id'], ident)
+        elif ident != '-':
+            # network only authentication needs an explicit policy, user-based allows by default
+            match_res['policy'] = {'action': 'allow', 'policy_type': 'fallback'}
+            match_res['message'] = "OK user=\"%s\"\n" % ident
+
+    return match_res
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--test_user', help='test mode (singleshot), username')
+    parser.add_argument('--test_uri', help='test mode (singleshot), uri')
+    parser.add_argument('--test_src', help='test mode (singleshot), source address', default='-')
+    parser.add_argument('--redis_host', help='redis hostname (default: 127.0.0.1)', default='127.0.0.1')
+    parser.add_argument('--redis_port', help='redis port number (default: 6379)', type=int, default=6379)
+    parser.add_argument('--sslurlonly', help='Log SNI information only enabled', action="store_true", default=False)
+    parser.add_argument(
+        '--no_ident',
+        help='Do not expect iden/user information in the message line',
+        action="store_true",
+        default=False
+    )
+
+    args = parser.parse_args()
+    syslog.openlog('squid', facility=syslog.LOG_LOCAL2)
+    redis_auth = RedisAuth(args.redis_host, args.redis_port)
+    if args.test_user and args.test_uri:
+        # test mode, dump raw json object to stdout
+        result = match_policy(acl='-', ident=args.test_user, src=args.test_src, method='-', uri=args.test_uri)
+        print (ujson.dumps(result))
+    else:
+        # squid worker mode
+        while True:
+            try:
+                # accept messages like:
+                # my_ext_acl user 127.0.0.2 GET https://requested.domain/path/
+                line = sys.stdin.readline().strip()
+                if line == "":
+                    sys.exit()
+                if line:
+                    try:
+                        acl_parts = line.split()
+                    except ValueError:
+                        sys.stdout.write("ERR message=\"missing input\"\n")
+                        break
+                    offset = -1 if args.no_ident else 0
+                    result = match_policy(
+                        acl=acl_parts[0],
+                        ident='-' if args.no_ident else acl_parts[1],
+                        src=acl_parts[2+offset],
+                        method=acl_parts[3+offset],
+                        uri=acl_parts[4+offset],
+                        sslurlonly=args.sslurlonly
+                    )
+                    sys.stdout.write(result['message'])
+
+                sys.stdout.flush()
+            except IOError:
+                pass
diff --git a/www/OPNProxy/src/opnsense/service/conf/actions.d/actions_opnproxy.conf b/www/OPNProxy/src/opnsense/service/conf/actions.d/actions_opnproxy.conf
new file mode 100644
index 0000000000..bafa0f6993
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/service/conf/actions.d/actions_opnproxy.conf
@@ -0,0 +1,21 @@
+[apply_policies]
+command:
+  /usr/local/opnsense/scripts/OPNProxy/policies_to_redis_proto.py | redis-cli --pipe &&
+  /usr/local/sbin/squid -k reconfigure
+parameters:
+type:script
+message:download proxy policies and apply to redisdb
+description:OPNProxy apply policies
+
+
+[sync_users]
+command: /usr/local/opnsense/scripts/OPNProxy/redis_sync_users.py
+parameters:
+type:script
+message:synchronise proxy users
+
+[user.test]
+command: /usr/local/opnsense/scripts/OPNProxy/squid_acl_helper.py
+parameters: --test_user %s --test_uri %s --test_src %s
+type:script_output
+message:test user login
diff --git a/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/+TARGETS b/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/+TARGETS
new file mode 100644
index 0000000000..b9419e8aee
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/+TARGETS
@@ -0,0 +1,2 @@
+proxy_policies.conf:/usr/local/etc/squid/proxy_policies.conf
+10-opnproxy-ext.auth.conf:/usr/local/etc/squid/auth/10-opnproxy-ext.auth.conf
diff --git a/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/10-opnproxy-ext.auth.conf b/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/10-opnproxy-ext.auth.conf
new file mode 100644
index 0000000000..408895ad80
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/10-opnproxy-ext.auth.conf
@@ -0,0 +1,43 @@
+external_acl_type ext_opnproxy_helper_net ttl=30 negative_ttl=5 %ACL %SRC %METHOD %URI /usr/local/opnsense/scripts/OPNProxy/squid_acl_helper.py --no_ident {% if not helpers.empty('OPNsense.proxy.forward.sslurlonly') %} --sslurlonly {% endif %}
+
+acl opnproxy_ext_acl_net external ext_opnproxy_helper_net
+http_access allow opnproxy_ext_acl_net
+
+{% if not helpers.empty('OPNsense.proxy.forward.authentication.method') %}
+# Login based authentication
+external_acl_type ext_opnproxy_helper_usr ttl=30 negative_ttl=5 %ACL %LOGIN %SRC %METHOD %URI /usr/local/opnsense/scripts/OPNProxy/squid_acl_helper.py {% if not helpers.empty('OPNsense.proxy.forward.sslurlonly') %} --sslurlonly {% endif %}
+
+acl opnproxy_ext_acl_usr external ext_opnproxy_helper_usr
+http_access allow opnproxy_ext_acl_usr
+{% endif %}
+
+
+{% if not helpers.empty('OPNsense.proxy.forward.icap.enable') %}
+{%   if not helpers.empty('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod allow opnproxy_ext_acl_net
+{% if not helpers.empty('OPNsense.proxy.forward.authentication.method') %}
+adaptation_access response_mod allow opnproxy_ext_acl_usr
+{% endif %}
+{%   endif %}
+{%   if not helpers.empty('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod allow opnproxy_ext_acl_net
+{% if not helpers.empty('OPNsense.proxy.forward.authentication.method') %}
+adaptation_access request_mod allow opnproxy_ext_acl_usr
+{% endif %}
+{%   endif %}
+{% endif %}
+
+{% if not helpers.empty('OPNsense.proxy.forward.authentication.method') %}
+# explicit disable default allow authenticated users clause
+http_access deny local_auth all
+{%   if not helpers.empty('OPNsense.proxy.forward.icap.enable') %}
+{%       if not helpers.empty('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny local_auth
+{%       endif %}
+{%       if not helpers.empty('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny local_auth
+{%       endif %}
+{%   endif %}
+{%   else %}
+http_access deny localnet
+{% endif %}
diff --git a/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/proxy_policies.conf b/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/proxy_policies.conf
new file mode 100644
index 0000000000..ce330f22d5
--- /dev/null
+++ b/www/OPNProxy/src/opnsense/service/templates/Deciso/Proxy/proxy_policies.conf
@@ -0,0 +1,30 @@
+{% for policy in helpers.toList('Deciso.Proxy.ACL.policies.policy') %}
+{%   if policy.enabled|default('0') == '1' %}
+[policy_{{ policy['@uuid'] }}]
+policy_type=default
+description={{ policy.description }}
+content={{ policy.content }}
+applies_on={{ policy.applies_on|default('-') }}
+source_net={{ policy.source_net }}
+action={{ policy.action }}
+{%   endif %}
+
+{% endfor %}
+
+{% for policy in helpers.toList('Deciso.Proxy.ACL.custom_policies.policy') %}
+{%   if policy.enabled|default('0') == '1' %}
+[policy_{{ policy['@uuid'] }}]
+policy_type=custom
+description={{ policy.description }}
+content={{ policy.content.replace('\n', '\n\t') }}
+applies_on={{ policy.applies_on|default('-') }}
+source_net={{ policy.source_net }}
+action={{ policy.action }}
+{%   endif %}
+
+{% endfor %}
+
+[source]
+blocklist=/usr/local/opnsense/data/proxy/blocklists.tar.gz
+blocklist_download_uri=https://rulesets.opnsense.org/proxy/blocklists.tar.gz
+blocklist_ttl=86300

From 0eb9557470bf18b0a7b14ec1e118cec17ea61911 Mon Sep 17 00:00:00 2001
From: realizelol <bsw.bsw@gmx.de>
Date: Mon, 8 Apr 2024 23:21:42 +0200
Subject: [PATCH 1835/3088] security/acme-client: Add support for dnshome DNS
 API (#3882)

* Add DNSHome to AcmeClient
---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsDnshome.php    | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnshome.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 151eec1a6d..9e14eb5bbc 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -386,6 +386,21 @@
         <label>API Key</label>
         <type>text</type>
     </field>
+    <field>
+        <label>dnsHome</label>
+        <type>header</type>
+        <style>table_dns table_dns_dnshome</style>
+    </field>
+    <field>
+        <id>validation.dns_dnshome_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>validation.dns_dnshome_subdomain</id>
+        <label>Subdomain</label>
+        <type>text</type>
+    </field>
     <field>
         <label>DNSimple</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnshome.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnshome.php
new file mode 100644
index 0000000000..2e7facd9ca
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsDnshome.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2024 realizelol
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * DnsHome API
+ * @package OPNsense\AcmeClient
+ */
+class DnsDnshome extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DNSHOME_SubdomainPassword'] = (string)$this->config->dns_dnshome_password;
+        $this->acme_env['DNSHOME_Subdomain'] = (string)$this->config->dns_dnshome_subdomain;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b2e378a9d3..f30465009d 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -445,6 +445,7 @@
                         <dns_dgon>DigitalOcean</dns_dgon>
                         <dns_da>DirectAdmin</dns_da>
                         <dns_dnsexit>DNSExit</dns_dnsexit>
+                        <dns_dnshome>dnsHome</dns_dnshome>
                         <dns_dnsimple>DNSimple</dns_dnsimple>
                         <dns_dnsservices>DNS.Services</dns_dnsservices>
                         <dns_domeneshop>Domeneshop</dns_domeneshop>
@@ -633,6 +634,12 @@
                 <dns_dnsexit_api type="TextField">
                     <Required>N</Required>
                 </dns_dnsexit_api>
+                <dns_dnshome_password type="TextField">
+                    <Required>N</Required>
+                </dns_dnshome_password>
+                <dns_dnshome_subdomain type="TextField">
+                    <Required>N</Required>
+                </dns_dnshome_subdomain>
                 <dns_dnsimple_token type="TextField">
                     <Required>N</Required>
                 </dns_dnsimple_token>

From f6422ce2f66fdc14bafbfa5a24a5d2fe00ff9d39 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 Apr 2024 23:33:04 +0200
Subject: [PATCH 1836/3088] security/acme-client: fix PHP deprecation warnings,
 closes #3892

---
 .../OPNsense/AcmeClient/Api/SettingsController.php   |  4 ++--
 .../models/OPNsense/AcmeClient/Migrations/M1_6_0.php | 12 ++++++------
 .../models/OPNsense/AcmeClient/Migrations/M4_0_0.php |  2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index d91f9cfd3f..f631fb8bb1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -347,14 +347,14 @@ public function fetchHAProxyIntegrationAction()
                                     // Link to ACME Action is currently missing: add it!
                                     if (!empty((string)$_actions)) {
                                         // Extend existing string.
-                                        $_actions .= ",${action_ref}";
+                                        $_actions .= ",{$action_ref}";
                                     } else {
                                         // First linked Action for this frontend.
                                         $_actions = $action_ref;
                                     }
                                     // Add modified list of linked Actions to frontend.
                                     $frontend->linkedActions = $_actions;
-                                    $this->getLogger()->error("AcmeClient: HAProxy integration: updating frontend ${_frontend}");
+                                    $this->getLogger()->error("AcmeClient: HAProxy integration: updating frontend {$_frontend}");
                                     // We need to write changes to config.
                                     $integration_changes = true;
                                 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M1_6_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M1_6_0.php
index f6982d2362..f2718c91f2 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M1_6_0.php
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M1_6_0.php
@@ -44,26 +44,26 @@ public function run($model)
         foreach ($model->getNodeByReference('accounts.account')->iterateItems() as $account) {
             $account_id = (string)$account->id;
             $account_dir = $dir . $account_id;
-            $new_account_dir = "${dir}${account_id}_${env}";
+            $new_account_dir = "{$dir}{$account_id}_{$env}";
 
             // Check if account directory exists
             // Accounts that haven't been used yet don't need to be migrated.
             if (is_dir($account_dir)) {
                 // Check if account configuration can be found.
-                $account_file = "${account_dir}/account.conf";
+                $account_file = "{$account_dir}/account.conf";
                 if (is_file($account_file)) {
                     // Parse config file and modify path information
                     $account_conf = parse_ini_file($account_file);
                     foreach ($account_conf as $key => $value) {
                         switch ($key) {
                             case 'ACCOUNT_KEY_PATH':
-                                $account_conf[$key] = "${new_account_dir}/account.key";
+                                $account_conf[$key] = "{$new_account_dir}/account.key";
                                 break;
                             case 'ACCOUNT_JSON_PATH':
-                                $account_conf[$key] = "${new_account_dir}/account.json";
+                                $account_conf[$key] = "{$new_account_dir}/account.json";
                                 break;
                             case 'CA_CONF':
-                                $account_conf[$key] = "${new_account_dir}/ca.conf";
+                                $account_conf[$key] = "{$new_account_dir}/ca.conf";
                                 break;
                         }
                     }
@@ -71,7 +71,7 @@ public function run($model)
                     // Convert array back to ini file format
                     $new_account_conf = array();
                     foreach ($account_conf as $key => $value) {
-                        $new_account_conf[] = "${key}='${value}'";
+                        $new_account_conf[] = "{$key}='{$value}'";
                     }
 
                     // Write changes back to file
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_0_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_0_0.php
index 2a776cbe96..51b3817707 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_0_0.php
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_0_0.php
@@ -54,7 +54,7 @@ public function run($model)
                     // Convert array back to ini file format
                     $new_account_conf = array();
                     foreach ($account_conf as $key => $value) {
-                        $new_account_conf[] = "${key}='${value}'";
+                        $new_account_conf[] = "{$key}='{$value}'";
                     }
 
                     // Write changes back to file

From 0262a19125ca67c540d342cdfed3255c4618cd59 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 8 Apr 2024 23:37:26 +0200
Subject: [PATCH 1837/3088] security/acme-client: bump version, update
 changelog

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 3bc52eb066..b95b600127 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.1
+PLUGIN_VERSION=		4.2
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 537abdbc8e..fb222939bf 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,15 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.2
+
+Added:
+* add ArtFiles DNS API (#3866)
+* add dnsHome DNS API (#3882)
+
+Fixed:
+* fix PHP deprecation messages (#3892)
+
 4.1
 
 Fixed:

From d1d17ce43facaf2254b98f7bf6f5ad86d5ce5744 Mon Sep 17 00:00:00 2001
From: Alex <alex@smith.is>
Date: Tue, 9 Apr 2024 21:58:10 +1200
Subject: [PATCH 1838/3088] security/acme-client: add support for Oracle Cloud
 Infrastructure DNS API (#3901)

* Add support for Oracle Cloud (OCI)
---
 .../AcmeClient/forms/dialogValidation.xml     | 26 ++++++++++
 .../AcmeClient/LeValidation/DnsOci.php        | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 13 +++++
 3 files changed, 86 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOci.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 9e14eb5bbc..6ec14b57b4 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1108,6 +1108,32 @@
         <label><![CDATA[Please manually install the plugin "os-bind" to enable support for it.]]></label>
         <type>info</type>
     </field>
+    <field>
+        <label>Oracle Cloud Infrastructure (OCI)</label>
+        <type>header</type>
+        <style>table_dns table_dns_oci</style>
+    </field>
+    <field>
+        <id>validation.dns_oci_cli_user</id>
+        <label>OCID of the user calling the API</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_oci_cli_tenancy</id>
+        <label>OCID of your tenancy</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_oci_cli_region</id>
+        <label>Your OCI region</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_oci_cli_key</id>
+        <label>API Signing key in PEM format</label>
+        <type>textbox</type>
+        <help><![CDATA[Please refer to the <a href="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Oracle-Cloud-Infrastructure-DNS">acme.sh documentation</a> for further information.]]></help>
+    </field>
     <field>
         <label>OVH</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOci.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOci.php
new file mode 100644
index 0000000000..aada37b84c
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsOci.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Alex Smith
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * OCI - Oracle Cloud Infrastructure API
+ * @package OPNsense\AcmeClient
+ */
+class DnsOci extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['OCI_CLI_USER'] = (string)$this->config->dns_oci_cli_user;
+        $this->acme_env['OCI_CLI_TENANCY'] = (string)$this->config->dns_oci_cli_tenancy;
+        $this->acme_env['OCI_CLI_REGION'] = (string)$this->config->dns_oci_cli_region;
+        $this->acme_env['OCI_CLI_KEY'] = (string)$this->config->dns_oci_cli_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f30465009d..e39b8dd18b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -501,6 +501,7 @@
                         <dns_nsupdate>nsupdate (RFC 2136)</dns_nsupdate>
                         <dns_online>online.net</dns_online>
                         <dns_opnsense>OPNsense BIND Plugin</dns_opnsense>
+                        <dns_oci>Oracle Cloud Infrastructure (OCI)</dns_oci>
                         <dns_ovh>OVH, kimsufi, soyoustart and runabove</dns_ovh>
                         <dns_pdns>PowerDNS.com</dns_pdns>
                         <dns_pleskxml>Plesk</dns_pleskxml>
@@ -953,6 +954,18 @@
                 <dns_nsupdate_key type="TextField">
                     <Required>N</Required>
                 </dns_nsupdate_key>
+                <dns_oci_cli_user type="TextField">
+                    <Required>N</Required>
+                </dns_oci_cli_user>
+                <dns_oci_cli_tenancy type="TextField">
+                    <Required>N</Required>
+                </dns_oci_cli_tenancy>
+                <dns_oci_cli_region type="TextField">
+                    <Required>N</Required>
+                </dns_oci_cli_region>
+                <dns_oci_cli_key type="TextField">
+                    <Required>N</Required>
+                </dns_oci_cli_key>
                 <dns_online_key type="TextField">
                     <Required>N</Required>
                 </dns_online_key>

From 5877048d985226732e621210e06f7f60850dee1f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 9 Apr 2024 12:03:40 +0200
Subject: [PATCH 1839/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index fb222939bf..462328d2ef 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 Added:
 * add ArtFiles DNS API (#3866)
 * add dnsHome DNS API (#3882)
+* add Oracle Cloud Infrastructure DNS API (#3901)
 
 Fixed:
 * fix PHP deprecation messages (#3892)

From bbebfd3e5082484ed35951957b8afe0eb6f00dbc Mon Sep 17 00:00:00 2001
From: skidoodle <contact@albert.lol>
Date: Tue, 9 Apr 2024 20:35:51 +0200
Subject: [PATCH 1840/3088] Update net/udpbroadcastrelay: fix typo (#3903)

---
 README.md                       | 2 +-
 net/udpbroadcastrelay/Makefile  | 2 +-
 net/udpbroadcastrelay/pkg-descr | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 2afccc1887..460c2f7392 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
 net/sslh -- sslh configuration front-end
 net/tayga -- Tayga NAT64
-net/udpbroadcastrelay -- Control ubpbroadcastrelay processes
+net/udpbroadcastrelay -- Control udpbroadcastrelay processes
 net/upnp -- Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 net/vnstat -- Network traffic monitor
 net/wol -- Wake on LAN Service
diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index 850085eb92..938cadc201 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		udpbroadcastrelay
 PLUGIN_VERSION=		1.0
 PLUGIN_REVISION=	3
-PLUGIN_COMMENT=		Control ubpbroadcastrelay processes
+PLUGIN_COMMENT=		Control udpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com
 
diff --git a/net/udpbroadcastrelay/pkg-descr b/net/udpbroadcastrelay/pkg-descr
index bd8f32978d..b2aad18334 100644
--- a/net/udpbroadcastrelay/pkg-descr
+++ b/net/udpbroadcastrelay/pkg-descr
@@ -1,4 +1,4 @@
-udbproadcastrelay is a UDP multicast relayer. Its intended use is to
+udpbroadcastrelay is a UDP multicast relayer. Its intended use is to
 rebroadbcast udp packets on a specific port across interfaces, be those
 interfaces physical or VLAN.
 

From cb2e7d3e6ec555aeb247b0a381b23089f60ddbaf Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 11 Apr 2024 10:24:43 +0200
Subject: [PATCH 1841/3088] www/caddy: v1.5.4 (#3891)

* Update ReverseProxyController.php

Update searchBase() for easier maintainability:

Requires: https://github.com/opnsense/core/commit/2d45b78f744059089078d56b3c108765b2d23608

* Update caddy_control.py - Change onerestart and other actions to restart

Might fix: https://github.com/opnsense/plugins/issues/3887

* Update Caddy.xml - Model Relation Fields

to allow displaying multiple elements instead of only the description. This prevents duplicates being displayed without being able to know which entry is which.

Possibly fixes:
https://github.com/opnsense/plugins/issues/3885
https://github.com/opnsense/plugins/issues/3884

Also, since the descriptions are used by "internalModelUseSafeDelete", it's better to make them all required.

* Update actions_caddy.conf - Add reload action

The rc.d file communicates directly with the caddy admin endpoint, and can reload the configuration with the /var/run/caddy/caddy.sock without restarting the whole caddy process.

* Update caddy_control.py - Add reload action

The rc.d file communicates directly with the caddy admin endpoint, and can reload the configuration with the /var/run/caddy/caddy.sock without restarting the whole caddy process.

* Update ServiceController.php - Turn off the ForceRestart

Since caddy can use a reload instead

* Add option to set a custom HTTP response code and message instead of using abort. This option can only be set globally in general settings.

* Update pkg-descr - Add 1.5.4

* Update Makefile - Bump to 1.5.4

* Tether the HTTP repond logic to the Access List for more flexibility.

* Update Caddy.xml - Change HTTPResponseCode and Message from general to accesslist

* Add configuration framework for setting custom headers. WIP for opnsense/plugins#3881

* Update Caddy.xml - This shouldn't be here anymore...

* Update Caddy.xml - Another mistake has sneaked in, fixed.

* Update reverse_proxy.volt - Add new fields to bootgrid

* Add template logic for header manipulation. WIP for opnsense/plugins#3881

* Update pkg-descr

* Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS.

* Update Caddyfile - Added some much needed comments the the most important sections and macros of the template. This should improve maintainability.

* Update Caddyfile - Improve Comments, add Copyright header

* Update Caddyfile - Improve comments
---
 www/caddy/Makefile                            |   3 +-
 www/caddy/pkg-descr                           |  11 +
 .../Caddy/Api/ReverseProxyController.php      |  48 +++-
 .../OPNsense/Caddy/Api/ServiceController.php  |   6 +
 .../OPNsense/Caddy/ReverseProxyController.php |   1 +
 .../OPNsense/Caddy/forms/dialogAccessList.xml |  16 ++
 .../OPNsense/Caddy/forms/dialogHandle.xml     |  13 ++
 .../OPNsense/Caddy/forms/dialogHeader.xml     |  34 +++
 .../OPNsense/Caddy/forms/dynamicdns.xml       |   2 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  88 ++++++--
 .../mvc/app/views/OPNsense/Caddy/general.volt |  27 ---
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  46 ++++
 .../scripts/OPNsense/Caddy/caddy_control.py   |   7 +-
 .../service/conf/actions.d/actions_caddy.conf |   9 +-
 .../templates/OPNsense/Caddy/Caddyfile        | 211 +++++++++++++++++-
 15 files changed, 456 insertions(+), 66 deletions(-)
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 138ee9fee6..208aef7c0d 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.5.3
+PLUGIN_VERSION=		1.5.4
+PLUGIN_REVISION=        1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 72f60a2dac..93d02a5395 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -18,12 +18,23 @@ Main features of this plugin:
 * Basic Auth to restrict access by username and password
 * Syslog-ng integration and HTTP Access Log
 * NTLM Transport
+* Header manipulation with header_up and header_down
 
 DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 
 Plugin Changelog
 ================
 
+1.5.4
+
+* Fix: When pressing Apply, the Caddy service will be reloaded instead of restarted. This fixes long restart times and service interruptions.
+* Change: All Description Fields are now required to be populated.
+* Change: Model Relation Fields now display two values instead of one to make most options appear unique.
+* Add: HTTP response code and HTTP response message can be set per access list in advanced mode.
+* Add: Header functionality added. Multiple header manipulations can be set per handler.
+* Cleanup: Update searchBase() in ReverseProxyController.php for easier maintainability.
+* Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS. 
+
 1.5.3
 
 * Change from "Phalcon Messages" to "OPNsense Messages" in Caddy.php.
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 5236dfba93..140330a06b 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -41,9 +41,9 @@ class ReverseProxyController extends ApiMutableModelControllerBase
 
     /*ReverseProxy Section*/
 
-    public function searchReverseProxyAction()
+    public function searchReverseProxyAction($add_empty='0')
     {
-        return $this->searchBase("reverseproxy.reverse", ['enabled', 'FromDomain', 'FromPort', 'accesslist', 'basicauth', 'DnsChallenge', 'CustomCertificate', 'AccessLog', 'DynDns', 'AcmePassthrough', 'description']);
+        return $this->searchBase("reverseproxy.reverse", null, 'description');
     }
 
     public function setReverseProxyAction($uuid)
@@ -74,9 +74,9 @@ public function toggleReverseProxyAction($uuid, $enabled = null)
 
     /*Subdomain Section*/
 
-    public function searchSubdomainAction()
+    public function searchSubdomainAction($add_empty='0')
     {
-        return $this->searchBase("reverseproxy.subdomain", ['enabled', 'reverse', 'FromDomain', 'FromPort', 'accesslist', 'basicauth', 'DynDns', 'description']);
+        return $this->searchBase("reverseproxy.subdomain", null, 'description');
     }
 
     public function setSubdomainAction($uuid)
@@ -107,9 +107,9 @@ public function toggleSubdomainAction($uuid, $enabled = null)
 
     /*Handler Section*/
 
-    public function searchHandleAction()
+    public function searchHandleAction($add_empty='0')
     {
-        return $this->searchBase("reverseproxy.handle", ['enabled', 'reverse', 'subdomain', 'HandleType', 'HandlePath', 'ToDomain', 'ToPort', 'ToPath', 'HttpTls', 'HttpTlsTrustedCaCerts', 'HttpTlsServerName', 'HttpNtlm', 'HttpTlsInsecureSkipVerify', 'description']);
+        return $this->searchBase("reverseproxy.handle", null, 'description');
     }
 
     public function setHandleAction($uuid)
@@ -140,9 +140,9 @@ public function toggleHandleAction($uuid, $enabled = null)
 
     /* AccessList Section */
 
-    public function searchAccessListAction()
+    public function searchAccessListAction($add_empty='0')
     {
-        return $this->searchBase("reverseproxy.accesslist", ['accesslistName', 'clientIps', 'accesslistInvert', 'description']);
+        return $this->searchBase("reverseproxy.accesslist", null, 'description');
     }
 
     public function setAccessListAction($uuid)
@@ -168,9 +168,9 @@ public function delAccessListAction($uuid)
 
     /* BasicAuth Section */
 
-    public function searchBasicAuthAction()
+    public function searchBasicAuthAction($add_empty='0')
     {
-        return $this->searchBase("reverseproxy.basicauth", ['basicauthuser', 'basicauthpass', 'description']);
+        return $this->searchBase("reverseproxy.basicauth", null, 'description');
     }
 
     public function setBasicAuthAction($uuid)
@@ -212,4 +212,32 @@ public function delBasicAuthAction($uuid)
     {
         return $this->delBase("reverseproxy.basicauth", $uuid);
     }
+
+
+    /* Header Section */
+
+    public function searchHeaderAction($add_empty='0')
+    {
+        return $this->searchBase("reverseproxy.header", null, 'description');
+    }
+
+    public function setHeaderAction($uuid)
+    {
+        return $this->setBase("header", "reverseproxy.header", $uuid);
+    }
+
+    public function addHeaderAction()
+    {
+        return $this->addBase("header", "reverseproxy.header");
+    }
+
+    public function getHeaderAction($uuid = null)
+    {
+        return $this->getBase("header", "reverseproxy.header", $uuid);
+    }
+
+    public function delHeaderAction($uuid)
+    {
+        return $this->delBase("reverseproxy.header", $uuid);
+    }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
index fa1b43842b..f719a74d9b 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
@@ -41,6 +41,12 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceEnabled = 'general.enabled';
     protected static $internalServiceName = 'caddy';
 
+    protected function reconfigureForceRestart()
+    {
+        // Caddy can use a reload action instead
+        return 0;
+    }
+    
     public function validateAction()
     {
         $backend = new Backend();
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
index 4a9947d759..fde12d63c7 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -43,5 +43,6 @@ public function indexAction()
         $this->view->formDialogHandle = $this->getForm("dialogHandle");
         $this->view->formDialogAccessList = $this->getForm("dialogAccessList");
         $this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
+        $this->view->formDialogHeader = $this->getForm("dialogHeader");
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index b38a67826c..8fff82b7ea 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -19,6 +19,22 @@
         <type>checkbox</type>
         <help><![CDATA[If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).]]></help>
     </field>
+    <field>
+        <id>accesslist.HttpResponseCode</id>
+        <label>HTTP Response Code</label>
+        <type>text</type>
+        <hint>403</hint>
+        <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list doesn't match. Setting this will replace "Abort Connections", all clients will stay connected but will receive the response code.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>accesslist.HttpResponseMessage</id>
+        <label>HTTP Response Message</label>
+        <type>text</type>
+        <hint>Forbidden</hint>
+        <help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>accesslist.description</id>
         <label>Description</label>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 68ac76a59b..51bf040773 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -36,6 +36,19 @@
         <type>text</type>
         <help><![CDATA[Enter a description for this handler.]]></help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Header</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>handle.header</id>
+        <label>Header Manipulation</label>
+        <type>dropdown</type>
+        <type>select_multiple</type>
+        <size>5</size>
+        <help><![CDATA[Select one or multiple header manipulations. These will be set to this handler. Generally this is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Upstream</label>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
new file mode 100644
index 0000000000..585ddf5124
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
@@ -0,0 +1,34 @@
+<form>
+    <field>
+        <id>header.HeaderUpDown</id>
+        <label>Header</label>
+        <type>dropdown</type>
+        <help><![CDATA[header_up sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. header_down sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend. For more information: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers]]></help>
+    </field>
+    <field>
+        <id>header.HeaderType</id>
+        <label>Header Type</label>
+        <hint>Host</hint>
+        <type>text</type>
+        <help><![CDATA[Enter a header, for example "Host". Use the + or - prefix to add or remove this header, for example "-Host" or "+Host". A suffix match like "-Host-*" is also supported. To replace a header, use "Some-Header" without + or -.]]></help>
+    </field>
+    <field>
+        <id>header.HeaderValue</id>
+        <label>Header Value</label>
+        <hint>{upstream_hostport}</hint>
+        <type>text</type>
+        <help><![CDATA[Enter a value for the above header. One of the most common options is "{upstream_hostport}". It's also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.]]></help>
+    </field>
+    <field>
+        <id>header.HeaderReplace</id>
+        <label>Header Replace</label>
+        <type>text</type>
+        <help><![CDATA[If a regular expression is used to search for a Header Value, here the replacement string can be set. For example: "replaced-$1-suffix" which expands the replacement string, allowing the use of captured values, $1 being the first capture group.]]></help>
+    </field>
+    <field>
+        <id>header.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this header.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
index d7fa66ef17..a0a3630952 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
@@ -3,7 +3,7 @@
         <id>caddy.general.DynDnsIpVersions</id>
         <label>DynDns IP Version</label>
         <type>dropdown</type>
-        <help><![CDATA[Leave on None to set IPv4 A-Records and IPv6 AAAA-Records. Select "IPv4 only" for setting A-Records. Select "IPv6 only" for setting AAAA-Records.]]></help>
+        <help><![CDATA[Select "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
     </field>
     <field>
         <id>caddy.general.DynDnsCheckInterval</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 3d8497fd33..d967254ef4 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.1.5</version>
+    <version>1.1.7</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -12,8 +12,8 @@
                 <ValidationMessage>Please enter a valid email address.</ValidationMessage>
             </TlsEmail>
             <TlsAutoHttps type="OptionField">
+                <BlankDesc>On (default)</BlankDesc>
                 <OptionValues>
-                    <on>On (default)</on>
                     <off>Off</off>
                     <disable_redirects>Disable Redirects</disable_redirects>
                     <disable_certs>Disable Certs</disable_certs>
@@ -21,8 +21,8 @@
                 </OptionValues>
             </TlsAutoHttps>
             <TlsDnsProvider type="OptionField">
+                <BlankDesc>None (default)</BlankDesc>
                 <OptionValues>
-                    <none>None (default)</none>
                     <cloudflare>Cloudflare</cloudflare>
                     <duckdns>Duck DNS</duckdns>
                     <digitalocean>DigitalOcean</digitalocean>
@@ -59,7 +59,8 @@
                     <reverseproxy>
                         <source>OPNsense.Caddy.Caddy</source>
                         <items>reverseproxy.accesslist</items>
-                        <display>accesslistName</display>
+                        <display>accesslistName,description</display>
+                        <display_format>%s - %s</display_format> 
                     </reverseproxy>
                 </Model>
             </accesslist>
@@ -84,12 +85,11 @@
                 <Required>Y</Required>
             </DynDnsCheckInterval>
             <DynDnsIpVersions type="OptionField">
-                <Default>ipv4</Default>
+                <BlankDesc>IPv4+IPv6</BlankDesc>
                 <OptionValues>
                     <ipv4>IPv4 only</ipv4>
                     <ipv6>IPv6 only</ipv6>
                 </OptionValues>
-                <Required>Y</Required>
             </DynDnsIpVersions>
             <DynDnsTTL type="IntegerField">
                 <Default>1</Default>
@@ -123,7 +123,8 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.accesslist</items>
-                            <display>accesslistName</display>
+                            <display>accesslistName,description</display>
+                            <display_format>%s - %s</display_format> 
                         </reverseproxy>
                     </Model>
                 </accesslist>
@@ -132,7 +133,8 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.basicauth</items>
-                            <display>basicauthuser</display>
+                            <display>basicauthuser,description</display>
+                            <display_format>%s - %s</display_format>
                         </reverseproxy>
                     </Model>
                     <Multiple>Y</Multiple>
@@ -160,7 +162,8 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.reverse</items>
-                            <display>description</display>
+                            <display>FromDomain,FromPort</display>
+                            <display_format>%s:%s</display_format>
                         </reverseproxy>
                     </Model>
                 </reverse>
@@ -179,7 +182,8 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.accesslist</items>
-                            <display>accesslistName</display>
+                            <display>accesslistName,description</display>
+                            <display_format>%s - %s</display_format>
                         </reverseproxy>
                     </Model>
                 </accesslist>
@@ -188,7 +192,8 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.basicauth</items>
-                            <display>basicauthuser</display>
+                            <display>basicauthuser,description</display>
+                            <display_format>%s - %s</display_format>
                         </reverseproxy>
                     </Model>
                     <Multiple>Y</Multiple>
@@ -209,7 +214,8 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.reverse</items>
-                            <display>description</display>
+                            <display>FromDomain,FromPort</display>
+                            <display_format>%s:%s</display_format>
                         </reverseproxy>
                     </Model>
                 </reverse>
@@ -218,7 +224,8 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.subdomain</items>
-                            <display>description</display>
+                            <display>FromDomain,FromPort</display>
+                            <display_format>%s:%s</display_format>
                         </reverseproxy>
                     </Model>
                 </subdomain>
@@ -234,6 +241,17 @@
                     <Mask>/^(\/.*)?$/u</Mask>
                     <ValidationMessage>Please enter a valid 'Handle Path' that starts with '/'.</ValidationMessage>
                 </HandlePath>
+                <header type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.header</items>
+                            <display>HeaderUpDown,HeaderType,HeaderValue,description</display>
+                            <display_format>%s %s %s - %s</display_format>
+                        </reverseproxy>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                </header>
                 <ToDomain type="HostnameField">
                     <Required>Y</Required>
                     <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
@@ -261,7 +279,9 @@
                     <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
                     <ZoneRootAllowed>N</ZoneRootAllowed>
                 </HttpTlsServerName>
-                <description type="DescriptionField"/>
+                <description type="DescriptionField">
+                    <Required>Y</Required>
+                </description>
             </handle>
             <accesslist type="ArrayField">
                 <accesslistName type="TextField">
@@ -278,7 +298,15 @@
                     <ValidationMessage>Please enter valid IP address(es) or network(s), separated by commas.</ValidationMessage>
                 </clientIps>
                 <accesslistInvert type="BooleanField"/>
-                <description type="DescriptionField"/>
+                <HttpResponseCode type="IntegerField">
+                    <MinimumValue>100</MinimumValue>
+                    <MaximumValue>599</MaximumValue>
+                    <ValidationMessage>Please enter a valid HTTP response code between 100 and 599</ValidationMessage>
+                </HttpResponseCode>
+                <HttpResponseMessage type="DescriptionField"/>
+                <description type="DescriptionField">
+                    <Required>Y</Required>
+                </description>
             </accesslist>
             <basicauth type="ArrayField">
                 <basicauthuser type="TextField">
@@ -289,8 +317,36 @@
                 <basicauthpass type="UpdateOnlyTextField">
                     <Required>Y</Required>
                 </basicauthpass>
-                <description type="DescriptionField"/>
+                <description type="DescriptionField">
+                    <Required>Y</Required>
+                </description>
             </basicauth>
+            <header type="ArrayField">
+                <HeaderUpDown type="OptionField">
+                    <Default>header_up</Default>
+                    <OptionValues>
+                        <header_up>header_up</header_up>
+                        <header_down>header_down</header_down>
+                    </OptionValues>
+                    <Required>Y</Required>
+                </HeaderUpDown>
+                <HeaderType type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^([^"]{0,1024})$/u</Mask>
+                    <ValidationMessage>The header type must not contain quotation marks (") and must be less than 1024 characters.</ValidationMessage>
+                </HeaderType>
+                <HeaderValue type="TextField">
+                    <Mask>/^([^"]{0,1024})$/u</Mask>
+                    <ValidationMessage>The header value must not contain quotation marks (") and must be less than 1024 characters.</ValidationMessage>
+                </HeaderValue>
+                <HeaderReplace type="TextField">
+                    <Mask>/^([^"]{0,1024})$/u</Mask>
+                    <ValidationMessage>The header replacement must not contain quotation marks (") and must be less than 1024 characters.</ValidationMessage>
+                </HeaderReplace>
+                <description type="DescriptionField">
+                    <Required>Y</Required>
+                </description>
+            </header>
         </reverseproxy>
     </items>
 </model>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index 9fcca897b1..eac7320b6b 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -28,33 +28,6 @@
     $(document).ready(function() {
         var data_get_map = {'frm_GeneralSettings':"/api/caddy/General/get"};
         mapDataToFormUI(data_get_map).done(function(data){
-            // console.log("Fetched data:", data); // Log the fetched data
-            var generalSettings = data.frm_GeneralSettings.caddy.general;
-
-            // Populate TlsAutoHttps dropdown
-            var tlsAutoHttpsSelect = $('#caddy\\.general\\.TlsAutoHttps');
-            tlsAutoHttpsSelect.empty(); // Clear existing options
-            $.each(generalSettings.TlsAutoHttps, function(key, option) {
-                if (key !== "") {  // Filter out the unwanted "None" option
-                    tlsAutoHttpsSelect.append(new Option(option.value, key, false, option.selected === 1));
-                }
-            });
-
-            // Populate TlsDnsProvider dropdown
-            var tlsDnsProviderSelect = $('#caddy\\.general\\.TlsDnsProvider');
-            tlsDnsProviderSelect.empty(); // Clear existing options
-            $.each(generalSettings.TlsDnsProvider, function(key, option) {
-                if (key !== "") {  // Filter out the unwanted "None" option
-                    tlsDnsProviderSelect.append(new Option(option.value, key, false, option.selected === 1));
-                }
-            });
-
-            // Populate Trusted Proxies dropdown
-            var accesslistSelect = $('#caddy\\.general\\.accesslist');
-            accesslistSelect.empty(); // Clear existing options
-            $.each(generalSettings.accesslist, function(key, option) {
-                accesslistSelect.append(new Option(option.value, key, false, option.selected === 1));
-            });
 
             // Refresh selectpicker for these dropdowns
             $('.selectpicker').selectpicker('refresh');
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 92aaac25d0..7f397b615c 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -69,6 +69,14 @@
             del:'/api/caddy/ReverseProxy/delBasicAuth/',
         });
 
+        $("#reverseHeaderGrid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchHeader/',
+            get:'/api/caddy/ReverseProxy/getHeader/',
+            set:'/api/caddy/ReverseProxy/setHeader/',
+            add:'/api/caddy/ReverseProxy/addHeader/',
+            del:'/api/caddy/ReverseProxy/delHeader/',
+        });
+
         // Function to show alerts in the HTML message area
         function showAlert(message, type = "error") {
             var alertClass = type === "error" ? "alert-danger" : "alert-success";
@@ -143,6 +151,7 @@
     <li class="active"><a data-toggle="tab" href="#domainsTab">Domains</a></li>
     <li><a data-toggle="tab" href="#handlesTab">Handlers</a></li>
     <li><a data-toggle="tab" href="#accessTab">Access</a></li>
+    <li><a data-toggle="tab" href="#headerTab">Headers</a></li>
 </ul>
 
 <div class="tab-content content-box">
@@ -234,6 +243,7 @@
                             <th data-column-id="subdomain" data-type="string">Subdomain</th>
                             <th data-column-id="HandleType" data-type="string" data-visible="false">Handle Type</th>
                             <th data-column-id="HandlePath" data-type="string" data-visible="false">Handle Path</th>
+                            <th data-column-id="header" data-type="string" data-visible="false">Header</th>
                             <th data-column-id="ToDomain" data-type="string">Upstream Domain</th>
                             <th data-column-id="ToPort" data-type="string">Upstream Port</th>
                             <th data-column-id="ToPath" data-type="string" data-visible="false">Upstream Path</th>
@@ -275,6 +285,8 @@
                             <th data-column-id="accesslistName" data-type="string">Name</th>
                             <th data-column-id="clientIps" data-type="string">Client IPs</th>
                             <th data-column-id="accesslistInvert" data-type="boolean" data-formatter="boolean">Invert</th>
+                            <th data-column-id="HttpResponseCode" data-type="string" data-visible="false">HTTP Code</th>
+                            <th data-column-id="HttpResponseMessage" data-type="string" data-visible="false">HTTP Message</th>
                             <th data-column-id="description" data-type="string">Description</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
                         </tr>
@@ -322,6 +334,39 @@
             </div>
         </div>
     </div>
+
+    <!-- Header Tab -->
+    <div id="headerTab" class="tab-pane fade">
+        <div style="padding-left: 16px;">
+            <h1>Headers</h1>
+            <div style="display: block;"> <!-- Common container -->
+                <table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
+                            <th data-column-id="HeaderUpDown" data-type="string">Header</th>
+                            <th data-column-id="HeaderType" data-type="string">Header Type</th>
+                            <th data-column-id="HeaderValue" data-type="string" data-visible="false">Header Value</th>
+                            <th data-column-id="HeaderReplace" data-type="string" data-visible="false">Header Replace</th>
+                            <th data-column-id="description" data-type="string">Description</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addReverseHeaderBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+    </div>
 </div>
 
 <!-- Reconfigure Button -->
@@ -351,3 +396,4 @@
 {{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit Handler')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit Header')])}}
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
index da949afefb..6598926dc1 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
@@ -64,9 +64,10 @@ def run_service_command(action, action_message):
 
 # Updated actions dictionary
 actions = {
-    "start": "onestart",
-    "stop": "onestop",
-    "restart": "onerestart",
+    "start": "start",
+    "stop": "stop",
+    "restart": "restart",
+    "reload": "reload",
     "validate": "validate"  # Validate action
 }
 
diff --git a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
index 28b10be8d5..cd5f1b2f66 100644
--- a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
+++ b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
@@ -14,9 +14,16 @@ message:Stopping Caddy service
 command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py restart
 parameters:
 type:script
-message:Reloading Caddy configuration
+message:Restarting Caddy service
 description:Restart Caddy service
 
+[reload]
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py reload
+parameters:
+type:script
+message:Reloading Caddy configuration
+description:Reload Caddy service
+
 [validate]
 command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py validate
 parameters:
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index e0e84bc72b..6a4272fb25 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -1,9 +1,40 @@
+{#
+# Copyright (c) 2023-2024 Cedrik Pischem
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+#    this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#}
+
 # DO NOT EDIT THIS FILE -- OPNsense auto-generated file
 
 {% set generalSettings = helpers.getNodeByTag('Pischem.caddy.general') %}
 
 # Global Options
 {
+    {#
+    #   Section: Global Log Settings
+    #   Purpose: Sets up global log settings. The time format and unix socket make Caddy compatible
+    #            with the syslog-ng instance running on the OPNsense.
+    #}
     log {
         {% if generalSettings.LogAccessPlain|default("0") == "0" %}
         {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
@@ -19,6 +50,11 @@
         }
     }
 
+    {#
+    #   Section: Global Trusted Proxy and Credential Logging
+    #   Purpose: The trusted proxy section is important when using CDNs so that headers are trusted.
+    #            Credential logging is useful for troubleshooting basic auth.
+    #}
     {% set accessListUuid = generalSettings.accesslist %}
     {% set logCredentials = generalSettings.LogCredentials %}
 
@@ -47,6 +83,26 @@
     }
     {% endif %}
 
+    {#
+    #   Section: Dynamic DNS Global Configuration
+    #   Purpose: Sets up global configuration for Dynamic DNS. Caddy needs to be compiled with 
+    #            https://github.com/mholt/caddy-dynamicdns and https://github.com/caddy-dns. Otherwise the
+    #            generated Caddyfile won't run. Each DNS Provider that is added below has to be compiled in.
+    #            Some Providers don't support setting A and AAAA-Records, like acmedns.
+    #            Most need specific configurations. Since only one provider can be used at the same time,
+    #            they all share the same fields for configuration.
+    #   Parameters:
+    #   - @param dnsProvider (string): Specifies the DNS provider for DDNS updates.
+    #   - @param dnsApiKey (string): The API key for authenticating with the DNS provider.
+    #   - @param dnsSecretApiKey (string): A secret API key or token for additional authentication security.
+    #   - @param dnsOptionalField1 to 4 (string): Optional configuration field for the DNS provider.
+    #   - @param dynDnsSimpleHttp (string): URL for a simple HTTP-based service to discover the server's public IP.
+    #   - @param dynDnsInterface (string): Network interface(s) to use for IP discovery.
+    #   - @param dynDnsCheckInterval (integer): Interval in minutes to check for IP changes.
+    #   - @param dynDnsIpVersions (string): The IP version(s) (IPv4, IPv6) for the DDNS update.
+    #   - @param dynDnsTTL (integer): Time-To-Live for the DNS records, in hours.
+    #   - @param dynDnsDomains (list): Domains and subdomains list for which DDNS updates are enabled.
+    #}
     {% set dnsProvider = helpers.toList('Pischem.caddy.general.TlsDnsProvider') | first %}
     {% set dnsApiKey = generalSettings.TlsDnsApiKey %}
     {% set dnsSecretApiKey = generalSettings.TlsDnsSecretApiKey %}
@@ -78,7 +134,7 @@
         {% endfor %}
     {% endfor %}
 
-    {% if dnsProvider and dnsProvider != "none" and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
+    {% if dnsProvider and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
         dynamic_dns {
             {% if dnsProvider in ['porkbun', 'desec', 'route53', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
                 provider {{ dnsProvider }} {
@@ -207,12 +263,18 @@
     }
     {% endif %}
 
+    {#
+    #   Section: ACME Email, Auto HTTPS selection and global import statement
+    #   Purpose: The ACME email is optional for receiving certificate notices.
+    #            Auto HTTPS is optional, the default is on (which means the section is empty).
+    #            The import statement is for user specific configuration out of scope of this template.
+    #}
     {% set emailValue = helpers.toList('Pischem.caddy.general.TlsEmail') | first %}
     {% if emailValue %}
     email {{ emailValue }}
     {% endif %}
     {% set autoHttpsValue = helpers.toList('Pischem.caddy.general.TlsAutoHttps') | first %}
-    {% if autoHttpsValue != "on" %}
+    {% if autoHttpsValue %}
     auto_https {{ autoHttpsValue }}
     {% endif %}
     import /usr/local/etc/caddy/caddy.d/*.global
@@ -220,6 +282,11 @@
 
 # Reverse Proxy Configuration
 
+{#
+#   Section: HTTP-01 Challenge Redirection
+#   Purpose: A small premade reverse_proxy section 
+#            that can redirect the HTTP-01 challenge to a different webserver.
+#}
 {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
     {% if reverse.enabled|default("0") == "1" and reverse.AcmePassthrough %}
         # HTTP-01 challenge redirection for domain: "{{ reverse['@uuid'] }}"
@@ -234,8 +301,21 @@
     {% endif %}
 {% endfor %}
 
+{#
+#   Macro: tls_configuration
+#   Purpose: Configures TLS settings based on the DNS provider, API keys, and optional fields.
+#            Sets up the Caddyfile to update TXT Records with the chosen DNS Provider and receive
+#            certificates with the DNS-01 challenge. Refer to Dynamic DNS section for more details.
+#   Parameters:
+#   - @param dnsProvider (string): The DNS provider used for the DNS challenge.
+#   - @param dnsApiKey (string): API key for the DNS provider, essential for authentication.
+#   - @param customCert (string, optional): The config extracted name of a certificate.
+#   - @param dnsChallenge (boolean): Indicates if a DNS challenge is used for certificate authentication.
+#   - @param dnsSecretApiKey (string, optional): A secret API key or token for additional security, depending on the provider.
+#   - @param TlsDnsOptionalField1 to 4 (string, optional): Additional fields for specific DNS provider configurations.
+#}
 {% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) %}
-    {% if dnsChallenge == "1" and dnsProvider and dnsProvider != "none" %}
+    {% if dnsChallenge == "1" and dnsProvider %}
         {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
             tls {
                 dns {{ dnsProvider }} {
@@ -360,12 +440,74 @@
     {% endif %}
 {% endmacro %}
 
+{#
+#   Macro: header_manipulation
+#   Purpose: Customizes HTTP headers for requests or responses; to add, remove, or modify headers. 
+#            It uses a 'handle' object that specifies which headers to manipulate based on their @UUIDs.
+#            Each handle can have multiple of these HTTP headers assigned.
+#   Parameters:
+#   @param handle (@object):
+#       - @uuid (@string)
+#       - HeaderUpDown (string): Determines the direction of the header.
+#       - HeaderType (string): Specifies the name of the header.
+#       - HeaderValue (string, optional): The new value to set for the header, if any.
+#       - HeaderReplace (string, optional): Specifies a value to replace in the header.
+#}
+{% macro header_manipulation(handle) %}
+    {% if handle.header %}
+        {% for header_uuid in handle.header.split(',') %}
+            {% set header = helpers.toList('Pischem.caddy.reverseproxy.header') | selectattr('@uuid', 'equalto', header_uuid) | first %}
+            {# Generate directive only if HeaderUpDown and HeaderType are present #}
+            {% if header.HeaderUpDown and header.HeaderType %}
+                {# Prepare variables, making HeaderValue and HeaderReplace optional #}
+                {% set header_value = header.HeaderValue | default('') %}
+                {% set header_replace = header.HeaderReplace | default('') %}
+                {# Adjust output formatting based on the presence and style of HeaderValue #}
+                {% if header.HeaderReplace and header.HeaderValue %}
+                    {% if header_value.startswith('{') %}
+                        {{ header.HeaderUpDown }} {{ header.HeaderType }} {{ header_value }} "{{ header_replace }}"
+                    {% else %}
+                        {{ header.HeaderUpDown }} {{ header.HeaderType }} "{{ header_value }}" "{{ header_replace }}"
+                    {% endif %}
+                {% elif header.HeaderValue %}
+                    {% if header_value.startswith('{') %}
+                        {{ header.HeaderUpDown }} {{ header.HeaderType }} {{ header_value }}
+                    {% else %}
+                        {{ header.HeaderUpDown }} {{ header.HeaderType }} "{{ header_value }}"
+                    {% endif %}
+                {% else %}
+                    {{ header.HeaderUpDown }} {{ header.HeaderType }}
+                {% endif %}
+            {% endif %}
+        {% endfor %}
+    {% endif %}
+{% endmacro %}
+
+{#
+#   Macro: reverse_proxy_configuration
+#   Purpose: Sets up the handle with the reverse proxy configurations. The TLS Settings are generated here for the Upstream.
+#   Integrated Macros: header_manipulation
+#   Parameters:
+#   @param handle (@object):
+#       - @uuid (@string)
+#       - HandleType (string): Specifies the handling strategy.
+#       - HandlePath (string, optional): The path the handle should match on.
+#       - ToDomain (string): Target domain for the reverse proxy.
+#       - ToPort (string, optional): Target port on the ToDomain.
+#       - ToPath (string, optional): Destination path on the ToDomain.
+#       - HttpTls (boolean, optional): Enable TLS for the connection.
+#       - HttpNtlm (boolean, optional): Enable NTLM authentication for the connection.
+#       - HttpTlsInsecureSkipVerify (boolean, optional): If true, the server's SSL certificate is not verified.
+#       - HttpTlsTrustedCaCerts (string, optional): The config extracted name of a CA certificate.
+#       - HttpTlsServerName (string, optional): Specifies the server name for the TLS handshake.
+#}
 {% macro reverse_proxy_configuration(handle) %}
     {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
         {% if handle.ToPath|default("") != "" %}
         rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
         reverse_proxy {{ handle.ToDomain }}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %} {
+            {{ header_manipulation(handle) }}
             {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {
@@ -401,6 +543,18 @@
     }
 {% endmacro %}
 
+{#
+#   Macro: access_list_configuration
+#   Purpose: Defines access lists based on client IP addresses. The standard logic is "allow these IP addresses, deny all others."
+#            A handle with an @ matcher is created that will put the reverse_proxy_configuration inside. That means, the traffic will
+#            only get to the reverse proxy, when the access list matches. Invert is also possible, to explicitely deny IPs.
+#            The assembly is handled by the "Section: Reverse Proxy Configurations".
+#   Parameters:
+#   @param accesslist (@object):
+#       - @uuid (@string)
+#       - clientIps (@string): A comma-separated list of client IP addresses
+#       - invert (@boolean): A flag that inverts the logic of the access list
+#}
 {% macro access_list_configuration(accesslist, invert) %}
     {% set client_ips = accesslist.clientIps.split(',') %}
     {% set client_ips_space_separated = client_ips | join(' ') %}
@@ -409,6 +563,16 @@
     }
 {% endmacro %}
 
+{#
+#   Macro: basicauth_configuration
+#   Purpose: Implements basic authentication with a username and password for access.
+#   Parameters:
+#   @param basicauth_uuids (@string): A comma-separated list of UUIDs, each UUID corresponding to 
+#                                     a specific user credentials (username and password).
+#       - @uuid (@string)
+#       - basicauthuser (@string): The username required for authentication.
+#       - basicauthpass (@string): The password associated with the username.
+#}
 {% macro basicauth_configuration(basicauth_uuids) %}
     {% if basicauth_uuids %}
     basicauth {
@@ -422,6 +586,20 @@
     {% endif %}
 {% endmacro %}
 
+{#
+#   Section: Reverse Proxy Configurations
+#   Purpose: Assembles reverse proxy configurations using predefined macros. 
+#            This is the main logic of the whole template, handle with care.
+#   Macros Used:
+#   - tls_configuration
+#   - basicauth_configuration
+#   - access_list_configuration
+#   - reverse_proxy_configuration
+#   - indirect: header_manipulation
+#   Important Details: 
+#   - Order of Path specific Handles - Prioritizes order of specific path handles over catch-all handles.
+#   - Order of Wildcard Domains and Subdomains: Handles for wildcard domains come after all subdomains.
+#}
 {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
 {% if reverse.enabled|default("0") == "1" %}
 # Reverse Proxy Domain: "{{ reverse['@uuid'] }}"
@@ -491,8 +669,17 @@
         {% endif %}
         {% endfor %}
         {% endif %}
-        {% if Pischem.caddy.general.abort|default("0") == "1" %}
-        abort
+
+        {% if subdomain.accesslist %}
+            {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
+            respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
+            {% elif Pischem.caddy.general.abort|default("0") == "1" %}
+            abort
+            {% endif %}
+        {% else %}
+            {% if Pischem.caddy.general.abort|default("0") == "1" %}
+            abort
+            {% endif %}
         {% endif %}
     }
     {% endif %}
@@ -531,8 +718,18 @@
     {% endif %}
     {% endfor %}
     {% endif %}
-    {% if Pischem.caddy.general.abort|default("0") == "1" %}
-    abort
+
+    {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
+    {% if accesslist %}
+        {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
+        respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
+        {% elif Pischem.caddy.general.abort|default("0") == "1" %}
+        abort
+        {% endif %}
+    {% else %}
+        {% if Pischem.caddy.general.abort|default("0") == "1" %}
+        abort
+        {% endif %}
     {% endif %}
 }
 {% endif %}

From 971b4da0cfb6730c3c482161db001c80162584e3 Mon Sep 17 00:00:00 2001
From: Robert Zaage <robert@zaage.it>
Date: Sun, 11 Feb 2024 20:31:20 +0100
Subject: [PATCH 1842/3088] os-openconnect: Added option to enable the use of
 insecure ciphers

Committer: Robert Zaage <robert@zaage.it>
---
 .../app/controllers/OPNsense/Openconnect/forms/general.xml  | 6 ++++++
 .../mvc/app/models/OPNsense/Openconnect/General.xml         | 4 ++++
 .../service/templates/OPNsense/Openconnect/openconnect.conf | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
index 0e13339b86..a40a423e0a 100644
--- a/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
+++ b/security/openconnect/src/opnsense/mvc/app/controllers/OPNsense/Openconnect/forms/general.xml
@@ -59,6 +59,12 @@
         <type>text</type>
         <help>Enter a secret to use with one-time password generation.</help>
     </field>
+    <field>
+        <id>general.allowinsecure</id>
+        <label>Allow Insecure Ciphers</label>
+        <type>checkbox</type>
+        <help>This option allows the use of insecure ciphers.</help>
+    </field>
     <field>
         <id>general.protocol</id>
         <label>Protocol</label>
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index 9b9560a56b..e3de23d1c7 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -58,6 +58,10 @@
         <tokensecret type="TextField">
             <Required>N</Required>
         </tokensecret>
+        <allowinsecure type="BooleanField">
+            <Default>0</Default>
+            <Required>N</Required>
+        </allowinsecure>
         <protocol type="OptionField">
             <Default>anyconnect</Default>
             <Required>Y</Required>
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
index 32d13a2866..f04b3e5061 100644
--- a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
@@ -25,6 +25,9 @@ token-mode={{ OPNsense.openconnect.general.tokenmode }}
 token-secret={{ OPNsense.openconnect.general.tokensecret }}
 {%     endif %}
 {%   endif %}
+{%   if OPNsense.openconnect.general.allowinsecure|default('0') == '1' %}
+allow-insecure-crypto
+{%   endif %}
 {%   if helpers.exists('OPNsense.openconnect.general.protocol') and OPNsense.openconnect.general.protocol != '' %}
 protocol={{ OPNsense.openconnect.general.protocol }}
 {%     if OPNsense.openconnect.general.protocol == 'anyconnect' %}

From 447b8cd5cc19f90f728013ff94a692c5fae9e506 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 12 Apr 2024 09:27:12 +0200
Subject: [PATCH 1843/3088] security/openconnect - template safety and
 versioning for https://github.com/opnsense/plugins/pull/3815

---
 security/openconnect/Makefile                                 | 2 +-
 security/openconnect/pkg-descr                                | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Openconnect/General.xml  | 2 +-
 .../service/templates/OPNsense/Openconnect/openconnect.conf   | 2 +-
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/security/openconnect/Makefile b/security/openconnect/Makefile
index 9296d2ffcc..9c0c4721ae 100644
--- a/security/openconnect/Makefile
+++ b/security/openconnect/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		openconnect
-PLUGIN_VERSION=		1.4.5
+PLUGIN_VERSION=		1.4.6
 PLUGIN_COMMENT=		OpenConnect Client
 PLUGIN_DEPENDS=		openconnect
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index 9d18d3a10f..57081e80df 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -6,6 +6,10 @@ the Juniper SSL VPN which is now known as Pulse Connect Secure.
 Plugin Changelog
 ================
 
+1.4.6
+
+* add allowinsecure
+
 1.4.5
 
 * Allow ":" and "/" characters in user name
diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index e3de23d1c7..0bd610eba8 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/openconnect/general</mount>
     <description>Openconnect configuration</description>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
diff --git a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
index f04b3e5061..69d7a51ea0 100644
--- a/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
+++ b/security/openconnect/src/opnsense/service/templates/OPNsense/Openconnect/openconnect.conf
@@ -25,7 +25,7 @@ token-mode={{ OPNsense.openconnect.general.tokenmode }}
 token-secret={{ OPNsense.openconnect.general.tokensecret }}
 {%     endif %}
 {%   endif %}
-{%   if OPNsense.openconnect.general.allowinsecure|default('0') == '1' %}
+{%   if not helpers.empty('OPNsense.openconnect.general.allowinsecure') %}
 allow-insecure-crypto
 {%   endif %}
 {%   if helpers.exists('OPNsense.openconnect.general.protocol') and OPNsense.openconnect.general.protocol != '' %}

From 5c1ecf0ba5779c4a1f4b183ae20b195d93647ea3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 12 Apr 2024 11:41:33 +0200
Subject: [PATCH 1844/3088] security/openconnect - minot model fix for
 https://github.com/opnsense/plugins/pull/3815

---
 .../opnsense/mvc/app/models/OPNsense/Openconnect/General.xml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index 0bd610eba8..b9713f044d 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -60,7 +60,7 @@
         </tokensecret>
         <allowinsecure type="BooleanField">
             <Default>0</Default>
-            <Required>N</Required>
+            <Required>Y</Required>
         </allowinsecure>
         <protocol type="OptionField">
             <Default>anyconnect</Default>

From 74c1c75491948645bef117e8b573374ef6533464 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Sat, 13 Apr 2024 14:56:04 +0200
Subject: [PATCH 1845/3088] Add staticd to routing suite (#3904)

---------

Co-authored-by: Mike Shuey <shuey@fmepnet.org>
---
 .../OPNsense/Quagga/Api/StaticController.php  |  69 +++++++++++
 .../OPNsense/Quagga/StaticController.php      |  41 +++++++
 .../Quagga/forms/dialogEditSTATICRoute.xml    |  25 ++++
 .../OPNsense/Quagga/forms/static.xml          |   8 ++
 .../app/models/OPNsense/Quagga/Menu/Menu.xml  |   3 +-
 .../app/models/OPNsense/Quagga/STATICd.php    |  69 +++++++++++
 .../app/models/OPNsense/Quagga/STATICd.xml    |  36 ++++++
 .../views/OPNsense/Quagga/diagnostics.volt    |   3 +-
 .../mvc/app/views/OPNsense/Quagga/static.volt | 113 ++++++++++++++++++
 .../templates/OPNsense/Quagga/+TARGETS        |   1 +
 .../service/templates/OPNsense/Quagga/frr     |   1 +
 .../templates/OPNsense/Quagga/staticd.conf    |  18 +++
 12 files changed, 385 insertions(+), 2 deletions(-)
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/StaticController.php
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/static.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
 create mode 100644 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
 create mode 100644 net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/StaticController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/StaticController.php
new file mode 100644
index 0000000000..802d279834
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/StaticController.php
@@ -0,0 +1,69 @@
+<?php
+/**
+ *    Copyright (C) 2024 Deciso B.V.
+ *    Copyright (C) 2024 Mike Shuey
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Quagga\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class StaticController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'staticd';
+    protected static $internalModelClass = '\OPNsense\Quagga\STATICd';
+
+    public function searchRouteAction()
+    {
+	    return $this->searchBase('routes.route');
+    }
+
+    public function getRouteAction($uuid = null)
+    {
+	    return $this->getBase('route', 'routes.route', $uuid);
+    }
+
+    public function setRouteAction($uuid)
+    {
+	    return $this->setBase('route', 'routes.route', $uuid);
+    }
+
+    public function addRouteAction()
+    {
+	    return $this->addBase('route', 'routes.route');
+    }
+
+    public function delRouteAction($uuid)
+    {
+	    return $this->delBase('routes.route', $uuid);
+    }
+
+    public function toggleRouteAction($uuid)
+    {
+	    return $this->toggleBase('routes.route', $uuid);
+    }
+}
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
new file mode 100644
index 0000000000..5798e168e5
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
@@ -0,0 +1,41 @@
+<?php
+/**
+ *    Copyright (C) 2024 Deciso B.V.
+ *    Copyright (C) 2024 Mike Shuey
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Quagga;
+
+class StaticController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->staticForm = $this->getForm("static");
+        $this->view->formDialogEditSTATICRoute = $this->getForm("dialogEditSTATICRoute");
+        $this->view->pick('OPNsense/Quagga/static');
+    }
+}
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
new file mode 100644
index 0000000000..adbbeb2d4f
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
@@ -0,0 +1,25 @@
+<form>
+  <field>
+    <id>route.enabled</id>
+    <label>Enabled</label>
+    <type>checkbox</type>
+  </field>
+  <field>
+    <id>route.network</id>
+    <label>Network</label>
+    <type>text</type>
+    <help>Defines the target for the static route, in CIDR notation.</help>
+  </field>
+  <field>
+    <id>route.gateway</id>
+    <label>Gateway (optional)</label>
+    <type>text</type>
+    <help>Optional gateway IP address for this route.</help>
+  </field>
+  <field>
+    <id>route.interfacename</id>
+    <label>Interface</label>
+    <type>dropdown</type>
+    <help>Select an interface where this settings apply to.</help>
+  </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/static.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/static.xml
new file mode 100644
index 0000000000..0a766e8f63
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/static.xml
@@ -0,0 +1,8 @@
+<form>
+    <field>
+        <id>staticd.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>This will activate the staticd service if the support of routing protocols is enabled in "General".</help>
+    </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
index 2a0fc1634f..e63c3a58eb 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
@@ -7,7 +7,8 @@
     <!--<ISIS VisibleName="IS-IS" cssClass="fa fa-bolt fa-fw" url="/ui/quagga/isis/index" order="30" />-->
     <BGP VisibleName="BGP" cssClass="fa fa-globe fa-fw" url="/ui/quagga/bgp/index" order="40" />
     <BFD VisibleName="BFD" cssClass="fa fa-exchange fa-fw" url="/ui/quagga/bfd/index" order="50" />
-    <Diagnostics VisibleName="Diagnostics" cssClass="fa fa-medkit fa-fw" order="50">
+    <STATIC VisibleName="STATIC" cssClass="fa fa-expand fa-fw" url="/ui/quagga/static/index" order="60" />
+    <Diagnostics VisibleName="Diagnostics" cssClass="fa fa-medkit fa-fw" order="70">
       <General VisibleName="General" url="/ui/quagga/diagnostics/general" order="1" />
       <OSPF VisibleName="OSPF" url="/ui/quagga/diagnostics/ospf" order="20" />
       <OSPFv3 VisibleName="OSPFv3" url="/ui/quagga/diagnostics/ospfv3" order="25" />
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
new file mode 100644
index 0000000000..b365c62f04
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
@@ -0,0 +1,69 @@
+<?php
+/**
+ *    Copyright (C) 2024 Deciso B.V.
+ *    Copyright (C) 2024 Mike Shuey
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+namespace OPNsense\Quagga;
+
+use OPNsense\Base\Messages\Message;
+use OPNsense\Base\BaseModel;
+
+/* For consistency with the other frr models, this model should be named STATIC, which is a reserved keyword */
+class STATICd extends BaseModel
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+        foreach ($this->routes->route->iterateItems() as $route) {
+            if (!$validateFullModel && !$route->isFieldChanged()) {
+                continue;
+            }
+            $key = $route->__reference;
+            if (!empty((string)$route->network) && !empty((string)$route->gateway)) {
+                $net_proto = str_contains($route->network, ':') ? 'inet6' : 'inet';
+                $gw_proto = str_contains($route->gateway, ':') ? 'inet6' : 'inet';
+                if ($net_proto != $gw_proto) {
+                    $messages->appendMessage(
+                        new Message(gettext("Gateway IP protocol should match network protocol"), $key . ".gateway")
+                    );
+                }
+            }
+            if (empty((string)$route->gateway) && empty((string)$route->interfacename)) {
+                $messages->appendMessage(
+                    new Message(
+                        gettext("When no interface is provided, at least a gateway must be offered"),
+                        $key . ".gateway"
+                    )
+                );
+            }
+        }
+        return $messages;
+    }
+}
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
new file mode 100644
index 0000000000..f0c7d37c24
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
@@ -0,0 +1,36 @@
+<model>
+    <mount>//OPNsense/quagga/static</mount>
+    <description>Staticd Routing configuration</description>
+    <version>1.0.0</version>
+    <items>
+		<enabled type="BooleanField">
+			<default>0</default>
+			<Required>Y</Required>
+		</enabled>
+		<routes>
+			<route type="ArrayField">
+				<enabled type="BooleanField">
+					<default>1</default>
+					<Required>Y</Required>
+				</enabled>
+				<network type="NetworkField">
+					<NetMaskRequired>Y</NetMaskRequired>
+					<Required>Y</Required>
+					<ValidationMessage>Specify a valid network matching the gateways ip protocol.</ValidationMessage>
+				</network>
+				<gateway type="NetworkField">
+					<NetMaskAllowed>N</NetMaskAllowed>
+					<Required>N</Required>
+				</gateway>
+				<interfacename type="InterfaceField">
+					<multiple>N</multiple>
+					<AllowDynamic>Y</AllowDynamic>
+					<filters>
+						<enable>/^(?!0).*$/</enable>
+						<type>/^(?!group).*$/</type>
+					</filters>
+				</interfacename>
+			</route>
+		</routes>
+    </items>
+</model>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
index 8c3f69d670..289f2bbf57 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
@@ -115,7 +115,8 @@ POSSIBILITY OF SUCH DAMAGE.
                                             'connected': {short: 'C', long: '{{ lang._('Connected') }}'},
                                             'bgp': {short: 'B', long: '{{ lang._('BGP') }}'},
                                             'ospf': {short: 'O', long: '{{ lang._('OSPF') }}'},
-                                            'ospf6': {short: 'O', long: '{{ lang._('OSPFv3') }}'}
+                                            'ospf6': {short: 'O', long: '{{ lang._('OSPFv3') }}'},
+                                            'static': {short: 'S', long: '{{ lang._('STATIC') }}'},
                                         };
                                         let field = $("<div/>");
                                         if (protocols[row.protocol] !== undefined) {
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
new file mode 100644
index 0000000000..5de53fc3e8
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
@@ -0,0 +1,113 @@
+{#
+ # Copyright (c) 2024 Deciso B.V.
+ # Copyright (c) 2024 by Mike Shuey
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+  $( document ).ready(function() {
+      let data_get_map = {'frm_static_settings':"/api/quagga/static/get"};
+      mapDataToFormUI(data_get_map).done(function(data){
+          formatTokenizersUI();
+          $('.selectpicker').selectpicker('refresh');
+          updateServiceControlUI('quagga');
+      });
+
+      $("#grid-iproutes").UIBootgrid({
+          'search':'/api/quagga/static/searchRoute',
+          'get':'/api/quagga/static/getRoute/',
+          'set':'/api/quagga/static/setRoute/',
+          'add':'/api/quagga/static/addRoute/',
+          'del':'/api/quagga/static/delRoute/',
+          'toggle':'/api/quagga/static/toggleRoute/'
+      });
+
+      $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/static/set", 'frm_static_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
+      });
+  });
+</script>
+
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#iproute">{{ lang._('Routes') }}</a></li>
+</ul>
+
+<div class="tab-content content-box">
+    <!-- general settings  -->
+    <div id="general"  class="tab-pane fade in active">
+        {{ partial("layout_partials/base_form",['fields':staticForm,'id':'frm_static_settings'])}}
+    </div>
+    <!-- Tab: Routes -->
+    <div id="iproute" class="tab-pane fade in">
+      <table id="grid-iproutes" class="table table-responsive" data-editDialog="DialogEditSTATICRoute">
+        <thead>
+          <tr>
+              <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+              <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+              <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
+              <th data-column-id="gateway" data-type="string">{{ lang._('Gateway') }}</th>
+              <th data-column-id="interfacename" data-type="string">{{ lang._('Interface') }}</th>
+              <th data-column-id="commands" data-formatter="commands">{{ lang._('Commands') }}</th>
+          </tr>
+        </thead>
+        <tbody>
+        </tbody>
+        <tfoot>
+          <tr>
+            <td></td>
+            <td>
+              <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+              <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+            </td>
+          </tr>
+        </tfoot>
+      </table>
+    </div>
+</div>
+
+<section class="page-content-main">
+  <div class="content-box">
+      <div class="col-md-12">
+          <br/>
+          <button class="btn btn-primary" id="reconfigureAct"
+                  data-endpoint='/api/quagga/service/reconfigure'
+                  data-label="{{ lang._('Apply') }}"
+                  data-error-title="{{ lang._('Error reconfiguring STATIC') }}"
+                  type="button"
+          ></button>
+          <br/><br/>
+      </div>
+  </div>
+</section>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditSTATICRoute,'id':'DialogEditSTATICRoute','label':lang._('Edit Routes')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
index ea22bda2da..430e871671 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
@@ -6,6 +6,7 @@ ospf6d.conf:/usr/local/etc/frr/ospf6d.conf
 ospf6d_carp.conf:/usr/local/etc/frr/ospf6d_carp.conf
 ripd.conf:/usr/local/etc/frr/ripd.conf
 sa_policies.conf:/usr/local/etc/frr/sa_policies.conf
+staticd.conf:/usr/local/etc/frr/staticd.conf
 frr:/etc/rc.conf.d/frr
 zebra.conf:/usr/local/etc/frr/zebra.conf
 vtysh.conf:/usr/local/etc/frr/vtysh.conf
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index d85566ce8e..4347dd76cc 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -13,6 +13,7 @@ if helpers.exists('OPNsense.quagga.bfd.enabled') and OPNsense.quagga.bfd.enabled
 if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled == '1' %} bgpd{% endif %}{%
 if helpers.exists('OPNsense.quagga.ospf6.enabled') and OPNsense.quagga.ospf6.enabled == '1' %} ospf6d{% endif %}{%
 if helpers.exists('OPNsense.quagga.ripng.enabled') and OPNsense.quagga.ripng.enabled == '1' %} ripngd{% endif %}{%
+if helpers.exists('OPNsense.quagga.staticd.enabled') and OPNsense.quagga.staticd.enabled == '1' %} staticd{% endif %}{%
 if helpers.exists('OPNsense.quagga.isis.enabled') and OPNsense.quagga.isis.enabled == '1' %} isisd{% endif %}"
 frr_carp_demote="{%
     if not helpers.empty('OPNsense.quagga.ospf.carp_demote') %} ospfd{% endif %}{%
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
new file mode 100644
index 0000000000..099a06ea72
--- /dev/null
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
@@ -0,0 +1,18 @@
+!
+! staticd Zebra config autogenerated by OPNsense
+!
+{% if not helpers.empty('OPNsense.quagga.static.enabled') %}
+{%    if not helpers.empty('OPNsense.quagga.general') %}
+log syslog {{ OPNsense.quagga.general.sysloglevel }}
+{%    endif %}
+{%    if not helpers.empty('OPNsense.quagga.general.profile') %}
+frr defaults {{ OPNsense.quagga.general.profile }}
+{%    endif %}
+!
+{%    for route in helpers.toList('OPNsense.quagga.static.routes.route') %}
+{%        if route.enabled == '1' %}
+{% if ':' in route.network %}ipv6{% else %}ip{% endif %} route {{ route.network }} {{ route.gateway|default('')}} {{ helpers.physical_interface(route.interfacename) }}
+{%        endif %}
+{%    endfor %}
+!
+{% endif %}

From 7a5c968dc5c977e2fc6814b01564d215fb578386 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 13 Apr 2024 14:58:42 +0200
Subject: [PATCH 1846/3088] www/caddy: Add simple load balancing (#3911)

* Add: Simple Load Balancing support of Upstreams with the random policy, by allowing multiple Upstream Domains in Handlers.

* Add passive health fail duration test. It enables unhealthy upstreams to be sorted when simple load balancing is enabled.

* Update pkg-descr
---
 www/caddy/pkg-descr                                 |  3 +++
 .../OPNsense/Caddy/forms/dialogHandle.xml           | 13 +++++++++++--
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml         |  7 +++++++
 .../mvc/app/views/OPNsense/Caddy/reverse_proxy.volt |  1 +
 .../service/templates/OPNsense/Caddy/Caddyfile      |  9 ++++++++-
 5 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 93d02a5395..452ecabe8d 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -19,6 +19,7 @@ Main features of this plugin:
 * Syslog-ng integration and HTTP Access Log
 * NTLM Transport
 * Header manipulation with header_up and header_down
+* Simple load balancing with passive health check
 
 DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 
@@ -34,6 +35,8 @@ Plugin Changelog
 * Add: Header functionality added. Multiple header manipulations can be set per handler.
 * Cleanup: Update searchBase() in ReverseProxyController.php for easier maintainability.
 * Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS. 
+* Add: Simple Load Balancing support with the default random policy, by allowing to add multiple Upstream Domains in Handlers.
+* Add: Passive Health check for load balancing (Upstream Fail Duration) in Handlers.
 
 1.5.3
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 51bf040773..4a6d5ee509 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -56,9 +56,11 @@
     <field>
         <id>handle.ToDomain</id>
         <label>Upstream Domain</label>
-        <type>text</type>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
         <hint>192.168.1.1</hint>
-        <help><![CDATA[Enter the internal domain name or IP address of the upstream destination for this handler.]]></help>
+        <help><![CDATA[Enter the internal domain name or IP address of the upstream destination for this handler. If multiple upstream destinations are chosen, they will be load balanced with the default random policy.]]></help>
     </field>
     <field>
         <id>handle.ToPort</id>
@@ -74,6 +76,13 @@
         <help><![CDATA[Enter a path prefix like '/guacamole' that should be prepended to the upstream request because the application demands it.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>handle.PassiveHealthFailDuration</id>
+        <label>Upstream Fail Duration</label>
+        <type>text</type>
+        <help><![CDATA[Enables a passive health check when multiple upstream destinations have been defined for load balancing. "fail_duration" is a duration value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <type>header</type>
         <label>Trust</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index d967254ef4..acfc075d9e 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -256,6 +256,8 @@
                     <Required>Y</Required>
                     <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
                     <IpAllowed>Y</IpAllowed>
+                    <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
                 </ToDomain>
                 <ToPort type="PortField">
                     <ValidationMessage>Please enter a valid 'to' port number.</ValidationMessage>
@@ -266,6 +268,11 @@
                     <Mask>/^(\/.*)?$/u</Mask>
                     <ValidationMessage>Please enter a valid 'Backend Path' that starts with '/'.</ValidationMessage>
                 </ToPath>
+                <PassiveHealthFailDuration type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>100</MaximumValue>
+                    <ValidationMessage>Please enter a value between 1 to 100.</ValidationMessage>
+                </PassiveHealthFailDuration>
                 <HttpTls type="BooleanField"/>
                 <HttpNtlm type="BooleanField"/>
                 <HttpTlsInsecureSkipVerify type="BooleanField"/>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 7f397b615c..5d9ebc4069 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -247,6 +247,7 @@
                             <th data-column-id="ToDomain" data-type="string">Upstream Domain</th>
                             <th data-column-id="ToPort" data-type="string">Upstream Port</th>
                             <th data-column-id="ToPath" data-type="string" data-visible="false">Upstream Path</th>
+                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">Fail Duration</th>
                             <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">TLS</th>
                             <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">TLS CA</th>
                             <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">TLS Server Name</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 6a4272fb25..178c3ea781 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -500,14 +500,21 @@
 #       - HttpTlsInsecureSkipVerify (boolean, optional): If true, the server's SSL certificate is not verified.
 #       - HttpTlsTrustedCaCerts (string, optional): The config extracted name of a CA certificate.
 #       - HttpTlsServerName (string, optional): Specifies the server name for the TLS handshake.
+#       - PassiveHealthFailDuration (integer, optional): Enables passive health checks when set > 0.
 #}
 {% macro reverse_proxy_configuration(handle) %}
     {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
         {% if handle.ToPath|default("") != "" %}
         rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
-        reverse_proxy {{ handle.ToDomain }}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %} {
+        reverse_proxy {% for domain in handle.ToDomain.split(',') %}
+            {# For each domain/IP, append the port if it's specified, followed by a space #}
+            {{- domain -}}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %}{% if not loop.last %} {% endif %}
+        {% endfor %}{
             {{ header_manipulation(handle) }}
+            {% if handle.PassiveHealthFailDuration|default("") %}
+            fail_duration {{ handle.PassiveHealthFailDuration }}s
+            {% endif %}
             {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {

From cfc2bdf89cc965e2bd23b4148148157643287064 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 13 Apr 2024 17:59:05 +0200
Subject: [PATCH 1847/3088] Squashed commit of the following:

commit 5087edf5211a41dc903c4ceca90e39c2d36616f6
Author: Ad Schellevis <ad@opnsense.org>
Date:   Sat Apr 13 17:56:09 2024 +0200

    net/frr - style cleanups for https://github.com/opnsense/plugins/pull/3759 , including the use of https://github.com/opnsense/core/commit/2d45b78f744059089078d56b3c108765b2d23608 to return all fields on search for the controller in question.

commit c121bb855d29cbb8cbf649b234d642c2120faa8c
Author: Franco Fichtner <franco@opnsense.org>
Date:   Tue Mar 5 17:23:56 2024 +0100

    net/frr: bump revision for change

commit 0091d4679d237dfb7d67f9817c65a040c1207d51
Author: Franco Fichtner <franco@opnsense.org>
Date:   Tue Feb 6 09:02:13 2024 +0100

    net/frr: wrap up next version

commit 41d7c2d12203ef5abdc15c8634c986f95e955f27
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 26 06:42:52 2024 +0100

    Update bgpd.conf

commit 63e4be87d070c8847582bf50186b2438b33f49ee
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 16:56:01 2024 +0100

    Update bgp.xml

commit 22880d7d4d248f4e8e00296d180572b0839b9a5a
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 16:50:16 2024 +0100

    Update bgpd.conf

commit e5b5ee38198d13dfb1be995acd75c7eb98fbb113
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 16:44:26 2024 +0100

    Update bgpd.conf

commit f7d7630d76766425aab780d7f1712d52dc9d8a08
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 16:42:43 2024 +0100

    add distance

commit 30e479ee559a04a9c32d53ce46db77899b5555ab
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 16:22:25 2024 +0100

    Update bgpd.conf

commit fbc89c7aeb88b73ac155e49b85a097bd2d527b7e
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 09:38:47 2024 +0100

    Update BGP.xml

commit f18d80733661da36ffc6bf1c0c7006b211a6b21c
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 09:36:21 2024 +0100

    Update BGP.xml

commit b10a53ac52f3d1c38be90d389892eb390ef0439a
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 08:33:33 2024 +0100

    typos

commit fd2d9d71b11e801ad52bb66e08be61aa1622917e
Author: Michael <m.muenz@gmail.com>
Date:   Fri Jan 12 07:58:49 2024 +0100

    bgp-group support
---
 net/frr/pkg-descr                             |   4 +
 .../OPNsense/Quagga/Api/BgpController.php     |  83 +++++++-------
 .../OPNsense/Quagga/BgpController.php         |   3 +-
 .../controllers/OPNsense/Quagga/forms/bgp.xml |   7 ++
 .../Quagga/forms/dialogEditBGPNeighbor.xml    |   6 ++
 .../Quagga/forms/dialogEditBGPPeergroups.xml  |  59 ++++++++++
 .../mvc/app/models/OPNsense/Quagga/BGP.xml    |  93 +++++++++++++++-
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    | 101 ++++++++++++------
 .../templates/OPNsense/Quagga/bgpd.conf       |  59 ++++++++++
 9 files changed, 336 insertions(+), 79 deletions(-)
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 78f2520ca4..e07ba54025 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,6 +14,10 @@ Plugin Changelog
 
 1.39
 
+* Add plain password authentication to OSPF
+* Set multihop value to 255 (contributed by Cogan Ng Jun Lin)
+* Add distance to BGP
+* Add BGP peer-group support
 * Add plain password authentication to OSPF
 * Set multihop value to 255 (contributed by Cogan Ng Jun Lin)
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 79de7caf46..2d1759dcec 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -1,9 +1,9 @@
 <?php
 
 /*
- * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2015-2024 Deciso B.V.
  * Copyright (C) 2017 Fabian Franz
- * Copyright (C) 2017-2020 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2017-2024 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,32 +39,11 @@ class BgpController extends ApiMutableModelControllerBase
 
     public function searchNeighborAction()
     {
-        return $this->searchBase(
-            'neighbors.neighbor',
-            array("enabled",
-                  "description",
-                  "address",
-                  "remoteas",
-                  "password",
-                  "localip",
-                  "updatesource",
-                  "nexthopself",
-                  "multihop",
-                  "keepalive",
-                  "holddown",
-                  "connecttimer",
-                  "defaultoriginate",
-                  "asoverride",
-                  "linkedPrefixlistIn",
-                  "linkedPrefixlistOut",
-                  "linkedRoutemapIn",
-                  "linkedRoutemapOut")
-        );
+        return $this->searchBase('neighbors.neighbor');
     }
 
     public function getNeighborAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('neighbor', 'neighbors.neighbor', $uuid);
     }
 
@@ -85,15 +64,11 @@ public function setNeighborAction($uuid)
 
     public function searchAspathAction()
     {
-        return $this->searchBase(
-            'aspaths.aspath',
-            array("enabled", "description", "number", "action", "as" )
-        );
+        return $this->searchBase('aspaths.aspath');
     }
 
     public function getAspathAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('aspath', 'aspaths.aspath', $uuid);
     }
 
@@ -114,14 +89,11 @@ public function setAspathAction($uuid)
 
     public function searchPrefixlistAction()
     {
-        return $this->searchBase(
-            'prefixlists.prefixlist',
-            array("enabled", "description", "name", "seqnumber", "action", "network" )
-        );
+        return $this->searchBase('prefixlists.prefixlist');
     }
+
     public function getPrefixlistAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('prefixlist', 'prefixlists.prefixlist', $uuid);
     }
 
@@ -142,14 +114,11 @@ public function setPrefixlistAction($uuid)
 
     public function searchCommunitylistAction()
     {
-        return $this->searchBase(
-            'communitylists.communitylist',
-            array("enabled", "description", "number", "seqnumber", "action", "community" )
-        );
+        return $this->searchBase('communitylists.communitylist');
     }
+
     public function getCommunitylistAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('communitylist', 'communitylists.communitylist', $uuid);
     }
 
@@ -170,15 +139,11 @@ public function setCommunitylistAction($uuid)
 
     public function searchRoutemapAction()
     {
-        return $this->searchBase(
-            'routemaps.routemap',
-            array("enabled", "description", "name", "action", "id", "match", "match2", "set")
-        );
+        return $this->searchBase('routemaps.routemap');
     }
 
     public function getRoutemapAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('routemap', 'routemaps.routemap', $uuid);
     }
 
@@ -197,6 +162,31 @@ public function setRoutemapAction($uuid)
         return $this->setBase('routemap', 'routemaps.routemap', $uuid);
     }
 
+    public function searchPeergroupAction()
+    {
+        return $this->searchBase('peergroups.peergroup');
+    }
+
+    public function getPeergroupAction($uuid = null)
+    {
+        return $this->getBase('peergroup', 'peergroups.peergroup', $uuid);
+    }
+
+    public function addPeergroupAction()
+    {
+        return $this->addBase('peergroup', 'peergroups.peergroup');
+    }
+
+    public function delPeergroupAction($uuid)
+    {
+        return $this->delBase('peergroups.peergroup', $uuid);
+    }
+
+    public function setPeergroupAction($uuid)
+    {
+        return $this->setBase('peergroup', 'peergroups.peergroup', $uuid);
+    }
+
     public function toggleCommunitylistAction($uuid)
     {
         return $this->toggleBase('communitylists.communitylist', $uuid);
@@ -221,4 +211,9 @@ public function toggleRoutemapAction($uuid)
     {
         return $this->toggleBase('routemaps.routemap', $uuid);
     }
+
+    public function togglePeergroupAction($uuid)
+    {
+        return $this->toggleBase('peergroups.peergroup', $uuid);
+    }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
index 373d4bea4c..0b34cfd6c2 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
@@ -2,7 +2,7 @@
 
 /*
  * Copyright (C) 2017 Fabian Franz
- * Copyright (C) 2017-2020 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2017-2024 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38,6 +38,7 @@ public function indexAction()
         $this->view->formDialogEditBGPPrefixLists = $this->getForm("dialogEditBGPPrefixLists");
         $this->view->formDialogEditBGPCommunityLists = $this->getForm("dialogEditBGPCommunityLists");
         $this->view->formDialogEditBGPRouteMaps = $this->getForm("dialogEditBGPRouteMaps");
+        $this->view->formDialogEditBGPPeergroups = $this->getForm("dialogEditBGPPeergroups");
         $this->view->pick('OPNsense/Quagga/bgp');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index 37b182e1a6..8cb5f97590 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -11,6 +11,13 @@
         <type>text</type>
         <help>Your AS Number here</help>
     </field>
+    <field>
+        <id>bgp.distance</id>
+        <label>BGP AD Distance</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>BGP routes usually have an administrative distance of 20. Here you can adjust these values, e.g. when you want to prefer OSPF learned routes.</help>
+    </field>
     <field>
         <id>bgp.routerid</id>
         <label>Router ID</label>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 4a30acbe78..7b326faecf 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -169,4 +169,10 @@
     <type>dropdown</type>
     <help>Route-Map for outbound direction</help>
   </field>
+  <field>
+    <id>neighbor.peergroup</id>
+    <label>Peer Group</label>
+    <type>dropdown</type>
+    <help>Peer Group this neighbor belongs to.</help>
+  </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
new file mode 100644
index 0000000000..ea19cf0c05
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
@@ -0,0 +1,59 @@
+<form>
+  <field>
+    <id>peergroup.enabled</id>
+    <label>Enabled</label>
+    <type>checkbox</type>
+  </field>
+  <field>
+    <id>peergroup.name</id>
+    <label>Name</label>
+    <type>text</type>
+    <help>Specify the name of this peergroup.</help>
+  </field>
+  <field>
+    <id>peergroup.remoteas</id>
+    <label>Remote AS</label>
+    <type>text</type>
+    <help>Remote AS for tthis peergroup.</help>
+  </field>
+  <field>
+    <id>peergroup.updatesource</id>
+    <label>Update-Source Interface</label>
+    <type>dropdown</type>
+    <help><![CDATA[Physical name of the IPv4 interface facing the peer. Please refer to the <a href="http://docs.frrouting.org/en/stable-7.4/bgp.html#clicmd-[no]neighborPEERupdate-source%3CIFNAME|ADDRESS%3E">FRR documentation</a> for more information.]]></help>
+  </field>
+  <field>
+    <id>peergroup.nexthopself</id>
+    <label>Next-Hop-Self</label>
+    <type>checkbox</type>
+  </field>
+    <field>
+    <id>peergroup.defaultoriginate</id>
+    <label>Send Defaultroute</label>
+    <type>checkbox</type>
+  </field>
+  <field>
+    <id>peergroup.linkedPrefixlistIn</id>
+    <label>Prefix-List In</label>
+    <type>dropdown</type>
+    <help>Prefix-List for inbound direction.</help>
+  </field>
+  <field>
+    <id>peergroup.linkedPrefixlistOut</id>
+    <label>Prefix-List Out</label>
+    <type>dropdown</type>
+    <help>Prefix-List for outbound direction.</help>
+  </field>
+  <field>
+    <id>peergroup.linkedRoutemapIn</id>
+    <label>Route-Map In</label>
+    <type>dropdown</type>
+    <help>Route-Map for inbound direction.</help>
+  </field>
+  <field>
+    <id>peergroup.linkedRoutemapOut</id>
+    <label>Route-Map Out</label>
+    <type>dropdown</type>
+    <help>Route-Map for outbound direction.</help>
+  </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 63f3059630..a7239218ec 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bgp</mount>
     <description>BGP Routing configuration</description>
-    <version>1.0.8</version>
+    <version>1.0.9</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -13,6 +13,10 @@
             <MinimumValue>1</MinimumValue>
             <MaximumValue>4294967295</MaximumValue>
         </asnumber>
+        <distance type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>255</MaximumValue>
+        </distance>
         <routerid type="TextField">
             <Required>N</Required>
             <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
@@ -60,8 +64,6 @@
                                 <Required>Y</Required>
                         </address>
                         <remoteas type="IntegerField">
-                                <default></default>
-                                <Required>Y</Required>
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>4294967295</MaximumValue>
                         </remoteas>
@@ -211,7 +213,19 @@
                                 <Multiple>N</Multiple>
                                 <Required>N</Required>
                         </linkedRoutemapOut>
-            </neighbor>
+                        <peergroup type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.bgp</source>
+                                                <items>peergroups.peergroup</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Peer Group item not found</ValidationMessage>
+                                <Multiple>N</Multiple>
+                        </peergroup>
+                </neighbor>
         </neighbors>
         <aspaths>
                 <aspath type="ArrayField">
@@ -395,5 +409,76 @@
                         </set>
                 </routemap>
         </routemaps>
+        <peergroups>
+                <peergroup type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <name type="TextField">
+                                <Required>Y</Required>
+                        </name>
+                        <remoteas type="IntegerField">
+                                <Required>Y</Required>
+                                <MinimumValue>1</MinimumValue>
+                                <MaximumValue>4294967295</MaximumValue>
+                        </remoteas>
+                        <updatesource type="InterfaceField">
+                                <AllowDynamic>Y</AllowDynamic>
+                                <filters>
+                                        <enable>/^(?!0).*$/</enable>
+                                        <type>/^(?!group).*$/</type>
+                                </filters>
+                        </updatesource>
+                        <nexthopself type="BooleanField"/>
+                        <defaultoriginate type="BooleanField"/>
+                        <linkedPrefixlistIn type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.bgp</source>
+                                                <items>prefixlists.prefixlist</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
+                        </linkedPrefixlistIn>
+                        <linkedPrefixlistOut type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.bgp</source>
+                                                <items>prefixlists.prefixlist</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
+                                <Multiple>N</Multiple>
+                                <Required>N</Required>
+                        </linkedPrefixlistOut>
+                        <linkedRoutemapIn type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.bgp</source>
+                                                <items>routemaps.routemap</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
+                        </linkedRoutemapIn>
+                        <linkedRoutemapOut type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.bgp</source>
+                                                <items>routemaps.routemap</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
+                        </linkedRoutemapOut>
+            </peergroup>
+        </peergroups>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 6fe6af7acf..82e62cfe63 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2024 by Deciso B.V.
 Copyright (C) 2017 Fabian Franz
 Copyright (C) 2017 - 2020 Michael Muenz <m.muenz@gmail.com>
 All rights reserved.
@@ -35,6 +35,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
     <li><a data-toggle="tab" href="#communitylists">{{ lang._('Community Lists') }}</a></li>
     <li><a data-toggle="tab" href="#routemaps">{{ lang._('Route Maps') }}</a></li>
+    <li><a data-toggle="tab" href="#peergroups">{{ lang._('Peer Groups') }}</a></li>
 </ul>
 <div class="tab-content content-box tab-content">
     <div id="general" class="tab-pane fade in active">
@@ -51,13 +52,13 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="address" data-type="string" data-visible="true">{{ lang._('Neighbor Address') }}</th>
-                    <th data-column-id="remoteas" data-type="string" data-visible="true">{{ lang._('Remote AS') }}</th>
-                    <th data-column-id="linkedPrefixlistIn" data-type="string" data-visible="true">{{ lang._('Prefix List inbound') }}</th>
-                    <th data-column-id="linkedPrefixlistOut" data-type="string" data-visible="true">{{ lang._('Prefix List outbound') }}</th>
-                    <th data-column-id="linkedRoutemapIn" data-type="string" data-visible="true">{{ lang._('Route Map inbound') }}</th>
-                    <th data-column-id="linkedRoutemapOut" data-type="string" data-visible="true">{{ lang._('Route Map outbound') }}</th>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="address" data-type="string">{{ lang._('Neighbor Address') }}</th>
+                    <th data-column-id="remoteas" data-type="string">{{ lang._('Remote AS') }}</th>
+                    <th data-column-id="linkedPrefixlistIn" data-type="string">{{ lang._('Prefix List inbound') }}</th>
+                    <th data-column-id="linkedPrefixlistOut" data-type="string">{{ lang._('Prefix List outbound') }}</th>
+                    <th data-column-id="linkedRoutemapIn" data-type="string">{{ lang._('Route Map inbound') }}</th>
+                    <th data-column-id="linkedRoutemapOut" data-type="string">{{ lang._('Route Map outbound') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -81,10 +82,10 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="number" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Number') }}</th>
-                    <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
-                    <th data-column-id="as" data-type="string" data-visible="true" data-sortable="false">{{ lang._('AS Number') }}</th>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="number" data-type="string" data-sortable="true">{{ lang._('Number') }}</th>
+                    <th data-column-id="action" data-type="string" data-sortable="false">{{ lang._('Action') }}</th>
+                    <th data-column-id="as" data-type="string" data-sortable="false">{{ lang._('AS Number') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -108,11 +109,11 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Sequence Number') }}</th>
-                    <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
-                    <th data-column-id="network" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Network') }}</th>
+                    <th data-column-id="name" data-type="string" data-sortable="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="seqnumber" data-type="string" data-sortable="true">{{ lang._('Sequence Number') }}</th>
+                    <th data-column-id="action" data-type="string" data-sortable="false">{{ lang._('Action') }}</th>
+                    <th data-column-id="network" data-type="string" data-sortable="false">{{ lang._('Network') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -136,11 +137,11 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="number" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Number') }}</th>
-                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Secquence Number') }}</th>
-                    <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
-                    <th data-column-id="community" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Community') }}</th>
+                    <th data-column-id="number" data-type="string" data-sortable="true">{{ lang._('Number') }}</th>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="seqnumber" data-type="string" data-sortable="true">{{ lang._('Secquence Number') }}</th>
+                    <th data-column-id="action" data-type="string" data-sortable="false">{{ lang._('Action') }}</th>
+                    <th data-column-id="community" data-type="string" data-sortable="false">{{ lang._('Community') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -164,14 +165,14 @@ POSSIBILITY OF SUCH DAMAGE.
             <thead>
                 <tr>
                     <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="action" data-type="string" data-visible="true">{{ lang._('Action') }}</th>
-                    <th data-column-id="id" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
-                    <th data-column-id="match" data-type="string" data-visible="true">{{ lang._('AS Path List') }}</th>
-                    <th data-column-id="match2" data-type="string" data-visible="true">{{ lang._('Prefix List') }}</th>
-                    <th data-column-id="match3" data-type="string" data-visible="true">{{ lang._('Community List') }}</th>
-                    <th data-column-id="set" data-type="string" data-visible="true">{{ lang._('Set') }}</th>
+                    <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="action" data-type="string">{{ lang._('Action') }}</th>
+                    <th data-column-id="id" data-type="string">{{ lang._('ID') }}</th>
+                    <th data-column-id="match" data-type="string">{{ lang._('AS Path List') }}</th>
+                    <th data-column-id="match2" data-type="string">{{ lang._('Prefix List') }}</th>
+                    <th data-column-id="match3" data-type="string">{{ lang._('Community List') }}</th>
+                    <th data-column-id="set" data-type="string">{{ lang._('Set') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                 </tr>
@@ -189,6 +190,35 @@ POSSIBILITY OF SUCH DAMAGE.
             </tfoot>
         </table>
     </div>
+    <div id="peergroups" class="tab-pane fade in">
+        <table id="grid-peergroups" class="table table-responsive" data-editDialog="DialogEditBGPPeergroups">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
+                    <th data-column-id="nexthopself" data-type="string" data-formatter="boolean">{{ lang._('Next Hop Self') }}</th>
+                    <th data-column-id="defaultoriginate" data-type="string" data-formatter="boolean">{{ lang._('Default Originate') }}</th>
+                    <th data-column-id="linkedPrefixlistIn" data-type="string">{{ lang._('Prefix List inbound') }}</th>
+                    <th data-column-id="linkedPrefixlistOut" data-type="string">{{ lang._('Prefix List outbound') }}</th>
+                    <th data-column-id="linkedRoutemapIn" data-type="string">{{ lang._('Route Map inbound') }}</th>
+                    <th data-column-id="linkedRoutemapOut" data-type="string">{{ lang._('Route Map outbound') }}</th>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="10"></td>
+                    <td colspan="1">
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
 </div>
 
 <script>
@@ -274,6 +304,16 @@ $(document).ready(function() {
       'toggle':'/api/quagga/bgp/toggleRoutemap/',
       'options':{selection:false, multiSelect:false}
     }
+  );
+  $("#grid-peergroups").UIBootgrid(
+    { 'search':'/api/quagga/bgp/searchPeergroup',
+      'get':'/api/quagga/bgp/getPeergroup/',
+      'set':'/api/quagga/bgp/setPeergroup/',
+      'add':'/api/quagga/bgp/addPeergroup/',
+      'del':'/api/quagga/bgp/delPeergroup/',
+      'toggle':'/api/quagga/bgp/togglePeergroup/',
+      'options':{selection:false, multiSelect:false}
+    }
   );
     });
 </script>
@@ -283,3 +323,4 @@ $(document).ready(function() {
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPrefixLists,'id':'DialogEditBGPPrefixLists','label':lang._('Edit Prefix Lists')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPCommunityLists,'id':'DialogEditBGPCommunityLists','label':lang._('Edit Community Lists')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPRouteMaps,'id':'DialogEditBGPRouteMaps','label':lang._('Edit Route Maps')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPeergroups,'id':'DialogEditBGPPeergroups','label':lang._('Edit Peer Groups')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index ef975a7f3c..12fc2b9a7a 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -59,10 +59,65 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%   if helpers.exists('OPNsense.quagga.bgp.routerid') and OPNsense.quagga.bgp.routerid != '' %}
  bgp router-id {{ OPNsense.quagga.bgp.routerid }}
 {%   endif %}
+{%   if helpers.exists('OPNsense.quagga.bgp.distance') and OPNsense.quagga.bgp.distance != '' %}
+ distance bgp {{ OPNsense.quagga.bgp.distance }} {{ OPNsense.quagga.bgp.distance }} {{ OPNsense.quagga.bgp.distance }}
+{%   endif %}
+{%   for peergroup in helpers.toList('OPNsense.quagga.bgp.peergroups.peergroup') %}
+{%     if peergroup.enabled == '1' %}
+ neighbor {{ peergroup.name }} peer-group
+{%       if 'remoteas' in peergroup and peergroup.remoteas != '' %}
+ neighbor {{ peergroup.name }} remote-as {{ peergroup.remoteas }}
+{%       endif %}
+{%       if peergroup.updatesource|default('0') == '1' %}
+ neighbor {{ peergroup.name }} update-source {{ physical_interface(peergroup.updatesource) }}
+{%       endif %}
+ neighbor {{ peergroup.name }} activate
+{%       if  peergroup.nexthopself|default('0') == '1' %}
+ neighbor {{ peergroup.name }} next-hop-self
+{%       endif %}
+{%       if peergroup.defaultoriginate|default('0') == '1' %}
+ neighbor {{ peergroup.name }} default-originate
+{%       endif %}
+{%       if peergroup.linkedPrefixlistIn|default("") != "" %}
+{%         for prefixlist in peergroup.linkedPrefixlistIn.split(",") %}
+{%           set prefixlist2_data = helpers.getUUID(prefixlist) %}
+{%           if prefixlist2_data != {} and prefixlist2_data.enabled == '1' %}
+ neighbor {{ peergroup.name }} prefix-list {{ prefixlist2_data.name }} in
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%       if peergroup.linkedPrefixlistOut|default("") != "" %}
+{%         for prefixlist in peergroup.linkedPrefixlistOut.split(",") %}
+{%           set prefixlist_data = helpers.getUUID(prefixlist) %}
+{%           if prefixlist_data != {} and prefixlist_data.enabled == '1' %}
+ neighbor {{ peergroup.name }} prefix-list {{ prefixlist_data.name }} out
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%       if peergroup.linkedRoutemapIn|default("") != "" %}
+{%         for aspath in peergroup.linkedRoutemapIn.split(",") %}
+{%           set routemap2_data = helpers.getUUID(aspath) %}
+{%           if routemap2_data != {} and routemap2_data.enabled == '1' %}
+ neighbor {{ peergroup.name }} route-map {{ routemap2_data.name }} in
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%       if peergroup.linkedRoutemapOut|default("") != "" %}
+{%         for aspath in peergroup.linkedRoutemapOut.split(",") %}
+{%           set routemap_data = helpers.getUUID(aspath) %}
+{%           if routemap_data != {} and routemap_data.enabled == '1' %}
+ neighbor {{ peergroup.name }} route-map {{ routemap_data.name }} out
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
 {%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') %}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}
+{%         if 'remoteas' in neighbor and neighbor.remoteas != '' %}
  neighbor {{ neighbor.address }} remote-as {{ neighbor.remoteas }}
+{%         endif %}
 {%         if neighbor.bfd|default('') == '1' %}
  neighbor {{ neighbor.address }} bfd
 {%         endif %}
@@ -95,6 +150,10 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'attributeunchanged' in neighbor and neighbor.attributeunchanged != '' %}
  neighbor {{ neighbor.address }} attribute-unchanged {{ neighbor.attributeunchanged }}
 {%         endif %}
+{%         if neighbor.peergroup|default('') != '' %}
+{%         set pgname = helpers.getUUID(neighbor.peergroup) %}
+ neighbor {{ neighbor.address }} peer-group {{ pgname.name }}
+{%         endif %}
 {%       endif %}
 {%     endfor %}
 {%   endif %}

From 8f2490aa8a1a1d057d1de2a30521d0037cc3c519 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Apr 2024 21:39:57 +0200
Subject: [PATCH 1848/3088] LICENSE/README: sync

---
 LICENSE                                                   | 8 ++++++--
 README.md                                                 | 3 ++-
 .../opnsense/mvc/app/views/OPNsense/Quagga/static.volt    | 2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/LICENSE b/LICENSE
index 61caa7c55e..fccf40525f 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,5 +1,6 @@
 Copyright (c) 2015-2023 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
+Copyright (c) 2024 Alex Smith
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2021 Axelrtgs
@@ -12,7 +13,7 @@ Copyright (c) 2021 Dan Lundqvist
 Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
-Copyright (c) 2014-2023 Deciso B.V.
+Copyright (c) 2014-2024 Deciso B.V.
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 Copyright (c) 2023 Dmitry Shinkaruk
 Copyright (c) 2006 Eric Friesen
@@ -43,14 +44,17 @@ Copyright (c) 2021 Markus Peter <mpeter@one-it.de>
 Copyright (c) 2022 Markus Reiter <me@reitermark.us>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
-Copyright (c) 2017-2021 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2017-2024 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2024 Mike Shuey
 Copyright (c) 2023 Mikhail Kharisov
 Copyright (c) 2012 mkirbst
 Copyright (c) 2023 mleinart
+Copyright (c) 2024 MVZ Labor Ludwigsburg GbR
 Copyright (c) 2021 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2023 Oliver Hartl
+Copyright (c) 2024 realizelol
 Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2023 sattamjh
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
diff --git a/README.md b/README.md
index 460c2f7392..02fc2fb69b 100644
--- a/README.md
+++ b/README.md
@@ -107,9 +107,10 @@ sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools
 sysutils/xen -- Xen guest utilities
 vendor/sunnyvalley -- Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
+www/OPNProxy -- OPNsense proxy additions
 www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
-www/caddy -- Easy to configure Reverse Proxy based on Caddy with Automatic HTTPS and Dynamic DNS
+www/caddy -- Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 www/nginx -- Nginx HTTP server and reverse proxy
 www/squid -- Squid is a caching proxy for the web
 www/web-proxy-sso -- Kerberos authentication module
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
index 5de53fc3e8..f699b7d2cd 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
@@ -1,6 +1,6 @@
 {#
  # Copyright (c) 2024 Deciso B.V.
- # Copyright (c) 2024 by Mike Shuey
+ # Copyright (c) 2024 Mike Shuey
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,

From 7e6bc0ae490a90a195d2b07f5d2a09805be2fab4 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 16 Apr 2024 15:22:31 +0200
Subject: [PATCH 1849/3088] www/caddy: Fix input validation - allow wildcard
 domains and base domains at the same time (#3915)

* Update Caddy.php - Remove validation that checks for conflicts between wildcard and base domain

If a user creates a wildcard domain, the base domain won't be represented under it, so the base domain has to be created additionally. This validation prevented this from happening, even though it's a valid configuration.

* Update pkg-descr - included fix
---
 www/caddy/pkg-descr                           |  1 +
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 37 -------------------
 2 files changed, 1 insertion(+), 37 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 452ecabe8d..c3c9030dca 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -37,6 +37,7 @@ Plugin Changelog
 * Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS. 
 * Add: Simple Load Balancing support with the default random policy, by allowing to add multiple Upstream Domains in Handlers.
 * Add: Passive Health check for load balancing (Upstream Fail Duration) in Handlers.
+* Fix: Input validation so a base domain like "example.com" and a wildcard domain like "*.example.com" can now be created at the same time in domains.
 
 1.5.3
 
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 953f284fb1..5313912134 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -107,41 +107,6 @@ private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
         }
     }
 
-    // 4. Check for conflicts between wildcard and base domains
-    private function checkForWildcardAndBaseDomainConflicts($domains, $messages)
-    {
-        $domainList = [];
-        foreach ($domains as $domain) {
-            if ((string) $domain->enabled === '1') {
-                $domainName = (string) $domain->FromDomain;
-                $domainList[$domainName] = true;
-
-                // Check for wildcard or base domain conflict
-                if (str_starts_with($domainName, '*.')) {
-                    $baseDomain = substr($domainName, 2);
-                    if (isset($domainList[$baseDomain])) {
-                        $key = $domain->__reference; // Dynamic key based on domain reference
-                        $messages->appendMessage(new Message(
-                            "Invalid domain configuration: Cannot create wildcard domain '$domainName' because base domain '$baseDomain' exists.",
-                            $key . ".FromDomain", // Use dynamic key for message referencing
-                            "WildcardBaseConflict"
-                        ));
-                    }
-                } else {
-                    $wildcardDomain = '*.' . $domainName;
-                    if (isset($domainList[$wildcardDomain])) {
-                        $key = $domain->__reference; // Dynamic key based on domain reference
-                        $messages->appendMessage(new Message(
-                            "Invalid domain configuration: Cannot create base domain '$domainName' because wildcard domain '$wildcardDomain' exists.",
-                            $key . ".FromDomain", // Use dynamic key for message referencing
-                            "BaseWildcardConflict"
-                        ));
-                    }
-                }
-            }
-        }
-    }
-
     // Perform the actual validation
     public function performValidation($validateFullModel = false)
     {
@@ -152,8 +117,6 @@ public function performValidation($validateFullModel = false)
         $this->checkForUniquePortCombos($this->reverseproxy->subdomain->iterateItems(), $messages, 'subdomain');
         // 3. Check that subdomains are under a wildcard or exact domain
         $this->checkSubdomainsAgainstDomains($this->reverseproxy->subdomain->iterateItems(), $this->reverseproxy->reverse->iterateItems(), $messages);
-        // 4. Check for conflicts between wildcard and base domains
-        $this->checkForWildcardAndBaseDomainConflicts($this->reverseproxy->reverse->iterateItems(), $messages);
 
         return $messages;
     }

From cca59e7e4ac1611030473d75c5f07e3b1042f0f8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Apr 2024 16:54:23 +0200
Subject: [PATCH 1850/3088] plugins: style sweep

---
 .../OPNsense/Quagga/Api/StaticController.php        | 13 +++++++------
 .../OPNsense/Quagga/StaticController.php            |  1 +
 .../mvc/app/models/OPNsense/Quagga/STATICd.php      |  2 ++
 .../mvc/app/models/OPNsense/Relayd/Relayd.php       |  6 +++---
 www/OPNProxy/pkg-descr                              |  1 -
 www/caddy/pkg-descr                                 |  2 +-
 .../OPNsense/Caddy/Api/ReverseProxyController.php   | 12 ++++++------
 .../OPNsense/Caddy/Api/ServiceController.php        |  2 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml         |  4 ++--
 .../service/templates/OPNsense/Caddy/Caddyfile      | 12 ++++++------
 10 files changed, 29 insertions(+), 26 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/StaticController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/StaticController.php
index 802d279834..9a616cdb5f 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/StaticController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/StaticController.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  *    Copyright (C) 2024 Deciso B.V.
  *    Copyright (C) 2024 Mike Shuey
@@ -39,31 +40,31 @@ class StaticController extends ApiMutableModelControllerBase
 
     public function searchRouteAction()
     {
-	    return $this->searchBase('routes.route');
+        return $this->searchBase('routes.route');
     }
 
     public function getRouteAction($uuid = null)
     {
-	    return $this->getBase('route', 'routes.route', $uuid);
+        return $this->getBase('route', 'routes.route', $uuid);
     }
 
     public function setRouteAction($uuid)
     {
-	    return $this->setBase('route', 'routes.route', $uuid);
+        return $this->setBase('route', 'routes.route', $uuid);
     }
 
     public function addRouteAction()
     {
-	    return $this->addBase('route', 'routes.route');
+        return $this->addBase('route', 'routes.route');
     }
 
     public function delRouteAction($uuid)
     {
-	    return $this->delBase('routes.route', $uuid);
+        return $this->delBase('routes.route', $uuid);
     }
 
     public function toggleRouteAction($uuid)
     {
-	    return $this->toggleBase('routes.route', $uuid);
+        return $this->toggleBase('routes.route', $uuid);
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
index 5798e168e5..a6888d4693 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  *    Copyright (C) 2024 Deciso B.V.
  *    Copyright (C) 2024 Mike Shuey
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
index b365c62f04..c336b3ad22 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  *    Copyright (C) 2024 Deciso B.V.
  *    Copyright (C) 2024 Mike Shuey
@@ -27,6 +28,7 @@
  *    POSSIBILITY OF SUCH DAMAGE.
  *
  */
+
 namespace OPNsense\Quagga;
 
 use OPNsense\Base\Messages\Message;
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
index 37e495b0f5..f9d33c6254 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.php
@@ -129,21 +129,21 @@ public function performValidation($validateFullModel = false)
                     case 'send':
                         if (empty((string)$node->expect)) {
                             $messages->appendMessage(
-                                new Message(gettext('Expect Pattern cannot be empty.'),  $key . ".expect")
+                                new Message(gettext('Expect Pattern cannot be empty.'), $key . ".expect")
                             );
                         }
                         break;
                     case 'script':
                         if (empty((string)$node->path)) {
                             $messages->appendMessage(
-                                new Message(gettext('Script path cannot be empty.'),  $key . ".path")
+                                new Message(gettext('Script path cannot be empty.'), $key . ".path")
                             );
                         }
                         break;
                     case 'http':
                         if (empty((string)$node->path)) {
                             $messages->appendMessage(
-                                new Message(gettext('Path cannot be empty.'),  $key . ".path")
+                                new Message(gettext('Path cannot be empty.'), $key . ".path")
                             );
                         }
                         if (empty((string)$node->code) && empty((string)$node->digest)) {
diff --git a/www/OPNProxy/pkg-descr b/www/OPNProxy/pkg-descr
index c731c51c9f..c5033a435d 100644
--- a/www/OPNProxy/pkg-descr
+++ b/www/OPNProxy/pkg-descr
@@ -7,4 +7,3 @@ OPNsense proxy additions to support more fine grained access management
 1.0.4:
 
 * Remove ident support as by default it is denied anyway nowadays
-
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index c3c9030dca..e59ec80758 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -34,7 +34,7 @@ Plugin Changelog
 * Add: HTTP response code and HTTP response message can be set per access list in advanced mode.
 * Add: Header functionality added. Multiple header manipulations can be set per handler.
 * Cleanup: Update searchBase() in ReverseProxyController.php for easier maintainability.
-* Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS. 
+* Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS.
 * Add: Simple Load Balancing support with the default random policy, by allowing to add multiple Upstream Domains in Handlers.
 * Add: Passive Health check for load balancing (Upstream Fail Duration) in Handlers.
 * Fix: Input validation so a base domain like "example.com" and a wildcard domain like "*.example.com" can now be created at the same time in domains.
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 140330a06b..4dcd01ce6d 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -41,7 +41,7 @@ class ReverseProxyController extends ApiMutableModelControllerBase
 
     /*ReverseProxy Section*/
 
-    public function searchReverseProxyAction($add_empty='0')
+    public function searchReverseProxyAction($add_empty = '0')
     {
         return $this->searchBase("reverseproxy.reverse", null, 'description');
     }
@@ -74,7 +74,7 @@ public function toggleReverseProxyAction($uuid, $enabled = null)
 
     /*Subdomain Section*/
 
-    public function searchSubdomainAction($add_empty='0')
+    public function searchSubdomainAction($add_empty = '0')
     {
         return $this->searchBase("reverseproxy.subdomain", null, 'description');
     }
@@ -107,7 +107,7 @@ public function toggleSubdomainAction($uuid, $enabled = null)
 
     /*Handler Section*/
 
-    public function searchHandleAction($add_empty='0')
+    public function searchHandleAction($add_empty = '0')
     {
         return $this->searchBase("reverseproxy.handle", null, 'description');
     }
@@ -140,7 +140,7 @@ public function toggleHandleAction($uuid, $enabled = null)
 
     /* AccessList Section */
 
-    public function searchAccessListAction($add_empty='0')
+    public function searchAccessListAction($add_empty = '0')
     {
         return $this->searchBase("reverseproxy.accesslist", null, 'description');
     }
@@ -168,7 +168,7 @@ public function delAccessListAction($uuid)
 
     /* BasicAuth Section */
 
-    public function searchBasicAuthAction($add_empty='0')
+    public function searchBasicAuthAction($add_empty = '0')
     {
         return $this->searchBase("reverseproxy.basicauth", null, 'description');
     }
@@ -216,7 +216,7 @@ public function delBasicAuthAction($uuid)
 
     /* Header Section */
 
-    public function searchHeaderAction($add_empty='0')
+    public function searchHeaderAction($add_empty = '0')
     {
         return $this->searchBase("reverseproxy.header", null, 'description');
     }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
index f719a74d9b..e522dc52dd 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
@@ -46,7 +46,7 @@ protected function reconfigureForceRestart()
         // Caddy can use a reload action instead
         return 0;
     }
-    
+
     public function validateAction()
     {
         $backend = new Backend();
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index acfc075d9e..843e60d75d 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -60,7 +60,7 @@
                         <source>OPNsense.Caddy.Caddy</source>
                         <items>reverseproxy.accesslist</items>
                         <display>accesslistName,description</display>
-                        <display_format>%s - %s</display_format> 
+                        <display_format>%s - %s</display_format>
                     </reverseproxy>
                 </Model>
             </accesslist>
@@ -124,7 +124,7 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.accesslist</items>
                             <display>accesslistName,description</display>
-                            <display_format>%s - %s</display_format> 
+                            <display_format>%s - %s</display_format>
                         </reverseproxy>
                     </Model>
                 </accesslist>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 178c3ea781..2e7e7f37e1 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -85,7 +85,7 @@
 
     {#
     #   Section: Dynamic DNS Global Configuration
-    #   Purpose: Sets up global configuration for Dynamic DNS. Caddy needs to be compiled with 
+    #   Purpose: Sets up global configuration for Dynamic DNS. Caddy needs to be compiled with
     #            https://github.com/mholt/caddy-dynamicdns and https://github.com/caddy-dns. Otherwise the
     #            generated Caddyfile won't run. Each DNS Provider that is added below has to be compiled in.
     #            Some Providers don't support setting A and AAAA-Records, like acmedns.
@@ -284,7 +284,7 @@
 
 {#
 #   Section: HTTP-01 Challenge Redirection
-#   Purpose: A small premade reverse_proxy section 
+#   Purpose: A small premade reverse_proxy section
 #            that can redirect the HTTP-01 challenge to a different webserver.
 #}
 {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
@@ -442,7 +442,7 @@
 
 {#
 #   Macro: header_manipulation
-#   Purpose: Customizes HTTP headers for requests or responses; to add, remove, or modify headers. 
+#   Purpose: Customizes HTTP headers for requests or responses; to add, remove, or modify headers.
 #            It uses a 'handle' object that specifies which headers to manipulate based on their @UUIDs.
 #            Each handle can have multiple of these HTTP headers assigned.
 #   Parameters:
@@ -574,7 +574,7 @@
 #   Macro: basicauth_configuration
 #   Purpose: Implements basic authentication with a username and password for access.
 #   Parameters:
-#   @param basicauth_uuids (@string): A comma-separated list of UUIDs, each UUID corresponding to 
+#   @param basicauth_uuids (@string): A comma-separated list of UUIDs, each UUID corresponding to
 #                                     a specific user credentials (username and password).
 #       - @uuid (@string)
 #       - basicauthuser (@string): The username required for authentication.
@@ -595,7 +595,7 @@
 
 {#
 #   Section: Reverse Proxy Configurations
-#   Purpose: Assembles reverse proxy configurations using predefined macros. 
+#   Purpose: Assembles reverse proxy configurations using predefined macros.
 #            This is the main logic of the whole template, handle with care.
 #   Macros Used:
 #   - tls_configuration
@@ -603,7 +603,7 @@
 #   - access_list_configuration
 #   - reverse_proxy_configuration
 #   - indirect: header_manipulation
-#   Important Details: 
+#   Important Details:
 #   - Order of Path specific Handles - Prioritizes order of specific path handles over catch-all handles.
 #   - Order of Wildcard Domains and Subdomains: Handles for wildcard domains come after all subdomains.
 #}

From aa1994d4c92378ada61969796817122dd8f35ba6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 17 Apr 2024 13:23:18 +0200
Subject: [PATCH 1851/3088] www/caddy: release as intitial 1.5.4

The devlopment version was also at 1.5.3 in 24.1.5.
---
 www/caddy/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 208aef7c0d..a2694d60aa 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.5.4
-PLUGIN_REVISION=        1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com

From aa92218d6ad59092bf405e07c28146f9ac7ffe96 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 17 Apr 2024 13:27:57 +0200
Subject: [PATCH 1852/3088] net/frr: bump for recent changes

changelog is a bit over the place, but looking into this with the next
frr release
---
 net/frr/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index dc4543e128..cfcb6bb7e8 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.39
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From e7602ec2ad5a0af568526aa9ada142afb19a6ef2 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 17 Apr 2024 16:58:59 +0200
Subject: [PATCH 1853/3088] net/relayd - limit virtual server names to 31
 characters, closes https://github.com/opnsense/plugins/issues/3916

---
 net/relayd/Makefile                                         | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 6a3a1aba62..2730625558 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.8
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index 56baf5eed7..59e4e82365 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -1,6 +1,6 @@
 <model>
    <mount>//OPNsense/relayd</mount>
-   <version>1.0.5</version>
+   <version>1.0.6</version>
    <description>Relayd settings</description>
    <items>
       <general>
@@ -145,8 +145,8 @@
       <virtualserver type="ArrayField">
          <name type="TextField">
             <Required>Y</Required>
-            <mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</mask>
-            <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+            <mask>/^([0-9a-zA-Z\._\- ]){1,31}$/u</mask>
+            <ValidationMessage>Should be a string between 1 and 31 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
             <Constraints>
                 <check001>
                     <ValidationMessage>Virtual server names should be unique.</ValidationMessage>

From 1897803d1f8820cde8af05ec261c14e3f411f9bd Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 22 Apr 2024 08:28:43 +0200
Subject: [PATCH 1854/3088] www/caddy: Create Migration script that fixes issue
 with Caddy not being able to start. (Regression in 1.5.4) (#3931)

* Create M1_1_7.php

This migration script empties out "on" and "none" options that were replaced with empty values by this pull request. It fixes the regression that Caddy will refuse to start because invalid values for AutoHttps and DnsProvider will remain stored in the config without a manual config change from the user.

Compare to: https://github.com/opnsense/plugins/commit/a628ebfc0682c0f27ec59b6a605dbeff8bd52765

Issue was tracked multiple times:
https://forum.opnsense.org/index.php?topic=40075.0
https://github.com/opnsense/plugins/pull/3930
https://github.com/opnsense/plugins/issues/3917#issuecomment-2064230068

* Bump Migration script and Model version to 1.1.8
---
 www/caddy/Makefile                            |  1 +
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  2 +-
 .../OPNsense/Caddy/Migrations/M1_1_8.php      | 71 +++++++++++++++++++
 3 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index a2694d60aa..2623a74790 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.5.4
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 843e60d75d..af002c9ead 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.1.7</version>
+    <version>1.1.8</version>
     <items>
         <general>
             <enabled type="BooleanField">
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php
new file mode 100644
index 0000000000..0687d49abc
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php
@@ -0,0 +1,71 @@
+<?php
+
+/*
+ *    Copyright (C) 2024 Cedrik Pischem
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Caddy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Config;
+
+class M1_1_8 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        // Load the current system configuration
+        $config = Config::getInstance()->object();
+
+        // Read and migrate TlsAutoHttps setting if necessary
+        if (!empty($config->Pischem->caddy->general->TlsAutoHttps)) {
+            $tlsAutoHttpsValue = (string)$config->Pischem->caddy->general->TlsAutoHttps;
+            // Check if the current value is 'on' and needs to be migrated
+            if ($tlsAutoHttpsValue === 'on') {
+                // Locate the corresponding node in the model
+                $modelNode = $model->getNodeByReference('general.TlsAutoHttps');
+                if ($modelNode != null) {
+                    // Set to empty value in the model, migration from 'on' to ''
+                    $modelNode->setValue('');
+                }
+            }
+        }
+
+        // Read and migrate TlsDnsProvider setting if necessary
+        if (!empty($config->Pischem->caddy->general->TlsDnsProvider)) {
+            $tlsDnsProviderValue = (string)$config->Pischem->caddy->general->TlsDnsProvider;
+            // Check if the current value is 'none' and needs to be migrated
+            if ($tlsDnsProviderValue === 'none') {
+                // Locate the corresponding node in the model
+                $modelNode = $model->getNodeByReference('general.TlsDnsProvider');
+                if ($modelNode != null) {
+                    // Set to empty value in the model, migration from 'none' to ''
+                    $modelNode->setValue('');
+                }
+            }
+        }
+
+        // Model is saved by 'run_migrations.php'
+    }
+}

From 4a39ea0d0c284df16a9234321ccaecb05584077d Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 22 Apr 2024 09:39:35 +0200
Subject: [PATCH 1855/3088] www/caddy: Change display of domain and port
 combination in Model Relation Field (#3927)

* Update Caddy.xml - Replace ":" with "." in Model Relation Field.

Since a stray ":" when leaving the port empty could cause confusion, I have opted to replace it with a "."

This adheres to the standard of FQDNs ending with a "DOT" at the end (RFC 1034). Note: This changes only what is displayed, not the stored data itself.

This change makes an empty port in the GUI look like this:

example.com.

And with a port, like this:

example.com.443

(Compare to: https://github.com/opnsense/plugins/issues/3917#issuecomment-2064230068 )

* Update Makefile - Bump revision to 1

* Actually just use a space, that one causes the least confusion.

* Update www/caddy/Makefile

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index af002c9ead..1aa9308fc5 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -163,7 +163,7 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.reverse</items>
                             <display>FromDomain,FromPort</display>
-                            <display_format>%s:%s</display_format>
+                            <display_format>%s %s</display_format>
                         </reverseproxy>
                     </Model>
                 </reverse>
@@ -215,7 +215,7 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.reverse</items>
                             <display>FromDomain,FromPort</display>
-                            <display_format>%s:%s</display_format>
+                            <display_format>%s %s</display_format>
                         </reverseproxy>
                     </Model>
                 </reverse>
@@ -225,7 +225,7 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.subdomain</items>
                             <display>FromDomain,FromPort</display>
-                            <display_format>%s:%s</display_format>
+                            <display_format>%s %s</display_format>
                         </reverseproxy>
                     </Model>
                 </subdomain>

From 750465b75b0ee4e25db357ebf2dbf8c7a3d595e6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 22 Apr 2024 10:55:03 +0200
Subject: [PATCH 1856/3088] net-mgmt/zabbix-proxy: fix syntax error, closes
 #3921 (#3932)

Regression was introduced in 26e6379874d56190e409c07c37cb12a58679c1ff.
---
 net-mgmt/zabbix-proxy/Makefile                                  | 1 +
 .../service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index c86a78b96b..4d3916f3cc 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.10
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix6 zabbix64 zabbix5
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index 23d9f5cb3c..80373b0e1e 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -34,7 +34,7 @@ LogFile=/var/log/zabbix/zabbix_proxy.log
 LogFileSize={{OPNsense.zabbixproxy.general.logFileSize}}
 {% endif %}
 {% endif %}
-{% if helpers.exists('OPNsense.zabbixproxy.general.debugLevel')
+{% if helpers.exists('OPNsense.zabbixproxy.general.debugLevel') %}
 DebugLevel={{OPNsense.zabbixproxy.general.debugLevel|replace("val_", "")}}
 {% endif %}
 PidFile=/var/run/zabbix/zabbix_proxy.pid

From 37429a46d2220cadff096f7d2b75e6dee39278ca Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Apr 2024 09:23:48 +0200
Subject: [PATCH 1857/3088] net/relayd: make new version

---
 net/relayd/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 2730625558..bb65570d65 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		relayd
-PLUGIN_VERSION=		2.8
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		2.9
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From ee0f83169a519c35780b0ae13cd2d911c31aeccb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 24 Apr 2024 09:26:20 +0200
Subject: [PATCH 1858/3088] security/openconnect: fiddle with wording

---
 security/openconnect/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/openconnect/pkg-descr b/security/openconnect/pkg-descr
index 57081e80df..974ae1c81e 100644
--- a/security/openconnect/pkg-descr
+++ b/security/openconnect/pkg-descr
@@ -8,7 +8,7 @@ Plugin Changelog
 
 1.4.6
 
-* add allowinsecure
+* Add otion to allow insecure ciphers
 
 1.4.5
 

From 666662ff91d6a81ea6f1d6454bef951beb4a3a4c Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 26 Apr 2024 08:49:52 +0200
Subject: [PATCH 1859/3088] net-mgmt/telegraf (#3777)

---
 net-mgmt/telegraf/Makefile                    |  2 +-
 net-mgmt/telegraf/pkg-descr                   |  4 +++
 .../OPNsense/Telegraf/forms/output.xml        | 34 +++++++++++++++++++
 .../app/models/OPNsense/Telegraf/Output.xml   | 23 +++++++++++++
 .../templates/OPNsense/Telegraf/telegraf.conf | 18 ++++++++++
 5 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index c9cc2cfb21..bfd8b96006 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.10
+PLUGIN_VERSION=		1.12.11
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 2d83a444a1..33d82d4b0c 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.11
+
+* Add OpenTelemetry output
+
 1.12.10
 
 * Fix MQTT output and additional UI cleanup (contributed by Pierre Christen)
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 4f085287fb..056f64a929 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -327,4 +327,38 @@
         <type>dropdown</type>
         <help>Data format to output. Defaults to "influx".</help>
     </field>
+    <field>
+        <label>OpenTelemetry</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>output.opentelemetry_enable</id>
+        <label>Enable OpenTelemetry Output</label>
+        <type>checkbox</type>
+        <help>This will enable OpenTelemetry as output.</help>
+    </field>
+    <field>
+        <id>output.opentelemetry_server</id>
+        <label>OpenTelemetry Server</label>
+        <type>text</type>
+        <help>Set the IP and port where metrics shoud be sent to, e.g. 192.168.0.1:4317.</help>
+    </field>
+    <field>
+        <id>output.opentelemetry_compression</id>
+        <label>Compression</label>
+        <type>dropdown</type>
+        <help>Set the compression mode.</help>
+    </field>
+    <field>
+        <id>output.opentelemetry_timeout</id>
+        <label>Timeout</label>
+        <type>text</type>
+        <help>Write timeout, formatted as a string. If not provided, will default to 5s. 0s means no timeout (not recommended).</help>
+    </field>
+    <field>
+        <id>output.opentelemetry_insecure_skip_verify</id>
+        <label>Disable TLS verification</label>
+        <type>checkbox</type>
+        <help>This will skip chain and host verification.</help>
+    </field>
 </form>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 634145ed9a..63ac311e58 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -224,5 +224,28 @@
                 <wavefront>Wavefront</wavefront>
             </OptionValues>
         </mqtt_data_format>
+        <opentelemetry_enable type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </opentelemetry_enable>
+        <opentelemetry_server type="TextField">
+            <Required>N</Required>
+        </opentelemetry_server>
+        <opentelemetry_insecure_skip_verify type="BooleanField">
+            <default>0</default>
+            <Required>N</Required>
+        </opentelemetry_insecure_skip_verify>
+        <opentelemetry_timeout type="IntegerField">
+            <default>5</default>
+            <Required>N</Required>
+        </opentelemetry_timeout>
+        <opentelemetry_compression type="OptionField">
+            <default>gzip</default>
+            <Required>Y</Required>
+            <OptionValues>
+                <gzip>gzip</gzip>
+                <none>none</none>
+            </OptionValues>
+        </opentelemetry_compression>
     </items>
 </model>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index a0ac2ca8be..fd5012ae54 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -137,6 +137,24 @@
 {%   endif %}
 {% endif %}
 
+{% if helpers.exists('OPNsense.telegraf.output.opentelemetry_enable') and OPNsense.telegraf.output.opentelemetry_enable == '1' %}
+[[outputs.opentelemetry]]
+{%   if helpers.exists('OPNsense.telegraf.output.opentelemetry_server') and OPNsense.telegraf.output.opentelemetry_server != '' %}
+  service_address = {{ OPNsense.telegraf.output.opentelemetry_server }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.opentelemetry_timeout') and OPNsense.telegraf.output.opentelemetry_timeout != '' %}
+  timeout = "{{ OPNsense.telegraf.output.opentelemetry_timeout }}s"
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.opentelemetry_insecure_skip_verify') and OPNsense.telegraf.output.opentelemetry_insecure_skip_verify == '1' %}
+  insecure_skip_verify = true
+{%   else %}
+  insecure_skip_verify = false
+{%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.opentelemetry_compression') and OPNsense.telegraf.output.opentelemetry_compression != '' %}
+  compression = "{{ OPNsense.telegraf.output.opentelemetry_compression }}"
+{%   endif %}
+{% endif %}
+
 {% if helpers.exists('OPNsense.telegraf.output.graphite_enable') and OPNsense.telegraf.output.graphite_enable == '1' %}
 [[outputs.graphite]]
 {%   if helpers.exists('OPNsense.telegraf.output.graphite_server') and OPNsense.telegraf.output.graphite_server != '' %}

From 3a559f91f2d0a094531eda8e3ec6e1814ba1a7ac Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 26 Apr 2024 08:50:40 +0200
Subject: [PATCH 1860/3088] Update caddy_control.py (#3944)

Forces the reload even if the config in the Caddyfile is unchanged, using an extra command of the rc.d script, forcing certificates in the filesystem to reload.

Fixes: {"info","ts":"2024-04-26T06:13:06Z","msg":"config is unchanged"}

Otherwise, if the config is unchanged, and the certificates are replaced, the names of the certificates in the Caddyfile stay the same, thus implying the config has been unchanged.
---
 www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
index 6598926dc1..c698d82441 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
@@ -67,7 +67,7 @@ def run_service_command(action, action_message):
     "start": "start",
     "stop": "stop",
     "restart": "restart",
-    "reload": "reload",
+    "reload": "reloadssl", # Forces the reload even if the config in the Caddyfile is unchanged, using an extra command of the rc.d script, forcing certificates in the filesystem to reload.
     "validate": "validate"  # Validate action
 }
 

From de94c644f3677d2775d55e990f11c10c0a9a97ab Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 26 Apr 2024 08:56:16 +0200
Subject: [PATCH 1861/3088] www/caddy: v1.5.5 changelog (#3938)

---
 www/caddy/Makefile  | 3 +--
 www/caddy/pkg-descr | 7 +++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 2623a74790..45d38b923d 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.5.4
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.5.5
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index e59ec80758..6c742f4f5b 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -26,6 +26,13 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.5.5
+
+* Fix: "Apply" could hang when websockets are in use by clients. A grace period of 10s has been added in General Settings that forces to close all connections on config changes.
+* Add: In Reverse Proxy, a new dropdown can select one or multiple domains, filtering the Bootgrids of Domains, Subdomains and Handlers for the selected Domain.
+* Add: Global Log Level can be set in Log Settings.
+* Fix: "Apply" will always read all certificates from the filesystem, even if the Caddy configuration has remained unchanged. "reload" has been changed to "reloadssl".
+
 1.5.4
 
 * Fix: When pressing Apply, the Caddy service will be reloaded instead of restarted. This fixes long restart times and service interruptions.

From 8ec93bd7c972a062a28ffcfe2026233bee210d90 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 26 Apr 2024 09:09:53 +0200
Subject: [PATCH 1862/3088] www/caddy: Select global log level (#3941)

---
 .../controllers/OPNsense/Caddy/forms/logsettings.xml   |  6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml   | 10 ++++++++++
 .../service/templates/OPNsense/Caddy/Caddyfile         |  3 +++
 3 files changed, 19 insertions(+)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
index 022ce6ca01..44f616f042 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
@@ -1,4 +1,10 @@
 <form>
+    <field>
+        <id>caddy.general.LogLevel</id>
+        <label>Log Level</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select the minimum global Log Level. "INFO" is the default and shouldn't be changed without a reason, since that level displays the ACME Client messages for automatic certificates. This setting doesn't influence the HTTP Access logs, they're always using INFO, which is their lowest supported Log Level.]]></help>
+    </field>
     <field>
         <id>caddy.general.LogCredentials</id>
         <label>Log Credentials</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 1aa9308fc5..b311f9556d 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -73,6 +73,16 @@
                 <ValidationMessage>Please enter a valid number of 1 or larger.</ValidationMessage>
                 <Required>Y</Required>
             </LogAccessPlainKeep>
+            <LogLevel type="OptionField">
+                <BlankDesc>INFO</BlankDesc>
+                <OptionValues>
+                    <DEBUG>DEBUG</DEBUG>
+                    <WARN>WARN</WARN>
+                    <ERROR>ERROR</ERROR>
+                    <PANIC>PANIC</PANIC>
+                    <FATAL>FATAL</FATAL>
+                </OptionValues>
+            </LogLevel>
             <DynDnsSimpleHttp type="UrlField">
                 <ValidationMessage>Please enter a valid URL, starting with http or https.</ValidationMessage>
             </DynDnsSimpleHttp>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 2e7e7f37e1..81b2a19cf3 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -48,6 +48,9 @@
         format json {
             time_format rfc3339
         }
+        {% if generalSettings.LogLevel %}
+        level {{ generalSettings.LogLevel }}
+        {% endif %}
     }
 
     {#

From 2ec0eef44012151aa88b02c859803694eca09387 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 26 Apr 2024 09:41:17 +0200
Subject: [PATCH 1863/3088] www/caddy: Selectpicker that can filter the Domain,
 Subdomain and Handlers by selected Domain (#3937)

* Update reverse_proxy.volt

Add a first version of a filter functionality by domain. In this version, only handlers are filtered by domain.

A selectpicker with multi selection can choose domains, and the filter function compares these UUIDs to the UUIDs of the "reverse" UUIDs of the model relation fields. Either all domains are shown, or only elements where the UUIDs match.

* Update ReverseProxyController.php

A new api endpoint for the domain search selectpicker has been created. It returns the ID and a Domain+Port combination.

The search function for the Handler now returns all fields if no filter has been set, or only the referenced UUIDs when a filter has been set.

* Update ReverseProxyController.php - Add search function to subdomains

* Update reverse_proxy.volt - Reference Search Filter in Handlers, Domains and Subdomains

* Update ReverseProxyController.php - Add the search function to domains

* Update ReverseProxyController.php

A little bit of cleanup. $add_empty was unused so it's removed.

* Update reverse_proxy.volt - Changed margin to align selectpicker with other options.

* Small margin fix to align Selectpicker with other options

* Update reverse_proxy.volt - Restrict style to the ID of only the affected selectpicker
---
 .../Caddy/Api/ReverseProxyController.php      | 85 +++++++++++++++---
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 89 +++++++++++++++++++
 2 files changed, 163 insertions(+), 11 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 4dcd01ce6d..eb94b82e0c 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -41,9 +41,22 @@ class ReverseProxyController extends ApiMutableModelControllerBase
 
     /*ReverseProxy Section*/
 
-    public function searchReverseProxyAction($add_empty = '0')
+    /*Search Function adjusted for the search filter dropdown*/
+    public function searchReverseProxyAction()
     {
-        return $this->searchBase("reverseproxy.reverse", null, 'description');
+        // Get a comma-separated list of UUIDs from the request
+        $reverseUuids = $this->request->get('reverseUuids');
+        $uuidArray = !empty($reverseUuids) ? explode(',', $reverseUuids) : [];
+
+        // Define the filter function to handle multiple UUIDs
+        $filterFunction = function ($modelItem) use ($uuidArray) {
+            $itemUuid = (string)$modelItem->getAttributes()['uuid'];
+            // Include the item if no UUIDs are provided (empty array) or if it's in the array of UUIDs
+            return empty($uuidArray) || in_array($itemUuid, $uuidArray, true);
+        };
+
+        // Return the search results filtered by the provided UUIDs, if any
+        return $this->searchBase("reverseproxy.reverse", null, 'description', $filterFunction);
     }
 
     public function setReverseProxyAction($uuid)
@@ -70,13 +83,48 @@ public function toggleReverseProxyAction($uuid, $enabled = null)
     {
         return $this->toggleBase("reverseproxy.reverse", $uuid, $enabled);
     }
+ 
+    /*Function for the search filter dropdown in the bootgrid*/
+    public function getAllReverseDomainsAction()
+    {
+        $this->sessionClose(); // Close session early for performance
+        $result = array("rows" => array());
+
+        $mdlCaddy = new \OPNsense\Caddy\Caddy();
+        $reverseNodes = $mdlCaddy->reverseproxy->reverse->iterateItems();
+
+        foreach ($reverseNodes as $item) {
+            if (!empty($item->FromDomain)) {
+                // Conditionally concatenate port if it exists
+                $domain = (string)$item->FromDomain;
+                $port = (string)$item->FromPort;
+                $combinedDomainPort = $domain . (!empty($port) ? ':' . $port : '');
+
+                $result['rows'][] = array(
+                    'id' => (string)$item->getAttributes()['uuid'],
+                    'domainPort' => $combinedDomainPort  // Combined domain and port, conditionally adding port
+                );
+            }
+        }
+
+        return $result;
+    }
 
 
     /*Subdomain Section*/
 
-    public function searchSubdomainAction($add_empty = '0')
+    /*Search Function adjusted for the search filter dropdown*/
+    public function searchSubdomainAction()
     {
-        return $this->searchBase("reverseproxy.subdomain", null, 'description');
+        $reverseUuids = $this->request->get('reverseUuids');
+        $uuidArray = !empty($reverseUuids) ? explode(',', $reverseUuids) : [];
+
+        $filterFunction = function ($modelItem) use ($uuidArray) {
+            // Filtering on domain UUIDs referenced by subdomains
+            return empty($uuidArray) || in_array((string)$modelItem->reverse, $uuidArray, true);
+        };
+
+        return $this->searchBase("reverseproxy.subdomain", null, 'description', $filterFunction);
     }
 
     public function setSubdomainAction($uuid)
@@ -106,10 +154,25 @@ public function toggleSubdomainAction($uuid, $enabled = null)
 
 
     /*Handler Section*/
-
-    public function searchHandleAction($add_empty = '0')
-    {
-        return $this->searchBase("reverseproxy.handle", null, 'description');
+    
+    /*Search Function adjusted for the search filter dropdown*/
+    public function searchHandleAction()
+    {
+        $reverseUuids = $this->request->get('reverseUuids');
+        $uuidArray = explode(',', $reverseUuids);
+
+        if (empty($reverseUuids)) {
+            // If no UUIDs are provided, do not apply any filter, return all records
+            return $this->searchBase("reverseproxy.handle", null, 'description');
+        } else {
+            // Apply the filter only if UUIDs are provided
+            $filterFunction = function ($modelItem) use ($uuidArray) {
+                $modelUUID = (string)$modelItem->reverse;
+                return in_array($modelUUID, $uuidArray, true);
+            };
+
+            return $this->searchBase("reverseproxy.handle", null, 'description', $filterFunction);
+        }
     }
 
     public function setHandleAction($uuid)
@@ -140,7 +203,7 @@ public function toggleHandleAction($uuid, $enabled = null)
 
     /* AccessList Section */
 
-    public function searchAccessListAction($add_empty = '0')
+    public function searchAccessListAction()
     {
         return $this->searchBase("reverseproxy.accesslist", null, 'description');
     }
@@ -168,7 +231,7 @@ public function delAccessListAction($uuid)
 
     /* BasicAuth Section */
 
-    public function searchBasicAuthAction($add_empty = '0')
+    public function searchBasicAuthAction()
     {
         return $this->searchBase("reverseproxy.basicauth", null, 'description');
     }
@@ -216,7 +279,7 @@ public function delBasicAuthAction($uuid)
 
     /* Header Section */
 
-    public function searchHeaderAction($add_empty = '0')
+    public function searchHeaderAction()
     {
         return $this->searchBase("reverseproxy.header", null, 'description');
     }
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 5d9ebc4069..ed93146a1c 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -26,6 +26,17 @@
 
 <script>
     $(document).ready(function() {
+    
+        // Function to handle the search filter request modification
+        function addDomainFilterToRequest(request) {
+            var selectedDomains = $('#reverseFilter').val();
+            if (selectedDomains && selectedDomains.length > 0) {
+                request['reverseUuids'] = selectedDomains.join(',');
+            }
+            return request;
+        }
+    
+        // Bootgrid Setup
         $("#reverseProxyGrid").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchReverseProxy/',
             get:'/api/caddy/ReverseProxy/getReverseProxy/',
@@ -33,6 +44,9 @@
             add:'/api/caddy/ReverseProxy/addReverseProxy/',
             del:'/api/caddy/ReverseProxy/delReverseProxy/',
             toggle:'/api/caddy/ReverseProxy/toggleReverseProxy/',
+            options: {
+                requestHandler: addDomainFilterToRequest
+            }
         });
 
         $("#reverseSubdomainGrid").UIBootgrid({
@@ -42,6 +56,9 @@
             add:'/api/caddy/ReverseProxy/addSubdomain/',
             del:'/api/caddy/ReverseProxy/delSubdomain/',
             toggle:'/api/caddy/ReverseProxy/toggleSubdomain/',
+            options: {
+                requestHandler: addDomainFilterToRequest
+            }
         });
 
         $("#reverseHandleGrid").UIBootgrid({
@@ -51,6 +68,9 @@
             add:'/api/caddy/ReverseProxy/addHandle/',
             del:'/api/caddy/ReverseProxy/delHandle/',
             toggle:'/api/caddy/ReverseProxy/toggleHandle/',
+            options: {
+                requestHandler: addDomainFilterToRequest
+            }
         });
 
         $("#accessListGrid").UIBootgrid({
@@ -143,10 +163,72 @@
 
         // Initialize the service control UI for 'caddy'
         updateServiceControlUI('caddy');
+        
+        // Filter function for domains
+        function loadDomainFilters() {
+            $.ajax({
+                url: '/api/caddy/ReverseProxy/getAllReverseDomains', // custom API endpoint to get uuid and domainport combinations
+                type: 'GET',
+                dataType: 'json',
+                success: function(data) {
+                    var select = $('#reverseFilter');
+                    select.empty(); // Clear current options
+                    if (data && data.rows) {
+                        data.rows.forEach(function(item) {
+                            select.append($('<option>').val(item.id).text(item.domainPort));
+                        });
+                    }
+                    select.selectpicker('refresh'); // Refresh selectpicker to update the UI
+                },
+                error: function() {
+                    $('#reverseFilter').html('<option value="">Failed to load data</option>').selectpicker('refresh');
+                }
+            });
+        }
+        loadDomainFilters();
+        
+        // Reload Bootgrid on filter change
+        $('#reverseFilter').on('changed.bs.select', function() {
+            $("#reverseProxyGrid").bootgrid("reload");
+            $("#reverseSubdomainGrid").bootgrid("reload");
+            $("#reverseHandleGrid").bootgrid("reload");
+        });
+        
+        // Control the visibility of selectpicker for filter by domain
+        function toggleSelectPicker(tab) {
+            if (tab === 'handlesTab' || tab === 'domainsTab') {
+                $('.common-filter').show();
+            } else {
+                $('.common-filter').hide();
+            }
+        }
+
+        // Initialize visibility based on the active tab on page load
+        var activeTab = $('#maintabs .active a').attr('href').replace('#', '');
+        toggleSelectPicker(activeTab);
+
+        // Change event when switching tabs
+        $('#maintabs a').on('click', function (e) {
+            var currentTab = $(this).attr('href').replace('#', '');
+            toggleSelectPicker(currentTab);
+        });
 
     });
 </script>
 
+<style>
+    .common-filter {
+        text-align: right;
+        margin-top: 20px;
+        margin-right: 5px;
+        padding: 0 15px;  // Align with the tables
+    }
+
+    #reverseFilter {
+        width: 100% !important;  // Ensure it fills the container
+    }
+</style>
+
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#domainsTab">Domains</a></li>
     <li><a data-toggle="tab" href="#handlesTab">Handlers</a></li>
@@ -156,6 +238,13 @@
 
 <div class="tab-content content-box">
 
+    <!-- Selectpicker for filter by domain -->
+    <div class="form-group common-filter">
+        <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="340px" data-size="7" title="Filter by Domain">
+            <!-- Options will be populated dynamically using JavaScript/Ajax -->
+        </select>
+    </div>
+
     <!-- Reverse Proxy Tab -->
     <div id="domainsTab" class="tab-pane fade in active">
         <div style="padding-left: 16px;">

From 3f4beb965624901689f93c0ab6f90d526a9db3dd Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 26 Apr 2024 09:41:59 +0200
Subject: [PATCH 1864/3088] www/caddy: Fix reload/stop of caddy being infinite
 when websocket streams of clients are open (#3934)

---
 .../mvc/app/controllers/OPNsense/Caddy/forms/general.xml | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml | 9 ++++++++-
 .../opnsense/service/templates/OPNsense/Caddy/Caddyfile  | 5 +++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index e17e870261..c4061ccf22 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -30,4 +30,11 @@
         <type>checkbox</type>
         <help><![CDATA[Abort all connections that don't have a matching handle or access list. This option doesn't conflict with Let's Encrypt. Disable it for troubleshooting purposes, e.g., testing if the Reverse Proxy Domain works and the Certificate has been installed. For production use, enabling this option is recommended.]]></help>
     </field>
+    <field>
+        <id>caddy.general.GracePeriod</id>
+        <label>Grace Period</label>
+        <type>text</type>
+        <hint>10</hint>
+        <help><![CDATA[Defines the grace period for shutting down HTTP servers (i.e. during config changes or when Caddy is stopping) in seconds. During the grace period, no new connections are accepted, idle connections are closed, and active connections are impatiently waited upon to finish their requests. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close.]]></help>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index b311f9556d..f544f3c9b2 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.1.8</version>
+    <version>1.1.9</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -65,6 +65,13 @@
                 </Model>
             </accesslist>
             <abort type="BooleanField"/>
+            <GracePeriod type="IntegerField">
+                <Default>10</Default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>3600</MaximumValue>
+                <ValidationMessage>Please enter a valid Grace Period between 1 and 3600 seconds.</ValidationMessage>
+                <Required>Y</Required>
+            </GracePeriod>
             <LogCredentials type="BooleanField"/>
             <LogAccessPlain type="BooleanField"/>
             <LogAccessPlainKeep type="IntegerField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 81b2a19cf3..e0c0c03886 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -280,6 +280,11 @@
     {% if autoHttpsValue %}
     auto_https {{ autoHttpsValue }}
     {% endif %}
+    {# 
+    # Important: Grace Period influences how fast the server can finish reloads with open connections, by forcing termination.
+    # Default of Caddy is to wait for all connections to close before allowing reload, meaning the higher the value, the longer applies take.
+    #}
+    grace_period {{ generalSettings.GracePeriod }}s
     import /usr/local/etc/caddy/caddy.d/*.global
 }
 

From 2e7acc10be35571db5accaf346ab49eafde407ad Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 27 Apr 2024 19:10:27 +0200
Subject: [PATCH 1865/3088] www/squid - remove format() call in
 helpers.getIPNetwork() for ipaddress compatibility. for
 https://github.com/opnsense/core/issues/7415

---
 .../src/opnsense/service/templates/OPNsense/Proxy/squid.conf  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 4b334cd3f0..6c7369393a 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -122,10 +122,10 @@ ftp_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.ftpPort }} accel ftp-tra
 {%      for interface in OPNsense.proxy.forward.interfaces.split(",") %}
 {%          for intf_key,intf_item in interfaces.items() %}
 {%              if intf_key == interface and intf_item.ipaddr and intf_item.ipaddr != 'dhcp' %}
-acl localnet src {{ helpers.getIPNetwork(intf_item.ipaddr+'/'+intf_item.subnet)[0].format() }}/{{intf_item.subnet}} # Possible internal network (interfaces v4)
+acl localnet src {{helpers.getIPNetwork(intf_item.ipaddr+'/'+intf_item.subnet)[0].__str__() }}/{{intf_item.subnet}} # Possible internal network (interfaces v4)
 {%              endif %}
 {%              if intf_key == interface and intf_item.ipaddrv6 and intf_item.ipaddrv6.find(':') > -1 %}
-acl localnet src {{helpers.getIPNetwork(intf_item.ipaddrv6+'/'+intf_item.subnetv6)[0].format()}}/{{intf_item.subnetv6}} # Possible internal network (interfaces v6)
+acl localnet src {{helpers.getIPNetwork(intf_item.ipaddrv6+'/'+intf_item.subnetv6)[0].__str__()}}/{{intf_item.subnetv6}} # Possible internal network (interfaces v6)
 {%		endif %}
 {%          endfor %}
 {%          if helpers.exists('virtualip.vip') %}

From 60d626b568ead5372977a7a702642eb67f422686 Mon Sep 17 00:00:00 2001
From: mkerost <mr.rost@yahoo.com>
Date: Mon, 29 Apr 2024 03:26:23 -0700
Subject: [PATCH 1866/3088] Update LeCommon.php (#3936)

Match acme.sh settings where debug 2 should have corresponding syslog = 8, and debug 3 should have corresponding syslog = 9
---
 .../opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index f7237bfcc6..d224cf9fa7 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -219,13 +219,13 @@ public function setLoglevel()
                 $this->debug = true;
                 break;
             case 'debug2':
-                $this->acme_args[] = '--syslog 7';
+                $this->acme_args[] = '--syslog 8';
                 $this->acme_args[] = '--debug 2';
                 $this->acme_syslog = 7;
                 $this->debug = true;
                 break;
             case 'debug3':
-                $this->acme_args[] = '--syslog 7';
+                $this->acme_args[] = '--syslog 9';
                 $this->acme_args[] = '--debug 3';
                 $this->acme_syslog = 7;
                 $this->debug = true;

From 59fa924ba17c8501ba6f06a5581fcc840e87cc69 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 29 Apr 2024 12:27:35 +0200
Subject: [PATCH 1867/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index b95b600127..8d3f7bf9f7 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.2
+PLUGIN_VERSION=		4.3
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 462328d2ef..079dd73b07 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.3
+
+Fixed:
+* fix acme.sh debug log levels (#3933)
+
 4.2
 
 Added:

From bce53fce71f17491aa0210d36cacf12d9859fc14 Mon Sep 17 00:00:00 2001
From: crpb <crpb@users.noreply.github.com>
Date: Wed, 1 May 2024 21:46:11 +0200
Subject: [PATCH 1868/3088] typo Nginx.xml (#3954)

fix typo
---
 www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 24a224a6b4..a55a4539c8 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -221,7 +221,7 @@
           <option1 value="=">Exact Match ("=")</option1>
           <option2 value="~">Case Sensitive Match ("~")</option2>
           <option3 value="~*">Case Insensitive Match ("~*")</option3>
-          <option4 value="^~">Don't check regular expressions on logest prefix match ("^~")</option4>
+          <option4 value="^~">Don't check regular expressions on longest prefix match ("^~")</option4>
         </OptionValues>
         <Required>N</Required>
       </matchtype>

From ece19f28c50c841fc466063baee1e99a1b17076d Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 2 May 2024 11:40:55 +0200
Subject: [PATCH 1869/3088] www/caddy: Small style fix for new selectpicker
 "Filter by Domain" (#3953)

---
 .../opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index ed93146a1c..fa8e1e233c 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -224,9 +224,6 @@
         padding: 0 15px;  // Align with the tables
     }
 
-    #reverseFilter {
-        width: 100% !important;  // Ensure it fills the container
-    }
 </style>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
@@ -240,7 +237,7 @@
 
     <!-- Selectpicker for filter by domain -->
     <div class="form-group common-filter">
-        <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="340px" data-size="7" title="Filter by Domain">
+        <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="348px" data-size="7" title="Filter by Domain">
             <!-- Options will be populated dynamically using JavaScript/Ajax -->
         </select>
     </div>

From 0787bcd52e3953847723b6a9eb364fa8768e9294 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 2 May 2024 16:41:00 +0200
Subject: [PATCH 1870/3088] phalcon - change phpdoc entries for
 \Phalcon\Validation\Exception

---
 .../OPNsense/Relayd/Api/SettingsController.php            | 2 +-
 .../controllers/OPNsense/Proxy/Api/SettingsController.php | 8 ++++----
 .../controllers/OPNsense/Proxy/Api/TemplateController.php | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
index fee390f1f4..3b8a11437e 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
@@ -224,7 +224,7 @@ public function delAction($nodeType = null, $uuid = null)
      * @param string $uuid id to toggled
      * @param string|null $enabled set enabled by default
      * @return array status
-     * @throws \Phalcon\Validation\Exception when field validations fail
+     * @throws \OPNsense\Base\ValidationException when field validations fail
      * @throws \ReflectionException when not bound to model
      */
     public function toggleAction($nodeType, $uuid, $enabled = null)
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
index 386c117f40..e6f33dba0f 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
@@ -74,7 +74,7 @@ public function getRemoteBlacklistAction($uuid = null)
      * update remote blacklist item
      * @param string $uuid
      * @return array result status
-     * @throws \Phalcon\Filter\Validation\Exception
+     * @throws \OPNsense\Base\ValidationException
      */
     public function setRemoteBlacklistAction($uuid)
     {
@@ -182,7 +182,7 @@ public function addPACRuleAction()
      * update PAC Rule
      * @param string $uuid
      * @return array result status
-     * @throws \Phalcon\Filter\Validation\Exception
+     * @throws \OPNsense\Base\ValidationException
      */
     public function setPACRuleAction($uuid)
     {
@@ -246,7 +246,7 @@ public function addPACProxyAction()
      * update PAC Proxy
      * @param string $uuid
      * @return array result status
-     * @throws \Phalcon\Filter\Validation\Exception
+     * @throws \OPNsense\Base\ValidationException
      */
     public function setPACProxyAction($uuid)
     {
@@ -299,7 +299,7 @@ public function addPACMatchAction()
      * update PAC Rule
      * @param string $uuid
      * @return array result status
-     * @throws \Phalcon\Filter\Validation\Exception
+     * @throws \OPNsense\Base\ValidationException
      */
     public function setPACMatchAction($uuid)
     {
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
index d6f5c04d3a..2f241f1cc4 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
@@ -43,7 +43,7 @@ class TemplateController extends ApiMutableModelControllerBase
     /**
      * save template
      * @return array status
-     * @throws \Phalcon\Filter\Validation\Exception on validation issues
+     * @throws \OPNsense\Base\ValidationException on validation issues
      * @throws \ReflectionException when binding to the model class fails
      * @throws UserException when denied write access
      */

From e99d0b6bdd0366a500f5a944ffc2a4ced163b33d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 2 May 2024 16:50:04 +0200
Subject: [PATCH 1871/3088] dns/bind - change Phalcon\Messages\Message to
 native implementation

---
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
index 3f73c40c4f..1c97234eaa 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.php
@@ -30,8 +30,8 @@
 namespace OPNsense\Bind;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 use OPNsense\Core\Backend;
-use Phalcon\Messages\Message;
 
 class General extends BaseModel
 {

From 0a47f05a6f4f3329e96e8c292f9b076b57f9e3a4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 2 May 2024 16:51:08 +0200
Subject: [PATCH 1872/3088] dns/ddclient - change Phalcon\Messages\Message to
 native implementation

---
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.php        | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
index 9432b50620..31682aae0b 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
@@ -28,13 +28,13 @@
 
  namespace OPNsense\DynDNS;
 
- use Phalcon\Messages\Message;
- use OPNsense\Base\BaseModel;
+use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 
- /**
-  * Class DynDNS
-  * @package OPNsense\DynDNS
-  */
+/**
+ * Class DynDNS
+ * @package OPNsense\DynDNS
+ */
 class DynDNS extends BaseModel
 {
     public function performValidation($validateFullModel = false)

From 06a85f1553c3c7d7c91e9206b9a4851ddfbf59eb Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 2 May 2024 16:54:14 +0200
Subject: [PATCH 1873/3088] dns/dnscrypt-proxy - change
 Phalcon\Messages\Message to native implementation

---
 .../opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
index 7250e8d171..6f2a3d0659 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.php
@@ -30,8 +30,8 @@
 namespace OPNsense\Dnscryptproxy;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 use OPNsense\Core\Backend;
-use Phalcon\Messages\Message;
 
 class General extends BaseModel
 {

From 13b85f7145b2041cc848ad2a7ea2dcec65c6980c Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 2 May 2024 16:55:17 +0200
Subject: [PATCH 1874/3088] security/wazuh-agent - change
 Phalcon\Messages\Message to native implementation

---
 .../app/models/OPNsense/WazuhAgent/WazuhAgent.php  | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
index 478fb19e48..1e0fe5dbcd 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.php
@@ -26,15 +26,15 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
- namespace OPNsense\WazuhAgent;
+namespace OPNsense\WazuhAgent;
 
- use Phalcon\Messages\Message;
- use OPNsense\Base\BaseModel;
+use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 
- /**
-  * Class WazuhAgent
-  * @package OPNsense\WazuhAgent
-  */
+/**
+ * Class WazuhAgent
+ * @package OPNsense\WazuhAgent
+ */
 class WazuhAgent extends BaseModel
 {
 }

From 95bfb13b6c1de6ad2f39819832a487962b8fc023 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 2 May 2024 16:57:22 +0200
Subject: [PATCH 1875/3088] www/nginx -  change Phalcon\Messages\Message to
 native implementation

---
 .../OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php     | 2 +-
 .../OPNsense/Base/Constraints/NgxBusyBufferConstraint.php       | 2 +-
 .../Base/Constraints/NgxUniqueDefaultServerConstraint.php       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
index fc2c38234d..8a774fd132 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NaxsiIdentifierConstraint.php
@@ -28,7 +28,7 @@
 
 namespace OPNsense\Base\Constraints;
 
-use Phalcon\Messages\Message;
+use OPNsense\Base\Messages\Message;
 
 /**
  * a very specific nginx check for Naxsi rule IDs - not reusable
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
index 00d0469017..409dfa6f22 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
@@ -28,7 +28,7 @@
 
 namespace OPNsense\Base\Constraints;
 
-use Phalcon\Messages\Message;
+use OPNsense\Base\Messages\Message;
 
 /**
  * a very specific nginx check - not reusable
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
index 3526b907d0..433d2b1015 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
@@ -28,7 +28,7 @@
 
 namespace OPNsense\Base\Constraints;
 
-use Phalcon\Messages\Message;
+use OPNsense\Base\Messages\Message;
 
 /**
  * a very specific nginx check - not reusable

From 15ddd7ba9ec847fce158ed9c9717ac9f9f5f63f6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 2 May 2024 16:58:00 +0200
Subject: [PATCH 1876/3088] www/squid - change Phalcon\Messages\Message to
 native implementation

---
 .../src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php   | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php
index b2401c6374..0cb27ed08f 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.php
@@ -30,6 +30,7 @@
 namespace OPNsense\Proxy;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 
 /**
  * Class Proxy
@@ -51,7 +52,7 @@ public function performValidation($validateFullModel = false)
                     switch ($match_type) {
                         case 'url_matches':
                             if (strlen((string)$match->url) == 0) {
-                                $result->appendMessage(new \Phalcon\Messages\Message(
+                                $result->appendMessage(new Message(
                                     gettext('URL must be set.'),
                                     'pac.match.url'
                                 ));
@@ -61,7 +62,7 @@ public function performValidation($validateFullModel = false)
                         case 'dns_domain_is':
                         case 'is_resolvable':
                             if (strlen((string)$match->hostname) == 0) {
-                                $result->appendMessage(new \Phalcon\Messages\Message(
+                                $result->appendMessage(new Message(
                                     gettext('Hostname must be set.'),
                                     'pac.match.hostname'
                                 ));
@@ -70,7 +71,7 @@ public function performValidation($validateFullModel = false)
                         case 'destination_in_net':
                         case 'my_ip_in_net':
                             if (strlen((string)$match->network) == 0) {
-                                $result->appendMessage(new \Phalcon\Messages\Message(
+                                $result->appendMessage(new Message(
                                     gettext('Network must be set.'),
                                     'pac.match.network'
                                 ));

From da53031f7fe8f4fe26511164780819d9d0b52d69 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Fri, 3 May 2024 10:20:28 +0200
Subject: [PATCH 1877/3088] security/crowdsec 1.0.8 (#3959)

---
 security/crowdsec/Makefile                    |  2 +-
 security/crowdsec/pkg-descr                   |  8 +++++
 .../crowdsec/src/etc/cron.d/oscrowdsec.cron   |  2 +-
 .../CrowdSec/Api/CollectionsController.php    | 33 -----------------
 ...arsersController.php => HubController.php} | 10 +++---
 .../CrowdSec/Api/PostoverflowsController.php  | 33 -----------------
 .../CrowdSec/Api/ScenariosController.php      | 33 -----------------
 .../OPNsense/CrowdSec/forms/general.xml       |  6 ++--
 .../app/models/OPNsense/CrowdSec/General.xml  |  6 ++--
 .../app/views/OPNsense/CrowdSec/general.volt  |  6 ++--
 .../app/views/OPNsense/CrowdSec/overview.volt | 35 ++++++++++---------
 .../scripts/OPNsense/CrowdSec/hub-upgrade.sh  | 10 +++---
 .../scripts/OPNsense/CrowdSec/reconfigure.py  |  1 +
 .../scripts/OPNsense/CrowdSec/reconfigure.sh  |  1 -
 .../conf/actions.d/actions_crowdsec.conf      | 35 ++++++-------------
 .../src/opnsense/www/js/CrowdSec/crowdsec.js  | 24 +++++++------
 16 files changed, 73 insertions(+), 172 deletions(-)
 delete mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
 rename security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/{ParsersController.php => HubController.php} (74%)
 delete mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
 delete mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 621a919091..ebf2924bb9 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.7
+PLUGIN_VERSION=		1.0.8
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 456dce4551..ef22794a44 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,14 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.8
+
+* Enable use_wal, remove warning
+* Randomize cron execution over 5 minutes
+* Refactor javascript
+* Fix initial service start with no pending hub updates (1.6.1)
+* Add input validation for `rules_tag` to prevent invalid `pf` syntax.
+
 1.0.7
 
 * Add option `retry_initial_connect` to bouncer configuration for more robust startup. The option was introduced in Crowdsec 1.5.4.
diff --git a/security/crowdsec/src/etc/cron.d/oscrowdsec.cron b/security/crowdsec/src/etc/cron.d/oscrowdsec.cron
index 635b78577f..bff08edd3e 100644
--- a/security/crowdsec/src/etc/cron.d/oscrowdsec.cron
+++ b/security/crowdsec/src/etc/cron.d/oscrowdsec.cron
@@ -6,4 +6,4 @@
 SHELL=/bin/sh
 PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 #minute	hour	mday	month	wday	who	command
-0	1	*	*	*	root	(sleep $(jot -r 1 1 60); /usr/local/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh)
+0	1	*	*	*	root	(sleep $(jot -r 1 1 300); /usr/local/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh)
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
deleted file mode 100644
index 62c63afa6b..0000000000
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
+++ /dev/null
@@ -1,33 +0,0 @@
-<?php
-
-// SPDX-License-Identifier: MIT
-// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
-
-namespace OPNsense\CrowdSec\Api;
-
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
-use OPNsense\Core\Backend;
-
-/**
- * @package OPNsense\CrowdSec
- */
-class CollectionsController extends ApiControllerBase
-{
-    /**
-     * retrieve list of collections
-     * @return array of collections
-     * @throws \OPNsense\Base\ModelException
-     * @throws \ReflectionException
-     */
-    public function getAction()
-    {
-        $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec collections-list")), true);
-        if ($bckresult !== null) {
-            // only return valid json type responses
-            return $bckresult;
-        }
-        return array("message" => "unable to list collections");
-    }
-}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
similarity index 74%
rename from security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
rename to security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
index 6dfcfcdb80..a8114ff2cd 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
@@ -12,22 +12,22 @@
 /**
  * @package OPNsense\CrowdSec
  */
-class ParsersController extends ApiControllerBase
+class HubController extends ApiControllerBase
 {
     /**
-     * retrieve list of registered parsers
-     * @return array of parsers
+     * retrieve the registered hub items
+     * @return dictionary of items, by type
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
     public function getAction()
     {
         $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec parsers-list")), true);
+        $bckresult = json_decode(trim($backend->configdRun("crowdsec hub-items")), true);
         if ($bckresult !== null) {
             // only return valid json type responses
             return $bckresult;
         }
-        return array("message" => "unable to list parsers");
+        return array("message" => "unable to list hub items");
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
deleted file mode 100644
index a52fc928c0..0000000000
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
+++ /dev/null
@@ -1,33 +0,0 @@
-<?php
-
-// SPDX-License-Identifier: MIT
-// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
-
-namespace OPNsense\CrowdSec\Api;
-
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
-use OPNsense\Core\Backend;
-
-/**
- * @package OPNsense\CrowdSec
- */
-class PostoverflowsController extends ApiControllerBase
-{
-    /**
-     * retrieve list of registered postoverflows
-     * @return array of postoverflows
-     * @throws \OPNsense\Base\ModelException
-     * @throws \ReflectionException
-     */
-    public function getAction()
-    {
-        $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec postoverflows-list")), true);
-        if ($bckresult !== null) {
-            // only return valid json type responses
-            return $bckresult;
-        }
-        return array("message" => "unable to list postoverflows");
-    }
-}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
deleted file mode 100644
index 5daa6b82b0..0000000000
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
+++ /dev/null
@@ -1,33 +0,0 @@
-<?php
-
-// SPDX-License-Identifier: MIT
-// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
-
-namespace OPNsense\CrowdSec\Api;
-
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
-use OPNsense\Core\Backend;
-
-/**
- * @package OPNsense\CrowdSec
- */
-class ScenariosController extends ApiControllerBase
-{
-    /**
-     * retrieve list of registered scenarios
-     * @return array of scenarios
-     * @throws \OPNsense\Base\ModelException
-     * @throws \ReflectionException
-     */
-    public function getAction()
-    {
-        $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec scenarios-list")), true);
-        if ($bckresult !== null) {
-            // only return valid json type responses
-            return $bckresult;
-        }
-        return array("message" => "unable to list scenarios");
-    }
-}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
index f154c544ad..45d9d3f249 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
@@ -3,7 +3,7 @@
   <!-- agent_enabled -->
   <field>
     <id>general.agent_enabled</id>
-    <label>Enable CrowdSec (IDS)</label>
+    <label>Enable Log Processor (IDS)</label>
     <type>checkbox</type>
     <help>Enable/disable the CrowdSec agent. Keep this enabled to detect
       attacks and receive alerts from the CrowSec central service.</help>
@@ -21,9 +21,9 @@
   <!-- firewall_bouncer_enabled -->
   <field>
     <id>general.firewall_bouncer_enabled</id>
-    <label>Enable Firewall Bouncer (IPS)</label>
+    <label>Enable Remediation Component (IPS)</label>
     <type>checkbox</type>
-    <help>Enable/disable the firewall bouncer. Keep this enabled to block
+    <help>Enable/disable the remediation component. Keep this enabled to block
       packets from the attacking IP addresses.</help>
   </field>
 
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index 4349222b6c..f332b3b645 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.6</version>
+  <version>1.0.8</version>
   <items>
 
     <agent_enabled type="BooleanField">
@@ -43,8 +43,8 @@
     </rules_log>
 
     <rules_tag type="TextField">
-      <default></default>
-      <Required>N</Required>
+      <Mask>/^([0-9a-zA-Z]{1,63})$/u</Mask>
+      <ValidationMessage>A tag must only contain numbers and letters and must be between 1 and 63 characters.</ValidationMessage>
     </rules_tag>
 
     <crowdsec_firewall_verbose type="BooleanField">
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index ed1b89b7dc..c7ae96adf5 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -71,7 +71,7 @@
         the possibilities.</p>
 
         <p>For the latest plugin documentation, including how to use it with an external LAPI, see <a
-        href="https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec_opnsense">Install
+        href="https://docs.crowdsec.net/u/getting_started/installation/opnsense">Install
         CrowdSec (OPNsense)</a></p>
 
         <p>A few remarks:</p>
@@ -79,7 +79,7 @@
         <ul>
             <li>
                 New acquisition files go under <code>/usr/local/etc/crowdsec/acquis.d</code>. See opnsense.yaml for details.
-                The option <code>poll_without_inotify: true</code> is required if the acquitision targets are symlinks (which
+                The option <code>poll_without_inotify: true</code> is required if the log sources are symlinks (which
                 is the case for most opnsense logs).
             </li>
             <li>
@@ -91,7 +91,7 @@
                 At the moment, the CrowdSec package for OPNsense is fully functional on the
                 command line but its web interface is limited; you can only list the installed objects and revoke
                 <a href="https://docs.crowdsec.net/docs/user_guides/decisions_mgmt/">decisions</a>. For anything else
-                you need the shell.
+                you need the shell or the <a href="https://app.crowdsec.net">CrowdSec Console</a>.
             </li>
             <li>
                 Do not enable/start the agent and bouncer services with <code>sysrc</code> or <code>/etc/rc.conf</code>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
index 87987c30a5..a51cbb5bff 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
@@ -54,7 +54,7 @@ ul.nav>li>a {
         <table class="table table-condensed table-hover table-striped">
             <thead>
                 <tr>
-                  <th data-column-id="name">Name</th>
+                  <th data-column-id="name" data-order="asc">Name</th>
                   <th data-column-id="ip_address">IP Address</th>
                   <th data-column-id="last_update" data-formatter="datetime">Last Update</th>
                   <th data-column-id="validated" data-formatter="yesno" data-searchable="false">Validated?</th>
@@ -74,7 +74,7 @@ ul.nav>li>a {
         <table class="table table-condensed table-hover table-striped">
             <thead>
                 <tr>
-                  <th data-column-id="name">Name</th>
+                  <th data-column-id="name" data-order="asc">Name</th>
                   <th data-column-id="ip_address">IP Address</th>
                   <th data-column-id="valid" data-formatter="yesno" data-searchable="false">Valid</th>
                   <th data-column-id="last_pull" data-formatter="datetime">Last API Pull</th>
@@ -95,10 +95,11 @@ ul.nav>li>a {
         <table class="table table-condensed table-hover table-striped">
             <thead>
                 <tr>
-                  <th data-column-id="name">Name</th>
+                  <th data-column-id="name" data-order="asc">Collection</th>
                   <th data-column-id="status">Status</th>
                   <th data-column-id="local_version">Version</th>
-                  <th data-column-id="local_path">Local Path</th>
+                  <th data-visible="false" data-column-id="local_path">Path</th>
+                  <th data-column-id="description">Description</th>
                 </tr>
             </thead>
             <tbody>
@@ -114,10 +115,10 @@ ul.nav>li>a {
         <table class="table table-condensed table-hover table-striped">
             <thead>
                 <tr>
-                  <th data-column-id="name">Name</th>
+                  <th data-column-id="name" data-order="asc">Scenario</th>
                   <th data-column-id="status">Status</th>
                   <th data-column-id="local_version">Version</th>
-                  <th data-column-id="local_path">Path</th>
+                  <th data-visible="false" data-column-id="local_path">Path</th>
                   <th data-column-id="description">Description</th>
                 </tr>
             </thead>
@@ -134,10 +135,10 @@ ul.nav>li>a {
         <table class="table table-condensed table-hover table-striped">
             <thead>
                 <tr>
-                  <th data-column-id="name">Name</th>
+                  <th data-column-id="name" data-order="asc">Parser</th>
                   <th data-column-id="status">Status</th>
                   <th data-column-id="local_version">Version</th>
-                  <th data-column-id="local_path">Local Path</th>
+                  <th data-visible="false" data-column-id="local_path">Path</th>
                   <th data-column-id="description">Description</th>
                 </tr>
             </thead>
@@ -154,10 +155,10 @@ ul.nav>li>a {
         <table class="table table-condensed table-hover table-striped">
             <thead>
                 <tr>
-                  <th data-column-id="name">Name</th>
+                  <th data-column-id="name" data-order="asc">Postoverflow</th>
                   <th data-column-id="status">Status</th>
                   <th data-column-id="local_version">Version</th>
-                  <th data-column-id="local_path">Local Path</th>
+                  <th data-visible="false" data-column-id="local_path">Path</th>
                   <th data-column-id="description">Description</th>
                 </tr>
             </thead>
@@ -174,7 +175,7 @@ ul.nav>li>a {
         <table class="table table-condensed table-hover table-striped">
             <thead>
                 <tr>
-                  <th data-column-id="id" data-type="numeric">ID</th>
+                  <th data-column-id="id" data-type="numeric" data-order="asc">ID</th>
                   <th data-column-id="value">Value</th>
                   <th data-column-id="reason">Reason</th>
                   <th data-column-id="country">Country</th>
@@ -198,17 +199,19 @@ ul.nav>li>a {
         <table class="table table-condensed table-hover table-striped">
             <thead>
                 <tr>
-                  <th data-column-id="delete" data-formatter="delete" data-visible-in-selection="false"></th>
-                  <th data-column-id="id" data-identifier="true" data-type="numeric">ID</th>
-                  <th data-column-id="source">Source</th>
+                  <th data-column-id="delete" data-formatter="delete"
+                  data-visible-in-selection="false"></th>
+                  <th data-column-id="id" data-visible="false" data-identifier="true" data-type="numeric"
+                  data-order="asc">ID</th>
+                  <th data-visible="false" data-column-id="source">Source</th>
                   <th data-column-id="scope_value">Scope:Value</th>
                   <th data-column-id="reason">Reason</th>
-                  <th data-column-id="action">Action</th>
+                  <th data-visible="false" data-column-id="action">Action</th>
                   <th data-column-id="country">Country</th>
                   <th data-column-id="as">AS</th>
                   <th data-column-id="events_count" data-type="numeric">Events</th>
                   <th data-column-id="expiration" data-formatter="duration">Expiration</th>
-                  <th data-column-id="alert_id" data-type="numeric">Alert&nbsp;ID</th>
+                  <th data-visible="false" data-column-id="alert_id" data-type="numeric">Alert&nbsp;ID</th>
                 </tr>
             </thead>
             <tbody>
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
index 4d2a568081..50b81c744e 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
@@ -10,11 +10,11 @@ if [ ! -e "/usr/local/etc/crowdsec/collections/opnsense.yaml" ]; then
     /usr/local/bin/cscli --error collections install crowdsecurity/opnsense
 fi
 
-if [ -n "$upgraded" ]; then
-    if service crowdsec enabled; then
-        if ! service crowdsec status >/dev/null 2>&1; then
-            service crowdsec start >/dev/null 2>&1 || :
-        else
+if service crowdsec enabled; then
+    if ! service crowdsec status >/dev/null 2>&1; then
+        service crowdsec start >/dev/null 2>&1 || :
+    else
+        if [ -n "$upgraded" ]; then
             service crowdsec reload >/dev/null 2>&1 || :
         fi
     fi
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
index 20c5724392..84008d6256 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
@@ -45,6 +45,7 @@ def configure_agent(settings):
 
     config['common']['log_dir'] = '/var/log/crowdsec'
     config['crowdsec_service']['acquisition_dir'] = '/usr/local/etc/crowdsec/acquis.d/'
+    config['db_config']['use_wal'] = True
 
     if not int(settings.get('lapi_manual_configuration', '0')):
         config['api']['server']['listen_uri'] = get_netloc(settings)
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
index 1c339cc01f..ce4660c502 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
@@ -10,7 +10,6 @@ set -e
 # apply configuration options specific to opnsense
 /usr/local/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
 
-# enable pf anchor here - the tables and rules will be created by the bouncer
 /usr/local/sbin/configctl filter reload >/dev/null
 
 # the hub is upgraded by cron too
diff --git a/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf b/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
index de9c3f6fda..371cf485d9 100644
--- a/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
+++ b/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
@@ -19,7 +19,7 @@ message: oscrowdsec status
 [restart]
 command:/usr/local/etc/rc.d/oscrowdsec restart
 type: script
-message: stopping crowdsec services
+message: restarting crowdsec services
 
 [reload]
 command:/usr/local/etc/rc.d/oscrowdsec reload
@@ -37,22 +37,17 @@ type:script_output
 message: request crowdsec_firewall status
 
 [alerts-list]
-command:/usr/local/bin/cscli alerts list -l 0 -o json | sed 's/^null$/\[\]/'
+command:/usr/local/bin/cscli alerts list -l 0 -o json
 type:script_output
 message:crowdsec alerts list
 
 [bouncers-list]
-command:/usr/local/bin/cscli bouncers list -o json | sed 's/^null$/\[\]/'
+command:/usr/local/bin/cscli bouncers list -o json
 type:script_output
 message:crowdsec bouncers list
 
-[collections-list]
-command:/usr/local/bin/cscli collections list -o json
-type:script_output
-message:crowdsec collections list
-
 [decisions-list]
-command:/usr/local/bin/cscli decisions list -l 0 -o json | sed 's/^null$/\[\]/'
+command:/usr/local/bin/cscli decisions list -l 0 -o json
 type:script_output
 message:crowdsec decisions list
 
@@ -62,25 +57,15 @@ parameters:--id %s
 type:script_output
 message:crowdsec decisions delete
 
-[machines-list]
-command:/usr/local/bin/cscli machines list -o json | sed 's/^null$/\[\]/'
+[hub-items]
+command:/usr/local/bin/cscli hub list -o json
 type:script_output
-message:crowdsec machines list
+message:crowdsec hub list
 
-[parsers-list]
-command:/usr/local/bin/cscli parsers list -o json
-type:script_output
-message:crowdsec parsers list
-
-[postoverflows-list]
-command:/usr/local/bin/cscli postoverflows list -o json
-type:script_output
-message:crowdsec postoverflows list
-
-[scenarios-list]
-command:/usr/local/bin/cscli scenarios list -o json
+[machines-list]
+command:/usr/local/bin/cscli machines list -o json
 type:script_output
-message:crowdsec scenarios list
+message:crowdsec machines list
 
 [version]
 command:/usr/local/bin/cscli version 2>&1
diff --git a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
index 93b9ec7670..09f16c12e5 100644
--- a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
+++ b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
@@ -6,6 +6,7 @@
 var CrowdSec = (function () {
     'use strict';
 
+    var crowdsec_path = '/usr/local/etc/crowdsec/';
     var _refreshTemplate = '<button class="btn btn-default" type="button" title="Refresh"><span class="icon glyphicon glyphicon-refresh"></span></button>';
 
     var _dataFormatters = {
@@ -87,8 +88,9 @@ var CrowdSec = (function () {
             timestamp = $freshness.data('refresh_timestamp');
         }
         var howlongHuman = '???';
+        var howlongms;
         if (timestamp) {
-            var howlongms = moment() - moment(timestamp);
+            howlongms = moment() - moment(timestamp);
             howlongHuman = moment.duration(howlongms).humanize();
         }
         $freshness.text(howlongHuman + ' ago');
@@ -129,7 +131,8 @@ var CrowdSec = (function () {
             dectypes[decision.type] = dectypes[decision.type] ? (dectypes[decision.type] + 1) : 1;
         });
         var ret = '';
-        for (var type in dectypes) {
+        var type;
+        for (type in dectypes) {
             if (ret !== '') {
                 ret += ' ';
             }
@@ -217,7 +220,7 @@ var CrowdSec = (function () {
     }
 
     function _initCollections () {
-        var url = '/api/crowdsec/collections/get';
+        var url = '/api/crowdsec/hub/get';
         var dataCallback = function (data) {
             var rows = [];
             data.collections.map(function (row) {
@@ -225,7 +228,8 @@ var CrowdSec = (function () {
                     name: row.name,
                     status: row.status,
                     local_version: row.local_version || ' ',
-                    local_path: row.local_path || ' '
+                    local_path: row.local_path ? row.local_path.replace(crowdsec_path, '') : ' ',
+                    description: row.description || ' '
                 });
             });
         $('#collections table').bootgrid('clear').bootgrid('append', rows);
@@ -234,7 +238,7 @@ var CrowdSec = (function () {
     }
 
     function _initScenarios () {
-        var url = '/api/crowdsec/scenarios/get';
+        var url = '/api/crowdsec/hub/get';
         var dataCallback = function (data) {
             var rows = [];
             data.scenarios.map(function (row) {
@@ -242,7 +246,7 @@ var CrowdSec = (function () {
                     name: row.name,
                     status: row.status,
                     local_version: row.local_version || ' ',
-                    local_path: row.local_path || ' ',
+                    local_path: row.local_path ? row.local_path.replace(crowdsec_path, '') : ' ',
                     description: row.description || ' '
                 });
             });
@@ -252,7 +256,7 @@ var CrowdSec = (function () {
     }
 
     function _initParsers () {
-        var url = '/api/crowdsec/parsers/get';
+        var url = '/api/crowdsec/hub/get';
         var dataCallback = function (data) {
             var rows = [];
             data.parsers.map(function (row) {
@@ -260,7 +264,7 @@ var CrowdSec = (function () {
                     name: row.name,
                     status: row.status,
                     local_version: row.local_version || ' ',
-                    local_path: row.local_path || ' ',
+                    local_path: row.local_path ? row.local_path.replace(crowdsec_path, '') : ' ',
                     description: row.description || ' '
                 });
             });
@@ -270,7 +274,7 @@ var CrowdSec = (function () {
     }
 
     function _initPostoverflows () {
-        var url = '/api/crowdsec/postoverflows/get';
+        var url = '/api/crowdsec/hub/get';
         var dataCallback = function (data) {
             var rows = [];
             data.postoverflows.map(function (row) {
@@ -278,7 +282,7 @@ var CrowdSec = (function () {
                     name: row.name,
                     status: row.status,
                     local_version: row.local_version || ' ',
-                    local_path: row.local_path || ' ',
+                    local_path: row.local_path ? row.local_path.replace(crowdsec_path, '') : ' ',
                     description: row.description || ' '
                 });
             });

From 938cff5cb18535c8603f9d2fcc45345e7c242645 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 May 2024 15:21:54 +0200
Subject: [PATCH 1878/3088] net-mgmt/telegraf: bump model

---
 .../src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 63ac311e58..6118dcb98b 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/telegraf/output</mount>
     <description>Telegraf outputs configuration</description>
-    <version>1.4.5</version>
+    <version>1.4.6</version>
     <items>
         <influx_enable type="BooleanField">
             <default>0</default>

From e830d8ee28b11a8e88acfab3f99d7c0ff45eaceb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 May 2024 15:33:58 +0200
Subject: [PATCH 1879/3088] www/squid: bump revision

---
 www/squid/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 1a40fe8707..debbe26ca1 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2

From ebf7614878d3df39856fcd05cb09939d9fb186cd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 May 2024 15:41:22 +0200
Subject: [PATCH 1880/3088] www/nginx: bump revision

---
 www/nginx/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 337fbac2cb..14950c49ee 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.32.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 10d0bc8e7cc1728041313e3def266c0156b807d2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 May 2024 16:03:22 +0200
Subject: [PATCH 1881/3088] www/caddy: whitespace sweep

---
 .../OPNsense/Caddy/Api/ReverseProxyController.php      |  4 ++--
 .../mvc/app/views/OPNsense/Caddy/reverse_proxy.volt    | 10 +++++-----
 .../service/templates/OPNsense/Caddy/Caddyfile         |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index eb94b82e0c..de6b82b643 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -83,7 +83,7 @@ public function toggleReverseProxyAction($uuid, $enabled = null)
     {
         return $this->toggleBase("reverseproxy.reverse", $uuid, $enabled);
     }
- 
+
     /*Function for the search filter dropdown in the bootgrid*/
     public function getAllReverseDomainsAction()
     {
@@ -154,7 +154,7 @@ public function toggleSubdomainAction($uuid, $enabled = null)
 
 
     /*Handler Section*/
-    
+
     /*Search Function adjusted for the search filter dropdown*/
     public function searchHandleAction()
     {
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index fa8e1e233c..a8d4cf525a 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -26,7 +26,7 @@
 
 <script>
     $(document).ready(function() {
-    
+
         // Function to handle the search filter request modification
         function addDomainFilterToRequest(request) {
             var selectedDomains = $('#reverseFilter').val();
@@ -35,7 +35,7 @@
             }
             return request;
         }
-    
+
         // Bootgrid Setup
         $("#reverseProxyGrid").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchReverseProxy/',
@@ -163,7 +163,7 @@
 
         // Initialize the service control UI for 'caddy'
         updateServiceControlUI('caddy');
-        
+
         // Filter function for domains
         function loadDomainFilters() {
             $.ajax({
@@ -186,14 +186,14 @@
             });
         }
         loadDomainFilters();
-        
+
         // Reload Bootgrid on filter change
         $('#reverseFilter').on('changed.bs.select', function() {
             $("#reverseProxyGrid").bootgrid("reload");
             $("#reverseSubdomainGrid").bootgrid("reload");
             $("#reverseHandleGrid").bootgrid("reload");
         });
-        
+
         // Control the visibility of selectpicker for filter by domain
         function toggleSelectPicker(tab) {
             if (tab === 'handlesTab' || tab === 'domainsTab') {
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index e0c0c03886..c162a0bfde 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -280,7 +280,7 @@
     {% if autoHttpsValue %}
     auto_https {{ autoHttpsValue }}
     {% endif %}
-    {# 
+    {#
     # Important: Grace Period influences how fast the server can finish reloads with open connections, by forcing termination.
     # Default of Caddy is to wait for all connections to close before allowing reload, meaning the higher the value, the longer applies take.
     #}

From b3a6eca348be70ebd6fa61cee859c5f05b74ad82 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 6 May 2024 16:05:10 +0200
Subject: [PATCH 1882/3088] www/caddy: template fix tls_server_name option
 (#3948)

* Update Caddyfile

It is allowed for these TLS Options to appear more freely inside the transport_http blocks without producing an invalid configuration.

For example, "tls_server_name" is not required to appear together with "tls"

* Update Caddy.xml

Ensure that when "NTLM" is chosen, TLS has to be enabled at the same time.
---
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 20 +++++++++++++++++--
 .../templates/OPNsense/Caddy/Caddyfile        | 16 ++++++++-------
 2 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index f544f3c9b2..d482aa4bae 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -290,8 +290,24 @@
                     <MaximumValue>100</MaximumValue>
                     <ValidationMessage>Please enter a value between 1 to 100.</ValidationMessage>
                 </PassiveHealthFailDuration>
-                <HttpTls type="BooleanField"/>
-                <HttpNtlm type="BooleanField"/>
+                <HttpTls type="BooleanField">
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>TLS and NTLM must be enabled at the same time.</ValidationMessage>
+                            <type>DependConstraint</type>
+                            <addFields>
+                                <field1>HttpNtlm</field1>
+                            </addFields>
+                        </check001>
+                    </Constraints>
+                </HttpTls>
+                <HttpNtlm type="BooleanField">
+                    <Constraints>
+                        <check001>
+                            <reference>HttpNtlm.check001</reference>
+                        </check001>
+                    </Constraints>
+                </HttpNtlm>
                 <HttpTlsInsecureSkipVerify type="BooleanField"/>
                 <HttpTlsTrustedCaCerts type="CertificateField">
                     <Type>ca</Type>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index c162a0bfde..7aa75d1dc8 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -523,34 +523,36 @@
             {% if handle.PassiveHealthFailDuration|default("") %}
             fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}
-            {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
+            {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts|default("") != "" or handle.HttpTlsServerName|default("") != "" %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {
+                    {% if handle.HttpTls|default("0") == "1" %}
+                    tls
+                    {% endif %}
                     {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
                     tls_insecure_skip_verify
-                    {% else %}
-                    tls
+                    {% endif %}
                     {% if handle.HttpTlsTrustedCaCerts %}
                     tls_trusted_ca_certs /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
                     {% endif %}
                     {% if handle.HttpTlsServerName %}
                     tls_server_name {{ handle.HttpTlsServerName }}
                     {% endif %}
-                    {% endif %}
                 }
                 {% else %}
                 transport http {
+                    {% if handle.HttpTls|default("0") == "1" %}
+                    tls
+                    {% endif %}
                     {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
                     tls_insecure_skip_verify
-                    {% else %}
-                    tls
+                    {% endif %}
                     {% if handle.HttpTlsTrustedCaCerts %}
                     tls_trusted_ca_certs /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
                     {% endif %}
                     {% if handle.HttpTlsServerName %}
                     tls_server_name {{ handle.HttpTlsServerName }}
                     {% endif %}
-                    {% endif %}
                 }
                 {% endif %}
             {% endif %}

From 71e78ac011d4092b433e3efad88bd9ece565727a Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 6 May 2024 16:11:41 +0200
Subject: [PATCH 1883/3088] www/caddy: general.volt - Improve Save and Apply
 buttons (#3957)

* Update general.volt - Fix Apply button when validation errors happen

Because the Apply button triggers "saveFormToEndpoint" to save the form before continuing, the "callback_fail" has to trigger when the validation fails to reject the deferred object. Otherwise, the apply button can get stuck indefinitely.

Also, the "disable_dialog" has been set to false, in order to show the validation dialog. Since there are multiple tabs, the validation result could be hidden to the user otherwise.

* Update general.volt - Improve "Save" button

Give the "Save" button the same treatment as the "Apply" button, using SimpleActionButton for better User Feedback, and also displaying the error dialog when the validation failed.
---
 .../mvc/app/views/OPNsense/Caddy/general.volt | 80 +++++++++++--------
 1 file changed, 47 insertions(+), 33 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index eac7320b6b..df6b749a4a 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -60,31 +60,35 @@
                 onPreAction: function() {
                     const dfObj = $.Deferred();
 
-                    // Save the form before continue
-                    saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings', function() {
-                        // After successful save, proceed with validation
-                        $.ajax({
-                            url: "/api/caddy/service/validate",
-                            type: "GET",
-                            dataType: "json",
-                            success: function(data) {
-                                if (data && data['status'].toLowerCase() === 'ok') {
-                                    dfObj.resolve(); // Configuration is valid
-                                } else {
-                                    showAlert(data['message'], "Validation Error");
-                                    dfObj.reject(); // Configuration is invalid
+                    // Save the form before continuing
+                    saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings',
+                        function() {  // callback_ok: What to do when save is successful
+                            // After successful save, proceed with validation
+                            $.ajax({
+                                url: "/api/caddy/service/validate",
+                                type: "GET",
+                                dataType: "json",
+                                success: function(data) {
+                                    if (data && data['status'].toLowerCase() === 'ok') {
+                                        dfObj.resolve(); // Configuration is valid
+                                    } else {
+                                        showAlert(data['message'], "Validation Error");
+                                        dfObj.reject(); // Configuration is invalid
+                                    }
+                                },
+                                error: function(xhr, status, error) {
+                                    showAlert("Validation request failed: " + error, "Validation Error");
+                                    dfObj.reject(); // AJAX request failed
                                 }
-                            },
-                            error: function(xhr, status, error) {
-                                showAlert("Validation request failed: " + error, "Validation Error");
-                                dfObj.reject(); // AJAX request failed
-                            }
-                        });
-                    }, function() {
-                        // If save fails, reject the deferred object to stop the reconfigure action
-                        showAlert("Failed to save configuration.", "Error");
-                        dfObj.reject();
-                    });
+                            });
+                        }, 
+                        false, // disable_dialog: Show the dialog with the validation error
+                        function(errorData) {  // callback_fail: What to do when save fails
+                            // Handle failure due to validation errors or other issues
+                            showAlert("Configuration save failed: " + (errorData.message || "Validation Error"), "Error");
+                            dfObj.reject(); // Reject the deferred object to stop the reconfigure action
+                        }
+                    );
 
                     return dfObj.promise();
                 },
@@ -100,15 +104,25 @@
                 }
             });
 
-            // Adding Save functionality, so saving can be done independantly from applying
-            $("#saveSettings").click(function() {
-                saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings', function() {
-                    // Callback function on successful save, optional
-                    showAlert("Configuration saved successfully. Please don't forget to apply the configuration.", "Save Successful");
-                }, function() {
-                    // Callback function on save failure
-                    showAlert("Failed to save configuration.", "Error");
-                });
+            $("#saveSettings").SimpleActionButton({
+                onAction: function() {
+                    const dfObj = $.Deferred();
+
+                    // Save the form before continuing
+                    saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings',
+                        function() {  // callback_ok: What to do when save is successful
+                            showAlert("Configuration saved successfully. Please don't forget to apply the configuration.", "Save Successful");
+                            dfObj.resolve();
+                        }, 
+                        false, // disable_dialog: Show the dialog with the validation error
+                        function(errorData) {  // callback_fail: What to do when save fails
+                            showAlert("Configuration save failed: " + (errorData.message || "Validation Error"), "Error");
+                            dfObj.reject();
+                        }
+                    );
+
+                    return dfObj.promise();
+                },
             });
 
             // Initialize the service control UI for 'caddy'

From 045976e3396ae004c57dffa259148c7eec5758a4 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 6 May 2024 16:12:43 +0200
Subject: [PATCH 1884/3088] www/caddy: Reduce scope of variables in javascript
 - replace var with let (#3956)

* Update general.volt - Reduce scope of variables

The declared variables are only used in the block, so the scope can be reduced from "var" to "let".

* Update reverse_proxy.volt

Replace var with let
---
 .../mvc/app/views/OPNsense/Caddy/general.volt        |  6 +++---
 .../mvc/app/views/OPNsense/Caddy/reverse_proxy.volt  | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index df6b749a4a..7e704763da 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -26,7 +26,7 @@
 
 <script type="text/javascript">
     $(document).ready(function() {
-        var data_get_map = {'frm_GeneralSettings':"/api/caddy/General/get"};
+        let data_get_map = {'frm_GeneralSettings':"/api/caddy/General/get"};
         mapDataToFormUI(data_get_map).done(function(data){
 
             // Refresh selectpicker for these dropdowns
@@ -34,8 +34,8 @@
 
             // Function to show alerts in the HTML message area
             function showAlert(message, type = "error") {
-                var alertClass = type === "error" ? "alert-danger" : "alert-success";
-                var messageArea = $("#messageArea");
+                let alertClass = type === "error" ? "alert-danger" : "alert-success";
+                let messageArea = $("#messageArea");
 
                 // Stop any current animation, clear the queue, and immediately hide the element
                 messageArea.stop(true, true).hide();
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index a8d4cf525a..7cfd98bc85 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -29,7 +29,7 @@
 
         // Function to handle the search filter request modification
         function addDomainFilterToRequest(request) {
-            var selectedDomains = $('#reverseFilter').val();
+            let selectedDomains = $('#reverseFilter').val();
             if (selectedDomains && selectedDomains.length > 0) {
                 request['reverseUuids'] = selectedDomains.join(',');
             }
@@ -99,8 +99,8 @@
 
         // Function to show alerts in the HTML message area
         function showAlert(message, type = "error") {
-            var alertClass = type === "error" ? "alert-danger" : "alert-success";
-            var messageArea = $("#messageArea");
+            let alertClass = type === "error" ? "alert-danger" : "alert-success";
+            let messageArea = $("#messageArea");
 
             // Stop any current animation, clear the queue, and immediately hide the element
             messageArea.stop(true, true).hide();
@@ -171,7 +171,7 @@
                 type: 'GET',
                 dataType: 'json',
                 success: function(data) {
-                    var select = $('#reverseFilter');
+                    let select = $('#reverseFilter');
                     select.empty(); // Clear current options
                     if (data && data.rows) {
                         data.rows.forEach(function(item) {
@@ -204,12 +204,12 @@
         }
 
         // Initialize visibility based on the active tab on page load
-        var activeTab = $('#maintabs .active a').attr('href').replace('#', '');
+        let activeTab = $('#maintabs .active a').attr('href').replace('#', '');
         toggleSelectPicker(activeTab);
 
         // Change event when switching tabs
         $('#maintabs a').on('click', function (e) {
-            var currentTab = $(this).attr('href').replace('#', '');
+            let currentTab = $(this).attr('href').replace('#', '');
             toggleSelectPicker(currentTab);
         });
 

From e7c6b68c7739145721c3597ed4bf68a2e57f0a98 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 May 2024 16:14:11 +0200
Subject: [PATCH 1885/3088] security/wazuh-agent: bump revision

---
 security/wazuh-agent/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index cd1e3dbccd..a955109f7b 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wazuh-agent
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 17734d9f095c3738df3558656a2f768f93a3a41e Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 6 May 2024 17:58:04 +0200
Subject: [PATCH 1886/3088] www/caddy: Update helptext about new requirement
 ACME E-Mail (#3960)

---
 .../mvc/app/controllers/OPNsense/Caddy/forms/general.xml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index c4061ccf22..00c0b85cc0 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -10,7 +10,7 @@
         <label>ACME Email</label>
         <type>text</type>
         <hint>info@example.com</hint>
-        <help><![CDATA[Enter the email address for certificate notifications.]]></help>
+        <help><![CDATA[Enter the email address for certificate notifications. This is required to receive automatic certificates from Let's Encrypt and ZeroSSL.]]></help>
     </field>
     <field>
         <id>caddy.general.TlsAutoHttps</id>

From e1d58710d8bb041fdfa5304f4fc903f72875210a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 7 May 2024 14:40:57 +0200
Subject: [PATCH 1887/3088] www/squid - workaround for coredumps when openssl's
 legacy provider is enabled.

While debugging https://github.com/opnsense/plugins/issues/3827, @fichtner found some reports at redhat which point to some squid openssl 3 compatibility issue [1][2].
To workaround this issue, we can ship squid it's own openssl.cnf file which has legacy disabled.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=2155867
[2] https://issues.redhat.com/browse/RHEL-6873
---
 www/squid/Makefile                                              | 2 +-
 www/squid/src/opnsense/scripts/proxy/setup.sh                   | 2 ++
 .../src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d     | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index debbe26ca1..cfc272dd5c 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/src/opnsense/scripts/proxy/setup.sh b/www/squid/src/opnsense/scripts/proxy/setup.sh
index 795ebdd0d9..9e3bb55989 100755
--- a/www/squid/src/opnsense/scripts/proxy/setup.sh
+++ b/www/squid/src/opnsense/scripts/proxy/setup.sh
@@ -40,3 +40,5 @@ fi
 
 # install theme files
 /usr/local/opnsense/scripts/proxy/deploy_error_pages.py > /dev/null 2>&1
+
+sed 's/legacy = legacy_sect/#legacy = legacy_sect/' /usr/local/openssl/openssl.cnf > /usr/local/etc/squid/openssl.cnf
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
index 2a1dc037fd..21c5d79b49 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
@@ -4,3 +4,5 @@ squid_enable="YES"
 {% else %}
 squid_enable="NO"
 {% endif %}
+
+squid_env="OPENSSL_CONF=/usr/local/etc/squid/openssl.cnf"

From 70de22e0c4300f10c4a69841c5d63f447ae74207 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 7 May 2024 15:00:20 +0200
Subject: [PATCH 1888/3088] www/OPNProxy - re-wire 'squid -k reconfigure' to
 use rc scripting, so we can avoid
 https://github.com/opnsense/plugins/issues/3827 due to squid's legacy openssl
 issue.

---
 www/OPNProxy/Makefile                                           | 1 +
 .../src/opnsense/service/conf/actions.d/actions_opnproxy.conf   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/OPNProxy/Makefile b/www/OPNProxy/Makefile
index 3cc481e385..3c1b5d9995 100644
--- a/www/OPNProxy/Makefile
+++ b/www/OPNProxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		OPNProxy
 PLUGIN_VERSION=		1.0.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		OPNsense proxy additions
 PLUGIN_DEPENDS=		os-redis${PLUGIN_PKGSUFFIX} \
 			os-squid${PLUGIN_PKGSUFFIX} \
diff --git a/www/OPNProxy/src/opnsense/service/conf/actions.d/actions_opnproxy.conf b/www/OPNProxy/src/opnsense/service/conf/actions.d/actions_opnproxy.conf
index bafa0f6993..33d981cbfc 100644
--- a/www/OPNProxy/src/opnsense/service/conf/actions.d/actions_opnproxy.conf
+++ b/www/OPNProxy/src/opnsense/service/conf/actions.d/actions_opnproxy.conf
@@ -1,7 +1,7 @@
 [apply_policies]
 command:
   /usr/local/opnsense/scripts/OPNProxy/policies_to_redis_proto.py | redis-cli --pipe &&
-  /usr/local/sbin/squid -k reconfigure
+  /usr/local/etc/rc.d/squid reload
 parameters:
 type:script
 message:download proxy policies and apply to redisdb

From ff0b9042a8e350f7fbbc2357fd69c06b2f98922d Mon Sep 17 00:00:00 2001
From: xabbok255 <105869156+xabbok255@users.noreply.github.com>
Date: Mon, 13 May 2024 10:05:30 +0300
Subject: [PATCH 1889/3088] Shadowsocks plugin tcp_and_udp mode (#3868)

---
 net/shadowsocks/Makefile                              |  3 +--
 .../OPNsense/Shadowsocks/forms/general.xml            |  6 ++++++
 .../mvc/app/models/OPNsense/Shadowsocks/General.xml   | 11 ++++++++++-
 .../templates/OPNsense/Shadowsocks/shadowsocks.conf   |  1 +
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/net/shadowsocks/Makefile b/net/shadowsocks/Makefile
index 478086ece7..bd4abead24 100644
--- a/net/shadowsocks/Makefile
+++ b/net/shadowsocks/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		shadowsocks
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Secure socks5 proxy
 PLUGIN_DEPENDS=		shadowsocks-libev
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/general.xml b/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/general.xml
index a2936b0f46..b87f8e8385 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/general.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/general.xml
@@ -35,4 +35,10 @@
         <type>dropdown</type>
         <help>Choose the cipher to use for encryption.</help>
     </field>
+    <field>
+        <id>general.tcpudpmode</id>
+        <label>Mode</label>
+        <type>dropdown</type>
+        <help>Choose TCP, UDP or both relay mode</help>
+    </field>
 </form>
diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
index 4a93197066..b255c07344 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/shadowsocks/general</mount>
     <description>Shadowsocks configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -46,5 +46,14 @@
                 <chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
             </OptionValues>
         </cipher>
+        <tcpudpmode type="OptionField">
+            <default>tcp_only</default>
+            <Required>Y</Required>
+            <OptionValues>
+                <tcp_only>TCP only</tcp_only>
+                <udp_only>UDP only</udp_only>
+                <tcp_and_udp>TCP and UDP</tcp_and_udp>
+            </OptionValues>
+        </tcpudpmode>
     </items>
 </model>
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks.conf b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks.conf
index ebe3fccc5a..b4337ea4a8 100644
--- a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks.conf
+++ b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks.conf
@@ -5,6 +5,7 @@
     "local_port":{{ OPNsense.shadowsocks.general.localport }},
     "password":"{{ OPNsense.shadowsocks.general.password }}",
     "timeout":60,
+    "mode":"{{ OPNsense.shadowsocks.general.tcpudpmode }}",
     "method":"{{ OPNsense.shadowsocks.general.cipher }}"
 }
 {% endif %}

From a9bcbe748f1a56a2d4020194a5779bfb6cb2f80f Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 13 May 2024 09:07:26 +0200
Subject: [PATCH 1890/3088] Update pkg-descr - Updated with recent changes.
 (#3974)

---
 www/caddy/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 6c742f4f5b..924946fb5b 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -32,6 +32,11 @@ Plugin Changelog
 * Add: In Reverse Proxy, a new dropdown can select one or multiple domains, filtering the Bootgrids of Domains, Subdomains and Handlers for the selected Domain.
 * Add: Global Log Level can be set in Log Settings.
 * Fix: "Apply" will always read all certificates from the filesystem, even if the Caddy configuration has remained unchanged. "reload" has been changed to "reloadssl".
+* Change: ACME Email should be filled out since it's a requirement for ZeroSSL.
+* Fix: "Save" and "Apply" buttons in General Settings have been improved to reliably trigger validation of form.
+* Cleanup: Javascript variables have been changed from var to let to reduce scope.
+* Fix: Template has been fixed to allow any TLS option in Handlers to appear independant when filled out. This increases flexibility with the "tls_server_name" option.
+* Add: Diagnostics view added where the current Caddyfile and JSON configuration can be displayed, validated and downloaded.
 
 1.5.4
 

From 08aae0dfbd0e7f57a6c37268c2dd8d07f05bd8af Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 14 May 2024 10:14:58 +0200
Subject: [PATCH 1891/3088] www/caddy: HTTP-01 challenge redirection subdomain
 fix (#3977)

---
 .../OPNsense/Caddy/forms/dialogReverseProxy.xml    |  3 +--
 .../OPNsense/Caddy/forms/dialogSubdomain.xml       | 11 +++++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml        |  4 ++++
 .../app/views/OPNsense/Caddy/reverse_proxy.volt    |  3 ++-
 .../service/templates/OPNsense/Caddy/Caddyfile     | 14 ++++++++++++++
 5 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index a849f3593b..f84c18c97c 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -53,8 +53,7 @@ ll be automatically updated with your DNS Provider.]]></help>
         <id>reverse.AcmePassthrough</id>
         <label>HTTP-01 challenge redirection</label>
         <type>text</type>
-        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables a server behind Caddy to serve "/.well-known/acme-challenge/". Caddy will issue a certificate for the same domain using the TLS-ALPN-01 challenge or DNS-01 challenge instead.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables a server behind Caddy to serve "/.well-known/acme-challenge/". Caddy will issue a certificate for the same domain using the TLS-ALPN-01 challenge or DNS-01 challenge instead. Setting this option on a wildcard domain will pass the challenge of all subdomains to a single server behind Caddy. For finer control, use this option in subdomains instead of their wildcard domain.]]></help>
     </field>
     <field>
         <id>reverse.CustomCertificate</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 4aeace28a4..9a790162ae 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -43,6 +43,17 @@
         <type>checkbox</type>
         <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this subdomain will be automatically updated with your DNS Provider.]]></help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Trust</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>subdomain.AcmePassthrough</id>
+        <label>HTTP-01 challenge redirection</label>
+        <type>text</type>
+        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables a server behind Caddy to serve "/.well-known/acme-challenge/".]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Access</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index d482aa4bae..4177a5dc5b 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -219,6 +219,10 @@
                     <Required>Y</Required>
                 </description>
                 <DynDns type="BooleanField"/>
+                <AcmePassthrough type="HostnameField">
+                    <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
+                    <IpAllowed>Y</IpAllowed>
+                </AcmePassthrough>
             </subdomain>
             <handle type="ArrayField">
                 <enabled type="BooleanField">
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 7cfd98bc85..ec5e4b7dc8 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -257,7 +257,7 @@
                             <th data-column-id="FromPort" data-type="string">Port</th>
                             <th data-column-id="accesslist" data-type="string" data-visible="false">Access List</th>
                             <th data-column-id="basicauth" data-type="string" data-visible="false">Basic Auth</th>
-                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">DNS-01</th>
+                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">DNS-01 challenge</th>
                             <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">Dynamic DNS</th>
                             <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">HTTP Access Log</th>
                             <th data-column-id="CustomCertificate" data-type="string" data-visible="false">Custom Certificate</th>
@@ -295,6 +295,7 @@
                             <th data-column-id="accesslist" data-type="string" data-visible="false">Access List</th>
                             <th data-column-id="basicauth" data-type="string" data-visible="false">Basic Auth</th>
                             <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">Dynamic DNS</th>
+                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">HTTP-01 redirection</th>
                             <th data-column-id="description" data-type="string">Description</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
                         </tr>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 7aa75d1dc8..7c9f7ed9de 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -308,6 +308,20 @@
         }
     {% endif %}
 {% endfor %}
+{# Process redirection for subdomains afterwards, since a redirection of a wildcard domain has to match before them. #}
+{% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
+    {% if subdomain.enabled|default("0") == "1" and subdomain.AcmePassthrough %}
+        # HTTP-01 challenge redirection for subdomain: "{{ subdomain['@uuid'] }}"
+        http://{{ subdomain.FromDomain|default("") }} {
+            handle /.well-known/acme-challenge/* {
+                reverse_proxy {{ subdomain.AcmePassthrough }}
+            }
+            handle {
+                redir https://{host}{uri} 308
+            }
+        }
+    {% endif %}
+{% endfor %}
 
 {#
 #   Macro: tls_configuration

From 0bdf28fcdd3c4ba0756b37a3c6cde67443163ed2 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 14 May 2024 16:05:15 +0200
Subject: [PATCH 1892/3088] www/caddy: Added lang() function for all user
 exposed text for translation (#3978)

---
 .../mvc/app/views/OPNsense/Caddy/general.volt |  22 +--
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 156 +++++++++---------
 2 files changed, 89 insertions(+), 89 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index 7e704763da..3ee96f8623 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -72,12 +72,12 @@
                                     if (data && data['status'].toLowerCase() === 'ok') {
                                         dfObj.resolve(); // Configuration is valid
                                     } else {
-                                        showAlert(data['message'], "Validation Error");
+                                        showAlert(data['message'], "{{ lang._('Validation Error') }}");
                                         dfObj.reject(); // Configuration is invalid
                                     }
                                 },
                                 error: function(xhr, status, error) {
-                                    showAlert("Validation request failed: " + error, "Validation Error");
+                                    showAlert("{{ lang._('Validation request failed: ') }}" + error, "{{ lang._('Validation Error') }}");
                                     dfObj.reject(); // AJAX request failed
                                 }
                             });
@@ -85,7 +85,7 @@
                         false, // disable_dialog: Show the dialog with the validation error
                         function(errorData) {  // callback_fail: What to do when save fails
                             // Handle failure due to validation errors or other issues
-                            showAlert("Configuration save failed: " + (errorData.message || "Validation Error"), "Error");
+                            showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
                             dfObj.reject(); // Reject the deferred object to stop the reconfigure action
                         }
                     );
@@ -95,11 +95,11 @@
                 onAction: function(data, status) {
                     if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
                         // Configuration is valid and applied, possibly refresh UI or notify user
-                        showAlert("Configuration applied successfully.", "Apply Success");
+                        showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
                         updateServiceControlUI('caddy');
                     } else {
                         // Handle errors or unsuccessful application
-                        showAlert("An error occurred while applying the configuration.", "Error");
+                        showAlert("{{ lang._('An error occurred while applying the configuration.') }}", "{{ lang._('Error') }}");
                     }
                 }
             });
@@ -111,12 +111,12 @@
                     // Save the form before continuing
                     saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings',
                         function() {  // callback_ok: What to do when save is successful
-                            showAlert("Configuration saved successfully. Please don't forget to apply the configuration.", "Save Successful");
+                            showAlert("{{ lang._('Configuration saved successfully. Please do not forget to apply the configuration.') }}", "{{ lang._('Save Success') }}");
                             dfObj.resolve();
                         }, 
                         false, // disable_dialog: Show the dialog with the validation error
                         function(errorData) {  // callback_fail: What to do when save fails
-                            showAlert("Configuration save failed: " + (errorData.message || "Validation Error"), "Error");
+                            showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
                             dfObj.reject();
                         }
                     );
@@ -134,10 +134,10 @@
 
 <!-- Tab Navigation -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#generalTab">General</a></li>
-    <li><a data-toggle="tab" href="#dnsProviderTab">DNS Provider</a></li>
-    <li><a data-toggle="tab" href="#dynamicDnsTab">Dynamic DNS</a></li>
-    <li><a data-toggle="tab" href="#logSettingsTab">Log Settings</a></li>
+    <li class="active"><a data-toggle="tab" href="#generalTab">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#dnsProviderTab">{{ lang._('DNS Provider') }}</a></li>
+    <li><a data-toggle="tab" href="#dynamicDnsTab">{{ lang._('Dynamic DNS') }}</a></li>
+    <li><a data-toggle="tab" href="#logSettingsTab">{{ lang._('Log Settings') }}</a></li>
 </ul>
 
 <!-- Tab Content -->
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index ec5e4b7dc8..0afbf51bb1 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -136,13 +136,13 @@
                             dfObj.resolve();
                         } else {
                             // If configuration is invalid, show alert and reject the Deferred object
-                            showAlert(data['message'], "Validation Failed");
+                            showAlert(data['message'], "{{ lang._('Validation Failed') }}");
                             dfObj.reject();
                         }
                     },
                     error: function(xhr, status, error) {
                         // On AJAX error, show alert and reject the Deferred object
-                        showAlert("Validation request failed: " + error, "Error");
+                        showAlert("{{ lang._('Validation request failed: ') }}" + error, "{{ lang._('Error') }}");
                         dfObj.reject();
                     }
                 });
@@ -153,10 +153,10 @@
                 // Check if the action was successful
                 if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
                     // Update only the service control UI for 'caddy'
-                    showAlert("Configuration applied successfully.", "Apply Success");
+                    showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
                     updateServiceControlUI('caddy');
                 } else {
-                    console.error("Action was not successful or an error occurred:", data);
+                    console.error("{{ lang._('Action was not successful or an error occurred:') }}", data);
                 }
             }
         });
@@ -181,7 +181,7 @@
                     select.selectpicker('refresh'); // Refresh selectpicker to update the UI
                 },
                 error: function() {
-                    $('#reverseFilter').html('<option value="">Failed to load data</option>').selectpicker('refresh');
+                    $('#reverseFilter').html('<option value="">{{ lang._('Failed to load data') }}</option>').selectpicker('refresh');
                 }
             });
         }
@@ -227,17 +227,17 @@
 </style>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#domainsTab">Domains</a></li>
-    <li><a data-toggle="tab" href="#handlesTab">Handlers</a></li>
-    <li><a data-toggle="tab" href="#accessTab">Access</a></li>
-    <li><a data-toggle="tab" href="#headerTab">Headers</a></li>
+    <li class="active"><a data-toggle="tab" href="#domainsTab">{{ lang._('Domains') }}</a></li>
+    <li><a data-toggle="tab" href="#handlesTab">{{ lang._('Handlers') }}</a></li>
+    <li><a data-toggle="tab" href="#accessTab">{{ lang._('Access') }}</a></li>
+    <li><a data-toggle="tab" href="#headerTab">{{ lang._('Headers') }}</a></li>
 </ul>
 
 <div class="tab-content content-box">
 
     <!-- Selectpicker for filter by domain -->
     <div class="form-group common-filter">
-        <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="348px" data-size="7" title="Filter by Domain">
+        <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="348px" data-size="7" title="{{ lang._('Filter by Domain') }}">
             <!-- Options will be populated dynamically using JavaScript/Ajax -->
         </select>
     </div>
@@ -246,24 +246,24 @@
     <div id="domainsTab" class="tab-pane fade in active">
         <div style="padding-left: 16px;">
             <!-- Reverse Proxy -->
-            <h1>Domains</h1>
+            <h1>{{ lang._('Domains') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseProxyGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogReverseProxy" data-editAlert="ConfigurationChangeMessage">
                     <thead>
                         <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">Enabled</th>
-                            <th data-column-id="FromDomain" data-type="string">Domain</th>
-                            <th data-column-id="FromPort" data-type="string">Port</th>
-                            <th data-column-id="accesslist" data-type="string" data-visible="false">Access List</th>
-                            <th data-column-id="basicauth" data-type="string" data-visible="false">Basic Auth</th>
-                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">DNS-01 challenge</th>
-                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">Dynamic DNS</th>
-                            <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">HTTP Access Log</th>
-                            <th data-column-id="CustomCertificate" data-type="string" data-visible="false">Custom Certificate</th>
-                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">HTTP-01 redirection</th>
-                            <th data-column-id="description" data-type="string">Description</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
+                            <th data-column-id="FromPort" data-type="string">{{ lang._('Port') }}</th>
+                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
+                            <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
+                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('DNS-01 challenge') }}</th>
+                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
+                            <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('HTTP Access Log') }}</th>
+                            <th data-column-id="CustomCertificate" data-type="string" data-visible="false">{{ lang._('Custom Certificate') }}</th>
+                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 redirection') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
                     </thead>
                     <tbody>
@@ -282,22 +282,22 @@
         </div>
         <div style="padding-left: 16px;">
             <!-- Subdomains -->
-            <h1>Subdomains</h1>
+            <h1>{{ lang._('Subdomains') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseSubdomainGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogSubdomain" data-editAlert="ConfigurationChangeMessage">
                     <thead>
                         <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">Enabled</th>
-                            <th data-column-id="reverse" data-type="string">Domain</th>
-                            <th data-column-id="FromDomain" data-type="string">Subdomain</th>
-                            <th data-column-id="FromPort" data-type="string">Port</th>
-                            <th data-column-id="accesslist" data-type="string" data-visible="false">Access List</th>
-                            <th data-column-id="basicauth" data-type="string" data-visible="false">Basic Auth</th>
-                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">Dynamic DNS</th>
-                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">HTTP-01 redirection</th>
-                            <th data-column-id="description" data-type="string">Description</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                            <th data-column-id="reverse" data-type="string">{{ lang._('Domain') }}</th>
+                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Subdomain') }}</th>
+                            <th data-column-id="FromPort" data-type="string">{{ lang._('Port') }}</th>
+                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
+                            <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
+                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
+                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 redirection') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
                     </thead>
                     <tbody>
@@ -319,29 +319,29 @@
     <!-- Handle Tab -->
     <div id="handlesTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1>Handlers</h1>
+            <h1>{{ lang._('Handlers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHandleGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHandle" data-editAlert="ConfigurationChangeMessage">
                     <thead>
                         <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">Enabled</th>
-                            <th data-column-id="reverse" data-type="string">Domain</th>
-                            <th data-column-id="subdomain" data-type="string">Subdomain</th>
-                            <th data-column-id="HandleType" data-type="string" data-visible="false">Handle Type</th>
-                            <th data-column-id="HandlePath" data-type="string" data-visible="false">Handle Path</th>
-                            <th data-column-id="header" data-type="string" data-visible="false">Header</th>
-                            <th data-column-id="ToDomain" data-type="string">Upstream Domain</th>
-                            <th data-column-id="ToPort" data-type="string">Upstream Port</th>
-                            <th data-column-id="ToPath" data-type="string" data-visible="false">Upstream Path</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">Fail Duration</th>
-                            <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">TLS</th>
-                            <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">TLS CA</th>
-                            <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">TLS Server Name</th>
-                            <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">NTLM</th>
-                            <th data-column-id="HttpTlsInsecureSkipVerify" data-type="boolean" data-formatter="boolean" data-visible="false">TLS Insecure Skip Verify</th>
-                            <th data-column-id="description" data-type="string">Description</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                            <th data-column-id="reverse" data-type="string">{{ lang._('Domain') }}</th>
+                            <th data-column-id="subdomain" data-type="string">{{ lang._('Subdomain') }}</th>
+                            <th data-column-id="HandleType" data-type="string" data-visible="false">{{ lang._('Handle Type') }}</th>
+                            <th data-column-id="HandlePath" data-type="string" data-visible="false">{{ lang._('Handle Path') }}</th>
+                            <th data-column-id="header" data-type="string" data-visible="false">{{ lang._('Header') }}</th>
+                            <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
+                            <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
+                            <th data-column-id="ToPath" data-type="string" data-visible="false">{{ lang._('Upstream Path') }}</th>
+                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
+                            <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS') }}</th>
+                            <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS CA') }}</th>
+                            <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">{{ lang._('TLS Server Name') }}</th>
+                            <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('NTLM') }}</th>
+                            <th data-column-id="HttpTlsInsecureSkipVerify" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS Insecure Skip Verify') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
                     </thead>
                     <tbody>
@@ -364,19 +364,19 @@
     <div id="accessTab" class="tab-pane fade">
         <!-- Access Lists Section -->
         <div style="padding-left: 16px;">
-            <h1>Access Lists</h1>
+            <h1>{{ lang._('Access Lists') }}</h1>
             <div style="display: block;">
                 <table id="accessListGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogAccessList" data-editAlert="ConfigurationChangeMessage">
                     <thead>
                         <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
-                            <th data-column-id="accesslistName" data-type="string">Name</th>
-                            <th data-column-id="clientIps" data-type="string">Client IPs</th>
-                            <th data-column-id="accesslistInvert" data-type="boolean" data-formatter="boolean">Invert</th>
-                            <th data-column-id="HttpResponseCode" data-type="string" data-visible="false">HTTP Code</th>
-                            <th data-column-id="HttpResponseMessage" data-type="string" data-visible="false">HTTP Message</th>
-                            <th data-column-id="description" data-type="string">Description</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="accesslistName" data-type="string">{{ lang._('Name') }}</th>
+                            <th data-column-id="clientIps" data-type="string">{{ lang._('Client IPs') }}</th>
+                            <th data-column-id="accesslistInvert" data-type="boolean" data-formatter="boolean">{{ lang._('Invert') }}</th>
+                            <th data-column-id="HttpResponseCode" data-type="string" data-visible="false">{{ lang._('HTTP Code') }}</th>
+                            <th data-column-id="HttpResponseMessage" data-type="string" data-visible="false">{{ lang._('HTTP Message') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
                     </thead>
                     <tbody>
@@ -396,15 +396,15 @@
 
         <!-- Basic Auth Section -->
         <div style="padding-left: 16px;">
-            <h1>Basic Auth</h1>
+            <h1>{{ lang._('Basic Auth') }}</h1>
             <div style="display: block;">
                 <table id="basicAuthGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogBasicAuth" data-editAlert="ConfigurationChangeMessage">
                     <thead>
                         <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
-                            <th data-column-id="basicauthuser" data-type="string">User</th>
-                            <th data-column-id="description" data-type="string">Description</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="basicauthuser" data-type="string">{{ lang._('User') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
                     </thead>
                     <tbody>
@@ -426,18 +426,18 @@
     <!-- Header Tab -->
     <div id="headerTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1>Headers</h1>
+            <h1>{{ lang._('Headers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
                     <thead>
                         <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">ID</th>
-                            <th data-column-id="HeaderUpDown" data-type="string">Header</th>
-                            <th data-column-id="HeaderType" data-type="string">Header Type</th>
-                            <th data-column-id="HeaderValue" data-type="string" data-visible="false">Header Value</th>
-                            <th data-column-id="HeaderReplace" data-type="string" data-visible="false">Header Replace</th>
-                            <th data-column-id="description" data-type="string">Description</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="HeaderUpDown" data-type="string">{{ lang._('Header') }}</th>
+                            <th data-column-id="HeaderType" data-type="string">{{ lang._('Header Type') }}</th>
+                            <th data-column-id="HeaderValue" data-type="string" data-visible="false">{{ lang._('Header Value') }}</th>
+                            <th data-column-id="HeaderReplace" data-type="string" data-visible="false">{{ lang._('Header Replace') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
                     </thead>
                     <tbody>
@@ -473,7 +473,7 @@
             <div id="messageArea" class="alert alert-info" style="display: none;"></div>
             <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
             <div id="ConfigurationChangeMessage" class="alert alert-info" style="display: none;">
-            Please don't forget to apply the configuration.
+            {{ lang._('Please do not forget to apply the configuration.') }}
             </div>
         </div>
     </div>

From e34172395c6ce60a8d8163bdd2e88a066b36ef77 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 14 May 2024 16:07:39 +0200
Subject: [PATCH 1893/3088] www/caddy: Diagnostics View (#3967)

---
 .../Caddy/Api/DiagnosticsController.php       |  92 +++++++++
 .../OPNsense/Caddy/DiagnosticsController.php  |  41 ++++
 .../mvc/app/models/OPNsense/Caddy/ACL/ACL.xml |   8 +
 .../app/models/OPNsense/Caddy/Menu/Menu.xml   |   3 +-
 .../app/views/OPNsense/Caddy/diagnostics.volt | 194 ++++++++++++++++++
 .../OPNsense/Caddy/caddy_diagnostics.py       |  86 ++++++++
 .../service/conf/actions.d/actions_caddy.conf |  12 ++
 7 files changed, 435 insertions(+), 1 deletion(-)
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/DiagnosticsController.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
 create mode 100755 www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
new file mode 100644
index 0000000000..d0d711f601
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
@@ -0,0 +1,92 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+
+class DiagnosticsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'caddy';
+    protected static $internalModelClass = 'OPNsense\Caddy\Caddy';
+
+    /**
+     * Fetch and display the contents of the Caddy configuration as JSON.
+     * Any errors are handled by caddy_diagnostics script and passed to this controller as JSON.
+     */
+    public function configAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun('caddy config');
+
+        // Decode JSON to PHP array
+        $responseArray = json_decode($response, true);
+
+        // Since errors are handled by the caddy_diagnostics script and returned as json, check for an error key in the response
+        if (isset($responseArray['error'])) {
+            return ["status" => "failed", "message" => $responseArray['message']];
+        }
+
+        // Prepare the response array
+        $response = ['status' => 'success', 'content' => $responseArray];
+        // Set the content type
+        $this->response->setContentType('application/json', 'UTF-8');
+        // Encode and set the content
+        $this->response->setContent(json_encode($response, JSON_PRETTY_PRINT));
+
+        return $this->response;
+    }
+
+    /**
+     * Fetch and display the contents of the Caddyfile as JSON.
+     */
+    public function caddyfileAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun('caddy caddyfile');
+
+        // Decode JSON to PHP array
+        $responseArray = json_decode($response, true);
+
+        if (isset($responseArray['error'])) {
+            // Handle the error
+            return ["status" => "failed", "message" => $responseArray['message']];
+        }
+
+        // Assuming the response structure is like { "content": "actual Caddyfile content here" }
+        if (!isset($responseArray['content'])) {
+            return ["status" => "failed", "message" => "Caddyfile content not found"];
+        }
+
+        // Return the response as an array which gets automatically encoded to JSON
+        return ["status" => "success", "content" => $responseArray['content']];
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/DiagnosticsController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/DiagnosticsController.php
new file mode 100644
index 0000000000..55e7bbcc6f
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/DiagnosticsController.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy;
+
+use OPNsense\Base\IndexController;
+
+class DiagnosticsController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Caddy/diagnostics');
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
index c98f84a7e0..cea3a9cc5a 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
@@ -15,4 +15,12 @@
             <pattern>api/caddy/reverse_proxy/*</pattern>
         </patterns>
     </page-caddy-reverse-proxy>
+    <page-caddy-diagnostics>
+        <name>Services: Caddy Web Server: Diagnostics</name>
+        <description>Allow access to Caddy Diagnostics</description>
+        <patterns>
+            <pattern>ui/caddy/diagnostics/*</pattern>
+            <pattern>api/caddy/diagnostics/*</pattern>
+        </patterns>
+    </page-caddy-diagnostics>
 </acl>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
index 60886d550e..70d146ffed 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
@@ -3,7 +3,8 @@
         <Caddy VisibleName="Caddy Web Server" cssClass="fa fa-globe fa-fw">
             <General VisibleName="General Settings" order="10" url="/ui/caddy/general"/>
             <ReverseProxy VisibleName="Reverse Proxy" order="20" url="/ui/caddy/reverse_proxy"/>
-            <Log VisibleName="Log File" order="30" url="/ui/diagnostics/log/core/caddy"/>
+            <Diagnostics VisibleName="Diagnostics" order="30" url="/ui/caddy/diagnostics"/>
+            <Log VisibleName="Log File" order="40" url="/ui/diagnostics/log/core/caddy"/>
         </Caddy>
     </Services>
 </menu>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
new file mode 100644
index 0000000000..b42a377411
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
@@ -0,0 +1,194 @@
+{#
+ # Copyright (c) 2024 Cedrik Pischem
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script type="text/javascript">
+    $(document).ready(function() {
+
+        /**
+         * Fetches data from the specified URL and displays it within a given element on the page.
+         * The response is expected to be JSON and will be formatted for display.
+         *
+         * @param {string} url - The URL from which to fetch data.
+         * @param {string} displaySelector - jQuery selector for the element where data should be displayed.
+         */
+        function fetchAndDisplay(url, displaySelector) {
+            $.ajax({
+                url: url,
+                type: "GET",
+                success: function(response) {
+                    if (response.status === "success") {
+                        let formattedContent;
+                        if (typeof response.content === 'object') {
+                            // If the content is an object, stringify and format it
+                            formattedContent = JSON.stringify(response.content, null, 2);
+                        } else {
+                            // If the content is plain text (as with the Caddyfile), just use it directly
+                            formattedContent = response.content;
+                        }
+                        $(displaySelector).text(formattedContent);
+                    } else {
+                        // If the response status is not 'success', display an error message
+                        $(displaySelector).text("{{ lang._('Failed to load content: ') }}" + response.message || "{{ lang._('Unknown error') }}");
+                    }
+                },
+                error: function(xhr, status, error) {
+                    // Handle errors from the AJAX request itself
+                    $(displaySelector).text("{{ lang._('AJAX error accessing the API: ') }}" + error);
+                }
+            });
+        }
+
+        /**
+         * Initiates a file download directly from the browser using JavaScript. The function dynamically creates
+         * an anchor (<a>) element, sets its attributes for downloading and simulates a click to start the download.
+         *
+         * @param {string} payload - The content to be downloaded, which could be any data string (e.g., JSON text, plain text).
+         * @param {string} filename - The name of the file that will be suggested to the user when downloading.
+         * @param {string} file_type - The MIME type of the file, which helps the browser to handle the file appropriately.
+         */
+        function downloadContent(payload, filename, file_type) {
+            // Create an anchor tag (<a>) dynamically using jQuery
+            let a_tag = $('<a></a>')
+                .attr('href', 'data:' + file_type + ';charset=utf-8,' + encodeURIComponent(payload))  // Set the href attribute to a data URL containing the payload
+                .attr('download', filename)  // Set the download attribute to suggest a filename
+                .appendTo('body');  // Append the anchor tag to the body of the document to make it part of the DOM
+
+            a_tag[0].click();  // Programmatically click the anchor tag to trigger the download
+            a_tag.remove();  // Remove the anchor tag
+        }
+
+        /**
+         * Shows a BootstrapDialog alert with custom settings.
+         * 
+         * @param {string} type - Type of the dialog based on BootstrapDialog types.
+         * @param {string} title - Title of the dialog.
+         * @param {string} message - Message to be displayed in the dialog.
+         */
+        function showDialogAlert(type, title, message) {
+            BootstrapDialog.show({
+                type: type,
+                title: title,
+                message: message,
+                buttons: [{
+                    label: '{{ lang._('Close') }}',
+                    action: function(dialogRef) {
+                        dialogRef.close();
+                    }
+                }]
+            });
+        }
+
+        // Fetch and display Caddyfile and JSON configuration
+        fetchAndDisplay('/api/caddy/diagnostics/caddyfile', '#caddyfileDisplay');
+        fetchAndDisplay('/api/caddy/diagnostics/config', '#jsonDisplay');
+
+        // Event handler to initiate JSON configuration download
+        $("#downloadJSONConfig").click(function() {
+            let content = $("#jsonDisplay").text();
+            let timestamp = new Date().toISOString().replace(/[-:]/g, '').replace('T', '-').split('.')[0];
+            let filename = "caddy_config_" + timestamp + ".json";
+            downloadContent(content, filename, "application/json");
+        });
+
+        // Event handler to initiate Caddyfile download
+        $("#downloadCaddyfile").click(function() {
+            let content = $("#caddyfileDisplay").text();
+            let timestamp = new Date().toISOString().replace(/[-:]/g, '').replace('T', '-').split('.')[0];
+            let filename = "Caddyfile_" + timestamp;
+            downloadContent(content, filename, "text/plain");
+        });
+
+        // Event handler for the Validate Caddyfile button
+        $('#validateCaddyfile').click(function() {
+            $.ajax({
+                url: '/api/caddy/service/validate',
+                type: 'GET',
+                dataType: 'json',
+                success: function(data) {
+                    if (data && data['status'].toLowerCase() === 'ok') {
+                        showDialogAlert(BootstrapDialog.TYPE_SUCCESS, "{{ lang._('Validation Successful') }}", data['message']);
+                    } else {
+                        showDialogAlert(BootstrapDialog.TYPE_WARNING, "{{ lang._('Validation Error') }}", data['message']);  // Show error message from the API
+                    }
+                },
+                error: function(xhr, status, error) {
+                    showDialogAlert(BootstrapDialog.TYPE_DANGER, "{{ lang._('Validation Request Failed') }}", error);  // Show AJAX error
+                }
+            });
+        });
+
+    });
+</script>
+
+<style>
+    .custom-style .content-box {
+        padding: 20px; /* Adds padding around the contents of each tab */
+    }
+
+    .custom-style .display-area {
+        overflow-y: scroll;
+        /* Dynamic height management using clamp for varying screen sizes */
+        height: clamp(50px, 50vh, 4000px); 
+        margin-bottom: 20px; /* Adds bottom margin to separate from the help text */
+    }
+
+    .custom-style .help-text {
+        margin-top: 10px;
+        margin-bottom: 20px;
+        line-height: 1.4;
+        /* Adjusting text size for readability on various displays */
+        font-size: clamp(12px, 1.5vw, 16px);
+    }
+</style>
+
+<!-- Tab Navigation -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="configTabs">
+    <li class="active"><a data-toggle="tab" href="#caddyfileTab">{{ lang._('Caddyfile') }}</a></li>
+    <li><a data-toggle="tab" href="#jsonConfigTab">{{ lang._('JSON Configuration') }}</a></li>
+</ul>
+
+<!-- Tab Content -->
+<div class="tab-content content-box custom-style">
+    <!-- Caddyfile Tab -->
+    <div id="caddyfileTab" class="tab-pane fade in active">
+        <div class="content-box">
+            <pre id="caddyfileDisplay" class="display-area"></pre>
+            <p class="help-text">{{ lang._("This is the generated configuration located at %sCaddyfile%s. It's the main configuration file to get support with. The validation button triggers a manual check for any configuration errors, which is the same check that is triggered by the Apply buttons automatically.") | format('<code>/usr/local/etc/caddy/', '</code>') }}</p>
+            <button class="btn btn-primary download-btn" id="downloadCaddyfile" type="button">{{ lang._('Download') }}</button>
+            <button class="btn btn-secondary" id="validateCaddyfile" type="button">{{ lang._('Validate Caddyfile') }}</button>
+            <br/><br/>
+        </div>
+    </div>
+    <!-- JSON Configuration Tab -->
+    <div id="jsonConfigTab" class="tab-pane fade">
+        <div class="content-box">
+            <pre id="jsonDisplay" class="display-area"></pre>
+            <p class="help-text">{{ lang._("Shows the running Caddy configuration located in %sautosave.json%s. It is automatically adapted from the Caddyfile and also includes any custom imported configurations from %scaddy.d%s.") | format('<code>/var/db/caddy/config/caddy/', '</code>', '<code>/usr/local/etc/caddy/', '</code>') }}</p>
+            <button class="btn btn-primary download-btn" id="downloadJSONConfig" type="button">{{ lang._('Download') }}</button>
+            <br/><br/>
+        </div>
+    </div>
+</div>
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
new file mode 100755
index 0000000000..ec1e2d13f1
--- /dev/null
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
@@ -0,0 +1,86 @@
+#!/usr/local/bin/python3
+
+#
+# Copyright (c) 2024 Cedrik Pischem
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+#    this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+import sys
+import json
+
+# Function to show the Caddy configuration from a JSON file
+def show_caddy_config():
+    config_path = "/var/db/caddy/config/caddy/autosave.json"
+
+    try:
+        # Open and read the JSON configuration file directly into a Python dictionary
+        with open(config_path, "r") as file:
+            config_data = json.load(file)  # Load the JSON directly
+
+        # Print the JSON to stdout using json.dumps to ensure it's a JSON string and nicely formatted
+        print(json.dumps(config_data))  # Output the JSON directly
+        # Output error details in JSON format so that the API can consume them
+    except FileNotFoundError:
+        print(json.dumps({"error": "File not found", "message": "Caddy autosave.json configuration file not found"}))
+    except json.JSONDecodeError:
+        print(json.dumps({"error": "Invalid JSON", "message": "Error decoding the Caddy autosave.json, the file is not valid JSON"}))
+    except Exception as e:
+        print(json.dumps({"error": "General Error", "message": str(e)}))
+
+def show_caddyfile():
+    caddyfile_path = "/usr/local/etc/caddy/Caddyfile"
+
+    try:
+        with open(caddyfile_path, "r") as file:
+            caddyfile_data = file.read()
+        # Output the Caddyfile data directly as a JSON object with a generic key like "content"
+        print(json.dumps({"content": caddyfile_data}))
+    except FileNotFoundError:
+        print(json.dumps({"error": "Caddyfile not found", "message": "Caddyfile not found"}))
+    except Exception as e:
+        print(json.dumps({"error": "General Error", "message": str(e)}))
+
+# Action handler
+def perform_action(action):
+    actions = {
+        "config": show_caddy_config,
+        "caddyfile": show_caddyfile
+        # Additional actions can be added here in the same format.
+    }
+
+    action_func = actions.get(action)
+    if action_func:
+        action_func()
+    else:
+        # Output error details in JSON format if action is unknown
+        print(json.dumps({"error": "Unknown Action", "message": f"Unknown action: {action}"}))
+
+if __name__ == "__main__":
+    if len(sys.argv) > 1:
+        action = sys.argv[1]
+        perform_action(action)
+    else:
+        # Output error details in JSON format if no action is specified
+        print(json.dumps({"error": "No Action Specified", "message": "No action specified"}))
+
diff --git a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
index cd5f1b2f66..0d768ce42b 100644
--- a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
+++ b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
@@ -35,3 +35,15 @@ command:/usr/local/sbin/pluginctl -s caddy status
 parameters:
 type:script_output
 message:Request Caddy status
+
+[config]
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py config
+parameters:
+type:script_output
+message:Request Caddy JSON configuration
+
+[caddyfile]
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py caddyfile
+parameters:
+type:script_output
+message:Request Caddyfile

From ad07e33f08471913d72b0ea99b37de2993fdfc7e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 7 May 2024 15:14:52 +0200
Subject: [PATCH 1894/3088] www/squid: already bumped on stable

---
 www/squid/Makefile                                             | 2 +-
 .../src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d    | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index cfc272dd5c..debbe26ca1 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
index 21c5d79b49..7ed8a7063a 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/rc.conf.d
@@ -1,8 +1,7 @@
 {% if helpers.exists('OPNsense.proxy.general.enabled') and OPNsense.proxy.general.enabled|default("0") == "1" %}
+squid_env="OPENSSL_CONF=/usr/local/etc/squid/openssl.cnf"
 squid_setup="/usr/local/opnsense/scripts/proxy/setup.sh"
 squid_enable="YES"
 {% else %}
 squid_enable="NO"
 {% endif %}
-
-squid_env="OPENSSL_CONF=/usr/local/etc/squid/openssl.cnf"

From c3aef48fbd38be2a79c6700c7214faafd8a4fd3a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 15 May 2024 08:13:45 +0200
Subject: [PATCH 1895/3088] www/caddy: style sweep

---
 .../opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt    | 4 ++--
 .../src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt    | 4 ++--
 .../src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py  | 1 -
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
index b42a377411..40ac5e0fd9 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
@@ -82,7 +82,7 @@
 
         /**
          * Shows a BootstrapDialog alert with custom settings.
-         * 
+         *
          * @param {string} type - Type of the dialog based on BootstrapDialog types.
          * @param {string} title - Title of the dialog.
          * @param {string} message - Message to be displayed in the dialog.
@@ -151,7 +151,7 @@
     .custom-style .display-area {
         overflow-y: scroll;
         /* Dynamic height management using clamp for varying screen sizes */
-        height: clamp(50px, 50vh, 4000px); 
+        height: clamp(50px, 50vh, 4000px);
         margin-bottom: 20px; /* Adds bottom margin to separate from the help text */
     }
 
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index 3ee96f8623..272973e4f1 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -81,7 +81,7 @@
                                     dfObj.reject(); // AJAX request failed
                                 }
                             });
-                        }, 
+                        },
                         false, // disable_dialog: Show the dialog with the validation error
                         function(errorData) {  // callback_fail: What to do when save fails
                             // Handle failure due to validation errors or other issues
@@ -113,7 +113,7 @@
                         function() {  // callback_ok: What to do when save is successful
                             showAlert("{{ lang._('Configuration saved successfully. Please do not forget to apply the configuration.') }}", "{{ lang._('Save Success') }}");
                             dfObj.resolve();
-                        }, 
+                        },
                         false, // disable_dialog: Show the dialog with the validation error
                         function(errorData) {  // callback_fail: What to do when save fails
                             showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
index ec1e2d13f1..243a0555d8 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
@@ -83,4 +83,3 @@ def perform_action(action):
     else:
         # Output error details in JSON format if no action is specified
         print(json.dumps({"error": "No Action Specified", "message": "No action specified"}))
-

From 3c8e3121615f1e0c3c3aa3b9bee6b1eed5ba6a50 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 16 May 2024 08:42:43 +0200
Subject: [PATCH 1896/3088] www/caddy: Implement gettext() function for
 localization in php controllers and model (#3980)

---
 .../OPNsense/Caddy/Api/DiagnosticsController.php   |  7 +------
 .../OPNsense/Caddy/Api/ServiceController.php       |  2 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.php        | 14 +++++++-------
 3 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
index d0d711f601..e2f6f5b220 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
@@ -76,16 +76,11 @@ public function caddyfileAction()
         // Decode JSON to PHP array
         $responseArray = json_decode($response, true);
 
+        // Since errors are handled by the caddy_diagnostics script and returned as json, check for an error key in the response
         if (isset($responseArray['error'])) {
-            // Handle the error
             return ["status" => "failed", "message" => $responseArray['message']];
         }
 
-        // Assuming the response structure is like { "content": "actual Caddyfile content here" }
-        if (!isset($responseArray['content'])) {
-            return ["status" => "failed", "message" => "Caddyfile content not found"];
-        }
-
         // Return the response as an array which gets automatically encoded to JSON
         return ["status" => "success", "content" => $responseArray['content']];
     }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
index e522dc52dd..6aaa5a578e 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
@@ -68,6 +68,6 @@ public function validateAction()
         }
 
         // If unable to parse the expected JSON output, return a generic error message
-        return ["status" => "failed", "message" => "Unable to parse the validation result."];
+        return ["status" => "failed", "message" => gettext("Unable to parse the validation result.")];
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 5313912134..dd9da1a6c7 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -37,7 +37,7 @@ class Caddy extends BaseModel
 {
     // 1. Check domain-port combinations
     // 2. Check subdomain-port combinations
-    private function checkForUniquePortCombos($items, $messages, $type = 'domain')
+    private function checkForUniquePortCombos($items, $messages)
     {
         $combos = [];
         foreach ($items as $item) {
@@ -59,9 +59,9 @@ private function checkForUniquePortCombos($items, $messages, $type = 'domain')
                 if (isset($combos[$comboKey])) {
                     // Use dynamic $key for message referencing
                     $messages->appendMessage(new Message(
-                        "Duplicate entry: The combination of $type '$fromDomainOrSubdomain' and port '$port' is already used. Each $type and port pairing must be unique.",
-                        $type === 'domain' ? $key . ".FromDomain" : $key . ".FromDomain", // Adjusted to use dynamic key
-                        "Duplicate" . ucfirst($type) . "Port"
+                        sprintf(gettext("Duplicate entry: The combination of '%s' and port '%s' is already used. Each combination of domain/subdomain and port must be unique."), $fromDomainOrSubdomain, $port),
+                        $key . ".FromDomain", // Adjusted to use dynamic key
+                        "DuplicateDomainPort"
                     ));
                 } else {
                     $combos[$comboKey] = true;
@@ -98,7 +98,7 @@ private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
                 if (!$isValid) {
                     $key = $subdomain->__reference; // Dynamic key based on subdomain reference
                     $messages->appendMessage(new Message(
-                        "Invalid subdomain configuration: '$subdomainName' does not fall under any configured wildcard domain.",
+                        sprintf(gettext("Invalid subdomain configuration: '%s' does not fall under any configured wildcard domain."), $subdomainName),
                         $key . ".FromDomain", // Use dynamic key for message referencing
                         "InvalidSubdomain"
                     ));
@@ -112,9 +112,9 @@ public function performValidation($validateFullModel = false)
     {
         $messages = parent::performValidation($validateFullModel);
         // 1. Check domain-port combinations
-        $this->checkForUniquePortCombos($this->reverseproxy->reverse->iterateItems(), $messages, 'domain');
+        $this->checkForUniquePortCombos($this->reverseproxy->reverse->iterateItems(), $messages);
         // 2. Check subdomain-port combinations
-        $this->checkForUniquePortCombos($this->reverseproxy->subdomain->iterateItems(), $messages, 'subdomain');
+        $this->checkForUniquePortCombos($this->reverseproxy->subdomain->iterateItems(), $messages);
         // 3. Check that subdomains are under a wildcard or exact domain
         $this->checkSubdomainsAgainstDomains($this->reverseproxy->subdomain->iterateItems(), $this->reverseproxy->reverse->iterateItems(), $messages);
 

From 4660d3e5d4d1efd331dea2649b64af1ded34c53c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 16 May 2024 08:43:14 +0200
Subject: [PATCH 1897/3088] www/caddy: Restructure and format helptext (#3979)

---
 .../OPNsense/Caddy/forms/dialogAccessList.xml |  4 +-
 .../OPNsense/Caddy/forms/dialogBasicAuth.xml  |  4 +-
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 40 ++++++++++---------
 .../OPNsense/Caddy/forms/dialogHeader.xml     |  8 ++--
 .../Caddy/forms/dialogReverseProxy.xml        | 29 +++++++-------
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  | 22 +++++-----
 .../OPNsense/Caddy/forms/dnsprovider.xml      |  3 +-
 .../OPNsense/Caddy/forms/dynamicdns.xml       | 10 ++---
 .../OPNsense/Caddy/forms/general.xml          | 10 ++---
 .../OPNsense/Caddy/forms/logsettings.xml      |  8 ++--
 10 files changed, 69 insertions(+), 69 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index 8fff82b7ea..0d51368f6a 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -24,8 +24,7 @@
         <label>HTTP Response Code</label>
         <type>text</type>
         <hint>403</hint>
-        <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list doesn't match. Setting this will replace "Abort Connections", all clients will stay connected but will receive the response code.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list does not match. Setting this will replace "Abort Connections" only for this access list. All clients will stay connected but will receive the response code.]]></help>
     </field>
     <field>
         <id>accesslist.HttpResponseMessage</id>
@@ -33,7 +32,6 @@
         <type>text</type>
         <hint>Forbidden</hint>
         <help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code.]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>accesslist.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
index 18482bb3fe..955479b265 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
@@ -3,13 +3,13 @@
         <id>basicauth.basicauthuser</id>
         <label>User</label>
         <type>text</type>
-        <help><![CDATA[Enter a username. Afterwards, you can select it in Reverse Proxy Domains or Subdomains to restrict access with basic auth.]]></help>
+        <help><![CDATA[Enter a username. Afterwards, select it in a "Domain" or "Subdomain" to restrict access with basic auth.]]></help>
     </field>
     <field>
         <id>basicauth.basicauthpass</id>
         <label>Password</label>
         <type>text</type>
-        <help><![CDATA[Enter a password. It will be hashed with bcrypt. It can only be set and changed but won't be visible anymore.]]></help>
+        <help><![CDATA[Enter a password. It will be hashed with bcrypt. It can only be set and changed but will not be visible anymore.]]></help>
     </field>
     <field>
         <id>basicauth.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 4a6d5ee509..c554d2eb82 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -1,7 +1,7 @@
 <form>
     <field>
         <id>handle.enabled</id>
-        <label>enabled</label>
+        <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this handler.]]></help>
     </field>
@@ -9,26 +9,26 @@
         <id>handle.reverse</id>
         <label>Domain</label>
         <type>dropdown</type>
-        <help><![CDATA[Select a reverse proxy domain to which this handler should be added.]]></help>
+        <help><![CDATA[Select a domain to handle.]]></help>
     </field>
     <field>
         <id>handle.subdomain</id>
         <label>Subdomain</label>
         <type>dropdown</type>
-        <help><![CDATA[Optionally, select a reverse proxy subdomain to which this handler should be added. If not using subdomains, leaving this as "None" will be the best choice.]]></help>
+        <help><![CDATA[Select a subdomain to handle. Make sure to additionaly choose a wildcard domain as "Domain". Leave unset, if not using subdomains.]]></help>
     </field>
     <field>
         <id>handle.HandleType</id>
         <label>Handle Type</label>
         <type>dropdown</type>
-        <help><![CDATA[In most cases, leaving this as "handle" will be the best choice.]]></help>
+        <help><![CDATA[Choose a handling directive. "handle" (default) will keep the URI of "Handle URI" in all requests. "handle_path" will strip the URI of "Handle URI" from all requests.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HandlePath</id>
-        <label>Handle Path</label>
+        <label>Handle URI</label>
         <type>text</type>
-        <help><![CDATA[Enter a handler like '/*' or '/example/*', or leave blank for a catch-all handler (recommended). Any request matching this handler will be reverse proxied to the upstream destination.]]></help>
+        <help><![CDATA[Enter an URI to handle. Choose a pattern like "/*" or "/example/*". Leave empty to catch all URIs (recommended). Any request matching this pattern will be handled.]]></help>
     </field>
     <field>
         <id>handle.description</id>
@@ -47,7 +47,7 @@
         <type>dropdown</type>
         <type>select_multiple</type>
         <size>5</size>
-        <help><![CDATA[Select one or multiple header manipulations. These will be set to this handler. Generally this is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
+        <help><![CDATA[Select one or multiple header manipulations. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -60,28 +60,32 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <hint>192.168.1.1</hint>
-        <help><![CDATA[Enter the internal domain name or IP address of the upstream destination for this handler. If multiple upstream destinations are chosen, they will be load balanced with the default random policy.]]></help>
+        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be set in "Load Balancing"]]></help>
     </field>
     <field>
         <id>handle.ToPort</id>
         <label>Upstream Port</label>
         <type>text</type>
         <hint>80</hint>
-        <help><![CDATA[Enter the port number of the upstream destination. Leave this empty to use port 80.]]></help>
+        <help><![CDATA[Leave empty to use the default port or choose a custom port for the upstream destination.]]></help>
     </field>
     <field>
         <id>handle.ToPath</id>
         <label>Upstream Path</label>
         <type>text</type>
-        <help><![CDATA[Enter a path prefix like '/guacamole' that should be prepended to the upstream request because the application demands it.]]></help>
+        <help><![CDATA[Enter a path prefix like "/guacamole" that should be prepended to the upstream request because the application demands it.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <type>header</type>
+        <label>Load Balancing</label>
+        <collapse>true</collapse>
+    </field>
     <field>
         <id>handle.PassiveHealthFailDuration</id>
         <label>Upstream Fail Duration</label>
         <type>text</type>
-        <help><![CDATA[Enables a passive health check when multiple upstream destinations have been defined for load balancing. "fail_duration" is a duration value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -92,32 +96,30 @@
         <id>handle.HttpTls</id>
         <label>TLS</label>
         <type>checkbox</type>
-        <help><![CDATA[Use HTTP over TLS (HTTPS) to communicate with the upstream destination. In most cases, leaving this unchecked will be the best choice. Caddy uses HTTP for communication with the upstream destination by default.]]></help>
+        <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the upstream destination. Caddy uses HTTP with the upstream destination by default.]]></help>
     </field>
     <field>
         <id>handle.HttpNtlm</id>
         <label>NTLM</label>
         <type>checkbox</type>
-        <help><![CDATA[If "TLS" has been checked, check "NTLM" in addition for reverse proxying an Exchange Server. In most other cases, leaving this unchecked will be the best choice.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server.]]></help>
     </field>
     <field>
         <id>handle.HttpTlsInsecureSkipVerify</id>
         <label>TLS Insecure Skip Verify</label>
         <type>checkbox</type>
-        <help><![CDATA[Turns off TLS handshake verification, making the connection insecure and vulnerable to man-in-the-middle attacks. Do not use in production.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Disable the TLS handshake verification, making the connection insecure and vulnerable to man-in-the-middle attacks. Do not use in production if possible. When having issues with an upstream that only accepts TLS connections, enabling this option can mitigate them.]]></help>
     </field>
     <field>
         <id>handle.HttpTlsTrustedCaCerts</id>
         <label>TLS Trusted CA Certificate</label>
         <type>dropdown</type>
-        <help><![CDATA[Optionally, if TLS is enabled, choose a CA certificate or self-signed certificate to trust from "System - Trust - Authorities".]]></help>
+        <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
     </field>
     <field>
         <id>handle.HttpTlsServerName</id>
         <label>TLS Server Name</label>
         <type>text</type>
-        <help><![CDATA[Optionally, specify a hostname or IP address that matches the SAN of the "TLS Trusted CA Certificate". Please note that only SAN certificates are supported; CN will not work.]]></help>
+        <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trusted CA Certificate", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
index 585ddf5124..070e8b6038 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
@@ -3,27 +3,27 @@
         <id>header.HeaderUpDown</id>
         <label>Header</label>
         <type>dropdown</type>
-        <help><![CDATA[header_up sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. header_down sets, adds (with the + prefix), deletes (with the - prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend. For more information: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers]]></help>
+        <help><![CDATA["header_up" sets, adds (with the "+" prefix), deletes (with the "-" prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. "header_down" sets, adds (with the "+" prefix), deletes (with the "-" prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend. For more information: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers]]></help>
     </field>
     <field>
         <id>header.HeaderType</id>
         <label>Header Type</label>
         <hint>Host</hint>
         <type>text</type>
-        <help><![CDATA[Enter a header, for example "Host". Use the + or - prefix to add or remove this header, for example "-Host" or "+Host". A suffix match like "-Host-*" is also supported. To replace a header, use "Some-Header" without + or -.]]></help>
+        <help><![CDATA[Enter a header, for example "Host". Use the "+" or "-" prefix to add or remove this header, for example "-Host" or "+Host". A suffix match like "-Host-*" is also supported. To replace a header, use "Host" without "+" or "-".]]></help>
     </field>
     <field>
         <id>header.HeaderValue</id>
         <label>Header Value</label>
         <hint>{upstream_hostport}</hint>
         <type>text</type>
-        <help><![CDATA[Enter a value for the above header. One of the most common options is "{upstream_hostport}". It's also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.]]></help>
+        <help><![CDATA[Enter a value for the selected header. One of the most common options is "{upstream_hostport}". It is also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.]]></help>
     </field>
     <field>
         <id>header.HeaderReplace</id>
         <label>Header Replace</label>
         <type>text</type>
-        <help><![CDATA[If a regular expression is used to search for a Header Value, here the replacement string can be set. For example: "replaced-$1-suffix" which expands the replacement string, allowing the use of captured values, $1 being the first capture group.]]></help>
+        <help><![CDATA[If a regular expression is used to search for a Header Value, the replacement string can be set here. For example: "replaced-$1-suffix" which expands the replacement string, allowing the use of captured values, "$1" being the first capture group.]]></help>
     </field>
     <field>
         <id>header.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index f84c18c97c..ba4670d526 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -1,30 +1,30 @@
 <form>
     <field>
         <id>reverse.enabled</id>
-        <label>enabled</label>
+        <label>Enabled</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable this reverse proxy domain.]]></help>
+        <help><![CDATA[Enable this domain.]]></help>
     </field>
     <field>
         <id>reverse.FromDomain</id>
         <label>Domain</label>
         <type>text</type>
         <hint>example.com</hint>
-        <help><![CDATA[Enter a domain name or IP address. For a wildcard domain, use *.example.com. Only use wildcard domains with a wildcard certificate. Don't forget to create a firewall rule that allows port 80 and 443 to "This Firewall".]]></help>
+        <help><![CDATA[Enter a domain name or IP address. For a base domain, use "example.com" or "opn.example.com". Using a base domain enables automatic "Let's Encrypt" and "ZeroSSL" certificates by default. For a wildcard domain, use "*.example.com". Only use wildcard domains with wildcard certificates, which require a DNS Provider.]]></help>
     </field>
     <field>
         <id>reverse.FromPort</id>
         <label>Port</label>
         <type>text</type>
         <hint>443</hint>
-        <help><![CDATA[Enter the port number. Leave this empty to bind to port 80 and 443 with automatic redirection. Don't forget to create a firewall rule that allows this port to "This Firewall".]]></help>
+        <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule.]]></help>
     </field>
     <field>
         <id>reverse.description</id>
         <label>Description</label>
         <type>text</type>
         <hint>example.com.443</hint>
-        <help><![CDATA[Enter a description for this reverse proxy domain.]]></help>
+        <help><![CDATA[Enter a description for this domain.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -35,8 +35,7 @@
         <id>reverse.DynDns</id>
         <label>Dynamic DNS</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this domain wi
-ll be automatically updated with your DNS Provider.]]></help>
+        <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this domain will be automatically updated.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -45,21 +44,21 @@ ll be automatically updated with your DNS Provider.]]></help>
     </field>
     <field>
         <id>reverse.DnsChallenge</id>
-        <label>DNS-01 challenge</label>
+        <label>DNS-01 Challenge</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable DNS-01 challenge for ACME, please configure DNS Provider and API Key in General Settings. In most cases, leaving this option unchecked will be the best choice. The automatic Let's Encrypt HTTP challenge will be used if this option is unchecked, which needs no further configuration.]]></help>
+        <help><![CDATA[Enable the DNS-01 challenge for this domain. Requires a "DNS Provider" in "General Settings". This is mostly only needed for wildcard domains, or when the HTTP-01 and TLS-ALPN-01 challenge can not be used due to restrictive firewall policies.]]></help>
     </field>
     <field>
         <id>reverse.AcmePassthrough</id>
-        <label>HTTP-01 challenge redirection</label>
+        <label>HTTP-01 Challenge Redirection</label>
         <type>text</type>
-        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables a server behind Caddy to serve "/.well-known/acme-challenge/". Caddy will issue a certificate for the same domain using the TLS-ALPN-01 challenge or DNS-01 challenge instead. Setting this option on a wildcard domain will pass the challenge of all subdomains to a single server behind Caddy. For finer control, use this option in subdomains instead of their wildcard domain.]]></help>
+        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
     </field>
     <field>
         <id>reverse.CustomCertificate</id>
         <label>Custom Certificate</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose your own certificate from System Trust Certificates. Make sure you have imported the full chain. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <help><![CDATA[Choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -70,19 +69,19 @@ ll be automatically updated with your DNS Provider.]]></help>
         <id>reverse.accesslist</id>
         <label>Access List</label>
         <type>dropdown</type>
-        <help><![CDATA[Optionally, select an Access List to restrict access to this domain. If left as "None", any local or remote client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <help><![CDATA[Select an Access List to restrict access to this domain. If unset, any local or remote client is allowed access.]]></help>
     </field>
     <field>
         <id>reverse.basicauth</id>
         <label>Basic Auth</label>
         <type>select_multiple</type>
         <size>5</size>
-        <help><![CDATA[Optionally, select Users to restrict access to this domain. Basic Auth matches after Access Lists. If left as "None", any client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <help><![CDATA[Select Users to restrict access to this domain. Basic Auth matches after Access Lists. If unset, any user is allowed access. When using CrowdSec, authorization failures will result in automatic bans.]]></help>
     </field>
     <field>
         <id>reverse.AccessLog</id>
         <label>HTTP Access Log</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable the HTTP request logging for this domain and its subdomains. This option is mostly for troubleshooting since it will log every single request.]]></help>
+        <help><![CDATA[Enable HTTP request logging for this domain and its subdomains. This option is mostly used for troubleshooting, audits and CrowdSec. It will log every single request.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 9a790162ae..ca6eeb6114 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -1,36 +1,36 @@
 <form>
     <field>
         <id>subdomain.enabled</id>
-        <label>enabled</label>
+        <label>Enabled</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable this reverse proxy subdomain.]]></help>
+        <help><![CDATA[Enable this subdomain.]]></help>
     </field>
     <field>
         <id>subdomain.reverse</id>
         <label>Domain</label>
         <type>dropdown</type>
-        <help><![CDATA[Select a domain, to which this subdomain should be added.]]></help>
+        <help><![CDATA[Select a wildcard domain for this subdomain.]]></help>
     </field>
     <field>
         <id>subdomain.FromDomain</id>
         <label>Subdomain</label>
         <type>text</type>
         <hint>opn.example.com</hint>
-        <help><![CDATA[Enter the subdomain name (e.g., 'opn.example.com' if your wildcard domain is '*.example.com').]]></help>
+        <help><![CDATA[Enter a subdomain. For example, "opn.example.com" if the wildcard domain is "*.example.com".]]></help>
     </field>
     <field>
         <id>subdomain.FromPort</id>
         <label>Port</label>
         <type>text</type>
         <hint>443</hint>
-        <help><![CDATA[Enter the port number. Leave this empty to bind to port 80 and 443 with automatic redirection. Don't forget to create a firewall rule that allows this destination port to "This Firewall".]]></help>
+        <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Do not forget to allow these ports with a Firewall rule.]]></help>
     </field>
     <field>
         <id>subdomain.description</id>
         <label>Description</label>
         <type>text</type>
         <hint>opn.example.com.443</hint>
-        <help><![CDATA[Enter a description for this reverse proxy subdomain.]]></help>
+        <help><![CDATA[Enter a description for this subdomain.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -41,7 +41,7 @@
         <id>subdomain.DynDns</id>
         <label>Dynamic DNS</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable Dynamic DNS, please configure DNS Provider and API Key in General Settings. The DNS Records of this subdomain will be automatically updated with your DNS Provider.]]></help>
+        <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this subdomain will be automatically updated.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -50,9 +50,9 @@
     </field>
     <field>
         <id>subdomain.AcmePassthrough</id>
-        <label>HTTP-01 challenge redirection</label>
+        <label>HTTP-01 Challenge Redirection</label>
         <type>text</type>
-        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables a server behind Caddy to serve "/.well-known/acme-challenge/".]]></help>
+        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this subdomain.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -63,13 +63,13 @@
         <id>subdomain.accesslist</id>
         <label>Access List</label>
         <type>dropdown</type>
-        <help><![CDATA[Optionally, select an Access List to restrict access to this subdomain. If left as "None", any local or remote client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <help><![CDATA[Select an Access List to restrict access to this subdomain. If unset, any local or remote client is allowed access.]]></help>
     </field>
     <field>
         <id>subdomain.basicauth</id>
         <label>Basic Auth</label>
         <type>select_multiple</type>
         <size>5</size>
-        <help><![CDATA[Optionally, select Users to restrict access to this subdomain. Basic Auth matches after Access Lists. If left as "None", any client is allowed access. In most cases, leaving this as "None" will be the best choice.]]></help>
+        <help><![CDATA[Select Users to restrict access to this subdomain. Basic Auth matches after Access Lists. If unset, any user is allowed access.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index cd6f75bf78..6ff4ed00c9 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -3,7 +3,8 @@
         <id>caddy.general.TlsDnsProvider</id>
         <label>DNS Provider</label>
         <type>dropdown</type>
-        <help><![CDATA[Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is optional, since certificates will be requested from Let's Encrypt via HTTP Challenge when this option is unset. You mostly need this for Wildcard Certificates, and for Dynamic DNS. To use the DNS-01 Challenge and Dynamic DNS, enable the checkbox in a Reverse Proxy Domain or Subdomain. For more information: https://github.com/caddy-dns]]></help>
+        <help><![CDATA[Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is mostly needed for Wildcard Certificates, and for Dynamic DNS. To use, enable the checkbox in a "Domain" or "Subdomain". For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
+    </field>
     </field>
     <field>
         <id>caddy.general.TlsDnsApiKey</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
index a0a3630952..3304ac080e 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
@@ -3,19 +3,19 @@
         <id>caddy.general.DynDnsIpVersions</id>
         <label>DynDns IP Version</label>
         <type>dropdown</type>
-        <help><![CDATA[Select "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
+        <help><![CDATA[Select the DynDns IP Version: "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
     </field>
     <field>
         <id>caddy.general.DynDnsCheckInterval</id>
         <label>DynDns Check Interval</label>
         <type>text</type>
-        <help><![CDATA[Interval to poll for changes of the IP address. The default is 5 minutes. Can be a number between 1 to 1440 minutes.]]></help>
+        <help><![CDATA[Set the interval to poll for changes in the IP address. The default is 5 minutes. Values can range from 1 to 1440 minutes.]]></help>
     </field>
     <field>
         <id>caddy.general.DynDnsTTL</id>
         <label>DynDns TTL</label>
         <type>text</type>
-        <help><![CDATA[Set the TTL (time to live) for DNS Records. The default is 1 hour. Can be a number between 1 to 24 hours.]]></help>
+        <help><![CDATA[Set the TTL (Time to Live) for DNS records. The default is 1 hour. Values can range from 1 to 24 hours.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -26,12 +26,12 @@
         <id>caddy.general.DynDnsSimpleHttp</id>
         <label>DynDns Check Http</label>
         <type>text</type>
-        <help><![CDATA[Optionally, enter a URL to test the current IP address of the firewall via HTTP protocol. Generally, this is not needed. Caddy uses default providers to test the current IP addresses. If you'd rather use your own, enter the https:// link to an IP address testing website.]]></help>
+        <help><![CDATA[Enter a URL to test the current IP address of the firewall via the HTTP protocol. This is generally not needed as Caddy uses default providers to test the current IP addresses. If a custom provider is preferred, enter the "https://" link to an IP address testing website.]]></help>
     </field>
     <field>
         <id>caddy.general.DynDnsInterface</id>
         <label>DynDns Check Interface</label>
         <type>dropdown</type>
-        <help><![CDATA[Optionally, select an interface to extract the current IP addresses of the firewall. At most, one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted. This depends on the DynDns IP Version that's specified.]]></help>
+        <help><![CDATA[Select an interface to extract the current IP addresses of the firewall. This is generally not needed as Caddy uses default providers to test the current IP addresses. Depending on the specified DynDns IP Version, at most one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 00c0b85cc0..66ee187088 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -10,31 +10,31 @@
         <label>ACME Email</label>
         <type>text</type>
         <hint>info@example.com</hint>
-        <help><![CDATA[Enter the email address for certificate notifications. This is required to receive automatic certificates from Let's Encrypt and ZeroSSL.]]></help>
+        <help><![CDATA[Enter the email address for certificate notifications. This is required to receive automatic certificates from "Let's Encrypt" and "ZeroSSL".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsAutoHttps</id>
         <label>Auto HTTPS</label>
         <type>dropdown</type>
-        <help><![CDATA[Select the auto HTTPS option. "On" (default) creates automatic certificates using Let's Encrypt or ZeroSSL without needing any configuration.]]></help>
+        <help><![CDATA[Select the Auto HTTPS option. "On (default)" creates automatic certificates using "Let's Encrypt" or "ZeroSSL". "Off" turns all automatic certificate requests off.]]></help>
     </field>
     <field>
         <id>caddy.general.accesslist</id>
         <label>Trusted Proxies</label>
         <type>dropdown</type>
-        <help><![CDATA[Select an Access List of Trusted Proxies. If Caddy is not the first server being connected to by your clients (for example when a CDN is in front of Caddy), you may configure trusted_proxies with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the Domains your Trusted Proxy connects to.]]></help>
+        <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
     </field>
     <field>
         <id>caddy.general.abort</id>
         <label>Abort Connections</label>
         <type>checkbox</type>
-        <help><![CDATA[Abort all connections that don't have a matching handle or access list. This option doesn't conflict with Let's Encrypt. Disable it for troubleshooting purposes, e.g., testing if the Reverse Proxy Domain works and the Certificate has been installed. For production use, enabling this option is recommended.]]></help>
+        <help><![CDATA[Abort all connections that don't have a matching Handle or Access List. This option does not conflict with "Let's Encrypt" or "ZeroSSL". Disable it for troubleshooting purposes, e.g., testing if the "Domain" works and the automatic certificate has been installed. For production use, enabling this option is recommended.]]></help>
     </field>
     <field>
         <id>caddy.general.GracePeriod</id>
         <label>Grace Period</label>
         <type>text</type>
         <hint>10</hint>
-        <help><![CDATA[Defines the grace period for shutting down HTTP servers (i.e. during config changes or when Caddy is stopping) in seconds. During the grace period, no new connections are accepted, idle connections are closed, and active connections are impatiently waited upon to finish their requests. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close.]]></help>
+        <help><![CDATA[Defines the grace period for shutting down Caddy during a reload in seconds. During the grace period, no new connections are accepted, idle connections are closed, and active connections are impatiently waited upon to finish their requests. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
index 44f616f042..7c0f1a5ace 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
@@ -3,25 +3,25 @@
         <id>caddy.general.LogLevel</id>
         <label>Log Level</label>
         <type>dropdown</type>
-        <help><![CDATA[Select the minimum global Log Level. "INFO" is the default and shouldn't be changed without a reason, since that level displays the ACME Client messages for automatic certificates. This setting doesn't influence the HTTP Access logs, they're always using INFO, which is their lowest supported Log Level.]]></help>
+        <help><![CDATA[Select the minimum global Log Level. "INFO" is the default and should not be changed without a reason, as it displays the ACME Client messages for automatic certificates. This setting does not influence the HTTP Access logs; they always use "INFO", which is their lowest supported Log Level.]]></help>
     </field>
     <field>
         <id>caddy.general.LogCredentials</id>
         <label>Log Credentials</label>
         <type>checkbox</type>
-        <help><![CDATA[Log all Cookies and Authorization in HTTP request logging. Use combined with HTTP Access Log in the Reverse Proxy Domain. Enable this option only for troubleshooting.]]></help>
+        <help><![CDATA[Log all cookies and authorization in HTTP request logging. Use this option combined with "HTTP Access Log" in a "Domain". Enable this option only for troubleshooting.]]></help>
     </field>
     <field>
         <id>caddy.general.LogAccessPlain</id>
         <label>Log HTTP Access in JSON Format</label>
         <type>checkbox</type>
-        <help><![CDATA[Log HTTP access in a standard JSON logfile per domain, e.g for processing by CrowdSec. Use combined with HTTP Access Log in the Reverse Proxy Domain. Enabling this will make the HTTP Access Log dissappear from the standard "Log File" in the GUI. They can be found in the filesystem "/var/log/caddy/access/"]]></help>
+        <help><![CDATA[Log HTTP access in a standard JSON logfile per domain, e.g., for processing by CrowdSec. Use this option combined with "HTTP Access Log" in a "Domain". Enabling this will make the HTTP Access Log disappear from the standard Log File. Logs can be found in the filesystem at "/var/log/caddy/access/".]]></help>
     </field>
     <field>
         <id>caddy.general.LogAccessPlainKeep</id>
         <label>Keep HTTP Access JSON Logs for (days)</label>
         <hint>10</hint>
         <type>text</type>
-        <help><![CDATA[How many days to keep the JSON access logs.]]></help>
+        <help><![CDATA[Specify how many days to keep the JSON access logs.]]></help>
     </field>
 </form>

From b35877e7be1e16273aa66aa3c3d75dca53341c93 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 May 2024 08:50:14 +0200
Subject: [PATCH 1898/3088] www/caddy: small issue in previous CC @Monviech

---
 .../mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml     | 1 -
 1 file changed, 1 deletion(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index 6ff4ed00c9..264a7e27ce 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -5,7 +5,6 @@
         <type>dropdown</type>
         <help><![CDATA[Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is mostly needed for Wildcard Certificates, and for Dynamic DNS. To use, enable the checkbox in a "Domain" or "Subdomain". For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
     </field>
-    </field>
     <field>
         <id>caddy.general.TlsDnsApiKey</id>
         <label>DNS API Standard Field</label>

From 90fe67c97fcb41f0de5082cefc960ba8804647c9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 May 2024 09:00:09 +0200
Subject: [PATCH 1899/3088] net/frr: wrap up next version

---
 net/frr/Makefile  |  3 +--
 net/frr/pkg-descr | 10 ++++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index cfcb6bb7e8..0e6a4fe7b7 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.39
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.40
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index e07ba54025..9563643382 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,12 +12,14 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
-1.39
+1.40
 
-* Add plain password authentication to OSPF
-* Set multihop value to 255 (contributed by Cogan Ng Jun Lin)
-* Add distance to BGP
+* Add staticd to routing suite
 * Add BGP peer-group support
+* Add distance to BGP
+
+1.39
+
 * Add plain password authentication to OSPF
 * Set multihop value to 255 (contributed by Cogan Ng Jun Lin)
 

From f59fb35e18ec0eeeaa85a3f2c07ae76438b79f69 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 16 May 2024 17:30:35 +0200
Subject: [PATCH 1900/3088] www/caddy: Fix that the setup.sh script is not
 executed with reloadssl (#3982)

---
 www/caddy/Makefile                                    |  1 +
 www/caddy/pkg-descr                                   |  4 ++++
 .../opnsense/scripts/OPNsense/Caddy/caddy_control.py  | 11 +++++++++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 45d38b923d..4ad87d41c6 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.5.5
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 924946fb5b..1501aed1a7 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -37,6 +37,10 @@ Plugin Changelog
 * Cleanup: Javascript variables have been changed from var to let to reduce scope.
 * Fix: Template has been fixed to allow any TLS option in Handlers to appear independant when filled out. This increases flexibility with the "tls_server_name" option.
 * Add: Diagnostics view added where the current Caddyfile and JSON configuration can be displayed, validated and downloaded.
+* Add: HTTP-01 Challenge Redirection can also be configured for subdomains.
+* Cleanup: lang() and gettext() functions added for translations.
+* Cleanup: Rewritten most help texts in forms for consistency.
+* Fix: The newly introduced "configctl caddy reload" action, which calls the "service caddy reloadssl" command, will now also trigger the setup.sh script.
 
 1.5.4
 
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
index c698d82441..79e9a8226f 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
@@ -35,8 +35,6 @@ def run_service_command(action, action_message):
 
     if action == "validate":
         try:
-            # Call Setup script
-            subprocess.run(["/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"], check=True)
             # Validate the Caddyfile with explicit --config flag, capturing both stdout and stderr
             validation_output = subprocess.check_output(["caddy", "validate", "--config", "/usr/local/etc/caddy/Caddyfile"], stderr=subprocess.STDOUT, text=True)
             if "Valid configuration" in validation_output:
@@ -76,6 +74,15 @@ def run_service_command(action, action_message):
     if action in actions:
         service_action = actions[action]
         message = f"{action.capitalize()}ing Caddy service" if action != "validate" else "Validating Caddy configuration"
+
+        # Call setup script for 'validate' and 'reloadssl' actions
+        # This is needed because the setup script triggers the caddy_certs.php script, which exports all certificates into the filesystem.
+        # Caddy reloads certificates when reloadssl is used. Because it is a non standard command, the caddy_setup script will not be triggered in /etc/rc.conf.d/caddy.
+        # The validate command needs it to make sure all certificates are in the filesystem, because otherwise the validation fails.
+        if service_action in ["validate", "reloadssl"]:
+            subprocess.run(["/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"], check=True)
+
+        # Continue with the service action
         print(run_service_command(service_action, message))
     else:
         print(json.dumps({"status": "failed", "message": f"Unknown action: {action}"}))

From bb53017521b0d5b5f6fe99b55c057ef3bdcef05c Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Sun, 19 May 2024 14:38:24 +0200
Subject: [PATCH 1901/3088] crowdsec: 1.0.9 (fix service start when lapi is
 disabled) (#3986)

* crowdsec: 1.0.9 (fix service start when lapi is disabled)

* 1.0.9 -> 1.0.8-1
---
 security/crowdsec/Makefile                            |  1 +
 security/crowdsec/pkg-descr                           |  4 ++++
 .../opnsense/scripts/OPNsense/CrowdSec/reconfigure.py | 11 +++++++++++
 .../templates/OPNsense/CrowdSec/crowdsec.rc.conf.d    |  5 -----
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index ebf2924bb9..dad0bf60c5 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		crowdsec
 PLUGIN_VERSION=		1.0.8
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index ef22794a44..abb274e564 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,10 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.8-1
+
+* Fix service start when lapi is disabled
+
 1.0.8
 
 * Enable use_wal, remove warning
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
index 84008d6256..31fb26643f 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
@@ -53,6 +53,16 @@ def configure_agent(settings):
     save_config(config_path, config)
 
 
+def configure_lapi(settings):
+    config_path = '/usr/local/etc/crowdsec/config.yaml'
+    config = load_config(config_path)
+
+    enable = int(settings.get('lapi_enabled', '0'))
+    config['api']['server']['enable'] = bool(enable)
+
+    save_config(config_path, config)
+
+
 def configure_lapi_credentials(settings):
     config_path = '/usr/local/etc/crowdsec/local_api_credentials.yaml'
     config = load_config(config_path)
@@ -88,6 +98,7 @@ def main():
         return
 
     configure_agent(settings)
+    configure_lapi(settings)
     configure_lapi_credentials(settings)
     configure_bouncer(settings)
 
diff --git a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
index 77eebf92fa..6c0f4e9412 100644
--- a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
+++ b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
@@ -4,8 +4,3 @@ crowdsec_enable="YES"
 {% else %}
 crowdsec_enable="NO"
 {% endif %}
-{% if helpers.exists('OPNsense.crowdsec.general.lapi_enabled') and OPNsense.crowdsec.general.lapi_enabled|default("1") == "1" %}
-crowdsec_flags=""
-{% else %}
-crowdsec_flags="-no-api"
-{% endif %}

From b64d2ec4c9be632fddb3fd823ba1dcfed2e23151 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 May 2024 08:10:31 +0200
Subject: [PATCH 1902/3088] security/crowdsec: shift changelog a bit

---
 security/crowdsec/pkg-descr | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index abb274e564..cb1429cf46 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,10 +8,6 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
-1.0.8-1
-
-* Fix service start when lapi is disabled
-
 1.0.8
 
 * Enable use_wal, remove warning
@@ -19,6 +15,7 @@ Plugin Changelog
 * Refactor javascript
 * Fix initial service start with no pending hub updates (1.6.1)
 * Add input validation for `rules_tag` to prevent invalid `pf` syntax.
+* Fix service start when lapi is disabled (revision 1)
 
 1.0.7
 

From 9cf5ea1346eb1c0369d88fdd434c27fc5aaeb311 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 May 2024 08:37:52 +0200
Subject: [PATCH 1903/3088] www/squid: fix another bug due to netaddr/ipaddr
 switch

---
 www/squid/Makefile                                            | 2 +-
 www/squid/pkg-descr                                           | 2 ++
 .../src/opnsense/service/templates/OPNsense/Proxy/wpad.dat    | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index debbe26ca1..cfc272dd5c 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index 2e0b72da45..2840d18089 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -8,3 +8,5 @@ Plugin Changelog
 1.0
 
 * Initial version based on the OPNsense 23.7.12 core code
+* Workaround for segmentation faults using OpenSSL legacy provider
+* Correct migration to Python ipaddress library use
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/wpad.dat b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/wpad.dat
index cd4aeaabc1..d85f1027f3 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/wpad.dat
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/wpad.dat
@@ -51,11 +51,11 @@ function FindProxyForURL(url, host) {
 {%         endif %}
 {%         if match.match_type == 'destination_in_net' %}
 {%           set tmp_net = helpers.getIPNetwork(match.network) %}
-{%           set match_script = match_script + 'isInNet(dstip, "' + tmp_net.network.__str__() + '", "' + tmp_net.netmask.__str__() + '")' %}
+{%           set match_script = match_script + 'isInNet(dstip, "' + tmp_net.network_address.__str__() + '", "' + tmp_net.netmask.__str__() + '")' %}
 {%         endif %}
 {%         if match.match_type == 'my_ip_in_net' %}
 {%           set tmp_net = helpers.getIPNetwork(match.network) %}
-{%           set match_script = match_script + 'isInNet(myIpAddress(), "' + tmp_net.network.__str__() + '", "' + tmp_net.netmask.__str__() + '")' %}
+{%           set match_script = match_script + 'isInNet(myIpAddress(), "' + tmp_net.network_address.__str__() + '", "' + tmp_net.netmask.__str__() + '")' %}
 {%         endif %}
 {%         if match.match_type == 'plain_hostname' %}
 {%           set match_script = match_script + 'isPlainHostName(host)' %}

From f3532fc9d878e1f8b13dd0b6242f2ee6918b9b72 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 21 May 2024 16:34:19 +0200
Subject: [PATCH 1904/3088] www/caddy: Caddy dyndns wildcard domain fix (#3989)

- wildcard domains like "*.example.com" need the following dns update:
example.com *
- base domains like "example.com" need the following dns update:
example.com @
---
 www/caddy/pkg-descr                                         | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Caddy/Caddyfile | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 1501aed1a7..ea38afb12c 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -26,6 +26,10 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.5.6
+
+* Fix: Wildcard domains with activated "Dynamic DNS" update their base domain with * instead of @.
+
 1.5.5
 
 * Fix: "Apply" could hang when websockets are in use by clients. A grace period of 10s has been added in General Settings that forces to close all connections on config changes.
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 7c9f7ed9de..76e5a6d27d 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -123,7 +123,11 @@
     {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
         {% if reverse.enabled|default("0") == "1" and reverse.DynDns|default("0") == "1" %}
             {% set cleanedDomain = reverse.FromDomain | replace("*.","") %}
-            {% do dynDnsDomains.append(cleanedDomain + " @") %}
+            {% if reverse.FromDomain.startswith("*.") %}
+                {% do dynDnsDomains.append(cleanedDomain + " *") %}
+            {% else %}
+                {% do dynDnsDomains.append(cleanedDomain + " @") %}
+            {% endif %}
         {% endif %}
 
         {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}

From e224425f0e476f19506d6e0e97fc7e2a7bdca6a8 Mon Sep 17 00:00:00 2001
From: zaidranger <82002295+zaidranger@users.noreply.github.com>
Date: Tue, 28 May 2024 00:43:23 +0800
Subject: [PATCH 1905/3088] change $(var) > ($var)

This fixes deprecation message and the settings can be used again
---
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
index 5218c256e6..7dade59ea6 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.php
@@ -269,7 +269,7 @@ public function linkAclToAction($acl_uuid, $action_uuid, $replace = false)
                 return $acl_uuid;
             } else {
                 // Extend existing string.
-                $linkedAcls .= ",${acl_uuid}";
+                $linkedAcls .= ",{$acl_uuid}";
             }
         } else {
             $linkedAcls = $acl_uuid;
@@ -309,7 +309,7 @@ public function linkServerToBackend($server_uuid, $backend_uuid, $replace = fals
                 return $server_uuid;
             } else {
                 // Extend existing string.
-                $linkedServers .= ",${server_uuid}";
+                $linkedServers .= ",{$server_uuid}";
             }
         } else {
             $linkedServers = $server_uuid;
@@ -349,7 +349,7 @@ public function linkActionToFrontend($action_uuid, $frontend_uuid, $replace = fa
                 return $action_uuid;
             } else {
                 // Extend existing string.
-                $linkedActions .= ",${action_uuid}";
+                $linkedActions .= ",{$action_uuid}";
             }
         } else {
             $linkedActions = $action_uuid;

From e7cb756289adec09c25623023679c234ec3fcdc3 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 29 May 2024 08:16:54 +0200
Subject: [PATCH 1906/3088] www/caddy: DNS Provider add netcup and RFC2136
 (#3998)

* Add configuration options for DNS Providers: Netcup and RFC2136

* Bump plugin version and description.
---
 www/caddy/Makefile                            |  3 +-
 www/caddy/pkg-descr                           |  1 +
 .../OPNsense/Caddy/forms/dnsprovider.xml      |  8 ++---
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  2 ++
 .../templates/OPNsense/Caddy/Caddyfile        | 36 +++++++++++++++++--
 5 files changed, 42 insertions(+), 8 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 4ad87d41c6..3e61d6cc6d 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.5.5
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.5.6
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index ea38afb12c..c7e00bd685 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -29,6 +29,7 @@ Plugin Changelog
 1.5.6
 
 * Fix: Wildcard domains with activated "Dynamic DNS" update their base domain with * instead of @.
+* Add: DNS Providers: Netcup, RFC2136
 
 1.5.5
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index 264a7e27ce..7f469d4e9f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -9,7 +9,7 @@
         <id>caddy.general.TlsDnsApiKey</id>
         <label>DNS API Standard Field</label>
         <type>text</type>
-        <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url".]]></help>
+        <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", Netcup "customer_number", RFC2136 "key_name".]]></help>
     </field>
     <field>
         <type>header</type>
@@ -20,19 +20,19 @@
         <id>caddy.general.TlsDnsSecretApiKey</id>
         <label>DNS API Additional Field 1</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address".]]></help>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", Netcup "api_key", RFC2136 "key_alg".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField1</id>
         <label>DNS API Additional Field 2</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password".]]></help>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", Netcup "api_password", RFC2136 "key".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField2</id>
         <label>DNS API Additional Field 3</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password".]]></help>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", RFC2136 "server".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField3</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 4177a5dc5b..49e1aa1222 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -46,6 +46,8 @@
                     <dinahosting>Dinahosting</dinahosting>
                     <hexonet>Hexonet</hexonet>
                     <mailinabox>Mail-in-a-Box</mailinabox>
+                    <netcup>Netcup</netcup>
+                    <rfc2136>RFC2136</rfc2136>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField"/>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 76e5a6d27d..ca403c57a0 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -143,7 +143,7 @@
 
     {% if dnsProvider and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
         dynamic_dns {
-            {% if dnsProvider in ['porkbun', 'desec', 'route53', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
+            {% if dnsProvider in ['porkbun', 'desec', 'route53', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136'] %}
                 provider {{ dnsProvider }} {
                     {% if dnsProvider == 'porkbun' %}
                         {% if dnsApiKey %}api_key {{ dnsApiKey }}
@@ -238,6 +238,22 @@
                         {% endif %}
                         {% if dnsOptionalField1 %}password {{ dnsOptionalField1 }}
                         {% endif %}
+                    {% elif dnsProvider == 'netcup' %}
+                        {% if dnsApiKey %}customer_number {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_password {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'rfc2136' %}
+                        {% if dnsApiKey %}key_name {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}key_alg {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}key {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}server {{ dnsOptionalField2 }}
+                        {% endif %}
                     {% endif %}
                 }
             {% else %}
@@ -342,7 +358,7 @@
 #}
 {% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) %}
     {% if dnsChallenge == "1" and dnsProvider %}
-        {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox'] %}
+        {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136'] %}
             tls {
                 dns {{ dnsProvider }} {
                     {% if dnsProvider == 'duckdns' %}
@@ -452,6 +468,22 @@
                         {% endif %}
                         {% if dnsOptionalField1 %}password {{ dnsOptionalField1 }}
                         {% endif %}
+                    {% elif dnsProvider == 'netcup' %}
+                        {% if dnsApiKey %}customer_number {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_password {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'rfc2136' %}
+                        {% if dnsApiKey %}key_name {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}key_alg {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}key {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}server {{ dnsOptionalField2 }}
+                        {% endif %}
                     {% endif %}
                 }
             }

From 1ff8b9023933aee125c63fea2c931a57490cfbd2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 May 2024 08:18:31 +0200
Subject: [PATCH 1907/3088] net/haproxy: bump revision for php fixes

---
 net/haproxy/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 65573b469e..7e0911ca88 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy28 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 3ce095ffce90599e5266ea212e6fac03957fc7a9 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 1 Jun 2024 13:25:40 +0200
Subject: [PATCH 1908/3088] www/caddy: Add error message when OPNsense WebGUI
 settings conflict with Caddy (#3999)

* Add error message when OPNsense WebGUI settings conflict with Caddy. Caddy can not start when port 80 and 443 are in use. A conflict with other plugins can cause this, yet the majority of cases is a conflict with the WebGUI due to default settings. This error message in General Settings helps users to fix the most common error why Caddy refuses to start (without emitting usable logs in the Log Viewer).

* Revert "Add error message when OPNsense WebGUI settings conflict with Caddy. Caddy can not start when port 80 and 443 are in use. A conflict with other plugins can cause this, yet the majority of cases is a conflict with the WebGUI due to default settings. This error message in General Settings helps users to fix the most common error why Caddy refuses to start (without emitting usable logs in the Log Viewer)."

* Move validation logic of WebGUI port conflicts with caddy to model validation.

* Refactor to get rid of some double variable declarations.

* Refactor WebGUI validation to the AutoHTTPS setting. When the default ports are used for the WebGUI, AutoHTTPS can not be set to on.

* Implement feedback from code review. Make message dynamic based on port overlap.

* Simplify from constructed message to static message to make it translation friendly. Fix if statement for webGuiPorts, so that when it is not empty, the port can be actually compared.
---
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index dd9da1a6c7..631afe4b91 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -32,6 +32,7 @@
 
 use OPNsense\Base\BaseModel;
 use OPNsense\Base\Messages\Message;
+use OPNsense\Core\Config;
 
 class Caddy extends BaseModel
 {
@@ -107,6 +108,39 @@ private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
         }
     }
 
+    // 4. Get the current OPNsense WebGUI ports
+    private function getWebGuiPorts() {
+        $webgui = Config::getInstance()->object()->system->webgui ?? null;
+        $webGuiPorts = [];
+
+        // Only add ports to array if no specific interfaces for the WebGUI are set
+        if (!empty($webgui) && empty((string)$webgui->interfaces)) {
+            // Add port 443 if no specific port is set, otherwise set custom webgui port
+            $webGuiPorts[] = !empty($webgui->port) ? (string)$webgui->port : '443';
+
+            // Add port 80 if HTTP redirect is not explicitly disabled
+            if (empty((string)$webgui->disablehttpredirect)) {
+                $webGuiPorts[] = '80';
+            }
+        }
+
+        return $webGuiPorts;
+    }
+
+    // 4. Check for conflicts between Caddy and OPNsense WebGUI ports
+    private function checkWebGuiSettings($messages) {
+        $overlap = array_intersect($this->getWebGuiPorts(), ['80', '443']);
+        $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
+
+        if (!empty($overlap) && $tlsAutoHttpsSetting !== 'off') {
+            $portOverlap = implode(', ', $overlap);
+            $messages->appendMessage(new Message(
+                sprintf(gettext('To use "Auto HTTPS", resolve these conflicting ports (%s) that are currently configured for the OPNsense WebGUI. Go to "System - Settings - Administration". To release port 80, enable "Disable web GUI redirect rule". To release port 443, change "TCP port" to a non-standard port, e.g., 8443.'), $portOverlap),
+                "general.TlsAutoHttps"
+            ));
+        }
+    }
+
     // Perform the actual validation
     public function performValidation($validateFullModel = false)
     {
@@ -117,6 +151,8 @@ public function performValidation($validateFullModel = false)
         $this->checkForUniquePortCombos($this->reverseproxy->subdomain->iterateItems(), $messages);
         // 3. Check that subdomains are under a wildcard or exact domain
         $this->checkSubdomainsAgainstDomains($this->reverseproxy->subdomain->iterateItems(), $this->reverseproxy->reverse->iterateItems(), $messages);
+        // 4. Check WebGUI conflicts
+        $this->checkWebGuiSettings($messages);
 
         return $messages;
     }

From 0e3caf1ac48e94d6d2835cc8cbdab6a6b5caf945 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 1 Jun 2024 18:51:24 +0200
Subject: [PATCH 1909/3088] www/caddy: Fix crash of searchAction when
 reverseUuids is null (#4016)

* Fix crash when reverseUuids is null. Improve performance by using associative arrays and isset instead of in_array.

* Refactored search into a helper function that is called in each section. Made comments clearer. Moved helper functions to top of file before the boilerplate sections.

* Generalize the search helper function a bit more. Now any sections UUID can be referenced, or null for its own UUID.

* Generalize the searchActionHelper function completely.
---
 .../Caddy/Api/ReverseProxyController.php      | 147 +++++++++---------
 1 file changed, 76 insertions(+), 71 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index de6b82b643..5f32443d00 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -39,24 +39,74 @@ class ReverseProxyController extends ApiMutableModelControllerBase
     protected static $internalModelClass = 'OPNsense\Caddy\Caddy';
     protected static $internalModelUseSafeDelete = true;
 
-    /*ReverseProxy Section*/
-
-    /*Search Function adjusted for the search filter dropdown*/
-    public function searchReverseProxyAction()
+    /**
+     * Function for search filter dropdown
+     *
+     * @return array containing rows of domain and port combinations.
+     */
+    public function getAllReverseDomainsAction()
     {
-        // Get a comma-separated list of UUIDs from the request
-        $reverseUuids = $this->request->get('reverseUuids');
-        $uuidArray = !empty($reverseUuids) ? explode(',', $reverseUuids) : [];
+        $this->sessionClose(); // Close session early for performance
+        $result = array("rows" => array());
+
+        $mdlCaddy = new \OPNsense\Caddy\Caddy();
+        $reverseNodes = $mdlCaddy->reverseproxy->reverse->iterateItems();
 
-        // Define the filter function to handle multiple UUIDs
-        $filterFunction = function ($modelItem) use ($uuidArray) {
-            $itemUuid = (string)$modelItem->getAttributes()['uuid'];
-            // Include the item if no UUIDs are provided (empty array) or if it's in the array of UUIDs
-            return empty($uuidArray) || in_array($itemUuid, $uuidArray, true);
+        foreach ($reverseNodes as $item) {
+            if (!empty($item->FromDomain)) {
+                // Conditionally concatenate port if it exists
+                $domain = (string)$item->FromDomain;
+                $port = (string)$item->FromPort;
+                $combinedDomainPort = $domain . (!empty($port) ? ':' . $port : '');
+
+                $result['rows'][] = array(
+                    'id' => (string)$item->getAttributes()['uuid'],
+                    'domainPort' => $combinedDomainPort  // Combined domain and port, conditionally adding port
+                );
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * Centralized and generalized helper function for searching across different sections of the reverse proxy setup.
+     * This function mostly helps when model relation fields are used.
+     * It filters entries based on UUIDs provided as an argument. The section or key used for the UUID
+     * can be specified, allowing for direct or indirect UUID referencing.
+     *
+     * @param string $modelPath The data model path identifier, pointing to the section of the model being searched.
+     * @param string $uuidSearchBase The request parameter name for the comma-separated list of UUIDs to filter the search results.
+     * @param string|null $uuidReferenceKey The specific attribute key used to fetch the UUID for filtering. If null, defaults to the item's own UUID.
+     * @return array Filtered search results.
+     */
+    private function searchActionHelper($modelPath, $uuidSearchBase, $uuidReferenceKey = null)
+    {
+        // Fetch the comma-separated UUIDs string from the request using the provided parameter name.
+        $uuidList = $this->request->get($uuidSearchBase);
+        // Ensure the retrieved UUID list is a string and not empty before attempting to explode it.
+        $uuidArray = (!empty($uuidList) && is_string($uuidList)) ? explode(',', $uuidList) : [];
+
+        // Define a filter function to determine which items to include based on the UUID.
+        $filterFunction = function ($modelItem) use ($uuidArray, $uuidReferenceKey) {
+            // Extract UUID from the item, using the specified UUID key if provided, otherwise default to direct UUID access.
+            $modelUUID = ($uuidReferenceKey !== null) ? (string)$modelItem->$uuidReferenceKey : (string)$modelItem->getAttributes()['uuid'];
+            // Include the item if the UUID array is empty or if the item's UUID is in the array.
+            return empty($uuidArray) || in_array($modelUUID, $uuidArray, true);
         };
 
-        // Return the search results filtered by the provided UUIDs, if any
-        return $this->searchBase("reverseproxy.reverse", null, 'description', $filterFunction);
+        // Perform the search using the specified model path and the filter function, returning the results.
+        // Note: This uses the existing search function of the ApiMutableModelControllerBase
+        return $this->searchBase($modelPath, null, 'description', $filterFunction);
+    }
+
+
+    // ReverseProxy Section
+
+    public function searchReverseProxyAction()
+    {
+        // For domains, use their domain UUIDs directly, $uuidReferenceKey null added for explicit clarity
+        return $this->searchActionHelper("reverseproxy.reverse", "reverseUuids", null);
     }
 
     public function setReverseProxyAction($uuid)
@@ -84,47 +134,14 @@ public function toggleReverseProxyAction($uuid, $enabled = null)
         return $this->toggleBase("reverseproxy.reverse", $uuid, $enabled);
     }
 
-    /*Function for the search filter dropdown in the bootgrid*/
-    public function getAllReverseDomainsAction()
-    {
-        $this->sessionClose(); // Close session early for performance
-        $result = array("rows" => array());
 
-        $mdlCaddy = new \OPNsense\Caddy\Caddy();
-        $reverseNodes = $mdlCaddy->reverseproxy->reverse->iterateItems();
-
-        foreach ($reverseNodes as $item) {
-            if (!empty($item->FromDomain)) {
-                // Conditionally concatenate port if it exists
-                $domain = (string)$item->FromDomain;
-                $port = (string)$item->FromPort;
-                $combinedDomainPort = $domain . (!empty($port) ? ':' . $port : '');
+    // Subdomain Section
 
-                $result['rows'][] = array(
-                    'id' => (string)$item->getAttributes()['uuid'],
-                    'domainPort' => $combinedDomainPort  // Combined domain and port, conditionally adding port
-                );
-            }
-        }
-
-        return $result;
-    }
-
-
-    /*Subdomain Section*/
-
-    /*Search Function adjusted for the search filter dropdown*/
     public function searchSubdomainAction()
     {
-        $reverseUuids = $this->request->get('reverseUuids');
-        $uuidArray = !empty($reverseUuids) ? explode(',', $reverseUuids) : [];
-
-        $filterFunction = function ($modelItem) use ($uuidArray) {
-            // Filtering on domain UUIDs referenced by subdomains
-            return empty($uuidArray) || in_array((string)$modelItem->reverse, $uuidArray, true);
-        };
-
-        return $this->searchBase("reverseproxy.subdomain", null, 'description', $filterFunction);
+        // For subdomains, compare 'reverseUuids' (which contain domain UUIDs)
+        // to 'reverse' (which contain the same domain UUIDs due to model relation field)
+        return $this->searchActionHelper("reverseproxy.subdomain", "reverseUuids", "reverse");
     }
 
     public function setSubdomainAction($uuid)
@@ -153,26 +170,14 @@ public function toggleSubdomainAction($uuid, $enabled = null)
     }
 
 
-    /*Handler Section*/
+    // Handler Section
 
-    /*Search Function adjusted for the search filter dropdown*/
+    // Adjusted for search filter dropdown, using helper function
     public function searchHandleAction()
     {
-        $reverseUuids = $this->request->get('reverseUuids');
-        $uuidArray = explode(',', $reverseUuids);
-
-        if (empty($reverseUuids)) {
-            // If no UUIDs are provided, do not apply any filter, return all records
-            return $this->searchBase("reverseproxy.handle", null, 'description');
-        } else {
-            // Apply the filter only if UUIDs are provided
-            $filterFunction = function ($modelItem) use ($uuidArray) {
-                $modelUUID = (string)$modelItem->reverse;
-                return in_array($modelUUID, $uuidArray, true);
-            };
-
-            return $this->searchBase("reverseproxy.handle", null, 'description', $filterFunction);
-        }
+        // For handles, compare 'reverseUuids' (which contain domain UUIDs)
+        // to 'reverse' (which contain the same domain UUIDs due to model relation field)
+        return $this->searchActionHelper("reverseproxy.handle", "reverseUuids", "reverse");
     }
 
     public function setHandleAction($uuid)
@@ -201,7 +206,7 @@ public function toggleHandleAction($uuid, $enabled = null)
     }
 
 
-    /* AccessList Section */
+    // AccessList Section
 
     public function searchAccessListAction()
     {
@@ -229,7 +234,7 @@ public function delAccessListAction($uuid)
     }
 
 
-    /* BasicAuth Section */
+    // BasicAuth Section
 
     public function searchBasicAuthAction()
     {
@@ -277,7 +282,7 @@ public function delBasicAuthAction($uuid)
     }
 
 
-    /* Header Section */
+    // Header Section
 
     public function searchHeaderAction()
     {

From 8c0e8dbee2a53aa4c22dd2270c77755acac263b9 Mon Sep 17 00:00:00 2001
From: Mike Shuey <shuey@fmepnet.org>
Date: Sun, 2 Jun 2024 09:25:21 -0700
Subject: [PATCH 1910/3088] Look at the proper config element when enabling
 staticd (#4019)

---
 net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index 4347dd76cc..d6bbb8d0fb 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -13,7 +13,7 @@ if helpers.exists('OPNsense.quagga.bfd.enabled') and OPNsense.quagga.bfd.enabled
 if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled == '1' %} bgpd{% endif %}{%
 if helpers.exists('OPNsense.quagga.ospf6.enabled') and OPNsense.quagga.ospf6.enabled == '1' %} ospf6d{% endif %}{%
 if helpers.exists('OPNsense.quagga.ripng.enabled') and OPNsense.quagga.ripng.enabled == '1' %} ripngd{% endif %}{%
-if helpers.exists('OPNsense.quagga.staticd.enabled') and OPNsense.quagga.staticd.enabled == '1' %} staticd{% endif %}{%
+if helpers.exists('OPNsense.quagga.static.enabled') and OPNsense.quagga.static.enabled == '1' %} staticd{% endif %}{%
 if helpers.exists('OPNsense.quagga.isis.enabled') and OPNsense.quagga.isis.enabled == '1' %} isisd{% endif %}"
 frr_carp_demote="{%
     if not helpers.empty('OPNsense.quagga.ospf.carp_demote') %} ospfd{% endif %}{%

From c14389baf235be63aad15a8dcd378bcf0f367693 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Mon, 3 Jun 2024 17:12:12 +0200
Subject: [PATCH 1911/3088] net-mgmt/net-snmp - add xmlrpxc section (#4022)

some people seem to like xmlrpc syncs which can also be used for partial restores
---
 .../net-snmp/src/etc/inc/plugins.inc.d/netsnmp.inc   | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/net-mgmt/net-snmp/src/etc/inc/plugins.inc.d/netsnmp.inc b/net-mgmt/net-snmp/src/etc/inc/plugins.inc.d/netsnmp.inc
index 00a5205f4e..4b16e2697b 100644
--- a/net-mgmt/net-snmp/src/etc/inc/plugins.inc.d/netsnmp.inc
+++ b/net-mgmt/net-snmp/src/etc/inc/plugins.inc.d/netsnmp.inc
@@ -32,6 +32,18 @@ function netsnmp_enabled()
     return (string)$model->enabled == '1';
 }
 
+function netsnmp_xmlrpc_sync()
+{
+    return [
+        [
+            'description' => gettext('Netsnmp'),
+            'section' => 'OPNsense.netsnmp',
+            'services' => ['snmpd'],
+            'id' => 'netsnmp'
+        ]
+    ];
+}
+
 function netsnmp_services()
 {
     $services = array();

From cd16ed335a852135f3a9ec2b58e2fcf15c1d278b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Mon, 3 Jun 2024 17:15:21 +0200
Subject: [PATCH 1912/3088] net-mgmt/nrpe - add xmlrpxc section which can also
 be used for partial restores (#4021)

---
 net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc b/net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc
index e5d1eaed64..a5c19a7cea 100644
--- a/net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc
+++ b/net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc
@@ -32,6 +32,18 @@ function nrpe_enabled()
     return (string)$model->enabled == '1';
 }
 
+function nrpe_xmlrpc_sync()
+{
+    return [
+        [
+            'description' => gettext('NRPE'),
+            'section' => 'OPNsense.nrpe',
+            'services' => ['nrpe'],
+            'id' => 'nrpe',
+        ]
+    ];
+}
+
 function nrpe_services()
 {
     $services = array();

From 9329907cab23613b5c41be656aa0dcf50963af4e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Jun 2024 10:02:35 +0200
Subject: [PATCH 1913/3088] www/nginx: replace rand() usage

---
 www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
index 63e5c6f7a5..d43ea8f981 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
@@ -113,7 +113,7 @@ function get_files_lastmodified(array $files): array
     // - No content => -1
     $times = [];
     foreach ($files as $file) {
-        $mtime = @filemtime($file) ?: rand();
+        $mtime = @filemtime($file) ?: random_int(0, getrandmax());
         $times[$file] = @filesize($file) === 0 ? -1 : $mtime;
     }
     return $times;

From fd067f3a365b37f2c2a5f766d5805b8a9a228171 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Tue, 4 Jun 2024 17:01:33 +0000
Subject: [PATCH 1914/3088] www/caddy: Validation - When Auto HTTPS is enabled,
 an ACME Email address is required since caddy >=v2.8.0

---
 .../mvc/app/models/OPNsense/Caddy/Caddy.php       | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 631afe4b91..2c009e1881 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -141,6 +141,19 @@ private function checkWebGuiSettings($messages) {
         }
     }
 
+    // 5. Check for ACME Email being required when Auto HTTPS on
+    private function checkAcmeEmailAutoHttps($messages) {
+        $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
+        $tlsEmail = (string)$this->general->TlsEmail;
+
+        if (empty($tlsEmail) && $tlsAutoHttpsSetting !== 'off') {
+            $messages->appendMessage(new Message(
+                gettext('To use "Auto HTTPS", an email address is required.'),
+                "general.TlsEmail"
+            ));
+        }
+    }
+
     // Perform the actual validation
     public function performValidation($validateFullModel = false)
     {
@@ -153,6 +166,8 @@ public function performValidation($validateFullModel = false)
         $this->checkSubdomainsAgainstDomains($this->reverseproxy->subdomain->iterateItems(), $this->reverseproxy->reverse->iterateItems(), $messages);
         // 4. Check WebGUI conflicts
         $this->checkWebGuiSettings($messages);
+        // 5. Check for ACME Email requirement
+        $this->checkAcmeEmailAutoHttps($messages);
 
         return $messages;
     }

From 75d55d99e294dfb25679d13e501d2e5707d748eb Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 3 May 2024 10:54:33 +0200
Subject: [PATCH 1915/3088] Update Caddyfile - basicauth becomes basic_auth

---
 .../src/opnsense/service/templates/OPNsense/Caddy/Caddyfile     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index ca403c57a0..24f3650872 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -642,7 +642,7 @@
 #}
 {% macro basicauth_configuration(basicauth_uuids) %}
     {% if basicauth_uuids %}
-    basicauth {
+    basic_auth {
         {% for uuid in basicauth_uuids.split(',') %}
             {% set basicauth = helpers.toList('Pischem.caddy.reverseproxy.basicauth') | selectattr('@uuid', 'equalto', uuid) | first %}
             {% if basicauth %}

From 2ddbc3831d7fb5a2b3de2ad4194c0e378224f37b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 5 Jun 2024 15:12:56 +0200
Subject: [PATCH 1916/3088] www/caddy: Remove port from subdomain since it is
 unsupported. (#4028)

* www/caddy: Remove port from subdomain since it is unsupported. Subdomains track their port from their wildcard domain.

* Add change logs and bump version to 1.5.7

* Changed numbering in validation caddy.php. Adjusted changelog to include new version of caddy.
---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  9 +++++++
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  | 11 ++-------
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 24 ++++++++-----------
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  7 +-----
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  1 -
 .../templates/OPNsense/Caddy/Caddyfile        |  2 +-
 7 files changed, 24 insertions(+), 32 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 3e61d6cc6d..852d97abb0 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.5.6
+PLUGIN_VERSION=		1.5.7
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index c7e00bd685..b29f9461b5 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -26,6 +26,15 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.5.7
+
+* Build: Update to Caddy v2.8.4 + caddy-dns plugins updated to latest upstream versions
+* Add: Error message when OPNsense WebGUI settings conflict with Auto HTTPS.
+* Add: Error message when Auto HTTPS is enabled, and ACME email field is empty, for caddy v2.8.4
+* Cleanup: Fix crash of searchAction when reverseUuids is null
+* Cleanup: basicauth directive is now basic_auth in the Caddyfile template, for caddy v2.8.4
+* Fix: The subdomain port field has been removed, since it is unsupported. Subdomains track their ports from their parent wildcard domain.
+
 1.5.6
 
 * Fix: Wildcard domains with activated "Dynamic DNS" update their base domain with * instead of @.
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index ca6eeb6114..4777809ad9 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -16,20 +16,13 @@
         <label>Subdomain</label>
         <type>text</type>
         <hint>opn.example.com</hint>
-        <help><![CDATA[Enter a subdomain. For example, "opn.example.com" if the wildcard domain is "*.example.com".]]></help>
-    </field>
-    <field>
-        <id>subdomain.FromPort</id>
-        <label>Port</label>
-        <type>text</type>
-        <hint>443</hint>
-        <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Do not forget to allow these ports with a Firewall rule.]]></help>
+        <help><![CDATA[Enter a subdomain. For example, "opn.example.com" if the wildcard domain is "*.example.com". All subdomains use the same ports as their parent wildcard domain.]]></help>
     </field>
     <field>
         <id>subdomain.description</id>
         <label>Description</label>
         <type>text</type>
-        <hint>opn.example.com.443</hint>
+        <hint>opn.example.com</hint>
         <help><![CDATA[Enter a description for this subdomain.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 2c009e1881..4672338273 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -37,13 +37,12 @@
 class Caddy extends BaseModel
 {
     // 1. Check domain-port combinations
-    // 2. Check subdomain-port combinations
     private function checkForUniquePortCombos($items, $messages)
     {
         $combos = [];
         foreach ($items as $item) {
             $key = $item->__reference; // Dynamic key based on item reference
-            $fromDomainOrSubdomain = (string) $item->FromDomain;
+            $fromDomain = (string) $item->FromDomain;
             $fromPort = (string) $item->FromPort;
 
             if ($fromPort === '') {
@@ -53,14 +52,14 @@ private function checkForUniquePortCombos($items, $messages)
             }
 
             foreach ($defaultPorts as $port) {
-                // Create a unique key for domain/subdomain-port combination
-                $comboKey = $fromDomainOrSubdomain . ':' . $port;
+                // Create a unique key for domain-port combination
+                $comboKey = $fromDomain . ':' . $port;
 
                 // Check for duplicate combinations
                 if (isset($combos[$comboKey])) {
                     // Use dynamic $key for message referencing
                     $messages->appendMessage(new Message(
-                        sprintf(gettext("Duplicate entry: The combination of '%s' and port '%s' is already used. Each combination of domain/subdomain and port must be unique."), $fromDomainOrSubdomain, $port),
+                        sprintf(gettext("Duplicate entry: The combination of '%s' and port '%s' is already used. Each combination of domain and port must be unique."), $fromDomain, $port),
                         $key . ".FromDomain", // Adjusted to use dynamic key
                         "DuplicateDomainPort"
                     ));
@@ -71,7 +70,7 @@ private function checkForUniquePortCombos($items, $messages)
         }
     }
 
-    // 3. Check that subdomains are under a wildcard or exact domain
+    // 2. Check that subdomains are under a wildcard or exact domain
     private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
     {
         $wildcardDomainList = [];
@@ -108,7 +107,7 @@ private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
         }
     }
 
-    // 4. Get the current OPNsense WebGUI ports
+    // 3. Get the current OPNsense WebGUI ports and check for conflicts with Caddy
     private function getWebGuiPorts() {
         $webgui = Config::getInstance()->object()->system->webgui ?? null;
         $webGuiPorts = [];
@@ -127,7 +126,6 @@ private function getWebGuiPorts() {
         return $webGuiPorts;
     }
 
-    // 4. Check for conflicts between Caddy and OPNsense WebGUI ports
     private function checkWebGuiSettings($messages) {
         $overlap = array_intersect($this->getWebGuiPorts(), ['80', '443']);
         $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
@@ -141,7 +139,7 @@ private function checkWebGuiSettings($messages) {
         }
     }
 
-    // 5. Check for ACME Email being required when Auto HTTPS on
+    // 4. Check for ACME Email being required when Auto HTTPS on
     private function checkAcmeEmailAutoHttps($messages) {
         $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
         $tlsEmail = (string)$this->general->TlsEmail;
@@ -160,13 +158,11 @@ public function performValidation($validateFullModel = false)
         $messages = parent::performValidation($validateFullModel);
         // 1. Check domain-port combinations
         $this->checkForUniquePortCombos($this->reverseproxy->reverse->iterateItems(), $messages);
-        // 2. Check subdomain-port combinations
-        $this->checkForUniquePortCombos($this->reverseproxy->subdomain->iterateItems(), $messages);
-        // 3. Check that subdomains are under a wildcard or exact domain
+        // 2. Check that subdomains are under a wildcard or exact domain
         $this->checkSubdomainsAgainstDomains($this->reverseproxy->subdomain->iterateItems(), $this->reverseproxy->reverse->iterateItems(), $messages);
-        // 4. Check WebGUI conflicts
+        // 3. Check WebGUI conflicts
         $this->checkWebGuiSettings($messages);
-        // 5. Check for ACME Email requirement
+        // 4. Check for ACME Email requirement
         $this->checkAcmeEmailAutoHttps($messages);
 
         return $messages;
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 49e1aa1222..a65ba0e4ba 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.1.9</version>
+    <version>1.2.0</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -191,11 +191,6 @@
                     <ValidationMessage>Please enter a valid 'from' Subdomain that is based upon the wildcard domain.</ValidationMessage>
                     <ZoneRootAllowed>N</ZoneRootAllowed>
                 </FromDomain>
-                <FromPort type="PortField">
-                    <ValidationMessage>Please enter a valid 'from' port number.</ValidationMessage>
-                    <EnableWellKnown>Y</EnableWellKnown>
-                    <EnableRanges>N</EnableRanges>
-                </FromPort>
                 <accesslist type="ModelRelationField">
                     <Model>
                         <reverseproxy>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 0afbf51bb1..5884a9eb4a 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -291,7 +291,6 @@
                             <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                             <th data-column-id="reverse" data-type="string">{{ lang._('Domain') }}</th>
                             <th data-column-id="FromDomain" data-type="string">{{ lang._('Subdomain') }}</th>
-                            <th data-column-id="FromPort" data-type="string">{{ lang._('Port') }}</th>
                             <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
                             <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
                             <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 24f3650872..db183733c4 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -694,7 +694,7 @@
     {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
     {% if subdomain.enabled|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
     @{{ subdomain['@uuid'] }} {
-        host {{ subdomain.FromDomain }}{% if subdomain.FromPort %}:{{ subdomain.FromPort }}{% endif %}
+        host {{ subdomain.FromDomain }}
     }
     handle @{{ subdomain['@uuid'] }} {
 

From 508864dd891a8f618fa3e8ec0a8db6627fdec08f Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 6 Jun 2024 15:38:20 +0000
Subject: [PATCH 1917/3088] www/caddy: Add dns providers: dnsmadeeasy, bunny,
 civo, scaleway, acmeproxy, inwx, namedotcom, easydns, infomaniak,
 directadmin, hosttech, vultr, Remove dns providers: godaddy

---
 www/caddy/pkg-descr                           |   2 +
 .../OPNsense/Caddy/forms/dnsprovider.xml      |   8 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  16 ++-
 .../templates/OPNsense/Caddy/Caddyfile        | 114 +++++++++++++++++-
 4 files changed, 132 insertions(+), 8 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index b29f9461b5..e0b12623d1 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -34,6 +34,8 @@ Plugin Changelog
 * Cleanup: Fix crash of searchAction when reverseUuids is null
 * Cleanup: basicauth directive is now basic_auth in the Caddyfile template, for caddy v2.8.4
 * Fix: The subdomain port field has been removed, since it is unsupported. Subdomains track their ports from their parent wildcard domain.
+* Add: DNS Providers: dnsmadeeasy, bunny, civo, scaleway, acmeproxy, inwx, namedotcom, easydns, infomaniak, directadmin, hosttech, vultr
+* Remove: DNS Providers: godaddy
 
 1.5.6
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index 7f469d4e9f..39d36919c4 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -9,7 +9,7 @@
         <id>caddy.general.TlsDnsApiKey</id>
         <label>DNS API Standard Field</label>
         <type>text</type>
-        <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", Netcup "customer_number", RFC2136 "key_name".]]></help>
+        <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token"]]></help>
     </field>
     <field>
         <type>header</type>
@@ -20,19 +20,19 @@
         <id>caddy.general.TlsDnsSecretApiKey</id>
         <label>DNS API Additional Field 1</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", Netcup "api_key", RFC2136 "key_alg".]]></help>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField1</id>
         <label>DNS API Additional Field 2</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", Netcup "api_password", RFC2136 "key".]]></help>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField2</id>
         <label>DNS API Additional Field 3</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", RFC2136 "server".]]></help>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField3</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index a65ba0e4ba..d65186476c 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.2.0</version>
+    <version>1.2.1</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -26,7 +26,6 @@
                     <cloudflare>Cloudflare</cloudflare>
                     <duckdns>Duck DNS</duckdns>
                     <digitalocean>DigitalOcean</digitalocean>
-                    <godaddy>GoDaddy</godaddy>
                     <gandi>Gandi</gandi>
                     <ionos>IONOS</ionos>
                     <desec>Desec</desec>
@@ -48,6 +47,19 @@
                     <mailinabox>Mail-in-a-Box</mailinabox>
                     <netcup>Netcup</netcup>
                     <rfc2136>RFC2136</rfc2136>
+                    <dnsmadeeasy>DNS Made Easy</dnsmadeeasy>
+                    <bunny>Bunny</bunny>
+                    <civo>Civo</civo>
+                    <scaleway>Scaleway</scaleway>
+                    <acmeproxy>ACME Proxy</acmeproxy>
+                    <inwx>INWX</inwx>
+                    <netcup>Netcup</netcup>
+                    <namedotcom>Name.com</namedotcom>
+                    <easydns>EasyDNS</easydns>
+                    <infomaniak>Infomaniak</infomaniak>
+                    <directadmin>DirectAdmin</directadmin>
+                    <hosttech>Hosttech</hosttech>
+                    <vultr>Vultr</vultr>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField"/>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index db183733c4..63598f962c 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -143,7 +143,7 @@
 
     {% if dnsProvider and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
         dynamic_dns {
-            {% if dnsProvider in ['porkbun', 'desec', 'route53', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136'] %}
+            {% if dnsProvider in ['porkbun', 'desec', 'route53', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136', 'dnsmadeeasy', 'civo', 'scaleway', 'acmeproxy', 'inwx', 'netcup', 'namedotcom', 'easydns', 'directadmin'] %}
                 provider {{ dnsProvider }} {
                     {% if dnsProvider == 'porkbun' %}
                         {% if dnsApiKey %}api_key {{ dnsApiKey }}
@@ -254,9 +254,64 @@
                         {% endif %}
                         {% if dnsOptionalField2 %}server {{ dnsOptionalField2 }}
                         {% endif %}
+                    {% elif dnsProvider == 'dnsmadeeasy' %}
+                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'civo' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'scaleway' %}
+                        {% if dnsApiKey %}secret_key {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}organization_id {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'acmeproxy' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}endpoint {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'inwx' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}shared_secret {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}endpoint_url {{ dnsOptionalField2 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'namedotcom' %}
+                        {% if dnsApiKey %}token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}server {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}user {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'easydns' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_url {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'directadmin' %}
+                        {% if dnsApiKey %}host {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}login_key {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}insecure_requests {{ dnsOptionalField2 }}
+                        {% endif %}
                     {% endif %}
                 }
             {% else %}
+                {# Other DNS Providers fall under this default #}
                 provider {{ dnsProvider }} {{ dnsApiKey }}
             {% endif %}
             domains {
@@ -358,7 +413,7 @@
 #}
 {% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) %}
     {% if dnsChallenge == "1" and dnsProvider %}
-        {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136'] %}
+        {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136', 'dnsmadeeasy', 'civo', 'scaleway', 'acmeproxy', 'inwx', 'netcup', 'namedotcom', 'easydns', 'directadmin'] %}
             tls {
                 dns {{ dnsProvider }} {
                     {% if dnsProvider == 'duckdns' %}
@@ -484,11 +539,66 @@
                         {% endif %}
                         {% if dnsOptionalField2 %}server {{ dnsOptionalField2 }}
                         {% endif %}
+                    {% elif dnsProvider == 'dnsmadeeasy' %}
+                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'civo' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'scaleway' %}
+                        {% if dnsApiKey %}secret_key {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}organization_id {{ dnsSecretApiKey }}
+                        {% endif %}
+                    {% elif dnsProvider == 'acmeproxy' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}endpoint {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'inwx' %}
+                        {% if dnsApiKey %}username {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}shared_secret {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}endpoint_url {{ dnsOptionalField2 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'namedotcom' %}
+                        {% if dnsApiKey %}token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}server {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}user {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'easydns' %}
+                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}api_url {{ dnsOptionalField1 }}
+                        {% endif %}
+                    {% elif dnsProvider == 'directadmin' %}
+                        {% if dnsApiKey %}host {{ dnsApiKey }}
+                        {% endif %}
+                        {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
+                        {% endif %}
+                        {% if dnsOptionalField1 %}login_key {{ dnsOptionalField1 }}
+                        {% endif %}
+                        {% if dnsOptionalField2 %}insecure_requests {{ dnsOptionalField2 }}
+                        {% endif %}
                     {% endif %}
                 }
             }
         {% else %}
             tls {
+                {# Other DNS Providers fall under this default #}
                 dns {{ dnsProvider }} {{ dnsApiKey }}
             }
         {% endif %}

From 2f625afc1995edd47cde0b7ea00efc9c7630bbdc Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 10 Jun 2024 08:23:10 +0200
Subject: [PATCH 1918/3088] www/caddy: Change "check_interval" and "ttl" to
 seconds, add "update_only" option (#4038)

* www/caddy: Change TTL of DNS Records set by dynamic DNS. TTL can be left empty to use system defaults, or a value in seconds.

* Add changelog.

* Change DynDnsCheckInterval to DynDnsInterval, using seconds. Field is allowed to be empty, it uses the system default of 1800s (30m) from the module if undefined. Improve help text. Add validation range to model.

* Add new Update Only field to Dynamic Dns. Add validations to model that were forgot in last commit.

* Update parameter comments in Caddyfile.

* Forgot to change fieldname in form controller.
---
 www/caddy/pkg-descr                           |  2 ++
 .../OPNsense/Caddy/forms/dynamicdns.xml       | 15 ++++++++---
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 25 ++++++++-----------
 .../templates/OPNsense/Caddy/Caddyfile        | 19 ++++++++------
 4 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index e0b12623d1..85d66a474e 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -33,6 +33,8 @@ Plugin Changelog
 * Add: Error message when Auto HTTPS is enabled, and ACME email field is empty, for caddy v2.8.4
 * Cleanup: Fix crash of searchAction when reverseUuids is null
 * Cleanup: basicauth directive is now basic_auth in the Caddyfile template, for caddy v2.8.4
+* Change: Dynamic DNS "TTL" and "Check Interval" have been changed to seconds. Existing values have been reset to use the defaults of the implementation.
+* Add: Dynamic DNS now supports "Update Only", only updating existing records without creating new ones.
 * Fix: The subdomain port field has been removed, since it is unsupported. Subdomains track their ports from their parent wildcard domain.
 * Add: DNS Providers: dnsmadeeasy, bunny, civo, scaleway, acmeproxy, inwx, namedotcom, easydns, infomaniak, directadmin, hosttech, vultr
 * Remove: DNS Providers: godaddy
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
index 3304ac080e..e465103ba4 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
@@ -6,16 +6,23 @@
         <help><![CDATA[Select the DynDns IP Version: "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
     </field>
     <field>
-        <id>caddy.general.DynDnsCheckInterval</id>
+        <id>caddy.general.DynDnsUpdateOnly</id>
+        <label>DynDns Update Only</label>
+        <type>checkbox</type>
+        <help><![CDATA[If enabled, no new DNS records will be created. Only existing records will be updated. This means that the A or AAAA records need to be created manually ahead of time.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.DynDnsInterval</id>
         <label>DynDns Check Interval</label>
         <type>text</type>
-        <help><![CDATA[Set the interval to poll for changes in the IP address. The default is 5 minutes. Values can range from 1 to 1440 minutes.]]></help>
+        <hint>1800</hint>
+        <help><![CDATA[Set the interval in seconds to poll for changes in the IP address. Leave empty to use system defaults.]]></help>
     </field>
     <field>
-        <id>caddy.general.DynDnsTTL</id>
+        <id>caddy.general.DynDnsTtl</id>
         <label>DynDns TTL</label>
         <type>text</type>
-        <help><![CDATA[Set the TTL (Time to Live) for DNS records. The default is 1 hour. Values can range from 1 to 24 hours.]]></help>
+        <help><![CDATA[Set the TTL (Time to Live) for DNS records in seconds. Leave empty to use the default of an already existing TTL (when updating only) or the default of the provider API (when creating new records). If explicitely set, values should be as defined in rfc2181 section 8.]]></help>
     </field>
     <field>
         <type>header</type>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index d65186476c..eab9054cd3 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.2.1</version>
+    <version>1.2.2</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -108,13 +108,11 @@
                 <ValidationMessage>Please enter a valid URL, starting with http or https.</ValidationMessage>
             </DynDnsSimpleHttp>
             <DynDnsInterface type="InterfaceField"/>
-            <DynDnsCheckInterval type="IntegerField">
-                <Default>5</Default>
+            <DynDnsInterval type="IntegerField">
                 <MinimumValue>1</MinimumValue>
-                <MaximumValue>1440</MaximumValue>
-                <ValidationMessage>Please enter a valid number from 1 to 1440 minutes.</ValidationMessage>
-                <Required>Y</Required>
-            </DynDnsCheckInterval>
+                <MaximumValue>2147483647</MaximumValue>
+                <ValidationMessage>Please enter a valid number from 1 to 2147483647 seconds or leave empty for default.</ValidationMessage>
+            </DynDnsInterval>
             <DynDnsIpVersions type="OptionField">
                 <BlankDesc>IPv4+IPv6</BlankDesc>
                 <OptionValues>
@@ -122,13 +120,12 @@
                     <ipv6>IPv6 only</ipv6>
                 </OptionValues>
             </DynDnsIpVersions>
-            <DynDnsTTL type="IntegerField">
-                <Default>1</Default>
-                <MinimumValue>1</MinimumValue>
-                <MaximumValue>24</MaximumValue>
-                <ValidationMessage>Please enter a valid number from 1 to 24 hours.</ValidationMessage>
-                <Required>Y</Required>
-            </DynDnsTTL>
+            <DynDnsTtl type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>2147483647</MaximumValue>
+                <ValidationMessage>Please enter a valid number from 0 to 2147483647 seconds or leave empty for default.</ValidationMessage>
+            </DynDnsTtl>
+            <DynDnsUpdateOnly type="BooleanField"/>
         </general>
         <reverseproxy>
             <reverse type="ArrayField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 63598f962c..6640f0c4e1 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -101,10 +101,11 @@
     #   - @param dnsOptionalField1 to 4 (string): Optional configuration field for the DNS provider.
     #   - @param dynDnsSimpleHttp (string): URL for a simple HTTP-based service to discover the server's public IP.
     #   - @param dynDnsInterface (string): Network interface(s) to use for IP discovery.
-    #   - @param dynDnsCheckInterval (integer): Interval in minutes to check for IP changes.
+    #   - @param dynDnsCheckInterval (integer): Interval in seconds to check for IP changes. Can be empty for defaults.
     #   - @param dynDnsIpVersions (string): The IP version(s) (IPv4, IPv6) for the DDNS update.
-    #   - @param dynDnsTTL (integer): Time-To-Live for the DNS records, in hours.
+    #   - @param dynDnsTtl (integer): Time-To-Live for the DNS records, in seconds. Can be empty for defaults.
     #   - @param dynDnsDomains (list): Domains and subdomains list for which DDNS updates are enabled.
+    #   - @param dynDnsUpdateOnly (boolean): If set, only updates DNS records, not creating new ones.
     #}
     {% set dnsProvider = helpers.toList('Pischem.caddy.general.TlsDnsProvider') | first %}
     {% set dnsApiKey = generalSettings.TlsDnsApiKey %}
@@ -115,9 +116,10 @@
     {% set dnsOptionalField4 = generalSettings.TlsDnsOptionalField4 %}
     {% set dynDnsSimpleHttp = generalSettings.DynDnsSimpleHttp %}
     {% set dynDnsInterface = generalSettings.DynDnsInterface %}
-    {% set dynDnsCheckInterval = generalSettings.DynDnsCheckInterval %}
+    {% set dynDnsUpdateOnly = generalSettings.DynDnsUpdateOnly %}
+    {% set dynDnsCheckInterval = generalSettings.DynDnsInterval %}
     {% set dynDnsIpVersions = generalSettings.DynDnsIpVersions %}
-    {% set dynDnsTTL = generalSettings.DynDnsTTL %}
+    {% set dynDnsTtl = generalSettings.DynDnsTtl %}
     {% set dynDnsDomains = [] %}
 
     {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
@@ -330,13 +332,16 @@
             ip_source interface {{ physicalInterfaceNames | join(',') }}
         {% endif %}
         {% if dynDnsCheckInterval %}
-        check_interval {{ dynDnsCheckInterval }}m
+        check_interval {{ dynDnsCheckInterval }}s
         {% endif %}
         {% if dynDnsIpVersions %}
         versions {{ dynDnsIpVersions }}
         {% endif %}
-        {% if dynDnsTTL %}
-        ttl {{ dynDnsTTL }}h
+        {% if dynDnsTtl %}
+        ttl {{ dynDnsTtl }}s
+        {% endif %}
+        {% if dynDnsUpdateOnly|default("0") == "1" %}
+        update_only
         {% endif %}
     }
     {% endif %}

From 0668669a57fdf610006dfc31dc23a94cb69fb545 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 10 Jun 2024 08:28:50 +0200
Subject: [PATCH 1919/3088] www/caddy: Remove dns provider duplication in
 Caddyfile (#4034)

* www/caddy: Remove dns provider duplication in Caddyfile, move to single source of truth to file includeDnsProvider.

* Refactor DNS Providers that require special configuration into one array to avoid duplication.

* Remove redundant dnsProvider check before tls { } block. Make comments better to explain special cases and how to maintain dns providers in the template.

* Improve comment a bit more

* Add changelog
---
 www/caddy/pkg-descr                           |   1 +
 .../templates/OPNsense/Caddy/Caddyfile        | 359 +-----------------
 .../OPNsense/Caddy/includeDnsProvider         | 186 +++++++++
 3 files changed, 201 insertions(+), 345 deletions(-)
 create mode 100644 www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 85d66a474e..90d1ce1b1f 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -38,6 +38,7 @@ Plugin Changelog
 * Fix: The subdomain port field has been removed, since it is unsupported. Subdomains track their ports from their parent wildcard domain.
 * Add: DNS Providers: dnsmadeeasy, bunny, civo, scaleway, acmeproxy, inwx, namedotcom, easydns, infomaniak, directadmin, hosttech, vultr
 * Remove: DNS Providers: godaddy
+* Cleanup: Refactor dns provider configuration in Caddyfile template
 
 1.5.6
 
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 6640f0c4e1..e9a5496aaa 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -143,174 +143,20 @@
         {% endfor %}
     {% endfor %}
 
-    {% if dnsProvider and dnsProvider != "acmedns" and dynDnsDomains|length > 0 %}
+    {#
+    # Define special DNS Providers that have more than one API key, or special requirements that do not allow the use of the default.
+    # The same providers have to be added to "OPNsense/Caddy/includeDnsProvider", best in the same order as in this array for maintainability.
+    # For a new provider to work, it has to be compiled into the caddy binary.
+    #}
+    {% set dnsProviderSpecialConfig = ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136', 'dnsmadeeasy', 'civo', 'scaleway', 'acmeproxy', 'inwx', 'namedotcom', 'easydns', 'directadmin'] %}
+
+    {# Conditionally add the dynamic_dns section, acmedns provider is special, it does not support dynamic_dns. #}
+    {% if dnsProvider and dynDnsDomains|length > 0 and dnsProvider != "acmedns" %}
         dynamic_dns {
-            {% if dnsProvider in ['porkbun', 'desec', 'route53', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136', 'dnsmadeeasy', 'civo', 'scaleway', 'acmeproxy', 'inwx', 'netcup', 'namedotcom', 'easydns', 'directadmin'] %}
+            {# duckdns provider is special, it has a different configuration for dynamic dns than for the dns-01 challenge. #}
+            {% if dnsProvider in dnsProviderSpecialConfig and dnsProvider != "duckdns" %}
                 provider {{ dnsProvider }} {
-                    {% if dnsProvider == 'porkbun' %}
-                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_secret_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'desec' %}
-                        {% if dnsApiKey %}token {{ dnsApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'route53' %}
-                        {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}max_retries {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}aws_profile {{ dnsOptionalField2 }}
-                        {% endif %}
-                        {% if dnsOptionalField3 %}region {{ dnsOptionalField3 }}
-                        {% endif %}
-                        {% if dnsOptionalField4 %}token {{ dnsOptionalField4 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'googleclouddns' %}
-                        {% if dnsApiKey %}gcp_project {{ dnsApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'azure' %}
-                        {% if dnsApiKey %}tenant_id {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}client_id {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}client_secret {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}subscription_id {{ dnsOptionalField2 }}
-                        {% endif %}
-                        {% if dnsOptionalField3 %}resource_group_name {{ dnsOptionalField3 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'ovh' %}
-                        {% if dnsApiKey %}endpoint {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}application_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}application_secret {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}consumer_key {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'namecheap' %}
-                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}client_ip {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'powerdns' %}
-                        {% if dnsApiKey %}server_url {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_token {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'ddnss' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}username {{ dnsSecretApiKey }}
-                        {% endif %}
-                        password {{ dnsOptionalField1 }}
-                    {% elif dnsProvider == 'linode' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_url {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_version {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'tencentcloud' %}
-                        {% if dnsApiKey %}secret_id {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'dinahosting' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'hexonet' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'mailinabox' %}
-                        {% if dnsApiKey %}api_url {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}email_address {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}password {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'netcup' %}
-                        {% if dnsApiKey %}customer_number {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_password {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'rfc2136' %}
-                        {% if dnsApiKey %}key_name {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}key_alg {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}key {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}server {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'dnsmadeeasy' %}
-                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'civo' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'scaleway' %}
-                        {% if dnsApiKey %}secret_key {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}organization_id {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'acmeproxy' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}endpoint {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'inwx' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}shared_secret {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}endpoint_url {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'namedotcom' %}
-                        {% if dnsApiKey %}token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}server {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}user {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'easydns' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_url {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'directadmin' %}
-                        {% if dnsApiKey %}host {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}login_key {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}insecure_requests {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% endif %}
+                    {% include "OPNsense/Caddy/includeDnsProvider" %}
                 }
             {% else %}
                 {# Other DNS Providers fall under this default #}
@@ -418,187 +264,10 @@
 #}
 {% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) %}
     {% if dnsChallenge == "1" and dnsProvider %}
-        {% if dnsProvider in ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136', 'dnsmadeeasy', 'civo', 'scaleway', 'acmeproxy', 'inwx', 'netcup', 'namedotcom', 'easydns', 'directadmin'] %}
+        {% if dnsProvider in dnsProviderSpecialConfig %}
             tls {
                 dns {{ dnsProvider }} {
-                    {% if dnsProvider == 'duckdns' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}override_domain {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'porkbun' %}
-                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_secret_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'desec' %}
-                        {% if dnsApiKey %}token {{ dnsApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'route53' %}
-                        {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}max_retries {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}aws_profile {{ dnsOptionalField2 }}
-                        {% endif %}
-                        {% if dnsOptionalField3 %}region {{ dnsOptionalField3 }}
-                        {% endif %}
-                        {% if dnsOptionalField4 %}token {{ dnsOptionalField4 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'acmedns' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}subdomain {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}server_url {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'googleclouddns' %}
-                        {% if dnsApiKey %}gcp_project {{ dnsApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'azure' %}
-                        {% if dnsApiKey %}tenant_id {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}client_id {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}client_secret {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}subscription_id {{ dnsOptionalField2 }}
-                        {% endif %}
-                        {% if dnsOptionalField3 %}resource_group_name {{ dnsOptionalField3 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'ovh' %}
-                        {% if dnsApiKey %}endpoint {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}application_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}application_secret {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}consumer_key {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'namecheap' %}
-                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}client_ip {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'powerdns' %}
-                        {% if dnsApiKey %}server_url {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_token {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'ddnss' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}username {{ dnsSecretApiKey }}
-                        {% endif %}
-                        password {{ dnsOptionalField1 }}
-                    {% elif dnsProvider == 'linode' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_url {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_version {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'tencentcloud' %}
-                        {% if dnsApiKey %}secret_id {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'dinahosting' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'hexonet' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'mailinabox' %}
-                        {% if dnsApiKey %}api_url {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}email_address {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}password {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'netcup' %}
-                        {% if dnsApiKey %}customer_number {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_password {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'rfc2136' %}
-                        {% if dnsApiKey %}key_name {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}key_alg {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}key {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}server {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'dnsmadeeasy' %}
-                        {% if dnsApiKey %}api_key {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'civo' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'scaleway' %}
-                        {% if dnsApiKey %}secret_key {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}organization_id {{ dnsSecretApiKey }}
-                        {% endif %}
-                    {% elif dnsProvider == 'acmeproxy' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}endpoint {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'inwx' %}
-                        {% if dnsApiKey %}username {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}shared_secret {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}endpoint_url {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'namedotcom' %}
-                        {% if dnsApiKey %}token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}server {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}user {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'easydns' %}
-                        {% if dnsApiKey %}api_token {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}api_url {{ dnsOptionalField1 }}
-                        {% endif %}
-                    {% elif dnsProvider == 'directadmin' %}
-                        {% if dnsApiKey %}host {{ dnsApiKey }}
-                        {% endif %}
-                        {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
-                        {% endif %}
-                        {% if dnsOptionalField1 %}login_key {{ dnsOptionalField1 }}
-                        {% endif %}
-                        {% if dnsOptionalField2 %}insecure_requests {{ dnsOptionalField2 }}
-                        {% endif %}
-                    {% endif %}
+                    {% include "OPNsense/Caddy/includeDnsProvider" %}
                 }
             }
         {% else %}
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
new file mode 100644
index 0000000000..f962d75120
--- /dev/null
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
@@ -0,0 +1,186 @@
+{#
+# This file gets imported in two sections of the Caddyfile template
+# - Section: Dynamic DNS Global Configuration
+# - Macro: tls_configuration
+#
+# It only includes DNS Providers that need specific settings and do not default to
+# "dns {{ dnsProvider }} {{ dnsApiKey }}"
+#}
+{% if dnsProvider == 'duckdns' %}
+    {% if dnsApiKey %}api_token {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}override_domain {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'porkbun' %}
+    {% if dnsApiKey %}api_key {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_secret_key {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'desec' %}
+    {% if dnsApiKey %}token {{ dnsApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'route53' %}
+    {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}max_retries {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}aws_profile {{ dnsOptionalField2 }}
+    {% endif %}
+    {% if dnsOptionalField3 %}region {{ dnsOptionalField3 }}
+    {% endif %}
+    {% if dnsOptionalField4 %}token {{ dnsOptionalField4 }}
+    {% endif %}
+{% elif dnsProvider == 'acmedns' %}
+    {% if dnsApiKey %}username {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}subdomain {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}server_url {{ dnsOptionalField2 }}
+    {% endif %}
+{% elif dnsProvider == 'googleclouddns' %}
+    {% if dnsApiKey %}gcp_project {{ dnsApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'azure' %}
+    {% if dnsApiKey %}tenant_id {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}client_id {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}client_secret {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}subscription_id {{ dnsOptionalField2 }}
+    {% endif %}
+    {% if dnsOptionalField3 %}resource_group_name {{ dnsOptionalField3 }}
+    {% endif %}
+{% elif dnsProvider == 'ovh' %}
+    {% if dnsApiKey %}endpoint {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}application_key {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}application_secret {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}consumer_key {{ dnsOptionalField2 }}
+    {% endif %}
+{% elif dnsProvider == 'namecheap' %}
+    {% if dnsApiKey %}api_key {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}client_ip {{ dnsOptionalField2 }}
+    {% endif %}
+{% elif dnsProvider == 'powerdns' %}
+    {% if dnsApiKey %}server_url {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_token {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'ddnss' %}
+    {% if dnsApiKey %}api_token {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}username {{ dnsSecretApiKey }}
+    {% endif %}
+    password {{ dnsOptionalField1 }}
+{% elif dnsProvider == 'linode' %}
+    {% if dnsApiKey %}api_token {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_url {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}api_version {{ dnsOptionalField1 }}
+    {% endif %}
+{% elif dnsProvider == 'tencentcloud' %}
+    {% if dnsApiKey %}secret_id {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'dinahosting' %}
+    {% if dnsApiKey %}username {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'hexonet' %}
+    {% if dnsApiKey %}username {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'mailinabox' %}
+    {% if dnsApiKey %}api_url {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}email_address {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}password {{ dnsOptionalField1 }}
+    {% endif %}
+{% elif dnsProvider == 'netcup' %}
+    {% if dnsApiKey %}customer_number {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}api_password {{ dnsOptionalField1 }}
+    {% endif %}
+{% elif dnsProvider == 'rfc2136' %}
+    {% if dnsApiKey %}key_name {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}key_alg {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}key {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}server {{ dnsOptionalField2 }}
+    {% endif %}
+{% elif dnsProvider == 'dnsmadeeasy' %}
+    {% if dnsApiKey %}api_key {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
+    {% endif %}
+{% elif dnsProvider == 'civo' %}
+    {% if dnsApiKey %}api_token {{ dnsApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'scaleway' %}
+    {% if dnsApiKey %}secret_key {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}organization_id {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'acmeproxy' %}
+    {% if dnsApiKey %}username {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}endpoint {{ dnsOptionalField1 }}
+    {% endif %}
+{% elif dnsProvider == 'inwx' %}
+    {% if dnsApiKey %}username {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}shared_secret {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}endpoint_url {{ dnsOptionalField2 }}
+    {% endif %}
+{% elif dnsProvider == 'namedotcom' %}
+    {% if dnsApiKey %}token {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}server {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}user {{ dnsOptionalField1 }}
+    {% endif %}
+{% elif dnsProvider == 'easydns' %}
+    {% if dnsApiKey %}api_token {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}api_url {{ dnsOptionalField1 }}
+    {% endif %}
+{% elif dnsProvider == 'directadmin' %}
+    {% if dnsApiKey %}host {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}login_key {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}insecure_requests {{ dnsOptionalField2 }}
+    {% endif %}
+{% endif %}

From 6eb19d223f93544e670863f39fb4bad3002f7786 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Jun 2024 11:05:22 +0200
Subject: [PATCH 1920/3088] net/frr: bump revision

---
 net/frr/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 0e6a4fe7b7..58e43f19ed 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.40
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 68039e95fd92cfa8601da30e0c10f8747a6c3724 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Mon, 17 Jun 2024 16:14:33 +0200
Subject: [PATCH 1921/3088] Themes update for 24.7 (#4044)

---
 misc/theme-cicada/Makefile                    |   2 +-
 .../cicada/assets/stylesheets/dashboard.scss  | 299 ++++++++++++
 .../assets/stylesheets/dns-overview.scss      | 173 +++++++
 .../cicada/assets/stylesheets/main.scss       | 242 +++++-----
 .../www/themes/cicada/build/css/dashboard.css | 284 ++++++++++++
 .../themes/cicada/build/css/dns-overview.css  |   2 +-
 .../www/themes/cicada/build/css/main.css      | 163 +++----
 misc/theme-vicuna/Makefile                    |   2 +-
 .../vicuna/assets/stylesheets/dashboard.scss  | 299 ++++++++++++
 .../assets/stylesheets/dns-overview.scss      | 173 +++++++
 .../vicuna/assets/stylesheets/main.scss       | 432 +++++++++---------
 .../www/themes/vicuna/build/css/dashboard.css | 284 ++++++++++++
 .../themes/vicuna/build/css/dns-overview.css  |   4 +-
 .../www/themes/vicuna/build/css/main.css      | 319 ++++++-------
 14 files changed, 2100 insertions(+), 578 deletions(-)
 create mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
 create mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dns-overview.scss
 create mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dns-overview.scss
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 41211e3486..d1245d117a 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.35
+PLUGIN_VERSION=		1.36
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
new file mode 100644
index 0000000000..f50c891359
--- /dev/null
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
@@ -0,0 +1,299 @@
+.fa-spinner {
+  font-size: 2em;
+}
+
+.grid-stack-item-content {
+  text-align: center;
+  border-style: solid;
+  border-color: rgba(25, 25, 25, 0.72);
+  border-width: 2px;
+  background-color: #1c1c1c;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+}
+
+.widget-content {
+  position: relative;
+  width: 100%;
+  height: 100%;
+  padding: 1px;
+  cursor: grab;
+}
+
+.widget-header {
+  margin-top: 0.5em;
+  margin-left: 1em;
+  margin-right: 1em;
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+}
+
+.widget-spinner {
+  margin-top: 20px;
+}
+
+.fa-stack.small {
+  font-size: 0.5em;
+}
+
+.close-handle {
+  vertical-align: middle;
+  text-align: right;
+  cursor: pointer;
+
+  > i {
+    font-size: 0.7em;
+  }
+}
+
+.panel-divider {
+  width: 100%;
+  text-align: center;
+  height: 8px;
+  margin-bottom: 10px;
+}
+
+table {
+  table-layout: fixed;
+}
+
+td {
+  word-break: break-all;
+}
+
+.line {
+  display: inline-block;
+  height: 1px;
+  width: 70%;
+  background: #d94f00;
+  margin: 5px;
+}
+
+.canvas-container {
+  position: relative;
+}
+
+.cpu-canvas-container {
+  display: flex;
+  flex-direction: column;
+}
+
+.smoothie-container {
+  width: 100%;
+}
+
+.smoothie-chart-tooltip {
+  z-index: 1;
+
+  /* necessary to force to foreground */
+  background: rgba(50, 50, 50, 0.9);
+  padding-left: 15px;
+  padding-right: 15px;
+  color: white;
+  font-size: 13px;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+  pointer-events: none;
+}
+
+.flex-container {
+  display: flex;
+  flex-wrap: nowrap;
+  white-space: nowrap;
+}
+
+.gateway-info {
+  margin: 5px;
+  padding: 5px;
+  font-size: 13px;
+}
+
+.gateway-detail-container {
+  display: none;
+  margin: 5px;
+}
+
+.interface-info {
+  display: flex;
+  flex-wrap: wrap;
+  align-items: center;
+  height: 100%;
+}
+
+.nowrap {
+  flex-wrap: nowrap;
+}
+
+.gateway-graph {
+  display: none;
+}
+
+.flex-container > .gateway-graph {
+  font-size: 13px;
+}
+
+.vertical-center-row {
+  height: 100%;
+  display: inline;
+}
+
+.interfaces-info {
+  margin: 5px;
+  font-size: 13px;
+}
+
+.interface-descr {
+  margin-left: 10px;
+  font-size: 15px;
+  cursor: pointer;
+  text-decoration: underline;
+}
+
+.interfaces-detail-container {
+  margin: 5px;
+  display: none;
+}
+
+.d-flex {
+  display: flex;
+
+  > {
+    .justify-content-start {
+      justify-content: start;
+    }
+
+    .justify-content-end {
+      justify-content: end;
+    }
+  }
+}
+
+#chartjs-toolip {
+  z-index: 20;
+}
+
+/* CPU widget */
+
+.cpu-type {
+  margin-bottom: 10px;
+  margin-top: 10px;
+}
+
+/* ----- */
+
+/* Custom flex table */
+
+div {
+  box-sizing: border-box;
+}
+
+.flextable-container {
+  display: block;
+  margin: 2em auto;
+  width: 95%;
+  max-width: 1200px;
+}
+
+.flextable-header {
+  display: flex;
+  flex-flow: row wrap;
+  transition: 0.5s;
+  padding: 0.5em 0.5em;
+  border-top: solid 1px rgba(217, 79, 0, 0.15);
+}
+
+.flextable-row {
+  display: flex;
+  flex-flow: row wrap;
+  transition: 0.5s;
+  padding: 0.5em 0.5em;
+  border-top: solid 1px rgba(255, 255, 255, 0.06);
+  align-items: center;
+}
+
+.flextable-header .flex-cell {
+  font-weight: bold;
+}
+
+.flextable-row:hover {
+  background: #242424;
+  transition: 500ms;
+}
+
+.flex-cell {
+  text-align: left;
+  word-break: break-word;
+}
+
+.column {
+  display: flex;
+  flex-flow: column wrap;
+  width: 50%;
+  padding: 0;
+
+  .flex-cell {
+    display: flex;
+    flex-flow: row wrap;
+    width: 100%;
+    padding: 0;
+    border: 0;
+    border-top: rgb(59, 59, 59);
+
+    &:hover {
+      background: none !important;
+      transition: 500ms;
+    }
+  }
+}
+
+.flex-subcell {
+  width: 100%;
+  text-align: left;
+}
+
+.column .flex-cell:not(:last-child) {
+  border-bottom: none !important;
+}
+
+/* ----- */
+
+/* CSS grid responsive table */
+
+.grid-header-container {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+}
+
+.grid-row {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+  background-color: #f7e2d6;
+
+  /* fade-in color, transitions to transparent */
+  border-top: 1px solid #f7e2d6;
+  transition: 0.5s;
+  opacity: 0.4;
+
+  &:hover {
+    background: #F5F5F5 !important;
+    transition: 500ms;
+  }
+}
+
+.grid-header {
+  border-top: 1px solid #f7e2d6;
+  font-weight: bold;
+}
+
+.grid-item {
+  border: 1 px solid #ccc;
+  padding: 4px;
+  text-align: center;
+}
+
+/* ----- */
+
+:root {
+  --chart-js-background-color:#bac3ca;
+  --chart-js-border-color:#bac3ca;
+  --chart-js-font-color:#bac3ca;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dns-overview.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dns-overview.scss
new file mode 100644
index 0000000000..9399ac7bee
--- /dev/null
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dns-overview.scss
@@ -0,0 +1,173 @@
+.tab-content {
+  padding: 10px;
+  border-top: 1px solid #191919;
+}
+
+.banner {
+  width: 25%;
+}
+
+.stats-element {
+  height: 5em;
+  background: #202020;
+  overflow: hidden;
+  display: flex;
+  justify-content: flex-start;
+  border-radius: .3em;
+  margin: auto;
+  border: 1px solid rgb(24, 24, 24);
+}
+
+.stats-icon {
+  height: auto;
+  width: 50%;
+  object-fit: cover;
+  background: #242424;
+  border-radius: 0 2em 2em 0 / 0 3em 3em 0;
+  box-shadow: 3px 5px 1px 3px rgb(28, 16, 9);
+}
+
+.large-icon {
+  position: relative;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%);
+  font-size: 2em;
+}
+
+.stats-text {
+  height: 5em;
+  width: 15em;
+  display: flex;
+  justify-content: center;
+  text-align: center;
+  align-items: center;
+  flex-direction: column;
+}
+
+.stats-counter-text, .stats-inner-text {
+  margin: 0;
+  padding: 0;
+  text-align: center;
+  font-size: 15px;
+}
+
+#bannersub {
+  text-align: center;
+  margin: 5px;
+}
+
+.list-group-wrapper {
+  margin: 0px;
+  padding-top: 10px;
+  padding-bottom: 10px;
+}
+
+.list-item-domain {
+  height: 2.5em;
+}
+
+.list-group-item-border {
+  border: 1px solid #191919;
+
+  &:first-child {
+    border-top-left-radius: 4px;
+    border-top-right-radius: 4px;
+    border-bottom: 2px solid #1c1c1c;
+  }
+
+  &:last-child {
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+  }
+}
+
+.btn.pull-right {
+  margin-left: 3px;
+}
+
+.odd-bg {
+  background: #f7f7f7;
+}
+
+.top-item {
+  display: flex;
+  white-space: nowrap;
+}
+
+.group-p {
+  overflow: hidden;
+  height: 20px;
+  margin-right: 5px;
+  text-overflow: ellipsis;
+}
+
+.counter {
+  position: relative;
+  top: -3px;
+  color: #888;
+  font-size: 14px;
+  line-height: 1.4;
+  flex: 1;
+  text-align: right;
+}
+
+.vertical-center {
+  margin: 0;
+  position: absolute;
+  top: 50%;
+  -ms-transform: translateY(-50%);
+  transform: translateY(-50%);
+}
+
+#maintabs > li > a {
+  border: 1px solid #191919;
+}
+
+.query-success {
+  background-color: rgba(5, 142, 73, 0.3);
+}
+
+.query-info {
+  background-color: rgba(255, 227, 0, 0.3);
+}
+
+.query-danger {
+  background-color: rgba(235, 9, 9, 0.3);
+}
+
+.query-warning {
+  background-color: rgba(255, 131, 0, 0.3);
+}
+
+.query-error {
+  background-color: #402751;
+}
+
+#searchFilter {
+  display: inline-block;
+  margin: 0 20px 0 0;
+  vertical-align: middle;
+}
+
+.tag {
+  font-size: 14px;
+  padding: .3em .4em .4em;
+  margin: 0 .1em;
+
+  a {
+    color: #bbb;
+    cursor: pointer;
+    opacity: 0.9;
+    margin: 0 0 0 .3em;
+
+    fa-times {
+      color: #fff;
+      margin-bottom: 2px;
+    }
+  }
+}
+
+.tooltip-inner {
+  max-width: 1000px !important;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index a95348ce0b..a7e374d6bb 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -10,12 +10,12 @@
   min-height: 25px !important;
 
   .btn-group .btn {
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
     background: none;
     border: 0px;
 
     .glyphicon {
-      color: #FFFFFF !important;
+      color: #bac3ca !important;
     }
   }
 
@@ -245,8 +245,8 @@ optgroup {
 
 table {
   border-spacing: 0;
-  background-color: #373737;
-  color: #FFF;
+  background-color: #1c1c1c;
+  color: #bac3ca;
   width: 100%;
 }
 
@@ -823,12 +823,12 @@ td, th {
 
 .glyphicon-chevron-up:before {
   content: "\e113";
-  color: #FFFFFF !important;
+  color: #bac3ca !important;
 }
 
 .glyphicon-chevron-down:before {
   content: "\e114";
-  color: #FFFFFF !important;
+  color: #bac3ca !important;
 }
 
 .glyphicon-retweet:before {
@@ -1190,7 +1190,7 @@ body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: none;
 }
 
@@ -1825,7 +1825,7 @@ pre {
   line-height: 1.428571429;
   word-break: break-all;
   word-wrap: break-word;
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: inherit;
   border: inherit;
   border-radius: 3px;
@@ -2757,7 +2757,7 @@ th {
         padding: 10px 0px 10px 20px;
         line-height: 1.428571429;
         vertical-align: top;
-        border-top: 1px solid #2d2d2d;
+        border-top: 1px solid #222;
       }
     }
 
@@ -2766,7 +2766,7 @@ th {
         padding: 10px 0px 10px 20px;
         line-height: 1.428571429;
         vertical-align: top;
-        border-top: 1px solid #2d2d2d;
+        border-top: 1px solid #222;
       }
     }
 
@@ -2775,7 +2775,7 @@ th {
         padding: 10px 0px 10px 20px;
         line-height: 1.428571429;
         vertical-align: top;
-        border-top: 1px solid #2d2d2d;
+        border-top: 1px solid #222;
       }
     }
 
@@ -2788,8 +2788,8 @@ th {
         border-top: 0;
         font-family: 'SourceSansProSemibold';
         font-weight: normal;
-        color: #FFF;
-        background-color: #292929;
+        color: #bac3ca;
+        background-color: #202020;
       }
     }
 
@@ -2798,8 +2798,8 @@ th {
         border-top: 0;
         font-family: 'SourceSansProSemibold';
         font-weight: normal;
-        color: #FFF;
-        background-color: #292929;
+        color: #bac3ca;
+        background-color: #202020;
       }
     }
 
@@ -2808,8 +2808,8 @@ th {
         border-top: 0;
         font-family: 'SourceSansProSemibold';
         font-weight: normal;
-        color: #FFF;
-        background-color: #292929;
+        color: #bac3ca;
+        background-color: #202020;
       }
     }
 
@@ -2875,13 +2875,13 @@ th {
 
 .table-striped > tbody > tr:nth-child(odd) > {
   td, th {
-    background-color: #333;
+    background-color: #1c1c1c;
   }
 }
 
 .table-hover > tbody > tr:hover > {
   td, th {
-    background-color: #464646;
+    background-color: #222;
   }
 }
 
@@ -3340,7 +3340,7 @@ output {
   padding-top: 7px;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFFFFF;
+  color: #bac3ca;
 }
 
 input {
@@ -3348,7 +3348,7 @@ input {
     background-color: #262626 !important;
     border: 1px solid #5a5a5a !important;
     background-image: none !important;
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
   }
 }
 
@@ -3357,7 +3357,7 @@ textarea {
     background-color: #262626 !important;
     border: 1px solid #5a5a5a !important;
     background-image: none !important;
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
   }
 }
 
@@ -3366,7 +3366,7 @@ select {
     background-color: #262626 !important;
     border: 1px solid #5a5a5a !important;
     background-image: none !important;
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
   }
 
   display: block;
@@ -3375,8 +3375,8 @@ select {
   padding: 6px 12px;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFF;
-  background-color: #2d2d2d;
+  color: #bac3ca;
+  background-color: #222;
   background-image: none;
   border: 1px solid #191919;
   border-radius: 3px;
@@ -3394,8 +3394,8 @@ textarea {
   padding: 6px 12px;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFF;
-  background-color: #2d2d2d;
+  color: #bac3ca;
+  background-color: #222;
   background-image: none;
   border: 1px solid #191919;
   border-radius: 3px;
@@ -3414,8 +3414,8 @@ input {
     padding: 6px 12px;
     font-size: 14px;
     line-height: 1.428571429;
-    color: #FFF;
-    background-color: #2d2d2d;
+    color: #bac3ca;
+    background-color: #222;
     background-image: none;
     border: 1px solid #191919;
     border-radius: 3px;
@@ -3429,7 +3429,7 @@ input {
 
 select:hover, textarea:hover {
   color: #FFF;
-  background-color: #292929;
+  background-color: #151515;
   border: 1px solid #dd630d;
   outline: 0;
 }
@@ -3437,7 +3437,7 @@ select:hover, textarea:hover {
 input {
   &[type="text"]:hover, &[type="password"]:hover, &[type="datetime"]:hover, &[type="datetime-local"]:hover, &[type="date"]:hover, &[type="month"]:hover, &[type="time"]:hover, &[type="week"]:hover, &[type="number"]:hover, &[type="email"]:hover, &[type="url"]:hover, &[type="search"]:hover, &[type="tel"]:hover, &[type="color"]:hover {
     color: #FFF;
-    background-color: #292929;
+    background-color: #151515;
     border: 1px solid #dd630d;
     outline: 0;
   }
@@ -3446,7 +3446,7 @@ input {
 select:focus, textarea:focus {
   color: #FFF;
   border: 1px solid #dd630d;
-  background-color: #232323;
+  background-color: #151515;
   outline: 0;
 }
 
@@ -3454,7 +3454,7 @@ input {
   &[type="text"]:focus, &[type="password"]:focus, &[type="datetime"]:focus, &[type="datetime-local"]:focus, &[type="date"]:focus, &[type="month"]:focus, &[type="time"]:focus, &[type="week"]:focus, &[type="number"]:focus, &[type="email"]:focus, &[type="url"]:focus, &[type="search"]:focus, &[type="tel"]:focus, &[type="color"]:focus {
     color: #FFF;
     border: 1px solid #dd630d;
-    background-color: #232323;
+    background-color: #151515;
     outline: 0;
   }
 }
@@ -4667,14 +4667,14 @@ select[multiple].input-lg, .form-horizontal .form-group-lg select[multiple].form
   -moz-user-select: none;
   -ms-user-select: none;
   user-select: none;
-  color: #FFFFFF;
-  background-color: #292929;
+  color: #bac3ca;
+  background-color: #222;
   border: 1px solid #191919;
   outline: 0;
 }
 
 .open > .btn.dropdown-toggle {
-  color: #ffffff;
+  color: #bac3ca;
 }
 
 .btn {
@@ -4744,7 +4744,7 @@ fieldset[disabled] .btn {
 
 .btn {
   .badge {
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #3a3a3a;
   }
 
@@ -4807,24 +4807,24 @@ fieldset[disabled] .btn {
 
 .btn-default {
   &.disabled {
-    background-color: #FFFFFF;
+    background-color: #bac3ca;
     border-color: 1px solid #1d1d1d;
     outline: 0;
 
     &:hover, &:focus, &:active, &.active {
-      background-color: #FFFFFF;
+      background-color: #bac3ca;
       border-color: 1px solid #1d1d1d;
       outline: 0;
     }
   }
 
   &[disabled] {
-    background-color: #FFFFFF;
+    background-color: #bac3ca;
     border-color: 1px solid #1d1d1d;
     outline: 0;
 
     &:hover, &:focus, &:active, &.active {
-      background-color: #FFFFFF;
+      background-color: #bac3ca;
       border-color: 1px solid #1d1d1d;
       outline: 0;
     }
@@ -4832,19 +4832,19 @@ fieldset[disabled] .btn {
 }
 
 fieldset[disabled] .btn-default {
-  background-color: #FFFFFF;
+  background-color: #bac3ca;
   border-color: 1px solid #1d1d1d;
   outline: 0;
 
   &:hover, &:focus, &:active, &.active {
-    background-color: #FFFFFF;
+    background-color: #bac3ca;
     border-color: 1px solid #1d1d1d;
     outline: 0;
   }
 }
 
 .btn-default .badge {
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: #3a3a3a;
   outline: 0;
 }
@@ -5380,13 +5380,13 @@ tbody.collapse.in {
       clear: both;
       font-weight: normal;
       line-height: 1.428571429;
-      color: #FFFFFF;
+      color: #bac3ca;
       white-space: nowrap;
       outline: 0;
 
       &:hover, &:focus {
         text-decoration: none;
-        color: #FFFFFF;
+        color: #bac3ca;
         background-color: #dd630d;
       }
     }
@@ -5615,7 +5615,7 @@ tbody.collapse.in {
   .dropdown-toggle {
     &:active, &:hover {
       outline: 0;
-      color: #FFFFFF;
+      color: #bac3ca;
       background-color: #dd630d;
       border: 1px solid #191919;
     }
@@ -5623,7 +5623,7 @@ tbody.collapse.in {
 
   &.open .dropdown-toggle {
     outline: 0;
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #dd630d;
     border: 1px solid #191919;
   }
@@ -5981,8 +5981,8 @@ tbody.collapse.in {
       position: relative;
       display: block;
       padding: 10px 15px;
-      background-color: #3a3a3a;
-      color: #fff;
+      background-color: #222;
+      color: #bac3ca;
       border-left: 1px solid #191919;
       border-right: 1px solid #191919;
       border-top: 1px solid #191919;
@@ -5995,8 +5995,8 @@ tbody.collapse.in {
   position: relative;
   display: block;
   padding: 10px 15px;
-  background-color: #3a3a3a;
-  color: #fff;
+  background-color: #222;
+  color: #bac3ca;
   border-left: 1px solid #191919;
   border-right: 1px solid #191919;
   border-top: 1px solid #191919;
@@ -6022,7 +6022,7 @@ tbody.collapse.in {
   > a {
     &:hover, &:focus {
       text-decoration: none;
-      background-color: #2d2d2d;
+      background-color: #1c1c1c;
       color: #dd630d;
     }
   }
@@ -6045,11 +6045,11 @@ a:focus {
   }
 
   .open > a {
-    background-color: #333;
+    background-color: #1c1c1c;
     cursor: pointer;
 
     &:hover, &:focus {
-      background-color: #333;
+      background-color: #1c1c1c;
       cursor: pointer;
     }
   }
@@ -6586,7 +6586,7 @@ a:focus {
 
 .navbar-default {
   .navbar-brand {
-    color: #F7F7F7;
+    color: #bac3ca;
 
     &:hover, &:focus {
       color: #dedede;
@@ -6595,12 +6595,12 @@ a:focus {
   }
 
   .navbar-text {
-    color: #F7F7F7;
+    color: #bac3ca;
   }
 
   .navbar-nav > {
     li > a {
-      color: #F7F7F7;
+      color: #bac3ca;
 
       &:hover, &:focus {
         color: #515151;
@@ -6652,7 +6652,7 @@ a:focus {
   }
 
   .navbar-link {
-    color: #F7F7F7;
+    color: #bac3ca;
 
     &:hover {
       color: #515151;
@@ -6660,7 +6660,7 @@ a:focus {
   }
 
   .btn-link {
-    color: #F7F7F7;
+    color: #bac3ca;
 
     &:hover, &:focus {
       color: #515151;
@@ -6677,7 +6677,7 @@ a:focus {
 @media (max-width: 767px) {
   .navbar-default .navbar-nav .open .dropdown-menu > {
     li > a {
-      color: #F7F7F7;
+      color: #bac3ca;
 
       &:hover, &:focus {
         color: #515151;
@@ -6900,7 +6900,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
           padding: 6px 12px;
           line-height: 1.428571429;
           text-decoration: none;
-          color: #FFFFFF;
+          color: #bac3ca;
           background-color: #505050;
           border: 1px solid #191919;
           margin-left: -1px;
@@ -6926,7 +6926,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
       > {
         a {
           &:hover, &:focus {
-            color: #FFFFFF;
+            color: #bac3ca;
             background-color: #dd630d;
             border-color: #303030;
           }
@@ -6934,7 +6934,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
 
         span {
           &:hover, &:focus {
-            color: #FFFFFF;
+            color: #bac3ca;
             background-color: #dd630d;
             border-color: #303030;
           }
@@ -6945,14 +6945,14 @@ fieldset[disabled] .navbar-inverse .btn-link {
     .active > {
       a {
         z-index: 2;
-        color: #FFFFFF;
+        color: #bac3ca;
         background-color: #dd630d;
         border: 1px solid #191919;
         cursor: default;
 
         &:hover, &:focus {
           z-index: 2;
-          color: #FFFFFF;
+          color: #bac3ca;
           background-color: #dd630d;
           border: 1px solid #191919;
           cursor: default;
@@ -6961,14 +6961,14 @@ fieldset[disabled] .navbar-inverse .btn-link {
 
       span {
         z-index: 2;
-        color: #FFFFFF;
+        color: #bac3ca;
         background-color: #dd630d;
         border: 1px solid #191919;
         cursor: default;
 
         &:hover, &:focus {
           z-index: 2;
-          color: #FFFFFF;
+          color: #bac3ca;
           background-color: #dd630d;
           border: 1px solid #191919;
           cursor: default;
@@ -7395,7 +7395,7 @@ a.thumbnail {
 .alert-success {
   background-color: #424242;
   border-color: #515151;
-  color: #ffffff;
+  color: #bac3ca;
 
   hr {
     border-top-color: #8dcc62;
@@ -7407,9 +7407,9 @@ a.thumbnail {
 }
 
 .alert-info {
-  background-color: #2f2f2f;
+  background-color: #202020;
   border-color: #191919;
-  color: #ffffff;
+  color: #bac3ca;
   -webkit-box-shadow: 5px 5px 5px rgba(17, 17, 17, 0.8);
   box-shadow: 5px 5px 5px rgba(17, 17, 17, 0.8);
 
@@ -7439,7 +7439,7 @@ a.thumbnail {
 .alert-danger {
   background-color: #202020;
   border-color: #B13116;
-  color: #FFFFFF !important;
+  color: #bac3ca !important;
 
   hr {
     border-top-color: #B13116;
@@ -7555,7 +7555,7 @@ a.thumbnail {
 
 .progress-bar-warning {
   background-color: #CCB717;
-  color: #FFFFFF !important;
+  color: #bac3ca !important;
 }
 
 .progress-striped .progress-bar-warning {
@@ -7624,7 +7624,7 @@ a.thumbnail {
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #2f2f2f;
+  background-color: #202020;
 
   &:last-child {
     margin-bottom: 0;
@@ -7640,7 +7640,7 @@ a.thumbnail {
 }
 
 a.list-group-item {
-  color: #FFFFFF;
+  color: #bac3ca;
   border-radius: 0;
   outline: 0;
 
@@ -7651,11 +7651,11 @@ a.list-group-item {
   &:hover, &:focus {
     text-decoration: none;
     color: #dd630d;
-    background-color: #242424;
+    background-color: #151515;
   }
 
   &:hover:before, &:focus:before {
-    background: #FFFFFF;
+    background: #bac3ca;
     content: "";
     height: 42px;
     left: 0;
@@ -8468,7 +8468,7 @@ a.list-group-item-danger {
   font-size: 21px;
   font-weight: bold;
   line-height: 1;
-  color: #FFFFFF;
+  color: #bac3ca;
   text-shadow: 0 1px 0 #000;
   opacity: 1;
   filter: alpha(opacity = 100);
@@ -8599,7 +8599,7 @@ button.close {
 .modal-footer {
   padding: 5px;
   text-align: right;
-  background-color: #383838;
+  background-color: #242424;
   border-top: 1px solid inherit;
 
   &:before {
@@ -9161,7 +9161,7 @@ button.close {
 
 .show {
   display: block !important;
-  color: #22C400;
+  color: #FFF;
 }
 
 .invisible {
@@ -9422,7 +9422,7 @@ html {
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
   scrollbar-color: #424242 #323232;
-  background-color: #242424;
+  background-color: #151515;
 }
 
 body {
@@ -9430,7 +9430,7 @@ body {
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
   scrollbar-color: #424242 #323232;
-  background-color: #242424;
+  background-color: #151515;
   touch-action: manipulation;
   min-width: 320px;
 }
@@ -9464,7 +9464,7 @@ body {
 
 .page-content-head {
   .container-fluid {
-    background-color: #2f2f2f;
+    background-color: #1c1c1c;
     margin-left: 20px;
     margin-right: 20px;
     border-top: 1px solid #191919;
@@ -9474,6 +9474,7 @@ body {
     padding: 7px 14px 5px 14px;
     -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
     box-shadow: 0 3px 4px rgb(23, 23, 23);
+    border-radius: 0.5em 0.5em 0.5em 0.5em;
   }
 
   padding-bottom: 2px;
@@ -9512,7 +9513,7 @@ body {
 }
 
 .page-side-nav--active {
-  background: #F7F7F7;
+  background: #bac3ca;
   border-left: 3px solid #515151;
 }
 
@@ -9531,7 +9532,7 @@ body {
 .content-box {
   padding: 0px 0px;
   margin: 0px 0px;
-  background-color: #2d2d2d;
+  background-color: #1c1c1c;
   border: 1px solid #191919;
   -webkit-box-shadow: 0 3px 3px rgba(17, 17, 17, 0.8);
   box-shadow: 5px 5px 5px rgba(17, 17, 17, 0.8);
@@ -9735,7 +9736,7 @@ main.page-content.col-lg-12 {
         padding-left: 0px;
         padding-right: 0px;
         padding-top: 15px;
-        border-bottom: 2px solid #202020;
+        border-bottom: 2px solid #262626;
       }
 
       div {
@@ -9757,22 +9758,22 @@ main.page-content.col-lg-12 {
       }
 
       a.list-group-item.active-menu-title {
-        color: #FFF !important;
-        background-color: #242424 !important;
+        color: #bac3ca !important;
+        background-color: #151515 !important;
       }
     }
   }
 }
 
 a.list-group-item.active-menu-title.collapsed {
-  color: #FFF !important;
-  background-color: #242424 !important;
+  color: #dd630d !important;
+  background-color: #151515 !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > {
   a.list-group-item[aria-expanded="true"] {
     color: #dd630d !important;
-    background-color: #242424 !important;
+    background-color: #151515 !important;
   }
 
   div {
@@ -9780,18 +9781,18 @@ a.list-group-item.active-menu-title.collapsed {
       &.in {
         > a.list-group-item[aria-expanded="true"] {
           color: #dd630d !important;
-          background-color: #242424 !important;
+          background-color: #151515 !important;
         }
 
         > div.collapse.in > a.list-group-item {
           padding-left: 10px !important;
           font-size: 14px !important;
-          background-color: #2f2f2f !important;
+          background-color: #151515  !important;
           opacity: 0.98;
 
           &.menu-level-3-item.active {
             color: #dd630d !important;
-            background-color: #242424 !important;
+            background-color: #151515 !important;
           }
         }
       }
@@ -9799,7 +9800,7 @@ a.list-group-item.active-menu-title.collapsed {
       > a.list-group-item {
         padding-left: 10px !important;
         font-size: 14px !important;
-        background-color: #2f2f2f !important;
+        background-color: #151515  !important;
         opacity: 0.98;
       }
 
@@ -9824,7 +9825,7 @@ a.list-group-item.active-menu-title.collapsed {
       &.in > div.collapse.in > a.list-group-item:hover {
         text-decoration: none !important;
         color: #dd630d !important;
-        background-color: #262626 !important;
+        background-color: #151515 !important;
       }
     }
   }
@@ -9833,32 +9834,32 @@ a.list-group-item.active-menu-title.collapsed {
 a.list-group-item:focus {
   text-decoration: none !important;
   color: #dd630d !important;
-  background-color: #262626 !important;
+  background-color: #151515 !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item {
   &.active-menu-title, &:hover {
     color: #dd630d !important;
-    background-color: #262626 !important;
+    background-color: #151515 !important;
   }
 }
 
 a.list-group-item:focus {
   color: #dd630d !important;
-  background-color: #262626 !important;
+  background-color: #151515 !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div {
   &.collapse.in > a.list-group-item {
     &.collapsed:focus, &:focus {
       color: #dd630d !important;
-      background-color: #262626 !important;
+      background-color: #151515 !important;
     }
   }
 
   &.active-menu.collapse.in > a.list-group-item.active {
     color: #dd630d !important;
-    background-color: #262626 !important;
+    background-color: #151515 !important;
   }
 
   &.collapse.in {
@@ -9939,7 +9940,7 @@ button.toggle-sidebar {
     }
 
     &.active > a {
-      background: #2d2d2d !important;
+      background: #1c1c1c !important;
       outline: 0;
       border-right: 1px solid #191919;
       border-top: 1px solid #191919;
@@ -9978,7 +9979,7 @@ button.toggle-sidebar {
       background: #818180;
 
       > a {
-        color: #FFFFFF;
+        color: #bac3ca;
         font-family: 'SourceSansProSemibold';
       }
     }
@@ -10106,7 +10107,7 @@ button.toggle-sidebar {
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #242424;
+  background-color: #1c1c1c;
 }
 
 .active-menu-title:before, .active-menu a:before {
@@ -10114,18 +10115,18 @@ button.toggle-sidebar {
 }
 
 .list-group-item.active-menu-title, .active-menu-title.active {
-  background-color: #242424;
+  background-color: #151515;
   color: #dd630d;
 }
 
 .active-menu a {
   &.active {
-    background-color: #242424;
+    background-color: #151515;
     color: #dd630d;
   }
 
   &:before {
-    background: #dd630d;
+    background-color: #151515;
   }
 }
 
@@ -10180,7 +10181,7 @@ button.toggle-sidebar {
 
 ::-webkit-scrollbar-thumb {
   background: #424242;
-  border: thin solid #333;
+  border: thin solid #1c1c1c;
   border-radius: 0px;
 
   &:hover {
@@ -10284,7 +10285,7 @@ label > input {
 
 #ipsec {
   #ipsec-mobile, #ipsec-tunnel, #ipsec-overview {
-    background-color: #333 !important;
+    background-color: #1c1c1c !important;
   }
 
   .ipsec-tab {
@@ -10321,14 +10322,14 @@ label > input {
 
 textarea#update_status {
   color: inherit !important;
-  background-color: #3a3a3a;
+  background-color: #222;
   -webkit-box-shadow: none !important;
   box-shadow: none !important;
   border: none !important;
 
   &:hover {
     color: inherit !important;
-    background-color: #3a3a3a;
+    background-color: #222;
     -webkit-box-shadow: none !important;
     box-shadow: none !important;
     border: none !important;
@@ -10370,23 +10371,23 @@ textarea#update_status {
 
 div.container-fluid > {
   .fa-search::before, .fa-refresh::before {
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
   }
 }
 
 .panel-heading h3:hover {
-  color: #FFFFFF;
+  color: #bac3ca;
   text-decoration: none;
 }
 
 h3 {
   &:focus {
-    color: #FFFFFF;
+    color: #bac3ca;
     text-decoration: none;
   }
 
   &:link {
-    color: #FFFFFF;
+    color: #bac3ca;
     text-decoration: underline;
   }
 
@@ -10413,7 +10414,7 @@ h3 {
 .btn-group.bootstrap-select {
   &.open, &:hover {
     border-color: #323232 !important;
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
     background-color: #2d2d2d !important;
   }
 }
@@ -10524,11 +10525,11 @@ input[type="checkbox"] {
 
     &.active {
       background-color: #ac5314 !important;
-      color: #ffffff !important;
+      color: #bac3ca !important;
 
       &:hover {
         background-color: #ac5314 !important;
-        color: #ffffff !important;
+        color: #bac3ca !important;
       }
     }
 
@@ -10549,7 +10550,6 @@ input[type="checkbox"] {
     background-color: #ac5314;
   }
 
-.modal-side {
   background-color: #3a3a3a !important;
 }
 
@@ -10573,7 +10573,7 @@ h2 {
 }
 
 .alert.alert-primary.alert-output.m-t-15.m-b-0 {
-  background-color: #333 !important;
+  background-color: #1c1c1c !important;
   color: #FFF !important;
   border-color: #191919 !important;
 }
@@ -10629,7 +10629,7 @@ ul.jqtree-tree {
 }
 
 .modal-side-settings {
-  background-color: #2f2f2f !important;
+  background-color: #202020  !important;
 }
 
 [role="listbox"] {
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
new file mode 100644
index 0000000000..26539606f2
--- /dev/null
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
@@ -0,0 +1,284 @@
+.fa-spinner {
+    font-size: 2em;
+}
+
+.grid-stack-item-content {
+  text-align: center;
+  border-style: solid;
+  border-color: rgba(25, 25, 25, 0.72);
+  border-width: 2px;
+  background-color: #1c1c1c;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+}
+
+.widget-content {
+    position: relative;
+    width: 100%;
+    height: 100%;
+    padding: 1px;
+    cursor: grab;
+}
+
+.widget-header {
+    margin-top: 0.5em;
+    margin-left: 1em;
+    margin-right: 1em;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+}
+
+.widget-spinner {
+    margin-top: 20px;
+}
+
+.fa-stack.small {
+    font-size: 0.5em;
+}
+
+.close-handle {
+    vertical-align: middle;
+    text-align: right;
+    cursor: pointer;
+}
+
+.close-handle > i {
+    font-size: 0.7em;
+}
+
+.panel-divider {
+    width: 100%;
+    text-align: center;
+    height: 8px;
+    margin-bottom: 10px;
+}
+
+table {
+    table-layout: fixed;
+}
+
+td {
+    word-break: break-all;
+}
+
+.line {
+    display: inline-block;
+    height: 1px;
+    width: 70%;
+    background: #d94f00;
+    margin: 5px;
+}
+
+.canvas-container {
+    position: relative;
+}
+
+.cpu-canvas-container {
+    display: flex;
+    flex-direction: column;
+}
+
+.smoothie-container {
+    width: 100%;
+}
+
+.smoothie-chart-tooltip {
+  z-index: 1; /* necessary to force to foreground */
+  background: rgba(50, 50, 50, 0.9);
+  padding-left: 15px;
+  padding-right: 15px;
+  color: white;
+  font-size: 13px;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+  pointer-events: none;
+}
+
+.flex-container {
+    display: flex;
+    flex-wrap: nowrap;
+    white-space: nowrap;
+}
+
+.gateway-info {
+  margin: 5px;
+  padding: 5px;
+  font-size: 13px;
+}
+
+.gateway-detail-container {
+    display: none;
+    margin: 5px;
+}
+
+.interface-info {
+    display: flex;
+    flex-wrap: wrap;
+    align-items: center;
+    height: 100%;
+}
+
+.nowrap {
+    flex-wrap: nowrap;
+}
+
+.gateway-graph {
+    display: none;
+}
+
+.flex-container > .gateway-graph {
+    font-size: 13px;
+}
+
+.vertical-center-row {
+    height: 100%;
+    display: inline;
+}
+
+.interfaces-info {
+  margin: 5px;
+  font-size: 13px;
+}
+
+.interface-descr {
+    margin-left: 10px;
+    font-size: 15px;
+    cursor: pointer;
+    text-decoration: underline;
+}
+
+.interfaces-detail-container {
+    margin: 5px;
+    display: none;
+}
+
+.d-flex {
+    display: flex;
+}
+
+.d-flex > .justify-content-start {
+    justify-content: start;
+}
+
+.d-flex > .justify-content-end {
+    justify-content: end;
+}
+
+#chartjs-toolip {
+    z-index: 20;
+}
+
+/* CPU widget */
+.cpu-type {
+    margin-bottom: 10px;
+    margin-top: 10px;
+}
+/* ----- */
+
+/* Custom flex table */
+div {
+    box-sizing: border-box;
+}
+
+.flextable-container {
+    display: block;
+    margin: 2em auto;
+    width: 95%;
+    max-width: 1200px;
+}
+
+.flextable-header {
+    display: flex;
+    flex-flow: row wrap;
+    transition: 0.5s;
+    padding: 0.5em 0.5em;
+    border-top: solid 1px rgba(217, 79, 0, 0.15);
+}
+
+.flextable-row {
+    display: flex;
+    flex-flow: row wrap;
+    transition: 0.5s;
+    padding: 0.5em 0.5em;
+    border-top: solid 1px rgba(255, 255, 255, 0.06);
+    align-items: center;
+}
+
+.flextable-header .flex-cell {
+    font-weight: bold;
+}
+
+.flextable-row:hover {
+    background: #242424;
+    transition: 500ms;
+}
+
+.flex-cell {
+    text-align: left;
+    word-break: break-word;
+}
+
+.column {
+    display: flex;
+    flex-flow: column wrap;
+    width: 50%;
+    padding: 0;
+}
+.column .flex-cell {
+    display: flex;
+    flex-flow: row wrap;
+    width: 100%;
+    padding: 0;
+    border: 0;
+    border-top: rgb(59, 59, 59);
+}
+.column .flex-cell:hover {
+    background: none !important;
+    transition: 500ms;
+}
+.flex-subcell {
+    width: 100%;
+    text-align: left;
+}
+
+.column .flex-cell:not(:last-child) {
+    border-bottom: none !important;
+}
+/* ----- */
+
+/* CSS grid responsive table */
+.grid-header-container {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+}
+
+.grid-row {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+    background-color: #f7e2d6; /* fade-in color, transitions to transparent */
+    border-top: 1px solid #f7e2d6;
+    transition: 0.5s;
+    opacity: 0.4;
+}
+
+.grid-row:hover {
+    background: #F5F5F5 !important;
+    transition: 500ms;
+}
+
+.grid-header {
+    border-top: 1px solid #f7e2d6;
+    font-weight: bold;
+}
+
+.grid-item {
+    border: 1 px solid #ccc;
+    padding: 4px;
+    text-align: center;
+}
+/* ----- */
+
+:root {
+    --chart-js-background-color: #bac3ca;
+    --chart-js-border-color: #bac3ca;
+    --chart-js-font-color: #bac3ca;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
index 0598d665ff..2994309998 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dns-overview.css
@@ -81,7 +81,7 @@
 .list-group-item-border:first-child {
     border-top-left-radius: 4px;
     border-top-right-radius: 4px;
-    border-bottom: 2px solid black;
+    border-bottom: 2px solid #1c1c1c;
 }
 
 .list-group-item-border:last-child {
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index de7b81b29e..031ea2e7de 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -9,11 +9,11 @@
   min-height: 25px !important; }
 
   .widgetdiv .content-box-head .btn-group .btn {
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
     background: none;
     border: 0px; }
     .widgetdiv .content-box-head .btn-group .btn .glyphicon {
-      color: #FFFFFF !important; }
+      color: #bac3ca !important; }
   .widgetdiv .content-box-head .list-inline li > h3 {
     padding-top: 4px; }
 
@@ -207,8 +207,8 @@ optgroup {
 
 table {
   border-spacing: 0;
-  background-color: #373737;
-  color: #FFF;
+  background-color: #1c1c1c;
+  color: #bac3ca;
   width:100%; }
 
 td,
@@ -646,11 +646,11 @@ th {
 
 .glyphicon-chevron-up:before {
   content: "\e113";
-  color:#FFFFFF !important; }
+  color:#bac3ca !important; }
 
 .glyphicon-chevron-down:before {
   content: "\e114";
-  color:#FFFFFF !important; }
+  color:#bac3ca !important; }
 
 .glyphicon-retweet:before {
   content: "\e115"; }
@@ -925,7 +925,7 @@ body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: none; }
 
 input,
@@ -1333,7 +1333,7 @@ pre {
   line-height: 1.428571429;
   word-break: break-all;
   word-wrap: break-word;
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: inherit;
   border: inherit;
   border-radius: 3px; }
@@ -2036,7 +2036,7 @@ th {
     padding: 10px 0px 10px 20px;
     line-height: 1.428571429;
     vertical-align: top;
-    border-top: 1px solid #2d2d2d; }
+    border-top: 1px solid #222; }
   .table > thead > tr > th {
     vertical-align: bottom;  }
   .table > caption + thead > tr:first-child > th,
@@ -2048,8 +2048,8 @@ th {
     border-top: 0;
     font-family: 'SourceSansProSemibold';
     font-weight: normal;
-    color: #FFF;
-    background-color: #292929;
+    color: #bac3ca;
+    background-color: #202020;
   }
   .table > tbody + tbody {
     border-top: 2px solid #eee; }
@@ -2079,11 +2079,11 @@ th {
 
 .table-striped > tbody > tr:nth-child(odd) > td,
 .table-striped > tbody > tr:nth-child(odd) > th {
-  background-color: #333; }
+  background-color: #1c1c1c; }
 
 .table-hover > tbody > tr:hover > td,
 .table-hover > tbody > tr:hover > th {
-  background-color:#464646; }
+  background-color:#222; }
 
 table col[class*="col-"] {
   position: static;
@@ -2274,7 +2274,7 @@ output {
   padding-top: 7px;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFFFFF; }
+  color: #bac3ca; }
 
 input:-internal-autofill-previewed,
 input:-internal-autofill-selected,
@@ -2285,7 +2285,7 @@ select:-internal-autofill-selected {
     background-color: #262626 !important;
     border: 1px solid #5a5a5a !important;
     background-image: none !important;
-    color: #FFFFFF !important; }
+    color: #bac3ca !important; }
 
 select,
 textarea,
@@ -2310,8 +2310,8 @@ input[type="color"]
   padding: 6px 12px;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFF;
-  background-color: #2d2d2d;
+  color: #bac3ca;
+  background-color: #222;
   background-image: none;
   border: 1px solid #191919;
   border-radius: 3px;
@@ -2339,7 +2339,7 @@ input[type="color"]
   input[type="color"]:hover
    {
 	color: #FFF;
-	background-color: #292929;
+	background-color: #151515;
   border: 1px solid #dd630d;
 	outline: 0; }
 
@@ -2362,7 +2362,7 @@ input[type="color"]
   {
   color: #FFF;
 	border: 1px solid #dd630d;
-	background-color: #232323;
+	background-color: #151515;
 	outline: 0; }
 
   select::-moz-placeholder,
@@ -2901,12 +2901,12 @@ select[multiple].input-lg,
   -moz-user-select: none;
   -ms-user-select: none;
   user-select: none;
-  color: #FFFFFF;
-  background-color: #292929;
+  color: #bac3ca;
+  background-color: #222;
   border: 1px solid #191919;
   outline:0; }
   .open > .btn.dropdown-toggle {
-  color: #ffffff;
+  color: #bac3ca;
   }
   .btn:active, .btn.active {
   color: #dd630d;
@@ -2929,7 +2929,7 @@ select[multiple].input-lg,
 	outline:0; }
 
   .btn .badge {
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #3a3a3a; }
   .btn:focus, .btn:active:focus, .btn.active:focus {
     outline: thin dotted;
@@ -2961,11 +2961,11 @@ select[multiple].input-lg,
 	outline:0; }
 
   .btn-default.disabled, .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active, .btn-default[disabled], .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active, fieldset[disabled] .btn-default, fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
-    background-color: #FFFFFF;
+    background-color: #bac3ca;
     border-color: 1px solid #1d1d1d;
 	outline:0; }
   .btn-default .badge {
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #3a3a3a;
 	outline:0; }
 
@@ -3205,13 +3205,13 @@ tbody.collapse.in {
     clear: both;
     font-weight: normal;
     line-height: 1.428571429;
-    color: #FFFFFF;
+    color: #bac3ca;
     white-space: nowrap;
 	outline:0;}
 
 .dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus {
   text-decoration: none;
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: #dd630d; }
 
 .dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus {
@@ -3356,7 +3356,7 @@ tbody.collapse.in {
 
 .btn-group .dropdown-toggle:active, .btn-group .dropdown-toggle:hover, .btn-group.open .dropdown-toggle {
   outline: 0;
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: #dd630d;
   border: 1px solid #191919; }
 
@@ -3562,8 +3562,8 @@ tbody.collapse.in {
       position: relative;
       display: block;
       padding: 10px 15px;
-	  background-color: #3a3a3a;
-	  color:#fff;
+	  background-color: #222;
+	  color:#bac3ca;
 	  border-left: 1px solid #191919;
 	  border-right: 1px solid #191919;
 	  border-top: 1px solid #191919;
@@ -3577,7 +3577,7 @@ tbody.collapse.in {
 	  border:none; }
       .nav > li > a:hover, .nav > li > a:focus {
         text-decoration: none;
-        background-color: #2d2d2d;
+        background-color: #1c1c1c;
 		color:#dd630d;
 		 }
 		.nav > li#menu_messages > a:hover, a:focus {
@@ -3592,7 +3592,7 @@ tbody.collapse.in {
         cursor: not-allowed; }
 
   .nav .open > a, .nav .open > a:hover, .nav .open > a:focus {
-    background-color: #333;
+    background-color: #1c1c1c;
 	cursor:pointer; }
 
   .nav .nav-divider {
@@ -3939,14 +3939,14 @@ tbody.collapse.in {
         margin-right: 0; } }
 
 .navbar-default .navbar-brand {
-    color: #F7F7F7; }
+    color: #bac3ca; }
     .navbar-default .navbar-brand:hover, .navbar-default .navbar-brand:focus {
       color: #dedede;
       background-color: transparent; }
   .navbar-default .navbar-text {
-    color: #F7F7F7; }
+    color: #bac3ca; }
   .navbar-default .navbar-nav > li > a {
-    color: #F7F7F7; }
+    color: #bac3ca; }
     .navbar-default .navbar-nav > li > a:hover, .navbar-default .navbar-nav > li > a:focus {
       color: #515151;
       background-color: transparent; }
@@ -3968,7 +3968,7 @@ tbody.collapse.in {
     color: #555; }
   @media (max-width: 767px) {
     .navbar-default .navbar-nav .open .dropdown-menu > li > a {
-      color: #F7F7F7; }
+      color: #bac3ca; }
       .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {
         color: #515151;
         background-color: transparent; }
@@ -3980,11 +3980,11 @@ tbody.collapse.in {
       color: #ccc;
       background-color: transparent; } }
   .navbar-default .navbar-link {
-    color: #F7F7F7; }
+    color: #bac3ca; }
     .navbar-default .navbar-link:hover {
       color: #515151; }
   .navbar-default .btn-link {
-    color: #F7F7F7; }
+    color: #bac3ca; }
     .navbar-default .btn-link:hover, .navbar-default .btn-link:focus {
       color: #515151; }
     .navbar-default .btn-link[disabled]:hover, .navbar-default .btn-link[disabled]:focus, fieldset[disabled] .navbar-default .btn-link:hover, fieldset[disabled] .navbar-default .btn-link:focus {
@@ -4086,7 +4086,7 @@ tbody.collapse.in {
       padding: 6px 12px;
       line-height: 1.428571429;
       text-decoration: none;
-      color: #FFFFFF;
+      color: #bac3ca;
       background-color: #505050;
       border: 1px solid #191919;
       margin-left: -1px;
@@ -4104,7 +4104,7 @@ tbody.collapse.in {
   .pagination > li > a:hover, .pagination > li > a:focus,
   .pagination > li > span:hover,
   .pagination > li > span:focus {
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #dd630d;
     border-color: #303030; }
 
@@ -4113,7 +4113,7 @@ tbody.collapse.in {
   .pagination > .active > span:hover,
   .pagination > .active > span:focus {
     z-index: 2;
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #dd630d;
     border: 1px solid #191919;
     cursor: default; }
@@ -4381,7 +4381,7 @@ a.thumbnail.active {
 .alert-success {
 	background-color: #424242;
 	border-color: #515151;
-  color: #ffffff; }
+  color: #bac3ca; }
 
   .alert-success hr {
     border-top-color: #8dcc62; }
@@ -4389,9 +4389,9 @@ a.thumbnail.active {
     color: #72bd3e; }
 
 .alert-info {
-  background-color: #2f2f2f;
+  background-color: #202020 ;
   border-color: #191919;
-  color: #ffffff;
+  color: #bac3ca;
   -webkit-box-shadow: 5px 5px 5px rgba(17, 17, 17, 0.8);
   box-shadow: 5px 5px 5px rgba(17, 17, 17, 0.8); }
   .alert-info hr {
@@ -4411,7 +4411,7 @@ a.thumbnail.active {
 .alert-danger {
   background-color: #202020;
   border-color: #B13116;
-  color: #FFFFFF !important;}
+  color: #bac3ca !important;}
   .alert-danger hr {
     border-top-color: #B13116; }
   .alert-danger .alert-link {
@@ -4494,7 +4494,7 @@ a.thumbnail.active {
 
 .progress-bar-warning {
   background-color: #CCB717;
-  color: #FFFFFF !important; }
+  color: #bac3ca !important; }
   .progress-striped .progress-bar-warning {
     background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
     background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
@@ -4543,7 +4543,7 @@ a.thumbnail.active {
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #2f2f2f; }
+  background-color: #202020 ; }
   .list-group-item:last-child {
     margin-bottom: 0; }
   .list-group-item > .badge {
@@ -4552,7 +4552,7 @@ a.thumbnail.active {
     margin-right: 5px; }
 
 a.list-group-item {
-  color: #FFFFFF;
+  color: #bac3ca;
   border-radius: 0;
   outline:0; }
 
@@ -4561,10 +4561,10 @@ a.list-group-item {
   a.list-group-item:hover, a.list-group-item:focus {
     text-decoration: none;
     color: #dd630d;
-    background-color: #242424; }
+    background-color: #151515; }
 
     a.list-group-item:hover:before, a.list-group-item:focus:before {
-      background: #FFFFFF;
+      background: #bac3ca;
       content: "";
       height: 42px;
       left: 0;
@@ -4987,7 +4987,7 @@ a.list-group-item-danger {
   font-size: 21px;
   font-weight: bold;
   line-height: 1;
-  color: #FFFFFF;
+  color: #bac3ca;
   text-shadow: 0 1px 0 #000;
   opacity: 1;
   filter: alpha(opacity=100); }
@@ -5093,7 +5093,7 @@ button.close {
 .modal-footer {
   padding: 5px;
   text-align: right;
-  background-color: #383838;
+  background-color: #242424;
   border-top: 1px solid inherit; }
   .modal-footer:before, .modal-footer:after {
     content: " ";
@@ -5510,7 +5510,7 @@ button.close {
 
 .show {
   display: block !important;
-  color: #22C400; }
+  color: #FFF; }
 
 .invisible {
   visibility: hidden; }
@@ -5712,7 +5712,7 @@ html, body {
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
   scrollbar-color: #424242 #323232;
-  background-color: #242424;
+  background-color: #151515;
 }
 
 body {
@@ -5741,7 +5741,7 @@ body {
   .page-content > .row {
     height: 100%; }
 .page-content-head .container-fluid {
-  background-color: #2f2f2f;
+  background-color: #1c1c1c;
   margin-left: 20px;
   margin-right: 20px;
   border-top: 1px solid #191919;
@@ -5750,7 +5750,8 @@ body {
   height: auto;
   padding: 7px 14px 5px 14px;
   -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
-  box-shadow: 0 3px 4px rgb(23, 23, 23); }
+  box-shadow: 0 3px 4px rgb(23, 23, 23); 
+  border-radius: 0.5em 0.5em 0.5em 0.5em; }
 .page-content-head, .content-box-head {
   padding-bottom: 2px;
   padding-top: 10px; }
@@ -5776,7 +5777,7 @@ body {
   z-index: 3; }
 
 .page-side-nav--active {
-  background: #F7F7F7;
+  background: #bac3ca;
   border-left: 3px solid #515151; }
 
 .page-foot {
@@ -5794,7 +5795,7 @@ body {
 .content-box {
   padding: 0px 0px;
   margin: 0px 0px;
-  background-color: #2d2d2d;
+  background-color: #1c1c1c;
   border: 1px solid #191919;
   -webkit-box-shadow: 0 3px 3px rgba(17, 17, 17, 0.8);
   box-shadow: 5px 5px 5px rgba(17, 17, 17, 0.8)  }
@@ -5946,7 +5947,7 @@ main.page-content.col-lg-12 {
   padding-left: 0px;
   padding-right: 0px;
   padding-top:15px;
-  border-bottom:2px solid #202020;
+  border-bottom:2px solid #262626;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing > a.list-group-item {
@@ -5966,27 +5967,27 @@ main.page-content.col-lg-12 {
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item.active-menu-title, a.list-group-item.active-menu-title.collapsed {
-  color: #FFF !important;
-  background-color: #242424 !important;
+  color: #dd630d !important;
+  background-color: #151515 !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item[aria-expanded="true"],
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item[aria-expanded="true"] {
   color: #dd630d !important;
-  background-color: #242424 !important;
+  background-color: #151515 !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
   padding-left: 10px !important;
   font-size: 14px !important;
-  background-color: #2f2f2f !important;
+  background-color: #151515  !important;
   opacity: 0.98;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item.menu-level-3-item.active {
   color: #dd630d !important;
-  background-color: #242424 !important;
+  background-color: #151515 !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item,
@@ -6003,7 +6004,7 @@ main.page-content.col-lg-12 {
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus {
   text-decoration: none !important;
   color: #dd630d !important;
-  background-color: #262626 !important;
+  background-color: #151515 !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.active-menu-title,
@@ -6012,7 +6013,7 @@ main.page-content.col-lg-12 {
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:focus,
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.active-menu.collapse.in >a.list-group-item.active {
   color: #dd630d !important;
-  background-color: #262626 !important;
+  background-color: #151515 !important;
 }
 
 /* Sub Level One */
@@ -6087,7 +6088,7 @@ button.toggle-sidebar {
   outline:0; }
 
 .nav-tabs > li.active > a {
-  background: #2d2d2d !important;
+  background: #1c1c1c !important;
   outline:0; }
 
 .nav-tabs > li.active > a,
@@ -6116,7 +6117,7 @@ button.toggle-sidebar {
     border-radius: 0px;
     background: #818180; }
     .nav-tabs.nav-justified > li > a {
-      color: #FFFFFF;
+      color: #bac3ca;
       font-family: 'SourceSansProSemibold'; }
       @media (min-width: 768px) {
         .nav-tabs.nav-justified > li > a {
@@ -6203,15 +6204,15 @@ button.toggle-sidebar {
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #242424; }
+  background-color: #1c1c1c; }
   .active-menu-title:before, .active-menu a:before {
     width: 3px; }
   .list-group-item.active-menu-title, .active-menu-title.active, .active-menu a.active {
-    background-color: #242424;
+    background-color: #151515;
     color: #dd630d; }
 
 .active-menu a:before {
-  background: #dd630d; }
+  background-color: #151515; }
 
 .alert.alert-danger {
   color: #FFF !important; }
@@ -6255,7 +6256,7 @@ button.toggle-sidebar {
 
 ::-webkit-scrollbar-thumb {
   background: #424242;
-  border: thin solid #333;
+  border: thin solid #1c1c1c;
   border-radius: 0px; }
 
 ::-webkit-scrollbar-thumb:hover {
@@ -6327,7 +6328,7 @@ label > input[type="radio"] {
 }
 
 #ipsec #ipsec-mobile, #ipsec #ipsec-tunnel, #ipsec #ipsec-overview {
-	background-color: #333 !important;
+	background-color: #1c1c1c !important;
 }
 
 #ipsec .ipsec-tab {
@@ -6362,7 +6363,7 @@ label > input[type="radio"] {
 
 textarea#update_status, textarea#update_status:hover {
   color:inherit !important;
-  background-color: #3a3a3a;
+  background-color: #222;
   -webkit-box-shadow:none !important;
   box-shadow:none !important;
   border:none !important;
@@ -6403,16 +6404,16 @@ textarea#update_status, textarea#update_status:hover {
 }
 
 div.container-fluid > .fa-search::before, div.container-fluid  > .fa-refresh::before {
-  color: #FFFFFF !important;
+  color: #bac3ca !important;
 }
 
 .panel-heading h3:hover, h3:focus {
-  color: #FFFFFF;
+  color: #bac3ca;
   text-decoration: none;
 }
 
 h3:link {
-  color:#FFFFFF;
+  color:#bac3ca;
   text-decoration: underline;
 }
 
@@ -6443,7 +6444,7 @@ h3:hover, h3:focus {
 
 .btn-group.bootstrap-select.open, .btn-group.bootstrap-select:hover {
   border-color: #323232 !important;
-  color:#FFFFFF !important;
+  color:#bac3ca !important;
   background-color: #2d2d2d !important;
 }
 
@@ -6511,7 +6512,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 
 .bootstrap-datetimepicker-widget table td.active, .bootstrap-datetimepicker-widget table td.active:hover {
     background-color: #ac5314 !important;
-    color: #ffffff !important;
+    color: #bac3ca !important;
 }
 
 .bootstrap-datetimepicker-widget table td span:hover {
@@ -6550,7 +6551,7 @@ h2.text-center ,h2.text-primary {
 }
 
 .alert.alert-primary.alert-output.m-t-15.m-b-0 {
-  background-color: #333 !important;
+  background-color: #1c1c1c !important;
   color: #FFF !important;
   border-color: #191919 !important;
 }
@@ -6604,7 +6605,7 @@ ul.jqtree-tree .jqtree-title {
 }
 
 .modal-side-settings {
-  background-color: #2f2f2f !important;
+  background-color: #202020  !important;
 }
 
 [role="listbox"] {
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 967d22e13b..ff3fc9687f 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.45
+PLUGIN_VERSION=		1.46
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
new file mode 100644
index 0000000000..d5e45c9bc2
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
@@ -0,0 +1,299 @@
+.fa-spinner {
+  font-size: 2em;
+}
+
+.grid-stack-item-content {
+  text-align: center;
+  border-style: solid;
+  border-color: rgba(25, 25, 25, 0.72);
+  border-width: 2px;
+  background-color: #1a262d;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+}
+
+.widget-content {
+  position: relative;
+  width: 100%;
+  height: 100%;
+  padding: 1px;
+  cursor: grab;
+}
+
+.widget-header {
+  margin-top: 0.5em;
+  margin-left: 1em;
+  margin-right: 1em;
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+}
+
+.widget-spinner {
+  margin-top: 20px;
+}
+
+.fa-stack.small {
+  font-size: 0.5em;
+}
+
+.close-handle {
+  vertical-align: middle;
+  text-align: right;
+  cursor: pointer;
+
+  > i {
+    font-size: 0.7em;
+  }
+}
+
+.panel-divider {
+  width: 100%;
+  text-align: center;
+  height: 8px;
+  margin-bottom: 10px;
+}
+
+table {
+  table-layout: fixed;
+}
+
+td {
+  word-break: break-all;
+}
+
+.line {
+  display: inline-block;
+  height: 1px;
+  width: 70%;
+  background: #d94f00;
+  margin: 5px;
+}
+
+.canvas-container {
+  position: relative;
+}
+
+.cpu-canvas-container {
+  display: flex;
+  flex-direction: column;
+}
+
+.smoothie-container {
+  width: 100%;
+}
+
+.smoothie-chart-tooltip {
+  z-index: 1;
+
+  /* necessary to force to foreground */
+  background: rgba(50, 50, 50, 0.9);
+  padding-left: 15px;
+  padding-right: 15px;
+  color: white;
+  font-size: 13px;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+  pointer-events: none;
+}
+
+.flex-container {
+  display: flex;
+  flex-wrap: nowrap;
+  white-space: nowrap;
+}
+
+.gateway-info {
+  margin: 5px;
+  padding: 5px;
+  font-size: 13px;
+}
+
+.gateway-detail-container {
+  display: none;
+  margin: 5px;
+}
+
+.interface-info {
+  display: flex;
+  flex-wrap: wrap;
+  align-items: center;
+  height: 100%;
+}
+
+.nowrap {
+  flex-wrap: nowrap;
+}
+
+.gateway-graph {
+  display: none;
+}
+
+.flex-container > .gateway-graph {
+  font-size: 13px;
+}
+
+.vertical-center-row {
+  height: 100%;
+  display: inline;
+}
+
+.interfaces-info {
+  margin: 5px;
+  font-size: 13px;
+}
+
+.interface-descr {
+  margin-left: 10px;
+  font-size: 15px;
+  cursor: pointer;
+  text-decoration: underline;
+}
+
+.interfaces-detail-container {
+  margin: 5px;
+  display: none;
+}
+
+.d-flex {
+  display: flex;
+
+  > {
+    .justify-content-start {
+      justify-content: start;
+    }
+
+    .justify-content-end {
+      justify-content: end;
+    }
+  }
+}
+
+#chartjs-toolip {
+  z-index: 20;
+}
+
+/* CPU widget */
+
+.cpu-type {
+  margin-bottom: 10px;
+  margin-top: 10px;
+}
+
+/* ----- */
+
+/* Custom flex table */
+
+div {
+  box-sizing: border-box;
+}
+
+.flextable-container {
+  display: block;
+  margin: 2em auto;
+  width: 95%;
+  max-width: 1200px;
+}
+
+.flextable-header {
+  display: flex;
+  flex-flow: row wrap;
+  transition: 0.5s;
+  padding: 0.5em 0.5em;
+  border-top: solid 1px rgba(217, 79, 0, 0.15);
+}
+
+.flextable-row {
+  display: flex;
+  flex-flow: row wrap;
+  transition: 0.5s;
+  padding: 0.5em 0.5em;
+  border-top: solid 1px rgba(255, 255, 255, 0.06);
+  align-items: center;
+}
+
+.flextable-header .flex-cell {
+  font-weight: bold;
+}
+
+.flextable-row:hover {
+  background: #131c22;
+  transition: 500ms;
+}
+
+.flex-cell {
+  text-align: left;
+  word-break: break-word;
+}
+
+.column {
+  display: flex;
+  flex-flow: column wrap;
+  width: 50%;
+  padding: 0;
+
+  .flex-cell {
+    display: flex;
+    flex-flow: row wrap;
+    width: 100%;
+    padding: 0;
+    border: 0;
+    border-top: rgb(59, 59, 59);
+
+    &:hover {
+      background: none !important;
+      transition: 500ms;
+    }
+  }
+}
+
+.flex-subcell {
+  width: 100%;
+  text-align: left;
+}
+
+.column .flex-cell:not(:last-child) {
+  border-bottom: none !important;
+}
+
+/* ----- */
+
+/* CSS grid responsive table */
+
+.grid-header-container {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+}
+
+.grid-row {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+  background-color: #f7e2d6;
+
+  /* fade-in color, transitions to transparent */
+  border-top: 1px solid #f7e2d6;
+  transition: 0.5s;
+  opacity: 0.4;
+
+  &:hover {
+    background: #F5F5F5 !important;
+    transition: 500ms;
+  }
+}
+
+.grid-header {
+  border-top: 1px solid #f7e2d6;
+  font-weight: bold;
+}
+
+.grid-item {
+  border: 1 px solid #ccc;
+  padding: 4px;
+  text-align: center;
+}
+
+/* ----- */
+
+:root {
+  --chart-js-background-color:#bac3ca;
+  --chart-js-border-color:#bac3ca;
+  --chart-js-font-color:#bac3ca;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dns-overview.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dns-overview.scss
new file mode 100644
index 0000000000..486bcac04f
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dns-overview.scss
@@ -0,0 +1,173 @@
+.tab-content {
+  padding: 10px;
+  border-top: 1px solid #191919;
+}
+
+.banner {
+  width: 25%;
+}
+
+.stats-element {
+  height: 5em;
+  background: #172229;
+  overflow: hidden;
+  display: flex;
+  justify-content: flex-start;
+  border-radius: .3em;
+  margin: auto;
+  border: 1px solid rgb(19, 19, 19);
+}
+
+.stats-icon {
+  height: auto;
+  width: 50%;
+  object-fit: cover;
+  background: #131c22;
+  border-radius: 0 2em 2em 0 / 0 3em 3em 0;
+  box-shadow: 3px 5px 1px 3px rgb(15, 24, 30);
+}
+
+.large-icon {
+  position: relative;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%);
+  font-size: 2em;
+}
+
+.stats-text {
+  height: 5em;
+  width: 15em;
+  display: flex;
+  justify-content: center;
+  text-align: center;
+  align-items: center;
+  flex-direction: column;
+}
+
+.stats-counter-text, .stats-inner-text {
+  margin: 0;
+  padding: 0;
+  text-align: center;
+  font-size: 15px;
+}
+
+#bannersub {
+  text-align: center;
+  margin: 5px;
+}
+
+.list-group-wrapper {
+  margin: 0px;
+  padding-top: 10px;
+  padding-bottom: 10px;
+}
+
+.list-item-domain {
+  height: 2.5em;
+}
+
+.list-group-item-border {
+  border: 1px solid #191919;
+
+  &:first-child {
+    border-top-left-radius: 4px;
+    border-top-right-radius: 4px;
+    border-bottom: 2px solid black;
+  }
+
+  &:last-child {
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+  }
+}
+
+.btn.pull-right {
+  margin-left: 3px;
+}
+
+.odd-bg {
+  background: #f7f7f7;
+}
+
+.top-item {
+  display: flex;
+  white-space: nowrap;
+}
+
+.group-p {
+  overflow: hidden;
+  height: 20px;
+  margin-right: 5px;
+  text-overflow: ellipsis;
+}
+
+.counter {
+  position: relative;
+  top: -3px;
+  color: #888;
+  font-size: 14px;
+  line-height: 1.4;
+  flex: 1;
+  text-align: right;
+}
+
+.vertical-center {
+  margin: 0;
+  position: absolute;
+  top: 50%;
+  -ms-transform: translateY(-50%);
+  transform: translateY(-50%);
+}
+
+#maintabs > li > a {
+  border: 1px solid #191919;
+}
+
+.query-success {
+  background-color: rgba(5, 142, 73, 0.3);
+}
+
+.query-info {
+  background-color: rgba(255, 227, 0, 0.3);
+}
+
+.query-danger {
+  background-color: rgba(235, 9, 9, 0.3);
+}
+
+.query-warning {
+  background-color: rgba(255, 131, 0, 0.3);
+}
+
+.query-error {
+  background-color: #502e62;
+}
+
+#searchFilter {
+  display: inline-block;
+  margin: 0 20px 0 0;
+  vertical-align: middle;
+}
+
+.tag {
+  font-size: 14px;
+  padding: .3em .4em .4em;
+  margin: 0 .1em;
+
+  a {
+    color: #bbb;
+    cursor: pointer;
+    opacity: 0.9;
+    margin: 0 0 0 .3em;
+
+    fa-times {
+      color: #fff;
+      margin-bottom: 2px;
+    }
+  }
+}
+
+.tooltip-inner {
+  max-width: 1000px !important;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index d8ca6cd05e..8d0bb9bf8c 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -10,12 +10,12 @@
   min-height: 25px !important;
 
   .btn-group .btn {
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
     background: none;
     border: 0px;
 
     .glyphicon {
-      color: #FFFFFF !important;
+      color: #bac3ca !important;
     }
   }
 
@@ -70,7 +70,7 @@ audio:not([controls]) {
 }
 
 a {
-  color: #D77610;
+  color: #d77610;
   text-decoration: none;
   background: transparent;
   outline: 0;
@@ -80,7 +80,7 @@ a {
   }
 
   &:hover, &:focus {
-    color: #D77610;
+    color: #bac3ca;
     text-decoration: underline;
   }
 }
@@ -246,8 +246,8 @@ optgroup {
 table {
   border-collapse: none;
   border-spacing: 0;
-  color: #FFF;
-  background-color: #1a262d;
+  color: #bac3ca;
+  background-color: #162026;
   width: 100%;
 }
 
@@ -313,7 +313,7 @@ td, th {
   }
 
   select {
-    background: #fff !important;
+    background: #bac3ca !important;
   }
 
   .navbar {
@@ -322,7 +322,7 @@ td, th {
 
   .table {
     td, th {
-      background-color: #fff !important;
+      background-color: #bac3ca !important;
     }
   }
 
@@ -401,7 +401,7 @@ td, th {
 
 .icon.glyphicon.input-group-addon.glyphicon-search:before, .glyphicon-search:before {
   content: "\e003";
-  color: #FFF !important;
+  color: #bac3ca !important;
 }
 
 .glyphicon-heart:before {
@@ -1190,7 +1190,7 @@ body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFF;
+  color: #bac3ca;
 }
 
 input, button, select, textarea {
@@ -1221,7 +1221,7 @@ img {
 .img-thumbnail {
   padding: 4px;
   line-height: 1.428571429;
-  background-color: #fff;
+  background-color: #bac3ca;
   border: 1px solid #ddd;
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
@@ -1584,7 +1584,7 @@ a.text-danger:hover {
 }
 
 .bg-primary {
-  color: #fff;
+  color: #bac3ca;
   background-color: #D77610;
 }
 
@@ -1805,7 +1805,7 @@ code {
 kbd {
   padding: 2px 4px;
   font-size: 90%;
-  color: #fff;
+  color: #bac3ca;
   background-color: #191919;
   border-radius: 3px;
   box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25);
@@ -1825,7 +1825,7 @@ pre {
   line-height: 1.428571429;
   word-break: break-all;
   word-wrap: break-word;
-  color: #FFF;
+  color: #bac3ca;
   background-color: inherit;
   border: inherit;
   border-radius: 3px;
@@ -2757,7 +2757,7 @@ th {
         padding: 10px 0px 10px 20px;
         line-height: 1.428571429;
         vertical-align: top;
-        border-top: 1px solid #191919;
+        border-top: 1px solid #1a262d;
       }
     }
 
@@ -2766,7 +2766,7 @@ th {
         padding: 10px 0px 10px 20px;
         line-height: 1.428571429;
         vertical-align: top;
-        border-top: 1px solid #191919;
+        border-top: 1px solid #1a262d;
       }
     }
 
@@ -2775,7 +2775,7 @@ th {
         padding: 10px 0px 10px 20px;
         line-height: 1.428571429;
         vertical-align: top;
-        border-top: 1px solid #191919;
+        border-top: 1px solid #1a262d;
       }
     }
 
@@ -2789,7 +2789,7 @@ th {
         font-family: 'SourceSansProSemibold';
         font-weight: normal;
         border-bottom: 1px solid #191919;
-        background-color: #202f3a;
+        background-color: #172229;
       }
     }
 
@@ -2799,7 +2799,7 @@ th {
         font-family: 'SourceSansProSemibold';
         font-weight: normal;
         border-bottom: 1px solid #191919;
-        background-color: #202f3a;
+        background-color: #172229;
       }
     }
 
@@ -2809,7 +2809,7 @@ th {
         font-family: 'SourceSansProSemibold';
         font-weight: normal;
         border-bottom: 1px solid #191919;
-        background-color: #202f3a;
+        background-color: #172229;
       }
     }
 
@@ -2875,13 +2875,13 @@ th {
 
 .table-striped > tbody > tr:nth-child(odd) > {
   td, th {
-    background-color: #1c2931;
+    background-color: #162026;
   }
 }
 
 .table-hover > tbody > tr:hover > {
   td, th {
-    background-color: #283b48;
+    background-color: #19262d;
   }
 }
 
@@ -3350,8 +3350,8 @@ select, textarea {
   padding: 6px 12px;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFF;
-  background-color: #21303a;
+  color: #bac3ca;
+  background-color: #1b272f;
   border: 1px solid #191919;
   border-radius: 3px;
   text-overflow: ellipsis;
@@ -3369,8 +3369,8 @@ input {
     padding: 6px 12px;
     font-size: 14px;
     line-height: 1.428571429;
-    color: #FFF;
-    background-color: #21303a;
+    color: #bac3ca;
+    background-color: #1b272f;
     border: 1px solid #191919;
     border-radius: 3px;
     text-overflow: ellipsis;
@@ -3382,32 +3382,32 @@ input {
 }
 
 select:hover, textarea:hover {
-  color: #FFF;
-  background-color: #172229;
+  color: #bac3ca;
+  background-color: #0f181e;
   border-color: #D77610;
   outline: 0;
 }
 
 input {
   &[type="text"]:hover, &[type="password"]:hover, &[type="datetime"]:hover, &[type="datetime-local"]:hover, &[type="date"]:hover, &[type="month"]:hover, &[type="time"]:hover, &[type="week"]:hover, &[type="number"]:hover, &[type="email"]:hover, &[type="url"]:hover, &[type="search"]:hover, &[type="tel"]:hover, &[type="color"]:hover {
-    color: #FFF;
-    background-color: #172229;
+    color: #bac3ca;
+    background-color: #0f181e;
     border-color: #D77610;
     outline: 0;
   }
 }
 
 select:focus, textarea:focus {
-  color: #FFF;
-  background-color: #172229;
+  color: #bac3ca;
+  background-color: #0f181e;
   border-color: #D77610;
   outline: 0;
 }
 
 input {
   &[type="text"]:focus, &[type="password"]:focus, &[type="datetime"]:focus, &[type="datetime-local"]:focus, &[type="date"]:focus, &[type="month"]:focus, &[type="time"]:focus, &[type="week"]:focus, &[type="number"]:focus, &[type="email"]:focus, &[type="url"]:focus, &[type="search"]:focus, &[type="tel"]:focus, &[type="color"]:focus {
-    color: #FFF;
-    background-color: #172229;
+    color: #bac3ca;
+    background-color: #0f181e;
     border-color: #D77610;
     outline: 0;
   }
@@ -4779,13 +4779,13 @@ select[multiple].input-lg, .form-horizontal .form-group-lg select[multiple].form
   border-radius: 3px;
   -ms-user-select: none;
   user-select: none;
-  color: #FFFFFF;
-  background-color: #21303a;
+  color: #bac3ca;
+  background-color: #1b272f;
   border: 1px solid #191919;
   outline: 0;
 
   &:active, &.active {
-    color: #FFF;
+    color: #bac3ca;
     background-color: #21303a;
     outline: 0;
     border-color: #191919;
@@ -4794,7 +4794,7 @@ select[multiple].input-lg, .form-horizontal .form-group-lg select[multiple].form
 }
 
 .open > .btn.dropdown-toggle {
-  color: #FFF;
+  color: #bac3ca;
   background-color: #21303a;
   outline: 0;
   border-color: #191919;
@@ -4804,7 +4804,7 @@ select[multiple].input-lg, .form-horizontal .form-group-lg select[multiple].form
 .btn {
   &:hover, &:focus {
     background-color: #d77610;
-    color: #FFF;
+    color: #bac3ca;
     border-radius: 3px;
     border: 1px solid #191919;
     text-decoration: none;
@@ -4861,7 +4861,7 @@ fieldset[disabled] .btn {
 
 .btn {
   .badge {
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #3e3e3e;
   }
 
@@ -4897,7 +4897,7 @@ fieldset[disabled] .btn {
 
 .act_flush {
   &:hover, &:focus {
-    color: #FFF;
+    color: #bac3ca;
     background-color: #d77610;
     border-color: 1px solid #191919;
     outline: 0;
@@ -4918,24 +4918,24 @@ fieldset[disabled] .btn {
 
 .btn-default {
   &.disabled {
-    background-color: #FFFFFF;
+    background-color: #bac3ca;
     border-color: 1px solid #191919;
     outline: 0;
 
     &:hover, &:focus, &:active, &.active {
-      background-color: #FFFFFF;
+      background-color: #bac3ca;
       border-color: 1px solid #191919;
       outline: 0;
     }
   }
 
   &[disabled] {
-    background-color: #FFFFFF;
+    background-color: #bac3ca;
     border-color: 1px solid #191919;
     outline: 0;
 
     &:hover, &:focus, &:active, &.active {
-      background-color: #FFFFFF;
+      background-color: #bac3ca;
       border-color: 1px solid #191919;
       outline: 0;
     }
@@ -4943,19 +4943,19 @@ fieldset[disabled] .btn {
 }
 
 fieldset[disabled] .btn-default {
-  background-color: #FFFFFF;
+  background-color: #bac3ca;
   border-color: 1px solid #191919;
   outline: 0;
 
   &:hover, &:focus, &:active, &.active {
-    background-color: #FFFFFF;
+    background-color: #bac3ca;
     border-color: 1px solid #191919;
     outline: 0;
   }
 }
 
 .btn-default .badge {
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: #3e3e3e;
   outline: 0;
 }
@@ -4967,7 +4967,7 @@ fieldset[disabled] .btn-default {
   outline: 0;
 
   &:hover, &:focus, &:active, &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #bf690e;
     border-color: 1px solid #191919;
     outline: 0;
@@ -4975,7 +4975,7 @@ fieldset[disabled] .btn-default {
 }
 
 .open > .btn-primary.dropdown-toggle {
-  color: #fff;
+  color: #bac3ca;
   background-color: #bf690e;
   border-color: 1px solid #191919;
   outline: 0;
@@ -5031,16 +5031,16 @@ fieldset[disabled] .btn-primary {
 
 .btn-primary .badge {
   color: #D77610;
-  background-color: #fff;
+  background-color: #bac3ca;
 }
 
 .btn-success {
-  color: #fff;
+  color: #bac3ca;
   background-color: #85ce53;
   border-color: #191919;
 
   &:hover, &:focus, &:active, &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #7fc54f;
     border-color: #191919;
     outline: 0;
@@ -5048,7 +5048,7 @@ fieldset[disabled] .btn-primary {
 }
 
 .open > .btn-success.dropdown-toggle {
-  color: #fff;
+  color: #bac3ca;
   background-color: #7fc54f;
   border-color: #191919;
   outline: 0;
@@ -5104,23 +5104,23 @@ fieldset[disabled] .btn-success {
 
 .btn-success .badge {
   color: #9BD275;
-  background-color: #fff;
+  background-color: #bac3ca;
 }
 
 .btn-info {
-  color: #fff;
+  color: #bac3ca;
   background-color: #226808;
   border-color: #191919;
 
   &:hover, &:focus, &:active, &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #dd630d;
     border-color: #191919;
   }
 }
 
 .open > .btn-info.dropdown-toggle {
-  color: #fff;
+  color: #bac3ca;
   background-color: #dd630d;
   border-color: #191919;
 }
@@ -5169,23 +5169,23 @@ fieldset[disabled] .btn-info {
 
 .btn-info .badge {
   color: #B0CDDB;
-  background-color: #fff;
+  background-color: #bac3ca;
 }
 
 .btn-warning {
-  color: #fff;
+  color: #bac3ca;
   background-color: #d77610;
   border-color: #191919;
 
   &:hover, &:focus, &:active, &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #EC7726;
     border-color: #191919;
   }
 }
 
 .open > .btn-warning.dropdown-toggle {
-  color: #fff;
+  color: #bac3ca;
   background-color: #EC7726;
   border-color: #191919;
 }
@@ -5234,23 +5234,23 @@ fieldset[disabled] .btn-warning {
 
 .btn-warning .badge {
   color: #f0ad4e;
-  background-color: #fff;
+  background-color: #bac3ca;
 }
 
 .btn-danger {
-  color: #fff;
+  color: #bac3ca;
   background-color: #CB4326;
   border-color: #1B4257;
 
   &:hover, &:focus, &:active, &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #B63B21;
     border-color: #1B4257;
   }
 }
 
 .open > .btn-danger.dropdown-toggle {
-  color: #fff;
+  color: #bac3ca;
   background-color: #B63B21;
   border-color: #1B4257;
 }
@@ -5299,7 +5299,7 @@ fieldset[disabled] .btn-danger {
 
 .btn-danger .badge {
   color: #F05050;
-  background-color: #fff;
+  background-color: #bac3ca;
 }
 
 .btn-link {
@@ -5457,8 +5457,8 @@ tbody.collapse.in {
   list-style: none;
   font-size: 14px;
   text-align: left;
-  background-color: #21303a;
-  color: #fff;
+  background-color: #172229;
+  color: #bac3ca;
   border-left: 1px solid #191919;
   border-right: 1px solid #191919;
   border-bottom: 1px solid #191919;
@@ -5491,25 +5491,25 @@ tbody.collapse.in {
       clear: both;
       font-weight: normal;
       line-height: 1.428571429;
-      color: #fff;
+      color: #bac3ca;
       white-space: nowrap;
       outline: 0;
 
       &:hover, &:focus {
         text-decoration: none;
-        color: #FFFFFF;
+        color: #bac3ca;
         background-color: #d77610;
       }
     }
 
     .active > a {
-      color: #fff;
+      color: #bac3ca;
       text-decoration: none;
       outline: 0;
       background-color: #d77610;
 
       &:hover, &:focus {
-        color: #fff;
+        color: #bac3ca;
         text-decoration: none;
         outline: 0;
         background-color: #d77610;
@@ -5726,7 +5726,7 @@ tbody.collapse.in {
   .dropdown-toggle {
     &:active, &:hover {
       outline: 0;
-      color: #FFFFFF;
+      color: #bac3ca;
       background-color: none;
       border-color: #000;
     }
@@ -5734,7 +5734,7 @@ tbody.collapse.in {
 
   &.open .dropdown-toggle {
     outline: 0;
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: none;
     border-color: #000;
   }
@@ -5942,7 +5942,7 @@ tbody.collapse.in {
   font-size: 14px;
   font-weight: normal;
   line-height: 1;
-  color: #FFF;
+  color: #bac3ca;
   text-align: center;
   background-color: #eeeeee;
   border: 1px solid #ccc;
@@ -6093,7 +6093,7 @@ tbody.collapse.in {
       position: relative;
       display: block;
       padding: 10px 15px;
-      color: #FFF;
+      color: #bac3ca;
       border-radius: 0px;
       border-top-right-radius: 10px;
       margin-right: 0px;
@@ -6108,7 +6108,7 @@ tbody.collapse.in {
   position: relative;
   display: block;
   padding: 10px 15px;
-  color: #FFF;
+  color: #bac3ca;
   border-radius: 0px;
   border-top-right-radius: 10px;
   margin-right: 0px;
@@ -6139,7 +6139,7 @@ tbody.collapse.in {
     &:hover, &:focus {
       text-decoration: none;
       background-color: #202f3a;
-      color: #FFF;
+      color: #bac3ca;
       opacity: 0.8;
     }
   }
@@ -6151,10 +6151,10 @@ a:focus {
 
 .nav {
   > li.disabled > a {
-    color: #fff;
+    color: #bac3ca;
 
     &:hover, &:focus {
-      color: #fff;
+      color: #bac3ca;
       text-decoration: none;
       background-color: #839caa;
       opacity: 0.9;
@@ -6229,12 +6229,12 @@ a:focus {
   }
 
   &.active > a {
-    color: #fff;
+    color: #bac3ca;
     background-color: #191919;
     opacity: 1.0;
 
     &:hover, &:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: #191919;
       opacity: 1.0;
     }
@@ -6742,14 +6742,14 @@ a:focus {
   }
 
   .navbar-toggle {
-    border-color: #FFF;
+    border-color: #bac3ca;
 
     &:hover, &:focus {
       background-color: #555;
     }
 
     .icon-bar {
-      background-color: #FFF;
+      background-color: #bac3ca;
     }
   }
 
@@ -6833,7 +6833,7 @@ fieldset[disabled] .navbar-default .btn-link {
     color: #777777;
 
     &:hover, &:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: transparent;
     }
   }
@@ -6847,17 +6847,17 @@ fieldset[disabled] .navbar-default .btn-link {
       color: #777777;
 
       &:hover, &:focus {
-        color: #fff;
+        color: #bac3ca;
         background-color: transparent;
       }
     }
 
     .active > a {
-      color: #fff;
+      color: #bac3ca;
       background-color: #090909;
 
       &:hover, &:focus {
-        color: #fff;
+        color: #bac3ca;
         background-color: #090909;
       }
     }
@@ -6881,7 +6881,7 @@ fieldset[disabled] .navbar-default .btn-link {
     }
 
     .icon-bar {
-      background-color: #fff;
+      background-color: #bac3ca;
     }
   }
 
@@ -6891,11 +6891,11 @@ fieldset[disabled] .navbar-default .btn-link {
 
   .navbar-nav > .open > a {
     background-color: #090909;
-    color: #fff;
+    color: #bac3ca;
 
     &:hover, &:focus {
       background-color: #090909;
-      color: #fff;
+      color: #bac3ca;
     }
   }
 
@@ -6903,7 +6903,7 @@ fieldset[disabled] .navbar-default .btn-link {
     color: #777777;
 
     &:hover {
-      color: #fff;
+      color: #bac3ca;
     }
   }
 
@@ -6911,7 +6911,7 @@ fieldset[disabled] .navbar-default .btn-link {
     color: #777777;
 
     &:hover, &:focus {
-      color: #fff;
+      color: #bac3ca;
     }
 
     &[disabled] {
@@ -6937,17 +6937,17 @@ fieldset[disabled] .navbar-default .btn-link {
         color: #777777;
 
         &:hover, &:focus {
-          color: #fff;
+          color: #bac3ca;
           background-color: transparent;
         }
       }
 
       .active > a {
-        color: #fff;
+        color: #bac3ca;
         background-color: #090909;
 
         &:hover, &:focus {
-          color: #fff;
+          color: #bac3ca;
           background-color: #090909;
         }
       }
@@ -7012,7 +7012,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
           padding: 6px 12px;
           line-height: 1.428571429;
           text-decoration: none;
-          color: #FFFFFF;
+          color: #bac3ca;
           background-color: #273946;
           border: 1px solid #191919;
           margin-left: -1px;
@@ -7038,14 +7038,14 @@ fieldset[disabled] .navbar-inverse .btn-link {
       > {
         a {
           &:hover, &:focus {
-            color: #FFFFFF;
+            color: #bac3ca;
             background-color: #d77610;
           }
         }
 
         span {
           &:hover, &:focus {
-            color: #FFFFFF;
+            color: #bac3ca;
             background-color: #d77610;
           }
         }
@@ -7055,13 +7055,13 @@ fieldset[disabled] .navbar-inverse .btn-link {
     .active > {
       a {
         z-index: 2;
-        color: #FFFFFF;
+        color: #bac3ca;
         background-color: #d77610;
         cursor: default;
 
         &:hover, &:focus {
           z-index: 2;
-          color: #FFFFFF;
+          color: #bac3ca;
           background-color: #d77610;
           cursor: default;
         }
@@ -7069,13 +7069,13 @@ fieldset[disabled] .navbar-inverse .btn-link {
 
       span {
         z-index: 2;
-        color: #FFFFFF;
+        color: #bac3ca;
         background-color: #d77610;
         cursor: default;
 
         &:hover, &:focus {
           z-index: 2;
-          color: #FFFFFF;
+          color: #bac3ca;
           background-color: #d77610;
           cursor: default;
         }
@@ -7084,24 +7084,24 @@ fieldset[disabled] .navbar-inverse .btn-link {
 
     .disabled > {
       span {
-        color: #FFF;
+        color: #bac3ca;
         background-color: #273946;
         cursor: not-allowed;
 
         &:hover, &:focus {
-          color: #FFF;
+          color: #bac3ca;
           background-color: #273946;
           cursor: not-allowed;
         }
       }
 
       a {
-        color: #FFF;
+        color: #bac3ca;
         background-color: #273946;
         cursor: not-allowed;
 
         &:hover, &:focus {
-          color: #FFF;
+          color: #bac3ca;
           background-color: #273946;
           cursor: not-allowed;
         }
@@ -7180,7 +7180,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
       a, span {
         display: inline-block;
         padding: 5px 14px;
-        background-color: #fff;
+        background-color: #bac3ca;
         border: 1px solid #ddd;
         border-radius: 15px;
       }
@@ -7209,19 +7209,19 @@ fieldset[disabled] .navbar-inverse .btn-link {
   .disabled > {
     a {
       color: #777777;
-      background-color: #fff;
+      background-color: #bac3ca;
       cursor: not-allowed;
 
       &:hover, &:focus {
         color: #777777;
-        background-color: #fff;
+        background-color: #bac3ca;
         cursor: not-allowed;
       }
     }
 
     span {
       color: #777777;
-      background-color: #fff;
+      background-color: #bac3ca;
       cursor: not-allowed;
     }
   }
@@ -7233,7 +7233,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
   font-size: 75%;
   font-weight: bold;
   line-height: 1;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   white-space: nowrap;
   vertical-align: baseline;
@@ -7251,7 +7251,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
 
 a.label {
   &:hover, &:focus {
-    color: #fff;
+    color: #bac3ca;
     text-decoration: none;
     cursor: pointer;
   }
@@ -7330,7 +7330,7 @@ a.label {
   padding: 3px 7px;
   font-size: 12px;
   font-weight: bold;
-  color: #fff;
+  color: #bac3ca;
   line-height: 1;
   vertical-align: baseline;
   white-space: nowrap;
@@ -7355,13 +7355,13 @@ a.label {
 
 a.list-group-item.active > .badge {
   color: #D77610;
-  background-color: #fff;
+  background-color: #bac3ca;
 }
 
 .nav-pills > {
   .active > a > .badge {
     color: #D77610;
-    background-color: #fff;
+    background-color: #bac3ca;
   }
 
   li > a > .badge {
@@ -7371,7 +7371,7 @@ a.list-group-item.active > .badge {
 
 a.badge {
   &:hover, &:focus {
-    color: #fff;
+    color: #bac3ca;
     text-decoration: none;
     cursor: pointer;
   }
@@ -7429,7 +7429,7 @@ a.badge {
   padding: 4px;
   margin-bottom: 20px;
   line-height: 1.428571429;
-  background-color: #fff;
+  background-color: #bac3ca;
   border: 1px solid #ddd;
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
@@ -7511,7 +7511,7 @@ a.thumbnail {
 .alert-info {
   background-color: #25323a;
   border: 1px solid #191919;
-  color: #FFF;
+  color: #bac3ca;
 
   hr {
     border-top-color: #DA4829;
@@ -7525,7 +7525,7 @@ a.thumbnail {
 .alert-warning {
   background-color: #1c2931;
   border: 1px solid #b92515;
-  color: #fff;
+  color: #bac3ca;
 
   hr {
     border-top-color: #f7e1b5;
@@ -7571,7 +7571,7 @@ a.thumbnail {
 
 .progress {
   margin-bottom: 3px;
-  color: #FFF;
+  color: #bac3ca;
   overflow: hidden;
   height: 20px;
   background-color: #162026;
@@ -7587,7 +7587,7 @@ a.thumbnail {
   height: 100%;
   font-size: 12px;
   line-height: 20px;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   background-color: #d77610;
   position: relative;
@@ -7655,7 +7655,7 @@ a.thumbnail {
 
 .progress-bar-warning {
   background-color: #CCB60F;
-  color: #FFFFFF !important;
+  color: #bac3ca !important;
 }
 
 .progress-striped .progress-bar-warning {
@@ -7724,7 +7724,7 @@ a.thumbnail {
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #1c2931;
+  background-color: #162026;
 
   &:last-child {
     margin-bottom: 0;
@@ -7740,7 +7740,7 @@ a.thumbnail {
 }
 
 a.list-group-item {
-  color: #FFF;
+  color: #bac3ca;
   border-radius: 0;
   outline: 0;
 
@@ -7750,8 +7750,8 @@ a.list-group-item {
 
   &:hover, &:focus {
     text-decoration: none;
-    color: #FFF;
-    background-color: #131C22;
+    color: #bac3ca;
+    background-color: #0e181e;
   }
 
   &:hover:before, &:focus:before {
@@ -7865,12 +7865,12 @@ a.list-group-item-success {
   }
 
   &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #9BD275;
     border-color: #9BD275;
 
     &:hover, &:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: #9BD275;
       border-color: #9BD275;
     }
@@ -7895,12 +7895,12 @@ a.list-group-item-info {
   }
 
   &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #31708f;
     border-color: #31708f;
 
     &:hover, &:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: #31708f;
       border-color: #31708f;
     }
@@ -7925,12 +7925,12 @@ a.list-group-item-warning {
   }
 
   &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #f0ad4e;
     border-color: #f0ad4e;
 
     &:hover, &:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: #f0ad4e;
       border-color: #f0ad4e;
     }
@@ -7955,12 +7955,12 @@ a.list-group-item-danger {
   }
 
   &.active {
-    color: #fff;
+    color: #bac3ca;
     background-color: #F05050;
     border-color: #F05050;
 
     &:hover, &:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: #F05050;
       border-color: #F05050;
     }
@@ -8370,7 +8370,7 @@ a.list-group-item-danger {
 
   > {
     .panel-heading {
-      color: #fff;
+      color: #bac3ca;
       border-color: #191919;
 
       + .panel-collapse > .panel-body {
@@ -8395,7 +8395,7 @@ a.list-group-item-danger {
 
   > {
     .panel-heading {
-      color: #FFF;
+      color: #bac3ca;
       border-color: #191919;
 
       + .panel-collapse > .panel-body {
@@ -8404,7 +8404,7 @@ a.list-group-item-danger {
 
       .badge {
         color: #D77610;
-        background-color: #fff;
+        background-color: #bac3ca;
       }
     }
 
@@ -8569,7 +8569,7 @@ a.list-group-item-danger {
   font-size: 21px;
   font-weight: bold;
   line-height: 1;
-  color: #FFFFFF;
+  color: #bac3ca;
   text-shadow: 0 1px 0 #000;
   opacity: 1;
   filter: alpha(opacity = 100);
@@ -8673,7 +8673,7 @@ button.close {
   border-bottom: 1px solid #191919;
   min-height: 16.42857px;
   background-color: #d77610;
-  color: #FFF;
+  color: #bac3ca;
 
   .close {
     margin-top: -2px;
@@ -8688,12 +8688,12 @@ button.close {
 .modal-body {
   position: relative;
   padding: 5px;
-  background-color: #131c22;
+  background-color: #0e181e;
 
   .table-hover > tbody > tr:hover > {
     td, th {
       background-color: #263640;
-      color: #FFF;
+      color: #bac3ca;
     }
   }
 }
@@ -8701,7 +8701,7 @@ button.close {
 .modal-footer {
   padding: 5px;
   text-align: right;
-  background-color: #131c22;
+  background-color: #0e181e;
   border-top: 1px solid inherit;
 
   &:before {
@@ -8798,7 +8798,7 @@ button.close {
 .tooltip-inner {
   max-width: 200px;
   padding: 3px 8px;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   text-decoration: none;
   background-color: #000;
@@ -8884,7 +8884,7 @@ button.close {
   max-width: 276px;
   padding: 1px;
   text-align: left;
-  background-color: #fff;
+  background-color: #bac3ca;
   background-clip: padding-box;
   border: 1px solid #ccc;
   border: 1px solid rgba(0, 0, 0, 0.3);
@@ -8965,7 +8965,7 @@ button.close {
       bottom: 1px;
       margin-left: -10px;
       border-bottom-width: 0;
-      border-top-color: #fff;
+      border-top-color: #bac3ca;
     }
   }
 
@@ -8982,7 +8982,7 @@ button.close {
       left: 1px;
       bottom: -10px;
       border-left-width: 0;
-      border-right-color: #fff;
+      border-right-color: #bac3ca;
     }
   }
 
@@ -8999,7 +8999,7 @@ button.close {
       top: 1px;
       margin-left: -10px;
       border-top-width: 0;
-      border-bottom-color: #fff;
+      border-bottom-color: #bac3ca;
     }
   }
 
@@ -9015,7 +9015,7 @@ button.close {
       content: " ";
       right: 1px;
       border-right-width: 0;
-      border-left-color: #fff;
+      border-left-color: #bac3ca;
       bottom: -10px;
     }
   }
@@ -9096,7 +9096,7 @@ button.close {
   opacity: 0.5;
   filter: alpha(opacity = 50);
   font-size: 20px;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
 
@@ -9120,7 +9120,7 @@ button.close {
 
   &:hover, &:focus {
     outline: 0;
-    color: #fff;
+    color: #bac3ca;
     text-decoration: none;
     opacity: 0.9;
     filter: alpha(opacity = 90);
@@ -9176,7 +9176,7 @@ button.close {
     height: 10px;
     margin: 1px;
     text-indent: -999px;
-    border: 1px solid #fff;
+    border: 1px solid #bac3ca;
     border-radius: 10px;
     cursor: pointer;
     background-color: #000 \9;
@@ -9187,7 +9187,7 @@ button.close {
     margin: 0;
     width: 12px;
     height: 12px;
-    background-color: #fff;
+    background-color: #bac3ca;
   }
 }
 
@@ -9199,7 +9199,7 @@ button.close {
   z-index: 10;
   padding-top: 20px;
   padding-bottom: 20px;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
 
@@ -9268,7 +9268,7 @@ button.close {
 
 .show {
   display: block !important;
-  color: #22C400;
+  color: #bac3ca;
 }
 
 .invisible {
@@ -9528,16 +9528,16 @@ html {
   height: 100%;
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
-  scrollbar-color: #1c2931 #131c22;
-  background-color: #131c22;
+  scrollbar-color: #1c2931 #0e181e;
+  background-color: #0e181e;
 }
 
 body {
   height: 100%;
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
-  scrollbar-color: #1c2931 #131c22;
-  background-color: #131c22;
+  scrollbar-color: #1c2931 #0e181e;
+  background-color: #0e181e;
   touch-action: manipulation;
   min-width: 320px;
 }
@@ -9571,8 +9571,8 @@ body {
 
 .page-content-head {
   .container-fluid {
-    color: #FFF;
-    background-color: #1a262d;
+    color: #bac3ca;
+    background-color: #172229;
     margin-left: 20px;
     margin-right: 20px;
     border-top: 1px solid #191919;
@@ -9582,16 +9582,17 @@ body {
     padding: 7px 14px 5px 14px;
     -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
     box-shadow: 0 3px 4px rgb(23, 23, 23);
+    border-radius: 0.5em 0.5em 0.5em 0.5em;
   }
 
   padding-bottom: 2px;
-  padding-top: 8px;
+  padding-top: 10px;
   color: #000;
 }
 
 .content-box-head {
   padding-bottom: 2px;
-  padding-top: 8px;
+  padding-top: 10px;
   color: #000;
 }
 
@@ -9606,7 +9607,7 @@ body {
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 10px 0px 21px 0px;
+  padding: 7px 0px 21px 0px;
 }
 
 .page-side {
@@ -9636,14 +9637,14 @@ body {
   position: fixed;
   height: 20px;
   background-color: #172229;
-  color: #FFF;
+  color: #bac3ca;
   border-top: 1px solid #191919;
 }
 
 .content-box {
   padding: 0px 0px;
   margin: 0px 0px;
-  background-color: none;
+  background-color: #162026 !important;
   border: 1px solid #111;
   -webkit-box-shadow: 0px 3px 3px rgba(17, 17, 17, 0.8);
   box-shadow: 0px 3px 3px rgba(17, 17, 17, 0.8);
@@ -9714,7 +9715,7 @@ body {
 }
 
 .page-login {
-  background: #131c22;
+  background: #121c22;
 
   .container {
     min-height: 100%;
@@ -9726,7 +9727,7 @@ body {
   }
 
   .login-foot {
-    color: #FFF;
+    color: #bac3ca;
   }
 }
 
@@ -9874,7 +9875,7 @@ main.page-content.col-lg-12 {
 
       a.list-group-item.active-menu-title {
         color: #d77610 !important;
-        background-color: #131C22 !important;
+        background-color: #0e181e !important;
       }
     }
   }
@@ -9882,13 +9883,13 @@ main.page-content.col-lg-12 {
 
 a.list-group-item.active-menu-title.collapsed {
   color: #d77610 !important;
-  background-color: #131C22 !important;
+  background-color: #0e181e !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > {
   a.list-group-item[aria-expanded="true"] {
     color: #d77610 !important;
-    background-color: #131C22 !important;
+    background-color: #0e181e !important;
   }
 
   div {
@@ -9897,14 +9898,14 @@ a.list-group-item.active-menu-title.collapsed {
         > {
           a.list-group-item[aria-expanded="true"], div.collapse.in > a.list-group-item.menu-level-3-item.active {
             color: #d77610 !important;
-            background-color: #131C22 !important;
+            background-color: #0e181e !important;
           }
         }
 
         > div.collapse.in > a.list-group-item {
           padding-left: 10px !important;
           font-size: 14px !important;
-          background-color: #1c2931 !important;
+          background-color: #162026 !important;
           opacity: 0.98;
         }
       }
@@ -9912,7 +9913,7 @@ a.list-group-item.active-menu-title.collapsed {
       > a.list-group-item {
         padding-left: 10px !important;
         font-size: 14px !important;
-        background-color: #1c2931 !important;
+        background-color: #162026 !important;
         opacity: 0.98;
       }
 
@@ -9937,7 +9938,7 @@ a.list-group-item.active-menu-title.collapsed {
       &.in > div.collapse.in > a.list-group-item:hover {
         text-decoration: none !important;
         color: #D77610 !important;
-        background-color: #131C22 !important;
+        background-color: #0e181e !important;
       }
     }
   }
@@ -9946,32 +9947,32 @@ a.list-group-item.active-menu-title.collapsed {
 a.list-group-item:focus {
   text-decoration: none !important;
   color: #D77610 !important;
-  background-color: #131C22 !important;
+  background-color: #0e181e !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item {
   &.active-menu-title, &:hover {
     color: #D77610 !important;
-    background-color: #131C22 !important;
+    background-color: #0e181e !important;
   }
 }
 
 a.list-group-item:focus {
   color: #D77610 !important;
-  background-color: #131C22 !important;
+  background-color: #0e181e !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div {
   &.collapse.in > a.list-group-item {
     &.collapsed:focus, &:focus {
       color: #D77610 !important;
-      background-color: #131C22 !important;
+      background-color: #0e181e !important;
     }
   }
 
   &.active-menu.collapse.in > a.list-group-item.active {
     color: #D77610 !important;
-    background-color: #131C22 !important;
+    background-color: #0e181e !important;
   }
 
   &.collapse.in {
@@ -10014,7 +10015,7 @@ a.list-group-item:focus {
 }
 
 button.toggle-sidebar {
-  color: #FFF;
+  color: #bac3ca;
   background-color: transparent;
   font-size: 14px;
   border: none;
@@ -10076,7 +10077,7 @@ button.toggle-sidebar {
       }
 
       &.active > a {
-        background: #202f3a !important;
+        background: #162026 !important;
         outline: 0;
       }
 
@@ -10107,7 +10108,7 @@ button.toggle-sidebar {
       background: #818180;
 
       > a {
-        color: #FFFFFF;
+        color: #bac3ca;
         font-family: 'SourceSansProSemibold';
       }
     }
@@ -10235,7 +10236,7 @@ button.toggle-sidebar {
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #131C22;
+  background-color: #0e181e;
 }
 
 .active-menu-title:before, .active-menu a:before {
@@ -10243,13 +10244,13 @@ button.toggle-sidebar {
 }
 
 .active-menu-title.active {
-  background-color: #131C22;
+  background-color: #0e181e;
   color: #d77610;
 }
 
 .active-menu a {
   &.active {
-    background-color: #131C22;
+    background-color: #0e181e;
     color: #d77610;
   }
 
@@ -10259,7 +10260,7 @@ button.toggle-sidebar {
 }
 
 .alert.alert-danger {
-  color: #FFF !important;
+  color: #bac3ca !important;
 }
 
 .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
@@ -10326,7 +10327,7 @@ select {
   overflow: hidden;
   border: 1px solid #191919;
   background-color: #21303a;
-  color: #FFF;
+  color: #bac3ca;
   -webkit-appearance: none;
   -moz-appearance: none;
   appearance: none;
@@ -10339,7 +10340,7 @@ select {
     overflow: hidden;
     border: 1px solid #191919;
     background-color: #21303a;
-    color: #FFF;
+    color: #bac3ca;
     -webkit-appearance: none;
     -moz-appearance: none;
     appearance: none;
@@ -10440,7 +10441,7 @@ label > input {
 
   .ipsec-tab {
     background-color: #202f3a !important;
-    color: #FFF !important;
+    color: #bac3ca !important;
     opacity: 0.5;
 
     &.activetab {
@@ -10453,17 +10454,17 @@ label > input {
 
 .fw_pass {
   background-color: #203a23 !important;
-  color: #FFF;
+  color: #bac3ca;
 }
 
 .fw_block {
   background-color: #551e1e !important;
-  color: #FFF;
+  color: #bac3ca;
 }
 
 .fw_nat {
   background-color: #7B681D !important;
-  color: #FFF;
+  color: #bac3ca;
 }
 
 /*additional extensions for theme-vicuna*/
@@ -10477,14 +10478,14 @@ textarea#update_status {
   -webkit-box-shadow: none !important;
   box-shadow: none !important;
   border: none !important;
-  background-color: #25323a;
+  background-color: #162026;
 
   &:hover {
     color: inherit !important;
     -webkit-box-shadow: none !important;
     box-shadow: none !important;
     border: none !important;
-    background-color: #25323a;
+    background-color: #162026;
   }
 }
 
@@ -10527,23 +10528,23 @@ textarea#update_status {
 
 div.container-fluid > {
   .fa-search::before, .fa-refresh::before {
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
   }
 }
 
 .panel-heading h3:hover {
-  color: #FFFFFF;
+  color: #bac3ca;
   text-decoration: none;
 }
 
 h3 {
   &:focus {
-    color: #FFFFFF;
+    color: #bac3ca;
     text-decoration: none;
   }
 
   &:link {
-    color: #FFFFFF;
+    color: #bac3ca;
     text-decoration: underline;
   }
 
@@ -10563,7 +10564,7 @@ h3 {
 .btn-group.bootstrap-select {
   &.open, &:hover {
     border-color: #191919 !important;
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
   }
 }
 
@@ -10601,6 +10602,10 @@ h3 {
   &.fa-play.text-muted::before {
     color: #d7af10 !important;
   }
+
+  &.fa-info-circle {
+    color: #D77610;
+  }
 }
 
 #system_log-widgets.content-box {
@@ -10621,7 +10626,7 @@ h3 {
 }
 
 .no-data {
-  color: #FFF !important;
+  color: #bac3ca !important;
   background-color: #1a262d !important;
 }
 
@@ -10672,17 +10677,17 @@ input[type="checkbox"] {
 
     &.active {
       background-color: #d77610 !important;
-      color: #ffffff !important;
+      color: #bac3ca !important;
 
       &:hover {
         background-color: #d77610 !important;
-        color: #ffffff !important;
+        color: #bac3ca !important;
       }
     }
 
     span:hover {
       background: #d77610 !important;
-      color: #ffffff !important;
+      color: #bac3ca !important;
     }
   }
 }
@@ -10696,15 +10701,14 @@ input[type="checkbox"] {
     border-bottom: 1px solid #4a4a4a;
     min-height: 16.42857px;
     background-color: #243139;
-    color: #FFF;
+    color: #bac3ca;
   }
 
-.modal-side {
   background-color: #1a262d !important;
 }
 
 .panel-report-tools:hover {
-  color: #fff !important;
+  color: #bac3ca !important;
 }
 
 .alert-primary {
@@ -10713,11 +10717,11 @@ input[type="checkbox"] {
 }
 
 label.btn.au-target {
-  color: #FFF !important;
+  color: #bac3ca !important;
 }
 
 .preloader-wrapper {
-  background-color: #131c22 !important;
+  background-color: #121c22 !important;
 }
 
 .border-bottom {
@@ -10742,7 +10746,7 @@ ul.jqtree-tree {
       color: #dd630d !important;
     }
 
-    color: #fff !important;
+    color: #bac3ca !important;
   }
 
   .jqtree-title {
@@ -10765,7 +10769,7 @@ ul.jqtree-tree {
 
 .interface-table-tr td {
   background-color: #d77610 !important;
-  color: #FFF !important;
+  color: #bac3ca !important;
 }
 
 .table.border {
@@ -10789,7 +10793,7 @@ ul.jqtree-tree {
 router-view {
   .text-success.m-r-5 {
     font-weight: bold;
-    color: #fff;
+    color: #bac3ca;
   }
 
   .text-danger.m-r-5 {
@@ -10807,5 +10811,5 @@ router-view {
 }
 
 #introduction a.btn-info {
-  color: #FFF !important;
+  color: #bac3ca !important;
 }
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
new file mode 100644
index 0000000000..1f305478db
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
@@ -0,0 +1,284 @@
+.fa-spinner {
+    font-size: 2em;
+}
+
+.grid-stack-item-content {
+  text-align: center;
+  border-style: solid;
+  border-color: rgba(25, 25, 25, 0.72);
+  border-width: 2px;
+  background-color: #1a262d;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+}
+
+.widget-content {
+    position: relative;
+    width: 100%;
+    height: 100%;
+    padding: 1px;
+    cursor: grab;
+}
+
+.widget-header {
+    margin-top: 0.5em;
+    margin-left: 1em;
+    margin-right: 1em;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+}
+
+.widget-spinner {
+    margin-top: 20px;
+}
+
+.fa-stack.small {
+    font-size: 0.5em;
+}
+
+.close-handle {
+    vertical-align: middle;
+    text-align: right;
+    cursor: pointer;
+}
+
+.close-handle > i {
+    font-size: 0.7em;
+}
+
+.panel-divider {
+    width: 100%;
+    text-align: center;
+    height: 8px;
+    margin-bottom: 10px;
+}
+
+table {
+    table-layout: fixed;
+}
+
+td {
+    word-break: break-all;
+}
+
+.line {
+    display: inline-block;
+    height: 1px;
+    width: 70%;
+    background: #d94f00;
+    margin: 5px;
+}
+
+.canvas-container {
+    position: relative;
+}
+
+.cpu-canvas-container {
+    display: flex;
+    flex-direction: column;
+}
+
+.smoothie-container {
+    width: 100%;
+}
+
+.smoothie-chart-tooltip {
+  z-index: 1; /* necessary to force to foreground */
+  background: rgba(50, 50, 50, 0.9);
+  padding-left: 15px;
+  padding-right: 15px;
+  color: white;
+  font-size: 13px;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+  pointer-events: none;
+}
+
+.flex-container {
+    display: flex;
+    flex-wrap: nowrap;
+    white-space: nowrap;
+}
+
+.gateway-info {
+  margin: 5px;
+  padding: 5px;
+  font-size: 13px;
+}
+
+.gateway-detail-container {
+    display: none;
+    margin: 5px;
+}
+
+.interface-info {
+    display: flex;
+    flex-wrap: wrap;
+    align-items: center;
+    height: 100%;
+}
+
+.nowrap {
+    flex-wrap: nowrap;
+}
+
+.gateway-graph {
+    display: none;
+}
+
+.flex-container > .gateway-graph {
+    font-size: 13px;
+}
+
+.vertical-center-row {
+    height: 100%;
+    display: inline;
+}
+
+.interfaces-info {
+  margin: 5px;
+  font-size: 13px;
+}
+
+.interface-descr {
+    margin-left: 10px;
+    font-size: 15px;
+    cursor: pointer;
+    text-decoration: underline;
+}
+
+.interfaces-detail-container {
+    margin: 5px;
+    display: none;
+}
+
+.d-flex {
+    display: flex;
+}
+
+.d-flex > .justify-content-start {
+    justify-content: start;
+}
+
+.d-flex > .justify-content-end {
+    justify-content: end;
+}
+
+#chartjs-toolip {
+    z-index: 20;
+}
+
+/* CPU widget */
+.cpu-type {
+    margin-bottom: 10px;
+    margin-top: 10px;
+}
+/* ----- */
+
+/* Custom flex table */
+div {
+    box-sizing: border-box;
+}
+
+.flextable-container {
+    display: block;
+    margin: 2em auto;
+    width: 95%;
+    max-width: 1200px;
+}
+
+.flextable-header {
+    display: flex;
+    flex-flow: row wrap;
+    transition: 0.5s;
+    padding: 0.5em 0.5em;
+    border-top: solid 1px rgba(217, 79, 0, 0.15);
+}
+
+.flextable-row {
+    display: flex;
+    flex-flow: row wrap;
+    transition: 0.5s;
+    padding: 0.5em 0.5em;
+    border-top: solid 1px rgba(255, 255, 255, 0.06);
+    align-items: center;
+}
+
+.flextable-header .flex-cell {
+    font-weight: bold;
+}
+
+.flextable-row:hover {
+    background: #131c22;
+    transition: 500ms;
+}
+
+.flex-cell {
+    text-align: left;
+    word-break: break-word;
+}
+
+.column {
+    display: flex;
+    flex-flow: column wrap;
+    width: 50%;
+    padding: 0;
+}
+.column .flex-cell {
+    display: flex;
+    flex-flow: row wrap;
+    width: 100%;
+    padding: 0;
+    border: 0;
+    border-top: rgb(59, 59, 59);
+}
+.column .flex-cell:hover {
+    background: none !important;
+    transition: 500ms;
+}
+.flex-subcell {
+    width: 100%;
+    text-align: left;
+}
+
+.column .flex-cell:not(:last-child) {
+    border-bottom: none !important;
+}
+/* ----- */
+
+/* CSS grid responsive table */
+.grid-header-container {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+}
+
+.grid-row {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+    background-color: #f7e2d6; /* fade-in color, transitions to transparent */
+    border-top: 1px solid #f7e2d6;
+    transition: 0.5s;
+    opacity: 0.4;
+}
+
+.grid-row:hover {
+    background: #F5F5F5 !important;
+    transition: 500ms;
+}
+
+.grid-header {
+    border-top: 1px solid #f7e2d6;
+    font-weight: bold;
+}
+
+.grid-item {
+    border: 1 px solid #ccc;
+    padding: 4px;
+    text-align: center;
+}
+/* ----- */
+
+:root {
+    --chart-js-background-color: #bac3ca;
+    --chart-js-border-color: #bac3ca;
+    --chart-js-font-color: #bac3ca;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css
index 1d1a9108e6..430bf70c17 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dns-overview.css
@@ -9,7 +9,7 @@
 
 .stats-element {
     height: 5em;
-    background: #1b2b35;
+    background: #172229;
     overflow: hidden;
     display: flex;
     justify-content: flex-start;
@@ -22,7 +22,7 @@
     height: auto;
     width: 50%;
     object-fit:cover;
-    background: #1a262d;
+    background: #131c22;
     border-radius: 0 2em 2em 0 / 0 3em 3em 0;
     box-shadow: 3px 5px 1px 3px rgb(15, 24, 30);
 }
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index ef2def6fff..3b43e7ea98 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -9,11 +9,11 @@
   min-height: 25px !important; }
 
   .widgetdiv .content-box-head .btn-group .btn {
-    color: #FFFFFF !important;
+    color: #bac3ca !important;
     background: none;
     border: 0px; }
     .widgetdiv .content-box-head .btn-group .btn .glyphicon {
-      color: #FFFFFF !important; }
+      color: #bac3ca !important; }
   .widgetdiv .content-box-head .list-inline li > h3 {
     padding-top: 4px; }
 
@@ -66,7 +66,7 @@ template {
   display: none; }
 
 a {
-  color: #D77610;
+  color: #d77610;
   text-decoration: none;
   background: transparent;
   outline: 0;  }
@@ -75,7 +75,7 @@ a {
 	outline: 0; }
 
   a:hover, a:focus {
-    color: #D77610;
+    color: #bac3ca;
     text-decoration: underline; }
 
 abbr[title] {
@@ -208,8 +208,8 @@ optgroup {
 table {
   border-collapse: none;
   border-spacing: 0;
-  color: #FFF;
-  background-color: #1a262d;
+  color: #bac3ca;
+  background-color: #162026;
   width: 100%; }
 
 td,
@@ -263,14 +263,14 @@ th {
     page-break-after: avoid; }
 
   select {
-    background: #fff !important; }
+    background: #bac3ca !important; }
 
   .navbar {
     display: none; }
 
   .table td,
   .table th {
-    background-color: #fff !important; }
+    background-color: #bac3ca !important; }
 
   .btn > .caret,
   .dropup > .btn > .caret {
@@ -329,7 +329,7 @@ th {
 
 .icon.glyphicon.input-group-addon.glyphicon-search:before, .glyphicon-search:before {
   content: "\e003";
-  color: #FFF !important; }
+  color: #bac3ca !important; }
 
 .glyphicon-heart:before {
   content: "\e005"; }
@@ -925,7 +925,7 @@ body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFF;
+  color: #bac3ca;
 }
 
 input,
@@ -954,7 +954,7 @@ img {
 .img-thumbnail {
   padding: 4px;
   line-height: 1.428571429;
-  background-color: #fff;
+  background-color: #bac3ca;
   border: 1px solid #ddd;
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
@@ -1151,7 +1151,7 @@ a.text-danger:hover {
   color: #D8482A; }
 
 .bg-primary {
-  color: #fff; }
+  color: #bac3ca; }
 
 .bg-primary {
   background-color: #D77610; }
@@ -1317,7 +1317,7 @@ code {
 kbd {
   padding: 2px 4px;
   font-size: 90%;
-  color: #fff;
+  color: #bac3ca;
   background-color: #191919;
   border-radius: 3px;
   box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25); }
@@ -1334,7 +1334,7 @@ pre {
   line-height: 1.428571429;
   word-break: break-all;
   word-wrap: break-word;
-  color: #FFF;
+  color: #bac3ca;
   background-color: inherit;
   border: inherit;
   border-radius: 3px; }
@@ -2037,7 +2037,7 @@ th {
     padding: 10px 0px 10px 20px;
     line-height: 1.428571429;
     vertical-align: top;
-    border-top: 1px solid #191919; }
+    border-top: 1px solid #1a262d; }
   .table > thead > tr > th {
     vertical-align: bottom;  }
   .table > caption + thead > tr:first-child > th,
@@ -2050,7 +2050,7 @@ th {
     font-family: 'SourceSansProSemibold';
     font-weight: normal;
     border-bottom: 1px solid #191919;
-    background-color: #202f3a;}
+    background-color: #172229;}
   .table > tbody + tbody {
     border-top: 2px solid #eee; }
   .table .table {
@@ -2079,11 +2079,11 @@ th {
 
 .table-striped > tbody > tr:nth-child(odd) > td,
 .table-striped > tbody > tr:nth-child(odd) > th {
-  background-color: #1c2931; }
+  background-color: #162026; }
 
 .table-hover > tbody > tr:hover > td,
 .table-hover > tbody > tr:hover > th {
-  background-color: #283b48; }
+  background-color: #19262d; }
 
 table col[class*="col-"] {
   position: static;
@@ -2299,8 +2299,8 @@ input[type="color"]
   padding: 6px 12px;
   font-size: 14px;
   line-height: 1.428571429;
-  color: #FFF;
-  background-color: #21303a;
+  color: #bac3ca;
+  background-color: #1b272f;
   border: 1px solid #191919;
   border-radius: 3px;
   text-overflow: ellipsis;
@@ -2326,8 +2326,8 @@ input[type="color"]
   input[type="tel"]:hover,
   input[type="color"]:hover
    {
-	color: #FFF;
-	background-color: #172229;
+	color: #bac3ca;
+	background-color: #0f181e;
   border-color: #D77610;
 	outline: 0; }
 
@@ -2349,8 +2349,8 @@ input[type="color"]
   input[type="color"]:focus
 
    {
-	color: #FFF;
-	background-color: #172229;
+	color: #bac3ca;
+	background-color: #0f181e;
   border-color: #D77610;
 	outline: 0; }
 
@@ -2892,12 +2892,12 @@ select[multiple].input-lg,
   border-radius: 3px;
   -ms-user-select: none;
   user-select: none;
-  color: #FFFFFF;
-  background-color: #21303a;
+  color: #bac3ca;
+  background-color: #1b272f;
   border: 1px solid #191919;
   outline:0; }
 .btn:active, .btn.active, .open > .btn.dropdown-toggle {
-  color: #FFF;
+  color: #bac3ca;
   background-color: #21303a;
   outline:0;
   border-color: #191919;
@@ -2905,7 +2905,7 @@ select[multiple].input-lg,
 
 .btn:hover, .btn:focus {
 	background-color: #d77610;
-	color: #FFF;
+	color: #bac3ca;
 	border-radius: 3px;
 	border: 1px solid #191919;
 	text-decoration: none;}
@@ -2919,7 +2919,7 @@ select[multiple].input-lg,
 	outline:0; }
 
   .btn .badge {
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #3e3e3e; }
   .btn:focus, .btn:active:focus, .btn.active:focus {
     outline: thin dotted;
@@ -2938,7 +2938,7 @@ select[multiple].input-lg,
     box-shadow: none; }
 
 .act_flush:hover, .act_flush:focus {
-  color: #FFF;
+  color: #bac3ca;
   background-color: #d77610;
   border-color: 1px solid #191919;
   outline:0; }
@@ -2947,11 +2947,11 @@ select[multiple].input-lg,
     background-color: #d77610;
     outline:0; }
   .btn-default.disabled, .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active, .btn-default[disabled], .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active, fieldset[disabled] .btn-default, fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
-    background-color: #FFFFFF;
+    background-color: #bac3ca;
     border-color: 1px solid #191919;
     outline:0; }
   .btn-default .badge {
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #3e3e3e;
     outline:0; }
 
@@ -2961,7 +2961,7 @@ select[multiple].input-lg,
   border: 1px solid #191919;
   outline:0;   }
   .btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
-    color: #fff;
+    color: #bac3ca;
     background-color: #bf690e;
     border-color: 1px solid #191919;
     outline:0; }
@@ -2975,14 +2975,14 @@ select[multiple].input-lg,
 
   .btn-primary .badge {
     color: #D77610;
-    background-color: #fff; }
+    background-color: #bac3ca; }
 
 .btn-success {
-  color: #fff;
+  color: #bac3ca;
   background-color: #85ce53;
   border-color: #191919; }
   .btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
-    color: #fff;
+    color: #bac3ca;
     background-color: #7fc54f;
     border-color: #191919;
 	outline:0; }
@@ -2995,14 +2995,14 @@ select[multiple].input-lg,
 
   .btn-success .badge {
     color: #9BD275;
-    background-color: #fff; }
+    background-color: #bac3ca; }
 
 .btn-info {
-  color: #fff;
+  color: #bac3ca;
   background-color: #226808;
   border-color: #191919; }
   .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
-    color: #fff;
+    color: #bac3ca;
     background-color: #dd630d;
     border-color: #191919; }
 
@@ -3014,14 +3014,14 @@ select[multiple].input-lg,
 
   .btn-info .badge {
     color: #B0CDDB;
-    background-color: #fff; }
+    background-color: #bac3ca; }
 
 .btn-warning {
-  color: #fff;
+  color: #bac3ca;
   background-color: #d77610;
   border-color: #191919; }
   .btn-warning:hover, .btn-warning:focus, .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
-    color: #fff;
+    color: #bac3ca;
     background-color: #EC7726;
     border-color: #191919; }
 
@@ -3033,14 +3033,14 @@ select[multiple].input-lg,
 
   .btn-warning .badge {
     color: #f0ad4e;
-    background-color: #fff; }
+    background-color: #bac3ca; }
 
 .btn-danger {
-  color: #fff;
+  color: #bac3ca;
   background-color: #CB4326;
   border-color: #1B4257; }
   .btn-danger:hover, .btn-danger:focus, .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
-    color: #fff;
+    color: #bac3ca;
     background-color: #B63B21;
     border-color: #1B4257; }
   .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
@@ -3050,7 +3050,7 @@ select[multiple].input-lg,
     border-color: #ee3939; }
   .btn-danger .badge {
     color: #F05050;
-    background-color: #fff; }
+    background-color: #bac3ca; }
 
 .btn-link {
   color: #D77610;
@@ -3161,8 +3161,8 @@ tbody.collapse.in {
   list-style: none;
   font-size: 14px;
   text-align: left;
-  background-color: #21303a;
-  color: #fff;
+  background-color: #172229;
+  color: #bac3ca;
   border-left: 1px solid #191919;
   border-right: 1px solid #191919;
   border-bottom: 1px solid #191919;
@@ -3191,17 +3191,17 @@ tbody.collapse.in {
     clear: both;
     font-weight: normal;
     line-height: 1.428571429;
-    color: #fff;
+    color: #bac3ca;
     white-space: nowrap;
 	outline:0;}
 
 .dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus {
   text-decoration: none;
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: #d77610; }
 
 .dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus {
-  color: #fff;
+  color: #bac3ca;
   text-decoration: none;
   outline: 0;
   background-color: #d77610; }
@@ -3342,7 +3342,7 @@ tbody.collapse.in {
 
 .btn-group .dropdown-toggle:active, .btn-group .dropdown-toggle:hover, .btn-group.open .dropdown-toggle {
   outline: 0;
-  color: #FFFFFF;
+  color: #bac3ca;
   background-color: none;
   border-color: #000; }
 
@@ -3470,7 +3470,7 @@ tbody.collapse.in {
   font-size: 14px;
   font-weight: normal;
   line-height: 1;
-  color: #FFF;
+  color: #bac3ca;
   text-align: center;
   background-color: #eeeeee;
   border: 1px solid #ccc;
@@ -3550,7 +3550,7 @@ tbody.collapse.in {
 		position: relative;
 		display: block;
 		padding: 10px 15px;
-		color: #FFF;
+		color: #bac3ca;
 		border-radius: 0px;
 		border-top-right-radius: 10px;
 		margin-right: 0px;
@@ -3569,15 +3569,15 @@ tbody.collapse.in {
       .nav > li > a:hover, .nav > li > a:focus {
         text-decoration: none;
         background-color: #202f3a;
-		color: #FFF;
+		color: #bac3ca;
 		opacity: 0.8; }
 		.nav > li#menu_messages > a:hover, a:focus {
 		text-decoration: underline; }
 
     .nav > li.disabled > a {
-		color: #fff; }
+		color: #bac3ca; }
       .nav > li.disabled > a:hover, .nav > li.disabled > a:focus {
-		  color: #fff;
+		  color: #bac3ca;
 		  text-decoration: none;
 		  background-color: #839caa;
 		  opacity:0.9;
@@ -3617,7 +3617,7 @@ tbody.collapse.in {
   .nav-pills > li > a {
     border-radius: 0; }
   .nav-pills > li.active > a, .nav-pills > li.active > a:hover, .nav-pills > li.active > a:focus {
-    color: #fff;
+    color: #bac3ca;
     background-color: #191919;
 	opacity: 1.0; }
 
@@ -3941,11 +3941,11 @@ tbody.collapse.in {
     color: #ccc;
     background-color: transparent; }
   .navbar-default .navbar-toggle {
-    border-color: #FFF; }
+    border-color: #bac3ca; }
     .navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus {
       background-color: #555; }
     .navbar-default .navbar-toggle .icon-bar {
-      background-color: #FFF; }
+      background-color: #bac3ca; }
 	.navbar-default .navbar-nav > .open > a, .navbar-default .navbar-nav > .open > a:hover, .navbar-default .navbar-nav > .open > a:focus {
     background-color: #2b2b2b;
     color: #555; }
@@ -3978,7 +3978,7 @@ tbody.collapse.in {
   .navbar-inverse .navbar-brand {
     color: #777777; }
     .navbar-inverse .navbar-brand:hover, .navbar-inverse .navbar-brand:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: transparent; }
 
   .navbar-inverse .navbar-text {
@@ -3986,10 +3986,10 @@ tbody.collapse.in {
   .navbar-inverse .navbar-nav > li > a {
     color: #777777; }
     .navbar-inverse .navbar-nav > li > a:hover, .navbar-inverse .navbar-nav > li > a:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: transparent; }
   .navbar-inverse .navbar-nav > .active > a, .navbar-inverse .navbar-nav > .active > a:hover, .navbar-inverse .navbar-nav > .active > a:focus {
-    color: #fff;
+    color: #bac3ca;
     background-color: #090909; }
   .navbar-inverse .navbar-nav > .disabled > a, .navbar-inverse .navbar-nav > .disabled > a:hover, .navbar-inverse .navbar-nav > .disabled > a:focus {
     color: #3e3e3e;
@@ -4000,13 +4000,13 @@ tbody.collapse.in {
       background-color: #191919; }
 
     .navbar-inverse .navbar-toggle .icon-bar {
-      background-color: #fff; }
+      background-color: #bac3ca; }
   .navbar-inverse .navbar-collapse,
   .navbar-inverse .navbar-form {
     border-color: #101010; }
   .navbar-inverse .navbar-nav > .open > a, .navbar-inverse .navbar-nav > .open > a:hover, .navbar-inverse .navbar-nav > .open > a:focus {
     background-color: #090909;
-    color: #fff; }
+    color: #bac3ca; }
   @media (max-width: 767px) {
     .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {
       border-color: #090909; }
@@ -4015,11 +4015,11 @@ tbody.collapse.in {
     .navbar-inverse .navbar-nav .open .dropdown-menu > li > a {
       color: #777777; }
       .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {
-        color: #fff;
+        color: #bac3ca;
         background-color: transparent; }
 
  .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {
-      color: #fff;
+      color: #bac3ca;
       background-color: #090909; }
 
     .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {
@@ -4029,11 +4029,11 @@ tbody.collapse.in {
   .navbar-inverse .navbar-link {
     color: #777777; }
     .navbar-inverse .navbar-link:hover {
-      color: #fff; }
+      color: #bac3ca; }
   .navbar-inverse .btn-link {
     color: #777777; }
     .navbar-inverse .btn-link:hover, .navbar-inverse .btn-link:focus {
-      color: #fff; }
+      color: #bac3ca; }
 
     .navbar-inverse .btn-link[disabled]:hover, .navbar-inverse .btn-link[disabled]:focus, fieldset[disabled] .navbar-inverse .btn-link:hover, fieldset[disabled] .navbar-inverse .btn-link:focus {
       color: #3e3e3e; }
@@ -4067,7 +4067,7 @@ tbody.collapse.in {
       padding: 6px 12px;
       line-height: 1.428571429;
       text-decoration: none;
-      color: #FFFFFF;
+      color: #bac3ca;
       background-color: #273946;
       border: 1px solid #191919;
       margin-left: -1px;
@@ -4084,7 +4084,7 @@ tbody.collapse.in {
   .pagination > li > a:hover, .pagination > li > a:focus,
   .pagination > li > span:hover,
   .pagination > li > span:focus {
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #d77610; }
 
   .pagination > .active > a, .pagination > .active > a:hover, .pagination > .active > a:focus,
@@ -4092,7 +4092,7 @@ tbody.collapse.in {
   .pagination > .active > span:hover,
   .pagination > .active > span:focus {
     z-index: 2;
-    color: #FFFFFF;
+    color: #bac3ca;
     background-color: #d77610;
     cursor: default; }
 
@@ -4102,7 +4102,7 @@ tbody.collapse.in {
   .pagination > .disabled > a,
   .pagination > .disabled > a:hover,
   .pagination > .disabled > a:focus {
-    color: #FFF;
+    color: #bac3ca;
     background-color: #273946;
     cursor: not-allowed; }
 
@@ -4149,7 +4149,7 @@ tbody.collapse.in {
     .pager li > span {
       display: inline-block;
       padding: 5px 14px;
-      background-color: #fff;
+      background-color: #bac3ca;
       border: 1px solid #ddd;
       border-radius: 15px; }
     .pager li > a:hover,
@@ -4168,7 +4168,7 @@ tbody.collapse.in {
   .pager .disabled > a:focus,
   .pager .disabled > span {
     color: #777777;
-    background-color: #fff;
+    background-color: #bac3ca;
     cursor: not-allowed; }
 
 
@@ -4178,7 +4178,7 @@ tbody.collapse.in {
   font-size: 75%;
   font-weight: bold;
   line-height: 1;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   white-space: nowrap;
   vertical-align: baseline;
@@ -4190,7 +4190,7 @@ tbody.collapse.in {
     top: -1px; }
 
 a.label:hover, a.label:focus {
-  color: #fff;
+  color: #bac3ca;
   text-decoration: none;
   cursor: pointer; }
 
@@ -4244,7 +4244,7 @@ a.label:hover, a.label:focus {
   padding: 3px 7px;
   font-size: 12px;
   font-weight: bold;
-  color: #fff;
+  color: #bac3ca;
   line-height: 1;
   vertical-align: baseline;
   white-space: nowrap;
@@ -4261,12 +4261,12 @@ a.label:hover, a.label:focus {
     padding: 1px 5px; }
   a.list-group-item.active > .badge, .nav-pills > .active > a > .badge {
     color: #D77610;
-    background-color: #fff; }
+    background-color: #bac3ca; }
   .nav-pills > li > a > .badge {
     margin-left: 3px; }
 
 a.badge:hover, a.badge:focus {
-  color: #fff;
+  color: #bac3ca;
   text-decoration: none;
   cursor: pointer; }
 
@@ -4305,7 +4305,7 @@ a.badge:hover, a.badge:focus {
   padding: 4px;
   margin-bottom: 20px;
   line-height: 1.428571429;
-  background-color: #fff;
+  background-color: #bac3ca;
   border: 1px solid #ddd;
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
@@ -4367,7 +4367,7 @@ a.thumbnail.active {
 .alert-info {
   background-color: #25323a;
   border: 1px solid #191919;
-	color: #FFF;}
+	color: #bac3ca;}
   .alert-info hr {
     border-top-color: #DA4829; }
   .alert-info .alert-link {
@@ -4376,7 +4376,7 @@ a.thumbnail.active {
 .alert-warning {
   background-color:#1c2931;
   border: 1px solid #b92515;
-  color: #fff; }
+  color: #bac3ca; }
   .alert-warning hr {
     border-top-color: #f7e1b5; }
   .alert-warning .alert-link {
@@ -4402,7 +4402,7 @@ a.thumbnail.active {
     background-position: 0 0; } }
 .progress {
   margin-bottom: 3px;
-  color: #FFF;
+  color: #bac3ca;
   overflow: hidden;
   height: 20px;
   background-color: #162026;
@@ -4417,7 +4417,7 @@ a.thumbnail.active {
   height: 100%;
   font-size: 12px;
   line-height: 20px;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   background-color: #d77610;
   position: relative;
@@ -4468,7 +4468,7 @@ a.thumbnail.active {
 
 .progress-bar-warning {
   background-color: #CCB60F;
-  color: #FFFFFF !important; }
+  color: #bac3ca !important; }
   .progress-striped .progress-bar-warning {
     background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
     background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
@@ -4517,7 +4517,7 @@ a.thumbnail.active {
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #1c2931; }
+  background-color: #162026; }
   .list-group-item:last-child {
     margin-bottom: 0; }
   .list-group-item > .badge {
@@ -4526,7 +4526,7 @@ a.thumbnail.active {
     margin-right: 5px; }
 
 a.list-group-item {
-  color: #FFF;
+  color: #bac3ca;
   border-radius: 0;
   outline:0; }
 
@@ -4534,8 +4534,8 @@ a.list-group-item {
     color: #191919; }
   a.list-group-item:hover, a.list-group-item:focus {
     text-decoration: none;
-    color: #FFF;
-    background-color: #131C22; }
+    color: #bac3ca;
+    background-color: #0e181e; }
 
     a.list-group-item:hover:before, a.list-group-item:focus:before {
       background-color: #12222B;
@@ -4598,7 +4598,7 @@ a.list-group-item-success {
     color: #9BD275;
     background-color: #8dcc62; }
   a.list-group-item-success.active, a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
-    color: #fff;
+    color: #bac3ca;
     background-color: #9BD275;
     border-color: #9BD275; }
 
@@ -4614,7 +4614,7 @@ a.list-group-item-info {
     color: #31708f;
     background-color: #c4e3f3; }
   a.list-group-item-info.active, a.list-group-item-info.active:hover, a.list-group-item-info.active:focus {
-    color: #fff;
+    color: #bac3ca;
     background-color: #31708f;
     border-color: #31708f; }
 
@@ -4630,7 +4630,7 @@ a.list-group-item-warning {
     color: #f0ad4e;
     background-color: #faf2cc; }
   a.list-group-item-warning.active, a.list-group-item-warning.active:hover, a.list-group-item-warning.active:focus {
-    color: #fff;
+    color: #bac3ca;
     background-color: #f0ad4e;
     border-color: #f0ad4e; }
 
@@ -4646,7 +4646,7 @@ a.list-group-item-danger {
     color: #F05050;
     background-color: #ee3939; }
   a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-group-item-danger.active:focus {
-    color: #fff;
+    color: #bac3ca;
     background-color: #F05050;
     border-color: #F05050; }
 
@@ -4836,7 +4836,7 @@ a.list-group-item-danger {
 	-webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
     box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
   .panel-default > .panel-heading {
-	color: #fff;
+	color: #bac3ca;
 	border-color: #191919; }
     .panel-default > .panel-heading + .panel-collapse > .panel-body {
       border-top-color: #191919; }
@@ -4849,13 +4849,13 @@ a.list-group-item-danger {
 	-webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
     box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
   .panel-primary > .panel-heading {
-    color: #FFF;
+    color: #bac3ca;
     border-color: #191919; }
     .panel-primary > .panel-heading + .panel-collapse > .panel-body {
       border-top-color: #D77610; }
     .panel-primary > .panel-heading .badge {
       color: #D77610;
-      background-color: #fff; }
+      background-color: #bac3ca; }
   .panel-primary > .panel-footer + .panel-collapse > .panel-body {
     border-bottom-color: #D77610; }
 
@@ -4961,7 +4961,7 @@ a.list-group-item-danger {
   font-size: 21px;
   font-weight: bold;
   line-height: 1;
-  color: #FFFFFF;
+  color: #bac3ca;
   text-shadow: 0 1px 0 #000;
   opacity: 1;
   filter: alpha(opacity=100); }
@@ -5047,7 +5047,7 @@ button.close {
   border-bottom: 1px solid #191919;
   min-height: 16.42857px;
   background-color: #d77610;
-  color: #FFF; }
+  color: #bac3ca; }
 
 .modal-header .close {
   margin-top: -2px; }
@@ -5059,16 +5059,16 @@ button.close {
 .modal-body {
   position: relative;
   padding: 5px;
-  background-color: #131c22;}
+  background-color: #0e181e;}
 .modal-body .table-hover > tbody > tr:hover > td,
 .modal-body .table-hover > tbody > tr:hover > th {
   background-color: #263640;
-  color: #FFF; }
+  color: #bac3ca; }
 
 .modal-footer {
   padding: 5px;
   text-align: right;
-  background-color: #131c22;
+  background-color: #0e181e;
   border-top: 1px solid inherit; }
   .modal-footer:before, .modal-footer:after {
     content: " ";
@@ -5132,7 +5132,7 @@ button.close {
 .tooltip-inner {
   max-width: 200px;
   padding: 3px 8px;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   text-decoration: none;
   background-color: #000;
@@ -5199,7 +5199,7 @@ button.close {
   max-width: 276px;
   padding: 1px;
   text-align: left;
-  background-color: #fff;
+  background-color: #bac3ca;
   background-clip: padding-box;
   border: 1px solid #ccc;
   border: 1px solid rgba(0, 0, 0, 0.30);
@@ -5259,7 +5259,7 @@ button.close {
     bottom: 1px;
     margin-left: -10px;
     border-bottom-width: 0;
-    border-top-color: #fff; }
+    border-top-color: #bac3ca; }
 .popover.right > .arrow {
   top: 50%;
   left: -11px;
@@ -5272,7 +5272,7 @@ button.close {
     left: 1px;
     bottom: -10px;
     border-left-width: 0;
-    border-right-color: #fff; }
+    border-right-color: #bac3ca; }
 .popover.bottom > .arrow {
   left: 50%;
   margin-left: -11px;
@@ -5285,7 +5285,7 @@ button.close {
     top: 1px;
     margin-left: -10px;
     border-top-width: 0;
-    border-bottom-color: #fff; }
+    border-bottom-color: #bac3ca; }
 .popover.left > .arrow {
   top: 50%;
   right: -11px;
@@ -5297,7 +5297,7 @@ button.close {
     content: " ";
     right: 1px;
     border-right-width: 0;
-    border-left-color: #fff;
+    border-left-color: #bac3ca;
     bottom: -10px; }
 
 .carousel {
@@ -5352,7 +5352,7 @@ button.close {
   opacity: 0.5;
   filter: alpha(opacity=50);
   font-size: 20px;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
   .carousel-control.left {
@@ -5371,7 +5371,7 @@ button.close {
     filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1); }
   .carousel-control:hover, .carousel-control:focus {
     outline: 0;
-    color: #fff;
+    color: #bac3ca;
     text-decoration: none;
     opacity: 0.9;
     filter: alpha(opacity=90); }
@@ -5418,7 +5418,7 @@ button.close {
     height: 10px;
     margin: 1px;
     text-indent: -999px;
-    border: 1px solid #fff;
+    border: 1px solid #bac3ca;
     border-radius: 10px;
     cursor: pointer;
     background-color: #000 \9;
@@ -5427,7 +5427,7 @@ button.close {
     margin: 0;
     width: 12px;
     height: 12px;
-    background-color: #fff; }
+    background-color: #bac3ca; }
 
 .carousel-caption {
   position: absolute;
@@ -5437,7 +5437,7 @@ button.close {
   z-index: 10;
   padding-top: 20px;
   padding-bottom: 20px;
-  color: #fff;
+  color: #bac3ca;
   text-align: center;
   text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
   .carousel-caption .btn {
@@ -5490,7 +5490,7 @@ button.close {
 
 .show {
   display: block !important;
-  color: #22C400; }
+  color: #bac3ca; }
 
 .invisible {
   visibility: hidden; }
@@ -5691,8 +5691,8 @@ html, body {
   height: 100%;
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
-  scrollbar-color: #1c2931 #131c22;
-  background-color: #131c22;
+  scrollbar-color: #1c2931 #0e181e;
+  background-color: #0e181e;
 }
 
 body {
@@ -5723,8 +5723,8 @@ body {
   .page-content > .row {
     height: 100%; }
 .page-content-head .container-fluid {
-  color:#FFF;
-  background-color: #1a262d;
+  color:#bac3ca;
+  background-color: #172229;
   margin-left: 20px;
   margin-right: 20px;
   border-top: 1px solid #191919;
@@ -5733,11 +5733,12 @@ body {
   height:auto;
   padding: 7px 14px 5px 14px;
   -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
-  box-shadow: 0 3px 4px rgb(23, 23, 23); }
+  box-shadow: 0 3px 4px rgb(23, 23, 23);
+  border-radius: 0.5em 0.5em 0.5em 0.5em; }
 
 .page-content-head, .content-box-head {
   padding-bottom: 2px;
-  padding-top: 8px;
+  padding-top: 10px;
   color:#000;}
   .page-content-head .navbar-nav, .content-box-head .navbar-nav {
     width: 100%; }
@@ -5747,7 +5748,7 @@ body {
 
 .page-content-main {
   min-height: calc(100% - 64px);
-  padding: 10px 0px 21px 0px; }
+  padding: 7px 0px 21px 0px; }
 
 .page-side {
   background: #172229;
@@ -5774,14 +5775,14 @@ body {
   position: fixed;
   height: 20px;
   background-color: #172229;
-  color:#FFF;
+  color:#bac3ca;
   border-top: 1px solid #191919;
 }
 
 .content-box {
   padding: 0px 0px;
   margin: 0px 0px;
-  background-color: none;
+  background-color: #162026 !important;
   border: 1px solid #111;
   -webkit-box-shadow: 0px 3px 3px rgba(17, 17, 17, 0.8);
   box-shadow: 0px 3px 3px rgba(17, 17, 17, 0.8); }
@@ -5826,13 +5827,13 @@ body {
     padding-top: 0 !important; } }
 
 .page-login {
-  background: #131c22; }
+  background: #121c22; }
   .page-login .container {
     min-height: 100%;
     margin-bottom: -60px; }
     .page-login .container:after {
       height: 60px; }
-.page-login .login-foot {color:#FFF;}
+.page-login .login-foot {color:#bac3ca;}
 
 .login-foot {
   font-size: 12px; }
@@ -5957,14 +5958,14 @@ main.page-content.col-lg-12 {
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item[aria-expanded="true"],
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item.menu-level-3-item.active {
   color: #d77610 !important;
-  background-color: #131C22 !important;
+  background-color: #0e181e !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
   padding-left: 10px !important;
   font-size: 14px !important;
-  background-color: #1c2931 !important;
+  background-color: #162026 !important;
   opacity: 0.98;
 }
 
@@ -5982,7 +5983,7 @@ main.page-content.col-lg-12 {
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus {
   text-decoration: none !important;
   color: #D77610 !important;
-  background-color: #131C22 !important;
+  background-color: #0e181e !important;
 }
 
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.active-menu-title,
@@ -5991,7 +5992,7 @@ main.page-content.col-lg-12 {
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:focus,
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.active-menu.collapse.in >a.list-group-item.active {
   color: #D77610 !important;
-  background-color: #131C22 !important;
+  background-color: #0e181e !important;
 }
 
 /* Sub Level One */
@@ -6030,7 +6031,7 @@ main.page-content.col-lg-12 {
   color: #D77610 !important; }
 
 button.toggle-sidebar {
-  color:#FFF;
+  color:#bac3ca;
   background-color:transparent;
   font-size:14px;
   border:none;
@@ -6081,7 +6082,7 @@ button.toggle-sidebar {
  outline:0; }
 
 .nav-tabs > li.active > a {
-  background: #202f3a !important;
+  background: #162026 !important;
   outline:0; }
 
 .nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
@@ -6103,7 +6104,7 @@ button.toggle-sidebar {
     border-radius: 0px;
     background: #818180; }
     .nav-tabs.nav-justified > li > a {
-      color: #FFFFFF;
+      color: #bac3ca;
       font-family: 'SourceSansProSemibold'; }
       @media (min-width: 768px) {
         .nav-tabs.nav-justified > li > a {
@@ -6190,18 +6191,18 @@ button.toggle-sidebar {
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #131C22; }
+  background-color: #0e181e; }
   .active-menu-title:before, .active-menu a:before {
     width: 3px; }
   .active-menu-title.active, .active-menu a.active {
-	background-color: #131C22;
+	background-color: #0e181e;
   color: #d77610; }
 
 .active-menu a:before {
   background: #D77610; }
 
 .alert.alert-danger {
-  color: #FFF !important; }
+  color: #bac3ca !important; }
 
 .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
   border-radius: 0 !important; }
@@ -6256,7 +6257,7 @@ select {
   overflow: hidden;
   border: 1px solid #191919;
   background-color: #21303a;
-  color: #FFF;
+  color: #bac3ca;
   -webkit-appearance: none;
   -moz-appearance: none;
   appearance: none;
@@ -6269,7 +6270,7 @@ select:hover, select:active, select:focus {
   overflow: hidden;
   border: 1px solid #191919;
   background-color: #21303a;
-  color: #FFF;
+  color: #bac3ca;
   -webkit-appearance: none;
   -moz-appearance: none;
   appearance: none;
@@ -6338,7 +6339,7 @@ label > input[type="radio"] {
 
 #ipsec .ipsec-tab {
 	background-color: #202f3a !important;
-	color: #FFF !important;
+	color: #bac3ca !important;
   opacity: 0.5;
 }
 
@@ -6349,15 +6350,15 @@ label > input[type="radio"] {
 }
 .fw_pass {
   background-color: #203a23 !important;
-  color:#FFF;
+  color:#bac3ca;
 }
 .fw_block {
   background-color: #551e1e !important;
-  color:#FFF;
+  color:#bac3ca;
 }
 .fw_nat {
   background-color: #7B681D !important;
-  color:#FFF;
+  color:#bac3ca;
 }
   /*additional extensions for theme-vicuna*/
 
@@ -6370,7 +6371,7 @@ textarea#update_status, textarea#update_status:hover {
   -webkit-box-shadow:none !important;
   box-shadow:none !important;
   border:none !important;
-  background-color: #25323a;
+  background-color: #162026;
 }
 
 .fa-toggle-off::before {
@@ -6409,15 +6410,15 @@ textarea#update_status, textarea#update_status:hover {
 }
 
 div.container-fluid >.fa-search::before, div.container-fluid >.fa-refresh::before {
-  color: #FFFFFF !important; }
+  color: #bac3ca !important; }
 
 .panel-heading h3:hover, h3:focus {
-  color: #FFFFFF;
+  color: #bac3ca;
   text-decoration: none;
 }
 
 h3:link {
-  color:#FFFFFF;text-decoration: underline;
+  color:#bac3ca;text-decoration: underline;
 }
 
 h3:hover, h3:focus {
@@ -6438,13 +6439,17 @@ h3:hover, h3:focus {
 
 .btn-group.bootstrap-select.open, .btn-group.bootstrap-select:hover {
   border-color: #191919 !important;
-  color:#FFFFFF !important;
+  color:#bac3ca !important;
 }
 
 .glyphicon.glyphicon-play.text-muted, .glyphicon.glyphicon-remove.text-muted, .glyphicon.glyphicon-remove-sign.text-muted, .glyphicon.glyphicon-info-sign.text-muted,.fa.fa-exclamation.fa-fw.text-muted,.fa.fa-arrows-h.fa-fw.text-muted,.fa.fa-long-arrow-left,.fa.fa-long-arrow-left::before,.fa.fa-info-circle.text-muted,.fa.fa-times-circle.text-muted,.fa.fa-times-circle.text-muted::before,.fa.fa-times.text-muted,.fa.fa-times.text-muted::before,.fa.fa-play.text-muted::before {
   color: #d7af10 !important;
 }
 
+.fa.fa-info-circle {
+  color: #D77610;
+}
+
 #system_log-widgets.content-box {
   border:none; box-shadow: none;
 }
@@ -6462,7 +6467,7 @@ h3:hover, h3:focus {
 }
 
 .no-data {
-  color: #FFF !important;
+  color: #bac3ca !important;
   background-color: #1a262d !important;
 }
 
@@ -6497,12 +6502,12 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 
 .bootstrap-datetimepicker-widget table td.active, .bootstrap-datetimepicker-widget table td.active:hover {
     background-color: #d77610 !important;
-    color: #ffffff !important;
+    color: #bac3ca !important;
 }
 
 .bootstrap-datetimepicker-widget table td span:hover {
     background: #d77610 !important;
-    color: #ffffff !important;
+    color: #bac3ca !important;
 }
 
 .modal-side > .p-15 {
@@ -6513,7 +6518,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
   border-bottom: 1px solid #4a4a4a;
   min-height: 16.42857px;
   background-color: #243139;
-  color: #FFF;
+  color: #bac3ca;
 }
 
 .modal-side {
@@ -6521,7 +6526,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .panel-report-tools:hover {
-  color: #fff !important;
+  color: #bac3ca !important;
 }
 
 .alert-primary {
@@ -6530,11 +6535,11 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 label.btn.au-target {
-  color: #FFF !important;
+  color: #bac3ca !important;
 }
 
 .preloader-wrapper {
-  background-color:#131c22 !important;
+  background-color:#121c22 !important;
 }
 
 .border-bottom {
@@ -6558,7 +6563,7 @@ ul.jqtree-tree .jqtree-toggler:hover {
 }
 
 ul.jqtree-tree .jqtree-toggler {
-  color:#fff !important;
+  color:#bac3ca !important;
 }
 
 ul.jqtree-tree .jqtree-title {
@@ -6580,7 +6585,7 @@ ul.jqtree-tree .jqtree-title {
 
 .interface-table-tr td {
   background-color: #d77610 !important;
-  color: #FFF !important;
+  color: #bac3ca !important;
 }
 
 .table.border {
@@ -6601,7 +6606,7 @@ ul.jqtree-tree .jqtree-title {
 
 router-view .text-success.m-r-5 {
   font-weight: bold;
-  color: #fff;
+  color: #bac3ca;
 }
 
 router-view .text-danger.m-r-5 {
@@ -6618,5 +6623,5 @@ border: 1px solid #191919 !important;
 }
 
 #introduction a.btn-info {
-  color: #FFF !important;
+  color: #bac3ca !important;
 }

From 0e178ebb64a4179fea33bd0bc12b6a2b85798309 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Mon, 17 Jun 2024 18:46:23 +0200
Subject: [PATCH 1922/3088] www/caddy: Fix type error in configAction of
 DiagnosticsController.

---
 .../controllers/OPNsense/Caddy/Api/DiagnosticsController.php    | 2 --
 1 file changed, 2 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
index e2f6f5b220..d0cc2005b8 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
@@ -61,8 +61,6 @@ public function configAction()
         $this->response->setContentType('application/json', 'UTF-8');
         // Encode and set the content
         $this->response->setContent(json_encode($response, JSON_PRETTY_PRINT));
-
-        return $this->response;
     }
 
     /**

From 8da49ef85099c40a5707837b9c412a4b129a99f1 Mon Sep 17 00:00:00 2001
From: opnsenseuser <rene@team-rebellion.net>
Date: Tue, 18 Jun 2024 11:19:43 +0200
Subject: [PATCH 1923/3088] dashboard: allow widget locking

dashboard: allow widget locking
---
 .../www/themes/cicada/assets/stylesheets/dashboard.scss      | 5 +++++
 .../src/opnsense/www/themes/cicada/build/css/dashboard.css   | 5 +++++
 .../www/themes/vicuna/assets/stylesheets/dashboard.scss      | 5 +++++
 .../src/opnsense/www/themes/vicuna/build/css/dashboard.css   | 5 +++++
 4 files changed, 20 insertions(+)

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
index f50c891359..9e397c33c7 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
@@ -1,3 +1,8 @@
+.btn-pressed, .btn-pressed:hover {
+    background-color: #d94f00;
+    color: white;
+}
+
 .fa-spinner {
   font-size: 2em;
 }
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
index 26539606f2..21d9b6a0b5 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
@@ -1,3 +1,8 @@
+.btn-pressed, .btn-pressed:hover {
+    background-color: #d94f00;
+    color: white;
+}
+
 .fa-spinner {
     font-size: 2em;
 }
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
index d5e45c9bc2..5d2e795095 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
@@ -1,3 +1,8 @@
+.btn-pressed, .btn-pressed:hover {
+    background-color: #d94f00;
+    color: white;
+}
+
 .fa-spinner {
   font-size: 2em;
 }
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
index 1f305478db..a6869e2a73 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
@@ -1,3 +1,8 @@
+.btn-pressed, .btn-pressed:hover {
+    background-color: #d94f00;
+    color: white;
+}
+
 .fa-spinner {
     font-size: 2em;
 }

From 616951739f1f47d060ce866c5ccae1859175ca84 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Jun 2024 13:10:47 +0200
Subject: [PATCH 1924/3088] misc/theme-vicuna: version only, not revision

---
 misc/theme-vicuna/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index ff3fc9687f..c9898ab84f 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
 PLUGIN_VERSION=		1.46
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes

From be43869f31e0ce4ab65a3ece2d2ff812b90e7a4d Mon Sep 17 00:00:00 2001
From: Nathan Rennie-Waldock <nathan.renniewaldock@gmail.com>
Date: Wed, 19 Jun 2024 19:09:24 +0100
Subject: [PATCH 1925/3088] dns/bind: Fix handling of multiple ACLs in
 allow-query/allow-transfer

---
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 23839cf437..8c02915ed9 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -58,7 +58,7 @@ options {
 
 {% if helpers.exists('OPNsense.bind.general.allowtransfer') and OPNsense.bind.general.allowtransfer != '' %}
         allow-transfer {
-{%              for acl in helpers.toList('OPNsense.bind.general.allowtransfer') %}
+{%              for acl in OPNsense.bind.general.allowtransfer.split(',') %}
 {%              set transfer_acl = helpers.getUUID(acl) %}
                 {{ transfer_acl.name }};
 {%              endfor %}
@@ -67,7 +67,7 @@ options {
 
 {% if helpers.exists('OPNsense.bind.general.allowquery') and OPNsense.bind.general.allowquery != '' %}
         allow-query {
-{%              for acl in helpers.toList('OPNsense.bind.general.allowquery') %}
+{%              for acl in OPNsense.bind.general.allowquery.split(',') %}
 {%              set query_acl = helpers.getUUID(acl) %}
                 {{ query_acl.name }};
 {%              endfor %}

From 0faec69e0ea62a0d4b67eb37ebe0a59461bec06a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Jun 2024 08:46:55 +0200
Subject: [PATCH 1926/3088] dns/bind: bump

---
 dns/bind/Makefile  | 1 +
 dns/bind/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index abb2e5fa59..5b8cb64262 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.31
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 98b8af40f5..155d0a82fd 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 
 * Do not add the update-policy if the zone type is secondary (contributed by Brendan Bank)
 * Adjust severity log levels (contributed by kulikov-a)
+* Fix handling of multiple ACLs in allow-query/allow-transfer (contributed by Nathan Rennie-Waldock)
 
 1.30
 

From 58d06c7cc42dbb701a799507e8b6b875c70c42de Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Jun 2024 09:18:55 +0200
Subject: [PATCH 1927/3088] plugins: style sweep

---
 .../src/opnsense/www/themes/cicada/build/css/main.css    | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index 031ea2e7de..a932ab707b 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -5750,7 +5750,7 @@ body {
   height: auto;
   padding: 7px 14px 5px 14px;
   -webkit-box-shadow: 0 3px 4px rgb(23, 23, 23);
-  box-shadow: 0 3px 4px rgb(23, 23, 23); 
+  box-shadow: 0 3px 4px rgb(23, 23, 23);
   border-radius: 0.5em 0.5em 0.5em 0.5em; }
 .page-content-head, .content-box-head {
   padding-bottom: 2px;
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 4672338273..85254166fb 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -108,7 +108,8 @@ private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
     }
 
     // 3. Get the current OPNsense WebGUI ports and check for conflicts with Caddy
-    private function getWebGuiPorts() {
+    private function getWebGuiPorts()
+    {
         $webgui = Config::getInstance()->object()->system->webgui ?? null;
         $webGuiPorts = [];
 
@@ -126,7 +127,8 @@ private function getWebGuiPorts() {
         return $webGuiPorts;
     }
 
-    private function checkWebGuiSettings($messages) {
+    private function checkWebGuiSettings($messages)
+    {
         $overlap = array_intersect($this->getWebGuiPorts(), ['80', '443']);
         $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
 
@@ -140,7 +142,8 @@ private function checkWebGuiSettings($messages) {
     }
 
     // 4. Check for ACME Email being required when Auto HTTPS on
-    private function checkAcmeEmailAutoHttps($messages) {
+    private function checkAcmeEmailAutoHttps($messages)
+    {
         $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
         $tlsEmail = (string)$this->general->TlsEmail;
 

From 486260e069dba31a96f2d2ab33d7aa9b8f7a4628 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 21 Jun 2024 13:51:42 +0200
Subject: [PATCH 1928/3088] net-mgmt/zabbix-* 7 variant (#4053)

---
 net-mgmt/zabbix-agent/Makefile  | 8 +++++---
 net-mgmt/zabbix-agent/pkg-descr | 4 ++++
 net-mgmt/zabbix-proxy/Makefile  | 8 +++++---
 net-mgmt/zabbix-proxy/pkg-descr | 4 ++++
 4 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 28005b0c59..e778bc29a8 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,9 +1,11 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.14
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix6 zabbix64 zabbix5
+PLUGIN_VARIANTS=	zabbix7 zabbix6 zabbix64 zabbix5
+
+zabbix7_NAME=		zabbix7-agent
+zabbix7_DEPENDS=	zabbix7-agent
 
 zabbix64_NAME=		zabbix64-agent
 zabbix64_DEPENDS=	zabbix64-agent
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index b248584e06..d8097f7c1e 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.14
+
+* Plugin variant for Zabbix Agent 7
+
 1.13
 
 Added:
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 4d3916f3cc..748d8a5f2e 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,9 +1,11 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.10
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.11
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix6 zabbix64 zabbix5
+PLUGIN_VARIANTS=	zabbix7 zabbix6 zabbix64 zabbix5
+
+zabbix7_NAME=		zabbix7-proxy
+zabbix7_DEPENDS=	zabbix7-proxy
 
 zabbix64_NAME=		zabbix64-proxy
 zabbix64_DEPENDS=	zabbix64-proxy
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 391046febb..1aab6b36ad 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.11
+
+* Add plugin variant for Zabbix Proxy 7
+
 1.10
 
 * Add logging options (contributed by Malte Rabenseifner)

From 78a784c5d9217f021c33aac30c5afeab52e7f796 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 24 Jun 2024 17:46:24 +0200
Subject: [PATCH 1929/3088] security/etpro-telemetry - fix python 3.11
 compatibility issues

---
 security/etpro-telemetry/Makefile                               | 2 +-
 .../src/opnsense/scripts/etpro_telemetry/telemetry/log.py       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 2c8601a2c8..b7a7a3c430 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html
diff --git a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/telemetry/log.py b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/telemetry/log.py
index 2afb91cf68..50a88c73cf 100755
--- a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/telemetry/log.py
+++ b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/telemetry/log.py
@@ -36,7 +36,7 @@ def reverse_log_reader(filename):
     :return: generator
     """
     block_size = 81920
-    input_stream = open(filename, 'rU')
+    input_stream = open(filename, 'r')
     input_stream.seek(0, os.SEEK_END)
     file_byte_start = input_stream.tell()
 

From f1d543465743dc33e43843ee342fe3e760f736dd Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 27 Jun 2024 15:18:21 +0200
Subject: [PATCH 1930/3088] www/caddy: Fix IPv6 address + Port combination in
 Caddyfile template (#4054)

* Fix IPv6 in handlers. IPv6 will be detected and put into square brackets. Additionally removed that IP addresses are valid in the frontend domain, since that would break some template sections like dyndns and certificate generation, so it is unsupported in the scope of the GUI.

* www/caddy: Remove IP address in domains from help text too.

* www/caddy: Explicitely set IpAllowed to N since the default is Y.
---
 .../controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml    | 4 ++--
 .../src/opnsense/service/templates/OPNsense/Caddy/Caddyfile | 6 ++++--
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index ba4670d526..9b43eb0760 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -10,7 +10,7 @@
         <label>Domain</label>
         <type>text</type>
         <hint>example.com</hint>
-        <help><![CDATA[Enter a domain name or IP address. For a base domain, use "example.com" or "opn.example.com". Using a base domain enables automatic "Let's Encrypt" and "ZeroSSL" certificates by default. For a wildcard domain, use "*.example.com". Only use wildcard domains with wildcard certificates, which require a DNS Provider.]]></help>
+        <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". Using a base domain enables automatic "Let's Encrypt" and "ZeroSSL" certificates by default. For a wildcard domain, use "*.example.com". Only use wildcard domains with wildcard certificates, which require a DNS Provider.]]></help>
     </field>
     <field>
         <id>reverse.FromPort</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index eab9054cd3..a8bc042c85 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -135,8 +135,8 @@
                 </enabled>
                 <FromDomain type="HostnameField">
                     <Required>Y</Required>
-                    <ValidationMessage>Please enter a valid 'from' domain or IP address.</ValidationMessage>
-                    <IpAllowed>Y</IpAllowed>
+                    <ValidationMessage>Please enter a valid 'from' domain.</ValidationMessage>
+                    <IpAllowed>N</IpAllowed>
                     <HostWildcardAllowed>Y</HostWildcardAllowed>
                     <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
                     <ZoneRootAllowed>N</ZoneRootAllowed>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index e9a5496aaa..6709849811 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -350,9 +350,11 @@
         rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
         reverse_proxy {% for domain in handle.ToDomain.split(',') %}
+            {# Check if the domain is IPv6 and wrap in square brackets if necessary #}
+            {% set is_ipv6 = (':' in domain and domain.count(':') >= 2) %}
             {# For each domain/IP, append the port if it's specified, followed by a space #}
-            {{- domain -}}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %}{% if not loop.last %} {% endif %}
-        {% endfor %}{
+            {{- '[' if is_ipv6 else '' -}}{{ domain }}{{ ']' if is_ipv6 else '' -}}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %}{% if not loop.last %} {% endif %}
+        {% endfor %} {
             {{ header_manipulation(handle) }}
             {% if handle.PassiveHealthFailDuration|default("") %}
             fail_duration {{ handle.PassiveHealthFailDuration }}s

From 978e4a982d851ad1138bbd4cabf27c76cda08321 Mon Sep 17 00:00:00 2001
From: Electronic Viking <41167431+ElectronicViking@users.noreply.github.com>
Date: Sun, 30 Jun 2024 11:39:45 -0600
Subject: [PATCH 1931/3088] Added Gandi support to ddclient native backend.
 (#4066)

* Added Gandi support to ddclient native backend.

* bump date to 2024, cosmetic simplification to logic

* allow to be sorted alphabetically

---------

Co-authored-by: Jonathan Grande <jonathan@grande.live>
---
 .../scripts/ddclient/lib/account/gandi.py     | 81 +++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py
new file mode 100644
index 0000000000..369dd41574
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py
@@ -0,0 +1,81 @@
+"""
+    Copyright (c) 2024 Thomas Cekal <thomas@cekal.org>
+    Copyright (c) 2024 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import json
+import syslog
+import requests
+from . import BaseAccount
+
+
+class Gandi(BaseAccount):
+    _services = {
+        'gandi': 'api.gandi.net'
+    }
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return  Gandi._services.keys()
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in Gandi._services
+
+    def execute(self):
+        if super().execute():
+            # IPv4/IPv6
+            recordType = "AAAA" if str(self.current_address).find(':') > 1 else "A"
+
+            # Use bearer (api key) authentication
+            url = "https://api.gandi.net/v5/livedns/domains/" + self.settings.get('zone') + "/records/" + self.settings.get('hostnames') + "/" + recordType
+            payload = "{\"rrset_values\":[\"" + self.current_address + "\"],\"rrset_ttl\":300}"
+            headers = {
+                'authorization': "Bearer " + self.settings.get('password'),
+                'content-type': "application/json",
+                'User-Agent': 'OPNsense-dyndns'
+            }
+            # Send IP address update
+            req = requests.request("PUT", url, data=payload, headers=headers)
+            if 200 <= req.status_code < 300:
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s set new ip %s [%s]" % (self.description, self.current_address, req.text.strip())
+                    )
+
+                self.update_state(address=self.current_address, status=req.text.split()[0] if req.text else '')
+                return True
+            else:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s failed to set new ip %s [%d - %s]" % (
+                        self.description, self.current_address, req.status_code, req.text.replace('\n', '')
+                    )
+                )
+
+        return False
\ No newline at end of file

From 248c7e7fbf4b710af8c897e4988bc850379d2d50 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 30 Jun 2024 20:01:38 +0200
Subject: [PATCH 1932/3088] dns/ddclient  - add (optional) descriptive name for
 account selection to native backend, closes
 https://github.com/opnsense/plugins/issues/3553

---
 dns/ddclient/Makefile                                  |  4 ++--
 dns/ddclient/pkg-descr                                 |  5 +++++
 .../models/OPNsense/DynDNS/FieldTypes/ServiceField.php |  5 ++---
 .../opnsense/scripts/ddclient/lib/account/__init__.py  |  2 +-
 .../src/opnsense/scripts/ddclient/lib/account/azure.py |  2 +-
 .../scripts/ddclient/lib/account/cloudflare.py         | 10 ++--------
 .../src/opnsense/scripts/ddclient/lib/poller.py        |  9 +++++++--
 7 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index fcf1873f72..21c94f61a2 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.21
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.22
+#PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index a54d3b5708..8f61187af5 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.22
+
+* Add gandi support
+* Optionally support descriptive values for account selection when using native backend
+
 1.21
 
 * Add Netcup support (contributed by Ingo Lafrenz)
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
index 891423c1b6..46798b5fa1 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/ServiceField.php
@@ -42,9 +42,8 @@ protected function actionPostLoadingEvent()
             if ((string)$this->getParentModel()->general->backend == 'opnsense') {
                 $supported = json_decode((new Backend())->configdRun("ddclient opnbackend supported"), true);
                 if (!empty($supported)) {
-                    foreach ($supported as $srv) {
-                        self::$internalCacheOptionList[$srv] = $srv;
-                    }
+                    self::$internalCacheOptionList = $supported;
+                    asort(self::$internalCacheOptionList, SORT_NATURAL | SORT_FLAG_CASE);
                 }
             }
         }
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
index a5cb502ea0..4c3716b95e 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
@@ -61,7 +61,7 @@ def update_state(self, address, status='good'):
 
     @staticmethod
     def known_services():
-        return []
+        return {}
 
     @property
     def id(self):
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
index 64a635ab0c..e368b0f613 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/azure.py
@@ -82,7 +82,7 @@ def __init__(self, account: dict):
 
     @staticmethod
     def known_services():
-        return  Azure._services
+        return  {'azure': 'Microsoft Azure'}
 
     @staticmethod
     def match(account):
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
index f5bd716bae..6620e2431c 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
@@ -42,7 +42,7 @@ def __init__(self, account: dict):
 
     @staticmethod
     def known_services():
-        return  Cloudflare._services.keys()
+        return  {'cloudflare': 'Cloudflare'}
 
     @staticmethod
     def match(account):
@@ -51,13 +51,7 @@ def match(account):
     def execute(self):
         if super().execute():
             # IPv4/IPv6
-            recordType = None
-            if str(self.current_address).find(':') > 1:
-                #IPv6
-                recordType = "AAAA"
-            else:
-                #IPv4
-                recordType = "A"
+            recordType = "AAAA" if str(self.current_address).find(':') > 1 else "A"
 
             # get ZoneID
             url = "https://%s/client/v4/zones" % self._services[self.settings.get('service')]
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
index d338ce569f..bb1d4900b1 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/poller.py
@@ -63,9 +63,14 @@ def get(self, account: dict):
                 return handler(account)
 
     def known_services(self):
-        all_services = []
+        all_services = {}
         for handler in self._account_classes:
-            all_services += handler.known_services()
+            data = handler.known_services()
+            if type(data) is dict:
+                all_services.update(data)
+            else:
+                for item in data:
+                    all_services[item] = item
         return all_services
 
 

From 2705ed92931e79732a947a293edcf147888d20a6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 1 Jul 2024 15:27:56 +0200
Subject: [PATCH 1933/3088] security/etpro-telemetry - prepare for 24.7 and
 replace dashboard widget with minimalistic new version.

---
 security/etpro-telemetry/Makefile             |  4 +-
 .../opnsense/www/js/widgets/ETProTelemetry.js | 72 ++++++++++++++
 .../js/widgets/Metadata/etpro-telemetry.xml   | 15 +++
 .../src/www/widgets/include/proofpoint_et.inc |  2 -
 .../widgets/widgets/proofpoint_et.widget.php  | 96 -------------------
 5 files changed, 89 insertions(+), 100 deletions(-)
 create mode 100644 security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
 create mode 100644 security/etpro-telemetry/src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml
 delete mode 100644 security/etpro-telemetry/src/www/widgets/include/proofpoint_et.inc
 delete mode 100644 security/etpro-telemetry/src/www/widgets/widgets/proofpoint_et.widget.php

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index b7a7a3c430..e135a3f1dc 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
-PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.7
+#PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html
diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
new file mode 100644
index 0000000000..a9b8a49f6f
--- /dev/null
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2024 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import BaseTableWidget from "./BaseTableWidget.js";
+
+export default class ETProTelemetry extends BaseTableWidget {
+    constructor() {
+        super();
+        this.tickTimeout = 3600000;
+    }
+
+    getMarkup() {
+        let $container = $('<div></div>');
+        let $ETProTelemetrytable = this.createTable('ETProTelemetry-table', {
+            headerPosition: 'left',
+        });
+        $container.append($ETProTelemetrytable);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        await ajaxGet('/api/diagnostics/proofpoint_et/status', {}, (data, status) => {
+            if (data['sensor_status'] == 'active') {
+                $('#etpro_sensor_status').text(data['sensor_status']);
+                $('#etpro_event_received').text(data['event_received']);
+                $('#etpro_last_rule_download').text(data['last_rule_download']);
+                $('#etpro_last_heartbeat').text(data['last_heartbeat']);
+            } else {
+                $('#etpro_sensor_status').text('-');
+                $('#etpro_event_received').text('-');
+                $('#etpro_last_rule_download').text('-');
+                $('#etpro_last_heartbeat').text('-');
+            }
+        });
+    }
+
+    async onMarkupRendered() {
+        await ajaxGet('/api/core/system/systemInformation', {}, (data, status) => {
+            let rows = [];
+            rows.push([['<img src="/ui/img/proofpoint.svg" style="height:30px;" class="image_invertible">'], '']);
+            rows.push([[this.translations['sensor_status']], $('<span id="etpro_sensor_status">').prop('outerHTML')]);
+            rows.push([[this.translations['event_received']], $('<span id="etpro_event_received">').prop('outerHTML')]);
+            rows.push([[this.translations['last_rule_download']], $('<span id="etpro_last_rule_download">').prop('outerHTML')]);
+            rows.push([[this.translations['last_heartbeat']], $('<span id="etpro_last_heartbeat">').prop('outerHTML')]);
+
+            super.updateTable('ETProTelemetry-table', rows);
+        });
+    }
+}
\ No newline at end of file
diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml b/security/etpro-telemetry/src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml
new file mode 100644
index 0000000000..7dabaa037e
--- /dev/null
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml
@@ -0,0 +1,15 @@
+<metadata>
+    <etpro_telemetry>
+        <filename>ETProTelemetry.js</filename>
+        <endpoints>
+            <endpoint>/api/diagnostics/proofpoint_et/status</endpoint>
+        </endpoints>
+        <translations>
+            <title>Telemetry status</title>
+            <sensor_status>Status</sensor_status>
+            <event_received>Last event</event_received>
+            <last_rule_download>Last rule download</last_rule_download>
+            <last_heartbeat>Last heartbeat</last_heartbeat>
+        </translations>
+    </etpro_telemetry>
+</metadata>
\ No newline at end of file
diff --git a/security/etpro-telemetry/src/www/widgets/include/proofpoint_et.inc b/security/etpro-telemetry/src/www/widgets/include/proofpoint_et.inc
deleted file mode 100644
index abf77c3bc4..0000000000
--- a/security/etpro-telemetry/src/www/widgets/include/proofpoint_et.inc
+++ /dev/null
@@ -1,2 +0,0 @@
-<?php
-$proofpoint_et_title = gettext('Telemetry status');
diff --git a/security/etpro-telemetry/src/www/widgets/widgets/proofpoint_et.widget.php b/security/etpro-telemetry/src/www/widgets/widgets/proofpoint_et.widget.php
deleted file mode 100644
index a7844286ce..0000000000
--- a/security/etpro-telemetry/src/www/widgets/widgets/proofpoint_et.widget.php
+++ /dev/null
@@ -1,96 +0,0 @@
-<?php
-/*
-    Copyright (C) 2018-2019 Deciso B.V.
-    All rights reserved.
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-?>
-
-<style>
-  .proofpoint_logo {
-      height: 30px;
-      vertical-align: middle;
-  }
-  .proofpoint_status_div {
-      padding: 2px;
-      border: 2px solid black;
-      white-space: nowrap;
-      display: inline;
-  }
-</style>
-<script src="/ui/js/moment-with-locales.min.js"></script>
-<script>
-    $(window).on("load", function() {
-        ajaxGet("/api/diagnostics/proofpoint_et/status", {}, function(data){
-            $("#proofpoint_status").removeClass("fa-spin");
-            $("#proofpoint_status").removeClass("fa-spinner");
-            if (data.status == 'ok' && data.sensor_status == 'ACTIVE') {
-                $("#proofpoint_status").addClass("fa-check");
-            } else {
-                $("#proofpoint_status").addClass("fa-close");
-            }
-
-            if (data.status == 'ok') {
-                var props = {
-                    sensor_status: "<?=html_safe(gettext('Status'));?>",
-                    event_received: "<?=html_safe(gettext('Last event'));?>",
-                    last_rule_download: "<?=html_safe(gettext('Last rule download'));?>",
-                    last_heartbeat: "<?=html_safe(gettext('Last heartbeat'));?>"
-                };
-
-                $("#proofpoint_status_table > tbody").empty();
-                for (var idx in props) {
-                    if (idx === 'sensor_status') {
-                        var content = data[idx];
-                    } else {
-                        var content = moment(data[idx]).format('ddd MMM D HH:mm:ss ZZ YYYY')
-                    }
-                    $("#proofpoint_status_table > tbody").append(
-                      $("<tr/>")
-                        .append($("<td style='width:30%'/>").text(props[idx]))
-                        .append($("<td/>").text(content))
-                    );
-                }
-            }
-        });
-    });
-</script>
-
-<table class="table table-striped table-condensed" id="proofpoint_status_table">
-  <thead>
-      <tr>
-          <th colspan="2">
-            <img src="/ui/img/proofpoint.svg" class="proofpoint_logo image_invertible">
-            <div class="proofpoint_status_div pull-right">
-              <i class="fa fa-spinner fa-2x fa-spin" style="vertical-align: middle;" id="proofpoint_status"></i>
-            </div>
-          </th>
-      </tr>
-  </thead>
-  <tbody>
-  </tbody>
-  <tfoot>
-      <tr>
-          <td colspan="2">
-            <?=gettext("For more information, please visit");?>
-            <a target="_blank" rel="noopener noreferrer" href="https://docs.opnsense.org/manual/etpro_telemetry.html">docs.opnsense.org</a>
-          </td>
-      </tr>
-  </tfoot>
-</table>

From 7d1f448c2139a9c604a0797a7e5e34589f10e805 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 3 Jul 2024 14:05:30 +0200
Subject: [PATCH 1934/3088] www/caddy: Add forward_auth functionality, auth
 provider Authelia added. (#4063)

* Add forward_auth functionality, Provider Authelia added.

* www/caddy: Change position of forward auth in dialogHandle, add ForwardAuth to bootgrid.

* www/caddy: Add IPv6 detection logic to the Forward Auth Domain.

* Disallow wildcards in hostnames.

* Disallow wildcards in hostnames. Fixed spot where it applies.

* Remove keys that are already defaults.

* Allowing WellKnown is wrong in this context.
---
 .../OPNsense/Caddy/GeneralController.php      |  1 +
 .../OPNsense/Caddy/forms/authprovider.xml     | 32 +++++++++++++++++++
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 11 +++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 14 ++++++++
 .../mvc/app/views/OPNsense/Caddy/general.volt |  5 +++
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  1 +
 .../templates/OPNsense/Caddy/Caddyfile        |  3 ++
 .../OPNsense/Caddy/includeAuthProvider        | 13 ++++++++
 8 files changed, 80 insertions(+)
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
 create mode 100644 www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
index 6d64473de8..7cc6639f6f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
@@ -42,6 +42,7 @@ public function indexAction()
         $this->view->generalForm = $this->getForm("general");
         $this->view->dnsproviderForm = $this->getForm("dnsprovider");
         $this->view->dynamicdnsForm = $this->getForm("dynamicdns");
+        $this->view->authproviderForm = $this->getForm("authprovider");
         $this->view->logsettingsForm = $this->getForm("logsettings");
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
new file mode 100644
index 0000000000..1790ceda47
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
@@ -0,0 +1,32 @@
+<form>
+    <field>
+        <id>caddy.general.AuthProvider</id>
+        <label>Forward Auth Provider</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select a Forward Auth Provider. It can be added inside a "Handler" by enabling the "Forward Auth" checkbox. For Authelia only the basic subdomain example is supported. More information: https://www.authelia.com/integration/proxies/caddy/#basic-examples]]></help>
+    </field>
+    <field>
+        <id>caddy.general.AuthToDomain</id>
+        <label>Forward Auth Domain</label>
+        <type>text</type>
+        <help><![CDATA[Enter the domain name or IP address of the chosen Forward Auth Provider.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.AuthToPort</id>
+        <label>Forward Auth Port</label>
+        <type>text</type>
+        <help><![CDATA[Enter the listen port of the chosen Forward Auth Provider.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.AuthToTls</id>
+        <label>TLS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the Forward Auth Provider.]]></help>
+    </field>
+    <field>
+        <id>caddy.general.AuthToUri</id>
+        <label>Forward Auth URI</label>
+        <type>text</type>
+        <help><![CDATA[Enter the URI of the authz api endpoint.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index c554d2eb82..a0dd633c95 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -36,6 +36,17 @@
         <type>text</type>
         <help><![CDATA[Enter a description for this handler.]]></help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Access</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>handle.ForwardAuth</id>
+        <label>Forward Auth</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable or disable Forward Auth. Requires an "Auth Provider" in "General Settings". Headers are set automatically to the standard of the chosen provider. Enabling this option will additionally generate the forward_auth directive in front of the reverse_proxy directive inside the scope of this handler.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Header</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index a8bc042c85..93960a2ecc 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -126,6 +126,19 @@
                 <ValidationMessage>Please enter a valid number from 0 to 2147483647 seconds or leave empty for default.</ValidationMessage>
             </DynDnsTtl>
             <DynDnsUpdateOnly type="BooleanField"/>
+            <AuthProvider type="OptionField">
+                <BlankDesc>None (default)</BlankDesc>
+                <OptionValues>
+                    <authelia>Authelia</authelia>
+                </OptionValues>
+            </AuthProvider>
+            <AuthToDomain type="HostnameField"/>
+            <AuthToPort type="PortField"/>
+            <AuthToTls type="BooleanField"/>
+            <AuthToUri type="TextField">
+                <Mask>/^(\/.*)?$/u</Mask>
+                <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
+            </AuthToUri>
         </general>
         <reverseproxy>
             <reverse type="ArrayField">
@@ -300,6 +313,7 @@
                     <MaximumValue>100</MaximumValue>
                     <ValidationMessage>Please enter a value between 1 to 100.</ValidationMessage>
                 </PassiveHealthFailDuration>
+                <ForwardAuth type="BooleanField"/>
                 <HttpTls type="BooleanField">
                     <Constraints>
                         <check001>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index 272973e4f1..38bb9c3adc 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -137,6 +137,7 @@
     <li class="active"><a data-toggle="tab" href="#generalTab">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#dnsProviderTab">{{ lang._('DNS Provider') }}</a></li>
     <li><a data-toggle="tab" href="#dynamicDnsTab">{{ lang._('Dynamic DNS') }}</a></li>
+    <li><a data-toggle="tab" href="#authProviderTab">{{ lang._('Auth Provider') }}</a></li>
     <li><a data-toggle="tab" href="#logSettingsTab">{{ lang._('Log Settings') }}</a></li>
 </ul>
 
@@ -154,6 +155,10 @@
     <div id="dynamicDnsTab" class="tab-pane fade">
         {{ partial("layout_partials/base_form", ['fields': dynamicdnsForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
     </div>
+    <!-- Auth Provider Tab -->
+    <div id="authProviderTab" class="tab-pane fade">
+        {{ partial("layout_partials/base_form", ['fields': authproviderForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
+    </div>
     <!-- Log Settings Tab -->
     <div id="logSettingsTab" class="tab-pane fade">
         {{ partial("layout_partials/base_form", ['fields': logsettingsForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 5884a9eb4a..e3b5592371 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -334,6 +334,7 @@
                             <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
                             <th data-column-id="ToPath" data-type="string" data-visible="false">{{ lang._('Upstream Path') }}</th>
                             <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
+                            <th data-column-id="ForwardAuth" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Forward Auth') }}</th>
                             <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS') }}</th>
                             <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS CA') }}</th>
                             <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">{{ lang._('TLS Server Name') }}</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 6709849811..5070878d57 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -346,6 +346,9 @@
 #}
 {% macro reverse_proxy_configuration(handle) %}
     {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
+        {% if handle.ForwardAuth|default("0") == "1" %}
+            {% include "OPNsense/Caddy/includeAuthProvider" %}
+        {% endif %}
         {% if handle.ToPath|default("") != "" %}
         rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
new file mode 100644
index 0000000000..4bf4b09ef6
--- /dev/null
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
@@ -0,0 +1,13 @@
+{#
+# This file gets imported to configure forward auth in handlers.
+# - Section: Reverse Proxy Configurations
+#}
+{% if generalSettings.AuthProvider == 'authelia' %}
+    {# Check if the domain is IPv6 and wrap in square brackets if necessary #}
+    {% set is_ipv6 = (':' in generalSettings.AuthToDomain and generalSettings.AuthToDomain.count(':') >= 2) %}
+    forward_auth {% if generalSettings.AuthToTls|default("0") == "1" %}https://{% endif %}{{ '[' if is_ipv6 else '' }}{{ generalSettings.AuthToDomain|default("") }}{{ ']' if is_ipv6 else '' }}{% if generalSettings.AuthToPort %}:{{ generalSettings.AuthToPort }}{% endif %} {
+    {% if generalSettings.AuthToUri %}uri {{ generalSettings.AuthToUri|default("") }}{% endif %}
+
+    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    }
+{% endif %}

From 71dd1a69da08811891b3faa0cd2dbad0d86c5310 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 3 Jul 2024 14:13:11 +0200
Subject: [PATCH 1935/3088] www/caddy: Allow bind to non standard ports (#4069)

* www/caddy: Allow bind to default loopback interface and bind to non standard http and https ports.

* www/caddy: Improve validation to include new custom ports. Remove wrong default_bind option.

* Remove keys that are already defaults.

* Allowing WellKnown is wrong in this context.
---
 .../controllers/OPNsense/Caddy/forms/general.xml | 16 ++++++++++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.php      |  9 +++++++--
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml      |  2 ++
 .../service/templates/OPNsense/Caddy/Caddyfile   | 11 +++++++++++
 4 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 66ee187088..4ac84664ed 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -5,6 +5,22 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable the Caddy web server.]]></help>
     </field>
+    <field>
+        <id>caddy.general.HttpPort</id>
+        <label>HTTP Port</label>
+        <type>text</type>
+        <hint>80</hint>
+        <help><![CDATA[If the default HTTP port is changed to e.g. 8080, then a port forward from port 80 to 8080 is necessary to issue automatic certificates with the HTTP-01 challenge and serve clients the reverse proxied resources.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>caddy.general.HttpsPort</id>
+        <label>HTTPS Port</label>
+        <type>text</type>
+        <hint>443</hint>
+        <help><![CDATA[If the default HTTPS port is changed to e.g. 8443, then a port forward from port 443 to 8443 is necessary to issue automatic certificates with the TLS-ALPN-01 challenge and serve clients the reverse proxied resources.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>caddy.general.TlsEmail</id>
         <label>ACME Email</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 85254166fb..f66497fdd3 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -129,13 +129,18 @@ private function getWebGuiPorts()
 
     private function checkWebGuiSettings($messages)
     {
-        $overlap = array_intersect($this->getWebGuiPorts(), ['80', '443']);
+        // Get custom caddy ports if set. If empty, default to 80 and 443.
+        $httpPort = !empty((string)$this->general->HttpPort) ? (string)$this->general->HttpPort : '80';
+        $httpsPort = !empty((string)$this->general->HttpsPort) ? (string)$this->general->HttpsPort : '443';
         $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
 
+        // Check for conflicts
+        $overlap = array_intersect($this->getWebGuiPorts(), [$httpPort, $httpsPort]);
+
         if (!empty($overlap) && $tlsAutoHttpsSetting !== 'off') {
             $portOverlap = implode(', ', $overlap);
             $messages->appendMessage(new Message(
-                sprintf(gettext('To use "Auto HTTPS", resolve these conflicting ports (%s) that are currently configured for the OPNsense WebGUI. Go to "System - Settings - Administration". To release port 80, enable "Disable web GUI redirect rule". To release port 443, change "TCP port" to a non-standard port, e.g., 8443.'), $portOverlap),
+                sprintf(gettext('To use "Auto HTTPS", resolve these conflicting ports (%s) that are currently configured for the OPNsense WebGUI. Go to "System - Settings - Administration". To release port 80, enable "Disable web GUI redirect rule". To release port %s, change "TCP port" to a non-standard port, e.g., 8443.'), $portOverlap, $httpsPort),
                 "general.TlsAutoHttps"
             ));
         }
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 93960a2ecc..db4388ee43 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -8,6 +8,8 @@
                 <Default>0</Default>
                 <Required>Y</Required>
             </enabled>
+            <HttpPort type="PortField"/>
+            <HttpsPort type="PortField"/>
             <TlsEmail type="EmailField">
                 <ValidationMessage>Please enter a valid email address.</ValidationMessage>
             </TlsEmail>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 5070878d57..4cc17cd6ba 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -53,6 +53,17 @@
         {% endif %}
     }
 
+    {# Change default ports on demand #}
+    {% set httpPort = generalSettings.HttpPort %}
+    {% set httpsPort = generalSettings.HttpsPort %}
+
+    {% if httpPort %}
+        http_port {{ httpPort }}
+    {% endif %}
+    {% if httpsPort %}
+        https_port {{ httpsPort }}
+    {% endif %}
+
     {#
     #   Section: Global Trusted Proxy and Credential Logging
     #   Purpose: The trusted proxy section is important when using CDNs so that headers are trusted.

From 96170a0b2e8568586f6a71123a74cfdd10a253c9 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 3 Jul 2024 14:15:42 +0200
Subject: [PATCH 1936/3088] www/caddy: Replace tls_trusted_ca_certs with
 tls_trust_pool file, since the former has been deprecated. (#4070)

---
 .../mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml | 4 ++--
 .../src/opnsense/service/templates/OPNsense/Caddy/Caddyfile   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index a0dd633c95..cbd484ae83 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -123,7 +123,7 @@
     </field>
     <field>
         <id>handle.HttpTlsTrustedCaCerts</id>
-        <label>TLS Trusted CA Certificate</label>
+        <label>TLS Trust Pool</label>
         <type>dropdown</type>
         <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
     </field>
@@ -131,6 +131,6 @@
         <id>handle.HttpTlsServerName</id>
         <label>TLS Server Name</label>
         <type>text</type>
-        <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trusted CA Certificate", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
+        <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trust Pool", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 4cc17cd6ba..795ba8f621 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -383,7 +383,7 @@
                     tls_insecure_skip_verify
                     {% endif %}
                     {% if handle.HttpTlsTrustedCaCerts %}
-                    tls_trusted_ca_certs /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                    tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
                     {% endif %}
                     {% if handle.HttpTlsServerName %}
                     tls_server_name {{ handle.HttpTlsServerName }}
@@ -398,7 +398,7 @@
                     tls_insecure_skip_verify
                     {% endif %}
                     {% if handle.HttpTlsTrustedCaCerts %}
-                    tls_trusted_ca_certs /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                    tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
                     {% endif %}
                     {% if handle.HttpTlsServerName %}
                     tls_server_name {{ handle.HttpTlsServerName }}

From a01fd048ae6d5db323473d9fd8c574da18c45388 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 3 Jul 2024 14:24:31 +0200
Subject: [PATCH 1937/3088] www/caddy: Add HTTP version selection. Mark NTLM as
 deprecated. Theoretically, it only hard codes the transport http to versions
 1.1. So, NTLM could be replaced by setting the http version to that value. At
 the same time, this also adds support for HTTP/3 to the upstream, which is
 included in the latest Caddy version 2.8.4 we have rolled out. (#4071)

---
 .../controllers/OPNsense/Caddy/forms/dialogHandle.xml    | 9 ++++++++-
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml | 8 ++++++++
 .../mvc/app/views/OPNsense/Caddy/reverse_proxy.volt      | 1 +
 .../opnsense/service/templates/OPNsense/Caddy/Caddyfile  | 8 +++++++-
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index cbd484ae83..e8013cd004 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -109,11 +109,18 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the upstream destination. Caddy uses HTTP with the upstream destination by default.]]></help>
     </field>
+    <field>
+        <id>handle.HttpVersion</id>
+        <label>HTTP Version</label>
+        <type>dropdown</type>
+        <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires TLS, and only establishes connections to webservers that also support HTTP/3.]]></help>
+    </field>
     <field>
         <id>handle.HttpNtlm</id>
         <label>NTLM</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server.]]></help>
+        <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will be removed in the future when support for NTLM phases out.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HttpTlsInsecureSkipVerify</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index db4388ee43..b44276dc28 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -327,6 +327,14 @@
                         </check001>
                     </Constraints>
                 </HttpTls>
+                <HttpVersion type="OptionField">
+                    <BlankDesc>HTTP/1.1, HTTP/2</BlankDesc>
+                    <OptionValues>
+                        <http1>HTTP/1.1</http1>
+                        <http2>HTTP/2</http2>
+                        <http3>HTTP/3</http3>
+                    </OptionValues>
+                </HttpVersion>
                 <HttpNtlm type="BooleanField">
                     <Constraints>
                         <check001>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index e3b5592371..41622bac3e 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -336,6 +336,7 @@
                             <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
                             <th data-column-id="ForwardAuth" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Forward Auth') }}</th>
                             <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS') }}</th>
+                            <th data-column-id="HttpVersion" data-type="string" data-visible="false">{{ lang._('HTTP Version') }}</th>
                             <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS CA') }}</th>
                             <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">{{ lang._('TLS Server Name') }}</th>
                             <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('NTLM') }}</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 795ba8f621..592f552d58 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -354,6 +354,7 @@
 #       - HttpTlsTrustedCaCerts (string, optional): The config extracted name of a CA certificate.
 #       - HttpTlsServerName (string, optional): Specifies the server name for the TLS handshake.
 #       - PassiveHealthFailDuration (integer, optional): Enables passive health checks when set > 0.
+#       - HttpVersion (string, optional): Choose HTTP version. Empty (default) is 1.1 and 2.
 #}
 {% macro reverse_proxy_configuration(handle) %}
     {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
@@ -373,7 +374,7 @@
             {% if handle.PassiveHealthFailDuration|default("") %}
             fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}
-            {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts|default("") != "" or handle.HttpTlsServerName|default("") != "" %}
+            {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName or handle.HttpVersion %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {
                     {% if handle.HttpTls|default("0") == "1" %}
@@ -391,6 +392,11 @@
                 }
                 {% else %}
                 transport http {
+                    {# The model does not allow to set a single number as option directly, so we have to map them. #}
+                    {% set version_map = {'http1': 1.1, 'http2': 2, 'http3': 3} %}
+                    {% if handle.HttpVersion %}
+                        versions {{ version_map[handle.HttpVersion] }}
+                    {% endif %}
                     {% if handle.HttpTls|default("0") == "1" %}
                     tls
                     {% endif %}

From 8ac117f6226d56229543ba053b0bf364e1bff57c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 3 Jul 2024 16:15:28 +0200
Subject: [PATCH 1938/3088] www/caddy: Add Caddy widgets for 24.7 new dashboard
 (#4049)

* Added Caddy widget that shows managed domains with their enabled status in the new Dashboard.

* Prepare new API endpoint for widget to display certificate validity for the automatic certificates. Swings magic wand ~asyncio.

* Add new widget to show validity status of Caddy certificates, consuming the new diagnostics certificate API.

* Missed endpoint in CaddyCertificate widget.

* Bump plugin version to 1.6.0 for 24.7

* Sort certificates by expiration date, add Expires: before the date for more clarity.

* Change cache_ttl to half a minute and fix style.

* Improve error handling of CaddyCertificate widget and API.

* Display both domains and subdomains in CaddyDomain widget. Allow free resize since the list can be long.

* Improve CaddyCertificate widget. API now serves remaining_days. Tooltip turns yellow when 14 days are left. The remaining days are shown in the overview next to the date.

* Add changelog for fix in other PR.

* Change font awesome to lock and globe symbols.

* Improve error handling of tasks with asyncio.wait_for() and a timeout.

* Update CaddyDomain and CaddyCertificate widget to emply caching of data, to only update the UI if changes are detected in the data.

* Generalize dataHasChange method in CaddyCertificate widget to compare strings.

* Implement error utility function, some cleanup for consistency.

* Update pkg-descr - Add changelog from other PRs

* Remove indent from json.dumps.

* Add widget metadata.

* Change tick timeout since resize issues have been fixed.

* Update pkg-descr

* Update pkg-descr

* Remove dataHasChanged in favor of generalized dataChanged of Base Widget.

* Update pkg-descr
---
 www/caddy/Makefile                            |   2 +-
 www/caddy/pkg-descr                           |  11 +-
 .../Caddy/Api/DiagnosticsController.php       |  20 +++
 .../OPNsense/Caddy/caddy_diagnostics.py       |  79 +++++++++++-
 .../service/conf/actions.d/actions_caddy.conf |   6 +
 .../www/js/widgets/CaddyCertificate.js        | 121 ++++++++++++++++++
 .../opnsense/www/js/widgets/CaddyDomain.js    | 119 +++++++++++++++++
 .../www/js/widgets/Metadata/Caddy.xml         |  29 +++++
 8 files changed, 383 insertions(+), 4 deletions(-)
 create mode 100644 www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
 create mode 100644 www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
 create mode 100644 www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 852d97abb0..56926373f0 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.5.7
+PLUGIN_VERSION=		1.6.0
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 90d1ce1b1f..59d58f317a 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -17,7 +17,6 @@ Main features of this plugin:
 * Access Lists to restrict access based on static networks
 * Basic Auth to restrict access by username and password
 * Syslog-ng integration and HTTP Access Log
-* NTLM Transport
 * Header manipulation with header_up and header_down
 * Simple load balancing with passive health check
 
@@ -26,6 +25,16 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.6.0
+
+* Add: New Dashboard widgets for 24.7, showing domain status and certificate validity status.
+* Fix: Caddyfile template fixed for IPv6 addresses and custom port.
+* Add: forward_auth directive with Authelia as Authz Provider.
+* Add: Default HTTP and HTTPS ports can be changed in general settings.
+* Add: Introduce HTTP version to handler. HTTP/1.1, HTTP/2 and HTTP/3 can be chosen.
+* Change: NTLM is now deprecated, though the option will stay for a while longer.
+* Change: Option "tls_trusted_ca_certs" is now "tls_trust_pool".
+
 1.5.7
 
 * Build: Update to Caddy v2.8.4 + caddy-dns plugins updated to latest upstream versions
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
index d0cc2005b8..bda64cb5e2 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
@@ -82,4 +82,24 @@ public function caddyfileAction()
         // Return the response as an array which gets automatically encoded to JSON
         return ["status" => "success", "content" => $responseArray['content']];
     }
+
+    /**
+     * Fetch the hostnames, validity and expiration dates of automatic certificates as JSON. Consumed by Caddy widget.
+     */
+    public function certificateAction()
+    {
+        $backend = new Backend();
+        $response = $backend->configdRun('caddy certificate');
+
+        // Decode JSON to PHP array
+        $responseArray = json_decode($response, true);
+
+        // Since errors are handled by the caddy_diagnostics script and returned as json, check for an error key in the response
+        if (isset($responseArray['error'])) {
+            return ["status" => "failed", "message" => $responseArray['message']];
+        }
+
+        // Return the response as an array which gets automatically encoded to JSON
+        return ["status" => "success", "content" => $responseArray];
+    }
 }
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
index 243a0555d8..f42fd60658 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
@@ -28,6 +28,10 @@
 
 import sys
 import json
+import os
+import subprocess
+import asyncio
+from datetime import datetime
 
 # Function to show the Caddy configuration from a JSON file
 def show_caddy_config():
@@ -61,12 +65,83 @@ def show_caddyfile():
     except Exception as e:
         print(json.dumps({"error": "General Error", "message": str(e)}))
 
+# Function to extract certificate information using openssl command
+async def extract_certificate_info(cert_path):
+    try:
+        # Execute the openssl command to get the expiration date with a timeout
+        result = await asyncio.wait_for(
+            asyncio.create_subprocess_exec(
+                'openssl', 'x509', '-in', cert_path, '-noout', '-enddate',
+                stdout=subprocess.PIPE, stderr=subprocess.PIPE),
+            timeout=10)  # Make sure tasks are cleaned up if they hang
+
+        stdout, stderr = await result.communicate()
+
+        # Check for errors in the execution
+        if result.returncode != 0:
+            error_message = stderr.decode().strip()
+            raise RuntimeError(f"Subprocess failed with error: {error_message}")
+
+        # Decode output and process the information
+        expiration_date_str = stdout.decode().strip().split('=')[1]
+
+        # Convert expiration date string to datetime object
+        expiration_date = datetime.strptime(expiration_date_str, "%b %d %H:%M:%S %Y GMT")
+
+        # Determine the current date
+        now = datetime.now()
+
+        # Calculate remaining days until expiration
+        remaining_days = (expiration_date - now).days
+        remaining_days = max(remaining_days, 0)  # Ensure non-negative days
+
+        # Extract the hostname from the filename
+        hostname = os.path.basename(cert_path).replace('.crt', '').lower()
+
+        return {'hostname': hostname, 'expiration_date': expiration_date_str, 'remaining_days': remaining_days}
+    except asyncio.TimeoutError as e:
+        # Handle timeout specific errors
+        raise RuntimeError(f"Timeout occurred while processing {cert_path}: {str(e)}")
+    except Exception as e:
+        raise RuntimeError(f"Error extracting certificate info for {cert_path}: {str(e)}")
+
+# Function to find certificates and create tasks to extract info
+async def find_certificates(base_dir):
+    tasks = []
+    for root, dirs, files in os.walk(base_dir):
+        # Skip any directories named 'temp'
+        dirs[:] = [d for d in dirs if d != 'temp']
+        for file in files:
+            if file.endswith('.crt'):
+                cert_path = os.path.join(root, file)
+                task = asyncio.create_task(extract_certificate_info(cert_path))
+                tasks.append(task)
+
+    if not tasks:
+        raise RuntimeError("No certificates were found in the specified directory.")
+
+    results = await asyncio.gather(*tasks, return_exceptions=True)
+    return [result for result in results if not isinstance(result, Exception)]
+
+# Function to show certificates, processing all found in the given directory
+async def show_certificates():
+    # Function to show certificates, processing all found in the given directory
+    base_dir = '/var/db/caddy/data/caddy/certificates'
+    try:
+        certificates_data = await find_certificates(base_dir)
+        if certificates_data:
+            print(json.dumps(certificates_data))
+        else:
+            raise RuntimeError("No valid certificate data found.")
+    except Exception as e:
+        print(json.dumps({"error": "General Error", "message": str(e)}))
+
 # Action handler
 def perform_action(action):
     actions = {
         "config": show_caddy_config,
-        "caddyfile": show_caddyfile
-        # Additional actions can be added here in the same format.
+        "caddyfile": show_caddyfile,
+        "certificate": lambda: asyncio.run(show_certificates())
     }
 
     action_func = actions.get(action)
diff --git a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
index 0d768ce42b..be0997b93a 100644
--- a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
+++ b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
@@ -47,3 +47,9 @@ command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py caddyfil
 parameters:
 type:script_output
 message:Request Caddyfile
+
+[certificate]
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py certificate
+parameters:
+type:script_output
+message:Check validity of automatic certificates
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
new file mode 100644
index 0000000000..e065111173
--- /dev/null
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2024 Cedrik Pischem
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import BaseTableWidget from "./BaseTableWidget.js";
+
+export default class CaddyCertificate extends BaseTableWidget {
+    constructor() {
+        super();
+        this.resizeHandles = "e, w";
+        this.tickTimeout = 30000;
+    }
+
+    getGridOptions() {
+        return {
+            // trigger overflow-y:scroll after 650px height
+            sizeToContent: 650
+        };
+    }
+
+    getMarkup() {
+        let $container = $('<div></div>');
+        let $caddyCertificateTable = this.createTable('caddyCertificateTable', {
+            headerPosition: 'none'
+        });
+
+        $container.append($caddyCertificateTable);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        try {
+            // Check if Caddy is enabled
+            const caddyStatus = await ajaxGet('/api/caddy/reverse_proxy/get', {});
+            if (!caddyStatus.caddy.general || caddyStatus.caddy.general.enabled === "0") {
+                this.displayError(`${this.translations.unconfigured}`);
+                return;
+            }
+
+            // Fetch the certificate details
+            const response = await ajaxGet('/api/caddy/diagnostics/certificate', {});
+            if (response.status !== "success") {
+                this.displayError(`${this.translations.nocerts}`);
+                return;
+            }
+
+            // Process certificates if the response is successful
+            this.processCertificates(response.content);
+        } catch (error) {
+            this.displayError(`${this.translations.error}`);
+        }
+    }
+
+    // Utility function to display errors within the widget
+    displayError(message) {
+        const $error = $(`<div class="error-message"><a href="/ui/caddy/general">${message}</a></div>`);
+        $('#caddyCertificateTable').empty().append($error);
+    }
+
+    processCertificates(certificates) {
+        if (!this.dataChanged('certificates', certificates)) {
+            return;
+        }
+
+        let rows = certificates.map(certificate => {
+            let colorClass = 'text-success';
+            if (certificate.remaining_days === 0) {
+                colorClass = 'text-danger';
+            } else if (certificate.remaining_days < 14) {
+                colorClass = 'text-warning';
+            }
+
+            let statusText = certificate.remaining_days === 0 ? this.translations.expired :
+                             this.translations.valid;
+
+            let row = `
+                <div>
+                    <i class="fa fa-lock ${colorClass}" style="cursor: pointer;"
+                        data-toggle="tooltip" title="${statusText}">
+                    </i>
+                    &nbsp;
+                    <span><b>${certificate.hostname}</b></span>
+                    <br/>
+                    <div style="margin-top: 5px; margin-bottom: 5px;"><i>${this.translations.expires}</i> ${certificate.remaining_days} ${this.translations.days}, ${new Date(certificate.expiration_date).toLocaleString()}</div>
+                </div>`;
+            return { html: row, expirationDate: new Date(certificate.expiration_date) };
+        });
+
+        // Sort rows by expiration date from lowest to highest
+        rows.sort((a, b) => a.expirationDate - b.expirationDate);
+
+        // Extract sorted HTML rows and update table
+        let sortedRows = rows.map(row => [row.html]);
+        super.updateTable('caddyCertificateTable', sortedRows);
+
+        // Initialize tooltips for new elements
+        $('[data-toggle="tooltip"]').tooltip();
+    }
+}
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
new file mode 100644
index 0000000000..04eca5ad1e
--- /dev/null
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2024 Cedrik Pischem
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import BaseTableWidget from "./BaseTableWidget.js";
+
+export default class CaddyDomain extends BaseTableWidget {
+    constructor() {
+        super();
+        this.resizeHandles = "e, w";
+    }
+
+    getGridOptions() {
+        return {
+            // Trigger overflow-y:scroll after 650px height
+            sizeToContent: 650
+        };
+    }
+
+    getMarkup() {
+        let $container = $('<div></div>');
+        let $caddyDomainTable = this.createTable('caddyDomainTable', {
+            headerPosition: 'none'
+        });
+
+        $container.append($caddyDomainTable);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        try {
+            // Check if caddy is enabled
+            const data = await ajaxGet('/api/caddy/reverse_proxy/get', {});
+            if (!data.caddy.general || data.caddy.general.enabled === "0") {
+                this.displayError(`${this.translations.unconfigured}`);
+                return;
+            }
+
+            // Process domains if caddy is enabled
+            let domains = { ...data.caddy.reverseproxy.reverse, ...data.caddy.reverseproxy.subdomain };
+            this.processDomains(domains);
+
+        } catch (error) {
+            this.displayError(`${this.translations.error}`);
+        }
+    }
+
+    // Utility function to display errors within the widget
+    displayError(message) {
+        const $error = $(`<div class="error-message"><a href="/ui/caddy/general">${message}</a></div>`);
+        $('#caddyDomainTable').empty().append($error);
+    }
+
+    processDomains(domains) {
+        if (!this.dataChanged('domains', domains)) {
+            return;
+        }
+
+        let rows = [];
+        // Assuming domains is a combination of both reverse and subdomains
+        for (const key in domains) {
+            const domain = domains[key];
+            let colorClass = domain.enabled === "1" ? 'text-success' : 'text-danger';
+            let tooltipText = domain.enabled === "1" ? this.translations.enabled : this.translations.disabled;
+            let domainPort = domain.FromDomain;
+
+            if (domain.FromPort) {
+                domainPort += `:${domain.FromPort}`;
+            }
+
+            let row = $(`
+                <div class="caddy-info">
+                    <div class="caddy-enabled">
+                        <i class="fa fa-globe ${colorClass}" style="cursor: pointer;"
+                            data-toggle="tooltip" title="${tooltipText}">
+                        </i>
+                        &nbsp;
+                        <a class="caddy-domainport" href="/ui/caddy/reverse_proxy">
+                            ${domainPort}
+                        </a>
+                    </div>
+                </div>
+            `).prop('outerHTML');
+
+            rows.push({ html: row, enabled: domain.enabled });
+        }
+
+        // Sort rows by their enabled status
+        rows.sort((a, b) => a.enabled - b.enabled);
+
+        // Update table with sorted rows
+        super.updateTable('caddyDomainTable', rows.map(row => [row.html]));
+
+        // Initialize tooltips for interactivity
+        $('[data-toggle="tooltip"]').tooltip();
+    }
+}
diff --git a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
new file mode 100644
index 0000000000..818be0f301
--- /dev/null
+++ b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
@@ -0,0 +1,29 @@
+<metadata>
+    <caddydomain>
+        <filename>CaddyDomain.js</filename>
+        <endpoints>
+            <endpoint>/api/caddy/reverse_proxy/*</endpoint>
+        </endpoints>
+        <translations>
+            <title>Caddy Domains</title>
+            <enabled>Enabled</enabled>
+            <disabled>Disabled</disabled>
+            <unconfigured>Caddy is disabled or not configured.</unconfigured>
+        </translations>
+    </caddydomain>
+    <caddycertificate>
+        <filename>CaddyCertificate.js</filename>
+        <endpoints>
+            <endpoint>/api/caddy/*</endpoint>
+        </endpoints>
+        <translations>
+            <title>Caddy Certificates</title>
+            <valid>Valid</valid>
+            <expired>Expired</expired>
+            <unconfigured>Caddy is disabled or not configured.</unconfigured>
+            <nocerts>Caddy does not manage any automatic certificates.</nocerts>
+            <expires>Expires:</expires>
+            <days>days</days>
+        </translations>
+    </caddycertificate>
+</metadata>

From c1ee693f21b0b62a174d23de2e9ad2b0866c174f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 4 Jul 2024 21:45:13 +0200
Subject: [PATCH 1939/3088] security/etpro-telemetry - align tickTimeout
 (https://github.com/opnsense/core/commit/2296c2f5ea4358e3b93ef7c95e39861ae872df7b)

---
 .../src/opnsense/www/js/widgets/ETProTelemetry.js               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index a9b8a49f6f..ada8b232b1 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -29,7 +29,7 @@ import BaseTableWidget from "./BaseTableWidget.js";
 export default class ETProTelemetry extends BaseTableWidget {
     constructor() {
         super();
-        this.tickTimeout = 3600000;
+        this.tickTimeout = 3600;
     }
 
     getMarkup() {

From a422c8c6b39aa19b47dfb53cf95a4c101b9baa3a Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 5 Jul 2024 16:40:03 +0200
Subject: [PATCH 1940/3088] www/caddy: Add HTTP keepalive to handler, revert
 NTLM deprecation. (#4072)

* www/caddy: Add HTTP Keepalive option. Needed so that HTTP Keepalive can be set 0 (off) combined with HTTP Version 1.1, in order to replace the deprecated NTLM option.

* www/caddy: Change headers inside handler form for better sorting of options.

* www/caddy: Add changelog.

* www/caddy: Change tick timeout of CaddyCertificate widget to seconds.

* www/caddy: Move NTLM back to standard options. Remove deprecation notice from changelog. Improve helptexts.

* www/caddy: Remove try/catch block because this.ajaxGet() handles errors. In CaddyCertificate and CaddyDomain widgets.
---
 www/caddy/pkg-descr                           |  2 +-
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 30 +++++++++-------
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  4 +++
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  1 +
 .../templates/OPNsense/Caddy/Caddyfile        | 10 +++++-
 .../www/js/widgets/CaddyCertificate.js        | 34 ++++++++-----------
 .../opnsense/www/js/widgets/CaddyDomain.js    | 23 +++++--------
 7 files changed, 57 insertions(+), 47 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 59d58f317a..9a3d7175c7 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -32,7 +32,7 @@ Plugin Changelog
 * Add: forward_auth directive with Authelia as Authz Provider.
 * Add: Default HTTP and HTTPS ports can be changed in general settings.
 * Add: Introduce HTTP version to handler. HTTP/1.1, HTTP/2 and HTTP/3 can be chosen.
-* Change: NTLM is now deprecated, though the option will stay for a while longer.
+* Add: HTTP Keepalive can be set in a handler.
 * Change: Option "tls_trusted_ca_certs" is now "tls_trust_pool".
 
 1.5.7
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index e8013cd004..f467f6576d 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -87,16 +87,29 @@
         <help><![CDATA[Enter a path prefix like "/guacamole" that should be prepended to the upstream request because the application demands it.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>handle.PassiveHealthFailDuration</id>
+        <label>Upstream Fail Duration</label>
+        <type>text</type>
+        <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+    </field>
     <field>
         <type>header</type>
-        <label>Load Balancing</label>
+        <label>HTTP Transport</label>
         <collapse>true</collapse>
     </field>
     <field>
-        <id>handle.PassiveHealthFailDuration</id>
-        <label>Upstream Fail Duration</label>
+        <id>handle.HttpVersion</id>
+        <label>HTTP Version</label>
+        <type>dropdown</type>
+        <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires TLS, and only establishes connections to webservers that also support HTTP/3.]]></help>
+    </field>
+    <field>
+        <id>handle.HttpKeepalive</id>
+        <label>HTTP Keepalive</label>
         <type>text</type>
-        <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+        <hint>120</hint>
+        <help><![CDATA[Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -109,18 +122,11 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the upstream destination. Caddy uses HTTP with the upstream destination by default.]]></help>
     </field>
-    <field>
-        <id>handle.HttpVersion</id>
-        <label>HTTP Version</label>
-        <type>dropdown</type>
-        <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires TLS, and only establishes connections to webservers that also support HTTP/3.]]></help>
-    </field>
     <field>
         <id>handle.HttpNtlm</id>
         <label>NTLM</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will be removed in the future when support for NTLM phases out.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
     </field>
     <field>
         <id>handle.HttpTlsInsecureSkipVerify</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index b44276dc28..e00c0efb6e 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -335,6 +335,10 @@
                         <http3>HTTP/3</http3>
                     </OptionValues>
                 </HttpVersion>
+                <HttpKeepalive type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>86400</MaximumValue>
+                </HttpKeepalive>
                 <HttpNtlm type="BooleanField">
                     <Constraints>
                         <check001>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 41622bac3e..9da4e45965 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -337,6 +337,7 @@
                             <th data-column-id="ForwardAuth" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Forward Auth') }}</th>
                             <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS') }}</th>
                             <th data-column-id="HttpVersion" data-type="string" data-visible="false">{{ lang._('HTTP Version') }}</th>
+                            <th data-column-id="HttpKeepalive" data-type="string" data-visible="false">{{ lang._('HTTP Keepalive') }}</th>
                             <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS CA') }}</th>
                             <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">{{ lang._('TLS Server Name') }}</th>
                             <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('NTLM') }}</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 592f552d58..3dac6c0abd 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -355,6 +355,7 @@
 #       - HttpTlsServerName (string, optional): Specifies the server name for the TLS handshake.
 #       - PassiveHealthFailDuration (integer, optional): Enables passive health checks when set > 0.
 #       - HttpVersion (string, optional): Choose HTTP version. Empty (default) is 1.1 and 2.
+#       - HttpKeepalive (string, optional): Keeaplive is either off (0) or a value. Empty (default) 120s.
 #}
 {% macro reverse_proxy_configuration(handle) %}
     {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
@@ -374,7 +375,7 @@
             {% if handle.PassiveHealthFailDuration|default("") %}
             fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}
-            {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName or handle.HttpVersion %}
+            {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName or handle.HttpVersion or handle.HttpKeepalive %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {
                     {% if handle.HttpTls|default("0") == "1" %}
@@ -397,6 +398,13 @@
                     {% if handle.HttpVersion %}
                         versions {{ version_map[handle.HttpVersion] }}
                     {% endif %}
+                    {% if handle.HttpKeepalive %}
+                        {% if handle.HttpKeepalive == "0" %}
+                            keepalive off
+                        {% else %}
+                            keepalive {{ handle.HttpKeepalive }}s
+                        {% endif %}
+                    {% endif %}
                     {% if handle.HttpTls|default("0") == "1" %}
                     tls
                     {% endif %}
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
index e065111173..24b45f44fe 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -30,7 +30,7 @@ export default class CaddyCertificate extends BaseTableWidget {
     constructor() {
         super();
         this.resizeHandles = "e, w";
-        this.tickTimeout = 30000;
+        this.tickTimeout = 30;
     }
 
     getGridOptions() {
@@ -51,26 +51,22 @@ export default class CaddyCertificate extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        try {
-            // Check if Caddy is enabled
-            const caddyStatus = await ajaxGet('/api/caddy/reverse_proxy/get', {});
-            if (!caddyStatus.caddy.general || caddyStatus.caddy.general.enabled === "0") {
-                this.displayError(`${this.translations.unconfigured}`);
-                return;
-            }
-
-            // Fetch the certificate details
-            const response = await ajaxGet('/api/caddy/diagnostics/certificate', {});
-            if (response.status !== "success") {
-                this.displayError(`${this.translations.nocerts}`);
-                return;
-            }
+        // Check if Caddy is enabled
+        const caddyStatus = await this.ajaxGet('/api/caddy/reverse_proxy/get');
+        if (!caddyStatus.caddy.general || caddyStatus.caddy.general.enabled === "0") {
+            this.displayError(`${this.translations.unconfigured}`);
+            return;
+        }
 
-            // Process certificates if the response is successful
-            this.processCertificates(response.content);
-        } catch (error) {
-            this.displayError(`${this.translations.error}`);
+        // Fetch the certificate details
+        const response = await this.ajaxGet('/api/caddy/diagnostics/certificate');
+        if (response.status !== "success") {
+            this.displayError(`${this.translations.nocerts}`);
+            return;
         }
+
+        // Process certificates if the response is successful
+        this.processCertificates(response.content);
     }
 
     // Utility function to display errors within the widget
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
index 04eca5ad1e..552c6a1955 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -50,21 +50,16 @@ export default class CaddyDomain extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        try {
-            // Check if caddy is enabled
-            const data = await ajaxGet('/api/caddy/reverse_proxy/get', {});
-            if (!data.caddy.general || data.caddy.general.enabled === "0") {
-                this.displayError(`${this.translations.unconfigured}`);
-                return;
-            }
-
-            // Process domains if caddy is enabled
-            let domains = { ...data.caddy.reverseproxy.reverse, ...data.caddy.reverseproxy.subdomain };
-            this.processDomains(domains);
-
-        } catch (error) {
-            this.displayError(`${this.translations.error}`);
+        // Check if caddy is enabled
+        const data = await this.ajaxGet('/api/caddy/reverse_proxy/get');
+        if (!data.caddy.general || data.caddy.general.enabled === "0") {
+            this.displayError(`${this.translations.unconfigured}`);
+            return;
         }
+
+        // Process domains if caddy is enabled
+        let domains = { ...data.caddy.reverseproxy.reverse, ...data.caddy.reverseproxy.subdomain };
+        this.processDomains(domains);
     }
 
     // Utility function to display errors within the widget

From 4f48d1e7885d9cadf7aa416b68ca371a14ceae37 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 7 Jul 2024 11:40:54 +0200
Subject: [PATCH 1941/3088] security/etpro-telemetry - prepare for 24.7 and
 replace dashboard widget with minimalistic new version. [2] copy-paste issue

---
 .../opnsense/www/js/widgets/ETProTelemetry.js    | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index ada8b232b1..66c638b4d2 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -58,15 +58,13 @@ export default class ETProTelemetry extends BaseTableWidget {
     }
 
     async onMarkupRendered() {
-        await ajaxGet('/api/core/system/systemInformation', {}, (data, status) => {
-            let rows = [];
-            rows.push([['<img src="/ui/img/proofpoint.svg" style="height:30px;" class="image_invertible">'], '']);
-            rows.push([[this.translations['sensor_status']], $('<span id="etpro_sensor_status">').prop('outerHTML')]);
-            rows.push([[this.translations['event_received']], $('<span id="etpro_event_received">').prop('outerHTML')]);
-            rows.push([[this.translations['last_rule_download']], $('<span id="etpro_last_rule_download">').prop('outerHTML')]);
-            rows.push([[this.translations['last_heartbeat']], $('<span id="etpro_last_heartbeat">').prop('outerHTML')]);
+        let rows = [];
+        rows.push([['<img src="/ui/img/proofpoint.svg" style="height:30px;" class="image_invertible">'], '']);
+        rows.push([[this.translations['sensor_status']], $('<span id="etpro_sensor_status">').prop('outerHTML')]);
+        rows.push([[this.translations['event_received']], $('<span id="etpro_event_received">').prop('outerHTML')]);
+        rows.push([[this.translations['last_rule_download']], $('<span id="etpro_last_rule_download">').prop('outerHTML')]);
+        rows.push([[this.translations['last_heartbeat']], $('<span id="etpro_last_heartbeat">').prop('outerHTML')]);
 
-            super.updateTable('ETProTelemetry-table', rows);
-        });
+        super.updateTable('ETProTelemetry-table', rows);
     }
 }
\ No newline at end of file

From 490034f6064ddf5f10cf881fc38875fe9c981b11 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 8 Jul 2024 13:58:15 +0200
Subject: [PATCH 1942/3088] security/etpro-telemetry - prepare for 24.7 and
 replace dashboard widget with minimalistic new version. [3] cleanup

---
 .../opnsense/www/js/widgets/ETProTelemetry.js | 25 +++++++++----------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index 66c638b4d2..4fc0c01827 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -42,19 +42,18 @@ export default class ETProTelemetry extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        await ajaxGet('/api/diagnostics/proofpoint_et/status', {}, (data, status) => {
-            if (data['sensor_status'] == 'active') {
-                $('#etpro_sensor_status').text(data['sensor_status']);
-                $('#etpro_event_received').text(data['event_received']);
-                $('#etpro_last_rule_download').text(data['last_rule_download']);
-                $('#etpro_last_heartbeat').text(data['last_heartbeat']);
-            } else {
-                $('#etpro_sensor_status').text('-');
-                $('#etpro_event_received').text('-');
-                $('#etpro_last_rule_download').text('-');
-                $('#etpro_last_heartbeat').text('-');
-            }
-        });
+        const data = await this.ajaxGet('/api/diagnostics/proofpoint_et/status');
+        if (data['sensor_status'] == 'active') {
+            $('#etpro_sensor_status').text(data['sensor_status']);
+            $('#etpro_event_received').text(data['event_received']);
+            $('#etpro_last_rule_download').text(data['last_rule_download']);
+            $('#etpro_last_heartbeat').text(data['last_heartbeat']);
+        } else {
+            $('#etpro_sensor_status').text('-');
+            $('#etpro_event_received').text('-');
+            $('#etpro_last_rule_download').text('-');
+            $('#etpro_last_heartbeat').text('-');
+        }
     }
 
     async onMarkupRendered() {

From 53a460467e76da4f59b2cc1daff2f2e82bb61dd6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 07:28:37 +0200
Subject: [PATCH 1943/3088] dns/ddclient: fix lint pass

---
 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py
old mode 100644
new mode 100755

From 3946ec33beb2f8af0c2a0293af78ffd7d4f94ba4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 07:44:46 +0200
Subject: [PATCH 1944/3088] plugins: style sweep

---
 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py | 2 +-
 .../src/opnsense/www/js/widgets/ETProTelemetry.js               | 2 +-
 .../src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py
index 369dd41574..c92f1e2549 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/gandi.py
@@ -78,4 +78,4 @@ def execute(self):
                     )
                 )
 
-        return False
\ No newline at end of file
+        return False
diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index 4fc0c01827..8e351a2bbc 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -66,4 +66,4 @@ export default class ETProTelemetry extends BaseTableWidget {
 
         super.updateTable('ETProTelemetry-table', rows);
     }
-}
\ No newline at end of file
+}
diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml b/security/etpro-telemetry/src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml
index 7dabaa037e..5e8949977f 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/Metadata/etpro-telemetry.xml
@@ -12,4 +12,4 @@
             <last_heartbeat>Last heartbeat</last_heartbeat>
         </translations>
     </etpro_telemetry>
-</metadata>
\ No newline at end of file
+</metadata>

From 9c6261c37c81872a994b4880aefa6f7402a02f4e Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 10 Jul 2024 09:34:21 +0200
Subject: [PATCH 1945/3088] www/caddy: Add option to disable TLS in domain
 (#4077)

* www/caddy: Add option to disable TLS for a domain. Add new validation to ensure conflicting TLS options can not be selected.

* www/caddy: Add changelog.

* www/caddy: Invert the logic, make TLS activation a checkbox that is enabled by default. Standard migration will take care of this. This makes the TLS checkbox in domains behave the same as in handlers, improving consistency.

* www/caddy: Change logic again, going back to the original plan to use DisableTls for a domain. This way, the default can be empty.

* www/caddy: Only validate if field DisableTLS has changed.

* www/caddy: Remove sprintf since it does nothing here.
---
 www/caddy/pkg-descr                           |  1 +
 .../Caddy/forms/dialogReverseProxy.xml        |  6 ++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 31 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  1 +
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  1 +
 .../templates/OPNsense/Caddy/Caddyfile        |  3 +-
 6 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 9a3d7175c7..7aa3e1d4a6 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -34,6 +34,7 @@ Plugin Changelog
 * Add: Introduce HTTP version to handler. HTTP/1.1, HTTP/2 and HTTP/3 can be chosen.
 * Add: HTTP Keepalive can be set in a handler.
 * Change: Option "tls_trusted_ca_certs" is now "tls_trust_pool".
+* Add: TLS can be deactivated in a domain.
 
 1.5.7
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 9b43eb0760..bd9f481ea1 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -42,6 +42,12 @@
         <label>Trust</label>
         <collapse>true</collapse>
     </field>
+    <field>
+        <id>reverse.DisableTls</id>
+        <label>Disable TLS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Disable HTTP over TLS (HTTPS) for this domain. When disabling TLS, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
+    </field>
     <field>
         <id>reverse.DnsChallenge</id>
         <label>DNS-01 Challenge</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index f66497fdd3..9f76fe20ee 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -160,6 +160,35 @@ private function checkAcmeEmailAutoHttps($messages)
         }
     }
 
+    // 5. Prevent the usage of conflicting options when TLS is deactivated for a Domain
+    private function checkDisableTlsConflicts($messages)
+    {
+        foreach ($this->reverseproxy->reverse->iterateItems() as $item) {
+            // First check if the DisableTls field has been changed
+            if ($item->isFieldChanged('DisableTls')) {
+                if ((string) $item->DisableTls === '1') {
+                    $conflictChecks = [
+                        'DnsChallenge' => (string) $item->DnsChallenge === '1',
+                        'AcmePassthrough' => !empty((string) $item->AcmePassthrough),
+                        'CustomCertificate' => !empty((string) $item->CustomCertificate)
+                    ];
+
+                    $conflictFields = array_keys(array_filter($conflictChecks));
+
+                    if (!empty($conflictFields)) {
+                        $messages->appendMessage(new Message(
+                            gettext(
+                                'TLS cannot be disabled if one of the following options are used: ' .
+                                '"DNS-01 Challenge", "HTTP-01 Challenge Redirection" and "Custom Certificate"'
+                            ),
+                            $item->__reference . ".DisableTls"
+                        ));
+                    }
+                }
+            }
+        }
+    }
+
     // Perform the actual validation
     public function performValidation($validateFullModel = false)
     {
@@ -172,6 +201,8 @@ public function performValidation($validateFullModel = false)
         $this->checkWebGuiSettings($messages);
         // 4. Check for ACME Email requirement
         $this->checkAcmeEmailAutoHttps($messages);
+        // 5. Check for TLS conflicts in Domain
+        $this->checkDisableTlsConflicts($messages);
 
         return $messages;
     }
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index e00c0efb6e..2650cb2671 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -193,6 +193,7 @@
                     <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
                     <IpAllowed>Y</IpAllowed>
                 </AcmePassthrough>
+                <DisableTls type="BooleanField"/>
             </reverse>
             <subdomain type="ArrayField">
                 <enabled type="BooleanField">
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 9da4e45965..fb9bc191f1 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -262,6 +262,7 @@
                             <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('HTTP Access Log') }}</th>
                             <th data-column-id="CustomCertificate" data-type="string" data-visible="false">{{ lang._('Custom Certificate') }}</th>
                             <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 redirection') }}</th>
+                            <th data-column-id="DisableTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Disable TLS') }}</th>
                             <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 3dac6c0abd..eb4ce0ad82 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -484,7 +484,8 @@
 {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
 {% if reverse.enabled|default("0") == "1" %}
 # Reverse Proxy Domain: "{{ reverse['@uuid'] }}"
-{{ reverse.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
+{# The default are encrypted connections, uncencrypted connections have to render http:// #}
+{% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ reverse.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
     {% if reverse.AccessLog|default("0") == "1" %}
     {% if generalSettings.LogAccessPlain|default("0") == "0" %}
     log {{ reverse['@uuid'] }}

From 105d68920b1f0324a54fcbcf43612165c3a4b4a1 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Wed, 10 Jul 2024 11:08:47 +0300
Subject: [PATCH 1946/3088] www/nginx: 1.33 (#3678)

* add resolver directive support

* add GUI config preview

* gzip disabling support

* move bots UA to GUI

* Add auto-ban log

* ban.volt: show readable time in grid

* vts.css: add tables headers borders

* Add Upstream keepalives

* constraint fix

* ver bump

* Add Stream proxy_connect_timeout and proxy_timeout support

* maintainer's suggestions

Co-Authored-By: Fabian Franz BSc <fabianfrz@users.noreply.github.com>

* Keepalive vs sockets additional help text

* no moment.js needed

* reflect core selectpicker update

* maintainer's suggestions

Co-Authored-By: Fabian Franz BSc <fabianfrz@users.noreply.github.com>

* Update www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt

Co-authored-by: Fabian Franz BSc <fabianfrz@users.noreply.github.com>

* maintainer's suggestions

Co-Authored-By: Fabian Franz BSc <fabianfrz@users.noreply.github.com>

* refactor a bit

-don't use global vars unnecessarily
-move css to separate file
-don't touch DOM for clipboard copy. use stored value
-don't use <pre> if violating standard
-add Button label translation
-check if clipboard write supported before link show()
-use text() instead of html() if possible
-change 'DOM ready' handler syntax
thnx @fabianfrz

* safety first

use lodash _.unescape to safely decode string without DOM manipulations

---------

Co-authored-by: Fabian Franz BSc <fabianfrz@users.noreply.github.com>
---
 www/nginx/pkg-descr                           |  12 ++
 .../OPNsense/Nginx/Api/LogsController.php     |  13 +-
 .../OPNsense/Nginx/Api/SettingsController.php |  41 ++++
 .../OPNsense/Nginx/IndexController.php        |   1 +
 .../OPNsense/Nginx/forms/httpserver.xml       |  14 ++
 .../OPNsense/Nginx/forms/location.xml         |   9 +-
 .../OPNsense/Nginx/forms/resolver.xml         |  44 +++++
 .../OPNsense/Nginx/forms/settings.xml         |  14 ++
 .../OPNsense/Nginx/forms/streamserver.xml     |  14 ++
 .../OPNsense/Nginx/forms/upstream.xml         |  20 ++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 105 +++++++++-
 .../mvc/app/views/OPNsense/Nginx/ban.volt     |   5 +
 .../mvc/app/views/OPNsense/Nginx/index.volt   | 180 ++++++++++++++----
 .../src/opnsense/scripts/nginx/list_logs.php  |   4 +-
 .../opnsense/scripts/nginx/ngx_showConfig.py  |  44 +++++
 .../opnsense/scripts/nginx/ngx_testConfig.sh  |  10 +
 .../src/opnsense/scripts/nginx/read_log.php   |   2 +
 .../service/conf/actions.d/actions_nginx.conf |  10 +
 .../templates/OPNsense/Nginx/http.conf        |  37 ++--
 .../templates/OPNsense/Nginx/location.conf    |   4 +
 .../templates/OPNsense/Nginx/streams.conf     |   6 +
 .../templates/OPNsense/Nginx/upstream.conf    |   9 +
 .../src/opnsense/www/css/nginx/index.css      |  88 +++++++++
 www/nginx/src/opnsense/www/css/nginx/vts.css  |   1 +
 .../www/js/nginx/dist/configuration.min.js    |   2 +-
 .../opnsense/www/js/nginx/src/nginx_config.js |   1 +
 26 files changed, 637 insertions(+), 53 deletions(-)
 create mode 100644 www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/resolver.xml
 create mode 100644 www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py
 create mode 100644 www/nginx/src/opnsense/scripts/nginx/ngx_testConfig.sh
 create mode 100644 www/nginx/src/opnsense/www/css/nginx/index.css

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 60d89e3b89..661bb49eb7 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,18 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.33
+
+* Add the "resolver" directive support
+* Add config preview/test/copy to GUI
+* Add gzip disabling support
+* Move bot UA settings to GUI
+* Add auto-ban logging support
+* Add Upstream keepalive support
+* Add Stream proxy_connect_timeout and proxy_timeout directives support
+* Convert epoch time to readable format on "Banned" page
+* Cosmetic: add table header borders on Traffic Statistic page for better reading
+
 1.32.2
 
 * Add columns select button to the log viewer (contributed by kulikov-a)
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
index b332460060..f0b4170791 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
@@ -40,7 +40,7 @@ class LogsController extends ApiControllerBase
     /**
      * "/" -> list of access logs
      * "/uuid" -> conent of access log
-     * @param null|string $uuid log uuid of the HTTP server from which the error log should be returned
+     * @param null|string $uuid log uuid of the HTTP server from which the access log should be returned
      * @param $fileno int number of logfile to retrieve
      * @param $page int pagination page to retrieve
      * @param $perPage int number of entries per page
@@ -53,7 +53,12 @@ public function accessesAction($uuid = null, $fileno = null, $page = 0, $perPage
         $this->nginx = new Nginx();
         if (!isset($uuid)) {
             // emulate REST API -> /accesses delivers a list of servers with access logs
-            return $this->list_vhosts();
+            // attach special vhost for perm_ban log if needed
+            $data = $this->list_vhosts();
+            if ((string)$this->nginx->http->log_perm_ban == "1") {
+                $data[] = array('id' => 'perm_ban', 'server_name' => 'Auto-ban');
+            }
+            return $data;
         } elseif (!isset($fileno)) {
             return $this->list_logfiles('access', $uuid);
         } else {
@@ -161,7 +166,7 @@ public function streamerrorsAction($uuid = null, $fileno = null, $page = 0, $per
      */
     private function get_logs($type, $uuid, $fileno, $page, $perPage, $query)
     {
-        if (!($this->vhost_exists($uuid) || $uuid == 'global')) {
+        if (!($this->vhost_exists($uuid) || $uuid == 'global' || $uuid == 'perm_ban')) {
             return $this->response->setStatusCode(404, "Not Found");
         }
 
@@ -182,7 +187,7 @@ private function get_logs($type, $uuid, $fileno, $page, $perPage, $query)
      */
     private function list_logfiles($type, $uuid)
     {
-        if (!($this->vhost_exists($uuid) || $uuid == 'global')) {
+        if (!($this->vhost_exists($uuid) || $uuid == 'global' || $uuid == 'perm_ban')) {
             return $this->response->setStatusCode(404, "Not Found");
         }
 
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 4a0849cf5d..c6d77d3950 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -229,6 +229,33 @@ public function setcustompolicyAction($uuid)
         return $this->setBase('custompolicy', 'custom_policy', $uuid);
     }
 
+    // Resolver
+    public function searchresolverAction()
+    {
+        return $this->searchBase('resolver', array('uuid', 'description', 'address', 'valid', 'timeout'));
+    }
+
+    public function getresolverAction($uuid = null)
+    {
+        $this->sessionClose();
+        return $this->getBase('resolver', 'resolver', $uuid);
+    }
+
+    public function addresolverAction()
+    {
+        return $this->addBase('resolver', 'resolver');
+    }
+
+    public function delresolverAction($uuid)
+    {
+        return $this->delBase('resolver', $uuid);
+    }
+
+    public function setresolverAction($uuid)
+    {
+        return $this->setBase('resolver', 'resolver', $uuid);
+    }
+
     // http server
     public function searchhttpserverAction()
     {
@@ -818,4 +845,18 @@ public function setsyslogTargetAction($uuid)
     {
         return $this->setBase('syslog_target', 'syslog_target', $uuid);
     }
+
+    public function showconfigAction()
+    {
+        $backend = new Backend();
+        $response = json_decode($backend->configdRun("nginx show_config"), true);
+        return $response;
+    }
+
+    public function testconfigAction()
+    {
+        $backend = new Backend();
+        $response = trim($backend->configdRun("nginx test_config"));
+        return array("response" => $response);
+    }
 }
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
index 410e04989f..a30d036d17 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
@@ -63,6 +63,7 @@ public function indexAction()
         $this->view->ipacl = $this->getForm("ipacl");
         $this->view->errorpage = $this->getForm("errorpage");
         $this->view->tls_fingerprint = $this->getForm("tls_fingerprint");
+        $this->view->resolver = $this->getForm("resolver");
         $this->view->syslog_target = $this->getForm("syslog_target");
         $nginx = new Nginx();
         $this->view->show_naxsi_download_button =
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 73e6aff5c3..4c6339d325 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -187,6 +187,13 @@
     <advanced>true</advanced>
     <help>Prefers server ciphers over client ciphers.</help>
   </field>
+  <field>
+    <id>httpserver.resolver</id>
+    <label>Resolver</label>
+    <type>dropdown</type>
+    <advanced>true</advanced>
+    <help><![CDATA[Specify resolver for Upstream names resolution, OCSP stapling etc. Uses system resolver if not specified but can produce warning messages in log.]]></help>
+  </field>
   <field>
     <id>httpserver.ocsp_stapling</id>
     <label>OCSP Stapling</label>
@@ -208,6 +215,13 @@
     <advanced>true</advanced>
     <help>Blocks files like .htaccess files or other files not intended for the public.</help>
   </field>
+  <field>
+    <id>httpserver.disable_gzip</id>
+    <label>Disable gzip</label>
+    <type>checkbox</type>
+    <advanced>true</advanced>
+    <help>Disables responses gzipping. Makes sense if TLS is used and this method of BREACH attack protection is preferred.</help>
+  </field>
   <field>
     <id>httpserver.disable_bot_protection</id>
     <label>Disable Bot Protection</label>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index e228f35056..f5b832c194 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -241,7 +241,14 @@
     <label>WebSocket Support</label>
     <type>checkbox</type>
     <advanced>true</advanced>
-    <help>If you enable the WebSocket Support option, nginx will pass the upgrade header to the backed server.</help>
+    <help>If you enable the WebSocket Support option, nginx will pass the upgrade header to the backed server. Mutually exclusive with Keepalive support.</help>
+  </field>
+  <field>
+    <id>location.upstream_keepalive</id>
+    <label>Upstream Keepalive Support</label>
+    <type>checkbox</type>
+    <advanced>true</advanced>
+    <help>Adds the directives required for upstream keepalive to work (enables HTTP 1.1 and clears the Connection header). Mutually exclusive with WebSocket support. Keepalive parameters must be set in Upstream settings too.</help>
   </field>
   <field>
     <id>location.proxy_read_timeout</id>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/resolver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/resolver.xml
new file mode 100644
index 0000000000..e224326092
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/resolver.xml
@@ -0,0 +1,44 @@
+<form>
+  <field>
+    <id>resolver.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Brief description for reference.</help>
+  </field>
+  <field>
+    <id>resolver.address</id>
+    <label>Address(es)</label>
+    <allownew>true</allownew>
+    <style>tokenize</style>
+    <type>select_multiple</type>
+    <help>Enter a list of IP addresses and ports (optional). Uses port 53 if omitted. Like "8.8.8.8, [2001:4860:4860::8888], 8.8.8.8:5353".</help>
+  </field>
+  <field>
+    <id>resolver.ipv4_off</id>
+    <label>Disable IPv4</label>
+    <type>checkbox</type>
+    <help>Do not request IPv4 addresses.</help>
+    <advanced>true</advanced>
+  </field>
+  <field>
+    <id>resolver.ipv6_off</id>
+    <label>Disable IPv6</label>
+    <type>checkbox</type>
+    <help>Do not request IPv6 addresses.</help>
+    <advanced>true</advanced>
+  </field>
+  <field>
+    <id>resolver.valid</id>
+    <label>Validity Time</label>
+    <type>text</type>
+    <help>Override response TTL in seconds.</help>
+    <advanced>true</advanced>
+  </field>
+  <field>
+    <id>resolver.timeout</id>
+    <label>Time Out</label>
+    <type>text</type>
+    <help>Resolver time out in seconds. NGINX default (if empty) is 30 seconds.</help>
+    <advanced>true</advanced>
+  </field>
+</form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
index e5d55040d3..8ac01921ce 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
@@ -66,6 +66,20 @@
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
+            <field>
+                <id>nginx.http.bots_ua</id>
+                <label>Bots User Agents</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <allownew>true</allownew>
+                <help>List of bot user agents that will be used in bot protection. Uses a well known list by default.</help>
+            </field>
+            <field>
+                <id>nginx.http.log_perm_ban</id>
+                <label>Log Banned Requests</label>
+                <type>checkbox</type>
+                <help>Log requests that led to auto-blocking (bots and honeypots).</help>
+            </field>
             <field>
                 <id>nginx.http.ban_response</id>
                 <label>Autoban Response Code</label>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
index a243578dd4..4f70528367 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/streamserver.xml
@@ -41,6 +41,20 @@
     <advanced>true</advanced>
     <help>Due to the nature of UDP, nginx cannot know, when the communication ends and this helps as it tells nginx the number of datagrams the communication is expected to last on server side and it is expected to be closed afterwards. If you enter 0, it is expected, that the server never responds to a datagram. If nginx gets a datagram, it will still get forwarded to the client. Setting this option might be useful in (mostly) unidirectional communication as well.</help>
   </field>
+  <field>
+    <id>streamserver.proxy_connect_timeout</id>
+    <label>Proxy Connect Timeout</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Defines a timeout (in seconds) for establishing a connection with a proxied server.</help>
+  </field>
+  <field>
+    <id>streamserver.proxy_timeout</id>
+    <label>Proxy Timeout</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Sets the timeout (in seconds) between two successive read or write operations on client or proxied server connections.</help>
+  </field>
   <field>
     <id>streamserver.certificate</id>
     <label>TLS Certificate</label>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
index c879b98831..3f9bd6af5b 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
@@ -23,6 +23,26 @@
     <advanced>true</advanced>
     <help>If you enable the proxy protocol, an upstream proxy or server will get the client IP and the server port before the real traffic is sent.</help>
   </field>
+  <field>
+    <id>upstream.keepalive</id>
+    <label>Keepalive</label>
+    <type>text</type>
+    <help>Activates the connections cache for upstream server and sets the max number of idle connections that are preserved in the cache of each worker process. Leave blank or set to 0 to disable. Keepalive support should be enabled at Location settings also.</help>
+  </field>
+  <field>
+    <id>upstream.keepalive_requests</id>
+    <label>Keepalive requests</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Sets the maximum number of requests that can be served through one keepalive connection. NGINX default is 1000.</help>
+  </field>
+  <field>
+    <id>upstream.keepalive_timeout</id>
+    <label>Keepalive timeout</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Sets a timeout in seconds during which an idle keepalive connection to an upstream server will stay open. NGINX default is 75s.</help>
+  </field>
   <field>
     <id>upstream.host_port</id>
     <label>Host header port</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index a55a4539c8..81f686682a 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.32.1</version>
+  <version>1.33</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -65,6 +65,14 @@
         <Required>Y</Required>
         <default>403</default>
       </ban_response>
+      <log_perm_ban type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </log_perm_ban>
+      <bots_ua type="CSVListField">
+        <Required>Y</Required>
+        <default>Python-urllib,Nmap,python-requests,libwww-perl,MJ12bot,Jorgee,fasthttp,libwww,Telesphoreo,A6-Indexer,ltx71,okhttp,ZmEu,sqlmap,LMAO/2.0,l9explore,l9tcpid,Masscan,zgrab,Ronin/2.0,Hakai/2.0,Indy\sLibrary,^Mozilla/[\d\.]+$,Morfeus\sFucking\sScanner,MSIE\s[0-6]\.\d+</default>
+      </bots_ua>
       <headers_more_enable type="BooleanField">
         <Required>N</Required>
       </headers_more_enable>
@@ -120,6 +128,18 @@
         <BlankDesc>Weighted Round Robin</BlankDesc>
         <Required>N</Required>
       </load_balancing_algorithm>
+      <keepalive type="IntegerField">
+        <MinimumValue>0</MinimumValue>
+        <Required>N</Required>
+      </keepalive>
+      <keepalive_requests type="IntegerField">
+        <MinimumValue>1</MinimumValue>
+        <Required>N</Required>
+      </keepalive_requests>
+      <keepalive_timeout type="IntegerField">
+        <MinimumValue>1</MinimumValue>
+        <Required>N</Required>
+      </keepalive_timeout>
       <host_port type="IntegerField">
         <MinimumValue>1</MinimumValue>
         <Required>N</Required>
@@ -420,7 +440,25 @@
       <websocket type="BooleanField">
         <Required>Y</Required>
         <default>0</default>
+        <Constraints>
+            <check001>
+                <ValidationMessage>WebSocket and Upstream Keepalive support can not be combined.</ValidationMessage>
+                <type>SingleSelectConstraint</type>
+                <addFields>
+                    <field1>upstream_keepalive</field1>
+                </addFields>
+            </check001>
+        </Constraints>
       </websocket>
+      <upstream_keepalive type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+        <Constraints>
+            <check001>
+                <reference>websocket.check001</reference>
+            </check001>
+        </Constraints>
+      </upstream_keepalive>
       <proxy_buffer_size type="IntegerField">
         <Required>N</Required>
         <minValue>1</minValue>
@@ -863,6 +901,18 @@
         <default>1</default>
         <Required>Y</Required>
       </tls_prefer_server_ciphers>
+      <resolver type="ModelRelationField">
+        <Model>
+          <template>
+            <source>OPNsense.Nginx.Nginx</source>
+            <items>resolver</items>
+            <display>description</display>
+          </template>
+        </Model>
+        <ValidationMessage>Selected resolver not found</ValidationMessage>
+        <Required>N</Required>
+        <multiple>N</multiple>
+      </resolver>
       <ocsp_stapling type="BooleanField">
         <default>0</default>
         <Required>Y</Required>
@@ -879,6 +929,10 @@
         <default>0</default>
         <Required>Y</Required>
       </disable_bot_protection>
+      <disable_gzip type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </disable_gzip>
       <naxsi_whitelist_srcip type="CSVListField">
         <Required>N</Required>
         <mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</mask>
@@ -1121,6 +1175,14 @@
         <Required>N</Required>
         <MinimumValue>0</MinimumValue>
       </proxy_responses>
+      <proxy_connect_timeout type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>0</MinimumValue>
+      </proxy_connect_timeout>
+      <proxy_timeout type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>0</MinimumValue>
+      </proxy_timeout>
     </stream_server>
 
     <sni_hostname_upstream_map type="ArrayField">
@@ -1199,6 +1261,47 @@
       </action>
     </ip_acl_item>
 
+    <resolver type="ArrayField">
+      <description type="TextField">
+        <Required>Y</Required>
+        <mask>/^[^" \t]+$/i</mask>
+      </description>
+      <address type="CSVListField">
+        <Required>Y</Required>
+        <multiple>Y</multiple>
+        <mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*))*$/i</mask>
+        <ValidationMessage>Please provide a valid resolver address, i.e. 8.8.8.8, [2001:4860:4860::8888], 8.8.8.8:5353.</ValidationMessage>
+      </address>
+      <valid type="IntegerField">
+        <MinimumValue>1</MinimumValue>
+        <Required>N</Required>
+      </valid>
+      <ipv4_off type="BooleanField">
+        <Required>N</Required>
+        <Constraints>
+            <check001>
+                <ValidationMessage>Can not disable all record types.</ValidationMessage>
+                <type>SingleSelectConstraint</type>
+                <addFields>
+                    <field1>ipv6_off</field1>
+                </addFields>
+            </check001>
+        </Constraints>
+      </ipv4_off>
+      <ipv6_off type="BooleanField">
+        <Required>N</Required>
+        <Constraints>
+            <check001>
+                <reference>ipv4_off.check001</reference>
+            </check001>
+        </Constraints>
+      </ipv6_off>
+      <timeout type="IntegerField">
+        <MinimumValue>1</MinimumValue>
+        <Required>N</Required>
+      </timeout>
+    </resolver>
+
     <http_rewrite type="ArrayField">
       <description type="TextField">
         <Required>Y</Required>
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/ban.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/ban.volt
index 45284c7425..f5830cc435 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/ban.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/ban.volt
@@ -46,6 +46,11 @@ $(function () {
             'options': {
                 selection:false,
                 multiSelect:false,
+                converters: {
+                    timestamp: {
+                        to: function (value) { return (new Date(value*1000)).toLocaleString(); }
+                    }
+                },
                 formatters: {
                     "delbtn": function (column, row) {
                         return `<button type="button" class="btn btn-xs btn-default command-delete" data-row-id="${row.uuid}"><span class=\"fa fa-unlock-alt\"></span></button>`;
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index 475ff2159c..5c715e748c 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -26,6 +26,10 @@
  #}
 
 <script>
+    {% set placeholder_txt = 'Click the Show Config button to load the current configuration. Please note that this is not a configuration from the running process memory. ' %}
+    {% set placeholder_txt = placeholder_txt ~ 'Also, the displayed configuration may differ from the configuration in OPNsense config if you have made but not applied changes.' %}
+
+    ngnx_config = [];
     function bind_naxsi_rule_dl_button() {
         let naxsi_rule_download_button = $('#naxsiruledownloadbtn');
         naxsi_rule_download_button.click(function () {
@@ -55,42 +59,100 @@
             });
         });
     }
-</script>
-<script src="{{ cache_safe('/ui/js/nginx/lib/lodash.min.js') }}"></script>
-<script src="{{ cache_safe('/ui/js/nginx/lib/backbone-min.js') }}"></script>
-<script src="{{ cache_safe('/ui/js/nginx/dist/configuration.min.js') }}"></script>
-<style>
-    #frm_sni_hostname_mapdlg .col-md-4,
-    #frm_ipacl_dlg .col-md-4 {
-        width: 50%;
-    }
-    #frm_sni_hostname_mapdlg td > input[type="text"],
-    #frm_ipacl_dlg td > input[type="text"] {
-        width: 100%;
-        max-width: 100%;
-    }
-    #frm_sni_hostname_mapdlg .col-md-5,
-    #frm_ipacl_dlg .col-md-5 {
-        width: 25%;
-    }
-    #row_snihostname\.data .row,
-    #row_ipacl\.data .row {
-        padding-top: 5px;
-    }
-    #row_snihostname\.data .row div,
-    #row_ipacl\.data .row div {
-        padding: 0;
-    }
-    #sni_hostname_mapdlg .bootstrap-select,
-    #frm_ipacl_dlg .bootstrap-select {
-        width: 100% !important;
+
+    function ngnx_show_conf() {
+
+        $("#nginx_conf tbody").empty().append('<tr><td class="placeholdertd">{{ lang._("Waiting for response..") }}</td></tr>');
+        $("#config_help_text").hide();
+        // clear existing config in memory (if any)
+        ngnx_config = [];
+        ajaxCall(url="/api/nginx/settings/showconfig/", sendData={}, callback=function(data,status) {
+            if (data['time'] && data['config']) {
+                let L = 0;
+                let content = [];
+                $.each(data['config'], function(index, line) {
+                    // use lodash unescape to safely decode html chars in line and store for clipboard copy
+                    ngnx_config.push(_.unescape(line));
+                    L = line.indexOf('# configuration file ') > -1 ? 0 : L + 1;
+                    // line received HTML-encoded. Should be XSS-safe if not decoded before inserting to DOM
+                    content.push('<tr><td class="l-number">' + L.toString() + '</td><td class="config-line"><span>' + line + '</span></td></tr>');
+                });
+                $("#nginx_conf tbody").empty().append(content.join());
+                $("#config_help_text").show();
+                if ((typeof navigator.clipboard === 'object') && (typeof navigator.clipboard.writeText === 'function')) {
+                    $('#nginx_config_copy').show();
+                }
+                BootstrapDialog.show({
+                   type: BootstrapDialog.TYPE_INFO,
+                   title: "{{ lang._('NGINX config loaded successfully') }}",
+                   message: "{{ lang._('NGINX config loaded. Config file created at') }}" + ": " + (new Date(data['time']*1000)).toLocaleString(),
+                   buttons: [{
+                       label: '{{ lang._('Ok') }}',
+                       action: function(dlg){
+                           dlg.close();
+                       }
+                   }]
+                });
+            } else {
+                  $("#nginx_conf td.placeholdertd").text("{{ lang._('Empty response from the backend. Please check logs.') }}");
+            }
+        });
     }
-    .filter-option {
-        padding: inherit !important;
+
+    function ngnx_test_conf() {
+        ajaxCall(url="/api/nginx/settings/testconfig/", sendData={}, callback=function(data,status) {
+            if (data['response'].indexOf('test failed') > -1) {
+                 BootstrapDialog.show({
+                    type: BootstrapDialog.TYPE_DANGER,
+                    title: "{{ lang._('NGINX config test failed') }}",
+                    message: data['response'],
+                    buttons: [{
+                        label: '{{ lang._('Ok') }}',
+                        action: function(dlg){
+                             dlg.close();
+                        }
+                    }]
+                });
+            } else {
+                 BootstrapDialog.show({
+                    type: BootstrapDialog.TYPE_INFO,
+                    title: "{{ lang._('NGINX config test is successful') }}",
+                    message: "{{ lang._('NGINX config test is successful') }}",
+                    buttons: [{
+                        label: '{{ lang._('Ok') }}',
+                        action: function(dlg){
+                             dlg.close();
+                        }
+                    }]
+                });
+            }
+        });
     }
 
-</style>
+    $(function() {
+        $("#nginx_config_copy").click(function () {
+            if (ngnx_config.length) {
+                $(this).fadeOut();
+                navigator.clipboard.writeText(ngnx_config.join('\n'));
+                $(this).fadeIn();
+            }
+        });
+        $("#subtab_item_nginx-other-config-preview").click(function () {
+            $("#nginx_conf tbody").empty().append('<tr><td class="placeholdertd">{{ lang._(placeholder_txt) }}</td></tr>');
+        });
 
+        $("#conf_show_btn").click(function () {
+            ngnx_show_conf();
+        });
+        $("#conf_test_btn").click(function () {
+            ngnx_test_conf();
+        });
+    });
+</script>
+<script src="{{ cache_safe('/ui/js/nginx/lib/lodash.min.js') }}"></script>
+<script src="{{ cache_safe('/ui/js/nginx/lib/backbone-min.js') }}"></script>
+<script src="{{ cache_safe('/ui/js/nginx/dist/configuration.min.js') }}"></script>
+<link rel="stylesheet" href="{{ cache_safe('/ui/css/nginx/index.css') }}" type="text/css" />
 
 <ul class="nav nav-tabs" role="tablist" id="maintabs">
     {{ partial("layout_partials/base_tabs_header",['formData':settings]) }}
@@ -137,6 +199,9 @@
             <li>
                 <a data-toggle="tab" id="subtab_item_nginx-http-tls-fingerprint" href="#subtab_nginx-http-tls-fingerprint">{{ lang._('TLS Fingerprint (Advanced)')}}</a>
             </li>
+            <li>
+                <a data-toggle="tab" id="subtab_item_nginx-http-resolver" href="#subtab_nginx-http-resolver">{{ lang._('Resolvers')}}</a>
+            </li>
         </ul>
     </li>
     <li role="presentation" class="dropdown">
@@ -213,6 +278,9 @@
             <li>
                 <a data-toggle="tab" id="subtab_item_nginx-other-syslog-target" href="#subtab_nginx-other-syslog-target">{{ lang._('SYSLOG Targets')}}</a>
             </li>
+            <li>
+                <a data-toggle="tab" id="subtab_item_nginx-other-config-preview" href="#subtab_nginx-other-config-preview">{{ lang._('Config Preview')}}</a>
+            </li>
         </ul>
     </li>
 </ul>
@@ -671,6 +739,29 @@
             </tfoot>
         </table>
     </div>
+    <div id="subtab_nginx-http-resolver" class="tab-pane fade">
+        <table id="grid-resolver" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="resolverdlg">
+            <thead>
+                <tr>
+                    <th data-column-id="uuid" data-type="string" data-sortable="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="address" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Address') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
     <div id="subtab_nginx-other-syslog-target" class="tab-pane fade">
         <table id="grid-syslog_target" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="syslog_target_dlg">
             <thead>
@@ -695,9 +786,31 @@
             </tfoot>
         </table>
     </div>
+    <div id="subtab_nginx-other-config-preview" class="tab-pane fade">
+        <div id="nginx_conf_container" class="nginx_table_responsive">
+            <table class="ngx_conf_table" id="nginx_conf">
+                <tbody class="ngx_conf_table_body"></tbody>
+            </table>
+            <table class="table table-striped table-condensed">
+                <tbody>
+                    <tr>
+                        <td>
+                            <div id="config_help_text" style="display:none">
+                                {{ lang._("Configuration files may contain sensitive information, keep it safe.") }}
+                                <a id="nginx_config_copy" style="display:none">{{ lang._('Click here to copy to clipboard.') }}</a>
+                            </div>
+                            <div>
+                                <button class="btn btn-primary" id="conf_show_btn" data-type="config" type="button"><b>{{ lang._('Show Config') }}</b></button>
+                                <button class="btn btn-primary" id="conf_test_btn" data-type="test" type="button"><b>{{ lang._('Test Config') }}</b></button>
+                            </div>
+                        </td>
+                    </tr>
+                </tbody>
+            </table>
+        </div>
+    </div>
 </div>
 
-
 {{ partial("layout_partials/base_dialog",['fields': upstream,'id':'upstreamdlg', 'label':lang._('Edit Upstream')]) }}
 {{ partial("layout_partials/base_dialog",['fields': upstream_server,'id':'upstreamserverdlg', 'label':lang._('Edit Upstream')]) }}
 {{ partial("layout_partials/base_dialog",['fields': location,'id':'locationdlg', 'label':lang._('Edit Location')]) }}
@@ -716,4 +829,5 @@
 {{ partial("layout_partials/base_dialog",['fields': ipacl,'id':'ipacl_dlg', 'label':lang._('Edit IP ACL')]) }}
 {{ partial("layout_partials/base_dialog",['fields': errorpage,'id':'errorpage_dlg', 'label':lang._('Edit Error Page')]) }}
 {{ partial("layout_partials/base_dialog",['fields': tls_fingerprint,'id':'tls_fingerprint_dlg', 'label':lang._('Edit TLS Fingerprint')]) }}
+{{ partial("layout_partials/base_dialog",['fields': resolver,'id':'resolverdlg', 'label':lang._('Edit Resolver')]) }}
 {{ partial("layout_partials/base_dialog",['fields': syslog_target,'id':'syslog_target_dlg', 'label':lang._('Edit SYSLOG Target')]) }}
diff --git a/www/nginx/src/opnsense/scripts/nginx/list_logs.php b/www/nginx/src/opnsense/scripts/nginx/list_logs.php
index 93d78207c8..93c951c348 100755
--- a/www/nginx/src/opnsense/scripts/nginx/list_logs.php
+++ b/www/nginx/src/opnsense/scripts/nginx/list_logs.php
@@ -68,9 +68,11 @@ function list_logfiles($prefix)
 $nginx = new Nginx();
 
 $result = [];
-// special case: the global error log
+// special cases: the global error log and the perm_ban access log
 if ($server == 'global') {
     $result = list_logfiles('error.log');
+} elseif ($server == 'perm_ban') {
+    $result = list_logfiles('perm_ban.access.log');
 } else {
     switch ($mode) {
         case 'error':
diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py b/www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py
new file mode 100644
index 0000000000..e96374a7ec
--- /dev/null
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+
+# nginx -T shows the config only if the test succeeds
+# grab nginx config from file(s) and send to stdout
+
+import os.path
+import glob
+import ujson
+
+result = dict()
+nginx_config = []
+nginx_config_root = '/usr/local/etc/nginx/'
+nginx_config_file = nginx_config_root + 'nginx.conf'
+
+def load_config_file(config_path):
+    """ load config with all inclusions
+    """
+    config_incs = []
+    # mimic 'nginx -T' syntax for config files references
+    nginx_config.append('# configuration file ' + config_path + ':')
+    for line in open(config_path, 'r').read().split('\n'):
+        nginx_config.append(line.rstrip())
+        line = line.strip()
+        if line.startswith('include '):
+            # only '*' mask is supported/used in plugin
+            if '*' not in line:
+                # it's a file relative path
+                incfilepath = nginx_config_root + line.split(' ')[-1][:-1]
+                if os.path.isfile(incfilepath):
+                    config_incs.append(incfilepath)
+            else:
+                # it's a path with a file mask
+                incdir = nginx_config_root + line.split(' ')[-1][:-1]
+                for incfilepath in glob.glob(incdir):
+                    config_incs.append(incfilepath)
+    for inc in list(dict.fromkeys(config_incs)):
+        load_config_file(inc)
+
+if os.path.isfile(nginx_config_file):
+    result['time'] = os.path.getmtime(nginx_config_file)
+    load_config_file(nginx_config_file)
+    result['config'] = nginx_config
+print(ujson.dumps(result))
+
diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_testConfig.sh b/www/nginx/src/opnsense/scripts/nginx/ngx_testConfig.sh
new file mode 100644
index 0000000000..8b085a1f09
--- /dev/null
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_testConfig.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# run nginx config test. return error text if any. always exit with 0
+if conf_test_errors=$(nginx -t -q 2>&1); then
+    echo "config is ok"
+else
+    echo "$conf_test_errors"
+fi
+
+exit 0
diff --git a/www/nginx/src/opnsense/scripts/nginx/read_log.php b/www/nginx/src/opnsense/scripts/nginx/read_log.php
index 65f288d60c..ac11b9f1ec 100755
--- a/www/nginx/src/opnsense/scripts/nginx/read_log.php
+++ b/www/nginx/src/opnsense/scripts/nginx/read_log.php
@@ -68,6 +68,8 @@
 // special case: the global error log
 if ($server == 'global') {
     $logparser = new ErrorLogParser($log_prefix . 'error' . $log_suffix, $page, $per_page, $query);
+} elseif ($server == 'perm_ban') {
+    $logparser = new AccessLogParser($log_prefix . 'perm_ban.access' . $log_suffix, $page, $per_page, $query);
 } else {
     switch ($mode) {
         case 'error':
diff --git a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
index 2107624ea9..ce44adf64d 100644
--- a/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
+++ b/www/nginx/src/opnsense/service/conf/actions.d/actions_nginx.conf
@@ -67,3 +67,13 @@ type:script
 command:/usr/local/opnsense/scripts/nginx/vts.php
 parameters:
 type:script_output
+
+[test_config]
+command:/usr/local/opnsense/scripts/nginx/ngx_testConfig.sh
+parameters:
+type:script_output
+
+[show_config]
+command:/usr/local/opnsense/scripts/nginx/ngx_showConfig.py
+parameters:
+type:script_output
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index a5470e6da0..86b1586ab1 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -14,6 +14,11 @@ log_format  main_ext  '$remote_addr - $remote_user [$time_local] "$request" '
                       'ua="$upstream_addr" us="$upstream_status" '
                       'ut="$upstream_response_time" ul="$upstream_response_length" '
                       'cs=$upstream_cache_status';
+{% if OPNsense.Nginx.http.log_perm_ban is defined and OPNsense.Nginx.http.log_perm_ban == '1' %}
+log_format  main_ban  '$remote_addr - $remote_user [$time_local] "$scheme://$host$request_uri" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+{% endif %}
 log_format  handshake   '"$http_user_agent" "$ssl_ciphers" "$ssl_curves"';
 log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" '
@@ -146,7 +151,19 @@ server {
 {%       endif %}
 {%     endif %}
 {%   endif %}
+{%   if server.resolver is defined and server.resolver != '' %}
+{%     set resolver = helpers.getUUID(server.resolver) %}
+{%     if resolver is defined %}
+    resolver {{ resolver.address.replace(',', ' ') }}{% if resolver.valid is defined and resolver.valid != '' %} valid={{ resolver.valid}}s{% endif %}{% if resolver.ipv4_off is defined and resolver.ipv4_off == '1' %} ipv4=off{% endif %}{% if resolver.ipv6_off is defined and resolver.ipv6_off == '1' %} ipv6=off{% endif %};
+{%       if resolver.timeout is defined and resolver.timeout !='' %}
+    resolver_timeout {{ resolver.timeout }}s;
+{%       endif %}
+{%     endif %}
+{%   endif %}
 
+{% if server.disable_gzip is defined and server.disable_gzip == '1' %}
+    gzip off;
+{% endif %}
     sendfile {% if server.sendfile is defined and server.sendfile == '1' %}On{% else %}Off{% endif %};
     server_name  {{ server.servername.replace(',', ' ') }};
 {% if server.real_ip_source is defined and server.real_ip_source != '' %}
@@ -241,6 +258,9 @@ server {
     set $naxsi_extensive_log {% if server.naxsi_extensive_log is defined and server.naxsi_extensive_log == '1' %}1{% else %}0{% endif %};
     location @permanentban {
         access_log /var/log/nginx/permanentban.access.log main;
+{% if OPNsense.Nginx.http.log_perm_ban is defined and OPNsense.Nginx.http.log_perm_ban == '1' %}
+        access_log /var/log/nginx/perm_ban.access.log main_ban;
+{% endif %}
         internal;
         add_header "Content-Type" "text/plain; charset=UTF-8" always;
         return {% if OPNsense.Nginx.http.ban_response is defined and OPNsense.Nginx.http.ban_response != '403' %}{{OPNsense.Nginx.http.ban_response}}{% else %}403 "You got banned permanently from this server."{% endif %};
@@ -261,19 +281,12 @@ server {
     }
 {% endif %}
 {% if server.disable_bot_protection is not defined or server.disable_bot_protection != '1' %}
-    # block based on User Agents - stuff I have found over the years in my server log
-    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0) {
-      return 418;
-    }
-    {# MSIE 7 cannot be blocked - used for compatibility mode - https://blogs.msdn.microsoft.com/ieinternals/2013/09/21/internet-explorer-11s-many-user-agent-strings/ #}
-    if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
-    {
-      return 418;
-    }
-    if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
-    {
-      return 418;
+{%   if OPNsense.Nginx.http.bots_ua is defined and OPNsense.Nginx.http.bots_ua|default("") != "" %}
+    # block based on User Agents defined in global http settings
+    if ($http_user_agent ~* {{ OPNsense.Nginx.http.bots_ua|replace(',','|') }}) {
+        return 418;
     }
+{%   endif %}
 {% endif %}
 {% if server.ip_acl is defined %}
 {%   set ip_acl = server.ip_acl %}
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 35145c75b2..1d0adc6dc3 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -126,6 +126,10 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $connection_upgrade;
 {%   endif %}
+{%   if location.upstream_keepalive is defined and location.upstream_keepalive == '1' %}
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+{%   endif %}
 {%   if location.proxy_buffer_size is defined and location.proxy_buffer_size != '' %}
     proxy_buffer_size {{ location.proxy_buffer_size }}k;
 {%   endif %}
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index 8915f32653..9b696220fa 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -104,6 +104,12 @@
 {%   if server.proxy_responses is defined and server.proxy_responses != '' %}
         proxy_responses {{ server.proxy_responses }};
 {%   endif%}
+{%   if server.proxy_connect_timeout is defined and server.proxy_connect_timeout != '' %}
+        proxy_connect_timeout {{ server.proxy_connect_timeout }}s;
+{%   endif%}
+{%   if server.proxy_timeout is defined and server.proxy_timeout != '' %}
+        proxy_timeout {{ server.proxy_timeout }}s;
+{%   endif%}
 {%   if server.trusted_proxies is defined and server.trusted_proxies != '' and server.proxy_protocol is defined and server.proxy_protocol == '1' %}
 {%     for trusted_proxy in server.trusted_proxies.split(',') %}
         set_real_ip_from {{ trusted_proxy }};
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/upstream.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/upstream.conf
index b5226fa908..3f07f37175 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/upstream.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/upstream.conf
@@ -12,6 +12,15 @@ upstream upstream{{ upstream_uuid.replace('-','') }} {
 ip_hash;
 {%     endif %}
 {%   endif %}
+{%   if upstream.keepalive is defined and upstream.keepalive|int > 0 %}
+keepalive {{ upstream.keepalive }};
+{%     if upstream.keepalive_requests is defined and upstream.keepalive_requests != '' %}
+keepalive_requests {{ upstream.keepalive_requests }};
+{%     endif %}
+{%     if upstream.keepalive_timeout is defined and upstream.keepalive_timeout != '' %}
+keepalive_timeout {{ upstream.keepalive_timeout }}s;
+{%     endif %}
+{%   endif %}
 {%   for upstream_serveruuid in upstream.serverentries.split(',') %}
 {%     set upstream_server = helpers.getUUID(upstream_serveruuid) %}
 server {% if ':' in upstream_server.server %}[{% endif %}{{ upstream_server.server }}{% if ':' in upstream_server.server %}]{% endif
diff --git a/www/nginx/src/opnsense/www/css/nginx/index.css b/www/nginx/src/opnsense/www/css/nginx/index.css
new file mode 100644
index 0000000000..a680bfef07
--- /dev/null
+++ b/www/nginx/src/opnsense/www/css/nginx/index.css
@@ -0,0 +1,88 @@
+/*
+* Copyright (C) 2023 A. Kulikov <kulikov.a@gmail.com>
+* Copyright (C) 2017-2018 Fabian Franz
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are met:
+*
+*  1. Redistributions of source code must retain the above copyright notice,
+*   this list of conditions and the following disclaimer.
+*
+*  2. Redistributions in binary form must reproduce the above copyright
+*    notice, this list of conditions and the following disclaimer in the
+*    documentation and/or other materials provided with the distribution.
+*
+* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#frm_sni_hostname_mapdlg .col-md-4,
+#frm_ipacl_dlg .col-md-4 {
+    width: 50%;
+}
+#frm_sni_hostname_mapdlg td > input[type="text"],
+#frm_ipacl_dlg td > input[type="text"] {
+    width: 100%;
+    max-width: 100%;
+}
+#frm_sni_hostname_mapdlg .col-md-5,
+#frm_ipacl_dlg .col-md-5 {
+    width: 25%;
+}
+#row_snihostname\.data .row,
+#row_ipacl\.data .row {
+    padding-top: 5px;
+}
+#row_snihostname\.data .row div,
+#row_ipacl\.data .row div {
+    padding: 0;
+}
+#sni_hostname_mapdlg .bootstrap-select,
+#frm_ipacl_dlg .bootstrap-select {
+    width: 100% !important;
+}
+#nginx_conf_container {
+    overflow-x: auto;
+}
+.ngx_conf_table {
+    white-space: pre-wrap;
+    color: #333333;
+    background-color: #f5f5f5;
+    word-break: break-all;
+    word-wrap: break-word;
+}
+.ngx_conf_table_body {
+    display: grid;
+    height: 400px;
+    overflow-y: auto;
+    font-family: ui-monospace,monospace;
+    font-size: 13px;
+}
+.l-number {
+    position: relative;
+    width: 1%;
+    min-width: 50px;
+    padding-right: 20px;
+    padding-left: 1px;
+    text-align: right;
+    white-space: nowrap;
+    vertical-align: top;
+    user-select: none;
+    filter: brightness(2.0);
+    filter: contrast(0.3);
+}
+.placeholdertd {
+    padding: 10px;
+}
+#nginx_config_copy {
+    cursor: pointer;
+}
diff --git a/www/nginx/src/opnsense/www/css/nginx/vts.css b/www/nginx/src/opnsense/www/css/nginx/vts.css
index a63c5e1b20..60f08183af 100644
--- a/www/nginx/src/opnsense/www/css/nginx/vts.css
+++ b/www/nginx/src/opnsense/www/css/nginx/vts.css
@@ -44,6 +44,7 @@
 #monitor thead th {
     font-size: 1em;
     padding: .1em .3em;
+    border: 1px solid;
 }
 #monitor tbody th {
     text-align: left;
diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
index e7c57eb22b..3ef498d006 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
@@ -1 +1 @@
-!function(t){var e={};function n(i){if(e[i])return e[i].exports;var s=e[i]={i:i,l:!1,exports:{}};return t[i].call(s.exports,s,s.exports,n),s.l=!0,s.exports}n.m=t,n.c=e,n.d=function(t,e,i){n.o(t,e)||Object.defineProperty(t,e,{enumerable:!0,get:i})},n.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},n.t=function(t,e){if(1&e&&(t=n(t)),8&e)return t;if(4&e&&"object"==typeof t&&t&&t.__esModule)return t;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:t}),2&e&&"string"!=typeof t)for(var s in t)n.d(i,s,function(e){return t[e]}.bind(null,s));return i},n.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return n.d(e,"a",e),e},n.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},n.p="",n(n.s=27)}({27:function(t,e,n){"use strict";n.r(e);var i=Backbone.View.extend({tagName:"div",attributes:{class:"container-fluid"},child_views:[],createModel:null,upstreamCollection:null,initialize:function(t){this.dataField=$(t.dataField),this.entryclass=t.entryclass,this.createModel=t.createModel,this.upstreamCollection=t.upstreamCollection,this.listenTo(this.collection,"add remove reset",this.render),this.listenTo(this.collection,"change",this.update),this.dataField.after(this.$el)},events:{"click .add":"addEntry"},render:function(){this.child_views.forEach(t=>t.remove()),this.$el.html(""),this.child_views=[],this.update(),this.collection.each(t=>{const e=new this.entryclass({model:t,collection:this.collection,upstreamCollection:this.upstreamCollection});this.child_views.push(e),this.$el.append(e.$el),e.render()}),this.$el.append($('\n            <div class="row">\n                <button class="btn btn-primary pull-right add">\n                    <span class="fa fa-plus"></span>\n                </button>\n            </div>'))},update:function(){this.dataField.data("data",this.collection.toJSON())},addEntry:function(t){t.preventDefault(),this.collection.add(this.createModel())}});var s=Backbone.Collection.extend({url:"/api/nginx/settings/searchupstream",parse:function(t){return t.rows}});const a=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("hostname",this.key.value)},"change .value":function(){this.model.set("upstream",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("hostname"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("upstream"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.model.has("upstream")&&0!==this.upstreamCollection.where({uuid:this.model.get("upstream")}).length||this.upstreamCollection.length>0&&this.model.set("upstream",this.upstreamCollection.at(0).get("uuid")),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("hostname")),this.regenerate_list(),$(this.value).val(this.model.get("upstream"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("uuid")}">${e.escape("description")}</option>`)),t.val(this.model.get("upstream")),t.selectpicker("refresh")}}),l=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("network",this.key.value)},"change .value":function(){this.model.set("action",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("network"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("action"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("network")),this.regenerate_list(),$(this.value).val(this.model.get("action"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("value")}">${e.escape("name")}</option>`)),t.val(this.model.get("action")),t.selectpicker("refresh")}});var o=Backbone.Collection.extend({initialize:function(){let t=this;$("#snihostname\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#snihostname\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}}),r=Backbone.Model.extend({}),d=Backbone.Model.extend({}),c=Backbone.Collection.extend({initialize:function(){let t=this;$("#ipacl\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#ipacl\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}});const u=new s,h=new Backbone.Collection([{name:"Deny",value:"deny"},{name:"Allow",value:"allow"}]);$(document).ready(function(){mapDataToFormUI({frm_nginx:"/api/nginx/settings/get"}).done(function(){formatTokenizersUI(),$('select[data-allownew="false"]').selectpicker("refresh"),updateServiceControlUI("nginx")}),""!==window.location.hash&&$('a[href="'+window.location.hash+'"]').click(),$(".nav-tabs a").on("shown.bs.tab",function(t){history.pushState(null,null,t.target.hash)}),$(".reload_btn").click(function(){$(".reloadAct_progress").addClass("fa-spin"),ajaxCall("/api/nginx/service/reconfigure",{},function(){$(".reloadAct_progress").removeClass("fa-spin")})}),$('[id*="save_"]').each(function(){$(this).click(function(){let t=$(this).closest("form").attr("id"),e=$(this).closest("form").attr("data-title");saveFormToEndpoint("/api/nginx/settings/set",t,function(){$("#"+t+"_progress").addClass("fa fa-spinner fa-pulse"),ajaxCall("/api/nginx/service/reconfigure",{},function(n,i){$("#"+t+"_progress").removeClass("fa fa-spinner fa-pulse"),void 0===n||"success"===i&&"ok"===n.status?updateServiceControlUI("nginx"):BootstrapDialog.show({type:BootstrapDialog.TYPE_WARNING,title:e,message:JSON.stringify(n),draggable:!0})})})})}),["upstream","upstreamserver","location","credential","userlist","httpserver","streamserver","httprewrite","custompolicy","security_header","ipacl","limit_zone","cache_path","limit_request_connection","snifwd","errorpage","tls_fingerprint","syslog_target","naxsirule"].forEach(function(t){$("#grid-"+t).UIBootgrid({search:"/api/nginx/settings/search"+t,get:"/api/nginx/settings/get"+t+"/",set:"/api/nginx/settings/set"+t+"/",add:"/api/nginx/settings/add"+t+"/",del:"/api/nginx/settings/del"+t+"/",commands:{copy_uuid:{method:function(t){navigator.clipboard.writeText($(this).data("row-id"))}}},options:{selection:!1,multiSelect:!1,formatters:{commands:function(t,e){return'<button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-edit" data-row-id="'+e.uuid+'" title="Edit"><span class="fa fa-fw fa-pencil"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy_uuid" data-row-id="'+e.uuid+'" title="Copy UUID to clipboard"><span class="fa fa-fw fa-clipboard"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy" data-row-id="'+e.uuid+'" title="Clone"><span class="fa fa-fw fa-clone"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-delete" data-row-id="'+e.uuid+'" title="Delete"><span class="fa fa-fw fa-trash-o"></span></button>'},response:function(t,e){return"none"==e.response?"unchanged":e.response},statuscodes:function(t,e){const n=[],i=e.statuscodes.split(",");for(let t of i)n.push(t.substr(0,3));return n.join(", ")}}}})}),bind_naxsi_rule_dl_button(),function(){let t=new i({dataField:document.getElementById("snihostname.data"),upstreamCollection:u,entryclass:a,collection:new o,createModel:function(){return new r({hostname:"localhost"})}});window.snifield=t,t.render(),$("#grid-upstream").on("loaded.rs.jquery.bootgrid",function(){u.fetch()}),u.fetch()}();let t=new i({dataField:document.getElementById("ipacl.data"),upstreamCollection:h,entryclass:l,collection:new c,createModel:function(){return new d({network:"::",action:"deny"})}});window.ipaclfield=t,t.render()})}});
\ No newline at end of file
+!function(t){var e={};function n(i){if(e[i])return e[i].exports;var s=e[i]={i:i,l:!1,exports:{}};return t[i].call(s.exports,s,s.exports,n),s.l=!0,s.exports}n.m=t,n.c=e,n.d=function(t,e,i){n.o(t,e)||Object.defineProperty(t,e,{enumerable:!0,get:i})},n.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},n.t=function(t,e){if(1&e&&(t=n(t)),8&e)return t;if(4&e&&"object"==typeof t&&t&&t.__esModule)return t;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:t}),2&e&&"string"!=typeof t)for(var s in t)n.d(i,s,function(e){return t[e]}.bind(null,s));return i},n.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return n.d(e,"a",e),e},n.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},n.p="",n(n.s=25)}({25:function(t,e,n){"use strict";n.r(e);var i=Backbone.View.extend({tagName:"div",attributes:{class:"container-fluid"},child_views:[],createModel:null,upstreamCollection:null,initialize:function(t){this.dataField=$(t.dataField),this.entryclass=t.entryclass,this.createModel=t.createModel,this.upstreamCollection=t.upstreamCollection,this.listenTo(this.collection,"add remove reset",this.render),this.listenTo(this.collection,"change",this.update),this.dataField.after(this.$el)},events:{"click .add":"addEntry"},render:function(){this.child_views.forEach(t=>t.remove()),this.$el.html(""),this.child_views=[],this.update(),this.collection.each(t=>{const e=new this.entryclass({model:t,collection:this.collection,upstreamCollection:this.upstreamCollection});this.child_views.push(e),this.$el.append(e.$el),e.render()}),this.$el.append($('\n            <div class="row">\n                <button class="btn btn-primary pull-right add">\n                    <span class="fa fa-plus"></span>\n                </button>\n            </div>'))},update:function(){this.dataField.data("data",this.collection.toJSON())},addEntry:function(t){t.preventDefault(),this.collection.add(this.createModel())}});var s=Backbone.Collection.extend({url:"/api/nginx/settings/searchupstream",parse:function(t){return t.rows}});const a=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("hostname",this.key.value)},"change .value":function(){this.model.set("upstream",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("hostname"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("upstream"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.model.has("upstream")&&0!==this.upstreamCollection.where({uuid:this.model.get("upstream")}).length||this.upstreamCollection.length>0&&this.model.set("upstream",this.upstreamCollection.at(0).get("uuid")),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("hostname")),this.regenerate_list(),$(this.value).val(this.model.get("upstream"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("uuid")}">${e.escape("description")}</option>`)),t.val(this.model.get("upstream")),t.selectpicker("refresh")}}),l=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("network",this.key.value)},"change .value":function(){this.model.set("action",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("network"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("action"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("network")),this.regenerate_list(),$(this.value).val(this.model.get("action"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("value")}">${e.escape("name")}</option>`)),t.val(this.model.get("action")),t.selectpicker("refresh")}});var o=Backbone.Collection.extend({initialize:function(){let t=this;$("#snihostname\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#snihostname\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}}),r=Backbone.Model.extend({}),d=Backbone.Model.extend({}),c=Backbone.Collection.extend({initialize:function(){let t=this;$("#ipacl\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#ipacl\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}});const u=new s,h=new Backbone.Collection([{name:"Deny",value:"deny"},{name:"Allow",value:"allow"}]);$(document).ready(function(){mapDataToFormUI({frm_nginx:"/api/nginx/settings/get"}).done(function(){formatTokenizersUI(),$('select[data-allownew="false"]').selectpicker("refresh"),updateServiceControlUI("nginx")}),""!==window.location.hash&&$('a[href="'+window.location.hash+'"]').click(),$(".nav-tabs a").on("shown.bs.tab",function(t){history.pushState(null,null,t.target.hash)}),$(".reload_btn").click(function(){$(".reloadAct_progress").addClass("fa-spin"),ajaxCall("/api/nginx/service/reconfigure",{},function(){$(".reloadAct_progress").removeClass("fa-spin")})}),$('[id*="save_"]').each(function(){$(this).click(function(){let t=$(this).closest("form").attr("id"),e=$(this).closest("form").attr("data-title");saveFormToEndpoint("/api/nginx/settings/set",t,function(){$("#"+t+"_progress").addClass("fa fa-spinner fa-pulse"),ajaxCall("/api/nginx/service/reconfigure",{},function(n,i){$("#"+t+"_progress").removeClass("fa fa-spinner fa-pulse"),void 0===n||"success"===i&&"ok"===n.status?updateServiceControlUI("nginx"):BootstrapDialog.show({type:BootstrapDialog.TYPE_WARNING,title:e,message:JSON.stringify(n),draggable:!0})})})})}),["upstream","upstreamserver","location","credential","userlist","httpserver","streamserver","httprewrite","custompolicy","security_header","ipacl","limit_zone","cache_path","limit_request_connection","snifwd","errorpage","tls_fingerprint","resolver","syslog_target","naxsirule"].forEach(function(t){$("#grid-"+t).UIBootgrid({search:"/api/nginx/settings/search"+t,get:"/api/nginx/settings/get"+t+"/",set:"/api/nginx/settings/set"+t+"/",add:"/api/nginx/settings/add"+t+"/",del:"/api/nginx/settings/del"+t+"/",commands:{copy_uuid:{method:function(t){navigator.clipboard.writeText($(this).data("row-id"))}}},options:{selection:!1,multiSelect:!1,formatters:{commands:function(t,e){return'<button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-edit" data-row-id="'+e.uuid+'" title="Edit"><span class="fa fa-fw fa-pencil"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy_uuid" data-row-id="'+e.uuid+'" title="Copy UUID to clipboard"><span class="fa fa-fw fa-clipboard"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy" data-row-id="'+e.uuid+'" title="Clone"><span class="fa fa-fw fa-clone"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-delete" data-row-id="'+e.uuid+'" title="Delete"><span class="fa fa-fw fa-trash-o"></span></button>'},response:function(t,e){return"none"==e.response?"unchanged":e.response},statuscodes:function(t,e){const n=[],i=e.statuscodes.split(",");for(let t of i)n.push(t.substr(0,3));return n.join(", ")}}}})}),bind_naxsi_rule_dl_button(),function(){let t=new i({dataField:document.getElementById("snihostname.data"),upstreamCollection:u,entryclass:a,collection:new o,createModel:function(){return new r({hostname:"localhost"})}});window.snifield=t,t.render(),$("#grid-upstream").on("loaded.rs.jquery.bootgrid",function(){u.fetch()}),u.fetch()}();let t=new i({dataField:document.getElementById("ipacl.data"),upstreamCollection:h,entryclass:l,collection:new c,createModel:function(){return new d({network:"::",action:"deny"})}});window.ipaclfield=t,t.render()})}});
\ No newline at end of file
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js b/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
index c2719990eb..e61a2469be 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
@@ -70,6 +70,7 @@ function init_grids() {
         'snifwd',
         'errorpage',
         'tls_fingerprint',
+        'resolver',
         'syslog_target',
         'naxsirule'].forEach(function (element) {
         $("#grid-" + element).UIBootgrid(

From 2c7c7b831169a353e89fd0f9ed1c4df757bd9712 Mon Sep 17 00:00:00 2001
From: Violet Shreve <violet@shreve.io>
Date: Wed, 10 Jul 2024 04:10:08 -0400
Subject: [PATCH 1947/3088] www/nginx: Update help text to clarify https
 redirect actions (#3776)

---
 .../mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml     | 2 +-
 .../mvc/app/controllers/OPNsense/Nginx/forms/location.xml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 4c6339d325..b3ad135282 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -156,7 +156,7 @@
     <id>httpserver.https_only</id>
     <label>HTTPS Only</label>
     <type>checkbox</type>
-    <help>If you check this box, a TLS encrypted connection is enforced.</help>
+    <help>If the request scheme is not HTTPS, redirect to use HTTPS for this server.</help>
   </field>
   <field>
     <id>httpserver.tls_protocols</id>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index f5b832c194..25c998c75d 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -204,7 +204,7 @@
     <id>location.force_https</id>
     <label>Force HTTPS</label>
     <type>checkbox</type>
-    <help>Force encrypted connections.</help>
+    <help>If the request scheme is not HTTPS, redirect to use HTTPS for this location.</help>
   </field>
   <field>
     <id>location.http2_push_preload</id>

From d09d3dbaa500b0c918fb67c6c3854a137c467786 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 10:17:05 +0200
Subject: [PATCH 1948/3088] www/nginx: fix lint

---
 www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py | 1 -
 www/nginx/src/opnsense/scripts/nginx/ngx_testConfig.sh | 0
 2 files changed, 1 deletion(-)
 mode change 100644 => 100755 www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py
 mode change 100644 => 100755 www/nginx/src/opnsense/scripts/nginx/ngx_testConfig.sh

diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py b/www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py
old mode 100644
new mode 100755
index e96374a7ec..986cece76f
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_showConfig.py
@@ -41,4 +41,3 @@ def load_config_file(config_path):
     load_config_file(nginx_config_file)
     result['config'] = nginx_config
 print(ujson.dumps(result))
-
diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_testConfig.sh b/www/nginx/src/opnsense/scripts/nginx/ngx_testConfig.sh
old mode 100644
new mode 100755

From 68a69f0c880230dc968a11dd47e0d3e8b3540f44 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 10 Jul 2024 10:19:13 +0200
Subject: [PATCH 1949/3088] www/caddy: Update route53 config field names
 (#4073)

Reference: https://github.com/caddy-dns/route53/commit/19e2b6c
---
 www/caddy/pkg-descr                                           | 1 +
 .../mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml  | 4 ++--
 .../service/templates/OPNsense/Caddy/includeDnsProvider       | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 7aa3e1d4a6..94e47d2bd7 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -34,6 +34,7 @@ Plugin Changelog
 * Add: Introduce HTTP version to handler. HTTP/1.1, HTTP/2 and HTTP/3 can be chosen.
 * Add: HTTP Keepalive can be set in a handler.
 * Change: Option "tls_trusted_ca_certs" is now "tls_trust_pool".
+* Build: Update caddy-dns Cloudflare and Route53. Route53 field names changed due to upstream changes.
 * Add: TLS can be deactivated in a domain.
 
 1.5.7
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index 39d36919c4..87fedb3ca8 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -32,7 +32,7 @@
         <id>caddy.general.TlsDnsOptionalField2</id>
         <label>DNS API Additional Field 3</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "aws_profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server".]]></help>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server".]]></help>
     </field>
     <field>
         <id>caddy.general.TlsDnsOptionalField3</id>
@@ -44,6 +44,6 @@
         <id>caddy.general.TlsDnsOptionalField4</id>
         <label>DNS API Additional Field 5</label>
         <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "token".]]></help>
+        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "session_token".]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
index f962d75120..94df27ca0e 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
@@ -26,11 +26,11 @@
     {% endif %}
     {% if dnsOptionalField1 %}max_retries {{ dnsOptionalField1 }}
     {% endif %}
-    {% if dnsOptionalField2 %}aws_profile {{ dnsOptionalField2 }}
+    {% if dnsOptionalField2 %}profile {{ dnsOptionalField2 }}
     {% endif %}
     {% if dnsOptionalField3 %}region {{ dnsOptionalField3 }}
     {% endif %}
-    {% if dnsOptionalField4 %}token {{ dnsOptionalField4 }}
+    {% if dnsOptionalField4 %}session_token {{ dnsOptionalField4 }}
     {% endif %}
 {% elif dnsProvider == 'acmedns' %}
     {% if dnsApiKey %}username {{ dnsApiKey }}

From 50a7a117368cd0fd670b843abd357689acc1e59d Mon Sep 17 00:00:00 2001
From: Jordan Stacy <53239541+jordanstacy@users.noreply.github.com>
Date: Tue, 9 Jul 2024 13:28:55 -0700
Subject: [PATCH 1950/3088] dns/bind: Fix multiple select on Recursion field

---
 .../mvc/app/controllers/OPNsense/Bind/forms/general.xml         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 5be009dac0..23e9c92026 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -111,7 +111,7 @@
     <field>
         <id>general.recursion</id>
         <label>Recursion</label>
-        <type>dropdown</type>
+        <type>select_multiple</type>
         <help>Define an ACL where you allow which clients can resolve via this service. Usually use your local LAN.</help>
     </field>
     <field>

From 7967441e431e15f9c97dfb6f9a72865f75df3cac Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 10:46:22 +0200
Subject: [PATCH 1951/3088] dns/bind: release new version

---
 dns/bind/Makefile  | 3 +--
 dns/bind/pkg-descr | 6 +++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 5b8cb64262..b02187266e 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.31
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.32
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 155d0a82fd..e764e3b888 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -9,11 +9,15 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.32
+
+* Fix handling of multiple ACLs in allow-query/allow-transfer (contributed by Nathan Rennie-Waldock)
+* Fix multiple select on Recursion field (contributed by Jordan Stacy)
+
 1.31
 
 * Do not add the update-policy if the zone type is secondary (contributed by Brendan Bank)
 * Adjust severity log levels (contributed by kulikov-a)
-* Fix handling of multiple ACLs in allow-query/allow-transfer (contributed by Nathan Rennie-Waldock)
 
 1.30
 

From 5ce8679c1057dd683743fff71a3c8a8c9907821f Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 10 Jul 2024 10:48:40 +0200
Subject: [PATCH 1952/3088] www/caddy: Change this.ajaxGet to this.ajaxCall in
 Widgets. (#4084)

---
 www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js | 2 +-
 www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
index 24b45f44fe..051fc2bc19 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -52,7 +52,7 @@ export default class CaddyCertificate extends BaseTableWidget {
 
     async onWidgetTick() {
         // Check if Caddy is enabled
-        const caddyStatus = await this.ajaxGet('/api/caddy/reverse_proxy/get');
+        const caddyStatus = await this.ajaxCall('/api/caddy/reverse_proxy/get');
         if (!caddyStatus.caddy.general || caddyStatus.caddy.general.enabled === "0") {
             this.displayError(`${this.translations.unconfigured}`);
             return;
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
index 552c6a1955..d0e5453152 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -51,7 +51,7 @@ export default class CaddyDomain extends BaseTableWidget {
 
     async onWidgetTick() {
         // Check if caddy is enabled
-        const data = await this.ajaxGet('/api/caddy/reverse_proxy/get');
+        const data = await this.ajaxCall('/api/caddy/reverse_proxy/get');
         if (!data.caddy.general || data.caddy.general.enabled === "0") {
             this.displayError(`${this.translations.unconfigured}`);
             return;

From ac485eccea759311428a9a41b2f5ac86f1a0f3c2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 11:00:10 +0200
Subject: [PATCH 1953/3088] dns/ddclient: style

---
 dns/ddclient/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 21c94f61a2..b16c15dc8d 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.22
-#PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 51211dc9edce57cd16bf30dc199c2b485d1eccb8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 11:01:34 +0200
Subject: [PATCH 1954/3088] dns/dnscrypt-proxy: bump to ship change

---
 dns/dnscrypt-proxy/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 8f93604abc..c7e6f14d8c 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.15
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 3fea467f858b18067472532cd6dff8a3d1a63e88 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 11:03:10 +0200
Subject: [PATCH 1955/3088] security/etpro-telemetry: style

---
 security/etpro-telemetry/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index e135a3f1dc..c89521644f 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.7
-#PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From 392ba2a0536435fba101bdf68f2ab6280a2aa9d9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 11:04:20 +0200
Subject: [PATCH 1956/3088] www/nginx: update version

---
 www/nginx/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 14950c49ee..0b76a782ff 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.32.2
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.33
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From ee826d32d3f2ba237df00ed0345c6cac46333983 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 11:11:44 +0200
Subject: [PATCH 1957/3088] net-mgmt/net-snmp: bump version

---
 net-mgmt/net-snmp/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 942edba72e..5983317cc7 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		net-snmp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Net-SNMP is a daemon for the SNMP protocol
 PLUGIN_DEPENDS=		net-snmp
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 7a680f60a9cd456f9f0de8bf7eef11a5d5d032a4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Jul 2024 11:12:21 +0200
Subject: [PATCH 1958/3088] net-mgmt/nrpe: bump revision

---
 net-mgmt/nrpe/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/nrpe/Makefile b/net-mgmt/nrpe/Makefile
index abb4f51bd2..42ba8e5c36 100644
--- a/net-mgmt/nrpe/Makefile
+++ b/net-mgmt/nrpe/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nrpe
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Execute nagios plugins
 PLUGIN_DEPENDS=		nrpe
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From d777a605920921249ec120c8679f0e50215a0266 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 10 Jul 2024 11:38:46 +0200
Subject: [PATCH 1959/3088] www/caddy: Cleanup model, php (PSR-12), python (PEP
 8) and jinja2 files (#4060)

* www/caddy: Remove unsused code in validation.

* www/caddy: Cleanup Caddyfile template for better readability with improved indentation.

* www/caddy: Cleanup rc.conf.d/caddy

* www/caddy: Cleanup model.

* www/caddy: Cleanup Caddyfile template some more.

* www/caddy: Roll back changes to Caddyfile structure, don't fix what ain't broken.

* www/caddy: Fix caddy_certs.php style warning. A file should declare new symbols (classes, functions, constants, etc.) and cause no other side effects, or it should execute logic with side effects, but should not do both.

* www/caddy: Ignore php style warnings for migration scripts, since the class names have to ignore PascalCase.

* www/caddy: Correct style of php files so that no lines exceed 120 characters.

* www/caddy: Refactor caddy_diagnostics.py and caddy_control.py for Python PEP 8. Fix: Shadows name 'action' from outer scope

* www/caddy: Changelog add code cleanup.

* www/caddy: Fix minor regression in refactored caddy_control.py script.

* www/caddy: Fix indentation of Caddyfile template for better code readability. The template gets edited and read a lot so this fix really helps with maintainability.

* www/caddy: Add changelog.

* www/caddy: Fix caddy_certs.php style issue by removing the declared function and execute logic with side effects directly.

* www/caddy: Re-add ValidationMessage to IntegerField because there are custom constraints that are not displayed by the default validation message.

* www/caddy: Add error handling to caddy_control.py when action is empty. Make use of service_action and cmd_action clearer.

* www/caddy: Remove unnecessary variable in caddy_diagnostics.py

* www/caddy: Add validation message since there is a no IP constraint. Add same constraint to subdomains.

* www/caddy: Re-add validation message to ToDomain field since multiple are allowed

* www/caddy: Re-add validation message to clientIps field since multiple are allowed
---
 www/caddy/pkg-descr                           |   6 +-
 .../Caddy/Api/DiagnosticsController.php       |   4 +-
 .../Caddy/Api/ReverseProxyController.php      |  30 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   |  51 ++-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  60 +---
 .../OPNsense/Caddy/Migrations/M1_1_3.php      |   2 +
 .../OPNsense/Caddy/Migrations/M1_1_8.php      |   2 +
 .../scripts/OPNsense/Caddy/caddy_certs.php    |  68 ++--
 .../scripts/OPNsense/Caddy/caddy_control.py   |  51 +--
 .../OPNsense/Caddy/caddy_diagnostics.py       |  19 +-
 .../templates/OPNsense/Caddy/Caddyfile        | 324 +++++++++---------
 .../templates/OPNsense/Caddy/rc.conf.d/caddy  |  11 +-
 12 files changed, 326 insertions(+), 302 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 94e47d2bd7..5306352762 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -28,7 +28,11 @@ Plugin Changelog
 1.6.0
 
 * Add: New Dashboard widgets for 24.7, showing domain status and certificate validity status.
-* Fix: Caddyfile template fixed for IPv6 addresses and custom port.
+* Cleanup: PHP files refactored for PSR-12, Python files refactored for PEP-8.
+* Cleanup: Templates Caddyfile and rc.conf.d/caddy refactored for maintainability.
+* Cleanup: Spurious keys removed from Caddy.xml model.
+* Cleanup: Unused code removed from Caddy.php.
+* Fix: Caddyfile template fixed when IPv6 addresses and ports are used in Upstream. IPv6 address wraps into brackets now.
 * Add: forward_auth directive with Authelia as Authz Provider.
 * Add: Default HTTP and HTTPS ports can be changed in general settings.
 * Add: Introduce HTTP version to handler. HTTP/1.1, HTTP/2 and HTTP/3 can be chosen.
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
index bda64cb5e2..edcb55389e 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
@@ -50,7 +50,7 @@ public function configAction()
         // Decode JSON to PHP array
         $responseArray = json_decode($response, true);
 
-        // Since errors are handled by the caddy_diagnostics script and returned as json, check for an error key in the response
+        // Errors are handled by the caddy_diagnostics script and returned, check for an error key in the response
         if (isset($responseArray['error'])) {
             return ["status" => "failed", "message" => $responseArray['message']];
         }
@@ -74,7 +74,6 @@ public function caddyfileAction()
         // Decode JSON to PHP array
         $responseArray = json_decode($response, true);
 
-        // Since errors are handled by the caddy_diagnostics script and returned as json, check for an error key in the response
         if (isset($responseArray['error'])) {
             return ["status" => "failed", "message" => $responseArray['message']];
         }
@@ -94,7 +93,6 @@ public function certificateAction()
         // Decode JSON to PHP array
         $responseArray = json_decode($response, true);
 
-        // Since errors are handled by the caddy_diagnostics script and returned as json, check for an error key in the response
         if (isset($responseArray['error'])) {
             return ["status" => "failed", "message" => $responseArray['message']];
         }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 5f32443d00..193aa298bf 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -26,7 +26,6 @@
  *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  *    POSSIBILITY OF SUCH DAMAGE.
- *
  */
 
 namespace OPNsense\Caddy\Api;
@@ -70,14 +69,15 @@ public function getAllReverseDomainsAction()
     }
 
     /**
-     * Centralized and generalized helper function for searching across different sections of the reverse proxy setup.
+     * Generalized helper function for searching across different sections of the reverse proxy setup.
      * This function mostly helps when model relation fields are used.
      * It filters entries based on UUIDs provided as an argument. The section or key used for the UUID
      * can be specified, allowing for direct or indirect UUID referencing.
      *
-     * @param string $modelPath The data model path identifier, pointing to the section of the model being searched.
-     * @param string $uuidSearchBase The request parameter name for the comma-separated list of UUIDs to filter the search results.
-     * @param string|null $uuidReferenceKey The specific attribute key used to fetch the UUID for filtering. If null, defaults to the item's own UUID.
+     * @param string $modelPath The data model path identifier, pointing to section of model being searched.
+     * @param string $uuidSearchBase The request parameter name for the comma-separated list of UUIDs.
+     * @param string|null $uuidReferenceKey Attribute key used to fetch the UUID for filtering.
+     *                                      If null, uses item's own UUID.
      * @return array Filtered search results.
      */
     private function searchActionHelper($modelPath, $uuidSearchBase, $uuidReferenceKey = null)
@@ -89,8 +89,12 @@ private function searchActionHelper($modelPath, $uuidSearchBase, $uuidReferenceK
 
         // Define a filter function to determine which items to include based on the UUID.
         $filterFunction = function ($modelItem) use ($uuidArray, $uuidReferenceKey) {
-            // Extract UUID from the item, using the specified UUID key if provided, otherwise default to direct UUID access.
-            $modelUUID = ($uuidReferenceKey !== null) ? (string)$modelItem->$uuidReferenceKey : (string)$modelItem->getAttributes()['uuid'];
+            // Extract UUID from the item, using the specified UUID key if provided, else default to direct UUID access.
+            if ($uuidReferenceKey !== null) {
+                $modelUUID = (string)$modelItem->$uuidReferenceKey;
+            } else {
+                $modelUUID = (string)$modelItem->getAttributes()['uuid'];
+            }
             // Include the item if the UUID array is empty or if the item's UUID is in the array.
             return empty($uuidArray) || in_array($modelUUID, $uuidArray, true);
         };
@@ -245,8 +249,10 @@ public function setBasicAuthAction($uuid)
     {
         if ($this->request->isPost()) {
             $postData = $this->request->getPost();
-
-            if (isset($postData['basicauth']['basicauthpass']) && !empty(trim($postData['basicauth']['basicauthpass']))) {
+            if (
+                isset($postData['basicauth']['basicauthpass'])
+                && !empty(trim($postData['basicauth']['basicauthpass']))
+            ) {
                 $plainPassword = $postData['basicauth']['basicauthpass'];
                 $hashedPassword = password_hash($plainPassword, PASSWORD_BCRYPT);
                 $_POST['basicauth']['basicauthpass'] = $hashedPassword;
@@ -260,8 +266,10 @@ public function addBasicAuthAction()
     {
         if ($this->request->isPost()) {
             $postData = $this->request->getPost();
-
-            if (isset($postData['basicauth']['basicauthpass']) && !empty(trim($postData['basicauth']['basicauthpass']))) {
+            if (
+                isset($postData['basicauth']['basicauthpass'])
+                && !empty(trim($postData['basicauth']['basicauthpass']))
+            ) {
                 $plainPassword = $postData['basicauth']['basicauthpass'];
                 $hashedPassword = password_hash($plainPassword, PASSWORD_BCRYPT);
                 $_POST['basicauth']['basicauthpass'] = $hashedPassword;
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 9f76fe20ee..42972f8d1d 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -59,9 +59,15 @@ private function checkForUniquePortCombos($items, $messages)
                 if (isset($combos[$comboKey])) {
                     // Use dynamic $key for message referencing
                     $messages->appendMessage(new Message(
-                        sprintf(gettext("Duplicate entry: The combination of '%s' and port '%s' is already used. Each combination of domain and port must be unique."), $fromDomain, $port),
-                        $key . ".FromDomain", // Adjusted to use dynamic key
-                        "DuplicateDomainPort"
+                        sprintf(
+                            gettext(
+                                'Duplicate entry: The combination of %s and port %s is already used. ' .
+                                'Each combination of domain and port must be unique.'
+                            ),
+                            $fromDomain,
+                            $port
+                        ),
+                        $key . ".FromDomain"
                     ));
                 } else {
                     $combos[$comboKey] = true;
@@ -98,9 +104,14 @@ private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
                 if (!$isValid) {
                     $key = $subdomain->__reference; // Dynamic key based on subdomain reference
                     $messages->appendMessage(new Message(
-                        sprintf(gettext("Invalid subdomain configuration: '%s' does not fall under any configured wildcard domain."), $subdomainName),
-                        $key . ".FromDomain", // Use dynamic key for message referencing
-                        "InvalidSubdomain"
+                        sprintf(
+                            gettext(
+                                'Invalid subdomain configuration: %s does not fall ' .
+                                'under any configured wildcard domain.'
+                            ),
+                            $subdomainName
+                        ),
+                        $key . ".FromDomain"
                     ));
                 }
             }
@@ -140,7 +151,18 @@ private function checkWebGuiSettings($messages)
         if (!empty($overlap) && $tlsAutoHttpsSetting !== 'off') {
             $portOverlap = implode(', ', $overlap);
             $messages->appendMessage(new Message(
-                sprintf(gettext('To use "Auto HTTPS", resolve these conflicting ports (%s) that are currently configured for the OPNsense WebGUI. Go to "System - Settings - Administration". To release port 80, enable "Disable web GUI redirect rule". To release port %s, change "TCP port" to a non-standard port, e.g., 8443.'), $portOverlap, $httpsPort),
+                sprintf(
+                    gettext(
+                        'To use "Auto HTTPS", resolve these conflicting ports %s ' .
+                        'that are currently configured for the OPNsense WebGUI. ' .
+                        'Go to "System - Settings - Administration". ' .
+                        'To release port 80, enable "Disable web GUI redirect rule". ' .
+                        'To release port %s, change "TCP port" to a non-standard port, ' .
+                        'e.g., 8443.'
+                    ),
+                    $portOverlap,
+                    $httpsPort
+                ),
                 "general.TlsAutoHttps"
             ));
         }
@@ -193,12 +215,23 @@ private function checkDisableTlsConflicts($messages)
     public function performValidation($validateFullModel = false)
     {
         $messages = parent::performValidation($validateFullModel);
+
         // 1. Check domain-port combinations
-        $this->checkForUniquePortCombos($this->reverseproxy->reverse->iterateItems(), $messages);
+        $this->checkForUniquePortCombos(
+            $this->reverseproxy->reverse->iterateItems(),
+            $messages
+        );
+
         // 2. Check that subdomains are under a wildcard or exact domain
-        $this->checkSubdomainsAgainstDomains($this->reverseproxy->subdomain->iterateItems(), $this->reverseproxy->reverse->iterateItems(), $messages);
+        $this->checkSubdomainsAgainstDomains(
+            $this->reverseproxy->subdomain->iterateItems(),
+            $this->reverseproxy->reverse->iterateItems(),
+            $messages
+        );
+
         // 3. Check WebGUI conflicts
         $this->checkWebGuiSettings($messages);
+
         // 4. Check for ACME Email requirement
         $this->checkAcmeEmailAutoHttps($messages);
         // 5. Check for TLS conflicts in Domain
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 2650cb2671..f70f548576 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -10,9 +10,7 @@
             </enabled>
             <HttpPort type="PortField"/>
             <HttpsPort type="PortField"/>
-            <TlsEmail type="EmailField">
-                <ValidationMessage>Please enter a valid email address.</ValidationMessage>
-            </TlsEmail>
+            <TlsEmail type="EmailField"/>
             <TlsAutoHttps type="OptionField">
                 <BlankDesc>On (default)</BlankDesc>
                 <OptionValues>
@@ -106,9 +104,7 @@
                     <FATAL>FATAL</FATAL>
                 </OptionValues>
             </LogLevel>
-            <DynDnsSimpleHttp type="UrlField">
-                <ValidationMessage>Please enter a valid URL, starting with http or https.</ValidationMessage>
-            </DynDnsSimpleHttp>
+            <DynDnsSimpleHttp type="UrlField"/>
             <DynDnsInterface type="InterfaceField"/>
             <DynDnsInterval type="IntegerField">
                 <MinimumValue>1</MinimumValue>
@@ -150,17 +146,11 @@
                 </enabled>
                 <FromDomain type="HostnameField">
                     <Required>Y</Required>
-                    <ValidationMessage>Please enter a valid 'from' domain.</ValidationMessage>
                     <IpAllowed>N</IpAllowed>
-                    <HostWildcardAllowed>Y</HostWildcardAllowed>
                     <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
-                    <ZoneRootAllowed>N</ZoneRootAllowed>
+                    <ValidationMessage>Please enter a valid domain name.</ValidationMessage>
                 </FromDomain>
-                <FromPort type="PortField">
-                    <ValidationMessage>Please enter a valid 'from' port number.</ValidationMessage>
-                    <EnableWellKnown>Y</EnableWellKnown>
-                    <EnableRanges>N</EnableRanges>
-                </FromPort>
+                <FromPort type="PortField"/>
                 <accesslist type="ModelRelationField">
                     <Model>
                         <reverseproxy>
@@ -189,10 +179,7 @@
                 <CustomCertificate type="CertificateField"/>
                 <AccessLog type="BooleanField"/>
                 <DynDns type="BooleanField"/>
-                <AcmePassthrough type="HostnameField">
-                    <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
-                    <IpAllowed>Y</IpAllowed>
-                </AcmePassthrough>
+                <AcmePassthrough type="HostnameField"/>
                 <DisableTls type="BooleanField"/>
             </reverse>
             <subdomain type="ArrayField">
@@ -213,8 +200,8 @@
                 </reverse>
                 <FromDomain type="HostnameField">
                     <Required>Y</Required>
-                    <ValidationMessage>Please enter a valid 'from' Subdomain that is based upon the wildcard domain.</ValidationMessage>
-                    <ZoneRootAllowed>N</ZoneRootAllowed>
+                    <IpAllowed>N</IpAllowed>
+                    <ValidationMessage>Please enter a valid domain name.</ValidationMessage>
                 </FromDomain>
                 <accesslist type="ModelRelationField">
                     <Model>
@@ -241,10 +228,7 @@
                     <Required>Y</Required>
                 </description>
                 <DynDns type="BooleanField"/>
-                <AcmePassthrough type="HostnameField">
-                    <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
-                    <IpAllowed>Y</IpAllowed>
-                </AcmePassthrough>
+                <AcmePassthrough type="HostnameField"/>
             </subdomain>
             <handle type="ArrayField">
                 <enabled type="BooleanField">
@@ -282,7 +266,7 @@
                 </HandleType>
                 <HandlePath type="TextField">
                     <Mask>/^(\/.*)?$/u</Mask>
-                    <ValidationMessage>Please enter a valid 'Handle Path' that starts with '/'.</ValidationMessage>
+                    <ValidationMessage>Please enter a valid Path that starts with '/'.</ValidationMessage>
                 </HandlePath>
                 <header type="ModelRelationField">
                     <Model>
@@ -297,19 +281,14 @@
                 </header>
                 <ToDomain type="HostnameField">
                     <Required>Y</Required>
-                    <ValidationMessage>Please enter a valid 'to' domain or IP address.</ValidationMessage>
-                    <IpAllowed>Y</IpAllowed>
                     <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
+                    <ValidationMessage>Please enter one or multiple valid IP addresses, hostnames or FQDNs.</ValidationMessage>
                 </ToDomain>
-                <ToPort type="PortField">
-                    <ValidationMessage>Please enter a valid 'to' port number.</ValidationMessage>
-                    <EnableWellKnown>Y</EnableWellKnown>
-                    <EnableRanges>N</EnableRanges>
-                </ToPort>
+                <ToPort type="PortField"/>
                 <ToPath type="TextField">
                     <Mask>/^(\/.*)?$/u</Mask>
-                    <ValidationMessage>Please enter a valid 'Backend Path' that starts with '/'.</ValidationMessage>
+                    <ValidationMessage>Please enter a valid Path that starts with '/'.</ValidationMessage>
                 </ToPath>
                 <PassiveHealthFailDuration type="IntegerField">
                     <MinimumValue>1</MinimumValue>
@@ -351,30 +330,21 @@
                 <HttpTlsTrustedCaCerts type="CertificateField">
                     <Type>ca</Type>
                 </HttpTlsTrustedCaCerts>
-                <HttpTlsServerName type="HostnameField">
-                    <ValidationMessage>Please enter a valid hostname or IP address.</ValidationMessage>
-                    <IpAllowed>Y</IpAllowed>
-                    <HostWildcardAllowed>Y</HostWildcardAllowed>
-                    <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
-                    <ZoneRootAllowed>N</ZoneRootAllowed>
-                </HttpTlsServerName>
+                <HttpTlsServerName type="HostnameField"/>
                 <description type="DescriptionField">
                     <Required>Y</Required>
                 </description>
             </handle>
             <accesslist type="ArrayField">
-                <accesslistName type="TextField">
+                <accesslistName type="DescriptionField">
                     <Required>Y</Required>
-                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_*-\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-                <ValidationMessage>Please provide a valid Access List Name.</ValidationMessage>
                 </accesslistName>
                 <clientIps type="NetworkField">
                     <Required>Y</Required>
-                    <NetMaskAllowed>Y</NetMaskAllowed>
                     <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                     <Strict>Y</Strict>
-                    <ValidationMessage>Please enter valid IP address(es) or network(s), separated by commas.</ValidationMessage>
+                    <ValidationMessage>Please enter one or multiple valid IP addresses or networks.</ValidationMessage>
                 </clientIps>
                 <accesslistInvert type="BooleanField"/>
                 <HttpResponseCode type="IntegerField">
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
index c103f8d48b..649408dbcf 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
@@ -31,7 +31,9 @@
 use OPNsense\Base\BaseModelMigration;
 use OPNsense\Core\Config;
 
+// @codingStandardsIgnoreStart
 class M1_1_3 extends BaseModelMigration
+// @codingStandardsIgnoreEnd
 {
     public function run($model)
     {
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php
index 0687d49abc..c506375a1e 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php
@@ -31,7 +31,9 @@
 use OPNsense\Base\BaseModelMigration;
 use OPNsense\Core\Config;
 
+// @codingStandardsIgnoreStart
 class M1_1_8 extends BaseModelMigration
+// @codingStandardsIgnoreEnd
 {
     public function run($model)
     {
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index 0f6078b466..f65ef168cf 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -2,8 +2,7 @@
 <?php
 
 /*
- *    Copyright (C) 2023-2024 Cedrik Pischem
- *    Copyright (C) 2015 Deciso B.V.
+ *    Copyright (C) 2024 Cedrik Pischem
  *    All rights reserved.
  *
  *    Redistribution and use in source and binary forms, with or without
@@ -28,55 +27,50 @@
  *    POSSIBILITY OF SUCH DAMAGE.
  */
 
-require_once("config.inc");
+require_once "config.inc";
 
 use OPNsense\Core\Config;
 
 $configObj = Config::getInstance()->object();
 $temp_dir = '/var/db/caddy/data/caddy/certificates/temp/';
 
-function extract_and_save_certificates($configObj, $temp_dir)
-{
-    // Traverse through certificates
-    foreach ($configObj->cert as $cert) {
-        $cert_refid = (string)$cert->refid;
-        $cert_content = base64_decode((string)$cert->crt);
-        $key_content = base64_decode((string)$cert->prv);
-        $cert_chain = $cert_content;
+// Traverse through certificates
+foreach ($configObj->cert as $cert) {
+    $cert_refid = (string) $cert->refid;
+    $cert_content = base64_decode((string) $cert->crt);
+    $key_content = base64_decode((string) $cert->prv);
+    $cert_chain = $cert_content;
 
-        // Handle CA and possible intermediate CA to create a certificate bundle
-        if (!empty($cert->caref)) {
-            foreach ($configObj->ca as $ca) {
-                if ((string)$cert->caref == (string)$ca->refid) {
-                    $ca_content = base64_decode((string)$ca->crt);
-                    $cert_chain .= "\n" . $ca_content;
+    // Handle CA and possible intermediate CA to create a certificate bundle
+    if (!empty($cert->caref)) {
+        foreach ($configObj->ca as $ca) {
+            if ((string) $cert->caref === (string) $ca->refid) {
+                $ca_content = base64_decode((string) $ca->crt);
+                $cert_chain .= "\n" . $ca_content;
 
-                    if (!empty($ca->caref)) {
-                        foreach ($configObj->ca as $parent_ca) {
-                            if ((string)$ca->caref == (string)$parent_ca->refid) {
-                                $parent_ca_content = base64_decode((string)$parent_ca->crt);
-                                $cert_chain .= "\n" . $parent_ca_content;
-                                break;
-                            }
+                if (!empty($ca->caref)) {
+                    foreach ($configObj->ca as $parent_ca) {
+                        if ((string) $ca->caref === (string) $parent_ca->refid) {
+                            $parent_ca_content = base64_decode((string) $parent_ca->crt);
+                            $cert_chain .= "\n" . $parent_ca_content;
+                            break;
                         }
                     }
                 }
             }
         }
-
-        // Save the certificate chain and private key
-        file_put_contents($temp_dir . $cert_refid . '.pem', $cert_chain);
-        file_put_contents($temp_dir . $cert_refid . '.key', $key_content);
     }
 
-    // Traverse through CA certificates and save them
-    foreach ($configObj->ca as $ca) {
-        $ca_refid = (string)$ca->refid;
-        $ca_content = base64_decode((string)$ca->crt);
-
-        // Save the CA certificate
-        file_put_contents($temp_dir . $ca_refid . '.pem', $ca_content);
-    }
+    // Save the certificate chain and private key
+    file_put_contents($temp_dir . $cert_refid . '.pem', $cert_chain);
+    file_put_contents($temp_dir . $cert_refid . '.key', $key_content);
 }
 
-extract_and_save_certificates($configObj, $temp_dir);
+// Traverse through CA certificates and save them
+foreach ($configObj->ca as $ca) {
+    $ca_refid = (string) $ca->refid;
+    $ca_content = base64_decode((string) $ca->crt);
+
+    // Save the CA certificate
+    file_put_contents($temp_dir . $ca_refid . '.pem', $ca_content);
+}
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
index 79e9a8226f..add576358d 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
@@ -30,19 +30,23 @@
 import json
 import sys
 
-def run_service_command(action, action_message):
+
+def run_service_command(service_action, action_message):
     result = {"message": action_message}
 
-    if action == "validate":
+    if service_action == "validate":
         try:
             # Validate the Caddyfile with explicit --config flag, capturing both stdout and stderr
-            validation_output = subprocess.check_output(["caddy", "validate", "--config", "/usr/local/etc/caddy/Caddyfile"], stderr=subprocess.STDOUT, text=True)
+            validation_output = subprocess.check_output(
+                ["caddy", "validate", "--config", "/usr/local/etc/caddy/Caddyfile"], stderr=subprocess.STDOUT,
+                text=True)
             if "Valid configuration" in validation_output:
                 result["status"] = "ok"
                 result["message"] = "Caddy configuration is valid."
             else:
                 # Search for the specific error message
-                error_msg = next((line for line in validation_output.split('\n') if line.startswith("Error:")), "Caddy configuration is not valid.")
+                error_msg = next((line for line in validation_output.split('\n') if line.startswith("Error:")),
+                                 "Caddy configuration is not valid.")
                 result["status"] = "failed"
                 result["message"] = error_msg
         except subprocess.CalledProcessError as e:
@@ -52,7 +56,7 @@ def run_service_command(action, action_message):
             result["message"] = error_msg
     else:
         try:
-            subprocess.run(["service", "caddy", action], check=True)
+            subprocess.run(["service", "caddy", service_action], check=True)
             result["status"] = "ok"
         except subprocess.CalledProcessError as e:
             result["status"] = "failed"
@@ -60,29 +64,36 @@ def run_service_command(action, action_message):
 
     return json.dumps(result)
 
-# Updated actions dictionary
+
+# "cmd_action": "service_action"
 actions = {
     "start": "start",
     "stop": "stop",
     "restart": "restart",
-    "reload": "reloadssl", # Forces the reload even if the config in the Caddyfile is unchanged, using an extra command of the rc.d script, forcing certificates in the filesystem to reload.
+    "reload": "reloadssl",
+    # Reloadssl reloads even if the config in the Caddyfile is unchanged, using an extra command of the rc.d script,
+    # forcing certificates in the filesystem to be reloaded.
     "validate": "validate"  # Validate action
 }
 
 if __name__ == "__main__":
-    action = sys.argv[1]  # Get the action from the command-line argument
-    if action in actions:
-        service_action = actions[action]
-        message = f"{action.capitalize()}ing Caddy service" if action != "validate" else "Validating Caddy configuration"
+    if len(sys.argv) > 1:
+        action = sys.argv[1]  # Get the action from the command-line argument
+        if action in actions:
+            cmd_action = action
+            service_action = actions[action]
+            message = f"{cmd_action.capitalize()} Caddy service"
 
-        # Call setup script for 'validate' and 'reloadssl' actions
-        # This is needed because the setup script triggers the caddy_certs.php script, which exports all certificates into the filesystem.
-        # Caddy reloads certificates when reloadssl is used. Because it is a non standard command, the caddy_setup script will not be triggered in /etc/rc.conf.d/caddy.
-        # The validate command needs it to make sure all certificates are in the filesystem, because otherwise the validation fails.
-        if service_action in ["validate", "reloadssl"]:
-            subprocess.run(["/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"], check=True)
+            # Call setup script for 'validate' and 'reloadssl' actions. This is needed because the setup script triggers
+            # the caddy_certs.php script, which exports all certificates into the filesystem. Caddy reloads certificates
+            # when reloadssl is used. Because it is a non standard command, the caddy_setup script will not be triggered
+            # in /etc/rc.conf.d/caddy. The validate command needs it to make sure all certificates are in the filesystem,
+            # because otherwise the validation fails.
+            if service_action in ["validate", "reloadssl"]:
+                subprocess.run(["/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"], check=True)
 
-        # Continue with the service action
-        print(run_service_command(service_action, message))
+            print(run_service_command(service_action, message))
+        else:
+            print(json.dumps({"status": "failed", "message": f"Unknown action: {action}"}))
     else:
-        print(json.dumps({"status": "failed", "message": f"Unknown action: {action}"}))
+        print(json.dumps({"status": "failed", "message": "No action provided"}))
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
index f42fd60658..ab55778a60 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
@@ -33,6 +33,7 @@
 import asyncio
 from datetime import datetime
 
+
 # Function to show the Caddy configuration from a JSON file
 def show_caddy_config():
     config_path = "/var/db/caddy/config/caddy/autosave.json"
@@ -48,10 +49,12 @@ def show_caddy_config():
     except FileNotFoundError:
         print(json.dumps({"error": "File not found", "message": "Caddy autosave.json configuration file not found"}))
     except json.JSONDecodeError:
-        print(json.dumps({"error": "Invalid JSON", "message": "Error decoding the Caddy autosave.json, the file is not valid JSON"}))
+        print(json.dumps(
+            {"error": "Invalid JSON", "message": "Error decoding the Caddy autosave.json, the file is not valid JSON"}))
     except Exception as e:
         print(json.dumps({"error": "General Error", "message": str(e)}))
 
+
 def show_caddyfile():
     caddyfile_path = "/usr/local/etc/caddy/Caddyfile"
 
@@ -65,6 +68,7 @@ def show_caddyfile():
     except Exception as e:
         print(json.dumps({"error": "General Error", "message": str(e)}))
 
+
 # Function to extract certificate information using openssl command
 async def extract_certificate_info(cert_path):
     try:
@@ -105,6 +109,7 @@ async def extract_certificate_info(cert_path):
     except Exception as e:
         raise RuntimeError(f"Error extracting certificate info for {cert_path}: {str(e)}")
 
+
 # Function to find certificates and create tasks to extract info
 async def find_certificates(base_dir):
     tasks = []
@@ -123,6 +128,7 @@ async def find_certificates(base_dir):
     results = await asyncio.gather(*tasks, return_exceptions=True)
     return [result for result in results if not isinstance(result, Exception)]
 
+
 # Function to show certificates, processing all found in the given directory
 async def show_certificates():
     # Function to show certificates, processing all found in the given directory
@@ -136,25 +142,26 @@ async def show_certificates():
     except Exception as e:
         print(json.dumps({"error": "General Error", "message": str(e)}))
 
+
 # Action handler
-def perform_action(action):
+def perform_action(cmd_action):
     actions = {
         "config": show_caddy_config,
         "caddyfile": show_caddyfile,
         "certificate": lambda: asyncio.run(show_certificates())
     }
 
-    action_func = actions.get(action)
+    action_func = actions.get(cmd_action)
     if action_func:
         action_func()
     else:
         # Output error details in JSON format if action is unknown
-        print(json.dumps({"error": "Unknown Action", "message": f"Unknown action: {action}"}))
+        print(json.dumps({"error": "Unknown Action", "message": f"Unknown action: {cmd_action}"}))
+
 
 if __name__ == "__main__":
     if len(sys.argv) > 1:
-        action = sys.argv[1]
-        perform_action(action)
+        perform_action(sys.argv[1])
     else:
         # Output error details in JSON format if no action is specified
         print(json.dumps({"error": "No Action Specified", "message": "No action specified"}))
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index eb4ce0ad82..c06342fc98 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -37,11 +37,11 @@
     #}
     log {
         {% if generalSettings.LogAccessPlain|default("0") == "0" %}
-        {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
-        {% if reverse.enabled|default("0") == "1" and reverse.AccessLog|default("0") == "1" %}
-        include http.log.access.{{ reverse['@uuid'] }}
-        {% endif %}
-        {% endfor %}
+            {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
+                {% if reverse.enabled|default("0") == "1" and reverse.AccessLog|default("0") == "1" %}
+                    include http.log.access.{{ reverse['@uuid'] }}
+                {% endif %}
+            {% endfor %}
         {% endif %}
         output net unixgram//var/caddy/var/run/log {
         }
@@ -49,7 +49,7 @@
             time_format rfc3339
         }
         {% if generalSettings.LogLevel %}
-        level {{ generalSettings.LogLevel }}
+            level {{ generalSettings.LogLevel }}
         {% endif %}
     }
 
@@ -89,10 +89,10 @@
     {% if hasAccessList or hasLogCredentials %}
     servers {
         {% if hasAccessList %}
-        trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
+            trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
         {% endif %}
         {% if hasLogCredentials %}
-        log_credentials
+            log_credentials
         {% endif %}
     }
     {% endif %}
@@ -175,11 +175,11 @@
             {% endif %}
             domains {
                 {% for domain in dynDnsDomains %}
-                {{ domain }}
+                    {{ domain }}
                 {% endfor %}
             }
         {% if dynDnsSimpleHttp %}
-        ip_source simple_http {{ dynDnsSimpleHttp }}
+            ip_source simple_http {{ dynDnsSimpleHttp }}
         {% endif %}
         {% if dynDnsInterface %}
             {% set physicalInterfaceNames = [] %}
@@ -189,16 +189,16 @@
             ip_source interface {{ physicalInterfaceNames | join(',') }}
         {% endif %}
         {% if dynDnsCheckInterval %}
-        check_interval {{ dynDnsCheckInterval }}s
+            check_interval {{ dynDnsCheckInterval }}s
         {% endif %}
         {% if dynDnsIpVersions %}
-        versions {{ dynDnsIpVersions }}
+            versions {{ dynDnsIpVersions }}
         {% endif %}
         {% if dynDnsTtl %}
-        ttl {{ dynDnsTtl }}s
+            ttl {{ dynDnsTtl }}s
         {% endif %}
         {% if dynDnsUpdateOnly|default("0") == "1" %}
-        update_only
+            update_only
         {% endif %}
     }
     {% endif %}
@@ -211,11 +211,11 @@
     #}
     {% set emailValue = helpers.toList('Pischem.caddy.general.TlsEmail') | first %}
     {% if emailValue %}
-    email {{ emailValue }}
+        email {{ emailValue }}
     {% endif %}
     {% set autoHttpsValue = helpers.toList('Pischem.caddy.general.TlsAutoHttps') | first %}
     {% if autoHttpsValue %}
-    auto_https {{ autoHttpsValue }}
+        auto_https {{ autoHttpsValue }}
     {% endif %}
     {#
     # Important: Grace Period influences how fast the server can finish reloads with open connections, by forcing termination.
@@ -299,8 +299,8 @@
 #            It uses a 'handle' object that specifies which headers to manipulate based on their @UUIDs.
 #            Each handle can have multiple of these HTTP headers assigned.
 #   Parameters:
-#   @param handle (@object):
-#       - @uuid (@string)
+#   @param handle (object):
+#       - @uuid (string)
 #       - HeaderUpDown (string): Determines the direction of the header.
 #       - HeaderType (string): Specifies the name of the header.
 #       - HeaderValue (string, optional): The new value to set for the header, if any.
@@ -341,15 +341,15 @@
 #   Purpose: Sets up the handle with the reverse proxy configurations. The TLS Settings are generated here for the Upstream.
 #   Integrated Macros: header_manipulation
 #   Parameters:
-#   @param handle (@object):
-#       - @uuid (@string)
+#   @param handle (object):
+#       - @uuid (string)
 #       - HandleType (string): Specifies the handling strategy.
 #       - HandlePath (string, optional): The path the handle should match on.
 #       - ToDomain (string): Target domain for the reverse proxy.
 #       - ToPort (string, optional): Target port on the ToDomain.
 #       - ToPath (string, optional): Destination path on the ToDomain.
 #       - HttpTls (boolean, optional): Enable TLS for the connection.
-#       - HttpNtlm (boolean, optional): Enable NTLM authentication for the connection.
+#       - HttpNtlm (boolean, optional): Enable NTLM authentication for the connection. Not all HTTP options apply to NTLM.
 #       - HttpTlsInsecureSkipVerify (boolean, optional): If true, the server's SSL certificate is not verified.
 #       - HttpTlsTrustedCaCerts (string, optional): The config extracted name of a CA certificate.
 #       - HttpTlsServerName (string, optional): Specifies the server name for the TLS handshake.
@@ -363,7 +363,7 @@
             {% include "OPNsense/Caddy/includeAuthProvider" %}
         {% endif %}
         {% if handle.ToPath|default("") != "" %}
-        rewrite * {{ handle.ToPath }}{uri}
+            rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
         reverse_proxy {% for domain in handle.ToDomain.split(',') %}
             {# Check if the domain is IPv6 and wrap in square brackets if necessary #}
@@ -373,22 +373,22 @@
         {% endfor %} {
             {{ header_manipulation(handle) }}
             {% if handle.PassiveHealthFailDuration|default("") %}
-            fail_duration {{ handle.PassiveHealthFailDuration }}s
+                fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}
             {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName or handle.HttpVersion or handle.HttpKeepalive %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {
                     {% if handle.HttpTls|default("0") == "1" %}
-                    tls
+                        tls
                     {% endif %}
                     {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
-                    tls_insecure_skip_verify
+                        tls_insecure_skip_verify
                     {% endif %}
                     {% if handle.HttpTlsTrustedCaCerts %}
-                    tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                        tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
                     {% endif %}
                     {% if handle.HttpTlsServerName %}
-                    tls_server_name {{ handle.HttpTlsServerName }}
+                        tls_server_name {{ handle.HttpTlsServerName }}
                     {% endif %}
                 }
                 {% else %}
@@ -406,16 +406,16 @@
                         {% endif %}
                     {% endif %}
                     {% if handle.HttpTls|default("0") == "1" %}
-                    tls
+                        tls
                     {% endif %}
                     {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
-                    tls_insecure_skip_verify
+                        tls_insecure_skip_verify
                     {% endif %}
                     {% if handle.HttpTlsTrustedCaCerts %}
-                    tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                        tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
                     {% endif %}
                     {% if handle.HttpTlsServerName %}
-                    tls_server_name {{ handle.HttpTlsServerName }}
+                        tls_server_name {{ handle.HttpTlsServerName }}
                     {% endif %}
                 }
                 {% endif %}
@@ -431,10 +431,10 @@
 #            only get to the reverse proxy, when the access list matches. Invert is also possible, to explicitely deny IPs.
 #            The assembly is handled by the "Section: Reverse Proxy Configurations".
 #   Parameters:
-#   @param accesslist (@object):
-#       - @uuid (@string)
-#       - clientIps (@string): A comma-separated list of client IP addresses
-#       - invert (@boolean): A flag that inverts the logic of the access list
+#   @param accesslist (object):
+#       - uuid (string)
+#       - clientIps (string): A comma-separated list of client IP addresses
+#       - invert (boolean): A flag that inverts the logic of the access list
 #}
 {% macro access_list_configuration(accesslist, invert) %}
     {% set client_ips = accesslist.clientIps.split(',') %}
@@ -448,11 +448,11 @@
 #   Macro: basicauth_configuration
 #   Purpose: Implements basic authentication with a username and password for access.
 #   Parameters:
-#   @param basicauth_uuids (@string): A comma-separated list of UUIDs, each UUID corresponding to
+#   @param basicauth_uuids (string): A comma-separated list of UUIDs, each UUID corresponding to
 #                                     a specific user credentials (username and password).
-#       - @uuid (@string)
-#       - basicauthuser (@string): The username required for authentication.
-#       - basicauthpass (@string): The password associated with the username.
+#       - @uuid (string)
+#       - basicauthuser (string): The username required for authentication.
+#       - basicauthpass (string): The password associated with the username.
 #}
 {% macro basicauth_configuration(basicauth_uuids) %}
     {% if basicauth_uuids %}
@@ -482,139 +482,139 @@
 #   - Order of Wildcard Domains and Subdomains: Handles for wildcard domains come after all subdomains.
 #}
 {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
-{% if reverse.enabled|default("0") == "1" %}
-# Reverse Proxy Domain: "{{ reverse['@uuid'] }}"
-{# The default are encrypted connections, uncencrypted connections have to render http:// #}
-{% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ reverse.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
-    {% if reverse.AccessLog|default("0") == "1" %}
-    {% if generalSettings.LogAccessPlain|default("0") == "0" %}
-    log {{ reverse['@uuid'] }}
-    {% else %}
-    log {
-        output file /var/log/caddy/access/{{ reverse['@uuid'] }}.log {
-            roll_keep_for {{ generalSettings.LogAccessPlainKeep|default("10") }}d
-        }
-    }
-    {% endif %}
-    {% endif %}
-    {% set customCert = reverse.CustomCertificate|default("") %}
-    {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
-    {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) }}
-
-    {% if not reverse.accesslist %}
-        {% set basicauth_uuids = reverse.basicauth %}
-        {{ basicauth_configuration(basicauth_uuids) }}
-    {% endif %}
+    {% if reverse.enabled|default("0") == "1" %}
+        # Reverse Proxy Domain: "{{ reverse['@uuid'] }}"
+        {# The default are encrypted connections, uncencrypted connections have to render http:// #}
+        {% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ reverse.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
+            {% if reverse.AccessLog|default("0") == "1" %}
+                {% if generalSettings.LogAccessPlain|default("0") == "0" %}
+                    log {{ reverse['@uuid'] }}
+                {% else %}
+                    log {
+                        output file /var/log/caddy/access/{{ reverse['@uuid'] }}.log {
+                            roll_keep_for {{ generalSettings.LogAccessPlainKeep|default("10") }}d
+                        }
+                    }
+                {% endif %}
+            {% endif %}
+            {% set customCert = reverse.CustomCertificate|default("") %}
+            {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
+            {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) }}
 
-    {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
-    {% if subdomain.enabled|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
-    @{{ subdomain['@uuid'] }} {
-        host {{ subdomain.FromDomain }}
-    }
-    handle @{{ subdomain['@uuid'] }} {
+            {% if not reverse.accesslist %}
+                {% set basicauth_uuids = reverse.basicauth %}
+                {{ basicauth_configuration(basicauth_uuids) }}
+            {% endif %}
 
-        {% if not subdomain.accesslist %}
-            {% set subdomain_basicauth_uuids = subdomain.basicauth %}
-            {{ basicauth_configuration(subdomain_basicauth_uuids) }}
-        {% endif %}
+            {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
+                {% if subdomain.enabled|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
+                    @{{ subdomain['@uuid'] }} {
+                        host {{ subdomain.FromDomain }}
+                    }
+                    handle @{{ subdomain['@uuid'] }} {
 
-        {% if subdomain.accesslist %}
-        {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', subdomain.accesslist) | first %}
-        {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
-        handle @{{ accesslist['@uuid'] }} {
+                        {% if not subdomain.accesslist %}
+                            {% set subdomain_basicauth_uuids = subdomain.basicauth %}
+                            {{ basicauth_configuration(subdomain_basicauth_uuids) }}
+                        {% endif %}
 
-            {% set subdomain_basicauth_uuids = subdomain.basicauth %}
-            {{ basicauth_configuration(subdomain_basicauth_uuids) }}
+                        {% if subdomain.accesslist %}
+                            {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', subdomain.accesslist) | first %}
+                            {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
+                            handle @{{ accesslist['@uuid'] }} {
+
+                                {% set subdomain_basicauth_uuids = subdomain.basicauth %}
+                                {{ basicauth_configuration(subdomain_basicauth_uuids) }}
+
+                                {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
+                                {% for handle in subdomain_handles %}
+                                    {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+                                        {{ reverse_proxy_configuration(handle) }}
+                                    {% endif %}
+                                {% endfor %}
+                            {% for handle in subdomain_handles %}
+                                {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+                                    {{ reverse_proxy_configuration(handle) }}
+                                {% endif %}
+                            {% endfor %}
+                            }
+                        {% else %}
+                            {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
+                            {% for handle in subdomain_handles %}
+                                {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+                                    {{ reverse_proxy_configuration(handle) }}
+                                {% endif %}
+                            {% endfor %}
+                            {% for handle in subdomain_handles %}
+                                {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+                                    {{ reverse_proxy_configuration(handle) }}
+                                {% endif %}
+                            {% endfor %}
+                        {% endif %}
 
-            {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
-            {% for handle in subdomain_handles %}
-            {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
-                {{ reverse_proxy_configuration(handle) }}
-            {% endif %}
-            {% endfor %}
-            {% for handle in subdomain_handles %}
-            {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
-                {{ reverse_proxy_configuration(handle) }}
-            {% endif %}
+                        {% if subdomain.accesslist %}
+                            {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
+                                respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
+                            {% elif Pischem.caddy.general.abort|default("0") == "1" %}
+                                abort
+                            {% endif %}
+                        {% else %}
+                            {% if Pischem.caddy.general.abort|default("0") == "1" %}
+                                abort
+                            {% endif %}
+                        {% endif %}
+                    }
+                {% endif %}
             {% endfor %}
-        }
-        {% else %}
-        {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
-        {% for handle in subdomain_handles %}
-        {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
-            {{ reverse_proxy_configuration(handle) }}
-        {% endif %}
-        {% endfor %}
-        {% for handle in subdomain_handles %}
-        {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
-            {{ reverse_proxy_configuration(handle) }}
-        {% endif %}
-        {% endfor %}
-        {% endif %}
 
-        {% if subdomain.accesslist %}
-            {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
-            respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
-            {% elif Pischem.caddy.general.abort|default("0") == "1" %}
-            abort
-            {% endif %}
-        {% else %}
-            {% if Pischem.caddy.general.abort|default("0") == "1" %}
-            abort
+            {% if reverse.accesslist %}
+                {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
+                {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
+                handle @{{ accesslist['@uuid'] }} {
+
+                    {% set basicauth_uuids = reverse.basicauth %}
+                    {{ basicauth_configuration(basicauth_uuids) }}
+
+                    {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
+                        {% for handle in wildcard_handles %}
+                            {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+                                {{ reverse_proxy_configuration(handle) }}
+                            {% endif %}
+                        {% endfor %}
+                    {% for handle in wildcard_handles %}
+                        {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+                            {{ reverse_proxy_configuration(handle) }}
+                        {% endif %}
+                    {% endfor %}
+                }
+            {% else %}
+                {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
+                {% for handle in wildcard_handles %}
+                    {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+                        {{ reverse_proxy_configuration(handle) }}
+                    {% endif %}
+                {% endfor %}
+                {% for handle in wildcard_handles %}
+                    {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+                        {{ reverse_proxy_configuration(handle) }}
+                    {% endif %}
+                {% endfor %}
             {% endif %}
-        {% endif %}
-    }
-    {% endif %}
-    {% endfor %}
-
-    {% if reverse.accesslist %}
-    {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
-    {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
-    handle @{{ accesslist['@uuid'] }} {
 
-        {% set basicauth_uuids = reverse.basicauth %}
-        {{ basicauth_configuration(basicauth_uuids) }}
-
-        {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
-        {% for handle in wildcard_handles %}
-        {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
-            {{ reverse_proxy_configuration(handle) }}
-        {% endif %}
-        {% endfor %}
-        {% for handle in wildcard_handles %}
-        {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
-            {{ reverse_proxy_configuration(handle) }}
-        {% endif %}
-        {% endfor %}
-    }
-    {% else %}
-    {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
-    {% for handle in wildcard_handles %}
-    {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
-        {{ reverse_proxy_configuration(handle) }}
-    {% endif %}
-    {% endfor %}
-    {% for handle in wildcard_handles %}
-    {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
-        {{ reverse_proxy_configuration(handle) }}
-    {% endif %}
-    {% endfor %}
-    {% endif %}
-
-    {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
-    {% if accesslist %}
-        {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
-        respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
-        {% elif Pischem.caddy.general.abort|default("0") == "1" %}
-        abort
-        {% endif %}
-    {% else %}
-        {% if Pischem.caddy.general.abort|default("0") == "1" %}
-        abort
-        {% endif %}
+            {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
+            {% if accesslist %}
+                {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
+                    respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
+                {% elif Pischem.caddy.general.abort|default("0") == "1" %}
+                    abort
+                {% endif %}
+            {% else %}
+                {% if Pischem.caddy.general.abort|default("0") == "1" %}
+                    abort
+                {% endif %}
+            {% endif %}
+        }
     {% endif %}
-}
-{% endif %}
 {% endfor %}
 
 import /usr/local/etc/caddy/caddy.d/*.conf
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
index 503f7da6f0..d8ab2eda2c 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
@@ -1,13 +1,8 @@
 # DO NOT EDIT THIS FILE -- OPNsense auto-generated file
-{% if helpers.exists('Pischem.caddy.general.enabled') %}
-    {%- set general_enabled = helpers.toList('Pischem.caddy.general.enabled') | first %}
-    {%- if general_enabled == '1' %}
+{% set generalSettings = helpers.getNodeByTag('Pischem.caddy.general') %}
+{% if generalSettings.enabled|default("0") == "1" %}
 caddy_enable="YES"
-# Path to the Caddy setup script
 caddy_setup="/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"
-    {%- else %}
-caddy_enable="NO"
-    {%- endif %}
-{%- else %}
+{% else %}
 caddy_enable="NO"
 {% endif %}

From e6dfbfd751ace7a42bf03ec04ba3665af14b70f5 Mon Sep 17 00:00:00 2001
From: Jordan Stacy <53239541+jordanstacy@users.noreply.github.com>
Date: Wed, 10 Jul 2024 22:03:02 -0700
Subject: [PATCH 1960/3088] dns/bind: fix handling of multiple ACLs in
 allow-recursion (#4085)

Same fix as #4048 but for allow-recursion
---
 .../src/opnsense/service/templates/OPNsense/Bind/named.conf     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 8c02915ed9..d479cfa163 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -49,7 +49,7 @@ options {
 {% if helpers.exists('OPNsense.bind.general.recursion') and OPNsense.bind.general.recursion != '' %}
         recursion          yes;
         allow-recursion {
-{%              for acl in helpers.toList('OPNsense.bind.general.recursion') %}
+{%              for acl in OPNsense.bind.general.recursion.split(',') %}
 {%              set recursion_acl = helpers.getUUID(acl) %}
                 {{ recursion_acl.name }};
 {%              endfor %}

From a5b075f5ebf58b47a4a861128fe007a7d50e6883 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 11 Jul 2024 07:05:14 +0200
Subject: [PATCH 1961/3088] dns/bind: document previous

---
 dns/bind/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index e764e3b888..fde7fab7c0 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -12,7 +12,7 @@ Plugin Changelog
 1.32
 
 * Fix handling of multiple ACLs in allow-query/allow-transfer (contributed by Nathan Rennie-Waldock)
-* Fix multiple select on Recursion field (contributed by Jordan Stacy)
+* Fix multiple select on Recursion field and resulting multiple ACLs (contributed by Jordan Stacy)
 
 1.31
 

From 4895e3bb833a60035ad1852f959208c4d7e05d95 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 13 Jul 2024 19:32:20 +0200
Subject: [PATCH 1962/3088] www/caddy: Fix CaddyCertificate.js not loading
 (#4091)

There were two ajaxGet, and I forgot to rename one into ajaxCall.
---
 www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
index 051fc2bc19..8ad40f3df1 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -59,7 +59,7 @@ export default class CaddyCertificate extends BaseTableWidget {
         }
 
         // Fetch the certificate details
-        const response = await this.ajaxGet('/api/caddy/diagnostics/certificate');
+        const response = await this.ajaxCall('/api/caddy/diagnostics/certificate');
         if (response.status !== "success") {
             this.displayError(`${this.translations.nocerts}`);
             return;

From d226cfcc11070a62bf344a429eb70bb67e981533 Mon Sep 17 00:00:00 2001
From: txr13 <txr13@users.noreply.github.com>
Date: Sun, 14 Jul 2024 13:32:23 -0700
Subject: [PATCH 1963/3088] security/acme-client: fix EasyDNS variable
 assignment (#4068)

* fix EasyDNS variable assignment

Changes an undeclared constant to a quoted string. Also fixes some (very minor) capitalization.
---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml           | 2 +-
 .../library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php  | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 6ec14b57b4..cffde71fd3 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1471,7 +1471,7 @@
     </field>
     <field>
         <id>validation.dns_easydns_apikey</id>
-        <label>Api Key</label>
+        <label>API Key</label>
         <type>password</type>
     </field>
     <field>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php
index 59d4a759ad..47f8420ee3 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsEasydns.php
@@ -2,6 +2,7 @@
 
 /*
  * Copyright (C) 2023 mleinart
+ * Copyright (C) 2024 txr13
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -39,7 +40,7 @@ class DnsEasydns extends Base implements LeValidationInterface
 {
     public function prepare()
     {
-        $this->acme_env[EASYDNS_Key] = (string)$this->config->dns_easydns_apikey;
-        $this->acme_env[EASYDNS_Token] = (string)$this->config->dns_easydns_apitoken;
+        $this->acme_env['EASYDNS_Key'] = (string)$this->config->dns_easydns_apikey;
+        $this->acme_env['EASYDNS_Token'] = (string)$this->config->dns_easydns_apitoken;
     }
 }

From e3cebacad73374d7fa1603f190d6b0472aefdf40 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 14 Jul 2024 22:56:25 +0200
Subject: [PATCH 1964/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 8d3f7bf9f7..d4b6e46e62 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.3
+PLUGIN_VERSION=		4.4
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 079dd73b07..fc19354bf1 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.4
+
+Fixed:
+* fix EasyDNS variable assignment (#4068)
+
 4.3
 
 Fixed:

From 6639e29302a9ba2fa46611d734259d9b2e37fcd4 Mon Sep 17 00:00:00 2001
From: Stephan de Wit <stephan.de.wit@deciso.com>
Date: Mon, 15 Jul 2024 10:41:13 +0200
Subject: [PATCH 1965/3088] dec-hw: move to new widget implementation

---
 .../OPNsense/dechw/Api/InfoController.php     |  11 +-
 .../src/opnsense/www/js/widgets/DecHW.js      | 100 ++++++++++++++++++
 .../www/js/widgets/Metadata/DecHW.xml         |  15 +++
 .../dec-hw/src/www/widgets/include/dechw.inc  |   3 -
 .../src/www/widgets/widgets/dechw.widget.php  |  94 ----------------
 5 files changed, 116 insertions(+), 107 deletions(-)
 create mode 100644 sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
 create mode 100644 sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
 delete mode 100644 sysutils/dec-hw/src/www/widgets/include/dechw.inc
 delete mode 100644 sysutils/dec-hw/src/www/widgets/widgets/dechw.widget.php

diff --git a/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php b/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
index ad0393ba4f..66b819c93b 100644
--- a/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
+++ b/sysutils/dec-hw/src/opnsense/mvc/app/controllers/OPNsense/dechw/Api/InfoController.php
@@ -35,20 +35,11 @@ class InfoController extends ApiControllerBase
 {
     public function powerStatusAction()
     {
-        $result = [
-            "status" => "failed",
-            "status_translated" => gettext("Power status could not be fetched.
-                This widget is only applicable to Deciso hardware with dual power supplies.")
-        ];
+        $result = ["status" => "failed"];
         $status = parse_ini_string((new Backend())->configdRun('dechw power'));
 
         if (!empty($status)) {
             $result["status"] = "OK";
-            unset($result["status_translated"]);
-
-            foreach (['pwr1', 'pwr2'] as $key) {
-                $result[$key . '_translated'] = $status[$key] === '1' ? gettext('On') : gettext('Off');
-            }
             $result = array_merge($result, $status);
         }
 
diff --git a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
new file mode 100644
index 0000000000..a5657599b5
--- /dev/null
+++ b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2024 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import BaseWidget from "./BaseWidget.js";
+
+export default class DecHW extends BaseWidget {
+    constructor() {
+        super();
+    }
+
+    getMarkup() {
+        const styles = `
+            #status {
+            margin: 10px;
+            }
+            .power {
+            margin: 5px;
+            float: right;
+            }
+            .power:hover {
+            opacity: 0.5;
+            }
+            .pwr-container {
+            margin: 5px;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            }
+            .data-item {
+            padding: 10px;
+            border: 1px solid #ddd;
+            margin: 5px;
+            width: 50%;
+            display: inline-block;
+            }
+        `;
+      
+        const styleSheet = document.createElement("style");
+        styleSheet.innerText = styles;
+        document.head.appendChild(styleSheet);
+
+        return $(`
+            <div id="status"></div>
+            <div class="pwr-container">
+                <div id="pwr1" class="data-item">
+                    <strong>${this.translations.powersupply} 1</strong>
+                </div>
+                <div id="pwr2" class="data-item">
+                    <strong>${this.translations.powersupply} 2</strong>
+                </div>
+            </div> 
+        `);
+    }
+
+    async onWidgetTick() {
+        $('.power').tooltip('hide');
+        let data = await this.ajaxCall('/api/dechw/info/powerStatus');
+
+        if (!data || data.status === 'failed') {
+            $('#status').html(`<div class="error-message" style="margin: 10px;">${this.translations.nopower}</div>`);
+            $('.pwr-container').hide();
+            return;
+        }
+
+        $('.power').remove();
+        ['pwr1', 'pwr2'].forEach((key) => {
+            let status = data[key];
+
+            let $power = $(`<span class="power fa fa-power-off fa-lg" data-toggle="tooltip" title=""></span>`);
+            $power.css('color', status === '1' ? 'blue' : 'red');
+            $power.attr('title', status === '1' ? this.translations.poweron : this.translations.poweroff);
+            $(`#${key}`).append($power);
+        });
+
+        $('.power').tooltip({container: 'body'});
+    }
+}
\ No newline at end of file
diff --git a/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml b/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
new file mode 100644
index 0000000000..a059d6edb1
--- /dev/null
+++ b/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
@@ -0,0 +1,15 @@
+<metadata>
+    <dechw>
+        <filename>DecHW.js</filename>
+        <endpoints>
+            <endpoint>/api/dechw/info/powerStatus</endpoint>
+        </endpoints>
+        <translations>
+            <title>Deciso Hardware Information</title>
+            <nopower>Power status could not be fetched. This widget is only applicable to Deciso hardware with dual power supplies.</nopower>
+            <poweron>Power is on</poweron>
+            <poweroff>Power is off</poweroff>
+            <powersupply>Power Supply</powersupply>
+        </translations>
+    </dechw>
+</metadata>
\ No newline at end of file
diff --git a/sysutils/dec-hw/src/www/widgets/include/dechw.inc b/sysutils/dec-hw/src/www/widgets/include/dechw.inc
deleted file mode 100644
index 64b6114020..0000000000
--- a/sysutils/dec-hw/src/www/widgets/include/dechw.inc
+++ /dev/null
@@ -1,3 +0,0 @@
-<?php
-
-$dechw_title = gettext('Deciso Hardware Information');
diff --git a/sysutils/dec-hw/src/www/widgets/widgets/dechw.widget.php b/sysutils/dec-hw/src/www/widgets/widgets/dechw.widget.php
deleted file mode 100644
index 61ee170ec2..0000000000
--- a/sysutils/dec-hw/src/www/widgets/widgets/dechw.widget.php
+++ /dev/null
@@ -1,94 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2023 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-?>
-
-<script>
-    $(document).ready(function() {
-        ajaxGet('/api/dechw/info/powerStatus', {}, function(data, status) {
-            if (data['status'] === 'failed') {
-                $('#status').html(data['status_translated']);
-                $('.pwr-container').hide();
-                return;
-            }
-
-            ['pwr1', 'pwr2'].forEach(function(key) {
-                let status = data[key];
-                let status_translated = data[key + '_translated'];
-                let $power = $('<span data-toggle="tooltip" title=""></span>').addClass('power fa fa-power-off fa-lg');
-                $power.css('color', status === '1' ? 'blue' : 'red');
-                $power.attr('title', status_translated);
-                $('#'+key).append($power);
-            })
-
-            $(".circle").tooltip({container: 'body', trigger: 'hover'});
-        });
-    });
-</script>
-
-<style>
-    #status {
-        margin: 10px;
-    }
-
-    .power {
-      margin: 5px;
-      float: right;
-    }
-
-    .power:hover {
-      opacity: 0.5;
-    }
-
-    .pwr-container {
-      margin: 5px;
-      display: flex;
-      justify-content: center;
-      align-items: center;
-    }
-
-    .data-item {
-      padding: 10px;
-      border: 1px solid #ddd;
-      margin: 5px;
-      width: 50%;
-      display: inline-block;
-    }
-</style>
-
-<div id="status"></div>
-<div class="pwr-container">
-    <div id="pwr1" class="data-item">
-        <strong><?=gettext("Power Supply 1");?></strong>
-    </div>
-    <div id="pwr2" class="data-item">
-        <strong><?=gettext("Power Supply 2");?></strong>
-    </div>
-</div>

From 2478471b2a9ebb9aca8b074512a41a191e949137 Mon Sep 17 00:00:00 2001
From: Stephan de Wit <stephan.de.wit@deciso.com>
Date: Mon, 15 Jul 2024 10:54:19 +0200
Subject: [PATCH 1966/3088] security/etpro-telemetry - change GET to ajaxCall

---
 .../src/opnsense/www/js/widgets/ETProTelemetry.js               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index 8e351a2bbc..98456802f3 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -42,7 +42,7 @@ export default class ETProTelemetry extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        const data = await this.ajaxGet('/api/diagnostics/proofpoint_et/status');
+        const data = await this.ajaxCall('/api/diagnostics/proofpoint_et/status');
         if (data['sensor_status'] == 'active') {
             $('#etpro_sensor_status').text(data['sensor_status']);
             $('#etpro_event_received').text(data['event_received']);

From 46165c9ad7f4d6ac674e92a29b260f70c8c892a6 Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Mon, 15 Jul 2024 13:17:15 +0300
Subject: [PATCH 1967/3088] www/nginx: 1.34 (#4092)

* server handshakes log opt out

* http2 server push have been made obsolete

from nginx 1.25.1 (https://nginx.org/en/CHANGES)
    *) Feature: the "http2" directive, which enables HTTP/2 on a per-server basis; the "http2" parameter of the "listen" directive is now deprecated.
    *) Change: HTTP/2 server push support has been removed.

* 'listen ... http2' directive is deprecated

migrate to http2 directive

* ver bump and descr
---
 www/nginx/Makefile                                     |  2 +-
 www/nginx/pkg-descr                                    |  6 ++++++
 .../controllers/OPNsense/Nginx/forms/httpserver.xml    |  7 +++++++
 .../app/controllers/OPNsense/Nginx/forms/location.xml  |  6 ------
 .../opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml   | 10 +++++-----
 .../service/templates/OPNsense/Nginx/http.conf         |  6 ++++--
 .../service/templates/OPNsense/Nginx/location.conf     |  1 -
 .../service/templates/OPNsense/Nginx/webgui.conf       |  4 ++--
 8 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 0b76a782ff..5309f48ac8 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.33
+PLUGIN_VERSION=		1.34
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 661bb49eb7..476eb0962f 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,12 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.34
+
+* Add the option to not log TLS handshakes
+* Remove obsolete http2_push_preload directive
+* Migrate from the deprecated 'listen … http2' directive to the 'http2' directive
+
 1.33
 
 * Add the "resolver" directive support
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index b3ad135282..33cf1ce522 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -142,6 +142,13 @@
     <help>Select Error Log Level. Log levels are listed in the order of increasing verbosity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.</help>
     <advanced>true</advanced>
   </field>
+  <field>
+    <id>httpserver.log_handshakes</id>
+    <label>Enable TLS handshakes logging</label>
+    <type>checkbox</type>
+    <help>Log TLS handshakes to fill the User Agent fingerprint database and detect MITM attacks.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>httpserver.enable_acme_support</id>
     <label>Enable Let's Encrypt Plugin Support</label>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index 25c998c75d..c5ad998275 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -206,12 +206,6 @@
     <type>checkbox</type>
     <help>If the request scheme is not HTTPS, redirect to use HTTPS for this location.</help>
   </field>
-  <field>
-    <id>location.http2_push_preload</id>
-    <label>Enable HTTP/2 Preloading</label>
-    <type>checkbox</type>
-    <help>If you check this box, you can use the link header to send resources to the client before they are requested. You can boost your performance with this setting. This requires that your application sets the "Link" header correctly.</help>
-  </field>
   <field>
     <id>location.php_enable</id>
     <label>Pass Request To Local PHP Interpreter / Threat Upstream As FastCGI</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 81f686682a..6921fbacd9 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.33</version>
+  <version>1.34</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -515,10 +515,6 @@
         <Required>N</Required>
         <minValue>1</minValue>
       </proxy_send_timeout>
-      <http2_push_preload type="BooleanField">
-        <Required>Y</Required>
-        <default>0</default>
-      </http2_push_preload>
       <ip_acl type="ModelRelationField">
         <Model>
           <template>
@@ -863,6 +859,10 @@
         <Required>Y</Required>
         <default>error</default>
       </error_log_level>
+      <log_handshakes type="BooleanField">
+        <default>1</default>
+        <Required>Y</Required>
+      </log_handshakes>
       <enable_acme_support type="BooleanField">
         <Required>Y</Required>
         <default>1</default>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 86b1586ab1..c6e47f4fa2 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -115,9 +115,9 @@ server {
 
 {%   if server.listen_https_address is defined and server.listen_https_address != '' %}
 {%     for listen_address in server.listen_https_address.split(',') %}
-    listen {{ listen_address }} http2 ssl{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %}{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
+    listen {{ listen_address }} ssl{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %}{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
 {%     endfor %}
-
+    http2 on;
 {%     if server.tls_reject_handshake is defined and server.tls_reject_handshake == '1'%}
     ssl_reject_handshake on;
 {%     endif %}
@@ -197,7 +197,9 @@ server {
 {%   set syslog_targets = server.syslog_targets.split(',') %}
 {%   include "OPNsense/Nginx/syslog_targets.conf" %}
 {% endif %}
+{% if server.log_handshakes|default("1") == "1" %}
     access_log  /var/log/nginx/tls_handshake.log handshake;
+{% endif %}
     error_log  /var/log/nginx/{{ server.servername }}.error.log{% if server.error_log_level is defined %} {{ server.error_log_level }}{% endif %};
 {% if server.root is defined and server.root != '' %}
     root "{{server.root}}";
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 1d0adc6dc3..0bb464d3d1 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -88,7 +88,6 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     auth_request /opnsense-auth-request;
 {%   endif %}
 {% endif %}
-    http2_push_preload {% if location.http2_push_preload is defined and location.http2_push_preload == '1' %}on{% else %}off{% endif %};
 {% if location.php_enable is defined and location.php_enable == '1' %}
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     include        fastcgi_params;
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
index 8a14feeb10..f3be95044e 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/webgui.conf
@@ -9,7 +9,8 @@ server {
       return 302 https://$host$request_uri;
   }
   listen 80 default_server; # if redirect is enabled
-  listen {% if system.webgui.port is defined and system.webgui.port != '' %}{{ system.webgui.port }}{% else %}443{% endif %} ssl http2 default_server;
+  listen {% if system.webgui.port is defined and system.webgui.port != '' %}{{ system.webgui.port }}{% else %}443{% endif %} ssl default_server;
+  http2 on;
   ## TLS configuration
   ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
   ssl_ecdh_curve secp384r1;
@@ -27,7 +28,6 @@ server {
 {% endif %}
 
   autoindex off;
-  http2_push_preload on;
 
   # gzip compression
   gzip_static on;

From 160c6515c2cf960354e2d1655ba8d8aa65c5d9d0 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 16 Jul 2024 13:02:07 +0200
Subject: [PATCH 1968/3088] www/caddy: Create custom displayValidationErrors
 function in general.volt (#4096)

* www/caddy: Create custom displayValidationErrors function in general.volt that appends validation errors to form keys outside the scope of the main form.

* www/caddy: Add missing key to validationExceptions array.

* www/caddy: Make the custom validation the same style as core.
---
 .../mvc/app/views/OPNsense/Caddy/general.volt | 104 ++++++++++++++++--
 1 file changed, 95 insertions(+), 9 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index 38bb9c3adc..292dd13190 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -26,11 +26,22 @@
 
 <script type="text/javascript">
     $(document).ready(function() {
-        let data_get_map = {'frm_GeneralSettings':"/api/caddy/General/get"};
+        const data_get_map = {'frm_GeneralSettings':"/api/caddy/General/get"};
         mapDataToFormUI(data_get_map).done(function(data){
 
-            // Refresh selectpicker for these dropdowns
-            $('.selectpicker').selectpicker('refresh');
+            // Function to initialize form elements within a tab dynamically
+            function initializeFormElements(tabContent) {
+                $(tabContent).find('.selectpicker').selectpicker('refresh');
+            }
+
+            // Initialize the first tab
+            initializeFormElements('#generalTab');
+
+            // Handle tab changes
+            $('a[data-toggle="tab"]').on('shown.bs.tab', function(e) {
+                let targetTab = $(e.target).attr('href'); // Activated tab
+                initializeFormElements(targetTab);
+            });
 
             // Function to show alerts in the HTML message area
             function showAlert(message, type = "error") {
@@ -55,6 +66,55 @@
                 $("#messageArea").hide();
             });
 
+            // These fields do not need the validation workaround, they get their validation messages from core.
+            let validationExceptions = [
+                "caddy.general.enabled",
+                "caddy.general.DisableSuperuser",
+                "caddy.general.HttpPort",
+                "caddy.general.HttpsPort",
+                "caddy.general.TlsEmail",
+                "caddy.general.TlsAutoHttps",
+                "caddy.general.accesslist",
+                "caddy.general.abort",
+                "caddy.general.GracePeriod"
+            ];
+
+            // For all other fields that are in different tabs than the main form, append the validation message.
+            // Note: This is a workaround and generally not needed. Do not copy this.
+            function displayValidationErrors(errors) {
+                $(".error-message").remove();  // Clear previous error messages
+                $(".error-input").removeClass("error-input");
+                $(".error-label").removeClass("error-label");
+
+                for (let key in errors) {
+                    if (errors.hasOwnProperty(key) && !validationExceptions.includes(key)) {
+                        let jquerySafeKey = key.replace(/\./g, '\\.');  // Escape dots for jQuery ID selector
+                        let field = $('#' + jquerySafeKey);
+                        let label = $('#control_label_' + jquerySafeKey);
+                        let helpBlock = $('#help_block_' + jquerySafeKey);
+
+                        if (field.length !== 0) {
+                            field.addClass('error-input');
+                            label.addClass('error-label');
+                            let errorMessage = $('<div class="error-message">' + errors[key] + '</div>');
+                            helpBlock.html(errorMessage);  // append error message into help block
+                        }
+                    }
+                }
+            }
+
+            $('input, select, textarea').on('change', function() {
+                // Remove error styles when the user corrects the input
+                if($(this).hasClass('error-input')) {
+                    $(this).removeClass('error-input');
+                    let id = this.id.replace(/\./g, '\\.');
+                    let label = $('#control_label_' + id);
+                    label.removeClass('error-label');
+                    let helpBlock = $('#help_block_' + id);
+                    helpBlock.empty();
+                }
+            });
+
             // Reconfigure the Caddy service, additional form save and validation with a validation API is made beforehand
             $("#reconfigureAct").SimpleActionButton({
                 onPreAction: function() {
@@ -82,10 +142,13 @@
                                 }
                             });
                         },
-                        false, // disable_dialog: Show the dialog with the validation error
+                        true, // disable_dialog: This has to be set explicitely so there actually is a callback_fail to catch the validation error.
                         function(errorData) {  // callback_fail: What to do when save fails
-                            // Handle failure due to validation errors or other issues
-                            showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
+                            if (errorData.validations) {
+                                displayValidationErrors(errorData.validations);
+                            } else {
+                                showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
+                            }
                             dfObj.reject(); // Reject the deferred object to stop the reconfigure action
                         }
                     );
@@ -114,9 +177,13 @@
                             showAlert("{{ lang._('Configuration saved successfully. Please do not forget to apply the configuration.') }}", "{{ lang._('Save Success') }}");
                             dfObj.resolve();
                         },
-                        false, // disable_dialog: Show the dialog with the validation error
+                        true, // disable_dialog
                         function(errorData) {  // callback_fail: What to do when save fails
-                            showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
+                            if (errorData.validations) {
+                                displayValidationErrors(errorData.validations);
+                            } else {
+                                showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
+                            }
                             dfObj.reject();
                         }
                     );
@@ -132,6 +199,23 @@
     });
 </script>
 
+<style>
+    .error-message {
+        color: #E55451;
+        margin-left: 10px; /* Adjust spacing to the right of the input field */
+    }
+
+    .form-control.error-input {
+        border: 1px solid #E55451;
+        padding: 2px 8px;
+        box-sizing: border-box;
+    }
+
+    .error-label {
+        color: #E55451;
+    }
+</style>
+
 <!-- Tab Navigation -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#generalTab">{{ lang._('General') }}</a></li>
@@ -141,7 +225,9 @@
     <li><a data-toggle="tab" href="#logSettingsTab">{{ lang._('Log Settings') }}</a></li>
 </ul>
 
-<!-- Tab Content -->
+<!-- Tab Content
+     Note: Do not copy this tab layout, it uses the same form id "frm_GeneralSettings". It works, but has problems with validation messages.
+     To fix this issue a custom displayValidationErrors function is used, that appends the messages to all keys. -->
 <div class="tab-content content-box">
     <!-- General Tab -->
     <div id="generalTab" class="tab-pane fade in active">

From 99628488ce0bf416ce69943e232bfd929e4583ac Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 16 Jul 2024 13:28:22 +0200
Subject: [PATCH 1969/3088] www/caddy: Add optional "DisableSuperuser" to run
 caddy as non root (#4081)

* www/caddy: Add option to run caddy as www user instead of root superuser.

* www/caddy: Add validation for DisableSuperuser that makes sure only ports 1024 or above are used.

* www/caddy: Change rc.conf.d/caddy script to conditionally set the caddy_user and caddy_group to www when DisableSuperuser is activated.

* www/caddy: Print the current Caddy user in the Caddyfile for easier support.

* www/caddy: Improve setup.sh script. Create all directories, add root:www owners, differentiate between directories and files when creating permissions.

* www/caddy: Remove copyright header in rc.conf.d/caddy.

* www/caddy: Improve helptext for new DisableSuperuser feature in general.xml.

* www/caddy: Fix style of rc.conf.d/caddy and caddy.php. Add changelog and bump plugin version.

* www/caddy: Append additional message to DisableSuperuser that warns users about conflicting ports in otherwise hidden forms in the Reverse Proxy Domains view.

* www/caddy: Add changelog.
---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  5 ++
 www/caddy/src/etc/syslog-ng.conf.d/caddy.conf |  2 +-
 .../OPNsense/Caddy/forms/general.xml          |  7 ++
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 59 ++++++++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  1 +
 .../opnsense/scripts/OPNsense/Caddy/setup.sh  | 79 +++++++++++++++----
 .../templates/OPNsense/Caddy/Caddyfile        |  9 ++-
 .../templates/OPNsense/Caddy/rc.conf.d/caddy  |  5 ++
 9 files changed, 149 insertions(+), 20 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 56926373f0..cde2e39154 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.6.0
+PLUGIN_VERSION=		1.6.1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 5306352762..70b6e238bd 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -25,6 +25,11 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.6.1
+
+Add: Run Caddy as "www" user and group, by enabling "Disable Superuser" in General Settings.
+Cleanup: Validations in general.volt are all appended to their form keys, instead of triggering a Bootstrap Dialog.
+
 1.6.0
 
 * Add: New Dashboard widgets for 24.7, showing domain status and certificate validity status.
diff --git a/www/caddy/src/etc/syslog-ng.conf.d/caddy.conf b/www/caddy/src/etc/syslog-ng.conf.d/caddy.conf
index 11c96c45da..0a5eb450a3 100644
--- a/www/caddy/src/etc/syslog-ng.conf.d/caddy.conf
+++ b/www/caddy/src/etc/syslog-ng.conf.d/caddy.conf
@@ -5,7 +5,7 @@
 #
 # Define Unix socket source for Caddy
 source s_caddy {
-    unix-dgram("/var/caddy/var/run/log");
+    unix-dgram("/var/run/caddy/log.sock");
 };
 
 # Parser for Caddy log levels
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 4ac84664ed..4e9a159a7b 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -21,6 +21,13 @@
         <help><![CDATA[If the default HTTPS port is changed to e.g. 8443, then a port forward from port 443 to 8443 is necessary to issue automatic certificates with the TLS-ALPN-01 challenge and serve clients the reverse proxied resources.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>caddy.general.DisableSuperuser</id>
+        <label>Disable Superuser</label>
+        <type>checkbox</type>
+        <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>caddy.general.TlsEmail</id>
         <label>ACME Email</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 42972f8d1d..beca19c9c1 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -211,6 +211,61 @@ private function checkDisableTlsConflicts($messages)
         }
     }
 
+    /**
+     * 6. Check that when Superuser is disabled, all ports are 1024 and above.
+     * In General settings where this triggers, a validation dialog will show the hidden validation of the domain ports.
+     * The default HTTP and HTTPS ports are not allowed to be empty, since then they are 80 and 443.
+     * Domain ports are allowed to be empty, since then they have the same value as the HTTP and HTTPS default ports.
+     * Any value that is below 1024 will trigger the validation.
+     */
+    private function checkSuperuserPorts($messages)
+    {
+        if ((string)$this->general->DisableSuperuser === '1') {
+            $httpPort = !empty((string)$this->general->HttpPort) ? (string)$this->general->HttpPort : 80;
+            $httpsPort = !empty((string)$this->general->HttpsPort) ? (string)$this->general->HttpsPort : 443;
+
+            // Check default HTTP port
+            if ($httpPort < 1024) {
+                $messages->appendMessage(new Message(
+                    gettext(
+                        'Superuser is disabled, HTTP port must not be empty and must be 1024 or above.'
+                    ),
+                    "general.HttpPort"
+                ));
+            }
+
+            // Check default HTTPS port
+            if ($httpsPort < 1024) {
+                $messages->appendMessage(new Message(
+                    gettext(
+                        'Superuser is disabled, HTTPS port must not be empty and must be 1024 or above.'
+                    ),
+                    "general.HttpsPort"
+                ));
+            }
+
+            // Check ports under domain configurations
+            foreach ($this->reverseproxy->reverse->iterateItems() as $item) {
+                $fromPort = !empty((string)$item->FromPort) ? (string)$item->FromPort : null;
+
+                if ($fromPort !== null && $fromPort < 1024) {
+                    $messages->appendMessage(new Message(
+                        gettext(
+                            'Superuser is disabled, port must be empty or must be 1024 or above.'
+                        ),
+                        $item->__reference . ".FromPort"
+                    ));
+                    $messages->appendMessage(new Message(
+                        gettext(
+                            'Ports in "Reverse Proxy - Domains" must be empty or must be 1024 or above.'
+                        ),
+                        "general.DisableSuperuser"
+                    ));
+                }
+            }
+        }
+    }
+
     // Perform the actual validation
     public function performValidation($validateFullModel = false)
     {
@@ -234,9 +289,13 @@ public function performValidation($validateFullModel = false)
 
         // 4. Check for ACME Email requirement
         $this->checkAcmeEmailAutoHttps($messages);
+
         // 5. Check for TLS conflicts in Domain
         $this->checkDisableTlsConflicts($messages);
 
+        // 6. Check DisableSuperuser Port conflicts
+        $this->checkSuperuserPorts($messages);
+
         return $messages;
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index f70f548576..3d66238d08 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -79,6 +79,7 @@
                 </Model>
             </accesslist>
             <abort type="BooleanField"/>
+            <DisableSuperuser type="BooleanField"/>
             <GracePeriod type="IntegerField">
                 <Default>10</Default>
                 <MinimumValue>1</MinimumValue>
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
index 334bd5672b..e2d00c66a3 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
@@ -1,26 +1,71 @@
 #!/bin/sh
 
-# Define directories
-CADDY_DIR="/usr/local/etc/caddy"
-CADDY_CERTS_DIR="/var/db/caddy/data/caddy/certificates/temp"
-CADDY_LOG_DIR="/var/log/caddy/access"
-CADDY_CONF_DIR="${CADDY_DIR}/caddy.d"
+#
+# Copyright (c) 2023-2024 Cedrik Pischem
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+#    this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright notice,
+#    this list of conditions and the following disclaimer in the documentation
+#    and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
 
-# Create custom directories with appropriate permissions
-mkdir -p "${CADDY_CERTS_DIR}"
-chown -R root:wheel "${CADDY_CERTS_DIR}"
-chmod -R 600 "${CADDY_CERTS_DIR}"
+# The directories are created as root:www with rwx permissions for both,
+# so the user can change in the GUI if caddy runs as root or www
+# If only ports 1024 and above are used, caddy can run as www user and group.
 
-mkdir -p "${CADDY_LOG_DIR}"
-chown -R root:wheel "${CADDY_LOG_DIR}"
-chmod -R 750 "${CADDY_LOG_DIR}"
+# Define directories
+CADDY_CONF_DIR="/usr/local/etc/caddy"
+CADDY_DATA_DIR="/var/db/caddy"
+CADDY_LOG_DIR="/var/log/caddy"
+CADDY_RUN_DIR="/var/run/caddy"
+CADDY_CONF_CUSTOM_DIR="${CADDY_CONF_DIR}/caddy.d"
+CADDY_DATA_CUSTOM_DIR="${CADDY_DATA_DIR}/data/caddy/certificates/temp"
+CADDY_LOG_CUSTOM_DIR="${CADDY_LOG_DIR}/access"
 
 mkdir -p "${CADDY_CONF_DIR}"
-chown -R root:wheel "${CADDY_CONF_DIR}"
-chmod -R 750 "${CADDY_CONF_DIR}"
+mkdir -p "${CADDY_DATA_DIR}"
+mkdir -p "${CADDY_LOG_DIR}"
+mkdir -p "${CADDY_RUN_DIR}"
+mkdir -p "${CADDY_CONF_CUSTOM_DIR}"
+mkdir -p "${CADDY_DATA_CUSTOM_DIR}"
+mkdir -p "${CADDY_LOG_CUSTOM_DIR}"
+
+chown -R root:www "${CADDY_CONF_DIR}"
+chown -R root:www "${CADDY_DATA_DIR}"
+chown -R root:www "${CADDY_LOG_DIR}"
+chown -R root:www "${CADDY_RUN_DIR}"
+
+# Directories need execute permissions to be accessible
+find "${CADDY_CONF_DIR}" -type d -exec chmod 770 {} +
+find "${CADDY_DATA_DIR}" -type d -exec chmod 770 {} +
+find "${CADDY_LOG_DIR}" -type d -exec chmod 770 {} +
+find "${CADDY_RUN_DIR}" -type d -exec chmod 770 {} +
+
+# Files can have read/write permissions
+find "${CADDY_CONF_DIR}" -type f -exec chmod 660 {} +
+find "${CADDY_DATA_DIR}" -type f -exec chmod 660 {} +
+find "${CADDY_LOG_DIR}" -type f -exec chmod 660 {} +
+find "${CADDY_RUN_DIR}" -type f -exec chmod 660 {} +
 
-# Format and overwrite the Caddyfile
-(cd "${CADDY_DIR}" && /usr/local/bin/caddy fmt --overwrite)
+# Format and overwrite the Caddyfile, this makes whitespace control in jinja2 unnecessary
+(cd "${CADDY_CONF_DIR}" && /usr/local/bin/caddy fmt --overwrite)
 
-# Write custom certs from the OPNsense Trust Store into a directory where Caddy can read them
+# Write custom certs from the OPNsense Trust Store to CADDY_DATA_CUSTOM_DIR
 /usr/local/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index c06342fc98..f938266231 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -28,6 +28,13 @@
 
 {% set generalSettings = helpers.getNodeByTag('Pischem.caddy.general') %}
 
+{# Print as comments if Caddy runs as root or www user, as information in support cases. #}
+{% if generalSettings.DisableSuperuser|default("0") == "1" %}
+# caddy_user=www
+{% else %}
+# caddy_user=root
+{% endif %}
+
 # Global Options
 {
     {#
@@ -43,7 +50,7 @@
                 {% endif %}
             {% endfor %}
         {% endif %}
-        output net unixgram//var/caddy/var/run/log {
+        output net unixgram//var/run/caddy/log.sock {
         }
         format json {
             time_format rfc3339
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
index d8ab2eda2c..da6745447d 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
@@ -1,8 +1,13 @@
 # DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+
 {% set generalSettings = helpers.getNodeByTag('Pischem.caddy.general') %}
 {% if generalSettings.enabled|default("0") == "1" %}
 caddy_enable="YES"
 caddy_setup="/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"
+{% if generalSettings.DisableSuperuser|default("0") == "1" %}
+caddy_user=www
+caddy_group=www
+{% endif %}
 {% else %}
 caddy_enable="NO"
 {% endif %}

From e9bbe74574697a58a5823f249c8a361d61be1e08 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 16 Jul 2024 14:34:10 +0200
Subject: [PATCH 1970/3088] www/caddy: Description Fields are optional now. At
 no point in the model relation fields they are the only display, making them
 non required for functionality. (#4097)

---
 www/caddy/pkg-descr                           |  1 +
 .../Caddy/forms/dialogReverseProxy.xml        |  1 -
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |  1 -
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 36 +++++++------------
 4 files changed, 13 insertions(+), 26 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 70b6e238bd..fc2608ebf3 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -29,6 +29,7 @@ Plugin Changelog
 
 Add: Run Caddy as "www" user and group, by enabling "Disable Superuser" in General Settings.
 Cleanup: Validations in general.volt are all appended to their form keys, instead of triggering a Bootstrap Dialog.
+Change: Description Fields are optional now, reducing the steps needed to create new entries.
 
 1.6.0
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index bd9f481ea1..643db447de 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -23,7 +23,6 @@
         <id>reverse.description</id>
         <label>Description</label>
         <type>text</type>
-        <hint>example.com.443</hint>
         <help><![CDATA[Enter a description for this domain.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 4777809ad9..49e3b51a04 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -22,7 +22,6 @@
         <id>subdomain.description</id>
         <label>Description</label>
         <type>text</type>
-        <hint>opn.example.com</hint>
         <help><![CDATA[Enter a description for this subdomain.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 3d66238d08..c5f3474de1 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -74,7 +74,7 @@
                         <source>OPNsense.Caddy.Caddy</source>
                         <items>reverseproxy.accesslist</items>
                         <display>accesslistName,description</display>
-                        <display_format>%s - %s</display_format>
+                        <display_format>%s %s</display_format>
                     </reverseproxy>
                 </Model>
             </accesslist>
@@ -158,7 +158,7 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.accesslist</items>
                             <display>accesslistName,description</display>
-                            <display_format>%s - %s</display_format>
+                            <display_format>%s %s</display_format>
                         </reverseproxy>
                     </Model>
                 </accesslist>
@@ -168,14 +168,12 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.basicauth</items>
                             <display>basicauthuser,description</display>
-                            <display_format>%s - %s</display_format>
+                            <display_format>%s %s</display_format>
                         </reverseproxy>
                     </Model>
                     <Multiple>Y</Multiple>
                 </basicauth>
-                <description type="DescriptionField">
-                    <Required>Y</Required>
-                </description>
+                <description type="DescriptionField"/>
                 <DnsChallenge type="BooleanField"/>
                 <CustomCertificate type="CertificateField"/>
                 <AccessLog type="BooleanField"/>
@@ -210,7 +208,7 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.accesslist</items>
                             <display>accesslistName,description</display>
-                            <display_format>%s - %s</display_format>
+                            <display_format>%s %s</display_format>
                         </reverseproxy>
                     </Model>
                 </accesslist>
@@ -220,14 +218,12 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.basicauth</items>
                             <display>basicauthuser,description</display>
-                            <display_format>%s - %s</display_format>
+                            <display_format>%s %s</display_format>
                         </reverseproxy>
                     </Model>
                     <Multiple>Y</Multiple>
                 </basicauth>
-                <description type="DescriptionField">
-                    <Required>Y</Required>
-                </description>
+                <description type="DescriptionField"/>
                 <DynDns type="BooleanField"/>
                 <AcmePassthrough type="HostnameField"/>
             </subdomain>
@@ -275,7 +271,7 @@
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.header</items>
                             <display>HeaderUpDown,HeaderType,HeaderValue,description</display>
-                            <display_format>%s %s %s - %s</display_format>
+                            <display_format>%s %s %s %s</display_format>
                         </reverseproxy>
                     </Model>
                     <Multiple>Y</Multiple>
@@ -332,9 +328,7 @@
                     <Type>ca</Type>
                 </HttpTlsTrustedCaCerts>
                 <HttpTlsServerName type="HostnameField"/>
-                <description type="DescriptionField">
-                    <Required>Y</Required>
-                </description>
+                <description type="DescriptionField"/>
             </handle>
             <accesslist type="ArrayField">
                 <accesslistName type="DescriptionField">
@@ -354,9 +348,7 @@
                     <ValidationMessage>Please enter a valid HTTP response code between 100 and 599</ValidationMessage>
                 </HttpResponseCode>
                 <HttpResponseMessage type="DescriptionField"/>
-                <description type="DescriptionField">
-                    <Required>Y</Required>
-                </description>
+                <description type="DescriptionField"/>
             </accesslist>
             <basicauth type="ArrayField">
                 <basicauthuser type="TextField">
@@ -367,9 +359,7 @@
                 <basicauthpass type="UpdateOnlyTextField">
                     <Required>Y</Required>
                 </basicauthpass>
-                <description type="DescriptionField">
-                    <Required>Y</Required>
-                </description>
+                <description type="DescriptionField"/>
             </basicauth>
             <header type="ArrayField">
                 <HeaderUpDown type="OptionField">
@@ -393,9 +383,7 @@
                     <Mask>/^([^"]{0,1024})$/u</Mask>
                     <ValidationMessage>The header replacement must not contain quotation marks (") and must be less than 1024 characters.</ValidationMessage>
                 </HeaderReplace>
-                <description type="DescriptionField">
-                    <Required>Y</Required>
-                </description>
+                <description type="DescriptionField"/>
             </header>
         </reverseproxy>
     </items>

From ff0aaec106555c2c6944f9a64481e4d627b7598b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Jul 2024 14:59:39 +0200
Subject: [PATCH 1971/3088] LICENSE: sync

---
 LICENSE | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index fccf40525f..12d216530b 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,5 @@
-Copyright (c) 2015-2023 Ad Schellevis <ad@opnsense.org>
+Copyright (c) 2023 A. Kulikov <kulikov.a@gmail.com>
+Copyright (c) 2015-2024 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2024 Alex Smith
 Copyright (c) 2021 Alexander Noack
@@ -63,8 +64,9 @@ Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2019 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz
 Copyright (c) 2020 Starkstromkonsument
-Copyright (c) 2023 Thomas Cekal <thomas@cekal.org>
+Copyright (c) 2023-2024 Thomas Cekal <thomas@cekal.org>
 Copyright (c) 2020 Tobias Boehnert
+Copyright (c) 2024 txr13
 Copyright (c) 2022 Wouter Deurholt
 Copyright (c) 2010 Yehuda Katz
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>

From 86dbaa6ed6795aee4a54b4998bd8168a6cb1b80e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Jul 2024 15:09:30 +0200
Subject: [PATCH 1972/3088] sysutils/dec-hw: bump version

---
 sysutils/dec-hw/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/dec-hw/Makefile b/sysutils/dec-hw/Makefile
index e605779641..9ccd8fb4f5 100644
--- a/sysutils/dec-hw/Makefile
+++ b/sysutils/dec-hw/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		dec-hw
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Deciso hardware specific information
 PLUGIN_MAINTAINER=	stephan.de.wit@deciso.com
 PLUGIN_TIER=		2

From 26d89ffaec8ae898d48a0943d09bdd6e20539fef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Wed, 17 Jul 2024 14:15:09 +0200
Subject: [PATCH 1973/3088] theme updates (#4099)

dashboard.css and bootstrap-select.css fix
---
 misc/theme-cicada/Makefile                    |   2 +-
 .../assets/stylesheets/bootstrap-select.scss  |  77 ++-
 .../cicada/assets/stylesheets/dashboard.scss  |   5 +
 .../cicada/build/css/bootstrap-select.css     |   4 +-
 .../www/themes/cicada/build/css/dashboard.css |   5 +
 misc/theme-vicuna/Makefile                    |   2 +-
 .../assets/stylesheets/bootstrap-select.scss  | 468 ++++++++++++++++++
 .../vicuna/assets/stylesheets/dashboard.scss  |   5 +
 .../vicuna/build/css/bootstrap-select.css     |   4 +-
 .../www/themes/vicuna/build/css/dashboard.css |   5 +
 10 files changed, 562 insertions(+), 15 deletions(-)
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select.scss

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index d1245d117a..339b1956e2 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.36
+PLUGIN_VERSION=		1.37
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/bootstrap-select.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/bootstrap-select.scss
index 150b35e363..931140beeb 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/bootstrap-select.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/bootstrap-select.scss
@@ -11,7 +11,9 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
 
 .bootstrap-select {
   width: 348px \0;
+
   /*IE9 and below*/
+
   > {
     .dropdown-toggle {
       position: relative;
@@ -19,16 +21,20 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       z-index: 1;
       text-align: right;
       white-space: nowrap;
+
       &.bs-placeholder {
-        color: #fff;
+        color: #ccc;
+
         &:hover, &:focus, &:active {
-          color: #fff;
+          color: #ccc;
         }
+
         &.btn-primary, &.btn-secondary, &.btn-success, &.btn-danger, &.btn-info, &.btn-dark, &.btn-primary:hover, &.btn-secondary:hover, &.btn-success:hover, &.btn-danger:hover, &.btn-info:hover, &.btn-dark:hover, &.btn-primary:focus, &.btn-secondary:focus, &.btn-success:focus, &.btn-danger:focus, &.btn-info:focus, &.btn-dark:focus, &.btn-primary:active, &.btn-secondary:active, &.btn-success:active, &.btn-danger:active, &.btn-info:active, &.btn-dark:active {
-          color: #ffffff;
+          color: rgba(0, 0, 0, 0.5);
         }
       }
     }
+
     select {
       position: absolute !important;
       bottom: 0;
@@ -39,6 +45,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       padding: 0 !important;
       opacity: 0 !important;
       border: none;
+
       &.mobile-device {
         top: 0;
         left: 0;
@@ -62,9 +69,15 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   &.fit-width {
     width: auto !important;
   }
+
   &:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
     width: 348px;
   }
+
+  > select.mobile-device:focus + .dropdown-toggle, .dropdown-toggle:focus {
+    outline: none !important;
+  }
+
   &.form-control {
     margin-bottom: 0;
     padding: 0;
@@ -79,15 +92,18 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
 .bootstrap-select {
   &.form-control.input-group-btn {
     z-index: auto;
+
     &:not(:first-child):not(:last-child) > .btn {
       border-radius: 0;
     }
   }
+
   &:not(.input-group-btn), &[class*="col-"] {
     float: none;
     display: inline-block;
     margin-left: 0;
   }
+
   &.dropdown-menu-right, &[class*="col-"].dropdown-menu-right {
     float: right;
   }
@@ -118,9 +134,11 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
     line-height: inherit;
     border-radius: inherit;
   }
+
   &.form-control-sm .dropdown-toggle {
     padding: 0.25rem 0.5rem;
   }
+
   &.form-control-lg .dropdown-toggle {
     padding: 0.5rem 1rem;
   }
@@ -133,31 +151,38 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
 .bootstrap-select {
   &.disabled {
     cursor: not-allowed;
+
     &:focus {
       outline: none !important;
     }
   }
+
   > .disabled {
     cursor: not-allowed;
   }
+
   > .disabled:focus {
     outline: none !important;
   }
+
   &.bs-container {
     position: absolute;
     top: 0;
     left: 0;
     height: 0 !important;
     padding: 0 !important;
+
     .dropdown-menu {
-      z-index: 1060;
+      z-index: 9998;
     }
   }
+
   .dropdown-toggle {
     &:before {
       content: '';
       display: inline-block;
     }
+
     .filter-option {
       position: absolute;
       top: 0;
@@ -170,12 +195,15 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       width: 100%;
       text-align: left;
     }
+
     .filter-option-inner {
       padding-right: inherit;
     }
+
     .filter-option-inner-inner {
       overflow: hidden;
     }
+
     .caret {
       position: absolute;
       top: 50%;
@@ -194,14 +222,17 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   &[class*="col-"] .dropdown-toggle {
     width: 100%;
   }
+
   .dropdown-menu {
     min-width: 100%;
     -webkit-box-sizing: border-box;
     -moz-box-sizing: border-box;
     box-sizing: border-box;
+
     > .inner:focus {
       outline: none !important;
     }
+
     &.inner {
       position: static;
       float: none;
@@ -212,37 +243,46 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       -webkit-box-shadow: none;
       box-shadow: none;
     }
+
     li {
       position: relative;
+
       &.active small {
         color: rgba(255, 255, 255, 0.5) !important;
       }
+
       &.disabled a {
         cursor: not-allowed;
       }
+
       a {
         cursor: pointer;
         -webkit-user-select: none;
         -moz-user-select: none;
         -ms-user-select: none;
         user-select: none;
+
         &.opt {
           position: relative;
           padding-left: 2.25em;
         }
+
         span {
           &.check-mark {
             display: none;
           }
+
           &.text {
             display: inline-block;
           }
         }
       }
+
       small {
         padding-left: 0.5em;
       }
     }
+
     .notify {
       position: absolute;
       bottom: 5px;
@@ -250,8 +290,8 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       margin: 0 2%;
       min-height: 26px;
       padding: 3px 5px;
-      background: #f5f5f5;
-      border: 1px solid #e3e3e3;
+      background: #151515;
+      border: 1px solid #232323;
       -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
       box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
       pointer-events: none;
@@ -261,27 +301,32 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       box-sizing: border-box;
     }
   }
+
   .no-results {
     padding: 3px;
-    background: #f5f5f5;
+    background: #151515;
     margin: 0 5px;
     white-space: nowrap;
   }
+
   &.fit-width .dropdown-toggle {
     .filter-option {
       position: static;
       display: inline;
       padding: 0;
     }
+
     .filter-option-inner, .filter-option-inner-inner {
       display: inline;
     }
+
     .caret {
       position: static;
       top: auto;
       margin-top: -1px;
     }
   }
+
   &.show-tick .dropdown-menu {
     .selected span.check-mark {
       position: absolute;
@@ -289,10 +334,12 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
       right: 15px;
       top: 5px;
     }
+
     li a span.text {
       margin-right: 34px;
     }
   }
+
   .bs-ok-default:after {
     content: '';
     display: block;
@@ -305,10 +352,12 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
     -o-transform: rotate(45deg);
     transform: rotate(45deg);
   }
+
   &.show-menu-arrow {
     &.open > .dropdown-toggle, &.show > .dropdown-toggle {
-      z-index: 1061;
+      z-index: 9999;
     }
+
     .dropdown-toggle .filter-option {
       &:before {
         content: '';
@@ -320,6 +369,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
         left: 9px;
         display: none;
       }
+
       &:after {
         content: '';
         border-left: 6px solid transparent;
@@ -331,13 +381,15 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
         display: none;
       }
     }
+
     &.dropup .dropdown-toggle .filter-option {
       &:before {
         bottom: auto;
         top: -4px;
-        border-top: 7px solid rgba(204, 204, 204, 0.2);
+        border-top: 7px solid rgba(50, 50, 50, 0.2);
         border-bottom: 0;
       }
+
       &:after {
         bottom: auto;
         top: -4px;
@@ -345,16 +397,19 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
         border-bottom: 0;
       }
     }
+
     &.pull-right .dropdown-toggle .filter-option {
       &:before {
         right: 12px;
         left: auto;
       }
+
       &:after {
         right: 13px;
         left: auto;
       }
     }
+
     &.open > .dropdown-toggle .filter-option:before, &.show > .dropdown-toggle .filter-option:before, &.open > .dropdown-toggle .filter-option:after, &.show > .dropdown-toggle .filter-option:after {
       display: block;
     }
@@ -370,6 +425,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
   box-sizing: border-box;
+
   .btn-group button {
     width: 50%;
   }
@@ -381,6 +437,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
   box-sizing: border-box;
+
   .btn-group button {
     width: 100%;
   }
@@ -390,6 +447,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   + .bs-actionsbox {
     padding: 0 8px 4px;
   }
+
   .form-control {
     margin-bottom: 0;
     width: 100%;
@@ -405,6 +463,7 @@ select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.sel
   .dropdown-menu > li > a {
     padding: 3px 20px 3px 30px;
   }
+
   &.show-tick .dropdown-menu .selected span.check-mark {
     left: 10px;
   }
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
index 9e397c33c7..cd495cede6 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
@@ -16,6 +16,11 @@
   border-radius: 0.5em 0.5em 0.5em 0.5em;
 }
 
+.widget-error {
+    margin: 50px;
+    color: #721c24;
+}
+
 .widget-content {
   position: relative;
   width: 100%;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
index 15d668797b..629a75b067 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/bootstrap-select.css
@@ -165,7 +165,7 @@ select.selectpicker {
   padding: 0 !important;
 }
 .bootstrap-select.bs-container .dropdown-menu {
-  z-index: 1060;
+  z-index: 9998;
 }
 .bootstrap-select .dropdown-toggle:before {
   content: '';
@@ -310,7 +310,7 @@ select.selectpicker {
 }
 .bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
 .bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
-  z-index: 1061;
+  z-index: 9999;
 }
 .bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
   content: '';
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
index 21d9b6a0b5..82e195ab56 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
@@ -16,6 +16,11 @@
   border-radius: 0.5em 0.5em 0.5em 0.5em;
 }
 
+.widget-error {
+    margin: 50px;
+    color: #721c24;
+}
+
 .widget-content {
     position: relative;
     width: 100%;
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index c9898ab84f..ca31bc76ff 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.46
+PLUGIN_VERSION=		1.47
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select.scss
new file mode 100644
index 0000000000..e7fb8d9887
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/bootstrap-select.scss
@@ -0,0 +1,468 @@
+/*!
+ * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
+ *
+ * Copyright 2012-2018 SnapAppointments, LLC
+ * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
+ */
+
+select.bs-select-hidden, .bootstrap-select > select.bs-select-hidden, select.selectpicker {
+  display: none !important;
+}
+
+.bootstrap-select {
+  width: 348px \0;
+
+  /*IE9 and below*/
+
+  > {
+    .dropdown-toggle {
+      position: relative;
+      width: 100%;
+      z-index: 1;
+      text-align: right;
+      white-space: nowrap;
+
+      &.bs-placeholder {
+        color: #fff;
+
+        &:hover, &:focus, &:active {
+          color: #fff;
+        }
+
+        &.btn-primary, &.btn-secondary, &.btn-success, &.btn-danger, &.btn-info, &.btn-dark, &.btn-primary:hover, &.btn-secondary:hover, &.btn-success:hover, &.btn-danger:hover, &.btn-info:hover, &.btn-dark:hover, &.btn-primary:focus, &.btn-secondary:focus, &.btn-success:focus, &.btn-danger:focus, &.btn-info:focus, &.btn-dark:focus, &.btn-primary:active, &.btn-secondary:active, &.btn-success:active, &.btn-danger:active, &.btn-info:active, &.btn-dark:active {
+          color: #ffffff;
+        }
+      }
+    }
+
+    select {
+      position: absolute !important;
+      bottom: 0;
+      left: 50%;
+      display: block !important;
+      width: 0.5px !important;
+      height: 100% !important;
+      padding: 0 !important;
+      opacity: 0 !important;
+      border: none;
+
+      &.mobile-device {
+        top: 0;
+        left: 0;
+        display: block !important;
+        width: 100% !important;
+        z-index: 2;
+      }
+    }
+  }
+}
+
+.has-error .bootstrap-select .dropdown-toggle, .error .bootstrap-select .dropdown-toggle, .bootstrap-select.is-invalid .dropdown-toggle, .was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
+  border-color: #b94a48;
+}
+
+.bootstrap-select.is-valid .dropdown-toggle, .was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
+  border-color: #28a745;
+}
+
+.bootstrap-select {
+  &.fit-width {
+    width: auto !important;
+  }
+
+  &:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
+    width: 348px;
+  }
+
+  &.form-control {
+    margin-bottom: 0;
+    padding: 0;
+    border: none;
+  }
+}
+
+:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
+  width: 100%;
+}
+
+.bootstrap-select {
+  &.form-control.input-group-btn {
+    z-index: auto;
+
+    &:not(:first-child):not(:last-child) > .btn {
+      border-radius: 0;
+    }
+  }
+
+  &:not(.input-group-btn), &[class*="col-"] {
+    float: none;
+    display: inline-block;
+    margin-left: 0;
+  }
+
+  &.dropdown-menu-right, &[class*="col-"].dropdown-menu-right {
+    float: right;
+  }
+}
+
+.row .bootstrap-select[class*="col-"].dropdown-menu-right {
+  float: right;
+}
+
+.form-inline .bootstrap-select, .form-horizontal .bootstrap-select, .form-group .bootstrap-select {
+  margin-bottom: 0;
+}
+
+.form-group-lg .bootstrap-select.form-control, .form-group-sm .bootstrap-select.form-control {
+  padding: 0;
+}
+
+.form-group-lg .bootstrap-select.form-control .dropdown-toggle, .form-group-sm .bootstrap-select.form-control .dropdown-toggle {
+  height: 100%;
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+
+.bootstrap-select {
+  &.form-control-sm .dropdown-toggle, &.form-control-lg .dropdown-toggle {
+    font-size: inherit;
+    line-height: inherit;
+    border-radius: inherit;
+  }
+
+  &.form-control-sm .dropdown-toggle {
+    padding: 0.25rem 0.5rem;
+  }
+
+  &.form-control-lg .dropdown-toggle {
+    padding: 0.5rem 1rem;
+  }
+}
+
+.form-inline .bootstrap-select .form-control {
+  width: 100%;
+}
+
+.bootstrap-select {
+  &.disabled {
+    cursor: not-allowed;
+
+    &:focus {
+      outline: none !important;
+    }
+  }
+
+  > .disabled {
+    cursor: not-allowed;
+  }
+
+  > .disabled:focus {
+    outline: none !important;
+  }
+
+  &.bs-container {
+    position: absolute;
+    top: 0;
+    left: 0;
+    height: 0 !important;
+    padding: 0 !important;
+
+    .dropdown-menu {
+      z-index: 9998;
+    }
+  }
+
+  .dropdown-toggle {
+    &:before {
+      content: '';
+      display: inline-block;
+    }
+
+    .filter-option {
+      position: absolute;
+      top: 0;
+      left: 0;
+      padding-top: inherit;
+      padding-right: inherit;
+      padding-bottom: inherit;
+      padding-left: inherit;
+      height: 100%;
+      width: 100%;
+      text-align: left;
+    }
+
+    .filter-option-inner {
+      padding-right: inherit;
+    }
+
+    .filter-option-inner-inner {
+      overflow: hidden;
+    }
+
+    .caret {
+      position: absolute;
+      top: 50%;
+      right: 12px;
+      margin-top: -2px;
+      vertical-align: middle;
+    }
+  }
+}
+
+.input-group .bootstrap-select.form-control .dropdown-toggle {
+  border-radius: inherit;
+}
+
+.bootstrap-select {
+  &[class*="col-"] .dropdown-toggle {
+    width: 100%;
+  }
+
+  .dropdown-menu {
+    min-width: 100%;
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
+
+    > .inner:focus {
+      outline: none !important;
+    }
+
+    &.inner {
+      position: static;
+      float: none;
+      border: 0;
+      padding: 0;
+      margin: 0;
+      border-radius: 0;
+      -webkit-box-shadow: none;
+      box-shadow: none;
+    }
+
+    li {
+      position: relative;
+
+      &.active small {
+        color: rgba(255, 255, 255, 0.5) !important;
+      }
+
+      &.disabled a {
+        cursor: not-allowed;
+      }
+
+      a {
+        cursor: pointer;
+        -webkit-user-select: none;
+        -moz-user-select: none;
+        -ms-user-select: none;
+        user-select: none;
+
+        &.opt {
+          position: relative;
+          padding-left: 2.25em;
+        }
+
+        span {
+          &.check-mark {
+            display: none;
+          }
+
+          &.text {
+            display: inline-block;
+          }
+        }
+      }
+
+      small {
+        padding-left: 0.5em;
+      }
+    }
+
+    .notify {
+      position: absolute;
+      bottom: 5px;
+      width: 96%;
+      margin: 0 2%;
+      min-height: 26px;
+      padding: 3px 5px;
+      background: #f5f5f5;
+      border: 1px solid #e3e3e3;
+      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
+      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
+      pointer-events: none;
+      opacity: 0.9;
+      -webkit-box-sizing: border-box;
+      -moz-box-sizing: border-box;
+      box-sizing: border-box;
+    }
+  }
+
+  .no-results {
+    padding: 3px;
+    background: #f5f5f5;
+    margin: 0 5px;
+    white-space: nowrap;
+  }
+
+  &.fit-width .dropdown-toggle {
+    .filter-option {
+      position: static;
+      display: inline;
+      padding: 0;
+    }
+
+    .filter-option-inner, .filter-option-inner-inner {
+      display: inline;
+    }
+
+    .caret {
+      position: static;
+      top: auto;
+      margin-top: -1px;
+    }
+  }
+
+  &.show-tick .dropdown-menu {
+    .selected span.check-mark {
+      position: absolute;
+      display: inline-block;
+      right: 15px;
+      top: 5px;
+    }
+
+    li a span.text {
+      margin-right: 34px;
+    }
+  }
+
+  .bs-ok-default:after {
+    content: '';
+    display: block;
+    width: 0.5em;
+    height: 1em;
+    border-style: solid;
+    border-width: 0 0.26em 0.26em 0;
+    -webkit-transform: rotate(45deg);
+    -ms-transform: rotate(45deg);
+    -o-transform: rotate(45deg);
+    transform: rotate(45deg);
+  }
+
+  &.show-menu-arrow {
+    &.open > .dropdown-toggle, &.show > .dropdown-toggle {
+      z-index: 9999;
+    }
+
+    .dropdown-toggle .filter-option {
+      &:before {
+        content: '';
+        border-left: 7px solid transparent;
+        border-right: 7px solid transparent;
+        border-bottom: 7px solid rgba(204, 204, 204, 0.2);
+        position: absolute;
+        bottom: -4px;
+        left: 9px;
+        display: none;
+      }
+
+      &:after {
+        content: '';
+        border-left: 6px solid transparent;
+        border-right: 6px solid transparent;
+        border-bottom: 6px solid white;
+        position: absolute;
+        bottom: -4px;
+        left: 10px;
+        display: none;
+      }
+    }
+
+    &.dropup .dropdown-toggle .filter-option {
+      &:before {
+        bottom: auto;
+        top: -4px;
+        border-top: 7px solid rgba(204, 204, 204, 0.2);
+        border-bottom: 0;
+      }
+
+      &:after {
+        bottom: auto;
+        top: -4px;
+        border-top: 6px solid white;
+        border-bottom: 0;
+      }
+    }
+
+    &.pull-right .dropdown-toggle .filter-option {
+      &:before {
+        right: 12px;
+        left: auto;
+      }
+
+      &:after {
+        right: 13px;
+        left: auto;
+      }
+    }
+
+    &.open > .dropdown-toggle .filter-option:before, &.show > .dropdown-toggle .filter-option:before, &.open > .dropdown-toggle .filter-option:after, &.show > .dropdown-toggle .filter-option:after {
+      display: block;
+    }
+  }
+}
+
+.bs-searchbox, .bs-actionsbox, .bs-donebutton {
+  padding: 4px 8px;
+}
+
+.bs-actionsbox {
+  width: 100%;
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box;
+
+  .btn-group button {
+    width: 50%;
+  }
+}
+
+.bs-donebutton {
+  float: left;
+  width: 100%;
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box;
+
+  .btn-group button {
+    width: 100%;
+  }
+}
+
+.bs-searchbox {
+  + .bs-actionsbox {
+    padding: 0 8px 4px;
+  }
+
+  .form-control {
+    margin-bottom: 0;
+    width: 100%;
+    float: none;
+  }
+}
+
+/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
+ * Move checkmarks to left hand side of the dropdown.
+ */
+
+.bootstrap-select {
+  .dropdown-menu > li > a {
+    padding: 3px 20px 3px 30px;
+  }
+
+  &.show-tick .dropdown-menu .selected span.check-mark {
+    left: 10px;
+  }
+}
+
+/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
index 5d2e795095..06f4bf05a0 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
@@ -16,6 +16,11 @@
   border-radius: 0.5em 0.5em 0.5em 0.5em;
 }
 
+.widget-error {
+    margin: 50px;
+    color: #721c24;
+}
+
 .widget-content {
   position: relative;
   width: 100%;
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select.css
index d8cfa48d25..92411c3c74 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/bootstrap-select.css
@@ -160,7 +160,7 @@ select.selectpicker {
   padding: 0 !important;
 }
 .bootstrap-select.bs-container .dropdown-menu {
-  z-index: 1060;
+  z-index: 9998;
 }
 .bootstrap-select .dropdown-toggle:before {
   content: '';
@@ -305,7 +305,7 @@ select.selectpicker {
 }
 .bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
 .bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
-  z-index: 1061;
+  z-index: 9999;
 }
 .bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
   content: '';
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
index a6869e2a73..bbc8001a0c 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
@@ -16,6 +16,11 @@
   border-radius: 0.5em 0.5em 0.5em 0.5em;
 }
 
+.widget-error {
+    margin: 50px;
+    color: #721c24;
+}
+
 .widget-content {
     position: relative;
     width: 100%;

From 32ba9bfe238316aad679f195004f8a55538c0cb6 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 18 Jul 2024 14:41:08 +0200
Subject: [PATCH 1974/3088] www/caddy: Allow tooltips of caddy widgets to break
 out of modal (#4100)

* www/caddy: Allow tooltips of caddy widgets to break out of modal.

* www/caddy: Allow all resizes.

* www/caddy: Hide tooltip when the UI gets updated.
---
 .../src/opnsense/www/js/widgets/CaddyCertificate.js      | 9 +++++----
 www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js     | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
index 8ad40f3df1..f37eeca311 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -29,7 +29,6 @@ import BaseTableWidget from "./BaseTableWidget.js";
 export default class CaddyCertificate extends BaseTableWidget {
     constructor() {
         super();
-        this.resizeHandles = "e, w";
         this.tickTimeout = 30;
     }
 
@@ -80,6 +79,8 @@ export default class CaddyCertificate extends BaseTableWidget {
             return;
         }
 
+        $('.caddy-certificate-tooltip').tooltip('hide');
+
         let rows = certificates.map(certificate => {
             let colorClass = 'text-success';
             if (certificate.remaining_days === 0) {
@@ -93,8 +94,8 @@ export default class CaddyCertificate extends BaseTableWidget {
 
             let row = `
                 <div>
-                    <i class="fa fa-lock ${colorClass}" style="cursor: pointer;"
-                        data-toggle="tooltip" title="${statusText}">
+                    <i class="fa fa-lock ${colorClass} caddy-certificate-tooltip" style="cursor: pointer;"
+                        data-tooltip="caddy-certificate-${certificate.hostname}" title="${statusText}">
                     </i>
                     &nbsp;
                     <span><b>${certificate.hostname}</b></span>
@@ -112,6 +113,6 @@ export default class CaddyCertificate extends BaseTableWidget {
         super.updateTable('caddyCertificateTable', sortedRows);
 
         // Initialize tooltips for new elements
-        $('[data-toggle="tooltip"]').tooltip();
+        $('.caddy-certificate-tooltip').tooltip({container: 'body'});
     }
 }
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
index d0e5453152..be8bf92f9a 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -29,7 +29,6 @@ import BaseTableWidget from "./BaseTableWidget.js";
 export default class CaddyDomain extends BaseTableWidget {
     constructor() {
         super();
-        this.resizeHandles = "e, w";
     }
 
     getGridOptions() {
@@ -73,6 +72,8 @@ export default class CaddyDomain extends BaseTableWidget {
             return;
         }
 
+        $('.caddy-domain-tooltip').tooltip('hide');
+
         let rows = [];
         // Assuming domains is a combination of both reverse and subdomains
         for (const key in domains) {
@@ -88,8 +89,8 @@ export default class CaddyDomain extends BaseTableWidget {
             let row = $(`
                 <div class="caddy-info">
                     <div class="caddy-enabled">
-                        <i class="fa fa-globe ${colorClass}" style="cursor: pointer;"
-                            data-toggle="tooltip" title="${tooltipText}">
+                        <i class="fa fa-globe ${colorClass} caddy-domain-tooltip" style="cursor: pointer;"
+                            data-tooltip="caddy-domain-${domainPort}" title="${tooltipText}">
                         </i>
                         &nbsp;
                         <a class="caddy-domainport" href="/ui/caddy/reverse_proxy">
@@ -109,6 +110,6 @@ export default class CaddyDomain extends BaseTableWidget {
         super.updateTable('caddyDomainTable', rows.map(row => [row.html]));
 
         // Initialize tooltips for interactivity
-        $('[data-toggle="tooltip"]').tooltip();
+        $('.caddy-domain-tooltip').tooltip({container: 'body'});
     }
 }

From 8514b05cac1c08ab3e5e18b183d646f0bb85146a Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 19 Jul 2024 09:56:43 +0200
Subject: [PATCH 1975/3088] www/caddy: Add buttons to guide users,
 conditionally hide subdomain tab, simplify forms (#4102)

* www/caddy: Add buttons that guide the user to the right steps to create a reverse proxy, reducing friction.

* www/caddy: Cleanup the buttons and event listener.

* www/caddy: Move Subdomains to own tab and conditionally hide it when no wildcard domain is configured. Improve the wizard buttons that guide beginners.

* www/caddy: Remove stray comma.

* www/caddy: Add changelog. Wrap console error into lang function.

* www/caddy: Add css to make headers of bootgrids nicer.

* www/caddy: Focus the most used forms on the essential options to get a reverse proxy working. Hide advanced options.

* www/caddy: Move handle options out of advanced options into own header to make them better discoverable by user.

* www/caddy: Move TLS Insecure Skip Verify into plain sight, improving help text. This option is one of the most used ones.

* www/caddy: Fixed wrong variable assignement

* www/caddy: Hide obscurer options in the main general settings tab, focusing only on the essentials.
---
 www/caddy/pkg-descr                           |  2 +
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 37 +++++---
 .../Caddy/forms/dialogReverseProxy.xml        |  4 +-
 .../OPNsense/Caddy/forms/general.xml          |  2 +
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 93 ++++++++++++++++---
 5 files changed, 110 insertions(+), 28 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index fc2608ebf3..7ef7b776b7 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -30,6 +30,8 @@ Plugin Changelog
 Add: Run Caddy as "www" user and group, by enabling "Disable Superuser" in General Settings.
 Cleanup: Validations in general.volt are all appended to their form keys, instead of triggering a Bootstrap Dialog.
 Change: Description Fields are optional now, reducing the steps needed to create new entries.
+Add: Shortcuts to add new Domains and Handlers.
+Change: Subdomain Tab only appears when a wildcard domain has been configured.
 
 1.6.0
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index f467f6576d..85ac5b0c46 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -17,12 +17,22 @@
         <type>dropdown</type>
         <help><![CDATA[Select a subdomain to handle. Make sure to additionaly choose a wildcard domain as "Domain". Leave unset, if not using subdomains.]]></help>
     </field>
+    <field>
+        <id>handle.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this handler.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Handle</label>
+        <collapse>true</collapse>
+    </field>
     <field>
         <id>handle.HandleType</id>
         <label>Handle Type</label>
         <type>dropdown</type>
         <help><![CDATA[Choose a handling directive. "handle" (default) will keep the URI of "Handle URI" in all requests. "handle_path" will strip the URI of "Handle URI" from all requests.]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HandlePath</id>
@@ -30,12 +40,6 @@
         <type>text</type>
         <help><![CDATA[Enter an URI to handle. Choose a pattern like "/*" or "/example/*". Leave empty to catch all URIs (recommended). Any request matching this pattern will be handled.]]></help>
     </field>
-    <field>
-        <id>handle.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this handler.]]></help>
-    </field>
     <field>
         <type>header</type>
         <label>Access</label>
@@ -71,7 +75,7 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <hint>192.168.1.1</hint>
-        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be set in "Load Balancing"]]></help>
+        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration".]]></help>
     </field>
     <field>
         <id>handle.ToPort</id>
@@ -87,6 +91,17 @@
         <help><![CDATA[Enter a path prefix like "/guacamole" that should be prepended to the upstream request because the application demands it.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>handle.HttpTlsInsecureSkipVerify</id>
+        <label>TLS Insecure Skip Verify</label>
+        <type>checkbox</type>
+        <help><![CDATA[Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Health Check</label>
+        <collapse>true</collapse>
+    </field>
     <field>
         <id>handle.PassiveHealthFailDuration</id>
         <label>Upstream Fail Duration</label>
@@ -128,12 +143,6 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
     </field>
-    <field>
-        <id>handle.HttpTlsInsecureSkipVerify</id>
-        <label>TLS Insecure Skip Verify</label>
-        <type>checkbox</type>
-        <help><![CDATA[Disable the TLS handshake verification, making the connection insecure and vulnerable to man-in-the-middle attacks. Do not use in production if possible. When having issues with an upstream that only accepts TLS connections, enabling this option can mitigate them.]]></help>
-    </field>
     <field>
         <id>handle.HttpTlsTrustedCaCerts</id>
         <label>TLS Trust Pool</label>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 643db447de..eb8e1b3665 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -10,14 +10,14 @@
         <label>Domain</label>
         <type>text</type>
         <hint>example.com</hint>
-        <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". Using a base domain enables automatic "Let's Encrypt" and "ZeroSSL" certificates by default. For a wildcard domain, use "*.example.com". Only use wildcard domains with wildcard certificates, which require a DNS Provider.]]></help>
+        <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". Using a base domain enables automatic "Let's Encrypt" and "ZeroSSL" certificates by default. For a wildcard domain, use "*.example.com". Only use wildcard domains with wildcard certificates, which require a DNS Provider. Adding a wildcard domain and pressing "Apply" will activate the "Subdomain" Tab, in which subdomains can be configured.]]></help>
     </field>
     <field>
         <id>reverse.FromPort</id>
         <label>Port</label>
         <type>text</type>
         <hint>443</hint>
-        <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule.]]></help>
+        <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule. If the default ports have been changed in "General Settings", leaving this empty will use the chosen alternative ports instead.]]></help>
     </field>
     <field>
         <id>reverse.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 4e9a159a7b..54cdbba934 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -46,6 +46,7 @@
         <label>Trusted Proxies</label>
         <type>dropdown</type>
         <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>caddy.general.abort</id>
@@ -59,5 +60,6 @@
         <type>text</type>
         <hint>10</hint>
         <help><![CDATA[Defines the grace period for shutting down Caddy during a reload in seconds. During the grace period, no new connections are accepted, idle connections are closed, and active connections are impatiently waited upon to finish their requests. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close.]]></help>
+        <advanced>true</advanced>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index fb9bc191f1..9e2cea7c90 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -155,6 +155,7 @@
                     // Update only the service control UI for 'caddy'
                     showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
                     updateServiceControlUI('caddy');
+                    checkAndToggleSubdomainsTab();
                 } else {
                     console.error("{{ lang._('Action was not successful or an error occurred:') }}", data);
                 }
@@ -196,7 +197,7 @@
 
         // Control the visibility of selectpicker for filter by domain
         function toggleSelectPicker(tab) {
-            if (tab === 'handlesTab' || tab === 'domainsTab') {
+            if (tab === 'handlesTab' || tab === 'domainsTab' || tab === 'subdomainsTab') {
                 $('.common-filter').show();
             } else {
                 $('.common-filter').hide();
@@ -213,6 +214,61 @@
             toggleSelectPicker(currentTab);
         });
 
+        // Add click event listener for "Add Upstream" button
+        $("#addHandleBtn").on("click", function() {
+            if ($('#maintabs .active a').attr('href') === "#handlesTab") {
+                // Directly open the dialog if already in the Handles tab
+                $("#addReverseHandleBtn").click();
+            } else {
+                // Switch to the "Handlers" tab if not already there
+                $('#maintabs a[href="#handlesTab"]').tab('show').one('shown.bs.tab', function(e) {
+                    $("#addReverseHandleBtn").click();
+                });
+            }
+        });
+
+        // Add click event listener for "Add Domain" button
+        $("#addDomainBtn").on("click", function() {
+            if ($('#maintabs .active a').attr('href') === "#domainsTab") {
+                $("#addReverseProxyBtn").click();
+            } else {
+                $('#maintabs a[href="#domainsTab"]').tab('show').one('shown.bs.tab', function(e) {
+                    $("#addReverseProxyBtn").click();
+                });
+            }
+        });
+
+        // Check and set the visibility of the Subdomains tab on initial load
+        checkAndToggleSubdomainsTab();
+
+        // Function to check and toggle Subdomains tab
+        function checkAndToggleSubdomainsTab() {
+            $.ajax({
+                url: '/api/caddy/ReverseProxy/getAllReverseDomains',
+                type: 'GET',
+                dataType: 'json',
+                success: function(response) {
+                    let hasWildcard = response.rows.some(domain => domain.domainPort.startsWith('*'));
+                    toggleSubdomainsTab(hasWildcard);
+                },
+                error: function() {
+                    console.error("{{ lang._('Failed to load domain data from getAllReverseDomains') }}");
+                }
+            });
+        }
+
+        // Function to show or hide the Subdomains tab
+        function toggleSubdomainsTab(visible) {
+            let subdomainsTab = $('#maintabs a[href="#subdomainsTab"]').parent();
+            if (visible) {
+                subdomainsTab.show();
+            } else {
+                subdomainsTab.hide();
+                if (subdomainsTab.hasClass('active')) {
+                    $('#maintabs a[href="#domainsTab"]').tab('show');
+                }
+            }
+        }
     });
 </script>
 
@@ -223,20 +279,30 @@
         margin-right: 5px;
         padding: 0 15px;  // Align with the tables
     }
-
+    .custom-header {
+        font-weight: 800;
+        font-size: 16px;
+        font-style: italic;
+    }
 </style>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#domainsTab">{{ lang._('Domains') }}</a></li>
+    <li><a data-toggle="tab" href="#subdomainsTab">{{ lang._('Subdomains') }}</a></li>
     <li><a data-toggle="tab" href="#handlesTab">{{ lang._('Handlers') }}</a></li>
     <li><a data-toggle="tab" href="#accessTab">{{ lang._('Access') }}</a></li>
     <li><a data-toggle="tab" href="#headerTab">{{ lang._('Headers') }}</a></li>
 </ul>
 
 <div class="tab-content content-box">
-
-    <!-- Selectpicker for filter by domain -->
-    <div class="form-group common-filter">
+    <!-- Container using flexbox -->
+    <div class="form-group common-filter" style="display: flex; justify-content: space-between; align-items: center;">
+        <!-- Button group on the left -->
+        <div>
+            <button id="addDomainBtn" type="button" class="btn btn-secondary">{{ lang._('Step 1: Add Domain') }}</button>
+            <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add Upstream') }}</button>
+        </div>
+        <!-- Selectpicker on the right -->
         <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="348px" data-size="7" title="{{ lang._('Filter by Domain') }}">
             <!-- Options will be populated dynamically using JavaScript/Ajax -->
         </select>
@@ -246,7 +312,7 @@
     <div id="domainsTab" class="tab-pane fade in active">
         <div style="padding-left: 16px;">
             <!-- Reverse Proxy -->
-            <h1>{{ lang._('Domains') }}</h1>
+            <h1 class="custom-header">{{ lang._('Domains') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseProxyGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogReverseProxy" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -281,9 +347,12 @@
                 </table>
             </div>
         </div>
+    </div>
+
+    <!-- Subdomains Tab -->
+    <div id="subdomainsTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <!-- Subdomains -->
-            <h1>{{ lang._('Subdomains') }}</h1>
+            <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseSubdomainGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogSubdomain" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -319,7 +388,7 @@
     <!-- Handle Tab -->
     <div id="handlesTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1>{{ lang._('Handlers') }}</h1>
+            <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHandleGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHandle" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -367,7 +436,7 @@
     <div id="accessTab" class="tab-pane fade">
         <!-- Access Lists Section -->
         <div style="padding-left: 16px;">
-            <h1>{{ lang._('Access Lists') }}</h1>
+            <h1 class="custom-header">{{ lang._('Access Lists') }}</h1>
             <div style="display: block;">
                 <table id="accessListGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogAccessList" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -399,7 +468,7 @@
 
         <!-- Basic Auth Section -->
         <div style="padding-left: 16px;">
-            <h1>{{ lang._('Basic Auth') }}</h1>
+            <h1 class="custom-header">{{ lang._('Basic Auth') }}</h1>
             <div style="display: block;">
                 <table id="basicAuthGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogBasicAuth" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -429,7 +498,7 @@
     <!-- Header Tab -->
     <div id="headerTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1>{{ lang._('Headers') }}</h1>
+            <h1 class="custom-header">{{ lang._('Headers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
                     <thead>

From b97e975a571a56e394ed9635d4da26473243578c Mon Sep 17 00:00:00 2001
From: Fabian Franz BSc <fabianfrz@users.noreply.github.com>
Date: Fri, 19 Jul 2024 10:02:22 +0200
Subject: [PATCH 1976/3088] Limit CSP log file size (#4098)

---
 www/nginx/pkg-descr                                |  1 +
 .../OPNsense/Nginx/forms/security_headers.xml      |  6 ++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml        |  4 ++++
 .../src/opnsense/scripts/nginx/csp_report.php      | 14 ++++++++++++++
 .../service/templates/OPNsense/Nginx/http.conf     |  6 +++++-
 .../templates/OPNsense/Nginx/security_rule.conf    |  2 +-
 6 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 476eb0962f..35f74a4e09 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 * Add the option to not log TLS handshakes
 * Remove obsolete http2_push_preload directive
 * Migrate from the deprecated 'listen … http2' directive to the 'http2' directive
+* Limit CSP log file size (migration notice: if you want to keep CSP violations logged, you will need to enable logging in the security policy)
 
 1.33
 
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
index 2e7a4b839d..a35677195c 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/security_headers.xml
@@ -73,6 +73,12 @@
       <type>checkbox</type>
       <help>If checked, the Content Security Policy (CSP) header is enabled. A detailed configuration is still required via the other tabs of this sheet.</help>
     </field>
+    <field>
+      <id>security_header.csp_log_violations</id>
+      <label>Log violations</label>
+      <type>checkbox</type>
+      <help>If checked, the plugin collects CSP violation reports and stores one JSON document per line under /var/log/nginx/csp_violations.log. You can use that file to check for XSS attempts or broken web pages where the CSP denied access to a resource.</help>
+    </field>
     <field>
       <id>security_header.csp_report_only</id>
       <label>Report Only</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 6921fbacd9..7c0e82167e 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1369,6 +1369,10 @@
       <enable_csp type="BooleanField">
         <Required>Y</Required>
       </enable_csp>
+      <csp_log_violations type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </csp_log_violations>
       <csp_report_only type="BooleanField">
         <Required>Y</Required>
         <default>0</default>
diff --git a/www/nginx/src/opnsense/scripts/nginx/csp_report.php b/www/nginx/src/opnsense/scripts/nginx/csp_report.php
index 116707a096..47352bfc3a 100755
--- a/www/nginx/src/opnsense/scripts/nginx/csp_report.php
+++ b/www/nginx/src/opnsense/scripts/nginx/csp_report.php
@@ -27,6 +27,8 @@
  */
 
 $log_file = '/var/log/nginx/csp_violations.log';
+$max_file_size = 1024 * 1024 * 30; // 30 MiB
+$max_single_record_size = 1024 * 20; // 20 KiB
 
 // make sure we don't have any formatting issues here
 if (stristr($_SERVER['CONTENT_TYPE'], 'csp-report') === false) {
@@ -41,6 +43,18 @@
     $json_data['server_time'] = time();
     $json_data['server_uuid'] = $_SERVER['SERVER-UUID'];
     $json_data = json_encode($json_data);
+    if (strlen($json_data) > $max_single_record_size) {
+        echo "The payload is too large";
+        http_response_code(413);
+        exit(0);
+    }
+    if (file_exists($log_file)) {
+        if ((filesize($log_file) + strlen($json_data)) > $max_file_size) {
+            // silently drop the data
+            http_response_code(200);
+            exit(0);
+        }
+    }
     file_put_contents($log_file, $json_data . PHP_EOL, FILE_APPEND | LOCK_EX);
 } else {
     http_response_code(400);
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index c6e47f4fa2..87592f4b4e 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -294,7 +294,9 @@ server {
 {%   set ip_acl = server.ip_acl %}
 {%   include "OPNsense/Nginx/ipacl.conf" %}
 {% endif %}
-
+{% if server.security_header is defined and server.security_header != '' %}
+{% set security_rule = helpers.getUUID(server.security_header) %}
+{%   if security_rule is defined and security_rule.csp_log_violations is defined and security_rule.csp_log_violations == '1' %}
     location = /opnsense-report-csp-violation {
       include       fastcgi_params;
       fastcgi_param QUERY_STRING $query_string;
@@ -306,6 +308,8 @@ server {
       fastcgi_intercept_errors on;
       fastcgi_pass  unix:/var/run/php-webgui.socket;
     }
+{%   endif %}
+{% endif %}
     location /opnsense-auth-request {
       internal;
       fastcgi_pass  unix:/var/run/php-webgui.socket;
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
index 0a46c83a18..b7bb71e042 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/security_rule.conf
@@ -61,5 +61,5 @@
 {% do our_headers.append('Content-Security-Policy-Report-Only') %}
     add_header Content-Security-Policy{% if security_rule.csp_report_only is defined and security_rule.csp_report_only == '1' %}-Report-Only{% endif %} "{%
     for key, value in hash_csp.items() %}{{ key }} {{ value|join(' ') }}; {% endfor %}{#
-    #} report-uri /opnsense-report-csp-violation" always;
+    #}{% if security_rule.csp_log_violations is defined and security_rule.csp_log_violations == '1' %} report-uri /opnsense-report-csp-violation{% endif %}" always;
 {% endif %}

From 9a200512a19d121592fcef9f1cdc018d87b050db Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 19 Jul 2024 10:23:59 +0200
Subject: [PATCH 1977/3088] sysutils/dec-hw: style sweep

---
 sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js        | 6 +++---
 .../dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
index a5657599b5..b665d7d201 100644
--- a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
+++ b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
@@ -57,7 +57,7 @@ export default class DecHW extends BaseWidget {
             display: inline-block;
             }
         `;
-      
+
         const styleSheet = document.createElement("style");
         styleSheet.innerText = styles;
         document.head.appendChild(styleSheet);
@@ -71,7 +71,7 @@ export default class DecHW extends BaseWidget {
                 <div id="pwr2" class="data-item">
                     <strong>${this.translations.powersupply} 2</strong>
                 </div>
-            </div> 
+            </div>
         `);
     }
 
@@ -97,4 +97,4 @@ export default class DecHW extends BaseWidget {
 
         $('.power').tooltip({container: 'body'});
     }
-}
\ No newline at end of file
+}
diff --git a/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml b/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
index a059d6edb1..8eb8eccb18 100644
--- a/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
+++ b/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
@@ -12,4 +12,4 @@
             <powersupply>Power Supply</powersupply>
         </translations>
     </dechw>
-</metadata>
\ No newline at end of file
+</metadata>

From 7d837d7f6dbd7aab495150601a3223214689967c Mon Sep 17 00:00:00 2001
From: Tim <29161710+Tim-Sc@users.noreply.github.com>
Date: Mon, 22 Jul 2024 12:47:02 +0200
Subject: [PATCH 1978/3088] www/caddy: Add authentik auth provider (#4104)

---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  4 ++++
 .../OPNsense/Caddy/forms/authprovider.xml     |  2 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  1 +
 .../OPNsense/Caddy/includeAuthProvider        | 24 +++++++++++++++----
 5 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index cde2e39154..1c2aedae19 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.6.1
+PLUGIN_VERSION=		1.6.2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 7ef7b776b7..4c2b956051 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -25,6 +25,10 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.6.2
+
+* Add Authentik as authentication provider (contributed by Tim-Sc)
+
 1.6.1
 
 Add: Run Caddy as "www" user and group, by enabling "Disable Superuser" in General Settings.
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
index 1790ceda47..29527af136 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
@@ -3,7 +3,7 @@
         <id>caddy.general.AuthProvider</id>
         <label>Forward Auth Provider</label>
         <type>dropdown</type>
-        <help><![CDATA[Select a Forward Auth Provider. It can be added inside a "Handler" by enabling the "Forward Auth" checkbox. For Authelia only the basic subdomain example is supported. More information: https://www.authelia.com/integration/proxies/caddy/#basic-examples]]></help>
+        <help><![CDATA[Select a Forward Auth Provider. It can be added inside a "Handler" by enabling the "Forward Auth" checkbox. For Authelia only the basic subdomain example is supported. More information: https://www.authelia.com/integration/proxies/caddy/#basic-examples. For Authentik custom headers are not supported. More information: https://docs.goauthentik.io/docs/providers/proxy/server_caddy]]></help>
     </field>
     <field>
         <id>caddy.general.AuthToDomain</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index c5f3474de1..38cec5fc29 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -129,6 +129,7 @@
                 <BlankDesc>None (default)</BlankDesc>
                 <OptionValues>
                     <authelia>Authelia</authelia>
+                    <authentik>Authentik</authentik>
                 </OptionValues>
             </AuthProvider>
             <AuthToDomain type="HostnameField"/>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
index 4bf4b09ef6..8dd207f85e 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
@@ -2,12 +2,28 @@
 # This file gets imported to configure forward auth in handlers.
 # - Section: Reverse Proxy Configurations
 #}
-{% if generalSettings.AuthProvider == 'authelia' %}
+{% if generalSettings.AuthProvider %}
     {# Check if the domain is IPv6 and wrap in square brackets if necessary #}
     {% set is_ipv6 = (':' in generalSettings.AuthToDomain and generalSettings.AuthToDomain.count(':') >= 2) %}
-    forward_auth {% if generalSettings.AuthToTls|default("0") == "1" %}https://{% endif %}{{ '[' if is_ipv6 else '' }}{{ generalSettings.AuthToDomain|default("") }}{{ ']' if is_ipv6 else '' }}{% if generalSettings.AuthToPort %}:{{ generalSettings.AuthToPort }}{% endif %} {
-    {% if generalSettings.AuthToUri %}uri {{ generalSettings.AuthToUri|default("") }}{% endif %}
-
+    {% set auth_url = (generalSettings.AuthToTls|default("0") == "1" and 'https://' or 'http://') + (is_ipv6 and '[' or '') + generalSettings.AuthToDomain|default("") + (is_ipv6 and ']' or '') + (generalSettings.AuthToPort and ':' + generalSettings.AuthToPort or '') %}
+{% endif %}
+{% if generalSettings.AuthProvider == 'authelia' %}
+    forward_auth {{ auth_url }} {
+    {% if generalSettings.AuthToUri %}
+        uri {{ generalSettings.AuthToUri|default("") }}
+    {% endif %}
     copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
     }
+{% elif generalSettings.AuthProvider == 'authentik' %}
+    reverse_proxy /outpost.goauthentik.io/* {{ auth_url }} {
+    {% if generalSettings.AuthToTls|default("0") == "1" %}
+        header_up Host {http.reverse_proxy.upstream.hostport}
+    {% endif %}
+    }
+    forward_auth {{ auth_url }} {
+    {% if generalSettings.AuthToUri %}
+        uri {{ generalSettings.AuthToUri|default("") }}
+    {% endif %}
+    copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    }
 {% endif %}

From 44abf3ff228b66935f55c48619a466efd9e60d57 Mon Sep 17 00:00:00 2001
From: Chris Helming <7746625+chelming@users.noreply.github.com>
Date: Mon, 22 Jul 2024 06:47:34 -0400
Subject: [PATCH 1979/3088] allow : in FreeRADIUS user and password (#3976)

---
 .../OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml    | 4 ++--
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
index e6fc8d7484..e025a865a5 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
@@ -9,13 +9,13 @@
         <id>user.username</id>
         <label>Username</label>
         <type>text</type>
-        <help>Set the unique username for the user. Allowed characters are 0-9, a-z, A-Z, and ._-@/</help>
+        <help>Set the unique username for the user. Allowed characters are 0-9, a-z, A-Z, and ._-@/:</help>
     </field>
     <field>
         <id>user.password</id>
         <label>Password</label>
         <type>password</type>
-        <help>Set the password for the user. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#= with up to 128 characters.</help>
+        <help>Set the password for the user. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#=: with up to 128 characters.</help>
     </field>
     <field>
         <id>user.passwordencryption</id>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index 506ab2d3f9..589798ce4a 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -11,11 +11,11 @@
                 </enabled>
                 <username type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z@._\-\/]){1,128}$/u</mask>
+                    <mask>/^([0-9a-zA-Z@._\-\/:]){1,128}$/u</mask>
                 </username>
                 <password type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}]){1,128}$/u</mask>
+                    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</mask>
                 </password>
                 <passwordencryption type="OptionField">
                     <default>Cleartext-Password</default>

From 317b84c0b9e5c6ab6a3b4a15d20dd8f8ab950893 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 23 Jul 2024 11:31:49 +0200
Subject: [PATCH 1980/3088] net/freeradius: wrap up new version

---
 net/freeradius/Makefile  | 2 +-
 net/freeradius/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index ae9ecd3b7b..1c54bc9fab 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.23
+PLUGIN_VERSION=		1.9.24
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 3d8d1afa8f..b5e7b176f3 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.24
+
+* Allow ":" character in usernames and passwords (contributed by Chris Helming)
+
 1.9.23
 
 * Support NT hash of user password (contributed by Stuart McLaren)

From 30fe0beda936ee1b379eb50d248d8013629016e4 Mon Sep 17 00:00:00 2001
From: Jonny5 <jonny5@nova-labs.net>
Date: Tue, 23 Jul 2024 11:58:22 -0500
Subject: [PATCH 1981/3088] using latest Snort V2 Snapshot available (#4110)

---
 .../src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/intrusion-detection-content-snort-vrt/src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml b/security/intrusion-detection-content-snort-vrt/src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml
index 699ef07494..caca730d05 100644
--- a/security/intrusion-detection-content-snort-vrt/src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml
+++ b/security/intrusion-detection-content-snort-vrt/src/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml
@@ -123,6 +123,6 @@
 	</files>
 	<properties>
 		<property name="snort_vrt.oinkcode" default=""/>
-		<property name="snort_vrt.rulesfile" default="snortrules-snapshot-29151.tar.gz"/>
+		<property name="snort_vrt.rulesfile" default="snortrules-snapshot-29200.tar.gz"/>
 	</properties>
 </ruleset>

From 7a533a171bd24d92f465fbadd238223495e5e4aa Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Sun, 21 Jul 2024 15:44:06 +0100
Subject: [PATCH 1982/3088] net/udpbroadcastrelay: update controller interface
 for 24.7; closes #4107

---
 net/udpbroadcastrelay/Makefile                           | 2 +-
 .../OPNsense/UDPBroadcastRelay/Api/ServiceController.php | 9 ---------
 2 files changed, 1 insertion(+), 10 deletions(-)

diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index 938cadc201..b57ee6954e 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		udpbroadcastrelay
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Control udpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
index b64d378d5f..c036ae0c0b 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
@@ -45,9 +45,6 @@ class ServiceController extends ApiMutableModelControllerBase
     public function statusAction($uuid)
     {
         $result = array("result" => "failed", "function" => "status");
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         if ($uuid != null) {
             $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
             $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
@@ -127,9 +124,6 @@ public function restartAction($uuid)
     public function configAction()
     {
         $result = array("result" => "failed", "function" => "config");
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         $result['result'] = $this->callBackend('template');
         return $result;
     }
@@ -140,9 +134,6 @@ public function configAction()
      */
     public function reloadAction()
     {
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         $result = $this->configAction();
         if ($result['result'] == 'OK') {
             $result['function'] = "reload";

From e7532ede032ec03f97b64d6a21358487a65140cd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 26 Jul 2024 08:05:21 +0200
Subject: [PATCH 1983/3088] plugins: move to 24.7

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index f1a2f19ad5..66e93ec686 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -45,7 +45,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	24.1
+PLUGIN_ABI?=	24.7
 .endif
 
 PHPBIN=		${LOCALBASE}/bin/php

From 296382b5f541f903e41fecfae8cde0d25d8adadc Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 27 Jul 2024 22:18:27 +0200
Subject: [PATCH 1984/3088] security/acme-client: fix missing log entries in
 GUI

---
 security/acme-client/pkg-descr                                 | 3 +++
 .../src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt   | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index fc19354bf1..433586dc61 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,9 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+Fixed:
+* fix empty System Log
+
 4.4
 
 Fixed:
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
index 78f1d5e6f1..debf4ef220 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
@@ -1,4 +1,5 @@
 {#
+ # Copyright (c) 2024 Frank Wall
  # Copyright (c) 2019 Deciso B.V.
  # All rights reserved.
  #
@@ -37,7 +38,7 @@
               rowCount:[20,50,100,200,500,1000,-1],
               requestHandler: function(request){
                   // Show only log entries that match 'AcmeClient'
-                  request['searchPhrase'] = 'AcmeClient';
+                  request['searchPhrase'] = 'acmeclient';
                   return request;
               },
           },

From c44b1e47aa8220aaf5df05af77c6ef7e71a63573 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 27 Jul 2024 22:18:46 +0200
Subject: [PATCH 1985/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index d4b6e46e62..bf86a1de3c 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.4
+PLUGIN_VERSION=		4.5
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 433586dc61..026be3a675 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,8 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.5
+
 Fixed:
 * fix empty System Log
 

From 7ce10697f2edd59b4f773edc2b2fc6af347f869e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 27 Jul 2024 22:38:25 +0200
Subject: [PATCH 1986/3088] security/acme-client: adjust HAProxy related
 logging, fixes #3860

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/Api/SettingsController.php     | 28 +++++++++----------
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 026be3a675..f9eafa908d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Fixed:
 * fix empty System Log
+* avoid unnecessary error log messages (#3860)
 
 4.4
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index f631fb8bb1..695239e5b8 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -134,12 +134,6 @@ public function fetchHAProxyIntegrationAction()
         if ($this->request->isPost()) {
             $mdlAcme = $this->getModel();
 
-            // Check if the required plugin is installed
-            if ((string)$mdlAcme->isPluginInstalled('haproxy') != "1") {
-                $this->getLogger()->error("AcmeClient: HAProxy plugin is NOT installed, skipping integration");
-                return($result);
-            }
-
             // Setup only if AcmeClient and HAProxy integration is enabled.
             // NOTE: We provide HAProxy integration no matter if the HAProxy plugin
             //       is actually enabled or not. This should avoid confusion.
@@ -147,6 +141,12 @@ public function fetchHAProxyIntegrationAction()
                 (string)$mdlAcme->settings->haproxyIntegration == "1" and
                 (string)$mdlAcme->settings->enabled == "1"
             ) {
+                // Check if the required plugin is installed
+                if ((string)$mdlAcme->isPluginInstalled('haproxy') != "1") {
+                    $this->getLogger()->error("AcmeClient: HAProxy plugin is NOT installed, skipping integration");
+                    return($result);
+                }
+
                 $mdlHAProxy = new \OPNsense\HAProxy\HAProxy();
                 $backend = new Backend();
 
@@ -209,7 +209,7 @@ public function fetchHAProxyIntegrationAction()
 
                 // Check if HAProxy integration is already complete.
                 if ($integration_found and $integration_complete) {
-                    $this->getLogger()->error("AcmeClient: HAProxy integration is complete");
+                    $this->getLogger()->notice("AcmeClient: HAProxy integration is complete");
                 } else {
                     $integration_changes = true;
                     /**
@@ -226,25 +226,25 @@ public function fetchHAProxyIntegrationAction()
                         // Remove obsolete backend item
                         if (!empty($backend_ref)) {
                             if ($mdlHAProxy->backends->backend->del($backend_ref)) {
-                                $this->getLogger()->error("AcmeClient: HAProxy integration: deleted obsolete backend item");
+                                $this->getLogger()->info("AcmeClient: HAProxy integration: deleted obsolete backend item");
                             }
                         }
                         // Remove obsolete server item
                         if (!empty($server_ref)) {
                             if ($mdlHAProxy->servers->server->del($server_ref)) {
-                                $this->getLogger()->error("AcmeClient: HAProxy integration: deleted obsolete server item");
+                                $this->getLogger()->info("AcmeClient: HAProxy integration: deleted obsolete server item");
                             }
                         }
                         // Remove obsolete action item
                         if (!empty($action_ref)) {
                             if ($mdlHAProxy->actions->action->del($action_ref)) {
-                                $this->getLogger()->error("AcmeClient: HAProxy integration: deleted obsolete action item");
+                                $this->getLogger()->info("AcmeClient: HAProxy integration: deleted obsolete action item");
                             }
                         }
                         // Remove obsolete ACL item
                         if (!empty($acl_ref)) {
                             if ($mdlHAProxy->acls->acl->del($acl_ref)) {
-                                $this->getLogger()->error("AcmeClient: HAProxy integration: deleted obsolete ACL item");
+                                $this->getLogger()->info("AcmeClient: HAProxy integration: deleted obsolete ACL item");
                             }
                         }
                         // TODO: Remove obsolete ACL link from frontends
@@ -253,7 +253,7 @@ public function fetchHAProxyIntegrationAction()
                         //       will be overwritten later anyway.
                         $result['result'] = "repaired";
                     } else {
-                        $this->getLogger()->error("AcmeClient: HAProxy integration initializing");
+                        $this->getLogger()->info("AcmeClient: HAProxy integration initializing");
                         $result['result'] = "new";
                     }
 
@@ -354,7 +354,7 @@ public function fetchHAProxyIntegrationAction()
                                     }
                                     // Add modified list of linked Actions to frontend.
                                     $frontend->linkedActions = $_actions;
-                                    $this->getLogger()->error("AcmeClient: HAProxy integration: updating frontend {$_frontend}");
+                                    $this->getLogger()->info("AcmeClient: HAProxy integration: updating frontend {$_frontend}");
                                     // We need to write changes to config.
                                     $integration_changes = true;
                                 }
@@ -365,7 +365,7 @@ public function fetchHAProxyIntegrationAction()
 
                 // Changes made to configuration?
                 if ($integration_changes === true) {
-                    $this->getLogger()->error("AcmeClient: HAProxy integration: saving updated configuration");
+                    $this->getLogger()->info("AcmeClient: HAProxy integration: saving updated configuration");
                     // Save updated configuration.
                     // Do NOT validate because the current in-memory model doesn't know about the
                     // HAProxy items just created.

From 6318a3aea13e2d4b13654d126e268222bd958ce6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 27 Jul 2024 22:47:59 +0200
Subject: [PATCH 1987/3088] security/acme-client: fix log severity, closes
 #3955

---
 security/acme-client/pkg-descr                                  | 1 +
 .../opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php  | 2 +-
 .../opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php    | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f9eafa908d..1573627ff1 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 Fixed:
 * fix empty System Log
 * avoid unnecessary error log messages (#3860)
+* don't log errors for successful commands (#3955)
 
 4.4
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 7ff90ceda9..5443f60bbc 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -228,7 +228,7 @@ public function register()
             $this->fixConfig();
 
             // Update account status.
-            LeUtils::log_error('account registration successful for ' . $this->config->name);
+            LeUtils::log_debug('account registration successful for ' . $this->config->name);
             $this->setStatus(200);
         } else {
             LeUtils::log_debug('account already registered: ' . (string)$this->config->name, $this->debug);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index abc57c4e58..e4ed20c783 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -209,7 +209,7 @@ public static function run_shell_command($proc_cmd, $proc_env = array())
 
             // Get exit code
             $result = proc_close($proc);
-            log_error(sprintf("AcmeClient: The shell command returned exit code '%d': '%s'", $result, $proc_cmd));
+            log_debug(sprintf("AcmeClient: The shell command returned exit code '%d': '%s'", $result, $proc_cmd));
             return($result);
         } else {
             log_error(sprintf("AcmeClient: Unable to prepare shell command '%s'", $proc_cmd));

From 1d5bb7781db65dcd25dd74949492bd3bd36ec696 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sat, 27 Jul 2024 23:18:50 +0200
Subject: [PATCH 1988/3088] security/acme-client: fix more PHP deprecation
 messages, closes #4008

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/Api/AccountsController.php     |  2 +-
 .../AcmeClient/Api/CertificatesController.php | 10 ++++-----
 .../library/OPNsense/AcmeClient/LeAccount.php |  4 ++--
 .../AcmeClient/LeAutomationFactory.php        |  6 ++---
 .../OPNsense/AcmeClient/LeCertificate.php     | 12 +++++-----
 .../library/OPNsense/AcmeClient/LeCommon.php  |  8 +++----
 .../library/OPNsense/AcmeClient/LeUtils.php   |  6 ++---
 .../OPNsense/AcmeClient/LeValidation/Base.php |  4 ++--
 .../AcmeClient/LeValidation/DnsGcloud.php     | 18 +++++++--------
 .../AcmeClient/LeValidation/DnsNsupdate.php   |  4 ++--
 .../AcmeClient/LeValidation/DnsTransip.php    |  2 +-
 .../AcmeClient/LeValidation/HttpOpnsense.php  | 22 +++++++++----------
 .../AcmeClient/LeValidation/TlsalpnAcme.php   | 22 +++++++++----------
 .../AcmeClient/LeValidationFactory.php        |  6 ++---
 15 files changed, 64 insertions(+), 63 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 1573627ff1..fe4be7ab65 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,7 @@ Fixed:
 * fix empty System Log
 * avoid unnecessary error log messages (#3860)
 * don't log errors for successful commands (#3955)
+* fix more PHP deprecation messages (#4008)
 
 4.4
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
index 922850399f..120e7cd9c7 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
@@ -92,7 +92,7 @@ public function registerAction($uuid)
                 $node = $mdlAcme->getNodeByReference('accounts.account.' . $uuid);
                 if ($node != null) {
                     $backend = new Backend();
-                    $response = $backend->configdRun("acmeclient register-account ${uuid}");
+                    $response = $backend->configdRun("acmeclient register-account {$uuid}");
                     return array("response" => $response);
                 }
             }
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
index e72baa6307..b76adefd7d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
@@ -104,7 +104,7 @@ public function signAction($uuid)
                 $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
                 if ($node != null) {
                     $backend = new Backend();
-                    $response = $backend->configdRun("acmeclient sign-cert ${uuid}");
+                    $response = $backend->configdRun("acmeclient sign-cert {$uuid}");
                     return array("response" => $response);
                 }
             }
@@ -125,7 +125,7 @@ public function removekeyAction($uuid)
             $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
             if ($node != null) {
                 $backend = new Backend();
-                $response = $backend->configdRun("acmeclient remove-key ${uuid}");
+                $response = $backend->configdRun("acmeclient remove-key {$uuid}");
             }
         }
         return $result;
@@ -146,7 +146,7 @@ public function revokeAction($uuid)
                 $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
                 if ($node != null) {
                     $backend = new Backend();
-                    $response = $backend->configdRun("acmeclient revoke-cert ${uuid}");
+                    $response = $backend->configdRun("acmeclient revoke-cert {$uuid}");
                     return array("response" => $response);
                 }
             }
@@ -167,7 +167,7 @@ public function automationAction($uuid)
             $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
             if ($node != null) {
                 $backend = new Backend();
-                $response = $backend->configdRun("acmeclient run-automation ${uuid}");
+                $response = $backend->configdRun("acmeclient run-automation {$uuid}");
             }
         }
         return $result;
@@ -186,7 +186,7 @@ public function importAction($uuid)
             $node = $mdlAcme->getNodeByReference('certificates.certificate.' . $uuid);
             if ($node != null) {
                 $backend = new Backend();
-                $response = $backend->configdRun("acmeclient import ${uuid}");
+                $response = $backend->configdRun("acmeclient import {$uuid}");
             }
         }
         return $result;
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 5443f60bbc..682c2ed7f3 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -131,7 +131,7 @@ public function generateKey()
                 // Read account key file
                 $account_key_content = @file_get_contents($account_key_file);
                 if (empty($account_key_content) || ($account_key_content == false)) {
-                    LeUtils::log_error("unable to read account key from file ${account_key_file}");
+                    LeUtils::log_error("unable to read account key from file {$account_key_file}");
                     $this->setStatus(500);
                     return false;
                 }
@@ -257,7 +257,7 @@ public function fixConfig()
                 // Convert array back to ini file format
                 $new_account_conf = array();
                 foreach ($account_conf as $key => $value) {
-                    $new_account_conf[] = "${key}='${value}'";
+                    $new_account_conf[] = "{$key}='{$value}'";
                 }
 
                 // Write changes back to file
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
index 044b5d8400..ec068df483 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomationFactory.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
@@ -50,7 +50,7 @@ public function getAutomation(string $uuid)
         $model = new \OPNsense\AcmeClient\AcmeClient();
         $obj = $model->getNodeByReference(self::CONFIG_PATH . '.' . $uuid);
         if ($obj == null) {
-            LeUtils::log_error("automation not found: ${uuid}");
+            LeUtils::log_error("automation not found: {$uuid}");
             return null;
         }
 
@@ -75,7 +75,7 @@ public function getAutomation(string $uuid)
             }
         }
 
-        LeUtils::log_error("automation not supported: " . (string)$obj->type . " (${uuid})");
+        LeUtils::log_error("automation not supported: " . (string)$obj->type . " ({$uuid})");
         return null;
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 0b319d34b1..9df9e88081 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -130,7 +130,7 @@ public function import(bool $skip_validation = false)
         clearstatcache(); // don't let the cache fool us
         foreach (array($this->cert_file, $this->cert_key_file, $this->cert_chain_file, $this->cert_fullchain_file) as $file) {
             if (!is_file($file)) {
-                LeUtils::log_error("unable to import certificate " . $this->config->name . ", file not found: ${file}");
+                LeUtils::log_error("unable to import certificate " . $this->config->name . ", file not found: {$file}");
                 Config::getInstance()->unlock();
                 return false;
             }
@@ -191,7 +191,7 @@ public function import(bool $skip_validation = false)
             }
         } else {
             // Create new CA
-            LeUtils::log("importing ACME CA: ${ca_cn}");
+            LeUtils::log("importing ACME CA: {$ca_cn}");
             $newca = Config::getInstance()->object()->addChild('ca');
             foreach (array_keys($ca) as $cacfg) {
                 $newca->addChild($cacfg, (string)$ca[$cacfg]);
@@ -288,7 +288,7 @@ public function import(bool $skip_validation = false)
                 $newcert->addChild($certcfg, (string)$cert[$certcfg]);
             }
         }
-        LeUtils::log("${import_log_message} ACME X.509 certificate: ${cert_cn}");
+        LeUtils::log("{$import_log_message} ACME X.509 certificate: {$cert_cn}");
 
         /**
          * Step 3: update configuration
@@ -361,7 +361,7 @@ public function issue()
             LeUtils::log('auto renewal is disabled for certificate: ' . (string)$this->config->name);
             return false;
         }
-        LeUtils::log("${acme_action} certificate: " . (string)$this->config->name);
+        LeUtils::log("{$acme_action} certificate: " . (string)$this->config->name);
         LeUtils::log('using CA: ' . $this->ca);
 
         // Ensure that account is registered.
@@ -375,7 +375,7 @@ public function issue()
         $configdir = (string)sprintf(self::ACME_CONFIG_DIR, (string)$this->config->id);
         foreach (array($certdir, $keydir, $configdir) as $dir) {
             if (!is_dir($dir)) {
-                LeUtils::log_debug("creating directory: ${dir}", $this->debug);
+                LeUtils::log_debug("creating directory: {$dir}", $this->debug);
                 mkdir($dir, 0700, true);
             }
         }
@@ -606,7 +606,7 @@ public function runAutomations()
                     $automation->run();
                 }
             } else {
-                LeUtils::log_error("ignoring invalid automation: ${auto_uuid}");
+                LeUtils::log_error("ignoring invalid automation: {$auto_uuid}");
             }
         }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
index d224cf9fa7..7f60fe0666 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCommon.php
@@ -125,9 +125,9 @@ public function loadConfig(string $path, string $uuid)
     {
         // Get config object
         $model = new \OPNsense\AcmeClient\AcmeClient();
-        $obj = $model->getNodeByReference("${path}.${uuid}");
+        $obj = $model->getNodeByReference("{$path}.{$uuid}");
         if ($obj == null) {
-            LeUtils::log_error("config of type ${path} not found: ${uuid}");
+            LeUtils::log_error("config of type {$path} not found: {$uuid}");
             return false;
         }
         // Store config objects
@@ -153,9 +153,9 @@ public function setCa(string $uuid)
     {
         // Get account config object
         $model = new \OPNsense\AcmeClient\AcmeClient();
-        $obj = $model->getNodeByReference("accounts.account.${uuid}");
+        $obj = $model->getNodeByReference("accounts.account.{$uuid}");
         if (empty($obj) || $obj == null) {
-            LeUtils::log_error("unable to set CA, account not found: ${uuid}");
+            LeUtils::log_error("unable to set CA, account not found: {$uuid}");
             return false;
         }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index e4ed20c783..90db372932 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -155,7 +155,7 @@ public static function local_cert_get_subject_array($str_crt, $decode = true)
      */
     public static function log($msg)
     {
-        syslog(LOG_NOTICE, "AcmeClient: ${msg}");
+        syslog(LOG_NOTICE, "AcmeClient: {$msg}");
     }
 
     /**
@@ -164,7 +164,7 @@ public static function log($msg)
     public static function log_debug($msg, bool $debug = false)
     {
         if ($debug) {
-            syslog(LOG_NOTICE, "AcmeClient: ${msg}");
+            syslog(LOG_NOTICE, "AcmeClient: {$msg}");
         }
     }
 
@@ -173,7 +173,7 @@ public static function log_debug($msg, bool $debug = false)
      */
     public static function log_error($msg)
     {
-        syslog(LOG_ERR, "AcmeClient: ${msg}");
+        syslog(LOG_ERR, "AcmeClient: {$msg}");
     }
 
     /**
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 03e229f01c..b28effbb6d 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -58,7 +58,7 @@ public function init(string $certid, string $accountuuid, bool $certecc = false)
         // Get account object to query ID
         $account = new LeAccount($accountuuid);
         if (empty($account) || $account == null) {
-            LeUtils::log_error("unable to load account information: ${accountuuid}");
+            LeUtils::log_error("unable to load account information: {$accountuuid}");
             return false;
         }
 
@@ -164,7 +164,7 @@ public function run(bool $renew = false)
         // will never change.
         $acmecmd = self::ACME_CMD
           . ' '
-          . "--${acme_action} "
+          . "--{$acme_action} "
           . implode(' ', $this->acme_args) . ' '
           . LeUtils::execSafe('--accountconf %s', $account_conf_file);
         LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
index 5b3f35ce1f..e22558eed8 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGcloud.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -56,7 +56,7 @@ public function prepare()
                 LeUtils::log_error('unable to extract project name from Google Cloud DNS JSON key');
                 return false;
             } else {
-                LeUtils::log("Google Cloud DNS project name: ${gcloud_project}");
+                LeUtils::log("Google Cloud DNS project name: {$gcloud_project}");
             }
         } else {
             LeUtils::log('no key for Google Cloud DNS was specified');
@@ -66,8 +66,8 @@ public function prepare()
         // Preparations to run gcloud CLI.
         // NOTE: Never versions of gcloud SDK no longer allow dots in config names.
         $val_id = str_replace('.', '-', (string)$this->config->id);
-        $gcloud_config = "acme-${val_id}";
-        $gcloud_key_file = '/tmp/acme_' . (string)$this->config->dns_service . "_${val_id}.json";
+        $gcloud_config = "acme-{$val_id}";
+        $gcloud_key_file = '/tmp/acme_' . (string)$this->config->dns_service . "_{$val_id}.json";
         file_put_contents($gcloud_key_file, (string)$this->config->dns_gcloud_key);
         chmod($gcloud_key_file, 0600);
         $proc_env['CLOUDSDK_PYTHON'] = '/usr/local/bin/python3';
@@ -75,11 +75,11 @@ public function prepare()
         $proc_env['CLOUDSDK_CORE_PROJECT'] = $gcloud_project;
 
         // Ensure that a working gcloud config exists.
-        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config configurations create ${gcloud_config}", $proc_env);
-        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config configurations activate ${gcloud_config}", $proc_env);
-        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet auth activate-service-account --key-file=${gcloud_key_file}", $proc_env);
-        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config set account ${gcloud_account}", $proc_env);
-        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config set project ${gcloud_project}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config configurations create {$gcloud_config}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config configurations activate {$gcloud_config}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet auth activate-service-account --key-file={$gcloud_key_file}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config set account {$gcloud_account}", $proc_env);
+        LeUtils::run_shell_command("/usr/local/bin/gcloud --quiet config set project {$gcloud_project}", $proc_env);
 
         // Save config for acme client.
         $this->acme_env['CLOUDSDK_PYTHON'] = '/usr/local/bin/python3';
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
index 4d6f349d58..9992767510 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -40,7 +40,7 @@ class DnsNsupdate extends Base implements LeValidationInterface
     public function prepare()
     {
         $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_id);
-        $secret_key_filename = "${configdir}/secret.key";
+        $secret_key_filename = "{$configdir}/secret.key";
         $secret_key_data = (string)$this->config->dns_nsupdate_key . "\n";
         file_put_contents($secret_key_filename, $secret_key_data);
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
index 5811202e5d..4d9dc3b5f7 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
@@ -40,7 +40,7 @@ class DnsTransip extends Base implements LeValidationInterface
     public function prepare()
     {
         $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_id);
-        $secret_key_filename = "${configdir}/secret.key";
+        $secret_key_filename = "{$configdir}/secret.key";
         $secret_key_data = (string)$this->config->dns_transip_key . "\n";
         file_put_contents($secret_key_filename, $secret_key_data);
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 7c133f44b0..81838ffdd5 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -55,7 +55,7 @@ public function prepare()
             $dnslist[] = $this->cert_name;
             foreach ($dnslist as $fqdn) {
                 // NOTE: This may take some time.
-                $ip_found = gethostbyname("${fqdn}.");
+                $ip_found = gethostbyname("{$fqdn}.");
                 if (!empty($ip_found)) {
                     $iplist[] = (string)$ip_found;
                 }
@@ -96,16 +96,16 @@ public function prepare()
                     // IPv4
                     $_dst = '127.0.0.1';
                     $_family = 'inet';
-                    LeUtils::log("using IPv4 address: ${ip}");
+                    LeUtils::log("using IPv4 address: {$ip}");
                 } elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
                     // IPv6
                     $_dst = '::1';
                     $_family = 'inet6';
-                    LeUtils::log("using IPv6 address: ${ip}");
+                    LeUtils::log("using IPv6 address: {$ip}");
                 } else {
                     continue; // skip broken entries
                 }
-                $anchor_rules .= "rdr pass ${_family} proto tcp from any to ${ip} port 80 -> ${_dst} port ${local_http_port}\n";
+                $anchor_rules .= "rdr pass {$_family} proto tcp from any to {$ip} port 80 -> {$_dst} port {$local_http_port}\n";
             }
         } else {
             LeUtils::log_error("no IP addresses found to setup port forward");
@@ -120,12 +120,12 @@ public function prepare()
 
         // Create temporary port forward to allow acme challenges to get through
         $anchor_setup = "rdr-anchor \"acme-client\"\n";
-        file_put_contents("${configdir}/acme_anchor_setup", $anchor_setup);
-        chmod("${configdir}/acme_anchor_setup", 0600);
-        mwexec("/sbin/pfctl -f ${configdir}/acme_anchor_setup");
-        file_put_contents("${configdir}/acme_anchor_rules", $anchor_rules);
-        chmod("${configdir}/acme_anchor_rules", 0600);
-        mwexec("/sbin/pfctl -a acme-client -f ${configdir}/acme_anchor_rules");
+        file_put_contents("{$configdir}/acme_anchor_setup", $anchor_setup);
+        chmod("{$configdir}/acme_anchor_setup", 0600);
+        mwexec("/sbin/pfctl -f {$configdir}/acme_anchor_setup");
+        file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules);
+        chmod("{$configdir}/acme_anchor_rules", 0600);
+        mwexec("/sbin/pfctl -a acme-client -f {$configdir}/acme_anchor_rules");
     }
 
     public function cleanup()
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index d0fbbfd9c3..9904e5d31c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2021 Frank Wall
+ * Copyright (C) 2021-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -56,7 +56,7 @@ public function prepare()
             $dnslist[] = $this->cert_name;
             foreach ($dnslist as $fqdn) {
                 // NOTE: This may take some time.
-                $ip_found = gethostbyname("${fqdn}.");
+                $ip_found = gethostbyname("{$fqdn}.");
                 if (!empty($ip_found)) {
                     $iplist[] = (string)$ip_found;
                 }
@@ -97,16 +97,16 @@ public function prepare()
                     // IPv4
                     $_dst = '127.0.0.1';
                     $_family = 'inet';
-                    LeUtils::log("using IPv4 address: ${ip}");
+                    LeUtils::log("using IPv4 address: {$ip}");
                 } elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
                     // IPv6
                     $_dst = '::1';
                     $_family = 'inet6';
-                    LeUtils::log("using IPv6 address: ${ip}");
+                    LeUtils::log("using IPv6 address: {$ip}");
                 } else {
                     continue; // skip broken entries
                 }
-                $anchor_rules .= "rdr pass ${_family} proto tcp from any to ${ip} port 443 -> ${_dst} port ${local_tls_port}\n";
+                $anchor_rules .= "rdr pass {$_family} proto tcp from any to {$ip} port 443 -> {$_dst} port {$local_tls_port}\n";
             }
         } else {
             LeUtils::log_error("no IP addresses found to setup port forward");
@@ -121,12 +121,12 @@ public function prepare()
 
         // Create temporary port forward to allow acme challenges to get through
         $anchor_setup = "rdr-anchor \"acme-client\"\n";
-        file_put_contents("${configdir}/acme_anchor_setup", $anchor_setup);
-        chmod("${configdir}/acme_anchor_setup", 0600);
-        mwexec("/sbin/pfctl -f ${configdir}/acme_anchor_setup");
-        file_put_contents("${configdir}/acme_anchor_rules", $anchor_rules);
-        chmod("${configdir}/acme_anchor_rules", 0600);
-        mwexec("/sbin/pfctl -a acme-client -f ${configdir}/acme_anchor_rules");
+        file_put_contents("{$configdir}/acme_anchor_setup", $anchor_setup);
+        chmod("{$configdir}/acme_anchor_setup", 0600);
+        mwexec("/sbin/pfctl -f {$configdir}/acme_anchor_setup");
+        file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules);
+        chmod("{$configdir}/acme_anchor_rules", 0600);
+        mwexec("/sbin/pfctl -a acme-client -f {$configdir}/acme_anchor_rules");
     }
 
     public function cleanup()
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
index 06e8be49b0..ea12db6fa6 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidationFactory.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * All rights reserved.
  *
@@ -50,7 +50,7 @@ public function getValidation(string $uuid)
         $model = new \OPNsense\AcmeClient\AcmeClient();
         $obj = $model->getNodeByReference(self::CONFIG_PATH . '.' . $uuid);
         if ($obj == null) {
-            LeUtils::log_error("challenge type not found: ${uuid}");
+            LeUtils::log_error("challenge type not found: {$uuid}");
             return null;
         }
 
@@ -87,7 +87,7 @@ public function getValidation(string $uuid)
                 }
             }
         }
-        LeUtils::log_error("challenge type not supported: " . (string)$search_name . " (${uuid})");
+        LeUtils::log_error("challenge type not supported: " . (string)$search_name . " ({$uuid})");
         return null;
     }
 }

From f60f835ccabbca108dfed0c2f040bd5d181731c0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 28 Jul 2024 14:02:00 +0200
Subject: [PATCH 1989/3088] security/acme-client: fix PHP error; don't hide
 useful messages

---
 .../mvc/app/library/OPNsense/AcmeClient/LeAccount.php         | 2 +-
 .../opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 682c2ed7f3..e643696f23 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -228,7 +228,7 @@ public function register()
             $this->fixConfig();
 
             // Update account status.
-            LeUtils::log_debug('account registration successful for ' . $this->config->name);
+            LeUtils::log('account registration successful for ' . $this->config->name);
             $this->setStatus(200);
         } else {
             LeUtils::log_debug('account already registered: ' . (string)$this->config->name, $this->debug);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index 90db372932..7514ed6562 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -209,10 +209,10 @@ public static function run_shell_command($proc_cmd, $proc_env = array())
 
             // Get exit code
             $result = proc_close($proc);
-            log_debug(sprintf("AcmeClient: The shell command returned exit code '%d': '%s'", $result, $proc_cmd));
+            self::log(sprintf("AcmeClient: The shell command returned exit code '%d': '%s'", $result, $proc_cmd));
             return($result);
         } else {
-            log_error(sprintf("AcmeClient: Unable to prepare shell command '%s'", $proc_cmd));
+            self::log_error(sprintf("AcmeClient: Unable to prepare shell command '%s'", $proc_cmd));
             return(-999);
         }
     }

From 0269de844b79750738534a9a3b77c4e41a66e892 Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Mon, 29 Jul 2024 11:09:38 +0100
Subject: [PATCH 1990/3088] theme rebellion fixes for 24.7 new  lobby dashboard
 (#4127)

---
 misc/theme-rebellion/Makefile                 |   2 +-
 .../rebellion/build/css/bootstrap-select.css  | 123 +++++++++++++-----
 2 files changed, 95 insertions(+), 30 deletions(-)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 848931e2b5..335556a53a 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.8.10
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
index bbc5c29d9a..12a1b5bee5 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
@@ -1,33 +1,70 @@
 /*!
- * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
+ * Bootstrap-select v1.13.18 (https://developer.snapappointments.com/bootstrap-select)
  *
- * Copyright 2012-2018 SnapAppointments, LLC
+ * Copyright 2012-2020 SnapAppointments, LLC
  * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
  */
 
+@-webkit-keyframes bs-notify-fadeOut {
+  0% {
+    opacity: 0.9;
+  }
+  100% {
+    opacity: 0;
+  }
+}
+@-o-keyframes bs-notify-fadeOut {
+  0% {
+    opacity: 0.9;
+  }
+  100% {
+    opacity: 0;
+  }
+}
+@keyframes bs-notify-fadeOut {
+  0% {
+    opacity: 0.9;
+  }
+  100% {
+    opacity: 0;
+  }
+}
 select.bs-select-hidden,
 .bootstrap-select > select.bs-select-hidden,
 select.selectpicker {
   display: none !important;
-
 }
 .bootstrap-select {
   width: 348px \0;
   /*IE9 and below*/
+  vertical-align: middle;
 }
 .bootstrap-select > .dropdown-toggle {
   position: relative;
   width: 100%;
-
-  z-index: 1;
   text-align: right;
   white-space: nowrap;
+  display: -webkit-inline-box;
+  display: -webkit-inline-flex;
+  display: -ms-inline-flexbox;
+  display: inline-flex;
+  -webkit-box-align: center;
+  -webkit-align-items: center;
+      -ms-flex-align: center;
+          align-items: center;
+  -webkit-box-pack: justify;
+  -webkit-justify-content: space-between;
+      -ms-flex-pack: justify;
+          justify-content: space-between;
+}
+.bootstrap-select > .dropdown-toggle:after {
+  margin-top: -1px;
 }
 .bootstrap-select > .dropdown-toggle.bs-placeholder,
 .bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
 .bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
 .bootstrap-select > .dropdown-toggle.bs-placeholder:active {
-  color: #ccc;
+  color: #444;
 }
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
@@ -53,7 +90,7 @@ select.selectpicker {
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active {
-  color: rgba(0, 0, 0, 0.5);
+  color: rgba(255, 255, 255, 0.5);
 }
 .bootstrap-select > select {
   position: absolute !important;
@@ -65,22 +102,23 @@ select.selectpicker {
   padding: 0 !important;
   opacity: 0 !important;
   border: none;
+  z-index: 0 !important;
 }
 .bootstrap-select > select.mobile-device {
   top: 0;
   left: 0;
   display: block !important;
   width: 100% !important;
-  z-index: 2;
+  z-index: 2 !important;
 }
 .has-error .bootstrap-select .dropdown-toggle,
 .error .bootstrap-select .dropdown-toggle,
 .bootstrap-select.is-invalid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
+.was-validated .bootstrap-select select:invalid + .dropdown-toggle {
   border-color: #b94a48;
 }
 .bootstrap-select.is-valid .dropdown-toggle,
-.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
+.was-validated .bootstrap-select select:valid + .dropdown-toggle {
   border-color: #28a745;
 }
 .bootstrap-select.fit-width {
@@ -91,7 +129,7 @@ select.selectpicker {
 }
 .bootstrap-select > select.mobile-device:focus + .dropdown-toggle,
 .bootstrap-select .dropdown-toggle:focus {
-  outline: thin dotted #bbbbbb !important;
+  outline: thin dotted #333333 !important;
   outline: 5px auto -webkit-focus-ring-color !important;
   outline-offset: -2px;
 }
@@ -99,15 +137,18 @@ select.selectpicker {
   margin-bottom: 0;
   padding: 0;
   border: none;
+  height: auto;
 }
 :not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
   width: 100%;
 }
 .bootstrap-select.form-control.input-group-btn {
+  float: none;
   z-index: auto;
 }
-.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0;
+.form-inline .bootstrap-select,
+.form-inline .bootstrap-select.form-control:not([class*="col-"]) {
+  width: auto;
 }
 .bootstrap-select:not(.input-group-btn),
 .bootstrap-select[class*="col-"] {
@@ -167,30 +208,44 @@ select.selectpicker {
   padding: 0 !important;
 }
 .bootstrap-select.bs-container .dropdown-menu {
-  z-index: 1060;
-}
-.bootstrap-select .dropdown-toggle:before {
-  content: '';
-  display: inline-block;
+  z-index: 9998;
 }
 .bootstrap-select .dropdown-toggle .filter-option {
-  position: absolute;
+  position: static;
   top: 0;
   left: 0;
-  padding-top: inherit;
-  padding-right: inherit;
-  padding-bottom: inherit;
-  padding-left: inherit;
+  float: left;
   height: 100%;
   width: 100%;
   text-align: left;
+  overflow: hidden;
+  -webkit-box-flex: 0;
+  -webkit-flex: 0 1 auto;
+      -ms-flex: 0 1 auto;
+          flex: 0 1 auto;
+}
+.bs3.bootstrap-select .dropdown-toggle .filter-option {
+  padding-right: inherit;
+}
+.input-group .bs3-has-addon.bootstrap-select .dropdown-toggle .filter-option {
+  position: absolute;
+  padding-top: inherit;
+  padding-bottom: inherit;
+  padding-left: inherit;
+  float: none;
 }
-.bootstrap-select .dropdown-toggle .filter-option-inner {
+.input-group .bs3-has-addon.bootstrap-select .dropdown-toggle .filter-option .filter-option-inner {
   padding-right: inherit;
 }
 .bootstrap-select .dropdown-toggle .filter-option-inner-inner {
   overflow: hidden;
 }
+.bootstrap-select .dropdown-toggle .filter-expand {
+  width: 0 !important;
+  float: left;
+  opacity: 0 !important;
+  overflow: hidden;
+}
 .bootstrap-select .dropdown-toggle .caret {
   position: absolute;
   top: 50%;
@@ -259,8 +314,8 @@ select.selectpicker {
   margin: 0 2%;
   min-height: 26px;
   padding: 3px 5px;
-  background: #151515;
-  border: 1px solid #232323;
+  background: #f5f5f5;
+  border: 1px solid #e3e3e3;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
           box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.05);
   pointer-events: none;
@@ -269,9 +324,14 @@ select.selectpicker {
      -moz-box-sizing: border-box;
           box-sizing: border-box;
 }
+.bootstrap-select .dropdown-menu .notify.fadeOut {
+  -webkit-animation: 300ms linear 750ms forwards bs-notify-fadeOut;
+       -o-animation: 300ms linear 750ms forwards bs-notify-fadeOut;
+          animation: 300ms linear 750ms forwards bs-notify-fadeOut;
+}
 .bootstrap-select .no-results {
   padding: 3px;
-  background: #151515;
+  background: #f5f5f5;
   margin: 0 5px;
   white-space: nowrap;
 }
@@ -284,6 +344,9 @@ select.selectpicker {
 .bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
   display: inline;
 }
+.bootstrap-select.fit-width .dropdown-toggle .bs-caret:before {
+  content: '\00a0';
+}
 .bootstrap-select.fit-width .dropdown-toggle .caret {
   position: static;
   top: auto;
@@ -305,6 +368,8 @@ select.selectpicker {
   height: 1em;
   border-style: solid;
   border-width: 0 0.26em 0.26em 0;
+  -webkit-transform-style: preserve-3d;
+          transform-style: preserve-3d;
   -webkit-transform: rotate(45deg);
       -ms-transform: rotate(45deg);
        -o-transform: rotate(45deg);
@@ -312,7 +377,7 @@ select.selectpicker {
 }
 .bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
 .bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
-  z-index: 1061;
+  z-index: 9999;
 }
 .bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
   content: '';
@@ -337,7 +402,7 @@ select.selectpicker {
 .bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before {
   bottom: auto;
   top: -4px;
-  border-top: 7px solid rgba(50, 50, 50, 0.2);
+  border-top: 7px solid rgba(204, 204, 204, 0.2);
   border-bottom: 0;
 }
 .bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {

From 743a87984f75fcf97a2a31f2e52b44c2fd3e38ea Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 29 Jul 2024 14:28:49 +0200
Subject: [PATCH 1991/3088] security/etpro-telemetry: Fix widget (#4128)

The API returns "sensor_status":"ACTIVE", which is upper case.
The widget logic compares it to "active", which makes the widget fail to show any data. Converting "ACTIVE" to lower case solves that issue.
---
 .../src/opnsense/www/js/widgets/ETProTelemetry.js               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index 98456802f3..fe1709993e 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -43,7 +43,7 @@ export default class ETProTelemetry extends BaseTableWidget {
 
     async onWidgetTick() {
         const data = await this.ajaxCall('/api/diagnostics/proofpoint_et/status');
-        if (data['sensor_status'] == 'active') {
+        if (data['sensor_status'].toLowerCase() == 'active') {
             $('#etpro_sensor_status').text(data['sensor_status']);
             $('#etpro_event_received').text(data['event_received']);
             $('#etpro_last_rule_download').text(data['last_rule_download']);

From 733cb0649d02966f6079a4f98c32dd966999118e Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Mon, 29 Jul 2024 19:59:26 +0100
Subject: [PATCH 1992/3088] Rebellion update- added dashboard.css and minor
 changes for color (#4130)

Missing dashboard.css and minor changes to bootstrap-select.
---
 misc/theme-rebellion/Makefile                 |   4 +-
 .../rebellion/build/css/bootstrap-select.css  |   2 +-
 .../themes/rebellion/build/css/dashboard.css  | 317 ++++++++++++++++++
 3 files changed, 320 insertions(+), 3 deletions(-)
 create mode 100644 misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 335556a53a..4dbbe55854 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.9
+PLUGIN_VERSION=		1.9.1
 PLUGIN_COMMENT=		A suitably dark theme
-PLUGIN_MAINTAINER=	team-rebellion@queens-park.com
+PLUGIN_MAINTAINER=	martin@queens-park.com
 PLUGIN_NO_ABI=		yes
 
 .include "../../Mk/plugins.mk"
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
index 12a1b5bee5..a48ed904b6 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/bootstrap-select.css
@@ -64,7 +64,7 @@ select.selectpicker {
 .bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
 .bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
 .bootstrap-select > .dropdown-toggle.bs-placeholder:active {
-  color: #444;
+  color: #ddd;
 }
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
 .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
new file mode 100644
index 0000000000..3fd193bf18
--- /dev/null
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
@@ -0,0 +1,317 @@
+.fa-spinner {
+    font-size: 2em;
+}
+
+#save-grid {
+    width: inherit;
+    height: inherit;
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    transition: opacity 0.3s ease;
+    position: relative;
+    width: 50px;
+    height: 30px;
+    margin-right: 10px;
+}
+
+#save-btn-text, #icon-container {
+    position: absolute;
+}
+
+#icon-container {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+}
+
+#save-spinner, #save-check {
+    transition: opacity 0.3s ease, transform 0.3s ease;
+}
+
+.hide {
+    opacity: 0;
+    transform: scale(0);
+}
+
+.show {
+    opacity: 1;
+    transform: scale(1);
+}
+
+.grid-stack-item-content {
+  text-align: center;
+  border-style: solid;
+  border-color: rgba(200, 200, 200, .5);
+  border-width: 2px;
+  background-color: #222222;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+}
+
+.widget-content {
+    position: relative;
+    width: 100%;
+    height: 100%;
+    padding: 1px;
+    cursor: grab;
+}
+
+.widget-header {
+    margin-top: 0.5em;
+    margin-left: 1em;
+    margin-right: 1em;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+}
+
+.widget-spinner {
+    margin-top: 20px;
+}
+
+.fa-stack.small {
+    font-size: 0.5em;
+}
+
+.close-handle {
+    vertical-align: middle;
+    text-align: right;
+    cursor: pointer;
+}
+
+.close-handle > i {
+    font-size: 0.7em;
+}
+
+.panel-divider {
+    width: 100%;
+    text-align: center;
+    height: 8px;
+    margin-bottom: 10px;
+}
+
+table {
+    table-layout: fixed;
+}
+
+td {
+    word-break: break-all;
+}
+
+.line {
+    display: inline-block;
+    height: 1px;
+    width: 70%;
+    background: #121212;
+	color: #f0f0f0;
+    margin: 5px;
+}
+
+.canvas-container {
+    position: relative;
+}
+
+.cpu-canvas-container {
+    display: flex;
+    flex-direction: column;
+}
+
+.smoothie-container {
+    width: 100%;
+	
+}
+
+.smoothie-chart-tooltip {
+  z-index: 1; /* necessary to force to foreground */
+  background: rgba(80, 50, 10, 0.9);
+  padding-left: 15px;
+  padding-right: 15px;
+  color: white;
+  font-size: 11px;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+  pointer-events: none;
+}
+
+.flex-container {
+    display: flex;
+    flex-wrap: nowrap;
+    white-space: nowrap;
+}
+
+.gateway-info {
+  margin: 5px;
+  padding: 5px;
+  font-size: 13px;
+}
+
+.gateway-detail-container {
+    display: none;
+    margin: 5px;
+}
+
+.interface-info {
+    display: flex;
+    flex-wrap: wrap;
+    align-items: center;
+    height: 100%;
+}
+
+.nowrap {
+    flex-wrap: nowrap;
+}
+
+.gateway-graph {
+    display: none;
+}
+
+.flex-container > .gateway-graph {
+    font-size: 13px;
+}
+
+.vertical-center-row {
+    height: 100%;
+    display: inline;
+}
+
+.interfaces-info {
+  margin: 5px;
+  font-size: 13px;
+}
+
+.interface-descr {
+    margin-left: 10px;
+    font-size: 15px;
+    cursor: pointer;
+    text-decoration: underline;
+}
+
+.interfaces-detail-container {
+    margin: 5px;
+    display: none;
+}
+
+.d-flex {
+    display: flex;
+}
+
+.d-flex > .justify-content-start {
+    justify-content: start;
+}
+
+.d-flex > .justify-content-end {
+    justify-content: end;
+}
+
+#chartjs-toolip {
+    z-index: 20;
+}
+
+/* CPU widget */
+.cpu-type {
+    margin-bottom: 10px;
+    margin-top: 10px;
+}
+/* ----- */
+
+/* Custom flex table */
+div {
+    box-sizing: border-box;
+}
+
+.flextable-container {
+    display: block;
+    margin: 2em auto;
+    width: 95%;
+    max-width: 1200px;
+}
+
+.flextable-header {
+    display: flex;
+    flex-flow: row wrap;
+    transition: 0.5s;
+    padding: 0.5em 0.5em;
+    border-top: solid 1px rgba(217, 79, 0, 0.15);
+}
+
+.flextable-row {
+    display: flex;
+    flex-flow: row wrap;
+    transition: 0.5s;
+    padding: 0.5em 0.5em;
+    border-top: solid 1px rgba(217, 79, 0, 0.15);
+    align-items: center;
+}
+
+.flextable-header .flex-cell {
+    font-weight: bold;
+}
+
+.flextable-row:hover {
+    background: #222222;
+    transition: 500ms;
+}
+
+.flex-cell {
+    text-align: left;
+    word-break: break-word;
+}
+
+.column {
+    display: flex;
+    flex-flow: column wrap;
+    width: 50%;
+    padding: 0;
+}
+.column .flex-cell {
+    display: flex;
+    flex-flow: row wrap;
+    width: 100%;
+    padding: 0;
+    border: 0;
+    border-top: rgba(217, 79, 0, 0.15);
+}
+.column .flex-cell:hover {
+    background: #F5F5F5;
+    transition: 500ms;
+}
+.flex-subcell {
+    width: 100%;
+    text-align: left;
+}
+
+.column .flex-cell:not(:last-child) {
+    border-bottom: solid 1px rgba(217, 79, 0, 0.15);
+}
+/* ----- */
+
+/* CSS grid responsive table */
+.grid-header-container {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+}
+
+.grid-row {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+    background-color: #f7e2d6; /* fade-in color, transitions to transparent */
+    border-top: 1px solid #f7e2d6;
+    transition: 0.5s;
+    opacity: 0.4;
+}
+
+.grid-row:hover {
+    background: #222222 !important;
+    transition: 500ms;
+}
+
+.grid-header {
+    border-top: 1px solid #f7e2d6;
+    font-weight: bold;
+}
+
+.grid-item {
+    border: 1 px solid #ccc;
+    padding: 4px;
+    text-align: center;
+}
+/* ----- */

From f6116580ac32a2bce3e708361b3ba8258adb8de4 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 29 Jul 2024 21:09:27 +0200
Subject: [PATCH 1993/3088] net/ftp-proxy: Fix php errors in ServiceController
 (#4131)

---
 net/ftp-proxy/Makefile                         |  2 +-
 .../FtpProxy/Api/ServiceController.php         | 18 ------------------
 2 files changed, 1 insertion(+), 19 deletions(-)

diff --git a/net/ftp-proxy/Makefile b/net/ftp-proxy/Makefile
index 78c8fc10ba..4f655e4bac 100644
--- a/net/ftp-proxy/Makefile
+++ b/net/ftp-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ftp-proxy
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Control ftp-proxy processes
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
 
diff --git a/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/Api/ServiceController.php b/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/Api/ServiceController.php
index 6bc2f58537..dec43eeac0 100644
--- a/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/Api/ServiceController.php
+++ b/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/Api/ServiceController.php
@@ -41,9 +41,6 @@ class ServiceController extends ApiControllerBase
     public function statusAction($uuid)
     {
         $result = array("result" => "failed", "function" => "status");
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         if ($uuid != null) {
             $mdlFtpProxy = new FtpProxy();
             $node = $mdlFtpProxy->getNodeByReference('ftpproxy.' . $uuid);
@@ -62,9 +59,6 @@ public function statusAction($uuid)
     public function startAction($uuid)
     {
         $result = array("result" => "failed", "function" => "start");
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         if ($uuid != null) {
             $mdlFtpProxy = new FtpProxy();
             $node = $mdlFtpProxy->getNodeByReference('ftpproxy.' . $uuid);
@@ -83,9 +77,6 @@ public function startAction($uuid)
     public function stopAction($uuid)
     {
         $result = array("result" => "failed", "function" => "stop");
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         if ($uuid != null) {
             $mdlFtpProxy = new FtpProxy();
             $node = $mdlFtpProxy->getNodeByReference('ftpproxy.' . $uuid);
@@ -103,9 +94,6 @@ public function stopAction($uuid)
      */
     public function restartAction($uuid)
     {
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         if ($uuid != null) {
             $mdlFtpProxy = new FtpProxy();
             $node = $mdlFtpProxy->getNodeByReference('ftpproxy.' . $uuid);
@@ -123,9 +111,6 @@ public function restartAction($uuid)
     public function configAction()
     {
         $result = array("result" => "failed", "function" => "config");
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         $result['result'] = $this->callBackend('template');
         return $result;
     }
@@ -136,9 +121,6 @@ public function configAction()
      */
     public function reloadAction()
     {
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         $result = $this->configAction();
         if ($result['result'] == 'OK') {
             $result['function'] = "reload";

From 32f61c510b3c712575cb5e3af86907aa893ff5e9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Jul 2024 21:09:41 +0200
Subject: [PATCH 1994/3088] misc/theme-rebellion: style sweep

---
 .../src/opnsense/www/themes/rebellion/build/css/dashboard.css   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
index 3fd193bf18..6f997d8a58 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
@@ -118,7 +118,7 @@ td {
 
 .smoothie-container {
     width: 100%;
-	
+
 }
 
 .smoothie-chart-tooltip {

From ee3fa0bc3852dbfb135edff4561fd51f98f547d4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 29 Jul 2024 21:11:15 +0200
Subject: [PATCH 1995/3088] net/udpbroadcastrelay: remove these as well

---
 net/udpbroadcastrelay/Makefile                           | 2 +-
 .../OPNsense/UDPBroadcastRelay/Api/ServiceController.php | 9 ---------
 2 files changed, 1 insertion(+), 10 deletions(-)

diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index b57ee6954e..0dd56ef13d 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		udpbroadcastrelay
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		Control udpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
index c036ae0c0b..09e6feb639 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/ServiceController.php
@@ -63,9 +63,6 @@ public function statusAction($uuid)
     public function startAction($uuid)
     {
         $result = array("result" => "failed", "function" => "start");
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         if ($uuid != null) {
             $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
             $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
@@ -84,9 +81,6 @@ public function startAction($uuid)
     public function stopAction($uuid)
     {
         $result = array("result" => "failed", "function" => "stop");
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         if ($uuid != null) {
             $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
             $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);
@@ -104,9 +98,6 @@ public function stopAction($uuid)
      */
     public function restartAction($uuid)
     {
-        if ($this->request->isPost()) {
-            $this->sessionClose();
-        }
         if ($uuid != null) {
             $mdlUDPBroadcastRelay = new UDPBroadcastRelay();
             $node = $mdlUDPBroadcastRelay->getNodeByReference('udpbroadcastrelay.' . $uuid);

From 3ab6e06aaab1056d9561326205fe63ba2b103a48 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 30 Jul 2024 11:51:39 +0200
Subject: [PATCH 1996/3088] www/squid: patch up squid wanting SafePorts out of
 the box

> ERROR: ACL not found: Safe_ports
---
 .../src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml   | 6 ++++--
 .../opnsense/service/templates/OPNsense/Proxy/squid.conf   | 7 ++-----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index d7d2ed578e..d28a9ab218 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/proxy</mount>
-    <version>1.0.6</version>
+    <version>1.0.7</version>
     <description>Squid web proxy settings</description>
     <items>
         <general>
@@ -362,7 +362,9 @@
                     </OptionValues>
                 </youtube>
                 <safePorts type="CSVListField">
-                    <Mask>/^([ \-0-9a-zA-Z:,])*/u</Mask>
+                    <default>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</default>
+                    <mask>/^([ \-0-9a-zA-Z:,])*/u</mask>
+                    <Required>Y</Required>
                 </safePorts>
                 <sslPorts type="CSVListField">
                     <Mask>/^([ \-0-9a-zA-Z:,])*/u</Mask>
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 6c7369393a..9574a9ae58 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -227,13 +227,10 @@ acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('
 {% endif %}
 
 # Default Safe ports are now defined in config.xml
-# Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
-{% if helpers.exists('OPNsense.proxy.forward.acl.safePorts') %}
 # ACL - Safe_ports
-{%  for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
+{% for element in OPNsense.proxy.forward.acl.safePorts.split(",") %}
 acl Safe_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
-{%  endfor %}
-{% endif %}
+{% endfor %}
 acl CONNECT method CONNECT
 
 # ICAP SETTINGS

From b560bdb92b676aa1d53a3795ea12744c67b86ba5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 30 Jul 2024 11:56:39 +0200
Subject: [PATCH 1997/3088] www/squid: same for SslPorts

---
 .../src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml   | 4 +++-
 .../opnsense/service/templates/OPNsense/Proxy/squid.conf   | 7 ++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index d28a9ab218..ec89d96826 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -362,12 +362,14 @@
                     </OptionValues>
                 </youtube>
                 <safePorts type="CSVListField">
-                    <default>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</default>
+                    <Default>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</Default>
                     <mask>/^([ \-0-9a-zA-Z:,])*/u</mask>
                     <Required>Y</Required>
                 </safePorts>
                 <sslPorts type="CSVListField">
+                    <Default>443:https</Default>
                     <Mask>/^([ \-0-9a-zA-Z:,])*/u</Mask>
+                    <Required>Y</Required>
                 </sslPorts>
                 <remoteACLs>
                     <blacklists>
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 9574a9ae58..b5e8e91941 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -219,12 +219,9 @@ acl blockmimetypes_requests req_mime_type {{element}}
 {% endif %}
 
 # ACL - SSL ports, default are configured in config.xml
-# Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
-{% if helpers.exists('OPNsense.proxy.forward.acl.sslPorts') %}
-{%  for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
+{% for element in OPNsense.proxy.forward.acl.sslPorts.split(",") %}
 acl SSL_ports port {{element.split(":")[0]}} # {{element.split(":")[1]|default('unknown')}}
-{%  endfor %}
-{% endif %}
+{% endfor %}
 
 # Default Safe ports are now defined in config.xml
 # ACL - Safe_ports

From 13a9db5d5f103cc943458feeefc5c46be7ebbd7b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 30 Jul 2024 12:02:48 +0200
Subject: [PATCH 1998/3088] www/squid: consistency is nice

---
 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index ec89d96826..7c4f59ab51 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -363,7 +363,7 @@
                 </youtube>
                 <safePorts type="CSVListField">
                     <Default>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</Default>
-                    <mask>/^([ \-0-9a-zA-Z:,])*/u</mask>
+                    <Mask>/^([ \-0-9a-zA-Z:,])*/u</Mask>
                     <Required>Y</Required>
                 </safePorts>
                 <sslPorts type="CSVListField">

From f30007b60c29428d0af4b6de34b41410e8e0cba9 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 30 Jul 2024 12:12:18 +0200
Subject: [PATCH 1999/3088] www/caddy: Layer4 support in listener_wrapper to
 route TLS traffic without termination (#4112)

---
 www/caddy/pkg-descr                           | 229 +++++++++---------
 .../Caddy/Api/ReverseProxyController.php      |  33 +++
 .../OPNsense/Caddy/ReverseProxyController.php |   1 +
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |  64 +++++
 .../OPNsense/Caddy/forms/general.xml          |   7 +
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  51 +++-
 .../mvc/app/views/OPNsense/Caddy/general.volt |   1 +
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 118 ++++++---
 .../templates/OPNsense/Caddy/Caddyfile        |  41 +++-
 .../templates/OPNsense/Caddy/includeLayer4    |  57 +++++
 10 files changed, 455 insertions(+), 147 deletions(-)
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
 create mode 100644 www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 4c2b956051..d8a139e4c2 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -9,16 +9,19 @@ WWW: https://caddyserver.com/
 Main features of this plugin:
 
 * Easy to configure and reliable! Reverse Proxy any HTTP/HTTPS or WebSocket application in minutes.
-* Hard to break! Extensive validations of the configuration on each save and apply.
-* Automatic Let's Encrypt and ZeroSSL Certificates with HTTP-01 and TLS-ALPN-01 challenge
+* Automatic Let's Encrypt and ZeroSSL certificates with HTTP-01 and TLS-ALPN-01 challenge
 * DNS-01 challenge and Dynamic DNS with supported DNS Providers built right in
 * Use custom certificates from OPNsense certificate store
 * Wildcard Domain and Subdomain support
 * Access Lists to restrict access based on static networks
 * Basic Auth to restrict access by username and password
+* Forward Auth with Authelia
 * Syslog-ng integration and HTTP Access Log
-* Header manipulation with header_up and header_down
+* NTLM Transport
+* Header manipulation
 * Simple load balancing with passive health check
+* Widgets for OPNsense Dashboard (24.7 and later)
+* Layer4 SNI based routing of TCP/UDP
 
 DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 
@@ -27,172 +30,172 @@ Plugin Changelog
 
 1.6.2
 
-* Add Authentik as authentication provider (contributed by Tim-Sc)
+* Add: Authentik as authentication provider (contributed by Tim-Sc)
+* Add: Feature Preview - Layer4 routing to proxy traffic without TLS termination. Can be enabled in advanced mode of "General Settings"
 
 1.6.1
 
-Add: Run Caddy as "www" user and group, by enabling "Disable Superuser" in General Settings.
-Cleanup: Validations in general.volt are all appended to their form keys, instead of triggering a Bootstrap Dialog.
-Change: Description Fields are optional now, reducing the steps needed to create new entries.
-Add: Shortcuts to add new Domains and Handlers.
-Change: Subdomain Tab only appears when a wildcard domain has been configured.
+* Add: Run Caddy as "www" user and group, by enabling "Disable Superuser" in General Settings
+* Add: Shortcuts to add new Domains and Handlers
+* Change: Description Fields are optional now, reducing the steps needed to create new entries
+* Change: Subdomain Tab only appears when a wildcard domain has been configured
+* Cleanup: Validations in general.volt are all appended to their form keys, instead of triggering a Bootstrap Dialog
 
 1.6.0
 
-* Add: New Dashboard widgets for 24.7, showing domain status and certificate validity status.
-* Cleanup: PHP files refactored for PSR-12, Python files refactored for PEP-8.
-* Cleanup: Templates Caddyfile and rc.conf.d/caddy refactored for maintainability.
-* Cleanup: Spurious keys removed from Caddy.xml model.
-* Cleanup: Unused code removed from Caddy.php.
-* Fix: Caddyfile template fixed when IPv6 addresses and ports are used in Upstream. IPv6 address wraps into brackets now.
-* Add: forward_auth directive with Authelia as Authz Provider.
-* Add: Default HTTP and HTTPS ports can be changed in general settings.
-* Add: Introduce HTTP version to handler. HTTP/1.1, HTTP/2 and HTTP/3 can be chosen.
-* Add: HTTP Keepalive can be set in a handler.
-* Change: Option "tls_trusted_ca_certs" is now "tls_trust_pool".
-* Build: Update caddy-dns Cloudflare and Route53. Route53 field names changed due to upstream changes.
-* Add: TLS can be deactivated in a domain.
+* Add: New Dashboard widgets for 24.7, showing domain status and certificate validity status
+* Add: forward_auth directive with Authelia as Authz Provider
+* Add: Default HTTP and HTTPS ports can be changed in general settings
+* Add: Introduce HTTP version to handler. HTTP/1.1, HTTP/2 and HTTP/3 can be chosen
+* Add: HTTP Keepalive can be set in a handler
+* Add: TLS can be deactivated in a domain
+* Build: Update caddy-dns Cloudflare and Route53. Route53 field names changed due to upstream changes
+* Change: Option "tls_trusted_ca_certs" is now "tls_trust_pool"
+* Cleanup: PHP files refactored for PSR-12, Python files refactored for PEP-8
+* Cleanup: Templates Caddyfile and rc.conf.d/caddy refactored for maintainability
+* Cleanup: Spurious keys removed from Caddy.xml model
+* Cleanup: Unused code removed from Caddy.php
+* Fix: Caddyfile template fixed when IPv6 addresses and ports are used in Upstream. IPv6 address wraps into brackets now
 
 1.5.7
 
-* Build: Update to Caddy v2.8.4 + caddy-dns plugins updated to latest upstream versions
-* Add: Error message when OPNsense WebGUI settings conflict with Auto HTTPS.
-* Add: Error message when Auto HTTPS is enabled, and ACME email field is empty, for caddy v2.8.4
+* Add: Error message when OPNsense WebGUI settings conflict with Auto HTTPS
+* Add: Error message when Auto HTTPS is enabled, and ACME email field is empty, for caddy v2.8.
+* Add: Dynamic DNS now supports "Update Only", only updating existing records without creating new ones
+* Add: DNS Providers: dnsmadeeasy, bunny, civo, scaleway, acmeproxy, inwx, namedotcom, easydns, infomaniak, directadmin, hosttech, vult
+* Build: Update to Caddy v2.8.4 + caddy-dns plugins updated to latest upstream version
+* Change: Dynamic DNS "TTL" and "Check Interval" have been changed to seconds. Existing values have been reset to use the defaults of the implementation
 * Cleanup: Fix crash of searchAction when reverseUuids is null
-* Cleanup: basicauth directive is now basic_auth in the Caddyfile template, for caddy v2.8.4
-* Change: Dynamic DNS "TTL" and "Check Interval" have been changed to seconds. Existing values have been reset to use the defaults of the implementation.
-* Add: Dynamic DNS now supports "Update Only", only updating existing records without creating new ones.
-* Fix: The subdomain port field has been removed, since it is unsupported. Subdomains track their ports from their parent wildcard domain.
-* Add: DNS Providers: dnsmadeeasy, bunny, civo, scaleway, acmeproxy, inwx, namedotcom, easydns, infomaniak, directadmin, hosttech, vultr
-* Remove: DNS Providers: godaddy
+* Cleanup: basicauth directive is now basic_auth in the Caddyfile template, for caddy v2.8
 * Cleanup: Refactor dns provider configuration in Caddyfile template
+* Fix: The subdomain port field has been removed, since it is unsupported. Subdomains track their ports from their parent wildcard domain
+* Remove: DNS Providers: godaddy
 
 1.5.6
 
-* Fix: Wildcard domains with activated "Dynamic DNS" update their base domain with * instead of @.
 * Add: DNS Providers: Netcup, RFC2136
+* Fix: Wildcard domains with activated "Dynamic DNS" update their base domain with * instead of @
 
 1.5.5
 
-* Fix: "Apply" could hang when websockets are in use by clients. A grace period of 10s has been added in General Settings that forces to close all connections on config changes.
-* Add: In Reverse Proxy, a new dropdown can select one or multiple domains, filtering the Bootgrids of Domains, Subdomains and Handlers for the selected Domain.
-* Add: Global Log Level can be set in Log Settings.
-* Fix: "Apply" will always read all certificates from the filesystem, even if the Caddy configuration has remained unchanged. "reload" has been changed to "reloadssl".
-* Change: ACME Email should be filled out since it's a requirement for ZeroSSL.
-* Fix: "Save" and "Apply" buttons in General Settings have been improved to reliably trigger validation of form.
-* Cleanup: Javascript variables have been changed from var to let to reduce scope.
-* Fix: Template has been fixed to allow any TLS option in Handlers to appear independant when filled out. This increases flexibility with the "tls_server_name" option.
-* Add: Diagnostics view added where the current Caddyfile and JSON configuration can be displayed, validated and downloaded.
-* Add: HTTP-01 Challenge Redirection can also be configured for subdomains.
-* Cleanup: lang() and gettext() functions added for translations.
-* Cleanup: Rewritten most help texts in forms for consistency.
-* Fix: The newly introduced "configctl caddy reload" action, which calls the "service caddy reloadssl" command, will now also trigger the setup.sh script.
+* Add: In Reverse Proxy, a new dropdown can select one or multiple domains, filtering the Bootgrids of Domains, Subdomains and Handlers for the selected Domain
+* Add: Global Log Level can be set in Log Settings
+* Add: Diagnostics view added where the current Caddyfile and JSON configuration can be displayed, validated and downloaded
+* Add: HTTP-01 Challenge Redirection can also be configured for subdomains
+* Change: ACME Email should be filled out since it's a requirement for ZeroSSL
+* Cleanup: Javascript variables have been changed from var to let to reduce scope
+* Cleanup: lang() and gettext() functions added for translations
+* Cleanup: Rewritten most help texts in forms for consistency
+* Fix: "Apply" could hang when websockets are in use by clients. A grace period of 10s has been added in General Settings that forces to close all connections on config changes
+* Fix: "Apply" will always read all certificates from the filesystem, even if the Caddy configuration has remained unchanged. "reload" has been changed to "reloadssl"
+* Fix: "Save" and "Apply" buttons in General Settings have been improved to reliably trigger validation of form
+* Fix: Template has been fixed to allow any TLS option in Handlers to appear independant when filled out. This increases flexibility with the "tls_server_name" option
+* Fix: The newly introduced "configctl caddy reload" action, which calls the "service caddy reloadssl" command, will now also trigger the setup.sh script
 
 1.5.4
 
-* Fix: When pressing Apply, the Caddy service will be reloaded instead of restarted. This fixes long restart times and service interruptions.
-* Change: All Description Fields are now required to be populated.
-* Change: Model Relation Fields now display two values instead of one to make most options appear unique.
-* Add: HTTP response code and HTTP response message can be set per access list in advanced mode.
-* Add: Header functionality added. Multiple header manipulations can be set per handler.
-* Cleanup: Update searchBase() in ReverseProxyController.php for easier maintainability.
-* Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS.
-* Add: Simple Load Balancing support with the default random policy, by allowing to add multiple Upstream Domains in Handlers.
-* Add: Passive Health check for load balancing (Upstream Fail Duration) in Handlers.
-* Fix: Input validation so a base domain like "example.com" and a wildcard domain like "*.example.com" can now be created at the same time in domains.
+* Add: Simple Load Balancing support with the default random policy, by allowing to add multiple Upstream Domains in Handlers
+* Add: Passive Health check for load balancing (Upstream Fail Duration) in Handlers
+* Add: HTTP response code and HTTP response message can be set per access list in advanced mode
+* Add: Header functionality added. Multiple header manipulations can be set per handler
+* Change: All Description Fields are now required to be populated
+* Change: Model Relation Fields now display two values instead of one to make most options appear unique
+* Cleanup: Update searchBase() in ReverseProxyController.php for easier maintainability
+* Fix: When pressing Apply, the Caddy service will be reloaded instead of restarted. This fixes long restart times and service interruptions
+* Fix: Move selectpicker empty option to model in general.volt, using BlankDesc. This fixes the option IPv4+IPv6 not appearing in Dynamic DNS
+* Fix: Input validation so a base domain like "example.com" and a wildcard domain like "*.example.com" can now be created at the same time in domains
 
 1.5.3
 
-* Change from "Phalcon Messages" to "OPNsense Messages" in Caddy.php.
-* Change default storage location from /usr/local/etc/caddy to /var/db/caddy/data/caddy/.
-* Change description from "TextField" to "DescriptionField" in Caddy.xml model.
-* Add tls_insecure_skip_verify to handlers.
-* Add possibility to restart Caddy with the ACME Client by using "Automations - Run Command - System or Plugin Command".
-* Add option to redirect the ACME HTTP-01 challenge to an upstream destination as advanced option in domains.
-* Remove unmaintained DNS Providers: dnspod, hetzner, namesilo, vercel, alidns, metaname, openstack-designate.
-* Cleanup dialogs and UI to present all options better.
+* Add: tls_insecure_skip_verify to handlers
+* Add: Possibility to restart Caddy with the ACME Client by using "Automations - Run Command - System or Plugin Command"
+* Add: Option to redirect the ACME HTTP-01 challenge to an upstream destination as advanced option in domains
+* Change: From "Phalcon Messages" to "OPNsense Messages" in Caddy.php
+* Change: Default storage location from /usr/local/etc/caddy to /var/db/caddy/data/caddy/
+* Change: Description from "TextField" to "DescriptionField" in Caddy.xml model
+* Cleanup: Dialogs and UI to present all options better
+* Remove: Unmaintained DNS Providers: dnspod, hetzner, namesilo, vercel, alidns, metaname, openstack-designate
 
 1.5.2
 
-* Increased timeout of message area in reverse_proxy.volt and general.volt to 15 seconds.
-* When pressing Apply, the form is saved automatically before the reconfigure action.
-* Cleaned up Caddy.xml model to satisfy make lint.
-* When selecting an interface in Dynamic DNS, at most one IPv6 GUA and IPv4 non-RFC1918 address will be extracted. Fixes all IP addresses being read.
+* Build: When selecting an interface in Dynamic DNS, at most one IPv6 GUA and IPv4 non-RFC1918 address will be extracted. Fixes all IP addresses being read
+* Cleanup: Increased timeout of message area in reverse_proxy.volt and general.volt to 15 seconds
+* Cleanup: Caddy.xml model to satisfy make lint
+* Fix: When pressing Apply, the form is saved automatically before the reconfigure action
 
 1.5.1
 
-* More DNS Providers added: netlify, namesilo, njalla, vercel, googleclouddns, alidns, powerdns, tencentcloud, dinahosting, metaname, hexonet, ddnss, linode, mailinabox, ovh, namecheap, azure, openstack-designate.
-* More input fields and better documentation added for the DNS Provider API Keys.
-* Changed rc.d script to standard freebsd poudriere one packaged with the caddy-custom binary, included setup.sh script to rc.conf.d/caddy.
-* Updated dependancy to caddy-custom instead of caddy.
-* Removed +POST_DEINSTALL.post and +POST_INSTALL.post.
-* Turned syslog-ng configuration from template to static file.
-* A few typos in the general.volt and reverse_proxy.volt corrected.
-* The RealInterfaceField custom Fieldtype was removed and replaced with an OPNsense integrated template function to read the interface name.
-* Enable $internalModelUseSafeDelete in ReverseProxyController.php - Items can only be deleted when they are not referenced by other items, making deleting in the GUI safer since there can't be any orphaned configuration left behind.
-* Migration script M1_1_3 from "Description" to "description" added. Lower case description is needed to be in line with some OPNsense integrated functions.
+* Add: More DNS Providers: netlify, namesilo, njalla, vercel, googleclouddns, alidns, powerdns, tencentcloud, dinahosting, metaname, hexonet, ddnss, linode, mailinabox, ovh, namecheap, azure, openstack-designate
+* Add: More input fields and better documentation for the DNS Provider API Keys
+* Change: rc.d script to standard freebsd poudriere one packaged with the caddy-custom binary, included setup.sh script to rc.conf.d/caddy
+* Change: Updated dependancy to caddy-custom instead of caddy
+* Change: Enable $internalModelUseSafeDelete in ReverseProxyController.php - Items can only be deleted when they are not referenced by other items, making deleting in the GUI safer since there can't be any orphaned configuration left behind
+* Cleanup: Turned syslog-ng configuration from template to static file
+* Cleanup: A few typos in the general.volt and reverse_proxy.volt corrected
+* Cleanup: The RealInterfaceField custom Fieldtype was removed and replaced with an OPNsense integrated template function to read the interface name
+* Cleanup: Migration script M1_1_3 from "Description" to "description" added. Lower case description is needed to be in line with some OPNsense integrated functions
+* Remove: +POST_DEINSTALL.post and +POST_INSTALL.post
 
 1.5.0
 
-* Omit vultr from DNS-Providers since it can't be built without errors.
-* General view cleanup by seperating options into different tabs.
-* Added ACME-DNS Provider for custom ACME Server support.
-* When pressing save, a hint will appear that changes should be applied. Apply and Save now give feedback on success.
-* Create ACL for Caddy
-* Code consistency improved.
+* Add: ACME-DNS Provider for custom ACME Server support
+* Add: When pressing save, a hint will appear that changes should be applied. Apply and Save now give feedback on success
+* Add: Create ACL for Caddy
+* Cleanup: General view cleanup by seperating options into different tabs
+* Cleanup: Code consistency improved
+* Remove: vultr from DNS-Providers since it can't be built without errors
 
 1.4.5
 
-* New validate api action when pressing apply that validates the Caddyfile + Validation model fix.
-* Added configuration option to log HTTP access to plain JSON files. [contributed by @pmhausen]
-* Added backend path prepend feature to handler configuration. [contributed by @pmhausen]
+* Add: New validate api action when pressing apply that validates the Caddyfile + Validation model fix
+* Add: Configuration option to log HTTP access to plain JSON files (contributed by pmhausen)
+* Add: Backend path prepend feature to handler configuration (contributed by pmhausen)
 
 1.4.4
 
-* Route53 DNS Provider added
-* Dark Mode GUI fix
+* Add: Route53 DNS Provider
+* Cleanup: Dark Mode GUI
 
 1.4.2
 
-* Added Basic Auth as additional access restriction, multiple users can be set per domain and subdomain.
-* Made views cleaner: Seperated General Settings and DNS Provider Settings, joined Access List and Basic Auth in new Access Tab.
-* Fixed template generation of Caddyfile for new DNS Providers deSEC.
-* Added Porkbun DNS Provider for GUI configuration with additional DNS Secret Api Key input field.
-* Cleaned up some code and fixed some typos.
+* Add: Basic Auth as additional access restriction, multiple users can be set per domain and subdomain
+* Add: Porkbun DNS Provider for GUI configuration with additional DNS Secret Api Key input field
+* Cleanup: Improve views with seperated General Settings and DNS Provider Settings, joined Access List and Basic Auth in new Access Tab
+* Cleanup: Fixed some typos in forms.
+* Fix: Template generation of Caddyfile for new DNS Provider deSEC
 
 1.4.0
 
-* DynDNS (Dynamic DNS) Feature added.
-* Logging refactored to syslog-ng.
-* HTTP Access Logs can be enabled.
-* More DNS Providers added: Cloudflare, Duck DNS, DigitalOcean, DNSPod, Hetzner, GoDaddy, Gandi, Vultr, IONOS, deSEC
+* Add: DynDNS (Dynamic DNS) Feature
+* Add: HTTP Access Logs
+* Add: More DNS Providers: Cloudflare, Duck DNS, DigitalOcean, DNSPod, Hetzner, GoDaddy, Gandi, Vultr, IONOS, deSEC
+* Cleanup: Logging refactored to syslog-ng.
 
 1.3.4
 
-* Added abort statement to close all connections that don't match any handle.
-* Added tls_server_name to model
-* Fixes DNS Challenge not adhering to the status of the DNS-01 Checkbox
+* Add: abort statement to close all connections that do not match any handle
+* Add: tls_server_name to model
+* Fix: DNS Challenge not adhering to the status of the DNS-01 Checkbox
 
 1.3.3
 
-* Swapped processing order in template from wildcard domains -> subdomains to subdomains -> wildcard domains
+* Change: Swapped processing order in template from wildcard domains -> subdomains to subdomains -> wildcard domains
 
 1.3.2
 
-* Added inline loop logic to template to always print empty handles last in the Caddyfile before specific handles.
+* Add: Inline loop logic to template to always print empty handles last in the Caddyfile before specific handles
 
 1.3.1
 
-* Added AccessList functionality.
-* Small constraint to handle added. Handles have to start at least with / when they're not empty, or Caddy won't start.
-* Add reload for the ServiceControlUI after pressing Apply.
+* Add: Access Lists
+* Add: Reload for the ServiceControlUI after pressing Apply
+* Fix: Small constraint to handle added. Handles have to start at least with / when they're not empty, or Caddy won't start
 
-1.3.0
+1.3.0 - Initial release
 
-* Initial first stable release.
-* Create easy Reverse Proxy entries, use the HTTP or DNS-01 Challenge to get quick and easy ACME Certificates with Let's Encrypt.
-* Control Caddy and view the Logfile in the OPNsense GUI.
-* Create more complicated nested handle structures with wildcard domains, subdomains, handles and catch all handles.
-* Use your own certificates where needed.
-* Use TLS, NTLM and CA certificates to communicate with your Backend Servers.
-* Use Caddy with two OPNsense Firewalls in HA - only fully supported with custom certificates from OPNsense trust store.
+* Create easy Reverse Proxy entries, use the HTTP or DNS-01 Challenge to get quick and easy ACME Certificates with Let's Encrypt
+* Control Caddy and view the Logfile in the OPNsense GUI
+* Create more complicated nested handle structures with wildcard domains, subdomains, handles and catch all handles
+* Use your own certificates where needed
+* Use TLS, NTLM and CA certificates to communicate with your Backend Servers
+* Use Caddy with two OPNsense Firewalls in HA - only fully supported with custom certificates from OPNsense trust store
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 193aa298bf..16bb4de37f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -210,6 +210,39 @@ public function toggleHandleAction($uuid, $enabled = null)
     }
 
 
+    // Layer4 Section
+
+    public function searchLayer4Action()
+    {
+        return $this->searchBase("reverseproxy.layer4", null, 'description');
+    }
+
+    public function setLayer4Action($uuid)
+    {
+        return $this->setBase("layer4", "reverseproxy.layer4", $uuid);
+    }
+
+    public function addLayer4Action()
+    {
+        return $this->addBase("layer4", "reverseproxy.layer4");
+    }
+
+    public function getLayer4Action($uuid = null)
+    {
+        return $this->getBase("layer4", "reverseproxy.layer4", $uuid);
+    }
+
+    public function delLayer4Action($uuid)
+    {
+        return $this->delBase("reverseproxy.layer4", $uuid);
+    }
+
+    public function toggleLayer4Action($uuid, $enabled = null)
+    {
+        return $this->toggleBase("reverseproxy.layer4", $uuid, $enabled);
+    }
+
+
     // AccessList Section
 
     public function searchAccessListAction()
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
index fde12d63c7..d62de6c102 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -41,6 +41,7 @@ public function indexAction()
         $this->view->formDialogReverseProxy = $this->getForm("dialogReverseProxy");
         $this->view->formDialogSubdomain = $this->getForm("dialogSubdomain");
         $this->view->formDialogHandle = $this->getForm("dialogHandle");
+        $this->view->formDialogLayer4 = $this->getForm("dialogLayer4");
         $this->view->formDialogAccessList = $this->getForm("dialogAccessList");
         $this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
         $this->view->formDialogHeader = $this->getForm("dialogHeader");
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
new file mode 100644
index 0000000000..8abb5e9fd3
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -0,0 +1,64 @@
+<form>
+    <field>
+        <id>layer4.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable this Layer4 route.]]></help>
+    </field>
+    <field>
+        <id>layer4.FromDomain</id>
+        <label>Domain</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Enter one or multiple domains to route via SNI or Host Header. The domain will be added to the "listener_wrapper". Essentially, all traffic that Caddy receives on its frontend listeners (most likely the default HTTP and HTTPS ports) is funnelled through this wrapper to be processed and routed. Wildcard domains are allowed, e.g. "*.example.com". Host wildcards are allowed too, e.g. "*".]]></help>
+    </field>
+    <field>
+        <id>layer4.Matchers</id>
+        <label>Matchers</label>
+        <type>dropdown</type>
+        <help><![CDATA[Match the traffic of the selected domains. The TCP/UDP packets will be routed to the selected upstream domains without terminating TLS or altering the traffic. Only protocols that send a "Client Hello" (like TLS), or a "Host Header" (like HTTP) can be routed here. Routing Precedence: 1. "Host", 2. "SNI", 3. "not SNI", 4. "HTTP Handlers" (hidden default route for all unmatched traffic). The "not" operator will invert the match of the selected domains.]]></help>
+    </field>
+    <field>
+        <id>layer4.ToDomain</id>
+        <label>Upstream Domain</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy.]]></help>
+    </field>
+    <field>
+        <id>layer4.ToPort</id>
+        <label>Upstream Port</label>
+        <type>text</type>
+        <help><![CDATA[Choose a custom port for the upstream destination.]]></help>
+    </field>
+    <field>
+        <id>layer4.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this Layer4 route.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Health Check</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>layer4.PassiveHealthFailDuration</id>
+        <label>Upstream Fail Duration</label>
+        <type>text</type>
+        <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Proxy Protocol</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>layer4.ProxyProtocol</id>
+        <label>Proxy Protocol</label>
+        <type>dropdown</type>
+        <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
+    </field>
+</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 54cdbba934..36e3a2c588 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -5,6 +5,13 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable the Caddy web server.]]></help>
     </field>
+    <field>
+        <id>caddy.general.EnableLayer4</id>
+        <label>(Feature Preview) Enable Layer4</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable Layer4 support to stream TCP/UDP. WARNING: This feature is in active developement and the configuration can break or change in the future. The Layer4 app matches before the HTTP app. Deactivating this option will remove all Layer4 functionality completely. More information: https://github.com/mholt/caddy-l4]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>caddy.general.HttpPort</id>
         <label>HTTP Port</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 38cec5fc29..2ce870d443 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,13 +1,14 @@
 <model>
     <mount>//Pischem/caddy</mount>
-    <description>A GUI model for configuring a reverse proxy in the Caddy web server.</description>
-    <version>1.2.2</version>
+    <description>Caddy Reverse Proxy</description>
+    <version>1.3.0</version>
     <items>
         <general>
             <enabled type="BooleanField">
                 <Default>0</Default>
                 <Required>Y</Required>
             </enabled>
+            <EnableLayer4 type="BooleanField"/>
             <HttpPort type="PortField"/>
             <HttpsPort type="PortField"/>
             <TlsEmail type="EmailField"/>
@@ -386,6 +387,52 @@
                 </HeaderReplace>
                 <description type="DescriptionField"/>
             </header>
+            <layer4 type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <FromDomain type="HostnameField">
+                    <Required>Y</Required>
+                    <IpAllowed>N</IpAllowed>
+                    <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
+                    <HostWildcardAllowed>Y</HostWildcardAllowed>
+                    <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
+                    <ValidationMessage>Please enter one or multiple hostnames or FQDNs.</ValidationMessage>
+                </FromDomain>
+                <Matchers type="OptionField">
+                    <Required>Y</Required>
+                    <Default>tlssni</Default>
+                    <OptionValues>
+                        <httphost>Host (HTTP)</httphost>
+                        <tlssni>SNI (TLS)</tlssni>
+                        <nottlssni>not SNI (TLS)</nottlssni>
+                    </OptionValues>
+                </Matchers>
+                <ToDomain type="HostnameField">
+                    <Required>Y</Required>
+                    <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
+                    <ValidationMessage>Please enter one or multiple valid IP addresses, hostnames or FQDNs.</ValidationMessage>
+                </ToDomain>
+                <ToPort type="PortField">
+                    <Required>Y</Required>
+                </ToPort>
+                <PassiveHealthFailDuration type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>100</MaximumValue>
+                    <ValidationMessage>Please enter a value between 1 to 100.</ValidationMessage>
+                </PassiveHealthFailDuration>
+                <ProxyProtocol type="OptionField">
+                    <BlankDesc>Off (default)</BlankDesc>
+                    <OptionValues>
+                        <v1>v1</v1>
+                        <v2>v2</v2>
+                    </OptionValues>
+                </ProxyProtocol>
+                <description type="DescriptionField"/>
+            </layer4>
         </reverseproxy>
     </items>
 </model>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index 292dd13190..e226a83e3f 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -69,6 +69,7 @@
             // These fields do not need the validation workaround, they get their validation messages from core.
             let validationExceptions = [
                 "caddy.general.enabled",
+                "caddy.general.EnableLayer4",
                 "caddy.general.DisableSuperuser",
                 "caddy.general.HttpPort",
                 "caddy.general.HttpsPort",
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 9e2cea7c90..4df185cc76 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -61,6 +61,15 @@
             }
         });
 
+        $("#reverseLayer4Grid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchLayer4/',
+            get:'/api/caddy/ReverseProxy/getLayer4/',
+            set:'/api/caddy/ReverseProxy/setLayer4/',
+            add:'/api/caddy/ReverseProxy/addLayer4/',
+            del:'/api/caddy/ReverseProxy/delLayer4/',
+            toggle:'/api/caddy/ReverseProxy/toggleLayer4/',
+        });
+
         $("#reverseHandleGrid").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchHandle/',
             get:'/api/caddy/ReverseProxy/getHandle/',
@@ -152,10 +161,11 @@
             onAction: function(data, status) {
                 // Check if the action was successful
                 if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                    // Update only the service control UI for 'caddy'
                     showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
+                    // Update the service control UI for 'caddy'
                     updateServiceControlUI('caddy');
-                    checkAndToggleSubdomainsTab();
+                    // Update the Tab visibility
+                    initializeTabs()
                 } else {
                     console.error("{{ lang._('Action was not successful or an error occurred:') }}", data);
                 }
@@ -214,7 +224,7 @@
             toggleSelectPicker(currentTab);
         });
 
-        // Add click event listener for "Add Upstream" button
+        // Add click event listener for "Add HTTP Handler" button
         $("#addHandleBtn").on("click", function() {
             if ($('#maintabs .active a').attr('href') === "#handlesTab") {
                 // Directly open the dialog if already in the Handles tab
@@ -238,37 +248,44 @@
             }
         });
 
-        // Check and set the visibility of the Subdomains tab on initial load
-        checkAndToggleSubdomainsTab();
-
-        // Function to check and toggle Subdomains tab
-        function checkAndToggleSubdomainsTab() {
+        // Perform an API call to get data and check tabs' visibility on initial load
+        function initializeTabs() {
             $.ajax({
-                url: '/api/caddy/ReverseProxy/getAllReverseDomains',
+                url: '/api/caddy/reverse_proxy/get',
                 type: 'GET',
                 dataType: 'json',
                 success: function(response) {
-                    let hasWildcard = response.rows.some(domain => domain.domainPort.startsWith('*'));
-                    toggleSubdomainsTab(hasWildcard);
+                    // Check for wildcards in domains to toggle Subdomains tab
+                    const hasWildcard = Object.values(response.caddy.reverseproxy.reverse).some(entry => entry.FromDomain.startsWith('*'));
+                    toggleTabVisibility('#tab-subdomains', hasWildcard);
+
+                    // Check if Layer 4 is enabled to toggle the Layer 4 tab
+                    const enableLayer4 = response.caddy.general.EnableLayer4 === '1';
+                    toggleTabVisibility('#tab-layer4', enableLayer4);
                 },
                 error: function() {
-                    console.error("{{ lang._('Failed to load domain data from getAllReverseDomains') }}");
+                    console.error("{{ lang._('Failed to load data from /api/caddy/reverse_proxy/get') }}");
                 }
             });
         }
 
-        // Function to show or hide the Subdomains tab
-        function toggleSubdomainsTab(visible) {
-            let subdomainsTab = $('#maintabs a[href="#subdomainsTab"]').parent();
+        // Generic function to show or hide a tab and switch to another tab if the current one is hidden
+        function toggleTabVisibility(tabSelector, visible) {
+            let tab = $(tabSelector);
             if (visible) {
-                subdomainsTab.show();
+                tab.show();
             } else {
-                subdomainsTab.hide();
-                if (subdomainsTab.hasClass('active')) {
-                    $('#maintabs a[href="#domainsTab"]').tab('show');
+                tab.hide();
+                // Switch to 'Domains' tab if the currently active tab is being hidden
+                if (tab.hasClass('active')) {
+                    $('#tab-domains a').tab('show');
                 }
             }
         }
+
+        // Initialize tabs on load
+        initializeTabs();
+
     });
 </script>
 
@@ -284,14 +301,16 @@
         font-size: 16px;
         font-style: italic;
     }
+
 </style>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#domainsTab">{{ lang._('Domains') }}</a></li>
-    <li><a data-toggle="tab" href="#subdomainsTab">{{ lang._('Subdomains') }}</a></li>
-    <li><a data-toggle="tab" href="#handlesTab">{{ lang._('Handlers') }}</a></li>
-    <li><a data-toggle="tab" href="#accessTab">{{ lang._('Access') }}</a></li>
-    <li><a data-toggle="tab" href="#headerTab">{{ lang._('Headers') }}</a></li>
+    <li id="tab-layer4" style="display: none;"><a data-toggle="tab" href="#layer4Tab">{{ lang._('Layer4 Routes') }}</a></li>
+    <li id="tab-domains" class="active"><a data-toggle="tab" href="#domainsTab">{{ lang._('Domains') }}</a></li>
+    <li id="tab-subdomains" style="display: none;"><a data-toggle="tab" href="#subdomainsTab">{{ lang._('Subdomains') }}</a></li>
+    <li id="tab-handlers"><a data-toggle="tab" href="#handlesTab">{{ lang._('HTTP Handlers') }}</a></li>
+    <li id="tab-access"><a data-toggle="tab" href="#accessTab">{{ lang._('HTTP Access') }}</a></li>
+    <li id="tab-headers"><a data-toggle="tab" href="#headerTab">{{ lang._('HTTP Headers') }}</a></li>
 </ul>
 
 <div class="tab-content content-box">
@@ -300,7 +319,7 @@
         <!-- Button group on the left -->
         <div>
             <button id="addDomainBtn" type="button" class="btn btn-secondary">{{ lang._('Step 1: Add Domain') }}</button>
-            <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add Upstream') }}</button>
+            <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add HTTP Handler') }}</button>
         </div>
         <!-- Selectpicker on the right -->
         <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="348px" data-size="7" title="{{ lang._('Filter by Domain') }}">
@@ -388,7 +407,7 @@
     <!-- Handle Tab -->
     <div id="handlesTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
+            <h1 class="custom-header">{{ lang._('HTTP Handlers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHandleGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHandle" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -498,7 +517,7 @@
     <!-- Header Tab -->
     <div id="headerTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Headers') }}</h1>
+            <h1 class="custom-header">{{ lang._('HTTP Headers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -527,6 +546,42 @@
             </div>
         </div>
     </div>
+
+    <!-- Layer4 Tab -->
+    <div id="layer4Tab" class="tab-pane fade">
+        <div style="padding-left: 16px;">
+            <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
+            <div style="display: block;"> <!-- Common container -->
+                <table id="reverseLayer4Grid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
+                            <th data-column-id="Matchers" data-type="string">{{ lang._('Matcher') }}</th>
+                            <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
+                            <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
+                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
+                            <th data-column-id="ProxyProtocol" data-type="string" data-visible="false">{{ lang._('Proxy Protocol') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addReverseLayer4Btn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+    </div>
 </div>
 
 <!-- Reconfigure Button -->
@@ -551,9 +606,10 @@
     </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':'DialogReverseProxy','label':lang._('Edit Reverse Proxy Domain')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':'DialogSubdomain','label':lang._('Edit Reverse Proxy Subdomain')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit Handler')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':'DialogReverseProxy','label':lang._('Edit Domain')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':'DialogSubdomain','label':lang._('Edit Subdomain')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit HTTP Handler')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit Header')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit HTTP Header')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':'DialogLayer4','label':lang._('Edit Layer4 Route')])}}
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index f938266231..2ee50d2715 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -78,9 +78,11 @@
     #}
     {% set accessListUuid = generalSettings.accesslist %}
     {% set logCredentials = generalSettings.LogCredentials %}
+    {% set enableLayer4 = generalSettings.EnableLayer4 %}
 
     {% set hasAccessList = false %}
     {% set hasLogCredentials = false %}
+    {% set hasEnableLayer4 = false %}
 
     {% if accessListUuid %}
         {% set accessList = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', accessListUuid) | first %}
@@ -93,7 +95,11 @@
         {% set hasLogCredentials = true %}
     {% endif %}
 
-    {% if hasAccessList or hasLogCredentials %}
+    {% if enableLayer4 == '1' %}
+        {% set hasEnableLayer4 = true %}
+    {% endif %}
+
+    {% if hasAccessList or hasLogCredentials or hasEnableLayer4 %}
     servers {
         {% if hasAccessList %}
             trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
@@ -101,6 +107,13 @@
         {% if hasLogCredentials %}
             log_credentials
         {% endif %}
+        {% if hasEnableLayer4 %}
+            listener_wrappers {
+                {# Plug the Layer 4 template in #}
+                {% include "OPNsense/Caddy/includeLayer4" %}
+
+            }
+        {% endif %}
     }
     {% endif %}
 
@@ -234,6 +247,32 @@
 
 # Reverse Proxy Configuration
 
+{#
+#   When Layer4 is active, set default ports.
+#   Caddy does not set them up automatically under certain conditions.
+#   For example when AutoHTTPS would be off, or no domains have been configured.
+#   There are no regressions to set these ports up.
+#}
+
+{% if enableLayer4|default("0") == "1" %}
+    # Layer4 default HTTP port
+    {% if httpPort %}
+        :{{ httpPort }} {
+        }
+    {% else %}
+        :80 {
+        }
+    {% endif %}
+    # Layer4 default HTTPS port
+    {% if httpsPort %}
+        :{{ httpsPort }} {
+        }
+    {% else %}
+        :443 {
+        }
+    {% endif %}
+{% endif %}
+
 {#
 #   Section: HTTP-01 Challenge Redirection
 #   Purpose: A small premade reverse_proxy section
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
new file mode 100644
index 0000000000..a74eeeafdf
--- /dev/null
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -0,0 +1,57 @@
+{#
+# This file sets up the listener_wrapper for layer 4 routing support.
+# - Section: Servers Global Configuration
+# Also allows for custom configurations with the import statement.
+#}
+{% set layer4_configs = helpers.toList('Pischem.caddy.reverseproxy.layer4') %}
+
+{# Define a macro for setting up the proxy #}
+{% macro setup_proxy(to_domains, to_port, fail_duration, proxy_protocol) %}
+    proxy {% for domain in to_domains.split(',') %}
+        {% set is_ipv6 = (':' in domain) %}  {# Check if the domain contains a colon, typical in IPv6 addresses #}
+        {{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ to_port }}{% if not loop.last %} {% endif %}
+    {% endfor %} {
+    {% if fail_duration %}
+        fail_duration {{ fail_duration }}s
+    {% endif %}
+    {% if proxy_protocol %}
+        proxy_protocol {{ proxy_protocol }}
+    {% endif %}
+    }
+{% endmacro %}
+
+{# Set up Layer4 App #}
+layer4 {
+    import /usr/local/etc/caddy/caddy.d/*.layer4
+    {# 1. loop to handle http host matchers #}
+    {% for layer4 in layer4_configs %}
+        {% if layer4.enabled == "1" and layer4.Matchers == 'httphost' %}
+            @{{ layer4['@uuid'] }} http host {{ layer4.FromDomain.replace(',', ' ') }}
+            route @{{ layer4['@uuid'] }} {
+                {{ setup_proxy(layer4.ToDomain, layer4.ToPort, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+            }
+        {% endif %}
+    {% endfor %}
+    {# 2. loop to handle tls sni matchers #}
+    {% for layer4 in layer4_configs %}
+        {% if layer4.enabled == "1" and layer4.Matchers == 'tlssni' %}
+            @{{ layer4['@uuid'] }} tls sni {{ layer4.FromDomain.replace(',', ' ') }}
+            route @{{ layer4['@uuid'] }} {
+                {{ setup_proxy(layer4.ToDomain, layer4.ToPort, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+            }
+        {% endif %}
+    {% endfor %}
+    {# 3. loop to handle not tls sni matchers #}
+    {% for layer4 in layer4_configs %}
+        {% if layer4.enabled == "1" and layer4.Matchers == 'nottlssni' %}
+            @{{ layer4['@uuid'] }} not tls sni {{ layer4.FromDomain.replace(',', ' ') }}
+            route @{{ layer4['@uuid'] }} {
+                {{ setup_proxy(layer4.ToDomain, layer4.ToPort, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+            }
+        {% endif %}
+    {% endfor %}
+    {# Empty Route that catches all other traffic #}
+    route
+}
+{# Route all other traffic to HTTP App #}
+tls

From 548909f5cc213c935701b1484a2f1d8d2fef96d7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 30 Jul 2024 12:14:02 +0200
Subject: [PATCH 2000/3088] www/squid: wrap it up

---
 www/squid/Makefile  | 2 +-
 www/squid/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index cfc272dd5c..7da7431380 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index 2840d18089..f2e5e9c852 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -10,3 +10,4 @@ Plugin Changelog
 * Initial version based on the OPNsense 23.7.12 core code
 * Workaround for segmentation faults using OpenSSL legacy provider
 * Correct migration to Python ipaddress library use
+* Set default ACL values vor Safe_ports and SSL_ports

From fcbce1d93b2880e2f90ad73ce03cc3ece9066c7a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 31 Jul 2024 11:26:00 +0200
Subject: [PATCH 2001/3088] security/etpro-telemetry: bump revision

---
 security/etpro-telemetry/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index c89521644f..0c893d14fa 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.7
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From 90b49ceca34d037fd3073622d807f27e28b27d29 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 31 Jul 2024 11:42:40 +0200
Subject: [PATCH 2002/3088] www/caddy: Add remaining compatible Layer4 traffic
 matchers (#4133)

* www/caddy: Add Layer4 SSH traffic matcher.

* www/caddy: Restructure Layer4 protocol names.

* www/caddy: Also change the names in the help text.

* www/caddy: Generalize additional protocol handling, add remaining supported protocols for layer4 routing.
---
 www/caddy/pkg-descr                           |  1 +
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |  4 +--
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 34 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 13 +++++--
 .../templates/OPNsense/Caddy/includeLayer4    | 15 ++++++--
 5 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index d8a139e4c2..4edfff9d1e 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -32,6 +32,7 @@ Plugin Changelog
 
 * Add: Authentik as authentication provider (contributed by Tim-Sc)
 * Add: Feature Preview - Layer4 routing to proxy traffic without TLS termination. Can be enabled in advanced mode of "General Settings"
+* Add: Layer4 protocols: HTTP, Postgres, Proxy Protocol, RDP, SOCKS4, SOCKS5, SSH, TLS, XMPP
 
 1.6.1
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 8abb5e9fd3..307937560f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -11,13 +11,13 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Enter one or multiple domains to route via SNI or Host Header. The domain will be added to the "listener_wrapper". Essentially, all traffic that Caddy receives on its frontend listeners (most likely the default HTTP and HTTPS ports) is funnelled through this wrapper to be processed and routed. Wildcard domains are allowed, e.g. "*.example.com". Host wildcards are allowed too, e.g. "*".]]></help>
+        <help><![CDATA[Enter one or multiple domains to route via SNI or Host Header. The domain will be added to the "listener_wrapper". Essentially, all traffic that Caddy receives on its frontend listeners (most likely the default HTTP and HTTPS ports) is funnelled through this wrapper to be processed and routed. Wildcard domains are allowed, e.g. "*.example.com". Host wildcards are allowed too, e.g. "*". Some protocols match all domains and "*" is mandatory.]]></help>
     </field>
     <field>
         <id>layer4.Matchers</id>
         <label>Matchers</label>
         <type>dropdown</type>
-        <help><![CDATA[Match the traffic of the selected domains. The TCP/UDP packets will be routed to the selected upstream domains without terminating TLS or altering the traffic. Only protocols that send a "Client Hello" (like TLS), or a "Host Header" (like HTTP) can be routed here. Routing Precedence: 1. "Host", 2. "SNI", 3. "not SNI", 4. "HTTP Handlers" (hidden default route for all unmatched traffic). The "not" operator will invert the match of the selected domains.]]></help>
+        <help><![CDATA[Match the traffic of the selected domains. The TCP/UDP packets will be routed to the selected upstream domains without terminating TLS or altering the traffic. Only protocols that send a "Client Hello" (like TLS), or a "Host Header" (like HTTP) can be routed here. Routing Precedence: 1. "SSH (or other protocols)", 2. "HTTP (Host Header)", 3. "TLS (SNI)", 4. "TLS (inverted SNI)", 5. "HTTP Handlers" (hidden default route for all unmatched traffic). The "SSH" matcher (and any other matcher that does not evaluate Host Header or SNI), will match any SSH like traffic on the default ports. That means, these protocols will only match once per ruleset and will proxy traffic to one upstream.]]></help>
     </field>
     <field>
         <id>layer4.ToDomain</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index beca19c9c1..c493ae9b6b 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -266,6 +266,37 @@ private function checkSuperuserPorts($messages)
         }
     }
 
+    /**
+    * 6. Check that when certain Layer4 matchers are selected, only "*" is valid as FromDomain.
+    * This happens because they cannot be matched by host header or SNI, so they match all traffic.
+    * The "*" shows the user that all traffic will be matched, and that creating multiple
+    * matchers will not result in more routes for the same traffic type to work.
+    */
+    private function checkLayer4Matchers($messages)
+    {
+        foreach ($this->reverseproxy->layer4->iterateItems() as $item) {
+            $matchers = (string) $item->Matchers;
+            $fromDomain = (string) $item->FromDomain;
+
+            // Check if matchers is not in the list of specific values
+            $isNotInSpecificMatchers = !in_array($matchers, ['httphost', 'tlssni', 'nottlssni']);
+            $isInvalidFromDomain = $fromDomain !== '*';
+
+            if ($isNotInSpecificMatchers && $isInvalidFromDomain) {
+                $key = $item->__reference;
+                $messages->appendMessage(new Message(
+                    sprintf(
+                        gettext(
+                            'When "%s" matcher is selected, the only valid entry in Domain is "*".'
+                        ),
+                        $matchers
+                    ),
+                    $key . ".FromDomain"
+                ));
+            }
+        }
+    }
+
     // Perform the actual validation
     public function performValidation($validateFullModel = false)
     {
@@ -296,6 +327,9 @@ public function performValidation($validateFullModel = false)
         // 6. Check DisableSuperuser Port conflicts
         $this->checkSuperuserPorts($messages);
 
+        // 7. Check Layer4 matchers
+        $this->checkLayer4Matchers($messages);
+
         return $messages;
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 2ce870d443..b271254605 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -405,9 +405,16 @@
                     <Required>Y</Required>
                     <Default>tlssni</Default>
                     <OptionValues>
-                        <httphost>Host (HTTP)</httphost>
-                        <tlssni>SNI (TLS)</tlssni>
-                        <nottlssni>not SNI (TLS)</nottlssni>
+                        <httphost>HTTP (Host Header)</httphost>
+                        <postgres>Postgres</postgres>
+                        <proxy_protocol>Proxy Protocol</proxy_protocol>
+                        <rdp>RDP</rdp>
+                        <socks4>SOCKSv4</socks4>
+                        <socks5>SOCKSv5</socks5>
+                        <ssh>SSH</ssh>
+                        <tlssni>TLS (SNI)</tlssni>
+                        <nottlssni>TLS (inverted SNI)</nottlssni>
+                        <xmpp>XMPP</xmpp>
                     </OptionValues>
                 </Matchers>
                 <ToDomain type="HostnameField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index a74eeeafdf..c6a20dab4e 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -23,7 +23,16 @@
 {# Set up Layer4 App #}
 layer4 {
     import /usr/local/etc/caddy/caddy.d/*.layer4
-    {# 1. loop to handle http host matchers #}
+    {# 1. loop to handle any traffic matchers that can only be added once since they match all specific protocol traffic. #}
+    {% for layer4 in layer4_configs %}
+        {% if layer4.enabled == "1" and layer4.Matchers not in ['httphost', 'tlssni', 'nottlssni'] %}
+            @{{ layer4['@uuid'] }} {{ layer4.Matchers }}
+            route @{{ layer4['@uuid'] }} {
+                {{ setup_proxy(layer4.ToDomain, layer4.ToPort, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+            }
+        {% endif %}
+    {% endfor %}
+    {# 2. loop to handle http host matchers #}
     {% for layer4 in layer4_configs %}
         {% if layer4.enabled == "1" and layer4.Matchers == 'httphost' %}
             @{{ layer4['@uuid'] }} http host {{ layer4.FromDomain.replace(',', ' ') }}
@@ -32,7 +41,7 @@ layer4 {
             }
         {% endif %}
     {% endfor %}
-    {# 2. loop to handle tls sni matchers #}
+    {# 3. loop to handle tls sni matchers #}
     {% for layer4 in layer4_configs %}
         {% if layer4.enabled == "1" and layer4.Matchers == 'tlssni' %}
             @{{ layer4['@uuid'] }} tls sni {{ layer4.FromDomain.replace(',', ' ') }}
@@ -41,7 +50,7 @@ layer4 {
             }
         {% endif %}
     {% endfor %}
-    {# 3. loop to handle not tls sni matchers #}
+    {# 4. loop to handle not tls sni matchers #}
     {% for layer4 in layer4_configs %}
         {% if layer4.enabled == "1" and layer4.Matchers == 'nottlssni' %}
             @{{ layer4['@uuid'] }} not tls sni {{ layer4.FromDomain.replace(',', ' ') }}

From b30d8b5be3de299e867a49bf6342b0f67866173c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 31 Jul 2024 14:56:51 +0200
Subject: [PATCH 2003/3088] net-mgmt/net-snmp: do not drop privileges (#4138)

Appears to have changed in FreeBSD ports default behaviour.

PR: https://github.com/opnsense/plugins/issues/4137
---
 net-mgmt/net-snmp/Makefile                                      | 2 +-
 .../src/opnsense/service/templates/OPNsense/Netsnmp/snmpd       | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 5983317cc7..3377f582f8 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		net-snmp
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		Net-SNMP is a daemon for the SNMP protocol
 PLUGIN_DEPENDS=		net-snmp
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd
index 963f3c689b..320bfe9550 100644
--- a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd
+++ b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd
@@ -1,6 +1,7 @@
 {% if helpers.exists('OPNsense.netsnmp.general.enabled') and OPNsense.netsnmp.general.enabled == '1' %}
 snmpd_setup="/usr/local/opnsense/scripts/OPNsense/Netsnmp/setup.sh"
 snmpd_enable="YES"
+snmpd_sugid="NO"
 {% else %}
 snmpd_enable="NO"
 {% endif %}

From 5e177e30c3c0f5e417f76d6856b9ee3875d1e614 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 1 Aug 2024 11:17:12 +0200
Subject: [PATCH 2004/3088] security/intrusion-detection-content-snort-vrt:
 bump version

---
 security/intrusion-detection-content-snort-vrt/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/intrusion-detection-content-snort-vrt/Makefile b/security/intrusion-detection-content-snort-vrt/Makefile
index a2f900e6b7..d69fc583f8 100644
--- a/security/intrusion-detection-content-snort-vrt/Makefile
+++ b/security/intrusion-detection-content-snort-vrt/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		intrusion-detection-content-snort-vrt
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		IDS Snort VRT ruleset (needs registration or subscription)
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://www.snort.org/downloads#rules

From 25ec135f0a20cecb94471860cf9bd27c0ee60588 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 2 Aug 2024 09:27:13 +0200
Subject: [PATCH 2005/3088] security/acme-client: backend result changes
 slightly

---
 .../OPNsense/AcmeClient/LeValidation/HttpOpnsense.php    | 9 +++++++--
 .../OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php     | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 81838ffdd5..d834b10757 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -74,8 +74,13 @@ public function prepare()
         if (!empty((string)$this->config->http_opn_interface)) {
             $backend = new \OPNsense\Core\Backend();
             $response = json_decode($backend->configdpRun('interface address', [(string)$this->config->http_opn_interface]));
-            if (!empty($response->address)) {
-                $iplist[] = $response->address;
+            // XXX Returns both IPv4 and IPv6 now. While "[0]" and
+            // "[1]" should remain in this order it would make sense
+            // to ensure "family" matches "inet" or "inet6" and/or
+            // pull both addresses for missing IPv6 support depending
+            // on how this should work.
+            if (!empty($response[0]->address)) {
+                $iplist[] = $response[0]->address;
             }
         }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index 9904e5d31c..b5d97581b9 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -75,8 +75,13 @@ public function prepare()
         if (!empty((string)$this->config->tlsalpn_acme_interface)) {
             $backend = new \OPNsense\Core\Backend();
             $response = json_decode($backend->configdpRun('interface address', [(string)$this->config->tlsalpn_acme_interface]));
-            if (!empty($response->address)) {
-                $iplist[] = $response->address;
+            // XXX Returns both IPv4 and IPv6 now. While "[0]" and
+            // "[1]" should remain in this order it would make sense
+            // to ensure "family" matches "inet" or "inet6" and/or
+            // pull both addresses for missing IPv6 support depending
+            // on how this should work.
+            if (!empty($response[0]->address)) {
+                $iplist[] = $response[0]->address;
             }
         }
 

From cab23a684b902e5af00815a06bba7841a62d80a9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 2 Aug 2024 10:34:30 +0200
Subject: [PATCH 2006/3088] security/acme-client: change interface again for
 reasons

If we call the backend without an interface parameter we will return all
of them.  To provide parity with single interface check keep the interface
key so we need to access it directly as well.
---
 .../OPNsense/AcmeClient/LeValidation/HttpOpnsense.php      | 7 ++++---
 .../OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php       | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index d834b10757..12ab4ba56c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -73,14 +73,15 @@ public function prepare()
         // Add IP address from chosen interface
         if (!empty((string)$this->config->http_opn_interface)) {
             $backend = new \OPNsense\Core\Backend();
-            $response = json_decode($backend->configdpRun('interface address', [(string)$this->config->http_opn_interface]));
+            $interface = (string)$this->config->http_opn_interface;
+            $response = json_decode($backend->configdpRun('interface address', [$interface]));
             // XXX Returns both IPv4 and IPv6 now. While "[0]" and
             // "[1]" should remain in this order it would make sense
             // to ensure "family" matches "inet" or "inet6" and/or
             // pull both addresses for missing IPv6 support depending
             // on how this should work.
-            if (!empty($response[0]->address)) {
-                $iplist[] = $response[0]->address;
+            if (!empty($response->$interface[0]->address)) {
+                $iplist[] = $response->$interface[0]->address;
             }
         }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index b5d97581b9..03a4f9d763 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -74,14 +74,15 @@ public function prepare()
         // Add IP address from chosen interface
         if (!empty((string)$this->config->tlsalpn_acme_interface)) {
             $backend = new \OPNsense\Core\Backend();
-            $response = json_decode($backend->configdpRun('interface address', [(string)$this->config->tlsalpn_acme_interface]));
+            $interface = (string)$this->config->tlsalpn_acme_interface;
+            $response = json_decode($backend->configdpRun('interface address', [$interface]));
             // XXX Returns both IPv4 and IPv6 now. While "[0]" and
             // "[1]" should remain in this order it would make sense
             // to ensure "family" matches "inet" or "inet6" and/or
             // pull both addresses for missing IPv6 support depending
             // on how this should work.
-            if (!empty($response[0]->address)) {
-                $iplist[] = $response[0]->address;
+            if (!empty($response->$interface[0]->address)) {
+                $iplist[] = $response->$interface[0]->address;
             }
         }
 

From dd68ab68d88c5afd355a1662cfc4bcb44117a4ed Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 2 Aug 2024 13:46:07 +0200
Subject: [PATCH 2007/3088] dns/ddclient: Add Dyndns widget for new dashboard
 (#4145)

* dns/ddclient: Add Dyndns widget for new dashboard.
---
 .../src/opnsense/www/js/widgets/Dyndns.js     | 136 ++++++++++++++++++
 .../www/js/widgets/Metadata/Dyndns.xml        |  20 +++
 2 files changed, 156 insertions(+)
 create mode 100644 dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
 create mode 100644 dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml

diff --git a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
new file mode 100644
index 0000000000..c0da3944b9
--- /dev/null
+++ b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2024 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import BaseTableWidget from "./BaseTableWidget.js";
+
+export default class Dyndns extends BaseTableWidget {
+    constructor() {
+        super();
+    }
+
+    getGridOptions() {
+        return {
+            // Trigger overflow-y:scroll after 650px height
+            sizeToContent: 650
+        };
+    }
+
+    getMarkup() {
+        let $container = $('<div></div>');
+        let $dyndnsTable = this.createTable('dyndnsTable', {
+            headerPosition: 'top',
+            headers: [
+                this.translations.service,
+                // this.translations.domains
+            ]
+        });
+
+        $container.append($dyndnsTable);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        // Check if DynDNS is enabled
+        const statusData = await this.ajaxCall('/api/dyndns/service/status');
+        if (!statusData || statusData.status !== "running") {
+            this.displayError(this.translations.servicedisabled);
+            return;
+        }
+
+        // Fetch DynDNS account information
+        const accountData = await this.ajaxCall('/api/dyndns/accounts/search_item');
+        if (!accountData || !accountData.rows || accountData.rows.length === 0) {
+            this.displayError(this.translations.noaccount);
+            return;
+        }
+
+        this.processAccounts(accountData.rows);
+    }
+
+    // Utility function to display errors within the widget
+    displayError(message) {
+        const $error = $(`
+            <div class="error-message">
+                <a href="/ui/dyndns/" target="_blank">${message}</a>
+            </div>
+        `);
+        $('#dyndnsTable').empty().append($error);
+    }
+
+    processAccounts(accounts) {
+        if (!this.dataChanged('accounts', accounts)) {
+            return;
+        }
+
+        $('.dyndns-tooltip').tooltip('hide');
+
+        let rows = [];
+        accounts.forEach(account => {
+            let colorClass = account.enabled === "1" ? 'text-success' : 'text-danger';
+            let tooltipText = account.enabled === "1" ? this.translations.enabled : this.translations.disabled;
+
+            let domainNames = account.hostnames.split(',')
+                  .map(domain => `<div>${domain}</div>`)
+                  .join('');
+
+            // Convert time to a localized format
+            let localizedTime = account.current_mtime ? new Date(account.current_mtime).toLocaleString() : this.translations.undefined;
+            let currentIp = account.current_ip || this.translations.undefined;
+
+            let row = [
+                `
+                    <div class="dyndns-service">
+                        <i class="fa fa-circle ${colorClass} dyndns-tooltip" style="cursor: pointer;" title="${tooltipText}"></i>
+                        &nbsp;<a href="/ui/dyndns/" target="_blank">${account.service}</a>
+                    </div>
+                    <div class="current-ip"><em>${this.translations.currentip}:</em> ${currentIp}</div>
+                    <div class="current-mtime"><em>${this.translations.currentmtime}:</em> ${localizedTime}</div>
+                `,
+                `
+                    <div><u>${this.translations.domains}</u></div>
+                    <div class="domain-names">${domainNames}</div>
+                `
+            ];
+
+            rows.push(row);
+        });
+
+        // Update table with rows
+        super.updateTable('dyndnsTable', rows);
+
+        // Initialize tooltips
+        $('.dyndns-tooltip').tooltip({container: 'body'});
+    }
+
+    onWidgetResize(elem, width, height) {
+        if (width < 320) {
+            $('.domain-names').parent().hide();
+        } else {
+            $('.domain-names').parent().show();
+        }
+        return true; // Return true to force the grid to update its layout
+    }
+}
diff --git a/dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml b/dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml
new file mode 100644
index 0000000000..43a822cb33
--- /dev/null
+++ b/dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml
@@ -0,0 +1,20 @@
+<metadata>
+    <ddclient>
+        <filename>Dyndns.js</filename>
+        <endpoints>
+            <endpoint>/api/dyndns/*</endpoint>
+        </endpoints>
+        <translations>
+            <title>Dynamic DNS</title>
+            <servicedisabled>DynDNS service is not running</servicedisabled>
+            <noaccount>No DynDNS account information available</noaccount>
+            <enabled>Enabled</enabled>
+            <disabled>Disabled</disabled>
+            <currentip>Current IP</currentip>
+            <currentmtime>Updated</currentmtime>
+            <domains>Hostnames</domains>
+            <service>Accounts</service>
+            <undefined>N/A</undefined>
+        </translations>
+    </ddclient>
+</metadata>

From 8bc3779eeb304bc8d338b374e56d42c941a7d51b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 5 Aug 2024 11:50:39 +0200
Subject: [PATCH 2008/3088] www/caddy: Add remote_ip matcher for access list
 functionality in Layer4 proxy (#4147)

---
 www/caddy/pkg-descr                           |  1 +
 .../OPNsense/Caddy/forms/dialogLayer4.xml     | 13 +++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  6 ++++
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  1 +
 .../templates/OPNsense/Caddy/includeLayer4    | 29 +++++++++++++++----
 5 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 4edfff9d1e..df004fa8ca 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -33,6 +33,7 @@ Plugin Changelog
 * Add: Authentik as authentication provider (contributed by Tim-Sc)
 * Add: Feature Preview - Layer4 routing to proxy traffic without TLS termination. Can be enabled in advanced mode of "General Settings"
 * Add: Layer4 protocols: HTTP, Postgres, Proxy Protocol, RDP, SOCKS4, SOCKS5, SSH, TLS, XMPP
+* Add: Layer4 Remote IP matcher to restrict access to proxied services
 
 1.6.1
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 307937560f..bbc7d6b308 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -61,4 +61,17 @@
         <type>dropdown</type>
         <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Access</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>layer4.RemoteIp</id>
+        <label>Remote IP</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Enter one or multiple IP addresses and networks. Leaving this empty will allow any remote client to connect. If populated and the remote IP address of a client matches, the connection to the "Upstream Domain" is allowed, otherwise the connection is dropped. Due to restrictions with this matcher, this list can not be inverted.]]></help>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index b271254605..d3c0d2ed28 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -438,6 +438,12 @@
                         <v2>v2</v2>
                     </OptionValues>
                 </ProxyProtocol>
+                <RemoteIp type="NetworkField">
+                    <FieldSeparator>,</FieldSeparator>
+                    <AsList>Y</AsList>
+                    <Strict>Y</Strict>
+                    <ValidationMessage>Please enter one or multiple valid IP addresses or networks.</ValidationMessage>
+                </RemoteIp>
                 <description type="DescriptionField"/>
             </layer4>
         </reverseproxy>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 4df185cc76..f16163bebd 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -561,6 +561,7 @@
                             <th data-column-id="Matchers" data-type="string">{{ lang._('Matcher') }}</th>
                             <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
                             <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
+                            <th data-column-id="RemoteIp" data-type="string" data-visible="false">{{ lang._('Remote IP') }}</th>
                             <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
                             <th data-column-id="ProxyProtocol" data-type="string" data-visible="false">{{ lang._('Proxy Protocol') }}</th>
                             <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index c6a20dab4e..7eb367b6bf 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -5,8 +5,8 @@
 #}
 {% set layer4_configs = helpers.toList('Pischem.caddy.reverseproxy.layer4') %}
 
-{# Define a macro for setting up the proxy #}
-{% macro setup_proxy(to_domains, to_port, fail_duration, proxy_protocol) %}
+{# Nested Macro for proxy definition #}
+{% macro define_proxy(to_domains, to_port, fail_duration, proxy_protocol) %}
     proxy {% for domain in to_domains.split(',') %}
         {% set is_ipv6 = (':' in domain) %}  {# Check if the domain contains a colon, typical in IPv6 addresses #}
         {{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ to_port }}{% if not loop.last %} {% endif %}
@@ -20,6 +20,23 @@
     }
 {% endmacro %}
 
+{# Macro for configuring the proxy with additional remote IP access list #}
+{% macro configure_proxy(to_domains, to_port, remote_ips, fail_duration, proxy_protocol) %}
+    {% if remote_ips %}
+        {% set ip_list = remote_ips.split(',') %}
+        subroute {
+            @allowed_ips remote_ip {{ ip_list|join(' ') }}
+            route @allowed_ips {
+                {# Call Nested Macro #}
+                {{ define_proxy(to_domains, to_port, fail_duration, proxy_protocol) }}
+            }
+        }
+    {% else %}
+        {# Call Nested Macro #}
+        {{ define_proxy(to_domains, to_port, fail_duration, proxy_protocol) }}
+    {% endif %}
+{% endmacro %}
+
 {# Set up Layer4 App #}
 layer4 {
     import /usr/local/etc/caddy/caddy.d/*.layer4
@@ -28,7 +45,7 @@ layer4 {
         {% if layer4.enabled == "1" and layer4.Matchers not in ['httphost', 'tlssni', 'nottlssni'] %}
             @{{ layer4['@uuid'] }} {{ layer4.Matchers }}
             route @{{ layer4['@uuid'] }} {
-                {{ setup_proxy(layer4.ToDomain, layer4.ToPort, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                {{ configure_proxy(layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
             }
         {% endif %}
     {% endfor %}
@@ -37,7 +54,7 @@ layer4 {
         {% if layer4.enabled == "1" and layer4.Matchers == 'httphost' %}
             @{{ layer4['@uuid'] }} http host {{ layer4.FromDomain.replace(',', ' ') }}
             route @{{ layer4['@uuid'] }} {
-                {{ setup_proxy(layer4.ToDomain, layer4.ToPort, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                {{ configure_proxy(layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
             }
         {% endif %}
     {% endfor %}
@@ -46,7 +63,7 @@ layer4 {
         {% if layer4.enabled == "1" and layer4.Matchers == 'tlssni' %}
             @{{ layer4['@uuid'] }} tls sni {{ layer4.FromDomain.replace(',', ' ') }}
             route @{{ layer4['@uuid'] }} {
-                {{ setup_proxy(layer4.ToDomain, layer4.ToPort, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                {{ configure_proxy(layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
             }
         {% endif %}
     {% endfor %}
@@ -55,7 +72,7 @@ layer4 {
         {% if layer4.enabled == "1" and layer4.Matchers == 'nottlssni' %}
             @{{ layer4['@uuid'] }} not tls sni {{ layer4.FromDomain.replace(',', ' ') }}
             route @{{ layer4['@uuid'] }} {
-                {{ setup_proxy(layer4.ToDomain, layer4.ToPort, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                {{ configure_proxy(layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
             }
         {% endif %}
     {% endfor %}

From 1245d3b5bec94cbbacfb4bb8f2d74b663d59ee93 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 6 Aug 2024 14:09:29 +0200
Subject: [PATCH 2009/3088] dashboard: Implement cache safe imports of base
 classes (#4157)

---
 dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js              | 2 +-
 .../src/opnsense/www/js/widgets/ETProTelemetry.js               | 2 +-
 sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js            | 2 +-
 www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js       | 2 +-
 www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js            | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
index c0da3944b9..6c1dc2f2a9 100644
--- a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
+++ b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
@@ -24,7 +24,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from "./BaseTableWidget.js";
+import BaseTableWidget from 'widget-base-table';
 
 export default class Dyndns extends BaseTableWidget {
     constructor() {
diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index fe1709993e..4394e0cda8 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -24,7 +24,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from "./BaseTableWidget.js";
+import BaseTableWidget from 'widget-base-table';
 
 export default class ETProTelemetry extends BaseTableWidget {
     constructor() {
diff --git a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
index b665d7d201..f8b4bdb2e4 100644
--- a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
+++ b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
@@ -24,7 +24,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseWidget from "./BaseWidget.js";
+import BaseWidget from 'widget-base';
 
 export default class DecHW extends BaseWidget {
     constructor() {
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
index f37eeca311..e3b99f428a 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -24,7 +24,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from "./BaseTableWidget.js";
+import BaseTableWidget from 'widget-base-table';
 
 export default class CaddyCertificate extends BaseTableWidget {
     constructor() {
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
index be8bf92f9a..97477a8ace 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -24,7 +24,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from "./BaseTableWidget.js";
+import BaseTableWidget from 'widget-base-table';
 
 export default class CaddyDomain extends BaseTableWidget {
     constructor() {

From 113e705837cad9b638779bf5b2ffb3da6a5ecf80 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Aug 2024 14:22:11 +0200
Subject: [PATCH 2010/3088] dns/ddclient: annotate new version

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index b16c15dc8d..30ada5696e 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.22
+PLUGIN_VERSION=		1.23
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 8f61187af5..6303476245 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.23
+
+* Add dashboard widget
+
 1.22
 
 * Add gandi support

From 3d2a625409774188e4a805a74bf67a14e064bfef Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Aug 2024 14:28:44 +0200
Subject: [PATCH 2011/3088] security/etpro-telemetry: bump revision

---
 security/etpro-telemetry/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 0c893d14fa..b445344d07 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From da5c76a6d8e8ff95d99fdd5dec0495302b38b215 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 Aug 2024 14:29:49 +0200
Subject: [PATCH 2012/3088] sysutils/dec-hw: bump revision

---
 sysutils/dec-hw/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysutils/dec-hw/Makefile b/sysutils/dec-hw/Makefile
index 9ccd8fb4f5..447a430eea 100644
--- a/sysutils/dec-hw/Makefile
+++ b/sysutils/dec-hw/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dec-hw
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Deciso hardware specific information
 PLUGIN_MAINTAINER=	stephan.de.wit@deciso.com
 PLUGIN_TIER=		2

From a5ff646814d305c828dfc84eaa2a3e28cd73988c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 6 Aug 2024 15:42:05 +0200
Subject: [PATCH 2013/3088] dns/ddclient: Hide and show dyndnsTable headers
 dynamically. (#4158)

---
 dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
index 6c1dc2f2a9..2d4aba57bb 100644
--- a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
+++ b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
@@ -44,7 +44,7 @@ export default class Dyndns extends BaseTableWidget {
             headerPosition: 'top',
             headers: [
                 this.translations.service,
-                // this.translations.domains
+                this.translations.domains
             ]
         });
 
@@ -110,7 +110,6 @@ export default class Dyndns extends BaseTableWidget {
                     <div class="current-mtime"><em>${this.translations.currentmtime}:</em> ${localizedTime}</div>
                 `,
                 `
-                    <div><u>${this.translations.domains}</u></div>
                     <div class="domain-names">${domainNames}</div>
                 `
             ];
@@ -127,8 +126,10 @@ export default class Dyndns extends BaseTableWidget {
 
     onWidgetResize(elem, width, height) {
         if (width < 320) {
+            $('#header_dyndnsTable').hide();
             $('.domain-names').parent().hide();
         } else {
+            $('#header_dyndnsTable').show();
             $('.domain-names').parent().show();
         }
         return true; // Return true to force the grid to update its layout

From 94510a72f3953a2fba121976fc332288e2764d96 Mon Sep 17 00:00:00 2001
From: Nicola <239074+xbb@users.noreply.github.com>
Date: Wed, 7 Aug 2024 18:35:11 +0200
Subject: [PATCH 2014/3088] sysutils/apcupsd: new dashboard widget (#4150)

---
 sysutils/apcupsd/Makefile                     |   2 +-
 sysutils/apcupsd/pkg-descr                    |   4 +
 .../Apcupsd/Api/ServiceController.php         |   4 +-
 .../src/opnsense/www/js/widgets/Apcupsd.js    | 331 ++++++++++++++++++
 .../www/js/widgets/Metadata/Apcupsd.xml       |  26 ++
 .../src/www/widgets/include/apcupsd.inc       |   4 -
 .../www/widgets/widgets/apcupsd.widget.php    | 219 ------------
 7 files changed, 364 insertions(+), 226 deletions(-)
 create mode 100644 sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
 create mode 100644 sysutils/apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml
 delete mode 100644 sysutils/apcupsd/src/www/widgets/include/apcupsd.inc
 delete mode 100644 sysutils/apcupsd/src/www/widgets/widgets/apcupsd.widget.php

diff --git a/sysutils/apcupsd/Makefile b/sysutils/apcupsd/Makefile
index e7999595d5..34ded92a0d 100644
--- a/sysutils/apcupsd/Makefile
+++ b/sysutils/apcupsd/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=        apcupsd
-PLUGIN_VERSION=     1.1
+PLUGIN_VERSION=     1.2
 PLUGIN_DEPENDS=     apcupsd
 PLUGIN_COMMENT=     APCUPSD - APC UPS daemon
 PLUGIN_MAINTAINER=  xbb@xbblabs.com
diff --git a/sysutils/apcupsd/pkg-descr b/sysutils/apcupsd/pkg-descr
index 82630562f3..94fb33301b 100644
--- a/sysutils/apcupsd/pkg-descr
+++ b/sysutils/apcupsd/pkg-descr
@@ -12,6 +12,10 @@ WWW: http://www.apcupsd.org/
 Plugin Changelog
 ================
 
+1.2
+
+* New dashboard widget
+
 1.1
 
 * Add log view
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
index ad653efdba..89c06c8223 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/controllers/OPNsense/Apcupsd/Api/ServiceController.php
@@ -134,10 +134,10 @@ private function getUpsStatusOutput()
             $backend = new Backend();
             $output = trim($backend->configdRun('apcupsd upsstatus'));
             if (empty($output)) {
-                $error = 'Error: empty output from apcaccess';
+                $error = gettext('Error: empty output from apcaccess');
             }
         } else {
-            $error = 'Error: apcupsd is disabled';
+            $error = gettext('Error: apcupsd is disabled');
         }
 
         return array(
diff --git a/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js b/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
new file mode 100644
index 0000000000..a330cc1884
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
@@ -0,0 +1,331 @@
+/*
+ * Copyright (C) 2024 Nicola Pellegrini
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import BaseTableWidget from "./BaseTableWidget.js";
+
+/**
+ * @typedef ApcUpsdStatusValue
+ *
+ * @property {string|number} norm - normalized value
+ * @property {string|number} value - raw value
+ */
+
+/**
+ * @typedef {Object.<string, ApcUpsdStatusValue>} ApcUpsdStatus
+ */
+
+export default class ApcUpsd extends BaseTableWidget {
+    constructor() {
+        super();
+    }
+
+    getMarkup() {
+        let $container = $('<div></div>');
+        let $apcupsdTable = this.createTable('apcupsd-table', {
+            headerPosition: 'left'
+        });
+        $container.append($apcupsdTable);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        const data = await this.ajaxCall('/api/apcupsd/service/getUpsStatus');
+
+        if (data.error) {
+            this.displayError(data.error);
+            return;
+        }
+
+        let rows = this.makeRows(data.status);
+        super.updateTable('apcupsd-table', rows);
+    }
+
+    /**
+     * Displays an error text row
+     *
+     * @param {string} text
+     */
+    displayError(text) {
+        // A row with `flextable-row` class will be auto removed on next tick by
+        // `this.updateTable(...)`, if the error is gone
+        const $row = $('<div class="flextable-row text-danger" style="justify-content: center"></div>').text(text);
+        // Replace all the content in the table
+        $(`#apcupsd-table`).html($row);
+    }
+
+    /**
+     * @param {ApcUpsdStatus} status
+     * @returns {Array<Array>>}
+     */
+    makeRows(status) {
+        const rows = [];
+
+        if (status.MODEL) {
+            rows.push(this.makeTextRow("status_model", status.MODEL));
+        }
+
+        if (status.STATUS) {
+            rows.push(
+                // Note: text value is not translated because it comes directly from apcupsd output
+                this.makeColoredTextRow(
+                    "status_status",
+                    status.STATUS.value,
+                    /ONLINE/, // success
+                    /ONBATT|LOWBATT|REPLACEBATT|NOBATT|SLAVEDOWN|COMMLOST/ // error
+                )
+            );
+        }
+
+        if (status.SELFTEST) {
+            const raw_value = status.SELFTEST.value;
+
+            // self test values
+            const value_keys = {
+                OK: 'status_selftest_ok',
+                BT: 'status_selftest_bt',
+                NG: 'status_selftest_ng',
+                NO: 'status_selftest_no',
+            };
+
+            // Try to translate it, otherwise use the raw value
+            const text_value = value_keys[raw_value] ? this.translate(value_keys[raw_value]) : raw_value;
+
+            if (raw_value === 'NO') {
+                // Special case for no results, no color
+                rows.push(this.makeTextRow('status_selftest', text_value));
+            } else {
+                rows.push(this.makeColoredTextRow(
+                    'status_selftest',
+                    text_value,
+                    /OK/,    // success
+                    /BT|NG/, // error, all other unknown states are "warnings"
+                    raw_value
+                ));
+            }
+        }
+
+        if (status.LINEV) {
+            rows.push(this.makeTextRow('status_linev', status.LINEV));
+        }
+
+        // NOMPOWER not checked because it's optional and it might not be available
+        if (status.LOADPCT) {
+            rows.push(this.makeUpsLoadRow('status_load', status.LOADPCT, status.NOMPOWER))
+        }
+
+        if (status.BCHARGE) {
+            rows.push(this.makeProgressBarRow('status_bcharge', status.BCHARGE.norm));
+        }
+
+        if (status.TIMELEFT) {
+            rows.push(this.makeTextRow('status_timeleft', status.TIMELEFT));
+        }
+
+        if (status.BATTV) {
+            rows.push(this.makeTextRow('status_battv', status.BATTV));
+        }
+
+        if (status.BATTDATE) {
+            let date = status.BATTDATE;
+            date = date.norm || date.value;
+            rows.push(this.makeDateRow('status_battdate', date, 'll', 'YYYY-MM-DD'));
+        }
+
+        if (status.ITEMP) {
+            rows.push(this.makeTextRow("status_itemp", status.ITEMP));
+        }
+
+        if (status.DATE) {
+            let date = status.DATE;
+            date = date.norm || date.value;
+            rows.push(this.makeDateRow('status_date', date, 'll LTS'));
+        }
+
+        return rows;
+    }
+
+    /**
+     * Makes a date row, parsing the given date with moment js (if available and the date is valid)
+     * and shows it with the new given format
+     *
+     * @param {string} labelKey - label translation key
+     * @param {string} dateString - date string
+     * @param {string} newFormat - new format to use for the date string
+     * @param {string} [parseFormat] - optional format used to parse the date string with moment js
+     *
+     * @returns {Array}
+     */
+    makeDateRow(labelKey, dateString, newFormat, parseFormat) {
+        const withMomentJs = moment && moment.version && typeof moment === 'function';
+        let text = dateString;
+        if (withMomentJs) {
+            const m = moment(dateString, parseFormat);
+            if (m.isValid()) {
+                m.locale(window.navigator.language);
+                // override text
+                text = m.format(newFormat);
+            }
+        }
+
+        return this.makeTextRow(labelKey, text);
+    }
+
+    /**
+     * Makes a row that shows the load value % and estimated watts usage if NOMPOWER is also given
+     *
+     * @param {string} labelKey - label translation key
+     * @param {ApcUpsdStatusValue} loadpct - LOADPCT status value
+     * @param {ApcUpsdStatusValue} [nompower] - NOMPOWER status value
+     *
+     * @returns {Array}
+     */
+    makeUpsLoadRow(labelKey, loadpct, nompower) {
+        let text = loadpct.norm.toFixed(1) + ' %';
+        if (nompower) {
+            const watts = Math.round(loadpct.norm * nompower.norm / 100);
+            text += ` ( ~ ${watts} W )`;
+        }
+        return this.makeProgressBarRow(labelKey, loadpct.norm, text);
+    }
+
+    /**
+     * Makes a progress bar row
+     *
+     * @param {string} labelKey - label translation key
+     * @param {number} progress - current progress (0-100)
+     * @param {string} [progressText] - text shown on top of the progress bar, defaults to "<progress> %"
+     *
+     * @returns {Array}
+     */
+    makeProgressBarRow(labelKey, progress, progressText) {
+        progressText = progressText || `${progress.toFixed(1)} %`;
+        const pb = this.makeProgressBar(progress, progressText);
+        return this.makeRow(labelKey, pb);
+    }
+
+    /**
+     * Makes a row with a progress bar value cell
+     *
+     * @param {number} progress - current progress (0-100)
+     * @param {string} text - text shown on top of the progress bar
+     *
+     * @returns {Array}
+     */
+    makeProgressBar(progress, text) {
+        const $textEl = $('<span class="text-center"></span>').text(text).css({
+            position: 'absolute',
+            left: 0,
+            right: 0
+        });
+
+        const $barEl = $('<div class="progress-bar"></div>').css({
+            width: `${progress}%`,
+            zIndex: 0
+        });
+
+        return $('<div class="progress"></div>').append($barEl, $textEl).prop("outerHTML");
+    }
+
+    /**
+     * Makes a text row, coloring the value cell text depending on the regex matches
+     *
+     * - No match: warning color
+     * - Ok regex match: success color
+     * - Err regex match: danger color
+     *
+     * @param {string} labelKey - label translation key
+     * @param {string} value - a string value that is matched with the regexes for highlighting.
+     *                         If the value needs to be translated use `check_value` for matching
+     * @param {RegExp} okRegexp - regex to apply success state CSS class
+     * @param {RegExp} errRegexp - regex to apply danger/error state CSS class
+     * @param {string} [check_value] - value to match against, if not set it defaults to the `value` argument
+     *
+     * @returns {Array}
+     */
+    makeColoredTextRow(labelKey, value, okRegexp, errRegexp, check_value) {
+        check_value = check_value ?? value;
+
+        const textEl = $('<b></b>').text(value);
+        if (okRegexp && okRegexp.exec(check_value)) {
+            textEl.addClass('text-success');
+        } else if (errRegexp && errRegexp.exec(check_value)) {
+            textEl.addClass('text-danger');
+        } else {
+            textEl.addClass('text-warning');
+        }
+
+        let html = textEl.prop('outerHTML');
+
+        return this.makeRow(labelKey, html);
+    }
+
+    /**
+     * Makes a standard text row template
+     *
+     * @param {string} labelKey - label translation key
+     * @param {string|ApcUpsdStatusValue} content - string value or an object with a value field
+     *
+     * @returns {Array}
+     */
+    makeTextRow(labelKey, content) {
+        content = typeof content === 'string' ? content : content.value;
+
+        return this.makeRow(labelKey, content);
+    }
+
+    /**
+     * Make a row object to use with {@link updateTable}
+     *
+     * Auto translates the given label key if possible
+     *
+     * @param {string} labelKey - label translation key
+     * @param {*} content - html content
+     *
+     * @returns {Array}
+     */
+    makeRow(labelKey, content) {
+        return [this.translate(labelKey), content];
+    }
+
+    /**
+     * Tries to translates the given key.
+     *
+     * If not found it logs an error and just returns the key as is.
+     *
+     * @param {string} key - key to translate
+     *
+     * @returns {string}
+     */
+    translate(key) {
+        let value = this.translations[key];
+        if (value === undefined) {
+            console.error('Missing translation for ' + key);
+            // Use the key as fallback
+            value = key;
+        }
+        return value;
+    }
+}
diff --git a/sysutils/apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml b/sysutils/apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml
new file mode 100644
index 0000000000..7be38f7ba2
--- /dev/null
+++ b/sysutils/apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml
@@ -0,0 +1,26 @@
+<metadata>
+    <apcupsd>
+        <filename>Apcupsd.js</filename>
+        <endpoints>
+            <endpoint>/api/apcupsd/service/getUpsStatus</endpoint>
+        </endpoints>
+        <translations>
+            <title>Apcupsd</title>
+            <status_model>Model</status_model>
+            <status_status>Status</status_status>
+            <status_selftest>Self test</status_selftest>
+            <status_selftest_ok>OK</status_selftest_ok>
+            <status_selftest_bt>Failed due to battery capacity (BT)</status_selftest_bt>
+            <status_selftest_ng>Failed due to overload (NG)</status_selftest_ng>
+            <status_selftest_no>No results</status_selftest_no>
+            <status_linev>Line voltage</status_linev>
+            <status_load>Load</status_load>
+            <status_bcharge>Battery level</status_bcharge>
+            <status_timeleft>Battery runtime</status_timeleft>
+            <status_battv>Battery voltage</status_battv>
+            <status_battdate>Battery date</status_battdate>
+            <status_itemp>Temperature</status_itemp>
+            <status_date>Status update</status_date>
+        </translations>
+    </apcupsd>
+</metadata>
diff --git a/sysutils/apcupsd/src/www/widgets/include/apcupsd.inc b/sysutils/apcupsd/src/www/widgets/include/apcupsd.inc
deleted file mode 100644
index 26fb46664e..0000000000
--- a/sysutils/apcupsd/src/www/widgets/include/apcupsd.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-<?php
-
-$apcupsd_title = gettext('Apcupsd');
-$apcupsd_title_link = 'ui/apcupsd';
diff --git a/sysutils/apcupsd/src/www/widgets/widgets/apcupsd.widget.php b/sysutils/apcupsd/src/www/widgets/widgets/apcupsd.widget.php
deleted file mode 100644
index 3c12a8b7ac..0000000000
--- a/sysutils/apcupsd/src/www/widgets/widgets/apcupsd.widget.php
+++ /dev/null
@@ -1,219 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2021 Nicola Pellegrini
- *
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("widgets/include/apcupsd.inc");
-
-?>
-<table id="apcupsd-widget" class="table table-striped table-condensed">
-    <colgroup>
-        <col class="apcupsd-widget-label" />
-        <col />
-    </colgroup>
-    <tbody id="apcupsd-widget-tbody"></tbody>
-</table>
-<style>
-    .apcupsd-widget-label {
-        max-width: 20em;
-        width: 30%;
-        min-width: 10em;
-    }
-
-    .apcupsd-widget-highlight {
-        font-weight: bold
-    }
-</style>
-<script>
-$(document).ready(() => {
-    const withMomentJs = moment && moment.version && typeof moment === 'function';
-
-    const $newCell = (content) => $('<td></td>').html(content);
-
-    const $newLabel = (text) => {
-        return $('<td></td>').text(text);
-    };
-
-    const $newRow = (content, label) => {
-        return $('<tr></tr>').append(
-            typeof label === 'string' ? $newLabel(label) : label,
-            content
-        );
-    };
-
-    const $newProgressBar = (width, text) => {
-        const $text = $('<span class="text-center"></span>').text(text).css({
-                position: 'absolute',
-                left: 0,
-                right: 0
-            });
-        const $bar = $('<div class="progress-bar"></div>').css({
-            width: width,
-            zIndex: 0
-        });
-        return $('<div class="progress"></div>').append($bar, $text);
-    };
-
-    const renderText = (data, label) => {
-        const text = typeof data === 'string' ? data : data.value;
-        return $newRow($('<td></td>').text(text), label);
-    };
-
-    const renderDateString = (data, label, format, parseFormat) => {
-        let value = typeof data === 'string' ? data : (data.norm || data.value);
-        let text;
-        if (withMomentJs) {
-            const m = moment(value, parseFormat);
-            if (m.isValid()) {
-                m.locale(window.navigator.language);
-                text = m.format(format);
-            }
-        }
-        return renderText(text || value, label);
-    };
-
-    const renderProgress = (data, label, progressText) => {
-        const width = data.norm + '%';
-        progressText = progressText || data.norm.toFixed(1) + ' %';
-        const pb = $newProgressBar(width, progressText);
-        return $newRow($newCell(pb), label);
-    };
-
-    const renderLoad = (loadpct, nompower) => {
-        let text = loadpct.norm.toFixed(1) + ' %';
-        if (nompower) {
-            text += ' ( ~ ' + Math.round(loadpct.norm * nompower.norm / 100) + ' W )';
-        }
-        return renderProgress(loadpct, 'Load', text);
-    };
-
-    const renderHighlight = (text, label, okRegexp, errRegexp) => {
-        const textEl = $('<span class="apcupsd-widget-highlight"></span>').text(text);
-        if (okRegexp && okRegexp.exec(text)) {
-            textEl.addClass('text-success');
-        } else if (errRegexp && errRegexp.exec(text)) {
-            textEl.addClass('text-danger');
-        } else {
-            textEl.addClass('text-warning');
-        }
-        return $newRow($('<td></td>').append(textEl), label);
-    };
-
-    const selfTestText = {
-        BT: 'Failed due to battery capacity (BT)',
-        NG: 'Failed due to overload (NG)',
-        NO: 'No results',
-    };
-
-    const updateUi = (status) => {
-        const rows = [];
-
-        if (status.MODEL) {
-            rows.push(renderText(status.MODEL, 'Model'));
-        }
-
-        if (status.STATUS) {
-            rows.push(
-                renderHighlight(
-                    status.STATUS.value,
-                    'Status',
-                    /ONLINE/,
-                    /ONBATT|LOWBATT|REPLACEBATT|NOBATT|SLAVEDOWN|COMMLOST/
-                )
-            );
-        }
-
-        if (status.SELFTEST) {
-            const value = status.SELFTEST.value;
-            const text = selfTestText[value] || value;
-            if (value === 'NO') {
-                rows.push(renderText(text, 'Self test'));
-            } else {
-                rows.push(renderHighlight(
-                    text,
-                    'Self test',
-                    /OK/,
-                    /BT|NG/
-                ));
-            }
-        }
-
-        if (status.LINEV) {
-            rows.push(renderText(status.LINEV, 'Line voltage'));
-        }
-
-        if (status.LOADPCT) {
-            rows.push(renderLoad(status.LOADPCT, status.NOMPOWER))
-        }
-
-        if (status.BCHARGE) {
-            rows.push(renderProgress(status.BCHARGE, 'Battery level'));
-        }
-
-        if (status.TIMELEFT) {
-            rows.push(renderText(status.TIMELEFT, 'Battery runtime'));
-        }
-
-        if (status.BATTV) {
-            rows.push(renderText(status.BATTV, 'Battery voltage'));
-        }
-
-        if (status.BATTDATE) {
-            rows.push(renderDateString(status.BATTDATE, 'Battery date', 'll', 'YYYY-MM-DD'));
-        }
-
-        if (status.ITEMP) {
-            rows.push(renderText(status.ITEMP, 'Temperature'));
-        }
-
-        if (status.DATE) {
-            rows.push(renderDateString(status.DATE, 'Status update', 'll LTS'));
-        }
-
-        $('#apcupsd-widget-tbody').html(rows);
-    };
-
-    const displayError = (message) => {
-        const el = $('<tr></tr>').append($('<td class="text-center text-danger" colspan="2"></td>').text(message));
-        $('#apcupsd-widget-tbody').html(el);
-    };
-
-    const refreshStatus = () => {
-        ajaxCall('/api/apcupsd/service/getUpsStatus', {}, function(data, status) {
-            if (status === 'success' && !data.error) {
-                updateUi(data.status);
-            } else {
-                displayError(data ? (data.message || data.error) : 'request error');
-            }
-            setTimeout(refreshStatus, 5000);
-        });
-    };
-
-    refreshStatus();
-});
-</script>

From 9a50ba8859c78d01f29ee02310f6c2c3141371de Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 7 Aug 2024 19:55:54 +0200
Subject: [PATCH 2015/3088] sysutils/apcupsd: change import

---
 sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js b/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
index a330cc1884..279c45793c 100644
--- a/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
+++ b/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
@@ -24,7 +24,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from "./BaseTableWidget.js";
+import BaseTableWidget from 'widget-base-table';
 
 /**
  * @typedef ApcUpsdStatusValue

From 047c8ba20837f6e973fafb77130c35eaf04d759a Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Thu, 8 Aug 2024 12:15:53 +0300
Subject: [PATCH 2016/3088] www/nginx: LogsController fix (#4120)

---
 .../controllers/OPNsense/Nginx/Api/LogsController.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
index f0b4170791..41b65da289 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/LogsController.php
@@ -287,11 +287,12 @@ private function stream_exists($uuid)
      */
     private function sendConfigdToClient($command)
     {
-        $backend = new Backend();
         // must be passed directly -> OOM Problem
-        $this->response->setContent($backend->configdRun($command));
-        $this->response->setStatusCode(200, "OK");
-        $this->response->setContentType('application/json', 'UTF-8');
-        return $this->response->send();
+        if (!$this->response->isSent()) {
+            $backend = new Backend();
+            $this->response->setContent($backend->configdRun($command));
+            $this->response->setStatusCode(200, "OK");
+            $this->response->setContentType('application/json', 'UTF-8');
+        }
     }
 }

From f374396f6443f347be673e03a3b9d19ebbc88017 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 9 Aug 2024 13:28:46 +0200
Subject: [PATCH 2017/3088] plugins: add 'feed' target

---
 Mk/defaults.mk | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 66e93ec686..2195b7b033 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -86,7 +86,7 @@ SED_REPLACE=	# empty
 SED_REPLACE+=	-e "s=%%${REPLACEMENT}%%=${${REPLACEMENT}}=g"
 .endfor
 
-ARGS=	diff mfc
+ARGS=	diff feed mfc
 
 # handle argument expansion for required targets
 .for TARGET in ${.TARGETS}
@@ -114,6 +114,9 @@ diff_ARGS?= 	.
 diff: ensure-stable
 	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${diff_ARGS:[1]}
 
+feed: ensure-stable
+	@git log --stat -p --reverse stable/${PLUGIN_ABI}...${feed_ARGS:[1]}~1
+
 mfc_ARGS?=	.
 
 mfc: ensure-stable

From 52b971a24b42c110ebb82c3529051ad3f0ddddf6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 9 Aug 2024 13:34:27 +0200
Subject: [PATCH 2018/3088] plugins: while here also do PLUGIN_STABLE

---
 Mk/defaults.mk | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 2195b7b033..b2e3dad55a 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2016-2022 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2016-2024 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -48,6 +48,8 @@ PLUGIN_ABI?=	${_PLUGIN_ABI}
 PLUGIN_ABI?=	24.7
 .endif
 
+PLUGIN_STABLE?=	stable/${PLUGIN_ABI}
+
 PHPBIN=		${LOCALBASE}/bin/php
 
 .if exists(${PHPBIN})
@@ -103,34 +105,34 @@ ${_TARGET}_ARG=		${${_TARGET}_ARGS:[0]}
 .endfor
 
 ensure-stable:
-	@if ! git show-ref --verify --quiet refs/heads/stable/${PLUGIN_ABI}; then \
-		git update-ref refs/heads/stable/${PLUGIN_ABI} refs/remotes/origin/stable/${PLUGIN_ABI}; \
-		git config branch.stable/${PLUGIN_ABI}.merge refs/heads/stable/${PLUGIN_ABI}; \
-		git config branch.stable/${PLUGIN_ABI}.remote origin; \
+	@if ! git show-ref --verify --quiet refs/heads/${PLUGIN_STABLE}; then \
+		git update-ref refs/heads/${PLUGIN_STABLE} refs/remotes/origin/${PLUGIN_STABLE}; \
+		git config branch.${PLUGIN_STABLE}.merge refs/heads/${PLUGIN_STABLE}; \
+		git config branch.${PLUGIN_STABLE}.remote origin; \
 	fi
 
 diff_ARGS?= 	.
 
 diff: ensure-stable
-	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${diff_ARGS:[1]}
+	@git diff --stat -p ${PLUGIN_STABLE} ${.CURDIR}/${diff_ARGS:[1]}
 
 feed: ensure-stable
-	@git log --stat -p --reverse stable/${PLUGIN_ABI}...${feed_ARGS:[1]}~1
+	@git log --stat -p --reverse ${PLUGIN_STABLE}...${feed_ARGS:[1]}~1
 
 mfc_ARGS?=	.
 
 mfc: ensure-stable
 .for MFC in ${mfc_ARGS}
 .if exists(${MFC})
-	@git diff --stat -p stable/${PLUGIN_ABI} ${.CURDIR}/${MFC} > /tmp/mfc.diff
-	@git checkout stable/${PLUGIN_ABI}
+	@git diff --stat -p ${PLUGIN_STABLE} ${.CURDIR}/${MFC} > /tmp/mfc.diff
+	@git checkout ${PLUGIN_STABLE}
 	@git apply /tmp/mfc.diff
 	@git add ${.CURDIR}/${MFC}
 	@if ! git diff --quiet HEAD; then \
 		git commit -m "${MFC:S/^.$/${PLUGIN_DIR}/}: sync with master"; \
 	fi
 .else
-	@git checkout stable/${PLUGIN_ABI}
+	@git checkout ${PLUGIN_STABLE}
 	@if ! git cherry-pick -x ${MFC}; then \
 		git cherry-pick --abort; \
 	fi
@@ -139,20 +141,20 @@ mfc: ensure-stable
 .endfor
 
 stable:
-	@git checkout stable/${PLUGIN_ABI}
+	@git checkout ${PLUGIN_STABLE}
 
 master:
 	@git checkout master
 
 rebase:
-	@git checkout stable/${PLUGIN_ABI}
+	@git checkout ${PLUGIN_STABLE}
 	@git rebase -i
 	@git checkout master
 
 log:
-	@git log --stat -p stable/${PLUGIN_ABI}
+	@git log --stat -p ${PLUGIN_STABLE}
 
 push:
-	@git checkout stable/${PLUGIN_ABI}
+	@git checkout ${PLUGIN_STABLE}
 	@git push
 	@git checkout master

From da411d39690dd7ca1acd751a2d12ae61e21e4045 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 9 Aug 2024 13:44:50 +0200
Subject: [PATCH 2019/3088] plugins: support PLUGIN_MAIN as well

---
 Mk/defaults.mk | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index b2e3dad55a..310d972adf 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -48,6 +48,7 @@ PLUGIN_ABI?=	${_PLUGIN_ABI}
 PLUGIN_ABI?=	24.7
 .endif
 
+PLUGIN_MAIN?=	master
 PLUGIN_STABLE?=	stable/${PLUGIN_ABI}
 
 PHPBIN=		${LOCALBASE}/bin/php
@@ -129,7 +130,7 @@ mfc: ensure-stable
 	@git apply /tmp/mfc.diff
 	@git add ${.CURDIR}/${MFC}
 	@if ! git diff --quiet HEAD; then \
-		git commit -m "${MFC:S/^.$/${PLUGIN_DIR}/}: sync with master"; \
+		git commit -m "${MFC:S/^.$/${PLUGIN_DIR}/}: sync with ${PLUGIN_MAIN}"; \
 	fi
 .else
 	@git checkout ${PLUGIN_STABLE}
@@ -137,19 +138,19 @@ mfc: ensure-stable
 		git cherry-pick --abort; \
 	fi
 .endif
-	@git checkout master
+	@git checkout ${PLUGIN_MAIN}
 .endfor
 
 stable:
 	@git checkout ${PLUGIN_STABLE}
 
-master:
-	@git checkout master
+devel main ${PLUGIN_MAIN}:
+	@git checkout ${PLUGIN_MAIN}
 
 rebase:
 	@git checkout ${PLUGIN_STABLE}
 	@git rebase -i
-	@git checkout master
+	@git checkout ${PLUGIN_MAIN}
 
 log:
 	@git log --stat -p ${PLUGIN_STABLE}
@@ -157,4 +158,4 @@ log:
 push:
 	@git checkout ${PLUGIN_STABLE}
 	@git push
-	@git checkout master
+	@git checkout ${PLUGIN_MAIN}

From 32581556f3add2ca2d58b7b630547ee814af972f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 9 Aug 2024 13:47:03 +0200
Subject: [PATCH 2020/3088] www/nginx: bump for fix

---
 www/nginx/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 5309f48ac8..69a29575e4 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From d36177fc9c0ee111831a19131e3394b192e2ef95 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 9 Aug 2024 13:50:56 +0200
Subject: [PATCH 2021/3088] plugins: tweak previous

---
 Mk/defaults.mk | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 310d972adf..f6c805c99f 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -48,7 +48,8 @@ PLUGIN_ABI?=	${_PLUGIN_ABI}
 PLUGIN_ABI?=	24.7
 .endif
 
-PLUGIN_MAIN?=	master
+PLUGIN_MAINS=	master main
+PLUGIN_MAIN?=	${PLUGIN_MAINS:[1]}
 PLUGIN_STABLE?=	stable/${PLUGIN_ABI}
 
 PHPBIN=		${LOCALBASE}/bin/php
@@ -144,7 +145,7 @@ mfc: ensure-stable
 stable:
 	@git checkout ${PLUGIN_STABLE}
 
-devel main ${PLUGIN_MAIN}:
+${PLUGIN_MAINS}:
 	@git checkout ${PLUGIN_MAIN}
 
 rebase:

From 4de45f3e668a4604a354ab22040041c67379fdb5 Mon Sep 17 00:00:00 2001
From: Rob van Oostenrijk <robvanoostenrijk@users.noreply.github.com>
Date: Fri, 9 Aug 2024 23:53:03 +0400
Subject: [PATCH 2022/3088] ddclient plugin: Added cloudflare to checkip
 providers (#4167)

* ddclient plugin: Added cloudflare to checkip providers

* Use one.one.one.one instead of 1.1.1.1 to prevent IP address before client IP in response.
---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml       | 1 +
 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py        | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 63b6eca8d5..33034df332 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -139,6 +139,7 @@
                     <Default>web_dyndns</Default>
                     <ValidationMessage>An IP service type is required.</ValidationMessage>
                     <OptionValues>
+                        <web_dyndns>cloudflare</web_dyndns>
                         <web_dyndns>dyndns</web_dyndns>
                         <web_freedns>freedns</web_freedns>
                         <web_googledomains>googledomains</web_googledomains>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index 16a755788f..6158f6b565 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -29,6 +29,7 @@
 
 
 checkip_service_list = {
+  'cloudflare': '%s://one.one.one.one/cdn-cgi/trace',
   'dyndns': '%s://checkip.dyndns.org/',
   'freedns': '%s://freedns.afraid.org/dynamic/check.php',
   'googledomains': '%s://domains.google.com/checkip',

From 64a38846959331313ac3b13a8484d267bf177c16 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 10 Aug 2024 12:11:16 +0200
Subject: [PATCH 2023/3088] www/caddy: Add Disable Propagation Timeout in DNS
 Provider Tab. (#4170)

---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  4 +++
 .../OPNsense/Caddy/forms/dnsprovider.xml      | 11 ++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  1 +
 .../templates/OPNsense/Caddy/Caddyfile        | 26 ++++++++++++++-----
 5 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 1c2aedae19..8a8b2898e1 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.6.2
+PLUGIN_VERSION=		1.6.3
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index df004fa8ca..570748fa5c 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -28,6 +28,10 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.6.3
+
+* Add: Disable Propagation Timeout in DNS Provider Tab. This can help if the DNS Challenge fails due to DNS Propagation being too slow.
+
 1.6.2
 
 * Add: Authentik as authentication provider (contributed by Tim-Sc)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index 87fedb3ca8..738419d5cc 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -46,4 +46,15 @@
         <type>text</type>
         <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "session_token".]]></help>
     </field>
+    <field>
+        <type>header</type>
+        <label>DNS Propagation</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>caddy.general.TlsDnsPropagationTimeout</id>
+        <label>Disable Propagation Timeout</label>
+        <type>checkbox</type>
+        <help><![CDATA[Propagation Timeout is a duration value that sets the maximum time to wait for the DNS TXT records to appear when using the DNS challenge. The default is 2 minutes. Disabling this will set propagation_timeout to -1 (checking propagation infinitely) and additionally set a propagation_delay of 30s (wait time before starting propagation checks). This can help when the DNS Challenge continues to fail because the local DNS Server does not know the new DNS TXT records yet in the default timeframe of 2 minutes.]]></help>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index d3c0d2ed28..f61d5c9378 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -69,6 +69,7 @@
             <TlsDnsOptionalField2 type="TextField"/>
             <TlsDnsOptionalField3 type="TextField"/>
             <TlsDnsOptionalField4 type="TextField"/>
+            <TlsDnsPropagationTimeout type="BooleanField"/>
             <accesslist type="ModelRelationField">
                 <Model>
                     <reverseproxy>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 2ee50d2715..32d33f062c 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -318,19 +318,32 @@
 #   - @param dnsChallenge (boolean): Indicates if a DNS challenge is used for certificate authentication.
 #   - @param dnsSecretApiKey (string, optional): A secret API key or token for additional security, depending on the provider.
 #   - @param TlsDnsOptionalField1 to 4 (string, optional): Additional fields for specific DNS provider configurations.
+#   - @param TlsDnsPropagationTimeout (boolean, optional): Disables Propagation Timeout for DNS Challenge.
 #}
-{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) %}
+{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsPropagationTimeout) %}
     {% if dnsChallenge == "1" and dnsProvider %}
         {% if dnsProvider in dnsProviderSpecialConfig %}
             tls {
-                dns {{ dnsProvider }} {
-                    {% include "OPNsense/Caddy/includeDnsProvider" %}
+                issuer acme {
+                    dns {{ dnsProvider }} {
+                        {% include "OPNsense/Caddy/includeDnsProvider" %}
+                    }
+                    {% if TlsDnsPropagationTimeout|default("0") == "1" %}
+                        propagation_delay 30s
+                        propagation_timeout -1
+                    {% endif %}
                 }
             }
         {% else %}
             tls {
-                {# Other DNS Providers fall under this default #}
-                dns {{ dnsProvider }} {{ dnsApiKey }}
+                issuer acme {
+                    {# Other DNS Providers fall under this default #}
+                    dns {{ dnsProvider }} {{ dnsApiKey }}
+                    {% if TlsDnsPropagationTimeout|default("0") == "1" %}
+                        propagation_delay 30s
+                        propagation_timeout -1
+                    {% endif %}
+                }
             }
         {% endif %}
     {% endif %}
@@ -545,7 +558,8 @@
             {% endif %}
             {% set customCert = reverse.CustomCertificate|default("") %}
             {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
-            {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4) }}
+            {% set TlsDnsPropagationTimeout = generalSettings.TlsDnsPropagationTimeout %}
+            {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsPropagationTimeout) }}
 
             {% if not reverse.accesslist %}
                 {% set basicauth_uuids = reverse.basicauth %}

From 016bf27cb5a2ad4d63355def079c94c4e84da8a5 Mon Sep 17 00:00:00 2001
From: ImAPerson <envoid@hotmail.com>
Date: Mon, 12 Aug 2024 01:44:53 -0400
Subject: [PATCH 2024/3088] smart nvd to nda (#4173)

FreeBSD 14 changed from the nvd driver to the nda driver for x86. This change modifies the smart service to utilize the new driver name on the UI and the backend script that pulls the smartctl code (thanks @jbilac!). Issue https://github.com/opnsense/plugins/issues/4155
---
 .../src/opnsense/scripts/OPNsense/Smart/detailed_list.sh    | 6 +++---
 .../src/opnsense/service/conf/actions.d/actions_smart.conf  | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh b/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
index d8a3b55c18..7f0a8a5042 100755
--- a/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
+++ b/sysutils/smart/src/opnsense/scripts/OPNsense/Smart/detailed_list.sh
@@ -30,9 +30,9 @@ RESULT=
 for DEV in $(sysctl -n kern.disks); do
     IDENT=$(/usr/sbin/diskinfo -s ${DEV})
 
-    if [ "${DEV#nvd}" != "${DEV}" ]; then
-        # the disk formerly know as nvdX
-        DEV="nvme${DEV#nvd}"
+    if [ "${DEV#nda}" != "${DEV}" ]; then
+        # the disk formerly know as ndaX
+        DEV="nvme${DEV#nda}"
     fi
 
     STATE=$(/usr/local/sbin/smartctl -jH /dev/${DEV})
diff --git a/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf b/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
index 7085815254..03a594580e 100644
--- a/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
+++ b/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
@@ -1,5 +1,5 @@
 [list]
-command:sysctl -n kern.disks | sed s:nvd:nvme:g
+command:sysctl -n kern.disks | sed s:nda:nvme:g
 parameters:
 type:script_output
 message:list installed devices

From 1a4a15de1b3a95258299f1315333c61d75c0dcff Mon Sep 17 00:00:00 2001
From: Philipp Nieting <Kavakuo@users.noreply.github.com>
Date: Mon, 12 Aug 2024 10:42:21 +0200
Subject: [PATCH 2025/3088] net/freeradius: Added remote syslog support (#3990)
 (#4172)

---
 net/freeradius/Makefile                                 | 2 +-
 net/freeradius/pkg-descr                                | 4 ++++
 net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc | 7 +++++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 1c54bc9fab..2faab42f67 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.24
+PLUGIN_VERSION=		1.9.25
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index b5e7b176f3..29fb02263b 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.25
+
+* Added support for remote syslog
+
 1.9.24
 
 * Allow ":" character in usernames and passwords (contributed by Chris Helming)
diff --git a/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc b/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
index ab1a541762..88888879ef 100644
--- a/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
+++ b/net/freeradius/src/etc/inc/plugins.inc.d/freeradius.inc
@@ -57,3 +57,10 @@ function freeradius_xmlrpc_sync()
     $result['services'] = ["freeradius"];
     return array($result);
 }
+
+function freeradius_syslog()
+{
+    return [
+        'freeradius' => ['facility' => ['radiusd']]
+    ];
+}

From 77ecf1eb876f47124240053232a129dd42953fe1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 13 Aug 2024 13:35:48 +0200
Subject: [PATCH 2026/3088] sysutils/cpu-microcode-(amd|intel): add plugins;
 closes #4075

Already support early loading for AMD, but as of 24.7.1 this hasn't
been shipped with the kernel yet.
---
 README.md                                                 | 2 ++
 sysutils/cpu-microcode-amd/Makefile                       | 8 ++++++++
 sysutils/cpu-microcode-amd/pkg-descr                      | 6 ++++++
 .../src/etc/rc.loader.d/40-cpu-microcode                  | 2 ++
 .../src/etc/rc.syshook.d/early/40-cpu-microcode           | 5 +++++
 sysutils/cpu-microcode-intel/Makefile                     | 8 ++++++++
 sysutils/cpu-microcode-intel/pkg-descr                    | 6 ++++++
 .../src/etc/rc.loader.d/40-cpu-microcode                  | 2 ++
 .../src/etc/rc.syshook.d/early/40-cpu-microcode           | 5 +++++
 9 files changed, 44 insertions(+)
 create mode 100644 sysutils/cpu-microcode-amd/Makefile
 create mode 100644 sysutils/cpu-microcode-amd/pkg-descr
 create mode 100644 sysutils/cpu-microcode-amd/src/etc/rc.loader.d/40-cpu-microcode
 create mode 100755 sysutils/cpu-microcode-amd/src/etc/rc.syshook.d/early/40-cpu-microcode
 create mode 100644 sysutils/cpu-microcode-intel/Makefile
 create mode 100644 sysutils/cpu-microcode-intel/pkg-descr
 create mode 100644 sysutils/cpu-microcode-intel/src/etc/rc.loader.d/40-cpu-microcode
 create mode 100755 sysutils/cpu-microcode-intel/src/etc/rc.syshook.d/early/40-cpu-microcode

diff --git a/README.md b/README.md
index 02fc2fb69b..2cf77dee53 100644
--- a/README.md
+++ b/README.md
@@ -91,6 +91,8 @@ security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
 sysutils/apuled -- PC Engine APU LED control (development only)
+sysutils/cpu-microcode-amd -- AMD CPU microcode updates
+sysutils/cpu-microcode-intel -- Intel CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
diff --git a/sysutils/cpu-microcode-amd/Makefile b/sysutils/cpu-microcode-amd/Makefile
new file mode 100644
index 0000000000..eacda9643a
--- /dev/null
+++ b/sysutils/cpu-microcode-amd/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		cpu-microcode-amd
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		AMD CPU microcode updates
+PLUGIN_DEPENDS=		cpu-microcode-amd
+PLUGIN_CONFLICTS=	cpu-microcode-intel
+PLUGIN_MAINTAINER=	franco@opnsense.org
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/cpu-microcode-amd/pkg-descr b/sysutils/cpu-microcode-amd/pkg-descr
new file mode 100644
index 0000000000..cdf882f5f5
--- /dev/null
+++ b/sysutils/cpu-microcode-amd/pkg-descr
@@ -0,0 +1,6 @@
+Updating your microcode can help to mitigate certain potential security
+vulnerabilities in CPUs as well as address certain functional issues that could,
+for example, result in unpredictable system behavior such as hangs, crashes,
+unexpected reboots, data errors, etc.
+
+The microcode update will be loaded when the system is rebooted.
diff --git a/sysutils/cpu-microcode-amd/src/etc/rc.loader.d/40-cpu-microcode b/sysutils/cpu-microcode-amd/src/etc/rc.loader.d/40-cpu-microcode
new file mode 100644
index 0000000000..c7cbf86a3b
--- /dev/null
+++ b/sysutils/cpu-microcode-amd/src/etc/rc.loader.d/40-cpu-microcode
@@ -0,0 +1,2 @@
+cpu_microcode_load="YES"
+cpu_microcode_name="/boot/firmware/amd-ucode.bin"
diff --git a/sysutils/cpu-microcode-amd/src/etc/rc.syshook.d/early/40-cpu-microcode b/sysutils/cpu-microcode-amd/src/etc/rc.syshook.d/early/40-cpu-microcode
new file mode 100755
index 0000000000..4dab1e32c7
--- /dev/null
+++ b/sysutils/cpu-microcode-amd/src/etc/rc.syshook.d/early/40-cpu-microcode
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+export microcode_update_enable="YES"
+
+/usr/local/etc/rc.d/microcode_update start
diff --git a/sysutils/cpu-microcode-intel/Makefile b/sysutils/cpu-microcode-intel/Makefile
new file mode 100644
index 0000000000..bd0f7384cc
--- /dev/null
+++ b/sysutils/cpu-microcode-intel/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		cpu-microcode-intel
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		Intel CPU microcode updates
+PLUGIN_DEPENDS=		cpu-microcode-intel
+PLUGIN_CONFLICTS=	cpu-microcode-amd
+PLUGIN_MAINTAINER=	franco@opnsense.org
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/cpu-microcode-intel/pkg-descr b/sysutils/cpu-microcode-intel/pkg-descr
new file mode 100644
index 0000000000..cdf882f5f5
--- /dev/null
+++ b/sysutils/cpu-microcode-intel/pkg-descr
@@ -0,0 +1,6 @@
+Updating your microcode can help to mitigate certain potential security
+vulnerabilities in CPUs as well as address certain functional issues that could,
+for example, result in unpredictable system behavior such as hangs, crashes,
+unexpected reboots, data errors, etc.
+
+The microcode update will be loaded when the system is rebooted.
diff --git a/sysutils/cpu-microcode-intel/src/etc/rc.loader.d/40-cpu-microcode b/sysutils/cpu-microcode-intel/src/etc/rc.loader.d/40-cpu-microcode
new file mode 100644
index 0000000000..976a36fa55
--- /dev/null
+++ b/sysutils/cpu-microcode-intel/src/etc/rc.loader.d/40-cpu-microcode
@@ -0,0 +1,2 @@
+cpu_microcode_load="YES"
+cpu_microcode_name="/boot/firmware/intel-ucode.bin"
diff --git a/sysutils/cpu-microcode-intel/src/etc/rc.syshook.d/early/40-cpu-microcode b/sysutils/cpu-microcode-intel/src/etc/rc.syshook.d/early/40-cpu-microcode
new file mode 100755
index 0000000000..4dab1e32c7
--- /dev/null
+++ b/sysutils/cpu-microcode-intel/src/etc/rc.syshook.d/early/40-cpu-microcode
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+export microcode_update_enable="YES"
+
+/usr/local/etc/rc.d/microcode_update start

From 38ad22d79659765ca2d5016ae62c4f7a8b66cc44 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 13 Aug 2024 14:08:59 +0200
Subject: [PATCH 2027/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index 12d216530b..a910d27165 100644
--- a/LICENSE
+++ b/LICENSE
@@ -51,7 +51,7 @@ Copyright (c) 2023 Mikhail Kharisov
 Copyright (c) 2012 mkirbst
 Copyright (c) 2023 mleinart
 Copyright (c) 2024 MVZ Labor Ludwigsburg GbR
-Copyright (c) 2021 Nicola Pellegrini
+Copyright (c) 2021-2024 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2023 Oliver Hartl

From 5b51b11f57a2c1cffea50543a84602bb7d82bdb6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 13 Aug 2024 15:29:30 +0200
Subject: [PATCH 2028/3088] sysutils/cpu-microcode: add x86info dependency for
 proper checking

---
 sysutils/cpu-microcode-amd/Makefile   | 2 +-
 sysutils/cpu-microcode-intel/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysutils/cpu-microcode-amd/Makefile b/sysutils/cpu-microcode-amd/Makefile
index eacda9643a..649e3ff5bb 100644
--- a/sysutils/cpu-microcode-amd/Makefile
+++ b/sysutils/cpu-microcode-amd/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		cpu-microcode-amd
 PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		AMD CPU microcode updates
-PLUGIN_DEPENDS=		cpu-microcode-amd
+PLUGIN_DEPENDS=		cpu-microcode-amd x86info
 PLUGIN_CONFLICTS=	cpu-microcode-intel
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
diff --git a/sysutils/cpu-microcode-intel/Makefile b/sysutils/cpu-microcode-intel/Makefile
index bd0f7384cc..ac8a9774c7 100644
--- a/sysutils/cpu-microcode-intel/Makefile
+++ b/sysutils/cpu-microcode-intel/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		cpu-microcode-intel
 PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Intel CPU microcode updates
-PLUGIN_DEPENDS=		cpu-microcode-intel
+PLUGIN_DEPENDS=		cpu-microcode-intel x86info
 PLUGIN_CONFLICTS=	cpu-microcode-amd
 PLUGIN_MAINTAINER=	franco@opnsense.org
 

From 7270d91ecfeae8e1ddf1dcff915522a04aa439f2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Aug 2024 11:01:59 +0200
Subject: [PATCH 2029/3088] sysutils/smart: bump revision

---
 sysutils/smart/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 9a73a14739..e0ab26fb5c 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org

From f9610f33c559498a1354cb6ba3154aa26a828b21 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Wed, 14 Aug 2024 14:13:36 +0200
Subject: [PATCH 2030/3088] www/squid: include icap_service_failure_limit
 configuration (#4176)

This commit seems to be the final solution for #3875.
---
 .../src/opnsense/service/templates/OPNsense/Proxy/squid.conf    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index b5e8e91941..8d6853e117 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -234,6 +234,8 @@ acl CONNECT method CONNECT
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
 # enable icap
 icap_enable on
+icap_service_failure_limit -1
+
 {%   if helpers.exists('OPNsense.proxy.forward.icap.OptionsTTL') %}
 icap_default_options_ttl {{OPNsense.proxy.forward.icap.OptionsTTL}}
 {%   endif %}

From 1ea9867ac934c7db34893f5b84d8c34be79c39e5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 16 Aug 2024 11:38:07 +0200
Subject: [PATCH 2031/3088] plugins: dashboard compat

PR: https://github.com/opnsense/core/issues/7777
---
 dns/ddclient/Makefile                                 |  1 +
 dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js    |  2 --
 security/etpro-telemetry/Makefile                     |  2 +-
 .../src/opnsense/www/js/widgets/ETProTelemetry.js     |  2 --
 sysutils/apcupsd/Makefile                             | 11 ++++++-----
 .../apcupsd/src/opnsense/www/js/widgets/Apcupsd.js    |  2 --
 sysutils/dec-hw/Makefile                              |  2 +-
 sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js  |  2 --
 www/caddy/Makefile                                    |  1 +
 .../src/opnsense/www/js/widgets/CaddyCertificate.js   |  2 --
 www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js  |  2 --
 11 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 30ada5696e..63c9a65501 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.23
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
index 2d4aba57bb..e4fb01095c 100644
--- a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
+++ b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
@@ -24,8 +24,6 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from 'widget-base-table';
-
 export default class Dyndns extends BaseTableWidget {
     constructor() {
         super();
diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index b445344d07..05041a7cbf 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html
diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index 4394e0cda8..8ec7b63b2c 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -24,8 +24,6 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from 'widget-base-table';
-
 export default class ETProTelemetry extends BaseTableWidget {
     constructor() {
         super();
diff --git a/sysutils/apcupsd/Makefile b/sysutils/apcupsd/Makefile
index 34ded92a0d..2a79e6f8e4 100644
--- a/sysutils/apcupsd/Makefile
+++ b/sysutils/apcupsd/Makefile
@@ -1,7 +1,8 @@
-PLUGIN_NAME=        apcupsd
-PLUGIN_VERSION=     1.2
-PLUGIN_DEPENDS=     apcupsd
-PLUGIN_COMMENT=     APCUPSD - APC UPS daemon
-PLUGIN_MAINTAINER=  xbb@xbblabs.com
+PLUGIN_NAME=		apcupsd
+PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
+PLUGIN_DEPENDS=		apcupsd
+PLUGIN_COMMENT=		APCUPSD - APC UPS daemon
+PLUGIN_MAINTAINER=	xbb@xbblabs.com
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js b/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
index 279c45793c..c9c447b383 100644
--- a/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
+++ b/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
@@ -24,8 +24,6 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from 'widget-base-table';
-
 /**
  * @typedef ApcUpsdStatusValue
  *
diff --git a/sysutils/dec-hw/Makefile b/sysutils/dec-hw/Makefile
index 447a430eea..4df54c2f12 100644
--- a/sysutils/dec-hw/Makefile
+++ b/sysutils/dec-hw/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dec-hw
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Deciso hardware specific information
 PLUGIN_MAINTAINER=	stephan.de.wit@deciso.com
 PLUGIN_TIER=		2
diff --git a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
index f8b4bdb2e4..bba6d6807c 100644
--- a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
+++ b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
@@ -24,8 +24,6 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseWidget from 'widget-base';
-
 export default class DecHW extends BaseWidget {
     constructor() {
         super();
diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 8a8b2898e1..f8fe5bf0d6 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.6.3
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
index e3b99f428a..ccdf65868a 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -24,8 +24,6 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from 'widget-base-table';
-
 export default class CaddyCertificate extends BaseTableWidget {
     constructor() {
         super();
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
index 97477a8ace..a43f51050a 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -24,8 +24,6 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-import BaseTableWidget from 'widget-base-table';
-
 export default class CaddyDomain extends BaseTableWidget {
     constructor() {
         super();

From 19070de8d0c82550f4488cf31e7a46021e620b2d Mon Sep 17 00:00:00 2001
From: Self-Hosting-Group
 <155233284+Self-Hosting-Group@users.noreply.github.com>
Date: Fri, 16 Aug 2024 13:37:41 +0200
Subject: [PATCH 2032/3088] net/upnp: Fix port maps not listed without
 description (#4103)

---
 net/upnp/Makefile                             |  3 +-
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   |  2 +-
 net/upnp/src/www/services_upnp.php            |  5 ++-
 net/upnp/src/www/status_upnp.php              | 37 ++++++++++---------
 4 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index ad55189cf8..44cfe30a3f 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		upnp
-PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	6
+PLUGIN_VERSION=		1.6
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 54a44a6c67..3fdf21214b 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -232,7 +232,7 @@ function miniupnpd_configure_do($verbose = false)
 
             /* Allow UPnP IGD or PCP/NAT-PMP as requested */
             $config_text .= "enable_upnp="   . ( $upnp_config['enable_upnp']   ? "yes\n" : "no\n" );
-            $config_text .= "enable_natpmp=" . ( $upnp_config['enable_natpmp'] ? "yes\n" : "no\n" );
+            $config_text .= "enable_pcp_pmp=" . ( $upnp_config['enable_natpmp'] ? "yes\n" : "no\n" );
 
             /* configure lifetimes to force periodic expire */
             $config_text .= "clean_ruleset_interval=600\n";
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index 077c3bae77..e56e08a431 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -221,9 +221,12 @@ function miniupnpd_validate_port($port)
                   </thead>
                   <tbody>
                     <tr>
-                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Enable");?></td>
+                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle text-muted"></i></a> <?=gettext("Enable");?></td>
                       <td>
                        <input name="enable" type="checkbox" value="yes" <?=!empty($pconfig['enable']) ? "checked=\"checked\"" : ""; ?> />
+                       <div class="hidden" data-for="help_for_enable">
+                         <?=gettext("Enable autonomous port mapping service.");?>
+                       </div>
                       </td>
                     </tr>
                     <tr>
diff --git a/net/upnp/src/www/status_upnp.php b/net/upnp/src/www/status_upnp.php
index d0c5d4fcda..0a9a983d84 100644
--- a/net/upnp/src/www/status_upnp.php
+++ b/net/upnp/src/www/status_upnp.php
@@ -62,41 +62,42 @@
 <?php
           else: ?>
           <div class="table-responsive">
-            <table class="table table-striped">
+            <table class="table table-striped table-condensed table-hover">
               <thead>
                 <tr>
-                  <td><?=gettext("Port");?></td>
-                  <td><?=gettext("Protocol");?></td>
-                  <td><?=gettext("Internal IP");?></td>
-                  <td><?=gettext("Int. Port");?></td>
-                  <td><?=gettext("Description");?></td>
+                  <td><?=gettext("Interface")?></td>
+                  <td><?=gettext("Ext. Port")?></td>
+                  <td><?=gettext("Internal IP")?></td>
+                  <td><?=gettext("Int. Port")?></td>
+                  <td><?=gettext("Protocol")?></td>
+                  <td><?=gettext("Source IP")?></td>
+                  <td><?=gettext("Source Port")?></td>
+                  <td><?=gettext("Description")?></td>
                 </tr>
               </thead>
               <tbody>
 <?php
               foreach ($rdr_entries as $rdr_entry):
-                  if (!preg_match("/on (.*) inet proto (.*) from (.*) to (.*) port = (.*) keep state label \"(.*)\" rtable [0-9] -> (.*) port (.*)/", $rdr_entry, $matches)) {
+                  if (!preg_match("/on (?P<iface>.*) inet proto (?P<proto>.*) from (?P<srcaddr>.*) (port (?P<srcport>.*) )?to (?P<extaddr>.*) port = (?P<extport>.*) keep state (label \"(?P<descr>.*)\" )?rtable [0-9] -> (?P<intaddr>.*) port (?P<intport>.*)/", $rdr_entry, $matches)) {
                       continue;
                   }
-                  $rdr_proto = $matches[2];
-                  $rdr_port = $matches[5];
-                  $rdr_label =$matches[6];
-                  $rdr_ip = $matches[7];
-                  $rdr_iport = $matches[8];
               ?>
                 <tr>
-                  <td><?=$rdr_port;?></td>
-                  <td><?=$rdr_proto;?></td>
-                  <td><?=$rdr_ip;?></td>
-                  <td><?=$rdr_iport;?></td>
-                  <td><?=$rdr_label;?></td>
+                  <td><?= html_safe(convert_friendly_interface_to_friendly_descr(convert_real_interface_to_friendly_interface_name($matches['iface']))) ?></td>
+                  <td><?= html_safe($matches['extport']) ?></td>
+                  <td><?= html_safe($matches['intaddr']) ?></td>
+                  <td><?= html_safe($matches['intport']) ?></td>
+                  <td><?= html_safe(strtoupper($matches['proto'])) ?></td>
+                  <td><?= html_safe($matches['srcaddr']) ?></td>
+                  <td><?= html_safe($matches['srcport'] ?: "any") ?></td>
+                  <td><?= html_safe($matches['descr']) ?></td>
                 </tr>
 <?php
               endforeach;?>
               </tbody>
               <tfoot>
                   <tr>
-                    <td colspan="5">
+                    <td colspan="8">
                       <form method="post">
                         <button type="submit" name="clear" id="clear" class="btn btn-primary" value="Clear"><?=gettext("Clear");?></button>
                         <?=gettext("all currently connected sessions");?>.

From 1972b6dc222b995d05e878c73260547f6a932e02 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 16 Aug 2024 15:13:19 +0200
Subject: [PATCH 2033/3088] plugins: removed this from core as well

---
 Mk/plugins.mk | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ba49c9d1a1..14fa3fe735 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -388,10 +388,6 @@ plist-fix:
 sweep: check
 	find ${.CURDIR}/src -type f -name "*.map" -print0 | \
 	    xargs -0 -n1 rm
-	if grep -nr sourceMappingURL= ${.CURDIR}/src; then \
-		echo "Mentions of sourceMappingURL must be removed"; \
-		exit 1; \
-	fi
 	find ${.CURDIR}/src ! -name "*.min.*" ! -name "*.svg" \
 	    ! -name "*.ser" -type f -print0 | \
 	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile

From 0dd7b28e0364b6779c5619876106d71ac4053d93 Mon Sep 17 00:00:00 2001
From: Rob van Oostenrijk <robvanoostenrijk@users.noreply.github.com>
Date: Sat, 17 Aug 2024 09:47:21 +0200
Subject: [PATCH 2034/3088] ddclient plugin: Removed deprecated
 domains.google.com/checkip (#4180)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml       | 1 -
 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py        | 1 -
 2 files changed, 2 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 33034df332..577b6651ad 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -142,7 +142,6 @@
                         <web_dyndns>cloudflare</web_dyndns>
                         <web_dyndns>dyndns</web_dyndns>
                         <web_freedns>freedns</web_freedns>
-                        <web_googledomains>googledomains</web_googledomains>
                         <web_he>he</web_he>
                         <web_icanhazip>icanhazip</web_icanhazip>
                         <web_ip4only_me value="web_ip4only.me">ip4only.me</web_ip4only_me>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index 6158f6b565..e79fa8c5f1 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -32,7 +32,6 @@
   'cloudflare': '%s://one.one.one.one/cdn-cgi/trace',
   'dyndns': '%s://checkip.dyndns.org/',
   'freedns': '%s://freedns.afraid.org/dynamic/check.php',
-  'googledomains': '%s://domains.google.com/checkip',
   'he': '%s://checkip.dns.he.net/',
   'icanhazip': '%s://icanhazip.com/',
   'ip4only.me': '%s://ip4only.me/api/',

From 1490dc820f8b65e598526125040425c91ae8076d Mon Sep 17 00:00:00 2001
From: Rob van Oostenrijk <robvanoostenrijk@users.noreply.github.com>
Date: Sun, 18 Aug 2024 10:14:28 +0200
Subject: [PATCH 2035/3088] Refactored IP matching, ignore results of hostname.
 Added cloudflare direct IPv4 & IPv6 (#4181)

---
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  4 +++-
 .../opnsense/scripts/ddclient/lib/address.py  | 23 +++++++++++--------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 577b6651ad..0888c87ace 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -139,7 +139,9 @@
                     <Default>web_dyndns</Default>
                     <ValidationMessage>An IP service type is required.</ValidationMessage>
                     <OptionValues>
-                        <web_dyndns>cloudflare</web_dyndns>
+                        <web_cloudflare>cloudflare</web_cloudflare>
+                        <web_cloudflare_ipv4 value="cloudflare-ipv4">cloudflare-ipv4</web_cloudflare_ipv4>
+                        <web_cloudflare_ipv6 value="cloudflare-ipv6">cloudflare-ipv6</web_cloudflare_ipv6>
                         <web_dyndns>dyndns</web_dyndns>
                         <web_freedns>freedns</web_freedns>
                         <web_he>he</web_he>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index e79fa8c5f1..42842e8c15 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -26,10 +26,12 @@
 import subprocess
 import re
 import ipaddress
-
+from urllib.parse import urlparse
 
 checkip_service_list = {
   'cloudflare': '%s://one.one.one.one/cdn-cgi/trace',
+  'cloudflare-ipv4': '%s://1.1.1.1/cdn-cgi/trace',
+  'cloudflare-ipv6': '%s://[2606:4700:4700::1111]/cdn-cgi/trace',
   'dyndns': '%s://checkip.dyndns.org/',
   'freedns': '%s://freedns.afraid.org/dynamic/check.php',
   'he': '%s://checkip.dns.he.net/',
@@ -48,17 +50,18 @@
 }
 
 
-def extract_address(txt):
+def extract_address(host, txt):
     """ Extract first IPv4 or IPv6 address from provided string
         :param txt: text blob
         :return: str
     """
-    for regexp in [r'[^a-fA-F0-9\:]', r'[^F0-9\.]']:
-        for line in re.sub(regexp, ' ', txt).split():
-            if line.count('.') == 3 or line.count(':') >= 2:
+    for regexp in [r'(?:\d{1,3}\.){3}\d{1,3}', r'([a-f0-9:]+:+)+[a-f0-9]+']:
+        matches = re.finditer(regexp, txt)
+        for match in matches:
+            if match.group() != host:
                 try:
-                    ipaddress.ip_address(line)
-                    return line
+                    ipaddress.ip_address(match.group())
+                    return match.group()
                 except ValueError:
                     pass
     return ""
@@ -79,8 +82,10 @@ def checkip(service, proto='https', timeout='10', interface=None):
         if interface is not None:
             params.append("--interface")
             params.append(interface)
-        params.append(checkip_service_list[service] % proto)
-        return extract_address(subprocess.run(params, capture_output=True, text=True).stdout)
+        url = checkip_service_list[service] % proto 
+        params.append(url)
+        return extract_address(urlparse(url).hostname,
+            subprocess.run(params, capture_output=True, text=True).stdout)
     elif service in ['if', 'if6'] and interface is not None:
         # return first non private IPv[4|6] interface address
         ifcfg = subprocess.run(['/sbin/ifconfig', interface], capture_output=True, text=True).stdout

From b82690448c7acbbe5bd537868899a43139f3f5cf Mon Sep 17 00:00:00 2001
From: "Dr. Uwe Meyer-Gruhl" <17402664+meyergru@users.noreply.github.com>
Date: Sun, 18 Aug 2024 17:04:39 +0200
Subject: [PATCH 2036/3088] Change Tukan theme for 24.7.x (#4164)

The "add widget" menu was hidden behind the popup
---
 misc/theme-tukan/Makefile                                     | 2 +-
 .../stylesheets/bootstrap-select/css/bootstrap-select.css     | 4 ++--
 .../opnsense/www/themes/tukan/assets/stylesheets/main.scss    | 2 +-
 .../opnsense/www/themes/tukan/build/css/bootstrap-select.css  | 4 ++--
 .../src/opnsense/www/themes/tukan/build/css/main.css          | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 58302aefc0..a0cf7296ff 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.27
+PLUGIN_VERSION=		1.28
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select/css/bootstrap-select.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select/css/bootstrap-select.css
index 56214371e7..b0426be872 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select/css/bootstrap-select.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/bootstrap-select/css/bootstrap-select.css
@@ -96,7 +96,7 @@ span.form-control {
   position: absolute;
 }
 .bootstrap-select.btn-group.bs-container .dropdown-menu {
-  z-index: 1060;
+  z-index: 9999;
 }
 .bootstrap-select.btn-group .dropdown-toggle .filter-option {
   display: inline-block;
@@ -204,7 +204,7 @@ span.form-control {
   margin-right: 34px;
 }
 .bootstrap-select.show-menu-arrow.open > .dropdown-toggle {
-  z-index: 1061;
+  z-index: 9999;
 }
 .bootstrap-select.show-menu-arrow .dropdown-toggle:before {
   content: '';
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
index ac64bdfc27..ea1ae3c641 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
@@ -5205,7 +5205,7 @@ button.close {
   position: absolute;
   top: 0;
   left: 0;
-  z-index: 1060;
+  z-index: 9999;
   display: none;
   max-width: 276px;
   padding: 1px;
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select.css
index 01c6683218..6fce907aa8 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/bootstrap-select.css
@@ -160,7 +160,7 @@ select.selectpicker {
   padding: 0 !important;
 }
 .bootstrap-select.bs-container .dropdown-menu {
-  z-index: 1060;
+  z-index: 9999;
 }
 .bootstrap-select .dropdown-toggle:before {
   content: '';
@@ -305,7 +305,7 @@ select.selectpicker {
 }
 .bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
 .bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
-  z-index: 1061;
+  z-index: 9999;
 }
 .bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
   content: '';
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index ac64bdfc27..ea1ae3c641 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -5205,7 +5205,7 @@ button.close {
   position: absolute;
   top: 0;
   left: 0;
-  z-index: 1060;
+  z-index: 9999;
   display: none;
   max-width: 276px;
   padding: 1px;

From 405fb2e26363becebe5e8cf5eec11912427bab17 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 19 Aug 2024 21:22:53 +0200
Subject: [PATCH 2037/3088] www/caddy: Add custom resolver to DNS Provider Tab
 (#4183)

* www/caddy: Add custom resolver to DNS Provider Tab. Cleaned up tls_configuration macro by making it more dry.

* www/caddy: Added newline so that following options do not accidentally render in same line as dns line.

* Update www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml

* Update www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 www/caddy/pkg-descr                           |  1 +
 .../OPNsense/Caddy/forms/dnsprovider.xml      |  6 ++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  3 +
 .../templates/OPNsense/Caddy/Caddyfile        | 73 +++++++++++--------
 4 files changed, 54 insertions(+), 29 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 570748fa5c..edcee06642 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -31,6 +31,7 @@ Plugin Changelog
 1.6.3
 
 * Add: Disable Propagation Timeout in DNS Provider Tab. This can help if the DNS Challenge fails due to DNS Propagation being too slow.
+* Add: Set custom resolver for the DNS Challenge in the DNS Provider tab.
 
 1.6.2
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
index 738419d5cc..b296f91178 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
@@ -51,6 +51,12 @@
         <label>DNS Propagation</label>
         <collapse>true</collapse>
     </field>
+    <field>
+        <id>caddy.general.TlsDnsPropagationResolvers</id>
+        <label>Resolvers</label>
+        <type>text</type>
+        <help><![CDATA[Leave empty to use the system resolvers (default). Resolvers customizes the DNS resolvers used when performing the DNS challenge; these take precedence over system resolvers or any default ones. If set here, the resolvers will propagate to all configured certificate issuers. If the system resolvers use DNS over TLS, setting an external resolver here is required or the DNS challenge will fail.]]></help>
+    </field>
     <field>
         <id>caddy.general.TlsDnsPropagationTimeout</id>
         <label>Disable Propagation Timeout</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index f61d5c9378..4b3e91a569 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -70,6 +70,9 @@
             <TlsDnsOptionalField3 type="TextField"/>
             <TlsDnsOptionalField4 type="TextField"/>
             <TlsDnsPropagationTimeout type="BooleanField"/>
+            <TlsDnsPropagationResolvers type="NetworkField">
+                <NetMaskAllowed>N</NetMaskAllowed>
+            </TlsDnsPropagationResolvers>
             <accesslist type="ModelRelationField">
                 <Model>
                     <reverseproxy>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 32d33f062c..673fd397c0 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -319,36 +319,38 @@
 #   - @param dnsSecretApiKey (string, optional): A secret API key or token for additional security, depending on the provider.
 #   - @param TlsDnsOptionalField1 to 4 (string, optional): Additional fields for specific DNS provider configurations.
 #   - @param TlsDnsPropagationTimeout (boolean, optional): Disables Propagation Timeout for DNS Challenge.
+#   - @param TlsDnsPropagationResolvers (string, optional): Set custom nameserver for DNS Challenge.
 #}
-{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsPropagationTimeout) %}
-    {% if dnsChallenge == "1" and dnsProvider %}
-        {% if dnsProvider in dnsProviderSpecialConfig %}
-            tls {
-                issuer acme {
-                    dns {{ dnsProvider }} {
-                        {% include "OPNsense/Caddy/includeDnsProvider" %}
-                    }
-                    {% if TlsDnsPropagationTimeout|default("0") == "1" %}
-                        propagation_delay 30s
-                        propagation_timeout -1
-                    {% endif %}
-                }
-            }
-        {% else %}
-            tls {
-                issuer acme {
-                    {# Other DNS Providers fall under this default #}
-                    dns {{ dnsProvider }} {{ dnsApiKey }}
-                    {% if TlsDnsPropagationTimeout|default("0") == "1" %}
-                        propagation_delay 30s
-                        propagation_timeout -1
-                    {% endif %}
+{% macro tls_configuration(
+    customCert,
+    dnsChallenge,
+    dnsProvider,
+    dnsApiKey,
+    dnsSecretApiKey,
+    tlsDnsOptionalField1,
+    tlsDnsOptionalField2,
+    tlsDnsOptionalField3,
+    tlsDnsOptionalField4,
+    tlsDnsPropagationTimeout,
+    tlsDnsPropagationResolvers
+) %}
+    {% if customCert or (dnsChallenge == "1" and dnsProvider) %}
+        tls {% if customCert %}/var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key{% endif %} {% if not customCert and dnsChallenge == "1" and dnsProvider %}{
+            issuer acme {
+                dns {{ dnsProvider }} {% if dnsProvider not in dnsProviderSpecialConfig %}{{ dnsApiKey }}{% else %}{
+                    {% include "OPNsense/Caddy/includeDnsProvider" %}
                 }
+                {% endif %}
+
+                {% if tlsDnsPropagationResolvers %}
+                resolvers {{ tlsDnsPropagationResolvers }}
+                {% endif %}
+                {% if tlsDnsPropagationTimeout|default("0") == "1" %}
+                propagation_delay 30s
+                propagation_timeout -1
+                {% endif %}
             }
-        {% endif %}
-    {% endif %}
-    {% if customCert %}
-        tls /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key
+        }{% endif %}
     {% endif %}
 {% endmacro %}
 
@@ -558,8 +560,21 @@
             {% endif %}
             {% set customCert = reverse.CustomCertificate|default("") %}
             {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
-            {% set TlsDnsPropagationTimeout = generalSettings.TlsDnsPropagationTimeout %}
-            {{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge, dnsSecretApiKey, TlsDnsOptionalField1, TlsDnsOptionalField2, TlsDnsOptionalField3, TlsDnsOptionalField4, TlsDnsPropagationTimeout) }}
+            {% set tlsDnsPropagationTimeout = generalSettings.TlsDnsPropagationTimeout %}
+            {% set tlsDnsPropagationResolvers = generalSettings.TlsDnsPropagationResolvers %}
+            {{ tls_configuration(
+                customCert,
+                dnsChallenge,
+                dnsProvider,
+                dnsApiKey,
+                dnsSecretApiKey,
+                tlsDnsOptionalField1,
+                tlsDnsOptionalField2,
+                tlsDnsOptionalField3,
+                tlsDnsOptionalField4,
+                tlsDnsPropagationTimeout,
+                tlsDnsPropagationResolvers
+            ) }}
 
             {% if not reverse.accesslist %}
                 {% set basicauth_uuids = reverse.basicauth %}

From 8af0c12f9cac4f4534339fbd2b93248becd7f151 Mon Sep 17 00:00:00 2001
From: TotalGriffLock <john@theshado.ws>
Date: Tue, 20 Aug 2024 07:26:52 +0100
Subject: [PATCH 2038/3088] plugins: add double-quotes to fix handling files
 with spaces (#4187)

---
 Mk/plugins.mk | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 14fa3fe735..5525c52317 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -211,7 +211,7 @@ scripts-post:
 install: check
 	@mkdir -p ${DESTDIR}${LOCALBASE}/opnsense/version
 	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
-		tar -C ${.CURDIR}/src -cpf - $${FILE} | \
+		tar -C ${.CURDIR}/src -cpf - "$${FILE}" | \
 		    tar -C ${DESTDIR}${LOCALBASE} -xpf -; \
 		if [ "$${FILE%%.in}" != "$${FILE}" ]; then \
 			sed -i '' ${SED_REPLACE} "${DESTDIR}${LOCALBASE}/$${FILE}"; \
@@ -253,17 +253,17 @@ metadata: check
 
 collect: check
 	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
-		tar -C ${DESTDIR}${LOCALBASE} -cpf - $${FILE} | \
+		tar -C ${DESTDIR}${LOCALBASE} -cpf - "$${FILE}" | \
 		    tar -C ${.CURDIR}/src -xpf -; \
 	done
 
 remove: check
 	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
-		rm -f ${DESTDIR}${LOCALBASE}/$${FILE}; \
+		rm -f "${DESTDIR}${LOCALBASE}/$${FILE}"; \
 	done
 	@(cd ${.CURDIR}/src 2> /dev/null && find * -type d -depth) | while read DIR; do \
-		if [ -d ${DESTDIR}${LOCALBASE}/$${DIR} ]; then \
-			rmdir ${DESTDIR}${LOCALBASE}/$${DIR} 2> /dev/null || true; \
+		if [ -d "${DESTDIR}${LOCALBASE}/$${DIR}" ]; then \
+			rmdir "${DESTDIR}${LOCALBASE}/$${DIR}" 2> /dev/null || true; \
 		fi; \
 	done
 
@@ -324,7 +324,7 @@ lint-shell:
 	    if [ "$$(head $${FILE} | grep -c '^#!\/')" == "0" ]; then \
 	        echo "Missing shebang in $${FILE}"; exit 1; \
 	    fi; \
-	    sh -n $${FILE} || exit 1; \
+	    sh -n "$${FILE}" || exit 1; \
 	done
 
 lint-xml:

From b4dc19ee78b2e805b35acabab8c90a9f5342965d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Aug 2024 12:17:03 +0200
Subject: [PATCH 2039/3088] dns/ddclient: whitespace and changelog

---
 dns/ddclient/pkg-descr                                    | 1 +
 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 6303476245..5298ef30af 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.23
 
 * Add dashboard widget
+* Refactored IP matching (contributed by Rob van Oostenrijk)
 
 1.22
 
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index 42842e8c15..5618d9aeb6 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -82,7 +82,7 @@ def checkip(service, proto='https', timeout='10', interface=None):
         if interface is not None:
             params.append("--interface")
             params.append(interface)
-        url = checkip_service_list[service] % proto 
+        url = checkip_service_list[service] % proto
         params.append(url)
         return extract_address(urlparse(url).hostname,
             subprocess.run(params, capture_output=True, text=True).stdout)

From 2147d51daa97fca3307ca988416a17d6f2dd9881 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Aug 2024 12:25:44 +0200
Subject: [PATCH 2040/3088] www/squid: bump and document

---
 www/squid/Makefile  | 2 +-
 www/squid/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 7da7431380..67b5f77f7b 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index f2e5e9c852..ba32c194e8 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -11,3 +11,4 @@ Plugin Changelog
 * Workaround for segmentation faults using OpenSSL legacy provider
 * Correct migration to Python ipaddress library use
 * Set default ACL values vor Safe_ports and SSL_ports
+* Include "icap_service_failure_limit -1" configuration (contributed by Andy Binder)

From ae04606fa5025e61e7bed3866087647984be03b4 Mon Sep 17 00:00:00 2001
From: Self-Hosting-Group
 <155233284+Self-Hosting-Group@users.noreply.github.com>
Date: Tue, 20 Aug 2024 00:00:00 +0000
Subject: [PATCH 2041/3088] net/upnp: Remove `Interface` column in status, as
 it shows the WAN

---
 net/upnp/src/www/status_upnp.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/upnp/src/www/status_upnp.php b/net/upnp/src/www/status_upnp.php
index 0a9a983d84..96ac60e80f 100644
--- a/net/upnp/src/www/status_upnp.php
+++ b/net/upnp/src/www/status_upnp.php
@@ -65,7 +65,6 @@
             <table class="table table-striped table-condensed table-hover">
               <thead>
                 <tr>
-                  <td><?=gettext("Interface")?></td>
                   <td><?=gettext("Ext. Port")?></td>
                   <td><?=gettext("Internal IP")?></td>
                   <td><?=gettext("Int. Port")?></td>
@@ -83,7 +82,6 @@
                   }
               ?>
                 <tr>
-                  <td><?= html_safe(convert_friendly_interface_to_friendly_descr(convert_real_interface_to_friendly_interface_name($matches['iface']))) ?></td>
                   <td><?= html_safe($matches['extport']) ?></td>
                   <td><?= html_safe($matches['intaddr']) ?></td>
                   <td><?= html_safe($matches['intport']) ?></td>
@@ -97,7 +95,7 @@
               </tbody>
               <tfoot>
                   <tr>
-                    <td colspan="8">
+                    <td colspan="7">
                       <form method="post">
                         <button type="submit" name="clear" id="clear" class="btn btn-primary" value="Clear"><?=gettext("Clear");?></button>
                         <?=gettext("all currently connected sessions");?>.

From c4157477de9176672f51a6342c1d95584ee1f763 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaka=20Pra=C5=A1nikar?= <Jackysi@users.noreply.github.com>
Date: Tue, 20 Aug 2024 21:00:50 +0200
Subject: [PATCH 2042/3088]  misc/theme-Aavanced: Theme based on AdvancedTomato
 project by the original author (#4189)

This is a new modern theme based on the AdvancedTomato project I
used to work on years ago. The design is blueish with conservative shadows.
Love to change it, so any ideas are welcome.

Initial release working with OPNSense 24.7.1. Any issues you find I will be more
than happy to fix. But I have been using theme as "beta" for months now and I
haven't found any specific issues yet. But more people more to find!
---
 misc/theme-advanced/Makefile                  |    7 +
 misc/theme-advanced/pkg-descr                 |    1 +
 .../glyphicons-halflings-regular.eot          |  Bin 0 -> 20127 bytes
 .../glyphicons-halflings-regular.svg          |  288 ++++
 .../glyphicons-halflings-regular.ttf          |  Bin 0 -> 45404 bytes
 .../glyphicons-halflings-regular.woff         |  Bin 0 -> 23424 bytes
 .../stylesheets/_bootstrap-compass.scss       |    7 +
 .../assets/stylesheets/_bootstrap-mincer.scss |   17 +
 .../stylesheets/_bootstrap-sprockets.scss     |    7 +
 .../assets/stylesheets/bootstrap-dialog.less  |  137 ++
 .../less/bootstrap-select.less                |  348 +++++
 .../bootstrap-select/less/variables.less      |    7 +
 .../sass/bootstrap-select.css                 |    1 +
 .../sass/bootstrap-select.scss                |  519 +++++++
 .../bootstrap-select/sass/variables.scss      |   17 +
 .../assets/stylesheets/bootstrap/_alerts.scss |   68 +
 .../assets/stylesheets/bootstrap/_badges.scss |   57 +
 .../stylesheets/bootstrap/_breadcrumbs.scss   |   26 +
 .../stylesheets/bootstrap/_button-groups.scss |  240 ++++
 .../stylesheets/bootstrap/_buttons.scss       |  159 +++
 .../stylesheets/bootstrap/_carousel.scss      |  243 ++++
 .../assets/stylesheets/bootstrap/_close.scss  |   35 +
 .../assets/stylesheets/bootstrap/_code.scss   |   68 +
 .../bootstrap/_component-animations.scss      |   35 +
 .../stylesheets/bootstrap/_dropdowns.scss     |  214 +++
 .../assets/stylesheets/bootstrap/_forms.scss  |  541 +++++++
 .../stylesheets/bootstrap/_glyphicons.scss    |  237 +++
 .../assets/stylesheets/bootstrap/_grid.scss   |   84 ++
 .../stylesheets/bootstrap/_input-groups.scss  |  166 +++
 .../stylesheets/bootstrap/_jumbotron.scss     |   48 +
 .../assets/stylesheets/bootstrap/_labels.scss |   66 +
 .../stylesheets/bootstrap/_list-group.scss    |  159 +++
 .../assets/stylesheets/bootstrap/_media.scss  |   56 +
 .../assets/stylesheets/bootstrap/_mixins.scss |   39 +
 .../assets/stylesheets/bootstrap/_modals.scss |  150 ++
 .../assets/stylesheets/bootstrap/_navbar.scss |  658 +++++++++
 .../assets/stylesheets/bootstrap/_navs.scss   |  239 ++++
 .../stylesheets/bootstrap/_normalize.scss     |  425 ++++++
 .../assets/stylesheets/bootstrap/_pager.scss  |   55 +
 .../stylesheets/bootstrap/_pagination.scss    |   88 ++
 .../assets/stylesheets/bootstrap/_panels.scss |  243 ++++
 .../stylesheets/bootstrap/_popovers.scss      |  133 ++
 .../assets/stylesheets/bootstrap/_print.scss  |  101 ++
 .../stylesheets/bootstrap/_progress-bars.scss |  107 ++
 .../bootstrap/_responsive-embed.scss          |   34 +
 .../bootstrap/_responsive-utilities.scss      |  180 +++
 .../stylesheets/bootstrap/_scaffolding.scss   |  150 ++
 .../assets/stylesheets/bootstrap/_tables.scss |  236 +++
 .../assets/stylesheets/bootstrap/_theme.scss  |  258 ++++
 .../stylesheets/bootstrap/_thumbnails.scss    |   38 +
 .../stylesheets/bootstrap/_tooltip.scss       |   95 ++
 .../assets/stylesheets/bootstrap/_type.scss   |  304 ++++
 .../stylesheets/bootstrap/_utilities.scss     |   57 +
 .../stylesheets/bootstrap/_variables.scss     |  853 +++++++++++
 .../assets/stylesheets/bootstrap/_wells.scss  |   29 +
 .../stylesheets/bootstrap/mixins/_alerts.scss |   14 +
 .../bootstrap/mixins/_background-variant.scss |   11 +
 .../bootstrap/mixins/_border-radius.scss      |   18 +
 .../bootstrap/mixins/_buttons.scss            |   50 +
 .../bootstrap/mixins/_center-block.scss       |    7 +
 .../bootstrap/mixins/_clearfix.scss           |   22 +
 .../stylesheets/bootstrap/mixins/_forms.scss  |   85 ++
 .../bootstrap/mixins/_gradients.scss          |   58 +
 .../bootstrap/mixins/_grid-framework.scss     |   81 ++
 .../stylesheets/bootstrap/mixins/_grid.scss   |  122 ++
 .../bootstrap/mixins/_hide-text.scss          |   21 +
 .../stylesheets/bootstrap/mixins/_image.scss  |   34 +
 .../stylesheets/bootstrap/mixins/_labels.scss |   12 +
 .../bootstrap/mixins/_list-group.scss         |   31 +
 .../bootstrap/mixins/_nav-divider.scss        |   10 +
 .../bootstrap/mixins/_nav-vertical-align.scss |    9 +
 .../bootstrap/mixins/_opacity.scss            |    8 +
 .../bootstrap/mixins/_pagination.scss         |   23 +
 .../stylesheets/bootstrap/mixins/_panels.scss |   24 +
 .../bootstrap/mixins/_progress-bar.scss       |   10 +
 .../bootstrap/mixins/_reset-filter.scss       |    8 +
 .../stylesheets/bootstrap/mixins/_resize.scss |    6 +
 .../mixins/_responsive-visibility.scss        |   21 +
 .../stylesheets/bootstrap/mixins/_size.scss   |   10 +
 .../bootstrap/mixins/_tab-focus.scss          |   10 +
 .../bootstrap/mixins/_table-row.scss          |   28 +
 .../bootstrap/mixins/_text-emphasis.scss      |   11 +
 .../bootstrap/mixins/_text-overflow.scss      |    8 +
 .../bootstrap/mixins/_vendor-prefixes.scss    |  219 +++
 .../assets/stylesheets/dashboard.scss         |  350 +++++
 .../advanced/assets/stylesheets/main.scss     | 1270 +++++++++++++++++
 .../advanced/build/css/bootstrap-dialog.css   |  113 ++
 .../advanced/build/css/bootstrap-select.css   |    1 +
 .../themes/advanced/build/css/dashboard.css   |    1 +
 .../www/themes/advanced/build/css/main.css    |    1 +
 ...UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2 |  Bin 0 -> 37924 bytes
 .../glyphicons-halflings-regular.eot          |  Bin 0 -> 20127 bytes
 .../glyphicons-halflings-regular.svg          |  288 ++++
 .../glyphicons-halflings-regular.ttf          |  Bin 0 -> 45404 bytes
 .../glyphicons-halflings-regular.woff         |  Bin 0 -> 23424 bytes
 .../themes/advanced/build/images/caret.png    |  Bin 0 -> 2935 bytes
 .../advanced/build/images/default-logo.svg    |   95 ++
 .../themes/advanced/build/images/favicon.png  |  Bin 0 -> 2938 bytes
 .../advanced/build/images/icon-logo.svg       |   84 ++
 99 files changed, 11504 insertions(+)
 create mode 100644 misc/theme-advanced/Makefile
 create mode 100644 misc/theme-advanced/pkg-descr
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.eot
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.svg
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.ttf
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.woff
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-compass.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-mincer.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-sprockets.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-dialog.less
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/bootstrap-select.less
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.css
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_alerts.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_badges.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_breadcrumbs.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_button-groups.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_buttons.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_carousel.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_close.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_code.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_component-animations.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_dropdowns.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_forms.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_glyphicons.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_grid.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_input-groups.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_jumbotron.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_labels.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_list-group.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_media.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_mixins.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_modals.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_navbar.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_navs.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_normalize.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_pager.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_pagination.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_panels.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_popovers.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_print.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_progress-bars.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_responsive-embed.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_responsive-utilities.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_scaffolding.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_theme.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_thumbnails.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tooltip.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_type.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_utilities.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_variables.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_wells.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_alerts.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_background-variant.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_border-radius.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_buttons.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_center-block.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_clearfix.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_forms.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_gradients.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_grid-framework.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_grid.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_hide-text.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_image.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_labels.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_list-group.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_nav-divider.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_nav-vertical-align.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_opacity.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_pagination.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_panels.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_progress-bar.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_reset-filter.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_resize.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_responsive-visibility.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_size.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_tab-focus.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_table-row.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_text-emphasis.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_text-overflow.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_vendor-prefixes.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/bootstrap-dialog.css
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/bootstrap-select.css
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/main.css
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.eot
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.svg
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.ttf
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.woff
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/caret.png
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/default-logo.svg
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/favicon.png
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/icon-logo.svg

diff --git a/misc/theme-advanced/Makefile b/misc/theme-advanced/Makefile
new file mode 100644
index 0000000000..9af08541fc
--- /dev/null
+++ b/misc/theme-advanced/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		theme-advanced
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		OPNsense theme based on AdvancedTomato GUI
+PLUGIN_MAINTAINER=	jacky@prahec.com
+PLUGIN_WWW=		https://prahec.com/
+
+.include "../../Mk/plugins.mk"
diff --git a/misc/theme-advanced/pkg-descr b/misc/theme-advanced/pkg-descr
new file mode 100644
index 0000000000..10d6368848
--- /dev/null
+++ b/misc/theme-advanced/pkg-descr
@@ -0,0 +1 @@
+Advanced - Modern theme based on AdvancedTomato project by the original author
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.eot b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.eot
new file mode 100644
index 0000000000000000000000000000000000000000..b93a4953fff68df523aa7656497ee339d6026d64
GIT binary patch
literal 20127
zcma%hV{j!vx9y2-`@~L8?1^pLwlPU2wr$&<*tR|KBoo`2;LUg6eW-eW-tKDb)vH%`
z^`A!Vd<6hNSRMcX|Cb;E|1qflDggj6Kmr)xA10^t-vIc3*Z+F{r%|K(GyE^?|I{=9
zNq`(c8=wS`0!RZy0g3<xfGPm^&oc(t0WAJyYk&j565#r82r@tgVE(V|{tq<<xco!B
z02==gmw&z10LOnkAb<tH1OWX@JOI9bn*UMykN1D0R{xl80Mq~Cd;ISaOaQKbJU)Q^
zKV{p0n*ZTg{L}i+{3Za_e=Uyx%G?09e;&`jxw-$pR}TDt)(rrNs7n5?o%-LK0RgDo
z0?1<k<naI!SC})WF>{M(8^tv41d}oRU?8#IBFtJy*9zAN5dcxqGlMZGL>GG%R#)4J
zDJ2;)4*E1pyHia%>lMv3X7Q`UoFyoB@|xvh^)kOE3)IL&0(G&i;g08s>c%~pHkN&6
z($7!kyv|A2DsV2mq-5Ku)D#$Kn$CzqD-wm5Q*OtEOEZe^&T$<q%?GPI*ug?*jFCZ7
zl1X3>xIb0NUL<TDAlC~xMcGnHsPe)Gh+nESIamgk2)5Ql^6QPK&XkQ+!qk}`TYc#I
zf~KwkK>}$)W)Ck`6oter6KcQG9Zcy>lXip)%e&!lQgtQ*N`#abOlytt!&i3fo)cKV
zP0BWmLxS1gQv(r_r|?9>rR0ZeEJPx;Vi|h1!Eo*dohr<W65y|5+tpvz!HDS=Q}DgN
z;O&E^rmV416<Hj_N10HwLk^Lwyhx2j;kDE@F*S-tuqy|n(-6~PPF09Xvxq56At8OG
z4-2Gj5=K^(f;q@WOp+9uP|<!09J~a(Y%m)hsl;TbWEvvuQ7(qWx_eKYE@rH9B(V+`
zF8+p6+N8}}{zS_o7#)%b=2DFYa}JT{_i@;_#xxEDZ)+D4Lz{Pv;LE}#`N2bQP*W;6
z(wPX2S3Zb<sNz$mW_!uE^K&d`O<hkRPv<3DnX$`Y*)_qR>&^lJgqJZns>&vexP@fs
zkPv93Nyw$-kM5Mw^{@wPU47Y1dSkiHyl3dtHLwV&6Tm1iv{ve;sYA}Z&kmH802s9Z
zyJEn+cfl7yFu#1^#DbtP7k&aR06|n{LnYFYEphKd@dJEq@)s#S)UA&8VJY@S2+{~>
z(4?M();zvayyd^j`@4>xCqH|Au>Sfzb$mEOcD7e4z8pPVRTiMUWiw;|gXHw7LS#U<
zsT(}Z5SJ)CRMXloh$qPnK77w_)ctHmgh}QAe<2S{DU^`!uwptCoq!Owz$u6bF)vnb
zL`bM$%>baN7l#)vtS3y6h*2?xC<XQJNpZVS!tVtuR(<D$%K=CTVlwa)G)}qDJup|w
z!YRUAk-}+0)MFG#RuE2vlb~4*bP&)ex6`$^%6ySxf}MiQja9&+C4)UgIK)TIHVp>k
z>w+s)@`O4(4_<t2L?B1i*y6fuRi+P?QZCG2j9(btWTetUT@0Q|8XO(SqEH6LSB!2L
z<;M1lya0G`cm9UEex~so>I{L-!+b%)NZcQ&ND=2lyP+xI#9OzsiY8$c)ys-MI?TG6
zEP6f=vuLo!G>J7F4v|s#lJ+7A`^nEQScH3e?B_jC&{<S@1dd<&?JtuP@v(wA>sj>m
zYD?!1z4nDG_Afi$!J(<{>z{~Q)$SaXWjj~%ZvF152Hd^VoG14rFykR=_TO)mCn&K$
z-TfZ!vMBvnToyBoKRkD{3=&=qD|L!vb#jf1f}2338z)e)g>7#NPe!FoaY*jY{f)<G
z+9IWTnFJO0p&^rK`xODpSZARax-jN9(N|ZWyg~(MGSuQYzXBQR*+_`oO>Bf>ohk-K
z4{>fVS}ZCicCqgLuYR_fYx2;*-4k>kffuywghn?15s1dIOOYfl+XLf5w?wtU2Og*f
z%X5x`H55F6g1>m~%F`655-W1wFJtY>>qNSdVT`M`1Mlh!5Q6#3j={n5#za;!X&^OJ
zgq;d4UJV-F>gg?c3Y?d=kvn3e<VW2IarGgIy4I@#ozBH$Q(a($^uvXS?@=l>V)Jb^
zO5vg0G0yN0%}xy#(6oTDSVw8l=_*2k;zTP?+N=*18H5wp`s90K-C67q{W3d8vQGmr
zhpW^>1HEQV2TG#8_P_0q91h8QgHT~8=-Ij5snJ3cj?Jn5_66uV=*pq(j}yHn<uy|J
zh=_`9%JG63kQPJ-Et!mF@={HFp+sB-S+XTFvdzD^x19Lbj{TXx=?FGKvX;|1-3-zU
zl2DyEls20Izb)isO0?xrx(b1`<I3ZDSNBd*<5l=jC`?Re`XCFaI(ny#9KlP!NYbU=
z^;IWB5he_V3}{Xdl1>f$<x%N5|7+dpJoB>Ft;5VVC?bz%9X31asJeQF2jEa47H#j`
zk<KNJ>&uxf3t?g!tltVP|B#G_UfDD}`<#B#iY^i>oDd-LGF}A@Fno~dR72c&hs6bR
z2F}9(i8+PR%R|~FV$;Ke^Q_E_B<teU&M|M>c;$)xN4Ti>Lgg4vaip!%M<tZtx+eW>
z06oxAF_*)LH57w|gCW3SwoEHwjO{}}U=pKhjKSZ{u!K<P`9nrZXY)DCi*vvJQDx`q
za_kyA2Qus4JQ%8kM3_Gd%I1O+cF3~V6=ZM1u9*Ea+iXPId}M`kd7I1T0d7Zx)Wa&?
z{PLQlHM^=&Y!og~I(XQ;5lJScjK~IrV<F7J6v`iM&M1#EkRsHYX8V%Dip>?1zm1q?
zXyA6y@)}_sONiJopF}_}(~}d4FDyp|(@w}Vb;Fl5bZL%{1`}gdw#i{KMjp2@Fb9pg
ziO|u7qP{$kxH$qh8%L+)AvwZNgUT6^zsZq-MRyZid{D?t`f|KzSAD~C?WT3d0rO`0
z=qQ6{)&UXXuHY{9g|P7l_nd-%eh}4%VVaK#Nik*tOu9lBM$<%FS@`NwGEbP0&;Xbo
zObCq=y%a`jSJmx_uTLa{@2@}^&F<l?4N8$IoqA~y`|!rgD24&AtvbWWlPF%K!I`Fp
zMCDiMrV(MWM2!hiB6=^)Er#O8q+%t)I4l3iuF$d;cBXqGAn?Z0Z*?MZRuh=zmPo~-
z_rOvv7sERj79T<uPMWCHIto@agn)X&#=QQyY*6wt){yHQ7~yFoEezd#C<dQF+u)2-
zEIMy-5P*TYpqPxY25dY9J+f-E^3<^@G(=jU{U&hQ3#o`a)dOUR&JT?mTRlBfHE<p|
zO&J|*26{JJ28qC1saVtkQ1WW^G58Smr^%f>4c%z6oe-TN&idjv+8E|$FHOvBqg5hT
zMB=7SHq`_-E?5g=()*!V>rIa&LcX(RU}aLm*38U_V$C_g4)7GrW5$GnvTwJZdBmy6
z*X)wi3=R8L=esOhY0a&eH`^fSpUHV8h$J1|o^3fKO<edeL`~4AS}?bGhbI@wd%7ob
z;HUsAzX8f<5Tcj`x1L`~p_%qxb{Gobu+`2Hh*bfnN@EZ$w1F5i32YXO9vreTkznl=
zRv&F3;kE3d@_Cys2UVvUxUU=oDO~U>|9QzaiKu>yZ9wmRkW?HTkc<*v7i*ylJ#u#j
zD1-n&{B`04oG>0Jn{5PKP*4Qsz{~`VVA3578gA+JUkiPc$Iq!^K|}*p_z3(-c&5z@
zKxmdNpp2&wg&%xL<cX5MdFnpzW;X?cI|~qZbhDWm)F_t}i=(x><xZ|=$k6lbFWo~R
z1yEA-t+BaHz`?1Zi{N`F<t?_rS*zpAEN-Lg7L9qKTVj|Ih7gOmTvLqTlA1e51SXNm
zeA`1UhC`&)%k?V^ii%`|O+coBH9$HjP#Fy1CjYhyW0DPZC>3xZNzG-5Xt7jnI@{?c
z25=M>-VF|;an2Os$Nn%HgQz7m(ujC}Ii0Oesa(y#8>D+P*_m^X##E|h$M6tJr%#=P
zWP*)Px>7z`E~U^2LNCNiy%Z7!!6RI%6fF@#ZY3z`CK91}^J<kz;gXvl4j_QvxfXmA
ze1j4n*Hru_ge<*I;p<wHXN`XVFAk2bTG~Vl5{?nXF6K!!HeqOu6_U-movw7Gx`O<C
zM~<jbZlSC}oXeAQr_Y8Tq)(9YogPgPY{6ELohD$98O2Fj5_M2=J84FuR#dyoS!A-|
z*c)!)9^dk4^<2$Ks79AAMW;%o-!%g7j{1(Pnwwy1tca#dUTE1+4y#<A6VSeCR)wQ`
zCEFu?oS$y=05cpTr}VLe+YU$GFp$#&tfXaK<ia*q3-&+6KDQP!)!Ru(yh0c}7za6=
ziFP^Nq3))g21c{b{ESQRdZN3Xnpa8jUP0DA2r&uofBU7TtM^7^s}7#&aUnGsvE`fu
z>$F!EB0YF1je9<lP78|=Z6bmMhpLsL)Tz)Cn&pP#eF?{kB>hJKU7!S5MnXV{+#K;y
zF~s*H%p@vj&-ru7#(F2L+_;IH46X(z{~HTfcThqD%b{>~u@lSc<+f5#xgt9L7$gSK
ziDJ6D*R%4&YeUB@yu@4+&70MBNTnjRyqMRd+@&lU#rV%0t3OmouhC`mkN}pL>tXin
zY*p)mt=}$EGT2E<4Q>E2`6)gZ`QJhGDNpI}bZL9}m+R>q?l`OzFjW?)Y)P`fUH(_4
zCb?sm1=DD0+Q5v}BW#0n5;Nm(@RTEa3(Y17H2H67La+>ptQHJ@WMy2xRQT$|7l`8c
zYHCxYw2o-rI?(fR2-%}pbs$I%w_&LPYE{4bo}vRoAW>3!SY_zH3`ofx3F1PsQ?&iq
z*BRG>?<6%z=x#`NhlEq{K~&rU7Kc7Y-90aRnoj~rVoKae)L$3^z*Utppk?I`)CX&&
zZ^@Go<Q-E-9qdDk;`1UZ+I6D_?B@62xgSC03f%4S8VtH3(P3D_6<1>9fm&fN`b`XY
zt0xE5aw4t@qTg_k=!-5LXU+_~DlW?53!afv6W(k@FPPX-`nA!FBMp7b!ODbL1zh58
z*69I}P_-?qSLKj}JW7gP!la}K@M}L>v?rDD!DY-tu+onu9kLoJz20M4urX_xf2dfZ
zORd9Zp&28_ff=wdMpXi%IiTTNegC}~RLkdYjA39kWqlA?jO~o1`*B&85Hd%VPkYZT
z48MPe62;TOq#c%H(`wX5(Bu>nlh4Fbd*Npasdhh?oRy8a;NB2(eb}6DgwXtx=n}fE
zx67rYw=(s0r?EsPjaya}^Qc-_UT5|*@|$Q}*|>V3O~USkIe6a0_>vd~6kHuP8=m}_
zo2IGKbv;yA+TBtlCpnw)8hDn&eq?26gN$Bh;SdxaS04Fsaih_Cfb98s39xbv)=mS0
z6M<@pM2#pe32w*lYSWG>DYqB95XhgAA)*9dOxHr{t)er0Xugoy)!Vz#2C3FaUMzYl
zCxy{igFB901*<tiyD63(hW(uERHv;@J~7F`;-e`O5Ld!(Fl>R2*F4>grPF}+G`;Yh
zGi@nRjWyG3mR(BVOeBPOF=_&}2IWT%)pqdNAcL{eP`L*^FDv#Rzq<iCP<KO7gjv}{
z^5ElYuo)cUV9?9{6e*c7eWVK@LCOKKaBR<2_;6r+GhH1i-~$};rNpE_D*2ZJ=O+cz
zyj}kfz8;}sw88^SYgzvxpkB>l5U&Suq_X%JfR_lC!S|y|xd5mQ0{0!G#9hV46S~A`
z0B!{yI-4FZEtol5)mNWXcX(`x&Pc*&gh4k{w%0S#EI>rqqlH2xv7mR=9XNCI$V#NG
z4wb-@u{PfQP;tTbzK>(DF(~bKp3;L1-A*HS!VB)Ae>Acnvde15Anb`h;I&0)aZBS6
z55ZS7mL5Wp!LCt45^{2_70<L`Ib`SKM1Oi<HkO)Y>YiI_Py=X{I3>$Px5Ez0ahLQ+
z9EWUWSyzA|+g-Axp*Lx-M{!ReQO07EG7r4^)K(xbj@%ZU=0tBC5shl)1a!ifM5OkF
z0<aV&1|hwix;hV`l{C+KeqEjnn@aQGS~k&rcJ^K626yC8@~#qf$xT7;xJLzv3M&rA
z)MirFFpng+&}hRJHKQ6_3l{ABCJLmIrj8g#cem2@!i;W7Q+}Wr^IrTp((?iq1h?Cq
z7Z^k%ps^N^e})9!YkyNa0;x`m&~<4yTQHl1+dFNY1CE<&_PZ=1v!ch(qU_a1lHd~T
zC&a1>w2xQ-<+r-h1fi7B6waX15|*GGqfva)S)dVcgea`lQ~SQ$KXPR+(3Tn2I2R<0
z9tK`L*pa^+*n%>tZPiqt{_`%v?Bb7CR-!GhMON_Fbs0$#|H}G?rW|{q5fQhvw!FxI
zs-5ZK>hAbnCS#ZQVi5K0X3PjL1JRdQO+&)*!oRCqB{wen60P6!7bGiWn@vD|+E@Xq
zb!!_WiU^I|@1M}Hz6fN-m04x=><rLlCfwyIrOU}U)<7QivZH0Rm_-}Sg~$eCMDR*Z
zx`cVPn__}6Q+CU!>Exm{b@>UCW|c8<K+|Vc^j#>vC`aNbt<B+h3ox;kC6?34Wa#|Y
zXq?n@d6k6MUBqn%SYLX5^>A@KCHujh^2RWZC}iYhL^<*Z93chIBJYU&w>$CGZDR<q
ztx<5t>cHuIgF&oyesDZ#&mA;?wxx4Cm#c0V$xYG?9OL(Smh}#fFuX(K;otJmvRP{h
ze^f-qv;)HKC7geB92_@3a9@M<H_?qNxE&=>GijS(hNNVd%-rZ;%@F_f7?Fjinbe1(
zn#jQ*jKZTqE+AUTEd3y6t>*=;AO##cmdwU4gc2&rT8l`rtKW2JF<`_M#p>cj+)yCG
zgKF)y8jrfxTjGO&ccm8RU>qn|HxQ7Z#sUo$q)P5H%8iBF$({0Ya51-rA@!I<SEC1_
zHUdTwrTB3a?*}j?j1(f*^9G0kG<5JX4@l|rR&H;`Qa2VcYZ3UxZL+D>t#NHN8MxqK
zrYyl_&=}WVfQ?+ykV4*@F6)=u_~3BebR2G2>>mKaEBPm<p!ix>SW3(qYGGXj??m3L
zHec{@jWCsSD8`xUy0pqT?Sw0oD?AUK*WxZn#D>-$`eI+IT)6ki>ic}W)t$V32^ITD
zR497@LO}S|re%A+#vdv-?fXsQGVnP?QB_d0cGE+U84Q=aM=XrOwGFN3`Lpl@P0fL$
zKN1PqOwojH*($uaQFh8_)H#>Acl&UBSZ>!2W1Dinei`R4dJGX$;~60X=|SG6#jci}
z&t4*dVDR*;+6Y(G{KGj1B2!qjvDYOyPC}%hnPbJ@g(4yBJrViG1#$$X75y+Ul1{%x
zBAuD}Q@w?MFNqF-m39FGpq7RGI?%Bvyyig&oGv)lR>d<`Bqh=p>urib5DE;u$c|$J
zwim~nPb19t?LJZsm{<(Iyyt@~H!a4yywmHKW&=1r5+oj*Fx6c89heW@(2R`i!Uiy*
zp)=`Vr8sR!)KChE-6SEIy<Vn-l!RzPhNVxOkQU85Nng*5JUtkAg)b6wP&$wmih=Au
zKs;dHW6q)pI2VT$E`W=7aAbKSJnb;$l%#?edH=)1)avHvVH)345mJ;(*l$Ed1MA<a
z72%vbZD4`I;B-RS=m{iM`7(#1x>i(dvG3<1KoVt>kGV=zZiG<Y+hj@$zd#Q#=4iVE
z)x-IdMbP%iC;0pg$QUoVt(A;lO{-jJjH=;buR+E#0Eulb^`hidN&<0Z-tju^RGPcG
z(C4$AS6l7m-h>7LGonH1+~yOK-`g0)r#+O|Q>)a`I2FVW%wr3lhO(P{ksNQuR!G_d
zeTx(M!%brW_vS9?IF>bzZ2A3mWX-MEaOk^V|4d38{1D|KOlZSjBKrj7Fgf^>JyL0k
zLoI$adZJ0T+8i_Idsuj}C;6jgx9LY#Ukh;!8eJ^B1N}q=Gn4onF*a2vY7~`x$r@rJ
z`*hi&Z2lazgu{&nz>gjd>#eq*IFlXed(%$s5!HR<!{AgXHWD~USVRvxKdGTp>XKNm
zDZld+DwDI`O6hyn2uJ)F^{^;ESf9sjJ)wMSKD~R=DqPBHyP!?cGAvL<1|7K-(=?VO
zGcKcF1spUa+ki<qEk7@%dE~%eGpEl!oK*hA!YE+isq^GFdJ#{KfWIULzmRCaF}4(*
z-$*W)k94bSp|#5~htGbQ<~v1feWKv$%wM~TX}E><`6K#@QxOTsd847N8WSWztG~?~
z!gUJn>z0O=_)VCE|56hkT~n5xXTp}Ucx$Ii%bQ{5;-a4~I2e|{l9ur#*ghd*hSqO=
z)GD@ev^w&5%k}YYB~!A%3*XbPPU-N6&3Lp1LxyP@|C<{qcn&?l54+zyMk&I3YDT|E
z{lXH-e?C{huu<@~li+73lMOk&k)3s7Asn$t6!PtXJV!RkA`qdo4|OC_a?vR!kE_}k
zK5R9KB%V@R7gt@9=TGL{=#r2gl!@3G;k-6sXp&E4u20DgvbY$iE**Xqj3TyxK>3AU
z!b9}NXuINqt>Htt6fXIy5mj7oZ{A&$XJ&thR5ySE{mkxq_YooME#VCHm2+3D!f`{)
zvR^WSjy_h4v^|!RJV-RaIT2Ctv=)UMMn@fAgjQV$2G+4?&dGA8vK35c-8r<daDqE-
zlIJCF%-7v?-xOAOA*Z$Wv;j3$ldn=}pR52aU>)z9Qqa=%k(FU)?iec14<^olkOU3p
zF-6`zHiDKPafKK<gsO-HjX!gIc-J@mlI}lqM!qAHMA?>^USUU+D01>C&Wh{{q?>5m
zGQp|z*+#>IIo=|ae8CtrN@@t~uLFOeT{}vX(IY*;>wAU=u1Qo4c+a&R);$^VCr>;!
zv4L{`lHgc9$BeM)pQ#XA_(Q#=_i<x#Kw|T_b{oltLKCCP2b6F_+)lx3b*Vc?@JD8p
z>SZL4>L~8Hx}NmOC$&*Q*bq|9Aq}rWgFnMDl~d*;7c44GipcpH9PWaBy-G$*MI^F0
z?Tdxir1D<2ui+Q#^c4?uKvq=p>)lq56<F6-{L-8bs~8_dC8J3p4CdV*Iq;6IOvBJh
z^E(Ti1wkp{O6qebTnBYm)da^xs3^-TV5tGhoGrFBA^b?UK`APfD~Y+F8!rz@iSNu3
zFO1o9o^S3!%nw&2bpBxHF!V{IaC(n}+(HqYMb(3!l`YX-ru;2?$oSZD;K6*RvAS8r
zf1jgZer>=Eb|N^qz~w7rsZu)@E4$;~snz+wIxi+980O6M#RmtgLYh@|2}9BiHSpTs
zacjGKvwkUwR3lwTSsCHlwb&*(onU;)$yvdhikonn|B44JMgs*&Lo!jn`6AE>XvBiO
z*LKNX3FVz9yLcsnmL!cRVO_qv=yIM#X|u&}#f%_?Tj0>8)8P_0r0!AjWNw;S44tst
zv+NXY1{zRLf9OYMr6H-z?4CF$Y%MdbpFIN@a-LEnmkcOF>h16cH_;A|e)pJTuCJ4O
zY7!4FxT4>4aFT8a92}84>q0&?46h>&0Vv0p>u~k&qd5$C1A6Q$I4V(5X~6{15;PD@
ze6!s9xh#^QI`J+%8*=^(-!P!@9%~buBmN2VSAp@TOo6}C?az+ALP8~&a0FWZk*F5N
z^8P8IREnN`N0i@>O0?{i-FoFShYbUB`D7O4HB`Im2{yzXmyrg$k>cY6A@>bf7i3n0
z5y&cf2#`zctT>dz+hNF&+d3g;2)U!#vsb-%LC+pqKRTiiSn#FH#e!bVwR1nAf*TG^
z!RKcCy$P>?Sfq6n<%M{T0I8?p@HlgwC!<R%oqdMv88ghhaN5z;w29c{kLz0?InueY
zuDv#J^DHLyGoyzt8(sCID)#E6<WCYlz7uC1Xvs8QhV{45h-M4rLYe7xw;{g462-zX
zIV>HoWO>~mT+X<{Ylm+$Vtj9};H3$EB}P2wR$3y!TO#$iY8eO-!}+F&jMu4%E6S>m
zB(N4w9O@2=<`WNJay5PwP8javDp~o~xkSbd4t4t8)<Wt_Xc73S;VOmD#Fsb|nTsJs
z59;v?-{=r}I{BDxTN)Iz2&5m`sG^%wjY0*@1I`W29gtM7#wwIQTHvQhS2gB?6J62R
zJXy=)7L1!%o4(?3j6J3Pc%v5LFvsR9gKoej%77dCetZylr9&mT=u=p$Kn1Z^C3ySy
z3|Tg>9jqu@bHmJHq=MV~Pt|(TghCA}fhMS?s-{klV>~=VrT$nsp7mf{?cze~KKOD4
z_1Y!F)*7^W+BBTt1R2h4f1X4Oy2%?=IMhZU8c{qk3xI1=!na*Sg<=A$?K=Y=GUR9@
zQ(ylIm4Lgm>pt#%p`zHxok%vx_=8Fap1|?OM02|N%X-g5_#S~sT@A!x&8k#wVI2lo
z1Uyj{tDQRpb*>c}mjU^gYA9{7mNhFAlM=wZkXcA#MHXWMEs^3>p9X)Oa?dx7b%N*y
zLz@K^%1JaArjgri;8ptNHwz1<0y8tcURSbHsm=26^@CYJ3hwMaE<khA9_uuFNLm1L
zw+Fp#304~-S;vdG5Nug~K2qs}yD1rrg&9Fcvifn@KphT~L22BKMX?U^9@?Ph`>vC7
z3Wi-@AaXIQ)%F6#i@%M>?Mw7$6(kW@?et@wbk-APcvMCC{>iew#vkZej8%9h0JSc?
zCb~K|!9cBU+))^q*co(E^9jRl7gR4Jihyqa(Z(P&ID#TPyysVNL7(^;?Gan!OU>au
zN}miBc&XX-M$mSv%3xs)bh>Jq9#aD_l|zO?I+p4_5qI0Ms*OZyyxA`sXcyiy>-{YN
zA70%HmibZYcHW&YOHk6S&PQ+$rJ3(utuUra3V0~@=_~QZy&nc~)AS>v&<6$gErZC3
zcbC=eVkV4Vu0#}E*r=&{X)<H<fOshUJUO>Kgq|8MGCh(wsH4geLj@#8EGYa})K2;n
z{1~=ghoz=9TSCxgzr5x3@sQZZ0FZ+t{?klSI_IZa16pSx6*;=O%n!uXVZ@1IL;JEV
zfOS&yyfE9dtS*^jmgt6>jQDOIJM5Gx#Y2eAcC3l^lmoJ{o0T>IHpEC<k{}Rs{I@x*
zb<od>TbfYgPI4#LZq0<d#zAXFmb<Y9lgw&{$vCxBQ~RnTL=zZ7D-RwUE3~Z#wraN%
z_E{llZ?GrX#>PKqnPC<SBsRloBYG4ZO7Eeh-Bv2C$rMVb@bcKn3t2`<&0ke8{h|+|
z29&HD`tAtGV2ZA(;c{wT$(NWY+fHTL0b7Km+3IMcIX(?D)PQ;HB*^`ex$kl}K>D}_
zyKxz;(`fE0z~nA1s?d{X2!#ZP8wUHzFSOoTWQrk%;wCnBV_3D%3@EC|u$Ao)tO|AO
z$4&aa!wbf}rbNc<V}`mLC?8U0y^+E9xuE>P{6=ajgg(`p5kTeu$ji20`zw)X1SH*x
zN?T36{d9TY*S896Ijc^!35LLUByY4QO=ARCQ#MMCjudFc7s!z%P$6DESz%zZ#>H|i
zw3Mc@v4~{Eke;FWs`5i@ifeYPh-Sb#vCa#qJPL|&quSKF%sp8*n#t?vIE7kFWjNFh
zJC@u^bRQ^?ra|%39Ux^Dn4I}QICyDKF0mpe+Bk}!lFlqS^WpYm&xwIYxUoS-rJ)N9
z1Tz*6Rl9;x`4lwS1cgW^H_M*)Dt*DX*W?ArBf?-t|1~ge&S}xM0K;U9Ibf{okZHf~
z#4v4qc6s6Zgm8iKch5VMbQc~_V-ZviirnKCi*ouN^c_2lo&-M;YSA>W>>^5tlXObg
zacX$k0=9Tf$Eg+#9k6yV(R5-&F{=DHP8!yvSQ`Y~XRnUx@{O$-bGCksk~3&qH^dqX
zkf+ZZ?Nv5u>LBM@2?k%k&_aUb5Xjqf#!&7%zN#VZwmv65ezo^Y4S#(ed0yUn4tFOB
zh1f1SJ6_s?a{)u6VdwUC!Hv=8`%T9(^c`2hc9nt$(q{Dm2X)dK49ba+KEheQ;7^0)
ziFKw$%EHy_B1)M>=yK^=Z$U-LT36yX<F=`VawpD(xy$9hZLKdS9NJ`Zn_|f^uS`)c
z-Rl}C$-9t=SeW=txVx%`NS&LLwx4tQT@F-lQnBqQ-sOH}Jc&bP@MTU&SQLci>>EKT
zvD8IAom2&2?bTmX@_PBR4W|p?6?LQ+&UMzXxqHC5VHzf@Eb1u)kwyfy+NOM8Wa2y@
zNNDL0PE$F;yFyf^jy&RGwDXQwYw6yz>OMWvJt98X@;yr<mIFkh{a&op3>!*RQDBE-
zE*l*u=($Zi1}0-Y4lGaK?J$yQjgb<Bq)i+tJ7(x$;ieC4!=clV5G5IPlSyhAR$E4=
z$1c&+)JfppzZ*VSL$xH3n1^iI1K%)!-^sJU%xwj7WT8t7w6499b3QQ%J+gW)4)JMb
z8GVT`4`(VvLA^xbTV6K2V_8Mv*?gDDUBYV!P-qg?Dq*YIhGKXu$p#?E9&(-}opTbz
zZ#J#VgX+|T3gSW)eF}>+*ljUvNQ!;QYAoCq@>70=sJ{o{^21^?zT@r~hhf&O;Qiq+
ziGQQLG*D@5;LZ%09mwMiE4Q{IPUx-emo*;a6#DrmWr(zY27d@ezre)Z1BGZdo&pXn
z+);gOFelKDmnjq#8dL7CTiVH)dHOqWi~uE|NM^QI3EqxE6+_n>IW67~UB#J==QOGF
zp_S)c8TJ}uiaEiaER}MyB(grNn=2m&0yztA=!%3xUREyuG_jmadN*D&1nxvjZ6^+2
zORi7iX1iPi$tKasppaR9$a3IUmrrX)m*)fg1>H+$KpqeB*G>AQV((-G{}h=qItj|d
zz~{5@{?&Dab6;0c7!!%Se>w($RmlG7Jlv_zV3Ru8b2rugY0MVPOOYGlokI7%nhIy&
z-B&wE=lh2dtD!F?noD{z^O1~Tq4MhxvchzuT_oF3-t4YyA*MJ*n&+1X3<j>~6quEN
z@m~aEp=b2~mP+}TUP^FmkRS_PDMA{B<dV*k52^3iWFIaXBr1MC#nA4rRMbI6g1e0>
zaSy(P=$T~R!yc^Ye0*pl5xcpm_JWI;@-di+nruhqZ4gy7cq-)I&s&Bt3BkgT(Zdjf
zTvvv0)8xzntEtp4iXm}~cT+pi5k{w{(Z@l2XU9lHr4Vy~3ycA_T?V(QS{qwt?v|}k
z_ST!s;C4!jyV5)^6xC#v!o<DVtBeh%T7qnQl{H-3DV=+H*Qr*Tk6W^hU(ZD0kJnpt
z6l*<^aakgBhlA+xpS}v`t7iyV?zu_V<U{&GBzBLYIuzDQe~f#6w^zD>*uS%a-jQ6<
z)>o?z7=+zNNtIz1*F_HJ(w@=`E+T|9TqhC(g7kKDc8z~?RbKQ)LRMn7A1p*PcX2YR
zUAr{);~c7I#3Ssv<0i-Woj0&Z4a!u|@Xt2J1>N-|ED<3$o2V?OwL4oQ%$@!zLamVz
zB)K&Ik^~GOmDAa143{I4?XUk1<3-k{<%?&OID&>Ud%z*Rkt*)mko0RwC2=qFf-^OV
z=d@47?tY=A;=2VAh0mF(3x;!#X!%{|vn;U2XW{(nu5b&8kOr)Kop3-5_xnK5oO_3y
z!EaIb{r%D{7zwtGgFVri4_!yUIGwR(xEV3YWSI_+E}Gdl>TINWsIrfj+7DE?xp+5^
zlr3pM-Cbse*WGKOd3+*Qen^*uHk)+EpH-{u@i%y}Z!YSid<}~kA*IRSk|nf+I1N=2
zIKi+&ej%Al-M5`cP^XU>9A(m7G>58>o|}j0ZWbMg&x`*$B9j#Rnyo0#=BMLdo%=ks
zLa3(2EinQLXQ(3zDe7Bce%Oszu%?8PO648TNst4SMFvj=+{b%)ELyB!0`B?9R6<HO
z0ZCx8TWpL$G_aCzv{2o6N{#z3g%x>aO{i-63|s@|raSQGL~s)9R#J#duFaTSZ2M{X
z1?YuM*a!!|jP^QJ(hAisJuPOM`8Y-Hzl~%d@latwj}t&0{DNNC+zJARnuQfiN`HQ#
z?boY_2?*q;Qk)LUB)s8(Lz5elaW56p&fDH*AWAq7Zrbeq1!?FBGYHCnFgRu5y1jwD
zc|yBz+UW|X`zDsc{W~8m<GsO<mO_1`^L`RbrG?Z6Us2*=^_x$`JV{a_LYEsuJtJYL
ziPBF7dm}M2=6vrP;RB?Z6!7)Zvt4B!$rUPf{RA&_8%VD|7)NrR9*=&gO*sOzLhB*~
z^{cR)lY*pt9GGm(POd`WZo!H=s$8fLl_}-xnV5A+4*BbLUMGLAzH|i9_k(p_(`_J-
zjFFqtuzWuLa;BGl;mNUQM^&@rL--@GcC@@A*GDUdTjOrweNe5I+671K_l#WVI|@LM
z6mSs@4|l^kTD;Gvy}KaDi)#o4AD~D*LX@4{{bfG+FoqQ?-6%VkN)4{7vy<hZ9gNX|
zQxtE>$sh@VVnZD$lLnKlq@Hg^;ky!}ZuPdKNi2BI70;hrpvaA4+Q_+K)I@|)q1N-H
zrycZU`*YUW``Qi^`bDX-j7j^&bO+-Xg$cz2#i##($uyW{Nl&{DK{=lLWV<rkzZltE
zVX#Q@q!0kD+4jwZ#haJNHLSu>3|=<&si||2)l=8^8_z+Vho-#5LB0EqQ3v5U#*DF7
zxT)1j^`m+lW}p$>WSIG1eZ>L|YR-@Feu!YNWiw*IZYh03mq+2QVtQ}1ezRJM?0PA<
z;mK(J5@N8>u@<6Y$QAHWNE};rR|)U_&bv8dsnsza7{=zD1VBcxrALqnOf-qW(zzTn
zTAp|pEo#FsQ$~*$j|~Q;$Zy&Liu9OM;VF@#_&*nL!N2hH!Q6l*OeTxq!l>dEc{;Hw
zCQni{iN%jHU*C;?M-VUaXxf0FEJ_G=C8)C-wD!DvhY+qQ#FT3}Th8;GgV&AV94F`D
ztT6=w_Xm8)*)dBnDkZd~UWL|W=Gl<gto;(*wC9U9tZbpA!j<N3*HCbtKUlby_Vyr4
z!?d@=(#f`*(ud3VsGC{9IRi#5(w*FK!J}~s9(p0ap?ykZJBp1cTUR*jPbbAP&K)BP
zDUly$`B#Sn(aWroZGbyL&=Dg67A>u!$hc|1w7_7l!3MAt95oIp4Xp{M%clu&TXehO
z+L-1#{mjkpTF@?|w1P98OCky~S%@OR&o75P<Wn%&Jm$EVDF7;}E<;f25{W=vmcPFf
zmJVk81ZR1bRmlb|#0}DPdayCjq(27hQh>&ZHvC}Y=(2_{ib(-Al_7aZ^U?s34#H}=
zGfFi5%KnFVCKtdO^>Htpb07#BeCXMDO8U}crpe1Gm`>Q=6qB4i=nLoLZ%p$TY=OcP
z)r}Et-Ed??u~f09d3Nx3bS@ja!fV(Dfa5lXxRs#;8?Y8G+Qvz+iv7fiRkL3liip})
z&G0u8RdEC9c$$rdU53=<QkS9aMArWJ!P8{(D~hr9YfM2Q0nl|;=ukHlQj%<P$wYfa
z?$=heR#}yGJkpA2LI#>MH`p!Jn|DHjhOxHK$tW_pw9wCTf0Eo<){HoN=zG!!Gq4z4
z7PwGh)V<N7ESN6`*^`^Q73fj(wcMs7=5Iu(yJo@Q_F?W?yk3)SdLai+cM6GrKPrjs
za_NJm=uOAmRL5F_{*Yjb_BZNY?)kCB%$WE8;A{ZK>NPXW-cE#MtofE`-$9~nmmj}m
zlzZscQ2+Jq%gaB9rMgVJkbhup0Ggpb)&L01T=%>n7-?v@I8!Q(p&+!fd+Y^Pu9l+u
zek(_$^HYFVRRIFt@0Fp52g5Q#I`tC3li`;UtDLP*rA{-#Yoa5qp{cD)QYhldihWe+
zG~zuaqLY~$-1sjh2lkbXCX;lq+p~!2Z=76cvuQe*Fl>IFwpUBP+d^<W!tp~MwxCaj
zHBQw{tTF&?2^15<bHvmlCS|A$khwaGVZw*2lw&_pOQz;LcFj@Ysq%CZ)?t&74A|dB
z4WL~cZpG-0G^KuK)}aNOTySm-Lt#QyW&mN^>&E4BGc<j4bbw_-4Ttv5`+q&kCfaBq
z#Rl}~m+g*DG5=zM=t?z8cf%Vr>{m#l%Kuo6#{XGoRyFc%Hqhf|%nYd<;yiC>tyEyk
z4I+a<QbTvlzlVm5v2!^bF)s*0Cw+t*kzz%N#&QZ42CimT6ySz~?+nd>`(%%Ie=-*n
z-{mg=j&t12)LH3R?@-B1tEb7FLMePI1HK0`Ae@#)KcS%!Qt9p4_fmBl5zhO10n401
zBSfnfJ;?_r{%R)hh}BBNSl=$BiAKbuWrNGQUZ)+0=Mt&5!X*D@yGCSaMNY&@`;^a4
z;v=%D_!K!WXV1!3%4P-M*s%V2b#2jF2bk!)#2GLVuGKd#vNpRMyg`kstw0GQ8@^k^
zuqK5uR<>FeRZ#3{%!|4X!hh7hgirQ@Mwg%%ez8pF!N$xhMNQN((yS(F2-OfduxxKE
zxY#7O(VGfNuLv-ImAw5+h@gwn%!ER;*Q+001;W7W^waWT%@(T+5k!c3A-j)a8y11t
zx4~rSN0s$M8HEOzkcWW4YbKK9GQez2XJ|Nq?TFy;jmGbg;`m&%U4hIiarKmdTHt#l
zL=H;ZHE?fYxKQQXKnC+K!TAU}r086{4m}r()-QaFmU(qWhJlc$eas&y<Oz%^3FaFm
z1?*33BSANpZbOjV<(WE=T(DuY)_XOR{Jho+f)Z}g61HjnqKKN*8E0S?ATVoi0{#On
zGn@2R)R+{|FLX_EYm8{*=&UqzSkXCnZ)vWGS!9t02v^*;nhYk{U}PXVkPhlRc3UH{
zA-5Xc>?=H9EYQy8N$8^bni9TpD<bzO7YS=tCt}zYcl)|7!PRQIoif~D7yjeqW#(B3
zmpkmPyyRt85TQV!liLz!S@Olwr9!I#6DL45xU1kD`j8+MN!ST75vIA5J=~k_se^q#
zaC@(uVW_ra*o|Fs!(sX4Ik6k-(M%QP2;-Z@Rf=+&=pE`Dv8K9?k1Fg2pF%vW*HO>p
zkA^WRs?KgYgjxX4T6?`SMs$`s3vlut(YU~f2F+id(Rf_)$BIMibk9lACI~LA+i7xn
z%-+=DHV*0TCTJp~-|$VZ@g2vmd*|2QXV;HeTzt530KyK>v&253N1l}bP_J#UjLy4)
zBJili9#-ey8Kj(dxmW^ctorxd;te|xo)%46l%5qE-YhAjP`Cc03vT)vV&GAV%#Cgb
zX~2}uWNvh`2<*AuxuJpq>SyNtZwzuU)r@@dqC@v=Ocd(HnnzytN+M&|Qi#f4Q8D=h
ziE<3ziFW%+!yy(q{il8H44g^5{_+pH60Mx5Z*FgC_3hKxmeJ+wVuX?T#ZfOOD3E4C
zRJsj#wA@3uvwZwHKKGN{{Ag+8^cs?S4N@6(Wkd$CkoCst(Z&hp+l=ffZ?2m%%ffI3
zdV7coR`R+*dPbNx=*ivWeNJK=Iy_vKd`-_Hng{l?hmp=|T3U&epbmgXXWs9ySE|=G
zeQ|^ioL}tve<e`!rDYCFUej_ysJ2z(4AIN3g4xGaB0&Y<^`&A^@AOml<{gmBP!-y6
z!IsbSiZ8eH@;)gbXcV?N4*>N{s72_&h+F+W;G}?;?_s@h5>DX(rp#eaZ!E=NivgLI
zWykLKev+}sHH41NCRm7W>K+_qdoJ8x9o5Cf!)|qLtF7Izxk*p|fX8UqEY)_sI_45O
zL2u>x=r5xLE%s|d%MO>zU%KV6QKFiEeo12g#bhei4!Hm+`~Fo~4h|BJ)%ENxy9)Up
zOxupSf1QZWun=)gF{L0YWJ<(r0?$bPFANrmphJ>kG`&7E+RgrWQi}ZS#-CQJ*i#8j
zM_A0?w@4Mq@xvk^>QSvEU|VYQoVI=TaOrsLTa`RZfe8{9F~mM{L+C`9YP9?Okn<Y+
zQ`?h`EW57j4Qxm_DjacY`kEKG93n7#6{CBssPbH&1L2KSo|Htm*KD+0p<wD8e>Lw|
zmkvz>cS6`pF0FYeLdY%>u&XpPj5$*iYkj=m7wMzHqzZ5SG~$i_^f@QEPEC+<2nf-{
zE7W+n%)q$!5@2pBuXMxhUSi*%F>e_g!$T-_`ovjBh(3jK9Q^~OR{)}!0}vdTE^M+m
z9QWsA?xG>EW;U~5gEuKR)Ubfi&YWnXV;3H6Zt^NE725*`;lpSK4HS1sN?{~9a4JkD
z%}23oAovytUKfRN87XTH2c=kq1)O<qRzRUy={bH%*8V=pA##jg=-EE6(Lotu<IYEm
zZ71>5(fH_M3M-o{{@&~KD`~TRot-gqg7Q2U2o-iiF}K>m?CokhmO<lc^{s0_OssMw
zc*3nzZ5WN~$;I6TzaKlN9W+6*SX5vHzSUyIfdtNx5K}gB*a}Ei-T%?Pusx0i{k6zW
zVCCXrjNT1#YIkZ%s$(OfAJ`FBR*66B?{y$nkK6iXlBVVr@2#yGM6%0i_(U5#>DaLB
z1p6(6JYGntNOg(s!(>ZU&lzDf+Ur)^Lirm%*}Z>T)9)fAZ9>k(kvnM;ab$ptA=hoh
zVgsVaveXbMpm{|4*d<0>?l_JUFOO8A3xNLQOh%nVXjYI6X8h?a@6kDe5-m&;M0xqx
z+1U$s>(P9P)f0!{z%M@E7|9nn#IWgEx6A6JNJ(7dk`%6$3@!C!l;JK-p2?gg+W|d-
ziEzgk$w7k48NMqg$CM*4O~Abj3+_yUKTyK1p6GDsGEs;}=E_q>^LI-~pym$qhXPJf
z2`!PJDp4l(TTm#|n@bN!j;-FFOM__eLl!6{*}z=)UAcGYloj?bv!-XY1TA6Xz;82J
zLRaF{8ayzGa|}c--}|^xh)xgX>6R(sZD|Z|qX50gu=d`gEwHqC@WYU7{%<5VOnf9+
zB<I4+b1=sZ53G|-kvYcPViY)E5R#f6q2$x?f020VY)3|@p~2oGrySSwa~uPN4nC&g
zX!I>@FX?|UL%`8EIAe!*UdYl|6wRz6Y>(#8x92$#y}wMeE|ZM2X*c}dKJ^4NIf;Fm
zNwzq%QcO?$NR-7`su!*$dlIKo2y(N;qgH@1|8QNo$0wbyyJ2^}$iZ>M{BhBjTdMjK
z>gPEzgX4;g3$rU?jvDeOq`X=>)zdt|jk1Lv3u~bjHI=EGLfIR&+K3ldcc4D&Um&04
z3^F*}WaxR(ZyaB>DlmF_UP@+Q*h$&nsOB#gwLt{1#F4i-{A5J@`>B9@{^i?g_Ce&O
z<<}_We-RUFU&&MHa1#t56u<quT+%|#XvIpRJ?co{{tU0{tvlHG=;UJAM%ZgS1Wk*<
zbzK}T;?L5YLE4NLu9J0u#X!J<y<O?uV#gKBNVOZ@7SW<kFyslWRX@_C90;+zxGfEz
zb5V;-W-;gzJ|=>_oM(Ljn7djja!T|gcxSoR=)@?owC*NkDarpBj=W4}=i1@)@L|C)
zQKA+o<(pMVp*Su(`zBC0l1yTa$MRfQ#uby|$mlOM<xEsq_18&vqMDMD7Zoz%Fkm7A
z3)Py9=vTp8h$K)n9Uvzc$sVOT&zol^a%bZk8R4Y8^rZSJmY_uRt<`DC1F!?x#33tZ
ze&XW>s=G`4J|?apMzKei%jZql#gP@IkOaOjB7MJM=@1j(&!jNnyVkn5;4lvro1!vq
ztXiV8HYj5%)r1PPpIOj)f!><jg)vV+x8*ZL<Q!-CP7F3VXp#~OA}`YkX&1&s!htsT
z^$c2`mPAtTVX<qUk`r6!8Vb=Uc23%M)2;P#-xg0%R+ozayS`Bp$+go_wMt83+CODc
z2B}|cG;*tiKwHPYIq{X<`rJQAk*7&QC@O%H3Z553ow$9gREC4~b(*v-N%(bN;Y@mL
zsmAcMVly_+3OO{6?K&3Aei;$vMv!82h}`Bdn#~L=J)xK(4o*51?I7`(&5m9X))pa;
zLPfmH5<-xa-W%$*L{V<;N$-)VdNT!&jA&vHrEgBjjo5UU0If7Vhz3vkcHNAY5aT+C
zc5euR<}4<-qaBP_Zef)X2|HW=07DGXb>pc^3#LvfZ(hz}C@-3R(Cx7R427*Fwd!XO
z4~j&IkPHcBm0h_|iG;ZNrYdJ4HI!$rSyo&sibmwIgm1|J#g6%>=ML1r!kcEhm(XY&
zD@mIJt;!O%WP7CE&wwE3?1-dt;RTHdm~LvP7K`ccWXkZ0kfFa2S;wGtx_a}S2lslw
z$<4^Jg-n#Ypc(3t2N67Juasu=h)j&UNTPNDil4MQMTlnI81kY46uMH5B^U{~nmc6+
z9>(lGhhvRK9ITfpAD!XQ&BPphL3p8B4PVBN0NF6U49;ZA0Tr75AgGw7(S=Yio+xg_
zepZ*?V#KD;sHH+15ix&yCs0eSB-Z%D%uujlXvT#V$Rz@$+w!u#3GIo*AwMI#Bm^oO
zLr1e}k5W~G0xaO!C%Mb{sarxWZ4%Dn9vG`KHmPC9GWZwOOm11XJp#o0-P-${3m4g(
z6~)X9FXw%Xm~&99tj>a-ri})ZcnsfJtc10F@t9xF5vq6E)X!iUXHq-ohlO`gQdS&k
zZl})3k||u)!_=nNlvMbz%AuIr89l#I$;rG}qvDGiK?xTd5HzMQkw*p$YvFLGyQM!J
zNC^gD!kP{A84nGosi~@MLKqWQNacfs7O$dkZtm4-BZ~iA8xWZPkTK!Hp<LTap+x4*
zUK;Ha0;Jc=$HCCwcHw+aadnOZR281fO)q}D^z9=|qH9;-;e${xK|?9elJ8=LaM<65
zE6;>A5zr!9Z&+icfAJ1)NWkTd!-9`NWU>9uXXUr;`Js#NbKFgrNhTcY4GNv*71}}T
zFJh?>=EcbUd2<|fiL+H=wMw8hbX6?+_cl4XnCB#ddwdG><R|vBc*yG=?!<`t>bki*
zt*&6Dy&EIPluL@A3_;R%)shA-tDQA1!Tw4ffBRyy;2n)vm_JV06(4O<t|JggQ(KZT
zsYO62-6u^^mX>r&QAOKNZB5f(MVC}&_!B>098R{Simr!UG}?CW1Ah+X+0#~0`X)od
zLYablwmFxN21L))!_zc`IfzWi<Gu||u|EiUx`=l}NMzvxMP68pmmwjICH*y4{3)P@
z%y44Q*AVc4<$z9@nMeRAeVJ+>`5>MxPe(Dm<mb5oz44!o-XIzF2v`EK`q7j%sCMv2
zL>jjO1}HHt7TJtAW+VXHt!aKZk>y6PoMsbDXRJnov;D~Ur~2R_7(Xr)aa%wJwZh<i
zvMmaF%EvU)a6S{Gh%whrx@S36i|iv5oL=QhR4YK<CK74@mwN~dH00RX{_e6r+#l%j
z7OK<7e3kn;@H(@8>S3gr7IGgt%@;`jpL@gyc6bGCVx!9CE7NgIbUNZ!Ur1RHror0~
zr(j$^yM4j`#c2KxSP61;(Tk^pe7b~}LWj~SZC=MEpdKf;B@on9=?_n|R|0q;Y*1_@
z>nGq>)&q!;u-8H)WCwtL<LrD$x{Fa((5#4K!l=^|krt6e2?!PZN=Rmwt*1$d&$Q{J
zCgeI0rGg+wn3iR*eck$cFmbQ~E3GYxr&dJb(4{lgPt?n#^<GT#&j{om5`|wE6bW}}
ze{Pav1oDZnak%Fz$PD1ZH8xBo#FnqUG6u>&7F4vbnnfSAlK1mwnRq2&gZrEr!b1MA
z(3%vAbh3aU-IX`d7b@q`-WiT6eitu}ZH9x#d&qx}?CtDuAXak%5<-P!{a`V=$|XmJ
zUn@4lX6#ulB@a=&-9HG)a>KkH=jE7>&S&N~0X0zD=Q=t|7w;kuh#cU=NN7gBGbQTT
z;?<kJaO{>bdSt8V&IIi}<ThZP?O{MP;s77svl-cIdCj)d-BZGJap1Ull?cz;BdUt4
zMAS0={#2iyI>sDTzA0dkU}Z-Qvg;RDe8v>468p3*&hbG<I%;HTx8<Z&Ih@Xrl%AO4
zEZ252P#-|8MJE+L5IXho^0!PtBR61%3tAJ8RP$~a8%~<+5(4Lyh@;kvSLVbDc4PRn
z?4(9&{Rpo>T1I3hi9hh~Z(!H}{+>eUyF)H&gdrX=k$aB%J6I<Mis<6rrEG;E4zw&M
zYsQ6$FFc_^cwkYGT9ds?4^G_w2+$2L@}W#bXUf0JW}7J?EgbIp`jFFailmTZXuEyM
z?LcqfTM!s>;6+^^kn1mL+E+?A!A}@xV(Qa@M%HD5C@+-4Mb4lI=Xp=@9+^x+jhtOc
zYgF2aVa(uSR*n(O)e6tf3JEg2xs#dJfhEmi1iOmDYWk|wXNHU?g23^IGKB&yHnsm7
zm_+;p?YpA#N*7vXCkeN2LTNG`{QDa#U3fcFz7SB)83=<8rF)|udrEbrZL$o6W?oDR
zQx!178Ih9B#D9Ko$H(jD{4MME&<|6%MPu|TfOc#E0B}!j^MMpV69D#h2`vsEQ{(?c
zJ3Lh!3&=yS5fWL~;1wCZ?)%nmK`Eqgcu)O6rD^3%ijcxL50^z?OI(LaVDvfL0#zjZ
z2?cPvC$QCzpxpt5jMFp05OxhK0F!Q<m=7hVYzR||ecS~Bi9y8}>`rPhDi5)y=-0C}
zIM~ku&S@pl1&0=jl+rlS<4`riV~LC-#pqNde@44MB(j%)On$0Ko(@q?4`1?4149Z_
zZi!5aU@2vM$dHR6WSZpj+VboK+>u-CbNi7*lw4K^ZxxM#24_Yc`<w`lM<_9<AjZra
zPf9|W$q@ib+eT6)aN(T>jvb9NPVi75L+MlM^U~`;a7`4H0L|TYK>%hfEfXLsu1JGM
zbh|8{wuc7ucV+`Ys1kqxsj`dajwyM;^X^`)#<+a~$WFy8b2t_RS{8yNYKKlnv+>vB
zX(QTf$kqrJ;%I@EwEs{cIcH@Z3|#^S@M+5jsP<^`@8^I4_8MlBb`~cE^n+{{;qW2q
z=p1=&+fUo%T{GhVX@;56kH8K_%?X=;$OTYqW1L*)hzelm^$*?_K;9JyIWhsn4SK(|
zSmXLTUE8VQX{se#8#Rj*lz`xHtT<61V~fb;WZUpu(M)f#<N`ZtP}(nwt@v*JXMv*g
zTjkPmLef!CJNB3?7*>;I+2_zR+)y5Jv?l`CxAinx|EY!`IJ*x9_gf_k&Gx2alL!hK
zUWj1T_pk|?iv}4EP#PZvYD_-LpzU!NfcL<ZIyO_4myXe0OU}<Cprr_|XIrM73FXg`
zNRt~K9+=_-Laa5&Rt6kJaobEvjFnh>L%fK&r$W8O1KH9c2&GV~N#T$kaXGvAOl)|T
zuF9%6(i=Y3q?X%VK-D2YIY<MPA*$`<$Z)_O$(a?^Bnjd_-qk6atAX5(s0D1W1}`G9
zl)%h^mai+5Kwy1+I$Zaauh0oNm3mQUQ=`8aEAo=0zrm72grj|c8&W!-^+^6zMgm-+
zSpJe{_P`h~;t1=21VLIQ5n~@Q5Y=~VMN|L<mJfGW44?>FPH3f|g$TrXW->&^Ab`WT
z7>Oo!u1u40?jAJ8H<j_H`^tLy@LZ5-N)dU$=t?bXuTI1>y`bv}qb<AzbCJ<X7c~}%
z50@S(*;X)_P8TrUWZGQQn`AI#Eve&0+FNaAqg<m^ZNYdEveME+t5Q5DV5-rT<{g7@
zG+rSFooLii=nDW~qWOU#YzUJee#V*XI!cGhpz&<{SF!$pIm@`rT3A99J?qG9DPU@z
z9jawkO0(cqfU^RIM<K3r*yl0SKgPT>gs8)cF0&qeVjD?e+3Ggn1Im>K77ZSpbU*08
zfZkIFcv?y)!*B{|>nx@cE{KoutP+seQU?bCGE`tS0GKUO3PN~t=2u7q_6$l;uw^4c
zVu^f{uaqsZ{*a-N?2B8ngrLS8<WR!m{e>E&s6}Xtv9rR9C^b`@q8*iH)pFz<!x=AK
zf6E-O(MiUN4a^nRWR%`TBl@CGu2cFmmpRkBUAPvyvw&qDg1_6Y)ycUoITv4yV(Mk5
z=Dtmg6tsakVjdG2BV~=LD3YcTEr=j6ou|^*Qem;+#vOz?`MQ>f1|kCfiLw6u{Z%aC
z!X^5CzF6qofFJgkl<Rtc72CagCpKF^gmhb1CH>JV3oc|Qc2XdFl+y5M9*P8}A>Kh{
zWRgRwMSZ(?Jw;m%0etU5BsWT-Dj-5F;Q$OQJrQd+lv`i6>MhVo^p*^w6{~=fhe|bN
z*37oV0kji)4an^%3ABbg5RC;CS50@PV5_hKfXjYx+(DqQdKC^JIEMo6X66$qDdLRc
z!YJPSKnbY`#Ht6`g@xGzJmKzz<St<)P9XB^ZWQT2VtTE^8HdQx8o;%`J{lUpkn0!&
z^d*IdfCW?sDnD#zV!vee5Xd}&#I@u4z;`)LVXVayyf`~NUMeM>n|abYbP+_Q(v?~~
z96%cd{E0BCsH^0HaWt{y(Cuto4VE7jhB1Z??#UaU(*R&Eo+J`UN+8mcb51F|I|n*J
zJCZ3R*OdyeS9hWkc_mA7-br>3Tw=CX2bl(=TpVt#WP8Bg^vE_9bP&6ccAf3lFMgr`
z{3=h@?Ftb$RTe&@IQtiJf<Z$(x)W;Yibdk0Eou)O=h)|ox2XJhbM7gDjm$)%o0c)W
z!;CM_%5jr$Dk{vl7{DX~*^!MCEDILf;SGbcLK^kRyl}+&4r>V;O&4fzh)e1>7seG;
z=%mA4@c7{aXeJnhEg2J@Bm;=)j=O=cl#^NNkQ<{r;Bm|8Hg}bJ-S^g4`|itx)~!LN
zXtL}?f1Hs6UQ+f0-X6&TBCW=A4>bU0{rv8C4T!(wD-h>VCK4YJk`6C9$by!fxOYw-
zV#n+0{E(0ttq<e;u-JNg<=7mR)Baf(#XbsMPDR?mv12UXo+AuGM*TW4&Dbw3MHmyv
zzQ)3g$Jc}F5k_3<jP&G5r+akl<UzYyi9?xB4hK@h8+B`?3~Bn5^eKgTbZcatPPir(
zn|7xaL9v;L3{V1l&DQSp%TOnp^O8OS$m-yD0^r7mU@qJQ<RvUSI@G_}IuDMi8mq0p
z?O{gor*9fmQL7Mrb|ducn%AQOk@nhAYv{%&-E+j$)7Bpd*!L2Cg%7pf&3ZLxA5Fwj
z%8~}*Sw2G<h3E&$jhO(1=)P&U%mN)4Rk5JcPDUdUN*FM8j0Mg^@Z|6~Ym*2e3TCV6
z?5B1NxqE*aMe#2m&+Fz%OG!n`J`B2Ww|QiS6U=1^3d+6`ls$U%hB`nu)=J>_#16B}
ze8$E#X9o{B!0vbq#WUwmv5Xz6{(!^~+}sBW{xctdNHL4^vDk!0E}(g|W_q;jR|ZK<
z8w>H-8G{%R#%f!E7cO_^B?yFRKLOH)RT9GJsb+kAKq~}WIF)NRLwKZ^Q;>!2MNa|}
z-mh?=B;*&D{Nd-mQRcfVnHkChI=DRHU4ga%xJ%+QkBd|-d9uRI76@BT(bjsjwS+r)
zvx=lGNLv1?SzZ;P)Gnn>04fO7Culg*?LmbEF0fATG8S@)oJ>NT3pYAXa*vX!eUTDF
ziBrp(QyDqr0ZMTr?4uG_Nqs6f%S0g?h`1vO5fo=5S&u#wI2d4+3hWiolEU!=3_oFo
zfie<EEFWI+<HRR}kMBRY{{xT?Ubu+n1E+3-XyZ@DlC1|CziB+t8LH;pSr1_{$txb2
z{LD6Cutu@sVLZ$sgxfHzi88%ifnz%FWxPwItQ=UFSeRQ?XX#H8uXPtSY1Da8V^-Nz
zx}G&3QUOW&pFuYAPt>?+4W#`;1dd#X@g9Yj<53S<6OB!TM8w8})7k-$&q5(smc%;r
z(BlXkTp`C47+%4JA{2X}MIaPbVF!35P#p;u7+fR*46{T+LR8+<Ms(<(ewo92Plp}^
z0K5%%0PpyoHDM$82Vjt^Jp>j25oduCfDzDv6R-hU{TVVo9fz?^N3ShMt!t0NsH)pB
zRK8-S{Dn*y3b|k^*?_B70<2gHt==l7c&cT>r`C#{S}J2;s#d{M)ncW(#Y$C*lByLQ
z&?+{dR7*gpdT~(1;<m}fXp@S^XBCFbD&Le<rzooSQB^d8r#S^ok_xS36-~w}kc?Ej
z7^zYrQY=EF$c06)iin^U556ixd{lb)^l<R>M(FfF==3z`^eW)=5a9RqvF-)2?S-(G
zhS;p(u~_qBum*q}On@$#08}ynd0+spzyVco0%G6;<-i5&016cV5UKzhQ~)fX03|>L
z8ej+HzzgVr6_5ZUpa4HW0Ca!=r1%*}Oo;2no&Zz8DfR)L!@r<<lmB!F&$32&71xdc
zAQ}KMGyqI!0F2N8;eY{y00CwIf0+QV$OUD<C@ujha0p9)KwJUh;0%`lShxaZKm`>5
z2viSZpmvo5XqXyAz{Ms7`7kX>fnr1gi4X~7KpznRT0{Xc5Cfz@43PjBMBoH@z_{~(
z(Wd}IPJ9hH+%)Fc)0!hrV+(A;76rhtI|YHbEDeERV~Ya>SQg^IvlazFkSK(KG9&{q
zkPIR~EeQaaBmwA<20}m<i2yt#0ML*D!NB+q2RLvyLxH9o41nNb1p??O7J)#e3I!NY
z1wlX)g#bnj0Jty$0KoMI0Cb7`0i50h9gE~g7Om;jPg0kO>BO?)N$(z1@p)5?%}rM|
zGF()~Z&Kx@OIDRI$d0T8;JX@vj3^2%pd_+@l9~a4lntZ;AvUIjqIZbuNTR6@hNJoV
zk4F;ut)LN4ARuyn2M6F~eg-e#UH%2P;8uPGFW^vq1vj8mdIayFOZo(tphk8C7hpT~
z1Fv8?b_LNR3QD9J+!v=p%}#<WkmT3SAH~zHvL~<r009F5U;qFWp(o;x5Q1O?TufB{
c@Yw=E7;q9obAc&xg(1}n;wTCO(gbOOU|30r`2YX_

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.svg b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.svg
new file mode 100644
index 0000000000..94fb5490a2
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.svg
@@ -0,0 +1,288 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
+<svg xmlns="http://www.w3.org/2000/svg">
+<metadata></metadata>
+<defs>
+<font id="glyphicons_halflingsregular" horiz-adv-x="1200" >
+<font-face units-per-em="1200" ascent="960" descent="-240" />
+<missing-glyph horiz-adv-x="500" />
+<glyph horiz-adv-x="0" />
+<glyph horiz-adv-x="400" />
+<glyph unicode=" " />
+<glyph unicode="*" d="M600 1100q15 0 34 -1.5t30 -3.5l11 -1q10 -2 17.5 -10.5t7.5 -18.5v-224l158 158q7 7 18 8t19 -6l106 -106q7 -8 6 -19t-8 -18l-158 -158h224q10 0 18.5 -7.5t10.5 -17.5q6 -41 6 -75q0 -15 -1.5 -34t-3.5 -30l-1 -11q-2 -10 -10.5 -17.5t-18.5 -7.5h-224l158 -158 q7 -7 8 -18t-6 -19l-106 -106q-8 -7 -19 -6t-18 8l-158 158v-224q0 -10 -7.5 -18.5t-17.5 -10.5q-41 -6 -75 -6q-15 0 -34 1.5t-30 3.5l-11 1q-10 2 -17.5 10.5t-7.5 18.5v224l-158 -158q-7 -7 -18 -8t-19 6l-106 106q-7 8 -6 19t8 18l158 158h-224q-10 0 -18.5 7.5 t-10.5 17.5q-6 41 -6 75q0 15 1.5 34t3.5 30l1 11q2 10 10.5 17.5t18.5 7.5h224l-158 158q-7 7 -8 18t6 19l106 106q8 7 19 6t18 -8l158 -158v224q0 10 7.5 18.5t17.5 10.5q41 6 75 6z" />
+<glyph unicode="+" d="M450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-350h350q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-350v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v350h-350q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5 h350v350q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xa0;" />
+<glyph unicode="&#xa5;" d="M825 1100h250q10 0 12.5 -5t-5.5 -13l-364 -364q-6 -6 -11 -18h268q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-100h275q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-174q0 -11 -7.5 -18.5t-18.5 -7.5h-148q-11 0 -18.5 7.5t-7.5 18.5v174 h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h125v100h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h118q-5 12 -11 18l-364 364q-8 8 -5.5 13t12.5 5h250q25 0 43 -18l164 -164q8 -8 18 -8t18 8l164 164q18 18 43 18z" />
+<glyph unicode="&#x2000;" horiz-adv-x="650" />
+<glyph unicode="&#x2001;" horiz-adv-x="1300" />
+<glyph unicode="&#x2002;" horiz-adv-x="650" />
+<glyph unicode="&#x2003;" horiz-adv-x="1300" />
+<glyph unicode="&#x2004;" horiz-adv-x="433" />
+<glyph unicode="&#x2005;" horiz-adv-x="325" />
+<glyph unicode="&#x2006;" horiz-adv-x="216" />
+<glyph unicode="&#x2007;" horiz-adv-x="216" />
+<glyph unicode="&#x2008;" horiz-adv-x="162" />
+<glyph unicode="&#x2009;" horiz-adv-x="260" />
+<glyph unicode="&#x200a;" horiz-adv-x="72" />
+<glyph unicode="&#x202f;" horiz-adv-x="260" />
+<glyph unicode="&#x205f;" horiz-adv-x="325" />
+<glyph unicode="&#x20ac;" d="M744 1198q242 0 354 -189q60 -104 66 -209h-181q0 45 -17.5 82.5t-43.5 61.5t-58 40.5t-60.5 24t-51.5 7.5q-19 0 -40.5 -5.5t-49.5 -20.5t-53 -38t-49 -62.5t-39 -89.5h379l-100 -100h-300q-6 -50 -6 -100h406l-100 -100h-300q9 -74 33 -132t52.5 -91t61.5 -54.5t59 -29 t47 -7.5q22 0 50.5 7.5t60.5 24.5t58 41t43.5 61t17.5 80h174q-30 -171 -128 -278q-107 -117 -274 -117q-206 0 -324 158q-36 48 -69 133t-45 204h-217l100 100h112q1 47 6 100h-218l100 100h134q20 87 51 153.5t62 103.5q117 141 297 141z" />
+<glyph unicode="&#x20bd;" d="M428 1200h350q67 0 120 -13t86 -31t57 -49.5t35 -56.5t17 -64.5t6.5 -60.5t0.5 -57v-16.5v-16.5q0 -36 -0.5 -57t-6.5 -61t-17 -65t-35 -57t-57 -50.5t-86 -31.5t-120 -13h-178l-2 -100h288q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-138v-175q0 -11 -5.5 -18 t-15.5 -7h-149q-10 0 -17.5 7.5t-7.5 17.5v175h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v100h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v475q0 10 7.5 17.5t17.5 7.5zM600 1000v-300h203q64 0 86.5 33t22.5 119q0 84 -22.5 116t-86.5 32h-203z" />
+<glyph unicode="&#x2212;" d="M250 700h800q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#x231b;" d="M1000 1200v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-50v-100q0 -91 -49.5 -165.5t-130.5 -109.5q81 -35 130.5 -109.5t49.5 -165.5v-150h50q21 0 35.5 -14.5t14.5 -35.5v-150h-800v150q0 21 14.5 35.5t35.5 14.5h50v150q0 91 49.5 165.5t130.5 109.5q-81 35 -130.5 109.5 t-49.5 165.5v100h-50q-21 0 -35.5 14.5t-14.5 35.5v150h800zM400 1000v-100q0 -60 32.5 -109.5t87.5 -73.5q28 -12 44 -37t16 -55t-16 -55t-44 -37q-55 -24 -87.5 -73.5t-32.5 -109.5v-150h400v150q0 60 -32.5 109.5t-87.5 73.5q-28 12 -44 37t-16 55t16 55t44 37 q55 24 87.5 73.5t32.5 109.5v100h-400z" />
+<glyph unicode="&#x25fc;" horiz-adv-x="500" d="M0 0z" />
+<glyph unicode="&#x2601;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -206.5q0 -121 -85 -207.5t-205 -86.5h-750q-79 0 -135.5 57t-56.5 137q0 69 42.5 122.5t108.5 67.5q-2 12 -2 37q0 153 108 260.5t260 107.5z" />
+<glyph unicode="&#x26fa;" d="M774 1193.5q16 -9.5 20.5 -27t-5.5 -33.5l-136 -187l467 -746h30q20 0 35 -18.5t15 -39.5v-42h-1200v42q0 21 15 39.5t35 18.5h30l468 746l-135 183q-10 16 -5.5 34t20.5 28t34 5.5t28 -20.5l111 -148l112 150q9 16 27 20.5t34 -5zM600 200h377l-182 112l-195 534v-646z " />
+<glyph unicode="&#x2709;" d="M25 1100h1150q10 0 12.5 -5t-5.5 -13l-564 -567q-8 -8 -18 -8t-18 8l-564 567q-8 8 -5.5 13t12.5 5zM18 882l264 -264q8 -8 8 -18t-8 -18l-264 -264q-8 -8 -13 -5.5t-5 12.5v550q0 10 5 12.5t13 -5.5zM918 618l264 264q8 8 13 5.5t5 -12.5v-550q0 -10 -5 -12.5t-13 5.5 l-264 264q-8 8 -8 18t8 18zM818 482l364 -364q8 -8 5.5 -13t-12.5 -5h-1150q-10 0 -12.5 5t5.5 13l364 364q8 8 18 8t18 -8l164 -164q8 -8 18 -8t18 8l164 164q8 8 18 8t18 -8z" />
+<glyph unicode="&#x270f;" d="M1011 1210q19 0 33 -13l153 -153q13 -14 13 -33t-13 -33l-99 -92l-214 214l95 96q13 14 32 14zM1013 800l-615 -614l-214 214l614 614zM317 96l-333 -112l110 335z" />
+<glyph unicode="&#xe001;" d="M700 650v-550h250q21 0 35.5 -14.5t14.5 -35.5v-50h-800v50q0 21 14.5 35.5t35.5 14.5h250v550l-500 550h1200z" />
+<glyph unicode="&#xe002;" d="M368 1017l645 163q39 15 63 0t24 -49v-831q0 -55 -41.5 -95.5t-111.5 -63.5q-79 -25 -147 -4.5t-86 75t25.5 111.5t122.5 82q72 24 138 8v521l-600 -155v-606q0 -42 -44 -90t-109 -69q-79 -26 -147 -5.5t-86 75.5t25.5 111.5t122.5 82.5q72 24 138 7v639q0 38 14.5 59 t53.5 34z" />
+<glyph unicode="&#xe003;" d="M500 1191q100 0 191 -39t156.5 -104.5t104.5 -156.5t39 -191l-1 -2l1 -5q0 -141 -78 -262l275 -274q23 -26 22.5 -44.5t-22.5 -42.5l-59 -58q-26 -20 -46.5 -20t-39.5 20l-275 274q-119 -77 -261 -77l-5 1l-2 -1q-100 0 -191 39t-156.5 104.5t-104.5 156.5t-39 191 t39 191t104.5 156.5t156.5 104.5t191 39zM500 1022q-88 0 -162 -43t-117 -117t-43 -162t43 -162t117 -117t162 -43t162 43t117 117t43 162t-43 162t-117 117t-162 43z" />
+<glyph unicode="&#xe005;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104z" />
+<glyph unicode="&#xe006;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429z" />
+<glyph unicode="&#xe007;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429zM477 700h-240l197 -142l-74 -226 l193 139l195 -140l-74 229l192 140h-234l-78 211z" />
+<glyph unicode="&#xe008;" d="M600 1200q124 0 212 -88t88 -212v-250q0 -46 -31 -98t-69 -52v-75q0 -10 6 -21.5t15 -17.5l358 -230q9 -5 15 -16.5t6 -21.5v-93q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v93q0 10 6 21.5t15 16.5l358 230q9 6 15 17.5t6 21.5v75q-38 0 -69 52 t-31 98v250q0 124 88 212t212 88z" />
+<glyph unicode="&#xe009;" d="M25 1100h1150q10 0 17.5 -7.5t7.5 -17.5v-1050q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v1050q0 10 7.5 17.5t17.5 7.5zM100 1000v-100h100v100h-100zM875 1000h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5t17.5 -7.5h550 q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM1000 1000v-100h100v100h-100zM100 800v-100h100v100h-100zM1000 800v-100h100v100h-100zM100 600v-100h100v100h-100zM1000 600v-100h100v100h-100zM875 500h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5 t17.5 -7.5h550q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM100 400v-100h100v100h-100zM1000 400v-100h100v100h-100zM100 200v-100h100v100h-100zM1000 200v-100h100v100h-100z" />
+<glyph unicode="&#xe010;" d="M50 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM50 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe011;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM850 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 700h200q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h200 q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5 t35.5 14.5z" />
+<glyph unicode="&#xe012;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h700q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe013;" d="M465 477l571 571q8 8 18 8t17 -8l177 -177q8 -7 8 -17t-8 -18l-783 -784q-7 -8 -17.5 -8t-17.5 8l-384 384q-8 8 -8 18t8 17l177 177q7 8 17 8t18 -8l171 -171q7 -7 18 -7t18 7z" />
+<glyph unicode="&#xe014;" d="M904 1083l178 -179q8 -8 8 -18.5t-8 -17.5l-267 -268l267 -268q8 -7 8 -17.5t-8 -18.5l-178 -178q-8 -8 -18.5 -8t-17.5 8l-268 267l-268 -267q-7 -8 -17.5 -8t-18.5 8l-178 178q-8 8 -8 18.5t8 17.5l267 268l-267 268q-8 7 -8 17.5t8 18.5l178 178q8 8 18.5 8t17.5 -8 l268 -267l268 268q7 7 17.5 7t18.5 -7z" />
+<glyph unicode="&#xe015;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM425 900h150q10 0 17.5 -7.5t7.5 -17.5v-75h75q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5 t-17.5 -7.5h-75v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-75q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v75q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe016;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM325 800h350q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-350q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe017;" d="M550 1200h100q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM800 975v166q167 -62 272 -209.5t105 -331.5q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5 t-184.5 123t-123 184.5t-45.5 224q0 184 105 331.5t272 209.5v-166q-103 -55 -165 -155t-62 -220q0 -116 57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5q0 120 -62 220t-165 155z" />
+<glyph unicode="&#xe018;" d="M1025 1200h150q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM725 800h150q10 0 17.5 -7.5t7.5 -17.5v-750q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v750 q0 10 7.5 17.5t17.5 7.5zM425 500h150q10 0 17.5 -7.5t7.5 -17.5v-450q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v450q0 10 7.5 17.5t17.5 7.5zM125 300h150q10 0 17.5 -7.5t7.5 -17.5v-250q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5 v250q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe019;" d="M600 1174q33 0 74 -5l38 -152l5 -1q49 -14 94 -39l5 -2l134 80q61 -48 104 -105l-80 -134l3 -5q25 -44 39 -93l1 -6l152 -38q5 -43 5 -73q0 -34 -5 -74l-152 -38l-1 -6q-15 -49 -39 -93l-3 -5l80 -134q-48 -61 -104 -105l-134 81l-5 -3q-44 -25 -94 -39l-5 -2l-38 -151 q-43 -5 -74 -5q-33 0 -74 5l-38 151l-5 2q-49 14 -94 39l-5 3l-134 -81q-60 48 -104 105l80 134l-3 5q-25 45 -38 93l-2 6l-151 38q-6 42 -6 74q0 33 6 73l151 38l2 6q13 48 38 93l3 5l-80 134q47 61 105 105l133 -80l5 2q45 25 94 39l5 1l38 152q43 5 74 5zM600 815 q-89 0 -152 -63t-63 -151.5t63 -151.5t152 -63t152 63t63 151.5t-63 151.5t-152 63z" />
+<glyph unicode="&#xe020;" d="M500 1300h300q41 0 70.5 -29.5t29.5 -70.5v-100h275q10 0 17.5 -7.5t7.5 -17.5v-75h-1100v75q0 10 7.5 17.5t17.5 7.5h275v100q0 41 29.5 70.5t70.5 29.5zM500 1200v-100h300v100h-300zM1100 900v-800q0 -41 -29.5 -70.5t-70.5 -29.5h-700q-41 0 -70.5 29.5t-29.5 70.5 v800h900zM300 800v-700h100v700h-100zM500 800v-700h100v700h-100zM700 800v-700h100v700h-100zM900 800v-700h100v700h-100z" />
+<glyph unicode="&#xe021;" d="M18 618l620 608q8 7 18.5 7t17.5 -7l608 -608q8 -8 5.5 -13t-12.5 -5h-175v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v375h-300v-375q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v575h-175q-10 0 -12.5 5t5.5 13z" />
+<glyph unicode="&#xe022;" d="M600 1200v-400q0 -41 29.5 -70.5t70.5 -29.5h300v-650q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5h450zM1000 800h-250q-21 0 -35.5 14.5t-14.5 35.5v250z" />
+<glyph unicode="&#xe023;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h50q10 0 17.5 -7.5t7.5 -17.5v-275h175q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe024;" d="M1300 0h-538l-41 400h-242l-41 -400h-538l431 1200h209l-21 -300h162l-20 300h208zM515 800l-27 -300h224l-27 300h-170z" />
+<glyph unicode="&#xe025;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-450h191q20 0 25.5 -11.5t-7.5 -27.5l-327 -400q-13 -16 -32 -16t-32 16l-327 400q-13 16 -7.5 27.5t25.5 11.5h191v450q0 21 14.5 35.5t35.5 14.5zM1125 400h50q10 0 17.5 -7.5t7.5 -17.5v-350q0 -10 -7.5 -17.5t-17.5 -7.5 h-1050q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h50q10 0 17.5 -7.5t7.5 -17.5v-175h900v175q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe026;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -275q-13 -16 -32 -16t-32 16l-223 275q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z " />
+<glyph unicode="&#xe027;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM632 914l223 -275q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5l223 275q13 16 32 16 t32 -16z" />
+<glyph unicode="&#xe028;" d="M225 1200h750q10 0 19.5 -7t12.5 -17l186 -652q7 -24 7 -49v-425q0 -12 -4 -27t-9 -17q-12 -6 -37 -6h-1100q-12 0 -27 4t-17 8q-6 13 -6 38l1 425q0 25 7 49l185 652q3 10 12.5 17t19.5 7zM878 1000h-556q-10 0 -19 -7t-11 -18l-87 -450q-2 -11 4 -18t16 -7h150 q10 0 19.5 -7t11.5 -17l38 -152q2 -10 11.5 -17t19.5 -7h250q10 0 19.5 7t11.5 17l38 152q2 10 11.5 17t19.5 7h150q10 0 16 7t4 18l-87 450q-2 11 -11 18t-19 7z" />
+<glyph unicode="&#xe029;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM540 820l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
+<glyph unicode="&#xe030;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-362q0 -10 -7.5 -17.5t-17.5 -7.5h-362q-11 0 -13 5.5t5 12.5l133 133q-109 76 -238 76q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5h150q0 -117 -45.5 -224 t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117z" />
+<glyph unicode="&#xe031;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-361q0 -11 -7.5 -18.5t-18.5 -7.5h-361q-11 0 -13 5.5t5 12.5l134 134q-110 75 -239 75q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5h-150q0 117 45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117zM1027 600h150 q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5q-192 0 -348 118l-134 -134q-7 -8 -12.5 -5.5t-5.5 12.5v360q0 11 7.5 18.5t18.5 7.5h360q10 0 12.5 -5.5t-5.5 -12.5l-133 -133q110 -76 240 -76q116 0 214.5 57t155.5 155.5t57 214.5z" />
+<glyph unicode="&#xe032;" d="M125 1200h1050q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-1050q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM1075 1000h-850q-10 0 -17.5 -7.5t-7.5 -17.5v-850q0 -10 7.5 -17.5t17.5 -7.5h850q10 0 17.5 7.5t7.5 17.5v850 q0 10 -7.5 17.5t-17.5 7.5zM325 900h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 900h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 700h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 700h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 500h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 500h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 300h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 300h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe033;" d="M900 800v200q0 83 -58.5 141.5t-141.5 58.5h-300q-82 0 -141 -59t-59 -141v-200h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h900q41 0 70.5 29.5t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5h-100zM400 800v150q0 21 15 35.5t35 14.5h200 q20 0 35 -14.5t15 -35.5v-150h-300z" />
+<glyph unicode="&#xe034;" d="M125 1100h50q10 0 17.5 -7.5t7.5 -17.5v-1075h-100v1075q0 10 7.5 17.5t17.5 7.5zM1075 1052q4 0 9 -2q16 -6 16 -23v-421q0 -6 -3 -12q-33 -59 -66.5 -99t-65.5 -58t-56.5 -24.5t-52.5 -6.5q-26 0 -57.5 6.5t-52.5 13.5t-60 21q-41 15 -63 22.5t-57.5 15t-65.5 7.5 q-85 0 -160 -57q-7 -5 -15 -5q-6 0 -11 3q-14 7 -14 22v438q22 55 82 98.5t119 46.5q23 2 43 0.5t43 -7t32.5 -8.5t38 -13t32.5 -11q41 -14 63.5 -21t57 -14t63.5 -7q103 0 183 87q7 8 18 8z" />
+<glyph unicode="&#xe035;" d="M600 1175q116 0 227 -49.5t192.5 -131t131 -192.5t49.5 -227v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v300q0 127 -70.5 231.5t-184.5 161.5t-245 57t-245 -57t-184.5 -161.5t-70.5 -231.5v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50 q-10 0 -17.5 7.5t-7.5 17.5v300q0 116 49.5 227t131 192.5t192.5 131t227 49.5zM220 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460q0 8 6 14t14 6zM820 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460 q0 8 6 14t14 6z" />
+<glyph unicode="&#xe036;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM900 668l120 120q7 7 17 7t17 -7l34 -34q7 -7 7 -17t-7 -17l-120 -120l120 -120q7 -7 7 -17 t-7 -17l-34 -34q-7 -7 -17 -7t-17 7l-120 119l-120 -119q-7 -7 -17 -7t-17 7l-34 34q-7 7 -7 17t7 17l119 120l-119 120q-7 7 -7 17t7 17l34 34q7 8 17 8t17 -8z" />
+<glyph unicode="&#xe037;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6 l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238q-6 8 -4.5 18t9.5 17l29 22q7 5 15 5z" />
+<glyph unicode="&#xe038;" d="M967 1004h3q11 -1 17 -10q135 -179 135 -396q0 -105 -34 -206.5t-98 -185.5q-7 -9 -17 -10h-3q-9 0 -16 6l-42 34q-8 6 -9 16t5 18q111 150 111 328q0 90 -29.5 176t-84.5 157q-6 9 -5 19t10 16l42 33q7 5 15 5zM321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5 t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238 q-6 8 -4.5 18.5t9.5 16.5l29 22q7 5 15 5z" />
+<glyph unicode="&#xe039;" d="M500 900h100v-100h-100v-100h-400v-100h-100v600h500v-300zM1200 700h-200v-100h200v-200h-300v300h-200v300h-100v200h600v-500zM100 1100v-300h300v300h-300zM800 1100v-300h300v300h-300zM300 900h-100v100h100v-100zM1000 900h-100v100h100v-100zM300 500h200v-500 h-500v500h200v100h100v-100zM800 300h200v-100h-100v-100h-200v100h-100v100h100v200h-200v100h300v-300zM100 400v-300h300v300h-300zM300 200h-100v100h100v-100zM1200 200h-100v100h100v-100zM700 0h-100v100h100v-100zM1200 0h-300v100h300v-100z" />
+<glyph unicode="&#xe040;" d="M100 200h-100v1000h100v-1000zM300 200h-100v1000h100v-1000zM700 200h-200v1000h200v-1000zM900 200h-100v1000h100v-1000zM1200 200h-200v1000h200v-1000zM400 0h-300v100h300v-100zM600 0h-100v91h100v-91zM800 0h-100v91h100v-91zM1100 0h-200v91h200v-91z" />
+<glyph unicode="&#xe041;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
+<glyph unicode="&#xe042;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM800 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-56 56l424 426l-700 700h150zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5 t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
+<glyph unicode="&#xe043;" d="M300 1200h825q75 0 75 -75v-900q0 -25 -18 -43l-64 -64q-8 -8 -13 -5.5t-5 12.5v950q0 10 -7.5 17.5t-17.5 7.5h-700q-25 0 -43 -18l-64 -64q-8 -8 -5.5 -13t12.5 -5h700q10 0 17.5 -7.5t7.5 -17.5v-950q0 -10 -7.5 -17.5t-17.5 -7.5h-850q-10 0 -17.5 7.5t-7.5 17.5v975 q0 25 18 43l139 139q18 18 43 18z" />
+<glyph unicode="&#xe044;" d="M250 1200h800q21 0 35.5 -14.5t14.5 -35.5v-1150l-450 444l-450 -445v1151q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe045;" d="M822 1200h-444q-11 0 -19 -7.5t-9 -17.5l-78 -301q-7 -24 7 -45l57 -108q6 -9 17.5 -15t21.5 -6h450q10 0 21.5 6t17.5 15l62 108q14 21 7 45l-83 301q-1 10 -9 17.5t-19 7.5zM1175 800h-150q-10 0 -21 -6.5t-15 -15.5l-78 -156q-4 -9 -15 -15.5t-21 -6.5h-550 q-10 0 -21 6.5t-15 15.5l-78 156q-4 9 -15 15.5t-21 6.5h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-650q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h750q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5 t7.5 17.5v650q0 10 -7.5 17.5t-17.5 7.5zM850 200h-500q-10 0 -19.5 -7t-11.5 -17l-38 -152q-2 -10 3.5 -17t15.5 -7h600q10 0 15.5 7t3.5 17l-38 152q-2 10 -11.5 17t-19.5 7z" />
+<glyph unicode="&#xe046;" d="M500 1100h200q56 0 102.5 -20.5t72.5 -50t44 -59t25 -50.5l6 -20h150q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5h150q2 8 6.5 21.5t24 48t45 61t72 48t102.5 21.5zM900 800v-100 h100v100h-100zM600 730q-95 0 -162.5 -67.5t-67.5 -162.5t67.5 -162.5t162.5 -67.5t162.5 67.5t67.5 162.5t-67.5 162.5t-162.5 67.5zM600 603q43 0 73 -30t30 -73t-30 -73t-73 -30t-73 30t-30 73t30 73t73 30z" />
+<glyph unicode="&#xe047;" d="M681 1199l385 -998q20 -50 60 -92q18 -19 36.5 -29.5t27.5 -11.5l10 -2v-66h-417v66q53 0 75 43.5t5 88.5l-82 222h-391q-58 -145 -92 -234q-11 -34 -6.5 -57t25.5 -37t46 -20t55 -6v-66h-365v66q56 24 84 52q12 12 25 30.5t20 31.5l7 13l399 1006h93zM416 521h340 l-162 457z" />
+<glyph unicode="&#xe048;" d="M753 641q5 -1 14.5 -4.5t36 -15.5t50.5 -26.5t53.5 -40t50.5 -54.5t35.5 -70t14.5 -87q0 -67 -27.5 -125.5t-71.5 -97.5t-98.5 -66.5t-108.5 -40.5t-102 -13h-500v89q41 7 70.5 32.5t29.5 65.5v827q0 24 -0.5 34t-3.5 24t-8.5 19.5t-17 13.5t-28 12.5t-42.5 11.5v71 l471 -1q57 0 115.5 -20.5t108 -57t80.5 -94t31 -124.5q0 -51 -15.5 -96.5t-38 -74.5t-45 -50.5t-38.5 -30.5zM400 700h139q78 0 130.5 48.5t52.5 122.5q0 41 -8.5 70.5t-29.5 55.5t-62.5 39.5t-103.5 13.5h-118v-350zM400 200h216q80 0 121 50.5t41 130.5q0 90 -62.5 154.5 t-156.5 64.5h-159v-400z" />
+<glyph unicode="&#xe049;" d="M877 1200l2 -57q-83 -19 -116 -45.5t-40 -66.5l-132 -839q-9 -49 13 -69t96 -26v-97h-500v97q186 16 200 98l173 832q3 17 3 30t-1.5 22.5t-9 17.5t-13.5 12.5t-21.5 10t-26 8.5t-33.5 10q-13 3 -19 5v57h425z" />
+<glyph unicode="&#xe050;" d="M1300 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM175 1000h-75v-800h75l-125 -167l-125 167h75v800h-75l125 167z" />
+<glyph unicode="&#xe051;" d="M1100 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-650q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v650h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM1167 50l-167 -125v75h-800v-75l-167 125l167 125v-75h800v75z" />
+<glyph unicode="&#xe052;" d="M50 1100h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe053;" d="M250 1100h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM250 500h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe054;" d="M500 950v100q0 21 14.5 35.5t35.5 14.5h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5zM100 650v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000 q-21 0 -35.5 14.5t-14.5 35.5zM300 350v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5zM0 50v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5z" />
+<glyph unicode="&#xe055;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe056;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 1100h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 800h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 500h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 500h800q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 200h800 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe057;" d="M400 0h-100v1100h100v-1100zM550 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM267 550l-167 -125v75h-200v100h200v75zM550 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe058;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM900 0h-100v1100h100v-1100zM50 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM1100 600h200v-100h-200v-75l-167 125l167 125v-75zM50 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe059;" d="M75 1000h750q31 0 53 -22t22 -53v-650q0 -31 -22 -53t-53 -22h-750q-31 0 -53 22t-22 53v650q0 31 22 53t53 22zM1200 300l-300 300l300 300v-600z" />
+<glyph unicode="&#xe060;" d="M44 1100h1112q18 0 31 -13t13 -31v-1012q0 -18 -13 -31t-31 -13h-1112q-18 0 -31 13t-13 31v1012q0 18 13 31t31 13zM100 1000v-737l247 182l298 -131l-74 156l293 318l236 -288v500h-1000zM342 884q56 0 95 -39t39 -94.5t-39 -95t-95 -39.5t-95 39.5t-39 95t39 94.5 t95 39z" />
+<glyph unicode="&#xe062;" d="M648 1169q117 0 216 -60t156.5 -161t57.5 -218q0 -115 -70 -258q-69 -109 -158 -225.5t-143 -179.5l-54 -62q-9 8 -25.5 24.5t-63.5 67.5t-91 103t-98.5 128t-95.5 148q-60 132 -60 249q0 88 34 169.5t91.5 142t137 96.5t166.5 36zM652.5 974q-91.5 0 -156.5 -65 t-65 -157t65 -156.5t156.5 -64.5t156.5 64.5t65 156.5t-65 157t-156.5 65z" />
+<glyph unicode="&#xe063;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 173v854q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57z" />
+<glyph unicode="&#xe064;" d="M554 1295q21 -72 57.5 -143.5t76 -130t83 -118t82.5 -117t70 -116t49.5 -126t18.5 -136.5q0 -71 -25.5 -135t-68.5 -111t-99 -82t-118.5 -54t-125.5 -23q-84 5 -161.5 34t-139.5 78.5t-99 125t-37 164.5q0 69 18 136.5t49.5 126.5t69.5 116.5t81.5 117.5t83.5 119 t76.5 131t58.5 143zM344 710q-23 -33 -43.5 -70.5t-40.5 -102.5t-17 -123q1 -37 14.5 -69.5t30 -52t41 -37t38.5 -24.5t33 -15q21 -7 32 -1t13 22l6 34q2 10 -2.5 22t-13.5 19q-5 4 -14 12t-29.5 40.5t-32.5 73.5q-26 89 6 271q2 11 -6 11q-8 1 -15 -10z" />
+<glyph unicode="&#xe065;" d="M1000 1013l108 115q2 1 5 2t13 2t20.5 -1t25 -9.5t28.5 -21.5q22 -22 27 -43t0 -32l-6 -10l-108 -115zM350 1100h400q50 0 105 -13l-187 -187h-368q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v182l200 200v-332 q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM1009 803l-362 -362l-161 -50l55 170l355 355z" />
+<glyph unicode="&#xe066;" d="M350 1100h361q-164 -146 -216 -200h-195q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5l200 153v-103q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M824 1073l339 -301q8 -7 8 -17.5t-8 -17.5l-340 -306q-7 -6 -12.5 -4t-6.5 11v203q-26 1 -54.5 0t-78.5 -7.5t-92 -17.5t-86 -35t-70 -57q10 59 33 108t51.5 81.5t65 58.5t68.5 40.5t67 24.5t56 13.5t40 4.5v210q1 10 6.5 12.5t13.5 -4.5z" />
+<glyph unicode="&#xe067;" d="M350 1100h350q60 0 127 -23l-178 -177h-349q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v69l200 200v-219q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M643 639l395 395q7 7 17.5 7t17.5 -7l101 -101q7 -7 7 -17.5t-7 -17.5l-531 -532q-7 -7 -17.5 -7t-17.5 7l-248 248q-7 7 -7 17.5t7 17.5l101 101q7 7 17.5 7t17.5 -7l111 -111q8 -7 18 -7t18 7z" />
+<glyph unicode="&#xe068;" d="M318 918l264 264q8 8 18 8t18 -8l260 -264q7 -8 4.5 -13t-12.5 -5h-170v-200h200v173q0 10 5 12t13 -5l264 -260q8 -7 8 -17.5t-8 -17.5l-264 -265q-8 -7 -13 -5t-5 12v173h-200v-200h170q10 0 12.5 -5t-4.5 -13l-260 -264q-8 -8 -18 -8t-18 8l-264 264q-8 8 -5.5 13 t12.5 5h175v200h-200v-173q0 -10 -5 -12t-13 5l-264 265q-8 7 -8 17.5t8 17.5l264 260q8 7 13 5t5 -12v-173h200v200h-175q-10 0 -12.5 5t5.5 13z" />
+<glyph unicode="&#xe069;" d="M250 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe070;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5 t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe071;" d="M1200 1050v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-492 480q-15 14 -15 35t15 35l492 480q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25z" />
+<glyph unicode="&#xe072;" d="M243 1074l814 -498q18 -11 18 -26t-18 -26l-814 -498q-18 -11 -30.5 -4t-12.5 28v1000q0 21 12.5 28t30.5 -4z" />
+<glyph unicode="&#xe073;" d="M250 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM650 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800 q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe074;" d="M1100 950v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5z" />
+<glyph unicode="&#xe075;" d="M500 612v438q0 21 10.5 25t25.5 -10l492 -480q15 -14 15 -35t-15 -35l-492 -480q-15 -14 -25.5 -10t-10.5 25v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10z" />
+<glyph unicode="&#xe076;" d="M1048 1102l100 1q20 0 35 -14.5t15 -35.5l5 -1000q0 -21 -14.5 -35.5t-35.5 -14.5l-100 -1q-21 0 -35.5 14.5t-14.5 35.5l-2 437l-463 -454q-14 -15 -24.5 -10.5t-10.5 25.5l-2 437l-462 -455q-15 -14 -25.5 -9.5t-10.5 24.5l-5 1000q0 21 10.5 25.5t25.5 -10.5l466 -450 l-2 438q0 20 10.5 24.5t25.5 -9.5l466 -451l-2 438q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe077;" d="M850 1100h100q21 0 35.5 -14.5t14.5 -35.5v-1000q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10l464 -453v438q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe078;" d="M686 1081l501 -540q15 -15 10.5 -26t-26.5 -11h-1042q-22 0 -26.5 11t10.5 26l501 540q15 15 36 15t36 -15zM150 400h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe079;" d="M885 900l-352 -353l352 -353l-197 -198l-552 552l552 550z" />
+<glyph unicode="&#xe080;" d="M1064 547l-551 -551l-198 198l353 353l-353 353l198 198z" />
+<glyph unicode="&#xe081;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM650 900h-100q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-150 q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5h150v-150q0 -21 14.5 -35.5t35.5 -14.5h100q21 0 35.5 14.5t14.5 35.5v150h150q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-150v150q0 21 -14.5 35.5t-35.5 14.5z" />
+<glyph unicode="&#xe082;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM850 700h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5 t35.5 -14.5h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5z" />
+<glyph unicode="&#xe083;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM741.5 913q-12.5 0 -21.5 -9l-120 -120l-120 120q-9 9 -21.5 9 t-21.5 -9l-141 -141q-9 -9 -9 -21.5t9 -21.5l120 -120l-120 -120q-9 -9 -9 -21.5t9 -21.5l141 -141q9 -9 21.5 -9t21.5 9l120 120l120 -120q9 -9 21.5 -9t21.5 9l141 141q9 9 9 21.5t-9 21.5l-120 120l120 120q9 9 9 21.5t-9 21.5l-141 141q-9 9 -21.5 9z" />
+<glyph unicode="&#xe084;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM546 623l-84 85q-7 7 -17.5 7t-18.5 -7l-139 -139q-7 -8 -7 -18t7 -18 l242 -241q7 -8 17.5 -8t17.5 8l375 375q7 7 7 17.5t-7 18.5l-139 139q-7 7 -17.5 7t-17.5 -7z" />
+<glyph unicode="&#xe085;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM588 941q-29 0 -59 -5.5t-63 -20.5t-58 -38.5t-41.5 -63t-16.5 -89.5 q0 -25 20 -25h131q30 -5 35 11q6 20 20.5 28t45.5 8q20 0 31.5 -10.5t11.5 -28.5q0 -23 -7 -34t-26 -18q-1 0 -13.5 -4t-19.5 -7.5t-20 -10.5t-22 -17t-18.5 -24t-15.5 -35t-8 -46q-1 -8 5.5 -16.5t20.5 -8.5h173q7 0 22 8t35 28t37.5 48t29.5 74t12 100q0 47 -17 83 t-42.5 57t-59.5 34.5t-64 18t-59 4.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe086;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM675 1000h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5 t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5zM675 700h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h75v-200h-75q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h350q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5 t-17.5 7.5h-75v275q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe087;" d="M525 1200h150q10 0 17.5 -7.5t7.5 -17.5v-194q103 -27 178.5 -102.5t102.5 -178.5h194q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-194q-27 -103 -102.5 -178.5t-178.5 -102.5v-194q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v194 q-103 27 -178.5 102.5t-102.5 178.5h-194q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h194q27 103 102.5 178.5t178.5 102.5v194q0 10 7.5 17.5t17.5 7.5zM700 893v-168q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v168q-68 -23 -119 -74 t-74 -119h168q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-168q23 -68 74 -119t119 -74v168q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-168q68 23 119 74t74 119h-168q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h168 q-23 68 -74 119t-119 74z" />
+<glyph unicode="&#xe088;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM759 823l64 -64q7 -7 7 -17.5t-7 -17.5l-124 -124l124 -124q7 -7 7 -17.5t-7 -17.5l-64 -64q-7 -7 -17.5 -7t-17.5 7l-124 124l-124 -124q-7 -7 -17.5 -7t-17.5 7l-64 64 q-7 7 -7 17.5t7 17.5l124 124l-124 124q-7 7 -7 17.5t7 17.5l64 64q7 7 17.5 7t17.5 -7l124 -124l124 124q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe089;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM782 788l106 -106q7 -7 7 -17.5t-7 -17.5l-320 -321q-8 -7 -18 -7t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l197 197q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe090;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5q0 -120 65 -225 l587 587q-105 65 -225 65zM965 819l-584 -584q104 -62 219 -62q116 0 214.5 57t155.5 155.5t57 214.5q0 115 -62 219z" />
+<glyph unicode="&#xe091;" d="M39 582l522 427q16 13 27.5 8t11.5 -26v-291h550q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-550v-291q0 -21 -11.5 -26t-27.5 8l-522 427q-16 13 -16 32t16 32z" />
+<glyph unicode="&#xe092;" d="M639 1009l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291h-550q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h550v291q0 21 11.5 26t27.5 -8z" />
+<glyph unicode="&#xe093;" d="M682 1161l427 -522q13 -16 8 -27.5t-26 -11.5h-291v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v550h-291q-21 0 -26 11.5t8 27.5l427 522q13 16 32 16t32 -16z" />
+<glyph unicode="&#xe094;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-550h291q21 0 26 -11.5t-8 -27.5l-427 -522q-13 -16 -32 -16t-32 16l-427 522q-13 16 -8 27.5t26 11.5h291v550q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe095;" d="M639 1109l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291q-94 -2 -182 -20t-170.5 -52t-147 -92.5t-100.5 -135.5q5 105 27 193.5t67.5 167t113 135t167 91.5t225.5 42v262q0 21 11.5 26t27.5 -8z" />
+<glyph unicode="&#xe096;" d="M850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5zM350 0h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249 q8 7 18 7t18 -7l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5z" />
+<glyph unicode="&#xe097;" d="M1014 1120l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249q8 7 18 7t18 -7zM250 600h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5z" />
+<glyph unicode="&#xe101;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM704 900h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5 t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe102;" d="M260 1200q9 0 19 -2t15 -4l5 -2q22 -10 44 -23l196 -118q21 -13 36 -24q29 -21 37 -12q11 13 49 35l196 118q22 13 45 23q17 7 38 7q23 0 47 -16.5t37 -33.5l13 -16q14 -21 18 -45l25 -123l8 -44q1 -9 8.5 -14.5t17.5 -5.5h61q10 0 17.5 -7.5t7.5 -17.5v-50 q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 -7.5t-7.5 -17.5v-175h-400v300h-200v-300h-400v175q0 10 -7.5 17.5t-17.5 7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5h61q11 0 18 3t7 8q0 4 9 52l25 128q5 25 19 45q2 3 5 7t13.5 15t21.5 19.5t26.5 15.5 t29.5 7zM915 1079l-166 -162q-7 -7 -5 -12t12 -5h219q10 0 15 7t2 17l-51 149q-3 10 -11 12t-15 -6zM463 917l-177 157q-8 7 -16 5t-11 -12l-51 -143q-3 -10 2 -17t15 -7h231q11 0 12.5 5t-5.5 12zM500 0h-375q-10 0 -17.5 7.5t-7.5 17.5v375h400v-400zM1100 400v-375 q0 -10 -7.5 -17.5t-17.5 -7.5h-375v400h400z" />
+<glyph unicode="&#xe103;" d="M1165 1190q8 3 21 -6.5t13 -17.5q-2 -178 -24.5 -323.5t-55.5 -245.5t-87 -174.5t-102.5 -118.5t-118 -68.5t-118.5 -33t-120 -4.5t-105 9.5t-90 16.5q-61 12 -78 11q-4 1 -12.5 0t-34 -14.5t-52.5 -40.5l-153 -153q-26 -24 -37 -14.5t-11 43.5q0 64 42 102q8 8 50.5 45 t66.5 58q19 17 35 47t13 61q-9 55 -10 102.5t7 111t37 130t78 129.5q39 51 80 88t89.5 63.5t94.5 45t113.5 36t129 31t157.5 37t182 47.5zM1116 1098q-8 9 -22.5 -3t-45.5 -50q-38 -47 -119 -103.5t-142 -89.5l-62 -33q-56 -30 -102 -57t-104 -68t-102.5 -80.5t-85.5 -91 t-64 -104.5q-24 -56 -31 -86t2 -32t31.5 17.5t55.5 59.5q25 30 94 75.5t125.5 77.5t147.5 81q70 37 118.5 69t102 79.5t99 111t86.5 148.5q22 50 24 60t-6 19z" />
+<glyph unicode="&#xe104;" d="M653 1231q-39 -67 -54.5 -131t-10.5 -114.5t24.5 -96.5t47.5 -80t63.5 -62.5t68.5 -46.5t65 -30q-4 7 -17.5 35t-18.5 39.5t-17 39.5t-17 43t-13 42t-9.5 44.5t-2 42t4 43t13.5 39t23 38.5q96 -42 165 -107.5t105 -138t52 -156t13 -159t-19 -149.5q-13 -55 -44 -106.5 t-68 -87t-78.5 -64.5t-72.5 -45t-53 -22q-72 -22 -127 -11q-31 6 -13 19q6 3 17 7q13 5 32.5 21t41 44t38.5 63.5t21.5 81.5t-6.5 94.5t-50 107t-104 115.5q10 -104 -0.5 -189t-37 -140.5t-65 -93t-84 -52t-93.5 -11t-95 24.5q-80 36 -131.5 114t-53.5 171q-2 23 0 49.5 t4.5 52.5t13.5 56t27.5 60t46 64.5t69.5 68.5q-8 -53 -5 -102.5t17.5 -90t34 -68.5t44.5 -39t49 -2q31 13 38.5 36t-4.5 55t-29 64.5t-36 75t-26 75.5q-15 85 2 161.5t53.5 128.5t85.5 92.5t93.5 61t81.5 25.5z" />
+<glyph unicode="&#xe105;" d="M600 1094q82 0 160.5 -22.5t140 -59t116.5 -82.5t94.5 -95t68 -95t42.5 -82.5t14 -57.5t-14 -57.5t-43 -82.5t-68.5 -95t-94.5 -95t-116.5 -82.5t-140 -59t-159.5 -22.5t-159.5 22.5t-140 59t-116.5 82.5t-94.5 95t-68.5 95t-43 82.5t-14 57.5t14 57.5t42.5 82.5t68 95 t94.5 95t116.5 82.5t140 59t160.5 22.5zM888 829q-15 15 -18 12t5 -22q25 -57 25 -119q0 -124 -88 -212t-212 -88t-212 88t-88 212q0 59 23 114q8 19 4.5 22t-17.5 -12q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q22 -36 47 -71t70 -82t92.5 -81t113 -58.5t133.5 -24.5 t133.5 24t113 58.5t92.5 81.5t70 81.5t47 70.5q11 18 9 42.5t-14 41.5q-90 117 -163 189zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l35 34q14 15 12.5 33.5t-16.5 33.5q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
+<glyph unicode="&#xe106;" d="M592 0h-148l31 120q-91 20 -175.5 68.5t-143.5 106.5t-103.5 119t-66.5 110t-22 76q0 21 14 57.5t42.5 82.5t68 95t94.5 95t116.5 82.5t140 59t160.5 22.5q61 0 126 -15l32 121h148zM944 770l47 181q108 -85 176.5 -192t68.5 -159q0 -26 -19.5 -71t-59.5 -102t-93 -112 t-129 -104.5t-158 -75.5l46 173q77 49 136 117t97 131q11 18 9 42.5t-14 41.5q-54 70 -107 130zM310 824q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q18 -30 39 -60t57 -70.5t74 -73t90 -61t105 -41.5l41 154q-107 18 -178.5 101.5t-71.5 193.5q0 59 23 114q8 19 4.5 22 t-17.5 -12zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l12 11l22 86l-3 4q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
+<glyph unicode="&#xe107;" d="M-90 100l642 1066q20 31 48 28.5t48 -35.5l642 -1056q21 -32 7.5 -67.5t-50.5 -35.5h-1294q-37 0 -50.5 34t7.5 66zM155 200h345v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h345l-445 723zM496 700h208q20 0 32 -14.5t8 -34.5l-58 -252 q-4 -20 -21.5 -34.5t-37.5 -14.5h-54q-20 0 -37.5 14.5t-21.5 34.5l-58 252q-4 20 8 34.5t32 14.5z" />
+<glyph unicode="&#xe108;" d="M650 1200q62 0 106 -44t44 -106v-339l363 -325q15 -14 26 -38.5t11 -44.5v-41q0 -20 -12 -26.5t-29 5.5l-359 249v-263q100 -93 100 -113v-64q0 -21 -13 -29t-32 1l-205 128l-205 -128q-19 -9 -32 -1t-13 29v64q0 20 100 113v263l-359 -249q-17 -12 -29 -5.5t-12 26.5v41 q0 20 11 44.5t26 38.5l363 325v339q0 62 44 106t106 44z" />
+<glyph unicode="&#xe109;" d="M850 1200h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-150h-1100v150q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-50h500v50q0 21 14.5 35.5t35.5 14.5zM1100 800v-750q0 -21 -14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v750h1100zM100 600v-100h100v100h-100zM300 600v-100h100v100h-100zM500 600v-100h100v100h-100zM700 600v-100h100v100h-100zM900 600v-100h100v100h-100zM100 400v-100h100v100h-100zM300 400v-100h100v100h-100zM500 400 v-100h100v100h-100zM700 400v-100h100v100h-100zM900 400v-100h100v100h-100zM100 200v-100h100v100h-100zM300 200v-100h100v100h-100zM500 200v-100h100v100h-100zM700 200v-100h100v100h-100zM900 200v-100h100v100h-100z" />
+<glyph unicode="&#xe110;" d="M1135 1165l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-159l-600 -600h-291q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h209l600 600h241v150q0 21 10.5 25t24.5 -10zM522 819l-141 -141l-122 122h-209q-21 0 -35.5 14.5 t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h291zM1135 565l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-241l-181 181l141 141l122 -122h159v150q0 21 10.5 25t24.5 -10z" />
+<glyph unicode="&#xe111;" d="M100 1100h1000q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-596l-304 -300v300h-100q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5z" />
+<glyph unicode="&#xe112;" d="M150 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM850 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM1100 800v-300q0 -41 -3 -77.5t-15 -89.5t-32 -96t-58 -89t-89 -77t-129 -51t-174 -20t-174 20 t-129 51t-89 77t-58 89t-32 96t-15 89.5t-3 77.5v300h300v-250v-27v-42.5t1.5 -41t5 -38t10 -35t16.5 -30t25.5 -24.5t35 -19t46.5 -12t60 -4t60 4.5t46.5 12.5t35 19.5t25 25.5t17 30.5t10 35t5 38t2 40.5t-0.5 42v25v250h300z" />
+<glyph unicode="&#xe113;" d="M1100 411l-198 -199l-353 353l-353 -353l-197 199l551 551z" />
+<glyph unicode="&#xe114;" d="M1101 789l-550 -551l-551 551l198 199l353 -353l353 353z" />
+<glyph unicode="&#xe115;" d="M404 1000h746q21 0 35.5 -14.5t14.5 -35.5v-551h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v401h-381zM135 984l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-400h385l215 -200h-750q-21 0 -35.5 14.5 t-14.5 35.5v550h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe116;" d="M56 1200h94q17 0 31 -11t18 -27l38 -162h896q24 0 39 -18.5t10 -42.5l-100 -475q-5 -21 -27 -42.5t-55 -21.5h-633l48 -200h535q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-50q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-300v-50 q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-31q-18 0 -32.5 10t-20.5 19l-5 10l-201 961h-54q-20 0 -35 14.5t-15 35.5t15 35.5t35 14.5z" />
+<glyph unicode="&#xe117;" d="M1200 1000v-100h-1200v100h200q0 41 29.5 70.5t70.5 29.5h300q41 0 70.5 -29.5t29.5 -70.5h500zM0 800h1200v-800h-1200v800z" />
+<glyph unicode="&#xe118;" d="M200 800l-200 -400v600h200q0 41 29.5 70.5t70.5 29.5h300q42 0 71 -29.5t29 -70.5h500v-200h-1000zM1500 700l-300 -700h-1200l300 700h1200z" />
+<glyph unicode="&#xe119;" d="M635 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-601h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v601h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe120;" d="M936 864l249 -229q14 -15 14 -35.5t-14 -35.5l-249 -229q-15 -15 -25.5 -10.5t-10.5 24.5v151h-600v-151q0 -20 -10.5 -24.5t-25.5 10.5l-249 229q-14 15 -14 35.5t14 35.5l249 229q15 15 25.5 10.5t10.5 -25.5v-149h600v149q0 21 10.5 25.5t25.5 -10.5z" />
+<glyph unicode="&#xe121;" d="M1169 400l-172 732q-5 23 -23 45.5t-38 22.5h-672q-20 0 -38 -20t-23 -41l-172 -739h1138zM1100 300h-1000q-41 0 -70.5 -29.5t-29.5 -70.5v-100q0 -41 29.5 -70.5t70.5 -29.5h1000q41 0 70.5 29.5t29.5 70.5v100q0 41 -29.5 70.5t-70.5 29.5zM800 100v100h100v-100h-100 zM1000 100v100h100v-100h-100z" />
+<glyph unicode="&#xe122;" d="M1150 1100q21 0 35.5 -14.5t14.5 -35.5v-850q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v850q0 21 14.5 35.5t35.5 14.5zM1000 200l-675 200h-38l47 -276q3 -16 -5.5 -20t-29.5 -4h-7h-84q-20 0 -34.5 14t-18.5 35q-55 337 -55 351v250v6q0 16 1 23.5t6.5 14 t17.5 6.5h200l675 250v-850zM0 750v-250q-4 0 -11 0.5t-24 6t-30 15t-24 30t-11 48.5v50q0 26 10.5 46t25 30t29 16t25.5 7z" />
+<glyph unicode="&#xe123;" d="M553 1200h94q20 0 29 -10.5t3 -29.5l-18 -37q83 -19 144 -82.5t76 -140.5l63 -327l118 -173h17q19 0 33 -14.5t14 -35t-13 -40.5t-31 -27q-8 -4 -23 -9.5t-65 -19.5t-103 -25t-132.5 -20t-158.5 -9q-57 0 -115 5t-104 12t-88.5 15.5t-73.5 17.5t-54.5 16t-35.5 12l-11 4 q-18 8 -31 28t-13 40.5t14 35t33 14.5h17l118 173l63 327q15 77 76 140t144 83l-18 32q-6 19 3.5 32t28.5 13zM498 110q50 -6 102 -6q53 0 102 6q-12 -49 -39.5 -79.5t-62.5 -30.5t-63 30.5t-39 79.5z" />
+<glyph unicode="&#xe124;" d="M800 946l224 78l-78 -224l234 -45l-180 -155l180 -155l-234 -45l78 -224l-224 78l-45 -234l-155 180l-155 -180l-45 234l-224 -78l78 224l-234 45l180 155l-180 155l234 45l-78 224l224 -78l45 234l155 -180l155 180z" />
+<glyph unicode="&#xe125;" d="M650 1200h50q40 0 70 -40.5t30 -84.5v-150l-28 -125h328q40 0 70 -40.5t30 -84.5v-100q0 -45 -29 -74l-238 -344q-16 -24 -38 -40.5t-45 -16.5h-250q-7 0 -42 25t-66 50l-31 25h-61q-45 0 -72.5 18t-27.5 57v400q0 36 20 63l145 196l96 198q13 28 37.5 48t51.5 20z M650 1100l-100 -212l-150 -213v-375h100l136 -100h214l250 375v125h-450l50 225v175h-50zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe126;" d="M600 1100h250q23 0 45 -16.5t38 -40.5l238 -344q29 -29 29 -74v-100q0 -44 -30 -84.5t-70 -40.5h-328q28 -118 28 -125v-150q0 -44 -30 -84.5t-70 -40.5h-50q-27 0 -51.5 20t-37.5 48l-96 198l-145 196q-20 27 -20 63v400q0 39 27.5 57t72.5 18h61q124 100 139 100z M50 1000h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM636 1000l-136 -100h-100v-375l150 -213l100 -212h50v175l-50 225h450v125l-250 375h-214z" />
+<glyph unicode="&#xe127;" d="M356 873l363 230q31 16 53 -6l110 -112q13 -13 13.5 -32t-11.5 -34l-84 -121h302q84 0 138 -38t54 -110t-55 -111t-139 -39h-106l-131 -339q-6 -21 -19.5 -41t-28.5 -20h-342q-7 0 -90 81t-83 94v525q0 17 14 35.5t28 28.5zM400 792v-503l100 -89h293l131 339 q6 21 19.5 41t28.5 20h203q21 0 30.5 25t0.5 50t-31 25h-456h-7h-6h-5.5t-6 0.5t-5 1.5t-5 2t-4 2.5t-4 4t-2.5 4.5q-12 25 5 47l146 183l-86 83zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500 q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe128;" d="M475 1103l366 -230q2 -1 6 -3.5t14 -10.5t18 -16.5t14.5 -20t6.5 -22.5v-525q0 -13 -86 -94t-93 -81h-342q-15 0 -28.5 20t-19.5 41l-131 339h-106q-85 0 -139.5 39t-54.5 111t54 110t138 38h302l-85 121q-11 15 -10.5 34t13.5 32l110 112q22 22 53 6zM370 945l146 -183 q17 -22 5 -47q-2 -2 -3.5 -4.5t-4 -4t-4 -2.5t-5 -2t-5 -1.5t-6 -0.5h-6h-6.5h-6h-475v-100h221q15 0 29 -20t20 -41l130 -339h294l106 89v503l-342 236zM1050 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5 v500q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe129;" d="M550 1294q72 0 111 -55t39 -139v-106l339 -131q21 -6 41 -19.5t20 -28.5v-342q0 -7 -81 -90t-94 -83h-525q-17 0 -35.5 14t-28.5 28l-9 14l-230 363q-16 31 6 53l112 110q13 13 32 13.5t34 -11.5l121 -84v302q0 84 38 138t110 54zM600 972v203q0 21 -25 30.5t-50 0.5 t-25 -31v-456v-7v-6v-5.5t-0.5 -6t-1.5 -5t-2 -5t-2.5 -4t-4 -4t-4.5 -2.5q-25 -12 -47 5l-183 146l-83 -86l236 -339h503l89 100v293l-339 131q-21 6 -41 19.5t-20 28.5zM450 200h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe130;" d="M350 1100h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5zM600 306v-106q0 -84 -39 -139t-111 -55t-110 54t-38 138v302l-121 -84q-15 -12 -34 -11.5t-32 13.5l-112 110 q-22 22 -6 53l230 363q1 2 3.5 6t10.5 13.5t16.5 17t20 13.5t22.5 6h525q13 0 94 -83t81 -90v-342q0 -15 -20 -28.5t-41 -19.5zM308 900l-236 -339l83 -86l183 146q22 17 47 5q2 -1 4.5 -2.5t4 -4t2.5 -4t2 -5t1.5 -5t0.5 -6v-5.5v-6v-7v-456q0 -22 25 -31t50 0.5t25 30.5 v203q0 15 20 28.5t41 19.5l339 131v293l-89 100h-503z" />
+<glyph unicode="&#xe131;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM914 632l-275 223q-16 13 -27.5 8t-11.5 -26v-137h-275 q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h275v-137q0 -21 11.5 -26t27.5 8l275 223q16 13 16 32t-16 32z" />
+<glyph unicode="&#xe132;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM561 855l-275 -223q-16 -13 -16 -32t16 -32l275 -223q16 -13 27.5 -8 t11.5 26v137h275q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5h-275v137q0 21 -11.5 26t-27.5 -8z" />
+<glyph unicode="&#xe133;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM855 639l-223 275q-13 16 -32 16t-32 -16l-223 -275q-13 -16 -8 -27.5 t26 -11.5h137v-275q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v275h137q21 0 26 11.5t-8 27.5z" />
+<glyph unicode="&#xe134;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM675 900h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-275h-137q-21 0 -26 -11.5 t8 -27.5l223 -275q13 -16 32 -16t32 16l223 275q13 16 8 27.5t-26 11.5h-137v275q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe135;" d="M600 1176q116 0 222.5 -46t184 -123.5t123.5 -184t46 -222.5t-46 -222.5t-123.5 -184t-184 -123.5t-222.5 -46t-222.5 46t-184 123.5t-123.5 184t-46 222.5t46 222.5t123.5 184t184 123.5t222.5 46zM627 1101q-15 -12 -36.5 -20.5t-35.5 -12t-43 -8t-39 -6.5 q-15 -3 -45.5 0t-45.5 -2q-20 -7 -51.5 -26.5t-34.5 -34.5q-3 -11 6.5 -22.5t8.5 -18.5q-3 -34 -27.5 -91t-29.5 -79q-9 -34 5 -93t8 -87q0 -9 17 -44.5t16 -59.5q12 0 23 -5t23.5 -15t19.5 -14q16 -8 33 -15t40.5 -15t34.5 -12q21 -9 52.5 -32t60 -38t57.5 -11 q7 -15 -3 -34t-22.5 -40t-9.5 -38q13 -21 23 -34.5t27.5 -27.5t36.5 -18q0 -7 -3.5 -16t-3.5 -14t5 -17q104 -2 221 112q30 29 46.5 47t34.5 49t21 63q-13 8 -37 8.5t-36 7.5q-15 7 -49.5 15t-51.5 19q-18 0 -41 -0.5t-43 -1.5t-42 -6.5t-38 -16.5q-51 -35 -66 -12 q-4 1 -3.5 25.5t0.5 25.5q-6 13 -26.5 17.5t-24.5 6.5q1 15 -0.5 30.5t-7 28t-18.5 11.5t-31 -21q-23 -25 -42 4q-19 28 -8 58q6 16 22 22q6 -1 26 -1.5t33.5 -4t19.5 -13.5q7 -12 18 -24t21.5 -20.5t20 -15t15.5 -10.5l5 -3q2 12 7.5 30.5t8 34.5t-0.5 32q-3 18 3.5 29 t18 22.5t15.5 24.5q6 14 10.5 35t8 31t15.5 22.5t34 22.5q-6 18 10 36q8 0 24 -1.5t24.5 -1.5t20 4.5t20.5 15.5q-10 23 -31 42.5t-37.5 29.5t-49 27t-43.5 23q0 1 2 8t3 11.5t1.5 10.5t-1 9.5t-4.5 4.5q31 -13 58.5 -14.5t38.5 2.5l12 5q5 28 -9.5 46t-36.5 24t-50 15 t-41 20q-18 -4 -37 0zM613 994q0 -17 8 -42t17 -45t9 -23q-8 1 -39.5 5.5t-52.5 10t-37 16.5q3 11 16 29.5t16 25.5q10 -10 19 -10t14 6t13.5 14.5t16.5 12.5z" />
+<glyph unicode="&#xe136;" d="M756 1157q164 92 306 -9l-259 -138l145 -232l251 126q6 -89 -34 -156.5t-117 -110.5q-60 -34 -127 -39.5t-126 16.5l-596 -596q-15 -16 -36.5 -16t-36.5 16l-111 110q-15 15 -15 36.5t15 37.5l600 599q-34 101 5.5 201.5t135.5 154.5z" />
+<glyph unicode="&#xe137;" horiz-adv-x="1220" d="M100 1196h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 1096h-200v-100h200v100zM100 796h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 696h-500v-100h500v100zM100 396h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 296h-300v-100h300v100z " />
+<glyph unicode="&#xe138;" d="M150 1200h900q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM700 500v-300l-200 -200v500l-350 500h900z" />
+<glyph unicode="&#xe139;" d="M500 1200h200q41 0 70.5 -29.5t29.5 -70.5v-100h300q41 0 70.5 -29.5t29.5 -70.5v-400h-500v100h-200v-100h-500v400q0 41 29.5 70.5t70.5 29.5h300v100q0 41 29.5 70.5t70.5 29.5zM500 1100v-100h200v100h-200zM1200 400v-200q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v200h1200z" />
+<glyph unicode="&#xe140;" d="M50 1200h300q21 0 25 -10.5t-10 -24.5l-94 -94l199 -199q7 -8 7 -18t-7 -18l-106 -106q-8 -7 -18 -7t-18 7l-199 199l-94 -94q-14 -14 -24.5 -10t-10.5 25v300q0 21 14.5 35.5t35.5 14.5zM850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-199 -199q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l199 199l-94 94q-14 14 -10 24.5t25 10.5zM364 470l106 -106q7 -8 7 -18t-7 -18l-199 -199l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l199 199 q8 7 18 7t18 -7zM1071 271l94 94q14 14 24.5 10t10.5 -25v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -25 10.5t10 24.5l94 94l-199 199q-7 8 -7 18t7 18l106 106q8 7 18 7t18 -7z" />
+<glyph unicode="&#xe141;" d="M596 1192q121 0 231.5 -47.5t190 -127t127 -190t47.5 -231.5t-47.5 -231.5t-127 -190.5t-190 -127t-231.5 -47t-231.5 47t-190.5 127t-127 190.5t-47 231.5t47 231.5t127 190t190.5 127t231.5 47.5zM596 1010q-112 0 -207.5 -55.5t-151 -151t-55.5 -207.5t55.5 -207.5 t151 -151t207.5 -55.5t207.5 55.5t151 151t55.5 207.5t-55.5 207.5t-151 151t-207.5 55.5zM454.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38.5 -16.5t-38.5 16.5t-16 39t16 38.5t38.5 16zM754.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38 -16.5q-14 0 -29 10l-55 -145 q17 -23 17 -51q0 -36 -25.5 -61.5t-61.5 -25.5t-61.5 25.5t-25.5 61.5q0 32 20.5 56.5t51.5 29.5l122 126l1 1q-9 14 -9 28q0 23 16 39t38.5 16zM345.5 709q22.5 0 38.5 -16t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16zM854.5 709q22.5 0 38.5 -16 t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16z" />
+<glyph unicode="&#xe142;" d="M546 173l469 470q91 91 99 192q7 98 -52 175.5t-154 94.5q-22 4 -47 4q-34 0 -66.5 -10t-56.5 -23t-55.5 -38t-48 -41.5t-48.5 -47.5q-376 -375 -391 -390q-30 -27 -45 -41.5t-37.5 -41t-32 -46.5t-16 -47.5t-1.5 -56.5q9 -62 53.5 -95t99.5 -33q74 0 125 51l548 548 q36 36 20 75q-7 16 -21.5 26t-32.5 10q-26 0 -50 -23q-13 -12 -39 -38l-341 -338q-15 -15 -35.5 -15.5t-34.5 13.5t-14 34.5t14 34.5q327 333 361 367q35 35 67.5 51.5t78.5 16.5q14 0 29 -1q44 -8 74.5 -35.5t43.5 -68.5q14 -47 2 -96.5t-47 -84.5q-12 -11 -32 -32 t-79.5 -81t-114.5 -115t-124.5 -123.5t-123 -119.5t-96.5 -89t-57 -45q-56 -27 -120 -27q-70 0 -129 32t-93 89q-48 78 -35 173t81 163l511 511q71 72 111 96q91 55 198 55q80 0 152 -33q78 -36 129.5 -103t66.5 -154q17 -93 -11 -183.5t-94 -156.5l-482 -476 q-15 -15 -36 -16t-37 14t-17.5 34t14.5 35z" />
+<glyph unicode="&#xe143;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104zM896 972q-33 0 -64.5 -19t-56.5 -46t-47.5 -53.5t-43.5 -45.5t-37.5 -19t-36 19t-40 45.5t-43 53.5t-54 46t-65.5 19q-67 0 -122.5 -55.5t-55.5 -132.5q0 -23 13.5 -51t46 -65t57.5 -63t76 -75l22 -22q15 -14 44 -44t50.5 -51t46 -44t41 -35t23 -12 t23.5 12t42.5 36t46 44t52.5 52t44 43q4 4 12 13q43 41 63.5 62t52 55t46 55t26 46t11.5 44q0 79 -53 133.5t-120 54.5z" />
+<glyph unicode="&#xe144;" d="M776.5 1214q93.5 0 159.5 -66l141 -141q66 -66 66 -160q0 -42 -28 -95.5t-62 -87.5l-29 -29q-31 53 -77 99l-18 18l95 95l-247 248l-389 -389l212 -212l-105 -106l-19 18l-141 141q-66 66 -66 159t66 159l283 283q65 66 158.5 66zM600 706l105 105q10 -8 19 -17l141 -141 q66 -66 66 -159t-66 -159l-283 -283q-66 -66 -159 -66t-159 66l-141 141q-66 66 -66 159.5t66 159.5l55 55q29 -55 75 -102l18 -17l-95 -95l247 -248l389 389z" />
+<glyph unicode="&#xe145;" d="M603 1200q85 0 162 -15t127 -38t79 -48t29 -46v-953q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-41 0 -70.5 29.5t-29.5 70.5v953q0 21 30 46.5t81 48t129 37.5t163 15zM300 1000v-700h600v700h-600zM600 254q-43 0 -73.5 -30.5t-30.5 -73.5t30.5 -73.5t73.5 -30.5t73.5 30.5 t30.5 73.5t-30.5 73.5t-73.5 30.5z" />
+<glyph unicode="&#xe146;" d="M902 1185l283 -282q15 -15 15 -36t-14.5 -35.5t-35.5 -14.5t-35 15l-36 35l-279 -267v-300l-212 210l-308 -307l-280 -203l203 280l307 308l-210 212h300l267 279l-35 36q-15 14 -15 35t14.5 35.5t35.5 14.5t35 -15z" />
+<glyph unicode="&#xe148;" d="M700 1248v-78q38 -5 72.5 -14.5t75.5 -31.5t71 -53.5t52 -84t24 -118.5h-159q-4 36 -10.5 59t-21 45t-40 35.5t-64.5 20.5v-307l64 -13q34 -7 64 -16.5t70 -32t67.5 -52.5t47.5 -80t20 -112q0 -139 -89 -224t-244 -97v-77h-100v79q-150 16 -237 103q-40 40 -52.5 93.5 t-15.5 139.5h139q5 -77 48.5 -126t117.5 -65v335l-27 8q-46 14 -79 26.5t-72 36t-63 52t-40 72.5t-16 98q0 70 25 126t67.5 92t94.5 57t110 27v77h100zM600 754v274q-29 -4 -50 -11t-42 -21.5t-31.5 -41.5t-10.5 -65q0 -29 7 -50.5t16.5 -34t28.5 -22.5t31.5 -14t37.5 -10 q9 -3 13 -4zM700 547v-310q22 2 42.5 6.5t45 15.5t41.5 27t29 42t12 59.5t-12.5 59.5t-38 44.5t-53 31t-66.5 24.5z" />
+<glyph unicode="&#xe149;" d="M561 1197q84 0 160.5 -40t123.5 -109.5t47 -147.5h-153q0 40 -19.5 71.5t-49.5 48.5t-59.5 26t-55.5 9q-37 0 -79 -14.5t-62 -35.5q-41 -44 -41 -101q0 -26 13.5 -63t26.5 -61t37 -66q6 -9 9 -14h241v-100h-197q8 -50 -2.5 -115t-31.5 -95q-45 -62 -99 -112 q34 10 83 17.5t71 7.5q32 1 102 -16t104 -17q83 0 136 30l50 -147q-31 -19 -58 -30.5t-55 -15.5t-42 -4.5t-46 -0.5q-23 0 -76 17t-111 32.5t-96 11.5q-39 -3 -82 -16t-67 -25l-23 -11l-55 145q4 3 16 11t15.5 10.5t13 9t15.5 12t14.5 14t17.5 18.5q48 55 54 126.5 t-30 142.5h-221v100h166q-23 47 -44 104q-7 20 -12 41.5t-6 55.5t6 66.5t29.5 70.5t58.5 71q97 88 263 88z" />
+<glyph unicode="&#xe150;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM935 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-900h-200v900h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe151;" d="M1000 700h-100v100h-100v-100h-100v500h300v-500zM400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM801 1100v-200h100v200h-100zM1000 350l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150z " />
+<glyph unicode="&#xe152;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 1050l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150zM1000 0h-100v100h-100v-100h-100v500h300v-500zM801 400v-200h100v200h-100z " />
+<glyph unicode="&#xe153;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 700h-100v400h-100v100h200v-500zM1100 0h-100v100h-200v400h300v-500zM901 400v-200h100v200h-100z" />
+<glyph unicode="&#xe154;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1100 700h-100v100h-200v400h300v-500zM901 1100v-200h100v200h-100zM1000 0h-100v400h-100v100h200v-500z" />
+<glyph unicode="&#xe155;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM900 1000h-200v200h200v-200zM1000 700h-300v200h300v-200zM1100 400h-400v200h400v-200zM1200 100h-500v200h500v-200z" />
+<glyph unicode="&#xe156;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1200 1000h-500v200h500v-200zM1100 700h-400v200h400v-200zM1000 400h-300v200h300v-200zM900 100h-200v200h200v-200z" />
+<glyph unicode="&#xe157;" d="M350 1100h400q162 0 256 -93.5t94 -256.5v-400q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5z" />
+<glyph unicode="&#xe158;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-163 0 -256.5 92.5t-93.5 257.5v400q0 163 94 256.5t256 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM440 770l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
+<glyph unicode="&#xe159;" d="M350 1100h400q163 0 256.5 -94t93.5 -256v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 163 92.5 256.5t257.5 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM350 700h400q21 0 26.5 -12t-6.5 -28l-190 -253q-12 -17 -30 -17t-30 17l-190 253q-12 16 -6.5 28t26.5 12z" />
+<glyph unicode="&#xe160;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -163 -92.5 -256.5t-257.5 -93.5h-400q-163 0 -256.5 94t-93.5 256v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM580 693l190 -253q12 -16 6.5 -28t-26.5 -12h-400q-21 0 -26.5 12t6.5 28l190 253q12 17 30 17t30 -17z" />
+<glyph unicode="&#xe161;" d="M550 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h450q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5h-450q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM338 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
+<glyph unicode="&#xe162;" d="M793 1182l9 -9q8 -10 5 -27q-3 -11 -79 -225.5t-78 -221.5l300 1q24 0 32.5 -17.5t-5.5 -35.5q-1 0 -133.5 -155t-267 -312.5t-138.5 -162.5q-12 -15 -26 -15h-9l-9 8q-9 11 -4 32q2 9 42 123.5t79 224.5l39 110h-302q-23 0 -31 19q-10 21 6 41q75 86 209.5 237.5 t228 257t98.5 111.5q9 16 25 16h9z" />
+<glyph unicode="&#xe163;" d="M350 1100h400q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-450q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h450q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400 q0 165 92.5 257.5t257.5 92.5zM938 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
+<glyph unicode="&#xe164;" d="M750 1200h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -10.5 -25t-24.5 10l-109 109l-312 -312q-15 -15 -35.5 -15t-35.5 15l-141 141q-15 15 -15 35.5t15 35.5l312 312l-109 109q-14 14 -10 24.5t25 10.5zM456 900h-156q-41 0 -70.5 -29.5t-29.5 -70.5v-500 q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v148l200 200v-298q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5h300z" />
+<glyph unicode="&#xe165;" d="M600 1186q119 0 227.5 -46.5t187 -125t125 -187t46.5 -227.5t-46.5 -227.5t-125 -187t-187 -125t-227.5 -46.5t-227.5 46.5t-187 125t-125 187t-46.5 227.5t46.5 227.5t125 187t187 125t227.5 46.5zM600 1022q-115 0 -212 -56.5t-153.5 -153.5t-56.5 -212t56.5 -212 t153.5 -153.5t212 -56.5t212 56.5t153.5 153.5t56.5 212t-56.5 212t-153.5 153.5t-212 56.5zM600 794q80 0 137 -57t57 -137t-57 -137t-137 -57t-137 57t-57 137t57 137t137 57z" />
+<glyph unicode="&#xe166;" d="M450 1200h200q21 0 35.5 -14.5t14.5 -35.5v-350h245q20 0 25 -11t-9 -26l-383 -426q-14 -15 -33.5 -15t-32.5 15l-379 426q-13 15 -8.5 26t25.5 11h250v350q0 21 14.5 35.5t35.5 14.5zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe167;" d="M583 1182l378 -435q14 -15 9 -31t-26 -16h-244v-250q0 -20 -17 -35t-39 -15h-200q-20 0 -32 14.5t-12 35.5v250h-250q-20 0 -25.5 16.5t8.5 31.5l383 431q14 16 33.5 17t33.5 -14zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe168;" d="M396 723l369 369q7 7 17.5 7t17.5 -7l139 -139q7 -8 7 -18.5t-7 -17.5l-525 -525q-7 -8 -17.5 -8t-17.5 8l-292 291q-7 8 -7 18t7 18l139 139q8 7 18.5 7t17.5 -7zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50 h-100z" />
+<glyph unicode="&#xe169;" d="M135 1023l142 142q14 14 35 14t35 -14l77 -77l-212 -212l-77 76q-14 15 -14 36t14 35zM655 855l210 210q14 14 24.5 10t10.5 -25l-2 -599q-1 -20 -15.5 -35t-35.5 -15l-597 -1q-21 0 -25 10.5t10 24.5l208 208l-154 155l212 212zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5 v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe170;" d="M350 1200l599 -2q20 -1 35 -15.5t15 -35.5l1 -597q0 -21 -10.5 -25t-24.5 10l-208 208l-155 -154l-212 212l155 154l-210 210q-14 14 -10 24.5t25 10.5zM524 512l-76 -77q-15 -14 -36 -14t-35 14l-142 142q-14 14 -14 35t14 35l77 77zM50 300h1000q21 0 35.5 -14.5 t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe171;" d="M1200 103l-483 276l-314 -399v423h-399l1196 796v-1096zM483 424v-230l683 953z" />
+<glyph unicode="&#xe172;" d="M1100 1000v-850q0 -21 -14.5 -35.5t-35.5 -14.5h-150v400h-700v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200z" />
+<glyph unicode="&#xe173;" d="M1100 1000l-2 -149l-299 -299l-95 95q-9 9 -21.5 9t-21.5 -9l-149 -147h-312v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1132 638l106 -106q7 -7 7 -17.5t-7 -17.5l-420 -421q-8 -7 -18 -7 t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l297 297q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe174;" d="M1100 1000v-269l-103 -103l-134 134q-15 15 -33.5 16.5t-34.5 -12.5l-266 -266h-329v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1202 572l70 -70q15 -15 15 -35.5t-15 -35.5l-131 -131 l131 -131q15 -15 15 -35.5t-15 -35.5l-70 -70q-15 -15 -35.5 -15t-35.5 15l-131 131l-131 -131q-15 -15 -35.5 -15t-35.5 15l-70 70q-15 15 -15 35.5t15 35.5l131 131l-131 131q-15 15 -15 35.5t15 35.5l70 70q15 15 35.5 15t35.5 -15l131 -131l131 131q15 15 35.5 15 t35.5 -15z" />
+<glyph unicode="&#xe175;" d="M1100 1000v-300h-350q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-500v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM850 600h100q21 0 35.5 -14.5t14.5 -35.5v-250h150q21 0 25 -10.5t-10 -24.5 l-230 -230q-14 -14 -35 -14t-35 14l-230 230q-14 14 -10 24.5t25 10.5h150v250q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe176;" d="M1100 1000v-400l-165 165q-14 15 -35 15t-35 -15l-263 -265h-402v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM935 565l230 -229q14 -15 10 -25.5t-25 -10.5h-150v-250q0 -20 -14.5 -35 t-35.5 -15h-100q-21 0 -35.5 15t-14.5 35v250h-150q-21 0 -25 10.5t10 25.5l230 229q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe177;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-150h-1200v150q0 21 14.5 35.5t35.5 14.5zM1200 800v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v550h1200zM100 500v-200h400v200h-400z" />
+<glyph unicode="&#xe178;" d="M935 1165l248 -230q14 -14 14 -35t-14 -35l-248 -230q-14 -14 -24.5 -10t-10.5 25v150h-400v200h400v150q0 21 10.5 25t24.5 -10zM200 800h-50q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v-200zM400 800h-100v200h100v-200zM18 435l247 230 q14 14 24.5 10t10.5 -25v-150h400v-200h-400v-150q0 -21 -10.5 -25t-24.5 10l-247 230q-15 14 -15 35t15 35zM900 300h-100v200h100v-200zM1000 500h51q20 0 34.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-34.5 -14.5h-51v200z" />
+<glyph unicode="&#xe179;" d="M862 1073l276 116q25 18 43.5 8t18.5 -41v-1106q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v397q-4 1 -11 5t-24 17.5t-30 29t-24 42t-11 56.5v359q0 31 18.5 65t43.5 52zM550 1200q22 0 34.5 -12.5t14.5 -24.5l1 -13v-450q0 -28 -10.5 -59.5 t-25 -56t-29 -45t-25.5 -31.5l-10 -11v-447q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v447q-4 4 -11 11.5t-24 30.5t-30 46t-24 55t-11 60v450q0 2 0.5 5.5t4 12t8.5 15t14.5 12t22.5 5.5q20 0 32.5 -12.5t14.5 -24.5l3 -13v-350h100v350v5.5t2.5 12 t7 15t15 12t25.5 5.5q23 0 35.5 -12.5t13.5 -24.5l1 -13v-350h100v350q0 2 0.5 5.5t3 12t7 15t15 12t24.5 5.5z" />
+<glyph unicode="&#xe180;" d="M1200 1100v-56q-4 0 -11 -0.5t-24 -3t-30 -7.5t-24 -15t-11 -24v-888q0 -22 25 -34.5t50 -13.5l25 -2v-56h-400v56q75 0 87.5 6.5t12.5 43.5v394h-500v-394q0 -37 12.5 -43.5t87.5 -6.5v-56h-400v56q4 0 11 0.5t24 3t30 7.5t24 15t11 24v888q0 22 -25 34.5t-50 13.5 l-25 2v56h400v-56q-75 0 -87.5 -6.5t-12.5 -43.5v-394h500v394q0 37 -12.5 43.5t-87.5 6.5v56h400z" />
+<glyph unicode="&#xe181;" d="M675 1000h375q21 0 35.5 -14.5t14.5 -35.5v-150h-105l-295 -98v98l-200 200h-400l100 100h375zM100 900h300q41 0 70.5 -29.5t29.5 -70.5v-500q0 -41 -29.5 -70.5t-70.5 -29.5h-300q-41 0 -70.5 29.5t-29.5 70.5v500q0 41 29.5 70.5t70.5 29.5zM100 800v-200h300v200 h-300zM1100 535l-400 -133v163l400 133v-163zM100 500v-200h300v200h-300zM1100 398v-248q0 -21 -14.5 -35.5t-35.5 -14.5h-375l-100 -100h-375l-100 100h400l200 200h105z" />
+<glyph unicode="&#xe182;" d="M17 1007l162 162q17 17 40 14t37 -22l139 -194q14 -20 11 -44.5t-20 -41.5l-119 -118q102 -142 228 -268t267 -227l119 118q17 17 42.5 19t44.5 -12l192 -136q19 -14 22.5 -37.5t-13.5 -40.5l-163 -162q-3 -1 -9.5 -1t-29.5 2t-47.5 6t-62.5 14.5t-77.5 26.5t-90 42.5 t-101.5 60t-111 83t-119 108.5q-74 74 -133.5 150.5t-94.5 138.5t-60 119.5t-34.5 100t-15 74.5t-4.5 48z" />
+<glyph unicode="&#xe183;" d="M600 1100q92 0 175 -10.5t141.5 -27t108.5 -36.5t81.5 -40t53.5 -37t31 -27l9 -10v-200q0 -21 -14.5 -33t-34.5 -9l-202 34q-20 3 -34.5 20t-14.5 38v146q-141 24 -300 24t-300 -24v-146q0 -21 -14.5 -38t-34.5 -20l-202 -34q-20 -3 -34.5 9t-14.5 33v200q3 4 9.5 10.5 t31 26t54 37.5t80.5 39.5t109 37.5t141 26.5t175 10.5zM600 795q56 0 97 -9.5t60 -23.5t30 -28t12 -24l1 -10v-50l365 -303q14 -15 24.5 -40t10.5 -45v-212q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v212q0 20 10.5 45t24.5 40l365 303v50 q0 4 1 10.5t12 23t30 29t60 22.5t97 10z" />
+<glyph unicode="&#xe184;" d="M1100 700l-200 -200h-600l-200 200v500h200v-200h200v200h200v-200h200v200h200v-500zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5 t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe185;" d="M700 1100h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-1000h300v1000q0 41 -29.5 70.5t-70.5 29.5zM1100 800h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-700h300v700q0 41 -29.5 70.5t-70.5 29.5zM400 0h-300v400q0 41 29.5 70.5t70.5 29.5h100q41 0 70.5 -29.5t29.5 -70.5v-400z " />
+<glyph unicode="&#xe186;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
+<glyph unicode="&#xe187;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 300h-100v200h-100v-200h-100v500h100v-200h100v200h100v-500zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
+<glyph unicode="&#xe188;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-300h200v-100h-300v500h300v-100zM900 700h-200v-300h200v-100h-300v500h300v-100z" />
+<glyph unicode="&#xe189;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 400l-300 150l300 150v-300zM900 550l-300 -150v300z" />
+<glyph unicode="&#xe190;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM900 300h-700v500h700v-500zM800 700h-130q-38 0 -66.5 -43t-28.5 -108t27 -107t68 -42h130v300zM300 700v-300 h130q41 0 68 42t27 107t-28.5 108t-66.5 43h-130z" />
+<glyph unicode="&#xe191;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 300h-100v400h-100v100h200v-500z M700 300h-100v100h100v-100z" />
+<glyph unicode="&#xe192;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM300 700h200v-400h-300v500h100v-100zM900 300h-100v400h-100v100h200v-500zM300 600v-200h100v200h-100z M700 300h-100v100h100v-100z" />
+<glyph unicode="&#xe193;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 500l-199 -200h-100v50l199 200v150h-200v100h300v-300zM900 300h-100v400h-100v100h200v-500zM701 300h-100 v100h100v-100z" />
+<glyph unicode="&#xe194;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700h-300v-200h300v-100h-300l-100 100v200l100 100h300v-100z" />
+<glyph unicode="&#xe195;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700v-100l-50 -50l100 -100v-50h-100l-100 100h-150v-100h-100v400h300zM500 700v-100h200v100h-200z" />
+<glyph unicode="&#xe197;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -207t-85 -207t-205 -86.5h-128v250q0 21 -14.5 35.5t-35.5 14.5h-300q-21 0 -35.5 -14.5t-14.5 -35.5v-250h-222q-80 0 -136 57.5t-56 136.5q0 69 43 122.5t108 67.5q-2 19 -2 37q0 100 49 185 t134 134t185 49zM525 500h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -244q-13 -16 -32 -16t-32 16l-223 244q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe198;" d="M502 1089q110 0 201 -59.5t135 -156.5q43 15 89 15q121 0 206 -86.5t86 -206.5q0 -99 -60 -181t-150 -110l-378 360q-13 16 -31.5 16t-31.5 -16l-381 -365h-9q-79 0 -135.5 57.5t-56.5 136.5q0 69 43 122.5t108 67.5q-2 19 -2 38q0 100 49 184.5t133.5 134t184.5 49.5z M632 467l223 -228q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5q199 204 223 228q19 19 31.5 19t32.5 -19z" />
+<glyph unicode="&#xe199;" d="M700 100v100h400l-270 300h170l-270 300h170l-300 333l-300 -333h170l-270 -300h170l-270 -300h400v-100h-50q-21 0 -35.5 -14.5t-14.5 -35.5v-50h400v50q0 21 -14.5 35.5t-35.5 14.5h-50z" />
+<glyph unicode="&#xe200;" d="M600 1179q94 0 167.5 -56.5t99.5 -145.5q89 -6 150.5 -71.5t61.5 -155.5q0 -61 -29.5 -112.5t-79.5 -82.5q9 -29 9 -55q0 -74 -52.5 -126.5t-126.5 -52.5q-55 0 -100 30v-251q21 0 35.5 -14.5t14.5 -35.5v-50h-300v50q0 21 14.5 35.5t35.5 14.5v251q-45 -30 -100 -30 q-74 0 -126.5 52.5t-52.5 126.5q0 18 4 38q-47 21 -75.5 65t-28.5 97q0 74 52.5 126.5t126.5 52.5q5 0 23 -2q0 2 -1 10t-1 13q0 116 81.5 197.5t197.5 81.5z" />
+<glyph unicode="&#xe201;" d="M1010 1010q111 -111 150.5 -260.5t0 -299t-150.5 -260.5q-83 -83 -191.5 -126.5t-218.5 -43.5t-218.5 43.5t-191.5 126.5q-111 111 -150.5 260.5t0 299t150.5 260.5q83 83 191.5 126.5t218.5 43.5t218.5 -43.5t191.5 -126.5zM476 1065q-4 0 -8 -1q-121 -34 -209.5 -122.5 t-122.5 -209.5q-4 -12 2.5 -23t18.5 -14l36 -9q3 -1 7 -1q23 0 29 22q27 96 98 166q70 71 166 98q11 3 17.5 13.5t3.5 22.5l-9 35q-3 13 -14 19q-7 4 -15 4zM512 920q-4 0 -9 -2q-80 -24 -138.5 -82.5t-82.5 -138.5q-4 -13 2 -24t19 -14l34 -9q4 -1 8 -1q22 0 28 21 q18 58 58.5 98.5t97.5 58.5q12 3 18 13.5t3 21.5l-9 35q-3 12 -14 19q-7 4 -15 4zM719.5 719.5q-49.5 49.5 -119.5 49.5t-119.5 -49.5t-49.5 -119.5t49.5 -119.5t119.5 -49.5t119.5 49.5t49.5 119.5t-49.5 119.5zM855 551q-22 0 -28 -21q-18 -58 -58.5 -98.5t-98.5 -57.5 q-11 -4 -17 -14.5t-3 -21.5l9 -35q3 -12 14 -19q7 -4 15 -4q4 0 9 2q80 24 138.5 82.5t82.5 138.5q4 13 -2.5 24t-18.5 14l-34 9q-4 1 -8 1zM1000 515q-23 0 -29 -22q-27 -96 -98 -166q-70 -71 -166 -98q-11 -3 -17.5 -13.5t-3.5 -22.5l9 -35q3 -13 14 -19q7 -4 15 -4 q4 0 8 1q121 34 209.5 122.5t122.5 209.5q4 12 -2.5 23t-18.5 14l-36 9q-3 1 -7 1z" />
+<glyph unicode="&#xe202;" d="M700 800h300v-380h-180v200h-340v-200h-380v755q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM700 300h162l-212 -212l-212 212h162v200h100v-200zM520 0h-395q-10 0 -17.5 7.5t-7.5 17.5v395zM1000 220v-195q0 -10 -7.5 -17.5t-17.5 -7.5h-195z" />
+<glyph unicode="&#xe203;" d="M700 800h300v-520l-350 350l-550 -550v1095q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM862 200h-162v-200h-100v200h-162l212 212zM480 0h-355q-10 0 -17.5 7.5t-7.5 17.5v55h380v-80zM1000 80v-55q0 -10 -7.5 -17.5t-17.5 -7.5h-155v80h180z" />
+<glyph unicode="&#xe204;" d="M1162 800h-162v-200h100l100 -100h-300v300h-162l212 212zM200 800h200q27 0 40 -2t29.5 -10.5t23.5 -30t7 -57.5h300v-100h-600l-200 -350v450h100q0 36 7 57.5t23.5 30t29.5 10.5t40 2zM800 400h240l-240 -400h-800l300 500h500v-100z" />
+<glyph unicode="&#xe205;" d="M650 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM1000 850v150q41 0 70.5 -29.5t29.5 -70.5v-800 q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-1 0 -20 4l246 246l-326 326v324q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM412 250l-212 -212v162h-200v100h200v162z" />
+<glyph unicode="&#xe206;" d="M450 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM800 850v150q41 0 70.5 -29.5t29.5 -70.5v-500 h-200v-300h200q0 -36 -7 -57.5t-23.5 -30t-29.5 -10.5t-40 -2h-600q-41 0 -70.5 29.5t-29.5 70.5v800q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM1212 250l-212 -212v162h-200v100h200v162z" />
+<glyph unicode="&#xe209;" d="M658 1197l637 -1104q23 -38 7 -65.5t-60 -27.5h-1276q-44 0 -60 27.5t7 65.5l637 1104q22 39 54 39t54 -39zM704 800h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM500 300v-100h200 v100h-200z" />
+<glyph unicode="&#xe210;" d="M425 1100h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM825 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM25 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5zM425 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5 v150q0 10 7.5 17.5t17.5 7.5zM25 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe211;" d="M700 1200h100v-200h-100v-100h350q62 0 86.5 -39.5t-3.5 -94.5l-66 -132q-41 -83 -81 -134h-772q-40 51 -81 134l-66 132q-28 55 -3.5 94.5t86.5 39.5h350v100h-100v200h100v100h200v-100zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100 h-950l138 100h-13q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe212;" d="M600 1300q40 0 68.5 -29.5t28.5 -70.5h-194q0 41 28.5 70.5t68.5 29.5zM443 1100h314q18 -37 18 -75q0 -8 -3 -25h328q41 0 44.5 -16.5t-30.5 -38.5l-175 -145h-678l-178 145q-34 22 -29 38.5t46 16.5h328q-3 17 -3 25q0 38 18 75zM250 700h700q21 0 35.5 -14.5 t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-150v-200l275 -200h-950l275 200v200h-150q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe213;" d="M600 1181q75 0 128 -53t53 -128t-53 -128t-128 -53t-128 53t-53 128t53 128t128 53zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13 l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe214;" d="M600 1300q47 0 92.5 -53.5t71 -123t25.5 -123.5q0 -78 -55.5 -133.5t-133.5 -55.5t-133.5 55.5t-55.5 133.5q0 62 34 143l144 -143l111 111l-163 163q34 26 63 26zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45 zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe215;" d="M600 1200l300 -161v-139h-300q0 -57 18.5 -108t50 -91.5t63 -72t70 -67.5t57.5 -61h-530q-60 83 -90.5 177.5t-30.5 178.5t33 164.5t87.5 139.5t126 96.5t145.5 41.5v-98zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100 h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe216;" d="M600 1300q41 0 70.5 -29.5t29.5 -70.5v-78q46 -26 73 -72t27 -100v-50h-400v50q0 54 27 100t73 72v78q0 41 29.5 70.5t70.5 29.5zM400 800h400q54 0 100 -27t72 -73h-172v-100h200v-100h-200v-100h200v-100h-200v-100h200q0 -83 -58.5 -141.5t-141.5 -58.5h-400 q-83 0 -141.5 58.5t-58.5 141.5v400q0 83 58.5 141.5t141.5 58.5z" />
+<glyph unicode="&#xe218;" d="M150 1100h900q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM125 400h950q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-283l224 -224q13 -13 13 -31.5t-13 -32 t-31.5 -13.5t-31.5 13l-88 88h-524l-87 -88q-13 -13 -32 -13t-32 13.5t-13 32t13 31.5l224 224h-289q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM541 300l-100 -100h324l-100 100h-124z" />
+<glyph unicode="&#xe219;" d="M200 1100h800q83 0 141.5 -58.5t58.5 -141.5v-200h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100v200q0 83 58.5 141.5t141.5 58.5zM100 600h1000q41 0 70.5 -29.5 t29.5 -70.5v-300h-1200v300q0 41 29.5 70.5t70.5 29.5zM300 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200zM1100 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200z" />
+<glyph unicode="&#xe221;" d="M480 1165l682 -683q31 -31 31 -75.5t-31 -75.5l-131 -131h-481l-517 518q-32 31 -32 75.5t32 75.5l295 296q31 31 75.5 31t76.5 -31zM108 794l342 -342l303 304l-341 341zM250 100h800q21 0 35.5 -14.5t14.5 -35.5v-50h-900v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe223;" d="M1057 647l-189 506q-8 19 -27.5 33t-40.5 14h-400q-21 0 -40.5 -14t-27.5 -33l-189 -506q-8 -19 1.5 -33t30.5 -14h625v-150q0 -21 14.5 -35.5t35.5 -14.5t35.5 14.5t14.5 35.5v150h125q21 0 30.5 14t1.5 33zM897 0h-595v50q0 21 14.5 35.5t35.5 14.5h50v50 q0 21 14.5 35.5t35.5 14.5h48v300h200v-300h47q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-50z" />
+<glyph unicode="&#xe224;" d="M900 800h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-375v591l-300 300v84q0 10 7.5 17.5t17.5 7.5h375v-400zM1200 900h-200v200zM400 600h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-650q-10 0 -17.5 7.5t-7.5 17.5v950q0 10 7.5 17.5t17.5 7.5h375v-400zM700 700h-200v200z " />
+<glyph unicode="&#xe225;" d="M484 1095h195q75 0 146 -32.5t124 -86t89.5 -122.5t48.5 -142q18 -14 35 -20q31 -10 64.5 6.5t43.5 48.5q10 34 -15 71q-19 27 -9 43q5 8 12.5 11t19 -1t23.5 -16q41 -44 39 -105q-3 -63 -46 -106.5t-104 -43.5h-62q-7 -55 -35 -117t-56 -100l-39 -234q-3 -20 -20 -34.5 t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l12 70q-49 -14 -91 -14h-195q-24 0 -65 8l-11 -64q-3 -20 -20 -34.5t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l26 157q-84 74 -128 175l-159 53q-19 7 -33 26t-14 40v50q0 21 14.5 35.5t35.5 14.5h124q11 87 56 166l-111 95 q-16 14 -12.5 23.5t24.5 9.5h203q116 101 250 101zM675 1000h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h250q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe226;" d="M641 900l423 247q19 8 42 2.5t37 -21.5l32 -38q14 -15 12.5 -36t-17.5 -34l-139 -120h-390zM50 1100h106q67 0 103 -17t66 -71l102 -212h823q21 0 35.5 -14.5t14.5 -35.5v-50q0 -21 -14 -40t-33 -26l-737 -132q-23 -4 -40 6t-26 25q-42 67 -100 67h-300q-62 0 -106 44 t-44 106v200q0 62 44 106t106 44zM173 928h-80q-19 0 -28 -14t-9 -35v-56q0 -51 42 -51h134q16 0 21.5 8t5.5 24q0 11 -16 45t-27 51q-18 28 -43 28zM550 727q-32 0 -54.5 -22.5t-22.5 -54.5t22.5 -54.5t54.5 -22.5t54.5 22.5t22.5 54.5t-22.5 54.5t-54.5 22.5zM130 389 l152 130q18 19 34 24t31 -3.5t24.5 -17.5t25.5 -28q28 -35 50.5 -51t48.5 -13l63 5l48 -179q13 -61 -3.5 -97.5t-67.5 -79.5l-80 -69q-47 -40 -109 -35.5t-103 51.5l-130 151q-40 47 -35.5 109.5t51.5 102.5zM380 377l-102 -88q-31 -27 2 -65l37 -43q13 -15 27.5 -19.5 t31.5 6.5l61 53q19 16 14 49q-2 20 -12 56t-17 45q-11 12 -19 14t-23 -8z" />
+<glyph unicode="&#xe227;" d="M625 1200h150q10 0 17.5 -7.5t7.5 -17.5v-109q79 -33 131 -87.5t53 -128.5q1 -46 -15 -84.5t-39 -61t-46 -38t-39 -21.5l-17 -6q6 0 15 -1.5t35 -9t50 -17.5t53 -30t50 -45t35.5 -64t14.5 -84q0 -59 -11.5 -105.5t-28.5 -76.5t-44 -51t-49.5 -31.5t-54.5 -16t-49.5 -6.5 t-43.5 -1v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-100v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-175q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v600h-75q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5h175v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h100v75q0 10 7.5 17.5t17.5 7.5zM400 900v-200h263q28 0 48.5 10.5t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-263zM400 500v-200h363q28 0 48.5 10.5 t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-363z" />
+<glyph unicode="&#xe230;" d="M212 1198h780q86 0 147 -61t61 -147v-416q0 -51 -18 -142.5t-36 -157.5l-18 -66q-29 -87 -93.5 -146.5t-146.5 -59.5h-572q-82 0 -147 59t-93 147q-8 28 -20 73t-32 143.5t-20 149.5v416q0 86 61 147t147 61zM600 1045q-70 0 -132.5 -11.5t-105.5 -30.5t-78.5 -41.5 t-57 -45t-36 -41t-20.5 -30.5l-6 -12l156 -243h560l156 243q-2 5 -6 12.5t-20 29.5t-36.5 42t-57 44.5t-79 42t-105 29.5t-132.5 12zM762 703h-157l195 261z" />
+<glyph unicode="&#xe231;" d="M475 1300h150q103 0 189 -86t86 -189v-500q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
+<glyph unicode="&#xe232;" d="M475 1300h96q0 -150 89.5 -239.5t239.5 -89.5v-446q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
+<glyph unicode="&#xe233;" d="M1294 767l-638 -283l-378 170l-78 -60v-224l100 -150v-199l-150 148l-150 -149v200l100 150v250q0 4 -0.5 10.5t0 9.5t1 8t3 8t6.5 6l47 40l-147 65l642 283zM1000 380l-350 -166l-350 166v147l350 -165l350 165v-147z" />
+<glyph unicode="&#xe234;" d="M250 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM650 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM1050 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
+<glyph unicode="&#xe235;" d="M550 1100q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 700q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 300q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
+<glyph unicode="&#xe236;" d="M125 1100h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM125 700h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM125 300h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe237;" d="M350 1200h500q162 0 256 -93.5t94 -256.5v-500q0 -165 -93.5 -257.5t-256.5 -92.5h-500q-165 0 -257.5 92.5t-92.5 257.5v500q0 165 92.5 257.5t257.5 92.5zM900 1000h-600q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h600q41 0 70.5 29.5 t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5zM350 900h500q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-500q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 14.5 35.5t35.5 14.5zM400 800v-200h400v200h-400z" />
+<glyph unicode="&#xe238;" d="M150 1100h1000q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe239;" d="M650 1187q87 -67 118.5 -156t0 -178t-118.5 -155q-87 66 -118.5 155t0 178t118.5 156zM300 800q124 0 212 -88t88 -212q-124 0 -212 88t-88 212zM1000 800q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM300 500q124 0 212 -88t88 -212q-124 0 -212 88t-88 212z M1000 500q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM700 199v-144q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v142q40 -4 43 -4q17 0 57 6z" />
+<glyph unicode="&#xe240;" d="M745 878l69 19q25 6 45 -12l298 -295q11 -11 15 -26.5t-2 -30.5q-5 -14 -18 -23.5t-28 -9.5h-8q1 0 1 -13q0 -29 -2 -56t-8.5 -62t-20 -63t-33 -53t-51 -39t-72.5 -14h-146q-184 0 -184 288q0 24 10 47q-20 4 -62 4t-63 -4q11 -24 11 -47q0 -288 -184 -288h-142 q-48 0 -84.5 21t-56 51t-32 71.5t-16 75t-3.5 68.5q0 13 2 13h-7q-15 0 -27.5 9.5t-18.5 23.5q-6 15 -2 30.5t15 25.5l298 296q20 18 46 11l76 -19q20 -5 30.5 -22.5t5.5 -37.5t-22.5 -31t-37.5 -5l-51 12l-182 -193h891l-182 193l-44 -12q-20 -5 -37.5 6t-22.5 31t6 37.5 t31 22.5z" />
+<glyph unicode="&#xe241;" d="M1200 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM500 450h-25q0 15 -4 24.5t-9 14.5t-17 7.5t-20 3t-25 0.5h-100v-425q0 -11 12.5 -17.5t25.5 -7.5h12v-50h-200v50q50 0 50 25v425h-100q-17 0 -25 -0.5t-20 -3t-17 -7.5t-9 -14.5t-4 -24.5h-25v150h500v-150z" />
+<glyph unicode="&#xe242;" d="M1000 300v50q-25 0 -55 32q-14 14 -25 31t-16 27l-4 11l-289 747h-69l-300 -754q-18 -35 -39 -56q-9 -9 -24.5 -18.5t-26.5 -14.5l-11 -5v-50h273v50q-49 0 -78.5 21.5t-11.5 67.5l69 176h293l61 -166q13 -34 -3.5 -66.5t-55.5 -32.5v-50h312zM412 691l134 342l121 -342 h-255zM1100 150v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5z" />
+<glyph unicode="&#xe243;" d="M50 1200h1100q21 0 35.5 -14.5t14.5 -35.5v-1100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5zM611 1118h-70q-13 0 -18 -12l-299 -753q-17 -32 -35 -51q-18 -18 -56 -34q-12 -5 -12 -18v-50q0 -8 5.5 -14t14.5 -6 h273q8 0 14 6t6 14v50q0 8 -6 14t-14 6q-55 0 -71 23q-10 14 0 39l63 163h266l57 -153q11 -31 -6 -55q-12 -17 -36 -17q-8 0 -14 -6t-6 -14v-50q0 -8 6 -14t14 -6h313q8 0 14 6t6 14v50q0 7 -5.5 13t-13.5 7q-17 0 -42 25q-25 27 -40 63h-1l-288 748q-5 12 -19 12zM639 611 h-197l103 264z" />
+<glyph unicode="&#xe244;" d="M1200 1100h-1200v100h1200v-100zM50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 1000h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM700 900v-300h300v300h-300z" />
+<glyph unicode="&#xe245;" d="M50 1200h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 700h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM700 600v-300h300v300h-300zM1200 0h-1200v100h1200v-100z" />
+<glyph unicode="&#xe246;" d="M50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-350h100v150q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-150h100v-100h-100v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v150h-100v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM700 700v-300h300v300h-300z" />
+<glyph unicode="&#xe247;" d="M100 0h-100v1200h100v-1200zM250 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM300 1000v-300h300v300h-300zM250 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe248;" d="M600 1100h150q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-100h450q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h350v100h-150q-21 0 -35.5 14.5 t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h150v100h100v-100zM400 1000v-300h300v300h-300z" />
+<glyph unicode="&#xe249;" d="M1200 0h-100v1200h100v-1200zM550 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM600 1000v-300h300v300h-300zM50 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe250;" d="M865 565l-494 -494q-23 -23 -41 -23q-14 0 -22 13.5t-8 38.5v1000q0 25 8 38.5t22 13.5q18 0 41 -23l494 -494q14 -14 14 -35t-14 -35z" />
+<glyph unicode="&#xe251;" d="M335 635l494 494q29 29 50 20.5t21 -49.5v-1000q0 -41 -21 -49.5t-50 20.5l-494 494q-14 14 -14 35t14 35z" />
+<glyph unicode="&#xe252;" d="M100 900h1000q41 0 49.5 -21t-20.5 -50l-494 -494q-14 -14 -35 -14t-35 14l-494 494q-29 29 -20.5 50t49.5 21z" />
+<glyph unicode="&#xe253;" d="M635 865l494 -494q29 -29 20.5 -50t-49.5 -21h-1000q-41 0 -49.5 21t20.5 50l494 494q14 14 35 14t35 -14z" />
+<glyph unicode="&#xe254;" d="M700 741v-182l-692 -323v221l413 193l-413 193v221zM1200 0h-800v200h800v-200z" />
+<glyph unicode="&#xe255;" d="M1200 900h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300zM0 700h50q0 21 4 37t9.5 26.5t18 17.5t22 11t28.5 5.5t31 2t37 0.5h100v-550q0 -22 -25 -34.5t-50 -13.5l-25 -2v-100h400v100q-4 0 -11 0.5t-24 3t-30 7t-24 15t-11 24.5v550h100q25 0 37 -0.5t31 -2 t28.5 -5.5t22 -11t18 -17.5t9.5 -26.5t4 -37h50v300h-800v-300z" />
+<glyph unicode="&#xe256;" d="M800 700h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-100v-550q0 -22 25 -34.5t50 -14.5l25 -1v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v550h-100q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h800v-300zM1100 200h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300z" />
+<glyph unicode="&#xe257;" d="M701 1098h160q16 0 21 -11t-7 -23l-464 -464l464 -464q12 -12 7 -23t-21 -11h-160q-13 0 -23 9l-471 471q-7 8 -7 18t7 18l471 471q10 9 23 9z" />
+<glyph unicode="&#xe258;" d="M339 1098h160q13 0 23 -9l471 -471q7 -8 7 -18t-7 -18l-471 -471q-10 -9 -23 -9h-160q-16 0 -21 11t7 23l464 464l-464 464q-12 12 -7 23t21 11z" />
+<glyph unicode="&#xe259;" d="M1087 882q11 -5 11 -21v-160q0 -13 -9 -23l-471 -471q-8 -7 -18 -7t-18 7l-471 471q-9 10 -9 23v160q0 16 11 21t23 -7l464 -464l464 464q12 12 23 7z" />
+<glyph unicode="&#xe260;" d="M618 993l471 -471q9 -10 9 -23v-160q0 -16 -11 -21t-23 7l-464 464l-464 -464q-12 -12 -23 -7t-11 21v160q0 13 9 23l471 471q8 7 18 7t18 -7z" />
+<glyph unicode="&#xf8ff;" d="M1000 1200q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM450 1000h100q21 0 40 -14t26 -33l79 -194q5 1 16 3q34 6 54 9.5t60 7t65.5 1t61 -10t56.5 -23t42.5 -42t29 -64t5 -92t-19.5 -121.5q-1 -7 -3 -19.5t-11 -50t-20.5 -73t-32.5 -81.5t-46.5 -83t-64 -70 t-82.5 -50q-13 -5 -42 -5t-65.5 2.5t-47.5 2.5q-14 0 -49.5 -3.5t-63 -3.5t-43.5 7q-57 25 -104.5 78.5t-75 111.5t-46.5 112t-26 90l-7 35q-15 63 -18 115t4.5 88.5t26 64t39.5 43.5t52 25.5t58.5 13t62.5 2t59.5 -4.5t55.5 -8l-147 192q-12 18 -5.5 30t27.5 12z" />
+<glyph unicode="&#x1f511;" d="M250 1200h600q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-500l-255 -178q-19 -9 -32 -1t-13 29v650h-150q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM400 1100v-100h300v100h-300z" />
+<glyph unicode="&#x1f6aa;" d="M250 1200h750q39 0 69.5 -40.5t30.5 -84.5v-933l-700 -117v950l600 125h-700v-1000h-100v1025q0 23 15.5 49t34.5 26zM500 525v-100l100 20v100z" />
+</font>
+</defs></svg> 
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.ttf b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..1413fc609ab6f21774de0cb7e01360095584f65b
GIT binary patch
literal 45404
zcmd?Sd0-pWwLh*qi$?oCk~i6sWlOeWJC3|4juU5JNSu9hSVACzERcmjLV&P^utNzg
zIE4Kr1=5g!SxTX#Ern9_%4<u(w1q<J@CsjEOL>&01rlrW`<y$HCCf?Z+y45=o|!u{
zcjlhEoqP5%FoVJ1G+bj44I8ITTQqxJ-LCg=WdK{*^eI!Pu_*@0U|>Z!56xXTGQR4C
z3vR~wXq>NDx$c~e?;ia3YjJ*$!C>69a?2$lLyhpI!C<oCzO?F`i#HxWjyD@jE}WZI
zU3l5~SDy9q1|;#myS}~pymONB?2*4U816rW`)#Xn!7@d1<NOHDt5&bOWb2!+g;p30
z4<NsI$%PwMp0nZD-M=sx9=^?B5SrGVvvng|Yryk+==sq4bJm^rO#Q?6;T&}k_iWs7
z@g?8i`(dlW@aQ!LgXLG3o_Fr~uM{nsXD~dq2>FfJsP=|`8@K0|bbMpWwVU<h#k=?&
z2hLD3ege)J^J9<Jz!_dI-O6?vWP>Eygg0=0x_)HeHpGSJagJNLA3c!$EuOV>j$wi!
zbo{vZ(s8tl>@!?}dmNHXo)ABy7ohD7_1G-P@SdJWT8*oeyB<gVy2N^Mz8Y_p4K;?4
zVT9pf!y_R}Xk_T@(1FkoDm{_X>VYVW9*vn}&VI4q++W;Z+uz=QTK}^C75!`aFYCX#
zf7fC2;o`%!huaTNJAB&VWrx=szU=VLhwnbT`vc<#<`4WI6n_x@AofA~2d90o?1L3w
z9!I|#P*NQ)$#9aASijuw>JRld^-t)Zhmy|i-`Iam|IWkgu<LN>aMR%lhi4p~cX-9&
zjfbx}yz}s`4-6>D^+6FzihR)Y!GsUy=_MWi_v7y#KmYi-{iZ+s@ekkq!<s)V`@Q^L
z`rY8W#qWgQ@xJ2-1w&;af5?RzOBGthmla=B{I%lG6(3e?tJqSpv0`mSvSMY$Srtnw
z=2y(Bm|8KV{P*SWmH)c@?ebrg|GfOw@*kDIQ2vZb)ms;}`oI6t>@Wxz!~BQwiI&ti
z>hC&iBe2m(dpNVvSbZe3DVgl(dxHt-k@{xv;&`^c8GJY%&^LpM;}7)B;5Qg5J^E${
z7z~k8eWOucjX6)7q1a%EVtmnND8cclz8R1=X4W@D8IDeUGXxEWe&p>Z*voO0u_2!!
zj3dT(Ki+4E;uykKi*yr?w6!BW2FD55PD6SMj`OfBLwXL5EA-9KjpMo4*5Eqs^>4&>
z8PezAcn!9jk-h-Oo!E9EjX8W6@EkTHeI<@AY{f|5fMW<-Ez-z)xCvW3()Z#x0oydB
zzm4MzY^NdpIF9qMp-jU;99LjlgY@@s+=z`}_%V*xV7nRV*Kwrx-i`FzI0BZ#yOI8#
z!SDeNA5b6u9!Imj89v0(g$;dT_y|Yz!3V`i{{_dez8U@##|X9<u78GO6Sj7w|BmAX
zYy>A};s^7vEd!3AcdyVlhVk$v?$O442KIM1-wX^R{U7`JW&lPr3N(%kXfXT_`7w^?
z=#ntx`tTF|N$UT?pELvw7T*2;=Q-x@KmDUIbLyXZ>f5=y7z1DT<7>Bp0k;eItHF?1
zErzhlD2B$Tm|^7DrxnTYm-tgg`Mt4Eivp5{r$o9e)8(fXBO4g|G^6Xy?y$SM*&V52
z6SR*%`%DZC^w(gOWQL?6DRoI*hBNT)xW9sxvmi@!vI^!mI$3kvAMmR_q#SGn3zRb_
zGe$=;Tv3dXN~9XuIHow*NEU4y&u}FcZEZoSlXb9IBOA}!@J3uov<cnLsMTt5KB)Lj
zYZXCxu;1bqjH18<x269<Tv%)JD-Sv?wUz&5KB?<}@bC!>p}yerhPMaiI8|SDhvWVr
z^BE&yx6e3&RYqIg;mYVZ*3#A-cDJ;#ms4txEmwm<RofF(aiZ;^6Sh1kbq&8p87Q}2
z)<!HT6VUck^|BOZR8X4U*lI4NmphK3T)k;q2UF1)TE2tD(Oq%0w%C5uBAc|kj54!X
zjK;0TBFmM`n@u^bcUhg<U$UozsV%ZmyUQe7juv~qZStAE?UA}H^b(uR^svd6<ohSA
zPN(&WybCrXyU=981ISP9mNdxHZPF8l4xGdT{y?OqQH)eNL?x_*jVgBKQggghY;ER4
z2ZJLPNi?@5u<K+P9v^?cajfyXk(LSV0q=;>@g^s`BB}KmSr7K+ruIoKs=s|gOXP|2
zb1!)87h9?(+1^QRWb(Vo8+@G=o24gyuzF3ytfsKjTHZJ}o{YznGcTDm!s)DRnmOX}
z3pPL4wExoN$kyc2>#J`k+<67sy-VsfbQ-1u+HkyFR?9G`9r6g4*8!(!c65Be-5hUg
zZHY$M0k(Yd+DT1*8)G(q)1<YNpB7js)5y12Eq7a-+TSy$n{z4WbFWWmXqX`NmQ;<8
z&#kMnTCG)e^Wqb#OY{bR(&}(pp3G}-_B)F+rS(l(vS<RecZ%(lx`adE6b#<MA*v6|
zqhg4L;6Ok2!XZ8=`3{3lFr+}jevG<T8z$m4n8_pfbf#&K;T~jROxF%RXK8L@N{?d!
z)#u0D$E0^47cxZAeVEjp$RK_kRO2h>&tDl=g9H7!bZTOvEEFnBOk_K=DXF(d4JOaH
zI}*A3jGmy{gR>s}EQzyJa_q_?TYPNXR<v?#Pfy-SGCMD6($H@d06+dYtCwDuCKCO`
zfTh}KuF@>U1O;fcV_&TQZhd{@*8Tgpraf~nT0BYktu*n{a~ub^UUqQPyr~yBY{k2O
zgV)honv{B_CqY|*S~3up%Wn%7i*_>Lu|%5~j)}rQLT1ZN?5%QN`LTJ}vA!EE=1`So
z!$$Mv?6T)xk)H8JTrZ~m)oNXxS}pwPd#);<*>zWsYoL6iK!gRSBB{JCgB28C#E{T?
z5VOCMW^;h~eMke(w6vLlKvm!!TyIf;k*RtK)|Q>_@nY#J%=h%aVb)?Ni_By)X<wQw
z7V$PDEtth$n$E;Ll`Y4%BO_9n-ugy!JpHdGlaMf3-bFSa<&`Z$)FNx2;bGa5ewQ9G
znS9p(JK$Y-8V}<ibr6q#cKkEx`_lIfW`o_}!WDwa=VY;jm&MFX_KN*c$8NiQ<*(1K
zOz-}+aK2WdJ+of=zJ0eN>NxY)E3`|}_u}fn+Kp^3p4RbhFUBRtGsDyx9Eolg77iWN
z2iH-}CiM!pfYDIn7;i#Ui1KG01{3D<{e}uWTdlX4Vr*nsb^>l0%{O?0L9tP|KGw8w
z+T5F}md>3qDZQ_IVkQ|BzuN08uN?SsVt$~wcHO4pB9~ykFTJO3g<4X({-Tm1w{Ufo
zI03<6KK`ZjqVyQ(>{_aMxu7Zm^ck&~)Q84MOsQ-XS~{6j>0lTl@lMtfWjj;PT{nlZ
zIn0YL?kK7CYJa)(8?unZ)j8L(O}%$5S#lTcq{rr5_gqqtZ@*0Yw4}OdjL*kBv+>+@
z&*24U=y{Nl<J@lPNofl42dq;77(U?JMya(0Crr4x>58qJyW1vTwqsvs=VRAzojm&V
zEn6=WzdL1y+^}%Vg!ap>x%%nFi=V#wn#<ZJY+2YKgUZIdddsj}x<a~(_z&i7iw6j~
zD6-dYj8)6VXu?|^ZEI$`u2WRyTK0%)bZh&!D^9oe9c{ncschFCaT|SNh@Ip0Y7e<>
zUuheBR@*<muvvX<=P{exAmqKj@)RY=k${p2#1fI%*ObNn_Svg5fBeeKm;N;8<i#ex
z@xiUPeR$hjC=hitVD9x2{{y_iS9U^gG9f@6f6&^Vs3zp5qf?=KTW@F7W@hJ`ZBCj<
zPCXs%#Cv+T9c^4a%MvhtBnK>KS)5Mn0`f=3fMwR|#-rPMQJg(fW*5e`7xO&^UUH<N
z8S{R+VU}U8VWDBEjsa+<a|A}qi`v{;%PNhy=5G#TrE#}Jn{iFX7S1~=;h}j7?-Paq
zPz1GeaZ=ceNsUv?a;Nj+<UmnU3}yC*^X?4%XYRVxg{MEFholmVGnq^}E!rMBWy|R_
zg)925;70bcj_+u_rTSN(=HrLgwiaEHUwf>{L(U8D$JtI!ac!g(Ze89<`UiO@L+)^D
zjPk2_Ie0p~4|LiI?-+pHXuRaZKG$%zVT0jn!yTvvM^jlcp`|VSHRt-G@_&~<4&qW@
z?b#zIN)G(}L|60jer*P7#KCu*Af;{mpWWvYK$@Squ|n-Vtfgr@<WJYami@2Z&u=;5
z5Vc}@3ijIdgOz2E{1ewt+&m|4loMa2;l_ZQ>ZOmR5Xpl;0q~VILmjk$$mgp+`<2jP
z@+nW5Oap%fF4nFwnVwR7rpFaOdmnfB$-rkO6T3#w^|*rft~acgCP|ZkgA6PHD#Of|
zY%E!3tXtsWS`udLsE7cSE8g@p$ceu*tI71V31uA7jwmXUCT7+Cu3uv|W>ZwD<C#<5
zr)TgUn*z=?aQx5GtI}?)S=9!TmC))*YbR(2eeE2+a>{&O4Nfjjvl43N#A$|FWxId!
z%=X!HSiQ-#4nS&smww~iXRn<-`&zc)nR~js?|Ei-cei$^$KsqtxNDZvl1oavXK#Pz
zT&%Wln^Y5M95w=vJxj0a-ko_iQt(LTX_5x#*QfQLtPil;kkR|kz}`*xHiLWr35ajx
zHRL-QQv$|PK-$ges|NHw8k6v?&d;{A$*q15hz9{}-`e6ys1EQ1oNNKDFGQ0xA!x^(
zkG*-ueZT(GukSnK&Bs=4+w|(kuWs5V_2#3`!;f}q?>xU5IgoMl^DNf+Xd<=sl2<ov
zdi9d6DbT*4=K1<NxE2(`@^$C>XvkqviJ>d?+G@Z5nxxd5Sqd$*ENUB_mb8Z+7CyyU
zA6mDQ&e+S~w49csl*UePzY;^K)Fbs^%?7;+hFc(xz#mWoek4_&QvmT7Fe)*{h-9R4
zqyXuN5{)HdQ6yVi#tRUO#M%;pL>rQxN~6yoZ)*{{!?jU)RD*oOxDoTjVh6iNmhWNC
zB5_{R=o{qvxEvi(k<Br-9y#p7E~9amU@sQujU02m+%O6`wmyB;RZm|f_25ZIu`sWx
z9Z!xjMn{xa)<lh?>hbRS`FOXmOO|&Dj$&~><!ER!M(aXh<Y=PO>*oo)bZz%lPhEA@
zQ;;w5eu5^%i;)w?T&*=UaK?*|U3~{0tC`rvfEsRPgR~16;~{_S2&=E{fE2=c>{+y}
zx1*NTv-*zO^px5TA|B```#NetKg`19O!BK*-#~wDM@KEllk^nfQ2quy25G%)l72<>
zzL$^{DDM#jKt?<>m;!?E2p0l12`j+QJjr{Lx*47Nq(v6i3M&*P{jkZB{xR?NOSPN%
zU>I+~d_ny=pX??qjF*E78>}Mgts@_yn`)C`wN-He_!OyE+gRI?-a>Om>Vh~3OX5+&
z6MX*d1`SkdXwvb7KH&=31RCC|&H!aA1g_=ZY0hP)-Wm6?A7SG0*|$mC7N^SSBh@MG
z9?V0tv_sE>X==yV{)^LsygK2=$Mo_0N!JCOU?r}rmWdHD%$h~~G3;bt`lH&<YttXG
zCx4~x@x7rvSlVC8c4`|@!#-B8ZKS<EH?nhD1$CFfEvQA7q3vKKC(B@*EPV@^RffeA
zqF7{q<g?nf7wl2mS$#hW3X3?XI^l_=xWmcuOlQEQZFITVPFH}vOiW=uH41qNTB4w>
zAuOOZ=G1Mih**0>lB5x+r)X^8mz!0K{SScj4|a=s^VhUEp#2M=^#WRqe?T&H9GnWa
zYOq{+gBn9Q0e0*Zu>C(BAX=I-Af9wIFhCW6_>TsIH$d>|{fIrs&BX?2G>GvFc=<8`
zVJ`#^knMU~65dWGgXcht`Kb>{V2oo%<{NK|iH+<q(5YAazG9MX#mAntl?z6uydZjo
zUFklHM_4M@0HYVoyB8BtKlWH`xbBg99hUSZMa9}uddMW%i`jRIi-g-Oj+Dcyby^(`
z%RQFN&dOf4Ittp8bTTLHYY;pny(Y2BDO&N?wA-C_6&0Pd?aun4t;+U8o0V7xD{xVE
zT_xFkLYF;IV~uA~NIx^oe`|Ag_zBH%@tGSHD~4^4RZ^~BcP(EUF`avIGk5b#Qq_%$
zWYy4>R^|Gx%q+env#Js*(EBT3V0=w4F@W+oLFsA)l7Qy8mx_;6Vrk;F2RjKFvmeq}
zro&>@b^(?f))OoQ#^#s)tRL>b0gzhRYRG}EU%wr9GjQ#~Rpo|RSkeik^p9x2<p!Ww
zwwmq`!~oDTY^~4nP7mqhE1&11QI*f_7OwLIc0Sdl0He@3A$?sO|G#_xO5%4jys!Au
zz!P*LF2Fu*;<$-+ZxX4HAsc@9KfXGYIspZeD-?_4;Ohrd$nih9sE;A+xh%Yxa|I;O
zMn43xybbA$h%OeU78ZAGUa0jg*n))`>+=rUr}vfnQoeFAlv=oX%YqbLpvyvcZ3l$B
z5bo;hDd(fjT;9o7g9xUg3|#?wU2#BJ0G&W1#wn?mfNR{O7bq74<ru+<wkuK7q*HuJ
zl3ikW@`O=kCFAR2we{1>7tc~mM%m%t+7YN}^tMa24O4@w<|$lk@pGx!;%pKiq&mZB
z?3h<&w>un8r?Xua6(@Txu~Za9tI@|C4#!dmHMzDF_-_~Jolztm=e)@vG11b<LZFLt
z=a@d3MJ-E4hYQZxA3y&6-j%$UZvUfp^pCgm<jTEuP^)mszD-y$n3Q&{-23}Wv_2Y8
ztp4g>ZQAs!tFvd9{C;oxC7VfWq377Y(LR^X_TyX9bn$)I765l=rJ%9uXcjggX*r?u
zk|0!db_*1$&i8>d&G3C}A`{Fun_1J;Vx0gk7P_}8KBZDowr*8$@X?W<UwWy2E;b%8
zDnv;u#sg4V5Tml=Bw6)GO(a6bm@pXL5;t*}iEhY9Zim8L-OM$RpsE=-)J6=6)|MD4
z8{19*DSK107+0Kbw2EdWh!twa9HVGLVmN$BX1?}c?!DT~m@%MuO{=cju@-!?UnaO{
z9Q;H&SNsH&+9*iqK+))0P{pW#u+IR2<&dC||BFzIuVKjDIAwxj0gQDf!MLF#VHC`D
zN_zXShCf+#K4Io(-dXedBI4SOK2y)rryrPZ_8G(S4~O-`iR!5u^?GLIlD&{}so=+h
zoX&5625-D!az-|Zx~ma2tVY~n7Eznkush<8w1#D9lj%>6v^LYmNWI)lN92yQ;tDpN
zOUdS-W4JZUjwF-X#w0r;97;i(l}ZZT$DRd4u#?pf^e2<Tp(F_Ylx9mIONs=GDOR7J
z!s@{!h&%A8Er}aMdD0mk#s%bH^(p8HL6l-6iKJ%JY$!?VLmDqZL7D4xf%;gN>yaFo
zbm>I@5}#8FjsmigM8w_f#m4fEP<w>~r~_?OWB%SGWcn$ThnJ@Y`ZI-O&Qs#Y14To(
zWAl>9Gw7#}eT(!c%D0m>5D8**a@h;sLW=6_AsT5v1Sd_T-C4pgu_kvc?7+X&n_fct
znkHy(_LExh=N%o3I-q#f$F4<wlfSnZ{aNtlaHgD*%*;+!if9}xbu`<To}#^Vl2QkO
z7|r$zhjK8GE;uJ+566KrGlUndEl83;o70s<D1jcM$y_hC&+<$#S-_D`DMkXCs6&Ja
zX$kb)3d(TSz&8E5_#CeAoC7l{hxp54WI)}a6Fq*MuVt{GA?j6in~9$1>QJpy>jZBW
zRF7?EhqTGk)w&Koi}QQY3sVh?@e-Z3C9)P!(hMhxmX<?O%M-wa0Dx5a@<^0#9_>LC
zF_+ZSTQU`Gqx@o<HpS{<a}-BAGy@<S0>(~<vXHshk{*j+nj`s1+omT#^krl>B$dbr
zHlEUKoK&`2gl>zKXlEi8w6}`X3kh3as1~sX5@^`X_nYl}hlbpeeVlj#2sv)CIMe%b
zBs7f|37f8qq}gA~Is9gj&=te^wN8ma?;vF)7gce;&sZ64!7LqpR!fy)?4cEZposQ8
zf;rZF7Q>YM<qvPX@rO5R|G8xB*d=47F5FbX>F1~eQ|Z*!5j0DuA=`~VG$Gg6B?Om1
z6fM@`Ck-K*k(eJ)Kvysb8sccsFf@7~3vfnC=<$q+VNv)FyVh6ZsWw}*vs>%k3$)9|
zR9ek-@pA23qswe1io)(Vz!vS1o*XEN*LhVYOq#T`;rDkgt86T@O`23xW~;W_#ZS|x
zvwx-XMb7_!hIte-#JNpFxskMMpo2OYhHRr0Yn8d^(jh3-+!CNs0K2B!1dL$9UuAD=
zQ%7Ae(Y@}%Cd~!`h|wAdm$2WoZ(iA1(a_-1?znZ%8h72o&Mm*4x8Ta<4++;Yr6|}u
zW<lfR&2thZ%arCCv7^XWW_6jB>8$p&izhdqF=m8$)HyS2J6cKyo;Yvb>DTfx4`4R{
zPSODe9E|uflE<`xTO=r>u~u=NuyB&H!(2a8vwh!jP!yfE3N>IiO1<sg)|!DAM%5V4
zImfj?oZv3;y3AIvb^=HU^uh7(X5<6aoUeyP2Mi=23DNrjwj6G-I5MpbGBBkQgLzRx
z_Qg%sVsEslI2A80hOod<S>jI>7e&3rR#RO3_}G23W?gwDHgSg<QXM9d4Lsp5W&)6?
zY*roO0w$UqxC4|r(Er$DV(2l9h4At3N_U`+Ukis<fpRRCK>ekzQ^PU&G5z&}V5GO?
zfg#*72*$DP1T8i`S7=P;bQ8lYF9_@8^C(|;9v8ZaK2GnWz4$Th2a0$)XTiaxNWfdq
z;yNi9veH<s@9We549w!!z+8C$Xr3bE8Io{iV0-^0*Z((QCVLd1<H5EqJokRheRd?M
z=9-#Ba=FG%;bgG2sZn!v5}(U9c2N6|uSx2-^nZJN<Y38%>!j)ba$9pke8`y2^63BP
zIyYKj^7;2don3se!P&%I2jzFf|LA&tQ=NDs{r9fIi-F{-yiG-}@2`VR^-LIFN8BC4
z&?*<A2U+2yvz#~5iMlAv#&#x?J%g>IvLiGHH5>NY(Z^CL_A;yISNdq58}=u~9!Ia7
zm7MkDiK~lsfLpvmPMo!0$keA$`%Tm`>Fx9JpG^EfEb(;}%5}B4Dw!O3BCkf$$W-dF
z$BupUPgLpHvr<<+QcNX*w@+Rz&VQz)Uh!j4|DYeKm5IC05T$KqVV3Y|MSXom+Jn8c
zgUEaFW1McGi^44xoG*b0JWE4T`vka7qTo#dcS4RauUpE{O!ZQ?r=-MlY#;VBzhHGU
zS@kCaZ*H73XX6~HtHd*4qr2h}Pf0Re@!WOyvres_9l2!AhPiV$@O2sX>$21)-3i+_
z*sHO4Ika^!&2utZ@5%VbpH(m2wE3qOPn-I5Tbnt&yn9{k*eMr3^u6zG-~PSr(w$p>
zw)x^a*8Ru$PE+{&)%VQUvAKKiWiwvc{`|GqK2K|ZMy^Tv3g|zENL86z7i<<vQD<>c
zW`W>zV1u}X%P;Ajn+>A)2iXZbJ5YB_r>K-h5g^N=LkN^h0Y6dPFfSBh(L`G$D%7c`
z&0RXDv$}c7#w*7!x^LUes_|V*=bd&aP+KFi((tG<uj&`TKbvJwt*s;^z;4Ys<BrXj
zUcC9nsnf4nJ}oNAV^;23Huc6W7jNCNGp&VZZ68xTF&1%{6q~EkQlv<(iM7j~voh3C
z@5k4r3!z`C;}lPV?5N1<S*Q-j1No*l<5(hps4yh~OUMfaqfZSw{1(}GVOnN8<B1ow
zokS3`Befl=7x!u#A9>*gakSR+FA26%{QJdB5G1F=UuU&koU*^zQA=cEN9}Vd?OEh|
zgzbFf1?@LlPkcXH$;YZe`WEJ3si6&R2MRb}LYK&zK9WRD=kY-JMPUurX-t4(Wy{%`
zZ@0WM2+IqPa9D(^*+MXw2NWwSX-_WdF0nMWpEhAyotIgqu5Y$wA=<qv3s0%`78x7-
z!YG+vXM)||6z({8VoMOb>zfuXJ0Y2lL3#ji26-P3Z?-&0^KBc*`T$+8+cqp`%g0WB
zTH9L)FZ&t073H4?t=(U6{8B+uRW_J_n*vW|p`DugT^3xe8Tomh^d}0k^G7$3wLgP&
zn)vTWiMA&=bR8lX9H=uh4G04R6>C&Zjnx_f@MMY!6HK5v$T%vaFm;E8q=`w2Y}ucJ
zkz~dKGqv9$E80NTtnx|Rf_)|3wxpnY6nh3U9<)fv2-vhQ6v=WhKO@~@X57N-`7Ppc
zF;I7)eL?RN23FmGh0s<krvL@Zi`9X>;Z#+p)}-TgTJE%&>{W+}C`^-sy{gTm<$>rR
z-X7F%MB9Sf%6o7A%ZHReD4R;imU6<9h81{%avv}hqugeaf=~^3A=x(Om6Lku-Pn9i
zC;LP%Q7Xw*0`Kg1)X~nAsUfdV%HWrpr8dZRpd-#%)c#Fu^mqo|^b{9Mam`^Zw_@j@
zR&ZdBr3?@<@%4Z-%LT&RLgDUFs4a(CTah_5x4X`xDRugi#vI-cw*^{ncwMtA4N<n#
zKe-3R=W^+cuK>KjByYBza)Y$hozZCpuxL{IP&=tw6ZO52WY3|iwGf&IJCn+u(>icK
zZB1~bWXCmwAUz|^<&ysd#*!DSp8}DLNbl5lRFat4NkvItxy;9tpp9~<f);nGGD>|@
z;JctShv^Iq4(z+y7^j&I?GCdKMVg&jCwtCkc4*@O7HY*veGDBtAIn*JgD$QftP}8=
zxFAdF=(S>Ra6(4slk#h%b?EOU-96TIX$Jbfl*<nInof4ph4hK=1pB+w>_7IY-|R%H
zF8u|~hYS-YwWt5+^!uGcnKL~jM;)ObZ#q68ZkA?}CzV-%6_vPIdzh_wHT_$mM%<x2
zq&@Ugp@y3#qmCWN2c()zUb2i%NHytqe#*|FOc9=9=lm37FJ~XnjPaYV#gu{Rxk3h%
z6(mfsR@KE$kTrlhgn%DPo5HpDO0=1-df|X)k_Bt?_o11|zfG(qa-#Sl@L(<sfroJg
zk#3es02GuhOy#7gPL>vws9lxUj;E@#1UX?WO2R^41(X!nk$+2oJGr!sgcbn1f^yl1
z#pbPB&Bf;1&2+?};Jg5qgD1{4_|%X#s48rOLE!vx3@ktstyBsDQWwDz4GYlcgu$UJ
zp|z_32yN72T*oT$SF8<}>e;FN^X&vWNCz>b2W0rwK#<1#kbV)Cf`vN-F$&knLo5T&
z8!sO-*^x4=kJ$L&*h%rQ@49l?7_9IG99~xJDDil00<${~D&;kiqRQqeW5*22A`8I2
z(^@`qZoF7_`CO_e;8#qF!&g>UY;wD5MxWU>az<ULIsNY$DJI@Av_2K^yD6wo0kqHs
zV#M>oo=E{kW(GU#pbOi%XAn%?W{b>-bTt&2?G=E&BnK9m0zs{qr$*&g8afR_x`B~o
zd#dxPpaap;I=>1j8=9Oj)i}s@V}oXhP*{R|@DAQXzQJekJnmuQ;vL90_)H_nD1g6e
zS1H#dzg)U&6$fz0g%|jxDdz|FQN{KJ&Yx0vfuzAFewJjv`pdMRpY-wU`-Y6WQnJ(@
zGVb!-8DRJZvHnRFiR3PG3Tu^nCn(CcZHh7hQvyd7i6Q3&ot86XI{jo%WZqCPcTR0<
zMRg$ZE=PQx66ovJDvI_JChN~k@L^Pyxv#?X^<)-TS5gk`M~d<~j%!UOWG;ZMi1af<
z+86U0=sm!qAVJAIqqU`Qs1uJhQJA&n@9F1PUrYuW!-~IT>l$I!#5dB<cfvg5VibV&
zDqvU$KKCo4v0yI;auEcF&ZcvUE7}qhEUthMrKK<ZZorlPhfA2o9*2RG_C6<ZwD)23
zgbU<ugZCNmzTNu!GMX!>aiAK}RUufjg{$#GdQBkxF1=KU2E@N=i^;xgG2Y4|{H>s`
z$<vvU|F(3Nv^%2-!)gt%bV2|xrF9!>t`k8c-8`fS7Yfb1FM#)vPKVE4Uf(Pk&%HLe
z%^4L>@Z^9Z{ZOX<^e)~adVRkKJDanJ6VBC_m@6qUq_WF<AGx+lu0P|(*RBdki}PPC
zR884Dd(Bf1Tr>@Epw>AYqf%r6qDzQ~AEJ<N!$QjqcKBS<-KzqABShp7@2HODUtuI-
zM1Hm0Vba1HggryAaeKKwP<qS1QZN90CS+8P%>!jtUvLp^CcqZ^G-;Kz3T;O4WG45Z
zFhrluCxlY`M+OKr2SeI697btH7Kj`O>A!+2DTEQ=48cR>Gg2^5uqp(+y5Sl09MRl*
zp|28!v*wvMd_~e2DdKDMMQ|({HMn3D%%ATEecGG8V9>`JeL)T0KG}=}6K8NiSN5W<
z79-ZdYWRUb`T}(b{RjN8>?M~opnSRl$$^gT`B27kMym5LNHu-k;A;VF8R(HtDYJHS
zU7;L{a@`>jd0svOYKbwzq+pWSC(C~SPgG~nWR3pBA8@OICK$Cy#U`kS$I;?|^-SBC
zBFkoO8Z^%8Fc-@X!KebF2Ob3%`8zlVHj6H;^(m7J35(_bS;cZPd}TY~qixY{MhykQ
zV&7u7s%E=?i`}Ax-7dB0ih47w*7!@GBt<*7ImM|_mYS|9_K7CH+i}?*#o~a&tF-?C
zlynEu1DmiAbGurEX2Flfy$wEVk7AU;`k#=IQE*6DMWafTL|9-vT0qs{A3mmZGzOyN
zcM9#Rgo7WgB_ujU+?Q@Ql?V-!E<ESfbH6cV^f<TVZZ6$j;;%C;F7k#%v)~#tDz@O9
zGjF`&rD{{KBD!Z>=jbypS+*ch<nT0vi*LE;jA`dwa7L|Pk{%Vkrl+;{Q+Icda+|DH
zxbX_5rMru~l@p?-nW}qiMdIwMuOHt$v$Z->I&zA+C_3_@aJal}!Q54?qsL0In({Ly
zjH;e+_SK8yi0NQB%TO+Dl77jp#2pMGtwsgaC>K!)NimXG3;m7y`W+&<(ZaV>N*K$j
zLL~I+6ouPk6_(iO>61cIsinx`5}DcKSaHjYkkMuDoVl>mKO<4$F<R}h5tU~DoQW2-
zb@mx6M$TIWS(5Azchs1S!C1Vg!dX-qRh*Tlox4o><>YJ5J9A2Vl}#BP7+u~L8C6~D
zsk`pZ$9Bz3teQS1Wb|8&c2SZ;qo<#F&gS;j`!~!ADr(jJXMtcDJ9cVi>&p3~{bqaP
zgo%s8i+8V{UrYTc9)HiUR_c?cfx{Yan2#%PqJ{%?Wux4J;T$#cumM0{Es3@$>}DJg
zqe*c8##t;X(<vs5F6*OK5RBh`;EMHg+sn$v%w2!Q1AFLXOj%hwP6VgZXe#dgvNr%C
zbK2>4$?A`ve)e@YU3d2Balcivot{1(ahlE5qg@S-h(mPNH&`pBX$_~HdG48~)$x5p
z{>ghzqqn_t8~pY<5?-To>cy^6o~mifr;KWvx_oMtXOw$$d6jddXG)V@a#lL4o%N@A
zNJlQAz6R8{7jax-kQsH6JU_u*En%k^NHlvBB!$JAK!cYmS)HkLAkm0*9G3!vwMIWv
zo#)+EamIJHEUV|$d|<)2iJ`lqBQLx;HgD}c3mRu{iK23C>G{0Mp1K)bt6OU?xC4!_
zZLqpFzeu&+>O1F>%g-%U^~yRg(-wSp@vmD-PT#bCWy!%&H;qT7rfuRCEgw67V!Qob
z&tvPU@*4*$YF#2_>M0(75QxqrJr3Tvh~iDeFhxl=MzV@(psx%G8|I{~9;tv#BBE`l
z3)_98eZqFNwEF1h)uqhBmT~mSmT8k$7vSHdR97K~kM)P9PuZdS;|Op4A?O<*%!?h`
zn`}r_j%xvffs46x2hCWuo0BfIQWCw9aKkH==#B(TJ%p}p-RuIVzsRlaPL_Co{&R0h
zQrqn=g1PGjQg3&sc2IlKG0Io#v%@p>tFwF)RG0ahYs@Zng6}M*d}Xua)+h&?$`%rb
z;>M=iMh5eIHuJ5c$aC`y@CYjbFsJnSPH&}LQz4}za9YjDuao>Z^EdL@%s<cic@|#d
zk`VYkAA1)5&zzBlUXwX>aRm&LGQWXs*;FzwN#p<?>H&j~SLhDZ+QzhplV_ij(NyMl
z;v|}a<m1KirP40Q9;?ZUGeiBO`6EQCP%m`AbDrv}WVxc|a9*xhB0zVg4PQB(Updr=
z()&PI0+wG1-G5cn-?{zrU(p$hh$VW4zkc`j%O6su+dqN;>mvxRddO81LJFa~2QFUs
z+<rMf(`FCeM}FJ^oJ6DQ^2{Nc9R`a9PEsYsk4d<kKA^opcC1pDZk0kh9^Gygk8>Lk
zZck)}9uK^buJNMo4G(rSdX{57(7&n=Q6$QZ@lIO9#<3pA2ceD<ex)Co(^yo~b^iS?
z-G6>pO_340B*pHlh_y{>i&c1?vdpN1j>3UN-;;Yq?P+V5oY`4Z(|P8SwWq<)<fz%B
zj)+x<OZ_gB*%c@YSI6p9w+Ydpc!Zcf$QEBFDuqEL6=PD@Pe~N@st{xMy+-n;*Mt~v
zmrteH;(NO63jTi5?DV@CF_fsL-w|T3X%De;sQHBB^9@P)Y{)Bp<max_sHiv=Y2ujB
z*Y0pN2vXRDgae#VLF1APpWP+=i6luTbXun4wCl7o-h=Gg-_V%L+$3>n`W@AwcQ?E9
zd5j8>FT^m=MHEWfN9jS}UHHsU`&SScib$qd0i=ky0>4dz5ADy70AeIuSzw#gHhQ_c
zOp1!v6qU<Kxjvk}u}KI}1IL4P)HQX%3Qy1||7)ACyj<$_yY^HUY1Qh86mASo5oGq6
zE#i-HjkgKyfR`wC1AzxilV;sCL6u<;DfJ$k2lHogcuG&96Y=9Dx08l3i%#>)@8MY+
zMNIID?(CysRc2uZQ$l*QZVY)$X?@4$VT^>djbugLQJdm^P>?51#lXBkdXglYm|4{L
zL%Sr?2f`J+xrcN@=0tiJt(<-=+v>tHy{XaGj7^cA6felUn_KPa?V4ebfq7~4i~GKE
zpm)e@1=E;PP%?`vK6KVPKXjUXyLS1^NbnQ&?z>epHCd+J$ktT1G&L~T)nQeExe;0Z
zlei}<<dHMjP`dMgT;)rz@KwnNqz2u#jL%!`ao{S@tM3IGYSeTv3Fk3tBkVZxLRlho
z@Yxs}5wdFIYX}Vx7;lNy5jfXGDv1)02|!y=K!RAWW@=@lh*MCQ(we#;x;&XaD>_ni
ztFo}j7nBl$)s_<W4is^tCJZEK$$)&HpdlqLPzQFWv`<{7GL_AD92F#&(|%OzJIbuy
z+Ol{_jn76nNgzuA>3odmdafVieFxc)m!wM+U`2u%yhJ90giFcU1`dR6BBTKc2cQ*d
zm-{?M&%(={<F~lIWhEX{d2;PTbK5UDb8+WLo7GcN=5=ow@4S4W$LOt!x3rG3C8mvr
z0>xYHy?VCx!ogr|4g5;V{2q(L?QzJGsirn~kWHU`l`rHiIrc-Nan!hR7zaLsPr4uR
zG{En&gaRK&B@lyWV@yfFpD_^&z>84~_0Rd!v(Nr%PJhFF_ci3D#ixf|(r@$igZiWw
za*qbXIJ_Hm4)TaQ=zW^g)FC6uvyO~Hg-#Z5Vsr<Zy{+LyD`h4YS(ghy#BfWzW^5Uo
zQ8PC9sjEJ4RGC&$F|HxuyK{woR4L3OZu<36tuvn9l2snS_;Y@J&z1A*lMO*_Ur`v=
zX;m?{v#RtbKP{_C_Pwp$oMe|?dH6}PAjk=@Y1ry|VVd(HV4<-(-0+OjB`EyB0T=kn
z(gB<B0#L(B#0`VW)>ybz6uOTF>Rq1($JS`imyNB7myWWpxYL(t7`H8*voI3Qz6mvm
z$JxtArLJ(1wlCO_te?L{>8YPzQ})xJlvc5wv8p7Z=HviPYB#^#_vGO#*`<0r%MR#u
zN_mV4vaBb2RwtoOYCw)X^>r{2a0kK|WyEYoBjGxcObFl&P*??)WEWKU*V~zG5o=s@
z;rc~uuQQf9wf)MYWsWgPR!wKGt6q;^8!cD_vxrG8GMoFGOVV=(J3w6Xk;}i)9(7*U
zwR4VkP_5Zx7wqn8%M8uDj4f1aP+vh1Wue&ry@h|wuN(D2W<Jk_Ub)RM4SgV&OId4;
zn2zn6!@5a6q<V@&t`j1NlR++Q;e@+-SbcuS)(a+|%YH!7_B%_B*R5T=?m|>;v6b1^
z`)7XBZ385zg;}&Pt@?dunQ=RduGRJn^9HLU&HaeUE_cA1{+oSIjmj3z+1YiOGiu-H
zf8u-oVnG%KfhB8H?cg%@#V5n+L$MO2F4>XoBjBeX>css^h}Omu#)ExTfUE^07KOQS
znMfQY2wz?!7!{*C^)aZ^UhMZf=TJNDv8VrrW;JJ9`=|L0`w9DE8MS>+o{f#{7}B4P
z{I34>342vLsP}o=ny1eZkEabr@niT5J2AhByUz&i3Ck0H*H`LRHz;>3C_ru!X+EhJ
z6(+(lI#4c`2{`q0o9aZhI|jRjBZOV~IA_km7ItNtUa(Wsr*Hmb;b4=;<J1?+^3A&j
zK3cnIJ@xJ)8})7lyFf5`owi5yu4lj04lY55Grhwxe6`Vjk5_%2h6Srm0%!Z7OTJgS
z7xk*fSj^YWvFa#^cCzaibaRR7wifomC%U_?eh_XL=5Hz83qQMDCary#^CqnoCok6y
z#aKY5h8k>R(gF@GmsRI`pF+0tmq0<eALkrdNz?_uQPl5L<ziG;l8G^BKV7-hN+!<*
z<qETgy|$oSZ328w$u~CVg?j38Ne8Nec!$^z3O9)SK=%x<?=HO#`R=(x+xbP_2n9~L
zA~@Y5=^p7G^ly*h(SjbX22XE{f_H~{EwlIe71&(CF%AC-KZ!PkfDiovb({chpQJjK
zFbjvUr>zy~wnoJD(<MLjh**JGO%zg$#8^?N-Q#VEMllAeBN{8Gkcp5385M+IP?10`
zKNJCQBzyb5Gta#5ZT-NK&Jkr}EY5LG-*{2<GI5k_E;Cjl{9Li(svK!m$F~O+U$JQS
zMZAi<dUJWWO0+lGoKxMN#+rIpvr}TmT8W9)5>LSEwHjT<no^?z{l8Hbtg<ND1Cr6K
z6#0!VQ^*}KTk66St&+e*u_9r$$-(;3c2C&lF^#Wti6x@NV{uFO48lerx@~U7EQm%~
zi8-wSrE-(Ma!Z+cdXdE^nH(<3+*mF-qjhezv`kVwaQ)pBtm+Jzn4-9>Ot4xb0XB-+
z&4RO{Snw4G%gS9w#uSUK$Zbb#=jxEl;}6&!b-rSY$0M4pftat-$Q)*y!bpx)R%P>8
zrB&`YEX2%+s#lFCIV;cUFUTIR$Gn2%F(3yLeiG8eG8&)+cpBlzx4)sK?>uIlH+$?2
z9q9wk5zY-xr_fzFSGxYp^KSY0s%1BhsI>ai2VAc8&JiwQ>3RRk?ITx!t~r45qsMnj
zkX4bl06ojFCMq<9l*4NHMAtIxDJOX)H=K*$NkkNG<^nl46<z}8DjmoX!f<;!=?S0X
zNm_qEi&;s|L9ptUk0h&55Ob{uhVekW1KY3{I#Svm7#;P3BE~;lg8EY6Q79rf(MCE=
zN8VGwjyg@p(Rvv6Qeo&vGBF~WTM7Tu+BS~CYXlw<;F93zrP+w<0f)nm=oOTD0XeL>
zHWH1GXb?Og1f0S+8-((5yaeegCT62&4N*pNQY;%asz9r9Lfr;@Bl${1@a4QA<GQZo
zHC=)78Wbo&u{ERGcuiNo;G#(z2^9z>vMLbV6JDp>8SO^q1)#(o%k!QiRSd0eTmzC<
zNIFWY5?)+JTl1Roi=nS4%@5iF+%XztpR^BSuM~DX9q`;Mv=+$M+GgE$_>o+~$#?*y
zAcD4nd~L~EsAjXV-+li6Lua4;(EFdi|M2qV53`^4|7gR8AJI;0Xb6QGLaYl1zr&eu
zH_vFUt+<?-wHx^jA;=HXzQKp_j)#`&591BSP(wIOS;Ce(17%gs%~hdM@>Ouf4SXA~
z&Hh8K@ms^`(hJfdicecj>J^Aqd00^ccqN!-f-!=N7C1?`4J+`_f^nV!B3Q^|fuU)7
z1NDNT04hd4QqE+qBP+>ZE7{v;n3OGN`->|lHjNL5w40pe<qclDY+ja_*(_95xs;%%
zq{v>PJ?^Y6bFk@^k%^5CXZ<+4qbOplxpe)l7c6m%o-l1oWmCx%c6@rx85hi(F=v(2
zJ$jN>?yPgU#DnbDXPkHLeQwED5)W5sH#<v%tu={Y=OlW2%;gK%O0*}OtgP0-W>-eS
z%#^4dxiVs{+q(Yd^ShMN3GH)!h!@W&N`$L!SbElXCuvnqh{U7lcCvHI#{ZjwnKvu~
zAeo7Pqot+Ohm{8|RJsTr3J4GjCy5UTo_u_~p)MS&Z5UrUc|+;Mc(YS+ju|m3Y_Dvt
zonVtpBWlM718YwaN3a3wUNqX;7TqvAFnVUoD5v5WTh~}r)KoLUDw%8Rrqso~bJqd>
z_T!&Rmr6ebpV^4|knJZ%qmzL;OvG3~A*loGY7?YS%hS{2R0%NQ@fRoEK52Aiu%gj(
z_7~a}eQUh8PnyI^J!>pxB(x7FeINHHC4zLDT`&C*XUpp@s0_B^!k5Uu)^j_uuu^T>
z8WW!QK0SgwFHTA%M!L`bl3h<zOXT*J6fe~c%_xb0$mxr#<2VD=$rO0L8nX7*#{Ksu
z$LONOvFCTfJN5XIapRVZlX}Y=<Lbb4!eHVHYIDPW9?-^*TjQ2+nH<TKdTCuE{W6Ky
z7>HjPp)|wL5Var_*A1-H8LV?uY5&ou{hRjj>#X@rxV>5<xG4RL_K~wL=!|H8*ZSVn
ze*QWuVl90vQ035NRw9cT+>%-9hbP+v?$4}3EfoRH;l_wSiz{&1<+`Y5%o%q~4<MOn
zEoNk8R4!uRxI3kmMnO0fow{Ibz3`A^4>rdpRF0jOsCoLnWY5x?V)0ga>CDo`NpqS)
z@x`mh1QGkx;f)p-n^*g5M^zRTHz%b2IkLBY{F+HsjrFC9_H(=9Z5W&Eymh~A_FUJ}
znhTc9KG((OnjFO=+q>JQZJbeOoUM77M{)$)qQMcxK9f;=L;IOv_J>*~w^YOW744QZ
zoG;!b9VD3ww}OX<8sZ0F##8hvfDP{hpa3HjaLsKbLJ8<m2C(MCx~x+Mo`}Jf7gdL>
z0WpY2E!w?&cWi7&N%bOMZD~o7QT*$xCRJ@{t31~qx~+0yYrLXubXh2{_L699Nl_pn
z6)9eu+uUTUdjHXYs#pX^L)AIb!FjjNsTp7C399w&B{Q4q%yKfmy}T2uQdU|1EpNcY
zDk~(h#AdxybjfzB+mg6rdU9mDZ^V>|U13Dl$Gj+pAL}lR2a1u!SJXU_YqP9N{ose4
zk+$v}BIHX60WSGVWv;S%zvHOWdDP(-ceo(<8`y@Goy%4wDu>57QZNJc)f>Ls+}9h7
z^N=#3q3|l?aG8K#HwiW2^PJu{v|x5;awYfahC?>_af3$LmMc4%N~JwVlRZa4c+eW2
zE!zosAjOv&UeCeu;Bn5OQUC=jtZjF;NDk9$fGbxf3d29SUBekX1<Pr@Tu%2mF`vob
zdsw;fW5J;CqD*)A#3k~8m#E~>!a$Vmq_VK*MHQ4)eB!dQrHH)LVYNF%-t8!d`@!cb
z2CsKs3|!}T^7fSZm?0dJ^JE`ZGxA&a!jC<>6_y67On0M)hd$m*RAzo_qM?aeqkm`*
zXpDYcc_>TFZYaC3JV>{>mp(5H^efu!Waa7hGTAts29jjuVd1vI*fEeB?A&uG<8dLZ
z(j6<v3j>;-%vJ7R0U9}XkH)1g>&uptXPHBEA*7PSO2TZ+dbhVxspNW~ZQT3fApz}2
z_@0-lZODcd>dLrYp!mHn4k>>7kibI!Em+Vh*;z}l?0qro=aJt68joCr5Jo(Vk<@i)
z5BCKb4p6Gdr9=JSf(2Mgr=_6}%4?SwhV+JZj3Ox^_^OrQk$B^v?e<VR4r!cUQcNa*
zLw&@@0{2I&$oQBHjs;Rdk`@6y1!<-(7NgjbFuEcwrG9}&Hy03(S??>Nz}d^xRaz&~
zKVnlLnK<O~>#8^y=If2f1zmb~^5lPLe?%l}>?~wN4IN((2~U{e9fKhLMtYFj)I$(y
zgnKv?R+ZpxA$f)Q2l=aqE6EPTK=i0sY&MDFJp!vQayyvzh4wee<}kybNthRlX>SHh
z7S}9he^EBOqzBCww^duHu!u+dnf9veG{HjW!}aT7aJqzze9K6-Z~8pZAgdm1n~aDs
z8_s7?WXMPJ3EPJHi}NL&d;lZP8hDhAXf5Hd!x|^kEHu`6QukXrVdLnq5zbI~oPo?7
z2Cbu8U?$K!Z4_yNM1a(bL!GRe!@{Qom+DxjrJ!B99qu5b*Ma%^&-=6UEbC+S2zX&=
zQ!%bgJTvmv^2}hhvNQg!l=kbapAgM^hruE3k@jTxsG(B6d=4thBC*4tzVpCYXFc$a
zeqgVB^zua)y-YjpiibCCdU%txXYeNFnXcbNj*D?~)5AGjL+!!ij_4{5EWKG<MLirH
z+DX^Dk(~hl-o)R17Ke7NBWBmGx0}_Yh*L{$3or|S`y{XU9=}stg7(?(^wZZS2Da%+
zWvCP|MzT2WK(<`aoEV!R1WAp-r%3{)SA=78<qFf;<rwNmD*Y*6(NUk(!LD}1(qHA3
z`=B=489M4KM^RxXd(tHgT%9X5Tjnh2mdXv4MCT5VYa7rd+N5ISRlSW}1lw5{(5L@K
zwzTh&rM#;2<;oP^LJod0{WsXpN5C{w?l*Jg>av0^={~M^q}baAFOPzxfUM>`KPf|G
z&hsaR*7(M6KzTj8Z?;45zX@L#xU{4n$9Q_<-ac(y4g~S|Hyp^-<*d8+P4NHe?~vfm
z@y309=`lGdvN8*jw-CL<;o#DKc-%lb0i9a3%{v&2X($|Qxv(_*()&=xD=5oBg=$B0
zU?41h9)JKvP0yR{KsHoC>&`(Uz>?_`tlLjw1&5tPH3FoB%}j;yffm$$s$C=<NH+_Q
zuVOy!BKDYAHt^L);tLou9Iw!KVrZ;__9lB4Qu}AkDaaH65g@R}lia;0J%u}*93`p?
zaeF={6)8oIBzH4kIggVAVvNSbROx-Z(+`hO*myDp7yv#WCwMIxk<hHjD5AkCV*KFy
z7uwrr!(roY4b(1>RHi`I3*m@%CPqWnP@B~%DEe;7ZT{9!IMTo1hT3Q347HJ&!)BM2
z3~aClf>aFh0_9||4G}(Npu`9xYY1*SD|M~9!CCFn{-J$u2&Dg*=5$_nozpoD2nxqq
zB!--eA8UWZlcEDp4r#vhZ6|vq^9sFvRnA9HpHch5Mq4*T)oGbruj!U8Lx_G%Lby}o
zTQ-_4A7b)5A42vA0U}hUJq6&wQ0J%$`w#ph!EGmW96)@{AUx>q6E>-r^Emk!iCR+X
zdIaNH`$}7%57D1FyTccs3}Aq0<0Ei{`=S7*>pyg=Kv3nrqblqZcpsCWSQl^uMSsdj
zYzh73?6th$c~CI0>%5@!Ej`o)Xm38u0fp9=HE@Sa6l2<mw_Yh7ly>oX9^^4|Aq%GA
z3(AbFR9gA_2T2i%Ck5V<FfGDt5jFr`inQh;1&EJ*>2Q2WW-(a&(j#@l6wE4Z`xg#S
za#-UWUpU2U!TmIo`CN0JwG^>{+V#9;z<j+vge|-bMmFe5eQtw=$jBe&1J+DLGhNXR
zVF0LJkT6h0B8nsw@>vx;ztc$}@NlcyJr?q(Y`UdW6qhq!aWyB5xV1#Jb{I-ghFNO0
z<gP-h@3s4i1u==>FU~+QgPs{FY1AbiU&S$QSix>*rqYVma<-~s%ALhFyVhAYepId1
zs!gOB&weC18yhE-v6ltKZMV|>JwTX+X)Y_EI(Ff^3$WTD|Ea-1HlP;6L~&40Q&5{0
z$e$2KhUgH8ucMJxJV#M%cs!d~#hR^nRwk|uuCSf6irJCkSyI<%CR==tftx6d%;?ef
zYIcjZrP@APzbtOeUe>m-TW}c-ugh+U*RbL1eIY{?>@8aW9bb1NGRy@MTse@>=<ra>
za%;5=U}X%K2tKTYe9gjMcBvX%qrC&uZ`d(t)g)X8snf?vBe3H%d<Ke$F$Z0AGpq$L
zh*N9G{;KEPa}gmeOBNBk0zORp;`+VU|1_04|4V$bCz(R~xePApA?YFdZU$CR63IbQ
z2Pq2(THUz7SlMWdHOdM19(SYTR)^7j>G=b<Uy4X-FL@RBUeVq-s%!3f=Wp$pdFiyc
z*UH5I+~YQSU-pf1Z~4Z+d0X6)<0i*Q_Z}vh)KKf>l^rv8Z@YN$gd9yveHY0@Wt0$s
zh^7jCp(q+6XDoekb;=%y=Wr8%<!i<hjG`j2f#)CHoE%?oHV1t_^966$UcQ|tMEj_Y
z^Dp_?#syJ7V{9Es?J3v}f}pPx{87yPa7|66#gbBs#7ePJ{bo_oH&rCWA~hx1V^t$U
z+8@1TWfn_Z`;{~9gC9mv?eoQ*Y-C)rhp|}dc#r5_J0yspKw$C`a}OGKQh(E&3WUik
z4AxbHbeGhXO7DYJ7=8m!=+Sj-HxJCb*@hx`<Q?E73ZqASI|ZO4gQX;PgpcX_I2dEP
z4PzF^;fhXQ)40w{k(P#>6;z0ANH5dDR_VudDG|&_lYykJaiR+(y{zpR=qL3|2e${8
z2V<U){GkH!99$-?(vZQ6`9xYUH;m>;?jgHj7}Kl(d8C9xWRjhpf_)KOXl+@c4wrHy
zL3#9U(`=N59og2KqVh>nK~g9>fX*PI0`>i;;b6K<iTA=O-~d|1@8nQW|764_gHT9A
z+Jdw)Cus?cfv_Gsi;gF31B#4DZ2^Yn1Wk~wI*LZ!hnDLnI_*R~z#5pH4R3KO1Ir1F
zNQX5wC;<FU(7pj+t&{Y#h#K(_6=WtrHj4aPX$5uUHjT;c(e}35?V4?SZCg90+pyx(
z`_R8jCQe*LR*{P)PNV>F|8zg+k2hViCt}4dfMdvb1NJ-Rfa7vL2;lPK{Lq*u`JT>S
zoM_bZ_?UY6oV6Ja14X^;LqJPl+w?vf*C!nGK;uU^0GRN|UeFF@;H(Hgp8x^|;ygh?
zIZx3DuO(lD01ksanR@Mn#lti=p28RTNYY6yK={RMFiVd~k8!@a&^jicZ&rxD3CCI!
zVb=fI?;c#f{K4Pp2lnb8iF2mig)|6JEmU86Y%l}m>(VnI*Bj`a6qk8QL&~PFDxI8b
z2mcsQBe9$q`Q$LfG2wdvK`M1}7?SwLAV&)nO;kAk`SAz%x9CDVHVbUd$O(*aI@D|s
zLxJW7W(QeGpQY<$dSD6U$ja(;Hb3{Zx@)*fIQaW{8<$KJ&fS0caI2Py^clOq9@Irt
z7th7F?7W`j{&UmM==Lo~T&^R7A?G=K_e-zfTX|)i`pLitlNE(~tq*}sS1x2}Jlul6
z5+r#4SpQu8h{ntIv#qCVH`uG~+I8l+7ZG&d`Dm!+(rZQDV*1LS^WfH%-!5aTAxry~
z4xl&rot5ct{xQ$w$MtVTUi6tBFSJWq2Rj@?HAX1H$eL*fk{Hq;E`x|hghRkipYNyt
zKCO=*KSziiVk|+)qQCGrTYH9X!Z0$k{Nde~0Wl`P{}ca%nv<6fnYw^<s*I^w2}g4)
zDT(2xL%uqsByOSZ61tavt7O>~9dYxTnTZB&&962jX0DM&wy&8fdxX8xeHSe=UU&Mq
zRTaUKnQO|A>E#|PUo+F=Q@dMdt`P*6e92za(TH{5C*2I2S~p?~O@hYiT>1(n^Lqqn
zqewq3ctA<T{c@#lWCZ$(!d{cN7=2we77Yx!0ew~Gx<3;vHo@;Z=)<i6dXzL;AY|z|
zQh^P>A%0E)r53*P-a8Ak32mGtUG`L^WVcm`QovX`ecB4E9X60wrA(6NZ7z~*_DV_e
z8$I*eZ8m=WtChE{#QzeyHpZ%7GwFHlwo2*tAuloI-j2exx3#x7EL^&D;Re|Kj-XT-
zt9<G*I5j~YwPM=zQc<-<5T)`?p=k3wJ6%=B%=d_@HDXhwqg3ij6<6Gneq}IMRsO?+
zZ$ux+&=>08^soV2`7s+Hha!d^#J+B)0-`{qIF_x=B811SZlbUe%kvPce^xu7?LY|C
z@f1gRPha1j<g?ml{#gpkD^O$XNTr0o(I;d;h4uA8LjteITT`#--;T+ZYX+t7g{&jY
z%jLmo;U5!e_41&}2`Y3PtJNiOtyHYGC;e`w)XqI9cfa-k)QH;zlhbma7)pQ1mZ#s9
zrt1Z7OQrg>q|=f}Se)}v-7MWH9)YAs*FJ&v3ZT9TSi?e#jarin0tjPNmxZNU_JFJG
z+tZi!q)JP|4pQ)?l8$hRaPeoKf!3>MM-bp06RodLa*wD=g3)@pYJ^*YrwSIO!SaZo
zDTb!G9d!hb%Y0QdYxqNSCT5o0I!GDD$Z@N!8J3eI@@0AiJmD7brkvF!pJGg_AiJ1I
zO^^cKe`w$DsO|1#^_|`6XTfw6E3SJ(agG*G9qj?JiqFSL|6tSD6vUwK?Cwr~gg)Do
zp@$D~7~66-=p4`!!UzJDKAymb!!R(}%O?Uel|rMH>OpRGINALtg%gpg`=}M^Q#V5(
zMgJY&gF)+;`e38QHI*c%B}m94o&tOfae;<xSoo%JWgt|4OsWqBge(0MrWCl{^{1qR
z$9kiQL{yp=)4GQGI_Jm5&g#GDTYcGhkauMJQ(qfM)1pg_a_8YpGwNbwNKp#T3-1@6
z|CjTBM~_fXe$Rs`cJE+v;7^0eysLT1ugyST5y-lLQ?!t5I+r@})qno};JoRD-E=Xi
zX_8OynCqNAP{M@6q0{1lA$fd7YVYB^B3HOC?;KS&skUZdpr&?G*{Dvo9Hf%gnd2O9
zvFCA)Qg13bH?d=3bMwL-iMgPupd}c_KuUy2B!UeZUr<=BIK|YBv?yV$q58*?!w_CK
zhp}K1=StAQ6{?zIqvi9mLesqVm&dX(9+AzcRVtrMpZ;{ErIyVQpVYzYVcvn6%u9m3
zENe?2g{r;1I%;x<{deB!54%lK?QVcb%q|Y(3&@xG42;qPh~(~r6ouOokrhp}g_Byo
zKp4yiKG~E3?*xr!?^(OHXYKbID@Vk%L$MJN?dLjF_FD?rZRr8zTic`kxqVF61s8OU
zY1cLlYqVUOIkCpn>og&!J2;6ENW}QeL7<PXg{yny8O<B+-%z=8!`{k@uZK?dU2tpL
zoDCc1bk4tH!`>3jatbI1*9X~y=$Dm%6FwDcnCyMRL<PZ=`4kP-O>}zo`0=y7=}*Uw
zo3!qZncAL{HCgY!+}eKr{P8o27ye+;qJP;kOB%RpSesGoHLT6tcYp*6v~Z9NCyb6m
zP#qds0jyqXX46qMNhXDn3pyIxw2f_z;L_X9EIB}<BZV)NY+Sf`GmW4*C1<w9<G3@Y
zR-2Ao^uw)%Z0Eww)CNf&GoE61(l=R$@lLulhRTBom-G)|sA)*B&(~_KWRT_L+saB5
zo*q>AhyC`FYI}G3$WnW>#NMy{0aw}nB%1=Z4&*(FaCn5QG(zvdG^pQRU25;{wwG4h
z@kuLO0F->{@g2!;NNd!<zny}%07Jn8Nf<E`qd>PfqM-;@F0;&wK}0fT9UrH}(8A5I
zt33(<pT6JhCadCO^EwcP0}B}m196bLHZSD1wzS~lgDzyBOMDp_>+&U;CLN|8+71@g
z(s!f-kZZZILUG$QXm9iYiE*>2w;gpM>lgM{R9vT3q>qI{ELO2hJHVi`)*jzOk$r)9
zq}$VrE0$GUCm6A3H5J-=Z9i*biw8<GlN{|J&^K2l_*g<#Pt^RN|DX}11Ly}*7(>ng
zi<1nM0lo^KqRY@Asucc#DMmWsnCS;5uPR)GL3pL=-IqSd>4&D&NKSGHH?pG;=Xo`w
zw~VV9ddkwbp~m>9G0*b?j7-0fOwR?*U#BE#n7A=_fDS>`fwatxQ+`F<!Rj$KZl*<p
zT?$eX^b9WOf%^Fc5Ow$#oiLZxFXB|4X4Ah-N23bVC3rdbHNy5`I((oY2SI(gVJE_3
zv~k-4(EcFxN5Hx@>zhBGQUAyIRZ??eJt46vHBlR>9m!vfb6I)8!v6TmtZ%G6&E|1e
zOtx5xy%yOSu+<9Ul5w5N=&~4Oph?I=ZKLX5DXO(*&Po>5KjbY7s@tp$8(fO|`Xy}Y
z;NmMypLoG7r#Xz4aHz7n)MYZ7Z1v;DFHLNV{)to;(;TJ=bbMgud96xRMME#0d$z-S
z-r1ROBbW^&YdQWA>U|Y>{whex#~K!ZgEEk=LYG8Wqo28NFv)!t!~}quaAt}I^y-m|
z8~E{9H2VnyVxb_wCZ7v%y(B@VrM6lzk~|ywCi3HeiSV`TF>j+I<PcrA4vbhkc}Ds9
zVnPj;dD9hvN^{*9tq;`Y3-i35x*J^9kk!Mknb6QMp+R%r;|Y~}U1bd=<D2Z^=6NHx
z)o!mbv)c13!qxVmdz@Dme2Ud2?)buFbw!<Z_N}SPHX2@PRM{c<oRhmdQ=Q!h%GA-#
zE|+zRyX;@_)`kh%@3wm_ZjUz-66I&coi<`>jd|p*kyn;=mqtf8&DK^|*f+y$<HJ*z
z{kCJi%r~syv1<5SAj?Qn<RD-N0#-mimPHVGsjQ(4>38+9!sis9N=S)nINm9=CJ<;Y
z!t&C>MIeyou4XLM*ywT_JuOXR>VkpFwuT9j5>66<JwXm0Iz|uD_GISrZ<tb63#|b6
zmesyu7v#<;wAs4wx|xl$8!C)O(dny+&uQp5Yiylr74+Z{`kuduLfD{$!RweaKvq@@
zSKvT=l{+EaFCqSAuk-})NiD5^S-DyEOCPWcr6mSZED8GEaH3HbBi=sIw&e0Ek0*HT
zg7i-oY%env)m$!wZo6{H^btX$@qVG{e!&!~J#BILfmfs_E?=UpX#O6)G;!&c?y}Qg
zZDtQIxqNpZ+R#vKv;FOFva`NsR7883$-r&2{_WuFALO<~3Fk}Bb(WC&g8i;%)qzDY
zRjOTdfX!%Ad(<}BcYy4>7A=CU*{TBrMTgb4HuW&!%Yt`;#md7-`R`ouOi$rEd!ErI
zo#>qggAcx?C7`rQ2;)~PYCw%CkS(@EJHZ|!!lhi@Dp$*n^mgrrImsS~(ioGak>3)w
zvop0lq@II<?zr~h{;~Z%uibTbs^_R=H(HEh%|uq3KKIc_zxBu?d|hToq+T%unvO@H
z_7G`_g*WS&kUbvS*4>SuA0Ou*#1JkG{U>xSQV1e}c)!d$L1plFX5XDXX5N<n2C0jm
zX{r1Jy%RD8vWp=4fyb$$F_f=*`nvNgb$TK5DH~vUeDX&BtW7RGgbP7rCk$}DqbN_=
zG+@cCNjfaVNpOlFw+a>7Ns{kT{y5|6MfhBD+esT)e7&CgSW8FxsXTAY=}?0A!j_V9
zJ;IJ~d%av<@=fNPJ9)T3qE78kaz64E>dJaYab5u<efW`3H($g#7XgvMkYf+oz36no
z(7hfLHbbB2R0{1uae-^d+wzih8L%N9he3ud^j?e&dq$dH2awC*y4Q%$6QP+9{{{^S
zS|%?I`*;k>aU`n~Zdp2h{8DV%SKE5G^$LfuOTRRjB;TnT(Jk$r{Pfe4CO!SM_7d)I
zquW~FVCpSycJ~c*B*V8?Qqo=GwU8CkmmLFugfHQ7;A{yCy1OL-+X=twLYg9|H=~8H
znnN@|tCs^ZLlCBl5wHvYF}2vo>a6%mUWpTds_mt*@wMN4-r`%NTA%+$(`m6{MNpi@
zMx)8f>U<?#KGhQOH9sd_@m#$xV)2XXy+)7rj<v$+@Y;iI(?-Y3Sg0r<Nksvzzi#Zp
z$q~EP;jFN*8js?YBQ<`b?Z-d1$^IIsy$A>4hd!row@gM&PVo&Hx+lV@$j9yWTjTue
zG9n0DP<*HUmJ7ZZWwI2x+{t3QEfr6?T}2iXl=6e0b~)J>X3`!fXd9+2wc1%cj&F@Z
zgYR|r5Xd5jy9;YW&=4{-0rJ*L5CgDPj9^3%bp-`HkyBs`j1iTUGD4?WilZ6RO8mIE
z+~Joc?GID6K96dyuv(dWREK9Os~%?$$FxswxQsoOi8M?RnL%B~Lyk&(-09D0M?^Jy
zWjP)n(b)TF<-|C<kuA~or~e()IVaJB8ThDOo%m84{2#Jw7lA;F7HB%yOOfao*a-Bo
z9vF{4tjJ*|r>G%!Vz?8Fu&6iU<>oG#kGcrcrrBlfZMVl0wOJvsq%RL9To%iCW@)#&
zZAJWhgzYAq)#NTNb~3GBcD%ZZOc43!YWSyA7TD6xkk<oWhdAZNF5oEMySt*u%}=mX
zY^=DnO8CU4$;_0G$Mo-Kkj5NlGljS+>)n^FaRAz73b}%9d&YisBic(?mv=Iq^r%Ug
zzHq-rRrhfOOF+yR=AN!a9*Rd#sM9ONt5h~w)yMP7Dl9lfpi$H0%GPW^lS4~~?vI8Z
z%^ToK#NOe0ExmUsb`lLO$W*}yXNOxPe@zD*90uTDULnH6C?InP3J=jYEO2d)&e|mP
z1DSd0QOZeuLW<s88&Dqv$ZDY(qEHICGi1F$d4+8O&b2468PMe9JW2)dic7s&U~)}9
zv>o*NqZzopA+LXy9)fJC00NSX=_4Mi1Z)YyZVC>C!g}cY(Amaj%QN+bev|Xxd2OPD
zk!dfkY6k!(sDBvsFC2r^?}hb81(WG5Lt9|riT`2?P;B%jaf5UX<~OJ;uAL$=Ien+V
zC!V8u0v?CU<?sa9rw*YNr=`U}IHdv2<G`|o3Bx8D;^GeQOIB`c%X^K&>a)4*Q+Q_u
zkx{q;NjLcvyMuU*{+uDsCQ4U{JLowYby-tn@<?{mQ!v2u1l{5e{t5@ZjF*S!>hatL
zy}X>9y08#}oytdn^qfFesF)Tt(2!XGw#r%?7&zzFFh2U;#U9XBO8W--#gOpfbJ`Ey
z|M8FCKlWQrOJwE;@Sm02l9OBr7N}go4V8ur)}M@m2uWjggb)DC4s`I4d7_8O&E(j;
z?3$9~R$QDxNM^rNh9Y;6P7w+bo2q}NEd6f&_raor-v`UCaTM3TT8HK2-$|n{N@U>_
zL-`P7EXoEU5JRMa)?tNUEe8XFis+w8g9k(QQ)%?&Oac}S`2V$b?%`DwXBgja&&fR@
zH_XidF$p1wA)J|Wk1;?lCl?fgc)=TB3>Y8;BoMqHwJqhL)Tgydv9(?(TBX)fq%=~C
zmLj!iX-kn7QA(9snzk0LRf<%SzO&~IhLor6A3f*U^UcoAygRe!H#@UCv$JUP&vPxs
zeDj$1%#<2T1!e|!7xI+~_VXLl5|jHqvOhU7ZDUGee;HnkcPP=_k_FFxPjXg*9KyI+
zIh0@+s)1JDSuKMeaDZ3|<_*J8{TUFDLl|mXmY8B>Wj_?4mC#=XjsCKPEO=p0c&t&Z
zd1%kHxR#o9S*C?du*}tEHfAC7WetnvS}`<%j=o7YVna)6pw(xzkUi7f#$|^y4WQ{7
zu@@lu=j6xr*11VEIY+`B{tgd(<i-P<xW8QmX{Uu}CW{$k=4G`<yQ5DK7nY#9L<7KO
zZl2V*aS4sKmaEUS-mY%P1^cv^q{7lxZ)5qzsWF(QH6y#+dwE4lRddpa#$Z}_cCaKa
zE;TlFY<W#EqQ=~xoZ>c3zO8%nGk0U^%ec6h)G_`ki|XQXr!?NsQkxzV6Bn1ea9L+@
z(Zr7CU_oXaW>VOdfzENm+FlFQ7Se0ROrNdw(QLvb6{f}HRQ{$Je>(c&rws#{dFI^r
zZ4^(`J*G0~Pu_+p5AAh>RRpkcbaS2a?Fe&JqxDTp`dIW9;<O_d1fh3g+@%<JHS<h;
z`xr?<<utwG<Lj5Zdhfz~Sd#5Kb7T9+cKkOui1y`+Uv$r&om%~&H3ligXMa!k1A}&8
z`oKdmM{uQUq3k>DL%0wxX5;`KxyA4F{(~_`93>NF@bj4LF!NC&D6Zm+Di$Q-tb2*Q
z&csGmXyqA%Z9s(AxNO3@Ij=WGt=UG6J7F;r*uqdQ<A<k`&*~1mNB0QW1T5I+z^l>a
z?7j!nV{8eQE-cwY7L(3AEXF3&V*9{DpSYdyCjRhv#&2johwf{r+k`QB81%!aRVN<&
z@b*N^xiw_lU>H~@4MWzgHxSOGVfnD|iC7=hf0%CPm_@@4^t-nj#GHMug&S|FJtr?i
z^JVrobltd(-?Ll>)6>jwgX=dUy+^n_ifzM>3)an3iOzpG9Tu;+96TP<0Jm_PIqof3
zMn=~M!#Ky{CTN_2f7Y-i#|gW~32RCWKA4-J9sS&>kYpTOx#xVNLCo)A$LUme^fVNH
z@^S7VU^UJ0YR8?<bG~Mj6Gj-lk3HOub{MXq84f%T`QY6$SQB%P+{DM48!0oDB|1i&
zZKxv58$HkYAPzeA(N@4W-r2I(ob~ZN%-H1^uVTL2tUjwxrv8WT<9HEQp}oppV?S-b
z?TWa%T=%&4xZ~a0-G(Qtj>Oy$^IYuG*bm|g;@aX~i60%`7XLy*AYpYvZ^F^U(!|RW
z*C!rJ@+7TGdL=nNd1gv^%B+;Fcr$y)i0!GRsZXRHPs>QVGVR{9r_#&Qd(wL|5;H;>
zD>HUw=4CF++&{7$<8G@j*nGjhEO%BQYfjeItp4mPvY*JYb1HKd<ZQ^<n)7B(e{N}R
zNACLEJ-M&vp2!R2b>!{HJ9*)(3%BR%{Pp?AM&*yHAJsW({ivOzj*qS!-7|XEn6@zo
z3L*tBT%<4RxoAh>q{0n_JBmgW6&8hx?kL(_^k%VL>?xjAyrKBmSl`$=V|SK}ELl}@
zd|d0eo#RfG`bw9SK3%r4Y+rdvc}w}~ixV%tqawbdqvE-WcgE+BUpxMT%F@btm76MG
zn=oQRWWuTm+a{dy)Oc2V4yX(@M{QAkx>(QB59*`dLT`<?!`ti2@y+pV_8st7_#g52
z1!@8-14n{+!KuOff(Jusq1w=z(B5!jxFx(cyss+1s<Z0Bs-u@|yyQrAPIYVbrs`9d
z>Pz3Lsj9iB=HSHAiCq()ns|Cr)1<p6y)@aLys9>*c605Cx}3V&x}Lg?b+6Q?)z7Kl
zQh&1Hx`y6JY-Cwvd*ozeps}a1xAA0CR+Da;+O(i)P1C;SjOI}Dtmf6tPqo-Bl`U78
zv$kYgPntPp@G)n1an9tEoL*Vumu9`>_@I(;+5+fBa-*?fEx=mTEjZ7wq}#@Gd5_cW
z!mP{N=yqEntDo)|>oy6{9cu+-3*GTnmb^`O0^FzRPO^&aG`f@F_R*aQ_e{F+_9%NW
z4KG_B`@X3EVV9L>?_RNDMddA>w=e0KfAiw5?#i1NFT%Zz#nuv(&!yIU>lVxmzYKQ`
zzJ*0w9<&L4aJ6A;0j|_<vbtcWAbbzpCj3Gin*xk%@5HxYh(fosHrML5=EAoJzwHRw
zh@)_=)rwlI8GD^(O|@nqTobf9QEEG(*M$^xqkm*B>~i>+y(q-=;2Xxhx2v%CYY^{}
z^J@LO()eLo|7!{ghQ+(u$wxO*xY#)cL(|mi<iezIsIQq}e;H<1HsO1a%jmXB^n!Yj
z`bEguLTH*W^N>H2_ck2yN{mu4O9=hBW*pM_()-_YdH#Ru{JtwJ^R2}3?!>>m1pohh
zrn(!xCjE<?5dV)b*C5Aj$gepjhO+1}F~03sn})p^Uz6_w9HjtSwO;4fgQNBdkCC(S
zXIQs_lKEg{DKt7!64@q0U7<~Z9sWW2MiWn5C=n^v2(+j+NQ}hd(YScLR6bFX1e5GJ
z{f}vqE*X+(y(=SeU6&=<n3p71@^G&#A3gi#b>0Q&EH1<ywPMV@T7r4FN~KK7(R*2e
zG3w@Kn+NlNX^aE);gT>QK?zA%sxVh&H99cObJUY$veZhQ)MLu-h%`!*G)s$2k;~+A
z)Kk->Ri?`oGDEJEtI*wijm(s5<vO`uZjc+%3o%>f$W78FH{+qBxiU{~kq((J3uK{m
z$|C8K#j-?hm8H@x%VfFqpnvu@xn1s%J7uNZC9C99a<_b1J|mx%)$%!6gPU|~<@2&m
zz99GDp`|a%m*iggvfL;4%X;~WY>)@!tMWB@P`)k?$;0x9JSrRI8?s3rlgH(o@`OAo
zn{f*gZ#t2u<vX%PzAIbh8QCV^lkM_->6K??hx|aElOM`Xd0t+SAIUEHvFw%?Wsm$s
zUXq{6UU?a>Nc@@Xlb_2k<d?Yk`js4zSLLAmT7Dyk<TW`guge>9M1Ctr<#+O?yd}rv
z_wu&<L5|BGrBD7Of0n<<JMvdKA@9n2@;7;3{*GxNK9rO44>=_t$!Yngd@N_AUj}T;
z#*Ce|%XZr_sQcsWcsl{pCnnj+c8ZNIMmx<;w=-g$Q>BU;9k;w|zQ;4!W32Xg2Cd?{
zvmO3kuKQ^Hv;o>6ZHP8ZJ2`4~Bx?N;cf<0fi=!*G^^WzbTF3e$b&d^qqB{>nqLG81
zs94bBh%|Vj+hLu=!8(b9brJ>ZBns9^6s(gdSVyP9qnu2_I{Sg8j-rloG6{d`De5We
zDe5WeY3ga}Y3ga}Y3ga}Y3ga}Y3ga}d8y~6o|k%F>UpW>rJk31Ug~+N=cS&HdOqs;
zsOO`ek9t1p`Kafko{xGy>iMbXr=FjBxZMYc8a#gL`Kjlpo}YSt>iMY`pk9DF0qO*(
z6QE9jIsxhgs1u-0kUBx8D@eT{^@7w3QZGooAoYUO3sNscy%6<6)C*BBM7<F8LevXU
zFGRf%^}^H(Q!h-tF!jRJ3sWyly>L`dk$Xk%6}eZQXgo#!75P`>Uy*-B{uTLG<X@40
zMgA4}SL9!je?|Tk`B&s$k$*-075P`>Uy*-B{uTLG<X@40MgA4}SL9!je?|Tk`B&s$
zk$*-075P`>Uy*-B{uTLG<X@40MgA4}SL9xidqwUQxmV;~k$Xk%6}eaBUXgo6?iIOL
z<X#1$JSg(7$iE{0iu^0`ugJe5|BC!8@~_ChBL9l~EAp?%zasyN{44UW$iE{0iu^0`
zugJe5|BC!8@~_ChBL9l~EAp?%zasyN{44UW$iEuoJ{&DaDjY3GsEwTSjAnVzEDxIH
zL9;w)mIux9pvk``|C;=3@~_FiCjXlJYx1wjy(agXylZl<$+;%y7~~jDCpp*TT9a!{
zt~I&V<XV$!O|CV$*5q1~YfY{-xz^-blWR?`G3|Ub9pqZ`yspW&Cf}NTYx1qhw<h13
qd~5Qp$+srontW^Wt)qNLLXk-9aux9_WlUi5WYd6^D_dVgyY*ioe@L+a

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.woff b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/fonts/bootstrap/glyphicons-halflings-regular.woff
new file mode 100644
index 0000000000000000000000000000000000000000..9e612858f802245ddcbf59788a0db942224bab35
GIT binary patch
literal 23424
zcmY&eV{m0%u#Iioo_J#0nb?@vwry)-+qNe*Z>))v8{5gt_uj9!t5)^yb-JtjRGrhi
zYInOUNJxNyf_yKX01)K=WP|Si>HqEj|B{eUl?MR<)%<1&{(~)D+NPwKxWqT-@~snp
zg9KCz1VTZDiS?UH`PRk1VPM{29cgT9=<v;Lf`EYagMdIet=H@a8oRlWfPg?`f7?L(
zFKED?%?+Ku?I7~Mb(sI~^#uZMZsTe8&6R_I$YX<mq!jz=4cJ?l8k&HBDD{8auziCA
zQl4qm;+y>D?!Wc_@}qzggFv;gb@2cJQAYWWtpEZ7?y@jSVqjx${B5UV@SO|wH<<0;
z{><1KdVI%Ki}>~<`46C0AggwUwx-|QcU;iiZ{NZu`ur>hd*|<W)sXtmhXDixZoaeV
zklo$X=sQ21?>Hb(|6veERq<PbegkBRzi{?HIp-GW`hU_n&12ozz{J4dAGi@L6pDe-
z_ud2pJc-_b2pj}b3Pc9vzvpJBX4(Dy6a52IgD!!AfuwLEKN$^~jn+XAz)Mg9U?T~E
zgqNfL`tz^91n&aBz=T}M5SD}tB`7H25Mn@BQsEK4gL$l9qzGE52osF@rxjbO42^t7
z#@g=mu(37N%+Vt`PAJL-lQ=FQENF`3={3?oV6ei1hBKA`DuVTzgGk7b#0j#++TdzR
zI(97e!~g}_G7m33x=^Ssom?;fl4q}a+^;UP-1|ZzG9$*2kpk7p8YI9lAxj<90CjKp
zE8u&KGi5Zv=157hgKP@$c2&H4zuKcOmHoZD%?+qY(Kf~v8|7crq{Nr<WvZ$ts)Fb$
z8!IcdkQ`H>xu=b@5Bab=rqptGxd{QJg!4*-i_$sES~)AB46}Fjg|ea#e@?J}z%CUJ
zOsLWRQR1#<tB|QIEY)&I*ZbudHp)E;$><nb=BbXZ4tHi(jj=+TGtb?X^faOKFyozE
zS@PKF)~8;5xRSNpTm4ugp<(oc@Q3%7K-)@eyP?m1z&l;rf%%J4?;rfzsBU`M+aNyb
z*@?y5Vm{LN@ggUHmiuxx_Dtj5rsol#BM~=pjyHqe<HcvPas11*o_#i9ZJ%`X+7&6Y
z4F}#7CrnT%)O76bs<&03Bs~CBL9-lPzgZEx+oS+S$-gV~5q;R39w5(FZ(Km5B%*l&
z(rrr`BO68!fN#?(kC!s6W?du1@vWLl$02}9k4Iw`sS*azt|mzMLd*ov1C_X-Z_DEc
zA>ng^sD)A4FDuY!iUhzlgfJh(J@BRqd&P#v2B`+saBx>m+M&q7vk-75$NH%T5pi%m
z5FX?`2-5l53=a&GkC9^NZCLpN5(DMKMwwab$FDIs?q>4!!xBS}75gX_5;(luk;3Vl
zLCLd5a_8`Iyz}K}+#RMwu6DVk3O_-}n>aE!4NaD*sQn`GxY?cHe!Bl9n?u&g6?aKm
z-P8z&;Q3gr;h`YIxX%z^o&GZZg1=>_+hP2$$-DnL_?7?3^!WAsY4I7|@K;aL<>OTK
zByfjl2PA$T83*LM9(;espx-qB%wv7H2i6CFsfAg<9V>Pj*OpwX)l?^mQfr$*OPPS$
z=`mzTYs{*(UW^ij1U8UfXjNoY7GK*+YHht(2oKE&tfZuvAyoN(;_OF>-J6AMmS5fB
z<XKU7YH10@@&WJhj71Cj$=TP(r@q<cW{2}t$FbdUw)ad2!elcuLPw0X5toDsPadV*
zO3EPF>^sY6wea&&${+!}@R1f$5oC-2J>J-A${@r(dRzc`wnK>a7~8{Y-scc|ETOI8
zjtNY%Y2!PI;8-@a=O}+{ap1Ewk0@T`C`q!|=KceX9gK8wtOtIC96}-^7)v23Mu;MH
zhKyLGOQMujfRG$p(s`(2*nP4EH7*J57^=|%t(#PwCcW7U%e=8Jb>p6~<TTQ9e?y3C
zdb|J>>RAlY4a*t<yx)M!`#-^(n~+nSXHt)XXPCd>s=pl}_J{->@kKzxH|8XQ5{t=E
zV&o`$D#ZHdv&iZWFa)(~o<E{GN9+27JE4iktONzQ1b)q{Sex30G?of$HMKN~8KD%g
zA+E{L7XRV>Bh-Osl{~CS0hfM7?PyWUWsr5oYlsyC1cwULoQ4|Y5RHA2*rN+EnFPnu
z`Y_&Yz*#550YJwDy@brZU>0pWV^RxRjL221@2ABq)AtA%Cz?+FG(}Yh?^v)1Lnh%D
zeM{{3&-4#F9rZhS@DT0E(WRkrG!jC<!Dwf@j`RqVrLtHFoIyn_L9bxbWrgS*Z9wMu
z#p1&N;H{ZGv&zD_N*zbkas>#5?OFjZv*xQjUP~XsaxL2rqRKvPW$zHqHr8Urp2Z)L
z+)EvQeoeJ8c6A#Iy9>3lxiH3=@86uiTbnnJJJoypZ7gco_*Hv<E!$|Yb^#x+eGvv(
zIp;Wt3|Xgi12|CZQBu5wnkbr4Z_o<}@wU&ThE&G4r6LGOs?2M%<}Vu1j2>KOH97B?
zWiwp>+r}*Zf9b3ImxwvjL~h~j<<3shN8$k-$V1p|96I!=N6VBqmb==Bec|*;HUg?)
z4!5#R*(#Fe)w%+RH#y{8&%%!|<UeDoR>fQ5JcFzUE;-yVYR^&Ek55AXb{^w|@j|&G
z|6C-+*On%j;W|f8mj?;679?!qY86c{(s1-PI2Wahoclf%1*8%JAvRh1(0)5Vu37Iz
z`JY?RW@qKr+FMmBC{TC7k@}fv-k8t6iO}4K-i3WkF!Lc=D`<I4n3h#nG>nuD)v#Na
zA|R*no51fkUN3^rmI;tty#IK284*2Zu!kG13<C=xWI7mp_-$=}wb|<b)!OZRv-HEP
z{%b~I$E(4`VZ#-glOe-5)a2pflY1Bz-1#4je?)~T9!X4-E;pkTTM{XAe2I!K$wY&{
zHEYHdnV_WuXSOaFHmg_J8USFkT|e)_-*FkL@p7z7`X=kCplNBVHgHbdYiIA4b&ia%
zF^b30NW{}~a)`)^H3EMpr)@2a^C3(yt-t3eigT2)odQdx2zf*pafN9pF#;@+u4LZa
z7x<*Yxq9&rRf5M3B$p^s`skXsITAn=Zo(y=33sGRSGWuaK?&Ne`Pj#q{feF+D~&z+
zEyT)MiaBL7L|^V76c6eAiTxZof6@zS20aGf%dzLc3HH8OA(-=u{w4pJ6%*OO;uayC
zzR4O{sz+f(78K2km*}=(W9{c=$lUj4eqLf#^t$Qwnbo?bEXMO?j$N^G)CbdGe8!P9
zJnZQX@k)7bzDG0I8w{~ZPTf4?D$;UGe$M~$TSzciU_@dS=0n{mhB=qm5O0^X+E9+o
z1x?ef8>!$OlxJAt@zLU`kvsazO25TpJLbK&;M8kw*0)*14kpf*)3<d6yUQxMZe%8t
zXy(eYN2(&WrmwSg<nK0tWy!~|3-Ib)_FW|=FVb)tUsL?PQ@qp22p>;GiDh;C(F}$-
z1;!=OBkW#ctacN=je*Pr)lnGzX=OwgNZjTpVbFxqb;8kTc@X&L2XR0A7oc!Mf2?u9
zcctQLCCr+tYip<jrMK$>a_k=;1ETIpHt!Jeo;iy^xqBES^Ct6-+wHi%2g&)?7N^Yy
zUrMIu){Jk)luDa@7We5U!$$3XFNbyRT!YPIbMKj5$IEpTX1IOtVP~(UPO2-+9ZFi6
z-$3<|{Xb#@tABt0M0s1TVCWKwveDy^S!!@4$s|DAqhsEv--Z}Dl)t%0G>U#ycJ7cy
z^8%;|pg32=7~MJmqlC-x07Sd!2YX^|2D`?y;-$a!rZ3R5ia{v1QI_^>gi(HSS_e%2
zUbdg^zjMBBiLr8eSI^BqXM6HKKg#@-w`a**w(}RMe%XWl3MipvBODo*hi?+ykYq)z
ziqy4goZw0@VIUY65+L7DaM5q=KWFd$;W3S!Zi>sOzpEF#(*3V-27N;^pDRoMh~(ZD
zJLZXIam0lM7U#)119Hm947W)p3$%V`0Tv+*n=&ybF&}h~FA}7hEpA&1Y!BiYIb~~D
z$TSo9#3ee02e^%*@4|*+=Nq6&JG5>zX4k5f?)z*#pI-G(+j|jye%13CUdcSP;rNlY
z#Q!X%zHf|V)GWIcEz-=fW6AahfxI~y7w7i|PK6H@@twdgH>D_R@>&OtKl}%MuAQ7I
zcpFmV^~w~8$4@zzh~P~+?B~%L@EM3x(^KXJSg<wVEvJN(*DSLK{@lLZ^>c6I=;)B6
zpRco2LKIlURPE*XUmZ^|1vb?w*ZfF}EXvY13I4af+()bAI5V?BRbFp`Sb{8GRJHd*
z4S2s%4A)<beb5!5W2AL1ws>6Uc=PK%4@PbJ<{1R6+2THMk0c+kif**#ZGE)w6WsqH
z`r^DL&r8|OEAumm^qyrryd(HQ9olv$ltnVGB{aY?_76Uk%6p;e)2DTvF(;t=Q+|8b
zqfT(u5@BP);6;jmRAEV057E*2d^wx@*aL1GqWU|$6h5%O@cQtVtC^isd%gD7PZ_Io
z_BDP5w(2*)Mu&JxS@X%%ByH_@+l>y07jIc~!@;Raw)q_;9oy@*U#mCnc7%t85qa4?
z%_Vr5tkN^}(^>`EFhag;!MpRh!&bKnveQZAJ4)gEJo1@wHtT$Gs6IpznN$Lk-$NcM
z3ReVC&qcXvfGX$I0nfkS$a|Pm%x+lq{WweNc;K>a1M@EAVWs2IBcQPi<R5t!qadV8
z`@w2vB^p<`Z$u8twt230^FDUXk@KFGRjk|Wy)IU*vs&-S4^@ur^QOw}{f&PX2ZUtx
z2^VHiFLv0j^tM_qTCdnm{?$%kSnzz+Rz#c}<%d@@&Y%vBngG@bQjNu*$QIzHiMtlr
z%<!I8J_+!}g1P;40riIDVp#J58>EJNt}+Ea8~WiapASoMvo(&PdUO}AfC~>ZGzq<X
zA{wc(2{B`w8<FdY#fUA=!$2hWfZJFFh^biG^FRul&;5HGQt3HYB*8-U;tAm`ZDrW?
zLGzSCAtG}^Y%BI&AQbV|jc8`aQkJs}$KZGr4&D`BKH5)pk?++zISItrK-zIx+|7D6
zd{(|~knMc?H%TN~Ttm8w#&X{*x_x0Tx_urTbWQT(rM-zoT(XUHVI3m?V@uQP4J|db
z_OkbMEz8a;6}80;ZBwYhBLn3A0_Q%9Xo7*<Qa^td-Q$KXkb<^$rXNS+J!!v~e_27-
z?B(DtKu5zrraAfXQ`1kqTCnO1=JFF~4jJA+&eXD+hsTX=d50Jrj6yJ)U-=XHF8z-o
z1o@Y7@sl2x7U<!Ygv?%s5eyX!wKt`l=(%|REJ0yS<TOH?s9B)is6Iv13lr}2%hiI}
zPUW^d?_dD#I&an8I8t^fY)SnDOhO39OTDNje$JA5dr5!UH92rZ)87wX;yQSp&mZg<
zmgmz=w6D&%v&B;c-vM3DEvl$Gev##x*ndtU#f^N2I}99-3HZpRE^$`D%!0A_ujaQb
zI5z(Mh2X@IN1#BF?<;^jK#~(MAEc`h<3P$Nghud=)(&&|-qnC?^x{5VK>Wjd)4no(
ziLi#e3lOU~sI*XPH&n&J0cWfoh*}eWEEZW%vX?YK!$?w}htY|GALx3;YZoo=JCF4@
zdiaA-uq!*L5;Yg)z-_`MciiIwDAAR3-snC4V+<n|J*V*n#h?&wg+C8sg$z312~u%3
zz$RVnQhlm*2c)>KA>&V%Ak;p{1u>{Lw$NFj)Yn0Ms2*kxUZ)OTddbiJM}PK!DM}Ot
zczn?EZXhx3wyu6i{QMz_Ht%b?K&-@5r;8b076YDir`KXF0&2i9NQ~#JYaq*}Ylb}^
z<{{6xy&;dQ;|@k_(31PDr!}}W$zF7Jv@f%um0M$#=8ygpu%j(VU-d5JtQwT714#<!
z&vm@KPB=l<TMpuv%DS+RW~~WnEOz5WiaSxW4<ph#&0;zqiCMt1ekX<hrb8#^mBYaW
zJA2vi7UWJVhfbeu%Rejgz>f0z+Cm$F9J<FFP&8OfSp_OMl7>jGr_G!~NS@L9P;C1?
z;Ij2YVYuv}tzU+HugU=f9b1Wbx3418+xj$RKD;$gf$0j_A&c;-OhoF*z@DhEW@d9o
zbQBjqEQnn2aG?N9{bmD^A#Um6SDKsm0g{g_<4^dJjg_l_HXdDMk!p`oFv8+@_v_9>
zq;#WkQ!GNGfLT7f8m60H@$tu?p;o_It#TApmE`xnZr|_|cb3XXE)N^buLE`9R=Qbg
zXJu}6r07me2HU<)S7m?@GzrQDTE3UH?FXM7V+-lT#l}P(U>Fvnyw8T7RTeP`R579m
zj=Y>qDw1h-;|mX-)cSXCc$?hr;43LQt)7z$1QG^pyclQ1Bd!jbzsVEgIg~u9b38;>
zfsRa%U`l%did6HzPRd;TK{_EW;n^Ivp-%pu0%9G-z@Au{Ry+EqEcqW=z-#6;-!{WA
z;l+xC6Zke>dl+(R1q7B^Hu~HmrG~Kt575mzve>x*cL-shl+zqp6yuGX)DDGm`cid!
znlnZY=+a5*xQ=$qM}5$N+o!^(TqTFHDdyCcL8NM4VY@2gnNXF|D?5a558Lb*Yfm4)
z_;0%2EF7k{)i(tTvS`l5he^KvW%l&-suPwpIlWB_Za1Hfa$@J!emrcyPpTKKM@NqL
z?X_SqHt#DucWm<3Lp}W|&YyQE27zbGP55=HtZmB(k*WZA79f##?TweCt{%5yuc+Kx
zgfSrIZI*Y57FOD9l@H0nzq<E4Q@_YK<1;`>Ou|Bhrm&^m_RK6^Z<^N($=DDxyyPLA
z+J)E(gs9AfaO`5qk$IGGY+_*tEk0n_wrM}n4G#So>8Dw6#K7tx@g;U`8hN_R<bPv^
zP6}0b!dly7dCc=KnICM>;^Uw9JLRUgOQ?PTMr<oQ9o~>4YD5H7=ryv)bPtl=<&4&%
z*w6k|D-%Tg*F~sh0Ns(h&mOQ_Qf{`#_XU44(VDY8b})RFpLykg10uxUztD>gswTH}
z&&xgt>zc(+=GdM2gIQ%3V4AGxPFW0*l0YsbA|nFZpN~ih4u-P!{39d@_MN)DC%d1w
z7>SaUs-g@Hp7xqZ3Tn)e<dV~D-0@M0u`KSW@qBLlIFNKze0?;|tm!<F9_5{TDKnUY
zJB8#(%G(di5;`|v12#{)=^Bhy!6zu5lq~#Rj8QgnK?%W-bqS8Lq9_xGRU?MD1Z_M>
z7x^sC`xJ{V<3YrmbB{h9i5rdancCEyL=9ZOJXoVHo@$$-%Za<Y<=Dws@<HVOn84kp
zy7czzAj#&D?|uHYH^U!oq7C#CS4C-HKPWUJ-r}5;#IkR`+-?7IMg|O#r^#PS@coAT
z<xl(XMO(JUH%Fc8@Q;tlw>Nm-75Z-Ry9Z%!^+STWyv~To>{^T&MW0-;$3yc9L2mhq
z;ZbQ5LGNM+aN628)Cs16>p55^T^*8$Dw&ss_~4G5Go63gW^CY+0+Z07f2WB4Dh0^q
z-|6QgV8__5>~&z1gq0FxDWr`OzmR}3aJmCA^d_eufde7;d|OCrKdnaM>4(M%4<dMy
z`?Qi<9Ebh#nVT{&VVFv66RU??kcC8}u+l^~F(m>V`PxpCJc~UhEuddx9)@)9qe_|i
z)0EA%&P@_&9&o#9eqZCUCbh?`j!zgih5sJ%c4(7_#|Xt#r7MVL&Q+^PQEg3MBW;4T
zG^4-*<N;_j_KF=#ltp<I^9_IU8#T_ulQ_w;P&0IS=TATWkvf^^ks|nDnb@T^ShFUW
ztuyr~q)6&!?68RQ-V8G+#+EoOhWE-6A7rk5HfHxAG?Sknf`kY=i0}11&e`cz`MCO{
zQd*rofIJ{OtoMr$=gf?H!$EPT16>8L%s|A}R%*eGdx&i}B1He(mLygTmIAc^G(9Si
zK7e{Ngoq>r-r-zhyyg<ieAPsqNv@SQwQ@xsNn5Vw2I}E18CcU&C?((>K)*9cj8_%g
z)`>ANlipCdzw(raeqP-+ldhy<kGNs8`S#*G-e>Uv_VOht+!w*>Sh+Z7(7(l=9~_Vk
ztsM|g1xW`?)?|@m2jyAgC_IB`Mtz(O`mwgP15`lPb2V+VihV#29>y=H6ujE#rdnK`
zH`EaHzABs~teIrh`ScxMz}FC**_Ii?^EbL(n90b(F0r0PMQ70UkL}tv;*4~bKCiYm
zqngRuGy`^c_*M6{*_~%7FmOMquOEZXAg1^kM`)0ZrFqgC>C%R<qRBgHG)$UB@XBA@
zshx3_1QSr};A7TJ_s8FNBrzB>JvQSo_OAA(WF3{euE}GaeA?tu5kF@#62mM$a051I
zNhE>u>!gFE8g#Jj95BqHQS%|>DOj71MZ?EYfM+MiJcX?>*}vKfGaBfQFZ3f^Q-R1#
znhyK1*RvO@nHb|^i4Ep_0s{lZwCNa;Ix<{E5cUReguJf+72QRZIc%`9-Vy)D<o;c>
zWKhb?FbluyDTgT^naN%l2|rm}oO6D0=3kfXO2L{tqj(kDqjbl(pYz9DykeZlk4iW5
zER`)vqJxx(NOa;so@buE!389-YLbEi@6rZG0#GBsC+Z0fzT6+d7deYVU;dy!rPXiE
zmu73@Jr&~K{-9MVQD}&`)e>yLNWr>Yh8CXae9XqfvVQ&eC_;#zpoaMxZ0GpZz7xjx
z`t_Q-F?u=vr<JfY4KbWG<xAz}usjoo`>RPaj3r<9&t6K=+egimiJ8D4gh-rUYvaVy
zG($v+3zk5sMuOhjxkH7bQ}(5{PD3Mg?!@8PkK&w>n7tO8FmAmoF30_#^B~c(Q_`4L
zYWOoDVSnK|1=p{+@`Fk^Qb81Xf89_S`RSTzv(a4ID%71nll%{Wad$!CKfeTKkyC?n
zCkMKHU#*nz_(tO$M)UP&Zf<GNy8?Xs8hUzIu0nqFC9@Ka{&R$vXnbN*?hR?iwv-x*
zPrH;>J#*q(0Gr!E(l5(ce<3xut+_i8XrK8?Xr7_oeHz(bZ?~8q5q~$Rah{5@@7SMN
zx9PnJ-5?^xeW2m?yC_7A#<rjP_en{9P5bFL68vgKu`Lv^loBE5&?9+BtYGMUT06bd
zXEt*_Sdl_o?{!kSnxeJB_xVtFwR-bF`2MlsSO1bZtN)M(j%)mHVUj4b&G~L_`|PNv
zb05EL`!%-lV_>WK*B@oIy*Y@iC1n7lYKj&m7vV;KP4TVll=II)$39dOJ^czLRU>L>
z68P*PFMN+WXxdAu=Hyt3g$l(GTeTVOZYw3KY|W0Fk-$S_`@9`K=60)bEy?Z%tT+Iq
z7f>%M9P)FGg3EY$ood+v<G?d-tNS5y+I=S1dlJZvs-NC{^w-&Jr{gfwR>$pdsXvG?
zd2q3abeu-}LfAQWY@=*+#`CX8RChoA`=1!hS1x5dOF)rGjX4KFg!iPHZE2E=rv|A}
zro(8h38LLFljl^>?nJkc+wdY&MOOlVa@6>vBki#gKhNVv+%Add{g6#-@Z$k*ps}0Y
zQ=8$)+Nm||)mVz^aa4b-Vpg=1daRaOU)8@BY4j<Xy)*mrZf+Eqj^RX06GbC^vLKT|
zpteFBLq#626+?=M@k2|V@k{2aN?cRlCum?`TP_u}%3Y{AVZHbKwm{q2d`D~XsJSyD
zl=xk@5@i0e1=0fu$jfj1+lTA1h#%78*$MuUCU^B9>S>=5n#6abG@(F2`=k-eQ9@u#
zxfNFHv=z2w@{p1dzSOgHokX1AUGT0DY4jQI@YMw)EWQ~q5wmR$KQ}Y;(HPMSQCwzu
zdli|G?bj(>++CP)yQ4s6YfpDc3KqPmquQSxg%*EnTWumWugbDW5ef%8j-rT#3rJu?
z)5n;4b2c*;2LIW%LmvUu6t1~di~}0&Svy}QX#ER|hDFZwl!~zUP&}B1o<!gKVHBj1
z!0%hK_{Iy`*BgY<Qck8#<-rH4Lg1;Qj-hq2OvPXM$(Gkmg`0T7B6Gm*>KAxIzt~so
zb!GaJYOb#&qRUjEI1xe_`@<o~iP+Rf(GIMHq*yg6%vf7Mu<-aQ)$}%3o$R+x;;~W%
zCQ~RFyB5g)F1k-t!#^TN>7qv_-LggQ$JE8+{ryT4%ldwC5ete+{G3C#g@^oxfY3#F
zcLlj(l2G8>tC<5XWV|6_DZQZ7ow?MD8EZ9mM2oV~WoV-uoExmbwpzc6eMV}%J_{3l
zW(4t2a-o}XRlU|NSiYn!*nR(Sc>*@TuU*(S77gfCi7+WR%2b;4#RiyxWR3(u5BIdf
zo@#g4wQjtG3T$PqdX$2z8Zi|QP~I^*9iC+(!;?qkyk&Q7v>DLJGjS44q|%yBz}}>i
z&Ve%^6>xY<=Pi9WlwpWB%K10Iz`*#gS^YqMeV9$4qFchMFO}(%y}xs2Hn_E}s4=*3
z+lAeCKtS}9E{l(P=PBI;rsYVG-gw}-_x;KwUefIB@V%RLA&}WU2XCL_?hZHoR<7ED
zY}4#P_MmX(_G_lqfp=+iX|!*)RdLCr-1w`4rB_@bI&<E#m-6fJX?!@HMojcz?@FV(
zEwb`K9p)6DH8Vt-HX;X2^%28zP(BOT@+<+Oy5Uv8eD=4p<t0n4?tw(5<&#sr?h6zV
z!&Zb?gM&8<%??jXTdmMb1(#@6)m(rk*#aUo^iqOs4-#{`NA;|yExPzdS?_q~O>Uz#
z!>9C3&LdoB$r+O#n);WTPi;V52OhNeKfW6_NLn<EDp2Lr=qOaId}Ifx9lEG?H#PEN
zbI74Vx*PNK+cvB53_AWmzs=zCb5!9-mCcW#<QbIdOJM|=ASw5QpF+P}oobETGwNf<
z0{kapJo<fgf(@=YJA0C%pNqB2CMVFcToi3AV3#1!n@Z&vX@98&`Sz6*SUYY~uWq>w
zpFTuLC^@aPy~ZGUPZr;)=-p|b$-R8htO)JXy{ecE5a|b{{&0O%H2rN&9(VHxmvNly
zbY?sVk}@^{aw)%#J}|UW=ucLWs%%j)^n7S%8D1Woi$UT}VuU6@Sd6zc2+t_2IMBxd
zb4R#ykMr8s5gKy=v+opw6;4R&&46$V+OOpDZwp3iR0Osqpjx))joB*iX+diVl?E~Q
zc|$qmb#T#7Kcal042LUNAoPTPUxF-iGFw>ZFnUqU@y$&s8%h-HGD`EoNBbe#S>Y-4
zlkeAP>6<Z7QQ9XL^<-l?vhbA^VVM{w_AGyBxGo2D4xc6Tl~BnC{PHYDLP{4>2k~-N
zHQqXXyN6<L3Gg$i2mMBKaSbx<i~TEhvQ{`W#&P&}*M*bY-+RuxoiU+jyjZtu*2#d`
z4;V{mY|5$$TfD^8s7AA{v{=Q~S8RRnPkT2vB+qp-b$~mY>7hGD6CxQIq_zoepU&j0
zYO&}<4cS^2sp!;5))(aAD!KmUED#QGr48DVlwbyft31WlS2yU<1>#VMp?>D1BCFfB
z_JJ-kxTB{OLI}5XcPHXUo}x~->VP%of!G_N-(3Snvq`*gX3u0GR&}*fFwHo3-vIw0
zeiWskq3ZT9hTg^je{sC^@+z<IC+@jyb5}hL&*c9&Uv=C+8r5MFr<BeiUxikY7v-2j
z#^Wp1Woo#;-OnJd6+u?>3FAd}KNhbpE5RO+lsLgv$;1igG7pRwI|;BO7o($2>mS(E
z$CO@qYf5i=Zh6-xB=U8@mR7Yjk%OUp;_MMBfe_v1A(Hqk6!D})x%JNl838^ZA13Xu
zz}LyD@X2;5o1P61Rc$%jcUnJ>`;6r{h5yrEbnbM$$ntA@P2IS1PyW^RyG0$S2tUlh
z8?E(McS?7}X3n<sX7)_F=$tGzECOdx`5F$56$H6$2HeHDocU>AAJs2u_n{^05)*D7
zW{Y>o99!I9&KQdzgtG(k@BT|J*;{Pt*b|?A_})e98pXCbMWbhBZ$t&YbNQOwN^=F)
z_yIb_az2Pyya2530n@Y@<KMNVgC+@Hh^eD5>s>s>n?L79;U-O9oPY$==~f1gXro5Y
z*3~JaenSl_I}1*&dpYD?i8s<7w%~sEojqq~iFnaYyLgM#so%_ZZ^WTV0`R*H@{m2+
zja4MX^|#>xS9YQo{@F1I)!%<Q9x6E+JCnjAm>RhM{4ZUapHTKgLZLcn$ehRq(emb8
z9<w{<)uy~=x}G;ZX+CDl#T7`~iRBx5XO`@><&Nx*RLcS#)SdTxcURrJhxPM2IBP%I
zf1bWu&uRf{60-?Gclb5(IFI*!%tU*7d`i!l@>TaHzYQqH4_Y*6!Wy0d-B#Lz7Rg3l
zqKsvXUk9@6iKV6#!bDy5n&j9MYpcKm!vG7z*2&4G*Yl}iccl*@WqKZWQSJCgQSj+d
ze&}E1mAs^hP}>`{BJ6lv<q%AGiq()8hz}1^1ex;^<jj#cc=g{s#0iIU-+2jVmxWDS
zd7qq)5u4+Paaui>*>0-ft<;P@`u&VFI~P3qRtufE11+|#Y6|RJccqo27Wzr}Tp|DH
z`G4^v)_8}R24X3}=6X&@Uqu;hKEQV^-)VKnBzI*|Iskecw~l?+R|WKO*~(1LrpdJ?
z0!JKnCe<|m*WR>m+Qm+NKNH<_ye<gDWD0Fl@Ho4<!fm=u&SGgDO!cbo+8PUwfWk+V
z)@b~#GtD0d4#K=39kiev5hj=8h(Nljd<HunOw<O@9z?#m(rb)ZnCBDPu~!uM>fIml
z+x32qzkNRrhR^IhT#yCiYU{3oq196nC3ePkB)f%7X1G^Ibog$ZnYu4(HyHUiFB`6x
zo$ty-8pknmO|B9|(5TzoHG|%><C<pr4&IxzPg{!KcQqRSE~Tvrur~GxUa*ce)ipeE
zWgS=NE-mtVKb)JH#~V9~Hf<heFWK%N<`blD%sTD$A|XGR=J%4vWJQ9B3q;($v$3~e
zpgG#}?8+2jU@b$OcWYMF>s#7)CM(i=M7Nl=@GyDi-*ng6ahK(&-_4h(lyUN-oOa$`
zo+P;<GhFDlQ-b}GJ)A97b8DT!@21D?+G`33xflj&^Ajw)WxefL*Yy?uny35myNvN;
zJu2^EIk(I5BXd2N-yKn?<jAHF(>C4d@m^p9J4c~rbi$rq9nhGxayFjhg+Rqa{l#`Y
z!(P6K7fK3T;y!VZhGiC#)|pl$QX?a)a9$(4l(usVSH>2&5pIu5ALn*CqBt)9$yAl;
z-{fOmgu><7Y<XFolPQk)mb~-4Wz2OqAihGXbfUWv<O@$JoEd1wcAoD{S1ZgFTS^!t
z+_d^VD?_*`AXb~e&yM8k-n#rSNZe`F1hkVx1o46tWKB^*u4Iztzf9jS`;huL0efN_
zw(C5^O4iFb>J5k>*0Q~>lq72!XFX6P5Z{vW&zLsraKq5H%Z26}$OKDMv=sim;K<Yz
zr-(K#w$yhGyI)R05r<FcNBPUs!f8{%L|!+M;WNfIk0#<kNVlmop1dan3IH7GPG0zR
zbu5#oKma)07cl(sMbhFbgIx|mM?)DnP$;1oA~OW0kph!a5>?vsoVs(JNbgTU8-M%+
zN(+7Xl}`BDl=KDkUHM9fLlV)gN&PqbyX)$86!Wv!y+r*~kAyjFUKPDWL3A)m$@ir9
zjJ;uQV9#3$*`Dqo1Cy5*;^8DQcid^Td=CivAP+D;gl4b7*xa9IQ-R|lY5tIpiM~9-
z%Hm9*vDV@_1FfiR|Kqh_5Ml0sm?abD>@peo(cnhiSWs$uy&$RYcd+m`6%X9<SS+iH
zB{MTIilfs+m}FIm`WFe<b<`1NL(_5%pWxy`61V?hXOmI!N62_Zv-n^jPyCieqxTv3
zu0_=zb8f!dMp?R&UxGJe1qNBBRLXVmj-(R6+9rkXoo6CT-@FKe>FN%?<F{pFRdeJu
z{9WJNuwr(Se^zX7t-vqF<$J*yv&MnYO_uaKBS^eIab7YX1r1^(=OyZJp!PzX%0e7b
zeEpxGl+qFvtIR-KD}KZT9sfArU;dGM3-23I#q69NU-%A?w~!T{F+*-_Lil`8wsSSR
zeW-s?xK)R5p&SHb*TI!J314$wOF*NT7qT*&*Og`^+jXq)LaOJ8#&*`Gy)1X0+KiH$
zU-5JNg0Goq-9^C#_ZqHXSIP}b7@(P=L?LSJk~7{IhyH9xAy{$zEDuPUgJ_RJae#PE
zOqO-BK*KnjogIL_)Jz3RACJUY?ZEW~+1H$~{2k_o%Y(uIH3R6z`K|NdGL!=5lV$Vc
z*(&fGI7OherXM4x!s0w3{b4Ax#6<l}lTU2>w}s~Q=3!pJzbN~iJ}bbM*PPi@!E0eN
zhKcuT=kAsz8TQo76CMO+FW#hr6da({mqpGK2K4T|xv9SNIXZ}a=4_K5pbz1HE6T}9
zbApW~m0C`q)S^F}B9Kw5!eT)Bj_h9vlCX8%VRvMOg8PJ*>PU>%yt-hyGOhjg<ke2;
z7Th2%k_wZpW!A{?Dn2nLFJ4=lqYa4jV<d3;8-+Dg@?%0IvOWsDfrv_`J~>!2pZR4{
z=VR_*?Hw|aai##~+^H>3p$W@6Zi`o4^iO2Iy=FPdEAI58Ebc~*%1#sh8KzUKOVHs(
z<3$LMSCFP|!>fmF^oESZR|c|2JI3|gucuLq4R(||_!8L@gHU8hUQZKn2S#z@EVf3?
zTroZd&}JK(mJLe>#x8xL)jfx$6`okcHP?8i%dW?F%nZh=VJ)32CmY;^y5C1^?V0;M
z<3!e8GZcPej-h&-Osc>6PU2f4x=XhA*<_K*D6U6R)4xbEx~{3*ldB#N+7QEXD^v=I
z+i^L+V7_2ld}O2b-(#bmv*PyZI4|U#<t4E{c3+Oa>Q5|22a(-VLOTZc3!9ns1RI-?
zA<~h|tPH0y*bO1#EMrsWN>4yJM7vq<?d%8sAQUGrndP7J-=xw$nCMSpe7!xoUBNp3
zGTsNoHNSmE+wi-t?Vjri@)nrwy)cL`f%zSrKknks+ReH>FZr?uw$H8*P<CaW^*(*P
zrk<ZDEOj-RoW=I>hiHRQg1U9YoscX-G|gck+SSRX<zu*#%uOZJ$&`iwbI4f^EJ9pa
z@T8p1=V0x-K77AYupaOqRJ8Y8`CFqe-OG4O?Pk+3)K=lIg7Aj+5B{LP8{|uD9bb*L
z=JkjZ*a>!(e7@~eeUEw+POsT;=W9J&=EV`cUc{PIg_#TQVGnZsQbCs7#Q-)<h~+VJ
z%O_$A%X$-T2gv^1iV6X%A*e(F(fO?hnMA3<=C!;L;mUog>v#BicxLw#Fb?#)8TYbu
zN)5R=MI1i7FHhF|X}xEl=sW~`-kf;fOR^h1yjthSw?%#F{HqrY2$q>7!nbw~nZ8q9
z<TlAz0DCai`eopoTgUXKr$&x3a%Yszt2{+eo;=r&?LuF;Zj%RNLHAg=LM|in10Rm2
zxd6;k(nHtRPkOmYqHW7fNcCybHEd(KrX46#z77Z9Q1dkPl|2ZTAjBY-ol(B)e&98T
zgr-$?X`Ytyy13^aY2fa`@Y1*X*i2)xR`@;KF^;++G5hoP)3auvu~w3;5+L|E0eJ^s
zgZRj(m;s_<P67c5tRN5r2qBB}z`g`y!oX~V8oXD2oDd8#khWZ&toq|9@%NQ>h{vY!
z<QL?e6`jG`+hK%nypIRco?pA%s6+zYx(b~=Fi(E95-40VeV5w!L2#*>%i=H!!P&wh
z7_E%pB7l5)*VU>_O-S~d5Z!+;f{pQ4e86*&);?G<9*Q$J<tS(vm9lEGpTY@s(2ek+
z8c`{)@2$sFJY{r$73(<V2UKiNm)(n(&DNp1&6b1{q_xZVGIdKSwV*O`Z3q;#cCe`U
zk~C47tS5LEB&@mN%p)_=XY@OEf&MPgH{St5oHz7A*3o-mSC#2S@XC^m@?vD0WoA3+
z%jkw-8_?@Gk~M`p*@7Cp@q?r=ifcr#f5J(+ee*SCy-59!ceTk_CH8c7hwjNA;pzKD
zr8zf+A(f>EJ!ZxY;Oj5&@^eg0Zs!iLCAR`2K?MSFzjX;kHD6)^`&=EZOIdW>L#O`J
z<!j^{WZ{m%sbn?E@W3)ou>f~$M4}JiV}v6B-e{NUBGF<D@nTna4Fj(s(L&KkX*F3!
zglkC}q4NM*a2HP+ijp5<SToUO6J4Q%w}VEJFwp|MQ|{cP2x=Zt1r&nh4>gj-*H%NG
zfY0X(@|S8?V)drF;2OQcpDl2LV=~=%gGx?_$fbSsi@%J~taHcMTLLpjNF8FkjnjyM
zW;4sSf6RHaa~LijL#EJ0W2m!BmQP(f=%Km_N@hsBFw%q#7{Er?y1V~UEPEih87B`~
zv$jE%>Ug9&=o+sZVZL7^+sp)PSrS;ZIJac4S-M>#V;T--4FXZ*>CI7w%583<{>tb6
zOZ8gZ#B0jplyTbzto2VOs)s9U%trre`m=RlKf{I_Nwdxn(xNG%zaVNurEYiMV3*g|
z``3;{j7`UyfFrjlEbIJN{0db|r>|LA@=vX9CHFZYiexnkn$b%8Rvw0TZOQIXa;oTI
zv@j;ZP+#~|!J(aBz9S{wL7W%Dr1H)G-XUNt9-lP?ijJ-XEj1e*CI~-Xz@4(Xg;UoG
z{uzBf-U+(SHe}6oG%;A*93Zb=oE>uTb^%qsL>|bQf?7_6=KIiPU`I|r;YcZ!YG7y~
zQu@UldAwz$^|uoz3mz1;An-WVBtefSh-pv<`n&TU3oM!hrEI?l@v8A4#^$4t&~T32
zl*J=1q~h+60sNc43>0aVvhzyfjshgPYZoQ(<inR$cERK&%N~SSiy;WaiBTgdl;Bz@
zMx7h{4w6)@f3=XUfD<5b*Di$-gK~XeKu8qdfa(KL$OL~#uI0n&gFVreVt1RX*+{5+
z#8$4WWjNT2me=PpYKo4u#73>OOh>LbUIoblb@1z~zp?))n?^)q6WGuDh}gMUaA9|X
z3qq-XlcNl<s-dSKro}45AbD<^IA@6tvSaLv-;sRc5uLj-i(AB^*}0)lznJ6A48b01
zt^mDP9!TqxILrO*cRjO@t^fSYOWb`|vQ*V4*6V-Ii_hT$&15AhsiGo@jvJCCnY0);
z)Gbzh<7K3LRm`L**mLt1MLc+MqqaWkz{2JV0hUf-(7U6vlP$%@`2fR-Dt+r$66q)X
zh2sR=$#8zbejz`}<A~Y#k!TUpiD??3amyj(E}M)o)o#H-j|LmgBHBXsF9$ok?Wh84
zoxjF*=Hw;;!?a%bcJVG|FBP7@_uu_xpir_`+UDHcZX;}|^THjvjdPRUJ+HO3O$%_*
zsal`RIk@07Cuvh)iE1gNnn7n}$9q`Da-o@9CupmsX{@4y;aIQ1WV^7X(Rcx&McA%o
zqa*mh{MZ+m6i(RP#X)4DdX;+iKAzev_!HbYetk>dy5==T4rq*~g@XVY!9sYZjo#R7
zr{n)r5^S{9+$+8l7IVB*3_k5%-TBY@C%`P@&tZf>82sm#nfw7L%92>nN$663yW!yt
zhS>EfLcE_Z)gv-Y^<SaxB6gHmR|E)iyYeg|g|R}ujv8tMcq*gC>h1;xj(<<JyurkO
zku;yk5>4nD4GY{C-nWUgQc9cMmH{qpa!uEznrGF^?bbJHApScQ$j>$JZHAX80DdXu
z--AMgrA0$Otdd#N9#!cg2Z~N8&lj1d+wDh+^ZObWJ$J)_h(&2#msu>q0B$DEERy{1
zCJN{7M@%#E@8pda`@u!v@{gcT3bA*>g*xYLXlbb&o@1vX*x+l}Voys6o~^_7>#GB|
z*r!R%kA9k%J`?m>1tMHB9x$ZRe0$r~ui<kO`4q0h1q9yWTy1Vw;6%l{l&HBbZk8-0
z4ijBu+y@{d)|{@F;ZFKw{xPkg5F+CDU-3fF>}X}jOC)9LH=Po*2SLdtf3^4?VKn<h
zHzQbKiZ9a#y^bZOa6n&Wk$r`rPcR^1TWQZWl`R8PvM?r?^F}g*>u2ox&mV~0oDgi`
z;9d}P$g~9%ThTK8s}5o<m&w0gVXSc39p)SfaC_U5P2<JPm~s|o1ZFngBTt(DrBI%x
z4kDX}YqUJKdxxsso$;8{1MQ;f+HD&9TGSGCQS)Y9GN_l)t8XY5-si=Gs(k<5;!fvW
zxE8*OW}N`jlcqPjb~+szeAOl~e_-nyQAfun)m7Qku$%99s}G7SNoRK-D2Tt?3bf7l
z_f&iauzO~DnLmd4z7qW{*#v(VPN`62cvfV3MGioX->w2V4?(-lU*ed8ro|}mU}pk%
z;bqB0bx3AOk<0Joeh}Vl@_7Po&C`Cg>>gff>e<EyzTH_%h@VP9GTpHG^0d?A+RMpT
z+TYf8aiHmG?aSY>7fu41U3Ic{JQu1W%+!Gvz3GDO2ixKd;KF6UEw8F_cDAh08gB>@
zaRH2Q96sBJ>`4aXvrF0xPtI<C%^cGg^K!B-fX;2xnF2UCh5PH@z5cKKOHR==RLnzf
zSmET?(5QuFJxq~ag0rPdFM7)-DQc6Kkb_;fb-^S9@$f%6aPJ=U;g7Zr?Ox#q(-JyY
zKvu&Cw@3?z3?xc$8o*T2<9qK!(D=t1JD`+Ta(zAy-y-Frq_L?(ciWSU*N3cXEeC5N
zwIavKBghMD()mO&Qc6^H#jRYCBJ}jZ#?v?4($m6CK2G!{)QNVBe9)sd3#Jc(VH2H^
z=FWxE%(d%&VjzHKBh>WoA1pPsRQtU~xDtnEfTJnl{A9u5pR^K8=UdNq%T8F$)FbN>
zgK+_(BF#D>R>kK!M#OT~=@@}3yAYqm33?{Bv?2iBr|-aRK0@uapzuXI)wE0=R@m^7
zQ`wLBn(M*wg!mgmQT1d!@3<2z>~rmDW)KG0*B4>_R6LjiI0^9QT8gtDDT|Lclxppm
z+OeL6H3QpearJAB%1ellZ6d*)wBQ(hPbE=%?y6i^uf%`RXm*JW*WQ%>&J+=V(=qf{
zri~yItvTZbII+7S0>4Q0U9@>HnMP$X>8TqAfD(vAh};2P{QK)ik`a6$W$n<S7xQ?o
z_{n4xoeaH~jS^3HDy+veci7_+aLh^-n?E!YG6S#O$LPEC_>G<{bR2U<qLrkRpb!v0
z%U*eD$^H(<WG-@VF0k%r-g68(2_6$K`r1T6sUwW?8=<u8q_-5ITGbK36tV>fd!^iE
z#1K58$gW!xpeYHeehuhQCXZ9p%N8m<Fx1W4{1&odf~Dg9N*_P3FP{`cbE*_n{Eco>
zB+l~T_u-Ycr!U><XH<{<R0eR`Jn1$qaE<CV>!?xu!!*6rNxq37{`DhMMfY6NpD3Jw
zkYQDstvt30Hc_SaZuuMP2YrdW@HsPMbf^Y9lI<9$bnMil2X7`Ba-DGLbzgqP>mxwe
zf1&JkDH54D3nLar2KjJ3z`*R+rUABq4;>>4Kjc2i<Dy@)!kC&Aw;NA8e)mD}M7}y*
zi5fe;hrp`ef1|wy(>QEj7pVLcZYZ~pteAG4rm1{><Ecc%k1Tki@ADmF<}mEh$<1ax
zS8dQ&w8<!Cd38+}XJ1#f6|D`7AJ6+Fsr$rBs%wDxJx&tw*&5k&wN_-uj!ur;28wi0
zO+Qvl)mUZbXZm|~oa;LAHy_>PQy<rI@3u-En9*i_l~-?$0z#b@Vco$oFcZc}d3oKO
zD*z%H@Hm`{0l9tDx7KHebXBjGPA%mTPf<pnOy#m~KL9BjL-WcR=L#f{u~T2e78Ilg
z(JT)-B~I|YWyGa#aWq+mx~dt<5RI9)@9nr`in)T{m4a6g9DZqFJ{0ZDQ&w4XPvcfW
z)Zgnax(EnBgW0T@l}fNuwENi8sV_h5iwfdBoer10OP+L`!QRkj>=!QiV5G|tVk)53
zP?Azw+N)Yq3zZ`dW7Q9Bq@Y*jSK0<1f`HM;_>GH57pf_S%Ounz_yhTY8lplQSM`xx
zU{r-Deqs+*I~sLI$Oq`>i`J1kJ(+yNOYy$<j89}LeB{DsRRYsqux%gkK#X#@e^U8%
z#M!7}cTMHu<FLh@jarvDc8P_@QfzNdoQi_n+%?2AM>_>R3Jfi680<|^u#J@aY%Q>O
zqfI~sCbk#3--^zMkV&Yj0D(R^rK}+_npgPr_4^kYuG=pO%$C_7v{s@<a9Q#wuB)t?
z#;9BrH!k(Q*;IUj?T<*@HX2{0em!6debb4D8+OTu+|0s%`KdJcokszE{b|_{ztw|2
zP8WR(1+AaeXov%C!=7CsT*LuDx^}pAS;||)2N$TDO}r&-q#K7;nWjNxk~onpjleeK
zUPThfcj0^+;uf%68trL0i1;=y3B3G^4+!l>-{M-P@RL3^<`kO@b=YdKMuccfO1ZW#
zeRYE%D~CMAgPlo?T!O6?b|pOZv{iMWb;sN=jF%=?$Iz_5zH?K;aFGU^8l7u%zHgiy
z%)~y|k;Es-7YX69AMj^epGX#&^c@pp+lc}kKc`5CjPN4Z$$e58$Yn*J?81%`0~A)D
zPg-db*pj-t4-G9>ImW4IMi*v#9z^9V<wSEy0;H<_ip{R`3n$&`z?qY&+x1%E`|f!X
zF^6qcbMj~^Y|&mU__An*YVWv%D)nfhgB<CJl`_02TU%zkuVLq-ifv^5t4@48WjUK6
z<1pI%d1Hq!eHx}*)cFId$Vc5Z{|e7mEOmtuWJf&C8D27?iS2&%o3DCSW(Dy{q!vBU
z<@J%bdvlGuCbxSa3MmV6=PD4kiAVQdnmr=bOicK#q7Xa-!xi^j8Y6rBUZPWqHJ^kK
zO^AmTc89bc5I+T$XZ64^_c1Pnu-4Kq8TW>D9h@9t;3jMAUVxt=oor+16yHf{lT|G4
zya6{4#BxFw!!~UTRwXXawKU4iz$$GMY6=Z8VM{2@0{=5A0+A#p6$aT3ubRyWMWPq9
zCEH5(Il0v4e4=Yxg(tDglfYAy!UpC>&^4=x7#6_S&Ktds)a8^`^tp6RnRd{KImB^o
z2n=t#>iKx<*evmvoE{+fH#@WXGWs$)Uxr<sPjul^54Bff9y%ZVHz+5}qAbDf+|fnm
zNd{_kS$6bt11Qz5?-m)?lU>tf?r>AaxV0?kf0o@oDboJ6z0cgP@A$;k>SK1UqC?Q_
zk_I?j74;}uNXhOf_5ZxQSgB4otDEb9JJrX1kq`-o%T>g%M5~xXf!2_4P~K64tKgXq
z&KHZ0@!cPvUJG<f9>4kw-0;tPo$zJrU-Nop>Uo65Pm|yaNvKjhi7V1g98;^N1~V3%
zTR>yWa+X2FJ_wpPwz3i^6AGwOa_VMS-&`*KoKgF2&oR10Jn6{!pvVG@n=Jk@vjNuY
zL~P7aDGhg~O9G^!bHi$8?G9v9Gp0cmekYkK;(q=47;~gI>h-kx-c<vM%*#w&fX{!h
zF%L>eM{ml$#8KI$4ltyja<rI2qq{$AR1|U_tFD)9Y-d_jShjldAw-)(k${x89fc)V
z^uj$O=9MXT2cL+;^v%uZ%TIiT&+A8q@<LEWivxLuc7cEhkMJup7#M4iRHWn;gs)|%
z*`|SUEl(kbPZ=F^TZ)n%ySX6erWcgVc`2wiVw2VTP%;PP;UMWPi0k}AaIl!DD+>qP
zki^cyDERloAb)dcDBU4na9C(pfD{P@eBGA}0|Rb)p{ISqi60=^FUEdF!ok{Gs;vb)
zfj9(#1QA64w*ud^Y<WE?99td@r;1MVEDo>sN5&PeiI>c`VioE8h)e}W%S9NMA55Gs
zrWL6l+@3CKd@8(UQLTwe12SGWMqRn+j)QZRj*g)Xua)%ayzpqs{pD(WWESJYL3{M$
z%qkpM`jFoqLYVv6{IbCkL?fEiJj$VG=$taup&RL9e{s(Sgse2xVJlw0h74EXJKt<N
zv_^nt|CWo1^pEn7x}Dzrxu#9#iylF>2<mjN(C1_G037wJ*c!9$6Ya%e(y$WXL!EqA
z8HVt{2cY#I$^(s5lIv2_V)0(hY4lKgWN5U}$n%K8Jg_QsDR2~!MLCfAxETJK@puD+
zRpJ+#PBP2wu|C*%vKJ>eX|dx<CQ&quy2)IJEnV9z;^O>z{->0)3W`JN7Bv!rLvRZc
z0tAOZ2yVe4g9iq826qXAg`f!*+}(o1;1FDb>kKexumFS40KvK0yH1_@Z=LgWZ+}(Y
zwYsa;OLz6tTA%gS=>8$=Z7pLh>|K2QElL)E=Q*(n*H`8R`8={-@4mTD-SWBOYRxV?
zmF(-rJB8^Wlp?319rTrh^?QEP?|Msxrv?WbJ-+id+V#F2Y4(JPJ6U9bv+U1cIIH^W
z)lg$_=g^Ma>2~Pyd_YOAv29Cb-U6DJO?NxnW7~QP*SmYi*vdUVuW#LWQ_u0`hymZi
zaQS3Nb^4`ro$>0G%zbXmr5|D|iq0R<;S@?kr0j5Ruq87-Z1>crx%EzVZ9#U;{?}ti
zW2W%*9MQg3Nbh%Ti6LhDd|-aFSgXoPG`mHlUU1iCHr>ru>DX?W_#13(`u*!Plu2OP
z6jk=2>BC0l)aw<WV`x+C!_sw{a5i*Q67F^#P-aA<I@z6VbJW-5&rwZfvvRk3_cA8b
z-o}<6m7#V@uDa<CVdlJ4d|5@tUf!yN<DjY-Ylj}w8VTHcITO{giPiM2=!{`C)-kgy
z4M#`;s$Hx(F&Ry_6@hE&#+WZxZsYohII;=<B$l#U>;HCmxoYD1i4b%m$1`DYC_^L~
zIEAnFcHvad=-aO3(_MI=9#`z6-9*_!&$?<%meb5;jG<wc(D1r`!k7AFaq^l6-TVCr
zn@T;NWtk;qx(I~IDg2;{VNza#Y9hnvC&&D^iJtYTc_&lLexMB!uC87mR>d5Qp=MGf
z6BD{%`L#TAOq%z%@*ib95Ey7NbUF=BlszVk3Iu3imD&*91N-ij%hW?W@~2TtdHTfP
z#n0@Xd7X8Dyu36n{k#PwQ~T~X7mAO^cNV+z<<Rr{6qP*fL{*O`It}aSc#<7ICz`zH
zfdvuUP1@TR@FL!bPH1@um7aB~aO<rmJ%*b)*b*mqm<2+)la8vi-b#-P?L4aM?FRQw
z!SL2{$6_lC;MwX~JFGU~u@(2B?<Z2dhI@qhN$Or_U*}$DGND-zz*x~AawYee{HE;I
zGAb(xm0Nq$##BQLFEgd@aqT*NJhB}}du8b8cj%ob49sgx?Oi-i5sJpioR>HO@3X-#
z_@rAn$k~(l@kciCC;&Qd*fWRI>=;fL{UPlciNDWyj$bX<#r^(r;EE8wwUVQm&7~QY
zCXRj!**r^xybAEPq>h3W$uvI1j=yNIyzkE_D7fpGw)OV{U*Uwm{xB;mEg2(|y|ICd
zMdQVqzMb-=XM6|E-a9kNh)^9lY`-DjhhHD1w5lufRcy+QLgJ47!fFn<KQi>e86#F;
zX{ufroVBEZJOY?rDo!;Te6aOZ^1SO!dYRxQ*2njyA~dCWawn)>!*k7~>8Ikt<J9hI
zLTxVl%^kbxFjaJKz4UwX+jy29ohPH6;RO0%T`A|oSHWhqWuNJ8tYd1Xp}S%w!~<wT
zHSeF;1&d?WDhsdZgTM&TfZ@=Pp`{?gU%*=Eo2o<UfasbP*Vgmv1Y;j}@b2Fxb@=4D
zWq$ckb3BOYn%N0MW}!64?YGvuPD`}=WgRB1BPo(kSV>&e*0>>V5ZbO|*1+2LFOqVe
zXHb!aMk03^h%&9L8GMy7UDI2Kev>V@(R}*Iu6x+!Hn4~D@wj`P%#Hdbf(lK{+DD7f
zJ&(v*mhn_e(R$^5L#bM^^Q@-!*b!l|+Xrb(q*MRFJYnrE7*xko!SJOy9LngR2|q5k
zY`Ioiu+YBfzF{Labszk-E#*BYQk>$()=xWEGZRKwY)*UxP}0dGuPLZOk<u~1pRF`m
zxYnI*6_BmyuVfiETJ#r=!}C__TJ(hS&_}hqJq6T(xXbQJ?{M?GH1d;1)n-8$1pDWw
zJw5OAAMQDHK*ksFYeeo`fz$TbpGy<)Wsk%<#FfYFVTT9*sy=H-wkS^x;7&PL{erf!
zzf{M*8sv9&hkoBZuv}-Nb}O!f7}9<9ZL1vRNUZ5T^4kV6WRoRqMQo_+AH>NJDI9Hy
zFjfwiK6RjhH#rHW#B0(MW}i%V`943<6@Z*Nd^JEP5uZonXm=u%AM>{H^U@&Jy*i0s
za_Da^xI6pMtXzHc{e~_ZcnKP*;=YL2Z^RmzDl{dJTk7*}E_h*NvgnhnxVKB59Duh~
zqouS_WoOR*{UvUw_K#OWz;gMracr%8>QQ&V*jv!8)ho;U8}9~8EU{N<=Z_gR%IpMT
zbkePUG_a<Uo93~%MM1nso9|UdE|j>fm=#|iIfFmdqkpLMGxY5D$`?I}&T7>TexU@v
zkBx09kG)O;09ckj#(_Uov6vv{{HOcr-%H#DUQ@*GzF8Zh{iSM13%fuB%>wjdU@3Nf
zlnYE!GTyNrqes|;nLFXfWU*Wg-9wmr=NBd$nCk+H?iwNvcd0Wab^3CT9a`>3V~oWI
z9=<ivyrYLX+hLVmYbCVC7nx>_H+N-Q=M<NIna#%7G#cG5P!5#|H6`sbgz{jBdvfcF
z%F@i>Q(io4u4mpdQ;k&5FXnKV5M7R`@WJ9h(GrAirO#XXOU{qQpk^B^Vd=Dt{wiqT
zg-#j9J~@o%H2;W9mg)o6@*Vo;BSs2*4HAHpDk02mndAsov08R_48zJZ@J)s7+hyCo
zy*0L#y)?AqZt-wX%+_Vx`8*A95OLHvs1$k~{h-_N<KA7r(+uvizi3XCB3#4TpjNrJ
zvai45nQG0Co%wk~tYgN!u~~y2n6k!jjXBHc$+Gq4hqTzEj>_vov_gHJE=`X>L?5K+
zD?u59=mjtImMvd1GsDytuYp{Iy<NXRrLZ4s+5CA`p}CBZMPL-T31R=B$JFH(h7Qq$
zc5;cO7Li&TJM=S4-dTKdpeXu!TD{GoUj}7yzx4mPG(VBO;Kq@rcXv?}P$X>UkW&?h
zF>$#`n$~bZ)KN0B$<p$VcVWI@lvp&2*7))!ZYjjYh^fBV(ceia`pW>XGeMYh&`;g8
zo_2-koaO6+8O!+L>SpIQbG(i;QW9UJi{Ecewlo?s&D!^>i$|#jaW}#HJuxt|W48=?
zb^Y&O$a1s5ddr8DIt!sD!t=y1g(d4GR(s;s-HfV$GXl&m;+sAAxB^rk(3_NjE$p#L
z*t4em?tA0d+XwRxN^OQwzbDZMuSE0J1)Ky{mq)^t4bnSl*)s>zNM@mMdtd78&ebHN
z`!(|lE5q-p+TsRaNnMXwALaN5QIZ2IUi^Z22tsN5>nvIO+YU}Q*xh6}ee6@rR~<&1
z(PB4z>9ZBUMXZwSMmd9-aKKsmJeJq^G|#JclOh*xf0?^e0(`40nsg1z)(48;4}B_(
zGwPI)yo|{oX{dVDL-5-aMGr;~vU1cPtJP5JM(sswz&Q`e<@0?y{YhsO9YK8EYJA;L
z>7oG_Mts+(wCBC*Md82#XdKw&J*IizR?9k^rf1r{Ot-&>V^ke{9nI9zavlcNkIJtN
z7T>?o|4rENk-?|lewZ(EfdR;%BUrzKJ^UkCpsM)EA9QHBVV8trT&*O(9?FO{MLTFL
z=5P0H+T6C^jAuX0k4U;~GM!x`!X2N~3_n?qXY$HI>x@(DHEy&Q3ucT1R6fj28wX!I
zC=&d$@bJ_v^%?W2Ngl}e8ww`b%BrN-PzGH;$@B2Ky1?%GMkm#~Okj(-Admyy;qya|
zOi7<TIqKLJIjsT6%xMurCppK$`tFA>3kr_pwt?5Nj<kh;AkqM0FqJNvpLG2%nBiEz
zf%ifK$Kw|EzR5(&`uXcro~^V8i}*)jhx5-t$rA$`c)ZqIf9DQr!qkCRbJWjUI$JZJ
zm$fJ9L9f6?UO=_r2e^Rac$+nqbYU6z^YgMBa7iN^LoJ4qw_S?6p!J<$X}7t17(?2t
zcE?oZJ$Jvt+q&PyLJYNC4pJ6B2Qde+jOF0Lu$QB|%Hl8GeqMD>3p=&H>81!w#>Agj
z(QXx{j0r=pTl>micAI_5vUw<3`Sht?Z}-j2Wx~<RLz32QGv22&J{94fr~V)YDG95g
zjef+~vo?CO%A&z(jqgjVppWOfXF_a0rF&LK$Mau_gV9Ob!+u&!{<c^Y1J5Po?`a)A
zQzS-wDNMkxF(uva11Qd*)ipedF7L8cQx?g7Pl*j{fhk~H=G{iXJB{lDwggu}3W3aA
zqf(*0b}y=rmt<QkiQ35c+=PEj9}{Iru7J~e%e$QIlUdUy@-hWEOf@ncen^;YeTZ*X
zH+U;(?Wy8Xl+h@nkoL^sjJj(5zUISeV;JWYIiaB7RDchD*VdjmbXj9)pN{CA%vsJg
zciJ6y-i)!8uXW&CN8ViTMaOYPM$w1*SL53`0@H8hO>F8DKCUQrsXl2?W8hur42(F_
zsSJ)_36&x6A|YkY6c<2a94SXbv~d>4CC4nkDPvf9Z5Fys^6^5r0j5=E>Cgy_Dk@tS
z%?c}9!qB?t6t8(XMH%le8UeNWp@Nsma~Ql+^3Bo%_npMryeQJz4V=BAqE~T?dejng
z3ge<X@Z7g2fW4F?C!aagtvam=!RFFVpJA`q1dy-E%du?YwT%+fTkMY4<03TZ)j<Oe
zuSu|TMbn$JCNKw9K<+@tJ({pU#md3G(`)NO28!Z^`B|&xuS!YWO}}^8(&l&<H`8f(
zO-EXMeXU|crFs+^NzF_IZ*xCTMAZi{Y<c;sK84v<>{fjCHoNAfYBvsfq;G%VL|j7t
z`X0sy1EEgpyD;)tS1x+fnv-?C@glP0{RCW}Ma?3qpoq_&IJAYOy3G#s`rsh5=3>`K
zkj``<PxYPrnJ%66XZ%$jT_UO;S&LzWfo&581S_54ry#ectge+aWQh>=;|*x5HSjZC
zXNvPLh372q;=+6ja|SC!R-`JcL}}wwskajjTUGTpL(1zkN-p?BA2lmf<wk(A{@fWd
zR@`1h3RtSO<YT(S4xL@1hiEAxTBBzva~C*l--DU9m2vX&A2fTNg49@_4&`2Bzy8!U
z)6qtF$FpZMEKdNYC;O-#lGOq92InNM@``qD2YvzcS>+J3WsB7!k`0Brx8^cLTF9<g
z@nKD{&MQpkhV&mNuFe;7?=GL>h)r+LZ$vsZo}`OpOs)?c6$hclR!R#MAeh|_DY|9r
zy+_3c%IO9h9X?ksp?an&>Lw;QeQ`T-Ku6HaK~H?E9-Z5$cZu{YU;1+-6B$|JD;%!^
zt(4l>F8}a-UkC4YtOxFHckhl4VK<o_&-lD0mk1#hZYAraLBA)XZd9SwQ&Pgn$a!)D
z;&eLCGu8&`Ky;&{YdGM4YZMiZi$_@v^1aVdy+K+*Qo!QYDDtW4@Os*LbJ00k{m)5`
zoRKnSu)novfL2Ts{!-4+5Y{b=o+LpM;89G7S{vXl;M_l=ND-Rc5qgt=ci7TpEo=mH
zL6*Xt9up_3hU63OR>r6P$P_O*U!)IDory%}Wz`YeFx6TO{y2Y${SBm?H9cTWV=WWJ
z`_*CGso!ZN>l@~_jkeXtV}<eU5O#LliK7g)klc(Z=e{4*h!dp)V6v<*N!NnT1w~8K
za~UIar=<m6R+`}h>fczfA{TUkyeD>)i3|NFGcCsBmK3HXp&ol_@GVs7PIpfULy!hi
zs+%KYgS%(n7_z_}6<X(k(VFudPeVYWZh9|epL*7btD&ckkCMALmGw(owKL=w(~r63
zOyHtRRzRvkW>)hblk~W#LZ@&2)fwm6xkFP%&Ju|MFWbNiTwy{{g-pV1RK`L&=RE2D
z4|g;~vd<LODHcrO&uLo^tGtrbwh8*iCTXkJcd4-eXXU0I?k1m)6`j}QSOp%!d{k#o
zIrMoZ12w1s%;qprCkWS}WH>8x<?cZds#+JB{z{||9jq*<HT!M-cBcH=;7~J2uQ_26
zvZro;_+w%PUpNkSI<TD8&2%vNAnp4avGA`e@UKhI+!{F{Jx<Cv<%&v?&9%YQ4BL2T
zaOOpQFMay>d|teYS%w!IlT4W$&FTrk-hcTADX!P?*f1YWEIRwq$Ys%^(Z9w&HT$>}
zsMD#6Df=uJrX!JHP7<>Or;e_Cf=}`!`qR=i8fBj)$6Lxx{HRzd8Tnzd0p>kSps{OG
zKJkml>bUj8$u|F=``l(-aMxWBC@CGZ#FXClQZ<4|&%jN}Tkg#q8z)=>Ly{$i0`rjU
zv<vjl^OND_&nt8%K_DY<c$hBE?ht3o;zMF?PraCx<3H?R+3c+lcVP-`!*=iR^+4=@
zjAXY+K30oPt-hFFYy6`C$csm;r=3u|c~FmFo6B7|^>t|QddO&i=91e?h3>s~i;+6{
z8X4i6a1wDLrSuE#W(zhan+U*Zq+8p3a))JFVF4ffaV51K^YgTs<ELvmzH15OGhhY8
zrA_+PnYK;aeddV!Pi3^WYTGZ2*J)4~@C%)8#kRVzSG2!MszRFau_EOo^?}G1$p^yr
zk#PoR%ZY0-+cfohw#0i(2hnkZfA7b9`g0$EfREag|7IgZEqyUPIUSL{ls?ZdY2jlv
zX?1Mzw~@8iav*U46179*NN~X0%-qa(h<B)RSSGS9k|=WNp6TA~=CbwUXG!l)zfkxA
zNej9!)gKN9qFfwPo;8s*!hnDPngF9Kp{ukrX|iXeI3(#zb*h?bb?@D>o~3;Y*NmM;
zx8T?y-N0uyWY(8=me-HUC9xtABvX5~%yg+Cp&XF$Bq=OcK6T*D7eZ2EmIoCFWm{$S
z1PNw8HDpe5hHeCusN8kdeb&f2#=3M^A~7YwJ7FRrhq*)PG9x?JIAaC<n&nyz&js(6
zJeGWn+?QRH9iX#RFkV(w>{MV}5}<q?f|v9)L^XT#O^Q+lTLo@~KU5xyfaaECe?QTB
zEU+ll%CA@S4EasNBgDg3P3g>g#7R$-Ly%)4=IUkRCGOR|XTMjn&okRmFjaO^YF5^*
z@)#MCBOBezD)*xQNxydlUyN?dW{fS(s-T`gv*0BEnk}<MqB*2*JFz@&Ut*5R*2h-J
z)_1&Q{C@mZhFSfyIyZ=2gNVh5&AtuX!f!}*i1VjIDopYKYu?w1#R<cS5`I@F1PQbP
z*(_N34x08$O$DXg^I;Q5K8>`BdmrbmPO8q8y(X$AA}*RH%I7Av!~84pudHb&%Q5-j
zt?=6x(iR?<^_7X0v6Ys#VAL}dKk^hcjI=|EY;kPcZ_w<*H`_*|N7SacaM1ERD@6ab
zg`!iTm7$URV+lpW_{V$ruR&A>jrX68k4x2wo$45}&wf7o<|o(@B!u-L@bKyQBAGwy
z4#}UrRAu>^>Vb6k2-th^>WjvP;Nl|i3WrjWv3ISkj{m{eAcQIW^_ndxSX@|8T(ASJ
z?_<Q%GX;J*nopDj?vlGTW3<2Bi-14h9Ft?$MJo-;vYeHFBv>$fcP2u*6uOBk-{d>^
z0vWlfGQMvysI%R=iE|A+!!Nw?C917EU*_$`;;)px?s83CRd3i_jBN)k#nR5t$dJ(+
z_sP;wG@Ad)^(3LRj7q}0b2O(b`|i0~5SYb%Sjk^*5ISZ-Ab+}DGu$-X1n^TF1Ndw_
zF|e*1)cI2%`TR&AW~XpqpFb!=3cHbS>np9hYD_Mr5}y5Y<hjKC>`SY^r7isA2Q4(z
zazRQEqWDKT2zIEbjSYdCPi1ZOGz80Nsl}gxO^<!<`)h}k*WrLKhVC9A^uqPrAX2rJ
zk_X_<UKVZj#SZ`e5i&Jvd|AuDABtCTp9RP@piFO@ZU#$^j4fEyi5WR4tQO|sRzdLJ
z86FxwO1hlidA6EQ5OI;XPTXTa$K&JwxgTfPhh!ZPwc^HMC{@|JRTI?xh^Ptzlf~Qj
z4+amGs<?A`M~9~Ge+{a1r{l~f$XZHt1Ik1~ki({=W}#a+O?yAslpyDBa!(JThcKg+
z`7_G`o=!47FD0IvP768*p<&Vtm`CtC?;Dj`fo;v%1qH|i1@RjM=o$pEJq4&d1&L7t
zjHm`Qe8@BW2ApUJb#%iMo6qv$oT6Alh&RB*5@4ncFm(r*OBC@so8*msJq8zql&b-+
z5<*+q@YE4P>DWMY0AV<2K&OL{&^6#@L1?lXu#6xSMh%3^5c*}oM6DQGY#(a^@z<&D
zF(43I9e&5`h|A$5!+UFuOH0>F3$shBV4`0#M4RSB8=6F0ZgIbq<2LQ$Hh^(kAJu=!
zt8ZGXTacD{(3W{V1$j_{Jc)Ka7<N6;sXR!iJaN-JXwp2f^gSr_JqZ^)=odUOg+0iG
zJ@H#S=vq9neLbjrJ&FH#F#bWI5hI@wqj2Jp)bXe%8c1>t6u}ho`4kF+4@t_0!mCBn
z)}o%eA}L)_L?=jw6BIfll7tb3n}?*yLt&XADa=rW>qz=_6s9ziOd5sXjil>FVFx3r
zf>Feewk0v#W9>Gp4GacTRr>Sd2T6dWi-{YX`v!D)kCWzG5xQB=?es5ON(%nkwUhNl
zV>@xkWWWv*N+{e$(SrExvN6BXzU(Hxlx27{VYHf+LpIbTO+Yu(ltMk<<mdQtfilQ%
z#zERxP>;)3A(LU@ytVYFkYvTa79idMtUFhfxx?P!)2F`prNWW#Fub#l>N2s@nh&n_
zA4{#}|AIs9|A4P0ZF%fy=hDN!t#ifH<)4u2kirK~JUpjQ-J+~cXOZI&dI<edX<Pe$
z<5K%Sv8eq|W{$&;<^B}h+C6HiudVR>ts;P}UeXslP6zKvpEKSN-$y>kJ^nw2tC9bv
zo(|lT@?vZ!{_l|d^8Yh)eEBh*5ABh<!=o}_%`M5uz0&2FvS#W)djCI>+Lzjw+?V)o
z#P<J#52aEke-8d*<DbLpV99;)|DC457DTn))TG@GiB9R>-W7361>E(Y4;@`sv;VKn
G`u_lkUM?>H

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-compass.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-compass.scss
new file mode 100644
index 0000000000..82706c47c5
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-compass.scss
@@ -0,0 +1,7 @@
+@function twbs-font-path($path) {
+  @return font-url($path, true);
+}
+
+@function twbs-image-path($path) {
+  @return image-url($path, true);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-mincer.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-mincer.scss
new file mode 100644
index 0000000000..34132501f2
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-mincer.scss
@@ -0,0 +1,17 @@
+// Mincer asset helper functions
+//
+// This must be imported into a .css.ejs.scss file.
+// Then, <% %>-interpolations will be parsed as strings by Sass, and evaluated by EJS after Sass compilation.
+
+
+@function twbs-font-path($path) {
+  // do something like following
+  // from "path/to/font.ext#suffix" to "<%- asset_path(path/to/font.ext)) + #suffix %>"
+  // from "path/to/font.ext?#suffix" to "<%- asset_path(path/to/font.ext)) + ?#suffix %>"
+  // or from "path/to/font.ext" just "<%- asset_path(path/to/font.ext)) %>"
+  @return "<%- asset_path('#{$path}'.replace(/[#?].*$/, '')) + '#{$path}'.replace(/(^[^#?]*)([#?]?.*$)/, '$2') %>";
+}
+
+@function twbs-image-path($file) {
+  @return "<%- asset_path('#{$file}') %>";
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-sprockets.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-sprockets.scss
new file mode 100644
index 0000000000..7d3069280e
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/_bootstrap-sprockets.scss
@@ -0,0 +1,7 @@
+@function twbs-font-path($path) {
+  @return font-path($path);
+}
+
+@function twbs-image-path($path) {
+  @return image-path($path);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-dialog.less b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-dialog.less
new file mode 100644
index 0000000000..284a99402f
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-dialog.less
@@ -0,0 +1,137 @@
+.modal-backdrop {
+  z-index: -1;
+}
+
+.bootstrap-dialog {
+
+    .modal-header {
+        border-top-left-radius: 4px;
+        border-top-right-radius: 4px;
+    }
+    .bootstrap-dialog-title {
+        color: #fff;
+        display: inline-block;
+    }
+    .bootstrap-dialog-button-icon {
+        margin-right: 3px;
+    }
+    .bootstrap-dialog-close-button {
+        float: right;
+        filter:alpha(opacity=90);
+        -moz-opacity:0.9;
+        -khtml-opacity: 0.9;
+        opacity: 0.9;
+        &:hover {
+            cursor: pointer;
+            filter: alpha(opacity=100);
+            -moz-opacity: 1;
+            -khtml-opacity: 1;
+            opacity: 1;
+        }
+    }
+
+    /* dialog types */
+    &.type-default {
+        .modal-header {
+            background-color: #fff;
+        }
+        .bootstrap-dialog-title {
+            color: #333;
+        }
+    }
+
+    &.type-info {
+        .modal-header {
+            background-color: #B0CDDB;
+        }
+    }
+
+    &.type-primary {
+        .modal-header {
+            background-color: #51aded;
+        }
+    }
+
+    &.type-success {
+        .modal-header {
+            background-color: #7ebc59;
+        }
+    }
+
+    &.type-warning {
+        .modal-header {
+            background-color: #f0ad4e;
+        }
+    }
+
+    &.type-danger {
+        .modal-header {
+            background-color: #EE451F;
+        }
+    }
+
+    &.size-large {
+        .bootstrap-dialog-title {
+            font-size: 24px;
+        }
+        .bootstrap-dialog-close-button {
+            font-size: 30px;
+        }
+        .bootstrap-dialog-message {
+            font-size: 18px;
+        }
+    }
+
+    /**
+     * Icon animation
+     * Copied from font-awesome: http://fontawesome.io/
+     **/
+    .icon-spin {
+        display: inline-block;
+        -moz-animation: spin 2s infinite linear;
+        -o-animation: spin 2s infinite linear;
+        -webkit-animation: spin 2s infinite linear;
+        animation: spin 2s infinite linear;
+    }
+    @-moz-keyframes spin {
+        0% {
+            -moz-transform: rotate(0deg);
+        }
+        100% {
+            -moz-transform: rotate(359deg);
+        }
+    }
+    @-webkit-keyframes spin {
+        0% {
+            -webkit-transform: rotate(0deg);
+        }
+        100% {
+            -webkit-transform: rotate(359deg);
+        }
+    }
+    @-o-keyframes spin {
+        0% {
+            -o-transform: rotate(0deg);
+        }
+        100% {
+            -o-transform: rotate(359deg);
+        }
+    }
+    @-ms-keyframes spin {
+        0% {
+            -ms-transform: rotate(0deg);
+        }
+        100% {
+            -ms-transform: rotate(359deg);
+        }
+    }
+    @keyframes spin {
+        0% {
+            transform: rotate(0deg);
+        }
+        100% {
+            transform: rotate(359deg);
+        }
+    }
+    /** End of icon animation **/
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/bootstrap-select.less b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/bootstrap-select.less
new file mode 100644
index 0000000000..49f13a7021
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/bootstrap-select.less
@@ -0,0 +1,348 @@
+@import "variables";
+
+// Mixins
+.cursor-disabled() {
+  cursor: not-allowed;
+}
+
+// Rules
+.bootstrap-select {
+  width: 348px \0; /*IE9 and below*/
+
+  // The selectpicker button
+  > .dropdown-toggle {
+    width: 100%;
+    padding-right: 25px;
+    z-index: 1;
+  }
+
+  > select {
+    position: absolute !important;
+    bottom: 0;
+    left: 50%;
+    width: 0.11px !important;
+    height: 100% !important;
+    padding: 0 !important;
+    opacity: 0 !important;
+    border: none;
+
+    &.mobile-device {
+      top: 0;
+      left: 0;
+      display: block !important;
+      width: 100% !important;
+      z-index: 2;
+    }
+  }
+
+  // Error display
+  .has-error & .dropdown-toggle,
+  .error & .dropdown-toggle {
+    border-color: @color-red-error;
+  }
+
+  &.fit-width {
+    width: auto !important;
+  }
+
+  &:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
+    width: @width-default;
+  }
+
+  .dropdown-toggle:focus {
+    outline: thin dotted #333333 !important;
+    outline: 5px auto -webkit-focus-ring-color !important;
+    outline-offset: -2px;
+  }
+}
+
+.bootstrap-select.form-control {
+  margin-bottom: 0;
+  padding: 0;
+  border: none;
+
+  &:not([class*="col-"]) {
+    width: 100%;
+  }
+
+  &.input-group-btn {
+    z-index: auto;
+  }
+}
+
+// The selectpicker components
+.bootstrap-select.btn-group {
+  &:not(.input-group-btn),
+  &[class*="col-"] {
+    float: none;
+    display: inline-block;
+    margin-left: 0;
+  }
+
+  // Forces the pull to the right, if necessary
+  &,
+  &[class*="col-"],
+  .row &[class*="col-"] {
+    &.dropdown-menu-right {
+      float: right;
+    }
+  }
+
+  .form-inline &,
+  .form-horizontal &,
+  .form-group & {
+    margin-bottom: 0;
+  }
+
+  .form-group-lg &.form-control,
+  .form-group-sm &.form-control {
+    padding: 0;
+  }
+
+  // Set the width of the live search (and any other form control within an inline form)
+  // see https://github.com/silviomoreto/bootstrap-select/issues/685
+  .form-inline & .form-control {
+    width: 100%;
+  }
+
+  &.disabled,
+  > .disabled {
+    .cursor-disabled();
+
+    &:focus {
+      outline: none !important;
+    }
+  }
+
+  &.bs-container {
+    position: absolute;
+
+    .dropdown-menu {
+      z-index: @zindex-select-dropdown;
+    }
+  }
+
+  // The selectpicker button
+  .dropdown-toggle {
+    .filter-option {
+      display: inline-block;
+      overflow: hidden;
+      width: 100%;
+      text-align: left;
+    }
+
+    .caret {
+      position: absolute;
+      top: 50%;
+      right: 12px;
+      margin-top: -2px;
+      vertical-align: middle;
+    }
+  }
+
+  &[class*="col-"] .dropdown-toggle {
+    width: 100%;
+  }
+
+  // The selectpicker dropdown
+  .dropdown-menu {
+    min-width: 100%;
+    box-sizing: border-box;
+
+    &.inner {
+      position: static;
+      float: none;
+      border: 0;
+      padding: 0;
+      margin: 0;
+      border-radius: 0;
+      box-shadow: none;
+    }
+
+    li {
+      position: relative;
+
+      &.active small {
+        color: #fff;
+      }
+
+      &.disabled a {
+        .cursor-disabled();
+      }
+
+      a {
+        cursor: pointer;
+        -webkit-user-select: none;
+           -moz-user-select: none;
+            -ms-user-select: none;
+                user-select: none;
+
+        &.opt {
+          position: relative;
+          padding-left: 2.25em;
+        }
+
+        span.check-mark {
+          display: none;
+        }
+
+        span.text {
+          display: inline-block;
+        }
+      }
+
+      small {
+        padding-left: 0.5em;
+      }
+    }
+
+    .notify {
+      position: absolute;
+      bottom: 5px;
+      width: 96%;
+      margin: 0 2%;
+      min-height: 26px;
+      padding: 3px 5px;
+      background: rgb(245, 245, 245);
+      border: 1px solid rgb(227, 227, 227);
+      box-shadow: inset 0 1px 1px fade(rgb(0, 0, 0), 5%);
+      pointer-events: none;
+      opacity: 0.9;
+      box-sizing: border-box;
+    }
+  }
+
+  .no-results {
+    padding: 3px;
+    background: #f5f5f5;
+    margin: 0 5px;
+    white-space: nowrap;
+  }
+
+  &.fit-width .dropdown-toggle {
+    .filter-option {
+      position: static;
+    }
+
+    .caret {
+      position: static;
+      top: auto;
+      margin-top: -1px;
+    }
+  }
+
+  &.show-tick .dropdown-menu li {
+    &.selected a span.check-mark {
+      position: absolute;
+      display: inline-block;
+      right: 15px;
+      margin-top: 5px;
+    }
+
+    a span.text {
+      margin-right: 34px;
+    }
+  }
+}
+
+.bootstrap-select.show-menu-arrow {
+  &.open > .dropdown-toggle {
+    z-index: (@zindex-select-dropdown + 1);
+  }
+
+  .dropdown-toggle {
+    &:before {
+      content: '';
+      border-left: 7px solid transparent;
+      border-right: 7px solid transparent;
+      border-bottom: 7px solid @color-grey-arrow;
+      position: absolute;
+      bottom: -4px;
+      left: 9px;
+      display: none;
+    }
+
+    &:after {
+      content: '';
+      border-left: 6px solid transparent;
+      border-right: 6px solid transparent;
+      border-bottom: 6px solid white;
+      position: absolute;
+      bottom: -4px;
+      left: 10px;
+      display: none;
+    }
+  }
+
+  &.dropup .dropdown-toggle {
+    &:before {
+      bottom: auto;
+      top: -3px;
+      border-top: 7px solid @color-grey-arrow;
+      border-bottom: 0;
+    }
+
+    &:after {
+      bottom: auto;
+      top: -3px;
+      border-top: 6px solid white;
+      border-bottom: 0;
+    }
+  }
+
+  &.pull-right .dropdown-toggle {
+    &:before {
+      right: 12px;
+      left: auto;
+    }
+
+    &:after {
+      right: 13px;
+      left: auto;
+    }
+  }
+
+  &.open > .dropdown-toggle {
+    &:before,
+    &:after {
+      display: block;
+    }
+  }
+}
+
+.bs-searchbox,
+.bs-actionsbox,
+.bs-donebutton {
+  padding: 4px 8px;
+}
+
+.bs-actionsbox {
+  width: 100%;
+  box-sizing: border-box;
+
+  & .btn-group button {
+    width: 50%;
+  }
+}
+
+.bs-donebutton {
+  float: left;
+  width: 100%;
+  box-sizing: border-box;
+
+  & .btn-group button {
+    width: 100%;
+  }
+}
+
+.bs-searchbox {
+  & + .bs-actionsbox {
+    padding: 0 8px 4px;
+  }
+
+  & .form-control {
+    margin-bottom: 0;
+    width: 100%;
+    float: none;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
new file mode 100644
index 0000000000..97a510c23a
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
@@ -0,0 +1,7 @@
+@color-red-error: rgb(185, 74, 72);
+@color-blue-hover: rgba(100, 177, 216, 0.4);
+@color-grey-arrow: rgba(204, 204, 204, 0.2);
+
+@width-default: 348px; // 3 960px-grid columns
+
+@zindex-select-dropdown: 1035; // must be lower than a modal background (1040) but higher than the fixed navbar (1030)
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.css
new file mode 100644
index 0000000000..b6c2903d8d
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.css
@@ -0,0 +1 @@
+@keyframes bs-notify-fadeOut{0%{opacity:0.9}100%{opacity:0}}select.bs-select-hidden,.bootstrap-select>select.bs-select-hidden,select.selectpicker{display:none !important}.bootstrap-select{width:220px \0;vertical-align:middle}.bootstrap-select>.dropdown-toggle{position:relative;width:100%;text-align:right;white-space:nowrap;display:inline-flex;align-items:center;justify-content:space-between}.bootstrap-select>.dropdown-toggle:after{margin-top:-1px}.bootstrap-select>.dropdown-toggle.bs-placeholder,.bootstrap-select>.dropdown-toggle.bs-placeholder:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder:active{color:#999}.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-primary,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-primary:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-primary:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-primary:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-secondary,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-secondary:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-secondary:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-secondary:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-success,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-success:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-success:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-success:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-danger,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-danger:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-danger:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-danger:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-info,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-info:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-info:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-info:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-dark,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-dark:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-dark:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-dark:active{color:rgba(255,255,255,0.5)}.bootstrap-select>select{position:absolute !important;bottom:0;left:50%;display:block !important;width:0.5px !important;height:100% !important;padding:0 !important;opacity:0 !important;border:none;z-index:0 !important}.bootstrap-select>select.mobile-device{top:0;left:0;display:block !important;width:100% !important;z-index:2 !important}.has-error .bootstrap-select .dropdown-toggle,.error .bootstrap-select .dropdown-toggle,.bootstrap-select.is-invalid .dropdown-toggle,.was-validated .bootstrap-select select:invalid+.dropdown-toggle{border-color:#b94a48}.bootstrap-select.is-valid .dropdown-toggle,.was-validated .bootstrap-select select:valid+.dropdown-toggle{border-color:#28a745}.bootstrap-select.fit-width{width:auto !important}.bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn){width:220px}.bootstrap-select>select.mobile-device:focus+.dropdown-toggle{outline:thin dotted #333333 !important;outline:5px auto -webkit-focus-ring-color !important;outline-offset:-2px}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none;height:auto}:not(.input-group)>.bootstrap-select.form-control:not([class*="col-"]){width:100%}.bootstrap-select.form-control.input-group-btn{float:none;z-index:auto}.form-inline .bootstrap-select,.form-inline .bootstrap-select.form-control:not([class*="col-"]){width:auto}.bootstrap-select:not(.input-group-btn),.bootstrap-select[class*="col-"]{float:none;display:inline-block;margin-left:0}.bootstrap-select.dropdown-menu-right,.bootstrap-select[class*="col-"].dropdown-menu-right,.row .bootstrap-select[class*="col-"].dropdown-menu-right{float:right}.form-inline .bootstrap-select,.form-horizontal .bootstrap-select,.form-group .bootstrap-select{margin-bottom:0}.form-group-lg .bootstrap-select.form-control,.form-group-sm .bootstrap-select.form-control{padding:0}.form-group-lg .bootstrap-select.form-control .dropdown-toggle,.form-group-sm .bootstrap-select.form-control .dropdown-toggle{height:100%;font-size:inherit;line-height:inherit;border-radius:inherit}.bootstrap-select.form-control-sm .dropdown-toggle,.bootstrap-select.form-control-lg .dropdown-toggle{font-size:inherit;line-height:inherit;border-radius:inherit}.bootstrap-select.form-control-sm .dropdown-toggle{padding:.25rem .5rem}.bootstrap-select.form-control-lg .dropdown-toggle{padding:.5rem 1rem}.form-inline .bootstrap-select .form-control{width:100%}.bootstrap-select.disabled,.bootstrap-select>.disabled{cursor:not-allowed}.bootstrap-select.disabled:focus,.bootstrap-select>.disabled:focus{outline:none !important}.bootstrap-select.bs-container{position:absolute;top:0;left:0;height:0 !important;padding:0 !important}.bootstrap-select.bs-container .dropdown-menu{z-index:9998}.bootstrap-select .dropdown-toggle .filter-option{position:static;top:0;left:0;float:left;height:100%;width:100%;text-align:left;overflow:hidden;flex:0 1 auto}.bs3.bootstrap-select .dropdown-toggle .filter-option{padding-right:inherit}.input-group .bs3-has-addon.bootstrap-select .dropdown-toggle .filter-option{position:absolute;padding-top:inherit;padding-bottom:inherit;padding-left:inherit;float:none}.input-group .bs3-has-addon.bootstrap-select .dropdown-toggle .filter-option .filter-option-inner{padding-right:inherit}.bootstrap-select .dropdown-toggle .filter-option-inner-inner{overflow:hidden}.bootstrap-select .dropdown-toggle .filter-expand{width:0 !important;float:left;opacity:0 !important;overflow:hidden}.bootstrap-select .dropdown-toggle .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.input-group .bootstrap-select.form-control .dropdown-toggle{border-radius:inherit}.bootstrap-select[class*="col-"] .dropdown-toggle{width:100%}.bootstrap-select .dropdown-menu{min-width:100%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.bootstrap-select .dropdown-menu>.inner:focus{outline:none !important}.bootstrap-select .dropdown-menu.inner{position:static;float:none;border:0;padding:0;margin:0;border-radius:0;box-shadow:none}.bootstrap-select .dropdown-menu li{position:relative}.bootstrap-select .dropdown-menu li.active small{color:rgba(255,255,255,0.5) !important}.bootstrap-select .dropdown-menu li.disabled a{cursor:not-allowed}.bootstrap-select .dropdown-menu li a{cursor:pointer;user-select:none}.bootstrap-select .dropdown-menu li a.opt{position:relative;padding-left:2.25em}.bootstrap-select .dropdown-menu li a span.check-mark{display:none}.bootstrap-select .dropdown-menu li a span.text{display:inline-block}.bootstrap-select .dropdown-menu li small{padding-left:0.5em}.bootstrap-select .dropdown-menu .notify{position:absolute;bottom:5px;width:96%;margin:0 2%;min-height:26px;padding:3px 5px;background:#f5f5f5;border:1px solid #e3e3e3;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.05);box-shadow:inset 0 1px 1px rgba(0,0,0,0.05);pointer-events:none;opacity:0.9;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.bootstrap-select .dropdown-menu .notify.fadeOut{animation:300ms linear 750ms forwards bs-notify-fadeOut}.bootstrap-select .no-results{padding:3px;background:#f5f5f5;margin:0 5px;white-space:nowrap}.bootstrap-select.fit-width .dropdown-toggle .filter-option{position:static;display:inline;padding:0}.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner{display:inline}.bootstrap-select.fit-width .dropdown-toggle .bs-caret:before{content:'\00a0'}.bootstrap-select.fit-width .dropdown-toggle .caret{position:static;top:auto;margin-top:-1px}.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark{position:absolute;display:inline-block;right:15px;top:5px}.bootstrap-select.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select .bs-ok-default:after{content:'';display:block;width:0.5em;height:1em;border-style:solid;border-width:0 0.26em 0.26em 0;transform:rotate(45deg)}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle,.bootstrap-select.show-menu-arrow.show>.dropdown-toggle{z-index:9999}.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before{content:'';border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid rgba(204,204,204,0.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after{content:'';border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid white;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before{bottom:auto;top:-4px;border-top:7px solid rgba(204,204,204,0.2);border-bottom:0}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after{bottom:auto;top:-4px;border-top:6px solid white;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle .filter-option:before,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle .filter-option:after,.bootstrap-select.show-menu-arrow.show>.dropdown-toggle .filter-option:before,.bootstrap-select.show-menu-arrow.show>.dropdown-toggle .filter-option:after{display:block}.bs-searchbox,.bs-actionsbox,.bs-donebutton{padding:4px 8px}.bs-actionsbox{width:100%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.bs-actionsbox .btn-group button{width:50%}.bs-donebutton{float:left;width:100%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.bs-donebutton .btn-group button{width:100%}.bs-searchbox+.bs-actionsbox{padding:0 8px 4px}.bs-searchbox .form-control{margin-bottom:0;width:100%;float:none}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
new file mode 100644
index 0000000000..ce955acc9a
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
@@ -0,0 +1,519 @@
+@import "variables";
+
+@keyframes bs-notify-fadeOut {
+  0% {opacity: 0.9;}
+  100% {opacity: 0;}
+}
+
+// Mixins
+@mixin cursor-disabled() {
+  cursor: not-allowed;
+}
+
+@mixin box-sizing($fmt) {
+  -webkit-box-sizing: $fmt;
+     -moz-box-sizing: $fmt;
+          box-sizing: $fmt;
+}
+
+@mixin box-shadow($fmt) {
+  -webkit-box-shadow: $fmt;
+          box-shadow: $fmt;
+}
+
+@function fade($color, $amnt) {
+  @if $amnt > 1 {
+    $amnt: $amnt / 100; // convert to percentage if int
+  }
+  @return rgba($color, $amnt);
+}
+
+// Rules
+select.bs-select-hidden,
+.bootstrap-select > select.bs-select-hidden,
+select.selectpicker {
+  display: none !important;
+}
+
+.bootstrap-select {
+  width: 220px \0; /*IE9 and below*/
+  vertical-align: middle;
+
+  // The selectpicker button
+  > .dropdown-toggle {
+    position: relative;
+    width: 100%;
+    // necessary for proper positioning of caret in Bootstrap 4 (pushes caret to the right)
+    text-align: right;
+    white-space: nowrap;
+    // force caret to be vertically centered for Bootstrap 4 multi-line buttons
+    display: inline-flex;
+    align-items: center;
+    justify-content: space-between;
+
+    &:after {
+      margin-top: -1px;
+    }
+
+    &.bs-placeholder {
+      &,
+      &:hover,
+      &:focus,
+      &:active {
+        color: $input-color-placeholder;
+      }
+
+      &.btn-primary,
+      &.btn-secondary,
+      &.btn-success,
+      &.btn-danger,
+      &.btn-info,
+      &.btn-dark {
+        &,
+        &:hover,
+        &:focus,
+        &:active {
+          color: $input-alt-color-placeholder;
+        }
+      }
+    }
+  }
+
+  > select {
+    position: absolute !important;
+    bottom: 0;
+    left: 50%;
+    display: block !important;
+    width: 0.5px !important;
+    height: 100% !important;
+    padding: 0 !important;
+    opacity: 0 !important;
+    border: none;
+    z-index: 0 !important;
+
+    &.mobile-device {
+      top: 0;
+      left: 0;
+      display: block !important;
+      width: 100% !important;
+      z-index: 2 !important;
+    }
+  }
+
+  // Error display
+  .has-error & .dropdown-toggle,
+  .error & .dropdown-toggle,
+  &.is-invalid .dropdown-toggle,
+  .was-validated & select:invalid + .dropdown-toggle {
+    border-color: $color-red-error;
+  }
+
+  &.is-valid .dropdown-toggle,
+  .was-validated & select:valid + .dropdown-toggle {
+    border-color: $color-green-success;
+  }
+
+  &.fit-width {
+    width: auto !important;
+  }
+
+  &:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
+    width: $width-default;
+  }
+
+  > select.mobile-device:focus + .dropdown-toggle {
+    outline: thin dotted #333333 !important;
+    outline: 5px auto -webkit-focus-ring-color !important;
+    outline-offset: -2px;
+  }
+}
+
+// The selectpicker components
+.bootstrap-select {
+  &.form-control {
+    margin-bottom: 0;
+    padding: 0;
+    border: none;
+    height: auto;
+
+    :not(.input-group) > &:not([class*="col-"]) {
+      width: 100%;
+    }
+
+    &.input-group-btn {
+      float: none;
+      z-index: auto;
+    }
+  }
+
+  .form-inline &,
+  .form-inline &.form-control:not([class*="col-"]) {
+    width: auto;
+  }
+
+  &:not(.input-group-btn),
+  &[class*="col-"] {
+    float: none;
+    display: inline-block;
+    margin-left: 0;
+  }
+
+  // Forces the pull to the right, if necessary
+  &,
+  &[class*="col-"],
+  .row &[class*="col-"] {
+    &.dropdown-menu-right {
+      float: right;
+    }
+  }
+
+  .form-inline &,
+  .form-horizontal &,
+  .form-group & {
+    margin-bottom: 0;
+  }
+
+  .form-group-lg &.form-control,
+  .form-group-sm &.form-control {
+    padding: 0;
+
+    .dropdown-toggle {
+      height: 100%;
+      font-size: inherit;
+      line-height: inherit;
+      border-radius: inherit;
+    }
+  }
+
+  &.form-control-sm .dropdown-toggle,
+  &.form-control-lg .dropdown-toggle {
+    font-size: inherit;
+    line-height: inherit;
+    border-radius: inherit;
+  }
+
+  &.form-control-sm .dropdown-toggle {
+    padding: $input-padding-y-sm $input-padding-x-sm;
+  }
+
+  &.form-control-lg .dropdown-toggle {
+    padding: $input-padding-y-lg $input-padding-x-lg;
+  }
+
+  // Set the width of the live search (and any other form control within an inline form)
+  // see https://github.com/silviomoreto/bootstrap-select/issues/685
+  .form-inline & .form-control {
+    width: 100%;
+  }
+
+  &.disabled,
+  > .disabled {
+    @include cursor-disabled();
+
+    &:focus {
+      outline: none !important;
+    }
+  }
+
+  &.bs-container {
+    position: absolute;
+    top: 0;
+    left: 0;
+    height: 0 !important;
+    padding: 0 !important;
+
+    .dropdown-menu {
+      z-index: $zindex-select-dropdown;
+    }
+  }
+
+  // The selectpicker button
+  .dropdown-toggle {
+    .filter-option {
+      position: static;
+      top: 0;
+      left: 0;
+      float: left;
+      height: 100%;
+      width: 100%;
+      text-align: left;
+      overflow: hidden;
+      flex: 0 1 auto; // for IE10
+
+      @at-root .bs3#{&} {
+        padding-right: inherit;
+      }
+
+      @at-root .input-group .bs3-has-addon#{&} {
+        position: absolute;
+        padding-top: inherit;
+        padding-bottom: inherit;
+        padding-left: inherit;
+        float: none;
+
+        .filter-option-inner {
+          padding-right: inherit;
+        }
+      }
+    }
+
+    .filter-option-inner-inner {
+      overflow: hidden;
+    }
+
+    // used to expand the height of the button when inside an input group
+    .filter-expand {
+      width: 0 !important;
+      float: left;
+      opacity: 0 !important;
+      overflow: hidden;
+    }
+
+    .caret {
+      position: absolute;
+      top: 50%;
+      right: 12px;
+      margin-top: -2px;
+      vertical-align: middle;
+    }
+  }
+
+  .input-group &.form-control .dropdown-toggle {
+    border-radius: inherit;
+  }
+
+  &[class*="col-"] .dropdown-toggle {
+    width: 100%;
+  }
+
+  // The selectpicker dropdown
+  .dropdown-menu {
+    min-width: 100%;
+    @include box-sizing(border-box);
+
+    > .inner:focus {
+      outline: none !important;
+    }
+
+    &.inner {
+      position: static;
+      float: none;
+      border: 0;
+      padding: 0;
+      margin: 0;
+      border-radius: 0;
+      box-shadow: none;
+    }
+
+    li {
+      position: relative;
+
+      &.active small {
+        color: $input-alt-color-placeholder !important;
+      }
+
+      &.disabled a {
+        @include cursor-disabled();
+      }
+
+      a {
+        cursor: pointer;
+        user-select: none;
+
+        &.opt {
+          position: relative;
+          padding-left: 2.25em;
+        }
+
+        span.check-mark {
+          display: none;
+        }
+
+        span.text {
+          display: inline-block;
+        }
+      }
+
+      small {
+        padding-left: 0.5em;
+      }
+    }
+
+    .notify {
+      position: absolute;
+      bottom: 5px;
+      width: 96%;
+      margin: 0 2%;
+      min-height: 26px;
+      padding: 3px 5px;
+      background: rgb(245, 245, 245);
+      border: 1px solid rgb(227, 227, 227);
+      @include box-shadow(inset 0 1px 1px fade(rgb(0, 0, 0), 5));
+      pointer-events: none;
+      opacity: 0.9;
+      @include box-sizing(border-box);
+
+      &.fadeOut {
+        animation: 300ms linear 750ms forwards bs-notify-fadeOut;
+      }
+    }
+  }
+
+  .no-results {
+    padding: 3px;
+    background: #f5f5f5;
+    margin: 0 5px;
+    white-space: nowrap;
+  }
+
+  &.fit-width .dropdown-toggle {
+    .filter-option {
+      position: static;
+      display: inline;
+      padding: 0;
+    }
+
+    .filter-option-inner,
+    .filter-option-inner-inner {
+      display: inline;
+    }
+
+    .bs-caret:before {
+      content: '\00a0';
+    }
+
+    .caret {
+      position: static;
+      top: auto;
+      margin-top: -1px;
+    }
+  }
+
+  &.show-tick .dropdown-menu {
+    .selected span.check-mark {
+      position: absolute;
+      display: inline-block;
+      right: 15px;
+      top: 5px;
+    }
+
+    li a span.text {
+      margin-right: 34px;
+    }
+  }
+
+  // default check mark for use without an icon font
+  .bs-ok-default:after {
+    content: '';
+    display: block;
+    width: 0.5em;
+    height: 1em;
+    border-style: solid;
+    border-width: 0 0.26em 0.26em 0;
+    transform: rotate(45deg);
+  }
+}
+
+.bootstrap-select.show-menu-arrow {
+  &.open > .dropdown-toggle,
+  &.show > .dropdown-toggle {
+    z-index: ($zindex-select-dropdown + 1);
+  }
+
+  .dropdown-toggle .filter-option {
+    &:before {
+      content: '';
+      border-left: 7px solid transparent;
+      border-right: 7px solid transparent;
+      border-bottom: 7px solid $color-grey-arrow;
+      position: absolute;
+      bottom: -4px;
+      left: 9px;
+      display: none;
+    }
+
+    &:after {
+      content: '';
+      border-left: 6px solid transparent;
+      border-right: 6px solid transparent;
+      border-bottom: 6px solid white;
+      position: absolute;
+      bottom: -4px;
+      left: 10px;
+      display: none;
+    }
+  }
+
+  &.dropup .dropdown-toggle .filter-option {
+    &:before {
+      bottom: auto;
+      top: -4px;
+      border-top: 7px solid $color-grey-arrow;
+      border-bottom: 0;
+    }
+
+    &:after {
+      bottom: auto;
+      top: -4px;
+      border-top: 6px solid white;
+      border-bottom: 0;
+    }
+  }
+
+  &.pull-right .dropdown-toggle .filter-option {
+    &:before {
+      right: 12px;
+      left: auto;
+    }
+
+    &:after {
+      right: 13px;
+      left: auto;
+    }
+  }
+
+  &.open > .dropdown-toggle .filter-option,
+  &.show > .dropdown-toggle .filter-option {
+    &:before,
+    &:after {
+      display: block;
+    }
+  }
+}
+
+.bs-searchbox,
+.bs-actionsbox,
+.bs-donebutton {
+  padding: 4px 8px;
+}
+
+.bs-actionsbox {
+  width: 100%;
+  @include box-sizing(border-box);
+
+  & .btn-group button {
+    width: 50%;
+  }
+}
+
+.bs-donebutton {
+  float: left;
+  width: 100%;
+  @include box-sizing(border-box);
+
+  & .btn-group button {
+    width: 100%;
+  }
+}
+
+.bs-searchbox {
+  & + .bs-actionsbox {
+    padding: 0 8px 4px;
+  }
+
+  & .form-control {
+    margin-bottom: 0;
+    width: 100%;
+    float: none;
+  }
+}
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
new file mode 100644
index 0000000000..555ef10fcf
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
@@ -0,0 +1,17 @@
+$color-red-error: rgb(185, 74, 72) !default;
+$color-green-success: #28a745;
+$color-grey-arrow: rgba(204, 204, 204, 0.2) !default;
+
+$width-default: 220px !default; // 3 960px-grid columns
+
+$zindex-select-dropdown: 9998 !default; // must be higher than a modal background (1050)
+
+//** Placeholder text color
+$input-color-placeholder: #999 !default;
+$input-alt-color-placeholder: rgba(255, 255, 255, 0.5) !default;
+
+$input-padding-y-sm: .25rem !default;
+$input-padding-x-sm: .5rem !default;
+
+$input-padding-y-lg: 0.5rem !default;
+$input-padding-x-lg: 1rem !default;
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_alerts.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_alerts.scss
new file mode 100644
index 0000000000..e45de83058
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_alerts.scss
@@ -0,0 +1,68 @@
+//
+// Alerts
+// --------------------------------------------------
+
+
+// Base styles
+// -------------------------
+
+.alert {
+  padding: $alert-padding;
+  margin-bottom: $line-height-computed;
+  border: 1px solid transparent;
+  border-radius: $alert-border-radius;
+
+  // Headings for larger alerts
+  h4 {
+    margin-top: 0;
+    // Specified for the h4 to prevent conflicts of changing $headings-color
+    color: inherit;
+  }
+  // Provide class for links that match alerts
+  .alert-link {
+    font-weight: $alert-link-font-weight;
+  }
+
+  // Improve alignment and spacing of inner content
+  > p,
+  > ul {
+    margin-bottom: 0;
+  }
+  > p + p {
+    margin-top: 5px;
+  }
+}
+
+// Dismissible alerts
+//
+// Expand the right padding and account for the close button's positioning.
+
+.alert-dismissable, // The misspelled .alert-dismissable was deprecated in 3.2.0.
+.alert-dismissible {
+  padding-right: ($alert-padding + 20);
+
+  // Adjust close link position
+  .close {
+    position: relative;
+    top: -2px;
+    right: -21px;
+    color: inherit;
+  }
+}
+
+// Alternate styles
+//
+// Generate contextual modifier classes for colorizing the alert.
+
+.alert-success {
+  @include alert-variant($alert-success-bg, $alert-success-border, $alert-success-text);
+}
+.alert-info {
+  @include alert-variant($alert-info-bg, $alert-info-border, $alert-info-text);
+}
+.alert-warning {
+  @include alert-variant($alert-warning-bg, $alert-warning-border, $alert-warning-text);
+}
+.alert-danger {
+  @include alert-variant($alert-danger-bg, $alert-danger-border, $alert-danger-text);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_badges.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_badges.scss
new file mode 100644
index 0000000000..02394ae7fa
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_badges.scss
@@ -0,0 +1,57 @@
+//
+// Badges
+// --------------------------------------------------
+
+
+// Base class
+.badge {
+  display: inline-block;
+  min-width: 10px;
+  padding: 3px 7px;
+  font-size: $font-size-small;
+  font-weight: $badge-font-weight;
+  color: $badge-color;
+  line-height: $badge-line-height;
+  vertical-align: baseline;
+  white-space: nowrap;
+  text-align: center;
+  background-color: $badge-bg;
+  border-radius: $badge-border-radius;
+
+  // Empty badges collapse automatically (not available in IE8)
+  &:empty {
+    display: none;
+  }
+
+  // Quick fix for badges in buttons
+  .btn & {
+    position: relative;
+    top: -1px;
+  }
+  .btn-xs & {
+    top: 0;
+    padding: 1px 5px;
+  }
+
+  // [converter] extracted a& to a.badge
+
+  // Account for badges in navs
+  a.list-group-item.active > &,
+  .nav-pills > .active > a > & {
+    color: $badge-active-color;
+    background-color: $badge-active-bg;
+  }
+  .nav-pills > li > a > & {
+    margin-left: 3px;
+  }
+}
+
+// Hover state, but only for links
+a.badge {
+  &:hover,
+  &:focus {
+    color: $badge-link-hover-color;
+    text-decoration: none;
+    cursor: pointer;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_breadcrumbs.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_breadcrumbs.scss
new file mode 100644
index 0000000000..3641e333b8
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_breadcrumbs.scss
@@ -0,0 +1,26 @@
+//
+// Breadcrumbs
+// --------------------------------------------------
+
+
+.breadcrumb {
+  padding: $breadcrumb-padding-vertical $breadcrumb-padding-horizontal;
+  margin-bottom: $line-height-computed;
+  list-style: none;
+  background-color: $breadcrumb-bg;
+  border-radius: $border-radius-base;
+
+  > li {
+    display: inline-block;
+
+    + li:before {
+      content: "#{$breadcrumb-separator}\00a0"; // Unicode space added since inline-block means non-collapsing white-space
+      padding: 0 5px;
+      color: $breadcrumb-color;
+    }
+  }
+
+  > .active {
+    color: $breadcrumb-active-color;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_button-groups.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_button-groups.scss
new file mode 100644
index 0000000000..63ccd927c8
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_button-groups.scss
@@ -0,0 +1,240 @@
+//
+// Button groups
+// --------------------------------------------------
+
+// Make the div behave like a button
+.btn-group,
+.btn-group-vertical {
+  position: relative;
+  display: inline-block;
+  vertical-align: middle; // match .btn alignment given font-size hack above
+  > .btn {
+    position: relative;
+    float: left;
+    // Bring the "active" button to the front
+    &:hover,
+    &:focus,
+    &:active,
+    &.active {
+      z-index: 2;
+    }
+    &:focus {
+      // Remove focus outline when dropdown JS adds it after closing the menu
+      outline: 0;
+    }
+  }
+}
+
+// Prevent double borders when buttons are next to each other
+.btn-group {
+  .btn + .btn,
+  .btn + .btn-group,
+  .btn-group + .btn,
+  .btn-group + .btn-group {
+    margin-left: -1px;
+  }
+}
+
+// Optional: Group multiple button groups together for a toolbar
+.btn-toolbar {
+  margin-left: -5px; // Offset the first child's margin
+  @include clearfix();
+
+  .btn-group,
+  .input-group {
+    float: left;
+  }
+  > .btn,
+  > .btn-group,
+  > .input-group {
+    margin-left: 5px;
+  }
+}
+
+.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {
+  border-radius: 0;
+}
+
+// Set corners individual because sometimes a single button can be in a .btn-group and we need :first-child and :last-child to both match
+.btn-group > .btn:first-child {
+  margin-left: 0;
+  &:not(:last-child):not(.dropdown-toggle) {
+    @include border-right-radius(0);
+  }
+}
+// Need .dropdown-toggle since :last-child doesn't apply given a .dropdown-menu immediately after it
+.btn-group > .btn:last-child:not(:first-child),
+.btn-group > .dropdown-toggle:not(:first-child) {
+  @include border-left-radius(0);
+}
+
+// Custom edits for including btn-groups within btn-groups (useful for including dropdown buttons within a btn-group)
+.btn-group > .btn-group {
+  float: left;
+}
+.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.btn-group > .btn-group:first-child {
+  > .btn:last-child,
+  > .dropdown-toggle {
+    @include border-right-radius(0);
+  }
+}
+.btn-group > .btn-group:last-child > .btn:first-child {
+  @include border-left-radius(0);
+}
+
+// On active and open, don't show outline
+.btn-group .dropdown-toggle:active,
+.btn-group.open .dropdown-toggle {
+  outline: 0;
+}
+
+
+// Sizing
+//
+// Remix the default button sizing classes into new ones for easier manipulation.
+
+.btn-group-xs > .btn { @extend .btn-xs; }
+.btn-group-sm > .btn { @extend .btn-sm; }
+.btn-group-lg > .btn { @extend .btn-lg; }
+
+
+// Split button dropdowns
+// ----------------------
+
+// Give the line between buttons some depth
+.btn-group > .btn + .dropdown-toggle {
+  padding-left: 8px;
+  padding-right: 8px;
+}
+.btn-group > .btn-lg + .dropdown-toggle {
+  padding-left: 12px;
+  padding-right: 12px;
+}
+
+// The clickable button for toggling the menu
+// Remove the gradient and set the same inset shadow as the :active state
+.btn-group.open .dropdown-toggle {
+  @include box-shadow(inset 0 3px 5px rgba(0,0,0,.125));
+
+  // Show no shadow for `.btn-link` since it has no other button styles.
+  &.btn-link {
+    @include box-shadow(none);
+  }
+}
+
+
+// Reposition the caret
+.btn .caret {
+  margin-left: 0;
+}
+// Carets in other button sizes
+.btn-lg .caret {
+  border-width: $caret-width-large $caret-width-large 0;
+  border-bottom-width: 0;
+}
+// Upside down carets for .dropup
+.dropup .btn-lg .caret {
+  border-width: 0 $caret-width-large $caret-width-large;
+}
+
+
+// Vertical button groups
+// ----------------------
+
+.btn-group-vertical {
+  > .btn,
+  > .btn-group,
+  > .btn-group > .btn {
+    display: block;
+    float: none;
+    width: 100%;
+    max-width: 100%;
+  }
+
+  // Clear floats so dropdown menus can be properly placed
+  > .btn-group {
+    @include clearfix();
+    > .btn {
+      float: none;
+    }
+  }
+
+  > .btn + .btn,
+  > .btn + .btn-group,
+  > .btn-group + .btn,
+  > .btn-group + .btn-group {
+    margin-top: -1px;
+    margin-left: 0;
+  }
+}
+
+.btn-group-vertical > .btn {
+  &:not(:first-child):not(:last-child) {
+    border-radius: 0;
+  }
+  &:first-child:not(:last-child) {
+    border-top-right-radius: $border-radius-base;
+    @include border-bottom-radius(0);
+  }
+  &:last-child:not(:first-child) {
+    border-bottom-left-radius: $border-radius-base;
+    @include border-top-radius(0);
+  }
+}
+.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.btn-group-vertical > .btn-group:first-child:not(:last-child) {
+  > .btn:last-child,
+  > .dropdown-toggle {
+    @include border-bottom-radius(0);
+  }
+}
+.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {
+  @include border-top-radius(0);
+}
+
+
+
+// Justified button groups
+// ----------------------
+
+.btn-group-justified {
+  display: table;
+  width: 100%;
+  table-layout: fixed;
+  border-collapse: separate;
+  > .btn,
+  > .btn-group {
+    float: none;
+    display: table-cell;
+    width: 1%;
+  }
+  > .btn-group .btn {
+    width: 100%;
+  }
+
+  > .btn-group .dropdown-menu {
+    left: auto;
+  }
+}
+
+
+// Checkbox and radio options
+//
+// In order to support the browser's form validation feedback, powered by the
+// `required` attribute, we have to "hide" the inputs via `opacity`. We cannot
+// use `display: none;` or `visibility: hidden;` as that also hides the popover.
+// This way, we ensure a DOM element is visible to position the popover from.
+//
+// See https://github.com/twbs/bootstrap/pull/12794 for more.
+
+[data-toggle="buttons"] > .btn > input[type="radio"],
+[data-toggle="buttons"] > .btn > input[type="checkbox"] {
+  position: absolute;
+  z-index: -1;
+  @include opacity(0);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_buttons.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_buttons.scss
new file mode 100644
index 0000000000..f2684c1b76
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_buttons.scss
@@ -0,0 +1,159 @@
+//
+// Buttons
+// --------------------------------------------------
+
+
+// Base styles
+// --------------------------------------------------
+
+.btn {
+  display: inline-block;
+  margin-bottom: 0; // For input.btn
+  font-weight: $btn-font-weight;
+  text-align: center;
+  vertical-align: middle;
+  cursor: pointer;
+  background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214
+  border: 1px solid transparent;
+  white-space: nowrap;
+  @include button-size($padding-base-vertical, $padding-base-horizontal, $font-size-base, $line-height-base, $border-radius-base);
+  @include user-select(none);
+
+  @include button-variant($btn-default-color, $btn-default-bg, $btn-default-border);
+
+  &,
+  &:active,
+  &.active {
+    &:focus {
+      @include tab-focus();
+    }
+  }
+
+  &:hover,
+  &:focus {
+    color: $btn-default-color;
+    text-decoration: none;
+  }
+
+  &:active,
+  &.active {
+    outline: 0;
+    background-image: none;
+    @include box-shadow(inset 0 3px 5px rgba(0,0,0,.125));
+  }
+
+  &.disabled,
+  &[disabled],
+  fieldset[disabled] & {
+    cursor: not-allowed;
+    pointer-events: none; // Future-proof disabling of clicks
+    @include opacity(.65);
+    @include box-shadow(none);
+  }
+}
+
+
+// Alternate buttons
+// --------------------------------------------------
+
+.btn-default {
+  @include button-variant($btn-default-color, $btn-default-bg, $btn-default-border);
+}
+.btn-primary {
+  @include button-variant($btn-primary-color, $btn-primary-bg, $btn-primary-border);
+}
+// Success appears as green
+.btn-success {
+  @include button-variant($btn-success-color, $btn-success-bg, $btn-success-border);
+}
+// Info appears as blue-green
+.btn-info {
+  @include button-variant($btn-info-color, $btn-info-bg, $btn-info-border);
+}
+// Warning appears as orange
+.btn-warning {
+  @include button-variant($btn-warning-color, $btn-warning-bg, $btn-warning-border);
+}
+// Danger and error appear as red
+.btn-danger {
+  @include button-variant($btn-danger-color, $btn-danger-bg, $btn-danger-border);
+}
+
+
+// Link buttons
+// -------------------------
+
+// Make a button look and behave like a link
+.btn-link {
+  color: $link-color;
+  font-weight: normal;
+  cursor: pointer;
+  border-radius: 0;
+
+  &,
+  &:active,
+  &[disabled],
+  fieldset[disabled] & {
+    background-color: transparent;
+    @include box-shadow(none);
+  }
+  &,
+  &:hover,
+  &:focus,
+  &:active {
+    border-color: transparent;
+  }
+  &:hover,
+  &:focus {
+    color: $link-hover-color;
+    text-decoration: underline;
+    background-color: transparent;
+  }
+  &[disabled],
+  fieldset[disabled] & {
+    &:hover,
+    &:focus {
+      color: $btn-link-disabled-color;
+      text-decoration: none;
+    }
+  }
+}
+
+
+// Button Sizes
+// --------------------------------------------------
+
+.btn-lg {
+  // line-height: ensure even-numbered height of button next to large input
+  @include button-size($padding-large-vertical, $padding-large-horizontal, $font-size-large, $line-height-large, $border-radius-large);
+}
+.btn-sm {
+  // line-height: ensure proper height of button next to small input
+  @include button-size($padding-small-vertical, $padding-small-horizontal, $font-size-small, $line-height-small, $border-radius-small);
+}
+.btn-xs {
+  @include button-size($padding-xs-vertical, $padding-xs-horizontal, $font-size-small, $line-height-small, $border-radius-small);
+}
+
+
+// Block button
+// --------------------------------------------------
+
+.btn-block {
+  display: block;
+  width: 100%;
+}
+
+// Vertically space out multiple block buttons
+.btn-block + .btn-block {
+  margin-top: 5px;
+}
+
+// Specificity overrides
+input[type="submit"],
+input[type="reset"],
+input[type="button"] {
+  &.btn-block {
+    width: 100%;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_carousel.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_carousel.scss
new file mode 100644
index 0000000000..e9e2f7ce1e
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_carousel.scss
@@ -0,0 +1,243 @@
+//
+// Carousel
+// --------------------------------------------------
+
+
+// Wrapper for the slide container and indicators
+.carousel {
+  position: relative;
+}
+
+.carousel-inner {
+  position: relative;
+  overflow: hidden;
+  width: 100%;
+
+  > .item {
+    display: none;
+    position: relative;
+    @include transition(.6s ease-in-out left);
+
+    // Account for jankitude on images
+    > img,
+    > a > img {
+      @include img-responsive();
+      line-height: 1;
+    }
+  }
+
+  > .active,
+  > .next,
+  > .prev {
+    display: block;
+  }
+
+  > .active {
+    left: 0;
+  }
+
+  > .next,
+  > .prev {
+    position: absolute;
+    top: 0;
+    width: 100%;
+  }
+
+  > .next {
+    left: 100%;
+  }
+  > .prev {
+    left: -100%;
+  }
+  > .next.left,
+  > .prev.right {
+    left: 0;
+  }
+
+  > .active.left {
+    left: -100%;
+  }
+  > .active.right {
+    left: 100%;
+  }
+
+}
+
+// Left/right controls for nav
+// ---------------------------
+
+.carousel-control {
+  position: absolute;
+  top: 0;
+  left: 0;
+  bottom: 0;
+  width: $carousel-control-width;
+  @include opacity($carousel-control-opacity);
+  font-size: $carousel-control-font-size;
+  color: $carousel-control-color;
+  text-align: center;
+  text-shadow: $carousel-text-shadow;
+  // We can't have this transition here because WebKit cancels the carousel
+  // animation if you trip this while in the middle of another animation.
+
+  // Set gradients for backgrounds
+  &.left {
+    @include gradient-horizontal($start-color: rgba(0,0,0,.5), $end-color: rgba(0,0,0,.0001));
+  }
+  &.right {
+    left: auto;
+    right: 0;
+    @include gradient-horizontal($start-color: rgba(0,0,0,.0001), $end-color: rgba(0,0,0,.5));
+  }
+
+  // Hover/focus state
+  &:hover,
+  &:focus {
+    outline: 0;
+    color: $carousel-control-color;
+    text-decoration: none;
+    @include opacity(.9);
+  }
+
+  // Toggles
+  .icon-prev,
+  .icon-next,
+  .glyphicon-chevron-left,
+  .glyphicon-chevron-right {
+    position: absolute;
+    top: 50%;
+    z-index: 5;
+    display: inline-block;
+  }
+  .icon-prev,
+  .glyphicon-chevron-left {
+    left: 50%;
+    margin-left: -10px;
+  }
+  .icon-next,
+  .glyphicon-chevron-right {
+    right: 50%;
+    margin-right: -10px;
+  }
+  .icon-prev,
+  .icon-next {
+    width:  20px;
+    height: 20px;
+    margin-top: -10px;
+    font-family: serif;
+  }
+
+
+  .icon-prev {
+    &:before {
+      content: '\2039';// SINGLE LEFT-POINTING ANGLE QUOTATION MARK (U+2039)
+    }
+  }
+  .icon-next {
+    &:before {
+      content: '\203a';// SINGLE RIGHT-POINTING ANGLE QUOTATION MARK (U+203A)
+    }
+  }
+}
+
+// Optional indicator pips
+//
+// Add an unordered list with the following class and add a list item for each
+// slide your carousel holds.
+
+.carousel-indicators {
+  position: absolute;
+  bottom: 10px;
+  left: 50%;
+  z-index: 15;
+  width: 60%;
+  margin-left: -30%;
+  padding-left: 0;
+  list-style: none;
+  text-align: center;
+
+  li {
+    display: inline-block;
+    width:  10px;
+    height: 10px;
+    margin: 1px;
+    text-indent: -999px;
+    border: 1px solid $carousel-indicator-border-color;
+    border-radius: 10px;
+    cursor: pointer;
+
+    // IE8-9 hack for event handling
+    //
+    // Internet Explorer 8-9 does not support clicks on elements without a set
+    // `background-color`. We cannot use `filter` since that's not viewed as a
+    // background color by the browser. Thus, a hack is needed.
+    //
+    // For IE8, we set solid black as it doesn't support `rgba()`. For IE9, we
+    // set alpha transparency for the best results possible.
+    background-color: #000 \9; // IE8
+    background-color: rgba(0,0,0,0); // IE9
+  }
+  .active {
+    margin: 0;
+    width:  12px;
+    height: 12px;
+    background-color: $carousel-indicator-active-bg;
+  }
+}
+
+// Optional captions
+// -----------------------------
+// Hidden by default for smaller viewports
+.carousel-caption {
+  position: absolute;
+  left: 15%;
+  right: 15%;
+  bottom: 20px;
+  z-index: 10;
+  padding-top: 20px;
+  padding-bottom: 20px;
+  color: $carousel-caption-color;
+  text-align: center;
+  text-shadow: $carousel-text-shadow;
+  & .btn {
+    text-shadow: none; // No shadow for button elements in carousel-caption
+  }
+}
+
+
+// Scale up controls for tablets and up
+@media screen and (min-width: $screen-sm-min) {
+
+  // Scale up the controls a smidge
+  .carousel-control {
+    .glyphicon-chevron-left,
+    .glyphicon-chevron-right,
+    .icon-prev,
+    .icon-next {
+      width: 30px;
+      height: 30px;
+      margin-top: -15px;
+      font-size: 30px;
+    }
+    .glyphicon-chevron-left,
+    .icon-prev {
+      margin-left: -15px;
+    }
+    .glyphicon-chevron-right,
+    .icon-next {
+      margin-right: -15px;
+    }
+  }
+
+  // Show and left align the captions
+  .carousel-caption {
+    left: 20%;
+    right: 20%;
+    padding-bottom: 30px;
+  }
+
+  // Move up the indicators
+  .carousel-indicators {
+    bottom: 20px;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_close.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_close.scss
new file mode 100644
index 0000000000..62ce30fa37
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_close.scss
@@ -0,0 +1,35 @@
+//
+// Close icons
+// --------------------------------------------------
+
+
+.close {
+  float: right;
+  font-size: ($font-size-base * 1.5);
+  font-weight: $close-font-weight;
+  line-height: 1;
+  color: $close-color;
+  text-shadow: $close-text-shadow;
+  @include opacity(.2);
+
+  &:hover,
+  &:focus {
+    color: $close-color;
+    text-decoration: none;
+    cursor: pointer;
+    @include opacity(.5);
+  }
+
+  // [converter] extracted button& to button.close
+}
+
+// Additional properties for button version
+// iOS requires the button element instead of an anchor tag.
+// If you want the anchor version, it requires `href="#"`.
+button.close {
+  padding: 0;
+  cursor: pointer;
+  background: transparent;
+  border: 0;
+  -webkit-appearance: none;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_code.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_code.scss
new file mode 100644
index 0000000000..3a434b946b
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_code.scss
@@ -0,0 +1,68 @@
+//
+// Code (inline and block)
+// --------------------------------------------------
+
+
+// Inline and block code styles
+code,
+kbd,
+pre,
+samp {
+  font-family: $font-family-monospace;
+}
+
+// Inline code
+code {
+  padding: 2px 4px;
+  font-size: 90%;
+  color: $code-color;
+  background-color: $code-bg;
+  border-radius: $border-radius-base;
+}
+
+// User input typically entered via keyboard
+kbd {
+  padding: 2px 4px;
+  font-size: 90%;
+  color: $kbd-color;
+  background-color: $kbd-bg;
+  border-radius: $border-radius-small;
+  box-shadow: inset 0 -1px 0 rgba(0,0,0,.25);
+
+  kbd {
+    padding: 0;
+    font-size: 100%;
+    box-shadow: none;
+  }
+}
+
+// Blocks of code
+pre {
+  display: block;
+  padding: calc(($line-height-computed - 100%) / 2);
+  margin: 0 0 calc($line-height-computed / 2);
+  font-size: ($font-size-base - 1); // 14px to 13px
+  line-height: $line-height-base;
+  word-break: break-all;
+  word-wrap: break-word;
+  color: $pre-color;
+  background-color: $pre-bg;
+  border: 1px solid $pre-border-color;
+  border-radius: $border-radius-base;
+
+  // Account for some code outputs that place code tags in pre tags
+  code {
+    padding: 0;
+    font-size: inherit;
+    color: inherit;
+    white-space: pre-wrap;
+    background-color: transparent;
+    border-radius: 0;
+  }
+}
+
+// Enable scrollable blocks of code
+.pre-scrollable {
+  max-height: $pre-scrollable-max-height;
+  overflow-y: scroll;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_component-animations.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_component-animations.scss
new file mode 100644
index 0000000000..8c3fd07a27
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_component-animations.scss
@@ -0,0 +1,35 @@
+//
+// Component animations
+// --------------------------------------------------
+
+// Heads up!
+//
+// We don't use the `.opacity()` mixin here since it causes a bug with text
+// fields in IE7-8. Source: https://github.com/twbs/bootstrap/pull/3552.
+
+.fade {
+  opacity: 0;
+  @include transition(opacity .15s linear);
+  &.in {
+    opacity: 1;
+  }
+}
+
+.collapse {
+  display: none;
+
+  &.in      { display: block; }
+  // [converter] extracted tr&.in to tr.collapse.in
+  // [converter] extracted tbody&.in to tbody.collapse.in
+}
+
+tr.collapse.in    { display: table-row; }
+
+tbody.collapse.in { display: table-row-group; }
+
+.collapsing {
+  position: relative;
+  height: 0;
+  overflow: hidden;
+  @include transition(height .35s ease);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_dropdowns.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_dropdowns.scss
new file mode 100644
index 0000000000..df50ec0cbc
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_dropdowns.scss
@@ -0,0 +1,214 @@
+//
+// Dropdown menus
+// --------------------------------------------------
+
+
+// Dropdown arrow/caret
+.caret {
+  display: inline-block;
+  width: 0;
+  height: 0;
+  margin-left: 2px;
+  vertical-align: middle;
+  border-top:   $caret-width-base solid;
+  border-right: $caret-width-base solid transparent;
+  border-left:  $caret-width-base solid transparent;
+}
+
+// The dropdown wrapper (div)
+.dropdown {
+  position: relative;
+}
+
+// Prevent the focus on the dropdown toggle when closing dropdowns
+.dropdown-toggle:focus {
+  outline: 0;
+}
+
+// The dropdown menu (ul)
+.dropdown-menu {
+  position: absolute;
+  top: 100%;
+  left: 0;
+  z-index: $zindex-dropdown;
+  display: none; // none by default, but block on "open" of the menu
+  float: left;
+  min-width: 160px;
+  padding: 5px 0;
+  margin: 2px 0 0; // override default ul
+  list-style: none;
+  font-size: $font-size-base;
+  text-align: left; // Ensures proper alignment if parent has it changed (e.g., modal footer)
+  background-color: $dropdown-bg;
+  border: 1px solid $dropdown-fallback-border; // IE8 fallback
+  border: 1px solid $dropdown-border;
+  border-radius: $border-radius-base;
+  @include box-shadow(0 6px 12px rgba(0,0,0,.175));
+  background-clip: padding-box;
+
+  // Aligns the dropdown menu to right
+  //
+  // Deprecated as of 3.1.0 in favor of `.dropdown-menu-[dir]`
+  &.pull-right {
+    right: 0;
+    left: auto;
+  }
+
+  // Dividers (basically an hr) within the dropdown
+  .divider {
+    @include nav-divider($dropdown-divider-bg);
+  }
+
+  // Links within the dropdown menu
+  > li > a {
+    display: block;
+    padding: 3px 20px;
+    clear: both;
+    font-weight: normal;
+    line-height: $line-height-base;
+    color: $dropdown-link-color;
+    white-space: nowrap; // prevent links from randomly breaking onto new lines
+  }
+}
+
+// Hover/Focus state
+.dropdown-menu > li > a {
+  &:hover,
+  &:focus {
+    text-decoration: none;
+    color: $dropdown-link-hover-color;
+    background-color: $dropdown-link-hover-bg;
+  }
+}
+
+// Active state
+.dropdown-menu > .active > a {
+  &,
+  &:hover,
+  &:focus {
+    color: $dropdown-link-active-color;
+    text-decoration: none;
+    outline: 0;
+    background-color: $dropdown-link-active-bg;
+  }
+}
+
+// Disabled state
+//
+// Gray out text and ensure the hover/focus state remains gray
+
+.dropdown-menu > .disabled > a {
+  &,
+  &:hover,
+  &:focus {
+    color: $dropdown-link-disabled-color;
+  }
+}
+// Nuke hover/focus effects
+.dropdown-menu > .disabled > a {
+  &:hover,
+  &:focus {
+    text-decoration: none;
+    background-color: transparent;
+    background-image: none; // Remove CSS gradient
+    @include reset-filter();
+    cursor: not-allowed;
+  }
+}
+
+// Open state for the dropdown
+.open {
+  // Show the menu
+  > .dropdown-menu {
+    display: block;
+  }
+
+  // Remove the outline when :focus is triggered
+  > a {
+    outline: 0;
+  }
+}
+
+// Menu positioning
+//
+// Add extra class to `.dropdown-menu` to flip the alignment of the dropdown
+// menu with the parent.
+.dropdown-menu-right {
+  left: auto; // Reset the default from `.dropdown-menu`
+  right: 0;
+}
+// With v3, we enabled auto-flipping if you have a dropdown within a right
+// aligned nav component. To enable the undoing of that, we provide an override
+// to restore the default dropdown menu alignment.
+//
+// This is only for left-aligning a dropdown menu within a `.navbar-right` or
+// `.pull-right` nav component.
+.dropdown-menu-left {
+  left: 0;
+  right: auto;
+}
+
+// Dropdown section headers
+.dropdown-header {
+  display: block;
+  padding: 3px 20px;
+  font-size: $font-size-small;
+  line-height: $line-height-base;
+  color: $dropdown-header-color;
+  white-space: nowrap; // as with > li > a
+}
+
+// Backdrop to catch body clicks on mobile, etc.
+.dropdown-backdrop {
+  position: fixed;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  top: 0;
+  z-index: ($zindex-dropdown - 10);
+}
+
+// Right aligned dropdowns
+.pull-right > .dropdown-menu {
+  right: 0;
+  left: auto;
+}
+
+// Allow for dropdowns to go bottom up (aka, dropup-menu)
+//
+// Just add .dropup after the standard .dropdown class and you're set, bro.
+// TODO: abstract this so that the navbar fixed styles are not placed here?
+
+.dropup,
+.navbar-fixed-bottom .dropdown {
+  // Reverse the caret
+  .caret {
+    border-top: 0;
+    border-bottom: $caret-width-base solid;
+    content: "";
+  }
+  // Different positioning for bottom up menu
+  .dropdown-menu {
+    top: auto;
+    bottom: 100%;
+    margin-bottom: 1px;
+  }
+}
+
+
+// Component alignment
+//
+// Reiterate per navbar.less and the modified component alignment there.
+
+@media (min-width: $grid-float-breakpoint) {
+  .navbar-right {
+    .dropdown-menu {
+      right: 0; left: auto;
+    }
+    // Necessary for overrides of the default right aligned menu.
+    // Will remove come v4 in all likelihood.
+    .dropdown-menu-left {
+      left: 0; right: auto;
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_forms.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_forms.scss
new file mode 100644
index 0000000000..cd5e5f1bf4
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_forms.scss
@@ -0,0 +1,541 @@
+//
+// Forms
+// --------------------------------------------------
+
+
+// Normalize non-controls
+//
+// Restyle and baseline non-control form elements.
+
+fieldset {
+  padding: 0;
+  margin: 0;
+  border: 0;
+  // Chrome and Firefox set a min-width: min-content; on fieldsets,
+  // so we reset that to ensure it behaves more like a standard block element.
+  // See https://github.com/twbs/bootstrap/issues/12359.
+  min-width: 0;
+}
+
+legend {
+  display: block;
+  width: 100%;
+  padding: 0;
+  margin-bottom: $line-height-computed;
+  font-size: ($font-size-base * 1.5);
+  line-height: inherit;
+  color: $legend-color;
+  border: 0;
+  border-bottom: 1px solid $legend-border-color;
+}
+
+label {
+  display: inline-block;
+  max-width: 100%; // Force IE8 to wrap long content (see https://github.com/twbs/bootstrap/issues/13141)
+  margin-bottom: 5px;
+  font-weight: normal;
+}
+
+
+// Normalize form controls
+//
+// While most of our form styles require extra classes, some basic normalization
+// is required to ensure optimum display with or without those classes to better
+// address browser inconsistencies.
+
+// Override content-box in Normalize (isnt specific enough)
+input[type="search"] {
+  @include box-sizing(border-box);
+}
+
+// Position radios and checkboxes better
+input[type="radio"],
+input[type="checkbox"] {
+  margin: 4px 0 0;
+  margin-top: 1px \9; // IE8-9
+  line-height: normal;
+}
+
+// Set the height of file controls to match text inputs
+input[type="file"] {
+  display: block;
+}
+
+// Make range inputs behave like textual form controls
+input[type="range"] {
+  display: block;
+  width: 100%;
+}
+
+// Make multiple select elements height not fixed
+select[multiple],
+select[size] {
+  height: auto;
+}
+
+// Focus for file, radio, and checkbox
+input[type="file"]:focus,
+input[type="radio"]:focus,
+input[type="checkbox"]:focus {
+  @include tab-focus();
+}
+
+// Adjust output element
+output {
+  display: block;
+  padding-top: ($padding-base-vertical + 1);
+  font-size: $font-size-base;
+  line-height: $line-height-base;
+  color: $input-color;
+}
+
+
+// Common form controls
+//
+// Shared size and type resets for form controls. Apply `.form-control` to any
+// of the following form controls:
+//
+select,
+textarea,
+input[type="text"],
+input[type="password"],
+input[type="datetime"],
+input[type="datetime-local"],
+input[type="date"],
+input[type="month"],
+input[type="time"],
+input[type="week"],
+input[type="number"],
+input[type="email"],
+input[type="url"],
+input[type="search"],
+input[type="tel"],
+input[type="color"]
+/* .form-control */
+{
+  display: block;
+  width: 100%;
+  height: $input-height-base; // Make inputs at least the height of their button counterpart (base line-height + padding + border)
+  padding: $padding-base-vertical $padding-base-horizontal;
+  font-size: $font-size-base;
+  line-height: $line-height-base;
+  color: $input-color;
+  background-color: $input-bg;
+  background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214
+  border: 1px solid $input-border;
+  border-radius: $input-border-radius;
+  text-overflow: ellipsis;
+  max-width:450px;
+  transition:  none;
+  //@include box-shadow(inset 0 1px 1px rgba(0,0,0,.075));
+  @include transition(border-color ease-in-out .1s, box-shadow ease-in-out .1s);
+
+  // Customize the `:focus` state to imitate native WebKit styles.
+  @include form-control-focus();
+
+  // Placeholder
+  @include placeholder();
+
+  // Disabled and read-only inputs
+  //
+  // HTML5 says that controls under a fieldset > legend:first-child wont be
+  // disabled if the fieldset is disabled. Due to implementation difficulty, we
+  // dont honor that edge case; we style them as disabled anyway.
+  &[disabled],
+  &[readonly],
+  fieldset[disabled] & {
+    cursor: not-allowed;
+    background-color: $input-bg-disabled;
+    opacity: 1; // iOS fix for unreadable disabled content
+  }
+
+  // [converter] extracted textarea& to textarea.form-control
+}
+
+// Reset height for `textarea`s
+textarea{
+  height: auto;
+}
+
+
+// Search inputs in iOS
+//
+// This overrides the extra rounded corners on search inputs in iOS so that our
+// `.form-control` class can properly style them. Note that this cannot simply
+// be added to `.form-control` as its not specific enough. For details, see
+// https://github.com/twbs/bootstrap/issues/11586.
+
+input[type="search"] {
+  -webkit-appearance: none;
+}
+
+
+// Special styles for iOS temporal inputs
+//
+// In Mobile Safari, setting `display: block` on temporal inputs causes the
+// text within the input to become vertically misaligned.
+// As a workaround, we set a pixel line-height that matches the
+// given height of the input. Since this fucks up everything else, we have to
+// appropriately reset it for Internet Explorer and the size variations.
+
+input[type="date"],
+input[type="time"],
+input[type="datetime-local"],
+input[type="month"] {
+  line-height: $input-height-base;
+  // IE8+ misaligns the text within date inputs, so we reset
+  line-height: $line-height-base #{\0};
+
+  &.input-sm {
+    line-height: $input-height-small;
+  }
+  &.input-lg {
+    line-height: $input-height-large;
+  }
+}
+
+
+// Form groups
+//
+// Designed to help with the organization and spacing of vertical forms. For
+// horizontal forms, use the predefined grid classes.
+
+.form-group {
+  margin-bottom: 15px;
+}
+
+
+// Checkboxes and radios
+//
+// Indent the labels to position radios/checkboxes as hanging controls.
+
+.radio,
+.checkbox {
+  position: relative;
+  display: block;
+  min-height: $line-height-computed; // clear the floating input if there is no label text
+  margin-top: 10px;
+  margin-bottom: 10px;
+
+  label {
+    padding-left: 20px;
+    margin-bottom: 0;
+    font-weight: normal;
+    cursor: pointer;
+  }
+}
+.radio input[type="radio"],
+.radio-inline input[type="radio"],
+.checkbox input[type="checkbox"],
+.checkbox-inline input[type="checkbox"] {
+  position: absolute;
+  margin-left: -20px;
+  margin-top: 4px \9;
+}
+
+.radio + .radio,
+.checkbox + .checkbox {
+  margin-top: -5px; // Move up sibling radios or checkboxes for tighter spacing
+}
+
+// Radios and checkboxes on same line
+.radio-inline,
+.checkbox-inline {
+  display: inline-block;
+  padding-left: 20px;
+  margin-bottom: 0;
+  vertical-align: middle;
+  font-weight: normal;
+  cursor: pointer;
+}
+.radio-inline + .radio-inline,
+.checkbox-inline + .checkbox-inline {
+  margin-top: 0;
+  margin-left: 10px; // space out consecutive inline controls
+}
+
+// Apply same disabled cursor tweak as for inputs
+// Some special care is needed because <label>s don't inherit their parent's `cursor`.
+//
+// Note: Neither radios nor checkboxes can be readonly.
+input[type="radio"],
+input[type="checkbox"] {
+  &[disabled],
+  &.disabled,
+  fieldset[disabled] & {
+    cursor: not-allowed;
+  }
+}
+// These classes are used directly on <label>s
+.radio-inline,
+.checkbox-inline {
+  &.disabled,
+  fieldset[disabled] & {
+    cursor: not-allowed;
+  }
+}
+// These classes are used on elements with <label> descendants
+.radio,
+.checkbox {
+  &.disabled,
+  fieldset[disabled] & {
+    label {
+      cursor: not-allowed;
+    }
+  }
+}
+
+
+// Static form control text
+//
+// Apply class to a `p` element to make any string of text align with labels in
+// a horizontal form layout.
+
+.form-control-static {
+  // Size it appropriately next to real form controls
+  padding-top: ($padding-base-vertical + 1);
+  padding-bottom: ($padding-base-vertical + 1);
+  // Remove default margin from `p`
+  margin-bottom: 0;
+
+  &.input-lg,
+  &.input-sm {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+
+// Form control sizing
+//
+// Build on `.form-control` with modifier classes to decrease or increase the
+// height and font-size of form controls.
+
+@include input-size('.input-sm', $input-height-small, $padding-small-vertical, $padding-small-horizontal, $font-size-small, $line-height-small, $border-radius-small);
+
+@include input-size('.input-lg', $input-height-large, $padding-large-vertical, $padding-large-horizontal, $font-size-large, $line-height-large, $border-radius-large);
+
+
+// Form control feedback states
+//
+// Apply contextual and semantic states to individual form controls.
+
+.has-feedback {
+  // Enable absolute positioning
+  position: relative;
+
+  // Ensure icons dont overlap text
+  .form-control {
+    padding-right: ($input-height-base * 1.25);
+  }
+}
+// Feedback icon (requires .glyphicon classes)
+.form-control-feedback {
+  position: absolute;
+  top: ($line-height-computed + 5); // Height of the `label` and its margin
+  right: 0;
+  z-index: 2; // Ensure icon is above input groups
+  display: block;
+  width: $input-height-base;
+  height: $input-height-base;
+  line-height: $input-height-base;
+  text-align: center;
+}
+.input-lg + .form-control-feedback {
+  width: $input-height-large;
+  height: $input-height-large;
+  line-height: $input-height-large;
+}
+.input-sm + .form-control-feedback {
+  width: $input-height-small;
+  height: $input-height-small;
+  line-height: $input-height-small;
+}
+
+// Feedback states
+.has-success {
+  @include form-control-validation($state-success-text, $state-success-text, $state-success-bg);
+}
+.has-warning {
+  @include form-control-validation($state-warning-text, $state-warning-text, $state-warning-bg);
+}
+.has-error {
+  @include form-control-validation($state-danger-text, $state-danger-text, $state-danger-bg);
+}
+
+
+// Reposition feedback icon if label is hidden with "screenreader only" state
+.has-feedback label.sr-only ~ .form-control-feedback {
+  top: 0;
+}
+
+
+// Help text
+//
+// Apply to any element you wish to create light text for placement immediately
+// below a form control. Use for general help, formatting, or instructional text.
+
+.help-block {
+  display: block; // account for any element using help-block
+  margin-top: 5px;
+  margin-bottom: 10px;
+  color: lighten($text-color, 25%); // lighten the text some for contrast
+}
+
+
+
+// Inline forms
+//
+// Make forms appear inline(-block) by adding the `.form-inline` class. Inline
+// forms begin stacked on extra small (mobile) devices and then go inline when
+// viewports reach <768px.
+//
+// Requires wrapping inputs and labels with `.form-group` for proper display of
+// default HTML form controls and our custom form controls (e.g., input groups).
+//
+// Heads up! This is mixin-ed into `.navbar-form` in navbars.less.
+
+.form-inline {
+
+  // Kick in the inline
+  @media (min-width: $screen-sm-min) {
+    // Inline-block all the things for "inline"
+    .form-group {
+      display: inline-block;
+      margin-bottom: 0;
+      vertical-align: middle;
+    }
+
+    // In navbar-form, allow folks to *not* use `.form-group`
+    .form-control {
+      display: inline-block;
+      width: auto; // Prevent labels from stacking above inputs in `.form-group`
+      vertical-align: middle;
+    }
+
+    .input-group {
+      display: inline-table;
+      vertical-align: middle;
+
+      .input-group-addon,
+      .input-group-btn,
+      .form-control {
+        width: auto;
+      }
+    }
+
+    // Input groups need that 100% width though
+    .input-group > .form-control {
+      width: 100%;
+    }
+
+    .control-label {
+      margin-bottom: 0;
+      vertical-align: middle;
+    }
+
+    // Remove default margin on radios/checkboxes that were used for stacking, and
+    // then undo the floating of radios and checkboxes to match (which also avoids
+    // a bug in WebKit: https://github.com/twbs/bootstrap/issues/1969).
+    .radio,
+    .checkbox {
+      display: inline-block;
+      margin-top: 0;
+      margin-bottom: 0;
+      vertical-align: middle;
+
+      label {
+        padding-left: 0;
+      }
+    }
+    .radio input[type="radio"],
+    .checkbox input[type="checkbox"] {
+      position: relative;
+      margin-left: 0;
+    }
+
+    // Validation states
+    //
+    // Reposition the icon because its now within a grid column and columns have
+    // `position: relative;` on them. Also accounts for the grid gutter padding.
+    .has-feedback .form-control-feedback {
+      top: 0;
+    }
+  }
+}
+
+
+// Horizontal forms
+//
+// Horizontal forms are built on grid classes and allow you to create forms with
+// labels on the left and inputs on the right.
+
+.form-horizontal {
+
+  // Consistent vertical alignment of radios and checkboxes
+  //
+  // Labels also get some reset styles, but that is scoped to a media query below.
+  .radio,
+  .checkbox,
+  .radio-inline,
+  .checkbox-inline {
+    margin-top: 0;
+    margin-bottom: 0;
+    padding-top: ($padding-base-vertical + 1); // Default padding plus a border
+  }
+  // Account for padding we're adding to ensure the alignment and of help text
+  // and other content below items
+  .radio,
+  .checkbox {
+    min-height: ($line-height-computed + ($padding-base-vertical + 1));
+  }
+
+  // Make form groups behave like rows
+  .form-group {
+    @include make-row();
+  }
+
+  // Reset spacing and right align labels, but scope to media queries so that
+  // labels on narrow viewports stack the same as a default form example.
+  @media (min-width: $screen-sm-min) {
+    .control-label {
+      text-align: right;
+      margin-bottom: 0;
+      padding-top: ($padding-base-vertical + 1); // Default padding plus a border
+    }
+  }
+
+  // Validation states
+  //
+  // Reposition the icon because it's now within a grid column and columns have
+  // `position: relative;` on them. Also accounts for the grid gutter padding.
+  .has-feedback control-feedback {
+    top: 0;
+    right: calc($grid-gutter-width / 2);
+  }
+
+  // Form group sizes
+  //
+  // Quick utility class for applying `.input-lg` and `.input-sm` styles to the
+  // inputs and labels within a `.form-group`.
+  .form-group-lg {
+    @media (min-width: $screen-sm-min) {
+      .control-label {
+        padding-top: (($padding-large-vertical * $line-height-large) + 1);
+      }
+    }
+    .form-control {
+      @extend .input-lg;
+    }
+  }
+  .form-group-sm {
+    @media (min-width: $screen-sm-min) {
+      .control-label {
+        padding-top: ($padding-small-vertical + 1);
+      }
+    }
+    .form-control {
+      @extend .input-sm;
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_glyphicons.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_glyphicons.scss
new file mode 100644
index 0000000000..0f6ad34520
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_glyphicons.scss
@@ -0,0 +1,237 @@
+//= depend_on "bootstrap/glyphicons-halflings-regular.eot"
+//= depend_on "bootstrap/glyphicons-halflings-regular.svg"
+//= depend_on "bootstrap/glyphicons-halflings-regular.ttf"
+//= depend_on "bootstrap/glyphicons-halflings-regular.woff"
+//
+// Glyphicons for Bootstrap
+//
+// Since icons are fonts, they can be placed anywhere text is placed and are
+// thus automatically sized to match the surrounding child. To use, create an
+// inline element with the appropriate classes, like so:
+//
+// <a href="#"><span class="glyphicon glyphicon-star"></span> Star</a>
+
+// Import the fonts
+@font-face {
+  font-family: 'Glyphicons Halflings';
+  src: url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.eot'), '#{$icon-font-path}#{$icon-font-name}.eot'));
+  src: url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.eot?#iefix'), '#{$icon-font-path}#{$icon-font-name}.eot?#iefix')) format('embedded-opentype'),
+       url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.woff'), '#{$icon-font-path}#{$icon-font-name}.woff')) format('woff'),
+       url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.ttf'), '#{$icon-font-path}#{$icon-font-name}.ttf')) format('truetype'),
+       url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.svg##{$icon-font-svg-id}'), '#{$icon-font-path}#{$icon-font-name}.svg##{$icon-font-svg-id}')) format('svg');
+}
+
+// Catchall baseclass
+.glyphicon {
+  position: relative;
+  top: 1px;
+  display: inline-block;
+  font-family: 'Glyphicons Halflings';
+  font-style: normal;
+  font-weight: normal;
+  line-height: 1;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+// Individual icons
+.glyphicon-asterisk               { &:before { content: "\2a"; } }
+.glyphicon-plus                   { &:before { content: "\2b"; } }
+.glyphicon-euro                   { &:before { content: "\20ac"; } }
+.glyphicon-minus                  { &:before { content: "\2212"; } }
+.glyphicon-cloud                  { &:before { content: "\2601"; } }
+.glyphicon-envelope               { &:before { content: "\2709"; } }
+.glyphicon-pencil                 { &:before { content: "\270f"; } }
+.glyphicon-glass                  { &:before { content: "\e001"; } }
+.glyphicon-music                  { &:before { content: "\e002"; } }
+.glyphicon-search                 { &:before { content: "\e003"; } }
+.glyphicon-heart                  { &:before { content: "\e005"; } }
+.glyphicon-star                   { &:before { content: "\e006"; } }
+.glyphicon-star-empty             { &:before { content: "\e007"; } }
+.glyphicon-user                   { &:before { content: "\e008"; } }
+.glyphicon-film                   { &:before { content: "\e009"; } }
+.glyphicon-th-large               { &:before { content: "\e010"; } }
+.glyphicon-th                     { &:before { content: "\e011"; } }
+.glyphicon-th-list                { &:before { content: "\e012"; } }
+.glyphicon-ok                     { &:before { content: "\e013"; } }
+.glyphicon-remove                 { &:before { content: "\e014"; } }
+.glyphicon-zoom-in                { &:before { content: "\e015"; } }
+.glyphicon-zoom-out               { &:before { content: "\e016"; } }
+.glyphicon-off                    { &:before { content: "\e017"; } }
+.glyphicon-signal                 { &:before { content: "\e018"; } }
+.glyphicon-cog                    { &:before { content: "\e019"; } }
+.glyphicon-trash                  { &:before { content: "\e020"; } }
+.glyphicon-home                   { &:before { content: "\e021"; } }
+.glyphicon-file                   { &:before { content: "\e022"; } }
+.glyphicon-time                   { &:before { content: "\e023"; } }
+.glyphicon-road                   { &:before { content: "\e024"; } }
+.glyphicon-download-alt           { &:before { content: "\e025"; } }
+.glyphicon-download               { &:before { content: "\e026"; } }
+.glyphicon-upload                 { &:before { content: "\e027"; } }
+.glyphicon-inbox                  { &:before { content: "\e028"; } }
+.glyphicon-play-circle            { &:before { content: "\e029"; } }
+.glyphicon-repeat                 { &:before { content: "\e030"; } }
+.glyphicon-refresh                { &:before { content: "\e031"; } }
+.glyphicon-list-alt               { &:before { content: "\e032"; } }
+.glyphicon-lock                   { &:before { content: "\e033"; } }
+.glyphicon-flag                   { &:before { content: "\e034"; } }
+.glyphicon-headphones             { &:before { content: "\e035"; } }
+.glyphicon-volume-off             { &:before { content: "\e036"; } }
+.glyphicon-volume-down            { &:before { content: "\e037"; } }
+.glyphicon-volume-up              { &:before { content: "\e038"; } }
+.glyphicon-qrcode                 { &:before { content: "\e039"; } }
+.glyphicon-barcode                { &:before { content: "\e040"; } }
+.glyphicon-tag                    { &:before { content: "\e041"; } }
+.glyphicon-tags                   { &:before { content: "\e042"; } }
+.glyphicon-book                   { &:before { content: "\e043"; } }
+.glyphicon-bookmark               { &:before { content: "\e044"; } }
+.glyphicon-print                  { &:before { content: "\e045"; } }
+.glyphicon-camera                 { &:before { content: "\e046"; } }
+.glyphicon-font                   { &:before { content: "\e047"; } }
+.glyphicon-bold                   { &:before { content: "\e048"; } }
+.glyphicon-italic                 { &:before { content: "\e049"; } }
+.glyphicon-text-height            { &:before { content: "\e050"; } }
+.glyphicon-text-width             { &:before { content: "\e051"; } }
+.glyphicon-align-left             { &:before { content: "\e052"; } }
+.glyphicon-align-center           { &:before { content: "\e053"; } }
+.glyphicon-align-right            { &:before { content: "\e054"; } }
+.glyphicon-align-justify          { &:before { content: "\e055"; } }
+.glyphicon-list                   { &:before { content: "\e056"; } }
+.glyphicon-indent-left            { &:before { content: "\e057"; } }
+.glyphicon-indent-right           { &:before { content: "\e058"; } }
+.glyphicon-facetime-video         { &:before { content: "\e059"; } }
+.glyphicon-picture                { &:before { content: "\e060"; } }
+.glyphicon-map-marker             { &:before { content: "\e062"; } }
+.glyphicon-adjust                 { &:before { content: "\e063"; } }
+.glyphicon-tint                   { &:before { content: "\e064"; } }
+.glyphicon-edit                   { &:before { content: "\e065"; } }
+.glyphicon-share                  { &:before { content: "\e066"; } }
+.glyphicon-check                  { &:before { content: "\e067"; } }
+.glyphicon-move                   { &:before { content: "\e068"; } }
+.glyphicon-step-backward          { &:before { content: "\e069"; } }
+.glyphicon-fast-backward          { &:before { content: "\e070"; } }
+.glyphicon-backward               { &:before { content: "\e071"; } }
+.glyphicon-play                   { &:before { content: "\e072"; } }
+.glyphicon-pause                  { &:before { content: "\e073"; } }
+.glyphicon-stop                   { &:before { content: "\e074"; } }
+.glyphicon-forward                { &:before { content: "\e075"; } }
+.glyphicon-fast-forward           { &:before { content: "\e076"; } }
+.glyphicon-step-forward           { &:before { content: "\e077"; } }
+.glyphicon-eject                  { &:before { content: "\e078"; } }
+.glyphicon-chevron-left           { &:before { content: "\e079"; } }
+.glyphicon-chevron-right          { &:before { content: "\e080"; } }
+.glyphicon-plus-sign              { &:before { content: "\e081"; } }
+.glyphicon-minus-sign             { &:before { content: "\e082"; } }
+.glyphicon-remove-sign            { &:before { content: "\e083"; } }
+.glyphicon-ok-sign                { &:before { content: "\e084"; } }
+.glyphicon-question-sign          { &:before { content: "\e085"; } }
+.glyphicon-info-sign              { &:before { content: "\e086"; } }
+.glyphicon-screenshot             { &:before { content: "\e087"; } }
+.glyphicon-remove-circle          { &:before { content: "\e088"; } }
+.glyphicon-ok-circle              { &:before { content: "\e089"; } }
+.glyphicon-ban-circle             { &:before { content: "\e090"; } }
+.glyphicon-arrow-left             { &:before { content: "\e091"; } }
+.glyphicon-arrow-right            { &:before { content: "\e092"; } }
+.glyphicon-arrow-up               { &:before { content: "\e093"; } }
+.glyphicon-arrow-down             { &:before { content: "\e094"; } }
+.glyphicon-share-alt              { &:before { content: "\e095"; } }
+.glyphicon-resize-full            { &:before { content: "\e096"; } }
+.glyphicon-resize-small           { &:before { content: "\e097"; } }
+.glyphicon-exclamation-sign       { &:before { content: "\e101"; } }
+.glyphicon-gift                   { &:before { content: "\e102"; } }
+.glyphicon-leaf                   { &:before { content: "\e103"; } }
+.glyphicon-fire                   { &:before { content: "\e104"; } }
+.glyphicon-eye-open               { &:before { content: "\e105"; } }
+.glyphicon-eye-close              { &:before { content: "\e106"; } }
+.glyphicon-warning-sign           { &:before { content: "\e107"; } }
+.glyphicon-plane                  { &:before { content: "\e108"; } }
+.glyphicon-calendar               { &:before { content: "\e109"; } }
+.glyphicon-random                 { &:before { content: "\e110"; } }
+.glyphicon-comment                { &:before { content: "\e111"; } }
+.glyphicon-magnet                 { &:before { content: "\e112"; } }
+.glyphicon-chevron-up             { &:before { content: "\e113"; } }
+.glyphicon-chevron-down           { &:before { content: "\e114"; } }
+.glyphicon-retweet                { &:before { content: "\e115"; } }
+.glyphicon-shopping-cart          { &:before { content: "\e116"; } }
+.glyphicon-folder-close           { &:before { content: "\e117"; } }
+.glyphicon-folder-open            { &:before { content: "\e118"; } }
+.glyphicon-resize-vertical        { &:before { content: "\e119"; } }
+.glyphicon-resize-horizontal      { &:before { content: "\e120"; } }
+.glyphicon-hdd                    { &:before { content: "\e121"; } }
+.glyphicon-bullhorn               { &:before { content: "\e122"; } }
+.glyphicon-bell                   { &:before { content: "\e123"; } }
+.glyphicon-certificate            { &:before { content: "\e124"; } }
+.glyphicon-thumbs-up              { &:before { content: "\e125"; } }
+.glyphicon-thumbs-down            { &:before { content: "\e126"; } }
+.glyphicon-hand-right             { &:before { content: "\e127"; } }
+.glyphicon-hand-left              { &:before { content: "\e128"; } }
+.glyphicon-hand-up                { &:before { content: "\e129"; } }
+.glyphicon-hand-down              { &:before { content: "\e130"; } }
+.glyphicon-circle-arrow-right     { &:before { content: "\e131"; } }
+.glyphicon-circle-arrow-left      { &:before { content: "\e132"; } }
+.glyphicon-circle-arrow-up        { &:before { content: "\e133"; } }
+.glyphicon-circle-arrow-down      { &:before { content: "\e134"; } }
+.glyphicon-globe                  { &:before { content: "\e135"; } }
+.glyphicon-wrench                 { &:before { content: "\e136"; } }
+.glyphicon-tasks                  { &:before { content: "\e137"; } }
+.glyphicon-filter                 { &:before { content: "\e138"; } }
+.glyphicon-briefcase              { &:before { content: "\e139"; } }
+.glyphicon-fullscreen             { &:before { content: "\e140"; } }
+.glyphicon-dashboard              { &:before { content: "\e141"; } }
+.glyphicon-paperclip              { &:before { content: "\e142"; } }
+.glyphicon-heart-empty            { &:before { content: "\e143"; } }
+.glyphicon-link                   { &:before { content: "\e144"; } }
+.glyphicon-phone                  { &:before { content: "\e145"; } }
+.glyphicon-pushpin                { &:before { content: "\e146"; } }
+.glyphicon-usd                    { &:before { content: "\e148"; } }
+.glyphicon-gbp                    { &:before { content: "\e149"; } }
+.glyphicon-sort                   { &:before { content: "\e150"; } }
+.glyphicon-sort-by-alphabet       { &:before { content: "\e151"; } }
+.glyphicon-sort-by-alphabet-alt   { &:before { content: "\e152"; } }
+.glyphicon-sort-by-order          { &:before { content: "\e153"; } }
+.glyphicon-sort-by-order-alt      { &:before { content: "\e154"; } }
+.glyphicon-sort-by-attributes     { &:before { content: "\e155"; } }
+.glyphicon-sort-by-attributes-alt { &:before { content: "\e156"; } }
+.glyphicon-unchecked              { &:before { content: "\e157"; } }
+.glyphicon-expand                 { &:before { content: "\e158"; } }
+.glyphicon-collapse-down          { &:before { content: "\e159"; } }
+.glyphicon-collapse-up            { &:before { content: "\e160"; } }
+.glyphicon-log-in                 { &:before { content: "\e161"; } }
+.glyphicon-flash                  { &:before { content: "\e162"; } }
+.glyphicon-log-out                { &:before { content: "\e163"; } }
+.glyphicon-new-window             { &:before { content: "\e164"; } }
+.glyphicon-record                 { &:before { content: "\e165"; } }
+.glyphicon-save                   { &:before { content: "\e166"; } }
+.glyphicon-open                   { &:before { content: "\e167"; } }
+.glyphicon-saved                  { &:before { content: "\e168"; } }
+.glyphicon-import                 { &:before { content: "\e169"; } }
+.glyphicon-export                 { &:before { content: "\e170"; } }
+.glyphicon-send                   { &:before { content: "\e171"; } }
+.glyphicon-floppy-disk            { &:before { content: "\e172"; } }
+.glyphicon-floppy-saved           { &:before { content: "\e173"; } }
+.glyphicon-floppy-remove          { &:before { content: "\e174"; } }
+.glyphicon-floppy-save            { &:before { content: "\e175"; } }
+.glyphicon-floppy-open            { &:before { content: "\e176"; } }
+.glyphicon-credit-card            { &:before { content: "\e177"; } }
+.glyphicon-transfer               { &:before { content: "\e178"; } }
+.glyphicon-cutlery                { &:before { content: "\e179"; } }
+.glyphicon-header                 { &:before { content: "\e180"; } }
+.glyphicon-compressed             { &:before { content: "\e181"; } }
+.glyphicon-earphone               { &:before { content: "\e182"; } }
+.glyphicon-phone-alt              { &:before { content: "\e183"; } }
+.glyphicon-tower                  { &:before { content: "\e184"; } }
+.glyphicon-stats                  { &:before { content: "\e185"; } }
+.glyphicon-sd-video               { &:before { content: "\e186"; } }
+.glyphicon-hd-video               { &:before { content: "\e187"; } }
+.glyphicon-subtitles              { &:before { content: "\e188"; } }
+.glyphicon-sound-stereo           { &:before { content: "\e189"; } }
+.glyphicon-sound-dolby            { &:before { content: "\e190"; } }
+.glyphicon-sound-5-1              { &:before { content: "\e191"; } }
+.glyphicon-sound-6-1              { &:before { content: "\e192"; } }
+.glyphicon-sound-7-1              { &:before { content: "\e193"; } }
+.glyphicon-copyright-mark         { &:before { content: "\e194"; } }
+.glyphicon-registration-mark      { &:before { content: "\e195"; } }
+.glyphicon-cloud-download         { &:before { content: "\e197"; } }
+.glyphicon-cloud-upload           { &:before { content: "\e198"; } }
+.glyphicon-tree-conifer           { &:before { content: "\e199"; } }
+.glyphicon-tree-deciduous         { &:before { content: "\e200"; } }
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_grid.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_grid.scss
new file mode 100644
index 0000000000..f71f8b9015
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_grid.scss
@@ -0,0 +1,84 @@
+//
+// Grid system
+// --------------------------------------------------
+
+
+// Container widths
+//
+// Set the container width, and override it for fixed navbars in media queries.
+
+.container {
+  @include container-fixed();
+
+  @media (min-width: $screen-sm-min) {
+    width: $container-sm;
+  }
+  @media (min-width: $screen-md-min) {
+    width: $container-md;
+  }
+  @media (min-width: $screen-lg-min) {
+    width: $container-lg;
+  }
+}
+
+
+// Fluid container
+//
+// Utilizes the mixin meant for fixed width containers, but without any defined
+// width for fluid, full width layouts.
+
+.container-fluid {
+  @include container-fixed();
+}
+
+
+// Row
+//
+// Rows contain and clear the floats of your columns.
+
+.row {
+  @include make-row();
+}
+
+
+// Columns
+//
+// Common styles for small and large grid columns
+
+@include make-grid-columns();
+
+
+// Extra small grid
+//
+// Columns, offsets, pushes, and pulls for extra small devices like
+// smartphones.
+
+@include make-grid(xs);
+
+
+// Small grid
+//
+// Columns, offsets, pushes, and pulls for the small device range, from phones
+// to tablets.
+
+@media (min-width: $screen-sm-min) {
+  @include make-grid(sm);
+}
+
+
+// Medium grid
+//
+// Columns, offsets, pushes, and pulls for the desktop device range.
+
+@media (min-width: $screen-md-min) {
+  @include make-grid(md);
+}
+
+
+// Large grid
+//
+// Columns, offsets, pushes, and pulls for the large desktop device range.
+
+@media (min-width: $screen-lg-min) {
+  @include make-grid(lg);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_input-groups.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_input-groups.scss
new file mode 100644
index 0000000000..f56322e3ba
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_input-groups.scss
@@ -0,0 +1,166 @@
+//
+// Input groups
+// --------------------------------------------------
+
+// Base styles
+// -------------------------
+.input-group {
+  position: relative; // For dropdowns
+  display: table;
+  border-collapse: separate; // prevent input groups from inheriting border styles from table cells when placed within a table
+
+  // Undo padding and float of grid classes
+  &[class*="col-"] {
+    float: none;
+    padding-left: 0;
+    padding-right: 0;
+  }
+
+  .form-control {
+    // Ensure that the input is always above the *appended* addon button for
+    // proper border colors.
+    position: relative;
+    z-index: 2;
+
+    // IE9 fubars the placeholder attribute in text inputs and the arrows on
+    // select elements in input groups. To fix it, we float the input. Details:
+    // https://github.com/twbs/bootstrap/issues/11561#issuecomment-28936855
+    float: left;
+
+    width: 100%;
+    margin-bottom: 0;
+  }
+}
+
+// Sizing options
+//
+// Remix the default form control sizing classes into new ones for easier
+// manipulation.
+
+.input-group-lg > .form-control,
+.input-group-lg > .input-group-addon,
+.input-group-lg > .input-group-btn > .btn {
+  @extend .input-lg;
+}
+.input-group-sm > .form-control,
+.input-group-sm > .input-group-addon,
+.input-group-sm > .input-group-btn > .btn {
+  @extend .input-sm;
+}
+
+
+// Display as table-cell
+// -------------------------
+.input-group-addon,
+.input-group-btn,
+.input-group .form-control {
+  display: table-cell;
+
+  &:not(:first-child):not(:last-child) {
+    border-radius: 0;
+  }
+}
+// Addon and addon wrapper for buttons
+.input-group-addon,
+.input-group-btn {
+  width: 1%;
+  white-space: nowrap;
+  vertical-align: middle; // Match the inputs
+}
+
+// Text input groups
+// -------------------------
+.input-group-addon {
+  padding: $padding-base-vertical $padding-base-horizontal;
+  font-size: $font-size-base;
+  font-weight: normal;
+  line-height: 1;
+  color: $input-color;
+  text-align: center;
+  background-color: $input-group-addon-bg;
+  border: 1px solid $input-group-addon-border-color;
+  border-radius: $border-radius-base;
+
+  // Sizing
+  &.input-sm {
+    padding: $padding-small-vertical $padding-small-horizontal;
+    font-size: $font-size-small;
+    border-radius: $border-radius-small;
+  }
+  &.input-lg {
+    padding: $padding-large-vertical $padding-large-horizontal;
+    font-size: $font-size-large;
+    border-radius: $border-radius-large;
+  }
+
+  // Nuke default margins from checkboxes and radios to vertically center within.
+  input[type="radio"],
+  input[type="checkbox"] {
+    margin-top: 0;
+  }
+}
+
+// Reset rounded corners
+.input-group .form-control:first-child,
+.input-group-addon:first-child,
+.input-group-btn:first-child > .btn,
+.input-group-btn:first-child > .btn-group > .btn,
+.input-group-btn:first-child > .dropdown-toggle,
+.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),
+.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {
+  @include border-right-radius(0);
+}
+.input-group-addon:first-child {
+  border-right: 0;
+}
+.input-group .form-control:last-child,
+.input-group-addon:last-child,
+.input-group-btn:last-child > .btn,
+.input-group-btn:last-child > .btn-group > .btn,
+.input-group-btn:last-child > .dropdown-toggle,
+.input-group-btn:first-child > .btn:not(:first-child),
+.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {
+  @include border-left-radius(0);
+}
+.input-group-addon:last-child {
+  border-left: 0;
+}
+
+// Button input groups
+// -------------------------
+.input-group-btn {
+  position: relative;
+  // Jankily prevent input button groups from wrapping with `white-space` and
+  // `font-size` in combination with `inline-block` on buttons.
+  font-size: 0;
+  white-space: nowrap;
+
+  // Negative margin for spacing, position for bringing hovered/focused/activated
+  // element above the siblings.
+  > .btn {
+    position: relative;
+    + .btn {
+      margin-left: -1px;
+    }
+    // Bring the "active" button to the front
+    &:hover,
+    &:focus,
+    &:active {
+      z-index: 2;
+    }
+  }
+
+  // Negative margin to only have a 1px border between the two
+  &:first-child {
+    > .btn,
+    > .btn-group {
+      margin-right: -1px;
+    }
+  }
+  &:last-child {
+    > .btn,
+    > .btn-group {
+      margin-left: -1px;
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_jumbotron.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_jumbotron.scss
new file mode 100644
index 0000000000..110c97f54b
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_jumbotron.scss
@@ -0,0 +1,48 @@
+//
+// Jumbotron
+// --------------------------------------------------
+
+
+.jumbotron {
+  padding: $jumbotron-padding;
+  margin-bottom: $jumbotron-padding;
+  color: $jumbotron-color;
+  background-color: $jumbotron-bg;
+
+  h1,
+  .h1 {
+    color: $jumbotron-heading-color;
+  }
+  p {
+    margin-bottom: calc($jumbotron-padding / 2);
+    font-size: $jumbotron-font-size;
+    font-weight: 200;
+  }
+
+  > hr {
+    border-top-color: darken($jumbotron-bg, 10%);
+  }
+
+  .container & {
+    border-radius: $border-radius-large; // Only round corners at higher resolutions if contained in a container
+  }
+
+  .container {
+    max-width: 100%;
+  }
+
+  @media screen and (min-width: $screen-sm-min) {
+    padding-top:    ($jumbotron-padding * 1.6);
+    padding-bottom: ($jumbotron-padding * 1.6);
+
+    .container & {
+      padding-left:  ($jumbotron-padding * 2);
+      padding-right: ($jumbotron-padding * 2);
+    }
+
+    h1,
+    .h1 {
+      font-size: ($font-size-base * 4.5);
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_labels.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_labels.scss
new file mode 100644
index 0000000000..42ed6ea123
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_labels.scss
@@ -0,0 +1,66 @@
+//
+// Labels
+// --------------------------------------------------
+
+.label {
+  display: inline;
+  padding: .2em .6em .3em;
+  font-size: 75%;
+  font-weight: bold;
+  line-height: 1;
+  color: $label-color;
+  text-align: center;
+  white-space: nowrap;
+  vertical-align: baseline;
+  border-radius: .25em;
+
+  // [converter] extracted a& to a.label
+
+  // Empty labels collapse automatically (not available in IE8)
+  &:empty {
+    display: none;
+  }
+
+  // Quick fix for labels in buttons
+  .btn & {
+    position: relative;
+    top: -1px;
+  }
+}
+
+// Add hover effects, but only for links
+a.label {
+  &:hover,
+  &:focus {
+    color: $label-link-hover-color;
+    text-decoration: none;
+    cursor: pointer;
+  }
+}
+
+// Colors
+// Contextual variations (linked labels get darker on :hover)
+
+.label-default {
+  @include label-variant($label-default-bg);
+}
+
+.label-primary {
+  @include label-variant($label-primary-bg);
+}
+
+.label-success {
+  @include label-variant($label-success-bg);
+}
+
+.label-info {
+  @include label-variant($label-info-bg);
+}
+
+.label-warning {
+  @include label-variant($label-warning-bg);
+}
+
+.label-danger {
+  @include label-variant($label-danger-bg);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_list-group.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_list-group.scss
new file mode 100644
index 0000000000..63027b8802
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_list-group.scss
@@ -0,0 +1,159 @@
+//
+// List groups
+// --------------------------------------------------
+
+
+// Base class
+//
+// Easily usable on <ul>, <ol>, or <div>.
+
+.list-group {
+  // No need to set list-style: none; since .list-group-item is block level
+  margin-bottom: 20px;
+  padding-left: 0; // reset padding because ul and ol
+}
+
+
+// Individual list items
+//
+// Use on `li`s or `div`s within the `.list-group` parent.
+
+.list-group-item {
+  position: relative;
+  display: block;
+  padding: 6px 8px;
+  // Place the border on the list items and negative margin up for better styling
+  margin-bottom: -1px;
+  background-color: $list-group-bg;
+  //border: 1px solid $list-group-border;
+
+  // Round the first and last items
+  &:first-child {
+  }
+  &:last-child {
+    margin-bottom: 0;
+  }
+
+  // Align badges within list items
+  > .badge {
+    float: right;
+  }
+  > .badge + .badge {
+    margin-right: 5px;
+  }
+}
+
+
+// Linked list items
+//
+// Use anchor elements instead of `li`s or `div`s to create linked list items.
+// Includes an extra `.active` modifier class for showing selected items.
+
+a.list-group-item {
+  color: $list-group-link-color;
+  border-radius: 0;
+
+  .list-group-item-heading {
+    color: $list-group-link-heading-color;
+  }
+
+  // Hover state
+  &:hover,
+  &:focus {
+    text-decoration: none;
+    color: $list-group-link-hover-color;
+    background-color: $list-group-hover-bg;
+
+     &:before{
+		background: $list-group-active-border;
+		  content: "";
+		  height: 42px;
+		  left: 0;
+		  position: absolute;
+		  top:0;
+		  width: 3px;
+	  }
+  }
+}
+
+.list-group-item {
+  // Disabled state
+  &.disabled,
+  &.disabled:hover,
+  &.disabled:focus {
+    background-color: $list-group-disabled-bg;
+    color: $list-group-disabled-color;
+
+    // Force color to inherit for custom content
+    .list-group-item-heading {
+      color: inherit;
+    }
+    .list-group-item-text {
+      color: $list-group-disabled-text-color;
+    }
+  }
+
+  // Active class on item itself, not parent
+  &.active,
+  &.active:hover,
+  &.active:focus {
+    z-index: 2; // Place active items above their siblings for proper border styling
+
+ &:before{
+		background: $list-group-active-border;
+		  content: "";
+		  height: 42px;
+		  left: 0;
+		  position: absolute;
+		  top:0px;
+		  width: 3px;
+	  }
+
+    // Force color to inherit for custom content
+    .list-group-item-heading,
+    .list-group-item-heading > small,
+    .list-group-item-heading > .small {
+      color: inherit;
+    }
+    .list-group-item-text {
+      color: $list-group-active-text-color;
+    }
+
+    +.collapse > .list-group-item{
+	      &:before{
+		background: $list-group-active-border;
+		  content: "";
+		  height: 42px;
+		  left: 0;
+		  position: absolute;
+		  top:0px;
+		  width: 3px;
+	  }
+    }
+  }
+}
+
+
+// Contextual variants
+//
+// Add modifier classes to change text and background color on individual items.
+// Organizationally, this must come after the `:hover` states.
+
+@include list-group-item-variant(success, $state-success-bg, $state-success-text);
+@include list-group-item-variant(info, $state-info-bg, $state-info-text);
+@include list-group-item-variant(warning, $state-warning-bg, $state-warning-text);
+@include list-group-item-variant(danger, $state-danger-bg, $state-danger-text);
+
+
+// Custom content options
+//
+// Extra classes for creating well-formatted content within `.list-group-item`s.
+
+.list-group-item-heading {
+  margin-top: 0;
+  margin-bottom: 5px;
+}
+.list-group-item-text {
+  margin-bottom: 0;
+  line-height: 1.3;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_media.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_media.scss
new file mode 100644
index 0000000000..5ad22cd6d5
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_media.scss
@@ -0,0 +1,56 @@
+// Media objects
+// Source: http://stubbornella.org/content/?p=497
+// --------------------------------------------------
+
+
+// Common styles
+// -------------------------
+
+// Clear the floats
+.media,
+.media-body {
+  overflow: hidden;
+  zoom: 1;
+}
+
+// Proper spacing between instances of .media
+.media,
+.media .media {
+  margin-top: 15px;
+}
+.media:first-child {
+  margin-top: 0;
+}
+
+// For images and videos, set to block
+.media-object {
+  display: block;
+}
+
+// Reset margins on headings for tighter default spacing
+.media-heading {
+  margin: 0 0 5px;
+}
+
+
+// Media image alignment
+// -------------------------
+
+.media {
+  > .pull-left {
+    margin-right: 10px;
+  }
+  > .pull-right {
+    margin-left: 10px;
+  }
+}
+
+
+// Media list variation
+// -------------------------
+
+// Undo default ul/ol styles
+.media-list {
+  padding-left: 0;
+  list-style: none;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_mixins.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_mixins.scss
new file mode 100644
index 0000000000..b565f013a4
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_mixins.scss
@@ -0,0 +1,39 @@
+// Mixins
+// --------------------------------------------------
+
+// Utilities
+@import "mixins/hide-text";
+@import "mixins/opacity";
+@import "mixins/image";
+@import "mixins/labels";
+@import "mixins/reset-filter";
+@import "mixins/resize";
+@import "mixins/responsive-visibility";
+@import "mixins/size";
+@import "mixins/tab-focus";
+@import "mixins/text-emphasis";
+@import "mixins/text-overflow";
+@import "mixins/vendor-prefixes";
+
+// Components
+@import "mixins/alerts";
+@import "mixins/buttons";
+@import "mixins/panels";
+@import "mixins/pagination";
+@import "mixins/list-group";
+@import "mixins/nav-divider";
+@import "mixins/forms";
+@import "mixins/progress-bar";
+@import "mixins/table-row";
+
+// Skins
+@import "mixins/background-variant";
+@import "mixins/border-radius";
+@import "mixins/gradients";
+
+// Layout
+@import "mixins/clearfix";
+@import "mixins/center-block";
+@import "mixins/nav-vertical-align";
+@import "mixins/grid-framework";
+@import "mixins/grid";
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_modals.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_modals.scss
new file mode 100644
index 0000000000..df980e55cd
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_modals.scss
@@ -0,0 +1,150 @@
+//
+// Modals
+// --------------------------------------------------
+
+// .modal-open      - body class for killing the scroll
+// .modal           - container to scroll within
+// .modal-dialog    - positioning shell for the actual modal
+// .modal-content   - actual modal w/ bg and corners and shit
+
+// Kill the scroll on the body
+.modal-open {
+  overflow: hidden;
+}
+
+// Container that the modal scrolls within
+.modal {
+  display: none;
+  overflow: hidden;
+  position: fixed;
+  top: 0;
+  right: 0;
+  bottom: 0;
+  left: 0;
+  z-index: $zindex-modal;
+  -webkit-overflow-scrolling: touch;
+
+  // Prevent Chrome on Windows from adding a focus outline. For details, see
+  // https://github.com/twbs/bootstrap/pull/10951.
+  outline: 0;
+
+  // When fading in the modal, animate it to slide down
+  &.fade .modal-dialog {
+    @include translate3d(0, -25%, 0);
+    @include transition-transform(0.3s ease-out);
+  }
+  &.in .modal-dialog { @include translate3d(0, 0, 0) }
+}
+.modal-open .modal {
+  overflow-x: hidden;
+  overflow-y: auto;
+}
+
+// Shell div to position the modal with bottom padding
+.modal-dialog {
+  position: relative;
+  width: auto;
+  margin: 52px+10px 10px 10px 10px;
+}
+
+// Actual modal
+.modal-content {
+  position: relative;
+  background-color: $modal-content-bg;
+  border: 1px solid $modal-content-fallback-border-color; //old browsers fallback (ie8 etc)
+  border: 1px solid $modal-content-border-color;
+  border-radius: $border-radius-large;
+  @include box-shadow(0 3px 9px rgba(0,0,0,.5));
+  background-clip: padding-box;
+  // Remove focus outline from opened modal
+  outline: 0;
+}
+
+// Modal background
+.modal-backdrop {
+  position: fixed;
+  top: 0;
+  right: 0;
+  bottom: 0;
+  left: 0;
+  z-index: $zindex-modal-background;
+  background-color: $modal-backdrop-bg;
+  // Fade for backdrop
+  &.fade { @include opacity(0); }
+  &.in { @include opacity($modal-backdrop-opacity); }
+}
+
+// Modal header
+// Top section of the modal w/ title and dismiss
+.modal-header {
+  padding: $modal-title-padding;
+  border-bottom: 1px solid $modal-header-border-color;
+  min-height: ($modal-title-padding + $modal-title-line-height);
+}
+// Close icon
+.modal-header .close {
+  margin-top: -2px;
+}
+
+// Title text within header
+.modal-title {
+  margin: 0;
+  line-height: $modal-title-line-height;
+}
+
+// Modal body
+// Where all modal content resides (sibling of .modal-header and .modal-footer)
+.modal-body {
+  position: relative;
+  padding: $modal-inner-padding;
+}
+
+// Footer (for actions)
+.modal-footer {
+  padding: $modal-inner-padding;
+  text-align: right; // right align buttons
+  border-top: 1px solid $modal-footer-border-color;
+  @include clearfix(); // clear it in case folks use .pull-* classes on buttons
+
+  // Properly space out buttons
+  .btn + .btn {
+    margin-left: 5px;
+    margin-bottom: 0; // account for input[type="submit"] which gets the bottom margin like all other inputs
+  }
+  // but override that for button groups
+  .btn-group .btn + .btn {
+    margin-left: -1px;
+  }
+  // and override it for block buttons as well
+  .btn-block + .btn-block {
+    margin-left: 0;
+  }
+}
+
+// Measure scrollbar width for padding body during modal show/hide
+.modal-scrollbar-measure {
+  position: absolute;
+  top: -9999px;
+  width: 50px;
+  height: 50px;
+  overflow: scroll;
+}
+
+// Scale up the modal
+@media (min-width: $screen-sm-min) {
+  // Automatically set modal's width for larger viewports
+  .modal-dialog {
+    width: $modal-md;
+    margin: 52px+30px auto 30px auto;
+  }
+  .modal-content {
+    @include box-shadow(0 5px 15px rgba(0,0,0,.5));
+  }
+
+  // Modal sizes
+  .modal-sm { width: $modal-sm; }
+}
+
+@media (min-width: $screen-md-min) {
+  .modal-lg { width: $modal-lg; }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_navbar.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_navbar.scss
new file mode 100644
index 0000000000..6cee973c35
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_navbar.scss
@@ -0,0 +1,658 @@
+//
+// Navbars
+// --------------------------------------------------
+
+
+// Wrapper and base class
+//
+// Provide a static navbar from which we expand to create full-width, fixed, and
+// other navbar variations.
+
+.navbar {
+  position: relative;
+  min-height: $navbar-height; // Ensure a navbar always shows (e.g., without a .navbar-brand in collapsed mode)
+  margin-bottom: $navbar-margin-bottom;
+  border: 1px solid transparent;
+
+  // Prevent floats from breaking the navbar
+  @include clearfix();
+
+  @media (min-width: $grid-float-breakpoint) {
+    border-radius: $navbar-border-radius;
+  }
+}
+
+
+// Navbar heading
+//
+// Groups `.navbar-brand` and `.navbar-toggle` into a single component for easy
+// styling of responsive aspects.
+
+.navbar-header {
+  @include clearfix();
+
+  @media (min-width: $grid-float-breakpoint) {
+    float: left;
+  }
+}
+
+
+// Navbar collapse (body)
+//
+// Group your navbar content into this for easy collapsing and expanding across
+// various device sizes. By default, this content is collapsed when <768px, but
+// will expand past that for a horizontal display.
+//
+// To start (on mobile devices) the navbar links, forms, and buttons are stacked
+// vertically and include a `max-height` to overflow in case you have too much
+// content for the user's viewport.
+
+.navbar-collapse {
+  overflow-x: visible;
+  padding-right: $navbar-padding-horizontal;
+  padding-left:  $navbar-padding-horizontal;
+  border-top: 1px solid transparent;
+  box-shadow: inset 0 1px 0 rgba(255,255,255,.1);
+  @include clearfix();
+  -webkit-overflow-scrolling: touch;
+
+  &.in {
+    overflow-y: auto;
+  }
+
+  @media (min-width: $grid-float-breakpoint) {
+    width: auto;
+    border-top: 0;
+    box-shadow: none;
+
+    &.collapse {
+      display: block !important;
+      height: auto !important;
+      padding-bottom: 0; // Override default setting
+      overflow: visible !important;
+    }
+
+    &.in {
+      overflow-y: visible;
+    }
+
+    // Undo the collapse side padding for navbars with containers to ensure
+    // alignment of right-aligned contents.
+    .navbar-fixed-top &,
+    .navbar-static-top &,
+    .navbar-fixed-bottom & {
+      padding-left: 0;
+      padding-right: 0;
+    }
+  }
+}
+
+.navbar-fixed-top,
+.navbar-fixed-bottom {
+  .navbar-collapse {
+    max-height: $navbar-collapse-max-height;
+
+    @media (max-width: $screen-xs-min) and (orientation: landscape) {
+      max-height: 200px;
+    }
+  }
+}
+
+
+// Both navbar header and collapse
+//
+// When a container is present, change the behavior of the header and collapse.
+
+.container,
+.container-fluid {
+  > .navbar-header,
+  > .navbar-collapse {
+    margin-right: -$navbar-padding-horizontal;
+    margin-left:  -$navbar-padding-horizontal;
+
+    @media (min-width: $grid-float-breakpoint) {
+      margin-right: 0;
+      margin-left:  0;
+    }
+  }
+}
+
+
+//
+// Navbar alignment options
+//
+// Display the navbar across the entirety of the page or fixed it to the top or
+// bottom of the page.
+
+// Static top (unfixed, but 100% wide) navbar
+.navbar-static-top {
+  z-index: $zindex-navbar;
+  border-width: 0 0 1px;
+
+  @media (min-width: $grid-float-breakpoint) {
+    border-radius: 0;
+  }
+}
+
+// Fix the top/bottom navbars when screen real estate supports it
+.navbar-fixed-top,
+.navbar-fixed-bottom {
+  position: fixed;
+  right: 0;
+  left: 0;
+  z-index: $zindex-navbar-fixed;
+  @include translate3d(0, 0, 0);
+
+  // Undo the rounded corners
+  @media (min-width: $grid-float-breakpoint) {
+    border-radius: 0;
+  }
+}
+.navbar-fixed-top {
+  top: 0;
+  border-width: 0 0 1px;
+}
+.navbar-fixed-bottom {
+  bottom: 0;
+  margin-bottom: 0; // override .navbar defaults
+  border-width: 1px 0 0;
+}
+
+
+// Brand/project name
+
+.navbar-brand {
+  float: left;
+  padding: $navbar-padding-vertical $navbar-padding-horizontal;
+  font-size: $font-size-large;
+  height: $navbar-height;
+
+  &:hover,
+  &:focus {
+    text-decoration: none;
+  }
+
+  @media (min-width: $grid-float-breakpoint) {
+    .navbar > .container &,
+    .navbar > .container-fluid & {
+      margin-left: -$navbar-padding-horizontal;
+    }
+  }
+}
+
+
+// Navbar toggle
+//
+// Custom button for toggling the `.navbar-collapse`, powered by the collapse
+// JavaScript plugin.
+
+.navbar-toggle {
+  position: relative;
+  float: left;
+  margin-right: $navbar-padding-horizontal;
+  padding: 9px 10px;
+  @include navbar-vertical-align(34px);
+  background-color: transparent;
+  background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214
+  border: 1px solid transparent;
+  border-radius: $border-radius-base;
+
+  // We remove the `outline` here, but later compensate by attaching `:hover`
+  // styles to `:focus`.
+  &:focus {
+    outline: 0;
+  }
+
+  // Bars
+  .icon-bar {
+    display: block;
+    width: 22px;
+    height: 2px;
+    border-radius: 1px;
+  }
+  .icon-bar + .icon-bar {
+    margin-top: 4px;
+  }
+
+  @media (min-width: $grid-float-breakpoint) {
+    display: none;
+  }
+}
+
+
+// Navbar nav links
+//
+// Builds on top of the `.nav` components with its own modifier class to make
+// the nav the full height of the horizontal nav (above 768px).
+
+.navbar-nav {
+  margin: calc($navbar-padding-vertical / 2) (-$navbar-padding-horizontal);
+
+  > li > a {
+    padding-top:    10px;
+    padding-bottom: 10px;
+    line-height: $line-height-computed;
+  }
+
+  @media (max-width: $grid-float-breakpoint-max) {
+    // Dropdowns get custom display when collapsed
+    .open .dropdown-menu {
+      position: static;
+      float: none;
+      width: auto;
+      margin-top: 0;
+      background-color: transparent;
+      border: 0;
+      box-shadow: none;
+      > li > a,
+      .dropdown-header {
+        padding: 5px 15px 5px 25px;
+      }
+      > li > a {
+        line-height: $line-height-computed;
+        &:hover,
+        &:focus {
+          background-image: none;
+        }
+      }
+    }
+  }
+
+  // Uncollapse the nav
+  @media (min-width: $grid-float-breakpoint) {
+    float: left;
+    margin: 0;
+
+    > li {
+      float: left;
+      > a {
+        padding-top:    $navbar-padding-vertical;
+        padding-bottom: $navbar-padding-vertical;
+      }
+    }
+
+    &.navbar-right:last-child {
+      margin-right: -$navbar-padding-horizontal;
+    }
+  }
+}
+
+
+// Component alignment
+//
+// Repurpose the pull utilities as their own navbar utilities to avoid specificity
+// issues with parents and chaining. Only do this when the navbar is uncollapsed
+// though so that navbar contents properly stack and align in mobile.
+
+@media (min-width: $grid-float-breakpoint) {
+  .navbar-left {
+    float: left !important;
+  }
+  .navbar-right {
+    float: right !important;
+  }
+}
+
+
+// Navbar form
+//
+// Extension of the `.form-inline` with some extra flavor for optimum display in
+// our navbars.
+
+.navbar-form {
+  margin-left: -$navbar-padding-horizontal;
+  margin-right: -$navbar-padding-horizontal;
+  padding: 10px 0px;
+  border-top: 1px solid transparent;
+  border-bottom: 1px solid transparent;
+  $shadow: inset 0 1px 0 rgba(255,255,255,.1), 0 1px 0 rgba(255,255,255,.1);
+  @include box-shadow($shadow);
+
+  // Mixin behavior for optimum display
+  @extend .form-inline;
+
+  .form-group {
+    @media (max-width: $grid-float-breakpoint-max) {
+      margin-bottom: 5px;
+    }
+  }
+
+  // Vertically center in expanded, horizontal navbar
+  @include navbar-vertical-align($input-height-base);
+
+  // Undo 100% width for pull classes
+  @media (min-width: $grid-float-breakpoint) {
+    width: auto;
+    border: 0;
+    margin-left: 0;
+    margin-right: 0;
+    padding-top: 0;
+    padding-bottom: 0;
+    @include box-shadow(none);
+
+    // Outdent the form if last child to line up with content down the page
+    &.navbar-right:last-child {
+      margin-right: -$navbar-padding-horizontal;
+    }
+  }
+}
+
+
+// Dropdown menus
+
+// Menu position and menu carets
+.navbar-nav > li > .dropdown-menu {
+  margin-top: 0;
+  @include border-top-radius(0);
+}
+// Menu position and menu caret support for dropups via extra dropup class
+.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
+  @include border-bottom-radius(0);
+}
+
+
+// Buttons in navbars
+//
+// Vertically center a button within a navbar (when *not* in a form).
+
+.navbar-btn {
+  @include navbar-vertical-align($input-height-base);
+
+  &.btn-sm {
+    @include navbar-vertical-align($input-height-small);
+  }
+  &.btn-xs {
+    @include navbar-vertical-align(22px);
+  }
+}
+
+
+// Text in navbars
+//
+// Add a class to make any element properly align itself vertically within the navbars.
+
+.navbar-text {
+  @include navbar-vertical-align($line-height-computed);
+
+  @media (min-width: $grid-float-breakpoint) {
+    float: left;
+    margin-left: $navbar-padding-horizontal;
+    margin-right: $navbar-padding-horizontal;
+
+    // Outdent the form if last child to line up with content down the page
+    &.navbar-right:last-child {
+      margin-right: 0;
+    }
+  }
+}
+
+// Alternate navbars
+// --------------------------------------------------
+
+// Default navbar
+.navbar-default {
+  background-color: $navbar-default-bg;
+  border-color: $navbar-default-border;
+
+  .navbar-brand {
+    color: $navbar-default-brand-color;
+    &:hover,
+    &:focus {
+      color: $navbar-default-brand-hover-color;
+      background-color: $navbar-default-brand-hover-bg;
+    }
+  }
+
+  .navbar-text {
+    color: $navbar-default-color;
+  }
+
+  .navbar-nav {
+    > li > a {
+      color: $navbar-default-link-color;
+
+      &:hover,
+      &:focus {
+        color: $navbar-default-link-hover-color;
+        background-color: $navbar-default-link-hover-bg;
+      }
+    }
+    > .active > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $navbar-default-link-active-color;
+        background-color: $navbar-default-link-active-bg;
+      }
+    }
+    > .disabled > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $navbar-default-link-disabled-color;
+        background-color: $navbar-default-link-disabled-bg;
+      }
+    }
+  }
+
+  .navbar-toggle {
+    border-color: $navbar-default-toggle-border-color;
+    &:hover,
+    &:focus {
+      background-color: $navbar-default-toggle-hover-bg;
+    }
+    .icon-bar {
+      background-color: $navbar-default-toggle-icon-bar-bg;
+    }
+  }
+
+  .navbar-collapse,
+  .navbar-form {
+    border-color: $navbar-default-border;
+  }
+
+  // Dropdown menu items
+  .navbar-nav {
+    // Remove background color from open dropdown
+    > .open > a {
+      &,
+      &:hover,
+      &:focus {
+        background-color: $navbar-default-link-active-bg;
+        color: $navbar-default-link-active-color;
+      }
+    }
+
+    @media (max-width: $grid-float-breakpoint-max) {
+      // Dropdowns get custom display when collapsed
+      .open .dropdown-menu {
+        > li > a {
+          color: $navbar-default-link-color;
+          &:hover,
+          &:focus {
+            color: $navbar-default-link-hover-color;
+            background-color: $navbar-default-link-hover-bg;
+          }
+        }
+        > .active > a {
+          &,
+          &:hover,
+          &:focus {
+            color: $navbar-default-link-active-color;
+            background-color: $navbar-default-link-active-bg;
+          }
+        }
+        > .disabled > a {
+          &,
+          &:hover,
+          &:focus {
+            color: $navbar-default-link-disabled-color;
+            background-color: $navbar-default-link-disabled-bg;
+          }
+        }
+      }
+    }
+  }
+
+
+  // Links in navbars
+  //
+  // Add a class to ensure links outside the navbar nav are colored correctly.
+
+  .navbar-link {
+    color: $navbar-default-link-color;
+    &:hover {
+      color: $navbar-default-link-hover-color;
+    }
+  }
+
+  .btn-link {
+    color: $navbar-default-link-color;
+    &:hover,
+    &:focus {
+      color: $navbar-default-link-hover-color;
+    }
+    &[disabled],
+    fieldset[disabled] & {
+      &:hover,
+      &:focus {
+        color: $navbar-default-link-disabled-color;
+      }
+    }
+  }
+}
+
+// Inverse navbar
+
+.navbar-inverse {
+  background-color: $navbar-inverse-bg;
+  border-color: $navbar-inverse-border;
+
+  .navbar-brand {
+    color: $navbar-inverse-brand-color;
+    &:hover,
+    &:focus {
+      color: $navbar-inverse-brand-hover-color;
+      background-color: $navbar-inverse-brand-hover-bg;
+    }
+  }
+
+  .navbar-text {
+    color: $navbar-inverse-color;
+  }
+
+  .navbar-nav {
+    > li > a {
+      color: $navbar-inverse-link-color;
+
+      &:hover,
+      &:focus {
+        color: $navbar-inverse-link-hover-color;
+        background-color: $navbar-inverse-link-hover-bg;
+      }
+    }
+    > .active > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $navbar-inverse-link-active-color;
+        background-color: $navbar-inverse-link-active-bg;
+      }
+    }
+    > .disabled > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $navbar-inverse-link-disabled-color;
+        background-color: $navbar-inverse-link-disabled-bg;
+      }
+    }
+  }
+
+  // Darken the responsive nav toggle
+  .navbar-toggle {
+    border-color: $navbar-inverse-toggle-border-color;
+    &:hover,
+    &:focus {
+      background-color: $navbar-inverse-toggle-hover-bg;
+    }
+    .icon-bar {
+      background-color: $navbar-inverse-toggle-icon-bar-bg;
+    }
+  }
+
+  .navbar-collapse,
+  .navbar-form {
+    border-color: darken($navbar-inverse-bg, 7%);
+  }
+
+  // Dropdowns
+  .navbar-nav {
+    > .open > a {
+      &,
+      &:hover,
+      &:focus {
+        background-color: $navbar-inverse-link-active-bg;
+        color: $navbar-inverse-link-active-color;
+      }
+    }
+
+    @media (max-width: $grid-float-breakpoint-max) {
+      // Dropdowns get custom display
+      .open .dropdown-menu {
+        > .dropdown-header {
+          border-color: $navbar-inverse-border;
+        }
+        .divider {
+          background-color: $navbar-inverse-border;
+        }
+        > li > a {
+          color: $navbar-inverse-link-color;
+          &:hover,
+          &:focus {
+            color: $navbar-inverse-link-hover-color;
+            background-color: $navbar-inverse-link-hover-bg;
+          }
+        }
+        > .active > a {
+          &,
+          &:hover,
+          &:focus {
+            color: $navbar-inverse-link-active-color;
+            background-color: $navbar-inverse-link-active-bg;
+          }
+        }
+        > .disabled > a {
+          &,
+          &:hover,
+          &:focus {
+            color: $navbar-inverse-link-disabled-color;
+            background-color: $navbar-inverse-link-disabled-bg;
+          }
+        }
+      }
+    }
+  }
+
+  .navbar-link {
+    color: $navbar-inverse-link-color;
+    &:hover {
+      color: $navbar-inverse-link-hover-color;
+    }
+  }
+
+  .btn-link {
+    color: $navbar-inverse-link-color;
+    &:hover,
+    &:focus {
+      color: $navbar-inverse-link-hover-color;
+    }
+    &[disabled],
+    fieldset[disabled] & {
+      &:hover,
+      &:focus {
+        color: $navbar-inverse-link-disabled-color;
+      }
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_navs.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_navs.scss
new file mode 100644
index 0000000000..d9957806ee
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_navs.scss
@@ -0,0 +1,239 @@
+//
+// Navs
+// --------------------------------------------------
+
+
+// Base class
+// --------------------------------------------------
+
+.nav {
+  margin-bottom: 0;
+  padding-left: 0; // Override default ul/ol
+  list-style: none;
+  @include clearfix();
+
+  > li {
+    position: relative;
+    display: block;
+
+    > a {
+      position: relative;
+      display: block;
+      padding: $nav-link-padding;
+      &:hover,
+      &:focus {
+        text-decoration: none;
+        background-color: $nav-link-hover-bg;
+      }
+    }
+
+    // Disabled state sets text to gray and nukes hover/tab effects
+    &.disabled > a {
+      color: $nav-disabled-link-color;
+
+      &:hover,
+      &:focus {
+        color: $nav-disabled-link-hover-color;
+        text-decoration: none;
+        background-color: transparent;
+        cursor: not-allowed;
+      }
+    }
+  }
+
+  // Open dropdowns
+  .open > a {
+    &,
+    &:hover,
+    &:focus {
+      background-color: $nav-link-hover-bg;
+      border-color: $link-color;
+    }
+  }
+
+  // Nav dividers (deprecated with v3.0.1)
+  //
+  // This should have been removed in v3 with the dropping of `.nav-list`, but
+  // we missed it. We don't currently support this anywhere, but in the interest
+  // of maintaining backward compatibility in case you use it, it's deprecated.
+  .nav-divider {
+    @include nav-divider();
+  }
+
+  // Prevent IE8 from misplacing imgs
+  //
+  // See https://github.com/h5bp/html5-boilerplate/issues/984#issuecomment-3985989
+  > li > a > img {
+    max-width: none;
+  }
+}
+
+
+// Tabs
+// -------------------------
+
+// Give the tabs something to sit on
+.nav-tabs {
+  border-bottom: 1px solid $nav-tabs-border-color;
+  > li {
+    float: left;
+    // Make the list-items overlay the bottom border
+    margin-bottom: -1px;
+
+    // Actual tabs (as links)
+    > a {
+      margin-right: 2px;
+      line-height: $line-height-base;
+      border: 1px solid transparent;
+      border-radius: $border-radius-base $border-radius-base 0 0;
+      &:hover {
+        border-color: $nav-tabs-link-hover-border-color $nav-tabs-link-hover-border-color $nav-tabs-border-color;
+      }
+    }
+
+    // Active state, and its :hover to override normal :hover
+    &.active > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $nav-tabs-active-link-hover-color;
+        background-color: $nav-tabs-active-link-hover-bg;
+        border: 1px solid $nav-tabs-active-link-hover-border-color;
+        border-bottom-color: transparent;
+        cursor: default;
+      }
+    }
+  }
+  // pulling this in mainly for less shorthand
+  &.nav-justified {
+    @extend .nav-justified;
+    @extend .nav-tabs-justified;
+  }
+}
+
+
+// Pills
+// -------------------------
+.nav-pills {
+  > li {
+    float: left;
+
+    // Links rendered as pills
+    > a {
+      border-radius: $nav-pills-border-radius;
+    }
+
+    // Active state
+    &.active > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $nav-pills-active-link-hover-color;
+        background-color: $nav-pills-active-link-hover-bg;
+      }
+    }
+  }
+}
+
+
+// Stacked pills
+.nav-stacked {
+  > li {
+    float: none;
+    + li {
+      margin-top: 2px;
+      margin-left: 0; // no need for this gap between nav items
+    }
+  }
+}
+
+
+// Nav variations
+// --------------------------------------------------
+
+// Justified nav links
+// -------------------------
+
+.nav-justified {
+  width: 100%;
+
+  > li {
+    float: none;
+    > a {
+      text-align: left;
+      margin-bottom: 5px;
+    }
+  }
+
+  > .dropdown .dropdown-menu {
+    top: auto;
+    left: auto;
+  }
+
+  @media (min-width: $screen-sm-min) {
+    > li {
+      display: table-cell;
+      width: 1%;
+      > a {
+        margin-bottom: 0;
+      }
+    }
+  }
+}
+
+// Move borders to anchors instead of bottom of list
+//
+// Mixin for adding on top the shared `.nav-justified` styles for our tabs
+.nav-tabs-justified {
+  border-bottom: 0;
+
+  > li > a {
+    // Override margin from .nav-tabs
+    margin-right: 0;
+    border-radius: $border-radius-base;
+  }
+
+  > .active > a,
+  > .active > a:hover,
+  > .active > a:focus {
+    border: 1px solid $nav-tabs-justified-link-border-color;
+  }
+
+  @media (min-width: $screen-sm-min) {
+    > li > a {
+      border-bottom: 1px solid $nav-tabs-justified-link-border-color;
+      border-radius: $border-radius-base $border-radius-base 0 0;
+    }
+    > .active > a,
+    > .active > a:hover,
+    > .active > a:focus {
+      border-bottom-color: $nav-tabs-justified-active-link-border-color;
+    }
+  }
+}
+
+
+// Tabbable tabs
+// -------------------------
+
+// Hide tabbable panes to start, show them when `.active`
+.tab-content {
+  > .tab-pane {
+    display: none;
+  }
+  > .active {
+    display: block;
+  }
+}
+
+
+// Dropdowns
+// -------------------------
+
+// Specific dropdowns
+.nav-tabs .dropdown-menu {
+  // make dropdown border overlap tab border
+  margin-top: -1px;
+  // Remove the top rounded corners here since there is a hard edge above the menu
+  @include border-top-radius(0);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_normalize.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_normalize.scss
new file mode 100644
index 0000000000..ce04b6a2f9
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_normalize.scss
@@ -0,0 +1,425 @@
+/*! normalize.css v3.0.1 | MIT License | git.io/normalize */
+
+//
+// 1. Set default font family to sans-serif.
+// 2. Prevent iOS text size adjust after orientation change, without disabling
+//    user zoom.
+//
+
+html {
+  font-family: sans-serif; // 1
+  -ms-text-size-adjust: 100%; // 2
+  -webkit-text-size-adjust: 100%; // 2
+}
+
+//
+// Remove default margin.
+//
+
+body {
+  margin: 0;
+}
+
+// HTML5 display definitions
+// ==========================================================================
+
+//
+// Correct `block` display not defined for any HTML5 element in IE 8/9.
+// Correct `block` display not defined for `details` or `summary` in IE 10/11 and Firefox.
+// Correct `block` display not defined for `main` in IE 11.
+//
+
+article,
+aside,
+details,
+figcaption,
+figure,
+footer,
+header,
+hgroup,
+main,
+nav,
+section,
+summary {
+  display: block;
+}
+
+//
+// 1. Correct `inline-block` display not defined in IE 8/9.
+// 2. Normalize vertical alignment of `progress` in Chrome, Firefox, and Opera.
+//
+
+audio,
+canvas,
+progress,
+video {
+  display: inline-block; // 1
+  vertical-align: baseline; // 2
+}
+
+//
+// Prevent modern browsers from displaying `audio` without controls.
+// Remove excess height in iOS 5 devices.
+//
+
+audio:not([controls]) {
+  display: none;
+  height: 0;
+}
+
+//
+// Address `[hidden]` styling not present in IE 8/9/10.
+// Hide the `template` element in IE 8/9/11, Safari, and Firefox < 22.
+//
+
+[hidden],
+template {
+  display: none;
+}
+
+// Links
+// ==========================================================================
+
+//
+// Remove the gray background color from active links in IE 10.
+//
+
+a {
+  background: transparent;
+}
+
+//
+// Improve readability when focused and also mouse hovered in all browsers.
+//
+
+a:active,
+a:hover {
+  outline: 0;
+}
+
+// Text-level semantics
+// ==========================================================================
+
+//
+// Address styling not present in IE 8/9/10/11, Safari, and Chrome.
+//
+
+abbr[title] {
+  border-bottom: 1px dotted;
+}
+
+//
+// Address style set to `bolder` in Firefox 4+, Safari, and Chrome.
+//
+
+b,
+strong {
+  font-weight: bold;
+}
+
+//
+// Address styling not present in Safari and Chrome.
+//
+
+dfn {
+  font-style: italic;
+}
+
+//
+// Address variable `h1` font-size and margin within `section` and `article`
+// contexts in Firefox 4+, Safari, and Chrome.
+//
+
+h1 {
+  font-size: 2em;
+  margin: 0.67em 0;
+}
+
+//
+// Address styling not present in IE 8/9.
+//
+
+mark {
+  background: #ff0;
+  color: #000;
+}
+
+//
+// Address inconsistent and variable font size in all browsers.
+//
+
+small {
+  font-size: 80%;
+}
+
+//
+// Prevent `sub` and `sup` affecting `line-height` in all browsers.
+//
+
+sub,
+sup {
+  font-size: 75%;
+  line-height: 0;
+  position: relative;
+  vertical-align: baseline;
+}
+
+sup {
+  top: -0.5em;
+}
+
+sub {
+  bottom: -0.25em;
+}
+
+// Embedded content
+// ==========================================================================
+
+//
+// Remove border when inside `a` element in IE 8/9/10.
+//
+
+img {
+  border: 0;
+}
+
+//
+// Correct overflow not hidden in IE 9/10/11.
+//
+
+svg:not(:root) {
+  overflow: hidden;
+}
+
+// Grouping content
+// ==========================================================================
+
+//
+// Address margin not present in IE 8/9 and Safari.
+//
+
+figure {
+  margin: 1em 40px;
+}
+
+//
+// Address differences between Firefox and other browsers.
+//
+
+hr {
+  -moz-box-sizing: content-box;
+  box-sizing: content-box;
+  height: 0;
+}
+
+//
+// Contain overflow in all browsers.
+//
+
+pre {
+  overflow: auto;
+}
+
+//
+// Address odd `em`-unit font size rendering in all browsers.
+//
+
+code,
+kbd,
+pre,
+samp {
+  font-family: monospace, monospace;
+  font-size: 1em;
+}
+
+// Forms
+// ==========================================================================
+
+//
+// Known limitation: by default, Chrome and Safari on OS X allow very limited
+// styling of `select`, unless a `border` property is set.
+//
+
+//
+// 1. Correct color not being inherited.
+//    Known issue: affects color of disabled elements.
+// 2. Correct font properties not being inherited.
+// 3. Address margins set differently in Firefox 4+, Safari, and Chrome.
+//
+
+button,
+input,
+optgroup,
+select,
+textarea {
+  color: inherit; // 1
+  font: inherit; // 2
+  margin: 0; // 3
+}
+
+//
+// Address `overflow` set to `hidden` in IE 8/9/10/11.
+//
+
+button {
+  overflow: visible;
+}
+
+//
+// Address inconsistent `text-transform` inheritance for `button` and `select`.
+// All other form control elements do not inherit `text-transform` values.
+// Correct `button` style inheritance in Firefox, IE 8/9/10/11, and Opera.
+// Correct `select` style inheritance in Firefox.
+//
+
+button,
+select {
+  text-transform: none;
+}
+
+//
+// 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio`
+//    and `video` controls.
+// 2. Correct inability to style clickable `input` types in iOS.
+// 3. Improve usability and consistency of cursor style between image-type
+//    `input` and others.
+//
+
+button,
+html input[type="button"], // 1
+input[type="reset"],
+input[type="submit"] {
+  -webkit-appearance: button; // 2
+  cursor: pointer; // 3
+}
+
+//
+// Re-set default cursor for disabled elements.
+//
+
+button[disabled],
+html input[disabled] {
+  cursor: default;
+}
+
+//
+// Remove inner padding and border in Firefox 4+.
+//
+
+button::-moz-focus-inner,
+input::-moz-focus-inner {
+  border: 0;
+  padding: 0;
+}
+
+//
+// Address Firefox 4+ setting `line-height` on `input` using `!important` in
+// the UA stylesheet.
+//
+
+input {
+  line-height: normal;
+}
+
+//
+// It's recommended that you don't attempt to style these elements.
+// Firefox's implementation doesn't respect box-sizing, padding, or width.
+//
+// 1. Address box sizing set to `content-box` in IE 8/9/10.
+// 2. Remove excess padding in IE 8/9/10.
+//
+
+input[type="checkbox"],
+input[type="radio"] {
+  box-sizing: border-box; // 1
+  padding: 0; // 2
+}
+
+//
+// Fix the cursor style for Chrome's increment/decrement buttons. For certain
+// `font-size` values of the `input`, it causes the cursor style of the
+// decrement button to change from `default` to `text`.
+//
+
+input[type="number"]::-webkit-inner-spin-button,
+input[type="number"]::-webkit-outer-spin-button {
+  height: auto;
+}
+
+//
+// 1. Address `appearance` set to `searchfield` in Safari and Chrome.
+// 2. Address `box-sizing` set to `border-box` in Safari and Chrome
+//    (include `-moz` to future-proof).
+//
+
+input[type="search"] {
+  -webkit-appearance: textfield; // 1
+  -moz-box-sizing: content-box;
+  -webkit-box-sizing: content-box; // 2
+  box-sizing: content-box;
+}
+
+//
+// Remove inner padding and search cancel button in Safari and Chrome on OS X.
+// Safari (but not Chrome) clips the cancel button when the search input has
+// padding (and `textfield` appearance).
+//
+
+input[type="search"]::-webkit-search-cancel-button,
+input[type="search"]::-webkit-search-decoration {
+  -webkit-appearance: none;
+}
+
+//
+// Define consistent border, margin, and padding.
+//
+
+fieldset {
+  border: 1px solid #c0c0c0;
+  margin: 0 2px;
+  padding: 0.35em 0.625em 0.75em;
+}
+
+//
+// 1. Correct `color` not being inherited in IE 8/9/10/11.
+// 2. Remove padding so people aren't caught out if they zero out fieldsets.
+//
+
+legend {
+  border: 0; // 1
+  padding: 0; // 2
+}
+
+//
+// Remove default vertical scrollbar in IE 8/9/10/11.
+//
+
+textarea {
+  overflow: auto;
+}
+
+//
+// Don't inherit the `font-weight` (applied by a rule above).
+// NOTE: the default cannot safely be changed in Chrome and Safari on OS X.
+//
+
+optgroup {
+  font-weight: bold;
+}
+
+// Tables
+// ==========================================================================
+
+//
+// Remove most spacing between table cells.
+//
+
+table {
+  border-collapse: collapse;
+  border-spacing: 0;
+}
+
+td,
+th {
+  padding: 0;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_pager.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_pager.scss
new file mode 100644
index 0000000000..6531fe6f89
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_pager.scss
@@ -0,0 +1,55 @@
+//
+// Pager pagination
+// --------------------------------------------------
+
+
+.pager {
+  padding-left: 0;
+  margin: $line-height-computed 0;
+  list-style: none;
+  text-align: center;
+  @include clearfix();
+  li {
+    display: inline;
+    > a,
+    > span {
+      display: inline-block;
+      padding: 5px 14px;
+      background-color: $pager-bg;
+      border: 1px solid $pager-border;
+      border-radius: $pager-border-radius;
+    }
+
+    > a:hover,
+    > a:focus {
+      text-decoration: none;
+      background-color: $pager-hover-bg;
+    }
+  }
+
+  .next {
+    > a,
+    > span {
+      float: right;
+    }
+  }
+
+  .previous {
+    > a,
+    > span {
+      float: left;
+    }
+  }
+
+  .disabled {
+    > a,
+    > a:hover,
+    > a:focus,
+    > span {
+      color: $pager-disabled-color;
+      background-color: $pager-bg;
+      cursor: not-allowed;
+    }
+  }
+
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_pagination.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_pagination.scss
new file mode 100644
index 0000000000..44c12226b0
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_pagination.scss
@@ -0,0 +1,88 @@
+//
+// Pagination (multiple pages)
+// --------------------------------------------------
+.pagination {
+  display: inline-block;
+  padding-left: 0;
+  margin: $line-height-computed 0;
+  border-radius: $border-radius-base;
+
+  > li {
+    display: inline; // Remove list-style and block-level defaults
+    > a,
+    > span {
+      position: relative;
+      float: left; // Collapse white-space
+      padding: $padding-base-vertical $padding-base-horizontal;
+      line-height: $line-height-base;
+      text-decoration: none;
+      color: $pagination-color;
+      background-color: $pagination-bg;
+      border: 1px solid $pagination-border;
+      margin-left: -1px;
+    }
+    &:first-child {
+      > a,
+      > span {
+        margin-left: 0;
+        @include border-left-radius($border-radius-base);
+      }
+    }
+    &:last-child {
+      > a,
+      > span {
+        @include border-right-radius($border-radius-base);
+      }
+    }
+  }
+
+  > li > a,
+  > li > span {
+    &:hover,
+    &:focus {
+      color: $pagination-hover-color;
+      background-color: $pagination-hover-bg;
+      border-color: $pagination-hover-border;
+    }
+  }
+
+  > .active > a,
+  > .active > span {
+    &,
+    &:hover,
+    &:focus {
+      z-index: 2;
+      color: $pagination-active-color;
+      background-color: $pagination-active-bg;
+      border-color: $pagination-active-border;
+      cursor: default;
+    }
+  }
+
+  > .disabled {
+    > span,
+    > span:hover,
+    > span:focus,
+    > a,
+    > a:hover,
+    > a:focus {
+      color: $pagination-disabled-color;
+      background-color: $pagination-disabled-bg;
+      border-color: $pagination-disabled-border;
+      cursor: not-allowed;
+    }
+  }
+}
+
+// Sizing
+// --------------------------------------------------
+
+// Large
+.pagination-lg {
+  @include pagination-size($padding-large-vertical, $padding-large-horizontal, $font-size-large, $border-radius-large);
+}
+
+// Small
+.pagination-sm {
+  @include pagination-size($padding-small-vertical, $padding-small-horizontal, $font-size-small, $border-radius-small);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_panels.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_panels.scss
new file mode 100644
index 0000000000..57cdcbc1f1
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_panels.scss
@@ -0,0 +1,243 @@
+//
+// Panels
+// --------------------------------------------------
+
+
+// Base class
+.panel {
+  margin-bottom: $line-height-computed;
+  background-color: $panel-bg;
+  border: 1px solid transparent;
+  border-radius: $panel-border-radius;
+  @include box-shadow(0 1px 1px rgba(0,0,0,.05));
+}
+
+// Panel contents
+.panel-body {
+  padding: $panel-body-padding;
+  @include clearfix();
+}
+
+// Optional heading
+.panel-heading {
+  padding: $panel-heading-padding;
+  border-bottom: 1px solid transparent;
+  @include border-top-radius(($panel-border-radius - 1));
+
+  > .dropdown .dropdown-toggle {
+    color: inherit;
+  }
+}
+
+// Within heading, strip any `h*` tag of its default margins for spacing.
+.panel-title {
+  margin-top: 0;
+  margin-bottom: 0;
+  font-size: ceil(($font-size-base * 1.125));
+  color: inherit;
+
+  > a {
+    color: inherit;
+  }
+}
+
+// Optional footer (stays gray in every modifier class)
+.panel-footer {
+  padding: $panel-footer-padding;
+  background-color: $panel-footer-bg;
+  border-top: 1px solid $panel-inner-border;
+  @include border-bottom-radius(($panel-border-radius - 1));
+}
+
+
+// List groups in panels
+//
+// By default, space out list group content from panel headings to account for
+// any kind of custom content between the two.
+
+.panel {
+  > .list-group {
+    margin-bottom: 0;
+
+    .list-group-item {
+      border-width: 1px 0;
+      border-radius: 0;
+    }
+
+    // Add border top radius for first one
+    &:first-child {
+      .list-group-item:first-child {
+        border-top: 0;
+        @include border-top-radius(($panel-border-radius - 1));
+      }
+    }
+    // Add border bottom radius for last one
+    &:last-child {
+      .list-group-item:last-child {
+        border-bottom: 0;
+        @include border-bottom-radius(($panel-border-radius - 1));
+      }
+    }
+  }
+}
+// Collapse space between when there's no additional content.
+.panel-heading + .list-group {
+  .list-group-item:first-child {
+    border-top-width: 0;
+  }
+}
+.list-group + .panel-footer {
+  border-top-width: 0;
+}
+
+// Tables in panels
+//
+// Place a non-bordered `.table` within a panel (not within a `.panel-body`) and
+// watch it go full width.
+
+.panel {
+  > .table,
+  > .table-responsive > .table,
+  > .panel-collapse > .table {
+    margin-bottom: 0;
+  }
+  // Add border top radius for first one
+  > .table:first-child,
+  > .table-responsive:first-child > .table:first-child {
+    @include border-top-radius(($panel-border-radius - 1));
+
+    > thead:first-child,
+    > tbody:first-child {
+      > tr:first-child {
+        td:first-child,
+        th:first-child {
+          border-top-left-radius: ($panel-border-radius - 1);
+        }
+        td:last-child,
+        th:last-child {
+          border-top-right-radius: ($panel-border-radius - 1);
+        }
+      }
+    }
+  }
+  // Add border bottom radius for last one
+  > .table:last-child,
+  > .table-responsive:last-child > .table:last-child {
+    @include border-bottom-radius(($panel-border-radius - 1));
+
+    > tbody:last-child,
+    > tfoot:last-child {
+      > tr:last-child {
+        td:first-child,
+        th:first-child {
+          border-bottom-left-radius: ($panel-border-radius - 1);
+        }
+        td:last-child,
+        th:last-child {
+          border-bottom-right-radius: ($panel-border-radius - 1);
+        }
+      }
+    }
+  }
+  > .panel-body + .table,
+  > .panel-body + .table-responsive {
+    border-top: 1px solid $table-border-color;
+  }
+  > .table > tbody:first-child > tr:first-child th,
+  > .table > tbody:first-child > tr:first-child td {
+    border-top: 0;
+  }
+  > .table-bordered,
+  > .table-responsive > .table-bordered {
+    border: 0;
+    > thead,
+    > tbody,
+    > tfoot {
+      > tr {
+        > th:first-child,
+        > td:first-child {
+          border-left: 0;
+        }
+        > th:last-child,
+        > td:last-child {
+          border-right: 0;
+        }
+      }
+    }
+    > thead,
+    > tbody {
+      > tr:first-child {
+        > td,
+        > th {
+          border-bottom: 0;
+        }
+      }
+    }
+    > tbody,
+    > tfoot {
+      > tr:last-child {
+        > td,
+        > th {
+          border-bottom: 0;
+        }
+      }
+    }
+  }
+  > .table-responsive {
+    border: 0;
+    margin-bottom: 0;
+  }
+}
+
+
+// Collapsable panels (aka, accordion)
+//
+// Wrap a series of panels in `.panel-group` to turn them into an accordion with
+// the help of our collapse JavaScript plugin.
+
+.panel-group {
+  margin-bottom: $line-height-computed;
+
+  // Tighten up margin so it's only between panels
+  .panel {
+    margin-bottom: 0;
+    border-radius: $panel-border-radius;
+    + .panel {
+      margin-top: 5px;
+    }
+  }
+
+  .panel-heading {
+    border-bottom: 0;
+    + .panel-collapse > .panel-body {
+      border-top: 1px solid $panel-inner-border;
+    }
+  }
+  .panel-footer {
+    border-top: 0;
+    + .panel-collapse .panel-body {
+      border-bottom: 1px solid $panel-inner-border;
+    }
+  }
+}
+
+
+// Contextual variations
+.panel-default {
+  @include panel-variant($panel-default-border, $panel-default-text, $panel-default-heading-bg, $panel-default-border);
+}
+.panel-primary {
+  @include panel-variant($panel-primary-border, $panel-primary-text, $panel-primary-heading-bg, $panel-primary-border);
+}
+.panel-success {
+  @include panel-variant($panel-success-border, $panel-success-text, $panel-success-heading-bg, $panel-success-border);
+}
+.panel-info {
+  @include panel-variant($panel-info-border, $panel-info-text, $panel-info-heading-bg, $panel-info-border);
+}
+.panel-warning {
+  @include panel-variant($panel-warning-border, $panel-warning-text, $panel-warning-heading-bg, $panel-warning-border);
+}
+.panel-danger {
+  @include panel-variant($panel-danger-border, $panel-danger-text, $panel-danger-heading-bg, $panel-danger-border);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_popovers.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_popovers.scss
new file mode 100644
index 0000000000..1cf27aed55
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_popovers.scss
@@ -0,0 +1,133 @@
+//
+// Popovers
+// --------------------------------------------------
+
+
+.popover {
+  position: absolute;
+  top: 0;
+  left: 0;
+  z-index: $zindex-popover;
+  display: none;
+  max-width: $popover-max-width;
+  padding: 1px;
+  text-align: left; // Reset given new insertion method
+  background-color: $popover-bg;
+  background-clip: padding-box;
+  border: 1px solid $popover-fallback-border-color;
+  border: 1px solid $popover-border-color;
+  border-radius: $border-radius-large;
+  @include box-shadow(0 5px 10px rgba(0,0,0,.2));
+
+  // Overrides for proper insertion
+  white-space: normal;
+
+  // Offset the popover to account for the popover arrow
+  &.top     { margin-top: -$popover-arrow-width; }
+  &.right   { margin-left: $popover-arrow-width; }
+  &.bottom  { margin-top: $popover-arrow-width; }
+  &.left    { margin-left: -$popover-arrow-width; }
+}
+
+.popover-title {
+  margin: 0; // reset heading margin
+  padding: 8px 14px;
+  font-size: $font-size-base;
+  font-weight: normal;
+  line-height: 18px;
+  background-color: $popover-title-bg;
+  border-bottom: 1px solid darken($popover-title-bg, 5%);
+  border-radius: ($border-radius-large - 1) ($border-radius-large - 1) 0 0;
+}
+
+.popover-content {
+  padding: 9px 14px;
+}
+
+// Arrows
+//
+// .arrow is outer, .arrow:after is inner
+
+.popover > .arrow {
+  &,
+  &:after {
+    position: absolute;
+    display: block;
+    width: 0;
+    height: 0;
+    border-color: transparent;
+    border-style: solid;
+  }
+}
+.popover > .arrow {
+  border-width: $popover-arrow-outer-width;
+}
+.popover > .arrow:after {
+  border-width: $popover-arrow-width;
+  content: "";
+}
+
+.popover {
+  &.top > .arrow {
+    left: 50%;
+    margin-left: -$popover-arrow-outer-width;
+    border-bottom-width: 0;
+    border-top-color: $popover-arrow-outer-fallback-color; // IE8 fallback
+    border-top-color: $popover-arrow-outer-color;
+    bottom: -$popover-arrow-outer-width;
+    &:after {
+      content: " ";
+      bottom: 1px;
+      margin-left: -$popover-arrow-width;
+      border-bottom-width: 0;
+      border-top-color: $popover-arrow-color;
+    }
+  }
+  &.right > .arrow {
+    top: 50%;
+    left: -$popover-arrow-outer-width;
+    margin-top: -$popover-arrow-outer-width;
+    border-left-width: 0;
+    border-right-color: $popover-arrow-outer-fallback-color; // IE8 fallback
+    border-right-color: $popover-arrow-outer-color;
+    &:after {
+      content: " ";
+      left: 1px;
+      bottom: -$popover-arrow-width;
+      border-left-width: 0;
+      border-right-color: $popover-arrow-color;
+    }
+  }
+  &.bottom > .arrow {
+    left: 50%;
+    margin-left: -$popover-arrow-outer-width;
+    border-top-width: 0;
+    border-bottom-color: $popover-arrow-outer-fallback-color; // IE8 fallback
+    border-bottom-color: $popover-arrow-outer-color;
+    top: -$popover-arrow-outer-width;
+    &:after {
+      content: " ";
+      top: 1px;
+      margin-left: -$popover-arrow-width;
+      border-top-width: 0;
+      border-bottom-color: $popover-arrow-color;
+    }
+  }
+
+  &.left > .arrow {
+    top: 50%;
+    right: -$popover-arrow-outer-width;
+    margin-top: -$popover-arrow-outer-width;
+    border-right-width: 0;
+    border-left-color: $popover-arrow-outer-fallback-color; // IE8 fallback
+    border-left-color: $popover-arrow-outer-color;
+    &:after {
+      content: " ";
+      right: 1px;
+      border-right-width: 0;
+      border-left-color: $popover-arrow-color;
+      bottom: -$popover-arrow-width;
+    }
+  }
+
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_print.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_print.scss
new file mode 100644
index 0000000000..3655d03953
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_print.scss
@@ -0,0 +1,101 @@
+//
+// Basic print styles
+// --------------------------------------------------
+// Source: https://github.com/h5bp/html5-boilerplate/blob/master/css/main.css
+
+@media print {
+
+  * {
+    text-shadow: none !important;
+    color: #000 !important; // Black prints faster: h5bp.com/s
+    background: transparent !important;
+    box-shadow: none !important;
+  }
+
+  a,
+  a:visited {
+    text-decoration: underline;
+  }
+
+  a[href]:after {
+    content: " (" attr(href) ")";
+  }
+
+  abbr[title]:after {
+    content: " (" attr(title) ")";
+  }
+
+  // Don't show links for images, or javascript/internal links
+  a[href^="javascript:"]:after,
+  a[href^="#"]:after {
+    content: "";
+  }
+
+  pre,
+  blockquote {
+    border: 1px solid #999;
+    page-break-inside: avoid;
+  }
+
+  thead {
+    display: table-header-group; // h5bp.com/t
+  }
+
+  tr,
+  img {
+    page-break-inside: avoid;
+  }
+
+  img {
+    max-width: 100% !important;
+  }
+
+  p,
+  h2,
+  h3 {
+    orphans: 3;
+    widows: 3;
+  }
+
+  h2,
+  h3 {
+    page-break-after: avoid;
+  }
+
+  // Chrome (OSX) fix for https://github.com/twbs/bootstrap/issues/11245
+  // Once fixed, we can just straight up remove this.
+  select {
+    background: #fff !important;
+  }
+
+  // Bootstrap components
+  .navbar {
+    display: none;
+  }
+  .table {
+    td,
+    th {
+      background-color: #fff !important;
+    }
+  }
+  .btn,
+  .dropup > .btn {
+    > .caret {
+      border-top-color: #000 !important;
+    }
+  }
+  .label {
+    border: 1px solid #000;
+  }
+
+  .table {
+    border-collapse: collapse !important;
+  }
+  .table-bordered {
+    th,
+    td {
+      border: 1px solid #ddd !important;
+    }
+  }
+
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_progress-bars.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_progress-bars.scss
new file mode 100644
index 0000000000..a656795773
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_progress-bars.scss
@@ -0,0 +1,107 @@
+//
+// Progress bars
+// --------------------------------------------------
+
+
+// Bar animations
+// -------------------------
+
+// WebKit
+@-webkit-keyframes progress-bar-stripes {
+  from  { background-position: 40px 0; }
+  to    { background-position: 0 0; }
+}
+
+// Spec and IE10+
+@keyframes progress-bar-stripes {
+  from  { background-position: 40px 0; }
+  to    { background-position: 0 0; }
+}
+
+
+
+// Bar itself
+// -------------------------
+
+// Outer container
+.progress {
+  overflow: hidden;
+  height: $line-height-computed;
+  background-color: $progress-bg;
+  border-radius: $border-radius-base;
+  position: relative;
+  @include box-shadow(inset 0 1px 2px rgba(0,0,0,.1));
+}
+
+// Bar of progress
+.progress-bar {
+  float: left;
+  width: 0%;
+  height: 100%;
+  font-size: $font-size-small;
+  line-height: $line-height-computed;
+  color: $progress-bar-color;
+  text-align: center;
+  background-color: $progress-bar-bg;
+  position: relative;
+  z-index: 2;
+  @include box-shadow(inset 0 -1px 0 rgba(0,0,0,.15));
+  @include transition(width .6s ease);
+}
+
+// Striped bars
+//
+// `.progress-striped .progress-bar` is deprecated as of v3.2.0 in favor of the
+// `.progress-bar-striped` class, which you just add to an existing
+// `.progress-bar`.
+.progress-striped .progress-bar,
+.progress-bar-striped {
+  @include gradient-striped();
+  background-size: 40px 40px;
+}
+
+// Call animation for the active one
+//
+// `.progress.active .progress-bar` is deprecated as of v3.2.0 in favor of the
+// `.progress-bar.active` approach.
+.progress.active .progress-bar,
+.progress-bar.active {
+  @include animation(progress-bar-stripes 2s linear infinite);
+}
+
+// Account for lower percentages
+.progress-bar {
+  &[aria-valuenow="1"],
+  &[aria-valuenow="2"] {
+    min-width: 30px;
+  }
+
+  &[aria-valuenow="0"] {
+    color: $gray-light;
+    min-width: 30px;
+    background-color: transparent;
+    background-image: none;
+    box-shadow: none;
+  }
+}
+
+
+
+// Variations
+// -------------------------
+
+.progress-bar-success {
+  @include progress-bar-variant($progress-bar-success-bg);
+}
+
+.progress-bar-info {
+  @include progress-bar-variant($progress-bar-info-bg);
+}
+
+.progress-bar-warning {
+  @include progress-bar-variant($progress-bar-warning-bg);
+}
+
+.progress-bar-danger {
+  @include progress-bar-variant($progress-bar-danger-bg);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_responsive-embed.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_responsive-embed.scss
new file mode 100644
index 0000000000..a884d49fed
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_responsive-embed.scss
@@ -0,0 +1,34 @@
+// Embeds responsive
+//
+// Credit: Nicolas Gallagher and SUIT CSS.
+
+.embed-responsive {
+  position: relative;
+  display: block;
+  height: 0;
+  padding: 0;
+  overflow: hidden;
+
+  .embed-responsive-item,
+  iframe,
+  embed,
+  object {
+    position: absolute;
+    top: 0;
+    left: 0;
+    bottom: 0;
+    height: 100%;
+    width: 100%;
+    border: 0;
+  }
+
+  // Modifier class for 16:9 aspect ratio
+  &.embed-responsive-16by9 {
+    padding-bottom: 56.25%;
+  }
+
+  // Modifier class for 4:3 aspect ratio
+  &.embed-responsive-4by3 {
+    padding-bottom: 75%;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_responsive-utilities.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_responsive-utilities.scss
new file mode 100644
index 0000000000..7cd861bf11
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_responsive-utilities.scss
@@ -0,0 +1,180 @@
+//
+// Responsive: Utility classes
+// --------------------------------------------------
+
+
+// IE10 in Windows (Phone) 8
+//
+// Support for responsive views via media queries is kind of borked in IE10, for
+// Surface/desktop in split view and for Windows Phone 8. This particular fix
+// must be accompanied by a snippet of JavaScript to sniff the user agent and
+// apply some conditional CSS to *only* the Surface/desktop Windows 8. Look at
+// our Getting Started page for more information on this bug.
+//
+// For more information, see the following:
+//
+// Issue: https://github.com/twbs/bootstrap/issues/10497
+// Docs: http://getbootstrap.com/getting-started/#support-ie10-width
+// Source: http://timkadlec.com/2013/01/windows-phone-8-and-device-width/
+// Source: http://timkadlec.com/2012/10/ie10-snap-mode-and-responsive-design/
+
+@-ms-viewport {
+  width: device-width;
+}
+
+
+// Visibility utilities
+// Note: Deprecated .visible-xs, .visible-sm, .visible-md, and .visible-lg as of v3.2.0
+
+@include responsive-invisibility('.visible-xs, .visible-sm, .visible-md, .visible-lg');
+
+.visible-xs-block,
+.visible-xs-inline,
+.visible-xs-inline-block,
+.visible-sm-block,
+.visible-sm-inline,
+.visible-sm-inline-block,
+.visible-md-block,
+.visible-md-inline,
+.visible-md-inline-block,
+.visible-lg-block,
+.visible-lg-inline,
+.visible-lg-inline-block {
+  display: none !important;
+}
+
+@media (max-width: $screen-xs-max) {
+  @include responsive-visibility('.visible-xs');
+}
+.visible-xs-block {
+  @media (max-width: $screen-xs-max) {
+    display: block !important;
+  }
+}
+.visible-xs-inline {
+  @media (max-width: $screen-xs-max) {
+    display: inline !important;
+  }
+}
+.visible-xs-inline-block {
+  @media (max-width: $screen-xs-max) {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+  @include responsive-visibility('.visible-sm');
+}
+.visible-sm-block {
+  @media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+    display: block !important;
+  }
+}
+.visible-sm-inline {
+  @media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+    display: inline !important;
+  }
+}
+.visible-sm-inline-block {
+  @media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+  @include responsive-visibility('.visible-md');
+}
+.visible-md-block {
+  @media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+    display: block !important;
+  }
+}
+.visible-md-inline {
+  @media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+    display: inline !important;
+  }
+}
+.visible-md-inline-block {
+  @media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: $screen-lg-min) {
+  @include responsive-visibility('.visible-lg');
+}
+.visible-lg-block {
+  @media (min-width: $screen-lg-min) {
+    display: block !important;
+  }
+}
+.visible-lg-inline {
+  @media (min-width: $screen-lg-min) {
+    display: inline !important;
+  }
+}
+.visible-lg-inline-block {
+  @media (min-width: $screen-lg-min) {
+    display: inline-block !important;
+  }
+}
+
+@media (max-width: $screen-xs-max) {
+  @include responsive-invisibility('.hidden-xs');
+}
+
+@media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+  @include responsive-invisibility('.hidden-sm');
+}
+
+@media (max-width: 768px), (max-height: 669px) {
+  .toggle-sidebar {
+    display: none !important;
+  }
+}
+
+@media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+  @include responsive-invisibility('.hidden-md');
+}
+
+@media (min-width: $screen-lg-min) {
+  @include responsive-invisibility('.hidden-lg');
+}
+
+
+// Print utilities
+//
+// Media queries are placed on the inside to be mixin-friendly.
+
+// Note: Deprecated .visible-print as of v3.2.0
+
+@include responsive-invisibility('.visible-print');
+
+@media print {
+  @include responsive-visibility('.visible-print');
+}
+.visible-print-block {
+  display: none !important;
+
+  @media print {
+    display: block !important;
+  }
+}
+.visible-print-inline {
+  display: none !important;
+
+  @media print {
+    display: inline !important;
+  }
+}
+.visible-print-inline-block {
+  display: none !important;
+
+  @media print {
+    display: inline-block !important;
+  }
+}
+
+@media print {
+  @include responsive-invisibility('.hidden-print');
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_scaffolding.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_scaffolding.scss
new file mode 100644
index 0000000000..8cea4cdc3f
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_scaffolding.scss
@@ -0,0 +1,150 @@
+//
+// Scaffolding
+// --------------------------------------------------
+
+
+// Reset the box-sizing
+//
+// Heads up! This reset may cause conflicts with some third-party widgets.
+// For recommendations on resolving such conflicts, see
+// http://getbootstrap.com/getting-started/#third-box-sizing
+* {
+  @include box-sizing(border-box);
+}
+*:before,
+*:after {
+  @include box-sizing(border-box);
+}
+
+
+// Body reset
+
+html {
+  font-size: 10px;
+  -webkit-tap-highlight-color: rgba(0,0,0,0);
+}
+
+body {
+  font-family: $font-family-base;
+  font-size: $font-size-base;
+  line-height: $line-height-base;
+  color: $text-color;
+  background-color: $body-bg;
+}
+
+// Reset fonts for relevant elements
+input,
+button,
+select,
+textarea {
+  font-family: inherit;
+  font-size: inherit;
+  line-height: inherit;
+}
+
+
+// Links
+
+a {
+  color: $link-color;
+  text-decoration: none;
+
+  &:hover,
+  &:focus {
+    color: $link-hover-color;
+    text-decoration: underline;
+  }
+
+  &:focus {
+    @include tab-focus();
+  }
+}
+
+
+// Figures
+//
+// We reset this here because previously Normalize had no `figure` margins. This
+// ensures we don't break anyone's use of the element.
+
+figure {
+  margin: 0;
+}
+
+
+// Images
+
+img {
+  vertical-align: middle;
+}
+
+// Responsive images (ensure images don't scale beyond their parents)
+.img-responsive {
+  @include img-responsive();
+}
+
+// Rounded corners
+.img-rounded {
+  border-radius: $border-radius-large;
+}
+
+// Image thumbnails
+//
+// Heads up! This is mixin-ed into thumbnails.less for `.thumbnail`.
+.img-thumbnail {
+  padding: $thumbnail-padding;
+  line-height: $line-height-base;
+  background-color: $thumbnail-bg;
+  border: 1px solid $thumbnail-border;
+  border-radius: $thumbnail-border-radius;
+  @include transition(all .2s ease-in-out);
+
+  // Keep them at most 100% wide
+  @include img-responsive(inline-block);
+}
+
+// Perfect circle
+.img-circle {
+  border-radius: 50%; // set radius in percents
+}
+
+
+// Horizontal rules
+
+hr {
+  margin-top:    $line-height-computed;
+  margin-bottom: $line-height-computed;
+  border: 0;
+  border-top: 1px solid $hr-border;
+}
+
+
+// Only display content to screen readers
+//
+// See: http://a11yproject.com/posts/how-to-hide-content/
+
+.sr-only {
+  position: absolute;
+  width: 1px;
+  height: 1px;
+  margin: -1px;
+  padding: 0;
+  overflow: hidden;
+  clip: rect(0,0,0,0);
+  border: 0;
+}
+
+// Use in conjunction with .sr-only to only display content when it's focused.
+// Useful for "Skip to main content" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1
+// Credit: HTML5 Boilerplate
+
+.sr-only-focusable {
+  &:active,
+  &:focus {
+    position: static;
+    width: auto;
+    height: auto;
+    margin: 0;
+    overflow: visible;
+    clip: auto;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
new file mode 100644
index 0000000000..2e5f9a51dc
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
@@ -0,0 +1,236 @@
+//
+// Tables
+// --------------------------------------------------
+
+
+table {
+  background-color: $table-bg;
+  color: #444;
+}
+th {
+  text-align: left;
+}
+
+
+// Baseline styles
+
+.table {
+  width: 100%;
+  max-width: 100%;
+  margin-bottom: $line-height-computed;
+  // Cells
+  > thead,
+  > tbody,
+  > tfoot {
+    > tr {
+      > th,
+      > td {
+        padding: $table-cell-padding;
+        line-height: $line-height-base;
+        vertical-align: top;
+        border-top: 1px solid $table-border-color;
+      }
+    }
+  }
+  // Bottom align for column headings
+  > thead > tr > th {
+    vertical-align: bottom;
+    border-bottom: 1px solid $table-border-color;
+  }
+  // Remove top border from thead by default
+  > caption + thead,
+  > colgroup + thead,
+  > thead:first-child {
+    > tr:first-child {
+      > th,
+      > td {
+        border-top: 0;
+        font-family: 'Inter';
+        font-weight: normal;
+      }
+    }
+  }
+  // Account for multiple tbody instances
+  > tbody + tbody {
+    border-top: 2px solid $table-border-color;
+  }
+
+  // Nesting
+  .table {
+    background-color: $body-bg;
+  }
+}
+
+
+// Condensed table w/ half padding
+
+.table-condensed {
+  > thead,
+  > tbody,
+  > tfoot {
+    > tr {
+      > th,
+      > td {
+        padding: $table-condensed-cell-padding;
+      }
+    }
+  }
+}
+
+
+// Bordered version
+//
+// Add borders all around the table and between all the columns.
+
+.table-bordered {
+  border: 1px solid $table-border-color;
+  > thead,
+  > tbody,
+  > tfoot {
+    > tr {
+      > th,
+      > td {
+        border: 1px solid $table-border-color;
+      }
+    }
+  }
+  > thead > tr {
+    > th,
+    > td {
+      border-bottom-width: 2px;
+    }
+  }
+}
+
+
+// Zebra-striping
+//
+// Default zebra-stripe styles (alternating gray and transparent backgrounds)
+
+.table-striped {
+  > tbody > tr:nth-child(odd) {
+    > td,
+    > th {
+      background-color: $table-bg-accent;
+    }
+  }
+}
+
+
+// Hover effect
+//
+// Placed here since it has to come after the potential zebra striping
+
+.table-hover {
+  > tbody > tr:hover {
+    > td,
+    > th {
+      background-color: $table-bg-hover;
+    }
+  }
+}
+
+
+// Table cell sizing
+//
+// Reset default table behavior
+
+table col[class*="col-"] {
+  position: static; // Prevent border hiding in Firefox and IE9/10 (see https://github.com/twbs/bootstrap/issues/11623)
+  float: none;
+  display: table-column;
+}
+table {
+  td,
+  th {
+    &[class*="col-"] {
+      position: static; // Prevent border hiding in Firefox and IE9/10 (see https://github.com/twbs/bootstrap/issues/11623)
+      float: none;
+      display: table-cell;
+    }
+  }
+}
+
+
+// Table backgrounds
+//
+// Exact selectors below required to override `.table-striped` and prevent
+// inheritance to nested tables.
+
+// Generate the contextual variants
+@include table-row-variant('active', $table-bg-active);
+@include table-row-variant('success', $state-success-bg);
+@include table-row-variant('info', $state-info-bg);
+@include table-row-variant('warning', $state-warning-bg);
+@include table-row-variant('danger', $state-danger-bg);
+
+
+// Responsive tables
+//
+// Wrap your tables in `.table-responsive` and we'll make them mobile friendly
+// by enabling horizontal scrolling. Only applies <768px. Everything above that
+// will display normally.
+
+.table-responsive {
+  @media screen and (max-width: $screen-xs-max) {
+    width: 100%;
+    margin-bottom: ($line-height-computed * 0.75);
+    overflow-y: hidden;
+    overflow-x: auto;
+    -ms-overflow-style: -ms-autohiding-scrollbar;
+/*     border: 1px solid $table-border-color; */
+    -webkit-overflow-scrolling: touch;
+
+    // Tighten up spacing
+    > .table {
+      margin-bottom: 0;
+
+      // Ensure the content doesn't wrap
+      > thead,
+      > tbody,
+      > tfoot {
+        > tr {
+          > th,
+          > td {
+            white-space: nowrap;
+          }
+        }
+      }
+    }
+
+    // Special overrides for the bordered tables
+    > .table-bordered {
+      border: 0;
+
+      // Nuke the appropriate borders so that the parent can handle them
+      > thead,
+      > tbody,
+      > tfoot {
+        > tr {
+          > th:first-child,
+          > td:first-child {
+            border-left: 0;
+          }
+          > th:last-child,
+          > td:last-child {
+            border-right: 0;
+          }
+        }
+      }
+
+      // Only nuke the last row's bottom-border in `tbody` and `tfoot` since
+      // chances are there will be only one `tr` in a `thead` and that would
+      // remove the border altogether.
+      > tbody,
+      > tfoot {
+        > tr:last-child {
+          > th,
+          > td {
+            border-bottom: 0;
+          }
+        }
+      }
+
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_theme.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_theme.scss
new file mode 100644
index 0000000000..00386a2881
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_theme.scss
@@ -0,0 +1,258 @@
+
+//
+// Load core variables and mixins
+// --------------------------------------------------
+
+@import "variables";
+@import "mixins";
+
+
+
+//
+// Buttons
+// --------------------------------------------------
+
+// Common styles
+.btn-default,
+.btn-primary,
+.btn-success,
+.btn-info,
+.btn-warning,
+.btn-danger {
+  text-shadow: 0 -1px 0 rgba(0,0,0,.2);
+  $shadow: inset 0 1px 0 rgba(255,255,255,.15), 0 1px 1px rgba(0,0,0,.075);
+  @include box-shadow($shadow);
+
+  // Reset the shadow
+  &:active,
+  &.active {
+    @include box-shadow(inset 0 3px 5px rgba(0,0,0,.125));
+  }
+}
+
+// Mixin for generating new styles
+@mixin btn-styles($btn-color: #555) {
+  @include gradient-vertical($start-color: $btn-color, $end-color: darken($btn-color, 12%));
+  @include reset-filter(); // Disable gradients for IE9 because filter bleeds through rounded corners
+  background-repeat: repeat-x;
+  border-color: darken($btn-color, 14%);
+
+  &:hover,
+  &:focus  {
+    background-color: darken($btn-color, 12%);
+    background-position: 0 -15px;
+  }
+
+  &:active,
+  &.active {
+    background-color: darken($btn-color, 12%);
+    border-color: darken($btn-color, 14%);
+  }
+
+  &:disabled,
+  &[disabled] {
+    background-color: darken($btn-color, 12%);
+    background-image: none;
+  }
+}
+
+// Common styles
+.btn {
+  // Remove the gradient for the pressed/active state
+  &:active,
+  &.active {
+    background-image: none;
+  }
+}
+
+// Apply the mixin to the buttons
+.btn-default { @include btn-styles($btn-default-bg); text-shadow: 0 1px 0 #fff; border-color: #ccc; }
+.btn-primary { @include btn-styles($btn-primary-bg); }
+.btn-success { @include btn-styles($btn-success-bg); }
+.btn-info    { @include btn-styles($btn-info-bg); }
+.btn-warning { @include btn-styles($btn-warning-bg); }
+.btn-danger  { @include btn-styles($btn-danger-bg); }
+
+
+
+//
+// Images
+// --------------------------------------------------
+
+.thumbnail,
+.img-thumbnail {
+  @include box-shadow(0 1px 2px rgba(0,0,0,.075));
+}
+
+
+
+//
+// Dropdowns
+// --------------------------------------------------
+
+.dropdown-menu > li > a:hover,
+.dropdown-menu > li > a:focus {
+  @include gradient-vertical($start-color: $dropdown-link-hover-bg, $end-color: darken($dropdown-link-hover-bg, 5%));
+  background-color: darken($dropdown-link-hover-bg, 5%);
+}
+.dropdown-menu > .active > a,
+.dropdown-menu > .active > a:hover,
+.dropdown-menu > .active > a:focus {
+  @include gradient-vertical($start-color: $dropdown-link-active-bg, $end-color: darken($dropdown-link-active-bg, 5%));
+  background-color: darken($dropdown-link-active-bg, 5%);
+}
+
+
+
+//
+// Navbar
+// --------------------------------------------------
+
+// Default navbar
+.navbar-default {
+  @include gradient-vertical($start-color: lighten($navbar-default-bg, 10%), $end-color: $navbar-default-bg);
+  @include reset-filter(); // Remove gradient in IE<10 to fix bug where dropdowns don't get triggered
+  border-radius: $navbar-border-radius;
+  $shadow: inset 0 1px 0 rgba(255,255,255,.15), 0 1px 5px rgba(0,0,0,.075);
+  @include box-shadow($shadow);
+
+  .navbar-nav > .active > a {
+    @include gradient-vertical($start-color: darken($navbar-default-bg, 5%), $end-color: darken($navbar-default-bg, 2%));
+    @include box-shadow(inset 0 3px 9px rgba(0,0,0,.075));
+  }
+}
+.navbar-brand,
+.navbar-nav > li > a {
+  text-shadow: 0 1px 0 rgba(255,255,255,.25);
+}
+
+// Inverted navbar
+.navbar-inverse {
+  @include gradient-vertical($start-color: lighten($navbar-inverse-bg, 10%), $end-color: $navbar-inverse-bg);
+  @include reset-filter(); // Remove gradient in IE<10 to fix bug where dropdowns don't get triggered
+
+  .navbar-nav > .active > a {
+    @include gradient-vertical($start-color: $navbar-inverse-bg, $end-color: lighten($navbar-inverse-bg, 2.5%));
+    @include box-shadow(inset 0 3px 9px rgba(0,0,0,.25));
+  }
+
+  .navbar-brand,
+  .navbar-nav > li > a {
+    text-shadow: 0 -1px 0 rgba(0,0,0,.25);
+  }
+}
+
+// Undo rounded corners in static and fixed navbars
+.navbar-static-top,
+.navbar-fixed-top,
+.navbar-fixed-bottom {
+  border-radius: 0;
+}
+
+
+
+//
+// Alerts
+// --------------------------------------------------
+
+// Common styles
+.alert {
+  text-shadow: 0 1px 0 rgba(255,255,255,.2);
+  $shadow: inset 0 1px 0 rgba(255,255,255,.25), 0 1px 2px rgba(0,0,0,.05);
+  @include box-shadow($shadow);
+}
+
+// Mixin for generating new styles
+@mixin alert-styles($color) {
+  @include gradient-vertical($start-color: $color, $end-color: darken($color, 7.5%));
+  border-color: darken($color, 15%);
+}
+
+// Apply the mixin to the alerts
+.alert-success    { @include alert-styles($alert-success-bg); }
+.alert-info       { @include alert-styles($alert-info-bg); }
+.alert-warning    { @include alert-styles($alert-warning-bg); }
+.alert-danger     { @include alert-styles($alert-danger-bg); }
+
+
+
+//
+// Progress bars
+// --------------------------------------------------
+
+// Give the progress background some depth
+.progress {
+  @include gradient-vertical($start-color: darken($progress-bg, 4%), $end-color: $progress-bg)
+}
+
+// Mixin for generating new styles
+@mixin progress-bar-styles($color) {
+  @include gradient-vertical($start-color: $color, $end-color: darken($color, 10%));
+}
+
+// Apply the mixin to the progress bars
+.progress-bar            { @include progress-bar-styles($progress-bar-bg); }
+.progress-bar-success    { @include progress-bar-styles($progress-bar-success-bg); }
+.progress-bar-info       { @include progress-bar-styles($progress-bar-info-bg); }
+.progress-bar-warning    { @include progress-bar-styles($progress-bar-warning-bg); }
+.progress-bar-danger     { @include progress-bar-styles($progress-bar-danger-bg); }
+
+// Reset the striped class because our mixins don't do multiple gradients and
+// the above custom styles override the new `.progress-bar-striped` in v3.2.0.
+.progress-bar-striped {
+  @include gradient-striped();
+}
+
+
+//
+// List groups
+// --------------------------------------------------
+
+.list-group {
+  border-radius: $border-radius-base;
+  @include box-shadow(0 1px 2px rgba(0,0,0,.075));
+}
+.list-group-item.active,
+.list-group-item.active:hover,
+.list-group-item.active:focus {
+  text-shadow: 0 -1px 0 darken($list-group-active-bg, 10%);
+  @include gradient-vertical($start-color: $list-group-active-bg, $end-color: darken($list-group-active-bg, 7.5%));
+  border-color: darken($list-group-active-border, 7.5%);
+}
+
+
+
+//
+// Panels
+// --------------------------------------------------
+
+// Common styles
+.panel {
+  @include box-shadow(0 1px 2px rgba(0,0,0,.05));
+}
+
+// Mixin for generating new styles
+@mixin panel-heading-styles($color) {
+  @include gradient-vertical($start-color: $color, $end-color: darken($color, 5%));
+}
+
+// Apply the mixin to the panel headings only
+.panel-default > .panel-heading   { @include panel-heading-styles($panel-default-heading-bg); }
+.panel-primary > .panel-heading   { @include panel-heading-styles($panel-primary-heading-bg); }
+.panel-success > .panel-heading   { @include panel-heading-styles($panel-success-heading-bg); }
+.panel-info > .panel-heading      { @include panel-heading-styles($panel-info-heading-bg); }
+.panel-warning > .panel-heading   { @include panel-heading-styles($panel-warning-heading-bg); }
+.panel-danger > .panel-heading    { @include panel-heading-styles($panel-danger-heading-bg); }
+
+
+
+//
+// Wells
+// --------------------------------------------------
+
+.well {
+  @include gradient-vertical($start-color: darken($well-bg, 5%), $end-color: $well-bg);
+  border-color: darken($well-bg, 10%);
+  $shadow: inset 0 1px 3px rgba(0,0,0,.05), 0 1px 0 rgba(255,255,255,.1);
+  @include box-shadow($shadow);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_thumbnails.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_thumbnails.scss
new file mode 100644
index 0000000000..3d5ed86d05
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_thumbnails.scss
@@ -0,0 +1,38 @@
+//
+// Thumbnails
+// --------------------------------------------------
+
+
+// Mixin and adjust the regular image class
+.thumbnail {
+  display: block;
+  padding: $thumbnail-padding;
+  margin-bottom: $line-height-computed;
+  line-height: $line-height-base;
+  background-color: $thumbnail-bg;
+  border: 1px solid $thumbnail-border;
+  border-radius: $thumbnail-border-radius;
+  @include transition(all .2s ease-in-out);
+
+  > img,
+  a > img {
+    @include img-responsive();
+    margin-left: auto;
+    margin-right: auto;
+  }
+
+  // [converter] extracted a&:hover, a&:focus, a&.active to a.thumbnail:hover, a.thumbnail:focus, a.thumbnail.active
+
+  // Image captions
+  .caption {
+    padding: $thumbnail-caption-padding;
+    color: $thumbnail-caption-color;
+  }
+}
+
+// Add a hover state for linked versions only
+a.thumbnail:hover,
+a.thumbnail:focus,
+a.thumbnail.active {
+  border-color: $link-color;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tooltip.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tooltip.scss
new file mode 100644
index 0000000000..dec674cb40
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tooltip.scss
@@ -0,0 +1,95 @@
+//
+// Tooltips
+// --------------------------------------------------
+
+
+// Base class
+.tooltip {
+  position: absolute;
+  z-index: $zindex-tooltip;
+  display: block;
+  visibility: visible;
+  font-size: $font-size-small;
+  line-height: 1.4;
+  @include opacity(0);
+
+  &.in     { @include opacity($tooltip-opacity); }
+  &.top    { margin-top:  -3px; padding: $tooltip-arrow-width 0; }
+  &.right  { margin-left:  3px; padding: 0 $tooltip-arrow-width; }
+  &.bottom { margin-top:   3px; padding: $tooltip-arrow-width 0; }
+  &.left   { margin-left: -3px; padding: 0 $tooltip-arrow-width; }
+}
+
+// Wrapper for the tooltip content
+.tooltip-inner {
+  max-width: $tooltip-max-width;
+  padding: 3px 8px;
+  color: $tooltip-color;
+  text-align: center;
+  text-decoration: none;
+  background-color: $tooltip-bg;
+  border-radius: $border-radius-base;
+}
+
+// Arrows
+.tooltip-arrow {
+  position: absolute;
+  width: 0;
+  height: 0;
+  border-color: transparent;
+  border-style: solid;
+}
+.tooltip {
+  &.top .tooltip-arrow {
+    bottom: 0;
+    left: 50%;
+    margin-left: -$tooltip-arrow-width;
+    border-width: $tooltip-arrow-width $tooltip-arrow-width 0;
+    border-top-color: $tooltip-arrow-color;
+  }
+  &.top-left .tooltip-arrow {
+    bottom: 0;
+    left: $tooltip-arrow-width;
+    border-width: $tooltip-arrow-width $tooltip-arrow-width 0;
+    border-top-color: $tooltip-arrow-color;
+  }
+  &.top-right .tooltip-arrow {
+    bottom: 0;
+    right: $tooltip-arrow-width;
+    border-width: $tooltip-arrow-width $tooltip-arrow-width 0;
+    border-top-color: $tooltip-arrow-color;
+  }
+  &.right .tooltip-arrow {
+    top: 50%;
+    left: 0;
+    margin-top: -$tooltip-arrow-width;
+    border-width: $tooltip-arrow-width $tooltip-arrow-width $tooltip-arrow-width 0;
+    border-right-color: $tooltip-arrow-color;
+  }
+  &.left .tooltip-arrow {
+    top: 50%;
+    right: 0;
+    margin-top: -$tooltip-arrow-width;
+    border-width: $tooltip-arrow-width 0 $tooltip-arrow-width $tooltip-arrow-width;
+    border-left-color: $tooltip-arrow-color;
+  }
+  &.bottom .tooltip-arrow {
+    top: 0;
+    left: 50%;
+    margin-left: -$tooltip-arrow-width;
+    border-width: 0 $tooltip-arrow-width $tooltip-arrow-width;
+    border-bottom-color: $tooltip-arrow-color;
+  }
+  &.bottom-left .tooltip-arrow {
+    top: 0;
+    left: $tooltip-arrow-width;
+    border-width: 0 $tooltip-arrow-width $tooltip-arrow-width;
+    border-bottom-color: $tooltip-arrow-color;
+  }
+  &.bottom-right .tooltip-arrow {
+    top: 0;
+    right: $tooltip-arrow-width;
+    border-width: 0 $tooltip-arrow-width $tooltip-arrow-width;
+    border-bottom-color: $tooltip-arrow-color;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_type.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_type.scss
new file mode 100644
index 0000000000..154e4fd04d
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_type.scss
@@ -0,0 +1,304 @@
+//
+// Typography
+// --------------------------------------------------
+
+
+// Headings
+// -------------------------
+
+h1, h2, h3, h4, h5, h6,
+.h1, .h2, .h3, .h4, .h5, .h6 {
+  font-family: $headings-font-family;
+  font-weight: $headings-font-weight;
+  line-height: $headings-line-height;
+  color: $headings-color;
+
+  small,
+  .small {
+    font-weight: normal;
+    line-height: 1;
+    color: $headings-small-color;
+  }
+}
+
+h1, .h1,
+h2, .h2,
+h3, .h3 {
+  margin-top: $line-height-computed;
+  margin-bottom: calc($line-height-computed / 2);
+
+  small,
+  .small {
+    font-size: 65%;
+  }
+}
+h4, .h4,
+h5, .h5,
+h6, .h6 {
+  margin-top: calc($line-height-computed / 2);
+  margin-bottom: calc($line-height-computed / 2);
+
+  small,
+  .small {
+    font-size: 75%;
+  }
+}
+
+h1, .h1 { font-size: $font-size-h1; }
+h2, .h2 { font-size: $font-size-h2; }
+h3, .h3 { font-size: $font-size-h3; }
+h4, .h4 { font-size: $font-size-h4; }
+h5, .h5 { font-size: $font-size-h5; }
+h6, .h6 { font-size: $font-size-h6; }
+
+
+// Body text
+// -------------------------
+
+p {
+  margin: 0 0 calc($line-height-computed / 2);
+}
+
+.lead {
+  margin-bottom: $line-height-computed;
+  font-size: floor(calc($font-size-base * 1.15));
+  font-weight: 300;
+  line-height: 1.4;
+
+  @media (min-width: $screen-sm-min) {
+    font-size: calc($font-size-base * 1.5);
+  }
+}
+
+
+// Emphasis & misc
+// -------------------------
+
+// Ex: (12px small font / 14px base font) * 100% = about 85%
+small,
+.small {
+  font-size: floor(calc(100% * $font-size-small / $font-size-base));
+}
+
+// Undo browser default styling
+cite {
+  font-style: normal;
+}
+
+mark,
+.mark {
+  background-color: $state-warning-bg;
+  padding: .2em;
+}
+
+// Alignment
+.text-left           { text-align: left; }
+.text-right          { text-align: right; }
+.text-center         { text-align: center; }
+.text-justify        { text-align: justify; }
+.text-nowrap         { white-space: nowrap; }
+
+// Transformation
+.text-lowercase      { text-transform: lowercase; }
+.text-uppercase      { text-transform: uppercase; }
+.text-capitalize     { text-transform: capitalize; }
+
+// Contextual colors
+.text-muted {
+  color: $text-muted;
+}
+
+@include text-emphasis-variant('.text-primary', $brand-primary);
+
+@include text-emphasis-variant('.text-success', $state-success-text);
+
+@include text-emphasis-variant('.text-info', $state-info-text);
+
+@include text-emphasis-variant('.text-warning', $state-warning-text);
+
+@include text-emphasis-variant('.text-danger', $state-danger-text);
+
+// Contextual backgrounds
+// For now we'll leave these alongside the text classes until v4 when we can
+// safely shift things around (per SemVer rules).
+.bg-primary {
+  // Given the contrast here, this is the only class to have its color inverted
+  // automatically.
+  color: #fff;
+}
+@include bg-variant('.bg-primary', $brand-primary);
+
+@include bg-variant('.bg-success', $state-success-bg);
+
+@include bg-variant('.bg-info', $state-info-bg);
+
+@include bg-variant('.bg-warning', $state-warning-bg);
+
+@include bg-variant('.bg-danger', $state-danger-bg);
+
+
+// Page header
+// -------------------------
+
+.page-header {
+  padding-bottom: (calc($line-height-computed / 2) - 1);
+  margin: calc($line-height-computed * 2) 0 $line-height-computed;
+  border-bottom: 1px solid $page-header-border-color;
+}
+
+
+// Lists
+// -------------------------
+
+// Unordered and Ordered lists
+ul,
+ol {
+  margin-top: 0;
+  margin-bottom: calc($line-height-computed / 2);
+  ul,
+  ol {
+    margin-bottom: 0;
+  }
+}
+
+// List options
+
+// Unstyled keeps list items block level, just removes default browser padding and list-style
+.list-unstyled {
+  padding-left: 0;
+  list-style: none;
+}
+
+// Inline turns list items into inline-block
+.list-inline {
+  @extend .list-unstyled;
+  margin-left: -5px;
+
+  > li {
+    float:left;
+    padding-left: 5px;
+    padding-right: 5px;
+  }
+}
+
+// Description Lists
+dl {
+  margin-top: 0; // Remove browser default
+  margin-bottom: $line-height-computed;
+}
+dt,
+dd {
+  line-height: $line-height-base;
+}
+dt {
+  font-weight: bold;
+}
+dd {
+  margin-left: 0; // Undo browser default
+}
+
+// Horizontal description lists
+//
+// Defaults to being stacked without any of the below styles applied, until the
+// grid breakpoint is reached (default of ~768px).
+
+.dl-horizontal {
+  dd {
+    @include clearfix(); // Clear the floated `dt` if an empty `dd` is present
+  }
+
+  @media (min-width: $grid-float-breakpoint) {
+    dt {
+      float: left;
+      width: ($dl-horizontal-offset - 20);
+      clear: left;
+      text-align: right;
+      @include text-overflow();
+    }
+    dd {
+      margin-left: $dl-horizontal-offset;
+    }
+  }
+}
+
+
+// Misc
+// -------------------------
+
+// Abbreviations and acronyms
+abbr[title],
+// Add data-* attribute to help out our tooltip plugin, per https://github.com/twbs/bootstrap/issues/5257
+abbr[data-original-title] {
+  cursor: help;
+  border-bottom: 1px dotted $abbr-border-color;
+}
+.initialism {
+  font-size: 90%;
+  text-transform: uppercase;
+}
+
+// Blockquotes
+blockquote {
+  padding: calc($line-height-computed / 2) $line-height-computed;
+  margin: 0 0 $line-height-computed;
+  font-size: $blockquote-font-size;
+  border-left: 5px solid $blockquote-border-color;
+
+  p,
+  ul,
+  ol {
+    &:last-child {
+      margin-bottom: 0;
+    }
+  }
+
+  // Note: Deprecated small and .small as of v3.1.0
+  // Context: https://github.com/twbs/bootstrap/issues/11660
+  footer,
+  small,
+  .small {
+    display: block;
+    font-size: 80%; // back to default font-size
+    line-height: $line-height-base;
+    color: $blockquote-small-color;
+
+    &:before {
+      content: '\2014 \00A0'; // em dash, nbsp
+    }
+  }
+}
+
+// Opposite alignment of blockquote
+//
+// Heads up: `blockquote.pull-right` has been deprecated as of v3.1.0.
+.blockquote-reverse,
+blockquote.pull-right {
+  padding-right: 15px;
+  padding-left: 0;
+  border-right: 5px solid $blockquote-border-color;
+  border-left: 0;
+  text-align: right;
+
+  // Account for citation
+  footer,
+  small,
+  .small {
+    &:before { content: ''; }
+    &:after {
+      content: '\00A0 \2014'; // nbsp, em dash
+    }
+  }
+}
+
+// Quotes
+blockquote:before,
+blockquote:after {
+  content: "";
+}
+
+// Addresses
+address {
+  margin-bottom: $line-height-computed;
+  font-style: normal;
+  line-height: $line-height-base;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_utilities.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_utilities.scss
new file mode 100644
index 0000000000..3ad5f2eed5
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_utilities.scss
@@ -0,0 +1,57 @@
+//
+// Utility classes
+// --------------------------------------------------
+
+
+// Floats
+// -------------------------
+
+.clearfix {
+  @include clearfix();
+}
+.center-block {
+  @include center-block();
+}
+.pull-right {
+  float: right !important;
+}
+.pull-left {
+  float: left !important;
+}
+
+
+// Toggling content
+// -------------------------
+
+// Note: Deprecated .hide in favor of .hidden or .sr-only (as appropriate) in v3.0.1
+.hide {
+  display: none !important;
+}
+.show {
+  display: block !important;
+}
+.invisible {
+  visibility: hidden;
+}
+.text-hide {
+  @include text-hide();
+}
+
+
+// Hide from screenreaders and browsers
+//
+// Credit: HTML5 Boilerplate
+
+.hidden {
+  display: none !important;
+  visibility: hidden !important;
+}
+
+
+// For Affix plugin
+// -------------------------
+
+.affix {
+  position: fixed;
+  @include translate3d(0, 0, 0);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_variables.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_variables.scss
new file mode 100644
index 0000000000..882f7e1319
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_variables.scss
@@ -0,0 +1,853 @@
+// When true, asset path helpers are used, otherwise the regular CSS `url()` is used.
+// When there no function is defined, `fn('')` is parsed as string that equals the right hand side
+// NB: in Sass 3.3 there is a native function: function-exists(twbs-font-path)
+$bootstrap-sass-asset-helper: (twbs-font-path("") != unquote('twbs-font-path("")')) !default;
+
+//
+// Variables
+// --------------------------------------------------
+
+
+//== Colors
+//
+//## Gray and brand colors for use across Bootstrap.
+
+$gray-darker:            lighten(#000, 13.5%) !default; // #222
+$gray-dark:              lighten(#000, 20%) !default;   // #333
+$gray:                   lighten(#000, 33.5%) !default; // #555
+$gray-light:             lighten(#000, 46.7%) !default; // #777
+$gray-lighter:           lighten(#000, 93.5%) !default; // #eee
+
+$brand-default:         map-get($colors, default) !default;
+$brand-primary:         map-get($colors, primary) !default;
+$brand-success:         #7ebc59 !default;
+$brand-info:            #368cbf !default;
+$brand-warning:         #f0ad4e !default;
+$brand-danger:          #EE451F !default;
+
+
+//== Scaffolding
+//
+//## Settings for some of the most global styles.
+
+//** Background color for `<body>`.
+$body-bg:               #fff !default;
+//** Global text color on `<body>`.
+$text-color:            map-get($colors, darkgrey) !default;
+
+//** Global textual link color.
+$link-color:            $brand-primary !default;
+//** Link hover color set via `darken()` function.
+$link-hover-color:      darken($link-color, 15%) !default;
+
+
+//== Typography
+//
+//## Font, line-height, and color for body text, headings, and more.
+
+$font-family-sans-serif:  "Helvetica Neue", Helvetica, Arial, sans-serif !default;
+$font-family-serif:       Georgia, "Times New Roman", Times, serif !default;
+//** Default monospace fonts for `<code>`, `<kbd>`, and `<pre>`.
+$font-family-monospace:   Menlo, Monaco, Consolas, "Courier New", monospace !default;
+$font-family-base:        $font-family-sans-serif !default;
+
+$font-size-base:          14px !default;
+$font-size-large:         ceil(($font-size-base * 1.25)) !default; // ~18px
+$font-size-small:         ceil(($font-size-base * 0.85)) !default; // ~12px
+
+$font-size-h1:            floor(($font-size-base * 1.7)) !default; // ~36px
+$font-size-h2:            floor(($font-size-base * 1.15)) !default; // ~30px
+$font-size-h3:            ceil(($font-size-base * 1)) !default; // ~24px
+$font-size-h4:            ceil(($font-size-base * 1.25)) !default; // ~18px
+$font-size-h5:            $font-size-base !default;
+$font-size-h6:            ceil(($font-size-base * 0.85)) !default; // ~12px
+
+//** Unit-less `line-height` for use in components like buttons.
+$line-height-base:        1.428571429 !default; // 20/14
+//** Computed "line-height" (`font-size` * `line-height`) for use with `margin`, `padding`, etc.
+$line-height-computed:    floor(($font-size-base * $line-height-base)) !default; // ~20px
+
+//** By default, this inherits from the `<body>`.
+$headings-font-family:    "Inter" !default;
+$headings-font-weight:    500 !default;
+$headings-line-height:    1.4 !default;
+$headings-color:          inherit !default;
+
+
+//== Iconography
+//
+//## Specify custom location and filename of the included Glyphicons icon font. Useful for those including Bootstrap via Bower.
+
+//** Load fonts from this directory.
+
+// [converter] Asset helpers such as Sprockets and Node.js Mincer do not resolve relative paths
+$icon-font-path: if($bootstrap-sass-asset-helper, "bootstrap/", "../fonts/bootstrap/") !default;
+
+//** File name for all font files.
+$icon-font-name:          "glyphicons-halflings-regular" !default;
+//** Element ID within SVG icon file.
+$icon-font-svg-id:        "glyphicons_halflingsregular" !default;
+
+
+//== Components
+//
+//## Define common padding and border radius sizes and more. Values based on 14px text and 1.428 line-height (~20px to start).
+
+$padding-base-vertical:     6px !default;
+$padding-base-horizontal:   12px !default;
+
+$padding-large-vertical:    10px !default;
+$padding-large-horizontal:  16px !default;
+
+$padding-small-vertical:    5px !default;
+$padding-small-horizontal:  10px !default;
+
+$padding-xs-vertical:       1px !default;
+$padding-xs-horizontal:     5px !default;
+
+$line-height-large:         1.33 !default;
+$line-height-small:         1.5 !default;
+
+$border-radius-base:        3px !default;
+$border-radius-large:       6px !default;
+$border-radius-small:       3px !default;
+
+//** Global color for active items (e.g., navs or dropdowns).
+$component-active-color:    #fff !default;
+//** Global background color for active items (e.g., navs or dropdowns).
+$component-active-bg:       $brand-primary !default;
+
+//** Width of the `border` for generating carets that indicator dropdowns.
+$caret-width-base:          4px !default;
+//** Carets increase slightly in size for larger components.
+$caret-width-large:         5px !default;
+
+
+//== Tables
+//
+//## Customizes the `.table` component with basic values, each used across all table variations.
+
+//** Padding for `<th>`s and `<td>`s.
+$table-cell-padding:            10px 0px 10px 20px !default;
+//** Padding for cells in `.table-condensed`.
+$table-condensed-cell-padding:  8px !default;
+
+//** Default background color used for all tables.
+$table-bg:                      transparent !default;
+//** Background color used for `.table-striped`.
+$table-bg-accent:               map-get($colors, lightergrey) !default;
+//** Background color used for `.table-hover`.
+$table-bg-hover:                #f5f5f5 !default;
+$table-bg-active:               $table-bg-hover !default;
+
+//** Border color for table and cell borders.
+$table-border-color:            #eee !default;
+
+
+//== Buttons
+//
+//## For each of Bootstrap's buttons, define text, background and border color.
+
+$btn-font-weight:                normal !default;
+
+$btn-default-color:              #fff !default;
+$btn-default-bg:                 $brand-default !default;
+$btn-default-border:            $brand-default !default;
+
+$btn-primary-color:              #fff !default;
+$btn-primary-bg:                 $brand-primary !default;
+$btn-primary-border:             $brand-primary !default;
+
+$btn-success-color:              #fff !default;
+$btn-success-bg:                 $brand-success !default;
+$btn-success-border:             darken($btn-success-bg, 5%) !default;
+
+$btn-info-color:                 #fff !default;
+$btn-info-bg:                    $brand-info !default;
+$btn-info-border:                darken($btn-info-bg, 5%) !default;
+
+$btn-warning-color:              #fff !default;
+$btn-warning-bg:                 $brand-warning !default;
+$btn-warning-border:             darken($btn-warning-bg, 5%) !default;
+
+$btn-danger-color:               #fff !default;
+$btn-danger-bg:                  $brand-danger !default;
+$btn-danger-border:              darken($btn-danger-bg, 5%) !default;
+
+$btn-link-disabled-color:        $gray-light !default;
+
+
+//== Forms
+//
+//##
+
+//** `<input>` background color
+$input-bg:                       #fff !default;
+//** `<input disabled>` background color
+$input-bg-disabled:              $gray-lighter !default;
+
+//** Text color for `<input>`s
+$input-color:                    $gray !default;
+//** `<input>` border color
+$input-border:                   #ccc !default;
+//** `<input>` border radius
+$input-border-radius:            $border-radius-base !default;
+//** Border color for inputs on focus
+$input-border-focus:             #66afe9 !default;
+
+//** Placeholder text color
+$input-color-placeholder:        $gray-light !default;
+
+//** Default `.form-control` height
+$input-height-base:              ($line-height-computed + ($padding-base-vertical * 2) + 2) !default;
+//** Large `.form-control` height
+$input-height-large:             (ceil($font-size-large * $line-height-large) + ($padding-large-vertical * 2) + 2) !default;
+//** Small `.form-control` height
+$input-height-small:             (floor($font-size-small * $line-height-small) + ($padding-small-vertical * 2) + 2) !default;
+
+$legend-color:                   $gray-dark !default;
+$legend-border-color:            #e5e5e5 !default;
+
+//** Background color for textual input addons
+$input-group-addon-bg:           $gray-lighter !default;
+//** Border color for textual input addons
+$input-group-addon-border-color: $input-border !default;
+
+
+//== Dropdowns
+//
+//## Dropdown menu container and contents.
+
+//** Background for the dropdown menu.
+$dropdown-bg:                    #fff !default;
+//** Dropdown menu `border-color`.
+$dropdown-border:                rgba(0,0,0,.15) !default;
+//** Dropdown menu `border-color` **for IE8**.
+$dropdown-fallback-border:       #ccc !default;
+//** Divider color for between dropdown items.
+$dropdown-divider-bg:            #e5e5e5 !default;
+
+//** Dropdown link text color.
+$dropdown-link-color:            $gray-dark !default;
+//** Hover color for dropdown links.
+$dropdown-link-hover-color:      darken($gray-dark, 5%) !default;
+//** Hover background for dropdown links.
+$dropdown-link-hover-bg:         #f5f5f5 !default;
+
+//** Active dropdown menu item text color.
+$dropdown-link-active-color:     $component-active-color !default;
+//** Active dropdown menu item background color.
+$dropdown-link-active-bg:        $component-active-bg !default;
+
+//** Disabled dropdown menu item background color.
+$dropdown-link-disabled-color:   $gray-light !default;
+
+//** Text color for headers within dropdown menus.
+$dropdown-header-color:          $gray-light !default;
+
+//** Deprecated `$dropdown-caret-color` as of v3.1.0
+$dropdown-caret-color:           #000 !default;
+
+
+//-- Z-index master list
+//
+// Warning: Avoid customizing these values. They're used for a bird's eye view
+// of components dependent on the z-axis and are designed to all work together.
+//
+// Note: These variables are not generated into the Customizer.
+
+$zindex-navbar:            1000 !default;
+$zindex-dropdown:          1000 !default;
+$zindex-popover:           1060 !default;
+$zindex-tooltip:           1070 !default;
+$zindex-navbar-fixed:      1030 !default;
+$zindex-modal-background:  1040 !default;
+$zindex-modal:             1050 !default;
+
+
+//== Media queries breakpoints
+//
+//## Define the breakpoints at which your layout will change, adapting to different screen sizes.
+
+// Extra small screen / phone
+//** Deprecated `$screen-xs` as of v3.0.1
+$screen-xs:                  480px !default;
+//** Deprecated `$screen-xs-min` as of v3.2.0
+$screen-xs-min:              $screen-xs !default;
+//** Deprecated `$screen-phone` as of v3.0.1
+$screen-phone:               $screen-xs-min !default;
+
+// Small screen / tablet
+//** Deprecated `$screen-sm` as of v3.0.1
+$screen-sm:                  768px !default;
+$screen-sm-min:              $screen-sm !default;
+//** Deprecated `$screen-tablet` as of v3.0.1
+$screen-tablet:              $screen-sm-min !default;
+
+// Medium screen / desktop
+//** Deprecated `$screen-md` as of v3.0.1
+$screen-md:                  992px !default;
+$screen-md-min:              $screen-md !default;
+//** Deprecated `$screen-desktop` as of v3.0.1
+$screen-desktop:             $screen-md-min !default;
+
+// Large screen / wide desktop
+//** Deprecated `$screen-lg` as of v3.0.1
+$screen-lg:                  1200px !default;
+$screen-lg-min:              $screen-lg !default;
+//** Deprecated `$screen-lg-desktop` as of v3.0.1
+$screen-lg-desktop:          $screen-lg-min !default;
+
+// So media queries don't overlap when required, provide a maximum
+$screen-xs-max:              ($screen-sm-min - 1) !default;
+$screen-sm-max:              ($screen-md-min - 1) !default;
+$screen-md-max:              ($screen-lg-min - 1) !default;
+
+
+//== Grid system
+//
+//## Define your custom responsive grid.
+
+//** Number of columns in the grid.
+$grid-columns:              12 !default;
+//** Padding between columns. Gets divided in half for the left and right.
+$grid-gutter-width:         40px !default;
+// Navbar collapse
+//** Point at which the navbar becomes uncollapsed.
+$grid-float-breakpoint:     $screen-sm-min !default;
+//** Point at which the navbar begins collapsing.
+$grid-float-breakpoint-max: ($grid-float-breakpoint - 1) !default;
+
+
+//== Container sizes
+//
+//## Define the maximum width of `.container` for different screen sizes.
+
+// Small screen / tablet
+$container-tablet:             ((720px + $grid-gutter-width)) !default;
+//** For `$screen-sm-min` and up.
+$container-sm:                 $container-tablet !default;
+
+// Medium screen / desktop
+$container-desktop:            ((940px + $grid-gutter-width)) !default;
+//** For `$screen-md-min` and up.
+$container-md:                 $container-desktop !default;
+
+// Large screen / wide desktop
+$container-large-desktop:      ((1140px + $grid-gutter-width)) !default;
+//** For `$screen-lg-min` and up.
+$container-lg:                 $container-large-desktop !default;
+
+
+//== Navbar
+//
+//##
+
+// Basics of a navbar
+$navbar-height:                    50px !default;
+$navbar-margin-bottom:             0;
+$navbar-border-radius:             0;
+$navbar-padding-horizontal:        floor((calc($grid-gutter-width / 2))) !default;
+$navbar-padding-vertical:          15px;
+$navbar-collapse-max-height:       340px !default;
+
+$navbar-default-color:             map-get($colors, lightgrey) !default;
+$navbar-default-bg:                map-get($colors, darkgrey) !default;
+$navbar-default-border:            darken($navbar-default-bg, 6.5%) !default;
+
+// Navbar links
+$navbar-default-link-color:                map-get($colors, lightgrey) !default;
+$navbar-default-link-hover-color:          map-get($colors, orange) !default;
+$navbar-default-link-hover-bg:             transparent !default;
+$navbar-default-link-active-color:         #555 !default;
+$navbar-default-link-active-bg:            darken($navbar-default-bg, 6.5%) !default;
+$navbar-default-link-disabled-color:       #ccc !default;
+$navbar-default-link-disabled-bg:          transparent !default;
+
+// Navbar brand label
+$navbar-default-brand-color:               $navbar-default-link-color !default;
+$navbar-default-brand-hover-color:         darken($navbar-default-brand-color, 10%) !default;
+$navbar-default-brand-hover-bg:            transparent !default;
+
+// Navbar toggle
+$navbar-default-toggle-hover-bg:           #555 !default;
+$navbar-default-toggle-icon-bar-bg:        #FFF !default;
+$navbar-default-toggle-border-color:       #FFF !default;
+
+
+// Inverted navbar
+// Reset inverted navbar basics
+$navbar-inverse-color:                      $gray-light !default;
+$navbar-inverse-bg:                         #222 !default;
+$navbar-inverse-border:                     darken($navbar-inverse-bg, 10%) !default;
+
+// Inverted navbar links
+$navbar-inverse-link-color:                 $gray-light !default;
+$navbar-inverse-link-hover-color:           #fff !default;
+$navbar-inverse-link-hover-bg:              transparent !default;
+$navbar-inverse-link-active-color:          $navbar-inverse-link-hover-color !default;
+$navbar-inverse-link-active-bg:             darken($navbar-inverse-bg, 10%) !default;
+$navbar-inverse-link-disabled-color:        #444 !default;
+$navbar-inverse-link-disabled-bg:           transparent !default;
+
+// Inverted navbar brand label
+$navbar-inverse-brand-color:                $navbar-inverse-link-color !default;
+$navbar-inverse-brand-hover-color:          #fff !default;
+$navbar-inverse-brand-hover-bg:             transparent !default;
+
+// Inverted navbar toggle
+$navbar-inverse-toggle-hover-bg:            #333 !default;
+$navbar-inverse-toggle-icon-bar-bg:         #fff !default;
+$navbar-inverse-toggle-border-color:        #333 !default;
+
+
+//== Navs
+//
+//##
+
+//=== Shared nav styles
+$nav-link-padding:                          10px 15px !default;
+$nav-link-hover-bg:                         $gray-lighter !default;
+
+$nav-disabled-link-color:                   $gray-light !default;
+$nav-disabled-link-hover-color:             $gray-light !default;
+
+$nav-open-link-hover-color:                 #fff !default;
+
+//== Tabs
+$nav-tabs-border-color:                     #E5E5E5 !default;
+
+$nav-tabs-link-hover-border-color:          $gray-lighter !default;
+
+$nav-tabs-active-link-hover-bg:             $body-bg !default;
+$nav-tabs-active-link-hover-color:          $gray !default;
+$nav-tabs-active-link-hover-border-color:   #ddd !default;
+
+$nav-tabs-justified-link-border-color:            #ddd !default;
+$nav-tabs-justified-active-link-border-color:     $body-bg !default;
+
+//== Pills
+$nav-pills-border-radius:                   0 !default;
+$nav-pills-active-link-hover-bg:            $component-active-bg !default;
+$nav-pills-active-link-hover-color:         $component-active-color !default;
+
+
+//== Pagination
+//
+//##
+
+$pagination-color:                     $link-color !default;
+$pagination-bg:                        #fff !default;
+$pagination-border:                    #ddd !default;
+
+$pagination-hover-color:               $link-hover-color !default;
+$pagination-hover-bg:                  $gray-lighter !default;
+$pagination-hover-border:              #ddd !default;
+
+$pagination-active-color:              #fff !default;
+$pagination-active-bg:                 $brand-primary !default;
+$pagination-active-border:             $brand-primary !default;
+
+$pagination-disabled-color:            $gray-light !default;
+$pagination-disabled-bg:               #fff !default;
+$pagination-disabled-border:           #ddd !default;
+
+
+//== Pager
+//
+//##
+
+$pager-bg:                             $pagination-bg !default;
+$pager-border:                         $pagination-border !default;
+$pager-border-radius:                  15px !default;
+
+$pager-hover-bg:                       $pagination-hover-bg !default;
+
+$pager-active-bg:                      $pagination-active-bg !default;
+$pager-active-color:                   $pagination-active-color !default;
+
+$pager-disabled-color:                 $pagination-disabled-color !default;
+
+
+//== Jumbotron
+//
+//##
+
+$jumbotron-padding:              30px !default;
+$jumbotron-color:                inherit !default;
+$jumbotron-bg:                   $gray-lighter !default;
+$jumbotron-heading-color:        inherit !default;
+$jumbotron-font-size:            ceil(($font-size-base * 1.5)) !default;
+
+
+//== Form states and alerts
+//
+//## Define colors for form feedback states and, by default, alerts.
+
+$state-success-text:             $brand-success !default;
+$state-success-bg:               $brand-success !default;
+$state-success-border:           $brand-success !default;
+
+$state-info-text:                #31708f !default;
+$state-info-bg:                  #d9edf7 !default;
+$state-info-border:              darken(adjust-hue($state-info-bg, -10), 7%) !default;
+
+$state-warning-text:             $brand-warning !default;
+$state-warning-bg:               #fcf8e3 !default;
+$state-warning-border:           darken(adjust-hue($state-warning-bg, -10), 5%) !default;
+
+$state-danger-text:              $brand-danger !default;
+$state-danger-bg:                $brand-danger !default;
+$state-danger-border:            $brand-danger !default;
+
+
+//== Tooltips
+//
+//##
+
+//** Tooltip max width
+$tooltip-max-width:           200px !default;
+//** Tooltip text color
+$tooltip-color:               #fff !default;
+//** Tooltip background color
+$tooltip-bg:                  #000 !default;
+$tooltip-opacity:             .9 !default;
+
+//** Tooltip arrow width
+$tooltip-arrow-width:         5px !default;
+//** Tooltip arrow color
+$tooltip-arrow-color:         $tooltip-bg !default;
+
+
+//== Popovers
+//
+//##
+
+//** Popover body background color
+$popover-bg:                          #fff !default;
+//** Popover maximum width
+$popover-max-width:                   276px !default;
+//** Popover border color
+$popover-border-color:                rgba(0,0,0,.2) !default;
+//** Popover fallback border color
+$popover-fallback-border-color:       #ccc !default;
+
+//** Popover title background color
+$popover-title-bg:                    darken($popover-bg, 3%) !default;
+
+//** Popover arrow width
+$popover-arrow-width:                 10px !default;
+//** Popover arrow color
+$popover-arrow-color:                 #fff !default;
+
+//** Popover outer arrow width
+$popover-arrow-outer-width:           ($popover-arrow-width + 1) !default;
+//** Popover outer arrow color
+$popover-arrow-outer-color:           fade_in($popover-border-color, 0.05) !default;
+//** Popover outer arrow fallback color
+$popover-arrow-outer-fallback-color:  darken($popover-fallback-border-color, 20%) !default;
+
+
+//== Labels
+//
+//##
+
+//** Default label background color
+$label-default-bg:            $gray-light !default;
+//** Primary label background color
+$label-primary-bg:            $brand-primary !default;
+//** Success label background color
+$label-success-bg:            $brand-success !default;
+//** Info label background color
+$label-info-bg:               $brand-info !default;
+//** Warning label background color
+$label-warning-bg:            $brand-warning !default;
+//** Danger label background color
+$label-danger-bg:             $brand-danger !default;
+
+//** Default label text color
+$label-color:                 #fff !default;
+//** Default text color of a linked label
+$label-link-hover-color:      #fff !default;
+
+
+//== Modals
+//
+//##
+
+//** Padding applied to the modal body
+$modal-inner-padding:         15px !default;
+
+//** Padding applied to the modal title
+$modal-title-padding:         15px !default;
+//** Modal title line-height
+$modal-title-line-height:     $line-height-base !default;
+
+//** Background color of modal content area
+$modal-content-bg:                             #fff !default;
+//** Modal content border color
+$modal-content-border-color:                   rgba(0,0,0,.2) !default;
+//** Modal content border color **for IE8**
+$modal-content-fallback-border-color:          #999 !default;
+
+//** Modal backdrop background color
+$modal-backdrop-bg:           #000 !default;
+//** Modal backdrop opacity
+$modal-backdrop-opacity:      .5 !default;
+//** Modal header border color
+$modal-header-border-color:   #e5e5e5 !default;
+//** Modal footer border color
+$modal-footer-border-color:   $modal-header-border-color !default;
+
+$modal-lg:                    900px !default;
+$modal-md:                    600px !default;
+$modal-sm:                    300px !default;
+
+
+//== Alerts
+//
+//## Define alert colors, border radius, and padding.
+
+$alert-padding:               15px !default;
+$alert-border-radius:         $border-radius-base !default;
+$alert-link-font-weight:      bold !default;
+
+$alert-success-bg:            $state-success-bg !default;
+$alert-success-text:          $state-success-text !default;
+$alert-success-border:        $state-success-border !default;
+
+$alert-info-bg:               $state-info-bg !default;
+$alert-info-text:             $state-info-text !default;
+$alert-info-border:           $state-info-border !default;
+
+$alert-warning-bg:            $state-warning-bg !default;
+$alert-warning-text:          $state-warning-text !default;
+$alert-warning-border:        $state-warning-border !default;
+
+$alert-danger-bg:             $state-danger-bg !default;
+$alert-danger-text:           $state-danger-text !default;
+$alert-danger-border:         $state-danger-border !default;
+
+
+//== Progress bars
+//
+//##
+
+//** Background color of the whole progress component
+$progress-bg:                 #f5f5f5 !default;
+//** Progress bar text color
+$progress-bar-color:          #fff !default;
+
+//** Default progress bar color
+$progress-bar-bg:             $brand-primary !default;
+//** Success progress bar color
+$progress-bar-success-bg:     $brand-success !default;
+//** Warning progress bar color
+$progress-bar-warning-bg:     $brand-warning !default;
+//** Danger progress bar color
+$progress-bar-danger-bg:      $brand-danger !default;
+//** Info progress bar color
+$progress-bar-info-bg:        $brand-info !default;
+
+
+//== List group
+//
+//##
+
+//** Background color on `.list-group-item`
+$list-group-bg:                 #fff !default;
+//** `.list-group-item` border color
+$list-group-border:             #ddd !default;
+//** List group border radius
+$list-group-border-radius:      $border-radius-base !default;
+
+//** Background color of single list items on hover
+$list-group-hover-bg:           #f5f5f5 !default;
+//** Text color of active list items
+$list-group-active-color:       $component-active-color !default;
+//** Background color of active list items
+$list-group-active-bg:          $component-active-bg !default;
+//** Border color of active list elements
+$list-group-active-border:      $list-group-active-bg !default;
+//** Text color for content within active list items
+$list-group-active-text-color:  lighten($list-group-active-bg, 40%) !default;
+
+//** Text color of disabled list items
+$list-group-disabled-color:      $gray-light !default;
+//** Background color of disabled list items
+$list-group-disabled-bg:         $gray-lighter !default;
+//** Text color for content within disabled list items
+$list-group-disabled-text-color: $list-group-disabled-color !default;
+
+$list-group-link-color:         map-get($colors, darkgrey) !default;
+$list-group-link-hover-color:   map-get($colors, orange) !default;
+$list-group-link-heading-color: #333 !default;
+
+
+//== Panels
+//
+//##
+
+$panel-bg:                    #fff !default;
+$panel-body-padding:          15px !default;
+$panel-heading-padding:       10px 15px !default;
+$panel-footer-padding:        $panel-heading-padding !default;
+$panel-border-radius:         $border-radius-base !default;
+
+//** Border color for elements within panels
+$panel-inner-border:          #ddd !default;
+$panel-footer-bg:             #f5f5f5 !default;
+
+$panel-default-text:          $gray-dark !default;
+$panel-default-border:        #ddd !default;
+$panel-default-heading-bg:    #f5f5f5 !default;
+
+$panel-primary-text:          #fff !default;
+$panel-primary-border:        $brand-primary !default;
+$panel-primary-heading-bg:    $brand-primary !default;
+
+$panel-success-text:          $state-success-text !default;
+$panel-success-border:        $state-success-border !default;
+$panel-success-heading-bg:    $state-success-bg !default;
+
+$panel-info-text:             $state-info-text !default;
+$panel-info-border:           $state-info-border !default;
+$panel-info-heading-bg:       $state-info-bg !default;
+
+$panel-warning-text:          $state-warning-text !default;
+$panel-warning-border:        $state-warning-border !default;
+$panel-warning-heading-bg:    $state-warning-bg !default;
+
+$panel-danger-text:           $state-danger-text !default;
+$panel-danger-border:         $state-danger-border !default;
+$panel-danger-heading-bg:     $state-danger-bg !default;
+
+
+//== Thumbnails
+//
+//##
+
+//** Padding around the thumbnail image
+$thumbnail-padding:           4px !default;
+//** Thumbnail background color
+$thumbnail-bg:                $body-bg !default;
+//** Thumbnail border color
+$thumbnail-border:            #ddd !default;
+//** Thumbnail border radius
+$thumbnail-border-radius:     $border-radius-base !default;
+
+//** Custom text color for thumbnail captions
+$thumbnail-caption-color:     $text-color !default;
+//** Padding around the thumbnail caption
+$thumbnail-caption-padding:   9px !default;
+
+
+//== Wells
+//
+//##
+
+$well-bg:                     #f5f5f5 !default;
+$well-border:                 darken($well-bg, 7%) !default;
+
+
+//== Badges
+//
+//##
+
+$badge-color:                 #fff !default;
+//** Linked badge text color on hover
+$badge-link-hover-color:      #fff !default;
+$badge-bg:                    $gray-light !default;
+
+//** Badge text color in active nav link
+$badge-active-color:          $link-color !default;
+//** Badge background color in active nav link
+$badge-active-bg:             #fff !default;
+
+$badge-font-weight:           bold !default;
+$badge-line-height:           1 !default;
+$badge-border-radius:         10px !default;
+
+
+//== Breadcrumbs
+//
+//##
+
+$breadcrumb-padding-vertical:   8px !default;
+$breadcrumb-padding-horizontal: 15px !default;
+//** Breadcrumb background color
+$breadcrumb-bg:                 #f5f5f5 !default;
+//** Breadcrumb text color
+$breadcrumb-color:              #ccc !default;
+//** Text color of current page in the breadcrumb
+$breadcrumb-active-color:       $gray-light !default;
+//** Textual separator for between breadcrumb elements
+$breadcrumb-separator:          "/" !default;
+
+
+//== Carousel
+//
+//##
+
+$carousel-text-shadow:                        0 1px 2px rgba(0,0,0,.6) !default;
+
+$carousel-control-color:                      #fff !default;
+$carousel-control-width:                      15% !default;
+$carousel-control-opacity:                    .5 !default;
+$carousel-control-font-size:                  20px !default;
+
+$carousel-indicator-active-bg:                #fff !default;
+$carousel-indicator-border-color:             #fff !default;
+
+$carousel-caption-color:                      #fff !default;
+
+
+//== Close
+//
+//##
+
+$close-font-weight:           bold !default;
+$close-color:                 #000 !default;
+$close-text-shadow:           0 1px 0 #fff !default;
+
+
+//== Code
+//
+//##
+
+$code-color:                  #c7254e !default;
+$code-bg:                     #f9f2f4 !default;
+
+$kbd-color:                   #fff !default;
+$kbd-bg:                      #333 !default;
+
+$pre-bg:                      #f5f5f5 !default;
+$pre-color:                   $gray-dark !default;
+$pre-border-color:            #ccc !default;
+$pre-scrollable-max-height:   340px !default;
+
+
+//== Type
+//
+//##
+
+//** Horizontal offset for forms and lists.
+$component-offset-horizontal: 180px !default;
+//** Text muted color
+$text-muted:                  $gray-light !default;
+//** Abbreviations and acronyms border color
+$abbr-border-color:           $gray-light !default;
+//** Headings small color
+$headings-small-color:        $gray-light !default;
+//** Blockquote small color
+$blockquote-small-color:      $gray-light !default;
+//** Blockquote font size
+$blockquote-font-size:        ($font-size-base * 1.25) !default;
+//** Blockquote border color
+$blockquote-border-color:     $gray-lighter !default;
+//** Page header border color
+$page-header-border-color:    $gray-lighter !default;
+//** Width of horizontal description list titles
+$dl-horizontal-offset:        $component-offset-horizontal !default;
+//** Horizontal line color.
+$hr-border:                   $gray-lighter !default;
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_wells.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_wells.scss
new file mode 100644
index 0000000000..b8657118a6
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_wells.scss
@@ -0,0 +1,29 @@
+//
+// Wells
+// --------------------------------------------------
+
+
+// Base class
+.well {
+  min-height: 20px;
+  padding: 19px;
+  margin-bottom: 20px;
+  background-color: $well-bg;
+  border: 1px solid $well-border;
+  border-radius: $border-radius-base;
+  @include box-shadow(inset 0 1px 1px rgba(0,0,0,.05));
+  blockquote {
+    border-color: #ddd;
+    border-color: rgba(0,0,0,.15);
+  }
+}
+
+// Sizes
+.well-lg {
+  padding: 24px;
+  border-radius: $border-radius-large;
+}
+.well-sm {
+  padding: 9px;
+  border-radius: $border-radius-small;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_alerts.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_alerts.scss
new file mode 100644
index 0000000000..9a0b590071
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_alerts.scss
@@ -0,0 +1,14 @@
+// Alerts
+
+@mixin alert-variant($background, $border, $text-color) {
+  background-color: $background;
+  border-color: $border;
+  color: darken($text-color, 20%);
+
+  hr {
+    border-top-color: darken($border, 5%);
+  }
+  .alert-link {
+    color: darken($text-color, 15%);
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_background-variant.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_background-variant.scss
new file mode 100644
index 0000000000..4993bd2b80
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_background-variant.scss
@@ -0,0 +1,11 @@
+// Contextual backgrounds
+
+// [converter] $parent hack
+@mixin bg-variant($parent, $color) {
+  #{$parent} {
+    background-color: $color;
+  }
+  a#{$parent}:hover {
+    background-color: darken($color, 10%);
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_border-radius.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_border-radius.scss
new file mode 100644
index 0000000000..ce19499875
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_border-radius.scss
@@ -0,0 +1,18 @@
+// Single side border-radius
+
+@mixin border-top-radius($radius) {
+  border-top-right-radius: $radius;
+   border-top-left-radius: $radius;
+}
+@mixin border-right-radius($radius) {
+  border-bottom-right-radius: $radius;
+     border-top-right-radius: $radius;
+}
+@mixin border-bottom-radius($radius) {
+  border-bottom-right-radius: $radius;
+   border-bottom-left-radius: $radius;
+}
+@mixin border-left-radius($radius) {
+  border-bottom-left-radius: $radius;
+     border-top-left-radius: $radius;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_buttons.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_buttons.scss
new file mode 100644
index 0000000000..58ad13e502
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_buttons.scss
@@ -0,0 +1,50 @@
+// Button variants
+//
+// Easily pump out default styles, as well as :hover, :focus, :active,
+// and disabled options for all buttons
+
+@mixin button-variant($color, $background, $border) {
+  color: $color;
+  background-color: $background;
+  border-color: $border;
+
+  &:hover,
+  &:focus,
+  &:active,
+  &.active,
+  .open > &.dropdown-toggle {
+    color: $color;
+    background-color: darken($background, 10%);
+        border-color: darken($border, 12%);
+  }
+  &:active,
+  &.active,
+  .open > &.dropdown-toggle {
+    background-image: none;
+  }
+  &.disabled,
+  &[disabled],
+  fieldset[disabled] & {
+    &,
+    &:hover,
+    &:focus,
+    &:active,
+    &.active {
+      background-color: $background;
+          border-color: $border;
+    }
+  }
+
+  .badge {
+    color: $background;
+    background-color: $color;
+  }
+}
+
+// Button sizes
+@mixin button-size($padding-vertical, $padding-horizontal, $font-size, $line-height, $border-radius) {
+  padding: $padding-vertical $padding-horizontal;
+  font-size: $font-size;
+  line-height: $line-height;
+  border-radius: $border-radius;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_center-block.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_center-block.scss
new file mode 100644
index 0000000000..e06fb5e276
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_center-block.scss
@@ -0,0 +1,7 @@
+// Center-align a block level element
+
+@mixin center-block() {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_clearfix.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_clearfix.scss
new file mode 100644
index 0000000000..dc3e2ab426
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_clearfix.scss
@@ -0,0 +1,22 @@
+// Clearfix
+//
+// For modern browsers
+// 1. The space content is one way to avoid an Opera bug when the
+//    contenteditable attribute is included anywhere else in the document.
+//    Otherwise it causes space to appear at the top and bottom of elements
+//    that are clearfixed.
+// 2. The use of `table` rather than `block` is only necessary if using
+//    `:before` to contain the top-margins of child elements.
+//
+// Source: http://nicolasgallagher.com/micro-clearfix-hack/
+
+@mixin clearfix() {
+  &:before,
+  &:after {
+    content: " "; // 1
+    display: table; // 2
+  }
+  &:after {
+    clear: both;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_forms.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_forms.scss
new file mode 100644
index 0000000000..606504bd6a
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_forms.scss
@@ -0,0 +1,85 @@
+// Form validation states
+//
+// Used in forms.less to generate the form validation CSS for warnings, errors,
+// and successes.
+
+@mixin form-control-validation($text-color: #555, $border-color: #ccc, $background-color: #f5f5f5) {
+    // Color the label and help text
+    .help-block,
+    .control-label,
+    .radio,
+    .checkbox,
+    .radio-inline,
+    .checkbox-inline {
+        color: $text-color;
+    }
+    // Set the border and box shadow on specific inputs to match
+    .form-control {
+        border-color: $border-color;
+        @include box-shadow(inset 0 1px 1px rgba(0, 0, 0, .075)); // Redeclare so transitions work
+        &:focus {
+            border-color: darken($border-color, 10%);
+            $shadow: inset 0 1px 1px rgba(0, 0, 0, .075), 0 0 6px lighten($border-color, 20%);
+            @include box-shadow($shadow);
+        }
+    }
+    // Set validation states also for addons
+    .input-group-addon {
+        color: $text-color;
+        border-color: $border-color;
+        background-color: $background-color;
+    }
+    // Optional feedback icon
+    .form-control-feedback {
+        color: $text-color;
+    }
+}
+
+
+// Form control focus state
+//
+// Generate a customized focus state and for any input with the specified color,
+// which defaults to the `$input-border-focus` variable.
+//
+// We highly encourage you to not customize the default value, but instead use
+// this to tweak colors on an as-needed basis. This aesthetic change is based on
+// WebKit's default styles, but applicable to a wider range of browsers. Its
+// usability and accessibility should be taken into account with any change.
+//
+// Example usage: change the default blue border and shadow to white for better
+// contrast against a dark gray background.
+@mixin form-control-focus($color: $input-border-focus) {
+    $color-rgba: rgba(red($color), green($color), blue($color), .6);
+    &:focus {
+        border-color: $color;
+        outline: 0;
+        transition: border-color 250ms ease;
+        //@include box-shadow(inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px $color-rgba);
+    }
+}
+
+// Form control sizing
+//
+// Relative text size, padding, and border-radii changes for form controls. For
+// horizontal sizing, wrap controls in the predefined grid classes. `<select>`
+// element gets special love because it's special, and that's a fact!
+// [converter] $parent hack
+@mixin input-size($parent, $input-height, $padding-vertical, $padding-horizontal, $font-size, $line-height, $border-radius) {
+    #{$parent} {
+        height: $input-height;
+        padding: $padding-vertical $padding-horizontal;
+        font-size: $font-size;
+        line-height: $line-height;
+        border-radius: $border-radius;
+    }
+
+    select#{$parent} {
+        height: $input-height;
+        line-height: $input-height;
+    }
+
+    textarea#{$parent},
+    select[multiple]#{$parent} {
+        height: auto;
+    }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_gradients.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_gradients.scss
new file mode 100644
index 0000000000..a8939f5ae6
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_gradients.scss
@@ -0,0 +1,58 @@
+// Gradients
+
+
+
+// Horizontal gradient, from left to right
+//
+// Creates two color stops, start and end, by specifying a color and position for each color stop.
+// Color stops are not available in IE9 and below.
+@mixin gradient-horizontal($start-color: #555, $end-color: #333, $start-percent: 0%, $end-percent: 100%) {
+  background-image: -webkit-linear-gradient(left, $start-color $start-percent, $end-color $end-percent); // Safari 5.1-6, Chrome 10+
+  background-image: -o-linear-gradient(left, $start-color $start-percent, $end-color $end-percent); // Opera 12
+  background-image: linear-gradient(to right, $start-color $start-percent, $end-color $end-percent); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+
+  background-repeat: repeat-x;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#{ie-hex-str($start-color)}', endColorstr='#{ie-hex-str($end-color)}', GradientType=1); // IE9 and down
+}
+
+// Vertical gradient, from top to bottom
+//
+// Creates two color stops, start and end, by specifying a color and position for each color stop.
+// Color stops are not available in IE9 and below.
+@mixin gradient-vertical($start-color: #555, $end-color: #333, $start-percent: 0%, $end-percent: 100%) {
+  background-image: -webkit-linear-gradient(top, $start-color $start-percent, $end-color $end-percent);  // Safari 5.1-6, Chrome 10+
+  background-image: -o-linear-gradient(top, $start-color $start-percent, $end-color $end-percent);  // Opera 12
+  background-image: linear-gradient(to bottom, $start-color $start-percent, $end-color $end-percent); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+
+  background-repeat: repeat-x;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#{ie-hex-str($start-color)}', endColorstr='#{ie-hex-str($end-color)}', GradientType=0); // IE9 and down
+}
+
+@mixin gradient-directional($start-color: #555, $end-color: #333, $deg: 45deg) {
+  background-repeat: repeat-x;
+  background-image: -webkit-linear-gradient($deg, $start-color, $end-color); // Safari 5.1-6, Chrome 10+
+  background-image: -o-linear-gradient($deg, $start-color, $end-color); // Opera 12
+  background-image: linear-gradient($deg, $start-color, $end-color); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+
+}
+@mixin gradient-horizontal-three-colors($start-color: #00b3ee, $mid-color: #7a43b6, $color-stop: 50%, $end-color: #c3325f) {
+  background-image: -webkit-linear-gradient(left, $start-color, $mid-color $color-stop, $end-color);
+  background-image: -o-linear-gradient(left, $start-color, $mid-color $color-stop, $end-color);
+  background-image: linear-gradient(to right, $start-color, $mid-color $color-stop, $end-color);
+  background-repeat: no-repeat;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#{ie-hex-str($start-color)}', endColorstr='#{ie-hex-str($end-color)}', GradientType=1); // IE9 and down, gets no color-stop at all for proper fallback
+}
+@mixin gradient-vertical-three-colors($start-color: #00b3ee, $mid-color: #7a43b6, $color-stop: 50%, $end-color: #c3325f) {
+  background-image: -webkit-linear-gradient($start-color, $mid-color $color-stop, $end-color);
+  background-image: -o-linear-gradient($start-color, $mid-color $color-stop, $end-color);
+  background-image: linear-gradient($start-color, $mid-color $color-stop, $end-color);
+  background-repeat: no-repeat;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#{ie-hex-str($start-color)}', endColorstr='#{ie-hex-str($end-color)}', GradientType=0); // IE9 and down, gets no color-stop at all for proper fallback
+}
+@mixin gradient-radial($inner-color: #555, $outer-color: #333) {
+  background-image: -webkit-radial-gradient(circle, $inner-color, $outer-color);
+  background-image: radial-gradient(circle, $inner-color, $outer-color);
+  background-repeat: no-repeat;
+}
+@mixin gradient-striped($color: rgba(255,255,255,.15), $angle: 45deg) {
+  background-image: -webkit-linear-gradient($angle, $color 25%, transparent 25%, transparent 50%, $color 50%, $color 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient($angle, $color 25%, transparent 25%, transparent 50%, $color 50%, $color 75%, transparent 75%, transparent);
+  background-image: linear-gradient($angle, $color 25%, transparent 25%, transparent 50%, $color 50%, $color 75%, transparent 75%, transparent);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_grid-framework.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_grid-framework.scss
new file mode 100644
index 0000000000..d6df41f0fa
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_grid-framework.scss
@@ -0,0 +1,81 @@
+// Framework grid generation
+//
+// Used only by Bootstrap to generate the correct number of grid classes given
+// any value of `$grid-columns`.
+
+// [converter] This is defined recursively in LESS, but Sass supports real loops
+@mixin make-grid-columns($i: 1, $list: ".col-xs-#{$i}, .col-sm-#{$i}, .col-md-#{$i}, .col-lg-#{$i}") {
+  @for $i from (1 + 1) through $grid-columns {
+    $list: "#{$list}, .col-xs-#{$i}, .col-sm-#{$i}, .col-md-#{$i}, .col-lg-#{$i}";
+  }
+  #{$list} {
+    position: relative;
+    // Prevent columns from collapsing when empty
+    min-height: 1px;
+    // Inner gutter via padding
+    padding-left:  calc($grid-gutter-width / 2);
+    padding-right: calc($grid-gutter-width / 2);
+  }
+}
+
+
+// [converter] This is defined recursively in LESS, but Sass supports real loops
+@mixin float-grid-columns($class, $i: 1, $list: ".col-#{$class}-#{$i}") {
+  @for $i from (1 + 1) through $grid-columns {
+    $list: "#{$list}, .col-#{$class}-#{$i}";
+  }
+  #{$list} {
+    float: left;
+  }
+}
+
+
+@mixin calc-grid-column($index, $class, $type) {
+  @if ($type == width) and ($index > 0) {
+    .col-#{$class}-#{$index} {
+      width: percentage(calc($index / $grid-columns));
+    }
+  }
+  @if ($type == push) and ($index > 0) {
+    .col-#{$class}-push-#{$index} {
+      left: percentage(calc($index / $grid-columns));
+    }
+  }
+  @if ($type == push) and ($index == 0) {
+    .col-#{$class}-push-0 {
+      left: auto;
+    }
+  }
+  @if ($type == pull) and ($index > 0) {
+    .col-#{$class}-pull-#{$index} {
+      right: percentage(calc($index / $grid-columns));
+    }
+  }
+  @if ($type == pull) and ($index == 0) {
+    .col-#{$class}-pull-0 {
+      right: auto;
+    }
+  }
+  @if ($type == offset) {
+    .col-#{$class}-offset-#{$index} {
+      margin-left: percentage(calc($index / $grid-columns));
+    }
+  }
+}
+
+// [converter] This is defined recursively in LESS, but Sass supports real loops
+@mixin loop-grid-columns($columns, $class, $type) {
+  @for $i from 0 through $columns {
+    @include calc-grid-column($i, $class, $type);
+  }
+}
+
+
+// Create grid for specific class
+@mixin make-grid($class) {
+  @include float-grid-columns($class);
+  @include loop-grid-columns($grid-columns, $class, width);
+  @include loop-grid-columns($grid-columns, $class, pull);
+  @include loop-grid-columns($grid-columns, $class, push);
+  @include loop-grid-columns($grid-columns, $class, offset);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_grid.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_grid.scss
new file mode 100644
index 0000000000..6358016283
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_grid.scss
@@ -0,0 +1,122 @@
+// Grid system
+//
+// Generate semantic grid columns with these mixins.
+
+// Centered container element
+@mixin container-fixed($gutter: $grid-gutter-width) {
+  margin-right: auto;
+  margin-left: auto;
+  padding-left:  calc($gutter / 2);
+  padding-right: calc($gutter / 2);
+  @include clearfix();
+}
+
+// Creates a wrapper for a series of columns
+@mixin make-row($gutter: $grid-gutter-width) {
+  margin-left:  calc($gutter / -2);
+  margin-right: calc($gutter / -2);
+  @include clearfix();
+}
+
+// Generate the extra small columns
+@mixin make-xs-column($columns, $gutter: $grid-gutter-width) {
+  position: relative;
+  float: left;
+  width: percentage(($columns / $grid-columns));
+  min-height: 1px;
+  padding-left:  calc($gutter / 2);
+  padding-right: calc($gutter / 2);
+}
+@mixin make-xs-column-offset($columns) {
+  margin-left: percentage(($columns / $grid-columns));
+}
+@mixin make-xs-column-push($columns) {
+  left: percentage(($columns / $grid-columns));
+}
+@mixin make-xs-column-pull($columns) {
+  right: percentage(($columns / $grid-columns));
+}
+
+// Generate the small columns
+@mixin make-sm-column($columns, $gutter: $grid-gutter-width) {
+  position: relative;
+  min-height: 1px;
+  padding-left:  calc($gutter / 2);
+  padding-right: calc($gutter / 2);
+
+  @media (min-width: $screen-sm-min) {
+    float: left;
+    width: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-sm-column-offset($columns) {
+  @media (min-width: $screen-sm-min) {
+    margin-left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-sm-column-push($columns) {
+  @media (min-width: $screen-sm-min) {
+    left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-sm-column-pull($columns) {
+  @media (min-width: $screen-sm-min) {
+    right: percentage(calc($columns / $grid-columns));
+  }
+}
+
+// Generate the medium columns
+@mixin make-md-column($columns, $gutter: $grid-gutter-width) {
+  position: relative;
+  min-height: 1px;
+  padding-left:  ($gutter / 2);
+  padding-right: ($gutter / 2);
+
+  @media (min-width: $screen-md-min) {
+    float: left;
+    width: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-md-column-offset($columns) {
+  @media (min-width: $screen-md-min) {
+    margin-left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-md-column-push($columns) {
+  @media (min-width: $screen-md-min) {
+    left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-md-column-pull($columns) {
+  @media (min-width: $screen-md-min) {
+    right: percentage(calc($columns / $grid-columns));
+  }
+}
+
+// Generate the large columns
+@mixin make-lg-column($columns, $gutter: $grid-gutter-width) {
+  position: relative;
+  min-height: 1px;
+  padding-left:  ($gutter / 2);
+  padding-right: ($gutter / 2);
+
+  @media (min-width: $screen-lg-min) {
+    float: left;
+    width: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-lg-column-offset($columns) {
+  @media (min-width: $screen-lg-min) {
+    margin-left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-lg-column-push($columns) {
+  @media (min-width: $screen-lg-min) {
+    left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-lg-column-pull($columns) {
+  @media (min-width: $screen-lg-min) {
+    right: percentage(calc($columns / $grid-columns));
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_hide-text.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_hide-text.scss
new file mode 100644
index 0000000000..c5a281ffa8
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_hide-text.scss
@@ -0,0 +1,21 @@
+// CSS image replacement
+//
+// Heads up! v3 launched with only `.hide-text()`, but per our pattern for
+// mixins being reused as classes with the same name, this doesn't hold up. As
+// of v3.0.1 we have added `.text-hide()` and deprecated `.hide-text()`.
+//
+// Source: https://github.com/h5bp/html5-boilerplate/commit/aa0396eae757
+
+// Deprecated as of v3.0.1 (will be removed in v4)
+@mixin hide-text() {
+  font: #{0/0} a;
+  color: transparent;
+  text-shadow: none;
+  background-color: transparent;
+  border: 0;
+}
+
+// New mixin to use as of v3.0.1
+@mixin text-hide() {
+  @include hide-text();
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_image.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_image.scss
new file mode 100644
index 0000000000..57d60a32d8
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_image.scss
@@ -0,0 +1,34 @@
+// Image Mixins
+// - Responsive image
+// - Retina image
+
+
+// Responsive image
+//
+// Keep images from scaling beyond the width of their parents.
+@mixin img-responsive($display: block) {
+  display: $display;
+  width: 100% \9; // Force IE10 and below to size SVG images correctly
+  max-width: 100%; // Part 1: Set a maximum relative to the parent
+  height: auto; // Part 2: Scale the height according to the width, otherwise you get stretching
+}
+
+
+// Retina image
+//
+// Short retina mixin for setting background-image and -size. Note that the
+// spelling of `min--moz-device-pixel-ratio` is intentional.
+@mixin img-retina($file-1x, $file-2x, $width-1x, $height-1x) {
+  background-image: url(if($bootstrap-sass-asset-helper, twbs-image-path("#{$file-1x}"), "#{$file-1x}"));
+
+  @media
+  only screen and (-webkit-min-device-pixel-ratio: 2),
+  only screen and (   min--moz-device-pixel-ratio: 2),
+  only screen and (     -o-min-device-pixel-ratio: 2/1),
+  only screen and (        min-device-pixel-ratio: 2),
+  only screen and (                min-resolution: 192dpi),
+  only screen and (                min-resolution: 2dppx) {
+    background-image: url(if($bootstrap-sass-asset-helper, twbs-image-path("#{$file-2x}"), "#{$file-2x}"));
+    background-size: $width-1x $height-1x;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_labels.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_labels.scss
new file mode 100644
index 0000000000..eda6dfd29e
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_labels.scss
@@ -0,0 +1,12 @@
+// Labels
+
+@mixin label-variant($color) {
+  background-color: $color;
+
+  &[href] {
+    &:hover,
+    &:focus {
+      background-color: darken($color, 10%);
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_list-group.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_list-group.scss
new file mode 100644
index 0000000000..5f05e7ba23
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_list-group.scss
@@ -0,0 +1,31 @@
+// List Groups
+
+@mixin list-group-item-variant($state, $background, $color) {
+  .list-group-item-#{$state} {
+    color: $color;
+    background-color: $background;
+
+    // [converter] extracted a& to a.list-group-item-#{$state}
+  }
+
+  a.list-group-item-#{$state} {
+    color: $color;
+
+    .list-group-item-heading {
+      color: inherit;
+    }
+
+    &:hover,
+    &:focus {
+      color: $color;
+      background-color: darken($background, 5%);
+    }
+    &.active,
+    &.active:hover,
+    &.active:focus {
+      color: #fff;
+      background-color: $color;
+      border-color: $color;
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_nav-divider.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_nav-divider.scss
new file mode 100644
index 0000000000..21f2cd5be6
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_nav-divider.scss
@@ -0,0 +1,10 @@
+// Horizontal dividers
+//
+// Dividers (basically an hr) within dropdowns and nav lists
+
+@mixin nav-divider($color: #e5e5e5) {
+  height: 1px;
+  margin: (calc($line-height-computed / 2) - 1) 0;
+  overflow: hidden;
+  background-color: $color;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_nav-vertical-align.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_nav-vertical-align.scss
new file mode 100644
index 0000000000..c774a327e2
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_nav-vertical-align.scss
@@ -0,0 +1,9 @@
+// Navbar vertical align
+//
+// Vertically center elements in the navbar.
+// Example: an element has a height of 30px, so write out `.navbar-vertical-align(30px);` to calculate the appropriate top margin.
+
+@mixin navbar-vertical-align($element-height) {
+  margin-top: calc(($navbar-height - $element-height) / 2);
+  margin-bottom: calc(($navbar-height - $element-height) / 2);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_opacity.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_opacity.scss
new file mode 100644
index 0000000000..df088adfe9
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_opacity.scss
@@ -0,0 +1,8 @@
+// Opacity
+
+@mixin opacity($opacity) {
+  opacity: $opacity;
+  // IE8 filter
+  $opacity-ie: ($opacity * 100);
+  filter: #{alpha(opacity=$opacity-ie)};
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_pagination.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_pagination.scss
new file mode 100644
index 0000000000..43fff6863d
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_pagination.scss
@@ -0,0 +1,23 @@
+// Pagination
+
+@mixin pagination-size($padding-vertical, $padding-horizontal, $font-size, $border-radius) {
+  > li {
+    > a,
+    > span {
+      padding: $padding-vertical $padding-horizontal;
+      font-size: $font-size;
+    }
+    &:first-child {
+      > a,
+      > span {
+        @include border-left-radius($border-radius);
+      }
+    }
+    &:last-child {
+      > a,
+      > span {
+        @include border-right-radius($border-radius);
+      }
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_panels.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_panels.scss
new file mode 100644
index 0000000000..3ff31ae51e
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_panels.scss
@@ -0,0 +1,24 @@
+// Panels
+
+@mixin panel-variant($border, $heading-text-color, $heading-bg-color, $heading-border) {
+  border-color: $border;
+
+  & > .panel-heading {
+    color: $heading-text-color;
+    background-color: $heading-bg-color;
+    border-color: $heading-border;
+
+    + .panel-collapse > .panel-body {
+      border-top-color: $border;
+    }
+    .badge {
+      color: $heading-bg-color;
+      background-color: $heading-text-color;
+    }
+  }
+  & > .panel-footer {
+    + .panel-collapse > .panel-body {
+      border-bottom-color: $border;
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_progress-bar.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_progress-bar.scss
new file mode 100644
index 0000000000..3275ea33d4
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_progress-bar.scss
@@ -0,0 +1,10 @@
+// Progress bars
+
+@mixin progress-bar-variant($color) {
+  background-color: $color;
+
+  // Deprecated parent class requirement as of v3.2.0
+  .progress-striped & {
+    @include gradient-striped();
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_reset-filter.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_reset-filter.scss
new file mode 100644
index 0000000000..bf73051200
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_reset-filter.scss
@@ -0,0 +1,8 @@
+// Reset filters for IE
+//
+// When you need to remove a gradient background, do not forget to use this to reset
+// the IE filter for IE9 and below.
+
+@mixin reset-filter() {
+  filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_resize.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_resize.scss
new file mode 100644
index 0000000000..83fa637917
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_resize.scss
@@ -0,0 +1,6 @@
+// Resize anything
+
+@mixin resizable($direction) {
+  resize: $direction; // Options: horizontal, vertical, both
+  overflow: auto; // Per CSS3 UI, `resize` only applies when `overflow` isn't `visible`
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_responsive-visibility.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_responsive-visibility.scss
new file mode 100644
index 0000000000..9867db013d
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_responsive-visibility.scss
@@ -0,0 +1,21 @@
+// Responsive utilities
+
+//
+// More easily include all the states for responsive-utilities.less.
+// [converter] $parent hack
+@mixin responsive-visibility($parent) {
+  #{$parent} {
+    display: block !important;
+  }
+  table#{$parent}  { display: table; }
+  tr#{$parent}     { display: table-row !important; }
+  th#{$parent},
+  td#{$parent}     { display: table-cell !important; }
+}
+
+// [converter] $parent hack
+@mixin responsive-invisibility($parent) {
+  #{$parent} {
+    display: none !important;
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_size.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_size.scss
new file mode 100644
index 0000000000..abbe2463ce
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_size.scss
@@ -0,0 +1,10 @@
+// Sizing shortcuts
+
+@mixin size($width, $height) {
+  width: $width;
+  height: $height;
+}
+
+@mixin square($size) {
+  @include size($size, $size);
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_tab-focus.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_tab-focus.scss
new file mode 100644
index 0000000000..1308d7d4ec
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_tab-focus.scss
@@ -0,0 +1,10 @@
+// WebKit-style focus
+
+@mixin tab-focus() {
+    // Default
+    //outline: thin dotted;
+    // WebKit
+    //outline: 5px auto -webkit-focus-ring-color;
+    //outline-offset: -2px;
+    outline: none;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_table-row.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_table-row.scss
new file mode 100644
index 0000000000..136795081e
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_table-row.scss
@@ -0,0 +1,28 @@
+// Tables
+
+@mixin table-row-variant($state, $background) {
+  // Exact selectors below required to override `.table-striped` and prevent
+  // inheritance to nested tables.
+  .table > thead > tr,
+  .table > tbody > tr,
+  .table > tfoot > tr {
+    > td.#{$state},
+    > th.#{$state},
+    &.#{$state} > td,
+    &.#{$state} > th {
+      background-color: $background;
+    }
+  }
+
+  // Hover states for `.table-hover`
+  // Note: this is not available for cells or rows within `thead` or `tfoot`.
+  .table-hover > tbody > tr {
+    > td.#{$state}:hover,
+    > th.#{$state}:hover,
+    &.#{$state}:hover > td,
+    &:hover > .#{$state},
+    &.#{$state}:hover > th {
+      background-color: darken($background, 5%);
+    }
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_text-emphasis.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_text-emphasis.scss
new file mode 100644
index 0000000000..1101e03662
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_text-emphasis.scss
@@ -0,0 +1,11 @@
+// Typography
+
+// [converter] $parent hack
+@mixin text-emphasis-variant($parent, $color) {
+  #{$parent} {
+    color: $color;
+  }
+  a#{$parent}:hover {
+    color: darken($color, 10%);
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_text-overflow.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_text-overflow.scss
new file mode 100644
index 0000000000..1593b25ea5
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_text-overflow.scss
@@ -0,0 +1,8 @@
+// Text overflow
+// Requires inline-block or block for proper styling
+
+@mixin text-overflow() {
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_vendor-prefixes.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_vendor-prefixes.scss
new file mode 100644
index 0000000000..f91f57686d
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/mixins/_vendor-prefixes.scss
@@ -0,0 +1,219 @@
+// Vendor Prefixes
+//
+// All vendor mixins are deprecated as of v3.2.0 due to the introduction of
+// Autoprefixer in our Gruntfile. They will be removed in v4.
+
+// - Animations
+// - Backface visibility
+// - Box shadow
+// - Box sizing
+// - Content columns
+// - Hyphens
+// - Placeholder text
+// - Transformations
+// - Transitions
+// - User Select
+
+
+// Animations
+@mixin animation($animation) {
+  -webkit-animation: $animation;
+       -o-animation: $animation;
+          animation: $animation;
+}
+@mixin animation-name($name) {
+  -webkit-animation-name: $name;
+          animation-name: $name;
+}
+@mixin animation-duration($duration) {
+  -webkit-animation-duration: $duration;
+          animation-duration: $duration;
+}
+@mixin animation-timing-function($timing-function) {
+  -webkit-animation-timing-function: $timing-function;
+          animation-timing-function: $timing-function;
+}
+@mixin animation-delay($delay) {
+  -webkit-animation-delay: $delay;
+          animation-delay: $delay;
+}
+@mixin animation-iteration-count($iteration-count) {
+  -webkit-animation-iteration-count: $iteration-count;
+          animation-iteration-count: $iteration-count;
+}
+@mixin animation-direction($direction) {
+  -webkit-animation-direction: $direction;
+          animation-direction: $direction;
+}
+@mixin animation-fill-mode($fill-mode) {
+  -webkit-animation-fill-mode: $fill-mode;
+          animation-fill-mode: $fill-mode;
+}
+
+// Backface visibility
+// Prevent browsers from flickering when using CSS 3D transforms.
+// Default value is `visible`, but can be changed to `hidden`
+
+@mixin backface-visibility($visibility){
+  -webkit-backface-visibility: $visibility;
+     -moz-backface-visibility: $visibility;
+          backface-visibility: $visibility;
+}
+
+// Drop shadows
+//
+// Note: Deprecated `.box-shadow()` as of v3.1.0 since all of Bootstrap's
+// supported browsers that have box shadow capabilities now support it.
+
+@mixin box-shadow($shadow...) {
+  -webkit-box-shadow: $shadow; // iOS <4.3 & Android <4.1
+          box-shadow: $shadow;
+}
+
+// Box sizing
+@mixin box-sizing($boxmodel) {
+  -webkit-box-sizing: $boxmodel;
+     -moz-box-sizing: $boxmodel;
+          box-sizing: $boxmodel;
+}
+
+// CSS3 Content Columns
+@mixin content-columns($column-count, $column-gap: $grid-gutter-width) {
+  -webkit-column-count: $column-count;
+     -moz-column-count: $column-count;
+          column-count: $column-count;
+  -webkit-column-gap: $column-gap;
+     -moz-column-gap: $column-gap;
+          column-gap: $column-gap;
+}
+
+// Optional hyphenation
+@mixin hyphens($mode: auto) {
+  word-wrap: break-word;
+  -webkit-hyphens: $mode;
+     -moz-hyphens: $mode;
+      -ms-hyphens: $mode; // IE10+
+       -o-hyphens: $mode;
+          hyphens: $mode;
+}
+
+// Placeholder text
+@mixin placeholder($color: $input-color-placeholder) {
+  &::-moz-placeholder           { color: $color;   // Firefox
+                                  opacity: 1; } // See https://github.com/twbs/bootstrap/pull/11526
+  &:-ms-input-placeholder       { color: $color; } // Internet Explorer 10+
+  &::-webkit-input-placeholder  { color: $color; } // Safari and Chrome
+}
+
+// Transformations
+@mixin scale($ratio...) {
+  -webkit-transform: scale($ratio);
+      -ms-transform: scale($ratio); // IE9 only
+       -o-transform: scale($ratio);
+          transform: scale($ratio);
+}
+
+@mixin scaleX($ratio) {
+  -webkit-transform: scaleX($ratio);
+      -ms-transform: scaleX($ratio); // IE9 only
+       -o-transform: scaleX($ratio);
+          transform: scaleX($ratio);
+}
+@mixin scaleY($ratio) {
+  -webkit-transform: scaleY($ratio);
+      -ms-transform: scaleY($ratio); // IE9 only
+       -o-transform: scaleY($ratio);
+          transform: scaleY($ratio);
+}
+@mixin skew($x, $y) {
+  -webkit-transform: skewX($x) skewY($y);
+      -ms-transform: skewX($x) skewY($y); // See https://github.com/twbs/bootstrap/issues/4885; IE9+
+       -o-transform: skewX($x) skewY($y);
+          transform: skewX($x) skewY($y);
+}
+@mixin translate($x, $y) {
+  -webkit-transform: translate($x, $y);
+      -ms-transform: translate($x, $y); // IE9 only
+       -o-transform: translate($x, $y);
+          transform: translate($x, $y);
+}
+@mixin translate3d($x, $y, $z) {
+  -webkit-transform: translate3d($x, $y, $z);
+          transform: translate3d($x, $y, $z);
+}
+@mixin rotate($degrees) {
+  -webkit-transform: rotate($degrees);
+      -ms-transform: rotate($degrees); // IE9 only
+       -o-transform: rotate($degrees);
+          transform: rotate($degrees);
+}
+@mixin rotateX($degrees) {
+  -webkit-transform: rotateX($degrees);
+      -ms-transform: rotateX($degrees); // IE9 only
+       -o-transform: rotateX($degrees);
+          transform: rotateX($degrees);
+}
+@mixin rotateY($degrees) {
+  -webkit-transform: rotateY($degrees);
+      -ms-transform: rotateY($degrees); // IE9 only
+       -o-transform: rotateY($degrees);
+          transform: rotateY($degrees);
+}
+@mixin perspective($perspective) {
+  -webkit-perspective: $perspective;
+     -moz-perspective: $perspective;
+          perspective: $perspective;
+}
+@mixin perspective-origin($perspective) {
+  -webkit-perspective-origin: $perspective;
+     -moz-perspective-origin: $perspective;
+          perspective-origin: $perspective;
+}
+@mixin transform-origin($origin) {
+  -webkit-transform-origin: $origin;
+     -moz-transform-origin: $origin;
+      -ms-transform-origin: $origin; // IE9 only
+          transform-origin: $origin;
+}
+
+
+// Transitions
+
+@mixin transition($transition...) {
+  -webkit-transition: $transition;
+       -o-transition: $transition;
+          transition: $transition;
+}
+@mixin transition-property($transition-property...) {
+  -webkit-transition-property: $transition-property;
+          transition-property: $transition-property;
+}
+@mixin transition-delay($transition-delay) {
+  -webkit-transition-delay: $transition-delay;
+          transition-delay: $transition-delay;
+}
+@mixin transition-duration($transition-duration...) {
+  -webkit-transition-duration: $transition-duration;
+          transition-duration: $transition-duration;
+}
+@mixin transition-timing-function($timing-function) {
+  -webkit-transition-timing-function: $timing-function;
+          transition-timing-function: $timing-function;
+}
+@mixin transition-transform($transition...) {
+  -webkit-transition: -webkit-transform $transition;
+     -moz-transition: -moz-transform $transition;
+       -o-transition: -o-transform $transition;
+          transition: transform $transition;
+}
+
+
+// User select
+// For selecting text on the page
+
+@mixin user-select($select) {
+  -webkit-user-select: $select;
+     -moz-user-select: $select;
+      -ms-user-select: $select; // IE10+
+          user-select: $select;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
new file mode 100644
index 0000000000..d3b2a4313d
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
@@ -0,0 +1,350 @@
+
+:root {
+    --chart-js-background-color: #f7e2d6;
+    --chart-js-border-color: #f6f6f6;
+    --chart-js-font-color: #4b4b64;
+}
+
+.btn-pressed, .btn-pressed:hover {
+    color: white;
+    background-color: #0086d9;
+}
+
+
+#save-grid {
+    position: relative;
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    width: 50px;
+    height: 33px;
+    margin-right: 10px;
+    transition: opacity 0.3s ease;
+}
+
+#save-btn-text, #icon-container {
+    position: absolute;
+}
+
+#icon-container {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+}
+
+#save-spinner, #save-check {
+    transition: opacity 0.3s ease, transform 0.3s ease;
+}
+
+.transition-spinner, transition-check {
+    transition: opacity 0.3s ease, transform 0.3s ease;
+}
+
+
+.grid-stack-item-content {
+    text-align: center;
+    border: none !important;
+    border-radius: 0.5em 0.5em 0.5em 0.5em;
+    background-color: #fff;
+    box-shadow: 0 2px 4px rgba(40, 40, 50, 0.15), 0 0 1px rgba(40, 40, 50, 0.35);
+}
+
+.widget-error {
+    margin: 50px;
+    color: #721c24
+}
+
+.widget-content {
+    position: relative;
+    width: 100%;
+    height: 100%;
+    padding: 1px;
+    cursor: grab;
+}
+
+.widget-header {
+    font-size: 14px;
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    margin-top: 0.5em;
+    margin-right: 1em;
+    margin-left: 1em;
+}
+
+.widget-spinner {
+    margin-top: 20px;
+}
+
+.fa-stack.small {
+    font-size: 0.5em;
+}
+
+.close-handle,
+.edit-handle {
+    padding: .2rem .5rem;
+    cursor: pointer;
+    text-align: right;
+    vertical-align: middle;
+}
+
+.close-handle > i,
+.edit-handle > i {
+    font-size: 1.2rem !important;
+}
+
+.widget-header-left {
+    display: flex;
+    align-items: center;
+    flex: 1;
+    justify-content: flex-start;
+}
+
+.widget-command-container {
+    display: flex;
+    align-items: center;
+    flex: 1;
+    justify-content: flex-end;
+}
+
+.widget-title {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+}
+
+.panel-divider {
+    width: 100%;
+    height: 8px;
+    margin-bottom: 10px;
+    text-align: center;
+
+    .line {
+        display: none;
+    }
+}
+
+td {
+    word-break: break-all;
+}
+
+
+.canvas-container {
+    position: relative;
+}
+
+.cpu-canvas-container {
+    display: flex;
+    flex-direction: column;
+}
+
+.smoothie-container {
+    width: 100%;
+}
+
+.smoothie-chart-tooltip {
+    font-size: 13px;
+    z-index: 1; /* necessary to force to foreground */
+    padding-right: 15px;
+    padding-left: 15px;
+    pointer-events: none;
+    color: white;
+    border-radius: 0.5em 0.5em 0.5em 0.5em;
+    background: rgba(50, 50, 50, 0.9);
+}
+
+.flex-container {
+    display: flex;
+    flex-wrap: nowrap;
+    white-space: nowrap;
+}
+
+.gateway-info {
+    font-size: 13px;
+    margin: 5px;
+    padding: 5px;
+}
+
+.gateway-detail-container {
+    display: none;
+    margin: 5px;
+}
+
+.interface-info {
+    display: flex;
+    align-items: center;
+    flex-wrap: wrap;
+    height: 100%;
+}
+
+.nowrap {
+    flex-wrap: nowrap;
+}
+
+.gateway-graph {
+    display: none;
+}
+
+.flex-container > .gateway-graph {
+    font-size: 13px;
+}
+
+.vertical-center-row {
+    display: inline;
+    height: 100%;
+}
+
+.interfaces-info {
+    font-size: .8rem;
+    margin: 5px;
+}
+
+.interface-descr {
+    font-size: 1em;
+    margin-left: .8em;
+    cursor: pointer;
+    text-decoration: underline;
+}
+
+.interfaces-detail-container {
+    display: none;
+    margin: 5px;
+}
+
+.d-flex {
+    display: flex;
+}
+
+.d-flex > .justify-content-start {
+    justify-content: start;
+}
+
+.d-flex > .justify-content-end {
+    justify-content: end;
+}
+
+#chartjs-toolip {
+    z-index: 20;
+}
+
+/* CPU widget */
+.cpu-type {
+    margin-top: 10px;
+    margin-bottom: 10px;
+}
+
+/* ----- */
+
+/* Custom flex table */
+div {
+    box-sizing: border-box;
+}
+
+.flextable-container {
+    display: block;
+    width: 95%;
+    max-width: 1200px;
+    margin: 2em auto;
+}
+
+.flextable-header {
+    display: flex;
+    flex-flow: row wrap;
+    padding: 0.5em 0.5em;
+    transition: 0.5s;
+    border-top: solid 1px rgba(0, 119, 217, 0.15) !important;
+}
+
+.flextable-row {
+    display: flex;
+    align-items: center;
+    flex-flow: row wrap;
+    padding: 0.5em 0.5em;
+    transition: 0.5s;
+    border-top: solid 1px #e8eaef !important;
+}
+
+.flextable-header .flex-cell {
+    font-weight: bold;
+}
+
+.flextable-row:hover {
+    transition: 500ms;
+    background: #f5f5f5;
+}
+
+.flex-cell {
+    padding: 4px 0;
+    text-align: left;
+    word-break: break-word;
+}
+
+.column {
+    display: flex;
+    flex-flow: column wrap;
+    width: 50%;
+    padding: 0;
+}
+
+.column .flex-cell {
+    display: flex;
+    flex-flow: row wrap;
+    width: 100%;
+    padding: 4px 0;
+    border: 0;
+    border-top: #e8eaef;
+}
+
+.column .flex-cell:hover {
+    transition: 500ms;
+    background: #f5f5f5;
+}
+
+.flex-subcell {
+    width: 100%;
+    text-align: left;
+}
+
+.column .flex-cell:not(:last-child) {
+    border-bottom: solid 1px #e8eaef !important;
+}
+
+/* ----- */
+
+/* CSS grid responsive table */
+.grid-header-container {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+}
+
+.grid-row {
+    display: grid;
+    transition: 0.5s;
+    opacity: 0.4;
+    border-top: 1px solid #eff3f8;
+    background-color: #d6e5f7; /* fade-in color, transitions to transparent */
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+}
+
+.grid-row:hover {
+    transition: 500ms;
+    background: #f5f5f5 !important;
+}
+
+.grid-header {
+    font-weight: bold;
+    border-top: 1px solid #eff3f8;
+}
+
+.grid-item {
+    padding: 4px;
+    text-align: center;
+}
+
+/* ----- */
+
+.ovpn-common-name {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+}
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
new file mode 100644
index 0000000000..89a913f6af
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
@@ -0,0 +1,1270 @@
+/**
+ * Bootstrap Variables
+ */
+$colors: (
+        default: #536270,
+        primary: #51aded,
+        navbg: #263238,
+        lightgrey: #f7f7f7,
+        lightergrey: #fbfbfb,
+        darkgrey: #3c3c3b,
+        bordergrey: #eaeaea,
+);
+
+$input-border: #e4eaec;
+$list-group-active-border: #3498db;
+$theme-path: "/ui/themes/advanced";
+
+$zindex: (
+        header: 2,
+        footer: 2,
+        main: 1,
+        sidebar: 3,
+);
+
+$font-size-base: 13px;
+
+// format dashboard widget headers
+.widgetdiv {
+    .content-box-head {
+        overflow: hidden;
+        min-height: 25px !important;
+        padding: 8px !important;
+        color: map-get($colors, darkgrey) !important;
+        border-top-left-radius: 3px;
+        border-top-right-radius: 3px;
+        background: #e8e8e8 !important;
+
+        .btn-group {
+            .btn {
+                color: map-get($colors, darkgrey) !important;
+                border: 0px;
+                background: #e8e8e8 !important;
+
+                .glyphicon {
+                    color: map-get($colors, darkgrey) !important;
+                }
+            }
+        }
+
+        .list-inline {
+            li > h3 {
+                padding-top: 4px;
+            }
+        }
+    }
+}
+
+@font-face {
+    font-family: "Inter";
+    font-style: normal;
+    font-weight: 600;
+    font-display: swap;
+    src: url($theme-path + "/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");
+    unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+}
+
+@font-face {
+    font-family: "Inter";
+    font-style: normal;
+    font-weight: 500;
+    font-display: swap;
+    src: url($theme-path + "/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");
+    unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+}
+
+@font-face {
+    font-family: "Inter";
+    font-style: normal;
+    font-weight: 400;
+    font-display: swap;
+    src: url($theme-path + "/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");
+    unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
+}
+
+// Core variables and mixins
+@import "bootstrap/variables";
+@import "bootstrap/mixins";
+
+// Reset and dependencies
+@import "bootstrap/normalize";
+@import "bootstrap/print";
+@import "bootstrap/glyphicons";
+
+// Core CSS
+@import "bootstrap/scaffolding";
+@import "bootstrap/type";
+@import "bootstrap/code";
+@import "bootstrap/grid";
+@import "bootstrap/tables";
+@import "bootstrap/forms";
+@import "bootstrap/buttons";
+
+// Components
+@import "bootstrap/component-animations";
+@import "bootstrap/dropdowns";
+@import "bootstrap/button-groups";
+@import "bootstrap/input-groups";
+@import "bootstrap/navs";
+@import "bootstrap/navbar";
+@import "bootstrap/breadcrumbs";
+@import "bootstrap/pagination";
+@import "bootstrap/pager";
+@import "bootstrap/labels";
+@import "bootstrap/badges";
+@import "bootstrap/jumbotron";
+@import "bootstrap/thumbnails";
+@import "bootstrap/alerts";
+@import "bootstrap/progress-bars";
+@import "bootstrap/media";
+@import "bootstrap/list-group";
+@import "bootstrap/panels";
+@import "bootstrap/responsive-embed";
+@import "bootstrap/wells";
+@import "bootstrap/close";
+
+// Components w/ JavaScript
+@import "bootstrap/modals";
+@import "bootstrap/tooltip";
+@import "bootstrap/popovers";
+@import "bootstrap/carousel";
+
+// Utility classes
+@import "bootstrap/utilities";
+@import "bootstrap/responsive-utilities";
+
+* {
+    -webkit-font-smoothing: antialiased;
+}
+
+html, body {
+    font-family: "Inter", serif;
+    font-weight: 400;
+    height: 100%;
+    background-color: #fff;
+}
+
+body {
+    min-width: 320px;
+    touch-action: manipulation;
+}
+
+.widget-sort-handle {
+    touch-action: none;
+}
+
+.page-head {
+    position: fixed;
+    z-index: map-get($zindex, header);
+    top: 0;
+    right: 0;
+    left: 0;
+    background: map-get($colors, darkgrey);
+
+    .navbar-default {
+        min-height: 60px;
+        color: rgba(87, 87, 87, 0.67);
+        border: 0;
+        background: #fff;
+        box-shadow: 0 2px 4px rgb(0 0 0 / 8%);
+    }
+
+    .navbar-text {
+        color: #494949;
+    }
+
+    .navbar-right {
+        margin-top: 6px;
+    }
+
+    .navbar-brand {
+        display: flex;
+        flex-direction: column;
+        width: 250px;
+        height: 100%;
+        text-align: center;
+        color: #000;
+        background: #3498db;
+
+        &::before {
+            font-size: 16px;
+            font-weight: 500;
+            display: inline-block;
+            content: "OPNSense";
+            color: #fff;
+        }
+
+        &::after {
+            font-size: 12px;
+            font-weight: 400;
+            display: inline-block;
+            content: "AdvancedOPN Theme";
+            color: #fafafa;
+        }
+
+        &:hover, &:focus {
+            background: #3498db;
+        }
+
+        .brand-logo, .brand-icon {
+            width: 1px;
+            height: 1px;
+        }
+    }
+
+    .navbar-toggle {
+        margin-top: 14px;
+
+        .icon-bar {
+            background-color: #363636;
+        }
+
+        &:hover, &:focus {
+            background-color: transparent;
+
+            .icon-bar {
+                background-color: #3498db;
+            }
+        }
+    }
+}
+
+.page-content {
+    position: relative;
+    z-index: map-get($zindex, main);
+    height: calc(100% - 60px);
+    padding-top: 60px;
+
+    > .row {
+        height: 100%;
+    }
+
+    @media (min-width: $screen-sm-min) {
+        &.col-lg-10, &.col-sm-9 {
+            width: calc(100% - 250px);
+        }
+        &.col-lg-push-2, &.col-sm-push-3 {
+            left: 250px;
+        }
+    }
+}
+
+.page-content-head {
+    padding-top: 20px;
+    padding-bottom: 15px;
+    border-bottom: 1px solid rgba(#D9D9D9, .50);
+    background: map-get($colors, lightergrey);
+
+    .navbar-nav {
+        width: 100%;
+    }
+
+    h1, h2, h3 {
+        line-height: 1;
+        margin: 0;
+    }
+}
+
+.page-content-main {
+    min-height: calc(100% - 64px);
+    padding: 15px 0 (15px + 58px);
+    background: #f7f7f7;
+}
+
+.page-side {
+    position: fixed;
+    z-index: map-get($zindex, sidebar);
+    top: 0;
+    left: 0;
+    overflow: auto;
+    width: 250px;
+    height: 100% !important;
+    height: calc(100% - 60px) !important;
+    margin-top: 60px;
+    border-right: 1px solid rgba(0, 0, 0, .15);
+    background: map-get($colors, navbg);
+
+    @extend .hidden-xs;
+}
+
+.page-side-nav {
+
+    &--active {
+        border-left: 3px solid map-get($colors, orange);
+        background: map-get($colors, lightgrey);
+    }
+
+    .panel {
+        background: map-get($colors, navbg);
+    }
+
+}
+
+.page-foot {
+    font-size: 12px;
+    position: fixed;
+    z-index: map-get($zindex, footer);
+    bottom: 0;
+    width: 100%;
+    padding: 20px 0;
+    border-top: 1px solid rgba(#D9D9D9, .50);
+    background: map-get($colors, lightergrey);
+}
+
+.content-box {
+    border: 1px solid map-get($colors, bordergrey);;
+    border-radius: 3px;
+    background: #fff;
+
+    @extend .clearfix;
+
+    &-head {
+        @extend .page-content-head;
+    }
+
+    &-main {
+        //background: map-get($colors, lightgrey);
+        padding-top: 15px;
+        padding-bottom: 15px;
+    }
+}
+
+div.content-box.wizard {
+    div {
+        img {
+            filter: invert(25%);
+        }
+    }
+}
+
+.tab-content {
+    padding: 0px 0;
+    border-top: 0px;
+
+    > .tab-content {
+        margin-bottom: 0;
+        padding: 0 15px;
+    }
+
+    .tab-content:last-child {
+        margin-bottom: 0;
+    }
+}
+
+.page-content-main section[class^="col-"] + section[class^="col-"] {
+    padding-top: calc($grid-gutter-width / 2);
+}
+
+.brand-logo {
+    display: none;
+
+    @media (min-width: $screen-sm-min) {
+        display: inline-block;
+    }
+}
+
+.brand-icon {
+    display: inline-block;
+
+    @media (min-width: $screen-sm-min) {
+        display: none;
+    }
+}
+
+.col-sm-disable-spacer {
+    @media (min-width: $screen-sm-min) {
+        padding-top: 0 !important;
+    }
+}
+
+.col-md-disable-spacer {
+    @media (min-width: $screen-md-min) {
+        padding-top: 0 !important;
+    }
+}
+
+.col-lg-disable-spacer {
+    @media (min-width: $screen-lg-min) {
+        padding-top: 0 !important;
+    }
+}
+
+.page-login {
+    background: linear-gradient(#eff2f5, #f5f7f8);
+
+    .container {
+        display: flex;
+        align-items: center;
+        flex-direction: column;
+        justify-content: center;
+        min-height: 100%;
+
+        &:after {
+            height: 60px;
+        }
+    }
+}
+
+.login-foot {
+    font-size: 12px;
+}
+
+.login-modal {
+
+    &-container {
+        width: 100%;
+        max-width: 400px;
+        //border: 1px solid map-get($colors, bordergrey);
+        margin-bottom: 8px;
+        border-radius: 4px;
+        background: #fff;
+        box-shadow: 0 1px 8px rgba(#000, .1);
+    }
+
+    &-head {
+        height: 50px;
+        padding: 0 20px;
+        border-top-left-radius: 4px;
+        border-top-right-radius: 4px;
+        background: map-get($colors, primary);
+
+        img {
+            display: none;
+        }
+
+        .navbar-brand {
+            display: flex;
+            float: none;
+            align-items: center;
+            flex-direction: column;
+            justify-content: center;
+            text-align: center;
+
+            &::before {
+                font-size: 16px;
+                font-weight: 500;
+                display: inline-block;
+                content: "OPNSense";
+                color: #fff;
+            }
+
+            &::after {
+                font-size: 11px;
+                font-weight: 400;
+                display: inline-block;
+                content: "AdvancedOPN Theme";
+                color: #fafafa;
+            }
+        }
+    }
+
+    &-content {
+        padding: 20px 20px 20px 20px;
+    }
+
+    &-foot {
+        height: 60px;
+        padding: 20px 20px 0 20px;
+        border-top: 1px solid map-get($colors, bordergrey);
+        background: map-get($colors, lightgrey);
+
+        a {
+            text-decoration: none;
+            color: #7d7d7d;
+
+            &:hover {
+                text-decoration: underline;
+                color: darken(#7d7d7d, 10%);
+            }
+        }
+    }
+}
+
+.list-inline .btn-group-container {
+    @media (min-width: $screen-sm-min) {
+        float: right;
+    }
+}
+
+.btn.btn-fixed {
+    width: 100%;
+    max-width: 174px;
+}
+
+.progress-bar-placeholder {
+    font-size: 12px;
+    position: absolute;
+    z-index: 1;
+    width: 100%;
+    text-align: center;
+}
+
+/* BOOTSTRAP EDIT */
+.list-group-item {
+    border-right: none;
+    border-left: none;
+
+    &.collapsed .caret {
+        border-top: 0;
+        border-bottom: 4px solid green;
+    }
+}
+
+/* COLLAPSE SIDEBAR */
+main.page-content.col-lg-12 {
+    padding-left: 90px;
+}
+
+/**
+ * Primary navigation
+ */
+#navigation {
+
+    .panel.list-group {
+        .fa:not(.__iconspacer) {
+            width: auto;
+            padding-right: 10px;
+        }
+
+        a.list-group-item {
+            font-size: 14px;
+            position: relative;
+            padding: 12px 16px;
+            text-decoration: none;
+            color: #a6adb3;
+            background: map-get($colors, navbg);
+
+            &:hover {
+                color: #e1e4e6;
+                background: rgba(#fff, 0.03);
+
+                &::before {
+                    background-color: $list-group-active-border;
+                }
+            }
+
+            &.active {
+                color: #e1e4e6;
+                background: rgba(#fff, 0.02);
+            }
+
+        }
+
+        > .list-group-item:not(.collapsed).active-menu-title {
+            &::before {
+                width: 3px;
+                transition: opacity 200ms;
+                background-color: $list-group-active-border;
+            }
+        }
+
+    }
+
+
+    .panel.list-group > div {
+        .list-group-item {
+            font-size: 13px;
+            position: relative;
+            padding: 5px 0 5px 35px;
+
+            &::before {
+                position: absolute;
+                z-index: 1;
+                top: -11px;
+                bottom: 13px;
+                left: 12px;
+                display: block;
+                width: 0;
+                content: "";
+                opacity: .8;
+                border-left: 1px dotted #3e474e !important;
+            }
+
+            &::after {
+                position: absolute;
+                z-index: 1;
+                top: 13px;
+                left: 12px;
+                display: block;
+                width: 12px;
+                content: "";
+                border-bottom: 1px dotted #3e474e !important;
+            }
+
+            &:hover, &.active, &:focus {
+                &::before {
+                    opacity: 1;
+                    background-color: #3e474e;
+                }
+            }
+
+        }
+
+    }
+}
+
+#navigation.col-sidebar-left {
+    overflow: hidden;
+    width: 70px;
+    border: none !important;
+    background-color: transparent !important;
+
+    > div {
+        &.row {
+            height: 100% !important;
+
+            > nav.page-side-nav {
+                width: 70px;
+                height: 100% !important;
+                border-right: 1px solid lighten(map-get($colors, navbg), 5%);
+                background: map-get($colors, navbg);
+            }
+        }
+
+        > nav > #mainmenu > div > {
+            a.list-group-item {
+                font-size: 13px;
+                width: 70px;
+                height: 70px;
+                padding-top: 12px;
+                padding-right: 0px;
+                padding-left: 0px;
+                text-align: center;
+                color: #a6adb3;
+                border-right: 1px solid lighten(map-get($colors, navbg), 5%);
+                border-bottom: 2px solid #lightergrey;
+
+                > span {
+                    &.fa, &.glyphicon {
+                        font-size: 20px;
+                        visibility: visible;
+                    }
+
+                    &.__iconspacer {
+                        display: block;
+                        height: 30px;
+                        padding: 0px;
+                        text-align: center;
+                    }
+                }
+            }
+
+            div {
+                &.collapsing > a.list-group-item {
+                    font-size: 14px !important;
+                    position: absolute !important;
+                    left: 70px !important;
+                    display: block !important;
+                    padding-left: 10px !important;
+                }
+
+                &.collapse {
+                    &.in {
+                        > {
+                            div.collapsing > a.list-group-item {
+                                font-size: 14px !important;
+                                position: absolute !important;
+                                left: 166px !important;
+                                display: block !important;
+                                padding-left: 10px !important;
+                            }
+
+                            a.list-group-item, div.collapse.in > a.list-group-item {
+                                background-color: map-get($colors, navbg) !important;
+                            }
+                        }
+
+                        > div.collapse.in > a.list-group-item {
+                            font-size: 14px !important;
+                            padding-left: 10px !important;
+                        }
+                    }
+
+                    > {
+                        div.collapse > a.list-group-item, a.list-group-item {
+                            font-size: 14px !important;
+                            padding-left: 10px !important;
+
+                            &::before, &::after {
+                                display: none;
+                            }
+                        }
+                    }
+                }
+
+                &.collapsed > a.list-group-item {
+                    font-size: 14px !important;
+                    padding-left: 10px !important;
+                }
+
+                &.collapse {
+                    > {
+                        a.list-group-item, div.collapse > a.list-group-item {
+                            padding: 3px 8px !important;
+                        }
+                    }
+
+                    &.in {
+                        font-size: 14px;
+                        position: absolute;
+                        z-index: 10;
+                        left: 70px;
+                        width: 168px;
+                        margin-top: -70px;
+                        border: 1px solid lighten(map-get($colors, navbg), 5%);
+                        -moz-box-shadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5);
+                        -webkit-box-shadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5);
+                        box-shadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5);
+
+                        > div.collapse.in {
+                            font-size: 14px;
+                            position: absolute;
+                            z-index: 10;
+                            left: 166px;
+                            width: 168px;
+                            margin-top: -26px;
+                            border: 1px solid lighten(map-get($colors, navbg), 5%);
+                            -moz-box-shadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5);
+                            -webkit-box-shadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5);
+                            box-shadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5);
+                        }
+                    }
+                }
+
+                &.collapsing, &.collapse.in > div.collapsing {
+                    display: none;
+                }
+            }
+        }
+    }
+}
+
+button.toggle-sidebar {
+    font-size: 14px;
+    float: left;
+    margin-top: 20px;
+    color: #575757;
+    border: none;
+    outline: none;
+    background-color: transparent;
+}
+
+/* COLLAPSE SIDEBAR END*/
+#navigation.collapse.in {
+    display: block !important;
+}
+
+.list-group-submenu .list-group-item:last-child,
+.collapse .list-group-item:last-child {
+    border-bottom: none;
+}
+
+ul.nav > li.dropdown > ul.dropdown-menu > li > a {
+    padding: 3px 10px;
+}
+
+.nav-tabs {
+    margin-right: 1px;
+    border-bottom: 2px solid map-get($colors, bordergrey);
+}
+
+.nav-tabs > li {
+    margin-right: 2px;
+    border-radius: 0px;
+    border-top-right-radius: 10px;
+}
+
+.nav-tabs > li > a {
+    margin-right: 0px;
+    cursor: pointer;
+    color: #777777;
+    border-top-left-radius: 4px;
+    border-top-right-radius: 4px;
+    background: #fcfcfc;
+}
+
+.nav-tabs > li > a {
+    border: none;
+    background: transparent;
+
+    &:hover, &:focus {
+        border-bottom: 2px solid darken(map-get($colors, bordergrey), 4%);
+        background-color: #efefef;
+    }
+}
+
+.nav-tabs > li.active > a,
+.nav-tabs > li.active > a:hover,
+.nav-tabs > li.active > a:focus {
+    color: map-get($colors, primary);
+    border-top: none;
+    border-right: none;
+    border-bottom: 2px solid map-get($colors, primary);
+    border-left: none;
+    background: transparent;
+
+}
+
+.nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
+    padding-right: 6px !important;
+    padding-left: 12px !important;
+    border-top-right-radius: 0px !important;
+}
+
+.nav-tabs > li > a.visible-lg-inline-block.pull-right {
+    padding-right: 12px !important;
+    padding-left: 6px !important;
+    border-left: 0px !important;
+    border-top-left-radius: 0;
+}
+
+
+.nav-tabs.nav-justified {
+    border-right: 1px solid map-get($colors, bordergrey);
+
+    > li {
+        border-top: 1px solid map-get($colors, bordergrey);
+        border-bottom: 1px solid map-get($colors, bordergrey);
+        border-left: 1px solid map-get($colors, bordergrey);
+        border-radius: 0px;
+        background: map-get($colors, lightgrey);
+
+        > a {
+            font-family: "Inter", serif;
+            color: map-get($colors, darkgrey);
+
+            @media (min-width: $screen-sm-min) {
+                border-bottom: 1px solid transparent;
+            }
+        }
+    }
+
+    > li.active > a {
+        @media (max-width: $screen-xs-max) {
+            border-right: 0 !important;
+        }
+    }
+}
+
+> li.active + li > a {
+    @media (min-width: $screen-sm-min) {
+        border-left: 1px solid transparent;
+    }
+}
+
+> li:last-child > a {
+    border-right: 1px solid transparent !important;
+
+    @media (max-width: $screen-xs-max) {
+        margin-bottom: 0;
+    }
+}
+
+// Modal for notifications
+#opn-status-list .btn {
+    color: #565656;
+    border: 1px solid #ecedf1;
+    background: transparent;
+
+    &:hover {
+        background: #f9f9f9;
+    }
+}
+
+// Tweak dialogs
+.bootstrap-dialog-title {
+    font-size: 15px;
+    font-weight: 500;
+}
+
+// Tweak bootstrap select
+.bootstrap-select {
+
+    .btn-default {
+        color: #76838f;
+        border: 1px solid $input-border;
+        background: #fff;
+
+        &:focus {
+            border-color: $input-border-focus;
+            background: #fff;
+        }
+    }
+
+    &.open > .btn-default {
+        color: #76838f;
+        border-color: $input-border-focus;
+        background: #fff;
+    }
+
+    .dropdown-toggle:focus {
+        outline-color: #fff !important;
+    }
+
+}
+
+.btn .glyphicon {
+    vertical-align: -1px;
+}
+
+.btn-default .glyphicon {
+    color: #757575;
+}
+
+table {
+    width: 100%;
+}
+
+.table {
+    margin-bottom: 0px !important;
+}
+
+.nav-tabs-justified, .nav-tabs.nav-justified {
+    .nav-tabs.nav-justified > .active > a:focus {
+        border: 0px !important;
+    }
+}
+
+.table th, strong, b {
+    font-family: "Inter", serif;
+    font-weight: 500;
+}
+
+.table > tbody > tr > td:last-child {
+    padding-right: 15px;
+}
+
+/* helpers */
+.__nowrap {
+    white-space: nowrap;
+}
+
+.__nomb {
+    margin-bottom: 0;
+}
+
+.__mb {
+    margin-bottom: 15px;
+}
+
+.__mt {
+    margin-top: 15px;
+}
+
+.__ml {
+    margin-left: 15px;
+}
+
+.__mr {
+    margin-right: 15px;
+}
+
+.__iconspacer {
+    padding-right: 10px;
+}
+
+#mainmenu .glyphicon {
+    vertical-align: -2px;
+}
+
+.list-group-item {
+    overflow: hidden;
+    text-overflow: ellipsis;
+
+    + div.collapse {
+        margin-bottom: -1px;
+    }
+
+    + div > a {
+        padding-left: 44px;
+    }
+
+    &:before {
+        position: absolute;
+        top: 0px;
+        left: 0;
+        width: 0;
+        height: 42px;
+        min-height: 100%;
+        content: "";
+        transition: opacity 0ms;
+        opacity: 0;
+    }
+
+}
+
+.list-group-submenu a {
+    padding-left: 56px;
+}
+
+.active-menu-title, .active-menu a {
+    position: relative;
+    text-decoration: none;
+    background-color: #242f35;
+
+    &:before {
+        width: 3px;
+    }
+
+    &.active {
+        background-color: #242f35;
+    }
+}
+
+.active-menu a:before {
+    background: #242f35;
+}
+
+.alert.alert-danger {
+    color: #fff !important;
+}
+
+.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+    border-radius: 0 !important;
+}
+
+.navbar-brand {
+    padding: 10px 20px;
+}
+
+.label-opnsense {
+    /* emulates btn */
+    font-size: 12px;
+    line-height: 1.5;
+    display: inline-block;
+    vertical-align: middle;
+    border: 1px solid transparent;
+    border-radius: 3px;
+}
+
+.label-opnsense-sm {
+    /* emulates btn-sm */
+    padding: 5px 10px;
+}
+
+.label-opnsense-xs,
+.btn-xs {
+    /* emulates btn-xs */
+    padding: 1px 3px;
+}
+
+::-webkit-scrollbar {
+    width: 8px;
+}
+
+::-webkit-scrollbar-button {
+    width: 8px;
+    height: 5px;
+}
+
+::-webkit-scrollbar-track {
+    border-radius: 0;
+    background: #dcdcdc;
+    box-shadow: 0px 0px 0px;
+}
+
+::-webkit-scrollbar-thumb {
+    border: thin solid #e5e5e5;
+    border-radius: 0px;
+    background: #afafaf;
+}
+
+::-webkit-scrollbar-thumb:hover {
+    background: #e5e5e5;
+}
+
+.widgetdiv {
+    padding-top: 0px !important;
+    padding-bottom: 20px;
+}
+
+select {
+    overflow: hidden;
+    cursor: pointer;
+    border: 1px solid #ccc;
+    background-image: url($theme-path + "/build/images/caret.png") !important;
+    background-repeat: no-repeat;
+    background-position: right;
+    -webkit-appearance: none;
+    -moz-appearance: none;
+    appearance: none;
+}
+
+#grid-log th[data-column-id="__timestamp__"],
+#filter-log-entries th[data-column-id="__timestamp__"] {
+    min-width: 3.5em;
+}
+
+.table-responsive {
+    @media screen and (max-width: $screen-xs-max) {
+        margin-bottom: 0;
+        > .table {
+            > thead,
+            > tbody,
+            > tfoot {
+                > tr {
+                    > th,
+                    > td {
+                        white-space: normal;
+                    }
+                }
+            }
+        }
+    }
+}
+
+label > input[type="checkbox"],
+label > input[type="radio"] {
+    float: left;
+    margin-right: .4em;
+}
+
+input[type="checkbox"], input[type="radio"] {
+    font: inherit;
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+
+    width: 20px;
+    height: 20px;
+    margin: 0;
+    cursor: pointer;
+    transition: border-color 150ms ease, background-color 150ms ease;
+    transform: translateY(1px);
+    color: #3f3f3f;
+    border: 1px solid #e4eaec;
+
+    border-radius: 0.15em;
+    background-color: #fff;
+    -webkit-appearance: none;
+    appearance: none;
+
+    &::before {
+        visibility: hidden;
+        width: 10px;
+        height: 10px;
+        content: "";
+        transition: transform 120ms ease-out 60ms, opacity 120ms ease-out, visibility 120ms ease-out;
+        transform: scale(.65);
+        opacity: 0;
+        background-color: #fafafa;
+        box-shadow: inset 1em 1em var(--form-control-color);
+        /* Windows High Contrast Mode */
+        clip-path: polygon(14% 44%, 0 65%, 50% 100%, 100% 16%, 80% 0%, 43% 62%);
+    }
+
+    &:checked {
+        border-color: #3498db;
+        background-color: #3498db;
+
+        &::before {
+            visibility: visible;
+            transform: scale(1);
+            opacity: 1;
+            background-color: #fff;
+        }
+    }
+
+    &:hover {
+        border-color: #3498db;
+    }
+
+    &:disabled {
+        cursor: not-allowed;
+
+        color: var(--form-control-disabled);
+        --form-control-color: var(--form-control-disabled);
+    }
+}
+
+// Radio
+input[type="radio"] {
+    border-radius: 50%;
+}
+
+div[data-for*="help_for"] {
+    font-size: .85em;
+    font-style: italic;
+    padding-top: .5em;
+}
+
+#log-settings label[for^="act"] {
+    margin-right: 1.5em;
+}
+
+#log-settings table > tbody > tr > td {
+    vertical-align: middle;
+}
+
+#log-settings select#filterlogentries,
+#log-settings select#filterlogentriesupdateinterval {
+    width: 5em;
+}
+
+#log-settings select#filterlogentriesinterfaces {
+    min-width: 100%;
+    max-width: 100%;
+}
+
+/* fields in firewall schedule */
+[data-state="lightcoral"] {
+    background-color: lightcoral;
+}
+
+[data-state="white"] {
+    background-color: white;
+}
+
+[data-state="red"] {
+    background-color: red;
+}
+
+.tokens-container {
+    margin-top: 0px;
+    margin-bottom: 0px;
+}
+
+/**
+ * PRAHEC OVERRIDES
+ */
+.actionBar {
+    .btn.btn-default {
+        color: #767676;
+        border-color: #d8d8d8;
+        background: #fafafa;
+    }
+}
+
+.bootgrid-table td.select-cell {
+    overflow: visible;
+    width: 30px !important;
+}
+
+.act_toggle {
+    font-size: 15px;
+}
+
+.fa.command-toggle {
+    font-size: 16px;
+    padding-top: 5px;
+    vertical-align: middle;
+}
+
+.form-control {
+    &:hover {
+        border-color: #d1e5f2;
+    }
+}
+
+// Small fix for checkboxes & buttons in table rows due to our paddings.
+.table {
+    input[type=checkbox] {
+        margin-top: -4px;
+        margin-bottom: -4px;
+    }
+
+    .btn-xs {
+        margin-top: -4px;
+        margin-bottom: -4px;
+    }
+}
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/bootstrap-dialog.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/bootstrap-dialog.css
new file mode 100644
index 0000000000..adeca844d5
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/bootstrap-dialog.css
@@ -0,0 +1,113 @@
+.modal-backdrop {
+  z-index: -1;
+}
+.bootstrap-dialog {
+  /* dialog types */
+  /**
+     * Icon animation
+     * Copied from font-awesome: http://fontawesome.io/
+     **/
+  /** End of icon animation **/
+}
+.bootstrap-dialog .modal-header {
+  border-top-left-radius: 4px;
+  border-top-right-radius: 4px;
+}
+.bootstrap-dialog .bootstrap-dialog-title {
+  color: #fff;
+  display: inline-block;
+}
+.bootstrap-dialog .bootstrap-dialog-button-icon {
+  margin-right: 3px;
+}
+.bootstrap-dialog .bootstrap-dialog-close-button {
+  float: right;
+  filter: alpha(opacity=90);
+  -moz-opacity: 0.9;
+  -khtml-opacity: 0.9;
+  opacity: 0.9;
+}
+.bootstrap-dialog .bootstrap-dialog-close-button:hover {
+  cursor: pointer;
+  filter: alpha(opacity=100);
+  -moz-opacity: 1;
+  -khtml-opacity: 1;
+  opacity: 1;
+}
+.bootstrap-dialog.type-default .modal-header {
+  background-color: #fff;
+}
+.bootstrap-dialog.type-default .bootstrap-dialog-title {
+  color: #333;
+}
+.bootstrap-dialog.type-info .modal-header {
+  background-color: #B0CDDB;
+}
+.bootstrap-dialog.type-primary .modal-header {
+  background-color: #51aded;
+}
+.bootstrap-dialog.type-success .modal-header {
+  background-color: #7ebc59;
+}
+.bootstrap-dialog.type-warning .modal-header {
+  background-color: #f0ad4e;
+}
+.bootstrap-dialog.type-danger .modal-header {
+  background-color: #EE451F;
+}
+.bootstrap-dialog.size-large .bootstrap-dialog-title {
+  font-size: 24px;
+}
+.bootstrap-dialog.size-large .bootstrap-dialog-close-button {
+  font-size: 30px;
+}
+.bootstrap-dialog.size-large .bootstrap-dialog-message {
+  font-size: 18px;
+}
+.bootstrap-dialog .icon-spin {
+  display: inline-block;
+  -moz-animation: spin 2s infinite linear;
+  -o-animation: spin 2s infinite linear;
+  -webkit-animation: spin 2s infinite linear;
+  animation: spin 2s infinite linear;
+}
+@-moz-keyframes spin {
+  0% {
+    -moz-transform: rotate(0deg);
+  }
+  100% {
+    -moz-transform: rotate(359deg);
+  }
+}
+@-webkit-keyframes spin {
+  0% {
+    -webkit-transform: rotate(0deg);
+  }
+  100% {
+    -webkit-transform: rotate(359deg);
+  }
+}
+@-o-keyframes spin {
+  0% {
+    -o-transform: rotate(0deg);
+  }
+  100% {
+    -o-transform: rotate(359deg);
+  }
+}
+@-ms-keyframes spin {
+  0% {
+    -ms-transform: rotate(0deg);
+  }
+  100% {
+    -ms-transform: rotate(359deg);
+  }
+}
+@keyframes spin {
+  0% {
+    transform: rotate(0deg);
+  }
+  100% {
+    transform: rotate(359deg);
+  }
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/bootstrap-select.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/bootstrap-select.css
new file mode 100644
index 0000000000..b6c2903d8d
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/bootstrap-select.css
@@ -0,0 +1 @@
+@keyframes bs-notify-fadeOut{0%{opacity:0.9}100%{opacity:0}}select.bs-select-hidden,.bootstrap-select>select.bs-select-hidden,select.selectpicker{display:none !important}.bootstrap-select{width:220px \0;vertical-align:middle}.bootstrap-select>.dropdown-toggle{position:relative;width:100%;text-align:right;white-space:nowrap;display:inline-flex;align-items:center;justify-content:space-between}.bootstrap-select>.dropdown-toggle:after{margin-top:-1px}.bootstrap-select>.dropdown-toggle.bs-placeholder,.bootstrap-select>.dropdown-toggle.bs-placeholder:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder:active{color:#999}.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-primary,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-primary:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-primary:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-primary:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-secondary,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-secondary:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-secondary:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-secondary:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-success,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-success:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-success:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-success:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-danger,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-danger:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-danger:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-danger:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-info,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-info:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-info:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-info:active,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-dark,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-dark:hover,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-dark:focus,.bootstrap-select>.dropdown-toggle.bs-placeholder.btn-dark:active{color:rgba(255,255,255,0.5)}.bootstrap-select>select{position:absolute !important;bottom:0;left:50%;display:block !important;width:0.5px !important;height:100% !important;padding:0 !important;opacity:0 !important;border:none;z-index:0 !important}.bootstrap-select>select.mobile-device{top:0;left:0;display:block !important;width:100% !important;z-index:2 !important}.has-error .bootstrap-select .dropdown-toggle,.error .bootstrap-select .dropdown-toggle,.bootstrap-select.is-invalid .dropdown-toggle,.was-validated .bootstrap-select select:invalid+.dropdown-toggle{border-color:#b94a48}.bootstrap-select.is-valid .dropdown-toggle,.was-validated .bootstrap-select select:valid+.dropdown-toggle{border-color:#28a745}.bootstrap-select.fit-width{width:auto !important}.bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn){width:220px}.bootstrap-select>select.mobile-device:focus+.dropdown-toggle{outline:thin dotted #333333 !important;outline:5px auto -webkit-focus-ring-color !important;outline-offset:-2px}.bootstrap-select.form-control{margin-bottom:0;padding:0;border:none;height:auto}:not(.input-group)>.bootstrap-select.form-control:not([class*="col-"]){width:100%}.bootstrap-select.form-control.input-group-btn{float:none;z-index:auto}.form-inline .bootstrap-select,.form-inline .bootstrap-select.form-control:not([class*="col-"]){width:auto}.bootstrap-select:not(.input-group-btn),.bootstrap-select[class*="col-"]{float:none;display:inline-block;margin-left:0}.bootstrap-select.dropdown-menu-right,.bootstrap-select[class*="col-"].dropdown-menu-right,.row .bootstrap-select[class*="col-"].dropdown-menu-right{float:right}.form-inline .bootstrap-select,.form-horizontal .bootstrap-select,.form-group .bootstrap-select{margin-bottom:0}.form-group-lg .bootstrap-select.form-control,.form-group-sm .bootstrap-select.form-control{padding:0}.form-group-lg .bootstrap-select.form-control .dropdown-toggle,.form-group-sm .bootstrap-select.form-control .dropdown-toggle{height:100%;font-size:inherit;line-height:inherit;border-radius:inherit}.bootstrap-select.form-control-sm .dropdown-toggle,.bootstrap-select.form-control-lg .dropdown-toggle{font-size:inherit;line-height:inherit;border-radius:inherit}.bootstrap-select.form-control-sm .dropdown-toggle{padding:.25rem .5rem}.bootstrap-select.form-control-lg .dropdown-toggle{padding:.5rem 1rem}.form-inline .bootstrap-select .form-control{width:100%}.bootstrap-select.disabled,.bootstrap-select>.disabled{cursor:not-allowed}.bootstrap-select.disabled:focus,.bootstrap-select>.disabled:focus{outline:none !important}.bootstrap-select.bs-container{position:absolute;top:0;left:0;height:0 !important;padding:0 !important}.bootstrap-select.bs-container .dropdown-menu{z-index:9998}.bootstrap-select .dropdown-toggle .filter-option{position:static;top:0;left:0;float:left;height:100%;width:100%;text-align:left;overflow:hidden;flex:0 1 auto}.bs3.bootstrap-select .dropdown-toggle .filter-option{padding-right:inherit}.input-group .bs3-has-addon.bootstrap-select .dropdown-toggle .filter-option{position:absolute;padding-top:inherit;padding-bottom:inherit;padding-left:inherit;float:none}.input-group .bs3-has-addon.bootstrap-select .dropdown-toggle .filter-option .filter-option-inner{padding-right:inherit}.bootstrap-select .dropdown-toggle .filter-option-inner-inner{overflow:hidden}.bootstrap-select .dropdown-toggle .filter-expand{width:0 !important;float:left;opacity:0 !important;overflow:hidden}.bootstrap-select .dropdown-toggle .caret{position:absolute;top:50%;right:12px;margin-top:-2px;vertical-align:middle}.input-group .bootstrap-select.form-control .dropdown-toggle{border-radius:inherit}.bootstrap-select[class*="col-"] .dropdown-toggle{width:100%}.bootstrap-select .dropdown-menu{min-width:100%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.bootstrap-select .dropdown-menu>.inner:focus{outline:none !important}.bootstrap-select .dropdown-menu.inner{position:static;float:none;border:0;padding:0;margin:0;border-radius:0;box-shadow:none}.bootstrap-select .dropdown-menu li{position:relative}.bootstrap-select .dropdown-menu li.active small{color:rgba(255,255,255,0.5) !important}.bootstrap-select .dropdown-menu li.disabled a{cursor:not-allowed}.bootstrap-select .dropdown-menu li a{cursor:pointer;user-select:none}.bootstrap-select .dropdown-menu li a.opt{position:relative;padding-left:2.25em}.bootstrap-select .dropdown-menu li a span.check-mark{display:none}.bootstrap-select .dropdown-menu li a span.text{display:inline-block}.bootstrap-select .dropdown-menu li small{padding-left:0.5em}.bootstrap-select .dropdown-menu .notify{position:absolute;bottom:5px;width:96%;margin:0 2%;min-height:26px;padding:3px 5px;background:#f5f5f5;border:1px solid #e3e3e3;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.05);box-shadow:inset 0 1px 1px rgba(0,0,0,0.05);pointer-events:none;opacity:0.9;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.bootstrap-select .dropdown-menu .notify.fadeOut{animation:300ms linear 750ms forwards bs-notify-fadeOut}.bootstrap-select .no-results{padding:3px;background:#f5f5f5;margin:0 5px;white-space:nowrap}.bootstrap-select.fit-width .dropdown-toggle .filter-option{position:static;display:inline;padding:0}.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner{display:inline}.bootstrap-select.fit-width .dropdown-toggle .bs-caret:before{content:'\00a0'}.bootstrap-select.fit-width .dropdown-toggle .caret{position:static;top:auto;margin-top:-1px}.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark{position:absolute;display:inline-block;right:15px;top:5px}.bootstrap-select.show-tick .dropdown-menu li a span.text{margin-right:34px}.bootstrap-select .bs-ok-default:after{content:'';display:block;width:0.5em;height:1em;border-style:solid;border-width:0 0.26em 0.26em 0;transform:rotate(45deg)}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle,.bootstrap-select.show-menu-arrow.show>.dropdown-toggle{z-index:9999}.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before{content:'';border-left:7px solid transparent;border-right:7px solid transparent;border-bottom:7px solid rgba(204,204,204,0.2);position:absolute;bottom:-4px;left:9px;display:none}.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after{content:'';border-left:6px solid transparent;border-right:6px solid transparent;border-bottom:6px solid white;position:absolute;bottom:-4px;left:10px;display:none}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before{bottom:auto;top:-4px;border-top:7px solid rgba(204,204,204,0.2);border-bottom:0}.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after{bottom:auto;top:-4px;border-top:6px solid white;border-bottom:0}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before{right:12px;left:auto}.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after{right:13px;left:auto}.bootstrap-select.show-menu-arrow.open>.dropdown-toggle .filter-option:before,.bootstrap-select.show-menu-arrow.open>.dropdown-toggle .filter-option:after,.bootstrap-select.show-menu-arrow.show>.dropdown-toggle .filter-option:before,.bootstrap-select.show-menu-arrow.show>.dropdown-toggle .filter-option:after{display:block}.bs-searchbox,.bs-actionsbox,.bs-donebutton{padding:4px 8px}.bs-actionsbox{width:100%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.bs-actionsbox .btn-group button{width:50%}.bs-donebutton{float:left;width:100%;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}.bs-donebutton .btn-group button{width:100%}.bs-searchbox+.bs-actionsbox{padding:0 8px 4px}.bs-searchbox .form-control{margin-bottom:0;width:100%;float:none}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
new file mode 100644
index 0000000000..f140ce3411
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
@@ -0,0 +1 @@
+:root{--chart-js-background-color: #f7e2d6;--chart-js-border-color: #f6f6f6;--chart-js-font-color: #4b4b64}.btn-pressed,.btn-pressed:hover{color:white;background-color:#0086d9}#save-grid{position:relative;display:inline-flex;align-items:center;justify-content:center;width:50px;height:33px;margin-right:10px;transition:opacity 0.3s ease}#save-btn-text,#icon-container{position:absolute}#icon-container{display:inline-flex;align-items:center;justify-content:center}#save-spinner,#save-check{transition:opacity 0.3s ease, transform 0.3s ease}.transition-spinner,transition-check{transition:opacity 0.3s ease, transform 0.3s ease}.grid-stack-item-content{text-align:center;border:none !important;border-radius:0.5em 0.5em 0.5em 0.5em;background-color:#fff;box-shadow:0 2px 4px rgba(40,40,50,0.15),0 0 1px rgba(40,40,50,0.35)}.widget-error{margin:50px;color:#721c24}.widget-content{position:relative;width:100%;height:100%;padding:1px;cursor:grab}.widget-header{font-size:14px;display:flex;align-items:center;justify-content:space-between;margin-top:0.5em;margin-right:1em;margin-left:1em}.widget-spinner{margin-top:20px}.fa-stack.small{font-size:0.5em}.close-handle,.edit-handle{padding:.2rem .5rem;cursor:pointer;text-align:right;vertical-align:middle}.close-handle>i,.edit-handle>i{font-size:1.2rem !important}.widget-header-left{display:flex;align-items:center;flex:1;justify-content:flex-start}.widget-command-container{display:flex;align-items:center;flex:1;justify-content:flex-end}.widget-title{display:flex;align-items:center;justify-content:center}.panel-divider{width:100%;height:8px;margin-bottom:10px;text-align:center}.panel-divider .line{display:none}td{word-break:break-all}.canvas-container{position:relative}.cpu-canvas-container{display:flex;flex-direction:column}.smoothie-container{width:100%}.smoothie-chart-tooltip{font-size:13px;z-index:1;padding-right:15px;padding-left:15px;pointer-events:none;color:white;border-radius:0.5em 0.5em 0.5em 0.5em;background:rgba(50,50,50,0.9)}.flex-container{display:flex;flex-wrap:nowrap;white-space:nowrap}.gateway-info{font-size:13px;margin:5px;padding:5px}.gateway-detail-container{display:none;margin:5px}.interface-info{display:flex;align-items:center;flex-wrap:wrap;height:100%}.nowrap{flex-wrap:nowrap}.gateway-graph{display:none}.flex-container>.gateway-graph{font-size:13px}.vertical-center-row{display:inline;height:100%}.interfaces-info{font-size:.8rem;margin:5px}.interface-descr{font-size:1em;margin-left:.8em;cursor:pointer;text-decoration:underline}.interfaces-detail-container{display:none;margin:5px}.d-flex{display:flex}.d-flex>.justify-content-start{justify-content:start}.d-flex>.justify-content-end{justify-content:end}#chartjs-toolip{z-index:20}.cpu-type{margin-top:10px;margin-bottom:10px}div{box-sizing:border-box}.flextable-container{display:block;width:95%;max-width:1200px;margin:2em auto}.flextable-header{display:flex;flex-flow:row wrap;padding:0.5em 0.5em;transition:0.5s;border-top:solid 1px rgba(0,119,217,0.15) !important}.flextable-row{display:flex;align-items:center;flex-flow:row wrap;padding:0.5em 0.5em;transition:0.5s;border-top:solid 1px #e8eaef !important}.flextable-header .flex-cell{font-weight:bold}.flextable-row:hover{transition:500ms;background:#f5f5f5}.flex-cell{padding:4px 0;text-align:left;word-break:break-word}.column{display:flex;flex-flow:column wrap;width:50%;padding:0}.column .flex-cell{display:flex;flex-flow:row wrap;width:100%;padding:4px 0;border:0;border-top:#e8eaef}.column .flex-cell:hover{transition:500ms;background:#f5f5f5}.flex-subcell{width:100%;text-align:left}.column .flex-cell:not(:last-child){border-bottom:solid 1px #e8eaef !important}.grid-header-container{display:grid;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row{display:grid;transition:0.5s;opacity:0.4;border-top:1px solid #eff3f8;background-color:#d6e5f7;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row:hover{transition:500ms;background:#f5f5f5 !important}.grid-header{font-weight:bold;border-top:1px solid #eff3f8}.grid-item{padding:4px;text-align:center}.ovpn-common-name{display:flex;align-items:center;justify-content:center}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/main.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/main.css
new file mode 100644
index 0000000000..9333e6d6b6
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/main.css
@@ -0,0 +1 @@
+.widgetdiv .content-box-head{overflow:hidden;min-height:25px !important;padding:8px !important;color:#3c3c3b !important;border-top-left-radius:3px;border-top-right-radius:3px;background:#e8e8e8 !important}.widgetdiv .content-box-head .btn-group .btn{color:#3c3c3b !important;border:0px;background:#e8e8e8 !important}.widgetdiv .content-box-head .btn-group .btn .glyphicon{color:#3c3c3b !important}.widgetdiv .content-box-head .list-inline li>h3{padding-top:4px}@font-face{font-family:"Inter";font-style:normal;font-weight:600;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}@font-face{font-family:"Inter";font-style:normal;font-weight:500;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}@font-face{font-family:"Inter";font-style:normal;font-weight:400;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}/*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:rgba(0,0,0,0)}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}input{line-height:normal}input[type=checkbox],input[type=radio]{box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}legend{border:0;padding:0}textarea{overflow:auto}optgroup{font-weight:bold}table{border-collapse:collapse;border-spacing:0}td,th{padding:0}@media print{*{text-shadow:none !important;color:#000 !important;background:rgba(0,0,0,0) !important;box-shadow:none !important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff !important}.navbar{display:none}.table td,.table th{background-color:#fff !important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000 !important}.label{border:1px solid #000}.table{border-collapse:collapse !important}.table-bordered th,.table-bordered td{border:1px solid #ddd !important}}@font-face{font-family:"Glyphicons Halflings";src:url("../fonts/bootstrap/glyphicons-halflings-regular.eot");src:url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"),url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"),url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"),url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg")}.glyphicon{position:relative;top:1px;display:inline-block;font-family:"Glyphicons Halflings";font-style:normal;font-weight:normal;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"*"}.glyphicon-plus:before{content:"+"}.glyphicon-euro:before{content:"€"}.glyphicon-minus:before{content:"−"}.glyphicon-cloud:before{content:"☁"}.glyphicon-envelope:before{content:"✉"}.glyphicon-pencil:before{content:"✏"}.glyphicon-glass:before{content:""}.glyphicon-music:before{content:""}.glyphicon-search:before{content:""}.glyphicon-heart:before{content:""}.glyphicon-star:before{content:""}.glyphicon-star-empty:before{content:""}.glyphicon-user:before{content:""}.glyphicon-film:before{content:""}.glyphicon-th-large:before{content:""}.glyphicon-th:before{content:""}.glyphicon-th-list:before{content:""}.glyphicon-ok:before{content:""}.glyphicon-remove:before{content:""}.glyphicon-zoom-in:before{content:""}.glyphicon-zoom-out:before{content:""}.glyphicon-off:before{content:""}.glyphicon-signal:before{content:""}.glyphicon-cog:before{content:""}.glyphicon-trash:before{content:""}.glyphicon-home:before{content:""}.glyphicon-file:before{content:""}.glyphicon-time:before{content:""}.glyphicon-road:before{content:""}.glyphicon-download-alt:before{content:""}.glyphicon-download:before{content:""}.glyphicon-upload:before{content:""}.glyphicon-inbox:before{content:""}.glyphicon-play-circle:before{content:""}.glyphicon-repeat:before{content:""}.glyphicon-refresh:before{content:""}.glyphicon-list-alt:before{content:""}.glyphicon-lock:before{content:""}.glyphicon-flag:before{content:""}.glyphicon-headphones:before{content:""}.glyphicon-volume-off:before{content:""}.glyphicon-volume-down:before{content:""}.glyphicon-volume-up:before{content:""}.glyphicon-qrcode:before{content:""}.glyphicon-barcode:before{content:""}.glyphicon-tag:before{content:""}.glyphicon-tags:before{content:""}.glyphicon-book:before{content:""}.glyphicon-bookmark:before{content:""}.glyphicon-print:before{content:""}.glyphicon-camera:before{content:""}.glyphicon-font:before{content:""}.glyphicon-bold:before{content:""}.glyphicon-italic:before{content:""}.glyphicon-text-height:before{content:""}.glyphicon-text-width:before{content:""}.glyphicon-align-left:before{content:""}.glyphicon-align-center:before{content:""}.glyphicon-align-right:before{content:""}.glyphicon-align-justify:before{content:""}.glyphicon-list:before{content:""}.glyphicon-indent-left:before{content:""}.glyphicon-indent-right:before{content:""}.glyphicon-facetime-video:before{content:""}.glyphicon-picture:before{content:""}.glyphicon-map-marker:before{content:""}.glyphicon-adjust:before{content:""}.glyphicon-tint:before{content:""}.glyphicon-edit:before{content:""}.glyphicon-share:before{content:""}.glyphicon-check:before{content:""}.glyphicon-move:before{content:""}.glyphicon-step-backward:before{content:""}.glyphicon-fast-backward:before{content:""}.glyphicon-backward:before{content:""}.glyphicon-play:before{content:""}.glyphicon-pause:before{content:""}.glyphicon-stop:before{content:""}.glyphicon-forward:before{content:""}.glyphicon-fast-forward:before{content:""}.glyphicon-step-forward:before{content:""}.glyphicon-eject:before{content:""}.glyphicon-chevron-left:before{content:""}.glyphicon-chevron-right:before{content:""}.glyphicon-plus-sign:before{content:""}.glyphicon-minus-sign:before{content:""}.glyphicon-remove-sign:before{content:""}.glyphicon-ok-sign:before{content:""}.glyphicon-question-sign:before{content:""}.glyphicon-info-sign:before{content:""}.glyphicon-screenshot:before{content:""}.glyphicon-remove-circle:before{content:""}.glyphicon-ok-circle:before{content:""}.glyphicon-ban-circle:before{content:""}.glyphicon-arrow-left:before{content:""}.glyphicon-arrow-right:before{content:""}.glyphicon-arrow-up:before{content:""}.glyphicon-arrow-down:before{content:""}.glyphicon-share-alt:before{content:""}.glyphicon-resize-full:before{content:""}.glyphicon-resize-small:before{content:""}.glyphicon-exclamation-sign:before{content:""}.glyphicon-gift:before{content:""}.glyphicon-leaf:before{content:""}.glyphicon-fire:before{content:""}.glyphicon-eye-open:before{content:""}.glyphicon-eye-close:before{content:""}.glyphicon-warning-sign:before{content:""}.glyphicon-plane:before{content:""}.glyphicon-calendar:before{content:""}.glyphicon-random:before{content:""}.glyphicon-comment:before{content:""}.glyphicon-magnet:before{content:""}.glyphicon-chevron-up:before{content:""}.glyphicon-chevron-down:before{content:""}.glyphicon-retweet:before{content:""}.glyphicon-shopping-cart:before{content:""}.glyphicon-folder-close:before{content:""}.glyphicon-folder-open:before{content:""}.glyphicon-resize-vertical:before{content:""}.glyphicon-resize-horizontal:before{content:""}.glyphicon-hdd:before{content:""}.glyphicon-bullhorn:before{content:""}.glyphicon-bell:before{content:""}.glyphicon-certificate:before{content:""}.glyphicon-thumbs-up:before{content:""}.glyphicon-thumbs-down:before{content:""}.glyphicon-hand-right:before{content:""}.glyphicon-hand-left:before{content:""}.glyphicon-hand-up:before{content:""}.glyphicon-hand-down:before{content:""}.glyphicon-circle-arrow-right:before{content:""}.glyphicon-circle-arrow-left:before{content:""}.glyphicon-circle-arrow-up:before{content:""}.glyphicon-circle-arrow-down:before{content:""}.glyphicon-globe:before{content:""}.glyphicon-wrench:before{content:""}.glyphicon-tasks:before{content:""}.glyphicon-filter:before{content:""}.glyphicon-briefcase:before{content:""}.glyphicon-fullscreen:before{content:""}.glyphicon-dashboard:before{content:""}.glyphicon-paperclip:before{content:""}.glyphicon-heart-empty:before{content:""}.glyphicon-link:before{content:""}.glyphicon-phone:before{content:""}.glyphicon-pushpin:before{content:""}.glyphicon-usd:before{content:""}.glyphicon-gbp:before{content:""}.glyphicon-sort:before{content:""}.glyphicon-sort-by-alphabet:before{content:""}.glyphicon-sort-by-alphabet-alt:before{content:""}.glyphicon-sort-by-order:before{content:""}.glyphicon-sort-by-order-alt:before{content:""}.glyphicon-sort-by-attributes:before{content:""}.glyphicon-sort-by-attributes-alt:before{content:""}.glyphicon-unchecked:before{content:""}.glyphicon-expand:before{content:""}.glyphicon-collapse-down:before{content:""}.glyphicon-collapse-up:before{content:""}.glyphicon-log-in:before{content:""}.glyphicon-flash:before{content:""}.glyphicon-log-out:before{content:""}.glyphicon-new-window:before{content:""}.glyphicon-record:before{content:""}.glyphicon-save:before{content:""}.glyphicon-open:before{content:""}.glyphicon-saved:before{content:""}.glyphicon-import:before{content:""}.glyphicon-export:before{content:""}.glyphicon-send:before{content:""}.glyphicon-floppy-disk:before{content:""}.glyphicon-floppy-saved:before{content:""}.glyphicon-floppy-remove:before{content:""}.glyphicon-floppy-save:before{content:""}.glyphicon-floppy-open:before{content:""}.glyphicon-credit-card:before{content:""}.glyphicon-transfer:before{content:""}.glyphicon-cutlery:before{content:""}.glyphicon-header:before{content:""}.glyphicon-compressed:before{content:""}.glyphicon-earphone:before{content:""}.glyphicon-phone-alt:before{content:""}.glyphicon-tower:before{content:""}.glyphicon-stats:before{content:""}.glyphicon-sd-video:before{content:""}.glyphicon-hd-video:before{content:""}.glyphicon-subtitles:before{content:""}.glyphicon-sound-stereo:before{content:""}.glyphicon-sound-dolby:before{content:""}.glyphicon-sound-5-1:before{content:""}.glyphicon-sound-6-1:before{content:""}.glyphicon-sound-7-1:before{content:""}.glyphicon-copyright-mark:before{content:""}.glyphicon-registration-mark:before{content:""}.glyphicon-cloud-download:before{content:""}.glyphicon-cloud-upload:before{content:""}.glyphicon-tree-conifer:before{content:""}.glyphicon-tree-deciduous:before{content:""}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;line-height:1.428571429;color:#3c3c3b;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#51aded;text-decoration:none}a:hover,a:focus{color:#178adb;text-decoration:underline}a:focus{outline:none}figure{margin:0}img{vertical-align:middle}.img-responsive{display:block;width:100% \9 ;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{padding:4px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:3px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out;display:inline-block;width:100% \9 ;max-width:100%;height:auto}.img-circle{border-radius:50%}hr{margin-top:18px;margin-bottom:18px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;margin:-1px;padding:0;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:"Inter";font-weight:500;line-height:1.4;color:inherit}h1 small,h1 .small,h2 small,h2 .small,h3 small,h3 .small,h4 small,h4 .small,h5 small,h5 .small,h6 small,h6 .small,.h1 small,.h1 .small,.h2 small,.h2 .small,.h3 small,.h3 .small,.h4 small,.h4 .small,.h5 small,.h5 .small,.h6 small,.h6 .small{font-weight:normal;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:18px;margin-bottom:9px}h1 small,h1 .small,.h1 small,.h1 .small,h2 small,h2 .small,.h2 small,.h2 .small,h3 small,h3 .small,.h3 small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:9px;margin-bottom:9px}h4 small,h4 .small,.h4 small,.h4 .small,h5 small,h5 .small,.h5 small,.h5 .small,h6 small,h6 .small,.h6 small,.h6 .small{font-size:75%}h1,.h1{font-size:22px}h2,.h2{font-size:14px}h3,.h3{font-size:13px}h4,.h4{font-size:17px}h5,.h5{font-size:13px}h6,.h6{font-size:12px}p{margin:0 0 9px}.lead{margin-bottom:18px;font-size:14px;font-weight:300;line-height:1.4}@media(min-width: 768px){.lead{font-size:19.5px}}small,.small{font-size:92%}cite{font-style:normal}mark,.mark{background-color:#fcf8e3;padding:.2em}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#51aded}a.text-primary:hover{color:#2397e8}.text-success{color:#7ebc59}a.text-success:hover{color:#65a141}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#f0ad4e}a.text-warning:hover{color:#ec971f}.text-danger{color:#ee451f}a.text-danger:hover{color:#cb320f}.bg-primary{color:#fff}.bg-primary{background-color:#51aded}a.bg-primary:hover{background-color:#2397e8}.bg-success{background-color:#7ebc59}a.bg-success:hover{background-color:#65a141}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#ee451f}a.bg-danger:hover{background-color:#cb320f}.page-header{padding-bottom:8px;margin:36px 0 18px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:9px}ul ul,ul ol,ol ul,ol ol{margin-bottom:0}.list-unstyled,.list-inline{padding-left:0;list-style:none}.list-inline{margin-left:-5px}.list-inline>li{float:left;padding-left:5px;padding-right:5px}dl{margin-top:0;margin-bottom:18px}dt,dd{line-height:1.428571429}dt{font-weight:bold}dd{margin-left:0}.dl-horizontal dd:before,.dl-horizontal dd:after{content:" ";display:table}.dl-horizontal dd:after{clear:both}@media(min-width: 768px){.dl-horizontal dt{float:left;width:160px;clear:left;text-align:right;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:9px 18px;margin:0 0 18px;font-size:16.25px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.428571429;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:"— "}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0;text-align:right}.blockquote-reverse footer:before,.blockquote-reverse small:before,.blockquote-reverse .small:before,blockquote.pull-right footer:before,blockquote.pull-right small:before,blockquote.pull-right .small:before{content:""}.blockquote-reverse footer:after,.blockquote-reverse small:after,.blockquote-reverse .small:after,blockquote.pull-right footer:after,blockquote.pull-right small:after,blockquote.pull-right .small:after{content:" —"}blockquote:before,blockquote:after{content:""}address{margin-bottom:18px;font-style:normal;line-height:1.428571429}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:3px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;box-shadow:none}pre{display:block;padding:calc((18px - 100%)/2);margin:0 0 9px;font-size:12px;line-height:1.428571429;word-break:break-all;word-wrap:break-word;color:#333;background-color:#f5f5f5;border:1px solid #ccc;border-radius:3px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:rgba(0,0,0,0);border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{margin-right:auto;margin-left:auto;padding-left:20px;padding-right:20px}.container:before,.container:after{content:" ";display:table}.container:after{clear:both}@media(min-width: 768px){.container{width:760px}}@media(min-width: 992px){.container{width:980px}}@media(min-width: 1200px){.container{width:1180px}}.container-fluid{margin-right:auto;margin-left:auto;padding-left:20px;padding-right:20px}.container-fluid:before,.container-fluid:after{content:" ";display:table}.container-fluid:after{clear:both}.row{margin-left:-20px;margin-right:-20px}.row:before,.row:after{content:" ";display:table}.row:after{clear:both}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-left:20px;padding-right:20px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-1{width:8.3333333333%}.col-xs-2{width:16.6666666667%}.col-xs-3{width:25%}.col-xs-4{width:33.3333333333%}.col-xs-5{width:41.6666666667%}.col-xs-6{width:50%}.col-xs-7{width:58.3333333333%}.col-xs-8{width:66.6666666667%}.col-xs-9{width:75%}.col-xs-10{width:83.3333333333%}.col-xs-11{width:91.6666666667%}.col-xs-12{width:100%}.col-xs-pull-0{right:auto}.col-xs-pull-1{right:8.3333333333%}.col-xs-pull-2{right:16.6666666667%}.col-xs-pull-3{right:25%}.col-xs-pull-4{right:33.3333333333%}.col-xs-pull-5{right:41.6666666667%}.col-xs-pull-6{right:50%}.col-xs-pull-7{right:58.3333333333%}.col-xs-pull-8{right:66.6666666667%}.col-xs-pull-9{right:75%}.col-xs-pull-10{right:83.3333333333%}.col-xs-pull-11{right:91.6666666667%}.col-xs-pull-12{right:100%}.col-xs-push-0{left:auto}.col-xs-push-1{left:8.3333333333%}.col-xs-push-2{left:16.6666666667%}.col-xs-push-3{left:25%}.col-xs-push-4{left:33.3333333333%}.col-xs-push-5{left:41.6666666667%}.col-xs-push-6{left:50%}.col-xs-push-7{left:58.3333333333%}.col-xs-push-8{left:66.6666666667%}.col-xs-push-9{left:75%}.col-xs-push-10{left:83.3333333333%}.col-xs-push-11{left:91.6666666667%}.col-xs-push-12{left:100%}.col-xs-offset-0{margin-left:0%}.col-xs-offset-1{margin-left:8.3333333333%}.col-xs-offset-2{margin-left:16.6666666667%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-4{margin-left:33.3333333333%}.col-xs-offset-5{margin-left:41.6666666667%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-7{margin-left:58.3333333333%}.col-xs-offset-8{margin-left:66.6666666667%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-10{margin-left:83.3333333333%}.col-xs-offset-11{margin-left:91.6666666667%}.col-xs-offset-12{margin-left:100%}@media(min-width: 768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-1{width:8.3333333333%}.col-sm-2{width:16.6666666667%}.col-sm-3{width:25%}.col-sm-4{width:33.3333333333%}.col-sm-5{width:41.6666666667%}.col-sm-6{width:50%}.col-sm-7{width:58.3333333333%}.col-sm-8{width:66.6666666667%}.col-sm-9{width:75%}.col-sm-10{width:83.3333333333%}.col-sm-11{width:91.6666666667%}.col-sm-12{width:100%}.col-sm-pull-0{right:auto}.col-sm-pull-1{right:8.3333333333%}.col-sm-pull-2{right:16.6666666667%}.col-sm-pull-3{right:25%}.col-sm-pull-4{right:33.3333333333%}.col-sm-pull-5{right:41.6666666667%}.col-sm-pull-6{right:50%}.col-sm-pull-7{right:58.3333333333%}.col-sm-pull-8{right:66.6666666667%}.col-sm-pull-9{right:75%}.col-sm-pull-10{right:83.3333333333%}.col-sm-pull-11{right:91.6666666667%}.col-sm-pull-12{right:100%}.col-sm-push-0{left:auto}.col-sm-push-1{left:8.3333333333%}.col-sm-push-2{left:16.6666666667%}.col-sm-push-3{left:25%}.col-sm-push-4{left:33.3333333333%}.col-sm-push-5{left:41.6666666667%}.col-sm-push-6{left:50%}.col-sm-push-7{left:58.3333333333%}.col-sm-push-8{left:66.6666666667%}.col-sm-push-9{left:75%}.col-sm-push-10{left:83.3333333333%}.col-sm-push-11{left:91.6666666667%}.col-sm-push-12{left:100%}.col-sm-offset-0{margin-left:0%}.col-sm-offset-1{margin-left:8.3333333333%}.col-sm-offset-2{margin-left:16.6666666667%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-4{margin-left:33.3333333333%}.col-sm-offset-5{margin-left:41.6666666667%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-7{margin-left:58.3333333333%}.col-sm-offset-8{margin-left:66.6666666667%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-10{margin-left:83.3333333333%}.col-sm-offset-11{margin-left:91.6666666667%}.col-sm-offset-12{margin-left:100%}}@media(min-width: 992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-1{width:8.3333333333%}.col-md-2{width:16.6666666667%}.col-md-3{width:25%}.col-md-4{width:33.3333333333%}.col-md-5{width:41.6666666667%}.col-md-6{width:50%}.col-md-7{width:58.3333333333%}.col-md-8{width:66.6666666667%}.col-md-9{width:75%}.col-md-10{width:83.3333333333%}.col-md-11{width:91.6666666667%}.col-md-12{width:100%}.col-md-pull-0{right:auto}.col-md-pull-1{right:8.3333333333%}.col-md-pull-2{right:16.6666666667%}.col-md-pull-3{right:25%}.col-md-pull-4{right:33.3333333333%}.col-md-pull-5{right:41.6666666667%}.col-md-pull-6{right:50%}.col-md-pull-7{right:58.3333333333%}.col-md-pull-8{right:66.6666666667%}.col-md-pull-9{right:75%}.col-md-pull-10{right:83.3333333333%}.col-md-pull-11{right:91.6666666667%}.col-md-pull-12{right:100%}.col-md-push-0{left:auto}.col-md-push-1{left:8.3333333333%}.col-md-push-2{left:16.6666666667%}.col-md-push-3{left:25%}.col-md-push-4{left:33.3333333333%}.col-md-push-5{left:41.6666666667%}.col-md-push-6{left:50%}.col-md-push-7{left:58.3333333333%}.col-md-push-8{left:66.6666666667%}.col-md-push-9{left:75%}.col-md-push-10{left:83.3333333333%}.col-md-push-11{left:91.6666666667%}.col-md-push-12{left:100%}.col-md-offset-0{margin-left:0%}.col-md-offset-1{margin-left:8.3333333333%}.col-md-offset-2{margin-left:16.6666666667%}.col-md-offset-3{margin-left:25%}.col-md-offset-4{margin-left:33.3333333333%}.col-md-offset-5{margin-left:41.6666666667%}.col-md-offset-6{margin-left:50%}.col-md-offset-7{margin-left:58.3333333333%}.col-md-offset-8{margin-left:66.6666666667%}.col-md-offset-9{margin-left:75%}.col-md-offset-10{margin-left:83.3333333333%}.col-md-offset-11{margin-left:91.6666666667%}.col-md-offset-12{margin-left:100%}}@media(min-width: 1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-1{width:8.3333333333%}.col-lg-2{width:16.6666666667%}.col-lg-3{width:25%}.col-lg-4{width:33.3333333333%}.col-lg-5{width:41.6666666667%}.col-lg-6{width:50%}.col-lg-7{width:58.3333333333%}.col-lg-8{width:66.6666666667%}.col-lg-9{width:75%}.col-lg-10{width:83.3333333333%}.col-lg-11{width:91.6666666667%}.col-lg-12{width:100%}.col-lg-pull-0{right:auto}.col-lg-pull-1{right:8.3333333333%}.col-lg-pull-2{right:16.6666666667%}.col-lg-pull-3{right:25%}.col-lg-pull-4{right:33.3333333333%}.col-lg-pull-5{right:41.6666666667%}.col-lg-pull-6{right:50%}.col-lg-pull-7{right:58.3333333333%}.col-lg-pull-8{right:66.6666666667%}.col-lg-pull-9{right:75%}.col-lg-pull-10{right:83.3333333333%}.col-lg-pull-11{right:91.6666666667%}.col-lg-pull-12{right:100%}.col-lg-push-0{left:auto}.col-lg-push-1{left:8.3333333333%}.col-lg-push-2{left:16.6666666667%}.col-lg-push-3{left:25%}.col-lg-push-4{left:33.3333333333%}.col-lg-push-5{left:41.6666666667%}.col-lg-push-6{left:50%}.col-lg-push-7{left:58.3333333333%}.col-lg-push-8{left:66.6666666667%}.col-lg-push-9{left:75%}.col-lg-push-10{left:83.3333333333%}.col-lg-push-11{left:91.6666666667%}.col-lg-push-12{left:100%}.col-lg-offset-0{margin-left:0%}.col-lg-offset-1{margin-left:8.3333333333%}.col-lg-offset-2{margin-left:16.6666666667%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-4{margin-left:33.3333333333%}.col-lg-offset-5{margin-left:41.6666666667%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-7{margin-left:58.3333333333%}.col-lg-offset-8{margin-left:66.6666666667%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-10{margin-left:83.3333333333%}.col-lg-offset-11{margin-left:91.6666666667%}.col-lg-offset-12{margin-left:100%}}table{background-color:rgba(0,0,0,0);color:#444}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:18px}.table>thead>tr>th,.table>thead>tr>td,.table>tbody>tr>th,.table>tbody>tr>td,.table>tfoot>tr>th,.table>tfoot>tr>td{padding:10px 0px 10px 20px;line-height:1.428571429;vertical-align:top;border-top:1px solid #eee}.table>thead>tr>th{vertical-align:bottom;border-bottom:1px solid #eee}.table>caption+thead>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>th,.table>thead:first-child>tr:first-child>td{border-top:0;font-family:"Inter";font-weight:normal}.table>tbody+tbody{border-top:2px solid #eee}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>th,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>th,.table-condensed>tfoot>tr>td{padding:8px}.table-bordered{border:1px solid #eee}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>tfoot>tr>td{border:1px solid #eee}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#fbfbfb}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;float:none;display:table-column}table td[class*=col-],table th[class*=col-]{position:static;float:none;display:table-cell}.table>thead>tr>td.active,.table>thead>tr>th.active,.table>thead>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr>td.active,.table>tbody>tr>th.active,.table>tbody>tr.active>td,.table>tbody>tr.active>th,.table>tfoot>tr>td.active,.table>tfoot>tr>th.active,.table>tfoot>tr.active>td,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>thead>tr>th.success,.table>thead>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr>td.success,.table>tbody>tr>th.success,.table>tbody>tr.success>td,.table>tbody>tr.success>th,.table>tfoot>tr>td.success,.table>tfoot>tr>th.success,.table>tfoot>tr.success>td,.table>tfoot>tr.success>th{background-color:#7ebc59}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#70b348}.table>thead>tr>td.info,.table>thead>tr>th.info,.table>thead>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr>td.info,.table>tbody>tr>th.info,.table>tbody>tr.info>td,.table>tbody>tr.info>th,.table>tfoot>tr>td.info,.table>tfoot>tr>th.info,.table>tfoot>tr.info>td,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>thead>tr>th.warning,.table>thead>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr>td.warning,.table>tbody>tr>th.warning,.table>tbody>tr.warning>td,.table>tbody>tr.warning>th,.table>tfoot>tr>td.warning,.table>tfoot>tr>th.warning,.table>tfoot>tr.warning>td,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>thead>tr>th.danger,.table>thead>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr>td.danger,.table>tbody>tr>th.danger,.table>tbody>tr.danger>td,.table>tbody>tr.danger>th,.table>tfoot>tr>td.danger,.table>tfoot>tr>th.danger,.table>tfoot>tr.danger>td,.table>tfoot>tr.danger>th{background-color:#ee451f}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#e23811}@media screen and (max-width: 767px){.table-responsive{width:100%;margin-bottom:13.5px;overflow-y:hidden;overflow-x:auto;-ms-overflow-style:-ms-autohiding-scrollbar;-webkit-overflow-scrolling:touch}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0;min-width:0}legend{display:block;width:100%;padding:0;margin-bottom:18px;font-size:19.5px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:normal}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9 ;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:none}output{display:block;padding-top:7px;font-size:13px;line-height:1.428571429;color:#555}select,textarea,input[type=text],input[type=password],input[type=datetime],input[type=datetime-local],input[type=date],input[type=month],input[type=time],input[type=week],input[type=number],input[type=email],input[type=url],input[type=search],input[type=tel],input[type=color]{display:block;width:100%;height:32px;padding:6px 12px;font-size:13px;line-height:1.428571429;color:#555;background-color:#fff;background-image:none;border:1px solid #e4eaec;border-radius:3px;text-overflow:ellipsis;max-width:450px;transition:none;-webkit-transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s;-o-transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s;transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s}select:focus,textarea:focus,input[type=text]:focus,input[type=password]:focus,input[type=datetime]:focus,input[type=datetime-local]:focus,input[type=date]:focus,input[type=month]:focus,input[type=time]:focus,input[type=week]:focus,input[type=number]:focus,input[type=email]:focus,input[type=url]:focus,input[type=search]:focus,input[type=tel]:focus,input[type=color]:focus{border-color:#66afe9;outline:0;transition:border-color 250ms ease}select::-moz-placeholder,textarea::-moz-placeholder,input[type=text]::-moz-placeholder,input[type=password]::-moz-placeholder,input[type=datetime]::-moz-placeholder,input[type=datetime-local]::-moz-placeholder,input[type=date]::-moz-placeholder,input[type=month]::-moz-placeholder,input[type=time]::-moz-placeholder,input[type=week]::-moz-placeholder,input[type=number]::-moz-placeholder,input[type=email]::-moz-placeholder,input[type=url]::-moz-placeholder,input[type=search]::-moz-placeholder,input[type=tel]::-moz-placeholder,input[type=color]::-moz-placeholder{color:#777;opacity:1}select:-ms-input-placeholder,textarea:-ms-input-placeholder,input[type=text]:-ms-input-placeholder,input[type=password]:-ms-input-placeholder,input[type=datetime]:-ms-input-placeholder,input[type=datetime-local]:-ms-input-placeholder,input[type=date]:-ms-input-placeholder,input[type=month]:-ms-input-placeholder,input[type=time]:-ms-input-placeholder,input[type=week]:-ms-input-placeholder,input[type=number]:-ms-input-placeholder,input[type=email]:-ms-input-placeholder,input[type=url]:-ms-input-placeholder,input[type=search]:-ms-input-placeholder,input[type=tel]:-ms-input-placeholder,input[type=color]:-ms-input-placeholder{color:#777}select::-webkit-input-placeholder,textarea::-webkit-input-placeholder,input[type=text]::-webkit-input-placeholder,input[type=password]::-webkit-input-placeholder,input[type=datetime]::-webkit-input-placeholder,input[type=datetime-local]::-webkit-input-placeholder,input[type=date]::-webkit-input-placeholder,input[type=month]::-webkit-input-placeholder,input[type=time]::-webkit-input-placeholder,input[type=week]::-webkit-input-placeholder,input[type=number]::-webkit-input-placeholder,input[type=email]::-webkit-input-placeholder,input[type=url]::-webkit-input-placeholder,input[type=search]::-webkit-input-placeholder,input[type=tel]::-webkit-input-placeholder,input[type=color]::-webkit-input-placeholder{color:#777}select[disabled],select[readonly],fieldset[disabled] select,textarea[disabled],textarea[readonly],fieldset[disabled] textarea,input[type=text][disabled],input[type=text][readonly],fieldset[disabled] input[type=text],input[type=password][disabled],input[type=password][readonly],fieldset[disabled] input[type=password],input[type=datetime][disabled],input[type=datetime][readonly],fieldset[disabled] input[type=datetime],input[type=datetime-local][disabled],input[type=datetime-local][readonly],fieldset[disabled] input[type=datetime-local],input[type=date][disabled],input[type=date][readonly],fieldset[disabled] input[type=date],input[type=month][disabled],input[type=month][readonly],fieldset[disabled] input[type=month],input[type=time][disabled],input[type=time][readonly],fieldset[disabled] input[type=time],input[type=week][disabled],input[type=week][readonly],fieldset[disabled] input[type=week],input[type=number][disabled],input[type=number][readonly],fieldset[disabled] input[type=number],input[type=email][disabled],input[type=email][readonly],fieldset[disabled] input[type=email],input[type=url][disabled],input[type=url][readonly],fieldset[disabled] input[type=url],input[type=search][disabled],input[type=search][readonly],fieldset[disabled] input[type=search],input[type=tel][disabled],input[type=tel][readonly],fieldset[disabled] input[type=tel],input[type=color][disabled],input[type=color][readonly],fieldset[disabled] input[type=color]{cursor:not-allowed;background-color:#eee;opacity:1}textarea{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:32px;line-height:1.428571429 \0 }input[type=date].input-sm,.input-group-sm>input[type=date].form-control,.input-group-sm>input[type=date].input-group-addon,.input-group-sm>.input-group-btn>input[type=date].btn,.form-horizontal .form-group-sm input[type=date].form-control,input[type=time].input-sm,.input-group-sm>input[type=time].form-control,.input-group-sm>input[type=time].input-group-addon,.input-group-sm>.input-group-btn>input[type=time].btn,.form-horizontal .form-group-sm input[type=time].form-control,input[type=datetime-local].input-sm,.input-group-sm>input[type=datetime-local].form-control,.input-group-sm>input[type=datetime-local].input-group-addon,.input-group-sm>.input-group-btn>input[type=datetime-local].btn,.form-horizontal .form-group-sm input[type=datetime-local].form-control,input[type=month].input-sm,.input-group-sm>input[type=month].form-control,.input-group-sm>input[type=month].input-group-addon,.input-group-sm>.input-group-btn>input[type=month].btn,.form-horizontal .form-group-sm input[type=month].form-control{line-height:30px}input[type=date].input-lg,.input-group-lg>input[type=date].form-control,.input-group-lg>input[type=date].input-group-addon,.input-group-lg>.input-group-btn>input[type=date].btn,.form-horizontal .form-group-lg input[type=date].form-control,input[type=time].input-lg,.input-group-lg>input[type=time].form-control,.input-group-lg>input[type=time].input-group-addon,.input-group-lg>.input-group-btn>input[type=time].btn,.form-horizontal .form-group-lg input[type=time].form-control,input[type=datetime-local].input-lg,.input-group-lg>input[type=datetime-local].form-control,.input-group-lg>input[type=datetime-local].input-group-addon,.input-group-lg>.input-group-btn>input[type=datetime-local].btn,.form-horizontal .form-group-lg input[type=datetime-local].form-control,input[type=month].input-lg,.input-group-lg>input[type=month].form-control,.input-group-lg>input[type=month].input-group-addon,.input-group-lg>.input-group-btn>input[type=month].btn,.form-horizontal .form-group-lg input[type=month].form-control{line-height:45px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:18px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-left:-20px;margin-top:4px \9 }.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;vertical-align:middle;font-weight:normal;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=radio].disabled,fieldset[disabled] input[type=radio],input[type=checkbox][disabled],input[type=checkbox].disabled,fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,fieldset[disabled] .radio-inline,.checkbox-inline.disabled,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,fieldset[disabled] .radio label,.checkbox.disabled label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.input-group-lg>.form-control-static.form-control,.input-group-lg>.form-control-static.input-group-addon,.input-group-lg>.input-group-btn>.form-control-static.btn,.form-horizontal .form-group-lg .form-control-static.form-control,.form-control-static.input-sm,.input-group-sm>.form-control-static.form-control,.input-group-sm>.form-control-static.input-group-addon,.input-group-sm>.input-group-btn>.form-control-static.btn,.form-horizontal .form-group-sm .form-control-static.form-control{padding-left:0;padding-right:0}.input-sm,.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm,.input-group-sm>select.form-control,.input-group-sm>select.input-group-addon,.input-group-sm>.input-group-btn>select.btn,.form-horizontal .form-group-sm select.form-control{height:30px;line-height:30px}textarea.input-sm,.input-group-sm>textarea.form-control,.input-group-sm>textarea.input-group-addon,.input-group-sm>.input-group-btn>textarea.btn,.form-horizontal .form-group-sm textarea.form-control,select[multiple].input-sm,.input-group-sm>select[multiple].form-control,.input-group-sm>select[multiple].input-group-addon,.input-group-sm>.input-group-btn>select[multiple].btn,.form-horizontal .form-group-sm select[multiple].form-control{height:auto}.input-lg,.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn,.form-horizontal .form-group-lg .form-control{height:45px;padding:10px 16px;font-size:17px;line-height:1.33;border-radius:6px}select.input-lg,.input-group-lg>select.form-control,.input-group-lg>select.input-group-addon,.input-group-lg>.input-group-btn>select.btn,.form-horizontal .form-group-lg select.form-control{height:45px;line-height:45px}textarea.input-lg,.input-group-lg>textarea.form-control,.input-group-lg>textarea.input-group-addon,.input-group-lg>.input-group-btn>textarea.btn,.form-horizontal .form-group-lg textarea.form-control,select[multiple].input-lg,.input-group-lg>select[multiple].form-control,.input-group-lg>select[multiple].input-group-addon,.input-group-lg>.input-group-btn>select[multiple].btn,.form-horizontal .form-group-lg select[multiple].form-control{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:40px}.form-control-feedback{position:absolute;top:23px;right:0;z-index:2;display:block;width:32px;height:32px;line-height:32px;text-align:center}.input-lg+.form-control-feedback,.input-group-lg>.form-control+.form-control-feedback,.input-group-lg>.input-group-addon+.form-control-feedback,.input-group-lg>.input-group-btn>.btn+.form-control-feedback,.form-horizontal .form-group-lg .form-control+.form-control-feedback{width:45px;height:45px;line-height:45px}.input-sm+.form-control-feedback,.input-group-sm>.form-control+.form-control-feedback,.input-group-sm>.input-group-addon+.form-control-feedback,.input-group-sm>.input-group-btn>.btn+.form-control-feedback,.form-horizontal .form-group-sm .form-control+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#7ebc59}.has-success .form-control{border-color:#7ebc59;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#65a141;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #b6d9a2;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #b6d9a2}.has-success .input-group-addon{color:#7ebc59;border-color:#7ebc59;background-color:#7ebc59}.has-success .form-control-feedback{color:#7ebc59}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#f0ad4e}.has-warning .form-control{border-color:#f0ad4e;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#ec971f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f8d9ac;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f8d9ac}.has-warning .input-group-addon{color:#f0ad4e;border-color:#f0ad4e;background-color:#fcf8e3}.has-warning .form-control-feedback{color:#f0ad4e}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#ee451f}.has-error .form-control{border-color:#ee451f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#cb320f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f5947e;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f5947e}.has-error .input-group-addon{color:#ee451f;border-color:#ee451f;background-color:#ee451f}.has-error .form-control-feedback{color:#ee451f}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#7c7c7a}@media(min-width: 768px){.form-inline .form-group,.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control,.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group,.navbar-form .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.navbar-form .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.navbar-form .input-group .input-group-btn,.form-inline .input-group .form-control,.navbar-form .input-group .form-control{width:auto}.form-inline .input-group>.form-control,.navbar-form .input-group>.form-control{width:100%}.form-inline .control-label,.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.navbar-form .radio,.form-inline .checkbox,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.navbar-form .radio label,.form-inline .checkbox label,.navbar-form .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.navbar-form .radio input[type=radio],.form-inline .checkbox input[type=checkbox],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback,.navbar-form .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{margin-top:0;margin-bottom:0;padding-top:7px}.form-horizontal .radio,.form-horizontal .checkbox{min-height:25px}.form-horizontal .form-group{margin-left:-20px;margin-right:-20px}.form-horizontal .form-group:before,.form-horizontal .form-group:after{content:" ";display:table}.form-horizontal .form-group:after{clear:both}@media(min-width: 768px){.form-horizontal .control-label{text-align:right;margin-bottom:0;padding-top:7px}}.form-horizontal .has-feedback control-feedback{top:0;right:20px}@media(min-width: 768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media(min-width: 768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;margin-bottom:0;font-weight:normal;text-align:center;vertical-align:middle;cursor:pointer;background-image:none;border:1px solid rgba(0,0,0,0);white-space:nowrap;padding:6px 12px;font-size:13px;line-height:1.428571429;border-radius:3px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;color:#fff;background-color:#536270;border-color:#536270}.btn:hover,.btn:focus,.btn:active,.btn.active,.open>.btn.dropdown-toggle{color:#fff;background-color:#3d4853;border-color:#39434d}.btn:active,.btn.active,.open>.btn.dropdown-toggle{background-image:none}.btn.disabled,.btn.disabled:hover,.btn.disabled:focus,.btn.disabled:active,.btn.disabled.active,.btn[disabled],.btn[disabled]:hover,.btn[disabled]:focus,.btn[disabled]:active,.btn[disabled].active,fieldset[disabled] .btn,fieldset[disabled] .btn:hover,fieldset[disabled] .btn:focus,fieldset[disabled] .btn:active,fieldset[disabled] .btn.active{background-color:#536270;border-color:#536270}.btn .badge{color:#536270;background-color:#fff}.btn:focus,.btn:active:focus,.btn.active:focus{outline:none}.btn:hover,.btn:focus{color:#fff;text-decoration:none}.btn:active,.btn.active{outline:0;background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{cursor:not-allowed;pointer-events:none;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none}.btn-default{color:#fff;background-color:#536270;border-color:#536270}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.btn-default.dropdown-toggle{color:#fff;background-color:#3d4853;border-color:#39434d}.btn-default:active,.btn-default.active,.open>.btn-default.dropdown-toggle{background-image:none}.btn-default.disabled,.btn-default.disabled:hover,.btn-default.disabled:focus,.btn-default.disabled:active,.btn-default.disabled.active,.btn-default[disabled],.btn-default[disabled]:hover,.btn-default[disabled]:focus,.btn-default[disabled]:active,.btn-default[disabled].active,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default:hover,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:active,fieldset[disabled] .btn-default.active{background-color:#536270;border-color:#536270}.btn-default .badge{color:#536270;background-color:#fff}.btn-primary{color:#fff;background-color:#51aded;border-color:#51aded}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.btn-primary.dropdown-toggle{color:#fff;background-color:#2397e8;border-color:#1a93e7}.btn-primary:active,.btn-primary.active,.open>.btn-primary.dropdown-toggle{background-image:none}.btn-primary.disabled,.btn-primary.disabled:hover,.btn-primary.disabled:focus,.btn-primary.disabled:active,.btn-primary.disabled.active,.btn-primary[disabled],.btn-primary[disabled]:hover,.btn-primary[disabled]:focus,.btn-primary[disabled]:active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary:hover,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary.active{background-color:#51aded;border-color:#51aded}.btn-primary .badge{color:#51aded;background-color:#fff}.btn-success{color:#fff;background-color:#7ebc59;border-color:#70b348}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.btn-success.dropdown-toggle{color:#fff;background-color:#65a141;border-color:#558837}.btn-success:active,.btn-success.active,.open>.btn-success.dropdown-toggle{background-image:none}.btn-success.disabled,.btn-success.disabled:hover,.btn-success.disabled:focus,.btn-success.disabled:active,.btn-success.disabled.active,.btn-success[disabled],.btn-success[disabled]:hover,.btn-success[disabled]:focus,.btn-success[disabled]:active,.btn-success[disabled].active,fieldset[disabled] .btn-success,fieldset[disabled] .btn-success:hover,fieldset[disabled] .btn-success:focus,fieldset[disabled] .btn-success:active,fieldset[disabled] .btn-success.active{background-color:#7ebc59;border-color:#70b348}.btn-success .badge{color:#7ebc59;background-color:#fff}.btn-info{color:#fff;background-color:#368cbf;border-color:#307dab}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.btn-info.dropdown-toggle{color:#fff;background-color:#2b6f97;border-color:#235a7b}.btn-info:active,.btn-info.active,.open>.btn-info.dropdown-toggle{background-image:none}.btn-info.disabled,.btn-info.disabled:hover,.btn-info.disabled:focus,.btn-info.disabled:active,.btn-info.disabled.active,.btn-info[disabled],.btn-info[disabled]:hover,.btn-info[disabled]:focus,.btn-info[disabled]:active,.btn-info[disabled].active,fieldset[disabled] .btn-info,fieldset[disabled] .btn-info:hover,fieldset[disabled] .btn-info:focus,fieldset[disabled] .btn-info:active,fieldset[disabled] .btn-info.active{background-color:#368cbf;border-color:#307dab}.btn-info .badge{color:#368cbf;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.btn-warning.dropdown-toggle{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.btn-warning.dropdown-toggle{background-image:none}.btn-warning.disabled,.btn-warning.disabled:hover,.btn-warning.disabled:focus,.btn-warning.disabled:active,.btn-warning.disabled.active,.btn-warning[disabled],.btn-warning[disabled]:hover,.btn-warning[disabled]:focus,.btn-warning[disabled]:active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning,fieldset[disabled] .btn-warning:hover,fieldset[disabled] .btn-warning:focus,fieldset[disabled] .btn-warning:active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#ee451f;border-color:#e23811}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.btn-danger.dropdown-toggle{color:#fff;background-color:#cb320f;border-color:#a92a0d}.btn-danger:active,.btn-danger.active,.open>.btn-danger.dropdown-toggle{background-image:none}.btn-danger.disabled,.btn-danger.disabled:hover,.btn-danger.disabled:focus,.btn-danger.disabled:active,.btn-danger.disabled.active,.btn-danger[disabled],.btn-danger[disabled]:hover,.btn-danger[disabled]:focus,.btn-danger[disabled]:active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger:hover,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger.active{background-color:#ee451f;border-color:#e23811}.btn-danger .badge{color:#ee451f;background-color:#fff}.btn-link{color:#51aded;font-weight:normal;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:rgba(0,0,0,0);-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:rgba(0,0,0,0)}.btn-link:hover,.btn-link:focus{color:#178adb;text-decoration:underline;background-color:rgba(0,0,0,0)}.btn-link[disabled]:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:hover,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:17px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid rgba(0,0,0,0);border-left:4px solid rgba(0,0,0,0)}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;list-style:none;font-size:13px;text-align:left;background-color:#fff;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:3px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175);background-clip:padding-box}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:8px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:normal;line-height:1.428571429;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{text-decoration:none;color:#262626;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;outline:0;background-color:#51aded}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;background-color:rgba(0,0,0,0);background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled = false);cursor:not-allowed}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{left:auto;right:0}.dropdown-menu-left{left:0;right:auto}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.428571429;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;left:0;right:0;bottom:0;top:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{border-top:0;border-bottom:4px solid;content:""}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media(min-width: 768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{left:0;right:auto}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group>.btn:focus,.btn-group>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn:hover,.btn-group-vertical>.btn:focus,.btn-group-vertical>.btn:active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar:before,.btn-toolbar:after{content:" ";display:table}.btn-toolbar:after{clear:both}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle,.btn-group-lg.btn-group>.btn+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret,.btn-group-lg>.btn .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret,.dropup .btn-group-lg>.btn .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{content:" ";display:table}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:3px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-bottom-left-radius:3px;border-top-right-radius:0;border-top-left-radius:0}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;opacity:0;filter:alpha(opacity=0)}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-left:0;padding-right:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:13px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #e4eaec;border-radius:3px}.input-group-addon.input-sm,.form-horizontal .form-group-sm .input-group-addon.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.input-group-addon.btn{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg,.form-horizontal .form-group-lg .input-group-addon.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.input-group-addon.btn{padding:10px 16px;font-size:17px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav:before,.nav:after{content:" ";display:table}.nav:after{clear:both}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:rgba(0,0,0,0);cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#51aded}.nav .nav-divider{height:1px;margin:8px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #e5e5e5}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.428571429;border:1px solid rgba(0,0,0,0);border-radius:3px 3px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #e5e5e5}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:rgba(0,0,0,0);cursor:default}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:0}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#51aded}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified,.nav-tabs.nav-justified{width:100%}.nav-justified>li,.nav-tabs.nav-justified>li{float:none}.nav-justified>li>a,.nav-tabs.nav-justified>li>a{text-align:left;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media(min-width: 768px){.nav-justified>li,.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a,.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified,.nav-tabs.nav-justified{border-bottom:0}.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:3px}.nav-tabs-justified>.active>a,.nav-tabs.nav-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media(min-width: 768px){.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:3px 3px 0 0}.nav-tabs-justified>.active>a,.nav-tabs.nav-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:0;border:1px solid rgba(0,0,0,0)}.navbar:before,.navbar:after{content:" ";display:table}.navbar:after{clear:both}@media(min-width: 768px){.navbar{border-radius:0}}.navbar-header:before,.navbar-header:after{content:" ";display:table}.navbar-header:after{clear:both}@media(min-width: 768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:20px;padding-left:20px;border-top:1px solid rgba(0,0,0,0);box-shadow:inset 0 1px 0 rgba(255,255,255,.1);-webkit-overflow-scrolling:touch}.navbar-collapse:before,.navbar-collapse:after{content:" ";display:table}.navbar-collapse:after{clear:both}.navbar-collapse.in{overflow-y:auto}@media(min-width: 768px){.navbar-collapse{width:auto;border-top:0;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media(max-width: 480px)and (orientation: landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-header,.container-fluid>.navbar-collapse{margin-right:-20px;margin-left:-20px}@media(min-width: 768px){.container>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-header,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media(min-width: 768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}@media(min-width: 768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 20px;font-size:17px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media(min-width: 768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-20px}}.navbar-toggle{position:relative;float:left;margin-right:20px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:rgba(0,0,0,0);background-image:none;border:1px solid rgba(0,0,0,0);border-radius:3px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media(min-width: 768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -20px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:18px}@media(max-width: 767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:rgba(0,0,0,0);border:0;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:18px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media(min-width: 768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-20px}}@media(min-width: 768px){.navbar-left{float:left !important}.navbar-right{float:right !important}}.navbar-form{margin-left:-20px;margin-right:-20px;padding:10px 0px;border-top:1px solid rgba(0,0,0,0);border-bottom:1px solid rgba(0,0,0,0);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);margin-top:9px;margin-bottom:9px}@media(max-width: 767px){.navbar-form .form-group{margin-bottom:5px}}@media(min-width: 768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-20px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:9px;margin-bottom:9px}.navbar-btn.btn-sm,.btn-group-sm>.navbar-btn.btn{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs,.btn-group-xs>.navbar-btn.btn{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:16px;margin-bottom:16px}@media(min-width: 768px){.navbar-text{float:left;margin-left:20px;margin-right:20px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#3c3c3b;border-color:#2b2b2b}.navbar-default .navbar-brand{color:#f7f7f7}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#dedede;background-color:rgba(0,0,0,0)}.navbar-default .navbar-text{color:#f7f7f7}.navbar-default .navbar-nav>li>a{color:#f7f7f7}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{background-color:rgba(0,0,0,0)}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#2b2b2b}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:rgba(0,0,0,0)}.navbar-default .navbar-toggle{border-color:#fff}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#555}.navbar-default .navbar-toggle .icon-bar{background-color:#fff}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#2b2b2b}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#2b2b2b;color:#555}@media(max-width: 767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#f7f7f7}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{background-color:rgba(0,0,0,0)}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#2b2b2b}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:rgba(0,0,0,0)}}.navbar-default .navbar-link{color:#f7f7f7}.navbar-default .btn-link{color:#f7f7f7}.navbar-default .btn-link[disabled]:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:hover,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#090909}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#090909}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#090909;color:#fff}@media(max-width: 767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:rgba(0,0,0,0)}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:hover,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:18px;list-style:none;background-color:#f5f5f5;border-radius:3px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{content:"/ ";padding:0 5px;color:#ccc}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:18px 0;border-radius:3px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;line-height:1.428571429;text-decoration:none;color:#51aded;background-color:#fff;border:1px solid #ddd;margin-left:-1px}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-bottom-left-radius:3px;border-top-left-radius:3px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-bottom-right-radius:3px;border-top-right-radius:3px}.pagination>li>a:hover,.pagination>li>a:focus,.pagination>li>span:hover,.pagination>li>span:focus{color:#178adb;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>a:hover,.pagination>.active>a:focus,.pagination>.active>span,.pagination>.active>span:hover,.pagination>.active>span:focus{z-index:2;color:#fff;background-color:#51aded;border-color:#51aded;cursor:default}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;background-color:#fff;border-color:#ddd;cursor:not-allowed}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:17px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-bottom-left-radius:6px;border-top-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-bottom-right-radius:6px;border-top-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:3px;border-top-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:3px;border-top-right-radius:3px}.pager{padding-left:0;margin:18px 0;list-style:none;text-align:center}.pager:before,.pager:after{content:" ";display:table}.pager:after{clear:both}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#777;background-color:#fff;cursor:not-allowed}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}.label:empty{display:none}.btn .label{position:relative;top:-1px}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#51aded}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#2397e8}.label-success{background-color:#7ebc59}.label-success[href]:hover,.label-success[href]:focus{background-color:#65a141}.label-info{background-color:#368cbf}.label-info[href]:hover,.label-info[href]:focus{background-color:#2b6f97}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#ee451f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#cb320f}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:baseline;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#51aded;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:20px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width: 768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-left:60px;padding-right:60px}.jumbotron h1,.jumbotron .h1{font-size:58.5px}}.thumbnail{display:block;padding:4px;margin-bottom:18px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:3px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{display:block;width:100% \9 ;max-width:100%;height:auto;margin-left:auto;margin-right:auto}.thumbnail .caption{padding:9px;color:#3c3c3b}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#51aded}.alert{padding:15px;margin-bottom:18px;border:1px solid rgba(0,0,0,0);border-radius:3px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#7ebc59;border-color:#7ebc59;color:#4e7d32}.alert-success hr{border-top-color:#70b348}.alert-success .alert-link{color:#598f3a}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#173543}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#1d4356}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#c77c11}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#df8a13}.alert-danger{background-color:#ee451f;border-color:#ee451f;color:#9b260c}.alert-danger hr{border-top-color:#e23811}.alert-danger .alert-link{color:#b32c0e}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:18px;background-color:#f5f5f5;border-radius:3px;position:relative;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:18px;color:#fff;text-align:center;background-color:#51aded;position:relative;z-index:2;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{color:#777;min-width:30px;background-color:rgba(0,0,0,0);background-image:none;box-shadow:none}.progress-bar-success{background-color:#7ebc59}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#368cbf}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#ee451f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{margin-bottom:20px;padding-left:0}.list-group-item{position:relative;display:block;padding:6px 8px;margin-bottom:-1px;background-color:#fff}.list-group-item:last-child{margin-bottom:0}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#3c3c3b;border-radius:0}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{text-decoration:none;background-color:#f5f5f5}a.list-group-item:hover:before,a.list-group-item:focus:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0;width:3px}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{background-color:#eee;color:#777}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2}.list-group-item.active:before,.list-group-item.active:hover:before,.list-group-item.active:focus:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0px;width:3px}.list-group-item.active .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#fff}.list-group-item.active+.collapse>.list-group-item:before,.list-group-item.active:hover+.collapse>.list-group-item:before,.list-group-item.active:focus+.collapse>.list-group-item:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0px;width:3px}.list-group-item-success{color:#7ebc59;background-color:#7ebc59}a.list-group-item-success{color:#7ebc59}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#7ebc59;background-color:#70b348}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#7ebc59;border-color:#7ebc59}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#f0ad4e;background-color:#fcf8e3}a.list-group-item-warning{color:#f0ad4e}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#f0ad4e;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#f0ad4e;border-color:#f0ad4e}.list-group-item-danger{color:#ee451f;background-color:#ee451f}a.list-group-item-danger{color:#ee451f}a.list-group-item-danger .list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#ee451f;background-color:#e23811}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#ee451f;border-color:#ee451f}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:18px;background-color:#fff;border:1px solid rgba(0,0,0,0);border-radius:3px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-body:before,.panel-body:after{content:" ";display:table}.panel-body:after{clear:both}.panel-heading{padding:10px 15px;border-bottom:1px solid rgba(0,0,0,0);border-top-right-radius:2px;border-top-left-radius:2px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:15px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:2px;border-top-left-radius:2px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:2px;border-top-left-radius:2px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:2px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:2px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:2px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:2px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #eee}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:18px}.panel-group .panel{margin-bottom:0;border-radius:3px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#51aded}.panel-primary>.panel-heading{color:#fff;background-color:#51aded;border-color:#51aded}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#51aded}.panel-primary>.panel-heading .badge{color:#51aded;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#51aded}.panel-success{border-color:#7ebc59}.panel-success>.panel-heading{color:#7ebc59;background-color:#7ebc59;border-color:#7ebc59}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#7ebc59}.panel-success>.panel-heading .badge{color:#7ebc59;background-color:#7ebc59}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#7ebc59}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#f0ad4e;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#f0ad4e}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ee451f}.panel-danger>.panel-heading{color:#ee451f;background-color:#ee451f;border-color:#ee451f}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ee451f}.panel-danger>.panel-heading .badge{color:#ee451f;background-color:#ee451f}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ee451f}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;left:0;bottom:0;height:100%;width:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:3px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:19.5px;font-weight:bold;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.2;filter:alpha(opacity=20)}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;opacity:.5;filter:alpha(opacity=50)}button.close{padding:0;cursor:pointer;background:rgba(0,0,0,0);border:0;-webkit-appearance:none}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate3d(0, -25%, 0);transform:translate3d(0, -25%, 0);-webkit-transition:-webkit-transform .3s ease-out;-moz-transition:-moz-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:62px 10px 10px 10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5);background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5;min-height:16.428571429px}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.428571429}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer:before,.modal-footer:after{content:" ";display:table}.modal-footer:after{clear:both}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media(min-width: 768px){.modal-dialog{width:600px;margin:82px auto 30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media(min-width: 992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;visibility:visible;font-size:12px;line-height:1.4;opacity:0;filter:alpha(opacity=0)}.tooltip.in{opacity:.9;filter:alpha(opacity=90)}.tooltip.top{margin-top:-3px;padding:5px 0}.tooltip.right{margin-left:3px;padding:0 5px}.tooltip.bottom{margin-top:3px;padding:5px 0}.tooltip.left{margin-left:-3px;padding:0 5px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:3px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:rgba(0,0,0,0);border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{bottom:0;right:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;background-color:#fff;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2);white-space:normal}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{margin:0;padding:8px 14px;font-size:13px;font-weight:normal;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:rgba(0,0,0,0);border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{border-width:10px;content:""}.popover.top>.arrow{left:50%;margin-left:-11px;border-bottom-width:0;border-top-color:#999;border-top-color:rgba(0,0,0,.25);bottom:-11px}.popover.top>.arrow:after{content:" ";bottom:1px;margin-left:-10px;border-bottom-width:0;border-top-color:#fff}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-left-width:0;border-right-color:#999;border-right-color:rgba(0,0,0,.25)}.popover.right>.arrow:after{content:" ";left:1px;bottom:-10px;border-left-width:0;border-right-color:#fff}.popover.bottom>.arrow{left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25);top:-11px}.popover.bottom>.arrow:after{content:" ";top:1px;margin-left:-10px;border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{content:" ";right:1px;border-right-width:0;border-left-color:#fff;bottom:-10px}.carousel{position:relative}.carousel-inner{position:relative;overflow:hidden;width:100%}.carousel-inner>.item{display:none;position:relative;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9 ;max-width:100%;height:auto;line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;left:0;bottom:0;width:15%;opacity:.5;filter:alpha(opacity=50);font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-control.left{background-image:-webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-image:-o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-image:linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr="#80000000", endColorstr="#00000000", GradientType=1)}.carousel-control.right{left:auto;right:0;background-image:-webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-image:-o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-image:linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr="#00000000", endColorstr="#80000000", GradientType=1)}.carousel-control:hover,.carousel-control:focus{outline:0;color:#fff;text-decoration:none;opacity:.9;filter:alpha(opacity=90)}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:"‹"}.carousel-control .icon-next:before{content:"›"}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;margin-left:-30%;padding-left:0;list-style:none;text-align:center}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;border:1px solid #fff;border-radius:10px;cursor:pointer;background-color:#000 \9 ;background-color:rgba(0,0,0,0)}.carousel-indicators .active{margin:0;width:12px;height:12px;background-color:#fff}.carousel-caption{position:absolute;left:15%;right:15%;bottom:20px;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width: 768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-15px}.carousel-caption{left:20%;right:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.content-box:before,.clearfix:after,.content-box:after{content:" ";display:table}.clearfix:after,.content-box:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:rgba(0,0,0,0);text-shadow:none;background-color:rgba(0,0,0,0);border:0}.hidden{display:none !important;visibility:hidden !important}.affix{position:fixed;-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media(max-width: 767px){.visible-xs{display:block !important}table.visible-xs{display:table}tr.visible-xs{display:table-row !important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media(max-width: 767px){.visible-xs-block{display:block !important}}@media(max-width: 767px){.visible-xs-inline{display:inline !important}}@media(max-width: 767px){.visible-xs-inline-block{display:inline-block !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm{display:block !important}table.visible-sm{display:table}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-block{display:block !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-inline{display:inline !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-inline-block{display:inline-block !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md{display:block !important}table.visible-md{display:table}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-block{display:block !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-inline{display:inline !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-inline-block{display:inline-block !important}}@media(min-width: 1200px){.visible-lg{display:block !important}table.visible-lg{display:table}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media(min-width: 1200px){.visible-lg-block{display:block !important}}@media(min-width: 1200px){.visible-lg-inline{display:inline !important}}@media(min-width: 1200px){.visible-lg-inline-block{display:inline-block !important}}@media(max-width: 767px){.hidden-xs,.page-side{display:none !important}}@media(min-width: 768px)and (max-width: 991px){.hidden-sm{display:none !important}}@media(max-width: 768px),(max-height: 669px){.toggle-sidebar{display:none !important}}@media(min-width: 992px)and (max-width: 1199px){.hidden-md{display:none !important}}@media(min-width: 1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}}*{-webkit-font-smoothing:antialiased}html,body{font-family:"Inter",serif;font-weight:400;height:100%;background-color:#fff}body{min-width:320px;touch-action:manipulation}.widget-sort-handle{touch-action:none}.page-head{position:fixed;z-index:2;top:0;right:0;left:0;background:#3c3c3b}.page-head .navbar-default{min-height:60px;color:rgba(87,87,87,.67);border:0;background:#fff;box-shadow:0 2px 4px rgba(0,0,0,.08)}.page-head .navbar-text{color:#494949}.page-head .navbar-right{margin-top:6px}.page-head .navbar-brand{display:flex;flex-direction:column;width:250px;height:100%;text-align:center;color:#000;background:#3498db}.page-head .navbar-brand::before{font-size:16px;font-weight:500;display:inline-block;content:"OPNSense";color:#fff}.page-head .navbar-brand::after{font-size:12px;font-weight:400;display:inline-block;content:"AdvancedOPN Theme";color:#fafafa}.page-head .navbar-brand:hover,.page-head .navbar-brand:focus{background:#3498db}.page-head .navbar-brand .brand-logo,.page-head .navbar-brand .brand-icon{width:1px;height:1px}.page-head .navbar-toggle{margin-top:14px}.page-head .navbar-toggle .icon-bar{background-color:#363636}.page-head .navbar-toggle:hover,.page-head .navbar-toggle:focus{background-color:rgba(0,0,0,0)}.page-head .navbar-toggle:hover .icon-bar,.page-head .navbar-toggle:focus .icon-bar{background-color:#3498db}.page-content{position:relative;z-index:1;height:calc(100% - 60px);padding-top:60px}.page-content>.row{height:100%}@media(min-width: 768px){.page-content.col-lg-10,.page-content.col-sm-9{width:calc(100% - 250px)}.page-content.col-lg-push-2,.page-content.col-sm-push-3{left:250px}}.page-content-head,.content-box-head{padding-top:20px;padding-bottom:15px;border-bottom:1px solid rgba(217,217,217,.5);background:#fbfbfb}.page-content-head .navbar-nav,.content-box-head .navbar-nav{width:100%}.page-content-head h1,.content-box-head h1,.page-content-head h2,.content-box-head h2,.page-content-head h3,.content-box-head h3{line-height:1;margin:0}.page-content-main{min-height:calc(100% - 64px);padding:15px 0 73px;background:#f7f7f7}.page-side{position:fixed;z-index:3;top:0;left:0;overflow:auto;width:250px;height:100% !important;height:calc(100% - 60px) !important;margin-top:60px;border-right:1px solid rgba(0,0,0,.15);background:#263238}.page-side-nav--active{border-left:3px solid;background:#f7f7f7}.page-side-nav .panel{background:#263238}.page-foot{font-size:12px;position:fixed;z-index:2;bottom:0;width:100%;padding:20px 0;border-top:1px solid rgba(217,217,217,.5);background:#fbfbfb}.content-box{border:1px solid #eaeaea;border-radius:3px;background:#fff}.content-box-main{padding-top:15px;padding-bottom:15px}div.content-box.wizard div img{filter:invert(25%)}.tab-content{padding:0px 0;border-top:0px}.tab-content>.tab-content{margin-bottom:0;padding:0 15px}.tab-content .tab-content:last-child{margin-bottom:0}.page-content-main section[class^=col-]+section[class^=col-]{padding-top:20px}.brand-logo{display:none}@media(min-width: 768px){.brand-logo{display:inline-block}}.brand-icon{display:inline-block}@media(min-width: 768px){.brand-icon{display:none}}@media(min-width: 768px){.col-sm-disable-spacer{padding-top:0 !important}}@media(min-width: 992px){.col-md-disable-spacer{padding-top:0 !important}}@media(min-width: 1200px){.col-lg-disable-spacer{padding-top:0 !important}}.page-login{background:linear-gradient(#eff2f5, #f5f7f8)}.page-login .container{display:flex;align-items:center;flex-direction:column;justify-content:center;min-height:100%}.page-login .container:after{height:60px}.login-foot{font-size:12px}.login-modal-container{width:100%;max-width:400px;margin-bottom:8px;border-radius:4px;background:#fff;box-shadow:0 1px 8px rgba(0,0,0,.1)}.login-modal-head{height:50px;padding:0 20px;border-top-left-radius:4px;border-top-right-radius:4px;background:#51aded}.login-modal-head img{display:none}.login-modal-head .navbar-brand{display:flex;float:none;align-items:center;flex-direction:column;justify-content:center;text-align:center}.login-modal-head .navbar-brand::before{font-size:16px;font-weight:500;display:inline-block;content:"OPNSense";color:#fff}.login-modal-head .navbar-brand::after{font-size:11px;font-weight:400;display:inline-block;content:"AdvancedOPN Theme";color:#fafafa}.login-modal-content{padding:20px 20px 20px 20px}.login-modal-foot{height:60px;padding:20px 20px 0 20px;border-top:1px solid #eaeaea;background:#f7f7f7}.login-modal-foot a{text-decoration:none;color:#7d7d7d}.login-modal-foot a:hover{text-decoration:underline;color:#646464}@media(min-width: 768px){.list-inline .btn-group-container{float:right}}.btn.btn-fixed{width:100%;max-width:174px}.progress-bar-placeholder{font-size:12px;position:absolute;z-index:1;width:100%;text-align:center}.list-group-item{border-right:none;border-left:none}.list-group-item.collapsed .caret{border-top:0;border-bottom:4px solid green}main.page-content.col-lg-12{padding-left:90px}#navigation .panel.list-group .fa:not(.__iconspacer){width:auto;padding-right:10px}#navigation .panel.list-group a.list-group-item{font-size:14px;position:relative;padding:12px 16px;text-decoration:none;color:#a6adb3;background:#263238}#navigation .panel.list-group a.list-group-item:hover{color:#e1e4e6;background:rgba(255,255,255,.03)}#navigation .panel.list-group a.list-group-item:hover::before{background-color:#3498db}#navigation .panel.list-group a.list-group-item.active{color:#e1e4e6;background:rgba(255,255,255,.02)}#navigation .panel.list-group>.list-group-item:not(.collapsed).active-menu-title::before{width:3px;transition:opacity 200ms;background-color:#3498db}#navigation .panel.list-group>div .list-group-item{font-size:13px;position:relative;padding:5px 0 5px 35px}#navigation .panel.list-group>div .list-group-item::before{position:absolute;z-index:1;top:-11px;bottom:13px;left:12px;display:block;width:0;content:"";opacity:.8;border-left:1px dotted #3e474e !important}#navigation .panel.list-group>div .list-group-item::after{position:absolute;z-index:1;top:13px;left:12px;display:block;width:12px;content:"";border-bottom:1px dotted #3e474e !important}#navigation .panel.list-group>div .list-group-item:hover::before,#navigation .panel.list-group>div .list-group-item.active::before,#navigation .panel.list-group>div .list-group-item:focus::before{opacity:1;background-color:#3e474e}#navigation.col-sidebar-left{overflow:hidden;width:70px;border:none !important;background-color:rgba(0,0,0,0) !important}#navigation.col-sidebar-left>div.row{height:100% !important}#navigation.col-sidebar-left>div.row>nav.page-side-nav{width:70px;height:100% !important;border-right:1px solid #304047;background:#263238}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item{font-size:13px;width:70px;height:70px;padding-top:12px;padding-right:0px;padding-left:0px;text-align:center;color:#a6adb3;border-right:1px solid #304047;border-bottom:2px solid #lightergrey}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.fa,#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.glyphicon{font-size:20px;visibility:visible}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.__iconspacer{display:block;height:30px;padding:0px;text-align:center}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsing>a.list-group-item{font-size:14px !important;position:absolute !important;left:70px !important;display:block !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapsing>a.list-group-item{font-size:14px !important;position:absolute !important;left:166px !important;display:block !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in>a.list-group-item{background-color:#263238 !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item::before,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item::after,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item::before,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item::after{display:none}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsed>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item{padding:3px 8px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in{font-size:14px;position:absolute;z-index:10;left:70px;width:168px;margin-top:-70px;border:1px solid #304047;-moz-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);-webkit-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);box-shadow:2px 2px 1px 0px rgba(234,234,234,.5)}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in{font-size:14px;position:absolute;z-index:10;left:166px;width:168px;margin-top:-26px;border:1px solid #304047;-moz-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);-webkit-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);box-shadow:2px 2px 1px 0px rgba(234,234,234,.5)}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsing,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapsing{display:none}button.toggle-sidebar{font-size:14px;float:left;margin-top:20px;color:#575757;border:none;outline:none;background-color:rgba(0,0,0,0)}#navigation.collapse.in{display:block !important}.list-group-submenu .list-group-item:last-child,.collapse .list-group-item:last-child{border-bottom:none}ul.nav>li.dropdown>ul.dropdown-menu>li>a{padding:3px 10px}.nav-tabs{margin-right:1px;border-bottom:2px solid #eaeaea}.nav-tabs>li{margin-right:2px;border-radius:0px;border-top-right-radius:10px}.nav-tabs>li>a{margin-right:0px;cursor:pointer;color:#777;border-top-left-radius:4px;border-top-right-radius:4px;background:#fcfcfc}.nav-tabs>li>a{border:none;background:rgba(0,0,0,0)}.nav-tabs>li>a:hover,.nav-tabs>li>a:focus{border-bottom:2px solid #e0e0e0;background-color:#efefef}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#51aded;border-top:none;border-right:none;border-bottom:2px solid #51aded;border-left:none;background:rgba(0,0,0,0)}.nav-tabs>li>a.visible-lg-inline-block:not(.pull-right){padding-right:6px !important;padding-left:12px !important;border-top-right-radius:0px !important}.nav-tabs>li>a.visible-lg-inline-block.pull-right{padding-right:12px !important;padding-left:6px !important;border-left:0px !important;border-top-left-radius:0}.nav-tabs.nav-justified{border-right:1px solid #eaeaea}.nav-tabs.nav-justified>li{border-top:1px solid #eaeaea;border-bottom:1px solid #eaeaea;border-left:1px solid #eaeaea;border-radius:0px;background:#f7f7f7}.nav-tabs.nav-justified>li>a{font-family:"Inter",serif;color:#3c3c3b}@media(min-width: 768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid rgba(0,0,0,0)}}@media(max-width: 767px){.nav-tabs.nav-justified>li.active>a{border-right:0 !important}}@media(min-width: 768px){>li.active+li>a{border-left:1px solid rgba(0,0,0,0)}}>li:last-child>a{border-right:1px solid rgba(0,0,0,0) !important}@media(max-width: 767px){>li:last-child>a{margin-bottom:0}}#opn-status-list .btn{color:#565656;border:1px solid #ecedf1;background:rgba(0,0,0,0)}#opn-status-list .btn:hover{background:#f9f9f9}.bootstrap-dialog-title{font-size:15px;font-weight:500}.bootstrap-select .btn-default{color:#76838f;border:1px solid #e4eaec;background:#fff}.bootstrap-select .btn-default:focus{border-color:#66afe9;background:#fff}.bootstrap-select.open>.btn-default{color:#76838f;border-color:#66afe9;background:#fff}.bootstrap-select .dropdown-toggle:focus{outline-color:#fff !important}.btn .glyphicon{vertical-align:-1px}.btn-default .glyphicon{color:#757575}table{width:100%}.table{margin-bottom:0px !important}.nav-tabs-justified .nav-tabs.nav-justified>.active>a:focus,.nav-tabs.nav-justified .nav-tabs.nav-justified>.active>a:focus{border:0px !important}.table th,strong,b{font-family:"Inter",serif;font-weight:500}.table>tbody>tr>td:last-child{padding-right:15px}.__nowrap{white-space:nowrap}.__nomb{margin-bottom:0}.__mb{margin-bottom:15px}.__mt{margin-top:15px}.__ml{margin-left:15px}.__mr{margin-right:15px}.__iconspacer{padding-right:10px}#mainmenu .glyphicon{vertical-align:-2px}.list-group-item{overflow:hidden;text-overflow:ellipsis}.list-group-item+div.collapse{margin-bottom:-1px}.list-group-item+div>a{padding-left:44px}.list-group-item:before{position:absolute;top:0px;left:0;width:0;height:42px;min-height:100%;content:"";transition:opacity 0ms;opacity:0}.list-group-submenu a{padding-left:56px}.active-menu-title,.active-menu a{position:relative;text-decoration:none;background-color:#242f35}.active-menu-title:before,.active-menu a:before{width:3px}.active-menu-title.active,.active-menu a.active{background-color:#242f35}.active-menu a:before{background:#242f35}.alert.alert-danger{color:#fff !important}.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{border-radius:0 !important}.navbar-brand{padding:10px 20px}.label-opnsense{font-size:12px;line-height:1.5;display:inline-block;vertical-align:middle;border:1px solid rgba(0,0,0,0);border-radius:3px}.label-opnsense-sm{padding:5px 10px}.label-opnsense-xs,.btn-xs,.btn-group-xs>.btn{padding:1px 3px}::-webkit-scrollbar{width:8px}::-webkit-scrollbar-button{width:8px;height:5px}::-webkit-scrollbar-track{border-radius:0;background:#dcdcdc;box-shadow:0px 0px 0px}::-webkit-scrollbar-thumb{border:thin solid #e5e5e5;border-radius:0px;background:#afafaf}::-webkit-scrollbar-thumb:hover{background:#e5e5e5}.widgetdiv{padding-top:0px !important;padding-bottom:20px}select{overflow:hidden;cursor:pointer;border:1px solid #ccc;background-image:url("/ui/themes/advanced/build/images/caret.png") !important;background-repeat:no-repeat;background-position:right;-webkit-appearance:none;-moz-appearance:none;appearance:none}#grid-log th[data-column-id=__timestamp__],#filter-log-entries th[data-column-id=__timestamp__]{min-width:3.5em}@media screen and (max-width: 767px){.table-responsive{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>tfoot>tr>td{white-space:normal}}label>input[type=checkbox],label>input[type=radio]{float:left;margin-right:.4em}input[type=checkbox],input[type=radio]{font:inherit;display:inline-flex;align-items:center;justify-content:center;width:20px;height:20px;margin:0;cursor:pointer;transition:border-color 150ms ease,background-color 150ms ease;transform:translateY(1px);color:#3f3f3f;border:1px solid #e4eaec;border-radius:.15em;background-color:#fff;-webkit-appearance:none;appearance:none}input[type=checkbox]::before,input[type=radio]::before{visibility:hidden;width:10px;height:10px;content:"";transition:transform 120ms ease-out 60ms,opacity 120ms ease-out,visibility 120ms ease-out;transform:scale(0.65);opacity:0;background-color:#fafafa;box-shadow:inset 1em 1em var(--form-control-color);clip-path:polygon(14% 44%, 0 65%, 50% 100%, 100% 16%, 80% 0%, 43% 62%)}input[type=checkbox]:checked,input[type=radio]:checked{border-color:#3498db;background-color:#3498db}input[type=checkbox]:checked::before,input[type=radio]:checked::before{visibility:visible;transform:scale(1);opacity:1;background-color:#fff}input[type=checkbox]:hover,input[type=radio]:hover{border-color:#3498db}input[type=checkbox]:disabled,input[type=radio]:disabled{cursor:not-allowed;color:var(--form-control-disabled);--form-control-color: var(--form-control-disabled)}input[type=radio]{border-radius:50%}div[data-for*=help_for]{font-size:.85em;font-style:italic;padding-top:.5em}#log-settings label[for^=act]{margin-right:1.5em}#log-settings table>tbody>tr>td{vertical-align:middle}#log-settings select#filterlogentries,#log-settings select#filterlogentriesupdateinterval{width:5em}#log-settings select#filterlogentriesinterfaces{min-width:100%;max-width:100%}[data-state=lightcoral]{background-color:#f08080}[data-state=white]{background-color:#fff}[data-state=red]{background-color:red}.tokens-container{margin-top:0px;margin-bottom:0px}.actionBar .btn.btn-default{color:#767676;border-color:#d8d8d8;background:#fafafa}.bootgrid-table td.select-cell{overflow:visible;width:30px !important}.act_toggle{font-size:15px}.fa.command-toggle{font-size:16px;padding-top:5px;vertical-align:middle}.form-control:hover{border-color:#d1e5f2}.table input[type=checkbox]{margin-top:-4px;margin-bottom:-4px}.table .btn-xs,.table .btn-group-xs>.btn{margin-top:-4px;margin-bottom:-4px}/*# sourceMappingURL=main.css.map */
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2 b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2
new file mode 100644
index 0000000000000000000000000000000000000000..fff3df969eda985038527443ec8cafc60780689e
GIT binary patch
literal 37924
zcmV)YK&-!aPew8T0RR910F)#E6951J0c^+s0F$%;0RR9100000000000000000000
z0000Qf>j%VuL>N-20utvK~jl724Fu^R6$gMH~@tNFKiJA3W23ifrfhvg){&#f{<nb
zHUcCAiev;J1%+G(APfgvby;x)YqwoKC*rmN&_C5#`J8_V+tq;1oBUQ8*5y+$j!n27
zC~DgK!sP$||J<Y^W2PM@v>RgxBC7vyC^OH&2$~GYQJotXFrs@>UqB-eT1;>12&kvH
zf<&de&T@w2jg(ufoGoN3Xzs+e3j=jO%ws!GoFfvc+|W|Vl~@9?rI}G9!UQrRY=k%L
zQWCb6KkaEAQ=BCSug8>a`ezgBX2N?R*6HZ7d^Q)jF3W{|t){<S67)!y-Wc=`Ga71J
zISBU8+ce&n%$6pR<LgQCBzcm&ZG!f5jDDEk+j|ML!`5b1y!$!bQSgV|Bk29jx5BcZ
z_y1K9apz%a!-)yU=3Ua~8>VN*dv?Aq>5_%30J|kV#14DNqtSn!*7VPP@6F7c*;y0B
zC9o0EiW|FGh#E=FNGir}sV7dII6sXLDn`sn_yck3Kg+@hM*%^E5g<SiK@>+J3b;g2
zhX}_oXJe^DoYhTf>UM7Gc5X&mc4NP^!8Yq<JKr7u*T3U>{EchbKeo@`aT|YQ9cz6%
zF7x{Nt=G93NoXQkC-qMhq9h6!5N3S*SNG?pmo~sfyNC;mMqqa%v{4nnj0i>OGMRrE
zm&*Jj6d?-*2qKy;kf8wY<795?CeF=i;-=1>lb!@Gbz3iWQ@8a}uQ^HG%xm4&bYA9d
zW;LnVta7`0PnXyGO5XbaW1Ia2BSy<~aQPj6Ki%yttLGo*FRRSD{%u<dILmHlS?LVj
znU3vHrIsp{)QOnZh*1MRG1Z8vJZlUQBL)ZnQBXSTkz`x^3J6dfLDpCp#Ryo802u^c
zNo#u{vJoJI_yq`1f&zk=MEu&wd44M8`<?f9-rvc&s;Hc+&iA|Oe19HamG8>=9W6Zn
zfBElecS`%cf&^oQ|MG~$vi!`OmkJcX7*v7)wb?xUXVbp>s;avs+4{`k4<}rZ#-2H6
z<K+wh!+w^R5JF%KnN{;O=QrE>uf=qKD(RStI2vLwnIB0c3Gt(%f})N%5+qo*)N<QB
z)?=&h-s-W|(*n=){*~tjaw(P?MA+T@3HU=+a;Z|NS&}7Hv{Q!f{Qs1jf8Wexfg}X?
z{3Bg<`Vak|ztjEAO9IqG{q%3!`X)2LsH2WJV$=~w93j9c0S5>)LV$>=vP2GTBaJq#
zxbx5Nw$L&><n5m$mZK&Up`WYcbeu!c40FzzbIdj~48t7v*gkTe!)$ZU4C`<tnH=$>
z<Frc0^;4--I$h~1yLY*JW<?KiA~-;pnSPM&GVOha(Z4w|XXcbhP<E6UW;Tt}BYes^
zwFx|}nV4d9ULDoZSqF7+2Y1TU0eYejxbF_`JC{j)1_a9Bb}CRzA*O>p+w-s=ASk>t
z-ExNx<`sJ1=O7+51KJh}{MM<}009RG?cbrh&VM6G*J3DxRcxb>0w<7tv_u5J#A9og
zxM<j)k>+>6%tO`^R@=hCQgzGWeC)IN)K2MBh6SOW#kop$u6+UptN_@(D?PJ2YJ{;H
z8#?%VQ?1hf077ietU-^)^m=G^x!YPx&eUG4q1M~V&-#z<2HOE*6A&aAVg!&QU4usR
z0T6QyK-?inQA3fE)>-!f3|CEZGzSrs;acmmGsc8_7fo$6;e{8(7i7+)&V=zs;U$5O
z@2|OD`!}B*6eX)~OaahVR#shK_DTS@vYoxnZho?RTL=}Hyd$fVYguhBs=&h3|8LqW
zou{{Vo9i6e9m%x-*11y=){bV&+qYxImW$ToF0^T_L&G1VoS@KBaR?4zK_CF~@ch^E
zn|^ahsma2xT(9VvjklVVn!*?gwe=+-T7$DBC;-jG^Ug{5@Of%_Liw%)#wfv`(FY%Y
zvmWlATJeQi$lFSojS<s>f2|sujCh}TbMxJ(`sPKj_j0$IMkGk^hagU<ky@#_d#@8J
zV!5VzfW!wa4mY{g|IL3h=H0bl1-nLWtl+I6A|fKM$JlG1nAYy+H?NoLrq(7_2`C~U
zBBD%;-9dJhc5>L_r1JAYf#A5<3ZK@169XoeYGZ;Fll(%8+x%LJyYx%(xIaqqTxC<t
zVN)DqQ=Dc^^s*-U+$1&*BynD0(_|l;FOBZW^5g#-hX7*91IPtX3E)-$YXJNx1$!Sb
z03e721OS0oekixG697R)Icmfc$rR0UJQ74nR<-Pgj^PeBMOQH#FGwhzFYr+S41fmw
zS%f-rG?G!P9ExOGl4ZF`6|IUbnN^#<%qcmJ87-f0<)9P;1eN7V2Mh=S2^k$r7!aay
zg^~bri6D~Dq#zgs`u6<>DFA~242a$mPx4SM(RqZ2FdRN`{0LbL*zf=V2!J7BxWobI
zvmgM900sfj?6T+)Aml}%We~3JCx+SSAh3w^5@%)9jp%I3=!{G&8`#n8cy^QRH{DMl
zWso!^LWgB=NcBkK1Y|1VoK}dOL|#YUwSVO{E&}l#6ddwVoet)x!)=G30|g~?N_Jv9
z-F616z0Swn{}Ruc?>y(s67rCX0@zb7ER8QPTy<m=ox>I3MzJ#7#?dnF2i&INL*@zh
zyY8{>*4X|o^yI`&y3cL*LTy&G3>pSl+h>3T81t1US(HF$YrAOMq*+ojADgpFxy-L5
zT5HMWwKI;7Oj&=nD<$~54~2^mNN2oFzl;q%U%?O-$fTayiRP6`t+wyM{>(=nqv%N<
zGCDasxQ~1T99sM9Mui}|Wk}vK9m%%9+DF(tn#EAOnabywhy84r>k)4YAgZ0Fo$IRb
zk><z~-5*^+J)^2%NNNabC~NMZi!tn6zf5@WDXD-xZs#6kLhXpdyz)k5seRj$jIw_s
z=W;5#wrO7CxshX@J0X{EkZfejV$p4Oe!S@rZlTo`SsZCiLAC(V{@DOUMu-2*Y9`Ax
zxh<WqJY2YLt}ClH%P3b`>Vp~ow+creoh_(HR_61AGxt=;tl9svLB}n)z&Kw)g*r3H
zHBGC@&@EDwwf*UT>%|}aNYm9_U;BEsp8_o<9uvDiie8#(<z|sQ9Ho%Dndp*IIP1t2
z@U&aG5+!qlK~He45hRB1^iK(pR{66C&aAl<r4znQL@S|5@zxN_0z)xr{Srvjts?(F
zw`(f&VW+>IYoJ~BbDHTA_8Y0YR)SZU@XucZuK;z;ab?si8^n;;|1^_O&vbZ$xt&Xm
z)O`f|VS}xuMFCU%Q}CTkFQ#LM|EW3`(t!HlJG%5>KBoPSfF$KpM<D7a<;I>3v;1ZN
z86DDITp`2st!8P+or<Ac@r~&%rj=CBX@deS?EUu4{>@JHrI$)aOx*n>dMu-<h#x=`
zGf}h9(y=8O?e|W>5-2Z&FEbG)O;R#)GD<E=1@;Bs@f!D@kn!%FKAHimj>c%;CrKN7
zNaZT(6EmBBb%X0vSmV*x3uwKO6xRSp9sEDxm^=;KeW<DWaAg~gNx_{;>uDqHu;4wL
z#5*gKg710z@R}#>7UeHFJ;Q2q%{8sZIAkL(T(u!f*q8GKLT+i+Nm1u5Ntm+ya_Uvl
z))PIbM&*W%?~v_^+MLvKy!*SwWjG!x3UcWly%P0czjNK+RLY1vz)kxlvS-<t@NLdn
z;gM|1urckSLC9w$@*iPw=_xq~J%3~XL^2clrWuxS%Rf7x=`(XsI6q=$D#S#jg=I>T
z8g;rpmMw8~9{@dz;1Y6sw8JvlA&AK!XNJcK+NS@Tt7)WrW>D)g#-dRrd`tJFI;3Te
zC~46%WPTtoGdYzln4>_~5)6DcN$Ap*AnRJEwoy{MJYU?bsfNNDnbqUc(rK$0k8OVp
z)oC|2qNa)06oRY$pRPx>O*uWka3(!yN8Wb%Al|_oKcZ)qy#N;*z0V}c0Q~T*WB}mX
z$G29#t-Q1Hdw7!>@RHb%H6*0lkcwlQy+sB@`zK{5Bx&JTBz_enEH3_Dd8LQJ<b0&$
z`_CJ6_2~=~X71O{D@(%5*lRq+U9<z~ZPyN+>J5^b?BwOt4so@mbp&0G*F#Oh>+BfH
zhJlUc)q*Y_O#9Ps2vcw05G1nfc&-CqI^Wn3&nskt?R|y`?QA2bJP*!tmd|V?Nl%kS
zJhCP@|9%!)hlCULz1U9{V1VDwdMn>X-dqXb?Rj>Er;mip=6i@Fczm`8Z|lAkUxYb@
z0~JSJLH5tQ9q>&Rfu)@rbQhJqGej(tg2Dfz#!dgTF|c6brW6Yl<y1mbMKv{}#-mNU
z4xPGm>v2Y}0fUB6hK(3CX555HG$?FI#IhC0S*xN1Yu0VpB1utXWaSi<lo=|jY;~%p
z2$7`GF1u;=XxE`rmu@{yunicLFl5B2l#82(myfTXKcq~^6iSs^qt)pRMw8j%kd;?d
zWXVc4vXg_8i<^g6yksdt5uCJ2n>;Qq`L;YEKawAlW_hOspuHmj_zCbj;Wsy+j6~NN
z8#&){Ph8)#0_Y+UD+yC92t9OcePh&E$7s8<?p8T_XrF0!>4ovH&ZzT}p+#@6MkjWu
z)@M2-=vCmW`3`-sNkbiY9s5?#KeVnBht=Kc#_#ek&QpGUSEq$7Da}(USdHV=y`{~_
z;i)SC_c(ZM7R13%;b<tIFhe3{I|i*f6)6Ayn$G+gSa7N-&~+VDazA~C#5_}He1HDH
zG-OG6l+P!n-d^S%qa7evGIfV5j8I?XXPj|posii`KopE+>_jDfGIG~@8Ln_beQMTJ
zNk00KMTV}ZqahM`9nGk+0XkK`;JOc<L;$!y;|KUbe(0%hb+qpUSDf@aq@UPmTM)`g
zo92l(2*A2#AAxs>KCtNCpwy9ec2i78neCLFu-pIbv){q3gKf?~z1-b<I+U}ea@7P3
z5JspxroA{C0GeW|X<RNb-3)Fs)t;{D>4l*V>Wwmb8M6Z_6O@2yp6ffYOVATIkJE#J
z3CnPTLZy*nlBb*!UsK6uZJAGMY0KId`*C09o4L%luztV7Xf%K^#u;zIF<*Pw(XO~c
z`~;1gzH99ePx>wLRQX~K^Ck7>vUG??uFauRcgMmACn!`JnV6%MDuq;&8nybVQ!khS
zeq<mFGT0D94Kv)xHa5V|XDl|?<XX7S^=@!eZrKNq<_WZC`iHZjyKAeuTewG=S!)p;
zt+D%>vZVX*#_s9UXWV#=XTv0AV`fwPu2X(!KXov>_R>LVVE?*fsa!Py1B4MOZ!ztF
znMk*R-FuQab%m6se6CXwa&IrW4<7JfJ=EtDRUn_T`Ha$r_It<qQ#XH;fBd`rH)(R;
zvDK$fAB)9eu~_R6rD5_+|CnN|^@+9*5?a%149^G(l}7H@C;_Y~+8xcQ>S)z2YJ7eY
zpT?j!T{6F3Gw-KA<Xc$(*3Evu9rk|=8_;gag9}eS<N@-ahx*HfbroD5Hj2}lwz58d
zgeyvGX8qC2i|f|P^>jKqzn=)EsH}*2>tId`cU}?-v#~=VvdFw(I^WojH*Ke5sdlI9
zyZ<8zcmF_#_U<1dXzch9LsPFF7Gf!2x{3Al5G~g79sm>sOa%f%r)!226e_J`Uz%Dx
zoo1QUngh6p&m$clny~h)PJ~aR!dW*4VCjN}V4Jk}*=~o%L$jhzO3^LJK!H?xnTQ~3
zLq72*ZFr&_xb3KERcq^V7Gut1i9C`dOOYx~x(u1JH!JxmfI>xzQ!>&QoEYyWMiy-<
zCewoHZgg|*)yf0#poj9zaP!%{yD~9oOfhMs(d0wr^GVd!4tFx$ls}Na%8xyrd5Ls1
z)9J$B)h8)=*&wB}4$PLk9D)x*&LbZ6DJ?#2r(Ig@=B_vBPyeVnGlK77FXkFZPTq&K
zXZlz6Z2!4E*YD~1U@zEdFZK*yno!*9*Jq})4NV4K05KQ|Hd;?K2?hoR1_lLH+uIj~
z`Gwf@wT_)$zVZi>7Rf~yAr|0~nDCU2Tg8x<`K%I*OnC|wOX%+;Atu1)VG16VCh@JB
zro`uFs?#h-i`sv+*?jG`K-b}gdh|JKKug}hNokvpDaTJ;v4Y4ZtIdgBV~Jm$zvh0^
zH!s{m@BCDc_k48X25hJu^34wW@n=u_O@*(@7)os`rTnSwRb{uMVJ*4a<g&p-H1O}0
zMJD<9cXEKt(xjsh$ew7(kcn_KpG#SIX0|9f3~26KV~NHc3y4goaIYu&?uFtAmbK+9
zwgRy@TFF;P`SB_>eEP9sZ@c~wcE*7Ku0?Tw@chI|bz&7osU0ZsO>ftnT(?sJFF-`v
zvGC{=seq(f1W5*gJuwCXkj6{M0Kj|~=#5$H;8;}SYzVfiC3v776U5dMKq-~EMg2i4
zb#Od(Vz@UMe7vUMgZaz`Z8DY;fPxANzU;lp)z^lh{1(3yn+87Cktn{ibn?y!+dTtA
z%ruvo<{`Eni>dAM{Y6L#1AE(5sb<$2E7u#?3lrrlQ!2Cc+uJp>Z*<XOYz^ReY03Qz
z##piG+i~K8y05?kT(p>rBh~esmMh+X4SZ&IwJ0Q5$H!F)uzLldT;<+bfNVL8lfefl
z*Eb7N-c~Rt{cR8=Nv0tq?xR{pJSEH&5|wW<x-7B`C=RN$$pKNI+;<onDmFw*IR}j5
z39&YE#Zs324uLJh%65k^sO7xFu$3HKu{?JOoii4&R?=XmWuB)>9vDBdDE&Mqk{Ixc
z8>}WK(JH9?cL*0t5=u%;RA6u<6_qlWX`%!i;^PhF7|g-ALEQ$4MilC{6U7JXfNlHT
zc+WfGfFG=7$Ns&!PVfUZ9lZwU|Bz-ju0LY){v64pPF!=G|9#ABl&vRhInsaug0sG`
z#t4)qNyZ=t&CmjE&<+LoIuyU0x}`_@q+k9+SQJGu^d9;(`Yrl^X}5L7)$O_ZAKQM`
z_%CfwN&-M5kcvf;iXjI8K?2NaCc1~vtlsCKp<_9FJ4u}%nQK{eGDXI59K6)u_I$If
zhjeEnwsR_c&xLki2M(gA)w{xGLozBcF1?dfXaXWwi20!zSebqbY2U+(g{{l1Rso-0
z`Fy*N$n<Zox3hN9-fgGt{dSIhm;DVpU$s<qntbiy+I|kr?dHCZ_VQodt32fy@6wxo
z*!%kx3aT$m7M@?^m;Kd!v!C%f-?#7YPc99Xu7C8;_<R1PfBm2RHwF_{Ewl2Ul&PNC
zSsHu3439z)h!n!RKUZ5=K^&Y>haU7jcuDBfk@F~bLL7^QdU<T{xERl`JeHpSM?CB4
z{@jydL^;bmFBr&Qeqd5lxPhX~Lj+KRjITs4&l2R~kvQ3^mlBKz&Pwnaw31*x)Fp)@
z(4hod%}^DNNqg&XER9snB&c_S>$`T4bcd1?JhxMYP6#TMTD~7x|J6|l=Y?0!-N#Z*
z>m}UFD+`>1VxpURq(^Fmz#Vm*BzN@KYLufm&3Wf${QEU8Dus#SM1CSWkprtcvg7|&
zgqQ$)06!oA2m(TY7$6Ra0>Xd@E}mW>>pY)ScL#CG6t~gLz*5~UX*UBnwybH*x{0{X
z_Z>(|M}*fsos42<;0zSxntZ%Z@@W(<t#vJTqEnT;>Q2jg{CwpYO~V1_0h!#v!vJKj
zS_VvrYfg!mL<%=BB(T;T+&z6Ha$W*NT3R%<g|OIV6C1)nYM~5?3+fpYhtv|n6emHj
zV*fU%{<XL)&=G{ISep1<lm&NlQaq@Jv(?HzsfqezNN~dCSyuBVOFR!aoJ$IRvB5X`
zn&1}MAnxP2=Q)1NKD$uiuB-=>B0W%zWZak2apOM6^c>Dw{R#f_Fe@mJj$?a*LQkq|
zm|6vTT*6Fp7fXbZ1YAo<b`ls9SkHx~y1^@%&!s3rf-U(6^4@5=@a&6BN>JuCV+6UP
zvKv99LYd+p%vNPm3|VabMa-)3QOM@&x8ju7%4-2R^$iJfRN1c~w>~I^JXOY3<UNro
zX0lH5$gi{I+(c1b2?cey0)u)^Ky*4oVXbylVHX;&IH8K78iGom8gcAdNAW@eS9Jq^
z-Ly)si>Ht?9w%+8p|s{op#f2Yf-1`DXHuyklUae*QC^>xMnf{+uV4$PVo~_p6;nam
zf2y2^_L^SF#|Q0(Bt&IHbI_3&=h`Lji~*)$*b`OFgILq-MbDU4+u2uePKOr_phih9
zsVpNp%7RN=ONRxTl0H>b(|&3ep+P`Vq;$|aJxS0dnNspX1E^OtffXI|@n{=pLOZwY
zb1I0_-HH?_Hu5esfQ(?k9&uBlWH8OdhT52o^R<N0)Xr;7tA1Pe%0e-_<5NIxP00fd
z_VhY6dvY3EtH((V?lPX=Jd&u&R9?PS`U(DPHVuRL)k_8l44Q)cmaxi(>8dZbk!@Jo
zv2jG|P;0-(UY-7L-_U*s9K6&2wTGqnA}zNP>TIh;6G%>eI%-$%0FnAlNF<BhwX=Cf
zwj8vd2@(HS{?B!YUa@Hk_-EBDh0ZEctVF3Y<tj|uVykTk6K67ssoKB_El6a%<$E(9
ze?~s1cH#x=ow`Yj&)!4Rc4^(ah~o`!`|-;+e%&XIzWC*@BPHm~B`2wXLQoZ;vyb4i
zLD$AI#4TZqDn=^{FilFil2)px@R8qu4Z|x=;FNnIm@4h9JMsuN-i*VA3dR<?O`@O_
zr7bdPwvZ!f_BNG#(>&}j^NqN{6PCO{ammXBEWalV-`~7qUSQQ%B&%{Htv2BCbeO{V
zbjBYW-cjW~;!Ehv5(j;LP)H>s2+X3eggNi<f{*i?tNegZWR2fm4J~!;l?f$8?c@#%
zbR<lmZIZKHVy4R$J#Uq%h2QXb9@7iI$4Zmt;%HPkn;-PxycvOtNQuZ(lly5#3ZB43
zlR_?K)B&j=vxvbOZ<*u^OYD#{CQ6X9bY&nbIosQ?Bb{LSOe$y0DUUewqt2PZ!=CZs
z4mMk(AKz>$Qk!JDT<i@M8foOOk}M{WSXe_(0T%C><{K;Qpc@sH5G6?&>1XfASW$>V
z95V`0h~Ap{#h5poMP-VCmbbcfC%ENblHRf&Q~m$;6s>KtE$kTYP(w>v@`I!y6OpnI
zEz7a;KGXS@mGBA&7AHkDP>f;|*ZMcS3C%2{)#W=?)MM3qzIHjCFWQZ6EGi)-A>TCH
z{$|!F>$&hoZ_4Iw+14%G%F4UA#;)z#o!l?Gv^$$SOp?%*yKXn=R^9o0FZAM$euY<g
zBPZPKDYtayt>4F+y&t!BuKC?)<2b-^J*`R^Y~N58=hZWqJ<i3pmX^*W$8;J*WAWC>
za)^doOpq+lEVINQDY9H#w`W8(!4XY_o#+A)xCts?5wyVTTKW#3z4qW0XCB=+;Wt9@
z1AlfVJ9C}o&S0LwMVC@;W!2TuP{(6+t0%o}vM(*QQw~Phx?)}Fu0mI}YY<;l(UN2;
zgs9V|&p{`#-0;8)?@i)Dt>MYtL>$DUJKmk{&Ucr)>)b=`d+MW~^vvhK<dq{7yvqj&
zfv=&>=M;hOW1H6)t2f_O*Hjl9XEVo@%?}G#us-hF?>ZA}qbz9V+7)mmwpqZpOTr)=
zLEAmZt1OGegIUOxYNi**hU8r5d{=+3FLssId}$q?{)HdEVPBoyV53TN8zjklBT%V6
zqV3H+u9k(j*)!I1r`8o`+Rq|WgV&ZROzbO&{WWGyAd{~tZzL{6w#pqJZFiwE^r#e8
z7}Jh@5l1jB#27Fn#FXaV=&plq>ce?AdrzD*o_$N#z$YfLyD)_gUAj5j|D}7@`tldC
zb-Kf&fw39)3lvVQE`LS^$Uwbg=__{Vrt@p=N70!+v%Mf`zU?;X{HCAmW{uW5?Z&9m
zK>@NLEX=5w)ylmM8Z~L2gyqFDtEb(~wlOf`Wa%g9kTdS%#yUXSKcWehhn&f`$&{28
zaV{2goz8$aITD=+U^L4ZQC^Q?J<7@`l2J~J?pl;lqnjGVN^~kwBw|Yu-FckLqZ^Bu
zbE4<%fQZAi@6Xi}-g6Uw#Z|*F3P_+>FSpOjW3jCNZ}NL|(1oLr-RC(9*+?WwNs<5n
zFf+5-ci)el=VA)Aw|aDk<`oR1fCR#*PLd=E002<@rY!C}KDCQ6hEROPw>n{$6P^Qw
zY_8oo=Nw6rk|Y5DU}k37Ij?u&C^R|eoO2{eN|FQsfSH*!kt9iyBuSDaNs=T<lB6U_
zk|arzBuSDaNs=T1001na&_t4?BuM}OGywq2%*@OdQD`DbQj#P90L;v6QOAbGmoYxa
zK?Hc=T5vcV4hJEG5F&&SLI3~&0ES^0#?xZ%_*h%M^~61Pse5#i<`=#HYS=LrO*q-c
zJ=Q^k^pm4}rA|6{BMne`+C~LlE&Tw$?38voJDuDazGd$7)Q^+6>LutzCpxL~u_tJd
zQSyCvWwcOj!Cf~`42T@*&vCSKBJEw<OCf$9KrV8x6vX7I<3d906&tD)^;*;X4TC}!
zCWRimbzl>al6vYBltLX0hu!JF0J7WE=Rb+t$%b$q@NB4HhYqj)IZ&*;SbOa5k@~Yg
zx?K9+M<?sA;46Q+ar^Wm({(p~b>m+*>u>(<=HG7r>2CeK-#z%%!$SP)4~q}!hrJK`
z9``<NoiEJyJ*Qu`B{~+`k``x8+LP3~nE%VCuYW3jqCfR~E2N1`R=sDeS-V#I%2@xm
zj*-=M%<D<)jPE?t-#_N3ryd)f+Se?%Y#)($2r>uTlLG~)d|9rLuPylNKK1QB{nj#{
z*qOa;ZhjW1&jIuKfL;K>3qXAZXs<!=67CIPzX5R%Ak_!bn*hEAq_+Ti2bk|b!V_S;
z2e|iv^8ti@2+l`<`6Ni61nrX`e-^CIg7rmEzX|>~LH;hFAA<WsQ!EGgr>2P|;Qj=k
z0HJLu_t^4fFN%J6-!NZkl-B-;_FI&?tudLi%JEKVz2a5Ml0+%UT}gA6EFvJ#P`yQe
z=n+?XM4m;{eE|u2Nt-N3lmhCz7Qp)~Y?7z!IeS625?hQ8$YaplY`yqHVv{D>SHbqP
zokvY~!l}L-C--z(!a{l6>|~?rq|J2hnsdJE?*#!*Ie%}Sk6+O@r<0@RUZ%{>){L<^
zy;zqo!(GEl;enPmOIEL!F$)$V%-OAOrigfEEGVp&LU#5hhp@WlCa9m7`D-l1)2j&2
z2Hgq?th<-cipyElO%P!ys%mKdyb~n-DfiyCrXja!Wy|GDjdP8wiX+NQPUICWC|*(%
zMl}{I5=HmQ*YmaB5Y?tIS41;^9=^O_i|%Bc8x+q6_B=*~k_jSGDN_oKB$<@NAd@O9
zY8u#deA@~X)@d+>MJ}K`nrxeQ*uudbQ@Es1`A%|yym%_8L`KUl5L&*)H$b%XUvscC
zU%~gm+ssfnexhPt1_0n)g6)L6wrvK>mn-J4A9w+dVJ11c9{{T&4J1+v^s<&P01sw>
zRFLZrWjo~o;Gstx>69!6JTUNxxcm^U&j3~m0CWj{pgd{@33jINz)#M^FCzfh+w~2X
ziiV>uvw0`aksWopor%}jhxHu904;rACje%md+I{YqPF`7s$oE3(f+?$w(_R?@=Q+J
zOy-jLs(EQU!c1T$F>a=Usb=b!2Bw*5W1OCT&(s}twf}m@+jo}aD%%1iBGATo9F!j0
zx%1CIgP|Dunl~}6`e-^GbAC2od2qR_{QbYRFMoFVGx9WmuGbWvFT7oNw$M=s75@9v
zouy|_y%@Y0VV)vIHGnDJY(0QpmE_O0N-r=kow3vfT&a02aeiLD)-xTx(d)9#<!WJQ
z{AB-ZIVK4@gUQCt!^?M90X^wH0)d=cCOYpS&}gM*JsLgLRkkYqAt2cwRM#fmP2eK^
z_zQ%Ca3@KnwAUS~CS97{smwBIGIU7S?R`1^@V6fv@{Si3`pYiI9GB%zYuYPu)IWYK
zz54c85&ieHag0W?uyb&735XKS-zi%6L%75g$#zJ6+A2JP=%i{j>eZ?fWXBPT6NkGZ
zMA4EZ9U>GKm4n=Jjc8;sBB7>8?jbi6bMDrez*t0|&Xgpkld7{8L13cXMnM-6vko3z
z8btfy2*PD8T`BFRs~P@=u5DrWQm^;$QFLPqzbSCDUVB1aI{^279)NuapeF*J1tdM7
zYyfcv04NyIw;X}t3Sy9J0liMeIYg3%Tm{p4HVu(j_?ek>ljNPPvW{>mXQhtDHI-X{
zB)w_0bFr>+1r|^WxvjJF>G~!Lq^paj;qo66RK-bTFYCy?NzLU0ZO0Tl86Ub>_frrn
z$>p){C2&f&Wxk9%?Cpd4c4PEbX1LYuH%YN|k-T;KDCbUoTLj_Sc>58=J0&(%)F9jJ
zM=Ek_FV2+!?VZhJ?u};N9w9+o=4vr(>{5C)%qxi+B&&LJO`a-Uw(jfoGEU-Jp$j}=
zMCj`;6&AHpGJn32RxMJ@b0()+qSGi->{#$n`bL{I$h=!~UK4Mq*2p(b;gp#qB1HiX
z{{05GnkRVlDx8ag^dU=sIKo=sNT4uQSPPPt$aT*12#cv@rD2<;@c0D`A8SbIUM<_?
zWelA1LHTTg`tCHOxC7h9bqy*tRt!lg?=2RBxl6^E@?>OQ>`TvqfJwhgT8XyGk%=J8
zziUzw7R;vzIdleN*AsvMlCGZe&Jio21i1+Kz2J?X1es+FAdY*}@*0;=H|tB;n%?8R
zTj3z$h$x}R+X~7ebZ#``@6v(c3Kqz_DlXl6F|Cw;ap1iZ@t&2Db0g`$p4JH#mNOM7
zELb<eN(0uC7%sXZ&gA@!4}_$EVR$mZ0CKq+h3^iosL!lCh=y!w7&h!Q+3iTGs~EBE
zgeWT?IbRnf(GUl=0&T2vGd-R%0tmV-Qzi)+a^(FsQTg3wxskL(><9O(j4p32XLUk#
zcEqxG|2(CV*!DgBcWC)2QzGZR)B?G9*Q2aUOS0{};PGWe&nBB{F6C}Cj;o!Z*Kd`R
z#*GAkJA0ng0Z=BZb?s}B)M-<B$vPQIP+(#dS@FRbv%YIkY=k$%b5-X=WeA2;COUMF
z5@(J1&47lC5~6^K;IJew?+(n{j}9J}Y3uf0&_5ug&wXF0V7!JNTC12pC7N!P%}$9f
z5p7)`&90Y~UT$l2egqI=P-s2?ii?<}>QmZocU*B3Rfei&ap4|+R_wE~w_Vl(!E&yh
z3xiW=84T-&>a<~q8n_PiqyaxEz2UFYdG50%q>m*LPI4Px)d`8SEy5kL19}jAw4%`7
znfRldCKbC4kgu~(x(H&I!R;B}2;(`V@ub4BV>BQw2?@f!0SybZFea37Ai&Dt<4!RG
z(f-7yCnm~9?Sh{<zSb9HD)xF;nVqT>RzDEd)#qUAjA-l<fx*=aL<TzsS%W^ij$?=k
z)Y<CEXlG1&^^U1=eCi4g-1I{uOm&5Elq!y&ftP|O;xB1vgjKRMolsUfGp<^UH<IUj
zLxYPK-8KmMOr~oRCLEbY=L8=S949b87WJQplMjIXAj&Kf>=M6-`i4BnT`+hjIT2`B
zs|m9;4aAU}o}@9%$qu6K?(3ahwYQ`8_jadqXS13ElYxjfRUa3=RSWw^oTH$R5f}(S
z*wPf8oQO$(M{Bv}F*nxIS=}}x$9iLVdx{4$vraXR1-ry5k|CA)+%C6Mzv{K!sdO}%
zoowu^XoDjfA3})sU0oc?o{zzntwHkMGwB++6z|O6a$}*`Wi}3tpW^QgNw-K2O(o)8
z^{fyHs)%{%Rz{(b<_*6`NgKG$c-^X~i@d%FLb(9}SYcOX$)V&{w@Fg#eGy4-sF*us
zAcB+btk;Q0)>m%>7wKAO!vg<f1*YBzJeO&0Q*+6!oyu(~fq19jtSCs^ZJL{c7rbey
z6KO-|jikmnlR^v}Pf0LuT|rHfX(ev8zCXxAS65yjN+AJ(Yzr3pI;_)6?p;~snmO)9
z<VNeN334v(-t*IYC<f4E>+KP@tVCbR`q>&bSjAaw2mVku-qq@TW3YfFNC4M=r763b
zD3-{rfbqs~nMx7e<~LkP=$qC^(SI4;#N|)WlksVxvF3l%H}ODO4Pqy#MWNulq7{bG
zK<rQ_U&e%Rpj!~b*<b6hU^--wIbWi(wmz`N#_Kplm~t%;+Pi9dr?uB-TGQ&{WP^8c
zBZ0j<&*Q&{jWAA3ol~vmujI6bB*A93@w<<k$&cVJaY}E^GcJ?Zqy@(m>?^5NBq=(J
z9&FQno615;w-d9KZJIQ=wPH5dk$oOKa|Sd#bv&kGbGk9NH)1&!X(5jR2wYg5C@8nu
zqkhq3uav*67tZ5K9vr>TiOE*&TwZV-yJH_wS%=4wXCKiX^8OCtezwoB<9HWnAEjd+
z!UNk8)0KO8-*v4_!VE@UAjm52vt4FQDoK8{FALO1fxwG$a!$rPT5fi_a?c*k^;{y_
z=uD%8utw8qx}&-gfL;dL`7UGZ@#{X#ucYg1+3Fn6tS2k0@!G8PwXJ%X!e#ZLXVlxC
zr8x)jeTS1z(t_g~ujGLzB;Xox-HcXDL2u)^ux6xcY2eeiZp>@<#tmhqUPgPoxXe4M
z&pq!A;a%KA58P?&h0Ncb)BUOJN(Xt%^oDNWyROh8oK%B-Ef;Kzf&dS7H`O}V%Xda&
z9(m0s>d|;jqQL0yS6r_~8=0VIX2<nZ0Cs!zE76a2NK4xaohb>NCwA7p?!_An{w<ro
zRx09A)P~>emWH%~>pT+NZdWZj@g`9St$=nq=M;H`<J<PTXg%c2_{kBfK>#aV9P;R}
z9BJ@HVbm}C`Vr_P4_ux|3B-XzxyA`s2du$s_Xc=}VkWUJH$3@Vy6nMZhJO%IsHXX@
zhqq4Gx@o}QmJD}-V_fhTfq?lYb`uQFJ==rl_>##tGAjgeJ%e1CHF0|<;gS|TF-eU!
z)Dg?}*>;-PNs>H3(xj!&y{(Kia>hJ383>`mdsPVX-qvT7i=jhUbiH0l?oP+s-njS9
z*g9HGxQEre-jFRlyAs{HvMuLk2)B6?WEe_<>d71{+HdR1ZXEotMqB-@IR3&hqKUm5
zbYvyD5O9~7!=J*F=;c`&7G?sHUOSX;TC$lV^t9&*K81Q+%Amw=r$``D*TUWV=@gf-
z@7zfW;%O7OC8CQ|Y<wk2d!3jNf4oK*9>p16ldhxY$W!b5|1?TK0E-t=`lgpS%!5(w
zb55_lr$t@ME2YfQCjv`N2uk6l@Z&zYsZ-vLhir3ubJJ=0hj{#^Hq52Y?N4_8t){Ic
zK3S6>?DhIQIrHwvP6%rbQ($fM#zyCzFt~0*@YA54_a>GE33m9pKl9g?_k-VT0qRHu
zyKq^hs^Hs7MsQyp-cJ>V*>))<=Lx&1_-kJI=l@pLzWg{|K#CNIqVhL87b!x&s5WxJ
z*!bdY@Mt4#(;G!@Z;Bl=CypK)6U4~L0mB$2MmVmI%vOoq)L>SB|CI*~XqKtpTKthn
z#%x%c8S{^x>TjSt4j{zpyEYEbow9wtIQ;Fi70O>X5hwEJW;^lp<obL-=@E-}w<^SI
zn+)U>0wATx*_F1wNV%BpN(n2;_nNbGTbL?NtpO1VO^Xo4s)`@6iaURJY#>HXZZJlF
zY(k(=R|gw+*+~*Bh(Fkql)AX#Xxfr~<d;0gM<vI~t86u_SWvwYQ`2Q%_5!jZ?de9=
zfPFq5M&EC)_brn?)wZ+2Cfi=0E?3%CI@G-_z4m#_#?&*kddINn+5mTc4zb02s|KfU
z4l)%nO{WP=4&)<=m509|XHnyOJr57u0<8<*G6SZTe-nS(?sjv4Va5&d&%je$rH-Hb
zq%#T{-{#r#mBqn00?LR0V{{ruj@Ev(Gh(Mf<!GC?yS=RP<<vnAY_5+8fLOoWVP)xW
z*s>Uu)PZLUMkaQrb$@OCUT))VD+a0|m^m`r8Tok~@gwsy>ieb8ng12@s`sBeS9Q>k
z|8af)n~vG|z^ROkz$^2yT|yx1LmfkdK0j)O_7*{(95r`2C_*tN(ejLzu&Xub)vAWA
z9}HFxapyt<1?A|V3-g4|H@RF<!#;Y0);_5Q;M)Y0_HG>=ExhJOX~cQCQ!`u(49b?w
z(XeSJVRq8hicX%qbIY38w)FfTOBdLFZDHL_RC?LdV0tHo7@sqOj^6vr@gq`oYspby
zy<>XDxJ39xGy%xXdSWa9`-g$7?>vWaljB+9H>XkI<DX6dd-dj-_k8a{E9q}GB7J>d
zBYAJ?*bTXUu(NV5z@5|1EV%nt40^A*#ICLEx*-5{?WiutX~ee3E^5bvPDrwQTqz&t
z1Y5eL#^`h*<=g87C<NjbXs(SU16V{^qx0puUq$qfgd3H14s{jC{D+mmSDWW+tKP>J
z->hRqaQiVgPedseEAe-E9EU?{SR78z<>~|8PtaDybIcE?sLqo*!swI-7dCp972@OK
zN6=xnN+x4){n-0Y37UDZ^c_Ay@~tLVQeejUOx(AR#5WKB{)(h-g{u4}as#l9*lum(
zh7yVF(2zFRg*37Q!s~sa6HzYFsXjhtxS+;g_<;myt$6-9Fn9EqbHC=*#niXx%R}+|
z?-5vwf;{5FcoMC2u_)$ob|F7){a$7nrp_cLYA^b^jc#HO|Ht*{$z?{uq+9Z}BXM~l
zw@ySVAm#7I0#e=1Wp__Da;kZEi(T%&+OgY27HqFCxBP$Kp7NhK6wOl~oXN-4O&z?_
zf&aYGLD)YvSu=<W&2H3OliFg1Lqu9x%?y(u$7SQBXQFi#q6)kuuu-l1<_lfnum0x|
z&8{u8rBXWXDVMLQlP<EEMc2y`B>6)W+3UMXf@^IeQdGRxlna>m!Lu+-X-)2*>L6@<
z?!X_sGF8XN1!va7Hr9Y7t!OreW)I>LZ<UE^!XbPfUQ(o1)Xg;Dq}g18+>8!PQ(BL0
zr+K)wH6F?A+OjH{M>&w%QTZu|;r9ARR?FA^thJ~HbN0EN`2eVcQpUhlzgWK*jXt{t
zm8Zr@#H0iu(*sNhw(si{c8NZEjQ-;Wa<516=%-I6Ently>4K2D(E|g$==HUZkb{#`
zbpl*SX1&_R3!nzJ4sGUA6{K9tM7iN#dOPudMCBEAGxfMFCX28!Qv@`FOy(MpD5}Ra
z`F_c{mUo$XU?#aXd0~96i+VncGzRX2iUKP6t-$_93<80}*r#Q*e7?QPYk;^x#hYq>
zdgjZpOH=VR3Tmd<3p2_1>?B!73W@oLmq_Urw)N>P+=BfhItC=>p6SW&U7X`0CeW+}
z#UcyO^R(*GPrp-G*Kn=SA{}a({H~<q`ZiGHSmSy}Dzn*xQ?+l_W9dDt{NUCwEH8di
zd{!l0fx1%0XTHtO1=FR?xv^{9ctKb=)r4v-TU_PiKdiqW?zQE7Bz*ltgkiIEt97A0
zOtz^hZ2Q8I)}nCO3q>~G=Iw4T$bnIsBQqw}N7%`jyxd_AH~_XDNB52ZslC{U9j^Bi
z>=+mv1Orbn+hedEHcia{bZc(BxLvfiF9T09&fi!v(8KX7rA6v)5{Aczd=&KW=LZwm
zq(v}3(tXRy#Faol9Z@<;!~5ri7id2>|IcuKv7J%3q?j`N&UoRF=!yBhjG>Imj;Rv7
zM;tj(eaq@^!|9uCc~!H2A7H<bo`v&l8|$n4ZZP=0iaE{ixC6r<$_-&tyEf(SwpIVN
zR0&tbFJfB#{F(`^cm6vsT&0Cq5z*Y>iiz2d=EaNEVA~iluLg7U-0QeCpuA47#06`a
z98`Oze=F5@7lJV1n>mmVoEf!b4X7w6w2b<k&98Wpo#QZDc8||i`=1ZU9MLpwtt5*y
zJ`qWyO+<NrW-}tKaPsj-+2?J<*{4z!^l)`*cOzK06(CxggW7}ATO7cqd%6J%V>JBs
zAZs`}U9%ad-;_!-)rbIUjUeu!>V|&YavyuUp|7_v9Z<bBW|x}PlCKI~o=7@EJ({AM
z55fF|k~z70G&z^q>r(gjk_fQ%#l`SmHe+C+uHwvbQ)z!FSqyBqY-)`vhcoiw@z!QJ
zHrudY!b7MSS|;)dXH%)+og)7-D43`*jZc@@Ro^HYa~{`^U*fpjeMrBNq%zV=?MJ7i
zXuytU4CoqazfX(k>N<l`R3x&-WjDJ*j$fR=Rduxh|FSGEU`zD1R$ZwL{aR5N@ZoX|
zP`m}K1+C~-AF*qY**dC=-zoJZ0_N3|dEQ<Cnh^kl2|g22H5<9~8<0%k7Jl@PWp5Vc
z3`k5<FQX4gPv6g=9#z<8yi=+L7tDpJLdV<^R{*d<;Ikg=udgg0G;v>WKUPah5w>Mn
z-1e~eZf<RpqSB@zA^MT*gX8-&OPS?wiEaHh_ch~R+bBi^R<N7{v4er};~;3uv7lK`
z8gSf(lBi&XT<Zv<^Fo(?EbwkVex`TlSWAqY9AVVg>(4x1h_1vhk#Ktmjo+T!y89!M
zz^LzA8!QHxL+r~ZzjfVpckRA=YIAiJ7>28RgyX+;eY&#x{eucQO43bH&Ep@f<#KU}
zH?M%|S^y+jWX2V~xcuJomfJI&=gGN^lg_;%WMa#pZ(K4T8`7V&ChXYx&#GaeN_~q&
zYrMzZ8JU6cg?G@4Vo*snXG{u&pEcHR4VO}O#Vwh!5R}Lv$H(#Rg)zBeZu&((QX82R
z)Y$18A2sTlR3RO{zKwP6b9%wx#LkAwA4~d$U)G#}UfK5mBI*!A%vS-<!;2R76*bm`
zBMcMhxLAtwEEH^eZw*MG3~LJZ6!(15n%AvGtHPG-=_JZ^dOr2$LRucc;A-2S*BY{-
zS2D%^jzJ1fPo9n#KQPp7Iy=obG86#wlxCL1ub`!eS;?BvaPAeYUA6r@g~FaMf!2+r
zv!ZkC56~8n<S_SXN*y~LDbVE)7|l%dSQ=ft{wRAci+U?Bhq64KksZo$PS3UP3{FqD
zHJ1xu4?4o2T4FB%{%)03Lpj#GZdo-T34TfLA+fL~PFbO9fB#>wX}<q!pj0@dTFUy0
zX4udDU9?{zR(Y@{QVc?L^h#PRU0f-i4~XG_7$iP2cr84Sz8Fp&1c`{bo3juA5lzMR
z`h~TCNJL!M)Z-JM*yn?30uhM3zNOC(n7K8d0l#)F-Oox=S0Z*!YRhNSyWwx&NGzE?
z&wjtFC4F;yH>P=_1bTcvf4tkmXk_W}icIQF8qJxG^3D;InsDPy&@iQWO}Dy5qLW6R
zne5H-J-Bklf|MKSURW9Dp6rfDwMDsCr8k^LTTW+c8qm9=a|dok{FhpkzWkV4*Yqek
zWh$Y%@?KVOz5dzou**lV_>Obo>C_e6&=^U!<HaIIBB|1N;^YJ__Ba`6yMdv3@{L_Q
zq!8*H8R=YTXyEB#0PI!J_gD8O5zQGHczFIiV`(xaCS0Bt7l&DLFgUYZG%l#T(JjQQ
z-Y&dSHtDx)59^c6VGE>-%f7r2ix|u-_A~V}i%iw;kjPMoLz6pzN^x8P{5k%txG2o3
zDg<vv^XSw~tdzMLnVxoM+-gl^CJ(|jflZ%IKQFgjgUi&y_?yHHe+YWp%n7A0$2hwU
z;5b|5@+m_fn#;>T4)<mXfD|axAjgd@dZwtQ;LI*YG1s=pWIlyHYg0W<WjLDEB~`c|
z%83cOW_VcdcXdKdp_|MX*>V}hU775P1?Qi}?iER9wG0&1*lv2gXC3e$p(_P-Y2x9L
zbqvQp^85y98r|u%vE$s)-{1M)Da2fl_MXo3nr3D6>y;XZ12#wN+Z?)%=7!7rDx~2e
zT2IDH<w{@u1>+)OqpSe^q^xU_5GRk{&e4lRtte1#7y4jw0*U0}L%J{WQPNe<pY$KY
zU4EBPAqi_L`qh_T4B1&w0%CU`<``O;UwANMysE9p(ai6Nc6rd*?LEeENljoS`%F`5
zcB_p=;C3klB+Sya(PH0hC=KihFN6jBh>|d<7t~|To`ZR-@3P<*E@WA(zCD=R(|ah_
z8#xw{kps_O1c&l^Rx<7q+6RN)Fos%n75cf{9sMlbApuKo2mb`aqOD6=gVQDFa7bCB
zjiaiHo$QvCR5=_uyY)(4sv4j=gFWn2bKl%Rx0qG*x1S!g1^c_jiu05!=7L+zm8{5_
zVlhn&rtzPMKL8CrbO@+LLTcJ<a`J3idh(3N)tE_!k)9S|;I%^{v7agOMw-ye@*;(Y
zw#kV&6%afXcM+(|0DfO<!Q|2;dg|5sKL$fSzTNSOLe~>ev0-O4G#)AC^itJMxODi&
z5lO{-`8YtI)}zLaZ=00f!*y3zu^MwL$X^p#DOa0f*q^NSV_S#xe=j+I_@B9<hjTwk
z;w{rZB4+^~{|%}?sKS>&2>##qg1Zj@Zag~x6(EHlDdiD|9;`=E0epd|_xXqG5>!X0
z{Qdn9`gw(gM*v;AX2W}x1A|mwzsDVD4QULy3Wbw8G?GMeL6IWtgN=wlxkQkp845<@
z_4PfC;1Qtl-33I8yXlA02m5dpbQKEzdRDR{e*SzAk=X4|4so*aH#R+k&y+~M|Bj{1
zU*LE7$AqA40v>Zu5=9~pC{0v|cf|%)T&^^Jg%Rnjf^tPel&hGaEZIBavzEE$I7xm1
zdjWcfJOJ1a87>bL0ku`UM}&o19cy;OYBs~*0886>A@N;kSHVKXf(IN-IeB~`fWu<V
zv*hEEM$RM;Pd7>|+;B&#Sljh90_m#1w<$^^=t9uYa1fxoJGC=bRx-3ZI}Lk0PSpvs
zc3kdO=5Um|yBYK3?)V_VF%C@Juc+9@En9!0<>oHNXE*U&9+kie3*!(7goz|jS$Qzx
z=ai_v`6{i9JB=4?^k!y0%;xCmaI?Te*yjjsoh;77m2kP14hP;xIX18Rj^;dlnsWrK
zrT6^N!91MP*LxVuGg@RF-5LGa(<3y1`a{e93FEnjDh!`yuhLe5)V0c@u|nf0wiIxP
zOU+r%$XL$FDHxM;^49EGRFb`Y5(-6_CZnQPI$*@HZu`0Wdj^KvBi<<&y*Vcmu1s7K
zAa<m=Y<z^qSY2h!rA7x?!(C4KSR@#_I_jvl?LE!PE$tZUEp7b2^F7c%*2!gwD|fQ0
z9{+LO*|_)zw=(P{c6`L-j1*RCQUWW3oSMj~_Q@Oo=>oR9Y-JdW#wbSv1B)0NIQnO@
zu_F?wG<J92wp|oJbf<6#WTt4IfBUw8oSK2h(`X=2(>s2Q`tW#Xv(D&6oOrzZAz|m=
z6t6-swn_6vZeDL`V8UrLypgpX3Gelb{yZG-6clA$j&XLa&W?9cm3BO3$Hmr^PrMFh
zw0?cM_!a9-wSZX=*G-OdwF}4F|Dr!3F8zB4vULRp<yf1Q<f#hzP{+h(W=*cdmNh-e
zOMA7=?z5#S*4On{!Sj&>L!S&EEH&NvSmM3<bp4Pdpz$N{d7{<!+xGXC7lG`97k=Aj
ze-aa>A7m1EHj+rDCt#NQ{&dVRW<%n*B(KxO#kDb^QqSE40oXsWKKFi5cDqERSkj{w
z7nf8Q?c>9WE+DW7aW!}!_pERtu?jEgy(|%#-gZ5JmUq=Jt`SGBJ{zqBse&=v;)q$S
zN5Md*>rJ;F-MVJ|>NXpQ*1IXMHBqGHMNqO~<#(<;<oCgqmERc<`QOJL_9Yd~i7pk*
zBqbHiToM({fk$tZlOMdTa$(sP(0<+*5$fR=XXBoR2@FibdCoPyoERN_G*ODO$jJUT
z!gpmDqSpd+{j@pXgj(!vdqyB0PYba}mHH+4*ZAWZXY3L20fB*8f%c0Mn3&2j@6^-_
z?h%Fl7<xwZ4oJRIMG-zYzGB`B1a0EV-&0@sN57L^j)jUgxg(gCfT}-z%saYPB5YC8
zEgcg`{5KhcJ)1~`lMEk-4q91Fcf$@^N!v78d6IZ%h)hy!T;J6&aMS=iK*PU}={%X6
z>vXNOGkW`t15JI8F6}tGERT$G_hiuTj6$?V3oyi}j)2f+Tok!$DvaKSXQcZ16;QE=
zXbY<lKS)4&JYXuK3JA8_x?4-s01o;YOP(pkXRu9;R3%6>ETzoHD<*f$C7C+vLeBN_
zNhynlLDFG0jhHhj#s7KcRwJYIt<eUk!U#NqeB2gogvyT~ee_EWLm*Nyet}6C1R^O6
zXmdWyeh;|OayRrQ{=*CCj_$=o0=b^hoHkpcxi!YphmnFuMcJ5zhBlO)7Nj5`ZFd6x
z9|7~-adm?0hPgv)i|aPHwe5YNz~tVvK&-{@RC$MZz`Bw83G%6pcfVX!>j!c-sa=Ti
zimzR?@(jIa{*^{G`V{iybiiUr#`uDNCe?)Gy<l_FJ9NeLYkI25=Mb@tU#Y7h#ud1S
zXk<$8=n#dLH$Vv(rJS&VqXN4@O3>)S3K`>9MUFgEg*kxt11zx0mA=sAc!<m+-BMDV
z%dh_eGhYG)gg%G9++4}7pHcC(E6e@HG<9BFQdM&mYS(su|4B6z1ST(DkZt5o<-+|A
zpbdQvn8DrsZH9L;`4@8S0}j|5x*dSSo&5o<cCo67YzOU=c9XrXUxn{58jZYvH<qaC
zn)ajJ<a48va&NPjWScSRmiG4HhVc;aPDqOOThLgamPTX&G2d9)V+iQ&@Ym@*Q2^|J
zmR)TdU%!0)`f%~e$}kp)e-|b`FdZxduBCGPc-D&~U_Ss3>(Wxr$`jXwlDOIp0Av!r
ztJIP5n)H_#NLqWaI1URWBdlF44r3i|9K2QurX9o3;p`YKK&aLhw^S&Q6vA>5r+ie)
z`DhG6x3SWWCcV~47d7B#uxRzX{lAS?^T6@JvFf}@?f^BHlGc3FbPuWe#<aB4yAA^X
z24%O^>3W(0Z)?aaG_CW%7d}oi?0+uzaoul!%W2Aav|V$=X`KCXDg*{#br=9NDG&*=
zGaG*ar)CMA=84GWti(3Gl7zyxjQjA^EauneAum+PRj4|%wCt9*kE2tw$|%h%Yh07&
zi$B!z&9kWGCDd{ZwLBdfYjYfpJb=a{V_7aKO=w|!)*79{sP%cw+@ebM@UEZVsg8yT
z(-MidI>SFvDDoIOc~+07_1Qlf&Z7{7#|91n_*7OTW6O&(uX$47(`h~zTc?vToaQN<
zHi-ag7~EKBppkRl9T@Vx0XL2g@cHLtbpoLB%uRBWX9Mt-=k9QchKsU(NI!h0Kl7%3
z<PrVG+kdL*CP1pN62L1StI&+qScB)y3pE97|IlBD-le7CJ<$6Pbl6VosQml*X#s|R
zN1wQ6^ZE2by4l*dE(mxoepN7{j~>Y2qY4%K?FhT7eDgOjS59TRf$eVk7gx#9BK>Wm
z(a@4V#`k8|l#<!q!!Fa^yRxB^^bVZDX`I1XoWprsz{S?3F8Pv+@Kb=^Ls9fmjxMY#
z0eQk%oX166GADcdeVoE+oWWU~!+Bi5#pKfCU>AB7oZ2WmvHtd_2MwUI_Uz!(48_%v
zn!Q8pSYPs~8fgG(P>Xs5(H{da5QBJdG{HLEv#R6vkJ$#tYt_Ya_y$_OwK%?c|HJM!
zV6cX2)pk?g8HMdGK(jX9y=@x+cxVq`7@+wly69Nre-=Rb|EMeAY$gkoq3rd5z>_8G
zQ-DTsA9ta*V$FP#-_#Nl+nMaqG+XS#F~*(rdS9A^==BHzm3k6qX5iJK*GcFd!L;x8
z|4GM$lT5>5k%m`>%z*W>0P2Is2iOR21qtAE<Ad#XLqAY{?zXk89|0Xb;K(Ldy_GrS
z_399HOXz4kGXVX6Tpf@0-tN)pbvDZs0P%<$$OWigCykt;Zia~#HK$HSA@2n2>YJkr
zpdmMdy(08fPJ38*3-H1OfJkB3KsUt!J#anhJv(m4fbNCP?%8&pl)<hb40`~8-{TnK
z&OI<5Sc1^DPKR4P3vCr1QQUy`L9)wk!0bsnDs$n>U$H9)kck$N7dn4n>=_c!(Gw|(
z7j2Itxk3eC5>gclpl8Y?U@&EYaM+j=EU&AWq=Q4W_$phf0DlzS@^l5j3lS&M7K!dX
z<Ul(QKiDfwmo0{VbhD`_{foWGrlEWXAr7r!s7Z$I^paVJdu9W}q^la3RXHPly~}O0
z4UAG<CYsr9)hV<9%HD=}?ER3X#h_H~t}%hjar8I92Mg-vghK`|q9#>Kq(@bu($Hm2
zRaR67Ol<CQg4LFa+Y<z;#->RkjtR7eNlkjVI=w`axMl;xq^la3-7-mD1fchm02y?<
zVR&bX#KO?pSH*z2j*&U=`Co=>8Cw53$haw&SVPH*DL~Vl;0OzQ9wcr<46y#+hC{!&
zzW(Wi*EKiXabI?59{Q`f&Gz5S9Bbs$?SHiIWB;9<V1LJcO1K=qaQwmXB9S7#B<@#>
z6@iNXt}q-os_$B!sJvs@stHs*RrR#%-(2ftr^i696shV%+pibH3?0M3urb`^;^cU8
zk3Dko>J}TzL(dz}cZHkYRo|H6e95HW!p_<`06hd{D!D5KD@7`$DqY@%+ts)0(XNlm
zNM&zjoN~PKtnwBtfE|Ffz+S<=ssyV1*)6~OiQNUeYj<;Z52+qi<*L3{i&Fcv$9fNK
zPx+qbdp@ayXuo=aI#Ins{g#HG22rD0<Dq7x=K9`>y?_6){ztG+Yae4@r<SbNYOR~v
zPTH?^6m`C*ubr1mIP9A4F2{6zZp6*GNw?q+`qi){{G(lL#f$MyTuD!N2Ve{vKoAEV
zY`6vLU<#cWMFksp53-Sumv9kv(#b(R>eHSyGU+C&r4D*Yt4tilz*nyGoxCcal%L!v
zRnjIr8I{|Tky18uP5$O<b93frtliKz()ZGD*I(BEVX)iagn_LA!C=Z@$>5Q}cSDF_
zz9G>t)=+GeZ6q|_X8e@#g7H_A!zON~2ve+SuNl<L-t1p9j@cV?ck?v!YZk{W>?|hW
zx^QFoX*e2=fk(sB;05qnI0rrmzYPBmz5;&>|7Iy=X}8R?gj=>*_E}=#w@OV=(z!nL
zoL2Q&y{Ge<(V}VQw!V?gY-=kfTiIIWcv+XV@?7~-Q|q%nQ-$?eb2htO*NPM>pVr}a
zr>(DmxiER=4oqQ<ANn8uNB9&$SWR~KaE;RJ&7N1tAu{r5iW3lwDPR(VfiwlcGw5}w
zVK+c_W!~#C6WbmV47&@aPV@viR}nH_bMpWMyP!Ebx(M`iOFZw?!O;N7F3t@+HCj#a
zf7nvOQIvXTO~}Ygnih)x;BaCPGAOfwcMp3Mll?6STuk8JOX)##2&@Nl%q_*2J2PK$
z%2T#MslIuiv9?vdVm~Q6aV!WA^@XvW#6q~YW-M{R{=LI}y>|EnlH}V9p<eRB0=#2_
zKptb8EBz>LVUF#spn&}}^H}7`jQxU9=Hxq@txpF_zvwCGps#80uZN=3kIyK{A%@Zv
z&twe5`lA_M8w<y&Xf7Pb;y3~b?$Dc#o2}To`hPEdaEZr6ZsibrC2~e)|L`QZAznwr
zP3i=G*SLRwxTy%a6+<x5V|I(0`)2PK7FIX0d9<;;sj84xhac#snIei-!3qWjnP3LT
z{)R!iX{F&J+vsM9i_;A{|Fjfw{`H41m-3W;efjYAsTi{T=f~%FZr^(T;iq<ieW)n`
z=UXS^>914%8tpM|A<EnVZ9*VT%3DJD1&kEabp=aF9*HzFsXqYDpR;JuLL?I+a-ilw
zDMFBBCiaB(-GPZ_J}DngQfSmHnAU--JSVdZZv6U5tMgOC6g4*3$v<)B+L3aLw;;NJ
z9#Lyo96CN3F1-Vy6nz#S#hR8yd2wn=#@P^2xe}wi)bMyWp_j84>Zrpk5^C(Ys8ZEk
zjR7A{GE%>vNL<Iv1IsJhaxLKQ_uoQ+FX~_Bo#11|;>l`t7<<B}@C<}0`bz7V=6alK
zSPi$&VhRNbLGXvcxb*?hJ=t?VS18d7=@`Rx@MLw__m5qt_S7n#mq<{@#n`;O>skAB
zq3=qj*3^?DSY80JDq9MUjX*60X7i?3SrlwhF9acRWMgk%Pkpx8*tx0@b5QFDbC`j%
z{|YnL2RIKw=v}BWzqnI83%MQ)IT%vy#bD(XF|2|pf(53Nt8;$xuGddVwt{<tg*6M!
z(4T0CR=Y(X*MO25qD{h{^Q_oP7Q18}-~8#*2h}k5K!t{BVMZO_&nT!!3f*TO8Zwq5
z=;&VQk0uI04I2Esg6*?=Ch_i1$GFk)iyiM+zT;;QGhWzPPmDk<B?qF2%Oz;nlf=GR
z;?OB!8pYh2<SeT_)?Uj=00;YS$OR5SDxk_c@r*OHnhjje&~tD*-CMj}nDON8rkL`{
zJPb#ZH$(YM5NhJMa(yPQVYXU3$<Iy4TVvchg-*EozN^D5|FT^X;kbWB-%-CVgMW*i
zs!EM2Dar|prF2IG8a4I`@`hRU2kB9I!Hoi8t+IcfTpjkhnpD$hk1GC1Gm8GJ1XhA0
zpchq6GJBvov{a#4tbGiDGb_(;QaVtax>M}K9>}M$1<tkPOq>C-JaT{?c|vLh-ASel
z>%WFOmLI*hmhY8OPq^0~LIPxPJ3KQpp58KQU;A#Y7Lj`l^=3G+)Nq32wSJp2Jv<}p
zB~n<iV^cF3{)&cMD`n8i!tnOWT)6cz^6*S)`8S+l`?&E)Ef#hZSa9K=dYHL6GS$u-
zVl&33H@gg6ujVG}^FiY;h}O==nid0Kfn1+6)KbMWN47QD-B_4~Wq=<hTIvj64|J%_
zCAHZUcUs3@{D+IW4{hcj+e1~Rup?*a`DQK5ZYXoY6WF)+3E1w!kFNaa#2Z7PB@`3*
z$29KU0_{;@%|$3B@b-)`6-|-WdGWJ}MToH=IHGk2f5Q0iK!y6_$D*iUuFuD76uBMI
z-lg1=O2`EL<l&o0@KfZ*2%=1*%Ol>Kq2?}Itvk7TSDSW1tt%59m>y2$EX5RUJ}991
z!xDIPJl#&spUm$7bLs(FIuRxRgnlqEjl!5~>9cAFr_5!SY`fVG7gK6R2D5SEfC}*x
zm_>Hp&D|gJ8M{NXx<ZO_I-T=?ePqX<g;s@!7lLK~JZ=#pZ(A7$Qwwju$N-5+fw6}w
z!>Dk4D+uR5W|g;5i(r^ZNP&VP)i5ro^mm8d3c6LOKB$6}5k76DY6#3kqGK3El}+58
zgVhD`V+i8@A2M(<HDk07I85frGbS&GwFOB)Zc+UGY}kd|9@`w`j3<Ja-yvd7&yYUQ
z;SutoycokamS_?G1HRC4*W_WN6*0r8#klCaDT?sXa_Huf&5gisqDkywhbv2!>^5U3
ze%IuywZ)`L6b9C~dd)W4NIX15xH|q9d;)=J6g#LpiD+!`<m31TREO2tlLU>d!^A<}
zfRp8deAH#ckYdZ9O66)fQ&B%={#TiL&0|T%VGQDti=cv{li=UNXA9?^t$nrI(;1%4
z2?+$W#@a-YF8Pww1!HR(9^rhhik}qi(8HYB#F>ADxwSQL95x@WmuKt2MGp@@$Uh^R
zTK$mc`PFJc(xdR5gmDN&8sdIS`BWImY9-J~(aK7gdpJ~%V2fP*=Ga*?;W=!-f$zI6
z;L-nmg8-{{&1yC#+^@F{tEifw@^9<LNFI=PvD|V~lb>sFpV71Sx{FZ|+ycuvUfmp5
z^_Y}#?A?)H0u5KeJr9uR!47;<P98y=>~Po&vhqM+Z6oc29p(|tnXywD&}qguqSu-Y
z-?d2KL$q7~u7;aUW29tZwUp)Lr)6IGh%2ugkEjGKKq;4A<=K33;Is@%3LL_4`Tt?h
zAgfNt>!wAts*%A{I9Xz*{a`Vqp8J(psLOPeH$$<&@aR=gp%+x-8DSqN&~?l!{-o{a
zx)KLr3f#4EqoFpuDksv$`|@`vJkdqWA)?-#Q}<hjc`#?v&L+TUf*Z!j5&S8`7^zri
z_m|gv#w#~#ZDm{VwKk%HmSV}Sg~Fj8wa~@l)Rn@f07E3Ga>_-Oy0Oo*@Ja2lcZrQ8
z7xstbnMwM19nB7mr#?f$6xsEu;P#-E1~RJ7PG7dD?+Pwx9`G4&xU1@O0D}0s(26d6
zz#XQSpu-FSKR&{Uo*X|aqe*7&TOF21^iWi=(@)Fl=fORR1_~NsMKk@B1dJI;Ees7z
z6G^jjjQZh!UK2(27GutMJN;)lW{M@n3;5<Pq0r02=Qr@}0T{7l&yX=8QxZ;d;hTC!
zwRwb#BS%M+&)%730MoyIC3Gr9c55!Y2it7fMqe5}UpDszMQt=JA!kC)Btrz=ut;?o
zv1IR~sZ2~GP@3fAt1F?XXv^_jzOF^=7;lh=q0U^PR!G`0sFC@;kzN1q^=sH&W57rX
zUy1<)bud>R>*UJUC#Zl<X?H%Qp~<_D;yCIBZ)29d@L*1?ITYtNx2cr{6K@X+k6;}i
zMz(`1SYaUGikK+_IJ9MNa~y^o#tyyu%)dPwCt&9c*Y0rse-LAc#QO4hc!~YM>Yga^
zXIKO>Gy|2u9Lswz_6I+k$~T{ocINjkFD(^tFgqT5Xn~Id8*ZzC^`r6Sz@zX{L)vGu
zeLQ}8$<2Iyf(jX2$Q@K1j!1-2>ScwFw)g7Na}}_*7`&MLmj@sckw7&JHiNiJl4kLW
zmDd+sr$*GL-@@y5`r&XhG?@`6BAR6|%qX;Hv`&-k>9p*@UfR_*uWmzP4=M2=7$~p^
z|C}aHa%oW#>=fL*8^ft8J%JE%o!5CeP~!Es`GQe$HXPLQ4A|xQO=<`8PTgt06P&7h
zo<I$#o>R-af#VI?{tROLvEip)(@idT(<de(gGx)GyjOyM3`Z|2xyRuZnVEVA+Jedj
zJ*nSP4wOOV+~jdfu4Hz&RC1BYQ7$}Km9wPN#^S`v<4+|%bk|YR!$*PHx)3w=p!DE!
z^h7&KZS69F2IvV>GPa^Bu5uxwQ7!}&Gg4FQ!<Bbs1w(Tf)2-Vb8ZX9MzS3UCb1ExH
zCees0@h}JP>6@Y#rAn`cO*~Sx{yJfaUVG!;4v?n8we<laV(k4N8VS-MJ&3@3R1yd7
zb|ALDmaCu*o&}WTTv&LXV+Zm1=wJlb!w|-@DVwIj?ww=?&jh6pQ!Rl(7;|6<E^C5l
zJ;qN%glJwQYJd&f6IiHn26(yF`X}Sn!9OSBJJskX=;{jddQ<`f4bWm%j*+ziS6+=K
z92+&f%?)#6uUtVcV>*)#(!$eBfx5TJC93kwn#WE_+NXm_!+n6$kBZA#rDwl2&Bvyf
zRp;Iq0+7?IU=Uj)tkpeH(`#~pY(oJ$#;<!kT<q^WcI4_qnbbnaey&Zt6ptN<+4Q&V
zkhLw|k6(vH+ez=)2p5Dg|1ws!<7GdDm{x`qql~mkw8@^i*7n!2p!iT#i<#@!@U8$;
z++^Y9HHzuS%_}R~ia}ISL`5x0%o2qpu78O;5p#-m!d^a;zc$2S@^{(V!NjNW`t;PA
z_h{cxGC4A-Y=4?TaO@771U#+o4=&e$TD22?xM3Y^^6=fqW&q6bm~WkypO-8p_NTRH
z=F|ed;qJ`PnxdJg|NWKQe&{mewfD%KhfgNBx%Sdb;$!yH_VvtBPK$Oc=LW_SdDG%5
z479`H8%DiQlj)^vyB*=bW5MjP$vIvkInAa|#o+Apgm^~a1zNM@+-rk}q>xK^;cK}|
zyTj(Gb#g8lGg~D|I%swzzY{mSc7hY7=7l(#Ky(j6c(=dhD$UQmXN<;!^;%84pApe{
ziciDyNW?1|Q~O9{-iq$ch-)=MZAvuL3<p|7(Cy<*b*Qpj)(}0-6AHwGY?eEp+@sA0
zB+9$HIb-a9GQRVf<L7dMl{&-`kD~D-WOMv!FPf?Ge*GO#f0lxJ3Z)iq{tW^ZhlelU
z=tg~3;pvdo7Q>4+{nOMRNgF&)s%QFC>q-p>w^Krx?kOfIH}7*Tej{|xdqJDrAvU|5
zory;LaiW&-Plb)=EQM0a1{zFTxs7cG+^TP$Ja^{I8Eps!b$}e>$||wG<i<DR;I+OJ
zUAFgjc&Dswl^n+@*V?l&J1&+VqBEzhSJLBD1e|10(Tr7<(r+kAUtnd9Yqe=F5E0ZU
z^JU&gmVXpOPu^P&$N9JhUwl5a?S&46vTU)CM$EDgnq@1qxuH{oZAsTER%w76Aw<tK
zxE@_?J+Cjt0y_4+Gic?qPc==$7`~+E?>DMiJ(^uOYXHs&&t9;#Mt-HIRj8jDM#lP@
z4b6<6e6!v10%i?spFoQuphQqqsS$x46ZR^PX1JX%IP1yv@D#4stT8zXc*McdJ{}Ay
z&Yv9Ax-BhB5e~sKd_5y<25%&9@GyRKWercw<Fbti!Q(oRg{fI7O(g%oRqV;gI?FH_
z?lE1X8+ZG9&Z+`Ui1a7Ew{T(--$%3#3mhuv)S_=>Gj9(+JqJk&-aJiQDvfeCO4FRi
z6lw`Q^)9<~oqXPf*7V^buJS7F+;KCXV>#slt&Lf)2(M0_HT?U*Veind7GF_yf@amR
zcpeg$PE_>e#E=<ApSM@bW4Q!fgP05Lt>7Rp@myiScUs=K0=3777)ruHvc{@e<;s37
zJke|WEL%8<B_2pjdZ%zBPLXK4G%YZ<uQ3-bj6=q&Ot^&$F`pa?$o3Z%I#H)XA+}lQ
z`Xc6ma>Ne(zqE=A1{26^ef2umfiIfwvBX){*hIh9WBUur%HaiDLySWxpRQblHxFq#
zD^Ey{IL5hJnD9<$A*O%=wsqp>8HM1KFiTF&U=O$TDGBb#Ou4jkX>(;}D4Gk8ML<Q^
zB>Ig^uLR&9tF0od^OeG*8?41%{a?GUbXKSRJzHw)YW%oX|HOLok@k#|9KC91i8B}I
zHb-YK_99tU-c*R;BI4Tw-CItU=^n_Ck<m#k5)6lH@A%CBu6;GgHTUSSkh8;6-YoUH
zOpq)nmt%B_{sGr(U}i-J=n(>IckTPE_IzbW^rGhaN69NRxxKNWH*)`|h13{>TbP#3
z(bVrOxJsuW&&<n?UHG?v+y$a8$<33FDjPp8#iJ|7yZlUZ!Zq8(^*Ic~@#QQoDgRIu
z$Kn)`%&7w_IKjv(7l29_PWXECzim(2KqHC%eP8R$P(oJxv35|CPOXV_aju*}K3+J8
zS;&x5`_o-K2wE(nLo6o#vZL`B*hd1fevflP1IA|P_fmD*ubNrZiM$)>MyEByykY6l
zMe!72DZE8b9DJ{$hMVl3m-#x@Orh>83o9Fj8!S|%3zr-`O`AtzZiY!#G1-h>WBT@(
z3{DsZ<5bv{%OD)9usKv(_W!u-&rE$2=UxhkCa-CeVKa++r@#=E=lBJ+;>BMFS-<a7
zDW^8V!ttZ~w#9?dh~r|o(f(hqgNkfE?xomBeUo~I%PS)()^Vtqx8uU{Me{OuDFtYY
z0G3^xYtFIA#Ip7(N|i|%4yI@Hx*EenxL9FXB`j?<nx{+S80AWjEchj@Zh%31fC?CG
z2JTR*#FM17Rc>gIMW5d9`)o*804MbA7~R+kGiz4SM6O+<lpsU5D#@`@%-EX<3Vj>y
zh}?48ySZo}`&SBY{H)A`IUAIF+%XF*b~FFKK!gAtyER{wn3kVX1u^jg1<+Fgf(DFW
z_Zl~v@n=d;&bt_D81g-|1QzT7^s-G!ayl_TW7clB6U8{##ULa(MbEhLoKffHPUq<f
zA3jL4u6bUJrgdxJ>A2X2LnrVvJW8=}?Z!~3xqii%labqU@z^!vxZHv5QMt0sWx$hb
z9kET3O<ZBy<Qtk(Pkx=3++$d$3`3|qU&loK9H-9ezz30s`Ek_RzfhoAD7V8$Qlt(S
zMTU_uF%qvmpzZE~rL3-_xtzKxX(JDMikq#hwyR?w7Yoct-=Z5Cgg@H}H_$9FK*@&M
z0B)El41j(_LhSvQJdQq?q-i#eMuYa3`Y8@w=YcTlpfT(VYoiRxa6}9OJOBD^TmOq8
zR>)<_nTzgFLt4^kNg$*m*-<dIf$p8LG8p^*91{@h9Y)?Ewi=r&?xv!2J$}sCVG?Q|
z6&P-!_0kw|ruE-liKgQcR+ZwZ90|%3hIw+K0VI6}Y+$Pgr#BW!oZbyl$d(|hfq24%
zC9f{Pt?<->Eum0MlOqjsYnv)pTcL!-z4U@nawaT^S>t8&t(>DGr6`L9lo19uDa?Ms
zFmrCSM1&BU9#z#J9v&rxlv@>dL_A}3p&7egY4OqimYQ-@p&t{w7eLb})^NxUw)O@%
zYTJxqkztPRQVg>d=`+U82(!S>x!LPOR?3ZTlA%#ke3By&RYi=BPzc@UkWQr94UfPw
zAs^A2wWuhR#Q)TLak*&wkoAq1@*axkUsUVL0R@E8M-N(ECvdL1RJ3@O+vyIr%N6A?
z6*%xNQ(-c58#DT|ZL}{u+L#&Xws`h5UT*eouDu&e#|IToy#y}l+u?Am<xz&t=TKsj
z<9Wf68KUj<(XX#UKY7+H=E@T^Llb4Lrye5duWxJ$q`Uwf!pNd}H+BKWrZb+^jhTTO
zJ1EMzSoGacwn0=XVgNQ9TdmHopC#`f@R6&e)oy6#Sw%0Xd65}r-N%t(W-ZB|EAp2{
zk#KD=K7pks1>CkAZoJ@Hxc>nX|8^NUBQxe2J`*-?gx%xZEMX4z7BF&JI4Cd5b7cGZ
zXtAtzVJ-IAi-Fe%N{R4UbD;BR>>_dDpwGb2`(ItROfU-uu<9|H+Ti%=Nh0%Z_TfuJ
zLj*9a0IFYS-Nl#ZH!XC4Idz~Uq|G>Id-!-OG+dCy-USRd!b~mGR9L9`Oq!+kE0RVs
zlZw7bZ!D_XJ&$v=$jK@n;drMCnx79Q&zTiyn0DnNb?F)VtJHKpN$ftokVVr_5}l(z
z3+rLPzaj|$ANz%R*0;n270iac-W+&xuZS;8eQ*~%sd?Pl6}PWqjbMuIyVE-aN5@_3
zY@ynfjcZA-wK&>s;i4iJ_gz=*Dw5v#zBtZ2@8MD=!Y2L+h}FsO#=fMU=`J}1F3O!w
z#dM-A4A-QXw@{)dGQB~Gp!)0Q^R&;(Mab@4OqZr@=;r6(PMYW1r*~hR4i9RHr--5b
z1-kRjveHMeIM?-x-9oDAnx{40(ua5M_Cksv4iBOeh_JQD&}7ZMaCiCIG&(NDbI4A;
zL#bLamuuiIZXL*1+RH<zuv4Aevf>}v32HK=R*EqWri)p9N7;V!qlwfYnq3LAx|-Ne
z{ELdyk;M&;c)Vpbzni$dy2h0-NlT!mCMVB`8$vfo`e1MRH$%~wiQ4zWyiKT^cl?5Z
z%Rfp*7PK^bG}bY?((w|^MO6`FBvw(hKWGgprB6rm4ef5Ubz4F$Ld~D1!G!CyUO%1H
z6W(mZjveaDER@24e1WH+$<U3|T!KBAIxNslHp%Ifc!3N=RJ034%_NqTxf@O0_cpfs
zlqn6<Z}V{Z>REk%VKym4I1OP>p4(TZDTOP7BxS=mYje=fZTErRKLItm8ibhjgQq&9
zl%8<8PHrF!4%lx?S9MyRkWTrQ>>^8)^%_%P-P}Bs*XR8w@Y`zTH-wp;-T(~y@D$BB
zKxk&tN+Ik)Pw^QG<*qWqZ@+Q}@e)Ekcv-JNqA!)q{X_{%I6-=1IIarR!AP-}C`Ye`
zFzg=prBG}Hg$L%;RZ<Wj<@xrWplHi<P8T3^4XLhWvrOD#Jv=HGSyFsp6V(HJk%;pr
zqj;*rQ!w%MspE0)w{(MAP6b(Vp6q_r+En5)<}|~e==BbiV^A`I9x-<^m1<6|Un`2D
z<SZ#B5kU~^R@J-i{FBVUtQJ&)B1_6Ul;oTi!7zF{U%e^}_x9Uvd6gAM+u&8R{|?Bh
zA8K<m3R0`oqq~4UW=a5e=>?^o|8PVUf^!qWFdW7QO|{_&Ef!Bq32IJsyi$!65swCT
zVRxMQSOI2~W~e5x=iNoEZ!C+=2tl}t!))=ODOx%Zs%y0|!tl}>SpKEx9IYCay2Hy(
zYUg4Y!rjA+aTD?;;`c!`+9@aExj>{yRY@TV`F1jcd~)g#1d*QuWj|fISfE)dZ-Qp}
z2ul?RK+Ll;*s-x?g5;9$*c)LyCEg<(*@o}~?;GTKsa2=m4J7XS1YEBCK{k|klW%=)
zXA1Z)3@u4_oX{&4<5vMMyt7G8byv%Z(6ye{Q=-Z%QZ4RyKS@-A*}kt(3zseU%0dk<
z`ZG#mk)uZ2n4}NKeg~4)#Iu5(sO|Wo#Lt*E_t*Uu(XmQ|k)*JA3cq_gCJgt*uM&n0
zEz*yau)4~C+CV}{G2$r*Psd?ET{Yw1MZ>LuQH4M<c>yL2FKIIveR8c=K!}M-Dv`<C
z5M6TdXyG%HnAL}igX?~9$kq9gpccm@Mbf%?SIH(VQqEsy4EGOob95A3=Q>lqr_2`z
zf)c(|J#)~wGmlUbZaFn4XO5@Tyrf$7BC2}uz`Pa?6SNXHTQDgG_k@Fq6S%76rR)|b
zS7IH6i>4d#tg3V)iUzl1yva4g#+?OBqf?K~0Fq~5mT{1%rQmB_DC9gh(91_HN1sz;
zdeNl7Z;?qe{KwXkP!g$Xm*wRrEH?UJz}JNsz#!3rt+!``1tW}@@QipQ6P`Vwnrs~t
z@h!i|K5l=!E=$08itFa!E#$LWaT9unckH}g<`8>JfVN6qqmEbD{E!7Um<t#9gZwl?
zCQ%#NrrRJ$7%!vP9p1Xd#Dgimb88OCj>lc8Sry4_K?8j;0Gm4$<lNQ+Ed2)@Xv4wx
z?4N30`GV7J$LDq}))^3f*-ZM+Vc<6Vy`<p}Bd$73H>8_v`@ub#!2nidFzM;jEYGp*
z)<88&{PCWwd583bM)>sg%})m4A6E=Cn*Z^9Y=IDwLdsK%Z|5@IPsy3lT-P>H*%3Cs
z-p?JWP-|TIuD<iVG8G{Au1>7bj!2ZY{r^*akaI#(WS0y4EFqjPrN|W_&$<ryXQ?#S
z;8rpkLkI5Pu~#;qh_{DZE5Tt=^2Y0lReR>$;2Hcxku}@_o_1bN;6Yeem!@_}mLyeP
zBDE%NY?cn~lR6`6r;`1R=al_Rgs|&wIC4m)=*X0)GzswD=9Y)q34SBa9D`3Pqi)nj
zjmMFOJz(Db-<jUOrTnQ()opi;ECx5M>V(bFj?PwI@_#a_`g=bEtof0}#`7#EX-?MQ
zl<0ll7y}7eQ^4?%u!m4zUSrsIPTY(iRWuwozrxxMRq&6k(hsqi=?KGs-mHm9y9vyO
zbq{RQ<(jgPdzVcq$Vz{{LgV+&Na7=0jUIZ0fv?_rX?@+2B9`RJ#yobRh;$KG4P#1_
zDL7_3J9k6$5_6I2z_VY>c(j^}`0R8_EMHPY55g`R2+FQt{KLJgVO_q-glX8-aue}M
z*NNw{HRlJ)>kE*`Hz?I>Z06kD;cO)deQ%K|trEwL0QGFZEH4f=^BKq_61xP)aMX)8
zS9SoIj40t~viJ3aM%@ynL}sxLMx+1Q{ftF|P_m@DKB!i;5+#U`8?C+Qd?A&phwI^~
z=b+{7a&B&^MNk}Or~@k>OOXR7Iy(z(HEhB1`H$GY>^a`-x$_d^5wOx)OtCEWlPnn@
z6N4ygkp<@OmTJ_TEw{5Q^t2l4Frv(mNb$o>B}^?SPY10Kg!Xo-0ev0*757=b3T|xJ
z!?E>cdwVM}SQAe2+w9S~>pU!@v4d_aVsHvPkti6Y0|bKNOt<SW`bBCEH)qIs3JE(Z
zgDv#D9CBMF*Q9+zxC!nfZG$#S4J@7gn%Gj0dy{bs1W%FGtiuPqOGGt`{DfJ9R@0sO
z&cZ>tf}eP&)9eOh16~sFK;{);#q=Py&~P+kgt?s#)W3$|-#eeja4|OOQhRWZ_>xm-
zL5&LW6WfQFx@^GO7bFIZ(}mqD7#GlT#yWi+JqdZ!!Lay4Xj}XqIJTCyAw881W*JRg
z;CMiC0QeIQIpgLuRmZR}JXi`Ww&xZA#z3ZNaMxY8d;6eEIvwAe&GBv|@3?-%c4Iy^
z2q*<EU*h6_!;Z}YkX2~i&AtY^k1j<m@d%fnk5v|oFg{!LG9Ryb#z1g6>g1ICP+!b>
z{ze#_6={)_4k6f#24Q8l<m0;;N2}>fUsCcqVhlSF>RnePCl03^8^3tFTO3J}_N(Os
zNt8LPKrBRS{eyx=CEMqq6CgTNCpx1i)-k#@rm;?EIR^Su5%IRpDJXUr4>yxBsz4t(
z!8aKy)uleexFMG2YsnsyzOIq1b7t!F>N?zLQrD1~vod~%xxl-Cfp$%+F@>E)$$su&
zo893`&12bmW^C_r(Cq9C(XfGKf0w8^3`@qPt-dg)ybk>@nb0M0fn9MKau1lG^)0%#
zpoXmwl+MMj#9q_PsA1>k9M#v^q7nk3&}D~bp*c$o=PL!#YqXHZ=$KTsPqVH2n*G4E
z{&;t{T_B6P)h6YU79#DPHuUm~a|7DW)Hm2Z)pPO@s)W#$z1E<Ar#yx0wtp(GyJ^nM
zYFGX2i(p*{ZI#0wVh&Yo1o;)l*{xxY8SB~=B{(h;>T&=5cgTbtpRYL+zu-_+`cdD$
z=)R#hnRW*lqBDlr&i2cW4oKN5Yz-H|oX)&8*s7W0p)UotW)sdgBf2EY$d&aQi8)DG
zRGVLS%TU5DH`6`_ATH^Hi*C=h^3AbD0@b6GT_!<85tNiDfq>_`*m1POrxD0=taYq&
zXgS-nBxHX;;4v8Es9`(;CBGhaB)Rs#Z6E&{v7+igRaIS&SguvXC<)RACO5$urateb
z2R85gRxk&i%n~o3TG~MJbzy7l?#?_<)+#ky9Cf(EC}%IqiZfC{#WXf51TE_xF(n^r
z12F}ZD~I6u7OCCw(;EA9Ie)Z0$c1iDF;|nZlUbj2Vn$uv8s-9lD@zGN<TZzufhIl9
z$Ki>moQrUR6AQl0_{@roMvi(laMIAnWrmVjhXYi#1h%pb=XDOS3Gqzr@#`m^?dmw}
zk^l;qydKPMHgU<Z4Al#^I&%}lVtARb^wX&;1TykI4J2da^L>uN)mvAl!_7@H<<-dB
zKCL07?r&#RyJs^qMxgT96AkPqnkW<t+n&Avd{S4=Zmm>5JUruplnLKHj|8Fq|K>EQ
zwc{~!dQzNJL^KlF582t(Jx&T2=chu%260sL_?O&X>$dx6*7;!1Yr;#aqB=8CcD1w5
zzi3pmHq`?q8xfAEx^3OQrEmG&RqEX0O<uc&v)&2=fdrk#`86kX<r?|JVy)Q_X0LVX
zdOV1JA&{>QiMnpW9p;|L7j7fr{=BK$<yk?2I3nOgrTNtpn&{dYGDt2`m89UM$Bi2x
zv*CrL1exXGiBV3$-M$oZxs7K=U|)h#&`yzH!uE>-)<D}cH+$p*>=oQzp}m{eYM9yz
zqY{q{C5BoR<$%>2?;V_#O>GC11JQ}q(YMHEK=%2Dx$|<Z<ErdcT4govCEbx%_USqB
zpE|FxSIwj|x|UbsDKv(Cs6F6DHT`}DtGdx1ki&r)Z0zecy->%oz27%bY4L?dP9nN;
zZ~8U=uB)0@8ko}t=|Q2AJIs3ON?TwV(Pr!<^Gu<WSrdPC_f(ySOfCX}rPFr*;;n%Y
zGwwu{&`Gl9$h#|R@;BjP<;(FYue2#neB9(rOr3%^-!%0rnwC`+Z9NzEZRy$_mEl^h
z05>%t8OV{<ldAEfsB@08!d5?{<iV-etyo@EhR(sGP(n&8*Ep~D>tWS!)_49`(556G
zOtXLF0w-PBqThpUJp3wKKv6SQL9-S{l}BZ)6DqBxPYPKJSA*SR2ITuR4gVr+>q#sN
zBZP(E-1)v9lI^ZTa%y=#)j1nAwK{*R$CC#a+SS6VVP0G3^7~vYESa=JuCuMIiruBl
zn{(D+^Dp{xmAQ?&C5spPd;X9}PM`0N9XdWnMXv1b-qBg{PgS>FTwO>utTM-~?)fdy
zvD+Aq#-r@q`gUpk7B#CQ+5+;WL(*-|=_yoYK5N*z&7zT~`SP_*FRb^@)cQ4B)X!Ul
zZY+=>Lo{raBNCb$8R)@VfsC>}7ub@4C0$j2`!8U`v-3~Z`p6n(u+s-gA7?T$Wzhvb
zgs)BKAHl;ud7C^EHgUNs+apyggSONaEr@-~Gs8D*DcPy<Cz?W9Y2J18sC&>^Yh-`)
zjA*vZs<V%7?alM?F>YjfN1#0jo-I`lw=^4O-bOy#Zgq}tv<I5H=BN<CVi>=q$6I2;
zjJT`GkM@G}&mNRbrA7lx1)JJXhl*Tp+}wcgu$cBpDf$4h;holKd6`_Y!<lMjiVpOn
zWUBBW<vp90D5-q*DSmQ2969zF&VawFHhzBmUa+C85H|-B2qXqZU$ipjvhgB&=hY1q
z!>OM|L(BKrr$grHq7w^3Wz;x!iep?T@e~&CjhF*h*MRoK25e1>=I`ixe35wpS@AMV
zeJ9qZH_KN4Ks;-BQ&45G6tzd(-{m|e+!=E$Y<lGkxG8cn3ZRb7Zw^{|KP*jmvHuDY
z;n^ZAbm2Fpszz-<t{LbWw~;5YGsf?cE=eQ#(_W7gK{%`pCRdu(A5a3-Co0AIQL$=6
ztyz=ciaY~W(;<t7ZVx~N9vpyB1M91G4`wTtj4lFwhY+0V5=%~i%4cw+Vl&-DUejbW
z->~4~Qw5U1Oju5_g~M&k4q|l=Z&KYv2R;vJig-riYjddYunw*Lu+kuHRg^sGs)REL
zSg?Kc@(5@Nc@3cD;m>c#Hf}fFdTu83Gd`Z29ztq1Tx5>(JJN^RHRFT^Y78GKKGI#X
z!H35fwj0-_Tnx@dHAc&3OWnAQDSr<V`cWJey`EBFpyt!<Of9?nObCvu(eU2*6==qh
z4i!t8^?@?H<j0Ay5|*Pg{VX*BcGbFA8QLwv{=SH&67yAJh7k}n!V0Np^;ZoZHNrOj
zxRJI!5B29Zerr#v=g3eN<%&qFn~PEdd;`m-6ru`dtIPvQaNhmKvQ0J?zWHp|K^8K<
z*Zz5c!XNsOAed^Rf=R=%W1Zt1^UmDJNUZp%f{r}e-9oMd+w1YjlZy{E!%RiulCMcY
zM5rIfW?~&|D#8XyhMe4Uny~(Ut!gn`r4(akDW48pdNzeNOQ*q9HC2Ad4>&dN1l^yQ
zMq_Ck=Y>e{!LoSe4`|VJQ|iXzf|0+&u(89(sriQXCpDxBMe<aK)`Di_p&ZKR<zDYS
z`(9`85n=<CL=aQcK2KyEi>S{Diawrlxe_0YDe$pG*hJRG2s=+R^1aa^jZ!V8LZlH&
ztclnaCIzG*OJ{qGzH)odKw|h57dTfr6hMjS7FotI8<$t?CPVN?nU}ZYsXsrKX<5)l
z?3gcx+aDO{yFBCxt{q!R)a69a$Z56-y2~Ua-6K@7N^Pv7tPAJPBnG-G@9NnOdXxcg
zCOk2>6Jn;5JnUt0GuTIw6(AQ&&^CD>Me=NLHhYSKmTFzjF6{w#9l|D#oNYm1+X%Q@
zq^vcKXK)XCAp`jdv?bo##pd7A;>o0)J$SBR`pWL3Im(tV#HRoK>^J<P#P364JI9}`
z?zF!%YW!+u9UdaE_8J_2m>Yd#d`fcpwd6_dduz6)yp;`&^+arot1Rfe3SCdczIMo!
zmX_6?<JiE7C}@=-oZ>`)w1uSa#{C8OVBsiw^1G7s;3V9zye(QKc*XAxIMHa$O6R64
zh5fYTTCu)3T+vYSbnaV~2N1e+8Vv-p+~KCKchC%YSD4hSF?AxkMZwEr>>u%`NF~%v
zQcjo$tMp-}B+(58rjJ-R^%y-zF@5)gA7FFpy#9nSd~egc-`AUKj-UG8N1bDD|Et0r
zdNx~IIu*;NyL%Tj(I8tJ)qbtCzHtvt-FW&2{efs_Z1GZZd|C}&A7#*9Y~Apl5^JdI
z5h}T`a<G5UVY!IacROj77%vO_O)gM*lb*b*_oW5C^=I#BmUaF$Uid(_4*}+dl>kDi
zA8R`Lq}@j5u>atB?T#(c<0+qUc5#NhV%xk(5T@hfC@tOnh+VTTG;R=x62d~rF1pA_
zB?<q_uhC_wZ9LUm+_7WxMt#Yn@x|n>K|dV+qJF=R7Y~%9m173#_@-}8_D2eY6IK?r
zZ$$Zwocs$P#RW04Q`4RHG(L2y)9O3}$=3%4ti^4tjo;i(%|eynk)1xzMM`v|yphrP
z*t}sx{q(s<QegY^7dM+(P_qZ;TV{j)&xfjlmkcwGv!C|^m6?NRaI^iHSZKW}7LD-L
zmhW1XlbE}1pf@7*g>;K%k#pY}UZ5kEJkP!$ByZMOlGUD?8uT=grSV|LhSxVYimh%D
z#+5)RNnVjtXxSvoZ11CQ%lk>-GdJRKvD1@#n5=F(+Y+XpN_HGS2_#}odo7AIh8GYY
z`4`hqkV`(y+60l<O*ZL+;RIQ^D449wDP@w69=^Z(XBa6ll-Vuc8TP(ZYRO59+zgxw
zgq6M0EUhA%(t>Rfhbj1{tbxgdu;e(7ZQ$IIS<}Q4ahh>hjqFf^oL(TtabDdW!PXz%
z&u=-EN@wz&dE)*y8)&nx(!IW?D+Ti#cchGp<7S)I8E+IcxaA^q%KBcuZn_Myg@)n5
zcjW{qq_5v2D~M1(2}wdH{c6*h4+4zrh)fBkfPZ0#2_!*QvD4t*$2Q#{j%T)JbsVHA
zvd*`Yp-k9VA&g`;4>B>BdYQ2V19zkA^2V_rt>`(D%7zBGpNRj&9-S0yGdapcqmjY5
zF*thjs24ULIVp53Riig))}3f(Mm|lvQ)>IL1#4=RX>(a^*?Eu0!Gw|AJ>PTETA&x;
z^C#A<h#xG4Po9ZCB1_-@uin!^y-V9xS^Ms7Ns;`<`1F4w-r)YttxeMWH=_G<$Ij|-
z#zC`km%LHVW%sA|Y%kWmhjNFnJ$>f%wTCsN2y|*F(VvYVQ5L;^TVRaqRUuiq`*tT>
z!4$yh?}n4fc@3-qJ!(&jfBTL{W7%75@NSXIXn0SWu_clmkfceO?;|0U_h4cE>kDj1
zG+FNmkjmiba#+ZLK^Du`&$S*g1#)I6NZON!sNa@H&dSeOUHw*L93{E0Q_RF=EP}mq
z_k6?g7oj0IcCF;f+QJhkNO^Z4#7aqkR#U=P@MqQEZl3X?m<BVUWqG0nT){>gJf?$T
z&odbImL?XCwOI@)4AjKgkyno%F3tR(ldEFe75G8~3^OkMD4Y@Z$l4Nu#vG5ODDv|k
zR3Tp%3UE^&FP#8&Q)rV2CLxANA*4C}gj>XUMtXvt4XmhLxYh1pnBlQ@-U*;*tnA=5
zvy;?qk8dQ6@DV3n9{3<NWcH?R@4-ZEv}|A#lz|S1QNb#L&|qJH<40MSJRj_eC(>QV
zGN6L`F0gSBQerUFie!z({%&8WN&+$&t|twwO!yF>!(s@?j-KF0xj?fHV>gC0Gz}!7
zf$5!-Nl^FmBfr9o7&p}K(cUcge(}13A@1nL0n9mDd@vGNISe@Pvvuzb+L%{7or`tZ
zum#3~11?j}KL>N570_i4SQqC|0JRelgCpwl+(Y+_?A)3OnGsM8vWUi^JV`ozn;mJZ
zBmffwkimEP-W@L`>jh<-kw{dv9%^&)tR!Vo?<_2Ya7&Xf*m?RyE_d;oxPVybOUmjq
zNiD==^V{V>E@UUQVQaU?PY#1?NDuYIIN)R_f}d$F+r&?~(K=g-<q*-K`lC3#$xY8j
zDFd=J1Togy4<0ug5%C0;Nf5KK2#lL<I31`RpE7ZE)Li&O_<}L3*wF`1DmSO@@H-K^
z_gT%YH8^QS%L!8NyqIX0PF}OQ9CT$azbm=2yLJqv77n*`dDTF&U!hxHX5lQ9xpe!o
zAs&(5VLJ>BNaxTZs<->2yQvrZXKEgxL*@li$YxN*?(~}}^oM@V9B!$gQP|Rw6JeNt
zjy1AFs}(6thX@TkD`X%V#~{*%AV}m^4)nPI-vy#alK4OaO%44-p?7DAghe{Q4uOc}
zi3+)kF}b2GEar9`fc-IcTL4h`F$pB}k$j#bI-+OZSG~iupQKr6#;zuSwOv0(G3v~K
zVo8n<^YM*rEn?;9zavPLb4!}ufON<y;hI*YK@lo6hMc*-M}v$o&?sTntbt-d3rc;5
z7TCL=q9#i<^W`FEpc9xa7~7(^a}*;1ohcQN2x%5e5f}2gTz(MBrXb<lHVb;A=-nxp
zfpvH=!t|Ovr0Zt;+b(<BXef!%8{^@aC=UxiOyTsc(cKY2`p$*(MjNe6_5xauP`fTF
zdV?F8Z|waerN=cRqVU4OrHJYJPYz)H5vYe4bd&~2U`&JgSYuj~+1@CNH@JI&B*elG
z&}JviRt=Jq`plXCrT3)>aJn8_{=b*AiV+5X;Y$Uq;_2~<czrF=cT&Z9M+jkciGeAO
zYsp8<GFtvnw}~lXPwdIPw`U6F11E!aMoZdE*Vpv&D3rxZ;gVE8$p-sN49dU<imp?4
zf*tg!)bfqn%8BIy+me^ax@zH8<MgsuC2xjDScF~u<r(OVz-Ho<#(bRFoGw^h#wLfS
z{PG%gz0@h|jIm+USn;i30vy}L?CWYIJ`j54NXiob!O1E}0zW=Qh3-fWhR|m@KWJ2J
zT)qsbLlfS(5T_hqjCv^(>P+$Jt>U=6XEZxwwrR(+<8R7<bEEX*>=wDHIU`P?Nj_|G
zPv-N-_V|lym|BY%DM`=9@b+D0)Yh^*5vBiAWXRa`n${e4t{>}+GVB@B40Jjs&fYR$
zslh1DVbY^}7?(VJ?nfQ2)7+!po%>A@l*R2HZRG`(^0M6T3q_g|#_i!L-s+>NKZrqa
zqY0-);xntF4xPr#mr_RVrBS`VJE176H}0e!{2ke4D%Dyo;aifnu|?V@hv`>?=}8vr
zd%*Z!u>`X@n3AvcNh<g?tXO=s#!4H~2J0)@tVN+rR_ui$ZHRUm<(32*5e-$@>shAM
z$=Y%u9=?yiKuzQZ$TMej{S4*vuHbarJb>6&%OChU`AnaqU$X=^7?L3_Tj^ER_*%ks
zHTx~;H5WtAvpqAjE+d!gLb~tnGL0sI!e;~*1YPNzu}u^5N(fDuQhAU8HB_fY$@yN7
zOh|9IgCgHslh{L@?oa}}@HN3Xo%sw@bl-rySq-BMr~|JRB9Joh*#>9@pv^$3KjR=w
z>YO~Q&wH)YTh5Isl84e9a3kD9MpakH_uu>1Hm3X@QFQc3b8Yg>CYCNgmUSa`Hwy#(
z%QHUsVrHGzcEKaA-T+(8em+R!3W!-^HmC{7i=A)jg7cb&Eb(zUyr7}@Ev7Xtw<>4&
z{@!MUh7z;dTTtDZDULUlR@d{1YWeFRrnvf%l3m@*rqFQMgNuS4)Dmhh_A^RZ0i64_
zSi=_Aq1L0w4K%|`LECgP!$vGJ_n(EqlJp^b;T&;jvB7qp0Zz9jP~mM`yv-O=(vY$Q
z;&IF7tA#J#5Ymu!OsS%ao(9D330_}7h&;QP*O$O&PYr7NCp-4!-z4vf#N5SgtjnI$
z@Wp<9!Hc_bajjWj{VKsZB{+WB*!>*KFf_1!u2vu3D=%JNUe(RDi(}||T_BddK_%uc
zKyBGEN4TTLgNV?g2h%Z&#*?DhMKlk`jG4TdJHRqRE{`irLt_)0>I>f{HCj6lE*=o;
ztRUD&)Bb>>M36aWIRIOK(wotKpTXE4d*%r!PPteG?w(r_fX`+b1q2g_68!uuA_o(;
zEW>R0(h)Eml7?dUo*E|8q6_w@Bk<Gbftg_LvJWH8h8u7uAdkV}^e=gysKMr##EVtK
z*B>*fC$D<e`<0X);wijl4g^G}m>CMzYQ&!1^;Y`u`le9LBf)bAzO{hhEtK%e28q{D
ziEC_-H>KhAam6M+A1HHuOlup?Oe#jryfVr3wrRIB*fJB47vUas;o_M&l0gf@lw9%e
z1*uOV@r<<rl@n_0+Wiy$L#5gp<ET>MXtt5^<($+r&|G7JHrngcjmVIrU@%QP-KA2`
zkMn%uOf!)E(pi8#TRZLD)6pGa*kO9tODM|O{x)-J(x=1PJCm!b+Sr<mxw%yt3xekX
zUn=cRbtIFzzA3dgSIn#PnN0c;*|{x&rz5p}PsX!%d$QeVG_ezso&wxEMSA7OyLeu&
zvA&@v>b6C4Av9xtj7D1ws5R_Ey&~2dKS)cq8?j{mcD;}$wQ{Ky18I%d+<3oWX=V|_
zJtgcZn~0n%<e~gz9nwau(Z9*hFy;*yrXTNawfBmn%gJ3i-oc$oBkVdydvbePsIvy*
zi$alJj-YKl<XCYh!FU=P)`fvaNP!fKGr-5RLXi!(DGqw6r@%_lBdGbxn7`=f<T|0W
zD(U`WjR#W2m8e#Kv=Qvr@FZEFntQWx1+~SO3we;I_%^(&W6T|h?$J<1%pgZL<k&)?
z#NehHMwrKRhzSe3jivQLebD<so;|QLdpKKYfT&`lI)!f_?9S?&%m$7uoRpb-+%}<9
z##8}%0cHA+x-`F;Ft=8G>fHe*M4U9tSkTg&jO<mgVqkcGWQ6AOpTD8b77-)V-Y-p^
z5OZ&KTpJs*vbUw$Hp98#bhWMcKte$17IWAx=_*3|XvrlNGyF=^VA*Nxk6y=D2n=1(
zRLvF7=2o+7$tswJxvp51xH7afkZk<4QDNpQ|GE2?RfPFuT*iKtds?q}Z3M1<s!K03
ze4WCwaEWA;hpQ@zg}H}`aMGNlHgxpCE4P&Go=-D}o9ZySdKIBL9OwF+D``-2E>lAo
z`D(M-@zp7;?5-$D9!yX(=|;Cm*;xh*Jg0(RY%85{hDn8V>{~{_6GuKtk~k&Q1`{*0
z`cYzUo5NoH%_}mdZ?VKR2X^hG{cWtOUX7%vRI{5zI3*ZULWuz1qgq&2r<$k1n0ju;
z0w7t*EFxFXJ?ZbP;gM5}DIND6I(~F(nD;}LSS(8>mi?K<C@Ora-R=aF?x-v3KJ1Sx
zsOF1q-x*6IZ%7Ur3YNU_)=O^ZL(#7G?$?M1xR923?^?@qI7%o%`RR@+n%nK*{XeS~
z7VcA$8B8cAMb0nwm`86aN-(UdroWQWVp8_q{b~DK=feOPOa{C(Q1!f2vl8>iszf{!
z>(r~q8c9Xna%K`@t1p(4tgPxH)ZMHKCE+4-e4y<Z3|>?eDUgl`1@T4AkxgE)-(Dq!
z6LQ5nqQOrau&wqm5GM5nHQ!bW^(ySc@D!_toexA53#Y|4m>Ar23D?1O)PfQ4iN!)}
zS4M7>;8%s)896Oh!_pu5j88XJW+e{SYxY>yK^-DK4|WRgm{<@(GTdmPMnoyD#CDQ7
zb%n8DVJ^?%p$bCW#%i=C_2U%s)j0Q?%}vxD3_s5-1>2DXU89<P@_;K@=!S2L<=L`x
z=e9Kc%6bq@VWScExZ4MdTSGshQ7dPbBTCzps%m=Jvnr1$fU&4@n-Mn(@*$tpyk6-;
z&-!_tU+7gES==x(JV8n%ydGL=V4O=)Er1U_>5@gNnN|Oge{G<uYBsymt+;FU+J$>=
zu^CYn4dWt6ZWkuhLupd$!*&yQtbM)SY)~3oN&G<{jBu&f5OB$1Qpe>J{}$9bo1^D}
z$kSGZE3Xhg!kQGWmTl_gn%IJj^wJszR|?DqSbjz^;hZ1b#|Ky5ko%B_UFqv3F;c0D
z2W`dlD`s5toDmHbuFs@oSwG&+?sA?P`wR(nP)GROq-JN07&AkUM5VAJeL70d5j**f
zQ!Vf;-qB3CR_IhwqK^wG4ZAA>ViydJXqvQM4)ssQj}*cZwkO>j#)K2!PgDF$SKP$k
z|3JEf=GzkMOY#|na=g3lN@!?Y4P-K1Ab*sGT2&a+&&r#e;ZKVlbmsjwbEh)wk3leq
zk_g4{^d%CVW@_L$a3DA(Mz<OqmAI}fhJ%)<x`$>TTVW1+P}AeabVw_ZIu?bm%nxAd
ztg(SPag?O=0&(CtH}vKzL0j9T^2AfAj(9Ru4Ll@5SZED<25up7&p|C*fiiYP%je>F
z))aMht92+cRf2R#aXLvdrb&_)-%1-OD2ask2b;zi=bgO;h@s(C>4<3})vqLTxv{bs
zUm7aW(icMRs1h1wUjnt;Lc1^mMo?1+Zf&gd#kBscMl*NDy%4hQ7ADMu8M8a0EzO(!
zsKcP9P`aAp`LGT*tCl%w>l49{w=X|A!;hCm!C2iKzMJ`)WkLGN{8j~7!mOeFR^ctJ
ztq|%)>m#AANF2Hr04W8Or-r=yGsP{zu7zkbB6fMl^eT~OY7>cJf_1nCrW1LCH{l^a
zHBB-)y-f~OB8$CR;#RgQo<k|LO4W6r>)k7>hbBNv;r^}l6`Wc&%2Ua*_I_qr2Fc3h
zj^(zYLl{>`q1NSazb-z&Hk7PORo6yaphNBC?g76ZC6ZSqjl`a8c~Yx5B3o~@;7nzc
zjR&DS1&4YmL$)vd@hz97@;Cz7ZJ}y5D^r5P%@0^fZ_4gQJO7ko*1?LbPqSJ9vT<Tc
zAbw;<%IsnK@;TF?vZ|B`3^Aj6I1(Oa9%fbzR;_e<3UD*t!^3X#1BW$FvuQ>(o|)p6
zs|3#`A8w)CiTO2_d&Kw1+E4>LGd#IM_CXE>Zec;;dkv`UGm3Cr(l>J8f5%WxuCqa_
z$;mN)4wdP)-lD9cbI9``0r!4Y9+BtgWu6K)<$%r8*3GXJc})y~T&F!*qOMa4&L?zd
zR42GGwh)+VX+XLsqT<rBy1G^7R!+TJT<BK66R!Bl16ma#$7x9BZ;}2n+qyLB<6dT^
zye*=xa4nHPbS2OtQ{0tB`Fbv<4Yn>x*Ob$2150nQDnuJ%3FD$la!m0G(9)$F+onAa
zO@!~b83=u!8)xisl8Wi$EPtl0j!;m(v;x`gzy4z!XZNU~t)&=j89h*0%jA8H%-+&b
zeOZE+CAgMjLUIvhx;+o=s%vk0QIso7#oVyXyw&QDrz}Q0GITZ}$_4Pgrgu&<^K~DJ
zZt;ioUBl;4;zq9xTiN80MLYF>PhLYA;!0heEpz019(UWr*bcT?LCPwU*05;%Y1_G<
z=F62^(l0XUR#r`8V^ahRL+%MtDP@%k7SRkTi%<f)NS14OD1L*mQY4#(f~b;bXGrP|
z4HY?>ZfZ$_ytIW!8r)k}1ap!ZM*d7oeI_uQCFYywDgYh)jNFE!nM3VK5U?cM0?7vc
zZ8#t5;SBO)3zW!J{=90G8(+KFX<U5Z$m@bS|Cx^yC`9R5;2saIVHM0I*cb&rp43sI
zW~H{Jq@VUyvuvTkjGa|MlVnACWR+5_p$q2Kw}PW*3f`Oy)b_zzJt3#nZ-S#=jJeQC
zY7ak17stos!0HuNny|FIfgh8wR#su1RY8(<d+X?mHOaEI7A$@x9$ef=sh#sx0<|7f
z2(yIwpN*(sTP`rw3&bs|Dw$`@*Y2jOAxR9Uwv8&&Br()lk}63g5!zKul^Le8kes3a
zL$?axDZz_|8%PgA%+1C^t=RQe8%Y&`L8nOo8jrcK<_9rk8~+%o05n6ZmOhB4*U_ni
zdgr$e=8C0M^c?3<>RQhYKlc0^1M26&UE!dQ1Shp)(tdtLi`Py)XOD24{L=2i6Pwba
zTvPz2S7W&IVJOdVjHaxH*F2O*V^+hHcq2h@HmEq6oDvS~BqxhY4>^ms@*pmbBab2C
zt{i9F%-Lpg71qId)>RRxSA!z1ywVzU0*eUWqr<C-zAwk4aOPPjtYx*Q+)Ra*=2zPJ
zWaBQF+ek0_lWS?J((Wm02yte2#Hfo{TT^hBEOUjwoD4ZvMnb%4#l^9PrzXVR2oJsJ
za+1r7bSopL>MT~N4dm@U*uk{Hts6$-Qo_R$qbf0QDc_H_+`B4@YNY7bp@t}9HDvz!
zrV{^}1Y=-C_E6YAf&n~=dzC9b`5FgjPkox351+q5e>OU2!h7}UHMf)NSAyC)MjEDB
zT5W?TcnU5xtCcjo#KWl<$bCKZPaJpc1WNl^RsA3J4!1f5_bFY${#X7EwvDMJ#*Nds
zO7PB%nIYdxUkdS%{IaIN04cFXS*p3Zi%~%7&JY<ah7twrAym}^rC9G#AV;@&rqmuB
ziHm}jtlrG($_nMroKgT$kCa)9G_X#yJ1&#Z(E1Efp!H_(#0jY929I#5J{Q}4Ww_hZ
z!Q;I*(QM`^UN!-ARlUW<=j)1ktlZ|06|sq-22^(A-B+oUN>_z|BcJ#1a4<V|?Dzo#
zTga=$=O6w^2n5DRm$;9?!Ka^o1}{Ip`|Rb*SD$<bhM2;KPafU8I?=-bTvIhTSo?On
z=f?z|exdMdt=rKT`xJ)J6%y3d4NrNKqWm2k4<E4wc@uLYLwpf%yECB)QHXV_{@yUQ
zLn1AYXlZGy>zVw1c>mtBPrdjdk~tY)=PW|}h4JBvvAT--ek2J3wJ<EKtwCHUL;2T_
zeg?VXS37lWZ?N@l(~Z!(0w>k88{H0_aC8*4e<+n1Q_tOiVKQ?SQ~rE(nMn;j60O!?
zf&-vT+$U7r5<W3&F4|%D!#xIMr{+)PD18cr&f<V-jkyX*8AsGIOvPvk8f{_p5x7V(
zx_Em8WquyUs2~$mRKn47=Fqu;-?&=&_AG<NSfKCgi+H?+M7+98RBjW#-NNv=7#*o$
z3tr$+FMEU&D<4MxnPyJ$_yRZ8W*l{w;M0^i9ty;-VOg3~w8&cFL*KCR$SlGshhktB
zd6gQHGQ)&TdfjFCrp+$m2)@|2d4`Euo(a6L%UP4hBc5`G68~Xj5cehTYn?0ylA6ls
zXZ7*`yXE7AOPkE|E>e7ssV98$|I#<AlwZ;rQc)ujj7iwDNucq<vC_uQS}|?$p~v+v
z*LXGrJCNNg#Pb^TZDgk<b`pFlb-Yut(0+4-7+S6Jy8<!nqm^%NIa%y?TkHM4N&?HL
zDvsFdf8|&|!-O6n%~e(jU*8VCsDX{Nh%c7-#CPDybUCJnzNn^u!ORUTZPI%oi$d3q
zV`jr})6Do?WCh9ooZXLY)9aojPoQt>rAY!-`IXaR(?l{7<PmF?R<5i(ZgIdz&K<wD
zjLx#Q^TmPu_z#x7i@|5lw~|BZP&#>nKV7GjYtfJIDiiff?F32trdRsulX$!zrphOD
z1sc;EbdMa52DjbxBRGKx|GlX%@I#Eko+IyxFu@o5M2hzUZ3esCKW`<EG0xWTkH2F(
zm89W*vF|r*Z1W6Z2c>0$N!}YTgdG$1(y=|0bisl<<rfDetr|Y-E+X1?Dmi$uw^3=T
z$XgLdZCNWAa~lBsTPt)V1!KqJ$KR^mC=C4i5J(AW>ee&cLVnftTU)|n7Mu4MwzQns
zR4CU)oTR&SUo+Dm;D8E|IAgdh<_vM~_JpzPfbNd~AOP+-u*ltY=ew;7Uy+rQ008#?
z<xd*{fCG20`Tbql81%k;B><qp00092)Sq`XuK2dBY4pn=1-%#1wuuSoQy-l-W)&S{
zY9+e>v~W`f>fhpuS;e5P_Rj*(v1E%EEfqcBmzma(g}+Q~gal)mptCMq*OCu~Sq-io
zby@WZ!}$rtD-*%RMPKD4je=JELKQ*xL<#sl8beS<8zbE--m58!vy2d=RujmmS-5A^
zM{)@KG6o8Syn6*Apa(#Q1%r;k)B$EWa@Mi$S{eb^y-FiC1HJ{*sMHV#0j2c@m^Sv{
z2UuLy?_uyQ5;SQ4Kqt(h2AyNvgGZmP;F&mD6hmgVCg4lOfo5u)1aAU#@Z1yQH2C8Z
z=%Wj6Ou+FnIWZ)xMWztZf~-yea7ZETQ2v>XVR0o$;T%H@N*=!ICcYcmJ#?cV90I?%
zn^#4+`hrFkTB<ZSR23krhyu2%2@8EgmPGIj0kCivRaJak4I9D5f+5$|hePbf3S4yX
z$j0YvLHO3+zLLyU3>`~X_3@YUVbxpnm<nNX4d<C8X@(BSH0Q<I&CNe#f?m~@t>_9z
z-@t$rDoj4$is0*UI_?E%ZQ-|?sNfA523iSr90hSC7^$yPY6#di2LsK4-quTZ{TRMh
zpucs}+q&p(t@O77y)}T&R;0TX@YVE{N95jF9o_hTj1mLoOb=wcu_DmDG(4?D?;-(t
z7_bqzFfp7%XsDtC&@l{w*Hn1E5QoY*D0QAGmVUKT0K79jfUyxq5m~0jDKIBT6T#Qw
zn<JGXxh*p!iA0(DA?@;bySO5ea6(a`^T%4@YY&19Q|(y8y29<r&28HthYnydP__~V
zi(45s*0gd8nQRqAv)HOo&VyE!XyGnkqf{IhLw1<*XsZLWgj=0pGQZUgDKXVM=W5aY
zeMo4H0+)|lV<6<i);KWvxix_jx%`wRVV1w)YvWo8R%6g)sR)k|)Gg{Egpf`zDk6hw
zG!?mMNlx@sL)5S8RW;5vRCsumFsnF-P8rg8mL{rQl{6@&q+lqh1;Ny%8B9K7rmi|Q
zyB5_Yf=}+KL6l)W(^f@AL`^qLF>o1O?Z~6ABVC~>&28^dm%3F4qG-Z+{J5k{NTVdp
z<bkCauSof+;;L3yu!`#j9a6J1<cbhpjAhUDs8+m)d?)x34YHsbNf$31Rj845zCu$~
k@Cp=6R*9a-xvV0yI%{-dO5O$k8*UxHA^cZIWU-+*3V&zT%>V!Z

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.eot b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.eot
new file mode 100644
index 0000000000000000000000000000000000000000..b93a4953fff68df523aa7656497ee339d6026d64
GIT binary patch
literal 20127
zcma%hV{j!vx9y2-`@~L8?1^pLwlPU2wr$&<*tR|KBoo`2;LUg6eW-eW-tKDb)vH%`
z^`A!Vd<6hNSRMcX|Cb;E|1qflDggj6Kmr)xA10^t-vIc3*Z+F{r%|K(GyE^?|I{=9
zNq`(c8=wS`0!RZy0g3<xfGPm^&oc(t0WAJyYk&j565#r82r@tgVE(V|{tq<<xco!B
z02==gmw&z10LOnkAb<tH1OWX@JOI9bn*UMykN1D0R{xl80Mq~Cd;ISaOaQKbJU)Q^
zKV{p0n*ZTg{L}i+{3Za_e=Uyx%G?09e;&`jxw-$pR}TDt)(rrNs7n5?o%-LK0RgDo
z0?1<k<naI!SC})WF>{M(8^tv41d}oRU?8#IBFtJy*9zAN5dcxqGlMZGL>GG%R#)4J
zDJ2;)4*E1pyHia%>lMv3X7Q`UoFyoB@|xvh^)kOE3)IL&0(G&i;g08s>c%~pHkN&6
z($7!kyv|A2DsV2mq-5Ku)D#$Kn$CzqD-wm5Q*OtEOEZe^&T$<q%?GPI*ug?*jFCZ7
zl1X3>xIb0NUL<TDAlC~xMcGnHsPe)Gh+nESIamgk2)5Ql^6QPK&XkQ+!qk}`TYc#I
zf~KwkK>}$)W)Ck`6oter6KcQG9Zcy>lXip)%e&!lQgtQ*N`#abOlytt!&i3fo)cKV
zP0BWmLxS1gQv(r_r|?9>rR0ZeEJPx;Vi|h1!Eo*dohr<W65y|5+tpvz!HDS=Q}DgN
z;O&E^rmV416<Hj_N10HwLk^Lwyhx2j;kDE@F*S-tuqy|n(-6~PPF09Xvxq56At8OG
z4-2Gj5=K^(f;q@WOp+9uP|<!09J~a(Y%m)hsl;TbWEvvuQ7(qWx_eKYE@rH9B(V+`
zF8+p6+N8}}{zS_o7#)%b=2DFYa}JT{_i@;_#xxEDZ)+D4Lz{Pv;LE}#`N2bQP*W;6
z(wPX2S3Zb<sNz$mW_!uE^K&d`O<hkRPv<3DnX$`Y*)_qR>&^lJgqJZns>&vexP@fs
zkPv93Nyw$-kM5Mw^{@wPU47Y1dSkiHyl3dtHLwV&6Tm1iv{ve;sYA}Z&kmH802s9Z
zyJEn+cfl7yFu#1^#DbtP7k&aR06|n{LnYFYEphKd@dJEq@)s#S)UA&8VJY@S2+{~>
z(4?M();zvayyd^j`@4>xCqH|Au>Sfzb$mEOcD7e4z8pPVRTiMUWiw;|gXHw7LS#U<
zsT(}Z5SJ)CRMXloh$qPnK77w_)ctHmgh}QAe<2S{DU^`!uwptCoq!Owz$u6bF)vnb
zL`bM$%>baN7l#)vtS3y6h*2?xC<XQJNpZVS!tVtuR(<D$%K=CTVlwa)G)}qDJup|w
z!YRUAk-}+0)MFG#RuE2vlb~4*bP&)ex6`$^%6ySxf}MiQja9&+C4)UgIK)TIHVp>k
z>w+s)@`O4(4_<t2L?B1i*y6fuRi+P?QZCG2j9(btWTetUT@0Q|8XO(SqEH6LSB!2L
z<;M1lya0G`cm9UEex~so>I{L-!+b%)NZcQ&ND=2lyP+xI#9OzsiY8$c)ys-MI?TG6
zEP6f=vuLo!G>J7F4v|s#lJ+7A`^nEQScH3e?B_jC&{<S@1dd<&?JtuP@v(wA>sj>m
zYD?!1z4nDG_Afi$!J(<{>z{~Q)$SaXWjj~%ZvF152Hd^VoG14rFykR=_TO)mCn&K$
z-TfZ!vMBvnToyBoKRkD{3=&=qD|L!vb#jf1f}2338z)e)g>7#NPe!FoaY*jY{f)<G
z+9IWTnFJO0p&^rK`xODpSZARax-jN9(N|ZWyg~(MGSuQYzXBQR*+_`oO>Bf>ohk-K
z4{>fVS}ZCicCqgLuYR_fYx2;*-4k>kffuywghn?15s1dIOOYfl+XLf5w?wtU2Og*f
z%X5x`H55F6g1>m~%F`655-W1wFJtY>>qNSdVT`M`1Mlh!5Q6#3j={n5#za;!X&^OJ
zgq;d4UJV-F>gg?c3Y?d=kvn3e<VW2IarGgIy4I@#ozBH$Q(a($^uvXS?@=l>V)Jb^
zO5vg0G0yN0%}xy#(6oTDSVw8l=_*2k;zTP?+N=*18H5wp`s90K-C67q{W3d8vQGmr
zhpW^>1HEQV2TG#8_P_0q91h8QgHT~8=-Ij5snJ3cj?Jn5_66uV=*pq(j}yHn<uy|J
zh=_`9%JG63kQPJ-Et!mF@={HFp+sB-S+XTFvdzD^x19Lbj{TXx=?FGKvX;|1-3-zU
zl2DyEls20Izb)isO0?xrx(b1`<I3ZDSNBd*<5l=jC`?Re`XCFaI(ny#9KlP!NYbU=
z^;IWB5he_V3}{Xdl1>f$<x%N5|7+dpJoB>Ft;5VVC?bz%9X31asJeQF2jEa47H#j`
zk<KNJ>&uxf3t?g!tltVP|B#G_UfDD}`<#B#iY^i>oDd-LGF}A@Fno~dR72c&hs6bR
z2F}9(i8+PR%R|~FV$;Ke^Q_E_B<teU&M|M>c;$)xN4Ti>Lgg4vaip!%M<tZtx+eW>
z06oxAF_*)LH57w|gCW3SwoEHwjO{}}U=pKhjKSZ{u!K<P`9nrZXY)DCi*vvJQDx`q
za_kyA2Qus4JQ%8kM3_Gd%I1O+cF3~V6=ZM1u9*Ea+iXPId}M`kd7I1T0d7Zx)Wa&?
z{PLQlHM^=&Y!og~I(XQ;5lJScjK~IrV<F7J6v`iM&M1#EkRsHYX8V%Dip>?1zm1q?
zXyA6y@)}_sONiJopF}_}(~}d4FDyp|(@w}Vb;Fl5bZL%{1`}gdw#i{KMjp2@Fb9pg
ziO|u7qP{$kxH$qh8%L+)AvwZNgUT6^zsZq-MRyZid{D?t`f|KzSAD~C?WT3d0rO`0
z=qQ6{)&UXXuHY{9g|P7l_nd-%eh}4%VVaK#Nik*tOu9lBM$<%FS@`NwGEbP0&;Xbo
zObCq=y%a`jSJmx_uTLa{@2@}^&F<l?4N8$IoqA~y`|!rgD24&AtvbWWlPF%K!I`Fp
zMCDiMrV(MWM2!hiB6=^)Er#O8q+%t)I4l3iuF$d;cBXqGAn?Z0Z*?MZRuh=zmPo~-
z_rOvv7sERj79T<uPMWCHIto@agn)X&#=QQyY*6wt){yHQ7~yFoEezd#C<dQF+u)2-
zEIMy-5P*TYpqPxY25dY9J+f-E^3<^@G(=jU{U&hQ3#o`a)dOUR&JT?mTRlBfHE<p|
zO&J|*26{JJ28qC1saVtkQ1WW^G58Smr^%f>4c%z6oe-TN&idjv+8E|$FHOvBqg5hT
zMB=7SHq`_-E?5g=()*!V>rIa&LcX(RU}aLm*38U_V$C_g4)7GrW5$GnvTwJZdBmy6
z*X)wi3=R8L=esOhY0a&eH`^fSpUHV8h$J1|o^3fKO<edeL`~4AS}?bGhbI@wd%7ob
z;HUsAzX8f<5Tcj`x1L`~p_%qxb{Gobu+`2Hh*bfnN@EZ$w1F5i32YXO9vreTkznl=
zRv&F3;kE3d@_Cys2UVvUxUU=oDO~U>|9QzaiKu>yZ9wmRkW?HTkc<*v7i*ylJ#u#j
zD1-n&{B`04oG>0Jn{5PKP*4Qsz{~`VVA3578gA+JUkiPc$Iq!^K|}*p_z3(-c&5z@
zKxmdNpp2&wg&%xL<cX5MdFnpzW;X?cI|~qZbhDWm)F_t}i=(x><xZ|=$k6lbFWo~R
z1yEA-t+BaHz`?1Zi{N`F<t?_rS*zpAEN-Lg7L9qKTVj|Ih7gOmTvLqTlA1e51SXNm
zeA`1UhC`&)%k?V^ii%`|O+coBH9$HjP#Fy1CjYhyW0DPZC>3xZNzG-5Xt7jnI@{?c
z25=M>-VF|;an2Os$Nn%HgQz7m(ujC}Ii0Oesa(y#8>D+P*_m^X##E|h$M6tJr%#=P
zWP*)Px>7z`E~U^2LNCNiy%Z7!!6RI%6fF@#ZY3z`CK91}^J<kz;gXvl4j_QvxfXmA
ze1j4n*Hru_ge<*I;p<wHXN`XVFAk2bTG~Vl5{?nXF6K!!HeqOu6_U-movw7Gx`O<C
zM~<jbZlSC}oXeAQr_Y8Tq)(9YogPgPY{6ELohD$98O2Fj5_M2=J84FuR#dyoS!A-|
z*c)!)9^dk4^<2$Ks79AAMW;%o-!%g7j{1(Pnwwy1tca#dUTE1+4y#<A6VSeCR)wQ`
zCEFu?oS$y=05cpTr}VLe+YU$GFp$#&tfXaK<ia*q3-&+6KDQP!)!Ru(yh0c}7za6=
ziFP^Nq3))g21c{b{ESQRdZN3Xnpa8jUP0DA2r&uofBU7TtM^7^s}7#&aUnGsvE`fu
z>$F!EB0YF1je9<lP78|=Z6bmMhpLsL)Tz)Cn&pP#eF?{kB>hJKU7!S5MnXV{+#K;y
zF~s*H%p@vj&-ru7#(F2L+_;IH46X(z{~HTfcThqD%b{>~u@lSc<+f5#xgt9L7$gSK
ziDJ6D*R%4&YeUB@yu@4+&70MBNTnjRyqMRd+@&lU#rV%0t3OmouhC`mkN}pL>tXin
zY*p)mt=}$EGT2E<4Q>E2`6)gZ`QJhGDNpI}bZL9}m+R>q?l`OzFjW?)Y)P`fUH(_4
zCb?sm1=DD0+Q5v}BW#0n5;Nm(@RTEa3(Y17H2H67La+>ptQHJ@WMy2xRQT$|7l`8c
zYHCxYw2o-rI?(fR2-%}pbs$I%w_&LPYE{4bo}vRoAW>3!SY_zH3`ofx3F1PsQ?&iq
z*BRG>?<6%z=x#`NhlEq{K~&rU7Kc7Y-90aRnoj~rVoKae)L$3^z*Utppk?I`)CX&&
zZ^@Go<Q-E-9qdDk;`1UZ+I6D_?B@62xgSC03f%4S8VtH3(P3D_6<1>9fm&fN`b`XY
zt0xE5aw4t@qTg_k=!-5LXU+_~DlW?53!afv6W(k@FPPX-`nA!FBMp7b!ODbL1zh58
z*69I}P_-?qSLKj}JW7gP!la}K@M}L>v?rDD!DY-tu+onu9kLoJz20M4urX_xf2dfZ
zORd9Zp&28_ff=wdMpXi%IiTTNegC}~RLkdYjA39kWqlA?jO~o1`*B&85Hd%VPkYZT
z48MPe62;TOq#c%H(`wX5(Bu>nlh4Fbd*Npasdhh?oRy8a;NB2(eb}6DgwXtx=n}fE
zx67rYw=(s0r?EsPjaya}^Qc-_UT5|*@|$Q}*|>V3O~USkIe6a0_>vd~6kHuP8=m}_
zo2IGKbv;yA+TBtlCpnw)8hDn&eq?26gN$Bh;SdxaS04Fsaih_Cfb98s39xbv)=mS0
z6M<@pM2#pe32w*lYSWG>DYqB95XhgAA)*9dOxHr{t)er0Xugoy)!Vz#2C3FaUMzYl
zCxy{igFB901*<tiyD63(hW(uERHv;@J~7F`;-e`O5Ld!(Fl>R2*F4>grPF}+G`;Yh
zGi@nRjWyG3mR(BVOeBPOF=_&}2IWT%)pqdNAcL{eP`L*^FDv#Rzq<iCP<KO7gjv}{
z^5ElYuo)cUV9?9{6e*c7eWVK@LCOKKaBR<2_;6r+GhH1i-~$};rNpE_D*2ZJ=O+cz
zyj}kfz8;}sw88^SYgzvxpkB>l5U&Suq_X%JfR_lC!S|y|xd5mQ0{0!G#9hV46S~A`
z0B!{yI-4FZEtol5)mNWXcX(`x&Pc*&gh4k{w%0S#EI>rqqlH2xv7mR=9XNCI$V#NG
z4wb-@u{PfQP;tTbzK>(DF(~bKp3;L1-A*HS!VB)Ae>Acnvde15Anb`h;I&0)aZBS6
z55ZS7mL5Wp!LCt45^{2_70<L`Ib`SKM1Oi<HkO)Y>YiI_Py=X{I3>$Px5Ez0ahLQ+
z9EWUWSyzA|+g-Axp*Lx-M{!ReQO07EG7r4^)K(xbj@%ZU=0tBC5shl)1a!ifM5OkF
z0<aV&1|hwix;hV`l{C+KeqEjnn@aQGS~k&rcJ^K626yC8@~#qf$xT7;xJLzv3M&rA
z)MirFFpng+&}hRJHKQ6_3l{ABCJLmIrj8g#cem2@!i;W7Q+}Wr^IrTp((?iq1h?Cq
z7Z^k%ps^N^e})9!YkyNa0;x`m&~<4yTQHl1+dFNY1CE<&_PZ=1v!ch(qU_a1lHd~T
zC&a1>w2xQ-<+r-h1fi7B6waX15|*GGqfva)S)dVcgea`lQ~SQ$KXPR+(3Tn2I2R<0
z9tK`L*pa^+*n%>tZPiqt{_`%v?Bb7CR-!GhMON_Fbs0$#|H}G?rW|{q5fQhvw!FxI
zs-5ZK>hAbnCS#ZQVi5K0X3PjL1JRdQO+&)*!oRCqB{wen60P6!7bGiWn@vD|+E@Xq
zb!!_WiU^I|@1M}Hz6fN-m04x=><rLlCfwyIrOU}U)<7QivZH0Rm_-}Sg~$eCMDR*Z
zx`cVPn__}6Q+CU!>Exm{b@>UCW|c8<K+|Vc^j#>vC`aNbt<B+h3ox;kC6?34Wa#|Y
zXq?n@d6k6MUBqn%SYLX5^>A@KCHujh^2RWZC}iYhL^<*Z93chIBJYU&w>$CGZDR<q
ztx<5t>cHuIgF&oyesDZ#&mA;?wxx4Cm#c0V$xYG?9OL(Smh}#fFuX(K;otJmvRP{h
ze^f-qv;)HKC7geB92_@3a9@M<H_?qNxE&=>GijS(hNNVd%-rZ;%@F_f7?Fjinbe1(
zn#jQ*jKZTqE+AUTEd3y6t>*=;AO##cmdwU4gc2&rT8l`rtKW2JF<`_M#p>cj+)yCG
zgKF)y8jrfxTjGO&ccm8RU>qn|HxQ7Z#sUo$q)P5H%8iBF$({0Ya51-rA@!I<SEC1_
zHUdTwrTB3a?*}j?j1(f*^9G0kG<5JX4@l|rR&H;`Qa2VcYZ3UxZL+D>t#NHN8MxqK
zrYyl_&=}WVfQ?+ykV4*@F6)=u_~3BebR2G2>>mKaEBPm<p!ix>SW3(qYGGXj??m3L
zHec{@jWCsSD8`xUy0pqT?Sw0oD?AUK*WxZn#D>-$`eI+IT)6ki>ic}W)t$V32^ITD
zR497@LO}S|re%A+#vdv-?fXsQGVnP?QB_d0cGE+U84Q=aM=XrOwGFN3`Lpl@P0fL$
zKN1PqOwojH*($uaQFh8_)H#>Acl&UBSZ>!2W1Dinei`R4dJGX$;~60X=|SG6#jci}
z&t4*dVDR*;+6Y(G{KGj1B2!qjvDYOyPC}%hnPbJ@g(4yBJrViG1#$$X75y+Ul1{%x
zBAuD}Q@w?MFNqF-m39FGpq7RGI?%Bvyyig&oGv)lR>d<`Bqh=p>urib5DE;u$c|$J
zwim~nPb19t?LJZsm{<(Iyyt@~H!a4yywmHKW&=1r5+oj*Fx6c89heW@(2R`i!Uiy*
zp)=`Vr8sR!)KChE-6SEIy<Vn-l!RzPhNVxOkQU85Nng*5JUtkAg)b6wP&$wmih=Au
zKs;dHW6q)pI2VT$E`W=7aAbKSJnb;$l%#?edH=)1)avHvVH)345mJ;(*l$Ed1MA<a
z72%vbZD4`I;B-RS=m{iM`7(#1x>i(dvG3<1KoVt>kGV=zZiG<Y+hj@$zd#Q#=4iVE
z)x-IdMbP%iC;0pg$QUoVt(A;lO{-jJjH=;buR+E#0Eulb^`hidN&<0Z-tju^RGPcG
z(C4$AS6l7m-h>7LGonH1+~yOK-`g0)r#+O|Q>)a`I2FVW%wr3lhO(P{ksNQuR!G_d
zeTx(M!%brW_vS9?IF>bzZ2A3mWX-MEaOk^V|4d38{1D|KOlZSjBKrj7Fgf^>JyL0k
zLoI$adZJ0T+8i_Idsuj}C;6jgx9LY#Ukh;!8eJ^B1N}q=Gn4onF*a2vY7~`x$r@rJ
z`*hi&Z2lazgu{&nz>gjd>#eq*IFlXed(%$s5!HR<!{AgXHWD~USVRvxKdGTp>XKNm
zDZld+DwDI`O6hyn2uJ)F^{^;ESf9sjJ)wMSKD~R=DqPBHyP!?cGAvL<1|7K-(=?VO
zGcKcF1spUa+ki<qEk7@%dE~%eGpEl!oK*hA!YE+isq^GFdJ#{KfWIULzmRCaF}4(*
z-$*W)k94bSp|#5~htGbQ<~v1feWKv$%wM~TX}E><`6K#@QxOTsd847N8WSWztG~?~
z!gUJn>z0O=_)VCE|56hkT~n5xXTp}Ucx$Ii%bQ{5;-a4~I2e|{l9ur#*ghd*hSqO=
z)GD@ev^w&5%k}YYB~!A%3*XbPPU-N6&3Lp1LxyP@|C<{qcn&?l54+zyMk&I3YDT|E
z{lXH-e?C{huu<@~li+73lMOk&k)3s7Asn$t6!PtXJV!RkA`qdo4|OC_a?vR!kE_}k
zK5R9KB%V@R7gt@9=TGL{=#r2gl!@3G;k-6sXp&E4u20DgvbY$iE**Xqj3TyxK>3AU
z!b9}NXuINqt>Htt6fXIy5mj7oZ{A&$XJ&thR5ySE{mkxq_YooME#VCHm2+3D!f`{)
zvR^WSjy_h4v^|!RJV-RaIT2Ctv=)UMMn@fAgjQV$2G+4?&dGA8vK35c-8r<daDqE-
zlIJCF%-7v?-xOAOA*Z$Wv;j3$ldn=}pR52aU>)z9Qqa=%k(FU)?iec14<^olkOU3p
zF-6`zHiDKPafKK<gsO-HjX!gIc-J@mlI}lqM!qAHMA?>^USUU+D01>C&Wh{{q?>5m
zGQp|z*+#>IIo=|ae8CtrN@@t~uLFOeT{}vX(IY*;>wAU=u1Qo4c+a&R);$^VCr>;!
zv4L{`lHgc9$BeM)pQ#XA_(Q#=_i<x#Kw|T_b{oltLKCCP2b6F_+)lx3b*Vc?@JD8p
z>SZL4>L~8Hx}NmOC$&*Q*bq|9Aq}rWgFnMDl~d*;7c44GipcpH9PWaBy-G$*MI^F0
z?Tdxir1D<2ui+Q#^c4?uKvq=p>)lq56<F6-{L-8bs~8_dC8J3p4CdV*Iq;6IOvBJh
z^E(Ti1wkp{O6qebTnBYm)da^xs3^-TV5tGhoGrFBA^b?UK`APfD~Y+F8!rz@iSNu3
zFO1o9o^S3!%nw&2bpBxHF!V{IaC(n}+(HqYMb(3!l`YX-ru;2?$oSZD;K6*RvAS8r
zf1jgZer>=Eb|N^qz~w7rsZu)@E4$;~snz+wIxi+980O6M#RmtgLYh@|2}9BiHSpTs
zacjGKvwkUwR3lwTSsCHlwb&*(onU;)$yvdhikonn|B44JMgs*&Lo!jn`6AE>XvBiO
z*LKNX3FVz9yLcsnmL!cRVO_qv=yIM#X|u&}#f%_?Tj0>8)8P_0r0!AjWNw;S44tst
zv+NXY1{zRLf9OYMr6H-z?4CF$Y%MdbpFIN@a-LEnmkcOF>h16cH_;A|e)pJTuCJ4O
zY7!4FxT4>4aFT8a92}84>q0&?46h>&0Vv0p>u~k&qd5$C1A6Q$I4V(5X~6{15;PD@
ze6!s9xh#^QI`J+%8*=^(-!P!@9%~buBmN2VSAp@TOo6}C?az+ALP8~&a0FWZk*F5N
z^8P8IREnN`N0i@>O0?{i-FoFShYbUB`D7O4HB`Im2{yzXmyrg$k>cY6A@>bf7i3n0
z5y&cf2#`zctT>dz+hNF&+d3g;2)U!#vsb-%LC+pqKRTiiSn#FH#e!bVwR1nAf*TG^
z!RKcCy$P>?Sfq6n<%M{T0I8?p@HlgwC!<R%oqdMv88ghhaN5z;w29c{kLz0?InueY
zuDv#J^DHLyGoyzt8(sCID)#E6<WCYlz7uC1Xvs8QhV{45h-M4rLYe7xw;{g462-zX
zIV>HoWO>~mT+X<{Ylm+$Vtj9};H3$EB}P2wR$3y!TO#$iY8eO-!}+F&jMu4%E6S>m
zB(N4w9O@2=<`WNJay5PwP8javDp~o~xkSbd4t4t8)<Wt_Xc73S;VOmD#Fsb|nTsJs
z59;v?-{=r}I{BDxTN)Iz2&5m`sG^%wjY0*@1I`W29gtM7#wwIQTHvQhS2gB?6J62R
zJXy=)7L1!%o4(?3j6J3Pc%v5LFvsR9gKoej%77dCetZylr9&mT=u=p$Kn1Z^C3ySy
z3|Tg>9jqu@bHmJHq=MV~Pt|(TghCA}fhMS?s-{klV>~=VrT$nsp7mf{?cze~KKOD4
z_1Y!F)*7^W+BBTt1R2h4f1X4Oy2%?=IMhZU8c{qk3xI1=!na*Sg<=A$?K=Y=GUR9@
zQ(ylIm4Lgm>pt#%p`zHxok%vx_=8Fap1|?OM02|N%X-g5_#S~sT@A!x&8k#wVI2lo
z1Uyj{tDQRpb*>c}mjU^gYA9{7mNhFAlM=wZkXcA#MHXWMEs^3>p9X)Oa?dx7b%N*y
zLz@K^%1JaArjgri;8ptNHwz1<0y8tcURSbHsm=26^@CYJ3hwMaE<khA9_uuFNLm1L
zw+Fp#304~-S;vdG5Nug~K2qs}yD1rrg&9Fcvifn@KphT~L22BKMX?U^9@?Ph`>vC7
z3Wi-@AaXIQ)%F6#i@%M>?Mw7$6(kW@?et@wbk-APcvMCC{>iew#vkZej8%9h0JSc?
zCb~K|!9cBU+))^q*co(E^9jRl7gR4Jihyqa(Z(P&ID#TPyysVNL7(^;?Gan!OU>au
zN}miBc&XX-M$mSv%3xs)bh>Jq9#aD_l|zO?I+p4_5qI0Ms*OZyyxA`sXcyiy>-{YN
zA70%HmibZYcHW&YOHk6S&PQ+$rJ3(utuUra3V0~@=_~QZy&nc~)AS>v&<6$gErZC3
zcbC=eVkV4Vu0#}E*r=&{X)<H<fOshUJUO>Kgq|8MGCh(wsH4geLj@#8EGYa})K2;n
z{1~=ghoz=9TSCxgzr5x3@sQZZ0FZ+t{?klSI_IZa16pSx6*;=O%n!uXVZ@1IL;JEV
zfOS&yyfE9dtS*^jmgt6>jQDOIJM5Gx#Y2eAcC3l^lmoJ{o0T>IHpEC<k{}Rs{I@x*
zb<od>TbfYgPI4#LZq0<d#zAXFmb<Y9lgw&{$vCxBQ~RnTL=zZ7D-RwUE3~Z#wraN%
z_E{llZ?GrX#>PKqnPC<SBsRloBYG4ZO7Eeh-Bv2C$rMVb@bcKn3t2`<&0ke8{h|+|
z29&HD`tAtGV2ZA(;c{wT$(NWY+fHTL0b7Km+3IMcIX(?D)PQ;HB*^`ex$kl}K>D}_
zyKxz;(`fE0z~nA1s?d{X2!#ZP8wUHzFSOoTWQrk%;wCnBV_3D%3@EC|u$Ao)tO|AO
z$4&aa!wbf}rbNc<V}`mLC?8U0y^+E9xuE>P{6=ajgg(`p5kTeu$ji20`zw)X1SH*x
zN?T36{d9TY*S896Ijc^!35LLUByY4QO=ARCQ#MMCjudFc7s!z%P$6DESz%zZ#>H|i
zw3Mc@v4~{Eke;FWs`5i@ifeYPh-Sb#vCa#qJPL|&quSKF%sp8*n#t?vIE7kFWjNFh
zJC@u^bRQ^?ra|%39Ux^Dn4I}QICyDKF0mpe+Bk}!lFlqS^WpYm&xwIYxUoS-rJ)N9
z1Tz*6Rl9;x`4lwS1cgW^H_M*)Dt*DX*W?ArBf?-t|1~ge&S}xM0K;U9Ibf{okZHf~
z#4v4qc6s6Zgm8iKch5VMbQc~_V-ZviirnKCi*ouN^c_2lo&-M;YSA>W>>^5tlXObg
zacX$k0=9Tf$Eg+#9k6yV(R5-&F{=DHP8!yvSQ`Y~XRnUx@{O$-bGCksk~3&qH^dqX
zkf+ZZ?Nv5u>LBM@2?k%k&_aUb5Xjqf#!&7%zN#VZwmv65ezo^Y4S#(ed0yUn4tFOB
zh1f1SJ6_s?a{)u6VdwUC!Hv=8`%T9(^c`2hc9nt$(q{Dm2X)dK49ba+KEheQ;7^0)
ziFKw$%EHy_B1)M>=yK^=Z$U-LT36yX<F=`VawpD(xy$9hZLKdS9NJ`Zn_|f^uS`)c
z-Rl}C$-9t=SeW=txVx%`NS&LLwx4tQT@F-lQnBqQ-sOH}Jc&bP@MTU&SQLci>>EKT
zvD8IAom2&2?bTmX@_PBR4W|p?6?LQ+&UMzXxqHC5VHzf@Eb1u)kwyfy+NOM8Wa2y@
zNNDL0PE$F;yFyf^jy&RGwDXQwYw6yz>OMWvJt98X@;yr<mIFkh{a&op3>!*RQDBE-
zE*l*u=($Zi1}0-Y4lGaK?J$yQjgb<Bq)i+tJ7(x$;ieC4!=clV5G5IPlSyhAR$E4=
z$1c&+)JfppzZ*VSL$xH3n1^iI1K%)!-^sJU%xwj7WT8t7w6499b3QQ%J+gW)4)JMb
z8GVT`4`(VvLA^xbTV6K2V_8Mv*?gDDUBYV!P-qg?Dq*YIhGKXu$p#?E9&(-}opTbz
zZ#J#VgX+|T3gSW)eF}>+*ljUvNQ!;QYAoCq@>70=sJ{o{^21^?zT@r~hhf&O;Qiq+
ziGQQLG*D@5;LZ%09mwMiE4Q{IPUx-emo*;a6#DrmWr(zY27d@ezre)Z1BGZdo&pXn
z+);gOFelKDmnjq#8dL7CTiVH)dHOqWi~uE|NM^QI3EqxE6+_n>IW67~UB#J==QOGF
zp_S)c8TJ}uiaEiaER}MyB(grNn=2m&0yztA=!%3xUREyuG_jmadN*D&1nxvjZ6^+2
zORi7iX1iPi$tKasppaR9$a3IUmrrX)m*)fg1>H+$KpqeB*G>AQV((-G{}h=qItj|d
zz~{5@{?&Dab6;0c7!!%Se>w($RmlG7Jlv_zV3Ru8b2rugY0MVPOOYGlokI7%nhIy&
z-B&wE=lh2dtD!F?noD{z^O1~Tq4MhxvchzuT_oF3-t4YyA*MJ*n&+1X3<j>~6quEN
z@m~aEp=b2~mP+}TUP^FmkRS_PDMA{B<dV*k52^3iWFIaXBr1MC#nA4rRMbI6g1e0>
zaSy(P=$T~R!yc^Ye0*pl5xcpm_JWI;@-di+nruhqZ4gy7cq-)I&s&Bt3BkgT(Zdjf
zTvvv0)8xzntEtp4iXm}~cT+pi5k{w{(Z@l2XU9lHr4Vy~3ycA_T?V(QS{qwt?v|}k
z_ST!s;C4!jyV5)^6xC#v!o<DVtBeh%T7qnQl{H-3DV=+H*Qr*Tk6W^hU(ZD0kJnpt
z6l*<^aakgBhlA+xpS}v`t7iyV?zu_V<U{&GBzBLYIuzDQe~f#6w^zD>*uS%a-jQ6<
z)>o?z7=+zNNtIz1*F_HJ(w@=`E+T|9TqhC(g7kKDc8z~?RbKQ)LRMn7A1p*PcX2YR
zUAr{);~c7I#3Ssv<0i-Woj0&Z4a!u|@Xt2J1>N-|ED<3$o2V?OwL4oQ%$@!zLamVz
zB)K&Ik^~GOmDAa143{I4?XUk1<3-k{<%?&OID&>Ud%z*Rkt*)mko0RwC2=qFf-^OV
z=d@47?tY=A;=2VAh0mF(3x;!#X!%{|vn;U2XW{(nu5b&8kOr)Kop3-5_xnK5oO_3y
z!EaIb{r%D{7zwtGgFVri4_!yUIGwR(xEV3YWSI_+E}Gdl>TINWsIrfj+7DE?xp+5^
zlr3pM-Cbse*WGKOd3+*Qen^*uHk)+EpH-{u@i%y}Z!YSid<}~kA*IRSk|nf+I1N=2
zIKi+&ej%Al-M5`cP^XU>9A(m7G>58>o|}j0ZWbMg&x`*$B9j#Rnyo0#=BMLdo%=ks
zLa3(2EinQLXQ(3zDe7Bce%Oszu%?8PO648TNst4SMFvj=+{b%)ELyB!0`B?9R6<HO
z0ZCx8TWpL$G_aCzv{2o6N{#z3g%x>aO{i-63|s@|raSQGL~s)9R#J#duFaTSZ2M{X
z1?YuM*a!!|jP^QJ(hAisJuPOM`8Y-Hzl~%d@latwj}t&0{DNNC+zJARnuQfiN`HQ#
z?boY_2?*q;Qk)LUB)s8(Lz5elaW56p&fDH*AWAq7Zrbeq1!?FBGYHCnFgRu5y1jwD
zc|yBz+UW|X`zDsc{W~8m<GsO<mO_1`^L`RbrG?Z6Us2*=^_x$`JV{a_LYEsuJtJYL
ziPBF7dm}M2=6vrP;RB?Z6!7)Zvt4B!$rUPf{RA&_8%VD|7)NrR9*=&gO*sOzLhB*~
z^{cR)lY*pt9GGm(POd`WZo!H=s$8fLl_}-xnV5A+4*BbLUMGLAzH|i9_k(p_(`_J-
zjFFqtuzWuLa;BGl;mNUQM^&@rL--@GcC@@A*GDUdTjOrweNe5I+671K_l#WVI|@LM
z6mSs@4|l^kTD;Gvy}KaDi)#o4AD~D*LX@4{{bfG+FoqQ?-6%VkN)4{7vy<hZ9gNX|
zQxtE>$sh@VVnZD$lLnKlq@Hg^;ky!}ZuPdKNi2BI70;hrpvaA4+Q_+K)I@|)q1N-H
zrycZU`*YUW``Qi^`bDX-j7j^&bO+-Xg$cz2#i##($uyW{Nl&{DK{=lLWV<rkzZltE
zVX#Q@q!0kD+4jwZ#haJNHLSu>3|=<&si||2)l=8^8_z+Vho-#5LB0EqQ3v5U#*DF7
zxT)1j^`m+lW}p$>WSIG1eZ>L|YR-@Feu!YNWiw*IZYh03mq+2QVtQ}1ezRJM?0PA<
z;mK(J5@N8>u@<6Y$QAHWNE};rR|)U_&bv8dsnsza7{=zD1VBcxrALqnOf-qW(zzTn
zTAp|pEo#FsQ$~*$j|~Q;$Zy&Liu9OM;VF@#_&*nL!N2hH!Q6l*OeTxq!l>dEc{;Hw
zCQni{iN%jHU*C;?M-VUaXxf0FEJ_G=C8)C-wD!DvhY+qQ#FT3}Th8;GgV&AV94F`D
ztT6=w_Xm8)*)dBnDkZd~UWL|W=Gl<gto;(*wC9U9tZbpA!j<N3*HCbtKUlby_Vyr4
z!?d@=(#f`*(ud3VsGC{9IRi#5(w*FK!J}~s9(p0ap?ykZJBp1cTUR*jPbbAP&K)BP
zDUly$`B#Sn(aWroZGbyL&=Dg67A>u!$hc|1w7_7l!3MAt95oIp4Xp{M%clu&TXehO
z+L-1#{mjkpTF@?|w1P98OCky~S%@OR&o75P<Wn%&Jm$EVDF7;}E<;f25{W=vmcPFf
zmJVk81ZR1bRmlb|#0}DPdayCjq(27hQh>&ZHvC}Y=(2_{ib(-Al_7aZ^U?s34#H}=
zGfFi5%KnFVCKtdO^>Htpb07#BeCXMDO8U}crpe1Gm`>Q=6qB4i=nLoLZ%p$TY=OcP
z)r}Et-Ed??u~f09d3Nx3bS@ja!fV(Dfa5lXxRs#;8?Y8G+Qvz+iv7fiRkL3liip})
z&G0u8RdEC9c$$rdU53=<QkS9aMArWJ!P8{(D~hr9YfM2Q0nl|;=ukHlQj%<P$wYfa
z?$=heR#}yGJkpA2LI#>MH`p!Jn|DHjhOxHK$tW_pw9wCTf0Eo<){HoN=zG!!Gq4z4
z7PwGh)V<N7ESN6`*^`^Q73fj(wcMs7=5Iu(yJo@Q_F?W?yk3)SdLai+cM6GrKPrjs
za_NJm=uOAmRL5F_{*Yjb_BZNY?)kCB%$WE8;A{ZK>NPXW-cE#MtofE`-$9~nmmj}m
zlzZscQ2+Jq%gaB9rMgVJkbhup0Ggpb)&L01T=%>n7-?v@I8!Q(p&+!fd+Y^Pu9l+u
zek(_$^HYFVRRIFt@0Fp52g5Q#I`tC3li`;UtDLP*rA{-#Yoa5qp{cD)QYhldihWe+
zG~zuaqLY~$-1sjh2lkbXCX;lq+p~!2Z=76cvuQe*Fl>IFwpUBP+d^<W!tp~MwxCaj
zHBQw{tTF&?2^15<bHvmlCS|A$khwaGVZw*2lw&_pOQz;LcFj@Ysq%CZ)?t&74A|dB
z4WL~cZpG-0G^KuK)}aNOTySm-Lt#QyW&mN^>&E4BGc<j4bbw_-4Ttv5`+q&kCfaBq
z#Rl}~m+g*DG5=zM=t?z8cf%Vr>{m#l%Kuo6#{XGoRyFc%Hqhf|%nYd<;yiC>tyEyk
z4I+a<QbTvlzlVm5v2!^bF)s*0Cw+t*kzz%N#&QZ42CimT6ySz~?+nd>`(%%Ie=-*n
z-{mg=j&t12)LH3R?@-B1tEb7FLMePI1HK0`Ae@#)KcS%!Qt9p4_fmBl5zhO10n401
zBSfnfJ;?_r{%R)hh}BBNSl=$BiAKbuWrNGQUZ)+0=Mt&5!X*D@yGCSaMNY&@`;^a4
z;v=%D_!K!WXV1!3%4P-M*s%V2b#2jF2bk!)#2GLVuGKd#vNpRMyg`kstw0GQ8@^k^
zuqK5uR<>FeRZ#3{%!|4X!hh7hgirQ@Mwg%%ez8pF!N$xhMNQN((yS(F2-OfduxxKE
zxY#7O(VGfNuLv-ImAw5+h@gwn%!ER;*Q+001;W7W^waWT%@(T+5k!c3A-j)a8y11t
zx4~rSN0s$M8HEOzkcWW4YbKK9GQez2XJ|Nq?TFy;jmGbg;`m&%U4hIiarKmdTHt#l
zL=H;ZHE?fYxKQQXKnC+K!TAU}r086{4m}r()-QaFmU(qWhJlc$eas&y<Oz%^3FaFm
z1?*33BSANpZbOjV<(WE=T(DuY)_XOR{Jho+f)Z}g61HjnqKKN*8E0S?ATVoi0{#On
zGn@2R)R+{|FLX_EYm8{*=&UqzSkXCnZ)vWGS!9t02v^*;nhYk{U}PXVkPhlRc3UH{
zA-5Xc>?=H9EYQy8N$8^bni9TpD<bzO7YS=tCt}zYcl)|7!PRQIoif~D7yjeqW#(B3
zmpkmPyyRt85TQV!liLz!S@Olwr9!I#6DL45xU1kD`j8+MN!ST75vIA5J=~k_se^q#
zaC@(uVW_ra*o|Fs!(sX4Ik6k-(M%QP2;-Z@Rf=+&=pE`Dv8K9?k1Fg2pF%vW*HO>p
zkA^WRs?KgYgjxX4T6?`SMs$`s3vlut(YU~f2F+id(Rf_)$BIMibk9lACI~LA+i7xn
z%-+=DHV*0TCTJp~-|$VZ@g2vmd*|2QXV;HeTzt530KyK>v&253N1l}bP_J#UjLy4)
zBJili9#-ey8Kj(dxmW^ctorxd;te|xo)%46l%5qE-YhAjP`Cc03vT)vV&GAV%#Cgb
zX~2}uWNvh`2<*AuxuJpq>SyNtZwzuU)r@@dqC@v=Ocd(HnnzytN+M&|Qi#f4Q8D=h
ziE<3ziFW%+!yy(q{il8H44g^5{_+pH60Mx5Z*FgC_3hKxmeJ+wVuX?T#ZfOOD3E4C
zRJsj#wA@3uvwZwHKKGN{{Ag+8^cs?S4N@6(Wkd$CkoCst(Z&hp+l=ffZ?2m%%ffI3
zdV7coR`R+*dPbNx=*ivWeNJK=Iy_vKd`-_Hng{l?hmp=|T3U&epbmgXXWs9ySE|=G
zeQ|^ioL}tve<e`!rDYCFUej_ysJ2z(4AIN3g4xGaB0&Y<^`&A^@AOml<{gmBP!-y6
z!IsbSiZ8eH@;)gbXcV?N4*>N{s72_&h+F+W;G}?;?_s@h5>DX(rp#eaZ!E=NivgLI
zWykLKev+}sHH41NCRm7W>K+_qdoJ8x9o5Cf!)|qLtF7Izxk*p|fX8UqEY)_sI_45O
zL2u>x=r5xLE%s|d%MO>zU%KV6QKFiEeo12g#bhei4!Hm+`~Fo~4h|BJ)%ENxy9)Up
zOxupSf1QZWun=)gF{L0YWJ<(r0?$bPFANrmphJ>kG`&7E+RgrWQi}ZS#-CQJ*i#8j
zM_A0?w@4Mq@xvk^>QSvEU|VYQoVI=TaOrsLTa`RZfe8{9F~mM{L+C`9YP9?Okn<Y+
zQ`?h`EW57j4Qxm_DjacY`kEKG93n7#6{CBssPbH&1L2KSo|Htm*KD+0p<wD8e>Lw|
zmkvz>cS6`pF0FYeLdY%>u&XpPj5$*iYkj=m7wMzHqzZ5SG~$i_^f@QEPEC+<2nf-{
zE7W+n%)q$!5@2pBuXMxhUSi*%F>e_g!$T-_`ovjBh(3jK9Q^~OR{)}!0}vdTE^M+m
z9QWsA?xG>EW;U~5gEuKR)Ubfi&YWnXV;3H6Zt^NE725*`;lpSK4HS1sN?{~9a4JkD
z%}23oAovytUKfRN87XTH2c=kq1)O<qRzRUy={bH%*8V=pA##jg=-EE6(Lotu<IYEm
zZ71>5(fH_M3M-o{{@&~KD`~TRot-gqg7Q2U2o-iiF}K>m?CokhmO<lc^{s0_OssMw
zc*3nzZ5WN~$;I6TzaKlN9W+6*SX5vHzSUyIfdtNx5K}gB*a}Ei-T%?Pusx0i{k6zW
zVCCXrjNT1#YIkZ%s$(OfAJ`FBR*66B?{y$nkK6iXlBVVr@2#yGM6%0i_(U5#>DaLB
z1p6(6JYGntNOg(s!(>ZU&lzDf+Ur)^Lirm%*}Z>T)9)fAZ9>k(kvnM;ab$ptA=hoh
zVgsVaveXbMpm{|4*d<0>?l_JUFOO8A3xNLQOh%nVXjYI6X8h?a@6kDe5-m&;M0xqx
z+1U$s>(P9P)f0!{z%M@E7|9nn#IWgEx6A6JNJ(7dk`%6$3@!C!l;JK-p2?gg+W|d-
ziEzgk$w7k48NMqg$CM*4O~Abj3+_yUKTyK1p6GDsGEs;}=E_q>^LI-~pym$qhXPJf
z2`!PJDp4l(TTm#|n@bN!j;-FFOM__eLl!6{*}z=)UAcGYloj?bv!-XY1TA6Xz;82J
zLRaF{8ayzGa|}c--}|^xh)xgX>6R(sZD|Z|qX50gu=d`gEwHqC@WYU7{%<5VOnf9+
zB<I4+b1=sZ53G|-kvYcPViY)E5R#f6q2$x?f020VY)3|@p~2oGrySSwa~uPN4nC&g
zX!I>@FX?|UL%`8EIAe!*UdYl|6wRz6Y>(#8x92$#y}wMeE|ZM2X*c}dKJ^4NIf;Fm
zNwzq%QcO?$NR-7`su!*$dlIKo2y(N;qgH@1|8QNo$0wbyyJ2^}$iZ>M{BhBjTdMjK
z>gPEzgX4;g3$rU?jvDeOq`X=>)zdt|jk1Lv3u~bjHI=EGLfIR&+K3ldcc4D&Um&04
z3^F*}WaxR(ZyaB>DlmF_UP@+Q*h$&nsOB#gwLt{1#F4i-{A5J@`>B9@{^i?g_Ce&O
z<<}_We-RUFU&&MHa1#t56u<quT+%|#XvIpRJ?co{{tU0{tvlHG=;UJAM%ZgS1Wk*<
zbzK}T;?L5YLE4NLu9J0u#X!J<y<O?uV#gKBNVOZ@7SW<kFyslWRX@_C90;+zxGfEz
zb5V;-W-;gzJ|=>_oM(Ljn7djja!T|gcxSoR=)@?owC*NkDarpBj=W4}=i1@)@L|C)
zQKA+o<(pMVp*Su(`zBC0l1yTa$MRfQ#uby|$mlOM<xEsq_18&vqMDMD7Zoz%Fkm7A
z3)Py9=vTp8h$K)n9Uvzc$sVOT&zol^a%bZk8R4Y8^rZSJmY_uRt<`DC1F!?x#33tZ
ze&XW>s=G`4J|?apMzKei%jZql#gP@IkOaOjB7MJM=@1j(&!jNnyVkn5;4lvro1!vq
ztXiV8HYj5%)r1PPpIOj)f!><jg)vV+x8*ZL<Q!-CP7F3VXp#~OA}`YkX&1&s!htsT
z^$c2`mPAtTVX<qUk`r6!8Vb=Uc23%M)2;P#-xg0%R+ozayS`Bp$+go_wMt83+CODc
z2B}|cG;*tiKwHPYIq{X<`rJQAk*7&QC@O%H3Z553ow$9gREC4~b(*v-N%(bN;Y@mL
zsmAcMVly_+3OO{6?K&3Aei;$vMv!82h}`Bdn#~L=J)xK(4o*51?I7`(&5m9X))pa;
zLPfmH5<-xa-W%$*L{V<;N$-)VdNT!&jA&vHrEgBjjo5UU0If7Vhz3vkcHNAY5aT+C
zc5euR<}4<-qaBP_Zef)X2|HW=07DGXb>pc^3#LvfZ(hz}C@-3R(Cx7R427*Fwd!XO
z4~j&IkPHcBm0h_|iG;ZNrYdJ4HI!$rSyo&sibmwIgm1|J#g6%>=ML1r!kcEhm(XY&
zD@mIJt;!O%WP7CE&wwE3?1-dt;RTHdm~LvP7K`ccWXkZ0kfFa2S;wGtx_a}S2lslw
z$<4^Jg-n#Ypc(3t2N67Juasu=h)j&UNTPNDil4MQMTlnI81kY46uMH5B^U{~nmc6+
z9>(lGhhvRK9ITfpAD!XQ&BPphL3p8B4PVBN0NF6U49;ZA0Tr75AgGw7(S=Yio+xg_
zepZ*?V#KD;sHH+15ix&yCs0eSB-Z%D%uujlXvT#V$Rz@$+w!u#3GIo*AwMI#Bm^oO
zLr1e}k5W~G0xaO!C%Mb{sarxWZ4%Dn9vG`KHmPC9GWZwOOm11XJp#o0-P-${3m4g(
z6~)X9FXw%Xm~&99tj>a-ri})ZcnsfJtc10F@t9xF5vq6E)X!iUXHq-ohlO`gQdS&k
zZl})3k||u)!_=nNlvMbz%AuIr89l#I$;rG}qvDGiK?xTd5HzMQkw*p$YvFLGyQM!J
zNC^gD!kP{A84nGosi~@MLKqWQNacfs7O$dkZtm4-BZ~iA8xWZPkTK!Hp<LTap+x4*
zUK;Ha0;Jc=$HCCwcHw+aadnOZR281fO)q}D^z9=|qH9;-;e${xK|?9elJ8=LaM<65
zE6;>A5zr!9Z&+icfAJ1)NWkTd!-9`NWU>9uXXUr;`Js#NbKFgrNhTcY4GNv*71}}T
zFJh?>=EcbUd2<|fiL+H=wMw8hbX6?+_cl4XnCB#ddwdG><R|vBc*yG=?!<`t>bki*
zt*&6Dy&EIPluL@A3_;R%)shA-tDQA1!Tw4ffBRyy;2n)vm_JV06(4O<t|JggQ(KZT
zsYO62-6u^^mX>r&QAOKNZB5f(MVC}&_!B>098R{Simr!UG}?CW1Ah+X+0#~0`X)od
zLYablwmFxN21L))!_zc`IfzWi<Gu||u|EiUx`=l}NMzvxMP68pmmwjICH*y4{3)P@
z%y44Q*AVc4<$z9@nMeRAeVJ+>`5>MxPe(Dm<mb5oz44!o-XIzF2v`EK`q7j%sCMv2
zL>jjO1}HHt7TJtAW+VXHt!aKZk>y6PoMsbDXRJnov;D~Ur~2R_7(Xr)aa%wJwZh<i
zvMmaF%EvU)a6S{Gh%whrx@S36i|iv5oL=QhR4YK<CK74@mwN~dH00RX{_e6r+#l%j
z7OK<7e3kn;@H(@8>S3gr7IGgt%@;`jpL@gyc6bGCVx!9CE7NgIbUNZ!Ur1RHror0~
zr(j$^yM4j`#c2KxSP61;(Tk^pe7b~}LWj~SZC=MEpdKf;B@on9=?_n|R|0q;Y*1_@
z>nGq>)&q!;u-8H)WCwtL<LrD$x{Fa((5#4K!l=^|krt6e2?!PZN=Rmwt*1$d&$Q{J
zCgeI0rGg+wn3iR*eck$cFmbQ~E3GYxr&dJb(4{lgPt?n#^<GT#&j{om5`|wE6bW}}
ze{Pav1oDZnak%Fz$PD1ZH8xBo#FnqUG6u>&7F4vbnnfSAlK1mwnRq2&gZrEr!b1MA
z(3%vAbh3aU-IX`d7b@q`-WiT6eitu}ZH9x#d&qx}?CtDuAXak%5<-P!{a`V=$|XmJ
zUn@4lX6#ulB@a=&-9HG)a>KkH=jE7>&S&N~0X0zD=Q=t|7w;kuh#cU=NN7gBGbQTT
z;?<kJaO{>bdSt8V&IIi}<ThZP?O{MP;s77svl-cIdCj)d-BZGJap1Ull?cz;BdUt4
zMAS0={#2iyI>sDTzA0dkU}Z-Qvg;RDe8v>468p3*&hbG<I%;HTx8<Z&Ih@Xrl%AO4
zEZ252P#-|8MJE+L5IXho^0!PtBR61%3tAJ8RP$~a8%~<+5(4Lyh@;kvSLVbDc4PRn
z?4(9&{Rpo>T1I3hi9hh~Z(!H}{+>eUyF)H&gdrX=k$aB%J6I<Mis<6rrEG;E4zw&M
zYsQ6$FFc_^cwkYGT9ds?4^G_w2+$2L@}W#bXUf0JW}7J?EgbIp`jFFailmTZXuEyM
z?LcqfTM!s>;6+^^kn1mL+E+?A!A}@xV(Qa@M%HD5C@+-4Mb4lI=Xp=@9+^x+jhtOc
zYgF2aVa(uSR*n(O)e6tf3JEg2xs#dJfhEmi1iOmDYWk|wXNHU?g23^IGKB&yHnsm7
zm_+;p?YpA#N*7vXCkeN2LTNG`{QDa#U3fcFz7SB)83=<8rF)|udrEbrZL$o6W?oDR
zQx!178Ih9B#D9Ko$H(jD{4MME&<|6%MPu|TfOc#E0B}!j^MMpV69D#h2`vsEQ{(?c
zJ3Lh!3&=yS5fWL~;1wCZ?)%nmK`Eqgcu)O6rD^3%ijcxL50^z?OI(LaVDvfL0#zjZ
z2?cPvC$QCzpxpt5jMFp05OxhK0F!Q<m=7hVYzR||ecS~Bi9y8}>`rPhDi5)y=-0C}
zIM~ku&S@pl1&0=jl+rlS<4`riV~LC-#pqNde@44MB(j%)On$0Ko(@q?4`1?4149Z_
zZi!5aU@2vM$dHR6WSZpj+VboK+>u-CbNi7*lw4K^ZxxM#24_Yc`<w`lM<_9<AjZra
zPf9|W$q@ib+eT6)aN(T>jvb9NPVi75L+MlM^U~`;a7`4H0L|TYK>%hfEfXLsu1JGM
zbh|8{wuc7ucV+`Ys1kqxsj`dajwyM;^X^`)#<+a~$WFy8b2t_RS{8yNYKKlnv+>vB
zX(QTf$kqrJ;%I@EwEs{cIcH@Z3|#^S@M+5jsP<^`@8^I4_8MlBb`~cE^n+{{;qW2q
z=p1=&+fUo%T{GhVX@;56kH8K_%?X=;$OTYqW1L*)hzelm^$*?_K;9JyIWhsn4SK(|
zSmXLTUE8VQX{se#8#Rj*lz`xHtT<61V~fb;WZUpu(M)f#<N`ZtP}(nwt@v*JXMv*g
zTjkPmLef!CJNB3?7*>;I+2_zR+)y5Jv?l`CxAinx|EY!`IJ*x9_gf_k&Gx2alL!hK
zUWj1T_pk|?iv}4EP#PZvYD_-LpzU!NfcL<ZIyO_4myXe0OU}<Cprr_|XIrM73FXg`
zNRt~K9+=_-Laa5&Rt6kJaobEvjFnh>L%fK&r$W8O1KH9c2&GV~N#T$kaXGvAOl)|T
zuF9%6(i=Y3q?X%VK-D2YIY<MPA*$`<$Z)_O$(a?^Bnjd_-qk6atAX5(s0D1W1}`G9
zl)%h^mai+5Kwy1+I$Zaauh0oNm3mQUQ=`8aEAo=0zrm72grj|c8&W!-^+^6zMgm-+
zSpJe{_P`h~;t1=21VLIQ5n~@Q5Y=~VMN|L<mJfGW44?>FPH3f|g$TrXW->&^Ab`WT
z7>Oo!u1u40?jAJ8H<j_H`^tLy@LZ5-N)dU$=t?bXuTI1>y`bv}qb<AzbCJ<X7c~}%
z50@S(*;X)_P8TrUWZGQQn`AI#Eve&0+FNaAqg<m^ZNYdEveME+t5Q5DV5-rT<{g7@
zG+rSFooLii=nDW~qWOU#YzUJee#V*XI!cGhpz&<{SF!$pIm@`rT3A99J?qG9DPU@z
z9jawkO0(cqfU^RIM<K3r*yl0SKgPT>gs8)cF0&qeVjD?e+3Ggn1Im>K77ZSpbU*08
zfZkIFcv?y)!*B{|>nx@cE{KoutP+seQU?bCGE`tS0GKUO3PN~t=2u7q_6$l;uw^4c
zVu^f{uaqsZ{*a-N?2B8ngrLS8<WR!m{e>E&s6}Xtv9rR9C^b`@q8*iH)pFz<!x=AK
zf6E-O(MiUN4a^nRWR%`TBl@CGu2cFmmpRkBUAPvyvw&qDg1_6Y)ycUoITv4yV(Mk5
z=Dtmg6tsakVjdG2BV~=LD3YcTEr=j6ou|^*Qem;+#vOz?`MQ>f1|kCfiLw6u{Z%aC
z!X^5CzF6qofFJgkl<Rtc72CagCpKF^gmhb1CH>JV3oc|Qc2XdFl+y5M9*P8}A>Kh{
zWRgRwMSZ(?Jw;m%0etU5BsWT-Dj-5F;Q$OQJrQd+lv`i6>MhVo^p*^w6{~=fhe|bN
z*37oV0kji)4an^%3ABbg5RC;CS50@PV5_hKfXjYx+(DqQdKC^JIEMo6X66$qDdLRc
z!YJPSKnbY`#Ht6`g@xGzJmKzz<St<)P9XB^ZWQT2VtTE^8HdQx8o;%`J{lUpkn0!&
z^d*IdfCW?sDnD#zV!vee5Xd}&#I@u4z;`)LVXVayyf`~NUMeM>n|abYbP+_Q(v?~~
z96%cd{E0BCsH^0HaWt{y(Cuto4VE7jhB1Z??#UaU(*R&Eo+J`UN+8mcb51F|I|n*J
zJCZ3R*OdyeS9hWkc_mA7-br>3Tw=CX2bl(=TpVt#WP8Bg^vE_9bP&6ccAf3lFMgr`
z{3=h@?Ftb$RTe&@IQtiJf<Z$(x)W;Yibdk0Eou)O=h)|ox2XJhbM7gDjm$)%o0c)W
z!;CM_%5jr$Dk{vl7{DX~*^!MCEDILf;SGbcLK^kRyl}+&4r>V;O&4fzh)e1>7seG;
z=%mA4@c7{aXeJnhEg2J@Bm;=)j=O=cl#^NNkQ<{r;Bm|8Hg}bJ-S^g4`|itx)~!LN
zXtL}?f1Hs6UQ+f0-X6&TBCW=A4>bU0{rv8C4T!(wD-h>VCK4YJk`6C9$by!fxOYw-
zV#n+0{E(0ttq<e;u-JNg<=7mR)Baf(#XbsMPDR?mv12UXo+AuGM*TW4&Dbw3MHmyv
zzQ)3g$Jc}F5k_3<jP&G5r+akl<UzYyi9?xB4hK@h8+B`?3~Bn5^eKgTbZcatPPir(
zn|7xaL9v;L3{V1l&DQSp%TOnp^O8OS$m-yD0^r7mU@qJQ<RvUSI@G_}IuDMi8mq0p
z?O{gor*9fmQL7Mrb|ducn%AQOk@nhAYv{%&-E+j$)7Bpd*!L2Cg%7pf&3ZLxA5Fwj
z%8~}*Sw2G<h3E&$jhO(1=)P&U%mN)4Rk5JcPDUdUN*FM8j0Mg^@Z|6~Ym*2e3TCV6
z?5B1NxqE*aMe#2m&+Fz%OG!n`J`B2Ww|QiS6U=1^3d+6`ls$U%hB`nu)=J>_#16B}
ze8$E#X9o{B!0vbq#WUwmv5Xz6{(!^~+}sBW{xctdNHL4^vDk!0E}(g|W_q;jR|ZK<
z8w>H-8G{%R#%f!E7cO_^B?yFRKLOH)RT9GJsb+kAKq~}WIF)NRLwKZ^Q;>!2MNa|}
z-mh?=B;*&D{Nd-mQRcfVnHkChI=DRHU4ga%xJ%+QkBd|-d9uRI76@BT(bjsjwS+r)
zvx=lGNLv1?SzZ;P)Gnn>04fO7Culg*?LmbEF0fATG8S@)oJ>NT3pYAXa*vX!eUTDF
ziBrp(QyDqr0ZMTr?4uG_Nqs6f%S0g?h`1vO5fo=5S&u#wI2d4+3hWiolEU!=3_oFo
zfie<EEFWI+<HRR}kMBRY{{xT?Ubu+n1E+3-XyZ@DlC1|CziB+t8LH;pSr1_{$txb2
z{LD6Cutu@sVLZ$sgxfHzi88%ifnz%FWxPwItQ=UFSeRQ?XX#H8uXPtSY1Da8V^-Nz
zx}G&3QUOW&pFuYAPt>?+4W#`;1dd#X@g9Yj<53S<6OB!TM8w8})7k-$&q5(smc%;r
z(BlXkTp`C47+%4JA{2X}MIaPbVF!35P#p;u7+fR*46{T+LR8+<Ms(<(ewo92Plp}^
z0K5%%0PpyoHDM$82Vjt^Jp>j25oduCfDzDv6R-hU{TVVo9fz?^N3ShMt!t0NsH)pB
zRK8-S{Dn*y3b|k^*?_B70<2gHt==l7c&cT>r`C#{S}J2;s#d{M)ncW(#Y$C*lByLQ
z&?+{dR7*gpdT~(1;<m}fXp@S^XBCFbD&Le<rzooSQB^d8r#S^ok_xS36-~w}kc?Ej
z7^zYrQY=EF$c06)iin^U556ixd{lb)^l<R>M(FfF==3z`^eW)=5a9RqvF-)2?S-(G
zhS;p(u~_qBum*q}On@$#08}ynd0+spzyVco0%G6;<-i5&016cV5UKzhQ~)fX03|>L
z8ej+HzzgVr6_5ZUpa4HW0Ca!=r1%*}Oo;2no&Zz8DfR)L!@r<<lmB!F&$32&71xdc
zAQ}KMGyqI!0F2N8;eY{y00CwIf0+QV$OUD<C@ujha0p9)KwJUh;0%`lShxaZKm`>5
z2viSZpmvo5XqXyAz{Ms7`7kX>fnr1gi4X~7KpznRT0{Xc5Cfz@43PjBMBoH@z_{~(
z(Wd}IPJ9hH+%)Fc)0!hrV+(A;76rhtI|YHbEDeERV~Ya>SQg^IvlazFkSK(KG9&{q
zkPIR~EeQaaBmwA<20}m<i2yt#0ML*D!NB+q2RLvyLxH9o41nNb1p??O7J)#e3I!NY
z1wlX)g#bnj0Jty$0KoMI0Cb7`0i50h9gE~g7Om;jPg0kO>BO?)N$(z1@p)5?%}rM|
zGF()~Z&Kx@OIDRI$d0T8;JX@vj3^2%pd_+@l9~a4lntZ;AvUIjqIZbuNTR6@hNJoV
zk4F;ut)LN4ARuyn2M6F~eg-e#UH%2P;8uPGFW^vq1vj8mdIayFOZo(tphk8C7hpT~
z1Fv8?b_LNR3QD9J+!v=p%}#<WkmT3SAH~zHvL~<r009F5U;qFWp(o;x5Q1O?TufB{
c@Yw=E7;q9obAc&xg(1}n;wTCO(gbOOU|30r`2YX_

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.svg b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.svg
new file mode 100644
index 0000000000..94fb5490a2
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.svg
@@ -0,0 +1,288 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
+<svg xmlns="http://www.w3.org/2000/svg">
+<metadata></metadata>
+<defs>
+<font id="glyphicons_halflingsregular" horiz-adv-x="1200" >
+<font-face units-per-em="1200" ascent="960" descent="-240" />
+<missing-glyph horiz-adv-x="500" />
+<glyph horiz-adv-x="0" />
+<glyph horiz-adv-x="400" />
+<glyph unicode=" " />
+<glyph unicode="*" d="M600 1100q15 0 34 -1.5t30 -3.5l11 -1q10 -2 17.5 -10.5t7.5 -18.5v-224l158 158q7 7 18 8t19 -6l106 -106q7 -8 6 -19t-8 -18l-158 -158h224q10 0 18.5 -7.5t10.5 -17.5q6 -41 6 -75q0 -15 -1.5 -34t-3.5 -30l-1 -11q-2 -10 -10.5 -17.5t-18.5 -7.5h-224l158 -158 q7 -7 8 -18t-6 -19l-106 -106q-8 -7 -19 -6t-18 8l-158 158v-224q0 -10 -7.5 -18.5t-17.5 -10.5q-41 -6 -75 -6q-15 0 -34 1.5t-30 3.5l-11 1q-10 2 -17.5 10.5t-7.5 18.5v224l-158 -158q-7 -7 -18 -8t-19 6l-106 106q-7 8 -6 19t8 18l158 158h-224q-10 0 -18.5 7.5 t-10.5 17.5q-6 41 -6 75q0 15 1.5 34t3.5 30l1 11q2 10 10.5 17.5t18.5 7.5h224l-158 158q-7 7 -8 18t6 19l106 106q8 7 19 6t18 -8l158 -158v224q0 10 7.5 18.5t17.5 10.5q41 6 75 6z" />
+<glyph unicode="+" d="M450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-350h350q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-350v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v350h-350q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5 h350v350q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xa0;" />
+<glyph unicode="&#xa5;" d="M825 1100h250q10 0 12.5 -5t-5.5 -13l-364 -364q-6 -6 -11 -18h268q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-100h275q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-174q0 -11 -7.5 -18.5t-18.5 -7.5h-148q-11 0 -18.5 7.5t-7.5 18.5v174 h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h125v100h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h118q-5 12 -11 18l-364 364q-8 8 -5.5 13t12.5 5h250q25 0 43 -18l164 -164q8 -8 18 -8t18 8l164 164q18 18 43 18z" />
+<glyph unicode="&#x2000;" horiz-adv-x="650" />
+<glyph unicode="&#x2001;" horiz-adv-x="1300" />
+<glyph unicode="&#x2002;" horiz-adv-x="650" />
+<glyph unicode="&#x2003;" horiz-adv-x="1300" />
+<glyph unicode="&#x2004;" horiz-adv-x="433" />
+<glyph unicode="&#x2005;" horiz-adv-x="325" />
+<glyph unicode="&#x2006;" horiz-adv-x="216" />
+<glyph unicode="&#x2007;" horiz-adv-x="216" />
+<glyph unicode="&#x2008;" horiz-adv-x="162" />
+<glyph unicode="&#x2009;" horiz-adv-x="260" />
+<glyph unicode="&#x200a;" horiz-adv-x="72" />
+<glyph unicode="&#x202f;" horiz-adv-x="260" />
+<glyph unicode="&#x205f;" horiz-adv-x="325" />
+<glyph unicode="&#x20ac;" d="M744 1198q242 0 354 -189q60 -104 66 -209h-181q0 45 -17.5 82.5t-43.5 61.5t-58 40.5t-60.5 24t-51.5 7.5q-19 0 -40.5 -5.5t-49.5 -20.5t-53 -38t-49 -62.5t-39 -89.5h379l-100 -100h-300q-6 -50 -6 -100h406l-100 -100h-300q9 -74 33 -132t52.5 -91t61.5 -54.5t59 -29 t47 -7.5q22 0 50.5 7.5t60.5 24.5t58 41t43.5 61t17.5 80h174q-30 -171 -128 -278q-107 -117 -274 -117q-206 0 -324 158q-36 48 -69 133t-45 204h-217l100 100h112q1 47 6 100h-218l100 100h134q20 87 51 153.5t62 103.5q117 141 297 141z" />
+<glyph unicode="&#x20bd;" d="M428 1200h350q67 0 120 -13t86 -31t57 -49.5t35 -56.5t17 -64.5t6.5 -60.5t0.5 -57v-16.5v-16.5q0 -36 -0.5 -57t-6.5 -61t-17 -65t-35 -57t-57 -50.5t-86 -31.5t-120 -13h-178l-2 -100h288q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-138v-175q0 -11 -5.5 -18 t-15.5 -7h-149q-10 0 -17.5 7.5t-7.5 17.5v175h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v100h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v475q0 10 7.5 17.5t17.5 7.5zM600 1000v-300h203q64 0 86.5 33t22.5 119q0 84 -22.5 116t-86.5 32h-203z" />
+<glyph unicode="&#x2212;" d="M250 700h800q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#x231b;" d="M1000 1200v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-50v-100q0 -91 -49.5 -165.5t-130.5 -109.5q81 -35 130.5 -109.5t49.5 -165.5v-150h50q21 0 35.5 -14.5t14.5 -35.5v-150h-800v150q0 21 14.5 35.5t35.5 14.5h50v150q0 91 49.5 165.5t130.5 109.5q-81 35 -130.5 109.5 t-49.5 165.5v100h-50q-21 0 -35.5 14.5t-14.5 35.5v150h800zM400 1000v-100q0 -60 32.5 -109.5t87.5 -73.5q28 -12 44 -37t16 -55t-16 -55t-44 -37q-55 -24 -87.5 -73.5t-32.5 -109.5v-150h400v150q0 60 -32.5 109.5t-87.5 73.5q-28 12 -44 37t-16 55t16 55t44 37 q55 24 87.5 73.5t32.5 109.5v100h-400z" />
+<glyph unicode="&#x25fc;" horiz-adv-x="500" d="M0 0z" />
+<glyph unicode="&#x2601;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -206.5q0 -121 -85 -207.5t-205 -86.5h-750q-79 0 -135.5 57t-56.5 137q0 69 42.5 122.5t108.5 67.5q-2 12 -2 37q0 153 108 260.5t260 107.5z" />
+<glyph unicode="&#x26fa;" d="M774 1193.5q16 -9.5 20.5 -27t-5.5 -33.5l-136 -187l467 -746h30q20 0 35 -18.5t15 -39.5v-42h-1200v42q0 21 15 39.5t35 18.5h30l468 746l-135 183q-10 16 -5.5 34t20.5 28t34 5.5t28 -20.5l111 -148l112 150q9 16 27 20.5t34 -5zM600 200h377l-182 112l-195 534v-646z " />
+<glyph unicode="&#x2709;" d="M25 1100h1150q10 0 12.5 -5t-5.5 -13l-564 -567q-8 -8 -18 -8t-18 8l-564 567q-8 8 -5.5 13t12.5 5zM18 882l264 -264q8 -8 8 -18t-8 -18l-264 -264q-8 -8 -13 -5.5t-5 12.5v550q0 10 5 12.5t13 -5.5zM918 618l264 264q8 8 13 5.5t5 -12.5v-550q0 -10 -5 -12.5t-13 5.5 l-264 264q-8 8 -8 18t8 18zM818 482l364 -364q8 -8 5.5 -13t-12.5 -5h-1150q-10 0 -12.5 5t5.5 13l364 364q8 8 18 8t18 -8l164 -164q8 -8 18 -8t18 8l164 164q8 8 18 8t18 -8z" />
+<glyph unicode="&#x270f;" d="M1011 1210q19 0 33 -13l153 -153q13 -14 13 -33t-13 -33l-99 -92l-214 214l95 96q13 14 32 14zM1013 800l-615 -614l-214 214l614 614zM317 96l-333 -112l110 335z" />
+<glyph unicode="&#xe001;" d="M700 650v-550h250q21 0 35.5 -14.5t14.5 -35.5v-50h-800v50q0 21 14.5 35.5t35.5 14.5h250v550l-500 550h1200z" />
+<glyph unicode="&#xe002;" d="M368 1017l645 163q39 15 63 0t24 -49v-831q0 -55 -41.5 -95.5t-111.5 -63.5q-79 -25 -147 -4.5t-86 75t25.5 111.5t122.5 82q72 24 138 8v521l-600 -155v-606q0 -42 -44 -90t-109 -69q-79 -26 -147 -5.5t-86 75.5t25.5 111.5t122.5 82.5q72 24 138 7v639q0 38 14.5 59 t53.5 34z" />
+<glyph unicode="&#xe003;" d="M500 1191q100 0 191 -39t156.5 -104.5t104.5 -156.5t39 -191l-1 -2l1 -5q0 -141 -78 -262l275 -274q23 -26 22.5 -44.5t-22.5 -42.5l-59 -58q-26 -20 -46.5 -20t-39.5 20l-275 274q-119 -77 -261 -77l-5 1l-2 -1q-100 0 -191 39t-156.5 104.5t-104.5 156.5t-39 191 t39 191t104.5 156.5t156.5 104.5t191 39zM500 1022q-88 0 -162 -43t-117 -117t-43 -162t43 -162t117 -117t162 -43t162 43t117 117t43 162t-43 162t-117 117t-162 43z" />
+<glyph unicode="&#xe005;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104z" />
+<glyph unicode="&#xe006;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429z" />
+<glyph unicode="&#xe007;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429zM477 700h-240l197 -142l-74 -226 l193 139l195 -140l-74 229l192 140h-234l-78 211z" />
+<glyph unicode="&#xe008;" d="M600 1200q124 0 212 -88t88 -212v-250q0 -46 -31 -98t-69 -52v-75q0 -10 6 -21.5t15 -17.5l358 -230q9 -5 15 -16.5t6 -21.5v-93q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v93q0 10 6 21.5t15 16.5l358 230q9 6 15 17.5t6 21.5v75q-38 0 -69 52 t-31 98v250q0 124 88 212t212 88z" />
+<glyph unicode="&#xe009;" d="M25 1100h1150q10 0 17.5 -7.5t7.5 -17.5v-1050q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v1050q0 10 7.5 17.5t17.5 7.5zM100 1000v-100h100v100h-100zM875 1000h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5t17.5 -7.5h550 q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM1000 1000v-100h100v100h-100zM100 800v-100h100v100h-100zM1000 800v-100h100v100h-100zM100 600v-100h100v100h-100zM1000 600v-100h100v100h-100zM875 500h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5 t17.5 -7.5h550q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM100 400v-100h100v100h-100zM1000 400v-100h100v100h-100zM100 200v-100h100v100h-100zM1000 200v-100h100v100h-100z" />
+<glyph unicode="&#xe010;" d="M50 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM50 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe011;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM850 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 700h200q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h200 q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5 t35.5 14.5z" />
+<glyph unicode="&#xe012;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h700q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe013;" d="M465 477l571 571q8 8 18 8t17 -8l177 -177q8 -7 8 -17t-8 -18l-783 -784q-7 -8 -17.5 -8t-17.5 8l-384 384q-8 8 -8 18t8 17l177 177q7 8 17 8t18 -8l171 -171q7 -7 18 -7t18 7z" />
+<glyph unicode="&#xe014;" d="M904 1083l178 -179q8 -8 8 -18.5t-8 -17.5l-267 -268l267 -268q8 -7 8 -17.5t-8 -18.5l-178 -178q-8 -8 -18.5 -8t-17.5 8l-268 267l-268 -267q-7 -8 -17.5 -8t-18.5 8l-178 178q-8 8 -8 18.5t8 17.5l267 268l-267 268q-8 7 -8 17.5t8 18.5l178 178q8 8 18.5 8t17.5 -8 l268 -267l268 268q7 7 17.5 7t18.5 -7z" />
+<glyph unicode="&#xe015;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM425 900h150q10 0 17.5 -7.5t7.5 -17.5v-75h75q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5 t-17.5 -7.5h-75v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-75q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v75q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe016;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM325 800h350q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-350q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe017;" d="M550 1200h100q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM800 975v166q167 -62 272 -209.5t105 -331.5q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5 t-184.5 123t-123 184.5t-45.5 224q0 184 105 331.5t272 209.5v-166q-103 -55 -165 -155t-62 -220q0 -116 57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5q0 120 -62 220t-165 155z" />
+<glyph unicode="&#xe018;" d="M1025 1200h150q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM725 800h150q10 0 17.5 -7.5t7.5 -17.5v-750q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v750 q0 10 7.5 17.5t17.5 7.5zM425 500h150q10 0 17.5 -7.5t7.5 -17.5v-450q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v450q0 10 7.5 17.5t17.5 7.5zM125 300h150q10 0 17.5 -7.5t7.5 -17.5v-250q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5 v250q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe019;" d="M600 1174q33 0 74 -5l38 -152l5 -1q49 -14 94 -39l5 -2l134 80q61 -48 104 -105l-80 -134l3 -5q25 -44 39 -93l1 -6l152 -38q5 -43 5 -73q0 -34 -5 -74l-152 -38l-1 -6q-15 -49 -39 -93l-3 -5l80 -134q-48 -61 -104 -105l-134 81l-5 -3q-44 -25 -94 -39l-5 -2l-38 -151 q-43 -5 -74 -5q-33 0 -74 5l-38 151l-5 2q-49 14 -94 39l-5 3l-134 -81q-60 48 -104 105l80 134l-3 5q-25 45 -38 93l-2 6l-151 38q-6 42 -6 74q0 33 6 73l151 38l2 6q13 48 38 93l3 5l-80 134q47 61 105 105l133 -80l5 2q45 25 94 39l5 1l38 152q43 5 74 5zM600 815 q-89 0 -152 -63t-63 -151.5t63 -151.5t152 -63t152 63t63 151.5t-63 151.5t-152 63z" />
+<glyph unicode="&#xe020;" d="M500 1300h300q41 0 70.5 -29.5t29.5 -70.5v-100h275q10 0 17.5 -7.5t7.5 -17.5v-75h-1100v75q0 10 7.5 17.5t17.5 7.5h275v100q0 41 29.5 70.5t70.5 29.5zM500 1200v-100h300v100h-300zM1100 900v-800q0 -41 -29.5 -70.5t-70.5 -29.5h-700q-41 0 -70.5 29.5t-29.5 70.5 v800h900zM300 800v-700h100v700h-100zM500 800v-700h100v700h-100zM700 800v-700h100v700h-100zM900 800v-700h100v700h-100z" />
+<glyph unicode="&#xe021;" d="M18 618l620 608q8 7 18.5 7t17.5 -7l608 -608q8 -8 5.5 -13t-12.5 -5h-175v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v375h-300v-375q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v575h-175q-10 0 -12.5 5t5.5 13z" />
+<glyph unicode="&#xe022;" d="M600 1200v-400q0 -41 29.5 -70.5t70.5 -29.5h300v-650q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5h450zM1000 800h-250q-21 0 -35.5 14.5t-14.5 35.5v250z" />
+<glyph unicode="&#xe023;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h50q10 0 17.5 -7.5t7.5 -17.5v-275h175q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe024;" d="M1300 0h-538l-41 400h-242l-41 -400h-538l431 1200h209l-21 -300h162l-20 300h208zM515 800l-27 -300h224l-27 300h-170z" />
+<glyph unicode="&#xe025;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-450h191q20 0 25.5 -11.5t-7.5 -27.5l-327 -400q-13 -16 -32 -16t-32 16l-327 400q-13 16 -7.5 27.5t25.5 11.5h191v450q0 21 14.5 35.5t35.5 14.5zM1125 400h50q10 0 17.5 -7.5t7.5 -17.5v-350q0 -10 -7.5 -17.5t-17.5 -7.5 h-1050q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h50q10 0 17.5 -7.5t7.5 -17.5v-175h900v175q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe026;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -275q-13 -16 -32 -16t-32 16l-223 275q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z " />
+<glyph unicode="&#xe027;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM632 914l223 -275q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5l223 275q13 16 32 16 t32 -16z" />
+<glyph unicode="&#xe028;" d="M225 1200h750q10 0 19.5 -7t12.5 -17l186 -652q7 -24 7 -49v-425q0 -12 -4 -27t-9 -17q-12 -6 -37 -6h-1100q-12 0 -27 4t-17 8q-6 13 -6 38l1 425q0 25 7 49l185 652q3 10 12.5 17t19.5 7zM878 1000h-556q-10 0 -19 -7t-11 -18l-87 -450q-2 -11 4 -18t16 -7h150 q10 0 19.5 -7t11.5 -17l38 -152q2 -10 11.5 -17t19.5 -7h250q10 0 19.5 7t11.5 17l38 152q2 10 11.5 17t19.5 7h150q10 0 16 7t4 18l-87 450q-2 11 -11 18t-19 7z" />
+<glyph unicode="&#xe029;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM540 820l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
+<glyph unicode="&#xe030;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-362q0 -10 -7.5 -17.5t-17.5 -7.5h-362q-11 0 -13 5.5t5 12.5l133 133q-109 76 -238 76q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5h150q0 -117 -45.5 -224 t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117z" />
+<glyph unicode="&#xe031;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-361q0 -11 -7.5 -18.5t-18.5 -7.5h-361q-11 0 -13 5.5t5 12.5l134 134q-110 75 -239 75q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5h-150q0 117 45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117zM1027 600h150 q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5q-192 0 -348 118l-134 -134q-7 -8 -12.5 -5.5t-5.5 12.5v360q0 11 7.5 18.5t18.5 7.5h360q10 0 12.5 -5.5t-5.5 -12.5l-133 -133q110 -76 240 -76q116 0 214.5 57t155.5 155.5t57 214.5z" />
+<glyph unicode="&#xe032;" d="M125 1200h1050q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-1050q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM1075 1000h-850q-10 0 -17.5 -7.5t-7.5 -17.5v-850q0 -10 7.5 -17.5t17.5 -7.5h850q10 0 17.5 7.5t7.5 17.5v850 q0 10 -7.5 17.5t-17.5 7.5zM325 900h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 900h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 700h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 700h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 500h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 500h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 300h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 300h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe033;" d="M900 800v200q0 83 -58.5 141.5t-141.5 58.5h-300q-82 0 -141 -59t-59 -141v-200h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h900q41 0 70.5 29.5t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5h-100zM400 800v150q0 21 15 35.5t35 14.5h200 q20 0 35 -14.5t15 -35.5v-150h-300z" />
+<glyph unicode="&#xe034;" d="M125 1100h50q10 0 17.5 -7.5t7.5 -17.5v-1075h-100v1075q0 10 7.5 17.5t17.5 7.5zM1075 1052q4 0 9 -2q16 -6 16 -23v-421q0 -6 -3 -12q-33 -59 -66.5 -99t-65.5 -58t-56.5 -24.5t-52.5 -6.5q-26 0 -57.5 6.5t-52.5 13.5t-60 21q-41 15 -63 22.5t-57.5 15t-65.5 7.5 q-85 0 -160 -57q-7 -5 -15 -5q-6 0 -11 3q-14 7 -14 22v438q22 55 82 98.5t119 46.5q23 2 43 0.5t43 -7t32.5 -8.5t38 -13t32.5 -11q41 -14 63.5 -21t57 -14t63.5 -7q103 0 183 87q7 8 18 8z" />
+<glyph unicode="&#xe035;" d="M600 1175q116 0 227 -49.5t192.5 -131t131 -192.5t49.5 -227v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v300q0 127 -70.5 231.5t-184.5 161.5t-245 57t-245 -57t-184.5 -161.5t-70.5 -231.5v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50 q-10 0 -17.5 7.5t-7.5 17.5v300q0 116 49.5 227t131 192.5t192.5 131t227 49.5zM220 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460q0 8 6 14t14 6zM820 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460 q0 8 6 14t14 6z" />
+<glyph unicode="&#xe036;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM900 668l120 120q7 7 17 7t17 -7l34 -34q7 -7 7 -17t-7 -17l-120 -120l120 -120q7 -7 7 -17 t-7 -17l-34 -34q-7 -7 -17 -7t-17 7l-120 119l-120 -119q-7 -7 -17 -7t-17 7l-34 34q-7 7 -7 17t7 17l119 120l-119 120q-7 7 -7 17t7 17l34 34q7 8 17 8t17 -8z" />
+<glyph unicode="&#xe037;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6 l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238q-6 8 -4.5 18t9.5 17l29 22q7 5 15 5z" />
+<glyph unicode="&#xe038;" d="M967 1004h3q11 -1 17 -10q135 -179 135 -396q0 -105 -34 -206.5t-98 -185.5q-7 -9 -17 -10h-3q-9 0 -16 6l-42 34q-8 6 -9 16t5 18q111 150 111 328q0 90 -29.5 176t-84.5 157q-6 9 -5 19t10 16l42 33q7 5 15 5zM321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5 t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238 q-6 8 -4.5 18.5t9.5 16.5l29 22q7 5 15 5z" />
+<glyph unicode="&#xe039;" d="M500 900h100v-100h-100v-100h-400v-100h-100v600h500v-300zM1200 700h-200v-100h200v-200h-300v300h-200v300h-100v200h600v-500zM100 1100v-300h300v300h-300zM800 1100v-300h300v300h-300zM300 900h-100v100h100v-100zM1000 900h-100v100h100v-100zM300 500h200v-500 h-500v500h200v100h100v-100zM800 300h200v-100h-100v-100h-200v100h-100v100h100v200h-200v100h300v-300zM100 400v-300h300v300h-300zM300 200h-100v100h100v-100zM1200 200h-100v100h100v-100zM700 0h-100v100h100v-100zM1200 0h-300v100h300v-100z" />
+<glyph unicode="&#xe040;" d="M100 200h-100v1000h100v-1000zM300 200h-100v1000h100v-1000zM700 200h-200v1000h200v-1000zM900 200h-100v1000h100v-1000zM1200 200h-200v1000h200v-1000zM400 0h-300v100h300v-100zM600 0h-100v91h100v-91zM800 0h-100v91h100v-91zM1100 0h-200v91h200v-91z" />
+<glyph unicode="&#xe041;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
+<glyph unicode="&#xe042;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM800 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-56 56l424 426l-700 700h150zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5 t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
+<glyph unicode="&#xe043;" d="M300 1200h825q75 0 75 -75v-900q0 -25 -18 -43l-64 -64q-8 -8 -13 -5.5t-5 12.5v950q0 10 -7.5 17.5t-17.5 7.5h-700q-25 0 -43 -18l-64 -64q-8 -8 -5.5 -13t12.5 -5h700q10 0 17.5 -7.5t7.5 -17.5v-950q0 -10 -7.5 -17.5t-17.5 -7.5h-850q-10 0 -17.5 7.5t-7.5 17.5v975 q0 25 18 43l139 139q18 18 43 18z" />
+<glyph unicode="&#xe044;" d="M250 1200h800q21 0 35.5 -14.5t14.5 -35.5v-1150l-450 444l-450 -445v1151q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe045;" d="M822 1200h-444q-11 0 -19 -7.5t-9 -17.5l-78 -301q-7 -24 7 -45l57 -108q6 -9 17.5 -15t21.5 -6h450q10 0 21.5 6t17.5 15l62 108q14 21 7 45l-83 301q-1 10 -9 17.5t-19 7.5zM1175 800h-150q-10 0 -21 -6.5t-15 -15.5l-78 -156q-4 -9 -15 -15.5t-21 -6.5h-550 q-10 0 -21 6.5t-15 15.5l-78 156q-4 9 -15 15.5t-21 6.5h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-650q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h750q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5 t7.5 17.5v650q0 10 -7.5 17.5t-17.5 7.5zM850 200h-500q-10 0 -19.5 -7t-11.5 -17l-38 -152q-2 -10 3.5 -17t15.5 -7h600q10 0 15.5 7t3.5 17l-38 152q-2 10 -11.5 17t-19.5 7z" />
+<glyph unicode="&#xe046;" d="M500 1100h200q56 0 102.5 -20.5t72.5 -50t44 -59t25 -50.5l6 -20h150q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5h150q2 8 6.5 21.5t24 48t45 61t72 48t102.5 21.5zM900 800v-100 h100v100h-100zM600 730q-95 0 -162.5 -67.5t-67.5 -162.5t67.5 -162.5t162.5 -67.5t162.5 67.5t67.5 162.5t-67.5 162.5t-162.5 67.5zM600 603q43 0 73 -30t30 -73t-30 -73t-73 -30t-73 30t-30 73t30 73t73 30z" />
+<glyph unicode="&#xe047;" d="M681 1199l385 -998q20 -50 60 -92q18 -19 36.5 -29.5t27.5 -11.5l10 -2v-66h-417v66q53 0 75 43.5t5 88.5l-82 222h-391q-58 -145 -92 -234q-11 -34 -6.5 -57t25.5 -37t46 -20t55 -6v-66h-365v66q56 24 84 52q12 12 25 30.5t20 31.5l7 13l399 1006h93zM416 521h340 l-162 457z" />
+<glyph unicode="&#xe048;" d="M753 641q5 -1 14.5 -4.5t36 -15.5t50.5 -26.5t53.5 -40t50.5 -54.5t35.5 -70t14.5 -87q0 -67 -27.5 -125.5t-71.5 -97.5t-98.5 -66.5t-108.5 -40.5t-102 -13h-500v89q41 7 70.5 32.5t29.5 65.5v827q0 24 -0.5 34t-3.5 24t-8.5 19.5t-17 13.5t-28 12.5t-42.5 11.5v71 l471 -1q57 0 115.5 -20.5t108 -57t80.5 -94t31 -124.5q0 -51 -15.5 -96.5t-38 -74.5t-45 -50.5t-38.5 -30.5zM400 700h139q78 0 130.5 48.5t52.5 122.5q0 41 -8.5 70.5t-29.5 55.5t-62.5 39.5t-103.5 13.5h-118v-350zM400 200h216q80 0 121 50.5t41 130.5q0 90 -62.5 154.5 t-156.5 64.5h-159v-400z" />
+<glyph unicode="&#xe049;" d="M877 1200l2 -57q-83 -19 -116 -45.5t-40 -66.5l-132 -839q-9 -49 13 -69t96 -26v-97h-500v97q186 16 200 98l173 832q3 17 3 30t-1.5 22.5t-9 17.5t-13.5 12.5t-21.5 10t-26 8.5t-33.5 10q-13 3 -19 5v57h425z" />
+<glyph unicode="&#xe050;" d="M1300 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM175 1000h-75v-800h75l-125 -167l-125 167h75v800h-75l125 167z" />
+<glyph unicode="&#xe051;" d="M1100 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-650q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v650h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM1167 50l-167 -125v75h-800v-75l-167 125l167 125v-75h800v75z" />
+<glyph unicode="&#xe052;" d="M50 1100h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe053;" d="M250 1100h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM250 500h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe054;" d="M500 950v100q0 21 14.5 35.5t35.5 14.5h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5zM100 650v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000 q-21 0 -35.5 14.5t-14.5 35.5zM300 350v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5zM0 50v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5z" />
+<glyph unicode="&#xe055;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe056;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 1100h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 800h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 500h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 500h800q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 200h800 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe057;" d="M400 0h-100v1100h100v-1100zM550 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM267 550l-167 -125v75h-200v100h200v75zM550 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe058;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM900 0h-100v1100h100v-1100zM50 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM1100 600h200v-100h-200v-75l-167 125l167 125v-75zM50 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe059;" d="M75 1000h750q31 0 53 -22t22 -53v-650q0 -31 -22 -53t-53 -22h-750q-31 0 -53 22t-22 53v650q0 31 22 53t53 22zM1200 300l-300 300l300 300v-600z" />
+<glyph unicode="&#xe060;" d="M44 1100h1112q18 0 31 -13t13 -31v-1012q0 -18 -13 -31t-31 -13h-1112q-18 0 -31 13t-13 31v1012q0 18 13 31t31 13zM100 1000v-737l247 182l298 -131l-74 156l293 318l236 -288v500h-1000zM342 884q56 0 95 -39t39 -94.5t-39 -95t-95 -39.5t-95 39.5t-39 95t39 94.5 t95 39z" />
+<glyph unicode="&#xe062;" d="M648 1169q117 0 216 -60t156.5 -161t57.5 -218q0 -115 -70 -258q-69 -109 -158 -225.5t-143 -179.5l-54 -62q-9 8 -25.5 24.5t-63.5 67.5t-91 103t-98.5 128t-95.5 148q-60 132 -60 249q0 88 34 169.5t91.5 142t137 96.5t166.5 36zM652.5 974q-91.5 0 -156.5 -65 t-65 -157t65 -156.5t156.5 -64.5t156.5 64.5t65 156.5t-65 157t-156.5 65z" />
+<glyph unicode="&#xe063;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 173v854q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57z" />
+<glyph unicode="&#xe064;" d="M554 1295q21 -72 57.5 -143.5t76 -130t83 -118t82.5 -117t70 -116t49.5 -126t18.5 -136.5q0 -71 -25.5 -135t-68.5 -111t-99 -82t-118.5 -54t-125.5 -23q-84 5 -161.5 34t-139.5 78.5t-99 125t-37 164.5q0 69 18 136.5t49.5 126.5t69.5 116.5t81.5 117.5t83.5 119 t76.5 131t58.5 143zM344 710q-23 -33 -43.5 -70.5t-40.5 -102.5t-17 -123q1 -37 14.5 -69.5t30 -52t41 -37t38.5 -24.5t33 -15q21 -7 32 -1t13 22l6 34q2 10 -2.5 22t-13.5 19q-5 4 -14 12t-29.5 40.5t-32.5 73.5q-26 89 6 271q2 11 -6 11q-8 1 -15 -10z" />
+<glyph unicode="&#xe065;" d="M1000 1013l108 115q2 1 5 2t13 2t20.5 -1t25 -9.5t28.5 -21.5q22 -22 27 -43t0 -32l-6 -10l-108 -115zM350 1100h400q50 0 105 -13l-187 -187h-368q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v182l200 200v-332 q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM1009 803l-362 -362l-161 -50l55 170l355 355z" />
+<glyph unicode="&#xe066;" d="M350 1100h361q-164 -146 -216 -200h-195q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5l200 153v-103q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M824 1073l339 -301q8 -7 8 -17.5t-8 -17.5l-340 -306q-7 -6 -12.5 -4t-6.5 11v203q-26 1 -54.5 0t-78.5 -7.5t-92 -17.5t-86 -35t-70 -57q10 59 33 108t51.5 81.5t65 58.5t68.5 40.5t67 24.5t56 13.5t40 4.5v210q1 10 6.5 12.5t13.5 -4.5z" />
+<glyph unicode="&#xe067;" d="M350 1100h350q60 0 127 -23l-178 -177h-349q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v69l200 200v-219q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M643 639l395 395q7 7 17.5 7t17.5 -7l101 -101q7 -7 7 -17.5t-7 -17.5l-531 -532q-7 -7 -17.5 -7t-17.5 7l-248 248q-7 7 -7 17.5t7 17.5l101 101q7 7 17.5 7t17.5 -7l111 -111q8 -7 18 -7t18 7z" />
+<glyph unicode="&#xe068;" d="M318 918l264 264q8 8 18 8t18 -8l260 -264q7 -8 4.5 -13t-12.5 -5h-170v-200h200v173q0 10 5 12t13 -5l264 -260q8 -7 8 -17.5t-8 -17.5l-264 -265q-8 -7 -13 -5t-5 12v173h-200v-200h170q10 0 12.5 -5t-4.5 -13l-260 -264q-8 -8 -18 -8t-18 8l-264 264q-8 8 -5.5 13 t12.5 5h175v200h-200v-173q0 -10 -5 -12t-13 5l-264 265q-8 7 -8 17.5t8 17.5l264 260q8 7 13 5t5 -12v-173h200v200h-175q-10 0 -12.5 5t5.5 13z" />
+<glyph unicode="&#xe069;" d="M250 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe070;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5 t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe071;" d="M1200 1050v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-492 480q-15 14 -15 35t15 35l492 480q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25z" />
+<glyph unicode="&#xe072;" d="M243 1074l814 -498q18 -11 18 -26t-18 -26l-814 -498q-18 -11 -30.5 -4t-12.5 28v1000q0 21 12.5 28t30.5 -4z" />
+<glyph unicode="&#xe073;" d="M250 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM650 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800 q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe074;" d="M1100 950v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5z" />
+<glyph unicode="&#xe075;" d="M500 612v438q0 21 10.5 25t25.5 -10l492 -480q15 -14 15 -35t-15 -35l-492 -480q-15 -14 -25.5 -10t-10.5 25v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10z" />
+<glyph unicode="&#xe076;" d="M1048 1102l100 1q20 0 35 -14.5t15 -35.5l5 -1000q0 -21 -14.5 -35.5t-35.5 -14.5l-100 -1q-21 0 -35.5 14.5t-14.5 35.5l-2 437l-463 -454q-14 -15 -24.5 -10.5t-10.5 25.5l-2 437l-462 -455q-15 -14 -25.5 -9.5t-10.5 24.5l-5 1000q0 21 10.5 25.5t25.5 -10.5l466 -450 l-2 438q0 20 10.5 24.5t25.5 -9.5l466 -451l-2 438q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe077;" d="M850 1100h100q21 0 35.5 -14.5t14.5 -35.5v-1000q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10l464 -453v438q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe078;" d="M686 1081l501 -540q15 -15 10.5 -26t-26.5 -11h-1042q-22 0 -26.5 11t10.5 26l501 540q15 15 36 15t36 -15zM150 400h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe079;" d="M885 900l-352 -353l352 -353l-197 -198l-552 552l552 550z" />
+<glyph unicode="&#xe080;" d="M1064 547l-551 -551l-198 198l353 353l-353 353l198 198z" />
+<glyph unicode="&#xe081;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM650 900h-100q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-150 q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5h150v-150q0 -21 14.5 -35.5t35.5 -14.5h100q21 0 35.5 14.5t14.5 35.5v150h150q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-150v150q0 21 -14.5 35.5t-35.5 14.5z" />
+<glyph unicode="&#xe082;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM850 700h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5 t35.5 -14.5h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5z" />
+<glyph unicode="&#xe083;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM741.5 913q-12.5 0 -21.5 -9l-120 -120l-120 120q-9 9 -21.5 9 t-21.5 -9l-141 -141q-9 -9 -9 -21.5t9 -21.5l120 -120l-120 -120q-9 -9 -9 -21.5t9 -21.5l141 -141q9 -9 21.5 -9t21.5 9l120 120l120 -120q9 -9 21.5 -9t21.5 9l141 141q9 9 9 21.5t-9 21.5l-120 120l120 120q9 9 9 21.5t-9 21.5l-141 141q-9 9 -21.5 9z" />
+<glyph unicode="&#xe084;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM546 623l-84 85q-7 7 -17.5 7t-18.5 -7l-139 -139q-7 -8 -7 -18t7 -18 l242 -241q7 -8 17.5 -8t17.5 8l375 375q7 7 7 17.5t-7 18.5l-139 139q-7 7 -17.5 7t-17.5 -7z" />
+<glyph unicode="&#xe085;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM588 941q-29 0 -59 -5.5t-63 -20.5t-58 -38.5t-41.5 -63t-16.5 -89.5 q0 -25 20 -25h131q30 -5 35 11q6 20 20.5 28t45.5 8q20 0 31.5 -10.5t11.5 -28.5q0 -23 -7 -34t-26 -18q-1 0 -13.5 -4t-19.5 -7.5t-20 -10.5t-22 -17t-18.5 -24t-15.5 -35t-8 -46q-1 -8 5.5 -16.5t20.5 -8.5h173q7 0 22 8t35 28t37.5 48t29.5 74t12 100q0 47 -17 83 t-42.5 57t-59.5 34.5t-64 18t-59 4.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe086;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM675 1000h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5 t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5zM675 700h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h75v-200h-75q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h350q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5 t-17.5 7.5h-75v275q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe087;" d="M525 1200h150q10 0 17.5 -7.5t7.5 -17.5v-194q103 -27 178.5 -102.5t102.5 -178.5h194q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-194q-27 -103 -102.5 -178.5t-178.5 -102.5v-194q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v194 q-103 27 -178.5 102.5t-102.5 178.5h-194q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h194q27 103 102.5 178.5t178.5 102.5v194q0 10 7.5 17.5t17.5 7.5zM700 893v-168q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v168q-68 -23 -119 -74 t-74 -119h168q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-168q23 -68 74 -119t119 -74v168q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-168q68 23 119 74t74 119h-168q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h168 q-23 68 -74 119t-119 74z" />
+<glyph unicode="&#xe088;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM759 823l64 -64q7 -7 7 -17.5t-7 -17.5l-124 -124l124 -124q7 -7 7 -17.5t-7 -17.5l-64 -64q-7 -7 -17.5 -7t-17.5 7l-124 124l-124 -124q-7 -7 -17.5 -7t-17.5 7l-64 64 q-7 7 -7 17.5t7 17.5l124 124l-124 124q-7 7 -7 17.5t7 17.5l64 64q7 7 17.5 7t17.5 -7l124 -124l124 124q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe089;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM782 788l106 -106q7 -7 7 -17.5t-7 -17.5l-320 -321q-8 -7 -18 -7t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l197 197q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe090;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5q0 -120 65 -225 l587 587q-105 65 -225 65zM965 819l-584 -584q104 -62 219 -62q116 0 214.5 57t155.5 155.5t57 214.5q0 115 -62 219z" />
+<glyph unicode="&#xe091;" d="M39 582l522 427q16 13 27.5 8t11.5 -26v-291h550q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-550v-291q0 -21 -11.5 -26t-27.5 8l-522 427q-16 13 -16 32t16 32z" />
+<glyph unicode="&#xe092;" d="M639 1009l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291h-550q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h550v291q0 21 11.5 26t27.5 -8z" />
+<glyph unicode="&#xe093;" d="M682 1161l427 -522q13 -16 8 -27.5t-26 -11.5h-291v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v550h-291q-21 0 -26 11.5t8 27.5l427 522q13 16 32 16t32 -16z" />
+<glyph unicode="&#xe094;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-550h291q21 0 26 -11.5t-8 -27.5l-427 -522q-13 -16 -32 -16t-32 16l-427 522q-13 16 -8 27.5t26 11.5h291v550q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe095;" d="M639 1109l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291q-94 -2 -182 -20t-170.5 -52t-147 -92.5t-100.5 -135.5q5 105 27 193.5t67.5 167t113 135t167 91.5t225.5 42v262q0 21 11.5 26t27.5 -8z" />
+<glyph unicode="&#xe096;" d="M850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5zM350 0h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249 q8 7 18 7t18 -7l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5z" />
+<glyph unicode="&#xe097;" d="M1014 1120l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249q8 7 18 7t18 -7zM250 600h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5z" />
+<glyph unicode="&#xe101;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM704 900h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5 t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe102;" d="M260 1200q9 0 19 -2t15 -4l5 -2q22 -10 44 -23l196 -118q21 -13 36 -24q29 -21 37 -12q11 13 49 35l196 118q22 13 45 23q17 7 38 7q23 0 47 -16.5t37 -33.5l13 -16q14 -21 18 -45l25 -123l8 -44q1 -9 8.5 -14.5t17.5 -5.5h61q10 0 17.5 -7.5t7.5 -17.5v-50 q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 -7.5t-7.5 -17.5v-175h-400v300h-200v-300h-400v175q0 10 -7.5 17.5t-17.5 7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5h61q11 0 18 3t7 8q0 4 9 52l25 128q5 25 19 45q2 3 5 7t13.5 15t21.5 19.5t26.5 15.5 t29.5 7zM915 1079l-166 -162q-7 -7 -5 -12t12 -5h219q10 0 15 7t2 17l-51 149q-3 10 -11 12t-15 -6zM463 917l-177 157q-8 7 -16 5t-11 -12l-51 -143q-3 -10 2 -17t15 -7h231q11 0 12.5 5t-5.5 12zM500 0h-375q-10 0 -17.5 7.5t-7.5 17.5v375h400v-400zM1100 400v-375 q0 -10 -7.5 -17.5t-17.5 -7.5h-375v400h400z" />
+<glyph unicode="&#xe103;" d="M1165 1190q8 3 21 -6.5t13 -17.5q-2 -178 -24.5 -323.5t-55.5 -245.5t-87 -174.5t-102.5 -118.5t-118 -68.5t-118.5 -33t-120 -4.5t-105 9.5t-90 16.5q-61 12 -78 11q-4 1 -12.5 0t-34 -14.5t-52.5 -40.5l-153 -153q-26 -24 -37 -14.5t-11 43.5q0 64 42 102q8 8 50.5 45 t66.5 58q19 17 35 47t13 61q-9 55 -10 102.5t7 111t37 130t78 129.5q39 51 80 88t89.5 63.5t94.5 45t113.5 36t129 31t157.5 37t182 47.5zM1116 1098q-8 9 -22.5 -3t-45.5 -50q-38 -47 -119 -103.5t-142 -89.5l-62 -33q-56 -30 -102 -57t-104 -68t-102.5 -80.5t-85.5 -91 t-64 -104.5q-24 -56 -31 -86t2 -32t31.5 17.5t55.5 59.5q25 30 94 75.5t125.5 77.5t147.5 81q70 37 118.5 69t102 79.5t99 111t86.5 148.5q22 50 24 60t-6 19z" />
+<glyph unicode="&#xe104;" d="M653 1231q-39 -67 -54.5 -131t-10.5 -114.5t24.5 -96.5t47.5 -80t63.5 -62.5t68.5 -46.5t65 -30q-4 7 -17.5 35t-18.5 39.5t-17 39.5t-17 43t-13 42t-9.5 44.5t-2 42t4 43t13.5 39t23 38.5q96 -42 165 -107.5t105 -138t52 -156t13 -159t-19 -149.5q-13 -55 -44 -106.5 t-68 -87t-78.5 -64.5t-72.5 -45t-53 -22q-72 -22 -127 -11q-31 6 -13 19q6 3 17 7q13 5 32.5 21t41 44t38.5 63.5t21.5 81.5t-6.5 94.5t-50 107t-104 115.5q10 -104 -0.5 -189t-37 -140.5t-65 -93t-84 -52t-93.5 -11t-95 24.5q-80 36 -131.5 114t-53.5 171q-2 23 0 49.5 t4.5 52.5t13.5 56t27.5 60t46 64.5t69.5 68.5q-8 -53 -5 -102.5t17.5 -90t34 -68.5t44.5 -39t49 -2q31 13 38.5 36t-4.5 55t-29 64.5t-36 75t-26 75.5q-15 85 2 161.5t53.5 128.5t85.5 92.5t93.5 61t81.5 25.5z" />
+<glyph unicode="&#xe105;" d="M600 1094q82 0 160.5 -22.5t140 -59t116.5 -82.5t94.5 -95t68 -95t42.5 -82.5t14 -57.5t-14 -57.5t-43 -82.5t-68.5 -95t-94.5 -95t-116.5 -82.5t-140 -59t-159.5 -22.5t-159.5 22.5t-140 59t-116.5 82.5t-94.5 95t-68.5 95t-43 82.5t-14 57.5t14 57.5t42.5 82.5t68 95 t94.5 95t116.5 82.5t140 59t160.5 22.5zM888 829q-15 15 -18 12t5 -22q25 -57 25 -119q0 -124 -88 -212t-212 -88t-212 88t-88 212q0 59 23 114q8 19 4.5 22t-17.5 -12q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q22 -36 47 -71t70 -82t92.5 -81t113 -58.5t133.5 -24.5 t133.5 24t113 58.5t92.5 81.5t70 81.5t47 70.5q11 18 9 42.5t-14 41.5q-90 117 -163 189zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l35 34q14 15 12.5 33.5t-16.5 33.5q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
+<glyph unicode="&#xe106;" d="M592 0h-148l31 120q-91 20 -175.5 68.5t-143.5 106.5t-103.5 119t-66.5 110t-22 76q0 21 14 57.5t42.5 82.5t68 95t94.5 95t116.5 82.5t140 59t160.5 22.5q61 0 126 -15l32 121h148zM944 770l47 181q108 -85 176.5 -192t68.5 -159q0 -26 -19.5 -71t-59.5 -102t-93 -112 t-129 -104.5t-158 -75.5l46 173q77 49 136 117t97 131q11 18 9 42.5t-14 41.5q-54 70 -107 130zM310 824q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q18 -30 39 -60t57 -70.5t74 -73t90 -61t105 -41.5l41 154q-107 18 -178.5 101.5t-71.5 193.5q0 59 23 114q8 19 4.5 22 t-17.5 -12zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l12 11l22 86l-3 4q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
+<glyph unicode="&#xe107;" d="M-90 100l642 1066q20 31 48 28.5t48 -35.5l642 -1056q21 -32 7.5 -67.5t-50.5 -35.5h-1294q-37 0 -50.5 34t7.5 66zM155 200h345v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h345l-445 723zM496 700h208q20 0 32 -14.5t8 -34.5l-58 -252 q-4 -20 -21.5 -34.5t-37.5 -14.5h-54q-20 0 -37.5 14.5t-21.5 34.5l-58 252q-4 20 8 34.5t32 14.5z" />
+<glyph unicode="&#xe108;" d="M650 1200q62 0 106 -44t44 -106v-339l363 -325q15 -14 26 -38.5t11 -44.5v-41q0 -20 -12 -26.5t-29 5.5l-359 249v-263q100 -93 100 -113v-64q0 -21 -13 -29t-32 1l-205 128l-205 -128q-19 -9 -32 -1t-13 29v64q0 20 100 113v263l-359 -249q-17 -12 -29 -5.5t-12 26.5v41 q0 20 11 44.5t26 38.5l363 325v339q0 62 44 106t106 44z" />
+<glyph unicode="&#xe109;" d="M850 1200h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-150h-1100v150q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-50h500v50q0 21 14.5 35.5t35.5 14.5zM1100 800v-750q0 -21 -14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v750h1100zM100 600v-100h100v100h-100zM300 600v-100h100v100h-100zM500 600v-100h100v100h-100zM700 600v-100h100v100h-100zM900 600v-100h100v100h-100zM100 400v-100h100v100h-100zM300 400v-100h100v100h-100zM500 400 v-100h100v100h-100zM700 400v-100h100v100h-100zM900 400v-100h100v100h-100zM100 200v-100h100v100h-100zM300 200v-100h100v100h-100zM500 200v-100h100v100h-100zM700 200v-100h100v100h-100zM900 200v-100h100v100h-100z" />
+<glyph unicode="&#xe110;" d="M1135 1165l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-159l-600 -600h-291q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h209l600 600h241v150q0 21 10.5 25t24.5 -10zM522 819l-141 -141l-122 122h-209q-21 0 -35.5 14.5 t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h291zM1135 565l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-241l-181 181l141 141l122 -122h159v150q0 21 10.5 25t24.5 -10z" />
+<glyph unicode="&#xe111;" d="M100 1100h1000q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-596l-304 -300v300h-100q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5z" />
+<glyph unicode="&#xe112;" d="M150 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM850 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM1100 800v-300q0 -41 -3 -77.5t-15 -89.5t-32 -96t-58 -89t-89 -77t-129 -51t-174 -20t-174 20 t-129 51t-89 77t-58 89t-32 96t-15 89.5t-3 77.5v300h300v-250v-27v-42.5t1.5 -41t5 -38t10 -35t16.5 -30t25.5 -24.5t35 -19t46.5 -12t60 -4t60 4.5t46.5 12.5t35 19.5t25 25.5t17 30.5t10 35t5 38t2 40.5t-0.5 42v25v250h300z" />
+<glyph unicode="&#xe113;" d="M1100 411l-198 -199l-353 353l-353 -353l-197 199l551 551z" />
+<glyph unicode="&#xe114;" d="M1101 789l-550 -551l-551 551l198 199l353 -353l353 353z" />
+<glyph unicode="&#xe115;" d="M404 1000h746q21 0 35.5 -14.5t14.5 -35.5v-551h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v401h-381zM135 984l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-400h385l215 -200h-750q-21 0 -35.5 14.5 t-14.5 35.5v550h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe116;" d="M56 1200h94q17 0 31 -11t18 -27l38 -162h896q24 0 39 -18.5t10 -42.5l-100 -475q-5 -21 -27 -42.5t-55 -21.5h-633l48 -200h535q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-50q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-300v-50 q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-31q-18 0 -32.5 10t-20.5 19l-5 10l-201 961h-54q-20 0 -35 14.5t-15 35.5t15 35.5t35 14.5z" />
+<glyph unicode="&#xe117;" d="M1200 1000v-100h-1200v100h200q0 41 29.5 70.5t70.5 29.5h300q41 0 70.5 -29.5t29.5 -70.5h500zM0 800h1200v-800h-1200v800z" />
+<glyph unicode="&#xe118;" d="M200 800l-200 -400v600h200q0 41 29.5 70.5t70.5 29.5h300q42 0 71 -29.5t29 -70.5h500v-200h-1000zM1500 700l-300 -700h-1200l300 700h1200z" />
+<glyph unicode="&#xe119;" d="M635 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-601h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v601h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe120;" d="M936 864l249 -229q14 -15 14 -35.5t-14 -35.5l-249 -229q-15 -15 -25.5 -10.5t-10.5 24.5v151h-600v-151q0 -20 -10.5 -24.5t-25.5 10.5l-249 229q-14 15 -14 35.5t14 35.5l249 229q15 15 25.5 10.5t10.5 -25.5v-149h600v149q0 21 10.5 25.5t25.5 -10.5z" />
+<glyph unicode="&#xe121;" d="M1169 400l-172 732q-5 23 -23 45.5t-38 22.5h-672q-20 0 -38 -20t-23 -41l-172 -739h1138zM1100 300h-1000q-41 0 -70.5 -29.5t-29.5 -70.5v-100q0 -41 29.5 -70.5t70.5 -29.5h1000q41 0 70.5 29.5t29.5 70.5v100q0 41 -29.5 70.5t-70.5 29.5zM800 100v100h100v-100h-100 zM1000 100v100h100v-100h-100z" />
+<glyph unicode="&#xe122;" d="M1150 1100q21 0 35.5 -14.5t14.5 -35.5v-850q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v850q0 21 14.5 35.5t35.5 14.5zM1000 200l-675 200h-38l47 -276q3 -16 -5.5 -20t-29.5 -4h-7h-84q-20 0 -34.5 14t-18.5 35q-55 337 -55 351v250v6q0 16 1 23.5t6.5 14 t17.5 6.5h200l675 250v-850zM0 750v-250q-4 0 -11 0.5t-24 6t-30 15t-24 30t-11 48.5v50q0 26 10.5 46t25 30t29 16t25.5 7z" />
+<glyph unicode="&#xe123;" d="M553 1200h94q20 0 29 -10.5t3 -29.5l-18 -37q83 -19 144 -82.5t76 -140.5l63 -327l118 -173h17q19 0 33 -14.5t14 -35t-13 -40.5t-31 -27q-8 -4 -23 -9.5t-65 -19.5t-103 -25t-132.5 -20t-158.5 -9q-57 0 -115 5t-104 12t-88.5 15.5t-73.5 17.5t-54.5 16t-35.5 12l-11 4 q-18 8 -31 28t-13 40.5t14 35t33 14.5h17l118 173l63 327q15 77 76 140t144 83l-18 32q-6 19 3.5 32t28.5 13zM498 110q50 -6 102 -6q53 0 102 6q-12 -49 -39.5 -79.5t-62.5 -30.5t-63 30.5t-39 79.5z" />
+<glyph unicode="&#xe124;" d="M800 946l224 78l-78 -224l234 -45l-180 -155l180 -155l-234 -45l78 -224l-224 78l-45 -234l-155 180l-155 -180l-45 234l-224 -78l78 224l-234 45l180 155l-180 155l234 45l-78 224l224 -78l45 234l155 -180l155 180z" />
+<glyph unicode="&#xe125;" d="M650 1200h50q40 0 70 -40.5t30 -84.5v-150l-28 -125h328q40 0 70 -40.5t30 -84.5v-100q0 -45 -29 -74l-238 -344q-16 -24 -38 -40.5t-45 -16.5h-250q-7 0 -42 25t-66 50l-31 25h-61q-45 0 -72.5 18t-27.5 57v400q0 36 20 63l145 196l96 198q13 28 37.5 48t51.5 20z M650 1100l-100 -212l-150 -213v-375h100l136 -100h214l250 375v125h-450l50 225v175h-50zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe126;" d="M600 1100h250q23 0 45 -16.5t38 -40.5l238 -344q29 -29 29 -74v-100q0 -44 -30 -84.5t-70 -40.5h-328q28 -118 28 -125v-150q0 -44 -30 -84.5t-70 -40.5h-50q-27 0 -51.5 20t-37.5 48l-96 198l-145 196q-20 27 -20 63v400q0 39 27.5 57t72.5 18h61q124 100 139 100z M50 1000h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM636 1000l-136 -100h-100v-375l150 -213l100 -212h50v175l-50 225h450v125l-250 375h-214z" />
+<glyph unicode="&#xe127;" d="M356 873l363 230q31 16 53 -6l110 -112q13 -13 13.5 -32t-11.5 -34l-84 -121h302q84 0 138 -38t54 -110t-55 -111t-139 -39h-106l-131 -339q-6 -21 -19.5 -41t-28.5 -20h-342q-7 0 -90 81t-83 94v525q0 17 14 35.5t28 28.5zM400 792v-503l100 -89h293l131 339 q6 21 19.5 41t28.5 20h203q21 0 30.5 25t0.5 50t-31 25h-456h-7h-6h-5.5t-6 0.5t-5 1.5t-5 2t-4 2.5t-4 4t-2.5 4.5q-12 25 5 47l146 183l-86 83zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500 q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe128;" d="M475 1103l366 -230q2 -1 6 -3.5t14 -10.5t18 -16.5t14.5 -20t6.5 -22.5v-525q0 -13 -86 -94t-93 -81h-342q-15 0 -28.5 20t-19.5 41l-131 339h-106q-85 0 -139.5 39t-54.5 111t54 110t138 38h302l-85 121q-11 15 -10.5 34t13.5 32l110 112q22 22 53 6zM370 945l146 -183 q17 -22 5 -47q-2 -2 -3.5 -4.5t-4 -4t-4 -2.5t-5 -2t-5 -1.5t-6 -0.5h-6h-6.5h-6h-475v-100h221q15 0 29 -20t20 -41l130 -339h294l106 89v503l-342 236zM1050 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5 v500q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe129;" d="M550 1294q72 0 111 -55t39 -139v-106l339 -131q21 -6 41 -19.5t20 -28.5v-342q0 -7 -81 -90t-94 -83h-525q-17 0 -35.5 14t-28.5 28l-9 14l-230 363q-16 31 6 53l112 110q13 13 32 13.5t34 -11.5l121 -84v302q0 84 38 138t110 54zM600 972v203q0 21 -25 30.5t-50 0.5 t-25 -31v-456v-7v-6v-5.5t-0.5 -6t-1.5 -5t-2 -5t-2.5 -4t-4 -4t-4.5 -2.5q-25 -12 -47 5l-183 146l-83 -86l236 -339h503l89 100v293l-339 131q-21 6 -41 19.5t-20 28.5zM450 200h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe130;" d="M350 1100h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5zM600 306v-106q0 -84 -39 -139t-111 -55t-110 54t-38 138v302l-121 -84q-15 -12 -34 -11.5t-32 13.5l-112 110 q-22 22 -6 53l230 363q1 2 3.5 6t10.5 13.5t16.5 17t20 13.5t22.5 6h525q13 0 94 -83t81 -90v-342q0 -15 -20 -28.5t-41 -19.5zM308 900l-236 -339l83 -86l183 146q22 17 47 5q2 -1 4.5 -2.5t4 -4t2.5 -4t2 -5t1.5 -5t0.5 -6v-5.5v-6v-7v-456q0 -22 25 -31t50 0.5t25 30.5 v203q0 15 20 28.5t41 19.5l339 131v293l-89 100h-503z" />
+<glyph unicode="&#xe131;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM914 632l-275 223q-16 13 -27.5 8t-11.5 -26v-137h-275 q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h275v-137q0 -21 11.5 -26t27.5 8l275 223q16 13 16 32t-16 32z" />
+<glyph unicode="&#xe132;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM561 855l-275 -223q-16 -13 -16 -32t16 -32l275 -223q16 -13 27.5 -8 t11.5 26v137h275q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5h-275v137q0 21 -11.5 26t-27.5 -8z" />
+<glyph unicode="&#xe133;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM855 639l-223 275q-13 16 -32 16t-32 -16l-223 -275q-13 -16 -8 -27.5 t26 -11.5h137v-275q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v275h137q21 0 26 11.5t-8 27.5z" />
+<glyph unicode="&#xe134;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM675 900h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-275h-137q-21 0 -26 -11.5 t8 -27.5l223 -275q13 -16 32 -16t32 16l223 275q13 16 8 27.5t-26 11.5h-137v275q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe135;" d="M600 1176q116 0 222.5 -46t184 -123.5t123.5 -184t46 -222.5t-46 -222.5t-123.5 -184t-184 -123.5t-222.5 -46t-222.5 46t-184 123.5t-123.5 184t-46 222.5t46 222.5t123.5 184t184 123.5t222.5 46zM627 1101q-15 -12 -36.5 -20.5t-35.5 -12t-43 -8t-39 -6.5 q-15 -3 -45.5 0t-45.5 -2q-20 -7 -51.5 -26.5t-34.5 -34.5q-3 -11 6.5 -22.5t8.5 -18.5q-3 -34 -27.5 -91t-29.5 -79q-9 -34 5 -93t8 -87q0 -9 17 -44.5t16 -59.5q12 0 23 -5t23.5 -15t19.5 -14q16 -8 33 -15t40.5 -15t34.5 -12q21 -9 52.5 -32t60 -38t57.5 -11 q7 -15 -3 -34t-22.5 -40t-9.5 -38q13 -21 23 -34.5t27.5 -27.5t36.5 -18q0 -7 -3.5 -16t-3.5 -14t5 -17q104 -2 221 112q30 29 46.5 47t34.5 49t21 63q-13 8 -37 8.5t-36 7.5q-15 7 -49.5 15t-51.5 19q-18 0 -41 -0.5t-43 -1.5t-42 -6.5t-38 -16.5q-51 -35 -66 -12 q-4 1 -3.5 25.5t0.5 25.5q-6 13 -26.5 17.5t-24.5 6.5q1 15 -0.5 30.5t-7 28t-18.5 11.5t-31 -21q-23 -25 -42 4q-19 28 -8 58q6 16 22 22q6 -1 26 -1.5t33.5 -4t19.5 -13.5q7 -12 18 -24t21.5 -20.5t20 -15t15.5 -10.5l5 -3q2 12 7.5 30.5t8 34.5t-0.5 32q-3 18 3.5 29 t18 22.5t15.5 24.5q6 14 10.5 35t8 31t15.5 22.5t34 22.5q-6 18 10 36q8 0 24 -1.5t24.5 -1.5t20 4.5t20.5 15.5q-10 23 -31 42.5t-37.5 29.5t-49 27t-43.5 23q0 1 2 8t3 11.5t1.5 10.5t-1 9.5t-4.5 4.5q31 -13 58.5 -14.5t38.5 2.5l12 5q5 28 -9.5 46t-36.5 24t-50 15 t-41 20q-18 -4 -37 0zM613 994q0 -17 8 -42t17 -45t9 -23q-8 1 -39.5 5.5t-52.5 10t-37 16.5q3 11 16 29.5t16 25.5q10 -10 19 -10t14 6t13.5 14.5t16.5 12.5z" />
+<glyph unicode="&#xe136;" d="M756 1157q164 92 306 -9l-259 -138l145 -232l251 126q6 -89 -34 -156.5t-117 -110.5q-60 -34 -127 -39.5t-126 16.5l-596 -596q-15 -16 -36.5 -16t-36.5 16l-111 110q-15 15 -15 36.5t15 37.5l600 599q-34 101 5.5 201.5t135.5 154.5z" />
+<glyph unicode="&#xe137;" horiz-adv-x="1220" d="M100 1196h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 1096h-200v-100h200v100zM100 796h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 696h-500v-100h500v100zM100 396h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 296h-300v-100h300v100z " />
+<glyph unicode="&#xe138;" d="M150 1200h900q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM700 500v-300l-200 -200v500l-350 500h900z" />
+<glyph unicode="&#xe139;" d="M500 1200h200q41 0 70.5 -29.5t29.5 -70.5v-100h300q41 0 70.5 -29.5t29.5 -70.5v-400h-500v100h-200v-100h-500v400q0 41 29.5 70.5t70.5 29.5h300v100q0 41 29.5 70.5t70.5 29.5zM500 1100v-100h200v100h-200zM1200 400v-200q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v200h1200z" />
+<glyph unicode="&#xe140;" d="M50 1200h300q21 0 25 -10.5t-10 -24.5l-94 -94l199 -199q7 -8 7 -18t-7 -18l-106 -106q-8 -7 -18 -7t-18 7l-199 199l-94 -94q-14 -14 -24.5 -10t-10.5 25v300q0 21 14.5 35.5t35.5 14.5zM850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-199 -199q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l199 199l-94 94q-14 14 -10 24.5t25 10.5zM364 470l106 -106q7 -8 7 -18t-7 -18l-199 -199l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l199 199 q8 7 18 7t18 -7zM1071 271l94 94q14 14 24.5 10t10.5 -25v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -25 10.5t10 24.5l94 94l-199 199q-7 8 -7 18t7 18l106 106q8 7 18 7t18 -7z" />
+<glyph unicode="&#xe141;" d="M596 1192q121 0 231.5 -47.5t190 -127t127 -190t47.5 -231.5t-47.5 -231.5t-127 -190.5t-190 -127t-231.5 -47t-231.5 47t-190.5 127t-127 190.5t-47 231.5t47 231.5t127 190t190.5 127t231.5 47.5zM596 1010q-112 0 -207.5 -55.5t-151 -151t-55.5 -207.5t55.5 -207.5 t151 -151t207.5 -55.5t207.5 55.5t151 151t55.5 207.5t-55.5 207.5t-151 151t-207.5 55.5zM454.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38.5 -16.5t-38.5 16.5t-16 39t16 38.5t38.5 16zM754.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38 -16.5q-14 0 -29 10l-55 -145 q17 -23 17 -51q0 -36 -25.5 -61.5t-61.5 -25.5t-61.5 25.5t-25.5 61.5q0 32 20.5 56.5t51.5 29.5l122 126l1 1q-9 14 -9 28q0 23 16 39t38.5 16zM345.5 709q22.5 0 38.5 -16t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16zM854.5 709q22.5 0 38.5 -16 t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16z" />
+<glyph unicode="&#xe142;" d="M546 173l469 470q91 91 99 192q7 98 -52 175.5t-154 94.5q-22 4 -47 4q-34 0 -66.5 -10t-56.5 -23t-55.5 -38t-48 -41.5t-48.5 -47.5q-376 -375 -391 -390q-30 -27 -45 -41.5t-37.5 -41t-32 -46.5t-16 -47.5t-1.5 -56.5q9 -62 53.5 -95t99.5 -33q74 0 125 51l548 548 q36 36 20 75q-7 16 -21.5 26t-32.5 10q-26 0 -50 -23q-13 -12 -39 -38l-341 -338q-15 -15 -35.5 -15.5t-34.5 13.5t-14 34.5t14 34.5q327 333 361 367q35 35 67.5 51.5t78.5 16.5q14 0 29 -1q44 -8 74.5 -35.5t43.5 -68.5q14 -47 2 -96.5t-47 -84.5q-12 -11 -32 -32 t-79.5 -81t-114.5 -115t-124.5 -123.5t-123 -119.5t-96.5 -89t-57 -45q-56 -27 -120 -27q-70 0 -129 32t-93 89q-48 78 -35 173t81 163l511 511q71 72 111 96q91 55 198 55q80 0 152 -33q78 -36 129.5 -103t66.5 -154q17 -93 -11 -183.5t-94 -156.5l-482 -476 q-15 -15 -36 -16t-37 14t-17.5 34t14.5 35z" />
+<glyph unicode="&#xe143;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104zM896 972q-33 0 -64.5 -19t-56.5 -46t-47.5 -53.5t-43.5 -45.5t-37.5 -19t-36 19t-40 45.5t-43 53.5t-54 46t-65.5 19q-67 0 -122.5 -55.5t-55.5 -132.5q0 -23 13.5 -51t46 -65t57.5 -63t76 -75l22 -22q15 -14 44 -44t50.5 -51t46 -44t41 -35t23 -12 t23.5 12t42.5 36t46 44t52.5 52t44 43q4 4 12 13q43 41 63.5 62t52 55t46 55t26 46t11.5 44q0 79 -53 133.5t-120 54.5z" />
+<glyph unicode="&#xe144;" d="M776.5 1214q93.5 0 159.5 -66l141 -141q66 -66 66 -160q0 -42 -28 -95.5t-62 -87.5l-29 -29q-31 53 -77 99l-18 18l95 95l-247 248l-389 -389l212 -212l-105 -106l-19 18l-141 141q-66 66 -66 159t66 159l283 283q65 66 158.5 66zM600 706l105 105q10 -8 19 -17l141 -141 q66 -66 66 -159t-66 -159l-283 -283q-66 -66 -159 -66t-159 66l-141 141q-66 66 -66 159.5t66 159.5l55 55q29 -55 75 -102l18 -17l-95 -95l247 -248l389 389z" />
+<glyph unicode="&#xe145;" d="M603 1200q85 0 162 -15t127 -38t79 -48t29 -46v-953q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-41 0 -70.5 29.5t-29.5 70.5v953q0 21 30 46.5t81 48t129 37.5t163 15zM300 1000v-700h600v700h-600zM600 254q-43 0 -73.5 -30.5t-30.5 -73.5t30.5 -73.5t73.5 -30.5t73.5 30.5 t30.5 73.5t-30.5 73.5t-73.5 30.5z" />
+<glyph unicode="&#xe146;" d="M902 1185l283 -282q15 -15 15 -36t-14.5 -35.5t-35.5 -14.5t-35 15l-36 35l-279 -267v-300l-212 210l-308 -307l-280 -203l203 280l307 308l-210 212h300l267 279l-35 36q-15 14 -15 35t14.5 35.5t35.5 14.5t35 -15z" />
+<glyph unicode="&#xe148;" d="M700 1248v-78q38 -5 72.5 -14.5t75.5 -31.5t71 -53.5t52 -84t24 -118.5h-159q-4 36 -10.5 59t-21 45t-40 35.5t-64.5 20.5v-307l64 -13q34 -7 64 -16.5t70 -32t67.5 -52.5t47.5 -80t20 -112q0 -139 -89 -224t-244 -97v-77h-100v79q-150 16 -237 103q-40 40 -52.5 93.5 t-15.5 139.5h139q5 -77 48.5 -126t117.5 -65v335l-27 8q-46 14 -79 26.5t-72 36t-63 52t-40 72.5t-16 98q0 70 25 126t67.5 92t94.5 57t110 27v77h100zM600 754v274q-29 -4 -50 -11t-42 -21.5t-31.5 -41.5t-10.5 -65q0 -29 7 -50.5t16.5 -34t28.5 -22.5t31.5 -14t37.5 -10 q9 -3 13 -4zM700 547v-310q22 2 42.5 6.5t45 15.5t41.5 27t29 42t12 59.5t-12.5 59.5t-38 44.5t-53 31t-66.5 24.5z" />
+<glyph unicode="&#xe149;" d="M561 1197q84 0 160.5 -40t123.5 -109.5t47 -147.5h-153q0 40 -19.5 71.5t-49.5 48.5t-59.5 26t-55.5 9q-37 0 -79 -14.5t-62 -35.5q-41 -44 -41 -101q0 -26 13.5 -63t26.5 -61t37 -66q6 -9 9 -14h241v-100h-197q8 -50 -2.5 -115t-31.5 -95q-45 -62 -99 -112 q34 10 83 17.5t71 7.5q32 1 102 -16t104 -17q83 0 136 30l50 -147q-31 -19 -58 -30.5t-55 -15.5t-42 -4.5t-46 -0.5q-23 0 -76 17t-111 32.5t-96 11.5q-39 -3 -82 -16t-67 -25l-23 -11l-55 145q4 3 16 11t15.5 10.5t13 9t15.5 12t14.5 14t17.5 18.5q48 55 54 126.5 t-30 142.5h-221v100h166q-23 47 -44 104q-7 20 -12 41.5t-6 55.5t6 66.5t29.5 70.5t58.5 71q97 88 263 88z" />
+<glyph unicode="&#xe150;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM935 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-900h-200v900h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe151;" d="M1000 700h-100v100h-100v-100h-100v500h300v-500zM400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM801 1100v-200h100v200h-100zM1000 350l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150z " />
+<glyph unicode="&#xe152;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 1050l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150zM1000 0h-100v100h-100v-100h-100v500h300v-500zM801 400v-200h100v200h-100z " />
+<glyph unicode="&#xe153;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 700h-100v400h-100v100h200v-500zM1100 0h-100v100h-200v400h300v-500zM901 400v-200h100v200h-100z" />
+<glyph unicode="&#xe154;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1100 700h-100v100h-200v400h300v-500zM901 1100v-200h100v200h-100zM1000 0h-100v400h-100v100h200v-500z" />
+<glyph unicode="&#xe155;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM900 1000h-200v200h200v-200zM1000 700h-300v200h300v-200zM1100 400h-400v200h400v-200zM1200 100h-500v200h500v-200z" />
+<glyph unicode="&#xe156;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1200 1000h-500v200h500v-200zM1100 700h-400v200h400v-200zM1000 400h-300v200h300v-200zM900 100h-200v200h200v-200z" />
+<glyph unicode="&#xe157;" d="M350 1100h400q162 0 256 -93.5t94 -256.5v-400q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5z" />
+<glyph unicode="&#xe158;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-163 0 -256.5 92.5t-93.5 257.5v400q0 163 94 256.5t256 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM440 770l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
+<glyph unicode="&#xe159;" d="M350 1100h400q163 0 256.5 -94t93.5 -256v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 163 92.5 256.5t257.5 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM350 700h400q21 0 26.5 -12t-6.5 -28l-190 -253q-12 -17 -30 -17t-30 17l-190 253q-12 16 -6.5 28t26.5 12z" />
+<glyph unicode="&#xe160;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -163 -92.5 -256.5t-257.5 -93.5h-400q-163 0 -256.5 94t-93.5 256v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM580 693l190 -253q12 -16 6.5 -28t-26.5 -12h-400q-21 0 -26.5 12t6.5 28l190 253q12 17 30 17t30 -17z" />
+<glyph unicode="&#xe161;" d="M550 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h450q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5h-450q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM338 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
+<glyph unicode="&#xe162;" d="M793 1182l9 -9q8 -10 5 -27q-3 -11 -79 -225.5t-78 -221.5l300 1q24 0 32.5 -17.5t-5.5 -35.5q-1 0 -133.5 -155t-267 -312.5t-138.5 -162.5q-12 -15 -26 -15h-9l-9 8q-9 11 -4 32q2 9 42 123.5t79 224.5l39 110h-302q-23 0 -31 19q-10 21 6 41q75 86 209.5 237.5 t228 257t98.5 111.5q9 16 25 16h9z" />
+<glyph unicode="&#xe163;" d="M350 1100h400q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-450q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h450q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400 q0 165 92.5 257.5t257.5 92.5zM938 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
+<glyph unicode="&#xe164;" d="M750 1200h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -10.5 -25t-24.5 10l-109 109l-312 -312q-15 -15 -35.5 -15t-35.5 15l-141 141q-15 15 -15 35.5t15 35.5l312 312l-109 109q-14 14 -10 24.5t25 10.5zM456 900h-156q-41 0 -70.5 -29.5t-29.5 -70.5v-500 q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v148l200 200v-298q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5h300z" />
+<glyph unicode="&#xe165;" d="M600 1186q119 0 227.5 -46.5t187 -125t125 -187t46.5 -227.5t-46.5 -227.5t-125 -187t-187 -125t-227.5 -46.5t-227.5 46.5t-187 125t-125 187t-46.5 227.5t46.5 227.5t125 187t187 125t227.5 46.5zM600 1022q-115 0 -212 -56.5t-153.5 -153.5t-56.5 -212t56.5 -212 t153.5 -153.5t212 -56.5t212 56.5t153.5 153.5t56.5 212t-56.5 212t-153.5 153.5t-212 56.5zM600 794q80 0 137 -57t57 -137t-57 -137t-137 -57t-137 57t-57 137t57 137t137 57z" />
+<glyph unicode="&#xe166;" d="M450 1200h200q21 0 35.5 -14.5t14.5 -35.5v-350h245q20 0 25 -11t-9 -26l-383 -426q-14 -15 -33.5 -15t-32.5 15l-379 426q-13 15 -8.5 26t25.5 11h250v350q0 21 14.5 35.5t35.5 14.5zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe167;" d="M583 1182l378 -435q14 -15 9 -31t-26 -16h-244v-250q0 -20 -17 -35t-39 -15h-200q-20 0 -32 14.5t-12 35.5v250h-250q-20 0 -25.5 16.5t8.5 31.5l383 431q14 16 33.5 17t33.5 -14zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe168;" d="M396 723l369 369q7 7 17.5 7t17.5 -7l139 -139q7 -8 7 -18.5t-7 -17.5l-525 -525q-7 -8 -17.5 -8t-17.5 8l-292 291q-7 8 -7 18t7 18l139 139q8 7 18.5 7t17.5 -7zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50 h-100z" />
+<glyph unicode="&#xe169;" d="M135 1023l142 142q14 14 35 14t35 -14l77 -77l-212 -212l-77 76q-14 15 -14 36t14 35zM655 855l210 210q14 14 24.5 10t10.5 -25l-2 -599q-1 -20 -15.5 -35t-35.5 -15l-597 -1q-21 0 -25 10.5t10 24.5l208 208l-154 155l212 212zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5 v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe170;" d="M350 1200l599 -2q20 -1 35 -15.5t15 -35.5l1 -597q0 -21 -10.5 -25t-24.5 10l-208 208l-155 -154l-212 212l155 154l-210 210q-14 14 -10 24.5t25 10.5zM524 512l-76 -77q-15 -14 -36 -14t-35 14l-142 142q-14 14 -14 35t14 35l77 77zM50 300h1000q21 0 35.5 -14.5 t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe171;" d="M1200 103l-483 276l-314 -399v423h-399l1196 796v-1096zM483 424v-230l683 953z" />
+<glyph unicode="&#xe172;" d="M1100 1000v-850q0 -21 -14.5 -35.5t-35.5 -14.5h-150v400h-700v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200z" />
+<glyph unicode="&#xe173;" d="M1100 1000l-2 -149l-299 -299l-95 95q-9 9 -21.5 9t-21.5 -9l-149 -147h-312v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1132 638l106 -106q7 -7 7 -17.5t-7 -17.5l-420 -421q-8 -7 -18 -7 t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l297 297q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe174;" d="M1100 1000v-269l-103 -103l-134 134q-15 15 -33.5 16.5t-34.5 -12.5l-266 -266h-329v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1202 572l70 -70q15 -15 15 -35.5t-15 -35.5l-131 -131 l131 -131q15 -15 15 -35.5t-15 -35.5l-70 -70q-15 -15 -35.5 -15t-35.5 15l-131 131l-131 -131q-15 -15 -35.5 -15t-35.5 15l-70 70q-15 15 -15 35.5t15 35.5l131 131l-131 131q-15 15 -15 35.5t15 35.5l70 70q15 15 35.5 15t35.5 -15l131 -131l131 131q15 15 35.5 15 t35.5 -15z" />
+<glyph unicode="&#xe175;" d="M1100 1000v-300h-350q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-500v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM850 600h100q21 0 35.5 -14.5t14.5 -35.5v-250h150q21 0 25 -10.5t-10 -24.5 l-230 -230q-14 -14 -35 -14t-35 14l-230 230q-14 14 -10 24.5t25 10.5h150v250q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe176;" d="M1100 1000v-400l-165 165q-14 15 -35 15t-35 -15l-263 -265h-402v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM935 565l230 -229q14 -15 10 -25.5t-25 -10.5h-150v-250q0 -20 -14.5 -35 t-35.5 -15h-100q-21 0 -35.5 15t-14.5 35v250h-150q-21 0 -25 10.5t10 25.5l230 229q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe177;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-150h-1200v150q0 21 14.5 35.5t35.5 14.5zM1200 800v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v550h1200zM100 500v-200h400v200h-400z" />
+<glyph unicode="&#xe178;" d="M935 1165l248 -230q14 -14 14 -35t-14 -35l-248 -230q-14 -14 -24.5 -10t-10.5 25v150h-400v200h400v150q0 21 10.5 25t24.5 -10zM200 800h-50q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v-200zM400 800h-100v200h100v-200zM18 435l247 230 q14 14 24.5 10t10.5 -25v-150h400v-200h-400v-150q0 -21 -10.5 -25t-24.5 10l-247 230q-15 14 -15 35t15 35zM900 300h-100v200h100v-200zM1000 500h51q20 0 34.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-34.5 -14.5h-51v200z" />
+<glyph unicode="&#xe179;" d="M862 1073l276 116q25 18 43.5 8t18.5 -41v-1106q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v397q-4 1 -11 5t-24 17.5t-30 29t-24 42t-11 56.5v359q0 31 18.5 65t43.5 52zM550 1200q22 0 34.5 -12.5t14.5 -24.5l1 -13v-450q0 -28 -10.5 -59.5 t-25 -56t-29 -45t-25.5 -31.5l-10 -11v-447q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v447q-4 4 -11 11.5t-24 30.5t-30 46t-24 55t-11 60v450q0 2 0.5 5.5t4 12t8.5 15t14.5 12t22.5 5.5q20 0 32.5 -12.5t14.5 -24.5l3 -13v-350h100v350v5.5t2.5 12 t7 15t15 12t25.5 5.5q23 0 35.5 -12.5t13.5 -24.5l1 -13v-350h100v350q0 2 0.5 5.5t3 12t7 15t15 12t24.5 5.5z" />
+<glyph unicode="&#xe180;" d="M1200 1100v-56q-4 0 -11 -0.5t-24 -3t-30 -7.5t-24 -15t-11 -24v-888q0 -22 25 -34.5t50 -13.5l25 -2v-56h-400v56q75 0 87.5 6.5t12.5 43.5v394h-500v-394q0 -37 12.5 -43.5t87.5 -6.5v-56h-400v56q4 0 11 0.5t24 3t30 7.5t24 15t11 24v888q0 22 -25 34.5t-50 13.5 l-25 2v56h400v-56q-75 0 -87.5 -6.5t-12.5 -43.5v-394h500v394q0 37 -12.5 43.5t-87.5 6.5v56h400z" />
+<glyph unicode="&#xe181;" d="M675 1000h375q21 0 35.5 -14.5t14.5 -35.5v-150h-105l-295 -98v98l-200 200h-400l100 100h375zM100 900h300q41 0 70.5 -29.5t29.5 -70.5v-500q0 -41 -29.5 -70.5t-70.5 -29.5h-300q-41 0 -70.5 29.5t-29.5 70.5v500q0 41 29.5 70.5t70.5 29.5zM100 800v-200h300v200 h-300zM1100 535l-400 -133v163l400 133v-163zM100 500v-200h300v200h-300zM1100 398v-248q0 -21 -14.5 -35.5t-35.5 -14.5h-375l-100 -100h-375l-100 100h400l200 200h105z" />
+<glyph unicode="&#xe182;" d="M17 1007l162 162q17 17 40 14t37 -22l139 -194q14 -20 11 -44.5t-20 -41.5l-119 -118q102 -142 228 -268t267 -227l119 118q17 17 42.5 19t44.5 -12l192 -136q19 -14 22.5 -37.5t-13.5 -40.5l-163 -162q-3 -1 -9.5 -1t-29.5 2t-47.5 6t-62.5 14.5t-77.5 26.5t-90 42.5 t-101.5 60t-111 83t-119 108.5q-74 74 -133.5 150.5t-94.5 138.5t-60 119.5t-34.5 100t-15 74.5t-4.5 48z" />
+<glyph unicode="&#xe183;" d="M600 1100q92 0 175 -10.5t141.5 -27t108.5 -36.5t81.5 -40t53.5 -37t31 -27l9 -10v-200q0 -21 -14.5 -33t-34.5 -9l-202 34q-20 3 -34.5 20t-14.5 38v146q-141 24 -300 24t-300 -24v-146q0 -21 -14.5 -38t-34.5 -20l-202 -34q-20 -3 -34.5 9t-14.5 33v200q3 4 9.5 10.5 t31 26t54 37.5t80.5 39.5t109 37.5t141 26.5t175 10.5zM600 795q56 0 97 -9.5t60 -23.5t30 -28t12 -24l1 -10v-50l365 -303q14 -15 24.5 -40t10.5 -45v-212q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v212q0 20 10.5 45t24.5 40l365 303v50 q0 4 1 10.5t12 23t30 29t60 22.5t97 10z" />
+<glyph unicode="&#xe184;" d="M1100 700l-200 -200h-600l-200 200v500h200v-200h200v200h200v-200h200v200h200v-500zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5 t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe185;" d="M700 1100h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-1000h300v1000q0 41 -29.5 70.5t-70.5 29.5zM1100 800h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-700h300v700q0 41 -29.5 70.5t-70.5 29.5zM400 0h-300v400q0 41 29.5 70.5t70.5 29.5h100q41 0 70.5 -29.5t29.5 -70.5v-400z " />
+<glyph unicode="&#xe186;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
+<glyph unicode="&#xe187;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 300h-100v200h-100v-200h-100v500h100v-200h100v200h100v-500zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
+<glyph unicode="&#xe188;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-300h200v-100h-300v500h300v-100zM900 700h-200v-300h200v-100h-300v500h300v-100z" />
+<glyph unicode="&#xe189;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 400l-300 150l300 150v-300zM900 550l-300 -150v300z" />
+<glyph unicode="&#xe190;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM900 300h-700v500h700v-500zM800 700h-130q-38 0 -66.5 -43t-28.5 -108t27 -107t68 -42h130v300zM300 700v-300 h130q41 0 68 42t27 107t-28.5 108t-66.5 43h-130z" />
+<glyph unicode="&#xe191;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 300h-100v400h-100v100h200v-500z M700 300h-100v100h100v-100z" />
+<glyph unicode="&#xe192;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM300 700h200v-400h-300v500h100v-100zM900 300h-100v400h-100v100h200v-500zM300 600v-200h100v200h-100z M700 300h-100v100h100v-100z" />
+<glyph unicode="&#xe193;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 500l-199 -200h-100v50l199 200v150h-200v100h300v-300zM900 300h-100v400h-100v100h200v-500zM701 300h-100 v100h100v-100z" />
+<glyph unicode="&#xe194;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700h-300v-200h300v-100h-300l-100 100v200l100 100h300v-100z" />
+<glyph unicode="&#xe195;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700v-100l-50 -50l100 -100v-50h-100l-100 100h-150v-100h-100v400h300zM500 700v-100h200v100h-200z" />
+<glyph unicode="&#xe197;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -207t-85 -207t-205 -86.5h-128v250q0 21 -14.5 35.5t-35.5 14.5h-300q-21 0 -35.5 -14.5t-14.5 -35.5v-250h-222q-80 0 -136 57.5t-56 136.5q0 69 43 122.5t108 67.5q-2 19 -2 37q0 100 49 185 t134 134t185 49zM525 500h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -244q-13 -16 -32 -16t-32 16l-223 244q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe198;" d="M502 1089q110 0 201 -59.5t135 -156.5q43 15 89 15q121 0 206 -86.5t86 -206.5q0 -99 -60 -181t-150 -110l-378 360q-13 16 -31.5 16t-31.5 -16l-381 -365h-9q-79 0 -135.5 57.5t-56.5 136.5q0 69 43 122.5t108 67.5q-2 19 -2 38q0 100 49 184.5t133.5 134t184.5 49.5z M632 467l223 -228q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5q199 204 223 228q19 19 31.5 19t32.5 -19z" />
+<glyph unicode="&#xe199;" d="M700 100v100h400l-270 300h170l-270 300h170l-300 333l-300 -333h170l-270 -300h170l-270 -300h400v-100h-50q-21 0 -35.5 -14.5t-14.5 -35.5v-50h400v50q0 21 -14.5 35.5t-35.5 14.5h-50z" />
+<glyph unicode="&#xe200;" d="M600 1179q94 0 167.5 -56.5t99.5 -145.5q89 -6 150.5 -71.5t61.5 -155.5q0 -61 -29.5 -112.5t-79.5 -82.5q9 -29 9 -55q0 -74 -52.5 -126.5t-126.5 -52.5q-55 0 -100 30v-251q21 0 35.5 -14.5t14.5 -35.5v-50h-300v50q0 21 14.5 35.5t35.5 14.5v251q-45 -30 -100 -30 q-74 0 -126.5 52.5t-52.5 126.5q0 18 4 38q-47 21 -75.5 65t-28.5 97q0 74 52.5 126.5t126.5 52.5q5 0 23 -2q0 2 -1 10t-1 13q0 116 81.5 197.5t197.5 81.5z" />
+<glyph unicode="&#xe201;" d="M1010 1010q111 -111 150.5 -260.5t0 -299t-150.5 -260.5q-83 -83 -191.5 -126.5t-218.5 -43.5t-218.5 43.5t-191.5 126.5q-111 111 -150.5 260.5t0 299t150.5 260.5q83 83 191.5 126.5t218.5 43.5t218.5 -43.5t191.5 -126.5zM476 1065q-4 0 -8 -1q-121 -34 -209.5 -122.5 t-122.5 -209.5q-4 -12 2.5 -23t18.5 -14l36 -9q3 -1 7 -1q23 0 29 22q27 96 98 166q70 71 166 98q11 3 17.5 13.5t3.5 22.5l-9 35q-3 13 -14 19q-7 4 -15 4zM512 920q-4 0 -9 -2q-80 -24 -138.5 -82.5t-82.5 -138.5q-4 -13 2 -24t19 -14l34 -9q4 -1 8 -1q22 0 28 21 q18 58 58.5 98.5t97.5 58.5q12 3 18 13.5t3 21.5l-9 35q-3 12 -14 19q-7 4 -15 4zM719.5 719.5q-49.5 49.5 -119.5 49.5t-119.5 -49.5t-49.5 -119.5t49.5 -119.5t119.5 -49.5t119.5 49.5t49.5 119.5t-49.5 119.5zM855 551q-22 0 -28 -21q-18 -58 -58.5 -98.5t-98.5 -57.5 q-11 -4 -17 -14.5t-3 -21.5l9 -35q3 -12 14 -19q7 -4 15 -4q4 0 9 2q80 24 138.5 82.5t82.5 138.5q4 13 -2.5 24t-18.5 14l-34 9q-4 1 -8 1zM1000 515q-23 0 -29 -22q-27 -96 -98 -166q-70 -71 -166 -98q-11 -3 -17.5 -13.5t-3.5 -22.5l9 -35q3 -13 14 -19q7 -4 15 -4 q4 0 8 1q121 34 209.5 122.5t122.5 209.5q4 12 -2.5 23t-18.5 14l-36 9q-3 1 -7 1z" />
+<glyph unicode="&#xe202;" d="M700 800h300v-380h-180v200h-340v-200h-380v755q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM700 300h162l-212 -212l-212 212h162v200h100v-200zM520 0h-395q-10 0 -17.5 7.5t-7.5 17.5v395zM1000 220v-195q0 -10 -7.5 -17.5t-17.5 -7.5h-195z" />
+<glyph unicode="&#xe203;" d="M700 800h300v-520l-350 350l-550 -550v1095q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM862 200h-162v-200h-100v200h-162l212 212zM480 0h-355q-10 0 -17.5 7.5t-7.5 17.5v55h380v-80zM1000 80v-55q0 -10 -7.5 -17.5t-17.5 -7.5h-155v80h180z" />
+<glyph unicode="&#xe204;" d="M1162 800h-162v-200h100l100 -100h-300v300h-162l212 212zM200 800h200q27 0 40 -2t29.5 -10.5t23.5 -30t7 -57.5h300v-100h-600l-200 -350v450h100q0 36 7 57.5t23.5 30t29.5 10.5t40 2zM800 400h240l-240 -400h-800l300 500h500v-100z" />
+<glyph unicode="&#xe205;" d="M650 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM1000 850v150q41 0 70.5 -29.5t29.5 -70.5v-800 q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-1 0 -20 4l246 246l-326 326v324q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM412 250l-212 -212v162h-200v100h200v162z" />
+<glyph unicode="&#xe206;" d="M450 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM800 850v150q41 0 70.5 -29.5t29.5 -70.5v-500 h-200v-300h200q0 -36 -7 -57.5t-23.5 -30t-29.5 -10.5t-40 -2h-600q-41 0 -70.5 29.5t-29.5 70.5v800q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM1212 250l-212 -212v162h-200v100h200v162z" />
+<glyph unicode="&#xe209;" d="M658 1197l637 -1104q23 -38 7 -65.5t-60 -27.5h-1276q-44 0 -60 27.5t7 65.5l637 1104q22 39 54 39t54 -39zM704 800h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM500 300v-100h200 v100h-200z" />
+<glyph unicode="&#xe210;" d="M425 1100h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM825 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM25 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5zM425 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5 v150q0 10 7.5 17.5t17.5 7.5zM25 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe211;" d="M700 1200h100v-200h-100v-100h350q62 0 86.5 -39.5t-3.5 -94.5l-66 -132q-41 -83 -81 -134h-772q-40 51 -81 134l-66 132q-28 55 -3.5 94.5t86.5 39.5h350v100h-100v200h100v100h200v-100zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100 h-950l138 100h-13q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe212;" d="M600 1300q40 0 68.5 -29.5t28.5 -70.5h-194q0 41 28.5 70.5t68.5 29.5zM443 1100h314q18 -37 18 -75q0 -8 -3 -25h328q41 0 44.5 -16.5t-30.5 -38.5l-175 -145h-678l-178 145q-34 22 -29 38.5t46 16.5h328q-3 17 -3 25q0 38 18 75zM250 700h700q21 0 35.5 -14.5 t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-150v-200l275 -200h-950l275 200v200h-150q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe213;" d="M600 1181q75 0 128 -53t53 -128t-53 -128t-128 -53t-128 53t-53 128t53 128t128 53zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13 l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe214;" d="M600 1300q47 0 92.5 -53.5t71 -123t25.5 -123.5q0 -78 -55.5 -133.5t-133.5 -55.5t-133.5 55.5t-55.5 133.5q0 62 34 143l144 -143l111 111l-163 163q34 26 63 26zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45 zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe215;" d="M600 1200l300 -161v-139h-300q0 -57 18.5 -108t50 -91.5t63 -72t70 -67.5t57.5 -61h-530q-60 83 -90.5 177.5t-30.5 178.5t33 164.5t87.5 139.5t126 96.5t145.5 41.5v-98zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100 h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe216;" d="M600 1300q41 0 70.5 -29.5t29.5 -70.5v-78q46 -26 73 -72t27 -100v-50h-400v50q0 54 27 100t73 72v78q0 41 29.5 70.5t70.5 29.5zM400 800h400q54 0 100 -27t72 -73h-172v-100h200v-100h-200v-100h200v-100h-200v-100h200q0 -83 -58.5 -141.5t-141.5 -58.5h-400 q-83 0 -141.5 58.5t-58.5 141.5v400q0 83 58.5 141.5t141.5 58.5z" />
+<glyph unicode="&#xe218;" d="M150 1100h900q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM125 400h950q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-283l224 -224q13 -13 13 -31.5t-13 -32 t-31.5 -13.5t-31.5 13l-88 88h-524l-87 -88q-13 -13 -32 -13t-32 13.5t-13 32t13 31.5l224 224h-289q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM541 300l-100 -100h324l-100 100h-124z" />
+<glyph unicode="&#xe219;" d="M200 1100h800q83 0 141.5 -58.5t58.5 -141.5v-200h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100v200q0 83 58.5 141.5t141.5 58.5zM100 600h1000q41 0 70.5 -29.5 t29.5 -70.5v-300h-1200v300q0 41 29.5 70.5t70.5 29.5zM300 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200zM1100 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200z" />
+<glyph unicode="&#xe221;" d="M480 1165l682 -683q31 -31 31 -75.5t-31 -75.5l-131 -131h-481l-517 518q-32 31 -32 75.5t32 75.5l295 296q31 31 75.5 31t76.5 -31zM108 794l342 -342l303 304l-341 341zM250 100h800q21 0 35.5 -14.5t14.5 -35.5v-50h-900v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe223;" d="M1057 647l-189 506q-8 19 -27.5 33t-40.5 14h-400q-21 0 -40.5 -14t-27.5 -33l-189 -506q-8 -19 1.5 -33t30.5 -14h625v-150q0 -21 14.5 -35.5t35.5 -14.5t35.5 14.5t14.5 35.5v150h125q21 0 30.5 14t1.5 33zM897 0h-595v50q0 21 14.5 35.5t35.5 14.5h50v50 q0 21 14.5 35.5t35.5 14.5h48v300h200v-300h47q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-50z" />
+<glyph unicode="&#xe224;" d="M900 800h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-375v591l-300 300v84q0 10 7.5 17.5t17.5 7.5h375v-400zM1200 900h-200v200zM400 600h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-650q-10 0 -17.5 7.5t-7.5 17.5v950q0 10 7.5 17.5t17.5 7.5h375v-400zM700 700h-200v200z " />
+<glyph unicode="&#xe225;" d="M484 1095h195q75 0 146 -32.5t124 -86t89.5 -122.5t48.5 -142q18 -14 35 -20q31 -10 64.5 6.5t43.5 48.5q10 34 -15 71q-19 27 -9 43q5 8 12.5 11t19 -1t23.5 -16q41 -44 39 -105q-3 -63 -46 -106.5t-104 -43.5h-62q-7 -55 -35 -117t-56 -100l-39 -234q-3 -20 -20 -34.5 t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l12 70q-49 -14 -91 -14h-195q-24 0 -65 8l-11 -64q-3 -20 -20 -34.5t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l26 157q-84 74 -128 175l-159 53q-19 7 -33 26t-14 40v50q0 21 14.5 35.5t35.5 14.5h124q11 87 56 166l-111 95 q-16 14 -12.5 23.5t24.5 9.5h203q116 101 250 101zM675 1000h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h250q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe226;" d="M641 900l423 247q19 8 42 2.5t37 -21.5l32 -38q14 -15 12.5 -36t-17.5 -34l-139 -120h-390zM50 1100h106q67 0 103 -17t66 -71l102 -212h823q21 0 35.5 -14.5t14.5 -35.5v-50q0 -21 -14 -40t-33 -26l-737 -132q-23 -4 -40 6t-26 25q-42 67 -100 67h-300q-62 0 -106 44 t-44 106v200q0 62 44 106t106 44zM173 928h-80q-19 0 -28 -14t-9 -35v-56q0 -51 42 -51h134q16 0 21.5 8t5.5 24q0 11 -16 45t-27 51q-18 28 -43 28zM550 727q-32 0 -54.5 -22.5t-22.5 -54.5t22.5 -54.5t54.5 -22.5t54.5 22.5t22.5 54.5t-22.5 54.5t-54.5 22.5zM130 389 l152 130q18 19 34 24t31 -3.5t24.5 -17.5t25.5 -28q28 -35 50.5 -51t48.5 -13l63 5l48 -179q13 -61 -3.5 -97.5t-67.5 -79.5l-80 -69q-47 -40 -109 -35.5t-103 51.5l-130 151q-40 47 -35.5 109.5t51.5 102.5zM380 377l-102 -88q-31 -27 2 -65l37 -43q13 -15 27.5 -19.5 t31.5 6.5l61 53q19 16 14 49q-2 20 -12 56t-17 45q-11 12 -19 14t-23 -8z" />
+<glyph unicode="&#xe227;" d="M625 1200h150q10 0 17.5 -7.5t7.5 -17.5v-109q79 -33 131 -87.5t53 -128.5q1 -46 -15 -84.5t-39 -61t-46 -38t-39 -21.5l-17 -6q6 0 15 -1.5t35 -9t50 -17.5t53 -30t50 -45t35.5 -64t14.5 -84q0 -59 -11.5 -105.5t-28.5 -76.5t-44 -51t-49.5 -31.5t-54.5 -16t-49.5 -6.5 t-43.5 -1v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-100v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-175q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v600h-75q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5h175v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h100v75q0 10 7.5 17.5t17.5 7.5zM400 900v-200h263q28 0 48.5 10.5t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-263zM400 500v-200h363q28 0 48.5 10.5 t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-363z" />
+<glyph unicode="&#xe230;" d="M212 1198h780q86 0 147 -61t61 -147v-416q0 -51 -18 -142.5t-36 -157.5l-18 -66q-29 -87 -93.5 -146.5t-146.5 -59.5h-572q-82 0 -147 59t-93 147q-8 28 -20 73t-32 143.5t-20 149.5v416q0 86 61 147t147 61zM600 1045q-70 0 -132.5 -11.5t-105.5 -30.5t-78.5 -41.5 t-57 -45t-36 -41t-20.5 -30.5l-6 -12l156 -243h560l156 243q-2 5 -6 12.5t-20 29.5t-36.5 42t-57 44.5t-79 42t-105 29.5t-132.5 12zM762 703h-157l195 261z" />
+<glyph unicode="&#xe231;" d="M475 1300h150q103 0 189 -86t86 -189v-500q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
+<glyph unicode="&#xe232;" d="M475 1300h96q0 -150 89.5 -239.5t239.5 -89.5v-446q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
+<glyph unicode="&#xe233;" d="M1294 767l-638 -283l-378 170l-78 -60v-224l100 -150v-199l-150 148l-150 -149v200l100 150v250q0 4 -0.5 10.5t0 9.5t1 8t3 8t6.5 6l47 40l-147 65l642 283zM1000 380l-350 -166l-350 166v147l350 -165l350 165v-147z" />
+<glyph unicode="&#xe234;" d="M250 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM650 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM1050 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
+<glyph unicode="&#xe235;" d="M550 1100q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 700q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 300q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
+<glyph unicode="&#xe236;" d="M125 1100h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM125 700h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM125 300h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe237;" d="M350 1200h500q162 0 256 -93.5t94 -256.5v-500q0 -165 -93.5 -257.5t-256.5 -92.5h-500q-165 0 -257.5 92.5t-92.5 257.5v500q0 165 92.5 257.5t257.5 92.5zM900 1000h-600q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h600q41 0 70.5 29.5 t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5zM350 900h500q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-500q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 14.5 35.5t35.5 14.5zM400 800v-200h400v200h-400z" />
+<glyph unicode="&#xe238;" d="M150 1100h1000q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe239;" d="M650 1187q87 -67 118.5 -156t0 -178t-118.5 -155q-87 66 -118.5 155t0 178t118.5 156zM300 800q124 0 212 -88t88 -212q-124 0 -212 88t-88 212zM1000 800q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM300 500q124 0 212 -88t88 -212q-124 0 -212 88t-88 212z M1000 500q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM700 199v-144q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v142q40 -4 43 -4q17 0 57 6z" />
+<glyph unicode="&#xe240;" d="M745 878l69 19q25 6 45 -12l298 -295q11 -11 15 -26.5t-2 -30.5q-5 -14 -18 -23.5t-28 -9.5h-8q1 0 1 -13q0 -29 -2 -56t-8.5 -62t-20 -63t-33 -53t-51 -39t-72.5 -14h-146q-184 0 -184 288q0 24 10 47q-20 4 -62 4t-63 -4q11 -24 11 -47q0 -288 -184 -288h-142 q-48 0 -84.5 21t-56 51t-32 71.5t-16 75t-3.5 68.5q0 13 2 13h-7q-15 0 -27.5 9.5t-18.5 23.5q-6 15 -2 30.5t15 25.5l298 296q20 18 46 11l76 -19q20 -5 30.5 -22.5t5.5 -37.5t-22.5 -31t-37.5 -5l-51 12l-182 -193h891l-182 193l-44 -12q-20 -5 -37.5 6t-22.5 31t6 37.5 t31 22.5z" />
+<glyph unicode="&#xe241;" d="M1200 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM500 450h-25q0 15 -4 24.5t-9 14.5t-17 7.5t-20 3t-25 0.5h-100v-425q0 -11 12.5 -17.5t25.5 -7.5h12v-50h-200v50q50 0 50 25v425h-100q-17 0 -25 -0.5t-20 -3t-17 -7.5t-9 -14.5t-4 -24.5h-25v150h500v-150z" />
+<glyph unicode="&#xe242;" d="M1000 300v50q-25 0 -55 32q-14 14 -25 31t-16 27l-4 11l-289 747h-69l-300 -754q-18 -35 -39 -56q-9 -9 -24.5 -18.5t-26.5 -14.5l-11 -5v-50h273v50q-49 0 -78.5 21.5t-11.5 67.5l69 176h293l61 -166q13 -34 -3.5 -66.5t-55.5 -32.5v-50h312zM412 691l134 342l121 -342 h-255zM1100 150v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5z" />
+<glyph unicode="&#xe243;" d="M50 1200h1100q21 0 35.5 -14.5t14.5 -35.5v-1100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5zM611 1118h-70q-13 0 -18 -12l-299 -753q-17 -32 -35 -51q-18 -18 -56 -34q-12 -5 -12 -18v-50q0 -8 5.5 -14t14.5 -6 h273q8 0 14 6t6 14v50q0 8 -6 14t-14 6q-55 0 -71 23q-10 14 0 39l63 163h266l57 -153q11 -31 -6 -55q-12 -17 -36 -17q-8 0 -14 -6t-6 -14v-50q0 -8 6 -14t14 -6h313q8 0 14 6t6 14v50q0 7 -5.5 13t-13.5 7q-17 0 -42 25q-25 27 -40 63h-1l-288 748q-5 12 -19 12zM639 611 h-197l103 264z" />
+<glyph unicode="&#xe244;" d="M1200 1100h-1200v100h1200v-100zM50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 1000h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM700 900v-300h300v300h-300z" />
+<glyph unicode="&#xe245;" d="M50 1200h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 700h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM700 600v-300h300v300h-300zM1200 0h-1200v100h1200v-100z" />
+<glyph unicode="&#xe246;" d="M50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-350h100v150q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-150h100v-100h-100v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v150h-100v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM700 700v-300h300v300h-300z" />
+<glyph unicode="&#xe247;" d="M100 0h-100v1200h100v-1200zM250 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM300 1000v-300h300v300h-300zM250 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe248;" d="M600 1100h150q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-100h450q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h350v100h-150q-21 0 -35.5 14.5 t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h150v100h100v-100zM400 1000v-300h300v300h-300z" />
+<glyph unicode="&#xe249;" d="M1200 0h-100v1200h100v-1200zM550 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM600 1000v-300h300v300h-300zM50 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe250;" d="M865 565l-494 -494q-23 -23 -41 -23q-14 0 -22 13.5t-8 38.5v1000q0 25 8 38.5t22 13.5q18 0 41 -23l494 -494q14 -14 14 -35t-14 -35z" />
+<glyph unicode="&#xe251;" d="M335 635l494 494q29 29 50 20.5t21 -49.5v-1000q0 -41 -21 -49.5t-50 20.5l-494 494q-14 14 -14 35t14 35z" />
+<glyph unicode="&#xe252;" d="M100 900h1000q41 0 49.5 -21t-20.5 -50l-494 -494q-14 -14 -35 -14t-35 14l-494 494q-29 29 -20.5 50t49.5 21z" />
+<glyph unicode="&#xe253;" d="M635 865l494 -494q29 -29 20.5 -50t-49.5 -21h-1000q-41 0 -49.5 21t20.5 50l494 494q14 14 35 14t35 -14z" />
+<glyph unicode="&#xe254;" d="M700 741v-182l-692 -323v221l413 193l-413 193v221zM1200 0h-800v200h800v-200z" />
+<glyph unicode="&#xe255;" d="M1200 900h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300zM0 700h50q0 21 4 37t9.5 26.5t18 17.5t22 11t28.5 5.5t31 2t37 0.5h100v-550q0 -22 -25 -34.5t-50 -13.5l-25 -2v-100h400v100q-4 0 -11 0.5t-24 3t-30 7t-24 15t-11 24.5v550h100q25 0 37 -0.5t31 -2 t28.5 -5.5t22 -11t18 -17.5t9.5 -26.5t4 -37h50v300h-800v-300z" />
+<glyph unicode="&#xe256;" d="M800 700h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-100v-550q0 -22 25 -34.5t50 -14.5l25 -1v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v550h-100q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h800v-300zM1100 200h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300z" />
+<glyph unicode="&#xe257;" d="M701 1098h160q16 0 21 -11t-7 -23l-464 -464l464 -464q12 -12 7 -23t-21 -11h-160q-13 0 -23 9l-471 471q-7 8 -7 18t7 18l471 471q10 9 23 9z" />
+<glyph unicode="&#xe258;" d="M339 1098h160q13 0 23 -9l471 -471q7 -8 7 -18t-7 -18l-471 -471q-10 -9 -23 -9h-160q-16 0 -21 11t7 23l464 464l-464 464q-12 12 -7 23t21 11z" />
+<glyph unicode="&#xe259;" d="M1087 882q11 -5 11 -21v-160q0 -13 -9 -23l-471 -471q-8 -7 -18 -7t-18 7l-471 471q-9 10 -9 23v160q0 16 11 21t23 -7l464 -464l464 464q12 12 23 7z" />
+<glyph unicode="&#xe260;" d="M618 993l471 -471q9 -10 9 -23v-160q0 -16 -11 -21t-23 7l-464 464l-464 -464q-12 -12 -23 -7t-11 21v160q0 13 9 23l471 471q8 7 18 7t18 -7z" />
+<glyph unicode="&#xf8ff;" d="M1000 1200q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM450 1000h100q21 0 40 -14t26 -33l79 -194q5 1 16 3q34 6 54 9.5t60 7t65.5 1t61 -10t56.5 -23t42.5 -42t29 -64t5 -92t-19.5 -121.5q-1 -7 -3 -19.5t-11 -50t-20.5 -73t-32.5 -81.5t-46.5 -83t-64 -70 t-82.5 -50q-13 -5 -42 -5t-65.5 2.5t-47.5 2.5q-14 0 -49.5 -3.5t-63 -3.5t-43.5 7q-57 25 -104.5 78.5t-75 111.5t-46.5 112t-26 90l-7 35q-15 63 -18 115t4.5 88.5t26 64t39.5 43.5t52 25.5t58.5 13t62.5 2t59.5 -4.5t55.5 -8l-147 192q-12 18 -5.5 30t27.5 12z" />
+<glyph unicode="&#x1f511;" d="M250 1200h600q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-500l-255 -178q-19 -9 -32 -1t-13 29v650h-150q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM400 1100v-100h300v100h-300z" />
+<glyph unicode="&#x1f6aa;" d="M250 1200h750q39 0 69.5 -40.5t30.5 -84.5v-933l-700 -117v950l600 125h-700v-1000h-100v1025q0 23 15.5 49t34.5 26zM500 525v-100l100 20v100z" />
+</font>
+</defs></svg> 
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.ttf b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..1413fc609ab6f21774de0cb7e01360095584f65b
GIT binary patch
literal 45404
zcmd?Sd0-pWwLh*qi$?oCk~i6sWlOeWJC3|4juU5JNSu9hSVACzERcmjLV&P^utNzg
zIE4Kr1=5g!SxTX#Ern9_%4<u(w1q<J@CsjEOL>&01rlrW`<y$HCCf?Z+y45=o|!u{
zcjlhEoqP5%FoVJ1G+bj44I8ITTQqxJ-LCg=WdK{*^eI!Pu_*@0U|>Z!56xXTGQR4C
z3vR~wXq>NDx$c~e?;ia3YjJ*$!C>69a?2$lLyhpI!C<oCzO?F`i#HxWjyD@jE}WZI
zU3l5~SDy9q1|;#myS}~pymONB?2*4U816rW`)#Xn!7@d1<NOHDt5&bOWb2!+g;p30
z4<NsI$%PwMp0nZD-M=sx9=^?B5SrGVvvng|Yryk+==sq4bJm^rO#Q?6;T&}k_iWs7
z@g?8i`(dlW@aQ!LgXLG3o_Fr~uM{nsXD~dq2>FfJsP=|`8@K0|bbMpWwVU<h#k=?&
z2hLD3ege)J^J9<Jz!_dI-O6?vWP>Eygg0=0x_)HeHpGSJagJNLA3c!$EuOV>j$wi!
zbo{vZ(s8tl>@!?}dmNHXo)ABy7ohD7_1G-P@SdJWT8*oeyB<gVy2N^Mz8Y_p4K;?4
zVT9pf!y_R}Xk_T@(1FkoDm{_X>VYVW9*vn}&VI4q++W;Z+uz=QTK}^C75!`aFYCX#
zf7fC2;o`%!huaTNJAB&VWrx=szU=VLhwnbT`vc<#<`4WI6n_x@AofA~2d90o?1L3w
z9!I|#P*NQ)$#9aASijuw>JRld^-t)Zhmy|i-`Iam|IWkgu<LN>aMR%lhi4p~cX-9&
zjfbx}yz}s`4-6>D^+6FzihR)Y!GsUy=_MWi_v7y#KmYi-{iZ+s@ekkq!<s)V`@Q^L
z`rY8W#qWgQ@xJ2-1w&;af5?RzOBGthmla=B{I%lG6(3e?tJqSpv0`mSvSMY$Srtnw
z=2y(Bm|8KV{P*SWmH)c@?ebrg|GfOw@*kDIQ2vZb)ms;}`oI6t>@Wxz!~BQwiI&ti
z>hC&iBe2m(dpNVvSbZe3DVgl(dxHt-k@{xv;&`^c8GJY%&^LpM;}7)B;5Qg5J^E${
z7z~k8eWOucjX6)7q1a%EVtmnND8cclz8R1=X4W@D8IDeUGXxEWe&p>Z*voO0u_2!!
zj3dT(Ki+4E;uykKi*yr?w6!BW2FD55PD6SMj`OfBLwXL5EA-9KjpMo4*5Eqs^>4&>
z8PezAcn!9jk-h-Oo!E9EjX8W6@EkTHeI<@AY{f|5fMW<-Ez-z)xCvW3()Z#x0oydB
zzm4MzY^NdpIF9qMp-jU;99LjlgY@@s+=z`}_%V*xV7nRV*Kwrx-i`FzI0BZ#yOI8#
z!SDeNA5b6u9!Imj89v0(g$;dT_y|Yz!3V`i{{_dez8U@##|X9<u78GO6Sj7w|BmAX
zYy>A};s^7vEd!3AcdyVlhVk$v?$O442KIM1-wX^R{U7`JW&lPr3N(%kXfXT_`7w^?
z=#ntx`tTF|N$UT?pELvw7T*2;=Q-x@KmDUIbLyXZ>f5=y7z1DT<7>Bp0k;eItHF?1
zErzhlD2B$Tm|^7DrxnTYm-tgg`Mt4Eivp5{r$o9e)8(fXBO4g|G^6Xy?y$SM*&V52
z6SR*%`%DZC^w(gOWQL?6DRoI*hBNT)xW9sxvmi@!vI^!mI$3kvAMmR_q#SGn3zRb_
zGe$=;Tv3dXN~9XuIHow*NEU4y&u}FcZEZoSlXb9IBOA}!@J3uov<cnLsMTt5KB)Lj
zYZXCxu;1bqjH18<x269<Tv%)JD-Sv?wUz&5KB?<}@bC!>p}yerhPMaiI8|SDhvWVr
z^BE&yx6e3&RYqIg;mYVZ*3#A-cDJ;#ms4txEmwm<RofF(aiZ;^6Sh1kbq&8p87Q}2
z)<!HT6VUck^|BOZR8X4U*lI4NmphK3T)k;q2UF1)TE2tD(Oq%0w%C5uBAc|kj54!X
zjK;0TBFmM`n@u^bcUhg<U$UozsV%ZmyUQe7juv~qZStAE?UA}H^b(uR^svd6<ohSA
zPN(&WybCrXyU=981ISP9mNdxHZPF8l4xGdT{y?OqQH)eNL?x_*jVgBKQggghY;ER4
z2ZJLPNi?@5u<K+P9v^?cajfyXk(LSV0q=;>@g^s`BB}KmSr7K+ruIoKs=s|gOXP|2
zb1!)87h9?(+1^QRWb(Vo8+@G=o24gyuzF3ytfsKjTHZJ}o{YznGcTDm!s)DRnmOX}
z3pPL4wExoN$kyc2>#J`k+<67sy-VsfbQ-1u+HkyFR?9G`9r6g4*8!(!c65Be-5hUg
zZHY$M0k(Yd+DT1*8)G(q)1<YNpB7js)5y12Eq7a-+TSy$n{z4WbFWWmXqX`NmQ;<8
z&#kMnTCG)e^Wqb#OY{bR(&}(pp3G}-_B)F+rS(l(vS<RecZ%(lx`adE6b#<MA*v6|
zqhg4L;6Ok2!XZ8=`3{3lFr+}jevG<T8z$m4n8_pfbf#&K;T~jROxF%RXK8L@N{?d!
z)#u0D$E0^47cxZAeVEjp$RK_kRO2h>&tDl=g9H7!bZTOvEEFnBOk_K=DXF(d4JOaH
zI}*A3jGmy{gR>s}EQzyJa_q_?TYPNXR<v?#Pfy-SGCMD6($H@d06+dYtCwDuCKCO`
zfTh}KuF@>U1O;fcV_&TQZhd{@*8Tgpraf~nT0BYktu*n{a~ub^UUqQPyr~yBY{k2O
zgV)honv{B_CqY|*S~3up%Wn%7i*_>Lu|%5~j)}rQLT1ZN?5%QN`LTJ}vA!EE=1`So
z!$$Mv?6T)xk)H8JTrZ~m)oNXxS}pwPd#);<*>zWsYoL6iK!gRSBB{JCgB28C#E{T?
z5VOCMW^;h~eMke(w6vLlKvm!!TyIf;k*RtK)|Q>_@nY#J%=h%aVb)?Ni_By)X<wQw
z7V$PDEtth$n$E;Ll`Y4%BO_9n-ugy!JpHdGlaMf3-bFSa<&`Z$)FNx2;bGa5ewQ9G
znS9p(JK$Y-8V}<ibr6q#cKkEx`_lIfW`o_}!WDwa=VY;jm&MFX_KN*c$8NiQ<*(1K
zOz-}+aK2WdJ+of=zJ0eN>NxY)E3`|}_u}fn+Kp^3p4RbhFUBRtGsDyx9Eolg77iWN
z2iH-}CiM!pfYDIn7;i#Ui1KG01{3D<{e}uWTdlX4Vr*nsb^>l0%{O?0L9tP|KGw8w
z+T5F}md>3qDZQ_IVkQ|BzuN08uN?SsVt$~wcHO4pB9~ykFTJO3g<4X({-Tm1w{Ufo
zI03<6KK`ZjqVyQ(>{_aMxu7Zm^ck&~)Q84MOsQ-XS~{6j>0lTl@lMtfWjj;PT{nlZ
zIn0YL?kK7CYJa)(8?unZ)j8L(O}%$5S#lTcq{rr5_gqqtZ@*0Yw4}OdjL*kBv+>+@
z&*24U=y{Nl<J@lPNofl42dq;77(U?JMya(0Crr4x>58qJyW1vTwqsvs=VRAzojm&V
zEn6=WzdL1y+^}%Vg!ap>x%%nFi=V#wn#<ZJY+2YKgUZIdddsj}x<a~(_z&i7iw6j~
zD6-dYj8)6VXu?|^ZEI$`u2WRyTK0%)bZh&!D^9oe9c{ncschFCaT|SNh@Ip0Y7e<>
zUuheBR@*<muvvX<=P{exAmqKj@)RY=k${p2#1fI%*ObNn_Svg5fBeeKm;N;8<i#ex
z@xiUPeR$hjC=hitVD9x2{{y_iS9U^gG9f@6f6&^Vs3zp5qf?=KTW@F7W@hJ`ZBCj<
zPCXs%#Cv+T9c^4a%MvhtBnK>KS)5Mn0`f=3fMwR|#-rPMQJg(fW*5e`7xO&^UUH<N
z8S{R+VU}U8VWDBEjsa+<a|A}qi`v{;%PNhy=5G#TrE#}Jn{iFX7S1~=;h}j7?-Paq
zPz1GeaZ=ceNsUv?a;Nj+<UmnU3}yC*^X?4%XYRVxg{MEFholmVGnq^}E!rMBWy|R_
zg)925;70bcj_+u_rTSN(=HrLgwiaEHUwf>{L(U8D$JtI!ac!g(Ze89<`UiO@L+)^D
zjPk2_Ie0p~4|LiI?-+pHXuRaZKG$%zVT0jn!yTvvM^jlcp`|VSHRt-G@_&~<4&qW@
z?b#zIN)G(}L|60jer*P7#KCu*Af;{mpWWvYK$@Squ|n-Vtfgr@<WJYami@2Z&u=;5
z5Vc}@3ijIdgOz2E{1ewt+&m|4loMa2;l_ZQ>ZOmR5Xpl;0q~VILmjk$$mgp+`<2jP
z@+nW5Oap%fF4nFwnVwR7rpFaOdmnfB$-rkO6T3#w^|*rft~acgCP|ZkgA6PHD#Of|
zY%E!3tXtsWS`udLsE7cSE8g@p$ceu*tI71V31uA7jwmXUCT7+Cu3uv|W>ZwD<C#<5
zr)TgUn*z=?aQx5GtI}?)S=9!TmC))*YbR(2eeE2+a>{&O4Nfjjvl43N#A$|FWxId!
z%=X!HSiQ-#4nS&smww~iXRn<-`&zc)nR~js?|Ei-cei$^$KsqtxNDZvl1oavXK#Pz
zT&%Wln^Y5M95w=vJxj0a-ko_iQt(LTX_5x#*QfQLtPil;kkR|kz}`*xHiLWr35ajx
zHRL-QQv$|PK-$ges|NHw8k6v?&d;{A$*q15hz9{}-`e6ys1EQ1oNNKDFGQ0xA!x^(
zkG*-ueZT(GukSnK&Bs=4+w|(kuWs5V_2#3`!;f}q?>xU5IgoMl^DNf+Xd<=sl2<ov
zdi9d6DbT*4=K1<NxE2(`@^$C>XvkqviJ>d?+G@Z5nxxd5Sqd$*ENUB_mb8Z+7CyyU
zA6mDQ&e+S~w49csl*UePzY;^K)Fbs^%?7;+hFc(xz#mWoek4_&QvmT7Fe)*{h-9R4
zqyXuN5{)HdQ6yVi#tRUO#M%;pL>rQxN~6yoZ)*{{!?jU)RD*oOxDoTjVh6iNmhWNC
zB5_{R=o{qvxEvi(k<Br-9y#p7E~9amU@sQujU02m+%O6`wmyB;RZm|f_25ZIu`sWx
z9Z!xjMn{xa)<lh?>hbRS`FOXmOO|&Dj$&~><!ER!M(aXh<Y=PO>*oo)bZz%lPhEA@
zQ;;w5eu5^%i;)w?T&*=UaK?*|U3~{0tC`rvfEsRPgR~16;~{_S2&=E{fE2=c>{+y}
zx1*NTv-*zO^px5TA|B```#NetKg`19O!BK*-#~wDM@KEllk^nfQ2quy25G%)l72<>
zzL$^{DDM#jKt?<>m;!?E2p0l12`j+QJjr{Lx*47Nq(v6i3M&*P{jkZB{xR?NOSPN%
zU>I+~d_ny=pX??qjF*E78>}Mgts@_yn`)C`wN-He_!OyE+gRI?-a>Om>Vh~3OX5+&
z6MX*d1`SkdXwvb7KH&=31RCC|&H!aA1g_=ZY0hP)-Wm6?A7SG0*|$mC7N^SSBh@MG
z9?V0tv_sE>X==yV{)^LsygK2=$Mo_0N!JCOU?r}rmWdHD%$h~~G3;bt`lH&<YttXG
zCx4~x@x7rvSlVC8c4`|@!#-B8ZKS<EH?nhD1$CFfEvQA7q3vKKC(B@*EPV@^RffeA
zqF7{q<g?nf7wl2mS$#hW3X3?XI^l_=xWmcuOlQEQZFITVPFH}vOiW=uH41qNTB4w>
zAuOOZ=G1Mih**0>lB5x+r)X^8mz!0K{SScj4|a=s^VhUEp#2M=^#WRqe?T&H9GnWa
zYOq{+gBn9Q0e0*Zu>C(BAX=I-Af9wIFhCW6_>TsIH$d>|{fIrs&BX?2G>GvFc=<8`
zVJ`#^knMU~65dWGgXcht`Kb>{V2oo%<{NK|iH+<q(5YAazG9MX#mAntl?z6uydZjo
zUFklHM_4M@0HYVoyB8BtKlWH`xbBg99hUSZMa9}uddMW%i`jRIi-g-Oj+Dcyby^(`
z%RQFN&dOf4Ittp8bTTLHYY;pny(Y2BDO&N?wA-C_6&0Pd?aun4t;+U8o0V7xD{xVE
zT_xFkLYF;IV~uA~NIx^oe`|Ag_zBH%@tGSHD~4^4RZ^~BcP(EUF`avIGk5b#Qq_%$
zWYy4>R^|Gx%q+env#Js*(EBT3V0=w4F@W+oLFsA)l7Qy8mx_;6Vrk;F2RjKFvmeq}
zro&>@b^(?f))OoQ#^#s)tRL>b0gzhRYRG}EU%wr9GjQ#~Rpo|RSkeik^p9x2<p!Ww
zwwmq`!~oDTY^~4nP7mqhE1&11QI*f_7OwLIc0Sdl0He@3A$?sO|G#_xO5%4jys!Au
zz!P*LF2Fu*;<$-+ZxX4HAsc@9KfXGYIspZeD-?_4;Ohrd$nih9sE;A+xh%Yxa|I;O
zMn43xybbA$h%OeU78ZAGUa0jg*n))`>+=rUr}vfnQoeFAlv=oX%YqbLpvyvcZ3l$B
z5bo;hDd(fjT;9o7g9xUg3|#?wU2#BJ0G&W1#wn?mfNR{O7bq74<ru+<wkuK7q*HuJ
zl3ikW@`O=kCFAR2we{1>7tc~mM%m%t+7YN}^tMa24O4@w<|$lk@pGx!;%pKiq&mZB
z?3h<&w>un8r?Xua6(@Txu~Za9tI@|C4#!dmHMzDF_-_~Jolztm=e)@vG11b<LZFLt
z=a@d3MJ-E4hYQZxA3y&6-j%$UZvUfp^pCgm<jTEuP^)mszD-y$n3Q&{-23}Wv_2Y8
ztp4g>ZQAs!tFvd9{C;oxC7VfWq377Y(LR^X_TyX9bn$)I765l=rJ%9uXcjggX*r?u
zk|0!db_*1$&i8>d&G3C}A`{Fun_1J;Vx0gk7P_}8KBZDowr*8$@X?W<UwWy2E;b%8
zDnv;u#sg4V5Tml=Bw6)GO(a6bm@pXL5;t*}iEhY9Zim8L-OM$RpsE=-)J6=6)|MD4
z8{19*DSK107+0Kbw2EdWh!twa9HVGLVmN$BX1?}c?!DT~m@%MuO{=cju@-!?UnaO{
z9Q;H&SNsH&+9*iqK+))0P{pW#u+IR2<&dC||BFzIuVKjDIAwxj0gQDf!MLF#VHC`D
zN_zXShCf+#K4Io(-dXedBI4SOK2y)rryrPZ_8G(S4~O-`iR!5u^?GLIlD&{}so=+h
zoX&5625-D!az-|Zx~ma2tVY~n7Eznkush<8w1#D9lj%>6v^LYmNWI)lN92yQ;tDpN
zOUdS-W4JZUjwF-X#w0r;97;i(l}ZZT$DRd4u#?pf^e2<Tp(F_Ylx9mIONs=GDOR7J
z!s@{!h&%A8Er}aMdD0mk#s%bH^(p8HL6l-6iKJ%JY$!?VLmDqZL7D4xf%;gN>yaFo
zbm>I@5}#8FjsmigM8w_f#m4fEP<w>~r~_?OWB%SGWcn$ThnJ@Y`ZI-O&Qs#Y14To(
zWAl>9Gw7#}eT(!c%D0m>5D8**a@h;sLW=6_AsT5v1Sd_T-C4pgu_kvc?7+X&n_fct
znkHy(_LExh=N%o3I-q#f$F4<wlfSnZ{aNtlaHgD*%*;+!if9}xbu`<To}#^Vl2QkO
z7|r$zhjK8GE;uJ+566KrGlUndEl83;o70s<D1jcM$y_hC&+<$#S-_D`DMkXCs6&Ja
zX$kb)3d(TSz&8E5_#CeAoC7l{hxp54WI)}a6Fq*MuVt{GA?j6in~9$1>QJpy>jZBW
zRF7?EhqTGk)w&Koi}QQY3sVh?@e-Z3C9)P!(hMhxmX<?O%M-wa0Dx5a@<^0#9_>LC
zF_+ZSTQU`Gqx@o<HpS{<a}-BAGy@<S0>(~<vXHshk{*j+nj`s1+omT#^krl>B$dbr
zHlEUKoK&`2gl>zKXlEi8w6}`X3kh3as1~sX5@^`X_nYl}hlbpeeVlj#2sv)CIMe%b
zBs7f|37f8qq}gA~Is9gj&=te^wN8ma?;vF)7gce;&sZ64!7LqpR!fy)?4cEZposQ8
zf;rZF7Q>YM<qvPX@rO5R|G8xB*d=47F5FbX>F1~eQ|Z*!5j0DuA=`~VG$Gg6B?Om1
z6fM@`Ck-K*k(eJ)Kvysb8sccsFf@7~3vfnC=<$q+VNv)FyVh6ZsWw}*vs>%k3$)9|
zR9ek-@pA23qswe1io)(Vz!vS1o*XEN*LhVYOq#T`;rDkgt86T@O`23xW~;W_#ZS|x
zvwx-XMb7_!hIte-#JNpFxskMMpo2OYhHRr0Yn8d^(jh3-+!CNs0K2B!1dL$9UuAD=
zQ%7Ae(Y@}%Cd~!`h|wAdm$2WoZ(iA1(a_-1?znZ%8h72o&Mm*4x8Ta<4++;Yr6|}u
zW<lfR&2thZ%arCCv7^XWW_6jB>8$p&izhdqF=m8$)HyS2J6cKyo;Yvb>DTfx4`4R{
zPSODe9E|uflE<`xTO=r>u~u=NuyB&H!(2a8vwh!jP!yfE3N>IiO1<sg)|!DAM%5V4
zImfj?oZv3;y3AIvb^=HU^uh7(X5<6aoUeyP2Mi=23DNrjwj6G-I5MpbGBBkQgLzRx
z_Qg%sVsEslI2A80hOod<S>jI>7e&3rR#RO3_}G23W?gwDHgSg<QXM9d4Lsp5W&)6?
zY*roO0w$UqxC4|r(Er$DV(2l9h4At3N_U`+Ukis<fpRRCK>ekzQ^PU&G5z&}V5GO?
zfg#*72*$DP1T8i`S7=P;bQ8lYF9_@8^C(|;9v8ZaK2GnWz4$Th2a0$)XTiaxNWfdq
z;yNi9veH<s@9We549w!!z+8C$Xr3bE8Io{iV0-^0*Z((QCVLd1<H5EqJokRheRd?M
z=9-#Ba=FG%;bgG2sZn!v5}(U9c2N6|uSx2-^nZJN<Y38%>!j)ba$9pke8`y2^63BP
zIyYKj^7;2don3se!P&%I2jzFf|LA&tQ=NDs{r9fIi-F{-yiG-}@2`VR^-LIFN8BC4
z&?*<A2U+2yvz#~5iMlAv#&#x?J%g>IvLiGHH5>NY(Z^CL_A;yISNdq58}=u~9!Ia7
zm7MkDiK~lsfLpvmPMo!0$keA$`%Tm`>Fx9JpG^EfEb(;}%5}B4Dw!O3BCkf$$W-dF
z$BupUPgLpHvr<<+QcNX*w@+Rz&VQz)Uh!j4|DYeKm5IC05T$KqVV3Y|MSXom+Jn8c
zgUEaFW1McGi^44xoG*b0JWE4T`vka7qTo#dcS4RauUpE{O!ZQ?r=-MlY#;VBzhHGU
zS@kCaZ*H73XX6~HtHd*4qr2h}Pf0Re@!WOyvres_9l2!AhPiV$@O2sX>$21)-3i+_
z*sHO4Ika^!&2utZ@5%VbpH(m2wE3qOPn-I5Tbnt&yn9{k*eMr3^u6zG-~PSr(w$p>
zw)x^a*8Ru$PE+{&)%VQUvAKKiWiwvc{`|GqK2K|ZMy^Tv3g|zENL86z7i<<vQD<>c
zW`W>zV1u}X%P;Ajn+>A)2iXZbJ5YB_r>K-h5g^N=LkN^h0Y6dPFfSBh(L`G$D%7c`
z&0RXDv$}c7#w*7!x^LUes_|V*=bd&aP+KFi((tG<uj&`TKbvJwt*s;^z;4Ys<BrXj
zUcC9nsnf4nJ}oNAV^;23Huc6W7jNCNGp&VZZ68xTF&1%{6q~EkQlv<(iM7j~voh3C
z@5k4r3!z`C;}lPV?5N1<S*Q-j1No*l<5(hps4yh~OUMfaqfZSw{1(}GVOnN8<B1ow
zokS3`Befl=7x!u#A9>*gakSR+FA26%{QJdB5G1F=UuU&koU*^zQA=cEN9}Vd?OEh|
zgzbFf1?@LlPkcXH$;YZe`WEJ3si6&R2MRb}LYK&zK9WRD=kY-JMPUurX-t4(Wy{%`
zZ@0WM2+IqPa9D(^*+MXw2NWwSX-_WdF0nMWpEhAyotIgqu5Y$wA=<qv3s0%`78x7-
z!YG+vXM)||6z({8VoMOb>zfuXJ0Y2lL3#ji26-P3Z?-&0^KBc*`T$+8+cqp`%g0WB
zTH9L)FZ&t073H4?t=(U6{8B+uRW_J_n*vW|p`DugT^3xe8Tomh^d}0k^G7$3wLgP&
zn)vTWiMA&=bR8lX9H=uh4G04R6>C&Zjnx_f@MMY!6HK5v$T%vaFm;E8q=`w2Y}ucJ
zkz~dKGqv9$E80NTtnx|Rf_)|3wxpnY6nh3U9<)fv2-vhQ6v=WhKO@~@X57N-`7Ppc
zF;I7)eL?RN23FmGh0s<krvL@Zi`9X>;Z#+p)}-TgTJE%&>{W+}C`^-sy{gTm<$>rR
z-X7F%MB9Sf%6o7A%ZHReD4R;imU6<9h81{%avv}hqugeaf=~^3A=x(Om6Lku-Pn9i
zC;LP%Q7Xw*0`Kg1)X~nAsUfdV%HWrpr8dZRpd-#%)c#Fu^mqo|^b{9Mam`^Zw_@j@
zR&ZdBr3?@<@%4Z-%LT&RLgDUFs4a(CTah_5x4X`xDRugi#vI-cw*^{ncwMtA4N<n#
zKe-3R=W^+cuK>KjByYBza)Y$hozZCpuxL{IP&=tw6ZO52WY3|iwGf&IJCn+u(>icK
zZB1~bWXCmwAUz|^<&ysd#*!DSp8}DLNbl5lRFat4NkvItxy;9tpp9~<f);nGGD>|@
z;JctShv^Iq4(z+y7^j&I?GCdKMVg&jCwtCkc4*@O7HY*veGDBtAIn*JgD$QftP}8=
zxFAdF=(S>Ra6(4slk#h%b?EOU-96TIX$Jbfl*<nInof4ph4hK=1pB+w>_7IY-|R%H
zF8u|~hYS-YwWt5+^!uGcnKL~jM;)ObZ#q68ZkA?}CzV-%6_vPIdzh_wHT_$mM%<x2
zq&@Ugp@y3#qmCWN2c()zUb2i%NHytqe#*|FOc9=9=lm37FJ~XnjPaYV#gu{Rxk3h%
z6(mfsR@KE$kTrlhgn%DPo5HpDO0=1-df|X)k_Bt?_o11|zfG(qa-#Sl@L(<sfroJg
zk#3es02GuhOy#7gPL>vws9lxUj;E@#1UX?WO2R^41(X!nk$+2oJGr!sgcbn1f^yl1
z#pbPB&Bf;1&2+?};Jg5qgD1{4_|%X#s48rOLE!vx3@ktstyBsDQWwDz4GYlcgu$UJ
zp|z_32yN72T*oT$SF8<}>e;FN^X&vWNCz>b2W0rwK#<1#kbV)Cf`vN-F$&knLo5T&
z8!sO-*^x4=kJ$L&*h%rQ@49l?7_9IG99~xJDDil00<${~D&;kiqRQqeW5*22A`8I2
z(^@`qZoF7_`CO_e;8#qF!&g>UY;wD5MxWU>az<ULIsNY$DJI@Av_2K^yD6wo0kqHs
zV#M>oo=E{kW(GU#pbOi%XAn%?W{b>-bTt&2?G=E&BnK9m0zs{qr$*&g8afR_x`B~o
zd#dxPpaap;I=>1j8=9Oj)i}s@V}oXhP*{R|@DAQXzQJekJnmuQ;vL90_)H_nD1g6e
zS1H#dzg)U&6$fz0g%|jxDdz|FQN{KJ&Yx0vfuzAFewJjv`pdMRpY-wU`-Y6WQnJ(@
zGVb!-8DRJZvHnRFiR3PG3Tu^nCn(CcZHh7hQvyd7i6Q3&ot86XI{jo%WZqCPcTR0<
zMRg$ZE=PQx66ovJDvI_JChN~k@L^Pyxv#?X^<)-TS5gk`M~d<~j%!UOWG;ZMi1af<
z+86U0=sm!qAVJAIqqU`Qs1uJhQJA&n@9F1PUrYuW!-~IT>l$I!#5dB<cfvg5VibV&
zDqvU$KKCo4v0yI;auEcF&ZcvUE7}qhEUthMrKK<ZZorlPhfA2o9*2RG_C6<ZwD)23
zgbU<ugZCNmzTNu!GMX!>aiAK}RUufjg{$#GdQBkxF1=KU2E@N=i^;xgG2Y4|{H>s`
z$<vvU|F(3Nv^%2-!)gt%bV2|xrF9!>t`k8c-8`fS7Yfb1FM#)vPKVE4Uf(Pk&%HLe
z%^4L>@Z^9Z{ZOX<^e)~adVRkKJDanJ6VBC_m@6qUq_WF<AGx+lu0P|(*RBdki}PPC
zR884Dd(Bf1Tr>@Epw>AYqf%r6qDzQ~AEJ<N!$QjqcKBS<-KzqABShp7@2HODUtuI-
zM1Hm0Vba1HggryAaeKKwP<qS1QZN90CS+8P%>!jtUvLp^CcqZ^G-;Kz3T;O4WG45Z
zFhrluCxlY`M+OKr2SeI697btH7Kj`O>A!+2DTEQ=48cR>Gg2^5uqp(+y5Sl09MRl*
zp|28!v*wvMd_~e2DdKDMMQ|({HMn3D%%ATEecGG8V9>`JeL)T0KG}=}6K8NiSN5W<
z79-ZdYWRUb`T}(b{RjN8>?M~opnSRl$$^gT`B27kMym5LNHu-k;A;VF8R(HtDYJHS
zU7;L{a@`>jd0svOYKbwzq+pWSC(C~SPgG~nWR3pBA8@OICK$Cy#U`kS$I;?|^-SBC
zBFkoO8Z^%8Fc-@X!KebF2Ob3%`8zlVHj6H;^(m7J35(_bS;cZPd}TY~qixY{MhykQ
zV&7u7s%E=?i`}Ax-7dB0ih47w*7!@GBt<*7ImM|_mYS|9_K7CH+i}?*#o~a&tF-?C
zlynEu1DmiAbGurEX2Flfy$wEVk7AU;`k#=IQE*6DMWafTL|9-vT0qs{A3mmZGzOyN
zcM9#Rgo7WgB_ujU+?Q@Ql?V-!E<ESfbH6cV^f<TVZZ6$j;;%C;F7k#%v)~#tDz@O9
zGjF`&rD{{KBD!Z>=jbypS+*ch<nT0vi*LE;jA`dwa7L|Pk{%Vkrl+;{Q+Icda+|DH
zxbX_5rMru~l@p?-nW}qiMdIwMuOHt$v$Z->I&zA+C_3_@aJal}!Q54?qsL0In({Ly
zjH;e+_SK8yi0NQB%TO+Dl77jp#2pMGtwsgaC>K!)NimXG3;m7y`W+&<(ZaV>N*K$j
zLL~I+6ouPk6_(iO>61cIsinx`5}DcKSaHjYkkMuDoVl>mKO<4$F<R}h5tU~DoQW2-
zb@mx6M$TIWS(5Azchs1S!C1Vg!dX-qRh*Tlox4o><>YJ5J9A2Vl}#BP7+u~L8C6~D
zsk`pZ$9Bz3teQS1Wb|8&c2SZ;qo<#F&gS;j`!~!ADr(jJXMtcDJ9cVi>&p3~{bqaP
zgo%s8i+8V{UrYTc9)HiUR_c?cfx{Yan2#%PqJ{%?Wux4J;T$#cumM0{Es3@$>}DJg
zqe*c8##t;X(<vs5F6*OK5RBh`;EMHg+sn$v%w2!Q1AFLXOj%hwP6VgZXe#dgvNr%C
zbK2>4$?A`ve)e@YU3d2Balcivot{1(ahlE5qg@S-h(mPNH&`pBX$_~HdG48~)$x5p
z{>ghzqqn_t8~pY<5?-To>cy^6o~mifr;KWvx_oMtXOw$$d6jddXG)V@a#lL4o%N@A
zNJlQAz6R8{7jax-kQsH6JU_u*En%k^NHlvBB!$JAK!cYmS)HkLAkm0*9G3!vwMIWv
zo#)+EamIJHEUV|$d|<)2iJ`lqBQLx;HgD}c3mRu{iK23C>G{0Mp1K)bt6OU?xC4!_
zZLqpFzeu&+>O1F>%g-%U^~yRg(-wSp@vmD-PT#bCWy!%&H;qT7rfuRCEgw67V!Qob
z&tvPU@*4*$YF#2_>M0(75QxqrJr3Tvh~iDeFhxl=MzV@(psx%G8|I{~9;tv#BBE`l
z3)_98eZqFNwEF1h)uqhBmT~mSmT8k$7vSHdR97K~kM)P9PuZdS;|Op4A?O<*%!?h`
zn`}r_j%xvffs46x2hCWuo0BfIQWCw9aKkH==#B(TJ%p}p-RuIVzsRlaPL_Co{&R0h
zQrqn=g1PGjQg3&sc2IlKG0Io#v%@p>tFwF)RG0ahYs@Zng6}M*d}Xua)+h&?$`%rb
z;>M=iMh5eIHuJ5c$aC`y@CYjbFsJnSPH&}LQz4}za9YjDuao>Z^EdL@%s<cic@|#d
zk`VYkAA1)5&zzBlUXwX>aRm&LGQWXs*;FzwN#p<?>H&j~SLhDZ+QzhplV_ij(NyMl
z;v|}a<m1KirP40Q9;?ZUGeiBO`6EQCP%m`AbDrv}WVxc|a9*xhB0zVg4PQB(Updr=
z()&PI0+wG1-G5cn-?{zrU(p$hh$VW4zkc`j%O6su+dqN;>mvxRddO81LJFa~2QFUs
z+<rMf(`FCeM}FJ^oJ6DQ^2{Nc9R`a9PEsYsk4d<kKA^opcC1pDZk0kh9^Gygk8>Lk
zZck)}9uK^buJNMo4G(rSdX{57(7&n=Q6$QZ@lIO9#<3pA2ceD<ex)Co(^yo~b^iS?
z-G6>pO_340B*pHlh_y{>i&c1?vdpN1j>3UN-;;Yq?P+V5oY`4Z(|P8SwWq<)<fz%B
zj)+x<OZ_gB*%c@YSI6p9w+Ydpc!Zcf$QEBFDuqEL6=PD@Pe~N@st{xMy+-n;*Mt~v
zmrteH;(NO63jTi5?DV@CF_fsL-w|T3X%De;sQHBB^9@P)Y{)Bp<max_sHiv=Y2ujB
z*Y0pN2vXRDgae#VLF1APpWP+=i6luTbXun4wCl7o-h=Gg-_V%L+$3>n`W@AwcQ?E9
zd5j8>FT^m=MHEWfN9jS}UHHsU`&SScib$qd0i=ky0>4dz5ADy70AeIuSzw#gHhQ_c
zOp1!v6qU<Kxjvk}u}KI}1IL4P)HQX%3Qy1||7)ACyj<$_yY^HUY1Qh86mASo5oGq6
zE#i-HjkgKyfR`wC1AzxilV;sCL6u<;DfJ$k2lHogcuG&96Y=9Dx08l3i%#>)@8MY+
zMNIID?(CysRc2uZQ$l*QZVY)$X?@4$VT^>djbugLQJdm^P>?51#lXBkdXglYm|4{L
zL%Sr?2f`J+xrcN@=0tiJt(<-=+v>tHy{XaGj7^cA6felUn_KPa?V4ebfq7~4i~GKE
zpm)e@1=E;PP%?`vK6KVPKXjUXyLS1^NbnQ&?z>epHCd+J$ktT1G&L~T)nQeExe;0Z
zlei}<<dHMjP`dMgT;)rz@KwnNqz2u#jL%!`ao{S@tM3IGYSeTv3Fk3tBkVZxLRlho
z@Yxs}5wdFIYX}Vx7;lNy5jfXGDv1)02|!y=K!RAWW@=@lh*MCQ(we#;x;&XaD>_ni
ztFo}j7nBl$)s_<W4is^tCJZEK$$)&HpdlqLPzQFWv`<{7GL_AD92F#&(|%OzJIbuy
z+Ol{_jn76nNgzuA>3odmdafVieFxc)m!wM+U`2u%yhJ90giFcU1`dR6BBTKc2cQ*d
zm-{?M&%(={<F~lIWhEX{d2;PTbK5UDb8+WLo7GcN=5=ow@4S4W$LOt!x3rG3C8mvr
z0>xYHy?VCx!ogr|4g5;V{2q(L?QzJGsirn~kWHU`l`rHiIrc-Nan!hR7zaLsPr4uR
zG{En&gaRK&B@lyWV@yfFpD_^&z>84~_0Rd!v(Nr%PJhFF_ci3D#ixf|(r@$igZiWw
za*qbXIJ_Hm4)TaQ=zW^g)FC6uvyO~Hg-#Z5Vsr<Zy{+LyD`h4YS(ghy#BfWzW^5Uo
zQ8PC9sjEJ4RGC&$F|HxuyK{woR4L3OZu<36tuvn9l2snS_;Y@J&z1A*lMO*_Ur`v=
zX;m?{v#RtbKP{_C_Pwp$oMe|?dH6}PAjk=@Y1ry|VVd(HV4<-(-0+OjB`EyB0T=kn
z(gB<B0#L(B#0`VW)>ybz6uOTF>Rq1($JS`imyNB7myWWpxYL(t7`H8*voI3Qz6mvm
z$JxtArLJ(1wlCO_te?L{>8YPzQ})xJlvc5wv8p7Z=HviPYB#^#_vGO#*`<0r%MR#u
zN_mV4vaBb2RwtoOYCw)X^>r{2a0kK|WyEYoBjGxcObFl&P*??)WEWKU*V~zG5o=s@
z;rc~uuQQf9wf)MYWsWgPR!wKGt6q;^8!cD_vxrG8GMoFGOVV=(J3w6Xk;}i)9(7*U
zwR4VkP_5Zx7wqn8%M8uDj4f1aP+vh1Wue&ry@h|wuN(D2W<Jk_Ub)RM4SgV&OId4;
zn2zn6!@5a6q<V@&t`j1NlR++Q;e@+-SbcuS)(a+|%YH!7_B%_B*R5T=?m|>;v6b1^
z`)7XBZ385zg;}&Pt@?dunQ=RduGRJn^9HLU&HaeUE_cA1{+oSIjmj3z+1YiOGiu-H
zf8u-oVnG%KfhB8H?cg%@#V5n+L$MO2F4>XoBjBeX>css^h}Omu#)ExTfUE^07KOQS
znMfQY2wz?!7!{*C^)aZ^UhMZf=TJNDv8VrrW;JJ9`=|L0`w9DE8MS>+o{f#{7}B4P
z{I34>342vLsP}o=ny1eZkEabr@niT5J2AhByUz&i3Ck0H*H`LRHz;>3C_ru!X+EhJ
z6(+(lI#4c`2{`q0o9aZhI|jRjBZOV~IA_km7ItNtUa(Wsr*Hmb;b4=;<J1?+^3A&j
zK3cnIJ@xJ)8})7lyFf5`owi5yu4lj04lY55Grhwxe6`Vjk5_%2h6Srm0%!Z7OTJgS
z7xk*fSj^YWvFa#^cCzaibaRR7wifomC%U_?eh_XL=5Hz83qQMDCary#^CqnoCok6y
z#aKY5h8k>R(gF@GmsRI`pF+0tmq0<eALkrdNz?_uQPl5L<ziG;l8G^BKV7-hN+!<*
z<qETgy|$oSZ328w$u~CVg?j38Ne8Nec!$^z3O9)SK=%x<?=HO#`R=(x+xbP_2n9~L
zA~@Y5=^p7G^ly*h(SjbX22XE{f_H~{EwlIe71&(CF%AC-KZ!PkfDiovb({chpQJjK
zFbjvUr>zy~wnoJD(<MLjh**JGO%zg$#8^?N-Q#VEMllAeBN{8Gkcp5385M+IP?10`
zKNJCQBzyb5Gta#5ZT-NK&Jkr}EY5LG-*{2<GI5k_E;Cjl{9Li(svK!m$F~O+U$JQS
zMZAi<dUJWWO0+lGoKxMN#+rIpvr}TmT8W9)5>LSEwHjT<no^?z{l8Hbtg<ND1Cr6K
z6#0!VQ^*}KTk66St&+e*u_9r$$-(;3c2C&lF^#Wti6x@NV{uFO48lerx@~U7EQm%~
zi8-wSrE-(Ma!Z+cdXdE^nH(<3+*mF-qjhezv`kVwaQ)pBtm+Jzn4-9>Ot4xb0XB-+
z&4RO{Snw4G%gS9w#uSUK$Zbb#=jxEl;}6&!b-rSY$0M4pftat-$Q)*y!bpx)R%P>8
zrB&`YEX2%+s#lFCIV;cUFUTIR$Gn2%F(3yLeiG8eG8&)+cpBlzx4)sK?>uIlH+$?2
z9q9wk5zY-xr_fzFSGxYp^KSY0s%1BhsI>ai2VAc8&JiwQ>3RRk?ITx!t~r45qsMnj
zkX4bl06ojFCMq<9l*4NHMAtIxDJOX)H=K*$NkkNG<^nl46<z}8DjmoX!f<;!=?S0X
zNm_qEi&;s|L9ptUk0h&55Ob{uhVekW1KY3{I#Svm7#;P3BE~;lg8EY6Q79rf(MCE=
zN8VGwjyg@p(Rvv6Qeo&vGBF~WTM7Tu+BS~CYXlw<;F93zrP+w<0f)nm=oOTD0XeL>
zHWH1GXb?Og1f0S+8-((5yaeegCT62&4N*pNQY;%asz9r9Lfr;@Bl${1@a4QA<GQZo
zHC=)78Wbo&u{ERGcuiNo;G#(z2^9z>vMLbV6JDp>8SO^q1)#(o%k!QiRSd0eTmzC<
zNIFWY5?)+JTl1Roi=nS4%@5iF+%XztpR^BSuM~DX9q`;Mv=+$M+GgE$_>o+~$#?*y
zAcD4nd~L~EsAjXV-+li6Lua4;(EFdi|M2qV53`^4|7gR8AJI;0Xb6QGLaYl1zr&eu
zH_vFUt+<?-wHx^jA;=HXzQKp_j)#`&591BSP(wIOS;Ce(17%gs%~hdM@>Ouf4SXA~
z&Hh8K@ms^`(hJfdicecj>J^Aqd00^ccqN!-f-!=N7C1?`4J+`_f^nV!B3Q^|fuU)7
z1NDNT04hd4QqE+qBP+>ZE7{v;n3OGN`->|lHjNL5w40pe<qclDY+ja_*(_95xs;%%
zq{v>PJ?^Y6bFk@^k%^5CXZ<+4qbOplxpe)l7c6m%o-l1oWmCx%c6@rx85hi(F=v(2
zJ$jN>?yPgU#DnbDXPkHLeQwED5)W5sH#<v%tu={Y=OlW2%;gK%O0*}OtgP0-W>-eS
z%#^4dxiVs{+q(Yd^ShMN3GH)!h!@W&N`$L!SbElXCuvnqh{U7lcCvHI#{ZjwnKvu~
zAeo7Pqot+Ohm{8|RJsTr3J4GjCy5UTo_u_~p)MS&Z5UrUc|+;Mc(YS+ju|m3Y_Dvt
zonVtpBWlM718YwaN3a3wUNqX;7TqvAFnVUoD5v5WTh~}r)KoLUDw%8Rrqso~bJqd>
z_T!&Rmr6ebpV^4|knJZ%qmzL;OvG3~A*loGY7?YS%hS{2R0%NQ@fRoEK52Aiu%gj(
z_7~a}eQUh8PnyI^J!>pxB(x7FeINHHC4zLDT`&C*XUpp@s0_B^!k5Uu)^j_uuu^T>
z8WW!QK0SgwFHTA%M!L`bl3h<zOXT*J6fe~c%_xb0$mxr#<2VD=$rO0L8nX7*#{Ksu
z$LONOvFCTfJN5XIapRVZlX}Y=<Lbb4!eHVHYIDPW9?-^*TjQ2+nH<TKdTCuE{W6Ky
z7>HjPp)|wL5Var_*A1-H8LV?uY5&ou{hRjj>#X@rxV>5<xG4RL_K~wL=!|H8*ZSVn
ze*QWuVl90vQ035NRw9cT+>%-9hbP+v?$4}3EfoRH;l_wSiz{&1<+`Y5%o%q~4<MOn
zEoNk8R4!uRxI3kmMnO0fow{Ibz3`A^4>rdpRF0jOsCoLnWY5x?V)0ga>CDo`NpqS)
z@x`mh1QGkx;f)p-n^*g5M^zRTHz%b2IkLBY{F+HsjrFC9_H(=9Z5W&Eymh~A_FUJ}
znhTc9KG((OnjFO=+q>JQZJbeOoUM77M{)$)qQMcxK9f;=L;IOv_J>*~w^YOW744QZ
zoG;!b9VD3ww}OX<8sZ0F##8hvfDP{hpa3HjaLsKbLJ8<m2C(MCx~x+Mo`}Jf7gdL>
z0WpY2E!w?&cWi7&N%bOMZD~o7QT*$xCRJ@{t31~qx~+0yYrLXubXh2{_L699Nl_pn
z6)9eu+uUTUdjHXYs#pX^L)AIb!FjjNsTp7C399w&B{Q4q%yKfmy}T2uQdU|1EpNcY
zDk~(h#AdxybjfzB+mg6rdU9mDZ^V>|U13Dl$Gj+pAL}lR2a1u!SJXU_YqP9N{ose4
zk+$v}BIHX60WSGVWv;S%zvHOWdDP(-ceo(<8`y@Goy%4wDu>57QZNJc)f>Ls+}9h7
z^N=#3q3|l?aG8K#HwiW2^PJu{v|x5;awYfahC?>_af3$LmMc4%N~JwVlRZa4c+eW2
zE!zosAjOv&UeCeu;Bn5OQUC=jtZjF;NDk9$fGbxf3d29SUBekX1<Pr@Tu%2mF`vob
zdsw;fW5J;CqD*)A#3k~8m#E~>!a$Vmq_VK*MHQ4)eB!dQrHH)LVYNF%-t8!d`@!cb
z2CsKs3|!}T^7fSZm?0dJ^JE`ZGxA&a!jC<>6_y67On0M)hd$m*RAzo_qM?aeqkm`*
zXpDYcc_>TFZYaC3JV>{>mp(5H^efu!Waa7hGTAts29jjuVd1vI*fEeB?A&uG<8dLZ
z(j6<v3j>;-%vJ7R0U9}XkH)1g>&uptXPHBEA*7PSO2TZ+dbhVxspNW~ZQT3fApz}2
z_@0-lZODcd>dLrYp!mHn4k>>7kibI!Em+Vh*;z}l?0qro=aJt68joCr5Jo(Vk<@i)
z5BCKb4p6Gdr9=JSf(2Mgr=_6}%4?SwhV+JZj3Ox^_^OrQk$B^v?e<VR4r!cUQcNa*
zLw&@@0{2I&$oQBHjs;Rdk`@6y1!<-(7NgjbFuEcwrG9}&Hy03(S??>Nz}d^xRaz&~
zKVnlLnK<O~>#8^y=If2f1zmb~^5lPLe?%l}>?~wN4IN((2~U{e9fKhLMtYFj)I$(y
zgnKv?R+ZpxA$f)Q2l=aqE6EPTK=i0sY&MDFJp!vQayyvzh4wee<}kybNthRlX>SHh
z7S}9he^EBOqzBCww^duHu!u+dnf9veG{HjW!}aT7aJqzze9K6-Z~8pZAgdm1n~aDs
z8_s7?WXMPJ3EPJHi}NL&d;lZP8hDhAXf5Hd!x|^kEHu`6QukXrVdLnq5zbI~oPo?7
z2Cbu8U?$K!Z4_yNM1a(bL!GRe!@{Qom+DxjrJ!B99qu5b*Ma%^&-=6UEbC+S2zX&=
zQ!%bgJTvmv^2}hhvNQg!l=kbapAgM^hruE3k@jTxsG(B6d=4thBC*4tzVpCYXFc$a
zeqgVB^zua)y-YjpiibCCdU%txXYeNFnXcbNj*D?~)5AGjL+!!ij_4{5EWKG<MLirH
z+DX^Dk(~hl-o)R17Ke7NBWBmGx0}_Yh*L{$3or|S`y{XU9=}stg7(?(^wZZS2Da%+
zWvCP|MzT2WK(<`aoEV!R1WAp-r%3{)SA=78<qFf;<rwNmD*Y*6(NUk(!LD}1(qHA3
z`=B=489M4KM^RxXd(tHgT%9X5Tjnh2mdXv4MCT5VYa7rd+N5ISRlSW}1lw5{(5L@K
zwzTh&rM#;2<;oP^LJod0{WsXpN5C{w?l*Jg>av0^={~M^q}baAFOPzxfUM>`KPf|G
z&hsaR*7(M6KzTj8Z?;45zX@L#xU{4n$9Q_<-ac(y4g~S|Hyp^-<*d8+P4NHe?~vfm
z@y309=`lGdvN8*jw-CL<;o#DKc-%lb0i9a3%{v&2X($|Qxv(_*()&=xD=5oBg=$B0
zU?41h9)JKvP0yR{KsHoC>&`(Uz>?_`tlLjw1&5tPH3FoB%}j;yffm$$s$C=<NH+_Q
zuVOy!BKDYAHt^L);tLou9Iw!KVrZ;__9lB4Qu}AkDaaH65g@R}lia;0J%u}*93`p?
zaeF={6)8oIBzH4kIggVAVvNSbROx-Z(+`hO*myDp7yv#WCwMIxk<hHjD5AkCV*KFy
z7uwrr!(roY4b(1>RHi`I3*m@%CPqWnP@B~%DEe;7ZT{9!IMTo1hT3Q347HJ&!)BM2
z3~aClf>aFh0_9||4G}(Npu`9xYY1*SD|M~9!CCFn{-J$u2&Dg*=5$_nozpoD2nxqq
zB!--eA8UWZlcEDp4r#vhZ6|vq^9sFvRnA9HpHch5Mq4*T)oGbruj!U8Lx_G%Lby}o
zTQ-_4A7b)5A42vA0U}hUJq6&wQ0J%$`w#ph!EGmW96)@{AUx>q6E>-r^Emk!iCR+X
zdIaNH`$}7%57D1FyTccs3}Aq0<0Ei{`=S7*>pyg=Kv3nrqblqZcpsCWSQl^uMSsdj
zYzh73?6th$c~CI0>%5@!Ej`o)Xm38u0fp9=HE@Sa6l2<mw_Yh7ly>oX9^^4|Aq%GA
z3(AbFR9gA_2T2i%Ck5V<FfGDt5jFr`inQh;1&EJ*>2Q2WW-(a&(j#@l6wE4Z`xg#S
za#-UWUpU2U!TmIo`CN0JwG^>{+V#9;z<j+vge|-bMmFe5eQtw=$jBe&1J+DLGhNXR
zVF0LJkT6h0B8nsw@>vx;ztc$}@NlcyJr?q(Y`UdW6qhq!aWyB5xV1#Jb{I-ghFNO0
z<gP-h@3s4i1u==>FU~+QgPs{FY1AbiU&S$QSix>*rqYVma<-~s%ALhFyVhAYepId1
zs!gOB&weC18yhE-v6ltKZMV|>JwTX+X)Y_EI(Ff^3$WTD|Ea-1HlP;6L~&40Q&5{0
z$e$2KhUgH8ucMJxJV#M%cs!d~#hR^nRwk|uuCSf6irJCkSyI<%CR==tftx6d%;?ef
zYIcjZrP@APzbtOeUe>m-TW}c-ugh+U*RbL1eIY{?>@8aW9bb1NGRy@MTse@>=<ra>
za%;5=U}X%K2tKTYe9gjMcBvX%qrC&uZ`d(t)g)X8snf?vBe3H%d<Ke$F$Z0AGpq$L
zh*N9G{;KEPa}gmeOBNBk0zORp;`+VU|1_04|4V$bCz(R~xePApA?YFdZU$CR63IbQ
z2Pq2(THUz7SlMWdHOdM19(SYTR)^7j>G=b<Uy4X-FL@RBUeVq-s%!3f=Wp$pdFiyc
z*UH5I+~YQSU-pf1Z~4Z+d0X6)<0i*Q_Z}vh)KKf>l^rv8Z@YN$gd9yveHY0@Wt0$s
zh^7jCp(q+6XDoekb;=%y=Wr8%<!i<hjG`j2f#)CHoE%?oHV1t_^966$UcQ|tMEj_Y
z^Dp_?#syJ7V{9Es?J3v}f}pPx{87yPa7|66#gbBs#7ePJ{bo_oH&rCWA~hx1V^t$U
z+8@1TWfn_Z`;{~9gC9mv?eoQ*Y-C)rhp|}dc#r5_J0yspKw$C`a}OGKQh(E&3WUik
z4AxbHbeGhXO7DYJ7=8m!=+Sj-HxJCb*@hx`<Q?E73ZqASI|ZO4gQX;PgpcX_I2dEP
z4PzF^;fhXQ)40w{k(P#>6;z0ANH5dDR_VudDG|&_lYykJaiR+(y{zpR=qL3|2e${8
z2V<U){GkH!99$-?(vZQ6`9xYUH;m>;?jgHj7}Kl(d8C9xWRjhpf_)KOXl+@c4wrHy
zL3#9U(`=N59og2KqVh>nK~g9>fX*PI0`>i;;b6K<iTA=O-~d|1@8nQW|764_gHT9A
z+Jdw)Cus?cfv_Gsi;gF31B#4DZ2^Yn1Wk~wI*LZ!hnDLnI_*R~z#5pH4R3KO1Ir1F
zNQX5wC;<FU(7pj+t&{Y#h#K(_6=WtrHj4aPX$5uUHjT;c(e}35?V4?SZCg90+pyx(
z`_R8jCQe*LR*{P)PNV>F|8zg+k2hViCt}4dfMdvb1NJ-Rfa7vL2;lPK{Lq*u`JT>S
zoM_bZ_?UY6oV6Ja14X^;LqJPl+w?vf*C!nGK;uU^0GRN|UeFF@;H(Hgp8x^|;ygh?
zIZx3DuO(lD01ksanR@Mn#lti=p28RTNYY6yK={RMFiVd~k8!@a&^jicZ&rxD3CCI!
zVb=fI?;c#f{K4Pp2lnb8iF2mig)|6JEmU86Y%l}m>(VnI*Bj`a6qk8QL&~PFDxI8b
z2mcsQBe9$q`Q$LfG2wdvK`M1}7?SwLAV&)nO;kAk`SAz%x9CDVHVbUd$O(*aI@D|s
zLxJW7W(QeGpQY<$dSD6U$ja(;Hb3{Zx@)*fIQaW{8<$KJ&fS0caI2Py^clOq9@Irt
z7th7F?7W`j{&UmM==Lo~T&^R7A?G=K_e-zfTX|)i`pLitlNE(~tq*}sS1x2}Jlul6
z5+r#4SpQu8h{ntIv#qCVH`uG~+I8l+7ZG&d`Dm!+(rZQDV*1LS^WfH%-!5aTAxry~
z4xl&rot5ct{xQ$w$MtVTUi6tBFSJWq2Rj@?HAX1H$eL*fk{Hq;E`x|hghRkipYNyt
zKCO=*KSziiVk|+)qQCGrTYH9X!Z0$k{Nde~0Wl`P{}ca%nv<6fnYw^<s*I^w2}g4)
zDT(2xL%uqsByOSZ61tavt7O>~9dYxTnTZB&&962jX0DM&wy&8fdxX8xeHSe=UU&Mq
zRTaUKnQO|A>E#|PUo+F=Q@dMdt`P*6e92za(TH{5C*2I2S~p?~O@hYiT>1(n^Lqqn
zqewq3ctA<T{c@#lWCZ$(!d{cN7=2we77Yx!0ew~Gx<3;vHo@;Z=)<i6dXzL;AY|z|
zQh^P>A%0E)r53*P-a8Ak32mGtUG`L^WVcm`QovX`ecB4E9X60wrA(6NZ7z~*_DV_e
z8$I*eZ8m=WtChE{#QzeyHpZ%7GwFHlwo2*tAuloI-j2exx3#x7EL^&D;Re|Kj-XT-
zt9<G*I5j~YwPM=zQc<-<5T)`?p=k3wJ6%=B%=d_@HDXhwqg3ij6<6Gneq}IMRsO?+
zZ$ux+&=>08^soV2`7s+Hha!d^#J+B)0-`{qIF_x=B811SZlbUe%kvPce^xu7?LY|C
z@f1gRPha1j<g?ml{#gpkD^O$XNTr0o(I;d;h4uA8LjteITT`#--;T+ZYX+t7g{&jY
z%jLmo;U5!e_41&}2`Y3PtJNiOtyHYGC;e`w)XqI9cfa-k)QH;zlhbma7)pQ1mZ#s9
zrt1Z7OQrg>q|=f}Se)}v-7MWH9)YAs*FJ&v3ZT9TSi?e#jarin0tjPNmxZNU_JFJG
z+tZi!q)JP|4pQ)?l8$hRaPeoKf!3>MM-bp06RodLa*wD=g3)@pYJ^*YrwSIO!SaZo
zDTb!G9d!hb%Y0QdYxqNSCT5o0I!GDD$Z@N!8J3eI@@0AiJmD7brkvF!pJGg_AiJ1I
zO^^cKe`w$DsO|1#^_|`6XTfw6E3SJ(agG*G9qj?JiqFSL|6tSD6vUwK?Cwr~gg)Do
zp@$D~7~66-=p4`!!UzJDKAymb!!R(}%O?Uel|rMH>OpRGINALtg%gpg`=}M^Q#V5(
zMgJY&gF)+;`e38QHI*c%B}m94o&tOfae;<xSoo%JWgt|4OsWqBge(0MrWCl{^{1qR
z$9kiQL{yp=)4GQGI_Jm5&g#GDTYcGhkauMJQ(qfM)1pg_a_8YpGwNbwNKp#T3-1@6
z|CjTBM~_fXe$Rs`cJE+v;7^0eysLT1ugyST5y-lLQ?!t5I+r@})qno};JoRD-E=Xi
zX_8OynCqNAP{M@6q0{1lA$fd7YVYB^B3HOC?;KS&skUZdpr&?G*{Dvo9Hf%gnd2O9
zvFCA)Qg13bH?d=3bMwL-iMgPupd}c_KuUy2B!UeZUr<=BIK|YBv?yV$q58*?!w_CK
zhp}K1=StAQ6{?zIqvi9mLesqVm&dX(9+AzcRVtrMpZ;{ErIyVQpVYzYVcvn6%u9m3
zENe?2g{r;1I%;x<{deB!54%lK?QVcb%q|Y(3&@xG42;qPh~(~r6ouOokrhp}g_Byo
zKp4yiKG~E3?*xr!?^(OHXYKbID@Vk%L$MJN?dLjF_FD?rZRr8zTic`kxqVF61s8OU
zY1cLlYqVUOIkCpn>og&!J2;6ENW}QeL7<PXg{yny8O<B+-%z=8!`{k@uZK?dU2tpL
zoDCc1bk4tH!`>3jatbI1*9X~y=$Dm%6FwDcnCyMRL<PZ=`4kP-O>}zo`0=y7=}*Uw
zo3!qZncAL{HCgY!+}eKr{P8o27ye+;qJP;kOB%RpSesGoHLT6tcYp*6v~Z9NCyb6m
zP#qds0jyqXX46qMNhXDn3pyIxw2f_z;L_X9EIB}<BZV)NY+Sf`GmW4*C1<w9<G3@Y
zR-2Ao^uw)%Z0Eww)CNf&GoE61(l=R$@lLulhRTBom-G)|sA)*B&(~_KWRT_L+saB5
zo*q>AhyC`FYI}G3$WnW>#NMy{0aw}nB%1=Z4&*(FaCn5QG(zvdG^pQRU25;{wwG4h
z@kuLO0F->{@g2!;NNd!<zny}%07Jn8Nf<E`qd>PfqM-;@F0;&wK}0fT9UrH}(8A5I
zt33(<pT6JhCadCO^EwcP0}B}m196bLHZSD1wzS~lgDzyBOMDp_>+&U;CLN|8+71@g
z(s!f-kZZZILUG$QXm9iYiE*>2w;gpM>lgM{R9vT3q>qI{ELO2hJHVi`)*jzOk$r)9
zq}$VrE0$GUCm6A3H5J-=Z9i*biw8<GlN{|J&^K2l_*g<#Pt^RN|DX}11Ly}*7(>ng
zi<1nM0lo^KqRY@Asucc#DMmWsnCS;5uPR)GL3pL=-IqSd>4&D&NKSGHH?pG;=Xo`w
zw~VV9ddkwbp~m>9G0*b?j7-0fOwR?*U#BE#n7A=_fDS>`fwatxQ+`F<!Rj$KZl*<p
zT?$eX^b9WOf%^Fc5Ow$#oiLZxFXB|4X4Ah-N23bVC3rdbHNy5`I((oY2SI(gVJE_3
zv~k-4(EcFxN5Hx@>zhBGQUAyIRZ??eJt46vHBlR>9m!vfb6I)8!v6TmtZ%G6&E|1e
zOtx5xy%yOSu+<9Ul5w5N=&~4Oph?I=ZKLX5DXO(*&Po>5KjbY7s@tp$8(fO|`Xy}Y
z;NmMypLoG7r#Xz4aHz7n)MYZ7Z1v;DFHLNV{)to;(;TJ=bbMgud96xRMME#0d$z-S
z-r1ROBbW^&YdQWA>U|Y>{whex#~K!ZgEEk=LYG8Wqo28NFv)!t!~}quaAt}I^y-m|
z8~E{9H2VnyVxb_wCZ7v%y(B@VrM6lzk~|ywCi3HeiSV`TF>j+I<PcrA4vbhkc}Ds9
zVnPj;dD9hvN^{*9tq;`Y3-i35x*J^9kk!Mknb6QMp+R%r;|Y~}U1bd=<D2Z^=6NHx
z)o!mbv)c13!qxVmdz@Dme2Ud2?)buFbw!<Z_N}SPHX2@PRM{c<oRhmdQ=Q!h%GA-#
zE|+zRyX;@_)`kh%@3wm_ZjUz-66I&coi<`>jd|p*kyn;=mqtf8&DK^|*f+y$<HJ*z
z{kCJi%r~syv1<5SAj?Qn<RD-N0#-mimPHVGsjQ(4>38+9!sis9N=S)nINm9=CJ<;Y
z!t&C>MIeyou4XLM*ywT_JuOXR>VkpFwuT9j5>66<JwXm0Iz|uD_GISrZ<tb63#|b6
zmesyu7v#<;wAs4wx|xl$8!C)O(dny+&uQp5Yiylr74+Z{`kuduLfD{$!RweaKvq@@
zSKvT=l{+EaFCqSAuk-})NiD5^S-DyEOCPWcr6mSZED8GEaH3HbBi=sIw&e0Ek0*HT
zg7i-oY%env)m$!wZo6{H^btX$@qVG{e!&!~J#BILfmfs_E?=UpX#O6)G;!&c?y}Qg
zZDtQIxqNpZ+R#vKv;FOFva`NsR7883$-r&2{_WuFALO<~3Fk}Bb(WC&g8i;%)qzDY
zRjOTdfX!%Ad(<}BcYy4>7A=CU*{TBrMTgb4HuW&!%Yt`;#md7-`R`ouOi$rEd!ErI
zo#>qggAcx?C7`rQ2;)~PYCw%CkS(@EJHZ|!!lhi@Dp$*n^mgrrImsS~(ioGak>3)w
zvop0lq@II<?zr~h{;~Z%uibTbs^_R=H(HEh%|uq3KKIc_zxBu?d|hToq+T%unvO@H
z_7G`_g*WS&kUbvS*4>SuA0Ou*#1JkG{U>xSQV1e}c)!d$L1plFX5XDXX5N<n2C0jm
zX{r1Jy%RD8vWp=4fyb$$F_f=*`nvNgb$TK5DH~vUeDX&BtW7RGgbP7rCk$}DqbN_=
zG+@cCNjfaVNpOlFw+a>7Ns{kT{y5|6MfhBD+esT)e7&CgSW8FxsXTAY=}?0A!j_V9
zJ;IJ~d%av<@=fNPJ9)T3qE78kaz64E>dJaYab5u<efW`3H($g#7XgvMkYf+oz36no
z(7hfLHbbB2R0{1uae-^d+wzih8L%N9he3ud^j?e&dq$dH2awC*y4Q%$6QP+9{{{^S
zS|%?I`*;k>aU`n~Zdp2h{8DV%SKE5G^$LfuOTRRjB;TnT(Jk$r{Pfe4CO!SM_7d)I
zquW~FVCpSycJ~c*B*V8?Qqo=GwU8CkmmLFugfHQ7;A{yCy1OL-+X=twLYg9|H=~8H
znnN@|tCs^ZLlCBl5wHvYF}2vo>a6%mUWpTds_mt*@wMN4-r`%NTA%+$(`m6{MNpi@
zMx)8f>U<?#KGhQOH9sd_@m#$xV)2XXy+)7rj<v$+@Y;iI(?-Y3Sg0r<Nksvzzi#Zp
z$q~EP;jFN*8js?YBQ<`b?Z-d1$^IIsy$A>4hd!row@gM&PVo&Hx+lV@$j9yWTjTue
zG9n0DP<*HUmJ7ZZWwI2x+{t3QEfr6?T}2iXl=6e0b~)J>X3`!fXd9+2wc1%cj&F@Z
zgYR|r5Xd5jy9;YW&=4{-0rJ*L5CgDPj9^3%bp-`HkyBs`j1iTUGD4?WilZ6RO8mIE
z+~Joc?GID6K96dyuv(dWREK9Os~%?$$FxswxQsoOi8M?RnL%B~Lyk&(-09D0M?^Jy
zWjP)n(b)TF<-|C<kuA~or~e()IVaJB8ThDOo%m84{2#Jw7lA;F7HB%yOOfao*a-Bo
z9vF{4tjJ*|r>G%!Vz?8Fu&6iU<>oG#kGcrcrrBlfZMVl0wOJvsq%RL9To%iCW@)#&
zZAJWhgzYAq)#NTNb~3GBcD%ZZOc43!YWSyA7TD6xkk<oWhdAZNF5oEMySt*u%}=mX
zY^=DnO8CU4$;_0G$Mo-Kkj5NlGljS+>)n^FaRAz73b}%9d&YisBic(?mv=Iq^r%Ug
zzHq-rRrhfOOF+yR=AN!a9*Rd#sM9ONt5h~w)yMP7Dl9lfpi$H0%GPW^lS4~~?vI8Z
z%^ToK#NOe0ExmUsb`lLO$W*}yXNOxPe@zD*90uTDULnH6C?InP3J=jYEO2d)&e|mP
z1DSd0QOZeuLW<s88&Dqv$ZDY(qEHICGi1F$d4+8O&b2468PMe9JW2)dic7s&U~)}9
zv>o*NqZzopA+LXy9)fJC00NSX=_4Mi1Z)YyZVC>C!g}cY(Amaj%QN+bev|Xxd2OPD
zk!dfkY6k!(sDBvsFC2r^?}hb81(WG5Lt9|riT`2?P;B%jaf5UX<~OJ;uAL$=Ien+V
zC!V8u0v?CU<?sa9rw*YNr=`U}IHdv2<G`|o3Bx8D;^GeQOIB`c%X^K&>a)4*Q+Q_u
zkx{q;NjLcvyMuU*{+uDsCQ4U{JLowYby-tn@<?{mQ!v2u1l{5e{t5@ZjF*S!>hatL
zy}X>9y08#}oytdn^qfFesF)Tt(2!XGw#r%?7&zzFFh2U;#U9XBO8W--#gOpfbJ`Ey
z|M8FCKlWQrOJwE;@Sm02l9OBr7N}go4V8ur)}M@m2uWjggb)DC4s`I4d7_8O&E(j;
z?3$9~R$QDxNM^rNh9Y;6P7w+bo2q}NEd6f&_raor-v`UCaTM3TT8HK2-$|n{N@U>_
zL-`P7EXoEU5JRMa)?tNUEe8XFis+w8g9k(QQ)%?&Oac}S`2V$b?%`DwXBgja&&fR@
zH_XidF$p1wA)J|Wk1;?lCl?fgc)=TB3>Y8;BoMqHwJqhL)Tgydv9(?(TBX)fq%=~C
zmLj!iX-kn7QA(9snzk0LRf<%SzO&~IhLor6A3f*U^UcoAygRe!H#@UCv$JUP&vPxs
zeDj$1%#<2T1!e|!7xI+~_VXLl5|jHqvOhU7ZDUGee;HnkcPP=_k_FFxPjXg*9KyI+
zIh0@+s)1JDSuKMeaDZ3|<_*J8{TUFDLl|mXmY8B>Wj_?4mC#=XjsCKPEO=p0c&t&Z
zd1%kHxR#o9S*C?du*}tEHfAC7WetnvS}`<%j=o7YVna)6pw(xzkUi7f#$|^y4WQ{7
zu@@lu=j6xr*11VEIY+`B{tgd(<i-P<xW8QmX{Uu}CW{$k=4G`<yQ5DK7nY#9L<7KO
zZl2V*aS4sKmaEUS-mY%P1^cv^q{7lxZ)5qzsWF(QH6y#+dwE4lRddpa#$Z}_cCaKa
zE;TlFY<W#EqQ=~xoZ>c3zO8%nGk0U^%ec6h)G_`ki|XQXr!?NsQkxzV6Bn1ea9L+@
z(Zr7CU_oXaW>VOdfzENm+FlFQ7Se0ROrNdw(QLvb6{f}HRQ{$Je>(c&rws#{dFI^r
zZ4^(`J*G0~Pu_+p5AAh>RRpkcbaS2a?Fe&JqxDTp`dIW9;<O_d1fh3g+@%<JHS<h;
z`xr?<<utwG<Lj5Zdhfz~Sd#5Kb7T9+cKkOui1y`+Uv$r&om%~&H3ligXMa!k1A}&8
z`oKdmM{uQUq3k>DL%0wxX5;`KxyA4F{(~_`93>NF@bj4LF!NC&D6Zm+Di$Q-tb2*Q
z&csGmXyqA%Z9s(AxNO3@Ij=WGt=UG6J7F;r*uqdQ<A<k`&*~1mNB0QW1T5I+z^l>a
z?7j!nV{8eQE-cwY7L(3AEXF3&V*9{DpSYdyCjRhv#&2johwf{r+k`QB81%!aRVN<&
z@b*N^xiw_lU>H~@4MWzgHxSOGVfnD|iC7=hf0%CPm_@@4^t-nj#GHMug&S|FJtr?i
z^JVrobltd(-?Ll>)6>jwgX=dUy+^n_ifzM>3)an3iOzpG9Tu;+96TP<0Jm_PIqof3
zMn=~M!#Ky{CTN_2f7Y-i#|gW~32RCWKA4-J9sS&>kYpTOx#xVNLCo)A$LUme^fVNH
z@^S7VU^UJ0YR8?<bG~Mj6Gj-lk3HOub{MXq84f%T`QY6$SQB%P+{DM48!0oDB|1i&
zZKxv58$HkYAPzeA(N@4W-r2I(ob~ZN%-H1^uVTL2tUjwxrv8WT<9HEQp}oppV?S-b
z?TWa%T=%&4xZ~a0-G(Qtj>Oy$^IYuG*bm|g;@aX~i60%`7XLy*AYpYvZ^F^U(!|RW
z*C!rJ@+7TGdL=nNd1gv^%B+;Fcr$y)i0!GRsZXRHPs>QVGVR{9r_#&Qd(wL|5;H;>
zD>HUw=4CF++&{7$<8G@j*nGjhEO%BQYfjeItp4mPvY*JYb1HKd<ZQ^<n)7B(e{N}R
zNACLEJ-M&vp2!R2b>!{HJ9*)(3%BR%{Pp?AM&*yHAJsW({ivOzj*qS!-7|XEn6@zo
z3L*tBT%<4RxoAh>q{0n_JBmgW6&8hx?kL(_^k%VL>?xjAyrKBmSl`$=V|SK}ELl}@
zd|d0eo#RfG`bw9SK3%r4Y+rdvc}w}~ixV%tqawbdqvE-WcgE+BUpxMT%F@btm76MG
zn=oQRWWuTm+a{dy)Oc2V4yX(@M{QAkx>(QB59*`dLT`<?!`ti2@y+pV_8st7_#g52
z1!@8-14n{+!KuOff(Jusq1w=z(B5!jxFx(cyss+1s<Z0Bs-u@|yyQrAPIYVbrs`9d
z>Pz3Lsj9iB=HSHAiCq()ns|Cr)1<p6y)@aLys9>*c605Cx}3V&x}Lg?b+6Q?)z7Kl
zQh&1Hx`y6JY-Cwvd*ozeps}a1xAA0CR+Da;+O(i)P1C;SjOI}Dtmf6tPqo-Bl`U78
zv$kYgPntPp@G)n1an9tEoL*Vumu9`>_@I(;+5+fBa-*?fEx=mTEjZ7wq}#@Gd5_cW
z!mP{N=yqEntDo)|>oy6{9cu+-3*GTnmb^`O0^FzRPO^&aG`f@F_R*aQ_e{F+_9%NW
z4KG_B`@X3EVV9L>?_RNDMddA>w=e0KfAiw5?#i1NFT%Zz#nuv(&!yIU>lVxmzYKQ`
zzJ*0w9<&L4aJ6A;0j|_<vbtcWAbbzpCj3Gin*xk%@5HxYh(fosHrML5=EAoJzwHRw
zh@)_=)rwlI8GD^(O|@nqTobf9QEEG(*M$^xqkm*B>~i>+y(q-=;2Xxhx2v%CYY^{}
z^J@LO()eLo|7!{ghQ+(u$wxO*xY#)cL(|mi<iezIsIQq}e;H<1HsO1a%jmXB^n!Yj
z`bEguLTH*W^N>H2_ck2yN{mu4O9=hBW*pM_()-_YdH#Ru{JtwJ^R2}3?!>>m1pohh
zrn(!xCjE<?5dV)b*C5Aj$gepjhO+1}F~03sn})p^Uz6_w9HjtSwO;4fgQNBdkCC(S
zXIQs_lKEg{DKt7!64@q0U7<~Z9sWW2MiWn5C=n^v2(+j+NQ}hd(YScLR6bFX1e5GJ
z{f}vqE*X+(y(=SeU6&=<n3p71@^G&#A3gi#b>0Q&EH1<ywPMV@T7r4FN~KK7(R*2e
zG3w@Kn+NlNX^aE);gT>QK?zA%sxVh&H99cObJUY$veZhQ)MLu-h%`!*G)s$2k;~+A
z)Kk->Ri?`oGDEJEtI*wijm(s5<vO`uZjc+%3o%>f$W78FH{+qBxiU{~kq((J3uK{m
z$|C8K#j-?hm8H@x%VfFqpnvu@xn1s%J7uNZC9C99a<_b1J|mx%)$%!6gPU|~<@2&m
zz99GDp`|a%m*iggvfL;4%X;~WY>)@!tMWB@P`)k?$;0x9JSrRI8?s3rlgH(o@`OAo
zn{f*gZ#t2u<vX%PzAIbh8QCV^lkM_->6K??hx|aElOM`Xd0t+SAIUEHvFw%?Wsm$s
zUXq{6UU?a>Nc@@Xlb_2k<d?Yk`js4zSLLAmT7Dyk<TW`guge>9M1Ctr<#+O?yd}rv
z_wu&<L5|BGrBD7Of0n<<JMvdKA@9n2@;7;3{*GxNK9rO44>=_t$!Yngd@N_AUj}T;
z#*Ce|%XZr_sQcsWcsl{pCnnj+c8ZNIMmx<;w=-g$Q>BU;9k;w|zQ;4!W32Xg2Cd?{
zvmO3kuKQ^Hv;o>6ZHP8ZJ2`4~Bx?N;cf<0fi=!*G^^WzbTF3e$b&d^qqB{>nqLG81
zs94bBh%|Vj+hLu=!8(b9brJ>ZBns9^6s(gdSVyP9qnu2_I{Sg8j-rloG6{d`De5We
zDe5WeY3ga}Y3ga}Y3ga}Y3ga}Y3ga}d8y~6o|k%F>UpW>rJk31Ug~+N=cS&HdOqs;
zsOO`ek9t1p`Kafko{xGy>iMbXr=FjBxZMYc8a#gL`Kjlpo}YSt>iMY`pk9DF0qO*(
z6QE9jIsxhgs1u-0kUBx8D@eT{^@7w3QZGooAoYUO3sNscy%6<6)C*BBM7<F8LevXU
zFGRf%^}^H(Q!h-tF!jRJ3sWyly>L`dk$Xk%6}eZQXgo#!75P`>Uy*-B{uTLG<X@40
zMgA4}SL9!je?|Tk`B&s$k$*-075P`>Uy*-B{uTLG<X@40MgA4}SL9!je?|Tk`B&s$
zk$*-075P`>Uy*-B{uTLG<X@40MgA4}SL9xidqwUQxmV;~k$Xk%6}eaBUXgo6?iIOL
z<X#1$JSg(7$iE{0iu^0`ugJe5|BC!8@~_ChBL9l~EAp?%zasyN{44UW$iE{0iu^0`
zugJe5|BC!8@~_ChBL9l~EAp?%zasyN{44UW$iEuoJ{&DaDjY3GsEwTSjAnVzEDxIH
zL9;w)mIux9pvk``|C;=3@~_FiCjXlJYx1wjy(agXylZl<$+;%y7~~jDCpp*TT9a!{
zt~I&V<XV$!O|CV$*5q1~YfY{-xz^-blWR?`G3|Ub9pqZ`yspW&Cf}NTYx1qhw<h13
qd~5Qp$+srontW^Wt)qNLLXk-9aux9_WlUi5WYd6^D_dVgyY*ioe@L+a

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.woff b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/fonts/bootstrap/glyphicons-halflings-regular.woff
new file mode 100644
index 0000000000000000000000000000000000000000..9e612858f802245ddcbf59788a0db942224bab35
GIT binary patch
literal 23424
zcmY&eV{m0%u#Iioo_J#0nb?@vwry)-+qNe*Z>))v8{5gt_uj9!t5)^yb-JtjRGrhi
zYInOUNJxNyf_yKX01)K=WP|Si>HqEj|B{eUl?MR<)%<1&{(~)D+NPwKxWqT-@~snp
zg9KCz1VTZDiS?UH`PRk1VPM{29cgT9=<v;Lf`EYagMdIet=H@a8oRlWfPg?`f7?L(
zFKED?%?+Ku?I7~Mb(sI~^#uZMZsTe8&6R_I$YX<mq!jz=4cJ?l8k&HBDD{8auziCA
zQl4qm;+y>D?!Wc_@}qzggFv;gb@2cJQAYWWtpEZ7?y@jSVqjx${B5UV@SO|wH<<0;
z{><1KdVI%Ki}>~<`46C0AggwUwx-|QcU;iiZ{NZu`ur>hd*|<W)sXtmhXDixZoaeV
zklo$X=sQ21?>Hb(|6veERq<PbegkBRzi{?HIp-GW`hU_n&12ozz{J4dAGi@L6pDe-
z_ud2pJc-_b2pj}b3Pc9vzvpJBX4(Dy6a52IgD!!AfuwLEKN$^~jn+XAz)Mg9U?T~E
zgqNfL`tz^91n&aBz=T}M5SD}tB`7H25Mn@BQsEK4gL$l9qzGE52osF@rxjbO42^t7
z#@g=mu(37N%+Vt`PAJL-lQ=FQENF`3={3?oV6ei1hBKA`DuVTzgGk7b#0j#++TdzR
zI(97e!~g}_G7m33x=^Ssom?;fl4q}a+^;UP-1|ZzG9$*2kpk7p8YI9lAxj<90CjKp
zE8u&KGi5Zv=157hgKP@$c2&H4zuKcOmHoZD%?+qY(Kf~v8|7crq{Nr<WvZ$ts)Fb$
z8!IcdkQ`H>xu=b@5Bab=rqptGxd{QJg!4*-i_$sES~)AB46}Fjg|ea#e@?J}z%CUJ
zOsLWRQR1#<tB|QIEY)&I*ZbudHp)E;$><nb=BbXZ4tHi(jj=+TGtb?X^faOKFyozE
zS@PKF)~8;5xRSNpTm4ugp<(oc@Q3%7K-)@eyP?m1z&l;rf%%J4?;rfzsBU`M+aNyb
z*@?y5Vm{LN@ggUHmiuxx_Dtj5rsol#BM~=pjyHqe<HcvPas11*o_#i9ZJ%`X+7&6Y
z4F}#7CrnT%)O76bs<&03Bs~CBL9-lPzgZEx+oS+S$-gV~5q;R39w5(FZ(Km5B%*l&
z(rrr`BO68!fN#?(kC!s6W?du1@vWLl$02}9k4Iw`sS*azt|mzMLd*ov1C_X-Z_DEc
zA>ng^sD)A4FDuY!iUhzlgfJh(J@BRqd&P#v2B`+saBx>m+M&q7vk-75$NH%T5pi%m
z5FX?`2-5l53=a&GkC9^NZCLpN5(DMKMwwab$FDIs?q>4!!xBS}75gX_5;(luk;3Vl
zLCLd5a_8`Iyz}K}+#RMwu6DVk3O_-}n>aE!4NaD*sQn`GxY?cHe!Bl9n?u&g6?aKm
z-P8z&;Q3gr;h`YIxX%z^o&GZZg1=>_+hP2$$-DnL_?7?3^!WAsY4I7|@K;aL<>OTK
zByfjl2PA$T83*LM9(;espx-qB%wv7H2i6CFsfAg<9V>Pj*OpwX)l?^mQfr$*OPPS$
z=`mzTYs{*(UW^ij1U8UfXjNoY7GK*+YHht(2oKE&tfZuvAyoN(;_OF>-J6AMmS5fB
z<XKU7YH10@@&WJhj71Cj$=TP(r@q<cW{2}t$FbdUw)ad2!elcuLPw0X5toDsPadV*
zO3EPF>^sY6wea&&${+!}@R1f$5oC-2J>J-A${@r(dRzc`wnK>a7~8{Y-scc|ETOI8
zjtNY%Y2!PI;8-@a=O}+{ap1Ewk0@T`C`q!|=KceX9gK8wtOtIC96}-^7)v23Mu;MH
zhKyLGOQMujfRG$p(s`(2*nP4EH7*J57^=|%t(#PwCcW7U%e=8Jb>p6~<TTQ9e?y3C
zdb|J>>RAlY4a*t<yx)M!`#-^(n~+nSXHt)XXPCd>s=pl}_J{->@kKzxH|8XQ5{t=E
zV&o`$D#ZHdv&iZWFa)(~o<E{GN9+27JE4iktONzQ1b)q{Sex30G?of$HMKN~8KD%g
zA+E{L7XRV>Bh-Osl{~CS0hfM7?PyWUWsr5oYlsyC1cwULoQ4|Y5RHA2*rN+EnFPnu
z`Y_&Yz*#550YJwDy@brZU>0pWV^RxRjL221@2ABq)AtA%Cz?+FG(}Yh?^v)1Lnh%D
zeM{{3&-4#F9rZhS@DT0E(WRkrG!jC<!Dwf@j`RqVrLtHFoIyn_L9bxbWrgS*Z9wMu
z#p1&N;H{ZGv&zD_N*zbkas>#5?OFjZv*xQjUP~XsaxL2rqRKvPW$zHqHr8Urp2Z)L
z+)EvQeoeJ8c6A#Iy9>3lxiH3=@86uiTbnnJJJoypZ7gco_*Hv<E!$|Yb^#x+eGvv(
zIp;Wt3|Xgi12|CZQBu5wnkbr4Z_o<}@wU&ThE&G4r6LGOs?2M%<}Vu1j2>KOH97B?
zWiwp>+r}*Zf9b3ImxwvjL~h~j<<3shN8$k-$V1p|96I!=N6VBqmb==Bec|*;HUg?)
z4!5#R*(#Fe)w%+RH#y{8&%%!|<UeDoR>fQ5JcFzUE;-yVYR^&Ek55AXb{^w|@j|&G
z|6C-+*On%j;W|f8mj?;679?!qY86c{(s1-PI2Wahoclf%1*8%JAvRh1(0)5Vu37Iz
z`JY?RW@qKr+FMmBC{TC7k@}fv-k8t6iO}4K-i3WkF!Lc=D`<I4n3h#nG>nuD)v#Na
zA|R*no51fkUN3^rmI;tty#IK284*2Zu!kG13<C=xWI7mp_-$=}wb|<b)!OZRv-HEP
z{%b~I$E(4`VZ#-glOe-5)a2pflY1Bz-1#4je?)~T9!X4-E;pkTTM{XAe2I!K$wY&{
zHEYHdnV_WuXSOaFHmg_J8USFkT|e)_-*FkL@p7z7`X=kCplNBVHgHbdYiIA4b&ia%
zF^b30NW{}~a)`)^H3EMpr)@2a^C3(yt-t3eigT2)odQdx2zf*pafN9pF#;@+u4LZa
z7x<*Yxq9&rRf5M3B$p^s`skXsITAn=Zo(y=33sGRSGWuaK?&Ne`Pj#q{feF+D~&z+
zEyT)MiaBL7L|^V76c6eAiTxZof6@zS20aGf%dzLc3HH8OA(-=u{w4pJ6%*OO;uayC
zzR4O{sz+f(78K2km*}=(W9{c=$lUj4eqLf#^t$Qwnbo?bEXMO?j$N^G)CbdGe8!P9
zJnZQX@k)7bzDG0I8w{~ZPTf4?D$;UGe$M~$TSzciU_@dS=0n{mhB=qm5O0^X+E9+o
z1x?ef8>!$OlxJAt@zLU`kvsazO25TpJLbK&;M8kw*0)*14kpf*)3<d6yUQxMZe%8t
zXy(eYN2(&WrmwSg<nK0tWy!~|3-Ib)_FW|=FVb)tUsL?PQ@qp22p>;GiDh;C(F}$-
z1;!=OBkW#ctacN=je*Pr)lnGzX=OwgNZjTpVbFxqb;8kTc@X&L2XR0A7oc!Mf2?u9
zcctQLCCr+tYip<jrMK$>a_k=;1ETIpHt!Jeo;iy^xqBES^Ct6-+wHi%2g&)?7N^Yy
zUrMIu){Jk)luDa@7We5U!$$3XFNbyRT!YPIbMKj5$IEpTX1IOtVP~(UPO2-+9ZFi6
z-$3<|{Xb#@tABt0M0s1TVCWKwveDy^S!!@4$s|DAqhsEv--Z}Dl)t%0G>U#ycJ7cy
z^8%;|pg32=7~MJmqlC-x07Sd!2YX^|2D`?y;-$a!rZ3R5ia{v1QI_^>gi(HSS_e%2
zUbdg^zjMBBiLr8eSI^BqXM6HKKg#@-w`a**w(}RMe%XWl3MipvBODo*hi?+ykYq)z
ziqy4goZw0@VIUY65+L7DaM5q=KWFd$;W3S!Zi>sOzpEF#(*3V-27N;^pDRoMh~(ZD
zJLZXIam0lM7U#)119Hm947W)p3$%V`0Tv+*n=&ybF&}h~FA}7hEpA&1Y!BiYIb~~D
z$TSo9#3ee02e^%*@4|*+=Nq6&JG5>zX4k5f?)z*#pI-G(+j|jye%13CUdcSP;rNlY
z#Q!X%zHf|V)GWIcEz-=fW6AahfxI~y7w7i|PK6H@@twdgH>D_R@>&OtKl}%MuAQ7I
zcpFmV^~w~8$4@zzh~P~+?B~%L@EM3x(^KXJSg<wVEvJN(*DSLK{@lLZ^>c6I=;)B6
zpRco2LKIlURPE*XUmZ^|1vb?w*ZfF}EXvY13I4af+()bAI5V?BRbFp`Sb{8GRJHd*
z4S2s%4A)<beb5!5W2AL1ws>6Uc=PK%4@PbJ<{1R6+2THMk0c+kif**#ZGE)w6WsqH
z`r^DL&r8|OEAumm^qyrryd(HQ9olv$ltnVGB{aY?_76Uk%6p;e)2DTvF(;t=Q+|8b
zqfT(u5@BP);6;jmRAEV057E*2d^wx@*aL1GqWU|$6h5%O@cQtVtC^isd%gD7PZ_Io
z_BDP5w(2*)Mu&JxS@X%%ByH_@+l>y07jIc~!@;Raw)q_;9oy@*U#mCnc7%t85qa4?
z%_Vr5tkN^}(^>`EFhag;!MpRh!&bKnveQZAJ4)gEJo1@wHtT$Gs6IpznN$Lk-$NcM
z3ReVC&qcXvfGX$I0nfkS$a|Pm%x+lq{WweNc;K>a1M@EAVWs2IBcQPi<R5t!qadV8
z`@w2vB^p<`Z$u8twt230^FDUXk@KFGRjk|Wy)IU*vs&-S4^@ur^QOw}{f&PX2ZUtx
z2^VHiFLv0j^tM_qTCdnm{?$%kSnzz+Rz#c}<%d@@&Y%vBngG@bQjNu*$QIzHiMtlr
z%<!I8J_+!}g1P;40riIDVp#J58>EJNt}+Ea8~WiapASoMvo(&PdUO}AfC~>ZGzq<X
zA{wc(2{B`w8<FdY#fUA=!$2hWfZJFFh^biG^FRul&;5HGQt3HYB*8-U;tAm`ZDrW?
zLGzSCAtG}^Y%BI&AQbV|jc8`aQkJs}$KZGr4&D`BKH5)pk?++zISItrK-zIx+|7D6
zd{(|~knMc?H%TN~Ttm8w#&X{*x_x0Tx_urTbWQT(rM-zoT(XUHVI3m?V@uQP4J|db
z_OkbMEz8a;6}80;ZBwYhBLn3A0_Q%9Xo7*<Qa^td-Q$KXkb<^$rXNS+J!!v~e_27-
z?B(DtKu5zrraAfXQ`1kqTCnO1=JFF~4jJA+&eXD+hsTX=d50Jrj6yJ)U-=XHF8z-o
z1o@Y7@sl2x7U<!Ygv?%s5eyX!wKt`l=(%|REJ0yS<TOH?s9B)is6Iv13lr}2%hiI}
zPUW^d?_dD#I&an8I8t^fY)SnDOhO39OTDNje$JA5dr5!UH92rZ)87wX;yQSp&mZg<
zmgmz=w6D&%v&B;c-vM3DEvl$Gev##x*ndtU#f^N2I}99-3HZpRE^$`D%!0A_ujaQb
zI5z(Mh2X@IN1#BF?<;^jK#~(MAEc`h<3P$Nghud=)(&&|-qnC?^x{5VK>Wjd)4no(
ziLi#e3lOU~sI*XPH&n&J0cWfoh*}eWEEZW%vX?YK!$?w}htY|GALx3;YZoo=JCF4@
zdiaA-uq!*L5;Yg)z-_`MciiIwDAAR3-snC4V+<n|J*V*n#h?&wg+C8sg$z312~u%3
zz$RVnQhlm*2c)>KA>&V%Ak;p{1u>{Lw$NFj)Yn0Ms2*kxUZ)OTddbiJM}PK!DM}Ot
zczn?EZXhx3wyu6i{QMz_Ht%b?K&-@5r;8b076YDir`KXF0&2i9NQ~#JYaq*}Ylb}^
z<{{6xy&;dQ;|@k_(31PDr!}}W$zF7Jv@f%um0M$#=8ygpu%j(VU-d5JtQwT714#<!
z&vm@KPB=l<TMpuv%DS+RW~~WnEOz5WiaSxW4<ph#&0;zqiCMt1ekX<hrb8#^mBYaW
zJA2vi7UWJVhfbeu%Rejgz>f0z+Cm$F9J<FFP&8OfSp_OMl7>jGr_G!~NS@L9P;C1?
z;Ij2YVYuv}tzU+HugU=f9b1Wbx3418+xj$RKD;$gf$0j_A&c;-OhoF*z@DhEW@d9o
zbQBjqEQnn2aG?N9{bmD^A#Um6SDKsm0g{g_<4^dJjg_l_HXdDMk!p`oFv8+@_v_9>
zq;#WkQ!GNGfLT7f8m60H@$tu?p;o_It#TApmE`xnZr|_|cb3XXE)N^buLE`9R=Qbg
zXJu}6r07me2HU<)S7m?@GzrQDTE3UH?FXM7V+-lT#l}P(U>Fvnyw8T7RTeP`R579m
zj=Y>qDw1h-;|mX-)cSXCc$?hr;43LQt)7z$1QG^pyclQ1Bd!jbzsVEgIg~u9b38;>
zfsRa%U`l%did6HzPRd;TK{_EW;n^Ivp-%pu0%9G-z@Au{Ry+EqEcqW=z-#6;-!{WA
z;l+xC6Zke>dl+(R1q7B^Hu~HmrG~Kt575mzve>x*cL-shl+zqp6yuGX)DDGm`cid!
znlnZY=+a5*xQ=$qM}5$N+o!^(TqTFHDdyCcL8NM4VY@2gnNXF|D?5a558Lb*Yfm4)
z_;0%2EF7k{)i(tTvS`l5he^KvW%l&-suPwpIlWB_Za1Hfa$@J!emrcyPpTKKM@NqL
z?X_SqHt#DucWm<3Lp}W|&YyQE27zbGP55=HtZmB(k*WZA79f##?TweCt{%5yuc+Kx
zgfSrIZI*Y57FOD9l@H0nzq<E4Q@_YK<1;`>Ou|Bhrm&^m_RK6^Z<^N($=DDxyyPLA
z+J)E(gs9AfaO`5qk$IGGY+_*tEk0n_wrM}n4G#So>8Dw6#K7tx@g;U`8hN_R<bPv^
zP6}0b!dly7dCc=KnICM>;^Uw9JLRUgOQ?PTMr<oQ9o~>4YD5H7=ryv)bPtl=<&4&%
z*w6k|D-%Tg*F~sh0Ns(h&mOQ_Qf{`#_XU44(VDY8b})RFpLykg10uxUztD>gswTH}
z&&xgt>zc(+=GdM2gIQ%3V4AGxPFW0*l0YsbA|nFZpN~ih4u-P!{39d@_MN)DC%d1w
z7>SaUs-g@Hp7xqZ3Tn)e<dV~D-0@M0u`KSW@qBLlIFNKze0?;|tm!<F9_5{TDKnUY
zJB8#(%G(di5;`|v12#{)=^Bhy!6zu5lq~#Rj8QgnK?%W-bqS8Lq9_xGRU?MD1Z_M>
z7x^sC`xJ{V<3YrmbB{h9i5rdancCEyL=9ZOJXoVHo@$$-%Za<Y<=Dws@<HVOn84kp
zy7czzAj#&D?|uHYH^U!oq7C#CS4C-HKPWUJ-r}5;#IkR`+-?7IMg|O#r^#PS@coAT
z<xl(XMO(JUH%Fc8@Q;tlw>Nm-75Z-Ry9Z%!^+STWyv~To>{^T&MW0-;$3yc9L2mhq
z;ZbQ5LGNM+aN628)Cs16>p55^T^*8$Dw&ss_~4G5Go63gW^CY+0+Z07f2WB4Dh0^q
z-|6QgV8__5>~&z1gq0FxDWr`OzmR}3aJmCA^d_eufde7;d|OCrKdnaM>4(M%4<dMy
z`?Qi<9Ebh#nVT{&VVFv66RU??kcC8}u+l^~F(m>V`PxpCJc~UhEuddx9)@)9qe_|i
z)0EA%&P@_&9&o#9eqZCUCbh?`j!zgih5sJ%c4(7_#|Xt#r7MVL&Q+^PQEg3MBW;4T
zG^4-*<N;_j_KF=#ltp<I^9_IU8#T_ulQ_w;P&0IS=TATWkvf^^ks|nDnb@T^ShFUW
ztuyr~q)6&!?68RQ-V8G+#+EoOhWE-6A7rk5HfHxAG?Sknf`kY=i0}11&e`cz`MCO{
zQd*rofIJ{OtoMr$=gf?H!$EPT16>8L%s|A}R%*eGdx&i}B1He(mLygTmIAc^G(9Si
zK7e{Ngoq>r-r-zhyyg<ieAPsqNv@SQwQ@xsNn5Vw2I}E18CcU&C?((>K)*9cj8_%g
z)`>ANlipCdzw(raeqP-+ldhy<kGNs8`S#*G-e>Uv_VOht+!w*>Sh+Z7(7(l=9~_Vk
ztsM|g1xW`?)?|@m2jyAgC_IB`Mtz(O`mwgP15`lPb2V+VihV#29>y=H6ujE#rdnK`
zH`EaHzABs~teIrh`ScxMz}FC**_Ii?^EbL(n90b(F0r0PMQ70UkL}tv;*4~bKCiYm
zqngRuGy`^c_*M6{*_~%7FmOMquOEZXAg1^kM`)0ZrFqgC>C%R<qRBgHG)$UB@XBA@
zshx3_1QSr};A7TJ_s8FNBrzB>JvQSo_OAA(WF3{euE}GaeA?tu5kF@#62mM$a051I
zNhE>u>!gFE8g#Jj95BqHQS%|>DOj71MZ?EYfM+MiJcX?>*}vKfGaBfQFZ3f^Q-R1#
znhyK1*RvO@nHb|^i4Ep_0s{lZwCNa;Ix<{E5cUReguJf+72QRZIc%`9-Vy)D<o;c>
zWKhb?FbluyDTgT^naN%l2|rm}oO6D0=3kfXO2L{tqj(kDqjbl(pYz9DykeZlk4iW5
zER`)vqJxx(NOa;so@buE!389-YLbEi@6rZG0#GBsC+Z0fzT6+d7deYVU;dy!rPXiE
zmu73@Jr&~K{-9MVQD}&`)e>yLNWr>Yh8CXae9XqfvVQ&eC_;#zpoaMxZ0GpZz7xjx
z`t_Q-F?u=vr<JfY4KbWG<xAz}usjoo`>RPaj3r<9&t6K=+egimiJ8D4gh-rUYvaVy
zG($v+3zk5sMuOhjxkH7bQ}(5{PD3Mg?!@8PkK&w>n7tO8FmAmoF30_#^B~c(Q_`4L
zYWOoDVSnK|1=p{+@`Fk^Qb81Xf89_S`RSTzv(a4ID%71nll%{Wad$!CKfeTKkyC?n
zCkMKHU#*nz_(tO$M)UP&Zf<GNy8?Xs8hUzIu0nqFC9@Ka{&R$vXnbN*?hR?iwv-x*
zPrH;>J#*q(0Gr!E(l5(ce<3xut+_i8XrK8?Xr7_oeHz(bZ?~8q5q~$Rah{5@@7SMN
zx9PnJ-5?^xeW2m?yC_7A#<rjP_en{9P5bFL68vgKu`Lv^loBE5&?9+BtYGMUT06bd
zXEt*_Sdl_o?{!kSnxeJB_xVtFwR-bF`2MlsSO1bZtN)M(j%)mHVUj4b&G~L_`|PNv
zb05EL`!%-lV_>WK*B@oIy*Y@iC1n7lYKj&m7vV;KP4TVll=II)$39dOJ^czLRU>L>
z68P*PFMN+WXxdAu=Hyt3g$l(GTeTVOZYw3KY|W0Fk-$S_`@9`K=60)bEy?Z%tT+Iq
z7f>%M9P)FGg3EY$ood+v<G?d-tNS5y+I=S1dlJZvs-NC{^w-&Jr{gfwR>$pdsXvG?
zd2q3abeu-}LfAQWY@=*+#`CX8RChoA`=1!hS1x5dOF)rGjX4KFg!iPHZE2E=rv|A}
zro(8h38LLFljl^>?nJkc+wdY&MOOlVa@6>vBki#gKhNVv+%Add{g6#-@Z$k*ps}0Y
zQ=8$)+Nm||)mVz^aa4b-Vpg=1daRaOU)8@BY4j<Xy)*mrZf+Eqj^RX06GbC^vLKT|
zpteFBLq#626+?=M@k2|V@k{2aN?cRlCum?`TP_u}%3Y{AVZHbKwm{q2d`D~XsJSyD
zl=xk@5@i0e1=0fu$jfj1+lTA1h#%78*$MuUCU^B9>S>=5n#6abG@(F2`=k-eQ9@u#
zxfNFHv=z2w@{p1dzSOgHokX1AUGT0DY4jQI@YMw)EWQ~q5wmR$KQ}Y;(HPMSQCwzu
zdli|G?bj(>++CP)yQ4s6YfpDc3KqPmquQSxg%*EnTWumWugbDW5ef%8j-rT#3rJu?
z)5n;4b2c*;2LIW%LmvUu6t1~di~}0&Svy}QX#ER|hDFZwl!~zUP&}B1o<!gKVHBj1
z!0%hK_{Iy`*BgY<Qck8#<-rH4Lg1;Qj-hq2OvPXM$(Gkmg`0T7B6Gm*>KAxIzt~so
zb!GaJYOb#&qRUjEI1xe_`@<o~iP+Rf(GIMHq*yg6%vf7Mu<-aQ)$}%3o$R+x;;~W%
zCQ~RFyB5g)F1k-t!#^TN>7qv_-LggQ$JE8+{ryT4%ldwC5ete+{G3C#g@^oxfY3#F
zcLlj(l2G8>tC<5XWV|6_DZQZ7ow?MD8EZ9mM2oV~WoV-uoExmbwpzc6eMV}%J_{3l
zW(4t2a-o}XRlU|NSiYn!*nR(Sc>*@TuU*(S77gfCi7+WR%2b;4#RiyxWR3(u5BIdf
zo@#g4wQjtG3T$PqdX$2z8Zi|QP~I^*9iC+(!;?qkyk&Q7v>DLJGjS44q|%yBz}}>i
z&Ve%^6>xY<=Pi9WlwpWB%K10Iz`*#gS^YqMeV9$4qFchMFO}(%y}xs2Hn_E}s4=*3
z+lAeCKtS}9E{l(P=PBI;rsYVG-gw}-_x;KwUefIB@V%RLA&}WU2XCL_?hZHoR<7ED
zY}4#P_MmX(_G_lqfp=+iX|!*)RdLCr-1w`4rB_@bI&<E#m-6fJX?!@HMojcz?@FV(
zEwb`K9p)6DH8Vt-HX;X2^%28zP(BOT@+<+Oy5Uv8eD=4p<t0n4?tw(5<&#sr?h6zV
z!&Zb?gM&8<%??jXTdmMb1(#@6)m(rk*#aUo^iqOs4-#{`NA;|yExPzdS?_q~O>Uz#
z!>9C3&LdoB$r+O#n);WTPi;V52OhNeKfW6_NLn<EDp2Lr=qOaId}Ifx9lEG?H#PEN
zbI74Vx*PNK+cvB53_AWmzs=zCb5!9-mCcW#<QbIdOJM|=ASw5QpF+P}oobETGwNf<
z0{kapJo<fgf(@=YJA0C%pNqB2CMVFcToi3AV3#1!n@Z&vX@98&`Sz6*SUYY~uWq>w
zpFTuLC^@aPy~ZGUPZr;)=-p|b$-R8htO)JXy{ecE5a|b{{&0O%H2rN&9(VHxmvNly
zbY?sVk}@^{aw)%#J}|UW=ucLWs%%j)^n7S%8D1Woi$UT}VuU6@Sd6zc2+t_2IMBxd
zb4R#ykMr8s5gKy=v+opw6;4R&&46$V+OOpDZwp3iR0Osqpjx))joB*iX+diVl?E~Q
zc|$qmb#T#7Kcal042LUNAoPTPUxF-iGFw>ZFnUqU@y$&s8%h-HGD`EoNBbe#S>Y-4
zlkeAP>6<Z7QQ9XL^<-l?vhbA^VVM{w_AGyBxGo2D4xc6Tl~BnC{PHYDLP{4>2k~-N
zHQqXXyN6<L3Gg$i2mMBKaSbx<i~TEhvQ{`W#&P&}*M*bY-+RuxoiU+jyjZtu*2#d`
z4;V{mY|5$$TfD^8s7AA{v{=Q~S8RRnPkT2vB+qp-b$~mY>7hGD6CxQIq_zoepU&j0
zYO&}<4cS^2sp!;5))(aAD!KmUED#QGr48DVlwbyft31WlS2yU<1>#VMp?>D1BCFfB
z_JJ-kxTB{OLI}5XcPHXUo}x~->VP%of!G_N-(3Snvq`*gX3u0GR&}*fFwHo3-vIw0
zeiWskq3ZT9hTg^je{sC^@+z<IC+@jyb5}hL&*c9&Uv=C+8r5MFr<BeiUxikY7v-2j
z#^Wp1Woo#;-OnJd6+u?>3FAd}KNhbpE5RO+lsLgv$;1igG7pRwI|;BO7o($2>mS(E
z$CO@qYf5i=Zh6-xB=U8@mR7Yjk%OUp;_MMBfe_v1A(Hqk6!D})x%JNl838^ZA13Xu
zz}LyD@X2;5o1P61Rc$%jcUnJ>`;6r{h5yrEbnbM$$ntA@P2IS1PyW^RyG0$S2tUlh
z8?E(McS?7}X3n<sX7)_F=$tGzECOdx`5F$56$H6$2HeHDocU>AAJs2u_n{^05)*D7
zW{Y>o99!I9&KQdzgtG(k@BT|J*;{Pt*b|?A_})e98pXCbMWbhBZ$t&YbNQOwN^=F)
z_yIb_az2Pyya2530n@Y@<KMNVgC+@Hh^eD5>s>s>n?L79;U-O9oPY$==~f1gXro5Y
z*3~JaenSl_I}1*&dpYD?i8s<7w%~sEojqq~iFnaYyLgM#so%_ZZ^WTV0`R*H@{m2+
zja4MX^|#>xS9YQo{@F1I)!%<Q9x6E+JCnjAm>RhM{4ZUapHTKgLZLcn$ehRq(emb8
z9<w{<)uy~=x}G;ZX+CDl#T7`~iRBx5XO`@><&Nx*RLcS#)SdTxcURrJhxPM2IBP%I
zf1bWu&uRf{60-?Gclb5(IFI*!%tU*7d`i!l@>TaHzYQqH4_Y*6!Wy0d-B#Lz7Rg3l
zqKsvXUk9@6iKV6#!bDy5n&j9MYpcKm!vG7z*2&4G*Yl}iccl*@WqKZWQSJCgQSj+d
ze&}E1mAs^hP}>`{BJ6lv<q%AGiq()8hz}1^1ex;^<jj#cc=g{s#0iIU-+2jVmxWDS
zd7qq)5u4+Paaui>*>0-ft<;P@`u&VFI~P3qRtufE11+|#Y6|RJccqo27Wzr}Tp|DH
z`G4^v)_8}R24X3}=6X&@Uqu;hKEQV^-)VKnBzI*|Iskecw~l?+R|WKO*~(1LrpdJ?
z0!JKnCe<|m*WR>m+Qm+NKNH<_ye<gDWD0Fl@Ho4<!fm=u&SGgDO!cbo+8PUwfWk+V
z)@b~#GtD0d4#K=39kiev5hj=8h(Nljd<HunOw<O@9z?#m(rb)ZnCBDPu~!uM>fIml
z+x32qzkNRrhR^IhT#yCiYU{3oq196nC3ePkB)f%7X1G^Ibog$ZnYu4(HyHUiFB`6x
zo$ty-8pknmO|B9|(5TzoHG|%><C<pr4&IxzPg{!KcQqRSE~Tvrur~GxUa*ce)ipeE
zWgS=NE-mtVKb)JH#~V9~Hf<heFWK%N<`blD%sTD$A|XGR=J%4vWJQ9B3q;($v$3~e
zpgG#}?8+2jU@b$OcWYMF>s#7)CM(i=M7Nl=@GyDi-*ng6ahK(&-_4h(lyUN-oOa$`
zo+P;<GhFDlQ-b}GJ)A97b8DT!@21D?+G`33xflj&^Ajw)WxefL*Yy?uny35myNvN;
zJu2^EIk(I5BXd2N-yKn?<jAHF(>C4d@m^p9J4c~rbi$rq9nhGxayFjhg+Rqa{l#`Y
z!(P6K7fK3T;y!VZhGiC#)|pl$QX?a)a9$(4l(usVSH>2&5pIu5ALn*CqBt)9$yAl;
z-{fOmgu><7Y<XFolPQk)mb~-4Wz2OqAihGXbfUWv<O@$JoEd1wcAoD{S1ZgFTS^!t
z+_d^VD?_*`AXb~e&yM8k-n#rSNZe`F1hkVx1o46tWKB^*u4Iztzf9jS`;huL0efN_
zw(C5^O4iFb>J5k>*0Q~>lq72!XFX6P5Z{vW&zLsraKq5H%Z26}$OKDMv=sim;K<Yz
zr-(K#w$yhGyI)R05r<FcNBPUs!f8{%L|!+M;WNfIk0#<kNVlmop1dan3IH7GPG0zR
zbu5#oKma)07cl(sMbhFbgIx|mM?)DnP$;1oA~OW0kph!a5>?vsoVs(JNbgTU8-M%+
zN(+7Xl}`BDl=KDkUHM9fLlV)gN&PqbyX)$86!Wv!y+r*~kAyjFUKPDWL3A)m$@ir9
zjJ;uQV9#3$*`Dqo1Cy5*;^8DQcid^Td=CivAP+D;gl4b7*xa9IQ-R|lY5tIpiM~9-
z%Hm9*vDV@_1FfiR|Kqh_5Ml0sm?abD>@peo(cnhiSWs$uy&$RYcd+m`6%X9<SS+iH
zB{MTIilfs+m}FIm`WFe<b<`1NL(_5%pWxy`61V?hXOmI!N62_Zv-n^jPyCieqxTv3
zu0_=zb8f!dMp?R&UxGJe1qNBBRLXVmj-(R6+9rkXoo6CT-@FKe>FN%?<F{pFRdeJu
z{9WJNuwr(Se^zX7t-vqF<$J*yv&MnYO_uaKBS^eIab7YX1r1^(=OyZJp!PzX%0e7b
zeEpxGl+qFvtIR-KD}KZT9sfArU;dGM3-23I#q69NU-%A?w~!T{F+*-_Lil`8wsSSR
zeW-s?xK)R5p&SHb*TI!J314$wOF*NT7qT*&*Og`^+jXq)LaOJ8#&*`Gy)1X0+KiH$
zU-5JNg0Goq-9^C#_ZqHXSIP}b7@(P=L?LSJk~7{IhyH9xAy{$zEDuPUgJ_RJae#PE
zOqO-BK*KnjogIL_)Jz3RACJUY?ZEW~+1H$~{2k_o%Y(uIH3R6z`K|NdGL!=5lV$Vc
z*(&fGI7OherXM4x!s0w3{b4Ax#6<l}lTU2>w}s~Q=3!pJzbN~iJ}bbM*PPi@!E0eN
zhKcuT=kAsz8TQo76CMO+FW#hr6da({mqpGK2K4T|xv9SNIXZ}a=4_K5pbz1HE6T}9
zbApW~m0C`q)S^F}B9Kw5!eT)Bj_h9vlCX8%VRvMOg8PJ*>PU>%yt-hyGOhjg<ke2;
z7Th2%k_wZpW!A{?Dn2nLFJ4=lqYa4jV<d3;8-+Dg@?%0IvOWsDfrv_`J~>!2pZR4{
z=VR_*?Hw|aai##~+^H>3p$W@6Zi`o4^iO2Iy=FPdEAI58Ebc~*%1#sh8KzUKOVHs(
z<3$LMSCFP|!>fmF^oESZR|c|2JI3|gucuLq4R(||_!8L@gHU8hUQZKn2S#z@EVf3?
zTroZd&}JK(mJLe>#x8xL)jfx$6`okcHP?8i%dW?F%nZh=VJ)32CmY;^y5C1^?V0;M
z<3!e8GZcPej-h&-Osc>6PU2f4x=XhA*<_K*D6U6R)4xbEx~{3*ldB#N+7QEXD^v=I
z+i^L+V7_2ld}O2b-(#bmv*PyZI4|U#<t4E{c3+Oa>Q5|22a(-VLOTZc3!9ns1RI-?
zA<~h|tPH0y*bO1#EMrsWN>4yJM7vq<?d%8sAQUGrndP7J-=xw$nCMSpe7!xoUBNp3
zGTsNoHNSmE+wi-t?Vjri@)nrwy)cL`f%zSrKknks+ReH>FZr?uw$H8*P<CaW^*(*P
zrk<ZDEOj-RoW=I>hiHRQg1U9YoscX-G|gck+SSRX<zu*#%uOZJ$&`iwbI4f^EJ9pa
z@T8p1=V0x-K77AYupaOqRJ8Y8`CFqe-OG4O?Pk+3)K=lIg7Aj+5B{LP8{|uD9bb*L
z=JkjZ*a>!(e7@~eeUEw+POsT;=W9J&=EV`cUc{PIg_#TQVGnZsQbCs7#Q-)<h~+VJ
z%O_$A%X$-T2gv^1iV6X%A*e(F(fO?hnMA3<=C!;L;mUog>v#BicxLw#Fb?#)8TYbu
zN)5R=MI1i7FHhF|X}xEl=sW~`-kf;fOR^h1yjthSw?%#F{HqrY2$q>7!nbw~nZ8q9
z<TlAz0DCai`eopoTgUXKr$&x3a%Yszt2{+eo;=r&?LuF;Zj%RNLHAg=LM|in10Rm2
zxd6;k(nHtRPkOmYqHW7fNcCybHEd(KrX46#z77Z9Q1dkPl|2ZTAjBY-ol(B)e&98T
zgr-$?X`Ytyy13^aY2fa`@Y1*X*i2)xR`@;KF^;++G5hoP)3auvu~w3;5+L|E0eJ^s
zgZRj(m;s_<P67c5tRN5r2qBB}z`g`y!oX~V8oXD2oDd8#khWZ&toq|9@%NQ>h{vY!
z<QL?e6`jG`+hK%nypIRco?pA%s6+zYx(b~=Fi(E95-40VeV5w!L2#*>%i=H!!P&wh
z7_E%pB7l5)*VU>_O-S~d5Z!+;f{pQ4e86*&);?G<9*Q$J<tS(vm9lEGpTY@s(2ek+
z8c`{)@2$sFJY{r$73(<V2UKiNm)(n(&DNp1&6b1{q_xZVGIdKSwV*O`Z3q;#cCe`U
zk~C47tS5LEB&@mN%p)_=XY@OEf&MPgH{St5oHz7A*3o-mSC#2S@XC^m@?vD0WoA3+
z%jkw-8_?@Gk~M`p*@7Cp@q?r=ifcr#f5J(+ee*SCy-59!ceTk_CH8c7hwjNA;pzKD
zr8zf+A(f>EJ!ZxY;Oj5&@^eg0Zs!iLCAR`2K?MSFzjX;kHD6)^`&=EZOIdW>L#O`J
z<!j^{WZ{m%sbn?E@W3)ou>f~$M4}JiV}v6B-e{NUBGF<D@nTna4Fj(s(L&KkX*F3!
zglkC}q4NM*a2HP+ijp5<SToUO6J4Q%w}VEJFwp|MQ|{cP2x=Zt1r&nh4>gj-*H%NG
zfY0X(@|S8?V)drF;2OQcpDl2LV=~=%gGx?_$fbSsi@%J~taHcMTLLpjNF8FkjnjyM
zW;4sSf6RHaa~LijL#EJ0W2m!BmQP(f=%Km_N@hsBFw%q#7{Er?y1V~UEPEih87B`~
zv$jE%>Ug9&=o+sZVZL7^+sp)PSrS;ZIJac4S-M>#V;T--4FXZ*>CI7w%583<{>tb6
zOZ8gZ#B0jplyTbzto2VOs)s9U%trre`m=RlKf{I_Nwdxn(xNG%zaVNurEYiMV3*g|
z``3;{j7`UyfFrjlEbIJN{0db|r>|LA@=vX9CHFZYiexnkn$b%8Rvw0TZOQIXa;oTI
zv@j;ZP+#~|!J(aBz9S{wL7W%Dr1H)G-XUNt9-lP?ijJ-XEj1e*CI~-Xz@4(Xg;UoG
z{uzBf-U+(SHe}6oG%;A*93Zb=oE>uTb^%qsL>|bQf?7_6=KIiPU`I|r;YcZ!YG7y~
zQu@UldAwz$^|uoz3mz1;An-WVBtefSh-pv<`n&TU3oM!hrEI?l@v8A4#^$4t&~T32
zl*J=1q~h+60sNc43>0aVvhzyfjshgPYZoQ(<inR$cERK&%N~SSiy;WaiBTgdl;Bz@
zMx7h{4w6)@f3=XUfD<5b*Di$-gK~XeKu8qdfa(KL$OL~#uI0n&gFVreVt1RX*+{5+
z#8$4WWjNT2me=PpYKo4u#73>OOh>LbUIoblb@1z~zp?))n?^)q6WGuDh}gMUaA9|X
z3qq-XlcNl<s-dSKro}45AbD<^IA@6tvSaLv-;sRc5uLj-i(AB^*}0)lznJ6A48b01
zt^mDP9!TqxILrO*cRjO@t^fSYOWb`|vQ*V4*6V-Ii_hT$&15AhsiGo@jvJCCnY0);
z)Gbzh<7K3LRm`L**mLt1MLc+MqqaWkz{2JV0hUf-(7U6vlP$%@`2fR-Dt+r$66q)X
zh2sR=$#8zbejz`}<A~Y#k!TUpiD??3amyj(E}M)o)o#H-j|LmgBHBXsF9$ok?Wh84
zoxjF*=Hw;;!?a%bcJVG|FBP7@_uu_xpir_`+UDHcZX;}|^THjvjdPRUJ+HO3O$%_*
zsal`RIk@07Cuvh)iE1gNnn7n}$9q`Da-o@9CupmsX{@4y;aIQ1WV^7X(Rcx&McA%o
zqa*mh{MZ+m6i(RP#X)4DdX;+iKAzev_!HbYetk>dy5==T4rq*~g@XVY!9sYZjo#R7
zr{n)r5^S{9+$+8l7IVB*3_k5%-TBY@C%`P@&tZf>82sm#nfw7L%92>nN$663yW!yt
zhS>EfLcE_Z)gv-Y^<SaxB6gHmR|E)iyYeg|g|R}ujv8tMcq*gC>h1;xj(<<JyurkO
zku;yk5>4nD4GY{C-nWUgQc9cMmH{qpa!uEznrGF^?bbJHApScQ$j>$JZHAX80DdXu
z--AMgrA0$Otdd#N9#!cg2Z~N8&lj1d+wDh+^ZObWJ$J)_h(&2#msu>q0B$DEERy{1
zCJN{7M@%#E@8pda`@u!v@{gcT3bA*>g*xYLXlbb&o@1vX*x+l}Voys6o~^_7>#GB|
z*r!R%kA9k%J`?m>1tMHB9x$ZRe0$r~ui<kO`4q0h1q9yWTy1Vw;6%l{l&HBbZk8-0
z4ijBu+y@{d)|{@F;ZFKw{xPkg5F+CDU-3fF>}X}jOC)9LH=Po*2SLdtf3^4?VKn<h
zHzQbKiZ9a#y^bZOa6n&Wk$r`rPcR^1TWQZWl`R8PvM?r?^F}g*>u2ox&mV~0oDgi`
z;9d}P$g~9%ThTK8s}5o<m&w0gVXSc39p)SfaC_U5P2<JPm~s|o1ZFngBTt(DrBI%x
z4kDX}YqUJKdxxsso$;8{1MQ;f+HD&9TGSGCQS)Y9GN_l)t8XY5-si=Gs(k<5;!fvW
zxE8*OW}N`jlcqPjb~+szeAOl~e_-nyQAfun)m7Qku$%99s}G7SNoRK-D2Tt?3bf7l
z_f&iauzO~DnLmd4z7qW{*#v(VPN`62cvfV3MGioX->w2V4?(-lU*ed8ro|}mU}pk%
z;bqB0bx3AOk<0Joeh}Vl@_7Po&C`Cg>>gff>e<EyzTH_%h@VP9GTpHG^0d?A+RMpT
z+TYf8aiHmG?aSY>7fu41U3Ic{JQu1W%+!Gvz3GDO2ixKd;KF6UEw8F_cDAh08gB>@
zaRH2Q96sBJ>`4aXvrF0xPtI<C%^cGg^K!B-fX;2xnF2UCh5PH@z5cKKOHR==RLnzf
zSmET?(5QuFJxq~ag0rPdFM7)-DQc6Kkb_;fb-^S9@$f%6aPJ=U;g7Zr?Ox#q(-JyY
zKvu&Cw@3?z3?xc$8o*T2<9qK!(D=t1JD`+Ta(zAy-y-Frq_L?(ciWSU*N3cXEeC5N
zwIavKBghMD()mO&Qc6^H#jRYCBJ}jZ#?v?4($m6CK2G!{)QNVBe9)sd3#Jc(VH2H^
z=FWxE%(d%&VjzHKBh>WoA1pPsRQtU~xDtnEfTJnl{A9u5pR^K8=UdNq%T8F$)FbN>
zgK+_(BF#D>R>kK!M#OT~=@@}3yAYqm33?{Bv?2iBr|-aRK0@uapzuXI)wE0=R@m^7
zQ`wLBn(M*wg!mgmQT1d!@3<2z>~rmDW)KG0*B4>_R6LjiI0^9QT8gtDDT|Lclxppm
z+OeL6H3QpearJAB%1ellZ6d*)wBQ(hPbE=%?y6i^uf%`RXm*JW*WQ%>&J+=V(=qf{
zri~yItvTZbII+7S0>4Q0U9@>HnMP$X>8TqAfD(vAh};2P{QK)ik`a6$W$n<S7xQ?o
z_{n4xoeaH~jS^3HDy+veci7_+aLh^-n?E!YG6S#O$LPEC_>G<{bR2U<qLrkRpb!v0
z%U*eD$^H(<WG-@VF0k%r-g68(2_6$K`r1T6sUwW?8=<u8q_-5ITGbK36tV>fd!^iE
z#1K58$gW!xpeYHeehuhQCXZ9p%N8m<Fx1W4{1&odf~Dg9N*_P3FP{`cbE*_n{Eco>
zB+l~T_u-Ycr!U><XH<{<R0eR`Jn1$qaE<CV>!?xu!!*6rNxq37{`DhMMfY6NpD3Jw
zkYQDstvt30Hc_SaZuuMP2YrdW@HsPMbf^Y9lI<9$bnMil2X7`Ba-DGLbzgqP>mxwe
zf1&JkDH54D3nLar2KjJ3z`*R+rUABq4;>>4Kjc2i<Dy@)!kC&Aw;NA8e)mD}M7}y*
zi5fe;hrp`ef1|wy(>QEj7pVLcZYZ~pteAG4rm1{><Ecc%k1Tki@ADmF<}mEh$<1ax
zS8dQ&w8<!Cd38+}XJ1#f6|D`7AJ6+Fsr$rBs%wDxJx&tw*&5k&wN_-uj!ur;28wi0
zO+Qvl)mUZbXZm|~oa;LAHy_>PQy<rI@3u-En9*i_l~-?$0z#b@Vco$oFcZc}d3oKO
zD*z%H@Hm`{0l9tDx7KHebXBjGPA%mTPf<pnOy#m~KL9BjL-WcR=L#f{u~T2e78Ilg
z(JT)-B~I|YWyGa#aWq+mx~dt<5RI9)@9nr`in)T{m4a6g9DZqFJ{0ZDQ&w4XPvcfW
z)Zgnax(EnBgW0T@l}fNuwENi8sV_h5iwfdBoer10OP+L`!QRkj>=!QiV5G|tVk)53
zP?Azw+N)Yq3zZ`dW7Q9Bq@Y*jSK0<1f`HM;_>GH57pf_S%Ounz_yhTY8lplQSM`xx
zU{r-Deqs+*I~sLI$Oq`>i`J1kJ(+yNOYy$<j89}LeB{DsRRYsqux%gkK#X#@e^U8%
z#M!7}cTMHu<FLh@jarvDc8P_@QfzNdoQi_n+%?2AM>_>R3Jfi680<|^u#J@aY%Q>O
zqfI~sCbk#3--^zMkV&Yj0D(R^rK}+_npgPr_4^kYuG=pO%$C_7v{s@<a9Q#wuB)t?
z#;9BrH!k(Q*;IUj?T<*@HX2{0em!6debb4D8+OTu+|0s%`KdJcokszE{b|_{ztw|2
zP8WR(1+AaeXov%C!=7CsT*LuDx^}pAS;||)2N$TDO}r&-q#K7;nWjNxk~onpjleeK
zUPThfcj0^+;uf%68trL0i1;=y3B3G^4+!l>-{M-P@RL3^<`kO@b=YdKMuccfO1ZW#
zeRYE%D~CMAgPlo?T!O6?b|pOZv{iMWb;sN=jF%=?$Iz_5zH?K;aFGU^8l7u%zHgiy
z%)~y|k;Es-7YX69AMj^epGX#&^c@pp+lc}kKc`5CjPN4Z$$e58$Yn*J?81%`0~A)D
zPg-db*pj-t4-G9>ImW4IMi*v#9z^9V<wSEy0;H<_ip{R`3n$&`z?qY&+x1%E`|f!X
zF^6qcbMj~^Y|&mU__An*YVWv%D)nfhgB<CJl`_02TU%zkuVLq-ifv^5t4@48WjUK6
z<1pI%d1Hq!eHx}*)cFId$Vc5Z{|e7mEOmtuWJf&C8D27?iS2&%o3DCSW(Dy{q!vBU
z<@J%bdvlGuCbxSa3MmV6=PD4kiAVQdnmr=bOicK#q7Xa-!xi^j8Y6rBUZPWqHJ^kK
zO^AmTc89bc5I+T$XZ64^_c1Pnu-4Kq8TW>D9h@9t;3jMAUVxt=oor+16yHf{lT|G4
zya6{4#BxFw!!~UTRwXXawKU4iz$$GMY6=Z8VM{2@0{=5A0+A#p6$aT3ubRyWMWPq9
zCEH5(Il0v4e4=Yxg(tDglfYAy!UpC>&^4=x7#6_S&Ktds)a8^`^tp6RnRd{KImB^o
z2n=t#>iKx<*evmvoE{+fH#@WXGWs$)Uxr<sPjul^54Bff9y%ZVHz+5}qAbDf+|fnm
zNd{_kS$6bt11Qz5?-m)?lU>tf?r>AaxV0?kf0o@oDboJ6z0cgP@A$;k>SK1UqC?Q_
zk_I?j74;}uNXhOf_5ZxQSgB4otDEb9JJrX1kq`-o%T>g%M5~xXf!2_4P~K64tKgXq
z&KHZ0@!cPvUJG<f9>4kw-0;tPo$zJrU-Nop>Uo65Pm|yaNvKjhi7V1g98;^N1~V3%
zTR>yWa+X2FJ_wpPwz3i^6AGwOa_VMS-&`*KoKgF2&oR10Jn6{!pvVG@n=Jk@vjNuY
zL~P7aDGhg~O9G^!bHi$8?G9v9Gp0cmekYkK;(q=47;~gI>h-kx-c<vM%*#w&fX{!h
zF%L>eM{ml$#8KI$4ltyja<rI2qq{$AR1|U_tFD)9Y-d_jShjldAw-)(k${x89fc)V
z^uj$O=9MXT2cL+;^v%uZ%TIiT&+A8q@<LEWivxLuc7cEhkMJup7#M4iRHWn;gs)|%
z*`|SUEl(kbPZ=F^TZ)n%ySX6erWcgVc`2wiVw2VTP%;PP;UMWPi0k}AaIl!DD+>qP
zki^cyDERloAb)dcDBU4na9C(pfD{P@eBGA}0|Rb)p{ISqi60=^FUEdF!ok{Gs;vb)
zfj9(#1QA64w*ud^Y<WE?99td@r;1MVEDo>sN5&PeiI>c`VioE8h)e}W%S9NMA55Gs
zrWL6l+@3CKd@8(UQLTwe12SGWMqRn+j)QZRj*g)Xua)%ayzpqs{pD(WWESJYL3{M$
z%qkpM`jFoqLYVv6{IbCkL?fEiJj$VG=$taup&RL9e{s(Sgse2xVJlw0h74EXJKt<N
zv_^nt|CWo1^pEn7x}Dzrxu#9#iylF>2<mjN(C1_G037wJ*c!9$6Ya%e(y$WXL!EqA
z8HVt{2cY#I$^(s5lIv2_V)0(hY4lKgWN5U}$n%K8Jg_QsDR2~!MLCfAxETJK@puD+
zRpJ+#PBP2wu|C*%vKJ>eX|dx<CQ&quy2)IJEnV9z;^O>z{->0)3W`JN7Bv!rLvRZc
z0tAOZ2yVe4g9iq826qXAg`f!*+}(o1;1FDb>kKexumFS40KvK0yH1_@Z=LgWZ+}(Y
zwYsa;OLz6tTA%gS=>8$=Z7pLh>|K2QElL)E=Q*(n*H`8R`8={-@4mTD-SWBOYRxV?
zmF(-rJB8^Wlp?319rTrh^?QEP?|Msxrv?WbJ-+id+V#F2Y4(JPJ6U9bv+U1cIIH^W
z)lg$_=g^Ma>2~Pyd_YOAv29Cb-U6DJO?NxnW7~QP*SmYi*vdUVuW#LWQ_u0`hymZi
zaQS3Nb^4`ro$>0G%zbXmr5|D|iq0R<;S@?kr0j5Ruq87-Z1>crx%EzVZ9#U;{?}ti
zW2W%*9MQg3Nbh%Ti6LhDd|-aFSgXoPG`mHlUU1iCHr>ru>DX?W_#13(`u*!Plu2OP
z6jk=2>BC0l)aw<WV`x+C!_sw{a5i*Q67F^#P-aA<I@z6VbJW-5&rwZfvvRk3_cA8b
z-o}<6m7#V@uDa<CVdlJ4d|5@tUf!yN<DjY-Ylj}w8VTHcITO{giPiM2=!{`C)-kgy
z4M#`;s$Hx(F&Ry_6@hE&#+WZxZsYohII;=<B$l#U>;HCmxoYD1i4b%m$1`DYC_^L~
zIEAnFcHvad=-aO3(_MI=9#`z6-9*_!&$?<%meb5;jG<wc(D1r`!k7AFaq^l6-TVCr
zn@T;NWtk;qx(I~IDg2;{VNza#Y9hnvC&&D^iJtYTc_&lLexMB!uC87mR>d5Qp=MGf
z6BD{%`L#TAOq%z%@*ib95Ey7NbUF=BlszVk3Iu3imD&*91N-ij%hW?W@~2TtdHTfP
z#n0@Xd7X8Dyu36n{k#PwQ~T~X7mAO^cNV+z<<Rr{6qP*fL{*O`It}aSc#<7ICz`zH
zfdvuUP1@TR@FL!bPH1@um7aB~aO<rmJ%*b)*b*mqm<2+)la8vi-b#-P?L4aM?FRQw
z!SL2{$6_lC;MwX~JFGU~u@(2B?<Z2dhI@qhN$Or_U*}$DGND-zz*x~AawYee{HE;I
zGAb(xm0Nq$##BQLFEgd@aqT*NJhB}}du8b8cj%ob49sgx?Oi-i5sJpioR>HO@3X-#
z_@rAn$k~(l@kciCC;&Qd*fWRI>=;fL{UPlciNDWyj$bX<#r^(r;EE8wwUVQm&7~QY
zCXRj!**r^xybAEPq>h3W$uvI1j=yNIyzkE_D7fpGw)OV{U*Uwm{xB;mEg2(|y|ICd
zMdQVqzMb-=XM6|E-a9kNh)^9lY`-DjhhHD1w5lufRcy+QLgJ47!fFn<KQi>e86#F;
zX{ufroVBEZJOY?rDo!;Te6aOZ^1SO!dYRxQ*2njyA~dCWawn)>!*k7~>8Ikt<J9hI
zLTxVl%^kbxFjaJKz4UwX+jy29ohPH6;RO0%T`A|oSHWhqWuNJ8tYd1Xp}S%w!~<wT
zHSeF;1&d?WDhsdZgTM&TfZ@=Pp`{?gU%*=Eo2o<UfasbP*Vgmv1Y;j}@b2Fxb@=4D
zWq$ckb3BOYn%N0MW}!64?YGvuPD`}=WgRB1BPo(kSV>&e*0>>V5ZbO|*1+2LFOqVe
zXHb!aMk03^h%&9L8GMy7UDI2Kev>V@(R}*Iu6x+!Hn4~D@wj`P%#Hdbf(lK{+DD7f
zJ&(v*mhn_e(R$^5L#bM^^Q@-!*b!l|+Xrb(q*MRFJYnrE7*xko!SJOy9LngR2|q5k
zY`Ioiu+YBfzF{Labszk-E#*BYQk>$()=xWEGZRKwY)*UxP}0dGuPLZOk<u~1pRF`m
zxYnI*6_BmyuVfiETJ#r=!}C__TJ(hS&_}hqJq6T(xXbQJ?{M?GH1d;1)n-8$1pDWw
zJw5OAAMQDHK*ksFYeeo`fz$TbpGy<)Wsk%<#FfYFVTT9*sy=H-wkS^x;7&PL{erf!
zzf{M*8sv9&hkoBZuv}-Nb}O!f7}9<9ZL1vRNUZ5T^4kV6WRoRqMQo_+AH>NJDI9Hy
zFjfwiK6RjhH#rHW#B0(MW}i%V`943<6@Z*Nd^JEP5uZonXm=u%AM>{H^U@&Jy*i0s
za_Da^xI6pMtXzHc{e~_ZcnKP*;=YL2Z^RmzDl{dJTk7*}E_h*NvgnhnxVKB59Duh~
zqouS_WoOR*{UvUw_K#OWz;gMracr%8>QQ&V*jv!8)ho;U8}9~8EU{N<=Z_gR%IpMT
zbkePUG_a<Uo93~%MM1nso9|UdE|j>fm=#|iIfFmdqkpLMGxY5D$`?I}&T7>TexU@v
zkBx09kG)O;09ckj#(_Uov6vv{{HOcr-%H#DUQ@*GzF8Zh{iSM13%fuB%>wjdU@3Nf
zlnYE!GTyNrqes|;nLFXfWU*Wg-9wmr=NBd$nCk+H?iwNvcd0Wab^3CT9a`>3V~oWI
z9=<ivyrYLX+hLVmYbCVC7nx>_H+N-Q=M<NIna#%7G#cG5P!5#|H6`sbgz{jBdvfcF
z%F@i>Q(io4u4mpdQ;k&5FXnKV5M7R`@WJ9h(GrAirO#XXOU{qQpk^B^Vd=Dt{wiqT
zg-#j9J~@o%H2;W9mg)o6@*Vo;BSs2*4HAHpDk02mndAsov08R_48zJZ@J)s7+hyCo
zy*0L#y)?AqZt-wX%+_Vx`8*A95OLHvs1$k~{h-_N<KA7r(+uvizi3XCB3#4TpjNrJ
zvai45nQG0Co%wk~tYgN!u~~y2n6k!jjXBHc$+Gq4hqTzEj>_vov_gHJE=`X>L?5K+
zD?u59=mjtImMvd1GsDytuYp{Iy<NXRrLZ4s+5CA`p}CBZMPL-T31R=B$JFH(h7Qq$
zc5;cO7Li&TJM=S4-dTKdpeXu!TD{GoUj}7yzx4mPG(VBO;Kq@rcXv?}P$X>UkW&?h
zF>$#`n$~bZ)KN0B$<p$VcVWI@lvp&2*7))!ZYjjYh^fBV(ceia`pW>XGeMYh&`;g8
zo_2-koaO6+8O!+L>SpIQbG(i;QW9UJi{Ecewlo?s&D!^>i$|#jaW}#HJuxt|W48=?
zb^Y&O$a1s5ddr8DIt!sD!t=y1g(d4GR(s;s-HfV$GXl&m;+sAAxB^rk(3_NjE$p#L
z*t4em?tA0d+XwRxN^OQwzbDZMuSE0J1)Ky{mq)^t4bnSl*)s>zNM@mMdtd78&ebHN
z`!(|lE5q-p+TsRaNnMXwALaN5QIZ2IUi^Z22tsN5>nvIO+YU}Q*xh6}ee6@rR~<&1
z(PB4z>9ZBUMXZwSMmd9-aKKsmJeJq^G|#JclOh*xf0?^e0(`40nsg1z)(48;4}B_(
zGwPI)yo|{oX{dVDL-5-aMGr;~vU1cPtJP5JM(sswz&Q`e<@0?y{YhsO9YK8EYJA;L
z>7oG_Mts+(wCBC*Md82#XdKw&J*IizR?9k^rf1r{Ot-&>V^ke{9nI9zavlcNkIJtN
z7T>?o|4rENk-?|lewZ(EfdR;%BUrzKJ^UkCpsM)EA9QHBVV8trT&*O(9?FO{MLTFL
z=5P0H+T6C^jAuX0k4U;~GM!x`!X2N~3_n?qXY$HI>x@(DHEy&Q3ucT1R6fj28wX!I
zC=&d$@bJ_v^%?W2Ngl}e8ww`b%BrN-PzGH;$@B2Ky1?%GMkm#~Okj(-Admyy;qya|
zOi7<TIqKLJIjsT6%xMurCppK$`tFA>3kr_pwt?5Nj<kh;AkqM0FqJNvpLG2%nBiEz
zf%ifK$Kw|EzR5(&`uXcro~^V8i}*)jhx5-t$rA$`c)ZqIf9DQr!qkCRbJWjUI$JZJ
zm$fJ9L9f6?UO=_r2e^Rac$+nqbYU6z^YgMBa7iN^LoJ4qw_S?6p!J<$X}7t17(?2t
zcE?oZJ$Jvt+q&PyLJYNC4pJ6B2Qde+jOF0Lu$QB|%Hl8GeqMD>3p=&H>81!w#>Agj
z(QXx{j0r=pTl>micAI_5vUw<3`Sht?Z}-j2Wx~<RLz32QGv22&J{94fr~V)YDG95g
zjef+~vo?CO%A&z(jqgjVppWOfXF_a0rF&LK$Mau_gV9Ob!+u&!{<c^Y1J5Po?`a)A
zQzS-wDNMkxF(uva11Qd*)ipedF7L8cQx?g7Pl*j{fhk~H=G{iXJB{lDwggu}3W3aA
zqf(*0b}y=rmt<QkiQ35c+=PEj9}{Iru7J~e%e$QIlUdUy@-hWEOf@ncen^;YeTZ*X
zH+U;(?Wy8Xl+h@nkoL^sjJj(5zUISeV;JWYIiaB7RDchD*VdjmbXj9)pN{CA%vsJg
zciJ6y-i)!8uXW&CN8ViTMaOYPM$w1*SL53`0@H8hO>F8DKCUQrsXl2?W8hur42(F_
zsSJ)_36&x6A|YkY6c<2a94SXbv~d>4CC4nkDPvf9Z5Fys^6^5r0j5=E>Cgy_Dk@tS
z%?c}9!qB?t6t8(XMH%le8UeNWp@Nsma~Ql+^3Bo%_npMryeQJz4V=BAqE~T?dejng
z3ge<X@Z7g2fW4F?C!aagtvam=!RFFVpJA`q1dy-E%du?YwT%+fTkMY4<03TZ)j<Oe
zuSu|TMbn$JCNKw9K<+@tJ({pU#md3G(`)NO28!Z^`B|&xuS!YWO}}^8(&l&<H`8f(
zO-EXMeXU|crFs+^NzF_IZ*xCTMAZi{Y<c;sK84v<>{fjCHoNAfYBvsfq;G%VL|j7t
z`X0sy1EEgpyD;)tS1x+fnv-?C@glP0{RCW}Ma?3qpoq_&IJAYOy3G#s`rsh5=3>`K
zkj``<PxYPrnJ%66XZ%$jT_UO;S&LzWfo&581S_54ry#ectge+aWQh>=;|*x5HSjZC
zXNvPLh372q;=+6ja|SC!R-`JcL}}wwskajjTUGTpL(1zkN-p?BA2lmf<wk(A{@fWd
zR@`1h3RtSO<YT(S4xL@1hiEAxTBBzva~C*l--DU9m2vX&A2fTNg49@_4&`2Bzy8!U
z)6qtF$FpZMEKdNYC;O-#lGOq92InNM@``qD2YvzcS>+J3WsB7!k`0Brx8^cLTF9<g
z@nKD{&MQpkhV&mNuFe;7?=GL>h)r+LZ$vsZo}`OpOs)?c6$hclR!R#MAeh|_DY|9r
zy+_3c%IO9h9X?ksp?an&>Lw;QeQ`T-Ku6HaK~H?E9-Z5$cZu{YU;1+-6B$|JD;%!^
zt(4l>F8}a-UkC4YtOxFHckhl4VK<o_&-lD0mk1#hZYAraLBA)XZd9SwQ&Pgn$a!)D
z;&eLCGu8&`Ky;&{YdGM4YZMiZi$_@v^1aVdy+K+*Qo!QYDDtW4@Os*LbJ00k{m)5`
zoRKnSu)novfL2Ts{!-4+5Y{b=o+LpM;89G7S{vXl;M_l=ND-Rc5qgt=ci7TpEo=mH
zL6*Xt9up_3hU63OR>r6P$P_O*U!)IDory%}Wz`YeFx6TO{y2Y${SBm?H9cTWV=WWJ
z`_*CGso!ZN>l@~_jkeXtV}<eU5O#LliK7g)klc(Z=e{4*h!dp)V6v<*N!NnT1w~8K
za~UIar=<m6R+`}h>fczfA{TUkyeD>)i3|NFGcCsBmK3HXp&ol_@GVs7PIpfULy!hi
zs+%KYgS%(n7_z_}6<X(k(VFudPeVYWZh9|epL*7btD&ckkCMALmGw(owKL=w(~r63
zOyHtRRzRvkW>)hblk~W#LZ@&2)fwm6xkFP%&Ju|MFWbNiTwy{{g-pV1RK`L&=RE2D
z4|g;~vd<LODHcrO&uLo^tGtrbwh8*iCTXkJcd4-eXXU0I?k1m)6`j}QSOp%!d{k#o
zIrMoZ12w1s%;qprCkWS}WH>8x<?cZds#+JB{z{||9jq*<HT!M-cBcH=;7~J2uQ_26
zvZro;_+w%PUpNkSI<TD8&2%vNAnp4avGA`e@UKhI+!{F{Jx<Cv<%&v?&9%YQ4BL2T
zaOOpQFMay>d|teYS%w!IlT4W$&FTrk-hcTADX!P?*f1YWEIRwq$Ys%^(Z9w&HT$>}
zsMD#6Df=uJrX!JHP7<>Or;e_Cf=}`!`qR=i8fBj)$6Lxx{HRzd8Tnzd0p>kSps{OG
zKJkml>bUj8$u|F=``l(-aMxWBC@CGZ#FXClQZ<4|&%jN}Tkg#q8z)=>Ly{$i0`rjU
zv<vjl^OND_&nt8%K_DY<c$hBE?ht3o;zMF?PraCx<3H?R+3c+lcVP-`!*=iR^+4=@
zjAXY+K30oPt-hFFYy6`C$csm;r=3u|c~FmFo6B7|^>t|QddO&i=91e?h3>s~i;+6{
z8X4i6a1wDLrSuE#W(zhan+U*Zq+8p3a))JFVF4ffaV51K^YgTs<ELvmzH15OGhhY8
zrA_+PnYK;aeddV!Pi3^WYTGZ2*J)4~@C%)8#kRVzSG2!MszRFau_EOo^?}G1$p^yr
zk#PoR%ZY0-+cfohw#0i(2hnkZfA7b9`g0$EfREag|7IgZEqyUPIUSL{ls?ZdY2jlv
zX?1Mzw~@8iav*U46179*NN~X0%-qa(h<B)RSSGS9k|=WNp6TA~=CbwUXG!l)zfkxA
zNej9!)gKN9qFfwPo;8s*!hnDPngF9Kp{ukrX|iXeI3(#zb*h?bb?@D>o~3;Y*NmM;
zx8T?y-N0uyWY(8=me-HUC9xtABvX5~%yg+Cp&XF$Bq=OcK6T*D7eZ2EmIoCFWm{$S
z1PNw8HDpe5hHeCusN8kdeb&f2#=3M^A~7YwJ7FRrhq*)PG9x?JIAaC<n&nyz&js(6
zJeGWn+?QRH9iX#RFkV(w>{MV}5}<q?f|v9)L^XT#O^Q+lTLo@~KU5xyfaaECe?QTB
zEU+ll%CA@S4EasNBgDg3P3g>g#7R$-Ly%)4=IUkRCGOR|XTMjn&okRmFjaO^YF5^*
z@)#MCBOBezD)*xQNxydlUyN?dW{fS(s-T`gv*0BEnk}<MqB*2*JFz@&Ut*5R*2h-J
z)_1&Q{C@mZhFSfyIyZ=2gNVh5&AtuX!f!}*i1VjIDopYKYu?w1#R<cS5`I@F1PQbP
z*(_N34x08$O$DXg^I;Q5K8>`BdmrbmPO8q8y(X$AA}*RH%I7Av!~84pudHb&%Q5-j
zt?=6x(iR?<^_7X0v6Ys#VAL}dKk^hcjI=|EY;kPcZ_w<*H`_*|N7SacaM1ERD@6ab
zg`!iTm7$URV+lpW_{V$ruR&A>jrX68k4x2wo$45}&wf7o<|o(@B!u-L@bKyQBAGwy
z4#}UrRAu>^>Vb6k2-th^>WjvP;Nl|i3WrjWv3ISkj{m{eAcQIW^_ndxSX@|8T(ASJ
z?_<Q%GX;J*nopDj?vlGTW3<2Bi-14h9Ft?$MJo-;vYeHFBv>$fcP2u*6uOBk-{d>^
z0vWlfGQMvysI%R=iE|A+!!Nw?C917EU*_$`;;)px?s83CRd3i_jBN)k#nR5t$dJ(+
z_sP;wG@Ad)^(3LRj7q}0b2O(b`|i0~5SYb%Sjk^*5ISZ-Ab+}DGu$-X1n^TF1Ndw_
zF|e*1)cI2%`TR&AW~XpqpFb!=3cHbS>np9hYD_Mr5}y5Y<hjKC>`SY^r7isA2Q4(z
zazRQEqWDKT2zIEbjSYdCPi1ZOGz80Nsl}gxO^<!<`)h}k*WrLKhVC9A^uqPrAX2rJ
zk_X_<UKVZj#SZ`e5i&Jvd|AuDABtCTp9RP@piFO@ZU#$^j4fEyi5WR4tQO|sRzdLJ
z86FxwO1hlidA6EQ5OI;XPTXTa$K&JwxgTfPhh!ZPwc^HMC{@|JRTI?xh^Ptzlf~Qj
z4+amGs<?A`M~9~Ge+{a1r{l~f$XZHt1Ik1~ki({=W}#a+O?yAslpyDBa!(JThcKg+
z`7_G`o=!47FD0IvP768*p<&Vtm`CtC?;Dj`fo;v%1qH|i1@RjM=o$pEJq4&d1&L7t
zjHm`Qe8@BW2ApUJb#%iMo6qv$oT6Alh&RB*5@4ncFm(r*OBC@so8*msJq8zql&b-+
z5<*+q@YE4P>DWMY0AV<2K&OL{&^6#@L1?lXu#6xSMh%3^5c*}oM6DQGY#(a^@z<&D
zF(43I9e&5`h|A$5!+UFuOH0>F3$shBV4`0#M4RSB8=6F0ZgIbq<2LQ$Hh^(kAJu=!
zt8ZGXTacD{(3W{V1$j_{Jc)Ka7<N6;sXR!iJaN-JXwp2f^gSr_JqZ^)=odUOg+0iG
zJ@H#S=vq9neLbjrJ&FH#F#bWI5hI@wqj2Jp)bXe%8c1>t6u}ho`4kF+4@t_0!mCBn
z)}o%eA}L)_L?=jw6BIfll7tb3n}?*yLt&XADa=rW>qz=_6s9ziOd5sXjil>FVFx3r
zf>Feewk0v#W9>Gp4GacTRr>Sd2T6dWi-{YX`v!D)kCWzG5xQB=?es5ON(%nkwUhNl
zV>@xkWWWv*N+{e$(SrExvN6BXzU(Hxlx27{VYHf+LpIbTO+Yu(ltMk<<mdQtfilQ%
z#zERxP>;)3A(LU@ytVYFkYvTa79idMtUFhfxx?P!)2F`prNWW#Fub#l>N2s@nh&n_
zA4{#}|AIs9|A4P0ZF%fy=hDN!t#ifH<)4u2kirK~JUpjQ-J+~cXOZI&dI<edX<Pe$
z<5K%Sv8eq|W{$&;<^B}h+C6HiudVR>ts;P}UeXslP6zKvpEKSN-$y>kJ^nw2tC9bv
zo(|lT@?vZ!{_l|d^8Yh)eEBh*5ABh<!=o}_%`M5uz0&2FvS#W)djCI>+Lzjw+?V)o
z#P<J#52aEke-8d*<DbLpV99;)|DC457DTn))TG@GiB9R>-W7361>E(Y4;@`sv;VKn
G`u_lkUM?>H

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/caret.png b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/caret.png
new file mode 100644
index 0000000000000000000000000000000000000000..c5a91e69a3bf5d9cf9aa3d2708e50fa28a124af2
GIT binary patch
literal 2935
zcmV--3yAcIP)<h;3K|Lk000e1NJLTq000>P000pP1^@s6D7ps@000WNX+uL$Nkc;*
zP;zf(X>4Tx07%EJmv>N8`4-22_oj!076?U3=uLVD={0oeASxjVA(RkOP_ZGhxB_cI
zL<Gx<E>*#`&=wW3U`4=Q7i3XT*TsUMsO$wE;k`Grf4rG@GH325XU;u2=jQxoz83(}
z2!qd0hh+iC;E4p`ex9`0xOf`wcK{<FJdgug45pCp5f&B%{?R_&1JKO%w&_eQ@V}WH
zi!EdV0EHo(#1b+y5I%)?50ftt0f5R!;ySBD{28uASV4d^h;YXYbLO~rhLh&_kJ+5a
za4&=>0l<?O3;_oK5*mrqvY8yD4oMeb3m%KhLpTy)S7r)>g>Wgti!(AZXSfq#!=!(!
z!}*VzNs^ij21mkkv&<Uan=9m}GuD9rw`HV@=YK;RaZ-xFKODL0BhRchEi+KUyrhuO
zdFHZa^Jh6l>>oAHOrcl&JhK?yf%7a*i}ILfhG5}du81Bv&w|WwNqx4^Cqh!6O%Iav
zkRBr8WUeoLo^w(nW9B)V8yzyw!nBCMg&Z$QTp$jY^qeg4mCTqST<DF-Sm;5N66wFt
zTdbr97TeoL66Zxp^7$f9Nlkuwm?WQ_?k9;0vm+$;ijW1H=Tt^O*g~B!$@2k`AO(m4
z53m3m2tX3Z1nEEoXuunAfe`SKZw!E}hlsseG&6)(CV!29%SjQ@JdjhwrqOv!v&A$k
z3rkx7X3pf?U;cqQd)6T8wS`y~va61TNRYD-W9R_T_5uLPr-hi#dt_a90C1+4DHdeU
z#b(wPU;q)w00p1|G=L5;1g5|W*a2tY4tziW2t_7|11kU%nI{98WEEHkHh}_A1a^Sk
zpaL8Ohe0hk22Ow$&;iba%iucb1$V(?FaU<ZYcK{rfhh=ra1a@yKq`<Xqz9QmR*(ba
z3i&`mP&gC^B|;pC2Z^C|&}OIzDuF7XLr@*`E7S&^hps|>&_iet8in3NUtknWf)!wO
zSRXcr9bgYQ5RQbG!yGsZ&VlpcZE!hU1s{c*;q&ly_%1vEzlO(A040T@qO?$^C<l}m
zDijruN=6A#8&HL)GE^0+5!H_BM%_jYpx&T9qp@fTnuaz-JEQ&4QD`PQ3%vndjIKb}
zqMOkd(YMiq=rQzn3>l+_F~K-t=$Kdx2eS%OfGNXNV@_i(VeVpvF`uwlEEQ{jwa5Bn
z<FKjNwb)|peryxA6WfO!!j9u`I2D`;&IK2WW8g%%0^DBQQQSFPKW-Q|iI>7_;;rz$
z_;@@IpNB8Q*W=IP`|&UFQv_Lp9>IwaN?;Mz5VjMJ5ZVd12*ZRaq8!nH=t7JnrV=+1
z%ZZJ|OT;I{4^mQ6+ER{EOQpC{xl-j)$EB`F4N83`$&-vpUZez)n6!;lL+T_wBz+*0
z$@*k>ay(f?-bSt?Um!mtPfAmy&7|qlEa{EXmD0`9{nBq`2r_yy9x^Lra%9S6PRiVp
zc_T}Z)tB{>Wyo%jt(0w(y)Qd1N0GCX3zf@|E0(L5yDB##kCWGz_mOAG=gS|KzaT$E
zK~Z!lUKA!}Gvx^75@lEct6-o&S4dSTQaGm2qcEl@uV|wft+-mTQt^!902M{mr_!nE
z)a}$0)O*w~O6p1;N^GUAN{veWN)yV9l--rt%7w~J%6FB&sL)h=RMJ#-s<fy)RYj{B
zt1eYtrFua1lIoj93X7Z<F&7msI<e@H8mwll7Ou8d?XcPnwQ+R~bw72!`d;-5>Tfit
z8txjY8l@U%HAXclny#8$%~H*Cny+YzG!I%jt(<m|Hm0Sf<*y~yI;7R3HKlE!9i^S8
z-K70ghp6MAldMy!)1@<}tEn5TyH2-3_mLh!&p|ImZ;xKL-h{q^evJMW{TBTZ17!oc
zL5@L#!4pHWp_^frVU^(>Bdn2wQJT?yqh4d!*w#43xYGER32b6#!Zq1%(zh71*l{s$
zan<7crX*7j(`?fQ(?K(;S&&(tS&P|Qb6xXz^PT41=HD%BEz&KHSUk3rw+yh%vuw9~
zZ)I%7w5qhaV@<a9wccpmYW>c}#D;Biz~+H1#WvV>i*1+fH#>VffnB5BsJ*UzqWwPm
z`wj{YVGhL(R~#{po{k$GI~+ed**S@vPB{JLZ0elmT<<)x#9#?~$&n>PF4`^(mqRWC
zt~A#~*PmSn+_c;nZdGp2-F4hq?$z!uJ&Zh3J&t<3^|bI5c%Js0@N)86@73vz^7ivC
z^zQMI_lfeU@OkE|?aT3P@E!BB^;_%L>5uUb^xx@!pRP`4((CAB0rmmw11<)V0wV$|
z0-pyN2ML1OgW=$S;9bE_Li9p-AuXXGlpeY(^l6wuSXS6?OR-DCmR2r(5pEg2F1$N}
z60tI(KH^iPXXN(C$5Dn+;;61@ndpS*y6A}*@0gO9fmrj{^|9CERO7gDt?{_{==kdR
z@nt^Cb}t)FuuUjPxVPM3`Re6YSE#N?UvXxo%u2?}lZlwbn8f<TuZ&Pe6=OV!p0qD%
zjOoSP!+gzhXO*%>*)Hr7_RD0K<dWnOjtgfOXEenvr7YzQ*Na=heV6K=dN6e&Ei|nr
zZ8|+By(t5qk(klOljo)JE@o<EuFmY^oA3+x16fX4yR*gwfr4rwBwQ|R6)7O%=Z4r&
z{DXKf+cmo~dvaCus*|hbR`XWhSYy0q>zbE2zB#|FMXzP9?OLa`ZqvHK^&aaFZGbi;
zZRpylvoU|;aIRl&?Iz-;v`shjEb>b7K5mZL+@7zVpPN7QgWnGg1=0nAg8N&Xw;cQt
z{Ui6so~_nf_ip`O$SS;6WKmRB^tG5-eC;R8pUQul-j=+rXS?0@13R!gcsuUxblX{5
zB3F`AGPEmrS92+?w6OH!?v=Z*mf4gY+(X<W-ZM}hRNlH*ckhn9Un^27?pAtMHtkc}
zw{_pde%Ai}1MUYJ52_z5I{4*h?#~Yn`5kJm(yuBzj6Ixv_{EXvBi+9^{8Cq~T3uBA
zt%g@KP#a!*vCh7(u3oKvdjs4cZWuk9aJ2WB_p#PS)5b$h)TW~2;JEnst6vj;y>}w;
zMAu1&lZ~hJPVGBQIbGNcHLqzNYe{JtXpL*_YYS-WYIklw{hQfuH62<Vm1h*sY(Gmp
zn}2rtT+X@iPJZW`^PKZTT`RjDUx>YM=i<_fJ(mJ6UAgRg`9ilx_qi)BS30gbU2VJO
zaINLK-Sy@hwl_}Sw7q${$F8UOmi?{PUdP_{z9oHU``!A_-}b(J`40Wg^}8W=`|d^E
zdvHJD{=fs)gOP{n58pk?el+zs_X*}n;ZxbCWzW=}RsC-Cd((j3z?nhs!5hybo<AO9
z4!!<E_{Z1b{1@aGWiK^f){R(=bd36r_P$#7YWOw(_0*e!Kjr@1_tx<3slVL+x-k|z
zHvCTTZu))k2bB*sA8kH%jfagt`;_r%YNBvbWwQ3O!{_cVF<)Lzt@?`lTK>)GTl@FG
z?@y*Prl<J~0b^DQpb&?XlL2^N0{}S=(GG~NCQ8p~=2?U0bp9-Xf8se^J!^IV)VKo>
zl?y-+qEQYYu9rKft!E@tq&tAEttI|16DC_*&DA0y$`dm=J^eu)09-o&-vrasQ~Rf<
zza2rEeF#8j)|^(KF)Z>1Q(~Ybi@AKW#5w=JHS^zZy$adoxh@$1000JJOGiWi{{a60
z|De66lK=n!32;bRa{vGf6951U69E94oEQKA00(qQO+^Ra2?7r#AW&o(vH$=8K}keG
zR5;6H{Qv(y1FZoQ10BGqB_q@l7JQPfuC7?q_wL=h8L8$IY=)6)0a3w)Y$!PvFfcGM
hFplQ<QA>ulB>?VZ66NhRF4X`4002ovPDHLkV1jAaiw6Jz

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/default-logo.svg b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/default-logo.svg
new file mode 100644
index 0000000000..1fc57d76c7
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/default-logo.svg
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Creator: CorelDRAW X8 -->
+<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" width="171.889mm" height="34.3477mm" version="1.1" style="shape-rendering:geometricPrecision; text-rendering:geometricPrecision; image-rendering:optimizeQuality; fill-rule:evenodd; clip-rule:evenodd"
+viewBox="0 0 21856 4367"
+ xmlns:xlink="http://www.w3.org/1999/xlink">
+ <defs>
+  <style type="text/css">
+   <![CDATA[
+    .fil0 {fill:#EBECEC;fill-rule:nonzero}
+    .fil2 {fill:#E3E4E5;fill-rule:nonzero}
+    .fil8 {fill:#AAABAB;fill-rule:nonzero}
+    .fil5 {fill:#939292;fill-rule:nonzero}
+    .fil1 {fill:#D94F00;fill-rule:nonzero}
+    .fil11 {fill:url(#id0);fill-rule:nonzero}
+    .fil7 {fill:url(#id1);fill-rule:nonzero}
+    .fil10 {fill:url(#id2);fill-rule:nonzero}
+    .fil15 {fill:url(#id3);fill-rule:nonzero}
+    .fil14 {fill:url(#id4);fill-rule:nonzero}
+    .fil16 {fill:url(#id5);fill-rule:nonzero}
+    .fil9 {fill:url(#id6);fill-rule:nonzero}
+    .fil12 {fill:url(#id7);fill-rule:nonzero}
+    .fil13 {fill:url(#id8);fill-rule:nonzero}
+    .fil3 {fill:url(#id9);fill-rule:nonzero}
+    .fil4 {fill:url(#id10);fill-rule:nonzero}
+    .fil6 {fill:url(#id11);fill-rule:nonzero}
+   ]]>
+  </style>
+  <linearGradient id="id0" gradientUnits="userSpaceOnUse" x1="2258.18" y1="2586.09" x2="4329.89" y2="3125.08">
+   <stop offset="0" style="stop-opacity:1; stop-color:#AAABAB"/>
+   <stop offset="0.101961" style="stop-opacity:1; stop-color:#AAABAB"/>
+   <stop offset="1" style="stop-opacity:1; stop-color:#4E4E4E"/>
+  </linearGradient>
+  <linearGradient id="id1" gradientUnits="userSpaceOnUse" x1="4003.85" y1="4057.41" x2="4106.63" y2="3796.38">
+   <stop offset="0" style="stop-opacity:1; stop-color:#E4E4E4"/>
+   <stop offset="1" style="stop-opacity:1; stop-color:#A2A2A2"/>
+  </linearGradient>
+  <linearGradient id="id2" gradientUnits="userSpaceOnUse" xlink:href="#id0" x1="2258.16" y1="1781.29" x2="4329.9" y2="1242.3">
+  </linearGradient>
+  <linearGradient id="id3" gradientUnits="userSpaceOnUse" x1="4249.51" y1="3279.41" x2="2665.39" y2="3279.41">
+   <stop offset="0" style="stop-opacity:1; stop-color:#FEFEFE"/>
+   <stop offset="0.231373" style="stop-opacity:1; stop-color:#FEFEFE"/>
+   <stop offset="1" style="stop-opacity:1; stop-color:#B0B0B0"/>
+  </linearGradient>
+  <linearGradient id="id4" gradientUnits="userSpaceOnUse" xlink:href="#id3" x1="4249.51" y1="1087.97" x2="2665.39" y2="1087.97">
+  </linearGradient>
+  <linearGradient id="id5" gradientUnits="userSpaceOnUse" xlink:href="#id3" x1="-0.0127153" y1="3279.41" x2="1584.11" y2="3279.41">
+  </linearGradient>
+  <linearGradient id="id6" gradientUnits="userSpaceOnUse" xlink:href="#id0" x1="1991.34" y1="1781.31" x2="-80.3479" y2="1242.28">
+  </linearGradient>
+  <linearGradient id="id7" gradientUnits="userSpaceOnUse" xlink:href="#id0" x1="1991.33" y1="2586.07" x2="-80.3352" y2="3125.09">
+  </linearGradient>
+  <linearGradient id="id8" gradientUnits="userSpaceOnUse" xlink:href="#id3" x1="-0.0127153" y1="1087.97" x2="1584.11" y2="1087.97">
+  </linearGradient>
+  <linearGradient id="id9" gradientUnits="userSpaceOnUse" xlink:href="#id1" x1="4048.89" y1="285.509" x2="4123.28" y2="547.495">
+  </linearGradient>
+  <linearGradient id="id10" gradientUnits="userSpaceOnUse" xlink:href="#id1" x1="245.672" y1="309.973" x2="142.882" y2="571.018">
+  </linearGradient>
+  <linearGradient id="id11" gradientUnits="userSpaceOnUse" xlink:href="#id1" x1="200.647" y1="4081.86" x2="126.237" y2="3819.93">
+  </linearGradient>
+ </defs>
+ <g id="Layer_x0020_1">
+  <metadata id="CorelCorpID_0Corel-Layer"/>
+  <g id="_1932602954816">
+   <path class="fil0" d="M7629 276l-1838 0c-270,0 -491,221 -491,491l0 3135 0 166 166 0 1838 0c270,0 491,-220 491,-490l0 -3136 0 -166 -166 0zm4077 14l0 0 1838 0 165 0 0 166 0 3135c0,432 -348,500 -681,500 -56,0 -125,-3 -189,-6 -42,-2 -80,-4 -126,-4l0 -165 0 -166c32,0 84,3 140,5 50,3 105,5 175,5 171,0 350,-23 350,-169l0 -2970 -1590 0 -82 0 -6 0 0 0 -2 0 0 0 -2 1 -1 0 -1 0 0 0 -2 0 -1 0 -1 0 -1 0 -1 0 -1 0 -1 0 0 0 -2 1 0 0 -2 0 0 0 -1 0 -1 0 -1 0 -1 1 -1 0 -1 0 -1 0 -1 0 -1 1 -1 0 -1 0 -1 0 -1 0 -1 1 0 0 -2 0 0 0 -2 1 0 0 -2 0 0 0 -2 1 -1 0 0 0 -2 1 0 0 -2 0 0 1 -2 0 0 0 -1 1 -1 0 -1 0 -1 1 -1 0 0 0 -1 1 -1 0 -1 0 -1 1 -1 0 -1 1 -1 0 0 0 -1 1 -1 0 -1 0 -1 1 0 0 -2 1 0 0 -3 2 0 0 -2 0 0 1 -1 0 -1 1 -1 0 0 0 -2 1 -1 1 0 0 -2 1 0 0 -1 1 -1 0 -1 1 0 0 -2 1 0 0 -1 1 -2 1 0 1 -1 0 -1 1 -1 0 0 1 -1 1 -1 0 0 1 -1 0 -1 1 -1 0 0 1 -1 1 -1 0 -1 1 0 0 -1 1 0 0 -1 1 -1 1 -1 1 0 0 -1 1 0 0 -2 1 0 0 -1 2 0 0 -1 1c-29,29 -47,68 -47,112l0 3136 -3 0 0 165 -163 0 -165 0 0 -165 0 -3136c0,-135 55,-258 143,-346 89,-89 212,-144 347,-144zm-1190 -9l0 0 -1741 0c-252,0 -458,206 -458,458l0 1655 0 166 0 0 0 1502 333 0 0 -1502 1574 0c253,0 458,-206 458,-458l0 -1655 0 -166 -166 0zm-1741 333l0 0 1575 0 0 1488c0,6 -1,12 -2,18l0 0 0 4 0 0 -1 2 0 0 0 2 0 1 -1 0 0 2 0 1 -1 4 0 1 -1 1 0 2 -1 1 0 1 -1 3 0 0 -1 3 0 0 -1 3 -1 0 -1 3 0 0 -1 2 1 -1 -3 4 0 1 -1 2 0 1 -1 0 0 1 -2 4 -1 0 0 1 -1 0 -1 2 0 1 -1 1 0 1 -2 2 -2 3 -1 1 -3 3 0 1 -5 5 -6 5 -2 3 -6 5 -1 0 0 1 -4 2 0 0 -1 1 -1 1 -4 2 -1 1 -1 0 0 0 -3 2 0 0 -6 3 0 0 -5 2 0 0 -3 2 0 0c-3,1 -7,3 -12,4l-3 1 0 0 -4 1 -2 0 -3 1 0 0 -4 0 0 0c-6,1 -12,1 -18,1l-1575 0 0 -1488c0,-6 1,-12 2,-18l0 -3 0 0 1 -3 1 -3 0 0 0 -3 0 -1 1 -3 3 -8 0 0 0 1 0 -1 1 -4 0 1 2 -4 0 0 2 -4 0 0 3 -6 0 -1 2 -3 0 0 0 0 1 -1 2 -4 1 -1 1 -2 0 0 2 -3 3 -3 3 -4 0 -1 3 -2 0 0 5 -6 5 -5 1 0 3 -3 1 0 3 -2 0 -1 3 -1 1 -1 3 -2 0 0 1 -1 0 0 4 -3 1 0 0 0 1 0 2 -2 1 0 4 -2 -1 0 2 -1 0 0 3 -1 0 0 3 -1 3 -1 4 -2 -1 1 5 -2 5 -1 1 -1 2 0 0 0 1 0 0 0 2 -1 0 0 2 0 0 0 4 -1c6,-1 12,-1 18,-1zm1573 1506l0 0 0 0 0 0zm0 4l0 0 0 0 0 0zm-1 2l0 0 0 0 0 0zm0 3l0 0 -1 0 1 0zm-1 2l0 0 0 1 0 -1zm-1 5l0 0 0 1 0 -1zm-1 2l0 0 0 2 0 -2zm-1 3l0 0 0 1 0 -1zm-1 4l0 0 0 0 0 0zm-1 3l0 0 0 0 0 0zm-1 3l0 0 -1 0 1 0zm-2 3l0 0 0 0 0 0zm-3 5l0 0 0 1 0 -1zm-1 3l0 0 0 1 0 -1zm-1 1l0 0 0 1 0 -1zm-2 5l0 0 -1 0 1 0zm-1 1l0 0 -1 0 1 0zm-2 2l0 0 0 1 0 -1zm-1 2l0 0 0 1 0 -1zm-4 6l0 0 -1 1 1 -1zm-4 4l0 0 0 1 0 -1zm-20 19l0 0 0 1 0 -1zm-4 3l0 0 0 0 0 0zm-1 1l0 0 -1 1 1 -1zm-5 3l0 0 -1 1 1 -1zm-2 1l0 0 0 0 0 0zm-3 2l0 0 0 0 0 0zm-11 5l0 0 0 0 0 0zm-18 7l0 0 0 0 0 0zm-9 2l0 0 0 0 0 0zm-4 0l0 0 0 0 0 0zm-1591 -1505l0 0 0 -3 0 0 0 0 0 3zm2 -9l0 0 0 0 0 0zm0 -3l0 0 0 -1 0 1zm7 -19l0 0 0 0 0 0zm5 -10l0 0 0 -1 0 1zm2 -4l0 0 0 0 0 0zm0 0l0 0 1 -1 -1 1zm3 -5l0 0 1 -1 -1 1zm2 -3l0 0 0 0 0 0zm8 -10l0 0 0 -1 0 1zm3 -3l0 0 0 0 0 0zm10 -11l0 0 1 0 -1 0zm4 -3l0 0 1 0 -1 0zm4 -2l0 0 0 -1 0 1zm7 -5l0 0 0 0 0 0zm1 -1l0 0 0 0 0 0zm4 -3l0 0 1 0 -1 0zm1 0l0 0 1 0 -1 0zm3 -2l0 0 1 0 -1 0zm6 -3l0 0 0 0 0 0zm3 -1l0 0 0 0 0 0zm19 -6l0 0 1 -1 -1 1zm3 -1l0 0 0 0 0 0zm1 0l0 0 0 0 0 0zm2 -1l0 0 0 0 0 0zm2 0l0 0 0 0 0 0zm4 -1l0 0 -2966 -7 1672 0 0 2970c0,13 -5,40 -5,40l-6 18 0 0 0 -1 0 1 -1 1 0 1 -1 3 0 0 -1 3 -1 0 -6 13 0 0 -2 3 0 0 -4 6 0 0 -4 5 0 0 -2 3 0 0 -2 3 0 0 -1 1 0 0 -2 3 0 0 -2 2 -2 2 -1 1 -1 1 0 0 -5 5 0 0 -2 2 0 0 -2 2 -3 2 0 0 -2 2 -1 1 -1 1 0 0 -3 2 0 0 -2 2 -1 0 -5 4 0 0 -5 3 0 0 -3 2 -1 0 -12 7 -4 1 -2 2 -2 0 -18 6 -1 0 1 0 0 0 -1 0 0 1c-14,3 -25,5 -40,5l-1672 0 0 -2970c0,-13 5,-40 5,-40l6 -18 0 0 0 1 0 -1 1 -2 0 -1 1 -2 0 0 1 -3 1 -1 6 -12 0 0 2 -4 0 0 4 -5 0 0 4 -5 0 -1 2 -2 0 0 2 -3 0 0 1 -1 0 -1 2 -2 0 0 2 -2 2 -3 1 0 1 -2 0 0 5 -5 0 0 2 -1 0 -1 2 -1 3 -3 0 0 2 -2 1 0 1 -1 0 0 3 -2 0 0 2 -2 1 0 5 -4 0 0 5 -4 0 0 4 -2 0 0 12 -6 4 -2 0 0 2 -1 3 -1 18 -6 0 0 -1 0 1 0 0 0 0 0c14,-3 25,-5 40,-5l2966 7zm-1306 3022l0 0 0 1 0 -1zm-1 4l0 0 0 0 0 0zm-1 3l0 0 -1 0 1 0zm-7 13l0 0 0 0 0 0zm-2 3l0 0 0 0 0 0zm-4 6l0 0 0 0 0 0zm-4 5l0 0 0 0 0 0zm-2 3l0 0 0 0 0 0zm-2 3l0 0 0 0 0 0zm-1 1l0 0 0 0 0 0zm-6 7l0 0 -1 1 1 -1zm-2 2l0 0 0 0 0 0zm-5 5l0 0 0 0 0 0zm-2 2l0 0 0 0 0 0zm-7 6l0 0 -1 1 1 -1zm-2 2l0 0 0 0 0 0zm-3 2l0 0 0 0 0 0zm-2 2l0 0 -1 0 1 0zm-6 4l0 0 0 0 0 0zm-5 3l0 0 0 0 0 0zm-3 2l0 0 -1 0 1 0zm-17 8l0 0 -23 8 0 1 0 -1 23 -8zm-1723 -3016l0 0 0 -1 0 1zm1 -3l0 0 0 0 0 0zm1 -3l0 0 1 -1 -1 1zm7 -13l0 0 0 0 0 0zm2 -4l0 0 0 0 0 0zm4 -5l0 0 0 0 0 0zm4 -5l0 0 0 -1 0 1zm2 -3l0 0 0 0 0 0zm2 -3l0 0 0 0 0 0zm1 -1l0 0 0 -1 0 1zm6 -8l0 0 1 0 -1 0zm2 -2l0 0 0 0 0 0zm5 -5l0 0 0 0 0 0zm2 -1l0 0 0 -1 0 1zm7 -7l0 0 1 0 -1 0zm2 -1l0 0 0 0 0 0zm3 -2l0 0 0 0 0 0zm2 -2l0 0 1 0 -1 0zm6 -4l0 0 0 0 0 0zm5 -4l0 0 0 0 0 0zm4 -2l0 0 0 0 0 0zm16 -8l0 0 0 0 0 0zm23 -8l0 0 0 0 0 0z"/>
+  </g>
+  <g id="_1932602954464">
+   <path class="fil0" d="M21552 1415c51,0 101,13 150,39 48,27 86,64 113,113 28,49 41,100 41,152 0,53 -13,103 -40,152 -27,48 -64,85 -112,112 -49,27 -99,40 -152,40 -52,0 -103,-13 -151,-40 -48,-27 -86,-64 -113,-112 -26,-49 -40,-99 -40,-152 0,-52 14,-103 41,-152 27,-49 65,-86 114,-113 48,-26 98,-39 149,-39zm0 51l0 0c-42,0 -84,11 -125,32 -40,22 -72,54 -94,94 -23,41 -35,83 -35,127 0,44 12,86 34,126 22,41 54,72 94,94 40,23 82,34 126,34 44,0 86,-11 126,-34 41,-22 72,-53 94,-94 23,-40 34,-82 34,-126 0,-44 -12,-86 -34,-127 -23,-40 -55,-72 -95,-94 -41,-21 -82,-32 -125,-32z"/>
+   <path class="fil0" d="M21674 1822c-16,-29 -35,-51 -49,-64 -7,-7 -16,-14 -27,-18 28,-3 51,-13 68,-30 17,-18 26,-39 26,-63 0,-17 -5,-32 -16,-48 -10,-15 -23,-25 -41,-31 -17,-6 -45,-9 -83,-9l-113 0 0 327 53 0 0 -139 31 0c19,0 32,8 42,16 14,10 39,40 52,66 11,20 18,57 18,57l64 0c0,0 -9,-36 -25,-64zm-118 -120l0 0 -64 0 0 -99 60 0c26,0 44,2 53,6 10,4 17,9 23,17 5,8 8,16 8,26 0,15 -6,27 -17,36 -11,9 -32,14 -63,14z"/>
+  </g>
+  <path class="fil1" d="M15312 2714l-531 0 0 -107c0,-92 -5,-149 -16,-174 -10,-24 -36,-36 -78,-36 -34,0 -59,11 -76,33 -17,23 -25,56 -25,101 0,61 4,105 12,133 8,29 34,60 76,93 42,35 128,84 259,149 175,85 289,165 343,241 55,76 82,186 82,330 0,161 -21,283 -62,364 -42,82 -112,146 -210,190 -98,45 -215,66 -354,66 -152,0 -284,-23 -392,-71 -109,-48 -184,-112 -225,-194 -40,-81 -61,-204 -61,-369l0 -95 535 0 0 124c0,106 6,175 20,207 13,31 40,47 79,47 43,0 72,-10 89,-32 17,-21 25,-66 25,-135 0,-94 -10,-153 -32,-177 -23,-24 -140,-95 -350,-212 -176,-100 -284,-190 -323,-271 -39,-81 -58,-177 -58,-289 0,-158 21,-275 63,-349 41,-76 112,-134 212,-174 100,-41 216,-62 347,-62 132,0 243,17 335,50 92,34 162,78 212,133 48,54 78,105 89,152 10,47 15,120 15,219l0 115zm1572 391l0 0 -782 0 0 429c0,90 7,148 20,174 13,26 38,38 75,38 46,0 77,-17 93,-51 15,-35 23,-101 23,-200l0 -249 571 0 0 134c0,123 -8,217 -23,282 -16,66 -52,136 -108,211 -57,75 -129,131 -216,168 -87,38 -196,56 -327,56 -128,0 -240,-18 -338,-55 -97,-37 -173,-87 -227,-151 -55,-64 -92,-135 -113,-212 -21,-77 -31,-189 -31,-337l0 -577c0,-173 23,-310 70,-410 47,-100 123,-177 229,-230 107,-53 229,-80 368,-80 169,0 308,32 418,97 110,64 188,149 232,255 44,105 66,254 66,446l0 262zm-602 -321l0 0 0 -144c0,-103 -5,-169 -16,-199 -12,-30 -34,-44 -69,-44 -43,0 -69,12 -79,38 -11,25 -16,93 -16,205l0 144 180 0zm1409 -702l0 0 -10 151c61,-71 92,-98 155,-136 63,-36 142,-52 225,-52 103,0 187,25 253,74 66,48 108,110 127,184 19,74 28,197 28,370l0 1388 -601 0 0 -1372c0,-136 -5,-220 -14,-249 -9,-30 -34,-45 -75,-45 -43,0 -70,17 -81,51 -11,35 -17,127 -17,276l0 1339 -601 0 0 -1979 611 0zm2217 632l0 0 -532 0 0 -107c0,-92 -5,-149 -16,-174 -10,-24 -36,-36 -78,-36 -33,0 -59,11 -76,33 -16,23 -25,56 -25,101 0,61 4,105 13,133 8,29 33,60 75,93 42,35 129,84 259,149 175,85 289,165 343,241 55,76 82,186 82,330 0,161 -20,283 -62,364 -42,82 -112,146 -209,190 -99,45 -216,66 -355,66 -152,0 -284,-23 -392,-71 -109,-48 -184,-112 -224,-194 -41,-81 -61,-204 -61,-369l0 -95 534 0 0 124c0,106 7,175 20,207 14,31 40,47 79,47 43,0 72,-10 89,-32 17,-21 26,-66 26,-135 0,-94 -11,-153 -33,-177 -23,-24 -139,-95 -350,-212 -176,-100 -284,-190 -323,-271 -38,-81 -58,-177 -58,-289 0,-158 21,-275 63,-349 42,-76 112,-134 212,-174 100,-41 216,-62 348,-62 131,0 242,17 334,50 92,34 162,78 212,133 49,54 79,105 89,152 11,47 16,120 16,219l0 115zm1571 391l0 0 -781 0 0 429c0,90 6,148 19,174 13,26 38,38 75,38 46,0 78,-17 93,-51 16,-35 23,-101 23,-200l0 -249 571 0 0 134c0,123 -7,217 -23,282 -15,66 -51,136 -108,211 -57,75 -129,131 -216,168 -87,38 -196,56 -327,56 -127,0 -240,-18 -338,-55 -97,-37 -173,-87 -227,-151 -55,-64 -92,-135 -112,-212 -21,-77 -32,-189 -32,-337l0 -577c0,-173 23,-310 70,-410 47,-100 123,-177 230,-230 107,-53 229,-80 367,-80 169,0 309,32 419,97 109,64 187,149 231,255 44,105 66,254 66,446l0 262zm-601 -321l0 0 0 -144c0,-103 -6,-169 -17,-199 -11,-30 -34,-44 -69,-44 -43,0 -69,12 -79,38 -10,25 -15,93 -15,205l0 144 180 0z"/>
+  <path class="fil2" d="M4250 404l-327 0 0 -68 -3440 0c-14,0 -25,2 -39,5l0 0 0 0 -1 0 -17 6 -3 1 -2 1 -3 2 -13 7 0 0 -3 1 0 1 -6 3 0 0 -5 4 0 0 -2 2 0 0 -3 2 0 0 -2 1 0 1 -2 2 0 0 -3 2 -2 2 0 0 -2 2 0 0 -5 5 0 0 -1 2 0 0 -3 3 -2 1 1 0 -3 3 0 0 -1 1 0 1 -2 2 0 1 -2 2 0 0 -1 2 -343 0 0 -23c51,-218 243,-381 470,-381l0 0 3767 0 0 333 0 3 0 68z"/>
+  <polygon class="fil3" points="3923,337 4250,161 4250,333 4250,336 4250,497 3924,672 3923,672 "/>
+  <path class="fil4" d="M90 209l299 160 -3 2 0 0 -2 1 0 1 -2 2 0 0 -3 2 -2 2 0 0 -2 2 0 0 -5 5 0 0 -1 2 0 0 -3 3 -2 1 1 0 -3 3 0 0 -1 1 0 1 -2 2 0 1 -2 2 0 0 -3 5 -1 1 -3 5 0 0 -2 3 0 1 -7 12 0 1 -1 3 0 0 -1 2 -1 2 0 1 -6 19c0,-1 -5,26 -5,39l0 0 0 176 -327 -175 0 -1c0,-107 33,-206 90,-287z"/>
+  <polygon class="fil5" points="3596,1008 654,1008 654,672 3596,672 "/>
+  <path class="fil2" d="M0 3964l327 0 0 67 3440 0 0 0c14,0 25,-1 38,-5l1 0 0 0 0 0 18 -6 2 -1 2 -1 4 -1 12 -7 0 0 3 -2 1 0 5 -4 0 0 5 -3 0 -1 3 -2 0 0 3 -2 0 0 1 -1 0 0 3 -2 0 0 3 -3 1 -1 0 -1 2 -1 0 0 5 -5 0 -1 2 -1 0 0 2 -3 2 -2 0 0 2 -3 0 0 1 -1 0 0 2 -3 0 0 2 -3 1 0 1 -1 342 0 0 23c-51,218 -242,380 -469,380l0 0 -3767 0 0 -332 0 -4 0 -67z"/>
+  <polygon class="fil6" points="327,4031 0,4206 0,4035 0,4031 0,3870 325,3695 327,3695 "/>
+  <path class="fil7" d="M4160 4158l-299 -160 3 -2 0 0 1 -1 0 0 3 -2 0 0 3 -3 1 -1 0 -1 2 -1 0 0 5 -5 0 -1 2 -1 0 0 2 -3 2 -2 0 0 2 -3 0 0 1 -1 0 0 2 -3 0 0 2 -3 1 0 3 -5 0 0 4 -6 0 0 2 -3 0 0 6 -13 1 -1 1 -2 0 -1 1 -2 0 -1 1 -1 6 -19c0,0 5,-27 5,-40l0 0 0 -175 327 174 0 1c-1,107 -34,206 -90,287z"/>
+  <polygon class="fil8" points="1584,1680 327,1680 327,1344 1584,1344 "/>
+  <polygon class="fil9" points="949,1680 327,1346 327,1344 960,1344 1584,1678 1584,1680 "/>
+  <polygon class="fil8" points="2665,1680 3923,1680 3923,1344 2665,1344 "/>
+  <polygon class="fil10" points="3300,1680 3923,1346 3923,1344 3289,1344 2665,1678 2665,1680 "/>
+  <polygon class="fil8" points="2665,2688 3923,2688 3923,3024 2665,3024 "/>
+  <polygon class="fil11" points="3300,2688 3923,3021 3923,3024 3289,3024 2665,2689 2665,2688 "/>
+  <polygon class="fil8" points="1584,2688 327,2688 327,3024 1584,3024 "/>
+  <polygon class="fil12" points="949,2688 327,3021 327,3024 960,3024 1584,2689 1584,2688 "/>
+  <polygon class="fil13" points="1584,1680 0,832 0,496 1584,1344 "/>
+  <polygon class="fil14" points="2665,1680 4250,832 4250,496 2665,1344 "/>
+  <polygon class="fil5" points="3602,3695 660,3695 660,3360 3602,3360 "/>
+  <polygon class="fil15" points="2665,2688 4250,3535 4250,3871 2665,3024 "/>
+  <polygon class="fil16" points="1584,2688 0,3535 0,3871 1584,3024 "/>
+  <polygon class="fil1" points="4250,2016 3293,2016 3595,1854 3595,1518 2665,2016 2665,2016 2665,2016 2665,2351 2665,2352 2665,2352 2666,2352 3596,2849 3596,2513 3294,2352 4250,2352 "/>
+  <polygon class="fil1" points="654,1518 654,1854 957,2016 0,2016 0,2352 956,2352 654,2513 654,2849 1584,2352 1584,2352 1584,2352 1584,2351 1584,2016 1584,2016 1584,2016 "/>
+ </g>
+</svg>
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/favicon.png b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/favicon.png
new file mode 100644
index 0000000000000000000000000000000000000000..3e6dde97264d7a9305e8efb15b48002d2bb63484
GIT binary patch
literal 2938
zcmV-=3x)KFP)<h;3K|Lk000e1NJLTq001xm001xu1^@s6R|5Hm00004b3#c}2nYxW
zd<bNS00009a7bBm000XT000XT0n*)m`~Uy|9CSrkbW?9;ba!ELWdK2BZ(?O2Mrm?o
zcW-iQb09-gHt4*vi~s-t7<5HgbVG7wVRUJ4ZXi@?ZDjy5I4v<TEiy1MG`&gH`v3q6
z&`Cr=RA_<KS#5As)fs-yJ@<37yUB(P3;BQqBE--nQ#;7S5rGP}qksgaKudyku+u?n
zp{>YLbr7utDoT}FTSci_WfH4|kLlQ{+5r(!TP0CQCBPC$h>7`PvtRezz4!D-vP-~C
z*a#)`nc3OoyyrdldG0yqJ@0v!aL)1n3^DcxAtc^dS-E~SfYkt8!@wyic)e=~&`$sW
zJh6F`!XoT>01E*q!$B-5oO{>j3t$oU2SP~2RlBSR01jBD6>o|QSmX8nI1~)sp(qNd
zNMp^%dtLf#9u{x_IhJWDOlM$>#SL)*t*xyqHBF;-yB&(Egj7{sKnQso!!LkC0`wmJ
zJ;qpRAP_((6p9<;0x~l*Q`_6yt+uu{!C`lN@$~PvyfrLz2f)e|D<XkF0HP>bnVFgK
zH69l*W5$f`?(XiK&p!JMCr_T#hll3C=<e<|#*7(*qM{<6mX;>O+T#L(!64N%jh2>{
zqOh<qzpSim;qCM0RRh4Hg$thp;6d+lx)LA&B30GZivjSRH8pc|T`zPv9N?VONF;Ku
zV=UtA*}eM+fNKFj5CoW}2_tIk4Tr;zzVX*L{z54oMJY}2tjiD6G+~;iHT9;cbH|Pu
zyPQ&bn<PoFtaH(4_MABc0EB*iivc_XfX6y=i%+AJzFm4lX}Z(tgkc!x4RX0*Sr!b#
zKuSsqCQqJhc}9Bnn5KDK%+`k&0Zfhk6Q6<DNxXa4uIm7-<($uDtT$v?+(I}UhR^52
zsZ*y~L%~qJD2jGMh<rJSbIuLZG<y_9$<N8j$<EEoh23rk0f8*bkYyQ^(tiMWc+T9p
z2l{*x3y5LY&Yia~#vW#jmFi4~VHhw?6Ol;dOQy4@a&vPxFIv3#vTSzCvdG2_8}5~5
z`94)sb10>~#3dQBB7Z7L(j#SM^J^{;J-C1vwr_u}T-Wsn8DkT5ri1AWeTPY-uIua9
zS5`iEDdg99z2%Z5J)|hg1X-3LD>4*Cfh@~DS(ewAmse~}<d?L77;1Lx_(?}+$128H
zzW=PBL?RLBx{gRBQp*@yXS3OAe*5_2Nk^%>moL9nmgTjIqFk>i3N%fF-EQZyA~)LY
z_9vGtDc>@f|DXaE%%5NK`QgJ)9X)!~1PBO0)UqtU+wHz)>Ww!RO_?%9pp>G!yBm>6
z1d&JtjIjrw-@5g&WXRvOY}wtCBt4@j3RG1^YHBJt=cui%<^TTVllpKtbj0Hs<w#9U
zl{8I-s;HtQN~^10uReI805Q=6G))^(Qd~SO-Q_}keLcF*`T+p#?d{l6Q-k*p9Kej}
z(@{`R0994d7nie>A>W5g0FY%FqA23?!-w(l#~-1yvy)_GWE7^l^9oZOsc>o(k|d)q
ze2+>rP(lHWF-{1<xbgXzFg_PEq)+hN{x%#q)&syqTU#5ds;iNmm4zu&rXVXT3qv_0
zD5YEw1e`v78lN9NjP~}g;BvW;UoZ)xEe$1Z6Z1y5;?4GPXbbhFpaUGD2?Y>B`~d27
z#w<u8=H-U2Ezc#&OaJj;)4pI={h43`2y9Kw%}Vo*9lWHZM4U9K@JzA-!r^f1$;QSL
zCr+G*+U+SMcl-p#6=!flI>wb{emUY6M*|_S%r`Nvo^u!=5CL>1<eJPT?(#aD1@KI#
zLJ;9%w_);U9i!cw$j=%Q4mwouZN+wf!>N@5_zH!v5n+=O3qmwa@sB3!(4NqzkGGJ>
zm;hf`An4WsW<=AtWv=OIZmkPG;Jlab)h;Q&2>jZy%zxBZ3(I`ev@Cbfl!(<!s~#qa
zT+Bb|FxusH-ih9O@&ufJKR5#5Q2?*IHu%kCNOyUi0)W{7)&jWh0<#am6Rr*ZX9gSN
zYf-4n>wFzR#sK}J0L}skC9o9&*bd-&0KdFAeE`6{0Dd=sEeK#nm)AKDfHcS$(}D9h
z@hkwTNfJnetReJu4`TaP-zO>b-vgJLW)9`9aM|t^{b%4K47`La^e&;%01A+J^LGs4
zx&8s#Ie-QLrvW$tTr@z$1-Lf&zdu;VF0XS5fCupP3;sy}l>lD3*u(l^3xE~?4*{5X
zfsF#Fa&7QGKiB}gviCdLb6^jE+W>%^oBd9K;7Nzvvze?*xVbM1z6nxKhvOd3v6}a#
z3jEyrIhZE)e3$%&hZFh^B^&MXI?oXB(VAeugy=Upw%X;uMzRiV--P(r$o$Eb7CvRJ
z0{C)~M_nO{f<rLVT>cScHO>xMz@mi<O8`7=a#*rRg{Sh~nVd#~+Ix`+*wsF^<4BLA
zE`>%lksB%iXqrYvQGE5qZQC{`LwIRL#ZQ}>o9=09YBC)T2OO>pJu2CQMJ{8~?W3AK
z(`^kfIm}f}-}|s7C@@*z6u|1L>go?J6p%0%0x$x=O$2}l3x|w6yx-}@zs{yZM07+N
zjm)qt3yP}3;c$Rb3dUGoGUNe3Rn?q=i3LUO5pFabYe3V<V@OX=N4=4bFZ_9U*F74u
zN48K7aznpp;Yl>sKmq^&0s)xG@oZy0qLu{>VOXXKNz>qVyOENT0>dy63WdNqPdW@+
zmc=>e$j!|~ettfDJ|Al9YSGr#h77kG?+4Rys67X%N)%L}7_2Zjkbo`#`+(lKMlELY
zsNok?b<C*j>~Fi>z2{IU6zX3s_$pZe=nJ`wF$jWy;^JZy78c@A?IG0G)*a@ZUB@y!
zBOP!!L`_v8%L)WRXiZu`Rdw~J0H*bCd*zjv7Y71?2N+`rhr-ZxJ+=-T2qC`_1Y!FS
z1Z*LMGy`~ub6yk<hoNa2rcaxWSu<xzDfX0|6%|XjB{R@PqtI)wy*igMwpQ2m>tbaV
zrZece-o_Z)1Ypbh%F2sojft?v>lHZX%Vk;iDvFYQ!KMC)EX$9SmseCJ@=d0!Qpy-x
z#|$=0*Uyzz^oZVWFyoI|*;yNZv}8%(n-ISc2S4~g+Pin}uS7{)p{lBfQcC)jRrbr0
z{P4W8vUidauzT083Fw{L^8SUbNF;*B##1=e*x1<9({qSYY7+$Eviyp}IcL#mG?<c-
zGASn~XZ+aQvBYMxohxi9GN?e`1n|h5xpQk13fQxI_cZ|S1n>(0D(4)GF&I$;EoWMy
z_4V~)M@I()D)dE$%MZ)4V45b<($X-oV4|6wolPZCidE(Sz(j8v^5@xe=F|e`CuMH{
zSOY*6gx+RB5I#0dbKd^_``bD@J0VHZ|BQU!^B_qQ{C+<^Jous2(cZC`Qo1i@LvNn6
z62PIDPdo~7&IzRyq9`H|2y{x4bpQMX3tj+#ML$@$7zA0k^pra(P)Z4<H2m`wE2;og
z?X0Q!VK^M#Y`5Dzu~~{CzJ&hy?z^A*{r;l5x;lFN`0<ZkdimukSAuM^xMS(kzvt!U
z-BMg!Y&xAz;pUk$1)$#y?Ay0bYiVgA!C(+}yFJ;<{uP7WZkK#MA6i;kNM>dxZk{<4
zKtBOKpKp|+D1yi1fubndurW=5^^ZOFop3l@Vzb#02m}P5&lk^7;{q}=GHjwKLen%z
zl5|aF<@!Uoaz7~z1`eRWX0vIM)Ekka(P+FN5EtNZIHIB`N>rraoXY@8hJ)>ZAb_mM
z5GC<%o{^q-5jnor6-DV1L?M1aT!n~o&fk(`sbbk(cNww9xBw1rT@?!^F*tx1IOn&n
ky6^t;%9-RUe&b2uzp$9K#m3Z@`2YX_07*qoM6N<$g7gSppa1{>

literal 0
HcmV?d00001

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/icon-logo.svg b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/icon-logo.svg
new file mode 100644
index 0000000000..2e3ac8998c
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/icon-logo.svg
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 95 98" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.41421;">
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M94.747,9.011L87.457,9.011L87.457,7.495L10.768,7.495C10.456,7.495 10.21,7.539 9.898,7.606L9.876,7.606L9.497,7.74L9.43,7.762L9.386,7.785L9.319,7.829L9.029,7.985L8.962,8.007L8.962,8.03L8.828,8.097L8.717,8.186L8.672,8.23L8.605,8.275L8.561,8.297L8.561,8.32L8.516,8.364L8.449,8.409L8.405,8.453L8.36,8.498L8.249,8.609L8.226,8.654L8.159,8.721L8.115,8.743L8.137,8.743L8.07,8.81L8.048,8.832L8.048,8.855L8.003,8.899L8.003,8.922L7.959,8.966L7.936,9.011L0.29,9.011L0.29,8.498C1.427,3.638 5.707,0.004 10.768,0.004L94.747,0.004L94.747,9.011Z" style="fill:rgb(227,228,229);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M87.457,7.517L94.747,3.593L94.747,11.084L87.479,14.985L87.457,14.985L87.457,7.517Z" style="fill:url(#_Linear1);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M2.006,4.663L8.672,8.23L8.605,8.275L8.561,8.297L8.561,8.32L8.516,8.364L8.449,8.409L8.405,8.453L8.36,8.498L8.249,8.609L8.226,8.654L8.159,8.721L8.115,8.743L8.137,8.743L8.07,8.81L8.048,8.832L8.048,8.855L8.003,8.899L8.003,8.922L7.959,8.966L7.892,9.078L7.87,9.1L7.803,9.211L7.758,9.278L7.758,9.3L7.602,9.568L7.602,9.59L7.58,9.657L7.557,9.702L7.535,9.746L7.535,9.769L7.401,10.192C7.401,10.17 7.29,10.772 7.29,11.062L7.29,14.985L0,11.084L0,11.062C0,8.676 0.736,6.469 2.006,4.663Z" style="fill:url(#_Linear2);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <rect x="14.58" y="14.985" width="65.587" height="7.491" style="fill:rgb(147,146,146);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M0,88.375L7.29,88.375L7.29,89.869L83.979,89.869C84.291,89.869 84.537,89.847 84.826,89.757L84.849,89.757L85.25,89.624L85.295,89.601L85.339,89.579L85.428,89.557L85.696,89.401L85.763,89.356L85.785,89.356L85.896,89.267L86.008,89.2L86.008,89.178L86.075,89.133L86.142,89.089L86.164,89.066L86.231,89.022L86.298,88.955L86.32,88.933L86.32,88.91L86.365,88.888L86.476,88.776L86.476,88.754L86.521,88.732L86.565,88.665L86.61,88.62L86.654,88.554L86.677,88.531L86.721,88.464L86.766,88.397L86.788,88.397L86.81,88.375L94.435,88.375L94.435,88.888C93.298,93.748 89.04,97.359 83.979,97.359L0,97.359L0,89.958L0,89.869L0,88.375Z" style="fill:rgb(227,228,229);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M7.29,89.869L0,93.77L0,89.958L0,89.869L0,86.28L7.245,82.378L7.29,82.378L7.29,89.869Z" style="fill:url(#_Linear3);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M92.741,92.7L86.075,89.133L86.142,89.089L86.164,89.066L86.231,89.022L86.298,88.955L86.32,88.933L86.32,88.91L86.365,88.888L86.476,88.776L86.476,88.754L86.521,88.732L86.565,88.665L86.61,88.62L86.654,88.554L86.677,88.531L86.721,88.464L86.766,88.397L86.788,88.397L86.855,88.286L86.944,88.152L86.989,88.085L87.123,87.796L87.145,87.773L87.167,87.729L87.167,87.706L87.189,87.662L87.189,87.639L87.212,87.617L87.346,87.194C87.346,87.194 87.457,86.592 87.457,86.302L87.457,82.401L94.747,86.28L94.747,86.302C94.725,88.687 93.989,90.894 92.741,92.7Z" style="fill:url(#_Linear4);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <rect x="7.29" y="29.966" width="28.023" height="7.491" style="fill:rgb(170,171,171);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M21.156,37.457L7.29,30.011L7.29,29.966L21.402,29.966L35.313,37.412L35.313,37.457L21.156,37.457Z" style="fill:url(#_Linear5);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <rect x="59.412" y="29.966" width="28.045" height="7.491" style="fill:rgb(170,171,171);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M73.568,37.457L87.457,30.011L87.457,29.966L73.323,29.966L59.412,37.412L59.412,37.457L73.568,37.457Z" style="fill:url(#_Linear6);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <rect x="59.412" y="59.929" width="28.045" height="7.491" style="fill:rgb(170,171,171);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M73.568,59.929L87.457,67.352L87.457,67.419L73.323,67.419L59.412,59.951L59.412,59.929L73.568,59.929Z" style="fill:url(#_Linear7);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <rect x="7.29" y="59.929" width="28.023" height="7.491" style="fill:rgb(170,171,171);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M21.156,59.929L7.29,67.352L7.29,67.419L21.402,67.419L35.313,59.951L35.313,59.929L21.156,59.929Z" style="fill:url(#_Linear8);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M35.313,37.457L0,18.552L0,11.062L35.313,29.966L35.313,37.457Z" style="fill:url(#_Linear9);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M59.412,37.457L94.747,18.552L94.747,11.062L59.412,29.966L59.412,37.457Z" style="fill:url(#_Linear10);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <rect x="14.714" y="74.91" width="65.587" height="7.468" style="fill:rgb(147,146,146);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M59.412,59.929L94.747,78.811L94.747,86.302L59.412,67.419L59.412,59.929Z" style="fill:url(#_Linear11);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M35.313,59.929L0,78.811L0,86.302L35.313,67.419L35.313,59.929Z" style="fill:url(#_Linear12);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M94.747,44.948L73.412,44.948L80.145,41.336L80.145,33.846L59.412,44.948L59.412,52.438L59.434,52.438L80.167,63.518L80.167,56.027L73.434,52.438L94.747,52.438L94.747,44.948Z" style="fill:rgb(217,79,0);fill-rule:nonzero;"/>
+    </g>
+    <g transform="matrix(1,0,0,1,0,-0.00415471)">
+        <path d="M14.58,33.846L14.58,41.336L21.335,44.948L0,44.948L0,52.438L21.312,52.438L14.58,56.027L14.58,63.518L35.313,52.438L35.313,52.416L35.313,44.948L14.58,33.846Z" style="fill:rgb(217,79,0);fill-rule:nonzero;"/>
+    </g>
+    <defs>
+        <linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(1.65841,5.84056,-5.84056,1.65841,90.2635,6.36912)"><stop offset="0" style="stop-color:rgb(228,228,228);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(162,162,162);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear2" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-2.29154,5.81958,-5.81958,-2.29154,5.47686,6.9145)"><stop offset="0" style="stop-color:rgb(228,228,228);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(162,162,162);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear3" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-1.65885,-5.83931,5.83931,-1.65885,4.4731,91.0027)"><stop offset="0" style="stop-color:rgb(228,228,228);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(162,162,162);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear4" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(2.29131,-5.81924,5.81924,2.29131,89.2594,90.4576)"><stop offset="0" style="stop-color:rgb(228,228,228);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(162,162,162);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear5" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-46.185,-12.0168,12.0168,-46.185,44.3937,39.7156)"><stop offset="0" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="0.1" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(78,78,78);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear6" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(46.1861,-12.0159,12.0159,46.1861,50.342,39.7152)"><stop offset="0" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="0.1" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(78,78,78);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear7" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(46.1854,12.0159,-12.0159,46.1854,50.3425,57.6569)"><stop offset="0" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="0.1" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(78,78,78);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear8" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-46.1844,12.0166,-12.0166,-46.1844,44.3935,57.6564)"><stop offset="0" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="0.1" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(78,78,78);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear9" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(35.3155,0,0,35.3155,-0.000283467,24.2587)"><stop offset="0" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="0.23" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(176,176,176);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear10" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-35.3154,4.32489e-15,-4.32489e-15,-35.3154,94.736,24.2587)"><stop offset="0" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="0.23" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(176,176,176);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear11" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-35.3154,4.32489e-15,-4.32489e-15,-35.3154,94.736,73.1133)"><stop offset="0" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="0.23" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(176,176,176);stop-opacity:1"/></linearGradient>
+        <linearGradient id="_Linear12" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(35.3155,0,0,35.3155,-0.000283467,73.1133)"><stop offset="0" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="0.23" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(176,176,176);stop-opacity:1"/></linearGradient>
+    </defs>
+</svg>

From 977209c555d2204a8cab71032ecfff835fca300e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Aug 2024 21:07:47 +0200
Subject: [PATCH 2043/3088] misc/theme-advanced: sync

---
 README.md                                                       | 1 +
 .../stylesheets/bootstrap-select/sass/bootstrap-select.scss     | 2 +-
 .../assets/stylesheets/bootstrap-select/sass/variables.scss     | 2 +-
 .../www/themes/advanced/assets/stylesheets/dashboard.scss       | 2 +-
 .../opnsense/www/themes/advanced/assets/stylesheets/main.scss   | 2 +-
 5 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 2cf77dee53..8cb7fd41d5 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,7 @@ emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
 ftp/tftp -- TFTP server
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
+misc/theme-advanced -- OPNsense theme based on AdvancedTomato GUI
 misc/theme-cicada -- The cicada theme - dark grey onyx
 misc/theme-rebellion -- A suitably dark theme
 misc/theme-tukan -- The tukan theme - blue/white
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
index ce955acc9a..32b852e26f 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
@@ -516,4 +516,4 @@ select.selectpicker {
     width: 100%;
     float: none;
   }
-}
\ No newline at end of file
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
index 555ef10fcf..6e9c8af262 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
@@ -14,4 +14,4 @@ $input-padding-y-sm: .25rem !default;
 $input-padding-x-sm: .5rem !default;
 
 $input-padding-y-lg: 0.5rem !default;
-$input-padding-x-lg: 1rem !default;
\ No newline at end of file
+$input-padding-x-lg: 1rem !default;
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
index d3b2a4313d..af78a80af8 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
@@ -347,4 +347,4 @@ div {
     display: flex;
     align-items: center;
     justify-content: center;
-}
\ No newline at end of file
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
index 89a913f6af..0498b12cec 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
@@ -1267,4 +1267,4 @@ div[data-for*="help_for"] {
         margin-top: -4px;
         margin-bottom: -4px;
     }
-}
\ No newline at end of file
+}

From cad9ddd04b9b424fcbd7d54c1f8ee8df369f3e86 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Aug 2024 07:32:27 +0200
Subject: [PATCH 2044/3088] misc: minor changes to themes

---
 misc/theme-advanced/Makefile | 1 +
 misc/theme-tukan/Makefile    | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-advanced/Makefile b/misc/theme-advanced/Makefile
index 9af08541fc..d8fabc971b 100644
--- a/misc/theme-advanced/Makefile
+++ b/misc/theme-advanced/Makefile
@@ -3,5 +3,6 @@ PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		OPNsense theme based on AdvancedTomato GUI
 PLUGIN_MAINTAINER=	jacky@prahec.com
 PLUGIN_WWW=		https://prahec.com/
+PLUGIN_NO_ABI=		yes
 
 .include "../../Mk/plugins.mk"
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index a0cf7296ff..68fc232d70 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-tukan
 PLUGIN_VERSION=		1.28
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes

From 742727d35111ea2638380a1d616ee8431d2fb104 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Aug 2024 11:32:11 +0200
Subject: [PATCH 2045/3088] plugins: hard error without parallel lint

---
 Mk/plugins.mk | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 5525c52317..ed4a7237df 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -372,13 +372,7 @@ lint-php: check
 .if exists(${LINTBIN})
 	@if [ -d ${.CURDIR}/src ]; then ${LINTBIN} src; fi
 .else
-	@find ${.CURDIR}/src \
-	    ! -name "*.xml" ! -name "*.xml.sample" ! -name "*.eot" \
-	    ! -name "*.svg" ! -name "*.woff" ! -name "*.woff2" \
-	    ! -name "*.otf" ! -name "*.png" ! -name "*.js" ! -name "*.md" \
-	    ! -name "*.scss" ! -name "*.py" ! -name "*.ttf" ! -name "*.txz" \
-	    ! -name "*.tgz" ! -name "*.xml.dist" ! -name "*.sh" ! -name "bootstrap80.php" \
-	    -type f -print0 | xargs -0 -n1 php -l
+	@echo "Did not find LINTBIN, please provide a core repository"; exit 1
 .endif
 
 lint: lint-desc lint-shell lint-xml lint-model lint-exec lint-php

From 8797399fe1ca71192b12bf4261d6aa6d3c0c4719 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Fri, 23 Aug 2024 08:17:37 +0200
Subject: [PATCH 2046/3088] Themes Cicada/Vicuna  - dashboard fix for hover
 effects (#4194)

get rid of unnecessary hover effects on dashboard for both dark themes
---
 misc/theme-cicada/Makefile                    |  2 +-
 .../cicada/assets/stylesheets/dashboard.scss  | 26 ++++++-------------
 .../www/themes/cicada/build/css/dashboard.css | 14 ----------
 misc/theme-vicuna/Makefile                    |  2 +-
 .../vicuna/assets/stylesheets/dashboard.scss  | 26 ++++++-------------
 .../www/themes/vicuna/build/css/dashboard.css | 14 ----------
 6 files changed, 18 insertions(+), 66 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 339b1956e2..7835483758 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.37
+PLUGIN_VERSION=		1.38
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
index cd495cede6..2eb8ea4d3c 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
@@ -1,6 +1,11 @@
-.btn-pressed, .btn-pressed:hover {
+.btn-pressed {
+  background-color: #d94f00;
+  color: white;
+
+  &:hover {
     background-color: #d94f00;
     color: white;
+  }
 }
 
 .fa-spinner {
@@ -17,8 +22,8 @@
 }
 
 .widget-error {
-    margin: 50px;
-    color: #721c24;
+  margin: 50px;
+  color: #721c24;
 }
 
 .widget-content {
@@ -224,11 +229,6 @@ div {
   font-weight: bold;
 }
 
-.flextable-row:hover {
-  background: #242424;
-  transition: 500ms;
-}
-
 .flex-cell {
   text-align: left;
   word-break: break-word;
@@ -247,11 +247,6 @@ div {
     padding: 0;
     border: 0;
     border-top: rgb(59, 59, 59);
-
-    &:hover {
-      background: none !important;
-      transition: 500ms;
-    }
   }
 }
 
@@ -282,11 +277,6 @@ div {
   border-top: 1px solid #f7e2d6;
   transition: 0.5s;
   opacity: 0.4;
-
-  &:hover {
-    background: #F5F5F5 !important;
-    transition: 500ms;
-  }
 }
 
 .grid-header {
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
index 82e195ab56..4725d9e073 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
@@ -217,11 +217,6 @@ div {
     font-weight: bold;
 }
 
-.flextable-row:hover {
-    background: #242424;
-    transition: 500ms;
-}
-
 .flex-cell {
     text-align: left;
     word-break: break-word;
@@ -241,10 +236,6 @@ div {
     border: 0;
     border-top: rgb(59, 59, 59);
 }
-.column .flex-cell:hover {
-    background: none !important;
-    transition: 500ms;
-}
 .flex-subcell {
     width: 100%;
     text-align: left;
@@ -270,11 +261,6 @@ div {
     opacity: 0.4;
 }
 
-.grid-row:hover {
-    background: #F5F5F5 !important;
-    transition: 500ms;
-}
-
 .grid-header {
     border-top: 1px solid #f7e2d6;
     font-weight: bold;
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index ca31bc76ff..d05a700232 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.47
+PLUGIN_VERSION=		1.48
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
index 06f4bf05a0..73c5374217 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
@@ -1,6 +1,11 @@
-.btn-pressed, .btn-pressed:hover {
+.btn-pressed {
+  background-color: #d94f00;
+  color: white;
+
+  &:hover {
     background-color: #d94f00;
     color: white;
+  }
 }
 
 .fa-spinner {
@@ -17,8 +22,8 @@
 }
 
 .widget-error {
-    margin: 50px;
-    color: #721c24;
+  margin: 50px;
+  color: #721c24;
 }
 
 .widget-content {
@@ -224,11 +229,6 @@ div {
   font-weight: bold;
 }
 
-.flextable-row:hover {
-  background: #131c22;
-  transition: 500ms;
-}
-
 .flex-cell {
   text-align: left;
   word-break: break-word;
@@ -247,11 +247,6 @@ div {
     padding: 0;
     border: 0;
     border-top: rgb(59, 59, 59);
-
-    &:hover {
-      background: none !important;
-      transition: 500ms;
-    }
   }
 }
 
@@ -282,11 +277,6 @@ div {
   border-top: 1px solid #f7e2d6;
   transition: 0.5s;
   opacity: 0.4;
-
-  &:hover {
-    background: #F5F5F5 !important;
-    transition: 500ms;
-  }
 }
 
 .grid-header {
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
index bbc8001a0c..62bc03c5ef 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
@@ -217,11 +217,6 @@ div {
     font-weight: bold;
 }
 
-.flextable-row:hover {
-    background: #131c22;
-    transition: 500ms;
-}
-
 .flex-cell {
     text-align: left;
     word-break: break-word;
@@ -241,10 +236,6 @@ div {
     border: 0;
     border-top: rgb(59, 59, 59);
 }
-.column .flex-cell:hover {
-    background: none !important;
-    transition: 500ms;
-}
 .flex-subcell {
     width: 100%;
     text-align: left;
@@ -270,11 +261,6 @@ div {
     opacity: 0.4;
 }
 
-.grid-row:hover {
-    background: #F5F5F5 !important;
-    transition: 500ms;
-}
-
 .grid-header {
     border-top: 1px solid #f7e2d6;
     font-weight: bold;

From 54d5328c6e19aa68789016f29576a391f3bc8539 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Aug 2024 08:41:34 +0200
Subject: [PATCH 2047/3088] net/upnp: move to compatible newwanip_map event

---
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 3fdf21214b..2399be7ac3 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -90,7 +90,7 @@ function miniupnpd_configure()
 {
     return [
         'bootup' => ['miniupnpd_configure_do'],
-        'newwanip' => ['miniupnpd_configure_do'],
+        'newwanip_map' => ['miniupnpd_configure_do'],
     ];
 }
 

From 7fead4f46a03fb0b95d5f0c94675bfeff880f3fd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Aug 2024 08:42:38 +0200
Subject: [PATCH 2048/3088] net/igmp-proxy: move to compatible newwanip_map
 event

---
 net/igmp-proxy/Makefile                                | 2 +-
 net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/igmp-proxy/Makefile b/net/igmp-proxy/Makefile
index e322484ae3..8c0acc1c44 100644
--- a/net/igmp-proxy/Makefile
+++ b/net/igmp-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		igmp-proxy
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		igmpproxy
 PLUGIN_COMMENT=		IGMP-Proxy Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
index 246ca5e0f8..d8d80bda7d 100644
--- a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
+++ b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
@@ -58,7 +58,7 @@ function igmpproxy_configure()
 {
     return [
         'bootup' => ['igmpproxy_configure_do'],
-        'newwanip' => ['igmpproxy_configure_do'],
+        'newwanip_map' => ['igmpproxy_configure_do'],
     ];
 }
 

From ffe1badd2ced2bdf459cc6fabbae8a21cce7bbc0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Aug 2024 08:50:44 +0200
Subject: [PATCH 2049/3088] dns/rfc2136: convert to newwanip_map event

---
 dns/rfc2136/Makefile                              | 2 +-
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index f4ac272b23..176f5376f8 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 25c3fc9141..73cf42bc09 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -34,7 +34,7 @@ function rfc2136_configure()
     return [
         'bootup' => ['rfc2136_configure_do'],
         'local' => ['rfc2136_configure_do'],
-        'newwanip' => ['rfc2136_configure_do:2'],
+        'newwanip_map' => ['rfc2136_configure_map:2'],
     ];
 }
 
@@ -87,7 +87,7 @@ function rfc2136_cache_file($dnsupdate, $ipver = 4)
     return "/var/cache/rfc2136_{$dnsupdate['interface']}_{$dnsupdate['host']}_{$dnsupdate['server']}{$ipver}.cache";
 }
 
-function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $forced = false)
+function rfc2136_configure_do($verbose = false, $int = null, $updatehost = '', $forced = false)
 {
     global $config;
 
@@ -95,12 +95,15 @@ function rfc2136_configure_do($verbose = false, $int = '', $updatehost = '', $fo
         return;
     }
 
+    /* $int is passed as an optional CSV so transform into empty array when not set */
+    $int = !empty($int) ? explode(',', $int) : [];
+
     service_log('Configuring RFC 2136 clients...', $verbose);
 
     foreach ($config['dnsupdates']['dnsupdate'] as $i => $dnsupdate) {
         if (!isset($dnsupdate['enable'])) {
             continue;
-        } elseif (!empty($int) && $int != $dnsupdate['interface']) {
+        } elseif (count($int) && !in_array($dnsupdate['interface'], $int)) {
             continue;
         } elseif (!empty($updatehost) && ($updatehost != $dnsupdate['host'])) {
             continue;

From 2209ce0943502ccae23530d6b0364bb2234ef7f1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Aug 2024 11:25:38 +0200
Subject: [PATCH 2050/3088] dns/rfc2136: bump version

---
 dns/rfc2136/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index 176f5376f8..dada9a6509 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		rfc2136
-PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools

From c5727814b51933c57b67da5513d773b0e793f691 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Aug 2024 11:30:31 +0200
Subject: [PATCH 2051/3088] net/upnp: wrap up version

---
 net/upnp/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index 283b27ae7b..366e0cb687 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -7,6 +7,11 @@ WWW: https://miniupnp.tuxfamily.org/
 Plugin Changelog
 ================
 
+1.6
+
+* Fix port maps not listed without description (contributed by Self-Hosting-Group)
+* Move to compatible newwanip_map event
+
 1.5
 
 * Enable STUN and allow LAN subnet override (contributed by Tawmu)

From 6cacfaa34f10d001b36ffc44a2ceef99f952f806 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Aug 2024 11:35:36 +0200
Subject: [PATCH 2052/3088] dns/ddclient: shift versioning

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 63c9a65501..f769b4053a 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.23
+PLUGIN_VERSION=		1.24
 PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 5298ef30af..c6bac757fc 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,10 +6,13 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.24
+
+* Refactored IP matching (contributed by Rob van Oostenrijk)
+
 1.23
 
 * Add dashboard widget
-* Refactored IP matching (contributed by Rob van Oostenrijk)
 
 1.22
 

From e553f5691ffe569db53284cfc0c97749f272d532 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Brzezi=C5=84ski?= <mike3e@o2.pl>
Date: Mon, 26 Aug 2024 11:48:10 +0200
Subject: [PATCH 2053/3088] WOL widget rewrite for new dashboard (#4192)

---
 net/wol/Makefile                              |  3 +-
 .../www/js/widgets/Metadata/WakeOnLan.xml     | 17 ++++
 .../src/opnsense/www/js/widgets/WakeOnLan.js  | 99 +++++++++++++++++++
 .../src/www/widgets/include/wake_on_lan.inc   |  4 -
 .../widgets/widgets/wake_on_lan.widget.php    | 86 ----------------
 5 files changed, 117 insertions(+), 92 deletions(-)
 create mode 100644 net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
 create mode 100644 net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
 delete mode 100644 net/wol/src/www/widgets/include/wake_on_lan.inc
 delete mode 100644 net/wol/src/www/widgets/widgets/wake_on_lan.widget.php

diff --git a/net/wol/Makefile b/net/wol/Makefile
index 08a4a492c6..7ce7348827 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wol
-PLUGIN_VERSION=		2.4
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		2.5
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml b/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
new file mode 100644
index 0000000000..7cb8e5f500
--- /dev/null
+++ b/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
@@ -0,0 +1,17 @@
+<metadata>
+    <wol>
+        <filename>WakeOnLan.js</filename>
+        <endpoints>
+            <endpoint>/api/wol/wol/searchHost</endpoint>
+            <endpoint>/api/wol/wol/set</endpoint>
+            <endpoint>/diagnostics/interface/getArp</endpoint>
+        </endpoints>
+        <translations>
+            <title>WakeOnLan</title>
+            <msg_empty_wol>No saved WOL addresses</msg_empty_wol>
+            <h_device>Device</h_device>
+            <h_interface>Interface</h_interface>
+            <h_status>Status</h_status>
+        </translations>
+    </wol>
+</metadata>
diff --git a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
new file mode 100644
index 0000000000..23d577f777
--- /dev/null
+++ b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2024 Michał Brzeziński
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+export default class WakeOnLan extends BaseTableWidget {
+    constructor() {
+        super();
+    }
+
+    getGridOptions() {
+        return {
+            // trigger overflow-y:scroll after 650px height
+            sizeToContent: 650
+        }
+    }
+
+    getMarkup() {
+        let $container = $('<div id="wol-clients-container"></div>');
+        let $wol_table = this.createTable('wol-table', {
+            headerPosition: 'none'
+        });
+
+        $container.append($wol_table);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        const data = await this.ajaxCall('/api/wol/wol/searchHost');
+
+        let rows = [];
+      	if (data.total == 0) {
+          const empty_list = [`<b>${this.translations.msg_empty_wol}</b>`];
+          rows.push(empty_list);
+      	} else {
+          const header = [`<b>${this.translations.h_device}</b>`,
+                          `<b>${this.translations.h_interface}</b>`,
+                          `<b>${this.translations.h_status}</b>`,
+                          ''];
+          rows.push(header);
+
+          //NOTE: this ARP list call is the most expensive one and can grow substantialy in big networks
+          //With previous widget it had been done on the backend side with direct exec of 'arp -an | grep ...'
+          const arp = await this.ajaxCall('/api/diagnostics/interface/getArp');
+
+          for(let it = 0; it < data.rows.length; it++){
+              const item = data.rows[it];
+              let is_active = this.checkActive(arp, item.mac, item.interface);
+              let row = [
+                  `${item.descr.length !== 0 ? item.descr + '<br/>': ''} ${item.mac}`,
+                  `${item.interface}`,
+                  `<i class="fa fa-${is_active == 1 ? "play" : "remove"} fa-fw text-${is_active == 1 ? "success" : "danger"}" ></i>
+                   ${ is_active == 1 ? "Online" : "Offline"}`,
+                  `<button class="btn btn-primary btn-xs wakeupbtn" data-mac="${item.mac}" data-interface="${item.interface}" data-uuid="${item.uuid}">
+                    <i class="fa fa-bolt fa-fw" title="Wake Up"></i>
+                   </button>`
+                  ];
+              rows.push(row);
+        }
+    }
+    super.updateTable('wol-table', rows);
+
+    $('.wakeupbtn').on('click', async (event) => {
+      event.preventDefault();
+      const data = {uuid: $(event.currentTarget).data('uuid')};
+      const result = await this.ajaxCall('/api/wol/wol/set', JSON.stringify(data), 'POST');
+    });
+  }
+
+  checkActive(arp_list, mac, intf) {
+    const arp = arp_list.find((obj) => obj.mac === mac);
+    if (arp === undefined) {
+      return 0;
+    } else {
+      return (arp.expired === false && arp.intf_description === intf);
+    }
+  }
+}
diff --git a/net/wol/src/www/widgets/include/wake_on_lan.inc b/net/wol/src/www/widgets/include/wake_on_lan.inc
deleted file mode 100644
index db09f7f1d4..0000000000
--- a/net/wol/src/www/widgets/include/wake_on_lan.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-<?php
-
-$wake_on_lan_title = gettext('Wake On Lan');
-$wake_on_lan_title_link = 'ui/wol';
diff --git a/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php b/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
deleted file mode 100644
index c97fc9b70c..0000000000
--- a/net/wol/src/www/widgets/widgets/wake_on_lan.widget.php
+++ /dev/null
@@ -1,86 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2010 Yehuda Katz
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("widgets/include/wake_on_lan.inc");
-require_once("interfaces.inc");
-
-use OPNsense\Wol\Wol;
-$wol = new Wol();
-?>
-<table class="table table-striped table-condensed">
-  <thead>
-    <tr>
-      <th><?=gettext("Computer / Device");?></th>
-      <th><?=gettext("Interface");?></th>
-      <th><?=gettext("Status");?></th>
-      <th></th>
-    </tr>
-  </thead>
-  <tbody>
-<?php
-    foreach ($wol->wolentry->iterateItems() as $wolent):
-      $is_active = exec("/usr/sbin/arp -an |/usr/bin/grep -i {$wolent->mac}| /usr/bin/wc -l|/usr/bin/awk '{print $1;}'");?>
-    <tr>
-        <td><?= !empty((string)$wolent->descr) ? $wolent->descr : gettext('Unnamed entry') ?><br/><?= $wolent->mac ?></td>
-        <td><?=htmlspecialchars(convert_friendly_interface_to_friendly_descr((string)$wolent->interface));?></td>
-        <td>
-          <i class="fa fa-<?=$is_active == 1 ? "play" : "remove";?> fa-fw text-<?=$is_active == 1 ? "success" : "danger";?>" ></i>
-          <?=$is_active == 1 ? gettext("Online") : gettext("Offline");?>
-        </td>
-        <td>
-          <button class="btn btn-primary btn-xs wakeupbtn" data-mac="<?= $wolent->mac ?>" data-interface="<?= $wolent->interface ?>" data-uuid="<?= $wolent->getAttributes()['uuid'] ?>">
-            <i class="fa fa-bolt fa-fw" title="<?=gettext("Wake Up");?>"></i>
-          </button>
-        </td>
-    </tr>
-<?php
-    endforeach;
-    if (count(iterator_to_array($wol->wolentry->iterateItems())) == 0):?>
-    <tr>
-      <td colspan="4" ><?=gettext("No saved WoL addresses");?></td>
-    </tr>
-<?php
-    endif;?>
-  </tbody>
-  <tfoot>
-    <tr>
-      <td colspan="4"><a href="ui/dhcpv4/leases" class="navlink"><?= gettext('DHCP Leases Status') ?></a></td>
-    </tr>
-  </tfoot>
-</table>
-<script>
-    $("#dashboard_container").on("WidgetsReady", function() {
-        $('.wakeupbtn').click(function(event) {
-            event.preventDefault();
-            var data = this.dataset;
-            $.post('/api/wol/wol/set', {'uuid': data['uuid']}, function(result) {
-            });
-        })
-    });
-</script>

From 40d28ac149c46af32a2bd227a2e36ec211e98841 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Aug 2024 12:43:38 +0200
Subject: [PATCH 2054/3088] net/wol: fix the ARP lookup in the least intrusive
 way #4192

Also make sure the wake button has some form of user feedback.
The checkmark is reset when the plugin is refreshed.  Omitted
spinner because the action only takes a fraction of a second.
---
 .../OPNsense/Wol/Api/WolController.php        | 21 +++++++++++++++++--
 .../src/opnsense/www/js/widgets/WakeOnLan.js  | 14 ++++++++-----
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/net/wol/src/opnsense/mvc/app/controllers/OPNsense/Wol/Api/WolController.php b/net/wol/src/opnsense/mvc/app/controllers/OPNsense/Wol/Api/WolController.php
index e56554a27b..c6d3255f6e 100644
--- a/net/wol/src/opnsense/mvc/app/controllers/OPNsense/Wol/Api/WolController.php
+++ b/net/wol/src/opnsense/mvc/app/controllers/OPNsense/Wol/Api/WolController.php
@@ -66,27 +66,40 @@ public function delHostAction($uuid)
     {
         $this->delBase('wolentry', $uuid);
     }
+
     public function searchHostAction()
     {
-        return $this->searchBase('wolentry', array("interface", "mac", "descr"));
+        $ret = $this->searchBase('wolentry', ['interface', 'mac', 'descr']);
+
+        foreach ($ret['rows'] ?? [] as $idx => $wol) {
+            /* not entirely accurate naming but it's too much effor to unwind this API */
+            $ret['rows'][$idx]['identifier'] =
+                (string)$this->getModel()->getNodeByReference('wolentry.' . $wol['uuid'])->interface;
+        }
+
+        return $ret;
     }
+
     public function getHostAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('host', 'wolentry', $uuid);
     }
+
     public function getwakeAction()
     {
         return $this->getBase('wake', 'wolentry', null);
     }
+
     public function addHostAction()
     {
         return $this->addBase('host', 'wolentry');
     }
+
     public function setHostAction($uuid)
     {
         return $this->setBase('host', 'wolentry', $uuid);
     }
+
     public function wakeallAction()
     {
         if (!$this->request->isPost()) {
@@ -100,6 +113,7 @@ public function wakeallAction()
         }
         return $results;
     }
+
     private function wakeHostByNode($wolent, &$result)
     {
         $backend = new Backend();
@@ -114,6 +128,7 @@ private function wakeHostByNode($wolent, &$result)
         $broadcast_ip = escapeshellarg($this->calculateSubnetBroadcast($ipaddr, $cidr));
         $result['status'] = trim($backend->configdRun("wol wake {$broadcast_ip} " . escapeshellarg((string)$wolent->mac)));
     }
+
     private function getInterfaceIP($if)
     {
         $cfg = Config::getInstance()->object();
@@ -128,6 +143,7 @@ private function getInterfaceIP($if)
             return null;
         }
     }
+
     private function getInterfaceSubnet($if)
     {
         $cfg = Config::getInstance()->object();
@@ -137,6 +153,7 @@ private function getInterfaceSubnet($if)
             return null;
         }
     }
+
     private function calculateSubnetBroadcast($ip_addr, $cidr)
     {
         // TODO undefined offset
diff --git a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
index 23d577f777..fa7d3fe33d 100644
--- a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
+++ b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
@@ -50,10 +50,10 @@ export default class WakeOnLan extends BaseTableWidget {
         const data = await this.ajaxCall('/api/wol/wol/searchHost');
 
         let rows = [];
-      	if (data.total == 0) {
+	if (data.total == 0) {
           const empty_list = [`<b>${this.translations.msg_empty_wol}</b>`];
           rows.push(empty_list);
-      	} else {
+	} else {
           const header = [`<b>${this.translations.h_device}</b>`,
                           `<b>${this.translations.h_interface}</b>`,
                           `<b>${this.translations.h_status}</b>`,
@@ -66,13 +66,13 @@ export default class WakeOnLan extends BaseTableWidget {
 
           for(let it = 0; it < data.rows.length; it++){
               const item = data.rows[it];
-              let is_active = this.checkActive(arp, item.mac, item.interface);
+              let is_active = this.checkActive(arp, item.mac, item.identifier);
               let row = [
                   `${item.descr.length !== 0 ? item.descr + '<br/>': ''} ${item.mac}`,
                   `${item.interface}`,
                   `<i class="fa fa-${is_active == 1 ? "play" : "remove"} fa-fw text-${is_active == 1 ? "success" : "danger"}" ></i>
                    ${ is_active == 1 ? "Online" : "Offline"}`,
-                  `<button class="btn btn-primary btn-xs wakeupbtn" data-mac="${item.mac}" data-interface="${item.interface}" data-uuid="${item.uuid}">
+                  `<button class="btn btn-primary btn-xs wakeupbtn" data-uuid="${item.uuid}">
                     <i class="fa fa-bolt fa-fw" title="Wake Up"></i>
                    </button>`
                   ];
@@ -83,8 +83,12 @@ export default class WakeOnLan extends BaseTableWidget {
 
     $('.wakeupbtn').on('click', async (event) => {
       event.preventDefault();
+      let btn = $(event.currentTarget).find('i');
+      /* the call is quick, omit fa-spinner fa-pulse use */
       const data = {uuid: $(event.currentTarget).data('uuid')};
-      const result = await this.ajaxCall('/api/wol/wol/set', JSON.stringify(data), 'POST');
+      const result = await this.ajaxCall('/api/wol/wol/set', JSON.stringify(data), 'POST').then(() => {
+          btn.removeClass('fa-bolt').addClass('fa-check');
+      });
     });
   }
 

From ba175b5cc6c695b49c72af1aa4bb69abf5b9d01e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Aug 2024 13:21:24 +0200
Subject: [PATCH 2055/3088] net/wol: remove focus after click

---
 net/wol/src/opnsense/www/js/widgets/WakeOnLan.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
index fa7d3fe33d..04c15480d0 100644
--- a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
+++ b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
@@ -89,6 +89,7 @@ export default class WakeOnLan extends BaseTableWidget {
       const result = await this.ajaxCall('/api/wol/wol/set', JSON.stringify(data), 'POST').then(() => {
           btn.removeClass('fa-bolt').addClass('fa-check');
       });
+      event.currentTarget.blur();
     });
   }
 

From fd504cf04a36ab9218c45e4daadd1ec194aa91f0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Aug 2024 15:09:49 +0200
Subject: [PATCH 2056/3088] net/wol: change this back, bug in getArp()

---
 .../app/controllers/OPNsense/Wol/Api/WolController.php | 10 +---------
 net/wol/src/opnsense/www/js/widgets/WakeOnLan.js       |  6 +++---
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/net/wol/src/opnsense/mvc/app/controllers/OPNsense/Wol/Api/WolController.php b/net/wol/src/opnsense/mvc/app/controllers/OPNsense/Wol/Api/WolController.php
index c6d3255f6e..7b7841b5e7 100644
--- a/net/wol/src/opnsense/mvc/app/controllers/OPNsense/Wol/Api/WolController.php
+++ b/net/wol/src/opnsense/mvc/app/controllers/OPNsense/Wol/Api/WolController.php
@@ -69,15 +69,7 @@ public function delHostAction($uuid)
 
     public function searchHostAction()
     {
-        $ret = $this->searchBase('wolentry', ['interface', 'mac', 'descr']);
-
-        foreach ($ret['rows'] ?? [] as $idx => $wol) {
-            /* not entirely accurate naming but it's too much effor to unwind this API */
-            $ret['rows'][$idx]['identifier'] =
-                (string)$this->getModel()->getNodeByReference('wolentry.' . $wol['uuid'])->interface;
-        }
-
-        return $ret;
+        return $this->searchBase('wolentry', ['interface', 'mac', 'descr']);
     }
 
     public function getHostAction($uuid = null)
diff --git a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
index 04c15480d0..7a98b6a80e 100644
--- a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
+++ b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
@@ -50,10 +50,10 @@ export default class WakeOnLan extends BaseTableWidget {
         const data = await this.ajaxCall('/api/wol/wol/searchHost');
 
         let rows = [];
-	if (data.total == 0) {
+        if (data.total == 0) {
           const empty_list = [`<b>${this.translations.msg_empty_wol}</b>`];
           rows.push(empty_list);
-	} else {
+        } else {
           const header = [`<b>${this.translations.h_device}</b>`,
                           `<b>${this.translations.h_interface}</b>`,
                           `<b>${this.translations.h_status}</b>`,
@@ -66,7 +66,7 @@ export default class WakeOnLan extends BaseTableWidget {
 
           for(let it = 0; it < data.rows.length; it++){
               const item = data.rows[it];
-              let is_active = this.checkActive(arp, item.mac, item.identifier);
+              let is_active = this.checkActive(arp, item.mac, item.interface);
               let row = [
                   `${item.descr.length !== 0 ? item.descr + '<br/>': ''} ${item.mac}`,
                   `${item.interface}`,

From 8b338f631bd31c9eff88c184c8748f678ee2efb7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Aug 2024 16:09:45 +0200
Subject: [PATCH 2057/3088] dns/ddclient: not needed, merge rest to widget

---
 dns/ddclient/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f769b4053a..ea35bed1ca 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.24
-PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 5d346589ed4431a048aeece4840c75d4bac9d753 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 08:57:45 +0200
Subject: [PATCH 2058/3088] plugins: add conflicts to #4202

In order to devise a plan to cope with plugins that deinstall other
plugins the best approach seems to be to simply tell the core that
other plugins are conflicting.  We already have that information
so we just have to pass it along.

It's a bit similar to pkg and ports where this information is available
during build but not used later during runtime.  Conflicts are based
on installing the same file, but pkg only notices this when it starts
installing and will try to tell you again, but it could have already
kown.

Needs some glue in core as well but it will be very cool.
---
 Mk/defaults.mk    | 1 +
 Templates/version | 1 +
 2 files changed, 2 insertions(+)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index f6c805c99f..f6a2908623 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -75,6 +75,7 @@ PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 
 REPLACEMENTS=	PLUGIN_ABI \
 		PLUGIN_ARCH \
+		PLUGIN_CONFLICTS \
 		PLUGIN_HASH \
 		PLUGIN_MAINTAINER \
 		PLUGIN_NAME \
diff --git a/Templates/version b/Templates/version
index 6d97cfccb5..82d753f288 100644
--- a/Templates/version
+++ b/Templates/version
@@ -1,6 +1,7 @@
 {
     "product_abi": "%%PLUGIN_ABI%%",
     "product_arch": "%%PLUGIN_ARCH%%",
+    "product_conflicts": "%%PLUGIN_CONFLICTS%%",
     "product_email": "%%PLUGIN_MAINTAINER%%",
     "product_hash": "%%PLUGIN_HASH%%",
     "product_id": "%%PLUGIN_PKGNAME%%",

From 4867a75d309ed2c647a4b3020c7483c2bcd2d373 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 09:19:39 +0200
Subject: [PATCH 2059/3088] plugins: do not register own name as conflict #4202

---
 Mk/plugins.mk | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ed4a7237df..a74b6c76ff 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -71,12 +71,14 @@ PLUGIN_SUFFIX?=		-devel
 PLUGIN_VARIANT?=	${PLUGIN_VARIANTS:[1]}
 .endif
 
-.if !empty(PLUGIN_VARIANT)
+.if "${PLUGIN_VARIANT}" == ""
+.error Plugin variant cannot be empty
+.else
 PLUGIN_NAME:=		${${PLUGIN_VARIANT}_NAME}
 .if empty(PLUGIN_NAME)
 .error Plugin variant '${PLUGIN_VARIANT}' does not exist
 .endif
-.for _PLUGIN_VARIANT in ${PLUGIN_VARIANTS}
+.for _PLUGIN_VARIANT in ${PLUGIN_VARIANTS:N${PLUGIN_VARIANT}}
 PLUGIN_CONFLICTS+=	${${_PLUGIN_VARIANT}_NAME}
 .endfor
 PLUGIN_DEPENDS+=	${${PLUGIN_VARIANT}_DEPENDS}

From 560e31016654d2b36bfb62a3274b27e29382ee5f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 09:23:52 +0200
Subject: [PATCH 2060/3088] plugins: conditional falling appart, better hide
 under relevant section #4202

---
 Mk/plugins.mk | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index a74b6c76ff..26be14e768 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -69,8 +69,6 @@ PLUGIN_SUFFIX?=		-devel
 
 .if !empty(PLUGIN_VARIANTS)
 PLUGIN_VARIANT?=	${PLUGIN_VARIANTS:[1]}
-.endif
-
 .if "${PLUGIN_VARIANT}" == ""
 .error Plugin variant cannot be empty
 .else
@@ -83,6 +81,7 @@ PLUGIN_CONFLICTS+=	${${_PLUGIN_VARIANT}_NAME}
 .endfor
 PLUGIN_DEPENDS+=	${${PLUGIN_VARIANT}_DEPENDS}
 .endif
+.endif
 
 .if !empty(PLUGIN_NAME)
 PLUGIN_DIR?=		${.CURDIR:S/\// /g:[-2]}/${.CURDIR:S/\// /g:[-1]}

From 961eedb901fbeccbc4fd28977f282dd21dc6171d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 09:26:56 +0200
Subject: [PATCH 2061/3088] sysutils/cpu-microcode-*: has docs, switch to tier
 2

---
 sysutils/cpu-microcode-amd/Makefile   | 1 +
 sysutils/cpu-microcode-intel/Makefile | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sysutils/cpu-microcode-amd/Makefile b/sysutils/cpu-microcode-amd/Makefile
index 649e3ff5bb..c5a40b6f77 100644
--- a/sysutils/cpu-microcode-amd/Makefile
+++ b/sysutils/cpu-microcode-amd/Makefile
@@ -4,5 +4,6 @@ PLUGIN_COMMENT=		AMD CPU microcode updates
 PLUGIN_DEPENDS=		cpu-microcode-amd x86info
 PLUGIN_CONFLICTS=	cpu-microcode-intel
 PLUGIN_MAINTAINER=	franco@opnsense.org
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/cpu-microcode-intel/Makefile b/sysutils/cpu-microcode-intel/Makefile
index ac8a9774c7..f349390dca 100644
--- a/sysutils/cpu-microcode-intel/Makefile
+++ b/sysutils/cpu-microcode-intel/Makefile
@@ -4,5 +4,6 @@ PLUGIN_COMMENT=		Intel CPU microcode updates
 PLUGIN_DEPENDS=		cpu-microcode-intel x86info
 PLUGIN_CONFLICTS=	cpu-microcode-amd
 PLUGIN_MAINTAINER=	franco@opnsense.org
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"

From 39104124c38f979f9777327a5fc63e00188e5622 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 11:36:02 +0200
Subject: [PATCH 2062/3088] plugins: register conflicts with development
 versions too #4202

To make this consistent the product_id and product_conflicts
now both have a consistent plugin prefix.
---
 Mk/plugins.mk | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 26be14e768..b68ab957fb 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -67,6 +67,10 @@ PLUGIN_DEVEL?=		yes
 PLUGIN_PREFIX?=		os-
 PLUGIN_SUFFIX?=		-devel
 
+.for CONFLICT in ${PLUGIN_CONFLICTS}
+PLUGIN_CONFLICTS+=	${CONFLICT}${PLUGIN_SUFFIX}
+.endfor
+
 .if !empty(PLUGIN_VARIANTS)
 PLUGIN_VARIANT?=	${PLUGIN_VARIANTS:[1]}
 .if "${PLUGIN_VARIANT}" == ""
@@ -77,7 +81,7 @@ PLUGIN_NAME:=		${${PLUGIN_VARIANT}_NAME}
 .error Plugin variant '${PLUGIN_VARIANT}' does not exist
 .endif
 .for _PLUGIN_VARIANT in ${PLUGIN_VARIANTS:N${PLUGIN_VARIANT}}
-PLUGIN_CONFLICTS+=	${${_PLUGIN_VARIANT}_NAME}
+PLUGIN_CONFLICTS+=	${PLUGIN_PREFIX}${${_PLUGIN_VARIANT}_NAME}${PLUGIN_SUFFIX} ${PLUGIN_PREFIX}${${_PLUGIN_VARIANT}_NAME}
 .endfor
 PLUGIN_DEPENDS+=	${${PLUGIN_VARIANT}_DEPENDS}
 .endif
@@ -87,20 +91,16 @@ PLUGIN_DEPENDS+=	${${PLUGIN_VARIANT}_DEPENDS}
 PLUGIN_DIR?=		${.CURDIR:S/\// /g:[-2]}/${.CURDIR:S/\// /g:[-1]}
 .endif
 
-PLUGIN_PKGNAMES=	${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_SUFFIX} \
-			${PLUGIN_PREFIX}${PLUGIN_NAME}
-.for CONFLICT in ${PLUGIN_CONFLICTS}
-PLUGIN_PKGNAMES+=	${PLUGIN_PREFIX}${CONFLICT}${PLUGIN_SUFFIX} \
-			${PLUGIN_PREFIX}${CONFLICT}
-.endfor
-
 .if "${PLUGIN_DEVEL}" != ""
+PLUGIN_CONFLICTS+=	${PLUGIN_PREFIX}${PLUGIN_NAME}
 PLUGIN_PKGSUFFIX=	${PLUGIN_SUFFIX}
 .else
+PLUGIN_CONFLICTS+=	${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_SUFFIX}
 PLUGIN_PKGSUFFIX=	# empty
 .endif
 
 PLUGIN_PKGNAME=		${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_PKGSUFFIX}
+PLUGIN_PKGNAMES=	${PLUGIN_CONFLICTS} ${PLUGIN_PKGNAME}
 
 .if "${PLUGIN_REVISION}" != "" && "${PLUGIN_REVISION}" != "0"
 PLUGIN_PKGVERSION=	${PLUGIN_VERSION}_${PLUGIN_REVISION}

From f8852876656a2b02bb0ec32a3be47e52978e2666 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 11:57:30 +0200
Subject: [PATCH 2063/3088] plugins: simplify this just a little #4202

---
 Mk/plugins.mk | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index b68ab957fb..0dea226d92 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -81,7 +81,8 @@ PLUGIN_NAME:=		${${PLUGIN_VARIANT}_NAME}
 .error Plugin variant '${PLUGIN_VARIANT}' does not exist
 .endif
 .for _PLUGIN_VARIANT in ${PLUGIN_VARIANTS:N${PLUGIN_VARIANT}}
-PLUGIN_CONFLICTS+=	${PLUGIN_PREFIX}${${_PLUGIN_VARIANT}_NAME}${PLUGIN_SUFFIX} ${PLUGIN_PREFIX}${${_PLUGIN_VARIANT}_NAME}
+PLUGIN_CONFLICTS+=	${${_PLUGIN_VARIANT}_NAME}${PLUGIN_SUFFIX} \
+			${${_PLUGIN_VARIANT}_NAME}
 .endfor
 PLUGIN_DEPENDS+=	${${PLUGIN_VARIANT}_DEPENDS}
 .endif
@@ -92,13 +93,15 @@ PLUGIN_DIR?=		${.CURDIR:S/\// /g:[-2]}/${.CURDIR:S/\// /g:[-1]}
 .endif
 
 .if "${PLUGIN_DEVEL}" != ""
-PLUGIN_CONFLICTS+=	${PLUGIN_PREFIX}${PLUGIN_NAME}
+PLUGIN_CONFLICTS+=	${PLUGIN_NAME}
 PLUGIN_PKGSUFFIX=	${PLUGIN_SUFFIX}
 .else
-PLUGIN_CONFLICTS+=	${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_SUFFIX}
+PLUGIN_CONFLICTS+=	${PLUGIN_NAME}${PLUGIN_SUFFIX}
 PLUGIN_PKGSUFFIX=	# empty
 .endif
 
+PLUGIN_CONFLICTS:=	${PLUGIN_CONFLICTS:S/^/${PLUGIN_PREFIX}/g:O}
+
 PLUGIN_PKGNAME=		${PLUGIN_PREFIX}${PLUGIN_NAME}${PLUGIN_PKGSUFFIX}
 PLUGIN_PKGNAMES=	${PLUGIN_CONFLICTS} ${PLUGIN_PKGNAME}
 

From d869ae5e543fb471dbd2af5ada65a3150d97fd91 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 21:45:25 +0200
Subject: [PATCH 2064/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index a910d27165..3d24f7ac54 100644
--- a/LICENSE
+++ b/LICENSE
@@ -46,6 +46,7 @@ Copyright (c) 2022 Markus Reiter <me@reitermark.us>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2024 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2024 Michał Brzeziński
 Copyright (c) 2024 Mike Shuey
 Copyright (c) 2023 Mikhail Kharisov
 Copyright (c) 2012 mkirbst
@@ -68,7 +69,6 @@ Copyright (c) 2023-2024 Thomas Cekal <thomas@cekal.org>
 Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2024 txr13
 Copyright (c) 2022 Wouter Deurholt
-Copyright (c) 2010 Yehuda Katz
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
 All rights reserved.
 

From 5b529766760293fbdc01fe488e9e3e2eed4e1af0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 21:57:22 +0200
Subject: [PATCH 2065/3088] plugins: add more boring variants glue

If we want separate comments for each plugin this would be the
way to do it.
---
 Mk/plugins.mk | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 0dea226d92..ffaed11209 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -58,6 +58,8 @@ check:
 .  endif
 .endfor
 
+_PLUGIN_COMMENT:=	${PLUGIN_COMMENT}
+
 .if defined(_PLUGIN_DEVEL)
 PLUGIN_DEVEL?:=		${_PLUGIN_DEVEL}
 .else
@@ -85,6 +87,9 @@ PLUGIN_CONFLICTS+=	${${_PLUGIN_VARIANT}_NAME}${PLUGIN_SUFFIX} \
 			${${_PLUGIN_VARIANT}_NAME}
 .endfor
 PLUGIN_DEPENDS+=	${${PLUGIN_VARIANT}_DEPENDS}
+.if !empty(${PLUGIN_VARIANT}_COMMENT)
+_PLUGIN_COMMENT:=	${${PLUGIN_VARIANT}_COMMENT}
+.endif
 .endif
 .endif
 
@@ -115,7 +120,7 @@ manifest: check
 	@echo "name: ${PLUGIN_PKGNAME}"
 	@echo "version: \"${PLUGIN_PKGVERSION}\""
 	@echo "origin: opnsense/${PLUGIN_PKGNAME}"
-	@echo "comment: \"${PLUGIN_COMMENT}\""
+	@echo "comment: \"${_PLUGIN_COMMENT}\""
 	@echo "maintainer: \"${PLUGIN_MAINTAINER}\""
 	@echo "categories: [ \"${.CURDIR:S/\// /g:[-2]}\" ]"
 	@echo "www: \"${PLUGIN_WWW}\""

From 098a191c578aebfa88af9195531d395ce270bd67 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 27 Aug 2024 21:58:48 +0200
Subject: [PATCH 2066/3088] sysutils/cpu-microcode: merge the plugin code bases
 using variants

Should have done this from the start, but now this looks much cooler.  ;)
---
 README.md                                       |  3 +--
 sysutils/cpu-microcode-amd/Makefile             |  9 ---------
 .../src/etc/rc.loader.d/40-cpu-microcode        |  2 --
 sysutils/cpu-microcode-intel/Makefile           |  9 ---------
 sysutils/cpu-microcode-intel/pkg-descr          |  6 ------
 .../src/etc/rc.loader.d/40-cpu-microcode        |  2 --
 .../src/etc/rc.syshook.d/early/40-cpu-microcode |  5 -----
 sysutils/cpu-microcode/Makefile                 | 17 +++++++++++++++++
 .../pkg-descr                                   |  6 +++---
 .../src/etc/rc.loader.d/40-cpu-microcode.in     |  2 ++
 .../src/etc/rc.syshook.d/early/40-cpu-microcode |  0
 11 files changed, 23 insertions(+), 38 deletions(-)
 delete mode 100644 sysutils/cpu-microcode-amd/Makefile
 delete mode 100644 sysutils/cpu-microcode-amd/src/etc/rc.loader.d/40-cpu-microcode
 delete mode 100644 sysutils/cpu-microcode-intel/Makefile
 delete mode 100644 sysutils/cpu-microcode-intel/pkg-descr
 delete mode 100644 sysutils/cpu-microcode-intel/src/etc/rc.loader.d/40-cpu-microcode
 delete mode 100755 sysutils/cpu-microcode-intel/src/etc/rc.syshook.d/early/40-cpu-microcode
 create mode 100644 sysutils/cpu-microcode/Makefile
 rename sysutils/{cpu-microcode-amd => cpu-microcode}/pkg-descr (60%)
 create mode 100644 sysutils/cpu-microcode/src/etc/rc.loader.d/40-cpu-microcode.in
 rename sysutils/{cpu-microcode-amd => cpu-microcode}/src/etc/rc.syshook.d/early/40-cpu-microcode (100%)

diff --git a/README.md b/README.md
index 8cb7fd41d5..7b970ba603 100644
--- a/README.md
+++ b/README.md
@@ -92,8 +92,7 @@ security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
 sysutils/apuled -- PC Engine APU LED control (development only)
-sysutils/cpu-microcode-amd -- AMD CPU microcode updates
-sysutils/cpu-microcode-intel -- Intel CPU microcode updates
+sysutils/cpu-microcode -- CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
 sysutils/git-backup -- Track config changes using git
diff --git a/sysutils/cpu-microcode-amd/Makefile b/sysutils/cpu-microcode-amd/Makefile
deleted file mode 100644
index c5a40b6f77..0000000000
--- a/sysutils/cpu-microcode-amd/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-PLUGIN_NAME=		cpu-microcode-amd
-PLUGIN_VERSION=		1.0
-PLUGIN_COMMENT=		AMD CPU microcode updates
-PLUGIN_DEPENDS=		cpu-microcode-amd x86info
-PLUGIN_CONFLICTS=	cpu-microcode-intel
-PLUGIN_MAINTAINER=	franco@opnsense.org
-PLUGIN_TIER=		2
-
-.include "../../Mk/plugins.mk"
diff --git a/sysutils/cpu-microcode-amd/src/etc/rc.loader.d/40-cpu-microcode b/sysutils/cpu-microcode-amd/src/etc/rc.loader.d/40-cpu-microcode
deleted file mode 100644
index c7cbf86a3b..0000000000
--- a/sysutils/cpu-microcode-amd/src/etc/rc.loader.d/40-cpu-microcode
+++ /dev/null
@@ -1,2 +0,0 @@
-cpu_microcode_load="YES"
-cpu_microcode_name="/boot/firmware/amd-ucode.bin"
diff --git a/sysutils/cpu-microcode-intel/Makefile b/sysutils/cpu-microcode-intel/Makefile
deleted file mode 100644
index f349390dca..0000000000
--- a/sysutils/cpu-microcode-intel/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-PLUGIN_NAME=		cpu-microcode-intel
-PLUGIN_VERSION=		1.0
-PLUGIN_COMMENT=		Intel CPU microcode updates
-PLUGIN_DEPENDS=		cpu-microcode-intel x86info
-PLUGIN_CONFLICTS=	cpu-microcode-amd
-PLUGIN_MAINTAINER=	franco@opnsense.org
-PLUGIN_TIER=		2
-
-.include "../../Mk/plugins.mk"
diff --git a/sysutils/cpu-microcode-intel/pkg-descr b/sysutils/cpu-microcode-intel/pkg-descr
deleted file mode 100644
index cdf882f5f5..0000000000
--- a/sysutils/cpu-microcode-intel/pkg-descr
+++ /dev/null
@@ -1,6 +0,0 @@
-Updating your microcode can help to mitigate certain potential security
-vulnerabilities in CPUs as well as address certain functional issues that could,
-for example, result in unpredictable system behavior such as hangs, crashes,
-unexpected reboots, data errors, etc.
-
-The microcode update will be loaded when the system is rebooted.
diff --git a/sysutils/cpu-microcode-intel/src/etc/rc.loader.d/40-cpu-microcode b/sysutils/cpu-microcode-intel/src/etc/rc.loader.d/40-cpu-microcode
deleted file mode 100644
index 976a36fa55..0000000000
--- a/sysutils/cpu-microcode-intel/src/etc/rc.loader.d/40-cpu-microcode
+++ /dev/null
@@ -1,2 +0,0 @@
-cpu_microcode_load="YES"
-cpu_microcode_name="/boot/firmware/intel-ucode.bin"
diff --git a/sysutils/cpu-microcode-intel/src/etc/rc.syshook.d/early/40-cpu-microcode b/sysutils/cpu-microcode-intel/src/etc/rc.syshook.d/early/40-cpu-microcode
deleted file mode 100755
index 4dab1e32c7..0000000000
--- a/sysutils/cpu-microcode-intel/src/etc/rc.syshook.d/early/40-cpu-microcode
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-export microcode_update_enable="YES"
-
-/usr/local/etc/rc.d/microcode_update start
diff --git a/sysutils/cpu-microcode/Makefile b/sysutils/cpu-microcode/Makefile
new file mode 100644
index 0000000000..9251d5fd5d
--- /dev/null
+++ b/sysutils/cpu-microcode/Makefile
@@ -0,0 +1,17 @@
+PLUGIN_NAME=		cpu-microcode-amd
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		CPU microcode updates
+PLUGIN_DEPENDS=		x86info
+PLUGIN_MAINTAINER=	franco@opnsense.org
+PLUGIN_TIER=		2
+PLUGIN_VARIANTS=	amd intel
+
+amd_NAME=		cpu-microcode-amd
+amd_DEPENDS=		cpu-microcode-amd
+amd_COMMENT:=		AMD ${PLUGIN_COMMENT}
+
+intel_NAME=		cpu-microcode-intel
+intel_DEPENDS=		cpu-microcode-intel
+intel_COMMENT:=		Intel ${PLUGIN_COMMENT}
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/cpu-microcode-amd/pkg-descr b/sysutils/cpu-microcode/pkg-descr
similarity index 60%
rename from sysutils/cpu-microcode-amd/pkg-descr
rename to sysutils/cpu-microcode/pkg-descr
index cdf882f5f5..c84f699029 100644
--- a/sysutils/cpu-microcode-amd/pkg-descr
+++ b/sysutils/cpu-microcode/pkg-descr
@@ -1,6 +1,6 @@
 Updating your microcode can help to mitigate certain potential security
-vulnerabilities in CPUs as well as address certain functional issues that could,
-for example, result in unpredictable system behavior such as hangs, crashes,
-unexpected reboots, data errors, etc.
+vulnerabilities in CPUs as well as address certain functional issues that
+could, for example, result in unpredictable system behavior such as hangs,
+crashes, unexpected reboots, data errors, etc.
 
 The microcode update will be loaded when the system is rebooted.
diff --git a/sysutils/cpu-microcode/src/etc/rc.loader.d/40-cpu-microcode.in b/sysutils/cpu-microcode/src/etc/rc.loader.d/40-cpu-microcode.in
new file mode 100644
index 0000000000..b20660e00f
--- /dev/null
+++ b/sysutils/cpu-microcode/src/etc/rc.loader.d/40-cpu-microcode.in
@@ -0,0 +1,2 @@
+cpu_microcode_load="YES"
+cpu_microcode_name="/boot/firmware/%%PLUGIN_VARIANT%%-ucode.bin"
diff --git a/sysutils/cpu-microcode-amd/src/etc/rc.syshook.d/early/40-cpu-microcode b/sysutils/cpu-microcode/src/etc/rc.syshook.d/early/40-cpu-microcode
similarity index 100%
rename from sysutils/cpu-microcode-amd/src/etc/rc.syshook.d/early/40-cpu-microcode
rename to sysutils/cpu-microcode/src/etc/rc.syshook.d/early/40-cpu-microcode

From a5b4227c84bf2c7085f453ab0bce0cb9c24abe99 Mon Sep 17 00:00:00 2001
From: Makss39 <61969235+Makss39@users.noreply.github.com>
Date: Wed, 28 Aug 2024 14:33:33 +0200
Subject: [PATCH 2067/3088] PR - rspamd phishing exclusion (#4204)

---
 .../app/controllers/OPNsense/Rspamd/forms/settings.xml    | 8 ++++++++
 .../opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml    | 3 +++
 .../opnsense/service/templates/OPNsense/Rspamd/+TARGETS   | 1 +
 .../templates/OPNsense/Rspamd/phishing_whitelist.inc      | 5 +++++
 4 files changed, 17 insertions(+)
 create mode 100644 mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/phishing_whitelist.inc

diff --git a/mail/rspamd/src/opnsense/mvc/app/controllers/OPNsense/Rspamd/forms/settings.xml b/mail/rspamd/src/opnsense/mvc/app/controllers/OPNsense/Rspamd/forms/settings.xml
index b37c8b7806..b7a8d1b780 100644
--- a/mail/rspamd/src/opnsense/mvc/app/controllers/OPNsense/Rspamd/forms/settings.xml
+++ b/mail/rspamd/src/opnsense/mvc/app/controllers/OPNsense/Rspamd/forms/settings.xml
@@ -297,6 +297,14 @@
                 <type>text</type>
                 <help>Give a URL where to retrieve the Phishtank feed.</help>
             </field>
+            <field>
+                <id>rspamd.phishing.exclusion</id>
+                <label>Exclusion</label>
+                <type>select_multiple</type>
+                <style>tokenize</style>
+                <allownew>true</allownew>
+                <help>The exclusion map should only contain a list of host names without a scheme and path.</help>
+            </field>
         </subtab>
         <subtab id="rspamd-anti-spam-rate-limit" description="Rate Limit">
             <field>
diff --git a/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml b/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
index fccb94dfce..66453a0fe7 100644
--- a/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
+++ b/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
@@ -298,6 +298,9 @@
         <default></default>
         <Required>N</Required>
       </phishtank_map>
+      <exclusion type="CSVListField">
+        <Required>N</Required>
+      </exclusion>
     </phishing>
 
     <rate_limit>
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
index 6337a9b543..dc9db3cbac 100644
--- a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/+TARGETS
@@ -13,6 +13,7 @@ surbl-whitelist.inc.local:/var/db/rspamd/surbl-whitelist.inc.local
 greylist.conf:/usr/local/etc/rspamd/local.d/greylist.conf
 greylist_ip.wl:/usr/local/etc/rspamd/local.d/greylist_ip.wl
 phishing.conf:/usr/local/etc/rspamd/local.d/phishing.conf
+phishing_whitelist.inc:/usr/local/etc/rspamd/local.d/phishing_whitelist.inc
 milter_headers.conf:/usr/local/etc/rspamd/local.d/milter_headers.conf
 multimap.conf:/usr/local/etc/rspamd/local.d/multimap.conf
 mx_check.conf:/usr/local/etc/rspamd/local.d/mx_check.conf
diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/phishing_whitelist.inc b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/phishing_whitelist.inc
new file mode 100644
index 0000000000..a46347d158
--- /dev/null
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/phishing_whitelist.inc
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.Rspamd.general.enabled') and OPNsense.Rspamd.general.enabled == '1' and helpers.exists('OPNsense.Rspamd.phishing.exclusion') and OPNsense.Rspamd.phishing.exclusion != '' %}
+{%   for sender in OPNsense.Rspamd.phishing.exclusion.split(',') %}
+{{ sender }}
+{%   endfor %}
+{% endif %}

From fc23a1a576d159965332a38e35032d00047bf81b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 29 Aug 2024 17:39:53 +0200
Subject: [PATCH 2068/3088] dns/rfc2136: fix previous, mea culpa

---
 dns/rfc2136/Makefile                              | 1 +
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 2 +-
 dns/rfc2136/src/www/services_rfc2136.php          | 2 +-
 dns/rfc2136/src/www/services_rfc2136_edit.php     | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index dada9a6509..0b739b1895 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.9
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 73cf42bc09..fd9588e359 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -34,7 +34,7 @@ function rfc2136_configure()
     return [
         'bootup' => ['rfc2136_configure_do'],
         'local' => ['rfc2136_configure_do'],
-        'newwanip_map' => ['rfc2136_configure_map:2'],
+        'newwanip_map' => ['rfc2136_configure_do:2'],
     ];
 }
 
diff --git a/dns/rfc2136/src/www/services_rfc2136.php b/dns/rfc2136/src/www/services_rfc2136.php
index 4c7c385c07..6acf4e7610 100644
--- a/dns/rfc2136/src/www/services_rfc2136.php
+++ b/dns/rfc2136/src/www/services_rfc2136.php
@@ -54,7 +54,7 @@
             write_config();
             system_cron_configure();
             if (!empty($a_rfc2136[$_POST['id']]['enable'])) {
-                rfc2136_configure_do(false, '', $a_rfc2136[$_POST['id']]['host'], true);
+                rfc2136_configure_do(false, null, $a_rfc2136[$_POST['id']]['host'], true);
             }
         }
         exit;
diff --git a/dns/rfc2136/src/www/services_rfc2136_edit.php b/dns/rfc2136/src/www/services_rfc2136_edit.php
index 8702129a37..5dd4614f79 100644
--- a/dns/rfc2136/src/www/services_rfc2136_edit.php
+++ b/dns/rfc2136/src/www/services_rfc2136_edit.php
@@ -122,7 +122,7 @@
         system_cron_configure();
 
         if (!empty($pconfig['force'])) {
-            rfc2136_configure_do(false, '', $rfc2136['host'], true);
+            rfc2136_configure_do(false, null, $rfc2136['host'], true);
         }
 
         header(url_safe('Location: /services_rfc2136.php'));

From 8600f77784c387beb6b74de325569396582d5b73 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 1 Sep 2024 11:31:50 +0200
Subject: [PATCH 2069/3088] www/nginx - contact us is very unclear which seems
 to lead people to believe they should contact OPNsense, which is clearly not
 the case.

---
 www/nginx/Makefile                            | 2 +-
 www/nginx/src/etc/nginx/views/waf_denied.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 69a29575e4..4ed214f639 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/etc/nginx/views/waf_denied.html b/www/nginx/src/etc/nginx/views/waf_denied.html
index 7fdcc343c8..3dc3c0b35d 100644
--- a/www/nginx/src/etc/nginx/views/waf_denied.html
+++ b/www/nginx/src/etc/nginx/views/waf_denied.html
@@ -51,7 +51,7 @@
     <h1>Request Denied For Security Reasons</h1>
     <p>The request has been denied by the web application firewall due to a security policy violation.</p>
     <p>Request information have been logged to investigate the incident.</p>
-    <p>If you think this is an error on our side, please contact us.</p>
+    <p>Please contact your system administrator if you believe these policies are incorrect.</p>
     <hr />
     <footer>
           <div class="footertext">Web Application Protection by OPNsense</div>

From e1815a2faf22b4fbb491734a2ec7beb9f2d0b09c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 2 Sep 2024 10:03:24 +0200
Subject: [PATCH 2070/3088] mail/rspamd: revision for now

---
 mail/rspamd/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index b72d9f6058..6d672f7ffe 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		rspamd
 PLUGIN_VERSION=		1.13
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From fc0bf2d9f82fe34ad511132e047fd477ba106e55 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 2 Sep 2024 18:11:40 +0200
Subject: [PATCH 2071/3088] www/caddy: Refactor general.volt to base_tabs,
 Update DNS Providers (#4209)

* Refactor general.volt from layout_partials/base_form to layout_partials/base_tabs

* www/caddy: Refactor general.volt from layout_partials/base_form to layout_partials/base_tabs

* Add Layer4 DNS matcher, Add DNS Provider Hetzner, Change DNS Providers Router53 max_retries to hosted_zone_id, Restructure general.xml to add Advanced Settings Tab.

* Small tweak that message area starts at approximately the same spot as the Apply button

* Adjust Makefile and pkg-descr

* www/caddy: reverse_proxy.volt, adjust style to fit with general.volt. Make add buttons primary. Hide Wizard buttons in Subdomaintab. Print errors with alert-danger.

* www/caddy: Remove useless help text in diagnostics.volt

* www/caddy: Refactor views for ajaxGet and ajaxCall. Clean up some style. Add Comments to functions. Declare functions first before calling them.
---
 www/caddy/Makefile                            |   5 +-
 www/caddy/pkg-descr                           |  35 +-
 .../OPNsense/Caddy/GeneralController.php      |   4 -
 .../OPNsense/Caddy/forms/authprovider.xml     |  32 --
 .../OPNsense/Caddy/forms/dnsprovider.xml      |  66 ----
 .../OPNsense/Caddy/forms/dynamicdns.xml       |  44 ---
 .../OPNsense/Caddy/forms/general.xml          | 302 ++++++++++++----
 .../OPNsense/Caddy/forms/logsettings.xml      |  27 --
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |   2 +
 .../app/views/OPNsense/Caddy/diagnostics.volt |  76 ++---
 .../mvc/app/views/OPNsense/Caddy/general.volt | 321 +++++-------------
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 256 +++++++-------
 .../OPNsense/Caddy/includeDnsProvider         |   2 +-
 13 files changed, 510 insertions(+), 662 deletions(-)
 delete mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
 delete mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
 delete mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
 delete mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index f8fe5bf0d6..d1427802e5 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.6.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.7.0
 PLUGIN_DEPENDS=		caddy-custom
-PLUGIN_COMMENT=		Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
+PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 
 .include "../../Mk/plugins.mk"
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index edcee06642..650aa8ef9e 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -1,33 +1,28 @@
 Caddy - The Ultimate Server - makes your sites more secure, more reliable, and more scalable than any other solution.
-By default, Caddy automatically obtains and renews TLS certificates for all your sites.
+By default, Caddy automatically obtains and renews TLS certificates (Let's Encrypt and ZeroSSL) for all your sites.
 It's the most advanced HTTPS server in the world.
 
-Reverse Proxy HTTP, HTTPS, FastCGI, WebSockets, gRPC, FastCGI (usually PHP), and more!
+* Reverse Proxy HTTP, HTTPS and WebSockets
+* Route UDP/TCP traffic with the included Layer4 module: https://github.com/mholt/caddy-l4
+* Dynamic DNS module included: https://github.com/mholt/caddy-dynamicdns
+* Large selection of DNS Providers available: https://github.com/caddy-dns
 
 WWW: https://caddyserver.com/
-
-Main features of this plugin:
-
-* Easy to configure and reliable! Reverse Proxy any HTTP/HTTPS or WebSocket application in minutes.
-* Automatic Let's Encrypt and ZeroSSL certificates with HTTP-01 and TLS-ALPN-01 challenge
-* DNS-01 challenge and Dynamic DNS with supported DNS Providers built right in
-* Use custom certificates from OPNsense certificate store
-* Wildcard Domain and Subdomain support
-* Access Lists to restrict access based on static networks
-* Basic Auth to restrict access by username and password
-* Forward Auth with Authelia
-* Syslog-ng integration and HTTP Access Log
-* NTLM Transport
-* Header manipulation
-* Simple load balancing with passive health check
-* Widgets for OPNsense Dashboard (24.7 and later)
-* Layer4 SNI based routing of TCP/UDP
-
 DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 
 Plugin Changelog
 ================
 
+1.7.0
+
+* Add: Layer4 protocols: DNS
+* Add: DNS Providers: Hetzner
+* Change: DNS Providers: Route53 field "max_retries" has been renamed to "hosted_zone_id"
+* Cleanup: Refactor "general.volt" from "layout_partials/base_form" to "layout_partials/base_tabs"
+* Cleanup: Refactor "general.volt", "reverse_proxy.volt" and "diagnostics.volt" to imported ajaxGet() and ajaxCall()
+* Cleanup: Adjust style of all views
+* Cleanup: Restructure "general.xml" to include tabs, add new "Advanced Settings" Tab
+
 1.6.3
 
 * Add: Disable Propagation Timeout in DNS Provider Tab. This can help if the DNS Challenge fails due to DNS Propagation being too slow.
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
index 7cc6639f6f..0986a01dfb 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/GeneralController.php
@@ -40,9 +40,5 @@ public function indexAction()
         // Assign the general settings form to the view
         $this->view->pick('OPNsense/Caddy/general');
         $this->view->generalForm = $this->getForm("general");
-        $this->view->dnsproviderForm = $this->getForm("dnsprovider");
-        $this->view->dynamicdnsForm = $this->getForm("dynamicdns");
-        $this->view->authproviderForm = $this->getForm("authprovider");
-        $this->view->logsettingsForm = $this->getForm("logsettings");
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
deleted file mode 100644
index 29527af136..0000000000
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/authprovider.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<form>
-    <field>
-        <id>caddy.general.AuthProvider</id>
-        <label>Forward Auth Provider</label>
-        <type>dropdown</type>
-        <help><![CDATA[Select a Forward Auth Provider. It can be added inside a "Handler" by enabling the "Forward Auth" checkbox. For Authelia only the basic subdomain example is supported. More information: https://www.authelia.com/integration/proxies/caddy/#basic-examples. For Authentik custom headers are not supported. More information: https://docs.goauthentik.io/docs/providers/proxy/server_caddy]]></help>
-    </field>
-    <field>
-        <id>caddy.general.AuthToDomain</id>
-        <label>Forward Auth Domain</label>
-        <type>text</type>
-        <help><![CDATA[Enter the domain name or IP address of the chosen Forward Auth Provider.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.AuthToPort</id>
-        <label>Forward Auth Port</label>
-        <type>text</type>
-        <help><![CDATA[Enter the listen port of the chosen Forward Auth Provider.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.AuthToTls</id>
-        <label>TLS</label>
-        <type>checkbox</type>
-        <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the Forward Auth Provider.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.AuthToUri</id>
-        <label>Forward Auth URI</label>
-        <type>text</type>
-        <help><![CDATA[Enter the URI of the authz api endpoint.]]></help>
-    </field>
-</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
deleted file mode 100644
index b296f91178..0000000000
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dnsprovider.xml
+++ /dev/null
@@ -1,66 +0,0 @@
-<form>
-    <field>
-        <id>caddy.general.TlsDnsProvider</id>
-        <label>DNS Provider</label>
-        <type>dropdown</type>
-        <help><![CDATA[Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is mostly needed for Wildcard Certificates, and for Dynamic DNS. To use, enable the checkbox in a "Domain" or "Subdomain". For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsApiKey</id>
-        <label>DNS API Standard Field</label>
-        <type>text</type>
-        <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token"]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>Additional Fields</label>
-        <collapse>true</collapse>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsSecretApiKey</id>
-        <label>DNS API Additional Field 1</label>
-        <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user".]]></help>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsOptionalField1</id>
-        <label>DNS API Additional Field 2</label>
-        <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "max_retries", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key".]]></help>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsOptionalField2</id>
-        <label>DNS API Additional Field 3</label>
-        <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server".]]></help>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsOptionalField3</id>
-        <label>DNS API Additional Field 4</label>
-        <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name".]]></help>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsOptionalField4</id>
-        <label>DNS API Additional Field 5</label>
-        <type>text</type>
-        <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "session_token".]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>DNS Propagation</label>
-        <collapse>true</collapse>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsPropagationResolvers</id>
-        <label>Resolvers</label>
-        <type>text</type>
-        <help><![CDATA[Leave empty to use the system resolvers (default). Resolvers customizes the DNS resolvers used when performing the DNS challenge; these take precedence over system resolvers or any default ones. If set here, the resolvers will propagate to all configured certificate issuers. If the system resolvers use DNS over TLS, setting an external resolver here is required or the DNS challenge will fail.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.TlsDnsPropagationTimeout</id>
-        <label>Disable Propagation Timeout</label>
-        <type>checkbox</type>
-        <help><![CDATA[Propagation Timeout is a duration value that sets the maximum time to wait for the DNS TXT records to appear when using the DNS challenge. The default is 2 minutes. Disabling this will set propagation_timeout to -1 (checking propagation infinitely) and additionally set a propagation_delay of 30s (wait time before starting propagation checks). This can help when the DNS Challenge continues to fail because the local DNS Server does not know the new DNS TXT records yet in the default timeframe of 2 minutes.]]></help>
-    </field>
-</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
deleted file mode 100644
index e465103ba4..0000000000
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dynamicdns.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<form>
-    <field>
-        <id>caddy.general.DynDnsIpVersions</id>
-        <label>DynDns IP Version</label>
-        <type>dropdown</type>
-        <help><![CDATA[Select the DynDns IP Version: "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.DynDnsUpdateOnly</id>
-        <label>DynDns Update Only</label>
-        <type>checkbox</type>
-        <help><![CDATA[If enabled, no new DNS records will be created. Only existing records will be updated. This means that the A or AAAA records need to be created manually ahead of time.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.DynDnsInterval</id>
-        <label>DynDns Check Interval</label>
-        <type>text</type>
-        <hint>1800</hint>
-        <help><![CDATA[Set the interval in seconds to poll for changes in the IP address. Leave empty to use system defaults.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.DynDnsTtl</id>
-        <label>DynDns TTL</label>
-        <type>text</type>
-        <help><![CDATA[Set the TTL (Time to Live) for DNS records in seconds. Leave empty to use the default of an already existing TTL (when updating only) or the default of the provider API (when creating new records). If explicitely set, values should be as defined in rfc2181 section 8.]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>Additional Checks</label>
-        <collapse>true</collapse>
-    </field>
-    <field>
-        <id>caddy.general.DynDnsSimpleHttp</id>
-        <label>DynDns Check Http</label>
-        <type>text</type>
-        <help><![CDATA[Enter a URL to test the current IP address of the firewall via the HTTP protocol. This is generally not needed as Caddy uses default providers to test the current IP addresses. If a custom provider is preferred, enter the "https://" link to an IP address testing website.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.DynDnsInterface</id>
-        <label>DynDns Check Interface</label>
-        <type>dropdown</type>
-        <help><![CDATA[Select an interface to extract the current IP addresses of the firewall. This is generally not needed as Caddy uses default providers to test the current IP addresses. Depending on the specified DynDns IP Version, at most one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted.]]></help>
-    </field>
-</form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 36e3a2c588..e76e34a2c1 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -1,72 +1,234 @@
 <form>
-    <field>
-        <id>caddy.general.enabled</id>
-        <label>Enabled</label>
-        <type>checkbox</type>
-        <help><![CDATA[Enable or disable the Caddy web server.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.EnableLayer4</id>
-        <label>(Feature Preview) Enable Layer4</label>
-        <type>checkbox</type>
-        <help><![CDATA[Enable Layer4 support to stream TCP/UDP. WARNING: This feature is in active developement and the configuration can break or change in the future. The Layer4 app matches before the HTTP app. Deactivating this option will remove all Layer4 functionality completely. More information: https://github.com/mholt/caddy-l4]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>caddy.general.HttpPort</id>
-        <label>HTTP Port</label>
-        <type>text</type>
-        <hint>80</hint>
-        <help><![CDATA[If the default HTTP port is changed to e.g. 8080, then a port forward from port 80 to 8080 is necessary to issue automatic certificates with the HTTP-01 challenge and serve clients the reverse proxied resources.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>caddy.general.HttpsPort</id>
-        <label>HTTPS Port</label>
-        <type>text</type>
-        <hint>443</hint>
-        <help><![CDATA[If the default HTTPS port is changed to e.g. 8443, then a port forward from port 443 to 8443 is necessary to issue automatic certificates with the TLS-ALPN-01 challenge and serve clients the reverse proxied resources.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>caddy.general.DisableSuperuser</id>
-        <label>Disable Superuser</label>
-        <type>checkbox</type>
-        <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>caddy.general.TlsEmail</id>
-        <label>ACME Email</label>
-        <type>text</type>
-        <hint>info@example.com</hint>
-        <help><![CDATA[Enter the email address for certificate notifications. This is required to receive automatic certificates from "Let's Encrypt" and "ZeroSSL".]]></help>
-    </field>
-    <field>
-        <id>caddy.general.TlsAutoHttps</id>
-        <label>Auto HTTPS</label>
-        <type>dropdown</type>
-        <help><![CDATA[Select the Auto HTTPS option. "On (default)" creates automatic certificates using "Let's Encrypt" or "ZeroSSL". "Off" turns all automatic certificate requests off.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.accesslist</id>
-        <label>Trusted Proxies</label>
-        <type>dropdown</type>
-        <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <id>caddy.general.abort</id>
-        <label>Abort Connections</label>
-        <type>checkbox</type>
-        <help><![CDATA[Abort all connections that don't have a matching Handle or Access List. This option does not conflict with "Let's Encrypt" or "ZeroSSL". Disable it for troubleshooting purposes, e.g., testing if the "Domain" works and the automatic certificate has been installed. For production use, enabling this option is recommended.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.GracePeriod</id>
-        <label>Grace Period</label>
-        <type>text</type>
-        <hint>10</hint>
-        <help><![CDATA[Defines the grace period for shutting down Caddy during a reload in seconds. During the grace period, no new connections are accepted, idle connections are closed, and active connections are impatiently waited upon to finish their requests. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close.]]></help>
-        <advanced>true</advanced>
-    </field>
+    <tab id="general-settings" description="General Settings">
+        <field>
+            <id>caddy.general.enabled</id>
+            <label>Enabled</label>
+            <type>checkbox</type>
+            <help><![CDATA[Enable or disable the Caddy web server.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsEmail</id>
+            <label>ACME Email</label>
+            <type>text</type>
+            <hint>info@example.com</hint>
+            <help><![CDATA[Enter the email address for certificate notifications. This is required to receive automatic certificates from "Let's Encrypt" and "ZeroSSL".]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsAutoHttps</id>
+            <label>Auto HTTPS</label>
+            <type>dropdown</type>
+            <help><![CDATA[Select the Auto HTTPS option. "On (default)" creates automatic certificates using "Let's Encrypt" or "ZeroSSL". "Off" turns all automatic certificate requests off.]]></help>
+        </field>
+    </tab>
+    <tab id="general-advanced" description="Advanced Settings">
+        <field>
+            <id>caddy.general.EnableLayer4</id>
+            <label>Enable Layer4</label>
+            <type>checkbox</type>
+            <help><![CDATA[Enable Layer4 support to stream TCP/UDP. This feature is in active developement and the configuration can break or change in the future. The Layer4 app matches before the HTTP app. Deactivating this option will remove all Layer4 functionality completely. More information: https://github.com/mholt/caddy-l4]]></help>
+        </field>
+        <field>
+            <id>caddy.general.DisableSuperuser</id>
+            <label>Disable Superuser</label>
+            <type>checkbox</type>
+            <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.HttpPort</id>
+            <label>HTTP Port</label>
+            <type>text</type>
+            <hint>80</hint>
+            <help><![CDATA[If the default HTTP port is changed to e.g. 8080, then a port forward from port 80 to 8080 is necessary to issue automatic certificates with the HTTP-01 challenge and serve clients the reverse proxied resources.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.HttpsPort</id>
+            <label>HTTPS Port</label>
+            <type>text</type>
+            <hint>443</hint>
+            <help><![CDATA[If the default HTTPS port is changed to e.g. 8443, then a port forward from port 443 to 8443 is necessary to issue automatic certificates with the TLS-ALPN-01 challenge and serve clients the reverse proxied resources.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.accesslist</id>
+            <label>Trusted Proxies</label>
+            <type>dropdown</type>
+            <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.abort</id>
+            <label>Abort Connections</label>
+            <type>checkbox</type>
+            <help><![CDATA[Abort all connections that don't have a matching Handle or Access List. This option does not conflict with "Let's Encrypt" or "ZeroSSL". Disable it for troubleshooting purposes, e.g., testing if the "Domain" works and the automatic certificate has been installed. For production use, enabling this option is recommended.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.GracePeriod</id>
+            <label>Grace Period</label>
+            <type>text</type>
+            <hint>10</hint>
+            <help><![CDATA[Defines the grace period for shutting down Caddy during a reload in seconds. During the grace period, no new connections are accepted, idle connections are closed, and active connections are impatiently waited upon to finish their requests. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close.]]></help>
+        </field>
+    </tab>
+    <tab id="general-logsettings" description="Log Settings">
+        <field>
+            <id>caddy.general.LogLevel</id>
+            <label>Log Level</label>
+            <type>dropdown</type>
+            <help><![CDATA[Select the minimum global Log Level. "INFO" is the default and should not be changed without a reason, as it displays the ACME Client messages for automatic certificates. This setting does not influence the HTTP Access logs; they always use "INFO", which is their lowest supported Log Level.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.LogCredentials</id>
+            <label>Log Credentials</label>
+            <type>checkbox</type>
+            <help><![CDATA[Log all cookies and authorization in HTTP request logging. Use this option combined with "HTTP Access Log" in a "Domain". Enable this option only for troubleshooting.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.LogAccessPlain</id>
+            <label>Log HTTP Access in JSON Format</label>
+            <type>checkbox</type>
+            <help><![CDATA[Log HTTP access in a standard JSON logfile per domain, e.g., for processing by CrowdSec. Use this option combined with "HTTP Access Log" in a "Domain". Enabling this will make the HTTP Access Log disappear from the standard Log File. Logs can be found in the filesystem at "/var/log/caddy/access/".]]></help>
+        </field>
+        <field>
+            <id>caddy.general.LogAccessPlainKeep</id>
+            <label>Keep HTTP Access JSON Logs for (days)</label>
+            <hint>10</hint>
+            <type>text</type>
+            <help><![CDATA[Specify how many days to keep the JSON access logs.]]></help>
+        </field>
+    </tab>
+    <tab id="general-dnsprovider" description="DNS Provider">
+        <field>
+            <id>caddy.general.TlsDnsProvider</id>
+            <label>DNS Provider</label>
+            <type>dropdown</type>
+            <help><![CDATA[Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is mostly needed for Wildcard Certificates, and for Dynamic DNS. To use, enable the checkbox in a "Domain" or "Subdomain". For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsApiKey</id>
+            <label>DNS API Standard Field</label>
+            <type>text</type>
+            <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token", Hetzner "api_token"]]></help>
+        </field>
+        <field>
+            <type>header</type>
+            <label>Additional Fields</label>
+            <collapse>true</collapse>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsSecretApiKey</id>
+            <label>DNS API Additional Field 1</label>
+            <type>text</type>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user".]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsOptionalField1</id>
+            <label>DNS API Additional Field 2</label>
+            <type>text</type>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "hosted_zone_id", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key".]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsOptionalField2</id>
+            <label>DNS API Additional Field 3</label>
+            <type>text</type>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server".]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsOptionalField3</id>
+            <label>DNS API Additional Field 4</label>
+            <type>text</type>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name".]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsOptionalField4</id>
+            <label>DNS API Additional Field 5</label>
+            <type>text</type>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "session_token".]]></help>
+        </field>
+        <field>
+            <type>header</type>
+            <label>DNS Propagation</label>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsPropagationResolvers</id>
+            <label>Resolvers</label>
+            <type>text</type>
+            <help><![CDATA[Leave empty to use the system resolvers (default). Resolvers customizes the DNS resolvers used when performing the DNS challenge; these take precedence over system resolvers or any default ones. If set here, the resolvers will propagate to all configured certificate issuers. If the system resolvers use DNS over TLS, setting an external resolver here is required or the DNS challenge will fail.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsPropagationTimeout</id>
+            <label>Disable Propagation Timeout</label>
+            <type>checkbox</type>
+            <help><![CDATA[Propagation Timeout is a duration value that sets the maximum time to wait for the DNS TXT records to appear when using the DNS challenge. The default is 2 minutes. Disabling this will set propagation_timeout to -1 (checking propagation infinitely) and additionally set a propagation_delay of 30s (wait time before starting propagation checks). This can help when the DNS Challenge continues to fail because the local DNS Server does not know the new DNS TXT records yet in the default timeframe of 2 minutes.]]></help>
+        </field>
+    </tab>
+    <tab id="general-dynamicdns" description="Dynamic DNS">
+        <field>
+            <id>caddy.general.DynDnsIpVersions</id>
+            <label>DynDns IP Version</label>
+            <type>dropdown</type>
+            <help><![CDATA[Select the DynDns IP Version: "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.DynDnsUpdateOnly</id>
+            <label>DynDns Update Only</label>
+            <type>checkbox</type>
+            <help><![CDATA[If enabled, no new DNS records will be created. Only existing records will be updated. This means that the A or AAAA records need to be created manually ahead of time.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.DynDnsInterval</id>
+            <label>DynDns Check Interval</label>
+            <type>text</type>
+            <hint>1800</hint>
+            <help><![CDATA[Set the interval in seconds to poll for changes in the IP address. Leave empty to use system defaults.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.DynDnsTtl</id>
+            <label>DynDns TTL</label>
+            <type>text</type>
+            <help><![CDATA[Set the TTL (Time to Live) for DNS records in seconds. Leave empty to use the default of an already existing TTL (when updating only) or the default of the provider API (when creating new records). If explicitely set, values should be as defined in rfc2181 section 8.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.DynDnsSimpleHttp</id>
+            <label>DynDns Check Http</label>
+            <type>text</type>
+            <help><![CDATA[Enter a URL to test the current IP address of the firewall via the HTTP protocol. This is generally not needed as Caddy uses default providers to test the current IP addresses. If a custom provider is preferred, enter the "https://" link to an IP address testing website.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.DynDnsInterface</id>
+            <label>DynDns Check Interface</label>
+            <type>dropdown</type>
+            <help><![CDATA[Select an interface to extract the current IP addresses of the firewall. This is generally not needed as Caddy uses default providers to test the current IP addresses. Depending on the specified DynDns IP Version, at most one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted.]]></help>
+        </field>
+    </tab>
+    <tab id="general-authprovider" description="Auth Provider">
+        <field>
+            <id>caddy.general.AuthProvider</id>
+            <label>Forward Auth Provider</label>
+            <type>dropdown</type>
+            <help><![CDATA[Select a Forward Auth Provider. It can be added inside a "Handler" by enabling the "Forward Auth" checkbox. For Authelia only the basic subdomain example is supported. More information: https://www.authelia.com/integration/proxies/caddy/#basic-examples. For Authentik custom headers are not supported. More information: https://docs.goauthentik.io/docs/providers/proxy/server_caddy]]></help>
+        </field>
+        <field>
+            <id>caddy.general.AuthToDomain</id>
+            <label>Forward Auth Domain</label>
+            <type>text</type>
+            <help><![CDATA[Enter the domain name or IP address of the chosen Forward Auth Provider.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.AuthToPort</id>
+            <label>Forward Auth Port</label>
+            <type>text</type>
+            <help><![CDATA[Enter the listen port of the chosen Forward Auth Provider.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.AuthToTls</id>
+            <label>TLS</label>
+            <type>checkbox</type>
+            <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the Forward Auth Provider.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.AuthToUri</id>
+            <label>Forward Auth URI</label>
+            <type>text</type>
+            <help><![CDATA[Enter the URI of the authz api endpoint.]]></help>
+        </field>
+    </tab>
+    <activetab>general-settings</activetab>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
deleted file mode 100644
index 7c0f1a5ace..0000000000
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/logsettings.xml
+++ /dev/null
@@ -1,27 +0,0 @@
-<form>
-    <field>
-        <id>caddy.general.LogLevel</id>
-        <label>Log Level</label>
-        <type>dropdown</type>
-        <help><![CDATA[Select the minimum global Log Level. "INFO" is the default and should not be changed without a reason, as it displays the ACME Client messages for automatic certificates. This setting does not influence the HTTP Access logs; they always use "INFO", which is their lowest supported Log Level.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.LogCredentials</id>
-        <label>Log Credentials</label>
-        <type>checkbox</type>
-        <help><![CDATA[Log all cookies and authorization in HTTP request logging. Use this option combined with "HTTP Access Log" in a "Domain". Enable this option only for troubleshooting.]]></help>
-    </field>
-    <field>
-        <id>caddy.general.LogAccessPlain</id>
-        <label>Log HTTP Access in JSON Format</label>
-        <type>checkbox</type>
-        <help><![CDATA[Log HTTP access in a standard JSON logfile per domain, e.g., for processing by CrowdSec. Use this option combined with "HTTP Access Log" in a "Domain". Enabling this will make the HTTP Access Log disappear from the standard Log File. Logs can be found in the filesystem at "/var/log/caddy/access/".]]></help>
-    </field>
-    <field>
-        <id>caddy.general.LogAccessPlainKeep</id>
-        <label>Keep HTTP Access JSON Logs for (days)</label>
-        <hint>10</hint>
-        <type>text</type>
-        <help><![CDATA[Specify how many days to keep the JSON access logs.]]></help>
-    </field>
-</form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 4b3e91a569..324e6069e1 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -61,6 +61,7 @@
                     <directadmin>DirectAdmin</directadmin>
                     <hosttech>Hosttech</hosttech>
                     <vultr>Vultr</vultr>
+                    <hetzner>Hetzner</hetzner>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField"/>
@@ -409,6 +410,7 @@
                     <Required>Y</Required>
                     <Default>tlssni</Default>
                     <OptionValues>
+                        <dns>DNS</dns>
                         <httphost>HTTP (Host Header)</httphost>
                         <postgres>Postgres</postgres>
                         <proxy_protocol>Proxy Protocol</proxy_protocol>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
index 40ac5e0fd9..259c6e141f 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
@@ -35,29 +35,24 @@
          * @param {string} displaySelector - jQuery selector for the element where data should be displayed.
          */
         function fetchAndDisplay(url, displaySelector) {
-            $.ajax({
-                url: url,
-                type: "GET",
-                success: function(response) {
-                    if (response.status === "success") {
-                        let formattedContent;
-                        if (typeof response.content === 'object') {
-                            // If the content is an object, stringify and format it
-                            formattedContent = JSON.stringify(response.content, null, 2);
-                        } else {
-                            // If the content is plain text (as with the Caddyfile), just use it directly
-                            formattedContent = response.content;
-                        }
-                        $(displaySelector).text(formattedContent);
+            ajaxGet(url, null, function(response, status) {
+                if (status === "success" && response.status === "success") {
+                    let formattedContent;
+                    if (typeof response.content === 'object') {
+                        // If the content is an object, stringify and format it
+                        formattedContent = JSON.stringify(response.content, null, 2);
                     } else {
-                        // If the response status is not 'success', display an error message
-                        $(displaySelector).text("{{ lang._('Failed to load content: ') }}" + response.message || "{{ lang._('Unknown error') }}");
+                        // If the content is plain text (as with the Caddyfile), just use it directly
+                        formattedContent = response.content;
                     }
-                },
-                error: function(xhr, status, error) {
-                    // Handle errors from the AJAX request itself
-                    $(displaySelector).text("{{ lang._('AJAX error accessing the API: ') }}" + error);
+                    $(displaySelector).text(formattedContent);
+                } else {
+                    // If the response status is not 'success', display an error message
+                    $(displaySelector).text("{{ lang._('Failed to load content: ') }}" + (response.message || "{{ lang._('Unknown error') }}"));
                 }
+            }).fail(function(xhr, status, error) {
+                // Handle errors from the AJAX request itself
+                $(displaySelector).text("{{ lang._('AJAX error accessing the API: ') }}" + error);
             });
         }
 
@@ -123,20 +118,14 @@
 
         // Event handler for the Validate Caddyfile button
         $('#validateCaddyfile').click(function() {
-            $.ajax({
-                url: '/api/caddy/service/validate',
-                type: 'GET',
-                dataType: 'json',
-                success: function(data) {
-                    if (data && data['status'].toLowerCase() === 'ok') {
-                        showDialogAlert(BootstrapDialog.TYPE_SUCCESS, "{{ lang._('Validation Successful') }}", data['message']);
-                    } else {
-                        showDialogAlert(BootstrapDialog.TYPE_WARNING, "{{ lang._('Validation Error') }}", data['message']);  // Show error message from the API
-                    }
-                },
-                error: function(xhr, status, error) {
-                    showDialogAlert(BootstrapDialog.TYPE_DANGER, "{{ lang._('Validation Request Failed') }}", error);  // Show AJAX error
+            ajaxGet('/api/caddy/service/validate', null, function(data, status) {
+                if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
+                    showDialogAlert(BootstrapDialog.TYPE_SUCCESS, "{{ lang._('Validation Successful') }}", data['message']);
+                } else {
+                    showDialogAlert(BootstrapDialog.TYPE_WARNING, "{{ lang._('Validation Error') }}", data['message']);  // Show error message from the API
                 }
+            }).fail(function(xhr, status, error) {
+                showDialogAlert(BootstrapDialog.TYPE_DANGER, "{{ lang._('Validation Request Failed') }}", error);  // Show AJAX error
             });
         });
 
@@ -144,23 +133,24 @@
 </script>
 
 <style>
+    .nav-tabs a {
+        font-weight: bold;
+    }
+
     .custom-style .content-box {
-        padding: 20px; /* Adds padding around the contents of each tab */
+        padding: 10px;
     }
 
     .custom-style .display-area {
         overflow-y: scroll;
-        /* Dynamic height management using clamp for varying screen sizes */
         height: clamp(50px, 50vh, 4000px);
-        margin-bottom: 20px; /* Adds bottom margin to separate from the help text */
+        margin: 10px;
+        padding: 10px;
+        margin-bottom: 20px;
     }
 
-    .custom-style .help-text {
-        margin-top: 10px;
-        margin-bottom: 20px;
-        line-height: 1.4;
-        /* Adjusting text size for readability on various displays */
-        font-size: clamp(12px, 1.5vw, 16px);
+    .custom-style .content-box .btn {
+        margin-left: 10px;
     }
 </style>
 
@@ -176,7 +166,6 @@
     <div id="caddyfileTab" class="tab-pane fade in active">
         <div class="content-box">
             <pre id="caddyfileDisplay" class="display-area"></pre>
-            <p class="help-text">{{ lang._("This is the generated configuration located at %sCaddyfile%s. It's the main configuration file to get support with. The validation button triggers a manual check for any configuration errors, which is the same check that is triggered by the Apply buttons automatically.") | format('<code>/usr/local/etc/caddy/', '</code>') }}</p>
             <button class="btn btn-primary download-btn" id="downloadCaddyfile" type="button">{{ lang._('Download') }}</button>
             <button class="btn btn-secondary" id="validateCaddyfile" type="button">{{ lang._('Validate Caddyfile') }}</button>
             <br/><br/>
@@ -186,7 +175,6 @@
     <div id="jsonConfigTab" class="tab-pane fade">
         <div class="content-box">
             <pre id="jsonDisplay" class="display-area"></pre>
-            <p class="help-text">{{ lang._("Shows the running Caddy configuration located in %sautosave.json%s. It is automatically adapted from the Caddyfile and also includes any custom imported configurations from %scaddy.d%s.") | format('<code>/var/db/caddy/config/caddy/', '</code>', '<code>/usr/local/etc/caddy/', '</code>') }}</p>
             <button class="btn btn-primary download-btn" id="downloadJSONConfig" type="button">{{ lang._('Download') }}</button>
             <br/><br/>
         </div>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index e226a83e3f..ef58bada00 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -24,254 +24,107 @@
  # POSSIBILITY OF SUCH DAMAGE.
  #}
 
-<script type="text/javascript">
+<script>
     $(document).ready(function() {
-        const data_get_map = {'frm_GeneralSettings':"/api/caddy/General/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
-
-            // Function to initialize form elements within a tab dynamically
-            function initializeFormElements(tabContent) {
-                $(tabContent).find('.selectpicker').selectpicker('refresh');
-            }
-
-            // Initialize the first tab
-            initializeFormElements('#generalTab');
-
-            // Handle tab changes
-            $('a[data-toggle="tab"]').on('shown.bs.tab', function(e) {
-                let targetTab = $(e.target).attr('href'); // Activated tab
-                initializeFormElements(targetTab);
-            });
-
-            // Function to show alerts in the HTML message area
-            function showAlert(message, type = "error") {
-                let alertClass = type === "error" ? "alert-danger" : "alert-success";
-                let messageArea = $("#messageArea");
-
-                // Stop any current animation, clear the queue, and immediately hide the element
-                messageArea.stop(true, true).hide();
-
-                // Now set the class and message
-                messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
-
-                // Use fadeIn to make the message appear smoothly, then fadeOut after a delay
-                messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
-                    // Clear the message after fading out to ensure it's clean for the next message
-                    $(this).html('');
-                });
-            }
+        // Initial setup
+        mapDataToFormUI({'frm_general': "/api/caddy/general/get"}).done(function() {
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('caddy');
+        });
 
-            // Hide message area when starting new actions
-            $('input, select, textarea').on('change', function() {
-                $("#messageArea").hide();
+        /**
+         * Displays an alert message to the user.
+         *
+         * @param {string} message - The message to display.
+         * @param {string} [type="error"] - The type of alert (error or success).
+         */
+        function showAlert(message, type = "error") {
+            const alertClass = type === "error" ? "alert-danger" : "alert-success";
+            const messageArea = $("#messageArea");
+            messageArea.stop(true, true).hide();
+            messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
+            messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
+                $(this).html('');
             });
-
-            // These fields do not need the validation workaround, they get their validation messages from core.
-            let validationExceptions = [
-                "caddy.general.enabled",
-                "caddy.general.EnableLayer4",
-                "caddy.general.DisableSuperuser",
-                "caddy.general.HttpPort",
-                "caddy.general.HttpsPort",
-                "caddy.general.TlsEmail",
-                "caddy.general.TlsAutoHttps",
-                "caddy.general.accesslist",
-                "caddy.general.abort",
-                "caddy.general.GracePeriod"
-            ];
-
-            // For all other fields that are in different tabs than the main form, append the validation message.
-            // Note: This is a workaround and generally not needed. Do not copy this.
-            function displayValidationErrors(errors) {
-                $(".error-message").remove();  // Clear previous error messages
-                $(".error-input").removeClass("error-input");
-                $(".error-label").removeClass("error-label");
-
-                for (let key in errors) {
-                    if (errors.hasOwnProperty(key) && !validationExceptions.includes(key)) {
-                        let jquerySafeKey = key.replace(/\./g, '\\.');  // Escape dots for jQuery ID selector
-                        let field = $('#' + jquerySafeKey);
-                        let label = $('#control_label_' + jquerySafeKey);
-                        let helpBlock = $('#help_block_' + jquerySafeKey);
-
-                        if (field.length !== 0) {
-                            field.addClass('error-input');
-                            label.addClass('error-label');
-                            let errorMessage = $('<div class="error-message">' + errors[key] + '</div>');
-                            helpBlock.html(errorMessage);  // append error message into help block
-                        }
-                    }
-                }
+        }
+
+        /**
+         * Manages the spinner icon.
+         * @param {string} generalId - The ID of the general form.
+         * @param {string} action - The action to perform ("start" or "stop").
+         */
+        function setSpinner(generalId, action) {
+            const $progressIcon = $("#" + generalId + "_progress");
+            if (action === 'start') {
+                $progressIcon.addClass("fa fa-spinner fa-pulse");
+            } else if (action === 'stop') {
+                $progressIcon.removeClass("fa fa-spinner fa-pulse");
             }
-
-            $('input, select, textarea').on('change', function() {
-                // Remove error styles when the user corrects the input
-                if($(this).hasClass('error-input')) {
-                    $(this).removeClass('error-input');
-                    let id = this.id.replace(/\./g, '\\.');
-                    let label = $('#control_label_' + id);
-                    label.removeClass('error-label');
-                    let helpBlock = $('#help_block_' + id);
-                    helpBlock.empty();
+        }
+
+        /**
+         * Reconfigures the service.
+         * @param {string} generalId - The ID of the general form (used for controlling the spinner).
+         */
+        function reconfigureService(generalId) {
+            ajaxCall("/api/caddy/service/reconfigure", {}, function(data, status) {
+                if (status !== "success" || data.status !== 'ok') {
+                    showAlert("{{ lang._('Error applying configuration: ') }}" + JSON.stringify(data), "error");
+                } else {
+                    showAlert("{{ lang._('Configuration applied successfully.') }}", "success");
+                    updateServiceControlUI('caddy');
                 }
+                setSpinner(generalId, 'stop');
+            }).fail(function() {
+                handleError("error", "{{ lang._('Reconfiguration request failed.') }}");
+                setSpinner(generalId, 'stop');
             });
-
-            // Reconfigure the Caddy service, additional form save and validation with a validation API is made beforehand
-            $("#reconfigureAct").SimpleActionButton({
-                onPreAction: function() {
-                    const dfObj = $.Deferred();
-
-                    // Save the form before continuing
-                    saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings',
-                        function() {  // callback_ok: What to do when save is successful
-                            // After successful save, proceed with validation
-                            $.ajax({
-                                url: "/api/caddy/service/validate",
-                                type: "GET",
-                                dataType: "json",
-                                success: function(data) {
-                                    if (data && data['status'].toLowerCase() === 'ok') {
-                                        dfObj.resolve(); // Configuration is valid
-                                    } else {
-                                        showAlert(data['message'], "{{ lang._('Validation Error') }}");
-                                        dfObj.reject(); // Configuration is invalid
-                                    }
-                                },
-                                error: function(xhr, status, error) {
-                                    showAlert("{{ lang._('Validation request failed: ') }}" + error, "{{ lang._('Validation Error') }}");
-                                    dfObj.reject(); // AJAX request failed
-                                }
-                            });
-                        },
-                        true, // disable_dialog: This has to be set explicitely so there actually is a callback_fail to catch the validation error.
-                        function(errorData) {  // callback_fail: What to do when save fails
-                            if (errorData.validations) {
-                                displayValidationErrors(errorData.validations);
-                            } else {
-                                showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
-                            }
-                            dfObj.reject(); // Reject the deferred object to stop the reconfigure action
-                        }
-                    );
-
-                    return dfObj.promise();
-                },
-                onAction: function(data, status) {
-                    if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                        // Configuration is valid and applied, possibly refresh UI or notify user
-                        showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
-                        updateServiceControlUI('caddy');
+        }
+
+        /**
+         * Centralizes error handling.
+         * @param {string} type - The type of error.
+         * @param {string} message - The error message.
+         */
+        function handleError(type, message) {
+            showAlert(message, type);
+        }
+
+        // Event binding for saving forms
+        $('[id*="save_general-"]').on('click', function() {
+            const generalId = this.form.id;
+            setSpinner(generalId, 'start');
+            saveFormToEndpoint("/api/caddy/general/set", generalId, function() {
+                // Validate Caddyfile after saving the form
+                ajaxGet("/api/caddy/service/validate", {}, function(data, status) {
+                    if (status === "success" && data && data.status.toLowerCase() === 'ok') {
+                        reconfigureService(generalId);
                     } else {
-                        // Handle errors or unsuccessful application
-                        showAlert("{{ lang._('An error occurred while applying the configuration.') }}", "{{ lang._('Error') }}");
+                        handleError("error", data.message || "{{ lang._('Validation Error') }}");
+                        setSpinner(generalId, 'stop');
                     }
-                }
-            });
-
-            $("#saveSettings").SimpleActionButton({
-                onAction: function() {
-                    const dfObj = $.Deferred();
-
-                    // Save the form before continuing
-                    saveFormToEndpoint("/api/caddy/general/set", 'frm_GeneralSettings',
-                        function() {  // callback_ok: What to do when save is successful
-                            showAlert("{{ lang._('Configuration saved successfully. Please do not forget to apply the configuration.') }}", "{{ lang._('Save Success') }}");
-                            dfObj.resolve();
-                        },
-                        true, // disable_dialog
-                        function(errorData) {  // callback_fail: What to do when save fails
-                            if (errorData.validations) {
-                                displayValidationErrors(errorData.validations);
-                            } else {
-                                showAlert("{{ lang._('Configuration save failed: ') }}" + (errorData.message || "{{ lang._('Validation Error') }}"), "{{ lang._('Error') }}");
-                            }
-                            dfObj.reject();
-                        }
-                    );
-
-                    return dfObj.promise();
-                },
+                }).fail(function() {
+                    handleError("error", "{{ lang._('Validation request failed.') }}");
+                    setSpinner(generalId, 'stop');
+                });
+            }, true, function(errorData) {
+                handleError("error", errorData.message || "{{ lang._('Validation Error') }}");
+                setSpinner(generalId, 'stop');
             });
-
-            // Initialize the service control UI for 'caddy'
-            updateServiceControlUI('caddy');
-
         });
     });
 </script>
 
-<style>
-    .error-message {
-        color: #E55451;
-        margin-left: 10px; /* Adjust spacing to the right of the input field */
-    }
-
-    .form-control.error-input {
-        border: 1px solid #E55451;
-        padding: 2px 8px;
-        box-sizing: border-box;
-    }
-
-    .error-label {
-        color: #E55451;
-    }
-</style>
-
-<!-- Tab Navigation -->
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#generalTab">{{ lang._('General') }}</a></li>
-    <li><a data-toggle="tab" href="#dnsProviderTab">{{ lang._('DNS Provider') }}</a></li>
-    <li><a data-toggle="tab" href="#dynamicDnsTab">{{ lang._('Dynamic DNS') }}</a></li>
-    <li><a data-toggle="tab" href="#authProviderTab">{{ lang._('Auth Provider') }}</a></li>
-    <li><a data-toggle="tab" href="#logSettingsTab">{{ lang._('Log Settings') }}</a></li>
+<!-- General Tab -->
+<ul id="generalTabsHeader" class="nav nav-tabs" role="tablist">
+    {{ partial("layout_partials/base_tabs_header", ['formData': generalForm]) }}
 </ul>
 
-<!-- Tab Content
-     Note: Do not copy this tab layout, it uses the same form id "frm_GeneralSettings". It works, but has problems with validation messages.
-     To fix this issue a custom displayValidationErrors function is used, that appends the messages to all keys. -->
-<div class="tab-content content-box">
-    <!-- General Tab -->
-    <div id="generalTab" class="tab-pane fade in active">
-        {{ partial("layout_partials/base_form", ['fields': generalForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
-    </div>
-    <!-- DNS Provider Tab -->
-    <div id="dnsProviderTab" class="tab-pane fade">
-        {{ partial("layout_partials/base_form", ['fields': dnsproviderForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
-    </div>
-    <!-- Dynamic DNS Tab -->
-    <div id="dynamicDnsTab" class="tab-pane fade">
-        {{ partial("layout_partials/base_form", ['fields': dynamicdnsForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
-    </div>
-    <!-- Auth Provider Tab -->
-    <div id="authProviderTab" class="tab-pane fade">
-        {{ partial("layout_partials/base_form", ['fields': authproviderForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
-    </div>
-    <!-- Log Settings Tab -->
-    <div id="logSettingsTab" class="tab-pane fade">
-        {{ partial("layout_partials/base_form", ['fields': logsettingsForm, 'action': '/ui/caddy/general', 'id': 'frm_GeneralSettings']) }}
-    </div>
-</div>
-
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <br/>
-            <!-- Reconfigure Button with Pre-Action -->
-            <button class="btn btn-primary" id="reconfigureAct"
-                    data-endpoint="/api/caddy/service/reconfigure"
-                    data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring Caddy') }}"
-                    type="button"
-            ></button>
-            <button class="btn btn-primary" id="saveSettings"
-                    data-endpoint="/api/caddy/general/set"
-                    data-label="{{ lang._('Save') }}"
-                    type="button"
-                    style="margin-left: 2px;"
-            >{{ lang._('Save') }}</button>
-            <br/><br/>
-            <!-- Message Area for error/success messages -->
+<div id="generalTabsContent" class="content-box tab-content">
+    {{ partial("layout_partials/base_tabs_content", ['formData': generalForm]) }}
+    <!-- Message Area for error/success messages -->
+    <div style="max-width: 98%; margin: 10px auto;">
         <div id="messageArea" class="alert alert-info" style="display: none;"></div>
-        </div>
     </div>
-</section>
+</div>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index f16163bebd..b56cba21fc 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -26,16 +26,6 @@
 
 <script>
     $(document).ready(function() {
-
-        // Function to handle the search filter request modification
-        function addDomainFilterToRequest(request) {
-            let selectedDomains = $('#reverseFilter').val();
-            if (selectedDomains && selectedDomains.length > 0) {
-                request['reverseUuids'] = selectedDomains.join(',');
-            }
-            return request;
-        }
-
         // Bootgrid Setup
         $("#reverseProxyGrid").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchReverseProxy/',
@@ -106,24 +96,124 @@
             del:'/api/caddy/ReverseProxy/delHeader/',
         });
 
-        // Function to show alerts in the HTML message area
+        /**
+         * Modifies the search request to include domain filter.
+         *
+         * @param {Object} request - The original request object.
+         * @returns {Object} The modified request object with domain filter.
+         */
+        function addDomainFilterToRequest(request) {
+            let selectedDomains = $('#reverseFilter').val();
+            if (selectedDomains && selectedDomains.length > 0) {
+                request['reverseUuids'] = selectedDomains.join(',');
+            }
+            return request;
+        }
+
+        /**
+         * Displays an alert message to the user.
+         *
+         * @param {string} message - The message to display.
+         * @param {string} [type="error"] - The type of alert (error or success).
+         */
         function showAlert(message, type = "error") {
-            let alertClass = type === "error" ? "alert-danger" : "alert-success";
-            let messageArea = $("#messageArea");
+            const alertClass = type === "error" ? "alert-danger" : "alert-success";
+            const messageArea = $("#messageArea");
 
-            // Stop any current animation, clear the queue, and immediately hide the element
             messageArea.stop(true, true).hide();
-
-            // Now set the class and message
             messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
-
-            // Use fadeIn to make the message appear smoothly, then fadeOut after a delay
             messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
-                // Clear the message after fading out to ensure it's clean for the next message
                 $(this).html('');
             });
         }
 
+        /**
+         * Loads domain filters from the server and populates the filter dropdown.
+         */
+        function loadDomainFilters() {
+            ajaxGet('/api/caddy/ReverseProxy/getAllReverseDomains', null, function(data, status) {
+                let select = $('#reverseFilter');
+                select.empty(); // Clear current options
+                if (status === "success" && data && data.rows) {
+                    data.rows.forEach(function(item) {
+                        select.append($('<option>').val(item.id).text(item.domainPort));
+                    });
+                } else {
+                    select.html('<option value="">{{ lang._('Failed to load data') }}</option>');
+                }
+                select.selectpicker('refresh'); // Refresh selectpicker to update the UI
+            }).fail(function() {
+                $('#reverseFilter').html('<option value="">{{ lang._('Failed to load data') }}</option>').selectpicker('refresh');
+            });
+        }
+
+        /**
+         * Controls the visibility of the selectpicker for domain filtering.
+         *
+         * @param {string} tab - The currently active tab.
+         */
+        function toggleSelectPicker(tab) {
+            if (tab === 'handlesTab' || tab === 'domainsTab' || tab === 'subdomainsTab') {
+                $('.common-filter').show();
+            } else {
+                $('.common-filter').hide();
+            }
+        }
+
+        /**
+         * Controls the visibility of add buttons based on the active tab.
+         *
+         * @param {string} tab - The currently active tab.
+         */
+        function toggleButtonVisibility(tab) {
+            if (tab === 'handlesTab' || tab === 'domainsTab') {
+                $("#addDomainBtn").show();
+                $("#addHandleBtn").show();
+            } else {
+                $("#addDomainBtn").hide();
+                $("#addHandleBtn").hide();
+            }
+        }
+
+        /**
+         * Initializes tabs by fetching data and setting visibility.
+         */
+        function initializeTabs() {
+            ajaxGet('/api/caddy/reverse_proxy/get', null, function(response, status) {
+                if (status === "success" && response) {
+                    // Check for wildcards in domains to toggle Subdomains tab
+                    const hasWildcard = Object.values(response.caddy.reverseproxy.reverse).some(entry => entry.FromDomain.startsWith('*'));
+                    toggleTabVisibility('#tab-subdomains', hasWildcard);
+
+                    // Check if Layer 4 is enabled to toggle the Layer 4 tab
+                    const enableLayer4 = response.caddy.general.EnableLayer4 === '1';
+                    toggleTabVisibility('#tab-layer4', enableLayer4);
+                } else {
+                    showAlert("{{ lang._('Failed to load data from /api/caddy/reverse_proxy/get') }}", "error");
+                }
+            }).fail(function() {
+                showAlert("{{ lang._('Failed to load data from /api/caddy/reverse_proxy/get') }}", "error");
+            });
+        }
+
+        /**
+         * Toggles the visibility of a specific tab.
+         *
+         * @param {string} tabSelector - The jQuery selector for the tab.
+         * @param {boolean} visible - Whether the tab should be visible.
+         */
+        function toggleTabVisibility(tabSelector, visible) {
+            let tab = $(tabSelector);
+            if (visible) {
+                tab.show();
+            } else {
+                tab.hide();
+                if (tab.hasClass('active')) {
+                    $('#tab-domains a').tab('show');
+                }
+            }
+        }
+
         // Hide message area when starting new actions
         $('input, select, textarea').on('change', function() {
             $("#messageArea").hide();
@@ -135,25 +225,19 @@
                 const dfObj = new $.Deferred();
 
                 // Perform configuration validation
-                $.ajax({
-                    url: "/api/caddy/service/validate",
-                    type: "GET",
-                    dataType: "json",
-                    success: function(data) {
-                        if (data && data['status'].toLowerCase() === 'ok') {
-                            // If configuration is valid, resolve the Deferred object to proceed
-                            dfObj.resolve();
-                        } else {
-                            // If configuration is invalid, show alert and reject the Deferred object
-                            showAlert(data['message'], "{{ lang._('Validation Failed') }}");
-                            dfObj.reject();
-                        }
-                    },
-                    error: function(xhr, status, error) {
-                        // On AJAX error, show alert and reject the Deferred object
-                        showAlert("{{ lang._('Validation request failed: ') }}" + error, "{{ lang._('Error') }}");
+                ajaxGet("/api/caddy/service/validate", null, function(data, status) {
+                    if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
+                        // If configuration is valid, resolve the Deferred object to proceed
+                        dfObj.resolve();
+                    } else {
+                        // If configuration is invalid, show alert and reject the Deferred object
+                        showAlert(data['message'], "error");
                         dfObj.reject();
                     }
+                }).fail(function(xhr, status, error) {
+                    // On AJAX error, show alert and reject the Deferred object
+                    showAlert("{{ lang._('Validation request failed: ') }}" + error, "error");
+                    dfObj.reject();
                 });
 
                 return dfObj.promise();
@@ -165,39 +249,13 @@
                     // Update the service control UI for 'caddy'
                     updateServiceControlUI('caddy');
                     // Update the Tab visibility
-                    initializeTabs()
+                    initializeTabs();
                 } else {
-                    console.error("{{ lang._('Action was not successful or an error occurred:') }}", data);
+                    showAlert("{{ lang._('Action was not successful or an error occurred.') }}", "error");
                 }
             }
         });
 
-        // Initialize the service control UI for 'caddy'
-        updateServiceControlUI('caddy');
-
-        // Filter function for domains
-        function loadDomainFilters() {
-            $.ajax({
-                url: '/api/caddy/ReverseProxy/getAllReverseDomains', // custom API endpoint to get uuid and domainport combinations
-                type: 'GET',
-                dataType: 'json',
-                success: function(data) {
-                    let select = $('#reverseFilter');
-                    select.empty(); // Clear current options
-                    if (data && data.rows) {
-                        data.rows.forEach(function(item) {
-                            select.append($('<option>').val(item.id).text(item.domainPort));
-                        });
-                    }
-                    select.selectpicker('refresh'); // Refresh selectpicker to update the UI
-                },
-                error: function() {
-                    $('#reverseFilter').html('<option value="">{{ lang._('Failed to load data') }}</option>').selectpicker('refresh');
-                }
-            });
-        }
-        loadDomainFilters();
-
         // Reload Bootgrid on filter change
         $('#reverseFilter').on('changed.bs.select', function() {
             $("#reverseProxyGrid").bootgrid("reload");
@@ -205,23 +263,16 @@
             $("#reverseHandleGrid").bootgrid("reload");
         });
 
-        // Control the visibility of selectpicker for filter by domain
-        function toggleSelectPicker(tab) {
-            if (tab === 'handlesTab' || tab === 'domainsTab' || tab === 'subdomainsTab') {
-                $('.common-filter').show();
-            } else {
-                $('.common-filter').hide();
-            }
-        }
-
         // Initialize visibility based on the active tab on page load
         let activeTab = $('#maintabs .active a').attr('href').replace('#', '');
         toggleSelectPicker(activeTab);
+        toggleButtonVisibility(activeTab);
 
         // Change event when switching tabs
         $('#maintabs a').on('click', function (e) {
             let currentTab = $(this).attr('href').replace('#', '');
             toggleSelectPicker(currentTab);
+            toggleButtonVisibility(currentTab);
         });
 
         // Add click event listener for "Add HTTP Handler" button
@@ -248,50 +299,17 @@
             }
         });
 
-        // Perform an API call to get data and check tabs' visibility on initial load
-        function initializeTabs() {
-            $.ajax({
-                url: '/api/caddy/reverse_proxy/get',
-                type: 'GET',
-                dataType: 'json',
-                success: function(response) {
-                    // Check for wildcards in domains to toggle Subdomains tab
-                    const hasWildcard = Object.values(response.caddy.reverseproxy.reverse).some(entry => entry.FromDomain.startsWith('*'));
-                    toggleTabVisibility('#tab-subdomains', hasWildcard);
-
-                    // Check if Layer 4 is enabled to toggle the Layer 4 tab
-                    const enableLayer4 = response.caddy.general.EnableLayer4 === '1';
-                    toggleTabVisibility('#tab-layer4', enableLayer4);
-                },
-                error: function() {
-                    console.error("{{ lang._('Failed to load data from /api/caddy/reverse_proxy/get') }}");
-                }
-            });
-        }
-
-        // Generic function to show or hide a tab and switch to another tab if the current one is hidden
-        function toggleTabVisibility(tabSelector, visible) {
-            let tab = $(tabSelector);
-            if (visible) {
-                tab.show();
-            } else {
-                tab.hide();
-                // Switch to 'Domains' tab if the currently active tab is being hidden
-                if (tab.hasClass('active')) {
-                    $('#tab-domains a').tab('show');
-                }
-            }
-        }
-
-        // Initialize tabs on load
+        // Initialize tabs, service control and filter selectpicker
         initializeTabs();
+        updateServiceControlUI('caddy');
+        loadDomainFilters();
 
     });
 </script>
 
 <style>
     .common-filter {
-        text-align: right;
+        align-items: center;
         margin-top: 20px;
         margin-right: 5px;
         padding: 0 15px;  // Align with the tables
@@ -302,6 +320,10 @@
         font-style: italic;
     }
 
+    .nav-tabs a {
+        font-weight: bold;
+    }
+
 </style>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
@@ -358,7 +380,7 @@
                         <tr>
                             <td></td>
                             <td>
-                                <button id="addReverseProxyBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button id="addReverseProxyBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
                                 <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                             </td>
                         </tr>
@@ -394,7 +416,7 @@
                         <tr>
                             <td></td>
                             <td>
-                                <button id="addSubdomainBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button id="addSubdomainBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
                                 <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                             </td>
                         </tr>
@@ -441,7 +463,7 @@
                         <tr>
                             <td></td>
                             <td>
-                                <button id="addReverseHandleBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button id="addReverseHandleBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
                                 <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                             </td>
                         </tr>
@@ -476,7 +498,7 @@
                         <tr>
                             <td></td>
                             <td>
-                                <button id="addAccessListBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button id="addAccessListBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
                                 <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                             </td>
                         </tr>
@@ -504,7 +526,7 @@
                         <tr>
                             <td></td>
                             <td>
-                                <button id="addBasicAuthBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button id="addBasicAuthBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
                                 <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                             </td>
                         </tr>
@@ -537,7 +559,7 @@
                         <tr>
                             <td></td>
                             <td>
-                                <button id="addReverseHeaderBtn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button id="addReverseHeaderBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
                                 <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                             </td>
                         </tr>
@@ -574,7 +596,7 @@
                         <tr>
                             <td></td>
                             <td>
-                                <button id="addReverseLayer4Btn" data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                                <button id="addReverseLayer4Btn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
                                 <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                             </td>
                         </tr>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
index 94df27ca0e..52b715a7e2 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
@@ -24,7 +24,7 @@
     {% endif %}
     {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
     {% endif %}
-    {% if dnsOptionalField1 %}max_retries {{ dnsOptionalField1 }}
+    {% if dnsOptionalField1 %}hosted_zone_id {{ dnsOptionalField1 }}
     {% endif %}
     {% if dnsOptionalField2 %}profile {{ dnsOptionalField2 }}
     {% endif %}

From 0e03ffbd6ff8b8e0f7a10899a0c9ed821b6f8cf0 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 3 Sep 2024 07:08:28 +0200
Subject: [PATCH 2072/3088] www/caddy: Refactor Caddyfile template to make it
 more dry (#4211)

* www/caddy: Refactor Caddyfile to make it more dry. All prior functionality remains the same.

* www/caddy: Fix typo in TlsInsecureSkipVerify
---
 .../templates/OPNsense/Caddy/Caddyfile        | 296 +++++++-----------
 1 file changed, 107 insertions(+), 189 deletions(-)

diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 673fd397c0..0ca5f257f4 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -275,34 +275,28 @@
 
 {#
 #   Section: HTTP-01 Challenge Redirection
-#   Purpose: A small premade reverse_proxy section
-#            that can redirect the HTTP-01 challenge to a different webserver.
+#   Purpose: Redirects HTTP-01 challenges to a different webserver for reverse proxies and subdomains.
 #}
+{% macro http01_challenge_redirection(domain, acme_passthrough) %}
+http://{{ domain }} {
+    handle /.well-known/acme-challenge/* {
+        reverse_proxy {{ acme_passthrough }}
+    }
+    handle {
+        redir https://{host}{uri} 308
+    }
+}
+{% endmacro %}
+
 {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
     {% if reverse.enabled|default("0") == "1" and reverse.AcmePassthrough %}
-        # HTTP-01 challenge redirection for domain: "{{ reverse['@uuid'] }}"
-        http://{{ reverse.FromDomain|default("") }} {
-            handle /.well-known/acme-challenge/* {
-                reverse_proxy {{ reverse.AcmePassthrough }}
-            }
-            handle {
-                redir https://{host}{uri} 308
-            }
-        }
+        {{ http01_challenge_redirection(reverse.FromDomain|default(""), reverse.AcmePassthrough) }}
     {% endif %}
 {% endfor %}
-{# Process redirection for subdomains afterwards, since a redirection of a wildcard domain has to match before them. #}
+
 {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
     {% if subdomain.enabled|default("0") == "1" and subdomain.AcmePassthrough %}
-        # HTTP-01 challenge redirection for subdomain: "{{ subdomain['@uuid'] }}"
-        http://{{ subdomain.FromDomain|default("") }} {
-            handle /.well-known/acme-challenge/* {
-                reverse_proxy {{ subdomain.AcmePassthrough }}
-            }
-            handle {
-                redir https://{host}{uri} 308
-            }
-        }
+        {{ http01_challenge_redirection(subdomain.FromDomain|default(""), subdomain.AcmePassthrough) }}
     {% endif %}
 {% endfor %}
 
@@ -399,24 +393,9 @@
 
 {#
 #   Macro: reverse_proxy_configuration
-#   Purpose: Sets up the handle with the reverse proxy configurations. The TLS Settings are generated here for the Upstream.
-#   Integrated Macros: header_manipulation
+#   Purpose: Sets up the handle with the reverse proxy configurations.
 #   Parameters:
-#   @param handle (object):
-#       - @uuid (string)
-#       - HandleType (string): Specifies the handling strategy.
-#       - HandlePath (string, optional): The path the handle should match on.
-#       - ToDomain (string): Target domain for the reverse proxy.
-#       - ToPort (string, optional): Target port on the ToDomain.
-#       - ToPath (string, optional): Destination path on the ToDomain.
-#       - HttpTls (boolean, optional): Enable TLS for the connection.
-#       - HttpNtlm (boolean, optional): Enable NTLM authentication for the connection. Not all HTTP options apply to NTLM.
-#       - HttpTlsInsecureSkipVerify (boolean, optional): If true, the server's SSL certificate is not verified.
-#       - HttpTlsTrustedCaCerts (string, optional): The config extracted name of a CA certificate.
-#       - HttpTlsServerName (string, optional): Specifies the server name for the TLS handshake.
-#       - PassiveHealthFailDuration (integer, optional): Enables passive health checks when set > 0.
-#       - HttpVersion (string, optional): Choose HTTP version. Empty (default) is 1.1 and 2.
-#       - HttpKeepalive (string, optional): Keeaplive is either off (0) or a value. Empty (default) 120s.
+#   @param handle (object)
 #}
 {% macro reverse_proxy_configuration(handle) %}
     {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
@@ -436,27 +415,15 @@
             {% if handle.PassiveHealthFailDuration|default("") %}
                 fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}
-            {% if handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName or handle.HttpVersion or handle.HttpKeepalive %}
+            {% set has_transport_options = handle.HttpVersion or handle.HttpKeepalive or handle.HttpTls|default("0") == "1" or handle.HttpTlsesecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName %}
+            {% if has_transport_options %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {
-                    {% if handle.HttpTls|default("0") == "1" %}
-                        tls
-                    {% endif %}
-                    {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
-                        tls_insecure_skip_verify
-                    {% endif %}
-                    {% if handle.HttpTlsTrustedCaCerts %}
-                        tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
-                    {% endif %}
-                    {% if handle.HttpTlsServerName %}
-                        tls_server_name {{ handle.HttpTlsServerName }}
-                    {% endif %}
-                }
                 {% else %}
                 transport http {
-                    {# The model does not allow to set a single number as option directly, so we have to map them. #}
-                    {% set version_map = {'http1': 1.1, 'http2': 2, 'http3': 3} %}
+                {% endif %}
                     {% if handle.HttpVersion %}
+                        {% set version_map = {'http1': 1.1, 'http2': 2, 'http3': 3} %}
                         versions {{ version_map[handle.HttpVersion] }}
                     {% endif %}
                     {% if handle.HttpKeepalive %}
@@ -479,43 +446,42 @@
                         tls_server_name {{ handle.HttpTlsServerName }}
                     {% endif %}
                 }
-                {% endif %}
             {% endif %}
         }
     }
 {% endmacro %}
 
 {#
-#   Macro: access_list_configuration
-#   Purpose: Defines access lists based on client IP addresses. The standard logic is "allow these IP addresses, deny all others."
-#            A handle with an @ matcher is created that will put the reverse_proxy_configuration inside. That means, the traffic will
-#            only get to the reverse proxy, when the access list matches. Invert is also possible, to explicitely deny IPs.
-#            The assembly is handled by the "Section: Reverse Proxy Configurations".
+#   Macro: handle_accesslist
+#   Purpose: Manages the logic for access lists, including configuration and handling.
 #   Parameters:
-#   @param accesslist (object):
-#       - uuid (string)
-#       - clientIps (string): A comma-separated list of client IP addresses
-#       - invert (boolean): A flag that inverts the logic of the access list
+#   @param accesslist (string): The UUID of the access list to be applied.
+#   @param content (string): The content to be wrapped in the access list handler.
+#   @param invert (boolean): A flag that inverts the logic of the access list.
 #}
-{% macro access_list_configuration(accesslist, invert) %}
-    {% set client_ips = accesslist.clientIps.split(',') %}
-    {% set client_ips_space_separated = client_ips | join(' ') %}
-    @{{ accesslist['@uuid'] }} {
-        {{ 'not' if invert else '' }} client_ip {{ client_ips_space_separated }}
-    }
+{% macro handle_accesslist(accesslist, content, invert=false) %}
+    {% if accesslist %}
+        {% set accesslist_obj = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', accesslist) | first %}
+        {% set client_ips = accesslist_obj.clientIps.split(',') %}
+        {% set client_ips_space_separated = client_ips | join(' ') %}
+        @{{ accesslist_obj['@uuid'] }} {
+            {{ 'not' if invert or accesslist_obj.accesslistenvert|default("0") == "1" else '' }} client_ip {{ client_ips_space_separated }}
+        }
+        handle @{{ accesslist_obj['@uuid'] }} {
+            {{ content }}
+        }
+    {% else %}
+        {{ content }}
+    {% endif %}
 {% endmacro %}
 
 {#
-#   Macro: basicauth_configuration
-#   Purpose: Implements basic authentication with a username and password for access.
+#   Macro: render_basic_auth
+#   Purpose: Renders the basic authentication configuration.
 #   Parameters:
-#   @param basicauth_uuids (string): A comma-separated list of UUIDs, each UUID corresponding to
-#                                     a specific user credentials (username and password).
-#       - @uuid (string)
-#       - basicauthuser (string): The username required for authentication.
-#       - basicauthpass (string): The password associated with the username.
+#   @param basicauth_uuids (string): A comma-separated list of UUIDs for basic authentication.
 #}
-{% macro basicauth_configuration(basicauth_uuids) %}
+{% macro render_basic_auth(basicauth_uuids) %}
     {% if basicauth_uuids %}
     basic_auth {
         {% for uuid in basicauth_uuids.split(',') %}
@@ -528,24 +494,64 @@
     {% endif %}
 {% endmacro %}
 
+{#
+#   Macro: handle_response
+#   Purpose: Manages the response logic for access lists and aborts.
+#   Parameters:
+#   @param accesslist (object): The access list object containing response settings.
+#   @param general_abort (string): The global abort setting.
+#}
+{% macro handle_response(accesslist, general_abort) %}
+    {% if accesslist %}
+        {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
+            respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
+        {% elif general_abort == "1" %}
+            abort
+        {% endif %}
+    {% elif general_abort == "1" %}
+        abort
+    {% endif %}
+{% endmacro %}
+
+{#
+#   Macro: render_handles
+#   Purpose: Renders the handles in the correct order (path-specific first, then catch-all),
+#            including basic authentication configuration.
+#   Parameters:
+#   @param handles (list): A list of handle objects to be rendered.
+#   @param basicauth_uuids (string): A comma-separated list of UUIDs for basic authentication.
+#}
+{% macro render_handles(handles, basicauth_uuids=None) %}
+    {{ render_basic_auth(basicauth_uuids) }}
+    {% for handle in handles %}
+        {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
+            {{ reverse_proxy_configuration(handle) }}
+        {% endif %}
+    {% endfor %}
+    {% for handle in handles %}
+        {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
+            {{ reverse_proxy_configuration(handle) }}
+        {% endif %}
+    {% endfor %}
+{% endmacro %}
+
 {#
 #   Section: Reverse Proxy Configurations
 #   Purpose: Assembles reverse proxy configurations using predefined macros.
 #            This is the main logic of the whole template, handle with care.
 #   Macros Used:
-#   - tls_configuration
-#   - basicauth_configuration
-#   - access_list_configuration
-#   - reverse_proxy_configuration
-#   - indirect: header_manipulation
+#   - tls_configuration: Configures TLS settings for the domain.
+#   - handle_accesslist: Manages the logic for access lists, including configuration.
+#   - render_handles: Renders the handles in the correct order, including basic authentication.
+#   - reverse_proxy_configuration: Sets up the handle with reverse proxy configurations.
+#   - handle_response: Manages the response logic for access lists and aborts.
 #   Important Details:
-#   - Order of Path specific Handles - Prioritizes order of specific path handles over catch-all handles.
+#   - Order of Path specific Handles: Prioritizes order of specific path handles over catch-all handles.
 #   - Order of Wildcard Domains and Subdomains: Handles for wildcard domains come after all subdomains.
 #}
 {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
     {% if reverse.enabled|default("0") == "1" %}
         # Reverse Proxy Domain: "{{ reverse['@uuid'] }}"
-        {# The default are encrypted connections, uncencrypted connections have to render http:// #}
         {% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ reverse.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
             {% if reverse.AccessLog|default("0") == "1" %}
                 {% if generalSettings.LogAccessPlain|default("0") == "0" %}
@@ -560,8 +566,6 @@
             {% endif %}
             {% set customCert = reverse.CustomCertificate|default("") %}
             {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
-            {% set tlsDnsPropagationTimeout = generalSettings.TlsDnsPropagationTimeout %}
-            {% set tlsDnsPropagationResolvers = generalSettings.TlsDnsPropagationResolvers %}
             {{ tls_configuration(
                 customCert,
                 dnsChallenge,
@@ -572,122 +576,36 @@
                 tlsDnsOptionalField2,
                 tlsDnsOptionalField3,
                 tlsDnsOptionalField4,
-                tlsDnsPropagationTimeout,
-                tlsDnsPropagationResolvers
+                generalSettings.TlsDnsPropagationTimeout,
+                generalSettings.TlsDnsPropagationResolvers
             ) }}
 
-            {% if not reverse.accesslist %}
-                {% set basicauth_uuids = reverse.basicauth %}
-                {{ basicauth_configuration(basicauth_uuids) }}
-            {% endif %}
-
             {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
                 {% if subdomain.enabled|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
                     @{{ subdomain['@uuid'] }} {
                         host {{ subdomain.FromDomain }}
                     }
                     handle @{{ subdomain['@uuid'] }} {
-
-                        {% if not subdomain.accesslist %}
-                            {% set subdomain_basicauth_uuids = subdomain.basicauth %}
-                            {{ basicauth_configuration(subdomain_basicauth_uuids) }}
-                        {% endif %}
-
-                        {% if subdomain.accesslist %}
-                            {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', subdomain.accesslist) | first %}
-                            {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
-                            handle @{{ accesslist['@uuid'] }} {
-
-                                {% set subdomain_basicauth_uuids = subdomain.basicauth %}
-                                {{ basicauth_configuration(subdomain_basicauth_uuids) }}
-
-                                {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
-                                {% for handle in subdomain_handles %}
-                                    {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
-                                        {{ reverse_proxy_configuration(handle) }}
-                                    {% endif %}
-                                {% endfor %}
-                            {% for handle in subdomain_handles %}
-                                {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
-                                    {{ reverse_proxy_configuration(handle) }}
-                                {% endif %}
-                            {% endfor %}
-                            }
-                        {% else %}
-                            {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
-                            {% for handle in subdomain_handles %}
-                                {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
-                                    {{ reverse_proxy_configuration(handle) }}
-                                {% endif %}
-                            {% endfor %}
-                            {% for handle in subdomain_handles %}
-                                {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
-                                    {{ reverse_proxy_configuration(handle) }}
-                                {% endif %}
-                            {% endfor %}
-                        {% endif %}
-
-                        {% if subdomain.accesslist %}
-                            {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
-                                respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
-                            {% elif Pischem.caddy.general.abort|default("0") == "1" %}
-                                abort
-                            {% endif %}
-                        {% else %}
-                            {% if Pischem.caddy.general.abort|default("0") == "1" %}
-                                abort
-                            {% endif %}
-                        {% endif %}
+                        {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
+                        {% set subdomain_content %}
+                            {{ render_handles(subdomain_handles, subdomain.basicauth) }}
+                        {% endset %}
+                        {{ handle_accesslist(subdomain.accesslist, subdomain_content) }}
+
+                        {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', subdomain.accesslist) | first %}
+                        {{ handle_response(accesslist, Pischem.caddy.general.abort|default("0")) }}
                     }
                 {% endif %}
             {% endfor %}
 
-            {% if reverse.accesslist %}
-                {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
-                {{ access_list_configuration(accesslist, accesslist.accesslistInvert|default("0") == "1") }}
-                handle @{{ accesslist['@uuid'] }} {
-
-                    {% set basicauth_uuids = reverse.basicauth %}
-                    {{ basicauth_configuration(basicauth_uuids) }}
-
-                    {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
-                        {% for handle in wildcard_handles %}
-                            {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
-                                {{ reverse_proxy_configuration(handle) }}
-                            {% endif %}
-                        {% endfor %}
-                    {% for handle in wildcard_handles %}
-                        {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
-                            {{ reverse_proxy_configuration(handle) }}
-                        {% endif %}
-                    {% endfor %}
-                }
-            {% else %}
-                {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
-                {% for handle in wildcard_handles %}
-                    {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
-                        {{ reverse_proxy_configuration(handle) }}
-                    {% endif %}
-                {% endfor %}
-                {% for handle in wildcard_handles %}
-                    {% if handle.enabled|default("0") == "1" and not handle.HandlePath %}
-                        {{ reverse_proxy_configuration(handle) }}
-                    {% endif %}
-                {% endfor %}
-            {% endif %}
+            {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
+            {% set wildcard_content %}
+                {{ render_handles(wildcard_handles, reverse.basicauth) }}
+            {% endset %}
+            {{ handle_accesslist(reverse.accesslist, wildcard_content) }}
 
             {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
-            {% if accesslist %}
-                {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
-                    respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
-                {% elif Pischem.caddy.general.abort|default("0") == "1" %}
-                    abort
-                {% endif %}
-            {% else %}
-                {% if Pischem.caddy.general.abort|default("0") == "1" %}
-                    abort
-                {% endif %}
-            {% endif %}
+            {{ handle_response(accesslist, Pischem.caddy.general.abort|default("0")) }}
         }
     {% endif %}
 {% endfor %}

From 416faefa752702b70a7f8a3ba8d43a3a1d345670 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 3 Sep 2024 14:30:12 +0200
Subject: [PATCH 2073/3088] devel/helloworld - upgrade to latest standards.

---
 .../HelloWorld/Api/ServiceController.php      | 13 ++---
 .../HelloWorld/Api/SettingsController.php     | 57 ++-----------------
 .../Api/SimplifiedSettingsController.php      | 43 --------------
 .../app/views/OPNsense/HelloWorld/index.volt  | 21 +++----
 .../OPNsense/HelloWorld/helloworld.conf       |  2 +-
 5 files changed, 18 insertions(+), 118 deletions(-)
 delete mode 100644 devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SimplifiedSettingsController.php

diff --git a/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/ServiceController.php b/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/ServiceController.php
index 6c7073da19..5b068bae43 100644
--- a/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/ServiceController.php
+++ b/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/ServiceController.php
@@ -46,13 +46,9 @@ public function reloadAction()
     {
         $status = "failed";
         if ($this->request->isPost()) {
-            $backend = new Backend();
-            $bckresult = trim($backend->configdRun('template reload OPNsense/HelloWorld'));
-            if ($bckresult == "OK") {
-                $status = "ok";
-            }
+            $status = strtolower(trim((new Backend())->configdRun('template reload OPNsense/HelloWorld')));
         }
-        return array("status" => $status);
+        return ["status" => $status];
     }
 
     /**
@@ -61,13 +57,12 @@ public function reloadAction()
     public function testAction()
     {
         if ($this->request->isPost()) {
-            $backend = new Backend();
-            $bckresult = json_decode(trim($backend->configdRun("helloworld test")), true);
+            $bckresult = json_decode(trim((new Backend())->configdRun("helloworld test")), true);
             if ($bckresult !== null) {
                 // only return valid json type responses
                 return $bckresult;
             }
         }
-        return array("message" => "unable to run config action");
+        return ["message" => "unable to run config action"];
     }
 }
diff --git a/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SettingsController.php b/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SettingsController.php
index 750e1b986e..440ff3ce16 100644
--- a/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SettingsController.php
+++ b/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SettingsController.php
@@ -30,63 +30,14 @@
 
 namespace OPNsense\HelloWorld\Api;
 
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\HelloWorld\HelloWorld;
-use OPNsense\Core\Config;
+use OPNsense\Base\ApiMutableModelControllerBase;
 
 /**
  * Class SettingsController Handles settings related API actions for the HelloWorld module
  * @package OPNsense\Helloworld
  */
-class SettingsController extends ApiControllerBase
+class SettingsController extends ApiMutableModelControllerBase
 {
-    /**
-     * retrieve HelloWorld general settings
-     * @return array general settings
-     * @throws \OPNsense\Base\ModelException
-     * @throws \ReflectionException
-     */
-    public function getAction()
-    {
-        // define list of configurable settings
-        $result = array();
-        if ($this->request->isGet()) {
-            $mdlHelloWorld = new HelloWorld();
-            $result['helloworld'] = $mdlHelloWorld->getNodes();
-        }
-        return $result;
-    }
-
-    /**
-     * update HelloWorld settings
-     * @return array status
-     * @throws \OPNsense\Base\ModelException
-     * @throws \ReflectionException
-     */
-    public function setAction()
-    {
-        $result = array("result" => "failed");
-        if ($this->request->isPost()) {
-            // load model and update with provided data
-            $mdlHelloWorld = new HelloWorld();
-            $mdlHelloWorld->setNodes($this->request->getPost("helloworld"));
-
-            // perform validation
-            $valMsgs = $mdlHelloWorld->performValidation();
-            foreach ($valMsgs as $field => $msg) {
-                if (!array_key_exists("validations", $result)) {
-                    $result["validations"] = array();
-                }
-                $result["validations"]["helloworld." . $msg->getField()] = $msg->getMessage();
-            }
-
-            // serialize model to config and save
-            if ($valMsgs->count() == 0) {
-                $mdlHelloWorld->serializeToConfig();
-                Config::getInstance()->save();
-                $result["result"] = "saved";
-            }
-        }
-        return $result;
-    }
+    protected static $internalModelClass = 'OPNsense\HelloWorld\HelloWorld';
+    protected static $internalModelName = 'helloworld';
 }
diff --git a/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SimplifiedSettingsController.php b/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SimplifiedSettingsController.php
deleted file mode 100644
index 72167c2153..0000000000
--- a/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SimplifiedSettingsController.php
+++ /dev/null
@@ -1,43 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2015-2019 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\HelloWorld\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-/**
- * a simplified settings controller for our HelloWorld app, uses our ApiMutableModelControllerBase type
- * @package OPNsense\Helloworld
- */
-class SimplifiedSettingsController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'helloworld';
-    protected static $internalModelClass = 'OPNsense\HelloWorld\HelloWorld';
-}
diff --git a/devel/helloworld/src/opnsense/mvc/app/views/OPNsense/HelloWorld/index.volt b/devel/helloworld/src/opnsense/mvc/app/views/OPNsense/HelloWorld/index.volt
index 33255d209b..d09d70e1db 100644
--- a/devel/helloworld/src/opnsense/mvc/app/views/OPNsense/HelloWorld/index.volt
+++ b/devel/helloworld/src/opnsense/mvc/app/views/OPNsense/HelloWorld/index.volt
@@ -28,14 +28,13 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <script>
     $( document ).ready(function() {
-        var data_get_map = {'frm_GeneralSettings':"/api/helloworld/settings/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
+        mapDataToFormUI({'frm_GeneralSettings':"/api/helloworld/settings/get"}).done(function(data){
             // place actions to run after load, for example update form styles.
         });
 
         // link save button to API set action
         $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/helloworld/settings/set",formid='frm_GeneralSettings',callback_ok=function(){
+            saveFormToEndpoint("/api/helloworld/settings/set",'frm_GeneralSettings',function(){
                 // action to run after successful save, for example reconfigure service.
                 ajaxCall(url="/api/helloworld/service/reload", sendData={},callback=function(data,status) {
                     // action to run after reload
@@ -43,14 +42,12 @@ POSSIBILITY OF SUCH DAMAGE.
             });
         });
 
-        $("#testAct").click(function(){
-            $("#responseMsg").removeClass("hidden");
-            ajaxCall(url="/api/helloworld/service/test", sendData={},callback=function(data,status) {
-                // action to run after reload
-                $("#responseMsg").html(data['message']);
-            });
+        // use a SimpleActionButton() to call /api/helloworld/service/test
+        $("#testAct").SimpleActionButton({
+            onAction: function(data) {
+                $("#responseMsg").removeClass("hidden").html(data['message']);
+            }
         });
-
     });
 </script>
 
@@ -63,6 +60,6 @@ POSSIBILITY OF SUCH DAMAGE.
 </div>
 
 <div class="col-md-12">
-    <button class="btn btn-primary"  id="saveAct" type="button"><b>{{ lang._('Save') }}</b></button>
-    <button class="btn btn-primary"  id="testAct" type="button"><b>{{ lang._('Test') }}</b></button>
+    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b></button>
+    <button class="btn btn-primary" id="testAct" data-endpoint="/api/helloworld/service/test" data-label="{{ lang._('Test') }}"></button>
 </div>
diff --git a/devel/helloworld/src/opnsense/service/templates/OPNsense/HelloWorld/helloworld.conf b/devel/helloworld/src/opnsense/service/templates/OPNsense/HelloWorld/helloworld.conf
index 7ccefce079..28199b1465 100644
--- a/devel/helloworld/src/opnsense/service/templates/OPNsense/HelloWorld/helloworld.conf
+++ b/devel/helloworld/src/opnsense/service/templates/OPNsense/HelloWorld/helloworld.conf
@@ -1,4 +1,4 @@
-{% if helpers.exists('OPNsense.helloworld.general') and OPNsense.helloworld.general.Enabled|default("0") == "1" %}
+{% if not helpers.empty('OPNsense.helloworld.general.Enabled') %}
 [general]
 SMTPHost={{ OPNsense.helloworld.general.SMTPHost|default("") }}
 FromEmail={{ OPNsense.helloworld.general.FromEmail|default("") }}

From 61db9e7146522a4f2b498e820440305ec6085261 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 3 Sep 2024 17:09:58 +0200
Subject: [PATCH 2074/3088] www/caddy: Remove old custom migration scripts
 (#4213)

* www/caddy: Remove old custom migration scripts

* www/caddy: Remove email validation since it made default migration fail due to an impossible condition at initial config creation
---
 www/caddy/pkg-descr                           |  3 +
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 41 +++-------
 .../OPNsense/Caddy/Migrations/M1_1_3.php      | 79 -------------------
 .../OPNsense/Caddy/Migrations/M1_1_8.php      | 73 -----------------
 4 files changed, 15 insertions(+), 181 deletions(-)
 delete mode 100644 www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
 delete mode 100644 www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 650aa8ef9e..38f7cbb899 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -22,6 +22,9 @@ Plugin Changelog
 * Cleanup: Refactor "general.volt", "reverse_proxy.volt" and "diagnostics.volt" to imported ajaxGet() and ajaxCall()
 * Cleanup: Adjust style of all views
 * Cleanup: Restructure "general.xml" to include tabs, add new "Advanced Settings" Tab
+* Cleanup: Remove old custom migrations
+* Cleanup: Refactor Caddyfile template, extracting duplicate logic into macros
+* Fix: Removed email validation from Caddy.php since it made the default migration fail
 
 1.6.3
 
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index c493ae9b6b..ddb6f919fc 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -36,7 +36,7 @@
 
 class Caddy extends BaseModel
 {
-    // 1. Check domain-port combinations
+    // Check domain-port combinations
     private function checkForUniquePortCombos($items, $messages)
     {
         $combos = [];
@@ -76,7 +76,7 @@ private function checkForUniquePortCombos($items, $messages)
         }
     }
 
-    // 2. Check that subdomains are under a wildcard or exact domain
+    // Check that subdomains are under a wildcard or exact domain
     private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
     {
         $wildcardDomainList = [];
@@ -118,7 +118,7 @@ private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
         }
     }
 
-    // 3. Get the current OPNsense WebGUI ports and check for conflicts with Caddy
+    // Get the current OPNsense WebGUI ports and check for conflicts with Caddy
     private function getWebGuiPorts()
     {
         $webgui = Config::getInstance()->object()->system->webgui ?? null;
@@ -168,21 +168,7 @@ private function checkWebGuiSettings($messages)
         }
     }
 
-    // 4. Check for ACME Email being required when Auto HTTPS on
-    private function checkAcmeEmailAutoHttps($messages)
-    {
-        $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
-        $tlsEmail = (string)$this->general->TlsEmail;
-
-        if (empty($tlsEmail) && $tlsAutoHttpsSetting !== 'off') {
-            $messages->appendMessage(new Message(
-                gettext('To use "Auto HTTPS", an email address is required.'),
-                "general.TlsEmail"
-            ));
-        }
-    }
-
-    // 5. Prevent the usage of conflicting options when TLS is deactivated for a Domain
+    // Prevent the usage of conflicting options when TLS is deactivated for a Domain
     private function checkDisableTlsConflicts($messages)
     {
         foreach ($this->reverseproxy->reverse->iterateItems() as $item) {
@@ -212,7 +198,7 @@ private function checkDisableTlsConflicts($messages)
     }
 
     /**
-     * 6. Check that when Superuser is disabled, all ports are 1024 and above.
+     * Check that when Superuser is disabled, all ports are 1024 and above.
      * In General settings where this triggers, a validation dialog will show the hidden validation of the domain ports.
      * The default HTTP and HTTPS ports are not allowed to be empty, since then they are 80 and 443.
      * Domain ports are allowed to be empty, since then they have the same value as the HTTP and HTTPS default ports.
@@ -267,7 +253,7 @@ private function checkSuperuserPorts($messages)
     }
 
     /**
-    * 6. Check that when certain Layer4 matchers are selected, only "*" is valid as FromDomain.
+    * Check that when certain Layer4 matchers are selected, only "*" is valid as FromDomain.
     * This happens because they cannot be matched by host header or SNI, so they match all traffic.
     * The "*" shows the user that all traffic will be matched, and that creating multiple
     * matchers will not result in more routes for the same traffic type to work.
@@ -302,32 +288,29 @@ public function performValidation($validateFullModel = false)
     {
         $messages = parent::performValidation($validateFullModel);
 
-        // 1. Check domain-port combinations
+        // Check domain-port combinations
         $this->checkForUniquePortCombos(
             $this->reverseproxy->reverse->iterateItems(),
             $messages
         );
 
-        // 2. Check that subdomains are under a wildcard or exact domain
+        // Check that subdomains are under a wildcard or exact domain
         $this->checkSubdomainsAgainstDomains(
             $this->reverseproxy->subdomain->iterateItems(),
             $this->reverseproxy->reverse->iterateItems(),
             $messages
         );
 
-        // 3. Check WebGUI conflicts
+        // Check WebGUI conflicts
         $this->checkWebGuiSettings($messages);
 
-        // 4. Check for ACME Email requirement
-        $this->checkAcmeEmailAutoHttps($messages);
-
-        // 5. Check for TLS conflicts in Domain
+        // Check for TLS conflicts in Domain
         $this->checkDisableTlsConflicts($messages);
 
-        // 6. Check DisableSuperuser Port conflicts
+        // Check DisableSuperuser Port conflicts
         $this->checkSuperuserPorts($messages);
 
-        // 7. Check Layer4 matchers
+        // Check Layer4 matchers
         $this->checkLayer4Matchers($messages);
 
         return $messages;
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
deleted file mode 100644
index 649408dbcf..0000000000
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_3.php
+++ /dev/null
@@ -1,79 +0,0 @@
-<?php
-
-/*
- *    Copyright (C) 2024 Cedrik Pischem
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Caddy\Migrations;
-
-use OPNsense\Base\BaseModelMigration;
-use OPNsense\Core\Config;
-
-// @codingStandardsIgnoreStart
-class M1_1_3 extends BaseModelMigration
-// @codingStandardsIgnoreEnd
-{
-    public function run($model)
-    {
-        // Load the current system configuration
-        $config = Config::getInstance()->object();
-
-        // Ensure there are reverse proxy configurations to process
-        if (!empty($config->Pischem->caddy->reverseproxy)) {
-            // Loop through each reverse proxy configuration in the stored configuration config.xml
-            foreach ($config->Pischem->caddy->reverseproxy->children() as $configNode) {
-                // Extract the UUID attribute to identify the configuration item
-                $uuid = (string)$configNode->attributes()->uuid;
-
-                // Check if the current configuration item has a 'Description' to migrate
-                if (!empty($configNode->Description)) {
-                    // Store the value of 'Description' for migration
-                    $descriptionValue = (string)$configNode->Description;
-
-                    // Attempt to locate the corresponding node in the model using the UUID
-                    $modelNode = null;
-
-                    // Retrieve reverse proxy items from the model for matching UUID
-                    $reverseProxies = $model->getNodeByReference('reverseproxy')->iterateItems();
-                    foreach ($reverseProxies as $item) {
-                        foreach ($item->iterateItems() as $modelUuid => $node) {
-                            if ($uuid === $modelUuid) {
-                                $modelNode = $node;
-                                break 2; // Break from both loops once the node is found
-                            }
-                        }
-                    }
-
-                    // If a matching node is found in the model, migrate the 'Description' value to 'description' value
-                    if ($modelNode !== null) {
-                        $modelNode->description = $descriptionValue;
-                    }
-                }
-            }
-        }
-
-        // Model is saved by 'run_migrations.php'
-    }
-}
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php
deleted file mode 100644
index c506375a1e..0000000000
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Migrations/M1_1_8.php
+++ /dev/null
@@ -1,73 +0,0 @@
-<?php
-
-/*
- *    Copyright (C) 2024 Cedrik Pischem
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\Caddy\Migrations;
-
-use OPNsense\Base\BaseModelMigration;
-use OPNsense\Core\Config;
-
-// @codingStandardsIgnoreStart
-class M1_1_8 extends BaseModelMigration
-// @codingStandardsIgnoreEnd
-{
-    public function run($model)
-    {
-        // Load the current system configuration
-        $config = Config::getInstance()->object();
-
-        // Read and migrate TlsAutoHttps setting if necessary
-        if (!empty($config->Pischem->caddy->general->TlsAutoHttps)) {
-            $tlsAutoHttpsValue = (string)$config->Pischem->caddy->general->TlsAutoHttps;
-            // Check if the current value is 'on' and needs to be migrated
-            if ($tlsAutoHttpsValue === 'on') {
-                // Locate the corresponding node in the model
-                $modelNode = $model->getNodeByReference('general.TlsAutoHttps');
-                if ($modelNode != null) {
-                    // Set to empty value in the model, migration from 'on' to ''
-                    $modelNode->setValue('');
-                }
-            }
-        }
-
-        // Read and migrate TlsDnsProvider setting if necessary
-        if (!empty($config->Pischem->caddy->general->TlsDnsProvider)) {
-            $tlsDnsProviderValue = (string)$config->Pischem->caddy->general->TlsDnsProvider;
-            // Check if the current value is 'none' and needs to be migrated
-            if ($tlsDnsProviderValue === 'none') {
-                // Locate the corresponding node in the model
-                $modelNode = $model->getNodeByReference('general.TlsDnsProvider');
-                if ($modelNode != null) {
-                    // Set to empty value in the model, migration from 'none' to ''
-                    $modelNode->setValue('');
-                }
-            }
-        }
-
-        // Model is saved by 'run_migrations.php'
-    }
-}

From 70ecb2abd5a26d45978f901ae3dcec95144f81c5 Mon Sep 17 00:00:00 2001
From: doktornotor <1075960+doktornotor@users.noreply.github.com>
Date: Wed, 4 Sep 2024 09:47:30 +0200
Subject: [PATCH 2075/3088] dns/bind: add SSHFP Record Type (#4220)

---
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
index bd520cb797..2e806041ce 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
@@ -40,6 +40,7 @@
                         <RP>RP</RP>
                         <RRSIG>RRSIG</RRSIG>
                         <SRV>SRV</SRV>
+                        <SSHFP>SSHFP</SSHFP>
                         <TLSA>TLSA</TLSA>
                         <TXT>TXT</TXT>
                     </OptionValues>

From 546c0396b517c94083b5955f873f8750062321a4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 5 Sep 2024 08:26:05 +0200
Subject: [PATCH 2076/3088] devel/helloworld: update to new version

---
 devel/helloworld/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/devel/helloworld/Makefile b/devel/helloworld/Makefile
index bf22cc416b..a7e4092dc9 100644
--- a/devel/helloworld/Makefile
+++ b/devel/helloworld/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		helloworld
-PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		A sample framework application
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From 206e47728fc3b0e19e7f05b644f9969aa1a37e68 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 5 Sep 2024 09:26:28 +0200
Subject: [PATCH 2077/3088] dns/bind: feature amendmend

---
 dns/bind/Makefile  | 1 +
 dns/bind/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index b02187266e..ad9f68174d 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.32
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index fde7fab7c0..c03a02f2be 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 
 * Fix handling of multiple ACLs in allow-query/allow-transfer (contributed by Nathan Rennie-Waldock)
 * Fix multiple select on Recursion field and resulting multiple ACLs (contributed by Jordan Stacy)
+* Add SSHFP record type (contributed by doktornotor)
 
 1.31
 

From 5a02d3867d5e074837a1de8af7ffbaa46552a89f Mon Sep 17 00:00:00 2001
From: franciscodimattia <59030809+franciscodimattia@users.noreply.github.com>
Date: Thu, 5 Sep 2024 17:14:38 -0300
Subject: [PATCH 2078/3088] Create Smart widget XML (#4215)

---
 .../www/js/widgets/Metadata/Smart.xml         | 14 ++++
 .../src/opnsense/www/js/widgets/Smart.js      | 71 +++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
 create mode 100644 sysutils/smart/src/opnsense/www/js/widgets/Smart.js

diff --git a/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml b/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
new file mode 100644
index 0000000000..0d94d7d899
--- /dev/null
+++ b/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
@@ -0,0 +1,14 @@
+<metadata>
+    <smart>
+        <filename>Smart.js</filename>
+        <endpoints>
+            <endpoint>/api/smart/service/list</endpoint>
+            <endpoint>/api/smart/service/info</endpoint>
+        </endpoints>
+        <translations>
+            <title>SMART Status</title>
+            <nodisk>Error fetching disk list</nodisk>
+            <nosmart>Error fetching SMART info for device</nosmart>
+        </translations>
+    </smart>
+</metadata>
diff --git a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
new file mode 100644
index 0000000000..1aa2d3b077
--- /dev/null
+++ b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2024 Francisco Dimattia <info@tecnoservicio.com.ar>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+export default class Smart extends BaseTableWidget {
+    constructor() {
+        super();
+        this.tickTimeout = 300;
+        this.disks = null;
+    }
+
+    getMarkup() {
+        const $container = $('<div></div>');
+        const $smarttable = this.createTable('smart-table', {
+            headerPosition: 'left',
+        });
+        $container.append($smarttable);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        if (this.disks && this.disks.devices) {
+            for (const device of this.disks.devices) {
+                try {
+                    const data = await ajaxCall("/api/smart/service/info", { type: "H", device });
+                    const health = data.output.includes("PASSED");
+                    $(`#${device}`).css({ color: health ? "green" : "red", fontSize: '150%' });
+                    $(`#${device}`).text(health ? "OK" : "FAILED");
+                } catch (error) {
+                    super.updateTable('smart-table', [[["Error"], $(`<span>${this.translations.nosmart} ${device}: ${error}</span>`).prop('outerHTML')]]);
+                }
+            }
+        }
+    }
+
+    async onMarkupRendered() {
+        try {
+            this.disks = await ajaxCall("/api/smart/service/list", {});
+            const rows = [];
+            for (const device of this.disks.devices) {
+                const field = $(`<span id="${device}">`).prop('outerHTML');
+                rows.push([[device], field]);
+            }
+            super.updateTable('smart-table', rows);
+        } catch (error) {
+            super.updateTable('smart-table', [[["Error"], $(`<span>${this.translations.nodisk}: ${error}</span>`).prop('outerHTML')]]);
+        }
+    }
+}

From 4924b275261c8a1d270dde4d4c49c1dab05e028a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Sep 2024 06:42:40 +0200
Subject: [PATCH 2079/3088] sysutils/smart: get read for next release

---
 sysutils/smart/Makefile                       |  3 +-
 .../src/www/widgets/include/smart_status.inc  |  4 -
 .../widgets/widgets/smart_status.widget.php   | 74 -------------------
 3 files changed, 1 insertion(+), 80 deletions(-)
 delete mode 100644 sysutils/smart/src/www/widgets/include/smart_status.inc
 delete mode 100644 sysutils/smart/src/www/widgets/widgets/smart_status.widget.php

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index e0ab26fb5c..2afa17e450 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		smart
-PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=	5
+PLUGIN_VERSION=		2.3
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/smart/src/www/widgets/include/smart_status.inc b/sysutils/smart/src/www/widgets/include/smart_status.inc
deleted file mode 100644
index 5080309907..0000000000
--- a/sysutils/smart/src/www/widgets/include/smart_status.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-<?php
-
-$smart_status_title = gettext('SMART Status');
-$smart_status_title_link = 'ui/smart';
diff --git a/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php b/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php
deleted file mode 100644
index 976be530d1..0000000000
--- a/sysutils/smart/src/www/widgets/widgets/smart_status.widget.php
+++ /dev/null
@@ -1,74 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2018 Smart-Soft
- * Copyright (C) 2014 Deciso B.V.
- * Copyright (C) 2012 mkirbst
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once('guiconfig.inc');
-require_once('widgets/include/smart_status.inc');
-
-$devs = json_decode(configd_run('smart detailed list'));
-
-?>
-
-<table class="table table-striped table-condensed">
-  <thead>
-    <tr>
-        <th><?= gettext('Drive') ?></td>
-        <th><?= gettext('Ident') ?></td>
-        <th><?= gettext('Status') ?></td>
-    </tr>
-  </thead>
-  <tbody>
-
-<?php foreach ($devs as $dev):
-
-    $dev_state_translated = gettext('Unknown');
-    $color = 'default';
-
-    if (isset($dev->state->smart_status->passed)) {
-        if ($dev->state->smart_status->passed) {
-            $dev_state_translated = gettext('OK');
-            $color = 'success';
-        } else {
-            $dev_state_translated = gettext('FAILED');
-            $color = 'danger';
-	}
-    }
-
-?>
-
-    <tr>
-      <td><?= html_safe($dev->device) ?></td>
-      <td style="word-break: break-word;"><?= html_safe($dev->ident) ?></td>
-      <td><span class="label label-<?= $color ?>"><?= html_safe($dev_state_translated) ?></span></td>
-    </tr>
-
-<?php endforeach ?>
-
-  </tbody>
-</table>

From 5ff52943407930f3dc272fdb5bc596088cb9ab34 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Sep 2024 06:44:34 +0200
Subject: [PATCH 2080/3088] mail/rspamd document change

---
 mail/rspamd/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mail/rspamd/pkg-descr b/mail/rspamd/pkg-descr
index 80f7d7b76f..c356fd21c3 100644
--- a/mail/rspamd/pkg-descr
+++ b/mail/rspamd/pkg-descr
@@ -8,6 +8,7 @@ Plugin Changelog
 1.13
 
 * Make local whitelist by e-mail address possible (contributed by itNGO)
+* Add phishing exclusion (contributed by Makss39)
 
 1.12
 

From c86e31a0d03bb385ae70143a3f72af5e7a407cfe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Sep 2024 16:55:18 +0200
Subject: [PATCH 2081/3088] sysutils/smart: widget needs a rework

I'd rather emulate the old network which used the
detailed list backend call.  Funnel this through
the API on request but no time to do this now.
---
 sysutils/smart/Makefile                                  | 3 ++-
 .../controllers/OPNsense/Smart/Api/ServiceController.php | 9 +++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 2afa17e450..bdacbc9e01 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		smart
-PLUGIN_VERSION=		2.3
+PLUGIN_VERSION=		2.2
+PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php b/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
index 874ba272f2..d35feb29bb 100644
--- a/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
+++ b/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
@@ -43,10 +43,15 @@ private function getDevices()
         return $devices;
     }
 
-    public function listAction()
+    public function listAction($details = null)
     {
         if ($this->request->isPost()) {
-            return array("devices" => $this->getDevices());
+            $backend = new Backend();
+
+            $devices = empty($details) ? $this->getDevices() :
+                json_decode(trim($backend->configdRun('smart detailed list')), true);
+
+            return ['devices' => $devices];
         }
 
         return array("message" => "Unable to run list action");

From b77cb8ee77925b22d39b39490d5f07817ccb55cd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Sep 2024 11:30:23 +0200
Subject: [PATCH 2082/3088] plugins: add lint-acl pass

---
 Mk/plugins.mk | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ffaed11209..8796b41622 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -366,6 +366,15 @@ lint-model:
 		done; \
 	done; fi
 
+ACLBIN?=	${.CURDIR}/../../../core/Scripts/dashboard-acl.sh
+
+lint-acl: check
+.if exists(${ACLBIN})
+	@${ACLBIN}
+.else
+	@echo "Did not find ACLBIN, please provide a core repository"; exit 1
+.endif
+
 lint-exec: check
 .for DIR in ${.CURDIR}/src/opnsense/scripts ${.CURDIR}/src/etc/rc.d ${.CURDIR}/src/etc/rc.syshook.d
 .if exists(${DIR})
@@ -384,7 +393,7 @@ lint-php: check
 	@echo "Did not find LINTBIN, please provide a core repository"; exit 1
 .endif
 
-lint: lint-desc lint-shell lint-xml lint-model lint-exec lint-php
+lint: lint-desc lint-shell lint-xml lint-model lint-acl lint-exec lint-php
 
 plist-fix:
 

From 297335efbf863ac14ab0187f1cd843679984c382 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Sep 2024 11:35:09 +0200
Subject: [PATCH 2083/3088] dns/ddclient: fix ACLs due to lint-acl addition

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml   | 4 +++-
 dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js            | 4 ++--
 dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml  | 3 ++-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
index 4503995ce9..32da0de0bf 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
@@ -2,8 +2,10 @@
     <page-services-dyndns>
         <name>Services: Dynamic DNS</name>
         <patterns>
+            <pattern>api/dyndns/accounts/*</pattern>
+            <pattern>api/dyndns/service/*</pattern>
+            <pattern>api/dyndns/settings/*</pattern>
             <pattern>ui/dyndns/*</pattern>
-            <pattern>api/dyndns/*</pattern>
         </patterns>
     </page-services-dyndns>
 </acl>
diff --git a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
index e4fb01095c..bc4c359abb 100644
--- a/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
+++ b/dns/ddclient/src/opnsense/www/js/widgets/Dyndns.js
@@ -52,14 +52,14 @@ export default class Dyndns extends BaseTableWidget {
 
     async onWidgetTick() {
         // Check if DynDNS is enabled
-        const statusData = await this.ajaxCall('/api/dyndns/service/status');
+        const statusData = await this.ajaxCall(`/api/dyndns/service/${'status'}`);
         if (!statusData || statusData.status !== "running") {
             this.displayError(this.translations.servicedisabled);
             return;
         }
 
         // Fetch DynDNS account information
-        const accountData = await this.ajaxCall('/api/dyndns/accounts/search_item');
+        const accountData = await this.ajaxCall(`/api/dyndns/accounts/${'search_item'}`);
         if (!accountData || !accountData.rows || accountData.rows.length === 0) {
             this.displayError(this.translations.noaccount);
             return;
diff --git a/dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml b/dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml
index 43a822cb33..17569ac10b 100644
--- a/dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml
+++ b/dns/ddclient/src/opnsense/www/js/widgets/Metadata/Dyndns.xml
@@ -2,7 +2,8 @@
     <ddclient>
         <filename>Dyndns.js</filename>
         <endpoints>
-            <endpoint>/api/dyndns/*</endpoint>
+            <endpoint>/api/dyndns/accounts/*</endpoint>
+            <endpoint>/api/dyndns/service/*</endpoint>
         </endpoints>
         <translations>
             <title>Dynamic DNS</title>

From b3579345651cd1960bfae421117cc0df5b736c2f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Sep 2024 12:14:44 +0200
Subject: [PATCH 2084/3088] plugins: need to take core ACLs into account

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 8796b41622..3e89eaab6b 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -370,7 +370,7 @@ ACLBIN?=	${.CURDIR}/../../../core/Scripts/dashboard-acl.sh
 
 lint-acl: check
 .if exists(${ACLBIN})
-	@${ACLBIN}
+	@${ACLBIN} ${.CURDIR}/../../../core
 .else
 	@echo "Did not find ACLBIN, please provide a core repository"; exit 1
 .endif

From bae6b2bb9e6acee189fdcb612c193298b0e975d7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Sep 2024 12:20:21 +0200
Subject: [PATCH 2085/3088] net/wol: fix ACL dasbhoard definitions

---
 net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml | 2 +-
 net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml   | 2 +-
 net/wol/src/opnsense/www/js/widgets/WakeOnLan.js             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml
index 43a21eb742..5103b5c239 100644
--- a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml
+++ b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml
@@ -3,7 +3,7 @@
         <name>Services: Wake on LAN</name>
         <patterns>
             <pattern>ui/wol/*</pattern>
-            <pattern>api/wol/*</pattern>
+            <pattern>api/wol/wol/*</pattern>
         </patterns>
     </page-services-wakeonlan>
 </acl>
diff --git a/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml b/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
index 7cb8e5f500..3ba307ae97 100644
--- a/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
+++ b/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
@@ -2,9 +2,9 @@
     <wol>
         <filename>WakeOnLan.js</filename>
         <endpoints>
+            <endpoint>/api/diagnostics/interface/getArp*</endpoint>
             <endpoint>/api/wol/wol/searchHost</endpoint>
             <endpoint>/api/wol/wol/set</endpoint>
-            <endpoint>/diagnostics/interface/getArp</endpoint>
         </endpoints>
         <translations>
             <title>WakeOnLan</title>
diff --git a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
index 7a98b6a80e..d8a0b0e2f4 100644
--- a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
+++ b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
@@ -62,7 +62,7 @@ export default class WakeOnLan extends BaseTableWidget {
 
           //NOTE: this ARP list call is the most expensive one and can grow substantialy in big networks
           //With previous widget it had been done on the backend side with direct exec of 'arp -an | grep ...'
-          const arp = await this.ajaxCall('/api/diagnostics/interface/getArp');
+          const arp = await this.ajaxCall(`/api/diagnostics/interface/getArp${''}`);
 
           for(let it = 0; it < data.rows.length; it++){
               const item = data.rows[it];

From ed333b463c8958f50a3a5c167317f004515f92dd Mon Sep 17 00:00:00 2001
From: IDH-oliver <o_will@hussein.de>
Date: Fri, 13 Sep 2024 12:28:45 +0200
Subject: [PATCH 2086/3088]  net/wol: fix false negatives on MAC lookup (#4231)

---
 net/wol/src/opnsense/www/js/widgets/WakeOnLan.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
index d8a0b0e2f4..988d60bd5d 100644
--- a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
+++ b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
@@ -94,7 +94,7 @@ export default class WakeOnLan extends BaseTableWidget {
   }
 
   checkActive(arp_list, mac, intf) {
-    const arp = arp_list.find((obj) => obj.mac === mac);
+    const arp = arp_list.find((obj) => obj.mac === mac.toLowerCase());
     if (arp === undefined) {
       return 0;
     } else {

From d02e175cd2e6db9b6f9c7c9509d08153e54ce1d5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Sep 2024 12:30:24 +0200
Subject: [PATCH 2087/3088] sysutils/apcupsd: fix ACL

---
 .../src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
index a911bfa876..db08da4269 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
@@ -2,8 +2,9 @@
     <page-services-apcupsd>
         <name>Services: Apcupsd System Monitoring page</name>
         <patterns>
+            <pattern>api/apcupsd/service/*</pattern>
+            <pattern>api/apcupsd/settings/*</pattern>
             <pattern>ui/apcupsd/*</pattern>
-            <pattern>api/apcupsd/*</pattern>
         </patterns>
     </page-services-apcupsd>
 </acl>

From 539193d14bc12cdd38ac6cbfe99b2e1ea7cc5adc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 13 Sep 2024 12:39:23 +0200
Subject: [PATCH 2088/3088] sysutils/smart: fix ACL

---
 .../src/opnsense/mvc/app/models/OPNsense/Smart/ACL/ACL.xml    | 2 +-
 sysutils/smart/src/opnsense/www/js/widgets/Smart.js           | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sysutils/smart/src/opnsense/mvc/app/models/OPNsense/Smart/ACL/ACL.xml b/sysutils/smart/src/opnsense/mvc/app/models/OPNsense/Smart/ACL/ACL.xml
index d728c58976..d7fb0e73c5 100644
--- a/sysutils/smart/src/opnsense/mvc/app/models/OPNsense/Smart/ACL/ACL.xml
+++ b/sysutils/smart/src/opnsense/mvc/app/models/OPNsense/Smart/ACL/ACL.xml
@@ -3,7 +3,7 @@
         <name>Services: SMART</name>
         <patterns>
             <pattern>ui/smart/*</pattern>
-            <pattern>api/smart/*</pattern>
+            <pattern>api/smart/service/*</pattern>
         </patterns>
     </page-services-smart>
 </acl>
diff --git a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
index 1aa2d3b077..b46419e0c2 100644
--- a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
+++ b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
@@ -44,7 +44,7 @@ export default class Smart extends BaseTableWidget {
         if (this.disks && this.disks.devices) {
             for (const device of this.disks.devices) {
                 try {
-                    const data = await ajaxCall("/api/smart/service/info", { type: "H", device });
+                    const data = await this.ajaxCall('/api/smart/service/info', { type: "H", device });
                     const health = data.output.includes("PASSED");
                     $(`#${device}`).css({ color: health ? "green" : "red", fontSize: '150%' });
                     $(`#${device}`).text(health ? "OK" : "FAILED");
@@ -57,7 +57,7 @@ export default class Smart extends BaseTableWidget {
 
     async onMarkupRendered() {
         try {
-            this.disks = await ajaxCall("/api/smart/service/list", {});
+            this.disks = await this.ajaxCall('/api/smart/service/list', {});
             const rows = [];
             for (const device of this.disks.devices) {
                 const field = $(`<span id="${device}">`).prop('outerHTML');

From 0068b7295e7ff477b1f1e040211138fc80a585eb Mon Sep 17 00:00:00 2001
From: Stephan de Wit <stephan.de.wit@deciso.com>
Date: Fri, 13 Sep 2024 16:36:17 +0200
Subject: [PATCH 2089/3088] sysutils/dechw: fix ACL, fixes
 https://github.com/opnsense/plugins/issues/4233

---
 .../opnsense/mvc/app/models/OPNsense/dechw/ACL/ACL.xml    | 8 ++++++++
 sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js      | 2 +-
 .../dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 sysutils/dec-hw/src/opnsense/mvc/app/models/OPNsense/dechw/ACL/ACL.xml

diff --git a/sysutils/dec-hw/src/opnsense/mvc/app/models/OPNsense/dechw/ACL/ACL.xml b/sysutils/dec-hw/src/opnsense/mvc/app/models/OPNsense/dechw/ACL/ACL.xml
new file mode 100644
index 0000000000..3d2b4f028a
--- /dev/null
+++ b/sysutils/dec-hw/src/opnsense/mvc/app/models/OPNsense/dechw/ACL/ACL.xml
@@ -0,0 +1,8 @@
+<acl>
+    <page-dashboard-widget-dechw>
+        <name>Dashboard: Deciso Hardware Information widget</name>
+        <patterns>
+            <pattern>api/dechw/info/powerstatus</pattern>
+        </patterns>
+    </page-dashboard-widget-dechw>
+</acl>
diff --git a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
index bba6d6807c..a5c9743747 100644
--- a/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
+++ b/sysutils/dec-hw/src/opnsense/www/js/widgets/DecHW.js
@@ -75,7 +75,7 @@ export default class DecHW extends BaseWidget {
 
     async onWidgetTick() {
         $('.power').tooltip('hide');
-        let data = await this.ajaxCall('/api/dechw/info/powerStatus');
+        let data = await this.ajaxCall('/api/dechw/info/powerstatus');
 
         if (!data || data.status === 'failed') {
             $('#status').html(`<div class="error-message" style="margin: 10px;">${this.translations.nopower}</div>`);
diff --git a/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml b/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
index 8eb8eccb18..a4d579970a 100644
--- a/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
+++ b/sysutils/dec-hw/src/opnsense/www/js/widgets/Metadata/DecHW.xml
@@ -2,7 +2,7 @@
     <dechw>
         <filename>DecHW.js</filename>
         <endpoints>
-            <endpoint>/api/dechw/info/powerStatus</endpoint>
+            <endpoint>/api/dechw/info/powerstatus</endpoint>
         </endpoints>
         <translations>
             <title>Deciso Hardware Information</title>

From bf45298f0c1d2cf533a0956fb6bdc889a8407de1 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 13 Sep 2024 20:55:20 +0200
Subject: [PATCH 2090/3088] www/caddy: Typo in TlsInsecureSkipVerify condition
 prevents it from appearing if it is the only transport_http option. (#4237)

---
 www/caddy/Makefile                                              | 1 +
 .../src/opnsense/service/templates/OPNsense/Caddy/Caddyfile     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index d1427802e5..0a0183dace 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.7.0
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 0ca5f257f4..ef1a10481b 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -415,7 +415,7 @@ http://{{ domain }} {
             {% if handle.PassiveHealthFailDuration|default("") %}
                 fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}
-            {% set has_transport_options = handle.HttpVersion or handle.HttpKeepalive or handle.HttpTls|default("0") == "1" or handle.HttpTlsesecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName %}
+            {% set has_transport_options = handle.HttpVersion or handle.HttpKeepalive or handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName %}
             {% if has_transport_options %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {

From ea150f2e901cb019d33645998c401ef0659cde6b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 14 Sep 2024 11:03:34 +0200
Subject: [PATCH 2091/3088] www/caddy: Fix api endpoints in widgets via
 lint-acl (#4234)

* www/caddy: Fix api endpoints in widgets via lint-acl.

* www/caddy: Add links to Metadata too.

* www/caddy: Use wildcards for api endpoints.

* Revert "www/caddy: Use wildcards for api endpoints."

This reverts commit 85d2027634c8e08ac18e723432d9b74c5d7facce.
---
 www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
index 818be0f301..ac818fd2a0 100644
--- a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
+++ b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
@@ -1,8 +1,9 @@
 <metadata>
     <caddydomain>
         <filename>CaddyDomain.js</filename>
+        <link>/ui/caddy/reverse_proxy</link>
         <endpoints>
-            <endpoint>/api/caddy/reverse_proxy/*</endpoint>
+            <endpoint>/api/caddy/reverse_proxy/get</endpoint>
         </endpoints>
         <translations>
             <title>Caddy Domains</title>
@@ -13,8 +14,10 @@
     </caddydomain>
     <caddycertificate>
         <filename>CaddyCertificate.js</filename>
+        <link>/ui/caddy/reverse_proxy</link>
         <endpoints>
-            <endpoint>/api/caddy/*</endpoint>
+            <endpoint>/api/caddy/diagnostics/certificate</endpoint>
+            <endpoint>/api/caddy/reverse_proxy/get</endpoint>
         </endpoints>
         <translations>
             <title>Caddy Certificates</title>

From 4f9e0308990626ed3e50db5822c5374f182aba1c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 14 Sep 2024 13:16:04 +0200
Subject: [PATCH 2092/3088] net/zerotier: spoofmac is not supported here

PR: https://forum.opnsense.org/index.php?topic=42798.0
---
 net/zerotier/Makefile                               | 2 +-
 net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/zerotier/Makefile b/net/zerotier/Makefile
index 101ec53855..aad751c0a0 100644
--- a/net/zerotier/Makefile
+++ b/net/zerotier/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		zerotier
 PLUGIN_VERSION=		1.3.2
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		Virtual Networks That Just Work
 PLUGIN_DEPENDS=		zerotier
 PLUGIN_MAINTAINER=	dharrigan@gmail.com
diff --git a/net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc b/net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc
index b325c637b9..68d740538b 100644
--- a/net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc
+++ b/net/zerotier/src/etc/inc/plugins.inc.d/zerotier.inc
@@ -62,5 +62,5 @@ function zerotier_services()
 
 function zerotier_devices()
 {
-    return [['pattern' => '^zt', 'volatile' => true]];
+    return [['pattern' => '^zt', 'spoofmac' => false, 'volatile' => true]];
 }

From d7569fda0f6811b09162a472b4c7ab4ee06a3447 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 14 Sep 2024 20:20:05 +0200
Subject: [PATCH 2093/3088] www/caddy: Add option to disable QUIC protocol
 (#4238)

* www/caddy: Add option to disable QUIC protocol

* Resolve all -Enable to Disable something- options into clear selectpickers. Simplify template that generates server options.

* www/caddy: Make new option fields totally backwards compatible to prior checkboxes. Shift two options around in the ReverseProxy form for clarity.
---
 .../Caddy/forms/dialogReverseProxy.xml        | 24 +++++++-------
 .../OPNsense/Caddy/forms/general.xml          | 10 ++++--
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 32 ++++++++++++++++---
 .../templates/OPNsense/Caddy/Caddyfile        | 32 ++++---------------
 4 files changed, 54 insertions(+), 44 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index eb8e1b3665..56f2562ddf 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -5,6 +5,12 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this domain.]]></help>
     </field>
+    <field>
+        <id>reverse.DisableTls</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help><![CDATA[When choosing HTTPS, the ACME HTTP-01, TLS-ALPN-01 or DNS-01 challenge will be used to get automatic Let's Encrypt or ZeroSSL certificates, without the need of any additional plugin. When choosing HTTP, it will disable HTTP over TLS (HTTPS) for this domain, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
+    </field>
     <field>
         <id>reverse.FromDomain</id>
         <label>Domain</label>
@@ -41,30 +47,24 @@
         <label>Trust</label>
         <collapse>true</collapse>
     </field>
-    <field>
-        <id>reverse.DisableTls</id>
-        <label>Disable TLS</label>
-        <type>checkbox</type>
-        <help><![CDATA[Disable HTTP over TLS (HTTPS) for this domain. When disabling TLS, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
-    </field>
     <field>
         <id>reverse.DnsChallenge</id>
         <label>DNS-01 Challenge</label>
         <type>checkbox</type>
         <help><![CDATA[Enable the DNS-01 challenge for this domain. Requires a "DNS Provider" in "General Settings". This is mostly only needed for wildcard domains, or when the HTTP-01 and TLS-ALPN-01 challenge can not be used due to restrictive firewall policies.]]></help>
     </field>
-    <field>
-        <id>reverse.AcmePassthrough</id>
-        <label>HTTP-01 Challenge Redirection</label>
-        <type>text</type>
-        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
-    </field>
     <field>
         <id>reverse.CustomCertificate</id>
         <label>Custom Certificate</label>
         <type>dropdown</type>
         <help><![CDATA[Choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
     </field>
+    <field>
+        <id>reverse.AcmePassthrough</id>
+        <label>HTTP-01 Challenge Redirection</label>
+        <type>text</type>
+        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Access</label>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index e76e34a2c1..beb0b5ef18 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -29,10 +29,16 @@
         </field>
         <field>
             <id>caddy.general.DisableSuperuser</id>
-            <label>Disable Superuser</label>
-            <type>checkbox</type>
+            <label>System User</label>
+            <type>dropdown</type>
             <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
         </field>
+        <field>
+            <id>caddy.general.HttpVersion</id>
+            <label>HTTP Version</label>
+            <type>select_multiple</type>
+            <help><![CDATA[Select the HTTP Version for the frontend listeners. By default, QUIC (HTTP/3) is enabled. This means, UDP/443 will be used by Caddy. To free this protocol port combination for a different service, choose a different combination of protocols that does not include HTTP/3.]]></help>
+        </field>
         <field>
             <id>caddy.general.HttpPort</id>
             <label>HTTP Port</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 324e6069e1..243b323b06 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.0</version>
+    <version>1.3.1</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -85,7 +85,14 @@
                 </Model>
             </accesslist>
             <abort type="BooleanField"/>
-            <DisableSuperuser type="BooleanField"/>
+            <DisableSuperuser type="OptionField">
+                <Required>Y</Required>
+                <Default>0</Default>
+                <OptionValues>
+                    <root value="0">root (default)</root>
+                    <www value="1">www</www>
+                </OptionValues>
+            </DisableSuperuser>
             <GracePeriod type="IntegerField">
                 <Default>10</Default>
                 <MinimumValue>1</MinimumValue>
@@ -93,6 +100,16 @@
                 <ValidationMessage>Please enter a valid Grace Period between 1 and 3600 seconds.</ValidationMessage>
                 <Required>Y</Required>
             </GracePeriod>
+            <HttpVersion type="OptionField">
+                <Required>Y</Required>
+                <Default>h1,h2,h3</Default>
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <h1>HTTP/1.1</h1>
+                    <h2>HTTP/2</h2>
+                    <h3>HTTP/3</h3>
+                </OptionValues>
+            </HttpVersion>
             <LogCredentials type="BooleanField"/>
             <LogAccessPlain type="BooleanField"/>
             <LogAccessPlainKeep type="IntegerField">
@@ -186,7 +203,14 @@
                 <AccessLog type="BooleanField"/>
                 <DynDns type="BooleanField"/>
                 <AcmePassthrough type="HostnameField"/>
-                <DisableTls type="BooleanField"/>
+                <DisableTls type="OptionField">
+                    <Required>Y</Required>
+                    <Default>0</Default>
+                    <OptionValues>
+                        <https value="0">HTTPS (default)</https>
+                        <http value="1">HTTP</http>
+                    </OptionValues>
+                </DisableTls>
             </reverse>
             <subdomain type="ArrayField">
                 <enabled type="BooleanField">
@@ -312,7 +336,7 @@
                     </Constraints>
                 </HttpTls>
                 <HttpVersion type="OptionField">
-                    <BlankDesc>HTTP/1.1, HTTP/2</BlankDesc>
+                    <BlankDesc>HTTP/1.1, HTTP/2 (default)</BlankDesc>
                     <OptionValues>
                         <http1>HTTP/1.1</http1>
                         <http2>HTTP/2</http2>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index ef1a10481b..be973608af 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -76,38 +76,19 @@
     #   Purpose: The trusted proxy section is important when using CDNs so that headers are trusted.
     #            Credential logging is useful for troubleshooting basic auth.
     #}
-    {% set accessListUuid = generalSettings.accesslist %}
-    {% set logCredentials = generalSettings.LogCredentials %}
-    {% set enableLayer4 = generalSettings.EnableLayer4 %}
-
-    {% set hasAccessList = false %}
-    {% set hasLogCredentials = false %}
-    {% set hasEnableLayer4 = false %}
-
-    {% if accessListUuid %}
-        {% set accessList = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', accessListUuid) | first %}
-        {% if accessList %}
-            {% set hasAccessList = true %}
-        {% endif %}
-    {% endif %}
-
-    {% if logCredentials == '1' %}
-        {% set hasLogCredentials = true %}
-    {% endif %}
-
-    {% if enableLayer4 == '1' %}
-        {% set hasEnableLayer4 = true %}
+    {% if generalSettings.accesslist %}
+        {% set accessList = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', generalSettings.accesslist) | first %}
     {% endif %}
 
-    {% if hasAccessList or hasLogCredentials or hasEnableLayer4 %}
     servers {
-        {% if hasAccessList %}
+        protocols {{ generalSettings.HttpVersion.split(',') | join(' ') }}
+        {% if accessList %}
             trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
         {% endif %}
-        {% if hasLogCredentials %}
+        {% if generalSettings.LogCredentials|default("0") == "1" %}
             log_credentials
         {% endif %}
-        {% if hasEnableLayer4 %}
+        {% if generalSettings.EnableLayer4|default("0") == "1" %}
             listener_wrappers {
                 {# Plug the Layer 4 template in #}
                 {% include "OPNsense/Caddy/includeLayer4" %}
@@ -115,7 +96,6 @@
             }
         {% endif %}
     }
-    {% endif %}
 
     {#
     #   Section: Dynamic DNS Global Configuration

From ba9587e6edf4336bcac744af7e5c33abd7fa2351 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 16 Sep 2024 12:40:27 +0200
Subject: [PATCH 2094/3088] LICENSE/README: sync

---
 LICENSE   | 2 +-
 README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index 3d24f7ac54..e892c79234 100644
--- a/LICENSE
+++ b/LICENSE
@@ -22,6 +22,7 @@ Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
+Copyright (c) 2024 Francisco Dimattia <info@tecnoservicio.com.ar>
 Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2024 Frank Wall
 Copyright (c) 2021 Github-jjw
@@ -49,7 +50,6 @@ Copyright (c) 2017-2024 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2024 Michał Brzeziński
 Copyright (c) 2024 Mike Shuey
 Copyright (c) 2023 Mikhail Kharisov
-Copyright (c) 2012 mkirbst
 Copyright (c) 2023 mleinart
 Copyright (c) 2024 MVZ Labor Ludwigsburg GbR
 Copyright (c) 2021-2024 Nicola Pellegrini
diff --git a/README.md b/README.md
index 7b970ba603..c265b6fdec 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,7 @@ vendor/sunnyvalley -- Vendor Repository for Zenarmor (a.k.a Sensei, Next Generat
 www/OPNProxy -- OPNsense proxy additions
 www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
-www/caddy -- Easy to configure Reverse Proxy with Automatic HTTPS and Dynamic DNS
+www/caddy -- Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 www/nginx -- Nginx HTTP server and reverse proxy
 www/squid -- Squid is a caching proxy for the web
 www/web-proxy-sso -- Kerberos authentication module

From 08c4f7c380afc8a3dcc143043c852349713e2c2c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Sep 2024 07:32:41 +0200
Subject: [PATCH 2095/3088] sysutils/dec-hw: revision bump

---
 sysutils/dec-hw/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/dec-hw/Makefile b/sysutils/dec-hw/Makefile
index 4df54c2f12..aa109fcd9a 100644
--- a/sysutils/dec-hw/Makefile
+++ b/sysutils/dec-hw/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dec-hw
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Deciso hardware specific information
 PLUGIN_MAINTAINER=	stephan.de.wit@deciso.com
 PLUGIN_TIER=		2

From d42064f8195fe4f59b34493a795f37cc19bd5f91 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Sep 2024 07:35:02 +0200
Subject: [PATCH 2096/3088] dns/ddclient: bump revisio

---
 dns/ddclient/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index ea35bed1ca..f769b4053a 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.24
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From d95b1dcf77d22a7730a4acfc899c76bb578d1686 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Sep 2024 07:45:37 +0200
Subject: [PATCH 2097/3088] net/wol: revision bump

---
 net/wol/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index 7ce7348827..b878db54f1 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wol
 PLUGIN_VERSION=		2.5
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 92c782607dadf0b41cae7f1eb31254065eecfae6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Sep 2024 07:46:32 +0200
Subject: [PATCH 2098/3088] sysutils/apcupsd: revision bump

---
 sysutils/apcupsd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/apcupsd/Makefile b/sysutils/apcupsd/Makefile
index 2a79e6f8e4..f82d37451e 100644
--- a/sysutils/apcupsd/Makefile
+++ b/sysutils/apcupsd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		apcupsd
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		apcupsd
 PLUGIN_COMMENT=		APCUPSD - APC UPS daemon
 PLUGIN_MAINTAINER=	xbb@xbblabs.com

From a6f100463492843773c79e5fab159c9a31e568df Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Sep 2024 08:05:15 +0200
Subject: [PATCH 2099/3088] security/etpro-telemetry: add missing ACL; closes
 #4232

---
 security/etpro-telemetry/Makefile                         | 2 +-
 .../mvc/app/models/OPNsense/ProofpointET/ACL/ACL.xml      | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 security/etpro-telemetry/src/opnsense/mvc/app/models/OPNsense/ProofpointET/ACL/ACL.xml

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 05041a7cbf..5877c38ca3 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html
diff --git a/security/etpro-telemetry/src/opnsense/mvc/app/models/OPNsense/ProofpointET/ACL/ACL.xml b/security/etpro-telemetry/src/opnsense/mvc/app/models/OPNsense/ProofpointET/ACL/ACL.xml
new file mode 100644
index 0000000000..7233fdbd04
--- /dev/null
+++ b/security/etpro-telemetry/src/opnsense/mvc/app/models/OPNsense/ProofpointET/ACL/ACL.xml
@@ -0,0 +1,8 @@
+<acl>
+    <page-dashboard-widget-etpro-telemetry>
+        <name>Dashboard: ET Pro Telemetry widget</name>
+        <patterns>
+            <pattern>api/diagnostics/proofpoint_et/status</pattern>
+        </patterns>
+    </page-dashboard-widget-etpro-telemetry>
+</acl>

From 27bb69523f4a036acc37bc682eaa27e85b85ce4d Mon Sep 17 00:00:00 2001
From: Naomi Rennie-Waldock <naomi.renniewaldock@gmail.com>
Date: Thu, 19 Sep 2024 15:17:55 +0100
Subject: [PATCH 2100/3088] dns/bind: Add option to allow the rndc-key for zone
 transfers (#4177)

---
 .../Bind/forms/dialogEditBindPrimaryDomain.xml      |  6 ++++++
 .../mvc/app/models/OPNsense/Bind/Domain.xml         |  1 +
 .../service/templates/OPNsense/Bind/named.conf      | 13 +++++++++----
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
index 3a296f636d..8439403d18 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
@@ -17,6 +17,12 @@
         <type>select_multiple</type>
         <help>Define the ACLs where you allow which server can retrieve this zone.</help>
     </field>
+    <field>
+        <id>domain.allowrndctransfer</id>
+        <label>Allow RDNC key transfer</label>
+        <type>checkbox</type>
+        <help>Allow transfers via the RDNC key named "rndc-key". The key is shown in the general tab.</help>
+    </field>
     <field>
         <id>domain.allowquery</id>
         <label>Allow Query</label>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index e6ea2505d0..4541eb182b 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -61,6 +61,7 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowtransfer>
+                <allowrndctransfer type="BooleanField"/>
                 <allowquery type="ModelRelationField">
                     <Model>
                         <template>
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index d479cfa163..00bf5afbbb 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -164,12 +164,17 @@ zone "{{ domain.domainname }}" {
 {%       else %}
         file "/usr/local/etc/namedb/primary/{{ domain.domainname }}.db";
 {%       endif %}
-{%      if domain.allowtransfer is defined %}
+{%      if domain.allowtransfer is defined or (domain.allowrndctransfer is defined and domain.allowrndctransfer == "1") %}
         allow-transfer {
-{%              for acl in domain.allowtransfer.split(',') %}
-{%              set transfer_acl = helpers.getUUID(acl) %}
+{%              if domain.allowrndctransfer is defined and domain.allowrndctransfer == "1" %}
+                key "rndc-key";
+{%              endif %}
+{%              if domain.allowtransfer is defined %}
+{%                for acl in domain.allowtransfer.split(',') %}
+{%                  set transfer_acl = helpers.getUUID(acl) %}
                 {{ transfer_acl.name }};
-{%              endfor %}
+{%                endfor %}
+{%              endif %}
         };
 {%      endif %}
 {%      if domain.allowquery is defined %}

From e894be0e1ae3529c24b6d2b3d19e59074802b35a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 19 Sep 2024 15:21:53 +0100
Subject: [PATCH 2101/3088] dns/bind: light refactor for better diff

---
 dns/bind/Makefile                                  |  3 +--
 dns/bind/pkg-descr                                 |  4 ++++
 .../service/templates/OPNsense/Bind/named.conf     | 14 +++++++-------
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index ad9f68174d..b903a0bc5d 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.32
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.33
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind918
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index c03a02f2be..a4e2f5250b 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -9,6 +9,10 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.33
+
+* Add option to allow the rndc-key for zone transfers (contributed by Naomi Rennie-Waldock)
+
 1.32
 
 * Fix handling of multiple ACLs in allow-query/allow-transfer (contributed by Nathan Rennie-Waldock)
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 00bf5afbbb..6b833e19a9 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -166,15 +166,15 @@ zone "{{ domain.domainname }}" {
 {%       endif %}
 {%      if domain.allowtransfer is defined or (domain.allowrndctransfer is defined and domain.allowrndctransfer == "1") %}
         allow-transfer {
-{%              if domain.allowrndctransfer is defined and domain.allowrndctransfer == "1" %}
+{%          if domain.allowrndctransfer is defined and domain.allowrndctransfer == "1" %}
                 key "rndc-key";
-{%              endif %}
-{%              if domain.allowtransfer is defined %}
-{%                for acl in domain.allowtransfer.split(',') %}
-{%                  set transfer_acl = helpers.getUUID(acl) %}
+{%          endif %}
+{%          if domain.allowtransfer is defined %}
+{%              for acl in domain.allowtransfer.split(',') %}
+{%              set transfer_acl = helpers.getUUID(acl) %}
                 {{ transfer_acl.name }};
-{%                endfor %}
-{%              endif %}
+{%              endfor %}
+{%          endif %}
         };
 {%      endif %}
 {%      if domain.allowquery is defined %}

From 1e934b0c08b5130aa0ed16786ba774360797b64c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 19 Sep 2024 15:34:18 +0100
Subject: [PATCH 2102/3088] dns/bind: style in model definitions

---
 .../mvc/app/models/OPNsense/Bind/Acl.xml      |  4 +-
 .../mvc/app/models/OPNsense/Bind/Dnsbl.xml    | 10 ++--
 .../mvc/app/models/OPNsense/Bind/Domain.xml   | 40 +++++----------
 .../mvc/app/models/OPNsense/Bind/General.xml  | 49 +++++++------------
 .../mvc/app/models/OPNsense/Bind/Record.xml   |  9 ++--
 5 files changed, 41 insertions(+), 71 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
index c7dd887851..870ee9ec03 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
@@ -6,11 +6,10 @@
         <acls>
             <acl type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <default></default>
                     <Required>Y</Required>
                     <mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z_\-]{1,32}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, A-Z, _ and -. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
@@ -22,7 +21,6 @@
                     </Constraints>
                 </name>
                 <networks type="NetworkField">
-                    <default></default>
                     <FieldSeparator>,</FieldSeparator>
                     <Required>Y</Required>
                     <asList>Y</asList>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Dnsbl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Dnsbl.xml
index 119dbf76fc..103db84e29 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Dnsbl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Dnsbl.xml
@@ -4,7 +4,7 @@
     <version>1.0.5</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <type type="OptionField">
@@ -41,19 +41,19 @@
             <Required>N</Required>
         </whitelists>
         <forcesafegoogle type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </forcesafegoogle>
         <forcesafeduckduckgo type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </forcesafeduckduckgo>
         <forcesafeyoutube type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </forcesafeyoutube>
         <forcestrictbing type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </forcestrictbing>
     </items>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 4541eb182b..4f885f4bae 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -6,11 +6,11 @@
         <domains>
             <domain type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <type type="OptionField">
-                    <default>primary</default>
+                    <Default>primary</Default>
                     <Required>Y</Required>
                     <OptionValues>
                         <primary>primary</primary>
@@ -18,12 +18,10 @@
                     </OptionValues>
                 </type>
                 <primaryip type="NetworkField">
-                    <Required>N</Required>
                     <FieldSeparator>,</FieldSeparator>
                     <asList>Y</asList>
                 </primaryip>
                 <transferkeyalgo type="OptionField">
-                    <Required>N</Required>
                     <OptionValues>
                         <hmac-sha512>HMAC-SHA512</hmac-sha512>
                         <hmac-sha384>HMAC-SHA384</hmac-sha384>
@@ -33,21 +31,13 @@
                         <hmac-md5>HMAC-MD5</hmac-md5>
                     </OptionValues>
                 </transferkeyalgo>
-                <transferkeyname type="TextField">
-                    <Required>N</Required>
-                    <default></default>
-                </transferkeyname>
-                <transferkey type="TextField">
-                    <Required>N</Required>
-                    <default></default>
-                </transferkey>
+                <transferkeyname type="TextField"/>
+                <transferkey type="TextField"/>
                 <allownotifysecondary type="NetworkField">
-                    <Required>N</Required>
                     <FieldSeparator>,</FieldSeparator>
                     <asList>Y</asList>
                 </allownotifysecondary>
                 <domainname type="TextField">
-                    <default></default>
                     <Required>Y</Required>
                 </domainname>
                 <allowtransfer type="ModelRelationField">
@@ -59,7 +49,6 @@
                         </template>
                     </Model>
                     <Multiple>Y</Multiple>
-                    <Required>N</Required>
                 </allowtransfer>
                 <allowrndctransfer type="BooleanField"/>
                 <allowquery type="ModelRelationField">
@@ -71,56 +60,53 @@
                         </template>
                     </Model>
                     <Multiple>Y</Multiple>
-                    <Required>N</Required>
                 </allowquery>
                 <allowrndcupdate type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </allowrndcupdate>
-                <serial type="TextField">
-                    <Required>N</Required>
-                </serial>
+                <serial type="TextField"/>
                 <ttl type="IntegerField">
-                    <default>86400</default>
+                    <Default>86400</Default>
                     <Required>Y</Required>
                     <MinimumValue>60</MinimumValue>
                     <MaximumValue>86400</MaximumValue>
                     <ValidationMessage>Set a value between 60 and 86400.</ValidationMessage>
                 </ttl>
                 <refresh type="IntegerField">
-                    <default>21600</default>
+                    <Default>21600</Default>
                     <Required>Y</Required>
                     <MinimumValue>60</MinimumValue>
                     <MaximumValue>86400</MaximumValue>
                     <ValidationMessage>Set a value between 60 and 86400.</ValidationMessage>
                 </refresh>
                 <retry type="IntegerField">
-                    <default>3600</default>
+                    <Default>3600</Default>
                     <Required>Y</Required>
                     <MinimumValue>60</MinimumValue>
                     <MaximumValue>86400</MaximumValue>
                     <ValidationMessage>Set a value between 60 and 86400.</ValidationMessage>
                 </retry>
                 <expire type="IntegerField">
-                    <default>3542400</default>
+                    <Default>3542400</Default>
                     <Required>Y</Required>
                     <MinimumValue>60</MinimumValue>
                     <MaximumValue>10000000</MaximumValue>
                     <ValidationMessage>Set a value between 60 and 10000000.</ValidationMessage>
                 </expire>
                 <negative type="IntegerField">
-                    <default>3600</default>
+                    <Default>3600</Default>
                     <Required>Y</Required>
                     <MinimumValue>60</MinimumValue>
                     <MaximumValue>86400</MaximumValue>
                     <ValidationMessage>Set a value between 60 and 86400.</ValidationMessage>
                 </negative>
                 <mailadmin type="TextField">
-                    <default>mail.opnsense.localdomain</default>
+                    <Default>mail.opnsense.localdomain</Default>
                     <Required>Y</Required>
                 </mailadmin>
                 <dnsserver type="HostnameField">
-                    <default>opnsense.localdomain</default>
+                    <Default>opnsense.localdomain</Default>
                     <Required>Y</Required>
                 </dnsserver>
             </domain>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 9935dbae45..72e771fbc8 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -4,73 +4,67 @@
     <version>1.0.12</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <disablev6 type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </disablev6>
         <enablerpz type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </enablerpz>
         <listenv4 type="NetworkField">
-            <default>0.0.0.0</default>
+            <Default>0.0.0.0</Default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <asList>Y</asList>
         </listenv4>
         <listenv6 type="NetworkField">
-            <default>::</default>
+            <Default>::</Default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <asList>Y</asList>
         </listenv6>
         <querysource type="NetworkField">
-            <Required>N</Required>
             <AddressFamily>ipv4</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
         </querysource>
         <querysourcev6 type="NetworkField">
-            <Required>N</Required>
             <AddressFamily>ipv6</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
         </querysourcev6>
         <transfersource type="NetworkField">
-            <Required>N</Required>
             <AddressFamily>ipv4</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
         </transfersource>
         <transfersourcev6 type="NetworkField">
-            <Required>N</Required>
             <AddressFamily>ipv6</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
         </transfersourcev6>
         <port type="PortField">
-            <default>53530</default>
+            <Default>53530</Default>
             <Required>Y</Required>
         </port>
         <forwarders type="NetworkField">
             <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
             <asList>Y</asList>
         </forwarders>
         <filteraaaav4 type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </filteraaaav4>
         <filteraaaav6 type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </filteraaaav6>
         <filteraaaaacl type="NetworkField">
             <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
             <asList>Y</asList>
         </filteraaaaacl>
         <logsize type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>1000</MaximumValue>
@@ -87,10 +81,10 @@
                 <dynamic value="dynamic">Dynamic</dynamic>
             </OptionValues>
             <Required>Y</Required>
-            <default>info</default>
+            <Default>info</Default>
         </general_log_level>
         <maxcachesize type="IntegerField">
-            <default>80</default>
+            <Default>80</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>99</MaximumValue>
@@ -105,7 +99,6 @@
                 </template>
             </Model>
             <Multiple>Y</Multiple>
-            <Required>N</Required>
             <ValidationMessage>Choose an ACL.</ValidationMessage>
         </recursion>
         <allowtransfer type="ModelRelationField">
@@ -117,7 +110,6 @@
                 </template>
             </Model>
             <Multiple>Y</Multiple>
-            <Required>N</Required>
         </allowtransfer>
         <allowquery type="ModelRelationField">
             <Model>
@@ -128,48 +120,45 @@
                 </template>
             </Model>
             <Multiple>Y</Multiple>
-            <Required>N</Required>
         </allowquery>
         <dnssecvalidation type="OptionField">
             <OptionValues>
                 <no>No</no>
                 <auto>Auto</auto>
             </OptionValues>
-            <default>no</default>
-            <Multiple>N</Multiple>
+            <Default>no</Default>
             <Required>Y</Required>
         </dnssecvalidation>
         <hidehostname type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </hidehostname>
         <hideversion type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </hideversion>
         <disableprefetch type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </disableprefetch>
         <enableratelimiting type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enableratelimiting>
         <ratelimitcount type="IntegerField">
-            <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>1000</MaximumValue>
             <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
         </ratelimitcount>
         <ratelimitexcept type="NetworkField">
-            <default>0.0.0.0,::</default>
+            <Default>0.0.0.0,::</Default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <asList>Y</asList>
         </ratelimitexcept>
         <rndcalgo type="OptionField">
             <Required>Y</Required>
-            <default>hmac-sha256</default>
+            <Default>hmac-sha256</Default>
             <OptionValues>
                 <hmac-sha512>HMAC-SHA512</hmac-sha512>
                 <hmac-sha384>HMAC-SHA384</hmac-sha384>
@@ -181,7 +170,7 @@
         </rndcalgo>
         <rndcsecret type="Base64Field">
             <Required>Y</Required>
-            <default>VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=</default>
+            <Default>VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=</Default>
         </rndcsecret>
     </items>
 </model>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
index 2e806041ce..ccb589cbfa 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Record.xml
@@ -6,7 +6,7 @@
         <records>
             <record type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <domain type="ModelRelationField">
@@ -19,12 +19,9 @@
                         </template>
                     </Model>
                 </domain>
-                <name type="TextField">
-                    <default></default>
-                    <Required>N</Required>
-                </name>
+                <name type="TextField"/>
                 <type type="OptionField">
-                    <default>A</default>
+                    <Default>A</Default>
                     <Required>Y</Required>
                     <OptionValues>
                         <A>A</A>

From 7faded335d3880cac2cffb7ddf4039b75bd5f7b2 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 20 Sep 2024 15:09:49 +0200
Subject: [PATCH 2103/3088] www/caddy: Handler and other dialogue form cleanup
 (#4242)

* www/caddy: Cleanup Handle, Domain and Layer4 dialogue. Convert all TLS checkboxes to dropdowns for consistency.

* www/caddy: Remove all hints from forms that do not imply a default value. Change the position of some options. Improve some help texts.

* www/caddy: Refactor dialogHandler to hide options based on selections or inside advanced mode.

* www/caddy: Remove boldness from tabs since it renders strange in some browsers. Change spot of HttpTls in handler.

* www/caddy: Add Access header with advanced mode.

* www/caddy: Final touches on the improved dialogHandle.

* www/caddy: Changelog

* www/caddy: Access is inside handler

* www/caddy: Caddy Domains widget opens links to domains in new tab.

* www/caddy: Improve Domain and Subdomain dialogue, rename Bootgrid options for consistency.

* www/caddy: Mark ACME as default.

* www/caddy: Last tweaks to dialogDomain.
---
 www/caddy/Makefile                            |   3 +-
 www/caddy/pkg-descr                           |   7 +
 .../OPNsense/Caddy/forms/dialogAccessList.xml |   2 -
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 124 +++++++++---------
 .../OPNsense/Caddy/forms/dialogHeader.xml     |   2 -
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |  32 ++---
 .../Caddy/forms/dialogReverseProxy.xml        |  59 ++++-----
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |  29 ++--
 .../OPNsense/Caddy/forms/general.xml          |  12 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  31 +++--
 .../app/views/OPNsense/Caddy/diagnostics.volt |   4 -
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  57 +++++---
 .../opnsense/www/js/widgets/CaddyDomain.js    |   2 +-
 13 files changed, 199 insertions(+), 165 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 0a0183dace..2581e24c63 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.7.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.7.1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 38f7cbb899..8f4f1679f2 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,13 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.7.1
+
+* Add: Frontend HTTP Version can be selected in General Settings, can be used to disable QUIC protocol
+* Change: Caddy Domains widget will now open links to managed websites in new browser tabs
+* Cleanup: TLS checkboxes have been converted to dropdowns with http/https for clarity
+* Cleanup: Layer4, Domain and Handle dialogues have been cleaned up, some options are now hidden in advanced mode
+
 1.7.0
 
 * Add: Layer4 protocols: DNS
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index 0d51368f6a..b38f500fdb 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -23,14 +23,12 @@
         <id>accesslist.HttpResponseCode</id>
         <label>HTTP Response Code</label>
         <type>text</type>
-        <hint>403</hint>
         <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list does not match. Setting this will replace "Abort Connections" only for this access list. All clients will stay connected but will receive the response code.]]></help>
     </field>
     <field>
         <id>accesslist.HttpResponseMessage</id>
         <label>HTTP Response Message</label>
         <type>text</type>
-        <hint>Forbidden</hint>
         <help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 85ac5b0c46..b8402eccac 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -5,6 +5,16 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this handler.]]></help>
     </field>
+    <field>
+        <id>handle.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this handler.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Frontend</label>
+    </field>
     <field>
         <id>handle.reverse</id>
         <label>Domain</label>
@@ -15,59 +25,80 @@
         <id>handle.subdomain</id>
         <label>Subdomain</label>
         <type>dropdown</type>
+        <style>Subdomain</style>
         <help><![CDATA[Select a subdomain to handle. Make sure to additionaly choose a wildcard domain as "Domain". Leave unset, if not using subdomains.]]></help>
     </field>
-    <field>
-        <id>handle.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this handler.]]></help>
-    </field>
     <field>
         <type>header</type>
-        <label>Handle</label>
-        <collapse>true</collapse>
+        <label>Handler</label>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HandleType</id>
-        <label>Handle Type</label>
+        <label>Handler</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a handling directive. "handle" (default) will keep the URI of "Handle URI" in all requests. "handle_path" will strip the URI of "Handle URI" from all requests.]]></help>
+        <help><![CDATA[Choose a handling directive. "handle" (default) will keep the path in all requests. "handle_path" will strip the path from all requests.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HandlePath</id>
-        <label>Handle URI</label>
+        <label>Path</label>
         <type>text</type>
-        <help><![CDATA[Enter an URI to handle. Choose a pattern like "/*" or "/example/*". Leave empty to catch all URIs (recommended). Any request matching this pattern will be handled.]]></help>
+        <hint>any</hint>
+        <help><![CDATA[Enter a path to handle. Choose a pattern like "/*" or "/example/*". Leave empty to handle any paths (recommended). Any request matching this pattern will be reverse proxied.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <type>header</type>
         <label>Access</label>
-        <collapse>true</collapse>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>handle.ForwardAuth</id>
         <label>Forward Auth</label>
         <type>checkbox</type>
         <help><![CDATA[Enable or disable Forward Auth. Requires an "Auth Provider" in "General Settings". Headers are set automatically to the standard of the chosen provider. Enabling this option will additionally generate the forward_auth directive in front of the reverse_proxy directive inside the scope of this handler.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <type>header</type>
         <label>Header</label>
-        <collapse>true</collapse>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>handle.header</id>
-        <label>Header Manipulation</label>
+        <label>HTTP Headers</label>
         <type>dropdown</type>
         <type>select_multiple</type>
         <size>5</size>
-        <help><![CDATA[Select one or multiple header manipulations. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
+        <help><![CDATA[Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <type>header</type>
         <label>Upstream</label>
     </field>
+    <field>
+        <id>handle.HttpVersion</id>
+        <label>HTTP Version</label>
+        <type>dropdown</type>
+        <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires HTTPS, and only establishes connections to webservers that also support HTTP/3.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HttpKeepalive</id>
+        <label>HTTP Keepalive</label>
+        <type>text</type>
+        <hint>120</hint>
+        <help><![CDATA[Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.HttpTls</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the upstream destination. Caddy uses HTTP with the upstream destination by default.]]></help>
+    </field>
     <field>
         <id>handle.ToDomain</id>
         <label>Upstream Domain</label>
@@ -75,7 +106,7 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <hint>192.168.1.1</hint>
-        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration".]]></help>
+        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration" in advanced mode.]]></help>
     </field>
     <field>
         <id>handle.ToPort</id>
@@ -88,71 +119,42 @@
         <id>handle.ToPath</id>
         <label>Upstream Path</label>
         <type>text</type>
-        <help><![CDATA[Enter a path prefix like "/guacamole" that should be prepended to the upstream request because the application demands it.]]></help>
+        <help><![CDATA[Enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path.]]></help>
         <advanced>true</advanced>
     </field>
-    <field>
-        <id>handle.HttpTlsInsecureSkipVerify</id>
-        <label>TLS Insecure Skip Verify</label>
-        <type>checkbox</type>
-        <help><![CDATA[Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>Health Check</label>
-        <collapse>true</collapse>
-    </field>
     <field>
         <id>handle.PassiveHealthFailDuration</id>
         <label>Upstream Fail Duration</label>
         <type>text</type>
         <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
-        <type>header</type>
-        <label>HTTP Transport</label>
-        <collapse>true</collapse>
-    </field>
-    <field>
-        <id>handle.HttpVersion</id>
-        <label>HTTP Version</label>
-        <type>dropdown</type>
-        <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires TLS, and only establishes connections to webservers that also support HTTP/3.]]></help>
-    </field>
-    <field>
-        <id>handle.HttpKeepalive</id>
-        <label>HTTP Keepalive</label>
-        <type>text</type>
-        <hint>120</hint>
-        <help><![CDATA[Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>Trust</label>
-        <collapse>true</collapse>
-    </field>
-    <field>
-        <id>handle.HttpTls</id>
-        <label>TLS</label>
-        <type>checkbox</type>
-        <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the upstream destination. Caddy uses HTTP with the upstream destination by default.]]></help>
-    </field>
-    <field>
-        <id>handle.HttpNtlm</id>
-        <label>NTLM</label>
+        <id>handle.HttpTlsInsecureSkipVerify</id>
+        <label>TLS Insecure Skip Verify</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
+        <style>HttpTls</style>
+        <help><![CDATA[Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".]]></help>
     </field>
     <field>
         <id>handle.HttpTlsTrustedCaCerts</id>
         <label>TLS Trust Pool</label>
         <type>dropdown</type>
+        <style>HttpTls</style>
         <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
     </field>
     <field>
         <id>handle.HttpTlsServerName</id>
         <label>TLS Server Name</label>
         <type>text</type>
+        <style>HttpTls</style>
         <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trust Pool", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
     </field>
+    <field>
+        <id>handle.HttpNtlm</id>
+        <label>NTLM</label>
+        <type>checkbox</type>
+        <style>HttpTls</style>
+        <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
index 070e8b6038..df19819f0c 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
@@ -8,14 +8,12 @@
     <field>
         <id>header.HeaderType</id>
         <label>Header Type</label>
-        <hint>Host</hint>
         <type>text</type>
         <help><![CDATA[Enter a header, for example "Host". Use the "+" or "-" prefix to add or remove this header, for example "-Host" or "+Host". A suffix match like "-Host-*" is also supported. To replace a header, use "Host" without "+" or "-".]]></help>
     </field>
     <field>
         <id>header.HeaderValue</id>
         <label>Header Value</label>
-        <hint>{upstream_hostport}</hint>
         <type>text</type>
         <help><![CDATA[Enter a value for the selected header. One of the most common options is "{upstream_hostport}". It is also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.]]></help>
     </field>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index bbc7d6b308..acac47c8cb 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -5,6 +5,16 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this Layer4 route.]]></help>
     </field>
+    <field>
+        <id>layer4.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this Layer4 route.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Frontend</label>
+    </field>
     <field>
         <id>layer4.FromDomain</id>
         <label>Domain</label>
@@ -19,6 +29,10 @@
         <type>dropdown</type>
         <help><![CDATA[Match the traffic of the selected domains. The TCP/UDP packets will be routed to the selected upstream domains without terminating TLS or altering the traffic. Only protocols that send a "Client Hello" (like TLS), or a "Host Header" (like HTTP) can be routed here. Routing Precedence: 1. "SSH (or other protocols)", 2. "HTTP (Host Header)", 3. "TLS (SNI)", 4. "TLS (inverted SNI)", 5. "HTTP Handlers" (hidden default route for all unmatched traffic). The "SSH" matcher (and any other matcher that does not evaluate Host Header or SNI), will match any SSH like traffic on the default ports. That means, these protocols will only match once per ruleset and will proxy traffic to one upstream.]]></help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Upstream</label>
+    </field>
     <field>
         <id>layer4.ToDomain</id>
         <label>Upstream Domain</label>
@@ -33,33 +47,19 @@
         <type>text</type>
         <help><![CDATA[Choose a custom port for the upstream destination.]]></help>
     </field>
-    <field>
-        <id>layer4.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this Layer4 route.]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>Health Check</label>
-        <collapse>true</collapse>
-    </field>
     <field>
         <id>layer4.PassiveHealthFailDuration</id>
         <label>Upstream Fail Duration</label>
         <type>text</type>
         <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>Proxy Protocol</label>
-        <collapse>true</collapse>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>layer4.ProxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
         <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <type>header</type>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 56f2562ddf..5cba4c1a26 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -5,18 +5,28 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this domain.]]></help>
     </field>
+    <field>
+        <id>reverse.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this domain.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Frontend</label>
+    </field>
     <field>
         <id>reverse.DisableTls</id>
         <label>Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[When choosing HTTPS, the ACME HTTP-01, TLS-ALPN-01 or DNS-01 challenge will be used to get automatic Let's Encrypt or ZeroSSL certificates, without the need of any additional plugin. When choosing HTTP, it will disable HTTP over TLS (HTTPS) for this domain, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
+        <help><![CDATA[When choosing HTTP, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
     </field>
     <field>
         <id>reverse.FromDomain</id>
         <label>Domain</label>
         <type>text</type>
         <hint>example.com</hint>
-        <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". Using a base domain enables automatic "Let's Encrypt" and "ZeroSSL" certificates by default. For a wildcard domain, use "*.example.com". Only use wildcard domains with wildcard certificates, which require a DNS Provider. Adding a wildcard domain and pressing "Apply" will activate the "Subdomain" Tab, in which subdomains can be configured.]]></help>
+        <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". For a wildcard domain, use "*.example.com". Adding a wildcard domain and pressing "Apply" will activate the "Subdomain" Tab, in which subdomains can be configured. Using subdomains requires a "DNS Provider" and the "DNS-01 Challenge" or a custom certificate.]]></help>
     </field>
     <field>
         <id>reverse.FromPort</id>
@@ -26,44 +36,31 @@
         <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule. If the default ports have been changed in "General Settings", leaving this empty will use the chosen alternative ports instead.]]></help>
     </field>
     <field>
-        <id>reverse.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this domain.]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>DNS</label>
-        <collapse>true</collapse>
-    </field>
-    <field>
-        <id>reverse.DynDns</id>
-        <label>Dynamic DNS</label>
-        <type>checkbox</type>
-        <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this domain will be automatically updated.]]></help>
+        <id>reverse.CustomCertificate</id>
+        <label>Certificate</label>
+        <type>dropdown</type>
+        <style>DisableTls</style>
+        <help><![CDATA[Choose ACME to get automatic certificates with the built in ACME client; no additional plugin required. The "HTTP-01", "TLS-ALPN-01" or "DNS-01" challenge will be used to get automatic "Let's Encrypt" or "ZeroSSL" certificates. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
     </field>
     <field>
-        <type>header</type>
-        <label>Trust</label>
-        <collapse>true</collapse>
+        <id>reverse.AcmePassthrough</id>
+        <label>HTTP-01 Challenge Redirection</label>
+        <type>text</type>
+        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>reverse.DnsChallenge</id>
         <label>DNS-01 Challenge</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable the DNS-01 challenge for this domain. Requires a "DNS Provider" in "General Settings". This is mostly only needed for wildcard domains, or when the HTTP-01 and TLS-ALPN-01 challenge can not be used due to restrictive firewall policies.]]></help>
-    </field>
-    <field>
-        <id>reverse.CustomCertificate</id>
-        <label>Custom Certificate</label>
-        <type>dropdown</type>
-        <help><![CDATA[Choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
+        <style>DisableTls</style>
+        <help><![CDATA[Enable the DNS-01 Challenge for this domain. Requires a "DNS Provider" in "General Settings". This is only needed for wildcard domains, or when the default challenges can not be used due to restrictive firewall policies.]]></help>
     </field>
     <field>
-        <id>reverse.AcmePassthrough</id>
-        <label>HTTP-01 Challenge Redirection</label>
-        <type>text</type>
-        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
+        <id>reverse.DynDns</id>
+        <label>Dynamic DNS</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this domain will be automatically updated. A wildcard domain will create a "*.example.com" record. A base domain will create a "example.com" or "opn.example.com" record. Some providers need subdomains to set records for domains like "opn.example.com"; in that case use the checkbox in the subdomains tab.]]></help>
     </field>
     <field>
         <type>header</type>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 49e3b51a04..8711c4a968 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -5,6 +5,16 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this subdomain.]]></help>
     </field>
+    <field>
+        <id>subdomain.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this subdomain.]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Frontend</label>
+    </field>
     <field>
         <id>subdomain.reverse</id>
         <label>Domain</label>
@@ -16,18 +26,7 @@
         <label>Subdomain</label>
         <type>text</type>
         <hint>opn.example.com</hint>
-        <help><![CDATA[Enter a subdomain. For example, "opn.example.com" if the wildcard domain is "*.example.com". All subdomains use the same ports as their parent wildcard domain.]]></help>
-    </field>
-    <field>
-        <id>subdomain.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this subdomain.]]></help>
-    </field>
-    <field>
-        <type>header</type>
-        <label>DNS</label>
-        <collapse>true</collapse>
+        <help><![CDATA[Enter a subdomain. For example, "opn.example.com" if the wildcard domain is "*.example.com". All subdomains use the same ports and protocols as their parent wildcard domain.]]></help>
     </field>
     <field>
         <id>subdomain.DynDns</id>
@@ -35,16 +34,12 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this subdomain will be automatically updated.]]></help>
     </field>
-    <field>
-        <type>header</type>
-        <label>Trust</label>
-        <collapse>true</collapse>
-    </field>
     <field>
         <id>subdomain.AcmePassthrough</id>
         <label>HTTP-01 Challenge Redirection</label>
         <type>text</type>
         <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this subdomain.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <type>header</type>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index beb0b5ef18..09ef4f2ab7 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -211,6 +211,12 @@
             <type>dropdown</type>
             <help><![CDATA[Select a Forward Auth Provider. It can be added inside a "Handler" by enabling the "Forward Auth" checkbox. For Authelia only the basic subdomain example is supported. More information: https://www.authelia.com/integration/proxies/caddy/#basic-examples. For Authentik custom headers are not supported. More information: https://docs.goauthentik.io/docs/providers/proxy/server_caddy]]></help>
         </field>
+        <field>
+            <id>caddy.general.AuthToTls</id>
+            <label>Protocol</label>
+            <type>dropdown</type>
+            <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the Forward Auth Provider.]]></help>
+        </field>
         <field>
             <id>caddy.general.AuthToDomain</id>
             <label>Forward Auth Domain</label>
@@ -223,12 +229,6 @@
             <type>text</type>
             <help><![CDATA[Enter the listen port of the chosen Forward Auth Provider.]]></help>
         </field>
-        <field>
-            <id>caddy.general.AuthToTls</id>
-            <label>TLS</label>
-            <type>checkbox</type>
-            <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the Forward Auth Provider.]]></help>
-        </field>
         <field>
             <id>caddy.general.AuthToUri</id>
             <label>Forward Auth URI</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 243b323b06..e489d2f6e0 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -157,7 +157,14 @@
             </AuthProvider>
             <AuthToDomain type="HostnameField"/>
             <AuthToPort type="PortField"/>
-            <AuthToTls type="BooleanField"/>
+            <AuthToTls type="OptionField">
+                <Required>Y</Required>
+                <Default>0</Default>
+                <OptionValues>
+                    <http value="0">http://</http>
+                    <https value="1">https://</https>
+                </OptionValues>
+            </AuthToTls>
             <AuthToUri type="TextField">
                 <Mask>/^(\/.*)?$/u</Mask>
                 <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
@@ -199,7 +206,9 @@
                 </basicauth>
                 <description type="DescriptionField"/>
                 <DnsChallenge type="BooleanField"/>
-                <CustomCertificate type="CertificateField"/>
+                <CustomCertificate type="CertificateField">
+                    <BlankDesc>ACME (HTTP-01, TLS-ALPN-01)</BlankDesc>
+                </CustomCertificate>
                 <AccessLog type="BooleanField"/>
                 <DynDns type="BooleanField"/>
                 <AcmePassthrough type="HostnameField"/>
@@ -207,8 +216,8 @@
                     <Required>Y</Required>
                     <Default>0</Default>
                     <OptionValues>
-                        <https value="0">HTTPS (default)</https>
-                        <http value="1">HTTP</http>
+                        <https value="0">https://</https>
+                        <http value="1">http://</http>
                     </OptionValues>
                 </DisableTls>
             </reverse>
@@ -269,8 +278,8 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.reverse</items>
-                            <display>FromDomain,FromPort</display>
-                            <display_format>%s %s</display_format>
+                            <display>DisableTls,FromDomain,FromPort</display>
+                            <display_format>%s%s %s</display_format>
                         </reverseproxy>
                     </Model>
                 </reverse>
@@ -324,10 +333,16 @@
                     <ValidationMessage>Please enter a value between 1 to 100.</ValidationMessage>
                 </PassiveHealthFailDuration>
                 <ForwardAuth type="BooleanField"/>
-                <HttpTls type="BooleanField">
+                <HttpTls type="OptionField">
+                    <Required>Y</Required>
+                    <Default>0</Default>
+                    <OptionValues>
+                        <http value="0">http://</http>
+                        <https value="1">https://</https>
+                    </OptionValues>
                     <Constraints>
                         <check001>
-                            <ValidationMessage>TLS and NTLM must be enabled at the same time.</ValidationMessage>
+                            <ValidationMessage>HTTPS and NTLM must be enabled at the same time.</ValidationMessage>
                             <type>DependConstraint</type>
                             <addFields>
                                 <field1>HttpNtlm</field1>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
index 259c6e141f..4d9a3dc9f8 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
@@ -133,10 +133,6 @@
 </script>
 
 <style>
-    .nav-tabs a {
-        font-weight: bold;
-    }
-
     .custom-style .content-box {
         padding: 10px;
     }
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index b56cba21fc..6d3aca02f2 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -184,6 +184,7 @@
                     // Check for wildcards in domains to toggle Subdomains tab
                     const hasWildcard = Object.values(response.caddy.reverseproxy.reverse).some(entry => entry.FromDomain.startsWith('*'));
                     toggleTabVisibility('#tab-subdomains', hasWildcard);
+                    toggleSubdomainOptions(hasWildcard);
 
                     // Check if Layer 4 is enabled to toggle the Layer 4 tab
                     const enableLayer4 = response.caddy.general.EnableLayer4 === '1';
@@ -214,6 +215,19 @@
             }
         }
 
+        /**
+         * Toggles the visibility of Subdomain options in dialogHandle based on wildcard domain existence.
+         *
+         * @param {boolean} hasWildcard - Whether a wildcard domain exists.
+         */
+        function toggleSubdomainOptions(hasWildcard) {
+            if (hasWildcard) {
+                $(".Subdomain").closest('tr').show();
+            } else {
+                $(".Subdomain").closest('tr').hide();
+            }
+        }
+
         // Hide message area when starting new actions
         $('input, select, textarea').on('change', function() {
             $("#messageArea").hide();
@@ -299,6 +313,23 @@
             }
         });
 
+        // Show TLS options based on chosen protocol
+        $("#handle\\.HttpTls").change(function() {
+            if ($(this).val() === "0") {
+                $(".HttpTls").closest('tr').hide();
+            } else {
+                $(".HttpTls").closest('tr').show();
+            }
+        });
+
+        $("#reverse\\.DisableTls").change(function() {
+            if ($(this).val() === "1") {
+                $(".DisableTls").closest('tr').hide();
+            } else {
+                $(".DisableTls").closest('tr').show();
+            }
+        });
+
         // Initialize tabs, service control and filter selectpicker
         initializeTabs();
         updateServiceControlUI('caddy');
@@ -320,10 +351,6 @@
         font-style: italic;
     }
 
-    .nav-tabs a {
-        font-weight: bold;
-    }
-
 </style>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
@@ -360,16 +387,16 @@
                         <tr>
                             <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                             <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                            <th data-column-id="DisableTls" data-type="string">{{ lang._('Protocol') }}</th>
                             <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
                             <th data-column-id="FromPort" data-type="string">{{ lang._('Port') }}</th>
                             <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
                             <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
-                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('DNS-01 challenge') }}</th>
+                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('DNS-01 Challenge') }}</th>
                             <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
                             <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('HTTP Access Log') }}</th>
-                            <th data-column-id="CustomCertificate" data-type="string" data-visible="false">{{ lang._('Custom Certificate') }}</th>
-                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 redirection') }}</th>
-                            <th data-column-id="DisableTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Disable TLS') }}</th>
+                            <th data-column-id="CustomCertificate" data-type="string" data-visible="false">{{ lang._('Certificate') }}</th>
+                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 Challenge Redirection') }}</th>
                             <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
@@ -405,7 +432,7 @@
                             <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
                             <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
                             <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
-                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 redirection') }}</th>
+                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 Challenge Redirection') }}</th>
                             <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
@@ -438,18 +465,18 @@
                             <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                             <th data-column-id="reverse" data-type="string">{{ lang._('Domain') }}</th>
                             <th data-column-id="subdomain" data-type="string">{{ lang._('Subdomain') }}</th>
-                            <th data-column-id="HandleType" data-type="string" data-visible="false">{{ lang._('Handle Type') }}</th>
-                            <th data-column-id="HandlePath" data-type="string" data-visible="false">{{ lang._('Handle Path') }}</th>
-                            <th data-column-id="header" data-type="string" data-visible="false">{{ lang._('Header') }}</th>
+                            <th data-column-id="HandleType" data-type="string" data-visible="false">{{ lang._('Handler') }}</th>
+                            <th data-column-id="HandlePath" data-type="string" data-visible="false">{{ lang._('Path') }}</th>
+                            <th data-column-id="header" data-type="string" data-visible="false">{{ lang._('HTTP Headers') }}</th>
+                            <th data-column-id="HttpTls" data-type="string" data-visible="false">{{ lang._('Protocol') }}</th>
                             <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
                             <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
                             <th data-column-id="ToPath" data-type="string" data-visible="false">{{ lang._('Upstream Path') }}</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
+                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Upstream Fail Duration') }}</th>
                             <th data-column-id="ForwardAuth" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Forward Auth') }}</th>
-                            <th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS') }}</th>
                             <th data-column-id="HttpVersion" data-type="string" data-visible="false">{{ lang._('HTTP Version') }}</th>
                             <th data-column-id="HttpKeepalive" data-type="string" data-visible="false">{{ lang._('HTTP Keepalive') }}</th>
-                            <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS CA') }}</th>
+                            <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS Trust Pool') }}</th>
                             <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">{{ lang._('TLS Server Name') }}</th>
                             <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('NTLM') }}</th>
                             <th data-column-id="HttpTlsInsecureSkipVerify" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS Insecure Skip Verify') }}</th>
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
index a43f51050a..c544cfe6f8 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -91,7 +91,7 @@ export default class CaddyDomain extends BaseTableWidget {
                             data-tooltip="caddy-domain-${domainPort}" title="${tooltipText}">
                         </i>
                         &nbsp;
-                        <a class="caddy-domainport" href="/ui/caddy/reverse_proxy">
+                        <a class="caddy-domainport" href="https://${domainPort}" target="_blank">
                             ${domainPort}
                         </a>
                     </div>

From b8699cde8cf210e864e4bfab7329dcaaf40ec995 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sun, 22 Sep 2024 09:53:55 +0200
Subject: [PATCH 2104/3088] www/caddy: Allow access lists in handlers (#4245)

* www/caddy: Allow access lists in handlers. The new unique_suffix constructs the named matcher so that it is always unique. Also small bug that the invert did not render was fixed.

* www/caddy: Create inline access list logic that matches in the scope of a handler before the reverse_proxy directive, effectively blocking connections on matched IPs before they process further.

* www/caddy: Rework access list feature to use a single macro and work the same in domains, subdomains and handlers. Remove abort statement from general settings since the new logic makes it mandatory.

* www/caddy: Actually add the new template to the commit

* www/caddy: Hide Access List Response Code in advanced mode, since abort is now the standard action. Add changelog.

* www/caddy: Remove default values from Access List Response, since abort is the default. Add it as hint to dialogAccessList. Fix two small bugs: Layer4 ports do not render since the generalSettings was missing, Subdomains do not have ports, so replace with description.
---
 www/caddy/pkg-descr                           |  6 ++
 .../OPNsense/Caddy/forms/dialogAccessList.xml |  7 +-
 .../OPNsense/Caddy/forms/dialogHandle.xml     |  7 ++
 .../OPNsense/Caddy/forms/general.xml          |  6 --
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 13 +++-
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  1 +
 .../templates/OPNsense/Caddy/Caddyfile        | 77 +++++++------------
 7 files changed, 58 insertions(+), 59 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 8f4f1679f2..6585ef2233 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -16,9 +16,15 @@ Plugin Changelog
 1.7.1
 
 * Add: Frontend HTTP Version can be selected in General Settings, can be used to disable QUIC protocol
+* Add: Access Lists can now be defined per HTTP Handler in advanced mode
 * Change: Caddy Domains widget will now open links to managed websites in new browser tabs
+* Change: To select tls_insecure_skip_verify in a HTTP Handler, the protocol https:// must be chosen
+* Change: Abort from General Settings has been removed, it is now automatically added to all Access Lists
+* Cleanup: Caddyfile template logic for Access Lists has been rewritten
 * Cleanup: TLS checkboxes have been converted to dropdowns with http/https for clarity
 * Cleanup: Layer4, Domain and Handle dialogues have been cleaned up, some options are now hidden in advanced mode
+* Fix: Layer4 default ports did not render due to regression in previous version
+* Fix: Invert in Access Lists did not render due to regression in previous version
 
 1.7.0
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index b38f500fdb..50c2718ab9 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -23,13 +23,16 @@
         <id>accesslist.HttpResponseCode</id>
         <label>HTTP Response Code</label>
         <type>text</type>
-        <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list does not match. Setting this will replace "Abort Connections" only for this access list. All clients will stay connected but will receive the response code.]]></help>
+        <hint>abort</hint>
+        <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list does not match. If empty, the connection is aborted with no response.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>accesslist.HttpResponseMessage</id>
         <label>HTTP Response Message</label>
         <type>text</type>
-        <help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code.]]></help>
+        <help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code. If empty, the default HTTP response message for the chosen HTTP response code will be used.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>accesslist.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index b8402eccac..6cbba6939f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -53,6 +53,13 @@
         <label>Access</label>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>handle.accesslist</id>
+        <label>Access List</label>
+        <type>dropdown</type>
+        <help><![CDATA[Select an Access List to restrict access to this handler. If unset, any local or remote client is allowed access.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>handle.ForwardAuth</id>
         <label>Forward Auth</label>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 09ef4f2ab7..3b87e2cc14 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -59,12 +59,6 @@
             <type>dropdown</type>
             <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
         </field>
-        <field>
-            <id>caddy.general.abort</id>
-            <label>Abort Connections</label>
-            <type>checkbox</type>
-            <help><![CDATA[Abort all connections that don't have a matching Handle or Access List. This option does not conflict with "Let's Encrypt" or "ZeroSSL". Disable it for troubleshooting purposes, e.g., testing if the "Domain" works and the automatic certificate has been installed. For production use, enabling this option is recommended.]]></help>
-        </field>
         <field>
             <id>caddy.general.GracePeriod</id>
             <label>Grace Period</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index e489d2f6e0..d04bda3df2 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -84,7 +84,6 @@
                     </reverseproxy>
                 </Model>
             </accesslist>
-            <abort type="BooleanField"/>
             <DisableSuperuser type="OptionField">
                 <Required>Y</Required>
                 <Default>0</Default>
@@ -288,7 +287,7 @@
                         <reverseproxy>
                             <source>OPNsense.Caddy.Caddy</source>
                             <items>reverseproxy.subdomain</items>
-                            <display>FromDomain,FromPort</display>
+                            <display>FromDomain,description</display>
                             <display_format>%s %s</display_format>
                         </reverseproxy>
                     </Model>
@@ -305,6 +304,16 @@
                     <Mask>/^(\/.*)?$/u</Mask>
                     <ValidationMessage>Please enter a valid Path that starts with '/'.</ValidationMessage>
                 </HandlePath>
+                <accesslist type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.accesslist</items>
+                            <display>accesslistName,description</display>
+                            <display_format>%s %s</display_format>
+                        </reverseproxy>
+                    </Model>
+                </accesslist>
                 <header type="ModelRelationField">
                     <Model>
                         <reverseproxy>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 6d3aca02f2..2473da5bf7 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -474,6 +474,7 @@
                             <th data-column-id="ToPath" data-type="string" data-visible="false">{{ lang._('Upstream Path') }}</th>
                             <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Upstream Fail Duration') }}</th>
                             <th data-column-id="ForwardAuth" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Forward Auth') }}</th>
+                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
                             <th data-column-id="HttpVersion" data-type="string" data-visible="false">{{ lang._('HTTP Version') }}</th>
                             <th data-column-id="HttpKeepalive" data-type="string" data-visible="false">{{ lang._('HTTP Keepalive') }}</th>
                             <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS Trust Pool') }}</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index be973608af..a710e61eda 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -234,7 +234,7 @@
 #   There are no regressions to set these ports up.
 #}
 
-{% if enableLayer4|default("0") == "1" %}
+{% if generalSettings.EnableLayer4|default("0") == "1" %}
     # Layer4 default HTTP port
     {% if httpPort %}
         :{{ httpPort }} {
@@ -379,6 +379,8 @@ http://{{ domain }} {
 #}
 {% macro reverse_proxy_configuration(handle) %}
     {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
+        {{ handle_accesslist(handle.accesslist) }}
+        {# All IPs not matched by accesslist will continue processing #}
         {% if handle.ForwardAuth|default("0") == "1" %}
             {% include "OPNsense/Caddy/includeAuthProvider" %}
         {% endif %}
@@ -433,25 +435,29 @@ http://{{ domain }} {
 
 {#
 #   Macro: handle_accesslist
-#   Purpose: Manages the logic for access lists, including configuration and handling.
+#   Purpose: Manages the logic for access lists, used for handlers, domains and subdomains
 #   Parameters:
 #   @param accesslist (string): The UUID of the access list to be applied.
-#   @param content (string): The content to be wrapped in the access list handler.
-#   @param invert (boolean): A flag that inverts the logic of the access list.
 #}
-{% macro handle_accesslist(accesslist, content, invert=false) %}
+{% macro handle_accesslist(accesslist) %}
+    {# Access list logic for dropping connections based on IP #}
     {% if accesslist %}
         {% set accesslist_obj = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', accesslist) | first %}
-        {% set client_ips = accesslist_obj.clientIps.split(',') %}
-        {% set client_ips_space_separated = client_ips | join(' ') %}
-        @{{ accesslist_obj['@uuid'] }} {
-            {{ 'not' if invert or accesslist_obj.accesslistenvert|default("0") == "1" else '' }} client_ip {{ client_ips_space_separated }}
-        }
-        handle @{{ accesslist_obj['@uuid'] }} {
-            {{ content }}
-        }
-    {% else %}
-        {{ content }}
+        {% if accesslist_obj %}
+            {% set client_ips = accesslist_obj.clientIps.split(',') | join(' ') %}
+            @{{ accesslist_obj['@uuid'] }} {
+                {# Non-inverted access lists have "not" as default, inverted ones '' #}
+                {{ 'not' if accesslist_obj.accesslistInvert|default("0") == "0" else '' }} client_ip {{ client_ips }}
+            }
+            {# When IP is matched, abort or send response code. This will end processing and drop the request #}
+            handle @{{ accesslist_obj['@uuid'] }} {
+                {% if accesslist_obj.HttpResponseCode %}
+                    respond {{ '"' + accesslist_obj.HttpResponseMessage + '"' if accesslist_obj.HttpResponseMessage else '' }} {{ accesslist_obj.HttpResponseCode }}
+                {% else %}
+                    abort
+                {% endif %}
+            }
+        {% endif %}
     {% endif %}
 {% endmacro %}
 
@@ -474,25 +480,6 @@ http://{{ domain }} {
     {% endif %}
 {% endmacro %}
 
-{#
-#   Macro: handle_response
-#   Purpose: Manages the response logic for access lists and aborts.
-#   Parameters:
-#   @param accesslist (object): The access list object containing response settings.
-#   @param general_abort (string): The global abort setting.
-#}
-{% macro handle_response(accesslist, general_abort) %}
-    {% if accesslist %}
-        {% if accesslist.HttpResponseCode or accesslist.HttpResponseMessage %}
-            respond {{ '"' + accesslist.HttpResponseMessage|default('') + '"' if accesslist.HttpResponseMessage else '' }} {{ accesslist.HttpResponseCode|default(403) }}
-        {% elif general_abort == "1" %}
-            abort
-        {% endif %}
-    {% elif general_abort == "1" %}
-        abort
-    {% endif %}
-{% endmacro %}
-
 {#
 #   Macro: render_handles
 #   Purpose: Renders the handles in the correct order (path-specific first, then catch-all),
@@ -567,25 +554,17 @@ http://{{ domain }} {
                     }
                     handle @{{ subdomain['@uuid'] }} {
                         {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
-                        {% set subdomain_content %}
-                            {{ render_handles(subdomain_handles, subdomain.basicauth) }}
-                        {% endset %}
-                        {{ handle_accesslist(subdomain.accesslist, subdomain_content) }}
-
-                        {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', subdomain.accesslist) | first %}
-                        {{ handle_response(accesslist, Pischem.caddy.general.abort|default("0")) }}
+                        {{ handle_accesslist(subdomain.accesslist) }}
+                        {# All IPs not matched by accesslist will continue processing #}
+                        {{ render_handles(subdomain_handles, subdomain.basicauth) }}
                     }
                 {% endif %}
             {% endfor %}
 
-            {% set wildcard_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
-            {% set wildcard_content %}
-                {{ render_handles(wildcard_handles, reverse.basicauth) }}
-            {% endset %}
-            {{ handle_accesslist(reverse.accesslist, wildcard_content) }}
-
-            {% set accesslist = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', reverse.accesslist) | first %}
-            {{ handle_response(accesslist, Pischem.caddy.general.abort|default("0")) }}
+            {% set domain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
+            {{ handle_accesslist(reverse.accesslist) }}
+            {# All IPs not matched by accesslist will continue processing #}
+            {{ render_handles(domain_handles, reverse.basicauth) }}
         }
     {% endif %}
 {% endfor %}

From f8dc24af670992b5861acc51abbc5d536cfc7769 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 23 Sep 2024 10:12:09 +0200
Subject: [PATCH 2105/3088] dns/bind: happy trigger switch to bind 9.20 on
 devel package

---
 dns/bind/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index b903a0bc5d..03621be6e4 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.33
 PLUGIN_COMMENT=		BIND domain name service
-PLUGIN_DEPENDS=		bind918
+PLUGIN_DEPENDS=		bind920
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From 110f48dae177830283cbf01b8b442822adb7dfcc Mon Sep 17 00:00:00 2001
From: Mark Keisler <mark@mitsein.net>
Date: Mon, 23 Sep 2024 19:53:18 -0500
Subject: [PATCH 2106/3088] security/acme-client: Update "OPNsense certificate
 storage" link to correct href

---
 .../mvc/app/views/OPNsense/AcmeClient/certificates.volt       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index c0483969bf..7c6fa8ae76 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -466,8 +466,8 @@ POSSIBILITY OF SUCH DAMAGE.
             <p>{{ lang._('The following principles apply when managing certificates with this plugin:') }}</p>
             <ul>
               <li>{{ lang._('Certificates must be %svalidated%s by the CA before they can be used. This process runs in the background and may take several minutes to complete. The progress can be monitored by using the %slog files%s.') | format('<b>', '</b>', '<a href="/ui/acmeclient/logs">', '</a>') }}</li>
-              <li>{{ lang._('Certificates are stored in the %sOPNsense certificate storage%s. When a CA has completed the validation of a certificate request, the resulting certificate is then automatically imported into the OPNsense certificate storage. The same applies when renewing certificates, the existing entry in the OPNsense certificate storage will automatically be updated.') | format('<a href="/system_certmanager.php">', '</a>') }}</li>
-              <li>{{ lang._('When removing a certificate from the plugin, the certificate in the %sOPNsense certificate storage%s is %sNOT removed%s, because it may still be used by a core application or another plugin. Obsolete certificates should be manually removed from the OPNsense certificate storage. Note that when creating a new certificate with the same name, a new certificated will be imported into the OPNsense certificate storage (instead of updating the existing entry).') | format('<a href="/system_certmanager.php">', '</a>', '<b>', '</b>') }}</li>
+              <li>{{ lang._('Certificates are stored in the %sOPNsense certificate storage%s. When a CA has completed the validation of a certificate request, the resulting certificate is then automatically imported into the OPNsense certificate storage. The same applies when renewing certificates, the existing entry in the OPNsense certificate storage will automatically be updated.') | format('<a href="/ui/trust/cert">', '</a>') }}</li>
+              <li>{{ lang._('When removing a certificate from the plugin, the certificate in the %sOPNsense certificate storage%s is %sNOT removed%s, because it may still be used by a core application or another plugin. Obsolete certificates should be manually removed from the OPNsense certificate storage. Note that when creating a new certificate with the same name, a new certificated will be imported into the OPNsense certificate storage (instead of updating the existing entry).') | format('<a href="/ui/trust/cert">', '</a>', '<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('When experiencing issues, try setting the log level to "debug" on the %ssettings%s page.') | format('<a href="/ui/acmeclient#settings">', '</a>') }}</p>
         </div>

From ebc0085ba874b71e861c0b5f6334f663dbc19681 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 26 Sep 2024 09:36:23 +0200
Subject: [PATCH 2107/3088] dns/rfc2136: port to plugins_argument_map()

---
 dns/rfc2136/Makefile                              | 2 +-
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 7 ++-----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index 0b739b1895..ff070041ec 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index fd9588e359..affb2fb465 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -91,19 +91,16 @@ function rfc2136_configure_do($verbose = false, $int = null, $updatehost = '', $
 {
     global $config;
 
-    if (!rfc2136_enabled()) {
+    if (!rfc2136_enabled() || !plugins_argument_map($int)) {
         return;
     }
 
-    /* $int is passed as an optional CSV so transform into empty array when not set */
-    $int = !empty($int) ? explode(',', $int) : [];
-
     service_log('Configuring RFC 2136 clients...', $verbose);
 
     foreach ($config['dnsupdates']['dnsupdate'] as $i => $dnsupdate) {
         if (!isset($dnsupdate['enable'])) {
             continue;
-        } elseif (count($int) && !in_array($dnsupdate['interface'], $int)) {
+        } elseif (!empty($int) && !in_array($dnsupdate['interface'], $int)) {
             continue;
         } elseif (!empty($updatehost) && ($updatehost != $dnsupdate['host'])) {
             continue;

From 1233676ed14c5cd5e964ca4b8cb10f2ba4fea8bb Mon Sep 17 00:00:00 2001
From: franciscodimattia <59030809+franciscodimattia@users.noreply.github.com>
Date: Fri, 27 Sep 2024 11:04:01 -0300
Subject: [PATCH 2108/3088] Update Smart.js to use detailed API (#4257)

---
 .../src/opnsense/www/js/widgets/Smart.js      | 30 +++++++------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
index b46419e0c2..3ae73ea709 100644
--- a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
+++ b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
@@ -41,31 +41,21 @@ export default class Smart extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        if (this.disks && this.disks.devices) {
-            for (const device of this.disks.devices) {
+        let disks = await ajaxCall(`/api/smart/service/list/detailed`, {}, null);
+        if (disks && disks.devices) {
+            const rows = [];
+            for (const device of disks.devices) {
                 try {
-                    const data = await this.ajaxCall('/api/smart/service/info', { type: "H", device });
-                    const health = data.output.includes("PASSED");
-                    $(`#${device}`).css({ color: health ? "green" : "red", fontSize: '150%' });
-                    $(`#${device}`).text(health ? "OK" : "FAILED");
+                    const health = device.state.smart_status.passed;
+                    const text = health ? "OK" : "FAILED";
+                    const css = { color: health ? "green" : "red", fontSize: '150%' };
+                    const field = $(`<span id="${device.device}">`).text(text).css(css).prop('outerHTML');
+                    rows.push([[device.device], field]);
                 } catch (error) {
-                    super.updateTable('smart-table', [[["Error"], $(`<span>${this.translations.nosmart} ${device}: ${error}</span>`).prop('outerHTML')]]);
+                    super.updateTable('smart-table', [[["Error"], $(`<span>${this.translations.nosmart} ${device.device}: ${error}</span>`).prop('outerHTML')]]);
                 }
             }
-        }
-    }
-
-    async onMarkupRendered() {
-        try {
-            this.disks = await this.ajaxCall('/api/smart/service/list', {});
-            const rows = [];
-            for (const device of this.disks.devices) {
-                const field = $(`<span id="${device}">`).prop('outerHTML');
-                rows.push([[device], field]);
-            }
             super.updateTable('smart-table', rows);
-        } catch (error) {
-            super.updateTable('smart-table', [[["Error"], $(`<span>${this.translations.nodisk}: ${error}</span>`).prop('outerHTML')]]);
         }
     }
 }

From 2ccfa77efee1a5d2b9be5e3938c9608199a8ab74 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Sep 2024 16:07:36 +0200
Subject: [PATCH 2109/3088] sysutils/smart: fix ACL lint complaints

---
 sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml | 3 +--
 sysutils/smart/src/opnsense/www/js/widgets/Smart.js           | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml b/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
index 0d94d7d899..a18760b458 100644
--- a/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
+++ b/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
@@ -2,8 +2,7 @@
     <smart>
         <filename>Smart.js</filename>
         <endpoints>
-            <endpoint>/api/smart/service/list</endpoint>
-            <endpoint>/api/smart/service/info</endpoint>
+            <endpoint>/api/smart/service/*</endpoint>
         </endpoints>
         <translations>
             <title>SMART Status</title>
diff --git a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
index 3ae73ea709..c5a6dc24bd 100644
--- a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
+++ b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
@@ -41,7 +41,7 @@ export default class Smart extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        let disks = await ajaxCall(`/api/smart/service/list/detailed`, {}, null);
+        let disks = await this.ajaxCall(`/api/smart/service/${'list/detailed'}`, {}, null);
         if (disks && disks.devices) {
             const rows = [];
             for (const device of disks.devices) {

From c00f0ac007fd1ca0846ac6b1002b8c69de99f3c0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Sep 2024 16:08:04 +0200
Subject: [PATCH 2110/3088] sysutils/smart: can change version now

---
 sysutils/smart/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index bdacbc9e01..2afa17e450 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		smart
-PLUGIN_VERSION=		2.2
-PLUGIN_REVISION=	6
+PLUGIN_VERSION=		2.3
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org

From bd009e41c3031453009da074225a307565d1a45d Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 27 Sep 2024 19:48:51 +0200
Subject: [PATCH 2111/3088] www/caddy: Force caddy to restart if a reload takes
 too long (#4261)

* www/caddy: Patch behavior of caddy hanging during a reload or restart in some circumstances. This will avoid caddy waiting indefinitely when the NTLM module is active. After the Grace Period is over, there is a hard kill and restart. Since the template already regenerated the configuration, the new one will be used when Caddy starts.

* www/caddy: Bump revision and add changelog
---
 www/caddy/Makefile                            |  1 +
 www/caddy/pkg-descr                           |  1 +
 .../OPNsense/Caddy/forms/general.xml          |  2 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  4 +-
 .../scripts/OPNsense/Caddy/caddy_control.py   | 52 ++++++++++++++++---
 5 files changed, 49 insertions(+), 11 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 2581e24c63..00b7379f05 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.7.1
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 6585ef2233..47d8458bba 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -25,6 +25,7 @@ Plugin Changelog
 * Cleanup: Layer4, Domain and Handle dialogues have been cleaned up, some options are now hidden in advanced mode
 * Fix: Layer4 default ports did not render due to regression in previous version
 * Fix: Invert in Access Lists did not render due to regression in previous version
+* Fix: When Apply takes longer than 20 seconds, Caddy will be forcefully restarted
 
 1.7.0
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 3b87e2cc14..43afbb0ada 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -64,7 +64,7 @@
             <label>Grace Period</label>
             <type>text</type>
             <hint>10</hint>
-            <help><![CDATA[Defines the grace period for shutting down Caddy during a reload in seconds. During the grace period, no new connections are accepted, idle connections are closed, and active connections are impatiently waited upon to finish their requests. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close.]]></help>
+            <help><![CDATA[Defines the grace period for shutting down Caddy during a reload in seconds. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close. If the grace period is over and Caddy is unresponsive, there will be a forced kill and service restart.]]></help>
         </field>
     </tab>
     <tab id="general-logsettings" description="Log Settings">
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index d04bda3df2..c4ae85caf4 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -95,8 +95,8 @@
             <GracePeriod type="IntegerField">
                 <Default>10</Default>
                 <MinimumValue>1</MinimumValue>
-                <MaximumValue>3600</MaximumValue>
-                <ValidationMessage>Please enter a valid Grace Period between 1 and 3600 seconds.</ValidationMessage>
+                <MaximumValue>20</MaximumValue>
+                <ValidationMessage>Please enter a valid Grace Period between 1 and 20 seconds.</ValidationMessage>
                 <Required>Y</Required>
             </GracePeriod>
             <HttpVersion type="OptionField">
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
index add576358d..8acc99f2b8 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
@@ -29,14 +29,41 @@
 import subprocess
 import json
 import sys
+import os
+import signal
+import time
+
+
+def kill_and_start_caddy(pidfile):
+    """
+    Caddy can fail to reload in rare circumstances when
+    persistent keepalive connections are open with the NTLM
+    module active
+    """
+    if os.path.exists(pidfile):
+        try:
+            with open(pidfile, 'r') as f:
+                pid = int(f.read().strip())
+
+            os.kill(pid, signal.SIGKILL)
+            time.sleep(2)
+            subprocess.run(["service", "caddy", "start"], check=True)
+        except Exception as e:
+            print(f"Error: {str(e)}")
+    else:
+        subprocess.run(["service", "caddy", "start"], check=True)
 
 
 def run_service_command(service_action, action_message):
+    """
+    Includes special actions like a validation and
+    timeouts that force a restart when caddy is unresponsive
+    """
     result = {"message": action_message}
+    pidfile = "/var/run/caddy/caddy.pid"
 
     if service_action == "validate":
         try:
-            # Validate the Caddyfile with explicit --config flag, capturing both stdout and stderr
             validation_output = subprocess.check_output(
                 ["caddy", "validate", "--config", "/usr/local/etc/caddy/Caddyfile"], stderr=subprocess.STDOUT,
                 text=True)
@@ -44,16 +71,27 @@ def run_service_command(service_action, action_message):
                 result["status"] = "ok"
                 result["message"] = "Caddy configuration is valid."
             else:
-                # Search for the specific error message
                 error_msg = next((line for line in validation_output.split('\n') if line.startswith("Error:")),
                                  "Caddy configuration is not valid.")
                 result["status"] = "failed"
                 result["message"] = error_msg
         except subprocess.CalledProcessError as e:
-            # Extracting only the specific "Error: ..." line from the output
             error_msg = next((line for line in e.output.split('\n') if line.startswith("Error:")), "Validation failed.")
             result["status"] = "failed"
             result["message"] = error_msg
+    elif service_action in ["stop", "restart", "reloadssl"]:
+        try:
+            proc = subprocess.Popen(["service", "caddy", service_action])
+            try:
+                proc.wait(timeout=20)
+                result["status"] = "ok"
+            except subprocess.TimeoutExpired:
+                kill_and_start_caddy(pidfile)
+                result["status"] = "ok"
+                result["message"] = f"{service_action.capitalize()} took too long, Caddy was forcefully restarted."
+        except subprocess.CalledProcessError as e:
+            result["status"] = "failed"
+            result["message"] = str(e)
     else:
         try:
             subprocess.run(["service", "caddy", service_action], check=True)
@@ -71,14 +109,12 @@ def run_service_command(service_action, action_message):
     "stop": "stop",
     "restart": "restart",
     "reload": "reloadssl",
-    # Reloadssl reloads even if the config in the Caddyfile is unchanged, using an extra command of the rc.d script,
-    # forcing certificates in the filesystem to be reloaded.
-    "validate": "validate"  # Validate action
+    "validate": "validate"
 }
 
 if __name__ == "__main__":
     if len(sys.argv) > 1:
-        action = sys.argv[1]  # Get the action from the command-line argument
+        action = sys.argv[1]
         if action in actions:
             cmd_action = action
             service_action = actions[action]
@@ -86,7 +122,7 @@ def run_service_command(service_action, action_message):
 
             # Call setup script for 'validate' and 'reloadssl' actions. This is needed because the setup script triggers
             # the caddy_certs.php script, which exports all certificates into the filesystem. Caddy reloads certificates
-            # when reloadssl is used. Because it is a non standard command, the caddy_setup script will not be triggered
+            # when reloadssl is used. Because it is a non-standard command, the caddy_setup script will not be triggered
             # in /etc/rc.conf.d/caddy. The validate command needs it to make sure all certificates are in the filesystem,
             # because otherwise the validation fails.
             if service_action in ["validate", "reloadssl"]:

From 1d692d95719ace8651d79be345a1981e78612749 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 28 Sep 2024 23:02:19 +0200
Subject: [PATCH 2112/3088] Squashed commit of the following:

commit f70158ab043ec0c2d5b31f469b0b36c3e1445df6
Author: Ad Schellevis <ad@opnsense.org>
Date:   Sat Sep 28 22:53:12 2024 +0200

    Routing: OSPFv3 - style cleanups for https://github.com/opnsense/plugins/pull/4247

commit 549ee36704f5f40ee2a556eeac0d52b54f880455
Author: Mike Shuey <shuey@fmepnet.org>
Date:   Sat Sep 21 11:47:05 2024 -0700

    Set up networks, prefix lists, and route maps for OSPF6
---
 .../Quagga/Api/Ospf6settingsController.php    |  78 ++++-
 .../OPNsense/Quagga/Ospf6Controller.php       |   3 +
 .../Quagga/forms/dialogEditOSPF6Interface.xml |   1 +
 .../Quagga/forms/dialogEditOSPF6Network.xml   |  41 +++
 .../forms/dialogEditOSPF6PrefixLists.xml      |  32 +++
 .../Quagga/forms/dialogEditOSPF6RouteMaps.xml |  38 +++
 .../OPNsense/Quagga/forms/ospf6.xml           |   7 +-
 .../mvc/app/models/OPNsense/Quagga/OSPF6.xml  | 153 ++++++++--
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  | 266 +++++++++++++-----
 .../templates/OPNsense/Quagga/ospf6d.conf     |  72 ++++-
 10 files changed, 577 insertions(+), 114 deletions(-)
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Network.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6PrefixLists.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6RouteMaps.xml

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
index 0046b5df7a..5019e029be 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- *    Copyright (C) 2015-2017 Deciso B.V.
+ *    Copyright (C) 2015-2024 Deciso B.V.
  *    Copyright (C) 2015 Jos Schellevis <jos@opnsense.org>
  *    Copyright (C) 2017 Fabian Franz
  *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
@@ -40,29 +40,101 @@ class Ospf6settingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'ospf6';
     protected static $internalModelClass = '\OPNsense\Quagga\OSPF6';
+
+    public function searchNetworkAction()
+    {
+        return $this->searchBase('networks.network');
+    }
     public function searchInterfaceAction()
     {
-        return $this->searchBase('interfaces.interface', array("enabled", "interfacename", "area", "networktype"));
+        return $this->searchBase('interfaces.interface');
+    }
+    public function searchPrefixlistAction()
+    {
+        return $this->searchBase('prefixlists.prefixlist');
+    }
+    public function searchRoutemapAction()
+    {
+        return $this->searchBase('routemaps.routemap');
+    }
+    public function getNetworkAction($uuid = null)
+    {
+        return $this->getBase('network', 'networks.network', $uuid);
     }
     public function getInterfaceAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('interface', 'interfaces.interface', $uuid);
     }
+    public function getPrefixlistAction($uuid = null)
+    {
+        return $this->getBase('prefixlist', 'prefixlists.prefixlist', $uuid);
+    }
+    public function getRoutemapAction($uuid = null)
+    {
+        return $this->getBase('routemap', 'routemaps.routemap', $uuid);
+    }
+    public function addNetworkAction()
+    {
+        return $this->addBase('network', 'networks.network');
+    }
     public function addInterfaceAction()
     {
         return $this->addBase('interface', 'interfaces.interface');
     }
+    public function addPrefixlistAction()
+    {
+        return $this->addBase('prefixlist', 'prefixlists.prefixlist');
+    }
+    public function addRoutemapAction()
+    {
+        return $this->addBase('routemap', 'routemaps.routemap');
+    }
+    public function delNetworkAction($uuid)
+    {
+        return $this->delBase('networks.network', $uuid);
+    }
     public function delInterfaceAction($uuid)
     {
         return $this->delBase('interfaces.interface', $uuid);
     }
+    public function delPrefixlistAction($uuid)
+    {
+        return $this->delBase('prefixlists.prefixlist', $uuid);
+    }
+    public function delRoutemapAction($uuid)
+    {
+        return $this->delBase('routemaps.routemap', $uuid);
+    }
+    public function setNetworkAction($uuid)
+    {
+        return $this->setBase('network', 'networks.network', $uuid);
+    }
     public function setInterfaceAction($uuid)
     {
         return $this->setBase('interface', 'interfaces.interface', $uuid);
     }
+    public function setPrefixlistAction($uuid)
+    {
+        return $this->setBase('prefixlist', 'prefixlists.prefixlist', $uuid);
+    }
+    public function setRoutemapAction($uuid)
+    {
+        return $this->setBase('routemap', 'routemaps.routemap', $uuid);
+    }
+    public function toggleNetworkAction($uuid)
+    {
+        return $this->toggleBase('networks.network', $uuid);
+    }
     public function toggleInterfaceAction($uuid)
     {
         return $this->toggleBase('interfaces.interface', $uuid);
     }
+    public function togglePrefixlistAction($uuid)
+    {
+        return $this->toggleBase('prefixlists.prefixlist', $uuid);
+    }
+    public function toggleRoutemapAction($uuid)
+    {
+        return $this->toggleBase('routemaps.routemap', $uuid);
+    }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
index 60fa682411..f4863bedbe 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
@@ -30,7 +30,10 @@ class Ospf6Controller extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->ospf6Form = $this->getForm("ospf6");
+        $this->view->formDialogEditNetwork = $this->getForm("dialogEditOSPF6Network");
         $this->view->formDialogEditInterface = $this->getForm("dialogEditOSPF6Interface");
+        $this->view->formDialogEditPrefixLists = $this->getForm("dialogEditOSPF6PrefixLists");
+        $this->view->formDialogEditRouteMaps = $this->getForm("dialogEditOSPF6RouteMaps");
         $this->view->pick('OPNsense/Quagga/ospf6');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
index ec7300f00e..610edd3b20 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
@@ -30,6 +30,7 @@
     <id>interface.cost_demoted</id>
     <label>Cost (when demoted)</label>
     <type>text</type>
+    <hint>65535</hint>
   </field>
   <field>
     <id>interface.carp_depend_on</id>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Network.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Network.xml
new file mode 100644
index 0000000000..c047e03f04
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Network.xml
@@ -0,0 +1,41 @@
+<form>
+  <field>
+    <id>network.enabled</id>
+    <label>Enabled</label>
+    <type>checkbox</type>
+  </field>
+  <field>
+    <id>network.ipaddr</id>
+    <label>Network Address</label>
+    <type>text</type>
+  </field>
+  <field>
+    <id>network.netmask</id>
+    <label>Network Mask</label>
+    <type>text</type>
+  </field>
+  <field>
+    <id>network.area</id>
+    <label>Area</label>
+    <type>text</type>
+    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0. Only use Area in Interface tab or in Network tab once.</help>
+  </field>
+  <field>
+    <id>network.arearange</id>
+    <label>Area Range</label>
+    <type>text</type>
+    <help>Here you can summarize a network for this area like fe80:1234::0/64</help>
+  </field>
+  <field>
+    <id>network.linkedPrefixlistIn</id>
+    <label>Prefix-List In</label>
+    <type>dropdown</type>
+    <help>Prefix-List for inbound direction</help>
+  </field>
+  <field>
+    <id>network.linkedPrefixlistOut</id>
+    <label>Prefix-List Out</label>
+    <type>dropdown</type>
+    <help>Prefix-List for outbound direction</help>
+  </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6PrefixLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6PrefixLists.xml
new file mode 100644
index 0000000000..a1f0fce3ab
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6PrefixLists.xml
@@ -0,0 +1,32 @@
+<form>
+  <field>
+    <id>prefixlist.enabled</id>
+    <label>Enabled</label>
+    <type>checkbox</type>
+    <help>Enable / Disable</help>
+  </field>
+  <field>
+    <id>prefixlist.name</id>
+    <label>Name</label>
+    <type>text</type>
+    <help>The name of your Prefix-List, please choose one near to the result you want to achieve.</help>
+  </field>
+  <field>
+    <id>prefixlist.seqnumber</id>
+    <label>Number</label>
+    <type>text</type>
+    <help>The ACL sequence number (10-99)</help>
+  </field>
+  <field>
+    <id>prefixlist.action</id>
+    <label>Action</label>
+    <type>select_multiple</type>
+    <help>Set permit for match or deny to negate the rule.</help>
+  </field>
+  <field>
+    <id>prefixlist.network</id>
+    <label>Network</label>
+    <type>text</type>
+    <help>The network pattern you want to match. It's not validated so please be careful!</help>
+  </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6RouteMaps.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6RouteMaps.xml
new file mode 100644
index 0000000000..8d82c8ec46
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6RouteMaps.xml
@@ -0,0 +1,38 @@
+<form>
+  <field>
+    <id>routemap.enabled</id>
+    <label>Enabled</label>
+    <type>checkbox</type>
+  </field>
+  <field>
+    <id>routemap.name</id>
+    <label>Name</label>
+    <type>text</type>
+    <help>Route-map name to match and set your patterns, it will be enabled via redistribution.</help>
+  </field>
+  <field>
+    <id>routemap.action</id>
+    <label>Action</label>
+    <type>select_multiple</type>
+    <help>Set permit for match or deny to negate the rule.</help>
+  </field>
+  <field>
+    <id>routemap.id</id>
+    <label>ID</label>
+    <type>text</type>
+    <help>Route-map ID between 10 and 99. Be aware that the sorting will be done under the hood, so when you add an entry between it get's to the right position</help>
+  </field>
+  <field>
+    <id>routemap.match2</id>
+    <label>Prefix List</label>
+    <type>select_multiple</type>
+    <style>tokenize</style>
+    <allownew>true</allownew>
+  </field>
+    <field>
+    <id>routemap.set</id>
+    <label>Set</label>
+    <type>text</type>
+    <help>Free text field for your set, please be careful! You can set e.g. "local-preference 300" or "community 1:1" (http://docs.frrouting.org/en/latest/routemap.html#route-map-set-command)</help>
+  </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
index 598f8eda8c..c7295a7024 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
@@ -22,6 +22,12 @@
         <help><![CDATA[Select other routing sources, which should be redistributed to the other nodes.]]></help>
         <hint>Type or select a route source.</hint>
     </field>
+    <field>
+        <id>ospf6.redistributemap</id>
+        <label>Redistribution Map</label>
+        <type>dropdown</type>
+        <help>Route Map to set for Redistribution.</help>
+    </field>
     <field>
         <id>ospf6.routerid</id>
         <label>Router ID</label>
@@ -33,7 +39,6 @@
         <label>Advertise Default Gateway</label>
         <type>checkbox</type>
         <help>This will send the information that we have a default gateway.</help>
-        <style>opt_checkbox</style>
     </field>
     <field>
         <id>ospf6.originatealways</id>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index 177e571550..5bd6613ac9 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -12,17 +12,25 @@
             <Required>Y</Required>
         </carp_demote>
         <redistribute type="OptionField">
-                <Required>N</Required>
                 <multiple>Y</multiple>
-                <default></default>
                 <OptionValues>
                         <connected>Connected routes (directly attached subnet or host)</connected>
                         <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
                         <static>Statically configured routes</static>
                 </OptionValues>
         </redistribute>
+        <redistributemap type="ModelRelationField">
+                <Model>
+                        <template>
+                                <source>OPNsense.quagga.ospf6</source>
+                                <items>routemaps.routemap</items>
+                                <display>name</display>
+                                <group>name</group>
+                        </template>
+                </Model>
+                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
+        </redistributemap>
         <routerid type="TextField">
-                <Required>N</Required>
                 <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
         </routerid>
         <originate type="BooleanField">
@@ -34,11 +42,59 @@
             <Required>Y</Required>
         </originatealways>
         <originatemetric type="IntegerField">
-            <Required>N</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>16777214</MaximumValue>
             <ValidationMessage>Must be a number between 0 and 16777214.</ValidationMessage>
         </originatemetric>
+        <networks>
+                <network type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <!-- XXX: it would make sense to merge both into a single field "network" -->
+                        <ipaddr type="NetworkField">
+                                <Required>Y</Required>
+                                <NetMaskAllowed>N</NetMaskAllowed>
+                                <WildcardEnabled>N</WildcardEnabled>
+                                <AddressFamily>ipv6</AddressFamily>
+                        </ipaddr>
+                        <netmask type="IntegerField">
+                                <default>64</default>
+                                <MinimumValue>0</MinimumValue>
+                                <Required>Y</Required>
+                                <MaximumValue>128</MaximumValue>
+                                <ValidationMessage>Network mask must be between 0 and 128.</ValidationMessage>
+                        </netmask>
+                        <area type="TextField">
+                                <Required>Y</Required>
+                                <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                        </area>
+                        <arearange type="TextField"/>
+                        <linkedPrefixlistIn type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.ospf6</source>
+                                                <items>prefixlists.prefixlist</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
+                        </linkedPrefixlistIn>
+                        <linkedPrefixlistOut type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.ospf6</source>
+                                                <items>prefixlists.prefixlist</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
+                        </linkedPrefixlistOut>
+                </network>
+        </networks>
         <interfaces>
                 <interface type="ArrayField">
                         <enabled type="BooleanField">
@@ -46,16 +102,12 @@
                                 <Required>Y</Required>
                         </enabled>
                         <interfacename type="InterfaceField">
-                                 <Required>N</Required>
-                                 <multiple>N</multiple>
-                                 <default></default>
                                  <AllowDynamic>Y</AllowDynamic>
                                  <filters>
                                          <enable>/^(?!0).*$/</enable>
                                  </filters>
                         </interfacename>
                         <area type="TextField">
-                                <default></default>
                                 <Required>Y</Required>
                                 <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
                         </area>
@@ -64,66 +116,45 @@
                                 <Required>Y</Required>
                         </passive>
                         <cost type="IntegerField">
-                                <default></default>
                                 <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Cost must be between 0 and 4294967295.</ValidationMessage>
                         </cost>
                         <cost_demoted type="IntegerField">
-                                <default>65535</default>
                                 <MinimumValue>1</MinimumValue>
-                                <Required>N</Required>
                                 <MaximumValue>65535</MaximumValue>
                                 <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
                         </cost_demoted>
                         <carp_depend_on type="VirtualIPField">
                             <type>carp</type>
-                            <Required>N</Required>
                         </carp_depend_on>
                         <hellointerval type="IntegerField">
-                                <default></default>
                                 <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Hello interval must be between 0 and 4294967295.</ValidationMessage>
                         </hellointerval>
                         <deadinterval type="IntegerField">
-                                <default></default>
                                 <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Dead interval must be between 0 and 4294967295.</ValidationMessage>
                         </deadinterval>
                         <retransmitinterval type="IntegerField">
-                                <default></default>
                                 <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Retransmit interval must be between 0 and 4294967295.</ValidationMessage>
                         </retransmitinterval>
                         <transmitdelay type="IntegerField">
-                                <default></default>
                                 <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Transmit delay must be between 0 and 4294967295.</ValidationMessage>
                         </transmitdelay>
                         <priority type="IntegerField">
-                                <default></default>
                                 <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
                         </priority>
-			<bfd type="BooleanField">
-                                <default>0</default>
-                                <Required>N</Required>
-                        </bfd>
+			<bfd type="BooleanField"/>
                         <networktype type="OptionField">
-                                <Required>N</Required>
-                                <multiple>N</multiple>
-                                <default></default>
                                 <OptionValues>
                                         <broadcast>Broadcast multi-access network</broadcast>
                                         <point-to-point>Point-to-point network</point-to-point>
@@ -131,5 +162,67 @@
                         </networktype>
                 </interface>
         </interfaces>
+        <prefixlists>
+                <prefixlist type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <name type="TextField">
+                                <Required>Y</Required>
+                                <mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</mask>
+                                <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
+                        </name>
+                        <seqnumber type="IntegerField">
+                                <Required>Y</Required>
+                                <MinimumValue>10</MinimumValue>
+                                <MaximumValue>99</MaximumValue>
+                        </seqnumber>
+                        <action type="OptionField">
+                                <Required>Y</Required>
+                                <OptionValues>
+                                        <permit>Permit</permit>
+                                        <deny>Deny</deny>
+                                </OptionValues>
+                        </action>
+                        <network type="TextField">
+                                <Required>Y</Required>
+                        </network>
+                </prefixlist>
+        </prefixlists>
+        <routemaps>
+                <routemap type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <name type="TextField">
+                                <Required>Y</Required>
+                        </name>
+                        <action type="OptionField">
+                                <Required>Y</Required>
+                                <OptionValues>
+                                        <permit>Permit</permit>
+                                        <deny>Deny</deny>
+                                </OptionValues>
+                        </action>
+                        <id type="IntegerField">
+                                <Required>Y</Required>
+                                <MinimumValue>10</MinimumValue>
+                                <MaximumValue>99</MaximumValue>
+                        </id>
+                        <match2 type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.ospf6</source>
+                                                <items>prefixlists.prefixlist</items>
+                                                <display>name</display>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related item not found</ValidationMessage>
+                        </match2>
+                        <set type="TextField"/>
+                </routemap>
+        </routemaps>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index 6052ccd59b..8b9ff52978 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -1,8 +1,7 @@
 {#
-
-OPNsense® is Copyright © 2014 – 2023 by Deciso B.V.
-This file is Copyright © 2017 by Fabian Franz
-This file is Copyright © 2017 by Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2014 – 2024 by Deciso B.V.
+Copyright (c) 2017 by Fabian Franz
+Copyright (c) Michael Muenz <m.muenz@gmail.com></m.muenz>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,
@@ -27,22 +26,130 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
+<script>
+    'use strict';
+    $( document ).ready(function () {
+        mapDataToFormUI({'frm_ospf6_settings':"/api/quagga/ospf6settings/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        updateServiceControlUI('quagga');
+
+        // link save button to API set action
+        $("#saveAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/ospf6settings/set", 'frm_ospf6_settings', function(){
+                    dfObj.resolve();
+                });
+                return dfObj;
+            }
+        });
+
+        $("#grid-networks").UIBootgrid({
+            'search':'/api/quagga/ospf6settings/searchNetwork',
+            'get':'/api/quagga/ospf6settings/getNetwork/',
+            'set':'/api/quagga/ospf6settings/setNetwork/',
+            'add':'/api/quagga/ospf6settings/addNetwork/',
+            'del':'/api/quagga/ospf6settings/delNetwork/',
+            'toggle':'/api/quagga/ospf6settings/toggleNetwork/',
+            'options':{
+                selection:false,
+                multiSelect:false
+            }
+        });
+        $("#grid-interfaces").UIBootgrid({
+            'search':'/api/quagga/ospf6settings/searchInterface',
+            'get':'/api/quagga/ospf6settings/getInterface/',
+            'set':'/api/quagga/ospf6settings/setInterface/',
+            'add':'/api/quagga/ospf6settings/addInterface/',
+            'del':'/api/quagga/ospf6settings/delInterface/',
+            'toggle':'/api/quagga/ospf6settings/toggleInterface/',
+            'options':{
+                selection:false,
+                multiSelect:false
+            }
+        });
+        $("#grid-prefixlists").UIBootgrid({
+            'search':'/api/quagga/ospf6settings/searchPrefixlist',
+            'get':'/api/quagga/ospf6settings/getPrefixlist/',
+            'set':'/api/quagga/ospf6settings/setPrefixlist/',
+            'add':'/api/quagga/ospf6settings/addPrefixlist/',
+            'del':'/api/quagga/ospf6settings/delPrefixlist/',
+            'toggle':'/api/quagga/ospf6settings/togglePrefixlist/',
+            'options':{
+                selection:false,
+                multiSelect:false
+            }
+        });
+        $("#grid-routemaps").UIBootgrid({
+            'search':'/api/quagga/ospf6settings/searchRoutemap',
+            'get':'/api/quagga/ospf6settings/getRoutemap/',
+            'set':'/api/quagga/ospf6settings/setRoutemap/',
+            'add':'/api/quagga/ospf6settings/addRoutemap/',
+            'del':'/api/quagga/ospf6settings/delRoutemap/',
+            'toggle':'/api/quagga/ospf6settings/toggleRoutemap/',
+            'options':{
+                selection:false,
+                multiSelect:false
+            }
+        });
+
+        // hook checkbox item with conditional options
+        $("#ospf6\\.originate").change(function(){
+            if ($(this).is(':checked')) {
+                $(".ospf6_originate").closest('tr').show();
+            } else {
+                $(".ospf6_originate").closest('tr').hide();
+            }
+        });
+    });
+</script>
+
+
 
-    <!-- Navigation bar -->
-    <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-        <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
-        <li><a data-toggle="tab" href="#interfaces">{{ lang._('Interfaces') }}</a></li>
-    </ul>
-    <div class="tab-content content-box tab-content">
-        <div id="general" class="tab-pane fade in active">
-            <div class="content-box" style="padding-bottom: 1.5em;">
-                {{ partial("layout_partials/base_form",['fields':ospf6Form,'id':'frm_ospf6_settings'])}}
-                <div class="col-md-12">
-                    <hr />
-                    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-                </div>
-            </div>
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#networks">{{ lang._('Networks') }}</a></li>
+    <li><a data-toggle="tab" href="#interfaces">{{ lang._('Interfaces') }}</a></li>
+    <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
+    <li><a data-toggle="tab" href="#routemaps">{{ lang._('Route Maps') }}</a></li>
+</ul>
+<div class="tab-content content-box tab-content">
+    <div id="general" class="tab-pane fade in active">
+        <div class="content-box" style="padding-bottom: 1.5em;">
+            {{ partial("layout_partials/base_form",['fields':ospf6Form,'id':'frm_ospf6_settings'])}}
         </div>
+    </div>
+
+    <!-- Tab: Networks -->
+    <div id="networks" class="tab-pane fade in">
+      <table id="grid-networks" class="table table-responsive" data-editDialog="DialogEditNetwork">
+          <thead>
+              <tr>
+                  <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                  <th data-column-id="ipaddr" data-type="string" data-visible="true">{{ lang._('Network Address') }}</th>
+                  <th data-column-id="netmask" data-type="string" data-visible="true">{{ lang._('Mask') }}</th>
+                  <th data-column-id="area" data-type="string" data-visible="true">{{ lang._('Area') }}</th>
+                  <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                  <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                  <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+              </tr>
+          </thead>
+          <tbody>
+          </tbody>
+          <tfoot>
+              <tr>
+                  <td colspan="5"></td>
+                  <td>
+                      <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                  </td>
+              </tr>
+          </tfoot>
+      </table>
+    </div>
 
     <!-- Tab: Interfaces -->
     <div id="interfaces" class="tab-pane fade in">
@@ -64,66 +171,85 @@ POSSIBILITY OF SUCH DAMAGE.
                     <td colspan="5"></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
                     </td>
                 </tr>
             </tfoot>
         </table>
     </div>
 
+    <!-- Tab: Prefix Lists -->
+    <div id="prefixlists" class="tab-pane fade in">
+        <table id="grid-prefixlists" class="table table-responsive" data-editDialog="DialogEditPrefixLists">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowt
+oggle" data-sortable="false">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="name" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Sequence Number') }}</th>
+                    <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
+                    <th data-column-id="network" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Network') }}</th>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="5"></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
     </div>
 
-<script>
+    <!-- Tab: Route Maps -->
+    <div id="routemaps" class="tab-pane fade in">
+        <table id="grid-routemaps" class="table table-responsive" data-editDialog="DialogEditRouteMaps">
+            <thead>
+                <tr>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
+                    <th data-column-id="action" data-type="string" data-visible="true">{{ lang._('Action') }}</th>
+                    <th data-column-id="id" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
+                    <th data-column-id="match2" data-type="string" data-visible="true">{{ lang._('Prefix List') }}</th>
+                    <th data-column-id="set" data-type="string" data-visible="true">{{ lang._('Set') }}</th>
+                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td colspan="5"></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+</div>
+
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <button class="btn btn-primary __mb __mt" id="saveAct"
+                data-endpoint='/api/quagga/service/reconfigure'
+                data-label="{{ lang._('Apply') }}"
+                data-error-title="{{ lang._('Error reconfiguring OSPFv3') }}"
+                data-service-widget="quagga"
+                type="button"
+            ></button>
+        </div>
+    </div>
+</section>
 
-$( document ).ready(function() {
-  var data_get_map = {'frm_ospf6_settings':"/api/quagga/ospf6settings/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
-
-  updateServiceControlUI('quagga');
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/ospf6settings/set",formid='frm_ospf6_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-        ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-          updateServiceControlUI('quagga');
-          $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-        });
-      });
-  });
-
-  /* allow a user to manually reload the service (for forms which do not do it automatically) */
-  $('.reload_btn').click(function reload_handler() {
-    $(".reloadAct_progress").addClass("fa-spin");
-    ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-      updateServiceControlUI('quagga');
-      $(".reloadAct_progress").removeClass("fa-spin");
-    });
-  });
-
-  $("#grid-interfaces").UIBootgrid(
-    { 'search':'/api/quagga/ospf6settings/searchInterface',
-      'get':'/api/quagga/ospf6settings/getInterface/',
-      'set':'/api/quagga/ospf6settings/setInterface/',
-      'add':'/api/quagga/ospf6settings/addInterface/',
-      'del':'/api/quagga/ospf6settings/delInterface/',
-      'toggle':'/api/quagga/ospf6settings/toggleInterface/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-
-  // hook checkbox item with conditional options
-  $(".opt_checkbox").change(function(){
-      if ($(this).is(':checked')) {
-          $("." + $(this).attr('id').replace('.', '_')).closest('tr').show();
-      } else {
-          $("." + $(this).attr('id').replace('.', '_')).closest('tr').hide();
-      }
-  });
-});
-</script>
 
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':'DialogEditNetwork','label':lang._('Edit Network')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':'DialogEditInterface','label':lang._('Edit Interface')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':'DialogEditPrefixLists','label':lang._('Edit Prefix Lists')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditRouteMaps,'id':'DialogEditRouteMaps','label':lang._('Edit Route Maps')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index b7e0a52e30..cba31d7888 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -2,13 +2,13 @@
   ipv6 ospf6 {{ directive }} {{ modelname }}
 {% endif %}{%- endmacro %}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
-{% if helpers.exists('OPNsense.quagga.ospf6.enabled') and OPNsense.quagga.ospf6.enabled == '1' %}
+{% if not helpers.empty('OPNsense.quagga.ospf6.enabled') %}
 !
 ! Zebra configuration saved from vty
 !   2017/03/03 20:21:04
 !
 {% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
+{%   if not helpers.empty('OPNsense.quagga.general.enablesyslog') %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {%   endif %}
 {%   if helpers.exists('OPNsense.quagga.general.profile') %}
@@ -21,9 +21,8 @@ agentx
 !
 !
 !
-{% if helpers.exists('OPNsense.quagga.ospf6.interfaces.interface') %}
-{%   for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
-{%     if interface.enabled == '1' %}
+{% for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
+{%   if interface.enabled == '1' %}
 interface {{ physical_interface(interface.interfacename) }}
 {%        if interface.bfd|default('') == '1' %}
   ipv6 ospf6 bfd
@@ -40,22 +39,48 @@ interface {{ physical_interface(interface.interfacename) }}
 }}{{       cline("priority",interface.priority)
 }}{{       cline("retransmit-interval",interface.retransmitinterval)
 }}!
-{%     endif %}
-{%   endfor %}
-{% endif %}
+{%   endif %}
+{% endfor %}
 !
 router ospf6
-{% if helpers.exists('OPNsense.quagga.ospf6.routerid') and OPNsense.quagga.ospf6.routerid != '' %}
+{% if not helpers.empty('OPNsense.quagga.ospf6.routerid') %}
  ospf6 router-id {{ OPNsense.quagga.ospf6.routerid }}
 {% endif %}
 {% if not helpers.empty('OPNsense.quagga.ospf6.originate') %}
  default-information originate{% if not helpers.empty('OPNsense.quagga.ospf6.originatealways')  %} always {% endif %}{% if OPNsense.quagga.ospf6.originatemetric|default('') != '' %} metric {{ OPNsense.quagga.ospf6.originatemetric }}{% endif %}
 
 {% endif %}
-{% if helpers.exists('OPNsense.quagga.ospf6.redistribute') and OPNsense.quagga.ospf6.redistribute != '' %}
+{% if not helpers.empty('OPNsense.quagga.ospf6.redistribute')%}
 {% for line in OPNsense.quagga.ospf6.redistribute.split(',') %}
+{% if not helpers.empty('OPNsense.quagga.ospf6.redistributemap') %}{% set line = line + " route-map " + helpers.getUUID(OPNsense.quagga.ospf6.redistributemap).name %}{% endif %}
  redistribute {{ line }}
 {% endfor %}{% endif %}
+{% if helpers.exists('OPNsense.quagga.ospf6.networks.network') %}
+{%   for network in helpers.toList('OPNsense.quagga.ospf6.networks.network') %}
+{%     if network.enabled == '1' %}
+ network {{ network.ipaddr }}/{{ network.netmask }} area {{ network.area }}
+{%     endif %}
+{%     if network.arearange|default("") != "" %}
+ area {{ network.area }} range {{ network.arearange }}
+{%     endif %}
+{%     if network.linkedPrefixlistIn|default("") != "" %}
+{%       for prefixlist in network.linkedPrefixlistIn.split(",") %}
+{%         set prefixlist2_data = helpers.getUUID(prefixlist) %}
+{%         if prefixlist2_data != {} and prefixlist2_data.enabled == '1' %}
+ area {{ network.area }} filter-list prefix {{ prefixlist2_data.name }} in
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%     if network.linkedPrefixlistOut|default("") != "" %}
+{%       for prefixlist in network.linkedPrefixlistOut.split(",") %}
+{%         set prefixlist_data = helpers.getUUID(prefixlist) %}
+{%         if prefixlist_data != {} and prefixlist_data.enabled == '1' %}
+ area {{ network.area }} filter-list prefix {{ prefixlist_data.name }} out
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endfor %}
+{% endif %}
 {% if helpers.exists('OPNsense.quagga.ospf6.interfaces.interface') %}
 {%   for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
 {%     if interface.enabled == '1' %}
@@ -64,6 +89,33 @@ router ospf6
 {%   endfor %}
 {% endif %}
 !
+{%   if helpers.exists('OPNsense.quagga.ospf6.prefixlists.prefixlist') %}
+{%     for prefixlist in helpers.sortDictList(OPNsense.quagga.ospf6.prefixlists.prefixlist, 'name', 'seqnumber' ) %}
+{%       if prefixlist.enabled == '1' %}
+ip prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixlist.action }} {{ prefixlist.network }}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+!
+{%   if helpers.exists('OPNsense.quagga.ospf6.routemaps.routemap') %}
+{%     for routemap in helpers.sortDictList(OPNsense.quagga.ospf6.routemaps.routemap, 'name', 'id' ) %}
+{%       if routemap.enabled == '1' %}
+route-map {{ routemap.name }} {{ routemap.action }} {{ routemap.id }}
+{%         if routemap.match2|default("") != "" %}
+{%           for prefixlist in routemap.match2.split(",") %}
+{%             set prefixlist_data = helpers.getUUID(prefixlist) %}
+{%             if 'match2' in routemap and routemap.match2 != '' %}
+ match ip address prefix-list {{ prefixlist_data.name }}
+{%             endif %}
+{%           endfor %}
+{%         endif %}
+{%         if routemap.set|default("") != "" %}
+ set {{ routemap.set }}
+{%         endif %}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+!
 line vty
 !
 {% endif %}

From 07fae7ecf9f93e3e9e862c92c3b09b5152d8e5f1 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sun, 29 Sep 2024 09:11:58 +0200
Subject: [PATCH 2113/3088] www/caddy: Add redir directive to HTTP Handler
 (#4263)

* www/caddy: Directive can be chosen in HTTP Handler, redir added to create HTTP redirects.

* www/caddy: Disable reverse_proxy specific fields when redir is chosen, these fields do not generate anything in the config even when they have been filled out. The disable property makes that clearer to the user. Unhide directive from advanced mode so its easier to create basic redirects. Clean up style names for consistency.

* www/caddy: HandleDirective does not need default in template
---
 www/caddy/Makefile                            |  3 +-
 www/caddy/pkg-descr                           |  4 ++
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 41 +++++++++++--------
 .../Caddy/forms/dialogReverseProxy.xml        |  4 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 10 ++++-
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 20 ++++++---
 .../templates/OPNsense/Caddy/Caddyfile        | 17 +++++++-
 7 files changed, 71 insertions(+), 28 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 00b7379f05..259bea8b24 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.7.1
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.7.2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 47d8458bba..b6dc9e1bd7 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,10 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.7.2
+
+* Add: Directive in HTTP Handler can be chosen, "reverse_proxy" and "redir"
+
 1.7.1
 
 * Add: Frontend HTTP Version can be selected in General Settings, can be used to disable QUIC protocol
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 6cbba6939f..43e3fa9976 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -37,7 +37,7 @@
         <id>handle.HandleType</id>
         <label>Handler</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a handling directive. "handle" (default) will keep the path in all requests. "handle_path" will strip the path from all requests.]]></help>
+        <help><![CDATA[Choose a handling type: "handle" (default) will keep the path in all requests. "handle_path" will strip the path from all requests.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -45,7 +45,7 @@
         <label>Path</label>
         <type>text</type>
         <hint>any</hint>
-        <help><![CDATA[Enter a path to handle. Choose a pattern like "/*" or "/example/*". Leave empty to handle any paths (recommended). Any request matching this pattern will be reverse proxied.]]></help>
+        <help><![CDATA[Enter a path to handle. Choose a pattern like "/*" or "/example/*". Leave empty to handle any paths (recommended). Any request matching this pattern will be handled by the chosen directive.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -69,17 +69,13 @@
     </field>
     <field>
         <type>header</type>
-        <label>Header</label>
-        <advanced>true</advanced>
+        <label>Directive</label>
     </field>
     <field>
-        <id>handle.header</id>
-        <label>HTTP Headers</label>
+        <id>handle.HandleDirective</id>
+        <label>Directive</label>
         <type>dropdown</type>
-        <type>select_multiple</type>
-        <size>5</size>
-        <help><![CDATA[Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
-        <advanced>true</advanced>
+        <help><![CDATA[Choose a handling directive: "reverse_proxy" will proxy all HTTP traffic to the selected upstream. "redir" will create a HTTP redirect.]]></help>
     </field>
     <field>
         <type>header</type>
@@ -89,14 +85,26 @@
         <id>handle.HttpVersion</id>
         <label>HTTP Version</label>
         <type>dropdown</type>
+        <style>style_reverse_proxy</style>
         <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires HTTPS, and only establishes connections to webservers that also support HTTP/3.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>handle.header</id>
+        <label>HTTP Headers</label>
+        <type>dropdown</type>
+        <type>select_multiple</type>
+        <size>5</size>
+        <style>style_reverse_proxy selectpicker</style>
+        <help><![CDATA[Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>handle.HttpKeepalive</id>
         <label>HTTP Keepalive</label>
         <type>text</type>
         <hint>120</hint>
+        <style>style_reverse_proxy</style>
         <help><![CDATA[Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.]]></help>
         <advanced>true</advanced>
     </field>
@@ -113,7 +121,7 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <hint>192.168.1.1</hint>
-        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration" in advanced mode.]]></help>
+        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration" in advanced mode. When directive is "redir", only the first domain will be evaluated.]]></help>
     </field>
     <field>
         <id>handle.ToPort</id>
@@ -126,13 +134,14 @@
         <id>handle.ToPath</id>
         <label>Upstream Path</label>
         <type>text</type>
-        <help><![CDATA[Enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path.]]></help>
+        <help><![CDATA[When directive is "reverse_proxy", enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path. When directive is "redir", add the path the request should be redirected to; leaving it empty will append {uri}.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
         <id>handle.PassiveHealthFailDuration</id>
         <label>Upstream Fail Duration</label>
         <type>text</type>
+        <style>style_reverse_proxy</style>
         <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
         <advanced>true</advanced>
     </field>
@@ -140,28 +149,28 @@
         <id>handle.HttpTlsInsecureSkipVerify</id>
         <label>TLS Insecure Skip Verify</label>
         <type>checkbox</type>
-        <style>HttpTls</style>
+        <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".]]></help>
     </field>
     <field>
         <id>handle.HttpTlsTrustedCaCerts</id>
         <label>TLS Trust Pool</label>
         <type>dropdown</type>
-        <style>HttpTls</style>
+        <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
     </field>
     <field>
         <id>handle.HttpTlsServerName</id>
         <label>TLS Server Name</label>
         <type>text</type>
-        <style>HttpTls</style>
+        <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trust Pool", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
     </field>
     <field>
         <id>handle.HttpNtlm</id>
         <label>NTLM</label>
         <type>checkbox</type>
-        <style>HttpTls</style>
+        <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 5cba4c1a26..46642786bc 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -39,7 +39,7 @@
         <id>reverse.CustomCertificate</id>
         <label>Certificate</label>
         <type>dropdown</type>
-        <style>DisableTls</style>
+        <style>style_tls</style>
         <help><![CDATA[Choose ACME to get automatic certificates with the built in ACME client; no additional plugin required. The "HTTP-01", "TLS-ALPN-01" or "DNS-01" challenge will be used to get automatic "Let's Encrypt" or "ZeroSSL" certificates. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
     </field>
     <field>
@@ -53,7 +53,7 @@
         <id>reverse.DnsChallenge</id>
         <label>DNS-01 Challenge</label>
         <type>checkbox</type>
-        <style>DisableTls</style>
+        <style>style_tls</style>
         <help><![CDATA[Enable the DNS-01 Challenge for this domain. Requires a "DNS Provider" in "General Settings". This is only needed for wildcard domains, or when the default challenges can not be used due to restrictive firewall policies.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index c4ae85caf4..c663b3960b 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.1</version>
+    <version>1.3.2</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -325,6 +325,14 @@
                     </Model>
                     <Multiple>Y</Multiple>
                 </header>
+                <HandleDirective type="OptionField">
+                    <Required>Y</Required>
+                    <Default>reverse_proxy</Default>
+                    <OptionValues>
+                        <reverse_proxy>reverse_proxy</reverse_proxy>
+                        <redir>redir</redir>
+                    </OptionValues>
+                </HandleDirective>
                 <ToDomain type="HostnameField">
                     <Required>Y</Required>
                     <FieldSeparator>,</FieldSeparator>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 2473da5bf7..ee1b2f5ab3 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -313,20 +313,29 @@
             }
         });
 
-        // Show TLS options based on chosen protocol
         $("#handle\\.HttpTls").change(function() {
             if ($(this).val() === "0") {
-                $(".HttpTls").closest('tr').hide();
+                $(".style_tls").closest('tr').hide();
             } else {
-                $(".HttpTls").closest('tr').show();
+                $(".style_tls").closest('tr').show();
+            }
+        });
+
+        $("#handle\\.HandleDirective").change(function() {
+            if ($(this).val() === "redir") {
+                $(".style_reverse_proxy").prop('disabled', true);
+                $("#handle\\.header").selectpicker('refresh');
+            } else {
+                $(".style_reverse_proxy").prop('disabled', false);
+                $("#handle\\.header").selectpicker('refresh');
             }
         });
 
         $("#reverse\\.DisableTls").change(function() {
             if ($(this).val() === "1") {
-                $(".DisableTls").closest('tr').hide();
+                $(".style_tls").closest('tr').hide();
             } else {
-                $(".DisableTls").closest('tr').show();
+                $(".style_tls").closest('tr').show();
             }
         });
 
@@ -468,6 +477,7 @@
                             <th data-column-id="HandleType" data-type="string" data-visible="false">{{ lang._('Handler') }}</th>
                             <th data-column-id="HandlePath" data-type="string" data-visible="false">{{ lang._('Path') }}</th>
                             <th data-column-id="header" data-type="string" data-visible="false">{{ lang._('HTTP Headers') }}</th>
+                            <th data-column-id="HandleDirective" data-type="string">{{ lang._('Directive') }}</th>
                             <th data-column-id="HttpTls" data-type="string" data-visible="false">{{ lang._('Protocol') }}</th>
                             <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
                             <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index a710e61eda..0fd8fc9fd3 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -384,10 +384,11 @@ http://{{ domain }} {
         {% if handle.ForwardAuth|default("0") == "1" %}
             {% include "OPNsense/Caddy/includeAuthProvider" %}
         {% endif %}
-        {% if handle.ToPath|default("") != "" %}
+        {% if handle.HandleDirective == "reverse_proxy" and handle.ToPath|default("") != "" %}
             rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
-        reverse_proxy {% for domain in handle.ToDomain.split(',') %}
+        {% if handle.HandleDirective == "reverse_proxy" %}
+        {{ handle.HandleDirective }} {% for domain in handle.ToDomain.split(',') %}
             {# Check if the domain is IPv6 and wrap in square brackets if necessary #}
             {% set is_ipv6 = (':' in domain and domain.count(':') >= 2) %}
             {# For each domain/IP, append the port if it's specified, followed by a space #}
@@ -430,6 +431,18 @@ http://{{ domain }} {
                 }
             {% endif %}
         }
+        {% else %}
+            {% set protocol = 'https://' if handle.HttpTls == "1" else 'http://' %}
+            {% set domain = handle.ToDomain.split(',')[0] %}
+            {% set is_ipv6 = (':' in domain and domain.count(':') >= 2) %}
+            {% set formatted_domain = ('[' ~ domain ~ ']') if is_ipv6 else domain %}
+            {% if handle.ToPort %}
+                {% set domain_with_port = formatted_domain ~ ':' ~ handle.ToPort %}
+            {% else %}
+                {% set domain_with_port = formatted_domain %}
+            {% endif %}
+            {{ handle.HandleDirective }} {{ protocol }}{{ domain_with_port }}{{ handle.ToPath|default("{uri}") }}
+        {% endif %}
     }
 {% endmacro %}
 

From edacecf8936311d011d252edade13d8d83225759 Mon Sep 17 00:00:00 2001
From: laraveluser <44818308+laraveluser@users.noreply.github.com>
Date: Mon, 30 Sep 2024 13:55:54 +0200
Subject: [PATCH 2114/3088] security/acme-client: Add Support for Lima-City DNS
 API  (#3566)

---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsLimacity.php   | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLimacity.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index cffde71fd3..5b8f4c823a 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -822,6 +822,16 @@
         <label>Token</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Lima-City DNS API</label>
+        <type>header</type>
+        <style>table_dns table_dns_limacity</style>
+    </field>
+    <field>
+        <id>validation.dns_limacity_apikey</id>
+        <label>API-Key</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Linode API (v3 / Deprecated)</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLimacity.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLimacity.php
new file mode 100644
index 0000000000..ee2dd9ab2e
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsLimacity.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 laraveluser
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Netcup DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsLimacity extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['LIMACITY_APIKEY'] = (string)$this->config->dns_limacity_apikey;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index e39b8dd18b..d7dd70ccad 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -484,6 +484,7 @@
                         <dns_knot>Knot (knsupdate)</dns_knot>
                         <dns_leaseweb>LeaseWeb</dns_leaseweb>
                         <dns_lexicon>lexicon (DEPRECATED)</dns_lexicon>
+                        <dns_limacity>Lima-City (TrafficPlex)</dns_limacity>
                         <dns_linode>Linode (v3 / Deprecated)</dns_linode>
                         <dns_linode_v4>Linode (v4)</dns_linode_v4>
                         <dns_loopia>Loopia</dns_loopia>
@@ -865,6 +866,9 @@
                 <dns_lexicon_token type="TextField">
                     <Required>N</Required>
                 </dns_lexicon_token>
+                <dns_limacity_apikey type="TextField">
+                    <Required>N</Required>
+                </dns_limacity_apikey>
                 <dns_linode_key type="TextField">
                     <Required>N</Required>
                 </dns_linode_key>

From 57a68f9bba17c99ebcf29465f564035a0489f230 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Sep 2024 20:25:36 +0200
Subject: [PATCH 2115/3088] net/upnp: change this back for 25.1

---
 net/upnp/Makefile                                | 1 +
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 44cfe30a3f..fdff0f1246 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.6
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 2399be7ac3..3fdf21214b 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -90,7 +90,7 @@ function miniupnpd_configure()
 {
     return [
         'bootup' => ['miniupnpd_configure_do'],
-        'newwanip_map' => ['miniupnpd_configure_do'],
+        'newwanip' => ['miniupnpd_configure_do'],
     ];
 }
 

From a4cf1cd4f29e1510fc672e61cf3e91074825cff9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Sep 2024 20:26:07 +0200
Subject: [PATCH 2116/3088] net/upnp: remove this note since we will be moving
 back

---
 net/upnp/pkg-descr | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index 366e0cb687..2382b75296 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -10,7 +10,6 @@ Plugin Changelog
 1.6
 
 * Fix port maps not listed without description (contributed by Self-Hosting-Group)
-* Move to compatible newwanip_map event
 
 1.5
 

From 0620c0bcad1c070c22727fca3ccc981937b454b9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Sep 2024 20:27:06 +0200
Subject: [PATCH 2117/3088] net/igmp-proxy: move back to old compatible event

---
 net/igmp-proxy/Makefile                                | 2 +-
 net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/igmp-proxy/Makefile b/net/igmp-proxy/Makefile
index 8c0acc1c44..5c83bdf7e3 100644
--- a/net/igmp-proxy/Makefile
+++ b/net/igmp-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		igmp-proxy
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_DEPENDS=		igmpproxy
 PLUGIN_COMMENT=		IGMP-Proxy Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
index d8d80bda7d..246ca5e0f8 100644
--- a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
+++ b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
@@ -58,7 +58,7 @@ function igmpproxy_configure()
 {
     return [
         'bootup' => ['igmpproxy_configure_do'],
-        'newwanip_map' => ['igmpproxy_configure_do'],
+        'newwanip' => ['igmpproxy_configure_do'],
     ];
 }
 

From c2862e12502f285721dcd8db3ad383f682429705 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Sep 2024 20:29:07 +0200
Subject: [PATCH 2118/3088] dns/rfc2136: move back to compatible base event

---
 dns/rfc2136/Makefile                              | 2 +-
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index ff070041ec..13df9955f7 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index affb2fb465..349f07dde8 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -34,7 +34,7 @@ function rfc2136_configure()
     return [
         'bootup' => ['rfc2136_configure_do'],
         'local' => ['rfc2136_configure_do'],
-        'newwanip_map' => ['rfc2136_configure_do:2'],
+        'newwanip' => ['rfc2136_configure_do:2'],
     ];
 }
 

From c96d0b8aa9eb1c1bca2fa7e6cdad641072fdbfd8 Mon Sep 17 00:00:00 2001
From: Marek Wester <marekwester@gmail.com>
Date: Tue, 1 Oct 2024 00:32:01 +0200
Subject: [PATCH 2119/3088] security/acme-client: fix vault support, added
 vault token (#4270)

---
 .../OPNsense/AcmeClient/forms/dialogAction.xml         | 10 ++++++++--
 .../OPNsense/AcmeClient/LeAutomation/AcmeVault.php     |  3 +++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  |  5 +++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 5fa9e700dd..09066d054b 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -368,12 +368,18 @@
         <id>action.acme_vault_prefix</id>
         <label>Vault Prefix</label>
         <type>text</type>
-        <help>This specifies the prefix path in Vault.</help>
+        <help>This specifies the prefix path in Vault. If you select KV v2 you need to add .../data/... between the secret-mount-path and the path. Example: v1 prefix path: secret/acme, v2 prefix path: secret/data/acme.</help>
+    </field>
+    <field>
+        <id>action.acme_vault_token</id>
+        <label>Vault Token</label>
+        <type>password</type>
+        <help>This specifies the Vault token to authenticate with.</help>
     </field>
     <field>
         <id>action.acme_vault_kvv2</id>
         <label>Use KV v2</label>
         <type>checkbox</type>
-        <help>If checked version 2 of the kv store will be used, otherwise version 1.</help>
+        <help>If checked version 2 of the kv store will be used, otherwise version 1. If you use v2 please consider the comment in the field "Vault Prefix".</help>
     </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php
index 7242b58f66..86f59f910f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeVault.php
@@ -45,6 +45,9 @@ public function prepare()
         if ((string)$this->config->acme_vault_kvv2 == 1) {
             $this->acme_env['VAULT_KV_V2'] = 1;
         }
+        if (!empty((string)$this->config->acme_vault_token)) {
+            $this->acme_env['VAULT_TOKEN'] = (string)$this->config->acme_vault_token;
+        }
         $this->acme_args[] = '--deploy-hook vault';
         return true;
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index d7dd70ccad..3bbd0d6adc 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1596,6 +1596,11 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_vault_prefix>
+                <acme_vault_token type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_vault_token>
                 <acme_vault_kvv2 type="BooleanField">
                     <default>1</default>
                 </acme_vault_kvv2>

From 2da2cbfbfab6d378c7cb8ce7c8a6b11d83983550 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 30 Sep 2024 15:26:32 +0200
Subject: [PATCH 2120/3088] security/acme-client: create symlinks for acme.sh
 script directories

We've received reports that in some cases acme.sh is unable to locate required scripts:
"Cannot find dns api hook for: ..."
Although I have not been able to reproduce this, a simple fix seems to add symlinks for the script directories to $LE_WORKING_DIR.
---
 .../scripts/OPNsense/AcmeClient/setup.sh      | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
index 20a65224b4..8a63526528 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
@@ -2,6 +2,8 @@
 
 ACME_BASE="/var/etc/acme-client"
 ACME_DIRS="/var/etc/acme-client/certs /var/etc/acme-client/keys /var/etc/acme-client/configs /var/etc/acme-client/challenges /var/etc/acme-client/home /var/etc/acme-client/cert-home"
+ACME_LINKS="deploy dnsapi notify"
+ACME_LINK_TARGET="/usr/local/share/examples/acme.sh"
 
 # Create required directories and set owner/mode recursively.
 for directory in ${ACME_DIRS}; do
@@ -10,14 +12,22 @@ for directory in ${ACME_DIRS}; do
     chmod -R 750 ${directory}
 done
 
-# Remove symlink in order to use upstream version
-# see https://github.com/opnsense/plugins/pull/1888
-if [ -L /var/etc/acme-client/home/dns_opnsense.sh ]; then
-    unlink /var/etc/acme-client/home/dns_opnsense.sh
-fi
-
 # Set owner/mode for base and immediate children (non recursive).
 chown root:wheel ${ACME_BASE} ${ACME_BASE}/*
 chmod 750 ${ACME_BASE} ${ACME_BASE}/*
 
+# Create symlinks for acme.sh script directories.
+# This should guard against manual misconfiguration.
+for link in ${ACME_LINKS}; do
+    # First remove any existing file/directory.
+    if [ -f "${ACME_BASE}/home/${link}" ]; then
+        rm ${ACME_BASE}/home/${link}
+    elif [ -d "${ACME_BASE}/home/${link}" ]; then
+        rmdir ${ACME_BASE}/home/${link}
+    elif [ ! -e "${ACME_BASE}/home/${link}" ]; then
+        # Create the symlink.
+        ln -s ${ACME_LINK_TARGET}/${link} ${ACME_BASE}/home/${link}
+    fi
+done
+
 exit 0

From 35935cfac2636a285e582512507a2e963ea73663 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 30 Sep 2024 15:36:45 +0200
Subject: [PATCH 2121/3088] security/acme-client: bump version

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index bf86a1de3c..06cece8adf 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.5
+PLUGIN_VERSION=		4.6
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From b59158a3363f373d3ed8bf147768929e18a13b64 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 30 Sep 2024 15:39:46 +0200
Subject: [PATCH 2122/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index fe4be7ab65..0bcee071ee 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,15 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.6
+
+Added:
+* add Lima-City DNS API (#3566)
+
+Fixed:
+* fix Hashicorp Vault support, added Vault token (#4270)
+* fix acme.sh error: "Cannot find dns api hook for..."
+
 4.5
 
 Fixed:

From b92946ee17f99c8641a700229bca745d1da7543f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 1 Oct 2024 09:01:23 +0200
Subject: [PATCH 2123/3088] plugins: prefer /ui links over /api links in ACL

Otherwise the landing page might be an API endpoint that's not overly
useful to the user.
---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml     | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
index 32da0de0bf..5e0cde48b2 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/ACL/ACL.xml
@@ -2,10 +2,10 @@
     <page-services-dyndns>
         <name>Services: Dynamic DNS</name>
         <patterns>
+            <pattern>ui/dyndns/*</pattern>
             <pattern>api/dyndns/accounts/*</pattern>
             <pattern>api/dyndns/service/*</pattern>
             <pattern>api/dyndns/settings/*</pattern>
-            <pattern>ui/dyndns/*</pattern>
         </patterns>
     </page-services-dyndns>
 </acl>
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
index db08da4269..2633a36fdd 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/ACL/ACL.xml
@@ -2,9 +2,9 @@
     <page-services-apcupsd>
         <name>Services: Apcupsd System Monitoring page</name>
         <patterns>
+            <pattern>ui/apcupsd/*</pattern>
             <pattern>api/apcupsd/service/*</pattern>
             <pattern>api/apcupsd/settings/*</pattern>
-            <pattern>ui/apcupsd/*</pattern>
         </patterns>
     </page-services-apcupsd>
 </acl>

From d7c4f61824e093f0f27cb1c03752f167549134ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Oct 2024 08:03:52 +0200
Subject: [PATCH 2124/3088] net/frr: make a new version

---
 net/frr/Makefile  | 3 +--
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 58e43f19ed..369c01212c 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.40
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.41
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 9563643382..6d6a8a79d8 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.41
+
+* Set up networks, prefix lists, and route maps for OSPF6 (contributed by Mike Shuey)
+
 1.40
 
 * Add staticd to routing suite

From 99f8486002c744487c818e0d65a734f580e46183 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Oct 2024 08:04:36 +0200
Subject: [PATCH 2125/3088] dns/ddclient: revision bump for ACL reorder

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f769b4053a..3b90c78397 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.24
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 50692fd759ff78729188d960a1a9d5da2b6ec0b4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Oct 2024 08:07:42 +0200
Subject: [PATCH 2126/3088] sysutils/apcupsd: revision bump

---
 sysutils/apcupsd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/apcupsd/Makefile b/sysutils/apcupsd/Makefile
index f82d37451e..744bb779ce 100644
--- a/sysutils/apcupsd/Makefile
+++ b/sysutils/apcupsd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		apcupsd
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		apcupsd
 PLUGIN_COMMENT=		APCUPSD - APC UPS daemon
 PLUGIN_MAINTAINER=	xbb@xbblabs.com

From 1118565a1a9d19c84b22043ec4792096f85eeafe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Oct 2024 08:09:30 +0200
Subject: [PATCH 2127/3088] www/caddy: misplaced release note

---
 www/caddy/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index b6dc9e1bd7..df9e7da547 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 1.7.2
 
 * Add: Directive in HTTP Handler can be chosen, "reverse_proxy" and "redir"
+* Fix: When Apply takes longer than 20 seconds, Caddy will be forcefully restarted
 
 1.7.1
 
@@ -29,7 +30,6 @@ Plugin Changelog
 * Cleanup: Layer4, Domain and Handle dialogues have been cleaned up, some options are now hidden in advanced mode
 * Fix: Layer4 default ports did not render due to regression in previous version
 * Fix: Invert in Access Lists did not render due to regression in previous version
-* Fix: When Apply takes longer than 20 seconds, Caddy will be forcefully restarted
 
 1.7.0
 

From 8e4128a353fa4bfd45f34d591bebfaf2822dbbe8 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 4 Oct 2024 22:12:43 +0200
Subject: [PATCH 2128/3088] www/caddy-custom: Update layer4 module (#4279)

---
 www/caddy/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index df9e7da547..01962ce7a5 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 1.7.2
 
 * Add: Directive in HTTP Handler can be chosen, "reverse_proxy" and "redir"
+* Build: Update Caddy Layer4 module, fixes TLS matcher in chromium based browsers
 * Fix: When Apply takes longer than 20 seconds, Caddy will be forcefully restarted
 
 1.7.1

From 30a1d4796eb8a2db3b22baadd2bac2ed4109ce11 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 8 Oct 2024 13:00:43 +0200
Subject: [PATCH 2129/3088] www/caddy: Complete Layer4 routing feature (#4281)

* www/caddy: Improve Layer 4 Routes to allow configurations outside the context of listener_wrappers, streaming and loadbalancing any TCP/UDP traffic on custom ports.

* www/caddy: Add validations for Layer 4 Routes.

* www/caddy: Control visibility of FromDomain in Layer4 based on Matcher. Remove need to always select * even when matcher does not support domains. Remove requirement for FromDomain, it is now validated based on selected Matcher.

* www/caddy: Cleanup validations, add isFieldChanged where applicable, removed weird old subdomain validation.

* www/caddy: Introduce InvertMatchers to invert any matchers, replacing the not tls sni matcher. Add HTTP and TLS without domain requirement as additional matchers. Add validations to ensure these matchers can not be chosen for listener_wrappers. Improve validations to ensure domain is empty when not using HTTP Host Header or TLS SNI Client Hello matchers.

* www/caddy: Bump model version. Add changelog.

* www/caddy: Since the prior validation demanded * and required FromDomain to be filled out, the new validation has to allow this too to avoid migration issues.

* www/caddy: Implement sequence number so rules can be sorted and be processed in custom order.
---
 www/caddy/pkg-descr                           |   4 +
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |  59 +++++-
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 198 +++++++++---------
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  39 +++-
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  15 +-
 .../templates/OPNsense/Caddy/Caddyfile        |  20 +-
 .../templates/OPNsense/Caddy/includeLayer4    | 145 +++++++------
 7 files changed, 310 insertions(+), 170 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 01962ce7a5..d2c94173f8 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -16,6 +16,10 @@ Plugin Changelog
 1.7.2
 
 * Add: Directive in HTTP Handler can be chosen, "reverse_proxy" and "redir"
+* Add: Layer4 routes feature. Routing Type "global" or "listener_wrapper" can be chosen
+* Add: Any Layer4 TCP/UDP traffic can be proxied without choosing a Layer 7 protocol matcher
+* Change: Layer4 routes are not ordered automatically anymore
+* Change: Layer4 "not tls sni" matcher has been replaced by generalized "Invert Matchers" checkbox
 * Build: Update Caddy Layer4 module, fixes TLS matcher in chromium based browsers
 * Fix: When Apply takes longer than 20 seconds, Caddy will be forcefully restarted
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index acac47c8cb..a2c73f6a01 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -5,6 +5,12 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this Layer4 route.]]></help>
     </field>
+    <field>
+        <id>layer4.Sequence</id>
+        <label>Sequence</label>
+        <type>text</type>
+        <help><![CDATA[Rules are sorted based on the sequence number, higher number means lower priority. Rules without a sequence number will be processed first.]]></help>
+    </field>
     <field>
         <id>layer4.description</id>
         <label>Description</label>
@@ -13,21 +19,59 @@
     </field>
     <field>
         <type>header</type>
-        <label>Frontend</label>
+        <label>Type</label>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>layer4.Type</id>
+        <label>Routing Type</label>
+        <type>dropdown</type>
+        <help><![CDATA[Choose either "listener_wrappers" for multiplexing protocols on the default HTTP and HTTPS ports on OSI Layer 7, or "global" for raw TCP/UDP traffic routing on a custom "Local port" on OSI Layer 4 with optional OSI Layer 7 protocol matching.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Layer 4</label>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>layer4.Protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help><![CDATA[Match the received traffic on OSI Layer 4, either TCP or UDP. When "Routing Type" is "listener_wrappers", currently only TCP will match.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>layer4.FromPort</id>
+        <label>Local Port</label>
+        <type>text</type>
+        <help><![CDATA[Choose a custom local port to listen on.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Layer 7</label>
+    </field>
+    <field>
+        <id>layer4.Matchers</id>
+        <label>Matchers</label>
+        <type>dropdown</type>
+        <help><![CDATA[Match the received traffic on OSI Layer 7. When choosing a protocol like TLS, it will be matched and routed to the upstream destination. When "Routing Type" of the matcher is "listener_wrapper", any unmatched traffic will be received by the "HTTP App" (reverse_proxy). When "Routing Type" of the matcher is "global", unmatched traffic will be consumed and blocked. Choose "ANY" to not match on OSI Layer 7 and allow any traffic.]]></help>
     </field>
     <field>
         <id>layer4.FromDomain</id>
         <label>Domain</label>
         <type>select_multiple</type>
-        <style>tokenize</style>
+        <style>style_matchers tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Enter one or multiple domains to route via SNI or Host Header. The domain will be added to the "listener_wrapper". Essentially, all traffic that Caddy receives on its frontend listeners (most likely the default HTTP and HTTPS ports) is funnelled through this wrapper to be processed and routed. Wildcard domains are allowed, e.g. "*.example.com". Host wildcards are allowed too, e.g. "*". Some protocols match all domains and "*" is mandatory.]]></help>
+        <help><![CDATA[Enter one or multiple domains to route via SNI or Host Header. Wildcard domains and host wildcards are allowed, e.g. "*.example.com" and "*".]]></help>
     </field>
     <field>
-        <id>layer4.Matchers</id>
-        <label>Matchers</label>
-        <type>dropdown</type>
-        <help><![CDATA[Match the traffic of the selected domains. The TCP/UDP packets will be routed to the selected upstream domains without terminating TLS or altering the traffic. Only protocols that send a "Client Hello" (like TLS), or a "Host Header" (like HTTP) can be routed here. Routing Precedence: 1. "SSH (or other protocols)", 2. "HTTP (Host Header)", 3. "TLS (SNI)", 4. "TLS (inverted SNI)", 5. "HTTP Handlers" (hidden default route for all unmatched traffic). The "SSH" matcher (and any other matcher that does not evaluate Host Header or SNI), will match any SSH like traffic on the default ports. That means, these protocols will only match once per ruleset and will proxy traffic to one upstream.]]></help>
+        <id>layer4.InvertMatchers</id>
+        <label>Invert Matchers</label>
+        <type>checkbox</type>
+        <help><![CDATA[Invert the sense of the matcher. E.g., if the protocol is TLS, inverting will match all traffic that is not TLS. When domains have been chosen, these will be equally inverted.]]></help>
+        <advanced>true</advanced>
     </field>
     <field>
         <type>header</type>
@@ -64,7 +108,6 @@
     <field>
         <type>header</type>
         <label>Access</label>
-        <collapse>true</collapse>
     </field>
     <field>
         <id>layer4.RemoteIp</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index ddb6f919fc..aefc67b9b8 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -37,11 +37,11 @@
 class Caddy extends BaseModel
 {
     // Check domain-port combinations
-    private function checkForUniquePortCombos($items, $messages)
+    private function checkForUniquePortCombos($messages)
     {
         $combos = [];
-        foreach ($items as $item) {
-            $key = $item->__reference; // Dynamic key based on item reference
+        foreach ($this->reverseproxy->reverse->iterateItems() as $item) {
+            $key = $item->__reference;
             $fromDomain = (string) $item->FromDomain;
             $fromPort = (string) $item->FromPort;
 
@@ -52,12 +52,9 @@ private function checkForUniquePortCombos($items, $messages)
             }
 
             foreach ($defaultPorts as $port) {
-                // Create a unique key for domain-port combination
                 $comboKey = $fromDomain . ':' . $port;
 
-                // Check for duplicate combinations
                 if (isset($combos[$comboKey])) {
-                    // Use dynamic $key for message referencing
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
@@ -76,48 +73,6 @@ private function checkForUniquePortCombos($items, $messages)
         }
     }
 
-    // Check that subdomains are under a wildcard or exact domain
-    private function checkSubdomainsAgainstDomains($subdomains, $domains, $messages)
-    {
-        $wildcardDomainList = [];
-        foreach ($domains as $domain) {
-            if ((string) $domain->enabled === '1') {
-                $domainName = (string) $domain->FromDomain;
-                if (str_starts_with($domainName, '*.')) {
-                    $wildcardBase = substr($domainName, 2);
-                    $wildcardDomainList[$wildcardBase] = $domainName;
-                }
-            }
-        }
-
-        foreach ($subdomains as $subdomain) {
-            if ((string) $subdomain->enabled === '1') {
-                $subdomainName = (string) $subdomain->FromDomain;
-                $isValid = false;
-                foreach ($wildcardDomainList as $baseDomain => $wildcardDomain) {
-                    if (str_ends_with($subdomainName, $baseDomain)) {
-                        $isValid = true;
-                        break;
-                    }
-                }
-
-                if (!$isValid) {
-                    $key = $subdomain->__reference; // Dynamic key based on subdomain reference
-                    $messages->appendMessage(new Message(
-                        sprintf(
-                            gettext(
-                                'Invalid subdomain configuration: %s does not fall ' .
-                                'under any configured wildcard domain.'
-                            ),
-                            $subdomainName
-                        ),
-                        $key . ".FromDomain"
-                    ));
-                }
-            }
-        }
-    }
-
     // Get the current OPNsense WebGUI ports and check for conflicts with Caddy
     private function getWebGuiPorts()
     {
@@ -172,8 +127,7 @@ private function checkWebGuiSettings($messages)
     private function checkDisableTlsConflicts($messages)
     {
         foreach ($this->reverseproxy->reverse->iterateItems() as $item) {
-            // First check if the DisableTls field has been changed
-            if ($item->isFieldChanged('DisableTls')) {
+            if ($item->isFieldChanged()) {
                 if ((string) $item->DisableTls === '1') {
                     $conflictChecks = [
                         'DnsChallenge' => (string) $item->DnsChallenge === '1',
@@ -214,7 +168,7 @@ private function checkSuperuserPorts($messages)
             if ($httpPort < 1024) {
                 $messages->appendMessage(new Message(
                     gettext(
-                        'Superuser is disabled, HTTP port must not be empty and must be 1024 or above.'
+                        'www user is active, HTTP port must not be empty and must be 1024 or above.'
                     ),
                     "general.HttpPort"
                 ));
@@ -224,7 +178,7 @@ private function checkSuperuserPorts($messages)
             if ($httpsPort < 1024) {
                 $messages->appendMessage(new Message(
                     gettext(
-                        'Superuser is disabled, HTTPS port must not be empty and must be 1024 or above.'
+                        'www user is active, HTTPS port must not be empty and must be 1024 or above.'
                     ),
                     "general.HttpsPort"
                 ));
@@ -237,7 +191,7 @@ private function checkSuperuserPorts($messages)
                 if ($fromPort !== null && $fromPort < 1024) {
                     $messages->appendMessage(new Message(
                         gettext(
-                            'Superuser is disabled, port must be empty or must be 1024 or above.'
+                            'www user is active, port must be empty or must be 1024 or above.'
                         ),
                         $item->__reference . ".FromPort"
                     ));
@@ -249,36 +203,111 @@ private function checkSuperuserPorts($messages)
                     ));
                 }
             }
+
+            foreach ($this->reverseproxy->layer4->iterateItems() as $item) {
+                $fromPort = !empty((string)$item->FromPort) ? (string)$item->FromPort : null;
+
+                if ($fromPort !== null && $fromPort < 1024) {
+                    $messages->appendMessage(new Message(
+                        gettext(
+                            'www user is active, port must be empty or must be 1024 or above.'
+                        ),
+                        $item->__reference . ".FromPort"
+                    ));
+                    $messages->appendMessage(new Message(
+                        gettext(
+                            'Ports in "Reverse Proxy - Layer4 Routes" must be empty or must be 1024 or above.'
+                        ),
+                        "general.DisableSuperuser"
+                    ));
+                }
+            }
         }
     }
 
-    /**
-    * Check that when certain Layer4 matchers are selected, only "*" is valid as FromDomain.
-    * This happens because they cannot be matched by host header or SNI, so they match all traffic.
-    * The "*" shows the user that all traffic will be matched, and that creating multiple
-    * matchers will not result in more routes for the same traffic type to work.
-    */
     private function checkLayer4Matchers($messages)
     {
         foreach ($this->reverseproxy->layer4->iterateItems() as $item) {
-            $matchers = (string) $item->Matchers;
-            $fromDomain = (string) $item->FromDomain;
+            if ($item->isFieldChanged()) {
+                $key = $item->__reference;
+                if (in_array((string)$item->Matchers, ['httphost', 'tlssni']) && empty((string)$item->FromDomain)) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When "%s" matcher is selected, domain is required.'
+                            ),
+                            $item->Matchers
+                        ),
+                        $key . ".FromDomain"
+                    ));
+                    } elseif (
+                        !in_array((string)$item->Matchers, ['httphost', 'tlssni']) &&
+                        (
+                            !empty((string)$item->FromDomain) &&
+                            (string)$item->FromDomain != '*'
+                        )
+                    ) {
+                        $messages->appendMessage(new Message(
+                            sprintf(
+                                gettext(
+                                    'When "%s" matcher is selected, domain must be empty or *.'
+                                ),
+                                $item->Matchers
+                            ),
+                            $key . ".FromDomain"
+                        ));
+                    }
 
-            // Check if matchers is not in the list of specific values
-            $isNotInSpecificMatchers = !in_array($matchers, ['httphost', 'tlssni', 'nottlssni']);
-            $isInvalidFromDomain = $fromDomain !== '*';
+                if ((string)$item->Type === 'global' && empty((string)$item->FromPort)) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When routing type is "%s", port is required.'
+                            ),
+                            $item->Type
+                        ),
+                        $key . ".FromPort"
+                    ));
+                } elseif ((string)$item->Type !== 'global' && !empty((string)$item->FromPort)) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When routing type is "%s", port must be empty.'
+                            ),
+                            $item->Type
+                        ),
+                        $key . ".FromPort"
+                    ));
+                }
 
-            if ($isNotInSpecificMatchers && $isInvalidFromDomain) {
-                $key = $item->__reference;
-                $messages->appendMessage(new Message(
-                    sprintf(
-                        gettext(
-                            'When "%s" matcher is selected, the only valid entry in Domain is "*".'
+                if ((string)$item->Type !== 'global' && ((string)$item->Protocol !== 'tcp')) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When routing type is "%s", protocol must be TCP.'
+                            ),
+                            $item->Type
                         ),
-                        $matchers
-                    ),
-                    $key . ".FromDomain"
-                ));
+                        $key . ".Protocol"
+                    ));
+                }
+
+                if ((string)$item->Type !== 'global' &&
+                    (
+                        (string)$item->Matchers == 'tls' ||
+                        (string)$item->Matchers == 'http'
+                    )
+                ) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When routing type is "%s", matchers "HTTP" or "TLS" cannot be chosen.'
+                            ),
+                            $item->Type
+                        ),
+                        $key . ".Matchers"
+                    ));
+                }
             }
         }
     }
@@ -288,29 +317,10 @@ public function performValidation($validateFullModel = false)
     {
         $messages = parent::performValidation($validateFullModel);
 
-        // Check domain-port combinations
-        $this->checkForUniquePortCombos(
-            $this->reverseproxy->reverse->iterateItems(),
-            $messages
-        );
-
-        // Check that subdomains are under a wildcard or exact domain
-        $this->checkSubdomainsAgainstDomains(
-            $this->reverseproxy->subdomain->iterateItems(),
-            $this->reverseproxy->reverse->iterateItems(),
-            $messages
-        );
-
-        // Check WebGUI conflicts
+        $this->checkForUniquePortCombos($messages);
         $this->checkWebGuiSettings($messages);
-
-        // Check for TLS conflicts in Domain
         $this->checkDisableTlsConflicts($messages);
-
-        // Check DisableSuperuser Port conflicts
         $this->checkSuperuserPorts($messages);
-
-        // Check Layer4 matchers
         $this->checkLayer4Matchers($messages);
 
         return $messages;
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index c663b3960b..8e357ad8ee 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.2</version>
+    <version>1.3.3</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -453,8 +453,35 @@
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
-                <FromDomain type="HostnameField">
+                <Sequence type="AutoNumberField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>99999</MaximumValue>
+                    <ValidationMessage>Please enter a value between 1 and 99999 or leave empty.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Sequence value has to be unique or empty.</ValidationMessage>
+                            <type>UniqueConstraint</type>
+                        </check001>
+                    </Constraints>
+                </Sequence>
+                <Type type="OptionField">
                     <Required>Y</Required>
+                    <Default>listener_wrappers</Default>
+                    <OptionValues>
+                        <listener_wrappers>listener_wrappers</listener_wrappers>
+                        <global>global</global>
+                    </OptionValues>
+                </Type>
+                <Protocol type="OptionField">
+                    <Required>Y</Required>
+                    <Default>tcp</Default>
+                    <OptionValues>
+                        <tcp>TCP</tcp>
+                        <udp>UDP</udp>
+                    </OptionValues>
+                </Protocol>
+                <FromPort type="PortField"/>
+                <FromDomain type="HostnameField">
                     <IpAllowed>N</IpAllowed>
                     <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
                     <HostWildcardAllowed>Y</HostWildcardAllowed>
@@ -466,7 +493,9 @@
                     <Required>Y</Required>
                     <Default>tlssni</Default>
                     <OptionValues>
+                        <any>ANY</any>
                         <dns>DNS</dns>
+                        <http>HTTP</http>
                         <httphost>HTTP (Host Header)</httphost>
                         <postgres>Postgres</postgres>
                         <proxy_protocol>Proxy Protocol</proxy_protocol>
@@ -474,11 +503,13 @@
                         <socks4>SOCKSv4</socks4>
                         <socks5>SOCKSv5</socks5>
                         <ssh>SSH</ssh>
-                        <tlssni>TLS (SNI)</tlssni>
-                        <nottlssni>TLS (inverted SNI)</nottlssni>
+                        <tls>TLS</tls>
+                        <tlssni>TLS (SNI Client Hello)</tlssni>
+                        <wireguard>Wireguard</wireguard>
                         <xmpp>XMPP</xmpp>
                     </OptionValues>
                 </Matchers>
+                <InvertMatchers type="BooleanField"/>
                 <ToDomain type="HostnameField">
                     <Required>Y</Required>
                     <FieldSeparator>,</FieldSeparator>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index ee1b2f5ab3..cd7cb0dc38 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -339,6 +339,14 @@
             }
         });
 
+        $("#layer4\\.Matchers").change(function() {
+            if ($(this).val() !== "tlssni" && $(this).val() !== "httphost") {
+                $(".style_matchers").closest('tr').hide();
+            } else {
+                $(".style_matchers").closest('tr').show();
+            }
+        });
+
         // Initialize tabs, service control and filter selectpicker
         initializeTabs();
         updateServiceControlUI('caddy');
@@ -617,8 +625,13 @@
                         <tr>
                             <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                             <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                            <th data-column-id="Sequence" data-type="string">{{ lang._('Sequence') }}</th>
+                            <th data-column-id="Type" data-type="string" data-visible="false">{{ lang._('Routing Type') }}</th>
+                            <th data-column-id="Protocol" data-type="string">{{ lang._('Protocol') }}</th>
+                            <th data-column-id="FromPort" data-type="string" data-visible="false">{{ lang._('Local Port') }}</th>
                             <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="Matchers" data-type="string">{{ lang._('Matcher') }}</th>
+                            <th data-column-id="Matchers" data-type="string">{{ lang._('Matchers') }}</th>
+                            <th data-column-id="InvertMatchers" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Invert Matchers') }}</th>
                             <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
                             <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
                             <th data-column-id="RemoteIp" data-type="string" data-visible="false">{{ lang._('Remote IP') }}</th>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 0fd8fc9fd3..62f47f65d8 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -90,13 +90,27 @@
         {% endif %}
         {% if generalSettings.EnableLayer4|default("0") == "1" %}
             listener_wrappers {
-                {# Plug the Layer 4 template in #}
-                {% include "OPNsense/Caddy/includeLayer4" %}
-
+                layer4 {
+                    import /usr/local/etc/caddy/caddy.d/*.layer4listener
+                    {% set context_var = "listener_wrappers" %}
+                    {% include "OPNsense/Caddy/includeLayer4" %}
+                    {# Empty Route that catches all other traffic #}
+                    route
+                }
+                {# Route all other traffic to HTTP App #}
+                tls
             }
         {% endif %}
     }
 
+    {% if generalSettings.EnableLayer4|default("0") == "1" %}
+        layer4 {
+            import /usr/local/etc/caddy/caddy.d/*.layer4global
+            {% set context_var = "global" %}
+            {% include "OPNsense/Caddy/includeLayer4" %}
+        }
+    {% endif %}
+
     {#
     #   Section: Dynamic DNS Global Configuration
     #   Purpose: Sets up global configuration for Dynamic DNS. Caddy needs to be compiled with
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index 7eb367b6bf..defaf2528f 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -1,15 +1,31 @@
 {#
-# This file sets up the listener_wrapper for layer 4 routing support.
-# - Section: Servers Global Configuration
-# Also allows for custom configurations with the import statement.
+#  This file sets up layer4 routing support.
+#  There are two contexts: "listener_wrappers" and "global"
+#
+#  "listener_wrappers" multiplexes on OSI Layer 7 on the default HTTP and HTTPS ports and requires a traffic matcher since
+#  otherwise the "reverse_proxy" would stop receiving any requests. The "any" Layer 7 matcher is not allowed here.
+#  This context allows for matching domains via SNI and route them without terminating TLS.
+#
+#  "global" can set up custom ports and also route any OSI Layer 4 TCP/UDP traffic without a matcher.
+#  They will be grouped under the same protocol/port combination
+#  to allow multiple Layer 7 matchers inside the scope of the same Layer 4 matcher.
+#  This context is for advanced usecases where raw TCP/UDP traffic on custom ports should be proxied or load balanced.
 #}
-{% set layer4_configs = helpers.toList('Pischem.caddy.reverseproxy.layer4') %}
 
-{# Nested Macro for proxy definition #}
-{% macro define_proxy(to_domains, to_port, fail_duration, proxy_protocol) %}
+{% set unsorted_layer4_configs = helpers.toList('Pischem.caddy.reverseproxy.layer4') %}
+
+{# Ensure that 'Sequence' is present and converted to an integer in each item #}
+{% for item in unsorted_layer4_configs %}
+    {% set _ = item.update({'Sequence': item.get('Sequence', '0') | int}) %}
+{% endfor %}
+
+{# Sort the configurations based on 'Sequence' #}
+{% set layer4_configs = unsorted_layer4_configs | sort(attribute='Sequence') %}
+
+{% macro define_proxy(layer4, to_domains, to_port, fail_duration, proxy_protocol) %}
     proxy {% for domain in to_domains.split(',') %}
-        {% set is_ipv6 = (':' in domain) %}  {# Check if the domain contains a colon, typical in IPv6 addresses #}
-        {{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ to_port }}{% if not loop.last %} {% endif %}
+        {% set is_ipv6 = (':' in domain) %}
+        {{ layer4.Protocol }}/{{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ to_port }}{% if not loop.last %} {% endif %}
     {% endfor %} {
     {% if fail_duration %}
         fail_duration {{ fail_duration }}s
@@ -20,64 +36,73 @@
     }
 {% endmacro %}
 
-{# Macro for configuring the proxy with additional remote IP access list #}
-{% macro configure_proxy(to_domains, to_port, remote_ips, fail_duration, proxy_protocol) %}
-    {% if remote_ips %}
-        {% set ip_list = remote_ips.split(',') %}
-        subroute {
-            @allowed_ips remote_ip {{ ip_list|join(' ') }}
-            route @allowed_ips {
-                {# Call Nested Macro #}
-                {{ define_proxy(to_domains, to_port, fail_duration, proxy_protocol) }}
+{% macro configure_proxy(layer4, to_domains, to_port, remote_ips, fail_duration, proxy_protocol) %}
+    {% set content %}
+        {% if remote_ips %}
+            {% set ip_list = remote_ips.split(',') %}
+            subroute {
+                @allowed_ips remote_ip {{ ip_list|join(' ') }}
+                route @allowed_ips {
+                    {{ define_proxy(layer4, to_domains, to_port, fail_duration, proxy_protocol) }}
+                }
             }
-        }
+        {% else %}
+            {{ define_proxy(layer4, to_domains, to_port, fail_duration, proxy_protocol) }}
+        {% endif %}
+    {% endset %}
+    {{ content|trim }}
+{% endmacro %}
+
+{% set grouped_configs = {} %}
+{% for layer4 in layer4_configs %}
+    {% if layer4.FromPort and layer4.Protocol and layer4.enabled == "1"  %}
+        {% set key = layer4.Protocol ~ '/:' ~ layer4.FromPort %}
+        {% if not key in grouped_configs %}
+            {% set _ = grouped_configs.update({key: []}) %}
+        {% endif %}
+        {% set _ = grouped_configs[key].append(layer4) %}
+    {% endif %}
+{% endfor %}
+
+{% macro handle_special_matchers(layer4) %}
+    {% set invert_prefix = 'not ' if layer4.InvertMatchers == '1' else '' %}
+    {% if layer4.Matchers == 'httphost' %}
+        {{ invert_prefix }}http host {{ layer4.FromDomain.replace(',', ' ') }}
+    {% elif layer4.Matchers == 'tlssni' %}
+        {{ invert_prefix }}tls sni {{ layer4.FromDomain.replace(',', ' ') }}
     {% else %}
-        {# Call Nested Macro #}
-        {{ define_proxy(to_domains, to_port, fail_duration, proxy_protocol) }}
+        {{ invert_prefix }}{{ layer4.Matchers }}
     {% endif %}
 {% endmacro %}
 
-{# Set up Layer4 App #}
-layer4 {
-    import /usr/local/etc/caddy/caddy.d/*.layer4
-    {# 1. loop to handle any traffic matchers that can only be added once since they match all specific protocol traffic. #}
+{% if context_var == 'listener_wrappers' %}
     {% for layer4 in layer4_configs %}
-        {% if layer4.enabled == "1" and layer4.Matchers not in ['httphost', 'tlssni', 'nottlssni'] %}
-            @{{ layer4['@uuid'] }} {{ layer4.Matchers }}
-            route @{{ layer4['@uuid'] }} {
-                {{ configure_proxy(layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
-            }
+        {% if layer4.enabled == "1" and layer4.Type == 'listener_wrappers' %}
+            {% if layer4.Matchers != 'any' %}
+                @{{ layer4['@uuid'] }} {{ handle_special_matchers(layer4) }}
+                route @{{ layer4['@uuid'] }} {
+                    {{ configure_proxy(layer4, layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                }
+            {% endif %}
         {% endif %}
     {% endfor %}
-    {# 2. loop to handle http host matchers #}
-    {% for layer4 in layer4_configs %}
-        {% if layer4.enabled == "1" and layer4.Matchers == 'httphost' %}
-            @{{ layer4['@uuid'] }} http host {{ layer4.FromDomain.replace(',', ' ') }}
-            route @{{ layer4['@uuid'] }} {
-                {{ configure_proxy(layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
-            }
-        {% endif %}
-    {% endfor %}
-    {# 3. loop to handle tls sni matchers #}
-    {% for layer4 in layer4_configs %}
-        {% if layer4.enabled == "1" and layer4.Matchers == 'tlssni' %}
-            @{{ layer4['@uuid'] }} tls sni {{ layer4.FromDomain.replace(',', ' ') }}
-            route @{{ layer4['@uuid'] }} {
-                {{ configure_proxy(layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
-            }
-        {% endif %}
-    {% endfor %}
-    {# 4. loop to handle not tls sni matchers #}
-    {% for layer4 in layer4_configs %}
-        {% if layer4.enabled == "1" and layer4.Matchers == 'nottlssni' %}
-            @{{ layer4['@uuid'] }} not tls sni {{ layer4.FromDomain.replace(',', ' ') }}
-            route @{{ layer4['@uuid'] }} {
-                {{ configure_proxy(layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
-            }
-        {% endif %}
+{% elif context_var == 'global' %}
+    {% for key, layers in grouped_configs.items() %}
+        {{ key }} {
+            {% for layer4 in layers %}
+                {% if layer4.enabled == "1" and layer4.Type == 'global' %}
+                    {% if layer4.Matchers != 'any' %}
+                        @{{ layer4['@uuid'] }} {{ handle_special_matchers(layer4) }}
+                        route @{{ layer4['@uuid'] }} {
+                            {{ configure_proxy(layer4, layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                        }
+                    {% else %}
+                        route {
+                            {{ configure_proxy(layer4, layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                        }
+                    {% endif %}
+                {% endif %}
+            {% endfor %}
+        }
     {% endfor %}
-    {# Empty Route that catches all other traffic #}
-    route
-}
-{# Route all other traffic to HTTP App #}
-tls
+{% endif %}

From 5b06e8af1bf832036af19be72ee1051249607933 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 8 Oct 2024 16:43:09 +0200
Subject: [PATCH 2130/3088] databases/redis: switch to 7.2 port for
 security+licensing

---
 databases/redis/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/databases/redis/Makefile b/databases/redis/Makefile
index badb38f13c..129de8ac7d 100644
--- a/databases/redis/Makefile
+++ b/databases/redis/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		redis
 PLUGIN_VERSION=		1.1
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Redis DB
-PLUGIN_DEPENDS=		redis
+PLUGIN_DEPENDS=		redis72
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"

From c4eb416554e0c6b8e4544785ab4a0de4ad5b32ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Oct 2024 08:53:27 +0200
Subject: [PATCH 2131/3088] sysutils/smart: repair breakage

---
 sysutils/smart/src/opnsense/www/js/widgets/Smart.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
index c5a6dc24bd..30b2d5986e 100644
--- a/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
+++ b/sysutils/smart/src/opnsense/www/js/widgets/Smart.js
@@ -41,7 +41,7 @@ export default class Smart extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        let disks = await this.ajaxCall(`/api/smart/service/${'list/detailed'}`, {}, null);
+        let disks = await this.ajaxCall(`/api/smart/service/${'list/detailed'}`, {}, 'POST');
         if (disks && disks.devices) {
             const rows = [];
             for (const device of disks.devices) {

From c48d31be34606655729f2b15430ed86f211ec13b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Oct 2024 08:55:02 +0200
Subject: [PATCH 2132/3088] sysutils/smart: also add link

---
 sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml b/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
index a18760b458..eb36c75fe9 100644
--- a/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
+++ b/sysutils/smart/src/opnsense/www/js/widgets/Metadata/Smart.xml
@@ -1,6 +1,7 @@
 <metadata>
     <smart>
         <filename>Smart.js</filename>
+        <link>/ui/smart</link>
         <endpoints>
             <endpoint>/api/smart/service/*</endpoint>
         </endpoints>

From ae9a0afb269887686229519298ef423f83dd3c75 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Oct 2024 09:01:28 +0200
Subject: [PATCH 2133/3088] net/frr: fixup this header

---
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  | 52 +++++++++----------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index 8b9ff52978..3e3b00e0b7 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -1,31 +1,31 @@
 {#
-Copyright (c) 2014 – 2024 by Deciso B.V.
-Copyright (c) 2017 by Fabian Franz
-Copyright (c) Michael Muenz <m.muenz@gmail.com></m.muenz>
-All rights reserved.
+ # Copyright (c) 2014-2024 Deciso B.V.
+ # Copyright (c) 2017 Fabian Franz
+ # Copyright (c) 2017 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
 <script>
     'use strict';
     $( document ).ready(function () {

From f25a1fa6d54ef53339ab02685ecaf53a8fa5fcbb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Oct 2024 09:01:41 +0200
Subject: [PATCH 2134/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index e892c79234..2e63b3f32b 100644
--- a/LICENSE
+++ b/LICENSE
@@ -36,6 +36,7 @@ Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis <jos@opnsense.org>
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019-2022 Juergen Kellerer
+Copyright (c) 2024 laraveluser
 Copyright (c) 2023 Liam Steckler <liam@liamsteckler.com>
 Copyright (c) 2020-2021 Manuel Faux
 Copyright (c) 2021 Manuel Hofmann

From 5a5d2dad3aeeb32cc6ca60db5a5ce89844a38c4b Mon Sep 17 00:00:00 2001
From: jkellerer <jkellerer@users.noreply.github.com>
Date: Thu, 10 Oct 2024 12:07:23 +0200
Subject: [PATCH 2135/3088] qemu-ga: fixes disabled-rpcs broke service start

Applies renamed CLI arg `blacklist` > `block-rpcs`.
See: https://bugzilla.redhat.com/show_bug.cgi?id=2156515
---
 .../service/templates/OPNsense/QemuGuestAgent/rc.conf.d         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d b/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d
index 301b81ccb2..4a14bee7e6 100644
--- a/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d
+++ b/emulators/qemu-guest-agent/src/opnsense/service/templates/OPNsense/QemuGuestAgent/rc.conf.d
@@ -6,7 +6,7 @@
 {%     do optional_flags.append('-v') %}
 {%   endif %}
 {%   if helpers.exists('OPNsense.QemuGuestAgent.general.DisabledRPCs') and not helpers.empty('OPNsense.QemuGuestAgent.general.DisabledRPCs') %}
-{%     do optional_flags.append('--blacklist=' ~ OPNsense.QemuGuestAgent.general.DisabledRPCs) %}
+{%     do optional_flags.append('--block-rpcs=' ~ OPNsense.QemuGuestAgent.general.DisabledRPCs) %}
 {%   endif %}
 qemu_guest_agent_setup="/usr/local/opnsense/scripts/OPNsense/QemuGuestAgent/setup.sh"
 qemu_guest_agent_enable="YES"

From 4c4e4a25c6e1bdb251ca7d2297b1916d9f362725 Mon Sep 17 00:00:00 2001
From: TotalGriffLock <john@theshado.ws>
Date: Thu, 10 Oct 2024 18:44:22 +0100
Subject: [PATCH 2136/3088] Enable AgentX Integration in LLDP (#4249)

* Update lldpd

Add handler for agentx to add -x switch

* Update General.xml

Added AgentX field to model

* Update general.xml

Add field for agentx support

* Update lldpd

Rearrange ifs slightly

* Update Makefile

Reflect version changes

* Update net-mgmt/lldpd/Makefile

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* Update net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/forms/general.xml

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 net-mgmt/lldpd/Makefile                                     | 3 +--
 .../mvc/app/controllers/OPNsense/Lldpd/forms/general.xml    | 6 ++++++
 .../src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml  | 6 +++++-
 .../src/opnsense/service/templates/OPNsense/Lldpd/lldpd     | 2 +-
 4 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/lldpd/Makefile b/net-mgmt/lldpd/Makefile
index 96a79b57a2..ae63bd512b 100644
--- a/net-mgmt/lldpd/Makefile
+++ b/net-mgmt/lldpd/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		lldpd
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		LLDP allows you to know exactly on which port is a server
 PLUGIN_DEPENDS=		lldpd
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/forms/general.xml b/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/forms/general.xml
index 93809a4d08..48da1c1d5f 100644
--- a/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/forms/general.xml
+++ b/net-mgmt/lldpd/src/opnsense/mvc/app/controllers/OPNsense/Lldpd/forms/general.xml
@@ -29,6 +29,12 @@
         <type>checkbox</type>
         <help>This will activate the SONMP Protocol by Nortel.</help>
     </field>
+    <field>
+        <id>general.agentx</id>
+        <label>Enable AgentX SNMP Integration</label>
+        <type>checkbox</type>
+        <help>This will enable AgentX support, which can then be queried via SNMP.</help>
+    </field>
     <field>
         <id>general.interface</id>
         <label>Interface Configuration</label>
diff --git a/net-mgmt/lldpd/src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml b/net-mgmt/lldpd/src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml
index 43bf37a88c..30304bf6f0 100644
--- a/net-mgmt/lldpd/src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml
+++ b/net-mgmt/lldpd/src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/lldpd/general</mount>
     <description>Lldpd configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -23,6 +23,10 @@
             <default>0</default>
             <Required>Y</Required>
         </sonmp>
+        <agentx type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </agentx>
         <interface type="TextField">
             <Required>N</Required>
         </interface>
diff --git a/net-mgmt/lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd b/net-mgmt/lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd
index 9595e7d7d3..4e627eb957 100644
--- a/net-mgmt/lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd
+++ b/net-mgmt/lldpd/src/opnsense/service/templates/OPNsense/Lldpd/lldpd
@@ -1,6 +1,6 @@
 {% if helpers.exists('OPNsense.lldpd.general.enabled') and OPNsense.lldpd.general.enabled == '1' %}
 lldpd_enable="YES"
-lldpd_flags="{% if helpers.exists('OPNsense.lldpd.general.cdp') and OPNsense.lldpd.general.cdp == '1' %}-c{% endif %}{% if helpers.exists('OPNsense.lldpd.general.fdp') and OPNsense.lldpd.general.fdp == '1' %} -f{% endif %}{% if helpers.exists('OPNsense.lldpd.general.edp') and OPNsense.lldpd.general.edp == '1' %} -e{% endif %}{% if helpers.exists('OPNsense.lldpd.general.sonmp') and OPNsense.lldpd.general.sonmp == '1' %} -s{% endif %}{% if helpers.exists('OPNsense.lldpd.general.interface') and OPNsense.lldpd.general.interface != '' %} -I {{ OPNsense.lldpd.general.interface }}{% endif %} -M 4"
+lldpd_flags="{% if helpers.exists('OPNsense.lldpd.general.cdp') and OPNsense.lldpd.general.cdp == '1' %}-c{% endif %}{% if helpers.exists('OPNsense.lldpd.general.fdp') and OPNsense.lldpd.general.fdp == '1' %} -f{% endif %}{% if helpers.exists('OPNsense.lldpd.general.edp') and OPNsense.lldpd.general.edp == '1' %} -e{% endif %}{% if helpers.exists('OPNsense.lldpd.general.sonmp') and OPNsense.lldpd.general.sonmp == '1' %} -s{% endif %}{% if helpers.exists('OPNsense.lldpd.general.agentx') and OPNsense.lldpd.general.agentx == '1' %} -x{% endif %}{% if helpers.exists('OPNsense.lldpd.general.interface') and OPNsense.lldpd.general.interface != '' %} -I {{ OPNsense.lldpd.general.interface }}{% endif %} -M 4"
 {% else %}
 lldpd_enable="NO"
 {% endif %}

From deebe03e41134306e2ad2ecab632672876be762a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 10 Oct 2024 21:21:09 +0200
Subject: [PATCH 2137/3088] security/wazuh-agent - add advanced option to
 specifify protocol. closes https://github.com/opnsense/plugins/issues/4289

---
 .../controllers/OPNsense/WazuhAgent/forms/settings.xml |  7 +++++++
 .../mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml  | 10 +++++++++-
 .../service/templates/OPNsense/WazuhAgent/ossec.conf   |  1 +
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
index 0253a4fd17..3654827d80 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
@@ -15,6 +15,13 @@
         <type>text</type>
         <help>Specifies the IP address or the hostname of the Wazuh manager.</help>
     </field>
+    <field>
+        <id>agent.general.protocol</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+        <help>Specifies the IP protocol to use.</help>
+    </field>
     <field>
         <id>agent.logcollector.syslog_programs</id>
         <label>Applications</label>
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
index 9a5b5de72c..4c4a2b568d 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/WazuhAgent</mount>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <description>
         Wazuh Agent
     </description>
@@ -14,6 +14,14 @@
                 <Required>Y</Required>
                 <IpAllowed>Y</IpAllowed>
             </server_address>
+            <protocol type="OptionField">
+                <default>tcp</default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <tcp>TCP</tcp>
+                    <udp>UDP</udp>
+                </OptionValues>
+            </protocol>
             <debug_level type="OptionField">
                 <default>0</default>
                 <Required>Y</Required>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
index 1303029ae1..53aeb20e77 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
@@ -2,6 +2,7 @@
   <client>
     <server>
       <address>{{OPNsense.WazuhAgent.general.server_address}}</address>
+      <protocol>{{OPNsense.WazuhAgent.general.protocol|default('tcp')}}</protocol>
     </server>
     <crypto_method>aes</crypto_method>
   </client>

From a66cc228f8320dd332c40a5558b22d44d33db6ad Mon Sep 17 00:00:00 2001
From: captainko <thongnguyen.uit@gmail.com>
Date: Fri, 26 Jul 2024 18:47:02 +0700
Subject: [PATCH 2138/3088] net/freeradius: Allow `&` as a password character
 #4115

---
 .../OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml      | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
index e025a865a5..0a6f50c54d 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
@@ -15,7 +15,7 @@
         <id>user.password</id>
         <label>Password</label>
         <type>password</type>
-        <help>Set the password for the user. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#=: with up to 128 characters.</help>
+        <help><![CDATA[Set the password for the user. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#=:& with up to 128 characters.]]></help>
     </field>
     <field>
         <id>user.passwordencryption</id>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index 589798ce4a..822e7c92bb 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -15,7 +15,7 @@
                 </username>
                 <password type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</mask>
+                    <mask><![CDATA[/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:&]){1,128}$/u]]></mask>
                 </password>
                 <passwordencryption type="OptionField">
                     <default>Cleartext-Password</default>

From bc3495c5722a78489eb799a0dbb00607a9aee69b Mon Sep 17 00:00:00 2001
From: Mike Shuey <shuey@fmepnet.org>
Date: Sun, 13 Oct 2024 01:49:07 -0700
Subject: [PATCH 2139/3088] Correct minor issues in OSPF6 (#4291)

Template for ospf6d.conf should call out ipv6, not ip, for both
route-map and prefix-list.  Also, a rogue newline crept into
ospf6.volt - corrupting the enabled checkboxes in the Prefix Lists
tab.
---
 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt | 3 +--
 .../opnsense/service/templates/OPNsense/Quagga/ospf6d.conf    | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index 3e3b00e0b7..3a47744363 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -182,8 +182,7 @@
         <table id="grid-prefixlists" class="table table-responsive" data-editDialog="DialogEditPrefixLists">
             <thead>
                 <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowt
-oggle" data-sortable="false">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
                     <th data-column-id="name" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Name') }}</th>
                     <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Sequence Number') }}</th>
                     <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index cba31d7888..3c066333ad 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -92,7 +92,7 @@ router ospf6
 {%   if helpers.exists('OPNsense.quagga.ospf6.prefixlists.prefixlist') %}
 {%     for prefixlist in helpers.sortDictList(OPNsense.quagga.ospf6.prefixlists.prefixlist, 'name', 'seqnumber' ) %}
 {%       if prefixlist.enabled == '1' %}
-ip prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixlist.action }} {{ prefixlist.network }}
+ipv6 prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixlist.action }} {{ prefixlist.network }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
@@ -105,7 +105,7 @@ route-map {{ routemap.name }} {{ routemap.action }} {{ routemap.id }}
 {%           for prefixlist in routemap.match2.split(",") %}
 {%             set prefixlist_data = helpers.getUUID(prefixlist) %}
 {%             if 'match2' in routemap and routemap.match2 != '' %}
- match ip address prefix-list {{ prefixlist_data.name }}
+ match ipv6 address prefix-list {{ prefixlist_data.name }}
 {%             endif %}
 {%           endfor %}
 {%         endif %}

From a46befba299b3ad3430a7998a578630e20cbe4d2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 14 Oct 2024 10:41:50 +0200
Subject: [PATCH 2140/3088] plugins: commit this local modification

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index 855a6c3936..6213804b6b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 *.pyc
+.*DS_Store
 .idea
+.sass-cache
 venv
 /*/*/work

From 5ec09a64f24dddf93880f4bf9e95a69acece4999 Mon Sep 17 00:00:00 2001
From: ilumos <ilumos@gmail.com>
Date: Wed, 16 Oct 2024 06:41:21 +0100
Subject: [PATCH 2141/3088] dns/ddclient: Add DigitalOcean support (#4290)

* dns/ddclient: Add DigitalOcean support

* Implement improvements from AdSchellevis in PR #4290
---
 .../ddclient/lib/account/digitalocean.py      | 177 ++++++++++++++++++
 1 file changed, 177 insertions(+)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/digitalocean.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/digitalocean.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/digitalocean.py
new file mode 100644
index 0000000000..e6a62f25fa
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/digitalocean.py
@@ -0,0 +1,177 @@
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2024 Olly Baker <ilumos@gmail.com>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import json
+import syslog
+import requests
+from . import BaseAccount
+
+
+class DigitalOcean(BaseAccount):
+    _priority = 65535
+
+    _services = {"digitalocean": "api.digitalocean.com"}
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return {"digitalocean": "DigitalOcean"}
+
+    @staticmethod
+    def match(account):
+        return account.get("service") in DigitalOcean._services
+
+    def execute(self):
+        if super().execute():
+            recordType = "AAAA" if str(self.current_address).find(":") > 1 else "A"
+
+            headers = {
+                "User-Agent": "OPNsense-dyndns",
+                "Authorization": "Bearer " + self.settings.get("password"),
+            }
+
+            url = "https://%s/v2/domains/%s/records" % (
+                self._services[self.settings.get("service")],
+                self.settings.get("zone"),
+            )
+
+            if self.is_verbose:
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s current IP is %s (%s)"
+                    % (self.description, self.current_address, recordType),
+                )
+
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s updating hostnames %s"
+                    % (self.description, self.settings.get("hostnames", "")),
+                )
+
+            # Update each hostname
+            for hostname in self.settings.get("hostnames", "").split(","):
+
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s getting record ID for hostname %s (%s)"
+                        % (self.description, hostname, recordType),
+                    )
+
+                request = {
+                    "url": url,
+                    "params": {"name": hostname, "type": recordType},
+                    "headers": headers,
+                }
+
+                # Get record ID
+                response = requests.get(**request)
+
+                try:
+                    payload = response.json()
+                except requests.exceptions.JSONDecodeError:
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error getting record ID for hostname %s (%s): failed to decode response as JSON. Response: %s"
+                        % (self.description, hostname, recordType, response.text),
+                    )
+                    continue
+
+                if response.status_code != 200:
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error getting record ID for hostname %s (%s): HTTP %s. Response: %s"
+                        % (
+                            self.description,
+                            hostname,
+                            recordType,
+                            response.status_code,
+                            response.text,
+                        ),
+                    )
+                    continue
+
+                if not payload.get("domain_records"):
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error getting record ID for hostname %s (%s): no results returned. Response: %s"
+                        % (self.description, hostname, recordType, response.text),
+                    )
+                    continue
+
+                record_id = payload["domain_records"][0]["id"]
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s record ID for %s (%s) is %s"
+                        % (self.description, hostname, recordType, record_id),
+                    )
+
+                request = {
+                    "url": "%s/%s" % (url, str(record_id)),
+                    "json": {
+                        "type": recordType,
+                        "data": str(self.current_address),
+                    },
+                    "headers": headers,
+                }
+
+                # Update record IP
+                response = requests.patch(**request)
+
+                if response.status_code == 200:
+                    if self.is_verbose:
+                        syslog.syslog(
+                            syslog.LOG_NOTICE,
+                            "Account %s successfully updated hostname %s (%s) to IP %s"
+                            % (
+                                self.description,
+                                hostname,
+                                recordType,
+                                self.current_address,
+                            ),
+                        )
+
+                else:
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s failed to set new IP (%s) for hostname %s (%s): HTTP %s. Response: %s"
+                        % (
+                            self.description,
+                            self.current_address,
+                            self.description,
+                            hostname,
+                            recordType,
+                            response.status_code,
+                            response.text,
+                        ),
+                    )
+                    continue
+            self.update_state(address=self.current_address)
+            return True
+        return False

From ea446e3abf414c25a71d7c491c89f32af700691e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Oct 2024 07:45:56 +0200
Subject: [PATCH 2142/3088] net/frr: bump revision

---
 net/frr/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 369c01212c..7c51f3c321 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.41
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 3304711c9de6e61725940eaf79dec041d253bd38 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Oct 2024 07:46:57 +0200
Subject: [PATCH 2143/3088] net/freeradius: bump revision

---
 net/freeradius/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 2faab42f67..80c42387ee 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.25
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 3b55d0a012b4fea4f2742fe6c038f3aec6025a2a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Oct 2024 07:51:58 +0200
Subject: [PATCH 2144/3088] security/wazuh-agent: wrap up next version

---
 security/wazuh-agent/Makefile                                 | 3 +--
 security/wazuh-agent/pkg-descr                                | 4 ++++
 .../app/controllers/OPNsense/WazuhAgent/forms/settings.xml    | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index a955109f7b..41a7f47851 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wazuh-agent
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/wazuh-agent/pkg-descr b/security/wazuh-agent/pkg-descr
index d131468862..feb4a29e2a 100644
--- a/security/wazuh-agent/pkg-descr
+++ b/security/wazuh-agent/pkg-descr
@@ -8,6 +8,10 @@ solution.
 Plugin Changelog
 ================
 
+1.1
+
+* Add advanced option to specify transport protocol
+
 1.0
 
 * Initial version
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
index 3654827d80..342b03cb51 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
@@ -20,7 +20,7 @@
         <label>Protocol</label>
         <type>dropdown</type>
         <advanced>true</advanced>
-        <help>Specifies the IP protocol to use.</help>
+        <help>Specifies the transport protocol to use.</help>
     </field>
     <field>
         <id>agent.logcollector.syslog_programs</id>

From 47dd377ae62aa00d79fd07c41e7c0c19edccb5e9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Oct 2024 08:04:37 +0200
Subject: [PATCH 2145/3088] net-mgmt/lldpd: add a plugin changelog

---
 net-mgmt/lldpd/pkg-descr | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/net-mgmt/lldpd/pkg-descr b/net-mgmt/lldpd/pkg-descr
index 81e62b6a3c..652ec7c97f 100644
--- a/net-mgmt/lldpd/pkg-descr
+++ b/net-mgmt/lldpd/pkg-descr
@@ -1,7 +1,19 @@
-LLDP is an industry standard protocol designed to supplant
-proprietary Link-Layer protocols such as EDP or CDP.
-The goal of LLDP is to provide an inter-vendor compatible
-mechanism to deliver Link-Layer notifications to adjacent
-network devices.
+LLDP is an industry standard protocol designed to supplant proprietary
+Link-Layer protocols such as EDP or CDP.  The goal of LLDP is to provide
+an inter-vendor compatible mechanism to deliver Link-Layer notifications
+to adjacent network devices.
 
-WWW: https://vincentbernat.github.io/lldpd/
+Plugin Changelog
+================
+
+1.2
+
+* Add AgentX integration support (contributed by TotalGriffLock)
+
+1.1
+
+* Ability to set interfaces (contributed by Michael Muenz)
+
+1.0
+
+* Initial version (contributed by Michael Muenz)

From ee64ec628ba0279a1739a512fb94e1b5f3f8b6a1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Oct 2024 08:06:30 +0200
Subject: [PATCH 2146/3088] dns/ddclient: new version

---
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 3b90c78397..dc8f2f58d0 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.24
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.25
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index c6bac757fc..1215267ca5 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.25
+
+* Add DigitalOcean support to native backend (contributed by Olly Baker)
+
 1.24
 
 * Refactored IP matching (contributed by Rob van Oostenrijk)

From 4f9801f9debd062f69a1dcec99276aa0f12ee1e4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Oct 2024 08:31:10 +0200
Subject: [PATCH 2147/3088] www/caddy: style fix

---
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index aefc67b9b8..28181a9fda 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -240,23 +240,23 @@ private function checkLayer4Matchers($messages)
                         ),
                         $key . ".FromDomain"
                     ));
-                    } elseif (
+                } elseif (
                         !in_array((string)$item->Matchers, ['httphost', 'tlssni']) &&
                         (
                             !empty((string)$item->FromDomain) &&
                             (string)$item->FromDomain != '*'
                         )
-                    ) {
-                        $messages->appendMessage(new Message(
-                            sprintf(
-                                gettext(
-                                    'When "%s" matcher is selected, domain must be empty or *.'
-                                ),
-                                $item->Matchers
+                ) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When "%s" matcher is selected, domain must be empty or *.'
                             ),
-                            $key . ".FromDomain"
-                        ));
-                    }
+                            $item->Matchers
+                        ),
+                        $key . ".FromDomain"
+                    ));
+                }
 
                 if ((string)$item->Type === 'global' && empty((string)$item->FromPort)) {
                     $messages->appendMessage(new Message(
@@ -292,7 +292,8 @@ private function checkLayer4Matchers($messages)
                     ));
                 }
 
-                if ((string)$item->Type !== 'global' &&
+                if (
+                    (string)$item->Type !== 'global' &&
                     (
                         (string)$item->Matchers == 'tls' ||
                         (string)$item->Matchers == 'http'

From 5a20104f393c19ae5190a82ac65d5e5b94f47399 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Oct 2024 08:48:31 +0200
Subject: [PATCH 2148/3088] dns/ddclient: fix permission

---
 .../src/opnsense/scripts/ddclient/lib/account/digitalocean.py     | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/digitalocean.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/digitalocean.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/digitalocean.py
old mode 100644
new mode 100755

From 1a64cab8cb8f5b1f8f1a5d83de25652940e9ae39 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Oct 2024 08:48:51 +0200
Subject: [PATCH 2149/3088] plugins: add 'commit' target to ease a bit of
 typing

---
 Mk/plugins.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 3e89eaab6b..172c7b40d4 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -280,6 +280,9 @@ WRKDIR?=${.CURDIR}/work
 WRKSRC?=${WRKDIR}/src
 PKGDIR?=${WRKDIR}/pkg
 
+ensure-workdirs:
+	@mkdir -p ${WRKSRC} ${PKGDIR}
+
 package: check
 	@rm -rf ${WRKSRC}
 	@mkdir -p ${WRKSRC} ${PKGDIR}
@@ -455,4 +458,8 @@ test: check
 		    ${.CURDIR}/src/opnsense/mvc/tests; \
 	fi
 
+commit: ensure-workdirs
+	@echo -n "${.CURDIR:C/\// /g:[-2]}/${.CURDIR:C/\// /g:[-1]}: " > \
+	    ${WRKDIR}/.commitmsg && git commit -eF ${WRKDIR}/.commitmsg .
+
 .PHONY:	check plist-fix

From 8acc780ecc376223f27503c6f5e94a580e5043ca Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Oct 2024 11:47:30 +0200
Subject: [PATCH 2150/3088] sysutils/cpu-microcode: remove the late loading
 code, AMD early load now supported

---
 sysutils/cpu-microcode/Makefile                              | 2 +-
 .../src/etc/rc.syshook.d/early/40-cpu-microcode              | 5 -----
 2 files changed, 1 insertion(+), 6 deletions(-)
 delete mode 100755 sysutils/cpu-microcode/src/etc/rc.syshook.d/early/40-cpu-microcode

diff --git a/sysutils/cpu-microcode/Makefile b/sysutils/cpu-microcode/Makefile
index 9251d5fd5d..4a4d477b76 100644
--- a/sysutils/cpu-microcode/Makefile
+++ b/sysutils/cpu-microcode/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		cpu-microcode-amd
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		CPU microcode updates
 PLUGIN_DEPENDS=		x86info
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/cpu-microcode/src/etc/rc.syshook.d/early/40-cpu-microcode b/sysutils/cpu-microcode/src/etc/rc.syshook.d/early/40-cpu-microcode
deleted file mode 100755
index 4dab1e32c7..0000000000
--- a/sysutils/cpu-microcode/src/etc/rc.syshook.d/early/40-cpu-microcode
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-export microcode_update_enable="YES"
-
-/usr/local/etc/rc.d/microcode_update start

From e0838b9ef929e2a8fa8ecb73155ef077ce15686a Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Fri, 18 Oct 2024 10:33:19 +0200
Subject: [PATCH 2151/3088] net/freeradius add `require_message_authenticator`
 client option (#4306)

It is recommended for RADIUS clients to use a message authenticator for all
requests to protect against the BlastRADIUS attack.

PR: https://forum.opnsense.org/index.php?topic=42094.msg207448
---
 net/freeradius/Makefile                                    | 2 +-
 net/freeradius/pkg-descr                                   | 4 ++++
 .../Freeradius/forms/dialogEditFreeRADIUSClient.xml        | 7 +++++++
 .../opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml | 6 +++++-
 .../service/templates/OPNsense/Freeradius/clients.conf     | 3 +++
 5 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 80c42387ee..3ae166e0f3 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.25
+PLUGIN_VERSION=		1.9.26
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 29fb02263b..d8aef153f1 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -15,6 +15,10 @@ The server is fast, feature-rich, modular, and scalable.
 Plugin Changelog
 ================
 
+1.9.26
+
+* Added support for `require_message_authenticator` in client configuration (contributed by Patrick M. Hausen)
+
 1.9.25
 
 * Added support for remote syslog
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml
index 5247b87ed5..e94468185e 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml
@@ -23,4 +23,11 @@
         <type>text</type>
         <help>Set the IP address of the remote client or the complete network like 10.10.10.0/24</help>
     </field>
+    <field>
+        <id>client.require_ma</id>
+        <label>Require Message-Authenticator</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>RFC 5080 suggests that all clients should include it in an Access-Request. If the server requires it (option checked) and the client does not, then the packet will be silently discarded.</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
index 22caf41c24..97f2a43245 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/client</mount>
     <description>FreeRADIUS client configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <clients>
             <client type="ArrayField">
@@ -18,6 +18,10 @@
                 <ip type="NetworkField">
                     <Required>N</Required>
                 </ip>
+                <require_ma type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </require_ma>
             </client>
         </clients>
     </items>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
index bac3ce8a11..7a6eb48de4 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
@@ -11,6 +11,9 @@ client "{{ client_list.name }}" {
 {%       else %}
        ipaddr    = {{ client_list.ip }}
 {%       endif %}
+{%       if client_list.require_ma == '1' %}
+       require_message_authenticator = yes
+{%       endif %}
 }
 
 {%     endif %}

From f0d52376a5a29e1c5b33595ce7620652102281b4 Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Fri, 18 Oct 2024 10:59:53 +0200
Subject: [PATCH 2152/3088] net-mgmt/net-snmp Add Observium extended OIDs
 (#4301)

Add OIDs and script for the Observium network management system.

https://docs.observium.org/device_linux/

(Adapted for FreeBSD)
---
 net-mgmt/net-snmp/Makefile                    |   3 +-
 net-mgmt/net-snmp/pkg-descr                   |   4 +
 .../OPNsense/Netsnmp/forms/general.xml        |   6 +
 .../app/models/OPNsense/Netsnmp/General.xml   |   6 +-
 .../scripts/OPNsense/Netsnmp/distro.sh        | 605 ++++++++++++++++++
 .../templates/OPNsense/Netsnmp/snmpd.conf     |   7 +
 6 files changed, 628 insertions(+), 3 deletions(-)
 create mode 100755 net-mgmt/net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/distro.sh

diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 3377f582f8..6d3792c1c7 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		net-snmp
-PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	5
+PLUGIN_VERSION=		1.6
 PLUGIN_COMMENT=		Net-SNMP is a daemon for the SNMP protocol
 PLUGIN_DEPENDS=		net-snmp
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/net-snmp/pkg-descr b/net-mgmt/net-snmp/pkg-descr
index bead1bf838..aaa479720a 100644
--- a/net-mgmt/net-snmp/pkg-descr
+++ b/net-mgmt/net-snmp/pkg-descr
@@ -11,6 +11,10 @@ WWW: http://www.net-snmp.org
 Plugin Changelog
 ----------------
 
+1.6
+
+* Add support for Observium (contributed by Patrick M. Hausen)
+
 1.5
 
 * Add support for agentx
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
index 114b0761a5..f723fa1de6 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/forms/general.xml
@@ -29,6 +29,12 @@
         <type>checkbox</type>
         <help>Enable support for AgentX Application (FRR, others).</help>
     </field>
+    <field>
+        <id>general.enableobservium</id>
+        <label>Add Observium Support</label>
+        <type>checkbox</type>
+        <help>Enable extended OIDs for Observium NMS.</help>
+    </field>
     <field>
         <id>general.l3visibility</id>
         <label>Layer 3 Visibility</label>
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
index 911568aab8..aad29a1693 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/netsnmp/general</mount>
     <description>Netsnmp configuration</description>
-    <version>1.0.4</version>
+    <version>1.0.5</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -31,6 +31,10 @@
             <default>0</default>
             <Required>Y</Required>
         </enableagentx>
+        <enableobservium type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enableobservium>
         <listen type="NetworkField">
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
diff --git a/net-mgmt/net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/distro.sh b/net-mgmt/net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/distro.sh
new file mode 100755
index 0000000000..e299ffb24b
--- /dev/null
+++ b/net-mgmt/net-snmp/src/opnsense/scripts/OPNsense/Netsnmp/distro.sh
@@ -0,0 +1,605 @@
+#!/bin/sh
+#
+#   Observium License Version 1.0
+#
+#   Copyright (C) 2013-2019 Joe Holden, (C) 2014-2024 Observium Limited
+#
+#   The intent of this license is to establish the freedom to use, share and contribute to
+#   the software regulated by this license.
+#
+#   This license applies to any software containing a notice placed by the copyright holder
+#   saying that it may be distributed under the terms of this license. Such software is herein
+#   referred to as the Software. This license covers modification and distribution of the
+#   Software.
+#
+#   Granted Rights
+#
+#   1. You are granted the non-exclusive rights set forth in this license provided you agree to
+#      and comply with any and all conditions in this license. Whole or partial distribution of the
+#      Software, or software items that link with the Software, in any form signifies acceptance of
+#      this license.
+#
+#   2. You may copy and distribute the Software in unmodified form provided that the entire package,
+#      including - but not restricted to - copyright, trademark notices and disclaimers, as released
+#      by the initial developer of the Software, is distributed.
+#
+#   3. You may make modifications to the Software and distribute your modifications, in a form that
+#      is separate from the Software, such as patches. The following restrictions apply to modifications:
+#
+#      a. Modifications must not alter or remove any copyright notices in the Software.
+#      b. When modifications to the Software are released under this license, a non-exclusive royalty-free
+#         right is granted to the initial developer of the Software to distribute your modification in
+#         future versions of the Software provided such versions remain available under these terms in
+#         addition to any other license(s) of the initial developer.
+#
+#   Limitations of Liability
+#
+#   In no event shall the initial developers or copyright holders be liable for any damages whatsoever,
+#   including - but not restricted to - lost revenue or profits or other direct, indirect, special,
+#   incidental or consequential damages, even if they have been advised of the possibility of such damages,
+#   except to the extent invariable law, if any, provides otherwise.
+#
+#   No Warranty
+#
+#   The Software and this license document are provided AS IS with NO WARRANTY OF ANY KIND, INCLUDING THE
+#   WARRANTY OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+#
+#   URL: [https://www.observium.org/files/distro]
+
+DISTROSCRIPT="2.3.2"
+
+if [ -z ${DISTROFORMAT} ]; then
+    DISTROFORMAT="pipe"
+fi
+
+if [ -n "${AGENT_LIBDIR}" -o -n "${MK_LIBDIR}" ]; then
+    DISTROFORMAT="export"
+fi
+
+getos() {
+    OS=`uname -s`
+    if [ "${OS}" = "SunOS" ]; then
+        OS="Solaris"
+    elif [ "${OS}" = "DragonFly" ]; then
+        OS="DragonFlyBSD"
+    fi
+    export OS
+    return 0
+}
+
+getkernel() {
+    if [ "${OS}" = "FreeBSD" -o "${OS}" = "DragonFlyBSD" ]; then
+        KERNEL=`uname -i`
+    elif [ "${OS}" = "OpenBSD" -o "${OS}" = "NetBSD" ]; then
+        KERNEL=`uname -v`
+    elif [ "${OS}" = "AIX" ]; then
+        KERNEL=`oslevel -s`
+    else
+        KERNEL=`uname -r`
+    fi
+    export KERNEL
+    return 0
+}
+
+getdistro() {
+    if [ "${OS}" = "Linux" ]; then
+        if [ -f /etc/os-release ]; then
+            if [ -f /etc/armbian-release ]; then
+                # Armbian uses incorrect os-release
+                DISTRO="Armbian"
+            elif [ -f /etc/orangepi-release ]; then
+                # Orange Pi uses incorrect os-release
+                DISTRO="Orange OS"
+            elif [ -f /boot/dietpi/.version ]; then
+                # This is clone of Raspbian, but distro/version incorrect
+                DISTRO="DietPi"
+            else
+                # note, this source include also set variable name $VERSION, ie on debian "10 (buster)"
+                . /etc/os-release
+                #DISTRO=`echo ${NAME} | awk '{print $1}'`
+                DISTRO="${NAME% *}"
+                if [ "${DISTRO}" = "Linux" ]; then
+                    # ie: Linux Mint
+                    DISTRO="${NAME#Linux *}"
+                fi
+            fi
+        elif [ -x /usr/bin/lsb_release ]; then
+            DISTRO=`/usr/bin/lsb_release -si 2>/dev/null`
+        elif [ -f /etc/redhat-release ]; then
+            DISTRO=`cat /etc/redhat-release | cut -d" " -f1`
+        elif [ -f /etc/fedora-release ]; then
+            DISTRO="Fedora"
+        elif [ -f /etc/debian_version ]; then
+            if [ -f /etc/mailcleaner/etc/mailcleaner/version.def ]; then
+                DISTRO="MailCleaner"
+            else
+                DISTRO="Debian"
+            fi
+        elif [ -f /etc/arch-release ]; then
+            DISTRO="ArchLinux"
+        elif [ -f /etc/gentoo-release ]; then
+            DISTRO="Gentoo"
+        elif [ -f /etc/SuSE-release -o -f /etc/novell-release -o -f /etc/sles-release ]; then
+            DISTRO="SuSE"
+          if [ -f /etc/os-release ]; then
+              . /etc/os-release
+                if [ "${NAME}" = "openSUSE" ]; then
+                    DISTRO="openSUSE"
+                fi
+            fi
+        elif [ -f /etc/mandriva-release ]; then
+            DISTRO="Mandriva"
+        elif [ -f /etc/mandrake-release -o -f /etc/mandakelinux-release ]; then
+            DISTRO="Mandrake"
+        elif [ -f /etc/UnitedLinux-release ]; then
+            DISTRO="UnitedLinux"
+        elif [ -f /etc/openwrt_version ]; then
+            DISTRO="OpenWRT"
+        elif [ -f /etc/slackware-version -o -f /etc/slackware-release ]; then
+            DISTRO="Slackware"
+        elif [ -f /etc/annvix-release ]; then
+            DISTRO="Annvix"
+        elif [ -f /etc/arklinux-release ]; then
+            DISTRO="Arklinux"
+        elif [ -f /etc/aurox-release ]; then
+            DISTRO="Aurox Linux"
+        elif [ -f /etc/blackcat-release ]; then
+            DISTRO="BlackCat"
+        elif [ -f /etc/cobalt-release ]; then
+            DISTRO="Cobalt"
+        elif [ -f /etc/conectiva-release ]; then
+            DISTRO="Conectiva"
+        elif [ -f /etc/eos-version ]; then
+            DISTRO="FreeEOS"
+        elif [ -f /etc/hlfs-release -o -f /etc/hlfs_version ]; then
+            DISTRO="HLFS"
+        elif [ -f /etc/immunix-release ]; then
+            DISTRO="Immunix"
+        elif [ -f /knoppix_version ]; then
+            DISTRO="Knoppix"
+        elif [ -f /etc/lfs-release -o -f /etc/lfs_version ]; then
+            DISTRO="Linux-From-Scratch"
+        elif [ -f /etc/linuxppc-release ]; then
+            DISTRO="Linux-PPC"
+        elif [ -f /etc/mageia-release ]; then
+            DISTRO="Mageia"
+        elif [ -f /etc/mklinux-release ]; then
+            DISTRO="MkLinux"
+        elif [ -f /etc/nld-release ]; then
+            DISTRO="Novell Linux Desktop"
+        elif [ -f /etc/pld-release ]; then
+            DISTRO="PLD"
+        elif [ -f /etc/rubix-version ]; then
+            DISTRO="Rubix"
+        elif [ -f /etc/e-smith-release ]; then
+            DISTRO="SME Server"
+        elif [ -f /etc/synoinfo.conf ]; then
+            DISTRO="Synology"
+        elif [ -f /etc/tinysofa-release ]; then
+            DISTRO="Tiny Sofa"
+        elif [ -f /etc/trustix-release -o -f /etc/trustix-version ]; then
+            DISTRO="Trustix"
+        elif [ -f /etc/turbolinux-release ]; then
+            DISTRO="TurboLinux"
+        elif [ -f /etc/ultrapenguin-release ]; then
+            DISTRO="UltraPenguin"
+        elif [ -f /etc/va-release ]; then
+            DISTRO="VA-Linux"
+        elif [ -f /etc/yellowdog-release ]; then
+            DISTRO="Yellow Dog"
+        else
+            DISTRO=
+        fi
+
+        # Additional Distro fixes
+        if [ "${DISTRO}" = "Debian GNU/Linux" ]; then
+            DISTRO="Debian"
+        elif [ "${DISTRO}" = "Red" -o "${DISTRO}" = "RedHatEnterpriseServer" ]; then
+            DISTRO="RedHat"
+        elif [ "${DISTRO}" = "VMware Photon" ]; then
+            DISTRO="Photon"
+        elif [ "${DISTRO}" = "Arch" ]; then
+            DISTRO="Arch Linux"
+        elif [ "${DISTRO}" = "Orange" ]; then
+            DISTRO="Orange OS"
+        elif [ "${DISTRO}" = "Amazon" ]; then
+            DISTRO="Amazon Linux"
+        fi
+
+    elif [ "${OS}" = "FreeBSD" ]; then
+        if [ -f /etc/platform -a -f /etc/version ]; then
+            DISTRO="pfSense"
+        elif [ -f /etc/platform -a -f /etc/prd.name ]; then
+            DISTRO=`cat /etc/prd.name`
+        elif [ -x /usr/local/sbin/opnsense-version ]; then
+            DISTRO="OPNsense"
+        elif [ -f /usr/local/bin/pbreg ]; then
+            DISTRO="PC-BSD"
+        elif [ -f /usr/sbin/hbsd-update -o -f /etc/hbsd-update.conf ]; then
+            DISTRO="HardenedBSD"
+        elif [ -f /tmp/freenas_config.md5 ]; then
+            DISTRO="FreeNAS"
+        else
+            DISTRO=
+        fi
+    elif [ "${OS}" = "Solaris" ]; then
+        DISTRO=`head -n 1 /etc/release | awk '{print $1}'`
+        if [ "${DISTRO}" = "Solaris" -o "${DISTRO}" = "Oracle" ]; then
+            DISTRO=
+        fi
+    elif [ "${OS}" = "Darwin" ]; then
+        case `uname -m` in
+            AppleTV*)
+                DISTRO="AppleTV"
+            ;;
+            iPad*)
+                DISTRO="iPad"
+                ;;
+            iPhone*)
+                DISTRO="iPhone"
+                ;;
+            iPod*)
+                DISTRO="iPod"
+                ;;
+            *)
+                DISTRO="macOS"
+                ;;
+        esac
+    else
+        DISTRO=
+    fi
+    export DISTRO
+    return 0
+}
+
+getarch() {
+    if [ "${OS}" = "Solaris" ]; then
+        ARCH=`isainfo -k`
+    elif [ "${OS}" = "Darwin" ]; then
+        ARCH=`uname -m`
+    elif [ "${OS}" = "AIX" ]; then
+        ARCH=`uname -p`
+    else
+        ARCH=`uname -m`
+    fi
+    if [ "${ARCH}" = "x86_64" ]; then
+        ARCH="amd64"
+    elif [ "${ARCH}" = "i486" -o "${ARCH}" = "i586" -o "${ARCH}" = "i686" ]; then
+        ARCH="i386"
+    fi
+    export ARCH
+    return 0
+}
+
+getversion() {
+    if [ "${OS}" = "FreeBSD" -o "${OS}" = "DragonFlyBSD" ]; then
+        if [ "${DISTRO}" = "pfSense" ]; then
+            VERSION=`cat /etc/version`
+        elif [ "${DISTRO}" = "PC-BSD" ]; then
+            VERSION=`pbreg get /PC-BSD/Version`
+        #elif [ "${DISTRO}" = "HardenedBSD" ]; then
+        #    tmp=`sysctl -n hardening.version 2>/dev/null`
+        #    VERSION=``
+        elif [ "${DISTRO}" = "OPNsense" ]; then
+            VERSION=`/usr/local/sbin/opnsense-version | awk '{ print $2 }'`
+        elif [ -f /etc/prd.version ]; then
+            VERSION=`cat /etc/prd.version`
+        elif [ -f /bin/freebsd-version ]; then
+            VERSION=`/bin/freebsd-version -u`
+        else
+            VERSION=`uname -r`
+        fi
+    elif [ "${OS}" = "OpenBSD" -o "${OS}" = "NetBSD" ]; then
+        VERSION=`uname -r`
+    elif [ "${OS}" = "Linux" ]; then
+        VERSION=none
+        if [ "${DISTRO}" = "Debian GNU/Linux" ]; then
+            DISTRO="Debian"
+        fi
+        if [ "${DISTRO}" = "OpenWRT" ]; then
+            VERSION=`cat /etc/openwrt_version`
+        elif [ "${DISTRO}" = "Slackware" ]; then
+            VERSION=`cat /etc/slackware-version | cut -d" " -f2`
+        elif [ "${DISTRO}" = "Armbian" ]; then
+            #. /etc/armbian-release
+            VERSION=`awk -F '=' '/VERSION=/ { print $2 }' /etc/armbian-release`
+        elif [ "${DISTRO}" = "Orange OS" ]; then
+            #. /etc/orangepi-release
+            VERSION=`awk -F '=' '/VERSION=/ { print $2 }' /etc/orangepi-release`
+        elif [ "${DISTRO}" = "DietPi" ]; then
+            . /boot/dietpi/.version
+            VERSION="${G_DIETPI_VERSION_CORE}.${G_DIETPI_VERSION_SUB}.${G_DIETPI_VERSION_RC}"
+        elif [ -f /etc/orangepi-os-version ]; then
+            VERSION=`awk -F ' - ' '{ print $NF }' /etc/orangepi-os-version | sed 's/-linux.*//'`
+        elif [ -f /etc/os-release ]; then
+            . /etc/os-release
+            VERSION="${VERSION_ID}"
+        elif [ -f /etc/redhat-release ]; then
+            VERSION=`cat /etc/redhat-release | sed 's/.*release\ //' | cut -d" " -f1`
+        elif [ -x /usr/bin/lsb_release ]; then
+            VERSION=`lsb_release -sr 2>/dev/null`
+        elif [ -f /etc/debian_version ]; then
+            VERSION=`cat /etc/debian_version | cut -d"." -f1`
+        fi
+
+        # reset not numeric version string
+        case $VERSION in 0*|1*|2*|3*|4*|5*|6*|7*|8*|9*)
+            ;;
+            *)
+                VERSION=none
+                ;;
+        esac
+
+        if [ "${VERSION}" = "none" -a -f /etc/os-release ]; then
+            . /etc/os-release
+            VERSION="${VERSION_ID}"
+        fi
+
+    elif [ "${OS}" = "Darwin" ]; then
+        VERSION=`sw_vers -productVersion`
+    elif [ "${OS}" = "Solaris" ]; then
+        VERSION=`uname -v`
+    elif [ "${OS}" = "AIX" ]; then
+        # ie: 6.1.0.0
+        VERSION=`oslevel`
+    else
+        VERSION=
+    fi
+    export VERSION
+    return 0
+}
+
+detectvirt() {
+    local type
+    type=none
+    case $1 in
+        [Vv][Mm][Ww][Aa][Rr][Ee]*)
+            type=vmware
+            ;;
+        HVM*domU*)
+            type=xenhvm
+            ;;
+        [Xx][Ee][Nn]*)
+            type=xenpv
+            ;;
+        [Mm][Ii][Cc][Rr][Oo][Ss][Oo][Ff][Tt]|[Vv][Ii][Rr][Tt][Uu][Aa][Ll]*)
+            type=microsoft
+            ;;
+        [Bb][Hh][Yy][Vv][Ee]*)
+            type=bhyve
+            ;;
+        Standard*PC*Q*ICH*|Standard*PC*i440FX*PIIX*)
+            type=qemu
+            ;;
+        QEMU*Virtual*CPU*)
+            type=qemu
+            ;;
+        KVM*|[Go][Oo][Oo][Gg][Ll][Ee]*)
+            type=kvm
+            ;;
+        zvm|oracle|amazon|bochs|uml|parallels|kvm|qemu|qnx|acrn|powervm)
+            type="${1}"
+            ;;
+        vm-other)
+            type=other
+            ;;
+        *)
+            type=none
+            ;;
+    esac
+
+    echo $type
+}
+
+detectcont() {
+    local type
+    type=none
+    case $1 in
+        *)
+            type="${1}"
+            ;;
+    esac
+
+    echo $type
+}
+
+getcont() {
+    CONT="none"
+    if [ "${OS}" = "Linux" ]; then
+		if [ "${CONT}" = "none" -a -f /proc/user_beancounters ]; then
+            if [ "`awk '/envID:/ {print $2}' /proc/self/status 2>/dev/null`" != "0" ]; then
+                CONT=openvz
+            fi
+		fi
+        if [ "${CONT}" = "none" -a -f /usr/bin/systemd-detect-virt ]; then
+            CONT=`/usr/bin/systemd-detect-virt -c`
+        fi
+        if [ "${CONT}" = "none" -a -f /proc/1/cgroup ]; then
+            if grep -qa docker /proc/1/cgroup 2>/dev/null; then
+                CONT=docker
+            elif grep -qa lxc /proc/1/cgroup 2>/dev/null; then
+                CONT=lxc
+            fi
+        fi
+        if [ "${CONT}" = "none" -a -f /.dockerenv ]; then
+            CONT=docker
+        fi
+    elif [ "${OS}" = "FreeBSD" -o "${OS}" = "OpenBSD" -o "${OS}" = "NetBSD" ]; then
+        if [ "${OS}" = "FreeBSD" ]; then
+            tmp=`sysctl -n security.jail.jailed 2>/dev/null`
+            if [ "${tmp}" = "1" ]; then
+                CONT=jail
+            fi
+        fi
+    else
+        CONT=""
+    fi
+    if [ "${CONT}" = "none" ]; then
+        CONT=""
+    fi
+    export CONT
+    return 0
+}
+
+getvirt() {
+    VIRT="none"
+    if [ "${OS}" = "Linux" ]; then
+        if [ "${VIRT}" = "none" -a -f /usr/bin/systemd-detect-virt ]; then
+            tmp=`/usr/bin/systemd-detect-virt -v`
+            # systemd-detect-virt falsely detects "Microsoft" virtualisation
+            # https://github.com/systemd/systemd/issues/21468
+            if [ "${tmp}" = "microsoft" -a -f /sys/devices/virtual/dmi/id/product_name ]; then
+                tmp2=`cat /sys/devices/virtual/dmi/id/product_name`
+                if [ "${tmp2}" = "KVM" ]; then
+                    tmp="${tmp2}"
+                fi
+            fi
+            VIRT=`detectvirt "${tmp}"`
+        fi
+        if [ "${VIRT}" = "none" -a -f /sys/devices/virtual/dmi/id/product_name ]; then
+            tmp=`cat /sys/devices/virtual/dmi/id/product_name`
+            VIRT=`detectvirt "${tmp}"`
+        fi
+        if [ "${VIRT}" = "none" ]; then
+            if [ -f `which dmidecode 2>/dev/null` ]; then
+                tmp=`dmidecode -s system-product-name 2>/dev/null`
+                VIRT=`detectvirt "${tmp}"`
+            fi
+        fi
+        if [ "${VIRT}" = "none" ]; then
+            if [ -f /proc/cpuinfo ]; then
+                tmp=`grep 'model name' /proc/cpuinfo | cut -d\  -f3-`
+                VIRT=`detectvirt "${tmp}"`
+            fi
+        fi
+    elif [ "${OS}" = "FreeBSD" -o "${OS}" = "OpenBSD" -o "${OS}" = "NetBSD" ]; then
+        if [ "${OS}" = "FreeBSD" ]; then
+            tmp=`sysctl -n hw.hv_vendor 2>/dev/null`
+            VIRT=`detectvirt "${tmp}"`
+            if [ "${VIRT}" = "none" ]; then
+                tmp=`sysctl -n machdep.dmi.system-vendor 2>/dev/null`
+                VIRT=`detectvirt "${tmp}"`
+            fi
+            if [ "${VIRT}" = "none" ]; then
+                tmp=`sysctl -n machdep.dmi.system-product 2>/dev/null`
+                VIRT=`detectvirt "${tmp}"`
+            fi
+        fi
+        if [ "${OS}" = "OpenBSD" ]; then
+            tmp=`dmesg | grep pvbus0 | awk '{print $4}'`
+            VIRT=`detectvirt "${tmp}"`
+        fi
+        if [ "${VIRT}" = "none" ]; then
+            tmp=`sysctl -n hw.product 2>/dev/null`
+            VIRT=`detectvirt "${tmp}"`
+        fi
+        if [ "${VIRT}" = "none" ]; then
+            tmp=`sysctl -n hw.model 2>/dev/null`
+            VIRT=`detectvirt "${tmp}"`
+        fi
+    else
+        VIRT=""
+    fi
+    if [ "${VIRT}" = "none" ]; then
+        VIRT=""
+    fi
+    export VIRT
+    return 0
+}
+
+help() {
+    cat << EOF
+Usage: distro [-f format] [-o out] [-h] [-v]
+
+Options:
+  -f <format>       Output format: pipe (default), twopipe, json, ini, export
+  -o <out>          Show specific parameter only: os, kernel, arch, distro,
+                    version, virt, cont
+  -h                Show help
+  -v                Show version
+
+See the distro homepage at https://docs.observium.org/distro_script
+and source code at https://github.com/observium/distroscript
+EOF
+}
+
+while getopts vho:f: flag
+do
+    case "${flag}" in
+        v) echo $DISTROSCRIPT; exit;;
+        h) help; exit;;
+        o)
+            getos
+            getdistro
+            if [ "${OPTARG}" = "os" ]; then
+                #getos
+                echo $OS
+            elif [ "${OPTARG}" = "kernel" ]; then
+                getkernel
+                echo $KERNEL
+            elif [ "${OPTARG}" = "arch" ]; then
+                getarch
+                echo $ARCH
+            elif [ "${OPTARG}" = "distro" ]; then
+                #getdistro
+                echo $DISTRO
+            elif [ "${OPTARG}" = "version" ]; then
+                getversion
+                echo $VERSION
+            elif [ "${OPTARG}" = "virt" ]; then
+                getvirt
+                echo $VIRT
+            elif [ "${OPTARG}" = "cont" ]; then
+                getcont
+                echo $CONT
+            fi
+            exit
+        ;;
+        f)  if [ "${OPTARG}" = "pipe" -o "${OPTARG}" = "twopipe" -o "${OPTARG}" = "json" -o "${OPTARG}" = "export" -o "${OPTARG}" = "ini" ]; then
+                DISTROFORMAT=${OPTARG}
+            fi
+        ;;
+    esac
+done
+
+if [ -z ${DISTROEXEC+x} ]; then
+
+    getos
+    getkernel
+    getarch
+    getdistro
+    getversion
+    getvirt
+    getcont
+
+    if [ "${AGENT_LIBDIR}" -o "${MK_LIBDIR}" ]; then
+        echo "<<<distro>>>"
+    fi
+    if [ "${DISTROFORMAT}" = "twopipe" ]; then
+        echo "${OS}||${KERNEL}||${ARCH}||${DISTRO}||${VERSION}||${VIRT}||${CONT}"
+    elif [ "${DISTROFORMAT}" = "ini" ]; then
+        echo "[distroscript]"
+        echo "  OS = ${OS}"
+        echo "  KERNEL = ${KERNEL}"
+        echo "  ARCH = ${ARCH}"
+        echo "  DISTRO = ${DISTRO}"
+        echo "  VERSION = ${VERSION}"
+        echo "  VIRT = ${VIRT}"
+        echo "  CONT = ${CONT}"
+        echo "  SCRIPTVER = ${DISTROSCRIPT}"
+    elif [ "${DISTROFORMAT}" = "export" ]; then
+        echo "OS=${OS}"
+        echo "KERNEL=${KERNEL}"
+        echo "ARCH=${ARCH}"
+        echo "DISTRO=${DISTRO}"
+        echo "VERSION=${VERSION}"
+        echo "VIRT=${VIRT}"
+        echo "CONT=${CONT}"
+        echo "SCRIPTVER=${DISTROSCRIPT}"
+    elif [ "${DISTROFORMAT}" = "json" ]; then
+        echo "{\"os\":\"${OS}\",\"kernel\":\"${KERNEL}\",\"arch\":\"${ARCH}\",\"distro\":\"${DISTRO}\",\"version\":\"${VERSION}\",\"virt\":\"${VIRT}\",\"cont\":\"${CONT}\",\"scriptver\":\"${DISTROSCRIPT}\"}"
+    else
+        echo "${OS}|${KERNEL}|${ARCH}|${DISTRO}|${VERSION}|${VIRT}|${CONT}"
+    fi
+    exit 0
+fi
diff --git a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
index a04c0a1820..71d456f33e 100644
--- a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
+++ b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
@@ -18,6 +18,13 @@ agentxsocket /var/agentx/master
 agentxperms 777 777
 {% endif %}
 
+{% if OPNsense.netsnmp.general.enableobservium == '1' %}
+extend .1.3.6.1.4.1.2021.7890.1 distro /usr/local/opnsense/scripts/OPNsense/Netsnmp/distro.sh
+extend .1.3.6.1.4.1.2021.7890.2 hardware /bin/kenv smbios.planar.product
+extend .1.3.6.1.4.1.2021.7890.3 vendor /bin/kenv smbios.planar.maker
+extend .1.3.6.1.4.1.2021.7890.4 serial /bin/kenv smbios.planar.serial
+{% endif %}
+
 {% if helpers.exists('OPNsense.netsnmp.general.community') and OPNsense.netsnmp.general.community != '' %}
 rocommunity {{ OPNsense.netsnmp.general.community }}
 rocommunity6 {{ OPNsense.netsnmp.general.community }}

From 6eb2c50d22a8b4c2972790614b1db653564072b8 Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Fri, 18 Oct 2024 12:54:30 +0200
Subject: [PATCH 2153/3088] net-mgmt/net-snmp: fix sysServices (#4307)

The plugin offers an option to enable "Layer 3 Visibility" which leads to the sysServices OID being set to 76.

This boils down to the following services being advertised:

datalink/subnetwork
internet
end-to-end
I really don't know why this is necessary as an option and not simply hardwired - but maybe OPNsense as a transparent bridge does not count as an internet/IP providing system. I can see that ...

That being said in the absence of that option the sysServices OID is not set at all which I consider a bug. It should be set to 72 instead. This pull request does exactly that.

Reference:

https://oidref.com/1.3.6.1.4.1.1978.2.18.1.7
---
 net-mgmt/net-snmp/pkg-descr                                     | 1 +
 .../src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf  | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/net-mgmt/net-snmp/pkg-descr b/net-mgmt/net-snmp/pkg-descr
index aaa479720a..29e8f8eff0 100644
--- a/net-mgmt/net-snmp/pkg-descr
+++ b/net-mgmt/net-snmp/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 1.6
 
 * Add support for Observium (contributed by Patrick M. Hausen)
+* Fix sysServices value in case "Layer 3 Visibility" option is unchecked (contributed by Patrick M. Hausen)
 
 1.5
 
diff --git a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
index 71d456f33e..61699aea19 100644
--- a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
+++ b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
@@ -49,6 +49,8 @@ sysContact {{ OPNsense.netsnmp.general.syscontact }}
 
 {% if helpers.exists('OPNsense.netsnmp.general.l3visibility') and OPNsense.netsnmp.general.l3visibility == '1' %}
 sysServices 76
+{% else %}
+sysServices 72
 {% endif %}
 
 {% if helpers.exists('OPNsense.netsnmp.general.versionoid') and OPNsense.netsnmp.general.versionoid == '1' %}

From 6fdf3aad25524a17c9200a51159115dfb300b6af Mon Sep 17 00:00:00 2001
From: Kreeblah <kreeblah@gmail.com>
Date: Sat, 19 Oct 2024 04:10:57 -0700
Subject: [PATCH 2154/3088] net/upnp - Allow for setting arbitrary number of
 UPnP permissions (#4305)

---
 net/upnp/Makefile                             |  3 +--
 net/upnp/pkg-descr                            |  4 ++++
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   | 11 ++++++++--
 net/upnp/src/www/services_upnp.php            | 21 +++++++++++++++++--
 4 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index fdff0f1246..ea12da5524 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		upnp
-PLUGIN_VERSION=		1.6
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.7
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index 2382b75296..e970623794 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -7,6 +7,10 @@ WWW: https://miniupnp.tuxfamily.org/
 Plugin Changelog
 ================
 
+1.7
+
+* Add option to allow arbitrary number of UPnP/NAT-PMP rules (contributed by Kreeblah)
+
 1.6
 
 * Fix port maps not listed without description (contributed by Self-Hosting-Group)
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 3fdf21214b..6214f4ce0b 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -104,10 +104,17 @@ function miniupnpd_uuid()
 
 function miniupnpd_permuser_list()
 {
+    global $config;
+
+    $num_permuser = 8;
+
+    if (!empty($config['installedpackages']['miniupnpd']['config'][0]['num_permuser'])) {
+        $num_permuser = $config['installedpackages']['miniupnpd']['config'][0]['num_permuser'];
+    }
+
     $ret = [];
-    $count = 8;
 
-    for ($i = 1; $i <= $count; $i++) {
+    for ($i = 1; $i <= $num_permuser; $i++) {
         $ret[$i] = "permuser{$i}";
     }
 
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index e56e08a431..6968826763 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -81,6 +81,7 @@ function miniupnpd_validate_port($port)
         'permdefault',
         'stun_host',
         'stun_port',
+        'num_permuser',
         'sysuptime',
         'upload',
     ];
@@ -133,12 +134,15 @@ function miniupnpd_validate_port($port)
     if ((!empty($pconfig['download']) && empty($pconfig['upload'])) || (!empty($pconfig['upload']) && empty($pconfig['download']))) {
         $input_errors[] = gettext('You must fill in both \'Maximum Download Speed\' and \'Maximum Upload Speed\' fields');
     }
-    if (!empty($pconfig['download']) && ($pconfig['download'] <= 0 || !is_numeric($pconfig['download']))) {
+    if (!empty($pconfig['download']) && (!is_numeric($pconfig['download']) || $pconfig['download'] <= 0)) {
         $input_errors[] = gettext('You must specify a value greater than 0 in the \'Maximum Download Speed\' field');
     }
-    if (!empty($pconfig['upload']) && ($pconfig['upload'] <= 0 || !is_numeric($pconfig['upload']))) {
+    if (!empty($pconfig['upload']) && (!is_numeric($pconfig['upload']) || $pconfig['upload'] <= 0)) {
         $input_errors[] = gettext('You must specify a value greater than 0 in the \'Maximum Upload Speed\' field');
     }
+    if (!empty($pconfig['num_permuser'] && (!is_numeric($pconfig['num_permuser']) || $pconfig['num_permuser'] < 1))) {
+        $input_errors[] = gettext('Number of permissions must be an integer greater than 0');
+    }
 
     /* user permissions validation */
     foreach (miniupnpd_permuser_list() as $i => $permuser) {
@@ -171,6 +175,10 @@ function miniupnpd_validate_port($port)
         foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault'] as $fieldname) {
             $upnp[$fieldname] = !empty($pconfig[$fieldname]);
         }
+        // numeric types
+        if (!empty($upnp['num_permuser'])) {
+            $upnp['num_permuser'] = $pconfig['num_permuser'];
+        }
         // text field types
         foreach (['ext_iface', 'download', 'upload', 'overridewanip', 'overridesubnet', 'stun_host', 'stun_port'] as $fieldname) {
             $upnp[$fieldname] = $pconfig[$fieldname];
@@ -382,6 +390,15 @@ function miniupnpd_validate_port($port)
                     </tr>
                   </thead>
                   <tbody>
+                    <tr>
+                      <td><a id="help_for_num_permuser" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Number of permissions");?></td>
+                      <td>
+                        <input name="num_permuser" type="number" value="<?=$pconfig['num_permuser'];?>" />
+                        <div class="hidden" data-for="help_for_num_permuser">
+                          <?=gettext("Number of permissions to configure.");?>
+                        </div>
+                      </td>
+                    </tr>
 <?php foreach (miniupnpd_permuser_list() as $i => $permuser): ?>
                     <tr>
 <?php if ($i == 1): ?>

From 730a05ad6c9b439e7ff70b4e67325aabc1daec4b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sun, 20 Oct 2024 07:56:12 +0200
Subject: [PATCH 2155/3088] security/clamav: adjust new rc filenames (#4313)

---
 security/clamav/Makefile                           |  1 +
 .../service/conf/actions.d/actions_clamav.conf     | 14 +++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index 9b5f206a33..f0b6d9325f 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		clamav
 PLUGIN_VERSION=		1.8
+PLUGIN_REVISION= 	1
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf b/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
index db9285bb35..59ad71ea7d 100644
--- a/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
+++ b/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
@@ -1,29 +1,29 @@
 [start]
 command:
-    /usr/local/etc/rc.d/clamav-freshclam start;
-    /usr/local/etc/rc.d/clamav-clamd start
+    /usr/local/etc/rc.d/clamav_freshclam start;
+    /usr/local/etc/rc.d/clamav_clamd start
 parameters:
 type:script
 message:starting ClamAV
 
 [stop]
 command:
-     /usr/local/etc/rc.d/clamav-freshclam stop;
-     /usr/local/etc/rc.d/clamav-clamd stop
+     /usr/local/etc/rc.d/clamav_freshclam stop;
+     /usr/local/etc/rc.d/clamav_clamd stop
 parameters:
 type:script
 message:stopping ClamAV
 
 [restart]
 command:
-    /usr/local/etc/rc.d/clamav-freshclam restart;
-    /usr/local/etc/rc.d/clamav-clamd restart
+    /usr/local/etc/rc.d/clamav_freshclam restart;
+    /usr/local/etc/rc.d/clamav_clamd restart
 parameters:
 type:script
 message:restarting ClamAV
 
 [status]
-command: /usr/local/etc/rc.d/clamav-clamd status; exit 0
+command: /usr/local/etc/rc.d/clamav_clamd status; exit 0
 parameters:
 type:script_output
 message:request ClamAV status

From 6d051c7016e17640b7651f667a7ee572a40dcc13 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 20 Oct 2024 07:57:02 +0200
Subject: [PATCH 2156/3088] security/clamav: style update

---
 security/clamav/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index f0b6d9325f..afe24b92ef 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		clamav
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION= 	1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From c0a976f81f236c863eed1cbd059e1b80d5dbb3a2 Mon Sep 17 00:00:00 2001
From: linuxlurak <3813355+linuxlurak@users.noreply.github.com>
Date: Sun, 20 Oct 2024 09:27:49 +0200
Subject: [PATCH 2157/3088] Update sensor.xml (#4269)

* Update sensor.xml

Added optimized description regarding remote logging.

* Update security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 .../mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
index c875b562c3..62cc353c4e 100644
--- a/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
+++ b/security/maltrail/src/opnsense/mvc/app/controllers/OPNsense/Maltrail/forms/sensor.xml
@@ -21,13 +21,13 @@
         <id>sensor.remoteserver</id>
         <label>Remote Server</label>
         <type>text</type>
-        <help>IP address of the remote logging server.</help>
+        <help>IP address of the remote logging server. This is necessary if you are using a centralized Maltrail instance, otherwise leave it blank to use this instance as the logging server.</help>
     </field>
     <field>
         <id>sensor.remoteport</id>
         <label>Remote Port</label>
         <type>text</type>
-        <help>Port of the logging server.</help>
+        <help>Port of the remote logging server.</help>
     </field>
     <field>
         <id>sensor.syslogserver</id>
@@ -39,6 +39,6 @@
         <id>sensor.syslogport</id>
         <label>Syslog Port</label>
         <type>text</type>
-        <help>Port of the syslog server.</help>
+        <help>Port of the remote syslog server.</help>
     </field>
 </form>

From 3c5e2b9d771bf8e7145eb659f1d8a4302640cc62 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Sun, 20 Oct 2024 09:57:21 +0100
Subject: [PATCH 2158/3088] net/frr - Routing: BFD - add multihop support for
 IPv4. closes https://github.com/opnsense/plugins/issues/4282 (#4285)

Although IPv6 also supports multihop, it does require a local-address to be set (https://docs.frrouting.org/en/latest/bfd.html#bfdd-commands), to avoid adding extra complexity now, start with IPv4 and see where that brings us.
---
 .../Quagga/forms/dialogEditBFDNeighbor.xml    |  9 ++++++++
 .../mvc/app/models/OPNsense/Quagga/BFD.php    | 23 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Quagga/BFD.xml    |  6 ++++-
 .../templates/OPNsense/Quagga/bfdd.conf       |  2 +-
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
index 4a76e64a95..26780cc973 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
@@ -16,4 +16,13 @@
     <type>text</type>
     <help>Specify the IP of your neighbor.</help>
   </field>
+  <field>
+    <id>neighbor.multihop</id>
+    <label>Multihop</label>
+    <type>checkbox</type>
+    <help>multihop tells the BFD daemon that we should expect packets with TTL less than 254
+    (because it will take more than one hop) and to listen on the multihop port (4784).
+    When using multi-hop mode echo-mode will not work (see RFC 5883 section 3).
+    </help>
+  </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
index 39313ae57b..f1a01d56b5 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
@@ -3,8 +3,10 @@
 namespace OPNsense\Quagga;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 
 /*
+    Copyright (C) 2024 Deciso B.V.
     Copyright (C) 2017 Fabian Franz
     Copyright (C) 2017 - 2021 Michael Muenz <m.muenz@gmail.com>
     All rights reserved.
@@ -28,4 +30,25 @@
 */
 class BFD extends BaseModel
 {
+       /**
+     * {@inheritdoc}
+     */
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+        foreach ($this->neighbors->neighbor->iterateItems() as $neighbor) {
+            if (!$validateFullModel && !$neighbor->isFieldChanged()) {
+                continue;
+            }
+            $key = $neighbor->__reference;
+            $address_proto = str_contains($neighbor->address, ':') ? 'inet6' : 'inet';
+            if (!empty((string)$neighbor->multihop) && $address_proto == 'inet6') {
+               $messages->appendMessage(
+                  new Message(gettext("Multihop is currently only supported for IPv4"), $key . ".multihop")
+              );
+            }
+
+        }
+        return $messages;
+    }
 }
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
index df4e256b75..9c14c4416d 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bfd</mount>
     <description>BFD configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -21,6 +21,10 @@
                     <default></default>
                     <Required>Y</Required>
                 </address>
+                <multihop  type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </multihop>
             </neighbor>
         </neighbors>
     </items>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
index 8b13652630..235d5d9b79 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
@@ -21,7 +21,7 @@ bfd
 {%   if helpers.exists('OPNsense.quagga.bfd.neighbors.neighbor') %}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bfd.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}
- peer {{ neighbor.address }}
+ peer {{ neighbor.address }} {% if neighbor.multihop|default('0') == '1' %}multihop{% endif +%}
 {%       endif %}
 {%     endfor %}
 {%   endif %}

From 7a1dce77d632d0a1d4f876da858e38cdee3fef72 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 21 Oct 2024 11:09:55 +0200
Subject: [PATCH 2159/3088] net/frr: Fix updatesource not rendering when
 interface has been selected (#4315)

---
 .../src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 12fc2b9a7a..4dbaaa487b 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -68,7 +68,7 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%       if 'remoteas' in peergroup and peergroup.remoteas != '' %}
  neighbor {{ peergroup.name }} remote-as {{ peergroup.remoteas }}
 {%       endif %}
-{%       if peergroup.updatesource|default('0') == '1' %}
+{%       if peergroup.updatesource %}
  neighbor {{ peergroup.name }} update-source {{ physical_interface(peergroup.updatesource) }}
 {%       endif %}
  neighbor {{ peergroup.name }} activate

From 75702c050d11883a83453733cb823a061fb558fb Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 21 Oct 2024 17:02:36 +0200
Subject: [PATCH 2160/3088] www/caddy: Put Layer4 Proxy into own menu, cleanup
 reverse_proxy.volt (#4312)

* www/caddy: Move Layer4 tab to own Menu entry to make it less convoluted.

* www/caddy: Remove stray data-column-id

* www/caddy: Fix ACL for Layer4 menu

* www/caddy: Cleanup terminology of previous

* www/caddy: Rename Layer4 to Layer4 Proxy

* www/caddy: Cleanup reverse_proxy.volt. Remove Subdomain tab and add it to the Domains tab. Remove some of the hide logic for subdomains for brevity. Add clear all button for filter by domain selectpicker.

* www/caddy: Adjust helptext and remove style that is no longer needed due to change where subdomains are displayed

* www/caddy: Changelog and version bump

* www/caddy: Remove stray data-column-id in handle bootgrid, again
---
 www/caddy/Makefile                            |   2 +-
 www/caddy/pkg-descr                           |   7 +
 .../OPNsense/Caddy/Layer4Controller.php       |  42 ++++
 .../OPNsense/Caddy/ReverseProxyController.php |   1 -
 .../OPNsense/Caddy/forms/dialogHandle.xml     |   1 -
 .../Caddy/forms/dialogReverseProxy.xml        |   2 +-
 .../OPNsense/Caddy/forms/general.xml          |  15 +-
 .../mvc/app/models/OPNsense/Caddy/ACL/ACL.xml |   8 +
 .../app/models/OPNsense/Caddy/Menu/Menu.xml   |   5 +-
 .../mvc/app/views/OPNsense/Caddy/layer4.volt  | 179 +++++++++++++++
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 210 +++++-------------
 11 files changed, 303 insertions(+), 169 deletions(-)
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
 create mode 100644 www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 259bea8b24..1fe46006ff 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.7.2
+PLUGIN_VERSION=		1.7.3
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index d2c94173f8..af5015875c 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,13 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.7.3
+
+* Add: Clear All button to Filter by Domain selectpicker
+* Change: Layer4 Proxy has own menu entry
+* Change: Domains and Subdomains are in same tab, Subdomains are not initially hidden anymore
+* Fix: WebGUI port conflict validation triggers too aggressively
+
 1.7.2
 
 * Add: Directive in HTTP Handler can be chosen, "reverse_proxy" and "redir"
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
new file mode 100644
index 0000000000..00b4548e7d
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ *    Copyright (C) 2023-2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Caddy;
+
+use OPNsense\Base\IndexController;
+
+class Layer4Controller extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Caddy/layer4');
+        $this->view->formDialogLayer4 = $this->getForm("dialogLayer4");
+    }
+}
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
index d62de6c102..fde12d63c7 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -41,7 +41,6 @@ public function indexAction()
         $this->view->formDialogReverseProxy = $this->getForm("dialogReverseProxy");
         $this->view->formDialogSubdomain = $this->getForm("dialogSubdomain");
         $this->view->formDialogHandle = $this->getForm("dialogHandle");
-        $this->view->formDialogLayer4 = $this->getForm("dialogLayer4");
         $this->view->formDialogAccessList = $this->getForm("dialogAccessList");
         $this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
         $this->view->formDialogHeader = $this->getForm("dialogHeader");
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 43e3fa9976..68714b31c3 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -25,7 +25,6 @@
         <id>handle.subdomain</id>
         <label>Subdomain</label>
         <type>dropdown</type>
-        <style>Subdomain</style>
         <help><![CDATA[Select a subdomain to handle. Make sure to additionaly choose a wildcard domain as "Domain". Leave unset, if not using subdomains.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 46642786bc..522c916d44 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -26,7 +26,7 @@
         <label>Domain</label>
         <type>text</type>
         <hint>example.com</hint>
-        <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". For a wildcard domain, use "*.example.com". Adding a wildcard domain and pressing "Apply" will activate the "Subdomain" Tab, in which subdomains can be configured. Using subdomains requires a "DNS Provider" and the "DNS-01 Challenge" or a custom certificate.]]></help>
+        <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". For a wildcard domain, use "*.example.com". Using a wildcard domain with subdomains requires a "DNS Provider" and the "DNS-01 Challenge" or a custom certificate.]]></help>
     </field>
     <field>
         <id>reverse.FromPort</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 43afbb0ada..10976f1649 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -2,15 +2,20 @@
     <tab id="general-settings" description="General Settings">
         <field>
             <id>caddy.general.enabled</id>
-            <label>Enabled</label>
+            <label>Enable Caddy</label>
             <type>checkbox</type>
             <help><![CDATA[Enable or disable the Caddy web server.]]></help>
         </field>
+        <field>
+            <id>caddy.general.EnableLayer4</id>
+            <label>Enable Layer4 Proxy</label>
+            <type>checkbox</type>
+            <help><![CDATA[Enable Layer4 Proxy to stream TCP/UDP. Layer4 Proxy matches before the Reverse Proxy; both can be used concurrently. More information: https://github.com/mholt/caddy-l4]]></help>
+        </field>
         <field>
             <id>caddy.general.TlsEmail</id>
             <label>ACME Email</label>
             <type>text</type>
-            <hint>info@example.com</hint>
             <help><![CDATA[Enter the email address for certificate notifications. This is required to receive automatic certificates from "Let's Encrypt" and "ZeroSSL".]]></help>
         </field>
         <field>
@@ -21,12 +26,6 @@
         </field>
     </tab>
     <tab id="general-advanced" description="Advanced Settings">
-        <field>
-            <id>caddy.general.EnableLayer4</id>
-            <label>Enable Layer4</label>
-            <type>checkbox</type>
-            <help><![CDATA[Enable Layer4 support to stream TCP/UDP. This feature is in active developement and the configuration can break or change in the future. The Layer4 app matches before the HTTP app. Deactivating this option will remove all Layer4 functionality completely. More information: https://github.com/mholt/caddy-l4]]></help>
-        </field>
         <field>
             <id>caddy.general.DisableSuperuser</id>
             <label>System User</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
index cea3a9cc5a..0aaba284cd 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
@@ -15,6 +15,14 @@
             <pattern>api/caddy/reverse_proxy/*</pattern>
         </patterns>
     </page-caddy-reverse-proxy>
+    <page-caddy-layer4-routes>
+        <name>Services: Caddy Web Server: Layer4 Proxy</name>
+        <description>Allow access to Caddy Layer4 Proxy</description>
+        <patterns>
+            <pattern>ui/caddy/layer4/*</pattern>
+            <pattern>api/caddy/reverse_proxy/*</pattern>
+        </patterns>
+    </page-caddy-layer4-routes>
     <page-caddy-diagnostics>
         <name>Services: Caddy Web Server: Diagnostics</name>
         <description>Allow access to Caddy Diagnostics</description>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
index 70d146ffed..0a992a746f 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
@@ -3,8 +3,9 @@
         <Caddy VisibleName="Caddy Web Server" cssClass="fa fa-globe fa-fw">
             <General VisibleName="General Settings" order="10" url="/ui/caddy/general"/>
             <ReverseProxy VisibleName="Reverse Proxy" order="20" url="/ui/caddy/reverse_proxy"/>
-            <Diagnostics VisibleName="Diagnostics" order="30" url="/ui/caddy/diagnostics"/>
-            <Log VisibleName="Log File" order="40" url="/ui/diagnostics/log/core/caddy"/>
+            <Layer4 VisibleName="Layer4 Proxy" order="30" url="/ui/caddy/layer4"/>
+            <Diagnostics VisibleName="Diagnostics" order="40" url="/ui/caddy/diagnostics"/>
+            <Log VisibleName="Log File" order="50" url="/ui/diagnostics/log/core/caddy"/>
         </Caddy>
     </Services>
 </menu>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
new file mode 100644
index 0000000000..d1bfc6cf62
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
@@ -0,0 +1,179 @@
+{#
+ # Copyright (c) 2024 Cedrik Pischem
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $(document).ready(function() {
+        // Bootgrid Setup
+        $("#Layer4Grid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchLayer4/',
+            get:'/api/caddy/ReverseProxy/getLayer4/',
+            set:'/api/caddy/ReverseProxy/setLayer4/',
+            add:'/api/caddy/ReverseProxy/addLayer4/',
+            del:'/api/caddy/ReverseProxy/delLayer4/',
+            toggle:'/api/caddy/ReverseProxy/toggleLayer4/',
+        });
+
+        /**
+         * Displays an alert message to the user.
+         *
+         * @param {string} message - The message to display.
+         * @param {string} [type="error"] - The type of alert (error or success).
+         */
+        function showAlert(message, type = "error") {
+            const alertClass = type === "error" ? "alert-danger" : "alert-success";
+            const messageArea = $("#messageArea");
+
+            messageArea.stop(true, true).hide();
+            messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
+            messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
+                $(this).html('');
+            });
+        }
+
+        $('input, select, textarea').on('change', function() {
+            $("#messageArea").hide();
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+
+                // Perform configuration validation
+                ajaxGet("/api/caddy/service/validate", null, function(data, status) {
+                    if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
+                        dfObj.resolve();
+                    } else {
+                        showAlert(data['message'], "error");
+                        dfObj.reject();
+                    }
+                }).fail(function(xhr, status, error) {
+                    showAlert("{{ lang._('Validation request failed: ') }}" + error, "error");
+                    dfObj.reject();
+                });
+
+                return dfObj.promise();
+            },
+            onAction: function(data, status) {
+                if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
+                    showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
+                    updateServiceControlUI('caddy');
+                } else {
+                    showAlert("{{ lang._('Action was not successful or an error occurred.') }}", "error");
+                }
+            }
+        });
+
+        $("#layer4\\.Matchers").change(function() {
+            if ($(this).val() !== "tlssni" && $(this).val() !== "httphost") {
+                $(".style_matchers").closest('tr').hide();
+            } else {
+                $(".style_matchers").closest('tr').show();
+            }
+        });
+
+        updateServiceControlUI('caddy');
+    });
+</script>
+
+<style>
+    .custom-header {
+        font-weight: 800;
+        font-size: 16px;
+        font-style: italic;
+    }
+</style>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li id="tab-layer4" class="active"><a data-toggle="tab" href="#layer4Tab">{{ lang._('Layer4 Routes') }}</a></li>
+</ul>
+
+<div class="tab-content content-box">
+    <!-- Layer4 Tab -->
+    <div id="layer4Tab" class="tab-pane fade active in">
+        <div style="padding-left: 16px;">
+            <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
+            <div style="display: block;"> <!-- Common container -->
+                <table id="Layer4Grid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                            <th data-column-id="Sequence" data-type="string">{{ lang._('Sequence') }}</th>
+                            <th data-column-id="Type" data-type="string" data-visible="false">{{ lang._('Routing Type') }}</th>
+                            <th data-column-id="Protocol" data-type="string">{{ lang._('Protocol') }}</th>
+                            <th data-column-id="FromPort" data-type="string" data-visible="false">{{ lang._('Local Port') }}</th>
+                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
+                            <th data-column-id="Matchers" data-type="string">{{ lang._('Matchers') }}</th>
+                            <th data-column-id="InvertMatchers" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Invert Matchers') }}</th>
+                            <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
+                            <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
+                            <th data-column-id="RemoteIp" data-type="string" data-visible="false">{{ lang._('Remote IP') }}</th>
+                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
+                            <th data-column-id="ProxyProtocol" data-type="string" data-visible="false">{{ lang._('Proxy Protocol') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addLayer4Btn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+    </div>
+</div>
+
+<!-- Reconfigure Button -->
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint="/api/caddy/service/reconfigure"
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring Caddy') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+            <!-- Message Area for error/success messages -->
+            <div id="messageArea" class="alert alert-info" style="display: none;"></div>
+            <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
+            <div id="ConfigurationChangeMessage" class="alert alert-info" style="display: none;">
+            {{ lang._('Please do not forget to apply the configuration.') }}
+            </div>
+        </div>
+    </div>
+</section>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':'DialogLayer4','label':lang._('Edit Layer4 Route')])}}
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index cd7cb0dc38..e98e921a0b 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -35,7 +35,8 @@
             del:'/api/caddy/ReverseProxy/delReverseProxy/',
             toggle:'/api/caddy/ReverseProxy/toggleReverseProxy/',
             options: {
-                requestHandler: addDomainFilterToRequest
+                requestHandler: addDomainFilterToRequest,
+                rowCount: [4,7,14,20,50,100,-1]
             }
         });
 
@@ -47,19 +48,11 @@
             del:'/api/caddy/ReverseProxy/delSubdomain/',
             toggle:'/api/caddy/ReverseProxy/toggleSubdomain/',
             options: {
-                requestHandler: addDomainFilterToRequest
+                requestHandler: addDomainFilterToRequest,
+                rowCount: [4,7,14,20,50,100,-1]
             }
         });
 
-        $("#reverseLayer4Grid").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchLayer4/',
-            get:'/api/caddy/ReverseProxy/getLayer4/',
-            set:'/api/caddy/ReverseProxy/setLayer4/',
-            add:'/api/caddy/ReverseProxy/addLayer4/',
-            del:'/api/caddy/ReverseProxy/delLayer4/',
-            toggle:'/api/caddy/ReverseProxy/toggleLayer4/',
-        });
-
         $("#reverseHandleGrid").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchHandle/',
             get:'/api/caddy/ReverseProxy/getHandle/',
@@ -78,6 +71,9 @@
             set:'/api/caddy/ReverseProxy/setAccessList/',
             add:'/api/caddy/ReverseProxy/addAccessList/',
             del:'/api/caddy/ReverseProxy/delAccessList/',
+            options:{
+                rowCount: [4,7,14,20,50,100,-1]
+            }
         });
 
         $("#basicAuthGrid").UIBootgrid({
@@ -86,6 +82,9 @@
             set:'/api/caddy/ReverseProxy/setBasicAuth/',
             add:'/api/caddy/ReverseProxy/addBasicAuth/',
             del:'/api/caddy/ReverseProxy/delBasicAuth/',
+            options:{
+                rowCount: [4,7,14,20,50,100,-1]
+            }
         });
 
         $("#reverseHeaderGrid").UIBootgrid({
@@ -133,7 +132,7 @@
         function loadDomainFilters() {
             ajaxGet('/api/caddy/ReverseProxy/getAllReverseDomains', null, function(data, status) {
                 let select = $('#reverseFilter');
-                select.empty(); // Clear current options
+                select.empty();
                 if (status === "success" && data && data.rows) {
                     data.rows.forEach(function(item) {
                         select.append($('<option>').val(item.id).text(item.domainPort));
@@ -141,91 +140,33 @@
                 } else {
                     select.html('<option value="">{{ lang._('Failed to load data') }}</option>');
                 }
-                select.selectpicker('refresh'); // Refresh selectpicker to update the UI
+                select.selectpicker('refresh');
             }).fail(function() {
                 $('#reverseFilter').html('<option value="">{{ lang._('Failed to load data') }}</option>').selectpicker('refresh');
             });
         }
 
         /**
-         * Controls the visibility of the selectpicker for domain filtering.
+         * Controls the visibility of the selectpicker and add buttons based on the active tab.
          *
          * @param {string} tab - The currently active tab.
          */
-        function toggleSelectPicker(tab) {
-            if (tab === 'handlesTab' || tab === 'domainsTab' || tab === 'subdomainsTab') {
-                $('.common-filter').show();
-            } else {
-                $('.common-filter').hide();
-            }
-        }
-
-        /**
-         * Controls the visibility of add buttons based on the active tab.
-         *
-         * @param {string} tab - The currently active tab.
-         */
-        function toggleButtonVisibility(tab) {
+        function toggleVisibility(tab) {
             if (tab === 'handlesTab' || tab === 'domainsTab') {
                 $("#addDomainBtn").show();
                 $("#addHandleBtn").show();
+                $('.common-filter').show();
             } else {
                 $("#addDomainBtn").hide();
                 $("#addHandleBtn").hide();
+                $('.common-filter').hide();
             }
         }
 
-        /**
-         * Initializes tabs by fetching data and setting visibility.
-         */
-        function initializeTabs() {
-            ajaxGet('/api/caddy/reverse_proxy/get', null, function(response, status) {
-                if (status === "success" && response) {
-                    // Check for wildcards in domains to toggle Subdomains tab
-                    const hasWildcard = Object.values(response.caddy.reverseproxy.reverse).some(entry => entry.FromDomain.startsWith('*'));
-                    toggleTabVisibility('#tab-subdomains', hasWildcard);
-                    toggleSubdomainOptions(hasWildcard);
-
-                    // Check if Layer 4 is enabled to toggle the Layer 4 tab
-                    const enableLayer4 = response.caddy.general.EnableLayer4 === '1';
-                    toggleTabVisibility('#tab-layer4', enableLayer4);
-                } else {
-                    showAlert("{{ lang._('Failed to load data from /api/caddy/reverse_proxy/get') }}", "error");
-                }
-            }).fail(function() {
-                showAlert("{{ lang._('Failed to load data from /api/caddy/reverse_proxy/get') }}", "error");
-            });
-        }
-
-        /**
-         * Toggles the visibility of a specific tab.
-         *
-         * @param {string} tabSelector - The jQuery selector for the tab.
-         * @param {boolean} visible - Whether the tab should be visible.
-         */
-        function toggleTabVisibility(tabSelector, visible) {
-            let tab = $(tabSelector);
-            if (visible) {
-                tab.show();
-            } else {
-                tab.hide();
-                if (tab.hasClass('active')) {
-                    $('#tab-domains a').tab('show');
-                }
-            }
-        }
-
-        /**
-         * Toggles the visibility of Subdomain options in dialogHandle based on wildcard domain existence.
-         *
-         * @param {boolean} hasWildcard - Whether a wildcard domain exists.
-         */
-        function toggleSubdomainOptions(hasWildcard) {
-            if (hasWildcard) {
-                $(".Subdomain").closest('tr').show();
-            } else {
-                $(".Subdomain").closest('tr').hide();
-            }
+        function reloadGrids() {
+            $("#reverseProxyGrid").bootgrid("reload");
+            $("#reverseSubdomainGrid").bootgrid("reload");
+            $("#reverseHandleGrid").bootgrid("reload");
         }
 
         // Hide message area when starting new actions
@@ -233,23 +174,19 @@
             $("#messageArea").hide();
         });
 
-        // Adjusting the Reconfigure button to include validation in onPreAction
+        // Reconfigure button with custom validation
         $("#reconfigureAct").SimpleActionButton({
             onPreAction: function() {
                 const dfObj = new $.Deferred();
 
-                // Perform configuration validation
                 ajaxGet("/api/caddy/service/validate", null, function(data, status) {
                     if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                        // If configuration is valid, resolve the Deferred object to proceed
                         dfObj.resolve();
                     } else {
-                        // If configuration is invalid, show alert and reject the Deferred object
                         showAlert(data['message'], "error");
                         dfObj.reject();
                     }
                 }).fail(function(xhr, status, error) {
-                    // On AJAX error, show alert and reject the Deferred object
                     showAlert("{{ lang._('Validation request failed: ') }}" + error, "error");
                     dfObj.reject();
                 });
@@ -257,45 +194,43 @@
                 return dfObj.promise();
             },
             onAction: function(data, status) {
-                // Check if the action was successful
                 if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
                     showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
-                    // Update the service control UI for 'caddy'
                     updateServiceControlUI('caddy');
-                    // Update the Tab visibility
-                    initializeTabs();
                 } else {
                     showAlert("{{ lang._('Action was not successful or an error occurred.') }}", "error");
                 }
             }
         });
 
+        $("#clearDomains").on("click", function(e) {
+            e.preventDefault();
+            $('#reverseFilter').val([]);
+            $('#reverseFilter').selectpicker('refresh');
+
+            reloadGrids();
+        });
+
         // Reload Bootgrid on filter change
         $('#reverseFilter').on('changed.bs.select', function() {
-            $("#reverseProxyGrid").bootgrid("reload");
-            $("#reverseSubdomainGrid").bootgrid("reload");
-            $("#reverseHandleGrid").bootgrid("reload");
+            reloadGrids();
         });
 
         // Initialize visibility based on the active tab on page load
         let activeTab = $('#maintabs .active a').attr('href').replace('#', '');
-        toggleSelectPicker(activeTab);
-        toggleButtonVisibility(activeTab);
+        toggleVisibility(activeTab);
 
         // Change event when switching tabs
         $('#maintabs a').on('click', function (e) {
             let currentTab = $(this).attr('href').replace('#', '');
-            toggleSelectPicker(currentTab);
-            toggleButtonVisibility(currentTab);
+            toggleVisibility(currentTab);
         });
 
         // Add click event listener for "Add HTTP Handler" button
         $("#addHandleBtn").on("click", function() {
             if ($('#maintabs .active a').attr('href') === "#handlesTab") {
-                // Directly open the dialog if already in the Handles tab
                 $("#addReverseHandleBtn").click();
             } else {
-                // Switch to the "Handlers" tab if not already there
                 $('#maintabs a[href="#handlesTab"]').tab('show').one('shown.bs.tab', function(e) {
                     $("#addReverseHandleBtn").click();
                 });
@@ -347,11 +282,8 @@
             }
         });
 
-        // Initialize tabs, service control and filter selectpicker
-        initializeTabs();
         updateServiceControlUI('caddy');
         loadDomainFilters();
-
     });
 </script>
 
@@ -360,8 +292,19 @@
         align-items: center;
         margin-top: 20px;
         margin-right: 5px;
-        padding: 0 15px;  // Align with the tables
+        padding: 0 15px;
+    }
+
+    .filter-actions {
+        display: flex;
+        flex-direction: column;
+        align-items: flex-end;
+    }
+
+    #clearDomains {
+        margin-top: 5px;
     }
+
     .custom-header {
         font-weight: 800;
         font-size: 16px;
@@ -371,9 +314,7 @@
 </style>
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li id="tab-layer4" style="display: none;"><a data-toggle="tab" href="#layer4Tab">{{ lang._('Layer4 Routes') }}</a></li>
     <li id="tab-domains" class="active"><a data-toggle="tab" href="#domainsTab">{{ lang._('Domains') }}</a></li>
-    <li id="tab-subdomains" style="display: none;"><a data-toggle="tab" href="#subdomainsTab">{{ lang._('Subdomains') }}</a></li>
     <li id="tab-handlers"><a data-toggle="tab" href="#handlesTab">{{ lang._('HTTP Handlers') }}</a></li>
     <li id="tab-access"><a data-toggle="tab" href="#accessTab">{{ lang._('HTTP Access') }}</a></li>
     <li id="tab-headers"><a data-toggle="tab" href="#headerTab">{{ lang._('HTTP Headers') }}</a></li>
@@ -387,13 +328,17 @@
             <button id="addDomainBtn" type="button" class="btn btn-secondary">{{ lang._('Step 1: Add Domain') }}</button>
             <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add HTTP Handler') }}</button>
         </div>
-        <!-- Selectpicker on the right -->
-        <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="348px" data-size="7" title="{{ lang._('Filter by Domain') }}">
-            <!-- Options will be populated dynamically using JavaScript/Ajax -->
-        </select>
+        <!-- Selectpicker and Clear All on the right -->
+        <div class="filter-actions" style="display: flex; flex-direction: column; align-items: flex-end;">
+            <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="348px" data-size="7" title="{{ lang._('Filter by Domain') }}">
+            </select>
+            <a href="#" class="text-danger" id="clearDomains" style="margin-top: 5px;">
+                <i class="fa fa-times-circle"></i> <small>Clear All</small>
+            </a>
+        </div>
     </div>
 
-    <!-- Reverse Proxy Tab -->
+    <!-- Combined Domains Tab -->
     <div id="domainsTab" class="tab-pane fade in active">
         <div style="padding-left: 16px;">
             <!-- Reverse Proxy -->
@@ -432,10 +377,8 @@
                 </table>
             </div>
         </div>
-    </div>
 
-    <!-- Subdomains Tab -->
-    <div id="subdomainsTab" class="tab-pane fade">
+        <!-- Subdomains Tab -->
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
             <div style="display: block;"> <!-- Common container -->
@@ -519,7 +462,7 @@
         </div>
     </div>
 
-    <!-- New Combined Access Tab -->
+    <!-- Combined Access Tab -->
     <div id="accessTab" class="tab-pane fade">
         <!-- Access Lists Section -->
         <div style="padding-left: 16px;">
@@ -614,48 +557,6 @@
             </div>
         </div>
     </div>
-
-    <!-- Layer4 Tab -->
-    <div id="layer4Tab" class="tab-pane fade">
-        <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseLayer4Grid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="Sequence" data-type="string">{{ lang._('Sequence') }}</th>
-                            <th data-column-id="Type" data-type="string" data-visible="false">{{ lang._('Routing Type') }}</th>
-                            <th data-column-id="Protocol" data-type="string">{{ lang._('Protocol') }}</th>
-                            <th data-column-id="FromPort" data-type="string" data-visible="false">{{ lang._('Local Port') }}</th>
-                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="Matchers" data-type="string">{{ lang._('Matchers') }}</th>
-                            <th data-column-id="InvertMatchers" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Invert Matchers') }}</th>
-                            <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
-                            <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
-                            <th data-column-id="RemoteIp" data-type="string" data-visible="false">{{ lang._('Remote IP') }}</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
-                            <th data-column-id="ProxyProtocol" data-type="string" data-visible="false">{{ lang._('Proxy Protocol') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addReverseLayer4Btn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
-            </div>
-        </div>
-    </div>
 </div>
 
 <!-- Reconfigure Button -->
@@ -686,4 +587,3 @@
 {{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit HTTP Header')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':'DialogLayer4','label':lang._('Edit Layer4 Route')])}}

From 72dfcfa12b01d4b2a62a1a82f9b553d29afb9cce Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 21 Oct 2024 20:54:40 +0200
Subject: [PATCH 2161/3088] www/caddy: Fix WebGUI ports validation (by removing
 it) (#4311)

* www/caddy: Remove WebGUI validation
---
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 51 -------------------
 1 file changed, 51 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 28181a9fda..f738609ea9 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -73,56 +73,6 @@ private function checkForUniquePortCombos($messages)
         }
     }
 
-    // Get the current OPNsense WebGUI ports and check for conflicts with Caddy
-    private function getWebGuiPorts()
-    {
-        $webgui = Config::getInstance()->object()->system->webgui ?? null;
-        $webGuiPorts = [];
-
-        // Only add ports to array if no specific interfaces for the WebGUI are set
-        if (!empty($webgui) && empty((string)$webgui->interfaces)) {
-            // Add port 443 if no specific port is set, otherwise set custom webgui port
-            $webGuiPorts[] = !empty($webgui->port) ? (string)$webgui->port : '443';
-
-            // Add port 80 if HTTP redirect is not explicitly disabled
-            if (empty((string)$webgui->disablehttpredirect)) {
-                $webGuiPorts[] = '80';
-            }
-        }
-
-        return $webGuiPorts;
-    }
-
-    private function checkWebGuiSettings($messages)
-    {
-        // Get custom caddy ports if set. If empty, default to 80 and 443.
-        $httpPort = !empty((string)$this->general->HttpPort) ? (string)$this->general->HttpPort : '80';
-        $httpsPort = !empty((string)$this->general->HttpsPort) ? (string)$this->general->HttpsPort : '443';
-        $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
-
-        // Check for conflicts
-        $overlap = array_intersect($this->getWebGuiPorts(), [$httpPort, $httpsPort]);
-
-        if (!empty($overlap) && $tlsAutoHttpsSetting !== 'off') {
-            $portOverlap = implode(', ', $overlap);
-            $messages->appendMessage(new Message(
-                sprintf(
-                    gettext(
-                        'To use "Auto HTTPS", resolve these conflicting ports %s ' .
-                        'that are currently configured for the OPNsense WebGUI. ' .
-                        'Go to "System - Settings - Administration". ' .
-                        'To release port 80, enable "Disable web GUI redirect rule". ' .
-                        'To release port %s, change "TCP port" to a non-standard port, ' .
-                        'e.g., 8443.'
-                    ),
-                    $portOverlap,
-                    $httpsPort
-                ),
-                "general.TlsAutoHttps"
-            ));
-        }
-    }
-
     // Prevent the usage of conflicting options when TLS is deactivated for a Domain
     private function checkDisableTlsConflicts($messages)
     {
@@ -319,7 +269,6 @@ public function performValidation($validateFullModel = false)
         $messages = parent::performValidation($validateFullModel);
 
         $this->checkForUniquePortCombos($messages);
-        $this->checkWebGuiSettings($messages);
         $this->checkDisableTlsConflicts($messages);
         $this->checkSuperuserPorts($messages);
         $this->checkLayer4Matchers($messages);

From ee7868fa9324cc58988d2a678a920fb6cade89b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20W=2E=20Baul=C3=A9?= <alexwbaule@gmail.com>
Date: Tue, 22 Oct 2024 02:33:46 -0300
Subject: [PATCH 2162/3088] Fix for mixed ping plugin config (#4316)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With this, the "ipv4 vs ipv6" will be respected, and the count is respected too.

Signed-off-by: Alex W Baulé <alexwbaule@gmail.com>
---
 .../service/templates/OPNsense/Telegraf/telegraf.conf      | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index fd5012ae54..9b227e71a1 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -313,7 +313,8 @@
 
 {% if helpers.exists('OPNsense.telegraf.input.ping') and OPNsense.telegraf.input.ping == '1' %}
 [[inputs.ping]]
-  method = "exec"
+  method = "native"
+  ipv4 = true
 {%   if helpers.exists('OPNsense.telegraf.input.ping_hosts') and OPNsense.telegraf.input.ping_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping_hosts.split(','))) + "'" }}]
 {%   endif %}
@@ -324,8 +325,8 @@
 
 {% if helpers.exists('OPNsense.telegraf.input.ping6') and OPNsense.telegraf.input.ping6 == '1' %}
 [[inputs.ping]]
-  method = "exec"
-  binary = "ping6"
+  method = "native"
+  ipv6 = true
 {%   if helpers.exists('OPNsense.telegraf.input.ping6_hosts') and OPNsense.telegraf.input.ping6_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping6_hosts.split(','))) + "'" }}]
 {%   endif %}

From d1dabf300fce225e664d1d974f2f734206952003 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Oct 2024 10:49:08 +0200
Subject: [PATCH 2163/3088] net-mgmt/telegraf: bump revision

---
 net-mgmt/telegraf/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index bfd8b96006..2c275b4560 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		telegraf
 PLUGIN_VERSION=		1.12.11
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 5b02c207784102f59d8dd22c5dff205714d0a2a3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Oct 2024 10:50:06 +0200
Subject: [PATCH 2164/3088] net/freeradius: clear revision

---
 net/freeradius/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 3ae166e0f3..d9db167fab 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.26
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 51df8d04d24660c057157dae6e7652a69cd86ac5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Oct 2024 10:55:23 +0200
Subject: [PATCH 2165/3088] net/frr: new version

---
 net/frr/Makefile                                            | 3 +--
 net/frr/pkg-descr                                           | 5 +++++
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 7c51f3c321..30b45d27b1 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.41
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.42
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 6d6a8a79d8..529a3b2c45 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,11 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.42
+
+* Fix updatesource not rendering when interface has been selected
+* Add BFD multihop support for IPv4
+
 1.41
 
 * Set up networks, prefix lists, and route maps for OSPF6 (contributed by Mike Shuey)
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
index 9c14c4416d..00c2dd22ba 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
@@ -21,7 +21,7 @@
                     <default></default>
                     <Required>Y</Required>
                 </address>
-                <multihop  type="BooleanField">
+                <multihop type="BooleanField">
                     <default>0</default>
                     <Required>Y</Required>
                 </multihop>

From a9e45bfaa2bf5b7d70c318816d1ca2d6e16119a4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Oct 2024 09:48:02 +0200
Subject: [PATCH 2166/3088] net/upnp: unbreak and fix PHP warnings

---
 net/upnp/src/www/services_upnp.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index 6968826763..d3a5897d88 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -90,6 +90,8 @@ function miniupnpd_validate_port($port)
         $copy_fields[] = $permuser;
     }
 
+    $pconfig['num_permuser'] = null;
+
     foreach ($copy_fields as $fieldname) {
         if (isset($config['installedpackages']['miniupnpd']['config'][0][$fieldname])) {
             $pconfig[$fieldname] = $config['installedpackages']['miniupnpd']['config'][0][$fieldname];
@@ -176,7 +178,7 @@ function miniupnpd_validate_port($port)
             $upnp[$fieldname] = !empty($pconfig[$fieldname]);
         }
         // numeric types
-        if (!empty($upnp['num_permuser'])) {
+        if (!empty($pconfig['num_permuser'])) {
             $upnp['num_permuser'] = $pconfig['num_permuser'];
         }
         // text field types
@@ -393,7 +395,7 @@ function miniupnpd_validate_port($port)
                     <tr>
                       <td><a id="help_for_num_permuser" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Number of permissions");?></td>
                       <td>
-                        <input name="num_permuser" type="number" value="<?=$pconfig['num_permuser'];?>" />
+                        <input name="num_permuser" type="text" value="<?= html_safe($pconfig['num_permuser']) ?>" />
                         <div class="hidden" data-for="help_for_num_permuser">
                           <?=gettext("Number of permissions to configure.");?>
                         </div>
@@ -407,7 +409,7 @@ function miniupnpd_validate_port($port)
                       <td style="width:22%"><i class="fa fa-info-circle text-muted"></i> <?=gettext('Entry') . ' ' . $i ?></td>
 <?php endif ?>
                       <td style="width:78%">
-                        <input name="<?= html_safe($permuser) ?>" type="text" value="<?= $pconfig[$permuser] ?>" />
+                        <input name="<?= html_safe($permuser) ?>" type="text" value="<?= isset($pconfig[$permuser]) ? $pconfig[$permuser] : '' ?>" />
 <?php if ($i == 1): ?>
                         <div class="hidden" data-for="help_for_permuser">
                           <?=gettext("Format: [allow or deny] [ext port or range] [int ipaddr or ipaddr/cidr] [int port or range]");?><br/>

From fbd16d3db23c1b8c40d39e4a945bc05facf1f8c9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Oct 2024 10:59:18 +0200
Subject: [PATCH 2167/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index 2e63b3f32b..e7427a06be 100644
--- a/LICENSE
+++ b/LICENSE
@@ -57,6 +57,7 @@ Copyright (c) 2021-2024 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2023 Oliver Hartl
+Copyright (c) 2024 Olly Baker <ilumos@gmail.com>
 Copyright (c) 2024 realizelol
 Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2023 sattamjh

From 5c4e3a231f6a46cef9d9ae9dc87d92b12ad97fb9 Mon Sep 17 00:00:00 2001
From: Leo Huang <leo.tx.huang@gmail.com>
Date: Fri, 25 Oct 2024 19:56:10 +1100
Subject: [PATCH 2168/3088] benchmarks/iperf: fix JS TypeError when parsing
 iperf result with an error (#3925) (#3928)

Co-authored-by: Leo Huang <leo.h@wbstech.com.au>
---
 .../mvc/app/views/OPNsense/iperf/index.volt   | 90 ++++++++++---------
 1 file changed, 49 insertions(+), 41 deletions(-)

diff --git a/benchmarks/iperf/src/opnsense/mvc/app/views/OPNsense/iperf/index.volt b/benchmarks/iperf/src/opnsense/mvc/app/views/OPNsense/iperf/index.volt
index 85ca1d448c..8cef80501f 100644
--- a/benchmarks/iperf/src/opnsense/mvc/app/views/OPNsense/iperf/index.volt
+++ b/benchmarks/iperf/src/opnsense/mvc/app/views/OPNsense/iperf/index.volt
@@ -51,47 +51,55 @@ function result_to_html(elements) {
 
         // only if test did already run
         if ('result' in element) {
-            var result = element.result,
-                start = result.start,
-                connection = start.connected[0],
-                intervals = result.intervals,
-                test_end = result.end,
-                cpu = test_end.cpu_utilization_percent;
-            // General
-            output += "<h3>{{ lang._('General') }}</h3>";
-            output += '<table class="table table-striped">';
-            output += table_tr_kv("{{ lang._('Time') }}", start.timestamp.time);
-            output += table_tr_kv("{{ lang._('Duration') }}", start.test_start.duration);
-            output += table_tr_kv("{{ lang._('Block Size') }}", start.test_start.blksize);
-            output += "</table>";
-            // connection
-            output += "<h3>{{ lang._('Connection') }}</h3>";
-            output += '<table class="table table-striped">';
-            output += table_tr_kv("{{ lang._('Local Host') }}", connection.local_host);
-            output += table_tr_kv("{{ lang._('Local Port') }}", connection.local_port);
-            output += table_tr_kv("{{ lang._('Remote Host') }}", connection.remote_host);
-            output += table_tr_kv("{{ lang._('Remote Port') }}", connection.remote_port);
-            output += "</table>";
-            // CPU Usage
-            output += "<h3>{{ lang._('CPU Usage') }}</h3>";
-            output += '<table class="table table-striped">';
-            output += table_tr_kv("{{ lang._('Host Total') }}", cpu.host_total.toFixed(2));
-            output += table_tr_kv("{{ lang._('Host User') }}", cpu.host_user.toFixed(2));
-            output += table_tr_kv("{{ lang._('Host System') }}", cpu.host_system.toFixed(2));
-            output += table_tr_kv("{{ lang._('Remote Total') }}", cpu.remote_total.toFixed(2));
-            output += table_tr_kv("{{ lang._('Remote User') }}", cpu.remote_user.toFixed(2));
-            output += table_tr_kv("{{ lang._('Remote System') }}", cpu.remote_system.toFixed(2));
-            output += "</table>";
-            // performance data
-            output += "<h3>{{ lang._('Performance Data') }}</h3>";
-            output += '<table class="table table-striped">';
-            var fields = ['sum_sent', 'sum_received'];
-            output += table_tr_transpose("{{ lang._('Start') }}","start",fields, test_end);
-            output += table_tr_transpose("{{ lang._('End') }}","end",fields, test_end);
-            output += table_tr_transpose("{{ lang._('Seconds') }}","seconds",fields, test_end);
-            output += table_tr_transpose("{{ lang._('Bytes') }}","bytes",fields, test_end);
-            output += table_tr_transpose("{{ lang._('Bits Per Second') }}","bits_per_second",fields, test_end);
-            output += "</table>";
+            var result = element.result;
+            if ('error' in result) {
+                // We can't assume that any other fields exist when there's an error
+                output += "<h3>{{ lang._('Error') }}</h3>";
+                output += '<table class="table table-striped">';
+                output += table_tr_kv("{{ lang._('Error message') }}", result.error);
+                output += "</table>";
+            } else {
+                var start = result.start,
+                    connection = start.connected[0],
+                    intervals = result.intervals,
+                    test_end = result.end,
+                    cpu = test_end.cpu_utilization_percent;
+                // General
+                output += "<h3>{{ lang._('General') }}</h3>";
+                output += '<table class="table table-striped">';
+                output += table_tr_kv("{{ lang._('Time') }}", start.timestamp.time);
+                output += table_tr_kv("{{ lang._('Duration') }}", start.test_start.duration);
+                output += table_tr_kv("{{ lang._('Block Size') }}", start.test_start.blksize);
+                output += "</table>";
+                // connection
+                output += "<h3>{{ lang._('Connection') }}</h3>";
+                output += '<table class="table table-striped">';
+                output += table_tr_kv("{{ lang._('Local Host') }}", connection.local_host);
+                output += table_tr_kv("{{ lang._('Local Port') }}", connection.local_port);
+                output += table_tr_kv("{{ lang._('Remote Host') }}", connection.remote_host);
+                output += table_tr_kv("{{ lang._('Remote Port') }}", connection.remote_port);
+                output += "</table>";
+                // CPU Usage
+                output += "<h3>{{ lang._('CPU Usage') }}</h3>";
+                output += '<table class="table table-striped">';
+                output += table_tr_kv("{{ lang._('Host Total') }}", cpu.host_total.toFixed(2));
+                output += table_tr_kv("{{ lang._('Host User') }}", cpu.host_user.toFixed(2));
+                output += table_tr_kv("{{ lang._('Host System') }}", cpu.host_system.toFixed(2));
+                output += table_tr_kv("{{ lang._('Remote Total') }}", cpu.remote_total.toFixed(2));
+                output += table_tr_kv("{{ lang._('Remote User') }}", cpu.remote_user.toFixed(2));
+                output += table_tr_kv("{{ lang._('Remote System') }}", cpu.remote_system.toFixed(2));
+                output += "</table>";
+                // performance data
+                output += "<h3>{{ lang._('Performance Data') }}</h3>";
+                output += '<table class="table table-striped">';
+                var fields = ['sum_sent', 'sum_received'];
+                output += table_tr_transpose("{{ lang._('Start') }}","start",fields, test_end);
+                output += table_tr_transpose("{{ lang._('End') }}","end",fields, test_end);
+                output += table_tr_transpose("{{ lang._('Seconds') }}","seconds",fields, test_end);
+                output += table_tr_transpose("{{ lang._('Bytes') }}","bytes",fields, test_end);
+                output += table_tr_transpose("{{ lang._('Bits Per Second') }}","bits_per_second",fields, test_end);
+                output += "</table>";
+            }
         }
     }
     $('#resultcontainer').html(output);

From 21ca8a504cd074b560fde646c04b763956148939 Mon Sep 17 00:00:00 2001
From: mkozlowski <10508687+m-kozlowski@users.noreply.github.com>
Date: Tue, 29 Oct 2024 20:30:28 +0100
Subject: [PATCH 2169/3088] fix for opnsense/plugins#4035

---
 .../src/opnsense/service/conf/actions.d/actions_haproxy.conf  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
index ab181dd8ac..407dad535e 100644
--- a/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
+++ b/net/haproxy/src/opnsense/service/conf/actions.d/actions_haproxy.conf
@@ -91,7 +91,7 @@ type:script_output
 message:Show diff between configured ssl certificates and certs from HAProxy memory for multiple frontends
 
 [cert_sync]
-command:configctl template reload OPNsense/HAProxy 2 > /dev/null; /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
+command:configctl -q template reload OPNsense/HAProxy; /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py
 parameters: sync --frontend-ids %s --output json
 type:script_output
 message:Sync ssl certificates into HAProxy memory for multiple frontends
@@ -103,7 +103,7 @@ type:script_output
 message:Show diff between configured ssl certificates and certs from HAProxy memory for all frontends
 
 [cert_sync_bulk]
-command:configctl template reload OPNsense/HAProxy 2 > /dev/null; /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py sync --output json
+command:configctl -q template reload OPNsense/HAProxy; /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py sync --output json
 parameters:
 type:script_output
 message:Sync ssl certificates into HAProxy memory for all frontends

From 30bf1fa72f72355a29fc057f8630b19c9efa61bc Mon Sep 17 00:00:00 2001
From: doktornotor <1075960+doktornotor@users.noreply.github.com>
Date: Thu, 31 Oct 2024 18:26:08 +0100
Subject: [PATCH 2170/3088] Lower logging priority (#4228)

PR: https://forum.opnsense.org/index.php?topic=42759.0

See man syslog(3) and https://github.com/opnsense/core/issues/7101

This log message is of no interest to anyone beyond debugging telemetry functionality.
---
 .../src/opnsense/scripts/etpro_telemetry/send_telemetry.py      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py
index dea1240b7d..1604274b02 100755
--- a/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py
+++ b/security/etpro-telemetry/src/opnsense/scripts/etpro_telemetry/send_telemetry.py
@@ -78,7 +78,7 @@
             # data collected, log and push
             if row_count > 0 and max_timestamp is not None:
                 syslog.syslog(
-                    syslog.LOG_NOTICE,
+                    syslog.LOG_DEBUG,
                     'telemetry data collected %d records in %.2f seconds @%s' % (
                         row_count, time.time() - send_start_time, max_timestamp
                     )

From 343912e4540accd826b89cf254a7e2708e4cc585 Mon Sep 17 00:00:00 2001
From: Andrew <andrew.hotlab@hotmail.com>
Date: Sun, 3 Nov 2024 10:38:07 +0100
Subject: [PATCH 2171/3088] Remove "pipes" Python module dependency (#4336)

This commit fixes the folowing warning at boot:

<118>/usr/local/opnsense/scripts/OPNsense/Tinc/tincd.py:34: DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13
---
 security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
index 2f73ae60b6..7979c93002 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
@@ -31,12 +31,12 @@
 import os
 import sys
 import glob
-import pipes
 import xml.etree.ElementTree
 import shutil
 import subprocess
 import ipaddress
 from lib import objects
+from shlex import quote
 
 def write_file(filename, content, mode=0o600):
     dirname = '/'.join(filename.split('/')[0:-1])
@@ -92,7 +92,7 @@ def deploy(config_filename):
 
         if_up = list()
         if_up.append("#!/bin/sh")
-        if_up.append("ifconfig %s %s %s" % (interface_name, interface_family, pipes.quote(interface_address)))
+        if_up.append("ifconfig %s %s %s" % (interface_name, interface_family, quote(interface_address)))
         if_up.append("configctl interface %s %s" % (interface_configd, interface_name))
         write_file("%s/tinc-up" % network.get_basepath(), '\n'.join(if_up) + "\n", 0o700)
 

From e806ea3fd6d0da6a1fa177e68c7e71ea79f113c5 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 4 Nov 2024 17:25:09 +0100
Subject: [PATCH 2172/3088] www/caddy: Remove default route from layer4 since
 its obsolete (#4323)

---
 .../src/opnsense/service/templates/OPNsense/Caddy/Caddyfile     | 2 --
 1 file changed, 2 deletions(-)

diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 62f47f65d8..a5fae7d8af 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -94,8 +94,6 @@
                     import /usr/local/etc/caddy/caddy.d/*.layer4listener
                     {% set context_var = "listener_wrappers" %}
                     {% include "OPNsense/Caddy/includeLayer4" %}
-                    {# Empty Route that catches all other traffic #}
-                    route
                 }
                 {# Route all other traffic to HTTP App #}
                 tls

From 72e09d54d1a5a7d2af39183ee99b9dc11f1df8fb Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 4 Nov 2024 17:26:24 +0100
Subject: [PATCH 2173/3088] www/caddy: Add Layer4 openvpn, winbox and quic
 matcher (#4325)

* www/caddy: Add CRUD for Layer4 OpenVPN matcher with mode and static key support.

* www/caddy: Export static keys to the filesystem as uuid.key

* www/caddy: Remove validation that checks for multiple keys, help text is enough.

* www/caddy: Expand layer4 template for all supported OpenVPN modes.

* www/caddy: Prevent multiple static keys for modes other than crypt2_client. Fix helptexts.

* www/caddy: Add unique constraint to description of openvpn static key

* www/caddy: Changelog and version bump

* www/caddy: Make static key optional when choosing the tls mode in openvpn matcher

* www/caddy: Prepare new Layer7 Matcher Tab for more customizable matchers in the future.

* www/caddy: Add Layer4 QUIC matcher.

* www/caddy: Rename matcherTab

* www/caddy: Revert a4ea0cb3 since its non operational and will not be needed for a while anyway

* www/caddy: Changelog
---
 www/caddy/Makefile                            |   2 +-
 www/caddy/pkg-descr                           |  12 +++
 .../Caddy/Api/ReverseProxyController.php      | 100 ++++++++++++------
 .../OPNsense/Caddy/Layer4Controller.php       |   1 +
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |  18 +++-
 .../Caddy/forms/dialogLayer4Openvpn.xml       |  13 +++
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   |  33 +++++-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  41 +++++++
 .../mvc/app/views/OPNsense/Caddy/layer4.volt  |  62 +++++++++--
 .../scripts/OPNsense/Caddy/caddy_certs.php    |  29 +++--
 .../templates/OPNsense/Caddy/includeLayer4    |  60 +++++++++++
 11 files changed, 316 insertions(+), 55 deletions(-)
 create mode 100644 www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 1fe46006ff..bd346b669e 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.7.3
+PLUGIN_VERSION=		1.7.4
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index af5015875c..42a8d507d6 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,18 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.7.4
+
+* Add: Layer4 OpenVPN matcher with mode, digest and static key support
+* Add: Layer4 Winbox matcher
+* Add: Layer4 QUIC matcher
+* Build: Update dependency to lang/go123
+* Build: Update caddy-l4 and caddy-dynamicdns module
+* Build: Fix that caddy-l4 does not stop when ssh is proxied
+* Build: DNS Providers: Update porkbun, dnsmadeeasy
+* Cleanup: Layer4 default route in listener_wrappers has been removed (obsolete)
+* Fix: Error when same Access List is set to wildcard and subdomain
+
 1.7.3
 
 * Add: Clear All button to Filter by Domain selectpicker
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 16bb4de37f..0e46c0504a 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -209,40 +209,6 @@ public function toggleHandleAction($uuid, $enabled = null)
         return $this->toggleBase("reverseproxy.handle", $uuid, $enabled);
     }
 
-
-    // Layer4 Section
-
-    public function searchLayer4Action()
-    {
-        return $this->searchBase("reverseproxy.layer4", null, 'description');
-    }
-
-    public function setLayer4Action($uuid)
-    {
-        return $this->setBase("layer4", "reverseproxy.layer4", $uuid);
-    }
-
-    public function addLayer4Action()
-    {
-        return $this->addBase("layer4", "reverseproxy.layer4");
-    }
-
-    public function getLayer4Action($uuid = null)
-    {
-        return $this->getBase("layer4", "reverseproxy.layer4", $uuid);
-    }
-
-    public function delLayer4Action($uuid)
-    {
-        return $this->delBase("reverseproxy.layer4", $uuid);
-    }
-
-    public function toggleLayer4Action($uuid, $enabled = null)
-    {
-        return $this->toggleBase("reverseproxy.layer4", $uuid, $enabled);
-    }
-
-
     // AccessList Section
 
     public function searchAccessListAction()
@@ -349,4 +315,70 @@ public function delHeaderAction($uuid)
     {
         return $this->delBase("reverseproxy.header", $uuid);
     }
+
+
+    // Layer4 Proxy Section
+
+    public function searchLayer4Action()
+    {
+        return $this->searchBase("reverseproxy.layer4", null, 'description');
+    }
+
+    public function setLayer4Action($uuid)
+    {
+        return $this->setBase("layer4", "reverseproxy.layer4", $uuid);
+    }
+
+    public function addLayer4Action()
+    {
+        return $this->addBase("layer4", "reverseproxy.layer4");
+    }
+
+    public function getLayer4Action($uuid = null)
+    {
+        return $this->getBase("layer4", "reverseproxy.layer4", $uuid);
+    }
+
+    public function delLayer4Action($uuid)
+    {
+        return $this->delBase("reverseproxy.layer4", $uuid);
+    }
+
+    public function toggleLayer4Action($uuid, $enabled = null)
+    {
+        return $this->toggleBase("reverseproxy.layer4", $uuid, $enabled);
+    }
+
+
+    // Layer4 OpenVPN Section
+
+    public function searchLayer4OpenvpnAction()
+    {
+        return $this->searchBase("reverseproxy.layer4openvpn", null, 'description');
+    }
+
+    public function setLayer4OpenvpnAction($uuid)
+    {
+        return $this->setBase("layer4openvpn", "reverseproxy.layer4openvpn", $uuid);
+    }
+
+    public function addLayer4OpenvpnAction()
+    {
+        return $this->addBase("layer4openvpn", "reverseproxy.layer4openvpn");
+    }
+
+    public function getLayer4OpenvpnAction($uuid = null)
+    {
+        return $this->getBase("layer4openvpn", "reverseproxy.layer4openvpn", $uuid);
+    }
+
+    public function delLayer4OpenvpnAction($uuid)
+    {
+        return $this->delBase("reverseproxy.layer4openvpn", $uuid);
+    }
+
+    public function toggleLayer4OpenvpnAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase("reverseproxy.layer4openvpn", $uuid, $enabled);
+    }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
index 00b4548e7d..1a085eff42 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
@@ -38,5 +38,6 @@ public function indexAction()
     {
         $this->view->pick('OPNsense/Caddy/layer4');
         $this->view->formDialogLayer4 = $this->getForm("dialogLayer4");
+        $this->view->formDialogLayer4Openvpn = $this->getForm("dialogLayer4Openvpn");
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index a2c73f6a01..1679b056fe 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -62,10 +62,26 @@
         <id>layer4.FromDomain</id>
         <label>Domain</label>
         <type>select_multiple</type>
-        <style>style_matchers tokenize</style>
+        <style>style_matchers tokenize matchers_domain</style>
         <allownew>true</allownew>
         <help><![CDATA[Enter one or multiple domains to route via SNI or Host Header. Wildcard domains and host wildcards are allowed, e.g. "*.example.com" and "*".]]></help>
     </field>
+    <field>
+        <id>layer4.FromOpenvpnModes</id>
+        <label>OpenVPN Mode</label>
+        <type>dropdown</type>
+        <style>style_matchers matchers_openvpn</style>
+        <help><![CDATA[Select the mode matching the OpenVPN Server or Client.]]></help>
+    </field>
+    <field>
+        <id>layer4.FromOpenvpnStaticKey</id>
+        <label>OpenVPN Static Key</label>
+        <type>select_multiple</type>
+        <style>style_matchers selectpicker matchers_openvpn</style>
+        <hint>Any</hint>
+        <size>5</size>
+        <help><![CDATA[Select a Static Key to match. Multiple Static Keys are only supported for tls-crypt2_client mode.]]></help>
+    </field>
     <field>
         <id>layer4.InvertMatchers</id>
         <label>Invert Matchers</label>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml
new file mode 100644
index 0000000000..ec225e85f3
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml
@@ -0,0 +1,13 @@
+<fields>
+    <field>
+        <id>layer4openvpn.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>layer4openvpn.StaticKey</id>
+        <label>Static Key</label>
+        <type>textbox</type>
+        <help>Paste an OpenVPN Static key.</help>
+    </field>
+</fields>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index f738609ea9..066574cbf5 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -180,7 +180,7 @@ private function checkLayer4Matchers($messages)
         foreach ($this->reverseproxy->layer4->iterateItems() as $item) {
             if ($item->isFieldChanged()) {
                 $key = $item->__reference;
-                if (in_array((string)$item->Matchers, ['httphost', 'tlssni']) && empty((string)$item->FromDomain)) {
+                if (in_array((string)$item->Matchers, ['httphost', 'tlssni', 'quicsni']) && empty((string)$item->FromDomain)) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
@@ -191,7 +191,7 @@ private function checkLayer4Matchers($messages)
                         $key . ".FromDomain"
                     ));
                 } elseif (
-                        !in_array((string)$item->Matchers, ['httphost', 'tlssni']) &&
+                        !in_array((string)$item->Matchers, ['httphost', 'tlssni', 'quicsni']) &&
                         (
                             !empty((string)$item->FromDomain) &&
                             (string)$item->FromDomain != '*'
@@ -208,6 +208,30 @@ private function checkLayer4Matchers($messages)
                     ));
                 }
 
+                if ((string)$item->Matchers !== 'openvpn' && !empty((string)$item->FromOpenvpnModes)) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When "%s" matcher is selected, field must be empty.'
+                            ),
+                            $item->Matchers
+                        ),
+                        $key . ".FromOpenvpnModes"
+                    ));
+                }
+
+                if ((string)$item->Matchers !== 'openvpn' && !empty((string)$item->FromOpenvpnStaticKey)) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When "%s" matcher is selected, field must be empty.'
+                            ),
+                            $item->Matchers
+                        ),
+                        $key . ".FromOpenvpnStaticKey"
+                    ));
+                }
+
                 if ((string)$item->Type === 'global' && empty((string)$item->FromPort)) {
                     $messages->appendMessage(new Message(
                         sprintf(
@@ -246,13 +270,14 @@ private function checkLayer4Matchers($messages)
                     (string)$item->Type !== 'global' &&
                     (
                         (string)$item->Matchers == 'tls' ||
-                        (string)$item->Matchers == 'http'
+                        (string)$item->Matchers == 'http' ||
+                        (string)$item->Matchers == 'quic'
                     )
                 ) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
-                                'When routing type is "%s", matchers "HTTP" or "TLS" cannot be chosen.'
+                                'When routing type is "%s", matchers "HTTP", "TLS" or "QUIC" cannot be chosen.'
                             ),
                             $item->Type
                         ),
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 8e357ad8ee..f1ef8c65d7 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -489,6 +489,29 @@
                     <AsList>Y</AsList>
                     <ValidationMessage>Please enter one or multiple hostnames or FQDNs.</ValidationMessage>
                 </FromDomain>
+                <FromOpenvpnModes type="OptionField">
+                    <BlankDesc>Any</BlankDesc>
+                    <OptionValues>
+                        <auth_sha256_normal>tls-auth_sha256_normal</auth_sha256_normal>
+                        <auth_sha256_inverse>tls-auth_sha256_inverse</auth_sha256_inverse>
+                        <auth_sha512_normal>tls-auth_sha512_normal</auth_sha512_normal>
+                        <auth_sha512_inverse>tls-auth_sha512_inverse</auth_sha512_inverse>
+                        <crypt>tls-crypt</crypt>
+                        <crypt2_client>tls-crypt2_client</crypt2_client>
+                        <crypt2_server>tls-crypt2_server</crypt2_server>
+                    </OptionValues>
+                </FromOpenvpnModes>
+                <FromOpenvpnStaticKey type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.layer4openvpn</items>
+                            <display>description</display>
+                            <display_format>%s</display_format>
+                        </reverseproxy>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                </FromOpenvpnStaticKey>
                 <Matchers type="OptionField">
                     <Required>Y</Required>
                     <Default>tlssni</Default>
@@ -497,14 +520,18 @@
                         <dns>DNS</dns>
                         <http>HTTP</http>
                         <httphost>HTTP (Host Header)</httphost>
+                        <openvpn>OpenVPN</openvpn>
                         <postgres>Postgres</postgres>
                         <proxy_protocol>Proxy Protocol</proxy_protocol>
+                        <quic>QUIC</quic>
+                        <quicsni>QUIC (SNI Client Hello)</quicsni>
                         <rdp>RDP</rdp>
                         <socks4>SOCKSv4</socks4>
                         <socks5>SOCKSv5</socks5>
                         <ssh>SSH</ssh>
                         <tls>TLS</tls>
                         <tlssni>TLS (SNI Client Hello)</tlssni>
+                        <winbox>Winbox</winbox>
                         <wireguard>Wireguard</wireguard>
                         <xmpp>XMPP</xmpp>
                     </OptionValues>
@@ -539,6 +566,20 @@
                 </RemoteIp>
                 <description type="DescriptionField"/>
             </layer4>
+            <layer4openvpn type="ArrayField">
+                <StaticKey type="TextField">
+                    <Required>Y</Required>
+                </StaticKey>
+                <description type="DescriptionField">
+                    <Required>Y</Required>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Description must be unique.</ValidationMessage>
+                            <type>UniqueConstraint</type>
+                        </check001>
+                    </Constraints>
+                </description>
+            </layer4openvpn>
         </reverseproxy>
     </items>
 </model>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
index d1bfc6cf62..b762112926 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
@@ -36,6 +36,15 @@
             toggle:'/api/caddy/ReverseProxy/toggleLayer4/',
         });
 
+        $("#Layer4OpenvpnGrid").UIBootgrid({
+            search:'/api/caddy/ReverseProxy/searchLayer4Openvpn/',
+            get:'/api/caddy/ReverseProxy/getLayer4Openvpn/',
+            set:'/api/caddy/ReverseProxy/setLayer4Openvpn/',
+            add:'/api/caddy/ReverseProxy/addLayer4Openvpn/',
+            del:'/api/caddy/ReverseProxy/delLayer4Openvpn/',
+            toggle:'/api/caddy/ReverseProxy/toggleLayer4Openvpn/',
+        });
+
         /**
          * Displays an alert message to the user.
          *
@@ -86,11 +95,17 @@
             }
         });
 
+        // Hide all elements with style_matchers initially
+        $(".style_matchers").closest('tr').hide();
+
         $("#layer4\\.Matchers").change(function() {
-            if ($(this).val() !== "tlssni" && $(this).val() !== "httphost") {
-                $(".style_matchers").closest('tr').hide();
-            } else {
-                $(".style_matchers").closest('tr').show();
+            $(".style_matchers").closest('tr').hide();
+            const selectedVal = $(this).val();
+
+            if (selectedVal === "tlssni" || selectedVal === "httphost" || selectedVal === "quicsni") {
+                $(".matchers_domain").closest('tr').show();
+            } else if (selectedVal === "openvpn") {
+                $(".matchers_openvpn").closest('tr').show();
             }
         });
 
@@ -108,6 +123,7 @@
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li id="tab-layer4" class="active"><a data-toggle="tab" href="#layer4Tab">{{ lang._('Layer4 Routes') }}</a></li>
+    <li id="tab-matcher"><a data-toggle="tab" href="#matcherTab">{{ lang._('Layer7 Matcher Settings') }}</a></li>
 </ul>
 
 <div class="tab-content content-box">
@@ -115,7 +131,7 @@
     <div id="layer4Tab" class="tab-pane fade active in">
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
+            <div style="display: block;">
                 <table id="Layer4Grid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4" data-editAlert="ConfigurationChangeMessage">
                     <thead>
                         <tr>
@@ -125,9 +141,11 @@
                             <th data-column-id="Type" data-type="string" data-visible="false">{{ lang._('Routing Type') }}</th>
                             <th data-column-id="Protocol" data-type="string">{{ lang._('Protocol') }}</th>
                             <th data-column-id="FromPort" data-type="string" data-visible="false">{{ lang._('Local Port') }}</th>
-                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
                             <th data-column-id="Matchers" data-type="string">{{ lang._('Matchers') }}</th>
                             <th data-column-id="InvertMatchers" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Invert Matchers') }}</th>
+                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
+                            <th data-column-id="FromOpenvpnModes" data-type="string" data-visible="false">{{ lang._('OpenVPN Modes') }}</th>
+                            <th data-column-id="FromOpenvpnStaticKey" data-type="string" data-visible="false">{{ lang._('OpenVPN Static Key') }}</th>
                             <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
                             <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
                             <th data-column-id="RemoteIp" data-type="string" data-visible="false">{{ lang._('Remote IP') }}</th>
@@ -152,8 +170,39 @@
             </div>
         </div>
     </div>
+
+    <!-- Layer7 Tab -->
+    <div id="matcherTab" class="tab-pane fade">
+        <div style="padding-left: 16px;">
+            <!-- OpenVPN Matcher -->
+            <h1 class="custom-header">{{ lang._('OpenVPN Static Keys') }}</h1>
+            <div style="display: block;">
+                <table id="Layer4OpenvpnGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4Openvpn" data-editAlert="ConfigurationChangeMessage">
+                    <thead>
+                        <tr>
+                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                    </tbody>
+                    <tfoot>
+                        <tr>
+                            <td></td>
+                            <td>
+                                <button id="addLayer4OpenvpnBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
+                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                            </td>
+                        </tr>
+                    </tfoot>
+                </table>
+            </div>
+        </div>
+    </div>
 </div>
 
+
 <!-- Reconfigure Button -->
 <section class="page-content-main">
     <div class="content-box">
@@ -177,3 +226,4 @@
 </section>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':'DialogLayer4','label':lang._('Edit Layer4 Route')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4Openvpn,'id':'DialogLayer4Openvpn','label':lang._('Edit OpenVPN Static Key')])}}
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index f65ef168cf..a8e6c36cf1 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -36,22 +36,22 @@
 
 // Traverse through certificates
 foreach ($configObj->cert as $cert) {
-    $cert_refid = (string) $cert->refid;
-    $cert_content = base64_decode((string) $cert->crt);
-    $key_content = base64_decode((string) $cert->prv);
+    $cert_refid = (string)$cert->refid;
+    $cert_content = base64_decode((string)$cert->crt);
+    $key_content = base64_decode((string)$cert->prv);
     $cert_chain = $cert_content;
 
     // Handle CA and possible intermediate CA to create a certificate bundle
     if (!empty($cert->caref)) {
         foreach ($configObj->ca as $ca) {
-            if ((string) $cert->caref === (string) $ca->refid) {
-                $ca_content = base64_decode((string) $ca->crt);
+            if ((string)$cert->caref === (string)$ca->refid) {
+                $ca_content = base64_decode((string)$ca->crt);
                 $cert_chain .= "\n" . $ca_content;
 
                 if (!empty($ca->caref)) {
                     foreach ($configObj->ca as $parent_ca) {
-                        if ((string) $ca->caref === (string) $parent_ca->refid) {
-                            $parent_ca_content = base64_decode((string) $parent_ca->crt);
+                        if ((string)$ca->caref === (string)$parent_ca->refid) {
+                            $parent_ca_content = base64_decode((string)$parent_ca->crt);
                             $cert_chain .= "\n" . $parent_ca_content;
                             break;
                         }
@@ -68,9 +68,20 @@
 
 // Traverse through CA certificates and save them
 foreach ($configObj->ca as $ca) {
-    $ca_refid = (string) $ca->refid;
-    $ca_content = base64_decode((string) $ca->crt);
+    $ca_refid = (string)$ca->refid;
+    $ca_content = base64_decode((string)$ca->crt);
 
     // Save the CA certificate
     file_put_contents($temp_dir . $ca_refid . '.pem', $ca_content);
 }
+
+// Traverse through layer4 OpenVPN static keys and save them as files
+if (isset($configObj->Pischem->caddy->reverseproxy->layer4openvpn)) {
+    foreach ($configObj->Pischem->caddy->reverseproxy->layer4openvpn as $openvpn) {
+        $uuid = (string) $openvpn['uuid'];
+        $static_key = (string) $openvpn->StaticKey;
+
+        // Save the static key
+        file_put_contents($temp_dir . $uuid . '.key', $static_key);
+    }
+}
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index defaf2528f..c6058ccd70 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -70,6 +70,66 @@
         {{ invert_prefix }}http host {{ layer4.FromDomain.replace(',', ' ') }}
     {% elif layer4.Matchers == 'tlssni' %}
         {{ invert_prefix }}tls sni {{ layer4.FromDomain.replace(',', ' ') }}
+    {% elif layer4.Matchers == 'quicsni' %}
+        {{ invert_prefix }}quic sni {{ layer4.FromDomain.replace(',', ' ') }}
+    {% elif layer4.Matchers == 'openvpn' and layer4.FromOpenvpnModes %}
+        {% for mode in layer4.FromOpenvpnModes.split(',') %}
+            {% set mode_clean = mode.strip() %}
+            {% if layer4.FromOpenvpnStaticKey %}
+                {% set key_list = layer4.FromOpenvpnStaticKey.split(',') %}
+            {% endif %}
+            {% if mode_clean.startswith('auth') %}
+                {% if key_list|length > 1 %}
+                    {% set key_list = key_list[:1] %}
+                {% endif %}
+                {% set digest = 'sha256' if 'sha256' in mode_clean else 'sha512' %}
+                {% set direction = 'normal' if 'normal' in mode_clean else 'inverse' %}
+                {{ invert_prefix }}openvpn {
+                    modes auth
+                    auth_digest {{ digest }}
+                {% if layer4.FromOpenvpnStaticKey %}
+                    group_key_direction {{ direction }}
+                    {% for key_uuid in key_list %}
+                    group_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+                    {% endfor %}
+                {% endif %}
+                }
+            {% elif mode_clean == 'crypt' %}
+                {% if key_list|length > 1 %}
+                    {% set key_list = key_list[:1] %}
+                {% endif %}
+                {{ invert_prefix }}openvpn {
+                    modes crypt
+                {% if layer4.FromOpenvpnStaticKey %}
+                    {% for key_uuid in key_list %}
+                    group_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+                    {% endfor %}
+                {% endif %}
+                }
+            {% elif mode_clean == 'crypt2_client' %}
+                {# Multiple keys are allowed for crypt2_client #}
+                {{ invert_prefix }}openvpn {
+                    modes crypt2
+                    {% if layer4.FromOpenvpnStaticKey %}
+                        {% for key_uuid in key_list %}
+                    client_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+                        {% endfor %}
+                    {% endif %}
+                }
+            {% elif mode_clean == 'crypt2_server' %}
+                {% if key_list|length > 1 %}
+                    {% set key_list = key_list[:1] %}
+                {% endif %}
+                {{ invert_prefix }}openvpn {
+                    modes crypt2
+                    {% if layer4.FromOpenvpnStaticKey %}
+                        {% for key_uuid in key_list %}
+                    server_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+                        {% endfor %}
+                    {% endif %}
+                }
+            {% endif %}
+        {% endfor %}
     {% else %}
         {{ invert_prefix }}{{ layer4.Matchers }}
     {% endif %}

From 50f261d4e5179b3dda0e938b2cdf6a7e1ce5744b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 4 Nov 2024 17:26:41 +0100
Subject: [PATCH 2174/3088] www/caddy: Fix access list handle being the same
 duplicate string when appended to both wildcard and subdomain. (#4334)

---
 .../service/templates/OPNsense/Caddy/Caddyfile     | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index a5fae7d8af..c25a36e048 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -463,19 +463,23 @@ http://{{ domain }} {
 #   Purpose: Manages the logic for access lists, used for handlers, domains and subdomains
 #   Parameters:
 #   @param accesslist (string): The UUID of the access list to be applied.
+#   @param unique_suffix (string): A unique string to append to the access list, stripped of non-alphanumeric characters.
 #}
-{% macro handle_accesslist(accesslist) %}
+{% macro handle_accesslist(accesslist, unique_suffix='') %}
     {# Access list logic for dropping connections based on IP #}
     {% if accesslist %}
+        {% set sanitized_suffix = unique_suffix | regex_replace('[^a-zA-Z0-9]', '') %}
+        {% set unique_identifier = '@' + accesslist + ('_' + sanitized_suffix if sanitized_suffix else '') %}
+
         {% set accesslist_obj = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', accesslist) | first %}
         {% if accesslist_obj %}
             {% set client_ips = accesslist_obj.clientIps.split(',') | join(' ') %}
-            @{{ accesslist_obj['@uuid'] }} {
+            {{ unique_identifier }} {
                 {# Non-inverted access lists have "not" as default, inverted ones '' #}
                 {{ 'not' if accesslist_obj.accesslistInvert|default("0") == "0" else '' }} client_ip {{ client_ips }}
             }
             {# When IP is matched, abort or send response code. This will end processing and drop the request #}
-            handle @{{ accesslist_obj['@uuid'] }} {
+            handle {{ unique_identifier }} {
                 {% if accesslist_obj.HttpResponseCode %}
                     respond {{ '"' + accesslist_obj.HttpResponseMessage + '"' if accesslist_obj.HttpResponseMessage else '' }} {{ accesslist_obj.HttpResponseCode }}
                 {% else %}
@@ -579,7 +583,7 @@ http://{{ domain }} {
                     }
                     handle @{{ subdomain['@uuid'] }} {
                         {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
-                        {{ handle_accesslist(subdomain.accesslist) }}
+                        {{ handle_accesslist(subdomain.accesslist, subdomain.FromDomain) }}
                         {# All IPs not matched by accesslist will continue processing #}
                         {{ render_handles(subdomain_handles, subdomain.basicauth) }}
                     }
@@ -587,7 +591,7 @@ http://{{ domain }} {
             {% endfor %}
 
             {% set domain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
-            {{ handle_accesslist(reverse.accesslist) }}
+            {{ handle_accesslist(reverse.accesslist, reverse.FromDomain) }}
             {# All IPs not matched by accesslist will continue processing #}
             {{ render_handles(domain_handles, reverse.basicauth) }}
         }

From cd126b69c623e17817bdc60ecf5024935bc7d6e7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Nov 2024 15:58:47 +0100
Subject: [PATCH 2175/3088] net/frr: style sweep

---
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php    | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
index f1a01d56b5..b737f80f49 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.php
@@ -43,11 +43,10 @@ public function performValidation($validateFullModel = false)
             $key = $neighbor->__reference;
             $address_proto = str_contains($neighbor->address, ':') ? 'inet6' : 'inet';
             if (!empty((string)$neighbor->multihop) && $address_proto == 'inet6') {
-               $messages->appendMessage(
-                  new Message(gettext("Multihop is currently only supported for IPv4"), $key . ".multihop")
-              );
+                $messages->appendMessage(
+                    new Message(gettext("Multihop is currently only supported for IPv4"), $key . ".multihop")
+                );
             }
-
         }
         return $messages;
     }

From 69f73f4ca1383c5cf08e837a3d198a7876d4f899 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Nov 2024 15:59:56 +0100
Subject: [PATCH 2176/3088] benchmarks/iperf: bump revision

---
 benchmarks/iperf/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/benchmarks/iperf/Makefile b/benchmarks/iperf/Makefile
index 1882a1ae75..c3e8860aec 100644
--- a/benchmarks/iperf/Makefile
+++ b/benchmarks/iperf/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		iperf
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Connection speed tester
 PLUGIN_DEPENDS=		iperf3 ruby rubygem-rexml
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 4080aaf261605ab1ff882d0240d658c5e9599bfe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Nov 2024 16:02:23 +0100
Subject: [PATCH 2177/3088] dns/bind: do the switch

---
 dns/bind/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index a4e2f5250b..3457965b84 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 1.33
 
 * Add option to allow the rndc-key for zone transfers (contributed by Naomi Rennie-Waldock)
+* Switch to Bind 9.20
 
 1.32
 

From d7748ce367248086c7443bf085ba274f5dda3907 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Nov 2024 16:03:48 +0100
Subject: [PATCH 2178/3088] security/etpro-telemetry: bump revision

---
 security/etpro-telemetry/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 5877c38ca3..c45747de65 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html

From bb69d4653746320c0bf4363eb42f63906b5584e8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Nov 2024 16:05:12 +0100
Subject: [PATCH 2179/3088] security/tinc: bump revision

---
 security/tinc/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index ea9b6397ab..7265c9cc06 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 1e2357205385d63f0ec2ac286836aa914a771aa9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 9 Nov 2024 12:44:44 +0100
Subject: [PATCH 2180/3088] www/nginx: fix isEmpty() use #4342

---
 www/nginx/Makefile                                       | 2 +-
 .../Base/Constraints/NgxBusyBufferConstraint.php         | 9 +++++----
 .../Constraints/NgxUniqueDefaultServerConstraint.php     | 4 ++--
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 4ed214f639..7b5d49baff 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
index 409dfa6f22..83491dbff2 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
@@ -43,24 +43,25 @@ public function validate($validator, $attribute): bool
         $node = $this->getOption('node');
         if ($node) {
             $parentNode = $node->getParentNode();
-            if (!$this->isEmpty($node)) {
+            if (!$node->isEmpty()) {
                 $proxy_buffer_size_node = $parentNode->proxy_buffer_size;
                 $proxy_buffers_count_node = $parentNode->proxy_buffers_count;
                 $proxy_buffers_size_node = $parentNode->proxy_buffers_size;
                 $proxy_busy_buffers_size_node = $parentNode->proxy_busy_buffers_size;
 
-                if (!$this->isEmpty($proxy_buffers_count_node) && !$this->isEmpty($proxy_buffers_size_node)) {
+                if (!is_null($proxy_buffers_count_node) && !$proxy_buffers_count_node->isEmpty() &&
+                    !is_null($proxy_buffers_size_node) && !$proxy_buffers_size_node->isEmpty()) {
                     $proxy_buffers_count_int = intval((string) $proxy_buffers_count_node);
                     $proxy_buffers_size_int = intval((string) $proxy_buffers_size_node);
 
                     $proxy_buffers_total_minus1_size = ($proxy_buffers_count_int - 1) * $proxy_buffers_size_int;
                 }
 
-                if (!$this->isEmpty($proxy_busy_buffers_size_node)) {
+                if (!is_null($proxy_busy_buffers_size_node) && !$proxy_busy_buffers_size_node->isEmpty()) {
                     $proxy_busy_buffers_size = intval((string) $proxy_busy_buffers_size_node);
                 }
 
-                if (!$this->isEmpty($proxy_buffer_size_node)) {
+                if (!is_null($proxy_buffer_size_node) && !$proxy_buffer_size_node->isEmpty()) {
                     $proxy_buffer_size_int = intval((string) $proxy_buffer_size_node);
                 }
 
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
index 433d2b1015..4393425f4f 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxUniqueDefaultServerConstraint.php
@@ -45,7 +45,7 @@ public function validate($validator, $attribute): bool
         if ($node) {
             $httpServerNode = $node->getParentNode();
             $defaultServerNode = $httpServerNode->getChild("default_server");
-            if (!$this->isEmpty($defaultServerNode)) {
+            if (!$defaultServerNode->isEmpty()) {
                 $myUUID = $httpServerNode->getAttribute("uuid");
                 $myListenHTTPAddress = $httpServerNode->getChild("listen_http_address");
 
@@ -58,7 +58,7 @@ public function validate($validator, $attribute): bool
                     $uuid = $httpServer->getAttribute("uuid");
                     if ($uuid != $myUUID) {
                         $defaultServerNode = $httpServer->getChild("default_server");
-                        if (!$this->isEmpty($defaultServerNode)) {
+                        if (!$defaultServerNode->isEmpty()) {
                             $listenHTTPAddressNode = $httpServer->getChild("listen_http_address");
                             if ($this->compareListenAddresses($myListenHTTPAddress, $listenHTTPAddressNode, $msg)) {
                                 $validator->appendMessage(new Message(

From e31bf67701c9c900f656b41f62c6a63dffd8834c Mon Sep 17 00:00:00 2001
From: kumy <kumy@users.noreply.github.com>
Date: Mon, 11 Nov 2024 10:18:54 +0100
Subject: [PATCH 2181/3088] sysutils/git-backup: Fix typo (#4345)

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Git.php        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index f402ae3bee..a109a1adc9 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -117,7 +117,7 @@ public function setConfiguration($conf)
     }
 
     /**
-     * Backup is responsible for initialising the local repo and pusing it to upstream.
+     * Backup is responsible for initialising the local repo and pushing it to upstream.
      * To ensure initial content, we should trigger a 'system event config_changed' which should enforce a
      * add + commit in our (newly created) repo.
      *

From 4f40b607a119d62ced0f9e88b60c83c33ade4070 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 11 Nov 2024 10:28:20 +0100
Subject: [PATCH 2182/3088] www/nginx: style issue

---
 .../OPNsense/Base/Constraints/NgxBusyBufferConstraint.php   | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
index 83491dbff2..fe84e2ffd8 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Base/Constraints/NgxBusyBufferConstraint.php
@@ -49,8 +49,10 @@ public function validate($validator, $attribute): bool
                 $proxy_buffers_size_node = $parentNode->proxy_buffers_size;
                 $proxy_busy_buffers_size_node = $parentNode->proxy_busy_buffers_size;
 
-                if (!is_null($proxy_buffers_count_node) && !$proxy_buffers_count_node->isEmpty() &&
-                    !is_null($proxy_buffers_size_node) && !$proxy_buffers_size_node->isEmpty()) {
+                if (
+                    !is_null($proxy_buffers_count_node) && !$proxy_buffers_count_node->isEmpty() &&
+                    !is_null($proxy_buffers_size_node) && !$proxy_buffers_size_node->isEmpty()
+                ) {
                     $proxy_buffers_count_int = intval((string) $proxy_buffers_count_node);
                     $proxy_buffers_size_int = intval((string) $proxy_buffers_size_node);
 

From 530e70cebc2df5c0968fa681851ae421e237d265 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?sophie=20=5B=E2=9B=A7-440729=5D?= <github@999eagle.moe>
Date: Mon, 11 Nov 2024 18:03:00 +0100
Subject: [PATCH 2183/3088] security/wazuh-agent: implement options to change
 server ports (#4346)

---
 .../OPNsense/WazuhAgent/forms/settings.xml       | 15 ++++++++++++++-
 .../models/OPNsense/WazuhAgent/WazuhAgent.xml    | 16 +++++++++++++++-
 .../templates/OPNsense/WazuhAgent/ossec.conf     |  4 ++++
 3 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
index 342b03cb51..8c92582f1f 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
@@ -22,6 +22,13 @@
         <advanced>true</advanced>
         <help>Specifies the transport protocol to use.</help>
     </field>
+    <field>
+        <id>agent.general.port</id>
+        <label>Manager port</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Specifies the port to use for communicating with the Wazuh manager.</help>
+    </field>
     <field>
         <id>agent.logcollector.syslog_programs</id>
         <label>Applications</label>
@@ -84,7 +91,7 @@
     </field>
     <field>
         <type>header</type>
-        <label>Authentication</label>
+        <label>Enrollment</label>
         <collapse>true</collapse>
     </field>
     <field>
@@ -93,6 +100,12 @@
         <type>password</type>
         <help>Password to use in authd.pass file.</help>
     </field>
+    <field>
+        <id>agent.auth.port</id>
+        <label>Enrollment port</label>
+        <type>text</type>
+        <help>Specifies the port to use for communicating with the Wazuh manager during enrollment.</help>
+    </field>
     <field>
         <type>header</type>
         <label>Policy monitoring and anomaly detection</label>
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
index 4c4a2b568d..cba8e4b2f5 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/WazuhAgent</mount>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <description>
         Wazuh Agent
     </description>
@@ -22,6 +22,13 @@
                     <udp>UDP</udp>
                 </OptionValues>
             </protocol>
+            <port type="IntegerField">
+                <default>1514</default>
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65536</MaximumValue>
+                <ValidationMessage>This must be a valid port number.</ValidationMessage>
+            </port>
             <debug_level type="OptionField">
                 <default>0</default>
                 <Required>Y</Required>
@@ -35,6 +42,13 @@
         <auth>
             <password type="TextField">
             </password>
+            <port type="IntegerField">
+                <default>1515</default>
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65536</MaximumValue>
+                <ValidationMessage>This must be a valid port number.</ValidationMessage>
+            </port>
         </auth>
         <logcollector>
             <remote_commands type="BooleanField">
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
index 53aeb20e77..68eac29d17 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
@@ -3,8 +3,12 @@
     <server>
       <address>{{OPNsense.WazuhAgent.general.server_address}}</address>
       <protocol>{{OPNsense.WazuhAgent.general.protocol|default('tcp')}}</protocol>
+      <port>{{OPNsense.WazuhAgent.general.port|default('1514')}}</port>
     </server>
     <crypto_method>aes</crypto_method>
+    <enrollment>
+      <port>{{OPNsense.WazuhAgent.auth.port|default('1515')}}</port>
+    </enrollment>
   </client>
 
   <client_buffer>

From 864af63f4e4192b3aea5a5310d6bc3f1bad5c13d Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 12 Nov 2024 13:59:52 +0100
Subject: [PATCH 2184/3088] net/ndproxy: Add os-ndproxy plugin (#4348)

* net/ndproxy: Add os-ndproxy plugin

* net/ndproxy: Fix a few small errors.

* net/ndproxy: Fix a few small errors.

* Update net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* Update net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* net/ndproxy: Cleanup view to use base_form and SimpleActionButton

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 net/ndproxy/Makefile                          |  7 ++
 net/ndproxy/pkg-descr                         |  8 ++
 .../src/etc/inc/plugins.inc.d/ndproxy.inc     | 64 ++++++++++++++++
 .../Ndproxy/Api/GeneralController.php         | 40 ++++++++++
 .../Ndproxy/Api/ServiceController.php         | 41 +++++++++++
 .../OPNsense/Ndproxy/GeneralController.php    | 42 +++++++++++
 .../Ndproxy/forms/Api/GeneralController.php   | 40 ++++++++++
 .../Ndproxy/forms/Api/ServiceController.php   | 41 +++++++++++
 .../Ndproxy/forms/GeneralController.php       | 42 +++++++++++
 .../OPNsense/Ndproxy/forms/general.xml        | 40 ++++++++++
 .../app/models/OPNsense/Ndproxy/ACL/ACL.xml   | 10 +++
 .../app/models/OPNsense/Ndproxy/Menu/Menu.xml |  5 ++
 .../app/models/OPNsense/Ndproxy/Ndproxy.php   | 66 +++++++++++++++++
 .../app/models/OPNsense/Ndproxy/Ndproxy.xml   | 27 +++++++
 .../app/views/OPNsense/Ndproxy/general.volt   | 73 +++++++++++++++++++
 .../conf/actions.d/actions_ndproxy.conf       | 24 ++++++
 .../templates/OPNsense/Ndproxy/+TARGETS       |  1 +
 .../OPNsense/Ndproxy/rc.conf.d/ndproxy        | 19 +++++
 18 files changed, 590 insertions(+)
 create mode 100644 net/ndproxy/Makefile
 create mode 100644 net/ndproxy/pkg-descr
 create mode 100644 net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/Api/GeneralController.php
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/Api/ServiceController.php
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/GeneralController.php
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/GeneralController.php
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/ServiceController.php
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/GeneralController.php
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/ACL/ACL.xml
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Menu/Menu.xml
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Ndproxy.php
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Ndproxy.xml
 create mode 100644 net/ndproxy/src/opnsense/mvc/app/views/OPNsense/Ndproxy/general.volt
 create mode 100644 net/ndproxy/src/opnsense/service/conf/actions.d/actions_ndproxy.conf
 create mode 100644 net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/+TARGETS
 create mode 100644 net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy

diff --git a/net/ndproxy/Makefile b/net/ndproxy/Makefile
new file mode 100644
index 0000000000..17d6902560
--- /dev/null
+++ b/net/ndproxy/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		ndproxy
+PLUGIN_VERSION=		1.0
+PLUGIN_DEPENDS=		ndproxy
+PLUGIN_COMMENT=		Neighbor Discovery Proxy
+PLUGIN_MAINTAINER=	cedrik@pischem.com
+
+.include "../../Mk/plugins.mk"
diff --git a/net/ndproxy/pkg-descr b/net/ndproxy/pkg-descr
new file mode 100644
index 0000000000..ee59b68dd7
--- /dev/null
+++ b/net/ndproxy/pkg-descr
@@ -0,0 +1,8 @@
+Ndproxy is a kernel module that implements IPv6 Neighbor Discovery proxying over Ethernet-like access networks.
+
+Plugin Changelog
+================
+
+1.0
+
+* Initial Release
diff --git a/net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc b/net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc
new file mode 100644
index 0000000000..aead8fa56c
--- /dev/null
+++ b/net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc
@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Cedrik Pischem
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function ndproxy_services()
+{
+    global $config;
+
+    $services = [];
+
+    if (isset($config['OPNsense']['ndproxy']['general']['enabled']) &&
+        $config['OPNsense']['ndproxy']['general']['enabled'] == 1) {
+        $services[] = [
+            'description' => gettext('Ndproxy'),
+            'configd' => [
+                'start' => ['ndproxy start'],
+                'restart' => ['ndproxy restart'],
+                'stop' => ['ndproxy stop'],
+            ],
+            'name' => 'ndproxy',
+            'nocheck' => true,
+        ];
+    }
+
+    return $services;
+}
+
+function ndproxy_xmlrpc_sync()
+{
+    $result = [];
+
+    $result[] = array(
+        'description' => gettext('Ndproxy'),
+        'section' => 'OPNsense.ndproxy',
+        'id' => 'ndproxy',
+        'services' => ["ndproxy"],
+    );
+
+    return $result;
+}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/Api/GeneralController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/Api/GeneralController.php
new file mode 100644
index 0000000000..3fe747dc6c
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/Api/GeneralController.php
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Ndproxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'ndproxy';
+    protected static $internalModelClass = 'OPNsense\Ndproxy\Ndproxy';
+}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/Api/ServiceController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/Api/ServiceController.php
new file mode 100644
index 0000000000..55d3983dc9
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/Api/ServiceController.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Ndproxy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Ndproxy\Ndproxy';
+    protected static $internalServiceTemplate = 'OPNsense/Ndproxy';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceName = 'ndproxy';
+}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/GeneralController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/GeneralController.php
new file mode 100644
index 0000000000..d97a29a228
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/GeneralController.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Ndproxy;
+
+use OPNsense\Base\IndexController;
+
+class GeneralController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Ndproxy/general');
+        $this->view->generalForm = $this->getForm("general");
+    }
+}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/GeneralController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/GeneralController.php
new file mode 100644
index 0000000000..3fe747dc6c
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/GeneralController.php
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Ndproxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'ndproxy';
+    protected static $internalModelClass = 'OPNsense\Ndproxy\Ndproxy';
+}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/ServiceController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/ServiceController.php
new file mode 100644
index 0000000000..55d3983dc9
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/ServiceController.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Ndproxy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Ndproxy\Ndproxy';
+    protected static $internalServiceTemplate = 'OPNsense/Ndproxy';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceName = 'ndproxy';
+}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/GeneralController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/GeneralController.php
new file mode 100644
index 0000000000..d97a29a228
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/GeneralController.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Ndproxy;
+
+use OPNsense\Base\IndexController;
+
+class GeneralController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Ndproxy/general');
+        $this->view->generalForm = $this->getForm("general");
+    }
+}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml
new file mode 100644
index 0000000000..09f6ed144f
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml
@@ -0,0 +1,40 @@
+<form>
+    <field>
+        <type>header</type>
+        <label>General Settings</label>
+    </field>
+    <field>
+        <id>ndproxy.general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help><![CDATA[Enable or disable ndproxy.]]></help>
+    </field>
+    <field>
+        <id>ndproxy.general.ndproxy_uplink_interface</id>
+        <label>Uplink Interface</label>
+        <type>dropdown</type>
+        <help><![CDATA[Choose the uplink interface which receives the external IPv6 prefix from the ISP. Usually, this is the WAN interface.]]></help>
+    </field>
+    <field>
+        <id>ndproxy.general.ndproxy_downlink_mac_address</id>
+        <label>Downlink MAC Address</label>
+        <type>text</type>
+        <help><![CDATA[Enter the MAC address of the downlink interface that will distribute the external IPv6 prefix of the upstream interface. Usually, this is the LAN interface.]]></help>
+    </field>
+    <field>
+        <id>ndproxy.general.ndproxy_uplink_ipv6_addresses</id>
+        <label>Uplink IPv6 Addresses</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Define IPv6 addresses of the Provider Edge (PE) router(s). These addresses represent the sources from which ndproxy will handle and respond to NDP traffic. Defining these addresses ensures that ndproxy only proxies traffic from trusted upstream routers.]]></help>
+    </field>
+    <field>
+        <id>ndproxy.general.ndproxy_exception_ipv6_addresses</id>
+        <label>Exception IPv6 Addresses</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[Define IPv6 addresses that should be excepted from proxying. This is to prevent ndproxy from handling NDP requests for specific addresses on the network that should be managed by other devices. Can be left empty for simple networks.]]></help>
+    </field>
+</form>
diff --git a/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/ACL/ACL.xml b/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/ACL/ACL.xml
new file mode 100644
index 0000000000..a2aa1cba51
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/ACL/ACL.xml
@@ -0,0 +1,10 @@
+<acl>
+    <page-ndproxy-general>
+        <name>Services: Ndproxy: General Settings</name>
+        <description>Allow access to Ndproxy General Settings</description>
+        <patterns>
+            <pattern>ui/ndproxy/general/*</pattern>
+            <pattern>api/ndproxy/general/*</pattern>
+        </patterns>
+    </page-ndproxy-general>
+</acl>
diff --git a/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Menu/Menu.xml b/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Menu/Menu.xml
new file mode 100644
index 0000000000..32ba653a7e
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Menu/Menu.xml
@@ -0,0 +1,5 @@
+<menu>
+    <Services>
+        <Ndproxy VisibleName="Ndproxy" cssClass="fa fa-bullseye fa-fw" url="/ui/ndproxy/general"/>
+    </Services>
+</menu>
diff --git a/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Ndproxy.php b/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Ndproxy.php
new file mode 100644
index 0000000000..1db32ccfc3
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Ndproxy.php
@@ -0,0 +1,66 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Ndproxy;
+
+use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
+
+class Ndproxy extends BaseModel
+{
+    private function checkConfiguration($messages)
+    {
+        if ((string)$this->general->enabled === '1') {
+            $requiredFields = [
+                'ndproxy_uplink_interface',
+                'ndproxy_downlink_mac_address',
+                'ndproxy_uplink_ipv6_addresses'
+            ];
+
+            foreach ($requiredFields as $field) {
+                if (empty((string)$this->general->$field)) {
+                    $messages->appendMessage(new Message(
+                        gettext('Field is required to enable Ndproxy.'),
+                        "general." . $field
+                    ));
+                }
+            }
+        }
+    }
+
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+
+        $this->checkConfiguration($messages);
+
+        return $messages;
+    }
+}
diff --git a/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Ndproxy.xml b/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Ndproxy.xml
new file mode 100644
index 0000000000..1076dd8111
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/models/OPNsense/Ndproxy/Ndproxy.xml
@@ -0,0 +1,27 @@
+<model>
+    <mount>//OPNsense/ndproxy</mount>
+    <description>ndproxy configuration model</description>
+    <version>1.0</version>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <ndproxy_uplink_interface type="InterfaceField"/>
+            <ndproxy_downlink_mac_address type="MacAddressField"/>
+            <ndproxy_exception_ipv6_addresses type="NetworkField">
+                <AddressFamily>ipv6</AddressFamily>
+                <FieldSeparator>,</FieldSeparator>
+                <AsList>Y</AsList>
+                <ValidationMessage>Please enter one or multiple valid IPv6 addresses.</ValidationMessage>
+            </ndproxy_exception_ipv6_addresses>
+            <ndproxy_uplink_ipv6_addresses type="NetworkField">
+                <AddressFamily>ipv6</AddressFamily>
+                <FieldSeparator>,</FieldSeparator>
+                <AsList>Y</AsList>
+                <ValidationMessage>Please enter one or multiple valid IPv6 addresses.</ValidationMessage>
+            </ndproxy_uplink_ipv6_addresses>
+        </general>
+    </items>
+</model>
diff --git a/net/ndproxy/src/opnsense/mvc/app/views/OPNsense/Ndproxy/general.volt b/net/ndproxy/src/opnsense/mvc/app/views/OPNsense/Ndproxy/general.volt
new file mode 100644
index 0000000000..5e212445bd
--- /dev/null
+++ b/net/ndproxy/src/opnsense/mvc/app/views/OPNsense/Ndproxy/general.volt
@@ -0,0 +1,73 @@
+{#
+ # Copyright (c) 2024 Cedrik Pischem
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $(document).ready(function() {
+        mapDataToFormUI({'frm_GeneralSettings': "/api/ndproxy/general/get"}).done(function() {
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('ndproxy');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = $.Deferred();
+                saveFormToEndpoint("/api/ndproxy/general/set", 'frm_GeneralSettings', dfObj.resolve, true, dfObj.reject);
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                if (status === "success" && data.status === 'ok') {
+                    ajaxCall("/api/ndproxy/service/reconfigure", {}, function(reconfigData, reconfigStatus) {
+                        if (reconfigStatus === "success" && reconfigData.status === 'ok') {
+                            updateServiceControlUI('ndproxy');
+                        }
+                    });
+                }
+            }
+        });
+
+        updateServiceControlUI('ndproxy');
+    });
+</script>
+
+<section class="page-content-main">
+    <div class="content-box">
+        {{ partial("layout_partials/base_form", ['fields': generalForm, 'id': 'frm_GeneralSettings']) }}
+    </div>
+    <br/>
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint="/api/ndproxy/service/reconfigure"
+                    data-label="{{ lang._('Apply') }}"
+                    type="button">
+                {{ lang._('Apply') }}
+            </button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
diff --git a/net/ndproxy/src/opnsense/service/conf/actions.d/actions_ndproxy.conf b/net/ndproxy/src/opnsense/service/conf/actions.d/actions_ndproxy.conf
new file mode 100644
index 0000000000..eeb5174bbf
--- /dev/null
+++ b/net/ndproxy/src/opnsense/service/conf/actions.d/actions_ndproxy.conf
@@ -0,0 +1,24 @@
+[start]
+command:service ndproxy start
+parameters:
+type:script
+message:Starting ndproxy service
+
+[stop]
+command:service ndproxy stop
+parameters:
+type:script
+message:Stopping ndproxy service
+
+[restart]
+command:service ndproxy restart
+parameters:
+type:script
+message:Restarting ndproxy service
+description:Restart ndproxy service
+
+[status]
+command:/usr/local/sbin/pluginctl -s ndproxy status
+parameters:
+type:script_output
+message:Request ndproxy status
diff --git a/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/+TARGETS b/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/+TARGETS
new file mode 100644
index 0000000000..181513c0d1
--- /dev/null
+++ b/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/+TARGETS
@@ -0,0 +1 @@
+rc.conf.d/ndproxy:/etc/rc.conf.d/ndproxy
diff --git a/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy b/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy
new file mode 100644
index 0000000000..f907ee0329
--- /dev/null
+++ b/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy
@@ -0,0 +1,19 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+{% set generalSettings = helpers.getNodeByTag('OPNsense.ndproxy.general') %}
+{% if generalSettings.enabled|default("0") == "1" %}
+ndproxy_enable="YES"
+{%     if generalSettings.ndproxy_uplink_interface %}
+ndproxy_uplink_interface="{{ helpers.physical_interface(generalSettings.ndproxy_uplink_interface) }}"
+{%     endif %}
+{%     if generalSettings.ndproxy_downlink_mac_address %}
+ndproxy_downlink_mac_address="{{ generalSettings.ndproxy_downlink_mac_address }}"
+{%     endif %}
+{%     if generalSettings.ndproxy_exception_ipv6_addresses %}
+ndproxy_exception_ipv6_addresses="{{ generalSettings.ndproxy_exception_ipv6_addresses | replace(',', ';') }}"
+{%     endif %}
+{%     if generalSettings.ndproxy_uplink_ipv6_addresses %}
+ndproxy_uplink_ipv6_addresses="{{ generalSettings.ndproxy_uplink_ipv6_addresses | replace(',', ';') }}"
+{%     endif %}
+{% else %}
+ndproxy_enable="NO"
+{% endif %}

From 045a3b8a8ea7d44a8934a000c519395feb737dbe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Nov 2024 08:08:57 +0100
Subject: [PATCH 2185/3088] devel/debug: add opnsense-atf and related glue

---
 devel/debug/Makefile              |   4 +-
 devel/debug/src/sbin/opnsense-atf | 132 ++++++++++++++++++++++++++++++
 2 files changed, 134 insertions(+), 2 deletions(-)
 create mode 100755 devel/debug/src/sbin/opnsense-atf

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 0348b91ee8..8e7336c0ca 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -1,11 +1,11 @@
 PLUGIN_NAME=		debug
-PLUGIN_VERSION=		1.5
+PLUGIN_VERSION=		1.6.d
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
 			phpunit9-php${PLUGIN_PHP} \
 			py${PLUGIN_PYTHON}-pycodestyle \
-			p5-File-Slurp git
+			p5-File-Slurp git jq scapy
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_TIER=		2
 
diff --git a/devel/debug/src/sbin/opnsense-atf b/devel/debug/src/sbin/opnsense-atf
new file mode 100755
index 0000000000..a0cb9dae8b
--- /dev/null
+++ b/devel/debug/src/sbin/opnsense-atf
@@ -0,0 +1,132 @@
+#!/bin/sh
+
+# Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+#    this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+PATTERNS="-e ^passed -e ^skipped -e ^failed"
+TESTDIR=/usr/src/tests/sys/netpfil/pf
+__RUNNING_INSIDE_ATF_RUN=internal-yes-value
+
+export __RUNNING_INSIDE_ATF_RUN
+
+if [ "$(id -u)" != "0" ]; then
+	echo "Must be root."
+	exit 1
+fi
+
+DO_ALL=
+DO_DEBUG=
+DO_LIST=
+
+while getopts adlV OPT; do
+	case ${OPT} in
+	a)
+		DO_ALL="-a"
+		;;
+	d)
+		DO_DEBUG="-d"
+		PATTERNS="-e ."
+		;;
+	l)
+		DO_LIST="-l"
+		;;
+	V)
+		DO_VERBOSE="-V"
+		;;
+	*)
+		echo "Usage: man ${0##*/}" >&2
+		exit 1
+		;;
+	esac
+done
+
+shift $((OPTIND - 1))
+
+if [ -n "${DO_VERBOSE}" ]; then
+	set -x
+fi
+
+list()
+{
+	for TESTFILE in $(find -s ${TESTDIR} -name "*.sh"); do
+		TESTFILE=$(basename ${TESTFILE})
+		echo ${TESTFILE%.sh}
+	done
+}
+
+run()
+{
+	TESTFILE=${1%%:*}
+	TESTCASE=${1#*:}
+
+	TEST=${TESTDIR}/${TESTFILE}.sh
+
+	if [ "${TESTCASE}" = "${1}" ]; then
+		TESTCASE=
+	fi
+
+	if [ ! -f "${TEST}" ]; then
+		echo "Unsupported test case: ${TESTFILE}" >&2
+		exit 1
+	fi
+
+	grep ^atf_test_case ${TEST} | tr -d '"' | awk '{ print $2 " " $3}' | while read CASE CLEANUP; do
+		if [ -n "${TESTCASE}" -a "${TESTCASE}" != "${CASE}" ]; then
+			continue
+		fi
+		RESULT=$( (/usr/libexec/atf-sh ${TEST} ${CASE} 2>&1) | grep ${PATTERNS})
+		if [ -n "${CLEANUP}" ]; then
+			/usr/libexec/atf-sh ${TEST} ${CASE}:cleanup > /dev/null 2>&1
+		fi
+		if [ -z "${DO_DEBUG}" ]; then
+			echo ">>> $(basename ${TESTDIR})(${TESTFILE}:${CASE}): ${RESULT}"
+		else
+			echo "${RESULT}"
+		fi
+	done
+}
+
+if [ -n "${DO_LIST}" ]; then
+	list
+	exit 0
+fi
+
+TESTS=${@}
+if [ -n "${DO_ALL}" ]; then
+	TESTS=$(list)
+fi
+
+# We could consider copying the whole test setup
+# somewhere else # but the whole thing needs to
+# be redesigned anyway.  Fudge this locally.
+chmod 555 ${TESTDIR}/../common/*.sh ${TESTDIR}/../common/*.py ${TESTDIR}/*.py
+
+for TEST in ${TESTS}; do
+	run ${TEST}
+done
+
+if [ -z "${TESTS}" ]; then
+	echo "Nothing to do."
+fi
+
+chmod 644 ${TESTDIR}/../common/*.sh ${TESTDIR}/../common/*.py ${TESTDIR}/*.py

From ecced78fabd4e6d2a592427230ea61da1742f9f5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Nov 2024 08:25:10 +0100
Subject: [PATCH 2186/3088] net/ndproxy: sync

---
 README.md                                         | 1 +
 net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c265b6fdec..3da5813b91 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,7 @@ net/google-cloud-sdk -- Google Cloud SDK
 net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
+net/ndproxy -- Neighbor Discovery Proxy
 net/ntopng -- Traffic Analysis and Flow Collection
 net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
 net/realtek-re -- Realtek re(4) vendor driver
diff --git a/net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc b/net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc
index aead8fa56c..9ea3e573a7 100644
--- a/net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc
+++ b/net/ndproxy/src/etc/inc/plugins.inc.d/ndproxy.inc
@@ -32,8 +32,10 @@ function ndproxy_services()
 
     $services = [];
 
-    if (isset($config['OPNsense']['ndproxy']['general']['enabled']) &&
-        $config['OPNsense']['ndproxy']['general']['enabled'] == 1) {
+    if (
+        isset($config['OPNsense']['ndproxy']['general']['enabled']) &&
+        $config['OPNsense']['ndproxy']['general']['enabled'] == 1
+    ) {
         $services[] = [
             'description' => gettext('Ndproxy'),
             'configd' => [

From 955306a03fdc52981bd8512c1cf43f5415da57bb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Nov 2024 08:29:14 +0100
Subject: [PATCH 2187/3088] debug/devel: fix scapy prefix and pivot to atf port

---
 devel/debug/Makefile              | 3 ++-
 devel/debug/src/sbin/opnsense-atf | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 8e7336c0ca..6d79424ce9 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -5,7 +5,8 @@ PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
 			phpunit9-php${PLUGIN_PHP} \
 			py${PLUGIN_PYTHON}-pycodestyle \
-			p5-File-Slurp git jq scapy
+			py${PLUGIN_PYTHON}-scapy \
+			p5-File-Slurp atf git jq
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_TIER=		2
 
diff --git a/devel/debug/src/sbin/opnsense-atf b/devel/debug/src/sbin/opnsense-atf
index a0cb9dae8b..c0cc515fbd 100755
--- a/devel/debug/src/sbin/opnsense-atf
+++ b/devel/debug/src/sbin/opnsense-atf
@@ -23,6 +23,7 @@
 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
 
+ATFCMD=/usr/local/bin/atf-sh
 PATTERNS="-e ^passed -e ^skipped -e ^failed"
 TESTDIR=/usr/src/tests/sys/netpfil/pf
 __RUNNING_INSIDE_ATF_RUN=internal-yes-value
@@ -94,9 +95,9 @@ run()
 		if [ -n "${TESTCASE}" -a "${TESTCASE}" != "${CASE}" ]; then
 			continue
 		fi
-		RESULT=$( (/usr/libexec/atf-sh ${TEST} ${CASE} 2>&1) | grep ${PATTERNS})
+		RESULT=$( (${ATFCMD} ${TEST} ${CASE} 2>&1) | grep ${PATTERNS})
 		if [ -n "${CLEANUP}" ]; then
-			/usr/libexec/atf-sh ${TEST} ${CASE}:cleanup > /dev/null 2>&1
+			${ATFCMD} ${TEST} ${CASE}:cleanup > /dev/null 2>&1
 		fi
 		if [ -z "${DO_DEBUG}" ]; then
 			echo ">>> $(basename ${TESTDIR})(${TESTFILE}:${CASE}): ${RESULT}"
@@ -117,8 +118,8 @@ if [ -n "${DO_ALL}" ]; then
 fi
 
 # We could consider copying the whole test setup
-# somewhere else # but the whole thing needs to
-# be redesigned anyway.  Fudge this locally.
+# somewhere else but the whole thing needs to be
+# redesigned anyway.  Fudge this locally.
 chmod 555 ${TESTDIR}/../common/*.sh ${TESTDIR}/../common/*.py ${TESTDIR}/*.py
 
 for TEST in ${TESTS}; do

From b62c92870ce5b50de12c0ebe59a51f40267d502c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Nov 2024 13:45:04 +0100
Subject: [PATCH 2188/3088] devel/debug: minor script improvements

---
 devel/debug/src/sbin/opnsense-atf | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/devel/debug/src/sbin/opnsense-atf b/devel/debug/src/sbin/opnsense-atf
index c0cc515fbd..a048205906 100755
--- a/devel/debug/src/sbin/opnsense-atf
+++ b/devel/debug/src/sbin/opnsense-atf
@@ -31,7 +31,7 @@ __RUNNING_INSIDE_ATF_RUN=internal-yes-value
 export __RUNNING_INSIDE_ATF_RUN
 
 if [ "$(id -u)" != "0" ]; then
-	echo "Must be root."
+	echo "Must be root." >&2
 	exit 1
 fi
 
@@ -107,6 +107,11 @@ run()
 	done
 }
 
+if [ ! -d "${TESTDIR}" ]; then
+	echo "Test directory not found: ${TESTDIR}" >&2
+	exit 1
+fi
+
 if [ -n "${DO_LIST}" ]; then
 	list
 	exit 0
@@ -131,3 +136,6 @@ if [ -z "${TESTS}" ]; then
 fi
 
 chmod 644 ${TESTDIR}/../common/*.sh ${TESTDIR}/../common/*.py ${TESTDIR}/*.py
+
+# other leftovers
+rm -f created_interfaces.lst created_jails.lst

From dc353664c7f4e38e56080a0c2efcf6d8be23c788 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Nov 2024 15:04:37 +0100
Subject: [PATCH 2189/3088] devel/debug: cleanup before and after, CTRL-C being
 used too much

---
 devel/debug/src/sbin/opnsense-atf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/devel/debug/src/sbin/opnsense-atf b/devel/debug/src/sbin/opnsense-atf
index a048205906..80777d8100 100755
--- a/devel/debug/src/sbin/opnsense-atf
+++ b/devel/debug/src/sbin/opnsense-atf
@@ -95,6 +95,9 @@ run()
 		if [ -n "${TESTCASE}" -a "${TESTCASE}" != "${CASE}" ]; then
 			continue
 		fi
+		if [ -n "${CLEANUP}" ]; then
+			${ATFCMD} ${TEST} ${CASE}:cleanup > /dev/null 2>&1
+		fi
 		RESULT=$( (${ATFCMD} ${TEST} ${CASE} 2>&1) | grep ${PATTERNS})
 		if [ -n "${CLEANUP}" ]; then
 			${ATFCMD} ${TEST} ${CASE}:cleanup > /dev/null 2>&1

From ac95208b61a84efdaf1ad299c067e8bdd409edd3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Nov 2024 20:17:22 +0100
Subject: [PATCH 2190/3088] devel/debug: restructure again for maximum effect

---
 devel/debug/src/sbin/opnsense-atf | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/devel/debug/src/sbin/opnsense-atf b/devel/debug/src/sbin/opnsense-atf
index 80777d8100..3e22d9ab22 100755
--- a/devel/debug/src/sbin/opnsense-atf
+++ b/devel/debug/src/sbin/opnsense-atf
@@ -46,7 +46,6 @@ while getopts adlV OPT; do
 		;;
 	d)
 		DO_DEBUG="-d"
-		PATTERNS="-e ."
 		;;
 	l)
 		DO_LIST="-l"
@@ -95,16 +94,22 @@ run()
 		if [ -n "${TESTCASE}" -a "${TESTCASE}" != "${CASE}" ]; then
 			continue
 		fi
+
+		echo -n ">>> $(basename ${TESTDIR})(${TESTFILE}:${CASE}): "
+
 		if [ -n "${CLEANUP}" ]; then
 			${ATFCMD} ${TEST} ${CASE}:cleanup > /dev/null 2>&1
 		fi
-		RESULT=$( (${ATFCMD} ${TEST} ${CASE} 2>&1) | grep ${PATTERNS})
+
+		RESULT=$(${ATFCMD} ${TEST} ${CASE} 2>&1)
+
 		if [ -n "${CLEANUP}" ]; then
 			${ATFCMD} ${TEST} ${CASE}:cleanup > /dev/null 2>&1
 		fi
-		if [ -z "${DO_DEBUG}" ]; then
-			echo ">>> $(basename ${TESTDIR})(${TESTFILE}:${CASE}): ${RESULT}"
-		else
+
+		(echo "${RESULT}" | grep ${PATTERN})
+
+		if [ -n "${DO_DEBUG}" ]; then
 			echo "${RESULT}"
 		fi
 	done

From 2e82b51f637f95fa535cb9ea4ede8e2b229b2446 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Nov 2024 20:19:08 +0100
Subject: [PATCH 2191/3088] devel/debug: one more

---
 devel/debug/src/sbin/opnsense-atf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/devel/debug/src/sbin/opnsense-atf b/devel/debug/src/sbin/opnsense-atf
index 3e22d9ab22..c647f3ee5e 100755
--- a/devel/debug/src/sbin/opnsense-atf
+++ b/devel/debug/src/sbin/opnsense-atf
@@ -24,7 +24,6 @@
 # POSSIBILITY OF SUCH DAMAGE.
 
 ATFCMD=/usr/local/bin/atf-sh
-PATTERNS="-e ^passed -e ^skipped -e ^failed"
 TESTDIR=/usr/src/tests/sys/netpfil/pf
 __RUNNING_INSIDE_ATF_RUN=internal-yes-value
 
@@ -107,7 +106,7 @@ run()
 			${ATFCMD} ${TEST} ${CASE}:cleanup > /dev/null 2>&1
 		fi
 
-		(echo "${RESULT}" | grep ${PATTERN})
+		echo "${RESULT}" | grep -e ^passed -e ^skipped -e ^failed
 
 		if [ -n "${DO_DEBUG}" ]; then
 			echo "${RESULT}"

From 3a14c24a36f1baeddaf1103869b5159fd13129c9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 15 Nov 2024 08:11:30 +0100
Subject: [PATCH 2192/3088] devel/debug: the "you're holding it wrong" release
 ;)

---
 devel/debug/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 6d79424ce9..9cb0a3c89f 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		debug
-PLUGIN_VERSION=		1.6.d
+PLUGIN_VERSION=		1.6
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \

From 4a4eaf40da46c3f43b61ef9992122e4ac2dd8b0a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 15 Nov 2024 08:13:47 +0100
Subject: [PATCH 2193/3088] Revert "Fix for mixed ping plugin config (#4316)"
 #4349

This reverts commit ee7868fa9324cc58988d2a678a920fb6cade89b1.
---
 .../service/templates/OPNsense/Telegraf/telegraf.conf      | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index 9b227e71a1..fd5012ae54 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -313,8 +313,7 @@
 
 {% if helpers.exists('OPNsense.telegraf.input.ping') and OPNsense.telegraf.input.ping == '1' %}
 [[inputs.ping]]
-  method = "native"
-  ipv4 = true
+  method = "exec"
 {%   if helpers.exists('OPNsense.telegraf.input.ping_hosts') and OPNsense.telegraf.input.ping_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping_hosts.split(','))) + "'" }}]
 {%   endif %}
@@ -325,8 +324,8 @@
 
 {% if helpers.exists('OPNsense.telegraf.input.ping6') and OPNsense.telegraf.input.ping6 == '1' %}
 [[inputs.ping]]
-  method = "native"
-  ipv6 = true
+  method = "exec"
+  binary = "ping6"
 {%   if helpers.exists('OPNsense.telegraf.input.ping6_hosts') and OPNsense.telegraf.input.ping6_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping6_hosts.split(','))) + "'" }}]
 {%   endif %}

From 0e7c12c9c0cc03fc774f71c5b937973025971c7e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 15 Nov 2024 08:14:29 +0100
Subject: [PATCH 2194/3088] net-mgmt/telegraf: bump

---
 net-mgmt/telegraf/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 2c275b4560..c5890c6229 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		telegraf
 PLUGIN_VERSION=		1.12.11
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 46ef70f242936629ff009722ba100d7a9464306a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 15 Nov 2024 08:17:55 +0100
Subject: [PATCH 2195/3088] security/wazuh: defaults are all required in the
 model

---
 security/wazuh-agent/Makefile                               | 2 +-
 security/wazuh-agent/pkg-descr                              | 4 ++++
 .../mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml       | 4 +---
 .../service/templates/OPNsense/WazuhAgent/ossec.conf        | 6 +++---
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index 41a7f47851..fcc6e3fd7b 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		wazuh-agent
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/wazuh-agent/pkg-descr b/security/wazuh-agent/pkg-descr
index feb4a29e2a..f42ab3aa9c 100644
--- a/security/wazuh-agent/pkg-descr
+++ b/security/wazuh-agent/pkg-descr
@@ -8,6 +8,10 @@ solution.
 Plugin Changelog
 ================
 
+1.2
+
+* Implement options to change server ports (contributed by 999eagle)
+
 1.1
 
 * Add advanced option to specify transport protocol
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
index cba8e4b2f5..79697b050e 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -1,9 +1,7 @@
 <model>
     <mount>//OPNsense/WazuhAgent</mount>
     <version>1.0.2</version>
-    <description>
-        Wazuh Agent
-    </description>
+    <description>Wazuh Agent</description>
     <items>
         <general>
             <enabled type="BooleanField">
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
index 68eac29d17..2cddc9323e 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
@@ -2,12 +2,12 @@
   <client>
     <server>
       <address>{{OPNsense.WazuhAgent.general.server_address}}</address>
-      <protocol>{{OPNsense.WazuhAgent.general.protocol|default('tcp')}}</protocol>
-      <port>{{OPNsense.WazuhAgent.general.port|default('1514')}}</port>
+      <protocol>{{OPNsense.WazuhAgent.general.protocol}}</protocol>
+      <port>{{OPNsense.WazuhAgent.general.port}}</port>
     </server>
     <crypto_method>aes</crypto_method>
     <enrollment>
-      <port>{{OPNsense.WazuhAgent.auth.port|default('1515')}}</port>
+      <port>{{OPNsense.WazuhAgent.auth.port}}</port>
     </enrollment>
   </client>
 

From 598cf8ccd321bf6980d84f3aef63c312ac606130 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 Nov 2024 17:14:04 +0100
Subject: [PATCH 2196/3088] devel/debug: will not be needing this then

Still provide scapy and jq for test coverage reasons.  For reference:

  1. Single test via:

    # kyua debug -k /usr/tests/sys/netpfil/pf/Kyuafile killstate:match

  2. Running test suite via:

    # kyua test -k /usr/tests/sys/netpfil/pf/Kyuafile
---
 devel/debug/Makefile              |   2 +-
 devel/debug/src/sbin/opnsense-atf | 148 ------------------------------
 2 files changed, 1 insertion(+), 149 deletions(-)
 delete mode 100755 devel/debug/src/sbin/opnsense-atf

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 9cb0a3c89f..ecd817af99 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -6,7 +6,7 @@ PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			phpunit9-php${PLUGIN_PHP} \
 			py${PLUGIN_PYTHON}-pycodestyle \
 			py${PLUGIN_PYTHON}-scapy \
-			p5-File-Slurp atf git jq
+			p5-File-Slurp git jq
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_TIER=		2
 
diff --git a/devel/debug/src/sbin/opnsense-atf b/devel/debug/src/sbin/opnsense-atf
deleted file mode 100755
index c647f3ee5e..0000000000
--- a/devel/debug/src/sbin/opnsense-atf
+++ /dev/null
@@ -1,148 +0,0 @@
-#!/bin/sh
-
-# Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice,
-#    this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
-
-ATFCMD=/usr/local/bin/atf-sh
-TESTDIR=/usr/src/tests/sys/netpfil/pf
-__RUNNING_INSIDE_ATF_RUN=internal-yes-value
-
-export __RUNNING_INSIDE_ATF_RUN
-
-if [ "$(id -u)" != "0" ]; then
-	echo "Must be root." >&2
-	exit 1
-fi
-
-DO_ALL=
-DO_DEBUG=
-DO_LIST=
-
-while getopts adlV OPT; do
-	case ${OPT} in
-	a)
-		DO_ALL="-a"
-		;;
-	d)
-		DO_DEBUG="-d"
-		;;
-	l)
-		DO_LIST="-l"
-		;;
-	V)
-		DO_VERBOSE="-V"
-		;;
-	*)
-		echo "Usage: man ${0##*/}" >&2
-		exit 1
-		;;
-	esac
-done
-
-shift $((OPTIND - 1))
-
-if [ -n "${DO_VERBOSE}" ]; then
-	set -x
-fi
-
-list()
-{
-	for TESTFILE in $(find -s ${TESTDIR} -name "*.sh"); do
-		TESTFILE=$(basename ${TESTFILE})
-		echo ${TESTFILE%.sh}
-	done
-}
-
-run()
-{
-	TESTFILE=${1%%:*}
-	TESTCASE=${1#*:}
-
-	TEST=${TESTDIR}/${TESTFILE}.sh
-
-	if [ "${TESTCASE}" = "${1}" ]; then
-		TESTCASE=
-	fi
-
-	if [ ! -f "${TEST}" ]; then
-		echo "Unsupported test case: ${TESTFILE}" >&2
-		exit 1
-	fi
-
-	grep ^atf_test_case ${TEST} | tr -d '"' | awk '{ print $2 " " $3}' | while read CASE CLEANUP; do
-		if [ -n "${TESTCASE}" -a "${TESTCASE}" != "${CASE}" ]; then
-			continue
-		fi
-
-		echo -n ">>> $(basename ${TESTDIR})(${TESTFILE}:${CASE}): "
-
-		if [ -n "${CLEANUP}" ]; then
-			${ATFCMD} ${TEST} ${CASE}:cleanup > /dev/null 2>&1
-		fi
-
-		RESULT=$(${ATFCMD} ${TEST} ${CASE} 2>&1)
-
-		if [ -n "${CLEANUP}" ]; then
-			${ATFCMD} ${TEST} ${CASE}:cleanup > /dev/null 2>&1
-		fi
-
-		echo "${RESULT}" | grep -e ^passed -e ^skipped -e ^failed
-
-		if [ -n "${DO_DEBUG}" ]; then
-			echo "${RESULT}"
-		fi
-	done
-}
-
-if [ ! -d "${TESTDIR}" ]; then
-	echo "Test directory not found: ${TESTDIR}" >&2
-	exit 1
-fi
-
-if [ -n "${DO_LIST}" ]; then
-	list
-	exit 0
-fi
-
-TESTS=${@}
-if [ -n "${DO_ALL}" ]; then
-	TESTS=$(list)
-fi
-
-# We could consider copying the whole test setup
-# somewhere else but the whole thing needs to be
-# redesigned anyway.  Fudge this locally.
-chmod 555 ${TESTDIR}/../common/*.sh ${TESTDIR}/../common/*.py ${TESTDIR}/*.py
-
-for TEST in ${TESTS}; do
-	run ${TEST}
-done
-
-if [ -z "${TESTS}" ]; then
-	echo "Nothing to do."
-fi
-
-chmod 644 ${TESTDIR}/../common/*.sh ${TESTDIR}/../common/*.py ${TESTDIR}/*.py
-
-# other leftovers
-rm -f created_interfaces.lst created_jails.lst

From 000dcc9bda54249db4b2e8d38a778102bce1e67a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 18 Nov 2024 20:28:56 +0100
Subject: [PATCH 2197/3088] devel/debug: another requirement for testing

---
 devel/debug/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index ecd817af99..a3cfa16c9a 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -5,6 +5,7 @@ PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
 			phpunit9-php${PLUGIN_PHP} \
 			py${PLUGIN_PYTHON}-pycodestyle \
+			py${PLUGIN_PYTHON}-pytest \
 			py${PLUGIN_PYTHON}-scapy \
 			p5-File-Slurp git jq
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 45bc2f35affcdff66b54b392bcebf48d5a2b87ad Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Nov 2024 13:22:20 +0100
Subject: [PATCH 2198/3088] devel/debug: meet 'qyua', the quick-kyua command ;)

With the tool we can run tests from the source tree given the tests
(or a respective prebuilt set) have been installed in the system.

It creates "_" prefixed files in order to not taint the otherwise
installed tests and set up the few things that the build would
for source tree based test files.

Underneath eventually it runs kyua-test or kyua-debug depending
on the debug command line flag -d.  -a runs all the tests in the
source tree and -l lists them.

For now only supports .sh files and both /usr/src and /usr/tests
have to be manually managed, but more to come.
---
 devel/debug/Makefile      |   2 +-
 devel/debug/src/sbin/qyua | 144 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100755 devel/debug/src/sbin/qyua

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index a3cfa16c9a..08952f7696 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		debug
-PLUGIN_VERSION=		1.6
+PLUGIN_VERSION=		1.7.d
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
diff --git a/devel/debug/src/sbin/qyua b/devel/debug/src/sbin/qyua
new file mode 100755
index 0000000000..6ed0ec9990
--- /dev/null
+++ b/devel/debug/src/sbin/qyua
@@ -0,0 +1,144 @@
+#!/bin/sh
+
+# Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+#    this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+COMPONENT=sys/netpfil/pf
+
+TESTDIR=/usr/src/tests/${COMPONENT}
+DESTDIR=/usr/tests/${COMPONENT}
+
+if [ "$(id -u)" != "0" ]; then
+	echo "Must be root." >&2
+	exit 1
+fi
+
+DO_ALL=
+DO_DEBUG=
+DO_LIST=
+
+while getopts adlV OPT; do
+	case ${OPT} in
+	a)
+		DO_ALL="-a"
+		;;
+	d)
+		DO_DEBUG="-d"
+		;;
+	l)
+		DO_LIST="-l"
+		;;
+	V)
+		DO_VERBOSE="-V"
+		;;
+	*)
+		echo "Usage: man ${0##*/}" >&2
+		exit 1
+		;;
+	esac
+done
+
+shift $((OPTIND - 1))
+
+if [ -n "${DO_VERBOSE}" ]; then
+	set -x
+fi
+
+list()
+{
+	for TEST in $(find -s ${TESTDIR} -name "*.sh"); do
+		TEST=$(basename ${TEST})
+		echo ${TEST%.sh}
+	done
+}
+
+if [ ! -d "${TESTDIR}" ]; then
+	echo "Source directory not found: ${TESTDIR}" >&2
+	exit 1
+fi
+
+if [ ! -d "${DESTDIR}" ]; then
+	echo "Target directory not found: ${DESTDIR}" >&2
+	exit 1
+fi
+
+if [ -n "${DO_LIST}" ]; then
+	list
+	exit 0
+fi
+
+TESTS=${@}
+if [ -n "${DO_ALL}" ]; then
+	TESTS=$(list)
+fi
+
+if [ -z "${TESTS}" ]; then
+	echo "Nothing to do."
+	exit 0
+fi
+
+
+# clear from previous run
+rm -rf ${DESTDIR}/_*
+
+# set up a shadow config
+cat > ${DESTDIR}/_Kyuafile << EOF
+-- Automatically generated by bsd.test.mk.
+
+syntax(2)
+
+test_suite("FreeBSD")
+
+EOF
+
+for TEST in ${TESTS}; do
+	if [ -n "${DO_DEBUG}" ]; then
+		TEST=${TEST%%:*}
+	fi
+
+	if [ ! -f  ${TESTDIR}/${TEST}.sh ]; then
+		echo "Source file not found: ${TESTDIR}/${TEST}.sh" >&2
+		exit 1
+	fi
+
+	cat >> ${DESTDIR}/_Kyuafile << EOF
+atf_test_program{name="_${TEST}", is_exclusive=true}
+EOF
+
+	cat > ${DESTDIR}/_${TEST} << EOF
+#! /usr/libexec/atf-sh
+
+$(cat ${TESTDIR}/${TEST}.sh)
+EOF
+
+	chmod 555 ${DESTDIR}/_${TEST}
+done
+
+if [ -z "${DO_DEBUG}" ]; then
+	exec kyua test -k ${DESTDIR}/_Kyuafile
+else
+	for TEST in ${TESTS}; do
+		# only support first one
+		exec kyua debug -k ${DESTDIR}/_Kyuafile _${TEST}
+	done
+fi

From edae632a23c1c35c518539989373187bdd87c520 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Nov 2024 13:34:35 +0100
Subject: [PATCH 2199/3088] devel/debug: fix previous

---
 devel/debug/src/sbin/qyua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devel/debug/src/sbin/qyua b/devel/debug/src/sbin/qyua
index 6ed0ec9990..7596ecbbac 100755
--- a/devel/debug/src/sbin/qyua
+++ b/devel/debug/src/sbin/qyua
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2024 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are met:

From 530ca736f14db3eb16dc7ec962161801c3e93654 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 22 Nov 2024 08:56:45 +0100
Subject: [PATCH 2200/3088] devel/debug: some qyua improvements

Allow to run reference tests via -r, does not need /usr/src

Add a -b bootstrap mode which brings in /usr/tests
---
 devel/debug/src/sbin/qyua | 80 +++++++++++++++++++++++++++------------
 1 file changed, 55 insertions(+), 25 deletions(-)

diff --git a/devel/debug/src/sbin/qyua b/devel/debug/src/sbin/qyua
index 7596ecbbac..77f50354ff 100755
--- a/devel/debug/src/sbin/qyua
+++ b/devel/debug/src/sbin/qyua
@@ -23,6 +23,8 @@
 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 # POSSIBILITY OF SUCH DAMAGE.
 
+set -e
+
 COMPONENT=sys/netpfil/pf
 
 TESTDIR=/usr/src/tests/${COMPONENT}
@@ -34,20 +36,29 @@ if [ "$(id -u)" != "0" ]; then
 fi
 
 DO_ALL=
+DO_BOOTSTRAP=
 DO_DEBUG=
 DO_LIST=
+DO_INJECT=yes
 
-while getopts adlV OPT; do
+while getopts abdlrV OPT; do
 	case ${OPT} in
 	a)
 		DO_ALL="-a"
 		;;
+	b)
+		DO_BOOTSTRAP="-b"
+		;;
 	d)
 		DO_DEBUG="-d"
 		;;
 	l)
 		DO_LIST="-l"
 		;;
+	r)
+		# referenece testing via /usr/tests
+		unset DO_INJECT
+		;;
 	V)
 		DO_VERBOSE="-V"
 		;;
@@ -64,15 +75,14 @@ if [ -n "${DO_VERBOSE}" ]; then
 	set -x
 fi
 
-list()
-{
-	for TEST in $(find -s ${TESTDIR} -name "*.sh"); do
-		TEST=$(basename ${TEST})
-		echo ${TEST%.sh}
-	done
-}
+if [ -n "${DO_BOOTSTRAP}" ]; then
+	opnsense-update -Q
 
-if [ ! -d "${TESTDIR}" ]; then
+	# XXX needed for inject mode (default) but not sure if the best way
+	#opnsense-code src
+fi
+
+if [ -n "${DO_INJECT}" -a ! -d "${TESTDIR}" ]; then
 	echo "Source directory not found: ${TESTDIR}" >&2
 	exit 1
 fi
@@ -82,6 +92,23 @@ if [ ! -d "${DESTDIR}" ]; then
 	exit 1
 fi
 
+# clear from previous run
+rm -rf ${DESTDIR}/_*
+
+list()
+{
+	if [ -z "${DO_INJECT}" ]; then
+		cat ${DESTDIR}/Kyuafile | tr '"' ' ' | while read PRE NAME MORE; do
+			echo ${NAME}
+		done
+	else
+		for TEST in $(find -s ${TESTDIR} -name "*.sh"); do
+			TEST=$(basename ${TEST})
+			echo ${TEST%.sh}
+		done
+	fi
+}
+
 if [ -n "${DO_LIST}" ]; then
 	list
 	exit 0
@@ -98,9 +125,6 @@ if [ -z "${TESTS}" ]; then
 fi
 
 
-# clear from previous run
-rm -rf ${DESTDIR}/_*
-
 # set up a shadow config
 cat > ${DESTDIR}/_Kyuafile << EOF
 -- Automatically generated by bsd.test.mk.
@@ -111,34 +135,40 @@ test_suite("FreeBSD")
 
 EOF
 
+FINAL=
+
 for TEST in ${TESTS}; do
-	if [ -n "${DO_DEBUG}" ]; then
-		TEST=${TEST%%:*}
-	fi
+	if [ -n "${DO_INJECT}" ]; then
+		if [ -n "${DO_DEBUG}" ]; then
+			TEST=${TEST%%:*}
+		fi
 
-	if [ ! -f  ${TESTDIR}/${TEST}.sh ]; then
-		echo "Source file not found: ${TESTDIR}/${TEST}.sh" >&2
-		exit 1
-	fi
+		if [ ! -f  ${TESTDIR}/${TEST}.sh ]; then
+			echo "Source file not found: ${TESTDIR}/${TEST}.sh" >&2
+			exit 1
+		fi
 
-	cat >> ${DESTDIR}/_Kyuafile << EOF
+		cat >> ${DESTDIR}/_Kyuafile << EOF
 atf_test_program{name="_${TEST}", is_exclusive=true}
 EOF
 
-	cat > ${DESTDIR}/_${TEST} << EOF
+		cat > ${DESTDIR}/_${TEST} << EOF
 #! /usr/libexec/atf-sh
 
 $(cat ${TESTDIR}/${TEST}.sh)
 EOF
 
-	chmod 555 ${DESTDIR}/_${TEST}
+		chmod 555 ${DESTDIR}/_${TEST}
+	fi
+
+	FINAL="${FINAL} ${DO_INJECT+_}${TEST}"
 done
 
 if [ -z "${DO_DEBUG}" ]; then
-	exec kyua test -k ${DESTDIR}/_Kyuafile
+	exec kyua test -k ${DESTDIR}/${DO_INJECT+_}Kyuafile ${FINAL}
 else
-	for TEST in ${TESTS}; do
+	for TEST in ${FINAL}; do
 		# only support first one
-		exec kyua debug -k ${DESTDIR}/_Kyuafile _${TEST}
+		exec kyua debug -k ${DESTDIR}/${DO_INJECT+_}Kyuafile ${TEST}
 	done
 fi

From 321beb0f0ad1cd26ae0f529aa4cd2ab3ea9a788a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 22 Nov 2024 10:33:49 +0100
Subject: [PATCH 2201/3088] Framework: add manual page support

---
 Mk/plugins.mk | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 172c7b40d4..90c89fad63 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -231,6 +231,11 @@ install: check
 			mv "${DESTDIR}${LOCALBASE}/$${FILE}" \
 			    "${DESTDIR}${LOCALBASE}/$${FILE%%.shadow}.sample"; \
 		fi; \
+		if [ "$${FILE%%/*}" == "man" ]; then \
+			gzip -cn "${DESTDIR}${LOCALBASE}/$${FILE}" > \
+			    "${DESTDIR}${LOCALBASE}/$${FILE}.gz"; \
+			rm "${DESTDIR}${LOCALBASE}/$${FILE}"; \
+		fi; \
 	done
 	@cat ${TEMPLATESDIR}/version | sed ${SED_REPLACE} > "${DESTDIR}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
 
@@ -244,6 +249,9 @@ plist: check
 			FILE="$${FILE%%.shadow}.sample"; \
 			PREFIX="@shadow "; \
 		fi; \
+		if [ "$${FILE%%/*}" == "man" ]; then \
+			FILE="$${FILE}.gz"; \
+		fi; \
 		echo "$${PREFIX}${LOCALBASE}/$${FILE}"; \
 	done
 	@echo "${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"

From 8cd1be1adbf33c4d04d4b77406c0b84f1de0a42e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 22 Nov 2024 11:02:18 +0100
Subject: [PATCH 2202/3088] devel/debug: wrap this up with a neat manual page

---
 devel/debug/Makefile               |  2 +-
 devel/debug/src/{sbin => bin}/qyua |  1 +
 devel/debug/src/man/man1/qyua.1    | 99 ++++++++++++++++++++++++++++++
 3 files changed, 101 insertions(+), 1 deletion(-)
 rename devel/debug/src/{sbin => bin}/qyua (98%)
 create mode 100644 devel/debug/src/man/man1/qyua.1

diff --git a/devel/debug/Makefile b/devel/debug/Makefile
index 08952f7696..e60a1f1f5d 100644
--- a/devel/debug/Makefile
+++ b/devel/debug/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		debug
-PLUGIN_VERSION=		1.7.d
+PLUGIN_VERSION=		1.7
 PLUGIN_COMMENT=		Debugging Tools
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-pear-PHP_CodeSniffer \
 			php${PLUGIN_PHP}-pecl-xdebug \
diff --git a/devel/debug/src/sbin/qyua b/devel/debug/src/bin/qyua
similarity index 98%
rename from devel/debug/src/sbin/qyua
rename to devel/debug/src/bin/qyua
index 77f50354ff..70da97da23 100755
--- a/devel/debug/src/sbin/qyua
+++ b/devel/debug/src/bin/qyua
@@ -124,6 +124,7 @@ if [ -z "${TESTS}" ]; then
 	exit 0
 fi
 
+# XXX kldload required things now as kyua is powerless (but complains)
 
 # set up a shadow config
 cat > ${DESTDIR}/_Kyuafile << EOF
diff --git a/devel/debug/src/man/man1/qyua.1 b/devel/debug/src/man/man1/qyua.1
new file mode 100644
index 0000000000..79c8641682
--- /dev/null
+++ b/devel/debug/src/man/man1/qyua.1
@@ -0,0 +1,99 @@
+.\"
+.\" Copyright (c) 2024 Franco Fichtner <franco@opnsense.org>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd November 22, 2024
+.Dt QYUA 1
+.Os
+.Sh NAME
+.Nm qyua
+.Nd Quick kyua wrapper
+.Sh SYNOPSIS
+.Nm
+.Op Fl abdlrV
+.Op Ar test ...
+.Sh DESCRIPTION
+The
+.Nm
+utility is a thin wrapper around
+.Xr kyua 1
+in order to run test cases directly from the source tree at
+.Pa /usr/src .
+In order to do this,
+the
+.Pa /usr/tests
+directory is required,
+which is provided by the
+.Li tests
+set of
+.Xr opnsense-update 8 .
+The source tree can be installed using
+.Xr opnsense-code 8 .
+Internally,
+.Xr kyua-test 1
+is used to run the given tests.
+.Pp
+Please note that
+.Nm
+is only concerned with a single test component, namely
+.Pa sys/netpfil/pf .
+The focus is the ability to assist with writing tests where
+they are being committed/published in the first place without
+the need to compile/install anything.
+.Pp
+The options are as follows:
+.Bl -tag -width ".Fl a" -offset indent
+.It Fl a
+Select all available tests to run.
+.It Fl b
+Bootstrap mode installs the matching tests set.
+.It Fl d
+In debug mode, a single test case is selected from the specified
+test file using
+.Sq Ar file:name .
+Internally, this invokes
+.Xr kyua-debug 1 
+instead.
+.It Fl l
+List all the tests that can be run.
+.It Fl r
+In reference mode, run the tests available in
+.Pa /usr/tests .
+This works without
+.Pa /usr/src
+being available, but is not the default mode.
+.It Fl V
+Set debug mode for shell script output.
+.El
+.Sh EXIT STATUS
+.Ex -std
+.Sh SEE ALSO
+.Xr kyua 1 ,
+.Xr kyua-debug 1 ,
+.Xr kyua-test 1 ,
+.Xr opnsense-code 8 ,
+.Xr opnsense-update 8
+.Sh AUTHORS
+.An Franco Fichtner Aq Mt franco@opnsense.org

From bff03eabf20d252198e2641fa0be2f0549c65bf5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 27 Nov 2024 07:36:27 +0100
Subject: [PATCH 2203/3088] devel/debug: small issue on -d mode

---
 devel/debug/src/bin/qyua | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/devel/debug/src/bin/qyua b/devel/debug/src/bin/qyua
index 70da97da23..b4bfc63a0d 100755
--- a/devel/debug/src/bin/qyua
+++ b/devel/debug/src/bin/qyua
@@ -140,7 +140,10 @@ FINAL=
 
 for TEST in ${TESTS}; do
 	if [ -n "${DO_INJECT}" ]; then
+		CASE=
+
 		if [ -n "${DO_DEBUG}" ]; then
+			CASE=:${TEST##*:}
 			TEST=${TEST%%:*}
 		fi
 
@@ -162,7 +165,7 @@ EOF
 		chmod 555 ${DESTDIR}/_${TEST}
 	fi
 
-	FINAL="${FINAL} ${DO_INJECT+_}${TEST}"
+	FINAL="${FINAL} ${DO_INJECT+_}${TEST}${CASE}"
 done
 
 if [ -z "${DO_DEBUG}" ]; then

From 726a450d9e216da7f793d20636997a2abd8dfbed Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 27 Nov 2024 07:44:22 +0100
Subject: [PATCH 2204/3088] devel/debug: another minor issue with test case
 handling

---
 devel/debug/src/bin/qyua | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/devel/debug/src/bin/qyua b/devel/debug/src/bin/qyua
index b4bfc63a0d..5b3426878a 100755
--- a/devel/debug/src/bin/qyua
+++ b/devel/debug/src/bin/qyua
@@ -143,6 +143,11 @@ for TEST in ${TESTS}; do
 		CASE=
 
 		if [ -n "${DO_DEBUG}" ]; then
+			if [ -n "${TEST%%*:*}" ]; then
+				echo "No test case given in debug mode, use '${TEST}:case'" >&2
+				exit 1
+			fi
+
 			CASE=:${TEST##*:}
 			TEST=${TEST%%:*}
 		fi

From 421708e175f044d2a11c87b19efa2d0ce3e12973 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 28 Nov 2024 08:25:20 +0100
Subject: [PATCH 2205/3088] devel/debug: whitespace

---
 devel/debug/src/man/man1/qyua.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devel/debug/src/man/man1/qyua.1 b/devel/debug/src/man/man1/qyua.1
index 79c8641682..ad9a6e3897 100644
--- a/devel/debug/src/man/man1/qyua.1
+++ b/devel/debug/src/man/man1/qyua.1
@@ -74,7 +74,7 @@ In debug mode, a single test case is selected from the specified
 test file using
 .Sq Ar file:name .
 Internally, this invokes
-.Xr kyua-debug 1 
+.Xr kyua-debug 1
 instead.
 .It Fl l
 List all the tests that can be run.

From 5925be8c3333a605bf6c392b5187be1ef9a9e56c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 29 Nov 2024 10:45:45 +0100
Subject: [PATCH 2206/3088] www/caddy: Refactor certificate extraction to Trust
 model (#4365)

* www/caddy: Refactor certificate extraction script to use model

* www/caddy: caddy_certs remove namespace, use load_phalcon, use getCaChain to get full chain
---
 .../scripts/OPNsense/Caddy/caddy_certs.php    | 115 +++++++++++-------
 1 file changed, 68 insertions(+), 47 deletions(-)

diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index a8e6c36cf1..67618d75aa 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -27,61 +27,82 @@
  *    POSSIBILITY OF SUCH DAMAGE.
  */
 
-require_once "config.inc";
-
-use OPNsense\Core\Config;
-
-$configObj = Config::getInstance()->object();
-$temp_dir = '/var/db/caddy/data/caddy/certificates/temp/';
-
-// Traverse through certificates
-foreach ($configObj->cert as $cert) {
-    $cert_refid = (string)$cert->refid;
-    $cert_content = base64_decode((string)$cert->crt);
-    $key_content = base64_decode((string)$cert->prv);
-    $cert_chain = $cert_content;
-
-    // Handle CA and possible intermediate CA to create a certificate bundle
-    if (!empty($cert->caref)) {
-        foreach ($configObj->ca as $ca) {
-            if ((string)$cert->caref === (string)$ca->refid) {
-                $ca_content = base64_decode((string)$ca->crt);
-                $cert_chain .= "\n" . $ca_content;
-
-                if (!empty($ca->caref)) {
-                    foreach ($configObj->ca as $parent_ca) {
-                        if ((string)$ca->caref === (string)$parent_ca->refid) {
-                            $parent_ca_content = base64_decode((string)$parent_ca->crt);
-                            $cert_chain .= "\n" . $parent_ca_content;
-                            break;
-                        }
-                    }
-                }
+require_once('script/load_phalcon.php');
+
+use OPNsense\Caddy\Caddy;
+use OPNsense\Trust\Ca;
+use OPNsense\Trust\Cert;
+use OPNsense\Trust\Store as CertStore;
+
+$writeFileIfChanged = function ($filePath, $content) {
+    if (
+        !file_exists($filePath) ||
+        hash('sha256', $content) !== hash_file('sha256', $filePath)
+    ) {
+        file_put_contents($filePath, $content);
+    }
+};
+
+$tempDir = '/var/db/caddy/data/caddy/certificates/temp/';
+
+// leaf certificate chain
+$certificateRefs = [];
+
+foreach ((new Caddy())->reverseproxy->reverse->iterateItems() as $reverseItem) {
+    $certRef = (string)$reverseItem->CustomCertificate;
+    if (!empty($certRef)) {
+        $certificateRefs[] = $certRef;
+    }
+}
+
+$certificateRefs = array_unique($certificateRefs);
+
+foreach ((new Cert())->cert->iterateItems() as $cert) {
+    $refid = (string)$cert->refid;
+
+    if (in_array($refid, $certificateRefs, true)) {
+        $certChain = base64_decode((string)$cert->crt);
+        $certKey = base64_decode((string)$cert->prv);
+
+        if (!empty((string)$cert->caref)) {
+            $ca = CertStore::getCaChain((string)$cert->caref);
+            if ($ca) {
+                $certChain .= "\n" . $ca;
             }
         }
-    }
 
-    // Save the certificate chain and private key
-    file_put_contents($temp_dir . $cert_refid . '.pem', $cert_chain);
-    file_put_contents($temp_dir . $cert_refid . '.key', $key_content);
+        $writeFileIfChanged($tempDir . $refid . '.pem', $certChain);
+        $writeFileIfChanged($tempDir . $refid . '.key', $certKey);
+    }
 }
 
-// Traverse through CA certificates and save them
-foreach ($configObj->ca as $ca) {
-    $ca_refid = (string)$ca->refid;
-    $ca_content = base64_decode((string)$ca->crt);
+// ca certificate
+$caCertRefs = [];
+
+foreach ((new Caddy())->reverseproxy->handle->iterateItems() as $handleItem) {
+    $caCertField = (string)$handleItem->HttpTlsTrustedCaCerts;
 
-    // Save the CA certificate
-    file_put_contents($temp_dir . $ca_refid . '.pem', $ca_content);
+    if (!empty($caCertField)) {
+        $caCertRefs[] = $caCertField;
+    }
 }
 
-// Traverse through layer4 OpenVPN static keys and save them as files
-if (isset($configObj->Pischem->caddy->reverseproxy->layer4openvpn)) {
-    foreach ($configObj->Pischem->caddy->reverseproxy->layer4openvpn as $openvpn) {
-        $uuid = (string) $openvpn['uuid'];
-        $static_key = (string) $openvpn->StaticKey;
+$caCertRefs = array_unique($caCertRefs);
+
+foreach ((new Ca())->ca->iterateItems() as $caItem) {
+    $refid = (string)$caItem->refid;
+
+    if (in_array($refid, $caCertRefs, true)) {
+        $caCert = base64_decode((string)$caItem->crt);
 
-        // Save the static key
-        file_put_contents($temp_dir . $uuid . '.key', $static_key);
+        $writeFileIfChanged($tempDir . $refid . '.pem', $caCert);
     }
 }
+
+// openvpn static keys
+foreach ((new Caddy())->reverseproxy->layer4openvpn->iterateItems() as $openvpnItem) {
+    $writeFileIfChanged(
+        $tempDir . (string)$openvpnItem->getAttributes()['uuid'] . '.key',
+        (string)$openvpnItem->StaticKey
+    );
+}

From ec4b328027e6e87ebab618834073fcd8f9b7bf06 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 29 Nov 2024 17:31:30 +0100
Subject: [PATCH 2207/3088] www/caddy: Add h2c protocol to handler (#4369)

* www/caddy: Add h2c protocol to handler

* www/caddy: Hide tls options when http or h2c is selected

* www/caddy: elif is better, reduce diff

* www/caddy: Add comments for clarity
---
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  1 +
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  4 +-
 .../templates/OPNsense/Caddy/Caddyfile        | 58 +++++++++----------
 3 files changed, 33 insertions(+), 30 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index f1ef8c65d7..04897e2f84 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -356,6 +356,7 @@
                     <OptionValues>
                         <http value="0">http://</http>
                         <https value="1">https://</https>
+                        <h2c value="2">h2c://</h2c>
                     </OptionValues>
                     <Constraints>
                         <check001>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index e98e921a0b..2840c9b83c 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -248,8 +248,9 @@
             }
         });
 
+        // Hide TLS specific options when http or h2c is selected
         $("#handle\\.HttpTls").change(function() {
-            if ($(this).val() === "0") {
+            if ($(this).val() != "1") {
                 $(".style_tls").closest('tr').hide();
             } else {
                 $(".style_tls").closest('tr').show();
@@ -266,6 +267,7 @@
             }
         });
 
+        // Hide TLS specific options when http is selected
         $("#reverse\\.DisableTls").change(function() {
             if ($(this).val() === "1") {
                 $(".style_tls").closest('tr').hide();
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index c25a36e048..ba29d7e26a 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -399,18 +399,28 @@ http://{{ domain }} {
         {% if handle.HandleDirective == "reverse_proxy" and handle.ToPath|default("") != "" %}
             rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
+        {# http:// is the empty default #}
+        {% set protocol = 'https://' if handle.HttpTls == "1" else 'h2c://' if handle.HttpTls == "2" else '' -%}
+        {% set formatted_domains = [] -%}
+        {% for domain in handle.ToDomain.split(',') -%}
+            {% set is_ipv6 = (':' in domain and domain.count(':') >= 2) -%}
+            {% set formatted_domain =
+                ( '[' ~ domain ~ ']' if is_ipv6 else domain ) ~
+                ( ':' ~ handle.ToPort if handle.ToPort else '' ) -%}
+            {% set _ = formatted_domains.append(protocol ~ formatted_domain) -%}
+        {% endfor -%}
         {% if handle.HandleDirective == "reverse_proxy" %}
-        {{ handle.HandleDirective }} {% for domain in handle.ToDomain.split(',') %}
-            {# Check if the domain is IPv6 and wrap in square brackets if necessary #}
-            {% set is_ipv6 = (':' in domain and domain.count(':') >= 2) %}
-            {# For each domain/IP, append the port if it's specified, followed by a space #}
-            {{- '[' if is_ipv6 else '' -}}{{ domain }}{{ ']' if is_ipv6 else '' -}}{% if handle.ToPort %}:{{ handle.ToPort }}{% endif %}{% if not loop.last %} {% endif %}
-        {% endfor %} {
+        {{ handle.HandleDirective }} {{ formatted_domains | join(' ') }} {
             {{ header_manipulation(handle) }}
             {% if handle.PassiveHealthFailDuration|default("") %}
                 fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}
-            {% set has_transport_options = handle.HttpVersion or handle.HttpKeepalive or handle.HttpTls|default("0") == "1" or handle.HttpTlsInsecureSkipVerify|default("0") == "1" or handle.HttpTlsTrustedCaCerts or handle.HttpTlsServerName %}
+            {% set has_transport_options =
+                handle.HttpVersion or
+                handle.HttpKeepalive or
+                handle.HttpTlsInsecureSkipVerify|default("0") == "1" or
+                handle.HttpTlsTrustedCaCerts or
+                handle.HttpTlsServerName -%}
             {% if has_transport_options %}
                 {% if handle.HttpNtlm|default("0") == "1" %}
                 transport http_ntlm {
@@ -428,32 +438,22 @@ http://{{ domain }} {
                             keepalive {{ handle.HttpKeepalive }}s
                         {% endif %}
                     {% endif %}
-                    {% if handle.HttpTls|default("0") == "1" %}
-                        tls
-                    {% endif %}
-                    {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
-                        tls_insecure_skip_verify
-                    {% endif %}
-                    {% if handle.HttpTlsTrustedCaCerts %}
-                        tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
-                    {% endif %}
-                    {% if handle.HttpTlsServerName %}
-                        tls_server_name {{ handle.HttpTlsServerName }}
+                    {% if handle.HttpTls == "1" %}
+                        {% if handle.HttpTlsInsecureSkipVerify|default("0") == "1" %}
+                            tls_insecure_skip_verify
+                        {% endif %}
+                        {% if handle.HttpTlsTrustedCaCerts %}
+                            tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                        {% endif %}
+                        {% if handle.HttpTlsServerName %}
+                            tls_server_name {{ handle.HttpTlsServerName }}
+                        {% endif %}
                     {% endif %}
                 }
             {% endif %}
         }
-        {% else %}
-            {% set protocol = 'https://' if handle.HttpTls == "1" else 'http://' %}
-            {% set domain = handle.ToDomain.split(',')[0] %}
-            {% set is_ipv6 = (':' in domain and domain.count(':') >= 2) %}
-            {% set formatted_domain = ('[' ~ domain ~ ']') if is_ipv6 else domain %}
-            {% if handle.ToPort %}
-                {% set domain_with_port = formatted_domain ~ ':' ~ handle.ToPort %}
-            {% else %}
-                {% set domain_with_port = formatted_domain %}
-            {% endif %}
-            {{ handle.HandleDirective }} {{ protocol }}{{ domain_with_port }}{{ handle.ToPath|default("{uri}") }}
+        {% elif handle.HandleDirective == "redir" %}
+            {{ handle.HandleDirective }} {{ formatted_domains[0] }}{{ handle.ToPath|default("{uri}") }}
         {% endif %}
     }
 {% endmacro %}

From 088ab968c76a83d43ee8b7cf7b0e6e506d6e1229 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 29 Nov 2024 17:49:44 +0100
Subject: [PATCH 2208/3088] www/caddy: Add TLS termination to Layer4 Proxy
 (#4364)

* www/caddy: Add TLS termination to Layer4 Proxy

* www/caddy: Unhide important options from advanced and change position of new TerminateTls

* www/caddy: default in template is better, reduce diff

* www/caddy: Add changelog

* www/caddy: Improve UX of layer4 dialog, since it is unclear what happens when routing type is not exposed

* www/caddy: Make style
---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  6 ++++++
 .../OPNsense/Caddy/forms/dialogLayer4.xml     | 20 +++++++++----------
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 17 +++++++++++++++-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  1 +
 .../mvc/app/views/OPNsense/Caddy/layer4.volt  | 11 +++++++---
 .../templates/OPNsense/Caddy/includeLayer4    |  3 +++
 7 files changed, 45 insertions(+), 15 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index bd346b669e..26bed4d6a1 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.7.4
+PLUGIN_VERSION=		1.7.5
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 42a8d507d6..4f4a41636d 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,12 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.7.5
+
+* Add: Layer4 TLS Termination
+* Add: h2c protocol to HTTP Handler
+* Cleanup: Refactor caddy_certs.php to Trust model
+
 1.7.4
 
 * Add: Layer4 OpenVPN matcher with mode, digest and static key support
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 1679b056fe..a3ebb43f95 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -19,34 +19,27 @@
     </field>
     <field>
         <type>header</type>
-        <label>Type</label>
-        <advanced>true</advanced>
+        <label>Layer 4</label>
     </field>
     <field>
         <id>layer4.Type</id>
         <label>Routing Type</label>
         <type>dropdown</type>
         <help><![CDATA[Choose either "listener_wrappers" for multiplexing protocols on the default HTTP and HTTPS ports on OSI Layer 7, or "global" for raw TCP/UDP traffic routing on a custom "Local port" on OSI Layer 4 with optional OSI Layer 7 protocol matching.]]></help>
-        <advanced>true</advanced>
-    </field>
-    <field>
-        <type>header</type>
-        <label>Layer 4</label>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>layer4.Protocol</id>
         <label>Protocol</label>
         <type>dropdown</type>
+        <style>style_type</style>
         <help><![CDATA[Match the received traffic on OSI Layer 4, either TCP or UDP. When "Routing Type" is "listener_wrappers", currently only TCP will match.]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>layer4.FromPort</id>
         <label>Local Port</label>
         <type>text</type>
+        <style>style_type</style>
         <help><![CDATA[Choose a custom local port to listen on.]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <type>header</type>
@@ -89,6 +82,13 @@
         <help><![CDATA[Invert the sense of the matcher. E.g., if the protocol is TLS, inverting will match all traffic that is not TLS. When domains have been chosen, these will be equally inverted.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>layer4.TerminateTls</id>
+        <label>Terminate TLS</label>
+        <type>checkbox</type>
+        <style>style_matchers matchers_domain</style>
+        <help><![CDATA[Terminate TLS before routing to the upstream. Since this requires a certificate, ensure there is a domain configured in "Reverse Proxy" that matches the SNI of "Domain". The best matching SAN or wildcard certificate will be used automatically for this route.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Upstream</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 066574cbf5..2be38c8bb6 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -180,7 +180,10 @@ private function checkLayer4Matchers($messages)
         foreach ($this->reverseproxy->layer4->iterateItems() as $item) {
             if ($item->isFieldChanged()) {
                 $key = $item->__reference;
-                if (in_array((string)$item->Matchers, ['httphost', 'tlssni', 'quicsni']) && empty((string)$item->FromDomain)) {
+                if (
+                    in_array((string)$item->Matchers, ['httphost', 'tlssni', 'quicsni']) &&
+                    empty((string)$item->FromDomain)
+                ) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
@@ -208,6 +211,18 @@ private function checkLayer4Matchers($messages)
                     ));
                 }
 
+                if (!in_array((string)$item->Matchers, ['tlssni', 'quicsni']) && !empty((string)$item->TerminateTls)) {
+                    $messages->appendMessage(new Message(
+                        sprintf(
+                            gettext(
+                                'When "%s" matcher is selected, TLS can not be terminated.'
+                            ),
+                            $item->Matchers
+                        ),
+                        $key . ".TerminateTls"
+                    ));
+                }
+
                 if ((string)$item->Matchers !== 'openvpn' && !empty((string)$item->FromOpenvpnModes)) {
                     $messages->appendMessage(new Message(
                         sprintf(
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 04897e2f84..dc0f8de5e5 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -544,6 +544,7 @@
                     <AsList>Y</AsList>
                     <ValidationMessage>Please enter one or multiple valid IP addresses, hostnames or FQDNs.</ValidationMessage>
                 </ToDomain>
+                <TerminateTls type="BooleanField"/>
                 <ToPort type="PortField">
                     <Required>Y</Required>
                 </ToPort>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
index b762112926..7e41ee4172 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
@@ -95,9 +95,6 @@
             }
         });
 
-        // Hide all elements with style_matchers initially
-        $(".style_matchers").closest('tr').hide();
-
         $("#layer4\\.Matchers").change(function() {
             $(".style_matchers").closest('tr').hide();
             const selectedVal = $(this).val();
@@ -109,6 +106,14 @@
             }
         });
 
+        $("#layer4\\.Type").change(function() {
+            if ($(this).val() === "global") {
+                $(".style_type").closest('tr').show();
+            } else {
+                $(".style_type").closest('tr').hide();
+            }
+        });
+
         updateServiceControlUI('caddy');
     });
 </script>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index c6058ccd70..0029c1ba62 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -23,6 +23,9 @@
 {% set layer4_configs = unsorted_layer4_configs | sort(attribute='Sequence') %}
 
 {% macro define_proxy(layer4, to_domains, to_port, fail_duration, proxy_protocol) %}
+    {% if layer4.TerminateTls|default("0") == "1" %}
+    tls
+    {% endif %}
     proxy {% for domain in to_domains.split(',') %}
         {% set is_ipv6 = (':' in domain) %}
         {{ layer4.Protocol }}/{{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ to_port }}{% if not loop.last %} {% endif %}

From 60b0bfea878473978c0d9ed4c5b10e9cd645dc13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20W=2E=20Baul=C3=A9?= <alexwbaule@gmail.com>
Date: Sun, 1 Dec 2024 05:46:03 -0300
Subject: [PATCH 2209/3088] Fix in ping telegraf plugin, the "count" to be a
 "arguments". (#4359)

its the correct way to configure ping to use the "binary" file.
(the "count" is a parameter passed to the ping binary).
---
 .../service/templates/OPNsense/Telegraf/telegraf.conf       | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index fd5012ae54..f0a9c93114 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -318,19 +318,19 @@
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping_hosts.split(','))) + "'" }}]
 {%   endif %}
 {%   if helpers.exists('OPNsense.telegraf.input.ping_count') and OPNsense.telegraf.input.ping_count != '' %}
-  count = {{ OPNsense.telegraf.input.ping_count }}
+  arguments = ["-4", "-c", "{{ OPNsense.telegraf.input.ping_count }}"]
 {%   endif %}
 {% endif %}
 
 {% if helpers.exists('OPNsense.telegraf.input.ping6') and OPNsense.telegraf.input.ping6 == '1' %}
 [[inputs.ping]]
   method = "exec"
-  binary = "ping6"
+  binary = "ping"
 {%   if helpers.exists('OPNsense.telegraf.input.ping6_hosts') and OPNsense.telegraf.input.ping6_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping6_hosts.split(','))) + "'" }}]
 {%   endif %}
 {%   if helpers.exists('OPNsense.telegraf.input.ping6_count') and OPNsense.telegraf.input.ping6_count != '' %}
-  count = {{ OPNsense.telegraf.input.ping6_count }}
+  arguments = ["-6", "-c", "{{ OPNsense.telegraf.input.ping6_count }}"]
 {%   endif %}
 {% endif %}
 

From 76bb1b96c38d3b09c3b849ec8d7a9db8ee89499f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 1 Dec 2024 09:47:17 +0100
Subject: [PATCH 2210/3088] net-mgmt/telegraf: make sure the defaults are
 explicit

exec/binary are set for IPv6 now, do the same for IPv4
although for now this appears to be the default in telegraf:

https://github.com/influxdata/telegraf/blob/master/plugins/inputs/ping/README.md#ping-input-plugin
---
 .../opnsense/service/templates/OPNsense/Telegraf/telegraf.conf   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index f0a9c93114..a4db82bf8e 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -314,6 +314,7 @@
 {% if helpers.exists('OPNsense.telegraf.input.ping') and OPNsense.telegraf.input.ping == '1' %}
 [[inputs.ping]]
   method = "exec"
+  binary = "ping"
 {%   if helpers.exists('OPNsense.telegraf.input.ping_hosts') and OPNsense.telegraf.input.ping_hosts != '' %}
   urls = [{{ "'" + ("','".join(OPNsense.telegraf.input.ping_hosts.split(','))) + "'" }}]
 {%   endif %}

From 3913456755410861c968880995a240d7b289c8c8 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 2 Dec 2024 14:40:35 +0100
Subject: [PATCH 2211/3088] www/caddy: widgets, hide unused certs, improve
 error handling (#4372)

* www/caddy: CaddyCertificate widget, compare certs on disk with configured hostnames and only display relevant ones

* www/caddy: Caddy Domain widget improve error handling
---
 www/caddy/pkg-descr                           |  2 +
 .../www/js/widgets/CaddyCertificate.js        | 67 ++++++++++---------
 .../opnsense/www/js/widgets/CaddyDomain.js    | 28 +++++---
 .../www/js/widgets/Metadata/Caddy.xml         |  1 +
 4 files changed, 58 insertions(+), 40 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 4f4a41636d..378f12b86d 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -17,6 +17,8 @@ Plugin Changelog
 
 * Add: Layer4 TLS Termination
 * Add: h2c protocol to HTTP Handler
+* Cleanup: Caddy Certificate widget hides unused automatic certificates
+* Cleanup: Widgets error handling improved
 * Cleanup: Refactor caddy_certs.php to Trust model
 
 1.7.4
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
index ccdf65868a..7a3834294b 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -38,8 +38,8 @@ export default class CaddyCertificate extends BaseTableWidget {
     }
 
     getMarkup() {
-        let $container = $('<div></div>');
-        let $caddyCertificateTable = this.createTable('caddyCertificateTable', {
+        const $container = $('<div></div>');
+        const $caddyCertificateTable = this.createTable('caddyCertificateTable', {
             headerPosition: 'none'
         });
 
@@ -48,49 +48,54 @@ export default class CaddyCertificate extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        // Check if Caddy is enabled
-        const caddyStatus = await this.ajaxCall('/api/caddy/reverse_proxy/get');
-        if (!caddyStatus.caddy.general || caddyStatus.caddy.general.enabled === "0") {
+        const proxyData = await this.ajaxCall('/api/caddy/reverse_proxy/get');
+        if (!proxyData.caddy.general || proxyData.caddy.general.enabled === "0") {
             this.displayError(`${this.translations.unconfigured}`);
             return;
         }
 
-        // Fetch the certificate details
-        const response = await this.ajaxCall('/api/caddy/diagnostics/certificate');
-        if (response.status !== "success") {
+        const domains = Object.values(proxyData.caddy.reverseproxy?.reverse || [])
+            .map(proxy => proxy.FromDomain)
+            .filter(Boolean);
+
+        const certificates = (await this.ajaxCall('/api/caddy/diagnostics/certificate')).content || [];
+
+        // Display certificate if hostname in config and CN of stored cert on disk match
+        const matchingCertificates = certificates.filter(cert => domains.includes(cert.hostname));
+
+        if (matchingCertificates.length === 0) {
             this.displayError(`${this.translations.nocerts}`);
             return;
         }
 
-        // Process certificates if the response is successful
-        this.processCertificates(response.content);
+        this.clearError();
+        this.processCertificates(matchingCertificates);
     }
 
-    // Utility function to display errors within the widget
     displayError(message) {
         const $error = $(`<div class="error-message"><a href="/ui/caddy/general">${message}</a></div>`);
         $('#caddyCertificateTable').empty().append($error);
     }
 
-    processCertificates(certificates) {
-        if (!this.dataChanged('certificates', certificates)) {
-            return;
-        }
+    clearError() {
+        $('#caddyCertificateTable .error-message').remove();
+    }
 
+    processCertificates(certificates) {
         $('.caddy-certificate-tooltip').tooltip('hide');
 
-        let rows = certificates.map(certificate => {
-            let colorClass = 'text-success';
-            if (certificate.remaining_days === 0) {
-                colorClass = 'text-danger';
-            } else if (certificate.remaining_days < 14) {
-                colorClass = 'text-warning';
-            }
+        const rows = certificates.map(certificate => {
+            const colorClass = certificate.remaining_days === 0
+                ? 'text-danger'
+                : certificate.remaining_days < 14
+                ? 'text-warning'
+                : 'text-success';
 
-            let statusText = certificate.remaining_days === 0 ? this.translations.expired :
-                             this.translations.valid;
+            const statusText = certificate.remaining_days === 0
+                ? this.translations.expired
+                : this.translations.valid;
 
-            let row = `
+            const row = `
                 <div>
                     <i class="fa fa-lock ${colorClass} caddy-certificate-tooltip" style="cursor: pointer;"
                         data-tooltip="caddy-certificate-${certificate.hostname}" title="${statusText}">
@@ -98,19 +103,19 @@ export default class CaddyCertificate extends BaseTableWidget {
                     &nbsp;
                     <span><b>${certificate.hostname}</b></span>
                     <br/>
-                    <div style="margin-top: 5px; margin-bottom: 5px;"><i>${this.translations.expires}</i> ${certificate.remaining_days} ${this.translations.days}, ${new Date(certificate.expiration_date).toLocaleString()}</div>
+                    <div style="margin-top: 5px; margin-bottom: 5px;">
+                        <i>${this.translations.expires}</i> ${certificate.remaining_days} ${this.translations.days},
+                        ${new Date(certificate.expiration_date).toLocaleString()}
+                    </div>
                 </div>`;
             return { html: row, expirationDate: new Date(certificate.expiration_date) };
         });
 
-        // Sort rows by expiration date from lowest to highest
         rows.sort((a, b) => a.expirationDate - b.expirationDate);
 
-        // Extract sorted HTML rows and update table
-        let sortedRows = rows.map(row => [row.html]);
+        const sortedRows = rows.map(row => [row.html]);
         super.updateTable('caddyCertificateTable', sortedRows);
 
-        // Initialize tooltips for new elements
-        $('.caddy-certificate-tooltip').tooltip({container: 'body'});
+        $('.caddy-certificate-tooltip').tooltip({ container: 'body' });
     }
 }
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
index c544cfe6f8..ecfbf0f242 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -37,8 +37,8 @@ export default class CaddyDomain extends BaseTableWidget {
     }
 
     getMarkup() {
-        let $container = $('<div></div>');
-        let $caddyDomainTable = this.createTable('caddyDomainTable', {
+        const $container = $('<div></div>');
+        const $caddyDomainTable = this.createTable('caddyDomainTable', {
             headerPosition: 'none'
         });
 
@@ -55,7 +55,14 @@ export default class CaddyDomain extends BaseTableWidget {
         }
 
         // Process domains if caddy is enabled
-        let domains = { ...data.caddy.reverseproxy.reverse, ...data.caddy.reverseproxy.subdomain };
+        const domains = { ...data.caddy.reverseproxy.reverse, ...data.caddy.reverseproxy.subdomain };
+
+        if (Object.keys(domains).length === 0) {
+            this.displayError(`${this.translations.nodomains}`);
+            return;
+        }
+
+        this.clearError();
         this.processDomains(domains);
     }
 
@@ -65,6 +72,10 @@ export default class CaddyDomain extends BaseTableWidget {
         $('#caddyDomainTable').empty().append($error);
     }
 
+    clearError() {
+        $('#caddyDomainTable .error-message').remove();
+    }
+
     processDomains(domains) {
         if (!this.dataChanged('domains', domains)) {
             return;
@@ -72,19 +83,18 @@ export default class CaddyDomain extends BaseTableWidget {
 
         $('.caddy-domain-tooltip').tooltip('hide');
 
-        let rows = [];
-        // Assuming domains is a combination of both reverse and subdomains
+        const rows = [];
         for (const key in domains) {
             const domain = domains[key];
-            let colorClass = domain.enabled === "1" ? 'text-success' : 'text-danger';
-            let tooltipText = domain.enabled === "1" ? this.translations.enabled : this.translations.disabled;
+            const colorClass = domain.enabled === "1" ? 'text-success' : 'text-danger';
+            const tooltipText = domain.enabled === "1" ? this.translations.enabled : this.translations.disabled;
             let domainPort = domain.FromDomain;
 
             if (domain.FromPort) {
                 domainPort += `:${domain.FromPort}`;
             }
 
-            let row = $(`
+            const row = $(`
                 <div class="caddy-info">
                     <div class="caddy-enabled">
                         <i class="fa fa-globe ${colorClass} caddy-domain-tooltip" style="cursor: pointer;"
@@ -108,6 +118,6 @@ export default class CaddyDomain extends BaseTableWidget {
         super.updateTable('caddyDomainTable', rows.map(row => [row.html]));
 
         // Initialize tooltips for interactivity
-        $('.caddy-domain-tooltip').tooltip({container: 'body'});
+        $('.caddy-domain-tooltip').tooltip({ container: 'body' });
     }
 }
diff --git a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
index ac818fd2a0..c423f6163d 100644
--- a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
+++ b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
@@ -10,6 +10,7 @@
             <enabled>Enabled</enabled>
             <disabled>Disabled</disabled>
             <unconfigured>Caddy is disabled or not configured.</unconfigured>
+            <nodomains>Caddy does not manage any domains.</nodomains>
         </translations>
     </caddydomain>
     <caddycertificate>

From d2df86728a8eefb18ced03fc3d16b4887a951c7c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 2 Dec 2024 14:55:25 +0100
Subject: [PATCH 2212/3088] net/ndproxy: Delete duplicate files (#4376)

* net/ndproxy: Delete duplicate files

* Update net/ndproxy/Makefile

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 .../Ndproxy/forms/Api/GeneralController.php   | 40 ------------------
 .../Ndproxy/forms/Api/ServiceController.php   | 41 ------------------
 .../Ndproxy/forms/GeneralController.php       | 42 -------------------
 3 files changed, 123 deletions(-)
 delete mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/GeneralController.php
 delete mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/ServiceController.php
 delete mode 100644 net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/GeneralController.php

diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/GeneralController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/GeneralController.php
deleted file mode 100644
index 3fe747dc6c..0000000000
--- a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/GeneralController.php
+++ /dev/null
@@ -1,40 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2024 Cedrik Pischem
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Ndproxy\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Core\Config;
-
-class GeneralController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelName = 'ndproxy';
-    protected static $internalModelClass = 'OPNsense\Ndproxy\Ndproxy';
-}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/ServiceController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/ServiceController.php
deleted file mode 100644
index 55d3983dc9..0000000000
--- a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/Api/ServiceController.php
+++ /dev/null
@@ -1,41 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2024 Cedrik Pischem
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Ndproxy\Api;
-
-use OPNsense\Base\ApiMutableServiceControllerBase;
-
-class ServiceController extends ApiMutableServiceControllerBase
-{
-    protected static $internalServiceClass = '\OPNsense\Ndproxy\Ndproxy';
-    protected static $internalServiceTemplate = 'OPNsense/Ndproxy';
-    protected static $internalServiceEnabled = 'general.enabled';
-    protected static $internalServiceName = 'ndproxy';
-}
diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/GeneralController.php b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/GeneralController.php
deleted file mode 100644
index d97a29a228..0000000000
--- a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/GeneralController.php
+++ /dev/null
@@ -1,42 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2024 Cedrik Pischem
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Ndproxy;
-
-use OPNsense\Base\IndexController;
-
-class GeneralController extends IndexController
-{
-    public function indexAction()
-    {
-        $this->view->pick('OPNsense/Ndproxy/general');
-        $this->view->generalForm = $this->getForm("general");
-    }
-}

From 6bde751bc97b7929af6c5b859f85a4335003bdb6 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 2 Dec 2024 16:15:58 +0100
Subject: [PATCH 2213/3088] www/caddy: Add Load Balancing options to Reverse
 Proxy and Layer4 Proxy (#4379)

* www/caddy: Add Load Balancing options to Reverse Proxy and Layer4 Proxy

* www/caddy: Add Load Balancing options to Reverse Proxy and Layer4 Proxy

* Update www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* www/caddy: Add changelog

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 www/caddy/pkg-descr                           |  1 +
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 93 +++++++++++++++++--
 .../OPNsense/Caddy/forms/dialogLayer4.xml     | 36 +++++--
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 69 ++++++++++++--
 .../mvc/app/views/OPNsense/Caddy/layer4.volt  |  5 +-
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 10 +-
 .../templates/OPNsense/Caddy/Caddyfile        | 24 +++++
 .../templates/OPNsense/Caddy/includeLayer4    | 36 ++++---
 8 files changed, 233 insertions(+), 41 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 378f12b86d..023352a4a8 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 
 1.7.5
 
+* Add: Load Balancing options to Layer 4 Proxy and HTTP Handle
 * Add: Layer4 TLS Termination
 * Add: h2c protocol to HTTP Handler
 * Cleanup: Caddy Certificate widget hides unused automatic certificates
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 68714b31c3..3ada90d0bb 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -136,14 +136,6 @@
         <help><![CDATA[When directive is "reverse_proxy", enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path. When directive is "redir", add the path the request should be redirected to; leaving it empty will append {uri}.]]></help>
         <advanced>true</advanced>
     </field>
-    <field>
-        <id>handle.PassiveHealthFailDuration</id>
-        <label>Upstream Fail Duration</label>
-        <type>text</type>
-        <style>style_reverse_proxy</style>
-        <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
-        <advanced>true</advanced>
-    </field>
     <field>
         <id>handle.HttpTlsInsecureSkipVerify</id>
         <label>TLS Insecure Skip Verify</label>
@@ -172,4 +164,89 @@
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Load Balancing</label>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.lb_policy</id>
+        <label>Load Balance Policy</label>
+        <type>dropdown</type>
+        <style>style_reverse_proxy</style>
+        <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.lb_retries</id>
+        <label>Load Balance Retries</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>off</hint>
+        <help><![CDATA[lb_retries is how many times to retry selecting available backends for each request if the next available host is down. If lb_try_duration is also configured, then retries may stop early if the duration is reached. In other words, the retry duration takes precedence over the retry count.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.lb_try_duration</id>
+        <label>Load Balance Try Duration (s)</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>0</hint>
+        <help><![CDATA[lb_try_duration is a duration value that defines how long to try selecting available backends for each request if the next available host is down. Clients will wait for up to this long while the load balancer tries to find an available upstream host. A reasonable starting point might be 5s since the HTTP transport's default dial timeout is 3s, so that should allow for at least one retry if the first selected upstream cannot be reached.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.lb_try_interval</id>
+        <label>Load Balance Try Interval (ms)</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>250</hint>
+        <help><![CDATA[lb_try_interval is a duration value that defines how long to wait between selecting the next host from the pool. Only relevant when a request to an upstream host fails. Be aware that setting this to 0 with a non-zero lb_try_duration can cause the CPU to spin if all backends are down and latency is very low.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.PassiveHealthFailDuration</id>
+        <label>Passive Health Fail Duration (s)</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>off</hint>
+        <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.PassiveHealthMaxFails</id>
+        <label>Passive Health Max Fails</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>1</hint>
+        <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.PassiveHealthUnhealthyStatus</id>
+        <label>Passive Health Unhealthy Status</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>off</hint>
+        <help><![CDATA[unhealthy_status counts a request as failed if the response comes back with one of these status codes. Can be a 3-digit status code or a status code class ending in xx, for example: 404 or 5xx.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.PassiveHealthUnhealthyLatency</id>
+        <label>Passive Health Unhealthy Latency (ms)</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>off</hint>
+        <help><![CDATA[unhealthy_latency is a duration value in ms that counts a request as failed if it takes this long to get a response.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>handle.PassiveHealthUnhealthyRequestCount</id>
+        <label>Passive Health Unhealthy Request Count</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>off</hint>
+        <help><![CDATA[unhealthy_request_count is the permissible number of simultaneous requests to a backend before marking it as down. In other words, if a particular backend is currently handling this many requests, then it is considered "overloaded" and other backends will be preferred instead. This should be a reasonably large number; configuring this means that the proxy will have a limit of unhealthy_request_count × upstreams_count total simultaneous requests, and any requests after that point will result in an error due to no upstreams being available.]]></help>
+        <advanced>true</advanced>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index a3ebb43f95..8fa4fdcae0 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -107,18 +107,42 @@
         <type>text</type>
         <help><![CDATA[Choose a custom port for the upstream destination.]]></help>
     </field>
+    <field>
+        <id>layer4.ProxyProtocol</id>
+        <label>Proxy Protocol</label>
+        <type>dropdown</type>
+        <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Load Balancing</label>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>layer4.lb_policy</id>
+        <label>Load Balance Policy</label>
+        <type>dropdown</type>
+        <style>style_reverse_proxy</style>
+        <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>layer4.PassiveHealthFailDuration</id>
-        <label>Upstream Fail Duration</label>
+        <label>Passive Health Fail Duration (s)</label>
         <type>text</type>
-        <help><![CDATA[Enables a passive health check when multiple destinations in "Upstream Domain" are set. "Fail Duration" is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking; the default is empty (off). A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+        <style>style_reverse_proxy</style>
+        <hint>off</hint>
+        <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>layer4.ProxyProtocol</id>
-        <label>Proxy Protocol</label>
-        <type>dropdown</type>
-        <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
+        <id>layer4.PassiveHealthMaxFails</id>
+        <label>Passive Health Max Fails</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>1</hint>
+        <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index dc0f8de5e5..f7da86b039 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -344,11 +344,6 @@
                     <Mask>/^(\/.*)?$/u</Mask>
                     <ValidationMessage>Please enter a valid Path that starts with '/'.</ValidationMessage>
                 </ToPath>
-                <PassiveHealthFailDuration type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>100</MaximumValue>
-                    <ValidationMessage>Please enter a value between 1 to 100.</ValidationMessage>
-                </PassiveHealthFailDuration>
                 <ForwardAuth type="BooleanField"/>
                 <HttpTls type="OptionField">
                     <Required>Y</Required>
@@ -392,6 +387,46 @@
                     <Type>ca</Type>
                 </HttpTlsTrustedCaCerts>
                 <HttpTlsServerName type="HostnameField"/>
+                <lb_policy type="OptionField">
+                    <BlankDesc>random</BlankDesc>
+                    <OptionValues>
+                        <first>first</first>
+                        <round_robin>round_robin</round_robin>
+                        <least_conn>least_conn</least_conn>
+                        <ip_hash>ip_hash</ip_hash>
+                        <client_ip_hash>client_ip_hash</client_ip_hash>
+                        <uri_hash>uri_hash</uri_hash>
+                    </OptionValues>
+                </lb_policy>
+                <lb_retries type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </lb_retries>
+                <lb_try_duration type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </lb_try_duration>
+                <lb_try_interval type="IntegerField"/>
+                <PassiveHealthFailDuration type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </PassiveHealthFailDuration>
+                <PassiveHealthMaxFails type="IntegerField">
+                    <MinimumValue>2</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 2 or leave empty for defaults.</ValidationMessage>
+                </PassiveHealthMaxFails>
+                <PassiveHealthUnhealthyStatus type="TextField">
+                    <mask>/^(100|[1-5][0-9]{2}|[1-5]xx)$/u</mask>
+                    <ValidationMessage>Please enter a valid HTTP response code like 404 a status code class like 4xx.</ValidationMessage>
+                </PassiveHealthUnhealthyStatus>
+                <PassiveHealthUnhealthyLatency type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </PassiveHealthUnhealthyLatency>
+                <PassiveHealthUnhealthyRequestCount type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </PassiveHealthUnhealthyRequestCount>
                 <description type="DescriptionField"/>
             </handle>
             <accesslist type="ArrayField">
@@ -548,11 +583,6 @@
                 <ToPort type="PortField">
                     <Required>Y</Required>
                 </ToPort>
-                <PassiveHealthFailDuration type="IntegerField">
-                    <MinimumValue>1</MinimumValue>
-                    <MaximumValue>100</MaximumValue>
-                    <ValidationMessage>Please enter a value between 1 to 100.</ValidationMessage>
-                </PassiveHealthFailDuration>
                 <ProxyProtocol type="OptionField">
                     <BlankDesc>Off (default)</BlankDesc>
                     <OptionValues>
@@ -560,6 +590,25 @@
                         <v2>v2</v2>
                     </OptionValues>
                 </ProxyProtocol>
+                <lb_policy type="OptionField">
+                    <BlankDesc>random</BlankDesc>
+                    <OptionValues>
+                        <first>first</first>
+                        <round_robin>round_robin</round_robin>
+                        <least_conn>least_conn</least_conn>
+                        <ip_hash>ip_hash</ip_hash>
+                        <client_ip_hash>client_ip_hash</client_ip_hash>
+                        <uri_hash>uri_hash</uri_hash>
+                    </OptionValues>
+                </lb_policy>
+                <PassiveHealthFailDuration type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </PassiveHealthFailDuration>
+                <PassiveHealthMaxFails type="IntegerField">
+                    <MinimumValue>2</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 2 or leave empty for defaults.</ValidationMessage>
+                </PassiveHealthMaxFails>
                 <RemoteIp type="NetworkField">
                     <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
index 7e41ee4172..f1c57229c9 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
@@ -148,13 +148,16 @@
                             <th data-column-id="FromPort" data-type="string" data-visible="false">{{ lang._('Local Port') }}</th>
                             <th data-column-id="Matchers" data-type="string">{{ lang._('Matchers') }}</th>
                             <th data-column-id="InvertMatchers" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Invert Matchers') }}</th>
+                            <th data-column-id="TerminateTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Terminate TLS') }}</th>
                             <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
                             <th data-column-id="FromOpenvpnModes" data-type="string" data-visible="false">{{ lang._('OpenVPN Modes') }}</th>
                             <th data-column-id="FromOpenvpnStaticKey" data-type="string" data-visible="false">{{ lang._('OpenVPN Static Key') }}</th>
                             <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
                             <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
                             <th data-column-id="RemoteIp" data-type="string" data-visible="false">{{ lang._('Remote IP') }}</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Fail Duration') }}</th>
+                            <th data-column-id="lb_policy" data-type="string" data-visible="false">{{ lang._('Load Balance Policy') }}</th>
+                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Passive Health Fail Duration') }}</th>
+                            <th data-column-id="PassiveHealthMaxFails" data-type="string" data-visible="false">{{ lang._('Passive Health Max Fails') }}</th>
                             <th data-column-id="ProxyProtocol" data-type="string" data-visible="false">{{ lang._('Proxy Protocol') }}</th>
                             <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 2840c9b83c..42036d6040 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -435,7 +435,6 @@
                             <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
                             <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
                             <th data-column-id="ToPath" data-type="string" data-visible="false">{{ lang._('Upstream Path') }}</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Upstream Fail Duration') }}</th>
                             <th data-column-id="ForwardAuth" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Forward Auth') }}</th>
                             <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
                             <th data-column-id="HttpVersion" data-type="string" data-visible="false">{{ lang._('HTTP Version') }}</th>
@@ -444,6 +443,15 @@
                             <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">{{ lang._('TLS Server Name') }}</th>
                             <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('NTLM') }}</th>
                             <th data-column-id="HttpTlsInsecureSkipVerify" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS Insecure Skip Verify') }}</th>
+                            <th data-column-id="lb_policy" data-type="string" data-visible="false">{{ lang._('Load Balance Policy') }}</th>
+                            <th data-column-id="lb_retries" data-type="string" data-visible="false">{{ lang._('Load Balance Retries') }}</th>
+                            <th data-column-id="lb_try_duration" data-type="string" data-visible="false">{{ lang._('Load Balance Try Duration') }}</th>
+                            <th data-column-id="lb_try_interval" data-type="string" data-visible="false">{{ lang._('Load Balance Try Interval') }}</th>
+                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Passive Health Fail Duration') }}</th>
+                            <th data-column-id="PassiveHealthMaxFails" data-type="string" data-visible="false">{{ lang._('Passive Health Max Fails') }}</th>
+                            <th data-column-id="PassiveHealthUnhealthyStatus" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Status') }}</th>
+                            <th data-column-id="PassiveHealthUnhealthyLatency" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Latency') }}</th>
+                            <th data-column-id="PassiveHealthUnhealthyRequestCount" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Request Count') }}</th>
                             <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
                             <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         </tr>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index ba29d7e26a..90543e2fd0 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -412,9 +412,33 @@ http://{{ domain }} {
         {% if handle.HandleDirective == "reverse_proxy" %}
         {{ handle.HandleDirective }} {{ formatted_domains | join(' ') }} {
             {{ header_manipulation(handle) }}
+            {% if handle.lb_policy|default("") %}
+                lb_policy {{ handle.lb_policy }}
+            {% endif %}
+            {% if handle.lb_retries|default("") %}
+                lb_retries {{ handle.lb_retries }}
+            {% endif %}
+            {% if handle.lb_try_duration|default("") %}
+                lb_try_duration {{ handle.lb_try_duration }}s
+            {% endif %}
+            {% if handle.lb_try_interval|default("") %}
+                lb_try_interval {{ handle.lb_try_interval }}ms
+            {% endif %}
             {% if handle.PassiveHealthFailDuration|default("") %}
                 fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}
+            {% if handle.PassiveHealthMaxFails|default("") %}
+                max_fails {{ handle.PassiveHealthMaxFails }}
+            {% endif %}
+            {% if handle.PassiveHealthUnhealthyStatus|default("") %}
+                unhealthy_status {{ handle.PassiveHealthUnhealthyStatus }}
+            {% endif %}
+            {% if handle.PassiveHealthUnhealthyLatency|default("") %}
+                unhealthy_latency {{ handle.PassiveHealthUnhealthyLatency }}ms
+            {% endif %}
+            {% if handle.PassiveHealthUnhealthyRequestCount|default("") %}
+                unhealthy_request_count {{ handle.PassiveHealthUnhealthyRequestCount }}
+            {% endif %}
             {% set has_transport_options =
                 handle.HttpVersion or
                 handle.HttpKeepalive or
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index 0029c1ba62..92d6387594 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -22,35 +22,41 @@
 {# Sort the configurations based on 'Sequence' #}
 {% set layer4_configs = unsorted_layer4_configs | sort(attribute='Sequence') %}
 
-{% macro define_proxy(layer4, to_domains, to_port, fail_duration, proxy_protocol) %}
+{% macro define_proxy(layer4) %}
     {% if layer4.TerminateTls|default("0") == "1" %}
     tls
     {% endif %}
-    proxy {% for domain in to_domains.split(',') %}
+    proxy {% for domain in layer4.ToDomain.split(',') %}
         {% set is_ipv6 = (':' in domain) %}
-        {{ layer4.Protocol }}/{{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ to_port }}{% if not loop.last %} {% endif %}
+        {{ layer4.Protocol }}/{{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ layer4.ToPort }}{% if not loop.last %} {% endif %}
     {% endfor %} {
-    {% if fail_duration %}
-        fail_duration {{ fail_duration }}s
+    {% if layer4.lb_policy|default("") %}
+        lb_policy {{ layer4.lb_policy }}
     {% endif %}
-    {% if proxy_protocol %}
-        proxy_protocol {{ proxy_protocol }}
+    {% if layer4.PassiveHealthFailDuration|default("") %}
+        fail_duration {{ layer4.PassiveHealthFailDuration }}s
+    {% endif %}
+    {% if layer4.PassiveHealthMaxFails|default("") %}
+        max_fails {{ layer4.PassiveHealthMaxFails }}
+    {% endif %}
+    {% if layer4.ProxyProtocol %}
+        proxy_protocol {{ layer4.ProxyProtocol }}
     {% endif %}
     }
 {% endmacro %}
 
-{% macro configure_proxy(layer4, to_domains, to_port, remote_ips, fail_duration, proxy_protocol) %}
+{% macro configure_proxy(layer4) %}
     {% set content %}
-        {% if remote_ips %}
-            {% set ip_list = remote_ips.split(',') %}
+        {% if layer4.RemoteIp %}
+            {% set ip_list = layer4.RemoteIp.split(',') %}
             subroute {
                 @allowed_ips remote_ip {{ ip_list|join(' ') }}
                 route @allowed_ips {
-                    {{ define_proxy(layer4, to_domains, to_port, fail_duration, proxy_protocol) }}
+                    {{ define_proxy(layer4) }}
                 }
             }
         {% else %}
-            {{ define_proxy(layer4, to_domains, to_port, fail_duration, proxy_protocol) }}
+            {{ define_proxy(layer4) }}
         {% endif %}
     {% endset %}
     {{ content|trim }}
@@ -144,7 +150,7 @@
             {% if layer4.Matchers != 'any' %}
                 @{{ layer4['@uuid'] }} {{ handle_special_matchers(layer4) }}
                 route @{{ layer4['@uuid'] }} {
-                    {{ configure_proxy(layer4, layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                    {{ configure_proxy(layer4) }}
                 }
             {% endif %}
         {% endif %}
@@ -157,11 +163,11 @@
                     {% if layer4.Matchers != 'any' %}
                         @{{ layer4['@uuid'] }} {{ handle_special_matchers(layer4) }}
                         route @{{ layer4['@uuid'] }} {
-                            {{ configure_proxy(layer4, layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                            {{ configure_proxy(layer4) }}
                         }
                     {% else %}
                         route {
-                            {{ configure_proxy(layer4, layer4.ToDomain, layer4.ToPort, layer4.RemoteIp, layer4.PassiveHealthFailDuration, layer4.ProxyProtocol) }}
+                            {{ configure_proxy(layer4) }}
                         }
                     {% endif %}
                 {% endif %}

From 29efc900c412017fc15ae87776b55395d3c59448 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Dec 2024 07:56:17 +0100
Subject: [PATCH 2214/3088] net-mgmt/telegraf: make a new version, give it a
 round on development version

---
 net-mgmt/telegraf/Makefile  | 3 +--
 net-mgmt/telegraf/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index c5890c6229..f9615b538f 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.11
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.12.12
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 33d82d4b0c..aec0d9c1ae 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.12
+
+* Fix for mixed ping plugin config (contributed by Alex Baulé)
+
 1.12.11
 
 * Add OpenTelemetry output

From e2ec34bc2d840264930b06d0fc1328aa6e4e6666 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Dec 2024 20:29:04 +0100
Subject: [PATCH 2215/3088] mail/postfix: bump cert.pem location

---
 mail/postfix/Makefile                                         | 2 +-
 .../src/opnsense/service/templates/OPNsense/Postfix/main.cf   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 659bcd8c19..f0c2159c3b 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		postfix
 PLUGIN_VERSION=		1.23
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 5ce384efad..2d462bb425 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -37,7 +37,7 @@ recipient_bcc_maps = hash:/usr/local/etc/postfix/recipientbcc
 sender_canonical_maps = regexp:/usr/local/etc/postfix/sendercanonical
 header_checks = pcre:/usr/local/etc/postfix/header_checks_receiving
 smtp_header_checks = pcre:/usr/local/etc/postfix/header_checks_delivering
-smtp_tls_CAfile = /etc/ssl/cert.pem
+smtp_tls_CAfile = /usr/local/etc/ssl/cert.pem
 ##########################
 # END SYSTEM DEFAULTS
 ##########################
@@ -120,7 +120,7 @@ smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
 {% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
 smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
 {% else %}
-smtpd_tls_CAfile = /etc/ssl/cert.pem
+smtpd_tls_CAfile = /usr/local/etc/ssl/cert.pem
 {% endif %}
 {% if helpers.exists('OPNsense.postfix.general.tls_server_compatibility') %}
 {% if OPNsense.postfix.general.tls_server_compatibility == 'modern' %}

From c73af598a4b045ea7d0c774e99c27ff36afb987b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Dec 2024 20:29:38 +0100
Subject: [PATCH 2216/3088] net/chrony: bump cert.pem location

---
 net/chrony/Makefile                                             | 2 +-
 .../src/opnsense/service/templates/OPNsense/Chrony/chrony.conf  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index 8c7aa0bed6..02436f088c 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		chrony
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
index 2c717494c4..7cd4f7a16f 100644
--- a/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
+++ b/net/chrony/src/opnsense/service/templates/OPNsense/Chrony/chrony.conf
@@ -7,7 +7,7 @@ makestep 1 3
 
 {%   if helpers.exists('OPNsense.chrony.general.ntsclient') and OPNsense.chrony.general.ntsclient == '1' %}
 ntsdumpdir /var/lib/chrony
-ntstrustedcerts /etc/ssl/cert.pem
+ntstrustedcerts /usr/local/etc/ssl/cert.pem
 nosystemcert
 {%   endif %}
 

From 99ad9d9da317a64bdfcd24f2f14767b62d6a01f2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Dec 2024 20:30:35 +0100
Subject: [PATCH 2217/3088] net/haproxy: bump cert.pem location

---
 net/haproxy/Makefile                                            | 2 +-
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 7e0911ca88..887d00cd87 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.3
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy28 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 847091b70a..679ab09db3 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1874,7 +1874,7 @@ backend {{backend.name}}
 {%                     do server_options.append('ca-file /tmp/haproxy/ssl/' ~ server_data.id ~ '.calist') %}
 {%                   else %}
 {#                     # fallback to system CA Root Certificates #}
-{%                     do server_options.append('ca-file /etc/ssl/cert.pem') %}
+{%                     do server_options.append('ca-file /usr/local/etc/ssl/cert.pem') %}
 {%                   endif %}
 {#                   # check for SSL CRL #}
 {%                   if server_data.sslCRL|default("") != "" %}

From ae922ba20c0cd48d2a021f58d782bafbdfca1325 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Dec 2024 20:30:52 +0100
Subject: [PATCH 2218/3088] www/nginx: bump cert.pem location

---
 www/nginx/Makefile                                              | 2 +-
 .../src/opnsense/service/templates/OPNsense/Nginx/location.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 7b5d49baff..f20b54fcb8 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 0bb464d3d1..80f2d3b022 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -208,7 +208,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {%     if upstream.tls_trusted_certificate is defined and upstream.tls_trusted_certificate != '' %}
     proxy_ssl_trusted_certificate /usr/local/etc/nginx/key/trust_upstream_{{ location.upstream }}.pem;
 {%     else %}
-    proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
+    proxy_ssl_trusted_certificate /usr/local/etc/ssl/cert.pem;
 {%     endif %}
     proxy_ssl_verify {% if upstream.tls_verify == '1' %}on{% else %}off{% endif %};
 {%     if upstream.tls_verify_depth is defined and upstream.tls_verify_depth != '' %}

From 658f6023b9b19f7bfc904e4c9edce2aee2a01f36 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 3 Dec 2024 22:07:03 +0100
Subject: [PATCH 2219/3088] emulators/qemu-guest-agent: bump version

---
 emulators/qemu-guest-agent/Makefile  | 2 +-
 emulators/qemu-guest-agent/pkg-descr | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/emulators/qemu-guest-agent/Makefile b/emulators/qemu-guest-agent/Makefile
index f0c669044a..62690e9e82 100644
--- a/emulators/qemu-guest-agent/Makefile
+++ b/emulators/qemu-guest-agent/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		qemu-guest-agent
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		QEMU Guest Agent for OPNsense
 PLUGIN_DEPENDS=		qemu-guest-agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/emulators/qemu-guest-agent/pkg-descr b/emulators/qemu-guest-agent/pkg-descr
index e074dd911f..656993fb20 100644
--- a/emulators/qemu-guest-agent/pkg-descr
+++ b/emulators/qemu-guest-agent/pkg-descr
@@ -6,6 +6,12 @@ WWW: http://wiki.qemu.org/Main_Page
 Plugin Changelog
 ================
 
+1.3
+
+Fixed:
+* fix disabled-rpcs break service start (#4287)
+* service not working after upgrade to 24.7 (#4255)
+
 1.2
 
 Changed:

From 6d79d32ea8e94e522e53d16d6c7871414340110c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 5 Dec 2024 08:11:11 +0100
Subject: [PATCH 2220/3088] www/caddy: Fix wildcard certificate extraction for
 widget (#4385)

* www/caddy: Fix wildcard certificate extraction for widget

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 www/caddy/Makefile                                              | 1 +
 .../src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py    | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 26bed4d6a1..ba7f7a9565 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.7.5
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
index ab55778a60..9a15eb01f7 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
@@ -101,6 +101,8 @@ async def extract_certificate_info(cert_path):
 
         # Extract the hostname from the filename
         hostname = os.path.basename(cert_path).replace('.crt', '').lower()
+        if hostname.startswith("wildcard_"):
+            hostname = hostname.replace("wildcard_", "*", 1)
 
         return {'hostname': hostname, 'expiration_date': expiration_date_str, 'remaining_days': remaining_days}
     except asyncio.TimeoutError as e:

From be46a42f8eb360da29b4e18097d467c276df1e3e Mon Sep 17 00:00:00 2001
From: David PHAM-VAN <1387855+DavBfr@users.noreply.github.com>
Date: Fri, 6 Dec 2024 08:24:06 -0400
Subject: [PATCH 2221/3088] Add ddclient TTL configuration in Gandi and GoDaddy
 (#4387)

---
 .../app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml | 2 +-
 .../service/templates/OPNsense/ddclient/ddclient.conf       | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 28d40b7e42..b47b38ddac 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -77,7 +77,7 @@
         <id>account.ttl</id>
         <label>TTL</label>
         <type>text</type>
-        <style>optional_setting service_aws service_netcup</style>
+        <style>optional_setting service_aws service_netcup service_gandi service_godaddy</style>
         <help>Time to Live for the DNS entry</help>
     </field>
     <field>
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 333d478a83..95e37f9c73 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -44,9 +44,10 @@ protocol={{account.service}}, \
 dynurl=https://ipv4.cloudns.net/api/dynamicURL/?q={{account.password}}, \
 {%      elif account.service == 'hosting1984' %}
 protocol=1984, \
-{%      elif account.service == 'godaddy' %}
+{%      elif account.service in ['godaddy', 'gandi'] %}
 protocol={{account.service}}, \
 zone={{account.zone}}, \
+ttl={{account.ttl}}, \
 {%      elif account.service == 'hetzner' %}
 protocol={{account.service}}, \
 zone={{account.zone}}, \
@@ -56,9 +57,6 @@ server=updates.dnsomatic.com, \
 {%      elif account.service == 'dynu' %}
 protocol=dyndns2, \
 server=api.dynu.com, \
-{%      elif account.service == 'gandi' %}
-protocol={{account.service}}, \
-zone={{account.zone}}, \
 {%      elif account.service == 'he-net' %}
 protocol=dyndns2, \
 server=dyn.dns.he.net, \

From dbe996b0539d9e8b4627354527f1281cc97aef5d Mon Sep 17 00:00:00 2001
From: DollarSign23 <142776995+DollarSign23@users.noreply.github.com>
Date: Fri, 6 Dec 2024 14:28:46 +0100
Subject: [PATCH 2222/3088] sysutils/nut: new dashboard widget (#4188)

---
 sysutils/nut/Makefile                         |   3 +-
 sysutils/nut/pkg-descr                        |   4 +
 .../opnsense/www/js/widgets/Metadata/Nut.xml  |  43 ++++
 .../nut/src/opnsense/www/js/widgets/Nut.js    | 228 ++++++++++++++++++
 4 files changed, 276 insertions(+), 2 deletions(-)
 create mode 100644 sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
 create mode 100644 sysutils/nut/src/opnsense/www/js/widgets/Nut.js

diff --git a/sysutils/nut/Makefile b/sysutils/nut/Makefile
index 99334db4ce..6a95cd0cf3 100644
--- a/sysutils/nut/Makefile
+++ b/sysutils/nut/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nut
-PLUGIN_VERSION=		1.8.1
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.9.0
 PLUGIN_COMMENT=		Network UPS Tools
 PLUGIN_DEPENDS=		nut
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/nut/pkg-descr b/sysutils/nut/pkg-descr
index 9f9fe6b37a..15131a87ad 100644
--- a/sysutils/nut/pkg-descr
+++ b/sysutils/nut/pkg-descr
@@ -9,6 +9,10 @@ and management interface.
 Plugin Changelog
 ----------------
 
+1.9
+
+* Add dashboard widget
+
 1.8
 
 * Add apcupsd-ups driver support
diff --git a/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml b/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
new file mode 100644
index 0000000000..a3ebebf193
--- /dev/null
+++ b/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
@@ -0,0 +1,43 @@
+<metadata>
+    <nut>
+        <filename>Nut.js</filename>
+        <endpoints>
+            <endpoint>/api/nut/service/status</endpoint>
+            <endpoint>/api/nut/settings/get</endpoint>
+            <endpoint>/api/nut/diagnostics/upsstatus</endpoint>
+        </endpoints>
+        <translations>
+            <title>NUT</title>
+            <status_model>UPS Model</status_model>
+            <status_status>UPS Status</status_status>
+            <status_battery>Battery status</status_battery>
+            <status_load>UPS Load</status_load>
+            <status_efficiency>UPS Efficiency</status_efficiency>
+            <status_bcharge>Battery level</status_bcharge>
+            <status_timeleft>Battery runtime</status_timeleft>
+            <status_output_power>Output Power</status_output_power>
+            <status_input_power>Input Power</status_input_power>
+            <status_selftest>Self test</status_selftest>
+            <status_ol>On line</status_ol>
+            <status_ob>On battery</status_ob>
+            <status_lb>Low battery</status_lb>
+            <status_hb>High battery</status_hb>
+            <status_rb>Battery needs to be replaced</status_rb>
+            <status_chrg>Battery is charging</status_chrg>
+            <status_dischrg>Battery is discharging</status_dischrg>
+            <status_bypass>UPS bypass circuit is active</status_bypass>
+            <status_cal>Performing runtime calibration</status_cal>
+            <status_off>UPS is offline</status_off>
+            <status_over>UPS is overloaded</status_over>
+            <status_trim>UPS is trimming voltage</status_trim>
+            <status_boost>UPS is boosting voltage</status_boost>
+            <status_fsd>Forced Shutdown</status_fsd>
+            <unconfigured>Nut is not started. Click to configure Nut.</unconfigured>
+            <netclient_unconfigured>This widget only works with the Netclient driver. Click to configure the Netclient driver.</netclient_unconfigured>
+            <netclient_remote_server>Remote NUT Server</netclient_remote_server>
+            <time_hours>h</time_hours>
+            <time_minutes>m</time_minutes>
+            <time_seconds>s</time_seconds>
+        </translations>
+    </nut>
+</metadata>
diff --git a/sysutils/nut/src/opnsense/www/js/widgets/Nut.js b/sysutils/nut/src/opnsense/www/js/widgets/Nut.js
new file mode 100644
index 0000000000..53de7a14b7
--- /dev/null
+++ b/sysutils/nut/src/opnsense/www/js/widgets/Nut.js
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2024 DollarSign23
+ * Copyright (C) 2024 Nicola Pellegrini
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+import BaseTableWidget from 'widget-base-table';
+
+export default class NutNetclient extends BaseTableWidget {
+    constructor() {
+        super();
+        this.timeoutPeriod = 1000; // Set a timeout period for AJAX calls or other timed operations.
+    }
+
+    getGridOptions() {
+        return {
+            // Trigger overflow-y:scroll after 650px height
+            sizeToContent: 650
+        };
+    }
+
+    // Creates and returns the HTML structure for the widget, including a table without a header.
+    getMarkup() {
+        let $container = $('<div></div>'); // Create a container div.
+        let $nut_table = this.createTable('nut-table', {
+            headerPosition: 'none', // Disable table headers.
+        });
+        $container.append($nut_table); // Append the table to the container.
+        return $container; // Return the container with the table.
+    }
+
+    // Periodically called to update the widget's data and UI.
+    async onWidgetTick() {
+        // Fetch the NUT service status from the server.
+        const nut_service_status = await this.ajaxCall('/api/nut/service/status');
+
+        // If the service is not running, display a message and stop further processing.
+        if (!nut_service_status || nut_service_status.status !== 'running') {
+            $('#nut-table').html(`<a href="/ui/nut/index">${this.translations.unconfigured}</a>`);
+            return;
+        }
+
+        // Fetch the NUT settings from the server.
+        const nut_settings = await this.ajaxCall('/api/nut/settings/get');
+
+        // // If netclient is not enabled, display a message and stop further processing.
+        // if (nut_settings.nut?.netclient?.enable !== "1") {
+        //     $('#nut-table').html(`<a href="/ui/nut/index#subtab_nut-ups-netclient">${this.translations.netclient_unconfigured}</a>`);
+        //     return;
+        // }
+
+        // Fetch the UPS status data from the server.
+        const { response: nut_ups_status_response } = await this.ajaxCall('/api/nut/diagnostics/upsstatus');
+
+        // Parse the UPS status data into a key-value object.
+        const nut_ups_status = nut_ups_status_response.split('\n').reduce((acc, line) => {
+            const [key, value] = line.split(': ');
+            if (key) acc[key] = value; // Only add non-empty keys.
+            return acc;
+        }, {});
+
+        // Use the dataChanged method to check if the data has changed since the last tick
+        if (!this.dataChanged('ups_status', nut_ups_status)) {
+            return;
+        }
+
+        // Prepare the rows for the table based on the fetched data.
+        const rows = [
+            // Display the remote server address if available.
+            nut_settings.nut?.netclient?.address && nut_settings.nut?.netclient?.address && nut_settings.nut?.netclient?.user && this.makeTextRow("netclient_remote_server", `${nut_settings.nut?.netclient?.user}@${nut_settings.nut?.netclient?.address}:${nut_settings.nut?.netclient?.port}`),
+            // Display the manufacturer and model if available.
+            nut_ups_status['device.mfr'] && nut_ups_status['device.model'] && this.makeTextRow("status_model", `${nut_ups_status['device.mfr']} - ${nut_ups_status['device.model']}`),
+            // Display the UPS Status if available.
+            nut_ups_status['ups.status'] && this.makeColoredTextRow('status_status', this.nutMapStatus(nut_ups_status['ups.status']), /OL/, /OB|LB|RB|DISCHRG/, nut_ups_status['ups.status']),
+            // Display the UPS load with percentage and optional nominal power.
+            nut_ups_status['ups.load'] && nut_ups_status['ups.realpower'] && this.makeUpsLoadRow('status_load', parseFloat(nut_ups_status['ups.load']), parseFloat(nut_ups_status['ups.realpower'])),
+            // Display the battery charge as a progress bar if available.
+            nut_ups_status['battery.charge'] && this.makeProgressBarRow("status_bcharge", parseFloat(nut_ups_status['battery.charge'])),
+            // Display the battery status if available.
+            nut_ups_status['battery.charger.status'] && this.makeTextRow('status_battery', nut_ups_status['battery.charger.status']),
+            // Display the formatted battery runtime if available.
+            nut_ups_status['battery.runtime'] && this.makeTextRow('status_timeleft', this.formatRuntime(parseInt(nut_ups_status['battery.runtime'], 10))),
+            // Display the input voltage and frequency if available.
+            nut_ups_status['input.voltage'] && nut_ups_status['input.frequency'] && this.makeTextRow('status_input_power', `${nut_ups_status['input.voltage']} V | ${nut_ups_status['input.frequency']} Hz`),
+            // Display the output voltage and frequency if available.
+            nut_ups_status['output.voltage'] && nut_ups_status['output.frequency'] && this.makeTextRow('status_output_power', `${nut_ups_status['output.voltage']} V | ${nut_ups_status['output.frequency']} Hz`),
+            // Display the result of the UPS efficiency if available.
+            nut_ups_status['ups.efficiency'] && this.makeTextRow('status_efficiency', `${nut_ups_status['ups.efficiency']}%`),
+            // Display the result of the UPS self-test if available.
+            nut_ups_status['ups.test.result'] && this.makeTextRow('status_selftest', nut_ups_status['ups.test.result']),
+        ].filter(Boolean); // Remove any undefined or null rows.
+
+        // Update the table with the prepared rows.
+        this.updateTable('nut-table', rows);
+    }
+
+    // Formats the runtime (in seconds) into a human-readable format (hours, minutes, seconds).
+    formatRuntime(seconds) {
+        const hours = Math.floor(seconds / 3600); // Calculate full hours.
+        const minutes = Math.floor((seconds % 3600) / 60); // Calculate remaining full minutes.
+        const remainingSeconds = seconds % 60; // Calculate remaining seconds.
+
+        let formattedTime = '';
+
+        if (hours > 0) {
+            formattedTime += `${hours}${this.translate('time_hours')} `;
+        }
+        if (minutes > 0 || hours > 0) { // Only show minutes if they are > 0 or hours are present.
+            formattedTime += `${minutes}${this.translate('time_minutes')} `;
+        }
+        formattedTime += `${remainingSeconds}${this.translate('time_seconds')}`; // Always show seconds.
+
+        return formattedTime.trim(); // Remove any trailing spaces.
+    }
+
+    // Create a mapping between UPS status codes and their corresponding translations
+    nutMapStatus(statusCode) {
+        const statusMapping = {
+            'OL': this.translate('status_ol'),         // On line (mains is present)
+            'OB': this.translate('status_ob'),         // On battery (mains is not present)
+            'LB': this.translate('status_lb'),         // Low battery
+            'HB': this.translate('status_hb'),         // High battery
+            'RB': this.translate('status_rb'),         // Battery needs to be replaced
+            'CHRG': this.translate('status_chrg'),     // Battery is charging
+            'DISCHRG': this.translate('status_dischrg'), // Battery is discharging
+            'BYPASS': this.translate('status_bypass'), // UPS bypass circuit is active (no battery protection available)
+            'CAL': this.translate('status_cal'),       // Performing runtime calibration (on battery)
+            'OFF': this.translate('status_off'),       // UPS is offline
+            'OVER': this.translate('status_over'),     // UPS is overloaded
+            'TRIM': this.translate('status_trim'),     // UPS is trimming incoming voltage
+            'BOOST': this.translate('status_boost'),   // UPS is boosting incoming voltage
+            'FSD': this.translate('status_fsd'),       // Forced Shutdown
+        };
+
+        // Return the mapped translation or the original status code if no translation is found
+        return statusMapping[statusCode] || statusCode;
+    }
+
+    // Creates a row for the UPS load, including the percentage and optional nominal power.
+    makeUpsLoadRow(labelKey, loadpct, nompower) {
+        let text = loadpct.toFixed(1) + ' %';
+        if (nompower) {
+            text += ` ( ~ ${nompower} W )`;
+        }
+        return this.makeProgressBarRow(labelKey, loadpct, text);
+    }
+
+    // Creates a row with a progress bar, optionally including custom text.
+    makeProgressBarRow(labelKey, progress, progressText = `${progress.toFixed(1)} %`) {
+        const pb = this.makeProgressBar(progress, progressText); // Create the progress bar.
+        return this.makeRow(labelKey, pb); // Create a row with the progress bar.
+    }
+
+    // Creates a row with text, applying color based on regular expressions.
+    makeColoredTextRow(labelKey, value, okRegexp, errRegexp, check_value = value) {
+        const textEl = $('<b></b>').text(value); // Create a bold text element with the value.
+
+        // Apply CSS classes based on regex matches.
+        if (okRegexp?.exec(check_value)) {
+            textEl.addClass('text-success');
+        } else if (errRegexp?.exec(check_value)) {
+            textEl.addClass('text-danger');
+        } else {
+            textEl.addClass('text-warning');
+        }
+
+        return this.makeRow(labelKey, textEl.prop('outerHTML')); // Create a row with the colored text.
+    }
+
+    // Creates a progress bar with a text overlay.
+    makeProgressBar(progress, text) {
+        const $textEl = $('<span class="text-center"></span>').text(text).css({
+            position: 'absolute',
+            left: 0,
+            right: 0
+        });
+
+        const $barEl = $('<div class="progress-bar"></div>').css({
+            width: `${progress}%`,
+            zIndex: 0
+        });
+
+        return $('<div class="progress"></div>').append($barEl, $textEl).prop("outerHTML");
+    }
+
+    // Creates a text row for the table.
+    makeTextRow(labelKey, content) {
+        content = typeof content === 'string' ? content : content.value; // Ensure content is a string.
+        return this.makeRow(labelKey, content); // Create a row with the text content.
+    }
+
+    // Creates a row with a label and content.
+    makeRow(labelKey, content) {
+        return [this.translate(labelKey), content];
+    }
+
+    // Translates a key into the corresponding text.
+    translate(key) {
+        let value = this.translations[key];
+        if (value === undefined) {
+            console.error('Missing translation for ' + key);
+            value = key; // Fallback to the key itself if translation is missing.
+        }
+        return value;
+    }
+}

From cadc03aebd3dd2a701428089dc3acf532e0de4b6 Mon Sep 17 00:00:00 2001
From: Sam Sheridan <sheridans@users.noreply.github.com>
Date: Fri, 6 Dec 2024 15:48:34 +0000
Subject: [PATCH 2223/3088] add tailscale plugin (#4386)

---
 security/tailscale/Makefile                   |   8 ++
 security/tailscale/pkg-descr                  |  11 ++
 .../src/etc/inc/plugins.inc.d/tailscale.inc   |  65 +++++++++
 .../Api/AuthenticationController.php          |  39 ++++++
 .../Tailscale/Api/ServiceController.php       |  45 ++++++
 .../Tailscale/Api/SettingsController.php      |  77 ++++++++++
 .../Tailscale/Api/StatusController.php        |  65 +++++++++
 .../Tailscale/AuthenticationController.php    |  38 +++++
 .../OPNsense/Tailscale/SettingsController.php |  39 ++++++
 .../OPNsense/Tailscale/StatusController.php   |  37 +++++
 .../Tailscale/forms/authentication.xml        |  14 ++
 .../Tailscale/forms/dialogSubnet4.xml         |  14 ++
 .../OPNsense/Tailscale/forms/settings.xml     |  32 +++++
 .../app/models/OPNsense/Tailscale/ACL/ACL.xml |   9 ++
 .../OPNsense/Tailscale/Authentication.php     |  35 +++++
 .../OPNsense/Tailscale/Authentication.xml     |  14 ++
 .../models/OPNsense/Tailscale/Menu/Menu.xml   |   9 ++
 .../models/OPNsense/Tailscale/Settings.php    |  35 +++++
 .../models/OPNsense/Tailscale/Settings.xml    |  37 +++++
 .../app/models/OPNsense/Tailscale/Status.php  |  35 +++++
 .../app/models/OPNsense/Tailscale/Status.xml  |   6 +
 .../OPNsense/Tailscale/authentication.volt    |  39 ++++++
 .../views/OPNsense/Tailscale/settings.volt    |  75 ++++++++++
 .../app/views/OPNsense/Tailscale/status.volt  | 132 ++++++++++++++++++
 .../conf/actions.d/actions_tailscale.conf     |  47 +++++++
 .../templates/OPNsense/Tailscale/+TARGETS     |   1 +
 .../templates/OPNsense/Tailscale/rc.conf.d    |  49 +++++++
 27 files changed, 1007 insertions(+)
 create mode 100644 security/tailscale/Makefile
 create mode 100644 security/tailscale/pkg-descr
 create mode 100644 security/tailscale/src/etc/inc/plugins.inc.d/tailscale.inc
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/AuthenticationController.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/ServiceController.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/SettingsController.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/StatusController.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/AuthenticationController.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/SettingsController.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/StatusController.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/authentication.xml
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml
 create mode 100644 security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/ACL/ACL.xml
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Menu/Menu.xml
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Status.php
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Status.xml
 create mode 100644 security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/authentication.volt
 create mode 100644 security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
 create mode 100644 security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
 create mode 100644 security/tailscale/src/opnsense/service/conf/actions.d/actions_tailscale.conf
 create mode 100644 security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/+TARGETS
 create mode 100644 security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d

diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
new file mode 100644
index 0000000000..b995e68c9c
--- /dev/null
+++ b/security/tailscale/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=       tailscale
+PLUGIN_VERSION=    1.0.d
+PLUGIN_DEVEL=      yes
+PLUGIN_COMMENT=    Tailscale makes creating software-defined networks easy
+PLUGIN_DEPENDS=    tailscale
+PLUGIN_MAINTAINER= sam@sheridan.co.uk
+
+.include "../../Mk/plugins.mk"
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
new file mode 100644
index 0000000000..9befef3b61
--- /dev/null
+++ b/security/tailscale/pkg-descr
@@ -0,0 +1,11 @@
+Tailscale is a mesh VPN alternative, based on WireGuard, that connects your
+computers, databases, and services together securely without any proxies.
+
+https://tailscale.com/
+
+Plugin Changelog
+================
+
+1.0
+
+* initial development release
diff --git a/security/tailscale/src/etc/inc/plugins.inc.d/tailscale.inc b/security/tailscale/src/etc/inc/plugins.inc.d/tailscale.inc
new file mode 100644
index 0000000000..dc1bf6b0b1
--- /dev/null
+++ b/security/tailscale/src/etc/inc/plugins.inc.d/tailscale.inc
@@ -0,0 +1,65 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Sheridan Computers
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function tailscale_enabled()
+{
+    return !empty((string)(new \OPNsense\Tailscale\Settings())->enabled);
+}
+
+function tailscale_services()
+{
+    $services = [];
+
+    if (!tailscale_enabled()) {
+        return $services;
+    }
+
+    $services[] = [
+        'description' => gettext('Tailscale'),
+        'pidfile' => '/var/run/tailscaled.pid',
+        'configd' => [
+            'restart' => ['tailscale restart'],
+            'start' => ['tailscale start'],
+            'stop' => ['tailscale stop'],
+        ],
+        'name' => 'tailscale',
+    ]; 
+
+    return $services;
+}
+
+function tailscale_devices()
+{
+    return [[
+        'pattern' => '^tailscale0$',
+        'configurable' => false,
+        'spoofmac' => false,
+        'volatile' => true,
+    ]];
+}
+
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/AuthenticationController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/AuthenticationController.php
new file mode 100644
index 0000000000..0161b75b61
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/AuthenticationController.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Sheridan Computers
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+
+class AuthenticationController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'authentication';
+    protected static $internalModelClass = '\OPNsense\Tailscale\Authentication';
+}
+
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/ServiceController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/ServiceController.php
new file mode 100644
index 0000000000..eece38360d
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/ServiceController.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Sheridan Computers
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\Tailscale
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Tailscale\Settings';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceTemplate = 'OPNsense/Tailscale';
+    protected static $internalServiceName = 'tailscale';
+}
+
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/SettingsController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/SettingsController.php
new file mode 100644
index 0000000000..49f3b50b4a
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/SettingsController.php
@@ -0,0 +1,77 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Sheridan Computers
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'settings';
+    protected static $internalModelClass = '\OPNsense\Tailscale\Settings';
+
+    public function searchSubnetAction()
+    {
+        return $this->searchBase("subnets.subnet4", null, "subnet");
+    }
+    public function setSubnetAction($uuid)
+    {
+        return $this->setBase("subnet4", "subnets.subnet4", $uuid);
+    }
+    public function addSubnetAction()
+    {
+        return $this->addBase("subnet4", "subnets.subnet4");
+    }
+
+    public function getSubnetAction($uuid = null)
+    {
+        return $this->getBase("subnet4", "subnets.subnet4", $uuid);
+    }
+
+    public function delSubnetAction($uuid)
+    {
+        return $this->delBase("subnets.subnet4", $uuid);
+    }
+
+    public function reloadAction()
+    {
+        $mdl = $this->getModel();
+	    $enabled = $mdl->enabled->__toString() === '1';
+   	    $response = $this->toggleTailScaleService($enabled);
+        return ['result ' => $response];
+    }
+
+    private function toggleTailscaleService($enabled)
+    {
+        $backend = new Backend();
+        $backend->configdRun('template reload OPNsense/Tailscale');
+        $action = $enabled ? 'start' : 'stop';
+        return trim($backend->configdRun('tailscale ' . $action));
+    }
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/StatusController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/StatusController.php
new file mode 100644
index 0000000000..f3688ac9cc
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/StatusController.php
@@ -0,0 +1,65 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Sheridan Computers
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+
+class StatusController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'Tailscale';
+    protected static $internalModelClass = '\OPNsense\Tailscale\Status';
+
+    public function statusAction()
+    {
+        $response = json_decode(trim((new Backend())->configdRun('tailscale tailscale-status')), true);
+        if ($response !== null) {
+            return $response;
+        }
+    	return ['error' => 'Unable to determine Tailscale status, is the service running?'];
+    }
+
+    public function ipAction()
+    {
+        $response = trim((new Backend())->configdRun('tailscale tailscale-ip'));
+    	return ['result' => $response];
+    }
+
+    public function netAction()
+    {
+        $response = trim((new Backend())->configdRun('tailscale tailscale-netcheck'));
+    	return ['result' => $response];
+    }
+
+    private function isJson($string) {
+        return is_string($string)
+            && (is_object(json_decode($string))
+            || is_array(json_decode($string)));
+    }
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/AuthenticationController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/AuthenticationController.php
new file mode 100644
index 0000000000..98b9397b2f
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/AuthenticationController.php
@@ -0,0 +1,38 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Sheridan Computers
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale;
+
+class AuthenticationController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Tailscale/authentication');
+        $this->view->authenticationForm = $this->getForm('authentication');
+    }
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/SettingsController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/SettingsController.php
new file mode 100644
index 0000000000..0170af9573
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/SettingsController.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Sheridan Computers
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale;
+
+class SettingsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Tailscale/settings');
+        $this->view->settingsForm = $this->getForm('settings');
+        $this->view->formDialogSubnet = $this->getForm("dialogSubnet4");
+    }
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/StatusController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/StatusController.php
new file mode 100644
index 0000000000..707b41dd39
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/StatusController.php
@@ -0,0 +1,37 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Sheridan Computers
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale;
+
+class StatusController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Tailscale/status');
+    }
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/authentication.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/authentication.xml
new file mode 100644
index 0000000000..b2bcae8b3a
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/authentication.xml
@@ -0,0 +1,14 @@
+<form>
+    <field>
+        <id>authentication.loginServer</id>
+        <label>Login Server</label>
+        <type>text</type>
+        <help>Base URL of login (control) server.</help>
+    </field>
+    <field>
+        <id>authentication.preAuthKey</id>
+        <label>Pre-authentication Key</label>
+        <type>text</type>
+        <help>Use a non-reusable auth key and disable expiration</help>
+    </field>
+</form>
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml
new file mode 100644
index 0000000000..ce35d9f3d1
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml
@@ -0,0 +1,14 @@
+<form>
+    <field>
+        <id>subnet4.subnet</id>
+        <label>Subnet</label>
+        <type>text</type>
+        <help>Subnet to use, should be large enough to hold the specified pools and reservations</help>
+    </field>
+    <field>
+        <id>subnet4.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>You may enter a description here for your reference (not parsed).</help>
+    </field>
+</form>
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
new file mode 100644
index 0000000000..6b35707ae1
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -0,0 +1,32 @@
+<form>
+    <field>
+        <id>settings.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will activate the Tailscale service.</help>
+    </field>
+    <field>
+        <id>settings.listenPort</id>
+        <label>Listen Port</label>
+	<type>text</type>
+        <help>UDP port to listen on for Wireguard and peer-to-peer traffic.</help>
+    </field>
+    <field>
+        <id>settings.acceptDNS</id>
+        <label>Accept DNS</label>
+        <type>checkbox</type>
+        <help>Accept DNS configuration from the control server.</help>
+    </field>
+    <field>
+        <id>settings.advertiseExitNode</id>
+        <label>Advertise Exit Node</label>
+        <type>checkbox</type>
+        <help>Offer to be an exit node for outbound internet traffic from the Tailscale network.</help>
+    </field>
+    <field>
+        <id>settings.acceptSubnetRoutes</id>
+        <label>Accept Subnet Routes</label>
+        <type>checkbox</type>
+        <help>Accept subnet routes that other nodes advertise.</help>
+    </field>
+</form>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/ACL/ACL.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/ACL/ACL.xml
new file mode 100644
index 0000000000..d0f6a91381
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-tailscale-config>
+        <name>Tailscale</name>
+        <patterns>
+            <pattern>ui/tailscale/*</pattern>
+            <pattern>api/tailscale/*</pattern>
+        </patterns>
+    </page-tailscale-config>
+</acl>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.php b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.php
new file mode 100644
index 0000000000..eb9ee4d7f9
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.php
@@ -0,0 +1,35 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Sheridan Computers
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale;
+
+use OPNsense\Base\BaseModel;
+
+class Authentication extends BaseModel
+{
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
new file mode 100644
index 0000000000..358995b1aa
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
@@ -0,0 +1,14 @@
+<model>
+    <mount>//OPNsense/tailscale/authentication</mount>
+    <description>Tailscale authentication settings</description>
+    <items>
+        <loginServer type="UrlField">
+            <default>https://controlplane.tailscale.com</default>
+            <Required>Y</Required>
+            <ValidationMessage>Please enter a valid URL</ValidationMessage>
+        </loginServer>
+        <preAuthKey type="TextField">
+            <Required>Y</Required>
+        </preAuthKey>
+    </items>
+</model>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Menu/Menu.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Menu/Menu.xml
new file mode 100644
index 0000000000..b28d1794fe
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Menu/Menu.xml
@@ -0,0 +1,9 @@
+<menu>
+    <VPN>
+      <Tailscale cssClass="fa fa-lock fa-fw">
+        <Authentication order="1" url="/ui/tailscale/authentication"/>
+        <Settings order="2" url="/ui/tailscale/settings"/>
+        <Status order="3" url="/ui/tailscale/status"/>
+      </Tailscale>
+    </VPN>
+</menu>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.php b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.php
new file mode 100644
index 0000000000..791f600e26
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.php
@@ -0,0 +1,35 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Sheridan Computers
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale;
+
+use OPNsense\Base\BaseModel;
+
+class Settings extends BaseModel
+{
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
new file mode 100644
index 0000000000..f232346c87
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -0,0 +1,37 @@
+<model>
+    <mount>//OPNsense/tailscale/settings</mount>
+    <description>Tailscale general settings</description>
+    <items>
+        <enabled type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enabled>
+        <listenPort type="PortField">
+            <default>41641</default>
+            <Required>Y</Required>
+        </listenPort>
+        <acceptDNS type="BooleanField">
+            <default>1</default>
+            <Required>Y</Required>
+        </acceptDNS>
+        <advertiseExitNode type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </advertiseExitNode>
+        <acceptSubnetRoutes type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </acceptSubnetRoutes>
+        <subnets>
+            <subnet4 type="ArrayField">
+                <subnet type="NetworkField">
+                    <NetMaskRequired>Y</NetMaskRequired>
+                    <AddressFamily>ipv4</AddressFamily>
+                    <Strict>Y</Strict>
+                    <Required>Y</Required>
+                </subnet>
+                <description type="DescriptionField"/>
+            </subnet4>
+        </subnets>
+    </items>
+</model>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Status.php b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Status.php
new file mode 100644
index 0000000000..b70a04b95c
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Status.php
@@ -0,0 +1,35 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Sheridan Computers
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Tailscale;
+
+use OPNsense\Base\BaseModel;
+
+class Status extends BaseModel
+{
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Status.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Status.xml
new file mode 100644
index 0000000000..dfc842fce7
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Status.xml
@@ -0,0 +1,6 @@
+<model>
+    <mount>//OPNsense/tailscale/status</mount>
+    <description>Tailscale status settings</description>
+    <items>
+    </items>
+</model>
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/authentication.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/authentication.volt
new file mode 100644
index 0000000000..52cb55b6a6
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/authentication.volt
@@ -0,0 +1,39 @@
+<script type="text/javascript">
+    $( document ).ready(function() {
+        mapDataToFormUI({'frmAuthentication':"/api/tailscale/authentication/get"}).done(function(data) {
+            updateServiceControlUI('tailscale');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/tailscale/authentication/set", 'frmAuthentication', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+                onAction: function(data, status) {
+                updateServiceControlUI('tailscale');
+            }
+        });
+
+    });
+</script>
+<div class="content-box">
+    {{ partial("layout_partials/base_form",['fields':authenticationForm,'id':'frmAuthentication']) }}
+</div>
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <div id="tailscaleChangeMessage" class="alert alert-info" style="display: none" role="alert">
+                {{ lang._('After changing settings, please remember to apply them') }}
+            </div>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/tailscale/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring Tailscale') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
new file mode 100644
index 0000000000..aee1bd69f8
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
@@ -0,0 +1,75 @@
+<script type="text/javascript">
+    $( document ).ready(function() {
+        mapDataToFormUI({'frmSettings':"/api/tailscale/settings/get"}).done(function(data) {
+            updateServiceControlUI('tailscale');
+        });
+
+        $("#grid-subnets").UIBootgrid(
+            {   search:'/api/tailscale/settings/search_subnet',
+                get:'/api/tailscale/settings/get_subnet/',
+                set:'/api/tailscale/settings/set_subnet/',
+                add:'/api/tailscale/settings/add_subnet/',
+                del:'/api/tailscale/settings/del_subnet/'
+            }
+        );
+
+        // link save button to API set action
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/tailscale/settings/set", 'frmSettings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('tailscale');
+            }
+        });
+    });
+</script>
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#settings" id="tab_settings">{{ lang._('Settings') }}</a></li>
+    <li><a data-toggle="tab" href="#subnets" id="tab_subnets"> {{ lang._('Advertised Routes') }} </a></li>
+</ul>
+<div class="tab-content content-box">
+    <div id="settings"  class="tab-pane fade in active">
+        {{ partial("layout_partials/base_form",['fields':settingsForm,'id':'frmSettings'])}}
+    </div>
+    <div id="subnets" class="tab-pane fade in">
+        <table id="grid-subnets" class="table table-condensed table-hover table-striped" data-editDialog="DialogSubnet" data-editAlert="tailscaleChangeMessage">
+            <thead>
+                <tr>
+                  <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                  <th data-column-id="subnet" data-type="string">{{ lang._('Subnet') }}</th>
+                  <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                  <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+                <tr>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-fw fa-plus"></span></button>
+                    </td>
+                </tr>
+            </tfoot>
+        </table>
+    </div>
+</div>
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                data-endpoint='/api/tailscale/service/reconfigure'
+                data-label="{{ lang._('Apply') }}"
+                data-error-title="{{ lang._('Error reconfiguring Tailscale') }}"
+                type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogSubnet,'id':'DialogSubnet','label':lang._('Edit Subnet')])}}
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
new file mode 100644
index 0000000000..b911f13938
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
@@ -0,0 +1,132 @@
+<script>
+    $(document).ready(function() {
+        function nl2br (str, is_xhtml) {
+            if (typeof str === 'undefined' || str === null) {
+                return '';
+            }
+            var breakTag = (is_xhtml || typeof is_xhtml === 'undefined') ? '<br />' : '<br>';
+            return (str + '').replace(/([^>\r\n]?)(\r\n|\n\r|\r|\n)/g, '$1' + breakTag + '$2');
+        }
+
+
+	function updateNetInfo() {
+            ajaxGet(url = "/api/tailscale/status/net/", sendData={},
+                callback = function (data, status) {
+                    if (status == "success") {
+                        if (data.result) {
+                            var html = nl2br(data.result);
+                            html = html.replace(/\t/g, '&nbsp;&nbsp;&nbsp;&nbsp;');
+			    $('#net_info').html(html);
+                        }
+                    } else {
+                        $('#net_info').html('Error');
+                    }
+                }
+            );
+        }
+
+        function updatePeerInfo(peers) {
+            $.each(peers, function(peer, data) {
+                let tailscaleIp = '';
+                if (data.TailscaleIPs !== null && data.TailscaleIPs !== undefined) {
+                    tailscaleIp = data.TailscaleIPs.join(', '); 
+
+                    console.log(tailscaleIp);
+                } 
+
+                let row = '<tr><td>' + data.HostName;
+                row += '</td><td>' + tailscaleIp;
+                row += '</td><td>' + data.LastSeen;
+                row += '</td><td>' + data.OS;
+                row += '</td></tr>';
+
+                $('#peerInfo > tbody').append(row);
+            });
+        }
+
+	
+        function updateStatusInfo() {
+            ajaxGet(url = "/api/tailscale/status/status/", sendData={},
+                callback = function (data, status) {
+                    $('#statusList > tbody').empty();
+                    $('#statusList > thead').hide();
+                    if (status == "success") {
+                        $('#statusList > thead').show();
+
+                        let skipKeys = [
+                            'CertDomains',
+                            'ClientVersion',
+                            'CurrentTailnet', 
+                            'Health',
+                            'Self', 
+                            'User'
+                        ];
+
+                        $.each(data, function (key, value) {
+                            if (skipKeys.includes(key)) {
+                                return true;
+                            }
+
+                            if (key === 'Peer') {
+                                updatePeerInfo(data.Peer);
+                                return true;
+                            }
+
+                            $('#statusList > tbody').append('<tr><td>' + key + '</td>' +
+                            '<td>' + value + '</td></tr>');
+                        });
+                    } else {
+                        $('#statusList > tbody').append('<tr><td colspan=2>Unable to fetch status, is Tailscale running?</td></tr>');
+                    }
+                }
+            );
+        }
+
+
+        updateNetInfo();
+        updateStatusInfo();
+
+    });
+</script>
+
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" id="tab_general" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" id="tab_peers" href="#peers">{{ lang._('Peers') }}</a></li>
+    <li><a data-toggle="tab" id="tab_net_info" href="#net_info">{{ lang._('Net Check') }}</a></li>
+</ul>
+
+<div class="tab-content content-box tab-content">
+    <div id="general" class="tab-pane fade in active">
+        <div id="status_info">
+            <table id="statusList" class="table table-striped table-condensed table-responsive">
+                <thead>
+                    <tr>
+                        <th>{{ lang._('Name') }}</th>
+                        <th>{{ lang._('Value') }}</th>
+                    </tr>
+                </thead>
+                <tbody>
+                </tbody>
+            </table>
+        </div>
+    </div>
+
+    <div id="peers" class="tab-pane fade in">
+        <table id="peerInfo" class="table table-striped table-condensed table-responsive">
+            <thead>
+                <tr>
+                    <th>{{ lang._('Name') }}</th>
+                    <th>{{ lang._('Tailscale IPs') }}</th>
+                    <th>{{ lang._('Last Seen') }}</th>
+                    <th>{{ lang._('OS') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+        </table>
+    </div>
+
+    <div id="net_info" class="tab-pane fade in">
+    </div>
+</div>
diff --git a/security/tailscale/src/opnsense/service/conf/actions.d/actions_tailscale.conf b/security/tailscale/src/opnsense/service/conf/actions.d/actions_tailscale.conf
new file mode 100644
index 0000000000..e5d6e3b3d5
--- /dev/null
+++ b/security/tailscale/src/opnsense/service/conf/actions.d/actions_tailscale.conf
@@ -0,0 +1,47 @@
+[start]
+command:/usr/local/etc/rc.d/tailscaled start
+type: script
+message: starting tailscale service
+
+[stop]
+command:/usr/local/etc/rc.d/tailscaled stop; exit 0
+type: script
+message: stopping tailscale service
+
+[status]
+command:/usr/local/etc/rc.d/tailscaled status; exit 0
+type: script_output
+message: tailscaled status
+
+[restart]
+command:/usr/local/etc/rc.d/tailscaled restart
+type: script
+message: restarting tailscale services
+
+[reload]
+command:/usr/local/etc/rc.d/tailscaled reload
+type: script
+message: reload tailscale configuration
+
+[tailscale-status]
+command:/usr/local/bin/tailscale status --json; exit 0
+type:script_output
+message: request tailscale status
+
+[tailscale-ip]
+command:/usr/local/bin/tailscale ip; exit 0
+type:script_output
+message: request tailscale ip
+
+[tailscale-version]
+command:/usr/local/bin/tailscale version; exit 0
+type:script_output
+message: request tailscale version
+
+[tailscale-netcheck]
+command:/usr/local/bin/tailscale netcheck; exit 0
+type:script_output
+message: request tailscale netcheck
+
+
+
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/+TARGETS b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/+TARGETS
new file mode 100644
index 0000000000..e9380f1c2a
--- /dev/null
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/+TARGETS
@@ -0,0 +1 @@
+rc.conf.d:/etc/rc.conf.d/tailscaled
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
new file mode 100644
index 0000000000..6713fa87ee
--- /dev/null
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -0,0 +1,49 @@
+# DO NOT EDIT
+# THIS FILE IS AUTOMATICALLY GENERATED - ANY CHANGES WILL BE OVERWRITTEN
+#
+{%  if not helpers.empty('OPNsense.tailscale.settings.enabled')  %}
+tailscaled_enable="YES"
+# Uncommenting the below breaks being able to access subnets 
+# see - https://github.com/tailscale/tailscale/issues/5573#issuecomment-1584695981 
+# tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+{%    if helpers.exists('OPNsense.tailscale.settings.listenPort') %}
+tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
+{%    endif %}
+{%    set up_args = [] %}
+{%    if helpers.exists('OPNsense.tailscale.settings.advertiseExitNode') and OPNsense.tailscale.settings.advertiseExitNode|default("0") == "1" %}
+{%      do up_args.append("--advertise-exit-node") %}
+{%    else %}
+{%      do up_args.append("--advertise-exit-node=false") %}
+{%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.settings.acceptSubnetRoutes') and OPNsense.tailscale.settings.acceptSubnetRoutes|default("0") == "1" %}
+{%      do up_args.append("--accept-routes") %}
+{%    else %}
+{%      do up_args.append("--accept-routes=false") %}
+{%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.settings.acceptDNS') and OPNsense.tailscale.settings.acceptDNS|default("0") == "1" %}
+{%      do up_args.append("--accept-dns") %}
+{%    else %}
+{%      do up_args.append("--accept-dns=false") %}
+{%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.authentication.loginServer') %}
+{%      do up_args.append("--login-server=" + OPNsense.tailscale.authentication.loginServer) %}
+{%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.authentication.preAuthKey') %}
+{%      do up_args.append("--auth-key=" + OPNsense.tailscale.authentication.preAuthKey) %}
+{%    endif %}
+{#  loop through subnets to build list #}
+{%    if helpers.exists('OPNsense.tailscale.settings.subnets.subnet4') %}
+{%      set subnets = [] %}
+{%      for subnet_list in helpers.toList('OPNsense.tailscale.settings.subnets.subnet4') %}
+{%        do subnets.append(subnet_list.subnet) %}
+{%      endfor %}
+{%      set subnetString = subnets|join(',') %}
+{%      do up_args.append("--advertise-routes=" + subnetString) %}
+{%    else %}
+{%      do up_args.append("--advertise-routes=") %}
+{%    endif %}
+tailscaled_up_args="{{ up_args|join(' ') }}"
+{%  else %}
+tailscaled_enable=NO
+{%  endif %}
+

From 80ef9889898e0f0800b49d392fbc5b9ec646b629 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 6 Dec 2024 17:14:35 +0100
Subject: [PATCH 2224/3088] security/tailscale: style sweep

---
 LICENSE                                                |  1 +
 README.md                                              |  1 +
 .../tailscale/src/etc/inc/plugins.inc.d/tailscale.inc  |  3 +--
 .../Tailscale/Api/AuthenticationController.php         |  1 -
 .../OPNsense/Tailscale/Api/ServiceController.php       |  1 -
 .../OPNsense/Tailscale/Api/SettingsController.php      |  4 ++--
 .../OPNsense/Tailscale/Api/StatusController.php        |  9 +++++----
 .../mvc/app/views/OPNsense/Tailscale/status.volt       | 10 +++++-----
 .../service/conf/actions.d/actions_tailscale.conf      |  3 ---
 .../service/templates/OPNsense/Tailscale/rc.conf.d     |  5 ++---
 10 files changed, 17 insertions(+), 21 deletions(-)

diff --git a/LICENSE b/LICENSE
index e7427a06be..10f2a52409 100644
--- a/LICENSE
+++ b/LICENSE
@@ -63,6 +63,7 @@ Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2023 sattamjh
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
+Copyright (c) 2024 Sheridan Computers
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2019 Smart-Soft
 Copyright (c) 2013 Stanley P. Miller \ stan-qaz
diff --git a/README.md b/README.md
index 3da5813b91..fa75e2618d 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,7 @@ security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
 security/stunnel -- Stunnel TLS proxy
+security/tailscale -- Tailscale makes creating software-defined networks easy (development only)
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
diff --git a/security/tailscale/src/etc/inc/plugins.inc.d/tailscale.inc b/security/tailscale/src/etc/inc/plugins.inc.d/tailscale.inc
index dc1bf6b0b1..a6d62352df 100644
--- a/security/tailscale/src/etc/inc/plugins.inc.d/tailscale.inc
+++ b/security/tailscale/src/etc/inc/plugins.inc.d/tailscale.inc
@@ -48,7 +48,7 @@ function tailscale_services()
             'stop' => ['tailscale stop'],
         ],
         'name' => 'tailscale',
-    ]; 
+    ];
 
     return $services;
 }
@@ -62,4 +62,3 @@ function tailscale_devices()
         'volatile' => true,
     ]];
 }
-
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/AuthenticationController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/AuthenticationController.php
index 0161b75b61..272d4d4700 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/AuthenticationController.php
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/AuthenticationController.php
@@ -36,4 +36,3 @@ class AuthenticationController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'authentication';
     protected static $internalModelClass = '\OPNsense\Tailscale\Authentication';
 }
-
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/ServiceController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/ServiceController.php
index eece38360d..464100425c 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/ServiceController.php
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/ServiceController.php
@@ -42,4 +42,3 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/Tailscale';
     protected static $internalServiceName = 'tailscale';
 }
-
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/SettingsController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/SettingsController.php
index 49f3b50b4a..20954fbe93 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/SettingsController.php
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/SettingsController.php
@@ -62,8 +62,8 @@ public function delSubnetAction($uuid)
     public function reloadAction()
     {
         $mdl = $this->getModel();
-	    $enabled = $mdl->enabled->__toString() === '1';
-   	    $response = $this->toggleTailScaleService($enabled);
+        $enabled = $mdl->enabled->__toString() === '1';
+        $response = $this->toggleTailScaleService($enabled);
         return ['result ' => $response];
     }
 
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/StatusController.php b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/StatusController.php
index f3688ac9cc..9a40a1154e 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/StatusController.php
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/Api/StatusController.php
@@ -42,22 +42,23 @@ public function statusAction()
         if ($response !== null) {
             return $response;
         }
-    	return ['error' => 'Unable to determine Tailscale status, is the service running?'];
+        return ['error' => 'Unable to determine Tailscale status, is the service running?'];
     }
 
     public function ipAction()
     {
         $response = trim((new Backend())->configdRun('tailscale tailscale-ip'));
-    	return ['result' => $response];
+        return ['result' => $response];
     }
 
     public function netAction()
     {
         $response = trim((new Backend())->configdRun('tailscale tailscale-netcheck'));
-    	return ['result' => $response];
+        return ['result' => $response];
     }
 
-    private function isJson($string) {
+    private function isJson($string)
+    {
         return is_string($string)
             && (is_object(json_decode($string))
             || is_array(json_decode($string)));
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
index b911f13938..b93d968448 100644
--- a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
@@ -29,10 +29,10 @@
             $.each(peers, function(peer, data) {
                 let tailscaleIp = '';
                 if (data.TailscaleIPs !== null && data.TailscaleIPs !== undefined) {
-                    tailscaleIp = data.TailscaleIPs.join(', '); 
+                    tailscaleIp = data.TailscaleIPs.join(', ');
 
                     console.log(tailscaleIp);
-                } 
+                }
 
                 let row = '<tr><td>' + data.HostName;
                 row += '</td><td>' + tailscaleIp;
@@ -44,7 +44,7 @@
             });
         }
 
-	
+
         function updateStatusInfo() {
             ajaxGet(url = "/api/tailscale/status/status/", sendData={},
                 callback = function (data, status) {
@@ -56,9 +56,9 @@
                         let skipKeys = [
                             'CertDomains',
                             'ClientVersion',
-                            'CurrentTailnet', 
+                            'CurrentTailnet',
                             'Health',
-                            'Self', 
+                            'Self',
                             'User'
                         ];
 
diff --git a/security/tailscale/src/opnsense/service/conf/actions.d/actions_tailscale.conf b/security/tailscale/src/opnsense/service/conf/actions.d/actions_tailscale.conf
index e5d6e3b3d5..023ddf0fe6 100644
--- a/security/tailscale/src/opnsense/service/conf/actions.d/actions_tailscale.conf
+++ b/security/tailscale/src/opnsense/service/conf/actions.d/actions_tailscale.conf
@@ -42,6 +42,3 @@ message: request tailscale version
 command:/usr/local/bin/tailscale netcheck; exit 0
 type:script_output
 message: request tailscale netcheck
-
-
-
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 6713fa87ee..704c9bbc81 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -3,8 +3,8 @@
 #
 {%  if not helpers.empty('OPNsense.tailscale.settings.enabled')  %}
 tailscaled_enable="YES"
-# Uncommenting the below breaks being able to access subnets 
-# see - https://github.com/tailscale/tailscale/issues/5573#issuecomment-1584695981 
+# Uncommenting the below breaks being able to access subnets
+# see - https://github.com/tailscale/tailscale/issues/5573#issuecomment-1584695981
 # tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
 {%    if helpers.exists('OPNsense.tailscale.settings.listenPort') %}
 tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
@@ -46,4 +46,3 @@ tailscaled_up_args="{{ up_args|join(' ') }}"
 {%  else %}
 tailscaled_enable=NO
 {%  endif %}
-

From 65cbc820537298e46141b4fefe92830a920f8bc7 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 6 Dec 2024 17:28:15 +0100
Subject: [PATCH 2225/3088] net/mdns-repeater: Modernize plugin code; Add
 blocklist support (contributed by Kodehyrden) (#4375)

* net/mdns-repeater: Modernize plugin code; Add blacklist support (contributed by Kodehyrden)

* net/mdns-repeater: bump version

* net/mdns-repeater: fix indentation of model and form

* Update net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* Update net/mdns-repeater/src/opnsense/mvc/app/views/OPNsense/MDNSRepeater/index.volt

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* Update net/mdns-repeater/pkg-descr

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* net/mdnsrepeater: Change blacklist to blocklist

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 net/mdns-repeater/Makefile                    |   3 +-
 net/mdns-repeater/pkg-descr                   |   5 +
 .../etc/inc/plugins.inc.d/mdnsrepeater.inc    | 102 ++++++++--------
 .../MDNSRepeater/Api/ServiceController.php    |  53 ++------
 .../OPNsense/MDNSRepeater/forms/general.xml   |  48 +++++---
 .../OPNsense/MDNSRepeater/MDNSRepeater.xml    |  44 ++++---
 .../views/OPNsense/MDNSRepeater/index.volt    | 114 ++++++++++--------
 .../conf/actions.d/actions_mdnsrepeater.conf  |   5 -
 .../OPNsense/MDNSRepeater/mdnsrepeater        |   8 +-
 9 files changed, 191 insertions(+), 191 deletions(-)

diff --git a/net/mdns-repeater/Makefile b/net/mdns-repeater/Makefile
index 8fc5683f4a..35f45dfb85 100644
--- a/net/mdns-repeater/Makefile
+++ b/net/mdns-repeater/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		mdns-repeater
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Proxy multicast DNS between networks
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 PLUGIN_DEPENDS=		mdns-repeater
diff --git a/net/mdns-repeater/pkg-descr b/net/mdns-repeater/pkg-descr
index a5ed7facd2..c67d64e00a 100644
--- a/net/mdns-repeater/pkg-descr
+++ b/net/mdns-repeater/pkg-descr
@@ -7,6 +7,11 @@ It can be used to bridge zeroconf devices to work properly across the two subnet
 Plugin Changelog
 ================
 
+1.2
+
+* modernize plugin code
+* blocklist support (contributed by Kodehyrden)
+
 1.1
 
 * CARP support (contributed by Markus Reiter)
diff --git a/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc b/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
index 6990e232fb..9d51f61d97 100644
--- a/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
+++ b/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
@@ -1,63 +1,65 @@
 <?php
 
 /*
-    Copyright (C) 2017 Fabian Franz
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-function mdnsrepeater_enabled()
-{
-    $model = new \OPNsense\MDNSRepeater\MDNSRepeater();
-    return (string)$model->enabled == '1';
-}
+ * Copyright (c) 2017 Fabian Franz
+ * Copyright (c) 2024 Cedrik Pischem
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS`` AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
-function mdnsrepeater_firewall($fw)
+function mdnsrepeater_services()
 {
-    if (!mdnsrepeater_enabled()) {
-        return;
+    global $config;
+
+    $services = [];
+
+    if (isset($config['OPNsense']['MDNSRepeater']['enabled']) &&
+        $config['OPNsense']['MDNSRepeater']['enabled'] == '1') {
+        $services[] = [
+            'description' => gettext('mDNS Repeater'),
+            'configd' => [
+                'start' => ['mdnsrepeater start'],
+                'restart' => ['mdnsrepeater restart'],
+                'stop' => ['mdnsrepeater stop'],
+            ],
+            'name' => 'mdns-repeater',
+            'pidfile' => '/var/run/mdns-repeater.pid',
+        ];
     }
+
+    return $services;
 }
 
-function mdnsrepeater_services()
+function mdnsrepeater_xmlrpc_sync()
 {
-    $services = array();
+    $result = [];
 
-    // don't load the service if it is not enabled
-    // maybe there are no settings yet
-    if (!mdnsrepeater_enabled()) {
-        return $services;
-    }
-
-    $services[] = array(
+    $result[] = [
         'description' => gettext('mDNS Repeater'),
-        'configd' => array(
-            'restart' => array('mdnsrepeater restart'),
-            'start' => array('mdnsrepeater start'),
-            'stop' => array('mdnsrepeater stop'),
-        ),
-        'name' => 'mdns-repeater',
-    );
+        'section' => 'OPNsense.MDNSRepeater',
+        'id' => 'mdns-repeater',
+        'services' => ['mdns-repeater'],
+    ];
 
-    return $services;
+    return $result;
 }
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/Api/ServiceController.php b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/Api/ServiceController.php
index 1d5637292f..f109dd8a32 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/Api/ServiceController.php
+++ b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/Api/ServiceController.php
@@ -2,6 +2,7 @@
 
 /**
  *    Copyright (C) 2017 Fabian Franz
+ *    Copyright (C) 2024 Cedrik Pischem
  *    All rights reserved.
  *
  *    Redistribution and use in source and binary forms, with or without
@@ -28,52 +29,12 @@
 
 namespace OPNsense\MDNSRepeater\Api;
 
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\MDNSRepeater\MDNSRepeater;
+use OPNsense\Base\ApiMutableServiceControllerBase;
 
-class ServiceController extends ApiControllerBase
+class ServiceController extends ApiMutableServiceControllerBase
 {
-    public function statusAction()
-    {
-        $backend = new Backend();
-        $result = array('result' => 'failed');
-        $res = $backend->configdRun('mdnsrepeater status');
-        if (stripos($res, 'is running')) {
-            $result['result'] = 'running';
-        } elseif (stripos($res, 'not running')) {
-            $general = new MDNSRepeater();
-            if ((string)$general->enabled == '1') {
-                $result['result'] = 'stopped';
-            } else {
-                $result['result'] = 'disabled';
-            }
-        } else {
-            $result['message'] = $res;
-        }
-        return $result;
-    }
-
-    public function startAction()
-    {
-        $backend = new Backend();
-        $result = array('result' => 'failed');
-        $backend->configdRun('template reload OPNsense/MDNSRepeater');
-        $result['result'] = $backend->configdRun('mdnsrepeater start');
-        return $result;
-    }
-
-    public function stopAction()
-    {
-        $backend = new Backend();
-        $result = array("result" => "failed");
-        $result['result'] = $backend->configdRun('mdnsrepeater stop');
-        return $result;
-    }
-
-    public function restartAction()
-    {
-        $this->stopAction();
-        return $this->startAction();
-    }
+    protected static $internalServiceClass = '\OPNsense\MDNSRepeater\MDNSRepeater';
+    protected static $internalServiceTemplate = 'OPNsense/MDNSRepeater';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'mdnsrepeater';
 }
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
index 7a565757fe..4f6ba145ba 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
+++ b/net/mdns-repeater/src/opnsense/mvc/app/controllers/OPNsense/MDNSRepeater/forms/general.xml
@@ -1,20 +1,32 @@
 <form>
-  <field>
-    <id>mdnsrepeater.enabled</id>
-    <label>Enable</label>
-    <type>checkbox</type>
-    <help>Enable the repeater.</help>
-  </field>
-  <field>
-    <id>mdnsrepeater.enablecarp</id>
-    <label>Enable CARP Failover</label>
-    <type>checkbox</type>
-    <help>This will activate the repeater service only on the master device.</help>
-  </field>
-  <field>
-    <id>mdnsrepeater.interfaces</id>
-    <label>Listen Interfaces</label>
-    <type>select_multiple</type>
-    <help>At least 2 interfaces must be selected. The maximum number of supported interfaces by the daemon is 5.</help>
-  </field>
+    <field>
+        <type>header</type>
+        <label>General Settings</label>
+    </field>
+    <field>
+        <id>mdnsrepeater.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable the repeater.</help>
+    </field>
+    <field>
+        <id>mdnsrepeater.enablecarp</id>
+        <label>Enable CARP Failover</label>
+        <type>checkbox</type>
+        <help>This will activate the repeater service only on the master device.</help>
+    </field>
+    <field>
+        <id>mdnsrepeater.interfaces</id>
+        <label>Listen Interfaces</label>
+        <type>select_multiple</type>
+        <help>At least 2 interfaces must be selected. The maximum number of supported interfaces by the daemon is 5.</help>
+    </field>
+    <field>
+        <id>mdnsrepeater.blocklist</id>
+        <label>Blocklist</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>Enter up to 16 client IPv4 addresses including subnet or networks to be exluded.</help>
+    </field>
 </form>
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
index 85015e3d67..e5e868d550 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
+++ b/net/mdns-repeater/src/opnsense/mvc/app/models/OPNsense/MDNSRepeater/MDNSRepeater.xml
@@ -1,20 +1,28 @@
 <model>
-  <mount>//OPNsense/MDNSRepeater</mount>
-  <version>1.0.1</version>
-  <description>mdns-repeater settings</description>
-  <items>
-    <enabled type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </enabled>
-    <enablecarp type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </enablecarp>
-    <interfaces type="InterfaceField">
-      <Default>lan</Default>
-      <Required>Y</Required>
-      <Multiple>Y</Multiple>
-    </interfaces>
-  </items>
+    <mount>//OPNsense/MDNSRepeater</mount>
+    <version>1.0.1</version>
+    <description>mdns-repeater settings</description>
+    <items>
+        <enabled type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </enabled>
+        <enablecarp type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </enablecarp>
+        <interfaces type="InterfaceField">
+            <Default>lan</Default>
+            <Required>Y</Required>
+            <Multiple>Y</Multiple>
+        </interfaces>
+        <blocklist type="NetworkField">
+            <NetMaskRequired>Y</NetMaskRequired>
+            <AddressFamily>ipv4</AddressFamily>
+            <FieldSeparator>,</FieldSeparator>
+            <WildcardEnabled>N</WildcardEnabled>
+            <AsList>Y</AsList>
+            <ValidationMessage>Only valid IPv4 networks or individual addresses including subnet are allowed.</ValidationMessage>
+        </blocklist>
+    </items>
 </model>
diff --git a/net/mdns-repeater/src/opnsense/mvc/app/views/OPNsense/MDNSRepeater/index.volt b/net/mdns-repeater/src/opnsense/mvc/app/views/OPNsense/MDNSRepeater/index.volt
index 014decb92c..639ff6f3b9 100644
--- a/net/mdns-repeater/src/opnsense/mvc/app/views/OPNsense/MDNSRepeater/index.volt
+++ b/net/mdns-repeater/src/opnsense/mvc/app/views/OPNsense/MDNSRepeater/index.volt
@@ -1,63 +1,75 @@
 {#
-
-Copyright © 2017 Fabian Franz
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ # Copyright (c) 2017 Fabian Franz
+ # Copyright (c) 2024 Cedrik Pischem
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <script>
-
-$( document ).ready(function() {
-    var data_get_map = {'general': '/api/mdnsrepeater/settings/get'};
-    mapDataToFormUI(data_get_map).done(function(data){
+$(document).ready(function() {
+    mapDataToFormUI({'frm_GeneralSettings': "/api/mdnsrepeater/settings/get"}).done(function() {
         formatTokenizersUI();
-        $('select').selectpicker('refresh');
-    });
-    ajaxCall(url="/api/mdnsrepeater/service/status", sendData={}, callback=function(data,status) {
-        updateServiceStatusUI(data['result']);
+        $('.selectpicker').selectpicker('refresh');
+        updateServiceControlUI('mdnsrepeater');
     });
 
-    // link save button to API set action
-    $("#saveAct").click(function(){
-        saveFormToEndpoint(url="/api/mdnsrepeater/settings/set", formid='general',callback_ok=function(){
-            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/mdnsrepeater/service/restart", sendData={}, callback=function(data,status) {
-                ajaxCall(url="/api/mdnsrepeater/service/status", sendData={}, callback=function(data,status) {
-                    updateServiceStatusUI(data['result']);
+    $("#reconfigureAct").SimpleActionButton({
+        onPreAction: function() {
+            const dfObj = $.Deferred();
+            saveFormToEndpoint("/api/mdnsrepeater/settings/set", 'frm_GeneralSettings', dfObj.resolve, true, dfObj.reject);
+            return dfObj;
+        },
+        onAction: function(data, status) {
+            if (status === "success" && data.status === 'ok') {
+                ajaxCall("/api/mdnsrepeater/service/reconfigure", {}, function(reconfigData, reconfigStatus) {
+                    if (reconfigStatus === "success" && reconfigData.status === 'ok') {
+                        updateServiceControlUI('mdnsrepeater');
+                    }
                 });
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
+            }
+        }
     });
-});
 
+    // Initialize service control UI
+    updateServiceControlUI('mdnsrepeater');
+});
 </script>
 
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields': general,'id':'general'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+<section class="page-content-main">
+    <div class="content-box">
+        {{ partial("layout_partials/base_form", ['fields': general, 'id': 'frm_GeneralSettings']) }}
+    </div>
+    <br/>
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint="/api/mdnsrepeater/service/reconfigure"
+                    data-label="{{ lang._('Apply') }}"
+                    type="button">
+                {{ lang._('Apply') }}
+            </button>
+            <br/><br/>
+        </div>
     </div>
-</div>
+</section>
diff --git a/net/mdns-repeater/src/opnsense/service/conf/actions.d/actions_mdnsrepeater.conf b/net/mdns-repeater/src/opnsense/service/conf/actions.d/actions_mdnsrepeater.conf
index 16ef2c5c5f..6372ffde18 100644
--- a/net/mdns-repeater/src/opnsense/service/conf/actions.d/actions_mdnsrepeater.conf
+++ b/net/mdns-repeater/src/opnsense/service/conf/actions.d/actions_mdnsrepeater.conf
@@ -17,8 +17,3 @@ message:mdns-repeater status
 command:service mdns-repeater restart
 type:script
 message:restarting mdns-repeater
-
-[reload]
-command:service mdns-repeater reload
-type:script
-message:reload mdns-repeater
diff --git a/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater b/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater
index 7ca779ca55..7d397003e1 100644
--- a/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater
+++ b/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater
@@ -9,7 +9,13 @@ required_files="/var/run/mdns-repeater.CARP_MASTER"
 {% for i in osifnames %}
 {% do interface_list.append(physical_interface(i)) %}
 {% endfor %}
-mdns_repeater_interfaces="{{ interface_list | join(' ') }}"
+{% set repeater_interfaces = interface_list | join(' ') %}
+{% if helpers.exists('OPNsense.MDNSRepeater.blocklist') and OPNsense.MDNSRepeater.blocklist != '' %}
+{% set blocklist_and_repeater_interfaces = "-b " + OPNsense.MDNSRepeater.blocklist.split(',') | join(' -b ') + " " + repeater_interfaces %}
+mdns_repeater_interfaces="{{ blocklist_and_repeater_interfaces }}"
+{% else %}
+mdns_repeater_interfaces="{{ repeater_interfaces }}"
+{% endif %}
 {% else %}
 mdns_repeater_enable="NO"
 {% endif %}

From f2a59dad2f90d5aa5e89762e39f680a725ab6f3f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 6 Dec 2024 17:31:26 +0100
Subject: [PATCH 2226/3088] sysutils/nut: scrub

---
 .../nut/src/opnsense/www/js/widgets/Metadata/Nut.xml     | 4 +---
 sysutils/nut/src/opnsense/www/js/widgets/Nut.js          | 9 +++------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml b/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
index a3ebebf193..5d74878983 100644
--- a/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
+++ b/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
@@ -2,9 +2,7 @@
     <nut>
         <filename>Nut.js</filename>
         <endpoints>
-            <endpoint>/api/nut/service/status</endpoint>
-            <endpoint>/api/nut/settings/get</endpoint>
-            <endpoint>/api/nut/diagnostics/upsstatus</endpoint>
+            <endpoint>/api/nut/*</endpoint>
         </endpoints>
         <translations>
             <title>NUT</title>
diff --git a/sysutils/nut/src/opnsense/www/js/widgets/Nut.js b/sysutils/nut/src/opnsense/www/js/widgets/Nut.js
index 53de7a14b7..6ede278cec 100644
--- a/sysutils/nut/src/opnsense/www/js/widgets/Nut.js
+++ b/sysutils/nut/src/opnsense/www/js/widgets/Nut.js
@@ -25,9 +25,6 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-
-import BaseTableWidget from 'widget-base-table';
-
 export default class NutNetclient extends BaseTableWidget {
     constructor() {
         super();
@@ -54,7 +51,7 @@ export default class NutNetclient extends BaseTableWidget {
     // Periodically called to update the widget's data and UI.
     async onWidgetTick() {
         // Fetch the NUT service status from the server.
-        const nut_service_status = await this.ajaxCall('/api/nut/service/status');
+        const nut_service_status = await this.ajaxCall(`/api/nut/${'service/status'}`);
 
         // If the service is not running, display a message and stop further processing.
         if (!nut_service_status || nut_service_status.status !== 'running') {
@@ -63,7 +60,7 @@ export default class NutNetclient extends BaseTableWidget {
         }
 
         // Fetch the NUT settings from the server.
-        const nut_settings = await this.ajaxCall('/api/nut/settings/get');
+        const nut_settings = await this.ajaxCall(`/api/nut/${'settings/get'}`);
 
         // // If netclient is not enabled, display a message and stop further processing.
         // if (nut_settings.nut?.netclient?.enable !== "1") {
@@ -72,7 +69,7 @@ export default class NutNetclient extends BaseTableWidget {
         // }
 
         // Fetch the UPS status data from the server.
-        const { response: nut_ups_status_response } = await this.ajaxCall('/api/nut/diagnostics/upsstatus');
+        const { response: nut_ups_status_response } = await this.ajaxCall(`/api/nut/${'diagnostics/upsstatus'}`);
 
         // Parse the UPS status data into a key-value object.
         const nut_ups_status = nut_ups_status_response.split('\n').reduce((acc, line) => {

From fc230cc9274918c17671b982cd5e47a4bbb358ce Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 6 Dec 2024 17:50:14 +0100
Subject: [PATCH 2227/3088] sysutils/nut: do not crash on this edge case, all I
 can test

---
 sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml | 1 +
 sysutils/nut/src/opnsense/www/js/widgets/Nut.js           | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml b/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
index 5d74878983..72d6988cf8 100644
--- a/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
+++ b/sysutils/nut/src/opnsense/www/js/widgets/Metadata/Nut.xml
@@ -31,6 +31,7 @@
             <status_boost>UPS is boosting voltage</status_boost>
             <status_fsd>Forced Shutdown</status_fsd>
             <unconfigured>Nut is not started. Click to configure Nut.</unconfigured>
+            <misconfigured>Nut is not returning a status. Click to reconfigure Nut.</misconfigured>
             <netclient_unconfigured>This widget only works with the Netclient driver. Click to configure the Netclient driver.</netclient_unconfigured>
             <netclient_remote_server>Remote NUT Server</netclient_remote_server>
             <time_hours>h</time_hours>
diff --git a/sysutils/nut/src/opnsense/www/js/widgets/Nut.js b/sysutils/nut/src/opnsense/www/js/widgets/Nut.js
index 6ede278cec..6d65644b33 100644
--- a/sysutils/nut/src/opnsense/www/js/widgets/Nut.js
+++ b/sysutils/nut/src/opnsense/www/js/widgets/Nut.js
@@ -71,6 +71,11 @@ export default class NutNetclient extends BaseTableWidget {
         // Fetch the UPS status data from the server.
         const { response: nut_ups_status_response } = await this.ajaxCall(`/api/nut/${'diagnostics/upsstatus'}`);
 
+        if (!nut_ups_status_response) {
+            $('#nut-table').html(`<a href="/ui/nut/index">${this.translations.misconfigured}</a>`);
+            return;
+        }
+
         // Parse the UPS status data into a key-value object.
         const nut_ups_status = nut_ups_status_response.split('\n').reduce((acc, line) => {
             const [key, value] = line.split(': ');

From 0e4e0f58511b0ee5eec2c414ac74c5bfa6465ead Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 6 Dec 2024 17:50:34 +0100
Subject: [PATCH 2228/3088] net/mdns-releater: scrub

---
 .../src/etc/inc/plugins.inc.d/mdnsrepeater.inc              | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc b/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
index 9d51f61d97..1ab4f9fe63 100644
--- a/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
+++ b/net/mdns-repeater/src/etc/inc/plugins.inc.d/mdnsrepeater.inc
@@ -33,8 +33,10 @@ function mdnsrepeater_services()
 
     $services = [];
 
-    if (isset($config['OPNsense']['MDNSRepeater']['enabled']) &&
-        $config['OPNsense']['MDNSRepeater']['enabled'] == '1') {
+    if (
+        isset($config['OPNsense']['MDNSRepeater']['enabled']) &&
+        $config['OPNsense']['MDNSRepeater']['enabled'] == '1'
+    ) {
         $services[] = [
             'description' => gettext('mDNS Repeater'),
             'configd' => [

From 33466e18894c07ebffb3212f58d2d3e86e5e1550 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Dec 2024 14:01:34 +0100
Subject: [PATCH 2229/3088] sysutils/nut: easier version number

---
 sysutils/nut/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/nut/Makefile b/sysutils/nut/Makefile
index 6a95cd0cf3..4d749383bf 100644
--- a/sysutils/nut/Makefile
+++ b/sysutils/nut/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nut
-PLUGIN_VERSION=		1.9.0
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		Network UPS Tools
 PLUGIN_DEPENDS=		nut
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From bb2ec32b0efc7693124717aef5770e02a69d42c7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Dec 2024 08:18:10 +0100
Subject: [PATCH 2230/3088] www/caddy: remove sessionClose()

---
 .../Caddy/Api/ReverseProxyController.php      | 44 +++++++++----------
 1 file changed, 21 insertions(+), 23 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 0e46c0504a..742fb4e177 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -1,31 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2023-2024 Cedrik Pischem
- *    Copyright (C) 2015 Deciso B.V.
+/*
+ * Copyright (C) 2023-2024 Cedrik Pischem
+ * Copyright (C) 2015 Deciso B.V.
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Caddy\Api;
@@ -45,7 +44,6 @@ class ReverseProxyController extends ApiMutableModelControllerBase
      */
     public function getAllReverseDomainsAction()
     {
-        $this->sessionClose(); // Close session early for performance
         $result = array("rows" => array());
 
         $mdlCaddy = new \OPNsense\Caddy\Caddy();

From a6d1d54f4f963691e356600ce8ae5e7483e3b47f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Dec 2024 08:24:29 +0100
Subject: [PATCH 2231/3088] dns/bind: remove sessionClose, some cleanups

---
 dns/bind/Makefile                             |  1 +
 .../OPNsense/Bind/Api/AclController.php       | 50 ++++++++++---------
 .../OPNsense/Bind/Api/DomainController.php    |  1 -
 .../OPNsense/Bind/Api/RecordController.php    | 45 ++++++++---------
 .../OPNsense/Bind/Api/ServiceController.php   |  5 +-
 5 files changed, 50 insertions(+), 52 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 03621be6e4..b2d897b0f9 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.33
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind920
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/AclController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/AclController.php
index e092f1f5ba..b7a213ef0e 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/AclController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/AclController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Bind\Api;
@@ -39,25 +37,29 @@ class AclController extends ApiMutableModelControllerBase
 
     public function searchAclAction()
     {
-        return $this->searchBase('acls.acl', array("enabled", "name", "networks"));
+        return $this->searchBase('acls.acl', ['enabled', 'name', 'networks']);
     }
+
     public function getAclAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('acl', 'acls.acl', $uuid);
     }
+
     public function addAclAction()
     {
         return $this->addBase('acl', 'acls.acl');
     }
+
     public function delAclAction($uuid)
     {
         return $this->delBase('acls.acl', $uuid);
     }
+
     public function setAclAction($uuid)
     {
         return $this->setBase('acl', 'acls.acl', $uuid);
     }
+
     public function toggleAclAction($uuid)
     {
         return $this->toggleBase('acls.acl', $uuid);
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
index d91945f839..841588c02e 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
@@ -75,7 +75,6 @@ function ($record) {
 
     public function getDomainAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('domain', 'domains.domain', $uuid);
     }
 
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/RecordController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/RecordController.php
index 49cac764ea..67dc5e30fb 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/RecordController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/RecordController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
- *    Copyright (C) 2019 Deciso B.V.
+/*
+ * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ * Copyright (C) 2019 Deciso B.V.
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Bind\Api;
@@ -77,7 +75,6 @@ public function searchRecordAction()
 
     public function getRecordAction($uuid = null)
     {
-        $this->sessionClose();
         $domain = $this->request->get('domain');
         $result = $this->getBase('record', 'records.record', $uuid);
         if ($uuid == null && !empty($result['record']['domain'])) {
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/ServiceController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/ServiceController.php
index a612a11216..8c4935bd0a 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/ServiceController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/ServiceController.php
@@ -48,10 +48,9 @@ class ServiceController extends ApiMutableServiceControllerBase
 
     public function dnsblAction()
     {
-        $this->sessionClose();
         $mdl = new Dnsbl();
         $backend = new Backend();
-        $response = $backend->configdpRun('bind dnsbl', array((string)$mdl->type));
-        return array("response" => $response);
+        $response = $backend->configdpRun('bind dnsbl', [(string)$mdl->type]);
+        return ['response' => $response];
     }
 }

From 751ac7fd5f4c8737895c659cddf1e415336b7d09 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Dec 2024 08:33:58 +0100
Subject: [PATCH 2232/3088] dns/dnscrypt-proxy: remove sessionClose(), some
 style

---
 dns/dnscrypt-proxy/Makefile                   |  2 +-
 .../Dnscryptproxy/Api/CloakController.php     | 50 ++++++++++---------
 .../Dnscryptproxy/Api/ForwardController.php   | 50 ++++++++++---------
 .../Dnscryptproxy/Api/ServerController.php    |  8 ++-
 .../Dnscryptproxy/Api/ServiceController.php   | 47 ++++++++---------
 .../Dnscryptproxy/Api/WhitelistController.php | 50 ++++++++++---------
 6 files changed, 107 insertions(+), 100 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index c7e6f14d8c..2f982bea54 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.15
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/CloakController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/CloakController.php
index 98fc77a5b5..efc47624ea 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/CloakController.php
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/CloakController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Dnscryptproxy\Api;
@@ -40,25 +38,29 @@ class CloakController extends ApiMutableModelControllerBase
 
     public function searchCloakAction()
     {
-        return $this->searchBase('cloaks.cloak', array("enabled", "name", "destination"));
+        return $this->searchBase('cloaks.cloak', ['enabled', 'name', 'destination']);
     }
+
     public function getCloakAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('cloak', 'cloaks.cloak', $uuid);
     }
+
     public function addCloakAction()
     {
         return $this->addBase('cloak', 'cloaks.cloak');
     }
+
     public function delCloakAction($uuid)
     {
         return $this->delBase('cloaks.cloak', $uuid);
     }
+
     public function setCloakAction($uuid)
     {
         return $this->setBase('cloak', 'cloaks.cloak', $uuid);
     }
+
     public function toggleCloakAction($uuid)
     {
         return $this->toggleBase('cloaks.cloak', $uuid);
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ForwardController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ForwardController.php
index cff952a76b..2d2c6dd16d 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ForwardController.php
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ForwardController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Dnscryptproxy\Api;
@@ -40,25 +38,29 @@ class ForwardController extends ApiMutableModelControllerBase
 
     public function searchForwardAction()
     {
-        return $this->searchBase('forwards.forward', array("enabled", "domain", "dnsserver"));
+        return $this->searchBase('forwards.forward', ['enabled', 'domain', 'dnsserver']);
     }
+
     public function getForwardAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('forward', 'forwards.forward', $uuid);
     }
+
     public function addForwardAction()
     {
         return $this->addBase('forward', 'forwards.forward');
     }
+
     public function delForwardAction($uuid)
     {
         return $this->delBase('forwards.forward', $uuid);
     }
+
     public function setForwardAction($uuid)
     {
         return $this->setBase('forward', 'forwards.forward', $uuid);
     }
+
     public function toggleForwardAction($uuid)
     {
         return $this->toggleBase('forwards.forward', $uuid);
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServerController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServerController.php
index 778d31a421..58d27fa2aa 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServerController.php
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServerController.php
@@ -38,25 +38,29 @@ class ServerController extends ApiMutableModelControllerBase
 
     public function searchServerAction()
     {
-        return $this->searchBase('servers.server', array("enabled", "name", "stamp"));
+        return $this->searchBase('servers.server', ['enabled', 'name', 'stamp']);
     }
+
     public function getServerAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('server', 'servers.server', $uuid);
     }
+
     public function addServerAction()
     {
         return $this->addBase('server', 'servers.server');
     }
+
     public function delServerAction($uuid)
     {
         return $this->delBase('servers.server', $uuid);
     }
+
     public function setServerAction($uuid)
     {
         return $this->setBase('server', 'servers.server', $uuid);
     }
+
     public function toggleServerAction($uuid)
     {
         return $this->toggleBase('servers.server', $uuid);
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServiceController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServiceController.php
index 8a00c2b4ac..835b974c5b 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServiceController.php
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/ServiceController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Dnscryptproxy\Api;
@@ -48,10 +46,9 @@ class ServiceController extends ApiMutableServiceControllerBase
 
     public function dnsblAction()
     {
-        $this->sessionClose();
         $mdl = new Dnsbl();
         $backend = new Backend();
-        $response = $backend->configdpRun('dnscryptproxy dnsbl', array((string)$mdl->type));
-        return array("response" => $response);
+        $response = $backend->configdpRun('dnscryptproxy dnsbl', [(string)$mdl->type]);
+        return ['response' => $response];
     }
 }
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/WhitelistController.php b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/WhitelistController.php
index 31b298fdc7..fbb05c043c 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/WhitelistController.php
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/Api/WhitelistController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Dnscryptproxy\Api;
@@ -40,25 +38,29 @@ class WhitelistController extends ApiMutableModelControllerBase
 
     public function searchWhitelistAction()
     {
-        return $this->searchBase('whitelists.whitelist', array("enabled", "name", "description"));
+        return $this->searchBase('whitelists.whitelist', ['enabled', 'name', 'description']);
     }
+
     public function getWhitelistAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('whitelist', 'whitelists.whitelist', $uuid);
     }
+
     public function addWhitelistAction()
     {
         return $this->addBase('whitelist', 'whitelists.whitelist');
     }
+
     public function delWhitelistAction($uuid)
     {
         return $this->delBase('whitelists.whitelist', $uuid);
     }
+
     public function setWhitelistAction($uuid)
     {
         return $this->setBase('whitelist', 'whitelists.whitelist', $uuid);
     }
+
     public function toggleWhitelistAction($uuid)
     {
         return $this->toggleBase('whitelists.whitelist', $uuid);

From b4e133bb39d6e304d135bd2d26ddf2774a87ce09 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 10 Dec 2024 08:47:27 +0100
Subject: [PATCH 2233/3088] www/caddy: Fix redirect regression (#4390)

www/caddy: Fix redirect regression, always attach http to redir instead of empty default
---
 .../opnsense/service/templates/OPNsense/Caddy/Caddyfile  | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 90543e2fd0..320eb86195 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -399,8 +399,13 @@ http://{{ domain }} {
         {% if handle.HandleDirective == "reverse_proxy" and handle.ToPath|default("") != "" %}
             rewrite * {{ handle.ToPath }}{uri}
         {% endif %}
-        {# http:// is the empty default #}
-        {% set protocol = 'https://' if handle.HttpTls == "1" else 'h2c://' if handle.HttpTls == "2" else '' -%}
+        {# http:// is the empty default for reverse_proxy #}
+        {% set protocol = (
+            "http://" if handle.HttpTls == "0" and handle.HandleDirective == "redir" else
+            "https://" if handle.HttpTls == "1" else
+            "h2c://" if handle.HttpTls == "2" else
+            ''
+        ) %}
         {% set formatted_domains = [] -%}
         {% for domain in handle.ToDomain.split(',') -%}
             {% set is_ipv6 = (':' in domain and domain.count(':') >= 2) -%}

From 8dedafb72552942e8d9edeef79d5a0fb9eab7d9d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:38:11 +0100
Subject: [PATCH 2234/3088] www/OPNProxy: remove sessionClose()

---
 .../mvc/app/controllers/OPNsense/Proxy/Api/AclController.php    | 2 --
 1 file changed, 2 deletions(-)

diff --git a/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/AclController.php b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/AclController.php
index 80a7563ff4..4af0a6586b 100644
--- a/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/AclController.php
+++ b/www/OPNProxy/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/AclController.php
@@ -99,7 +99,6 @@ public function toggleCustomPolicyAction($uuid, $enabled = null)
     public function applyAction()
     {
         if ($this->request->isPost()) {
-            $this->sessionClose();
             $backend = new Backend();
             $backend->configdRun('template reload Deciso/Proxy');
             $backend->configdRun('opnproxy sync_users');
@@ -116,7 +115,6 @@ public function testAction()
             $src = !empty($src) ? $src : "-";
             $user = $this->request->getPost('user', null, '');
             $user = !empty($user) ? $user : "-";
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdpRun('opnproxy user test', [
                 $user, $this->request->getPost('uri'), $src

From ee4ccb371df2076145748e825a748b06611f9c00 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:39:07 +0100
Subject: [PATCH 2235/3088] sysutils/nut: remove sessionClose()

---
 .../Nut/Api/DiagnosticsController.php         | 39 +++++++++----------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/Api/DiagnosticsController.php b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/Api/DiagnosticsController.php
index fe002451e0..fe1faf74ac 100644
--- a/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/Api/DiagnosticsController.php
+++ b/sysutils/nut/src/opnsense/mvc/app/controllers/OPNsense/Nut/Api/DiagnosticsController.php
@@ -1,29 +1,29 @@
 <?php
 
 /*
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- *    All rights reserved.
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Nut\Api;
@@ -36,7 +36,6 @@ class DiagnosticsController extends ApiControllerBase
 {
     public function upsstatusAction()
     {
-        $this->sessionClose();
         $mdl = new Nut();
         $host = '127.0.0.1';
         if (!empty((string)$mdl->netclient->address)) {

From b5ea231c9c399bd71aa8601c506ea4a8721db430 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:39:43 +0100
Subject: [PATCH 2236/3088] mail/postfix: remove sessionClose()

---
 .../app/controllers/OPNsense/Postfix/Api/ServiceController.php | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/ServiceController.php b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/ServiceController.php
index e0091751c1..60018990d5 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/ServiceController.php
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/Api/ServiceController.php
@@ -64,9 +64,6 @@ public function checkrspamdAction()
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 

From 11cea67b5f43d0708d20663e0db138801c06b77a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:40:37 +0100
Subject: [PATCH 2237/3088] net/ftp-proxy: remove sessionClose()

---
 .../FtpProxy/Api/SettingsController.php       | 43 +++++++++----------
 1 file changed, 20 insertions(+), 23 deletions(-)

diff --git a/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/Api/SettingsController.php b/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/Api/SettingsController.php
index 4e570b30d2..1b25ff5e04 100644
--- a/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/Api/SettingsController.php
+++ b/net/ftp-proxy/src/opnsense/mvc/app/controllers/OPNsense/FtpProxy/Api/SettingsController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2016 EURO-LOG AG
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2016 EURO-LOG AG
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\FtpProxy\Api;
@@ -237,7 +235,6 @@ public function toggleProxyAction($uuid)
      */
     public function searchProxyAction()
     {
-        $this->sessionClose();
         $fields = array(
                 "enabled",
                 "listenaddress",

From 8d0c52fbe329a2696fd5bc1f5a41d9d5c806d5dc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:42:09 +0100
Subject: [PATCH 2238/3088] security/clamav: remove sessionClose()

---
 .../OPNsense/ClamAV/Api/UrlController.php     | 50 ++++++++++---------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/Api/UrlController.php b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/Api/UrlController.php
index 768b95b432..447ab1f854 100644
--- a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/Api/UrlController.php
+++ b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/Api/UrlController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\ClamAV\Api;
@@ -39,25 +37,29 @@ class UrlController extends ApiMutableModelControllerBase
 
     public function searchUrlAction()
     {
-        return $this->searchBase('lists.list', array("enabled", "name", "link"));
+        return $this->searchBase('lists.list', ['enabled', 'name', 'link']);
     }
+
     public function getUrlAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('list', 'lists.list', $uuid);
     }
+
     public function addUrlAction()
     {
         return $this->addBase('list', 'lists.list');
     }
+
     public function delUrlAction($uuid)
     {
         return $this->delBase('lists.list', $uuid);
     }
+
     public function setUrlAction($uuid)
     {
         return $this->setBase('list', 'lists.list', $uuid);
     }
+
     public function toggleUrlAction($uuid)
     {
         return $this->toggleBase('lists.list', $uuid);

From 110d71fc3b73764e90ec55a92ea6bcd6d9f45497 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:42:51 +0100
Subject: [PATCH 2239/3088] security/etpro-telemetry: remove sessionClose()

---
 .../OPNsense/Diagnostics/Api/ProofpointEtController.php          | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/etpro-telemetry/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/ProofpointEtController.php b/security/etpro-telemetry/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/ProofpointEtController.php
index 5ac5edf8dd..a0f306ad7e 100644
--- a/security/etpro-telemetry/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/ProofpointEtController.php
+++ b/security/etpro-telemetry/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/ProofpointEtController.php
@@ -43,7 +43,6 @@ class ProofpointEtController extends ApiControllerBase
      */
     public function statusAction()
     {
-        $this->sessionClose();
         $backend = new Backend();
         $response = $backend->configdRun('proofpoint et status');
         $activity = json_decode($response, true);

From f390551cf3e6dc22ae49f9497bb1fd5178f1f41f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:43:31 +0100
Subject: [PATCH 2240/3088] net/zerotier: remove sessionClose()

---
 .../app/controllers/OPNsense/Zerotier/Api/NetworkController.php  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/NetworkController.php b/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/NetworkController.php
index c1b436118e..72c0550496 100644
--- a/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/NetworkController.php
+++ b/net/zerotier/src/opnsense/mvc/app/controllers/OPNsense/Zerotier/Api/NetworkController.php
@@ -44,7 +44,6 @@ class NetworkController extends ApiMutableModelControllerBase
 
     public function searchAction()
     {
-        $this->sessionClose();
         $mdlZerotier = $this->getModel();
         $grid = new UIModelGrid($mdlZerotier->networks->network);
         return $grid->fetchBindRequest(

From 3cc1b69054574dfb4c76ddfb9b60d06b5b533268 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:44:17 +0100
Subject: [PATCH 2241/3088] net/udpbroadcastrelay: remove sessionClose()

---
 .../Api/SettingsController.php                | 39 +++++++++----------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
index 4f63375ccb..6a27ad28ef 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/controllers/OPNsense/UDPBroadcastRelay/Api/SettingsController.php
@@ -1,29 +1,29 @@
 <?php
 
 /*
- *    Copyright (C) 2020 Martin Wasley
- *    All rights reserved.
+ * Copyright (C) 2020 Martin Wasley
+ * All rights reserved.
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\UDPBroadcastRelay\Api;
@@ -312,7 +312,6 @@ public function toggleRelayAction($uuid)
      */
     public function searchRelayAction()
     {
-        $this->sessionClose();
         $fields = array(
                 "enabled",
                 "interfaces",

From 06a28c3496eabdffc1216a8630b573a4f6c2df2b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:46:01 +0100
Subject: [PATCH 2242/3088] net-mgmt/nrpe: remove sessionClose()

---
 .../OPNsense/Nrpe/Api/CommandController.php   | 50 ++++++++++---------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/net-mgmt/nrpe/src/opnsense/mvc/app/controllers/OPNsense/Nrpe/Api/CommandController.php b/net-mgmt/nrpe/src/opnsense/mvc/app/controllers/OPNsense/Nrpe/Api/CommandController.php
index b3197dc83d..2f1b8ccedc 100644
--- a/net-mgmt/nrpe/src/opnsense/mvc/app/controllers/OPNsense/Nrpe/Api/CommandController.php
+++ b/net-mgmt/nrpe/src/opnsense/mvc/app/controllers/OPNsense/Nrpe/Api/CommandController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Nrpe\Api;
@@ -39,25 +37,29 @@ class CommandController extends ApiMutableModelControllerBase
 
     public function searchCommandAction()
     {
-        return $this->searchBase('commands.command', array("enabled", "name", "nrpecommand", "arguments"));
+        return $this->searchBase('commands.command', ['enabled', 'name', 'nrpecommand', 'arguments']);
     }
+
     public function getCommandAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('command', 'commands.command', $uuid);
     }
+
     public function addCommandAction()
     {
         return $this->addBase('command', 'commands.command');
     }
+
     public function delCommandAction($uuid)
     {
         return $this->delBase('commands.command', $uuid);
     }
+
     public function setCommandAction($uuid)
     {
         return $this->setBase('command', 'commands.command', $uuid);
     }
+
     public function toggleCommandAction($uuid)
     {
         return $this->toggleBase('commands.command', $uuid);

From a6b7de9dc18ec774b940a004e082103cb12deee6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Dec 2024 08:47:27 +0100
Subject: [PATCH 2243/3088] net-mgmt/net-snmp: remove sessionClose()

---
 .../OPNsense/Netsnmp/Api/UserController.php   | 50 ++++++++++---------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/Api/UserController.php b/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/Api/UserController.php
index 717d4768c1..65ee1bf707 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/Api/UserController.php
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/controllers/OPNsense/Netsnmp/Api/UserController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+/*
+ * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Netsnmp\Api;
@@ -39,25 +37,29 @@ class UserController extends ApiMutableModelControllerBase
 
     public function searchUserAction()
     {
-        return $this->searchBase('users.user', array("enabled", "username", "password", "enckey"));
+        return $this->searchBase('users.user', ['enabled', 'username', 'password', 'enckey']);
     }
+
     public function getUserAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('user', 'users.user', $uuid);
     }
+
     public function addUserAction()
     {
         return $this->addBase('user', 'users.user');
     }
+
     public function delUserAction($uuid)
     {
         return $this->delBase('users.user', $uuid);
     }
+
     public function setUserAction($uuid)
     {
         return $this->setBase('user', 'users.user', $uuid);
     }
+
     public function toggleUserAction($uuid)
     {
         return $this->toggleBase('users.user', $uuid);

From 7c0c385c942fd314f296d165edbeb2dba07c416a Mon Sep 17 00:00:00 2001
From: Gavin Chappell <gavin.chappell@gmail.com>
Date: Fri, 13 Dec 2024 10:00:00 +0000
Subject: [PATCH 2244/3088] opnsense/plugins#4402: configure custom permissions
 on caddy.sock (#4403)

---
 www/caddy/Makefile                                            | 3 +--
 www/caddy/pkg-descr                                           | 4 ++++
 .../opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index ba7f7a9565..f5a01d871f 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.7.5
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.7.6
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 023352a4a8..24bccb238b 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,10 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.7.6
+
+* Fix: Web UI can still restart/stop Caddy when running as `www` user (opnsense/plugins#4402)
+
 1.7.5
 
 * Add: Load Balancing options to Layer 4 Proxy and HTTP Handle
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
index da6745447d..6464fe130b 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/rc.conf.d/caddy
@@ -3,6 +3,7 @@
 {% set generalSettings = helpers.getNodeByTag('Pischem.caddy.general') %}
 {% if generalSettings.enabled|default("0") == "1" %}
 caddy_enable="YES"
+caddy_admin="unix//var/run/caddy/caddy.sock|0220"
 caddy_setup="/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"
 {% if generalSettings.DisableSuperuser|default("0") == "1" %}
 caddy_user=www

From b8c07d4a623086e9a23c182cdf2f1dc48ee71d05 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 13 Dec 2024 16:15:18 +0100
Subject: [PATCH 2245/3088] www/caddy: Add missing changelog for 1.7.6 (#4405)

---
 www/caddy/pkg-descr | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 24bccb238b..2ec24cd5ea 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -15,7 +15,9 @@ Plugin Changelog
 
 1.7.6
 
-* Fix: Web UI can still restart/stop Caddy when running as `www` user (opnsense/plugins#4402)
+* Fix: Web UI can still restart/stop Caddy when running as `www` user (opnsense/plugins/pull/4403)
+* Fix: Wildcard certificates displaying in Certificate Widget (opnsense/plugins/pull/4390)
+* Fix: http being correctly prepended on redirects (opnsense/plugins/pull/4385)
 
 1.7.5
 

From eb044ee8954d90f173501f40ce06839056291b5c Mon Sep 17 00:00:00 2001
From: Sam Sheridan <sheridans@users.noreply.github.com>
Date: Fri, 13 Dec 2024 19:30:42 +0000
Subject: [PATCH 2246/3088] enforce --auth-key param in template preventing
 prompt for auth on boot (#4395)

---
 security/tailscale/Makefile                                 | 1 +
 security/tailscale/pkg-descr                                | 5 +++++
 .../opnsense/mvc/app/views/OPNsense/Tailscale/status.volt   | 6 ++----
 .../opnsense/service/templates/OPNsense/Tailscale/rc.conf.d | 2 ++
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index b995e68c9c..02fad9cd94 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=       tailscale
 PLUGIN_VERSION=    1.0.d
+PLUGIN_REVISION=   1
 PLUGIN_DEVEL=      yes
 PLUGIN_COMMENT=    Tailscale makes creating software-defined networks easy
 PLUGIN_DEPENDS=    tailscale
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 9befef3b61..41c6d5b041 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -9,3 +9,8 @@ Plugin Changelog
 1.0
 
 * initial development release
+
+1.0_1
+
+* fixes to template to prevent auth key prompt when empty
+
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
index b93d968448..f42e3ce8db 100644
--- a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
@@ -8,7 +8,6 @@
             return (str + '').replace(/([^>\r\n]?)(\r\n|\n\r|\r|\n)/g, '$1' + breakTag + '$2');
         }
 
-
 	function updateNetInfo() {
             ajaxGet(url = "/api/tailscale/status/net/", sendData={},
                 callback = function (data, status) {
@@ -44,7 +43,6 @@
             });
         }
 
-
         function updateStatusInfo() {
             ajaxGet(url = "/api/tailscale/status/status/", sendData={},
                 callback = function (data, status) {
@@ -78,14 +76,14 @@
                     } else {
                         $('#statusList > tbody').append('<tr><td colspan=2>Unable to fetch status, is Tailscale running?</td></tr>');
                     }
+
+                    updateServiceControlUI('tailscale');
                 }
             );
         }
 
-
         updateNetInfo();
         updateStatusInfo();
-
     });
 </script>
 
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 704c9bbc81..500a34c52a 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -30,6 +30,8 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.authentication.preAuthKey') %}
 {%      do up_args.append("--auth-key=" + OPNsense.tailscale.authentication.preAuthKey) %}
+{%    else %}
+{%      do up_args.append("--auth-key=non-specified") %}
 {%    endif %}
 {#  loop through subnets to build list #}
 {%    if helpers.exists('OPNsense.tailscale.settings.subnets.subnet4') %}

From f326f0fd8d99cb12cc2cba080e0578c2f94772c8 Mon Sep 17 00:00:00 2001
From: kulikov-a <kulikov.a@gmail.com>
Date: Mon, 16 Dec 2024 10:38:06 +0300
Subject: [PATCH 2247/3088] tmpfs logs fix (#4199)

---
 www/nginx/Makefile                             | 2 +-
 www/nginx/src/opnsense/scripts/nginx/setup.php | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index f20b54fcb8..9da0cf1123 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 1b9a304fdd..96a863c740 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -74,6 +74,8 @@ function find_ca($refid)
 @mkdir('/usr/local/etc/nginx/key', 0750, true);
 @mkdir("/var/db/nginx/auth", 0750, true);
 @mkdir("/var/log/nginx", 0750, true);
+// check logs dir permissions. in case if logs moved to tmpfs
+@chmod('/var/log/nginx', 0750);
 @chgrp('/var/db/nginx', GROUP_OWNER);
 @chgrp('/var/db/nginx/auth', GROUP_OWNER);
 @chgrp('/var/log/nginx', GROUP_OWNER);

From 361c4806a354c11454cf28db1a214f2672d3225d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Dec 2024 07:27:26 +0100
Subject: [PATCH 2248/3088] security/tinc: remove sessionClose()

---
 .../OPNsense/Tinc/Api/ServiceController.php   | 50 ++++++++-----------
 .../OPNsense/Tinc/Api/SettingsController.php  | 44 ++++++++--------
 2 files changed, 40 insertions(+), 54 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/Api/ServiceController.php b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/Api/ServiceController.php
index caa0331772..fe8c8f7248 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/Api/ServiceController.php
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/Api/ServiceController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2016 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2016 Deciso B.V.
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Tinc\Api;
@@ -45,8 +43,6 @@ class ServiceController extends ApiControllerBase
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $backend->configdRun('template reload OPNsense/Tinc');
             return array("status" => "ok");
@@ -62,8 +58,6 @@ public function reconfigureAction()
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("tinc start");
             return array("response" => $response);
@@ -79,8 +73,6 @@ public function startAction()
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("tinc stop");
             return array("response" => $response);
@@ -96,8 +88,6 @@ public function stopAction()
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("tinc restart");
             return array("response" => $response);
diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/Api/SettingsController.php b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/Api/SettingsController.php
index 4bbbe0395f..c8c7497b0f 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/Api/SettingsController.php
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/Api/SettingsController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2016 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2016 Deciso B.V.
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Tinc\Api;
@@ -97,7 +95,6 @@ public function setNetworkAction($uuid = null)
      */
     public function searchNetworkAction()
     {
-        $this->sessionClose();
         $grid = new UIModelGrid($this->getModel()->networks->network);
         return $grid->fetchBindRequest(
             $this->request,
@@ -197,7 +194,6 @@ public function setHostAction($uuid = null)
      */
     public function searchHostAction()
     {
-        $this->sessionClose();
         $grid = new UIModelGrid($this->getModel()->hosts->host);
         return $grid->fetchBindRequest(
             $this->request,

From e93694014ab2c880ced33a7804cedb098ce78fdc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Dec 2024 07:27:52 +0100
Subject: [PATCH 2249/3088] Framework: use /bin/echo for consistent -n support

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 90c89fad63..3cccfff5da 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -467,7 +467,7 @@ test: check
 	fi
 
 commit: ensure-workdirs
-	@echo -n "${.CURDIR:C/\// /g:[-2]}/${.CURDIR:C/\// /g:[-1]}: " > \
+	@/bin/echo -n "${.CURDIR:C/\// /g:[-2]}/${.CURDIR:C/\// /g:[-1]}: " > \
 	    ${WRKDIR}/.commitmsg && git commit -eF ${WRKDIR}/.commitmsg .
 
 .PHONY:	check plist-fix

From 7f59a32e061d813d12a1bad26707e6074c2c07b3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Dec 2024 07:31:31 +0100
Subject: [PATCH 2250/3088] net-mgmt/zabbix-agent: remove sessionClose()

---
 .../ZabbixAgent/Api/SettingsController.php    | 50 +++++++++----------
 1 file changed, 23 insertions(+), 27 deletions(-)

diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/Api/SettingsController.php b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/Api/SettingsController.php
index d928f45188..35d6c30186 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/Api/SettingsController.php
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/Api/SettingsController.php
@@ -1,32 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2017 Frank Wall
- *    Copyright (C) 2015 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2017 Frank Wall
+ * Copyright (C) 2015 Deciso B.V.
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\ZabbixAgent\Api;
@@ -47,12 +45,11 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function searchUserparametersAction()
     {
-        return $this->searchBase('userparameters.userparameter', array("enabled", "key", "command"));
+        return $this->searchBase('userparameters.userparameter', ['enabled', 'key', 'command']);
     }
 
     public function getUserparameterAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('userparameter', 'userparameters.userparameter', $uuid);
     }
 
@@ -78,12 +75,11 @@ public function toggleUserparameterAction($uuid)
 
     public function searchAliasesAction()
     {
-        return $this->searchBase('aliases.alias', array("enabled", "key", "sourceKey"));
+        return $this->searchBase('aliases.alias', ['enabled', 'key', 'sourceKey']);
     }
 
     public function getAliasAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('alias', 'aliases.alias', $uuid);
     }
 

From 5071c8f4100c4190961e83fc4e11d8500a200c5e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Dec 2024 07:38:16 +0100
Subject: [PATCH 2251/3088] security/tailscale: tweak description

---
 README.md                    |  2 +-
 security/tailscale/Makefile  | 13 ++++++-------
 security/tailscale/pkg-descr |  7 +------
 3 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index fa75e2618d..720fab5188 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
 security/stunnel -- Stunnel TLS proxy
-security/tailscale -- Tailscale makes creating software-defined networks easy (development only)
+security/tailscale -- VPN mesh securely connecting clients using WireGuard (development only)
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index 02fad9cd94..e0294bca07 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,9 +1,8 @@
-PLUGIN_NAME=       tailscale
-PLUGIN_VERSION=    1.0.d
-PLUGIN_REVISION=   1
-PLUGIN_DEVEL=      yes
-PLUGIN_COMMENT=    Tailscale makes creating software-defined networks easy
-PLUGIN_DEPENDS=    tailscale
-PLUGIN_MAINTAINER= sam@sheridan.co.uk
+PLUGIN_NAME=		tailscale
+PLUGIN_VERSION=		1.0.d
+PLUGIN_DEVEL=		yes
+PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
+PLUGIN_DEPENDS=		tailscale
+PLUGIN_MAINTAINER=	sam@sheridan.co.uk
 
 .include "../../Mk/plugins.mk"
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 41c6d5b041..f134a7c2a3 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -8,9 +8,4 @@ Plugin Changelog
 
 1.0
 
-* initial development release
-
-1.0_1
-
-* fixes to template to prevent auth key prompt when empty
-
+* initial release

From 8d1f8dba475a6004ac10f87fa9e8bbf91cb5055d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Dec 2024 07:41:24 +0100
Subject: [PATCH 2252/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index 10f2a52409..5c3d5ae4bf 100644
--- a/LICENSE
+++ b/LICENSE
@@ -17,6 +17,7 @@ Copyright (c) 2021 David Hughes
 Copyright (c) 2014-2024 Deciso B.V.
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 Copyright (c) 2023 Dmitry Shinkaruk
+Copyright (c) 2024 DollarSign23
 Copyright (c) 2006 Eric Friesen
 Copyright (c) 2008-2010 Ermal Luçi
 Copyright (c) 2016-2019 EURO-LOG AG

From c97f3d4ce8b1f8a8bfa2c4dddf75513433aaa78e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Dec 2024 07:45:12 +0100
Subject: [PATCH 2253/3088] dns/ddclient: new version

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index dc8f2f58d0..d61c418102 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.25
+PLUGIN_VERSION=		1.26
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 1215267ca5..c4aad2a2e9 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.26
+
+* Add ddclient TTL configuration in Gandi and GoDaddy (contributed by David PHAM-VAN)
+
 1.25
 
 * Add DigitalOcean support to native backend (contributed by Olly Baker)

From 5bcbe9adc7bef52cdd3aee1ebf5efd7142c9a355 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Dec 2024 08:21:19 +0100
Subject: [PATCH 2254/3088] security/tailscale: release 1.0

---
 README.md                   | 2 +-
 security/tailscale/Makefile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 720fab5188..fcc3df8e32 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
 security/stunnel -- Stunnel TLS proxy
-security/tailscale -- VPN mesh securely connecting clients using WireGuard (development only)
+security/tailscale -- VPN mesh securely connecting clients using WireGuard
 security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index e0294bca07..8629b03454 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tailscale
-PLUGIN_VERSION=		1.0.d
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS=		tailscale
 PLUGIN_MAINTAINER=	sam@sheridan.co.uk

From 15dc01adf467a41b7a7d6047b538ebf2f1563946 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 3 Dec 2024 22:28:07 +0100
Subject: [PATCH 2255/3088] net/haproxy: bump version

---
 net/haproxy/Makefile  | 3 +--
 net/haproxy/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 887d00cd87..81ea69ec06 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.3
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		4.4
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy28 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 4f59e884f1..b9017c96bb 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.4
+
+Fixed:
+* Cron job "Sync SSL certificate changes" not working (#4035)
+
 4.3
 
 Added:

From 327dd52f985e7e0dc5711d6c29198436d84e80db Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 3 Dec 2024 22:55:49 +0100
Subject: [PATCH 2256/3088] net/haproxy: show warning if group has no members,
 fixes #3364

---
 net/haproxy/pkg-descr                         |  1 +
 .../templates/OPNsense/HAProxy/haproxy.conf   | 31 +++++++++++--------
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index b9017c96bb..d3e0b934fc 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -10,6 +10,7 @@ Plugin Changelog
 
 Fixed:
 * Cron job "Sync SSL certificate changes" not working (#4035)
+* Template error with empty user group (#3364)
 
 4.3
 
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 679ab09db3..3e40f63c02 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -886,22 +886,27 @@
 {%       if group_data == {} %}
     # WARNING: group data not found ({{group}})
 {%       else %}
-{#         # extract user list from group object #}
-{%         for user in group_data.members.split(",") %}
-{%           set user_data = helpers.getUUID(user) %}
-{%           if user_data.name in users_seen %}
+{#         # check if group has any member #}
+{%         if group_data.members is defined %}
+{#           # extract user list from group object #}
+{%           for user in group_data.members.split(",") %}
+{%             set user_data = helpers.getUUID(user) %}
+{%             if user_data.name in users_seen %}
     # WARNING: skipping duplicate username ({{user_data.name}})
-{%           else %}
-{%             do users_seen.append(user_data.name) %}
-{#             # check if using an encrypted password #}
-{%             if user_data.password|default("")|truncate(1, False, '', 0) == '$' %}
-{%               set user_pwsec = 'password' %}
 {%             else %}
-{%               set user_pwsec = 'insecure-password' %}
-{%             endif %}
+{%               do users_seen.append(user_data.name) %}
+{#               # check if using an encrypted password #}
+{%               if user_data.password|default("")|truncate(1, False, '', 0) == '$' %}
+{%                 set user_pwsec = 'password' %}
+{%               else %}
+{%                 set user_pwsec = 'insecure-password' %}
+{%               endif %}
     user {{user_data.name}} {{user_pwsec}} {{user_data.password}}
-{%           endif %}
-{%         endfor %}
+{%             endif %}
+{%           endfor %}
+{%         else %}
+    # WARNING: ignoring group with no members ({{group_data.name}})
+{%         endif %}
 {%       endif %}
 {%     endfor %}
 {%   else %}

From 83dee33e3a5f4575610794910190ff0ce04299f5 Mon Sep 17 00:00:00 2001
From: W516 <135984346+W516@users.noreply.github.com>
Date: Wed, 18 Dec 2024 00:33:29 +0900
Subject: [PATCH 2257/3088] security/acme-client: Add support for MyDNS.JP DNS
 API (#4328)

Added support for mydns.jp to acme client's WebGUI.
---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsMydnsjp.php    | 41 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 ++++
 3 files changed, 63 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 5b8f4c823a..6bd908aa44 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -935,6 +935,21 @@
         <type>text</type>
         <help>MailinaBox Server FQDN</help>
     </field>
+    <field>
+        <label>MyDNS.JP</label>
+        <type>header</type>
+        <style>table_dns table_dns_mydnsjp</style>
+    </field>
+    <field>
+        <id>validation.dns_mydnsjp_masterid</id>
+        <label>Master ID</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_mydnsjp_password</id>
+        <label>Password</label>
+        <type>password</type>
+    </field>
     <field>
         <label>Mythic Beasts</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php
new file mode 100644
index 0000000000..fc83325c06
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php
@@ -0,0 +1,41 @@
+<?php
+
+/*
+ * Copyright (C) 2024 W516
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+  
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+  
+class DnsMydnsjp extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['MYDNSJP_MasterID'] = (string)$this->config->dns_mydnsjp_masterid;
+        $this->acme_env['MYDNSJP_Password'] = (string)$this->config->dns_mydnsjp_password;
+    }
+}
+
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 3bbd0d6adc..5a3a3fc175 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -490,6 +490,7 @@
                         <dns_loopia>Loopia</dns_loopia>
                         <dns_lua>LuaDNS.com</dns_lua>
                         <dns_miab>MailinaBox</dns_miab>
+                        <dns_mydnsjp>MyDNS.JP</dns_mydnsjp>
                         <dns_mythic_beasts>Mythic Beasts</dns_mythic_beasts>
                         <dns_namecom>Name.com</dns_namecom>
                         <dns_namecheap>Namecheap</dns_namecheap>
@@ -906,6 +907,12 @@
                 <dns_me_secret type="TextField">
                     <Required>N</Required>
                 </dns_me_secret>
+                <dns_mydnsjp_masterid type="TextField">
+                    <Required>N</Required>
+                </dns_mydnsjp_masterid>
+                <dns_mydnsjp_password type="TextField">
+                    <Required>N</Required>
+                </dns_mydnsjp_password>
                 <dns_mythic_beasts_key type="TextField">
                     <Required>N</Required>
                 </dns_mythic_beasts_key>

From afa69999beb4faa976f1431cbc8ed269566f6737 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Dec 2024 16:38:41 +0100
Subject: [PATCH 2258/3088] security/acme-client: minor style fixes, refs #4328

---
 .../library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php
index fc83325c06..5ed9adbcff 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php
@@ -26,10 +26,10 @@
  */
 
 namespace OPNsense\AcmeClient\LeValidation;
-  
+
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\Core\Config;
-  
+
 class DnsMydnsjp extends Base implements LeValidationInterface
 {
     public function prepare()

From ee2eda08ed00e3f83eca4b8f74688aeb2213d63b Mon Sep 17 00:00:00 2001
From: Mihail <49451608+CreatorHRS@users.noreply.github.com>
Date: Tue, 17 Dec 2024 18:39:10 +0300
Subject: [PATCH 2259/3088] security/acme-client: Add fornex API dns challenge
 type (#4389)

security/acme-client: Add fornex API dns challenge type
---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsFornex.php     | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFornex.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 6bd908aa44..56b38f1de5 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -552,6 +552,16 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Fornex</label>
+        <type>header</type>
+        <style>table_dns table_dns_fornex</style>
+    </field>
+    <field>
+        <id>validation.dns_fornex_api_key</id>
+        <label>ApiKey</label>
+        <type>password</type>
+    </field>
     <field>
         <label>Gandi LiveDNS</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFornex.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFornex.php
new file mode 100644
index 0000000000..5136bebbc6
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFornex.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2024 Mikhail Kharisov
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ namespace OPNsense\AcmeClient\LeValidation;
+
+ use OPNsense\AcmeClient\LeValidationInterface;
+ use OPNsense\Core\Config;
+
+ /**
+  * Fornex DNS API
+  * @package OPNsense\AcmeClient
+  */
+ class DnsFornex extends Base implements LeValidationInterface
+ {
+     public function prepare()
+     {
+         $this->acme_env['FORNEX_API_KEY'] = (string)$this->config->dns_fornex_api_key;
+     }
+ }
\ No newline at end of file
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 5a3a3fc175..49fd928674 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -461,6 +461,7 @@
                         <dns_easydns>EasyDNS</dns_easydns>
                         <dns_euserv>EUserv</dns_euserv>
                         <dns_exoscale>Exoscale</dns_exoscale>
+                        <dns_fornex>Fornex</dns_fornex>
                         <dns_freedns>FreeDNS</dns_freedns>
                         <dns_gandi_livedns>Gandi LiveDNS</dns_gandi_livedns>
                         <dns_gd>GoDaddy.com</dns_gd>
@@ -700,6 +701,9 @@
                 <dns_freedns_password type="TextField">
                     <Required>N</Required>
                 </dns_freedns_password>
+                <dns_fornex_api_key type="TextField">
+                    <Required>N</Required>
+                </dns_fornex_api_key>
                 <dns_gandi_livedns_key type="TextField">
                     <Required>N</Required>
                 </dns_gandi_livedns_key>

From 636a1f18bac74f9b4a793445ccda5764591da635 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 3 Dec 2024 23:11:28 +0100
Subject: [PATCH 2260/3088] security/acme-client: set default SFTP/SSH port if
 unset, fixes #4363

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php  | 2 +-
 .../src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 0bcee071ee..f6fb2be75f 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.7
+
+Fixed:
+* SFTP/SSH automation results in fatal PHP error (#4363)
+
 4.6
 
 Added:
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
index 9a16b8689a..97e2b0809c 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
@@ -189,7 +189,7 @@ function runRemoteCommand(array $options, &$error): ?array
     $identity_type = trim(($options["identity-type"] ?? ""));
     $host = trim(($options["host"] ?? ""));
     $host_key = ($options["host-key"] ?? "");
-    $port = $options["port"] ?? 22;
+    $port = !empty($options["port"]) ? $options["port"] : SSHKeys::DEFAULT_PORT;
     $username = $options["user"] ?? false;
     $command = $options["run"] ?? "";
 
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index 5a11b3d60b..052a1889ca 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -317,7 +317,7 @@ function connectWithServer(array $options, &$error): ?SftpClient
     $identity_type = trim(($options["identity-type"] ?? "")) ?: SSHKeys::DEFAULT_IDENTITY_TYPE;
     $host = trim(($options["host"] ?? ""));
     $host_key = ($options["host-key"] ?? "");
-    $port = $options["port"] ?? 22;
+    $port = !empty($options["port"]) ? $options["port"] : SSHKeys::DEFAULT_PORT;
     $username = $options["user"];
 
     $sftp = new SftpClient(configPath(), $identity_type);

From 9d528264d76a6deab9e9e75209876ffc6b1573dd Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Dec 2024 17:00:25 +0100
Subject: [PATCH 2261/3088] security/acme-client: convert synology_dsm
 variables to uppercase, refs #4286

---
 .../LeAutomation/AcmeSynologyDsm.php          | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
index 3194f57450..8762bebf65 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2021 Frank Wall
+ * Copyright (C) 2021-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -38,20 +38,20 @@ class AcmeSynologyDsm extends Base implements LeAutomationInterface
 {
     public function prepare()
     {
-        $this->acme_env['SYNO_Certificate'] = 'OPNsense ACME cert ' . $this->cert_id;
-        $this->acme_env['SYNO_Hostname'] = (string)$this->config->acme_synology_dsm_hostname;
-        $this->acme_env['SYNO_Port'] = (string)$this->config->acme_synology_dsm_port;
-        $this->acme_env['SYNO_Scheme'] = (string)$this->config->acme_synology_dsm_scheme;
-        $this->acme_env['SYNO_Username'] = (string)$this->config->acme_synology_dsm_username;
-        $this->acme_env['SYNO_Password'] = (string)$this->config->acme_synology_dsm_password;
+        $this->acme_env['SYNO_CERTIFICATE'] = 'OPNsense ACME cert ' . $this->cert_id;
+        $this->acme_env['SYNO_HOSTNAME'] = (string)$this->config->acme_synology_dsm_hostname;
+        $this->acme_env['SYNO_PORT'] = (string)$this->config->acme_synology_dsm_port;
+        $this->acme_env['SYNO_SCHEME'] = (string)$this->config->acme_synology_dsm_scheme;
+        $this->acme_env['SYNO_USERNAME'] = (string)$this->config->acme_synology_dsm_username;
+        $this->acme_env['SYNO_PASSWORD'] = (string)$this->config->acme_synology_dsm_password;
         if (!empty((string)$this->config->acme_synology_dsm_create)) {
-            $this->acme_env['SYNO_Create'] = (string)$this->config->acme_synology_dsm_create;
+            $this->acme_env['SYNO_CREATE'] = (string)$this->config->acme_synology_dsm_create;
         }
         if (!empty((string)$this->config->acme_synology_dsm_deviceid)) {
-            $this->acme_env['SYNO_Device_ID'] = (string)$this->config->acme_synology_dsm_deviceid;
+            $this->acme_env['SYNO_DEVICE_ID'] = (string)$this->config->acme_synology_dsm_deviceid;
         }
         if (!empty((string)$this->config->acme_synology_dsm_devicename)) {
-            $this->acme_env['SYNO_Device_Name'] = (string)$this->config->acme_synology_dsm_devicename;
+            $this->acme_env['SYNO_DEVICE_NAME'] = (string)$this->config->acme_synology_dsm_devicename;
         }
         $this->acme_args[] = '--deploy-hook synology_dsm';
         return true;

From 675f682aeb90e34ca9d25ce0a7096e217849ce76 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Dec 2024 17:02:25 +0100
Subject: [PATCH 2262/3088] security/acme-client: bump version + update
 changelog

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 06cece8adf..e431857ae6 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.6
+PLUGIN_VERSION=		4.7
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f6fb2be75f..19c9cb23ae 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,13 @@ Plugin Changelog
 
 4.7
 
+Added:
+* Add support for MyDNS.JP DNS API (#4328)
+* Add support for fornex DNS API (#4389)
+
+Changed:
+* Convert synology_dsm deploy hook variables to uppercase (#4286)
+
 Fixed:
 * SFTP/SSH automation results in fatal PHP error (#4363)
 

From 911bdce8b4c3c8f1fbc5b10d3a11f6d95de8a708 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Dec 2024 17:22:20 +0100
Subject: [PATCH 2263/3088] security/acme-client: add OTP Code for Synology,
 refs #4045

---
 security/acme-client/pkg-descr                              | 3 ++-
 .../controllers/OPNsense/AcmeClient/forms/dialogAction.xml  | 6 ++++++
 .../OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php    | 3 +++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 5 +++++
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 19c9cb23ae..46af10d174 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,9 +13,10 @@ Plugin Changelog
 Added:
 * Add support for MyDNS.JP DNS API (#4328)
 * Add support for fornex DNS API (#4389)
+* Add support for OTP Code to Synology deploy hook (#4045)
 
 Changed:
-* Convert synology_dsm deploy hook variables to uppercase (#4286)
+* Convert Synology deploy hook variables to uppercase (#4286)
 
 Fixed:
 * SFTP/SSH automation results in fatal PHP error (#4363)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 09066d054b..97d14b3557 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -225,6 +225,12 @@
         <type>text</type>
         <help>If Synology DSM has OTP enabled, then the device name has to be provided so that no OTP is required when running the automation.</help>
     </field>
+    <field>
+        <id>action.acme_synology_dsm_otpcode</id>
+        <label>OTP Code</label>
+        <type>text</type>
+        <help>If Synology DSM has OTP enabled, then a OTP may be required.</help>
+    </field>
     <field>
         <id>action.acme_synology_dsm_create</id>
         <label>Create certificates</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
index 8762bebf65..48c520d9c6 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeSynologyDsm.php
@@ -53,6 +53,9 @@ public function prepare()
         if (!empty((string)$this->config->acme_synology_dsm_devicename)) {
             $this->acme_env['SYNO_DEVICE_NAME'] = (string)$this->config->acme_synology_dsm_devicename;
         }
+        if (!empty((string)$this->config->acme_synology_dsm_otpcode)) {
+            $this->acme_env['SYNO_OTP_CODE'] = (string)$this->config->acme_synology_dsm_otpcode;
+        }
         $this->acme_args[] = '--deploy-hook synology_dsm';
         return true;
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 49fd928674..93a1de5781 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1506,6 +1506,11 @@
                     <mask>/^.{1,1024}$/u</mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_synology_dsm_devicename>
+                <acme_synology_dsm_otpcode type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_synology_dsm_otpcode>
                 <acme_fritzbox_url type="TextField">
                     <Required>N</Required>
                     <mask>/^.{1,1024}$/u</mask>

From 6b1700bd23c0816cee9e7634d1398c0150d53581 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 18 Dec 2024 10:46:45 +0100
Subject: [PATCH 2264/3088] security/acme-client: add support for INWX 2FA
 (#3942)

requires https://github.com/opnsense/tools/pull/444

While here, fix a typo in the INWX password field name:
inws -> inwx
---
 security/acme-client/pkg-descr                |  2 +
 .../AcmeClient/forms/dialogValidation.xml     |  8 +++-
 .../AcmeClient/LeValidation/DnsInwx.php       | 12 ++++-
 .../models/OPNsense/AcmeClient/AcmeClient.php | 17 ++++++-
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  9 +++-
 .../OPNsense/AcmeClient/Migrations/M4_2_0.php | 47 +++++++++++++++++++
 6 files changed, 90 insertions(+), 5 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_2_0.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 46af10d174..ff97285f04 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,12 +14,14 @@ Added:
 * Add support for MyDNS.JP DNS API (#4328)
 * Add support for fornex DNS API (#4389)
 * Add support for OTP Code to Synology deploy hook (#4045)
+* Add support for Shared Secret to INWX DNS API (#3942)
 
 Changed:
 * Convert Synology deploy hook variables to uppercase (#4286)
 
 Fixed:
 * SFTP/SSH automation results in fatal PHP error (#4363)
+* Typo in INWX password field name
 
 4.6
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 56b38f1de5..702aa67c94 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -690,10 +690,16 @@
         <type>text</type>
     </field>
     <field>
-        <id>validation.dns_inws_password</id>
+        <id>validation.dns_inwx_password</id>
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <id>validation.dns_inwx_shared_secret</id>
+        <label>Shared Secret</label>
+        <type>password</type>
+        <help>When 2FA is enabled, the Shared Secret must be provided. Note that this feature requires the package oath-toolkit, which must be installed manually.</help>
+    </field>
     <field>
         <label>IONOS domain API</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php
index f4e0533fb6..736dd0c0e3 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsInwx.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020 Frank Wall
+ * Copyright (C) 2020-2024 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29,6 +29,7 @@
 namespace OPNsense\AcmeClient\LeValidation;
 
 use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
 
 /**
@@ -40,6 +41,13 @@ class DnsInwx extends Base implements LeValidationInterface
     public function prepare()
     {
         $this->acme_env['INWX_User'] = (string)$this->config->dns_inwx_user;
-        $this->acme_env['INWX_Password'] = (string)$this->config->dns_inws_password;
+        $this->acme_env['INWX_Password'] = (string)$this->config->dns_inwx_password;
+        if (!empty((string)$this->config->dns_inwx_shared_secret)) {
+            if ((string)$this->model->isPackageInstalled('oath-toolkit') != '1') {
+                LeUtils::log_error('Required package oath-toolkit is NOT installed. Please install the package or remove the INWX Shared Secret.');
+                return false;
+            }
+            $this->acme_env['INWX_Shared_Secret'] = (string)$this->config->dns_inwx_shared_secret;
+        }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php
index 347cd471b0..d775974d27 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017 Frank Wall
+ *    Copyright (C) 2017-2024 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -101,4 +101,19 @@ public function isPluginInstalled($name)
         $backend = new Backend();
         return trim($backend->configdRun('firmware plugin ' . escapeshellarg($name)));
     }
+
+    /**
+     * check if the specfied package is installed
+     * @param $name package name
+     * @return bool is the package installed
+     */
+    public function isPackageInstalled($name)
+    {
+        $backend = new Backend();
+        $_package_list = $backend->configdRun('firmware local');
+        if (preg_match("/^$name\|\|.*/m", $_package_list)) {
+          return 1;
+        }
+        return 0;
+    }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 93a1de5781..ab94015e5e 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>4.1.0</version>
+    <version>4.2.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -746,9 +746,16 @@
                 <dns_inwx_user type="TextField">
                     <Required>N</Required>
                 </dns_inwx_user>
+                <!-- TODO: old value, should be removed -->
                 <dns_inws_password type="TextField">
                     <Required>N</Required>
                 </dns_inws_password>
+                <dns_inwx_password type="TextField">
+                    <Required>N</Required>
+                </dns_inwx_password>
+                <dns_inwx_shared_secret type="TextField">
+                    <Required>N</Required>
+                </dns_inwx_shared_secret>
                 <dns_ionos_prefix type="TextField">
                     <Required>N</Required>
                 </dns_ionos_prefix>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_2_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_2_0.php
new file mode 100644
index 0000000000..f896a8e65b
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_2_0.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M4_2_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->getNodeByReference('validations.validation')->iterateItems() as $validation) {
+            $dns_service = (string)$validation->dns_service;
+            if ($dns_service === 'dns_inwx') {
+                // Migrate data from misspelled item to new one
+                $validation->dns_inwx_password = (string)$validation->dns_inws_password;
+            }
+        }
+    }
+}

From fee8f412d1b8ce019f9a26b9f1220d78feeb13bf Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Thu, 19 Dec 2024 08:53:05 +0100
Subject: [PATCH 2265/3088] Implement squid "workers". (#4393)

---
 .../mvc/app/controllers/OPNsense/Proxy/forms/main.xml      | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml   | 6 ++++++
 .../opnsense/service/templates/OPNsense/Proxy/squid.conf   | 4 ++++
 3 files changed, 17 insertions(+)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 1db7c2fd7f..7671a7f47e 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -339,6 +339,13 @@
                 <allownew>true</allownew>
                 <help>Create a list of sites which may not be inspected, for example bank sites. Prefix the domain with a . to accept all subdomains (e.g. .google.com).</help>
             </field>
+            <field>
+                <id>proxy.forward.workers</id>
+                <label>Number of squid workers</label>
+                <type>text</type>
+                <help>Start N main Squid process daemons (i.e., SMP mode). Requires Restart. Default: 1</help>
+                <advanced>true</advanced>
+            </field>
             <field>
                 <id>proxy.forward.ssl_crtd_storage_max_size</id>
                 <label>SSL cache size</label>
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 7c4f59ab51..1c04b1f6b3 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -282,6 +282,12 @@
               <Mask>/^([a-zA-Z0-9\.:\[\]\s\-]*?,)*([a-zA-Z0-9\.:\[\]\s\-]*)$/</Mask>
               <ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
             </sslnobumpsites>
+            <workers type="IntegerField">
+              <Default>1</Default>
+              <MinimumValue>1</MinimumValue>
+              <MaximumValue>100</MaximumValue>
+              <ValidationMessage>worker number needs to be an integer value between 1 and 100</ValidationMessage>
+            </workers>
             <ssl_crtd_storage_max_size type="IntegerField">
               <Required>Y</Required>
               <Default>4</Default>
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 8d6853e117..d42e8dfa78 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -53,6 +53,10 @@
 {%     endfor %}
 {% endif %}
 
+{%   if not helpers.empty('OPNsense.proxy.forward.workers') %}
+workers {{ OPNsense.proxy.forward.workers }}
+{%   endif %}
+
 {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
 # setup ssl re-cert
 sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB

From e44716bda6dad40bfff513a4f2ebfe6c88ded878 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 19 Dec 2024 09:35:19 +0100
Subject: [PATCH 2266/3088] security/acme-client: style sweep

---
 .../OPNsense/AcmeClient/LeValidation/DnsFornex.php | 14 +++++++-------
 .../AcmeClient/LeValidation/DnsMydnsjp.php         |  1 -
 .../app/models/OPNsense/AcmeClient/AcmeClient.php  |  2 +-
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFornex.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFornex.php
index 5136bebbc6..d25c60f20a 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFornex.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsFornex.php
@@ -35,10 +35,10 @@
   * Fornex DNS API
   * @package OPNsense\AcmeClient
   */
- class DnsFornex extends Base implements LeValidationInterface
- {
-     public function prepare()
-     {
-         $this->acme_env['FORNEX_API_KEY'] = (string)$this->config->dns_fornex_api_key;
-     }
- }
\ No newline at end of file
+class DnsFornex extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['FORNEX_API_KEY'] = (string)$this->config->dns_fornex_api_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php
index 5ed9adbcff..41a86c9647 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMydnsjp.php
@@ -38,4 +38,3 @@ public function prepare()
         $this->acme_env['MYDNSJP_Password'] = (string)$this->config->dns_mydnsjp_password;
     }
 }
-
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php
index d775974d27..0bfef54092 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.php
@@ -112,7 +112,7 @@ public function isPackageInstalled($name)
         $backend = new Backend();
         $_package_list = $backend->configdRun('firmware local');
         if (preg_match("/^$name\|\|.*/m", $_package_list)) {
-          return 1;
+            return 1;
         }
         return 0;
     }

From d637100cc41924f6dd4e32b3889edbbc2d1cf509 Mon Sep 17 00:00:00 2001
From: Sam Sheridan <sheridans@users.noreply.github.com>
Date: Thu, 19 Dec 2024 15:57:09 +0000
Subject: [PATCH 2267/3088] security/tailscale dashboard widget, ipv6
 advertised routes (#4414)

---
 security/tailscale/Makefile                   |   4 +-
 security/tailscale/pkg-descr                  |   7 +
 .../app/models/OPNsense/Tailscale/ACL/ACL.xml |   4 +-
 .../models/OPNsense/Tailscale/Settings.xml    |   1 -
 .../app/views/OPNsense/Tailscale/status.volt  |  12 +-
 .../www/js/widgets/Metadata/Tailscale.xml     |  25 +++
 .../src/opnsense/www/js/widgets/Tailscale.js  | 160 ++++++++++++++++++
 7 files changed, 206 insertions(+), 7 deletions(-)
 create mode 100644 security/tailscale/src/opnsense/www/js/widgets/Metadata/Tailscale.xml
 create mode 100644 security/tailscale/src/opnsense/www/js/widgets/Tailscale.js

diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index 8629b03454..f762919fb0 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		tailscale
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS=		tailscale
-PLUGIN_MAINTAINER=	sam@sheridan.co.uk
+PLUGIN_MAINTAINER=	sam@sheridan.uk
 
 .include "../../Mk/plugins.mk"
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index f134a7c2a3..8fe3c0cebc 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -6,6 +6,13 @@ https://tailscale.com/
 Plugin Changelog
 ================
 
+1.1
+
+* add dashboard widget
+* change peer status list to DNSname instead of hostname
+* show online status for peers in status list
+* allow advertising of IPv6 routes
+
 1.0
 
 * initial release
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/ACL/ACL.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/ACL/ACL.xml
index d0f6a91381..1bf4f2b210 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/ACL/ACL.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/ACL/ACL.xml
@@ -3,7 +3,9 @@
         <name>Tailscale</name>
         <patterns>
             <pattern>ui/tailscale/*</pattern>
-            <pattern>api/tailscale/*</pattern>
+            <pattern>api/tailscale/service/*</pattern>
+            <pattern>api/tailscale/settings/*</pattern>
+            <pattern>api/tailscale/status/*</pattern>
         </patterns>
     </page-tailscale-config>
 </acl>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index f232346c87..e23c5d4a67 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -26,7 +26,6 @@
             <subnet4 type="ArrayField">
                 <subnet type="NetworkField">
                     <NetMaskRequired>Y</NetMaskRequired>
-                    <AddressFamily>ipv4</AddressFamily>
                     <Strict>Y</Strict>
                     <Required>Y</Required>
                 </subnet>
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
index f42e3ce8db..3ff2c208ba 100644
--- a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
@@ -8,7 +8,7 @@
             return (str + '').replace(/([^>\r\n]?)(\r\n|\n\r|\r|\n)/g, '$1' + breakTag + '$2');
         }
 
-	function updateNetInfo() {
+        function updateNetInfo() {
             ajaxGet(url = "/api/tailscale/status/net/", sendData={},
                 callback = function (data, status) {
                     if (status == "success") {
@@ -33,7 +33,13 @@
                     console.log(tailscaleIp);
                 }
 
-                let row = '<tr><td>' + data.HostName;
+                let color = 'text-success';
+                if (data.Online === false) {
+                    color = 'text-danger';
+                }
+
+                let onlineStatus = `<i class="fa fa-circle ${color}"></i> `;
+                let row = `<tr><td>${onlineStatus}` + data.DNSName;
                 row += '</td><td>' + tailscaleIp;
                 row += '</td><td>' + data.LastSeen;
                 row += '</td><td>' + data.OS;
@@ -114,7 +120,7 @@
         <table id="peerInfo" class="table table-striped table-condensed table-responsive">
             <thead>
                 <tr>
-                    <th>{{ lang._('Name') }}</th>
+                    <th>{{ lang._('Peer') }}</th>
                     <th>{{ lang._('Tailscale IPs') }}</th>
                     <th>{{ lang._('Last Seen') }}</th>
                     <th>{{ lang._('OS') }}</th>
diff --git a/security/tailscale/src/opnsense/www/js/widgets/Metadata/Tailscale.xml b/security/tailscale/src/opnsense/www/js/widgets/Metadata/Tailscale.xml
new file mode 100644
index 0000000000..171aeddf92
--- /dev/null
+++ b/security/tailscale/src/opnsense/www/js/widgets/Metadata/Tailscale.xml
@@ -0,0 +1,25 @@
+<metadata>
+    <Tailscale>
+        <filename>Tailscale.js</filename>
+        <endpoints>
+            <endpoint>/api/tailscale/service/status</endpoint>
+            <endpoint>/api/tailscale/status/status</endpoint>
+        </endpoints>
+        <translations>
+            <title>Tailscale</title>
+            <serviceDisabled>Tailscale service is not running</serviceDisabled>
+            <backendState>Backend State</backendState>
+            <dnsName>DNS Name</dnsName>
+            <enabled>Enabled</enabled>
+            <exitNode>Exit Node</exitNode>
+            <no>No</no>
+            <noData>Could not fetch data</noData>
+            <online>Online</online>
+            <peers>Peers</peers>
+            <tailscaleIP>Tailscale IP</tailscaleIP>
+            <yes>Yes</yes>
+            <version>Version</version>
+        </translations>
+    </Tailscale>
+</metadata>
+
diff --git a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
new file mode 100644
index 0000000000..5a68e91479
--- /dev/null
+++ b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2024 Sheridan Computers
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+export default class Wireguard extends BaseTableWidget {
+    constructor() {
+        super();
+    }
+
+    getGridOptions() {
+        return {
+            // Automatically triggers vertical scrolling after reaching 650px in height
+            sizeToContent: 650
+        };
+    }
+
+    getMarkup() {
+        let $container = $('<div></div>');
+        let $tailscaleStatusTable = this.createTable('tailscaleStatusTable', {
+            headerPosition: 'left'
+        });
+
+        $container.append($tailscaleStatusTable);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        // check if Tailscale is enabled
+        const ServiceStatusData = await this.ajaxCall('/api/tailscale/service/status');
+        if (!ServiceStatusData || ServiceStatusData.status !== 'running') {
+            this.displayError(this.translations.serviceDisabled);
+            return;
+        }
+
+        const tsData = await this.ajaxCall('/api/tailscale/status/status');
+        if (!tsData) {
+            this.displayError(this.translations.noData);
+            return;
+        }
+
+        let statusData = this.parseData(tsData);
+        if (!this.dataChanged('tailscale-data', statusData)) {
+            return;
+        }
+
+        this.updateWidgetTable(statusData);
+    }
+
+    parseData(data) {
+        let result = [];
+
+        result['version'] = data.Version;
+        result['backendState'] = data.BackendState;
+        result['dnsName'] = data.Self.DNSName;
+        
+        result['online'] = (data.Self.Online === true) ?
+          this.translations.yes : this.translations.no; 
+            
+        result['exitNode'] = (data.Self.ExitNode === true) ?
+          this.translations.yes : this.translations.no; 
+
+        result['peerCount'] = Object.keys(data.Peer).length;
+
+        let ipAddresses = [];
+        data.TailscaleIPs.forEach(ip => {
+            ipAddresses.push(ip);
+        });
+        result['ipAddresses'] = ipAddresses;
+
+        return result;
+    }
+
+    updateWidgetTable(data) {
+        let rows = [];
+        
+        let color = "text-success";
+        if (data['online'] === false) {
+            color = "text-danger";
+        }
+
+        let row = [
+            `<div><i class="fa fa-circle ${color}"></i> ${this.translations.online}</div>`,
+            `<div>${data['online']}</div>`
+        ];
+        rows.push(row);
+         
+        // version
+        row = [
+            `<div>${this.translations.version}</div>`,
+            `<div>${data['version']}</div>`
+        ];
+        rows.push(row);
+
+        // backend state
+        row = [
+            `<div>${this.translations.backendState}</div>`,
+            `<div>${data['backendState']}</div>`
+        ];
+        rows.push(row);
+     
+        // dns name 
+        row = [
+            `<div>${this.translations.dnsName}</div>`,
+            `<div>${data['dnsName']}</div>`
+        ];
+        rows.push(row);
+
+        // ip addreses 
+        row = [
+            `<div>${this.translations.tailscaleIP}</div>`,
+            `<div>${data['ipAddresses'].join('<br>')}</div>`
+        ];
+        rows.push(row);
+
+        // exit node
+        row = [
+            `<div>${this.translations.exitNode}</div>`,
+            `<div>${data['exitNode']}</div>`
+        ];
+        rows.push(row);
+        
+        // peers
+        row = [
+            `<div>${this.translations.peers}</div>`,
+            `<div>${data['peerCount']}</div>`
+        ];
+        rows.push(row);
+        
+        super.updateTable('tailscaleStatusTable', rows);
+    }
+
+    displayError(message) {
+        $('#tailscaleStatusTable').empty().append(
+            $(`<div class="error-message">${message}</div>`)
+        );
+    }
+}
+

From 9aa95c79bff74769a81f534bd41dfd2f39939188 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 19 Dec 2024 16:57:46 +0100
Subject: [PATCH 2268/3088] security/tailscale: style sweep

---
 .../www/js/widgets/Metadata/Tailscale.xml     |  1 -
 .../src/opnsense/www/js/widgets/Tailscale.js  | 23 +++++++++----------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/security/tailscale/src/opnsense/www/js/widgets/Metadata/Tailscale.xml b/security/tailscale/src/opnsense/www/js/widgets/Metadata/Tailscale.xml
index 171aeddf92..12d7f0468d 100644
--- a/security/tailscale/src/opnsense/www/js/widgets/Metadata/Tailscale.xml
+++ b/security/tailscale/src/opnsense/www/js/widgets/Metadata/Tailscale.xml
@@ -22,4 +22,3 @@
         </translations>
     </Tailscale>
 </metadata>
-
diff --git a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
index 5a68e91479..59e8491dee 100644
--- a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
+++ b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
@@ -74,12 +74,12 @@ export default class Wireguard extends BaseTableWidget {
         result['version'] = data.Version;
         result['backendState'] = data.BackendState;
         result['dnsName'] = data.Self.DNSName;
-        
+
         result['online'] = (data.Self.Online === true) ?
-          this.translations.yes : this.translations.no; 
-            
+          this.translations.yes : this.translations.no;
+
         result['exitNode'] = (data.Self.ExitNode === true) ?
-          this.translations.yes : this.translations.no; 
+          this.translations.yes : this.translations.no;
 
         result['peerCount'] = Object.keys(data.Peer).length;
 
@@ -94,7 +94,7 @@ export default class Wireguard extends BaseTableWidget {
 
     updateWidgetTable(data) {
         let rows = [];
-        
+
         let color = "text-success";
         if (data['online'] === false) {
             color = "text-danger";
@@ -105,7 +105,7 @@ export default class Wireguard extends BaseTableWidget {
             `<div>${data['online']}</div>`
         ];
         rows.push(row);
-         
+
         // version
         row = [
             `<div>${this.translations.version}</div>`,
@@ -119,15 +119,15 @@ export default class Wireguard extends BaseTableWidget {
             `<div>${data['backendState']}</div>`
         ];
         rows.push(row);
-     
-        // dns name 
+
+        // dns name
         row = [
             `<div>${this.translations.dnsName}</div>`,
             `<div>${data['dnsName']}</div>`
         ];
         rows.push(row);
 
-        // ip addreses 
+        // ip addreses
         row = [
             `<div>${this.translations.tailscaleIP}</div>`,
             `<div>${data['ipAddresses'].join('<br>')}</div>`
@@ -140,14 +140,14 @@ export default class Wireguard extends BaseTableWidget {
             `<div>${data['exitNode']}</div>`
         ];
         rows.push(row);
-        
+
         // peers
         row = [
             `<div>${this.translations.peers}</div>`,
             `<div>${data['peerCount']}</div>`
         ];
         rows.push(row);
-        
+
         super.updateTable('tailscaleStatusTable', rows);
     }
 
@@ -157,4 +157,3 @@ export default class Wireguard extends BaseTableWidget {
         );
     }
 }
-

From 72e7bc03ec1984a67bea390190e91cc59c2b8cb0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 19 Dec 2024 17:36:11 +0100
Subject: [PATCH 2269/3088] make: add glint target here too

---
 Makefile      | 2 +-
 Mk/plugins.mk | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index d6aebe498c..b8928dbc9f 100644
--- a/Makefile
+++ b/Makefile
@@ -44,7 +44,7 @@ list:
 .endfor
 
 # shared targets that are sane to run from the root directory
-TARGETS=	clean lint plist-fix revision style style-fix style-python sweep test
+TARGETS=	clean glint lint plist-fix revision style style-fix style-python sweep test
 
 .for TARGET in ${TARGETS}
 ${TARGET}:
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 3cccfff5da..33d5be9106 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -417,6 +417,8 @@ sweep: check
 	find ${.CURDIR} -type f -depth 1 -print0 | \
 	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile
 
+glint: sweep style-fix plist-fix lint
+
 revision:
 	@MAKE=${MAKE} ${SCRIPTSDIR}/revbump.sh ${.CURDIR}
 

From 80c2623bd581f4586b09eb54ae30b2e0965cf60c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 19 Dec 2024 19:06:56 +0100
Subject: [PATCH 2270/3088] security/tailscale: minor changes to previous

---
 .../mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml   | 2 +-
 security/tailscale/src/opnsense/www/js/widgets/Tailscale.js     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index 6b35707ae1..38d929de3b 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -9,7 +9,7 @@
         <id>settings.listenPort</id>
         <label>Listen Port</label>
 	<type>text</type>
-        <help>UDP port to listen on for Wireguard and peer-to-peer traffic.</help>
+        <help>UDP port to listen on for WireGuard and peer-to-peer traffic.</help>
     </field>
     <field>
         <id>settings.acceptDNS</id>
diff --git a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
index 59e8491dee..f81dccbdb9 100644
--- a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
+++ b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
@@ -24,7 +24,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-export default class Wireguard extends BaseTableWidget {
+export default class Tailscale extends BaseTableWidget {
     constructor() {
         super();
     }

From 2b31d941f6dac7f064d423524632f1190c89895d Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Mon, 23 Dec 2024 08:37:32 +0100
Subject: [PATCH 2271/3088] www/squid: Squid syslog corrections (#4419)

* Adjust syslog-filter to support multiple squid-processes

* Change squid facility from squid-1 to squid
---
 www/squid/src/etc/inc/plugins.inc.d/squid.inc                   | 2 +-
 .../service/templates/OPNsense/Syslog/local/squid_access.conf   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/squid/src/etc/inc/plugins.inc.d/squid.inc b/www/squid/src/etc/inc/plugins.inc.d/squid.inc
index 87948be2bd..5b5a96aafd 100644
--- a/www/squid/src/etc/inc/plugins.inc.d/squid.inc
+++ b/www/squid/src/etc/inc/plugins.inc.d/squid.inc
@@ -73,7 +73,7 @@ function squid_syslog()
 {
     $logfacilities = array();
     $logfacilities['squid'] = array(
-        'facility' => array('(squid-1)')
+        'facility' => array('squid')
     );
     return $logfacilities;
 }
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf b/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
index 0f742e2a14..159dcb5638 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
@@ -2,5 +2,5 @@
 # Local syslog-ng configuration filter definition [squid_access].
 ###################################################################
 filter f_local_squid_access {
-    program("(squid-1)");
+    program("^(squid-|squid-coord-)\\d+");
 };

From 235e6a52148fff67aee829bd430c7dac0bb9fc97 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Thu, 26 Dec 2024 07:49:22 +0100
Subject: [PATCH 2272/3088] Fix typo in freshclam.sh (#4423)

---
 .../clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh b/security/clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh
index cc94eb91c5..715b1ab14e 100755
--- a/security/clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh
+++ b/security/clamav/src/opnsense/scripts/OPNsense/ClamAV/freshclam.sh
@@ -37,7 +37,7 @@ elif pgrep -qF ${PIDFILE} 2> /dev/null; then
 elif [ -z "${COMMAND}" ]; then
 	echo "missing"
 else
-       daemon -f -p ${PIDFILE} /usr/local/etc/rc.d/clamav-freshclam restart
+       daemon -f -p ${PIDFILE} /usr/local/etc/rc.d/clamav_freshclam restart
        echo "starting"
 fi
 

From 30dd74260cec698f0221981fddbccb247489d095 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Thu, 26 Dec 2024 09:01:36 +0100
Subject: [PATCH 2273/3088] www/c-icap: Change 50-c-icap script. (#4424)

---
 www/c-icap/src/etc/rc.syshook.d/start/50-c-icap | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/c-icap/src/etc/rc.syshook.d/start/50-c-icap b/www/c-icap/src/etc/rc.syshook.d/start/50-c-icap
index bb12c91336..ace732728a 100755
--- a/www/c-icap/src/etc/rc.syshook.d/start/50-c-icap
+++ b/www/c-icap/src/etc/rc.syshook.d/start/50-c-icap
@@ -1,4 +1,4 @@
 #!/bin/sh
 
-# start again to fix race with clamav (no need to restart)
-/usr/local/etc/rc.d/c-icap start
+# restart service to make sure c-icap starts after clamav is ready
+/usr/local/etc/rc.d/c-icap restart

From bdf9379b22405946b281280796b39e75df6bc594 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 5 Jan 2025 23:23:24 +0100
Subject: [PATCH 2274/3088] security/acme-client: migrate cert+CA import/update
 to Trust MVC

---
 security/acme-client/pkg-descr                |   2 +
 .../OPNsense/AcmeClient/LeCertificate.php     | 163 ++++++++----------
 .../library/OPNsense/AcmeClient/LeUtils.php   |  82 +--------
 .../scripts/OPNsense/AcmeClient/lecert.php    |   3 +-
 .../OPNsense/AcmeClient/run_remote_ssh.php    |   1 -
 .../OPNsense/AcmeClient/upload_sftp.php       |  17 +-
 6 files changed, 87 insertions(+), 181 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index ff97285f04..1536c9c9ca 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -18,10 +18,12 @@ Added:
 
 Changed:
 * Convert Synology deploy hook variables to uppercase (#4286)
+* Migrate to MVC Trust storage
 
 Fixed:
 * SFTP/SSH automation results in fatal PHP error (#4363)
 * Typo in INWX password field name
+* Certs not fully functional after import into Trust storage (#4401)
 
 4.6
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 9df9e88081..9a5056fbea 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2024 Frank Wall
+ * Copyright (C) 2020-2025 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28,10 +28,12 @@
 
 namespace OPNsense\AcmeClient;
 
-// Load legacy functions
-require_once("certs.inc"); // used in import()
+require_once("script/load_phalcon.php");
 
 use OPNsense\Core\Config;
+use OPNsense\Trust\Ca;
+use OPNsense\Trust\Cert;
+use OPNsense\Trust\Store as CertStore;
 use OPNsense\AcmeClient\LeAccount;
 use OPNsense\AcmeClient\LeAutomationFactory;
 use OPNsense\AcmeClient\LeValidationFactory;
@@ -143,61 +145,54 @@ public function import(bool $skip_validation = false)
         // Read contents from CA file
         $ca_content = @file_get_contents($this->cert_chain_file);
         if ($ca_content != false) {
-            $ca_subject = cert_get_subject($ca_content, false);
-            $ca_serial  = cert_get_serial($ca_content, false);
-            $ca_cn      = LeUtils::local_cert_get_cn($ca_content, false);
-            $ca_issuer  = cert_get_issuer($ca_content, false);
-            $ca_purpose = cert_get_purpose($ca_content, false);
+            $ca_details = CertStore::parseX509($ca_content);
+            $ca_subject = $ca_details['name'];
+            $ca_serial = $ca_details['serialNumber'];
+            $ca_cn = $ca_details['commonname'];
+            $ca_issuer = implode(",", $ca_details['issuer']);
         } else {
             LeUtils::log_error('unable to read CA certificate content from file');
             Config::getInstance()->unlock();
             return false;
         }
 
-        // Prepare CA for import in Cert Manager
+        // Prepare CA
+        $caModel = new Ca();
         $ca = array();
-        $ca['crt'] = base64_encode($ca_content);
         $ca['refid'] = uniqid();
+        $ca['descr'] = (string)$ca_cn . ' (ACME Client)';
         $ca_found = false;
 
         // Check if CA was previously imported
-        foreach (Config::getInstance()->object()->ca as $cacrt) {
-            $cacrt_subject = cert_get_subject($cacrt->crt, true);
-            $cacrt_issuer = cert_get_issuer($cacrt->crt, true);
+        foreach ($caModel->ca->iterateItems() as $cacrt) {
+            $cacrt_content = base64_decode((string)$cacrt->crt);
+            $cacrt_details = CertStore::parseX509($cacrt_content);
+            $cacrt_subject = $cacrt_details['name'];
+            $cacrt_issuer = implode(",", $cacrt_details['issuer']);
             if (($ca_subject === $cacrt_subject) and ($ca_issuer === $cacrt_issuer)) {
                 // Use old refid instead of generating a new one
                 $ca['refid'] = (string)$cacrt->refid;
+                // Update existing CA
+                $cacrt->descr = $ca['descr'];
                 $ca_found = true;
                 break;
             }
         }
 
-        // Collect required CA information
-        $ca_cn = LeUtils::local_cert_get_cn($ca_content, false);
-        $ca['descr'] = (string)$ca_cn . ' (ACME Client)';
-
-        // Prepare CA for import
-        LeUtils::local_ca_import($ca, $ca_content);
-
-        // Check if CA was found in config
-        if ($ca_found == true) {
-            // Update existing CA
-            foreach (Config::getInstance()->object()->ca as $cacrt) {
-                if ((string)$cacrt->refid == $ca['refid']) {
-                    $cacrt->crt = $ca['crt'];
-                    $cacrt->descr = $ca['descr'];
-                    break;
-                }
-            }
-        } else {
-            // Create new CA
-            LeUtils::log("importing ACME CA: {$ca_cn}");
-            $newca = Config::getInstance()->object()->addChild('ca');
+        // Create new CA
+        if ($ca_found == false) {
+            LeUtils::log("imported ACME CA: {$ca_cn} ({$ca['refid']})");
+            $newca = $caModel->ca->Add();
             foreach (array_keys($ca) as $cacfg) {
-                $newca->addChild($cacfg, (string)$ca[$cacfg]);
+                $newca->$cacfg = (string)$ca[$cacfg];
             }
+            $newca->crt = base64_encode($ca_content);
         }
 
+        // Serialize to config and save
+        $caModel->serializeToConfig();
+        Config::getInstance()->save();
+
         /**
          * Step 2: import certificate
          */
@@ -205,11 +200,11 @@ public function import(bool $skip_validation = false)
         // Read contents from certificate file
         $cert_content = @file_get_contents($this->cert_file);
         if ($cert_content != false) {
-            $cert_subject = cert_get_subject($cert_content, false);
-            $cert_serial  = cert_get_serial($cert_content, false);
-            $cert_cn      = LeUtils::local_cert_get_cn($cert_content, false);
-            $cert_issuer  = cert_get_issuer($cert_content, false);
-            $cert_purpose = cert_get_purpose($cert_content, false);
+            $cert_details = CertStore::parseX509($cert_content);
+            $cert_subject = $cert_details['name'];
+            $cert_serial  = $cert_details['serialNumber'];
+            $cert_cn      = $cert_details['commonname'];
+            $cert_issuer  = implode(",", $cert_details['issuer']);
         } else {
             LeUtils::log_error('unable to read certificate content from file');
             Config::getInstance()->unlock();
@@ -217,65 +212,48 @@ public function import(bool $skip_validation = false)
             return false;
         }
 
-        // Prepare certificate for import in Cert Manager
+        // Read private key
+        $key_content = @file_get_contents($this->cert_key_file);
+        if ($key_content == false) {
+            LeUtils::log_error('unable to read private key from file: ' . $this->cert_key_file);
+            Config::getInstance()->unlock();
+            $this->setStatus(500);
+            return false;
+        }
+
+        // Prepare certificate
+        $certModel = new Cert();
         $cert = array();
-        $cert_refid = uniqid();
-        $cert['refid'] = $cert_refid;
+        $cert['refid'] = uniqid();
         $cert['caref'] = (string)$ca['refid'];
+        $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
         $import_log_message = 'imported';
         $cert_found = false;
 
-        // Check if cert was previously imported
+        // Check if cert was previously imported.
+        // Otherwise just import as new cert.
         if (!empty((string)$this->config->certRefId)) {
             // Check if the previously imported certificate can still be found
-            foreach (Config::getInstance()->object()->cert as $cfgCert) {
+            foreach ($certModel->cert->iterateItems() as $cfgCert) {
                 // Check if IDs match
                 if ((string)$this->config->certRefId == (string)$cfgCert->refid) {
+                    // Use old refid instead of generating a new one
+                    $cert['refid'] = (string)$cfgCert->refid;
+                    $import_log_message = 'updated';
                     $cert_found = true;
                     break;
                 }
             }
-            // Existing cert?
-            if ($cert_found) {
-                // Use old refid instead of generating a new one
-                $cert_refid = (string)$this->config->certRefId;
-                $import_log_message = 'updated';
-            }
-        } else {
-            // Not found. Just import as new cert.
         }
 
-        // Read private key
-        $key_content = @file_get_contents($this->cert_key_file);
-        if ($key_content == false) {
-            LeUtils::log_error('unable to read private key from file: ' . $this->cert_key_file);
-            Config::getInstance()->unlock();
-            $this->setStatus(500);
-            return false;
-        }
-
-        // Collect required cert information
-        $cert_cn = LeUtils::local_cert_get_cn($cert_content, false);
-        $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
-        $cert['refid'] = $cert_refid;
-
-        // Prepare certificate for import
-        cert_import($cert, $cert_content, $key_content);
-
-        // Overwrite caref in order to use the correct CA (GH #2550).
-        // This is required because cert_import() uses lookup_ca_by_subject()
-        // to find a matching CA. If multiple CAs are using the same name, the
-        // first CA wins, but it may still be the wrong CA.
-        $cert['caref'] = (string)$ca['refid'];
-
         // Check if cert was found in config
         if ($cert_found == true) {
             // Update existing cert
-            foreach (Config::getInstance()->object()->cert as $cfgCert) {
+            foreach ($certModel->cert->iterateItems() as $cfgCert) {
                 if ((string)$cfgCert->refid == $cert['refid']) {
-                    $cfgCert->crt = $cert['crt'];
-                    $cfgCert->prv = $cert['prv'];
                     $cfgCert->descr = $cert['descr'];
+                    $cfgCert->crt = base64_encode($cert_content);
+                    $cfgCert->prv = base64_encode($key_content);
                     // Update CA ref, because it may be signed by a different CA.
                     $cfgCert->caref = $cert['caref'];
                     break;
@@ -283,27 +261,32 @@ public function import(bool $skip_validation = false)
             }
         } else {
             // Create new cert
-            $newcert = Config::getInstance()->object()->addChild('cert');
+            $newcert = $certModel->cert->Add();
             foreach (array_keys($cert) as $certcfg) {
-                $newcert->addChild($certcfg, (string)$cert[$certcfg]);
+                $newcert->$certcfg = (string)$cert[$certcfg];
             }
+            $newcert->crt = base64_encode($cert_content);
+            $newcert->prv = base64_encode($key_content);
         }
-        LeUtils::log("{$import_log_message} ACME X.509 certificate: {$cert_cn}");
+        LeUtils::log("{$import_log_message} ACME X.509 certificate: {$cert_cn} ({$cert['refid']})");
+
+        // Serialize to config and save
+        // Skip validation because the current in-memory model may not
+        // know about the CA item that was just created.
+        $certModel->serializeToConfig(false,true);
+        Config::getInstance()->save();
 
         /**
          * Step 3: update configuration
          */
 
-        // Add refid to certObj
-        $this->config->certRefId = $cert_refid;
-        // Set update/create time
+        // Update Acme cert config
+        $this->config->certRefId = $cert['refid'];
         $this->config->lastUpdate = time();
 
         // Serialize to config and save
         $this->model->serializeToConfig();
         Config::getInstance()->save();
-
-        // Reload to get most recent config
         Config::getInstance()->forceReload();
         $this->loadConfig(self::CONFIG_PATH, $this->uuid);
 
@@ -402,12 +385,12 @@ public function issue()
             return false;
         }
 
-        // Run referenced automations.
-        $this->runAutomations();
-
         // Update cert status.
         $this->setStatus(200);
 
+        // Run referenced automations.
+        $this->runAutomations();
+
         return true;
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index 7514ed6562..6dfd33effd 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2017-2024 Frank Wall
+ * Copyright (C) 2017-2025 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * Copyright (C) 2010 Jim Pingle <jimp@pfsense.org>
  * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
@@ -70,86 +70,6 @@ public static function execSafe($format, $args = array())
         return vsprintf($format, $args);
     }
 
-    // Copied from system_camanager.php.
-    public static function local_ca_import(&$ca, $str, $key = "", $serial = 0)
-    {
-        // Get config object.
-        $config = Config::getInstance()->object();
-
-        $ca['crt'] = base64_encode($str);
-        if (!empty($key)) {
-            $ca['prv'] = base64_encode($key);
-        }
-        if (!empty($serial)) {
-            $ca['serial'] = $serial;
-        }
-        $subject = cert_get_subject($str, false);
-        $issuer = cert_get_issuer($str, false);
-
-        // Find my issuer unless self-signed
-        if ($issuer != $subject) {
-            $issuer_crt =& lookup_ca_by_subject($issuer);
-            if ($issuer_crt) {
-                $ca['caref'] = $issuer_crt['refid'];
-            }
-        }
-
-        /* Correct if child certificate was loaded first */
-        if (is_array($config['ca'])) {
-            foreach ($config['ca'] as & $oca) {
-                $issuer = cert_get_issuer($oca['crt']);
-                if ($ca['refid'] != $oca['refid'] && $issuer == $subject) {
-                    $oca['caref'] = $ca['refid'];
-                }
-            }
-        }
-        if (is_array($config['cert'])) {
-            foreach ($config['cert'] as & $cert) {
-                $issuer = cert_get_issuer($cert['crt']);
-                if ($issuer == $subject) {
-                    $cert['caref'] = $ca['refid'];
-                }
-            }
-        }
-        return true;
-    }
-
-    // copied from certs.inc
-    public static function local_cert_get_cn($crt, $decode = true)
-    {
-        $sub = self::local_cert_get_subject_array($crt, $decode);
-        if (is_array($sub)) {
-            foreach ($sub as $s) {
-                if (strtoupper($s['a']) == "CN") {
-                    return $s['v'];
-                }
-            }
-        }
-        return "";
-    }
-
-    // copied from certs.inc
-    public static function local_cert_get_subject_array($str_crt, $decode = true)
-    {
-        if ($decode) {
-            $str_crt = base64_decode($str_crt);
-        }
-        $inf_crt = openssl_x509_parse($str_crt);
-        $components = $inf_crt['subject'];
-
-        if (!is_array($components)) {
-            return;
-        }
-
-        $subject_array = array();
-
-        foreach ($components as $a => $v) {
-            $subject_array[] = array('a' => $a, 'v' => $v);
-        }
-
-        return $subject_array;
-    }
-
     /**
      * log runtime information
      */
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
index 73bb87ee28..0079a3a8f7 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/lecert.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2021 Frank Wall
+ * Copyright (C) 2020-2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -30,7 +30,6 @@
 
 // Import legacy code
 @include_once('config.inc');
-@include_once('certs.inc');
 @include_once('util.inc');
 
 // Import classes
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
index 97e2b0809c..019c44d819 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
@@ -94,7 +94,6 @@
 
 // Optional imports
 @include_once("config.inc");
-@include_once("certs.inc");
 @include_once("util.inc");
 
 // Optional autoloader (for local dev environment)
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index 052a1889ca..40db45dbe8 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -2,6 +2,7 @@
 <?php
 
 /*
+ * Copyright (C) 2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -124,8 +125,8 @@
 
 // Optional imports
 @include_once("config.inc");
-@include_once("certs.inc");
 @include_once("util.inc");
+require_once("script/load_phalcon.php");
 
 // Optional autoloader (for local dev environment)
 if (!function_exists("log_error")) {
@@ -135,6 +136,8 @@
 }
 
 // Importing classes
+use OPNsense\Trust\Cert;
+use OPNsense\Trust\Store as CertStore;
 use OPNsense\AcmeClient\SftpUploader;
 use OPNsense\AcmeClient\SftpClient;
 use OPNsense\AcmeClient\SSHKeys;
@@ -519,17 +522,17 @@ function findCertificates(array $certificate_ids_or_names, $load_content = true)
 function exportCertificates(array $cert_refids): array
 {
     $result = [];
-    $config = OPNsense\Core\Config::getInstance()->object();
-    foreach ($config->cert as $cert) {
+    $certModel = new Cert();
+    foreach ($certModel->cert->iterateItems() as $cert) {
         $refid = (string)$cert->refid;
         $item = [];
         if (in_array($refid, $cert_refids)) {
-            $item["cert"] = str_replace(["\n\n", "\r"], ["\n", ""], base64_decode($cert->crt));
-            $item["key"] = str_replace(["\n\n", "\r"], ["\n", ""], base64_decode($cert->prv));
+            $_tmp = CertStore::getCertificate($refid);
+            $item["cert"] = $_tmp["crt"];
+            $item["key"] = $_tmp["prv"];
             // check if a CA is linked
             if (!empty((string)$cert->caref)) {
-                $cert = (array)$cert;
-                $item["ca"] = ca_chain($cert);
+                $item["ca"] = $_tmp["ca"];;
                 // combine files to export a fullchain.pem
                 $item["fullchain"] = $item["cert"] . $item["ca"];
             }

From 4f44f8337bf36b6247c48084f8460852d94126d2 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 7 Jan 2025 17:05:22 +0100
Subject: [PATCH 2275/3088] www/caddy: Some small UX tweaks (#4442)

* www/caddy: Remove HTTP from terminology. It was added when Layer4 Proxy was still in the same tabs to distinguish the HTTP Proxy from the Layer4 Proxy. Now that everything has its own pages it improves readability and follows the caddy syntax more closely.

* www/caddy: Do not auto hide the access settings, its annoying

* www/caddy: Remove hints that are no real defaults or can change dynamically depending on configuration.
---
 .../OPNsense/Caddy/forms/dialogHandle.xml      |  2 --
 .../Caddy/forms/dialogReverseProxy.xml         |  3 ---
 .../OPNsense/Caddy/forms/dialogSubdomain.xml   |  1 -
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml    |  2 +-
 .../views/OPNsense/Caddy/reverse_proxy.volt    | 18 +++++++++---------
 5 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 3ada90d0bb..7ece8310aa 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -119,14 +119,12 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <hint>192.168.1.1</hint>
         <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration" in advanced mode. When directive is "redir", only the first domain will be evaluated.]]></help>
     </field>
     <field>
         <id>handle.ToPort</id>
         <label>Upstream Port</label>
         <type>text</type>
-        <hint>80</hint>
         <help><![CDATA[Leave empty to use the default port or choose a custom port for the upstream destination.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 522c916d44..014e1853ea 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -25,14 +25,12 @@
         <id>reverse.FromDomain</id>
         <label>Domain</label>
         <type>text</type>
-        <hint>example.com</hint>
         <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". For a wildcard domain, use "*.example.com". Using a wildcard domain with subdomains requires a "DNS Provider" and the "DNS-01 Challenge" or a custom certificate.]]></help>
     </field>
     <field>
         <id>reverse.FromPort</id>
         <label>Port</label>
         <type>text</type>
-        <hint>443</hint>
         <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule. If the default ports have been changed in "General Settings", leaving this empty will use the chosen alternative ports instead.]]></help>
     </field>
     <field>
@@ -65,7 +63,6 @@
     <field>
         <type>header</type>
         <label>Access</label>
-        <collapse>true</collapse>
     </field>
     <field>
         <id>reverse.accesslist</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 8711c4a968..8a515e2ca6 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -44,7 +44,6 @@
     <field>
         <type>header</type>
         <label>Access</label>
-        <collapse>true</collapse>
     </field>
     <field>
         <id>subdomain.accesslist</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index f7da86b039..920f2cac27 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -206,7 +206,7 @@
                 <description type="DescriptionField"/>
                 <DnsChallenge type="BooleanField"/>
                 <CustomCertificate type="CertificateField">
-                    <BlankDesc>ACME (HTTP-01, TLS-ALPN-01)</BlankDesc>
+                    <BlankDesc>ACME</BlankDesc>
                 </CustomCertificate>
                 <AccessLog type="BooleanField"/>
                 <DynDns type="BooleanField"/>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 42036d6040..b77bf8618a 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -226,7 +226,7 @@
             toggleVisibility(currentTab);
         });
 
-        // Add click event listener for "Add HTTP Handler" button
+        // Add click event listener for "Add Handler" button
         $("#addHandleBtn").on("click", function() {
             if ($('#maintabs .active a').attr('href') === "#handlesTab") {
                 $("#addReverseHandleBtn").click();
@@ -317,9 +317,9 @@
 
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li id="tab-domains" class="active"><a data-toggle="tab" href="#domainsTab">{{ lang._('Domains') }}</a></li>
-    <li id="tab-handlers"><a data-toggle="tab" href="#handlesTab">{{ lang._('HTTP Handlers') }}</a></li>
-    <li id="tab-access"><a data-toggle="tab" href="#accessTab">{{ lang._('HTTP Access') }}</a></li>
-    <li id="tab-headers"><a data-toggle="tab" href="#headerTab">{{ lang._('HTTP Headers') }}</a></li>
+    <li id="tab-handlers"><a data-toggle="tab" href="#handlesTab">{{ lang._('Handlers') }}</a></li>
+    <li id="tab-access"><a data-toggle="tab" href="#accessTab">{{ lang._('Access') }}</a></li>
+    <li id="tab-headers"><a data-toggle="tab" href="#headerTab">{{ lang._('Headers') }}</a></li>
 </ul>
 
 <div class="tab-content content-box">
@@ -328,7 +328,7 @@
         <!-- Button group on the left -->
         <div>
             <button id="addDomainBtn" type="button" class="btn btn-secondary">{{ lang._('Step 1: Add Domain') }}</button>
-            <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add HTTP Handler') }}</button>
+            <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add Handler') }}</button>
         </div>
         <!-- Selectpicker and Clear All on the right -->
         <div class="filter-actions" style="display: flex; flex-direction: column; align-items: flex-end;">
@@ -418,7 +418,7 @@
     <!-- Handle Tab -->
     <div id="handlesTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('HTTP Handlers') }}</h1>
+            <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHandleGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHandle" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -538,7 +538,7 @@
     <!-- Header Tab -->
     <div id="headerTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('HTTP Headers') }}</h1>
+            <h1 class="custom-header">{{ lang._('Headers') }}</h1>
             <div style="display: block;"> <!-- Common container -->
                 <table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
                     <thead>
@@ -593,7 +593,7 @@
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':'DialogReverseProxy','label':lang._('Edit Domain')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':'DialogSubdomain','label':lang._('Edit Subdomain')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit HTTP Handler')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit Handler')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit HTTP Header')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit Header')])}}

From d5b7c364c788d0638a56c367dce9f18ac1a1bfb0 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 7 Jan 2025 17:05:50 +0100
Subject: [PATCH 2276/3088] www/caddy: Mark DNS Providers optional that are not
 included per default (#4441)

* www/caddy: Mark DNS Providers optional that are not included in the shipped binary per default. These modules must be added on demand on the command line with caddy add-package. This lowers maintainance burden and deflates the binary of big unused structs and sdks, since providers like route53 or googleclouddns alone pull around 16MB into the binary. Remove duplicate Netcup.

* www/caddy: Make API Fields for DNS Providers clearer
---
 .../OPNsense/Caddy/forms/general.xml          | 23 +++++++++----------
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 23 +++++++++----------
 2 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 10976f1649..488c9aeb29 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -98,46 +98,45 @@
             <id>caddy.general.TlsDnsProvider</id>
             <label>DNS Provider</label>
             <type>dropdown</type>
-            <help><![CDATA[Select the DNS provider for the DNS-01 Challenge and Dynamic DNS. This is mostly needed for Wildcard Certificates, and for Dynamic DNS. To use, enable the checkbox in a "Domain" or "Subdomain". For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
+            <help><![CDATA[Select the DNS Provider for the DNS-01 Challenge and Dynamic DNS. Providers marked as "optional" must be installed manually, see https://caddyserver.com/docs/command-line#caddy-add-package. For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
+        </field>
+        <field>
+            <type>header</type>
+            <label>API Fields</label>
         </field>
         <field>
             <id>caddy.general.TlsDnsApiKey</id>
-            <label>DNS API Standard Field</label>
+            <label>API Field 1</label>
             <type>text</type>
             <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token", Hetzner "api_token"]]></help>
         </field>
-        <field>
-            <type>header</type>
-            <label>Additional Fields</label>
-            <collapse>true</collapse>
-        </field>
         <field>
             <id>caddy.general.TlsDnsSecretApiKey</id>
-            <label>DNS API Additional Field 1</label>
+            <label>API Field 2</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField1</id>
-            <label>DNS API Additional Field 2</label>
+            <label>API Field 3</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "hosted_zone_id", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField2</id>
-            <label>DNS API Additional Field 3</label>
+            <label>API Field 4</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField3</id>
-            <label>DNS API Additional Field 4</label>
+            <label>API Field 5</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField4</id>
-            <label>DNS API Additional Field 5</label>
+            <label>API Field 6</label>
             <type>text</type>
             <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "session_token".]]></help>
         </field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 920f2cac27..5fd4bf0003 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -26,42 +26,41 @@
                 <OptionValues>
                     <cloudflare>Cloudflare</cloudflare>
                     <duckdns>Duck DNS</duckdns>
-                    <digitalocean>DigitalOcean</digitalocean>
                     <gandi>Gandi</gandi>
                     <ionos>IONOS</ionos>
                     <desec>Desec</desec>
                     <porkbun>Porkbun</porkbun>
-                    <route53>Route53</route53>
                     <acmedns>ACME-DNS</acmedns>
-                    <googleclouddns>Google Cloud DNS</googleclouddns>
                     <azure>Azure</azure>
                     <ovh>OVH</ovh>
                     <namecheap>Namecheap</namecheap>
-                    <netlify>Netlify</netlify>
                     <powerdns>PowerDNS</powerdns>
-                    <ddnss>DDNSS</ddnss>
-                    <njalla>Njalla</njalla>
                     <linode>Linode</linode>
-                    <tencentcloud>Tencent Cloud</tencentcloud>
-                    <dinahosting>Dinahosting</dinahosting>
                     <hexonet>Hexonet</hexonet>
                     <mailinabox>Mail-in-a-Box</mailinabox>
-                    <netcup>Netcup</netcup>
                     <rfc2136>RFC2136</rfc2136>
                     <dnsmadeeasy>DNS Made Easy</dnsmadeeasy>
                     <bunny>Bunny</bunny>
-                    <civo>Civo</civo>
                     <scaleway>Scaleway</scaleway>
                     <acmeproxy>ACME Proxy</acmeproxy>
                     <inwx>INWX</inwx>
                     <netcup>Netcup</netcup>
                     <namedotcom>Name.com</namedotcom>
-                    <easydns>EasyDNS</easydns>
                     <infomaniak>Infomaniak</infomaniak>
                     <directadmin>DirectAdmin</directadmin>
-                    <hosttech>Hosttech</hosttech>
                     <vultr>Vultr</vultr>
                     <hetzner>Hetzner</hetzner>
+                    <digitalocean>DigitalOcean (optional)</digitalocean>
+                    <route53>Route53 (optional)</route53>
+                    <googleclouddns>Google Cloud DNS (optional)</googleclouddns>
+                    <netlify>Netlify (optional)</netlify>
+                    <ddnss>DDNSS (optional)</ddnss>
+                    <njalla>Njalla (optional)</njalla>
+                    <tencentcloud>Tencent Cloud (optional)</tencentcloud>
+                    <dinahosting>Dinahosting (optional)</dinahosting>
+                    <civo>Civo (optional)</civo>
+                    <easydns>EasyDNS (optional)</easydns>
+                    <hosttech>Hosttech (optional)</hosttech>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField"/>

From ed4c9a345b8d933f2b4fb9983631b23d7f16b63b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 7 Jan 2025 17:06:43 +0100
Subject: [PATCH 2277/3088] www/caddy: Add syslog function; change visible name
 to Caddy (#4439)

* www/caddy: Add syslog function

* www/caddy: Bump version

* www/caddy: Add changelog, make sweep

* www/caddy: Change visible name from Caddy Web Server to Caddy

* www/caddy: Update changelog again

* www/caddy: Reduce diff in caddy.inc
---
 www/caddy/Makefile                                    |  2 +-
 www/caddy/pkg-descr                                   | 10 ++++++++++
 www/caddy/src/etc/inc/plugins.inc.d/caddy.inc         | 11 ++++++++---
 .../mvc/app/models/OPNsense/Caddy/Menu/Menu.xml       |  2 +-
 4 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index f5a01d871f..4264cd9b08 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.7.6
+PLUGIN_VERSION=		1.8.0
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 2ec24cd5ea..f7217f7f6b 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,16 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.8.0
+
+* Build: Update to caddy-v2.9.0 and update dependencies (opnsense/plugins/issues/4437)
+* Build: Fix caddy-l4 timeout issue (opnsense/plugins/issues/4384)
+* Build: Mark DNS Providers optional that are not included per default (opnsense/plugins/pull/4441)
+         digitalocean, route53, googleclouddns, netlify, ddnss, njalla, tencentcloud
+         dinahosting, civo, easydns, hosttech; must be added via https://caddyserver.com/docs/command-line#caddy-add-package
+* Cleanup: Refactor caddy.inc and add syslog function, change name from Caddy Web Server to Caddy (opnsense/plugins/issues/4426)
+* Cleanup: Some small UI tweaks (opnsense/plugins/pull/4442)
+
 1.7.6
 
 * Fix: Web UI can still restart/stop Caddy when running as `www` user (opnsense/plugins/pull/4403)
diff --git a/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc b/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
index 78da119b7c..5e116933a2 100644
--- a/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
+++ b/www/caddy/src/etc/inc/plugins.inc.d/caddy.inc
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2023-2024 Cedrik Pischem
+ * Copyright (C) 2023-2025 Cedrik Pischem
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,7 @@ function caddy_services()
         $config['Pischem']['caddy']['general']['enabled'] == 1
     ) {
         $services[] = array(
-            'description' => gettext('Caddy Web Server'),
+            'description' => gettext('Caddy'),
             'configd' => array(
                 'restart' => array('caddy restart'),
                 'start' => array('caddy start'),
@@ -56,7 +56,7 @@ function caddy_xmlrpc_sync()
     $result = array();
 
     $result[] = array(
-        'description' => gettext('Caddy Web Server'),
+        'description' => gettext('Caddy'),
         'section' => 'Pischem.caddy',
         'id' => 'caddy',
         'services' => ["caddy"],
@@ -64,3 +64,8 @@ function caddy_xmlrpc_sync()
 
     return $result;
 }
+
+function caddy_syslog()
+{
+    return ['caddy' => ['facility' => ['caddy']]];
+}
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
index 0a992a746f..421560b530 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Menu/Menu.xml
@@ -1,6 +1,6 @@
 <menu>
     <Services>
-        <Caddy VisibleName="Caddy Web Server" cssClass="fa fa-globe fa-fw">
+        <Caddy cssClass="fa fa-globe fa-fw">
             <General VisibleName="General Settings" order="10" url="/ui/caddy/general"/>
             <ReverseProxy VisibleName="Reverse Proxy" order="20" url="/ui/caddy/reverse_proxy"/>
             <Layer4 VisibleName="Layer4 Proxy" order="30" url="/ui/caddy/layer4"/>

From 5816a723324e344a6fdf1bdab2fc93f74763c92e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jan 2025 08:08:11 +0100
Subject: [PATCH 2278/3088] security/acme-client: style sweep

---
 .../mvc/app/library/OPNsense/AcmeClient/LeCertificate.php      | 2 +-
 .../src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php   | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 9a5056fbea..518a2c0f7e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -273,7 +273,7 @@ public function import(bool $skip_validation = false)
         // Serialize to config and save
         // Skip validation because the current in-memory model may not
         // know about the CA item that was just created.
-        $certModel->serializeToConfig(false,true);
+        $certModel->serializeToConfig(false, true);
         Config::getInstance()->save();
 
         /**
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index 40db45dbe8..f5e00cc85d 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -532,7 +532,8 @@ function exportCertificates(array $cert_refids): array
             $item["key"] = $_tmp["prv"];
             // check if a CA is linked
             if (!empty((string)$cert->caref)) {
-                $item["ca"] = $_tmp["ca"];;
+                $item['ca'] = $_tmp['ca'];
+
                 // combine files to export a fullchain.pem
                 $item["fullchain"] = $item["cert"] . $item["ca"];
             }

From fc23b6a7003af8b525b640d9d64fa64426d88267 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Wed, 8 Jan 2025 09:18:03 +0100
Subject: [PATCH 2279/3088] net/frr - style cleanup and unify forms (#4450)

* net/frr - style cleanup and unify forms

Apply frontend / api changes to align more with current core patterns.

* net/frr - change maintainer to core
---
 net/frr/Makefile                              |   2 +-
 .../OPNsense/Quagga/Api/BfdController.php     |  10 +-
 .../OPNsense/Quagga/Api/GeneralController.php |  46 +---
 .../Quagga/Api/OspfsettingsController.php     |  13 +-
 .../OPNsense/Quagga/Api/ServiceController.php | 119 +--------
 .../mvc/app/views/OPNsense/Quagga/bfd.volt    | 108 ++++----
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    | 235 ++++++++----------
 .../app/views/OPNsense/Quagga/general.volt    |  53 ++--
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 210 ++++++++--------
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  |  59 ++---
 .../mvc/app/views/OPNsense/Quagga/rip.volt    |  64 +++--
 11 files changed, 369 insertions(+), 550 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 30b45d27b1..d8e07f27a2 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.42
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
-PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
+PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
index 4904f54c0d..76fe62f705 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BfdController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2015-2025 Deciso B.V.
  * Copyright (C) 2017 Fabian Franz
  * Copyright (C) 2017-2021 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
@@ -39,17 +39,11 @@ class BfdController extends ApiMutableModelControllerBase
 
     public function searchNeighborAction()
     {
-        return $this->searchBase(
-            'neighbors.neighbor',
-            array("enabled",
-                  "description",
-                  "address")
-        );
+        return $this->searchBase('neighbors.neighbor');
     }
 
     public function getNeighborAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('neighbor', 'neighbors.neighbor', $uuid);
     }
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
index e27efec61e..d8e615d6a0 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/GeneralController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2015-2025 Deciso B.V.
  * Copyright (C) 2017 Fabian Franz
  * All rights reserved.
  *
@@ -29,46 +29,10 @@
 
 namespace OPNsense\Quagga\Api;
 
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\Quagga\General;
-use OPNsense\Core\Config;
+use OPNsense\Base\ApiMutableModelControllerBase;
 
-class GeneralController extends ApiControllerBase
+class GeneralController extends ApiMutableModelControllerBase
 {
-    public function getAction()
-    {
-        // define list of configurable settings
-        $result = array();
-        if ($this->request->isGet()) {
-            $mdlGeneral = new General();
-            $result['general'] = $mdlGeneral->getNodes();
-        }
-        return $result;
-    }
-    public function setAction()
-    {
-        $result = array("result" => "failed");
-        if ($this->request->isPost()) {
-            // load model and update with provided data
-            $mdlGeneral = new General();
-            $mdlGeneral->setNodes($this->request->getPost("general"));
-
-            // perform validation
-            $valMsgs = $mdlGeneral->performValidation();
-            foreach ($valMsgs as $field => $msg) {
-                if (!array_key_exists("validations", $result)) {
-                    $result["validations"] = array();
-                }
-                $result["validations"]["general." . $msg->getField()] = $msg->getMessage();
-            }
-
-            // serialize model to config and save
-            if ($valMsgs->count() == 0) {
-                $mdlGeneral->serializeToConfig();
-                Config::getInstance()->save();
-                $result["result"] = "saved";
-            }
-        }
-        return $result;
-    }
+    protected static $internalModelName = 'general';
+    protected static $internalModelClass = '\OPNsense\Quagga\General';
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
index ae4c6b1285..cb495c1c24 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ *    Copyright (C) 2025 Deciso B.V.
  *    Copyright (C) 2017 Fabian Franz
  *    Copyright (C) 2019 Michael Muenz <m.muenz@gmail.com>
  *    All rights reserved.
@@ -38,38 +39,34 @@ class OspfsettingsController extends ApiMutableModelControllerBase
 
     public function searchNetworkAction()
     {
-        return $this->searchBase('networks.network', array("enabled", "ipaddr", "netmask", "area"));
+        return $this->searchBase('networks.network');
     }
     public function searchInterfaceAction()
     {
-        return $this->searchBase('interfaces.interface', array("enabled", "interfacename", "networktype", "authtype", "area"));
+        return $this->searchBase('interfaces.interface');
     }
     public function searchPrefixlistAction()
     {
-        return $this->searchBase('prefixlists.prefixlist', array("enabled", "name", "seqnumber", "action", "network" ));
+        return $this->searchBase('prefixlists.prefixlist');
     }
     public function searchRoutemapAction()
     {
-        return $this->searchBase('routemaps.routemap', array("enabled", "name", "action", "id", "match2", "set"));
+        return $this->searchBase('routemaps.routemap');
     }
     public function getNetworkAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('network', 'networks.network', $uuid);
     }
     public function getInterfaceAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('interface', 'interfaces.interface', $uuid);
     }
     public function getPrefixlistAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('prefixlist', 'prefixlists.prefixlist', $uuid);
     }
     public function getRoutemapAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('routemap', 'routemaps.routemap', $uuid);
     }
     public function addNetworkAction()
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
index a9935cfb59..c62632492a 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2015-2025 Deciso B.V.
  * Copyright (C) 2017 Fabian Franz
  * All rights reserved.
  *
@@ -29,121 +29,16 @@
 
 namespace OPNsense\Quagga\Api;
 
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Quagga\General;
+use OPNsense\Base\ApiMutableServiceControllerBase;
 
 /**
  * Class ServiceController
  * @package OPNsense\Quagga
  */
-class ServiceController extends ApiControllerBase
+class ServiceController extends ApiMutableServiceControllerBase
 {
-    /**
-     * start quagga service and reload filter rules to pass OSPF
-     * before the bogon filter kills the routing protocol packets
-     * @return array
-     */
-    public function startAction()
-    {
-        if ($this->request->isPost()) {
-            $backend = new Backend();
-            $response = $backend->configdRun('quagga start');
-            $backend->configdRun('filter reload');
-            return array('response' => $response);
-        } else {
-            return array('response' => array());
-        }
-    }
-
-    /**
-     * stop quagga service
-     * @return array
-     */
-    public function stopAction()
-    {
-        if ($this->request->isPost()) {
-            $backend = new Backend();
-            $response = $backend->configdRun('quagga stop');
-            return array('response' => $response);
-        } else {
-            return array('response' => array());
-        }
-    }
-
-    /**
-     * restart quagga service
-     * @return array
-     */
-    public function restartAction()
-    {
-        if ($this->request->isPost()) {
-            $backend = new Backend();
-            $response = $backend->configdRun('quagga restart');
-            $backend->configdRun('filter reload');
-            return array('response' => $response);
-        } else {
-            return array('response' => array());
-        }
-    }
-
-    /**
-     * retrieve status of quagga
-     * @return array
-     * @throws \Exception
-     */
-    public function statusAction()
-    {
-        $backend = new Backend();
-        $mdlGeneral = new General();
-        $response = $backend->configdRun('quagga status');
-
-        if (strpos($response, 'not running') > 0) {
-            if ($mdlGeneral->enabled->__toString() == 1) {
-                $status = 'stopped';
-            } else {
-                $status = 'disabled';
-            }
-        } elseif (strpos($response, 'is running') > 0) {
-            $status = 'running';
-        } elseif ($mdlGeneral->enabled->__toString() == 0) {
-            $status = 'disabled';
-        } else {
-            $status = 'unknown';
-        }
-
-
-        return array('status' => $status);
-    }
-
-    /**
-     * reconfigure quagga, generate config and reload
-     */
-    public function reconfigureAction()
-    {
-        if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
-            $mdlGeneral = new General();
-            $backend = new Backend();
-
-            $runStatus = $this->statusAction();
-
-            // stop quagga if it is running or not
-            $this->stopAction();
-
-            // generate template
-            $backend->configdRun('template reload OPNsense/Quagga');
-
-            // (res)start daemon
-            if ($mdlGeneral->enabled->__toString() == 1) {
-                $this->startAction();
-            }
-
-            return array('status' => 'ok');
-        } else {
-            return array('status' => 'failed');
-        }
-    }
+    protected static $internalServiceClass = '\OPNsense\Quagga\General';
+    protected static $internalServiceTemplate = 'OPNsense/Quagga';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'quagga';
 }
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
index 3c56ad63eb..4510e23ce1 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 Copyright (C) 2017 Fabian Franz
 Copyright (C) 2017 - 2021 Michael Muenz <m.muenz@gmail.com>
 All rights reserved.
@@ -27,20 +27,46 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
+
+<script>
+    $( document ).ready(function() {
+        mapDataToFormUI({'frm_bfd_settings':"/api/quagga/bfd/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
+
+        $("#grid-neighbors").UIBootgrid({
+            'search':'/api/quagga/bfd/searchNeighbor',
+            'get':'/api/quagga/bfd/getNeighbor/',
+            'set':'/api/quagga/bfd/setNeighbor/',
+            'add':'/api/quagga/bfd/addNeighbor/',
+            'del':'/api/quagga/bfd/delNeighbor/',
+            'toggle':'/api/quagga/bfd/toggleNeighbor/'
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+              onPreAction: function() {
+                  const dfObj = new $.Deferred();
+                  saveFormToEndpoint("/api/quagga/bfd/set", 'frm_bfd_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                  return dfObj;
+              },
+              onAction: function(data, status) {
+                  updateServiceControlUI('quagga');
+              }
+        });
+    });
+</script>
+
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
 </ul>
+
 <div class="tab-content content-box tab-content">
     <div id="general" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            {{ partial("layout_partials/base_form",['fields':bfdForm,'id':'frm_bfd_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-            </div>
-        </div>
+        {{ partial("layout_partials/base_form",['fields':bfdForm,'id':'frm_bfd_settings'])}}
     </div>
     <div id="neighbors" class="tab-pane fade in">
         <table id="grid-neighbors" class="table table-responsive" data-editDialog="DialogEditBFDNeighbor">
@@ -57,10 +83,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="10"></td>
-                    <td colspan="1">
+                    <td></td>
+                    <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -68,51 +94,19 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 </div>
 
-<script>
-
-function quagga_update_status() {
-    updateServiceControlUI('quagga');
-}
-
-$(document).ready(function() {
-  var data_get_map = {'frm_bfd_settings':"/api/quagga/bfd/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
-  quagga_update_status();
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/bfd/set",formid='frm_bfd_settings',callback_ok=function(){
-          $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-          ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-              quagga_update_status();
-              $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-          });
-      });
-  });
-
-  /* allow a user to manually reload the service (for forms which do not do it automatically) */
-  $('.reload_btn').click(function reload_handler() {
-    $(".reloadAct_progress").addClass("fa-spin");
-    ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-        quagga_update_status();
-        $(".reloadAct_progress").removeClass("fa-spin");
-    });
-  });
-
-  $("#grid-neighbors").UIBootgrid(
-    { 'search':'/api/quagga/bfd/searchNeighbor',
-      'get':'/api/quagga/bfd/getNeighbor/',
-      'set':'/api/quagga/bfd/setNeighbor/',
-      'add':'/api/quagga/bfd/addNeighbor/',
-      'del':'/api/quagga/bfd/delNeighbor/',
-      'toggle':'/api/quagga/bfd/toggleNeighbor/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-});
-</script>
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/quagga/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring BFD') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBFDNeighbor,'id':'DialogEditBFDNeighbor','label':lang._('Edit Neighbor')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 82e62cfe63..b8385d5463 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2024 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 Copyright (C) 2017 Fabian Franz
 Copyright (C) 2017 - 2020 Michael Muenz <m.muenz@gmail.com>
 All rights reserved.
@@ -27,6 +27,77 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
+
+<script>
+    $(document).ready(function() {
+        mapDataToFormUI({'frm_bgp_settings':"/api/quagga/bgp/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/bgp/set", 'frm_bgp_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
+        });
+
+        $("#grid-neighbors").UIBootgrid({
+            'search':'/api/quagga/bgp/searchNeighbor',
+            'get':'/api/quagga/bgp/getNeighbor/',
+            'set':'/api/quagga/bgp/setNeighbor/',
+            'add':'/api/quagga/bgp/addNeighbor/',
+            'del':'/api/quagga/bgp/delNeighbor/',
+            'toggle':'/api/quagga/bgp/toggleNeighbor/'
+        });
+        $("#grid-aspaths").UIBootgrid({
+            'search':'/api/quagga/bgp/searchAspath',
+            'get':'/api/quagga/bgp/getAspath/',
+            'set':'/api/quagga/bgp/setAspath/',
+            'add':'/api/quagga/bgp/addAspath/',
+            'del':'/api/quagga/bgp/delAspath/',
+            'toggle':'/api/quagga/bgp/toggleAspath/'
+        });
+        $("#grid-prefixlists").UIBootgrid({
+            'search':'/api/quagga/bgp/searchPrefixlist',
+            'get':'/api/quagga/bgp/getPrefixlist/',
+            'set':'/api/quagga/bgp/setPrefixlist/',
+            'add':'/api/quagga/bgp/addPrefixlist/',
+            'del':'/api/quagga/bgp/delPrefixlist/',
+            'toggle':'/api/quagga/bgp/togglePrefixlist/'
+        });
+        $("#grid-communitylists").UIBootgrid({
+            'search':'/api/quagga/bgp/searchCommunitylist',
+            'get':'/api/quagga/bgp/getCommunitylist/',
+            'set':'/api/quagga/bgp/setCommunitylist/',
+            'add':'/api/quagga/bgp/addCommunitylist/',
+            'del':'/api/quagga/bgp/delCommunitylist/',
+            'toggle':'/api/quagga/bgp/toggleCommunitylist/'
+        });
+        $("#grid-routemaps").UIBootgrid({
+            'search':'/api/quagga/bgp/searchRoutemap',
+            'get':'/api/quagga/bgp/getRoutemap/',
+            'set':'/api/quagga/bgp/setRoutemap/',
+            'add':'/api/quagga/bgp/addRoutemap/',
+            'del':'/api/quagga/bgp/delRoutemap/',
+            'toggle':'/api/quagga/bgp/toggleRoutemap/'
+        });
+        $("#grid-peergroups").UIBootgrid({
+            'search':'/api/quagga/bgp/searchPeergroup',
+            'get':'/api/quagga/bgp/getPeergroup/',
+            'set':'/api/quagga/bgp/setPeergroup/',
+            'add':'/api/quagga/bgp/addPeergroup/',
+            'del':'/api/quagga/bgp/delPeergroup/',
+            'toggle':'/api/quagga/bgp/togglePeergroup/'
+        });
+    });
+</script>
+
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
@@ -41,10 +112,6 @@ POSSIBILITY OF SUCH DAMAGE.
     <div id="general" class="tab-pane fade in active">
         <div class="content-box" style="padding-bottom: 1.5em;">
             {{ partial("layout_partials/base_form",['fields':bgpForm,'id':'frm_bgp_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-            </div>
         </div>
     </div>
     <div id="neighbors" class="tab-pane fade in">
@@ -67,11 +134,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="10"></td>
-                    <td colspan="1">
+                    <td></td>
+                    <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -94,11 +160,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -122,11 +187,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -150,11 +214,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -181,10 +244,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
-                <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -210,10 +273,10 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="10"></td>
-                    <td colspan="1">
+                    <td></td>
+                    <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -221,102 +284,20 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 </div>
 
-<script>
-
-function quagga_update_status() {
-    updateServiceControlUI('quagga');
-}
-
-$(document).ready(function() {
-  var data_get_map = {'frm_bgp_settings':"/api/quagga/bgp/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
-  quagga_update_status();
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/bgp/set",formid='frm_bgp_settings',callback_ok=function(){
-          $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-          ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-              quagga_update_status();
-              $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-          });
-      });
-  });
-
-  /* allow a user to manually reload the service (for forms which do not do it automatically) */
-  $('.reload_btn').click(function reload_handler() {
-    $(".reloadAct_progress").addClass("fa-spin");
-    ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-        quagga_update_status();
-        $(".reloadAct_progress").removeClass("fa-spin");
-    });
-  });
-
-  $("#grid-neighbors").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchNeighbor',
-      'get':'/api/quagga/bgp/getNeighbor/',
-      'set':'/api/quagga/bgp/setNeighbor/',
-      'add':'/api/quagga/bgp/addNeighbor/',
-      'del':'/api/quagga/bgp/delNeighbor/',
-      'toggle':'/api/quagga/bgp/toggleNeighbor/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-aspaths").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchAspath',
-      'get':'/api/quagga/bgp/getAspath/',
-      'set':'/api/quagga/bgp/setAspath/',
-      'add':'/api/quagga/bgp/addAspath/',
-      'del':'/api/quagga/bgp/delAspath/',
-      'toggle':'/api/quagga/bgp/toggleAspath/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-prefixlists").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchPrefixlist',
-      'get':'/api/quagga/bgp/getPrefixlist/',
-      'set':'/api/quagga/bgp/setPrefixlist/',
-      'add':'/api/quagga/bgp/addPrefixlist/',
-      'del':'/api/quagga/bgp/delPrefixlist/',
-      'toggle':'/api/quagga/bgp/togglePrefixlist/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-communitylists").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchCommunitylist',
-      'get':'/api/quagga/bgp/getCommunitylist/',
-      'set':'/api/quagga/bgp/setCommunitylist/',
-      'add':'/api/quagga/bgp/addCommunitylist/',
-      'del':'/api/quagga/bgp/delCommunitylist/',
-      'toggle':'/api/quagga/bgp/toggleCommunitylist/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-routemaps").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchRoutemap',
-      'get':'/api/quagga/bgp/getRoutemap/',
-      'set':'/api/quagga/bgp/setRoutemap/',
-      'add':'/api/quagga/bgp/addRoutemap/',
-      'del':'/api/quagga/bgp/delRoutemap/',
-      'toggle':'/api/quagga/bgp/toggleRoutemap/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-peergroups").UIBootgrid(
-    { 'search':'/api/quagga/bgp/searchPeergroup',
-      'get':'/api/quagga/bgp/getPeergroup/',
-      'set':'/api/quagga/bgp/setPeergroup/',
-      'add':'/api/quagga/bgp/addPeergroup/',
-      'del':'/api/quagga/bgp/delPeergroup/',
-      'toggle':'/api/quagga/bgp/togglePeergroup/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-    });
-</script>
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/quagga/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring BGP') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPNeighbor,'id':'DialogEditBGPNeighbor','label':lang._('Edit Neighbor')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPASPaths,'id':'DialogEditBGPASPaths','label':lang._('Edit AS Paths')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
index 01e1746bd9..aacb7d557c 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 This file is Copyright © 2017 by Fabian Franz
 All rights reserved.
 
@@ -26,32 +26,43 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
-</div>
 
 <script>
     $( document ).ready(function() {
-        var data_get_map = {'frm_general_settings':"/api/quagga/general/get"};
-        mapDataToFormUI(data_get_map).done(function(data){
+        mapDataToFormUI({'frm_general_settings':"/api/quagga/general/get"}).done(function(data){
             formatTokenizersUI();
             $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
         });
-        updateServiceControlUI('quagga');
-
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/quagga/general/set", formid='frm_general_settings',callback_ok=function(){
-                $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-                ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-                    updateServiceControlUI('quagga');
-                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                });
-            }, true);
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/general/set", 'frm_general_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
         });
     });
 </script>
+
+<div class="content-box" style="padding-bottom: 1.5em;">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+</div>
+
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/quagga/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring BFD') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index b68db50c83..9daaa0e144 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 This file is Copyright © 2017 by Fabian Franz
 All rights reserved.
 
@@ -27,25 +27,78 @@ POSSIBILITY OF SUCH DAMAGE.
 
 #}
 
-    <!-- Navigation bar -->
-    <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-        <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
-        <li><a data-toggle="tab" href="#networks">{{ lang._('Networks') }}</a></li>
-        <li><a data-toggle="tab" href="#interfaces">{{ lang._('Interfaces') }}</a></li>
-        <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
-        <li><a data-toggle="tab" href="#routemaps">{{ lang._('Route Maps') }}</a></li>
-    </ul>
-    <div class="tab-content content-box tab-content">
-        <div id="general" class="tab-pane fade in active">
-            <div class="content-box" style="padding-bottom: 1.5em;">
-                {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_ospf_settings'])}}
-                <div class="col-md-12">
-                    <hr />
-                    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-                </div>
-            </div>
-        </div>
+<script>
+
+    function quagga_update_status() {
+      updateServiceControlUI('quagga');
+    }
+
+    $( document ).ready(function() {
+        mapDataToFormUI({'frm_ospf_settings':"/api/quagga/ospfsettings/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/ospfsettings/set", 'frm_ospf_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
+        });
+
+        $("#grid-networks").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchNetwork',
+            'get':'/api/quagga/ospfsettings/getNetwork/',
+            'set':'/api/quagga/ospfsettings/setNetwork/',
+            'add':'/api/quagga/ospfsettings/addNetwork/',
+            'del':'/api/quagga/ospfsettings/delNetwork/',
+            'toggle':'/api/quagga/ospfsettings/toggleNetwork/'
+        });
+        $("#grid-interfaces").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchInterface',
+            'get':'/api/quagga/ospfsettings/getInterface/',
+            'set':'/api/quagga/ospfsettings/setInterface/',
+            'add':'/api/quagga/ospfsettings/addInterface/',
+            'del':'/api/quagga/ospfsettings/delInterface/',
+            'toggle':'/api/quagga/ospfsettings/toggleInterface/'
+        });
+        $("#grid-prefixlists").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchPrefixlist',
+            'get':'/api/quagga/ospfsettings/getPrefixlist/',
+            'set':'/api/quagga/ospfsettings/setPrefixlist/',
+            'add':'/api/quagga/ospfsettings/addPrefixlist/',
+            'del':'/api/quagga/ospfsettings/delPrefixlist/',
+            'toggle':'/api/quagga/ospfsettings/togglePrefixlist/'
+        });
+        $("#grid-routemaps").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchRoutemap',
+            'get':'/api/quagga/ospfsettings/getRoutemap/',
+            'set':'/api/quagga/ospfsettings/setRoutemap/',
+            'add':'/api/quagga/ospfsettings/addRoutemap/',
+            'del':'/api/quagga/ospfsettings/delRoutemap/',
+            'toggle':'/api/quagga/ospfsettings/toggleRoutemap/'
+        });
+    });
+</script>
 
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#networks">{{ lang._('Networks') }}</a></li>
+    <li><a data-toggle="tab" href="#interfaces">{{ lang._('Interfaces') }}</a></li>
+    <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
+    <li><a data-toggle="tab" href="#routemaps">{{ lang._('Route Maps') }}</a></li>
+</ul>
+<div class="tab-content content-box tab-content">
+    <!-- Tab: General -->
+    <div id="general" class="tab-pane fade in active">
+        {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_ospf_settings'])}}
+    </div>
     <!-- Tab: Networks -->
     <div id="networks" class="tab-pane fade in">
       <table id="grid-networks" class="table table-responsive" data-editDialog="DialogEditNetwork">
@@ -63,17 +116,15 @@ POSSIBILITY OF SUCH DAMAGE.
           </tbody>
           <tfoot>
               <tr>
-                  <td colspan="5"></td>
+                  <td></td>
                   <td>
-                      <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                      <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                      <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                   </td>
               </tr>
           </tfoot>
       </table>
     </div>
-
     <!-- Tab: Interfaces -->
     <div id="interfaces" class="tab-pane fade in">
         <table id="grid-interfaces" class="table table-responsive" data-editDialog="DialogEditInterface">
@@ -85,22 +136,22 @@ POSSIBILITY OF SUCH DAMAGE.
                     <th data-column-id="authtype" data-type="string" data-visible="true">{{ lang._('Authentication Type') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                     <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-            </tr>
+                </tr>
             </thead>
             <tbody>
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
         </table>
     </div>
+    <!-- Tab: Prefixlists -->
     <div id="prefixlists" class="tab-pane fade in">
         <table id="grid-prefixlists" class="table table-responsive" data-editDialog="DialogEditPrefixLists">
             <thead>
@@ -118,16 +169,16 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <!-- <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button> -->
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
         </table>
     </div>
+    <!-- Tab: Routemaps -->
     <div id="routemaps" class="tab-pane fade in">
         <table id="grid-routemaps" class="table table-responsive" data-editDialog="DialogEditRouteMaps">
             <thead>
@@ -146,95 +197,30 @@ POSSIBILITY OF SUCH DAMAGE.
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span> {{ lang._('Reload Service') }}</button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
         </table>
     </div>
+</div>
+
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <button class="btn btn-primary __mb __mt" id="reconfigureAct"
+                data-endpoint='/api/quagga/service/reconfigure'
+                data-label="{{ lang._('Apply') }}"
+                data-error-title="{{ lang._('Error reconfiguring OSPFv3') }}"
+                data-service-widget="quagga"
+                type="button"
+            ></button>
+        </div>
     </div>
-
-<script>
-
-function quagga_update_status() {
-  updateServiceControlUI('quagga');
-}
-
-$( document ).ready(function() {
-  var data_get_map = {'frm_ospf_settings':"/api/quagga/ospfsettings/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
-  quagga_update_status();
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/ospfsettings/set",formid='frm_ospf_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-        ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-          quagga_update_status();
-          $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-        });
-      });
-  });
-
-
-  /* allow a user to manually reload the service (for forms which do not do it automatically) */
-  $('.reload_btn').click(function reload_handler() {
-    $(".reloadAct_progress").addClass("fa-spin");
-    ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-      quagga_update_status();
-      $(".reloadAct_progress").removeClass("fa-spin");
-    });
-  });
-
-
-  $("#grid-networks").UIBootgrid(
-    { 'search':'/api/quagga/ospfsettings/searchNetwork',
-      'get':'/api/quagga/ospfsettings/getNetwork/',
-      'set':'/api/quagga/ospfsettings/setNetwork/',
-      'add':'/api/quagga/ospfsettings/addNetwork/',
-      'del':'/api/quagga/ospfsettings/delNetwork/',
-      'toggle':'/api/quagga/ospfsettings/toggleNetwork/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-interfaces").UIBootgrid(
-    { 'search':'/api/quagga/ospfsettings/searchInterface',
-      'get':'/api/quagga/ospfsettings/getInterface/',
-      'set':'/api/quagga/ospfsettings/setInterface/',
-      'add':'/api/quagga/ospfsettings/addInterface/',
-      'del':'/api/quagga/ospfsettings/delInterface/',
-      'toggle':'/api/quagga/ospfsettings/toggleInterface/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-prefixlists").UIBootgrid(
-    { 'search':'/api/quagga/ospfsettings/searchPrefixlist',
-      'get':'/api/quagga/ospfsettings/getPrefixlist/',
-      'set':'/api/quagga/ospfsettings/setPrefixlist/',
-      'add':'/api/quagga/ospfsettings/addPrefixlist/',
-      'del':'/api/quagga/ospfsettings/delPrefixlist/',
-      'toggle':'/api/quagga/ospfsettings/togglePrefixlist/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-  $("#grid-routemaps").UIBootgrid(
-    { 'search':'/api/quagga/ospfsettings/searchRoutemap',
-      'get':'/api/quagga/ospfsettings/getRoutemap/',
-      'set':'/api/quagga/ospfsettings/setRoutemap/',
-      'add':'/api/quagga/ospfsettings/addRoutemap/',
-      'del':'/api/quagga/ospfsettings/delRoutemap/',
-      'toggle':'/api/quagga/ospfsettings/toggleRoutemap/',
-      'options':{selection:false, multiSelect:false}
-    }
-  );
-});
-</script>
+</section>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':'DialogEditNetwork','label':lang._('Edit Network')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':'DialogEditInterface','label':lang._('Edit Interface')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index 3a47744363..d0749ac7cd 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2014-2024 Deciso B.V.
+ # Copyright (c) 2014-2025 Deciso B.V.
  # Copyright (c) 2017 Fabian Franz
  # Copyright (c) 2017 Michael Muenz <m.muenz@gmail.com>
  # All rights reserved.
@@ -32,18 +32,17 @@
         mapDataToFormUI({'frm_ospf6_settings':"/api/quagga/ospf6settings/get"}).done(function(data){
             formatTokenizersUI();
             $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
         });
 
-        updateServiceControlUI('quagga');
-
-        // link save button to API set action
-        $("#saveAct").SimpleActionButton({
+        $("#reconfigureAct").SimpleActionButton({
             onPreAction: function() {
                 const dfObj = new $.Deferred();
-                saveFormToEndpoint("/api/quagga/ospf6settings/set", 'frm_ospf6_settings', function(){
-                    dfObj.resolve();
-                });
+                saveFormToEndpoint("/api/quagga/ospf6settings/set", 'frm_ospf6_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
                 return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
             }
         });
 
@@ -53,11 +52,7 @@
             'set':'/api/quagga/ospf6settings/setNetwork/',
             'add':'/api/quagga/ospf6settings/addNetwork/',
             'del':'/api/quagga/ospf6settings/delNetwork/',
-            'toggle':'/api/quagga/ospf6settings/toggleNetwork/',
-            'options':{
-                selection:false,
-                multiSelect:false
-            }
+            'toggle':'/api/quagga/ospf6settings/toggleNetwork/'
         });
         $("#grid-interfaces").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchInterface',
@@ -65,11 +60,7 @@
             'set':'/api/quagga/ospf6settings/setInterface/',
             'add':'/api/quagga/ospf6settings/addInterface/',
             'del':'/api/quagga/ospf6settings/delInterface/',
-            'toggle':'/api/quagga/ospf6settings/toggleInterface/',
-            'options':{
-                selection:false,
-                multiSelect:false
-            }
+            'toggle':'/api/quagga/ospf6settings/toggleInterface/'
         });
         $("#grid-prefixlists").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchPrefixlist',
@@ -77,11 +68,7 @@
             'set':'/api/quagga/ospf6settings/setPrefixlist/',
             'add':'/api/quagga/ospf6settings/addPrefixlist/',
             'del':'/api/quagga/ospf6settings/delPrefixlist/',
-            'toggle':'/api/quagga/ospf6settings/togglePrefixlist/',
-            'options':{
-                selection:false,
-                multiSelect:false
-            }
+            'toggle':'/api/quagga/ospf6settings/togglePrefixlist/'
         });
         $("#grid-routemaps").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchRoutemap',
@@ -89,11 +76,7 @@
             'set':'/api/quagga/ospf6settings/setRoutemap/',
             'add':'/api/quagga/ospf6settings/addRoutemap/',
             'del':'/api/quagga/ospf6settings/delRoutemap/',
-            'toggle':'/api/quagga/ospf6settings/toggleRoutemap/',
-            'options':{
-                selection:false,
-                multiSelect:false
-            }
+            'toggle':'/api/quagga/ospf6settings/toggleRoutemap/'
         });
 
         // hook checkbox item with conditional options
@@ -142,10 +125,11 @@
           </tbody>
           <tfoot>
               <tr>
-                  <td colspan="5"></td>
-                  <td>
-                      <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                  </td>
+                    <td></td>
+                    <td>
+                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                    </td>
               </tr>
           </tfoot>
       </table>
@@ -168,9 +152,10 @@
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -195,9 +180,10 @@
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -223,9 +209,10 @@
             </tbody>
             <tfoot>
                 <tr>
-                    <td colspan="5"></td>
+                    <td></td>
                     <td>
                         <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
                     </td>
                 </tr>
             </tfoot>
@@ -236,7 +223,7 @@
 <section class="page-content-main">
     <div class="content-box">
         <div class="col-md-12">
-            <button class="btn btn-primary __mb __mt" id="saveAct"
+            <button class="btn btn-primary __mb __mt" id="reconfigureAct"
                 data-endpoint='/api/quagga/service/reconfigure'
                 data-label="{{ lang._('Apply') }}"
                 data-error-title="{{ lang._('Error reconfiguring OSPFv3') }}"
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
index 8abc7a3f51..b0b7effca1 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2025 by Deciso B.V.
 This file is Copyright © 2017 by Fabian Franz
 All rights reserved.
 
@@ -27,33 +27,43 @@ POSSIBILITY OF SUCH DAMAGE.
 
 #}
 
+<script>
+      $( document ).ready(function() {
+        mapDataToFormUI({'frm_rip_settings':"/api/quagga/rip/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/quagga/rip/set", 'frm_rip_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('quagga');
+            }
+        });
+    });
+</script>
+
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':ripForm,'id':'frm_rip_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-    </div>
 </div>
 
-<script>
-$(document).ready(function() {
-  var data_get_map = {'frm_rip_settings':"/api/quagga/rip/get"};
-  mapDataToFormUI(data_get_map).done(function(data){
-      formatTokenizersUI();
-      $('.selectpicker').selectpicker('refresh');
-  });
-
-  updateServiceControlUI('quagga');
-
-  // link save button to API set action
-  $("#saveAct").click(function(){
-      saveFormToEndpoint(url="/api/quagga/rip/set",formid='frm_rip_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-        ajaxCall(url="/api/quagga/service/reconfigure", sendData={}, callback=function(data,status) {
-          updateServiceControlUI('quagga');
-          $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-        });
-      });
-  });
-});
-</script>
+<section class="page-content-main">
+  <div class="content-box">
+      <div class="col-md-12">
+          <br/>
+          <button class="btn btn-primary" id="reconfigureAct"
+                  data-endpoint='/api/quagga/service/reconfigure'
+                  data-label="{{ lang._('Apply') }}"
+                  data-error-title="{{ lang._('Error reconfiguring BFD') }}"
+                  type="button"
+          ></button>
+          <br/><br/>
+      </div>
+  </div>
+</section>
+

From a4b774a9e4cef178b91d901d5baf50eaee8118c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jan 2025 09:25:48 +0100
Subject: [PATCH 2280/3088] net/frr: glint and rev bump

---
 net/frr/Makefile                                            | 1 +
 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index d8e07f27a2..a3813aca20 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.42
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
index b0b7effca1..6e1c01c4c4 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
@@ -66,4 +66,3 @@ POSSIBILITY OF SUCH DAMAGE.
       </div>
   </div>
 </section>
-

From 898100b9a60cd1a8bf8f64a4b35cc1056a14ea60 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jan 2025 09:29:42 +0100
Subject: [PATCH 2281/3088] www/c-icap: bump rev

---
 www/c-icap/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index 575fb3e90a..90a88fdf19 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		c-icap
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 04fb480492f1b33c2cf98a829dbce1b3aafab6df Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Jan 2025 09:31:02 +0100
Subject: [PATCH 2282/3088] security/clamav: rev bump

---
 security/clamav/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index afe24b92ef..f4d90f2093 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		clamav
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From dbe43dc186578da25d441e2dc8cb1b410c5d1131 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 10 Jan 2025 09:30:22 +0100
Subject: [PATCH 2283/3088] www/caddy: Implement reusable grid template (#4454)

See: https://github.com/opnsense/core/commit/a7a99fcdfe972dacc1a6beada7607e73a1689d05
---
 .../OPNsense/Caddy/Layer4Controller.php       |  10 +-
 .../OPNsense/Caddy/ReverseProxyController.php |  15 +-
 .../OPNsense/Caddy/forms/dialogAccessList.xml |  10 +
 .../OPNsense/Caddy/forms/dialogHandle.xml     |  74 ++++++
 .../OPNsense/Caddy/forms/dialogHeader.xml     |   6 +
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |  42 ++++
 .../Caddy/forms/dialogLayer4Openvpn.xml       |   3 +
 .../Caddy/forms/dialogReverseProxy.xml        |  32 +++
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |  19 ++
 .../mvc/app/views/OPNsense/Caddy/layer4.volt  |  72 +-----
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 228 +++---------------
 11 files changed, 243 insertions(+), 268 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
index 1a085eff42..b1366ab72a 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2023-2025 Cedrik Pischem
  *
  *    All rights reserved.
  *
@@ -37,7 +37,11 @@ class Layer4Controller extends IndexController
     public function indexAction()
     {
         $this->view->pick('OPNsense/Caddy/layer4');
-        $this->view->formDialogLayer4 = $this->getForm("dialogLayer4");
-        $this->view->formDialogLayer4Openvpn = $this->getForm("dialogLayer4Openvpn");
+
+        $this->view->formDialogLayer4 = $this->getForm('dialogLayer4');
+        $this->view->formGridLayer4 = $this->getFormGrid('dialogLayer4', null, 'ConfChangeMessage');
+
+        $this->view->formDialogLayer4Openvpn = $this->getForm('dialogLayer4Openvpn');
+        $this->view->formGridLayer4Openvpn = $this->getFormGrid('dialogLayer4Openvpn', null, 'ConfChangeMessage');
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
index fde12d63c7..e30315299a 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -1,8 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2023-2024 Cedrik Pischem
- *    Copyright (C) 2015 Deciso B.V.
+ *    Copyright (C) 2023-2025 Cedrik Pischem
  *
  *    All rights reserved.
  *
@@ -38,11 +37,23 @@ class ReverseProxyController extends IndexController
     public function indexAction()
     {
         $this->view->pick('OPNsense/Caddy/reverse_proxy');
+
         $this->view->formDialogReverseProxy = $this->getForm("dialogReverseProxy");
+        $this->view->formGridReverseProxy = $this->getFormGrid('dialogReverseProxy', null, 'ConfChangeMessage');
+
         $this->view->formDialogSubdomain = $this->getForm("dialogSubdomain");
+        $this->view->formGridSubdomain = $this->getFormGrid('dialogSubdomain', null, 'ConfChangeMessage');
+
         $this->view->formDialogHandle = $this->getForm("dialogHandle");
+        $this->view->formGridHandle = $this->getFormGrid('dialogHandle', null, 'ConfChangeMessage');
+
         $this->view->formDialogAccessList = $this->getForm("dialogAccessList");
+        $this->view->formGridAccessList = $this->getFormGrid('dialogAccessList', null, 'ConfChangeMessage');
+
         $this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
+        $this->view->formGridBasicAuth = $this->getFormGrid('dialogBasicAuth', null, 'ConfChangeMessage');
+
         $this->view->formDialogHeader = $this->getForm("dialogHeader");
+        $this->view->formGridHeader = $this->getFormGrid('dialogHeader', null, 'ConfChangeMessage');
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index 50c2718ab9..774ebd997e 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -18,6 +18,10 @@
         <label>Invert List</label>
         <type>checkbox</type>
         <help><![CDATA[If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).]]></help>
+        <grid_view>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>accesslist.HttpResponseCode</id>
@@ -26,6 +30,9 @@
         <hint>abort</hint>
         <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list does not match. If empty, the connection is aborted with no response.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>accesslist.HttpResponseMessage</id>
@@ -33,6 +40,9 @@
         <type>text</type>
         <help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code. If empty, the default HTTP response message for the chosen HTTP response code will be used.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>accesslist.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 7ece8310aa..3efcdb8dd1 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -4,6 +4,11 @@
         <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this handler.]]></help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>handle.description</id>
@@ -38,6 +43,9 @@
         <type>dropdown</type>
         <help><![CDATA[Choose a handling type: "handle" (default) will keep the path in all requests. "handle_path" will strip the path from all requests.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HandlePath</id>
@@ -46,6 +54,9 @@
         <hint>any</hint>
         <help><![CDATA[Enter a path to handle. Choose a pattern like "/*" or "/example/*". Leave empty to handle any paths (recommended). Any request matching this pattern will be handled by the chosen directive.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -58,6 +69,9 @@
         <type>dropdown</type>
         <help><![CDATA[Select an Access List to restrict access to this handler. If unset, any local or remote client is allowed access.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.ForwardAuth</id>
@@ -65,6 +79,11 @@
         <type>checkbox</type>
         <help><![CDATA[Enable or disable Forward Auth. Requires an "Auth Provider" in "General Settings". Headers are set automatically to the standard of the chosen provider. Enabling this option will additionally generate the forward_auth directive in front of the reverse_proxy directive inside the scope of this handler.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -87,6 +106,9 @@
         <style>style_reverse_proxy</style>
         <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires HTTPS, and only establishes connections to webservers that also support HTTP/3.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.header</id>
@@ -97,6 +119,9 @@
         <style>style_reverse_proxy selectpicker</style>
         <help><![CDATA[Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpKeepalive</id>
@@ -106,6 +131,9 @@
         <style>style_reverse_proxy</style>
         <help><![CDATA[Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpTls</id>
@@ -133,6 +161,9 @@
         <type>text</type>
         <help><![CDATA[When directive is "reverse_proxy", enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path. When directive is "redir", add the path the request should be redirected to; leaving it empty will append {uri}.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpTlsInsecureSkipVerify</id>
@@ -140,6 +171,11 @@
         <type>checkbox</type>
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpTlsTrustedCaCerts</id>
@@ -147,6 +183,9 @@
         <type>dropdown</type>
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpTlsServerName</id>
@@ -154,6 +193,9 @@
         <type>text</type>
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trust Pool", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.HttpNtlm</id>
@@ -161,6 +203,11 @@
         <type>checkbox</type>
         <style>style_tls style_reverse_proxy</style>
         <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -174,6 +221,9 @@
         <style>style_reverse_proxy</style>
         <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.lb_retries</id>
@@ -183,6 +233,9 @@
         <hint>off</hint>
         <help><![CDATA[lb_retries is how many times to retry selecting available backends for each request if the next available host is down. If lb_try_duration is also configured, then retries may stop early if the duration is reached. In other words, the retry duration takes precedence over the retry count.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.lb_try_duration</id>
@@ -192,6 +245,9 @@
         <hint>0</hint>
         <help><![CDATA[lb_try_duration is a duration value that defines how long to try selecting available backends for each request if the next available host is down. Clients will wait for up to this long while the load balancer tries to find an available upstream host. A reasonable starting point might be 5s since the HTTP transport's default dial timeout is 3s, so that should allow for at least one retry if the first selected upstream cannot be reached.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.lb_try_interval</id>
@@ -201,6 +257,9 @@
         <hint>250</hint>
         <help><![CDATA[lb_try_interval is a duration value that defines how long to wait between selecting the next host from the pool. Only relevant when a request to an upstream host fails. Be aware that setting this to 0 with a non-zero lb_try_duration can cause the CPU to spin if all backends are down and latency is very low.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthFailDuration</id>
@@ -210,6 +269,9 @@
         <hint>off</hint>
         <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthMaxFails</id>
@@ -219,6 +281,9 @@
         <hint>1</hint>
         <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthUnhealthyStatus</id>
@@ -228,6 +293,9 @@
         <hint>off</hint>
         <help><![CDATA[unhealthy_status counts a request as failed if the response comes back with one of these status codes. Can be a 3-digit status code or a status code class ending in xx, for example: 404 or 5xx.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthUnhealthyLatency</id>
@@ -237,6 +305,9 @@
         <hint>off</hint>
         <help><![CDATA[unhealthy_latency is a duration value in ms that counts a request as failed if it takes this long to get a response.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.PassiveHealthUnhealthyRequestCount</id>
@@ -246,5 +317,8 @@
         <hint>off</hint>
         <help><![CDATA[unhealthy_request_count is the permissible number of simultaneous requests to a backend before marking it as down. In other words, if a particular backend is currently handling this many requests, then it is considered "overloaded" and other backends will be preferred instead. This should be a reasonably large number; configuring this means that the proxy will have a limit of unhealthy_request_count × upstreams_count total simultaneous requests, and any requests after that point will result in an error due to no upstreams being available.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
index df19819f0c..f7885bedd8 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
@@ -16,12 +16,18 @@
         <label>Header Value</label>
         <type>text</type>
         <help><![CDATA[Enter a value for the selected header. One of the most common options is "{upstream_hostport}". It is also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>header.HeaderReplace</id>
         <label>Header Replace</label>
         <type>text</type>
         <help><![CDATA[If a regular expression is used to search for a Header Value, the replacement string can be set here. For example: "replaced-$1-suffix" which expands the replacement string, allowing the use of captured values, "$1" being the first capture group.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>header.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 8fa4fdcae0..9cabfaf42b 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -4,6 +4,11 @@
         <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this Layer4 route.]]></help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>layer4.Sequence</id>
@@ -26,6 +31,9 @@
         <label>Routing Type</label>
         <type>dropdown</type>
         <help><![CDATA[Choose either "listener_wrappers" for multiplexing protocols on the default HTTP and HTTPS ports on OSI Layer 7, or "global" for raw TCP/UDP traffic routing on a custom "Local port" on OSI Layer 4 with optional OSI Layer 7 protocol matching.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.Protocol</id>
@@ -40,6 +48,9 @@
         <type>text</type>
         <style>style_type</style>
         <help><![CDATA[Choose a custom local port to listen on.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -65,6 +76,9 @@
         <type>dropdown</type>
         <style>style_matchers matchers_openvpn</style>
         <help><![CDATA[Select the mode matching the OpenVPN Server or Client.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.FromOpenvpnStaticKey</id>
@@ -74,6 +88,9 @@
         <hint>Any</hint>
         <size>5</size>
         <help><![CDATA[Select a Static Key to match. Multiple Static Keys are only supported for tls-crypt2_client mode.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.InvertMatchers</id>
@@ -81,6 +98,11 @@
         <type>checkbox</type>
         <help><![CDATA[Invert the sense of the matcher. E.g., if the protocol is TLS, inverting will match all traffic that is not TLS. When domains have been chosen, these will be equally inverted.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>layer4.TerminateTls</id>
@@ -88,6 +110,11 @@
         <type>checkbox</type>
         <style>style_matchers matchers_domain</style>
         <help><![CDATA[Terminate TLS before routing to the upstream. Since this requires a certificate, ensure there is a domain configured in "Reverse Proxy" that matches the SNI of "Domain". The best matching SAN or wildcard certificate will be used automatically for this route.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -113,6 +140,9 @@
         <type>dropdown</type>
         <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -126,6 +156,9 @@
         <style>style_reverse_proxy</style>
         <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.PassiveHealthFailDuration</id>
@@ -135,6 +168,9 @@
         <hint>off</hint>
         <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.PassiveHealthMaxFails</id>
@@ -144,6 +180,9 @@
         <hint>1</hint>
         <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -156,5 +195,8 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <help><![CDATA[Enter one or multiple IP addresses and networks. Leaving this empty will allow any remote client to connect. If populated and the remote IP address of a client matches, the connection to the "Upstream Domain" is allowed, otherwise the connection is dropped. Due to restrictions with this matcher, this list can not be inverted.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml
index ec225e85f3..2ac8521216 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4Openvpn.xml
@@ -9,5 +9,8 @@
         <label>Static Key</label>
         <type>textbox</type>
         <help>Paste an OpenVPN Static key.</help>
+        <grid_view>
+            <ignore>true</ignore>
+        </grid_view>
     </field>
 </fields>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 014e1853ea..a8163b33f1 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -4,6 +4,11 @@
         <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this domain.]]></help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>reverse.description</id>
@@ -39,6 +44,9 @@
         <type>dropdown</type>
         <style>style_tls</style>
         <help><![CDATA[Choose ACME to get automatic certificates with the built in ACME client; no additional plugin required. The "HTTP-01", "TLS-ALPN-01" or "DNS-01" challenge will be used to get automatic "Let's Encrypt" or "ZeroSSL" certificates. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.AcmePassthrough</id>
@@ -46,6 +54,9 @@
         <type>text</type>
         <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.DnsChallenge</id>
@@ -53,12 +64,22 @@
         <type>checkbox</type>
         <style>style_tls</style>
         <help><![CDATA[Enable the DNS-01 Challenge for this domain. Requires a "DNS Provider" in "General Settings". This is only needed for wildcard domains, or when the default challenges can not be used due to restrictive firewall policies.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>reverse.DynDns</id>
         <label>Dynamic DNS</label>
         <type>checkbox</type>
         <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this domain will be automatically updated. A wildcard domain will create a "*.example.com" record. A base domain will create a "example.com" or "opn.example.com" record. Some providers need subdomains to set records for domains like "opn.example.com"; in that case use the checkbox in the subdomains tab.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -69,6 +90,9 @@
         <label>Access List</label>
         <type>dropdown</type>
         <help><![CDATA[Select an Access List to restrict access to this domain. If unset, any local or remote client is allowed access.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.basicauth</id>
@@ -76,11 +100,19 @@
         <type>select_multiple</type>
         <size>5</size>
         <help><![CDATA[Select Users to restrict access to this domain. Basic Auth matches after Access Lists. If unset, any user is allowed access. When using CrowdSec, authorization failures will result in automatic bans.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.AccessLog</id>
         <label>HTTP Access Log</label>
         <type>checkbox</type>
         <help><![CDATA[Enable HTTP request logging for this domain and its subdomains. This option is mostly used for troubleshooting, audits and CrowdSec. It will log every single request.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 8a515e2ca6..5db43f6f22 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -4,6 +4,11 @@
         <label>Enabled</label>
         <type>checkbox</type>
         <help><![CDATA[Enable this subdomain.]]></help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>subdomain.description</id>
@@ -33,6 +38,11 @@
         <label>Dynamic DNS</label>
         <type>checkbox</type>
         <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this subdomain will be automatically updated.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
     </field>
     <field>
         <id>subdomain.AcmePassthrough</id>
@@ -40,6 +50,9 @@
         <type>text</type>
         <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this subdomain.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -50,6 +63,9 @@
         <label>Access List</label>
         <type>dropdown</type>
         <help><![CDATA[Select an Access List to restrict access to this subdomain. If unset, any local or remote client is allowed access.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>subdomain.basicauth</id>
@@ -57,5 +73,8 @@
         <type>select_multiple</type>
         <size>5</size>
         <help><![CDATA[Select Users to restrict access to this subdomain. Basic Auth matches after Access Lists. If unset, any user is allowed access.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
index f1c57229c9..be371635c6 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2024 Cedrik Pischem
+ # Copyright (c) 2024-2025 Cedrik Pischem
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -27,7 +27,7 @@
 <script>
     $(document).ready(function() {
         // Bootgrid Setup
-        $("#Layer4Grid").UIBootgrid({
+        $("#{{formGridLayer4['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchLayer4/',
             get:'/api/caddy/ReverseProxy/getLayer4/',
             set:'/api/caddy/ReverseProxy/setLayer4/',
@@ -36,7 +36,7 @@
             toggle:'/api/caddy/ReverseProxy/toggleLayer4/',
         });
 
-        $("#Layer4OpenvpnGrid").UIBootgrid({
+        $("#{{formGridLayer4Openvpn['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchLayer4Openvpn/',
             get:'/api/caddy/ReverseProxy/getLayer4Openvpn/',
             set:'/api/caddy/ReverseProxy/setLayer4Openvpn/',
@@ -137,44 +137,7 @@
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
             <div style="display: block;">
-                <table id="Layer4Grid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="Sequence" data-type="string">{{ lang._('Sequence') }}</th>
-                            <th data-column-id="Type" data-type="string" data-visible="false">{{ lang._('Routing Type') }}</th>
-                            <th data-column-id="Protocol" data-type="string">{{ lang._('Protocol') }}</th>
-                            <th data-column-id="FromPort" data-type="string" data-visible="false">{{ lang._('Local Port') }}</th>
-                            <th data-column-id="Matchers" data-type="string">{{ lang._('Matchers') }}</th>
-                            <th data-column-id="InvertMatchers" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Invert Matchers') }}</th>
-                            <th data-column-id="TerminateTls" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Terminate TLS') }}</th>
-                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="FromOpenvpnModes" data-type="string" data-visible="false">{{ lang._('OpenVPN Modes') }}</th>
-                            <th data-column-id="FromOpenvpnStaticKey" data-type="string" data-visible="false">{{ lang._('OpenVPN Static Key') }}</th>
-                            <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
-                            <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
-                            <th data-column-id="RemoteIp" data-type="string" data-visible="false">{{ lang._('Remote IP') }}</th>
-                            <th data-column-id="lb_policy" data-type="string" data-visible="false">{{ lang._('Load Balance Policy') }}</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Passive Health Fail Duration') }}</th>
-                            <th data-column-id="PassiveHealthMaxFails" data-type="string" data-visible="false">{{ lang._('Passive Health Max Fails') }}</th>
-                            <th data-column-id="ProxyProtocol" data-type="string" data-visible="false">{{ lang._('Proxy Protocol') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addLayer4Btn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4)}}
             </div>
         </div>
     </div>
@@ -185,26 +148,7 @@
             <!-- OpenVPN Matcher -->
             <h1 class="custom-header">{{ lang._('OpenVPN Static Keys') }}</h1>
             <div style="display: block;">
-                <table id="Layer4OpenvpnGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogLayer4Openvpn" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addLayer4OpenvpnBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4Openvpn)}}
             </div>
         </div>
     </div>
@@ -226,12 +170,12 @@
             <!-- Message Area for error/success messages -->
             <div id="messageArea" class="alert alert-info" style="display: none;"></div>
             <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
-            <div id="ConfigurationChangeMessage" class="alert alert-info" style="display: none;">
+            <div id="ConfChangeMessage" class="alert alert-info" style="display: none;">
             {{ lang._('Please do not forget to apply the configuration.') }}
             </div>
         </div>
     </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':'DialogLayer4','label':lang._('Edit Layer4 Route')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4Openvpn,'id':'DialogLayer4Openvpn','label':lang._('Edit OpenVPN Static Key')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':formGridLayer4['edit_dialog_id'],'label':lang._('Edit Layer4 Route')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4Openvpn,'id':formGridLayer4Openvpn['edit_dialog_id'],'label':lang._('Edit OpenVPN Static Key')])}}
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index b77bf8618a..f95594d214 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2023-2024 Cedrik Pischem
+ # Copyright (c) 2023-2025 Cedrik Pischem
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -27,7 +27,7 @@
 <script>
     $(document).ready(function() {
         // Bootgrid Setup
-        $("#reverseProxyGrid").UIBootgrid({
+        $("#{{formGridReverseProxy['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchReverseProxy/',
             get:'/api/caddy/ReverseProxy/getReverseProxy/',
             set:'/api/caddy/ReverseProxy/setReverseProxy/',
@@ -40,7 +40,7 @@
             }
         });
 
-        $("#reverseSubdomainGrid").UIBootgrid({
+        $("#{{formGridSubdomain['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchSubdomain/',
             get:'/api/caddy/ReverseProxy/getSubdomain/',
             set:'/api/caddy/ReverseProxy/setSubdomain/',
@@ -53,7 +53,7 @@
             }
         });
 
-        $("#reverseHandleGrid").UIBootgrid({
+        $("#{{formGridHandle['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchHandle/',
             get:'/api/caddy/ReverseProxy/getHandle/',
             set:'/api/caddy/ReverseProxy/setHandle/',
@@ -65,7 +65,7 @@
             }
         });
 
-        $("#accessListGrid").UIBootgrid({
+        $("#{{formGridAccessList['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchAccessList/',
             get:'/api/caddy/ReverseProxy/getAccessList/',
             set:'/api/caddy/ReverseProxy/setAccessList/',
@@ -76,7 +76,7 @@
             }
         });
 
-        $("#basicAuthGrid").UIBootgrid({
+        $("#{{formGridBasicAuth['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchBasicAuth/',
             get:'/api/caddy/ReverseProxy/getBasicAuth/',
             set:'/api/caddy/ReverseProxy/setBasicAuth/',
@@ -87,7 +87,7 @@
             }
         });
 
-        $("#reverseHeaderGrid").UIBootgrid({
+        $("#{{formGridHeader['table_id']}}").UIBootgrid({
             search:'/api/caddy/ReverseProxy/searchHeader/',
             get:'/api/caddy/ReverseProxy/getHeader/',
             set:'/api/caddy/ReverseProxy/setHeader/',
@@ -138,11 +138,11 @@
                         select.append($('<option>').val(item.id).text(item.domainPort));
                     });
                 } else {
-                    select.html('<option value="">{{ lang._('Failed to load data') }}</option>');
+                    select.html(`<option value="">{{ lang._('Failed to load data') }}</option>`);
                 }
                 select.selectpicker('refresh');
             }).fail(function() {
-                $('#reverseFilter').html('<option value="">{{ lang._('Failed to load data') }}</option>').selectpicker('refresh');
+                $('#reverseFilter').html(`<option value="">{{ lang._('Failed to load data') }}</option>`).selectpicker('refresh');
             });
         }
 
@@ -164,9 +164,9 @@
         }
 
         function reloadGrids() {
-            $("#reverseProxyGrid").bootgrid("reload");
-            $("#reverseSubdomainGrid").bootgrid("reload");
-            $("#reverseHandleGrid").bootgrid("reload");
+            $("#{{formGridReverseProxy['table_id']}}").bootgrid("reload");
+            $("#{{formGridSubdomain['table_id']}}").bootgrid("reload");
+            $("#{{formGridHandle['table_id']}}").bootgrid("reload");
         }
 
         // Hide message area when starting new actions
@@ -345,72 +345,16 @@
         <div style="padding-left: 16px;">
             <!-- Reverse Proxy -->
             <h1 class="custom-header">{{ lang._('Domains') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseProxyGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogReverseProxy" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="DisableTls" data-type="string">{{ lang._('Protocol') }}</th>
-                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="FromPort" data-type="string">{{ lang._('Port') }}</th>
-                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
-                            <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
-                            <th data-column-id="DnsChallenge" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('DNS-01 Challenge') }}</th>
-                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
-                            <th data-column-id="AccessLog" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('HTTP Access Log') }}</th>
-                            <th data-column-id="CustomCertificate" data-type="string" data-visible="false">{{ lang._('Certificate') }}</th>
-                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 Challenge Redirection') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addReverseProxyBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy)}}
             </div>
         </div>
 
         <!-- Subdomains Tab -->
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseSubdomainGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogSubdomain" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="reverse" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="FromDomain" data-type="string">{{ lang._('Subdomain') }}</th>
-                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
-                            <th data-column-id="basicauth" data-type="string" data-visible="false">{{ lang._('Basic Auth') }}</th>
-                            <th data-column-id="DynDns" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Dynamic DNS') }}</th>
-                            <th data-column-id="AcmePassthrough" data-type="string" data-visible="false">{{ lang._('HTTP-01 Challenge Redirection') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addSubdomainBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain)}}
             </div>
         </div>
     </div>
@@ -419,55 +363,8 @@
     <div id="handlesTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseHandleGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHandle" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="enabled" data-width="6em" data-type="boolean" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                            <th data-column-id="reverse" data-type="string">{{ lang._('Domain') }}</th>
-                            <th data-column-id="subdomain" data-type="string">{{ lang._('Subdomain') }}</th>
-                            <th data-column-id="HandleType" data-type="string" data-visible="false">{{ lang._('Handler') }}</th>
-                            <th data-column-id="HandlePath" data-type="string" data-visible="false">{{ lang._('Path') }}</th>
-                            <th data-column-id="header" data-type="string" data-visible="false">{{ lang._('HTTP Headers') }}</th>
-                            <th data-column-id="HandleDirective" data-type="string">{{ lang._('Directive') }}</th>
-                            <th data-column-id="HttpTls" data-type="string" data-visible="false">{{ lang._('Protocol') }}</th>
-                            <th data-column-id="ToDomain" data-type="string">{{ lang._('Upstream Domain') }}</th>
-                            <th data-column-id="ToPort" data-type="string">{{ lang._('Upstream Port') }}</th>
-                            <th data-column-id="ToPath" data-type="string" data-visible="false">{{ lang._('Upstream Path') }}</th>
-                            <th data-column-id="ForwardAuth" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('Forward Auth') }}</th>
-                            <th data-column-id="accesslist" data-type="string" data-visible="false">{{ lang._('Access List') }}</th>
-                            <th data-column-id="HttpVersion" data-type="string" data-visible="false">{{ lang._('HTTP Version') }}</th>
-                            <th data-column-id="HttpKeepalive" data-type="string" data-visible="false">{{ lang._('HTTP Keepalive') }}</th>
-                            <th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">{{ lang._('TLS Trust Pool') }}</th>
-                            <th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">{{ lang._('TLS Server Name') }}</th>
-                            <th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('NTLM') }}</th>
-                            <th data-column-id="HttpTlsInsecureSkipVerify" data-type="boolean" data-formatter="boolean" data-visible="false">{{ lang._('TLS Insecure Skip Verify') }}</th>
-                            <th data-column-id="lb_policy" data-type="string" data-visible="false">{{ lang._('Load Balance Policy') }}</th>
-                            <th data-column-id="lb_retries" data-type="string" data-visible="false">{{ lang._('Load Balance Retries') }}</th>
-                            <th data-column-id="lb_try_duration" data-type="string" data-visible="false">{{ lang._('Load Balance Try Duration') }}</th>
-                            <th data-column-id="lb_try_interval" data-type="string" data-visible="false">{{ lang._('Load Balance Try Interval') }}</th>
-                            <th data-column-id="PassiveHealthFailDuration" data-type="string" data-visible="false">{{ lang._('Passive Health Fail Duration') }}</th>
-                            <th data-column-id="PassiveHealthMaxFails" data-type="string" data-visible="false">{{ lang._('Passive Health Max Fails') }}</th>
-                            <th data-column-id="PassiveHealthUnhealthyStatus" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Status') }}</th>
-                            <th data-column-id="PassiveHealthUnhealthyLatency" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Latency') }}</th>
-                            <th data-column-id="PassiveHealthUnhealthyRequestCount" data-type="string" data-visible="false">{{ lang._('Passive Health Unhealthy Request Count') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addReverseHandleBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridHandle)}}
             </div>
         </div>
     </div>
@@ -478,31 +375,7 @@
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Access Lists') }}</h1>
             <div style="display: block;">
-                <table id="accessListGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogAccessList" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="accesslistName" data-type="string">{{ lang._('Name') }}</th>
-                            <th data-column-id="clientIps" data-type="string">{{ lang._('Client IPs') }}</th>
-                            <th data-column-id="accesslistInvert" data-type="boolean" data-formatter="boolean">{{ lang._('Invert') }}</th>
-                            <th data-column-id="HttpResponseCode" data-type="string" data-visible="false">{{ lang._('HTTP Code') }}</th>
-                            <th data-column-id="HttpResponseMessage" data-type="string" data-visible="false">{{ lang._('HTTP Message') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addAccessListBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+                {{ partial('layout_partials/base_bootgrid_table', formGridAccessList)}}
             </div>
         </div>
 
@@ -510,27 +383,7 @@
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Basic Auth') }}</h1>
             <div style="display: block;">
-                <table id="basicAuthGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogBasicAuth" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="basicauthuser" data-type="string">{{ lang._('User') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addBasicAuthBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+                {{ partial('layout_partials/base_bootgrid_table', formGridBasicAuth)}}
             </div>
         </div>
     </div>
@@ -539,31 +392,8 @@
     <div id="headerTab" class="tab-pane fade">
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Headers') }}</h1>
-            <div style="display: block;"> <!-- Common container -->
-                <table id="reverseHeaderGrid" class="table table-condensed table-hover table-striped" data-editDialog="DialogHeader" data-editAlert="ConfigurationChangeMessage">
-                    <thead>
-                        <tr>
-                            <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                            <th data-column-id="HeaderUpDown" data-type="string">{{ lang._('Header') }}</th>
-                            <th data-column-id="HeaderType" data-type="string">{{ lang._('Header Type') }}</th>
-                            <th data-column-id="HeaderValue" data-type="string" data-visible="false">{{ lang._('Header Value') }}</th>
-                            <th data-column-id="HeaderReplace" data-type="string" data-visible="false">{{ lang._('Header Replace') }}</th>
-                            <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                        </tr>
-                    </thead>
-                    <tbody>
-                    </tbody>
-                    <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <button id="addReverseHeaderBtn" data-action="add" type="button" class="btn btn-xs btn-primary"><span class="fa fa-plus"></span></button>
-                                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                            </td>
-                        </tr>
-                    </tfoot>
-                </table>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridHeader)}}
             </div>
         </div>
     </div>
@@ -584,16 +414,16 @@
             <!-- Message Area for error/success messages -->
             <div id="messageArea" class="alert alert-info" style="display: none;"></div>
             <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
-            <div id="ConfigurationChangeMessage" class="alert alert-info" style="display: none;">
+            <div id="ConfChangeMessage" class="alert alert-info" style="display: none;">
             {{ lang._('Please do not forget to apply the configuration.') }}
             </div>
         </div>
     </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':'DialogReverseProxy','label':lang._('Edit Domain')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':'DialogSubdomain','label':lang._('Edit Subdomain')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':'DialogHandle','label':lang._('Edit Handler')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':'DialogAccessList','label':lang._('Edit Access List')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':'DialogBasicAuth','label':lang._('Edit Basic Auth')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':'DialogHeader','label':lang._('Edit Header')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':formGridReverseProxy['edit_dialog_id'],'label':lang._('Edit Domain')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':formGridSubdomain['edit_dialog_id'],'label':lang._('Edit Subdomain')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHandle,'id':formGridHandle['edit_dialog_id'],'label':lang._('Edit Handler')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':formGridAccessList['edit_dialog_id'],'label':lang._('Edit Access List')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':formGridBasicAuth['edit_dialog_id'],'label':lang._('Edit Basic Auth')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':formGridHeader['edit_dialog_id'],'label':lang._('Edit Header')])}}

From 9e571ed7631f15718346e24b65f250b03205fee4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 7 Jan 2025 23:43:42 +0100
Subject: [PATCH 2284/3088] net/haproxy: migrate cert export to Trust MVC

---
 net/haproxy/pkg-descr                             |  5 +++++
 .../scripts/OPNsense/HAProxy/exportCerts.php      | 15 +++++++--------
 .../scripts/OPNsense/HAProxy/exportErrorFiles.php |  2 --
 .../scripts/OPNsense/HAProxy/exportLuaScripts.php |  2 --
 .../scripts/OPNsense/HAProxy/exportMapFiles.php   |  2 --
 5 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index d3e0b934fc..f6ed896fa7 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.5
+
+Changed:
+* migrate cert export to Trust MVC
+
 4.4
 
 Fixed:
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 20b72fd3d3..9358448780 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2016-2024 Frank Wall
+ * Copyright (C) 2016-2025 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * All rights reserved.
  *
@@ -28,12 +28,11 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-// Use legacy code to export certificates to the filesystem.
+require_once('script/load_phalcon.php');
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
+use OPNsense\Trust\Store as CertStore;
 
 $export_path = '/tmp/haproxy/ssl/';
 
@@ -82,8 +81,9 @@ function hasOcspInfo($cert_content)
                                         $ocsp_conf = '';
                                         // CRLs require special export
                                         if ($type == 'crl') {
-                                            $crl =& lookup_crl($cert_refid);
-                                            $pem_content = base64_decode($crl['text']);
+                                            if (isset($cert->text)) {
+                                                $pem_content = base64_decode($cert->text);
+                                            }
                                         } else {
                                             $pem_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
                                             $pem_content .= "\n" . str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->prv)));
@@ -91,9 +91,8 @@ function hasOcspInfo($cert_content)
                                             $ocsp_conf = hasOcspInfo($pem_content) ? ' [ocsp-update on]' : '';
                                             // check if a CA is linked
                                             if (!empty((string)$cert->caref)) {
-                                                $cert = (array)$cert;
-                                                $ca = ca_chain($cert);
                                                 // append the CA to the certificate data
+                                                $ca = CertStore::getCaChain((string)$cert->caref));
                                                 $pem_content .= "\n" . $ca;
                                                 // additionally export CA to it's own file,
                                                 // not required for HAProxy, but makes OCSP handling easier
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php
index 9ffaa95d99..f5417c754e 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportErrorFiles.php
@@ -30,8 +30,6 @@
 
 // Use legacy code to export certificates to the filesystem.
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
index 8406572815..30e8bd3b31 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportLuaScripts.php
@@ -30,8 +30,6 @@
 
 // Use legacy code to export certificates to the filesystem.
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
 
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
index ee502e4783..fe2e682f78 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
@@ -30,8 +30,6 @@
 
 // Use legacy code to export certificates to the filesystem.
 require_once("config.inc");
-require_once("certs.inc");
-require_once("legacy_bindings.inc");
 
 use OPNsense\Core\Config;
 

From b77ef8dc9bebcc830be83303ce7bea163e9a62af Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 9 Jan 2025 22:34:10 +0100
Subject: [PATCH 2285/3088] net/haproxy: switch to HAProxy 3.0, refs #4411

---
 net/haproxy/Makefile                                 |  4 ++--
 net/haproxy/pkg-descr                                |  1 +
 .../OPNsense/HAProxy/forms/dialogAction.xml          | 12 ++++++------
 .../OPNsense/HAProxy/forms/dialogBackend.xml         | 12 ++++++------
 .../OPNsense/HAProxy/forms/dialogFcgi.xml            |  2 +-
 .../OPNsense/HAProxy/forms/dialogFrontend.xml        |  6 +++---
 .../OPNsense/HAProxy/forms/dialogMapfile.xml         |  2 +-
 .../mvc/app/views/OPNsense/HAProxy/index.volt        | 10 +++++-----
 .../scripts/OPNsense/HAProxy/exportCerts.php         |  2 +-
 .../service/templates/OPNsense/HAProxy/haproxy.conf  |  4 ++--
 10 files changed, 28 insertions(+), 27 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 81ea69ec06..e629b6ca0e 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.4
+PLUGIN_VERSION=		4.5
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy28 py${PLUGIN_PYTHON}-haproxy-cli
+PLUGIN_DEPENDS=		haproxy py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index f6ed896fa7..daac185c39 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 4.5
 
 Changed:
+* upgrade to HAProxy 3.0 release series (#4411)
 * migrate cert export to Trust MVC
 
 4.4
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 7945ded643..e0e5e345df 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -89,7 +89,7 @@
         <id>action.http_request_redirect</id>
         <label>HTTP Redirect</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/2.8/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/3.0/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -128,7 +128,7 @@
         <id>action.http_request_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -145,7 +145,7 @@
         <id>action.http_request_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -251,7 +251,7 @@
         <id>action.http_response_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -268,7 +268,7 @@
         <id>action.http_response_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -468,6 +468,6 @@
         <id>action.fcgi_set_param</id>
         <label>Parameter</label>
         <type>text</type>
-        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/2.8/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
+        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 8411a6ad93..014b959aeb 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -28,7 +28,7 @@
         <id>backend.algorithm</id>
         <label>Balancing Algorithm</label>
         <type>dropdown</type>
-        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
         <hint>Choose a load balancing algorithm.</hint>
     </field>
     <field>
@@ -42,7 +42,7 @@
         <id>backend.proxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -186,7 +186,7 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <sortable>true</sortable>
-        <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.forwardFor</id>
@@ -213,7 +213,7 @@
         <id>backend.persistence_cookiemode</id>
         <label>Cookie handling</label>
         <type>dropdown</type>
-        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.persistence_cookiename</id>
@@ -235,14 +235,14 @@
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
+        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
         <hint>Choose a persistence type.</hint>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
index c02327bcea..4ad9d1e94e 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
@@ -33,7 +33,7 @@
         <id>fcgi.path_info</id>
         <label>Path Info</label>
         <type>text</type>
-        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/2.8/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/3.0/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <id>fcgi.log_stderr</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 2268abe723..a826ecfa85 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -350,14 +350,14 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
@@ -384,7 +384,7 @@
         <id>frontend.stickiness_counter_key</id>
         <label>Sticky counter key</label>
         <type>text</type>
-        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index 4955c8519a..554246fa45 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -15,6 +15,6 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/2.8/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 932c8814f3..fd025caccd 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -717,7 +717,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/2.8/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/3.0/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -759,7 +759,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.8/configuration.html#7" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/3.0/configuration.html#7" target="_blank">', '</a>') }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -774,7 +774,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}</p>
-            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/2.8/configuration.html#3.4" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/3.0/configuration.html#3.4" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -792,7 +792,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/2.8/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/3.0/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#3.5" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -810,7 +810,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/2.8/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/2.8/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/2.8/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/2.8/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/3.0/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/3.0/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 9358448780..cccff6408d 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -92,7 +92,7 @@ function hasOcspInfo($cert_content)
                                             // check if a CA is linked
                                             if (!empty((string)$cert->caref)) {
                                                 // append the CA to the certificate data
-                                                $ca = CertStore::getCaChain((string)$cert->caref));
+                                                $ca = CertStore::getCaChain((string)$cert->caref);
                                                 $pem_content .= "\n" . $ca;
                                                 // additionally export CA to it's own file,
                                                 // not required for HAProxy, but makes OCSP handling easier
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 3e40f63c02..642a84e4a6 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -990,10 +990,10 @@ global
 {# # check if OCSP is enabled #}
 {% if OPNsense.HAProxy.general.tuning.ocspUpdateEnabled|default('') == '1' %}
 {%   if helpers.exists('OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay') %}
-    tune.ssl.ocsp-update.mindelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay}}
+    ocsp-update.mindelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay}}
 {%   endif %}
 {%   if helpers.exists('OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay') %}
-    tune.ssl.ocsp-update.maxdelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay}}
+    ocsp-update.maxdelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay}}
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.resolversPrefer') %}

From be90096c4096ef53a583cc21e4fd8c3c853e4fd6 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:06:12 +0000
Subject: [PATCH 2286/3088] net/freeradius: Remove sessionClose()

---
 .../controllers/OPNsense/Freeradius/Api/AvpairController.php   | 1 -
 .../controllers/OPNsense/Freeradius/Api/ClientController.php   | 1 -
 .../app/controllers/OPNsense/Freeradius/Api/DhcpController.php | 1 -
 .../controllers/OPNsense/Freeradius/Api/LeaseController.php    | 1 -
 .../controllers/OPNsense/Freeradius/Api/ProxyController.php    | 3 ---
 .../controllers/OPNsense/Freeradius/Api/ServiceController.php  | 3 ---
 .../app/controllers/OPNsense/Freeradius/Api/UserController.php | 1 -
 7 files changed, 11 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/AvpairController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/AvpairController.php
index b22f665fc3..e2500e13ad 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/AvpairController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/AvpairController.php
@@ -42,7 +42,6 @@ public function searchAvpairAction()
     }
     public function getAvpairAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('avpair', 'avpairs.avpair', $uuid);
     }
     public function addAvpairAction()
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
index f00443fb1b..3cd6cc46d5 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ClientController.php
@@ -76,7 +76,6 @@ public function setAction()
 
     public function searchClientAction()
     {
-        $this->sessionClose();
         $mdlClient = $this->getModel();
         $grid = new UIModelGrid($mdlClient->clients->client);
         return $grid->fetchBindRequest(
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
index fb1dd5ebdc..84be1d862c 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/DhcpController.php
@@ -42,7 +42,6 @@ public function searchDhcpAction()
     }
     public function getDhcpAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('dhcp', 'dhcps.dhcp', $uuid);
     }
     public function addDhcpAction()
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
index 3cff21e0eb..4d8960e72d 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LeaseController.php
@@ -42,7 +42,6 @@ public function searchLeaseAction()
     }
     public function getLeaseAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('lease', 'leases.lease', $uuid);
     }
     public function addLeaseAction()
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
index d19ac612b7..118ffea5cd 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ProxyController.php
@@ -78,7 +78,6 @@ public function setAction()
 
     public function searchRealmAction()
     {
-        $this->sessionClose();
         $mdlRealm = $this->getModel();
         $grid = new UIModelGrid($mdlRealm->realms->realm);
         return $grid->fetchBindRequest(
@@ -204,7 +203,6 @@ public function toggleRealmAction($uuid)
     }
     public function searchHomeserverAction()
     {
-        $this->sessionClose();
         $mdlHomeserver = $this->getModel();
         $grid = new UIModelGrid($mdlHomeserver->homeservers->homeserver);
         return $grid->fetchBindRequest(
@@ -306,7 +304,6 @@ public function toggleHomeserverAction($uuid)
     }
     public function searchHomeserverpoolAction()
     {
-        $this->sessionClose();
         $mdlHomeserverpool = $this->getModel();
         $grid = new UIModelGrid($mdlHomeserverpool->homeserverpools->homeserverpool);
         return $grid->fetchBindRequest(
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
index 777f14d5de..699c7c8941 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/ServiceController.php
@@ -119,9 +119,6 @@ public function statusAction()
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
index b6638e2c2c..5a103278a3 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/UserController.php
@@ -77,7 +77,6 @@ public function setAction()
 
     public function searchUserAction()
     {
-        $this->sessionClose();
         $mdlUser = $this->getModel();
         $grid = new UIModelGrid($mdlUser->users->user);
         return $grid->fetchBindRequest(

From ff349682f8f1245bbe0e2a3e0faa4fca4dac1890 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:07:54 +0000
Subject: [PATCH 2287/3088] net/relayd: Remove sessionClose()

---
 .../app/controllers/OPNsense/Relayd/Api/ServiceController.php   | 2 --
 .../app/controllers/OPNsense/Relayd/Api/SettingsController.php  | 1 -
 .../app/controllers/OPNsense/Relayd/Api/StatusController.php    | 1 -
 3 files changed, 4 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
index 83eda01320..0bffec3e78 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/ServiceController.php
@@ -71,7 +71,6 @@ public function configtestAction()
     {
         if ($this->request->isPost()) {
             $result['status'] = 'ok';
-            $this->sessionClose();
 
             $backend = new Backend();
 
@@ -96,7 +95,6 @@ public function reconfigureAction()
     {
         if ($this->request->isPost()) {
             if ($this->lock()) {
-                $this->sessionClose();
                 $result['function'] = "reconfigure";
                 $result['status'] = 'failed';
                 $backend = new Backend();
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
index 3b8a11437e..f8cac66f1a 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
@@ -240,7 +240,6 @@ public function toggleAction($nodeType, $uuid, $enabled = null)
      */
     public function searchAction($nodeType = null)
     {
-        $this->sessionClose();
         if ($this->request->isPost() && $nodeType != null) {
             $this->validateNodeType($nodeType);
             $grid = new UIModelGrid($this->getModel()->$nodeType);
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
index 879bd22115..40c1a3134f 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
@@ -202,7 +202,6 @@ public function toggleAction($nodeType = null, $id = null, $action = null)
     {
         $result = ["result" => "failed", "function" => "toggle"];
         if ($this->request->isPost()) {
-            $this->sessionClose();
             $backend = new Backend();
             if (in_array($nodeType, ['redirect', 'table', 'host']) && in_array($action, ['enable', 'disable'])) {
                 if ($id != null && $id > 0) {

From 8e8e5772684b940f81c130b4487d35ac5cac2238 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:10:00 +0000
Subject: [PATCH 2288/3088] net/siproxd: Remove sessionClose()

---
 .../OPNsense/Siproxd/Api/DomainController.php            | 1 -
 .../OPNsense/Siproxd/Api/ServiceController.php           | 9 ---------
 .../controllers/OPNsense/Siproxd/Api/UserController.php  | 1 -
 3 files changed, 11 deletions(-)

diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
index 20c57f8efb..97c1e45cc9 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/DomainController.php
@@ -77,7 +77,6 @@ public function setAction()
 
     public function searchDomainAction()
     {
-        $this->sessionClose();
         $mdlDomain = $this->getModel();
         $grid = new UIModelGrid($mdlDomain->domains->domain);
         return $grid->fetchBindRequest(
diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
index 6e934931a9..2a48eec360 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/ServiceController.php
@@ -57,8 +57,6 @@ public function showregistrationsAction()
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("siproxd start");
             return array("response" => $response);
@@ -74,8 +72,6 @@ public function startAction()
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("siproxd stop");
             return array("response" => $response);
@@ -91,8 +87,6 @@ public function stopAction()
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("siproxd restart");
             return array("response" => $response);
@@ -135,9 +129,6 @@ public function statusAction()
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 
diff --git a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
index 76645935ce..ebb57998d1 100644
--- a/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
+++ b/net/siproxd/src/opnsense/mvc/app/controllers/OPNsense/Siproxd/Api/UserController.php
@@ -77,7 +77,6 @@ public function setAction()
 
     public function searchUserAction()
     {
-        $this->sessionClose();
         $mdlUser = $this->getModel();
         $grid = new UIModelGrid($mdlUser->users->user);
         return $grid->fetchBindRequest(

From f882de47f0c8b713f31c5cc425ce1742600ac693 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:11:26 +0000
Subject: [PATCH 2289/3088] net-mgmt/telegraf: Remove sessionClose()

---
 .../controllers/OPNsense/Telegraf/Api/KeyController.php  | 1 -
 .../OPNsense/Telegraf/Api/ServiceController.php          | 9 ---------
 2 files changed, 10 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/KeyController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/KeyController.php
index 09acd8b417..64b5c0189e 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/KeyController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/KeyController.php
@@ -43,7 +43,6 @@ public function searchKeyAction()
     }
     public function getKeyAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('key', 'keys.key', $uuid);
     }
     public function addKeyAction()
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
index 3f21c8b2a4..b23981c3b4 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/Api/ServiceController.php
@@ -46,8 +46,6 @@ class ServiceController extends ApiControllerBase
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("telegraf start");
             return array("response" => $response);
@@ -63,8 +61,6 @@ public function startAction()
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("telegraf stop");
             return array("response" => $response);
@@ -80,8 +76,6 @@ public function stopAction()
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("telegraf restart");
             return array("response" => $response);
@@ -124,9 +118,6 @@ public function statusAction()
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 

From f71b3e494108b41cf2038854159398882e84f0f9 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:15:05 +0000
Subject: [PATCH 2290/3088] net-mgmt/collectd: Remove sessionClose()

---
 .../OPNsense/Collectd/Api/ServiceController.php          | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
index 2d00ae3116..8228899418 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/controllers/OPNsense/Collectd/Api/ServiceController.php
@@ -46,8 +46,6 @@ class ServiceController extends ApiControllerBase
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("collectd start");
             return array("response" => $response);
@@ -63,8 +61,6 @@ public function startAction()
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("collectd stop");
             return array("response" => $response);
@@ -80,8 +76,6 @@ public function stopAction()
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("collectd restart");
             return array("response" => $response);
@@ -124,9 +118,6 @@ public function statusAction()
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $mdlGeneral = new General();
             $backend = new Backend();
 

From 7c2207999213fa3094973734eaa1d86b95d04f48 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:16:58 +0000
Subject: [PATCH 2291/3088] www/nginx: Remove sessionClose()

---
 .../OPNsense/Nginx/Api/SettingsController.php | 20 -------------------
 1 file changed, 20 deletions(-)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index c6d77d3950..0458bc2aa3 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -56,7 +56,6 @@ public function searchuserlistAction()
 
     public function getuserlistAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('userlist', 'userlist', $uuid);
     }
 
@@ -83,7 +82,6 @@ public function searchcredentialAction()
 
     public function getcredentialAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('credential', 'credential', $uuid);
     }
 
@@ -110,7 +108,6 @@ public function searchupstreamAction()
 
     public function getupstreamAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('upstream', 'upstream', $uuid);
     }
 
@@ -137,7 +134,6 @@ public function searchupstreamserverAction()
 
     public function getupstreamserverAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('upstream_server', 'upstream_server', $uuid);
     }
 
@@ -183,7 +179,6 @@ public function searchlocationAction()
 
     public function getlocationAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('location', 'location', $uuid);
     }
 
@@ -210,7 +205,6 @@ public function searchcustompolicyAction()
 
     public function getcustompolicyAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('custompolicy', 'custom_policy', $uuid);
     }
 
@@ -237,7 +231,6 @@ public function searchresolverAction()
 
     public function getresolverAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('resolver', 'resolver', $uuid);
     }
 
@@ -267,7 +260,6 @@ public function searchhttpserverAction()
 
     public function gethttpserverAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('httpserver', 'http_server', $uuid);
     }
 
@@ -294,7 +286,6 @@ public function searchstreamserverAction()
 
     public function getstreamserverAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('streamserver', 'stream_server', $uuid);
     }
 
@@ -321,7 +312,6 @@ public function searchnaxsiruleAction()
 
     public function getnaxsiruleAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('naxsi_rule', 'naxsi_rule', $uuid);
     }
 
@@ -348,7 +338,6 @@ public function searchhttprewriteAction()
 
     public function gethttprewriteAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('httprewrite', 'http_rewrite', $uuid);
     }
 
@@ -448,7 +437,6 @@ public function searchsecurityHeaderAction()
 
     public function getsecurityHeaderAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('security_header', 'security_header', $uuid);
     }
 
@@ -478,7 +466,6 @@ public function searchlimitZoneAction()
 
     public function getlimitZoneAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('limit_zone', 'limit_zone', $uuid);
     }
 
@@ -505,7 +492,6 @@ public function searcherrorpageAction()
 
     public function geterrorpageAction($uuid = null)
     {
-        $this->sessionClose();
         $data = $this->getBase('errorpage', 'errorpage', $uuid);
         // Decode base64 encoded page content
         $data['errorpage']['pagecontent'] = base64_decode($data['errorpage']['pagecontent']);
@@ -541,7 +527,6 @@ public function searchtlsFingerprintAction()
 
     public function gettlsFingerprintAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('tls_fingerprint', 'tls_fingerprint', $uuid);
     }
 
@@ -571,7 +556,6 @@ public function searchlimitRequestConnectionAction()
 
     public function getlimitRequestConnectionAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('limit_request_connection', 'limit_request_connection', $uuid);
     }
 
@@ -600,7 +584,6 @@ public function searchcachePathAction()
 
     public function getcachePathAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('cache_path', 'cache_path', $uuid);
     }
 
@@ -627,7 +610,6 @@ public function searchsnifwdAction()
 
     public function getsnifwdAction($uuid = null)
     {
-        $this->sessionClose();
         $base = $this->getBase('snihostname', 'sni_hostname_upstream_map', $uuid);
         return $this->convert_sni_fwd_for_client($base);
     }
@@ -672,7 +654,6 @@ public function searchipaclAction()
 
     public function getipaclAction($uuid = null)
     {
-        $this->sessionClose();
         $base = $this->getBase('ipacl', 'ip_acl', $uuid);
         return $this->convert_ipacl_for_client($base);
     }
@@ -827,7 +808,6 @@ public function searchsyslogTargetAction()
 
     public function getsyslogTargetAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('syslog_target', 'syslog_target', $uuid);
     }
 

From 659b29eff55b2ed30df0b1f2cc59c35a1d0febc6 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:21:39 +0000
Subject: [PATCH 2292/3088] www/squid: Remove sessionClose()

---
 .../OPNsense/Proxy/Api/ServiceController.php           | 10 ----------
 .../OPNsense/Proxy/Api/SettingsController.php          |  7 -------
 .../OPNsense/Proxy/Api/TemplateController.php          |  1 -
 3 files changed, 18 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
index 3fa2f25a55..5caae55f42 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
@@ -84,8 +84,6 @@ public function restartAction()
     public function resetAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             return array('status' => $backend->configdRun('proxy reset'));
         } else {
@@ -101,8 +99,6 @@ public function resetAction()
     public function refreshTemplateAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             return array('status' => $backend->configdRun('template reload OPNsense/Proxy'));
         } else {
@@ -118,9 +114,6 @@ public function refreshTemplateAction()
     public function fetchaclsAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $backend = new Backend();
             // generate template
             $backend->configdRun('template reload OPNsense/Proxy');
@@ -140,9 +133,6 @@ public function fetchaclsAction()
     public function downloadaclsAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $backend = new Backend();
             // generate template
             $backend->configdRun('template reload OPNsense/Proxy');
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
index e6f33dba0f..faa8cfc6ce 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
@@ -50,7 +50,6 @@ class SettingsController extends ApiMutableModelControllerBase
      */
     public function searchRemoteBlacklistsAction()
     {
-        $this->sessionClose();
         $mdlProxy = $this->getModel();
         $grid = new UIModelGrid($mdlProxy->forward->acl->remoteACLs->blacklists->blacklist);
         return $grid->fetchBindRequest(
@@ -153,7 +152,6 @@ public function fetchRBCronAction()
      */
     public function searchPACRuleAction()
     {
-        $this->sessionClose();
         return $this->searchBase('pac.rule', array("enabled", "description", "proxies", "matches"), "description");
     }
 
@@ -164,7 +162,6 @@ public function searchPACRuleAction()
      */
     public function getPACRuleAction($uuid = null)
     {
-        $this->sessionClose();
         return array("pac" => $this->getBase('rule', 'pac.rule', $uuid));
     }
 
@@ -217,7 +214,6 @@ public function delPACRuleAction($uuid)
      */
     public function searchPACProxyAction()
     {
-        $this->sessionClose();
         return $this->searchBase('pac.proxy', array("enabled","proxy_type", "name", "url", "description"), "description");
     }
 
@@ -228,7 +224,6 @@ public function searchPACProxyAction()
      */
     public function getPACProxyAction($uuid = null)
     {
-        $this->sessionClose();
         return array("pac" => $this->getBase('proxy', 'pac.proxy', $uuid));
     }
 
@@ -270,7 +265,6 @@ public function delPACProxyAction($uuid)
      */
     public function searchPACMatchAction()
     {
-        $this->sessionClose();
         return $this->searchBase('pac.match', array("enabled", "name", "description", "negate", "match_type"), "name");
     }
 
@@ -281,7 +275,6 @@ public function searchPACMatchAction()
      */
     public function getPACMatchAction($uuid = null)
     {
-        $this->sessionClose();
         return array("pac" => $this->getBase('match', 'pac.match', $uuid));
     }
 
diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
index 2f241f1cc4..aab6b0ced7 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/TemplateController.php
@@ -50,7 +50,6 @@ class TemplateController extends ApiMutableModelControllerBase
     public function setAction()
     {
         if ($this->request->isPost() && $this->request->hasPost("content")) {
-            $this->sessionClose();
             $mdl = $this->getModel();
             $mdl->error_pages->template = $this->request->getPost("content", "striptags");
             $result = $this->validate();

From 586f6379750bb87ceb80a75af0114eb9214a533b Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:24:00 +0000
Subject: [PATCH 2293/3088] security/acme-client: Remove sessionClose()

---
 .../OPNsense/AcmeClient/Api/AccountsController.php       | 1 -
 .../OPNsense/AcmeClient/Api/ActionsController.php        | 1 -
 .../OPNsense/AcmeClient/Api/CertificatesController.php   | 1 -
 .../OPNsense/AcmeClient/Api/ServiceController.php        | 9 ---------
 .../OPNsense/AcmeClient/Api/ValidationsController.php    | 1 -
 5 files changed, 13 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
index 120e7cd9c7..87c3eeb0d6 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/AccountsController.php
@@ -48,7 +48,6 @@ class AccountsController extends ApiMutableModelControllerBase
 
     public function getAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('account', 'accounts.account', $uuid);
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
index 441eb6fb01..761f8f511c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ActionsController.php
@@ -46,7 +46,6 @@ class ActionsController extends ApiMutableModelControllerBase
 
     public function getAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('action', 'actions.action', $uuid);
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
index b76adefd7d..76927da11d 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/CertificatesController.php
@@ -48,7 +48,6 @@ class CertificatesController extends ApiMutableModelControllerBase
 
     public function getAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('certificate', 'certificates.certificate', $uuid);
     }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
index 0e1a34a236..6e15abf0c0 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ServiceController.php
@@ -50,8 +50,6 @@ class ServiceController extends ApiControllerBase
     public function startAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("acmeclient http-start");
             return array("response" => $response);
@@ -67,8 +65,6 @@ public function startAction()
     public function stopAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("acmeclient http-stop");
             return array("response" => $response);
@@ -84,8 +80,6 @@ public function stopAction()
     public function restartAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
             $backend = new Backend();
             $response = $backend->configdRun("acmeclient http-restart");
             return array("response" => $response);
@@ -128,9 +122,6 @@ public function statusAction()
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $force_restart = false;
 
             $mdlAcme = new AcmeClient();
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
index 703a8fef35..c4c3403499 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/ValidationsController.php
@@ -47,7 +47,6 @@ class ValidationsController extends ApiMutableModelControllerBase
 
     public function getAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('validation', 'validations.validation', $uuid);
     }
 

From 499b8ff7ca94f6a90e2bfa68acb339b22770a455 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 9 Jan 2025 08:25:33 +0000
Subject: [PATCH 2294/3088] security/tor: Remove sessionClose()

---
 .../mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php | 1 -
 .../mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php | 1 -
 .../controllers/OPNsense/Tor/Api/HiddenserviceController.php   | 1 -
 .../OPNsense/Tor/Api/HiddenserviceaclController.php            | 1 -
 .../mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php | 3 ---
 .../app/controllers/OPNsense/Tor/Api/SocksaclController.php    | 1 -
 6 files changed, 8 deletions(-)

diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php
index 0e0beaa381..beb06d1cdc 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ExitaclController.php
@@ -43,7 +43,6 @@ public function searchaclAction()
     }
     public function getaclAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('exitpolicy', 'policy', $uuid);
     }
     public function addaclAction()
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
index b87068681e..455057eda9 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/GeneralController.php
@@ -82,7 +82,6 @@ public function searchhidservauthAction()
 
     public function gethidservauthAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('client_auth', 'client_authentications.client_auth', $uuid);
     }
 
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceController.php
index 7655546afc..0079f3d531 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceController.php
@@ -40,7 +40,6 @@ public function searchserviceAction()
     }
     public function getserviceAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('hiddenservice', 'service', $uuid);
     }
     public function addserviceAction()
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceaclController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceaclController.php
index 42d372b5f0..75e302df97 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceaclController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/HiddenserviceaclController.php
@@ -40,7 +40,6 @@ public function searchaclAction()
     }
     public function getaclAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('hiddenserviceacl', 'hiddenserviceacl', $uuid);
     }
     public function addaclAction()
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
index a5ae94af95..40d9cc066b 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/ServiceController.php
@@ -132,9 +132,6 @@ public function statusAction()
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
-            // close session for long running action
-            $this->sessionClose();
-
             $general = new General();
             $backend = new Backend();
 
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/SocksaclController.php b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/SocksaclController.php
index 7add9c0fab..449fb38de3 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/SocksaclController.php
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/Api/SocksaclController.php
@@ -40,7 +40,6 @@ public function searchaclAction()
     }
     public function getaclAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('policy', 'policy', $uuid);
     }
     public function addaclAction()

From f96d0023d097de52a9df4dcba16ae2d965a9b172 Mon Sep 17 00:00:00 2001
From: trantor1 <alexander.riedel@googlemail.com>
Date: Fri, 10 Jan 2025 14:49:15 +0100
Subject: [PATCH 2295/3088] mail/rspamd: fix wrong key in greylist.conf
 template for whitelisted ips (#4459)

Co-authored-by: Alexander Riedel <ariedel@compnetgmbh.de>
---
 .../opnsense/service/templates/OPNsense/Rspamd/greylist.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/greylist.conf b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/greylist.conf
index 42e19b416a..0d359054db 100644
--- a/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/greylist.conf
+++ b/mail/rspamd/src/opnsense/service/templates/OPNsense/Rspamd/greylist.conf
@@ -11,5 +11,5 @@
   action = "soft reject"; # default greylisted action
   ipv4_mask = {{ OPNsense.Rspamd.graylist.ipv4mask|default('19') }};
   ipv6_mask = {{ OPNsense.Rspamd.graylist.ipv6mask|default('64') }};
-  whitelist_ip = "/usr/local/etc/rspamd/local.d/greylist_ip.wl";
+  whitelisted_ip = "/usr/local/etc/rspamd/local.d/greylist_ip.wl";
 {% endif %}

From 15cec3fee0fd548a56bc17371fd3d65ff6c17ba7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 10 Jan 2025 14:51:53 +0100
Subject: [PATCH 2296/3088] mail/rspamd: revision bump after fix

---
 mail/rspamd/Makefile  | 2 +-
 mail/rspamd/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/mail/rspamd/Makefile b/mail/rspamd/Makefile
index 6d672f7ffe..a1e2148ce0 100644
--- a/mail/rspamd/Makefile
+++ b/mail/rspamd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rspamd
 PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Protect your network from spam
 PLUGIN_DEPENDS=		rspamd
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/mail/rspamd/pkg-descr b/mail/rspamd/pkg-descr
index c356fd21c3..a1d6d33b66 100644
--- a/mail/rspamd/pkg-descr
+++ b/mail/rspamd/pkg-descr
@@ -8,6 +8,7 @@ Plugin Changelog
 1.13
 
 * Make local whitelist by e-mail address possible (contributed by itNGO)
+* Fix typo in "whitelisted_ip" option (contributed by Alexander Riedel)
 * Add phishing exclusion (contributed by Makss39)
 
 1.12

From 1e4674a853ea6145011ce1bcab5294eb219be917 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Jan 2025 13:56:34 +0100
Subject: [PATCH 2297/3088] plugins: address 'adress' typo like in core

---
 .../mvc/app/views/OPNsense/Relayd/index.volt  | 54 +++++++++----------
 .../AcmeClient/forms/dialogAction.xml         |  4 +-
 .../OPNsense/Tor/forms/acl_exitpolicy.xml     |  2 +-
 3 files changed, 29 insertions(+), 31 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
index 8c96a0ec31..11a7e3e0c5 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
@@ -1,31 +1,29 @@
 {#
-
-Copyright © 2018 by EURO-LOG AG
-Copyright (c) 2021 Deciso B.V.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ # Copyright (c) 2018 EURO-LOG AG
+ # Copyright (c) 2021 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <script>
 
@@ -365,7 +363,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
                 <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
-                <th data-column-id="listen_address" data-type="string">{{ lang._('Adress') }}</th>
+                <th data-column-id="listen_address" data-type="string">{{ lang._('Address') }}</th>
                 <th data-column-id="listen_startport" data-formatter="listen_port" data-type="string">{{ lang._('Port') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Edit') }} | {{ lang._('Delete') }}</th>
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 97d14b3557..a2fb434eb4 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -188,7 +188,7 @@
         <id>action.acme_synology_dsm_hostname</id>
         <label>Synology Hostname</label>
         <type>text</type>
-        <help>Hostname of IP adress of the Synology DSM, i.e. synology.example.com or 192.168.0.1.</help>
+        <help>Hostname of IP address of the Synology DSM, i.e. synology.example.com or 192.168.0.1.</help>
     </field>
     <field>
         <id>action.acme_synology_dsm_port</id>
@@ -340,7 +340,7 @@
         <id>action.acme_truenas_hostname</id>
         <label>TrueNAS hostname</label>
         <type>text</type>
-        <help>Hostname or IP adress of TrueNAS Core Server.</help>
+        <help>Hostname or IP address of TrueNAS Core Server.</help>
     </field>
     <field>
         <id>action.acme_truenas_scheme</id>
diff --git a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/acl_exitpolicy.xml b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/acl_exitpolicy.xml
index 0f1050ea7b..6308f1b9fa 100644
--- a/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/acl_exitpolicy.xml
+++ b/security/tor/src/opnsense/mvc/app/controllers/OPNsense/Tor/forms/acl_exitpolicy.xml
@@ -15,7 +15,7 @@
     <id>exitpolicy.network</id>
     <label>Network</label>
     <type>text</type>
-    <help>Network on which this ACL is applied. Enter 'any' to use wildcard adressing.</help>
+    <help>Network on which this ACL is applied. Enter 'any' to use wildcard addressing.</help>
   </field>
   <field>
     <id>exitpolicy.startport</id>

From 2f4e63b03ba7688cf9541073ef242fc1dd2ff863 Mon Sep 17 00:00:00 2001
From: RasAlGhul <razzaguhl@gmail.com>
Date: Tue, 14 Jan 2025 10:51:41 +0100
Subject: [PATCH 2298/3088] net/freeradius: EAP-TLS with multiple CAs (#4381)

* controller eap: changed from dropdown to select_multiple

* model eap: add mulitple option to CertificateField type ca

* script generate_certs: Multiple comma-separated refid values are possible. Use explode() and process them with a foreach loop
---
 .../OPNsense/Freeradius/forms/eap.xml         |  2 +-
 .../app/models/OPNsense/Freeradius/Eap.xml    |  1 +
 .../scripts/Freeradius/generate_certs.php     | 26 +++++++++++--------
 3 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index 8438620895..cb032d2fcc 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -20,7 +20,7 @@
     <field>
         <id>eap.ca</id>
         <label>Root Certificate</label>
-        <type>dropdown</type>
+        <type>select_multiple</type>
         <help>Choose the Root CA. This CA will be trusted to issue client certificates for authentication.</help>
     </field>
     <field>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index c44c58ed39..991e9bd526 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -31,6 +31,7 @@
         <ca type="CertificateField">
             <Type>ca</Type>
             <Required>N</Required>
+            <multiple>Y</multiple>
         </ca>
         <certificate type="CertificateField">
             <Type>cert</Type>
diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
index efb5eabd0f..a55e822d0d 100755
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@@ -80,17 +80,21 @@
         $cert_refid = (string)$find_cert->ca;
         // if eap has a ca-certificate attached, search for its contents
         if ($cert_refid != "") {
-            foreach ($configObj->ca as $ca) {
-                if ($cert_refid == (string)$ca->refid) {
-                    // generate cert pem file
-                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
-                        "\r",
-                        "",
-                        base64_decode((string)$ca->crt)
-                    )));
-
-                    $pem_content .= "\n";
-                    $ca_pem_content .= $pem_content;
+            // multiple comma-separated refid values are possible
+            $cert_refids = explode(',', $cert_refid);
+            foreach ($cert_refids as $current_refid) {
+                foreach ($configObj->ca as $ca) {
+                    if ($current_refid == (string)$ca->refid) {
+                        // generate cert pem file
+                        $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                            "\r",
+                            "",
+                            base64_decode((string)$ca->crt)
+                        )));
+    
+                        $pem_content .= "\n";
+                        $ca_pem_content .= $pem_content;
+                    }
                 }
             }
         }

From 8cb288309e715948363dbd711c7f62e172d53d9e Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Tue, 14 Jan 2025 10:57:20 +0000
Subject: [PATCH 2299/3088] Grid and Dashboard colour change (#4451)

Grid colour changes to improve readability
Dashboard cosmetic colour change for line.
---
 misc/theme-rebellion/Makefile                 |  2 +-
 .../themes/rebellion/build/css/dashboard.css  |  2 +-
 .../www/themes/rebellion/build/css/main.css   | 86 +++++++++----------
 3 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 4dbbe55854..c1628de989 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.9.1
+PLUGIN_VERSION=		1.9.2
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	martin@queens-park.com
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
index 6f997d8a58..9ada408359 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
@@ -102,7 +102,7 @@ td {
     display: inline-block;
     height: 1px;
     width: 70%;
-    background: #121212;
+    background: #ea7105b8;
 	color: #f0f0f0;
     margin: 5px;
 }
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
index 90ee518d4d..356ce50aca 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/main.css
@@ -1121,7 +1121,7 @@ a.text-primary:hover {
   color: #b85904; }
 
 .text-success {
-  color: #7Ba255; }
+  color: #5b8a35; }
 
 a.text-success:hover {
   color: #628143; }
@@ -1152,7 +1152,7 @@ a.bg-primary:hover {
   background-color: #b85904; }
 
 .bg-success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 a.bg-success:hover {
   background-color: #628143; }
@@ -1851,7 +1851,7 @@ pre {
 
 table {
   background-color: transparent;
-  color: #ccc; }
+  color: #f1f1f1; }
 
 th {
   text-align: left; }
@@ -1956,22 +1956,22 @@ table td[class*=col-], table th[class*=col-] {
   background-color: #3b3b3b; }
 
 .table > thead > tr > td.success, .table > thead > tr > th.success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > thead > tr.success > td, .table > thead > tr.success > th {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > tbody > tr > td.success, .table > tbody > tr > th.success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > tbody > tr.success > td, .table > tbody > tr.success > th {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > tfoot > tr > td.success, .table > tfoot > tr > th.success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table > tfoot > tr.success > td, .table > tfoot > tr.success > th {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .table-hover > tbody > tr > td.success:hover, .table-hover > tbody > tr > th.success:hover {
   background-color: #6e914c; }
@@ -2701,10 +2701,10 @@ textarea.input-lg {
   line-height: 30px; }
 
 .has-success .help-block, .has-success .control-label, .has-success .radio, .has-success .checkbox, .has-success .radio-inline, .has-success .checkbox-inline {
-  color: #7Ba255; }
+  color: #5b8a35; }
 
 .has-success .form-control {
-  border-color: #7Ba255;
+  border-color: #5b8a35;
   -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
   box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
   .has-success .form-control:focus {
@@ -2713,12 +2713,12 @@ textarea.input-lg {
     box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #aec895; }
 
 .has-success .input-group-addon {
-  color: #7Ba255;
-  border-color: #7Ba255;
-  background-color: #7Ba255; }
+  color: #5b8a35;
+  border-color: #5b8a35;
+  background-color: #5b8a35; }
 
 .has-success .form-control-feedback {
-  color: #7Ba255; }
+  color: #5b8a35; }
 
 .has-warning .help-block, .has-warning .control-label, .has-warning .radio, .has-warning .checkbox, .has-warning .radio-inline, .has-warning .checkbox-inline {
   color: #f0ad4e; }
@@ -3023,7 +3023,7 @@ fieldset[disabled] .btn-primary {
 
 .btn-success {
   color: #eee;
-  background-color: #7Ba255;
+  background-color: #5b8a35;
   border-color: #6e914c; }
   .btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active {
     color: #eee;
@@ -3042,28 +3042,28 @@ fieldset[disabled] .btn-primary {
   background-image: none; }
 
 .btn-success.disabled {
-  background-color: #7Ba255;
+  background-color: #5b8a35;
   border-color: #6e914c; }
   .btn-success.disabled:hover, .btn-success.disabled:focus, .btn-success.disabled:active, .btn-success.disabled.active {
-    background-color: #7Ba255;
+    background-color: #5b8a35;
     border-color: #6e914c; }
 
 .btn-success[disabled] {
-  background-color: #7Ba255;
+  background-color: #5b8a35;
   border-color: #6e914c; }
   .btn-success[disabled]:hover, .btn-success[disabled]:focus, .btn-success[disabled]:active, .btn-success[disabled].active {
-    background-color: #7Ba255;
+    background-color: #5b8a35;
     border-color: #6e914c; }
 
 fieldset[disabled] .btn-success {
-  background-color: #7Ba255;
+  background-color: #5b8a35;
   border-color: #6e914c; }
   fieldset[disabled] .btn-success:hover, fieldset[disabled] .btn-success:focus, fieldset[disabled] .btn-success:active, fieldset[disabled] .btn-success.active {
-    background-color: #7Ba255;
+    background-color: #5b8a35;
     border-color: #6e914c; }
 
 .btn-success .badge {
-  color: #7Ba255;
+  color: #5b8a35;
   background-color: #eee; }
 
 .btn-info {
@@ -4444,7 +4444,7 @@ a.label:hover, a.label:focus {
     background-color: #b85904; }
 
 .label-success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
   .label-success[href]:hover, .label-success[href]:focus {
     background-color: #628143; }
 
@@ -4583,8 +4583,8 @@ a.thumbnail:hover, a.thumbnail:focus, a.thumbnail.active {
   color: inherit; }
 
 .alert-success {
-  background-color: #7Ba255;
-  border-color: #7Ba255;
+  background-color: #5b8a35;
+  border-color: #5b8a35;
   color: #485f32; }
   .alert-success hr {
     border-top-color: #6e914c; }
@@ -4683,7 +4683,7 @@ a.thumbnail:hover, a.thumbnail:focus, a.thumbnail.active {
   box-shadow: none; }
 
 .progress-bar-success {
-  background-color: #7Ba255; }
+  background-color: #5b8a35; }
 
 .progress-striped .progress-bar-success {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
@@ -4823,24 +4823,24 @@ a.list-group-item {
     width: 3px; }
 
 .list-group-item-success {
-  color: #7Ba255;
-  background-color: #7Ba255; }
+  color: #5b8a35;
+  background-color: #5b8a35; }
 
 a.list-group-item-success {
-  color: #7Ba255; }
+  color: #5b8a35; }
   a.list-group-item-success .list-group-item-heading {
     color: inherit; }
   a.list-group-item-success:hover, a.list-group-item-success:focus {
-    color: #7Ba255;
+    color: #5b8a35;
     background-color: #6e914c; }
   a.list-group-item-success.active {
     color: #222;
-    background-color: #7Ba255;
-    border-color: #7Ba255; }
+    background-color: #5b8a35;
+    border-color: #5b8a35; }
     a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
       color: #222;
-      background-color: #7Ba255;
-      border-color: #7Ba255; }
+      background-color: #5b8a35;
+      border-color: #5b8a35; }
 
 .list-group-item-info {
   color: #ffffff;
@@ -5143,18 +5143,18 @@ a.list-group-item-danger {
     border-bottom-color: #EA7105; }
 
 .panel-success {
-  border-color: #7Ba255; }
+  border-color: #5b8a35; }
   .panel-success > .panel-heading {
-    color: #7Ba255;
-    background-color: #7Ba255;
-    border-color: #7Ba255; }
+    color: #5b8a35;
+    background-color: #5b8a35;
+    border-color: #5b8a35; }
     .panel-success > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #7Ba255; }
+      border-top-color: #5b8a35; }
     .panel-success > .panel-heading .badge {
-      color: #7Ba255;
-      background-color: #7Ba255; }
+      color: #5b8a35;
+      background-color: #5b8a35; }
   .panel-success > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #7Ba255; }
+    border-bottom-color: #5b8a35; }
 
 .panel-info {
   border-color: #3b488e; }

From feccd9ce21d3a00808c72f9f04a539cf863776f3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Jan 2025 13:48:57 +0100
Subject: [PATCH 2300/3088] LICENSE: sync

---
 LICENSE | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/LICENSE b/LICENSE
index 5c3d5ae4bf..5264977a0a 100644
--- a/LICENSE
+++ b/LICENSE
@@ -7,14 +7,14 @@ Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2021 Axelrtgs
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
-Copyright (c) 2023-2024 Cedrik Pischem
+Copyright (c) 2023-2025 Cedrik Pischem
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2021 Dan Lundqvist
 Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
-Copyright (c) 2014-2024 Deciso B.V.
+Copyright (c) 2014-2025 Deciso B.V.
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 Copyright (c) 2023 Dmitry Shinkaruk
 Copyright (c) 2024 DollarSign23
@@ -25,7 +25,7 @@ Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2024 Francisco Dimattia <info@tecnoservicio.com.ar>
 Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
-Copyright (c) 2016-2024 Frank Wall
+Copyright (c) 2016-2025 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2023 Greg Glockner <greg@glockners.net>
 Copyright (c) 2024 Hasan Ucak <hasan@sunnyvalley.io>
@@ -51,7 +51,7 @@ Copyright (c) 2022 Marvo2011
 Copyright (c) 2017-2024 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2024 Michał Brzeziński
 Copyright (c) 2024 Mike Shuey
-Copyright (c) 2023 Mikhail Kharisov
+Copyright (c) 2023-2024 Mikhail Kharisov
 Copyright (c) 2023 mleinart
 Copyright (c) 2024 MVZ Labor Ludwigsburg GbR
 Copyright (c) 2021-2024 Nicola Pellegrini
@@ -72,6 +72,7 @@ Copyright (c) 2020 Starkstromkonsument
 Copyright (c) 2023-2024 Thomas Cekal <thomas@cekal.org>
 Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2024 txr13
+Copyright (c) 2024 W516
 Copyright (c) 2022 Wouter Deurholt
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
 All rights reserved.

From f76eecd3b7c452af238067a4742c7417e172c49b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Jan 2025 14:49:42 +0100
Subject: [PATCH 2301/3088] net/freeradius: new version

---
 net/freeradius/Makefile                               |  2 +-
 net/freeradius/pkg-descr                              | 11 +++++++----
 .../opnsense/scripts/Freeradius/generate_certs.php    |  2 +-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index d9db167fab..b40352f967 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.26
+PLUGIN_VERSION=		1.9.27
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index d8aef153f1..66640e76e9 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -11,13 +11,19 @@ security, particularly in the academic community, including eduroam.
 
 The server is fast, feature-rich, modular, and scalable.
 
+WWW: https://www.freeradius.org
+
 
 Plugin Changelog
 ================
 
+1.9.27
+
+* Allow EAP-TLS with multiple CAs (contributed by RasAlGhul)
+
 1.9.26
 
-* Added support for `require_message_authenticator` in client configuration (contributed by Patrick M. Hausen)
+* Added support for "require_message_authenticator" in client configuration (contributed by Patrick M. Hausen)
 
 1.9.25
 
@@ -119,6 +125,3 @@ Plugin Changelog
 * Add DHCP support, serving only for DHCP relays
 * Allow usage of remote MySQL server
 * Rework service status UI
-
-
-WWW: https://www.freeradius.org
diff --git a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
index a55e822d0d..e68d95971a 100755
--- a/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
+++ b/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
@@ -91,7 +91,7 @@
                             "",
                             base64_decode((string)$ca->crt)
                         )));
-    
+
                         $pem_content .= "\n";
                         $ca_pem_content .= $pem_content;
                     }

From dffc5ecc6ba3892f59efbdd015dc968f52cc1a94 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 14 Jan 2025 14:54:34 +0100
Subject: [PATCH 2302/3088] www/squid: new version

---
 www/squid/Makefile  | 3 +--
 www/squid/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 67b5f77f7b..30e2f86cd8 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		squid
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index ba32c194e8..3ffe8644c5 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -5,6 +5,10 @@ content serving applications.
 Plugin Changelog
 ================
 
+1.1
+
+* Syslog corrections and implementation of "workers" (contributed by Andy Binder)
+
 1.0
 
 * Initial version based on the OPNsense 23.7.12 core code

From e195b2e49bcd26f895562d66933bf5da816548b2 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Thu, 16 Jan 2025 11:00:57 +0100
Subject: [PATCH 2303/3088] www/squid: Regex + hint (#4470)

---
 .../opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml | 3 ++-
 .../service/templates/OPNsense/Syslog/local/squid_access.conf  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 7671a7f47e..998bd76b40 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -343,7 +343,8 @@
                 <id>proxy.forward.workers</id>
                 <label>Number of squid workers</label>
                 <type>text</type>
-                <help>Start N main Squid process daemons (i.e., SMP mode). Requires Restart. Default: 1</help>
+                <help>Start N main Squid process daemons (i.e., SMP mode). Requires Restart. Do not enable when using local cache.</help>
+                <hint>1</hint>
                 <advanced>true</advanced>
             </field>
             <field>
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf b/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
index 159dcb5638..1b81f08a71 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Syslog/local/squid_access.conf
@@ -2,5 +2,5 @@
 # Local syslog-ng configuration filter definition [squid_access].
 ###################################################################
 filter f_local_squid_access {
-    program("^(squid-|squid-coord-)\\d+");
+    program("squid-*");
 };

From 38b1c6815bb348b5261339803689c16eb760e684 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Jan 2025 12:28:20 +0100
Subject: [PATCH 2304/3088] wwww/squid: bump and fix model default not used

---
 www/squid/Makefile                                             | 1 +
 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 30e2f86cd8..a70692d4f3 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 1c04b1f6b3..3d77eabfef 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -283,7 +283,6 @@
               <ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
             </sslnobumpsites>
             <workers type="IntegerField">
-              <Default>1</Default>
               <MinimumValue>1</MinimumValue>
               <MaximumValue>100</MaximumValue>
               <ValidationMessage>worker number needs to be an integer value between 1 and 100</ValidationMessage>

From 3b8d735a9276ca7ec5393f002d6174bec90b88fd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Jan 2025 14:25:12 +0100
Subject: [PATCH 2305/3088] www/caddy: fix sort of a typo here

---
 www/caddy/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index f7217f7f6b..65e926dd6f 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -15,7 +15,7 @@ Plugin Changelog
 
 1.8.0
 
-* Build: Update to caddy-v2.9.0 and update dependencies (opnsense/plugins/issues/4437)
+* Build: Update Caddy to version 2.9.x and update dependencies (opnsense/plugins/issues/4437)
 * Build: Fix caddy-l4 timeout issue (opnsense/plugins/issues/4384)
 * Build: Mark DNS Providers optional that are not included per default (opnsense/plugins/pull/4441)
          digitalocean, route53, googleclouddns, netlify, ddnss, njalla, tencentcloud

From 98b20bcc82031a3e0aab4430195c755ce05edf9e Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 17 Jan 2025 14:42:32 +0100
Subject: [PATCH 2306/3088] www/caddy: Add persistent banner notification if
 custom imports are used. (#4476)

---
 .../System/Status/CaddyOverrideStatus.php     | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php

diff --git a/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
new file mode 100644
index 0000000000..742adbac12
--- /dev/null
+++ b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
@@ -0,0 +1,54 @@
+<?php
+/*
+ * Copyright (C) 2025 Cedrik Pischem
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\System\Status;
+
+use OPNsense\System\AbstractStatus;
+use OPNsense\System\SystemStatusCode;
+
+class CaddyOverrideStatus extends AbstractStatus
+{
+    public function __construct()
+    {
+        $this->internalPriority = 2;
+        $this->internalPersistent = true;
+        $this->internalIsBanner = true;
+        $this->internalTitle = gettext('Caddy config override');
+        $this->internalScope = [
+            '/ui/caddy/layer4',
+            '/ui/caddy/diagnostics',
+            '/ui/caddy/reverse_proxy',
+            '/ui/caddy/general'
+        ];
+
+        if (count(glob('/usr/local/etc/caddy/caddy.d/*.*'))) {
+            $this->internalMessage = gettext('Custom configuration imports exist in "/usr/local/etc/caddy/caddy.d/".');
+            $this->internalStatus = SystemStatusCode::NOTICE;
+        }
+    }
+}

From 84aa445f5cc7ee8623d22fe3d73c1cd678fa62c3 Mon Sep 17 00:00:00 2001
From: abrychcy <abrychcy@users.noreply.github.com>
Date: Fri, 17 Jan 2025 23:22:10 +0100
Subject: [PATCH 2307/3088] security/acme-client: fix export of ca certs for
 SFTP upload

export correct array element for ca certs. fixes #4477
---
 .../src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index f5e00cc85d..2f42e46e5e 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -532,7 +532,7 @@ function exportCertificates(array $cert_refids): array
             $item["key"] = $_tmp["prv"];
             // check if a CA is linked
             if (!empty((string)$cert->caref)) {
-                $item['ca'] = $_tmp['ca'];
+                $item['ca'] = $_tmp['ca']['crt'];
 
                 // combine files to export a fullchain.pem
                 $item["fullchain"] = $item["cert"] . $item["ca"];

From 22939ae2fc74ac938525c4ee165afc4679238c43 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 19 Jan 2025 12:09:51 +0100
Subject: [PATCH 2308/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index e431857ae6..f750997c05 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.7
+PLUGIN_VERSION=		4.8
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 1536c9c9ca..8dd171559e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.8
+
+Fixed:
+* SFTP automation unable to transfer certs (#4477)
+
 4.7
 
 Added:

From c4e2f2559f7976c31fdce85567b756a60ea057f8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 19 Jan 2025 12:31:47 +0100
Subject: [PATCH 2309/3088] security/acme-client: add note regarding OCSP
 support

---
 security/acme-client/pkg-descr                             | 7 +++++++
 .../OPNsense/AcmeClient/forms/dialogCertificate.xml        | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 8dd171559e..5d07a9eae6 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,13 @@ Plugin Changelog
 
 4.8
 
+BREAKING CHANGE: Let's Encrypt ends support for the OCSP Must Staple
+extension on 30.01.2025. Issuance requests will fail if this option is
+still enabled past this date.
+
+Changed:
+* Add note regarding the support of OCSP
+
 Fixed:
 * SFTP automation unable to transfer certs (#4477)
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index ddeda0b173..703b67d98c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -68,11 +68,15 @@
         <type>dropdown</type>
         <help><![CDATA[Specify the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.]]></help>
     </field>
+    <field>
+        <label><![CDATA[NOTE: OCSP is not supported by all CAs.]]></label>
+        <type>info</type>
+    </field>
     <field>
         <id>certificate.ocsp</id>
         <label>OCSP Must Staple</label>
         <type>checkbox</type>
-        <help>Generate and add OCSP Must Staple extension to the certificate.</help>
+        <help>Generate and add OCSP Must Staple extension to the certificate. When this option is enabled and issueance/renewal requests fail, then this extension is probably not supported by the CA.</help>
     </field>
     <field>
         <label>Advanced Settings</label>

From e2aa9e1dc5ee5d6f83d327356af4a931ef77d57b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 20 Jan 2025 11:29:37 +0100
Subject: [PATCH 2310/3088] www/caddy: Disable HTTP/3 to mitigate status 400
 issue when reverse proxying the OPNsense WebGUI (#4482)

---
 www/caddy/Makefile                                        | 1 +
 www/caddy/pkg-descr                                       | 1 +
 .../mvc/app/controllers/OPNsense/Caddy/forms/general.xml  | 6 +++---
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml  | 8 ++++----
 .../opnsense/service/templates/OPNsense/Caddy/Caddyfile   | 2 +-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 4264cd9b08..ebfe26f13d 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.8.0
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 65e926dd6f..716a22aa4c 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -22,6 +22,7 @@ Plugin Changelog
          dinahosting, civo, easydns, hosttech; must be added via https://caddyserver.com/docs/command-line#caddy-add-package
 * Cleanup: Refactor caddy.inc and add syslog function, change name from Caddy Web Server to Caddy (opnsense/plugins/issues/4426)
 * Cleanup: Some small UI tweaks (opnsense/plugins/pull/4442)
+* Change: Disable HTTP/3 to mitigate status 400 issue when reverse proxying the OPNsense WebGUI (opnsense/plugins/issues/4471)
 
 1.7.6
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 488c9aeb29..60d604eaf9 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -33,10 +33,10 @@
             <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
         </field>
         <field>
-            <id>caddy.general.HttpVersion</id>
-            <label>HTTP Version</label>
+            <id>caddy.general.HttpVersions</id>
+            <label>HTTP Versions</label>
             <type>select_multiple</type>
-            <help><![CDATA[Select the HTTP Version for the frontend listeners. By default, QUIC (HTTP/3) is enabled. This means, UDP/443 will be used by Caddy. To free this protocol port combination for a different service, choose a different combination of protocols that does not include HTTP/3.]]></help>
+            <help><![CDATA[Select the HTTP versions for the frontend listeners. By default, QUIC (HTTP/3) is disabled.]]></help>
         </field>
         <field>
             <id>caddy.general.HttpPort</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 5fd4bf0003..70f09cc376 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.3</version>
+    <version>1.3.4</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -98,16 +98,16 @@
                 <ValidationMessage>Please enter a valid Grace Period between 1 and 20 seconds.</ValidationMessage>
                 <Required>Y</Required>
             </GracePeriod>
-            <HttpVersion type="OptionField">
+            <HttpVersions type="OptionField">
                 <Required>Y</Required>
-                <Default>h1,h2,h3</Default>
+                <Default>h1,h2</Default>
                 <Multiple>Y</Multiple>
                 <OptionValues>
                     <h1>HTTP/1.1</h1>
                     <h2>HTTP/2</h2>
                     <h3>HTTP/3</h3>
                 </OptionValues>
-            </HttpVersion>
+            </HttpVersions>
             <LogCredentials type="BooleanField"/>
             <LogAccessPlain type="BooleanField"/>
             <LogAccessPlainKeep type="IntegerField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 320eb86195..1e452f62c8 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -81,7 +81,7 @@
     {% endif %}
 
     servers {
-        protocols {{ generalSettings.HttpVersion.split(',') | join(' ') }}
+        protocols {{ generalSettings.HttpVersions.split(',') | join(' ') }}
         {% if accessList %}
             trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
         {% endif %}

From dc225a57dde2aef7c9068a2d7d577d5dd918fa3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eirik=20=C3=98verby?= <ltning-github@anduin.net>
Date: Mon, 20 Jan 2025 19:17:03 +0100
Subject: [PATCH 2311/3088] www/nginx: Add basic support for forced caching
 (#4481)

---
 .../mvc/app/controllers/OPNsense/Nginx/forms/location.xml  | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml   | 3 +++
 .../service/templates/OPNsense/Nginx/location.conf         | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index c5ad998275..d6ee67abb0 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -96,6 +96,13 @@
     <advanced>true</advanced>
     <help>Enter how often the resource must be hit before adding it to the cache.</help>
   </field>
+  <field>
+    <id>location.cache_valid</id>
+    <label>Cache: Force caching time</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Force caching of 200, 301 and 302 responses according to the request methods enabled for caching. Given in minutes; leave empty to rely on request/response headers from client and upstream.</help>
+  </field>
   <field>
     <id>location.cache_background_update</id>
     <label>Cache: Background Update</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 7c0e82167e..22f15d3ff0 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -349,6 +349,9 @@
         <Required>Y</Required>
         <default>1</default>
       </cache_min_uses>
+      <cache_valid type="IntegerField">
+        <Required>N</Required>
+      </cache_valid>
       <cache_background_update type="BooleanField">
         <Required>Y</Required>
         <default>0</default>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 80f2d3b022..9f9b576038 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -142,6 +142,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     proxy_cache {{ location.cache_path.replace('-', '') }};
 {%   if location.cache_use_stale is defined and location.cache_use_stale != '' %}
     proxy_cache_use_stale  {{ location.cache_use_stale.replace(',', ' ') }};
+{%   endif %}
+{%   if location.cache_valid is defined and location.cache_valid != '' %}
+    proxy_cache_valid  {{ location.cache_valid }}m;
 {%   endif %}
     proxy_cache_min_uses {{ location.cache_min_uses|default('1') }};
     proxy_cache_background_update {% if location.cache_background_update is defined and location.cache_background_update == '1' %}on{% else %}off{% endif %};

From 305af347b831d068dc6ee7b8eb1e2489afb5560b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Jan 2025 09:25:51 +0100
Subject: [PATCH 2312/3088] www/nginx: bump revision

---
 www/nginx/Makefile  | 2 +-
 www/nginx/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 9da0cf1123..0b7db7007c 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 35f74a4e09..464215e465 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 * Remove obsolete http2_push_preload directive
 * Migrate from the deprecated 'listen … http2' directive to the 'http2' directive
 * Limit CSP log file size (migration notice: if you want to keep CSP violations logged, you will need to enable logging in the security policy)
+* Add basic support for forced caching (contributed by Eirik Øverby)
 
 1.33
 

From 104fc7a12fcc4d262acb0dfa0e365e6aa0d0751e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 21 Jan 2025 16:30:08 +0100
Subject: [PATCH 2313/3088] net/relayd - regression in controller refactor
 (https://github.com/opnsense/core/issues/6389).

As StatusController->toggleAction creates an instance of ServiceController, it needs to pass $request in order to check for isPost().
---
 .../app/controllers/OPNsense/Relayd/Api/StatusController.php  | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
index 40c1a3134f..d2a8b0d5de 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/StatusController.php
@@ -224,7 +224,9 @@ public function toggleAction($nodeType = null, $id = null, $action = null)
                 $relaydMdl->serializeToConfig();
                 Config::getInstance()->save();
                 // invoke service controller
-                return (new ServiceController())->reconfigureAction();
+                $srv = new ServiceController();
+                $srv->request = $this->request;
+                return $srv->reconfigureAction();
             }
         }
         return $result;

From 600b364b1174c127e01a167d9769725eaf7442ab Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Jan 2025 08:25:49 +0100
Subject: [PATCH 2314/3088] net/relayd: bump revision

---
 net/relayd/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index bb65570d65..9abfcd2221 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.9
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From 2b17488006fa02fd238fbb9b0bb721cc1a9bd2e1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Jan 2025 09:25:21 +0100
Subject: [PATCH 2315/3088] plugins: switch to 25.1 as the default

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index f6a2908623..cb5cc80e97 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -45,7 +45,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	24.7
+PLUGIN_ABI?=	25.1
 .endif
 
 PLUGIN_MAINS=	master main

From c9a9f1c02786256c04bb4814553d52a98ee2dc82 Mon Sep 17 00:00:00 2001
From: Yann Bayart <yannbayart@MacBook-Pro-de-Yann.local>
Date: Wed, 22 Jan 2025 12:05:12 +0100
Subject: [PATCH 2316/3088] Add support for Scaleway DNS challenge

---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsScaleway.php   | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsScaleway.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 702aa67c94..b0f4e09a2a 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1924,4 +1924,14 @@
         <label>Token</label>
         <type>password</type>
     </field>
+    <field>
+        <label>scaleway</label>
+        <type>header</type>
+        <style>table_dns table_dns_scaleway</style>
+    </field>
+    <field>
+        <id>validation.dns_scaleway_token</id>
+        <label>API Key</label>
+        <type>text</type>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsScaleway.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsScaleway.php
new file mode 100644
index 0000000000..22f237ac99
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsScaleway.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Yann Bayart
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * scaleway DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsScaleway extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['SCALEWAY_API_TOKEN'] = (string)$this->config->dns_scaleway_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index ab94015e5e..571de00bc7 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -513,6 +513,7 @@
                         <dns_rackspace>Rackspace</dns_rackspace>
                         <dns_rage4>rage4</dns_rage4>
                         <dns_regru>RegRu</dns_regru>
+                        <dns_scaleway>Scaleway</dns_scaleway>
                         <dns_schlundtech>SchlundTech</dns_schlundtech>
                         <dns_selectel>selectel.com / selectel.ru</dns_selectel>
                         <dns_selfhost>Selfhost</dns_selfhost>
@@ -1307,6 +1308,9 @@
                 <dns_rage4_user type="TextField">
                     <Required>N</Required>
                 </dns_rage4_user>
+                <dns_scaleway_token type="TextField">
+                    <Required>N</Required>
+                </dns_scaleway_token>
             </validation>
         </validations>
         <actions>

From 8606b3572dfb3b1ba11c63fe6c69e6cded472c29 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Thu, 23 Jan 2025 07:36:46 +0000
Subject: [PATCH 2317/3088] dns/ddclient: Add support for altering IPv6
 addresses in ddclient plugin (#4497)

* Add support for altering IPv6 addresses in ddclient plugin

* Refactoring of checkip

* dns/ddclient - minor cleanups for https://github.com/opnsense/plugins/pull/4491

* simplify network / host concat a bit
* add try...except for the curl fetch in case the other end doesn't return a valid address
* extend form help text for "Dynamic ipv6 host" a bit

---------

Co-authored-by: SaarLAN-Pissbeutel <183202051+SaarLAN-Pissbeutel@users.noreply.github.com>
Co-authored-by: Marc Philippi <mphilippi@t-online.de>
---
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |  7 +++++
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  5 +++
 .../scripts/ddclient/lib/account/__init__.py  |  3 +-
 .../opnsense/scripts/ddclient/lib/address.py  | 31 ++++++++++++++++---
 .../templates/OPNsense/ddclient/ddclient.json |  1 +
 5 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index b47b38ddac..eb0fb768e4 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -91,6 +91,13 @@
         <label>Interface to monitor</label>
         <type>dropdown</type>
     </field>
+    <field>
+        <id>account.dynipv6host</id>
+        <label>Dynamic ipv6 host</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Swap the interface identifier of the ipv6 address with the given partial ipv6 address (the least significant 64 bits of the address)</help>
+    </field>
     <field>
         <id>account.checkip_timeout</id>
         <label>Check ip timeout</label>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 0888c87ace..600e17517b 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -165,6 +165,11 @@
                         </check001>
                     </Constraints>
                 </checkip>
+                <dynipv6host type="TextField">
+                    <Required>N</Required>
+                    <mask>/^::(([0-9a-fA-F]{1,4}:){0,3}[0-9a-fA-F]{1,4})?$/u</mask>
+                    <ValidationMessage>Entry is not a valid partial ipv6 address definition (e.g. ::1000).</ValidationMessage>
+                </dynipv6host>
                 <checkip_timeout type="IntegerField">
                     <Default>10</Default>
                     <Required>Y</Required>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
index 4c3716b95e..7b600eb579 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
@@ -118,7 +118,8 @@ def execute(self):
             service = self.settings.get('checkip'),
             proto = 'https' if self.settings.get('force_ssl', False) else 'http',
             timeout = str(self.settings.get('checkip_timeout', '10')),
-            interface = self.settings['interface'] if self.settings.get('interface' ,'').strip() != '' else None
+            interface = self.settings['interface'] if self.settings.get('interface' ,'').strip() != '' else None,
+            dynipv6host = self.settings['dynipv6host'] if self.settings.get('dynipv6host' ,'').strip() != '' else None
         )
 
         if self._current_address == None:
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index 5618d9aeb6..d1dc1c6ab1 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -1,5 +1,5 @@
 """
-    Copyright (c) 2022-2023 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2022-2025 Ad Schellevis <ad@opnsense.org>
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -67,11 +67,29 @@ def extract_address(host, txt):
     return ""
 
 
-def checkip(service, proto='https', timeout='10', interface=None):
+def transform_ip(ip, ipv6host=None):
+    """ Changes ipv6 addresses if interface identifier is given
+        :param ip: ip address
+        :param ipv6host: 64 bit interface identifier
+        :return ipaddress.IPv4Address|ipaddress.IPv6Address
+        :raises ValueError: If the input can not be converted to an IPaddress
+    """
+    if ipv6host and ip.find(':') > 0:
+        # extract 64 bit long prefix and add ipv6host [64]bits
+        return ipaddress.ip_address(
+            ipaddress.ip_network("%s/64" % ip, strict=False).network_address.exploded[0:19] +
+            ipaddress.ip_address(ipv6host).exploded[19:]
+        )
+    else:
+        return ipaddress.ip_address(ip)
+
+
+def checkip(service, proto='https', timeout='10', interface=None, dynipv6host=None):
     """ find ip address using external services defined in checkip_service_list
         :param proto: protocol
         :param timeout: timeout in seconds
         :param interface: bind to interface
+        :param dynipv6host: optional partial ipv6 address
         :return: str
     """
     if service.startswith('web_'):
@@ -84,8 +102,13 @@ def checkip(service, proto='https', timeout='10', interface=None):
             params.append(interface)
         url = checkip_service_list[service] % proto
         params.append(url)
-        return extract_address(urlparse(url).hostname,
+        extracted_address = extract_address(urlparse(url).hostname,
             subprocess.run(params, capture_output=True, text=True).stdout)
+        try:
+            return str(transform_ip(extracted_address, dynipv6host))
+        except ValueError:
+            # invalid address
+            return ""
     elif service in ['if', 'if6'] and interface is not None:
         # return first non private IPv[4|6] interface address
         ifcfg = subprocess.run(['/sbin/ifconfig', interface], capture_output=True, text=True).stdout
@@ -94,7 +117,7 @@ def checkip(service, proto='https', timeout='10', interface=None):
                 parts = line.split()
                 if (parts[0] == 'inet' and service == 'if') or (parts[0] == 'inet6' and service == 'if6'):
                     try:
-                        address = ipaddress.ip_address(parts[1])
+                        address = transform_ip(parts[1], dynipv6host)
                         if address.is_global:
                             return str(address)
                     except ValueError:
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
index 79cf6fbbd1..4a2cc7a852 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.json
@@ -22,6 +22,7 @@
             "zone": "{{ account.zone }}",
             "checkip": "{{ account.checkip }}",
             "interface": "{% if account.interface %}{{physical_interface(account.interface)}}{% endif %}",
+            "dynipv6host": "{{ account.dynipv6host }}",
             "checkip_timeout": {{ account.checkip_timeout }},
             "force_ssl": {{ "true" if account.force_ssl == '1' else "false"}},
             "ttl": "{{ account.ttl }}",

From 97e87d12902cfc536fc4103b7337154bfc3feba5 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Thu, 23 Jan 2025 09:01:36 +0000
Subject: [PATCH 2318/3088] www/caddy: Adjust status banner for
 https://github.com/opnsense/core/commit/cfdd2749794c1. Address some former
 feedback at same time.

---
 .../OPNsense/System/Status/CaddyOverrideStatus.php       | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
index 742adbac12..0acbacf7b3 100644
--- a/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
+++ b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
@@ -45,9 +45,14 @@ public function __construct()
             '/ui/caddy/reverse_proxy',
             '/ui/caddy/general'
         ];
+    }
 
-        if (count(glob('/usr/local/etc/caddy/caddy.d/*.*'))) {
-            $this->internalMessage = gettext('Custom configuration imports exist in "/usr/local/etc/caddy/caddy.d/".');
+    public function collectStatus()
+    {
+        if (count(glob('/usr/local/etc/caddy/caddy.d/*'))) {
+            $this->internalMessage = gettext(
+                'The configuration contains manual overwrites, these may interfere with the settings configured here.'
+            );
             $this->internalStatus = SystemStatusCode::NOTICE;
         }
     }

From c206ed2c00de56cadf9a06b638257d5e120b26c3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 23 Jan 2025 10:09:51 +0100
Subject: [PATCH 2319/3088] www/caddy: revision to force reinstall

---
 www/caddy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index ebfe26f13d..d876e47e50 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.8.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com

From 3cec3a107188496e45bbf79c1e50b66c2833522e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20=F0=9F=A6=84?=
 <43847817+codiflow@users.noreply.github.com>
Date: Thu, 23 Jan 2025 23:39:36 +0100
Subject: [PATCH 2320/3088] Fixing non-existing path

---
 .../opnsense/service/templates/OPNsense/Maltrail/maltrail.conf  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
index fcd0dd1026..33a2170c48 100644
--- a/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
+++ b/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf
@@ -36,7 +36,7 @@ SYSLOG_SERVER {{ OPNsense.maltrail.sensor.syslogserver }}:{{ OPNsense.maltrail.s
 {% endif %}
 
 SENSOR_NAME $HOSTNAME
-CUSTOM_TRAILS_DIR /usr/local/maltrail/trails/custom/
+CUSTOM_TRAILS_DIR /usr/local/share/maltrail/trails/custom/
 PROCESS_COUNT $CPU_CORES
 DISABLE_CPU_AFFINITY false
 USE_FEED_UPDATES true

From 7745e63d0f43813ed74ef0a40a4f24728ee6bc81 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 24 Jan 2025 09:47:17 +0100
Subject: [PATCH 2321/3088] www/caddy: Add copy_headers selectpicker to Auth
 Provider tab. Authorization header added. (#4496)

---
 www/caddy/Makefile                            |  3 +--
 www/caddy/pkg-descr                           |  6 ++++++
 .../OPNsense/Caddy/forms/general.xml          |  7 +++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 21 +++++++++++++++++++
 .../OPNsense/Caddy/includeAuthProvider        | 12 +++++++++--
 5 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index d876e47e50..0a03f12848 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.8.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.8.1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 716a22aa4c..c9583ba431 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,12 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.8.1
+
+* Add: Optional "Authorization" header to forward_auth (opnsense/plugins/issues/4488)
+* Add: Persistent banner notification if custom imports are used (opnsense/plugins/issues/4244)
+* Cleanup: Implement reusable grid template in views (opnsense/plugins/pull/4454)
+
 1.8.0
 
 * Build: Update Caddy to version 2.9.x and update dependencies (opnsense/plugins/issues/4437)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 60d604eaf9..ca6b843ecf 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -227,6 +227,13 @@
             <type>text</type>
             <help><![CDATA[Enter the URI of the authz api endpoint.]]></help>
         </field>
+        <field>
+            <id>caddy.general.AuthCopyHeaders</id>
+            <label>Copy Headers</label>
+            <type>select_multiple</type>
+            <style>selectpicker</style>
+            <help><![CDATA[If nothing is selected, the correct default headers for the chosen provider will be used. If you change the default, you must select the required headers manually. "copy_headers" is a list of HTTP header fields to copy from the response to the original request, when the request has a success status code.]]></help>
+        </field>
     </tab>
     <activetab>general-settings</activetab>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 70f09cc376..49bd641f35 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -167,6 +167,27 @@
                 <Mask>/^(\/.*)?$/u</Mask>
                 <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
             </AuthToUri>
+            <AuthCopyHeaders type="OptionField">
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <Authorization>Authorization</Authorization>
+                    <Remote-User>Remote-User</Remote-User>
+                    <Remote-Groups>Remote-Groups</Remote-Groups>
+                    <Remote-Name>Remote-Name</Remote-Name>
+                    <Remote-Email>Remote-Email</Remote-Email>
+                    <X-Authentik-Username>X-Authentik-Username</X-Authentik-Username>
+                    <X-Authentik-Groups>X-Authentik-Groups</X-Authentik-Groups>
+                    <X-Authentik-Email>X-Authentik-Email</X-Authentik-Email>
+                    <X-Authentik-Name>X-Authentik-Name</X-Authentik-Name>
+                    <X-Authentik-Uid>X-Authentik-Uid</X-Authentik-Uid>
+                    <X-Authentik-Jwt>X-Authentik-Jwt</X-Authentik-Jwt>
+                    <X-Authentik-Meta-Jwks>X-Authentik-Meta-Jwks</X-Authentik-Meta-Jwks>
+                    <X-Authentik-Meta-Outpost>X-Authentik-Meta-Outpost</X-Authentik-Meta-Outpost>
+                    <X-Authentik-Meta-Provider>X-Authentik-Meta-Provider</X-Authentik-Meta-Provider>
+                    <X-Authentik-Meta-App>X-Authentik-Meta-App</X-Authentik-Meta-App>
+                    <X-Authentik-Meta-Version>X-Authentik-Meta-Version</X-Authentik-Meta-Version>
+                </OptionValues>
+            </AuthCopyHeaders>
         </general>
         <reverseproxy>
             <reverse type="ArrayField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
index 8dd207f85e..f179fc845f 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
@@ -12,7 +12,11 @@
     {% if generalSettings.AuthToUri %}
         uri {{ generalSettings.AuthToUri|default("") }}
     {% endif %}
-    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    {% if generalSettings.AuthCopyHeaders|default("") == "" %}
+        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    {% else %}
+        copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
+    {% endif %}
     }
 {% elif generalSettings.AuthProvider == 'authentik' %}
     reverse_proxy /outpost.goauthentik.io/* {{ auth_url }} {
@@ -24,6 +28,10 @@
     {% if generalSettings.AuthToUri %}
         uri {{ generalSettings.AuthToUri|default("") }}
     {% endif %}
-    copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    {% if generalSettings.AuthCopyHeaders|default("") == "" %}
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+    {% else %}
+       copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
+    {% endif %}
     }
 {% endif %}

From 9c87fed72814fa6e1824792cde6baf783bbdd0f9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Jan 2025 09:53:52 +0100
Subject: [PATCH 2322/3088] security/maltrail: bump revision

---
 security/maltrail/Makefile  | 1 +
 security/maltrail/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/security/maltrail/Makefile b/security/maltrail/Makefile
index c13f207fed..5fe41603d0 100644
--- a/security/maltrail/Makefile
+++ b/security/maltrail/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		maltrail
 PLUGIN_VERSION=		1.10
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Malicious traffic detection system
 PLUGIN_DEPENDS=		maltrail
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index 42506909e9..69ad13f616 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -14,6 +14,7 @@ Changelog
 1.10
 
 * Add CHECK_HOST_DOMAINS option
+* Fix CUSTOM_TRAILS_DIR (contributed by codiflow)
 
 1.9
 

From 57a224a3cd4ac799dc3dd14d1a93c48f5f1be42f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Jan 2025 09:57:39 +0100
Subject: [PATCH 2323/3088] dns/ddclient: lazy bump

---
 dns/ddclient/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index d61c418102..f52ee87b02 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.26
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 7a7a3138a3170fc9a70d95ee9ae6f383eb2a0644 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 24 Jan 2025 09:59:18 +0100
Subject: [PATCH 2324/3088] plugins: add reset target

---
 Mk/defaults.mk | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index cb5cc80e97..9cf73ce3a6 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2016-2024 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2016-2025 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -161,3 +161,8 @@ push:
 	@git checkout ${PLUGIN_STABLE}
 	@git push
 	@git checkout ${PLUGIN_MAIN}
+
+reset:
+	@git checkout ${PLUGIN_STABLE}
+	@git reset --hard HEAD~1
+	@git checkout ${PLUGIN_MAIN}

From f45767b6a6dd476b4f262b2bd5734deae8fbcc98 Mon Sep 17 00:00:00 2001
From: Ben Smithurst <low.dusk0860@hdme.uk>
Date: Mon, 27 Jan 2025 15:33:29 +0000
Subject: [PATCH 2325/3088] security/tailscale: make login timeout (tailscale
 up --timeout parameter) configurable (#4490)

---
 .../controllers/OPNsense/Tailscale/forms/settings.xml    | 9 ++++++++-
 .../mvc/app/models/OPNsense/Tailscale/Settings.xml       | 4 ++++
 .../service/templates/OPNsense/Tailscale/rc.conf.d       | 1 +
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index 38d929de3b..e2e14c1025 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -5,10 +5,17 @@
         <type>checkbox</type>
         <help>This will activate the Tailscale service.</help>
     </field>
+    <field>
+        <id>settings.loginTimeout</id>
+        <label>Login timeout</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Maximum time to wait for successful login, in seconds. Set to 0 to wait indefinitely, however this may prevent OPNsense booting completely if the Tailscale control plane is unavailable. Default is 10 seconds.</help>
+    </field>
     <field>
         <id>settings.listenPort</id>
         <label>Listen Port</label>
-	<type>text</type>
+        <type>text</type>
         <help>UDP port to listen on for WireGuard and peer-to-peer traffic.</help>
     </field>
     <field>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index e23c5d4a67..82bd86a962 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -6,6 +6,10 @@
             <default>0</default>
             <Required>Y</Required>
         </enabled>
+        <loginTimeout type="IntegerField">
+            <default>10</default>
+            <Required>Y</Required>
+        </loginTimeout>
         <listenPort type="PortField">
             <default>41641</default>
             <Required>Y</Required>
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 500a34c52a..6d16323045 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -10,6 +10,7 @@ tailscaled_enable="YES"
 tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    endif %}
 {%    set up_args = [] %}
+{%      do up_args.append("--timeout=" + OPNsense.tailscale.settings.loginTimeout + "s") %}
 {%    if helpers.exists('OPNsense.tailscale.settings.advertiseExitNode') and OPNsense.tailscale.settings.advertiseExitNode|default("0") == "1" %}
 {%      do up_args.append("--advertise-exit-node") %}
 {%    else %}

From 4dce2f33d91660dd218bd4c2d34e53ca4266fd51 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Jan 2025 16:34:42 +0100
Subject: [PATCH 2326/3088] security/tailscale: add a version (and bump it)

---
 .../src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index 82bd86a962..2ca43451b3 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -1,6 +1,7 @@
 <model>
     <mount>//OPNsense/tailscale/settings</mount>
     <description>Tailscale general settings</description>
+    <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>

From 068f22ce541fc010ef96405434c1689295dc08b1 Mon Sep 17 00:00:00 2001
From: Ben Smithurst <low.dusk0860@hdme.uk>
Date: Mon, 27 Jan 2025 15:39:36 +0000
Subject: [PATCH 2327/3088] security/tailscale: Allow use of an exit node
 (#4438)

---
 .../OPNsense/Tailscale/forms/settings.xml     |  6 ++++
 .../Tailscale/FieldTypes/ExitNodeField.php    | 31 +++++++++++++++++++
 .../models/OPNsense/Tailscale/Settings.xml    |  1 +
 .../views/OPNsense/Tailscale/settings.volt    |  1 +
 .../app/views/OPNsense/Tailscale/status.volt  | 10 ++++++
 .../templates/OPNsense/Tailscale/rc.conf.d    |  3 ++
 6 files changed, 52 insertions(+)
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php

diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index e2e14c1025..4cdef72dcd 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -30,6 +30,12 @@
         <type>checkbox</type>
         <help>Offer to be an exit node for outbound internet traffic from the Tailscale network.</help>
     </field>
+    <field>
+        <id>settings.useExitNode</id>
+        <label>Use Exit Node</label>
+        <type>dropdown</type>
+        <help>Route traffic to the specified exit node. Note that this only affects traffic routed into your Tailscale interface, which you will have to configure separately using firewall rules and hybrid outbound NAT rules.</help>
+    </field>
     <field>
         <id>settings.acceptSubnetRoutes</id>
         <label>Accept Subnet Routes</label>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php
new file mode 100644
index 0000000000..f886f60699
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace OPNsense\Tailscale\FieldTypes;
+
+use OPNsense\Base\FieldTypes\BaseListField;
+use OPNsense\Core\Backend;
+
+class ExitNodeField extends BaseListField
+{
+    private static array $internalCacheOptionList = [];
+    protected $internalIsContainer = false;
+
+    protected function actionPostLoadingEvent()
+    {
+        if (empty(self::$internalCacheOptionList)) {
+            $response = json_decode(trim((new Backend())->configdRun('tailscale tailscale-status')), true);
+            $exitNodes = ['' => gettext('None')];
+
+            if (is_array($response) && array_key_exists('Peer', $response) && is_array($response['Peer'])) {
+                foreach ($response['Peer'] as $peer) {
+                    if ($peer['ExitNodeOption']) {
+                        $exitNodes[$peer['TailscaleIPs'][0]] = $peer['HostName'];
+                    }
+                }
+            }
+
+            self::$internalCacheOptionList = $exitNodes;
+        }
+        $this->internalOptionList = self::$internalCacheOptionList;
+    }
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index 2ca43451b3..e6d8f962eb 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -23,6 +23,7 @@
             <default>0</default>
             <Required>Y</Required>
         </advertiseExitNode>
+        <useExitNode type=".\ExitNodeField"/>
         <acceptSubnetRoutes type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
index aee1bd69f8..e5141b0fcd 100644
--- a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
@@ -1,6 +1,7 @@
 <script type="text/javascript">
     $( document ).ready(function() {
         mapDataToFormUI({'frmSettings':"/api/tailscale/settings/get"}).done(function(data) {
+            $('.selectpicker').selectpicker('refresh');
             updateServiceControlUI('tailscale');
         });
 
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
index 3ff2c208ba..6366063229 100644
--- a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
@@ -76,6 +76,16 @@
                                 return true;
                             }
 
+                            if (key == 'ExitNodeStatus') {
+                                var newValue = value.TailscaleIPs[0];
+                                if (value.Online) {
+                                    newValue += ' (online)';
+                                } else {
+                                    newValue += ' (offline)';
+                                }
+                                value = newValue;
+                            }
+
                             $('#statusList > tbody').append('<tr><td>' + key + '</td>' +
                             '<td>' + value + '</td></tr>');
                         });
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 6d16323045..18f4fe2a78 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -16,6 +16,9 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    else %}
 {%      do up_args.append("--advertise-exit-node=false") %}
 {%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.settings.useExitNode') %}
+{%      do up_args.append("--exit-node=" + OPNsense.tailscale.settings.useExitNode) %}
+{%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.settings.acceptSubnetRoutes') and OPNsense.tailscale.settings.acceptSubnetRoutes|default("0") == "1" %}
 {%      do up_args.append("--accept-routes") %}
 {%    else %}

From d17828a2ced2f959e17d866b2d0bce3ef5c23f6e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Jan 2025 16:43:21 +0100
Subject: [PATCH 2328/3088] security/tailscale: the default seems 0.0.0 so we
 can use 1.0.0

---
 .../src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index e6d8f962eb..03e8526f13 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/tailscale/settings</mount>
     <description>Tailscale general settings</description>
-    <version>1.0.1</version>
+    <version>1.0.0</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>

From 327982fa0b5f2a115f2c332ac70243dee2e3a301 Mon Sep 17 00:00:00 2001
From: Sam Sheridan <sheridans@users.noreply.github.com>
Date: Mon, 27 Jan 2025 15:44:53 +0000
Subject: [PATCH 2329/3088] security/tailscale Add option to allow tailscale to
 manage ssh connections (#4493)

---
 security/tailscale/Makefile                        |  2 +-
 security/tailscale/pkg-descr                       |  8 ++++++++
 .../OPNsense/Tailscale/forms/settings.xml          | 14 ++++++++++++++
 .../mvc/app/models/OPNsense/Tailscale/Settings.xml |  8 ++++++++
 .../service/templates/OPNsense/Tailscale/rc.conf.d | 10 ++++++++--
 .../src/opnsense/www/js/widgets/Tailscale.js       |  2 +-
 6 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index f762919fb0..ed1eeaebb6 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tailscale
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS=		tailscale
 PLUGIN_MAINTAINER=	sam@sheridan.uk
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 8fe3c0cebc..0ab315c61b 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -6,6 +6,14 @@ https://tailscale.com/
 Plugin Changelog
 ================
 
+1.2
+
+* add option to allow Tailscale to manage SSH connections
+* add option to disable SNAT routing (experimental)
+* fix dashboard widget always showing exit node as no
+* add login timeout (10s default) for when login server is unavailable
+  causing OPNsense to hang on boot (added by Ben Smithurst)
+
 1.1
 
 * add dashboard widget
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index 4cdef72dcd..0b31a18351 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -42,4 +42,18 @@
         <type>checkbox</type>
         <help>Accept subnet routes that other nodes advertise.</help>
     </field>
+    <field>
+        <id>settings.enableSSH</id>
+        <label>Enable SSH</label>
+        <advanced>true</advanced>
+        <type>checkbox</type>
+        <help>Allow Tailscale to manage SSH connections in your tailnet.</help>
+    </field>
+    <field>
+        <id>settings.disableSNAT</id>
+        <label>Disable SNAT</label>
+        <advanced>true</advanced>
+        <type>checkbox</type>
+        <help>Disable source NAT to disable subnet routing (experimental).</help>
+    </field>
 </form>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index 03e8526f13..39975013b2 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -28,6 +28,14 @@
             <default>0</default>
             <Required>Y</Required>
         </acceptSubnetRoutes>
+        <enableSSH type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enableSSH>
+        <disableSNAT type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </disableSNAT>
         <subnets>
             <subnet4 type="ArrayField">
                 <subnet type="NetworkField">
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 18f4fe2a78..e8e9e63938 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -3,9 +3,10 @@
 #
 {%  if not helpers.empty('OPNsense.tailscale.settings.enabled')  %}
 tailscaled_enable="YES"
-# Uncommenting the below breaks being able to access subnets
+{%    if helpers.exists('OPNsense.tailscale.settings.disableSNAT') and OPNsense.tailscale.settings.disableSNAT|default("0") == "1" %}
 # see - https://github.com/tailscale/tailscale/issues/5573#issuecomment-1584695981
-# tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+{%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.settings.listenPort') %}
 tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    endif %}
@@ -29,6 +30,11 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    else %}
 {%      do up_args.append("--accept-dns=false") %}
 {%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.settings.enableSSH') and OPNsense.tailscale.settings.enableSSH|default("0") == "1" %}
+{%      do up_args.append("--ssh=true") %}
+{%    else %}
+{%      do up_args.append("--ssh=false") %}
+{%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.authentication.loginServer') %}
 {%      do up_args.append("--login-server=" + OPNsense.tailscale.authentication.loginServer) %}
 {%    endif %}
diff --git a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
index f81dccbdb9..c6fd214a68 100644
--- a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
+++ b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
@@ -78,7 +78,7 @@ export default class Tailscale extends BaseTableWidget {
         result['online'] = (data.Self.Online === true) ?
           this.translations.yes : this.translations.no;
 
-        result['exitNode'] = (data.Self.ExitNode === true) ?
+        result['exitNode'] = (data.Self.ExitNodeOption === true) ?
           this.translations.yes : this.translations.no;
 
         result['peerCount'] = Object.keys(data.Peer).length;

From 232fd8b20ca16e1c5a6d8b08a20827fcfb3a22f0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Jan 2025 16:46:29 +0100
Subject: [PATCH 2330/3088] security/tailscale: change changelog

---
 security/tailscale/pkg-descr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 0ab315c61b..54639ddb97 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -10,9 +10,9 @@ Plugin Changelog
 
 * add option to allow Tailscale to manage SSH connections
 * add option to disable SNAT routing (experimental)
+* add login timeout (10s default) for when login server is unavailable causing OPNsense to hang on boot (contributed by Ben Smithurst)
+* add exit node option (contributed by Ben Smithurst)
 * fix dashboard widget always showing exit node as no
-* add login timeout (10s default) for when login server is unavailable
-  causing OPNsense to hang on boot (added by Ben Smithurst)
 
 1.1
 

From a4f74d021012aacbbeed8282ef6f59960be24b45 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Jan 2025 08:07:40 +0100
Subject: [PATCH 2331/3088] LICENSE: sync

---
 LICENSE | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index 5264977a0a..baf0a1005e 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,5 +1,5 @@
 Copyright (c) 2023 A. Kulikov <kulikov.a@gmail.com>
-Copyright (c) 2015-2024 Ad Schellevis <ad@opnsense.org>
+Copyright (c) 2015-2025 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2024 Alex Smith
 Copyright (c) 2021 Alexander Noack
@@ -24,7 +24,7 @@ Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2024 Francisco Dimattia <info@tecnoservicio.com.ar>
-Copyright (c) 2014-2024 Franco Fichtner <franco@opnsense.org>
+Copyright (c) 2014-2025 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2025 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2023 Greg Glockner <greg@glockners.net>

From f37654a3464123f491ca7f8590baeb76374b4c6c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 28 Jan 2025 09:24:34 +0100
Subject: [PATCH 2332/3088] net/frr: Integrate
 layout_partials/base_bootgrid_table (#4494)

* net/frr: ospf.volt - Integrate layout_partials/base_bootgrid_table

* net/frr: ospf6.volt - Integrate layout_partials/base_bootgrid_table

* net/frr: bgp.volt - Integrate layout_partials/base_bootgrid_table

* net/frr: bfd.volt - Integrate layout_partials/base_bootgrid_table

* net/frr: static.volt - Integrate layout_partials/base_bootgrid_table, fix whitespace

* net/frr: Fix a few inconsistencies in the labels and visible grid columns

* net/frr: First batch of new help texts, removed some hints since they are replaced by the proper help texts.

* net/frr: Second batch of new help texts.

* net/frr: Remove non operational ISIS leftovers.
---
 .../OPNsense/Quagga/BfdController.php         |   3 +
 .../OPNsense/Quagga/BgpController.php         |  13 ++
 .../OPNsense/Quagga/IsisController.php        |  38 ----
 .../OPNsense/Quagga/Ospf6Controller.php       |   9 +
 .../OPNsense/Quagga/OspfController.php        |   9 +
 .../OPNsense/Quagga/StaticController.php      |   3 +
 .../controllers/OPNsense/Quagga/forms/bgp.xml |  17 +-
 .../Quagga/forms/dialogEditBFDNeighbor.xml    |  14 +-
 .../Quagga/forms/dialogEditBGPASPath.xml      |  12 +-
 .../forms/dialogEditBGPCommunityLists.xml     |  12 +-
 .../Quagga/forms/dialogEditBGPNeighbor.xml    | 141 +++++++++---
 .../Quagga/forms/dialogEditBGPPeergroups.xml  |  37 +++-
 .../Quagga/forms/dialogEditBGPPrefixLists.xml |  17 +-
 .../Quagga/forms/dialogEditBGPRouteMaps.xml   |  20 +-
 .../Quagga/forms/dialogEditOSPF6Interface.xml |  52 ++++-
 .../Quagga/forms/dialogEditOSPF6Network.xml   |  24 ++-
 .../forms/dialogEditOSPF6PrefixLists.xml      |  12 +-
 .../Quagga/forms/dialogEditOSPF6RouteMaps.xml |  12 +-
 .../Quagga/forms/dialogEditOSPFInterface.xml  |  60 +++++-
 .../Quagga/forms/dialogEditOSPFNetwork.xml    |  24 ++-
 .../forms/dialogEditOSPFPrefixLists.xml       |  12 +-
 .../Quagga/forms/dialogEditOSPFRouteMaps.xml  |  12 +-
 .../Quagga/forms/dialogEditSTATICRoute.xml    |   7 +-
 .../OPNsense/Quagga/forms/general.xml         |  12 +-
 .../OPNsense/Quagga/forms/isis.xml            |   8 -
 .../OPNsense/Quagga/forms/ospf.xml            |  29 ++-
 .../OPNsense/Quagga/forms/ospf6.xml           |  25 +--
 .../controllers/OPNsense/Quagga/forms/rip.xml |  10 +-
 .../OPNsense/Quagga/forms/static.xml          |   2 +-
 .../app/models/OPNsense/Quagga/Menu/Menu.xml  |   1 -
 .../mvc/app/views/OPNsense/Quagga/bfd.volt    |  32 +--
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    | 200 +++---------------
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 118 ++---------
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  | 133 ++----------
 .../mvc/app/views/OPNsense/Quagga/static.volt |  86 +++-----
 .../service/templates/OPNsense/Quagga/frr     |   3 +-
 36 files changed, 558 insertions(+), 661 deletions(-)
 delete mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/IsisController.php
 delete mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/isis.xml

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
index 93575aa03f..88d9582ba8 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
@@ -33,7 +33,10 @@ class BfdController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->bfdForm = $this->getForm("bfd");
+
         $this->view->formDialogEditBFDNeighbor = $this->getForm("dialogEditBFDNeighbor");
+        $this->view->formGridEditBFDNeighbor = $this->getFormGrid("dialogEditBFDNeighbor", null, "BFDChangeMessage");
+
         $this->view->pick('OPNsense/Quagga/bfd');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
index 0b34cfd6c2..b31579b66d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
@@ -33,12 +33,25 @@ class BgpController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->bgpForm = $this->getForm("bgp");
+
         $this->view->formDialogEditBGPNeighbor = $this->getForm("dialogEditBGPNeighbor");
+        $this->view->formGridEditBGPNeighbor = $this->getFormGrid("dialogEditBGPNeighbor", null, "BGPChangeMessage");
+
         $this->view->formDialogEditBGPASPaths = $this->getForm("dialogEditBGPASPath");
+        $this->view->formGridEditBGPASPaths = $this->getFormGrid("dialogEditBGPASPath", null, "BGPChangeMessage");
+
         $this->view->formDialogEditBGPPrefixLists = $this->getForm("dialogEditBGPPrefixLists");
+        $this->view->formGridEditBGPPrefixLists = $this->getFormGrid("dialogEditBGPPrefixLists", null, "BGPChangeMessage");
+
         $this->view->formDialogEditBGPCommunityLists = $this->getForm("dialogEditBGPCommunityLists");
+        $this->view->formGridEditBGPCommunityLists = $this->getFormGrid("dialogEditBGPCommunityLists", null, "BGPChangeMessage");
+
         $this->view->formDialogEditBGPRouteMaps = $this->getForm("dialogEditBGPRouteMaps");
+        $this->view->formGridEditBGPRouteMaps = $this->getFormGrid("dialogEditBGPRouteMaps", null, "BGPChangeMessage");
+
         $this->view->formDialogEditBGPPeergroups = $this->getForm("dialogEditBGPPeergroups");
+        $this->view->formGridEditBGPPeergroups = $this->getFormGrid("dialogEditBGPPeergroups", null, "BGPChangeMessage");
+
         $this->view->pick('OPNsense/Quagga/bgp');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/IsisController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/IsisController.php
deleted file mode 100644
index 873c88c9a4..0000000000
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/IsisController.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2017 Fabian Franz
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Quagga;
-
-class IsisController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->generalForm = $this->getForm("isis");
-        $this->view->pick('OPNsense/Quagga/isis');
-    }
-}
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
index f4863bedbe..785c3c8279 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
@@ -30,10 +30,19 @@ class Ospf6Controller extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->ospf6Form = $this->getForm("ospf6");
+
         $this->view->formDialogEditNetwork = $this->getForm("dialogEditOSPF6Network");
+        $this->view->formGridEditNetwork = $this->getFormGrid("dialogEditOSPF6Network", null, "OSPF6ChangeMessage");
+
         $this->view->formDialogEditInterface = $this->getForm("dialogEditOSPF6Interface");
+        $this->view->formGridEditInterface = $this->getFormGrid("dialogEditOSPF6Interface", null, "OSPF6ChangeMessage");
+
         $this->view->formDialogEditPrefixLists = $this->getForm("dialogEditOSPF6PrefixLists");
+        $this->view->formGridEditPrefixLists = $this->getFormGrid("dialogEditOSPF6PrefixLists", null, "OSPF6ChangeMessage");
+
         $this->view->formDialogEditRouteMaps = $this->getForm("dialogEditOSPF6RouteMaps");
+        $this->view->formGridEditRouteMaps = $this->getFormGrid("dialogEditOSPF6RouteMaps", null, "OSPF6ChangeMessage");
+
         $this->view->pick('OPNsense/Quagga/ospf6');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
index c240f4cf64..3cfb380e67 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
@@ -33,10 +33,19 @@ class OspfController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->generalForm = $this->getForm("ospf");
+
         $this->view->formDialogEditNetwork = $this->getForm("dialogEditOSPFNetwork");
+        $this->view->formGridEditNetwork = $this->getFormGrid("dialogEditOSPFNetwork", null, "OSPFChangeMessage");
+
         $this->view->formDialogEditInterface = $this->getForm("dialogEditOSPFInterface");
+        $this->view->formGridEditInterface = $this->getFormGrid("dialogEditOSPFInterface", null, "OSPFChangeMessage");
+
         $this->view->formDialogEditPrefixLists = $this->getForm("dialogEditOSPFPrefixLists");
+        $this->view->formGridEditPrefixLists = $this->getFormGrid("dialogEditOSPFPrefixLists", null, "OSPFChangeMessage");
+
         $this->view->formDialogEditRouteMaps = $this->getForm("dialogEditOSPFRouteMaps");
+        $this->view->formGridEditRouteMaps = $this->getFormGrid("dialogEditOSPFRouteMaps", null, "OSPFChangeMessage");
+
         $this->view->pick('OPNsense/Quagga/ospf');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
index a6888d4693..11990134d5 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
@@ -36,7 +36,10 @@ class StaticController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         $this->view->staticForm = $this->getForm("static");
+
         $this->view->formDialogEditSTATICRoute = $this->getForm("dialogEditSTATICRoute");
+        $this->view->formGridEditSTATICRoute = $this->getFormGrid("dialogEditSTATICRoute", null, "STATICChangeMessage");
+
         $this->view->pick('OPNsense/Quagga/static');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index 8cb5f97590..85e104b23f 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -3,34 +3,34 @@
         <id>bgp.enabled</id>
         <label>enable</label>
         <type>checkbox</type>
-        <help>This will activate the bgp service.</help>
+        <help>This will activate the BGP service.</help>
     </field>
     <field>
         <id>bgp.asnumber</id>
         <label>BGP AS Number</label>
         <type>text</type>
-        <help>Your AS Number here</help>
+        <help>Your AS Number here.</help>
     </field>
     <field>
         <id>bgp.distance</id>
         <label>BGP AD Distance</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>BGP routes usually have an administrative distance of 20. Here you can adjust these values, e.g. when you want to prefer OSPF learned routes.</help>
+        <help>Adjust BGP administrative distance, typically set to 20. Useful if you want to prefer OSPF-learned routes.</help>
     </field>
     <field>
         <id>bgp.routerid</id>
         <label>Router ID</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>In some cases it might be clearer to set a fixed router-id.</help>
+        <help>Optional fixed router ID for BGP.</help>
     </field>
     <field>
         <id>bgp.graceful</id>
         <label>Graceful Restart</label>
         <type>checkbox</type>
         <advanced>true</advanced>
-        <help>BGP graceful restart functionality as defined in RFC-4724 defines the mechanisms that allows BGP speaker to continue to forward data packets along known routes while the routing protocol information is being restored.</help>
+        <help>Enable BGP graceful restart as per RFC 4724, allowing packet forwarding during protocol restoration.</help>
     </field>
     <field>
         <id>bgp.networks</id>
@@ -38,7 +38,7 @@
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Defines which networks, which are connected to this router, will be advertised over BGP. To announce all defined networks, Network Import-Check can be disabled in advanced settings if required.</help>
+        <help>Defines connected networks to be advertised over BGP. Disable Network Import-Check to announce all networks.</help>
     </field>
     <field>
         <id>bgp.networkimportcheck</id>
@@ -51,13 +51,12 @@
         <id>bgp.logneighborchanges</id>
         <label>Log Neighbor Changes</label>
         <type>checkbox</type>
-        <help>This will activate exetended logging of BGP neighbor changes.</help>
+        <help>Enable extended logging of BGP neighbor changes.</help>
     </field>
     <field>
         <id>bgp.redistribute</id>
         <label>Route Redistribution</label>
         <type>select_multiple</type>
-        <help>Select other routing sources, which should be redistributed to the other nodes.</help>
-        <hint>Type or select a route source.</hint>
+        <help>Select routing sources to redistribute to other nodes.</help>
     </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
index 26780cc973..fbaeabcd7d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
@@ -3,6 +3,11 @@
     <id>neighbor.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.description</id>
@@ -20,9 +25,10 @@
     <id>neighbor.multihop</id>
     <label>Multihop</label>
     <type>checkbox</type>
-    <help>multihop tells the BFD daemon that we should expect packets with TTL less than 254
-    (because it will take more than one hop) and to listen on the multihop port (4784).
-    When using multi-hop mode echo-mode will not work (see RFC 5883 section 3).
-    </help>
+    <help>Multihop tells the BFD daemon that we should expect packets with TTL less than 254 (because it will take more than one hop) and to listen on the multihop port (4784). When using multi-hop mode echo-mode will not work (see RFC 5883 section 3).</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+    </grid_view>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
index 50fc88cc2e..03a97ba52a 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPASPath.xml
@@ -3,19 +3,23 @@
     <id>aspath.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
-    <help>If this AS-Path list should be enabled.</help>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>aspath.description</id>
     <label>Description</label>
     <type>text</type>
-    <help>Add an optional description for this AS-Path list.</help>
+    <help>Optional description for the AS-Path list.</help>
   </field>
   <field>
     <id>aspath.number</id>
     <label>Number</label>
     <type>text</type>
-    <help>The ACL rule number (0-4294967294); keep in mind that there are no sequence numbers with AS-Path lists. When you want to add a new line between you have to completely remove the ACL!</help>
+    <help>The ACL rule number (0-4294967294); keep in mind that there are no sequence numbers with AS-Path lists. When you want to add a new line between you have to completely remove the ACL.</help>
   </field>
   <field>
     <id>aspath.action</id>
@@ -27,6 +31,6 @@
     <id>aspath.as</id>
     <label>AS</label>
     <type>text</type>
-    <help>The AS pattern you want to match, regexp allowed (e.g. .$ or _1$). It's not validated so please be careful!</help>
+    <help>The AS pattern you want to match, regexp allowed (e.g. .$ or _1$).</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
index ad1e86dcb3..f8d3277fbe 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPCommunityLists.xml
@@ -3,19 +3,23 @@
     <id>communitylist.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
-    <help>Enable / Disable</help>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
     <field>
     <id>communitylist.description</id>
     <label>Description</label>
     <type>text</type>
-    <help>Add an optional description for this Community-List.</help>
+    <help>Optional description for the Community-List.</help>
   </field>
   <field>
     <id>communitylist.number</id>
     <label>Number</label>
     <type>text</type>
-    <help>Set the number of your Community-List. 1-99 are standard lists while 100-500 are expanded lists.</help>
+    <help>Community-List number (1-99 for standard, 100-500 for expanded).</help>
   </field>
   <field>
     <id>communitylist.seqnumber</id>
@@ -33,6 +37,6 @@
     <id>communitylist.community</id>
     <label>Community</label>
     <type>text</type>
-    <help>The community you want to match. You can also regex and it is not validated so please be careful.</help>
+    <help>Community pattern to match, with optional regex.</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 7b326faecf..9c2d176bef 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -3,176 +3,263 @@
     <id>neighbor.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.description</id>
     <label>Description</label>
     <type>text</type>
-    <help>Set an optional description for this neighbor.</help>
+    <help>Optional description for the neighbor.</help>
   </field>
   <field>
     <id>neighbor.address</id>
     <label>Peer-IP</label>
     <type>text</type>
-    <help>Specify the IP of your neighbor.</help>
+    <help>Specify the IP address of the BGP neighbor.</help>
   </field>
   <field>
     <id>neighbor.remoteas</id>
     <label>Remote AS</label>
     <type>text</type>
-    <help>Neighbor AS.</help>
+    <help>AS (Autonomous System) number of the neighbor, required for establishing a BGP session.</help>
   </field>
   <field>
     <id>neighbor.password</id>
     <label>BGP MD5 Password</label>
     <type>text</type>
     <advanced>true</advanced>
-    <help>Set a password for BGP authentication.</help>
+    <help>Password used for MD5 authentication of BGP connections to enhance security.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.weight</id>
     <label>Weight</label>
     <type>text</type>
     <advanced>true</advanced>
-    <help>Specify a default weight value for the neighbor’s routes.</help>
+    <help>Default weight for routes from this neighbor; higher weight increases path preference within the same AS.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.localip</id>
     <label>Local Initiater IP</label>
     <type>text</type>
     <advanced>true</advanced>
-    <help>Set the local IP connecting to the neighbor. This is only required for BGP authentication.</help>
+    <help>Specify the local IP address used to establish connections with the neighbor. Only relevant for MD5 authentication.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.updatesource</id>
     <label>Update-Source Interface</label>
     <type>dropdown</type>
-    <help><![CDATA[Physical name of the IPv4 interface facing the peer. Please refer to the <a href="http://docs.frrouting.org/en/stable-7.4/bgp.html#clicmd-[no]neighborPEERupdate-source%3CIFNAME|ADDRESS%3E">FRR documentation</a> for more information.]]></help>
+    <help>Interface (IPv4) where BGP sessions are sourced from, typically required when using loopback addresses.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.linklocalinterface</id>
     <label>IPv6 link-local interface</label>
     <type>dropdown</type>
     <advanced>true</advanced>
-    <help><![CDATA[Interface to use for IPv6 link-local neighbours. Please refer to the <a href="http://docs.frrouting.org/en/stable-7.4/bgp.html#clicmd-[no]neighborPEERinterfaceIFNAME">FRR documentation</a> for more information.]]></help>
+    <help>Interface for IPv6 link-local neighbors, used primarily for link-local IPv6 addressing.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.nexthopself</id>
     <label>Next-Hop-Self</label>
     <type>checkbox</type>
+    <help>Sets the local router as the next hop for routes advertised to the neighbor, commonly used in Route Reflector setups.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.nexthopselfall</id>
     <label>Next-Hop-Self All</label>
     <type>checkbox</type>
-    <help>Add the parameter "all" after next-hop-self command.</help>
+    <help>Extends Next-Hop-Self by applying the setting to all addresses, including multiple address families.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.multihop</id>
     <label>Multi-Hop</label>
-    <help>
-      Specifying ebgp-multihop allows sessions with eBGP neighbors to establish when they are multiple hops away.
-      When the neighbor is not directly connected and this knob is not enabled, the session will not establish.
-    </help>
+    <help>Enables connections to eBGP neighbors across multiple hops; often required for peering over loopback addresses.</help>
     <type>checkbox</type>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.multiprotocol</id>
     <label>Multi-Protocol</label>
     <type>checkbox</type>
     <advanced>true</advanced>
-    <help><![CDATA[Is this neighbour multiprotocol capable per <a href="https://datatracker.ietf.org/doc/html/rfc2283.html">RFC 2283</a>]]></help>
+    <help>Enables multiprotocol BGP for support of additional address families like IPv6.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.rrclient</id>
     <label>Route Reflector Client</label>
     <type>checkbox</type>
+    <help>Marks the neighbor as a client for a route reflector; used to reduce the number of full BGP mesh connections.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.soft_reconfiguration_inbound</id>
     <label>Soft reconfiguration inbound</label>
     <type>checkbox</type>
-    <help>This option allows changing policies without clearing the BGP session.</help>
+    <help>Allows policy changes without resetting the session by storing inbound updates.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.bfd</id>
     <label>BFD</label>
     <type>checkbox</type>
-    <help>You can enable BFD support for this neighbor.</help>
+    <help>Enable Bidirectional Forwarding Detection (BFD) for rapid link failure detection with the neighbor.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.keepalive</id>
     <label>Keepalive</label>
     <type>text</type>
     <advanced>true</advanced>
-    <help>Keepalive timer to check if the neighbor is still up. Default when unset is 60 seconds.</help>
+    <hint>60</hint>
+    <help>Sets the interval (default 60 seconds) between keepalive messages to check the neighbors availability.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.holddown</id>
     <label>Hold Down Time</label>
     <type>text</type>
     <advanced>true</advanced>
-    <help>The time in seconds when a neighbor is considered dead. This is usually 3 times the keeplive timer and when unset 180 seconds.</help>
+    <hint>180</hint>
+    <help>Time (default 180 seconds) before declaring a neighbor down if no keepalive messages are received.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.connecttimer</id>
     <label>Connect Timer</label>
     <type>text</type>
     <advanced>true</advanced>
-    <help>The time in seconds how fast a neighbor tries to reconnect.</help>
+    <help>Interval to attempt reconnecting with a neighbor after a disconnect.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.defaultoriginate</id>
     <label>Send Defaultroute</label>
     <type>checkbox</type>
+    <help>Sends a default route to the neighbor, useful in small AS environments where a full routing table is not necessary.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.asoverride</id>
     <label>Enable AS-Override</label>
     <type>checkbox</type>
-    <help>Override AS number of the originating router with the local AS number. This command is only allowed for eBGP peers.</help>
+    <help>Allows replacement of the neighbors AS with the local AS, common in eBGP confederations.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.disable_connected_check</id>
     <label>Disable Connected Check</label>
     <type>checkbox</type>
-    <help>Allow peerings between directly connected eBGP peers using loopback addresses.</help>
+    <help>Allows eBGP connections over loopback addresses by bypassing checks for direct connections.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.attributeunchanged</id>
     <label>Attribute Unchanged</label>
     <type>dropdown</type>
     <advanced>true</advanced>
-    <help><![CDATA[This specifies attributes to be left unchanged when sending advertisements to a peer. Read more at <a href="https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-PEER-attribute-unchanged-as-path-next-hop-med">FRR documentation</a>.]]></help>
+    <help>Keeps specified attributes (like MED, AS-Path, etc.) unchanged in updates to the neighbor.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>neighbor.linkedPrefixlistIn</id>
     <label>Prefix-List In</label>
     <type>dropdown</type>
-    <help>Prefix-List for inbound direction</help>
+    <help>Prefix list to filter inbound prefixes from this neighbor.</help>
   </field>
   <field>
     <id>neighbor.linkedPrefixlistOut</id>
     <label>Prefix-List Out</label>
     <type>dropdown</type>
-    <help>Prefix-List for outbound direction</help>
+    <help>Prefix list to filter outbound prefixes sent to this neighbor.</help>
   </field>
   <field>
     <id>neighbor.linkedRoutemapIn</id>
     <label>Route-Map In</label>
     <type>dropdown</type>
-    <help>Route-Map for inbound direction</help>
+    <help>Route-map to apply to routes received from this neighbor.</help>
   </field>
   <field>
     <id>neighbor.linkedRoutemapOut</id>
     <label>Route-Map Out</label>
     <type>dropdown</type>
-    <help>Route-Map for outbound direction</help>
+    <help>Route-map to apply to routes advertised to this neighbor.</help>
   </field>
   <field>
     <id>neighbor.peergroup</id>
     <label>Peer Group</label>
     <type>dropdown</type>
-    <help>Peer Group this neighbor belongs to.</help>
+    <help>Groups neighbors with similar configurations to simplify management.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
index ea19cf0c05..a42ece7628 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
@@ -3,57 +3,78 @@
     <id>peergroup.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>peergroup.name</id>
     <label>Name</label>
     <type>text</type>
-    <help>Specify the name of this peergroup.</help>
+    <help>Name of the peer group.</help>
   </field>
   <field>
     <id>peergroup.remoteas</id>
     <label>Remote AS</label>
     <type>text</type>
-    <help>Remote AS for tthis peergroup.</help>
+    <help>Remote AS for the peer group.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>peergroup.updatesource</id>
     <label>Update-Source Interface</label>
     <type>dropdown</type>
-    <help><![CDATA[Physical name of the IPv4 interface facing the peer. Please refer to the <a href="http://docs.frrouting.org/en/stable-7.4/bgp.html#clicmd-[no]neighborPEERupdate-source%3CIFNAME|ADDRESS%3E">FRR documentation</a> for more information.]]></help>
+    <help>Physical IPv4 interface facing the peer.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>peergroup.nexthopself</id>
     <label>Next-Hop-Self</label>
     <type>checkbox</type>
+    <help>Sets the local router as the next hop for routes advertised to the neighbor, commonly used in Route Reflector setups.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+    </grid_view>
   </field>
-    <field>
+  <field>
     <id>peergroup.defaultoriginate</id>
     <label>Send Defaultroute</label>
     <type>checkbox</type>
+    <help>Enable sending of default routes to the peer group.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+    </grid_view>
   </field>
   <field>
     <id>peergroup.linkedPrefixlistIn</id>
     <label>Prefix-List In</label>
     <type>dropdown</type>
-    <help>Prefix-List for inbound direction.</help>
+    <help>Prefix list to filter inbound prefixes from this neighbor.</help>
   </field>
   <field>
     <id>peergroup.linkedPrefixlistOut</id>
     <label>Prefix-List Out</label>
     <type>dropdown</type>
-    <help>Prefix-List for outbound direction.</help>
+    <help>Prefix list to filter outbound prefixes sent to this neighbor.</help>
   </field>
   <field>
     <id>peergroup.linkedRoutemapIn</id>
     <label>Route-Map In</label>
     <type>dropdown</type>
-    <help>Route-Map for inbound direction.</help>
+    <help>Route-map to apply to routes received from this neighbor.</help>
   </field>
   <field>
     <id>peergroup.linkedRoutemapOut</id>
     <label>Route-Map Out</label>
     <type>dropdown</type>
-    <help>Route-Map for outbound direction.</help>
+    <help>Route-map to apply to routes advertised to this neighbor.</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
index 2a7def2682..f72c12df45 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPrefixLists.xml
@@ -3,7 +3,11 @@
     <id>prefixlist.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
-    <help>If this Prefix-List should be enabled.</help>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
     <field>
     <id>prefixlist.description</id>
@@ -15,19 +19,22 @@
     <id>prefixlist.name</id>
     <label>Name</label>
     <type>text</type>
-    <help>The name of your Prefix-List, please choose one near to the result you want to achieve.</help>
+    <help>Name of the Prefix-List, descriptive of its purpose. If there should be multiple entries for the same prefix list, give them all the same name.</help>
   </field>
   <field>
     <id>prefixlist.version</id>
     <label>IP Version</label>
     <type>dropdown</type>
     <help>Set the IP version to use.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>prefixlist.seqnumber</id>
-    <label>Number</label>
+    <label>Sequence Number</label>
     <type>text</type>
-    <help>The ACL sequence number (1-4294967294)</help>
+    <help>The ACL sequence number (1-4294967294).</help>
   </field>
   <field>
     <id>prefixlist.action</id>
@@ -39,6 +46,6 @@
     <id>prefixlist.network</id>
     <label>Network</label>
     <type>text</type>
-    <help>The network pattern you want to match. You can also add "ge" or "le" additions after the network statement. It's not validated so please be careful!</help>
+    <help>Specifies a network pattern to match, with optional ge (greater than or equal) and le (less than or equal) attributes to control the prefix length range. For example, a pattern like "192.168.0.0/16 ge 24 le 28" matches any route within the 192.168.0.0/16 block with prefix lengths from /24 to /28.</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
index 59ebcb6004..c64a36fdb2 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPRouteMaps.xml
@@ -3,19 +3,23 @@
     <id>routemap.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
-    <help>Enable / Disable</help>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>routemap.description</id>
     <label>Description</label>
     <type>text</type>
-    <help>Add an optional description for this route-map.</help>
+    <help>Optional description for the route-map.</help>
   </field>
   <field>
     <id>routemap.name</id>
     <label>Name</label>
     <type>text</type>
-    <help>Route-map name to match and set your patterns, it will be enabled via the neighbor configuration.</help>
+    <help>Name of the route-map, used in neighbor configuration.</help>
   </field>
   <field>
     <id>routemap.action</id>
@@ -27,7 +31,7 @@
     <id>routemap.id</id>
     <label>ID</label>
     <type>text</type>
-    <help>Route-map ID between 1 and 65535. Be aware that the sorting will be done under the hood, so when you add an entry between it get's to the right position</help>
+    <help>Route-map ID (1-65535). Sorting is managed automatically.</help>
   </field>
   <field>
     <id>routemap.match</id>
@@ -35,7 +39,7 @@
     <type>select_multiple</type>
     <style>tokenize</style>
     <allownew>true</allownew>
-    <help>Select the AS-Path List.</help>
+    <help>Select the AS-Path List. If multiples with the same name exist, selecting one is enough.</help>
   </field>
   <field>
     <id>routemap.match2</id>
@@ -43,7 +47,7 @@
     <type>select_multiple</type>
     <style>tokenize</style>
     <allownew>true</allownew>
-    <help>Select the Prefix List.</help>
+    <help>Select the Prefix List. If multiples with the same name exist, selecting one is enough.</help>
   </field>
   <field>
     <id>routemap.match3</id>
@@ -51,12 +55,12 @@
     <type>select_multiple</type>
     <style>tokenize</style>
     <allownew>true</allownew>
-    <help>Select the Community List.</help>
+    <help>Select the Community List. If multiples with the same name exist, selecting one is enough.</help>
   </field>
     <field>
     <id>routemap.set</id>
     <label>Set</label>
     <type>text</type>
-    <help>Free text field for your set, please be careful! You can set e.g. "local-preference 300" or "community 1:1" (http://www.nongnu.org/quagga/docs/docs-multi/Route-Map-Set-Command.html#Route-Map-Set-Command)</help>
+    <help>Free text field for setting attributes, e.g., “local-preference 300” or “community 1:1”.</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
index 610edd3b20..88bd9cc54a 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Interface.xml
@@ -3,6 +3,11 @@
     <id>interface.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>interface.interfacename</id>
@@ -14,65 +19,104 @@
     <id>interface.area</id>
     <label>Area</label>
     <type>text</type>
-    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0</help>
+    <help>Assigns the network to an OSPF area using an identifier like 0.0.0.0 (Backbone Area). The Backbone Area connects other areas, supporting inter-area communication, while additional areas (e.g., 0.0.0.1, 0.0.0.255) segment the network logically to limit routing updates. Only use Area in Interface tab or in Network tab once.</help>
   </field>
   <field>
     <id>interface.passive</id>
     <label>Passive Interface</label>
     <type>checkbox</type>
+    <help>Disables OSPF Hello packets on the interface, preventing neighbor relationships (used for security or optimization).</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.cost</id>
     <label>Cost</label>
     <type>text</type>
+    <help>Sets the OSPF metric for path selection; lower costs are preferred paths within the area.</help>
   </field>
   <field>
     <id>interface.cost_demoted</id>
     <label>Cost (when demoted)</label>
     <type>text</type>
     <hint>65535</hint>
+    <help>Specifies metric cost when interface is in backup mode via CARP, deprioritizing paths dynamically.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.carp_depend_on</id>
     <label>Depend on (carp)</label>
     <type>dropdown</type>
-    <help>The carp VHID to depend on, when this virtual address is not in master state,
-      the interface cost will be set to the demoted cost (specified above).</help>
+    <help>Links the interface cost to a CARP VHID, adjusting costs based on primary or backup status.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.hellointerval</id>
     <label>Hello Interval</label>
     <type>text</type>
+    <help>Sets frequency (in seconds) of Hello packets to maintain OSPF neighbor relationships.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.deadinterval</id>
     <label>Dead Interval</label>
     <type>text</type>
+    <help>Defines the timeout period for OSPF neighbors; after this period, the neighbor is marked as down.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.retransmitinterval</id>
     <label>Retransmission Interval</label>
     <type>text</type>
+    <help>Time (seconds) to wait before resending Link-State Advertisements (LSAs) if acknowledgment is delayed.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.transmitdelay</id>
     <label>Retransmission Delay</label>
     <type>text</type>
+    <help>Configures the hold time before LSAs are resent, accommodating slow or high-latency links.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.priority</id>
     <label>Priority</label>
     <type>text</type>
+    <help>Determines the likelihood of becoming a Designated Router; higher values increase priority.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.bfd</id>
     <label>BFD</label>
     <type>checkbox</type>
-    <help>You can enable BFD support for this interface. You will also need to configure BFD peers.</help>
+    <help>Activates Bidirectional Forwarding Detection for rapid link failure detection; peer configuration required.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.networktype</id>
     <label>Network Type</label>
     <type>dropdown</type>
+    <help>Defines the OSPF network type, impacting adjacency and LSA flooding methods. "Broadcast Multi-Access": Assumes networks supporting multiple routers with broadcast capability (e.g., Ethernet). "Non-Broadcast Multi-Access (NBMA)"": For networks without broadcast support (e.g., Frame Relay); requires manual neighbor setup. "Point-to-Multipoint": Connects multiple routers over a single interface, treating each as a point-to-point link. "Point-to-Point": Directly connects two routers, simplifying adjacency and LSA transmission.</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Network.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Network.xml
index c047e03f04..2b73476c07 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Network.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6Network.xml
@@ -3,39 +3,55 @@
     <id>network.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>network.ipaddr</id>
     <label>Network Address</label>
     <type>text</type>
+    <help>Specifies the IPv6 network address (e.g., fe80::1234) to include in OSPFv3.</help>
   </field>
   <field>
     <id>network.netmask</id>
     <label>Network Mask</label>
     <type>text</type>
+    <help>Defines the network prefix length (e.g., 64) for the specified IPv6 address range.</help>
   </field>
   <field>
     <id>network.area</id>
     <label>Area</label>
     <type>text</type>
-    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0. Only use Area in Interface tab or in Network tab once.</help>
+    <help>Assigns the network to an OSPF area using an identifier like 0.0.0.0 (Backbone Area). The Backbone Area connects other areas, supporting inter-area communication, while additional areas (e.g., 0.0.0.1, 0.0.0.255) segment the network logically to limit routing updates. Only use Area in Interface tab or in Network tab once.</help>
   </field>
   <field>
     <id>network.arearange</id>
     <label>Area Range</label>
     <type>text</type>
-    <help>Here you can summarize a network for this area like fe80:1234::0/64</help>
+    <help>Summarizes multiple networks in the specified area, consolidating multiple networks into a single summarized route like fe80:1234::/56.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>network.linkedPrefixlistIn</id>
     <label>Prefix-List In</label>
     <type>dropdown</type>
-    <help>Prefix-List for inbound direction</help>
+    <help>Filters inbound route advertisements using a prefix list.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>network.linkedPrefixlistOut</id>
     <label>Prefix-List Out</label>
     <type>dropdown</type>
-    <help>Prefix-List for outbound direction</help>
+    <help>Filters outbound route advertisements using a prefix list.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6PrefixLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6PrefixLists.xml
index a1f0fce3ab..ab34dbc024 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6PrefixLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6PrefixLists.xml
@@ -3,17 +3,21 @@
     <id>prefixlist.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
-    <help>Enable / Disable</help>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>prefixlist.name</id>
     <label>Name</label>
     <type>text</type>
-    <help>The name of your Prefix-List, please choose one near to the result you want to achieve.</help>
+    <help>The name of your Prefix-List. If there should be multiple entries for the same prefix list, give them all the same name.</help>
   </field>
   <field>
     <id>prefixlist.seqnumber</id>
-    <label>Number</label>
+    <label>Sequence Number</label>
     <type>text</type>
     <help>The ACL sequence number (10-99)</help>
   </field>
@@ -27,6 +31,6 @@
     <id>prefixlist.network</id>
     <label>Network</label>
     <type>text</type>
-    <help>The network pattern you want to match. It's not validated so please be careful!</help>
+    <help>The network pattern you want to match.</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6RouteMaps.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6RouteMaps.xml
index 8d82c8ec46..427662d7ff 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6RouteMaps.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPF6RouteMaps.xml
@@ -3,12 +3,17 @@
     <id>routemap.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>routemap.name</id>
     <label>Name</label>
     <type>text</type>
-    <help>Route-map name to match and set your patterns, it will be enabled via redistribution.</help>
+    <help>Route-map name for matching and setting patterns, enabled via redistribution.</help>
   </field>
   <field>
     <id>routemap.action</id>
@@ -20,7 +25,7 @@
     <id>routemap.id</id>
     <label>ID</label>
     <type>text</type>
-    <help>Route-map ID between 10 and 99. Be aware that the sorting will be done under the hood, so when you add an entry between it get's to the right position</help>
+    <help>Route-map ID between 10 and 99. Entries added in order of insertion.</help>
   </field>
   <field>
     <id>routemap.match2</id>
@@ -28,11 +33,12 @@
     <type>select_multiple</type>
     <style>tokenize</style>
     <allownew>true</allownew>
+    <help>Allows for matching based on prefix lists, multiple selections enabled.</help>
   </field>
     <field>
     <id>routemap.set</id>
     <label>Set</label>
     <type>text</type>
-    <help>Free text field for your set, please be careful! You can set e.g. "local-preference 300" or "community 1:1" (http://docs.frrouting.org/en/latest/routemap.html#route-map-set-command)</help>
+    <help>Free text field for your set. You can set e.g. "local-preference 300" or "community 1:1" (http://docs.frrouting.org/en/latest/routemap.html#route-map-set-command)</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
index d46200e626..bc08a4c8c7 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
@@ -3,86 +3,136 @@
     <id>interface.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>interface.interfacename</id>
     <label>Interface</label>
     <type>dropdown</type>
-    <help>Select an interface where this settings apply to.</help>
+    <help>Select an interface where this settings apply.</help>
   </field>
   <field>
     <id>interface.authtype</id>
     <label>Authentication Type</label>
     <type>dropdown</type>
+    <help>Defines security method for OSPF exchanges (None, plain, or MD5) to prevent unauthorized updates.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.authkey</id>
     <label>Authentication Key</label>
     <type>text</type>
+    <help>Specifies a password or key used for plain or MD5 authentication.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.authkey_id</id>
     <label>Authentication Key ID</label>
     <advanced>true</advanced>
     <type>text</type>
+    <help>Numeric identifier for MD5 authentication, ensuring correct key selection.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.area</id>
     <label>Area</label>
     <type>text</type>
-    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0. Only use Area in Interface tab or in Network tab once.</help>
+    <help>Assigns the network to an OSPF area using an identifier like 0.0.0.0 (Backbone Area). The Backbone Area connects other areas, supporting inter-area communication, while additional areas (e.g., 0.0.0.1, 0.0.0.255) segment the network logically to limit routing updates. Only use Area in Interface tab or in Network tab once.</help>
   </field>
   <field>
     <id>interface.cost</id>
     <label>Cost</label>
     <type>text</type>
+    <help>Sets the OSPF metric for path selection; lower costs are preferred paths within the area.</help>
   </field>
   <field>
     <id>interface.cost_demoted</id>
     <label>Cost (when demoted)</label>
     <type>text</type>
+    <help>Specifies metric cost when interface is in backup mode via CARP, deprioritizing paths dynamically.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.carp_depend_on</id>
     <label>Depend on (carp)</label>
     <type>dropdown</type>
-    <help>The carp VHID to depend on, when this virtual address is not in master state,
-      the interface cost will be set to the demoted cost (specified above).</help>
+    <help>Links the interface cost to a CARP VHID, adjusting costs based on primary or backup status.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.hellointerval</id>
     <label>Hello Interval</label>
     <type>text</type>
+    <help>Sets frequency (in seconds) of Hello packets to maintain OSPF neighbor relationships.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.deadinterval</id>
     <label>Dead Interval</label>
     <type>text</type>
+    <help>Defines the timeout period for OSPF neighbors; after this period, the neighbor is marked as down.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.retransmitinterval</id>
     <label>Retransmission Interval</label>
     <type>text</type>
+    <help>Time (seconds) to wait before resending Link-State Advertisements (LSAs) if acknowledgment is delayed.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.transmitdelay</id>
     <label>Retransmission Delay</label>
     <type>text</type>
+    <help>Configures the hold time before LSAs are resent, accommodating slow or high-latency links.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.priority</id>
     <label>Priority</label>
     <type>text</type>
+    <help>Determines the likelihood of becoming a Designated Router; higher values increase priority.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.bfd</id>
     <label>BFD</label>
     <type>checkbox</type>
-    <help>You can enable BFD support for this interface. You will also need to configure BFD peers.</help>
+    <help>Activates Bidirectional Forwarding Detection for rapid link failure detection; peer configuration required.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>interface.networktype</id>
     <label>Network Type</label>
     <type>dropdown</type>
+    <help>Defines the OSPF network type, impacting adjacency and LSA flooding methods. "Broadcast Multi-Access": Assumes networks supporting multiple routers with broadcast capability (e.g., Ethernet). "Non-Broadcast Multi-Access (NBMA)"": For networks without broadcast support (e.g., Frame Relay); requires manual neighbor setup. "Point-to-Multipoint": Connects multiple routers over a single interface, treating each as a point-to-point link. "Point-to-Point": Directly connects two routers, simplifying adjacency and LSA transmission.</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml
index f15e330eb4..66c72e677f 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNetwork.xml
@@ -3,39 +3,55 @@
     <id>network.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>network.ipaddr</id>
     <label>Network Address</label>
     <type>text</type>
+    <help>Specifies the network address (e.g., 192.168.1.0) to include in OSPF.</help>
   </field>
   <field>
     <id>network.netmask</id>
     <label>Network Mask</label>
     <type>text</type>
+    <help>Defines the network mask (e.g., 24) for the specified network.</help>
   </field>
   <field>
     <id>network.area</id>
     <label>Area</label>
     <type>text</type>
-    <help>Area in wildcard mask style like 0.0.0.0 and no decimal 0. Only use Area in Interface tab or in Network tab once.</help>
+    <help>Assigns the network to an OSPF area using an identifier like 0.0.0.0 (Backbone Area). The Backbone Area connects other areas, supporting inter-area communication, while additional areas (e.g., 0.0.0.1, 0.0.0.255) segment the network logically to limit routing updates. Only use Area in Interface tab or in Network tab once.</help>
   </field>
   <field>
     <id>network.arearange</id>
     <label>Area Range</label>
     <type>text</type>
-    <help>Here you can summarize a network for this area like 192.168.0.0/23</help>
+    <help>Summarizes multiple networks in the specified area, consolidating multiple networks into a single summarized route like 192.168.0.0/23</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>network.linkedPrefixlistIn</id>
     <label>Prefix-List In</label>
     <type>dropdown</type>
-    <help>Prefix-List for inbound direction</help>
+    <help>Filters inbound route advertisements using a prefix list.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
   <field>
     <id>network.linkedPrefixlistOut</id>
     <label>Prefix-List Out</label>
     <type>dropdown</type>
-    <help>Prefix-List for outbound direction</help>
+    <help>Filters outbound route advertisements using a prefix list.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFPrefixLists.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFPrefixLists.xml
index a1f0fce3ab..ab34dbc024 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFPrefixLists.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFPrefixLists.xml
@@ -3,17 +3,21 @@
     <id>prefixlist.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
-    <help>Enable / Disable</help>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>prefixlist.name</id>
     <label>Name</label>
     <type>text</type>
-    <help>The name of your Prefix-List, please choose one near to the result you want to achieve.</help>
+    <help>The name of your Prefix-List. If there should be multiple entries for the same prefix list, give them all the same name.</help>
   </field>
   <field>
     <id>prefixlist.seqnumber</id>
-    <label>Number</label>
+    <label>Sequence Number</label>
     <type>text</type>
     <help>The ACL sequence number (10-99)</help>
   </field>
@@ -27,6 +31,6 @@
     <id>prefixlist.network</id>
     <label>Network</label>
     <type>text</type>
-    <help>The network pattern you want to match. It's not validated so please be careful!</help>
+    <help>The network pattern you want to match.</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFRouteMaps.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFRouteMaps.xml
index 8d82c8ec46..427662d7ff 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFRouteMaps.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFRouteMaps.xml
@@ -3,12 +3,17 @@
     <id>routemap.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>routemap.name</id>
     <label>Name</label>
     <type>text</type>
-    <help>Route-map name to match and set your patterns, it will be enabled via redistribution.</help>
+    <help>Route-map name for matching and setting patterns, enabled via redistribution.</help>
   </field>
   <field>
     <id>routemap.action</id>
@@ -20,7 +25,7 @@
     <id>routemap.id</id>
     <label>ID</label>
     <type>text</type>
-    <help>Route-map ID between 10 and 99. Be aware that the sorting will be done under the hood, so when you add an entry between it get's to the right position</help>
+    <help>Route-map ID between 10 and 99. Entries added in order of insertion.</help>
   </field>
   <field>
     <id>routemap.match2</id>
@@ -28,11 +33,12 @@
     <type>select_multiple</type>
     <style>tokenize</style>
     <allownew>true</allownew>
+    <help>Allows for matching based on prefix lists, multiple selections enabled.</help>
   </field>
     <field>
     <id>routemap.set</id>
     <label>Set</label>
     <type>text</type>
-    <help>Free text field for your set, please be careful! You can set e.g. "local-preference 300" or "community 1:1" (http://docs.frrouting.org/en/latest/routemap.html#route-map-set-command)</help>
+    <help>Free text field for your set. You can set e.g. "local-preference 300" or "community 1:1" (http://docs.frrouting.org/en/latest/routemap.html#route-map-set-command)</help>
   </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
index adbbeb2d4f..aae3f26c75 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
@@ -3,6 +3,11 @@
     <id>route.enabled</id>
     <label>Enabled</label>
     <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
   </field>
   <field>
     <id>route.network</id>
@@ -12,7 +17,7 @@
   </field>
   <field>
     <id>route.gateway</id>
-    <label>Gateway (optional)</label>
+    <label>Gateway</label>
     <type>text</type>
     <help>Optional gateway IP address for this route.</help>
   </field>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
index b3c2c1b7e0..f8baf46fef 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/general.xml
@@ -3,20 +3,20 @@
         <id>general.enabled</id>
         <label>Enable</label>
         <type>checkbox</type>
-        <help>This will activate the routing service.</help>
+        <help>This will activate the routing service. Without enabling it globally, none of the individual services will run.</help>
     </field>
     <field>
         <id>general.profile</id>
         <label>Profile</label>
         <type>dropdown</type>
         <advanced>true</advanced>
-        <help><![CDATA[Control FRR's default profile. "traditional" is the default, "datacenter" is more aggressive. Please refer to the <a href="http://docs.frrouting.org/en/latest/basic.html#profiles">FRR documentation</a> for more information.]]></help>
+        <help>Control FRR’s default profile: traditional reflects defaults adhering mostly to IETF standards or common practices in wide-area internet routing. datacenter reflects a single administrative domain with intradomain links using aggressive timers.</help>
     </field>
     <field>
         <id>general.enablecarp</id>
         <label>Enable CARP Failover</label>
         <type>checkbox</type>
-        <help>This will activate the routing service only on the master device.</help>
+        <help>This will activate the routing service only on the master device. The backup device will stop the service completely.</help>
     </field>
     <field>
         <id>general.enablesnmp</id>
@@ -28,7 +28,7 @@
         <id>general.enablesyslog</id>
         <label>Enable logging</label>
         <type>checkbox</type>
-        <help>Syslog is a service which is made to collect log messages from different software and maybe to a central logging server. Check this box if you have such a setup.</help>
+        <help>Sends logs to the OPNsense integrated syslog-ng service.</help>
     </field>
     <field>
         <id>general.sysloglevel</id>
@@ -40,8 +40,6 @@
         <id>general.fwrules</id>
         <label>Firewall rules</label>
         <type>checkbox</type>
-        <help>Enable automatically created firewall rules, when additional policies are needed, disable this and define
-        your own custom policies in the Firewall section.
-        </help>
+        <help>Enable automatically created firewall rules, when additional policies are needed, disable this and define your own custom policies in the Firewall section.</help>
     </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/isis.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/isis.xml
deleted file mode 100644
index bf188c45cd..0000000000
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/isis.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<form>
-    <field>
-        <id>routing.isis.general.Enabled</id>
-        <label>enable</label>
-        <type>checkbox</type>
-        <help>This will activate the isis service.</help>
-    </field>
-</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
index 7a1fb79db0..3600e8497c 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
@@ -3,17 +3,13 @@
         <id>ospf.enabled</id>
         <label>Enable</label>
         <type>checkbox</type>
-        <help>This will activate the OSPF service if routing protocols are enabled in "General".</help>
+        <help>This will activate the OSPF service.</help>
     </field>
     <field>
-      <id>ospf.carp_demote</id>
-      <label>CARP demote</label>
-      <type>checkbox</type>
-      <help>
-            Register CARP status monitor, when no neighbors are found, consider this node less attractive.
-            This feature needs syslog enabled using "Debugging" logging to catch all relevant status events.
-            This option is not compatible with "Enable CARP Failover".
-      </help>
+        <id>ospf.carp_demote</id>
+        <label>CARP demote</label>
+        <type>checkbox</type>
+        <help>Register CARP status monitor. When no neighbors are found, consider this node less attractive. Requires syslog enabled with “Debugging” logging. Incompatible with “Enable CARP Failover”.</help>
     </field>
     <field>
         <id>ospf.routerid</id>
@@ -27,32 +23,31 @@
         <label>Reference Cost</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>Here you can adjust the reference cost in Mbps for path calculation. Mostly needed when you bundle interfaces to higher bandwidth.</help>
+        <help>Adjust the reference cost in Mbps for path calculation, useful when bundling interfaces for higher bandwidth.</help>
     </field>
     <field>
         <id>ospf.passiveinterfaces</id>
         <label>Passive Interfaces</label>
         <type>select_multiple</type>
-        <help><![CDATA[Select the interfaces, where no OSPF packets should be sent to.]]></help>
-        <hint>Type or select interface.</hint>
+        <help>Select the interfaces where no OSPF packets should be sent.</help>
     </field>
     <field>
         <id>ospf.redistribute</id>
         <label>Route Redistribution</label>
         <type>select_multiple</type>
-        <help><![CDATA[Select other routing sources, which should be redistributed to the other nodes.]]></help>
-        <hint>Type or select a route source.</hint>
+        <help>Select other routing sources to redistribute to other nodes.</help>
     </field>
     <field>
         <id>ospf.redistributemap</id>
         <label>Redistribution Map</label>
         <type>dropdown</type>
-        <help>Route Map to set for Redistribution.</help>
+        <help>Route Map to set for Redistribution, can be used to send a specific network as advertisement when it is defined in a Prefix List attached to a Route Map.</help>
     </field>
     <field>
         <id>ospf.logadjacencychanges</id>
         <label>Log Adjacency Changes</label>
         <type>checkbox</type>
+        <help>If it should be logged when the topology of the area changes.</help>
     </field>
     <field>
         <id>ospf.originate</id>
@@ -64,12 +59,12 @@
         <id>ospf.originatealways</id>
         <label>Always Advertise Default Gateway</label>
         <type>checkbox</type>
-        <help>This will send the information that we have a default gateway, regardless of if it is available.</help>
+        <help>Always sends default gateway information, regardless of availability.</help>
     </field>
     <field>
         <id>ospf.originatemetric</id>
         <label>Advertise Default Gateway Metric</label>
         <type>text</type>
-        <help>This let you manipulate the metric when advertising default gateway.</help>
+        <help>Allows manipulation of the metric when advertising the default gateway.</help>
     </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
index c7295a7024..5432da38f7 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
@@ -3,36 +3,31 @@
         <id>ospf6.enabled</id>
         <label>Enable</label>
         <type>checkbox</type>
-        <help>This will activate the OSPFv3 service if routing protocols are enabled in "General".</help>
+        <help>This will activate the OSPF service.</help>
     </field>
     <field>
-      <id>ospf6.carp_demote</id>
-      <label>CARP demote</label>
-      <type>checkbox</type>
-      <help>
-            Register CARP status monitor, when no neighbors are found, consider this node less attractive.
-            This feature needs syslog enabled using "Debugging" logging to catch all relevant status events.
-            This option is not compatible with "Enable CARP Failover".
-      </help>
+        <id>ospf6.carp_demote</id>
+        <label>CARP demote</label>
+        <type>checkbox</type>
+        <help>Register CARP status monitor. When no neighbors are found, consider this node less attractive. Requires syslog enabled with “Debugging” logging. Incompatible with “Enable CARP Failover”.</help>
     </field>
     <field>
         <id>ospf6.redistribute</id>
         <label>Route Redistribution</label>
         <type>select_multiple</type>
-        <help><![CDATA[Select other routing sources, which should be redistributed to the other nodes.]]></help>
-        <hint>Type or select a route source.</hint>
+        <help>Select other routing sources to redistribute to other nodes.</help>
     </field>
     <field>
         <id>ospf6.redistributemap</id>
         <label>Redistribution Map</label>
         <type>dropdown</type>
-        <help>Route Map to set for Redistribution.</help>
+        <help>Route Map to set for Redistribution, can be used to send a specific network as advertisement when it is defined in a Prefix List attached to a Route Map.</help>
     </field>
     <field>
         <id>ospf6.routerid</id>
         <label>Router ID</label>
         <type>text</type>
-        <help>Router ID as IPv4 Address</help>
+        <help>Router ID as an IPv4 Address to uniquely identify the router.</help>
     </field>
     <field>
         <id>ospf6.originate</id>
@@ -44,14 +39,14 @@
         <id>ospf6.originatealways</id>
         <label>Always Advertise Default Gateway</label>
         <type>checkbox</type>
-        <help>This will send the information that we have a default gateway, regardless of if it is available.</help>
+        <help>Always sends default gateway information, regardless of availability.</help>
         <style>ospf6_originate</style>
     </field>
     <field>
         <id>ospf6.originatemetric</id>
         <label>Advertise Default Gateway Metric</label>
         <type>text</type>
-        <help>This let you manipulate the metric when advertising default gateway.</help>
+        <help>Allows manipulation of the metric when advertising the default gateway.</help>
         <style>ospf6_originate</style>
     </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/rip.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/rip.xml
index 3b2ff44945..640f1b3ef8 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/rip.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/rip.xml
@@ -3,7 +3,7 @@
         <id>rip.enabled</id>
         <label>enable</label>
         <type>checkbox</type>
-        <help>This will activate the RIP service if the support of routing protocols is enabled in "General".</help>
+        <help>This will activate the RIP service.</help>
     </field>
     <field>
         <id>rip.version</id>
@@ -15,15 +15,13 @@
         <id>rip.passiveinterfaces</id>
         <label>Passive Interfaces</label>
         <type>select_multiple</type>
-        <help><![CDATA[Select the interfaces, where no RIP packets should be sent to.]]></help>
-        <hint>Type or select interface.</hint>
+        <help>Select the interfaces, where no RIP packets should be sent to, (e.g., WAN interface).</help>
     </field>
     <field>
         <id>rip.redistribute</id>
         <label>Route Redistribution</label>
         <type>select_multiple</type>
-        <help><![CDATA[Select other routing sources, which should be redistributed to the other nodes.]]></help>
-        <hint>Type or select a route source.</hint>
+        <help>Select other routing sources, which should be redistributed to the other nodes. A good choice is Connected Routes to automatically redistribute all locally attached routes to other routers with RIP. Otherwise use the Networks option to manually insert networks to distribute.</help>
     </field>
     <field>
         <id>rip.networks</id>
@@ -37,6 +35,6 @@
         <id>rip.defaultmetric</id>
         <label>Default Metric</label>
         <type>text</type>
-        <help>Set the default metric to a value between 1 and 16.</help>
+        <help>Set the default metric to a value between 1 and 16. Routes with lower metrics will be preferred, while higher metrics indicate less preferred or distant paths.</help>
     </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/static.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/static.xml
index 0a766e8f63..b5d4690ccc 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/static.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/static.xml
@@ -3,6 +3,6 @@
         <id>staticd.enabled</id>
         <label>Enable</label>
         <type>checkbox</type>
-        <help>This will activate the staticd service if the support of routing protocols is enabled in "General".</help>
+        <help>This will activate the staticd service.</help>
     </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
index e63c3a58eb..4241ec17da 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Menu/Menu.xml
@@ -4,7 +4,6 @@
     <RIP VisibleName="RIP" cssClass="fa fa-expand fa-fw" url="/ui/quagga/rip/index" order="10" />
     <OSPF VisibleName="OSPF" cssClass="fa fa-map fa-fw" url="/ui/quagga/ospf/index" order="20" />
     <OSPFv3 VisibleName="OSPFv3" cssClass="fa fa-map fa-fw" url="/ui/quagga/ospf6/index" order="25" />
-    <!--<ISIS VisibleName="IS-IS" cssClass="fa fa-bolt fa-fw" url="/ui/quagga/isis/index" order="30" />-->
     <BGP VisibleName="BGP" cssClass="fa fa-globe fa-fw" url="/ui/quagga/bgp/index" order="40" />
     <BFD VisibleName="BFD" cssClass="fa fa-exchange fa-fw" url="/ui/quagga/bfd/index" order="50" />
     <STATIC VisibleName="STATIC" cssClass="fa fa-expand fa-fw" url="/ui/quagga/static/index" order="60" />
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
index 4510e23ce1..5657ef9632 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
@@ -36,7 +36,7 @@ POSSIBILITY OF SUCH DAMAGE.
             updateServiceControlUI('quagga');
         });
 
-        $("#grid-neighbors").UIBootgrid({
+        $("#{{formGridEditBFDNeighbor['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bfd/searchNeighbor',
             'get':'/api/quagga/bfd/getNeighbor/',
             'set':'/api/quagga/bfd/setNeighbor/',
@@ -65,32 +65,13 @@ POSSIBILITY OF SUCH DAMAGE.
 </ul>
 
 <div class="tab-content content-box tab-content">
+    <!-- Tab: General -->
     <div id="general" class="tab-pane fade in active">
         {{ partial("layout_partials/base_form",['fields':bfdForm,'id':'frm_bfd_settings'])}}
     </div>
+    <!-- Tab: Neighbors -->
     <div id="neighbors" class="tab-pane fade in">
-        <table id="grid-neighbors" class="table table-responsive" data-editDialog="DialogEditBFDNeighbor">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Description') }}</th>
-                    <th data-column-id="address" data-type="string" data-visible="true">{{ lang._('Neighbor Address') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditBFDNeighbor)}}
     </div>
 </div>
 
@@ -107,6 +88,9 @@ POSSIBILITY OF SUCH DAMAGE.
             <br/><br/>
         </div>
     </div>
+    <div id="BFDChangeMessage" class="alert alert-info" style="display: none" role="alert">
+        {{ lang._('After changing settings, please remember to apply them.') }}
+    </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBFDNeighbor,'id':'DialogEditBFDNeighbor','label':lang._('Edit Neighbor')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBFDNeighbor,'id':formGridEditBFDNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index b8385d5463..b456e7de9f 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE.
             }
         });
 
-        $("#grid-neighbors").UIBootgrid({
+        $("#{{formGridEditBGPNeighbor['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchNeighbor',
             'get':'/api/quagga/bgp/getNeighbor/',
             'set':'/api/quagga/bgp/setNeighbor/',
@@ -55,7 +55,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/bgp/delNeighbor/',
             'toggle':'/api/quagga/bgp/toggleNeighbor/'
         });
-        $("#grid-aspaths").UIBootgrid({
+        $("#{{formGridEditBGPASPaths['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchAspath',
             'get':'/api/quagga/bgp/getAspath/',
             'set':'/api/quagga/bgp/setAspath/',
@@ -63,7 +63,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/bgp/delAspath/',
             'toggle':'/api/quagga/bgp/toggleAspath/'
         });
-        $("#grid-prefixlists").UIBootgrid({
+        $("#{{formGridEditBGPPrefixLists['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchPrefixlist',
             'get':'/api/quagga/bgp/getPrefixlist/',
             'set':'/api/quagga/bgp/setPrefixlist/',
@@ -71,7 +71,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/bgp/delPrefixlist/',
             'toggle':'/api/quagga/bgp/togglePrefixlist/'
         });
-        $("#grid-communitylists").UIBootgrid({
+        $("#{{formGridEditBGPCommunityLists['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchCommunitylist',
             'get':'/api/quagga/bgp/getCommunitylist/',
             'set':'/api/quagga/bgp/setCommunitylist/',
@@ -79,7 +79,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/bgp/delCommunitylist/',
             'toggle':'/api/quagga/bgp/toggleCommunitylist/'
         });
-        $("#grid-routemaps").UIBootgrid({
+        $("#{{formGridEditBGPRouteMaps['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchRoutemap',
             'get':'/api/quagga/bgp/getRoutemap/',
             'set':'/api/quagga/bgp/setRoutemap/',
@@ -87,7 +87,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/bgp/delRoutemap/',
             'toggle':'/api/quagga/bgp/toggleRoutemap/'
         });
-        $("#grid-peergroups").UIBootgrid({
+        $("#{{formGridEditBGPPeergroups['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchPeergroup',
             'get':'/api/quagga/bgp/getPeergroup/',
             'set':'/api/quagga/bgp/setPeergroup/',
@@ -109,178 +109,33 @@ POSSIBILITY OF SUCH DAMAGE.
     <li><a data-toggle="tab" href="#peergroups">{{ lang._('Peer Groups') }}</a></li>
 </ul>
 <div class="tab-content content-box tab-content">
+    <!-- Tab: General -->
     <div id="general" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            {{ partial("layout_partials/base_form",['fields':bgpForm,'id':'frm_bgp_settings'])}}
-        </div>
+        {{ partial("layout_partials/base_form",['fields':bgpForm,'id':'frm_bgp_settings'])}}
     </div>
+    <!-- Tab: Neighbors -->
     <div id="neighbors" class="tab-pane fade in">
-        <table id="grid-neighbors" class="table table-responsive" data-editDialog="DialogEditBGPNeighbor">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                    <th data-column-id="address" data-type="string">{{ lang._('Neighbor Address') }}</th>
-                    <th data-column-id="remoteas" data-type="string">{{ lang._('Remote AS') }}</th>
-                    <th data-column-id="linkedPrefixlistIn" data-type="string">{{ lang._('Prefix List inbound') }}</th>
-                    <th data-column-id="linkedPrefixlistOut" data-type="string">{{ lang._('Prefix List outbound') }}</th>
-                    <th data-column-id="linkedRoutemapIn" data-type="string">{{ lang._('Route Map inbound') }}</th>
-                    <th data-column-id="linkedRoutemapOut" data-type="string">{{ lang._('Route Map outbound') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditBGPNeighbor)}}
     </div>
+    <!-- Tab: AS Paths -->
     <div id="aspaths" class="tab-pane fade in">
-        <table id="grid-aspaths" class="table table-responsive" data-editDialog="DialogEditBGPASPaths">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                    <th data-column-id="number" data-type="string" data-sortable="true">{{ lang._('Number') }}</th>
-                    <th data-column-id="action" data-type="string" data-sortable="false">{{ lang._('Action') }}</th>
-                    <th data-column-id="as" data-type="string" data-sortable="false">{{ lang._('AS Number') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditBGPASPaths)}}
     </div>
+    <!-- Tab: Prefix Lists -->
     <div id="prefixlists" class="tab-pane fade in">
-        <table id="grid-prefixlists" class="table table-responsive" data-editDialog="DialogEditBGPPrefixLists">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-sortable="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                    <th data-column-id="seqnumber" data-type="string" data-sortable="true">{{ lang._('Sequence Number') }}</th>
-                    <th data-column-id="action" data-type="string" data-sortable="false">{{ lang._('Action') }}</th>
-                    <th data-column-id="network" data-type="string" data-sortable="false">{{ lang._('Network') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditBGPPrefixLists)}}
     </div>
+    <!-- Tab: Community Lists -->
     <div id="communitylists" class="tab-pane fade in">
-        <table id="grid-communitylists" class="table table-responsive" data-editDialog="DialogEditBGPCommunityLists">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="number" data-type="string" data-sortable="true">{{ lang._('Number') }}</th>
-                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                    <th data-column-id="seqnumber" data-type="string" data-sortable="true">{{ lang._('Secquence Number') }}</th>
-                    <th data-column-id="action" data-type="string" data-sortable="false">{{ lang._('Action') }}</th>
-                    <th data-column-id="community" data-type="string" data-sortable="false">{{ lang._('Community') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditBGPCommunityLists)}}
     </div>
+    <!-- Tab: Route Maps -->
     <div id="routemaps" class="tab-pane fade in">
-        <table id="grid-routemaps" class="table table-responsive" data-editDialog="DialogEditBGPRouteMaps">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
-                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
-                    <th data-column-id="action" data-type="string">{{ lang._('Action') }}</th>
-                    <th data-column-id="id" data-type="string">{{ lang._('ID') }}</th>
-                    <th data-column-id="match" data-type="string">{{ lang._('AS Path List') }}</th>
-                    <th data-column-id="match2" data-type="string">{{ lang._('Prefix List') }}</th>
-                    <th data-column-id="match3" data-type="string">{{ lang._('Community List') }}</th>
-                    <th data-column-id="set" data-type="string">{{ lang._('Set') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditBGPRouteMaps)}}
     </div>
+    <!-- Tab: Peer Groups -->
     <div id="peergroups" class="tab-pane fade in">
-        <table id="grid-peergroups" class="table table-responsive" data-editDialog="DialogEditBGPPeergroups">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string">{{ lang._('Name') }}</th>
-                    <th data-column-id="nexthopself" data-type="string" data-formatter="boolean">{{ lang._('Next Hop Self') }}</th>
-                    <th data-column-id="defaultoriginate" data-type="string" data-formatter="boolean">{{ lang._('Default Originate') }}</th>
-                    <th data-column-id="linkedPrefixlistIn" data-type="string">{{ lang._('Prefix List inbound') }}</th>
-                    <th data-column-id="linkedPrefixlistOut" data-type="string">{{ lang._('Prefix List outbound') }}</th>
-                    <th data-column-id="linkedRoutemapIn" data-type="string">{{ lang._('Route Map inbound') }}</th>
-                    <th data-column-id="linkedRoutemapOut" data-type="string">{{ lang._('Route Map outbound') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditBGPPeergroups)}}
     </div>
 </div>
 
@@ -297,11 +152,14 @@ POSSIBILITY OF SUCH DAMAGE.
             <br/><br/>
         </div>
     </div>
+    <div id="BGPChangeMessage" class="alert alert-info" style="display: none" role="alert">
+        {{ lang._('After changing settings, please remember to apply them.') }}
+    </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPNeighbor,'id':'DialogEditBGPNeighbor','label':lang._('Edit Neighbor')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPASPaths,'id':'DialogEditBGPASPaths','label':lang._('Edit AS Paths')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPrefixLists,'id':'DialogEditBGPPrefixLists','label':lang._('Edit Prefix Lists')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPCommunityLists,'id':'DialogEditBGPCommunityLists','label':lang._('Edit Community Lists')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPRouteMaps,'id':'DialogEditBGPRouteMaps','label':lang._('Edit Route Maps')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPeergroups,'id':'DialogEditBGPPeergroups','label':lang._('Edit Peer Groups')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPNeighbor,'id':formGridEditBGPNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPASPaths,'id':formGridEditBGPASPaths['edit_dialog_id'],'label':lang._('Edit AS Paths')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPrefixLists,'id':formGridEditBGPPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPCommunityLists,'id':formGridEditBGPCommunityLists['edit_dialog_id'],'label':lang._('Edit Community Lists')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPRouteMaps,'id':formGridEditBGPRouteMaps['edit_dialog_id'],'label':lang._('Edit Route Maps')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPeergroups,'id':formGridEditBGPPeergroups['edit_dialog_id'],'label':lang._('Edit Peer Groups')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 9daaa0e144..34c581cc0c 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -51,7 +51,7 @@ POSSIBILITY OF SUCH DAMAGE.
             }
         });
 
-        $("#grid-networks").UIBootgrid({
+        $("#{{formGridEditNetwork['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchNetwork',
             'get':'/api/quagga/ospfsettings/getNetwork/',
             'set':'/api/quagga/ospfsettings/setNetwork/',
@@ -59,7 +59,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/ospfsettings/delNetwork/',
             'toggle':'/api/quagga/ospfsettings/toggleNetwork/'
         });
-        $("#grid-interfaces").UIBootgrid({
+        $("#{{formGridEditInterface['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchInterface',
             'get':'/api/quagga/ospfsettings/getInterface/',
             'set':'/api/quagga/ospfsettings/setInterface/',
@@ -67,7 +67,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/ospfsettings/delInterface/',
             'toggle':'/api/quagga/ospfsettings/toggleInterface/'
         });
-        $("#grid-prefixlists").UIBootgrid({
+        $("#{{formGridEditPrefixLists['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchPrefixlist',
             'get':'/api/quagga/ospfsettings/getPrefixlist/',
             'set':'/api/quagga/ospfsettings/setPrefixlist/',
@@ -75,7 +75,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/ospfsettings/delPrefixlist/',
             'toggle':'/api/quagga/ospfsettings/togglePrefixlist/'
         });
-        $("#grid-routemaps").UIBootgrid({
+        $("#{{formGridEditRouteMaps['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchRoutemap',
             'get':'/api/quagga/ospfsettings/getRoutemap/',
             'set':'/api/quagga/ospfsettings/setRoutemap/',
@@ -101,110 +101,19 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
     <!-- Tab: Networks -->
     <div id="networks" class="tab-pane fade in">
-      <table id="grid-networks" class="table table-responsive" data-editDialog="DialogEditNetwork">
-          <thead>
-              <tr>
-                  <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                  <th data-column-id="ipaddr" data-type="string" data-visible="true">{{ lang._('Network Address') }}</th>
-                  <th data-column-id="netmask" data-type="string" data-visible="true">{{ lang._('Mask') }}</th>
-                  <th data-column-id="area" data-type="string" data-visible="true">{{ lang._('Area') }}</th>
-                  <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                  <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-              </tr>
-          </thead>
-          <tbody>
-          </tbody>
-          <tfoot>
-              <tr>
-                  <td></td>
-                  <td>
-                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                  </td>
-              </tr>
-          </tfoot>
-      </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditNetwork)}}
     </div>
     <!-- Tab: Interfaces -->
     <div id="interfaces" class="tab-pane fade in">
-        <table id="grid-interfaces" class="table table-responsive" data-editDialog="DialogEditInterface">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="interfacename" data-type="string" data-visible="true">{{ lang._('Interface Name') }}</th>
-                    <th data-column-id="networktype" data-type="string" data-visible="true">{{ lang._('Network Type') }}</th>
-                    <th data-column-id="authtype" data-type="string" data-visible="true">{{ lang._('Authentication Type') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditInterface)}}
     </div>
     <!-- Tab: Prefixlists -->
     <div id="prefixlists" class="tab-pane fade in">
-        <table id="grid-prefixlists" class="table table-responsive" data-editDialog="DialogEditPrefixLists">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Sequence Number') }}</th>
-                    <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
-                    <th data-column-id="network" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Network') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditPrefixLists)}}
     </div>
     <!-- Tab: Routemaps -->
     <div id="routemaps" class="tab-pane fade in">
-        <table id="grid-routemaps" class="table table-responsive" data-editDialog="DialogEditRouteMaps">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="action" data-type="string" data-visible="true">{{ lang._('Action') }}</th>
-                    <th data-column-id="id" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
-                    <th data-column-id="match2" data-type="string" data-visible="true">{{ lang._('Prefix List') }}</th>
-                    <th data-column-id="set" data-type="string" data-visible="true">{{ lang._('Set') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditRouteMaps)}}
     </div>
 </div>
 
@@ -220,9 +129,12 @@ POSSIBILITY OF SUCH DAMAGE.
             ></button>
         </div>
     </div>
+    <div id="OSPFChangeMessage" class="alert alert-info" style="display: none" role="alert">
+        {{ lang._('After changing settings, please remember to apply them.') }}
+    </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':'DialogEditNetwork','label':lang._('Edit Network')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':'DialogEditInterface','label':lang._('Edit Interface')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':'DialogEditPrefixLists','label':lang._('Edit Prefix Lists')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditRouteMaps,'id':'DialogEditRouteMaps','label':lang._('Edit Route Maps')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':formGridEditNetwork['edit_dialog_id'],'label':lang._('Edit Network')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':formGridEditPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditRouteMaps,'id':formGridEditRouteMaps['edit_dialog_id'],'label':lang._('Edit Route Maps')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index d0749ac7cd..ecb1700332 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -46,7 +46,7 @@
             }
         });
 
-        $("#grid-networks").UIBootgrid({
+        $("#{{formGridEditNetwork['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchNetwork',
             'get':'/api/quagga/ospf6settings/getNetwork/',
             'set':'/api/quagga/ospf6settings/setNetwork/',
@@ -54,7 +54,7 @@
             'del':'/api/quagga/ospf6settings/delNetwork/',
             'toggle':'/api/quagga/ospf6settings/toggleNetwork/'
         });
-        $("#grid-interfaces").UIBootgrid({
+        $("#{{formGridEditInterface['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchInterface',
             'get':'/api/quagga/ospf6settings/getInterface/',
             'set':'/api/quagga/ospf6settings/setInterface/',
@@ -62,7 +62,7 @@
             'del':'/api/quagga/ospf6settings/delInterface/',
             'toggle':'/api/quagga/ospf6settings/toggleInterface/'
         });
-        $("#grid-prefixlists").UIBootgrid({
+        $("#{{formGridEditPrefixLists['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchPrefixlist',
             'get':'/api/quagga/ospf6settings/getPrefixlist/',
             'set':'/api/quagga/ospf6settings/setPrefixlist/',
@@ -70,7 +70,7 @@
             'del':'/api/quagga/ospf6settings/delPrefixlist/',
             'toggle':'/api/quagga/ospf6settings/togglePrefixlist/'
         });
-        $("#grid-routemaps").UIBootgrid({
+        $("#{{formGridEditRouteMaps['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchRoutemap',
             'get':'/api/quagga/ospf6settings/getRoutemap/',
             'set':'/api/quagga/ospf6settings/setRoutemap/',
@@ -101,122 +101,25 @@
     <li><a data-toggle="tab" href="#routemaps">{{ lang._('Route Maps') }}</a></li>
 </ul>
 <div class="tab-content content-box tab-content">
+    <!-- Tab: General -->
     <div id="general" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            {{ partial("layout_partials/base_form",['fields':ospf6Form,'id':'frm_ospf6_settings'])}}
-        </div>
+        {{ partial("layout_partials/base_form",['fields':ospf6Form,'id':'frm_ospf6_settings'])}}
     </div>
-
     <!-- Tab: Networks -->
     <div id="networks" class="tab-pane fade in">
-      <table id="grid-networks" class="table table-responsive" data-editDialog="DialogEditNetwork">
-          <thead>
-              <tr>
-                  <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                  <th data-column-id="ipaddr" data-type="string" data-visible="true">{{ lang._('Network Address') }}</th>
-                  <th data-column-id="netmask" data-type="string" data-visible="true">{{ lang._('Mask') }}</th>
-                  <th data-column-id="area" data-type="string" data-visible="true">{{ lang._('Area') }}</th>
-                  <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                  <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                  <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-              </tr>
-          </thead>
-          <tbody>
-          </tbody>
-          <tfoot>
-              <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-              </tr>
-          </tfoot>
-      </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditNetwork)}}
     </div>
-
     <!-- Tab: Interfaces -->
     <div id="interfaces" class="tab-pane fade in">
-        <table id="grid-interfaces" class="table table-responsive" data-editDialog="DialogEditInterface">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="interfacename" data-type="string" data-visible="true">{{ lang._('Interface Name') }}</th>
-                    <th data-column-id="area" data-type="string" data-visible="true">{{ lang._('Area') }}</th>
-                    <th data-column-id="networktype" data-type="string" data-visible="true">{{ lang._('Network Type') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-            </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditInterface)}}
     </div>
-
-    <!-- Tab: Prefix Lists -->
+    <!-- Tab: Prefixlists -->
     <div id="prefixlists" class="tab-pane fade in">
-        <table id="grid-prefixlists" class="table table-responsive" data-editDialog="DialogEditPrefixLists">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle" data-sortable="false">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="seqnumber" data-type="string" data-visible="true" data-sortable="true">{{ lang._('Sequence Number') }}</th>
-                    <th data-column-id="action" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Action') }}</th>
-                    <th data-column-id="network" data-type="string" data-visible="true" data-sortable="false">{{ lang._('Network') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditPrefixLists)}}
     </div>
-
-    <!-- Tab: Route Maps -->
+    <!-- Tab: Routemaps -->
     <div id="routemaps" class="tab-pane fade in">
-        <table id="grid-routemaps" class="table table-responsive" data-editDialog="DialogEditRouteMaps">
-            <thead>
-                <tr>
-                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
-                    <th data-column-id="action" data-type="string" data-visible="true">{{ lang._('Action') }}</th>
-                    <th data-column-id="id" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
-                    <th data-column-id="match2" data-type="string" data-visible="true">{{ lang._('Prefix List') }}</th>
-                    <th data-column-id="set" data-type="string" data-visible="true">{{ lang._('Set') }}</th>
-                    <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                    <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                    <td></td>
-                    <td>
-                        <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                        <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-                    </td>
-                </tr>
-            </tfoot>
-        </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditRouteMaps)}}
     </div>
 </div>
 
@@ -232,10 +135,12 @@
             ></button>
         </div>
     </div>
+    <div id="OSPF6ChangeMessage" class="alert alert-info" style="display: none" role="alert">
+        {{ lang._('After changing settings, please remember to apply them.') }}
+    </div>
 </section>
 
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':'DialogEditNetwork','label':lang._('Edit Network')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':'DialogEditInterface','label':lang._('Edit Interface')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':'DialogEditPrefixLists','label':lang._('Edit Prefix Lists')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditRouteMaps,'id':'DialogEditRouteMaps','label':lang._('Edit Route Maps')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':formGridEditNetwork['edit_dialog_id'],'label':lang._('Edit Network')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':formGridEditPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditRouteMaps,'id':formGridEditRouteMaps['edit_dialog_id'],'label':lang._('Edit Route Maps')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
index f699b7d2cd..c6ae4303a9 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
@@ -26,24 +26,23 @@
  #}
 
 <script>
-  $( document ).ready(function() {
-      let data_get_map = {'frm_static_settings':"/api/quagga/static/get"};
-      mapDataToFormUI(data_get_map).done(function(data){
-          formatTokenizersUI();
-          $('.selectpicker').selectpicker('refresh');
-          updateServiceControlUI('quagga');
-      });
+    $( document ).ready(function() {
+        mapDataToFormUI({'frm_static_settings': "/api/quagga/static/get"}).done(function(data){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('quagga');
+        });
 
-      $("#grid-iproutes").UIBootgrid({
-          'search':'/api/quagga/static/searchRoute',
-          'get':'/api/quagga/static/getRoute/',
-          'set':'/api/quagga/static/setRoute/',
-          'add':'/api/quagga/static/addRoute/',
-          'del':'/api/quagga/static/delRoute/',
-          'toggle':'/api/quagga/static/toggleRoute/'
-      });
+        $("#{{formGridEditSTATICRoute['table_id']}}").UIBootgrid({
+            'search':'/api/quagga/static/searchRoute',
+            'get':'/api/quagga/static/getRoute/',
+            'set':'/api/quagga/static/setRoute/',
+            'add':'/api/quagga/static/addRoute/',
+            'del':'/api/quagga/static/delRoute/',
+            'toggle':'/api/quagga/static/toggleRoute/'
+        });
 
-      $("#reconfigureAct").SimpleActionButton({
+        $("#reconfigureAct").SimpleActionButton({
             onPreAction: function() {
                 const dfObj = new $.Deferred();
                 saveFormToEndpoint("/api/quagga/static/set", 'frm_static_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
@@ -63,51 +62,32 @@
 </ul>
 
 <div class="tab-content content-box">
-    <!-- general settings  -->
+    <!-- Tab: General -->
     <div id="general"  class="tab-pane fade in active">
         {{ partial("layout_partials/base_form",['fields':staticForm,'id':'frm_static_settings'])}}
     </div>
     <!-- Tab: Routes -->
     <div id="iproute" class="tab-pane fade in">
-      <table id="grid-iproutes" class="table table-responsive" data-editDialog="DialogEditSTATICRoute">
-        <thead>
-          <tr>
-              <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-              <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-              <th data-column-id="network" data-type="string">{{ lang._('Network') }}</th>
-              <th data-column-id="gateway" data-type="string">{{ lang._('Gateway') }}</th>
-              <th data-column-id="interfacename" data-type="string">{{ lang._('Interface') }}</th>
-              <th data-column-id="commands" data-formatter="commands">{{ lang._('Commands') }}</th>
-          </tr>
-        </thead>
-        <tbody>
-        </tbody>
-        <tfoot>
-          <tr>
-            <td></td>
-            <td>
-              <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-              <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-          </tr>
-        </tfoot>
-      </table>
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditSTATICRoute)}}
     </div>
 </div>
 
 <section class="page-content-main">
-  <div class="content-box">
-      <div class="col-md-12">
-          <br/>
-          <button class="btn btn-primary" id="reconfigureAct"
-                  data-endpoint='/api/quagga/service/reconfigure'
-                  data-label="{{ lang._('Apply') }}"
-                  data-error-title="{{ lang._('Error reconfiguring STATIC') }}"
-                  type="button"
-          ></button>
-          <br/><br/>
-      </div>
-  </div>
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/quagga/service/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring STATIC') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+    <div id="STATICChangeMessage" class="alert alert-info" style="display: none" role="alert">
+        {{ lang._('After changing settings, please remember to apply them.') }}
+    </div>
 </section>
 
-{{ partial("layout_partials/base_dialog",['fields':formDialogEditSTATICRoute,'id':'DialogEditSTATICRoute','label':lang._('Edit Routes')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditSTATICRoute,'id':formGridEditSTATICRoute['edit_dialog_id'],'label':lang._('Edit Routes')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index d6bbb8d0fb..7235af5106 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -13,8 +13,7 @@ if helpers.exists('OPNsense.quagga.bfd.enabled') and OPNsense.quagga.bfd.enabled
 if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled == '1' %} bgpd{% endif %}{%
 if helpers.exists('OPNsense.quagga.ospf6.enabled') and OPNsense.quagga.ospf6.enabled == '1' %} ospf6d{% endif %}{%
 if helpers.exists('OPNsense.quagga.ripng.enabled') and OPNsense.quagga.ripng.enabled == '1' %} ripngd{% endif %}{%
-if helpers.exists('OPNsense.quagga.static.enabled') and OPNsense.quagga.static.enabled == '1' %} staticd{% endif %}{%
-if helpers.exists('OPNsense.quagga.isis.enabled') and OPNsense.quagga.isis.enabled == '1' %} isisd{% endif %}"
+if helpers.exists('OPNsense.quagga.static.enabled') and OPNsense.quagga.static.enabled == '1' %} staticd{% endif %}"
 frr_carp_demote="{%
     if not helpers.empty('OPNsense.quagga.ospf.carp_demote') %} ospfd{% endif %}{%
     if not helpers.empty('OPNsense.quagga.ospf6.carp_demote') %} ospf6d{% endif

From 49467c3d5d40c562647e9b0725abc8485c7a0a93 Mon Sep 17 00:00:00 2001
From: Tony An <anxuanzi@gmail.com>
Date: Wed, 29 Jan 2025 13:47:13 -0600
Subject: [PATCH 2333/3088] www/caddy: Include ClouDNS as DNS Provider (#4507)

---
 .../mvc/app/controllers/OPNsense/Caddy/forms/general.xml   | 6 +++---
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml   | 1 +
 .../opnsense/service/templates/OPNsense/Caddy/Caddyfile    | 2 +-
 .../service/templates/OPNsense/Caddy/includeDnsProvider    | 7 +++++++
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index ca6b843ecf..9d70fcafa2 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -108,19 +108,19 @@
             <id>caddy.general.TlsDnsApiKey</id>
             <label>API Field 1</label>
             <type>text</type>
-            <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token", Hetzner "api_token"]]></help>
+            <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token", Hetzner "api_token", ClouDNS "auth_id".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsSecretApiKey</id>
             <label>API Field 2</label>
             <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user".]]></help>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user", ClouDNS "auth_password".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField1</id>
             <label>API Field 3</label>
             <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "hosted_zone_id", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key".]]></help>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "hosted_zone_id", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key", ClouDNS "sub_auth_id".]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField2</id>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 49bd641f35..88b4853da1 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -61,6 +61,7 @@
                     <civo>Civo (optional)</civo>
                     <easydns>EasyDNS (optional)</easydns>
                     <hosttech>Hosttech (optional)</hosttech>
+                    <cloudns>ClouDNS (optional)</cloudns>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField"/>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 1e452f62c8..e81c23bc69 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -171,7 +171,7 @@
     # The same providers have to be added to "OPNsense/Caddy/includeDnsProvider", best in the same order as in this array for maintainability.
     # For a new provider to work, it has to be compiled into the caddy binary.
     #}
-    {% set dnsProviderSpecialConfig = ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136', 'dnsmadeeasy', 'civo', 'scaleway', 'acmeproxy', 'inwx', 'namedotcom', 'easydns', 'directadmin'] %}
+    {% set dnsProviderSpecialConfig = ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136', 'dnsmadeeasy', 'civo', 'scaleway', 'acmeproxy', 'inwx', 'namedotcom', 'easydns', 'directadmin', 'cloudns'] %}
 
     {# Conditionally add the dynamic_dns section, acmedns provider is special, it does not support dynamic_dns. #}
     {% if dnsProvider and dynDnsDomains|length > 0 and dnsProvider != "acmedns" %}
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
index 52b715a7e2..e771a66b74 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
@@ -183,4 +183,11 @@
     {% endif %}
     {% if dnsOptionalField2 %}insecure_requests {{ dnsOptionalField2 }}
     {% endif %}
+{% elif dnsProvider == 'cloudns' %}
+    {% if dnsApiKey %}auth_id {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}auth_password {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}sub_auth_id {{ dnsOptionalField1 }}
+    {% endif %}
 {% endif %}

From 32f3408f19f58e70c3153486ce24e2e1f9982922 Mon Sep 17 00:00:00 2001
From: SaarLAN-Pissbeutel
 <183202051+SaarLAN-Pissbeutel@users.noreply.github.com>
Date: Sun, 2 Feb 2025 13:33:51 +0100
Subject: [PATCH 2334/3088] dns/ddclient: Fix Netcup host/domain recognition
 (#4516)

* Fix ddclient netcup host/domain recognition

* Update dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py

Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com>

---------

Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com>
---
 .../src/opnsense/scripts/ddclient/lib/account/netcup.py        | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
index 9bb775c1e1..10322a6309 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py
@@ -64,7 +64,8 @@ def execute(self):
                 syslog.syslog(syslog.LOG_ERR, "Incomplete FQDN offerred %s" % self.settings['hostnames'])
                 return False
 
-            self.hostname, self.domain = self.settings['hostnames'].split('.', 1)
+            self.domain = self.settings['hostnames'].split('.', self.settings['hostnames'].count('.')-1)[-1]
+            self.hostname = self.settings['hostnames'].rsplit('.', 2)[0] if self.domain != self.settings['hostnames'] else '@'
 
             if self.settings['password'].count('|') == 1:
                 self.settings['APIPassword'], self.settings['APIKey'] = self.settings['password'].split('|')

From e9fc7c7974047870002883fe843f5f5065af9f2a Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 3 Feb 2025 21:18:33 +0100
Subject: [PATCH 2335/3088] www/caddy: Fix addHandleBtn and addDomainBtn,
 change data-width of reverseFilter (#4525)

---
 .../app/views/OPNsense/Caddy/reverse_proxy.volt    | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index f95594d214..cf3010b4e0 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -229,10 +229,10 @@
         // Add click event listener for "Add Handler" button
         $("#addHandleBtn").on("click", function() {
             if ($('#maintabs .active a').attr('href') === "#handlesTab") {
-                $("#addReverseHandleBtn").click();
+                $(`#{{formGridHandle['table_id']}} button[data-action="add"]`).click();
             } else {
-                $('#maintabs a[href="#handlesTab"]').tab('show').one('shown.bs.tab', function(e) {
-                    $("#addReverseHandleBtn").click();
+                $('#maintabs a[href="#handlesTab"]').tab('show').one('shown.bs.tab', function() {
+                    $(`#{{formGridHandle['table_id']}} button[data-action="add"]`).click();
                 });
             }
         });
@@ -240,10 +240,10 @@
         // Add click event listener for "Add Domain" button
         $("#addDomainBtn").on("click", function() {
             if ($('#maintabs .active a').attr('href') === "#domainsTab") {
-                $("#addReverseProxyBtn").click();
+                $(`#{{formGridReverseProxy['table_id']}} button[data-action="add"]`).click();
             } else {
-                $('#maintabs a[href="#domainsTab"]').tab('show').one('shown.bs.tab', function(e) {
-                    $("#addReverseProxyBtn").click();
+                $('#maintabs a[href="#domainsTab"]').tab('show').one('shown.bs.tab', function() {
+                    $(`#{{formGridReverseProxy['table_id']}} button[data-action="add"]`).click();
                 });
             }
         });
@@ -332,7 +332,7 @@
         </div>
         <!-- Selectpicker and Clear All on the right -->
         <div class="filter-actions" style="display: flex; flex-direction: column; align-items: flex-end;">
-            <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="348px" data-size="7" title="{{ lang._('Filter by Domain') }}">
+            <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="334px" data-size="7" title="{{ lang._('Filter by Domain') }}">
             </select>
             <a href="#" class="text-danger" id="clearDomains" style="margin-top: 5px;">
                 <i class="fa fa-times-circle"></i> <small>Clear All</small>

From b6b0cf292a831ca161b7facc3bb342a519751665 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Tue, 4 Feb 2025 17:44:51 +0100
Subject: [PATCH 2336/3088] Update crowdsec rule reference ($ -> <>); bump
 release (#4526)

---
 security/crowdsec/Makefile                                    | 3 +--
 security/crowdsec/pkg-descr                                   | 4 ++++
 security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc      | 4 ++--
 .../src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml | 2 +-
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index dad0bf60c5..7218bfb389 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.8
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.0.9
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index cb1429cf46..f7889b32dc 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,10 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.9
+
+ * Update rule reference ($ -> <>) for opnsense 25.1
+
 1.0.8
 
 * Enable use_wal, remove warning
diff --git a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
index 386bc73cac..a1c149a1cf 100644
--- a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
+++ b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
@@ -52,7 +52,7 @@ function crowdsec_firewall(Plugin $fw)
         array(
             'ipprotocol' => 'inet',
             'descr'      => 'CrowdSec (IPv4)',
-            'from'       => '$crowdsec_blacklists',     # $ to reference an alias
+            'from'       => '<crowdsec_blacklists>',
             'direction'  => 'in',
             'type'       => 'block',
             'log'        => $rules_log_enabled,
@@ -68,7 +68,7 @@ function crowdsec_firewall(Plugin $fw)
         array(
             'ipprotocol' => 'inet6',
             'descr'      => 'CrowdSec (IPv6)',
-            'from'       => '$crowdsec6_blacklists',    # $ to reference an alias
+            'from'       => '<crowdsec6_blacklists>',
             'direction'  => 'in',
             'type'       => 'block',
             'log'        => $rules_log_enabled,
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index f332b3b645..4208065f48 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.8</version>
+  <version>1.0.9</version>
   <items>
 
     <agent_enabled type="BooleanField">

From 6644d16b6b9def1c83f3d41b0462a0111136a439 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 5 Feb 2025 14:11:04 +0100
Subject: [PATCH 2337/3088] www/caddy: Add client_ip_headers (#4519)

* www/caddy: Add client_ip_headers for https://github.com/opnsense/plugins/issues/4517 , Rewrite copy_headers logic for https://github.com/opnsense/plugins/issues/4488 . Since headers are used in multiple parts of the configuration this creates a single point of truth to ease maintenance burden.

* www/caddy: Forgot to add general form options for https://github.com/opnsense/plugins/issues/4517

* www/caddy: Change directive name from AuthCopyHeaders to CopyHeaders since Field Type changed to empty it. The field was introduced in the prior version and optional, so impact low. Changelogs.

* www/caddy: Improve helptext for client_ip_headers feature
---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  7 +++
 .../OPNsense/Caddy/forms/general.xml          | 16 ++++++-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 43 ++++++++++---------
 .../templates/OPNsense/Caddy/Caddyfile        |  8 ++++
 .../OPNsense/Caddy/includeAuthProvider        | 37 +++++++++++-----
 6 files changed, 79 insertions(+), 34 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 0a03f12848..6c8288cf3c 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.8.1
+PLUGIN_VERSION=		1.8.2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index c9583ba431..0dfa6ca707 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,13 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.8.2
+
+* Add: client_ip_headers (opnsense/plugins/issues/4517)
+* Add: CloudDNS provider (opnsense/plugins/pull/4507)
+* Change: Generalize forward_auth copy_headers directive. Existing configuration from (issues/4488) will be emptied. (opnsense/plugins/pull/4519)
+* Fix: Shortcut buttons in reverse_proxy.volt (opnsense/plugins/pull/4525)
+
 1.8.1
 
 * Add: Optional "Authorization" header to forward_auth (opnsense/plugins/issues/4488)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 9d70fcafa2..573fbce1d6 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -58,6 +58,16 @@
             <type>dropdown</type>
             <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
         </field>
+        <field>
+            <id>caddy.general.ClientIpHeaders</id>
+            <label>Client IP Headers</label>
+            <type>dropdown</type>
+            <type>select_multiple</type>
+            <size>5</size>
+            <style>selectpicker</style>
+            <hint>X-Forwarded-For</hint>
+            <help><![CDATA[Select one or multiple headers to extract the real client IP. Headers can be added in "Reverse Proxy - Headers". As example, setting "X-Forwarded-For" and "Cf-Connecting-Ip" can extract the real client IP from Cloudflare.]]></help>
+        </field>
         <field>
             <id>caddy.general.GracePeriod</id>
             <label>Grace Period</label>
@@ -228,11 +238,13 @@
             <help><![CDATA[Enter the URI of the authz api endpoint.]]></help>
         </field>
         <field>
-            <id>caddy.general.AuthCopyHeaders</id>
+            <id>caddy.general.CopyHeaders</id>
             <label>Copy Headers</label>
+            <type>dropdown</type>
             <type>select_multiple</type>
+            <size>5</size>
             <style>selectpicker</style>
-            <help><![CDATA[If nothing is selected, the correct default headers for the chosen provider will be used. If you change the default, you must select the required headers manually. "copy_headers" is a list of HTTP header fields to copy from the response to the original request, when the request has a success status code.]]></help>
+            <help><![CDATA[Select headers to copy in addition to the default of the chosen provider. Headers can be added in "Reverse Proxy - Headers". As example, copying "Authorization" can pass Basic Auth credentials from the Auth Provider to the reverse proxied application.]]></help>
         </field>
     </tab>
     <activetab>general-settings</activetab>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 88b4853da1..7a851ce706 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.4</version>
+    <version>1.3.5</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -84,6 +84,17 @@
                     </reverseproxy>
                 </Model>
             </accesslist>
+            <ClientIpHeaders type="ModelRelationField">
+                <Model>
+                    <reverseproxy>
+                        <source>OPNsense.Caddy.Caddy</source>
+                        <items>reverseproxy.header</items>
+                        <display>HeaderType,description</display>
+                        <display_format>%s %s</display_format>
+                    </reverseproxy>
+                </Model>
+                <Multiple>Y</Multiple>
+            </ClientIpHeaders>
             <DisableSuperuser type="OptionField">
                 <Required>Y</Required>
                 <Default>0</Default>
@@ -168,27 +179,17 @@
                 <Mask>/^(\/.*)?$/u</Mask>
                 <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
             </AuthToUri>
-            <AuthCopyHeaders type="OptionField">
+            <CopyHeaders type="ModelRelationField">
+                <Model>
+                    <reverseproxy>
+                        <source>OPNsense.Caddy.Caddy</source>
+                        <items>reverseproxy.header</items>
+                        <display>HeaderType,description</display>
+                        <display_format>%s %s</display_format>
+                    </reverseproxy>
+                </Model>
                 <Multiple>Y</Multiple>
-                <OptionValues>
-                    <Authorization>Authorization</Authorization>
-                    <Remote-User>Remote-User</Remote-User>
-                    <Remote-Groups>Remote-Groups</Remote-Groups>
-                    <Remote-Name>Remote-Name</Remote-Name>
-                    <Remote-Email>Remote-Email</Remote-Email>
-                    <X-Authentik-Username>X-Authentik-Username</X-Authentik-Username>
-                    <X-Authentik-Groups>X-Authentik-Groups</X-Authentik-Groups>
-                    <X-Authentik-Email>X-Authentik-Email</X-Authentik-Email>
-                    <X-Authentik-Name>X-Authentik-Name</X-Authentik-Name>
-                    <X-Authentik-Uid>X-Authentik-Uid</X-Authentik-Uid>
-                    <X-Authentik-Jwt>X-Authentik-Jwt</X-Authentik-Jwt>
-                    <X-Authentik-Meta-Jwks>X-Authentik-Meta-Jwks</X-Authentik-Meta-Jwks>
-                    <X-Authentik-Meta-Outpost>X-Authentik-Meta-Outpost</X-Authentik-Meta-Outpost>
-                    <X-Authentik-Meta-Provider>X-Authentik-Meta-Provider</X-Authentik-Meta-Provider>
-                    <X-Authentik-Meta-App>X-Authentik-Meta-App</X-Authentik-Meta-App>
-                    <X-Authentik-Meta-Version>X-Authentik-Meta-Version</X-Authentik-Meta-Version>
-                </OptionValues>
-            </AuthCopyHeaders>
+            </CopyHeaders>
         </general>
         <reverseproxy>
             <reverse type="ArrayField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index e81c23bc69..afe9898087 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -85,6 +85,14 @@
         {% if accessList %}
             trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
         {% endif %}
+        {% if generalSettings.ClientIpHeaders %}
+            {% for header_uuid in generalSettings.ClientIpHeaders.split(',') %}
+                {% set header = helpers.toList('Pischem.caddy.reverseproxy.header') | selectattr('@uuid', 'equalto', header_uuid) | first %}
+                {% if header and header.HeaderType %}
+                    client_ip_headers {{ header.HeaderType }}
+                {% endif %}
+            {% endfor %}
+        {% endif %}
         {% if generalSettings.LogCredentials|default("0") == "1" %}
             log_credentials
         {% endif %}
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
index f179fc845f..1c6beb34b9 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeAuthProvider
@@ -7,16 +7,26 @@
     {% set is_ipv6 = (':' in generalSettings.AuthToDomain and generalSettings.AuthToDomain.count(':') >= 2) %}
     {% set auth_url = (generalSettings.AuthToTls|default("0") == "1" and 'https://' or 'http://') + (is_ipv6 and '[' or '') + generalSettings.AuthToDomain|default("") + (is_ipv6 and ']' or '') + (generalSettings.AuthToPort and ':' + generalSettings.AuthToPort or '') %}
 {% endif %}
+{% macro generate_copy_headers() %}
+    {% if generalSettings.CopyHeaders %}
+        {% for header_uuid in generalSettings.CopyHeaders.split(',') %}
+            {% set header = helpers.toList('Pischem.caddy.reverseproxy.header') | selectattr('@uuid', 'equalto', header_uuid) | first %}
+            {% if header and header.HeaderType %}
+                copy_headers {{ header.HeaderType }}
+            {% endif %}
+        {% endfor %}
+    {% endif %}
+{% endmacro %}
 {% if generalSettings.AuthProvider == 'authelia' %}
     forward_auth {{ auth_url }} {
     {% if generalSettings.AuthToUri %}
         uri {{ generalSettings.AuthToUri|default("") }}
     {% endif %}
-    {% if generalSettings.AuthCopyHeaders|default("") == "" %}
-        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
-    {% else %}
-        copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
-    {% endif %}
+        copy_headers Remote-User
+        copy_headers Remote-Groups
+        copy_headers Remote-Name
+        copy_headers Remote-Email
+        {{ generate_copy_headers() }}
     }
 {% elif generalSettings.AuthProvider == 'authentik' %}
     reverse_proxy /outpost.goauthentik.io/* {{ auth_url }} {
@@ -28,10 +38,17 @@
     {% if generalSettings.AuthToUri %}
         uri {{ generalSettings.AuthToUri|default("") }}
     {% endif %}
-    {% if generalSettings.AuthCopyHeaders|default("") == "" %}
-        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
-    {% else %}
-       copy_headers {{ generalSettings.AuthCopyHeaders.split(',') | join(' ') }}
-    {% endif %}
+        copy_headers X-Authentik-Username
+        copy_headers X-Authentik-Groups
+        copy_headers X-Authentik-Email
+        copy_headers X-Authentik-Name
+        copy_headers X-Authentik-Uid
+        copy_headers X-Authentik-Jwt
+        copy_headers X-Authentik-Meta-Jwks
+        copy_headers X-Authentik-Meta-Outpost
+        copy_headers X-Authentik-Meta-Provider
+        copy_headers X-Authentik-Meta-App
+        copy_headers X-Authentik-Meta-Version
+        {{ generate_copy_headers() }}
     }
 {% endif %}

From 44683ac25f9cedbd08f84e498d40c2337869af35 Mon Sep 17 00:00:00 2001
From: kulikov-a <kulikov.a@gmail.com>
Date: Sun, 9 Feb 2025 21:29:27 +0300
Subject: [PATCH 2338/3088] security/intrusion-detection-content-pt-open: new
 ruleset plugin (#4462)

---
 .../LICENSE                                   | 24 +++++++++++++++++++
 .../Makefile                                  |  6 +++++
 .../pkg-descr                                 | 12 ++++++++++
 .../suricata/metadata/rules/pt-open.xml       | 11 +++++++++
 4 files changed, 53 insertions(+)
 create mode 100644 security/intrusion-detection-content-pt-open/LICENSE
 create mode 100644 security/intrusion-detection-content-pt-open/Makefile
 create mode 100644 security/intrusion-detection-content-pt-open/pkg-descr
 create mode 100644 security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-open.xml

diff --git a/security/intrusion-detection-content-pt-open/LICENSE b/security/intrusion-detection-content-pt-open/LICENSE
new file mode 100644
index 0000000000..2274378454
--- /dev/null
+++ b/security/intrusion-detection-content-pt-open/LICENSE
@@ -0,0 +1,24 @@
+(C) 2024 JSC Positive Technologies. All rights reserved.
+
+Definitions
+
+“Program” refers to any copyrightable work (including rule sets for open source network threat detection engine Suricata) and associated documentation files licensed under this License, accessible at: https://rules.ptsecurity.com “License” means the terms of this license agreement which apply to the Program.
+“Licensee” refers to individuals or legal entities accessing and/or using the Program.
+“Modify” a work (part of the work) means to make any change, including translation of the Program from one language into another, except for adaptation.
+“Copyright holder” means JSС Positive Technologies as the holder of the exclusive right to the Program.
+
+Legal Usage
+
+The Licensee is hereby granted free of charge the rights to use, copy, publish, distribute, sublicense, and/or sell copies of the Program for non-commercial and commercial use subject to the following conditions:
+· The above copyright notice shall be included in all copies or substantial portions of the Program.
+· Neither the name of the Copyright holder nor the names of its contributors may be used to endorse or promote programs in which the Program was integrated without specific prior written permission.
+· Redistributions of the Program must retain the above copyright notice and the full text of the License.
+No permission is hereby granted to the Licensee to modify the Program and distribute the modified Program. However, for the avoidance of doubt, the Licensee is granted the right to integrate the original Program into other programs and distribute such programs.
+
+Applicable law
+
+This License is governed by the laws of the Russian Federation. The rules of the article 1286.1 of the Civil Code of the Russian Federation are applicable to this License.
+
+Disclaimer
+
+THIS PROGRAM IS PROVIDED BY THE COPYRIGHT HOLDER “AS IS”. UNDER NO CIRCUMSTANCES THE COPYRIGHT HOLDER IS LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES RESULTING FROM (I) THE LICENSEE'S USE OF THE PROGRAM; (II) THE LICENSEE'S INTERPRETATION AND APPLICATION OF ANY FILES, METHODS, OR ANY OTHER INFORMATION PROVIDED ON OR THROUGH THE PROGRAM; (III) THE FAILURE OF THE PROGRAM TO MEET THE LICENSEE'S EXPECTATIONS. IF, NOTWITHSTANDING THE OTHER PROVISIONS OF THIS LISENCE, THE COPYRIGHT HOLDER IS FORCED TO BEAR RESPONSIBILITY TO THE LICENSEE FOR ANY LOSSES RELATED TO THE LICENSEE'S USE OF THE PROGRAM, THE COPYRIGHT HOLDER’S LIABILITY SHALL IN NO CASE EXCEED THE EQUIVALENT OF 10 (TEN) U.S. DOLLARS.
diff --git a/security/intrusion-detection-content-pt-open/Makefile b/security/intrusion-detection-content-pt-open/Makefile
new file mode 100644
index 0000000000..6941de8be3
--- /dev/null
+++ b/security/intrusion-detection-content-pt-open/Makefile
@@ -0,0 +1,6 @@
+PLUGIN_NAME=		intrusion-detection-content-ptopen
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		IDS Positive Technologies ESC ruleset
+PLUGIN_MAINTAINER=	kulikov.a@gmail.com
+PLUGIN_WWW=		https://rules.ptsecurity.com
+.include "../../Mk/plugins.mk"
diff --git a/security/intrusion-detection-content-pt-open/pkg-descr b/security/intrusion-detection-content-pt-open/pkg-descr
new file mode 100644
index 0000000000..ee22fba6c0
--- /dev/null
+++ b/security/intrusion-detection-content-pt-open/pkg-descr
@@ -0,0 +1,12 @@
+IDS PT ESC open ruleset designed to detect a variety of network threats,
+including those communicated under TLS.
+PT Rules is an open-source project focused on enhancing network security
+through proactive threat detection. As the PT Expert Security Center attack
+detection team, we are a dedicated group of cybersecurity experts committed
+to improve network security through open-source initiatives.
+
+Don't forget to define the $DC_SERVERS rule-variable if you want to use the
+protection rules against DCShadow/DCSync attacks.
+
+LICENSE: https://rules.ptsecurity.com/view/LICENSE.txt
+WWW: https://rules.ptsecurity.com/
diff --git a/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-open.xml b/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-open.xml
new file mode 100644
index 0000000000..632c0bdf18
--- /dev/null
+++ b/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-open.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<ruleset documentation_url="https://rules.ptsecurity.com/">
+    <location url="https://rules.ptsecurity.com/files/ptopen.rules.tar.gz" prefix="PT open"/>
+    <files>
+        <file description="attacks" url="inline::rules/ptopen-attacks.rules">ptopen-attacks.rules</file>
+        <file description="info" url="inline::rules/ptopen-info.rules">ptopen-info.rules</file>
+        <file description="malware" url="inline::rules/ptopen-malware.rules">ptopen-malware.rules</file>
+        <file description="tools" url="inline::rules/ptopen-tools.rules">ptopen-tools.rules</file>
+        <file description="windows" url="inline::rules/ptopen-windows.rules">ptopen-windows.rules</file>
+    </files>
+</ruleset>

From 252e3ec84e51d47a7bb6cfe33dca52f1ae81bddf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 11 Feb 2025 11:43:16 +0100
Subject: [PATCH 2339/3088] dns/ddclient: new version now

---
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f52ee87b02..1d004d5588 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.26
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.27
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index c4aad2a2e9..3e91a0e2a1 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.27
+
+* Add support for altering IPv6 addresses in native backend (contributed by SaarLAN-Pissbeutel)
+* Fix Netcup host/domain recognition (contributed by SaarLAN-Pissbeutel)
+
 1.26
 
 * Add ddclient TTL configuration in Gandi and GoDaddy (contributed by David PHAM-VAN)

From f26a9c5ea839e61d9531e459777fe976270fccac Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 12 Feb 2025 09:01:30 +0100
Subject: [PATCH 2340/3088] README: sync

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index fcc3df8e32..de7ef15853 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,7 @@ security/crowdsec -- Lightweight and collaborative security engine
 security/etpro-telemetry -- ET Pro Telemetry Edition
 security/intrusion-detection-content-et-open -- IDS Proofpoint full ET open ruleset complementary subset for ET Pro Telemetry edition
 security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (needs a valid subscription)
+security/intrusion-detection-content-pt-open -- IDS Positive Technologies ESC ruleset
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
 security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client

From 8fbddef87906a0114963d90503674ffc24ce1c48 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 13 Feb 2025 11:05:56 +0100
Subject: [PATCH 2341/3088] net/frr: Use frr-reload instead of restarting the
 service on configuration changes (#4535)

* net/frr: Use frr-reload instead of restarting the service on configuration changes

* Update net/frr/Makefile

Co-authored-by: Franco Fichtner <franco@opnsense.org>

* net/frr: Add changelog

---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
---
 net/frr/Makefile                                          | 5 ++---
 net/frr/pkg-descr                                         | 8 ++++++++
 .../controllers/OPNsense/Quagga/Api/ServiceController.php | 6 ++++++
 .../opnsense/service/conf/actions.d/actions_quagga.conf   | 7 +++++++
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index a3813aca20..46155e8a8f 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.42
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.43
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
-PLUGIN_DEPENDS=		frr8
+PLUGIN_DEPENDS=		frr8-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 529a3b2c45..3341c9126b 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,14 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.43
+
+* Use frr-reload instead of restarting the service on configuration changes (opnsense/plugins/issues/4529)
+* Migrate separate daemon config files into single frr.conf file (opnsense/plugins/issues/4510)
+* Add help texts to all options and expose them in grid as columns (opnsense/plugins/pull/4494)
+* Replace deprecated passive-interface directive in ospf (opnsense/plugins/issues/4534)
+* Style cleanup and unify forms (opnsense/plugins/pull/4450)
+
 1.42
 
 * Fix updatesource not rendering when interface has been selected
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
index c62632492a..9ddce03578 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/ServiceController.php
@@ -41,4 +41,10 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/Quagga';
     protected static $internalServiceEnabled = 'enabled';
     protected static $internalServiceName = 'quagga';
+
+    protected function reconfigureForceRestart()
+    {
+        // frr can reload using frr-reload and frr8-pythontools
+        return 0;
+    }
 }
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 4c5079cafb..aa2e0b70bd 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -17,6 +17,13 @@ type:script
 message:restarting frr
 description:Restart FRR
 
+[reload]
+command:service frr reload
+parameters:
+type:script
+message:reloading frr
+description:Reload FRR
+
 [status]
 command:/usr/local/etc/rc.d/frr status; exit 0
 parameters:

From 7a72050636f37ba90547f0ff663df7608a008d69 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 13 Feb 2025 11:07:18 +0100
Subject: [PATCH 2342/3088] net/frr: Implement frr.conf file (#4528)

* net/frr: Implement frr.conf file, Part 1

* net/frr: Implement frr.conf file, Part 2

* net/frr: Implement frr.conf file, Part 3

* net/frr: Fix sa_policies.conf generation, include fix for passive interfaces https://github.com/opnsense/plugins/pull/4536, adjust comments
---
 .../templates/OPNsense/Quagga/+TARGETS        | 14 +---
 .../templates/OPNsense/Quagga/bfdd.conf       | 20 +----
 .../templates/OPNsense/Quagga/bgpd.conf       | 26 +-----
 .../templates/OPNsense/Quagga/frr.conf        |  8 ++
 .../templates/OPNsense/Quagga/ospf6d.conf     | 22 +----
 .../OPNsense/Quagga/ospf6d_carp.conf          |  1 +
 .../templates/OPNsense/Quagga/ospfd.conf      | 82 ++++++++-----------
 .../templates/OPNsense/Quagga/ospfd_carp.conf |  1 +
 .../templates/OPNsense/Quagga/ripd.conf       | 17 +---
 .../OPNsense/Quagga/sa_policies.conf          |  1 +
 .../templates/OPNsense/Quagga/staticd.conf    | 12 +--
 .../templates/OPNsense/Quagga/vtysh.conf      |  1 +
 .../templates/OPNsense/Quagga/zebra.conf      | 16 +---
 13 files changed, 58 insertions(+), 163 deletions(-)
 create mode 100644 net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr.conf

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
index 430e871671..9ee342bb4c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/+TARGETS
@@ -1,13 +1,7 @@
-bfdd.conf:/usr/local/etc/frr/bfdd.conf
-bgpd.conf:/usr/local/etc/frr/bgpd.conf
-ospfd.conf:/usr/local/etc/frr/ospfd.conf
-ospfd_carp.conf:/usr/local/etc/frr/ospfd_carp.conf
-ospf6d.conf:/usr/local/etc/frr/ospf6d.conf
-ospf6d_carp.conf:/usr/local/etc/frr/ospf6d_carp.conf
-ripd.conf:/usr/local/etc/frr/ripd.conf
-sa_policies.conf:/usr/local/etc/frr/sa_policies.conf
-staticd.conf:/usr/local/etc/frr/staticd.conf
 frr:/etc/rc.conf.d/frr
-zebra.conf:/usr/local/etc/frr/zebra.conf
+frr.conf:/usr/local/etc/frr/frr.conf
 vtysh.conf:/usr/local/etc/frr/vtysh.conf
+ospf6d_carp.conf:/usr/local/etc/frr/ospf6d_carp.conf
+ospfd_carp.conf:/usr/local/etc/frr/ospfd_carp.conf
+sa_policies.conf:/usr/local/etc/frr/sa_policies.conf
 syslog-ng-frr-events.conf:/usr/local/etc/syslog-ng.conf.d/frr-events.conf
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
index 235d5d9b79..e4e3d832c8 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
@@ -1,22 +1,5 @@
+{# included in frr.conf #}
 {% if helpers.exists('OPNsense.quagga.bfd.enabled') and OPNsense.quagga.bfd.enabled == '1' %}
-!
-! Zebra configuration saved from vty
-!   2017/03/03 20:21:04
-!
-{% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
-log syslog {{ OPNsense.quagga.general.sysloglevel }}
-{%   endif %}
-{%   if helpers.exists('OPNsense.quagga.general.profile') %}
-frr defaults {{ OPNsense.quagga.general.profile }}
-{%   endif %}
-{% endif %}
-!
-!
-!
-line vty
-!
-!
 bfd
 {%   if helpers.exists('OPNsense.quagga.bfd.neighbors.neighbor') %}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bfd.neighbors.neighbor') %}
@@ -25,5 +8,4 @@ bfd
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 4dbaaa487b..e560f3c25b 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -1,3 +1,4 @@
+{# included in frr.conf #}
 {% if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled == '1' %}
 {%   from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {%   set addressFamilies = ['ipv4', 'ipv6' ] %}
@@ -26,21 +27,6 @@
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
-! Zebra configuration saved from vty
-!   2017/03/03 20:21:04
-!
-{% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
-log syslog {{ OPNsense.quagga.general.sysloglevel }}
-{%   endif %}
-{%   if helpers.exists('OPNsense.quagga.general.profile') %}
-frr defaults {{ OPNsense.quagga.general.profile }}
-{%   endif %}
-{% endif %}
-!
-!
-!
 {% if helpers.exists('OPNsense.quagga.bgp.asnumber') and OPNsense.quagga.bgp.asnumber != '' %}
 router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%   if not helpers.empty('OPNsense.quagga.bgp.logneighborchanges') %}
@@ -220,7 +206,6 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     endif %}
 {%   endfor %}
  exit-address-family
-!
 {%  endfor %}
 
 {%   if helpers.exists('OPNsense.quagga.bgp.prefixlists.prefixlist') %}
@@ -228,13 +213,11 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%       if prefixlist.enabled == '1' and prefixlist.version == 'IPv4' %}
 ip prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixlist.action }} {{ prefixlist.network }}
 {%       endif %}
-!
 {%       if prefixlist.enabled == '1' and prefixlist.version == 'IPv6' %}
 ipv6 prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixlist.action }} {{ prefixlist.network }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
 {%   if helpers.exists('OPNsense.quagga.bgp.aspaths.aspath') %}
 {%     for aspath in helpers.sortDictList(OPNsense.quagga.bgp.aspaths.aspath, 'number' ) %}
 {%       if aspath.enabled == '1' %}
@@ -242,7 +225,6 @@ bgp as-path access-list {{ aspath.number }} {{ aspath.action }} {{ aspath.as }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
 {%   if helpers.exists('OPNsense.quagga.bgp.communitylists.communitylist') %}
 {%     for communitylist in helpers.sortDictList(OPNsense.quagga.bgp.communitylists.communitylist, 'number' ) %}
 {%       if communitylist.enabled == '1' %}
@@ -250,7 +232,6 @@ bgp community-list {{ communitylist.number }} seq {{ communitylist.seqnumber }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
 {%   if helpers.exists('OPNsense.quagga.bgp.routemaps.routemap') %}
 {%     for routemap in helpers.sortDictList(OPNsense.quagga.bgp.routemaps.routemap, 'name', 'id' ) %}
 {%       if routemap.enabled == '1' %}
@@ -290,13 +271,8 @@ route-map {{ routemap.name }} {{ routemap.action }} {{ routemap.id }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
 {% endif %}
-!
 {% if helpers.exists('OPNsense.quagga.bgpd.enabled') and OPNsense.quagga.general.enablesnmp == '1' %}
 agentx
 {% endif %}
-!
-line vty
-!
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr.conf
new file mode 100644
index 0000000000..b8da1a348f
--- /dev/null
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr.conf
@@ -0,0 +1,8 @@
+{# Main configuration file #}
+{% include "OPNsense/Quagga/zebra.conf" %}
+{% include "OPNsense/Quagga/ripd.conf" %}
+{% include "OPNsense/Quagga/ospfd.conf" %}
+{% include "OPNsense/Quagga/ospf6d.conf" %}
+{% include "OPNsense/Quagga/bgpd.conf" %}
+{% include "OPNsense/Quagga/bfdd.conf" %}
+{% include "OPNsense/Quagga/staticd.conf" %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index 3c066333ad..f581d001ab 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -1,26 +1,14 @@
+{# included in frr.conf #}
 {% macro cline(directive, modelname) -%}{% if modelname %}
   ipv6 ospf6 {{ directive }} {{ modelname }}
 {% endif %}{%- endmacro %}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {% if not helpers.empty('OPNsense.quagga.ospf6.enabled') %}
-!
-! Zebra configuration saved from vty
-!   2017/03/03 20:21:04
-!
 {% if helpers.exists('OPNsense.quagga.general') %}
-{%   if not helpers.empty('OPNsense.quagga.general.enablesyslog') %}
-log syslog {{ OPNsense.quagga.general.sysloglevel }}
-{%   endif %}
-{%   if helpers.exists('OPNsense.quagga.general.profile') %}
-frr defaults {{ OPNsense.quagga.general.profile }}
-{%   endif %}
 {%   if OPNsense.quagga.general.enablesnmp == '1' %}
 agentx
 {%   endif %}
 {% endif %}
-!
-!
-!
 {% for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
 {%   if interface.enabled == '1' %}
 interface {{ physical_interface(interface.interfacename) }}
@@ -38,10 +26,9 @@ interface {{ physical_interface(interface.interfacename) }}
 }}{{       cline("hello-interval",interface.hellointerval)
 }}{{       cline("priority",interface.priority)
 }}{{       cline("retransmit-interval",interface.retransmitinterval)
-}}!
+}}
 {%   endif %}
 {% endfor %}
-!
 router ospf6
 {% if not helpers.empty('OPNsense.quagga.ospf6.routerid') %}
  ospf6 router-id {{ OPNsense.quagga.ospf6.routerid }}
@@ -88,7 +75,6 @@ router ospf6
 {%     endif %}
 {%   endfor %}
 {% endif %}
-!
 {%   if helpers.exists('OPNsense.quagga.ospf6.prefixlists.prefixlist') %}
 {%     for prefixlist in helpers.sortDictList(OPNsense.quagga.ospf6.prefixlists.prefixlist, 'name', 'seqnumber' ) %}
 {%       if prefixlist.enabled == '1' %}
@@ -96,7 +82,6 @@ ipv6 prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixl
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
 {%   if helpers.exists('OPNsense.quagga.ospf6.routemaps.routemap') %}
 {%     for routemap in helpers.sortDictList(OPNsense.quagga.ospf6.routemaps.routemap, 'name', 'id' ) %}
 {%       if routemap.enabled == '1' %}
@@ -115,7 +100,4 @@ route-map {{ routemap.name }} {{ routemap.action }} {{ routemap.id }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
-line vty
-!
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d_carp.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d_carp.conf
index af3400036f..3d03df677f 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d_carp.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d_carp.conf
@@ -1,3 +1,4 @@
+{# consumed by ospf6d.py #}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {% if helpers.exists('OPNsense.quagga.ospf6.interfaces.interface') %}
 {%   for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index 03f648c2f1..b937c735bb 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -1,54 +1,51 @@
+{# included in frr.conf #}
 {% macro cline(directive, modelname) -%}{% if modelname %}
   ip ospf {{ directive }} {{ modelname }}
 {% endif %}{%- endmacro %}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {% if helpers.exists('OPNsense.quagga.ospf.enabled') and OPNsense.quagga.ospf.enabled == '1' %}
-!
-! Zebra configuration saved from vty
-!   2017/03/03 20:21:04
-!
 {% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
-log syslog {{ OPNsense.quagga.general.sysloglevel }}
-{%   endif %}
-{%   if helpers.exists('OPNsense.quagga.general.profile') %}
-frr defaults {{ OPNsense.quagga.general.profile }}
-{%   endif %}
 {%   if OPNsense.quagga.general.enablesnmp == '1' %}
 agentx
 {%   endif %}
 {% endif %}
-!
-!
-!
+{% set passive_interfaces = [] %}
+{% if helpers.exists('OPNsense.quagga.ospf.passiveinterfaces') and OPNsense.quagga.ospf.passiveinterfaces != '' %}
+{%     for line in OPNsense.quagga.ospf.passiveinterfaces.split(',') %}
+{%         set iface = physical_interface(line) %}
+{%         set _ = passive_interfaces.append(iface) %}
+interface {{ iface }}
+  ip ospf passive
+{%     endfor %}
+{% endif %}
+{# Render only the enabled non-passive interfaces past this point #}
 {% if helpers.exists('OPNsense.quagga.ospf.interfaces.interface') %}
-{%   for interface in helpers.toList('OPNsense.quagga.ospf.interfaces.interface') %}
-{%     if interface.enabled == '1' %}
-interface {{ physical_interface(interface.interfacename) }}
-{%        if interface.bfd|default('') == '1' %}
+{%     for interface in helpers.toList('OPNsense.quagga.ospf.interfaces.interface') %}
+{%         set iface = physical_interface(interface.interfacename) %}
+{%         if interface.enabled == '1' and iface not in passive_interfaces %}
+interface {{ iface }}
+{%             if interface.bfd|default('') == '1' %}
   ip ospf bfd
-{%        endif %}
-{% if interface.networktype %}
-{{       cline("network",interface.networktype)
-}}{% endif %}
-{% if interface.authtype and interface.authtype == 'message-digest'
-%}{{       cline("authentication",interface.authtype)
-}}{{       cline("message-digest-key " + interface.authkey_id + " md5",interface.authkey)
-}}{% elif interface.authtype and interface.authtype == 'plain'
-%}{{       cline("authentication",' ')
-}}{{       cline("authentication-key",interface.authkey)
-}}{% endif
-%}{{       cline("area",interface.area)
-}}{{       cline("cost",interface.cost)
-}}{{       cline("dead-interval",interface.deadinterval)
-}}{{       cline("hello-interval",interface.hellointerval)
-}}{{       cline("priority",interface.priority)
-}}{{       cline("retransmit-interval",interface.retransmitinterval)
-}}!
-{%     endif %}
-{%   endfor %}
+{%             endif %}
+{%             if interface.networktype %}
+  {{ cline("network", interface.networktype) }}
+{%             endif %}
+{%             if interface.authtype and interface.authtype == 'message-digest' %}
+  {{ cline("authentication", interface.authtype) }}
+  {{ cline("message-digest-key " + interface.authkey_id + " md5", interface.authkey) }}
+{%             elif interface.authtype and interface.authtype == 'plain' %}
+  {{ cline("authentication", ' ') }}
+  {{ cline("authentication-key", interface.authkey) }}
+{%             endif %}
+  {{ cline("area", interface.area) }}
+  {{ cline("cost", interface.cost) }}
+  {{ cline("dead-interval", interface.deadinterval) }}
+  {{ cline("hello-interval", interface.hellointerval) }}
+  {{ cline("priority", interface.priority) }}
+  {{ cline("retransmit-interval", interface.retransmitinterval) }}
+{%         endif %}
+{%     endfor %}
 {% endif %}
-!
 router ospf
 {% if helpers.exists('OPNsense.quagga.ospf.logadjacencychanges') and OPNsense.quagga.ospf.logadjacencychanges == '1' %}
  log-adjacency-changes
@@ -64,10 +61,6 @@ router ospf
 {% if helpers.exists('OPNsense.quagga.ospf.redistributemap') and OPNsense.quagga.ospf.redistributemap != '' %}{% set line = line + " route-map " + helpers.getUUID(OPNsense.quagga.ospf.redistributemap).name %}{% endif %}
  redistribute {{ line }}
 {% endfor %}{% endif %}
-{% if helpers.exists('OPNsense.quagga.ospf.passiveinterfaces') and OPNsense.quagga.ospf.passiveinterfaces != '' %}
-{% for line in OPNsense.quagga.ospf.passiveinterfaces.split(',') %}
- passive-interface {{ physical_interface(line) }}
-{% endfor %}{% endif %}
 {% if helpers.exists('OPNsense.quagga.ospf.networks.network') %}
 {%   for network in helpers.toList('OPNsense.quagga.ospf.networks.network') %}
 {%     if network.enabled == '1' %}
@@ -98,7 +91,6 @@ router ospf
  default-information originate{% if helpers.exists('OPNsense.quagga.ospf.originatealways') and OPNsense.quagga.ospf.originatealways == '1' %} always {% endif %}{% if helpers.exists('OPNsense.quagga.ospf.originatemetric') and OPNsense.quagga.ospf.originatemetric != '' %} metric {{ OPNsense.quagga.ospf.originatemetric }}{% endif %}
 
 {% endif %}
-!
 {%   if helpers.exists('OPNsense.quagga.ospf.prefixlists.prefixlist') %}
 {%     for prefixlist in helpers.sortDictList(OPNsense.quagga.ospf.prefixlists.prefixlist, 'name', 'seqnumber' ) %}
 {%       if prefixlist.enabled == '1' %}
@@ -106,7 +98,6 @@ ip prefix-list {{ prefixlist.name }} seq {{ prefixlist.seqnumber }} {{ prefixlis
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
 {%   if helpers.exists('OPNsense.quagga.ospf.routemaps.routemap') %}
 {%     for routemap in helpers.sortDictList(OPNsense.quagga.ospf.routemaps.routemap, 'name', 'id' ) %}
 {%       if routemap.enabled == '1' %}
@@ -125,7 +116,4 @@ route-map {{ routemap.name }} {{ routemap.action }} {{ routemap.id }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}
-!
-line vty
-!
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf
index 724d7cb3c1..d67fdde4a3 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd_carp.conf
@@ -1,3 +1,4 @@
+{# consumed by ospfd.py #}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
 {% if helpers.exists('OPNsense.quagga.ospf.interfaces.interface') %}
 {%   for interface in helpers.toList('OPNsense.quagga.ospf.interfaces.interface') %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
index 70532d4f1a..70d29a8359 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ripd.conf
@@ -1,18 +1,6 @@
+{# included in frr.conf #}
 {% if helpers.exists('OPNsense.quagga.rip.enabled') and OPNsense.quagga.rip.enabled == '1' %}
 {% from 'OPNsense/Macros/interface.macro' import physical_interface %}
-!
-! Zebra configuration saved from vty
-!   2017/03/26 22:40:16
-!
-{% if helpers.exists('OPNsense.quagga.general') %}
-{%   if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
-log syslog {{ OPNsense.quagga.general.sysloglevel }}
-{%   endif %}
-{%   if helpers.exists('OPNsense.quagga.general.profile') %}
-frr defaults {{ OPNsense.quagga.general.profile }}
-{%   endif %}
-{% endif %}
-!
 router rip
  version {{ OPNsense.quagga.rip.version }}
 {% if helpers.exists('OPNsense.quagga.rip.redistribute') and OPNsense.quagga.rip.redistribute != '' %}
@@ -31,7 +19,4 @@ router rip
 {% if helpers.exists('OPNsense.quagga.rip.defaultmetric') and OPNsense.quagga.rip.defaultmetric != '' %}
  default-metric {{ OPNsense.quagga.rip.defaultmetric }}
 {% endif %}
-!
-line vty
-!
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/sa_policies.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/sa_policies.conf
index bb1587cf3d..9f0df54223 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/sa_policies.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/sa_policies.conf
@@ -1,3 +1,4 @@
+{# consumed by scripts/frr/register_sas #}
 {% if helpers.exists('OPNsense.quagga.bgp.enabled') and OPNsense.quagga.bgp.enabled == '1' %}
 {%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') %}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
index 099a06ea72..fdff7d0f28 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
@@ -1,18 +1,8 @@
-!
-! staticd Zebra config autogenerated by OPNsense
-!
+{# included in frr.conf #}
 {% if not helpers.empty('OPNsense.quagga.static.enabled') %}
-{%    if not helpers.empty('OPNsense.quagga.general') %}
-log syslog {{ OPNsense.quagga.general.sysloglevel }}
-{%    endif %}
-{%    if not helpers.empty('OPNsense.quagga.general.profile') %}
-frr defaults {{ OPNsense.quagga.general.profile }}
-{%    endif %}
-!
 {%    for route in helpers.toList('OPNsense.quagga.static.routes.route') %}
 {%        if route.enabled == '1' %}
 {% if ':' in route.network %}ipv6{% else %}ip{% endif %} route {{ route.network }} {{ route.gateway|default('')}} {{ helpers.physical_interface(route.interfacename) }}
 {%        endif %}
 {%    endfor %}
-!
 {% endif %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/vtysh.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/vtysh.conf
index e69de29bb2..57d0b081de 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/vtysh.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/vtysh.conf
@@ -0,0 +1 @@
+{# file is empty on purpose since vtysh requires a configuration file to exist #}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
index fbc685f72b..1822f47f1f 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/zebra.conf
@@ -1,28 +1,14 @@
+{# included in frr.conf #}
 {% if helpers.exists('OPNsense.quagga.general') %}
-!
-! Zebra configuration saved from vty
-!   2017/03/03 20:21:04
-!
 {% if helpers.exists('OPNsense.quagga.general.profile') %}
 frr defaults {{ OPNsense.quagga.general.profile }}
 {% endif %}
 {% if helpers.exists('OPNsense.quagga.general.enablesyslog') and OPNsense.quagga.general.enablesyslog == '1' %}
 log syslog {{ OPNsense.quagga.general.sysloglevel }}
 {% endif %}
-!
-!
-!
-!
-!
 {% if OPNsense.quagga.general.enablesnmp == '1' %}
 agentx
 {% endif %}
-!
-!
 ip forwarding
 ipv6 forwarding
-!
-!
-line vty
-!
 {% endif %}

From f9dbcde25ec8f079189915a9d42ba60a846c2350 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 13 Feb 2025 11:08:30 +0100
Subject: [PATCH 2343/3088] net/frr: Integrate
 layout_partials/base_apply_button (#4542)

---
 .../OPNsense/Quagga/BfdController.php         |  2 +-
 .../OPNsense/Quagga/BgpController.php         | 12 +++++------
 .../OPNsense/Quagga/Ospf6Controller.php       |  8 ++++----
 .../OPNsense/Quagga/OspfController.php        |  8 ++++----
 .../OPNsense/Quagga/StaticController.php      |  2 +-
 .../mvc/app/views/OPNsense/Quagga/bfd.volt    | 20 +------------------
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    | 20 +------------------
 .../app/views/OPNsense/Quagga/general.volt    | 16 +--------------
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 19 +-----------------
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  | 19 +-----------------
 .../mvc/app/views/OPNsense/Quagga/rip.volt    | 16 +--------------
 .../mvc/app/views/OPNsense/Quagga/static.volt | 20 +------------------
 12 files changed, 23 insertions(+), 139 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
index 88d9582ba8..ddec80fac4 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BfdController.php
@@ -35,7 +35,7 @@ public function indexAction()
         $this->view->bfdForm = $this->getForm("bfd");
 
         $this->view->formDialogEditBFDNeighbor = $this->getForm("dialogEditBFDNeighbor");
-        $this->view->formGridEditBFDNeighbor = $this->getFormGrid("dialogEditBFDNeighbor", null, "BFDChangeMessage");
+        $this->view->formGridEditBFDNeighbor = $this->getFormGrid("dialogEditBFDNeighbor");
 
         $this->view->pick('OPNsense/Quagga/bfd');
     }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
index b31579b66d..1374be541d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
@@ -35,22 +35,22 @@ public function indexAction()
         $this->view->bgpForm = $this->getForm("bgp");
 
         $this->view->formDialogEditBGPNeighbor = $this->getForm("dialogEditBGPNeighbor");
-        $this->view->formGridEditBGPNeighbor = $this->getFormGrid("dialogEditBGPNeighbor", null, "BGPChangeMessage");
+        $this->view->formGridEditBGPNeighbor = $this->getFormGrid("dialogEditBGPNeighbor");
 
         $this->view->formDialogEditBGPASPaths = $this->getForm("dialogEditBGPASPath");
-        $this->view->formGridEditBGPASPaths = $this->getFormGrid("dialogEditBGPASPath", null, "BGPChangeMessage");
+        $this->view->formGridEditBGPASPaths = $this->getFormGrid("dialogEditBGPASPath");
 
         $this->view->formDialogEditBGPPrefixLists = $this->getForm("dialogEditBGPPrefixLists");
-        $this->view->formGridEditBGPPrefixLists = $this->getFormGrid("dialogEditBGPPrefixLists", null, "BGPChangeMessage");
+        $this->view->formGridEditBGPPrefixLists = $this->getFormGrid("dialogEditBGPPrefixLists");
 
         $this->view->formDialogEditBGPCommunityLists = $this->getForm("dialogEditBGPCommunityLists");
-        $this->view->formGridEditBGPCommunityLists = $this->getFormGrid("dialogEditBGPCommunityLists", null, "BGPChangeMessage");
+        $this->view->formGridEditBGPCommunityLists = $this->getFormGrid("dialogEditBGPCommunityLists");
 
         $this->view->formDialogEditBGPRouteMaps = $this->getForm("dialogEditBGPRouteMaps");
-        $this->view->formGridEditBGPRouteMaps = $this->getFormGrid("dialogEditBGPRouteMaps", null, "BGPChangeMessage");
+        $this->view->formGridEditBGPRouteMaps = $this->getFormGrid("dialogEditBGPRouteMaps");
 
         $this->view->formDialogEditBGPPeergroups = $this->getForm("dialogEditBGPPeergroups");
-        $this->view->formGridEditBGPPeergroups = $this->getFormGrid("dialogEditBGPPeergroups", null, "BGPChangeMessage");
+        $this->view->formGridEditBGPPeergroups = $this->getFormGrid("dialogEditBGPPeergroups");
 
         $this->view->pick('OPNsense/Quagga/bgp');
     }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
index 785c3c8279..107cafa782 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
@@ -32,16 +32,16 @@ public function indexAction()
         $this->view->ospf6Form = $this->getForm("ospf6");
 
         $this->view->formDialogEditNetwork = $this->getForm("dialogEditOSPF6Network");
-        $this->view->formGridEditNetwork = $this->getFormGrid("dialogEditOSPF6Network", null, "OSPF6ChangeMessage");
+        $this->view->formGridEditNetwork = $this->getFormGrid("dialogEditOSPF6Network");
 
         $this->view->formDialogEditInterface = $this->getForm("dialogEditOSPF6Interface");
-        $this->view->formGridEditInterface = $this->getFormGrid("dialogEditOSPF6Interface", null, "OSPF6ChangeMessage");
+        $this->view->formGridEditInterface = $this->getFormGrid("dialogEditOSPF6Interface");
 
         $this->view->formDialogEditPrefixLists = $this->getForm("dialogEditOSPF6PrefixLists");
-        $this->view->formGridEditPrefixLists = $this->getFormGrid("dialogEditOSPF6PrefixLists", null, "OSPF6ChangeMessage");
+        $this->view->formGridEditPrefixLists = $this->getFormGrid("dialogEditOSPF6PrefixLists");
 
         $this->view->formDialogEditRouteMaps = $this->getForm("dialogEditOSPF6RouteMaps");
-        $this->view->formGridEditRouteMaps = $this->getFormGrid("dialogEditOSPF6RouteMaps", null, "OSPF6ChangeMessage");
+        $this->view->formGridEditRouteMaps = $this->getFormGrid("dialogEditOSPF6RouteMaps");
 
         $this->view->pick('OPNsense/Quagga/ospf6');
     }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
index 3cfb380e67..0ab2f15881 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
@@ -35,16 +35,16 @@ public function indexAction()
         $this->view->generalForm = $this->getForm("ospf");
 
         $this->view->formDialogEditNetwork = $this->getForm("dialogEditOSPFNetwork");
-        $this->view->formGridEditNetwork = $this->getFormGrid("dialogEditOSPFNetwork", null, "OSPFChangeMessage");
+        $this->view->formGridEditNetwork = $this->getFormGrid("dialogEditOSPFNetwork");
 
         $this->view->formDialogEditInterface = $this->getForm("dialogEditOSPFInterface");
-        $this->view->formGridEditInterface = $this->getFormGrid("dialogEditOSPFInterface", null, "OSPFChangeMessage");
+        $this->view->formGridEditInterface = $this->getFormGrid("dialogEditOSPFInterface");
 
         $this->view->formDialogEditPrefixLists = $this->getForm("dialogEditOSPFPrefixLists");
-        $this->view->formGridEditPrefixLists = $this->getFormGrid("dialogEditOSPFPrefixLists", null, "OSPFChangeMessage");
+        $this->view->formGridEditPrefixLists = $this->getFormGrid("dialogEditOSPFPrefixLists");
 
         $this->view->formDialogEditRouteMaps = $this->getForm("dialogEditOSPFRouteMaps");
-        $this->view->formGridEditRouteMaps = $this->getFormGrid("dialogEditOSPFRouteMaps", null, "OSPFChangeMessage");
+        $this->view->formGridEditRouteMaps = $this->getFormGrid("dialogEditOSPFRouteMaps");
 
         $this->view->pick('OPNsense/Quagga/ospf');
     }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
index 11990134d5..07f3b796e6 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/StaticController.php
@@ -38,7 +38,7 @@ public function indexAction()
         $this->view->staticForm = $this->getForm("static");
 
         $this->view->formDialogEditSTATICRoute = $this->getForm("dialogEditSTATICRoute");
-        $this->view->formGridEditSTATICRoute = $this->getFormGrid("dialogEditSTATICRoute", null, "STATICChangeMessage");
+        $this->view->formGridEditSTATICRoute = $this->getFormGrid("dialogEditSTATICRoute");
 
         $this->view->pick('OPNsense/Quagga/static');
     }
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
index 5657ef9632..909fdaced3 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
@@ -74,23 +74,5 @@ POSSIBILITY OF SUCH DAMAGE.
         {{ partial('layout_partials/base_bootgrid_table', formGridEditBFDNeighbor)}}
     </div>
 </div>
-
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <br/>
-            <button class="btn btn-primary" id="reconfigureAct"
-                    data-endpoint='/api/quagga/service/reconfigure'
-                    data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring BFD') }}"
-                    type="button"
-            ></button>
-            <br/><br/>
-        </div>
-    </div>
-    <div id="BFDChangeMessage" class="alert alert-info" style="display: none" role="alert">
-        {{ lang._('After changing settings, please remember to apply them.') }}
-    </div>
-</section>
-
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBFDNeighbor,'id':formGridEditBFDNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index b456e7de9f..a1835c5981 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -138,25 +138,7 @@ POSSIBILITY OF SUCH DAMAGE.
         {{ partial('layout_partials/base_bootgrid_table', formGridEditBGPPeergroups)}}
     </div>
 </div>
-
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <br/>
-            <button class="btn btn-primary" id="reconfigureAct"
-                    data-endpoint='/api/quagga/service/reconfigure'
-                    data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring BGP') }}"
-                    type="button"
-            ></button>
-            <br/><br/>
-        </div>
-    </div>
-    <div id="BGPChangeMessage" class="alert alert-info" style="display: none" role="alert">
-        {{ lang._('After changing settings, please remember to apply them.') }}
-    </div>
-</section>
-
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPNeighbor,'id':formGridEditBGPNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPASPaths,'id':formGridEditBGPASPaths['edit_dialog_id'],'label':lang._('Edit AS Paths')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPrefixLists,'id':formGridEditBGPPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
index aacb7d557c..d6113799a3 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
@@ -51,18 +51,4 @@ POSSIBILITY OF SUCH DAMAGE.
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
 </div>
-
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <br/>
-            <button class="btn btn-primary" id="reconfigureAct"
-                    data-endpoint='/api/quagga/service/reconfigure'
-                    data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring BFD') }}"
-                    type="button"
-            ></button>
-            <br/><br/>
-        </div>
-    </div>
-</section>
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 34c581cc0c..fcdba3c814 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -116,24 +116,7 @@ POSSIBILITY OF SUCH DAMAGE.
         {{ partial('layout_partials/base_bootgrid_table', formGridEditRouteMaps)}}
     </div>
 </div>
-
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <button class="btn btn-primary __mb __mt" id="reconfigureAct"
-                data-endpoint='/api/quagga/service/reconfigure'
-                data-label="{{ lang._('Apply') }}"
-                data-error-title="{{ lang._('Error reconfiguring OSPFv3') }}"
-                data-service-widget="quagga"
-                type="button"
-            ></button>
-        </div>
-    </div>
-    <div id="OSPFChangeMessage" class="alert alert-info" style="display: none" role="alert">
-        {{ lang._('After changing settings, please remember to apply them.') }}
-    </div>
-</section>
-
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':formGridEditNetwork['edit_dialog_id'],'label':lang._('Edit Network')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':formGridEditPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index ecb1700332..0f67ec6322 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -122,24 +122,7 @@
         {{ partial('layout_partials/base_bootgrid_table', formGridEditRouteMaps)}}
     </div>
 </div>
-
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <button class="btn btn-primary __mb __mt" id="reconfigureAct"
-                data-endpoint='/api/quagga/service/reconfigure'
-                data-label="{{ lang._('Apply') }}"
-                data-error-title="{{ lang._('Error reconfiguring OSPFv3') }}"
-                data-service-widget="quagga"
-                type="button"
-            ></button>
-        </div>
-    </div>
-    <div id="OSPF6ChangeMessage" class="alert alert-info" style="display: none" role="alert">
-        {{ lang._('After changing settings, please remember to apply them.') }}
-    </div>
-</section>
-
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':formGridEditNetwork['edit_dialog_id'],'label':lang._('Edit Network')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':formGridEditPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
index 6e1c01c4c4..4434550201 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
@@ -51,18 +51,4 @@ POSSIBILITY OF SUCH DAMAGE.
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':ripForm,'id':'frm_rip_settings'])}}
 </div>
-
-<section class="page-content-main">
-  <div class="content-box">
-      <div class="col-md-12">
-          <br/>
-          <button class="btn btn-primary" id="reconfigureAct"
-                  data-endpoint='/api/quagga/service/reconfigure'
-                  data-label="{{ lang._('Apply') }}"
-                  data-error-title="{{ lang._('Error reconfiguring BFD') }}"
-                  type="button"
-          ></button>
-          <br/><br/>
-      </div>
-  </div>
-</section>
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
index c6ae4303a9..6227fed7eb 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
@@ -71,23 +71,5 @@
         {{ partial('layout_partials/base_bootgrid_table', formGridEditSTATICRoute)}}
     </div>
 </div>
-
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <br/>
-            <button class="btn btn-primary" id="reconfigureAct"
-                    data-endpoint='/api/quagga/service/reconfigure'
-                    data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring STATIC') }}"
-                    type="button"
-            ></button>
-            <br/><br/>
-        </div>
-    </div>
-    <div id="STATICChangeMessage" class="alert alert-info" style="display: none" role="alert">
-        {{ lang._('After changing settings, please remember to apply them.') }}
-    </div>
-</section>
-
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditSTATICRoute,'id':formGridEditSTATICRoute['edit_dialog_id'],'label':lang._('Edit Routes')])}}

From 087d848c18dbd11f9f409f7237ac162a804fced8 Mon Sep 17 00:00:00 2001
From: Stephan de Wit <stephan.de.wit@deciso.com>
Date: Mon, 17 Feb 2025 15:48:47 +0100
Subject: [PATCH 2344/3088] misc/themes: update css for chart.js v4

---
 .../themes/advanced/assets/stylesheets/dashboard.scss  |  9 +++++++++
 .../www/themes/advanced/build/css/dashboard.css        |  2 +-
 .../themes/cicada/assets/stylesheets/dashboard.scss    | 10 ++++++++++
 .../opnsense/www/themes/cicada/build/css/dashboard.css | 10 ++++++++++
 .../www/themes/rebellion/build/css/dashboard.css       | 10 ++++++++++
 .../themes/vicuna/assets/stylesheets/dashboard.scss    |  9 +++++++++
 .../opnsense/www/themes/vicuna/build/css/dashboard.css | 10 ++++++++++
 7 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
index af78a80af8..7a7d96579d 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
@@ -128,11 +128,20 @@ td {
     word-break: break-all;
 }
 
+.canvas-container-noaspectratio {
+    position: relative;
+}
 
 .canvas-container {
     position: relative;
 }
 
+.canvas-container > canvas {
+    /* ChartJS v4 workaround: https://github.com/chartjs/Chart.js/issues/11005 */
+    width: 100% !important;
+    height: 100% !important;
+}
+
 .cpu-canvas-container {
     display: flex;
     flex-direction: column;
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
index f140ce3411..947ca20757 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
@@ -1 +1 @@
-:root{--chart-js-background-color: #f7e2d6;--chart-js-border-color: #f6f6f6;--chart-js-font-color: #4b4b64}.btn-pressed,.btn-pressed:hover{color:white;background-color:#0086d9}#save-grid{position:relative;display:inline-flex;align-items:center;justify-content:center;width:50px;height:33px;margin-right:10px;transition:opacity 0.3s ease}#save-btn-text,#icon-container{position:absolute}#icon-container{display:inline-flex;align-items:center;justify-content:center}#save-spinner,#save-check{transition:opacity 0.3s ease, transform 0.3s ease}.transition-spinner,transition-check{transition:opacity 0.3s ease, transform 0.3s ease}.grid-stack-item-content{text-align:center;border:none !important;border-radius:0.5em 0.5em 0.5em 0.5em;background-color:#fff;box-shadow:0 2px 4px rgba(40,40,50,0.15),0 0 1px rgba(40,40,50,0.35)}.widget-error{margin:50px;color:#721c24}.widget-content{position:relative;width:100%;height:100%;padding:1px;cursor:grab}.widget-header{font-size:14px;display:flex;align-items:center;justify-content:space-between;margin-top:0.5em;margin-right:1em;margin-left:1em}.widget-spinner{margin-top:20px}.fa-stack.small{font-size:0.5em}.close-handle,.edit-handle{padding:.2rem .5rem;cursor:pointer;text-align:right;vertical-align:middle}.close-handle>i,.edit-handle>i{font-size:1.2rem !important}.widget-header-left{display:flex;align-items:center;flex:1;justify-content:flex-start}.widget-command-container{display:flex;align-items:center;flex:1;justify-content:flex-end}.widget-title{display:flex;align-items:center;justify-content:center}.panel-divider{width:100%;height:8px;margin-bottom:10px;text-align:center}.panel-divider .line{display:none}td{word-break:break-all}.canvas-container{position:relative}.cpu-canvas-container{display:flex;flex-direction:column}.smoothie-container{width:100%}.smoothie-chart-tooltip{font-size:13px;z-index:1;padding-right:15px;padding-left:15px;pointer-events:none;color:white;border-radius:0.5em 0.5em 0.5em 0.5em;background:rgba(50,50,50,0.9)}.flex-container{display:flex;flex-wrap:nowrap;white-space:nowrap}.gateway-info{font-size:13px;margin:5px;padding:5px}.gateway-detail-container{display:none;margin:5px}.interface-info{display:flex;align-items:center;flex-wrap:wrap;height:100%}.nowrap{flex-wrap:nowrap}.gateway-graph{display:none}.flex-container>.gateway-graph{font-size:13px}.vertical-center-row{display:inline;height:100%}.interfaces-info{font-size:.8rem;margin:5px}.interface-descr{font-size:1em;margin-left:.8em;cursor:pointer;text-decoration:underline}.interfaces-detail-container{display:none;margin:5px}.d-flex{display:flex}.d-flex>.justify-content-start{justify-content:start}.d-flex>.justify-content-end{justify-content:end}#chartjs-toolip{z-index:20}.cpu-type{margin-top:10px;margin-bottom:10px}div{box-sizing:border-box}.flextable-container{display:block;width:95%;max-width:1200px;margin:2em auto}.flextable-header{display:flex;flex-flow:row wrap;padding:0.5em 0.5em;transition:0.5s;border-top:solid 1px rgba(0,119,217,0.15) !important}.flextable-row{display:flex;align-items:center;flex-flow:row wrap;padding:0.5em 0.5em;transition:0.5s;border-top:solid 1px #e8eaef !important}.flextable-header .flex-cell{font-weight:bold}.flextable-row:hover{transition:500ms;background:#f5f5f5}.flex-cell{padding:4px 0;text-align:left;word-break:break-word}.column{display:flex;flex-flow:column wrap;width:50%;padding:0}.column .flex-cell{display:flex;flex-flow:row wrap;width:100%;padding:4px 0;border:0;border-top:#e8eaef}.column .flex-cell:hover{transition:500ms;background:#f5f5f5}.flex-subcell{width:100%;text-align:left}.column .flex-cell:not(:last-child){border-bottom:solid 1px #e8eaef !important}.grid-header-container{display:grid;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row{display:grid;transition:0.5s;opacity:0.4;border-top:1px solid #eff3f8;background-color:#d6e5f7;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row:hover{transition:500ms;background:#f5f5f5 !important}.grid-header{font-weight:bold;border-top:1px solid #eff3f8}.grid-item{padding:4px;text-align:center}.ovpn-common-name{display:flex;align-items:center;justify-content:center}
+:root{--chart-js-background-color: #f7e2d6;--chart-js-border-color: #f6f6f6;--chart-js-font-color: #4b4b64}.btn-pressed,.btn-pressed:hover{color:#fff;background-color:#0086d9}#save-grid{position:relative;display:inline-flex;align-items:center;justify-content:center;width:50px;height:33px;margin-right:10px;transition:opacity .3s ease}#save-btn-text,#icon-container{position:absolute}#icon-container{display:inline-flex;align-items:center;justify-content:center}#save-spinner,#save-check{transition:opacity .3s ease,transform .3s ease}.transition-spinner,transition-check{transition:opacity .3s ease,transform .3s ease}.grid-stack-item-content{text-align:center;border:none !important;border-radius:.5em .5em .5em .5em;background-color:#fff;box-shadow:0 2px 4px rgba(40,40,50,.15),0 0 1px rgba(40,40,50,.35)}.widget-error{margin:50px;color:#721c24}.widget-content{position:relative;width:100%;height:100%;padding:1px;cursor:grab}.widget-header{font-size:14px;display:flex;align-items:center;justify-content:space-between;margin-top:.5em;margin-right:1em;margin-left:1em}.widget-spinner{margin-top:20px}.fa-stack.small{font-size:.5em}.close-handle,.edit-handle{padding:.2rem .5rem;cursor:pointer;text-align:right;vertical-align:middle}.close-handle>i,.edit-handle>i{font-size:1.2rem !important}.widget-header-left{display:flex;align-items:center;flex:1;justify-content:flex-start}.widget-command-container{display:flex;align-items:center;flex:1;justify-content:flex-end}.widget-title{display:flex;align-items:center;justify-content:center}.panel-divider{width:100%;height:8px;margin-bottom:10px;text-align:center}.panel-divider .line{display:none}td{word-break:break-all}.canvas-container-noaspectratio{position:relative}.canvas-container{position:relative}.canvas-container>canvas{width:100% !important;height:100% !important}.cpu-canvas-container{display:flex;flex-direction:column}.smoothie-container{width:100%}.smoothie-chart-tooltip{font-size:13px;z-index:1;padding-right:15px;padding-left:15px;pointer-events:none;color:#fff;border-radius:.5em .5em .5em .5em;background:rgba(50,50,50,.9)}.flex-container{display:flex;flex-wrap:nowrap;white-space:nowrap}.gateway-info{font-size:13px;margin:5px;padding:5px}.gateway-detail-container{display:none;margin:5px}.interface-info{display:flex;align-items:center;flex-wrap:wrap;height:100%}.nowrap{flex-wrap:nowrap}.gateway-graph{display:none}.flex-container>.gateway-graph{font-size:13px}.vertical-center-row{display:inline;height:100%}.interfaces-info{font-size:.8rem;margin:5px}.interface-descr{font-size:1em;margin-left:.8em;cursor:pointer;text-decoration:underline}.interfaces-detail-container{display:none;margin:5px}.d-flex{display:flex}.d-flex>.justify-content-start{justify-content:start}.d-flex>.justify-content-end{justify-content:end}#chartjs-toolip{z-index:20}.cpu-type{margin-top:10px;margin-bottom:10px}div{box-sizing:border-box}.flextable-container{display:block;width:95%;max-width:1200px;margin:2em auto}.flextable-header{display:flex;flex-flow:row wrap;padding:.5em .5em;transition:.5s;border-top:solid 1px rgba(0,119,217,.15) !important}.flextable-row{display:flex;align-items:center;flex-flow:row wrap;padding:.5em .5em;transition:.5s;border-top:solid 1px #e8eaef !important}.flextable-header .flex-cell{font-weight:bold}.flextable-row:hover{transition:500ms;background:#f5f5f5}.flex-cell{padding:4px 0;text-align:left;word-break:break-word}.column{display:flex;flex-flow:column wrap;width:50%;padding:0}.column .flex-cell{display:flex;flex-flow:row wrap;width:100%;padding:4px 0;border:0;border-top:#e8eaef}.column .flex-cell:hover{transition:500ms;background:#f5f5f5}.flex-subcell{width:100%;text-align:left}.column .flex-cell:not(:last-child){border-bottom:solid 1px #e8eaef !important}.grid-header-container{display:grid;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row{display:grid;transition:.5s;opacity:.4;border-top:1px solid #eff3f8;background-color:#d6e5f7;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row:hover{transition:500ms;background:#f5f5f5 !important}.grid-header{font-weight:bold;border-top:1px solid #eff3f8}.grid-item{padding:4px;text-align:center}.ovpn-common-name{display:flex;align-items:center;justify-content:center}/*# sourceMappingURL=dashboard.css.map */
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
index 2eb8ea4d3c..88e6979879 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/dashboard.scss
@@ -84,10 +84,20 @@ td {
   margin: 5px;
 }
 
+.canvas-container-noaspectratio {
+  position: relative;
+}
+
 .canvas-container {
   position: relative;
 }
 
+.canvas-container > canvas {
+  /* ChartJS v4 workaround: https://github.com/chartjs/Chart.js/issues/11005 */
+  width: 100% !important;
+  height: 100% !important;
+}
+
 .cpu-canvas-container {
   display: flex;
   flex-direction: column;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
index 4725d9e073..7d784bb260 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/dashboard.css
@@ -79,10 +79,20 @@ td {
     margin: 5px;
 }
 
+.canvas-container-noaspectratio {
+    position: relative;
+}
+
 .canvas-container {
     position: relative;
 }
 
+.canvas-container > canvas {
+    /* ChartJS v4 workaround: https://github.com/chartjs/Chart.js/issues/11005 */
+    width: 100% !important;
+    height: 100% !important;
+}
+
 .cpu-canvas-container {
     display: flex;
     flex-direction: column;
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
index 9ada408359..d1b95c4292 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/dashboard.css
@@ -107,10 +107,20 @@ td {
     margin: 5px;
 }
 
+.canvas-container-noaspectratio {
+    position: relative;
+}
+
 .canvas-container {
     position: relative;
 }
 
+.canvas-container > canvas {
+    /* ChartJS v4 workaround: https://github.com/chartjs/Chart.js/issues/11005 */
+    width: 100% !important;
+    height: 100% !important;
+}
+
 .cpu-canvas-container {
     display: flex;
     flex-direction: column;
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
index 73c5374217..4d4066e9b0 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/dashboard.scss
@@ -84,10 +84,19 @@ td {
   margin: 5px;
 }
 
+.canvas-container-noaspectratio {
+  position: relative;
+}
+
 .canvas-container {
   position: relative;
 }
 
+.canvas-container > canvas {
+  /* ChartJS v4 workaround: https://github.com/chartjs/Chart.js/issues/11005 */
+  width: 100% !important;
+  height: 100% !important;
+}
 .cpu-canvas-container {
   display: flex;
   flex-direction: column;
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
index 62bc03c5ef..533397d12b 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/dashboard.css
@@ -79,10 +79,20 @@ td {
     margin: 5px;
 }
 
+.canvas-container-noaspectratio {
+    position: relative;
+}
+
 .canvas-container {
     position: relative;
 }
 
+.canvas-container > canvas {
+    /* ChartJS v4 workaround: https://github.com/chartjs/Chart.js/issues/11005 */
+    width: 100% !important;
+    height: 100% !important;
+}
+
 .cpu-canvas-container {
     display: flex;
     flex-direction: column;

From 7de5c626512d087a07bbae93df4438828b5e4a57 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 17 Feb 2025 17:03:17 +0100
Subject: [PATCH 2345/3088] net/frr: Delete per daemon and old watchfrr files
 (#4552)

* net/frr: Delete per daemon and old watchfrr files, this cleans up remains after the frr.conf migration.

Co-authored-by: Franco Fichtner <franco@opnsense.org>

---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
---
 net/frr/pkg-descr                         |  2 ++
 net/frr/src/opnsense/scripts/frr/setup.sh | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 3341c9126b..6a19f73797 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -16,9 +16,11 @@ Plugin Changelog
 
 * Use frr-reload instead of restarting the service on configuration changes (opnsense/plugins/issues/4529)
 * Migrate separate daemon config files into single frr.conf file (opnsense/plugins/issues/4510)
+* Delete per daemon and old watchfrr files (opnsense/plugins/issues/4551)
 * Add help texts to all options and expose them in grid as columns (opnsense/plugins/pull/4494)
 * Replace deprecated passive-interface directive in ospf (opnsense/plugins/issues/4534)
 * Style cleanup and unify forms (opnsense/plugins/pull/4450)
+* Implement base_apply_button (opnsense/plugins/pull/4542)
 
 1.42
 
diff --git a/net/frr/src/opnsense/scripts/frr/setup.sh b/net/frr/src/opnsense/scripts/frr/setup.sh
index f91e271fd3..bda37d2c33 100755
--- a/net/frr/src/opnsense/scripts/frr/setup.sh
+++ b/net/frr/src/opnsense/scripts/frr/setup.sh
@@ -21,3 +21,17 @@ chown $user:$group /var/log/frr.log
 
 # register Security Associations
 /usr/local/opnsense/scripts/frr/register_sas
+
+# delete stale configuration files from frr.conf migration
+files_to_delete="
+    /etc/rc.d/watchfrr
+    /usr/local/etc/frr/bfdd.conf
+    /usr/local/etc/frr/bgpd.conf
+    /usr/local/etc/frr/ospfd.conf
+    /usr/local/etc/frr/ospf6d.conf
+    /usr/local/etc/frr/ripd.conf
+    /usr/local/etc/frr/staticd.conf
+    /usr/local/etc/frr/zebra.conf
+"
+
+rm -f $files_to_delete

From c58ba1498e658872ec6e449f1d04c5d67d454bbf Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 19 Feb 2025 10:32:44 +0100
Subject: [PATCH 2346/3088] net/ndproxy: Adjust helptext of downlink interface
 (#4553)

* net/ndproxy: Adjust helptext of downlink interface

* Update net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml

Co-authored-by: Franco Fichtner <franco@opnsense.org>

* Update net/ndproxy/Makefile

Co-authored-by: Franco Fichtner <franco@opnsense.org>

---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
---
 .../mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml
index 09f6ed144f..2075466263 100644
--- a/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml
+++ b/net/ndproxy/src/opnsense/mvc/app/controllers/OPNsense/Ndproxy/forms/general.xml
@@ -19,7 +19,7 @@
         <id>ndproxy.general.ndproxy_downlink_mac_address</id>
         <label>Downlink MAC Address</label>
         <type>text</type>
-        <help><![CDATA[Enter the MAC address of the downlink interface that will distribute the external IPv6 prefix of the upstream interface. Usually, this is the LAN interface.]]></help>
+        <help><![CDATA[Enter the MAC address of the downlink interface. Usually, this is the WAN interface. When ndproxy runs on the same router that distributes the IPv6 prefix, uplink and downlink interfaces are identical.]]></help>
     </field>
     <field>
         <id>ndproxy.general.ndproxy_uplink_ipv6_addresses</id>

From c875ba91201bf06d2e0abecd03983655d3d29a89 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 19 Feb 2025 15:53:54 +0100
Subject: [PATCH 2347/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index f750997c05..809895dc03 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.8
+PLUGIN_VERSION=		4.9
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 5d07a9eae6..9a3c8d0133 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.9
+
+Added:
+* Add support for Scaleway DNS API (#4492)
+
 4.8
 
 BREAKING CHANGE: Let's Encrypt ends support for the OCSP Must Staple

From 58c646121f2babb6f66ac47e2fb63c869af9924f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 21 Feb 2025 09:01:15 +0100
Subject: [PATCH 2348/3088] dns/rfc2136: drop last old code widget

---
 .../src/www/widgets/include/rfc2136.inc       |   4 -
 .../www/widgets/widgets/rfc2136.widget.php    | 156 ------------------
 2 files changed, 160 deletions(-)
 delete mode 100644 dns/rfc2136/src/www/widgets/include/rfc2136.inc
 delete mode 100644 dns/rfc2136/src/www/widgets/widgets/rfc2136.widget.php

diff --git a/dns/rfc2136/src/www/widgets/include/rfc2136.inc b/dns/rfc2136/src/www/widgets/include/rfc2136.inc
deleted file mode 100644
index c143db6dd7..0000000000
--- a/dns/rfc2136/src/www/widgets/include/rfc2136.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-<?php
-
-$rfc2136_title = gettext('RFC 2136');
-$rfc2136_title_link = 'services_rfc2136.php';
diff --git a/dns/rfc2136/src/www/widgets/widgets/rfc2136.widget.php b/dns/rfc2136/src/www/widgets/widgets/rfc2136.widget.php
deleted file mode 100644
index 0c2d57611b..0000000000
--- a/dns/rfc2136/src/www/widgets/widgets/rfc2136.widget.php
+++ /dev/null
@@ -1,156 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2017 Franco Fichtner <franco@opnsense.org>
- * Copyright (C) 2014-2016 Deciso B.V.
- * Copyright (C) 2008 Ermal Luçi
- * Copyright (C) 2013 Stanley P. Miller \ stan-qaz
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once("guiconfig.inc");
-require_once("widgets/include/rfc2136.inc");
-require_once("interfaces.inc");
-require_once("plugins.inc.d/rfc2136.inc");
-
-$a_rfc2136 = &config_read_array('dnsupdates', 'dnsupdate');
-
-if (!empty($_REQUEST['getrfc2136status'])) {
-    $first_entry = true;
-    foreach ($a_rfc2136 as $rfc2136) {
-        if ($first_entry) {
-            $first_entry = false;
-        } else {
-            // Put a vertical bar delimiter between the echoed HTML for each entry processed.
-            echo '|';
-        }
-
-        $filename = rfc2136_cache_file($rfc2136, 4);
-        $fdata = '';
-        if (!empty($rfc2136['enable']) && (empty($rfc2136['recordtype']) || $rfc2136['recordtype'] == 'A') && file_exists($filename)) {
-            $ipaddr = get_rfc2136_ip_address($rfc2136['interface'], 4);
-            $fdata = @file_get_contents($filename);
-        }
-
-        $filename_v6 = rfc2136_cache_file($rfc2136, 6);
-        $fdata6 = '';
-        if (!empty($rfc2136['enable']) && (empty($rfc2136['recordtype']) || $rfc2136['recordtype'] == 'AAAA') && file_exists($filename_v6)) {
-            $ipv6addr = get_rfc2136_ip_address($rfc2136['interface'], 6);
-            $fdata6 = @file_get_contents($filename_v6);
-        }
-
-        if (!empty($fdata)) {
-            $cached_ip_s = explode('|', $fdata);
-            $cached_ip = $cached_ip_s[0];
-            echo sprintf(
-                'IPv4: <font color="%s">%s</font>',
-                $ipaddr != $cached_ip ? 'red' : 'green',
-                htmlspecialchars($cached_ip)
-            );
-        } else {
-            echo 'IPv4: ' . gettext('N/A');
-        }
-
-        echo '<br />';
-
-        if (!empty($fdata6)) {
-            $cached_ipv6_s = explode('|', $fdata6);
-            $cached_ipv6 = $cached_ipv6_s[0];
-            echo sprintf(
-                'IPv6: <font color="%s">%s</font>',
-                $ipv6addr != $cached_ipv6 ? 'red' : 'green',
-                htmlspecialchars($cached_ipv6)
-            );
-        } else {
-            echo 'IPv6: ' . gettext('N/A');
-        }
-    }
-    exit;
-}
-
-?>
-
-<table class="table table-striped table-condensed">
-  <thead>
-    <tr>
-      <th style="word-break:break-word;"><?=gettext("Interface");?></th>
-      <th style="word-break:break-word;"><?=gettext("Server");?></th>
-      <th style="word-break:break-word;"><?=gettext("Hostname");?></th>
-      <th style="word-break:break-word;"><?=gettext("Cached IP");?></th>
-    </tr>
-  </thead>
-  <tbody>
-<?php
-  $iflist = get_configured_interface_with_descr();
-  foreach ($a_rfc2136 as $i => $rfc2136) :?>
-    <tr ondblclick="document.location='services_rfc2136_edit.php?id=<?=$i;?>'">
-      <td style="word-break:break-word;" <?= isset($rfc2136['enable']) ? '' : 'class="text-muted"' ?>>
-<?php
-        foreach ($iflist as $if => $ifdesc) {
-            if ($rfc2136['interface'] == $if) {
-                echo "{$ifdesc}";
-                break;
-            }
-        }?>
-      </td>
-      <td style="word-break:break-word;" <?= isset($rfc2136['enable']) ? '' : 'class="text-muted"' ?>>
-        <?= htmlspecialchars($rfc2136['server']) ?>
-      </td>
-      <td style="word-break:break-word;" <?= isset($rfc2136['enable']) ? '' : 'class="text-muted"' ?>>
-        <?= htmlspecialchars($rfc2136['host']) ?>
-      </td>
-      <td style="word-break:break-word;" <?= isset($rfc2136['enable']) ? '' : 'class="text-muted"' ?>>
-        <div id='rfc2136status<?=$i;?>'>
-          <?= gettext('Checking...') ?>
-        </div>
-      </td>
-    </tr>
-<?php
-  endforeach;?>
-  </tbody>
-</table>
-<script>
-  function rfc2136_getstatus()
-  {
-      scroll(0,0);
-      var url = "/widgets/widgets/rfc2136.widget.php";
-      var pars = 'getrfc2136status=yes';
-      jQuery.ajax(url, {type: 'get', data: pars, complete: rfc2136callback});
-      // Refresh the status every 5 minutes
-      setTimeout('rfc2136_getstatus()', 5*60*1000);
-  }
-  function rfc2136callback(transport)
-  {
-      // The server returns a string of statuses separated by vertical bars
-      var responseStrings = transport.responseText.split("|");
-      for (var count=0; count<responseStrings.length; count++) {
-          var divlabel = '#rfc2136status' + count;
-          jQuery(divlabel).prop('innerHTML',responseStrings[count]);
-      }
-  }
-  $(window).on("load", function() {
-    // Do the first status check 2 seconds after the dashboard opens
-    setTimeout('rfc2136_getstatus()', 2000);
-  });
-</script>

From 8dc6460052e1d229a7b83755b12c59b7ff526df4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Tue, 25 Feb 2025 20:02:41 +0000
Subject: [PATCH 2349/3088] sysutils/sftp-backup : add sftp backup connector
 (#4563)

Add a simple backup option using secure copy (sftp).

Easy to use with any unix/linux target server offering ssh services. Just add a public key to `~/.ssh/authorized_keys`  (`~` = users home directory), upload a matching private key and set the remote location (for example `sftp://root@192.168.1.1//root/test_backup`)

[ssh-keygen](https://man.openbsd.org/ssh-keygen.1) can be used to generate a keypair.
---
 sysutils/sftp-backup/Makefile                 |   7 +
 sysutils/sftp-backup/pkg-descr                |   3 +
 .../mvc/app/library/OPNsense/Backup/Sftp.php  | 269 ++++++++++++++++++
 .../models/OPNsense/Backup/SftpSettings.php   |  39 +++
 .../models/OPNsense/Backup/SftpSettings.xml   |  52 ++++
 5 files changed, 370 insertions(+)
 create mode 100644 sysutils/sftp-backup/Makefile
 create mode 100644 sysutils/sftp-backup/pkg-descr
 create mode 100644 sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
 create mode 100644 sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.php
 create mode 100644 sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml

diff --git a/sysutils/sftp-backup/Makefile b/sysutils/sftp-backup/Makefile
new file mode 100644
index 0000000000..918b74903f
--- /dev/null
+++ b/sysutils/sftp-backup/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		sftp-backup
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		Backup configurations using sftp
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		2
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/sftp-backup/pkg-descr b/sysutils/sftp-backup/pkg-descr
new file mode 100644
index 0000000000..f9dcd53e91
--- /dev/null
+++ b/sysutils/sftp-backup/pkg-descr
@@ -0,0 +1,3 @@
+This package adds a backup option using sftp (secure copy).
+
+Due to the sensitive nature of the data being send to the backup, we strongly advise to not use a public service to send backups to.
diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
new file mode 100644
index 0000000000..5c49ac0080
--- /dev/null
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -0,0 +1,269 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Backup;
+
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
+use OPNsense\Core\File;
+use OPNsense\Backup\SftpSettings;
+
+/**
+ * Class Sftp backup
+ * @package OPNsense\Backup
+ */
+class Sftp extends Base implements IBackupProvider
+{
+    private $model = null;
+
+    public function __construct()
+    {
+        $this->model = new SftpSettings();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getConfigurationFields()
+    {
+        $fields = [
+           [
+                "name" => "enabled",
+                "type" => "checkbox",
+                "label" => gettext("Enable"),
+                "value" => null
+           ],
+           [
+                "name" => "url",
+                "type" => "text",
+                "label" => gettext("URL"),
+                "help" => gettext(
+                    "Target location, specified as uri, e.g. sftp://user@my.host.at.domain[:port]//path/to/backup"
+                ),
+                "value" => null
+           ],
+           [
+                "name" => "privkey",
+                "type" => "passwordarea",
+                "label" => gettext("SSH private key"),
+                "help" => gettext("The private key used to setup the connection."),
+                "value" => null
+           ],
+           [
+                "name" => "backupcount",
+                "type" => "text",
+                "label" => gettext("Backup Count"),
+                "value" => null
+           ],
+           [
+                "name" => "password",
+                "type" => "password",
+                "label" => gettext("Encrypt Password"),
+                "value" => null
+           ],
+           [
+                "name" => "passwordconfirm",
+                "type" => "password",
+                "label" => gettext("Confirm"),
+                "value" => null
+           ]
+        ];
+        foreach ($fields as &$field) {
+            if ($field['name'] == 'passwordconfirm') {
+                $field['value'] = (string)$this->model->getNodeByReference('password');
+            } else {
+                $field['value'] = (string)$this->model->getNodeByReference($field['name']);
+            }
+        }
+        return $fields;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function getName()
+    {
+        return gettext("sftp");
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function setConfiguration($conf)
+    {
+        $this->setModelProperties($this->model, $conf);
+        $validation_messages = $this->validateModel($this->model);
+        if ($conf['passwordconfirm'] != $conf['password']) {
+            $validation_messages[] = gettext("The supplied 'Password' and 'Confirm' field values must match.");
+        }
+        if (empty($validation_messages)) {
+            $this->model->serializeToConfig();
+            Config::getInstance()->save();
+        }
+        return $validation_messages;
+    }
+
+    /**
+     * sftp command
+     * @param string $sftpcmd command to execute
+     * @return array [stdout|stderr|exit_status]
+     */
+    private function sftpCmd($sftpcmd)
+    {
+        $cmd = [
+            '/usr/local/bin/sftp',
+            '-o StrictHostKeyChecking=accept-new',
+            '-o PasswordAuthentication=no',
+            '-o ChallengeResponseAuthentication=no',
+            '-i ' . $this->getIdentity(),
+            escapeshellarg($this->model->url)
+        ];
+
+        $result = ['exit_status' => -1, 'stderr' => '', 'stdout' => ''];
+        $process = proc_open(
+            implode(' ', $cmd),
+            [["pipe", "r"], ["pipe", "w"], ["pipe", "w"]],
+            $pipes
+        );
+        if (is_resource($process)) {
+            fwrite($pipes[0], $sftpcmd);
+            fclose($pipes[0]);
+            $result['stdout'] = stream_get_contents($pipes[1]);
+            fclose($pipes[1]);
+            $result['stderr'] = stream_get_contents($pipes[2]);
+            fclose($pipes[2]);
+            $result['exit_status'] = proc_close($process);
+        }
+        if ($result['exit_status'] !== 0) {
+            /* always throw on non zero exit status */
+            syslog(LOG_ERR, "sftp-backup error (" . str_replace("\n", " ", $result['stderr']) . ")");
+            throw new \Exception($result['stderr']);
+        }
+        return $result;
+    }
+
+    /**
+     * @return identity file, create new when non existent
+     */
+    private function getIdentity()
+    {
+        $confdir = "/conf/backup/sftp";
+        $identfile = $confdir . '/identity';
+        if (!is_dir($confdir)) {
+            mkdir($confdir);
+        }
+        if (!is_file($identfile) || file_get_contents($identfile) != $this->model->privkey) {
+            File::file_put_contents($identfile, $this->model->privkey, 0600);
+        }
+        return $identfile;
+    }
+
+    /**
+     * @return list of files on remote location
+     */
+    private function ls($pattern='')
+    {
+        $result = [];
+        foreach (explode("\n", $this->sftpCmd('ls -lnt '. $pattern)['stdout']) as $line) {
+            $parts = preg_split('/\s+/', $line, -1, PREG_SPLIT_NO_EMPTY);
+            if (count($parts) >= 7) {
+                $result[] = $parts[count($parts)-1];
+            }
+        }
+        return $result;
+    }
+
+    /**
+     * @param string $source filename
+     * @param string $destination filename
+     */
+    private function put($source, $destination)
+    {
+        $this->sftpCmd(sprintf('put %s %s', $source, $destination));
+    }
+
+    /**
+     * @param string $filename
+     */
+    private function del($filename)
+    {
+        $this->sftpCmd(sprintf('rm %s', $filename));
+    }
+
+    /**
+     * @return array filelist
+     */
+    public function backup()
+    {
+        if ($this->model->enabled->isEmpty()) {
+            /* disabled */
+            return;
+        }
+        /**
+         * Collect most recent backup, since /conf/backup/ always contains the latests, we can use the filename
+         * for easy comparison.
+         **/
+        $all_backups = glob('/conf/backup/config-*.xml');
+        $most_recent = $all_backups[count($all_backups) - 1];
+        $confdata = file_get_contents($most_recent);
+        if (!$this->model->password->isEmpty()) {
+            $confdata = $this->encrypt($confdata, (string)$this->model->password);
+        }
+        /* backup filename when not already on remote location */
+        $remote_backups = $this->ls('config-*.xml');
+        $target_filename = basename($most_recent);
+        if (!in_array($target_filename, $remote_backups)) {
+            syslog(LOG_NOTICE, "backup configuration as " . $target_filename);
+            $tmpfilename = sprintf("/conf/backup/sftp/%s", $target_filename);
+            File::file_put_contents($tmpfilename, $confdata, 0600);
+            $this->put($tmpfilename, $target_filename);
+            unlink($tmpfilename);
+            $remote_backups = $this->ls('config-*.xml');
+        }
+        /* cleanup */
+        rsort($remote_backups);
+        if (count($remote_backups) > (int)$this->model->backupcount->getCurrentValue()) {
+            for ($i = $this->model->backupcount->getCurrentValue() ; $i < count($remote_backups); $i++) {
+                $this->del($remote_backups[$i]);
+            }
+            $remote_backups = $this->ls('config-*.xml');
+        }
+
+        return $remote_backups;
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function isEnabled()
+    {
+        return !$this->model->enabled->isEmpty();
+    }
+}
diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.php b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.php
new file mode 100644
index 0000000000..4cad4acf76
--- /dev/null
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Backup;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class SftpSettings
+ * @package Backup
+ */
+class SftpSettings extends BaseModel
+{
+}
diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
new file mode 100644
index 0000000000..a6f5397f0b
--- /dev/null
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
@@ -0,0 +1,52 @@
+<model>
+    <mount>//system/backup/sftp</mount>
+    <version>1.0.0</version>
+    <description>OPNsense sftp Backup Settings</description>
+    <items>
+        <enabled type="BooleanField">
+          <Default>0</Default>
+          <Required>Y</Required>
+          <Constraints>
+              <check001>
+                  <reference>privkey.check001</reference>
+              </check001>
+              <check002>
+                  <reference>url.check001</reference>
+              </check002>
+          </Constraints>
+        </enabled>
+        <url type="TextField">
+            <Required>N</Required>
+            <mask>/^((sftp))?:\/\/.*[^\/]$/</mask>
+            <ValidationMessage>A valid location must be provided.</ValidationMessage>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>A backup location (url) is required.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
+        </url>
+        <privkey type="TextField">
+            <Required>N</Required>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>A private key is required.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
+        </privkey>
+        <password type="TextField"/>
+        <passwordconfirm type="TextField" volatile="true"/>
+        <backupcount type="IntegerField">
+            <Default>60</Default>
+            <Require>Y</Require>
+            <MinimumValue>1</MinimumValue>
+        </backupcount>
+    </items>
+</model>

From 5453f4eaff8a8058cebd64b5f7eba10e7c6ea406 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 27 Feb 2025 10:32:30 +0100
Subject: [PATCH 2350/3088] misc/theme-advanced: bump revision

---
 misc/theme-advanced/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/misc/theme-advanced/Makefile b/misc/theme-advanced/Makefile
index d8fabc971b..a784ed7a50 100644
--- a/misc/theme-advanced/Makefile
+++ b/misc/theme-advanced/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-advanced
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		OPNsense theme based on AdvancedTomato GUI
 PLUGIN_MAINTAINER=	jacky@prahec.com
 PLUGIN_WWW=		https://prahec.com/

From 50a77335c8300de2e0dcc254f0c720cd18ff1919 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 27 Feb 2025 10:34:32 +0100
Subject: [PATCH 2351/3088] misc/theme-cicada: bump revision

---
 misc/theme-cicada/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 7835483758..bb86392603 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.38
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes

From 1187c33b389b5676835f150023b18de70dd24482 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 27 Feb 2025 10:35:29 +0100
Subject: [PATCH 2352/3088] misc/theme-rebellion: bump revision

---
 misc/theme-rebellion/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index c1628de989..4059bd27e5 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-rebellion
 PLUGIN_VERSION=		1.9.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	martin@queens-park.com
 PLUGIN_NO_ABI=		yes

From a2a83a5b0d79061be58c8987d7faae2added100a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 27 Feb 2025 10:36:16 +0100
Subject: [PATCH 2353/3088] misc/theme-vicuna: bump revision

---
 misc/theme-vicuna/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index d05a700232..f5fa4eaf10 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-vicuna
 PLUGIN_VERSION=		1.48
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes

From 428d6b6822731acc42549ac5b5bb4752b5182bfa Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 22 Jan 2025 12:09:25 +0100
Subject: [PATCH 2354/3088] new plugin: net/turnserver, closes #4473

based on devel/helloworld plugin
---
 net/turnserver/Makefile                       |   7 +
 net/turnserver/pkg-descr                      |   4 +
 .../src/etc/inc/plugins.inc.d/turnserver.inc  |  71 ++++++++++
 .../Turnserver/Api/ServiceController.php      |  42 ++++++
 .../Turnserver/Api/SettingsController.php     |  44 ++++++
 .../OPNsense/Turnserver/IndexController.php   |  47 +++++++
 .../OPNsense/Turnserver/forms/settings.xml    | 127 ++++++++++++++++++
 .../models/OPNsense/Turnserver/ACL/ACL.xml    |   9 ++
 .../models/OPNsense/Turnserver/Menu/Menu.xml  |   5 +
 .../models/OPNsense/Turnserver/Turnserver.php |  53 ++++++++
 .../models/OPNsense/Turnserver/Turnserver.xml |  97 +++++++++++++
 .../app/views/OPNsense/Turnserver/index.volt  |  57 ++++++++
 .../OPNsense/Turnserver/export_certs.php      |  61 +++++++++
 .../scripts/OPNsense/Turnserver/setup.sh      |   3 +
 .../conf/actions.d/actions_turnserver.conf    |  26 ++++
 .../templates/OPNsense/Turnserver/+TARGETS    |   2 +
 .../templates/OPNsense/Turnserver/rc.conf.d   |   5 +
 .../OPNsense/Turnserver/turnserver.conf       |  60 +++++++++
 18 files changed, 720 insertions(+)
 create mode 100644 net/turnserver/Makefile
 create mode 100644 net/turnserver/pkg-descr
 create mode 100644 net/turnserver/src/etc/inc/plugins.inc.d/turnserver.inc
 create mode 100644 net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/ServiceController.php
 create mode 100644 net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/SettingsController.php
 create mode 100644 net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/IndexController.php
 create mode 100644 net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
 create mode 100644 net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
 create mode 100644 net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
 create mode 100644 net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.php
 create mode 100644 net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
 create mode 100644 net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
 create mode 100755 net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
 create mode 100755 net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh
 create mode 100644 net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
 create mode 100644 net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/+TARGETS
 create mode 100644 net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
 create mode 100644 net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf

diff --git a/net/turnserver/Makefile b/net/turnserver/Makefile
new file mode 100644
index 0000000000..dfe3b1ce6e
--- /dev/null
+++ b/net/turnserver/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		turnserver
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		The coturn STUN/TURN Server
+PLUGIN_DEPENDS=		turnserver
+PLUGIN_MAINTAINER=	opnsense@moov.de
+
+.include "../../Mk/plugins.mk"
diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
new file mode 100644
index 0000000000..f801217423
--- /dev/null
+++ b/net/turnserver/pkg-descr
@@ -0,0 +1,4 @@
+Coturn is a free open source implementation of TURN and STUN Server.
+The TURN Server is a VoIP media traffic NAT traversal server and gateway.
+
+WWW: https://github.com/coturn/coturn
diff --git a/net/turnserver/src/etc/inc/plugins.inc.d/turnserver.inc b/net/turnserver/src/etc/inc/plugins.inc.d/turnserver.inc
new file mode 100644
index 0000000000..26757713ba
--- /dev/null
+++ b/net/turnserver/src/etc/inc/plugins.inc.d/turnserver.inc
@@ -0,0 +1,71 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function turnserver_enabled()
+{
+    global $config;
+
+    return isset($config['OPNsense']['turnserver']['settings']['Enabled']) &&
+    $config['OPNsense']['turnserver']['settings']['Enabled'] == 1;
+}
+
+/**
+ *  register legacy service
+ * @return array
+ */
+function turnserver_services()
+{
+    $services = array();
+
+    if (!turnserver_enabled()) {
+        return $services;
+    }
+
+    $services[] = array(
+        'description' => gettext('coturn STUN/TURN Server'),
+        'pidfile' => '/var/run/turnserver.pid',
+        'configd' => array(
+            'restart' => array('turnserver restart'),
+            'start' => array('turnserver start'),
+            'stop' => array('turnserver stop'),
+        ),
+        'name' => 'turnserver',
+    );
+
+    return $services;
+}
+
+function turnserver_xmlrpc_sync()
+{
+    $result = array();
+    $result['id'] = 'turnserver';
+    $result['section'] = 'OPNsense.turnserver';
+    $result['description'] = gettext('coturn STUN/TURN Server');
+    $result['services'] = ['turnserver'];
+    return array($result);
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/ServiceController.php b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/ServiceController.php
new file mode 100644
index 0000000000..3973ff2e60
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/ServiceController.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Turnserver\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Turnserver\Turnserver';
+    protected static $internalServiceTemplate = 'OPNsense/Turnserver';
+    protected static $internalServiceEnabled = 'settings.Enabled';
+    protected static $internalServiceName = 'turnserver';
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/SettingsController.php b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/SettingsController.php
new file mode 100644
index 0000000000..e489777643
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/SettingsController.php
@@ -0,0 +1,44 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    Copyright (C) 2015-2019 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Turnserver\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+/**
+ * Class SettingsController Handles settings related API actions
+ * @package OPNsense\Turnserver
+ */
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = 'OPNsense\Turnserver\Turnserver';
+    protected static $internalModelName = 'turnserver';
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/IndexController.php b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/IndexController.php
new file mode 100644
index 0000000000..e709b4c228
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/IndexController.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Turnserver;
+
+/**
+ * Class IndexController
+ * @package OPNsense\Turnserver
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // pick the template to serve
+        $this->view->pick('OPNsense/Turnserver/index');
+        // fetch form data
+        $this->view->settingsForm = $this->getForm("settings");
+    }
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
new file mode 100644
index 0000000000..37f6633cb3
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
@@ -0,0 +1,127 @@
+<form>
+    <field>
+        <label>General Settings</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.Enabled</id>
+        <label>Enable Service</label>
+        <type>checkbox</type>
+        <help>Enable the Turnserver service</help>
+    </field>
+    <field>
+        <id>turnserver.settings.ListenIP</id>
+        <label>Listen IPs</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help><![CDATA[Listener IP address of relay server. Multiple listeners can be specified. Use 0.0.0.0 or :: to listen on all IPv4 or IPv6 addresses respectively.]]></help>
+    </field>
+    <field>
+        <id>turnserver.settings.ListenPort</id>
+        <label>Listen Port</label>
+        <type>text</type>
+        <help>TURN listener port for UDP and TCP (Default: 3478). NOTE: Do NOT set this to 80 or 443 when listening on all IPs, this may block access to the OPNsense WebUI.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.MinPort</id>
+        <label>Min UDP Port</label>
+        <type>text</type>
+        <help>Lower bound of the UDP relay endpoints (Default: 49152).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.MaxPort</id>
+        <label>Max UDP Port</label>
+        <type>text</type>
+        <help>Upper bound of the UDP relay endpoints (Default: 65535).</help>
+    </field>
+    <field>
+        <label>TLS Support</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.TlsEnabled</id>
+        <label>Enable TLS</label>
+        <type>checkbox</type>
+        <help>Enable TLS/DTLS support. This requires a valid TLS certificate.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.TlsCertificate</id>
+        <label>TLS Certificate</label>
+        <type>dropdown</type>
+        <style>style_tls</style>
+        <help>Select a valid TLS certificate.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.TlsPort</id>
+        <label>TLS Port</label>
+        <type>text</type>
+        <help>TURN listener port for TLS (Default: 5349). NOTE: Do NOT set this to 80 or 443 when listening on all IPs, this may block access to the OPNsense WebUI.</help>
+    </field>
+    <field>
+        <label>Security</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.UseAuthSecret</id>
+        <label>Use Auth Secret</label>
+        <type>checkbox</type>
+        <help>This sets a special authorization option that is based upon authentication secret. Enables TURN REST API.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.StaticAuthSecret</id>
+        <label>Auth Secret</label>
+        <type>password</type>
+        <help>The authentication secret value for TURN REST API. It is recommended to use a long random string, at least 32 characters long.</help>
+    </field>
+    <field>
+        <label>Features</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.Realm</id>
+        <label>Realm</label>
+        <type>text</type>
+        <help>The default realm to be used for the users. Must be used with TURN REST API. A good choice may be the domain name of the company.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.FingerprintsEnabled</id>
+        <label>Enable Fingerprints</label>
+        <type>checkbox</type>
+        <help>Use fingerprints in the TURN messages.</help>
+    </field>
+    <field>
+        <label>Tuning</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.UserQuota</id>
+        <label>User Quota</label>
+        <type>text</type>
+        <help>Per-user allocation quota. Default value is 0 (no quota, unlimited number of sessions per user).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.TotalQuota</id>
+        <label>Total Quota</label>
+        <type>text</type>
+        <help>Total allocation quota. Default value is 0 (no quota).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.StaleNonce</id>
+        <label>Stale Nonce Lifetime</label>
+        <type>text</type>
+        <help>Limit the nonce lifetime (in seconds) for extra security. Default value is 600 secs (10 minutes).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.ChannelLifetime</id>
+        <label>Channel Lifetime</label>
+        <type>text</type>
+        <help>The lifetime for the channel (in seconds). Default value is 600 secs (10 minutes).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.PermissionLifetime</id>
+        <label>Permission Lifetime</label>
+        <type>text</type>
+        <help>The permission lifetime (in seconds). Default value is 300 secs (5 minutes).</help>
+    </field>
+</form>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
new file mode 100644
index 0000000000..2fa8a37a6d
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-turnserver>
+        <name>Services: Turnserver</name>
+        <patterns>
+            <pattern>ui/turnserver/*</pattern>
+            <pattern>api/turnserver/*</pattern>
+        </patterns>
+    </page-services-turnserver>
+</acl>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
new file mode 100644
index 0000000000..8b40dc89a1
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
@@ -0,0 +1,5 @@
+<menu>
+    <Services>
+        <Turnserver VisibleName="Turnserver" cssClass="fa fa-comment-o fa-fw" url="/ui/turnserver"/>
+    </Services>
+</menu>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.php b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.php
new file mode 100644
index 0000000000..3d004cb77d
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.php
@@ -0,0 +1,53 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Turnserver;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class Turnserver
+ * @package OPNsense\Turnserver
+ */
+class Turnserver extends BaseModel
+{
+    /**
+     * check if module is enabled
+     * @return bool is the Turnserver service enabled
+     */
+    public function isEnabled()
+    {
+        if ((string)$this->settings->enabled === "1") {
+            return true;
+        }
+        return false;
+    }
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
new file mode 100644
index 0000000000..1acae266f7
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
@@ -0,0 +1,97 @@
+<model>
+    <mount>//OPNsense/turnserver</mount>
+    <version>1.0.0</version>
+    <description>The coturn STUN/TURN Server</description>
+    <items>
+        <settings>
+            <Enabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </Enabled>
+            <ListenIP type="NetworkField">
+                <default>127.0.0.1</default>
+                <FieldSeparator>,</FieldSeparator>
+                <asList>Y</asList>
+                <Required>Y</Required>
+            </ListenIP>
+            <ListenPort type="PortField">
+                <Default>3478</Default>
+                <Required>Y</Required>
+            </ListenPort>
+            <MinPort type="PortField">
+                <Default>49152</Default>
+                <Required>Y</Required>
+            </MinPort>
+            <MaxPort type="PortField">
+                <Default>65535</Default>
+                <Required>Y</Required>
+            </MaxPort>
+            <TlsEnabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </TlsEnabled>
+            <TlsCertificate type="CertificateField">
+                <Required>N</Required>
+                <Multiple>N</Multiple>
+                <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
+            </TlsCertificate>
+            <TlsPort type="PortField">
+                <Default>5349</Default>
+                <Required>Y</Required>
+            </TlsPort>
+            <UseAuthSecret type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </UseAuthSecret>
+            <StaticAuthSecret type="TextField">
+                <Required>N</Required>
+                <mask>/^.{16,128}$/u</mask>
+                <ValidationMessage>Should be a string between 16 and 128 characters.</ValidationMessage>
+            </StaticAuthSecret>
+            <Realm type="TextField">
+                <Required>N</Required>
+                <mask>/^.{1,128}$/u</mask>
+                <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
+            </Realm>
+            <FingerprintsEnabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </FingerprintsEnabled>
+            <UserQuota type="IntegerField">
+                <default>0</default>
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 0 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </UserQuota>
+            <TotalQuota type="IntegerField">
+                <default>0</default>
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 0 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </TotalQuota>
+            <StaleNonce type="IntegerField">
+                <default>600</default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </StaleNonce>
+            <ChannelLifetime type="IntegerField">
+                <default>600</default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </ChannelLifetime>
+            <PermissionLifetime type="IntegerField">
+                <default>300</default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </PermissionLifetime>
+        </settings>
+    </items>
+</model>
diff --git a/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt b/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
new file mode 100644
index 0000000000..950b9d7685
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
@@ -0,0 +1,57 @@
+{#
+
+Copyright (C) 2025 Frank Wall
+OPNsense® is Copyright © 2014 – 2015 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        mapDataToFormUI({'frm_Settings':"/api/turnserver/settings/get"}).done(function(data){
+            formatTokenizersUI();
+        });
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint("/api/turnserver/settings/set",'frm_Settings',function(){
+                // reconfigure service
+                ajaxCall(url="/api/turnserver/service/reconfigure", sendData={},callback=function(data,status) {
+                });
+            });
+        });
+    });
+</script>
+
+<div class="alert alert-info hidden" role="alert" id="responseMsg">
+
+</div>
+
+<div  class="col-md-12">
+    {{ partial("layout_partials/base_form",['fields':settingsForm,'id':'frm_Settings'])}}
+</div>
+
+<div class="col-md-12">
+    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b></button>
+</div>
diff --git a/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
new file mode 100755
index 0000000000..247d301fee
--- /dev/null
+++ b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
@@ -0,0 +1,61 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2025 Frank Wall
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('script/load_phalcon.php');
+
+use OPNsense\Core\Config;
+use OPNsense\Trust\Cert;
+use OPNsense\Trust\Store as CertStore;
+
+$cert_filename = '/usr/local/etc/turnserver_cert.pem';
+$pkey_filename = '/usr/local/etc/turnserver_pkey.pem';
+
+$configObj = Config::getInstance()->object();
+if (isset($configObj->OPNsense->turnserver->settings->TlsCertificate) and !empty((string)$configObj->OPNsense->turnserver->settings->TlsCertificate)) {
+    $cert_refid = (string)$configObj->OPNsense->turnserver->settings->TlsCertificate;
+    foreach ((new Cert())->cert->iterateItems() as $cert) {
+        $refid = (string)$cert->refid;
+
+        if ($cert_refid == $refid) {
+            $cert_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
+            $pkey_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->prv)));
+
+            if (!empty((string)$cert->caref)) {
+                $ca = CertStore::getCaChain((string)$cert->caref);
+                if ($ca) {
+                    $cert_content .= "\n" . $ca;
+                }
+            }
+
+            file_put_contents($cert_filename, $cert_content);
+            file_put_contents($pkey_filename, $pkey_content);
+            chmod($pkey_filename, 0600);
+        }
+    }
+}
diff --git a/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh
new file mode 100755
index 0000000000..137843af5f
--- /dev/null
+++ b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+/usr/local/opnsense/scripts/OPNsense/Turnserver/export_certs.php > /dev/null 2>&1
+exit 0
diff --git a/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf b/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
new file mode 100644
index 0000000000..372e02aa3b
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
@@ -0,0 +1,26 @@
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/Turnserver/setup.sh; /usr/local/etc/rc.d/turnserver start
+parameters:
+type:script
+description:Start Turnserver
+message:starting turnserver
+
+[stop]
+command:/usr/local/etc/rc.d/turnserver onestop
+parameters:
+type:script
+description:Stop Turnserver
+message:stopping turnserver
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/Turnserver/setup.sh; /usr/local/etc/rc.d/turnserver restart
+parameters:
+type:script
+description:Restart Turnserver
+message:restarting turnserver
+
+[status]
+command:/usr/local/etc/rc.d/turnserver status || exit 0
+parameters:
+type:script_output
+message:requesting turnserver status
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/+TARGETS b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/+TARGETS
new file mode 100644
index 0000000000..52ca689507
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/+TARGETS
@@ -0,0 +1,2 @@
+turnserver.conf:/usr/local/etc/turnserver.conf
+rc.conf.d:/etc/rc.conf.d/turnserver
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
new file mode 100644
index 0000000000..f292a04861
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.turnserver.settings.Enabled') and OPNsense.turnserver.settings.Enabled|default("0") == "1" %}
+turnserver_enable=YES
+{% else %}
+turnserver_enable=NO
+{% endif %}
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
new file mode 100644
index 0000000000..67c96cbabb
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
@@ -0,0 +1,60 @@
+# General
+{% if helpers.exists('OPNsense.turnserver.settings.ListenIP') and OPNsense.turnserver.settings.ListenIP|default("") != "" %}
+{%   for listenip in OPNsense.turnserver.settings.ListenIP.split(",") %}
+listening-ip={{ listenip }}
+{%   endfor %}
+{% endif %}
+listening-port={{ OPNsense.turnserver.settings.ListenPort }}
+min-port={{ OPNsense.turnserver.settings.MinPort }}
+max-port={{ OPNsense.turnserver.settings.MaxPort }}
+
+# TLS
+{% if helpers.exists('OPNsense.turnserver.settings.TlsEnabled') and OPNsense.turnserver.settings.TlsEnabled|default("") == "1" %}
+{%   if OPNsense.turnserver.settings.TlsCertificate|default("") != "" %}
+tls-listening-port={{ OPNsense.turnserver.settings.TlsPort }}
+cert=/usr/local/etc/turnserver_cert.pem
+pkey=/usr/local/etc/turnserver_pkey.pem
+{%   else %}
+# ERROR: Required TLS certificate was not specified. TLS support will be disabled.
+no-tls
+no-dtls
+{%   endif %}
+{% else %}
+no-tls
+no-dtls
+{% endif %}
+
+# Security
+{% if helpers.exists('OPNsense.turnserver.settings.UseAuthSecret') and OPNsense.turnserver.settings.UseAuthSecret|default("") == "1" %}
+{%   if OPNsense.turnserver.settings.StaticAuthSecret|default("") != "" %}
+use-auth-secret
+static-auth-secret={{ OPNsense.turnserver.settings.StaticAuthSecret }}
+{%   else %}
+# ERROR: Required Auth Secret was not specified; this feature will be disabled.
+{%   endif %}
+{% endif %}
+
+# Features
+{% if OPNsense.turnserver.settings.Realm|default("") != "" %}
+realm={{ OPNsense.turnserver.settings.Realm }}
+{% endif %}
+{% if OPNsense.turnserver.settings.FingerprintsEnabled|default("") == "1" %}
+fingerprint
+{% endif %}
+
+# Tuning
+user-quota={{ OPNsense.turnserver.settings.UserQuota }}
+total-quota={{ OPNsense.turnserver.settings.TotalQuota }}
+stale-nonce={{ OPNsense.turnserver.settings.StaleNonce }}
+channel-lifetime={{ OPNsense.turnserver.settings.ChannelLifetime }}
+permission-lifetime={{ OPNsense.turnserver.settings.PermissionLifetime }}
+
+# Defaults
+no-cli
+no-software-attribute
+no-multicast-peers
+no-tlsv1
+no-tlsv1_1
+no-rfc5780
+no-stun-backward-compatibility
+response-origin-only-with-rfc5780

From 57d70c0ca187f55b0fb359f150d4f2b2a64b015a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 5 Mar 2025 08:03:57 +0100
Subject: [PATCH 2355/3088] www/caddy: style

---
 .../app/library/OPNsense/System/Status/CaddyOverrideStatus.php   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
index 0acbacf7b3..73b383cb06 100644
--- a/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
+++ b/www/caddy/src/opnsense/mvc/app/library/OPNsense/System/Status/CaddyOverrideStatus.php
@@ -1,4 +1,5 @@
 <?php
+
 /*
  * Copyright (C) 2025 Cedrik Pischem
  * Copyright (C) 2025 Deciso B.V.

From 213385d56fcc2d3174644cac95850797655cc932 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 5 Mar 2025 08:04:09 +0100
Subject: [PATCH 2356/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index baf0a1005e..c838c25bb6 100644
--- a/LICENSE
+++ b/LICENSE
@@ -67,13 +67,13 @@ Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2024 Sheridan Computers
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2019 Smart-Soft
-Copyright (c) 2013 Stanley P. Miller \ stan-qaz
 Copyright (c) 2020 Starkstromkonsument
 Copyright (c) 2023-2024 Thomas Cekal <thomas@cekal.org>
 Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2024 txr13
 Copyright (c) 2024 W516
 Copyright (c) 2022 Wouter Deurholt
+Copyright (c) 2025 Yann Bayart
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
 All rights reserved.
 

From 9bd5e3df7a53247c023a46efaec510492ddc08be Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 5 Mar 2025 08:52:09 +0100
Subject: [PATCH 2357/3088] README: sync

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index de7ef15853..713b0e245e 100644
--- a/README.md
+++ b/README.md
@@ -107,6 +107,7 @@ sysutils/nextcloud-backup -- Track config changes using NextCloud
 sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
 sysutils/puppet-agent -- Manage Puppet Agent
+sysutils/sftp-backup -- Backup configurations using sftp
 sysutils/smart -- SMART tools
 sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools

From 0782d64db693250447d2143f4ddcdaeda45093c0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 5 Mar 2025 09:00:47 +0100
Subject: [PATCH 2358/3088] sysutils/sftp-backup: prep for release

---
 README.md                                     |  2 +-
 sysutils/sftp-backup/Makefile                 |  2 +-
 sysutils/sftp-backup/pkg-descr                |  5 ++-
 .../mvc/app/library/OPNsense/Backup/Sftp.php  | 42 +++++++++----------
 .../models/OPNsense/Backup/SftpSettings.xml   |  2 +-
 5 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/README.md b/README.md
index 713b0e245e..e195524f7d 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ sysutils/nextcloud-backup -- Track config changes using NextCloud
 sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
 sysutils/puppet-agent -- Manage Puppet Agent
-sysutils/sftp-backup -- Backup configurations using sftp
+sysutils/sftp-backup -- Backup configurations using SFTP
 sysutils/smart -- SMART tools
 sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools
diff --git a/sysutils/sftp-backup/Makefile b/sysutils/sftp-backup/Makefile
index 918b74903f..680b17fe05 100644
--- a/sysutils/sftp-backup/Makefile
+++ b/sysutils/sftp-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		sftp-backup
 PLUGIN_VERSION=		1.0
-PLUGIN_COMMENT=		Backup configurations using sftp
+PLUGIN_COMMENT=		Backup configurations using SFTP
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 
diff --git a/sysutils/sftp-backup/pkg-descr b/sysutils/sftp-backup/pkg-descr
index f9dcd53e91..372f032a00 100644
--- a/sysutils/sftp-backup/pkg-descr
+++ b/sysutils/sftp-backup/pkg-descr
@@ -1,3 +1,4 @@
-This package adds a backup option using sftp (secure copy).
+This plugin adds a backup option using SFTP (secure copy).
 
-Due to the sensitive nature of the data being send to the backup, we strongly advise to not use a public service to send backups to.
+Due to the sensitive nature of the data being send to the backup,
+we strongly advise to not use a public service to send backups to.
diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
index 5c49ac0080..052783eb7b 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2025 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Backup;
diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
index a6f5397f0b..d5ba6c324d 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
@@ -45,7 +45,7 @@
         <passwordconfirm type="TextField" volatile="true"/>
         <backupcount type="IntegerField">
             <Default>60</Default>
-            <Require>Y</Require>
+            <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
         </backupcount>
     </items>

From e2b1afe2cc821a51add1994279fc4c206ca3b9d1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 5 Mar 2025 09:02:11 +0100
Subject: [PATCH 2359/3088] security/intrusion-detection-content-pt-open: prep
 for release

---
 security/intrusion-detection-content-pt-open/Makefile  | 1 +
 security/intrusion-detection-content-pt-open/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/security/intrusion-detection-content-pt-open/Makefile b/security/intrusion-detection-content-pt-open/Makefile
index 6941de8be3..5190a1fd90 100644
--- a/security/intrusion-detection-content-pt-open/Makefile
+++ b/security/intrusion-detection-content-pt-open/Makefile
@@ -3,4 +3,5 @@ PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		IDS Positive Technologies ESC ruleset
 PLUGIN_MAINTAINER=	kulikov.a@gmail.com
 PLUGIN_WWW=		https://rules.ptsecurity.com
+
 .include "../../Mk/plugins.mk"
diff --git a/security/intrusion-detection-content-pt-open/pkg-descr b/security/intrusion-detection-content-pt-open/pkg-descr
index ee22fba6c0..ff3dc89206 100644
--- a/security/intrusion-detection-content-pt-open/pkg-descr
+++ b/security/intrusion-detection-content-pt-open/pkg-descr
@@ -1,5 +1,6 @@
 IDS PT ESC open ruleset designed to detect a variety of network threats,
 including those communicated under TLS.
+
 PT Rules is an open-source project focused on enhancing network security
 through proactive threat detection. As the PT Expert Security Center attack
 detection team, we are a dedicated group of cybersecurity experts committed

From cbb54cb3d89aeb0f1a38775dd8c8bab92b3dbbb1 Mon Sep 17 00:00:00 2001
From: Ethazeriel <10165790+Ethazeriel@users.noreply.github.com>
Date: Thu, 6 Mar 2025 03:03:08 -0800
Subject: [PATCH 2360/3088] sysutils/dmidecode: new dashboard widget (#4554)

---
 sysutils/dmidecode/Makefile                   |  3 +-
 .../DmiDecode/Api/ServiceController.php}      | 36 +++-----
 .../app/models/OPNsense/DmiDecode/ACL/ACL.xml |  8 ++
 .../src/opnsense/www/js/widgets/DmiDecode.js  | 90 +++++++++++++++++++
 .../www/js/widgets/Metadata/DmiDecode.xml     | 20 +++++
 .../src/www/widgets/include/dmidecode.inc     |  3 -
 6 files changed, 133 insertions(+), 27 deletions(-)
 rename sysutils/dmidecode/src/{www/widgets/widgets/dmidecode.widget.php => opnsense/mvc/app/controllers/OPNsense/DmiDecode/Api/ServiceController.php} (60%)
 create mode 100644 sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/DmiDecode/ACL/ACL.xml
 create mode 100644 sysutils/dmidecode/src/opnsense/www/js/widgets/DmiDecode.js
 create mode 100644 sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/DmiDecode.xml
 delete mode 100644 sysutils/dmidecode/src/www/widgets/include/dmidecode.inc

diff --git a/sysutils/dmidecode/Makefile b/sysutils/dmidecode/Makefile
index 428d1621a2..590aef8fa9 100644
--- a/sysutils/dmidecode/Makefile
+++ b/sysutils/dmidecode/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dmidecode
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Display hardware information on the dashboard
 PLUGIN_DEPENDS=		dmidecode
 PLUGIN_MAINTAINER=	evbevz@gmail.com
diff --git a/sysutils/dmidecode/src/www/widgets/widgets/dmidecode.widget.php b/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/DmiDecode/Api/ServiceController.php
similarity index 60%
rename from sysutils/dmidecode/src/www/widgets/widgets/dmidecode.widget.php
rename to sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/DmiDecode/Api/ServiceController.php
index c1fc7723ed..f586629bd8 100644
--- a/sysutils/dmidecode/src/www/widgets/widgets/dmidecode.widget.php
+++ b/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/DmiDecode/Api/ServiceController.php
@@ -2,6 +2,7 @@
 
 /*
  * Copyright (C) 2019 Smart-Soft
+ * Copyright (C) 2025 Neil Merchant
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -26,27 +27,18 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-require_once("widgets/include/dmidecode.inc");
+namespace OPNsense\DmiDecode\Api;
 
-$hardwareData = parse_ini_string(configd_run("dmidecode system"), FALSE, INI_SCANNER_RAW);
-$biosData = parse_ini_string(configd_run("dmidecode bios"), FALSE, INI_SCANNER_RAW);
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\Core\Backend;
 
-?>
-<table class="table table-striped table-condensed">
-    <tbody>
-        <tr><th colspan="2"><?=gettext("Platform");?></th></tr>
-        <?php foreach($hardwareData as $key => $val) { ?>
-        <tr>
-            <td style="width: 30%;"><?=gettext($key);?></td>
-            <td><?=html_safe($val);?></td>
-        </tr>
-        <?php } ?>
-        <tr><th colspan="2"><?=gettext("BIOS");?></th></tr>
-        <?php foreach($biosData as $key => $val) { ?>
-        <tr>
-            <td style="width: 30%;"><?=gettext($key);?></td>
-            <td><?=html_safe($val);?></td>
-        </tr>
-        <?php } ?>
-    </tbody>
-</table>
+class ServiceController extends ApiControllerBase
+{
+    public function getAction()
+    {
+        $system = parse_ini_string(trim((new Backend())->configdRun('dmidecode system')), false, INI_SCANNER_RAW);
+        $bios = parse_ini_string(trim((new Backend())->configdRun('dmidecode bios')), false, INI_SCANNER_RAW);
+        $status = "ok";
+        return ["status" => $status, "system" => $system, "bios" => $bios];
+    }
+}
diff --git a/sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/DmiDecode/ACL/ACL.xml b/sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/DmiDecode/ACL/ACL.xml
new file mode 100644
index 0000000000..a9f6054621
--- /dev/null
+++ b/sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/DmiDecode/ACL/ACL.xml
@@ -0,0 +1,8 @@
+<acl>
+    <page-service-dmidecode>
+        <name>Service: DMI Decoder Widget</name>
+        <patterns>
+            <pattern>api/dmidecode/service/get</pattern>
+        </patterns>
+    </page-service-dmidecode>
+</acl>
diff --git a/sysutils/dmidecode/src/opnsense/www/js/widgets/DmiDecode.js b/sysutils/dmidecode/src/opnsense/www/js/widgets/DmiDecode.js
new file mode 100644
index 0000000000..89b5da1830
--- /dev/null
+++ b/sysutils/dmidecode/src/opnsense/www/js/widgets/DmiDecode.js
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2025 Neil Merchant
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+export default class DmiDecode extends BaseTableWidget {
+  constructor() {
+    super();
+    this.title = 'DmiDecode Data';
+  }
+
+  getMarkup() {
+    let $container = $('<div></div>');
+    // make table for system output, add header
+    let $system_table = super.createTable('system-table', { headerPosition: 'left' });
+    $container.append(`<h3>${this.translations.system}</h3>`)
+    $container.append($system_table);
+    // same for bios output
+    let $bios_table = super.createTable('bios-table', { headerPosition: 'left' });
+    $container.append(`<h3>${this.translations.bios}</h3>`)
+    $container.append($bios_table);
+    return $container;
+  }
+
+  async onMarkupRendered() {
+    const dmiData = await this.ajaxCall('/api/dmidecode/service/get');
+    if (!dmiData || dmiData?.status !== 'ok') {
+      this.displayError('dmi lookup failed');
+      return;
+    }
+    this.processDMIData(dmiData);
+  }
+
+  processDMIData(data) {
+    const sysrows = [];
+    for (const [key, value] of Object.entries(data.system)) {
+      const row = [];
+      // try to find translation for key, fallback to output value
+      // have to split on spaces here because those aren't valid in xml tags
+      const translationIndex = key.split(" ")[0]
+      const dispKey = this.translations[translationIndex] || key
+      row.push(`<div><b>${dispKey}</b></div>`, `<div>${value}</div>`);
+      sysrows.push(row);
+    }
+    const biosrows = [];
+    for (const [key, value] of Object.entries(data.bios)) {
+      const row = [];
+      // try to find translation for key, fallback to output value
+      // have to split on spaces here because those aren't valid in xml tags
+      const translationIndex = key.split(" ")[0]
+      const dispKey = this.translations[translationIndex] || key
+      row.push(`<div><b>${dispKey}</b></div>`, `<div>${value}</div>`);
+      biosrows.push(row);
+    }
+    super.updateTable('system-table', sysrows);
+    super.updateTable('bios-table', biosrows);
+  }
+
+  displayError(message) {
+    // if something went wrong, display error message in system table
+    const $error = $(`
+        <div>
+            ${message}
+        </div>
+    `);
+    $('#system-table').empty().append($error);
+}
+
+}
diff --git a/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/DmiDecode.xml b/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/DmiDecode.xml
new file mode 100644
index 0000000000..6fedccf822
--- /dev/null
+++ b/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/DmiDecode.xml
@@ -0,0 +1,20 @@
+<metadata>
+  <dmidecode>
+    <filename>DmiDecode.js</filename>
+    <endpoints>
+      <endpoint>/api/dmidecode/service/get</endpoint>
+    </endpoints>
+    <translations>
+      <title>Hardware Information</title>
+      <system>Platform</system>
+      <bios>BIOS</bios>
+      <Manufacturer>Manufacturer</Manufacturer>
+      <Product>Product Name</Product>
+      <Version>Version</Version>
+      <Serial>Serial Number</Serial>
+      <Family>Family</Family>
+      <Vendor>Vendor</Vendor>
+      <Release>Release Date</Release>
+    </translations>
+  </dmidecode>
+</metadata>
diff --git a/sysutils/dmidecode/src/www/widgets/include/dmidecode.inc b/sysutils/dmidecode/src/www/widgets/include/dmidecode.inc
deleted file mode 100644
index 0fd5de9f66..0000000000
--- a/sysutils/dmidecode/src/www/widgets/include/dmidecode.inc
+++ /dev/null
@@ -1,3 +0,0 @@
-<?php
-
-$dmidecode_title = gettext('Hardware information');

From 77deb1d204b9e2211793e3108abd57a6eb2ce9c0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 6 Mar 2025 12:07:07 +0100
Subject: [PATCH 2361/3088] sysutils/dmidecode: adjust namespace

---
 .../{DmiDecode => Dmidecode}/Api/ServiceController.php        | 2 +-
 .../app/models/OPNsense/{DmiDecode => Dmidecode}/ACL/ACL.xml  | 2 +-
 .../opnsense/www/js/widgets/{DmiDecode.js => Dmidecode.js}    | 4 ++--
 .../www/js/widgets/Metadata/{DmiDecode.xml => Dmidecode.xml}  | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
 rename sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/{DmiDecode => Dmidecode}/Api/ServiceController.php (98%)
 rename sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/{DmiDecode => Dmidecode}/ACL/ACL.xml (77%)
 rename sysutils/dmidecode/src/opnsense/www/js/widgets/{DmiDecode.js => Dmidecode.js} (97%)
 rename sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/{DmiDecode.xml => Dmidecode.xml} (93%)

diff --git a/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/DmiDecode/Api/ServiceController.php b/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/Dmidecode/Api/ServiceController.php
similarity index 98%
rename from sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/DmiDecode/Api/ServiceController.php
rename to sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/Dmidecode/Api/ServiceController.php
index f586629bd8..4646bc8c36 100644
--- a/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/DmiDecode/Api/ServiceController.php
+++ b/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/Dmidecode/Api/ServiceController.php
@@ -27,7 +27,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\DmiDecode\Api;
+namespace OPNsense\Dmidecode\Api;
 
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\Core\Backend;
diff --git a/sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/DmiDecode/ACL/ACL.xml b/sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/Dmidecode/ACL/ACL.xml
similarity index 77%
rename from sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/DmiDecode/ACL/ACL.xml
rename to sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/Dmidecode/ACL/ACL.xml
index a9f6054621..d5ef40eb16 100644
--- a/sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/DmiDecode/ACL/ACL.xml
+++ b/sysutils/dmidecode/src/opnsense/mvc/app/models/OPNsense/Dmidecode/ACL/ACL.xml
@@ -1,6 +1,6 @@
 <acl>
     <page-service-dmidecode>
-        <name>Service: DMI Decoder Widget</name>
+        <name>Service: DMI Data Widget</name>
         <patterns>
             <pattern>api/dmidecode/service/get</pattern>
         </patterns>
diff --git a/sysutils/dmidecode/src/opnsense/www/js/widgets/DmiDecode.js b/sysutils/dmidecode/src/opnsense/www/js/widgets/Dmidecode.js
similarity index 97%
rename from sysutils/dmidecode/src/opnsense/www/js/widgets/DmiDecode.js
rename to sysutils/dmidecode/src/opnsense/www/js/widgets/Dmidecode.js
index 89b5da1830..32a7dbcd78 100644
--- a/sysutils/dmidecode/src/opnsense/www/js/widgets/DmiDecode.js
+++ b/sysutils/dmidecode/src/opnsense/www/js/widgets/Dmidecode.js
@@ -24,10 +24,10 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-export default class DmiDecode extends BaseTableWidget {
+export default class Dmidecode extends BaseTableWidget {
   constructor() {
     super();
-    this.title = 'DmiDecode Data';
+    this.title = 'DMI Data';
   }
 
   getMarkup() {
diff --git a/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/DmiDecode.xml b/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/Dmidecode.xml
similarity index 93%
rename from sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/DmiDecode.xml
rename to sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/Dmidecode.xml
index 6fedccf822..33a8a8f022 100644
--- a/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/DmiDecode.xml
+++ b/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/Dmidecode.xml
@@ -1,6 +1,6 @@
 <metadata>
   <dmidecode>
-    <filename>DmiDecode.js</filename>
+    <filename>Dmidecode.js</filename>
     <endpoints>
       <endpoint>/api/dmidecode/service/get</endpoint>
     </endpoints>

From ec5990bd61bd09de40fdbf643b3f0fab48df4a9c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 6 Mar 2025 12:21:40 +0100
Subject: [PATCH 2362/3088] system/dmidecode: missed this, also rename in list

---
 .../www/js/widgets/Metadata/Dmidecode.xml     | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/Dmidecode.xml b/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/Dmidecode.xml
index 33a8a8f022..8bc482bece 100644
--- a/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/Dmidecode.xml
+++ b/sysutils/dmidecode/src/opnsense/www/js/widgets/Metadata/Dmidecode.xml
@@ -1,20 +1,20 @@
 <metadata>
-  <dmidecode>
-    <filename>Dmidecode.js</filename>
-    <endpoints>
-      <endpoint>/api/dmidecode/service/get</endpoint>
-    </endpoints>
-    <translations>
-      <title>Hardware Information</title>
-      <system>Platform</system>
-      <bios>BIOS</bios>
-      <Manufacturer>Manufacturer</Manufacturer>
-      <Product>Product Name</Product>
-      <Version>Version</Version>
-      <Serial>Serial Number</Serial>
-      <Family>Family</Family>
-      <Vendor>Vendor</Vendor>
-      <Release>Release Date</Release>
-    </translations>
-  </dmidecode>
+    <dmidecode>
+        <filename>Dmidecode.js</filename>
+        <endpoints>
+            <endpoint>/api/dmidecode/service/get</endpoint>
+        </endpoints>
+        <translations>
+            <title>DMI Data</title>
+            <system>Platform</system>
+            <bios>BIOS</bios>
+            <Manufacturer>Manufacturer</Manufacturer>
+            <Product>Product Name</Product>
+            <Version>Version</Version>
+            <Serial>Serial Number</Serial>
+            <Family>Family</Family>
+            <Vendor>Vendor</Vendor>
+            <Release>Release Date</Release>
+        </translations>
+    </dmidecode>
 </metadata>

From 51fd4b5bb4541c149658fdcfd5b641f5fef9948c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 6 Mar 2025 18:03:41 +0100
Subject: [PATCH 2363/3088] www/caddy: add propagation_timeout and
 propagation_delay, cleanup macro definition, bump version and add changelog
 (#4557)

---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  5 +++
 .../OPNsense/Caddy/forms/general.xml          | 16 +++++++-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  8 ++++
 .../templates/OPNsense/Caddy/Caddyfile        | 39 +++++++++----------
 5 files changed, 47 insertions(+), 23 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 6c8288cf3c..ed4434653e 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.8.2
+PLUGIN_VERSION=		1.8.3
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 0dfa6ca707..640ead7eaf 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,11 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.8.3
+
+* Add: Update DNS Providers with new optional choices (opnsense/plugins/issues/4543)
+* Add: propagation_timeout and propagation_delay (opnsense/plugins/issues/4544)
+
 1.8.2
 
 * Add: client_ip_headers (opnsense/plugins/issues/4517)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 573fbce1d6..89796552da 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -164,7 +164,21 @@
             <id>caddy.general.TlsDnsPropagationTimeout</id>
             <label>Disable Propagation Timeout</label>
             <type>checkbox</type>
-            <help><![CDATA[Propagation Timeout is a duration value that sets the maximum time to wait for the DNS TXT records to appear when using the DNS challenge. The default is 2 minutes. Disabling this will set propagation_timeout to -1 (checking propagation infinitely) and additionally set a propagation_delay of 30s (wait time before starting propagation checks). This can help when the DNS Challenge continues to fail because the local DNS Server does not know the new DNS TXT records yet in the default timeframe of 2 minutes.]]></help>
+            <help><![CDATA[This will disable propagation_timeout.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsPropagationTimeoutPeriod</id>
+            <label>Propagation Timeout</label>
+            <type>text</type>
+            <hint>120</hint>
+            <help><![CDATA[propagation_timeout is a duration value in seconds that sets the maximum time to wait for the DNS TXT records to appear when using the DNS challenge.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsPropagationDelay</id>
+            <label>Propagation Delay</label>
+            <type>text</type>
+            <hint>0</hint>
+            <help><![CDATA[propagation_delay is a duration value in seconds that sets how long to wait before starting DNS TXT records propagation checks when using the DNS challenge.]]></help>
         </field>
     </tab>
     <tab id="general-dynamicdns" description="Dynamic DNS">
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 7a851ce706..4cbd45be71 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -71,6 +71,14 @@
             <TlsDnsOptionalField3 type="TextField"/>
             <TlsDnsOptionalField4 type="TextField"/>
             <TlsDnsPropagationTimeout type="BooleanField"/>
+            <TlsDnsPropagationTimeoutPeriod type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>Please enter a minimum number of 1 or leave empty for default.</ValidationMessage>
+            </TlsDnsPropagationTimeoutPeriod>
+            <TlsDnsPropagationDelay type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>Please enter a minimum number of 1 or leave empty for default.</ValidationMessage>
+            </TlsDnsPropagationDelay>
             <TlsDnsPropagationResolvers type="NetworkField">
                 <NetMaskAllowed>N</NetMaskAllowed>
             </TlsDnsPropagationResolvers>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index afe9898087..5e866607ca 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -305,15 +305,6 @@ http://{{ domain }} {
 #   Purpose: Configures TLS settings based on the DNS provider, API keys, and optional fields.
 #            Sets up the Caddyfile to update TXT Records with the chosen DNS Provider and receive
 #            certificates with the DNS-01 challenge. Refer to Dynamic DNS section for more details.
-#   Parameters:
-#   - @param dnsProvider (string): The DNS provider used for the DNS challenge.
-#   - @param dnsApiKey (string): API key for the DNS provider, essential for authentication.
-#   - @param customCert (string, optional): The config extracted name of a certificate.
-#   - @param dnsChallenge (boolean): Indicates if a DNS challenge is used for certificate authentication.
-#   - @param dnsSecretApiKey (string, optional): A secret API key or token for additional security, depending on the provider.
-#   - @param TlsDnsOptionalField1 to 4 (string, optional): Additional fields for specific DNS provider configurations.
-#   - @param TlsDnsPropagationTimeout (boolean, optional): Disables Propagation Timeout for DNS Challenge.
-#   - @param TlsDnsPropagationResolvers (string, optional): Set custom nameserver for DNS Challenge.
 #}
 {% macro tls_configuration(
     customCert,
@@ -326,6 +317,8 @@ http://{{ domain }} {
     tlsDnsOptionalField3,
     tlsDnsOptionalField4,
     tlsDnsPropagationTimeout,
+    tlsDnsPropagationTimeoutPeriod,
+    tlsDnsPropagationDelay,
     tlsDnsPropagationResolvers
 ) %}
     {% if customCert or (dnsChallenge == "1" and dnsProvider) %}
@@ -340,8 +333,12 @@ http://{{ domain }} {
                 resolvers {{ tlsDnsPropagationResolvers }}
                 {% endif %}
                 {% if tlsDnsPropagationTimeout|default("0") == "1" %}
-                propagation_delay 30s
                 propagation_timeout -1
+                {% elif tlsDnsPropagationTimeoutPeriod %}
+                propagation_timeout {{ tlsDnsPropagationTimeoutPeriod }}s
+                {% endif %}
+                {% if tlsDnsPropagationDelay %}
+                propagation_delay {{ tlsDnsPropagationDelay }}s
                 {% endif %}
             }
         }{% endif %}
@@ -597,19 +594,19 @@ http://{{ domain }} {
                     }
                 {% endif %}
             {% endif %}
-            {% set customCert = reverse.CustomCertificate|default("") %}
-            {% set dnsChallenge = reverse.DnsChallenge|default("0") %}
             {{ tls_configuration(
-                customCert,
-                dnsChallenge,
-                dnsProvider,
-                dnsApiKey,
-                dnsSecretApiKey,
-                tlsDnsOptionalField1,
-                tlsDnsOptionalField2,
-                tlsDnsOptionalField3,
-                tlsDnsOptionalField4,
+                reverse.CustomCertificate|default(""),
+                reverse.DnsChallenge|default("0"),
+                generalSettings.TlsDnsProvider,
+                generalSettings.TlsDnsApiKey,
+                generalSettings.TlsDnsSecretApiKey,
+                generalSettings.TlsDnsOptionalField1,
+                generalSettings.TlsDnsOptionalField2,
+                generalSettings.TlsDnsOptionalField3,
+                generalSettings.TlsDnsOptionalField4,
                 generalSettings.TlsDnsPropagationTimeout,
+                generalSettings.TlsDnsPropagationTimeoutPeriod,
+                generalSettings.TlsDnsPropagationDelay,
                 generalSettings.TlsDnsPropagationResolvers
             ) }}
 

From 5610d1a88e04559c155b4686df75cef46728beb4 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 6 Mar 2025 18:05:22 +0100
Subject: [PATCH 2364/3088] www/caddy: Update DNS Provider list and improve
 maintainability (#4556)

* www/caddy: Consolidate all selective DNS Provider logic to includeDnsProvider

* www/caddy: Update list of DNS providers with optional remaining or new ones from caddy-dns
---
 .../OPNsense/Caddy/forms/general.xml          |  16 +--
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  27 ++++
 .../templates/OPNsense/Caddy/Caddyfile        |  10 +-
 .../OPNsense/Caddy/includeDnsProvider         | 121 ++++++++++++++++++
 4 files changed, 160 insertions(+), 14 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 89796552da..87ee5a58fb 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -108,7 +108,7 @@
             <id>caddy.general.TlsDnsProvider</id>
             <label>DNS Provider</label>
             <type>dropdown</type>
-            <help><![CDATA[Select the DNS Provider for the DNS-01 Challenge and Dynamic DNS. Providers marked as "optional" must be installed manually, see https://caddyserver.com/docs/command-line#caddy-add-package. For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
+            <help><![CDATA[Select the DNS Provider for the DNS-01 Challenge and Dynamic DNS. Providers marked as "optional" must be installed manually, see https://caddyserver.com/docs/command-line#caddy-add-package. Important: When the version of the caddy binary changes, "optional" provider must be reinstalled. For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
         </field>
         <field>
             <type>header</type>
@@ -118,37 +118,37 @@
             <id>caddy.general.TlsDnsApiKey</id>
             <label>API Field 1</label>
             <type>text</type>
-            <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional: Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token", Hetzner "api_token", ClouDNS "auth_id".]]></help>
+            <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional for the chosen provider. Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token", Hetzner "api_token", ClouDNS "auth_id", Gcore "api_token", Huawei Cloud "access_key_id", DNSExit "api_token", Nanelo "api_token", Katapult "api_token", Regfish "api_key", Leaseweb "api_token", DreamHost "api_key", Exoscale "api_key", TransIP "account_name", Selectel "user", LuaDNS "email", Hurricane Electric "api_key", Namesilo "api_token", Dode "api_token", Dynu "api_token", Glesys "project", NFSN "login", GoDaddy "api_token", Vercel "api_token", Loopia "username", DNSPod "api_token", Mythic Beasts "key_id", Dynv6 "api_token", AliDNS "access_key_id", Metaname "api_key"]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsSecretApiKey</id>
             <label>API Field 2</label>
             <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user", ClouDNS "auth_password".]]></help>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user", ClouDNS "auth_password", Huawei Cloud "secret_access_key", Exoscale "api_secret", TransIP "private_key_path", Selectel "password", LuaDNS "api_key", Dynu "own_domain", Glesys "api_key", NFSN "api_key", Loopia "password", Mythic Beasts "secret", AliDNS "access_key_secret", Metaname "account_reference"]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField1</id>
             <label>API Field 3</label>
             <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "hosted_zone_id", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key", ClouDNS "sub_auth_id".]]></help>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Route53 "hosted_zone_id", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key", ClouDNS "sub_auth_id", Selectel "account_id"]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField2</id>
             <label>API Field 4</label>
             <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server".]]></help>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Route53 "profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server", Selectel "project_name"]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField3</id>
             <label>API Field 5</label>
             <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "region", Azure "resource_group_name".]]></help>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Route53 "region", Azure "resource_group_name"]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsOptionalField4</id>
             <label>API Field 6</label>
             <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional: Route53 "session_token".]]></help>
+            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Route53 "session_token"]]></help>
         </field>
         <field>
             <type>header</type>
@@ -262,4 +262,4 @@
         </field>
     </tab>
     <activetab>general-settings</activetab>
-</form>
+</form>
\ No newline at end of file
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 4cbd45be71..bf5c3cbfe9 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -62,6 +62,33 @@
                     <easydns>EasyDNS (optional)</easydns>
                     <hosttech>Hosttech (optional)</hosttech>
                     <cloudns>ClouDNS (optional)</cloudns>
+                    <gcore>Gcore (optional)</gcore>
+                    <huaweicloud>Huawei Cloud (optional)</huaweicloud>
+                    <dnsexit>DNSExit (optional)</dnsexit>
+                    <nanelo>Nanelo (optional)</nanelo>
+                    <katapult>Katapult (optional)</katapult>
+                    <regfish>Regfish (optional)</regfish>
+                    <leaseweb>Leaseweb (optional)</leaseweb>
+                    <dreamhost>DreamHost (optional)</dreamhost>
+                    <exoscale>Exoscale (optional)</exoscale>
+                    <transip>TransIP (optional)</transip>
+                    <selectel>Selectel (optional)</selectel>
+                    <dnsimple>DNSimple (optional)</dnsimple>
+                    <luadns>LuaDNS (optional)</luadns>
+                    <he>Hurricane Electric (optional)</he>
+                    <namesilo>Namesilo (optional)</namesilo>
+                    <dode>Dode (optional)</dode>
+                    <dynu>Dynu (optional)</dynu>
+                    <glesys>Glesys (optional)</glesys>
+                    <nfsn>NFSN (optional)</nfsn>
+                    <godaddy>GoDaddy (optional)</godaddy>
+                    <vercel>Vercel (optional)</vercel>
+                    <loopia>Loopia (optional)</loopia>
+                    <dnspod>DNSPod (optional)</dnspod>
+                    <mythicbeasts>Mythic Beasts (optional)</mythicbeasts>
+                    <dynv6>Dynv6 (optional)</dynv6>
+                    <alidns>AliDNS (optional)</alidns>
+                    <metaname>Metaname (optional)</metaname>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField"/>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 5e866607ca..fe712251f4 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -174,12 +174,8 @@
         {% endfor %}
     {% endfor %}
 
-    {#
-    # Define special DNS Providers that have more than one API key, or special requirements that do not allow the use of the default.
-    # The same providers have to be added to "OPNsense/Caddy/includeDnsProvider", best in the same order as in this array for maintainability.
-    # For a new provider to work, it has to be compiled into the caddy binary.
-    #}
-    {% set dnsProviderSpecialConfig = ['duckdns', 'porkbun', 'desec', 'route53', 'acmedns', 'googleclouddns', 'azure', 'ovh', 'namecheap', 'powerdns', 'ddnss', 'linode', 'tencentcloud', 'dinahosting', 'hexonet', 'mailinabox', 'netcup', 'rfc2136', 'dnsmadeeasy', 'civo', 'scaleway', 'acmeproxy', 'inwx', 'namedotcom', 'easydns', 'directadmin', 'cloudns'] %}
+    {% import "OPNsense/Caddy/includeDnsProvider" as dns_includes %}
+    {% set dnsProviderSpecialConfig = dns_includes.dnsProviderSpecialConfig() %}
 
     {# Conditionally add the dynamic_dns section, acmedns provider is special, it does not support dynamic_dns. #}
     {% if dnsProvider and dynDnsDomains|length > 0 and dnsProvider != "acmedns" %}
@@ -187,6 +183,7 @@
             {# duckdns provider is special, it has a different configuration for dynamic dns than for the dns-01 challenge. #}
             {% if dnsProvider in dnsProviderSpecialConfig and dnsProvider != "duckdns" %}
                 provider {{ dnsProvider }} {
+                    {% set context_var = 'dnsProviderSpecialLogic' %}
                     {% include "OPNsense/Caddy/includeDnsProvider" %}
                 }
             {% else %}
@@ -325,6 +322,7 @@ http://{{ domain }} {
         tls {% if customCert %}/var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key{% endif %} {% if not customCert and dnsChallenge == "1" and dnsProvider %}{
             issuer acme {
                 dns {{ dnsProvider }} {% if dnsProvider not in dnsProviderSpecialConfig %}{{ dnsApiKey }}{% else %}{
+                    {% set context_var = 'dnsProviderSpecialLogic' %}
                     {% include "OPNsense/Caddy/includeDnsProvider" %}
                 }
                 {% endif %}
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
index e771a66b74..aa76b2ef76 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
@@ -6,6 +6,53 @@
 # It only includes DNS Providers that need specific settings and do not default to
 # "dns {{ dnsProvider }} {{ dnsApiKey }}"
 #}
+{% macro dnsProviderSpecialConfig() %}
+    [
+        'duckdns',
+        'porkbun',
+        'desec',
+        'route53',
+        'acmedns',
+        'googleclouddns',
+        'azure',
+        'ovh',
+        'namecheap',
+        'powerdns',
+        'ddnss',
+        'linode',
+        'tencentcloud',
+        'dinahosting',
+        'hexonet',
+        'mailinabox',
+        'netcup',
+        'rfc2136',
+        'dnsmadeeasy',
+        'civo',
+        'scaleway',
+        'acmeproxy',
+        'inwx',
+        'namedotcom',
+        'easydns',
+        'directadmin',
+        'cloudns',
+        'huaweicloud',
+        'regfish',
+        'dreamhost',
+        'exoscale',
+        'transip',
+        'selectel',
+        'luadns',
+        'he',
+        'dynu',
+        'glesys',
+        'nfsn',
+        'loopia',
+        'mythicbeasts',
+        'alidns',
+        'metaname'
+    ]
+{% endmacro %}
+{% if context_var == 'dnsProviderSpecialLogic' %}
 {% if dnsProvider == 'duckdns' %}
     {% if dnsApiKey %}api_token {{ dnsApiKey }}
     {% endif %}
@@ -190,4 +237,78 @@
     {% endif %}
     {% if dnsOptionalField1 %}sub_auth_id {{ dnsOptionalField1 }}
     {% endif %}
+{% elif dnsProvider == 'huaweicloud' %}
+    {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'regfish' %}
+    {% if dnsApiKey %}api_key {{ dnsApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'dreamhost' %}
+    {% if dnsApiKey %}api_key {{ dnsApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'exoscale' %}
+    {% if dnsApiKey %}api_key {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_secret {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'transip' %}
+    {% if dnsApiKey %}account_name {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}private_key_path {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'selectel' %}
+    {% if dnsApiKey %}user {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+    {% endif %}
+    {% if dnsOptionalField1 %}account_id {{ dnsOptionalField1 }}
+    {% endif %}
+    {% if dnsOptionalField2 %}project_name {{ dnsOptionalField2 }}
+    {% endif %}
+{% elif dnsProvider == 'luadns' %}
+    {% if dnsApiKey %}email {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'he' %}
+    {% if dnsApiKey %}api_key {{ dnsApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'dynu' %}
+    {% if dnsApiKey %}api_token {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}own_domain {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'glesys' %}
+    {% if dnsApiKey %}project {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'nfsn' %}
+    {% if dnsApiKey %}login {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'loopia' %}
+    {% if dnsApiKey %}username {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'mythicbeasts' %}
+    {% if dnsApiKey %}key_id {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}secret {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'alidns' %}
+    {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}access_key_secret {{ dnsSecretApiKey }}
+    {% endif %}
+{% elif dnsProvider == 'metaname' %}
+    {% if dnsApiKey %}api_key {{ dnsApiKey }}
+    {% endif %}
+    {% if dnsSecretApiKey %}account_reference {{ dnsSecretApiKey }}
+    {% endif %}
+{% endif %}
 {% endif %}

From 6e5bef6fd4734c4d831a51d01f36d4f405ad547d Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 7 Mar 2025 21:26:39 +0100
Subject: [PATCH 2365/3088] net-mgmt/zabbix-agent: Add 7.2 (#4575)

---
 net-mgmt/zabbix-agent/Makefile  | 7 +++++--
 net-mgmt/zabbix-agent/pkg-descr | 4 ++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index e778bc29a8..1666be5f4f 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,8 +1,11 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.14
+PLUGIN_VERSION=		1.15
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix7 zabbix6 zabbix64 zabbix5
+PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6 zabbix64 zabbix5
+
+zabbix72_NAME=		zabbix72-agent
+zabbix72_DEPENDS=	zabbix72-agent
 
 zabbix7_NAME=		zabbix7-agent
 zabbix7_DEPENDS=	zabbix7-agent
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index d8097f7c1e..23e4693561 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.15
+
+* Plugin variant for Zabbix Agent 7.2
+
 1.14
 
 * Plugin variant for Zabbix Agent 7

From 1ac4769e9953523160cb90167c41c40c027ff964 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Fri, 7 Mar 2025 21:27:16 +0100
Subject: [PATCH 2366/3088] net-mgmt/zabbix-proxy: Add 7.2  (#4576)

---
 net-mgmt/zabbix-proxy/Makefile  | 7 +++++--
 net-mgmt/zabbix-proxy/pkg-descr | 4 ++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 748d8a5f2e..2f8bc93078 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,8 +1,11 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.11
+PLUGIN_VERSION=		1.12
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix7 zabbix6 zabbix64 zabbix5
+PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6 zabbix64 zabbix5
+
+zabbix72_NAME=		zabbix72-proxy
+zabbix72_DEPENDS=	zabbix72-proxy
 
 zabbix7_NAME=		zabbix7-proxy
 zabbix7_DEPENDS=	zabbix7-proxy
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 1aab6b36ad..e8c6b4ded9 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.12
+
+* Add plugin variant for Zabbix Proxy 7.2
+
 1.11
 
 * Add plugin variant for Zabbix Proxy 7

From 7d885fdbce61b6606f13ab03abf75ed08d97f641 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 9 Mar 2025 08:23:09 +0100
Subject: [PATCH 2367/3088] net-mgmt/zabbix-*: 6.4 is EoL, style tweaks

---
 net-mgmt/zabbix-agent/Makefile  | 9 +++------
 net-mgmt/zabbix-agent/pkg-descr | 4 +++-
 net-mgmt/zabbix-proxy/Makefile  | 9 +++------
 net-mgmt/zabbix-proxy/pkg-descr | 2 +-
 4 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 1666be5f4f..0d855b112b 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -2,16 +2,13 @@ PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.15
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6 zabbix64 zabbix5
-
-zabbix72_NAME=		zabbix72-agent
-zabbix72_DEPENDS=	zabbix72-agent
+PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6 zabbix5
 
 zabbix7_NAME=		zabbix7-agent
 zabbix7_DEPENDS=	zabbix7-agent
 
-zabbix64_NAME=		zabbix64-agent
-zabbix64_DEPENDS=	zabbix64-agent
+zabbix72_NAME=		zabbix72-agent
+zabbix72_DEPENDS=	zabbix72-agent
 
 zabbix6_NAME=		zabbix6-agent
 zabbix6_DEPENDS=	zabbix6-agent
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 23e4693561..5b4ed65938 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -14,10 +14,12 @@ Plugin Changelog
 
 1.15
 
-* Plugin variant for Zabbix Agent 7.2
+Added:
+* Plugin variant for Zabbix Agent 7.2, 6.4 is EoL and was removed
 
 1.14
 
+Added:
 * Plugin variant for Zabbix Agent 7
 
 1.13
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 2f8bc93078..426d7aabd1 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -2,16 +2,13 @@ PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.12
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6 zabbix64 zabbix5
-
-zabbix72_NAME=		zabbix72-proxy
-zabbix72_DEPENDS=	zabbix72-proxy
+PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6 zabbix5
 
 zabbix7_NAME=		zabbix7-proxy
 zabbix7_DEPENDS=	zabbix7-proxy
 
-zabbix64_NAME=		zabbix64-proxy
-zabbix64_DEPENDS=	zabbix64-proxy
+zabbix72_NAME=		zabbix72-proxy
+zabbix72_DEPENDS=	zabbix72-proxy
 
 zabbix6_NAME=		zabbix6-proxy
 zabbix6_DEPENDS=	zabbix6-proxy
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index e8c6b4ded9..49159ff30d 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -14,7 +14,7 @@ Plugin Changelog
 
 1.12
 
-* Add plugin variant for Zabbix Proxy 7.2
+* Add plugin variant for Zabbix Proxy 7.2, 6.4 is EoL and was removed
 
 1.11
 

From e57f1ab9dcfac0b5dc4c1b9f0349c07a5cea9e6e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 9 Mar 2025 08:24:50 +0100
Subject: [PATCH 2368/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index c838c25bb6..d368fe7cb2 100644
--- a/LICENSE
+++ b/LICENSE
@@ -54,6 +54,7 @@ Copyright (c) 2024 Mike Shuey
 Copyright (c) 2023-2024 Mikhail Kharisov
 Copyright (c) 2023 mleinart
 Copyright (c) 2024 MVZ Labor Ludwigsburg GbR
+Copyright (c) 2025 Neil Merchant
 Copyright (c) 2021-2024 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G

From 897ad8a807e442a03931e48d37edd387e27698e6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 10 Mar 2025 08:35:51 +0100
Subject: [PATCH 2369/3088] sysutils/dmidecode: this file was new, remove
 spurious older copyright

---
 .../controllers/OPNsense/Dmidecode/Api/ServiceController.php  | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/Dmidecode/Api/ServiceController.php b/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/Dmidecode/Api/ServiceController.php
index 4646bc8c36..6dc1ed86eb 100644
--- a/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/Dmidecode/Api/ServiceController.php
+++ b/sysutils/dmidecode/src/opnsense/mvc/app/controllers/OPNsense/Dmidecode/Api/ServiceController.php
@@ -1,7 +1,6 @@
 <?php
 
 /*
- * Copyright (C) 2019 Smart-Soft
  * Copyright (C) 2025 Neil Merchant
  * All rights reserved.
  *
@@ -38,7 +37,6 @@ public function getAction()
     {
         $system = parse_ini_string(trim((new Backend())->configdRun('dmidecode system')), false, INI_SCANNER_RAW);
         $bios = parse_ini_string(trim((new Backend())->configdRun('dmidecode bios')), false, INI_SCANNER_RAW);
-        $status = "ok";
-        return ["status" => $status, "system" => $system, "bios" => $bios];
+        return ['status' => 'ok', 'system' => $system, 'bios' => $bios];
     }
 }

From 11bb18d97dbd0058f67e0d4d4b7041829401399b Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Tue, 11 Mar 2025 15:44:42 +0100
Subject: [PATCH 2370/3088] www/squid: change cache_dir from ufs to rock
 (#4487)

---
 .../controllers/OPNsense/Proxy/forms/main.xml | 19 ++++++++-----
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml   | 27 ++++++++++---------
 .../templates/OPNsense/Proxy/squid.conf       |  2 +-
 3 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 998bd76b40..dca5a45f39 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -148,17 +148,24 @@
                 <advanced>true</advanced>
             </field>
             <field>
-                <id>proxy.general.cache.local.l1</id>
-                <label>Number of first-level subdirectories</label>
+                <id>proxy.general.cache.local.swap_timeout</id>
+                <label>Disk I/O Timeout for Swap Operations (msec)</label>
                 <type>text</type>
-                <help>Enter the number of first-level subdirectories for the local cache (default is 16).</help>
+                <help>Prevents Squid from reading/writing to disk if the operation exceeds the specified timelimit in milliseconds (default 0 = disable when left empty).</help>
                 <advanced>true</advanced>
             </field>
             <field>
-                <id>proxy.general.cache.local.l2</id>
-                <label>Number of second-level subdirectories</label>
+                <id>proxy.general.cache.local.max_swap_rate</id>
+                <label>Disk I/O Timeout for Swap Operations (swaps/sec)</label>
                 <type>text</type>
-                <help>Enter the number of second-level subdirectories for the local cache (default is 256).</help>
+                <help>Limits disk access by setting a maximum I/O rate in swaps per second (default 0 = disable when left empty).</help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.general.cache.local.slot_size</id>
+                <label>Cache Database-Record Size (bytes)</label>
+                <type>text</type>
+                <help>Defines the size of a database record used to store cached responses. Value should be a multiple of the OS I/O page size (default 16384 when left empty).</help>
                 <advanced>true</advanced>
             </field>
             <field>
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 3d77eabfef..84dc90de76 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -124,18 +124,21 @@
                         <ValidationMessage>Specify a positive cache size. (number of MB's)</ValidationMessage>
                         <Required>Y</Required>
                     </size>
-                    <l1 type="IntegerField">
-                        <Default>16</Default>
-                        <MinimumValue>1</MinimumValue>
-                        <ValidationMessage>Specify a positive number of first-level subdirectories.</ValidationMessage>
-                        <Required>Y</Required>
-                    </l1>
-                    <l2 type="IntegerField">
-                        <Default>256</Default>
-                        <MinimumValue>1</MinimumValue>
-                        <ValidationMessage>Specify a positive number of second-level subdirectories.</ValidationMessage>
-                        <Required>Y</Required>
-                    </l2>
+                    <swap_timeout type="IntegerField">
+                        <MinimumValue>0</MinimumValue>
+                        <ValidationMessage>Specify a valid swap-timeout.</ValidationMessage>
+                        <Required>N</Required>
+                    </swap_timeout>
+                    <max_swap_rate type="IntegerField">
+                        <MinimumValue>0</MinimumValue>
+                        <ValidationMessage>Specify a valid swap-rate.</ValidationMessage>
+                        <Required>N</Required>
+                    </max_swap_rate>
+                    <slot_size type="IntegerField">
+                        <MinimumValue>4096</MinimumValue>
+                        <ValidationMessage>Specify a multiple of operating system I/O page size.</ValidationMessage>
+                        <Required>N</Required>
+                    </slot_size>
                     <cache_linux_packages type="BooleanField">
                         <Default>0</Default>
                         <Required>Y</Required>
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index d42e8dfa78..f3ff389363 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -320,7 +320,7 @@ maximum_object_size_in_memory {{OPNsense.proxy.general.cache.local.maximum_objec
 memory_cache_mode {{OPNsense.proxy.general.cache.local.memory_cache_mode}}
 {%  endif %}
 {%   if OPNsense.proxy.general.cache.local.enabled == '1' %}
-cache_dir ufs {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}} {{OPNsense.proxy.general.cache.local.l1}} {{OPNsense.proxy.general.cache.local.l2}}
+cache_dir rock {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy.general.cache.local.size}}{% if not helpers.empty('OPNsense.proxy.general.cache.local.swap_timeout') %} swap-timeout={{OPNsense.proxy.general.cache.local.swap_timeout}}{% endif %}{% if not helpers.empty('OPNsense.proxy.general.cache.local.max_swap_rate') %} max-swap-rate={{OPNsense.proxy.general.cache.local.max_swap_rate}}{% endif %}{% if not helpers.empty('OPNsense.proxy.general.cache.local.slot_size') %} slot-size={{OPNsense.proxy.general.cache.local.slot_size}}{% endif %}
 {%   endif %}
 {%  endif %}
 {% endif %}

From 00cb3e9dbeb3ebc35641738f09dee805fb48450c Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 11 Mar 2025 19:08:58 +0100
Subject: [PATCH 2371/3088] sysutils/sftp-backup :  remove carriage return for
 windows users and possible excess line endings, closes
 https://github.com/opnsense/plugins/issues/4582

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
index 052783eb7b..90c2e5aba7 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -178,7 +178,7 @@ private function getIdentity()
             mkdir($confdir);
         }
         if (!is_file($identfile) || file_get_contents($identfile) != $this->model->privkey) {
-            File::file_put_contents($identfile, $this->model->privkey, 0600);
+            File::file_put_contents($identfile, trim(str_replace("\r", "", $this->model->privkey)) . "\n", 0600);
         }
         return $identfile;
     }

From 22bf308bdab8118756eef141592ebc91f62cfa5d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 12 Mar 2025 07:45:33 +0100
Subject: [PATCH 2372/3088] sysutils/sftp-backup: bump revision after previous

---
 sysutils/sftp-backup/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysutils/sftp-backup/Makefile b/sysutils/sftp-backup/Makefile
index 680b17fe05..ca782f04be 100644
--- a/sysutils/sftp-backup/Makefile
+++ b/sysutils/sftp-backup/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		sftp-backup
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Backup configurations using SFTP
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2

From cfc1269ca7db3d7294578a1d4887f95ed93370a2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 12 Mar 2025 08:05:18 +0100
Subject: [PATCH 2373/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index d368fe7cb2..2032184223 100644
--- a/LICENSE
+++ b/LICENSE
@@ -67,7 +67,7 @@ Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
 Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2024 Sheridan Computers
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
-Copyright (c) 2017-2019 Smart-Soft
+Copyright (c) 2017-2018 Smart-Soft
 Copyright (c) 2020 Starkstromkonsument
 Copyright (c) 2023-2024 Thomas Cekal <thomas@cekal.org>
 Copyright (c) 2020 Tobias Boehnert

From 16c993aa1ae924500dfa01b8396897011950a7fc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 12 Mar 2025 08:03:41 +0100
Subject: [PATCH 2374/3088] sysutils/gdrive-backup: moved here from core

PR: https://github.com/opnsense/core/issues/8343
---
 README.md                                     |   1 +
 sysutils/gdrive-backup/Makefile               |   8 +
 sysutils/gdrive-backup/pkg-descr              |   4 +
 .../src/etc/inc/plugins.inc.d/gdrive.inc      |  40 +++
 .../mvc/app/library/Google/API/Drive.php      | 148 +++++++++
 .../app/library/OPNsense/Backup/GDrive.php    | 306 ++++++++++++++++++
 6 files changed, 507 insertions(+)
 create mode 100644 sysutils/gdrive-backup/Makefile
 create mode 100644 sysutils/gdrive-backup/pkg-descr
 create mode 100644 sysutils/gdrive-backup/src/etc/inc/plugins.inc.d/gdrive.inc
 create mode 100644 sysutils/gdrive-backup/src/opnsense/mvc/app/library/Google/API/Drive.php
 create mode 100644 sysutils/gdrive-backup/src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php

diff --git a/README.md b/README.md
index e195524f7d..c3b757df19 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,7 @@ sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/cpu-microcode -- CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
+sysutils/gdrive-backup -- Backup configurations using Google Drive
 sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
diff --git a/sysutils/gdrive-backup/Makefile b/sysutils/gdrive-backup/Makefile
new file mode 100644
index 0000000000..4372dbfc80
--- /dev/null
+++ b/sysutils/gdrive-backup/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		gdrive-backup
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		Backup configurations using Google Drive
+PLUGIN_DEPENDS=		php${PLUGIN_PHP}-google-api-php-client
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		2
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/gdrive-backup/pkg-descr b/sysutils/gdrive-backup/pkg-descr
new file mode 100644
index 0000000000..68fc6ad30c
--- /dev/null
+++ b/sysutils/gdrive-backup/pkg-descr
@@ -0,0 +1,4 @@
+This plugin adds a backup option using Google Drive.
+
+Due to the sensitive nature of the data being send to the backup,
+we strongly advise to not use a public service to send backups to.
diff --git a/sysutils/gdrive-backup/src/etc/inc/plugins.inc.d/gdrive.inc b/sysutils/gdrive-backup/src/etc/inc/plugins.inc.d/gdrive.inc
new file mode 100644
index 0000000000..bad2cfa6bf
--- /dev/null
+++ b/sysutils/gdrive-backup/src/etc/inc/plugins.inc.d/gdrive.inc
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ *  sync configuration via xmlrpc
+ * @return array
+ */
+function gdrive_xmlrpc_sync()
+{
+    return [[
+        'description' => gettext('Backup - Google Drive'),
+        'section' => 'system.remotebackup',
+        'id' => 'remotebackup',
+    ]];
+}
diff --git a/sysutils/gdrive-backup/src/opnsense/mvc/app/library/Google/API/Drive.php b/sysutils/gdrive-backup/src/opnsense/mvc/app/library/Google/API/Drive.php
new file mode 100644
index 0000000000..ef1ffb437b
--- /dev/null
+++ b/sysutils/gdrive-backup/src/opnsense/mvc/app/library/Google/API/Drive.php
@@ -0,0 +1,148 @@
+<?php
+
+/*
+ * Copyright (C) 2015-2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace Google\API;
+
+/**
+ * Class Drive wrapper around Google API for Drive support
+ * @package Google\API
+ */
+class Drive
+{
+    /**
+     * @var null|\Google_Service_Drive service pointer
+     */
+    private $service = null;
+
+    /**
+     * @var null|\Google_Client pointer to client
+     */
+    private $client = null;
+
+    /**
+     * construct a new Drive object
+     */
+    public function __construct()
+    {
+        // hook in Google's autoloader
+        require_once("/usr/local/share/google-api-php-client/vendor/autoload.php");
+    }
+
+    /**
+     * login to google drive
+     * @param $client_id
+     * @param $privateKeyB64 P12 key placed in a base64 container
+     */
+    public function login($client_id, $privateKeyB64)
+    {
+        openssl_pkcs12_read(base64_decode($privateKeyB64), $certinfo, "notasecret");
+        if (empty($certinfo)) {
+            throw new \Exception("Invalid P12 key, openssl_pkcs12_read() failed");
+        }
+        $this->client = new \Google_Client();
+
+        $service_account = [
+            "type" => "service_account",
+            "private_key" => $certinfo['pkey'],
+            "client_email" => $client_id,
+            "client_id" => $client_id,
+            "auth_uri" => "https://accounts.google.com/o/oauth2/auth",
+            "token_uri" => "https://oauth2.googleapis.com/token",
+            "auth_provider_x509_cert_url" => "https://www.googleapis.com/oauth2/v1/certs"
+        ];
+
+        $this->client->setAuthConfig($service_account);
+        $this->client->addScope("https://www.googleapis.com/auth/drive");
+        $this->client->setApplicationName("OPNsense");
+
+        $this->service = new \Google_Service_Drive($this->client);
+    }
+
+    /**
+     * retrieve directory listing
+     * @param $directoryId parent directory id
+     * @param $filename title/filename of object
+     * @return mixed list of files
+     */
+    public function listFiles($directoryId, $filename = null)
+    {
+        $query = "'" . $directoryId . "' in parents ";
+        if ($filename != null) {
+            $query .= " and title in '" . $filename . "'";
+        }
+        return $this->service->files->listFiles(['q' => $query, 'supportsAllDrives' => true]);
+    }
+
+
+    /**
+     * download a file by given GDrive file handle
+     * @param $fileHandle (object from listFiles)
+     * @return null|string
+     */
+    public function download($fileHandle)
+    {
+        $response = $this->service->files->get($fileHandle->id, ['alt' => 'media', 'supportsAllDrives' => true]);
+        return $response->getBody()->getContents();
+    }
+
+    /**
+     * Upload file
+     * @param string $directoryId (parent id)
+     * @param string $filename
+     * @param string $content
+     * @param string $mimetype
+     * @return \Google_Service_Drive_DriveFile handle
+     */
+    public function upload($directoryId, $filename, $content, $mimetype = 'text/plain')
+    {
+
+        $file = new \Google_Service_Drive_DriveFile();
+        $file->setName($filename);
+        $file->setDescription($filename);
+        $file->setMimeType('text/plain');
+        $file->setParents([$directoryId]);
+
+        $createdFile = $this->service->files->create($file, [
+            'data' => $content,
+            'mimeType' => $mimetype,
+            'uploadType' => 'media',
+            'supportsAllDrives' => true
+        ]);
+
+        return $createdFile;
+    }
+
+    /**
+     * delete file
+     * @param $fileHandle (object from listFiles)
+     */
+    public function delete($fileHandle)
+    {
+        $this->service->files->delete($fileHandle['id'], ['supportsAllDrives' => true]);
+    }
+}
diff --git a/sysutils/gdrive-backup/src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php b/sysutils/gdrive-backup/src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php
new file mode 100644
index 0000000000..089ff08cd4
--- /dev/null
+++ b/sysutils/gdrive-backup/src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php
@@ -0,0 +1,306 @@
+<?php
+
+/*
+ * Copyright (C) 2018 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Backup;
+
+use OPNsense\Core\Config;
+
+/**
+ * Class google drive backup
+ * @package OPNsense\Backup
+ */
+class Gdrive extends Base implements IBackupProvider
+{
+    /**
+     * get required (user interface) fields for backup connector
+     * @return array configuration fields, types and description
+     */
+    public function getConfigurationFields()
+    {
+        $fields = array();
+
+        $fields[] = array(
+            "name" => "GDriveEnabled",
+            "type" => "checkbox",
+            "label" => gettext("Enable"),
+            "value" => null
+        );
+        $fields[] = array(
+            "name" => "GDriveEmail",
+            "type" => "text",
+            "label" => gettext("Email Address"),
+            "help" => gettext("Client-ID in the Google cloud console"),
+            "value" => null
+        );
+        $fields[] = array(
+            "name" => "GDriveP12key",
+            "type" => "file",
+            "label" => gettext("P12 key"),
+            "help" => sprintf(
+                gettext('You need a private key in p12 format to use Google Drive, ' .
+                'instructions on how to acquire one can be found %shere%s.'),
+                '<a href="https://docs.opnsense.org/manual/how-tos/cloud_backup.html" target="_blank">',
+                '</a>'
+            ),
+            "value" => null
+        );
+        $fields[] = array(
+            "name" => "GDriveFolderID",
+            "type" => "text",
+            "label" => gettext("Folder ID"),
+            "value" => null
+        );
+        $fields[] = array(
+            "name" => "GDrivePrefixHostname",
+            "type" => "checkbox",
+            "label" => gettext("Prefix hostname to backupfile"),
+            "help" => gettext("Normally the config xml will be written as config-stamp.xml, with this option set " .
+            "the filename will use the systems host and domain name."),
+            "value" => null
+        );
+        $fields[] = array(
+            "name" => "GDriveBackupCount",
+            "type" => "text",
+            "label" => gettext("Backup Count"),
+            "value" => 60
+        );
+        $fields[] = array(
+            "name" => "GDrivePassword",
+            "type" => "password",
+            "label" => gettext("Password"),
+            "value" => null
+        );
+        $fields[] = array(
+            "name" => "GDrivePasswordConfirm",
+            "type" => "password",
+            "label" => gettext("Confirm"),
+            "value" => null
+        );
+        $cnf = Config::getInstance();
+        if ($cnf->isValid()) {
+            $config = $cnf->object();
+            foreach ($fields as &$field) {
+                $fieldname = $field['name'];
+                if (isset($config->system->remotebackup->$fieldname)) {
+                    $field['value'] = (string)$config->system->remotebackup->$fieldname;
+                } elseif (
+                    $fieldname == "GDrivePasswordConfirm" &&
+                        isset($config->system->remotebackup->GDrivePassword)
+                ) {
+                    $field['value'] = (string)$config->system->remotebackup->GDrivePassword;
+                }
+            }
+        }
+
+        return $fields;
+    }
+
+    /**
+     * backup provider name
+     * @return string user friendly name
+     */
+    public function getName()
+    {
+        return gettext("Google Drive");
+    }
+
+    /**
+     * validate and set configuration
+     * @param array $conf configuration array
+     * @return array of validation errors when not saved
+     */
+    public function setConfiguration($conf)
+    {
+        $input_errors = array();
+        if ($conf['GDrivePasswordConfirm'] != $conf['GDrivePassword']) {
+            $input_errors[] = gettext("The supplied 'Password' and 'Confirm' field values must match.");
+        }
+        if (count($input_errors) == 0) {
+            $config = Config::getInstance()->object();
+            if (!isset($config->system->remotebackup)) {
+                $config->system->addChild('remotebackup');
+            }
+            foreach ($this->getConfigurationFields() as $field) {
+                $fieldname = $field['name'];
+                if ($field['type'] == 'file') {
+                    if (!empty($conf[$field['name']])) {
+                        $config->system->remotebackup->$fieldname = base64_encode($conf[$field['name']]);
+                    }
+                } elseif ($field['name'] == 'GDrivePasswordConfirm') {
+                    /* skip password confirm field */
+                } elseif (!empty($conf[$field['name']])) {
+                    $config->system->remotebackup->$fieldname = $conf[$field['name']];
+                } else {
+                    unset($config->system->remotebackup->$fieldname);
+                }
+            }
+            // remove private key when disabled
+            if (
+                empty($config->system->remotebackup->GDriveEnabled) &&
+                    isset($config->system->remotebackup->GDriveP12key)
+            ) {
+                unset($config->system->remotebackup->GDriveP12key);
+            }
+            Config::getInstance()->save();
+        }
+
+        return $input_errors;
+    }
+
+    /**
+     * @return array filelist
+     */
+    public function backup()
+    {
+        $cnf = Config::getInstance();
+        if ($cnf->isValid()) {
+            $config = $cnf->object();
+            if (
+                isset($config->system->remotebackup) && isset($config->system->remotebackup->GDriveEnabled)
+                    && !empty($config->system->remotebackup->GDriveEnabled)
+            ) {
+                if (!empty($config->system->remotebackup->GDrivePrefixHostname)) {
+                    $fileprefix = (string)$config->system->hostname . "." . (string)$config->system->domain . "-";
+                } else {
+                    $fileprefix = "config-";
+                }
+                try {
+                    $client = new \Google\API\Drive();
+                    $client->login(
+                        (string)$config->system->remotebackup->GDriveEmail,
+                        (string)$config->system->remotebackup->GDriveP12key
+                    );
+                } catch (\Error | \Exception $e) {
+                    syslog(LOG_ERR, "error connecting to Google Drive");
+                    return array();
+                }
+
+                // backup source data to local strings (plain/encrypted)
+                $confdata = file_get_contents('/conf/config.xml');
+                $confdata_enc = $this->encrypt($confdata, (string)$config->system->remotebackup->GDrivePassword);
+
+                // read filelist ({prefix}*.xml)
+                try {
+                    $files = $client->listFiles((string)$config->system->remotebackup->GDriveFolderID);
+                } catch (\Error | \Exception $e) {
+                    syslog(LOG_ERR, "error while fetching filelist from Google Drive");
+                    return array();
+                }
+
+                $configfiles = array();
+                foreach ($files as $file) {
+                    if (fnmatch("{$fileprefix}*.xml", $file['name'])) {
+                        $configfiles[$file['name']] = $file;
+                    }
+                }
+                krsort($configfiles);
+
+
+                // backup new file if changed (or if first in backup)
+                $target_filename = $fileprefix . time() . ".xml";
+                if (count($configfiles) > 1) {
+                    // compare last backup with current, only save new
+                    try {
+                        $bck_data_enc = $client->download($configfiles[array_keys($configfiles)[0]]);
+                        if (strpos(substr($bck_data_enc, 0, 100), '---') !== false) {
+                            // base64 string is wrapped into tags
+                            $start_at = strpos($bck_data_enc, "---\n") + 4;
+                            $end_at = strpos($bck_data_enc, "\n---");
+                            $bck_data_enc = substr($bck_data_enc, $start_at, ($end_at - $start_at));
+                        }
+                        $bck_data = $this->decrypt(
+                            $bck_data_enc,
+                            (string)$config->system->remotebackup->GDrivePassword
+                        );
+                        if ($bck_data == $confdata) {
+                            $target_filename = null;
+                        }
+                    } catch (\Error | \Exception $e) {
+                        syslog(LOG_ERR, "unable to download " .
+                            $configfiles[array_keys($configfiles)[0]]->description . " from Google Drive (" . $e . ")");
+                    }
+                }
+                if (!is_null($target_filename)) {
+                    syslog(LOG_NOTICE, "backup configuration as " . $target_filename);
+                    try {
+                        $configfiles[$target_filename] = $client->upload(
+                            (string)$config->system->remotebackup->GDriveFolderID,
+                            $target_filename,
+                            $confdata_enc
+                        );
+                    } catch (\Error | \Exception $e) {
+                        syslog(LOG_ERR, "unable to upload " . $target_filename . " to Google Drive (" . $e . ")");
+                        return array();
+                    }
+
+                    krsort($configfiles);
+                }
+
+                // cleanup old files
+                if (
+                    isset($config->system->remotebackup->GDriveBackupCount)
+                        && is_numeric((string)$config->system->remotebackup->GDriveBackupCount)
+                ) {
+                    $fcount = 0;
+                    foreach ($configfiles as $filename => $file) {
+                        if ($fcount >= (string)$config->system->remotebackup->GDriveBackupCount) {
+                            syslog(LOG_NOTICE, "remove " . $filename . " from Google Drive");
+                            try {
+                                $client->delete($file);
+                            } catch (Google_Service_Exception $e) {
+                                syslog(LOG_ERR, "unable to remove " . $filename . " from Google Drive");
+                            }
+                        }
+                        $fcount++;
+                    }
+                }
+
+                // return filelist
+                return array_keys($configfiles);
+            }
+        }
+
+        // not configured / issue, return empty list
+        return array();
+    }
+
+    /**
+     * Is this provider enabled
+     * @return boolean enabled status
+     */
+    public function isEnabled()
+    {
+        $cnf = Config::getInstance();
+        if ($cnf->isValid()) {
+            $config = $cnf->object();
+            return isset($config->system->remotebackup) && isset($config->system->remotebackup->GDriveEnabled)
+                && !empty($config->system->remotebackup->GDriveEnabled);
+        }
+        return false;
+    }
+}

From 931f2c5d7a73f4158748fdf14c1a1f8ba3c5d20e Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 12 Mar 2025 17:19:47 +0100
Subject: [PATCH 2375/3088] www/OPNProxy - compatibility fix for new member
 attribute, closes https://github.com/opnsense/plugins/issues/4589

---
 .../src/opnsense/scripts/OPNProxy/redis_sync_users.py    | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/www/OPNProxy/src/opnsense/scripts/OPNProxy/redis_sync_users.py b/www/OPNProxy/src/opnsense/scripts/OPNProxy/redis_sync_users.py
index 3e22e09099..30098333ea 100755
--- a/www/OPNProxy/src/opnsense/scripts/OPNProxy/redis_sync_users.py
+++ b/www/OPNProxy/src/opnsense/scripts/OPNProxy/redis_sync_users.py
@@ -60,9 +60,12 @@
     membership = dict()
     for group in xmlroot.findall('./system/group'):
         for member in group.findall('member'):
-            if member.text not in membership:
-                membership[member.text] = list()
-            membership[member.text].append(group.findtext('name'))
+            if  member.text is None:
+               continue
+            for item in member.text.split(','):
+                if item not in membership:
+                    membership[item] = list()
+                membership[item].append(group.findtext('name'))
 
     for user in xmlroot.findall('./system/user'):
         if args.username is None or args.username == user.findtext('name'):

From 8e95b6ed461fc4dca2e2dbfeac4c2139013055b7 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 13 Mar 2025 19:33:00 +0100
Subject: [PATCH 2376/3088] net/frr: Fix passive interface generation in ospf
 (#4594)

---
 net/frr/Makefile                                    |  1 +
 .../service/templates/OPNsense/Quagga/ospfd.conf    | 13 +++++--------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 46155e8a8f..c7cbc732ca 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.43
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index b937c735bb..b6da96c22c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -9,20 +9,17 @@
 agentx
 {%   endif %}
 {% endif %}
-{% set passive_interfaces = [] %}
-{% if helpers.exists('OPNsense.quagga.ospf.passiveinterfaces') and OPNsense.quagga.ospf.passiveinterfaces != '' %}
-{%     for line in OPNsense.quagga.ospf.passiveinterfaces.split(',') %}
-{%         set iface = physical_interface(line) %}
-{%         set _ = passive_interfaces.append(iface) %}
-interface {{ iface }}
+{% if OPNsense.quagga.ospf.passiveinterfaces %}
+{%     for iface in OPNsense.quagga.ospf.passiveinterfaces.split(',') %}
+interface {{ helpers.physical_interface(iface) }}
   ip ospf passive
 {%     endfor %}
 {% endif %}
-{# Render only the enabled non-passive interfaces past this point #}
+{# vtysh automatically merges passive interfaces with interfaces below #}
 {% if helpers.exists('OPNsense.quagga.ospf.interfaces.interface') %}
 {%     for interface in helpers.toList('OPNsense.quagga.ospf.interfaces.interface') %}
 {%         set iface = physical_interface(interface.interfacename) %}
-{%         if interface.enabled == '1' and iface not in passive_interfaces %}
+{%         if interface.enabled == '1' %}
 interface {{ iface }}
 {%             if interface.bfd|default('') == '1' %}
   ip ospf bfd

From 2b961b6d8c1a3aae92432e27c8bfa7b71155a759 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 14 Mar 2025 08:12:12 +0100
Subject: [PATCH 2377/3088] www/OPNProxy: bump revision

---
 www/OPNProxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/OPNProxy/Makefile b/www/OPNProxy/Makefile
index 3c1b5d9995..20aa92ff16 100644
--- a/www/OPNProxy/Makefile
+++ b/www/OPNProxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		OPNProxy
 PLUGIN_VERSION=		1.0.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		OPNsense proxy additions
 PLUGIN_DEPENDS=		os-redis${PLUGIN_PKGSUFFIX} \
 			os-squid${PLUGIN_PKGSUFFIX} \

From 8d03cdfee3a16b5beb12ac409a6287b7bdb10f95 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 14 Mar 2025 10:01:07 +0100
Subject: [PATCH 2378/3088] sysutils/gdrive-backup: make this dev only for now

---
 README.md                       | 2 +-
 sysutils/gdrive-backup/Makefile | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c3b757df19..d19657ee95 100644
--- a/README.md
+++ b/README.md
@@ -98,7 +98,7 @@ sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/cpu-microcode -- CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
-sysutils/gdrive-backup -- Backup configurations using Google Drive
+sysutils/gdrive-backup -- Backup configurations using Google Drive (development only)
 sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
diff --git a/sysutils/gdrive-backup/Makefile b/sysutils/gdrive-backup/Makefile
index 4372dbfc80..25d2ea24c2 100644
--- a/sysutils/gdrive-backup/Makefile
+++ b/sysutils/gdrive-backup/Makefile
@@ -1,7 +1,8 @@
 PLUGIN_NAME=		gdrive-backup
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		0.1
 PLUGIN_COMMENT=		Backup configurations using Google Drive
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-google-api-php-client
+PLUGIN_DEVEL=		yes
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 

From 99d22e1691aefd1848673ab44de0553afc133ef6 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Fri, 14 Mar 2025 11:14:42 +0100
Subject: [PATCH 2379/3088] Update squid workers helptext. (#4597)

---
 .../opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index dca5a45f39..309053bf1e 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -350,7 +350,7 @@
                 <id>proxy.forward.workers</id>
                 <label>Number of squid workers</label>
                 <type>text</type>
-                <help>Start N main Squid process daemons (i.e., SMP mode). Requires Restart. Do not enable when using local cache.</help>
+                <help>Start N main Squid process daemons (i.e., SMP mode). Requires Restart.</help>
                 <hint>1</hint>
                 <advanced>true</advanced>
             </field>

From 50c9cb095a04c05f83367c2922ecdea0d79aa8d4 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 14 Mar 2025 13:23:25 +0100
Subject: [PATCH 2380/3088] sysutils/sftp-backup :  fix identity comparison for
 https://github.com/opnsense/plugins/issues/4582

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php    | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
index 90c2e5aba7..75846a6525 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -177,8 +177,9 @@ private function getIdentity()
         if (!is_dir($confdir)) {
             mkdir($confdir);
         }
-        if (!is_file($identfile) || file_get_contents($identfile) != $this->model->privkey) {
-            File::file_put_contents($identfile, trim(str_replace("\r", "", $this->model->privkey)) . "\n", 0600);
+        $this_key = trim(str_replace("\r", "", $this->model->privkey)) . "\n";
+        if (!is_file($identfile) || file_get_contents($identfile) != $this_key) {
+            File::file_put_contents($identfile, $this_key, 0600);
         }
         return $identfile;
     }

From 8b5dd05fd4e067bf368177888003f636de53508a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 19 Mar 2025 08:59:47 +0100
Subject: [PATCH 2381/3088] ddclient: remove deprecated domains, closes
 https://github.com/opnsense/plugins/issues/4607

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml      | 2 --
 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py       | 2 --
 2 files changed, 4 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 600e17517b..4554ff7514 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -146,8 +146,6 @@
                         <web_freedns>freedns</web_freedns>
                         <web_he>he</web_he>
                         <web_icanhazip>icanhazip</web_icanhazip>
-                        <web_ip4only_me value="web_ip4only.me">ip4only.me</web_ip4only_me>
-                        <web_ip6only_me value="web_ip6only.me">ip6only.me</web_ip6only_me>
                         <web_ipify_ipv4 value="web_ipify-ipv4">ipify-ipv4</web_ipify_ipv4>
                         <web_ipify_ipv6 value="web_ipify-ipv6">ipify-ipv6</web_ipify_ipv6>
                         <web_loopia>loopia</web_loopia>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index d1dc1c6ab1..fd444ac071 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -36,8 +36,6 @@
   'freedns': '%s://freedns.afraid.org/dynamic/check.php',
   'he': '%s://checkip.dns.he.net/',
   'icanhazip': '%s://icanhazip.com/',
-  'ip4only.me': '%s://ip4only.me/api/',
-  'ip6only.me': '%s://ip6only.me/api/',
   'ipify-ipv4': '%s://api.ipify.org/',
   'ipify-ipv6': '%s://api6.ipify.org/',
   'loopia': '%s://dns.loopia.se/checkip/checkip.php',

From 8d5a15555320068dfd37f748c916da5164459f26 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 19 Mar 2025 14:13:22 +0100
Subject: [PATCH 2382/3088] www/caddy: Add client auth mtls to domains (#4601)

---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  4 ++++
 .../Caddy/forms/dialogReverseProxy.xml        | 19 +++++++++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 12 ++++++++++
 .../scripts/OPNsense/Caddy/caddy_certs.php    | 16 +++++++++++--
 .../templates/OPNsense/Caddy/Caddyfile        | 23 ++++++++++++++++---
 6 files changed, 70 insertions(+), 6 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index ed4434653e..b8195f4da6 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.8.3
+PLUGIN_VERSION=		1.8.4
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 640ead7eaf..67443a08c5 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,10 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.8.4
+
+* Add: Client Auth (mTLS) to domains (opnsense/plugins/issues/4089)
+
 1.8.3
 
 * Add: Update DNS Providers with new optional choices (opnsense/plugins/issues/4543)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index a8163b33f1..86a0bd1bb8 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -104,6 +104,25 @@
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>reverse.ClientAuthTrustPool</id>
+        <label>Client Auth Trust Pool</label>
+        <type>select_multiple</type>
+        <help><![CDATA[Choose multiple CAs or self-signed certificates from "System - Trust - Authorities". Client Auth is activated as soon as at least one certificate has been chosen. Important: Certificate revocation lists are not evaluated. If you need granular control, provide individual self-signed certificates for each device, and unset them to block access. Though keep in mind that if no certificate is left in this field, Client Auth will be deactivated.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>reverse.ClientAuthMode</id>
+        <label>Client Auth Mode</label>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+        <help><![CDATA["request" - Ask clients for a certificate, but allow even if there isn't one; do not verify it. "require" - Require clients to present a certificate, but do not verify it. "verify_if_given" - Ask clients for a certificate; allow even if there isn't one, but verify it if there is. "require_and_verify" - Require clients to present a valid certificate that is verified.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
     <field>
         <id>reverse.AccessLog</id>
         <label>HTTP Access Log</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index bf5c3cbfe9..0deb5239cc 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -276,6 +276,18 @@
                         <http value="1">http://</http>
                     </OptionValues>
                 </DisableTls>
+                <ClientAuthMode type="OptionField">
+                    <BlankDesc>require_and_verify</BlankDesc>
+                    <OptionValues>
+                        <request>request</request>
+                        <require>require</require>
+                        <verify_if_given>verify_if_given</verify_if_given>
+                    </OptionValues>
+                </ClientAuthMode>
+                <ClientAuthTrustPool type="CertificateField">
+                    <Type>ca</Type>
+                    <Multiple>Y</Multiple>
+                </ClientAuthTrustPool>
             </reverse>
             <subdomain type="ArrayField">
                 <enabled type="BooleanField">
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index 67618d75aa..f4b43e0deb 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -87,14 +87,26 @@
     }
 }
 
+foreach ((new Caddy())->reverseproxy->reverse->iterateItems() as $reverseItem) {
+    $caCertField = (string)$reverseItem->ClientAuthTrustPool;
+
+    if (!empty($caCertField)) {
+        $refs = array_map('trim', explode(',', $caCertField));
+        foreach ($refs as $ref) {
+
+            if (!empty($ref)) {
+                $caCertRefs[] = $ref;
+            }
+        }
+    }
+}
+
 $caCertRefs = array_unique($caCertRefs);
 
 foreach ((new Ca())->ca->iterateItems() as $caItem) {
     $refid = (string)$caItem->refid;
-
     if (in_array($refid, $caCertRefs, true)) {
         $caCert = base64_decode((string)$caItem->crt);
-
         $writeFileIfChanged($tempDir . $refid . '.pem', $caCert);
     }
 }
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index fe712251f4..d5bdb2b663 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -306,6 +306,8 @@ http://{{ domain }} {
 {% macro tls_configuration(
     customCert,
     dnsChallenge,
+    clientAuthTrustPool,
+    clientAuthMode,
     dnsProvider,
     dnsApiKey,
     dnsSecretApiKey,
@@ -318,8 +320,9 @@ http://{{ domain }} {
     tlsDnsPropagationDelay,
     tlsDnsPropagationResolvers
 ) %}
-    {% if customCert or (dnsChallenge == "1" and dnsProvider) %}
-        tls {% if customCert %}/var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key{% endif %} {% if not customCert and dnsChallenge == "1" and dnsProvider %}{
+    {% if customCert or (dnsChallenge == "1" and dnsProvider) or clientAuthTrustPool %}
+        tls {% if customCert %}/var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key{% endif %} {
+            {% if not customCert and (dnsChallenge == "1" and dnsProvider) %}
             issuer acme {
                 dns {{ dnsProvider }} {% if dnsProvider not in dnsProviderSpecialConfig %}{{ dnsApiKey }}{% else %}{
                     {% set context_var = 'dnsProviderSpecialLogic' %}
@@ -339,7 +342,19 @@ http://{{ domain }} {
                 propagation_delay {{ tlsDnsPropagationDelay }}s
                 {% endif %}
             }
-        }{% endif %}
+            {% endif %}
+
+            {% if clientAuthTrustPool %}
+                client_auth {
+                    {% for ca in clientAuthTrustPool.split(',') %}
+                    trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ ca.strip() }}.pem
+                    {% endfor %}
+                    {% if clientAuthMode %}
+                    mode {{ clientAuthMode }}
+                    {% endif %}
+                }
+            {% endif %}
+        }
     {% endif %}
 {% endmacro %}
 
@@ -595,6 +610,8 @@ http://{{ domain }} {
             {{ tls_configuration(
                 reverse.CustomCertificate|default(""),
                 reverse.DnsChallenge|default("0"),
+                reverse.ClientAuthTrustPool|default(""),
+                reverse.ClientAuthMode|default(""),
                 generalSettings.TlsDnsProvider,
                 generalSettings.TlsDnsApiKey,
                 generalSettings.TlsDnsSecretApiKey,

From ae6185094e5fe8873d3e3a6ee984e16987c35fce Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Mar 2025 15:17:36 +0100
Subject: [PATCH 2383/3088] plugins: style sweep

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php | 8 ++++----
 .../mvc/app/controllers/OPNsense/Caddy/forms/general.xml  | 2 +-
 .../src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php   | 1 -
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
index 75846a6525..dc09fe3422 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -187,13 +187,13 @@ private function getIdentity()
     /**
      * @return list of files on remote location
      */
-    private function ls($pattern='')
+    private function ls($pattern = '')
     {
         $result = [];
-        foreach (explode("\n", $this->sftpCmd('ls -lnt '. $pattern)['stdout']) as $line) {
+        foreach (explode("\n", $this->sftpCmd('ls -lnt ' . $pattern)['stdout']) as $line) {
             $parts = preg_split('/\s+/', $line, -1, PREG_SPLIT_NO_EMPTY);
             if (count($parts) >= 7) {
-                $result[] = $parts[count($parts)-1];
+                $result[] = $parts[count($parts) - 1];
             }
         }
         return $result;
@@ -249,7 +249,7 @@ public function backup()
         /* cleanup */
         rsort($remote_backups);
         if (count($remote_backups) > (int)$this->model->backupcount->getCurrentValue()) {
-            for ($i = $this->model->backupcount->getCurrentValue() ; $i < count($remote_backups); $i++) {
+            for ($i = $this->model->backupcount->getCurrentValue(); $i < count($remote_backups); $i++) {
                 $this->del($remote_backups[$i]);
             }
             $remote_backups = $this->ls('config-*.xml');
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 87ee5a58fb..b6f0c86d10 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -262,4 +262,4 @@
         </field>
     </tab>
     <activetab>general-settings</activetab>
-</form>
\ No newline at end of file
+</form>
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index f4b43e0deb..a6494eb977 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -93,7 +93,6 @@
     if (!empty($caCertField)) {
         $refs = array_map('trim', explode(',', $caCertField));
         foreach ($refs as $ref) {
-
             if (!empty($ref)) {
                 $caCertRefs[] = $ref;
             }

From ef54f31c73465eba69427fdbe6af6439f75800fe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Mar 2025 15:19:11 +0100
Subject: [PATCH 2384/3088] plugins: add pull target

---
 Mk/defaults.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 9cf73ce3a6..9795559485 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -157,6 +157,11 @@ rebase:
 log:
 	@git log --stat -p ${PLUGIN_STABLE}
 
+pull:
+	@git checkout ${PLUGIN_STABLE}
+	@git pull
+	@git checkout ${PLUGIN_MAIN}
+
 push:
 	@git checkout ${PLUGIN_STABLE}
 	@git push

From 64c4272413d6af24a38f4d6683e21b78059967d3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Mar 2025 15:20:23 +0100
Subject: [PATCH 2385/3088] sysutils/sftp-backup: bump revision again

---
 sysutils/sftp-backup/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/sftp-backup/Makefile b/sysutils/sftp-backup/Makefile
index ca782f04be..d1ce650946 100644
--- a/sysutils/sftp-backup/Makefile
+++ b/sysutils/sftp-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		sftp-backup
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Backup configurations using SFTP
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2

From 6dfe5ab003989ec96e9e9dabab2adc7d1400ca1d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Mar 2025 15:25:22 +0100
Subject: [PATCH 2386/3088] dns/ddclient: bump revision and document

---
 dns/ddclient/Makefile  | 1 +
 dns/ddclient/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 1d004d5588..cb55c5f2c9 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.27
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 3e91a0e2a1..0d3991e442 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -10,6 +10,7 @@ Plugin Changelog
 
 * Add support for altering IPv6 addresses in native backend (contributed by SaarLAN-Pissbeutel)
 * Fix Netcup host/domain recognition (contributed by SaarLAN-Pissbeutel)
+* Removed defunct ip4only.me and ip6only.me
 
 1.26
 

From 037cb532ea32241661f3d7ddb07c36f1dd49c536 Mon Sep 17 00:00:00 2001
From: beposec <46341010+beposec@users.noreply.github.com>
Date: Wed, 19 Mar 2025 22:13:46 +0100
Subject: [PATCH 2387/3088] sftp-backup: Add hostname prefix and allow usage of
 filedrop sftp server (#4602)

* Add possibility for hostname prefix for backups and allow usage of filedrop only sftp server

* Move config variable into else block

* Set value in case no backups where found on the server and housekeeping is disabled.

---------

Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com>
---
 .../mvc/app/library/OPNsense/Backup/Sftp.php  | 86 ++++++++++++-------
 .../models/OPNsense/Backup/SftpSettings.xml   |  6 +-
 2 files changed, 58 insertions(+), 34 deletions(-)

diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
index dc09fe3422..32f7b8a509 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -74,11 +74,20 @@ public function getConfigurationFields()
                 "help" => gettext("The private key used to setup the connection."),
                 "value" => null
            ],
+           [
+                "name" => "prefixhostname",
+                "type" => "checkbox",
+                "label" => gettext("Prefix hostname to backupfile"),
+                "help" => gettext("Normally the config xml will be written as config-stamp.xml, with this option set " .
+                "the filename will use the systems host and domain name."),
+                "value" => null
+           ],
            [
                 "name" => "backupcount",
                 "type" => "text",
                 "label" => gettext("Backup Count"),
-                "value" => null
+                "help" => gettext("Amount of backups to be kept at remote location. Set to 0 to upload latest only without housekeeping"),
+                "value" => 60
            ],
            [
                 "name" => "password",
@@ -221,41 +230,52 @@ private function del($filename)
      */
     public function backup()
     {
-        if ($this->model->enabled->isEmpty()) {
+        $cnf = Config::getInstance();
+        if (!$this->model->enabled->isEmpty() && $cnf->isValid()) {
+            if ($this->model->prefixhostname->isEmpty()) {
+                $fileprefix = "config-";
+            } else {
+                $config = $cnf->object();
+                $fileprefix = sprintf('%s.%s-', (string)$config->system->hostname, (string)$config->system->domain);
+            }
+            /**
+             * Collect most recent backup, since /conf/backup/ always contains the latests, we can use the filename
+             * for easy comparison.
+             **/
+            $all_backups = glob('/conf/backup/config-*.xml');
+            $most_recent = $all_backups[count($all_backups) - 1];
+            $confdata = file_get_contents($most_recent);
+            if (!$this->model->password->isEmpty()) {
+                $confdata = $this->encrypt($confdata, (string)$this->model->password);
+            }
+            $remote_backups = $this->ls(sprintf('%s*.xml', $fileprefix));
+            $target_filename = strtolower(preg_replace('/^config-/', $fileprefix, basename($most_recent)));
+
+            if (!in_array($target_filename, $remote_backups)) {
+                syslog(LOG_NOTICE, "backup configuration as " . $target_filename);
+                $tmpfilename = sprintf("/conf/backup/sftp/%s", $target_filename);
+                File::file_put_contents($tmpfilename, $confdata, 0600);
+                $this->put($tmpfilename, $target_filename);
+                unlink($tmpfilename);
+                $remote_backups = $this->ls(sprintf('%s*.xml', $fileprefix));
+            }
+            /* cleanup only if backup count is > 0*/
+            if ($this->model->backupcount->asFloat() > 0) {
+                rsort($remote_backups);
+                if (count($remote_backups) > (int)$this->model->backupcount->getCurrentValue()) {
+                    for ($i = $this->model->backupcount->getCurrentValue() ; $i < count($remote_backups); $i++) {
+                        $this->del($remote_backups[$i]);
+                    }
+                    $remote_backups = $this->ls(sprintf('%s*.xml', $fileprefix));
+                }
+                return $remote_backups;
+            } else {
+                return $this->ls(sprintf('%s*.xml', $fileprefix)) ?: [];
+            }
+        } else {
             /* disabled */
             return;
         }
-        /**
-         * Collect most recent backup, since /conf/backup/ always contains the latests, we can use the filename
-         * for easy comparison.
-         **/
-        $all_backups = glob('/conf/backup/config-*.xml');
-        $most_recent = $all_backups[count($all_backups) - 1];
-        $confdata = file_get_contents($most_recent);
-        if (!$this->model->password->isEmpty()) {
-            $confdata = $this->encrypt($confdata, (string)$this->model->password);
-        }
-        /* backup filename when not already on remote location */
-        $remote_backups = $this->ls('config-*.xml');
-        $target_filename = basename($most_recent);
-        if (!in_array($target_filename, $remote_backups)) {
-            syslog(LOG_NOTICE, "backup configuration as " . $target_filename);
-            $tmpfilename = sprintf("/conf/backup/sftp/%s", $target_filename);
-            File::file_put_contents($tmpfilename, $confdata, 0600);
-            $this->put($tmpfilename, $target_filename);
-            unlink($tmpfilename);
-            $remote_backups = $this->ls('config-*.xml');
-        }
-        /* cleanup */
-        rsort($remote_backups);
-        if (count($remote_backups) > (int)$this->model->backupcount->getCurrentValue()) {
-            for ($i = $this->model->backupcount->getCurrentValue(); $i < count($remote_backups); $i++) {
-                $this->del($remote_backups[$i]);
-            }
-            $remote_backups = $this->ls('config-*.xml');
-        }
-
-        return $remote_backups;
     }
 
     /**
diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
index d5ba6c324d..3756f971d0 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
@@ -46,7 +46,11 @@
         <backupcount type="IntegerField">
             <Default>60</Default>
             <Required>Y</Required>
-            <MinimumValue>1</MinimumValue>
+            <MinimumValue>0</MinimumValue>
         </backupcount>
+        <prefixhostname type="BooleanField">
+          <Default>0</Default>
+          <Required>N</Required>
+        </prefixhostname>
     </items>
 </model>

From 4a202ebcd2d72c521121f61353b1e62cf88cff28 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 21 Mar 2025 07:54:37 +0100
Subject: [PATCH 2388/3088] net/frr: Add BGP remote-as internal and external to
 neighbors and peergroups (#4611)

---
 net/frr/Makefile                                  |  3 +--
 net/frr/pkg-descr                                 |  4 ++++
 .../Quagga/forms/dialogEditBGPNeighbor.xml        |  9 +++++++++
 .../Quagga/forms/dialogEditBGPPeergroups.xml      |  9 +++++++++
 .../mvc/app/models/OPNsense/Quagga/BGP.xml        | 15 ++++++++++++++-
 .../service/templates/OPNsense/Quagga/bgpd.conf   |  8 ++++++--
 6 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index c7cbc732ca..2b6b1acfff 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.43
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.44
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 6a19f73797..3ca6855575 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.44
+
+* Add BGP remote-as internal and external (opnsense/plugins/issues/4609)
+
 1.43
 
 * Use frr-reload instead of restarting the service on configuration changes (opnsense/plugins/issues/4529)
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 9c2d176bef..d2a91df99d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -21,6 +21,15 @@
     <type>text</type>
     <help>Specify the IP address of the BGP neighbor.</help>
   </field>
+  <field>
+    <id>neighbor.remote_as_mode</id>
+    <label>Remote AS mode</label>
+    <type>dropdown</type>
+    <help>"Use Remote AS Number" will use the number specified in the "Remote AS" field, while "External" or "Internal" will ignore it in favor of the alternative "remote-as internal" and "remote-as external" settings.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
   <field>
     <id>neighbor.remoteas</id>
     <label>Remote AS</label>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
index a42ece7628..4f29080fcc 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
@@ -15,6 +15,15 @@
     <type>text</type>
     <help>Name of the peer group.</help>
   </field>
+  <field>
+    <id>peergroup.remote_as_mode</id>
+    <label>Remote AS mode</label>
+    <type>dropdown</type>
+    <help>"Use Remote AS Number" will use the number specified in the "Remote AS" field, while "External" or "Internal" will ignore it in favor of the alternative "remote-as internal" and "remote-as external" settings.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
   <field>
     <id>peergroup.remoteas</id>
     <label>Remote AS</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index a7239218ec..88f5e92bde 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -63,6 +63,13 @@
                                 <default></default>
                                 <Required>Y</Required>
                         </address>
+                        <remote_as_mode type="OptionField">
+                                <BlankDesc>Use Remote AS Number</BlankDesc>
+                                <OptionValues>
+                                        <internal>Internal</internal>
+                                        <external>External</external>
+                                </OptionValues>
+                        </remote_as_mode>
                         <remoteas type="IntegerField">
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>4294967295</MaximumValue>
@@ -418,8 +425,14 @@
                         <name type="TextField">
                                 <Required>Y</Required>
                         </name>
+                        <remote_as_mode type="OptionField">
+                                <BlankDesc>Use Remote AS Number</BlankDesc>
+                                <OptionValues>
+                                        <internal>Internal</internal>
+                                        <external>External</external>
+                                </OptionValues>
+                        </remote_as_mode>
                         <remoteas type="IntegerField">
-                                <Required>Y</Required>
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>4294967295</MaximumValue>
                         </remoteas>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index e560f3c25b..55023713a0 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -51,8 +51,10 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%   for peergroup in helpers.toList('OPNsense.quagga.bgp.peergroups.peergroup') %}
 {%     if peergroup.enabled == '1' %}
  neighbor {{ peergroup.name }} peer-group
-{%       if 'remoteas' in peergroup and peergroup.remoteas != '' %}
+{%       if 'remoteas' in peergroup and peergroup.remoteas and not peergroup.remote_as_mode %}
  neighbor {{ peergroup.name }} remote-as {{ peergroup.remoteas }}
+{%       else %}
+ neighbor {{ peergroup.name }} remote-as {{ peergroup.remote_as_mode }}
 {%       endif %}
 {%       if peergroup.updatesource %}
  neighbor {{ peergroup.name }} update-source {{ physical_interface(peergroup.updatesource) }}
@@ -101,8 +103,10 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') %}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bgp.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}
-{%         if 'remoteas' in neighbor and neighbor.remoteas != '' %}
+{%         if 'remoteas' in neighbor and neighbor.remoteas and not neighbor.remote_as_mode %}
  neighbor {{ neighbor.address }} remote-as {{ neighbor.remoteas }}
+{%         else %}
+ neighbor {{ neighbor.address }} remote-as {{ neighbor.remote_as_mode }}
 {%         endif %}
 {%         if neighbor.bfd|default('') == '1' %}
  neighbor {{ neighbor.address }} bfd

From 30c2b1a1ab54aa3a015ea684a101b86173e0cbd9 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 21 Mar 2025 07:55:33 +0100
Subject: [PATCH 2389/3088] net/frr: Add BGP/OSPF/OSPF6 route redistribution
 with route-map feature (#4578)

* net/frr: Add BGP route redistribution with route-map feature. Add migration.

* net/frr: Small template fix in redistribution since route-map is optional

* net/frr: Add OSPF and OSPF6 route redistribution with route-map feature. Adjust migration to migrate OSPF, OSPF6 and BGP models.

* net/frr: make sweep

* net/frr: Fix wrong diff in ospf6 template

* net/frr: Add a little css to make the redistribution grid look like its part of the base form, more seamless integration

* net/frr: Show route-map in grid and hide description
---
 net/frr/pkg-descr                             |  2 +
 .../OPNsense/Quagga/Api/BgpController.php     | 31 ++++++
 .../Quagga/Api/Ospf6settingsController.php    | 25 +++++
 .../Quagga/Api/OspfsettingsController.php     | 26 +++++
 .../OPNsense/Quagga/BgpController.php         |  3 +
 .../OPNsense/Quagga/Ospf6Controller.php       |  3 +
 .../OPNsense/Quagga/OspfController.php        |  3 +
 .../controllers/OPNsense/Quagga/forms/bgp.xml |  6 --
 .../Quagga/forms/dialogEditRedistribution.xml | 33 +++++++
 .../OPNsense/Quagga/forms/ospf.xml            | 12 ---
 .../OPNsense/Quagga/forms/ospf6.xml           | 12 ---
 .../mvc/app/models/OPNsense/Quagga/BGP.xml    | 45 ++++++---
 .../OPNsense/Quagga/Migrations/M1_1_0.php     | 96 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Quagga/OSPF.xml   | 58 ++++++-----
 .../mvc/app/models/OPNsense/Quagga/OSPF6.xml  | 52 ++++++----
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    | 35 +++++++
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 35 +++++++
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  | 35 ++++++-
 .../templates/OPNsense/Quagga/bgpd.conf       | 10 +-
 .../templates/OPNsense/Quagga/ospf6d.conf     | 10 +-
 .../templates/OPNsense/Quagga/ospfd.conf      | 10 +-
 21 files changed, 437 insertions(+), 105 deletions(-)
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditRedistribution.xml
 create mode 100644 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Migrations/M1_1_0.php

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 3ca6855575..aa57d45c41 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,6 +14,8 @@ Plugin Changelog
 
 1.44
 
+* Add route-map functionality to route redistribution in bgp (opnsense/plugins/issues/4570)
+* Add route-map functionality to route redistribution in ospf/ospf6 (opnsense/plugins/issues/4580)
 * Add BGP remote-as internal and external (opnsense/plugins/issues/4609)
 
 1.43
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 2d1759dcec..3a4a931584 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -187,6 +187,31 @@ public function setPeergroupAction($uuid)
         return $this->setBase('peergroup', 'peergroups.peergroup', $uuid);
     }
 
+    public function searchRedistributionAction()
+    {
+        return $this->searchBase('redistributions.redistribution');
+    }
+
+    public function getRedistributionAction($uuid = null)
+    {
+        return $this->getBase('redistribution', 'redistributions.redistribution', $uuid);
+    }
+
+    public function addRedistributionAction()
+    {
+        return $this->addBase('redistribution', 'redistributions.redistribution');
+    }
+
+    public function delRedistributionAction($uuid)
+    {
+        return $this->delBase('redistributions.redistribution', $uuid);
+    }
+
+    public function setRedistributionAction($uuid)
+    {
+        return $this->setBase('redistribution', 'redistributions.redistribution', $uuid);
+    }
+
     public function toggleCommunitylistAction($uuid)
     {
         return $this->toggleBase('communitylists.communitylist', $uuid);
@@ -216,4 +241,10 @@ public function togglePeergroupAction($uuid)
     {
         return $this->toggleBase('peergroups.peergroup', $uuid);
     }
+
+    public function toggleRedistributionAction($uuid)
+    {
+        return $this->toggleBase('redistributions.redistribution', $uuid);
+    }
+
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
index 5019e029be..65c2610b53 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
@@ -137,4 +137,29 @@ public function toggleRoutemapAction($uuid)
     {
         return $this->toggleBase('routemaps.routemap', $uuid);
     }
+    public function searchRedistributionAction()
+    {
+        return $this->searchBase('redistributions.redistribution');
+    }
+    public function getRedistributionAction($uuid = null)
+    {
+        return $this->getBase('redistribution', 'redistributions.redistribution', $uuid);
+    }
+    public function addRedistributionAction()
+    {
+        return $this->addBase('redistribution', 'redistributions.redistribution');
+    }
+    public function delRedistributionAction($uuid)
+    {
+        return $this->delBase('redistributions.redistribution', $uuid);
+    }
+    public function setRedistributionAction($uuid)
+    {
+        return $this->setBase('redistribution', 'redistributions.redistribution', $uuid);
+    }
+    public function toggleRedistributionAction($uuid)
+    {
+        return $this->toggleBase('redistributions.redistribution', $uuid);
+    }
+
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
index cb495c1c24..7634494206 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
@@ -133,4 +133,30 @@ public function toggleRoutemapAction($uuid)
     {
         return $this->toggleBase('routemaps.routemap', $uuid);
     }
+
+    public function searchRedistributionAction()
+    {
+        return $this->searchBase('redistributions.redistribution');
+    }
+    public function getRedistributionAction($uuid = null)
+    {
+        return $this->getBase('redistribution', 'redistributions.redistribution', $uuid);
+    }
+    public function addRedistributionAction()
+    {
+        return $this->addBase('redistribution', 'redistributions.redistribution');
+    }
+    public function delRedistributionAction($uuid)
+    {
+        return $this->delBase('redistributions.redistribution', $uuid);
+    }
+    public function setRedistributionAction($uuid)
+    {
+        return $this->setBase('redistribution', 'redistributions.redistribution', $uuid);
+    }
+    public function toggleRedistributionAction($uuid)
+    {
+        return $this->toggleBase('redistributions.redistribution', $uuid);
+    }
+
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
index 1374be541d..6949d12e3d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/BgpController.php
@@ -52,6 +52,9 @@ public function indexAction()
         $this->view->formDialogEditBGPPeergroups = $this->getForm("dialogEditBGPPeergroups");
         $this->view->formGridEditBGPPeergroups = $this->getFormGrid("dialogEditBGPPeergroups");
 
+        $this->view->formDialogEditRedistribution = $this->getForm("dialogEditRedistribution");
+        $this->view->formGridEditRedistribution = $this->getFormGrid("dialogEditRedistribution");
+
         $this->view->pick('OPNsense/Quagga/bgp');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
index 107cafa782..e782096b92 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Ospf6Controller.php
@@ -43,6 +43,9 @@ public function indexAction()
         $this->view->formDialogEditRouteMaps = $this->getForm("dialogEditOSPF6RouteMaps");
         $this->view->formGridEditRouteMaps = $this->getFormGrid("dialogEditOSPF6RouteMaps");
 
+        $this->view->formDialogEditRedistribution = $this->getForm("dialogEditRedistribution");
+        $this->view->formGridEditRedistribution = $this->getFormGrid("dialogEditRedistribution");
+
         $this->view->pick('OPNsense/Quagga/ospf6');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
index 0ab2f15881..584c5da005 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
@@ -46,6 +46,9 @@ public function indexAction()
         $this->view->formDialogEditRouteMaps = $this->getForm("dialogEditOSPFRouteMaps");
         $this->view->formGridEditRouteMaps = $this->getFormGrid("dialogEditOSPFRouteMaps");
 
+        $this->view->formDialogEditRedistribution = $this->getForm("dialogEditRedistribution");
+        $this->view->formGridEditRedistribution = $this->getFormGrid("dialogEditRedistribution");
+
         $this->view->pick('OPNsense/Quagga/ospf');
     }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index 85e104b23f..f515a7b714 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -53,10 +53,4 @@
         <type>checkbox</type>
         <help>Enable extended logging of BGP neighbor changes.</help>
     </field>
-    <field>
-        <id>bgp.redistribute</id>
-        <label>Route Redistribution</label>
-        <type>select_multiple</type>
-        <help>Select routing sources to redistribute to other nodes.</help>
-    </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditRedistribution.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditRedistribution.xml
new file mode 100644
index 0000000000..cd3eb2a08c
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditRedistribution.xml
@@ -0,0 +1,33 @@
+<form>
+    <field>
+        <id>redistribution.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
+    </field>
+    <field>
+        <id>redistribution.redistribute</id>
+        <label>Route Redistribution</label>
+        <type>dropdown</type>
+        <help>Select routing sources to redistribute to other nodes.</help>
+    </field>
+    <field>
+        <id>redistribution.linkedRoutemap</id>
+        <label>Route-Map</label>
+        <type>dropdown</type>
+        <help>Optional Route-map to apply to this redistribution.</help>
+    </field>
+    <field>
+        <id>redistribution.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Optional description for this redistribution.</help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
index 3600e8497c..e6935b8a89 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf.xml
@@ -31,18 +31,6 @@
         <type>select_multiple</type>
         <help>Select the interfaces where no OSPF packets should be sent.</help>
     </field>
-    <field>
-        <id>ospf.redistribute</id>
-        <label>Route Redistribution</label>
-        <type>select_multiple</type>
-        <help>Select other routing sources to redistribute to other nodes.</help>
-    </field>
-    <field>
-        <id>ospf.redistributemap</id>
-        <label>Redistribution Map</label>
-        <type>dropdown</type>
-        <help>Route Map to set for Redistribution, can be used to send a specific network as advertisement when it is defined in a Prefix List attached to a Route Map.</help>
-    </field>
     <field>
         <id>ospf.logadjacencychanges</id>
         <label>Log Adjacency Changes</label>
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
index 5432da38f7..8b4b014559 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/ospf6.xml
@@ -11,18 +11,6 @@
         <type>checkbox</type>
         <help>Register CARP status monitor. When no neighbors are found, consider this node less attractive. Requires syslog enabled with “Debugging” logging. Incompatible with “Enable CARP Failover”.</help>
     </field>
-    <field>
-        <id>ospf6.redistribute</id>
-        <label>Route Redistribution</label>
-        <type>select_multiple</type>
-        <help>Select other routing sources to redistribute to other nodes.</help>
-    </field>
-    <field>
-        <id>ospf6.redistributemap</id>
-        <label>Redistribution Map</label>
-        <type>dropdown</type>
-        <help>Route Map to set for Redistribution, can be used to send a specific network as advertisement when it is defined in a Prefix List attached to a Route Map.</help>
-    </field>
     <field>
         <id>ospf6.routerid</id>
         <label>Router ID</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 88f5e92bde..108c857145 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bgp</mount>
     <description>BGP Routing configuration</description>
-    <version>1.0.9</version>
+    <version>1.1.0</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -37,18 +37,6 @@
             <default></default>
             <Required>N</Required>
         </networks>
-        <redistribute type="OptionField">
-                <Required>N</Required>
-                <multiple>Y</multiple>
-                <default></default>
-                <OptionValues>
-                        <ospf>Open Shortest Path First (OSPF)</ospf>
-                        <connected>Connected routes (directly attached subnet or host)</connected>
-                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
-                        <rip>Routing Information Protocol (RIP)</rip>
-                        <static>Statically configured routes</static>
-                </OptionValues>
-        </redistribute>
         <neighbors>
                 <neighbor type="ArrayField">
                         <enabled type="BooleanField">
@@ -493,5 +481,36 @@
                         </linkedRoutemapOut>
             </peergroup>
         </peergroups>
+        <redistributions>
+                <redistribution type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <description type="DescriptionField"/>
+                        <redistribute type="OptionField">
+                                <Required>Y</Required>
+                                <Default>connected</Default>
+                                <OptionValues>
+                                        <ospf>Open Shortest Path First (OSPF)</ospf>
+                                        <connected>Connected routes (directly attached subnet or host)</connected>
+                                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
+                                        <rip>Routing Information Protocol (RIP)</rip>
+                                        <static>Statically configured routes</static>
+                                </OptionValues>
+                        </redistribute>
+                        <linkedRoutemap type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.bgp</source>
+                                                <items>routemaps.routemap</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
+                        </linkedRoutemap>
+                </redistribution>
+        </redistributions>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Migrations/M1_1_0.php b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Migrations/M1_1_0.php
new file mode 100644
index 0000000000..9bcb8a2b7a
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/Migrations/M1_1_0.php
@@ -0,0 +1,96 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Quagga\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Config;
+
+class M1_1_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        $config = Config::getInstance()->object();
+
+        if ($model->getNodeByReference('redistributions') === null) {
+            $model->addChild('redistributions');
+        }
+        $redistributions = $model->getNodeByReference('redistributions.redistribution');
+
+        // We migrate multiple models at the same time
+        $protocols = ['bgp', 'ospf', 'ospf6'];
+
+        foreach ($protocols as $protocol) {
+            if (isset($config->OPNsense->quagga->{$protocol})) {
+                $this->migrateRedistribute(
+                    $redistributions,
+                    $config->OPNsense->quagga->{$protocol},
+                    $protocol
+                );
+            }
+        }
+    }
+
+    private function migrateRedistribute($redistributions, $configNode, $protocol)
+    {
+        if (!$configNode || empty($configNode->redistribute)) {
+            return;
+        }
+
+        $redistributeValues = explode(',', (string)$configNode->redistribute);
+        $redistributemap = isset($configNode->redistributemap) ? (string)$configNode->redistributemap : '';
+
+        if ($redistributions === null) {
+            $redistributions = $model->addChild('redistributions');
+        }
+
+        // Collect existing redistribution values to prevent duplicates
+        $existingRedistributions = [];
+        foreach ($redistributions->iterateItems() as $existing) {
+            if (!empty((string)$existing->redistribute)) {
+                $existingRedistributions[] = (string)$existing->redistribute;
+            }
+        }
+
+        foreach ($redistributeValues as $value) {
+            $value = trim($value);
+            if (empty($value) || in_array($value, $existingRedistributions, true)) {
+                continue;
+            }
+
+            // Create a new redistribution entry
+            $redistributionNode = $redistributions->add();
+            $redistributionNode->enabled = '1';
+            $redistributionNode->description = "Migrated route redistribution ($protocol)";
+            $redistributionNode->redistribute = $value;
+            $redistributionNode->linkedRoutemap = !empty($redistributemap) ? $redistributemap : '';
+        }
+    }
+
+    // Model is saved by 'run_migrations.php'
+}
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 755d553c79..1fa0885e67 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/ospf</mount>
     <description>OSPF Routing configuration</description>
-    <version>1.0.5</version>
+    <version>1.1.0</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -49,31 +49,6 @@
                     <enable>/^(?!0).*$/</enable>
                 </filters>
         </passiveinterfaces>
-        <redistribute type="OptionField">
-                <Required>N</Required>
-                <multiple>Y</multiple>
-                <default></default>
-                <OptionValues>
-                        <bgp>Border Gateway Protocol (BGP)</bgp>
-                        <connected>Connected routes (directly attached subnet or host)</connected>
-                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
-                        <rip>Routing Information Protocol (RIP)</rip>
-                        <static>Statically configured routes</static>
-                </OptionValues>
-        </redistribute>
-        <redistributemap type="ModelRelationField">
-                <Model>
-                        <template>
-                                <source>OPNsense.quagga.ospf</source>
-                                <items>routemaps.routemap</items>
-                                <display>name</display>
-                                <group>name</group>
-                        </template>
-                </Model>
-                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-                <Multiple>N</Multiple>
-                <Required>N</Required>
-        </redistributemap>
         <networks>
                 <network type="ArrayField">
                         <enabled type="BooleanField">
@@ -311,5 +286,36 @@
                         </set>
                 </routemap>
         </routemaps>
+        <redistributions>
+                <redistribution type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <description type="DescriptionField"/>
+                        <redistribute type="OptionField">
+                                <Required>Y</Required>
+                                <Default>connected</Default>
+                                <OptionValues>
+                                        <ospf>Open Shortest Path First (OSPF)</ospf>
+                                        <connected>Connected routes (directly attached subnet or host)</connected>
+                                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
+                                        <rip>Routing Information Protocol (RIP)</rip>
+                                        <static>Statically configured routes</static>
+                                </OptionValues>
+                        </redistribute>
+                        <linkedRoutemap type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.ospf</source>
+                                                <items>routemaps.routemap</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
+                        </linkedRoutemap>
+                </redistribution>
+        </redistributions>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index 5bd6613ac9..3e2675ece2 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/ospf6</mount>
     <description>OSPFv3 Routing configuration</description>
-    <version>1.0.4</version>
+    <version>1.1.0</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>
@@ -11,25 +11,6 @@
             <default>0</default>
             <Required>Y</Required>
         </carp_demote>
-        <redistribute type="OptionField">
-                <multiple>Y</multiple>
-                <OptionValues>
-                        <connected>Connected routes (directly attached subnet or host)</connected>
-                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
-                        <static>Statically configured routes</static>
-                </OptionValues>
-        </redistribute>
-        <redistributemap type="ModelRelationField">
-                <Model>
-                        <template>
-                                <source>OPNsense.quagga.ospf6</source>
-                                <items>routemaps.routemap</items>
-                                <display>name</display>
-                                <group>name</group>
-                        </template>
-                </Model>
-                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-        </redistributemap>
         <routerid type="TextField">
                 <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
         </routerid>
@@ -224,5 +205,36 @@
                         <set type="TextField"/>
                 </routemap>
         </routemaps>
+        <redistributions>
+                <redistribution type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <description type="DescriptionField"/>
+                        <redistribute type="OptionField">
+                                <Required>Y</Required>
+                                <Default>connected</Default>
+                                <OptionValues>
+                                        <ospf>Open Shortest Path First (OSPF)</ospf>
+                                        <connected>Connected routes (directly attached subnet or host)</connected>
+                                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
+                                        <rip>Routing Information Protocol (RIP)</rip>
+                                        <static>Statically configured routes</static>
+                                </OptionValues>
+                        </redistribute>
+                        <linkedRoutemap type="ModelRelationField">
+                                <Model>
+                                        <template>
+                                                <source>OPNsense.quagga.ospf6</source>
+                                                <items>routemaps.routemap</items>
+                                                <display>name</display>
+                                                <group>name</group>
+                                        </template>
+                                </Model>
+                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
+                        </linkedRoutemap>
+                </redistribution>
+        </redistributions>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index a1835c5981..04c561ca97 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -95,9 +95,42 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/bgp/delPeergroup/',
             'toggle':'/api/quagga/bgp/togglePeergroup/'
         });
+        $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
+            'search':'/api/quagga/bgp/searchRedistribution',
+            'get':'/api/quagga/bgp/getRedistribution/',
+            'set':'/api/quagga/bgp/setRedistribution/',
+            'add':'/api/quagga/bgp/addRedistribution/',
+            'del':'/api/quagga/bgp/delRedistribution/',
+            'toggle':'/api/quagga/bgp/toggleRedistribution/'
+        });
+
+        const $header = $(".bootgrid-header[id*='{{formGridEditRedistribution['table_id']}}']");
+        if ($header.length) {
+            $header.find("div.actionBar").parent().prepend(
+                '<td class="col-sm-2 theading-text">' +
+                '<span class="fa fa-info-circle text-muted" style="margin-right: 5px;"></span>' +
+                '<strong>{{ lang._("Route Redistribution") }}</strong>' +
+                '</td>'
+            );
+        }
+
     });
 </script>
 
+<style>
+    /* Some trickery to make the redistribution grid look like its part of the base form */
+    .bootgrid-header[id*='{{ formGridEditRedistribution['table_id'] }}'] {
+        padding-left: 10px;
+    }
+    #{{ formGridEditRedistribution['table_id'] }}.bootgrid-table {
+        margin-left: 25%;
+        width: 75%;
+    }
+    .bootgrid-footer[id*='{{ formGridEditRedistribution['table_id'] }}'] {
+        margin-left: 24%;
+    }
+</style>
+
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
@@ -112,6 +145,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <!-- Tab: General -->
     <div id="general" class="tab-pane fade in active">
         {{ partial("layout_partials/base_form",['fields':bgpForm,'id':'frm_bgp_settings'])}}
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditRedistribution)}}
     </div>
     <!-- Tab: Neighbors -->
     <div id="neighbors" class="tab-pane fade in">
@@ -145,3 +179,4 @@ POSSIBILITY OF SUCH DAMAGE.
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPCommunityLists,'id':formGridEditBGPCommunityLists['edit_dialog_id'],'label':lang._('Edit Community Lists')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPRouteMaps,'id':formGridEditBGPRouteMaps['edit_dialog_id'],'label':lang._('Edit Route Maps')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPeergroups,'id':formGridEditBGPPeergroups['edit_dialog_id'],'label':lang._('Edit Peer Groups')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditRedistribution,'id':formGridEditRedistribution['edit_dialog_id'],'label':lang._('Edit Route Redistribution')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index fcdba3c814..3cbbddce5d 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -83,9 +83,42 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/ospfsettings/delRoutemap/',
             'toggle':'/api/quagga/ospfsettings/toggleRoutemap/'
         });
+        $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/searchRedistribution',
+            'get':'/api/quagga/ospfsettings/getRedistribution/',
+            'set':'/api/quagga/ospfsettings/setRedistribution/',
+            'add':'/api/quagga/ospfsettings/addRedistribution/',
+            'del':'/api/quagga/ospfsettings/delRedistribution/',
+            'toggle':'/api/quagga/ospfsettings/toggleRedistribution/'
+        });
+
+        const $header = $(".bootgrid-header[id*='{{formGridEditRedistribution['table_id']}}']");
+        if ($header.length) {
+            $header.find("div.actionBar").parent().prepend(
+                '<td class="col-sm-2 theading-text">' +
+                '<span class="fa fa-info-circle text-muted" style="margin-right: 5px;"></span>' +
+                '<strong>{{ lang._("Route Redistribution") }}</strong>' +
+                '</td>'
+            );
+        }
+
     });
 </script>
 
+<style>
+    /* Some trickery to make the redistribution grid look like its part of the base form */
+    .bootgrid-header[id*='{{ formGridEditRedistribution['table_id'] }}'] {
+        padding-left: 10px;
+    }
+    #{{ formGridEditRedistribution['table_id'] }}.bootgrid-table {
+        margin-left: 25%;
+        width: 75%;
+    }
+    .bootgrid-footer[id*='{{ formGridEditRedistribution['table_id'] }}'] {
+        margin-left: 24%;
+    }
+</style>
+
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
@@ -98,6 +131,7 @@ POSSIBILITY OF SUCH DAMAGE.
     <!-- Tab: General -->
     <div id="general" class="tab-pane fade in active">
         {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_ospf_settings'])}}
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditRedistribution)}}
     </div>
     <!-- Tab: Networks -->
     <div id="networks" class="tab-pane fade in">
@@ -121,3 +155,4 @@ POSSIBILITY OF SUCH DAMAGE.
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':formGridEditPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditRouteMaps,'id':formGridEditRouteMaps['edit_dialog_id'],'label':lang._('Edit Route Maps')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditRedistribution,'id':formGridEditRedistribution['edit_dialog_id'],'label':lang._('Edit Route Redistribution')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index 0f67ec6322..36802ad66b 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -78,6 +78,14 @@
             'del':'/api/quagga/ospf6settings/delRoutemap/',
             'toggle':'/api/quagga/ospf6settings/toggleRoutemap/'
         });
+        $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
+            'search':'/api/quagga/ospf6settings/searchRedistribution',
+            'get':'/api/quagga/ospf6settings/getRedistribution/',
+            'set':'/api/quagga/ospf6settings/setRedistribution/',
+            'add':'/api/quagga/ospf6settings/addRedistribution/',
+            'del':'/api/quagga/ospf6settings/delRedistribution/',
+            'toggle':'/api/quagga/ospf6settings/toggleRedistribution/'
+        });
 
         // hook checkbox item with conditional options
         $("#ospf6\\.originate").change(function(){
@@ -87,10 +95,33 @@
                 $(".ospf6_originate").closest('tr').hide();
             }
         });
+
+        const $header = $(".bootgrid-header[id*='{{formGridEditRedistribution['table_id']}}']");
+        if ($header.length) {
+            $header.find("div.actionBar").parent().prepend(
+                '<td class="col-sm-2 theading-text">' +
+                '<span class="fa fa-info-circle text-muted" style="margin-right: 5px;"></span>' +
+                '<strong>{{ lang._("Route Redistribution") }}</strong>' +
+                '</td>'
+            );
+        }
+
     });
 </script>
 
-
+<style>
+    /* Some trickery to make the redistribution grid look like its part of the base form */
+    .bootgrid-header[id*='{{ formGridEditRedistribution['table_id'] }}'] {
+        padding-left: 10px;
+    }
+    #{{ formGridEditRedistribution['table_id'] }}.bootgrid-table {
+        margin-left: 25%;
+        width: 75%;
+    }
+    .bootgrid-footer[id*='{{ formGridEditRedistribution['table_id'] }}'] {
+        margin-left: 24%;
+    }
+</style>
 
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
@@ -104,6 +135,7 @@
     <!-- Tab: General -->
     <div id="general" class="tab-pane fade in active">
         {{ partial("layout_partials/base_form",['fields':ospf6Form,'id':'frm_ospf6_settings'])}}
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditRedistribution)}}
     </div>
     <!-- Tab: Networks -->
     <div id="networks" class="tab-pane fade in">
@@ -127,3 +159,4 @@
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':formGridEditPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditRouteMaps,'id':formGridEditRouteMaps['edit_dialog_id'],'label':lang._('Edit Route Maps')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditRedistribution,'id':formGridEditRedistribution['edit_dialog_id'],'label':lang._('Edit Route Redistribution')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 55023713a0..97657e2d8f 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -150,11 +150,11 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 
 {%  for addressFamily in addressFamilies %}
  address-family {{ addressFamily }} unicast
-{%   if helpers.exists('OPNsense.quagga.bgp.redistribute') and OPNsense.quagga.bgp.redistribute != '' %}
-{%     for bgp_redistribute in OPNsense.quagga.bgp.redistribute.split(',') %}
-  redistribute {{ bgp_redistribute }}
-{%     endfor %}
-{%   endif %}
+{%   for redistribution in helpers.toList('OPNsense.quagga.bgp.redistributions.redistribution') %}
+{%     if redistribution.enabled == '1' %}
+ redistribute {{ redistribution.redistribute }}{% if redistribution.linkedRoutemap %} route-map {{ helpers.getUUID(redistribution.linkedRoutemap).name }}{% endif +%}
+{%     endif %}
+{%   endfor %}
 {%   for network in networks[addressFamily] %}
   network {{ network }}
 {%   endfor %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index f581d001ab..91666f3a61 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -37,11 +37,11 @@ router ospf6
  default-information originate{% if not helpers.empty('OPNsense.quagga.ospf6.originatealways')  %} always {% endif %}{% if OPNsense.quagga.ospf6.originatemetric|default('') != '' %} metric {{ OPNsense.quagga.ospf6.originatemetric }}{% endif %}
 
 {% endif %}
-{% if not helpers.empty('OPNsense.quagga.ospf6.redistribute')%}
-{% for line in OPNsense.quagga.ospf6.redistribute.split(',') %}
-{% if not helpers.empty('OPNsense.quagga.ospf6.redistributemap') %}{% set line = line + " route-map " + helpers.getUUID(OPNsense.quagga.ospf6.redistributemap).name %}{% endif %}
- redistribute {{ line }}
-{% endfor %}{% endif %}
+{% for redistribution in helpers.toList('OPNsense.quagga.ospf6.redistributions.redistribution') %}
+{%   if redistribution.enabled == '1' %}
+ redistribute {{ redistribution.redistribute }}{% if redistribution.linkedRoutemap %} route-map {{ helpers.getUUID(redistribution.linkedRoutemap).name }}{% endif +%}
+{%   endif %}
+{% endfor %}
 {% if helpers.exists('OPNsense.quagga.ospf6.networks.network') %}
 {%   for network in helpers.toList('OPNsense.quagga.ospf6.networks.network') %}
 {%     if network.enabled == '1' %}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index b6da96c22c..bd52044927 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -53,11 +53,11 @@ router ospf
 {% if helpers.exists('OPNsense.quagga.ospf.routerid') and OPNsense.quagga.ospf.routerid != '' %}
  ospf router-id {{ OPNsense.quagga.ospf.routerid }}
 {% endif %}
-{% if helpers.exists('OPNsense.quagga.ospf.redistribute') and OPNsense.quagga.ospf.redistribute != '' %}
-{% for line in OPNsense.quagga.ospf.redistribute.split(',') %}
-{% if helpers.exists('OPNsense.quagga.ospf.redistributemap') and OPNsense.quagga.ospf.redistributemap != '' %}{% set line = line + " route-map " + helpers.getUUID(OPNsense.quagga.ospf.redistributemap).name %}{% endif %}
- redistribute {{ line }}
-{% endfor %}{% endif %}
+{% for redistribution in helpers.toList('OPNsense.quagga.ospf.redistributions.redistribution') %}
+{%   if redistribution.enabled == '1' %}
+ redistribute {{ redistribution.redistribute }}{% if redistribution.linkedRoutemap %} route-map {{ helpers.getUUID(redistribution.linkedRoutemap).name }}{% endif +%}
+{%   endif %}
+{% endfor %}
 {% if helpers.exists('OPNsense.quagga.ospf.networks.network') %}
 {%   for network in helpers.toList('OPNsense.quagga.ospf.networks.network') %}
 {%     if network.enabled == '1' %}

From 25b07f8913c04febbe0232ab14c07aa5f4474767 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 21 Mar 2025 08:19:13 +0100
Subject: [PATCH 2390/3088] net/frr: Add BGP allowas-in (#4610)

---
 net/frr/pkg-descr                                 |  1 +
 .../Quagga/forms/dialogEditBGPNeighbor.xml        |  9 +++++++++
 .../mvc/app/models/OPNsense/Quagga/BGP.xml        | 15 +++++++++++++++
 .../service/templates/OPNsense/Quagga/bgpd.conf   |  3 +++
 4 files changed, 28 insertions(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index aa57d45c41..1ade2ccc62 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,6 +14,7 @@ Plugin Changelog
 
 1.44
 
+* Add BGP allowas-in (opnsense/plugins/issues/4586)
 * Add route-map functionality to route redistribution in bgp (opnsense/plugins/issues/4570)
 * Add route-map functionality to route redistribution in ospf/ospf6 (opnsense/plugins/issues/4580)
 * Add BGP remote-as internal and external (opnsense/plugins/issues/4609)
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index d2a91df99d..501c6d8789 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -217,6 +217,15 @@
       <visible>false</visible>
     </grid_view>
   </field>
+  <field>
+    <id>neighbor.allowas_in</id>
+    <label>Allow AS In</label>
+    <type>dropdown</type>
+    <help>Accept incoming routes with AS path containing AS number with the same value as the current system AS.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
   <field>
     <id>neighbor.disable_connected_check</id>
     <label>Disable Connected Check</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 108c857145..2d90959720 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -143,6 +143,21 @@
                                 <default>0</default>
                                 <Required>N</Required>
                         </asoverride>
+                        <allowas_in type="OptionField">
+                                <OptionValues>
+                                        <val1 value="1">1</val1>
+                                        <val2 value="2">2</val2>
+                                        <val3 value="3">3</val3>
+                                        <val4 value="4">4</val4>
+                                        <val5 value="5">5</val5>
+                                        <val6 value="6">6</val6>
+                                        <val7 value="7">7</val7>
+                                        <val8 value="8">8</val8>
+                                        <val9 value="9">9</val9>
+                                        <val10 value="10">10</val10>
+                                        <origin>origin</origin>
+                                </OptionValues>
+                        </allowas_in>
                         <disable_connected_check type="BooleanField">
                                 <default>0</default>
                                 <Required>N</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 97657e2d8f..ba1faa37cf 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -176,6 +176,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     if 'asoverride' in neighbor and neighbor.asoverride == '1' %}
   neighbor {{ neighbor.address }} as-override
 {%         endif %}
+{%     if 'allowas_in' in neighbor and neighbor.allowas_in %}
+  neighbor {{ neighbor.address }} allowas-in {{ neighbor.allowas_in }}
+{%         endif %}
 {%     if neighbor.linkedPrefixlistIn|default("") != "" %}
 {%       for prefixlist in neighbor.linkedPrefixlistIn.split(",") %}
 {%         set prefixlist2_data = helpers.getUUID(prefixlist) %}

From ed7eeb2035a27723e99bbea9d5aaa0db136fda2a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 23 Mar 2025 17:29:54 +0100
Subject: [PATCH 2391/3088] Squashed commit of the following:

commit 7de5868bfc2fce4dceecd4fa1f8db71d976acbe0
Author: Ad Schellevis <ad@opnsense.org>
Date:   Sun Mar 23 17:28:31 2025 +0100

    sysutils/beats8: remove revision from makefile

commit d091cac6ddb537832792e15d300fee1564d37e19
Author: Maxime THIEBAUT <46688461+0xThiebaut@users.noreply.github.com>
Date:   Wed Mar 12 21:05:12 2025 +0000

    sysutils/beats8: initial Filebeat support
---
 sysutils/beats8/Makefile                      |   7 +
 sysutils/beats8/pkg-descr                     |  13 +
 .../Filebeat/Api/ServiceController.php        |  49 ++
 .../Filebeat/Api/SettingsController.php       |  43 ++
 .../OPNsense/Filebeat/IndexController.php     |  46 ++
 .../OPNsense/Filebeat/forms/filebeat.xml      |  53 ++
 .../app/models/OPNsense/Beats8/ACL/ACL.xml    |   9 +
 .../app/models/OPNsense/Beats8/Filebeat.php   |  64 +++
 .../app/models/OPNsense/Beats8/Filebeat.xml   |  54 ++
 .../app/models/OPNsense/Beats8/Menu/Menu.xml  |   7 +
 .../app/views/OPNsense/Beats8/filebeat.volt   |  54 ++
 .../conf/actions.d/actions_filebeat.conf      |  23 +
 .../templates/OPNsense/Filebeat/+TARGETS      |   2 +
 .../templates/OPNsense/Filebeat/filebeat      |   1 +
 .../templates/OPNsense/Filebeat/filebeat.yml  | 460 ++++++++++++++++++
 15 files changed, 885 insertions(+)
 create mode 100644 sysutils/beats8/Makefile
 create mode 100644 sysutils/beats8/pkg-descr
 create mode 100755 sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
 create mode 100755 sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
 create mode 100755 sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
 create mode 100755 sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml
 create mode 100644 sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
 create mode 100644 sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
 create mode 100644 sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
 create mode 100644 sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
 create mode 100644 sysutils/beats8/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
 create mode 100644 sysutils/beats8/src/opnsense/service/conf/actions.d/actions_filebeat.conf
 create mode 100644 sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
 create mode 100755 sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
 create mode 100644 sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml

diff --git a/sysutils/beats8/Makefile b/sysutils/beats8/Makefile
new file mode 100644
index 0000000000..c4b8aac4dc
--- /dev/null
+++ b/sysutils/beats8/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		beats8
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		Send logs, network, metrics and heartbeat to elasticsearch
+PLUGIN_DEPENDS=		beats8
+PLUGIN_MAINTAINER=	0xThiebaut
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/beats8/pkg-descr b/sysutils/beats8/pkg-descr
new file mode 100644
index 0000000000..aa24fdd2ac
--- /dev/null
+++ b/sysutils/beats8/pkg-descr
@@ -0,0 +1,13 @@
+Beats is the platform for building lightweight, open source data
+shippers for many types of operational data you want to enrich with
+Logstash, search and analyze in Elasticsearch, and visualize in Kibana.
+
+Filebeat is a lightweight, open source shipper for log file data. As the
+next-generation Logstash Forwarder, Filebeat tails logs and quickly
+sends this information to Logstash for further parsing and enrichment or
+to Elasticsearch for centralized storage and analysis.
+
+The OPNsense Beats plugin only initializes Elasticsearch;
+It doesn't load Kibana dashboards.
+
+WWW: https://www.elastic.co/guide/en/beats
diff --git a/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php b/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
new file mode 100755
index 0000000000..5557852487
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Maxime THIEBAUT
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Filebeat\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\Filebeat
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Beats8\Filebeat';
+    protected static $internalServiceTemplate = 'OPNsense/Filebeat';
+    protected static $internalServiceEnabled = 'enabled';
+    protected static $internalServiceName = 'filebeat';
+    protected function reconfigureForceRestart()
+    {
+        return 0;
+    }
+}
diff --git a/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php b/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
new file mode 100755
index 0000000000..f8258c81b9
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
@@ -0,0 +1,43 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Maxime THIEBAUT
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Filebeat\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+/**
+ * Class SettingsController Handles settings related API actions for the HelloWorld module
+ * @package OPNsense\Filebeat
+ */
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = 'OPNsense\Beats8\Filebeat';
+    protected static $internalModelName = 'filebeat';
+}
diff --git a/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php b/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
new file mode 100755
index 0000000000..5c3784e4ed
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Maxime THIEBAUT
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Filebeat;
+
+/**
+ * Class IndexController
+ * @package OPNsense\Filebeat
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // pick the template to serve to our users.
+        $this->view->pick('OPNsense/Beats8/filebeat');
+        // fetch form data "general" in
+        $this->view->generalForm = $this->getForm("filebeat");
+    }
+}
diff --git a/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml b/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml
new file mode 100755
index 0000000000..bb047330bf
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml
@@ -0,0 +1,53 @@
+<form>
+    <field>
+        <id>filebeat.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable the Filebeat service.</help>
+    </field>
+    <field>
+        <id>filebeat.modules.enabled</id>
+        <label>Modules</label>
+        <type>select_multiple</type>
+        <help>The Filebeat modules to enable.</help>
+    </field>
+    <field>
+        <id>filebeat.inputs.enabled</id>
+        <label>Inputs</label>
+        <type>select_multiple</type>
+        <help>The Filebeat inputs to enable.</help>
+    </field>
+    <field>
+        <label>Elasticsearch</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>filebeat.output.elasticsearch.hosts</id>
+        <label>Host</label>
+        <type>text</type>
+        <help>The Elasticsearch host to which Filebeat should send its logs. IPv6 addresses should always be defined as: https://[2001:db8::1]:9200.</help>
+        <hint>http://localhost:9200</hint>
+    </field>
+    <field>
+        <id>filebeat.output.elasticsearch.api_key</id>
+        <label>API Key</label>
+        <type>password</type>
+        <help>The authentication API key in its id:api_key format.</help>
+        <hint>id:api_key</hint>
+    </field>
+    <field>
+        <id>filebeat.output.elasticsearch.ssl.verification_mode</id>
+        <label>SSL Verification</label>
+        <type>dropdown</type>
+        <help>Controls the verification of certificates. The full mode verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server's hostname (or IP address) matches the names identified within the certificate. The strict mode is similar to full mode, but requires the Subject Alternative Name to be defined as well. The certificate mode verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>filebeat.output.elasticsearch.ssl.ca_trusted_fingerprint</id>
+        <label>SSL Fingerprint</label>
+        <type>text</type>
+        <help>A HEX encoded root CA SHA256 fingerprint added to the list of trusted CAs before SSL validation happens.</help>
+        <hint>CA:FE:BA:BE:...</hint>
+        <advanced>true</advanced>
+    </field>
+</form>
diff --git a/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml b/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
new file mode 100644
index 0000000000..b0a9bd1d7d
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-beats8>
+        <name>Services: Beats8</name>
+        <patterns>
+            <pattern>ui/filebeat/*</pattern>
+            <pattern>api/filebeat/*</pattern>
+        </patterns>
+    </page-services-beats8>
+</acl>
diff --git a/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php b/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
new file mode 100644
index 0000000000..8a4c3c2b23
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
@@ -0,0 +1,64 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Maxime THIEBAUT
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Beats8;
+
+use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
+
+class Filebeat extends BaseModel
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+
+        if ($validateFullModel || $this->modules->enabled->isFieldChanged() || $this->inputs->enabled->isFieldChanged()) {
+            if ($this->modules->enabled->isEmpty() && $this->inputs->enabled->isEmpty()) {
+                $messages->appendMessage(
+                    new Message(
+                        gettext("Either an input or module needs to be specified."),
+                        $this->modules->enabled->__reference
+                    )
+                );
+                $messages->appendMessage(
+                    new Message(
+                        gettext("Either an input or module needs to be specified."),
+                        $this->inputs->enabled->__reference
+                    )
+                );
+            }
+        }
+
+        return $messages;
+    }
+}
diff --git a/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml b/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
new file mode 100644
index 0000000000..d4028a54d9
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
@@ -0,0 +1,54 @@
+<model>
+    <mount>//OPNsense/filebeat</mount>
+    <description>
+        Send logs to elasticsearch
+    </description>
+    <items>
+        <enabled type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </enabled>
+        <modules>
+            <enabled type="OptionField">
+                <OptionValues>
+                    <suricata>Suricata (Intrusion Detection)</suricata>
+                </OptionValues>
+                <Multiple>Y</Multiple>
+            </enabled>
+        </modules>
+        <inputs>
+            <enabled type="OptionField">
+                <OptionValues>
+                    <audit>Audit</audit>
+                    <configd>Backend</configd>
+                    <boot>Boot</boot>
+                    <system>General</system>
+                    <lighttpd>Web GUI</lighttpd>
+                </OptionValues>
+                <Multiple>Y</Multiple>
+            </enabled>
+        </inputs>
+        <output>
+            <elasticsearch>
+                <hosts type="UrlField">
+                    <Required>Y</Required>
+                </hosts>
+                <api_key type="UpdateOnlyTextField">
+                    <Required>Y</Required>
+                </api_key>
+                <ssl>
+                    <verification_mode type="OptionField">
+                        <Default>Full</Default>
+                        <OptionValues>
+                            <strict>Strict</strict>
+                            <full>Full</full>
+                            <certificate>Certificate</certificate>
+                        </OptionValues>
+                        <Required>Y</Required>
+                    </verification_mode>
+                    <ca_trusted_fingerprint type="TextField"/>
+                </ssl>
+            </elasticsearch>
+        </output>
+    </items>
+</model>
diff --git a/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml b/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
new file mode 100644
index 0000000000..40674d06ac
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
@@ -0,0 +1,7 @@
+<menu>
+    <Services>
+        <Beats8 cssClass="fa fa-heartbeat fa-fw">
+            <Filebeat url="/ui/filebeat"/>
+        </Beats8>
+    </Services>
+</menu>
diff --git a/sysutils/beats8/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt b/sysutils/beats8/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
new file mode 100644
index 0000000000..03f6342ab0
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
@@ -0,0 +1,54 @@
+{#
+
+Copyright (C) 2025 Maxime THIEBAUT
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        mapDataToFormUI({'frm_GeneralSettings':"/api/filebeat/settings/get"}).done(function(data){
+            updateServiceControlUI('filebeat');
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/filebeat/settings/set", 'frm_GeneralSettings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            },
+            onAction: function(data, status) {
+                updateServiceControlUI('filebeat');
+            }
+        });
+    });
+</script>
+
+<div class="content-box __mb">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
+</div>
+
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/filebeat/service/reconfigure'}) }}
diff --git a/sysutils/beats8/src/opnsense/service/conf/actions.d/actions_filebeat.conf b/sysutils/beats8/src/opnsense/service/conf/actions.d/actions_filebeat.conf
new file mode 100644
index 0000000000..b7c8aa371c
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/service/conf/actions.d/actions_filebeat.conf
@@ -0,0 +1,23 @@
+[start]
+command:/usr/local/etc/rc.d/filebeat start
+parameters:
+type:script
+message:starting Filebeat
+
+[stop]
+command:/usr/local/etc/rc.d/filebeat stop
+parameters:
+type:script
+message:stopping Filebeat
+
+[restart]
+command:/usr/local/etc/rc.d/filebeat restart
+parameters:
+type:script
+message:restarting Filebeat
+
+[status]
+command:/usr/local/etc/rc.d/filebeat status; exit 0
+parameters:
+type:script_output
+message:requesting Filebeat status
\ No newline at end of file
diff --git a/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS b/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
new file mode 100644
index 0000000000..88dd74dea3
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
@@ -0,0 +1,2 @@
+filebeat.yml:/usr/local/etc/beats/filebeat.yml
+filebeat:/etc/rc.conf.d/filebeat
\ No newline at end of file
diff --git a/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat b/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
new file mode 100755
index 0000000000..7b65a5fa8b
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
@@ -0,0 +1 @@
+filebeat_enable="{{ 'YES' if not helpers.empty('OPNsense.filebeat.enabled') else 'NO' }}"
\ No newline at end of file
diff --git a/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml b/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml
new file mode 100644
index 0000000000..cf893f1e26
--- /dev/null
+++ b/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml
@@ -0,0 +1,460 @@
+######################## Filebeat Configuration ############################
+
+#==========================  Modules configuration =============================
+{% set filebeat_modules_enabled = (OPNsense.filebeat.modules.enabled|default('')).split(',') %}
+filebeat.modules:
+{% if 'suricata' in filebeat_modules_enabled %}
+#-------------------------------- Suricata Module --------------------------------
+- module: suricata
+  # EVE
+  eve:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+    # Internal network configuration (advanced) can be added under this section.
+    #var.internal_networks:
+{% endif %}
+
+
+#=========================== Filebeat inputs =============================
+
+# List of inputs to fetch data.
+{% set filebeat_inputs_enabled = (OPNsense.filebeat.inputs.enabled|default('')).split(',') %}
+filebeat.inputs:
+# Each - is an input. Most options can be set at the input level, so
+# you can use different inputs for various configurations.
+# Below are the input specific configurations.
+
+# Type of the files. Based on this the way the file is read is decided.
+# The different types cannot be mixed in one input
+#
+# Possible options are:
+# * filestream: Reads every line of the log file
+# * log: Reads every line of the log file (deprecated)
+# * stdin: Reads the standard in
+
+#--------------------------- Filestream input ----------------------------
+- type: filestream
+
+  # Unique ID among all inputs, an ID is required.
+  id: audit
+  tags: ['audit']
+
+  # Change to true to enable this input configuration.
+  enabled: {{ 'true' if 'audit' in filebeat_inputs_enabled else 'false' }}
+
+  # Paths that should be crawled and fetched. Glob based paths.
+  # To fetch all ".log" files from a specific level of subdirectories
+  # /var/log/*/*.log can be used.
+  # For each file found under this path, a harvester is started.
+  # Make sure not file is defined twice as this can lead to unexpected behaviour.
+  paths:
+    - /var/log/audit/audit_*.log
+
+  ### Parsers configuration
+
+  #### Syslog configuration
+
+  parsers:
+    - syslog:
+        format: auto
+        log_errors: true
+        add_error_key: true
+
+#--------------------------- Filestream input ----------------------------
+- type: filestream
+
+  # Unique ID among all inputs, an ID is required.
+  id: configd
+  tags: ['configd']
+
+  # Change to true to enable this input configuration.
+  enabled: {{ 'true' if 'configd' in filebeat_inputs_enabled else 'false' }}
+
+  # Paths that should be crawled and fetched. Glob based paths.
+  # To fetch all ".log" files from a specific level of subdirectories
+  # /var/log/*/*.log can be used.
+  # For each file found under this path, a harvester is started.
+  # Make sure not file is defined twice as this can lead to unexpected behaviour.
+  paths:
+    - /var/log/configd/configd_*.log
+
+  ### Parsers configuration
+
+  #### Syslog configuration
+
+  parsers:
+    - syslog:
+        format: auto
+        log_errors: true
+        add_error_key: true
+
+#--------------------------- Filestream input ----------------------------
+- type: filestream
+
+  # Unique ID among all inputs, an ID is required.
+  id: 'boot'
+  tags: ['boot']
+
+  # Change to true to enable this input configuration.
+  enabled: {{ 'true' if 'boot' in filebeat_inputs_enabled else 'false' }}
+
+  # Paths that should be crawled and fetched. Glob based paths.
+  # To fetch all ".log" files from a specific level of subdirectories
+  # /var/log/*/*.log can be used.
+  # For each file found under this path, a harvester is started.
+  # Make sure not file is defined twice as this can lead to unexpected behaviour.
+  paths:
+    - /var/log/boot.log
+
+  close.reader.on_eof: true
+  prospector:
+    scanner:
+      resend_on_touch: true
+
+  ### Parsers configuration
+
+  #### Syslog configuration
+
+  parsers:
+    - syslog:
+        format: auto
+        log_errors: true
+        add_error_key: true
+
+#--------------------------- Filestream input ----------------------------
+- type: filestream
+
+  # Unique ID among all inputs, an ID is required.
+  id: 'system'
+  tags: ['system']
+
+  # Change to true to enable this input configuration.
+  enabled: {{ 'true' if 'system' in filebeat_inputs_enabled else 'false' }}
+
+  # Paths that should be crawled and fetched. Glob based paths.
+  # To fetch all ".log" files from a specific level of subdirectories
+  # /var/log/*/*.log can be used.
+  # For each file found under this path, a harvester is started.
+  # Make sure not file is defined twice as this can lead to unexpected behaviour.
+  paths:
+    - /var/log/system/system_*.log
+
+  ### Parsers configuration
+
+  #### Syslog configuration
+
+  parsers:
+    - syslog:
+        format: auto
+        log_errors: true
+        add_error_key: true
+
+#--------------------------- Filestream input ----------------------------
+- type: filestream
+
+  # Unique ID among all inputs, an ID is required.
+  id: 'lighttpd'
+  tags: ['lighttpd']
+
+  # Change to true to enable this input configuration.
+  enabled: {{ 'true' if 'lighttpd' in filebeat_inputs_enabled else 'false' }}
+
+  # Paths that should be crawled and fetched. Glob based paths.
+  # To fetch all ".log" files from a specific level of subdirectories
+  # /var/log/*/*.log can be used.
+  # For each file found under this path, a harvester is started.
+  # Make sure not file is defined twice as this can lead to unexpected behaviour.
+  paths:
+    - /var/log/lighttpd/lighttpd_*.log
+
+  ### Parsers configuration
+
+  #### Syslog configuration
+
+  parsers:
+    - syslog:
+        format: auto
+        log_errors: true
+        add_error_key: true
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  hosts: ["{{ OPNsense.filebeat.output.elasticsearch.hosts }}"]
+
+  # Performance presets configure other output fields to recommended values
+  # based on a performance priority.
+  # Options are "balanced", "throughput", "scale", "latency" and "custom".
+  # Default if unspecified: "custom"
+  preset: balanced
+
+  # Set gzip compression level. Set to 0 to disable compression.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1.
+  #compression_level: 1
+
+  # Configure escaping HTML symbols in strings.
+  #escape_html: false
+
+  # Protocol - either `http` (default) or `https`.
+  #protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  api_key: "{{ OPNsense.filebeat.output.elasticsearch.api_key }}"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the URL with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Number of workers per Elasticsearch host.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  #worker: 1
+
+  # If set to true and multiple hosts are configured, the output plugin load
+  # balances published events onto all Elasticsearch hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # Optional data stream or index name. The default is "filebeat-%{[agent.version]}".
+  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
+  #index: "filebeat-%{[agent.version]}"
+
+  # Optional ingest pipeline. By default, no pipeline will be used.
+  #pipeline: ""
+
+  # Optional HTTP path
+  #path: "/elasticsearch"
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server URL
+  #proxy_url: http://proxy:3128
+
+  # Whether to disable proxy settings for outgoing connections. If true, this
+  # takes precedence over both the proxy_url field and any environment settings
+  # (HTTP_PROXY, HTTPS_PROXY). The default is false.
+  #proxy_disable: false
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 1600.
+  #bulk_max_size: 1600
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum amount of time an idle connection will remain idle
+  # before closing itself.  Zero means use the default of 60s. The
+  # format is a Go language duration (example 60s is 60 seconds).
+  # This field may conflict with performance presets. To set it
+  # manually use "preset: custom".
+  # The default is 3s.
+  # idle_connection_timeout: 3s
+
+  # Configure HTTP request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Prevents filebeat from connecting to older Elasticsearch versions when set to `false`
+  #allow_older_versions: true
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Controls the verification of certificates. Valid values are:
+  # * full, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate.
+  # * strict, which verifies that the provided certificate is signed by a trusted
+  # authority (CA) and also verifies that the server's hostname (or IP address)
+  # matches the names identified within the certificate. If the Subject Alternative
+  # Name is empty, it returns an error.
+  # * certificate, which verifies that the provided certificate is signed by a
+  # trusted authority (CA), but does not perform any hostname verification.
+  #  * none, which performs no verification of the server's certificate. This
+  # mode disables many of the security benefits of SSL/TLS and should only be used
+  # after very careful consideration. It is primarily intended as a temporary
+  # diagnostic mechanism when attempting to resolve TLS errors; its use in
+  # production environments is strongly discouraged.
+  # The default value is full.
+  ssl.verification_mode: {{ OPNsense.filebeat.output.elasticsearch.ssl.verification_mode|default('full') }}
+
+  # List of supported/valid TLS versions. By default all TLS versions from 1.1
+  # up to 1.3 are enabled.
+  #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client certificate key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the certificate key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE-based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # Configure a pin that can be used to do extra validation of the verified certificate chain,
+  # this allow you to ensure that a specific certificate is used to validate the chain of trust.
+  #
+  # The pin is a base64 encoded string of the SHA-256 fingerprint.
+  #ssl.ca_sha256: ""
+
+  # A root CA HEX encoded fingerprint. During the SSL handshake if the
+  # fingerprint matches the root CA certificate, it will be added to
+  # the provided list of root CAs (`certificate_authorities`), if the
+  # list is empty or not defined, the matching certificate will be the
+  # only one in the list. Then the normal SSL validation happens.
+{% if not helpers.empty('OPNsense.filebeat.output.elasticsearch.ssl.ca_trusted_fingerprint') %}
+  ssl.ca_trusted_fingerprint: "{{ OPNsense.filebeat.output.elasticsearch.ssl.ca_trusted_fingerprint|replace(':','') }}"
+{% else %}
+  #ssl.ca_trusted_fingerprint: ""
+{% endif %}
+
+  # Enables restarting filebeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
+  # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
+  #kerberos.enabled: true
+
+  # Authentication type to use with Kerberos. Available options: keytab, password.
+  #kerberos.auth_type: password
+
+  # Path to the keytab file. It is used when auth_type is set to keytab.
+  #kerberos.keytab: /etc/elastic.keytab
+
+  # Path to the Kerberos configuration.
+  #kerberos.config_path: /etc/krb5.conf
+
+  # Name of the Kerberos user.
+  #kerberos.username: elastic
+
+  # Password of the Kerberos user. It is used when auth_type is set to password.
+  #kerberos.password: changeme
+
+  # Kerberos realm.
+  #kerberos.realm: ELASTIC
+
+
+# ================================== Logging ===================================
+
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false
+
+# Send all logging output to syslog. The default is false.
+logging.to_syslog: true
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, Filebeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+# This is disabled on FreeBSD due to procfs not providing /proc/curproc/stat
+logging.metrics.enabled: false
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# A list of metrics namespaces to report in the logs. Defaults to [stats].
+# `stats` contains general Beat metrics. `dataset` may be present in some
+# Beats and contains module or input metrics.
+#logging.metrics.namespaces: [stats]
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: false
+logging.files:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/filebeat
+
+  # The name of the files where the logs are written to.
+  #name: filebeat
+
+  # Configure log file size limit. If the limit is reached, log file will be
+  # automatically rotated.
+  #rotateeverybytes: 10485760 # = 10MB
+
+  # Number of rotated log files to keep. The oldest files will be deleted first.
+  #keepfiles: 7
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to the size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # Unix epoch. Defaults to disabled.
+  #interval: 0
+
+  # Rotate existing logs on startup rather than appending them to the existing
+  # file. Defaults to true.
+  # rotateonstartup: true

From 18fac64e22cbac8418a214673238520964ad919a Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sun, 23 Mar 2025 20:37:58 +0100
Subject: [PATCH 2392/3088] www/caddy: Add missing selectpicker style to
 dropdowns which have other styles attached (#4616)

* www/caddy: Add missing selectpicker style to dropdowns which have other styles attached

* www/caddy: Change style order to generic to specific, add changelog
---
 www/caddy/pkg-descr                                       | 1 +
 .../app/controllers/OPNsense/Caddy/forms/dialogHandle.xml | 6 +++---
 .../app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml | 8 ++++----
 .../OPNsense/Caddy/forms/dialogReverseProxy.xml           | 2 +-
 4 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 67443a08c5..745a694cf0 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 1.8.4
 
 * Add: Client Auth (mTLS) to domains (opnsense/plugins/issues/4089)
+* Fix: Some selectpickers had incorrect style (opnsense/plugins/pull/4616)
 
 1.8.3
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 3efcdb8dd1..83cf1a5dfc 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -116,7 +116,7 @@
         <type>dropdown</type>
         <type>select_multiple</type>
         <size>5</size>
-        <style>style_reverse_proxy selectpicker</style>
+        <style>selectpicker style_reverse_proxy</style>
         <help><![CDATA[Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
         <advanced>true</advanced>
         <grid_view>
@@ -181,7 +181,7 @@
         <id>handle.HttpTlsTrustedCaCerts</id>
         <label>TLS Trust Pool</label>
         <type>dropdown</type>
-        <style>style_tls style_reverse_proxy</style>
+        <style>selectpicker style_tls style_reverse_proxy</style>
         <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -218,7 +218,7 @@
         <id>handle.lb_policy</id>
         <label>Load Balance Policy</label>
         <type>dropdown</type>
-        <style>style_reverse_proxy</style>
+        <style>selectpicker style_reverse_proxy</style>
         <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
         <advanced>true</advanced>
         <grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 9cabfaf42b..9a24f737d6 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -39,7 +39,7 @@
         <id>layer4.Protocol</id>
         <label>Protocol</label>
         <type>dropdown</type>
-        <style>style_type</style>
+        <style>selectpicker style_type</style>
         <help><![CDATA[Match the received traffic on OSI Layer 4, either TCP or UDP. When "Routing Type" is "listener_wrappers", currently only TCP will match.]]></help>
     </field>
     <field>
@@ -74,7 +74,7 @@
         <id>layer4.FromOpenvpnModes</id>
         <label>OpenVPN Mode</label>
         <type>dropdown</type>
-        <style>style_matchers matchers_openvpn</style>
+        <style>selectpicker style_matchers matchers_openvpn</style>
         <help><![CDATA[Select the mode matching the OpenVPN Server or Client.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -84,7 +84,7 @@
         <id>layer4.FromOpenvpnStaticKey</id>
         <label>OpenVPN Static Key</label>
         <type>select_multiple</type>
-        <style>style_matchers selectpicker matchers_openvpn</style>
+        <style>selectpicker style_matchers matchers_openvpn</style>
         <hint>Any</hint>
         <size>5</size>
         <help><![CDATA[Select a Static Key to match. Multiple Static Keys are only supported for tls-crypt2_client mode.]]></help>
@@ -153,7 +153,7 @@
         <id>layer4.lb_policy</id>
         <label>Load Balance Policy</label>
         <type>dropdown</type>
-        <style>style_reverse_proxy</style>
+        <style>selectpicker style_reverse_proxy</style>
         <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
         <advanced>true</advanced>
         <grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 86a0bd1bb8..ab5f3e9715 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -42,7 +42,7 @@
         <id>reverse.CustomCertificate</id>
         <label>Certificate</label>
         <type>dropdown</type>
-        <style>style_tls</style>
+        <style>selectpicker style_tls</style>
         <help><![CDATA[Choose ACME to get automatic certificates with the built in ACME client; no additional plugin required. The "HTTP-01", "TLS-ALPN-01" or "DNS-01" challenge will be used to get automatic "Let's Encrypt" or "ZeroSSL" certificates. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
         <grid_view>
             <visible>false</visible>

From e2799bb11b4cb8899ef7603ad4bc4109ebb229d6 Mon Sep 17 00:00:00 2001
From: opnsenseuser <rene@team-rebellion.net>
Date: Sat, 22 Mar 2025 20:26:29 +0100
Subject: [PATCH 2393/3088] All Themes updates /fixes

logo updates und some other changes
---
 misc/theme-cicada/Makefile                    |     2 +-
 .../cicada/assets/stylesheets/main.scss       |    34 +-
 .../cicada/build/css/jquery.bootgrid.css      |    25 +-
 .../www/themes/cicada/build/css/main.css      |    32 +-
 .../cicada/build/images/default-logo.png      |   Bin 15520 -> 27885 bytes
 .../themes/cicada/build/images/favicon.png    |   Bin 2938 -> 2100 bytes
 .../themes/cicada/build/images/icon-logo.png  |   Bin 4195 -> 0 bytes
 .../themes/cicada/build/images/icon-logo.svg  |     7 +
 misc/theme-tukan/Makefile                     |     2 +-
 .../themes/tukan/assets/stylesheets/main.scss | 11545 +++++++++++-----
 .../tukan/build/css/jquery.bootgrid.css       |    26 +-
 .../www/themes/tukan/build/css/main.css       |    29 +-
 .../tukan/build/images/default-logo.png       |   Bin 15520 -> 27885 bytes
 .../www/themes/tukan/build/images/favicon.png |   Bin 2938 -> 2100 bytes
 .../themes/tukan/build/images/icon-logo.png   |   Bin 4195 -> 0 bytes
 .../themes/tukan/build/images/icon-logo.svg   |     7 +
 misc/theme-vicuna/Makefile                    |     2 +-
 .../vicuna/assets/stylesheets/main.scss       |    32 +-
 .../vicuna/build/css/jquery.bootgrid.css      |    26 +-
 .../www/themes/vicuna/build/css/main.css      |    26 +-
 .../vicuna/build/images/default-logo.png      |   Bin 15520 -> 27885 bytes
 .../themes/vicuna/build/images/favicon.png    |   Bin 2938 -> 2100 bytes
 .../themes/vicuna/build/images/icon-logo.png  |   Bin 4195 -> 0 bytes
 .../themes/vicuna/build/images/icon-logo.svg  |     7 +
 24 files changed, 7957 insertions(+), 3845 deletions(-)
 delete mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/icon-logo.png
 create mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/icon-logo.svg
 delete mode 100644 misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/icon-logo.png
 create mode 100644 misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/icon-logo.svg
 delete mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/icon-logo.png
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/icon-logo.svg

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index bb86392603..5ab8d3841b 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.38
+PLUGIN_VERSION=		1.39
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index a7e374d6bb..ea34555bd2 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -5363,7 +5363,7 @@ tbody.collapse.in {
   &.pull-right {
     right: 0;
     left: auto;
-    background-color: #e5e5e5;
+    background-color: #222;
   }
 
   .divider {
@@ -6242,6 +6242,8 @@ a:focus {
 }
 
 .navbar-header {
+  padding-top: 12px;
+
   &:before {
     content: " ";
     display: table;
@@ -6384,22 +6386,9 @@ a:focus {
   border-width: 1px 0 0;
 }
 
-.navbar-brand {
-  float: left;
-  padding: 15px 20px;
-  font-size: 18px;
-  height: 50px;
-
-  &:hover, &:focus {
-    text-decoration: none;
-  }
-}
-
-@media (min-width: 768px) {
-  .navbar > {
-    .container .navbar-brand, .container-fluid .navbar-brand {
-      margin-left: -20px;
-    }
+.navbar-brand img {
+  &.brand-logo, &.brand-icon {
+    height: 30px;
   }
 }
 
@@ -7923,8 +7912,8 @@ a.list-group-item-danger {
 
 .panel-footer {
   padding: 10px 15px;
-  background-color: #f5f5f5;
-  border-top: 1px solid #ddd;
+  background-color: #2d2d2d;
+  border-top: 1px solid #191919;
   border-bottom-right-radius: 2px;
   border-bottom-left-radius: 2px;
 }
@@ -9758,7 +9747,7 @@ main.page-content.col-lg-12 {
       }
 
       a.list-group-item.active-menu-title {
-        color: #bac3ca !important;
+        color: #dd630d !important;
         background-color: #151515 !important;
       }
     }
@@ -9906,6 +9895,7 @@ button.toggle-sidebar {
   margin-top: 18px;
   float: left;
   outline: none;
+  padding-left: 20px;
 }
 
 /* COLLAPSE SIDEBAR END*/
@@ -10138,10 +10128,6 @@ button.toggle-sidebar {
   border-radius: 0 !important;
 }
 
-.navbar-brand {
-  padding: 10px 20px;
-}
-
 .label-opnsense {
   /* emulates btn */
   display: inline-block;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/jquery.bootgrid.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/jquery.bootgrid.css
index c455999db8..9f4c326e39 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/jquery.bootgrid.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/jquery.bootgrid.css
@@ -18,12 +18,14 @@
   vertical-align: middle;
   width: 180px;
 }
-.bootgrid-header .search .glyphicon,
-.bootgrid-footer .search .glyphicon {
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa-solid {
   top: 0;
 }
 .bootgrid-header .search .fa,
-.bootgrid-footer .search .fa {
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa,
+.bootgrid-footer .search .fa-solid {
   display: table-cell;
 }
 .bootgrid-header .search.search-field::-ms-clear,
@@ -42,9 +44,6 @@
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu {
-  color: #fff;
-  background-color: #2a2a2a;
-  border-color: #1d1d1d;
   text-align: left;
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item,
@@ -59,9 +58,9 @@
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover,
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus {
-  color: #fff;
+  color: #FFF;
   text-decoration: none;
-  background-color: #ec6d12;
+  background-color: #dd630d;
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
@@ -81,7 +80,7 @@
   outline: 0;
 }
 .bootgrid-table th > .column-header-anchor {
-  color: #fff;
+  color: #e8f1f9;
   cursor: not-allowed;
   display: block;
   position: relative;
@@ -100,18 +99,14 @@
   white-space: nowrap;
 }
 .bootgrid-table th > .column-header-anchor > .icon {
-  color: #fff;
   display: block;
   position: absolute;
   right: 0;
   top: 2px;
 }
-.bootgrid-table th > .column-header-anchor > .glyphicon {
-  color: #fff;
-}
 .bootgrid-table th:hover,
 .bootgrid-table th:active {
-  background: #4b4b4b;
+  background: #fafafa;
 }
 .bootgrid-table td {
   overflow: hidden;
@@ -122,7 +117,7 @@
 }
 .bootgrid-table td.loading,
 .bootgrid-table td.no-results {
-  background: none;
+  background: #202020;
   text-align: center;
 }
 .bootgrid-table th.select-cell,
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index a932ab707b..d4e2bcbbc9 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -3192,7 +3192,7 @@ tbody.collapse.in {
   .dropdown-menu.pull-right {
     right: 0;
     left: auto;
-	background-color: #e5e5e5;}
+	background-color: #222;}
 
   .dropdown-menu .divider {
     height: 1px;
@@ -3717,6 +3717,10 @@ tbody.collapse.in {
     .navbar {
       border-radius: 0; } }
 
+.navbar-header {
+  padding-top: 12px;
+}
+
 .navbar-header:before, .navbar-header:after {
   content: " ";
   display: table; }
@@ -3806,18 +3810,12 @@ tbody.collapse.in {
   margin-bottom: 0;
   border-width: 1px 0 0; }
 
-.navbar-brand {
-  float: left;
-  padding: 15px 20px;
-  font-size: 18px;
-  height: 50px; }
-  .navbar-brand:hover, .navbar-brand:focus {
-    text-decoration: none; }
-
-  @media (min-width: 768px) {
-    .navbar > .container .navbar-brand, .navbar > .container-fluid .navbar-brand {
-      margin-left: -20px; } }
-
+.navbar-brand img.brand-logo {
+  height: 30px;
+}
+.navbar-brand img.brand-icon {
+  height: 30px;
+}
 .navbar-toggle {
   position: relative;
   float: left;
@@ -4718,8 +4716,8 @@ a.list-group-item-danger {
 
 .panel-footer {
   padding: 10px 15px;
-  background-color: #f5f5f5;
-  border-top: 1px solid #ddd;
+  background-color: #2d2d2d;
+  border-top: 1px solid #191919;
   border-bottom-right-radius: 2px;
   border-bottom-left-radius: 2px; }
 
@@ -6058,6 +6056,7 @@ button.toggle-sidebar {
   margin-top: 18px;
   float:left;
   outline:none;
+  padding-left: 20px;
 }
 
 /* COLLAPSE SIDEBAR END*/
@@ -6220,9 +6219,6 @@ button.toggle-sidebar {
 .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
   border-radius: 0 !important; }
 
-.navbar-brand {
-  padding: 10px 20px; }
-
 .label-opnsense {
   /* emulates btn */
   display: inline-block;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/default-logo.png b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/default-logo.png
index 9f98843f0aa597da90303ce6c86652073abc4c2d..35122b0fcbb81ef25bd4e348ae7b9fe03e2bd5f6 100644
GIT binary patch
literal 27885
zcmbSzby!qg7w=f8ucRmp9U>^wjS?cD0s<04Hv&?FbcY3qlprA~Au&TE%>YVEOSec2
zox(`Y-3NH@_uYH{xc9m9JUD01IcKlE*Is+A--_+Kr%I2A{-OQ{27?jFJ(f|0!Oj=J
zU}r2Y5rAJxnG5jX>x`r7qX)3OPTB>~IBy}PC<TKRhFv)@z5v>nUp&@!gu#gGp}#ZD
zc3IEBk8mehEhjZQb0=402Q%1HV@sqHmy)bHqaYVAm%!D@jMw0qQZp?%b2&M7*d@@o
z0HZ#00d@vl$%8+d(`zsq*sU|?j(<N3u6fU#g^_}99q?xvaQ^srD{u{cjKClC{=eV<
z8&TLf7%coE>^yjahmW7<%;%F{p*JpkKI!QrxQ0GwK|g1YpHvkU0avGQ@$&FMcL(RH
zm@spOUtuuo1UVTgbvJ{RL*H;ctoP)uPqL#D$*o>##n;~Lj5I;ggtlvDRvlC9o$}G9
z#AVBFnjhYOR@mf>@nin{PQ9kk<#L|>@4Sy3-{jLVs-jG8()V;#8U2{94MtU;fy-40
zN8f?bsm*O8&pvgor%|9kASE}h?|ncbdX?x&vSSS{%-y5=@Xx|zt&(f4A!4gpOq_q*
z(MJp`mb`U93eD^P`0%%sUzoQs_1=h)nJL#Lo~i4JBG)x^zH<C<toeB@@1egfzf0k_
z%V+BvveQjwU`!NHCq~h3$TNPo%^S$0ic4b{kNf3+3A++2_(ltA_)$swU1(>1zyUSt
z2$|~6nqNPC^C79xnc`s5E6^RDbC(MIv>ydRQUi;1IImSF#@GNYE9?pHSq>uuQj_C>
zWL!H#!J~Ys5V`?V3j}0@Ps!Yd$lN$3a}AK0`<IM7AhY!^nG1l7`ze_g(X$+|)7SNG
z)SWGOeKMACwewmqB-07`8PYQpeh*KdN&x+KpLP{~13Xnkb}}x9SFkJhtxun#Wdu*r
zpHA}or2?4K!_#>&0)peG9Y47QI$k|}pVbe%Z+AK`(}#W+KD(ZF#>)&kV>q2xESSnX
z!)ecipl3q=Q}&sF!4RCz3(f?{)JvVvgp)xH>C?s;s3CjW;DZ|fzQYU}Y5%@+6>9wZ
z&RMAO?>i7TdTyMsh7b(8&h2z%_GJ7n7<rw}z#DLY$KZ4Z^khb7;F1rH1>imj81xf@
zlNo$g0E1=?IGI8B1wbb9l*~NT^UNu4MnGrbB&VHGfcIxEp1jX^4h+WYl$|2b4U*H2
ziJ=?JC!^E?L^j`_5V`Mnff08yMx#|Qtd`SZ#ae@hGR~d6-OdR{(t9ckb5}uE3lB~>
z<`@8m_2-13U&RA3;kzeetQ&(Sj5+O@3#?Ks@?^j~ThN66C1VN5nEy+L1CS{`C1Vbe
z89pV$50P0uCG!a)BXmlp9U@b8N`@68V|z+w8<1(2IAL<E6(BQrO6CbPo2^qa84#J>
zQ!;80nS)a@*$^3tQ!;%#Gy!Y3s@~2s^2U4#m-t0-&XJ4sMiXbdc$9iDt(IuvHUf7O
z+JW~aVneoNov-vrndIdscq}QE!DB6Gmfr8n%m%@=Ul_KDpNyzQ(4X`yJP2r%L7ABh
zU5V>(B}lQuDuATJPKV<TU7sqAa7Z$qhMg>$0~jYv?_{3gcfgJCx2HE=gBv=h6VL;!
z@pCz4&2PYs&*Z1vxCIz6e=2fM2+vT!oKB^I6>M6V$EnPlJ_6)1Co<z#2sWLc&xvH$
z4FNviuRZOV1N3Y}dNLRupr&9vw@%2wZv!%Lg3|^S)Sx(RT!tE~r;WQ%L+G@@4mB>E
zHmIS-_0z^bP~+xl0}ciqOnoAqgm1v0n_ix9U=QNi^eF?qfpYS*Kb=7mknXzjll8o>
z3=R6~$qYV2qRw;sWCq>W0h!qJMAD@<x`fbzl)nYNv#tr1K@Hf8D}eCv#~}p#e*8IJ
zGU&<=Qklm;-OmHWj;|O80j1+lxV5>dx61efr|{UNJDC%ey_^Jd<4un!Ca>Ojj}*Q8
zbXaHi_W&J|7kc<fn*5idIF{BM%th?X3aH9w!Nb?cRQm5U#lEjutJUJ5$S<!Q{pXB^
zB+%VYfFS~l1K#49Wsmxy8o?5VUNkmsFWUE@pfRW8j*{=H%&&kyI2JFMUrkioZ02u~
z8V=^>N}_xjndL6}u+({n3O%28Zw&pvv-8l%R*z1-RcZ7ZeG|8h9A;cnzb4CeCrW;9
z67ckRKKGRYH7nX?%3xmfsx`_3fk;O5KSFFzsb)X(n&d_;)|W23BQT3cNxX9}Xq&M`
z4>;!P7B4y)o%s}d4z1k&5;AN?LF(*LH)#w62`Sb4(M_?YUsM;=z1{E3I_wsp==qz*
z)C}`bl&=}x%C$I<13xYm>`D1uc*b0}NPcEutitDTPa3Hmm(iAl70mr^66{{A#bMyo
z1~~60_bxRn8ykg^VDO)s+ABg1@hq3~W*8H5AjGfxPkk7{o!2@9`-6|nX!{+^npMBn
z=P*S;QB(GroXo)T&u@z3=&CQMc))MwqT9@rvNJ(z`}tRqpl73mAG4b(WbRG3eNxrg
z>GIXt(WpHoYzcuUZq>V$Gcxh%axCxM?aaTAbA>7YdxhfUW*yu)1_vvRma4Jt*bv_Q
z0oRfw4QQr;U-jRaKkPf(s@S!~rKA>C#k-QGIEf2;vcxN%Vf%4*7a4$r!Md-E>MlAQ
zzFFB8&riK|*DlzS+V*MJL@hne8?TL{W{~a4-b>O#RZ^Y*hG{ghkA$Ha&THLgJ)0vz
zX4H{xe?f~g;rfSSAV2dH*PgtmQ2sU7>P{wVhxK*49ky>Dyg%=it?n_znLuDV_K-+@
zdx3{AtYQ`hBm99W&0g&1A#}xlTV$<6wZ>uPU5=Wf_CyP<1_d>k&clp$Xh}b)$wjCG
z&U|vHIM5o9=V~bttfJl4u43o{^41Ilr(P!8(S$Q7H4@1L;7p)@Qe#tW4MQy4R3nl_
zbUONdiwbtXSw;rhEwQ#2WoFcAn`7E$H`N@e{n}p%l8Gj<w3^YFE1GDHG{8-XM|Xu_
zu(~%ucxLwy7ZKYXO40*}ZFhus<?0dw`)Gh25ELskh9~9XMNQiszNl*71Y&DMJmmgQ
z=uJ5XQ7{gbYq=GYud@qTnKOZ)+jyFFD6Cal0LK2JI1BUJcpTAyAx?I#>2hEvtT!#m
zXS_6^zHN0#(qO-Qq+i&3dpT(OFAUl)j!kgKA-E$K=<-iXoWaiJ`3;d!?sk>1oXAx*
z0KIwWQHv4+ORRNPM%b##-_aJ&|Bg1nJ%E1T$q(iYSPB1{IhRG*)m|tykbNtNtKFmP
zu4%g}*f1gnXJE0Ha1v>gvgR&q&tnpoJbNcEzxvEHquPHHXernWj?n2g!mc=EQ!K)?
zy~3eFYzMK{^bROOKd(!#KHqk8pfaT|hc?MzzM=1}pwvfTfhzXgzsksXP1-HCA~-0<
z4RqF6pbc#jtj*VyP+0%ZWrB>+LTDVD>rbn!$nKDzh4Dz))4Do#xrr(EZdt}92{$D;
zd)j9&Do`0CC;-NU!Ca_JiJR@kwxoN^6M4-AL#MCsOBnXOycGl~*jQDRhv21G?PM@2
zlHWp?!TR1mXWG6gMkpKaT$18aEGEzgcP!WAVsHT)x9+h(4&glUh2^&>B!N_c6`Ql&
z)n@zpNuefSa$tVZp*{6xmHqzyoo+3T4$;zgVX)2bi8lI(s)a)Q8<YeG^P|NpA-oE5
z5nrn$Ez3*Mi?R@-x+7MmzP}mnU7HCeVN2M?lfeAmwZ+;Tl418*Q69X6^;<ygd_+ks
zRUbTwUvjOVB!2aa16tepXCa8mjO6ivT;$bE>SJDbG@5J#p$u}p?Si!zzr?u0{ejNw
z-zyRc?J6H!yA?#-N209WFZ{ldSsa?Gg^TKov#)NOODAQ-H)unawN5Jmg@1@hUYs4F
zIseTV;a$9g;WZaEHJh?XSnCQ3Jf3JCsfl7Oh44H6diu0gMQ-3CMlfCqtvaL5Jvd=f
z=+*;w?7J=TbgA{aY>!+S4ncbU5oD%de^Mz-DrRHZFaDS<@|+go2lAD6>+WjwIhfzK
z>+c&Ch5d>KCnAgZpS;LbXa6*!3HK+uLm3qKQT~hCwxnsT((w8Zx(K)GQdOqo*}vm8
zkLtgishdB3m>I%5w_z|h19bLyF?ms~x}iDc(SkMV6);rlTrpkcQ&FfI>hs@Lr6H>i
z>*n{2<SWLwnI|T4TMc;LP7F@Xil4=tf!z;##VGPisfCOAA}~UFTrpK1Pt9MWPb|{K
zMZ;q0izIy>hL<7w@cUI?!ag`Q#Wv3|{t~U{{RdXJ4$a~o)BY;zjR`}<yOu&0Id-5y
zp8)g44&*z}u=c2Xdufm%D0Th=&_wDLdJ-`#a<Vd^!;`~i_2?47yDv2f$E>oA)+~v?
zxJpY=Y(AiA0JK;{P~-1L#!DLGQ*WG!hx`_8;xe$k0^)YTqIZ~^WmvYD;^>6R^*AWF
zEAt`i?pM>XhjMZJ^#O38>Sq^65&A}<2P+JA<0%J)a6ONnT7Tw}CfhP#OEyY5z_?sT
z(x%|pzQUoMK|RM=_a|`rZ>+A6_448;eeMk+7|es*f2xr2QnYP&KTl2p9Rh<wDPNQ-
zp!GK%^@JP{7!P4rcfHwNu&v_*ye(q>CT+i40!jitO0%Q|_iw9No4muUoV8et+KbrQ
z&IuHo+CRb=!?^;C-Et85Xb*sMU`9qRu>()KG6mWqSU$a{cLLmPn{}waIu36A1ssS{
z&2|zatWPtB=ZP9VQuy-I-Zf%Jsl910wGu+VgPKYh=S*F~_NtIDj+&bfDaIX~J{Og2
zHs;<NGkH=5bWqHo<|J-yW!s!Z;hJo7Ft2jO?6eUZv-nyx?zx=IqGqkGU{iJR>VCC*
zp*s8aH4{Y#1|oR`19AO}Ztt<4^wJNB(&;NagfLhJ(f?{bSI%<KgzFU={(f_F`&)Bd
zAP0@<YPP5Np!)VM58=htDZXs~+Tel>Lx5bSMGOR+XemBC8XIH-l1^2YlPI^ECY8Nt
zPI{iiBKL*BlgN>WX?Ohr?^pm1hw+%WIQ+0U!7es~3-vCcex|^9<nQ0r)vVDF4yYp|
zbMHAEbvMPT#VsIK_JHQhe`D-c3IM>mcWo9*xk{2>PUV^zmxcKIU|t1#+T?_Qidvxi
zu0t#j4opnnG`=S~+v5|!F)VssssAFwYYsIrtM<43+O`pDlQ;(Te$DYgwr9w*92F&e
zQ=(<GFxU*a^rii8qz@RO?*`KE5O6Cb=~(bb)m%IOZSGb88v=q(*XTM%$K+ky1~B6}
zti3<d{S8{r`x_2>yHCKk{PssgfSxvnyU-o8ITDrhPyKqJt^^^N{<MUD6$0=|eftdA
z2LZ(x+4QA}xFl?1OyaMN4wZpicW_e!v7Klcmp76!XWL&oIDzprbTE|01Kd}Hn&@rZ
zs9JEJXmr18VBMUxoG__xsGz=`y0#x*<mgj-w*^x#fa-rQ7r{Ygx`^$xnGM3aYX<Xb
z2Jm9%zcK+Jc!nbU9Sp4u(CfR@=N<4!^aMF-FN1gPdA9o9*%~2s7lSWqO|b!EgRGX_
z1b@=0kNDnnO_0!-=zns854VYFMUFkH7eaYUWZMd$@R^iR@@9f^5drGX{qSP3AbKB^
zM-RN%5=)kIfk15%Rs&f<p)4KrsL$)W+{{?Swh8I^{7%#QGR;y0pBDdrtPknyQI(d#
z6}OlzyeEC_N6IjmHMh^D`s&W^kDKT7MugNL_<d)m9CLTY*vNMDU5n1Ry&x$9bBmcW
zgqIS$V>wc$!uH>=63wl0Es?KDY%W?k=vX<vlpBwIsNysR-zwLYxQ+6-Nm%bWzKK*s
zO>vXk900hJ#=IG<E1|SSZKVCkpH4#AibnA_JWrjyO)f&rgyxxe?sHKa=a=8yyS6&9
z;(aJ}c3|nmQc>2-4t4O}!hrtIHh*2Me!i5yCW~#}hGmTQKLQZSbO%n~YHw3^XkWGB
z=&3jGKJ__njNV17A6;2DR}FCOoOnT@@zD*G$LBVBjdLpfiey0JS=95iAC6^XOo%yP
zb$!`@l<1XwgMVHb*+zu;0cbe#Zo=^!yjU+={h?2qkb*o=6aef;hxLjn&LmB-G~3ug
z&Ir)U96_m9<RbJaK1`=s{lR@FxDQ6l0gwd1ivV|#%J%TPk2FK82LKfKO=jjJ@7%h`
z_dA7-b?;g>Smd}KsW^S}7vj&=UpEPx1y~Ig*pjV6-|RA)3?LZfxUlEHm+K4dx)sFU
z6kFUBo3>IqRSq|`LhmNYN6b99CL85Y;gzAsB^e!KYZ;c=oOY`+fu;2VnW#|cy1dPy
z#ZpAE$~A-yMtI{;hy(0bzwAhs))pj(=ND8L(A&`gnOUW{$H)gcBB3NzX7lqox;*9;
z<-5rrfytk}{i_A7V=4)Nn2=lRp-^$iL|W-L&tY%x1b`%;0>cQ<<~N}RHWWpcjLOHQ
z`({s3al?W6_oBl>?%e;VE45Szz#_O4zaIy%!_d>c?;_IuKEqwEbp$$K++u}}DAjC^
zM=F1U#gjsn@2(dc5A*<@09oNLUJnlfmW;<)U64|GcDdl2UT(Q2dz4c4Vli^}P5S})
zAz7@GU(`OM$;VTj)K75mIpLR8PRJqCl1J7ukF3g94KPG1(@sLu)p+CLkd?6u>}gkJ
zd*X=r**t)LjSk@jh&b-~xSFq*lJu?dAi4*_8qUts7e>`=P4){z&Nan4MoM%N$O04?
z%kJ{`SA$)S`nKXdn-|N%@`*!JZ^)Bzb?{;Vl912Fi{?HQ!O_R?P>+-J!$p;Abb-_5
zLf6c#Xe0-;0zARczuXE^8hQK3fl{x+>ZLre-NFjeVT)znV2#J%j>w<l&lUmF95wiC
zDqd^z*TGyTw2LcvyQY00gq-9-m04IZuw<f?B(FVB#$!*5ot;~JL0^xip2U%$7vqt;
z=V#1(6+;r1%PP!+wL?<p({&}n7Qe^vyIU=jJhwTcaZT3Rp4PCl{^>V~oDLH^4o@V5
zYui>G!F)`!;KvFVuTY21eETb}j5s1I?>U>UzD9fOY|(Sav{^LK#S$N{hApd4q!|_y
z_vdMTDKMuQysRYkG|dj=5~fWKTOm6T;{Oru*v7T%gOsn2acR10BnuXIWtJa7)ZpPl
zoXD?oP0{IXA5%p$0da*y(#q4h4>%w6(p#aDW{YThF})n%aJrNm<%NCWqKz%BV1NL1
zuQ^AXZJ9{`aj3KVp3m@Z0c#~{ygd5R#fLMW<diOn$${<F>aVHRTd?r$vGngsCT)Il
zKWfuZCC_}BdjbyZofb4EAvvy3k~~w09v}>z+x$C-soMM3d!_pPJCqdykJ(8LIuX4n
zOxXOs@wZme1W9WH&C}w7MWVSFlmtJg@J_udrGa8)4PDfS?d~kwDzQHl^g^cXQ<fx!
z830ED-JD_v;Blz3Lik|7hs4pMUh9>00b;7<^t?gC)qLmUjrW12wc&L*<0YjEGj|IA
zsbM+XcN6-YB=KJqMh;Da32e&d<=Ci}OW2lA8wS?QZ?qy`7{y}l+rs#xB3)fAS+J!;
zwrtG&p3DDp%&5CP1nDRVNi$5oj0;kpRs4w`41KY9=b0--u!o3p(vavYhjBluzFTuG
zp90oVO`RmdU!PuB88-NQZcrRd7=f@b<|=ma_d&MNzR?ui(Q$QvH;-mP7(L@5F*QL&
zQaR@OB#!N{Vse3kQJ2_XH*|Sn`)hH%duRD<F-uTt2^GB#3*UE9hu<PTtQQBf3O_Zc
zlth|HzkP|FcoH%5N!0B=-yiE(@lFegYE+@4$*j;k<c~ceLSULXX($oi{A+heN>u^g
z2uAe`gt%Mv5q(R?c2KqUE>RT;P1k3d@A{&t_IM4rV!}E-*0HE<d8amBzA&Pncbaw>
z<NlnBu!k@1>I-L%>lI4BW%HJdcn9eWK~}0aaMR8zGd1(nsZp^GhCc355%&g8hD?<X
zA_0Zv_3U@tp*%J&$OLy0<p7W1(Fv-Gm0TYArr6nAK?JK*Z#r#^hFmdeDCG*X;^#wy
z1uSw(ol^NF8V;f#!yy9K9Z3D2c=`$U#a9|M+KVk5#(3J(G9)_r@dQ=8H1Fdt7P{D7
zE$|{>Sh{|vGZts?I1Kx1PmG)1@k%A{qbaa?jCZ7DxjdOd>OZF}obda5`Z-cW;&Yfl
z7ULyW>N>?D+?YTCMufGJ?<1;aCOV}=JMLUdr?+6wU6){gjTkJGQ_@%Cj;=SI!MttW
z1ESs+413LE)oy~A!57hgwsnDFjw<tu1B3PBdSfio1AG3o-iv*h1ks@{{HHn#+Gg8D
za&~Fi5>3sy$kq+HwKC(_OalVx>?^iu$kY@^1Gp)Do9+!)jYj*i-U_RwO!wG*d4FeQ
zTc?Xe(rar6t{KkHtk7CsL9!6Yki;JVoWmJ9%`aM^!dkc3L-<yUJkirO!C&x^5^Zy{
zgTut!1KMVO!E~W!kAKo4SQc)t$2mw>_yd$@X4<azM`!8h4fo0>$o0sOl^mZ7c=hXI
z{YjY41B4*BxTVAW`wNnVn_~M}<T6~gB}TQ{8hJ&C>*qt{&k2)bdYbCsTj9C`p{Si}
zZcM)7p{yP7;*Xh(A0ZCx+Bb66xdBb|7=-yES+e1#n*ySX@9Uorg}p{e+-t8;@}IeX
zO;(M{MA5_Nn?3b_z4W=VPrT-q0~A6nXnO3oxcDtkxOl;(%;Ib-<XJ1oS($5QIhT{|
z{*O(tdls<1f;ss>y#x4@qQ`~ioy*~64GXC*MoNX+0!Kdsr8!Q?+6s4clc!l%b3_t<
zt7FQgljr}y6azpZN`jmDk=LYe0pzsCtnHHowHyO-jD1R3ms^AV*!GJ&15cZdD!IJM
zOjJH<u@|*hu(sb==~$J8A{h-3Ca+kfGS%4P>q;EfGE^@krDK`f`;lF?>h%7ld)dZ^
z#<GT%RNYWw^-_(Ra_0cu;D^9C@i#qrCJRS+-zKcjuH{Y6uoY?Tx*G-}n>!=ttX20P
zBa(^h*JBe8j;eX*5?8yPM4%+7{in2BzX>_C6+c<$Hz-NjYuqzxg%@k<ZUa!d$N?*~
zsf`ZiCFzTDl|>{I)xY>mU<HgEJ9Ah0Y+457>b<Cr-|9=EX>O)7$XYaq`^%P9C*BI`
z4BL0?^kah{RvC{%g<jHQT|<N+N-}1tuM_trIGf1|cL{yixAaA|wcHF7l$yo2TCrl&
z)txrZMR85GhnGxrq)Ujp`vdUoesIzXpUv?B`s)*jrONpAN685mrH8HG%+Ii-QQ9o-
zOrccxqT02k`^1W&KY-tzuu$EZ|I(`fpz|BWY|@mPcBv5C03Xty|CVi1DDon#8+gCh
znm15HmC?5KWoGc7Z7!BK0pe?dmraTDxx~}Wm)h%c2c@b_(-Y6`AH8lg=^^6O0Rde7
zvSxb_mXnW2{~a9`l*s+ZjkAv7WA3Cib{mDtqc&Z&_sui!hTRED1t5bTxqB;naZ8Gn
zc7-)IPdLTe&=B`eeG};eNXoR5+3!{&yN#;VOVDh)?&`oppR?gAwAA}luw>-^REjj`
zt+AU8d@5?_@^C$mm?3*qC~$}c2<uBKr<{Pdyd?xfQDxB=ZA}MrR!8WL=3v+5WmpL7
z>!;~e;msQjH048N%^M<N{gl9~r_pe`S?WVlzitEfZw4#!l7}#6<wfPA@e0y_uS1<$
zVfqMf3Ggn)U(=*ak@UPNy2=c@HOKrM(ga36!CU47{aZxT50w%5JEJ0<SMH@x0e?)c
zgw*<bihUkfbZ&7+0u?ZYk*7;9;Qk6VYm(1B?-E{1P&B%k$3`%2UbDtPkF6G+CjRR$
zhXA5pEOg*CL~v92eam|#(jarwiqN6%y&R$(P47wWkv-qfTMg8sV=l)bxR>-bLzPpP
z%e>S99(0er`2JW?2lJj26eH-{(z{b9z|-VJ>(567=5_mCg)<TaXG3@^v@5bhj0Fzv
z7NPqRKgpbH*_ja$dkz=qoUlUeS(R<kmZ*V%N3(kp+NzDoz}<|k%SVK;eim{O*0;R8
z*OEa%W99s)8u>FK>Y<$nh-CJdHdDGh_MN|6QSzAtiKBU{**T%^tLUTvBJ<l(^3Bau
zPqD`RIzWZgsXy&691pB$@>1iMKW{%|M$<x`9PX_3okuL8jMQ45a4c}~+shLd0Sf7Y
zNKp3DV7{aPXFX@L=$j@u{|h&S>A8u*^W41y=h}AKmqecQ?i`4kYu+EHtBkg&r$&tu
zc_urd^ti0SMzqkJ^3GAse$u!R&eAGUzksf%wGwTwOub?{s+0?v{O-4w6_>3oBBT;{
z%@abNIaz#W8*qOnos<1suah5STzKaS0%;X`|9C~PL;-IE3`g&pY}ZE+0N<jp8Q#rr
z+Hv=qWY9S`NWC*@ZK;zN<6{3IX^yeTk%SJe$tdz=KxQU3FadH}D)a_G3>Lh}56$UT
z5Pj<?Zz^i~KulVk^3hYxuhJwy!B+Bi=B;Z-uux$;I=W?51bQ;fsT3?tiwu_grj2wI
z)kxkYv@}*&)~5*GyN%zV_%>h);=l~L+*ux`t0@~++$r)gO)f+s({46WhPCS39gLUu
z;(BvH3Z-@QH(745qnq}<Qj3W*WTNK5qVd;lhPypf&$NmxMWq;cHV^l5k(`PCf77Ps
zAn{=`m@{I<i`@Mhm^u&TN6NhP_Ox`oQ<Ghzhy6!4KNHQ!t)wBN!$Cd;gij2qwysWB
z^mGWJfa8e<-s6k5txo^nSlJmb((~Lz9%8P1ozwb=e7LE<c(tpoUcK+Km#V(tPY~?1
z3#PJgV=UUDN~Uv~NWT@72RCh!z-n@1UBL?9>uhZekU|KD@Pe*@>&w0Eu-2V#KVgVk
z%qDAJ8tLEQxixBS&$0a&WL5u@A3|HJT+<f-_JE!Zfw}5Gg#q)3{iA4;t<HzkzBg^d
z(HU<*9kT*-rt_#98jKhOfRdX@(WAEN{GCmsml7$Vyo;n{5D!piAgEEOtSbH`Y2M}R
z-em%<bAzvewMlMxK!iz{j6`Jyw06GqFpx=Na7s4&G(hTmb@K&xJJ57>0#qJp>AC=c
zRd)<`bKVPUZ}^U`CN!=?=D$u6hHbV;l&o0?cGG(FaK=6WKK2;#Ju%T&#=YbWclkNh
z1#!}s0@O)D9amFo&P#>wcMZwec8Y<l0T46bOg0CIN=^t6x_4YLZEskTg7%&OmAmk!
z%WsjSA53rLBA!%|NiOGY&Ud|kP5kMTQ0WJc2F^#3*>*DnXh9bcWT;@0aEpDsW@tnT
z;^V(L6h-XLeVhgh2|AZv&=#`2W6^mJ>a~xj>4`wy)en|*5_}6?;tPjDIQ4DBBrcQB
zk4_y#er_@=m(P})wWGB{dUYaLC{u5Fn0M3DOzXWQP5Xl4t}x?A4sB&CCWteH$*MTH
zcTYt3cAJux9RqUzwf*|}%}HU9J^@A&MOv3P&)?lKPWr^Dw&Nbc8zdo0RNAiya6*O@
z;XT3G9BNWnF4{KQ40jX=oi^TSI-Bv3^t^t@BcYJx_3w`Liy?0hpp5R55D+#t`>8*L
za7G~`ev7PHr4Fk6^U4oq{oqnQvJf5E`CU)>2HE*<4NE~Pd`&r5O^oS>Ju^QMW#yWJ
z2$0hiUQZ~krPj!mE5-}f&vM}{6nJC9SVg01<lXqFP<vOW5I2r}R5Vi5g{DHeYPPrm
zUMv&%)*Zz9dgLTww1TGX#t(9ap`3iI5IIr7Gd4KfO(M$vaRdvAumky|;Z_S*v69>D
zEsFQ?z~qscm|dw~AIh<duOz*La~9#@*wNv+PBKYg94rc=?pUkB2>T!PsGrAf7vF+=
zL4%N=!&TyvXLi3>#c>FF)`{dh$H<G;f9eUzMVdE6g~VMRc5i$xNWCx`DC-dDn^Hsm
z9<&qyRB}M(B)aRf#k`p)AGsj{g48^S<%n+gd8QYP`O3Rco|t}aQMF&#!p*sOOr;<D
zno*0mKD^2FA`q6;m3M-@Qi_sL>{)bJ=punWhA>vh7*3z~dKb7A5f)>7?F7f7!`n1t
zCO2=fDa4=wkOK(*=qW{eNw$%e_Nev8*yN+@ZPr#ne&Bsmte$^&r1`m;{sb`&I2DlS
z*GJmd&Yuytb8P2&zVSv^!gSzL)+3YOBrV75!e)W-P@22h@I%|}CUZpQp@5@J`3nF5
z1U>Y(Gu7D>uYS0J6s7hs>DUZU%cH3%rk^7sm-0A@lK(P|+IvAiCqNyAWOxcUWtHF{
z9zPZsx+)!wBx-VUl0qm}N|f)wyY?DYL*>tOX5e}Cb5Fh85g5U_TfqF8i={8<7HW-s
zl@6uX=#Lp2w2&!t7EXCWX)a3oNf3mf%fva8lX{ry!+_gjR@VImbzW;c-fd03xUeP*
z$#nN|`*xI?-S`5<xh>@MjrVr%KFF5Q(q-A?df6`#m%&$t>uzaAt^@7HL)bhKe*=Ii
zW(U4U;`uU&<g)r}dmz-q>yHy~Q<3T1t4WSG{uDX#$mMNgin1!mCf_z~H%0CWP)`Zz
zkbf{e4#j3fp^*N@T25{HKxGLxiLFM5y&`&<!IvP^q_=QW3ltI@l!vh$W9B@Mi4t-U
zN#dPL(3P-C6REW&Sv6&L7=mvp;kIwPr1x%Ufjtnxk`1u036?SbM>of%S85<{otm8Z
z-<j*}#t9q!*3pn??+Djtw9=K!LT;#0<mU7YNNv0xn|Z=c+j?cRe!V&{f#lUMFM|hY
z4={(c=hgi(Do#Bh1g<M#`>-NpMkA~%4T_RFhVAct-SEbLGbtP@wfH6yhC@o1Xy5ni
zuTn{x6lxb`WCposGBCnFCO{kgqNoHZQxX0Tp()flrk9vtM(o1`hxTP&KY>pPVqd^G
zw`WD$g9xnxxP<b)Sl;TZA1E(g&Noj))mX6^<a>)-2fPqNp-5unZ-VrW704HY$f{x(
z+T952^`m!vMvtB1z2@>p#WFz0JAV^LnEd4;oYXYK4pL-7c+Im%D=Peq!6WfdWdt;&
zeIFH>P=H!{?+U0RsyrBZ=k}~wJ@%CT5eLN)Bpi(7;9G_yr)IW<GI|=YWz!qqDE0c%
z=+cz^XrrWX{RMp&pNyB(p3}=Kzo=(>SG4)Ey#*Ez`EPE^>!wXSTmgax9LNE6XKfh`
z*=K@lqeby6f-j990`%+E&6zCt2Vi&M=A~OhmG&J;y=YXW7?HS!!j}m9Hoa+DW{!LN
z>nd}XS4g1jr&=4q1NSw53`nt`B>SLZfJ`V!_Y}+qejm8D{Q%p%OP&7&%n*y5!!Xdq
z*r|Sn*Z!JyEKsU%l-!zvO_06<C}5B+qAL^sI`ExG4`lb7l+NR`R&uwiSG;3mY{z)p
zA-y-foM-`s^=@fyiJ8<4%hGlFgUlCrui(l%I7mt%`U7NV-s#x2+b7*gbQ-4d8N+e1
zRUPQPI5r<Tr01I*`Yu_u`YZh>L=6(DBTvy&z;1)sqIM)pg;B7mwKUqYqK9f<&DdyY
z+3PVKR#6HEAgQ7C0U%dSf!wVz%&|V0^UnIIMN`ofTklR(2&4#@0+q=$q4dAiM0sJu
zj#U&$aV<){Fvr-5Jdx0Q5`REcaSXcyCH^<zCV(>_(4yp0{A!xzWN<)900gq7_$O}P
zEVy-6QJT^q9e3UQt$1{E4Qf6e7(=GxqJ|K&vlgT1w1L0kKyw$Z<VMBQ(>ga9)DDv_
zInd8F6p6o5eyE~eh)HHU`qYg9k#P~=twF+T|CStRV-x)s81r*Wnd8avU+r-P*Jw;Y
z02}mdQMnK$DGwrI6~L7@7#ziek{(mhhaShFK@YH+f6MK}x*sDZ|9DG=k^ea7U3^DY
zd@8z&&$Jx{U@`FbS8jSV3Ar^7sMYxgOy?+9#--gMtS^q7-_R`+X@QCtN-uxD11tpy
z_U7nuC4>4M6VLN&o!>-OE6_afdlvnuKw9O9nIfWx;NJWP`wO>(3M8VNJwcFBCL^7v
ziMFKoiI`xXQ6Y$zAD8p&-Da1War3srSMMCK0W;nnWH02>y)1Hv#Drql@4&sxi=yPY
z7+nF;#1#<#_egBZH#9|xT_1lX#QL+P1YmJc@&sVKQZ#@^I?KgLP^U~Z8scUFMVb*n
z5b%@da_0<aXL<cntVJ|zcsxKIgOFT=d@k;bc-}*oqhZqwbhlfA*JScg`r^*PUGvwC
zSA^QBe@KAXQrpgf&yStY)!{61H$g6BB_pfgiv0{Rnsnzi;?m0}IS+=|G?-{XN<fLq
zv}wnQ`W~n~f%{8idOr32<I4B#dQwJ5`c6;!jxqqXcbHA7G=#H!%2XuLsO&|MLQADH
zC<CcES=07@pR=}AKZd1+ctn?LB-k-I@)nxf)xV;ZBTxpsO?oQ*z*vr0mBlAv^{<i1
z^?sf5RqOv!`OsPu?|SET-rY9#HyD~<2dnP7ppt^DLhD|Q*W~0_m8+ehqxP^PmI)z#
zw=?^yhv-8`ovvic4~pQCJ6S95K{j#R=x5$h<ulK*ihO5VEo^H6D6|5_i7g=Hz;-q#
zr7$EJQ1%=f<hcuZxNI2uIJvhs`0h^|O#l?FXoVlzn>`TVpqX3~0;zmI-Z_vKyTqn$
zX<<V2#el}@@cbG6<#!;SF~+$(z*1_Kzh4z~o3Mb3<m&VC#qUd{1VpL?{R)19+1_!F
zKtYthF*io7`4!U}nBOPhTMNHtG@32g@Gu#gx*q<h)JMB*dW=*0qv*$Hq@|h4y(ZVG
z49R=V>NN7P>qZ*0&aq^1ME7J+y80C>g9Vdino^`r<1`?AuqA4E+1W;ih$cw@f+tT3
zjeqDVR*Fe+6K~GY#R>^E+!cHGuDY2ehA3L4xIVq|;f=Cy-O|d0lLd3~@eeV?7D<~?
zxdH4X=;TTWhVWY?vFayXLwNV&4huU}&dtacY5}ZZ(qR%Pm~Skjd?vc_JJUUQk>mw{
z$=hJ)Wcp&rBuLf@zh@oy<bnzljaUIX`$!Ys^Ryq#Q3TW~c+$C?Yd=5Q>qv2KY%G^h
zh!_lBP*Mp43JHQ*-XnLbTTRbVewr(C{gMd7SV)n!n;cFQixHDS(TetT(NFp2%QkK$
zP1TyQu0nMpzoV6lHQKVf_z>PDlROi+!!-U8@_aUTTJtxoj;=^ui}6>;YXE?u_HuM3
z0vueC<iKe*r(ha*L1u6!Wcg|2r{^=kyi_cw02DeK?TiM#rg06ehq2<jihH$)ZL2ag
ziTUMMzu=DJv-z4_(2O$3Oo#$j%wG7d|MUEs|5T55tRr{mbj4Ci3d(M;X42K~CU9XQ
zdW|1G=X1rD1rj<T2Q^BQum;iY%TWptR(5}*^*VdIntDc#m8T78=^Wrh%&M8MdOQbd
zM4teXfq0xK<<?M(Y~<K>I@L|jNxr9kH(hR}@S5jQ+JK!}akmyqu{fr1HN-8k&0<vh
zH3544g1z3I<gF^%!SpbX`gWQ*O}RAHk?@+hpn6o)B@n)pZkmSbgmj0(w5i!A!m4wP
z<e<UO0DRNC^D%am=7Yh|x|OY#@XI<5^p#dDUqh@AsD7-U_eOwdN`Cv&QF8r@XQ=kk
zgOkwBG;){G+$_s2*}>TdV(MHdhRofGo`!l{wLcStrRdDhk;FQy(VNU7OR~v4fUP7d
zd3ndByyw~){^g8qEE)1s+3pG`z2OP+q}+!&(Mxk2SD;w}h)MLy$emy=mx>*#Hz5fy
z7WtSWSXZ6>7LF9%ltSe1)%Xr^GEh|EV=}!&EW3d4p$#O|%#(IHKBy?Ullo5?levHA
zOtyzA9cEtAsg|=cE4NRRZxM2XxbBZ<D|JRT=N1EXlPn+vS)^@>#Zb$w1$#K&#WJVZ
z`gF*Wa3H)vAqA0`y(gQ?Y)=4owuaYk@EGxrfx5wF!0p81rlvfde6(t|z@|SP54Vl9
z)kIPsHad~g!uBJEf3bf~FCpzBOU2@sm%FK`E`MW@(*Cm`)MvLwgH5IM1#!`iT}8lu
zzeK;mPP_H>>ap;lhy5Qw=x)LJ0%5YZYVy93SWxPxRdN2-e)T2#@b*3Do5DnT0-uJr
zs#Yb;ZKe<*7`ue`1_$ms@1XRC-(3ir3$r{@-$w24ae(cH*j@l}uI8R``dAA`u?;(}
z8Dps+9qB<XdOpX&>j;ch@RZK0LR9WYv4wp&jVgDSm3Tg?>!K9T&U!6Watz~xim*Vf
z4tlYkc{6o?PoRh>^M({D2Uw53n=@y=QUE_NL3vT!QCvWM`z9zEY43e?4O+eW7w#JL
z;X|f-kKz7egsp|u9mWD#Bhn%?Pq55d*+f)3-uMaaOGV2<K48Oo0<I)v?jKjhja;f<
z2PL0(jqK!;5`Q9pbB{z_hyevZ*<#~?u&vKX)iphTEh*B3qU}+RH|&~-?H=Gn2u&jL
ztw<i*gh#cRrbg-14;ZLvT+Yk*{(;Ja6lb%-l(4Tu-<Oe=bwRt=rR(`p8r!mv1kgkI
z<&ykRsXxr=+r&p&Fy_|I$S7RX#Cv9k2HYV8wd-g#>z)CS@`9d5z<GPL2t@fuTCs-h
z(-yX-!dW2TnzL_0Kg?(?xJL4L@c|luXgyHN!ZY}BK?UTzhcDX8-V5Fyw){tF1v5Zi
zvj)(r*j*x$DJv-r((@&s@0L0K>VI%&bkwQ@z`?F9AxOb}e&mvrGv1Vhk`P~rCkKkx
zMR$@Yci#5GjKYcPo#o3S-KT<TplH0fhwm>vR-(a_d_J16Bwk!%2=CKZV=c|KHQEM|
zf7<}#fd}a9O9US}h#l`)hm{~`o{Q(8l(C!zrQ)}fOPVJgCZwY@poB0HY7it5Mk<|B
z#f!&4j-s306_Z=^f1Vm}rD4$aQV8a#oSnaKW<C2}*R{McRtX?5kV+Lq=$D}Ra;Z%x
z7LLXkZR*X{WIErs>@r^BQko9YzXu+2S4B^pmwI8QgPdWtRNa40vD1}RHl9_cGLAJQ
z|8SE``}zlvRT5wAB7UEE>mU_naP7lZFSW*YDnL(-_SNjn)}W{qp)b@V_6wpQy_XuO
zC(xt^Jf{PZ00RvG+(klT#x_A1#K;kjHyuBsLIVe?1P{_3Ij9mxubHjq!vTI!Wy}h%
zNCci+dHL`+3S+28*C?dXuNlItX@ha+z4U6U*QfTeUq8uN;J2L7NWN4s_h4MnW8hiq
zwwdO#CI(bri@uk-?l(*>tCFjPeydw$L)yz;Q2xB$owvybwb*F<mZ&(L>%PrM4b@<*
zzjcspy8+o~eEAgHOX9_PT(G0)lH0ZHd&x^d<@uH=8ouT>lV<yfF7be_wm|7lxf}mo
zh6EM0cT<4!bm#*1-*x+t+(MrgL1?2wpBZYXJ`wu-e;fly%F=T@IYb8Yt6pzt;XXN&
z0BGh{gYzKx(*sN}nEULzz|*rt;GPScJ=@9o9oT((!JG$=Pfp-~J}fU4yg51j0E3D4
zUNgGP^zYzU`0K7d_;<`QZ7_wC6A$2Q-#OcJ94F^QpgL-2!vFL@-iPqJ`Q~)WvEh0D
z_1yVC|J8X@4)#C&@jUdtpmloc0_MlNaPL2KgTLKB6aDWrj2Z}t|3m7Az{mgUg1Lzk
z-q*DEyGnKzZSpL6f295Y65Rlmbxq)T3CFbc+Wwf`Y<xWK0Qsk5kI(3;h{Q`9X_A6x
z^bf$9qEpfG2j?&BlLM=}Y(N6h1NZ)iJ~Ok)j0723+NSt*cU_qVw>>-cKb-oHxdL0-
z?y!~4ONp5Z4N&6TN55g!JET(`q^tkjsSFout|2HWtobWNwkz-bX_(l@6MrQtY%u0b
zWZlN)XEY<E-#rM~&clLx!O&_H!Z^LZs~>90%z!t&RB`Gg^S1rCMd&ZdD$5gP?4i5;
zQb)Uz)K`x(LOG~KlV!)C%IU@0Cxu6=f3t|b@tmt(`Q^Cq!0RbaeQjVAC7E}nl}&M(
z!NHdp2;Z)7#0mdQH}}5XTN6g$uM<UdSuwfC?0aawa*_k&vNDr}g<ntF8#X!p>^smz
zerlLVLz01aH|?ICEX%{??bogowR8=Xd&GHs@EejZ+ISL!Tav5Hz8^J`>hJ#2U#kTp
zqS-e5^BYvj3OuAf7BC|jtEs5J3$OO$0s|W+M&}+*U3cUcu`Yc*IdNF2;?@}bC?dAu
zQ1H5YFK4}zD)*s|w3JEd6%%^9TjvPEYfSeKOPGF?aFe+w?}Ov8MlWuV9E%0dGw7@o
z%D{p3PBk9_Kgue|5Xp$K!^h;+y5bjpr0pAKd3oWM6b2`)+kBsRVMZH{BInFsXqeck
z$;gNu=IsmfCOR>>BQ5Y0M|ER_om>rXFRn=(9uAHrgA=Xyk3w!93uYbZry<Gow=-;U
zKhQ^-U&C`&BzFfWE43|=vke0!hh26)NQm0ibX@$9uj=cW3pgxKB64MNskQ*`G^_Ic
z4me@5AXs|B{Q8JkT%~NrqG9)gO*i3hh-jUmp0zbV4hBywBsks`a00<Km-h|Ic(N&S
z@H<a@6a5JjpFXs+{wuLFp`lE}whWyi=HU<4<xv7mSfhx_5Bjj6gVeftT@c?14htpq
zcs90#RW^buT)fw8pKe%r<MWlD-+sqevelTDG44!6Gh(<w+y#=^ehnu6!dk=Xuc=8I
zGBdL(zBL&*3NoSyg`L?CwRn-fqeqc(sSOiFTr8BV8?}NqOSX8aebHwhlfPKvLpO$~
z{pGxmR94Xn0YP004-S@;HUc!1Yz~vugea*?ovnf*JR0o>q_)@AY%h|0xw4_K^Cbf}
zp=EgRIne7%O}ov-S`7Z}kLIPehppm5jgi956`0B?pC+kJhB9J!Gyd*7T>H-#D~rFY
z;f))gVr+Xt49W(1%115q25;F<dXD-&b)iUI*w>3UgW}v47K#>u7d}V%vNKzZJ^0%A
zHv3TwF~wxJxc&S!<(!`K!kY4~h9f4qYQv|JyLYapE39@sHo2-s#6^{spYHkFS0d-I
z26|?cSmJi}uC*o8Ztb(&_FK%%@5*dZNBv4`zO%1gF_M^E4^+()oH|3x-mubG?e&9S
zrIWsc!)tUl2idw1OFzZG)m&<;rg>Z6R*OqMYJ@b;n)&*0pR%v^t3Nw?$sZb6-ZC7t
z_~P;=_a*Tv-i7-|KO6B5+dbZRQ-}Qye9DgZp#|X5n1$-rnQVgERG-a>j4meTtDceq
zg?P@(KZ~hZxW9VlBl|Ge{eFeXJ8x&Wa271Q@7}#$d)HFiBi_&5zc%VqDwRL7QZ}+Q
z(ebM|JJT04i>-A=iirky4ZKhyXzemfq7<*O8^C8vZFXkV(t*C;;a#M)6Zckpw?EXn
zacNg?#8~I=N{(%jtcp6W;3w9v(CHoauUq_NJOalU?qhuW+EOn-yAVtjUp6ovwl6uf
z73JA!;8<V5T4LI#epox;z|gkpvTM50Yxl<!>4mE^6r;n>htwME*OX$8d1Z^Awt6PM
zbcmsOYd60CWr?IOhKQQfCWm{KU-%#Vli-}bAFmjyr>ovmA9!svqVJ(c%(D_nP;=rs
zk5?`4`dC?EOMdv0a*JnPX>~lbDb^?o#kOw^DEr>tiW@M~FZ1MTnm9ugk!+=6hm32$
zOQw_hYKtH0plkbc{kLlC1+~Qvz4Zen_3=q7dFL?C#|AfiHu_zCn~v77Ur6!q_we4`
z)5T506vKnL^h@7W792c@^uqek{f3d{O#_RZau^cJ@Po#7?;BNXzWVA%?eIf>9R2FZ
z4IGE2;(_Nz*wJp4RqfR=Ew>*SwnbU=-ip2je%jFTpmihO&F|(tnn2Pku@~60;kyds
z>LYcGT;6VLW!t5Tz)E~V;UDQd_AyInHe6|XM839WKJn+PG3uyx;K8Qv3T|tpsd?==
zDPDC>(cmIbY%Y)*LhkZ-ek}KG8zW3T%)BEx@K>$uYo#%F7Vh4t!Djx5ttl{oKaRNd
z?PA9!y?xOuc!!00PrQ~Lx+ZhSdxhT);yMDKKoOB_a}YA{q#uuD+QyF>yn5rYBaTnj
zd3+SNuXE2u>UC|QgUOPP<mhM3+?{x?hGe19qvrm>Nt@xvt~XhE-{FRRXqHNv;!p=9
zE1@y0@8q8R#^)oYOAQ9_!<pkNzJO>gx(u;4;eB(Xv{5-m*PCDv+9dBVgJT39=&h=#
zW25G=w+qhW9r=qttj&8nBZVs|MIHI_Jv@@iCwhvTdRw95CToX2D$3q71S}~Ik@Qy3
z7>_KG^t^nDi%w_nD;G<04tE<Wz{-Uh{VlUk*(W#u?*7B6?L))Ln$i1o>S#QEz&&1K
zcm*qfz*p%!o|s;38zh-<_w83WGSqooc{H}Y9kZ{)R%I;n`|u&RbBX6sStYT+k*f8f
zL9${$UX7E5BtK!Oa=;4j<mpAMO6l<qUj=mFJD(jX$-Qv{)opy_MsIDe-MnbFwGC&v
zsxpHem5%ekIz4iHXsM(j%3ZNs<!>jn96D#b##s3-M!y#=^rK3N_@k?G7Q>Tt<U7X4
z$s%cOvbGSCh#b0MVds^EP?ntR?MV6Zb|znL*&7QP<h7cC&VLcagR5&ntJ(DP3+DMr
zakalFW+QqUZ6%K)Lq~^NNXAl)-4A~y;uMy>GcyT#IwgDtT}Tb*tr-|9rqd$aG(9kd
z(TO<kf@D+ctYEG<6y8k#vBa=5NOk>2=R;_sAMcQlEfQy|&5_z14sCwlrfEp|+b{;@
zn=*)_3+(ajUB@JI#rAo9PRYUGDyE_W1NRnml<|-HeQR}D-p&}7%L+p3;&^q$A9`K^
zhf4ox)u(1j7DV8e#J!bbVvYi{_pqaHHPZlYDp&SC?C}5I08CE5A@WwSOIXL-zk~aE
z#my;G)hkDi5PD&mh}yf0UCj5FEC#T|<8pqwhVQmLJrWY+Lfls%K?X~UBfEB}qdS<I
z{3VE8+z9*w$w3Ri*xT=1XMd)AQGWkN@@DgAXX8pzhL1y@wzPxc<4e{IqY7YbiwjuA
ze&5o;!yO1VB{vA}Xy}J~6|Jqa^Nuoa7O9Q=g=TD9i!R_-8xZ`a5U>HWFse8~+1;<5
zn2z3H{Diw153|6uxaa_zF%#{7OmGD0;a)A?wwfka9r**>I~XGxSXSGZnXjgo;jX?I
z!ifWwJRF*Ge;H#tS!H=ok$k%-fG{pzilxxiIySmT()RBsCKXAH_h^_Qa*t535a-f%
zc;}w*hf%39HPd#9PlsM@-U+cQBZd8&e~X%<;g~LOOWMBqt`frQSBu9B*7%+??P{xS
zE4x&UFIQ~Hx8XkOj^?g-QbttmS&HE}@38!^68ZYe_Tums8^MBVnbZ)pIk$f%Ti&uM
z=4nDc?Y^B*jkqYtkgQQ_EF0pn7xOh-0C(xdqGX!+^OY-}If<@#*GRY8sBKcavI(TK
zP17;za|X&M2yEIf9qxw=iE9B$AvIOwSQ}6AZ1j?Wq#O2dBPrf@9+{?}xY+T)L6h6~
zXRfvBo(ir+-+9{{efR#A)~fVHLsH4{rJ8{dXrtnR^ggGe?jNW8S}n1^@Cs~rf$ZV6
znm(c`&YB4a$)I9Ros|Ga{l)E(ezZ=@@a7)7GuGj~H|xFq6={rEUG?U-DgbBIYXO^R
zrvwLV_8IId>;Q+JQjXoKPTD?V-I;V+q8=yr%|7xR7EQ*RmyM=RK)fLO*|hX@8Iuca
z4v`soMEnW7)7KF#bnal8u&bCgNj5@dCdUkU0@#JI@TW5$j<2`ix4Z9xRO*WB^8$F(
z6X@%(6-oVF-i>V}`Mz>o{5NgfLzx37<IymDdauQptpG)Yp_3sw*#{KPzl<(HD0??H
z(ChK5KN9;BZOoe~<G6eeyTHIe?4N^{JBD`RZ}U9tVr}vKCAN2@JPcQS?*Oe&R4dFO
zwReL^TyGIqINtetX`FeJ$?l#=qI={@=9P@a<h8G1jY58L9xhrLi@u`(BL7};SQ#1-
zuPHt3ibdg9{0-N8-$pmLWnEZssK=Ffvu!eMI9K>g3VI_IuC#KykbfU?+-&<KE^e~6
zGQRa4Sr)oBUb%5l6zG+8)TVxz!}im+?NAhJjgzbJ*b{t*@!yT;Q}AV-#>7JwUO}<)
z9)o)1>gxiW9Fr}a-s~zq9(gXi30jEj*C6`ihhAvn%F*;WQ()qRwho?SF!!!3zVdId
z@f`hTiN(YyT1m`(Il|{o;RuXqJ`<&U%HEqq_Lh4Z4!A!@9Wi_Yyngkk2B`d_Jm{Z^
z<A40O?g}z&mA>u;zR10A9dCVqABCh``8mEj#A52ZYM=}zU*4SCg4D-t+j8$}5@9TL
z`r@ma-+JnQHI5i2mY9vUDBMrCq)|9@$wLdfF8KkrR}D7AJ#dJr@~tWas>=>6A`AaD
z`#gQ;eYXmPcsesaQg=X3Uw>%qjsx2z)OhmP2t~<$WN;UwPbJUey0K2BmI`k!YfoVH
z$1^+{R*N+TwTXU)x%5uYLrN?8U_OLj8-sc19WoAZVP=xVYIOWDe^d=Ay%zSWiWbk}
z1IiB1;p~7*s+gP~exxNl_%vpCM{;$Q670pv#W)^hMeMn@#ssZ85J0SSa6m6SI3N7I
zsWMUebG-XqohK0^VUQF0;Pp%~(!FfUrP^n`bH5DpS5NJAVLh#Z_7+*-5Sz>5VImS6
zF|0ND=|=if&guj~VKvDu(XYRcID3uhKjer?THUox=2+d=wZ&7qu10zQxzfGTs#DeV
zbkOhlKO$hgO7SzghA-Nzg$9bT{EIFOYi|;cm;@IluN#i`H`<m#pjB9|y;QDx(n>fJ
zu@b8ug&pe}M=GVn<x~Vdv+zAs;ADBEgURo!b+rmr2tRs!Xg%I8+}p)FR|&jNVJGEn
zY~t@w-?SB%n8b(0*M9c9;A_ABWq7hIS%Kf}=<1JYMUq4=mc=cOfsM7XZRd(IT-mkf
zL-!1J99hL-zht!GOAH2fmcDig128Z5Ti^2e*iCa?FI&;U_F3sh%Aaq`jnBRy_cZKg
z^hWis1xpX$YtirTX6ow?etz!_$}P&3Q4_Mb%3Fmv>B~PE*8YOP@Q0+ZR*TW?tkvHm
zC0)d3wuCj63BCDw^m}@0hlZKG8=@_Ta#da33*Me)WrKGVN$5=0Y^N7`xNzEAg@aRW
zpZ*96S>yjW+Vz6}R$<MAtKNgNtC0fV%QAzys6iwS&Q2%h03=e1f7_wV+3+^m%H!4I
zKR<7dtBHS3@-eu&_T$TI&szJ1!Y|4;fBvf5L(vV?k-sj|?*7OG?ZBA#-hRFulfJWL
zF^0_3&|5nMBZVJDR;Xiy8wO_~A2%-^7d_%~4|u*sppvZUThCME`komL%(nhc;i%@7
z)_ei+%Tb-;Chack**P>zZ_C$>g!kS4r-#hMB^JB=#$)+vBnR-aakT}z*)GW#mnYQQ
zN1^+16u*;^u1UzR9;tMmhV$3_ACG%-vwTyos(0^GASv@)O99S9xvcp;Eyp%J#rlhg
zuT%Sp1dq)VRlCwN?1^I=Y^=kpyPukuIrl5Xd2$W;nc!Q?YPvgi1|B#xG#IFbkJ^S+
zvA!E#y%tU=&6)n<b%ciWMQZ`U5b0o`wB!ObZTmY%iJg^3EAukmugfn_Mm(roOnMD$
zar}^E-&2iDif85f>0zdu_K|U6X4~hN{N*|>0ycn2swFN;W}^dG9<RBs5mokY9zDzC
zT6XjOxlT1!*{$qj8|$3%?oe8B3eoQ=4YUyb&T#(!DC*kdq1xWJa-xo;yO7+9IyEi{
zNeCsKTsjF!LkKZ0$z?Jw;~b$*iSjMCm_+1Wiebz}5ebb9V=`tYm&h<i7=tl0zqOU~
z^ZEE=eP->w_I}q|?|R?odDhy%sp%-WukWUJc0Tn9ne>Evzwi6jvFEmOX3w&`?7BN=
zlA=NiEN1?RUcQz_BxS@x8K4oqdaTZ5jM_YMcm<O<krD8B+8v=5Lk6j74(~GU#q_Bz
zmNzpI8Jl)sCgz8Ny~O8Q5`_%}W;`@1d}D%sFU(dfbRO+wW-12Ne=QDDx~(A}9fG7t
zyl@3emfiB3sM}@PNrT3`$bT~DUb+R}i^2E3{4qsgp*y7x#~QRGz27Sm_qY4?sYd0O
z=uMWfD%T*C_R7u{XF{=G{8y-E#eowt-Sh^9hllseK9nDj@^*YNLi@1G47g!TJ-XN_
z_dGN;bYOeMQL$MiQer~{-N&%oJLGjA>KYg+2D077*@_r-b^6=W1JCSjhme8On-VIL
zqZN*2wl#~;K<&T*+RUJKoPA(?x|AGJK&pgZZY${k?SIXJb=Vi51lg#;xzM1?C5hkf
z^z}rSDEXRPE7h_cimjz{F226;PAV$)c)Tu1RrIGEhztb04oYGi;or;5%W>DCIq|RI
zrqszF7azE(QMd4kRlRF>HsM>KR%+9J<4*7t>DztJhLBiy7|0aDAJMrTrV|!954I5|
zbN*@%T0uhNwJUn^{@u~ti>r4&X09yLy$^mH4fo=jWNd=P9-AmCwxFiG!H5WP+LP?@
zJ}AG6bq(ky<t-{4X7;_{BbTCBC5}AiHG{0Vx|=0@GKxV3^#+s>di|(tHUVa7Tbg4U
zSYqKy&zxOmMYOkS>d^rv*bfW#gN&$m;~gxc=Lk8-DLuQz_-SO`HKej3wH<{DI$y=#
zV_~`yp)|i$p=LZ!T+s2OuEQSbbla!y;lE^3!QS59EXprp9&}%-QY2OZ++k>^f}Z%S
zIUVOS{MstD;Sg>!1_^e28REoaP+X3r9Hcx?yos(757XvCnZDErb+4hXm#f~!gOo7R
zYE8k=p0S4Nwfz=r?cg?fh~Gb(&^G)%+>*S_iJRh{(3uS#X>>2Mm@#9Y%`VNwy&M~M
zw7x9gkAM$veoqqzRJH!wQ~O8{P0D}ye(lcsx)xkm>O7Ghc-nRB95%f^<f;RcnANL+
ze0W271tNPYeQ^E&TSR$udY=uq$__Qoylt?dn;xOISO`+Y;D`q-XyuISt~=i+G5GQ0
zoeIRW8@PO3?+@fpvZrRkcs^11{9QZJQ82CaJsII@ai3umS0S6GqgdrS6xA<u_QFRL
zyCku2xGO#KQU%p`ljbJTOAI+UTEoEb$|<I+IJOfC4q?r*2P3kM9_=Fw{$=>(p-3Jc
zMb@wReJ``-92AM%uG#XE!Mx0q@(;(dlQevL4#*B%$Il~o!zM^;*!e3q$wm*Hqahqp
zbES7^DEC*t(zoSI*rl*G0l#&x7)?F*wQMDcX`-F3aN;&ZR<n;ixaW<N0Z4RZR>1WV
zVmZe+GaD1IKundWWPZG3X!`LIEo&MVda*)pl*`8{Pxu3m*=uzap>+~5d1l-x0o}*-
z`%o%FQLPWz)mnB(*dkEyf2D}Xs7Af~bJDzPnsC*_TbjdQ%o<QBNy(4Z)k{a~J*n$f
z8U#IM<(ZLQ?`O}<LwP7(RZ6j(`pE>$dA?6_<rB{t?@bJkK=QH;Js$&PA!wTyq00Z^
z*qWvt06?$vQDF9kTRpfrCJn~Emo+Io#?8dacnP7}fQc=BkglxxVo^qxC716>1hX~U
zMOH*`Guvq`?t!tB2#Z8_59;wruU31mnx9#b84GLu{MFx|4a0Y<g8>(o&`@-}tsl6c
zi->YxgVF4F+U-f_(a(wHb_LiH(QNp%Q^{d*2u~Ey#1G1(iTMd}NmAD6(V6@q^Kvo3
zl<!WJ1`{?azeyQr5x+_scy2M{TCyastvn!*rAsa(3?HTT`~ObIeWOM&JXqB+EZB!?
z$ivA#Ov2@3BtH4LNO9uUW1{hznhJYqk1m;J-XzQ&3dA{_a}Y-e`Gjs&|L>jtWbx#L
zi(EE)wt3)!gP5OGz2~a?SkLm+CccS}T^}t@<plLA5vi2*wh*IDI{+i<zrm><+}!cq
z!Yu@HS&G6O*~B|%q&D0-?E_B4f{2=pSD=L#3?!0^iZ6sBO_A@=Hka9vlTnI=KM{Ii
z+?mPT8{#6+(|h)n9H62}j<kV`jn^`p1%ppzpH=RH`!7V=$j(|Q>D52hdvi`WS1=Vt
zZFiyEn&w!xs#VM8qg_0T;$~bf9r4Oek}J)KvkT^3S;X?HY80#&%#iyX%7))pWE7I~
z?r005NPXvC%oND7QXlMmC{0OR80G<ZMU<1I!VdlZR92&U%=wSK$niWjneKFir2dMZ
z+pfZl{xS1*$h<y$<bG-`EkvV0Jp|`tOx<2;DEpb+^wIvd2!_S)8@p-H`!$-eM=3~w
zgR+5BpUFw~C6+|B2y?6kFHbc0nQo0nj}Xy19(GnoU$fJ8U-ovf4}|OI#l3^cztUK9
znElULX@1^#O|mm}`wqosIjle_D;+D>RS@;RBF$g$f6u!^u)QQN7v%u9sG^iK=>Gk6
z@Mg}fX-|^JRND3}04Yxz+~x`&Y}Ff+(d+;qi+Z@{Z(}2MJ(e%v6{9yoC)ANNj7hT7
zUC&#trmrtiVG5puo9q8xMvul|4l*_=mqWm%FI{Zw=y1p-jhV-Ej#XuBQ#lWCo(W5h
zUFI6yyPg@SkYg2|O4INAm&zdD<rI;-I4+J31G^m^NWLK2DUT*g)oOz{K(c1fr3|?p
z9^Z?!!9jBocK4Pet@5jgAY<u0=d6Rc?V~2DcKe^S<Bp${f{pX!<|Zgsb1ZmvDnV{n
zPPx{HU8G!`=hOTrjE?~?eLLlcE6;u3BxqNBoT1?Se3TThpQhk$`dC~8E5O#Ds`nbX
zVwCa$1-StZ+H=-XCUmg4qw}3gouK%6zomwg_}zpw7te}SNH13BUT=?gb`H3^X%QC~
zEahh+<!WGoie7<S1olP|e=AqgbhkU(E#;Tv5E_V?`8A_Am1|05esVo0kr<H(QKWdJ
zlXRt4m}Km5I9d}#ryVKp4mK?Z1e}m+E0bmU@fsym)lI^-)sOY4dc4iSiaGAl^o?JA
zkoV1uuJ(Vp_@jeUU-M9J_h)76x(9k|;^@W|hc#99JTp-uI==oqEj;SeGd}gi03d-r
zrJ}a-q$^r0%?cbm#OwY)N#|M*x&>RkKBHETFuAQWH=DQ182PC(e@-==Yk>k6A{pLM
zPpfj?ekl^9d)jnFQle!Sz7>l?>O#_uRxD)>kGc>8uY?`F8p+O?kFZE%5|x{kB{`7m
z$M*>QWD{YUVdN+H*v7>5)@^m`C|AMBqKs!VPI{I;n?@}D=zWy#meL+7>G-ufe<%#M
zS&aIRTx9e@oR0Z^u%Itwfkyx!a4I!JmR`p)Lb%=j@Qa$Eetw?tULU7rc22<ji4?;!
zPLh{Ba)n)Y<3t%}RhWWSz&4uJa7|)IBT-Rke(b(^L$Ii-%t_76B=d>cOlJ^fmA&`-
z-q*#aza3J-X>CHVa+DHX=F#Iz(Msq)N4mYwV!BlQGu^JG@j0h;1a(T#z_gJcN@xH<
zZgXD)qV?@_tFxHeu)?cEcgkFtNu;?8bpo(>bo5MxPESVfRgO16Dq^`Zk19uH0(~H7
z2cdl}j%7la>24*)hb2t)eM}1PeJq&eqo1%n!O^^rQjT1Gx+vip)1y~aWc;IMJT4$j
z+}Fzyvr;_sq=VtK(oLWGb(&~qS!nEgzs+0fS2ISW%%vykgd0_uZeQ_LPP^w5Ou^SF
zk2Cn7ACzwvSQjljZVm+z=m`I+Wj;(bRj+LgRD%cc7m;k2S(I?|S^jRY!D&FtiR;z0
z?DC3V``dUdM>N0J&PT2sYzJ5)(emAg-<F9QC*K>qv(O$aAI789JRpQPr&itD@T6g=
zaw&m&PlS<WacwJ2yL73!%ws8M%g9?BhTMnG9V#FlsSfkrn5}8e?=_-}f)jcR-J2+3
z$b~C*RNZ$;dz7a>`sccg1XL#96Ae72qx|-@wP=a$!fx8ppeV<>gA!a{G@4~07H97;
zF&Y-h8=Ct>UxVe8vNqe?zI{ziH10_ld*cRyS9gU;PTOkImNOE9RnoKNu1ZN&WI|C3
zzn2@Smgx*JHYJ$(ZpxAmKSrfx(Rk}r%_j%>YScQ}Tmca_x@+?N{>oQ&(3ticBO`VP
z(4HAN5gz59I;?2Dt1iN3bcAyzhgoN=+xwGIPEv!|&H*+3l}Msl>>Hc4y<0_T&blTY
znhmzQ>)Ks)QrNM*lz-hc?~E_rnO{NQo+z0Z7%384VG8Z;00mi4mEHVWIi~c$?o74$
zQM~78N!VU4JKPZyrqf_W-OCdpz62erZ<2oP(s-$Dm-R&%(q#P?UF_pC_*stPAy-}(
zu-QsVY$(fX%a#f3K4Rmp>m>Ft+%7fF0U(*m$nGE?C=!J2O*KlqX#dohe>~_itjj^Z
z-~IyQE%ZnLtO#$XxBY(i_0E6B6G759^?N?&YA!b+52KMDT9Mu?=(MPHaj~8z4%f9*
z(iUg$Js6!e^L~KQl=&gA1kB5?O(1jPxFCkgJjriHm*pSwD>D1J1W7<v2V|rUW2UHA
z;?&9IIi=tS|BA>70}>HFcrJZ_^3DN5;6LKm7$xY0nw9lXstkD32ltxOLnKEa^r$Ls
z1`)j2@neq9P`AUA=o3G(<xMQ=`*d0E6)tU`j_*q;3-bBY=~o}-4W$JuG*HRn3CDti
zWuapqOOuxds1R;%J88<88$tVx^9RYV^;MPjEBj{`l&38>tNwk)WZqQYd5u0d{OqWc
zW9s|dVbOK-*1`{;E}sA#);m~;)<K&L%O!82R0?#b3v=ij?IxjQ<d!XVonuRkodsT1
z5mWdZ=AXIqZ0Ea(NeA0@17}lVc67+&#p&MsytvK^ERY5?0$USP?zPeF3>H{)(~b`b
zU~@90Xc_%jb9%}(vV92x-^dq)RYnG*m&#jwFz<})eRmgP&-SW}kKh1nT4$tMfbxje
z7lkPOjzlSjoBD^gD_!>x(_ruJuM9bMZg{&uq38{`4*>BzBAf2J7Rvl6W?0|Z{;&aL
zY&WXtK^LWRW9kpsR$B!Q3?@{tOR|gd)M}U}oel$7lZ`6d{hj1^uPTfpE#IVGON;A?
zwOgL!eyjQM1_ZGEmWszG4b^)A8AZAEaaUG`U2n+btG=<CP_48s5I%E$??zAVEU6-W
znF#gdo^kg_El}1$$<s0Ogz&Zt!Z1Sc-M{+lsadShc0jn{=V;wp);w3g5k>lRTni;h
z?Tss--{JZJim49tyXJ_Q$PL~4vaGSLj^9?~1!3Ow3t|<B6(`OO5?GV`q*mtsIJnFi
zM{mlD#a7pp7myKv{2<Rw8<5I?kV6R%{p4)^Fhh=iWg1n+Ojov8`{Y9P?p2}bFf3P)
z3(<Agbhrm|El*(E7eA$c^Z=CF7ke&cMhed+<Xg;GS}7>fbc;e4E~YWH?;xM&#NvU0
zx!n&;%>DoYUlGT=!1+?A!v&i-=TcE(aIG5wa_kwKrcA@euY|rXW3^}M+uz$g$ws<;
zVCSp8;;RAgM|YCs)P^SSxbq=-pgzKO_p)aL$&pgJryH<=MQl=crx@=U?OsxB#{={W
zYf955r?9~REj9pfXz#i2Wh73k4t7ZlfqXnvP?}priOCi;-5ojW>r<T3&$^yG4c7QF
z`ep?14J>G_Vs09eu}fLh{*vs*3f@0QN#v*!yEsHBt<-W7|FiQU5=hv+AxGie!9unJ
zH(Cfl8DU>yH0!&;?TM9)Z;#Z{_&-u@e$i1EH6zCQzR7V3H+dO+q0ZC<Z{~W6P>xIT
z>xE4eI)~u?&iWHs*3_S@V9$juzJvmOAIBRQL&p`@*?8F|ZjQ_<h#o>hI-!8H80W3C
zOV8!F!g+x8kuM*6GdB)QD2FprS2AHdH@^vif0vKd@s%EC_USj3m5Sj|iqwt(&LWG3
zaF6=KCS$U*@1U}I6JW$VmZq5@e-6Pv1HvuB!Jr2jC=L*kas7BM2QXsK*&g5Lh+sVz
z4?+!&f@lI;R@C1UU;dW^i5jj?4AWRvD_OEL8o`RHhQhW+v)XWL$g>YSq9EG1-*PLy
zszh(JSZ0M>6Qihhk({D_Ft$N?pG`;=I+psSWmu*D+j*O*YC7kMsjpj}5(J<uf!M?S
zf6e&H=u+u$hviSfNl8Ak6F^I&?Z_id5nb%)({<F%cFW=dqOD9DxgjN^e9%!Fc@d-?
zf^0>11uIE6Fg5)l+HjNyMgF0wpO=CT0Y1=|Tn4b<oeyjLUuXml(>c7?J-!%H2>)0F
z0F*EFQVb%-!e%8O=e8i*!T7i~7V|^VS!2g5HD@n(Qq0Q*hw55>lB}6+FZvYFX3Z<P
zw^gVHbymo*Ewe5u_be;iANcVZYVSca9?YuBrM~D##x6NDL3%E3`Vn*DUBE?y@pEG*
ztLYP_c63Cs_Ts5K1TNHBwsf*9J@^$r8;lqVy;QFGZitvaMefU)Gl+yn<vbG`CkDbE
zdWJckKLo&ObSBT7+9PrS2BBRD(bV)uR$U5#M&veutZ6hDk@9v{b-jX*M|$42z%qA$
znf+5e)FHXHaed)=xN&_iUsj?kC51P-uTmdy`JvYd^A$^Nsp0tX?_RE6uP|>f2z3yE
zKIGR(0em}sp`j_~hz;`#Tk{LN|7iO;7Pjedn=&?xG0%Au1PEgdkUVv>2?2(OAFmCm
z3A|~v<l4`G2Q)Bd#&hRpMe6EM$6k_uSd=H<;KfbWoF{3i`)oO|BC6nEGK11lV{g)y
zpUwW+O76Ow&&4LZ2LS(WDp5sH@3|V`;=Wauf15fL`8XNq+DaJ?>ef@+KCAH1)Az+J
zQ$JE)<kZ8T#71HLU+xqu_&4nWrm7x&2;p#+hODWWs0}M#vH)0c;@*Yv6$ioJ=VIP!
zeK27+wt{{7H3#i0mdTNQJN8@y8FRr@7!#XiLy0<6P0<xRIASw}s3BB~;z&}9Vz`hR
z;ks0k&|s=bpo#T?Qt;mLKG}y2hsi=3{YU`w1xBVUhpZa8Ybf#@L6vAIhWnRpyVS=}
z2RZLQzxg+L!5EX6%G$)aOY%EKSH$BJq_2<VN{8pSHgtN4JNvQ96Y1Lb8_vMJUw<-w
zP{iLh{!DuskXQg=8As`19&_R8nI~fi4H<~Hg&miF2A+)_C=C7Dhmo=>pdjRw_1c|C
z0j`i!WU(Kcw@38nXm<+_D3X%MT|=YiPM*A1S$9f%ELI7lN}U*uMb-`q28I*`g)_xD
zIC@`C5G#^iOP~H7``vQp34ov7_PAM~8ko+)P(sC$JNO^YqMPf{MRLp^FJ6ovJ>7DM
zW@<FxM8C{<qGS*t`p4~mr=ZBje~<Pn2VMxLm_LR0TfTpDTw3l8YRDac-j?k`*8AzV
z*^eeYZ#CcprnwD^CcH>&gtbFCJc4dKyYL3Azm*`gX54a#s)pd8A9F9<@{GBEl|6c=
zNFH8MOBP|BRIb$!K+S^S=*t~B!KrO?wQR}x%XpL7fmA|g?w(`JsirFT719H6CDQs6
zlAs%^CxW-=z2dLi(2f4~80r0jzv1y;<GYx=VF+rqi-89#+Fv9)$Sa!p-3@Z~KJOUb
ze!0G(W&WbPO>eXY5D*RSL{8suCNC*&6L@fVmvj&4E3G8i9i<RO=?gMmH)hP7x*pxv
zWFZKIr{mv-2woY6?zd&+vU3u_$sGkWd!Pn*JuSWNhvMjS|L0S&=u$?f&1n;QCFk7#
zR)*z<Zh-)Wp+(aJ1sF9vn*jy)0t{<;!1D6VmzW?Ra=-#I;Tucfkn8d|N3C{nzV1wC
z>(ZCthOOzDfL;b&)IN3A)%jQ=p)!|w4%XydvTkqabaHT%ol%oCV!-njub)8u1l?A#
z(1Ay&@aA&j*o@<^tSXcw9nIk{O7nvD|C@mBKiu`*+G{Jw&g|g*%qcwufrFu)FLRwE
zPsb*WX?`s;pel!NAgj-@o(zJ>?u5AmTNeKo+`uN?#H4`-`2sowJxn}usFoR*3dv%h
z&K9x>o&d=R9{rrtV_<kwP|M|o1yX?)iOw(!tiVEjy~}v;G53bNT-&RxpTc0@l_wQA
z5P6AEp8IcAJIEd(R+pLb4huvT>_2S&?5IT+OvAtwwvK@_#g^ZO3CxW>D_zeqj}^*;
zJhZd(YkB=&3-+z#D=Zd$ll|Q)Bp3P#MervI=J*~I%W7wtSsaQ5><&}`=LMvOMGU9&
zc`W9g${WI4TU)Q-?L==NW(Atc5a1^;>`_xT9zYy_2{ZU(GO?@+QE1|{&H$<Jz?)eX
zbJj~pmNviH%55;GRKzh!?!#u<%NF!TLp}Pa@1UG*fSI#-M%tFBVnG-oCP`a1g0v2*
z-6w{LIi~PrgPNs$OjtpseI2A9C?M=^Xz=8Aehs9nw&!WQrDJ2sv2EWN`;QL?yFkhk
zfR7L+t-wMLv~*Q|%ej5h<DV%nE4+cF*~z&<m&;U8RY+-L!^0cH2l{b8LV-f#&nCa6
z!5}x@HUrjd!)GIq_0zvtzjXz_pjwCj3d{`EKiaTaK90?l|05a2aE9;tF0L}V26qWb
zJ65;T)<z9(@Jd_=j9yX8D`K?NGMANVf{uUiOLJ>&VbNk~)O`DCU@#vq@fk3j`Iwjq
znfb7dc=Qs%VOOE{Wb4Y92GZTjK<5Cutp%98yH@)F12@O(7o}U`a1e#dn{gH3T3STu
zygr)yePMK*(NfX&ZYMwVn>cbdE!t#aiFpukP}TQOfpw5>H=QA`Z}L-IrFUi1p^<py
z>{+vI0>M6mPgjSQih!~e2w&quByg_;3bjJ%Q?~GU-F|+^A~7${C1Ipnmx=ur{aafZ
zU}B_%f@`oaI+BJJc4+C}4GwB(93MZr99G>M{iSy}Y2GZVr&N@iEGEcjjoq+I4pStw
z4Ny(`%0AZBhK@$*<qMzGo1U~jFTcr)A68UEJF*dZlCP9bbI9V>BNhaE5udDq5@ZS;
zHw&>5hDIxqUIBEFLp_w&IBezqDICy*hWC`Pn>T431r+(V{j0zOJ3)EpTw6hwisi-B
z!COEo?Vic`>NwSmXOELA#d{>cH!ijbk`><_-16f*7h~smbKmUF6(1#$DOsh0pN->D
zQVq9jYJ#ATBI^ULFA4%04aZ*Awf(lX-K_yh+l-Ju)Ao3U6*&|O#KXbdGXG1OO5pJK
zU?_zySt8>IRYknKE0v>-H}tf2>RyG8@0Wzo5x?M_?goFbD5}C@kcfpxC)7i^TA(!M
zy!oQRkKT}*dU|w5<?#*RJYN=+Q*VoQKy(dgxB;z<B6q{+F(@0pQU^9bUQq>ci^}!~
zRg*jSYW^sFD|Sh_Y-laE!fht?Ov|Vb0jaTn0J9=-p~`TbOZ7H)$jkqfc4q*Cg*VK+
zB~6#1=$&Fi#y0WnrK~$b;j@`7KoIt2fuhcgyuJjD?SUD8UH;1JHbEzsOV)>98>awe
zem9Kk=2e@J6TOExhAard>45W{$C0Zt%2pWJ3qXK1X?Q=yXpc7hr@y~>*@JBrx(I0L
zTEN-f1jl-B)W;3&^eIJ!*oNKQ_uEA*wB;fG3?*^I7}5a&6m72_eQE+;0`xpI^o{<I
z^WZRSmt*(i^+1vV<P82Koh$3}69#WJN<iOgu!3k+a^a|?<~-WoF${Bi;DB|;0A`zk
zQS%4Pzn{%}6BqEe@y9tvFC-+Mnz*11mb04AisBp{%KL>D01!qk)wqJJxbfqO+w10_
zBmW?6`Pz+Y9gWw)p;_QBep$6K;MYepBve(_zwH0@bs>q&<7>+|t!@<2yem;Av$`83
z-73EK*B3Y>;@eak*=v67G-+G_+k1iNb>+@i@Ze}M(CkV<*9`hR#jkxUyX4lEuUXv+
za&ONXYW!+5)^{Zk>;EexOCW6iD<nuDZm$-SQY8={{wsiMe*3Qgt~vQ%0bFxywIFpm
z-oR`14HDEE6(xV|h=~_%xstNFSLOtI{mYisH+YKt?V|UuFBD01DXlHvuxgv{;Gu7=
zzCk!>^Pkmbj%hSz>#p8;e*McE@xRRR)L?D-lhx}#SjRuoSbdmIP-}Iw&(keyoHwm*
z1RAi6f8@AY%LLT=^?@acc!`7jUkx_mL4#|5Rk{K`Zeq9LSL?b}>t7bF|J5^@r(0kr
zL}1Dj-Oew<wm9DKkko7&*uR@4ZeW=Yf`j3~pYCn3Iq$*LhDI&=dZ>Knl>Ny{%Par<
EAL6cb%K!iX

literal 15520
zcmZX5Wk6J2*Y*&~AfN+CBOOY2NQZO?GIR|g-5}iq($XL)-Cfc!l(cjSC`flo^BugO
zH}3cQ!8uHvJ!|i^S6%Dcp>LI>v7Qh=0f9hRvNDpYAP_PP_}>Hk7`XoNgue!ENKUHK
z;-K;o(k<Wxs+pLg7zkAL3F8L#2zZTdFQerI0zK_|_(STmD>MP#ByxVE>HN;_y|XLK
z(G+A4v#@n$u{Cw3;9_B8;b04<*Fph-1R=7LVrp*sd+F%T&u2c@$GIWZ*(Y|6&^Xb>
z2|3`<J8^J+;P`wQm)0FO6gxE3FOu>5CbWi+{e2u9RooEYxQ2x7`u$;Vlql2V8gxiW
zH=QVx5q9c_B3^X=ZaRniKa94Fi&G7G+r``amRp{q?#d<d4Q)*>6~%4R4YpA4Le8nl
z$*&BIRz4~!P|o)1rYmz(sLLZS418;}=4v{L50v3OMpc@nCgW2j8Y22yTDJ^1O}tE<
zHR*Q2Z1@kK#VX@XP2C4c>XRqV&h;Dr*Sqow2~!p_D}TCTUkfx2L3)8fnADF8vx^zz
zKYyQ--Pqnv39Z)AVtN>ZUuz8t6_Gf$ouGI6;MgeVlu%e&s!QLT`0&$AiSM8q8h>PI
z_SKo)cYx8fbn`kjIxt~>AEos#*KcjQov*Ws|7wb(LF-=6d24o9Tv!O%ly|s1Hm%N~
zQ~)0pj&59I-sn}#TpQSC9yFG3=jZ1yIW`zGv@hSY*KW)Rk&Q09($37x_=@dQ0Rp)&
zC&b6+W(c^J@7-LUWS5pI=r%gOiBC%6jGzrFLG9!`o6D0=>JGvnK)q5;<97-cet`x%
z9pVSg9Q@Efc>QT+0W*Bx&~Hp+fUXi+hlQ1il8bqC;pJJC&a#kkk*Y=Q%1<XwBK%nM
z&cJ%Z#@deF>+y%KyK>7bdYOIU@E*BbrA(n~IR}R-KKJ8XKJTmAm(0vlvHY|y#L%L`
zFJo0`vhCT$O|^iw5{ipcHjpevt8iDX*4FB{=3S0f-iRG4cuRSseZlYhL{88b^&;mW
z%AYOmkX$_06N&zwLG!bDbM;<uWlDa2A5wJ<_I0_Bj^0>R02^^=!cP~S_Th3{K#PNv
zuhn(Ej(>Iru6)muSlJxQ(Z(q-VUd0}FWtw$$QW+_Q<zD^nD(t-h2?hUy8<PPLj{PU
zx3ssWrsm71q<o@-q)0GSOunsyF?#=f69LMh)uS88d13to)P@)SOYj`~(<twgDxK4X
zZI<_7<0{hZo12?=%^&t~JkNKrum2p(#9sXB`dBv>-?2G6=d__T9x7jskgNR8x=`pF
zMaoYV78ZsocG~8BT`T;f)w4k~Gb|t=0K3`^0snnTWB)6R0o|E?;Smhb_p^{0W~uf7
z8+v%-;=X=Jqkenj{`<c(oUgTbH;hK^MNx0FkWXtTw-Wz7P`WQHJp5h*-;7@rv?fTr
zH{a~a+L<`p=u|LUW&Cma<7Cq2yDEp(Ubt{+0$q-$SKDAQ>i0!!G&qu^4_x!lX;pLJ
zUO;7abv4;V!B0O+lEq<Qt0qd+e%PBQad&q&>I%j(I$0k!+L<oX7N3cX5_%P0LrUT2
zNQQKBzPHem$gETA<9UDkr|0Ty=h4|(3bz&NmCF|<GS{)fS4yW`om!tkO{rz#$qRdT
zYOc+wMApp|m<~%SJqJ<$EMt9r{XD1H$nN0qaO=nJGFnHu&CVQS&p-RO5lkbFe&2cB
zx#r*eY_VN@jm%Qzab{WNxF&~Ob22<U+{4#TXHA3IzwcU%>+4zv1)p4aVL%<4!}t8y
znyyvwnwwK7BYGS|_LtjPzm=7hX+)6;X@^Mqkc;L=7QT%wF!|Iy0$Ha(YC10bq+X^?
zt6r)}naH9i=M8nZy*d*=H6=MS%ch7Rlkku8%Dc;5PPci45F{Jbz|Mh^*9gopz<+7F
zp*pZ^uYNG&gjZ=kRRJN8+nhE==7c=YNe$Y(8WVqSjpO48N+bu?TF+It(8?!*Ij;J!
z_9T`UvG)5U#gh9~DpM<u-KCzoqLj{OLUaPyG7s>eL;EHrko9v9--@t>^kKji@k@4w
z3d}moT3w&-<;h$)e-5V{5<~V{LyAsiU|=|}t*hfMxnfm;1jCaGUT-n#D)+PNE605b
z0$k1fyD9@%Js3u>#@@AiL<%asA<Xohnw`A}HDTXwmT43btA7HU?Zt=c23d4F@Ynw#
zxtODI5m^*|_0JC%qmuo;#=^pqj^52o?4h>Yk04SW{mi*xFgq=1HC_5?fDZbEel!CL
zg_eK}eDn;0_^=_tHshw`#8avn7lFDPf3EMP$`fnDxZxJAC+@9(&W@fhN!YMz$TReR
z94S68S_ENCK!WS<Um6j*6YkhpZ%8}V<>L9B9N=B!zYlrPUw|6A?yqK<D-4I9KHBB@
z`Exbz@elzv!>BdYvJ&umU$FOgG;fvi9g@7PuM&j*3ES`r-q^*1-wd*4ni9$9+Ei}@
zTX($M4*H?7N)CRNzG^*_3wtNDCckHG*#Wi5(m|0mh(Hwki_J4$8zbqmz--BrN*XXg
zosjo|P)IP3?>_LEnU0Q5f_IK16$K{xL31%~+tO*aMWdW5<22;)#YGfD#*#B9T$gt1
zxfQspsr_xwWMin*i!}yWX25V6`*Y=fGRT8-La(#)@_JkWb0Q`E_KE{jB3bcia3u+^
ztyg<vW8)!UPsk7{*Gh(KsWnMaLY$6KHF~dfyKgJ96`B&7t;_ey#cm!FvhJ^9pQC|E
zzJwJyRWW6p8UfxYR-qWRy!t5ul|q4wn;Xi*!*kw=bjt<`pd5OP3+LwIy4gG1nK?m%
zIS0aJsKD3CQ|Ja8JJoLEz)os1!h(@yvdZIe&K62!{r7<Jr7^XOS2X3Ws9;>co?6se
zV7FJQcxsiAo@1$YVaHZ8(;&n?G6F6Ore4c75MgZQvo!+0OQmG0CPeJwNf3r7z!6AW
z0Z!2^B!*C<0|+A8WE0=rp}bbDRJ&0XopARX-35c7+uO<MX;lQa9~%q@0d8xfYv$hn
zKf`n*{4WXo%4B8MnVWvwf)U$0I~K8(d_Ff{HIJ7(<$fC8&z)=x<2JkQ;jFE#WtW#L
zeO<Jzfz%Ut|IwR^M8}m#p2vj6^g!NM5F#{7Stv-q_+o8phy3<ojo!@huPiQRz+!rW
zfzhKAPQZwiE8w}G#y=n4Fvz0+JRu<=yQyiO37#%#AjH_r{OjM6O$EVG&SYt>bT52r
zA?hkBl+n4}K%A`|%Lu~2f9anq;6AcDH;*x{oGHv)uG^UHUn~o54rp_KdKa?GARR)f
zU=v*V%?Mnh0eD<>g6B_X4=9cZlKm?OlUT#6t2rEwR(jTfNHwevgqb8@YhD-auTx7$
zwYWVM7ce)p#6fJ25jgV}Q!9VLgjsUJ-{4Cmw?6EKrb-ZO6d9oe4240!5;8un>aadU
z^vsZ{;LDdU1(*wYF2}$7eTBWRPW@}lM#D}vMsXuj{442dg@lsIk}!8<*x^OP5PU66
z*m)RWf!iyH&TDMZStk&Dkd9ITgy;^%r5^|n55NAszAj87;ri-@z=z#bAb5|mzIrvr
zB9a2H6fobBz3>tbcBv&qOuh$)GX=AG_5iNT1$RsglW!9RT*8SCLx#|S7|ouM3*V$+
zrk(<>?CQr@j<i#ifsJ!gA+S`>I);PVsk-Qb{?8bkNTeQ@w|AtZH#5Vcgnn;GUpt5F
z=Q0Vp9sc}dI-5HI1lbJHTLL44eNui$_)k?&wU6lF1^3%4mo@p8be3SYIwAxWu=DjF
z?0-?suc8kL7I)~rKm!j&L3;}BP`DdO7ig#Ldaa+zW8=8D*vxBoe|PI6nq1HNo&wWG
z15;q#0r!13B%en@(}W#9#|YSXNh${9TuXFTTvRhv7K{rd1r`f+RvP<&O^dL0y;gek
z=+QG2{OjGN*5)U`v|$JuctTd|rUNc{Vpg2`zxAh?0)i>)HGi;)BLbuR1dAqr8y#)0
zaoL#;@~cuFs6;2|#MwUm5%ofV1@vI?$?!^IQBCrA`FYf0f`4sxCiRfNJ0a>boUO`c
zfybliCUQ8HS9$)c!>TcdwRo+?L_WFiVJDh2=s_6@;+oX+GzI15EYRRRj{mdQA8}iZ
z=jKU##9}0R45+N-_Zl{}oKy#}ADM`52N-E9I*fZGUb(yM&c;?90^`f|Dks0?fUR`L
zh92&`E65la9Bh7k(PV-1AhPvr<*(PGyCv1y4pTth;EMd8dDH`;b8;v{sM&etcfWSC
zf+$HOiHN=xt7QXwMO$$lb=}6dv7EZ|ybok|$Aj9<@2-t6JKe+aX>WvL82-<u4H(d?
z$#(=y$Y}QPSGL`9Tek20ol!@JKNT~xqKSz~h}h@PR91(E>?YqJF+$FT--vh=K*Xqq
ziV>vTauGnL(8BRP!p&w^v+DgYF;?4<C?P09|N6vOtL&@gZ7`N_4Mb{f$!!%2=^Kup
zI{OnF4x`^PNMCV4jO<+W(k5nR;hpAPL#0gY=HDq|GBQ{mXM3Yz5>fz@EvP#?CF1NZ
zo+>HA@}(?Ud-;C_rve8)a{q-0qC)%527yR@iAFN~h6=|P#YB?9d<4hVgcwGE;Mn#M
zw+KqG=N>ovhaY_G7UML;Q{#qtj1q)<T|XL~diZuZkv2>GDmB0eP#!fBj1?D-q+TS%
z4MypH|A+$9p2Y7*(Yu1Mgc5a&J>~acr(i-v>3^9-C|*?AM~9Jn^by9bLrK!OK!>N-
zcJl9{11On(HlD0obiC;h&EZ9bq2h2AOF*Rj#Bzjy7i3&dBq_v2IeZYP?AR1M-dE05
z==M-GwaGjR>(LA$qaz(Vi%NdjiX^-3jT?I+1tvs}I)IBqh8oVLDnlJi49{Y=piv2A
z6J@U3`8{JmFsM-qws7T;NapN@yx04WFOrL>_4;|z8n9X-MP}yeu-_Cms&jnp;^w3H
zZerCDZ&iHdSs>f-_77cl&k<5AD)Z;k&Cg{a_+Nnw9qXI%m(h=5pjdPu(s1M}e9lIC
z;jdmTK{$2YN-N(TU-YhLXSP8$j@}BwlR<%bC<~GLD<E(S;xdv+vO_nwpoy7}5q0Sw
z&x7r~VEeadVeR%&_f~0EN<U|tKAueJoCz=gLEbR+^65VKBNDW%+;fonlc8bZ*2d;d
zj`)g(xMqiQ5tH5QJ+5)^Q_IX}QhwOU&!m2efy8sfh~Y>I=J7ItY@k8FM7v2Q3c}xn
z6NEE^(o6y?^$x=l7<(c<bJjH)ysHwaKw+UrLD1pAkzUuy$D+dg|8p^~nQ^)biIZrj
z<QXB%w_Y{mg!4;a!lwT#4qg-&6&3MD6@}X;EF9dMHEO;h%{1_re>?r@WPaxN%1BW6
zG9^4l{@O?1jYG93k1`XtCb$*iAe{W+RV)RjpZFK?lk|KfUGwov1<|3>xtbo&gVqB7
zs0m7IwC$wS)RM^G!)e^|Lmk2p1swPom|To5@?z{8d8gTR3tO$Uq5f>`FYlhvT|2Pv
zx%8Wf!@lmK{`+$4<^NC2FsU|s1@4*4+vVH?pg2n6J7A(&b*-`Y`5a=(dU1RAY3#tt
z$|_Uz^0;tBK;|Z0T+?P6msm2IB={U>qo$qaedI2IgD_zvjs-+2#}EmO@@?obeE73~
z#!#w=0h3O>LLeEv_$*M6*QGuOcWlP)G697pItqO38(HKbHvCNr0gv&dsDtxtLlEn=
z@!no9BvBWL*+3Ne8_;@``IdwuSGQQw&3;n_R1;}_z{qU8_#v}FaCvJfA<@-m`k8#p
zVe><CWGgF4s0afX<11{_cxCrHeb4Tg1@=au1>~`PmI@6P0>p*Ng9^g{@!PRz=j!d#
zfE<zGWjgKpEw>{AM!$fR>k<Rs+=bRW7h5oZEkKrdE}V<i`aBua!Tf>~k$QVnc}~R%
zr~UN5?Dz<G<OQ|8Aos7YR=&|K@XFVh&^SQXynC}JZdU_uYWFSDGSvqvUSNd!qInfl
z&zRo5DS5*1?QXZPdn>I#n?RA&1LOM?@}}kIrzqOmAXerYn4bbhM~SI0=7lAaR~=Kp
zvd8saqU(}(!`dRPd<qiz%*pXF&heLVAXcSow|QMgx~dR}Y7S;MERAoY5n3TdSe!kM
zt^-lk-6FlM2Ysu(MUAgxN=b9t`CfSMG%9q8`v+?C+<psAeyz4gVqGgCE?Ud^Z}%9M
zY0uR9%r4%5yNCjFur23>C)sGl8rADRW2=ni-zuipWaW>FzfjHIbrv<W1nPz#I@vX9
zH$*qvjrty%Hd>zTWmU6IaK9-}bpCgI!xQ<X`8v?pw&|u=R$LQfM9AMAW_5V`I^8Vb
zlfccsvZjx+PaO+21fR`t_pzZdvCsZE+d5J7F;=a-!|Hea7g0WsfYjIhf4Qm$Nni9`
z8kaweILpjr@Nv}2p3%og%XcVC*O!65U0Z_-f?p}ZIE6+*5}4WiJmQj5&%m)DZ`bad
zlFh_{li7Q)JQ+J&3yA4|)4CP<wAAU9n<@#PDH=+JX425rT^PEtFlj2~L2K`yElnRK
zKtfJHLcQV~`41dw<HZ(k6{8;G@9KFlWh41S$~pi4{h^5BAh_tzyqFmqE=~~vH$G;+
zc#`;{)8P-ccJS!OqgI@Z3cP9wzse_gYJ@JvA1q0XcFzi$+n6NiBH!LGEs2#s0v4M2
z>Nc#`d9FHtG)E*F7N_*@Y-XjPx3^dMr(5<6j$&ds0{9iv+gjt%)yrp>w++YF%T|we
z-%dp9XCCDil-dx+dT2Z&7)xgPHI^sXluIumpkBz@IU^|WGkiU23Tu;Su>_Np?%x^Q
z5nfcI1z-OBws%|Rz=22~ziIBde9_g_ReN`}EML+sug^U+zMxOrI;Oo|W2tnK71Yav
z+`C`o*HyR`OQtv99Fu;<Pc+Xie(Nz|D$&#_YH(n#m}Inbb<UQMn@)G5!VZ5m^iMkc
zq>ln9Z1AKl+&eZF!dJKPquL49jPia6FSlo>k+ew~(h>AYwRIL5Os-3RPEI4U?wEZ+
z4C@+=N^UW@R{eB9=>0=dIzJT$<cNFdl+^gj|KByh4S*abg&Et`3AR1`wPCQ@a%N&|
zyh;z!G3fr2*`;&X%#&spc6egY4>e|Wl^U4YIyN${KkDNuR7kopU&8ZI0@qHSA6zmw
znGg=I(y8T-aV}HLFx~uEBOCP>0aEaw|Kz>D2u*-80f#1S=l;<~+Av@5{AnMl7kHz3
z!(ms5CR_y4k<CwLJET;H%8G<yBsEyv2c7+B3H8qA*2|x2P-N1*yXopOom%~0ir{~Q
zurJ@ix~KRSbyL8pwM|qOaL!11ja%z2-C$L^t@QwjzV>bQZoBVfzw8PQ4jvsa2*MzN
zA_Cs+jmmi|stc7P&rTL?ud3y=HJkiv=pGVa=q<$!lN7WFrxA<Mj(AJ2rSJC>ipyJ>
z60;}<!Oz?{RTE*C6k(KIJ!*FfGa4;K<*t=`UG|T*NqP80C(O+GeGCqi<X`oe`MXA2
zJzjL9>q^GoqbE%}9Of%6GbdW42)-iow^F%J?7$=0%V(X>^nays*jPllh<9AdP?Bvk
z(E&E9kkCmF5ZJ!QpUs(~WzK`_luCM<sbCVZ<Y%Yee!mZ|+M~K4_IfvW|Ljg_=a*CA
zDjBf&x*j+2n8xh^jM13y!JO|WlPH;bAEL*kZ-$RAV)v*tu_p&8+ve3NFgFO~T8!<Z
z_>InN-8hUEC94-iPeRt{tZ`|TJC;-@>*fd4aA-EvK_eCeA{Vw#h|4!lw+lXzl#MBs
zaimQ@<ErZsp*c%z)1|?6HWWG6vassjT4dvMc|KnovTnW8fL%6rk1CXEd?bn5eZbsV
zf-t(Dct;}F`ni1OXi?vM(r#$$-x7)#w2OF5n15y>s{`sU9t_wN>)C~wZ{lFt>kUnA
z|ECnIC<6N-(k)9Nbw8fUOp@?_GhTO(;t@+ePa*Mm;?Fwaq5|y=K~ibhq~k0zQYp+g
z_+<9|p1nWF@j1gXFV`7{qf>s68>)d_*1g?MgYnd+ukSE9`EBTrc$Xrc6%$T45vPRa
zE|9J$>R0@+m^9$_=k9)K=HWvPEZ3Mg;m9jg?w!*lJ0q9~DC<gjJ&sh!4x2qit!l5j
zWvGEWWiY;8R8xDvg?LedjO#Wy#m~a0+SPE>ZeZKxWjxwsZmHzGj>o(|_Qa<48OEm@
z1>4t_Sq2$YZ&iEh2et1D@}AE+epanRqEDq9N+v=Wu?Dj_iF=cOxb|w7T--Uk&aUk<
zzJm`z@}0RL!6)cK1V`{YQe63o#nS{|x8EAoPlDf2t5p%+hM5FV<|Li(0uYMx#-QU=
zp^sT_Vf(Yp7y9}+%Q^Sq0W;xs=#C7&*WV6I@i4<P8f75`VMG`?x5O6ZSwC9%i;xB8
zFk!ub|M3J&tm$h-QbNL6v?9)fPNE(o%#{+hNpY=kL#FPw#>fXOof(?cq>{LxRYn%X
zE}XF;dw!Lgv#GzdUzQZc+ePmvPI*+-KQ>|&ygH~RP7jk3wQyF(V@#B~UzTjUZ7P*I
zRej`AO@xT}Ov!X^1P%{R`nJwS3wYZ|aY9;xl#-m+ecfGmltm4Z3bXlRFH<&h!?2$X
zx;wszddZK6*tC74)x$Q{oQ8|UgEUb{CuF6jPM>W~Mj44yY}DQL6Q_Mkz#NK{ZXL{K
z3_t>{gb1Vk1)$rINN2$bFR~#-jKBL(G{SnsCFCInJZRs>__mBhIp?X4sY|>g16;^0
zy2-;9_sTcUGTm)HX{{Jx_R+6oc=TN<iSoqqmr^BXL|9K%y=(N2m$4G-;Ju=Mn9k1i
zpW1`6Rh4f-Y(0tm*t2LN^Q&pa>ATK72V|Fdr5->27V*jaC{YT_ctj9jXGsBuShB=t
z&|~AHNHbwt6eT5L?&vOPOSn07yx$gb=F9+(@%~)yP@S@eaP)XC8{TG36;c0!ssu0p
z%Kw#t{BLuc4%8ZFSvB=RqU>M%kZo;ZRW;~*;nr)B7?#CEMu|SXLNrCCwBNpLF)CWh
zIr*;2)2CZUwU~>h|H$%+0Q8(`*}emkUylv$au?8XxeMz(W~ts$H_(wj88@jzz%MR~
zU9#EF&oZV2-$?0E-7(Lh!?cwY<Si;Ogw^)K+eiu-NFwil+)q;wU5Y5HGb&sxN=>~U
zo9(@0O`MV|eM{7o{`u$NxUb4_r{ndW&p-uUmj0<<OCuMNvca-B(>-7Kn38h;cUfT1
z14v2s2co+~Vdm7%*atU&4CCW1Q%!G<Ail57Kp%?B8hgT+!@#GpKgp1X>m!}Rowy#*
zFCemIaen&g+>NnA)c(1JZL}U_y-(!GfAAw0!H6XbRgQNTOWwFsy_#txphyOc$+-2z
ztPEbYwFttqcVsyiFV5QYZlyCbdkUuSL%8Rk%#JsOk}{1G!}Y5pUsQ3yi9pXiEb1}$
z__8wU1u>&Cn#I4!`sQ*tkB9w@r!N&)+t1v{;uH-52+NWrpt3f;wb&^Ud+@~Qn;=;?
zr;t&Q({FSlI!Ua+cTQ?+IqZ=a-|SP~jt&+(N=5pPZ+v@8S&e}JVNoVMMH*ayu4Pv}
zaV+i5i=n+0<a~H~jV#$wEErwI_(O#=^wJztzdz;|*I3*UbS)y~t7vdoMX|oysYq$G
zEl}Z=*DF7JC(DSPEy8u<FjknECm>V%YYo-Fv5w*I>S8vI?VPO>`Ujc=>aUOaAjOf5
zjl6bQ%xS#%jzgh&^ESA+S_)H!kF^UPLPk-{U^jW(QueV2<;ro4@VdMurh^4+MLNCn
zhDbH;#V3f$6w#i&E_6DiYX1#UzMfy71@Lr)+Zu;LNNLn`zl!q0ofd`hEe;Vw8zPul
zsB<PWVLn7DB_LCv1p`r(EuU{5c&lFFJ<;4@@-6ot;1pX?c~Ars?9rHCwB^vaQ2(&R
zfz+_IVyAd)<Hbszgbi2I%aI7TB$H$a%)P3(Ma9^=9dn9>k($S(yEG<C+yo6?^kwYH
z4^&Jr28l&?H3w9SI^QP-HXlSPA_a(wU7;O}j-5zQJV3%dZI_reA9UA%dLFVBleNNV
zJ^LI!Ci%xCn6=e>ALY(Xv5Qbb^Z45<$oiQ_rt7uWC~f$W>#<Wnkfy&z<-_&_!}2qS
zqFkQ!v+ZT~VH6Dzv#;nSz{KHeGiqy*DaVO`U^Kr3p;|flujno?2hBc+5^gWN?5e}K
zbP6c8=92m`!J*q+TFWe?C>m@*pm+W*f!k;@Pya!{R3BeDqMhaFtogNJ`_>!=t4XeO
z21<?EN=_9q!q>S(0`grGddO|3**efMx}HhOEANAEn6Q580#Ts%wNI-7+j`J2VACRT
z`393^#99`FX|KhB1#n;~i+>O?aS1!*tSh#8DhA@%6@4hpFpCO<QM-Q2%a=|@mikdS
z*s7^s#$eUGd9V7Q+X=A;-8Q|HPOAJdej-riLpV9!@&P($9wAJ`+|{EzOC$ja78wyZ
zer=lsXKmfSI=vtpcA99Ap!uf^NP94EtSI>B45I)VQl5`!p%!0@OR;lUEWz^1RnEro
zW`-B0EXq;?&BfI~LXJIPzgLZpKp3Lh3&=rvh^cL7*YufcIB<v`H>lH%QR~l!(4r4A
zFA{~Gb$v;6tOQmwABm1=gse=nYQ^D#RiIj6aq5>Z4c1(%c1d-{Y=g`3!JX4|sn+OF
zipc%vOAl84o1qoM_CHIU2U{)nzr>SD)phGEr;01Kc5qZR_^f>m=VzYL-TpFL<M*vW
z@Lp6Y+36ONA73mKpJSZ^ZAgW7dDg^#iaH12wm<<Vy4z5(Yl3FxzyJ0&WjC0O>EOj)
z!sAwKUQ9%(eiW4_rz%3f!4wxB)EW80HH7N#gi7858uwt)^=|);meh-iC>3|p4pR=c
zOyZs3mH?)mqi<!(=NaGpUXhmRwIcvE3=D8#dMm`Qdnpc)#L@LelC#n&q`jn5OrfD`
zziUe7a4Amau}N_=zH(+aUROXe#ID&G!gd1s6(<Bt5Da{l=RmnngWrCZs9A3mq}lEx
zblLZSiZ;3Iv{+4-<Jq;|)@#<fRcT(Vr)t007|vu}A4+F@Kb*n*KKpLMYzQ*3<R+oe
z)7C0%8kWrEUY#7`O(p^hNIucd=Q}^10Du7pQ=OPmg`1*k@4(jg!zl*eEcxaBR%o;j
zg&GN*Z36eCzfFOF_UN3E?9{}wJGUW7a_@LqP*5E(0i$~gH_!JGv+VwCG`|!9<FF2>
ztdzZX-g@`22lly%%JnqgTeKyx4nhfThPXU1anJII3~q-dVASC>wKaJKI20dBDTbD2
z9#b7jW5F(-z0oDSGG%vl7CG83sR*0tjq(P;{9-}@U?x`qOO)_u5QP+g0b+GxiOt3W
zs9bL(NzeLlYTc-$*z6S+i5Gy#k8j7MrZO(YL!>(R&|K)i)X`~C-jrbK4zCy2G7zbs
z{AAa{04930ZB-HaIcK8#=+`oS+wP~JS|T8=0V?!$F91@oK}GDkK}ke0DGGd8v!LAT
zryjC(!{!k*q$FT@`TnF|^A8(iiZ>Xdo(n`%3kIc9x*}@fNH{}-)#PknvS_jZvuP%#
z*{A4>oPf&htW2B}{kt4OZp(PLwFHfB!T`38K0Z-!BpASV__AWC0DOm;D<D^l&@fmk
z(Y)IN*UxOB-o|J!kvYo0@|p03sP$qKv}9&`s)QR%ZJ(<GU_8ij#EaBm>hHNKBEXC9
zRUnmsN{!wK>>TM&_!H8n1oTdAuWshZZR`YsD}Q54B%kyE{-ra9O-Da$mppA=^`uYQ
zm#S+%e@DXeOv8qi7{zd(3by~OK2ys6xoHmjJj<@>h%6dx>y;JMG^fs2X4?iRSb+ZT
zwENExGk2Q!jM1V4-<#F9MZo;WGTv0DoP$H#-+=`d{$Q+Z|7^$i{OGNrK(wS0LC7v1
zfeMeL1EV-YyuQmofJrCOpd*kUF28B}A7S8w1Jct4T*Gc|y!ymvfyPDcYun{EJtn=j
zmRnUCF+zV@BszaOB>KoZY`<}HipVE8$x+DgNK$^)mYd^2qxr+6?zt@GC$7E5Ml+?I
z1Ls&gf1%g^Qlytwd1x`JaW9vVf48%Yi1JX_E|B&TU3<J$uhHv&3{zh}EZQA))<c<{
zJ5LeruEm5^am=42m*xwJuY3Z-N}QbPVoK2GP$bX4XHl8Wvax$z*dIB95Fiq+;~X)~
zpRu_{`h<ETe_0Mot)6eh#QbN0-j1s1EYKLPdp+Sw+#1eB9s!D%La|Vb?ueH{mj)q%
zQ4qmd!@=vnLt-R2x=B|1Le?17UoN~h3}!P6p&Yt=a8Y15<>%A<7-a8&Dx;LjPpEZq
zOYSdujkTYCtgPI~r6qyG-0iySPw&iHw}>o3RYIWZif_Zo_$&PQ2(?k!8X6iOTKHHC
zGjV_azyMC*M@;Owxj8B{HueYr8nej#DCK4Tn|{274Y|@~XC@qIZJ94M*cqsb&)(f$
z_jCrL)va-9FpYb$5#!N-sYUa~#F5pJXR<)El;&Nfoq;`u$rQFd0|_u2rGNSZe*;FO
zC?R_PWe7vRCU@+$5Y1|&`g%A!T<C2nfa|Q~FO$#5)XkjcX?ZG=uQ(fkbDB{sav6n$
z^e~CJWJ~~zniPyMm;5O80l4MTue7jrpc{%m$HNPi`1mvwfk3bz!D?Bhqe#cLg`C!h
z(2}T7PC7SLbJL#X>xE&863$0RVRM5ebe;|jJtra}njb|iDp9Whr29gM_(wW%!q&bd
zGTtw8TpyC9v|F}bl>{7Qb20>1qJ;rVWlZ;*1Qfrc#l7uAz}7Z`8DV_8j|Q`AKZzoI
zYQMSM-cHD8|3wA`j?H9(Ol*#727XXJ&3`W6TPoKEldLLLb#<8lCdoW4<u1UmnZHwU
zC&tTB5k(&B@M1$&LxvJ_)7aDc<&8-qYa=f>*IH?7rx3Ck`kkk*502#-1hZ}Ym-b)6
zW1?wnK7Uz`xea`0_vRX6_m7w{WTLSiLd{IDG<`|iulFkT*P^om2W>j?)V$vM9<rx<
z3mSoyNT@JBQ~;@N%u*pC?jKtZLSmTT2!geCw6J+B%>YcK9-zJR(5P(^guf8+(T$If
z4~e5!wsfHfK}XPXRM-O8{Fsnz9*Yrzl0+LsC`t|5eO72|h3Ytm({)-s&h8VY9OHqE
z3cw)K{!?nk4@3#{M$BfeIqr}j6Uk!2o;{Eq4m_``bu~_Rx)G-=TPeaq8HuU;Z(lBZ
zQ&{i9(ODy32=IIq^to{x#-&&C`q>}nL?^HOnd8j~(AVG^O=g!ksm5c>N0w7cNK9N3
zaaxbi0@}XOa|x-b*Ki>I2ibf=hI0db?1=*9aG+QHWVhK2Ai<QpA4%hnn5X@&<o_X6
zA<>4&d|A{JZT=p55y`uB5nGy=^S74LTmfz$xFAyEMq5~r=2B&zs!ASr5g}84pM85Z
zIOVQCKz*Qz&$?rssvyANeP6I7eLo>TDX{B%({?SItOYc$ypE371{+OHO>GERbRm9h
z$T8-WyTTMq1V2xpL_9ELknj`2-N2^FRR2n#jUFCOz#1l>#FF0bxHjO#hwY;oypQug
zDT#nKn3}Tjl#VZKjWo+}VsjyKcXG6U_+uy_$qEu6$<E%eJu{umbOkxaM4-O61hw)H
zX`<jt8F9xeHB-|yaj&IEaCFgRHWZj&njVNuLL%;H5(tpwDDbr}K8k;P^OElFmode~
z#pL~!|Eb?_=z%<MSX5KA&e!AgBiBdy1g~8lS|cw8X-NQ;04dCNY46#uk&|5}l)i6{
zeSttO_N?j?8AEY{I_%a1=rpdyxUi2M5n_`?5qhuX(ql*NuCLD7CSHAMZez1Y<JU7B
z7WTxShIUAFHbclW42f@apfYL-NXRlkOiIY`MRuUkU&&BhQgUKtX?dp<tf>7L(NE-i
zh{BH$GN<N9H2cUUtlxQz4D!R5V1$p2K8Pkiu{6pnM~2ZLQ<ugmCq0E8?Q)6U5DRx*
zkq<IS5S~-+*1eH^B`2j{!CTPQwuF)l=msE=41hRgT|Yl{xqFg^0dBU#K}hQ9Eqc>T
z=+4HRv_|~HxabZADwq-o{#(6FvgH%AJf1?FwDiXziixS#1OS{!iwvy5*32r=X}bpA
zgpwy(<NI%l^%#Rh2zv^V$=TUiG}(Mow0002Jr1Id0^UKfcb5!Sl0%}p&nhf5FOUW2
zm@t59TyK5u5$o&g%7c}%)PD=TziQYEV8e;kvU^CXoh?}TI_E6VJt%W10aJ>X0aL@g
zQyA+DVfNcL-nz{|2=_qAq`dufut<Wi{qglk_uadRx!ztWISzn3zztG&1ThqGSSLX`
zj<qfTwgfJ~TUr6y%e+~#7niFXrK><T0PqtYOrSm;f)7#5mQr27E0I_8i&SWQrC0^8
zEEW+wwz}C*)6%#*|JBB!*4)GZe<aDP;s$gKdMsCjTL)Eb<!}>wFcHN*f4<$LUX4c#
zX8Q8!1y>vV*<ZZ&k(ZaJ1c`wVk~#d~=0~ER)igCP2mpz2l^n?*n+v0Xn+<_xzo-Tm
zFYopKkH)w_Hz8B=zJE&e2PN!j0-MqW#lvSIbE|loUa&+eVEH9))~iH-L1v?oz-!sP
z=jbX;obZ6!T~+I@74K=XpN0N_(=mk;!N-<UfKs#X_r45i?J~088VdLyCWQI}1w(eS
zqEJR1@A-2<%*|bZYr=yLTLFj|D?qr$v$3)9{{HM)|M#eW>f6wVTNRuQ2M1e7!!pd*
zetY=mZ<8LG<N^~nML;pXxd5Z36Z+|rCc=2u<fHQ*tFn=z%L-Awj|Ah>6ah#Dx4Ixv
zlD{;JYkH+Lz7~(Qfi!+jGvVbIt>&EpB4o4ezGsb28!3w7$$-V+ZHB9!hEm(<8~!Cr
z{Vi3%@F}d_%Z4R|8BEUdodt>O)PjON>MWa@RTep#q1R<bs(vX+Y7aPsr3@xan?x{g
zTZcNoPxCEicfQ%6P3<ZU_ckH2g64D`B_`SyeWxBq%;`Y~vIqtzL<;vHiA9U*{b)*0
zFu_nJ>j&%Q^2nzEL&xt~)+e8r&4bwg<DVY#5p0|9^aME{3WDgeQiMO<b!^w<z0FMJ
zNTXw_p+@gRMO5Cu0d`6(7NUjdl{|po5MCQFbeWIuXV>vDgb6n?cUd5+m(+i;s6&Fk
z_L&xL1_hq5gJx)GE=k1DMJ&Mr-rMn-jYdH@lCw44*}Tioug~|VM2BeLkJ3H~bDoyh
zX@>uWaQ^NOHwnTb$^~Mk!nn#h?0QWx!s%sdiMkR22|{$6<M@QT*qz`Xl%dIqWW=Nr
z0Jea>r^ffvvx8q|+g2}j#`-y80HAQ~93OY5&DA6vc0N68K4{4i(ilR9$1MERJzXX+
zb)}R1-<441+0}2ONd|D&@she!*V{~WqGCPG57N--LgU9Ui&vKq6W@0<`CAc7l>(+b
zWdL3J>UpalJPvo8mYOkg;pbpB1;CF+do~}`{XiNY?w3U$8#%!xMMV}_NjjtHoYLqd
zyHTxPa~yjr_;diBqIt6*XmeD#e?PM1e}XN5Vl+NTB4bN$nha5?25eyk44EzkAP3Y(
z9BLtzg23+<s#GXG2xLbyR44NQqa37R;!-h*R4~}h^0xvgxrKO(lqr8;?^O)Nt~b;@
zN9u<jhuVhtitrct-*T=X7_$sVMSH8;kt&{UWzLB|3flV|MR`Slmf(|SvU)fF5H*Mp
zf4x?uXfiLgsg}J_Xm5u9E3*fg9MuzejY>VGfeJBEtLggbnVL9Zq)8zF;ly5O1Iq?v
z-ECs!jepUn|3-$e2U7*aS*7#y+)mfB*{A;uzNJJsT0t@rtD(W$x?!m0wa5rtfXmSN
z>0R0!rx}a7*du}0qbb}wfB3|FzE)Ko@r!DH1{`dhb?|hjgPLn#Wl9QhlF>b4_spZ6
zS|b!FYXN#gemy(bsWnfTMJkfUSp`6Dey)ElZox*e);3B0fGr7NLfqS1iCN-s4>A?N
z$$*AP0eNM?FuOtkEt;>;4MvZ_`}*d7IRQYZ+>)TCk;K<!L((D5%D|dC?6y!#xUc|>
zQGPH&+itO`4su6ABo4R`Av$oJqFhoKITHK~2|mRJ=T|;EJ2QB@YmlrmGN~&R%(k;_
z3t2z8yn9pk>2<@en?vkIImxkWVkmlVNKAM602?LZc%t}NDgr+Dva1$ja0Czsz{8>e
zLDvc%z^e|KU`vf^F+!m%eL&sRk!(f+AA$D?0V8-Jk64bQ)sz}~PsAXp>7xlqdaG4r
zY*ILq_m_A&_z3PTQBF(+a27~0VMxE=pTp`$k>K3LS5l_Im9rTA0(w=xuyWwsKun1w
zfcNig2UEi;iqBOx=(JiSxZnSg)1W1!mcl7Xf{B}${zhhJ1eVf${GBiWmH-PV<Q1&D
zLIu;QyQ-FACQpUnbIwsj&~=so>$xp?fQ@B^a(b`jt(BvGtC)4K0Vtr(t0%Vjo^^YW
z*ahgF2k8Hz`Danx$YZbm{AQ3tLad`u?N^q4Cfj95<x<!TT=Ii?czt8myN3fMe0{N%
z^^IU`gGQCFhekg%8|a_8xX^=7u5XoLzP6ixlz(wF%6$|U-?BLu@~h1d#)k1PzOcB8
zLFNjhlc*a^T1$Dr$5m#Sh?H=DuGXk$h~y#Dsve6GUfm<*GR$lZ0T9*Wfww7@5m%Y|
z-DOP6pU3WDz6~KsIlyBij|-w=e{sQx_8PX5#&Vd2IO5rhaNIgvfe5Ge_U+rN^94KC
z)EP|LKpvZUu4k9N^jC$@WiupBc#jm2MhaDCw)gr>ZlBBBd@_sC<+cR+`x>r5b4Uzz
zBhY6y>G5sbn?sLA%Yy9O3OOz*Owre2$~N)-!hkv#0({BKgu(=#R{c;#&|GuqacQ-*
zW?bkK-&~tVdbCwQl?qG(*<ur7<ZG$*7@qF?PK>5g=R`Hv$vpyaIe#H717$A}Y~agf
z#bzH>X%DBTr;D?*v)=*vDxQ2I6E-GnWPBij@dU`+=y>dwye@%cB50FSRfhaEA!0t7
zkd?lyb%}2A&e{6YhFP`y-(}AljYUQP-EUSTRepQlo8eP`-yqY`F?QhcSoh%MHa>B6
zW4U9s(wE$j+;;m<5w&q^mSau&6WOma3FZ;R=*M)is*O{UvQjv{it3D#A-<weVd5O0
z;Si^~P9q@;)bE-5SJkE3A+gv9P<-=)70l!LO4Of<v_6#uzF*j!CqUF+Xn=9nKIJiv
zV!HKcz1p((dD_>7`S})FTH3zop9|nNFyevPAAL%MAk76>&>LlX&FZE4t=c=8z!464
z;2?on!1Z`1WIEjo>Gm+hI-?NiIqJ!x!1NEELKlr-qO);;$OC3D$F}su96gwmt4!Uk
zr_W%NEABiD8Ck20jg}gYBqv=s(6`{XFfDUZx{a3aHN0!;)ExOC;!c+;?mQBp;gUYK
zUes#y;ulLw{P}9ELZ?9qAVK;AME?0E7po-z;_3l1`MSIQ;o+&P2fm!y147aZS%-KE
z-czRb0<{>x&tsYdRoXbl1;e|=lRTM(AX87N8}|~Rs$oB+>+}Wp$YVX4bI|Ad!LW-L
zdQ#TklRh=5w0Bj@$&Jw(PI(-0-R3|np4UoHs*t(^CpNrG)XQ)H5<m9CF%RIx1M=Xe
zW0EL>V4=az4D1yB<jIriy&sM5tQYDPzw10HtSB4>ry!a90ocsm&*>MCs@;I@8U9LS
zwU)vIi<}T4{zLuX#KkQzLGE;j5jq~4WbqtT_WYIBi#&4<A;T)!I-i!^L1)F7DHR4H
z$_V&vO0G7&e!fcim5-2smx$v72Sk>OX}rtE)Fu0!VQsh+6fmJ&S{J!}fL;uFIBFwv
zVRW$6iV1r<o+a_|95~mJDb-dhoZUvHIUN}lB(zO6Z3MP*EdowY6<Xs@{AFoXQg{kZ
z{9ez-!BMa?NZctF-s&D)I*re(W_VHTV>sH55}n+ZIvO@69CV?k&w}+*ixRWFpnp4m
z+1YRkbXeK&tWeUa>N|eo60PO5BZu$DTXGe#96hcE8Gy;FBflU2`x%+wOW<tJ=A#Kf
zuCciqGf$x0zUc*s%#REec5=M0&n+qya*QWG>C{_ijaB)^m2?AXWeO`&SQ|}hH_%fn
z9R$NWVXlikI#t1J-J`hTf;7AYb>_K9UsSS`g{ye#WuGZ>r~P=q@AX^6FkJ*gN0oMx
zOM$AE2>D3<>deTd152o4(Eh&p`uygjTVOJ(niELs3GrU`AN()`Lfqlv5GE$u_Vue~
znxMOCd_sb^9=;i^rfCw34I^+&OaENaTf!SvX4>%c)u*eNtLJRD&_+2xwd;$(Q9F}6
z!^u!UyO`q1Yw~^ScoJYMiCuJc5EF$Q7uO%Dwl3w*(YqWrC=2spnK{B4o8x&v#aQvl
zqQUe9?=Le67lrp=>MYW;`+2uTRHUz=PdZQ>&2qh7+#XEzg$FT5`aOEiHBSowf^<OQ
zOerTPS4*SZe+QglTLFO3{3Y+cYUNWepqedi1epCRfOkUe)m}~$@>EZI?IO3syDdWe
zA`q)JvD?<g7+liZ)*iy+tH~3@3~0XG_9?9IsNu-F5q&}JkI^UJW3xsD5tTO1YqWx;
z(wo(sdj?)JxsZv4xR_%W&|1B4+lzc@;>ni7P35(9%vW=iOkd`cJiO4>M!(1Xf>xEL
z%qNmb`)4Y4VU_IwMf&-(sylPcgslU)Hk}D#zZm2kz4&jhvN8o+m2|(_i|IBw%gUe6
zM4vJ;lr%uqr+!!Cu7(wFdwKDwt3xpy@x0a5!>ne?Lm!y_0A^s>K}z_d%dBX3>1%PS
z*zAj@3C!yoRXshuVryib2XC|pL0Dq%2;JD+X$D7yzPzN+ijv}B5f`ssJI)kgtczLq
z{bjZjsu;$SGd>uvGWtY7>JSWRC3-dZvit`e=7I;tD6Cih<lF6mR_QJOY!HjkX5qK2
zazFP(eGL3-Yb(H$+tf1UIrHVblhT;e>U;J`s@dEm2<HkoMET~;n@2d_csRnBVk>3>
zV^D38E$P0)OOm-(2Ry&u6`NwQdUL{=2lVqhFu{zz-?n`Ur!>wUvTkNd-Gye=;M-G9
zkgP2|&&}buCi)>4(a6V7StImFpH2;bTFyRO4nm1`QD!Oef2MM);zKO#8{Yot9cx$v
z0}Xx3S0QwC{$(MyH3l3D3A0g~Yyq+u!bQyjIEw>ijG1wx&0!vnkn)oS?NA%Cu6nDg
zVRi4;0L7%mxAjQEXm(P_`2^aj<mqB7QW5Oxx)TL`51qZuD#C|m*1BrHy-N5z>a7Tw
zP3?;|ahvzK_bMZiK75hFS{vj>Wj2xDGPkatAaT`u!u8pf=0u*I{)ArX^e&%1Dy>P-
zw}Y>p&&0&?(mD`p!4Bn=CcY(4yFQcZi)S4%1<szjg~sAV-cXF0*3(~?PO_i2I%rl9
z7{?A}KcC8CFPM=pT-ZE+EtiwQ)f9jDny#ewj(onPV)}mb&zBFwxje24_p5f;XHO39
zclpjmXb=3L=o#sPQsniC8XEVyADAD`uxc{VhfB9LMKKna_|i5f{B!JdB2R98m&V!j
zY^PfOpL43Tf$`|+=?ZNIDo}2*5A=VZEH#OtDyoU=n@ULFPRuCidKe6!QB0NQL;b3r
z3(;W$S;@w`hxfvJ!U9j9JvJ5io-hUM;u14;=oBUcYsGEw?(4q?X*Fd_o_TNHqu@m?
WIjl{59tRE(gJj<*NtTNn2K+zH4wtk5

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/favicon.png b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/favicon.png
index 3e6dde97264d7a9305e8efb15b48002d2bb63484..9a8472bc4faa57ecc19539c58f42b5fc61099cb1 100644
GIT binary patch
literal 2100
zcma)7c~BEq99|9uQIJ7Iv}m_WMGKQ`5(Lef7()Vta)=lt9HWF}lk7mUVY4v-k4meE
zg13xXDLU9Xr~?-2eWEg6R76J|K`mMxKnsXei>X@sl5i>2=^vZyd*AoFk6j%f7wPUc
z!3}~S_b7=t0sM2UkLz&oJ4sMb1wq5c5>gp0i;ck)q?RdHk{LMDtknY?f_MV6UarW*
zX*dH{6FNTf?8F%aCX{?6DI}H^s~6!KLXu12^K#>)irh>ESBVH_x$(>xP@u(WIc(Nu
z=?s{ekJ$8L;N5zSBCw4@XYvtQY&<L?DI5-AhA>&kEH{`(DOFg4IHFe=ocM@_ru7(#
znoK69DVRx8YLw08a#0os<!~5)!7$|LXt|l8Gx%Fo*ma0;gMuRTG(qZMt4?_aX{7lG
z0&uv`Gp)W~xz5lVJ;(!Umg`YAlZ6f@>op`z8Z_ibMEc<&g1DI&h~YgmR%8gBCR87x
zTah7jkn7mkPe-BEz88pr4qpTk(VNuw9O{ePAkER^Xaa5^jg$fpUxe#ue_JkqHB3a|
zavB$dhmUYroM{X;hrwb?*)uQ>2jj4VSZo%npBzgn302O2l7lf$C?I2l*`Pg?a$5d>
z`27jTtZchepfx|~(SVGI%pxh^9Ec&<=Ij6zB@)F`q>9J_m?0rD42}vHg|fM!p$ra_
zZR1+&hQ$+RJWD1fw7AXydW?^R*rOf*lRpC5Y|jIu1q|2~S}Ti1Y2|7>iBQs-eq96i
zF}P0sAz-afmeJbai8=yQlw)(wCL<fb_y{)?9b_hX2xJ`@m}hGwOhOoFlFG4N+2?2;
zo^3zbk6DCmfMD3xMwnb-wa-WN6sa^SaHY)!pw5mONEL08Q@BtKI*5-5RVo5_ngfH`
zB-A>bf;lh;41UP_QYH-!G=5OXLEVD(dWTxay3aixIwSy|jWB2r06F^|*e_sFq5Yc*
z9Qt=1t^-{}flU^EvAG0-9P$Xz4@3F@f~IaXZmf$A6MC-_9BRX*-q*`kt~hjMs?*-s
z4PHKyg7Gh!+O9@EctjoWx)G`g@)m1z8Bfu2Z3E`I1}V5*S=c1KSAVOffOo#c(lWi(
zPgTD>q$J@+?tRve!Cc1U9?ZvQtDpPic3Io59eWDO_HRC$zWn>YmZ4P{N0`6N?>PER
z1s<{|D4p;wjh8Z}@ECrwYkLEpxthMZd}&|T_O4w4<GfD?ztpUZ4ww@7hN$-Ou+%g$
z+a+&)Z$syAN=cC|SQq@ml^{V6dtt_UyrosyvAMA@&Q-9$?^o8!(WCu~3VR-$ySkyh
ze4`+(e&^(%V{6RCjuSG!lx$MO-#jT@e|f?<et>`Y+4gtMr=LEbYx?Q<{gE%P<v(v4
z?S8i_aaz%O|MRb~;djTRsrFeKMZSy2oRZxtacMX_qBSXzaeU;s)P_IHBMwTEt1lnC
z@TiM&t0-*9ak^SpT>7@e&<#Cwx9rQjb9a@)YBJR_+;OM+=>3zO&%h^XgkF+tfFO@r
z>*G)y<nbA((2OXtP^!u6xWm?+WBKMkoZh%Utaa3}*)E+mTb$HaCi>>)joO~->9Rb}
zRVdjZ2+*Es?w%Rp(e2Nz&d#r@3{0xoYFsjVW_s$)4)vuv%el=td)yo7M2k;%wU={g
zO}P;E-0hkN6$Lu0GPZoda@y_T;D5o%d6X~exvfU|cAfUguvfCIl*0=mOV^e{)s=yB
zE_}}SHfDyS2}#9^i+txq|8aN~-ZIwFsYva5Fa4xw*Tq`M;ZCh%_Pe!d(VmCA#1+nS
zgM>G~?t2Zq)Olt~m6-eUWXG7_7E;G9K8D!om7kw5#e^<tXucPc)>)W8aoN&{o>NYd
zbu})oF&Y0<8|NNbTvu~_Y3(D<>qVj$`Ic;T&x-B5GV|GO^(m8BEu!6+>h_bQ@xiZs
h53CvSx1g+m>lDw(Jl!a)_|E#Vj|z_ySB9m3`!C-M>Ky<8

literal 2938
zcmV-=3x)KFP)<h;3K|Lk000e1NJLTq001xm001xu1^@s6R|5Hm00004b3#c}2nYxW
zd<bNS00009a7bBm000XT000XT0n*)m`~Uy|9CSrkbW?9;ba!ELWdK2BZ(?O2Mrm?o
zcW-iQb09-gHt4*vi~s-t7<5HgbVG7wVRUJ4ZXi@?ZDjy5I4v<TEiy1MG`&gH`v3q6
z&`Cr=RA_<KS#5As)fs-yJ@<37yUB(P3;BQqBE--nQ#;7S5rGP}qksgaKudyku+u?n
zp{>YLbr7utDoT}FTSci_WfH4|kLlQ{+5r(!TP0CQCBPC$h>7`PvtRezz4!D-vP-~C
z*a#)`nc3OoyyrdldG0yqJ@0v!aL)1n3^DcxAtc^dS-E~SfYkt8!@wyic)e=~&`$sW
zJh6F`!XoT>01E*q!$B-5oO{>j3t$oU2SP~2RlBSR01jBD6>o|QSmX8nI1~)sp(qNd
zNMp^%dtLf#9u{x_IhJWDOlM$>#SL)*t*xyqHBF;-yB&(Egj7{sKnQso!!LkC0`wmJ
zJ;qpRAP_((6p9<;0x~l*Q`_6yt+uu{!C`lN@$~PvyfrLz2f)e|D<XkF0HP>bnVFgK
zH69l*W5$f`?(XiK&p!JMCr_T#hll3C=<e<|#*7(*qM{<6mX;>O+T#L(!64N%jh2>{
zqOh<qzpSim;qCM0RRh4Hg$thp;6d+lx)LA&B30GZivjSRH8pc|T`zPv9N?VONF;Ku
zV=UtA*}eM+fNKFj5CoW}2_tIk4Tr;zzVX*L{z54oMJY}2tjiD6G+~;iHT9;cbH|Pu
zyPQ&bn<PoFtaH(4_MABc0EB*iivc_XfX6y=i%+AJzFm4lX}Z(tgkc!x4RX0*Sr!b#
zKuSsqCQqJhc}9Bnn5KDK%+`k&0Zfhk6Q6<DNxXa4uIm7-<($uDtT$v?+(I}UhR^52
zsZ*y~L%~qJD2jGMh<rJSbIuLZG<y_9$<N8j$<EEoh23rk0f8*bkYyQ^(tiMWc+T9p
z2l{*x3y5LY&Yia~#vW#jmFi4~VHhw?6Ol;dOQy4@a&vPxFIv3#vTSzCvdG2_8}5~5
z`94)sb10>~#3dQBB7Z7L(j#SM^J^{;J-C1vwr_u}T-Wsn8DkT5ri1AWeTPY-uIua9
zS5`iEDdg99z2%Z5J)|hg1X-3LD>4*Cfh@~DS(ewAmse~}<d?L77;1Lx_(?}+$128H
zzW=PBL?RLBx{gRBQp*@yXS3OAe*5_2Nk^%>moL9nmgTjIqFk>i3N%fF-EQZyA~)LY
z_9vGtDc>@f|DXaE%%5NK`QgJ)9X)!~1PBO0)UqtU+wHz)>Ww!RO_?%9pp>G!yBm>6
z1d&JtjIjrw-@5g&WXRvOY}wtCBt4@j3RG1^YHBJt=cui%<^TTVllpKtbj0Hs<w#9U
zl{8I-s;HtQN~^10uReI805Q=6G))^(Qd~SO-Q_}keLcF*`T+p#?d{l6Q-k*p9Kej}
z(@{`R0994d7nie>A>W5g0FY%FqA23?!-w(l#~-1yvy)_GWE7^l^9oZOsc>o(k|d)q
ze2+>rP(lHWF-{1<xbgXzFg_PEq)+hN{x%#q)&syqTU#5ds;iNmm4zu&rXVXT3qv_0
zD5YEw1e`v78lN9NjP~}g;BvW;UoZ)xEe$1Z6Z1y5;?4GPXbbhFpaUGD2?Y>B`~d27
z#w<u8=H-U2Ezc#&OaJj;)4pI={h43`2y9Kw%}Vo*9lWHZM4U9K@JzA-!r^f1$;QSL
zCr+G*+U+SMcl-p#6=!flI>wb{emUY6M*|_S%r`Nvo^u!=5CL>1<eJPT?(#aD1@KI#
zLJ;9%w_);U9i!cw$j=%Q4mwouZN+wf!>N@5_zH!v5n+=O3qmwa@sB3!(4NqzkGGJ>
zm;hf`An4WsW<=AtWv=OIZmkPG;Jlab)h;Q&2>jZy%zxBZ3(I`ev@Cbfl!(<!s~#qa
zT+Bb|FxusH-ih9O@&ufJKR5#5Q2?*IHu%kCNOyUi0)W{7)&jWh0<#am6Rr*ZX9gSN
zYf-4n>wFzR#sK}J0L}skC9o9&*bd-&0KdFAeE`6{0Dd=sEeK#nm)AKDfHcS$(}D9h
z@hkwTNfJnetReJu4`TaP-zO>b-vgJLW)9`9aM|t^{b%4K47`La^e&;%01A+J^LGs4
zx&8s#Ie-QLrvW$tTr@z$1-Lf&zdu;VF0XS5fCupP3;sy}l>lD3*u(l^3xE~?4*{5X
zfsF#Fa&7QGKiB}gviCdLb6^jE+W>%^oBd9K;7Nzvvze?*xVbM1z6nxKhvOd3v6}a#
z3jEyrIhZE)e3$%&hZFh^B^&MXI?oXB(VAeugy=Upw%X;uMzRiV--P(r$o$Eb7CvRJ
z0{C)~M_nO{f<rLVT>cScHO>xMz@mi<O8`7=a#*rRg{Sh~nVd#~+Ix`+*wsF^<4BLA
zE`>%lksB%iXqrYvQGE5qZQC{`LwIRL#ZQ}>o9=09YBC)T2OO>pJu2CQMJ{8~?W3AK
z(`^kfIm}f}-}|s7C@@*z6u|1L>go?J6p%0%0x$x=O$2}l3x|w6yx-}@zs{yZM07+N
zjm)qt3yP}3;c$Rb3dUGoGUNe3Rn?q=i3LUO5pFabYe3V<V@OX=N4=4bFZ_9U*F74u
zN48K7aznpp;Yl>sKmq^&0s)xG@oZy0qLu{>VOXXKNz>qVyOENT0>dy63WdNqPdW@+
zmc=>e$j!|~ettfDJ|Al9YSGr#h77kG?+4Rys67X%N)%L}7_2Zjkbo`#`+(lKMlELY
zsNok?b<C*j>~Fi>z2{IU6zX3s_$pZe=nJ`wF$jWy;^JZy78c@A?IG0G)*a@ZUB@y!
zBOP!!L`_v8%L)WRXiZu`Rdw~J0H*bCd*zjv7Y71?2N+`rhr-ZxJ+=-T2qC`_1Y!FS
z1Z*LMGy`~ub6yk<hoNa2rcaxWSu<xzDfX0|6%|XjB{R@PqtI)wy*igMwpQ2m>tbaV
zrZece-o_Z)1Ypbh%F2sojft?v>lHZX%Vk;iDvFYQ!KMC)EX$9SmseCJ@=d0!Qpy-x
z#|$=0*Uyzz^oZVWFyoI|*;yNZv}8%(n-ISc2S4~g+Pin}uS7{)p{lBfQcC)jRrbr0
z{P4W8vUidauzT083Fw{L^8SUbNF;*B##1=e*x1<9({qSYY7+$Eviyp}IcL#mG?<c-
zGASn~XZ+aQvBYMxohxi9GN?e`1n|h5xpQk13fQxI_cZ|S1n>(0D(4)GF&I$;EoWMy
z_4V~)M@I()D)dE$%MZ)4V45b<($X-oV4|6wolPZCidE(Sz(j8v^5@xe=F|e`CuMH{
zSOY*6gx+RB5I#0dbKd^_``bD@J0VHZ|BQU!^B_qQ{C+<^Jous2(cZC`Qo1i@LvNn6
z62PIDPdo~7&IzRyq9`H|2y{x4bpQMX3tj+#ML$@$7zA0k^pra(P)Z4<H2m`wE2;og
z?X0Q!VK^M#Y`5Dzu~~{CzJ&hy?z^A*{r;l5x;lFN`0<ZkdimukSAuM^xMS(kzvt!U
z-BMg!Y&xAz;pUk$1)$#y?Ay0bYiVgA!C(+}yFJ;<{uP7WZkK#MA6i;kNM>dxZk{<4
zKtBOKpKp|+D1yi1fubndurW=5^^ZOFop3l@Vzb#02m}P5&lk^7;{q}=GHjwKLen%z
zl5|aF<@!Uoaz7~z1`eRWX0vIM)Ekka(P+FN5EtNZIHIB`N>rraoXY@8hJ)>ZAb_mM
z5GC<%o{^q-5jnor6-DV1L?M1aT!n~o&fk(`sbbk(cNww9xBw1rT@?!^F*tx1IOn&n
ky6^t;%9-RUe&b2uzp$9K#m3Z@`2YX_07*qoM6N<$g7gSppa1{>

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/icon-logo.png b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/icon-logo.png
deleted file mode 100644
index 31f8b2b248ccb831234284b39d34eaf80dacaf8e..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4195
zcmV-p5S;IcP)<h;3K|Lk000e1NJLTq003VA003eL1^@s6HmDDV00004XF*Lt006O%
z3;baP00009a7bBm000ic000ic0Tn1pfB*mh8FWQhbW?9;ba!ELWdLwtX>N2bZe?^J
zG%heMGBAcGSpxt758z2eK~#8N?VW3ERL2#^EwxbyBnl}~h13tFRnwwYRgt1pX{D-2
z{lbTS;9H|A60}WQH@u9^`oVK~ClD|ggCSs>w-az!h%pYqU<VUpf?+Y>2L@;3y}Nb*
z<2BDUHu&`X$8$I9WsLXk+i;Kcm)E;<XU_cYxpVKGnL9Tr7;`urBQ#B$*y?g6Ynt0?
zDl(FIpEL$OmJ{S@E|)`dxye-IB~cHwR!z&~A3cGIO+{7`cfX0|#pNywOk^rLlGyuA
zbGwUFiA+U7n(KS`PN(*<GLfl>%jI%0e61h;H{X2oQ*LtloK7dX-0BTXg(sKz+YkNQ
zZ@;CMmX?0_jg5`AhK2@eZf+J|wzjtR?;W8hGcsjF{lGcE>FU+1)YQ~O_4W01@#4jP
z_-D_a?X9h?r3)7>(B;dQMFJ$`qd~MyPE9Mvbv`aX#RjGYZ3t)%Zo###u8z*1KTph?
zYHDgIi6j1(Cr+H8lP6D7b#*nJIdeuNz@EX;aP8W)i!vY6LNL4CP6%vp1>dTwDypok
zq~phrQ_`VBhu%7T_%MC``R7z#UM_w(b?OwIK7Cs3A>LzVw1;6|ef5<H?23vC!T0FV
zqjcoR5h^Jup`<Uq_#%1#{{3{|zybQ~v(Lm2{2j@op<U)-T8IXgWo2cA0Ovp_o6SbW
z#l`f=C!bK#<HwJ!4<A0f$`N0WFYv>`g9k-oJ{lY{57R<4u>ADXPif!2eN<FbM7wwI
zM$2-(x3||V;P>_Q5%l1}gG(IwO-O{qypah%OxwG6FYVg3ONiU~dIY-8djNc0w{PD*
z$9qiUy=1}<({}FMNu{Nw4g_`}XC-`HH*elNMnr?2a5v=Skg1%3eKdaN^?Ju4kX3A<
zr^4sosHdmL%ZG~9<ME7^dHPJ{$nz+P!)N#I-5blyvbkMXa@92?d}P2G;e6oXy_mvB
z!U$Q0313R$NJ4<#y?fWntPrq*or<e2Bk+kcrmn88_KuE@sVGe4$nz+4#WRx>4o(k8
zJ#lj*m<<V^BY8Z3um%1A4FaD!J3Dbcupi({D3vqMlS=sBh`~F+gyE9`_=Vzdf$>h5
z$X`_WCl~@gefQmWq8p-!FQ-(FJ<BTQ8`H*y2D*OzI^YW?LBh8&>j@J3K;sQ2Gjux=
z1_QsXtxfdWp`)m<pg`&9v!va8y^g*w^!lRi2H;m9z$NCV+oMO1rm`Ht!q@w#(KobZ
z^Jb;v!&wFS`GkHNbPelW?!mxEAS0k9*5D0SHhig>(%s$d2^K!Oq8l3<z4i6=*>=1A
ziObXBX6RUKXlN+Ba^;Gsn*sRkEOB8Hmhny)egFP_>zzAyyurZt8!+(jA(~lHQQ^Bh
z9WI8zsjI77$#w9eYux~R53?F@Ngfg7jK?zkYy<E~_Gh=BIddjiW|Po{Kw)1q*=G+1
zmo8npB*ry@fbV7a%A3)M8W%8*3$z)4uMZ|TPM$nzy#0%jojP?YnSE^k`s=Uh+_`gN
zWG_hgdHgrF;~re#1a_bzSoj#A!9dNIUw&!l2n+7a9|L1wCUa0Ya6*NT2H@M;+uO&<
zY~o`Ke<H)T8-OncYs$;Z%Z?sBs=nrpfgL+`Y$E$`8ly}YZ88AAg5k%_Z>3$kcI|C;
z&|v_+7*;DSEiEc5D~nkK9X@<`0+&~YQ6~6c0KT0yNoEsWn=)m}h}9o{NbkS@K7H`P
z2efL{Dq6jIHGRn6ty!~%)@El@_PTYnZvA>%kL%$L8z?t7SBy_$q&`^q7`nvB8HO@t
z(NQyflnz6C!NRxm-(qy7aQ$+)p6j{3>$u+8T>rIe*9sP30yba-R$#V@|ChyvW_$MT
zrDe;O(X?sPgl5c`K{IE~qLkUQDK#yP=2$G0k&!`JSy?o1-aJ~cU;!<%T50);6=EmU
zawUR=4=}RWs2RqogM|+ru-VAEcrh(nv`Ewqb<E_trgNQ9cQ8mvNuilDXVUcP)9JnU
z-V<8E^#?myY-qM`|9*mY@@@6frAr0;Sqy(R!%v$thb-yol#!W9bLY;b`Sa(~!i5XT
z%J7$PTI@7L2jHUnVYtADuLvAO^HQ$E;w4K&K<V%iXb3nTd}e`w1RDh1?mc@1Ge{O2
zn(3M7D%`$ZfSsM1D&VIx{7irN93hAl0e|^&TDfwiI1D##+$buX$nfDCpMNNan-?@2
zh+YKH5{8d}LSUheSzK2H90Csv5Qx}8yLRs$zzUMZhGv18>Drc`Pn#_N5QiTQLtm4_
z@Zks|X1NX@=L(!BxP9EVZJU@QlxXk)ealB52_MmRBVgb=0tkVGfI?saJ^~E^hrr8Y
z1_($MBS;n-nyE6>b!F-pYEOBM&Sp%YHFN(*3pg@xc<S&GIpV~_@No#^1dWq3A`8tJ
z0K^+UpcfPtiVFr@JP7#gD*^`a5kS7CN4EQ@t3CZUqVDzo`-PH?E?I17rpi#)^^{lX
zPSz_zH!ZKx>8#(=`h_!mO^y#fu8`!_kq$qXo1sm4d9=5vNWh3S{1O)C(7*@y0-xX;
zd_<riVDzR(hmX3Q$$W!4ETet(ZcF>Il8r7|Y-py+P?tY^T{qIlP~pOVec$Bp;fuo<
z5rxPSm!y0-x^dGc%G<nI9O_%SDf)QdJ~5k178^A?c<7MW;V2VjE8%mXAYgR(8<(ci
z>3M(Ty8Y;h`bHK0)9mJqmmUN<19hdp+{eGwwf*PCH)YacYp6qK>d5P=dO}>!>oRF<
zZ7}${JeE<|2{oNFN4_pM88+52ZNzWc_j3p&Ro!$YEPP$O6CQKg6a0CM+%#bgfpTNU
zOH~M*z<Q{Z@bGnc=8WpSIrF6={+w_-0X{MGqX-m#pNCT1;Jg0$!e2X6M|o6EJx!fy
zqq;k0joiwg<GvH%0|Ekp;qPNGLfzf}e(_H-tJoVmF$N$RsG*|(;%)BTnmuw2e~$T1
zK$+qA-H|dfmp>=Q5e!FU1oikk8jLuCI=Dg$`E%4OgEFwgxx736J_IA)rkm@yoj*s$
z&(<j~yu<BQO{ByTaj7fgWkc<zF5do}bSo;xWsJd&4lFkq@m0?w)Ge^S;Rq+q8dYKO
z5c~2#a*B#^8GjBeGoCWx$5AHyILd?{N15>BC=-4hWx|i6;LsQroQi}d@l95-$1=*x
zpOpm;CfvZ_o<nkqig7t1cO~#Pce!2#{CN^fRd>UZZiR2?;|S#j1|VYH*@m)0=|qEW
zrH*V%m~jd?!p%k9Q2pM4LdAKzxOOue?LO8e2a9UZ=P$F0y*d8=gKVRYBRw2XqyZK=
za1u%Y^*P@8VV2A$w#E(z-6JTYC838FhZ-_eiR+ZugDE%{#I@hsfU&>m^<06z`oMaq
zl(6v8Z5yxt`fv?C%l`g*{&fmeRN?zig9wyr>Iihp@+#FW`~&UHT}B^aYRJ~DVy0St
zem)fx6i{JdA#LBjop$WlL0FXo)9f(6Q7ixyW&4=Rz<eDn!Gf~k17@6I;#5BShM9Qq
z6+XlFJzR&&^WPA4Qq?tK=IwM^UZJ|I-_eG}DgBeC{O9c`CQa${c6KlXOqhz*q$$h~
z0`SdSwhTUR$8XXU=4<9yXVImMUy~<2!QjK8hV)-i_JZlY>4I>0z;r<cd_)?SzKX|m
zL6nK|FnJ1-xB{mO>hLk^*nhfU&fNb}qvdt3^ULvt-|+5FsCmxMXl=&3>WQ*`@b!tZ
zs30O9(2pHE7WcWD@Bv2xg24yhZ=x(_-VK;2%XP#=*>#qw)NJ`VU7R*v$wrqfHZ)UZ
zi0O84Fmq07|14#Fia0ywKSexn${?cN#(?pZdZNuzhEG^u4o4@Z3c_bJn*(Mk%PHch
zt3E|MBW<>LIt5HrtYopFnSVw&Sz!`sT3VWKe!lYI2*3IHr~tsDVwnG)=nqF=-AmL{
zZ|{9g4jzu+y7@mGVX;{HS>Qnt{);0A+xjz;#fD~jCU^!3g$#Hyg$oq$*%9AkK>^dm
z_wZE=p7a=Qj|Jf~u7>>Ed;cd>274?BpK<<(2z)%?hK!Swlf|<}C;<PX5dE1fI5Oaw
zEOr!^ZUAoNfw)A1uRjo1U0p4%$o$)T{lN$v`KjCj1U{1mRtQY6lf}lynwy*7YHDh#
zF!CrU;Fpw?*!jd4^#`LF{$z&l2o}EIqo6jf*LaytVwuC?7~j&;Vl(&<G~hc*OG{(E
zBmkG0%<$U{z}FvwE=-sOy|LzirfG!+AOFV!pY2@vxGsjl&`0p4W+n%M#{hghf$nv=
zT-m%6;<Ka;R@Y$g*==oYUW02dc(~FDwG0gVGMeG9Wcc17;p=NJc$k3|3*5=9qH9=3
z=GLuS)*Cl&cnq#O;^nKJm8hu9D&dTM8_V$X48SLbk5xyo;$n)-COUTe_U)9euCDeF
z*4xQr_`_x?c-{fy7{1K_e0{Ma$KAVk-<H`##=5(^C*Qw+9~lR=%$E+ouCC6;;1lx-
zAqZpt-{JtOFaTd)=F83s@5-&Ww|64TZe)QwIEZ$0=Z+o9h2n;zaHCjz_N)>3Vu8D!
zo*t|yXl!X1Y=ET*jV$d5_!qc|!Se5_3OozKOCIp<lVIV4om|!tYiT}xNgE_ULb*ZE
z>uTbV!~*>)ho42^4jD(e0r<M|nDM}KAHKj30SSkMk7&o8qRPQ%T^n<A#Z4lPdIRvm
z)XRTYGV{?`y!37Pg({&EK3{5j7`_z_s2qEqgaurgM>fO9>ViYU*Trl-hE@@m>uP4}
z%NMGgc^(B8-29AXK83-;hm62S#sk_bl_SriBo1M`1I9CaTSVY<vxJP4mrE)~o<~U>
z1B`dTL|kgBxat}dK5txi{P^)InU`rHT6J}G4ex{|72_x1BVkol)g}3QA@glPVH#d}
zh1WIN?e;2eMKpibKKS_I{Q2`Wm{5cpC2Uk&Tx`M*)38vU{#H1?N%J-}HB~a}>jFNX
zAky&#euR)vA8I>t<cJABOv4K(F<OV^#4ue3YlpJB91cfi65p9xF?NbQgyB3S^c&qV
z;fG-uvp_!=W<-D|xZ<W1ti^aW|6|3(A?zW{T|q(&8e{OIwzk%UABNS}*H6aEx)>V(
zPmGl5L#P-(PGZ27_!84Q@CsJE4+I;?mlF5Nd`vTFEl%f~EiEm5=n2Kkh%qjJu?;ZB
z(ZJ06lK9I?e2IY%^uePqUhg_}YT83hb6ZUrl-pgXx!hjy8g9Stc630>aSrfqO=8fM
z`n%7O2#JNBc$c@Skfrs%Paa*-e4-V>&H7sse^Ck8=%0rA6Dl$=6%n~utxji`Xqy;(
zCB9H4G!=O{HCGo0`ClY_cdjatsi+9kY`!1c6(<OFLQ|2I$LVxVlGyvrgdYQG?mXq}
tHWPm2<<#7EzPho2Ew}H3%w9-J`ac2Gxdj2|%;x|A002ovPDHLkV1fs1AAbM<

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/icon-logo.svg b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/icon-logo.svg
new file mode 100644
index 0000000000..ce38f02f0b
--- /dev/null
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/images/icon-logo.svg
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg version="1.0" width="71.25pt" height="73.5pt" viewBox="0 0 71.25 73.5" preserveAspectRatio="xMidYMid meet" xmlns="http://www.w3.org/2000/svg">
+  <g transform="translate(0,73.5)scale(.075,.075)" fill="#DD630D">
+    <path id="path1" d="M 220 -875 l 0 105 265 0 265 0 0 275 0 275 95 0 95 0 0 -228 0 -227 -153 -153 -152 -152 -208 0 -207 0 0 105 z M 0 -537 l 0 222 153 153 152 152 213 0 212 0 0 -100 0 -100 -265 0 -265 0 0 -275 0 -275 -100 0 -100 0 0 223 z " />
+  </g>
+</svg>
\ No newline at end of file
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 68fc232d70..4afe2aa3f8 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.28
+PLUGIN_VERSION=		1.29
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
index ea1ae3c641..7f614311e1 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/assets/stylesheets/main.scss
@@ -1,4 +1,5 @@
 @charset "UTF-8";
+
 .widgetdiv .content-box-head {
   background: #354248 !important;
   color: #FFF !important;
@@ -7,290 +8,350 @@
   padding-right: 1px !important;
   padding-left: 4px !important;
   min-height: 25px !important;
-  border: 1px solid #2f2f2f; }
+  border: 1px solid #2f2f2f;
 
-  .widgetdiv .content-box-head .btn-group .btn {
+  .btn-group .btn {
     color: #FFFFFF !important;
     background: none;
-    border: 0px; }
-    .widgetdiv .content-box-head .btn-group .btn .glyphicon {
-      color: #FFFFFF !important; }
-  .widgetdiv .content-box-head .list-inline li > h3 {
-    padding-top: 4px; }
+    border: 0px;
+
+    .glyphicon {
+      color: #FFFFFF !important;
+    }
+  }
+
+  .list-inline li > h3 {
+    padding-top: 4px;
+  }
+}
 
 @font-face {
   font-family: 'SourceSansProBold';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype"); }
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype");
+}
+
 @font-face {
   font-family: 'SourceSansProSemibold';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype"); }
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype");
+}
+
 @font-face {
   font-family: 'SourceSansProRegular';
-  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype"); }
+  src: url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/tukan/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype");
+}
 
 /*! normalize.css v3.0.1 | MIT License | git.io/normalize */
-table
-html {
+
+table html {
   font-family: sans-serif;
   -ms-text-size-adjust: 100%;
-  -webkit-text-size-adjust: 100%; }
+  -webkit-text-size-adjust: 100%;
+}
 
 body {
-  margin: 0; }
-
-article,
-aside,
-details,
-figcaption,
-figure,
-footer,
-header,
-hgroup,
-main,
-nav,
-section,
-summary {
-  display: block; }
-
-audio,
-canvas,
-progress,
-video {
+  margin: 0;
+}
+
+article, aside, details, figcaption, figure, footer, header, hgroup, main, nav, section, summary {
+  display: block;
+}
+
+audio, canvas, progress, video {
   display: inline-block;
-  vertical-align: baseline; }
+  vertical-align: baseline;
+}
 
 audio:not([controls]) {
   display: none;
-  height: 0; }
+  height: 0;
+}
 
-[hidden],
-template {
-  display: none; }
+[hidden], template {
+  display: none;
+}
 
 a {
   color: #D95E04;
   text-decoration: none;
   background: transparent;
-  outline: 0;  }
+  outline: 0;
 
-  a:link, a:active {
-	outline: 0; }
+  &:link, &:active {
+    outline: 0;
+  }
 
-  a:hover, a:focus {
+  &:hover, &:focus {
     color: #D95E04;
-    text-decoration: underline; }
+    text-decoration: underline;
+  }
+}
 
 abbr[title] {
-  border-bottom: 1px dotted; }
+  border-bottom: 1px dotted;
+}
 
-b,
-strong {
-  font-weight: bold; }
+b, strong {
+  font-weight: bold;
+}
 
 dfn {
-  font-style: italic; }
+  font-style: italic;
+}
 
 h1 {
   font-size: 8em;
-  margin: 0.67em 0; }
+  margin: 0.67em 0;
+}
 
 mark {
   background: #ff0;
-  color: #000; }
+  color: #000;
+}
 
 small {
-  font-size: 80%; }
+  font-size: 80%;
+}
 
-sub,
-sup {
+sub {
   font-size: 75%;
   line-height: 0;
   position: relative;
-  vertical-align: baseline; }
+  vertical-align: baseline;
+}
 
 sup {
-  top: -0.5em; }
+  font-size: 75%;
+  line-height: 0;
+  position: relative;
+  vertical-align: baseline;
+  top: -0.5em;
+}
 
 sub {
-  bottom: -0.25em; }
+  bottom: -0.25em;
+}
 
 img {
-  border: 0; }
+  border: 0;
+}
 
 svg:not(:root) {
-  overflow: hidden; }
+  overflow: hidden;
+}
 
 figure {
-  margin: 1em 40px; }
+  margin: 1em 40px;
+}
 
 hr {
   -moz-box-sizing: content-box;
   box-sizing: content-box;
-  height: 0; }
+  height: 0;
+}
 
 pre {
-  overflow: auto; }
+  overflow: auto;
+}
 
-code,
-kbd,
-pre,
-samp {
+code, kbd, pre, samp {
   font-family: monospace, monospace;
-  font-size: 1em; }
+  font-size: 1em;
+}
 
-button,
-input,
-optgroup,
-select,
-textarea {
+button, input, optgroup, select, textarea {
   color: inherit;
   font: inherit;
-  margin: 0; }
+  margin: 0;
+}
 
 button {
-  overflow: visible; }
+  overflow: visible;
+  text-transform: none;
+}
 
-button,
 select {
-  text-transform: none; }
+  text-transform: none;
+}
 
-button,
-html input[type="button"],
-input[type="reset"],
-input[type="submit"] {
+button, html input[type="button"] {
   -webkit-appearance: button;
-  cursor: pointer; }
+  cursor: pointer;
+}
 
-button[disabled],
-html input[disabled] {
-  cursor: default; }
+input {
+  &[type="reset"], &[type="submit"] {
+    -webkit-appearance: button;
+    cursor: pointer;
+  }
+}
+
+button[disabled], html input[disabled] {
+  cursor: default;
+}
 
-button::-moz-focus-inner,
-input::-moz-focus-inner {
+button::-moz-focus-inner {
   border: 0;
-  padding: 0; }
+  padding: 0;
+}
 
 input {
-  line-height: normal; }
-
-input[type="checkbox"],
-input[type="radio"] {
-  box-sizing: border-box;
-  padding: 0; }
+  &::-moz-focus-inner {
+    border: 0;
+    padding: 0;
+  }
 
-input[type="number"]::-webkit-inner-spin-button,
-input[type="number"]::-webkit-outer-spin-button {
-  height: auto; }
+  line-height: normal;
 
-input[type="search"] {
-  -webkit-appearance: textfield;
-  -moz-box-sizing: content-box;
-  -webkit-box-sizing: content-box;
-  box-sizing: content-box; }
+  &[type="checkbox"], &[type="radio"] {
+    box-sizing: border-box;
+    padding: 0;
+  }
 
-input[type="search"]::-webkit-search-cancel-button,
-input[type="search"]::-webkit-search-decoration {
-  -webkit-appearance: none; }
+  &[type="number"] {
+    &::-webkit-inner-spin-button, &::-webkit-outer-spin-button {
+      height: auto;
+    }
+  }
+
+  &[type="search"] {
+    -webkit-appearance: textfield;
+    -moz-box-sizing: content-box;
+    -webkit-box-sizing: content-box;
+    box-sizing: content-box;
+
+    &::-webkit-search-cancel-button, &::-webkit-search-decoration {
+      -webkit-appearance: none;
+    }
+  }
+}
 
 fieldset {
   border: 1px solid #c0c0c0;
   margin: 0 2px;
-  padding: 0.35em 0.625em 0.75em; }
+  padding: 0.35em 0.625em 0.75em;
+}
 
 legend {
   border: 0;
-  padding: 0; }
+  padding: 0;
+}
 
 textarea {
-  overflow: auto; }
+  overflow: auto;
+}
 
 optgroup {
-  font-weight: bold; }
+  font-weight: bold;
+}
 
 table {
   border-collapse: none;
   border-spacing: 0;
   color: #000;
   background-color: #fff;
-  width: 100%; }
+  width: 100%;
+}
 
-td,
-th {
-  padding: 0;  }
+td, th {
+  padding: 0;
+}
 
 @media print {
   * {
     text-shadow: none !important;
     color: #000 !important;
     background: transparent !important;
-    box-shadow: none !important; }
+    box-shadow: none !important;
+  }
 
-  a,
-  a:visited {
-    text-decoration: underline; }
+  a {
+    text-decoration: underline;
+
+    &:visited {
+      text-decoration: underline;
+    }
 
-  a[href]:after {
-    content: " (" attr(href) ")"; }
+    &[href]:after {
+      content: " (" attr(href) ")";
+    }
+  }
 
   abbr[title]:after {
-    content: " (" attr(title) ")"; }
+    content: " (" attr(title) ")";
+  }
 
-  a[href^="javascript:"]:after,
-  a[href^="#"]:after {
-    content: ""; }
+  a {
+    &[href^="javascript:"]:after, &[href^="#"]:after {
+      content: "";
+    }
+  }
 
-  pre,
-  blockquote {
+  pre, blockquote {
     border: 1px solid #999;
-    page-break-inside: avoid; }
+    page-break-inside: avoid;
+  }
 
   thead {
-    display: table-header-group; }
+    display: table-header-group;
+  }
 
-  tr,
-  img {
-    page-break-inside: avoid; }
+  tr {
+    page-break-inside: avoid;
+  }
 
   img {
-    max-width: 100% !important; }
+    page-break-inside: avoid;
+    max-width: 100% !important;
+  }
 
-  p,
-  h2,
-  h3 {
+  p, h2, h3 {
     orphans: 3;
-    widows: 3; }
+    widows: 3;
+  }
 
-  h2,
-  h3 {
-    page-break-after: avoid; }
+  h2, h3 {
+    page-break-after: avoid;
+  }
 
   select {
-    background: #fff !important; }
+    background: #fff !important;
+  }
 
   .navbar {
-    display: none; }
+    display: none;
+  }
 
-  .table td,
-  .table th {
-    background-color: #fff !important; }
+  .table {
+    td, th {
+      background-color: #fff !important;
+    }
+  }
 
-  .btn > .caret,
-  .dropup > .btn > .caret {
-    border-top-color: #000 !important; }
+  .btn > .caret, .dropup > .btn > .caret {
+    border-top-color: #000 !important;
+  }
 
   .label {
-    border: 1px solid #000; }
+    border: 1px solid #000;
+  }
 
   .table {
-    border-collapse: collapse !important; }
+    border-collapse: collapse !important;
+  }
+
+  .table-bordered {
+    th, td {
+      border: 1px solid #ddd !important;
+    }
+  }
+}
 
-  .table-bordered th,
-  .table-bordered td {
-    border: 1px solid #ddd !important; } }
 @font-face {
   font-family: 'Glyphicons Halflings';
   src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot");
-  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg"); }
+  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg");
+}
+
 .glyphicon {
   position: relative;
   top: 1px;
@@ -300,658 +361,863 @@ th {
   font-weight: normal;
   line-height: 1;
   -webkit-font-smoothing: antialiased;
-  -moz-osx-font-smoothing: grayscale; }
+  -moz-osx-font-smoothing: grayscale;
+}
 
 .glyphicon-asterisk:before {
-  content: "\2a"; }
+  content: "\2a";
+}
 
 .glyphicon-plus:before {
-  content: "\2b"; }
+  content: "\2b";
+}
 
 .glyphicon-euro:before {
-  content: "\20ac"; }
+  content: "\20ac";
+}
 
 .glyphicon-minus:before {
-  content: "\2212"; }
+  content: "\2212";
+}
 
 .glyphicon-cloud:before {
-  content: "\2601"; }
+  content: "\2601";
+}
 
 .glyphicon-envelope:before {
-  content: "\2709"; }
+  content: "\2709";
+}
 
 .glyphicon-pencil:before {
-  content: "\270f"; }
+  content: "\270f";
+}
 
 .glyphicon-glass:before {
-  content: "\e001"; }
+  content: "\e001";
+}
 
 .glyphicon-music:before {
-  content: "\e002"; }
+  content: "\e002";
+}
 
 .icon.glyphicon.input-group-addon.glyphicon-search:before, .glyphicon-search:before {
   content: "\e003";
-  color: #FFF !important; }
+  color: #FFF !important;
+}
 
 .glyphicon-heart:before {
-  content: "\e005"; }
+  content: "\e005";
+}
 
 .glyphicon-star:before {
-  content: "\e006"; }
+  content: "\e006";
+}
 
 .glyphicon-star-empty:before {
-  content: "\e007"; }
+  content: "\e007";
+}
 
 .glyphicon-user:before {
-  content: "\e008"; }
+  content: "\e008";
+}
 
 .glyphicon-film:before {
-  content: "\e009"; }
+  content: "\e009";
+}
 
 .glyphicon-th-large:before {
-  content: "\e010"; }
+  content: "\e010";
+}
 
 .glyphicon-th:before {
-  content: "\e011"; }
+  content: "\e011";
+}
 
 .glyphicon-th-list:before {
-  content: "\e012"; }
+  content: "\e012";
+}
 
 .glyphicon-ok:before {
-  content: "\e013"; }
+  content: "\e013";
+}
 
 .glyphicon-remove:before {
-  content: "\e014"; }
+  content: "\e014";
+}
 
 .glyphicon-zoom-in:before {
-  content: "\e015"; }
+  content: "\e015";
+}
 
 .glyphicon-zoom-out:before {
-  content: "\e016"; }
+  content: "\e016";
+}
 
 .glyphicon-off:before {
-  content: "\e017"; }
+  content: "\e017";
+}
 
 .glyphicon-signal:before {
-  content: "\e018"; }
+  content: "\e018";
+}
 
 .glyphicon-cog:before {
-  content: "\e019"; }
+  content: "\e019";
+}
 
 .glyphicon-trash:before {
-  content: "\e020"; }
+  content: "\e020";
+}
 
 .glyphicon-home:before {
-  content: "\e021"; }
+  content: "\e021";
+}
 
 .glyphicon-file:before {
-  content: "\e022"; }
+  content: "\e022";
+}
 
 .glyphicon-time:before {
-  content: "\e023"; }
+  content: "\e023";
+}
 
 .glyphicon-road:before {
-  content: "\e024"; }
+  content: "\e024";
+}
 
 .glyphicon-download-alt:before {
-  content: "\e025"; }
+  content: "\e025";
+}
 
 .glyphicon-download:before {
-  content: "\e026"; }
+  content: "\e026";
+}
 
 .glyphicon-upload:before {
-  content: "\e027"; }
+  content: "\e027";
+}
 
 .glyphicon-inbox:before {
-  content: "\e028"; }
+  content: "\e028";
+}
 
 .glyphicon-play-circle:before {
-  content: "\e029"; }
+  content: "\e029";
+}
 
 .glyphicon-repeat:before {
-  content: "\e030"; }
+  content: "\e030";
+}
 
 .glyphicon-refresh:before {
-  content: "\e031"; }
+  content: "\e031";
+}
 
 .glyphicon-list-alt:before {
-  content: "\e032"; }
+  content: "\e032";
+}
 
 .glyphicon-lock:before {
-  content: "\e033"; }
+  content: "\e033";
+}
 
 .glyphicon-flag:before {
-  content: "\e034"; }
+  content: "\e034";
+}
 
 .glyphicon-headphones:before {
-  content: "\e035"; }
+  content: "\e035";
+}
 
 .glyphicon-volume-off:before {
-  content: "\e036"; }
+  content: "\e036";
+}
 
 .glyphicon-volume-down:before {
-  content: "\e037"; }
+  content: "\e037";
+}
 
 .glyphicon-volume-up:before {
-  content: "\e038"; }
+  content: "\e038";
+}
 
 .glyphicon-qrcode:before {
-  content: "\e039"; }
+  content: "\e039";
+}
 
 .glyphicon-barcode:before {
-  content: "\e040"; }
+  content: "\e040";
+}
 
 .glyphicon-tag:before {
-  content: "\e041"; }
+  content: "\e041";
+}
 
 .glyphicon-tags:before {
-  content: "\e042"; }
+  content: "\e042";
+}
 
 .glyphicon-book:before {
-  content: "\e043"; }
+  content: "\e043";
+}
 
 .glyphicon-bookmark:before {
-  content: "\e044"; }
+  content: "\e044";
+}
 
 .glyphicon-print:before {
-  content: "\e045"; }
+  content: "\e045";
+}
 
 .glyphicon-camera:before {
-  content: "\e046"; }
+  content: "\e046";
+}
 
 .glyphicon-font:before {
-  content: "\e047"; }
+  content: "\e047";
+}
 
 .glyphicon-bold:before {
-  content: "\e048"; }
+  content: "\e048";
+}
 
 .glyphicon-italic:before {
-  content: "\e049"; }
+  content: "\e049";
+}
 
 .glyphicon-text-height:before {
-  content: "\e050"; }
+  content: "\e050";
+}
 
 .glyphicon-text-width:before {
-  content: "\e051"; }
+  content: "\e051";
+}
 
 .glyphicon-align-left:before {
-  content: "\e052"; }
+  content: "\e052";
+}
 
 .glyphicon-align-center:before {
-  content: "\e053"; }
+  content: "\e053";
+}
 
 .glyphicon-align-right:before {
-  content: "\e054"; }
+  content: "\e054";
+}
 
 .glyphicon-align-justify:before {
-  content: "\e055"; }
+  content: "\e055";
+}
 
 .glyphicon-list:before {
-  content: "\e056"; }
+  content: "\e056";
+}
 
 .glyphicon-indent-left:before {
-  content: "\e057"; }
+  content: "\e057";
+}
 
 .glyphicon-indent-right:before {
-  content: "\e058"; }
+  content: "\e058";
+}
 
 .glyphicon-facetime-video:before {
-  content: "\e059"; }
+  content: "\e059";
+}
 
 .glyphicon-picture:before {
-  content: "\e060"; }
+  content: "\e060";
+}
 
 .glyphicon-map-marker:before {
-  content: "\e062"; }
+  content: "\e062";
+}
 
 .glyphicon-adjust:before {
-  content: "\e063"; }
+  content: "\e063";
+}
 
 .glyphicon-tint:before {
-  color:#3F0;
-  content: "\e064"; }
+  color: #3F0;
+  content: "\e064";
+}
 
 .glyphicon-edit:before {
-  content: "\e065"; }
+  content: "\e065";
+}
 
 .glyphicon-share:before {
-  content: "\e066"; }
+  content: "\e066";
+}
 
 .glyphicon-check:before {
-  content: "\e067"; }
+  content: "\e067";
+}
 
 .glyphicon-move:before {
-  content: "\e068"; }
+  content: "\e068";
+}
 
 .glyphicon-step-backward:before {
-  content: "\e069"; }
+  content: "\e069";
+}
 
 .glyphicon-fast-backward:before {
-  content: "\e070"; }
+  content: "\e070";
+}
 
 .glyphicon-backward:before {
-  content: "\e071"; }
+  content: "\e071";
+}
 
 .glyphicon-play:before {
-  content: "\e072"; }
+  content: "\e072";
+}
 
 .glyphicon-pause:before {
-  content: "\e073"; }
+  content: "\e073";
+}
 
 .glyphicon-stop:before {
-  content: "\e074"; }
+  content: "\e074";
+}
 
 .glyphicon-forward:before {
-  content: "\e075"; }
+  content: "\e075";
+}
 
 .glyphicon-fast-forward:before {
-  content: "\e076"; }
+  content: "\e076";
+}
 
 .glyphicon-step-forward:before {
-  content: "\e077"; }
+  content: "\e077";
+}
 
 .glyphicon-eject:before {
-  content: "\e078"; }
+  content: "\e078";
+}
 
 .glyphicon-chevron-left:before {
-  content: "\e079"; }
+  content: "\e079";
+}
 
 .glyphicon-chevron-right:before {
-  content: "\e080"; }
+  content: "\e080";
+}
 
 .glyphicon-plus-sign:before {
-  content: "\e081"; }
+  content: "\e081";
+}
 
 .glyphicon-minus-sign:before {
-  content: "\e082"; }
+  content: "\e082";
+}
 
 .glyphicon-remove-sign:before {
-  content: "\e083"; }
+  content: "\e083";
+}
 
 .glyphicon-ok-sign:before {
-  content: "\e084"; }
+  content: "\e084";
+}
 
 .glyphicon-question-sign:before {
-  content: "\e085"; }
+  content: "\e085";
+}
 
 .glyphicon-info-sign:before {
-  content: "\e086"; }
+  content: "\e086";
+}
 
 .glyphicon-screenshot:before {
-  content: "\e087"; }
+  content: "\e087";
+}
 
 .glyphicon-remove-circle:before {
-  content: "\e088"; }
+  content: "\e088";
+}
 
 .glyphicon-ok-circle:before {
-  content: "\e089"; }
+  content: "\e089";
+}
 
 .glyphicon-ban-circle:before {
-  content: "\e090"; }
+  content: "\e090";
+}
 
 .glyphicon-arrow-left:before {
-  content: "\e091"; }
+  content: "\e091";
+}
 
 .glyphicon-arrow-right:before {
-  content: "\e092"; }
+  content: "\e092";
+}
 
 .glyphicon-arrow-up:before {
   content: "\e093";
-  color: #4FB654 !important; }
+  color: #4FB654 !important;
+}
 
 .glyphicon-arrow-down:before {
   content: "\e094";
-  color: #FF5E3B !important; }
+  color: #FF5E3B !important;
+}
 
 .glyphicon-share-alt:before {
-  content: "\e095"; }
+  content: "\e095";
+}
 
 .glyphicon-resize-full:before {
-  content: "\e096"; }
+  content: "\e096";
+}
 
 .glyphicon-resize-small:before {
-  content: "\e097"; }
+  content: "\e097";
+}
 
 .glyphicon-exclamation-sign:before {
-  content: "\e101"; }
+  content: "\e101";
+}
 
 .glyphicon-gift:before {
-  content: "\e102"; }
+  content: "\e102";
+}
 
 .glyphicon-leaf:before {
-  content: "\e103"; }
+  content: "\e103";
+}
 
 .glyphicon-fire:before {
-  content: "\e104"; }
+  content: "\e104";
+}
 
 .glyphicon-eye-open:before {
-  content: "\e105"; }
+  content: "\e105";
+}
 
 .glyphicon-eye-close:before {
-  content: "\e106"; }
+  content: "\e106";
+}
 
 .glyphicon-warning-sign:before {
-  content: "\e107"; }
+  content: "\e107";
+}
 
 .glyphicon-plane:before {
-  content: "\e108"; }
+  content: "\e108";
+}
 
 .glyphicon-calendar:before {
-  content: "\e109"; }
+  content: "\e109";
+}
 
 .glyphicon-random:before {
-  content: "\e110"; }
+  content: "\e110";
+}
 
 .glyphicon-comment:before {
-  content: "\e111"; }
+  content: "\e111";
+}
 
 .glyphicon-magnet:before {
-  content: "\e112"; }
+  content: "\e112";
+}
 
 .glyphicon-chevron-up:before {
-  content: "\e113"; }
+  content: "\e113";
+}
 
 .glyphicon-chevron-down:before {
-  content: "\e114"; }
+  content: "\e114";
+}
 
 .glyphicon-retweet:before {
-  content: "\e115"; }
+  content: "\e115";
+}
 
 .glyphicon-shopping-cart:before {
-  content: "\e116"; }
+  content: "\e116";
+}
 
 .glyphicon-folder-close:before {
-  content: "\e117"; }
+  content: "\e117";
+}
 
 .glyphicon-folder-open:before {
-  content: "\e118"; }
+  content: "\e118";
+}
 
 .glyphicon-resize-vertical:before {
-  content: "\e119"; }
+  content: "\e119";
+}
 
 .glyphicon-resize-horizontal:before {
-  content: "\e120"; }
+  content: "\e120";
+}
 
 .glyphicon-hdd:before {
-  content: "\e121"; }
+  content: "\e121";
+}
 
 .glyphicon-bullhorn:before {
-  content: "\e122"; }
+  content: "\e122";
+}
 
 .glyphicon-bell:before {
-  content: "\e123"; }
+  content: "\e123";
+}
 
 .glyphicon-certificate:before {
-  content: "\e124"; }
+  content: "\e124";
+}
 
 .glyphicon-thumbs-up:before {
-  content: "\e125"; }
+  content: "\e125";
+}
 
 .glyphicon-thumbs-down:before {
-  content: "\e126"; }
+  content: "\e126";
+}
 
 .glyphicon-hand-right:before {
-  content: "\e127"; }
+  content: "\e127";
+}
 
 .glyphicon-hand-left:before {
-  content: "\e128"; }
+  content: "\e128";
+}
 
 .glyphicon-hand-up:before {
-  content: "\e129"; }
+  content: "\e129";
+}
 
 .glyphicon-hand-down:before {
-  content: "\e130"; }
+  content: "\e130";
+}
 
 .glyphicon-circle-arrow-right:before {
-  content: "\e131"; }
+  content: "\e131";
+}
 
 .glyphicon-circle-arrow-left:before {
-  content: "\e132"; }
+  content: "\e132";
+}
 
 .glyphicon-circle-arrow-up:before {
-  content: "\e133"; }
+  content: "\e133";
+}
 
 .glyphicon-circle-arrow-down:before {
-  content: "\e134"; }
+  content: "\e134";
+}
 
 .glyphicon-globe:before {
-  content: "\e135"; }
+  content: "\e135";
+}
 
 .glyphicon-wrench:before {
-  content: "\e136"; }
+  content: "\e136";
+}
 
 .glyphicon-tasks:before {
-  content: "\e137"; }
+  content: "\e137";
+}
 
 .glyphicon-filter:before {
-  content: "\e138"; }
+  content: "\e138";
+}
 
 .glyphicon-briefcase:before {
-  content: "\e139"; }
+  content: "\e139";
+}
 
 .glyphicon-fullscreen:before {
-  content: "\e140"; }
+  content: "\e140";
+}
 
 .glyphicon-dashboard:before {
-  content: "\e141"; }
+  content: "\e141";
+}
 
 .glyphicon-paperclip:before {
-  content: "\e142"; }
+  content: "\e142";
+}
 
 .glyphicon-heart-empty:before {
-  content: "\e143"; }
+  content: "\e143";
+}
 
 .glyphicon-link:before {
-  content: "\e144"; }
+  content: "\e144";
+}
 
 .glyphicon-phone:before {
-  content: "\e145"; }
+  content: "\e145";
+}
 
 .glyphicon-pushpin:before {
-  content: "\e146"; }
+  content: "\e146";
+}
 
 .glyphicon-usd:before {
-  content: "\e148"; }
+  content: "\e148";
+}
 
 .glyphicon-gbp:before {
-  content: "\e149"; }
+  content: "\e149";
+}
 
 .glyphicon-sort:before {
-  content: "\e150"; }
+  content: "\e150";
+}
 
 .glyphicon-sort-by-alphabet:before {
-  content: "\e151"; }
+  content: "\e151";
+}
 
 .glyphicon-sort-by-alphabet-alt:before {
-  content: "\e152"; }
+  content: "\e152";
+}
 
 .glyphicon-sort-by-order:before {
-  content: "\e153"; }
+  content: "\e153";
+}
 
 .glyphicon-sort-by-order-alt:before {
-  content: "\e154"; }
+  content: "\e154";
+}
 
 .glyphicon-sort-by-attributes:before {
-  content: "\e155"; }
+  content: "\e155";
+}
 
 .glyphicon-sort-by-attributes-alt:before {
-  content: "\e156"; }
+  content: "\e156";
+}
 
 .glyphicon-unchecked:before {
-  content: "\e157"; }
+  content: "\e157";
+}
 
 .glyphicon-expand:before {
-  content: "\e158"; }
+  content: "\e158";
+}
 
 .glyphicon-collapse-down:before {
-  content: "\e159"; }
+  content: "\e159";
+}
 
 .glyphicon-collapse-up:before {
-  content: "\e160"; }
+  content: "\e160";
+}
 
 .glyphicon-log-in:before {
-  content: "\e161"; }
+  content: "\e161";
+}
 
 .glyphicon-flash:before {
-  content: "\e162"; }
+  content: "\e162";
+}
 
 .glyphicon-log-out:before {
-  content: "\e163"; }
+  content: "\e163";
+}
 
 .glyphicon-new-window:before {
-  content: "\e164"; }
+  content: "\e164";
+}
 
 .glyphicon-record:before {
-  content: "\e165"; }
+  content: "\e165";
+}
 
 .glyphicon-save:before {
-  content: "\e166"; }
+  content: "\e166";
+}
 
 .glyphicon-open:before {
-  content: "\e167"; }
+  content: "\e167";
+}
 
 .glyphicon-saved:before {
-  content: "\e168"; }
+  content: "\e168";
+}
 
 .glyphicon-import:before {
-  content: "\e169"; }
+  content: "\e169";
+}
 
 .glyphicon-export:before {
-  content: "\e170"; }
+  content: "\e170";
+}
 
 .glyphicon-send:before {
-  content: "\e171"; }
+  content: "\e171";
+}
 
 .glyphicon-floppy-disk:before {
-  content: "\e172"; }
+  content: "\e172";
+}
 
 .glyphicon-floppy-saved:before {
-  content: "\e173"; }
+  content: "\e173";
+}
 
 .glyphicon-floppy-remove:before {
-  content: "\e174"; }
+  content: "\e174";
+}
 
 .glyphicon-floppy-save:before {
-  content: "\e175"; }
+  content: "\e175";
+}
 
 .glyphicon-floppy-open:before {
-  content: "\e176"; }
+  content: "\e176";
+}
 
 .glyphicon-credit-card:before {
-  content: "\e177"; }
+  content: "\e177";
+}
 
 .glyphicon-transfer:before {
   content: "\e178";
-  color:#4FB654 !important; }
+  color: #4FB654 !important;
+}
 
 .glyphicon-cutlery:before {
-  content: "\e179"; }
+  content: "\e179";
+}
 
 .glyphicon-header:before {
-  content: "\e180"; }
+  content: "\e180";
+}
 
 .glyphicon-compressed:before {
-  content: "\e181"; }
+  content: "\e181";
+}
 
 .glyphicon-earphone:before {
-  content: "\e182"; }
+  content: "\e182";
+}
 
 .glyphicon-phone-alt:before {
-  content: "\e183"; }
+  content: "\e183";
+}
 
 .glyphicon-tower:before {
-  content: "\e184"; }
+  content: "\e184";
+}
 
 .glyphicon-stats:before {
-  content: "\e185"; }
+  content: "\e185";
+}
 
 .glyphicon-sd-video:before {
-  content: "\e186"; }
+  content: "\e186";
+}
 
 .glyphicon-hd-video:before {
-  content: "\e187"; }
+  content: "\e187";
+}
 
 .glyphicon-subtitles:before {
-  content: "\e188"; }
+  content: "\e188";
+}
 
 .glyphicon-sound-stereo:before {
-  content: "\e189"; }
+  content: "\e189";
+}
 
 .glyphicon-sound-dolby:before {
-  content: "\e190"; }
+  content: "\e190";
+}
 
 .glyphicon-sound-5-1:before {
-  content: "\e191"; }
+  content: "\e191";
+}
 
 .glyphicon-sound-6-1:before {
-  content: "\e192"; }
+  content: "\e192";
+}
 
 .glyphicon-sound-7-1:before {
-  content: "\e193"; }
+  content: "\e193";
+}
 
 .glyphicon-copyright-mark:before {
-  content: "\e194"; }
+  content: "\e194";
+}
 
 .glyphicon-registration-mark:before {
-  content: "\e195"; }
+  content: "\e195";
+}
 
 .glyphicon-cloud-download:before {
-  content: "\e197"; }
+  content: "\e197";
+}
 
 .glyphicon-cloud-upload:before {
-  content: "\e198"; }
+  content: "\e198";
+}
 
 .glyphicon-tree-conifer:before {
-  content: "\e199"; }
+  content: "\e199";
+}
 
 .glyphicon-tree-deciduous:before {
-  content: "\e200"; }
+  content: "\e200";
+}
 
 * {
   -webkit-box-sizing: border-box;
   -moz-box-sizing: border-box;
   box-sizing: border-box;
-  text-decoration:none;}
+  text-decoration: none;
 
-*:before,
-*:after {
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box; }
+  &:before, &:after {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
+  }
+}
 
 html {
   font-size: 10px;
-  -webkit-tap-highlight-color: transparent; }
+  -webkit-tap-highlight-color: transparent;
+}
 
 body {
   font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
-  font-size:14px;
+  font-size: 14px;
   line-height: 1.428571429;
   color: #000;
 }
 
-input,
-button,
-select,
-textarea {
+input, button, select, textarea {
   font-family: inherit;
   font-size: inherit;
-  line-height: inherit; }
+  line-height: inherit;
+}
 
 figure {
-  margin: 0; }
+  margin: 0;
+}
 
 img {
-  vertical-align: middle; }
+  vertical-align: middle;
+}
 
 .img-responsive {
   display: block;
   width: 100% \9;
   max-width: 100%;
-  height: auto; }
+  height: auto;
+}
 
 .img-rounded {
-  border-radius: 6px; }
+  border-radius: 6px;
+}
 
 .img-thumbnail {
   padding: 4px;
@@ -965,16 +1231,19 @@ img {
   display: inline-block;
   width: 100% \9;
   max-width: 100%;
-  height: auto; }
+  height: auto;
+}
 
 .img-circle {
-  border-radius: 50%; }
+  border-radius: 50%;
+}
 
 hr {
   margin-top: 20px;
   margin-bottom: 20px;
   border: 0;
-  border-top: 1px solid #eeeeee; }
+  border-top: 1px solid #eeeeee;
+}
 
 .sr-only {
   position: absolute;
@@ -984,338 +1253,557 @@ hr {
   padding: 0;
   overflow: hidden;
   clip: rect(0, 0, 0, 0);
-  border: 0; }
-
-.sr-only-focusable:active, .sr-only-focusable:focus {
-  position: static;
-  width: auto;
-  height: auto;
-  margin: 0;
-  overflow: visible;
-  clip: auto; }
+  border: 0;
+}
 
+.sr-only-focusable {
+  &:active, &:focus {
+    position: static;
+    width: auto;
+    height: auto;
+    margin: 0;
+    overflow: visible;
+    clip: auto;
+  }
+}
 
-h1, h2, h3, h4, h5, h6,
-.h1, .h2, .h3, .h4, .h5, .h6 {
+h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
   font-weight: 100;
   line-height: 1.4;
-  color: inherit; }
-  h1 small,
-  h1 .small, h2 small,
-  h2 .small, h3 small,
-  h3 .small, h4 small,
-  h4 .small, h5 small,
-  h5 .small, h6 small,
-  h6 .small,
-  .h1 small,
-  .h1 .small, .h2 small,
-  .h2 .small, .h3 small,
-  .h3 .small, .h4 small,
-  .h4 .small, .h5 small,
-  .h5 .small, .h6 small,
-  .h6 .small {
+  color: inherit;
+}
+
+h1 {
+  small, .small {
     font-weight: normal;
     line-height: 1;
-    color: #b6b6b6; }
+    color: #b6b6b6;
+  }
+}
 
-h1, .h1,
-h2, .h2,
-h3, .h3 {
+h2 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h3 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h4 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h5 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h6 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h1 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h2 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h3 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h4 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h5 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+.h6 {
+  small, .small {
+    font-weight: normal;
+    line-height: 1;
+    color: #b6b6b6;
+  }
+}
+
+h1, .h1, h2, .h2, h3, .h3 {
   margin-top: 20px;
-  margin-bottom: 10px; }
-  h1 small,
-  h1 .small, .h1 small,
-  .h1 .small,
-  h2 small,
-  h2 .small, .h2 small,
-  .h2 .small,
-  h3 small,
-  h3 .small, .h3 small,
-  .h3 .small {
-    font-size: 65%; }
-
-h4, .h4,
-h5, .h5,
-h6, .h6 {
+  margin-bottom: 10px;
+}
+
+h1 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+.h1 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+h2 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+.h2 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+h3 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+.h3 {
+  small, .small {
+    font-size: 65%;
+  }
+}
+
+h4, .h4, h5, .h5, h6, .h6 {
   margin-top: 10px;
-  margin-bottom: 10px; }
-  h4 small,
-  h4 .small, .h4 small,
-  .h4 .small,
-  h5 small,
-  h5 .small, .h5 small,
-  .h5 .small,
-  h6 small,
-  h6 .small, .h6 small,
-  .h6 .small {
-    font-size: 75%; }
+  margin-bottom: 10px;
+}
+
+h4 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+.h4 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+h5 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+.h5 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+h6 {
+  small, .small {
+    font-size: 75%;
+  }
+}
+
+.h6 {
+  small, .small {
+    font-size: 75%;
+  }
+}
 
 h1, .h1 {
   font-size: 24px;
-  font-weight: bold;  }
+  font-weight: bold;
+}
 
 h2, .h2 {
-  font-size: 16px; }
+  font-size: 16px;
+}
 
 h3, .h3 {
-  font-size:14px; }
+  font-size: 14px;
+}
 
 h4, .h4 {
-  font-size: 18px; }
+  font-size: 18px;
+}
 
 h5, .h5 {
-  font-size:14px; }
+  font-size: 14px;
+}
 
 h6, .h6 {
-  font-size:12px; }
+  font-size: 12px;
+}
 
 p {
-  margin: 0 0 10px; }
+  margin: 0 0 10px;
+}
 
 .lead {
   margin-bottom: 20px;
   font-size: 16px;
   font-weight: 300;
-  line-height: 1.4; }
-  @media (min-width: 768px) {
-    .lead {
-      font-size: 21px; } }
+  line-height: 1.4;
+}
 
-small,
-.small {
-  font-size: 85%; }
+@media (min-width: 768px) {
+  .lead {
+    font-size: 21px;
+  }
+}
+
+small, .small {
+  font-size: 85%;
+}
 
 cite {
-  font-style: normal; }
+  font-style: normal;
+}
 
-mark,
-.mark {
+mark, .mark {
   background-color: #fcf8e3;
-  padding: .2em; }
+  padding: .2em;
+}
 
 .text-left {
-  text-align: left; }
+  text-align: left;
+}
 
 .text-right {
-  text-align: right; }
+  text-align: right;
+}
 
 .text-center {
-  text-align: center; }
+  text-align: center;
+}
 
 .text-justify {
-  text-align: justify; }
+  text-align: justify;
+}
 
 .text-nowrap {
-  white-space: nowrap; }
+  white-space: nowrap;
+}
 
 .text-lowercase {
-  text-transform: lowercase; }
+  text-transform: lowercase;
+}
 
 .text-uppercase {
-  text-transform: uppercase; }
+  text-transform: uppercase;
+}
 
 .text-capitalize {
-  text-transform: capitalize; }
+  text-transform: capitalize;
+}
 
 .text-muted {
-  color: inherit; }
+  color: inherit;
+}
 
 .text-primary {
-  color: #FF8B00; }
+  color: #FF8B00;
+}
 
 a.text-primary:hover {
-  color: #b85904; }
+  color: #b85904;
+}
 
 .text-success {
-  color: #4FB654; }
+  color: #4FB654;
+}
 
 a.text-success:hover {
-  color: #7fc54f; }
+  color: #7fc54f;
+}
 
 .text-info {
-  color: #ff6e05; }
+  color: #ff6e05;
+}
 
 a.text-info:hover {
-  color: #245269; }
+  color: #245269;
+}
 
 .text-warning {
-  color: #f0ad4e; }
+  color: #f0ad4e;
+}
 
 a.text-warning:hover {
-  color: #ec971f; }
+  color: #ec971f;
+}
 
 .text-danger {
-  color: #CB4326; }
+  color: #CB4326;
+}
 
 a.text-danger:hover {
-  color: #D8482A; }
-
-.bg-primary {
-  color: #fff; }
+  color: #D8482A;
+}
 
 .bg-primary {
-  background-color: #FF8B00; }
+  color: #fff;
+  background-color: #FF8B00;
+}
 
 a.bg-primary:hover {
-  background-color: #b85904; }
+  background-color: #b85904;
+}
 
 .bg-success {
-  background-color: #9BD275; }
+  background-color: #9BD275;
+}
 
 a.bg-success:hover {
-  background-color: #7fc54f; }
+  background-color: #7fc54f;
+}
 
 .bg-info {
-  background-color: #d9edf7; }
+  background-color: #d9edf7;
+}
 
 a.bg-info:hover {
-  background-color: #afd9ee; }
+  background-color: #afd9ee;
+}
 
 .bg-warning {
-  background-color: #fcf8e3; }
+  background-color: #fcf8e3;
+}
 
 a.bg-warning:hover {
-  background-color: #f7ecb5; }
+  background-color: #f7ecb5;
+}
 
 .bg-danger {
-  background-color: #F05050; }
+  background-color: #F05050;
+}
 
 a.bg-danger:hover {
-  background-color: #ec2121; }
+  background-color: #ec2121;
+}
 
 fa.fa-long-arrow-right {
-  color: #d951ff !important; }
+  color: #d951ff !important;
+}
 
 .page-header {
   padding-bottom: 9px;
   margin: 40px 0 20px;
-  border-bottom: 1px solid #eeeeee; }
+  border-bottom: 1px solid #eeeeee;
+}
 
-ul,
-ol {
+ul, ol {
   margin-top: 0;
-  margin-bottom: 10px; }
-  ul ul,
-  ul ol,
-  ol ul,
-  ol ol {
-    margin-bottom: 0; }
-
-.list-unstyled, .list-inline {
+  margin-bottom: 10px;
+}
+
+ul {
+  ul, ol {
+    margin-bottom: 0;
+  }
+}
+
+ol {
+  ul, ol {
+    margin-bottom: 0;
+  }
+}
+
+.list-unstyled {
   padding-left: 0;
-  list-style: none; }
+  list-style: none;
+}
 
 .list-inline {
-  margin-left: -5px; }
-  .list-inline > li {
+  padding-left: 0;
+  list-style: none;
+  margin-left: -5px;
+
+  > li {
     float: left;
     padding-left: 5px;
-    padding-right: 5px; }
+    padding-right: 5px;
+  }
+}
 
 dl {
   margin-top: 0;
-  margin-bottom: 20px; }
+  margin-bottom: 20px;
+}
 
-dt,
-dd {
-  line-height: 1.428571429; }
+dt, dd {
+  line-height: 1.428571429;
+}
 
 dt {
-  font-weight: bold; }
+  font-weight: bold;
+}
 
 dd {
-  margin-left: 0; }
+  margin-left: 0;
+}
 
-.dl-horizontal dd:before, .dl-horizontal dd:after {
-  content: " ";
-  display: table; }
-.dl-horizontal dd:after {
-  clear: both; }
-@media (min-width: 768px) {
-  .dl-horizontal dt {
-    float: left;
-    width: 160px;
-    clear: left;
-    text-align: right;
-    overflow: hidden;
-    text-overflow: ellipsis;
-    white-space: nowrap; }
-  .dl-horizontal dd {
-    margin-left: 180px; } }
+.dl-horizontal dd {
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+}
 
-abbr[title],
-abbr[data-original-title] {
-  cursor: help;
-  border-bottom: 1px dotted #777777; }
+@media (min-width: 768px) {
+  .dl-horizontal {
+    dt {
+      float: left;
+      width: 160px;
+      clear: left;
+      text-align: right;
+      overflow: hidden;
+      text-overflow: ellipsis;
+      white-space: nowrap;
+    }
+
+    dd {
+      margin-left: 180px;
+    }
+  }
+}
+
+abbr {
+  &[title], &[data-original-title] {
+    cursor: help;
+    border-bottom: 1px dotted #777777;
+  }
+}
 
 .initialism {
   font-size: 90%;
-  text-transform: uppercase; }
+  text-transform: uppercase;
+}
 
 blockquote {
   padding: 10px 20px;
   margin: 0 0 20px;
   font-size: 17.5px;
-  border-left: 5px solid #eeeeee; }
-  blockquote p:last-child,
-  blockquote ul:last-child,
-  blockquote ol:last-child {
-    margin-bottom: 0; }
-  blockquote footer,
-  blockquote small,
-  blockquote .small {
+  border-left: 5px solid #eeeeee;
+
+  p:last-child, ul:last-child, ol:last-child {
+    margin-bottom: 0;
+  }
+
+  footer, small, .small {
     display: block;
     font-size: 80%;
     line-height: 1.428571429;
-    color: #777777; }
-    blockquote footer:before,
-    blockquote small:before,
-    blockquote .small:before {
-      content: '\2014 \00A0'; }
+    color: #777777;
+  }
 
-.blockquote-reverse,
-blockquote.pull-right {
+  footer:before, small:before, .small:before {
+    content: '\2014 \00A0';
+  }
+}
+
+.blockquote-reverse, blockquote.pull-right {
   padding-right: 15px;
   padding-left: 0;
   border-right: 5px solid #eeeeee;
   border-left: 0;
-  text-align: right; }
-  .blockquote-reverse footer:before,
-  .blockquote-reverse small:before,
-  .blockquote-reverse .small:before,
-  blockquote.pull-right footer:before,
-  blockquote.pull-right small:before,
-  blockquote.pull-right .small:before {
-    content: ''; }
-  .blockquote-reverse footer:after,
-  .blockquote-reverse small:after,
-  .blockquote-reverse .small:after,
-  blockquote.pull-right footer:after,
-  blockquote.pull-right small:after,
-  blockquote.pull-right .small:after {
-    content: '\00A0 \2014'; }
-
-blockquote:before,
-blockquote:after {
-  content: ""; }
+  text-align: right;
+}
+
+.blockquote-reverse {
+  footer:before, small:before, .small:before {
+    content: '';
+  }
+}
+
+blockquote.pull-right {
+  footer:before, small:before, .small:before {
+    content: '';
+  }
+}
+
+.blockquote-reverse {
+  footer:after, small:after, .small:after {
+    content: '\00A0 \2014';
+  }
+}
+
+blockquote {
+  &.pull-right {
+    footer:after, small:after, .small:after {
+      content: '\00A0 \2014';
+    }
+  }
+
+  &:before, &:after {
+    content: "";
+  }
+}
 
 address {
   margin-bottom: 20px;
   font-style: normal;
-  line-height: 1.428571429; }
+  line-height: 1.428571429;
+}
 
-code,
-kbd,
-pre,
-samp {
-  font-family: Menlo, Monaco, Consolas, "Courier New", monospace; }
+code, kbd, pre, samp {
+  font-family: Menlo, Monaco, Consolas, "Courier New", monospace;
+}
 
 code {
   padding: 2px 4px;
   font-size: 90%;
   color: #c7254e;
   background-color: #f9f2f4;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 kbd {
   padding: 2px 4px;
@@ -1323,11 +1811,14 @@ kbd {
   color: #fff;
   background-color: #2d2d2d;
   border-radius: 3px;
-  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25); }
-  kbd kbd {
+  box-shadow: inset 0 -1px 0 rgba(0, 0, 0, 0.25);
+
+  kbd {
     padding: 0;
     font-size: 100%;
-    box-shadow: none; }
+    box-shadow: none;
+  }
+}
 
 pre {
   display: block;
@@ -1340,846 +1831,1360 @@ pre {
   color: #000;
   background-color: inherit;
   border: inherit;
-  border-radius: 3px; }
-  pre code {
+  border-radius: 3px;
+
+  code {
     padding: 0;
     font-size: inherit;
     color: inherit;
     white-space: pre-wrap;
     background-color: transparent;
-    border-radius: 0; }
+    border-radius: 0;
+  }
+}
 
 .pre-scrollable {
   max-height: 340px;
-  overflow-y: scroll; }
+  overflow-y: scroll;
+}
 
-.container {
+.container, .container-fluid {
   margin-right: auto;
   margin-left: auto;
   padding-left: 20px;
-  padding-right: 20px; }
-  .container:before, .container:after {
+  padding-right: 20px;
+
+  &:before {
     content: " ";
-    display: table; }
-  .container:after {
-    clear: both; }
-  @media (min-width: 768px) {
-    .container {
-      width: 760px; } }
-  @media (min-width: 992px) {
-    .container {
-      width: 980px; } }
-  @media (min-width: 1200px) {
-    .container {
-      width: 1180px; } }
-
-.container-fluid {
-  margin-right: auto;
-  margin-left: auto;
-  padding-left: 20px;
-  padding-right: 20px; }
-  .container-fluid:before, .container-fluid:after {
+    display: table;
+  }
+
+  &:after {
     content: " ";
-    display: table; }
-  .container-fluid:after {
-    clear: both; }
+    display: table;
+    clear: both;
+  }
+}
+
+@media (min-width: 768px) {
+  .container {
+    width: 760px;
+  }
+}
+
+@media (min-width: 992px) {
+  .container {
+    width: 980px;
+  }
+}
+
+@media (min-width: 1200px) {
+  .container {
+    width: 1180px;
+  }
+}
 
 .row {
   margin-left: -20px;
-  margin-right: -20px; }
-  .row:before, .row:after {
+  margin-right: -20px;
+
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
     content: " ";
-    display: table; }
-  .row:after {
-    clear: both; }
+    display: table;
+    clear: both;
+  }
+}
 
 .col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 {
   position: relative;
   min-height: 1px;
   padding-left: 20px;
-  padding-right: 20px; }
+  padding-right: 20px;
+}
 
 .col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 {
-  float: left; }
+  float: left;
+}
 
 .col-xs-1 {
-  width: 8.33333%; }
+  width: 8.33333%;
+}
 
 .col-xs-2 {
-  width: 16.66667%; }
+  width: 16.66667%;
+}
 
 .col-xs-3 {
-  width: 25%; }
+  width: 25%;
+}
 
 .col-xs-4 {
-  width: 33.33333%; }
+  width: 33.33333%;
+}
 
 .col-xs-5 {
-  width: 41.66667%; }
+  width: 41.66667%;
+}
 
 .col-xs-6 {
-  width: 50%; }
+  width: 50%;
+}
 
 .col-xs-7 {
-  width: 58.33333%; }
+  width: 58.33333%;
+}
 
 .col-xs-8 {
-  width: 66.66667%; }
+  width: 66.66667%;
+}
 
 .col-xs-9 {
-  width: 75%; }
+  width: 75%;
+}
 
 .col-xs-10 {
-  width: 83.33333%; }
+  width: 83.33333%;
+}
 
 .col-xs-11 {
-  width: 91.66667%; }
+  width: 91.66667%;
+}
 
 .col-xs-12 {
-  width: 100%; }
+  width: 100%;
+}
 
 .col-xs-pull-0 {
-  right: auto; }
+  right: auto;
+}
 
 .col-xs-pull-1 {
-  right: 8.33333%; }
+  right: 8.33333%;
+}
 
 .col-xs-pull-2 {
-  right: 16.66667%; }
+  right: 16.66667%;
+}
 
 .col-xs-pull-3 {
-  right: 25%; }
+  right: 25%;
+}
 
 .col-xs-pull-4 {
-  right: 33.33333%; }
+  right: 33.33333%;
+}
 
 .col-xs-pull-5 {
-  right: 41.66667%; }
+  right: 41.66667%;
+}
 
 .col-xs-pull-6 {
-  right: 50%; }
+  right: 50%;
+}
 
 .col-xs-pull-7 {
-  right: 58.33333%; }
+  right: 58.33333%;
+}
 
 .col-xs-pull-8 {
-  right: 66.66667%; }
+  right: 66.66667%;
+}
 
 .col-xs-pull-9 {
-  right: 75%; }
+  right: 75%;
+}
 
 .col-xs-pull-10 {
-  right: 83.33333%; }
+  right: 83.33333%;
+}
 
 .col-xs-pull-11 {
-  right: 91.66667%; }
+  right: 91.66667%;
+}
 
 .col-xs-pull-12 {
-  right: 100%; }
+  right: 100%;
+}
 
 .col-xs-push-0 {
-  left: auto; }
+  left: auto;
+}
 
 .col-xs-push-1 {
-  left: 8.33333%; }
+  left: 8.33333%;
+}
 
 .col-xs-push-2 {
-  left: 16.66667%; }
+  left: 16.66667%;
+}
 
 .col-xs-push-3 {
-  left: 25%; }
+  left: 25%;
+}
 
 .col-xs-push-4 {
-  left: 33.33333%; }
+  left: 33.33333%;
+}
 
 .col-xs-push-5 {
-  left: 41.66667%; }
+  left: 41.66667%;
+}
 
 .col-xs-push-6 {
-  left: 50%; }
+  left: 50%;
+}
 
 .col-xs-push-7 {
-  left: 58.33333%; }
+  left: 58.33333%;
+}
 
 .col-xs-push-8 {
-  left: 66.66667%; }
+  left: 66.66667%;
+}
 
 .col-xs-push-9 {
-  left: 75%; }
+  left: 75%;
+}
 
 .col-xs-push-10 {
-  left: 83.33333%; }
+  left: 83.33333%;
+}
 
 .col-xs-push-11 {
-  left: 91.66667%; }
+  left: 91.66667%;
+}
 
 .col-xs-push-12 {
-  left: 100%; }
+  left: 100%;
+}
 
 .col-xs-offset-0 {
-  margin-left: 0%; }
+  margin-left: 0%;
+}
 
 .col-xs-offset-1 {
-  margin-left: 8.33333%; }
+  margin-left: 8.33333%;
+}
 
 .col-xs-offset-2 {
-  margin-left: 16.66667%; }
+  margin-left: 16.66667%;
+}
 
 .col-xs-offset-3 {
-  margin-left: 25%; }
+  margin-left: 25%;
+}
 
 .col-xs-offset-4 {
-  margin-left: 33.33333%; }
+  margin-left: 33.33333%;
+}
 
 .col-xs-offset-5 {
-  margin-left: 41.66667%; }
+  margin-left: 41.66667%;
+}
 
 .col-xs-offset-6 {
-  margin-left: 50%; }
+  margin-left: 50%;
+}
 
 .col-xs-offset-7 {
-  margin-left: 58.33333%; }
+  margin-left: 58.33333%;
+}
 
 .col-xs-offset-8 {
-  margin-left: 66.66667%; }
+  margin-left: 66.66667%;
+}
 
 .col-xs-offset-9 {
-  margin-left: 75%; }
+  margin-left: 75%;
+}
 
 .col-xs-offset-10 {
-  margin-left: 83.33333%; }
+  margin-left: 83.33333%;
+}
 
 .col-xs-offset-11 {
-  margin-left: 91.66667%; }
+  margin-left: 91.66667%;
+}
 
 .col-xs-offset-12 {
-  margin-left: 100%; }
+  margin-left: 100%;
+}
 
 @media (min-width: 768px) {
   .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {
-    float: left; }
+    float: left;
+  }
 
   .col-sm-1 {
-    width: 8.33333%; }
+    width: 8.33333%;
+  }
 
   .col-sm-2 {
-    width: 16.66667%; }
+    width: 16.66667%;
+  }
 
   .col-sm-3 {
-    width: 25%; }
+    width: 25%;
+  }
 
   .col-sm-4 {
-    width: 33.33333%; }
+    width: 33.33333%;
+  }
 
   .col-sm-5 {
-    width: 41.66667%; }
+    width: 41.66667%;
+  }
 
   .col-sm-6 {
-    width: 50%; }
+    width: 50%;
+  }
 
   .col-sm-7 {
-    width: 58.33333%; }
+    width: 58.33333%;
+  }
 
   .col-sm-8 {
-    width: 66.66667%; }
+    width: 66.66667%;
+  }
 
   .col-sm-9 {
-    width: 75%; }
+    width: 75%;
+  }
 
   .col-sm-10 {
-    width: 83.33333%; }
+    width: 83.33333%;
+  }
 
   .col-sm-11 {
-    width: 91.66667%; }
+    width: 91.66667%;
+  }
 
   .col-sm-12 {
-    width: 100%; }
+    width: 100%;
+  }
 
   .col-sm-pull-0 {
-    right: auto; }
+    right: auto;
+  }
 
   .col-sm-pull-1 {
-    right: 8.33333%; }
+    right: 8.33333%;
+  }
 
   .col-sm-pull-2 {
-    right: 16.66667%; }
+    right: 16.66667%;
+  }
 
   .col-sm-pull-3 {
-    right: 25%; }
+    right: 25%;
+  }
 
   .col-sm-pull-4 {
-    right: 33.33333%; }
+    right: 33.33333%;
+  }
 
   .col-sm-pull-5 {
-    right: 41.66667%; }
+    right: 41.66667%;
+  }
 
   .col-sm-pull-6 {
-    right: 50%; }
+    right: 50%;
+  }
 
   .col-sm-pull-7 {
-    right: 58.33333%; }
+    right: 58.33333%;
+  }
 
   .col-sm-pull-8 {
-    right: 66.66667%; }
+    right: 66.66667%;
+  }
 
   .col-sm-pull-9 {
-    right: 75%; }
+    right: 75%;
+  }
 
   .col-sm-pull-10 {
-    right: 83.33333%; }
+    right: 83.33333%;
+  }
 
   .col-sm-pull-11 {
-    right: 91.66667%; }
+    right: 91.66667%;
+  }
 
   .col-sm-pull-12 {
-    right: 100%; }
+    right: 100%;
+  }
 
   .col-sm-push-0 {
-    left: auto; }
+    left: auto;
+  }
 
   .col-sm-push-1 {
-    left: 8.33333%; }
+    left: 8.33333%;
+  }
 
   .col-sm-push-2 {
-    left: 16.66667%; }
+    left: 16.66667%;
+  }
 
   .col-sm-push-3 {
-    left: 25%; }
+    left: 25%;
+  }
 
   .col-sm-push-4 {
-    left: 33.33333%; }
+    left: 33.33333%;
+  }
 
   .col-sm-push-5 {
-    left: 41.66667%; }
+    left: 41.66667%;
+  }
 
   .col-sm-push-6 {
-    left: 50%; }
+    left: 50%;
+  }
 
   .col-sm-push-7 {
-    left: 58.33333%; }
+    left: 58.33333%;
+  }
 
   .col-sm-push-8 {
-    left: 66.66667%; }
+    left: 66.66667%;
+  }
 
   .col-sm-push-9 {
-    left: 75%; }
+    left: 75%;
+  }
 
   .col-sm-push-10 {
-    left: 83.33333%; }
+    left: 83.33333%;
+  }
 
   .col-sm-push-11 {
-    left: 91.66667%; }
+    left: 91.66667%;
+  }
 
   .col-sm-push-12 {
-    left: 100%; }
+    left: 100%;
+  }
 
   .col-sm-offset-0 {
-    margin-left: 0%; }
+    margin-left: 0%;
+  }
 
   .col-sm-offset-1 {
-    margin-left: 8.33333%; }
+    margin-left: 8.33333%;
+  }
 
   .col-sm-offset-2 {
-    margin-left: 16.66667%; }
+    margin-left: 16.66667%;
+  }
 
   .col-sm-offset-3 {
-    margin-left: 25%; }
+    margin-left: 25%;
+  }
 
   .col-sm-offset-4 {
-    margin-left: 33.33333%; }
+    margin-left: 33.33333%;
+  }
 
   .col-sm-offset-5 {
-    margin-left: 41.66667%; }
+    margin-left: 41.66667%;
+  }
 
   .col-sm-offset-6 {
-    margin-left: 50%; }
+    margin-left: 50%;
+  }
 
   .col-sm-offset-7 {
-    margin-left: 58.33333%; }
+    margin-left: 58.33333%;
+  }
 
   .col-sm-offset-8 {
-    margin-left: 66.66667%; }
+    margin-left: 66.66667%;
+  }
 
   .col-sm-offset-9 {
-    margin-left: 75%; }
+    margin-left: 75%;
+  }
 
   .col-sm-offset-10 {
-    margin-left: 83.33333%; }
+    margin-left: 83.33333%;
+  }
 
   .col-sm-offset-11 {
-    margin-left: 91.66667%; }
+    margin-left: 91.66667%;
+  }
 
   .col-sm-offset-12 {
-    margin-left: 100%; } }
+    margin-left: 100%;
+  }
+}
+
 @media (min-width: 992px) {
   .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {
-    float: left; }
+    float: left;
+  }
 
   .col-md-1 {
-    width: 8.33333%; }
+    width: 8.33333%;
+  }
 
   .col-md-2 {
-    width: 16.66667%; }
+    width: 16.66667%;
+  }
 
   .col-md-3 {
-    width: 25%; }
+    width: 25%;
+  }
 
   .col-md-4 {
-    width: 33.33333%; }
+    width: 33.33333%;
+  }
 
   .col-md-5 {
-    width: 41.66667%; }
+    width: 41.66667%;
+  }
 
   .col-md-6 {
-    width: 50%; }
+    width: 50%;
+  }
 
   .col-md-7 {
-    width: 58.33333%; }
+    width: 58.33333%;
+  }
 
   .col-md-8 {
-    width: 66.66667%; }
+    width: 66.66667%;
+  }
 
   .col-md-9 {
-    width: 75%; }
+    width: 75%;
+  }
 
   .col-md-10 {
-    width: 83.33333%; }
+    width: 83.33333%;
+  }
 
   .col-md-11 {
-    width: 91.66667%; }
+    width: 91.66667%;
+  }
 
   .col-md-12 {
-    width: 100%; }
+    width: 100%;
+  }
 
   .col-md-pull-0 {
-    right: auto; }
+    right: auto;
+  }
 
   .col-md-pull-1 {
-    right: 8.33333%; }
+    right: 8.33333%;
+  }
 
   .col-md-pull-2 {
-    right: 16.66667%; }
+    right: 16.66667%;
+  }
 
   .col-md-pull-3 {
-    right: 25%; }
+    right: 25%;
+  }
 
   .col-md-pull-4 {
-    right: 33.33333%; }
+    right: 33.33333%;
+  }
 
   .col-md-pull-5 {
-    right: 41.66667%; }
+    right: 41.66667%;
+  }
 
   .col-md-pull-6 {
-    right: 50%; }
+    right: 50%;
+  }
 
   .col-md-pull-7 {
-    right: 58.33333%; }
+    right: 58.33333%;
+  }
 
   .col-md-pull-8 {
-    right: 66.66667%; }
+    right: 66.66667%;
+  }
 
   .col-md-pull-9 {
-    right: 75%; }
+    right: 75%;
+  }
 
   .col-md-pull-10 {
-    right: 83.33333%; }
+    right: 83.33333%;
+  }
 
   .col-md-pull-11 {
-    right: 91.66667%; }
+    right: 91.66667%;
+  }
 
   .col-md-pull-12 {
-    right: 100%; }
+    right: 100%;
+  }
 
   .col-md-push-0 {
-    left: auto; }
+    left: auto;
+  }
 
   .col-md-push-1 {
-    left: 8.33333%; }
+    left: 8.33333%;
+  }
 
   .col-md-push-2 {
-    left: 16.66667%; }
+    left: 16.66667%;
+  }
 
   .col-md-push-3 {
-    left: 25%; }
+    left: 25%;
+  }
 
   .col-md-push-4 {
-    left: 33.33333%; }
+    left: 33.33333%;
+  }
 
   .col-md-push-5 {
-    left: 41.66667%; }
+    left: 41.66667%;
+  }
 
   .col-md-push-6 {
-    left: 50%; }
+    left: 50%;
+  }
 
   .col-md-push-7 {
-    left: 58.33333%; }
+    left: 58.33333%;
+  }
 
   .col-md-push-8 {
-    left: 66.66667%; }
+    left: 66.66667%;
+  }
 
   .col-md-push-9 {
-    left: 75%; }
+    left: 75%;
+  }
 
   .col-md-push-10 {
-    left: 83.33333%; }
+    left: 83.33333%;
+  }
 
   .col-md-push-11 {
-    left: 91.66667%; }
+    left: 91.66667%;
+  }
 
   .col-md-push-12 {
-    left: 100%; }
+    left: 100%;
+  }
 
   .col-md-offset-0 {
-    margin-left: 0%; }
+    margin-left: 0%;
+  }
 
   .col-md-offset-1 {
-    margin-left: 8.33333%; }
+    margin-left: 8.33333%;
+  }
 
   .col-md-offset-2 {
-    margin-left: 16.66667%; }
+    margin-left: 16.66667%;
+  }
 
   .col-md-offset-3 {
-    margin-left: 25%; }
+    margin-left: 25%;
+  }
 
   .col-md-offset-4 {
-    margin-left: 33.33333%; }
+    margin-left: 33.33333%;
+  }
 
   .col-md-offset-5 {
-    margin-left: 41.66667%; }
+    margin-left: 41.66667%;
+  }
 
   .col-md-offset-6 {
-    margin-left: 50%; }
+    margin-left: 50%;
+  }
 
   .col-md-offset-7 {
-    margin-left: 58.33333%; }
+    margin-left: 58.33333%;
+  }
 
   .col-md-offset-8 {
-    margin-left: 66.66667%; }
+    margin-left: 66.66667%;
+  }
 
   .col-md-offset-9 {
-    margin-left: 75%; }
+    margin-left: 75%;
+  }
 
   .col-md-offset-10 {
-    margin-left: 83.33333%; }
+    margin-left: 83.33333%;
+  }
 
   .col-md-offset-11 {
-    margin-left: 91.66667%; }
+    margin-left: 91.66667%;
+  }
 
   .col-md-offset-12 {
-    margin-left: 100%; } }
+    margin-left: 100%;
+  }
+}
+
 @media (min-width: 1200px) {
   .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 {
-    float: left; }
+    float: left;
+  }
 
   .col-lg-1 {
-    width: 8.33333%; }
+    width: 8.33333%;
+  }
 
   .col-lg-2 {
-    width: 16.66667%; }
+    width: 16.66667%;
+  }
 
   .col-lg-3 {
-    width: 25%; }
+    width: 25%;
+  }
 
   .col-lg-4 {
-    width: 33.33333%; }
+    width: 33.33333%;
+  }
 
   .col-lg-5 {
-    width: 41.66667%; }
+    width: 41.66667%;
+  }
 
   .col-lg-6 {
-    width: 50%; }
+    width: 50%;
+  }
 
   .col-lg-7 {
-    width: 58.33333%; }
+    width: 58.33333%;
+  }
 
   .col-lg-8 {
-    width: 66.66667%; }
+    width: 66.66667%;
+  }
 
   .col-lg-9 {
-    width: 75%; }
+    width: 75%;
+  }
 
   .col-lg-10 {
-    width: 83.33333%; }
+    width: 83.33333%;
+  }
 
   .col-lg-11 {
-    width: 91.66667%; }
+    width: 91.66667%;
+  }
 
   .col-lg-12 {
-    width: 100%; }
+    width: 100%;
+  }
 
   .col-lg-pull-0 {
-    right: auto; }
+    right: auto;
+  }
 
   .col-lg-pull-1 {
-    right: 8.33333%; }
+    right: 8.33333%;
+  }
 
   .col-lg-pull-2 {
-    right: 16.66667%; }
+    right: 16.66667%;
+  }
 
   .col-lg-pull-3 {
-    right: 25%; }
+    right: 25%;
+  }
 
   .col-lg-pull-4 {
-    right: 33.33333%; }
+    right: 33.33333%;
+  }
 
   .col-lg-pull-5 {
-    right: 41.66667%; }
+    right: 41.66667%;
+  }
 
   .col-lg-pull-6 {
-    right: 50%; }
+    right: 50%;
+  }
 
   .col-lg-pull-7 {
-    right: 58.33333%; }
+    right: 58.33333%;
+  }
 
   .col-lg-pull-8 {
-    right: 66.66667%; }
+    right: 66.66667%;
+  }
 
   .col-lg-pull-9 {
-    right: 75%; }
+    right: 75%;
+  }
 
   .col-lg-pull-10 {
-    right: 83.33333%; }
+    right: 83.33333%;
+  }
 
   .col-lg-pull-11 {
-    right: 91.66667%; }
+    right: 91.66667%;
+  }
 
   .col-lg-pull-12 {
-    right: 100%; }
+    right: 100%;
+  }
 
   .col-lg-push-0 {
-    left: auto; }
+    left: auto;
+  }
 
   .col-lg-push-1 {
-    left: 8.33333%; }
+    left: 8.33333%;
+  }
 
   .col-lg-push-2 {
-    left: 16.66667%; }
+    left: 16.66667%;
+  }
 
   .col-lg-push-3 {
-    left: 25%; }
+    left: 25%;
+  }
 
   .col-lg-push-4 {
-    left: 33.33333%; }
+    left: 33.33333%;
+  }
 
   .col-lg-push-5 {
-    left: 41.66667%; }
+    left: 41.66667%;
+  }
 
   .col-lg-push-6 {
-    left: 50%; }
+    left: 50%;
+  }
 
   .col-lg-push-7 {
-    left: 58.33333%; }
+    left: 58.33333%;
+  }
 
   .col-lg-push-8 {
-    left: 66.66667%; }
+    left: 66.66667%;
+  }
 
   .col-lg-push-9 {
-    left: 75%; }
+    left: 75%;
+  }
 
   .col-lg-push-10 {
-    left: 83.33333%; }
+    left: 83.33333%;
+  }
 
   .col-lg-push-11 {
-    left: 91.66667%; }
+    left: 91.66667%;
+  }
 
   .col-lg-push-12 {
-    left: 100%; }
+    left: 100%;
+  }
 
   .col-lg-offset-0 {
-    margin-left: 0%; }
+    margin-left: 0%;
+  }
 
   .col-lg-offset-1 {
-    margin-left: 8.33333%; }
+    margin-left: 8.33333%;
+  }
 
   .col-lg-offset-2 {
-    margin-left: 16.66667%; }
+    margin-left: 16.66667%;
+  }
 
   .col-lg-offset-3 {
-    margin-left: 25%; }
+    margin-left: 25%;
+  }
 
   .col-lg-offset-4 {
-    margin-left: 33.33333%; }
+    margin-left: 33.33333%;
+  }
 
   .col-lg-offset-5 {
-    margin-left: 41.66667%; }
+    margin-left: 41.66667%;
+  }
 
   .col-lg-offset-6 {
-    margin-left: 50%; }
+    margin-left: 50%;
+  }
 
   .col-lg-offset-7 {
-    margin-left: 58.33333%; }
+    margin-left: 58.33333%;
+  }
 
   .col-lg-offset-8 {
-    margin-left: 66.66667%; }
+    margin-left: 66.66667%;
+  }
 
   .col-lg-offset-9 {
-    margin-left: 75%; }
+    margin-left: 75%;
+  }
 
   .col-lg-offset-10 {
-    margin-left: 83.33333%; }
+    margin-left: 83.33333%;
+  }
 
   .col-lg-offset-11 {
-    margin-left: 91.66667%; }
+    margin-left: 91.66667%;
+  }
 
   .col-lg-offset-12 {
-    margin-left: 100%; } }
+    margin-left: 100%;
+  }
+}
 
 th {
-  text-align: left; }
+  text-align: left;
+}
 
 .table {
   width: 100%;
   max-width: 100%;
-  margin-bottom: 20px; }
-  .table > thead > tr > th,
-  .table > thead > tr > td,
-  .table > tbody > tr > th,
-  .table > tbody > tr > td,
-  .table > tfoot > tr > th,
-  .table > tfoot > tr > td {
-    padding: 10px 0px 10px 20px;
-    line-height: 1.428571429;
-    vertical-align: top;
-    border-top: 1px solid #f0f0f0; }
-  .table > thead > tr > th {
-    vertical-align: bottom;  }
-  .table > caption + thead > tr:first-child > th,
-  .table > caption + thead > tr:first-child > td,
-  .table > colgroup + thead > tr:first-child > th,
-  .table > colgroup + thead > tr:first-child > td,
-  .table > thead:first-child > tr:first-child > th,
-  .table > thead:first-child > tr:first-child > td {
-    border-top: 0;
-    font-family: 'SourceSansProSemibold';
-    font-weight: normal;
-    border-bottom: 1px solid #5e5e5e;
-    background-color: #45565f;
-    color: #FFF;}
-  .table > tbody + tbody {
-    border-top: 2px solid #5e5e5e; }
-  .table .table {
-    background-color: none; }
-
-.table-condensed > thead > tr > th,
-.table-condensed > thead > tr > td,
-.table-condensed > tbody > tr > th,
-.table-condensed > tbody > tr > td,
-.table-condensed > tfoot > tr > th,
-.table-condensed > tfoot > tr > td {
-  padding: 5px; }
+  margin-bottom: 20px;
+
+  > {
+    thead > tr > {
+      th, td {
+        padding: 10px 0px 10px 20px;
+        line-height: 1.428571429;
+        vertical-align: top;
+        border-top: 1px solid #f0f0f0;
+      }
+    }
+
+    tbody > tr > {
+      th, td {
+        padding: 10px 0px 10px 20px;
+        line-height: 1.428571429;
+        vertical-align: top;
+        border-top: 1px solid #f0f0f0;
+      }
+    }
+
+    tfoot > tr > {
+      th, td {
+        padding: 10px 0px 10px 20px;
+        line-height: 1.428571429;
+        vertical-align: top;
+        border-top: 1px solid #f0f0f0;
+      }
+    }
+
+    thead > tr > th {
+      vertical-align: bottom;
+    }
+
+    caption + thead > tr:first-child > {
+      th, td {
+        border-top: 0;
+        font-family: 'SourceSansProSemibold';
+        font-weight: normal;
+        border-bottom: 1px solid #5e5e5e;
+        background-color: #45565f;
+        color: #FFF;
+      }
+    }
+
+    colgroup + thead > tr:first-child > {
+      th, td {
+        border-top: 0;
+        font-family: 'SourceSansProSemibold';
+        font-weight: normal;
+        border-bottom: 1px solid #5e5e5e;
+        background-color: #45565f;
+        color: #FFF;
+      }
+    }
+
+    thead:first-child > tr:first-child > {
+      th, td {
+        border-top: 0;
+        font-family: 'SourceSansProSemibold';
+        font-weight: normal;
+        border-bottom: 1px solid #5e5e5e;
+        background-color: #45565f;
+        color: #FFF;
+      }
+    }
+
+    tbody + tbody {
+      border-top: 2px solid #5e5e5e;
+    }
+  }
+
+  .table {
+    background-color: none;
+  }
+}
+
+.table-condensed > {
+  thead > tr > {
+    th, td {
+      padding: 5px;
+    }
+  }
+
+  tbody > tr > {
+    th, td {
+      padding: 5px;
+    }
+  }
+
+  tfoot > tr > {
+    th, td {
+      padding: 5px;
+    }
+  }
+}
 
 .table-bordered {
-  border: 1px solid #dbdbdb; }
-  .table-bordered > thead > tr > th,
-  .table-bordered > thead > tr > td,
-  .table-bordered > tbody > tr > th,
-  .table-bordered > tbody > tr > td,
-  .table-bordered > tfoot > tr > th,
-  .table-bordered > tfoot > tr > td {
-    border: 1px solid #dbdbdb; }
-  .table-bordered > thead > tr > th,
-  .table-bordered > thead > tr > td {
-    border-bottom-width: 2px; }
-
-.table-striped > tbody > tr:nth-child(odd) > td,
-.table-striped > tbody > tr:nth-child(odd) > th {
-  background-color: #fff; }
-
-.table-hover > tbody > tr:hover > td,
-.table-hover > tbody > tr:hover > th {
-  background-color: #738087;
-  color: #FFF; }
-
-table col[class*="col-"] {
-  position: static;
-  float: none;
-  display: table-column; }
+  border: 1px solid #dbdbdb;
+
+  > {
+    thead > tr > {
+      th, td {
+        border: 1px solid #dbdbdb;
+      }
+    }
+
+    tbody > tr > {
+      th, td {
+        border: 1px solid #dbdbdb;
+      }
+    }
+
+    tfoot > tr > {
+      th, td {
+        border: 1px solid #dbdbdb;
+      }
+    }
+
+    thead > tr > {
+      th, td {
+        border-bottom-width: 2px;
+      }
+    }
+  }
+}
 
-table td[class*="col-"],
-table th[class*="col-"] {
-  position: static;
-  float: none;
-  display: table-cell; }
-
-.table > thead > tr > td.active,
-.table > thead > tr > th.active, .table > thead > tr.active > td, .table > thead > tr.active > th,
-.table > tbody > tr > td.active,
-.table > tbody > tr > th.active,
-.table > tbody > tr.active > td,
-.table > tbody > tr.active > th,
-.table > tfoot > tr > td.active,
-.table > tfoot > tr > th.active,
-.table > tfoot > tr.active > td,
-.table > tfoot > tr.active > th {
-  background-color: #E2F5FF; }
-
-.table-hover > tbody > tr > td.active:hover,
-.table-hover > tbody > tr > th.active:hover, .table-hover > tbody > tr.active:hover > td, .table-hover > tbody > tr:hover > .active, .table-hover > tbody > tr.active:hover > th {
-  background-color: #FF8B00; }
-
-.table > thead > tr > td.success,
-.table > thead > tr > th.success, .table > thead > tr.success > td, .table > thead > tr.success > th,
-.table > tbody > tr > td.success,
-.table > tbody > tr > th.success,
-.table > tbody > tr.success > td,
-.table > tbody > tr.success > th,
-.table > tfoot > tr > td.success,
-.table > tfoot > tr > th.success,
-.table > tfoot > tr.success > td,
-.table > tfoot > tr.success > th {
-  background-color: #9BD275; }
-
-.table-hover > tbody > tr > td.success:hover,
-.table-hover > tbody > tr > th.success:hover, .table-hover > tbody > tr.success:hover > td, .table-hover > tbody > tr:hover > .success, .table-hover > tbody > tr.success:hover > th {
-  background-color: #8dcc62; }
-
-.table > thead > tr > td.info,
-.table > thead > tr > th.info, .table > thead > tr.info > td, .table > thead > tr.info > th,
-.table > tbody > tr > td.info,
-.table > tbody > tr > th.info,
-.table > tbody > tr.info > td,
-.table > tbody > tr.info > th,
-.table > tfoot > tr > td.info,
-.table > tfoot > tr > th.info,
-.table > tfoot > tr.info > td,
-.table > tfoot > tr.info > th {
-  background-color: #d9edf7; }
-
-.table-hover > tbody > tr > td.info:hover,
-.table-hover > tbody > tr > th.info:hover, .table-hover > tbody > tr.info:hover > td, .table-hover > tbody > tr:hover > .info, .table-hover > tbody > tr.info:hover > th {
-  background-color: #c4e3f3; }
-
-.table > thead > tr > td.warning,
-.table > thead > tr > th.warning, .table > thead > tr.warning > td, .table > thead > tr.warning > th,
-.table > tbody > tr > td.warning,
-.table > tbody > tr > th.warning,
-.table > tbody > tr.warning > td,
-.table > tbody > tr.warning > th,
-.table > tfoot > tr > td.warning,
-.table > tfoot > tr > th.warning,
-.table > tfoot > tr.warning > td,
-.table > tfoot > tr.warning > th {
-  background-color: #fcf8e3; }
-
-.table-hover > tbody > tr > td.warning:hover,
-.table-hover > tbody > tr > th.warning:hover, .table-hover > tbody > tr.warning:hover > td, .table-hover > tbody > tr:hover > .warning, .table-hover > tbody > tr.warning:hover > th {
-  background-color: #faf2cc; }
-
-.table > thead > tr > td.danger,
-.table > thead > tr > th.danger, .table > thead > tr.danger > td, .table > thead > tr.danger > th,
-.table > tbody > tr > td.danger,
-.table > tbody > tr > th.danger,
-.table > tbody > tr.danger > td,
-.table > tbody > tr.danger > th,
-.table > tfoot > tr > td.danger,
-.table > tfoot > tr > th.danger,
-.table > tfoot > tr.danger > td,
-.table > tfoot > tr.danger > th {
-  background-color: #F05050; }
-
-.table-hover > tbody > tr > td.danger:hover,
-.table-hover > tbody > tr > th.danger:hover, .table-hover > tbody > tr.danger:hover > td, .table-hover > tbody > tr:hover > .danger, .table-hover > tbody > tr.danger:hover > th {
-  background-color: #ee3939; }
+.table-striped > tbody > tr:nth-child(odd) > {
+  td, th {
+    background-color: #fff;
+  }
+}
+
+.table-hover > tbody > tr:hover > {
+  td, th {
+    background-color: #738087;
+    color: #FFF;
+  }
+}
+
+table {
+  col[class*="col-"] {
+    position: static;
+    float: none;
+    display: table-column;
+  }
+
+  td[class*="col-"], th[class*="col-"] {
+    position: static;
+    float: none;
+    display: table-cell;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.active, th.active {
+        background-color: #E2F5FF;
+      }
+    }
+
+    &.active > {
+      td, th {
+        background-color: #E2F5FF;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.active, th.active {
+        background-color: #E2F5FF;
+      }
+    }
+
+    &.active > {
+      td, th {
+        background-color: #E2F5FF;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.active, th.active {
+        background-color: #E2F5FF;
+      }
+    }
+
+    &.active > {
+      td, th {
+        background-color: #E2F5FF;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.active:hover, th.active:hover {
+      background-color: #FF8B00;
+    }
+  }
+
+  &.active:hover > td, &:hover > .active, &.active:hover > th {
+    background-color: #FF8B00;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.success, th.success {
+        background-color: #9BD275;
+      }
+    }
+
+    &.success > {
+      td, th {
+        background-color: #9BD275;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.success, th.success {
+        background-color: #9BD275;
+      }
+    }
+
+    &.success > {
+      td, th {
+        background-color: #9BD275;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.success, th.success {
+        background-color: #9BD275;
+      }
+    }
+
+    &.success > {
+      td, th {
+        background-color: #9BD275;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.success:hover, th.success:hover {
+      background-color: #8dcc62;
+    }
+  }
+
+  &.success:hover > td, &:hover > .success, &.success:hover > th {
+    background-color: #8dcc62;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.info, th.info {
+        background-color: #d9edf7;
+      }
+    }
+
+    &.info > {
+      td, th {
+        background-color: #d9edf7;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.info, th.info {
+        background-color: #d9edf7;
+      }
+    }
+
+    &.info > {
+      td, th {
+        background-color: #d9edf7;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.info, th.info {
+        background-color: #d9edf7;
+      }
+    }
+
+    &.info > {
+      td, th {
+        background-color: #d9edf7;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.info:hover, th.info:hover {
+      background-color: #c4e3f3;
+    }
+  }
+
+  &.info:hover > td, &:hover > .info, &.info:hover > th {
+    background-color: #c4e3f3;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.warning, th.warning {
+        background-color: #fcf8e3;
+      }
+    }
+
+    &.warning > {
+      td, th {
+        background-color: #fcf8e3;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.warning, th.warning {
+        background-color: #fcf8e3;
+      }
+    }
+
+    &.warning > {
+      td, th {
+        background-color: #fcf8e3;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.warning, th.warning {
+        background-color: #fcf8e3;
+      }
+    }
+
+    &.warning > {
+      td, th {
+        background-color: #fcf8e3;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.warning:hover, th.warning:hover {
+      background-color: #faf2cc;
+    }
+  }
+
+  &.warning:hover > td, &:hover > .warning, &.warning:hover > th {
+    background-color: #faf2cc;
+  }
+}
+
+.table > {
+  thead > tr {
+    > {
+      td.danger, th.danger {
+        background-color: #F05050;
+      }
+    }
+
+    &.danger > {
+      td, th {
+        background-color: #F05050;
+      }
+    }
+  }
+
+  tbody > tr {
+    > {
+      td.danger, th.danger {
+        background-color: #F05050;
+      }
+    }
+
+    &.danger > {
+      td, th {
+        background-color: #F05050;
+      }
+    }
+  }
+
+  tfoot > tr {
+    > {
+      td.danger, th.danger {
+        background-color: #F05050;
+      }
+    }
+
+    &.danger > {
+      td, th {
+        background-color: #F05050;
+      }
+    }
+  }
+}
+
+.table-hover > tbody > tr {
+  > {
+    td.danger:hover, th.danger:hover {
+      background-color: #ee3939;
+    }
+  }
+
+  &.danger:hover > td, &:hover > .danger, &.danger:hover > th {
+    background-color: #ee3939;
+  }
+}
 
 @media screen and (max-width: 767px) {
   .table-responsive {
@@ -2188,44 +3193,98 @@ table th[class*="col-"] {
     overflow-y: hidden;
     overflow-x: auto;
     -ms-overflow-style: -ms-autohiding-scrollbar;
+
     /*     border: 1px solid $table-border-color; */
-    -webkit-overflow-scrolling: touch; }
-    .table-responsive > .table {
-      margin-bottom: 0; }
-      .table-responsive > .table > thead > tr > th,
-      .table-responsive > .table > thead > tr > td,
-      .table-responsive > .table > tbody > tr > th,
-      .table-responsive > .table > tbody > tr > td,
-      .table-responsive > .table > tfoot > tr > th,
-      .table-responsive > .table > tfoot > tr > td {
-        white-space: nowrap; }
-    .table-responsive > .table-bordered {
-      border: 0; }
-      .table-responsive > .table-bordered > thead > tr > th:first-child,
-      .table-responsive > .table-bordered > thead > tr > td:first-child,
-      .table-responsive > .table-bordered > tbody > tr > th:first-child,
-      .table-responsive > .table-bordered > tbody > tr > td:first-child,
-      .table-responsive > .table-bordered > tfoot > tr > th:first-child,
-      .table-responsive > .table-bordered > tfoot > tr > td:first-child {
-        border-left: 0; }
-      .table-responsive > .table-bordered > thead > tr > th:last-child,
-      .table-responsive > .table-bordered > thead > tr > td:last-child,
-      .table-responsive > .table-bordered > tbody > tr > th:last-child,
-      .table-responsive > .table-bordered > tbody > tr > td:last-child,
-      .table-responsive > .table-bordered > tfoot > tr > th:last-child,
-      .table-responsive > .table-bordered > tfoot > tr > td:last-child {
-        border-right: 0; }
-      .table-responsive > .table-bordered > tbody > tr:last-child > th,
-      .table-responsive > .table-bordered > tbody > tr:last-child > td,
-      .table-responsive > .table-bordered > tfoot > tr:last-child > th,
-      .table-responsive > .table-bordered > tfoot > tr:last-child > td {
-        border-bottom: 0; } }
+    -webkit-overflow-scrolling: touch;
+
+    > {
+      .table {
+        margin-bottom: 0;
+
+        > {
+          thead > tr > {
+            th, td {
+              white-space: nowrap;
+            }
+          }
+
+          tbody > tr > {
+            th, td {
+              white-space: nowrap;
+            }
+          }
+
+          tfoot > tr > {
+            th, td {
+              white-space: nowrap;
+            }
+          }
+        }
+      }
+
+      .table-bordered {
+        border: 0;
+
+        > {
+          thead > tr > {
+            th:first-child, td:first-child {
+              border-left: 0;
+            }
+          }
+
+          tbody > tr > {
+            th:first-child, td:first-child {
+              border-left: 0;
+            }
+          }
+
+          tfoot > tr > {
+            th:first-child, td:first-child {
+              border-left: 0;
+            }
+          }
+
+          thead > tr > {
+            th:last-child, td:last-child {
+              border-right: 0;
+            }
+          }
+
+          tbody > tr > {
+            th:last-child, td:last-child {
+              border-right: 0;
+            }
+          }
+
+          tfoot > tr > {
+            th:last-child, td:last-child {
+              border-right: 0;
+            }
+          }
+
+          tbody > tr:last-child > {
+            th, td {
+              border-bottom: 0;
+            }
+          }
+
+          tfoot > tr:last-child > {
+            th, td {
+              border-bottom: 0;
+            }
+          }
+        }
+      }
+    }
+  }
+}
 
 fieldset {
   padding: 0;
   margin: 0;
   border: 0;
-  min-width: 0; }
+  min-width: 0;
+}
 
 legend {
   display: block;
@@ -2236,73 +3295,67 @@ legend {
   line-height: inherit;
   color: #2d2d2d;
   border: 0;
-  border-bottom: 1px solid #e5e5e5; }
+  border-bottom: 1px solid #e5e5e5;
+}
 
 label {
   display: inline-block;
   max-width: 100%;
   margin-bottom: 5px;
-  font-weight: normal; }
-
-input[type="search"] {
-  -webkit-box-sizing: border-box;
-  -moz-box-sizing: border-box;
-  box-sizing: border-box; }
-
-input[type="radio"],
-input[type="checkbox"] {
-  margin: 4px 0 0;
-  margin-top: 1px \9;
-  line-height: normal; }
-
-input[type="file"] {
-  display: block; }
+  font-weight: normal;
+}
 
-input[type="range"] {
-  display: block;
-  width: 100%; }
+input {
+  &[type="search"] {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
+  }
+
+  &[type="radio"], &[type="checkbox"] {
+    margin: 4px 0 0;
+    margin-top: 1px \9;
+    line-height: normal;
+  }
+
+  &[type="file"] {
+    display: block;
+  }
 
-select[multiple],
-select[size] {
-  height: auto; }
+  &[type="range"] {
+    display: block;
+    width: 100%;
+  }
+}
 
-input[type="file"]:focus,
-input[type="radio"]:focus,
-input[type="checkbox"]:focus {
-  outline: none;
-  outline: 5px auto -webkit-focus-ring-color;
-  outline-offset: -2px; }
+select {
+  &[multiple], &[size] {
+    height: auto;
+  }
+}
 
+input {
+  &[type="file"]:focus, &[type="radio"]:focus, &[type="checkbox"]:focus {
+    outline: none;
+    outline: 5px auto -webkit-focus-ring-color;
+    outline-offset: -2px;
+  }
+}
 
 output {
   display: block;
   padding-top: 7px;
-  font-size:14px;
+  font-size: 14px;
   line-height: 1.428571429;
-  color: #000; }
-
-select,
-textarea,
-input[type="text"],
-input[type="password"],
-input[type="datetime"],
-input[type="datetime-local"],
-input[type="date"],
-input[type="month"],
-input[type="time"],
-input[type="week"],
-input[type="number"],
-input[type="email"],
-input[type="url"],
-input[type="search"],
-input[type="tel"],
-input[type="color"]
- {
+  color: #000;
+}
+
+select, textarea {
   display: block;
   width: 100%;
   height: 34px;
   padding: 6px 12px;
-  font-size:14px;
+  font-size: 14px;
   line-height: 1.428571429;
   color: #000;
   background-color: #FFF;
@@ -2313,398 +3366,1172 @@ input[type="color"]
   max-width: 348px;
   -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
   -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
-  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s; }
-
-  select:hover,
-  textarea:hover,
-  input[type="text"]:hover,
-  input[type="password"]:hover,
-  input[type="datetime"]:hover,
-  input[type="datetime-local"]:hover,
-  input[type="date"]:hover,
-  input[type="month"]:hover,
-  input[type="time"]:hover,
-  input[type="week"]:hover,
-  input[type="number"]:hover,
-  input[type="email"]:hover,
-  input[type="url"]:hover,
-  input[type="search"]:hover,
-  input[type="tel"]:hover,
-  input[type="color"]:hover
-   {
-	color: #000;
-	background-color: none;
-  border-color: #ff6e05;
-	outline: 0; }
-
-  select:focus,
-  textarea:focus,
-  input[type="text"]:focus,
-  input[type="password"]:focus,
-  input[type="datetime"]:focus,
-  input[type="datetime-local"]:focus,
-  input[type="date"]:focus,
-  input[type="month"]:focus,
-  input[type="time"]:focus,
-  input[type="week"]:focus,
-  input[type="number"]:focus,
-  input[type="email"]:focus,
-  input[type="url"]:focus,
-  input[type="search"]:focus,
-  input[type="tel"]:focus,
-  input[type="color"]:focus
-
-   {
-     color: #000;
-     border-color: #FF6E05;
-     background-color: none;
-     outline: 0; }
-
-  select::-moz-placeholder,
-  textarea::-moz-placeholder,
-  input[type="text"]::-moz-placeholder,
-  input[type="password"]::-moz-placeholder,
-  input[type="datetime"]::-moz-placeholder,
-  input[type="datetime-local"]::-moz-placeholder,
-  input[type="date"]::-moz-placeholder,
-  input[type="month"]::-moz-placeholder,
-  input[type="time"]::-moz-placeholder,
-  input[type="week"]::-moz-placeholder,
-  input[type="number"]::-moz-placeholder,
-  input[type="email"]::-moz-placeholder,
-  input[type="url"]::-moz-placeholder,
-  input[type="search"]::-moz-placeholder,
-  input[type="tel"]::-moz-placeholder,
-  input[type="color"]::-moz-placeholder
-   {
-    color: #b7b7b7;
-    opacity: 1;
-	filter: alpha(opacity=100);	}
-
-  select:-ms-input-placeholder,
-  textarea:-ms-input-placeholder,
-  input[type="text"]:-ms-input-placeholder,
-  input[type="password"]:-ms-input-placeholder,
-  input[type="datetime"]:-ms-input-placeholder,
-  input[type="datetime-local"]:-ms-input-placeholder,
-  input[type="date"]:-ms-input-placeholder,
-  input[type="month"]:-ms-input-placeholder,
-  input[type="time"]:-ms-input-placeholder,
-  input[type="week"]:-ms-input-placeholder,
-  input[type="number"]:-ms-input-placeholder,
-  input[type="email"]:-ms-input-placeholder,
-  input[type="url"]:-ms-input-placeholder,
-  input[type="search"]:-ms-input-placeholder,
-  input[type="tel"]:-ms-input-placeholder,
-  input[type="color"]:-ms-input-placeholder
-   {
-    color: #777777; }
-
-  select::-webkit-input-placeholder,
-  textarea::-webkit-input-placeholder,
-  input[type="text"]::-webkit-input-placeholder,
-  input[type="password"]::-webkit-input-placeholder,
-  input[type="datetime"]::-webkit-input-placeholder,
-  input[type="datetime-local"]::-webkit-input-placeholder,
-  input[type="date"]::-webkit-input-placeholder,
-  input[type="month"]::-webkit-input-placeholder,
-  input[type="time"]::-webkit-input-placeholder,
-  input[type="week"]::-webkit-input-placeholder,
-  input[type="number"]::-webkit-input-placeholder,
-  input[type="email"]::-webkit-input-placeholder,
-  input[type="url"]::-webkit-input-placeholder,
-  input[type="search"]::-webkit-input-placeholder,
-  input[type="tel"]::-webkit-input-placeholder,
-  input[type="color"]::-webkit-input-placeholder
-   {
-    color: #777777; }
-
-  select[disabled], select[readonly], fieldset[disabled] select,
-  textarea[disabled],
-  textarea[readonly], fieldset[disabled]
-  textarea,
-  input[type="text"][disabled],
-  input[type="text"][readonly], fieldset[disabled]
-  input[type="text"],
-  input[type="password"][disabled],
-  input[type="password"][readonly], fieldset[disabled]
-  input[type="password"],
-  input[type="datetime"][disabled],
-  input[type="datetime"][readonly], fieldset[disabled]
-  input[type="datetime"],
-  input[type="datetime-local"][disabled],
-  input[type="datetime-local"][readonly], fieldset[disabled]
-  input[type="datetime-local"],
-  input[type="date"][disabled],
-  input[type="date"][readonly], fieldset[disabled]
-  input[type="date"],
-  input[type="month"][disabled],
-  input[type="month"][readonly], fieldset[disabled]
-  input[type="month"],
-  input[type="time"][disabled],
-  input[type="time"][readonly], fieldset[disabled]
-  input[type="time"],
-  input[type="week"][disabled],
-  input[type="week"][readonly], fieldset[disabled]
-  input[type="week"],
-  input[type="number"][disabled],
-  input[type="number"][readonly], fieldset[disabled]
-  input[type="number"],
-  input[type="email"][disabled],
-  input[type="email"][readonly], fieldset[disabled]
-  input[type="email"],
-  input[type="url"][disabled],
-  input[type="url"][readonly], fieldset[disabled]
-  input[type="url"],
-  input[type="search"][disabled],
-  input[type="search"][readonly], fieldset[disabled]
-  input[type="search"],
-  input[type="tel"][disabled],
-  input[type="tel"][readonly], fieldset[disabled]
-  input[type="tel"],
-  input[type="color"][disabled],
-  input[type="color"][readonly], fieldset[disabled]
-  input[type="color"]
-{
-	cursor: not-allowed;
-	background-color: #f0f0f0;
-	opacity: 1.0;
-	filter: alpha(opacity=100);
-	border-color: #a8a8a8;
-	color:#a8a8a8;}
-
-  select[disabled]:hover, select[readonly]:hover, fieldset[disabled]:hover,
-  textarea[disabled]:hover,
-  textarea[readonly]:hover, fieldset[disabled]:hover
-  textarea:hover,
-  input[type="text"][disabled]:hover,
-  input[type="text"][readonly]:hover, fieldset[disabled]:hover
-  input[type="text"]:hover,
-  input[type="password"][disabled]:hover,
-  input[type="password"][readonly]:hover, fieldset[disabled]:hover
-  input[type="password"]:hover,
-  input[type="datetime"][disabled]:hover,
-  input[type="datetime"][readonly]:hover, fieldset[disabled]:hover
-  input[type="datetime"]:hover,
-  input[type="datetime-local"][disabled]:hover,
-  input[type="datetime-local"][readonly]:hover, fieldset[disabled]:hover
-  input[type="datetime-local"]:hover,
-  input[type="date"][disabled]:hover,
-  input[type="date"][readonly]:hover, fieldset[disabled]:hover
-  input[type="date"]:hover,
-  input[type="month"][disabled]:hover,
-  input[type="month"][readonly]:hover, fieldset[disabled]:hover
-  input[type="month"]:hover,
-  input[type="time"][disabled]:hover,
-  input[type="time"][readonly]:hover, fieldset[disabled]:hover
-  input[type="time"]:hover,
-  input[type="week"][disabled]:hover,
-  input[type="week"][readonly]:hover, fieldset[disabled]:hover
-  input[type="week"]:hover,
-  input[type="number"][disabled]:hover,
-  input[type="number"][readonly]:hover, fieldset[disabled]:hover
-  input[type="number"]:hover,
-  input[type="email"][disabled]:hover,
-  input[type="email"][readonly]:hover, fieldset[disabled]:hover
-  input[type="email"]:hover,
-  input[type="url"][disabled]:hover,
-  input[type="url"][readonly]:hover, fieldset[disabled]:hover
-  input[type="url"]:hover,
-  input[type="search"][disabled]:hover,
-  input[type="search"][readonly]:hover, fieldset[disabled]:hover
-  input[type="search"]:hover,
-  input[type="tel"][disabled]:hover,
-  input[type="tel"][readonly]:hover, fieldset[disabled]:hover
-  input[type="tel"]:hover,
-  input[type="color"][disabled]:hover,
-  input[type="color"][readonly]:hover, fieldset[disabled]:hover
-  input[type="color"]:hover
-
-   {
-	cursor: not-allowed;
-	background-color: #f0f0f0;
-	color:#a8a8a8;
-	opacity: 1.0;
-	filter: alpha(opacity=100);
-	-webkit-box-shadow: none;
-	box-shadow: none; }
+  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+}
 
-textarea {
-  height: auto; }
+input {
+  &[type="text"], &[type="password"], &[type="datetime"], &[type="datetime-local"], &[type="date"], &[type="month"], &[type="time"], &[type="week"], &[type="number"], &[type="email"], &[type="url"], &[type="search"], &[type="tel"], &[type="color"] {
+    display: block;
+    width: 100%;
+    height: 34px;
+    padding: 6px 12px;
+    font-size: 14px;
+    line-height: 1.428571429;
+    color: #000;
+    background-color: #FFF;
+    background-image: none;
+    border: 1px solid #1b4257;
+    border-radius: 3px;
+    text-overflow: ellipsis;
+    max-width: 348px;
+    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+  }
+}
 
-input[type="search"] {
-  -webkit-appearance: none; }
+select:hover, textarea:hover {
+  color: #000;
+  background-color: none;
+  border-color: #ff6e05;
+  outline: 0;
+}
 
-input[type="date"],
-input[type="time"],
-input[type="datetime-local"],
-input[type="month"] {
-  line-height: 34px;
-  line-height: 1.42857 \0; }
-  input[type="date"].input-sm, .form-horizontal .form-group-sm input[type="date"].form-control, .input-group-sm > input[type="date"].form-control,
-  .input-group-sm > input[type="date"].input-group-addon,
-  .input-group-sm > .input-group-btn > input[type="date"].btn,
-  input[type="time"].input-sm,
-  .form-horizontal .form-group-sm input[type="time"].form-control,
-  .input-group-sm > input[type="time"].form-control,
-  .input-group-sm > input[type="time"].input-group-addon,
-  .input-group-sm > .input-group-btn > input[type="time"].btn,
-  input[type="datetime-local"].input-sm,
-  .form-horizontal .form-group-sm input[type="datetime-local"].form-control,
-  .input-group-sm > input[type="datetime-local"].form-control,
-  .input-group-sm > input[type="datetime-local"].input-group-addon,
-  .input-group-sm > .input-group-btn > input[type="datetime-local"].btn,
-  input[type="month"].input-sm,
-  .form-horizontal .form-group-sm input[type="month"].form-control,
-  .input-group-sm > input[type="month"].form-control,
-  .input-group-sm > input[type="month"].input-group-addon,
-  .input-group-sm > .input-group-btn > input[type="month"].btn {
-    line-height: 30px; }
-  input[type="date"].input-lg, .form-horizontal .form-group-lg input[type="date"].form-control, .input-group-lg > input[type="date"].form-control,
-  .input-group-lg > input[type="date"].input-group-addon,
-  .input-group-lg > .input-group-btn > input[type="date"].btn,
-  input[type="time"].input-lg,
-  .form-horizontal .form-group-lg input[type="time"].form-control,
-  .input-group-lg > input[type="time"].form-control,
-  .input-group-lg > input[type="time"].input-group-addon,
-  .input-group-lg > .input-group-btn > input[type="time"].btn,
-  input[type="datetime-local"].input-lg,
-  .form-horizontal .form-group-lg input[type="datetime-local"].form-control,
-  .input-group-lg > input[type="datetime-local"].form-control,
-  .input-group-lg > input[type="datetime-local"].input-group-addon,
-  .input-group-lg > .input-group-btn > input[type="datetime-local"].btn,
-  input[type="month"].input-lg,
-  .form-horizontal .form-group-lg input[type="month"].form-control,
-  .input-group-lg > input[type="month"].form-control,
-  .input-group-lg > input[type="month"].input-group-addon,
-  .input-group-lg > .input-group-btn > input[type="month"].btn {
-    line-height: 46px; }
+input {
+  &[type="text"]:hover, &[type="password"]:hover, &[type="datetime"]:hover, &[type="datetime-local"]:hover, &[type="date"]:hover, &[type="month"]:hover, &[type="time"]:hover, &[type="week"]:hover, &[type="number"]:hover, &[type="email"]:hover, &[type="url"]:hover, &[type="search"]:hover, &[type="tel"]:hover, &[type="color"]:hover {
+    color: #000;
+    background-color: none;
+    border-color: #ff6e05;
+    outline: 0;
+  }
+}
 
-.form-group {
-  margin-bottom: 15px; }
+select:focus, textarea:focus {
+  color: #000;
+  border-color: #FF6E05;
+  background-color: none;
+  outline: 0;
+}
+
+input {
+  &[type="text"]:focus, &[type="password"]:focus, &[type="datetime"]:focus, &[type="datetime-local"]:focus, &[type="date"]:focus, &[type="month"]:focus, &[type="time"]:focus, &[type="week"]:focus, &[type="number"]:focus, &[type="email"]:focus, &[type="url"]:focus, &[type="search"]:focus, &[type="tel"]:focus, &[type="color"]:focus {
+    color: #000;
+    border-color: #FF6E05;
+    background-color: none;
+    outline: 0;
+  }
+}
+
+select::-moz-placeholder, textarea::-moz-placeholder {
+  color: #b7b7b7;
+  opacity: 1;
+  filter: alpha(opacity = 100);
+}
+
+input {
+  &[type="text"]::-moz-placeholder, &[type="password"]::-moz-placeholder, &[type="datetime"]::-moz-placeholder, &[type="datetime-local"]::-moz-placeholder, &[type="date"]::-moz-placeholder, &[type="month"]::-moz-placeholder, &[type="time"]::-moz-placeholder, &[type="week"]::-moz-placeholder, &[type="number"]::-moz-placeholder, &[type="email"]::-moz-placeholder, &[type="url"]::-moz-placeholder, &[type="search"]::-moz-placeholder, &[type="tel"]::-moz-placeholder, &[type="color"]::-moz-placeholder {
+    color: #b7b7b7;
+    opacity: 1;
+    filter: alpha(opacity = 100);
+  }
+}
+
+select:-ms-input-placeholder, textarea:-ms-input-placeholder {
+  color: #777777;
+}
+
+input {
+  &[type="text"]:-ms-input-placeholder, &[type="password"]:-ms-input-placeholder, &[type="datetime"]:-ms-input-placeholder, &[type="datetime-local"]:-ms-input-placeholder, &[type="date"]:-ms-input-placeholder, &[type="month"]:-ms-input-placeholder, &[type="time"]:-ms-input-placeholder, &[type="week"]:-ms-input-placeholder, &[type="number"]:-ms-input-placeholder, &[type="email"]:-ms-input-placeholder, &[type="url"]:-ms-input-placeholder, &[type="search"]:-ms-input-placeholder, &[type="tel"]:-ms-input-placeholder, &[type="color"]:-ms-input-placeholder {
+    color: #777777;
+  }
+}
+
+select::-webkit-input-placeholder, textarea::-webkit-input-placeholder {
+  color: #777777;
+}
+
+input {
+  &[type="text"]::-webkit-input-placeholder, &[type="password"]::-webkit-input-placeholder, &[type="datetime"]::-webkit-input-placeholder, &[type="datetime-local"]::-webkit-input-placeholder, &[type="date"]::-webkit-input-placeholder, &[type="month"]::-webkit-input-placeholder, &[type="time"]::-webkit-input-placeholder, &[type="week"]::-webkit-input-placeholder, &[type="number"]::-webkit-input-placeholder, &[type="email"]::-webkit-input-placeholder, &[type="url"]::-webkit-input-placeholder, &[type="search"]::-webkit-input-placeholder, &[type="tel"]::-webkit-input-placeholder, &[type="color"]::-webkit-input-placeholder {
+    color: #777777;
+  }
+}
+
+select {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] select {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+textarea {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] textarea {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="text"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="text"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="password"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="password"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="datetime"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="datetime"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="datetime-local"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="datetime-local"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="date"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="date"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="month"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="month"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="time"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="time"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="week"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="week"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="number"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="number"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="email"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="email"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="url"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="url"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="search"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="search"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="tel"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="tel"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+input[type="color"] {
+  &[disabled], &[readonly] {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    border-color: #a8a8a8;
+    color: #a8a8a8;
+  }
+}
+
+fieldset[disabled] input[type="color"] {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  border-color: #a8a8a8;
+  color: #a8a8a8;
+}
+
+select {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+textarea {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover textarea:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="text"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="text"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="password"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="password"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="datetime"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="datetime"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="datetime-local"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="datetime-local"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="date"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
 
-.radio,
-.checkbox {
+fieldset[disabled]:hover input[type="date"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="month"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="month"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="time"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="time"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="week"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="week"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="number"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="number"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="email"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="email"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="url"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="url"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="search"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="search"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="tel"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="tel"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+input[type="color"] {
+  &[disabled]:hover, &[readonly]:hover {
+    cursor: not-allowed;
+    background-color: #f0f0f0;
+    color: #a8a8a8;
+    opacity: 1.0;
+    filter: alpha(opacity = 100);
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled]:hover input[type="color"]:hover {
+  cursor: not-allowed;
+  background-color: #f0f0f0;
+  color: #a8a8a8;
+  opacity: 1.0;
+  filter: alpha(opacity = 100);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+textarea {
+  height: auto;
+}
+
+input {
+  &[type="search"] {
+    -webkit-appearance: none;
+  }
+
+  &[type="date"], &[type="time"], &[type="datetime-local"], &[type="month"] {
+    line-height: 34px;
+    line-height: 1.42857 \0;
+  }
+
+  &[type="date"].input-sm {
+    line-height: 30px;
+  }
+}
+
+.form-horizontal .form-group-sm input[type="date"].form-control {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  input[type="date"] {
+    &.form-control, &.input-group-addon {
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > input[type="date"].btn {
+    line-height: 30px;
+  }
+}
+
+input[type="time"].input-sm, .form-horizontal .form-group-sm input[type="time"].form-control {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  input[type="time"] {
+    &.form-control, &.input-group-addon {
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > input[type="time"].btn {
+    line-height: 30px;
+  }
+}
+
+input[type="datetime-local"].input-sm, .form-horizontal .form-group-sm input[type="datetime-local"].form-control {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  input[type="datetime-local"] {
+    &.form-control, &.input-group-addon {
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > input[type="datetime-local"].btn {
+    line-height: 30px;
+  }
+}
+
+input[type="month"].input-sm, .form-horizontal .form-group-sm input[type="month"].form-control {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  input[type="month"] {
+    &.form-control, &.input-group-addon {
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > input[type="month"].btn {
+    line-height: 30px;
+  }
+}
+
+input[type="date"].input-lg, .form-horizontal .form-group-lg input[type="date"].form-control {
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  input[type="date"] {
+    &.form-control, &.input-group-addon {
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > input[type="date"].btn {
+    line-height: 46px;
+  }
+}
+
+input[type="time"].input-lg, .form-horizontal .form-group-lg input[type="time"].form-control {
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  input[type="time"] {
+    &.form-control, &.input-group-addon {
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > input[type="time"].btn {
+    line-height: 46px;
+  }
+}
+
+input[type="datetime-local"].input-lg, .form-horizontal .form-group-lg input[type="datetime-local"].form-control {
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  input[type="datetime-local"] {
+    &.form-control, &.input-group-addon {
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > input[type="datetime-local"].btn {
+    line-height: 46px;
+  }
+}
+
+input[type="month"].input-lg, .form-horizontal .form-group-lg input[type="month"].form-control {
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  input[type="month"] {
+    &.form-control, &.input-group-addon {
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > input[type="month"].btn {
+    line-height: 46px;
+  }
+}
+
+.form-group {
+  margin-bottom: 15px;
+}
+
+.radio, .checkbox {
   position: relative;
   display: block;
   min-height: 20px;
   margin-top: 10px;
-  margin-bottom: 10px; }
-  .radio label,
-  .checkbox label {
-    padding-left: 20px;
-    margin-bottom: 0;
-    font-weight: normal;
-    cursor: pointer; }
+  margin-bottom: 10px;
+}
+
+.radio label, .checkbox label {
+  padding-left: 20px;
+  margin-bottom: 0;
+  font-weight: normal;
+  cursor: pointer;
+}
 
-.radio input[type="radio"],
-.radio-inline input[type="radio"],
-.checkbox input[type="checkbox"],
-.checkbox-inline input[type="checkbox"] {
+.radio input[type="radio"], .radio-inline input[type="radio"], .checkbox input[type="checkbox"], .checkbox-inline input[type="checkbox"] {
   position: absolute;
   margin-left: -20px;
-  margin-top: 4px \9; }
+  margin-top: 4px \9;
+}
 
-.radio + .radio,
-.checkbox + .checkbox {
-  margin-top: -5px; }
+.radio + .radio, .checkbox + .checkbox {
+  margin-top: -5px;
+}
 
-.radio-inline,
-.checkbox-inline {
+.radio-inline, .checkbox-inline {
   display: inline-block;
   padding-left: 20px;
   margin-bottom: 0;
   vertical-align: middle;
   font-weight: normal;
-  cursor: pointer; }
+  cursor: pointer;
+}
 
-.radio-inline + .radio-inline,
-.checkbox-inline + .checkbox-inline {
+.radio-inline + .radio-inline, .checkbox-inline + .checkbox-inline {
   margin-top: 0;
-  margin-left: 10px; }
+  margin-left: 10px;
+}
 
-input[type="radio"][disabled], input[type="radio"].disabled, fieldset[disabled] input[type="radio"],
-input[type="checkbox"][disabled],
-input[type="checkbox"].disabled, fieldset[disabled]
-input[type="checkbox"] {
-  cursor: not-allowed; }
+input[type="radio"] {
+  &[disabled], &.disabled {
+    cursor: not-allowed;
+  }
+}
 
-.radio-inline.disabled, fieldset[disabled] .radio-inline,
-.checkbox-inline.disabled, fieldset[disabled]
-.checkbox-inline {
-  cursor: not-allowed; }
+fieldset[disabled] input[type="radio"] {
+  cursor: not-allowed;
+}
 
-.radio.disabled label, fieldset[disabled] .radio label,
-.checkbox.disabled label, fieldset[disabled]
-.checkbox label {
-  cursor: not-allowed; }
+input[type="checkbox"] {
+  &[disabled], &.disabled {
+    cursor: not-allowed;
+  }
+}
+
+fieldset[disabled] input[type="checkbox"], .radio-inline.disabled, fieldset[disabled] .radio-inline, .checkbox-inline.disabled, fieldset[disabled] .checkbox-inline, .radio.disabled label, fieldset[disabled] .radio label, .checkbox.disabled label, fieldset[disabled] .checkbox label {
+  cursor: not-allowed;
+}
 
 .form-control-static {
   padding-top: 7px;
   padding-bottom: 7px;
-  margin-bottom: 0; }
-  .form-control-static.input-lg, .form-horizontal .form-group-lg .form-control-static.form-control, .input-group-lg > .form-control-static.form-control,
-  .input-group-lg > .form-control-static.input-group-addon,
-  .input-group-lg > .input-group-btn > .form-control-static.btn, .form-control-static.input-sm, .form-horizontal .form-group-sm .form-control-static.form-control, .input-group-sm > .form-control-static.form-control,
-  .input-group-sm > .form-control-static.input-group-addon,
-  .input-group-sm > .input-group-btn > .form-control-static.btn {
+  margin-bottom: 0;
+
+  &.input-lg {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+.form-horizontal .form-group-lg .form-control-static.form-control {
+  padding-left: 0;
+  padding-right: 0;
+}
+
+.input-group-lg > {
+  .form-control-static {
+    &.form-control, &.input-group-addon {
+      padding-left: 0;
+      padding-right: 0;
+    }
+  }
+
+  .input-group-btn > .form-control-static.btn {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+.form-control-static.input-sm, .form-horizontal .form-group-sm .form-control-static.form-control {
+  padding-left: 0;
+  padding-right: 0;
+}
+
+.input-group-sm > {
+  .form-control-static {
+    &.form-control, &.input-group-addon {
+      padding-left: 0;
+      padding-right: 0;
+    }
+  }
+
+  .input-group-btn > .form-control-static.btn {
     padding-left: 0;
-    padding-right: 0; }
+    padding-right: 0;
+  }
+}
 
-.input-sm, .form-horizontal .form-group-sm .form-control, .input-group-sm > .form-control,
-.input-group-sm > .input-group-addon,
-.input-group-sm > .input-group-btn > .btn {
+.input-sm, .form-horizontal .form-group-sm .form-control {
   height: 30px;
   padding: 5px 10px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
-select.input-sm, .form-horizontal .form-group-sm select.form-control, .input-group-sm > select.form-control,
-.input-group-sm > select.input-group-addon,
-.input-group-sm > .input-group-btn > select.btn {
+.input-group-sm > {
+  .form-control, .input-group-addon, .input-group-btn > .btn {
+    height: 30px;
+    padding: 5px 10px;
+    font-size: 12px;
+    line-height: 1.5;
+    border-radius: 3px;
+  }
+}
+
+select.input-sm, .form-horizontal .form-group-sm select.form-control {
   height: 30px;
-  line-height: 30px; }
-
-textarea.input-sm, .form-horizontal .form-group-sm textarea.form-control, .input-group-sm > textarea.form-control,
-.input-group-sm > textarea.input-group-addon,
-.input-group-sm > .input-group-btn > textarea.btn,
-select[multiple].input-sm,
-.form-horizontal .form-group-sm select[multiple].form-control,
-.input-group-sm > select[multiple].form-control,
-.input-group-sm > select[multiple].input-group-addon,
-.input-group-sm > .input-group-btn > select[multiple].btn {
-  height: auto; }
-
-.input-lg, .form-horizontal .form-group-lg .form-control, .input-group-lg > .form-control,
-.input-group-lg > .input-group-addon,
-.input-group-lg > .input-group-btn > .btn {
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  select {
+    &.form-control, &.input-group-addon {
+      height: 30px;
+      line-height: 30px;
+    }
+  }
+
+  .input-group-btn > select.btn {
+    height: 30px;
+    line-height: 30px;
+  }
+}
+
+textarea.input-sm, .form-horizontal .form-group-sm textarea.form-control {
+  height: auto;
+}
+
+.input-group-sm > {
+  textarea {
+    &.form-control, &.input-group-addon {
+      height: auto;
+    }
+  }
+
+  .input-group-btn > textarea.btn {
+    height: auto;
+  }
+}
+
+select[multiple].input-sm, .form-horizontal .form-group-sm select[multiple].form-control {
+  height: auto;
+}
+
+.input-group-sm > {
+  select[multiple] {
+    &.form-control, &.input-group-addon {
+      height: auto;
+    }
+  }
+
+  .input-group-btn > select[multiple].btn {
+    height: auto;
+  }
+}
+
+.input-lg, .form-horizontal .form-group-lg .form-control {
   height: 46px;
   padding: 10px 16px;
   font-size: 18px;
   line-height: 1.33;
-  border-radius: 6px; }
+  border-radius: 6px;
+}
+
+.input-group-lg > {
+  .form-control, .input-group-addon, .input-group-btn > .btn {
+    height: 46px;
+    padding: 10px 16px;
+    font-size: 18px;
+    line-height: 1.33;
+    border-radius: 6px;
+  }
+}
 
-select.input-lg, .form-horizontal .form-group-lg select.form-control, .input-group-lg > select.form-control,
-.input-group-lg > select.input-group-addon,
-.input-group-lg > .input-group-btn > select.btn {
+select.input-lg, .form-horizontal .form-group-lg select.form-control {
   height: 46px;
-  line-height: 46px; }
-
-textarea.input-lg, .form-horizontal .form-group-lg textarea.form-control, .input-group-lg > textarea.form-control,
-.input-group-lg > textarea.input-group-addon,
-.input-group-lg > .input-group-btn > textarea.btn,
-select[multiple].input-lg,
-.form-horizontal .form-group-lg select[multiple].form-control,
-.input-group-lg > select[multiple].form-control,
-.input-group-lg > select[multiple].input-group-addon,
-.input-group-lg > .input-group-btn > select[multiple].btn {
-  height: auto; }
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  select {
+    &.form-control, &.input-group-addon {
+      height: 46px;
+      line-height: 46px;
+    }
+  }
+
+  .input-group-btn > select.btn {
+    height: 46px;
+    line-height: 46px;
+  }
+}
+
+textarea.input-lg, .form-horizontal .form-group-lg textarea.form-control {
+  height: auto;
+}
+
+.input-group-lg > {
+  textarea {
+    &.form-control, &.input-group-addon {
+      height: auto;
+    }
+  }
+
+  .input-group-btn > textarea.btn {
+    height: auto;
+  }
+}
+
+select[multiple].input-lg, .form-horizontal .form-group-lg select[multiple].form-control {
+  height: auto;
+}
+
+.input-group-lg > {
+  select[multiple] {
+    &.form-control, &.input-group-addon {
+      height: auto;
+    }
+  }
+
+  .input-group-btn > select[multiple].btn {
+    height: auto;
+  }
+}
 
 .has-feedback {
-  position: relative; }
-  .has-feedback .form-control {
-    padding-right: 42.5px; }
+  position: relative;
+
+  .form-control {
+    padding-right: 42.5px;
+  }
+}
 
 .form-control-feedback {
   position: absolute;
@@ -2715,173 +4542,236 @@ select[multiple].input-lg,
   width: 34px;
   height: 34px;
   line-height: 34px;
-  text-align: center; }
+  text-align: center;
+}
 
-.input-lg + .form-control-feedback, .form-horizontal .form-group-lg .form-control + .form-control-feedback, .input-group-lg > .form-control + .form-control-feedback,
-.input-group-lg > .input-group-addon + .form-control-feedback,
-.input-group-lg > .input-group-btn > .btn + .form-control-feedback {
+.input-lg + .form-control-feedback, .form-horizontal .form-group-lg .form-control + .form-control-feedback {
   width: 46px;
   height: 46px;
-  line-height: 46px; }
+  line-height: 46px;
+}
+
+.input-group-lg > {
+  .form-control + .form-control-feedback, .input-group-addon + .form-control-feedback, .input-group-btn > .btn + .form-control-feedback {
+    width: 46px;
+    height: 46px;
+    line-height: 46px;
+  }
+}
 
-.input-sm + .form-control-feedback, .form-horizontal .form-group-sm .form-control + .form-control-feedback, .input-group-sm > .form-control + .form-control-feedback,
-.input-group-sm > .input-group-addon + .form-control-feedback,
-.input-group-sm > .input-group-btn > .btn + .form-control-feedback {
+.input-sm + .form-control-feedback, .form-horizontal .form-group-sm .form-control + .form-control-feedback {
   width: 30px;
   height: 30px;
-  line-height: 30px; }
-
-.has-success .help-block,
-.has-success .control-label,
-.has-success .radio,
-.has-success .checkbox,
-.has-success .radio-inline,
-.has-success .checkbox-inline {
-  color: #9BD275; }
-.has-success .form-control {
-  border-color: #9BD275;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
-  .has-success .form-control:focus {
-    border-color: #7fc54f;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2; }
-
-.has-success .input-group-addon {
-  color: #9BD275;
-  border-color: #9BD275;
-  background-color: #9BD275; }
-.has-success .form-control-feedback {
-  color: #9BD275; }
-
-.has-warning .help-block,
-.has-warning .control-label,
-.has-warning .radio,
-.has-warning .checkbox,
-.has-warning .radio-inline,
-.has-warning .checkbox-inline {
-  color: #f0ad4e; }
-.has-warning .form-control {
-  border-color: #f0ad4e;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
-  .has-warning .form-control:focus {
-    border-color: #ec971f;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac; }
-.has-warning .input-group-addon {
-  color: #f0ad4e;
-  border-color: #f0ad4e;
-  background-color: #fcf8e3; }
-.has-warning .form-control-feedback {
-  color: #f0ad4e; }
-
-.has-error .help-block,
-.has-error .control-label,
-.has-error .radio,
-.has-error .checkbox,
-.has-error .radio-inline,
-.has-error .checkbox-inline {
-  color: #FC3803; }
-.has-error .form-control {
-  border-color: #FC3803;
-  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
-  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); }
-  .has-error .form-control:focus {
-    border-color: #FC2E03;
-    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
-    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae; }
-
-.has-error .input-group-addon {
-  color: #F05050;
-  border-color: #F05050;
-  background-color: #F05050; }
-.has-error .form-control-feedback {
-  color: #F05050; }
+  line-height: 30px;
+}
+
+.input-group-sm > {
+  .form-control + .form-control-feedback, .input-group-addon + .form-control-feedback, .input-group-btn > .btn + .form-control-feedback {
+    width: 30px;
+    height: 30px;
+    line-height: 30px;
+  }
+}
+
+.has-success {
+  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
+    color: #9BD275;
+  }
+
+  .form-control {
+    border-color: #9BD275;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
+    &:focus {
+      border-color: #7fc54f;
+      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
+      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #d3ebc2;
+    }
+  }
+
+  .input-group-addon {
+    color: #9BD275;
+    border-color: #9BD275;
+    background-color: #9BD275;
+  }
+
+  .form-control-feedback {
+    color: #9BD275;
+  }
+}
+
+.has-warning {
+  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
+    color: #f0ad4e;
+  }
+
+  .form-control {
+    border-color: #f0ad4e;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
+    &:focus {
+      border-color: #ec971f;
+      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
+      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8d9ac;
+    }
+  }
+
+  .input-group-addon {
+    color: #f0ad4e;
+    border-color: #f0ad4e;
+    background-color: #fcf8e3;
+  }
+
+  .form-control-feedback {
+    color: #f0ad4e;
+  }
+}
+
+.has-error {
+  .help-block, .control-label, .radio, .checkbox, .radio-inline, .checkbox-inline {
+    color: #FC3803;
+  }
+
+  .form-control {
+    border-color: #FC3803;
+    -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+    box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+
+    &:focus {
+      border-color: #FC2E03;
+      -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
+      box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075), 0 0 6px #f8aeae;
+    }
+  }
+
+  .input-group-addon {
+    color: #F05050;
+    border-color: #F05050;
+    background-color: #F05050;
+  }
+
+  .form-control-feedback {
+    color: #F05050;
+  }
+}
 
 .has-feedback label.sr-only ~ .form-control-feedback {
-  top: 0; }
+  top: 0;
+}
 
 .help-block {
   display: block;
   margin-top: 5px;
   margin-bottom: 10px;
-  color: #7c7c7a; }
+  color: #7c7c7a;
+}
 
 @media (min-width: 768px) {
   .form-inline .form-group, .navbar-form .form-group {
     display: inline-block;
     margin-bottom: 0;
-    vertical-align: middle; }
+    vertical-align: middle;
+  }
+
   .form-inline .form-control, .navbar-form .form-control {
     display: inline-block;
     width: auto;
-    vertical-align: middle; }
+    vertical-align: middle;
+  }
+
   .form-inline .input-group, .navbar-form .input-group {
     display: inline-table;
-    vertical-align: middle; }
-    .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon,
-    .form-inline .input-group .input-group-btn,
-    .navbar-form .input-group .input-group-btn,
-    .form-inline .input-group .form-control,
-    .navbar-form .input-group .form-control {
-      width: auto; }
+    vertical-align: middle;
+  }
+
+  .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon, .form-inline .input-group .input-group-btn, .navbar-form .input-group .input-group-btn, .form-inline .input-group .form-control, .navbar-form .input-group .form-control {
+    width: auto;
+  }
+
   .form-inline .input-group > .form-control, .navbar-form .input-group > .form-control {
-    width: 100%; }
+    width: 100%;
+  }
+
   .form-inline .control-label, .navbar-form .control-label {
     margin-bottom: 0;
-    vertical-align: middle; }
-  .form-inline .radio, .navbar-form .radio,
-  .form-inline .checkbox,
-  .navbar-form .checkbox {
+    vertical-align: middle;
+  }
+
+  .form-inline .radio, .navbar-form .radio, .form-inline .checkbox, .navbar-form .checkbox {
     display: inline-block;
     margin-top: 0;
     margin-bottom: 0;
-    vertical-align: middle; }
-    .form-inline .radio label, .navbar-form .radio label,
-    .form-inline .checkbox label,
-    .navbar-form .checkbox label {
-      padding-left: 0; }
-  .form-inline .radio input[type="radio"], .navbar-form .radio input[type="radio"],
-  .form-inline .checkbox input[type="checkbox"],
-  .navbar-form .checkbox input[type="checkbox"] {
+    vertical-align: middle;
+  }
+
+  .form-inline .radio label, .navbar-form .radio label, .form-inline .checkbox label, .navbar-form .checkbox label {
+    padding-left: 0;
+  }
+
+  .form-inline .radio input[type="radio"], .navbar-form .radio input[type="radio"], .form-inline .checkbox input[type="checkbox"], .navbar-form .checkbox input[type="checkbox"] {
     position: relative;
-    margin-left: 0; }
+    margin-left: 0;
+  }
+
   .form-inline .has-feedback .form-control-feedback, .navbar-form .has-feedback .form-control-feedback {
-    top: 0; } }
+    top: 0;
+  }
+}
+
+.form-horizontal {
+  .radio, .checkbox, .radio-inline, .checkbox-inline {
+    margin-top: 0;
+    margin-bottom: 0;
+    padding-top: 7px;
+  }
+
+  .radio, .checkbox {
+    min-height: 27px;
+  }
+
+  .form-group {
+    margin-left: -20px;
+    margin-right: -20px;
+
+    &:before {
+      content: " ";
+      display: table;
+    }
+
+    &:after {
+      content: " ";
+      display: table;
+      clear: both;
+    }
+  }
+
+  .has-feedback control-feedback {
+    top: 0;
+    right: 20px;
+  }
+}
 
-.form-horizontal .radio,
-.form-horizontal .checkbox,
-.form-horizontal .radio-inline,
-.form-horizontal .checkbox-inline {
-  margin-top: 0;
-  margin-bottom: 0;
-  padding-top: 7px; }
-.form-horizontal .radio,
-.form-horizontal .checkbox {
-  min-height: 27px; }
-.form-horizontal .form-group {
-  margin-left: -20px;
-  margin-right: -20px; }
-  .form-horizontal .form-group:before, .form-horizontal .form-group:after {
-    content: " ";
-    display: table; }
-  .form-horizontal .form-group:after {
-    clear: both; }
 @media (min-width: 768px) {
   .form-horizontal .control-label {
     text-align: right;
     margin-bottom: 0;
-    padding-top: 7px; } }
-.form-horizontal .has-feedback control-feedback {
-  top: 0;
-  right: 20px; }
+    padding-top: 7px;
+  }
+}
+
 @media (min-width: 768px) {
   .form-horizontal .form-group-lg .control-label {
-    padding-top: 14.3px; } }
+    padding-top: 14.3px;
+  }
+}
+
 @media (min-width: 768px) {
   .form-horizontal .form-group-sm .control-label {
-    padding-top: 6px; } }
+    padding-top: 6px;
+  }
+}
 
 .btn {
   display: inline-block;
@@ -2893,7 +4783,7 @@ select[multiple].input-lg,
   background-image: none;
   white-space: nowrap;
   padding: 6px 12px;
-  font-size:14px;
+  font-size: 14px;
   line-height: 1.428571429;
   border-radius: 3px;
   -webkit-user-select: none;
@@ -2903,233 +4793,641 @@ select[multiple].input-lg,
   color: #000;
   background-color: none;
   border: 1px solid #1b4257;
-  outline:0; }
-.btn:active, .btn.active, .open > .btn.dropdown-toggle {
+  outline: 0;
+
+  &:active, &.active {
+    color: #000;
+    background-color: none;
+    outline: 0;
+    border-color: #1d1d1d;
+    text-decoration: none;
+  }
+}
+
+.open > .btn.dropdown-toggle {
   color: #000;
   background-color: none;
-  outline:0;
+  outline: 0;
   border-color: #1d1d1d;
-  text-decoration: none; }
-.btn:hover, .btn:focus {
-	background-color: #dbdbdb;
-	color: #000;
-	border-radius: 3px;
-	border: 1px solid #1b4257;
-	text-decoration: none;}
-
-  .btn:active, .btn.active, .open > .btn.dropdown-toggle {
+  text-decoration: none;
+}
+
+.btn {
+  &:hover, &:focus {
+    background-color: #dbdbdb;
+    color: #000;
+    border-radius: 3px;
+    border: 1px solid #1b4257;
+    text-decoration: none;
+  }
+
+  &:active, &.active {
     background-image: none;
-	outline:0; }
-  .btn.disabled, .btn.disabled:hover, .btn.disabled:focus, .btn.disabled:active, .btn.disabled.active, .btn[disabled], .btn[disabled]:hover, .btn[disabled]:focus, .btn[disabled]:active, .btn[disabled].active, fieldset[disabled] .btn, fieldset[disabled] .btn:hover, fieldset[disabled] .btn:focus, fieldset[disabled] .btn:active, fieldset[disabled] .btn.active {
+    outline: 0;
+  }
+}
+
+.open > .btn.dropdown-toggle {
+  background-image: none;
+  outline: 0;
+}
+
+.btn {
+  &.disabled {
+    background-color: #FFFFFF;
+    border-color: #1d1d1d;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FFFFFF;
+      border-color: #1d1d1d;
+      outline: 0;
+    }
+  }
+
+  &[disabled] {
+    background-color: #FFFFFF;
+    border-color: #1d1d1d;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FFFFFF;
+      border-color: #1d1d1d;
+      outline: 0;
+    }
+  }
+}
+
+fieldset[disabled] .btn {
+  background-color: #FFFFFF;
+  border-color: #1d1d1d;
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
     background-color: #FFFFFF;
     border-color: #1d1d1d;
-	outline:0; }
+    outline: 0;
+  }
+}
 
-  .btn .badge {
+.btn {
+  .badge {
     color: #FFFFFF;
-    background-color: #3e3e3e; }
-  .btn:focus, .btn:active:focus, .btn.active:focus {
+    background-color: #3e3e3e;
+  }
+
+  &:focus, &:active:focus, &.active:focus {
     outline: thin dotted;
     outline: 5px auto -webkit-focus-ring-color;
     outline-offset: -2px;
-	outline:0; }
+    outline: 0;
+  }
+
+  &:active, &.active {
+    outline: 0;
+  }
 
-  .btn:active, .btn.active {
-    outline: 0;  }
-  .btn.disabled, .btn[disabled], fieldset[disabled] .btn {
+  &.disabled, &[disabled] {
     cursor: not-allowed;
     pointer-events: none;
     opacity: 0.30;
-    filter: alpha(opacity=30);
+    filter: alpha(opacity = 30);
     -webkit-box-shadow: none;
-    box-shadow: none; }
+    box-shadow: none;
+  }
+}
 
-.act_flush:hover, .act_flush:focus {
-  color: #000;
+fieldset[disabled] .btn {
+  cursor: not-allowed;
+  pointer-events: none;
+  opacity: 0.30;
+  filter: alpha(opacity = 30);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+.act_flush {
+  &:hover, &:focus {
+    color: #000;
+    background-color: #dbdbdb;
+    border-color: 1px solid #1d1d1d;
+    outline: 0;
+  }
+}
+
+.btn-default {
+  &:active, &.active {
+    background-color: #dbdbdb;
+    color: #000;
+    outline: 0;
+  }
+}
+
+.open > .btn-default.dropdown-toggle {
   background-color: #dbdbdb;
+  color: #000;
+  outline: 0;
+}
+
+.btn-default {
+  &.disabled {
+    background-color: #FFFFFF;
+    border-color: 1px solid #1d1d1d;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FFFFFF;
+      border-color: 1px solid #1d1d1d;
+      outline: 0;
+    }
+  }
+
+  &[disabled] {
+    background-color: #FFFFFF;
+    border-color: 1px solid #1d1d1d;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FFFFFF;
+      border-color: 1px solid #1d1d1d;
+      outline: 0;
+    }
+  }
+}
+
+fieldset[disabled] .btn-default {
+  background-color: #FFFFFF;
   border-color: 1px solid #1d1d1d;
-  outline:0; }
+  outline: 0;
 
-  .btn-default:active, .btn-default.active, .open > .btn-default.dropdown-toggle {
-    background-color: #dbdbdb;
-    color:#000;
-    outline:0; }
-  .btn-default.disabled, .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active, .btn-default[disabled], .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active, fieldset[disabled] .btn-default, fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
+  &:hover, &:focus, &:active, &.active {
     background-color: #FFFFFF;
     border-color: 1px solid #1d1d1d;
-    outline:0; }
-  .btn-default .badge {
-    color: #FFFFFF;
-    background-color: #3e3e3e;
-    outline:0; }
+    outline: 0;
+  }
+}
+
+.btn-default .badge {
+  color: #FFFFFF;
+  background-color: #3e3e3e;
+  outline: 0;
+}
 
 .btn-primary {
   color: #fff !important;
   background-color: #FF6E05;
   border: 1px solid #1b4257;
-  outline:0;   }
-  .btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #EC7726;
     border-color: 1px solid #1b4257;
-    outline:0; }
+    outline: 0;
+  }
+}
+
+.open > .btn-primary.dropdown-toggle {
+  color: #fff;
+  background-color: #EC7726;
+  border-color: 1px solid #1b4257;
+  outline: 0;
+}
+
+.btn-primary {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-primary.dropdown-toggle {
+  background-image: none;
+}
 
-  .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
-    background-image: none; }
-  .btn-primary.disabled, .btn-primary.disabled:hover, .btn-primary.disabled:focus, .btn-primary.disabled:active, .btn-primary.disabled.active, .btn-primary[disabled], .btn-primary[disabled]:hover, .btn-primary[disabled]:focus, .btn-primary[disabled]:active, .btn-primary[disabled].active, fieldset[disabled] .btn-primary, fieldset[disabled] .btn-primary:hover, fieldset[disabled] .btn-primary:focus, fieldset[disabled] .btn-primary:active, fieldset[disabled] .btn-primary.active {
+.btn-primary {
+  &.disabled {
     background-color: #FF6E05;
     border-color: #1b4257;
-    outline:0; }
+    outline: 0;
 
-  .btn-primary .badge {
-    color: #FF8B00;
-    background-color: #fff; }
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FF6E05;
+      border-color: #1b4257;
+      outline: 0;
+    }
+  }
+
+  &[disabled] {
+    background-color: #FF6E05;
+    border-color: #1b4257;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #FF6E05;
+      border-color: #1b4257;
+      outline: 0;
+    }
+  }
+}
+
+fieldset[disabled] .btn-primary {
+  background-color: #FF6E05;
+  border-color: #1b4257;
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #FF6E05;
+    border-color: #1b4257;
+    outline: 0;
+  }
+}
+
+.btn-primary .badge {
+  color: #FF8B00;
+  background-color: #fff;
+}
 
 .btn-success {
   color: #fff;
   background-color: #85ce53;
-  border-color: #323232; }
-  .btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
+  border-color: #323232;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #7fc54f;
     border-color: #323232;
-	outline:0; }
-  .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
-    background-image: none; }
-  .btn-success.disabled, .btn-success.disabled:hover, .btn-success.disabled:focus, .btn-success.disabled:active, .btn-success.disabled.active, .btn-success[disabled], .btn-success[disabled]:hover, .btn-success[disabled]:focus, .btn-success[disabled]:active, .btn-success[disabled].active, fieldset[disabled] .btn-success, fieldset[disabled] .btn-success:hover, fieldset[disabled] .btn-success:focus, fieldset[disabled] .btn-success:active, fieldset[disabled] .btn-success.active {
+    outline: 0;
+  }
+}
+
+.open > .btn-success.dropdown-toggle {
+  color: #fff;
+  background-color: #7fc54f;
+  border-color: #323232;
+  outline: 0;
+}
+
+.btn-success {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-success.dropdown-toggle {
+  background-image: none;
+}
+
+.btn-success {
+  &.disabled {
     background-color: #9BD275;
     border-color: #8dcc62;
-	outline:0; }
+    outline: 0;
 
-  .btn-success .badge {
-    color: #9BD275;
-    background-color: #fff; }
+    &:hover, &:focus, &:active, &.active {
+      background-color: #9BD275;
+      border-color: #8dcc62;
+      outline: 0;
+    }
+  }
+
+  &[disabled] {
+    background-color: #9BD275;
+    border-color: #8dcc62;
+    outline: 0;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #9BD275;
+      border-color: #8dcc62;
+      outline: 0;
+    }
+  }
+}
+
+fieldset[disabled] .btn-success {
+  background-color: #9BD275;
+  border-color: #8dcc62;
+  outline: 0;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #9BD275;
+    border-color: #8dcc62;
+    outline: 0;
+  }
+}
+
+.btn-success .badge {
+  color: #9BD275;
+  background-color: #fff;
+}
 
 .btn-info {
   color: #fff;
   background-color: #B0CDDB;
-  border-color: #9ec2d3; }
-  .btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
+  border-color: #9ec2d3;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #8db7cb;
-    border-color: #74a7c0; }
+    border-color: #74a7c0;
+  }
+}
+
+.open > .btn-info.dropdown-toggle {
+  color: #fff;
+  background-color: #8db7cb;
+  border-color: #74a7c0;
+}
+
+.btn-info {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-info.dropdown-toggle {
+  background-image: none;
+}
+
+.btn-info {
+  &.disabled {
+    background-color: #B0CDDB;
+    border-color: #9ec2d3;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #B0CDDB;
+      border-color: #9ec2d3;
+    }
+  }
 
-  .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
-    background-image: none; }
-  .btn-info.disabled, .btn-info.disabled:hover, .btn-info.disabled:focus, .btn-info.disabled:active, .btn-info.disabled.active, .btn-info[disabled], .btn-info[disabled]:hover, .btn-info[disabled]:focus, .btn-info[disabled]:active, .btn-info[disabled].active, fieldset[disabled] .btn-info, fieldset[disabled] .btn-info:hover, fieldset[disabled] .btn-info:focus, fieldset[disabled] .btn-info:active, fieldset[disabled] .btn-info.active {
+  &[disabled] {
     background-color: #B0CDDB;
-    border-color: #9ec2d3; }
+    border-color: #9ec2d3;
 
-  .btn-info .badge {
-    color: #B0CDDB;
-    background-color: #fff; }
+    &:hover, &:focus, &:active, &.active {
+      background-color: #B0CDDB;
+      border-color: #9ec2d3;
+    }
+  }
+}
+
+fieldset[disabled] .btn-info {
+  background-color: #B0CDDB;
+  border-color: #9ec2d3;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #B0CDDB;
+    border-color: #9ec2d3;
+  }
+}
+
+.btn-info .badge {
+  color: #B0CDDB;
+  background-color: #fff;
+}
 
 .btn-warning {
   color: #fff;
   background-color: #FF6E05;
-  border-color: #1b4257; }
-  .btn-warning:hover, .btn-warning:focus, .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
+  border-color: #1b4257;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #EC7726;
-    border-color: #1b4257; }
+    border-color: #1b4257;
+  }
+}
+
+.open > .btn-warning.dropdown-toggle {
+  color: #fff;
+  background-color: #EC7726;
+  border-color: #1b4257;
+}
+
+.btn-warning {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-warning.dropdown-toggle {
+  background-image: none;
+}
 
-  .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
-    background-image: none; }
-  .btn-warning.disabled, .btn-warning.disabled:hover, .btn-warning.disabled:focus, .btn-warning.disabled:active, .btn-warning.disabled.active, .btn-warning[disabled], .btn-warning[disabled]:hover, .btn-warning[disabled]:focus, .btn-warning[disabled]:active, .btn-warning[disabled].active, fieldset[disabled] .btn-warning, fieldset[disabled] .btn-warning:hover, fieldset[disabled] .btn-warning:focus, fieldset[disabled] .btn-warning:active, fieldset[disabled] .btn-warning.active {
+.btn-warning {
+  &.disabled {
     background-color: #f0ad4e;
-    border-color: #eea236; }
+    border-color: #eea236;
 
-  .btn-warning .badge {
-    color: #f0ad4e;
-    background-color: #fff; }
+    &:hover, &:focus, &:active, &.active {
+      background-color: #f0ad4e;
+      border-color: #eea236;
+    }
+  }
+
+  &[disabled] {
+    background-color: #f0ad4e;
+    border-color: #eea236;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #f0ad4e;
+      border-color: #eea236;
+    }
+  }
+}
+
+fieldset[disabled] .btn-warning {
+  background-color: #f0ad4e;
+  border-color: #eea236;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #f0ad4e;
+    border-color: #eea236;
+  }
+}
+
+.btn-warning .badge {
+  color: #f0ad4e;
+  background-color: #fff;
+}
 
 .btn-danger {
   color: #fff;
   background-color: #CB4326;
-  border-color: #1B4257; }
-  .btn-danger:hover, .btn-danger:focus, .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
+  border-color: #1B4257;
+
+  &:hover, &:focus, &:active, &.active {
     color: #fff;
     background-color: #B63B21;
-    border-color: #1B4257; }
-  .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
-    background-image: none; }
-  .btn-danger.disabled, .btn-danger.disabled:hover, .btn-danger.disabled:focus, .btn-danger.disabled:active, .btn-danger.disabled.active, .btn-danger[disabled], .btn-danger[disabled]:hover, .btn-danger[disabled]:focus, .btn-danger[disabled]:active, .btn-danger[disabled].active, fieldset[disabled] .btn-danger, fieldset[disabled] .btn-danger:hover, fieldset[disabled] .btn-danger:focus, fieldset[disabled] .btn-danger:active, fieldset[disabled] .btn-danger.active {
+    border-color: #1B4257;
+  }
+}
+
+.open > .btn-danger.dropdown-toggle {
+  color: #fff;
+  background-color: #B63B21;
+  border-color: #1B4257;
+}
+
+.btn-danger {
+  &:active, &.active {
+    background-image: none;
+  }
+}
+
+.open > .btn-danger.dropdown-toggle {
+  background-image: none;
+}
+
+.btn-danger {
+  &.disabled {
     background-color: #F05050;
-    border-color: #ee3939; }
-  .btn-danger .badge {
-    color: #F05050;
-    background-color: #fff; }
+    border-color: #ee3939;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #F05050;
+      border-color: #ee3939;
+    }
+  }
+
+  &[disabled] {
+    background-color: #F05050;
+    border-color: #ee3939;
+
+    &:hover, &:focus, &:active, &.active {
+      background-color: #F05050;
+      border-color: #ee3939;
+    }
+  }
+}
+
+fieldset[disabled] .btn-danger {
+  background-color: #F05050;
+  border-color: #ee3939;
+
+  &:hover, &:focus, &:active, &.active {
+    background-color: #F05050;
+    border-color: #ee3939;
+  }
+}
+
+.btn-danger .badge {
+  color: #F05050;
+  background-color: #fff;
+}
 
 .btn-link {
   color: #FF8B00;
   font-weight: normal;
   cursor: pointer;
-  border-radius: 0; }
-  .btn-link, .btn-link:active, .btn-link[disabled], fieldset[disabled] .btn-link {
+  border-radius: 0;
+  background-color: transparent;
+  -webkit-box-shadow: none;
+  box-shadow: none;
+
+  &:active, &[disabled] {
     background-color: transparent;
     -webkit-box-shadow: none;
-    box-shadow: none; }
-  .btn-link, .btn-link:hover, .btn-link:focus, .btn-link:active {
-    border-color: transparent; }
-  .btn-link:hover, .btn-link:focus {
+    box-shadow: none;
+  }
+}
+
+fieldset[disabled] .btn-link {
+  background-color: transparent;
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+.btn-link {
+  border-color: transparent;
+
+  &:hover, &:focus, &:active {
+    border-color: transparent;
+  }
+
+  &:hover, &:focus {
     color: #9f4d03;
     text-decoration: underline;
-    background-color: transparent; }
+    background-color: transparent;
+  }
+
+  &[disabled] {
+    &:hover, &:focus {
+      color: #777777;
+      text-decoration: none;
+    }
+  }
+}
 
-  .btn-link[disabled]:hover, .btn-link[disabled]:focus, fieldset[disabled] .btn-link:hover, fieldset[disabled] .btn-link:focus {
+fieldset[disabled] .btn-link {
+  &:hover, &:focus {
     color: #777777;
-    text-decoration: none; }
-
+    text-decoration: none;
+  }
+}
 
 .btn-lg, .btn-group-lg > .btn {
   padding: 9px 12px;
   font-size: 18px;
-  line-height: 1.33; }
+  line-height: 1.33;
+}
 
 .btn-sm, .btn-group-sm > .btn {
   padding: 5px 10px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 .btn-xs, .btn-group-xs > .btn {
   padding: 1px 4px;
   font-size: 12px;
   line-height: 1.5;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 .btn-block {
   display: block;
-  width: 100%; }
+  width: 100%;
 
-.btn-block + .btn-block {
-  margin-top: 5px; }
+  + .btn-block {
+    margin-top: 5px;
+  }
+}
 
-input[type="submit"].btn-block,
-input[type="reset"].btn-block,
-input[type="button"].btn-block {
-  width: 100%; }
+input {
+  &[type="submit"].btn-block, &[type="reset"].btn-block, &[type="button"].btn-block {
+    width: 100%;
+  }
+}
 
 .fade {
   opacity: 0;
-  filter: alpha(opacity=0);
+  filter: alpha(opacity = 0);
   -webkit-transition: opacity 0.15s linear;
   -o-transition: opacity 0.15s linear;
-  transition: opacity 0.15s linear; }
-  .fade.in {
-    opacity: 1; filter: alpha(opacity=100); }
+  transition: opacity 0.15s linear;
 
+  &.in {
+    opacity: 1;
+    filter: alpha(opacity = 100);
+  }
+}
 
 .collapse {
-  display: none; }
-  .collapse.in {
-    display: block; }
+  display: none;
+
+  &.in {
+    display: block;
+  }
+}
 
 tr.collapse.in {
-  display: table-row; }
+  display: table-row;
+}
 
 tbody.collapse.in {
-  display: table-row-group; }
+  display: table-row-group;
+}
 
 .collapsing {
   position: relative;
@@ -3137,7 +5435,8 @@ tbody.collapse.in {
   overflow: hidden;
   -webkit-transition: height 0.35s ease;
   -o-transition: height 0.35s ease;
-  transition: height 0.35s ease; }
+  transition: height 0.35s ease;
+}
 
 .caret {
   display: inline-block;
@@ -3147,14 +5446,16 @@ tbody.collapse.in {
   vertical-align: middle;
   border-top: 4px solid;
   border-right: 4px solid transparent;
-  border-left: 4px solid transparent; }
+  border-left: 4px solid transparent;
+}
 
 .dropdown {
-  position: relative; }
-
+  position: relative;
+}
 
 .dropdown-toggle:focus {
-  outline: 0; }
+  outline: 0;
+}
 
 .dropdown-menu {
   position: absolute;
@@ -3167,7 +5468,7 @@ tbody.collapse.in {
   padding: 5px 0;
   margin: 2px 0 0;
   list-style: none;
-  font-size:14px;
+  font-size: 14px;
   text-align: left;
   background-color: #f0f0f0;
   color: #000;
@@ -3178,65 +5479,93 @@ tbody.collapse.in {
   -webkit-box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   box-shadow: 0 6px 12px rgba(0, 0, 0, 0.175);
   background-clip: padding-box;
-  -webkit-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
-  -moz-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
-  box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.60);
-  opacity: 0.97; }
+  -webkit-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
+  -moz-box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
+  box-shadow: 3px 8px 10px 0px rgba(0, 0, 0, 0.6);
+  opacity: 0.97;
 
-  .dropdown-menu.pull-right {
+  &.pull-right {
     right: 0;
     left: auto;
-    background-color: #e5e5e5; }
+    background-color: #e5e5e5;
+  }
 
-  .dropdown-menu .divider {
+  .divider {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5; }
-  .dropdown-menu > li > a {
-    display: block;
-    padding: 3px 20px;
-    clear: both;
-    font-weight: normal;
-    line-height: 1.428571429;
-    color: #000;
-    white-space: nowrap;
-	outline:0;}
+    background-color: #e5e5e5;
+  }
 
-.dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus {
-  text-decoration: none;
-  color: #FFFFFF;
-  background-color: #FF6E05; }
+  > {
+    li > a {
+      display: block;
+      padding: 3px 20px;
+      clear: both;
+      font-weight: normal;
+      line-height: 1.428571429;
+      color: #000;
+      white-space: nowrap;
+      outline: 0;
 
-.dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus {
-  color: #fff;
-  text-decoration: none;
-  outline: 0;
-  background-color: #FF6E05; }
+      &:hover, &:focus {
+        text-decoration: none;
+        color: #FFFFFF;
+        background-color: #FF6E05;
+      }
+    }
 
-.dropdown-menu > .disabled > a, .dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
-  color: #777777; }
+    .active > a {
+      color: #fff;
+      text-decoration: none;
+      outline: 0;
+      background-color: #FF6E05;
 
-.dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
-  text-decoration: none;
-  background-color: transparent;
-  background-image: none;
-  filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
-  cursor: not-allowed; }
+      &:hover, &:focus {
+        color: #fff;
+        text-decoration: none;
+        outline: 0;
+        background-color: #FF6E05;
+      }
+    }
+
+    .disabled > a {
+      color: #777777;
+
+      &:hover, &:focus {
+        color: #777777;
+      }
+
+      &:hover, &:focus {
+        text-decoration: none;
+        background-color: transparent;
+        background-image: none;
+        filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
+        cursor: not-allowed;
+      }
+    }
+  }
+}
 
+.open > {
+  .dropdown-menu {
+    display: block;
+  }
 
-.open > .dropdown-menu {
-  display: block; }
-.open > a {
-  outline: 0; }
+  a {
+    outline: 0;
+  }
+}
 
 .dropdown-menu-right {
   left: auto;
-  right: 0; }
+  right: 0;
+}
 
 .dropdown-menu-left {
   left: 0;
-  right: auto; }
+  right: auto;
+}
 
 .dropdown-header {
   display: block;
@@ -3244,7 +5573,8 @@ tbody.collapse.in {
   font-size: 12px;
   line-height: 1.428571429;
   color: #b0b0b0;
-  white-space: nowrap; }
+  white-space: nowrap;
+}
 
 .dropdown-backdrop {
   position: fixed;
@@ -3252,467 +5582,807 @@ tbody.collapse.in {
   right: 0;
   bottom: 0;
   top: 0;
-  z-index: 990; }
+  z-index: 990;
+}
 
 .pull-right > .dropdown-menu {
   right: 0;
-  left: auto; }
+  left: auto;
+}
 
-.dropup .caret,
-.navbar-fixed-bottom .dropdown .caret {
+.dropup .caret, .navbar-fixed-bottom .dropdown .caret {
   border-top: 0;
   border-bottom: 4px solid;
-  content: ""; }
-.dropup .dropdown-menu,
-.navbar-fixed-bottom .dropdown .dropdown-menu {
+  content: "";
+}
+
+.dropup .dropdown-menu, .navbar-fixed-bottom .dropdown .dropdown-menu {
   top: auto;
   bottom: 100%;
-  margin-bottom: 1px; }
+  margin-bottom: 1px;
+}
 
 @media (min-width: 768px) {
-  .navbar-right .dropdown-menu {
-    right: 0;
-    left: auto; }
-  .navbar-right .dropdown-menu-left {
-    left: 0;
-    right: auto; } }
-.btn-group,
-.btn-group-vertical {
+  .navbar-right {
+    .dropdown-menu {
+      right: 0;
+      left: auto;
+    }
+
+    .dropdown-menu-left {
+      left: 0;
+      right: auto;
+    }
+  }
+}
+
+.btn-group, .btn-group-vertical {
   position: relative;
   display: inline-block;
-  vertical-align: middle; }
-  .btn-group > .btn,
-  .btn-group-vertical > .btn {
-    position: relative;
-    float: left; }
-    .btn-group > .btn:hover, .btn-group > .btn:focus, .btn-group > .btn:active, .btn-group > .btn.active,
-    .btn-group-vertical > .btn:hover,
-    .btn-group-vertical > .btn:focus,
-    .btn-group-vertical > .btn:active,
-    .btn-group-vertical > .btn.active {
-      z-index: 2;
-	  -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-	  -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
-	  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important; }
-    .btn-group > .btn:focus,
-    .btn-group-vertical > .btn:focus {
-      outline: 0; }
-
-.btn-group .btn + .btn,
-.btn-group .btn + .btn-group,
-.btn-group .btn-group + .btn,
-.btn-group .btn-group + .btn-group {
-  margin-left: -1px; }
+  vertical-align: middle;
+}
+
+.btn-group > .btn, .btn-group-vertical > .btn {
+  position: relative;
+  float: left;
+}
+
+.btn-group > .btn {
+  &:hover, &:focus, &:active, &.active {
+    z-index: 2;
+    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+  }
+}
+
+.btn-group-vertical > .btn {
+  &:hover, &:focus, &:active, &.active {
+    z-index: 2;
+    -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+    -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+    transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s !important;
+  }
+}
+
+.btn-group > .btn:focus, .btn-group-vertical > .btn:focus {
+  outline: 0;
+}
+
+.btn-group {
+  .btn + {
+    .btn, .btn-group {
+      margin-left: -1px;
+    }
+  }
+
+  .btn-group + {
+    .btn, .btn-group {
+      margin-left: -1px;
+    }
+  }
+}
 
 .btn-toolbar {
-  margin-left: -5px; }
-  .btn-toolbar:before, .btn-toolbar:after {
-    content: " ";
-    display: table; }
-  .btn-toolbar:after {
-    clear: both; }
-  .btn-toolbar .btn-group,
-  .btn-toolbar .input-group {
-    float: left; }
-  .btn-toolbar > .btn,
-  .btn-toolbar > .btn-group,
-  .btn-toolbar > .input-group {
-    margin-left: 5px; }
-
-.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {
-  border-radius: 0; }
-
-.btn-group > .btn:first-child {
-  margin-left: 0; }
-  .btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) {
-    border-bottom-right-radius: 0;
-    border-top-right-radius: 0; }
-
-.btn-group > .btn:last-child:not(:first-child),
-.btn-group > .dropdown-toggle:not(:first-child) {
-  border-bottom-left-radius: 0;
-  border-top-left-radius: 0; }
+  margin-left: -5px;
 
-.btn-group > .btn-group {
-  float: left; }
+  &:before {
+    content: " ";
+    display: table;
+  }
 
-.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0; }
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
 
-.btn-group > .btn-group:first-child > .btn:last-child,
-.btn-group > .btn-group:first-child > .dropdown-toggle {
-  border-bottom-right-radius: 0;
-  border-top-right-radius: 0; }
+  .btn-group, .input-group {
+    float: left;
+  }
 
-.btn-group > .btn-group:last-child > .btn:first-child {
-  border-bottom-left-radius: 0;
-  border-top-left-radius: 0; }
+  > {
+    .btn, .btn-group, .input-group {
+      margin-left: 5px;
+    }
+  }
+}
 
-.btn-group .dropdown-toggle:active, .btn-group .dropdown-toggle:hover, .btn-group.open .dropdown-toggle {
-  outline: 0;
-  color: #000;
-  background-color: none;
-  border-color: #000; }
+.btn-group {
+  > {
+    .btn {
+      &:not(:first-child):not(:last-child):not(.dropdown-toggle) {
+        border-radius: 0;
+      }
+
+      &:first-child {
+        margin-left: 0;
+
+        &:not(:last-child):not(.dropdown-toggle) {
+          border-bottom-right-radius: 0;
+          border-top-right-radius: 0;
+        }
+      }
+
+      &:last-child:not(:first-child) {
+        border-bottom-left-radius: 0;
+        border-top-left-radius: 0;
+      }
+    }
+
+    .dropdown-toggle:not(:first-child) {
+      border-bottom-left-radius: 0;
+      border-top-left-radius: 0;
+    }
+
+    .btn-group {
+      float: left;
 
-.btn-group > .btn + .dropdown-toggle {
-  padding-left: 8px;
-  padding-right: 8px; }
+      &:not(:first-child):not(:last-child) > .btn {
+        border-radius: 0;
+      }
+
+      &:first-child > {
+        .btn:last-child, .dropdown-toggle {
+          border-bottom-right-radius: 0;
+          border-top-right-radius: 0;
+        }
+      }
+
+      &:last-child > .btn:first-child {
+        border-bottom-left-radius: 0;
+        border-top-left-radius: 0;
+      }
+    }
+  }
+
+  .dropdown-toggle {
+    &:active, &:hover {
+      outline: 0;
+      color: #000;
+      background-color: none;
+      border-color: #000;
+    }
+  }
+
+  &.open .dropdown-toggle {
+    outline: 0;
+    color: #000;
+    background-color: none;
+    border-color: #000;
+  }
+
+  > {
+    .btn + .dropdown-toggle {
+      padding-left: 8px;
+      padding-right: 8px;
+    }
+
+    .btn-lg + .dropdown-toggle {
+      padding-left: 12px;
+      padding-right: 12px;
+    }
+  }
+}
 
-.btn-group > .btn-lg + .dropdown-toggle, .btn-group-lg.btn-group > .btn + .dropdown-toggle {
+.btn-group-lg.btn-group > .btn + .dropdown-toggle {
   padding-left: 12px;
-  padding-right: 12px; }
+  padding-right: 12px;
+}
 
-.btn-group.open .dropdown-toggle {}
-  .btn-group.open .dropdown-toggle.btn-link {
-    -webkit-box-shadow: none;
-    box-shadow: none; }
+.btn-group.open .dropdown-toggle.btn-link {
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
 
 .btn .caret {
-  margin-left: 0; }
+  margin-left: 0;
+}
 
 .btn-lg .caret, .btn-group-lg > .btn .caret {
   border-width: 5px 5px 0;
-  border-bottom-width: 0; }
+  border-bottom-width: 0;
+}
 
-.dropup .btn-lg .caret, .dropup .btn-group-lg > .btn .caret {
-  border-width: 0 5px 5px; }
+.dropup {
+  .btn-lg .caret, .btn-group-lg > .btn .caret {
+    border-width: 0 5px 5px;
+  }
+}
 
-.btn-group-vertical > .btn,
-.btn-group-vertical > .btn-group,
-.btn-group-vertical > .btn-group > .btn {
-  display: block;
-  float: none;
-  width: 100%;
-  max-width: 100%; }
-.btn-group-vertical > .btn-group:before, .btn-group-vertical > .btn-group:after {
-  content: " ";
-  display: table; }
-.btn-group-vertical > .btn-group:after {
-  clear: both; }
-.btn-group-vertical > .btn-group > .btn {
-  float: none; }
-.btn-group-vertical > .btn + .btn,
-.btn-group-vertical > .btn + .btn-group,
-.btn-group-vertical > .btn-group + .btn,
-.btn-group-vertical > .btn-group + .btn-group {
-  margin-top: -1px;
-  margin-left: 0; }
+.btn-group-vertical > {
+  .btn {
+    display: block;
+    float: none;
+    width: 100%;
+    max-width: 100%;
+  }
 
-.btn-group-vertical > .btn:not(:first-child):not(:last-child) {
-  border-radius: 0; }
-.btn-group-vertical > .btn:first-child:not(:last-child) {
-  border-top-right-radius: 3px;
-  border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0; }
-.btn-group-vertical > .btn:last-child:not(:first-child) {
-  border-bottom-left-radius: 3px;
-  border-top-right-radius: 0;
-  border-top-left-radius: 0; }
+  .btn-group {
+    display: block;
+    float: none;
+    width: 100%;
+    max-width: 100%;
 
-.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {
-  border-radius: 0; }
+    > .btn {
+      display: block;
+      float: none;
+      width: 100%;
+      max-width: 100%;
+    }
 
-.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child,
-.btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle {
-  border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0; }
+    &:before {
+      content: " ";
+      display: table;
+    }
 
-.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {
-  border-top-right-radius: 0;
-  border-top-left-radius: 0; }
+    &:after {
+      content: " ";
+      display: table;
+      clear: both;
+    }
+
+    > .btn {
+      float: none;
+    }
+  }
+
+  .btn + {
+    .btn, .btn-group {
+      margin-top: -1px;
+      margin-left: 0;
+    }
+  }
+
+  .btn-group + {
+    .btn, .btn-group {
+      margin-top: -1px;
+      margin-left: 0;
+    }
+  }
+
+  .btn {
+    &:not(:first-child):not(:last-child) {
+      border-radius: 0;
+    }
+
+    &:first-child:not(:last-child) {
+      border-top-right-radius: 3px;
+      border-bottom-right-radius: 0;
+      border-bottom-left-radius: 0;
+    }
+
+    &:last-child:not(:first-child) {
+      border-bottom-left-radius: 3px;
+      border-top-right-radius: 0;
+      border-top-left-radius: 0;
+    }
+  }
+
+  .btn-group {
+    &:not(:first-child):not(:last-child) > .btn {
+      border-radius: 0;
+    }
+
+    &:first-child:not(:last-child) > {
+      .btn:last-child, .dropdown-toggle {
+        border-bottom-right-radius: 0;
+        border-bottom-left-radius: 0;
+      }
+    }
+
+    &:last-child:not(:first-child) > .btn:first-child {
+      border-top-right-radius: 0;
+      border-top-left-radius: 0;
+    }
+  }
+}
 
 .btn-group-justified {
   display: table;
   width: 100%;
   table-layout: fixed;
-  border-collapse: separate; }
-  .btn-group-justified > .btn,
-  .btn-group-justified > .btn-group {
-    float: none;
-    display: table-cell;
-    width: 1%; }
-  .btn-group-justified > .btn-group .btn {
-    width: 100%; }
-  .btn-group-justified > .btn-group .dropdown-menu {
-    left: auto; }
-
-[data-toggle="buttons"] > .btn > input[type="radio"],
-[data-toggle="buttons"] > .btn > input[type="checkbox"] {
-  position: absolute;
-  z-index: -1;
-  opacity: 0;
-  filter: alpha(opacity=0); }
+  border-collapse: separate;
+
+  > {
+    .btn {
+      float: none;
+      display: table-cell;
+      width: 1%;
+    }
+
+    .btn-group {
+      float: none;
+      display: table-cell;
+      width: 1%;
+
+      .btn {
+        width: 100%;
+      }
+
+      .dropdown-menu {
+        left: auto;
+      }
+    }
+  }
+}
+
+[data-toggle="buttons"] > .btn > input {
+  &[type="radio"], &[type="checkbox"] {
+    position: absolute;
+    z-index: -1;
+    opacity: 0;
+    filter: alpha(opacity = 0);
+  }
+}
 
 .input-group {
   position: relative;
   display: table;
-  border-collapse: separate; }
-  .input-group[class*="col-"] {
+  border-collapse: separate;
+
+  &[class*="col-"] {
     float: none;
     padding-left: 0;
-    padding-right: 0; }
-  .input-group .form-control {
+    padding-right: 0;
+  }
+
+  .form-control {
     position: relative;
     z-index: 2;
     float: left;
     width: 100%;
-    margin-bottom: 0; }
-
-.input-group-addon,
-.input-group-btn,
-.input-group .form-control {
-  display: table-cell; }
-  .input-group-addon:not(:first-child):not(:last-child),
-  .input-group-btn:not(:first-child):not(:last-child),
-  .input-group .form-control:not(:first-child):not(:last-child) {
-    border-radius: 0; }
-
-.input-group-addon,
-.input-group-btn {
+    margin-bottom: 0;
+  }
+}
+
+.input-group-addon, .input-group-btn, .input-group .form-control {
+  display: table-cell;
+}
+
+.input-group-addon:not(:first-child):not(:last-child), .input-group-btn:not(:first-child):not(:last-child), .input-group .form-control:not(:first-child):not(:last-child) {
+  border-radius: 0;
+}
+
+.input-group-addon, .input-group-btn {
   width: 1%;
   white-space: nowrap;
-  vertical-align: middle; }
+  vertical-align: middle;
+}
 
 .input-group-addon {
   padding: 6px 12px;
-  font-size:14px;
+  font-size: 14px;
   font-weight: normal;
   line-height: 1;
   color: #FFF;
   text-align: center;
   background-color: #eeeeee;
   border: 1px solid #ccc;
-  border-radius: 3px; }
-  .input-group-addon.input-sm, .form-horizontal .form-group-sm .input-group-addon.form-control,
-  .input-group-sm > .input-group-addon,
-  .input-group-sm > .input-group-btn > .input-group-addon.btn {
+  border-radius: 3px;
+
+  &.input-sm {
+    padding: 5px 10px;
+    font-size: 12px;
+    border-radius: 3px;
+  }
+}
+
+.form-horizontal .form-group-sm .input-group-addon.form-control {
+  padding: 5px 10px;
+  font-size: 12px;
+  border-radius: 3px;
+}
+
+.input-group-sm > {
+  .input-group-addon, .input-group-btn > .input-group-addon.btn {
     padding: 5px 10px;
     font-size: 12px;
-    border-radius: 3px; }
-  .input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control,
-  .input-group-lg > .input-group-addon,
-  .input-group-lg > .input-group-btn > .input-group-addon.btn {
+    border-radius: 3px;
+  }
+}
+
+.input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control {
+  padding: 10px 16px;
+  font-size: 18px;
+  border-radius: 6px;
+}
+
+.input-group-lg > {
+  .input-group-addon, .input-group-btn > .input-group-addon.btn {
     padding: 10px 16px;
     font-size: 18px;
-    border-radius: 6px; }
-  .input-group-addon input[type="radio"],
-  .input-group-addon input[type="checkbox"] {
-    margin-top: 0; }
-
-.input-group .form-control:first-child,
-.input-group-addon:first-child,
-.input-group-btn:first-child > .btn,
-.input-group-btn:first-child > .btn-group > .btn,
-.input-group-btn:first-child > .dropdown-toggle,
-.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),
-.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {
+    border-radius: 6px;
+  }
+}
+
+.input-group-addon input {
+  &[type="radio"], &[type="checkbox"] {
+    margin-top: 0;
+  }
+}
+
+.input-group .form-control:first-child, .input-group-addon:first-child {
   border-bottom-right-radius: 0;
-  border-top-right-radius: 0; }
+  border-top-right-radius: 0;
+}
+
+.input-group-btn {
+  &:first-child > {
+    .btn, .btn-group > .btn, .dropdown-toggle {
+      border-bottom-right-radius: 0;
+      border-top-right-radius: 0;
+    }
+  }
+
+  &:last-child > {
+    .btn:not(:last-child):not(.dropdown-toggle), .btn-group:not(:last-child) > .btn {
+      border-bottom-right-radius: 0;
+      border-top-right-radius: 0;
+    }
+  }
+}
 
 .input-group-addon:first-child {
-  border-right: 0; }
-
-.input-group .form-control:last-child,
-.input-group-addon:last-child,
-.input-group-btn:last-child > .btn,
-.input-group-btn:last-child > .btn-group > .btn,
-.input-group-btn:last-child > .dropdown-toggle,
-.input-group-btn:first-child > .btn:not(:first-child),
-.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {
+  border-right: 0;
+}
+
+.input-group .form-control:last-child, .input-group-addon:last-child {
   border-bottom-left-radius: 0;
-  border-top-left-radius: 0; }
+  border-top-left-radius: 0;
+}
+
+.input-group-btn {
+  &:last-child > {
+    .btn, .btn-group > .btn, .dropdown-toggle {
+      border-bottom-left-radius: 0;
+      border-top-left-radius: 0;
+    }
+  }
+
+  &:first-child > {
+    .btn:not(:first-child), .btn-group:not(:first-child) > .btn {
+      border-bottom-left-radius: 0;
+      border-top-left-radius: 0;
+    }
+  }
+}
 
 .input-group-addon:last-child {
-  border-left: 0; }
+  border-left: 0;
+}
 
 .input-group-btn {
   position: relative;
   font-size: 0;
-  white-space: nowrap; }
-  .input-group-btn > .btn {
-    position: relative; }
-    .input-group-btn > .btn + .btn {
-      margin-left: -1px; }
-    .input-group-btn > .btn:hover, .input-group-btn > .btn:focus, .input-group-btn > .btn:active {
-      z-index: 2; }
-  .input-group-btn:first-child > .btn,
-  .input-group-btn:first-child > .btn-group {
-    margin-right: -1px; }
-  .input-group-btn:last-child > .btn,
-  .input-group-btn:last-child > .btn-group {
-    margin-left: -1px; }
+  white-space: nowrap;
+
+  > .btn {
+    position: relative;
+
+    + .btn {
+      margin-left: -1px;
+    }
+
+    &:hover, &:focus, &:active {
+      z-index: 2;
+    }
+  }
+
+  &:first-child > {
+    .btn, .btn-group {
+      margin-right: -1px;
+    }
+  }
+
+  &:last-child > {
+    .btn, .btn-group {
+      margin-left: -1px;
+    }
+  }
+}
 
 .nav {
   margin-bottom: 0;
   padding-left: 0;
-  list-style: none; }
-  .nav:before, .nav:after {
+  list-style: none;
+
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
     content: " ";
-    display: table; }
-  .nav:after {
-    clear: both; }
-  .nav > li {
+    display: table;
+    clear: both;
+  }
+
+  > li {
     position: relative;
-    display: block; }
-    .nav > li > a, .nav-tabs > li > a {
-		position: relative;
-		display: block;
-		padding: 10px 15px;
-		color: #FFF;
-		border-radius: 0px;
-		border-top-right-radius: 10px;
-		margin-right: 0px;
-		background-color: #172c38;
-		opacity: 0.6;
-		filter: alpha(opacity=50);}
-	.nav > li#menu_messages > a {
+    display: block;
+
+    > a {
+      position: relative;
+      display: block;
+      padding: 10px 15px;
+      color: #FFF;
+      border-radius: 0px;
+      border-top-right-radius: 10px;
+      margin-right: 0px;
+      background-color: #172c38;
+      opacity: 0.6;
+      filter: alpha(opacity = 50);
+    }
+  }
+}
+
+.nav-tabs > li > a {
+  position: relative;
+  display: block;
+  padding: 10px 15px;
+  color: #FFF;
+  border-radius: 0px;
+  border-top-right-radius: 10px;
+  margin-right: 0px;
+  background-color: #172c38;
+  opacity: 0.6;
+  filter: alpha(opacity = 50);
+}
+
+.nav > li {
+  &#menu_messages {
+    > a {
       position: relative;
       display: block;
       padding: none;
-	  color:#FF6E05;
-	  background-color:transparent;
-	  margin-right: 10px;
-	  border:none;
-	  opacity: 1.0;}
-      .nav > li > a:hover, .nav > li > a:focus {
-        text-decoration: none;
-        background-color: #172c38;
-		color: #FFF;
-		opacity: 0.8; }
-		.nav > li#menu_messages > a:hover, a:focus {
-		text-decoration: underline; }
-
-    .nav > li.disabled > a {
-		color: #fff; }
-      .nav > li.disabled > a:hover, .nav > li.disabled > a:focus {
-		  color: #fff;
-		  text-decoration: none;
-		  background-color: #839caa;
-		  opacity:0.9;
-		  cursor: not-allowed; }
-
-  .nav .open > a, .nav .open > a:hover, .nav .open > a:focus {
+      color: #FF6E05;
+      background-color: transparent;
+      margin-right: 10px;
+      border: none;
+      opacity: 1.0;
+    }
+
+    > a:hover {
+      text-decoration: underline;
+    }
+  }
+
+  > a {
+    &:hover, &:focus {
+      text-decoration: none;
+      background-color: #172c38;
+      color: #FFF;
+      opacity: 0.8;
+    }
+  }
+}
+
+a:focus {
+  text-decoration: underline;
+}
+
+.nav {
+  > li.disabled > a {
+    color: #fff;
+
+    &:hover, &:focus {
+      color: #fff;
+      text-decoration: none;
+      background-color: #839caa;
+      opacity: 0.9;
+      cursor: not-allowed;
+    }
+  }
+
+  .open > a {
     background-color: #172c38;
-    cursor:pointer; }
+    cursor: pointer;
+
+    &:hover, &:focus {
+      background-color: #172c38;
+      cursor: pointer;
+    }
+  }
 
-  .nav .nav-divider {
+  .nav-divider {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5; }
-  .nav > li > a > img {
-    max-width: none; }
+    background-color: #e5e5e5;
+  }
+
+  > li > a > img {
+    max-width: none;
+  }
+}
 
 .nav-tabs {
-  margin-right: 1px; }
-  .nav-tabs > li {
-    float: left; }
-    .nav-tabs > li > a {
+  margin-right: 1px;
+
+  > li {
+    float: left;
+
+    > a {
       line-height: 1.428571429;
-	  border:none;
-	  cursor:pointer;}
-	.nav-tabs > li > a:hover {opacity: 0.8; filter: alpha(opacity=80);}
-    .nav-tabs > li.active > a, .nav-tabs > li.active > a:hover, .nav-tabs > li.active > a:focus {
+      border: none;
+      cursor: pointer;
+
+      &:hover {
+        opacity: 0.8;
+        filter: alpha(opacity = 80);
+      }
+    }
+
+    &.active > a {
       color: #FFF;
       background-color: #393939;
       border-bottom-color: transparent;
       cursor: pointer;
-	  opacity: 1;
-	  filter: alpha(opacity=100);}
-
-	  .nav-pills > li {
-  float: left; }
-  .nav-pills > li > a {
-    border-radius: 0; }
-  .nav-pills > li.active > a, .nav-pills > li.active > a:hover, .nav-pills > li.active > a:focus {
+      opacity: 1;
+      filter: alpha(opacity = 100);
+
+      &:hover, &:focus {
+        color: #FFF;
+        background-color: #393939;
+        border-bottom-color: transparent;
+        cursor: pointer;
+        opacity: 1;
+        filter: alpha(opacity = 100);
+      }
+    }
+  }
+}
+
+.nav-pills > li {
+  float: left;
+
+  > a {
+    border-radius: 0;
+  }
+
+  &.active > a {
     color: #fff;
     background-color: #1b4257;
-	opacity: 1.0; }
+    opacity: 1.0;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #1b4257;
+      opacity: 1.0;
+    }
+  }
+}
 
 .nav-stacked > li {
-  float: none; }
-  .nav-stacked > li + li {
+  float: none;
+
+  + li {
     margin-top: 2px;
-    margin-left: 0; }
+    margin-left: 0;
+  }
+}
 
 .nav-justified, .nav-tabs.nav-justified {
-  width: 100%; }
+  width: 100%;
+}
+
+.nav-justified > li, .nav-tabs.nav-justified > li {
+  float: none;
+}
+
+.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+  text-align: left;
+  margin-bottom: 5px;
+}
+
+.nav-justified > .dropdown .dropdown-menu {
+  top: auto;
+  left: auto;
+}
+
+@media (min-width: 768px) {
   .nav-justified > li, .nav-tabs.nav-justified > li {
-    float: none; }
-    .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-      text-align: left;
-      margin-bottom: 5px; }
-  .nav-justified > .dropdown .dropdown-menu {
-    top: auto;
-    left: auto; }
-  @media (min-width: 768px) {
-    .nav-justified > li, .nav-tabs.nav-justified > li {
-      display: table-cell;
-      width: 1%; }
-      .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-        margin-bottom: 0; } }
+    display: table-cell;
+    width: 1%;
+  }
+
+  .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+    margin-bottom: 0;
+  }
+}
 
 .nav-tabs-justified, .nav-tabs.nav-justified {
-  border-bottom: 0; }
+  border-bottom: 0;
+}
+
+.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+  margin-right: 0;
+  border-radius: 3px;
+}
+
+.nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a, .nav-tabs-justified > .active > a:hover, .nav-tabs.nav-justified > .active > a:hover, .nav-tabs-justified > .active > a:focus, .nav-tabs.nav-justified > .active > a:focus {
+  border: 1px solid #656565;
+}
+
+@media (min-width: 768px) {
   .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
-    margin-right: 0;
-    border-radius: 3px; }
-  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
-  .nav-tabs-justified > .active > a:hover,
-  .nav-tabs.nav-justified > .active > a:hover,
-  .nav-tabs-justified > .active > a:focus,
-  .nav-tabs.nav-justified > .active > a:focus {
-    border: 1px solid #656565; }
-  @media (min-width: 768px) {
-    .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
-      border-bottom: 1px solid #656565;
-      border-radius: 3px 3px 0 0; }
-    .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
-    .nav-tabs-justified > .active > a:hover,
-    .nav-tabs.nav-justified > .active > a:hover,
-    .nav-tabs-justified > .active > a:focus,
-    .nav-tabs.nav-justified > .active > a:focus {
-      border-bottom-color: transparent; } }
-
-.tab-content > .tab-pane {
-  display: none; }
-  .tab-content > .active {
-  display: block; }
+    border-bottom: 1px solid #656565;
+    border-radius: 3px 3px 0 0;
+  }
+
+  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a, .nav-tabs-justified > .active > a:hover, .nav-tabs.nav-justified > .active > a:hover, .nav-tabs-justified > .active > a:focus, .nav-tabs.nav-justified > .active > a:focus {
+    border-bottom-color: transparent;
+  }
+}
+
+.tab-content > {
+  .tab-pane {
+    display: none;
+  }
+
+  .active {
+    display: block;
+  }
+}
 
 .tab-pane .content-box {
-  border:none !important;
+  border: none !important;
   box-shadow: none;
-  -webkit-box-shadow: none; }
+  -webkit-box-shadow: none;
+}
 
 .nav-tabs .dropdown-menu {
   margin-top: -1px;
   border-top-right-radius: 0;
   border-top-left-radius: 0;
-  cursor:pointer;}
-
+  cursor: pointer;
+}
 
 .navbar {
   position: relative;
   min-height: 50px;
   margin-bottom: 0;
-  border: 1px solid transparent; }
-  .navbar:before, .navbar:after {
+  border: 1px solid transparent;
+
+  &:before {
     content: " ";
-    display: table; }
-  .navbar:after {
-    clear: both; }
-  @media (min-width: 768px) {
-    .navbar {
-      border-radius: 0; } }
-
-.navbar-header:before, .navbar-header:after {
-  content: " ";
-  display: table; }
-.navbar-header:after {
-  clear: both; }
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar {
+    border-radius: 0;
+  }
+}
+
+.navbar-header {
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+
+  padding-top: 12px;
+}
+
 @media (min-width: 768px) {
   .navbar-header {
-    float: left; } }
+    float: left;
+  }
+}
 
 .navbar-collapse {
   overflow-x: visible;
@@ -3720,92 +6390,124 @@ tbody.collapse.in {
   padding-left: 20px;
   border-top: 1px solid transparent;
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1);
-  -webkit-overflow-scrolling: touch; }
-  .navbar-collapse:before, .navbar-collapse:after {
+  -webkit-overflow-scrolling: touch;
+
+  &:before {
     content: " ";
-    display: table; }
-  .navbar-collapse:after {
-    clear: both; }
-  .navbar-collapse.in {
-    overflow-y: auto; }
-  @media (min-width: 768px) {
-    .navbar-collapse {
-      width: auto;
-      border-top: 0;
-      box-shadow: none; }
-      .navbar-collapse.collapse {
-        display: block !important;
-        height: auto !important;
-        padding-bottom: 0;
-        overflow: visible !important; }
-      .navbar-collapse.in {
-        overflow-y: visible; }
-      .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
-        padding-left: 0;
-        padding-right: 0; } }
-
-.navbar-fixed-top .navbar-collapse,
-.navbar-fixed-bottom .navbar-collapse {
-  max-height: 340px; }
-  @media (max-width: 480px) and (orientation: landscape) {
-    .navbar-fixed-top .navbar-collapse,
-    .navbar-fixed-bottom .navbar-collapse {
-      max-height: 200px; } }
-
-.container > .navbar-header,
-.container > .navbar-collapse,
-.container-fluid > .navbar-header,
-.container-fluid > .navbar-collapse {
-  margin-right: -20px;
-  margin-left: -20px; }
-  @media (min-width: 768px) {
-    .container > .navbar-header,
-    .container > .navbar-collapse,
-    .container-fluid > .navbar-header,
-    .container-fluid > .navbar-collapse {
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+
+  &.in {
+    overflow-y: auto;
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-collapse {
+    width: auto;
+    border-top: 0;
+    box-shadow: none;
+
+    &.collapse {
+      display: block !important;
+      height: auto !important;
+      padding-bottom: 0;
+      overflow: visible !important;
+    }
+
+    &.in {
+      overflow-y: visible;
+    }
+  }
+
+  .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+.navbar-fixed-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+  max-height: 340px;
+}
+
+@media (max-width: 480px) and (orientation: landscape) {
+  .navbar-fixed-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+    max-height: 200px;
+  }
+}
+
+.container > {
+  .navbar-header, .navbar-collapse {
+    margin-right: -20px;
+    margin-left: -20px;
+  }
+}
+
+.container-fluid > {
+  .navbar-header, .navbar-collapse {
+    margin-right: -20px;
+    margin-left: -20px;
+  }
+}
+
+@media (min-width: 768px) {
+  .container > {
+    .navbar-header, .navbar-collapse {
+      margin-right: 0;
+      margin-left: 0;
+    }
+  }
+
+  .container-fluid > {
+    .navbar-header, .navbar-collapse {
       margin-right: 0;
-      margin-left: 0; } }
+      margin-left: 0;
+    }
+  }
+}
 
 .navbar-static-top {
   z-index: 1000;
-  border-width: 0 0 1px; }
-  @media (min-width: 768px) {
-    .navbar-static-top {
-      border-radius: 0; } }
+  border-width: 0 0 1px;
+}
 
-.navbar-fixed-top,
-.navbar-fixed-bottom {
+@media (min-width: 768px) {
+  .navbar-static-top {
+    border-radius: 0;
+  }
+}
+
+.navbar-fixed-top, .navbar-fixed-bottom {
   position: fixed;
   right: 0;
   left: 0;
   z-index: 1030;
   -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0); }
-  @media (min-width: 768px) {
-    .navbar-fixed-top,
-    .navbar-fixed-bottom {
-      border-radius: 0; } }
+  transform: translate3d(0, 0, 0);
+}
+
+@media (min-width: 768px) {
+  .navbar-fixed-top, .navbar-fixed-bottom {
+    border-radius: 0;
+  }
+}
 
 .navbar-fixed-top {
   top: 0;
-  border-width: 0 0 1px; }
+  border-width: 0 0 1px;
+}
 
 .navbar-fixed-bottom {
   bottom: 0;
   margin-bottom: 0;
-  border-width: 1px 0 0; }
-
-.navbar-brand {
-  float: left;
-  padding: 15px 20px;
-  font-size: 18px;
-  height: 50px; }
-  .navbar-brand:hover, .navbar-brand:focus {
-    text-decoration: none; }
-
-  @media (min-width: 768px) {
-    .navbar > .container .navbar-brand, .navbar > .container-fluid .navbar-brand {
-      margin-left: -20px; } }
+  border-width: 1px 0 0;
+}
 
 .navbar-toggle {
   position: relative;
@@ -3817,60 +6519,100 @@ tbody.collapse.in {
   background-color: transparent;
   background-image: none;
   border: 1px solid transparent;
-  border-radius: 3px; }
-  .navbar-toggle:focus {
-    outline: 0; }
-  .navbar-toggle .icon-bar {
+  border-radius: 3px;
+
+  &:focus {
+    outline: 0;
+  }
+
+  .icon-bar {
     display: block;
     width: 22px;
     height: 2px;
-    border-radius: 1px; }
-  .navbar-toggle .icon-bar + .icon-bar {
-    margin-top: 4px; }
-  @media (min-width: 768px) {
-    .navbar-toggle {
-      display: none; } }
+    border-radius: 1px;
+
+    + .icon-bar {
+      margin-top: 4px;
+    }
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-toggle {
+    display: none;
+  }
+}
+
+.navbar-brand img {
+  &.brand-logo, &.brand-icon {
+    height: 30px;
+  }
+}
 
 .navbar-nav {
-  margin: 7.5px -20px; }
-  .navbar-nav > li > a {
+  margin: 7.5px -20px;
+
+  > li > a {
     padding-top: 10px;
     padding-bottom: 10px;
-    line-height: 20px; }
-  @media (max-width: 767px) {
-    .navbar-nav .open .dropdown-menu {
-      position: static;
-      float: none;
-      width: auto;
-      margin-top: 0;
-      background-color: transparent;
-      border: 0;
-      box-shadow: none; }
-      .navbar-nav .open .dropdown-menu > li > a,
-      .navbar-nav .open .dropdown-menu .dropdown-header {
-        padding: 5px 15px 5px 25px; }
-      .navbar-nav .open .dropdown-menu > li > a {
-        line-height: 20px; }
-        .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-nav .open .dropdown-menu > li > a:focus {
-          background-image: none; } }
-  @media (min-width: 768px) {
-    .navbar-nav {
+    line-height: 20px;
+  }
+}
+
+@media (max-width: 767px) {
+  .navbar-nav .open .dropdown-menu {
+    position: static;
+    float: none;
+    width: auto;
+    margin-top: 0;
+    background-color: transparent;
+    border: 0;
+    box-shadow: none;
+
+    > li > a, .dropdown-header {
+      padding: 5px 15px 5px 25px;
+    }
+
+    > li > a {
+      line-height: 20px;
+
+      &:hover, &:focus {
+        background-image: none;
+      }
+    }
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-nav {
+    float: left;
+    margin: 0;
+
+    > li {
       float: left;
-      margin: 0; }
-      .navbar-nav > li {
-        float: left; }
-        .navbar-nav > li > a {
-          padding-top: 15px;
-          padding-bottom: 15px; }
-      .navbar-nav.navbar-right:last-child {
-        margin-right: -20px; } }
+
+      > a {
+        padding-top: 15px;
+        padding-bottom: 15px;
+      }
+    }
+
+    &.navbar-right:last-child {
+      margin-right: -20px;
+    }
+  }
+}
 
 @media (min-width: 768px) {
   .navbar-left {
-    float: left !important; }
+    float: left !important;
+  }
 
   .navbar-right {
-    float: right !important; } }
+    float: right !important;
+  }
+}
+
 .navbar-form {
   margin-left: -20px;
   margin-right: -20px;
@@ -3880,306 +6622,613 @@ tbody.collapse.in {
   -webkit-box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);
   box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.1), 0 1px 0 rgba(255, 255, 255, 0.1);
   margin-top: 8px;
-  margin-bottom: 8px; }
-  @media (max-width: 767px) {
-    .navbar-form .form-group {
-      margin-bottom: 5px; } }
-  @media (min-width: 768px) {
-    .navbar-form {
-      width: auto;
-      border: 0;
-      margin-left: 0;
-      margin-right: 0;
-      padding-top: 0;
-      padding-bottom: 0;
-      -webkit-box-shadow: none;
-      box-shadow: none; }
-      .navbar-form.navbar-right:last-child {
-        margin-right: -20px; } }
+  margin-bottom: 8px;
+}
+
+@media (max-width: 767px) {
+  .navbar-form .form-group {
+    margin-bottom: 5px;
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-form {
+    width: auto;
+    border: 0;
+    margin-left: 0;
+    margin-right: 0;
+    padding-top: 0;
+    padding-bottom: 0;
+    -webkit-box-shadow: none;
+    box-shadow: none;
+
+    &.navbar-right:last-child {
+      margin-right: -20px;
+    }
+  }
+}
 
 .navbar-nav > li > .dropdown-menu {
   margin-top: 0;
   border-top-right-radius: 0;
-  border-top-left-radius: 0; }
+  border-top-left-radius: 0;
+}
 
 .navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
   border-bottom-right-radius: 0;
-  border-bottom-left-radius: 0; }
+  border-bottom-left-radius: 0;
+}
+
+.navbar-btn {
+  margin-top: 8px;
+  margin-bottom: 8px;
+
+  &.btn-sm {
+    margin-top: 10px;
+    margin-bottom: 10px;
+  }
+}
+
+.btn-group-sm > .navbar-btn.btn {
+  margin-top: 10px;
+  margin-bottom: 10px;
+}
+
+.navbar-btn.btn-xs, .btn-group-xs > .navbar-btn.btn {
+  margin-top: 14px;
+  margin-bottom: 14px;
+}
+
+.navbar-text {
+  margin-top: 15px;
+  margin-bottom: 15px;
+}
+
+@media (min-width: 768px) {
+  .navbar-text {
+    float: left;
+    margin-left: 20px;
+    margin-right: 20px;
+
+    &.navbar-right:last-child {
+      margin-right: 0;
+    }
+  }
+}
+
+.navbar-default {
+  background-color: transparent;
+  border-color: none;
+
+  .navbar-brand {
+    color: #F7F7F7;
+
+    &:hover, &:focus {
+      color: #dedede;
+      background-color: transparent;
+    }
+  }
+
+  .navbar-text {
+    color: #F7F7F7;
+  }
+
+  .navbar-nav > {
+    li > a {
+      color: #F7F7F7;
+
+      &:hover, &:focus {
+        color: #FF6E05;
+        background-color: transparent;
+      }
+    }
+
+    .active > a {
+      color: #555;
+      background-color: #2b2b2b;
+
+      &:hover, &:focus {
+        color: #555;
+        background-color: #2b2b2b;
+      }
+    }
+
+    .disabled > a {
+      color: #ccc;
+      background-color: transparent;
+
+      &:hover, &:focus {
+        color: #ccc;
+        background-color: transparent;
+      }
+    }
+  }
+
+  .navbar-toggle {
+    border-color: #FFF;
+
+    &:hover, &:focus {
+      background-color: #555;
+    }
+
+    .icon-bar {
+      background-color: #FFF;
+    }
+  }
+
+  .navbar-nav > .open > a {
+    background-color: #2b2b2b;
+    color: #555;
+
+    &:hover, &:focus {
+      background-color: #2b2b2b;
+      color: #555;
+    }
+  }
+
+  .navbar-link {
+    color: #F7F7F7;
 
-.navbar-btn {
-  margin-top: 8px;
-  margin-bottom: 8px; }
-  .navbar-btn.btn-sm, .btn-group-sm > .navbar-btn.btn {
-    margin-top: 10px;
-    margin-bottom: 10px; }
-  .navbar-btn.btn-xs, .btn-group-xs > .navbar-btn.btn {
-    margin-top: 14px;
-    margin-bottom: 14px; }
+    &:hover {
+      color: #FF8B00;
+    }
+  }
 
-.navbar-text {
-  margin-top: 15px;
-  margin-bottom: 15px; }
-  @media (min-width: 768px) {
-    .navbar-text {
-      float: left;
-      margin-left: 20px;
-      margin-right: 20px; }
-      .navbar-text.navbar-right:last-child {
-        margin-right: 0; } }
+  .btn-link {
+    color: #F7F7F7;
 
-.navbar-default {
-  background-color: transparent;
-  border-color: none; }
-  .navbar-default .navbar-brand {
-    color: #F7F7F7; }
-    .navbar-default .navbar-brand:hover, .navbar-default .navbar-brand:focus {
-      color: #dedede;
-      background-color: transparent; }
-  .navbar-default .navbar-text {
-    color: #F7F7F7; }
-  .navbar-default .navbar-nav > li > a {
-    color: #F7F7F7; }
-    .navbar-default .navbar-nav > li > a:hover, .navbar-default .navbar-nav > li > a:focus {
-      color: #FF6E05;
-      background-color: transparent; }
+    &:hover, &:focus {
+      color: #FF8B00;
+    }
+
+    &[disabled] {
+      &:hover, &:focus {
+        color: #ccc;
+      }
+    }
+  }
+}
 
-  .navbar-default .navbar-nav > .active > a, .navbar-default .navbar-nav > .active > a:hover, .navbar-default .navbar-nav > .active > a:focus {
-    color: #555;
-    background-color: #2b2b2b; }
-  .navbar-default .navbar-nav > .disabled > a, .navbar-default .navbar-nav > .disabled > a:hover, .navbar-default .navbar-nav > .disabled > a:focus {
-    color: #ccc;
-    background-color: transparent; }
-  .navbar-default .navbar-toggle {
-    border-color: #FFF; }
-    .navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus {
-      background-color: #555; }
-    .navbar-default .navbar-toggle .icon-bar {
-      background-color: #FFF; }
-	.navbar-default .navbar-nav > .open > a, .navbar-default .navbar-nav > .open > a:hover, .navbar-default .navbar-nav > .open > a:focus {
-    background-color: #2b2b2b;
-    color: #555; }
-  @media (max-width: 767px) {
-    .navbar-default .navbar-nav .open .dropdown-menu > li > a {
-      color: #F7F7F7; }
-      .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {
+@media (max-width: 767px) {
+  .navbar-default .navbar-nav .open .dropdown-menu > {
+    li > a {
+      color: #F7F7F7;
+
+      &:hover, &:focus {
         color: #FF8B00;
-        background-color: transparent; }
- .navbar-default .navbar-nav .open .dropdown-menu > .active > a, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus {
+        background-color: transparent;
+      }
+    }
+
+    .active > a {
       color: #555;
-      background-color: #2b2b2b; }
-    .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+      background-color: #2b2b2b;
+
+      &:hover, &:focus {
+        color: #555;
+        background-color: #2b2b2b;
+      }
+    }
+
+    .disabled > a {
       color: #ccc;
-      background-color: transparent; } }
-  .navbar-default .navbar-link {
-    color: #F7F7F7; }
-    .navbar-default .navbar-link:hover {
-      color: #FF8B00; }
-  .navbar-default .btn-link {
-    color: #F7F7F7; }
-    .navbar-default .btn-link:hover, .navbar-default .btn-link:focus {
-      color: #FF8B00; }
-    .navbar-default .btn-link[disabled]:hover, .navbar-default .btn-link[disabled]:focus, fieldset[disabled] .navbar-default .btn-link:hover, fieldset[disabled] .navbar-default .btn-link:focus {
-      color: #ccc; }
+      background-color: transparent;
+
+      &:hover, &:focus {
+        color: #ccc;
+        background-color: transparent;
+      }
+    }
+  }
+}
+
+fieldset[disabled] .navbar-default .btn-link {
+  &:hover, &:focus {
+    color: #ccc;
+  }
+}
 
 .navbar-inverse {
   background-color: #222;
-  border-color: #090909; }
-  .navbar-inverse .navbar-brand {
-    color: #777777; }
-    .navbar-inverse .navbar-brand:hover, .navbar-inverse .navbar-brand:focus {
-      color: #fff;
-      background-color: transparent; }
+  border-color: #090909;
 
-  .navbar-inverse .navbar-text {
-    color: #777777; }
-  .navbar-inverse .navbar-nav > li > a {
-    color: #777777; }
-    .navbar-inverse .navbar-nav > li > a:hover, .navbar-inverse .navbar-nav > li > a:focus {
+  .navbar-brand {
+    color: #777777;
+
+    &:hover, &:focus {
       color: #fff;
-      background-color: transparent; }
-  .navbar-inverse .navbar-nav > .active > a, .navbar-inverse .navbar-nav > .active > a:hover, .navbar-inverse .navbar-nav > .active > a:focus {
-    color: #fff;
-    background-color: #090909; }
-  .navbar-inverse .navbar-nav > .disabled > a, .navbar-inverse .navbar-nav > .disabled > a:hover, .navbar-inverse .navbar-nav > .disabled > a:focus {
-    color: #3e3e3e;
-    background-color: transparent; }
-  .navbar-inverse .navbar-toggle {
-    border-color: #2d2d2d; }
-    .navbar-inverse .navbar-toggle:hover, .navbar-inverse .navbar-toggle:focus {
-      background-color: #2d2d2d; }
-
-    .navbar-inverse .navbar-toggle .icon-bar {
-      background-color: #fff; }
-  .navbar-inverse .navbar-collapse,
-  .navbar-inverse .navbar-form {
-    border-color: #101010; }
-  .navbar-inverse .navbar-nav > .open > a, .navbar-inverse .navbar-nav > .open > a:hover, .navbar-inverse .navbar-nav > .open > a:focus {
-    background-color: #090909;
-    color: #fff; }
-  @media (max-width: 767px) {
-    .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {
-      border-color: #090909; }
-    .navbar-inverse .navbar-nav .open .dropdown-menu .divider {
-      background-color: #090909; }
-    .navbar-inverse .navbar-nav .open .dropdown-menu > li > a {
-      color: #777777; }
-      .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {
+      background-color: transparent;
+    }
+  }
+
+  .navbar-text {
+    color: #777777;
+  }
+
+  .navbar-nav > {
+    li > a {
+      color: #777777;
+
+      &:hover, &:focus {
         color: #fff;
-        background-color: transparent; }
+        background-color: transparent;
+      }
+    }
 
- .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {
+    .active > a {
       color: #fff;
-      background-color: #090909; }
+      background-color: #090909;
+
+      &:hover, &:focus {
+        color: #fff;
+        background-color: #090909;
+      }
+    }
 
-    .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+    .disabled > a {
       color: #3e3e3e;
-      background-color: transparent; } }
+      background-color: transparent;
+
+      &:hover, &:focus {
+        color: #3e3e3e;
+        background-color: transparent;
+      }
+    }
+  }
+
+  .navbar-toggle {
+    border-color: #2d2d2d;
+
+    &:hover, &:focus {
+      background-color: #2d2d2d;
+    }
+
+    .icon-bar {
+      background-color: #fff;
+    }
+  }
+
+  .navbar-collapse, .navbar-form {
+    border-color: #101010;
+  }
+
+  .navbar-nav > .open > a {
+    background-color: #090909;
+    color: #fff;
+
+    &:hover, &:focus {
+      background-color: #090909;
+      color: #fff;
+    }
+  }
+
+  .navbar-link {
+    color: #777777;
+
+    &:hover {
+      color: #fff;
+    }
+  }
 
-  .navbar-inverse .navbar-link {
-    color: #777777; }
-    .navbar-inverse .navbar-link:hover {
-      color: #fff; }
-  .navbar-inverse .btn-link {
-    color: #777777; }
-    .navbar-inverse .btn-link:hover, .navbar-inverse .btn-link:focus {
-      color: #fff; }
+  .btn-link {
+    color: #777777;
+
+    &:hover, &:focus {
+      color: #fff;
+    }
+
+    &[disabled] {
+      &:hover, &:focus {
+        color: #3e3e3e;
+      }
+    }
+  }
+}
+
+@media (max-width: 767px) {
+  .navbar-inverse .navbar-nav .open .dropdown-menu {
+    > .dropdown-header {
+      border-color: #090909;
+    }
+
+    .divider {
+      background-color: #090909;
+    }
+
+    > {
+      li > a {
+        color: #777777;
+
+        &:hover, &:focus {
+          color: #fff;
+          background-color: transparent;
+        }
+      }
+
+      .active > a {
+        color: #fff;
+        background-color: #090909;
+
+        &:hover, &:focus {
+          color: #fff;
+          background-color: #090909;
+        }
+      }
+
+      .disabled > a {
+        color: #3e3e3e;
+        background-color: transparent;
+
+        &:hover, &:focus {
+          color: #3e3e3e;
+          background-color: transparent;
+        }
+      }
+    }
+  }
+}
 
-    .navbar-inverse .btn-link[disabled]:hover, .navbar-inverse .btn-link[disabled]:focus, fieldset[disabled] .navbar-inverse .btn-link:hover, fieldset[disabled] .navbar-inverse .btn-link:focus {
-      color: #3e3e3e; }
+fieldset[disabled] .navbar-inverse .btn-link {
+  &:hover, &:focus {
+    color: #3e3e3e;
+  }
+}
 
 .breadcrumb {
   padding: 8px 15px;
   margin-bottom: 20px;
   list-style: none;
   background-color: #f5f5f5;
-  border-radius: 3px; }
-  .breadcrumb > li {
-    display: inline-block; }
-    .breadcrumb > li + li:before {
-      content: "/ ";
-      padding: 0 5px;
-      color: #ccc; }
-  .breadcrumb > .active {
-    color: #777777; }
+  border-radius: 3px;
+
+  > {
+    li {
+      display: inline-block;
+
+      + li:before {
+        content: "/ ";
+        padding: 0 5px;
+        color: #ccc;
+      }
+    }
+
+    .active {
+      color: #777777;
+    }
+  }
+}
 
 .pagination {
   display: inline-block;
   padding-left: 0;
   margin: 20px 0;
-  border-radius: 3px; }
-  .pagination > li {
-    display: inline; }
-    .pagination > li > a,
-    .pagination > li > span {
-      position: relative;
-      float: left;
-      padding: 6px 12px;
-      line-height: 1.428571429;
-      text-decoration: none;
-      color: #FFF;
-      background-color: #45565f;
-      border: 1px solid rgba(23, 44, 56, 0.4);
-      margin-left: -1px;
-      cursor: pointer; }
-    .pagination > li:first-child > a,
-    .pagination > li:first-child > span {
-      margin-left: 0;
-      border-bottom-left-radius: 3px;
-      border-top-left-radius: 3px; }
-    .pagination > li:last-child > a,
-    .pagination > li:last-child > span {
-      border-bottom-right-radius: 3px;
-      border-top-right-radius: 3px; }
-  .pagination > li > a:hover, .pagination > li > a:focus,
-  .pagination > li > span:hover,
-  .pagination > li > span:focus {
-    color: #FFFFFF;
-    background-color: #FF6E05; }
+  border-radius: 3px;
 
-  .pagination > .active > a, .pagination > .active > a:hover, .pagination > .active > a:focus,
-  .pagination > .active > span,
-  .pagination > .active > span:hover,
-  .pagination > .active > span:focus {
-    z-index: 2;
-    color: #FFFFFF;
-    background-color: #FF6E05;
-    cursor: default; }
-
-  .pagination > .disabled > span,
-  .pagination > .disabled > span:hover,
-  .pagination > .disabled > span:focus,
-  .pagination > .disabled > a,
-  .pagination > .disabled > a:hover,
-  .pagination > .disabled > a:focus {
-    color: #000;
-    background-color: #e3e3e3;
-    cursor: not-allowed; }
+  > {
+    li {
+      display: inline;
+
+      > {
+        a, span {
+          position: relative;
+          float: left;
+          padding: 6px 12px;
+          line-height: 1.428571429;
+          text-decoration: none;
+          color: #FFF;
+          background-color: #45565f;
+          border: 1px solid rgba(23, 44, 56, 0.4);
+          margin-left: -1px;
+          cursor: pointer;
+        }
+      }
+
+      &:first-child > {
+        a, span {
+          margin-left: 0;
+          border-bottom-left-radius: 3px;
+          border-top-left-radius: 3px;
+        }
+      }
+
+      &:last-child > {
+        a, span {
+          border-bottom-right-radius: 3px;
+          border-top-right-radius: 3px;
+        }
+      }
+
+      > {
+        a {
+          &:hover, &:focus {
+            color: #FFFFFF;
+            background-color: #FF6E05;
+          }
+        }
+
+        span {
+          &:hover, &:focus {
+            color: #FFFFFF;
+            background-color: #FF6E05;
+          }
+        }
+      }
+    }
+
+    .active > {
+      a {
+        z-index: 2;
+        color: #FFFFFF;
+        background-color: #FF6E05;
+        cursor: default;
+
+        &:hover, &:focus {
+          z-index: 2;
+          color: #FFFFFF;
+          background-color: #FF6E05;
+          cursor: default;
+        }
+      }
+
+      span {
+        z-index: 2;
+        color: #FFFFFF;
+        background-color: #FF6E05;
+        cursor: default;
+
+        &:hover, &:focus {
+          z-index: 2;
+          color: #FFFFFF;
+          background-color: #FF6E05;
+          cursor: default;
+        }
+      }
+    }
+
+    .disabled > {
+      span {
+        color: #000;
+        background-color: #e3e3e3;
+        cursor: not-allowed;
+
+        &:hover, &:focus {
+          color: #000;
+          background-color: #e3e3e3;
+          cursor: not-allowed;
+        }
+      }
+
+      a {
+        color: #000;
+        background-color: #e3e3e3;
+        cursor: not-allowed;
+
+        &:hover, &:focus {
+          color: #000;
+          background-color: #e3e3e3;
+          cursor: not-allowed;
+        }
+      }
+    }
+  }
+}
+
+.pagination-lg > li {
+  > {
+    a, span {
+      padding: 10px 16px;
+      font-size: 18px;
+    }
+  }
+
+  &:first-child > {
+    a, span {
+      border-bottom-left-radius: 6px;
+      border-top-left-radius: 6px;
+    }
+  }
+
+  &:last-child > {
+    a, span {
+      border-bottom-right-radius: 6px;
+      border-top-right-radius: 6px;
+    }
+  }
+}
 
+.pagination-sm > li {
+  > {
+    a, span {
+      padding: 5px 10px;
+      font-size: 12px;
+    }
+  }
 
-.pagination-lg > li > a,
-.pagination-lg > li > span {
-  padding: 10px 16px;
-  font-size: 18px; }
-.pagination-lg > li:first-child > a,
-.pagination-lg > li:first-child > span {
-  border-bottom-left-radius: 6px;
-  border-top-left-radius: 6px; }
-.pagination-lg > li:last-child > a,
-.pagination-lg > li:last-child > span {
-  border-bottom-right-radius: 6px;
-  border-top-right-radius: 6px; }
-
-.pagination-sm > li > a,
-.pagination-sm > li > span {
-  padding: 5px 10px;
-  font-size: 12px; }
-.pagination-sm > li:first-child > a,
-.pagination-sm > li:first-child > span {
-  border-bottom-left-radius: 3px;
-  border-top-left-radius: 3px; }
-.pagination-sm > li:last-child > a,
-.pagination-sm > li:last-child > span {
-  border-bottom-right-radius: 3px;
-  border-top-right-radius: 3px; }
+  &:first-child > {
+    a, span {
+      border-bottom-left-radius: 3px;
+      border-top-left-radius: 3px;
+    }
+  }
+
+  &:last-child > {
+    a, span {
+      border-bottom-right-radius: 3px;
+      border-top-right-radius: 3px;
+    }
+  }
+}
 
 .pager {
   padding-left: 0;
   margin: 20px 0;
   list-style: none;
-  text-align: center; }
-  .pager:before, .pager:after {
+  text-align: center;
+
+  &:before {
     content: " ";
-    display: table; }
-  .pager:after {
-    clear: both; }
-  .pager li {
-    display: inline; }
-    .pager li > a,
-    .pager li > span {
-      display: inline-block;
-      padding: 5px 14px;
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+
+  li {
+    display: inline;
+
+    > {
+      a, span {
+        display: inline-block;
+        padding: 5px 14px;
+        background-color: #fff;
+        border: 1px solid #ddd;
+        border-radius: 15px;
+      }
+
+      a {
+        &:hover, &:focus {
+          text-decoration: none;
+          background-color: #eeeeee;
+        }
+      }
+    }
+  }
+
+  .next > {
+    a, span {
+      float: right;
+    }
+  }
+
+  .previous > {
+    a, span {
+      float: left;
+    }
+  }
+
+  .disabled > {
+    a {
+      color: #777777;
       background-color: #fff;
-      border: 1px solid #ddd;
-      border-radius: 15px; }
-    .pager li > a:hover,
-    .pager li > a:focus {
-      text-decoration: none;
-      background-color: #eeeeee; }
-
-  .pager .next > a,
-  .pager .next > span {
-    float: right; }
-  .pager .previous > a,
-  .pager .previous > span {
-    float: left; }
-  .pager .disabled > a,
-  .pager .disabled > a:hover,
-  .pager .disabled > a:focus,
-  .pager .disabled > span {
-    color: #777777;
-    background-color: #fff;
-    cursor: not-allowed; }
+      cursor: not-allowed;
 
+      &:hover, &:focus {
+        color: #777777;
+        background-color: #fff;
+        cursor: not-allowed;
+      }
+    }
+
+    span {
+      color: #777777;
+      background-color: #fff;
+      cursor: not-allowed;
+    }
+  }
+}
 
 .label {
   display: inline;
@@ -4191,60 +7240,91 @@ tbody.collapse.in {
   text-align: center;
   white-space: nowrap;
   vertical-align: baseline;
-  border-radius: .25em; }
-  .label:empty {
-    display: none; }
-  .btn .label {
-    position: relative;
-    top: -1px; }
+  border-radius: .25em;
 
-a.label:hover, a.label:focus {
-  color: #fff;
-  text-decoration: none;
-  cursor: pointer; }
+  &:empty {
+    display: none;
+  }
+}
 
+.btn .label {
+  position: relative;
+  top: -1px;
+}
 
-.label-default {
-  background-color: #777777; }
-  .label-default[href]:hover, .label-default[href]:focus {
-    background-color: #5e5e5e;
-	border-color: #323232;}
+a.label {
+  &:hover, &:focus {
+    color: #fff;
+    text-decoration: none;
+    cursor: pointer;
+  }
+}
 
+.label-default {
+  background-color: #777777;
+
+  &[href] {
+    &:hover, &:focus {
+      background-color: #5e5e5e;
+      border-color: #323232;
+    }
+  }
+}
 
 .label-primary {
-  background-color: #FF8B00; }
-  .label-primary[href]:hover, .label-primary[href]:focus {
-    background-color: #b85904; }
+  background-color: #FF8B00;
 
+  &[href] {
+    &:hover, &:focus {
+      background-color: #b85904;
+    }
+  }
+}
 
 .label-success {
   background-color: #397E37;
-  border-color: #323232;}
-  .label-success[href]:hover, .label-success[href]:focus {
-    background-color: #7fc54f;
-	border-color: #323232;	}
-
+  border-color: #323232;
+
+  &[href] {
+    &:hover, &:focus {
+      background-color: #7fc54f;
+      border-color: #323232;
+    }
+  }
+}
 
 .label-info {
-  background-color: #B0CDDB; }
-  .label-info[href]:hover, .label-info[href]:focus {
-    background-color: #8db7cb;
-	border-color: #323232;	}
+  background-color: #B0CDDB;
 
+  &[href] {
+    &:hover, &:focus {
+      background-color: #8db7cb;
+      border-color: #323232;
+    }
+  }
+}
 
 .label-warning {
-  background-color: #f0ad4e; }
-  .label-warning[href]:hover, .label-warning[href]:focus {
-    background-color: #ec971f;
-	border-color: #323232;}
-
+  background-color: #f0ad4e;
+
+  &[href] {
+    &:hover, &:focus {
+      background-color: #ec971f;
+      border-color: #323232;
+    }
+  }
+}
 
 .label-danger {
-  background-color: #DA4829; }
-  .label-danger[href]:hover, .label-danger[href]:focus {
-    background-color: #ec2121;
-	border-color: #323232;}
-
+  background-color: #DA4829;
+
+  &[href] {
+    &:hover, &:focus {
+      background-color: #ec2121;
+      border-color: #323232;
+    }
+  }
+}
 
 .badge {
   display: inline-block;
@@ -4258,55 +7338,93 @@ a.label:hover, a.label:focus {
   white-space: nowrap;
   text-align: center;
   background-color: #ff6e05;
-  border-radius: 10px; }
-  .badge:empty {
-    display: none; }
-  .btn .badge {
-    position: relative;
-    top: -1px; }
-  .btn-xs .badge, .btn-group-xs > .btn .badge {
-    top: 0;
-    padding: 1px 5px; }
-  a.list-group-item.active > .badge, .nav-pills > .active > a > .badge {
+  border-radius: 10px;
+
+  &:empty {
+    display: none;
+  }
+}
+
+.btn .badge {
+  position: relative;
+  top: -1px;
+}
+
+.btn-xs .badge, .btn-group-xs > .btn .badge {
+  top: 0;
+  padding: 1px 5px;
+}
+
+a.list-group-item.active > .badge {
+  color: #FF8B00;
+  background-color: #fff;
+}
+
+.nav-pills > {
+  .active > a > .badge {
     color: #FF8B00;
-    background-color: #fff; }
-  .nav-pills > li > a > .badge {
-    margin-left: 3px; }
+    background-color: #fff;
+  }
 
-a.badge:hover, a.badge:focus {
-  color: #fff;
-  text-decoration: none;
-  cursor: pointer; }
+  li > a > .badge {
+    margin-left: 3px;
+  }
+}
 
+a.badge {
+  &:hover, &:focus {
+    color: #fff;
+    text-decoration: none;
+    cursor: pointer;
+  }
+}
 
 .jumbotron {
   padding: 30px;
   margin-bottom: 30px;
   color: inherit;
-  background-color: #eeeeee; }
-  .jumbotron h1,
-  .jumbotron .h1 {
-    color: inherit; }
-  .jumbotron p {
+  background-color: #eeeeee;
+
+  h1, .h1 {
+    color: inherit;
+  }
+
+  p {
     margin-bottom: 15px;
     font-size: 21px;
-    font-weight: 200; }
-  .jumbotron > hr {
-    border-top-color: #d5d5d5; }
+    font-weight: 200;
+  }
+
+  > hr {
+    border-top-color: #d5d5d5;
+  }
+}
+
+.container .jumbotron {
+  border-radius: 6px;
+}
+
+.jumbotron .container {
+  max-width: 100%;
+}
+
+@media screen and (min-width: 768px) {
+  .jumbotron {
+    padding-top: 48px;
+    padding-bottom: 48px;
+  }
+
   .container .jumbotron {
-    border-radius: 6px; }
-  .jumbotron .container {
-    max-width: 100%; }
-  @media screen and (min-width: 768px) {
-    .jumbotron {
-      padding-top: 48px;
-      padding-bottom: 48px; }
-      .container .jumbotron {
-        padding-left: 60px;
-        padding-right: 60px; }
-      .jumbotron h1,
-      .jumbotron .h1 {
-        font-size: 63px; } }
+    padding-left: 60px;
+    padding-right: 60px;
+  }
+
+  .jumbotron {
+    h1, .h1 {
+      font-size: 63px;
+    }
+  }
+}
 
 .thumbnail {
   display: block;
@@ -4318,104 +7436,145 @@ a.badge:hover, a.badge:focus {
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
   -o-transition: all 0.2s ease-in-out;
-  transition: all 0.2s ease-in-out; }
-  .thumbnail > img,
-  .thumbnail a > img {
+  transition: all 0.2s ease-in-out;
+
+  > img, a > img {
     display: block;
     width: 100% \9;
     max-width: 100%;
     height: auto;
     margin-left: auto;
-    margin-right: auto; }
-  .thumbnail .caption {
-    padding: 9px;
-    color: #3C3C3B; }
+    margin-right: auto;
+  }
 
-a.thumbnail:hover,
-a.thumbnail:focus,
-a.thumbnail.active {
-  border-color: #FF8B00; }
+  .caption {
+    padding: 9px;
+    color: #3C3C3B;
+  }
+}
 
+a.thumbnail {
+  &:hover, &:focus, &.active {
+    border-color: #FF8B00;
+  }
+}
 
 .alert {
   padding: 15px;
   margin-bottom: 20px;
   border: 1px solid #b0b0b0;
   border-radius: 3px;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-}
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
 
-  .alert h4 {
+  h4 {
     margin-top: 0;
-    color: inherit; }
-  .alert .alert-link {
-    font-weight: bold; }
-  .alert > p,
-  .alert > ul {
-    margin-bottom: 0; }
-  .alert > p + p {
-    margin-top: 5px; }
-
-.alert-dismissable,
-.alert-dismissible {
-  padding-right: 35px; }
-  .alert-dismissable .close,
-  .alert-dismissible .close {
-    position: relative;
-    top: -2px;
-    right: -21px;
-    color: inherit; }
+    color: inherit;
+  }
+
+  .alert-link {
+    font-weight: bold;
+  }
+
+  > {
+    p, ul {
+      margin-bottom: 0;
+    }
+
+    p + p {
+      margin-top: 5px;
+    }
+  }
+}
+
+.alert-dismissable, .alert-dismissible {
+  padding-right: 35px;
+}
+
+.alert-dismissable .close, .alert-dismissible .close {
+  position: relative;
+  top: -2px;
+  right: -21px;
+  color: inherit;
+}
 
 .alert-success {
-	background-color: #fbfbfb;
-	border-color: #a5a5a5;
-	color: #000; }
-  .alert-success hr {
-    border-top-color: #8dcc62; }
-  .alert-success .alert-link {
-    color: #72bd3e; }
+  background-color: #fbfbfb;
+  border-color: #a5a5a5;
+  color: #000;
 
-.alert-info {
-	background-color: #fbfbfb;
-	border-color: #a5a5a5;
-	color: #000;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
+  hr {
+    border-top-color: #8dcc62;
+  }
+
+  .alert-link {
+    color: #72bd3e;
+  }
 }
 
-  .alert-info hr {
-    border-top-color: #DA4829; }
-  .alert-info .alert-link {
-    color: #DA4829; }
+.alert-info {
+  background-color: #fbfbfb;
+  border-color: #a5a5a5;
+  color: #000;
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  hr {
+    border-top-color: #DA4829;
+  }
+
+  .alert-link {
+    color: #DA4829;
+  }
+}
 
 .alert-warning {
-	background-color: #fff;
-	border: 1px solid #d12d0a;
-	color: #000;}
-  .alert-warning hr {
-    border-top-color: #f7e1b5; }
-  .alert-warning .alert-link {
-    color: #df8a13; }
+  background-color: #fff;
+  border: 1px solid #d12d0a;
+  color: #000;
+
+  hr {
+    border-top-color: #f7e1b5;
+  }
+
+  .alert-link {
+    color: #df8a13;
+  }
+}
 
 .alert-danger {
-	background-color: #45565f;
-	border-color: #f00; }
-  .alert-danger hr {
-    border-top-color: #DA4829; }
-  .alert-danger .alert-link {
-    color: #DA4829; }
+  background-color: #45565f;
+  border-color: #f00;
+
+  hr {
+    border-top-color: #DA4829;
+  }
+
+  .alert-link {
+    color: #DA4829;
+  }
+}
 
 @-webkit-keyframes progress-bar-stripes {
   from {
-    background-position: 40px 0; }
+    background-position: 40px 0;
+  }
+
   to {
-    background-position: 0 0; } }
+    background-position: 0 0;
+  }
+}
+
 @keyframes progress-bar-stripes {
   from {
-    background-position: 40px 0; }
+    background-position: 40px 0;
+  }
+
   to {
-    background-position: 0 0; } }
+    background-position: 0 0;
+  }
+}
+
 .progress {
   margin-bottom: 3px;
   color: #000;
@@ -4423,7 +7582,8 @@ a.thumbnail.active {
   height: 20px;
   background-color: #EAEAEA;
   border: 1px solid #b9b9b9;
-  position: relative; }
+  position: relative;
+}
 
 .progress-bar {
   float: left;
@@ -4439,514 +7599,948 @@ a.thumbnail.active {
   box-shadow: inset 0 20px 0 rgba(0, 0, 0, 0.15);
   -webkit-transition: width 0.6s ease;
   -o-transition: width 0.6s ease;
-  transition: width 0.6s ease; }
+  transition: width 0.6s ease;
+}
 
-.progress-striped .progress-bar,
-.progress-bar-striped {
+.progress-striped .progress-bar, .progress-bar-striped {
   background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
   background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-  background-size: 40px 40px; }
+  background-size: 40px 40px;
+}
 
-.progress.active .progress-bar,
-.progress-bar.active {
+.progress.active .progress-bar {
   -webkit-animation: progress-bar-stripes 2s linear infinite;
   -o-animation: progress-bar-stripes 2s linear infinite;
-  animation: progress-bar-stripes 2s linear infinite; }
+  animation: progress-bar-stripes 2s linear infinite;
+}
 
-.progress-bar[aria-valuenow="1"], .progress-bar[aria-valuenow="2"] {
-  min-width: 30px; }
-.progress-bar[aria-valuenow="0"] {
-  color: #777777;
-  min-width: 30px;
-  background-color: transparent;
-  background-image: none;
-  box-shadow: none; }
+.progress-bar {
+  &.active {
+    -webkit-animation: progress-bar-stripes 2s linear infinite;
+    -o-animation: progress-bar-stripes 2s linear infinite;
+    animation: progress-bar-stripes 2s linear infinite;
+  }
+
+  &[aria-valuenow="1"], &[aria-valuenow="2"] {
+    min-width: 30px;
+  }
+
+  &[aria-valuenow="0"] {
+    color: #777777;
+    min-width: 30px;
+    background-color: transparent;
+    background-image: none;
+    box-shadow: none;
+  }
+}
 
 .progress-bar-success {
-  background-color: #4FB654; }
-  .progress-striped .progress-bar-success {
-    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+  background-color: #4FB654;
+}
+
+.progress-striped .progress-bar-success {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+}
 
 .progress-bar-info {
-  background-color: #45565f; }
-  .progress-striped .progress-bar-info {
-    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+  background-color: #45565f;
+}
+
+.progress-striped .progress-bar-info {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+}
 
 .progress-bar-warning {
   background-color: #CCB60F;
-  color: #FFFFFF !important; }
-  .progress-striped .progress-bar-warning {
-    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+  color: #FFFFFF !important;
+}
+
+.progress-striped .progress-bar-warning {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+}
+
+.progress-bar-danger {
+  background-color: #CC2400;
+}
+
+.progress-striped .progress-bar-danger {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+}
 
-.progress-bar-danger {
-  background-color: #CC2400; }
-  .progress-striped .progress-bar-danger {
-    background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
-    background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
-
-.media,
-.media-body {
+.media, .media-body {
   overflow: hidden;
-  zoom: 1; }
+  zoom: 1;
+}
+
+.media {
+  margin-top: 15px;
 
-.media,
-.media .media {
-  margin-top: 15px; }
+  .media {
+    margin-top: 15px;
+  }
 
-.media:first-child {
-  margin-top: 0; }
+  &:first-child {
+    margin-top: 0;
+  }
+}
 
 .media-object {
-  display: block; }
+  display: block;
+}
 
 .media-heading {
-  margin: 0 0 5px; }
+  margin: 0 0 5px;
+}
+
+.media > {
+  .pull-left {
+    margin-right: 10px;
+  }
 
-.media > .pull-left {
-  margin-right: 10px; }
-.media > .pull-right {
-  margin-left: 10px; }
+  .pull-right {
+    margin-left: 10px;
+  }
+}
 
 .media-list {
   padding-left: 0;
-  list-style: none; }
+  list-style: none;
+}
 
 .list-group {
   margin-bottom: 20px;
-  padding-left: 0; }
+  padding-left: 0;
+}
 
 .list-group-item {
   position: relative;
   display: block;
   padding: 6px 8px;
   margin-bottom: -1px;
-  background-color: #172c38; }
-  .list-group-item:last-child {
-    margin-bottom: 0; }
-  .list-group-item > .badge {
-    float: right; }
-  .list-group-item > .badge + .badge {
-    margin-right: 5px; }
+  background-color: #172c38;
+
+  &:last-child {
+    margin-bottom: 0;
+  }
+
+  > .badge {
+    float: right;
+
+    + .badge {
+      margin-right: 5px;
+    }
+  }
+}
 
 a.list-group-item {
   color: #FFFFFF;
   border-radius: 0;
-  outline:0; }
+  outline: 0;
+
+  .list-group-item-heading {
+    color: #2d2d2d;
+  }
 
-  a.list-group-item .list-group-item-heading {
-    color: #2d2d2d; }
-  a.list-group-item:hover, a.list-group-item:focus {
+  &:hover, &:focus {
     text-decoration: none;
     color: #000;
-    background-color: #FFF; }
-
-    a.list-group-item:hover:before, a.list-group-item:focus:before {
-      background: #FFFFFF;
-      content: "";
-      height: 42px;
-      left: 0;
-      position: absolute;
-      top: 0;
-      width: 3px; }
+    background-color: #FFF;
+  }
 
-.list-group-item.disabled, .list-group-item.disabled:hover, .list-group-item.disabled:focus {
-  background-color: #eeeeee;
-  color: #777777; }
-
-  .list-group-item.disabled .list-group-item-heading, .list-group-item.disabled:hover .list-group-item-heading, .list-group-item.disabled:focus .list-group-item-heading {
-    color: inherit; }
-
-  .list-group-item.disabled .list-group-item-text, .list-group-item.disabled:hover .list-group-item-text, .list-group-item.disabled:focus .list-group-item-text {
-    color: #777777; }
-
-.list-group-item.active, .list-group-item.active:hover, .list-group-item.active:focus {
-  z-index: 2; }
-  .list-group-item.active:before, .list-group-item.active:hover:before, .list-group-item.active:focus:before {
-    background: #ff8b00;
-    content: "";
-    height: 42px;
-    left: 0;
-    position: absolute;
-    top: 0px;
-    width: 3px; }
-
-  .list-group-item.active .list-group-item-heading,
-  .list-group-item.active .list-group-item-heading > small,
-  .list-group-item.active .list-group-item-heading > .small, .list-group-item.active:hover .list-group-item-heading,
-  .list-group-item.active:hover .list-group-item-heading > small,
-  .list-group-item.active:hover .list-group-item-heading > .small, .list-group-item.active:focus .list-group-item-heading,
-  .list-group-item.active:focus .list-group-item-heading > small,
-  .list-group-item.active:focus .list-group-item-heading > .small {
-    color: inherit; }
-  .list-group-item.active .list-group-item-text, .list-group-item.active:hover .list-group-item-text, .list-group-item.active:focus .list-group-item-text {
-    color: #fedcbd; }
-  .list-group-item.active + .collapse > .list-group-item:before, .list-group-item.active:hover + .collapse > .list-group-item:before, .list-group-item.active:focus + .collapse > .list-group-item:before {
-    background: #FF8B00;
+  &:hover:before, &:focus:before {
+    background: #FFFFFF;
     content: "";
     height: 42px;
     left: 0;
     position: absolute;
-    top: 0px;
-    width: 3px; }
+    top: 0;
+    width: 3px;
+  }
+}
+
+.list-group-item {
+  &.disabled {
+    background-color: #eeeeee;
+    color: #777777;
+
+    &:hover, &:focus {
+      background-color: #eeeeee;
+      color: #777777;
+    }
+
+    .list-group-item-heading, &:hover .list-group-item-heading, &:focus .list-group-item-heading {
+      color: inherit;
+    }
+
+    .list-group-item-text, &:hover .list-group-item-text, &:focus .list-group-item-text {
+      color: #777777;
+    }
+  }
+
+  &.active {
+    z-index: 2;
+
+    &:hover, &:focus {
+      z-index: 2;
+    }
+
+    &:before, &:hover:before, &:focus:before {
+      background: #ff8b00;
+      content: "";
+      height: 42px;
+      left: 0;
+      position: absolute;
+      top: 0px;
+      width: 3px;
+    }
+
+    .list-group-item-heading {
+      color: inherit;
+
+      > {
+        small, .small {
+          color: inherit;
+        }
+      }
+    }
+
+    &:hover .list-group-item-heading {
+      color: inherit;
+
+      > {
+        small, .small {
+          color: inherit;
+        }
+      }
+    }
+
+    &:focus .list-group-item-heading {
+      color: inherit;
+
+      > {
+        small, .small {
+          color: inherit;
+        }
+      }
+    }
+
+    .list-group-item-text, &:hover .list-group-item-text, &:focus .list-group-item-text {
+      color: #fedcbd;
+    }
+
+    + .collapse > .list-group-item:before, &:hover + .collapse > .list-group-item:before, &:focus + .collapse > .list-group-item:before {
+      background: #FF8B00;
+      content: "";
+      height: 42px;
+      left: 0;
+      position: absolute;
+      top: 0px;
+      width: 3px;
+    }
+  }
+}
 
 .list-group-item-success {
   color: #9BD275;
-  background-color: #9BD275; }
+  background-color: #9BD275;
+}
 
 a.list-group-item-success {
-  color: #9BD275; }
-  a.list-group-item-success .list-group-item-heading {
-    color: inherit; }
-  a.list-group-item-success:hover, a.list-group-item-success:focus {
+  color: #9BD275;
+
+  .list-group-item-heading {
+    color: inherit;
+  }
+
+  &:hover, &:focus {
     color: #9BD275;
-    background-color: #8dcc62; }
-  a.list-group-item-success.active, a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
+    background-color: #8dcc62;
+  }
+
+  &.active {
     color: #fff;
     background-color: #9BD275;
-    border-color: #9BD275; }
+    border-color: #9BD275;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #9BD275;
+      border-color: #9BD275;
+    }
+  }
+}
 
 .list-group-item-info {
   color: #31708f;
-  background-color: #d9edf7; }
+  background-color: #d9edf7;
+}
 
 a.list-group-item-info {
-  color: #31708f; }
-  a.list-group-item-info .list-group-item-heading {
-    color: inherit; }
-  a.list-group-item-info:hover, a.list-group-item-info:focus {
+  color: #31708f;
+
+  .list-group-item-heading {
+    color: inherit;
+  }
+
+  &:hover, &:focus {
     color: #31708f;
-    background-color: #c4e3f3; }
-  a.list-group-item-info.active, a.list-group-item-info.active:hover, a.list-group-item-info.active:focus {
+    background-color: #c4e3f3;
+  }
+
+  &.active {
     color: #fff;
     background-color: #31708f;
-    border-color: #31708f; }
+    border-color: #31708f;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #31708f;
+      border-color: #31708f;
+    }
+  }
+}
 
 .list-group-item-warning {
   color: #f0ad4e;
-  background-color: #fcf8e3; }
+  background-color: #fcf8e3;
+}
 
 a.list-group-item-warning {
-  color: #f0ad4e; }
-  a.list-group-item-warning .list-group-item-heading {
-    color: inherit; }
-  a.list-group-item-warning:hover, a.list-group-item-warning:focus {
+  color: #f0ad4e;
+
+  .list-group-item-heading {
+    color: inherit;
+  }
+
+  &:hover, &:focus {
     color: #f0ad4e;
-    background-color: #faf2cc; }
-  a.list-group-item-warning.active, a.list-group-item-warning.active:hover, a.list-group-item-warning.active:focus {
+    background-color: #faf2cc;
+  }
+
+  &.active {
     color: #fff;
     background-color: #f0ad4e;
-    border-color: #f0ad4e; }
+    border-color: #f0ad4e;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #f0ad4e;
+      border-color: #f0ad4e;
+    }
+  }
+}
 
 .list-group-item-danger {
   color: #F05050;
-  background-color: #F05050; }
+  background-color: #F05050;
+}
 
 a.list-group-item-danger {
-  color: #F05050; }
-  a.list-group-item-danger .list-group-item-heading {
-    color: inherit; }
-  a.list-group-item-danger:hover, a.list-group-item-danger:focus {
+  color: #F05050;
+
+  .list-group-item-heading {
+    color: inherit;
+  }
+
+  &:hover, &:focus {
     color: #F05050;
-    background-color: #ee3939; }
-  a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-group-item-danger.active:focus {
+    background-color: #ee3939;
+  }
+
+  &.active {
     color: #fff;
     background-color: #F05050;
-    border-color: #F05050; }
+    border-color: #F05050;
+
+    &:hover, &:focus {
+      color: #fff;
+      background-color: #F05050;
+      border-color: #F05050;
+    }
+  }
+}
 
 .list-group-item-heading {
   margin-top: 0;
-  margin-bottom: 5px; }
+  margin-bottom: 5px;
+}
 
 .list-group-item-text {
   margin-bottom: 0;
-  line-height: 1.3; }
+  line-height: 1.3;
+}
 
 .panel {
   border: 1px solid #b0b0b0;
-  margin-bottom: 20px; }
+  margin-bottom: 20px;
+}
 
 .panel-body {
   padding: 15px;
-  background-color: #F0F0F0;}
-  .panel-body:before, .panel-body:after {
+  background-color: #F0F0F0;
+
+  &:before {
     content: " ";
-    display: table; }
-  .panel-body:after {
-    clear: both; }
+    display: table;
+  }
+
+  &:after {
+    content: " ";
+    display: table;
+    clear: both;
+  }
+}
 
 .panel-heading {
   padding: 10px 15px;
   border-bottom: 1px solid #b0b0b0;
   border-top-right-radius: 2px;
   border-top-left-radius: 2px;
-  background-color: #45565f; }
+  background-color: #45565f;
 
-  .panel-heading > .dropdown .dropdown-toggle {
-    color: inherit; }
+  > .dropdown .dropdown-toggle {
+    color: inherit;
+  }
+}
 
 .panel-title {
   margin-top: 0;
   margin-bottom: 0;
   font-size: 16px;
-  color: inherit; }
-  .panel-title > a {
-    color: inherit; }
+  color: inherit;
+
+  > a {
+    color: inherit;
+  }
+}
 
 .panel-footer {
   padding: 10px 15px;
   background-color: #f5f5f5;
   border-top: 1px solid #ddd;
   border-bottom-right-radius: 2px;
-  border-bottom-left-radius: 2px; }
+  border-bottom-left-radius: 2px;
+}
 
 .panel > .list-group {
-  margin-bottom: 0; }
-  .panel > .list-group .list-group-item {
+  margin-bottom: 0;
+
+  .list-group-item {
     border-width: 1px 0;
-    border-radius: 0; }
-  .panel > .list-group:first-child .list-group-item:first-child {
-    border-top: 0; }
-  .panel > .list-group:last-child .list-group-item:last-child {
-    border-bottom: 0; }
-
-.panel-heading + .list-group .list-group-item:first-child {
-  border-top-width: 0; }
-
-.list-group + .panel-footer {
-  border-top-width: 0; }
-
-.panel > .table,
-.panel > .table-responsive > .table,
-.panel > .panel-collapse > .table {
-  margin-bottom: 0; }
-.panel > .table:first-child,
-.panel > .table-responsive:first-child > .table:first-child {
-  border-top-right-radius: 2px;
-  border-top-left-radius: 2px; }
-  .panel > .table:first-child > thead:first-child > tr:first-child td:first-child,
-  .panel > .table:first-child > thead:first-child > tr:first-child th:first-child,
-  .panel > .table:first-child > tbody:first-child > tr:first-child td:first-child,
-  .panel > .table:first-child > tbody:first-child > tr:first-child th:first-child,
-  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child,
-  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child,
-  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child,
-  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child {
-    border-top-left-radius: 2px; }
-  .panel > .table:first-child > thead:first-child > tr:first-child td:last-child,
-  .panel > .table:first-child > thead:first-child > tr:first-child th:last-child,
-  .panel > .table:first-child > tbody:first-child > tr:first-child td:last-child,
-  .panel > .table:first-child > tbody:first-child > tr:first-child th:last-child,
-  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child,
-  .panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child,
-  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child,
-  .panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child {
-    border-top-right-radius: 2px; }
-.panel > .table:last-child,
-.panel > .table-responsive:last-child > .table:last-child {
-  border-bottom-right-radius: 2px;
-  border-bottom-left-radius: 2px; }
-  .panel > .table:last-child > tbody:last-child > tr:last-child td:first-child,
-  .panel > .table:last-child > tbody:last-child > tr:last-child th:first-child,
-  .panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
-  .panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child,
-  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child,
-  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child,
-  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
-  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child {
-    border-bottom-left-radius: 2px; }
-  .panel > .table:last-child > tbody:last-child > tr:last-child td:last-child,
-  .panel > .table:last-child > tbody:last-child > tr:last-child th:last-child,
-  .panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
-  .panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child,
-  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child,
-  .panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child,
-  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
-  .panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child {
-    border-bottom-right-radius: 2px; }
-.panel > .panel-body + .table,
-.panel > .panel-body + .table-responsive {
-  border-top: 1px solid #eee; }
-.panel > .table > tbody:first-child > tr:first-child th,
-.panel > .table > tbody:first-child > tr:first-child td {
-  border-top: 0; }
-.panel > .table-bordered,
-.panel > .table-responsive > .table-bordered {
-  border: 0; }
-  .panel > .table-bordered > thead > tr > th:first-child,
-  .panel > .table-bordered > thead > tr > td:first-child,
-  .panel > .table-bordered > tbody > tr > th:first-child,
-  .panel > .table-bordered > tbody > tr > td:first-child,
-  .panel > .table-bordered > tfoot > tr > th:first-child,
-  .panel > .table-bordered > tfoot > tr > td:first-child,
-  .panel > .table-responsive > .table-bordered > thead > tr > th:first-child,
-  .panel > .table-responsive > .table-bordered > thead > tr > td:first-child,
-  .panel > .table-responsive > .table-bordered > tbody > tr > th:first-child,
-  .panel > .table-responsive > .table-bordered > tbody > tr > td:first-child,
-  .panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child,
-  .panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child {
-    border-left: 0; }
-  .panel > .table-bordered > thead > tr > th:last-child,
-  .panel > .table-bordered > thead > tr > td:last-child,
-  .panel > .table-bordered > tbody > tr > th:last-child,
-  .panel > .table-bordered > tbody > tr > td:last-child,
-  .panel > .table-bordered > tfoot > tr > th:last-child,
-  .panel > .table-bordered > tfoot > tr > td:last-child,
-  .panel > .table-responsive > .table-bordered > thead > tr > th:last-child,
-  .panel > .table-responsive > .table-bordered > thead > tr > td:last-child,
-  .panel > .table-responsive > .table-bordered > tbody > tr > th:last-child,
-  .panel > .table-responsive > .table-bordered > tbody > tr > td:last-child,
-  .panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child,
-  .panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child {
-    border-right: 0; }
-  .panel > .table-bordered > thead > tr:first-child > td,
-  .panel > .table-bordered > thead > tr:first-child > th,
-  .panel > .table-bordered > tbody > tr:first-child > td,
-  .panel > .table-bordered > tbody > tr:first-child > th,
-  .panel > .table-responsive > .table-bordered > thead > tr:first-child > td,
-  .panel > .table-responsive > .table-bordered > thead > tr:first-child > th,
-  .panel > .table-responsive > .table-bordered > tbody > tr:first-child > td,
-  .panel > .table-responsive > .table-bordered > tbody > tr:first-child > th {
-    border-bottom: 0; }
-  .panel > .table-bordered > tbody > tr:last-child > td,
-  .panel > .table-bordered > tbody > tr:last-child > th,
-  .panel > .table-bordered > tfoot > tr:last-child > td,
-  .panel > .table-bordered > tfoot > tr:last-child > th,
-  .panel > .table-responsive > .table-bordered > tbody > tr:last-child > td,
-  .panel > .table-responsive > .table-bordered > tbody > tr:last-child > th,
-  .panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td,
-  .panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th {
-    border-bottom: 0; }
-.panel > .table-responsive {
-  border: 0;
-  margin-bottom: 0; }
+    border-radius: 0;
+  }
+
+  &:first-child .list-group-item:first-child {
+    border-top: 0;
+  }
+
+  &:last-child .list-group-item:last-child {
+    border-bottom: 0;
+  }
+}
+
+.panel-heading + .list-group .list-group-item:first-child, .list-group + .panel-footer {
+  border-top-width: 0;
+}
+
+.panel > {
+  .table, .table-responsive > .table, .panel-collapse > .table {
+    margin-bottom: 0;
+  }
+
+  .table:first-child, .table-responsive:first-child > .table:first-child {
+    border-top-right-radius: 2px;
+    border-top-left-radius: 2px;
+  }
+
+  .table:first-child > {
+    thead:first-child > tr:first-child {
+      td:first-child, th:first-child {
+        border-top-left-radius: 2px;
+      }
+    }
+
+    tbody:first-child > tr:first-child {
+      td:first-child, th:first-child {
+        border-top-left-radius: 2px;
+      }
+    }
+  }
+
+  .table-responsive:first-child > .table:first-child > {
+    thead:first-child > tr:first-child {
+      td:first-child, th:first-child {
+        border-top-left-radius: 2px;
+      }
+    }
+
+    tbody:first-child > tr:first-child {
+      td:first-child, th:first-child {
+        border-top-left-radius: 2px;
+      }
+    }
+  }
+
+  .table:first-child > {
+    thead:first-child > tr:first-child {
+      td:last-child, th:last-child {
+        border-top-right-radius: 2px;
+      }
+    }
+
+    tbody:first-child > tr:first-child {
+      td:last-child, th:last-child {
+        border-top-right-radius: 2px;
+      }
+    }
+  }
+
+  .table-responsive:first-child > .table:first-child > {
+    thead:first-child > tr:first-child {
+      td:last-child, th:last-child {
+        border-top-right-radius: 2px;
+      }
+    }
+
+    tbody:first-child > tr:first-child {
+      td:last-child, th:last-child {
+        border-top-right-radius: 2px;
+      }
+    }
+  }
+
+  .table:last-child, .table-responsive:last-child > .table:last-child {
+    border-bottom-right-radius: 2px;
+    border-bottom-left-radius: 2px;
+  }
+
+  .table:last-child > {
+    tbody:last-child > tr:last-child {
+      td:first-child, th:first-child {
+        border-bottom-left-radius: 2px;
+      }
+    }
+
+    tfoot:last-child > tr:last-child {
+      td:first-child, th:first-child {
+        border-bottom-left-radius: 2px;
+      }
+    }
+  }
+
+  .table-responsive:last-child > .table:last-child > {
+    tbody:last-child > tr:last-child {
+      td:first-child, th:first-child {
+        border-bottom-left-radius: 2px;
+      }
+    }
+
+    tfoot:last-child > tr:last-child {
+      td:first-child, th:first-child {
+        border-bottom-left-radius: 2px;
+      }
+    }
+  }
+
+  .table:last-child > {
+    tbody:last-child > tr:last-child {
+      td:last-child, th:last-child {
+        border-bottom-right-radius: 2px;
+      }
+    }
+
+    tfoot:last-child > tr:last-child {
+      td:last-child, th:last-child {
+        border-bottom-right-radius: 2px;
+      }
+    }
+  }
+
+  .table-responsive:last-child > .table:last-child > {
+    tbody:last-child > tr:last-child {
+      td:last-child, th:last-child {
+        border-bottom-right-radius: 2px;
+      }
+    }
+
+    tfoot:last-child > tr:last-child {
+      td:last-child, th:last-child {
+        border-bottom-right-radius: 2px;
+      }
+    }
+  }
+
+  .panel-body + {
+    .table, .table-responsive {
+      border-top: 1px solid #eee;
+    }
+  }
+
+  .table > tbody:first-child > tr:first-child {
+    th, td {
+      border-top: 0;
+    }
+  }
+
+  .table-bordered, .table-responsive > .table-bordered {
+    border: 0;
+  }
+
+  .table-bordered > {
+    thead > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+
+    tbody > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+
+    tfoot > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+  }
+
+  .table-responsive > .table-bordered > {
+    thead > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+
+    tbody > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+
+    tfoot > tr > {
+      th:first-child, td:first-child {
+        border-left: 0;
+      }
+    }
+  }
+
+  .table-bordered > {
+    thead > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+
+    tbody > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+
+    tfoot > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+  }
+
+  .table-responsive > .table-bordered > {
+    thead > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+
+    tbody > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+
+    tfoot > tr > {
+      th:last-child, td:last-child {
+        border-right: 0;
+      }
+    }
+  }
+
+  .table-bordered > {
+    thead > tr:first-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+
+    tbody > tr:first-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+  }
+
+  .table-responsive > .table-bordered > {
+    thead > tr:first-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+
+    tbody > tr:first-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+  }
+
+  .table-bordered > {
+    tbody > tr:last-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+
+    tfoot > tr:last-child > {
+      td, th {
+        border-bottom: 0;
+      }
+    }
+  }
+
+  .table-responsive {
+    > .table-bordered > {
+      tbody > tr:last-child > {
+        td, th {
+          border-bottom: 0;
+        }
+      }
+
+      tfoot > tr:last-child > {
+        td, th {
+          border-bottom: 0;
+        }
+      }
+    }
+
+    border: 0;
+    margin-bottom: 0;
+  }
+}
 
 .panel-group {
-  margin-bottom: 20px; }
-  .panel-group .panel {
+  margin-bottom: 20px;
+
+  .panel {
     margin-bottom: 0;
-    border-radius: 3px; }
-    .panel-group .panel + .panel {
-      margin-top: 5px; }
-  .panel-group .panel-heading {
-    border-bottom: 0; }
-    .panel-group .panel-heading + .panel-collapse > .panel-body {
-      border-top: 1px solid #ddd; }
-  .panel-group .panel-footer {
-    border-top: 0; }
-    .panel-group .panel-footer + .panel-collapse .panel-body {
-      border-bottom: 1px solid #ddd; }
-  .panel-default {
-	-webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
-  .panel-default > .panel-heading {
-	color: #fff;
-	border-color: #b0b0b0; }
-    .panel-default > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #b0b0b0; }
-    .panel-default > .panel-heading .badge {
-      color: #f5f5f5;
-      background-color: #2d2d2d; }
-  .panel-default > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #b0b0b0; }
-  .panel-primary {
-	-webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
-  .panel-primary > .panel-heading {
-    color: #FFF;
-    border-color: #b0b0b0; }
-    .panel-primary > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #FF8B00; }
-    .panel-primary > .panel-heading .badge {
-      color: #FF8B00;
-      background-color: #fff; }
-  .panel-primary > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #FF8B00; }
+    border-radius: 3px;
+
+    + .panel {
+      margin-top: 5px;
+    }
+  }
+
+  .panel-heading {
+    border-bottom: 0;
+
+    + .panel-collapse > .panel-body {
+      border-top: 1px solid #ddd;
+    }
+  }
+
+  .panel-footer {
+    border-top: 0;
+
+    + .panel-collapse .panel-body {
+      border-bottom: 1px solid #ddd;
+    }
+  }
+}
+
+.panel-default {
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  > {
+    .panel-heading {
+      color: #fff;
+      border-color: #b0b0b0;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #b0b0b0;
+      }
+
+      .badge {
+        color: #f5f5f5;
+        background-color: #2d2d2d;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #b0b0b0;
+    }
+  }
+}
+
+.panel-primary {
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  > {
+    .panel-heading {
+      color: #FFF;
+      border-color: #b0b0b0;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #FF8B00;
+      }
+
+      .badge {
+        color: #FF8B00;
+        background-color: #fff;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #FF8B00;
+    }
+  }
+}
 
 .panel-success {
-  border-color: #9BD275; }
-  .panel-success > .panel-heading {
-    color: #9BD275;
-    background-color: #9BD275;
-    border-color: #9BD275; }
-    .panel-success > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #9BD275; }
-    .panel-success > .panel-heading .badge {
+  border-color: #9BD275;
+
+  > {
+    .panel-heading {
       color: #9BD275;
-      background-color: #9BD275; }
-  .panel-success > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #9BD275; }
+      background-color: #9BD275;
+      border-color: #9BD275;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #9BD275;
+      }
+
+      .badge {
+        color: #9BD275;
+        background-color: #9BD275;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #9BD275;
+    }
+  }
+}
 
 .panel-info {
-  border-color: #b0b0b0; }
-  .panel-info > .panel-heading {
-    color: #31708f;
-    background-color: #d9edf7;
-    border-color: #b0b0b0; }
-    .panel-info > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #b0b0b0; }
-    .panel-info > .panel-heading .badge {
-      color: #d9edf7;
-      background-color: #31708f; }
-  .panel-info > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #b0b0b0; }
+  border-color: #b0b0b0;
+
+  > {
+    .panel-heading {
+      color: #31708f;
+      background-color: #d9edf7;
+      border-color: #b0b0b0;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #b0b0b0;
+      }
+
+      .badge {
+        color: #d9edf7;
+        background-color: #31708f;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #b0b0b0;
+    }
+  }
+}
 
 .panel-warning {
-  border-color: #faebcc; }
-  .panel-warning > .panel-heading {
-    color: #f0ad4e;
-    background-color: #fcf8e3;
-    border-color: #faebcc; }
-    .panel-warning > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #faebcc; }
-    .panel-warning > .panel-heading .badge {
-      color: #fcf8e3;
-      background-color: #f0ad4e; }
-  .panel-warning > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #faebcc; }
+  border-color: #faebcc;
+
+  > {
+    .panel-heading {
+      color: #f0ad4e;
+      background-color: #fcf8e3;
+      border-color: #faebcc;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #faebcc;
+      }
+
+      .badge {
+        color: #fcf8e3;
+        background-color: #f0ad4e;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #faebcc;
+    }
+  }
+}
 
 .panel-danger {
-  border-color: #F05050; }
-  .panel-danger > .panel-heading {
-    color: #F05050;
-    background-color: #F05050;
-    border-color: #F05050; }
-    .panel-danger > .panel-heading + .panel-collapse > .panel-body {
-      border-top-color: #F05050; }
-    .panel-danger > .panel-heading .badge {
+  border-color: #F05050;
+
+  > {
+    .panel-heading {
       color: #F05050;
-      background-color: #F05050; }
-  .panel-danger > .panel-footer + .panel-collapse > .panel-body {
-    border-bottom-color: #F05050; }
+      background-color: #F05050;
+      border-color: #F05050;
+
+      + .panel-collapse > .panel-body {
+        border-top-color: #F05050;
+      }
+
+      .badge {
+        color: #F05050;
+        background-color: #F05050;
+      }
+    }
+
+    .panel-footer + .panel-collapse > .panel-body {
+      border-bottom-color: #F05050;
+    }
+  }
+}
 
 .embed-responsive {
   position: relative;
   display: block;
   height: 0;
   padding: 0;
-  overflow: hidden; }
-  .embed-responsive .embed-responsive-item,
-  .embed-responsive iframe,
-  .embed-responsive embed,
-  .embed-responsive object {
+  overflow: hidden;
+
+  .embed-responsive-item, iframe, embed, object {
     position: absolute;
     top: 0;
     left: 0;
     bottom: 0;
     height: 100%;
     width: 100%;
-    border: 0; }
-  .embed-responsive.embed-responsive-16by9 {
-    padding-bottom: 56.25%; }
-  .embed-responsive.embed-responsive-4by3 {
-    padding-bottom: 75%; }
+    border: 0;
+  }
+
+  &.embed-responsive-16by9 {
+    padding-bottom: 56.25%;
+  }
+
+  &.embed-responsive-4by3 {
+    padding-bottom: 75%;
+  }
+}
 
 .well {
   min-height: 20px;
@@ -4954,44 +8548,54 @@ a.list-group-item-danger {
   margin-bottom: 20px;
   background-color: none;
   border: none;
-  border-radius: none; }
-  .well blockquote {
+  border-radius: none;
+
+  blockquote {
     border-color: #ddd;
-    border-color: rgba(0, 0, 0, 0.15); }
+    border-color: rgba(0, 0, 0, 0.15);
+  }
+}
 
 .well-lg {
   padding: 24px;
-  border-radius: 6px; }
+  border-radius: 6px;
+}
 
 .well-sm {
   padding: 9px;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
 
 .close {
-  float:right;
+  float: right;
   font-size: 21px;
   font-weight: bold;
   line-height: 1;
   color: #FFFFFF;
   text-shadow: 0 1px 0 #000;
   opacity: 1;
-  filter: alpha(opacity=100); }
-  .close:hover, .close:focus {
+  filter: alpha(opacity = 100);
+
+  &:hover, &:focus {
     color: #000;
     text-decoration: none;
     cursor: pointer;
     opacity: 1;
-    filter: alpha(opacity=100); }
+    filter: alpha(opacity = 100);
+  }
+}
 
 button.close {
   padding: 0;
   cursor: pointer;
   background: transparent;
   border: 0;
-  -webkit-appearance: none; }
+  -webkit-appearance: none;
+}
 
 .modal-open {
-  overflow: hidden; }
+  overflow: hidden;
+}
 
 .modal {
   display: none;
@@ -5003,27 +8607,34 @@ button.close {
   left: 0;
   z-index: 1050;
   -webkit-overflow-scrolling: touch;
-  outline: 0; }
-  .modal.fade .modal-dialog {
+  outline: 0;
+
+  &.fade .modal-dialog {
     -webkit-transform: translate3d(0, -25%, 0);
     transform: translate3d(0, -25%, 0);
     -webkit-transition: -webkit-transform 0.3s ease-out;
     -moz-transition: -moz-transform 0.3s ease-out;
     -o-transition: -o-transform 0.3s ease-out;
-    transition: transform 0.3s ease-out; }
-  .modal.in .modal-dialog {
+    transition: transform 0.3s ease-out;
+  }
+
+  &.in .modal-dialog {
     -webkit-transform: translate3d(0, 0, 0);
-    transform: translate3d(0, 0, 0); }
+    transform: translate3d(0, 0, 0);
+  }
+}
 
 .modal-open .modal {
   overflow-x: hidden;
-  overflow-y: auto; }
+  overflow-y: auto;
+}
 
 .modal-dialog {
   position: relative;
   width: auto;
   margin: 62px 10px 10px 10px;
-  border: 1px solid #7a7a7a;}
+  border: 1px solid #7a7a7a;
+}
 
 .modal-content {
   position: relative;
@@ -5033,7 +8644,8 @@ button.close {
   -webkit-box-shadow: 0 5px 15px rgb(30, 30, 30);
   box-shadow: 0 5px 15px rgb(5, 5, 5);
   background-clip: padding-box;
-  outline: 0; }
+  outline: 0;
+}
 
 .modal-backdrop {
   position: fixed;
@@ -5042,79 +8654,113 @@ button.close {
   bottom: 0;
   left: 0;
   z-index: 1040;
-  background-color: #000; }
-  .modal-backdrop.fade {
+  background-color: #000;
+
+  &.fade {
     opacity: 0;
-    filter: alpha(opacity=0); }
-  .modal-backdrop.in {
+    filter: alpha(opacity = 0);
+  }
+
+  &.in {
     opacity: 0.5;
-    filter: alpha(opacity=50); }
+    filter: alpha(opacity = 50);
+  }
+}
 
 .modal-header {
-  padding-left:10px;
-  padding-right:10px;
-  padding-top:3px;
-  padding-bottom:1px;
+  padding-left: 10px;
+  padding-right: 10px;
+  padding-top: 3px;
+  padding-bottom: 1px;
   border-bottom: 1px solid #4a4a4a;
   min-height: 16.42857px;
   background-color: #45565f;
-  color: #FFF; }
+  color: #FFF;
 
-.modal-header .close {
-  margin-top: -2px; }
+  .close {
+    margin-top: -2px;
+  }
+}
 
 .modal-title {
   margin: 0;
-  line-height: 1.428571429; }
+  line-height: 1.428571429;
+}
 
 .modal-body {
   position: relative;
   padding: 5px;
-  background-color: #FFF;}
-.modal-body .table-hover > tbody > tr:hover > td,
-.modal-body .table-hover > tbody > tr:hover > th {
-  background-color: #f06702;
-  color: #FFF; }
+  background-color: #FFF;
+
+  .table-hover > tbody > tr:hover > {
+    td, th {
+      background-color: #f06702;
+      color: #FFF;
+    }
+  }
+}
 
 .modal-footer {
   padding: 5px;
   text-align: right;
   background-color: #ddd;
-  border-top: 1px solid inherit; }
-  .modal-footer:before, .modal-footer:after {
+  border-top: 1px solid inherit;
+
+  &:before {
+    content: " ";
+    display: table;
+  }
+
+  &:after {
     content: " ";
-    display: table; }
-  .modal-footer:after {
-    clear: both; }
-  .modal-footer .btn + .btn {
+    display: table;
+    clear: both;
+  }
+
+  .btn + .btn {
     margin-left: 5px;
-    margin-bottom: 0; }
-  .modal-footer .btn-group .btn + .btn {
-    margin-left: -1px; }
-  .modal-footer .btn-block + .btn-block {
-    margin-left: 0; }
+    margin-bottom: 0;
+  }
+
+  .btn-group .btn + .btn {
+    margin-left: -1px;
+  }
+
+  .btn-block + .btn-block {
+    margin-left: 0;
+  }
+}
 
 .modal-scrollbar-measure {
   position: absolute;
   top: -9999px;
   width: 50px;
   height: 50px;
-  overflow: scroll; }
+  overflow: scroll;
+}
 
 @media (min-width: 768px) {
   .modal-dialog {
     width: 600px;
-    margin: 82px auto 30px auto; }
+    margin: 82px auto 30px auto;
+  }
 
   .modal-content {
     -webkit-box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
-    box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5); }
+    box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5);
+  }
 
   .modal-sm {
-    width: 300px; } }
+    width: 300px;
+  }
+}
+
 @media (min-width: 992px) {
   .modal-lg {
-    width: 900px; } }
+    width: 900px;
+  }
+}
+
 .tooltip {
   position: absolute;
   z-index: 1070;
@@ -5123,22 +8769,33 @@ button.close {
   font-size: 12px;
   line-height: 1.4;
   opacity: 0;
-  filter: alpha(opacity=0); }
-  .tooltip.in {
+  filter: alpha(opacity = 0);
+
+  &.in {
     opacity: 0.9;
-    filter: alpha(opacity=90); }
-  .tooltip.top {
+    filter: alpha(opacity = 90);
+  }
+
+  &.top {
     margin-top: -3px;
-    padding: 5px 0; }
-  .tooltip.right {
+    padding: 5px 0;
+  }
+
+  &.right {
     margin-left: 3px;
-    padding: 0 5px; }
-  .tooltip.bottom {
+    padding: 0 5px;
+  }
+
+  &.bottom {
     margin-top: 3px;
-    padding: 5px 0; }
-  .tooltip.left {
+    padding: 5px 0;
+  }
+
+  &.left {
     margin-left: -3px;
-    padding: 0 5px; }
+    padding: 0 5px;
+  }
+}
 
 .tooltip-inner {
   max-width: 200px;
@@ -5147,59 +8804,78 @@ button.close {
   text-align: center;
   text-decoration: none;
   background-color: #000;
-  border-radius: 3px; }
+  border-radius: 3px;
+}
+
+.tooltip-arrow {
+  position: absolute;
+  width: 0;
+  height: 0;
+  border-color: transparent;
+  border-style: solid;
+}
+
+.tooltip {
+  &.top .tooltip-arrow {
+    bottom: 0;
+    left: 50%;
+    margin-left: -5px;
+    border-width: 5px 5px 0;
+    border-top-color: #000;
+  }
+
+  &.top-left .tooltip-arrow {
+    bottom: 0;
+    left: 5px;
+    border-width: 5px 5px 0;
+    border-top-color: #000;
+  }
+
+  &.top-right .tooltip-arrow {
+    bottom: 0;
+    right: 5px;
+    border-width: 5px 5px 0;
+    border-top-color: #000;
+  }
+
+  &.right .tooltip-arrow {
+    top: 50%;
+    left: 0;
+    margin-top: -5px;
+    border-width: 5px 5px 5px 0;
+    border-right-color: #000;
+  }
 
-.tooltip-arrow {
-  position: absolute;
-  width: 0;
-  height: 0;
-  border-color: transparent;
-  border-style: solid; }
+  &.left .tooltip-arrow {
+    top: 50%;
+    right: 0;
+    margin-top: -5px;
+    border-width: 5px 0 5px 5px;
+    border-left-color: #000;
+  }
 
-.tooltip.top .tooltip-arrow {
-  bottom: 0;
-  left: 50%;
-  margin-left: -5px;
-  border-width: 5px 5px 0;
-  border-top-color: #000; }
-.tooltip.top-left .tooltip-arrow {
-  bottom: 0;
-  left: 5px;
-  border-width: 5px 5px 0;
-  border-top-color: #000; }
-.tooltip.top-right .tooltip-arrow {
-  bottom: 0;
-  right: 5px;
-  border-width: 5px 5px 0;
-  border-top-color: #000; }
-.tooltip.right .tooltip-arrow {
-  top: 50%;
-  left: 0;
-  margin-top: -5px;
-  border-width: 5px 5px 5px 0;
-  border-right-color: #000; }
-.tooltip.left .tooltip-arrow {
-  top: 50%;
-  right: 0;
-  margin-top: -5px;
-  border-width: 5px 0 5px 5px;
-  border-left-color: #000; }
-.tooltip.bottom .tooltip-arrow {
-  top: 0;
-  left: 50%;
-  margin-left: -5px;
-  border-width: 0 5px 5px;
-  border-bottom-color: #000; }
-.tooltip.bottom-left .tooltip-arrow {
-  top: 0;
-  left: 5px;
-  border-width: 0 5px 5px;
-  border-bottom-color: #000; }
-.tooltip.bottom-right .tooltip-arrow {
-  top: 0;
-  right: 5px;
-  border-width: 0 5px 5px;
-  border-bottom-color: #000; }
+  &.bottom .tooltip-arrow {
+    top: 0;
+    left: 50%;
+    margin-left: -5px;
+    border-width: 0 5px 5px;
+    border-bottom-color: #000;
+  }
+
+  &.bottom-left .tooltip-arrow {
+    top: 0;
+    left: 5px;
+    border-width: 0 5px 5px;
+    border-bottom-color: #000;
+  }
+
+  &.bottom-right .tooltip-arrow {
+    top: 0;
+    right: 5px;
+    border-width: 0 5px 5px;
+    border-bottom-color: #000;
+  }
+}
 
 .popover {
   position: absolute;
@@ -5213,143 +8889,201 @@ button.close {
   background-color: #fff;
   background-clip: padding-box;
   border: 1px solid #ccc;
-  border: 1px solid rgba(0, 0, 0, 0.30);
+  border: 1px solid rgba(0, 0, 0, 0.3);
   border-radius: 6px;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  white-space: normal; }
-  .popover.top {
-    margin-top: -10px; }
-  .popover.right {
-    margin-left: 10px; }
-  .popover.bottom {
-    margin-top: 10px; }
-  .popover.left {
-    margin-left: -10px; }
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  white-space: normal;
+
+  &.top {
+    margin-top: -10px;
+  }
+
+  &.right {
+    margin-left: 10px;
+  }
+
+  &.bottom {
+    margin-top: 10px;
+  }
+
+  &.left {
+    margin-left: -10px;
+  }
+}
 
 .popover-title {
   margin: 0;
   padding: 8px 14px;
-  font-size:14px;
+  font-size: 14px;
   font-weight: normal;
   line-height: 18px;
   background-color: #f7f7f7;
   border-bottom: 1px solid #ebebeb;
-  border-radius: 5px 5px 0 0; }
+  border-radius: 5px 5px 0 0;
+}
 
 .popover-content {
-  padding: 9px 14px; }
+  padding: 9px 14px;
+}
 
-.popover > .arrow, .popover > .arrow:after {
-  position: absolute;
-  display: block;
-  width: 0;
-  height: 0;
-  border-color: transparent;
-  border-style: solid; }
+.popover {
+  > .arrow {
+    position: absolute;
+    display: block;
+    width: 0;
+    height: 0;
+    border-color: transparent;
+    border-style: solid;
 
-.popover > .arrow {
-  border-width: 11px; }
+    &:after {
+      position: absolute;
+      display: block;
+      width: 0;
+      height: 0;
+      border-color: transparent;
+      border-style: solid;
+      border-width: 10px;
+      content: "";
+    }
 
-.popover > .arrow:after {
-  border-width: 10px;
-  content: ""; }
+    border-width: 11px;
+  }
 
-.popover.top > .arrow {
-  left: 50%;
-  margin-left: -11px;
-  border-bottom-width: 0;
-  border-top-color: #999999;
-  border-top-color: rgba(0, 0, 0, 0.25);
-  bottom: -11px; }
-  .popover.top > .arrow:after {
-    content: " ";
-    bottom: 1px;
-    margin-left: -10px;
+  &.top > .arrow {
+    left: 50%;
+    margin-left: -11px;
     border-bottom-width: 0;
-    border-top-color: #fff; }
-.popover.right > .arrow {
-  top: 50%;
-  left: -11px;
-  margin-top: -11px;
-  border-left-width: 0;
-  border-right-color: #999999;
-  border-right-color: rgba(0, 0, 0, 0.25); }
-  .popover.right > .arrow:after {
-    content: " ";
-    left: 1px;
-    bottom: -10px;
+    border-top-color: #999999;
+    border-top-color: rgba(0, 0, 0, 0.25);
+    bottom: -11px;
+
+    &:after {
+      content: " ";
+      bottom: 1px;
+      margin-left: -10px;
+      border-bottom-width: 0;
+      border-top-color: #fff;
+    }
+  }
+
+  &.right > .arrow {
+    top: 50%;
+    left: -11px;
+    margin-top: -11px;
     border-left-width: 0;
-    border-right-color: #fff; }
-.popover.bottom > .arrow {
-  left: 50%;
-  margin-left: -11px;
-  border-top-width: 0;
-  border-bottom-color: #999999;
-  border-bottom-color: rgba(0, 0, 0, 0.25);
-  top: -11px; }
-  .popover.bottom > .arrow:after {
-    content: " ";
-    top: 1px;
-    margin-left: -10px;
+    border-right-color: #999999;
+    border-right-color: rgba(0, 0, 0, 0.25);
+
+    &:after {
+      content: " ";
+      left: 1px;
+      bottom: -10px;
+      border-left-width: 0;
+      border-right-color: #fff;
+    }
+  }
+
+  &.bottom > .arrow {
+    left: 50%;
+    margin-left: -11px;
     border-top-width: 0;
-    border-bottom-color: #fff; }
-.popover.left > .arrow {
-  top: 50%;
-  right: -11px;
-  margin-top: -11px;
-  border-right-width: 0;
-  border-left-color: #999999;
-  border-left-color: rgba(0, 0, 0, 0.25); }
-  .popover.left > .arrow:after {
-    content: " ";
-    right: 1px;
+    border-bottom-color: #999999;
+    border-bottom-color: rgba(0, 0, 0, 0.25);
+    top: -11px;
+
+    &:after {
+      content: " ";
+      top: 1px;
+      margin-left: -10px;
+      border-top-width: 0;
+      border-bottom-color: #fff;
+    }
+  }
+
+  &.left > .arrow {
+    top: 50%;
+    right: -11px;
+    margin-top: -11px;
     border-right-width: 0;
-    border-left-color: #fff;
-    bottom: -10px; }
+    border-left-color: #999999;
+    border-left-color: rgba(0, 0, 0, 0.25);
+
+    &:after {
+      content: " ";
+      right: 1px;
+      border-right-width: 0;
+      border-left-color: #fff;
+      bottom: -10px;
+    }
+  }
+}
 
 .carousel {
-  position: relative; }
+  position: relative;
+}
 
 .carousel-inner {
   position: relative;
   overflow: hidden;
-  width: 100%; }
-  .carousel-inner > .item {
-    display: none;
-    position: relative;
-    -webkit-transition: 0.6s ease-in-out left;
-    -o-transition: 0.6s ease-in-out left;
-    transition: 0.6s ease-in-out left; }
-    .carousel-inner > .item > img,
-    .carousel-inner > .item > a > img {
+  width: 100%;
+
+  > {
+    .item {
+      display: none;
+      position: relative;
+      -webkit-transition: 0.6s ease-in-out left;
+      -o-transition: 0.6s ease-in-out left;
+      transition: 0.6s ease-in-out left;
+
+      > {
+        img, a > img {
+          display: block;
+          width: 100% \9;
+          max-width: 100%;
+          height: auto;
+          line-height: 1;
+        }
+      }
+    }
+
+    .active, .next, .prev {
       display: block;
-      width: 100% \9;
-      max-width: 100%;
-      height: auto;
-      line-height: 1; }
-  .carousel-inner > .active,
-  .carousel-inner > .next,
-  .carousel-inner > .prev {
-    display: block; }
-  .carousel-inner > .active {
-    left: 0; }
-  .carousel-inner > .next,
-  .carousel-inner > .prev {
-    position: absolute;
-    top: 0;
-    width: 100%; }
-  .carousel-inner > .next {
-    left: 100%; }
-  .carousel-inner > .prev {
-    left: -100%; }
-  .carousel-inner > .next.left,
-  .carousel-inner > .prev.right {
-    left: 0; }
-  .carousel-inner > .active.left {
-    left: -100%; }
-  .carousel-inner > .active.right {
-    left: 100%; }
+    }
+
+    .active {
+      left: 0;
+    }
+
+    .next, .prev {
+      position: absolute;
+      top: 0;
+      width: 100%;
+    }
+
+    .next {
+      left: 100%;
+    }
+
+    .prev {
+      left: -100%;
+    }
+
+    .next.left, .prev.right {
+      left: 0;
+    }
+
+    .active {
+      &.left {
+        left: -100%;
+      }
+
+      &.right {
+        left: 100%;
+      }
+    }
+  }
+}
 
 .carousel-control {
   position: absolute;
@@ -5358,57 +9092,70 @@ button.close {
   bottom: 0;
   width: 15%;
   opacity: 0.5;
-  filter: alpha(opacity=50);
+  filter: alpha(opacity = 50);
   font-size: 20px;
   color: #fff;
   text-align: center;
-  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
-  .carousel-control.left {
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
+
+  &.left {
     background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-image: linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);
     background-repeat: repeat-x;
-    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1); }
-  .carousel-control.right {
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);
+  }
+
+  &.right {
     left: auto;
     right: 0;
     background-image: -webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-image: -o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-image: linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);
     background-repeat: repeat-x;
-    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1); }
-  .carousel-control:hover, .carousel-control:focus {
+    filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);
+  }
+
+  &:hover, &:focus {
     outline: 0;
     color: #fff;
     text-decoration: none;
     opacity: 0.9;
-    filter: alpha(opacity=90); }
-  .carousel-control .icon-prev,
-  .carousel-control .icon-next,
-  .carousel-control .glyphicon-chevron-left,
-  .carousel-control .glyphicon-chevron-right {
+    filter: alpha(opacity = 90);
+  }
+
+  .icon-prev, .icon-next, .glyphicon-chevron-left, .glyphicon-chevron-right {
     position: absolute;
     top: 50%;
     z-index: 5;
-    display: inline-block; }
-  .carousel-control .icon-prev,
-  .carousel-control .glyphicon-chevron-left {
+    display: inline-block;
+  }
+
+  .icon-prev, .glyphicon-chevron-left {
     left: 50%;
-    margin-left: -10px; }
-  .carousel-control .icon-next,
-  .carousel-control .glyphicon-chevron-right {
+    margin-left: -10px;
+  }
+
+  .icon-next, .glyphicon-chevron-right {
     right: 50%;
-    margin-right: -10px; }
-  .carousel-control .icon-prev,
-  .carousel-control .icon-next {
+    margin-right: -10px;
+  }
+
+  .icon-prev, .icon-next {
     width: 20px;
     height: 20px;
     margin-top: -10px;
-    font-family: serif; }
-  .carousel-control .icon-prev:before {
-    content: '\2039'; }
-  .carousel-control .icon-next:before {
-    content: '\203a'; }
+    font-family: serif;
+  }
+
+  .icon-prev:before {
+    content: '\2039';
+  }
+
+  .icon-next:before {
+    content: '\203a';
+  }
+}
 
 .carousel-indicators {
   position: absolute;
@@ -5419,8 +9166,9 @@ button.close {
   margin-left: -30%;
   padding-left: 0;
   list-style: none;
-  text-align: center; }
-  .carousel-indicators li {
+  text-align: center;
+
+  li {
     display: inline-block;
     width: 10px;
     height: 10px;
@@ -5430,12 +9178,16 @@ button.close {
     border-radius: 10px;
     cursor: pointer;
     background-color: #000 \9;
-    background-color: transparent; }
-  .carousel-indicators .active {
+    background-color: transparent;
+  }
+
+  .active {
     margin: 0;
     width: 12px;
     height: 12px;
-    background-color: #fff; }
+    background-color: #fff;
+  }
+}
 
 .carousel-caption {
   position: absolute;
@@ -5447,255 +9199,330 @@ button.close {
   padding-bottom: 20px;
   color: #fff;
   text-align: center;
-  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6); }
-  .carousel-caption .btn {
-    text-shadow: none; }
+  text-shadow: 0 1px 2px rgba(0, 0, 0, 0.6);
+
+  .btn {
+    text-shadow: none;
+  }
+}
 
 @media screen and (min-width: 768px) {
-  .carousel-control .glyphicon-chevron-left,
-  .carousel-control .glyphicon-chevron-right,
-  .carousel-control .icon-prev,
-  .carousel-control .icon-next {
-    width: 30px;
-    height: 30px;
-    margin-top: -15px;
-    font-size: 30px; }
-  .carousel-control .glyphicon-chevron-left,
-  .carousel-control .icon-prev {
-    margin-left: -15px; }
-  .carousel-control .glyphicon-chevron-right,
-  .carousel-control .icon-next {
-    margin-right: -15px; }
+  .carousel-control {
+    .glyphicon-chevron-left, .glyphicon-chevron-right, .icon-prev, .icon-next {
+      width: 30px;
+      height: 30px;
+      margin-top: -15px;
+      font-size: 30px;
+    }
+
+    .glyphicon-chevron-left, .icon-prev {
+      margin-left: -15px;
+    }
+
+    .glyphicon-chevron-right, .icon-next {
+      margin-right: -15px;
+    }
+  }
 
   .carousel-caption {
     left: 20%;
     right: 20%;
-    padding-bottom: 30px; }
+    padding-bottom: 30px;
+  }
 
   .carousel-indicators {
-    bottom: 20px; } }
+    bottom: 20px;
+  }
+}
+
 .clearfix:before, .content-box:before, .clearfix:after, .content-box:after {
   content: " ";
-  display: table; }
+  display: table;
+}
+
 .clearfix:after, .content-box:after {
-  clear: both; }
+  clear: both;
+}
 
 .center-block {
   display: block;
   margin-left: auto;
-  margin-right: auto; }
+  margin-right: auto;
+}
 
 .pull-right {
   float: right !important;
-  margin-top: 0px;}
+  margin-top: 0px;
+}
 
 .pull-left {
   float: left !important;
-  margin-top: 0px;}
+  margin-top: 0px;
+}
 
 .hide {
-  display: none !important; }
+  display: none !important;
+}
 
 .show {
   display: block !important;
-  color: #2ba632; }
+  color: #2ba632;
+}
 
 .invisible {
-  visibility: hidden; }
+  visibility: hidden;
+}
 
 .text-hide {
   font: 0/0 a;
   color: transparent;
   text-shadow: none;
   background-color: transparent;
-  border: 0; }
+  border: 0;
+}
 
 .hidden {
   display: none !important;
-  visibility: hidden !important; }
+  visibility: hidden !important;
+}
 
 .affix {
   position: fixed;
   -webkit-transform: translate3d(0, 0, 0);
-  transform: translate3d(0, 0, 0); }
+  transform: translate3d(0, 0, 0);
+}
 
 @-ms-viewport {
-  width: device-width; }
-.visible-xs, .visible-sm, .visible-md, .visible-lg {
-  display: none !important; }
-
-.visible-xs-block,
-.visible-xs-inline,
-.visible-xs-inline-block,
-.visible-sm-block,
-.visible-sm-inline,
-.visible-sm-inline-block,
-.visible-md-block,
-.visible-md-inline,
-.visible-md-inline-block,
-.visible-lg-block,
-.visible-lg-inline,
-.visible-lg-inline-block {
-  display: none !important; }
+  width: device-width;
+}
+
+.visible-xs, .visible-sm, .visible-md, .visible-lg, .visible-xs-block, .visible-xs-inline, .visible-xs-inline-block, .visible-sm-block, .visible-sm-inline, .visible-sm-inline-block, .visible-md-block, .visible-md-inline, .visible-md-inline-block, .visible-lg-block, .visible-lg-inline, .visible-lg-inline-block, .visible-print, .visible-print-block, .visible-print-inline, .visible-print-inline-block {
+  display: none !important;
+}
 
 @media (max-width: 767px) {
   .visible-xs {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-xs {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-xs {
-    display: table-row !important; }
+    display: table-row !important;
+  }
+
+  th.visible-xs, td.visible-xs {
+    display: table-cell !important;
+  }
+}
 
-  th.visible-xs,
-  td.visible-xs {
-    display: table-cell !important; } }
 @media (max-width: 767px) {
   .visible-xs-block {
-    display: block !important; } }
+    display: block !important;
+  }
+}
 
 @media (max-width: 767px) {
   .visible-xs-inline {
-    display: inline !important; } }
+    display: inline !important;
+  }
+}
 
 @media (max-width: 767px) {
   .visible-xs-inline-block {
-    display: inline-block !important; } }
+    display: inline-block !important;
+  }
+}
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-sm {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-sm {
-    display: table-row !important; }
+    display: table-row !important;
+  }
+
+  th.visible-sm, td.visible-sm {
+    display: table-cell !important;
+  }
+}
 
-  th.visible-sm,
-  td.visible-sm {
-    display: table-cell !important; } }
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-block {
-    display: block !important; } }
+    display: block !important;
+  }
+}
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-inline {
-    display: inline !important; } }
+    display: inline !important;
+  }
+}
 
 @media (min-width: 768px) and (max-width: 991px) {
   .visible-sm-inline-block {
-    display: inline-block !important; } }
+    display: inline-block !important;
+  }
+}
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-md {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-md {
-    display: table-row !important; }
+    display: table-row !important;
+  }
+
+  th.visible-md, td.visible-md {
+    display: table-cell !important;
+  }
+}
 
-  th.visible-md,
-  td.visible-md {
-    display: table-cell !important; } }
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-block {
-    display: block !important; } }
+    display: block !important;
+  }
+}
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-inline {
-    display: inline !important; } }
+    display: inline !important;
+  }
+}
 
 @media (min-width: 992px) and (max-width: 1199px) {
   .visible-md-inline-block {
-    display: inline-block !important; } }
+    display: inline-block !important;
+  }
+}
 
 @media (min-width: 1200px) {
   .visible-lg {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-lg {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-lg {
-    display: table-row !important; }
+    display: table-row !important;
+  }
+
+  th.visible-lg, td.visible-lg {
+    display: table-cell !important;
+  }
+}
 
-  th.visible-lg,
-  td.visible-lg {
-    display: table-cell !important; } }
 @media (min-width: 1200px) {
   .visible-lg-block {
-    display: block !important; } }
+    display: block !important;
+  }
+}
 
 @media (min-width: 1200px) {
   .visible-lg-inline {
-    display: inline !important; } }
+    display: inline !important;
+  }
+}
 
 @media (min-width: 1200px) {
   .visible-lg-inline-block {
-    display: inline-block !important; } }
+    display: inline-block !important;
+  }
+}
 
 @media (max-width: 767px) {
   .hidden-xs, .page-side {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 @media (min-width: 768px) and (max-width: 991px) {
   .hidden-sm {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 /* COLLAPSE SIDEBAR @media*/
 @media (max-width: 768px), (max-height: 669px) {
   .toggle-sidebar {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 /* COLLAPSE SIDEBAR @media END*/
 @media (min-width: 992px) and (max-width: 1199px) {
   .hidden-md {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 @media (min-width: 1200px) {
   .hidden-lg {
-    display: none !important; } }
-.visible-print {
-  display: none !important; }
+    display: none !important;
+  }
+}
 
 @media print {
   .visible-print {
-    display: block !important; }
+    display: block !important;
+  }
 
   table.visible-print {
-    display: table; }
+    display: table;
+  }
 
   tr.visible-print {
-    display: table-row !important; }
-
-  th.visible-print,
-  td.visible-print {
-    display: table-cell !important; } }
-.visible-print-block {
-  display: none !important; }
-  @media print {
-    .visible-print-block {
-      display: block !important; } }
-
-.visible-print-inline {
-  display: none !important; }
-  @media print {
-    .visible-print-inline {
-      display: inline !important; } }
-
-.visible-print-inline-block {
-  display: none !important; }
-  @media print {
-    .visible-print-inline-block {
-      display: inline-block !important; } }
+    display: table-row !important;
+  }
+
+  th.visible-print, td.visible-print {
+    display: table-cell !important;
+  }
+}
+
+@media print {
+  .visible-print-block {
+    display: block !important;
+  }
+}
+
+@media print {
+  .visible-print-inline {
+    display: inline !important;
+  }
+}
+
+@media print {
+  .visible-print-inline-block {
+    display: inline-block !important;
+  }
+}
 
 @media print {
   .hidden-print {
-    display: none !important; } }
+    display: none !important;
+  }
+}
+
 * {
-  -webkit-font-smoothing: antialiased; }
+  -webkit-font-smoothing: antialiased;
+}
 
-html, body {
+html {
   height: 100%;
   font-family: 'SourceSansProRegular';
   scrollbar-width: thin;
@@ -5704,12 +9531,18 @@ html, body {
 }
 
 body {
+  height: 100%;
+  font-family: 'SourceSansProRegular';
+  scrollbar-width: thin;
+  scrollbar-color: #45565f #e3e3e3;
+  background-color: #fff;
   touch-action: manipulation;
   min-width: 320px;
 }
 
 .widget-sort-handle {
-  touch-action: none; }
+  touch-action: none;
+}
 
 .page-head {
   top: 0;
@@ -5717,7 +9550,7 @@ body {
   position: fixed;
   width: 100%;
   z-index: 2;
-  background-color:#172c38;
+  background-color: #172c38;
   border-bottom: 1px solid #171717;
 }
 
@@ -5725,39 +9558,53 @@ body {
   height: calc(100% - 52px);
   padding-top: 52px;
   position: relative;
-  z-index: 1; }
-  .page-content > .row {
-    height: 100%; }
-.page-content-head .container-fluid {
-  color:#000;
-  background-color: none;
-  margin-right: 20px;
-  margin-left: 20px;
-  border-bottom: 1px solid #aeaeae;
-  border-radius: 0px;
-  min-height: 46px;
-  height: 46px;
-  padding: 9px 14px 5px 0px; }
+  z-index: 1;
+
+  > .row {
+    height: 100%;
+  }
+}
+
+.page-content-head {
+  .container-fluid {
+    color: #000;
+    background-color: none;
+    margin-right: 20px;
+    margin-left: 20px;
+    border-bottom: 1px solid #aeaeae;
+    border-radius: 0px;
+    min-height: 46px;
+    height: 46px;
+    padding: 9px 14px 5px 0px;
+  }
+
+  padding-bottom: 5px;
+  padding-top: 10px;
+  color: #000;
+}
 
-.page-content-head, .content-box-head {
+.content-box-head {
   padding-bottom: 5px;
   padding-top: 10px;
-  color:#000;
+  color: #000;
+}
+
+.page-content-head .navbar-nav, .content-box-head .navbar-nav {
+  width: 100%;
 }
 
-  .page-content-head .navbar-nav, .content-box-head .navbar-nav {
-    width: 100%; }
-  .page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
-	line-height: inherit;
-    margin: 0; }
+.page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
+  line-height: inherit;
+  margin: 0;
+}
 
 .page-content-head h1, content-box-head h1 {
-    padding-left: 10px;
-    padding-right: 10px;
-    color: #000;
-    text-decoration-line: none;
-    font-weight: bold;
-    text-transform: uppercase;
+  padding-left: 10px;
+  padding-right: 10px;
+  color: #000;
+  text-decoration-line: none;
+  font-weight: bold;
+  text-transform: uppercase;
 }
 
 .page-content-main {
@@ -5767,7 +9614,7 @@ body {
 
 .page-side {
   background: #172c38;
-  border:none;
+  border: none;
   height: 100% !important;
   height: calc(100% - 52px) !important;
   left: 0;
@@ -5775,11 +9622,13 @@ body {
   margin-top: 52px;
   position: fixed;
   top: 0;
-  z-index: 3; }
+  z-index: 3;
+}
 
 .page-side-nav--active {
   background: #F7F7F7;
-  border-left: 3px solid #FF8B00; }
+  border-left: 3px solid #FF8B00;
+}
 
 .page-foot {
   bottom: 0;
@@ -5790,7 +9639,7 @@ body {
   position: fixed;
   height: 20px;
   background: #172c38;
-  color:#FFF;
+  color: #FFF;
   border-top: 1px solid #162b36;
 }
 
@@ -5799,391 +9648,571 @@ body {
   margin: 0px 0px;
   background: none;
   border: 1px solid #a8a8a8;
-  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
-.content-box hr {
-	border:none; }
-  .content-box-main {
-    padding-bottom: 15px;
-    padding-top: 15px; }
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+
+  hr {
+    border: none;
+  }
+}
+
+.content-box-main {
+  padding-bottom: 15px;
+  padding-top: 15px;
+}
+
 .tab-content {
-   padding: 0px 0px;
-   margin: 0px 0px; }
-  .tab-content > .tab-content {
-    padding: 0 15px; }
-  .tab-content .tab-content:last-child {
-    margin-bottom: 0; }
+  padding: 0px 0px;
+  margin: 0px 0px;
+
+  > .tab-content {
+    padding: 0 15px;
+  }
+
+  .tab-content:last-child {
+    margin-bottom: 0;
+  }
+}
 
 .page-content-main section[class^="col-"] + section[class^="col-"] {
-  padding-top: 20px; }
+  padding-top: 20px;
+}
 
 .brand-logo {
-  display: none; }
-  @media (min-width: 768px) {
-    .brand-logo {
-      display: inline-block; } }
+  display: none;
+}
+
+@media (min-width: 768px) {
+  .brand-logo {
+    display: inline-block;
+  }
+}
 
 .brand-icon {
-  display: inline-block; }
-  @media (min-width: 768px) {
-    .brand-icon {
-      display: none; } }
+  display: inline-block;
+}
+
+@media (min-width: 768px) {
+  .brand-icon {
+    display: none;
+  }
+}
 
 @media (min-width: 768px) {
   .col-sm-disable-spacer {
-    padding-top: 0 !important; } }
+    padding-top: 0 !important;
+  }
+}
 
 @media (min-width: 992px) {
   .col-md-disable-spacer {
-    padding-top: 0 !important; } }
+    padding-top: 0 !important;
+  }
+}
 
 @media (min-width: 1200px) {
   .col-lg-disable-spacer {
-    padding-top: 0 !important; } }
+    padding-top: 0 !important;
+  }
+}
 
 .page-login {
-  background: #FFF; }
-  .page-login .container {
+  background: #FFF;
+
+  .container {
     min-height: 100%;
-    margin-bottom: -60px; }
-    .page-login .container:after {
-      height: 60px; }
-.page-login .login-foot {color:#FFF;}
+    margin-bottom: -60px;
+
+    &:after {
+      height: 60px;
+    }
+  }
+
+  .login-foot {
+    color: #FFF;
+  }
+}
 
 .login-foot {
   font-size: 12px;
   max-width: 400px;
   margin: 0px auto 0px auto;
-  background-color: #172c38;}
+  background-color: #172c38;
+}
 
 .login-modal-container {
-  color:#FFF;
+  color: #FFF;
   border: none;
   max-width: 400px;
   margin: 100px auto 0px auto;
-  background-color: #172c38;}
+  background-color: #172c38;
+}
+
 .login-modal-head {
   height: 75px;
-  padding: 0 20px; }
+  padding: 20px 20px;
+}
+
 .login-modal-content {
-  padding: 20px 20px 20px 20px; }
+  padding: 20px 20px 20px 20px;
+}
+
 .login-modal-foot {
   border-top: 1px solid #E5E5E5;
   height: 60px;
-  padding: 20px 20px 0 20px; }
-  .login-modal-foot a {
+  padding: 20px 20px 0 20px;
+
+  a {
     color: #7D7D7D;
-    text-decoration: none; }
-    .login-modal-foot a:hover {
+    text-decoration: none;
+
+    &:hover {
       color: #646464;
-      text-decoration: underline; }
+      text-decoration: underline;
+    }
+  }
+}
 
 @media (min-width: 768px) {
   .list-inline .btn-group-container {
-    float: right;} }
+    float: right;
+  }
+}
 
 .btn.btn-fixed {
   max-width: 174px;
-  width: 100%; }
+  width: 100%;
+}
 
 .progress-bar-placeholder {
   font-size: 12px;
   position: absolute;
   text-align: center;
   width: 100%;
-  z-index: 1; }
+  z-index: 1;
+}
 
 /* BOOTSTRAP EDIT */
+
 .list-group-item {
   border-left: none;
-  border-right: none; }
-  .list-group-item.collapsed .caret {
+  border-right: none;
+
+  &.collapsed .caret {
     border-bottom: 4px solid green;
-    border-top: 0; }
+    border-top: 0;
+  }
+}
+
 /* BOOTSTRAP EDIT END */
 
 /* COLLAPSE SIDEBAR */
+
 main.page-content.col-lg-12 {
   padding-left: 90px;
 }
 
 #navigation.col-sidebar-left {
-  width:70px;
+  width: 70px;
   background-color: transparent !important;
   overflow: hidden;
-}
-
-#navigation.col-sidebar-left > div.row {
-  height:100% !important;
-}
-
-#navigation.col-sidebar-left > div.row > nav.page-side-nav {
-  width:70px;
-  background-color:#172c38 !important;
-  height:100% !important;
-  border-right: 1px solid #162b36;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
-  font-size:14px;
-  text-align:center;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.fa,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.glyphicon {
-  visibility: visible;
-  font-size:20px;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.__iconspacer {
-  width:50px;
-  height:25px;
-  padding:0px;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
-  width: 70px;
-  height: 70px;
-  padding-left: 0px;
-  padding-right: 0px;
-  padding-top:15px;
-  border-bottom:2px solid #515151;
-}
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing > a.list-group-item {
-  padding-left: 10px !important;
-  font-size:14px !important;
-  display: block !important;
-  position: absolute !important;
-  left: 70px !important;
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing > a.list-group-item {
-  padding-left: 10px !important;
-  font-size:14px !important;
-  display: block !important;
-  position: absolute !important;
-  left: 166px !important;
+  > div {
+    &.row {
+      height: 100% !important;
+
+      > nav.page-side-nav {
+        width: 70px;
+        background-color: #172c38 !important;
+        height: 100% !important;
+        border-right: 1px solid #162b36;
+      }
+    }
+
+    > nav > #mainmenu > div > {
+      a.list-group-item {
+        font-size: 14px;
+        text-align: center;
+
+        > span {
+          &.fa, &.glyphicon {
+            visibility: visible;
+            font-size: 20px;
+          }
+
+          &.__iconspacer {
+            width: 50px;
+            height: 25px;
+            padding: 0px;
+          }
+        }
+
+        width: 70px;
+        height: 70px;
+        padding-left: 0px;
+        padding-right: 0px;
+        padding-top: 15px;
+        border-bottom: 2px solid #515151;
+      }
+
+      div {
+        &.collapsing > a.list-group-item {
+          padding-left: 10px !important;
+          font-size: 14px !important;
+          display: block !important;
+          position: absolute !important;
+          left: 70px !important;
+        }
+
+        &.collapse.in > div.collapsing > a.list-group-item {
+          padding-left: 10px !important;
+          font-size: 14px !important;
+          display: block !important;
+          position: absolute !important;
+          left: 166px !important;
+        }
+      }
+
+      a.list-group-item.active-menu-title {
+        color: #000 !important;
+        background-color: #FFF !important;
+      }
+    }
+  }
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item.active-menu-title, a.list-group-item.active-menu-title.collapsed,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item[aria-expanded="true"],
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item[aria-expanded="true"],
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item.menu-level-3-item.active {
+a.list-group-item.active-menu-title.collapsed {
   color: #000 !important;
   background-color: #FFF !important;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
-  padding-left: 10px !important;
-  font-size:14px !important;
-  background-color: #172c38 !important;
-  opacity: 0.98;
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > {
+  a.list-group-item[aria-expanded="true"] {
+    color: #000 !important;
+    background-color: #FFF !important;
+  }
+
+  div {
+    &.collapse {
+      &.in {
+        > {
+          a.list-group-item[aria-expanded="true"], div.collapse.in > a.list-group-item.menu-level-3-item.active {
+            color: #000 !important;
+            background-color: #FFF !important;
+          }
+        }
+
+        > div.collapse.in > a.list-group-item {
+          padding-left: 10px !important;
+          font-size: 14px !important;
+          background-color: #172c38 !important;
+          opacity: 0.98;
+        }
+      }
+
+      > a.list-group-item {
+        padding-left: 10px !important;
+        font-size: 14px !important;
+        background-color: #172c38 !important;
+        opacity: 0.98;
+      }
+
+      > div.collapse > a.list-group-item {
+        padding-left: 10px !important;
+        font-size: 14px !important;
+      }
+    }
+
+    &.collapsed > a.list-group-item {
+      padding-left: 10px !important;
+      font-size: 14px !important;
+    }
+
+    &.collapse {
+      > {
+        a.list-group-item, div.collapse > a.list-group-item {
+          padding: 3px 8px !important;
+        }
+      }
+
+      &.in > div.collapse.in > a.list-group-item:hover {
+        text-decoration: none !important;
+        color: #000 !important;
+        background-color: #FFF !important;
+      }
+    }
+  }
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsed > a.list-group-item {
-  padding-left: 10px !important;
-  font-size:14px !important;
+a.list-group-item:focus {
+  text-decoration: none !important;
+  color: #000 !important;
+  background-color: #FFF !important;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item {
-  padding: 3px 8px !important;
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item {
+  &.active-menu-title, &:hover {
+    color: #000 !important;
+    background-color: #FFF !important;
+  }
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus {
-  text-decoration: none !important;
+a.list-group-item:focus {
   color: #000 !important;
   background-color: #FFF !important;
 }
 
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.active-menu-title,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:hover, a.list-group-item:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item.collapsed:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item:focus,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.active-menu.collapse.in >a.list-group-item.active {
-  color: #000 !important;
-  background-color: #FFF !important;
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div {
+  &.collapse.in > a.list-group-item {
+    &.collapsed:focus, &:focus {
+      color: #000 !important;
+      background-color: #FFF !important;
+    }
+  }
+
+  &.active-menu.collapse.in > a.list-group-item.active {
+    color: #000 !important;
+    background-color: #FFF !important;
+  }
+
+  &.collapse.in {
+    width: 168px;
+    font-size: 13px;
+    z-index: 10;
+    position: absolute;
+    left: 70px;
+    margin-top: -70px;
+    border: 1px solid #1f3a4a;
+    -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+    -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+    box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+
+    > div.collapse.in {
+      width: 168px;
+      font-size: 13px;
+      z-index: 10;
+      position: absolute;
+      left: 166px;
+      margin-top: -26px;
+      border: 1px solid #1f3a4a;
+      -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+      -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+      box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.5);
+    }
+  }
+
+  &.collapsing, &.collapse.in > div.collapsing {
+    display: none;
+  }
 }
 
 /* Sub Level One */
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in {
-  width:168px;
-  font-size:13px;
-  z-index: 10;
-  position: absolute;
-  left: 70px;
-  margin-top:-70px;
-  border:1px solid #1f3a4a;
-  -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-  -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-  box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-}
 
 /* Sub Level Two */
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in {
-  width:168px;
-  font-size:13px;
-  z-index: 10;
-  position: absolute;
-  left: 166px;
-  margin-top:-26px;
-  border:1px solid #1f3a4a;
-  -webkit-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-  -moz-box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-  box-shadow: 5px 5px 6px 0px rgba(0, 0, 0, 0.50);
-}
-
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing,
-#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing {
-  display:none;
-}
 
 button.toggle-sidebar {
-  color:#FFF;
-  background-color:transparent;
-  font-size:14px;
-  border:none;
+  color: #FFF;
+  background-color: transparent;
+  font-size: 14px;
+  border: none;
   margin-top: 18px;
-  float:left;
-  outline:none;
+  float: left;
+  outline: none;
+  padding-left: 20px;
 }
 
 /* COLLAPSE SIDEBAR END*/
 
 #navigation.collapse.in {
-  display: block !important; }
+  display: block !important;
+}
 
-.list-group-submenu .list-group-item:last-child,
-.collapse .list-group-item:last-child {
-  border-bottom: none; }
+.list-group-submenu .list-group-item:last-child, .collapse .list-group-item:last-child {
+  border-bottom: none;
+}
 
-.dropdown-menu > li > a,
-.dropdown-header {
-  padding: 3px 10px; }
+.dropdown-menu > li > a, .dropdown-header {
+  padding: 3px 10px;
+}
 
-.nav-tabs > li {
-  border-radius: 0px;
-  border-top-right-radius: 10px;
-  margin-right: 2px; }
+.nav-tabs {
+  > {
+    li {
+      border-radius: 0px;
+      border-top-right-radius: 10px;
+      margin-right: 2px;
+
+      > a {
+        border-radius: 0px;
+        border-top-right-radius: 10px;
+        margin-right: 0px;
+        -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+        -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+        box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+      }
+    }
+
+    .dropdown > a {
+      -webkit-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
+      -moz-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
+      box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.6);
+
+      &.pull-right {
+        -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+        -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+        box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.6);
+      }
+    }
+
+    li {
+      > a {
+        outline: 0;
+        font-weight: 100;
+
+        &:hover, &:focus {
+          outline: 0;
+          font-weight: 100;
+        }
+      }
+
+      &.active > a {
+        background: #172c38 !important;
+        outline: 0;
+        font-weight: 100;
+      }
+
+      > a.visible-lg-inline-block {
+        &:not(.pull-right) {
+          border-top-right-radius: 0px !important;
+          padding-left: 10px !important;
+          padding-right: 5px !important;
+        }
+
+        &.pull-right {
+          border-left: 0px !important;
+          padding-left: 5px !important;
+          padding-right: 10px !important;
+        }
+      }
+    }
+  }
+
+  &.nav-justified {
+    border-right: 1px solid #656565;
+
+    > li {
+      border-bottom: 1px solid #656565;
+      border-top: 1px solid #656565;
+      border-left: 1px solid #656565;
+      border-radius: 0px;
+      background: #818180;
+
+      > a {
+        color: #FFFFFF;
+        font-family: 'SourceSansProSemibold';
+      }
+    }
+  }
+}
 
-.nav-tabs > li > a {
-  border-radius: 0px;
-  border-top-right-radius: 10px;
-  margin-right: 0px;
-  -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60); }
-
-.nav-tabs > .dropdown > a {
-  -webkit-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  -moz-box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  box-shadow: 0px 0px 2px 0px rgba(0, 0, 0, 0.60); }
-
-.nav-tabs > .dropdown > a.pull-right {
-  -webkit-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  -moz-box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60);
-  box-shadow: 2px 0px 2px 0px rgba(0, 0, 0, 0.60); }
-
-.nav-tabs > li > a,
-.nav-tabs > li > a:hover,
-.nav-tabs > li > a:focus {
- outline:0;
- font-weight: 100; }
-
-.nav-tabs > li.active > a {
-  background: #172c38 !important;
-  outline:0;
-  font-weight: 100;  }
-
-.nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
-  border-top-right-radius: 0px !important;
-  padding-left: 10px !important;
-  padding-right: 5px !important; }
-
-.nav-tabs > li > a.visible-lg-inline-block.pull-right {
-  border-left: 0px !important;
-  padding-left: 5px !important;
-  padding-right: 10px !important; }
-
-.nav-tabs.nav-justified {
-  border-right: 1px solid #656565; }
-  .nav-tabs.nav-justified > li {
-    border-bottom: 1px solid #656565;
-    border-top: 1px solid #656565;
-    border-left: 1px solid #656565;
-    border-radius: 0px;
-    background: #818180; }
-    .nav-tabs.nav-justified > li > a {
-      color: #FFFFFF;
-      font-family: 'SourceSansProSemibold'; }
-      @media (min-width: 768px) {
-        .nav-tabs.nav-justified > li > a {
-          border-bottom: 1px solid transparent; } }
-  @media (max-width: 767px) {
-    .nav-tabs.nav-justified > li.active > a {
-      border-right: 0 !important; } }
+@media (min-width: 768px) {
+  .nav-tabs.nav-justified > li > a {
+    border-bottom: 1px solid transparent;
+  }
+}
+
+@media (max-width: 767px) {
+  .nav-tabs.nav-justified > li.active > a {
+    border-right: 0 !important;
+  }
+}
 
 @media (min-width: 768px) {
   > li.active + li > a {
-    border-left: 1px solid transparent; } }
+    border-left: 1px solid transparent;
+  }
+}
 
 > li:last-child > a {
-  border-right: 1px solid transparent !important; }
-  @media (max-width: 767px) {
-    > li:last-child > a {
-      margin-bottom: 0; } }
+  border-right: 1px solid transparent !important;
+}
+
+@media (max-width: 767px) {
+  > li:last-child > a {
+    margin-bottom: 0;
+  }
+}
 
 .btn .glyphicon {
-  vertical-align: -1px; }
-.table { width:100%; }
+  vertical-align: -1px;
+}
+
 .table {
-  margin-bottom: 0px !important; }
+  width: 100%;
+  margin-bottom: 0px !important;
+}
 
-.nav-tabs-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus {
-  border: 0px !important; }
+.nav-tabs-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus {
+  border: 0px !important;
+}
 
 .table th, strong, b {
-  font-weight: 100;  }
+  font-weight: 100;
+}
 
 .table > tbody > tr > td:last-child {
-  padding-right: 5px; }
+  padding-right: 5px;
+}
 
 /* helpers */
+
 .__nowrap {
-  white-space: nowrap; }
+  white-space: nowrap;
+}
 
 .__nomb {
-  margin-bottom: 0; }
+  margin-bottom: 0;
+}
 
 .__mb {
-  margin-bottom: 15px; }
+  margin-bottom: 15px;
+}
 
 .__mt {
-  margin-top: 15px; }
+  margin-top: 15px;
+}
 
 .__ml {
-  margin-left: 15px; }
+  margin-left: 15px;
+}
 
 .__mr {
-  margin-right: 15px; }
+  margin-right: 15px;
+}
 
 .__iconspacer {
-  padding-right: 10px; }
+  padding-right: 10px;
+}
 
 #mainmenu .glyphicon {
-  vertical-align: -2px; }
+  vertical-align: -2px;
+}
 
 .list-group-item {
   overflow: hidden;
-  text-overflow: ellipsis; }
-  .list-group-item + div.collapse {
-    margin-bottom: -1px; }
-  .list-group-item + div > a {
-    padding-left: 44px; }
-  .list-group-item:before {
+  text-overflow: ellipsis;
+
+  + div {
+    &.collapse {
+      margin-bottom: -1px;
+    }
+
+    > a {
+      padding-left: 44px;
+    }
+  }
+
+  &:before {
     background: #FF8B00;
     content: "";
     height: 42px;
@@ -6195,32 +10224,47 @@ button.toggle-sidebar {
     -webkit-transition: width .2s;
     -moz-transition: width .2s;
     -o-transition: width .2s;
-    transition: width .2s; }
+    transition: width .2s;
+  }
+}
 
 .list-group-submenu a {
-  padding-left: 56px; }
+  padding-left: 56px;
+}
 
 .active-menu-title, .active-menu a {
   text-decoration: none;
   position: relative;
-  background-color: #24323a; }
-  .active-menu-title:before, .active-menu a:before {
-    width: 3px; }
-  .active-menu-title.active, .active-menu a.active {
-	background-color: #fff;
-	color: #000; }
+  background-color: #24323a;
+}
 
-.active-menu a:before {
-  background: #FF8B00; }
+.active-menu-title:before, .active-menu a:before {
+  width: 3px;
+}
 
-.alert.alert-danger {
-  color: #FFF !important; }
+.active-menu-title.active {
+  background-color: #fff;
+  color: #000;
+}
 
-.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
-  border-radius: 0 !important; }
+.active-menu a {
+  &.active {
+    background-color: #fff;
+    color: #000;
+  }
+
+  &:before {
+    background: #FF8B00;
+  }
+}
+
+.alert.alert-danger {
+  color: #FFF !important;
+}
 
-.navbar-brand {
-  padding: 10px 20px; }
+.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+  border-radius: 0 !important;
+}
 
 .label-opnsense {
   /* emulates btn */
@@ -6229,41 +10273,50 @@ button.toggle-sidebar {
   font-size: 12px;
   line-height: 1.5;
   border-radius: 3px;
-  border-color: #323232;}
+  border-color: #323232;
+}
 
 .label-opnsense-sm {
   /* emulates btn-sm */
   padding: 6px 11px;
-  border-color: #323232;}
+  border-color: #323232;
+}
 
 .label-opnsense-xs {
   /* emulates btn-xs */
   padding: 2px 5px;
-  border-color: #323232;}
+  border-color: #323232;
+}
 
 ::-webkit-scrollbar {
-  width: 8px; }
+  width: 8px;
+}
 
 ::-webkit-scrollbar-button {
   width: 8px;
-  height: 0px; }
+  height: 0px;
+}
 
 ::-webkit-scrollbar-track {
   background: #e3e3e3;
   box-shadow: 0px 0px 0px;
-  border-radius: 0; }
+  border-radius: 0;
+}
 
 ::-webkit-scrollbar-thumb {
   background: #172c38;
   border: thin solid #e5e5e5;
-  border-radius: 0px; }
+  border-radius: 0px;
 
-::-webkit-scrollbar-thumb:hover {
-  background: #ec6d12; }
+  &:hover {
+    background: #ec6d12;
+  }
+}
 
 .widgetdiv {
   padding-top: 0px !important;
-  padding-bottom: 20px; }
+  padding-bottom: 20px;
+}
 
 select {
   overflow: hidden;
@@ -6276,63 +10329,94 @@ select {
   cursor: pointer;
   background-repeat: no-repeat;
   background-position: right;
-  background-image: url(/ui/themes/tukan/build/images/caret.png) !important; }
+  background-image: url(/ui/themes/tukan/build/images/caret.png) !important;
 
-select:hover, select:active, select:focus {
-  overflow: hidden;
-  border: 1px solid #1d1d1d;
-  background-color: #f0f0f0;
-  color: #000;
-  -webkit-appearance: none;
-  -moz-appearance: none;
-  appearance: none;
-  cursor: pointer;
-  background-repeat: no-repeat;
-  background-position: right;
-  background-image: url(/ui/themes/tukan/build/images/caret.png) !important; }
+  &:hover, &:active, &:focus {
+    overflow: hidden;
+    border: 1px solid #1d1d1d;
+    background-color: #f0f0f0;
+    color: #000;
+    -webkit-appearance: none;
+    -moz-appearance: none;
+    appearance: none;
+    cursor: pointer;
+    background-repeat: no-repeat;
+    background-position: right;
+    background-image: url(/ui/themes/tukan/build/images/caret.png) !important;
+  }
+}
 
-option:hover, option:active, option:focus {
-    background-color:#FF6E05;
-	}
+option {
+  &:hover, &:active, &:focus {
+    background-color: #FF6E05;
+  }
+}
+
+#grid-log th[data-column-id="__timestamp__"], #filter-log-entries th[data-column-id="__timestamp__"] {
+  min-width: 3.5em;
+}
 
-#grid-log th[data-column-id="__timestamp__"],
-#filter-log-entries th[data-column-id="__timestamp__"] {
-  min-width: 3.5em; }
 #grid-top {
-    -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30);
-    box-shadow: 0 5px 10px rgba(0, 0, 0, 0.30); }
+  -webkit-box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+  box-shadow: 0 5px 10px rgba(0, 0, 0, 0.3);
+}
 
 @media screen and (max-width: 767px) {
   .table-responsive {
-    margin-bottom: 0; }
-    .table-responsive > .table > thead > tr > th,
-    .table-responsive > .table > thead > tr > td,
-    .table-responsive > .table > tbody > tr > th,
-    .table-responsive > .table > tbody > tr > td,
-    .table-responsive > .table > tfoot > tr > th,
-    .table-responsive > .table > tfoot > tr > td {
-      white-space: normal; } }
-
-label > input[type="checkbox"],
-label > input[type="radio"] {
-  margin-right: .4em;
-  float: left; }
-
-#log-settings label[for^="act"] {
-  margin-right: 1.5em; }
-
-#log-settings table>tbody>tr>td {
-  vertical-align: middle; }
-
-#log-settings select#filterlogentries,
-#log-settings select#filterlogentriesupdateinterval {
-  width: 5em; }
-
-#log-settings select#filterlogentriesinterfaces {
-  min-width: 100%;
-  max-width: 100%; }
+    margin-bottom: 0;
+
+    > .table > {
+      thead > tr > {
+        th, td {
+          white-space: normal;
+        }
+      }
+
+      tbody > tr > {
+        th, td {
+          white-space: normal;
+        }
+      }
+
+      tfoot > tr > {
+        th, td {
+          white-space: normal;
+        }
+      }
+    }
+  }
+}
+
+label > input {
+  &[type="checkbox"], &[type="radio"] {
+    margin-right: .4em;
+    float: left;
+  }
+}
+
+#log-settings {
+  label[for^="act"] {
+    margin-right: 1.5em;
+  }
+
+  table > tbody > tr > td {
+    vertical-align: middle;
+  }
+
+  select {
+    &#filterlogentries, &#filterlogentriesupdateinterval {
+      width: 5em;
+    }
+
+    &#filterlogentriesinterfaces {
+      min-width: 100%;
+      max-width: 100%;
+    }
+  }
+}
 
 /* fields in firewall schedule */
+
 [data-state="lightcoral"] {
   background-color: #ffe83e;
 }
@@ -6345,50 +10429,64 @@ label > input[type="radio"] {
   background-color: #ffe83e;
 }
 
-#ipsec #ipsec-mobile, #ipsec #ipsec-tunnel, #ipsec #ipsec-overview {
-	background-color: #f0f0f0 !important;
-}
+#ipsec {
+  #ipsec-mobile, #ipsec-tunnel, #ipsec-overview {
+    background-color: #f0f0f0 !important;
+  }
 
-#ipsec .ipsec-tab {
-	background-color: #45565f !important;
-	color: #FFF !important;
-}
+  .ipsec-tab {
+    background-color: #45565f !important;
+    color: #FFF !important;
 
-#ipsec .ipsec-tab.activetab {
-	background-color: #172c38 !important;
-	color: #FFF !important;
+    &.activetab {
+      background-color: #172c38 !important;
+      color: #FFF !important;
+    }
+  }
 }
+
 .fw_pass {
   background-color: #295f2b !important;
-  color:#FFF;
+  color: #FFF;
 }
+
 .fw_block {
   background-color: #A22626 !important;
-  color:#FFF;
+  color: #FFF;
 }
+
 .fw_nat {
   background-color: #CBA026 !important;
-  color:#FFF;
+  color: #FFF;
 }
-  /*additional extensions for theme-tukan*/
+
+/*additional extensions for theme-tukan*/
 
 #tab_1 #maintabs {
   border-bottom: 1px solid #b0b0b0;
 }
 
-textarea#update_status, textarea#update_status:hover {
-  color:inherit !important;
-  -webkit-box-shadow:none !important;
-  box-shadow:none !important;
-  border:none !important;
+textarea#update_status {
+  color: inherit !important;
+  -webkit-box-shadow: none !important;
+  box-shadow: none !important;
+  border: none !important;
+
+  &:hover {
+    color: inherit !important;
+    -webkit-box-shadow: none !important;
+    box-shadow: none !important;
+    border: none !important;
+  }
 }
 
 .fa-toggle-off::before {
-  color:#FF8B00 !important;
-  outline:none !important; }
+  color: #FF8B00 !important;
+  outline: none !important;
+}
 
 .fa-toggle-on::before {
-  outline:none !important;
+  outline: none !important;
 }
 
 .fa-search::before, .glyphicon-search::before {
@@ -6396,7 +10494,7 @@ textarea#update_status, textarea#update_status:hover {
 }
 
 .glyphicon.glyphicon-search::before {
-  color:#000 !important;
+  color: #000 !important;
 }
 
 .fa-times-circle::before {
@@ -6408,30 +10506,42 @@ textarea#update_status, textarea#update_status:hover {
   content: "\f059";
   cursor: pointer;
 }
+
 .fa-refresh::before {
   content: "\f021";
 }
 
-.bootgrid-header .search .glyphicon, .bootgrid-footer .search .glyphicon,.input-group-addon {
+.bootgrid-header .search .glyphicon, .bootgrid-footer .search .glyphicon, .input-group-addon {
   top: 0;
   background-color: #FF6E05 !important;
   border: 1px solid #FF6E05 !important;
 }
 
-div.container-fluid >.fa-search::before, div.container-fluid >.fa-refresh::before {
-  color: #FFFFFF !important; }
+div.container-fluid > {
+  .fa-search::before, .fa-refresh::before {
+    color: #FFFFFF !important;
+  }
+}
 
-.panel-heading h3:hover, h3:focus {
+.panel-heading h3:hover {
   color: #FFFFFF;
   text-decoration: none;
 }
 
-h3:link {
-  color:#FFFFFF;text-decoration: underline;
-}
+h3 {
+  &:focus {
+    color: #FFFFFF;
+    text-decoration: none;
+  }
 
-h3:hover, h3:focus {
-  text-decoration: underline;
+  &:link {
+    color: #FFFFFF;
+    text-decoration: underline;
+  }
+
+  &:hover, &:focus {
+    text-decoration: underline;
+  }
 }
 
 #grid-log {
@@ -6439,32 +10549,67 @@ h3:hover, h3:focus {
 }
 
 .table-condensed.table-hover {
-    border: 1px solid #bdbdbd;
+  border: 1px solid #bdbdbd;
 }
 
 #rules.table-condensed.table-hover {
-    border: none;
+  border: none;
 }
 
-.btn-group.bootstrap-select.open, .btn-group.bootstrap-select:hover {
-  border-color: #323232 !important;
-  color:#FFFFFF !important;
+.btn-group.bootstrap-select {
+  &.open, &:hover {
+    border-color: #323232 !important;
+    color: #FFFFFF !important;
+  }
 }
 
-.glyphicon.glyphicon-play.text-muted, .glyphicon.glyphicon-remove.text-muted, .glyphicon.glyphicon-remove-sign.text-muted, .glyphicon.glyphicon-info-sign.text-muted,.fa.fa-exclamation.fa-fw.text-muted,.fa.fa-arrows-h.fa-fw.text-muted,.fa.fa-long-arrow-left,.fa.fa-long-arrow-left::before,.fa.fa-info-circle.text-muted,.fa.fa-times-circle.text-muted,.fa.fa-times-circle.text-muted::before,.fa.fa-times.text-muted,.fa.fa-times.text-muted::before,.fa.fa-play.text-muted::before {
-  color: #000 !important;
+.glyphicon {
+  &.glyphicon-play.text-muted, &.glyphicon-remove.text-muted, &.glyphicon-remove-sign.text-muted, &.glyphicon-info-sign.text-muted {
+    color: #000 !important;
+  }
+}
+
+.fa {
+  &.fa-exclamation.fa-fw.text-muted, &.fa-arrows-h.fa-fw.text-muted {
+    color: #000 !important;
+  }
+
+  &.fa-long-arrow-left {
+    color: #000 !important;
+
+    &::before {
+      color: #000 !important;
+    }
+  }
+
+  &.fa-info-circle.text-muted {
+    color: #000 !important;
+  }
+
+  &.fa-times-circle.text-muted, &.fa-times.text-muted {
+    color: #000 !important;
+
+    &::before {
+      color: #000 !important;
+    }
+  }
+
+  &.fa-play.text-muted::before {
+    color: #000 !important;
+  }
 }
 
 #system_log-widgets.content-box {
-  border:none; box-shadow: none;
+  border: none;
+  box-shadow: none;
 }
 
-#chart,#chart_intf_in,#chart_intf_out,#chart_top_ports,#chart_top_sources,#traffic_graph_widget_chart_in,#traffic_graph_widget_chart_out {
+#chart, #chart_intf_in, #chart_intf_out, #chart_top_ports, #chart_top_sources, #traffic_graph_widget_chart_in, #traffic_graph_widget_chart_out {
   background-color: #FFF;
   border: 1px solid #b0b0b0;
 }
 
-  /*additional extensions for sensei*/
+/*additional extensions for sensei*/
 
 .preloader-wrapper {
   background-color: #e3e3e3 !important;
@@ -6480,38 +10625,50 @@ h3:hover, h3:focus {
   box-shadow: none !important;
 }
 
-input[type="checkbox"].checkbox-switch + i::before, input[type="checkbox"].checkbox-icon + i::before, input[type="checkbox"].checkbox-switch + i::before {
-  color: #CB4326 !important;
-}
-
-input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox"].checkbox-icon:checked + i::before, input[type="checkbox"].checkbox-icon-2:checked + i::before {
-  color: #4FB654 !important;
+input[type="checkbox"] {
+  &.checkbox-switch + i::before, &.checkbox-icon + i::before {
+    color: #CB4326 !important;
+  }
+
+  &.checkbox-switch {
+    + i::before {
+      color: #CB4326 !important;
+    }
+
+    &:checked + i::before {
+      color: #4FB654 !important;
+    }
+  }
+
+  &.checkbox-icon:checked + i::before, &.checkbox-icon-2:checked + i::before {
+    color: #4FB654 !important;
+  }
 }
 
 .modal-header > span {
   color: #000;
 }
 
-.bootstrap-datetimepicker-widget table td span:hover {
-    background: none !important;
-}
-
 .bootstrap-datetimepicker-widget {
-  background-color:#FF6E05 !important;
-}
+  table td span:hover {
+    background: none !important;
+  }
 
-.modal-side > .p-15 {
-  padding-left: 10px;
-  padding-right: 10px;
-  padding-top: 3px;
-  padding-bottom: 1px;
-  border-bottom: 1px solid #4a4a4a;
-  min-height: 16.42857px;
-  background-color: #45565f;
-  color: #FFF;
+  background-color: #FF6E05 !important;
 }
 
 .modal-side {
+  > .p-15 {
+    padding-left: 10px;
+    padding-right: 10px;
+    padding-top: 3px;
+    padding-bottom: 1px;
+    border-bottom: 1px solid #4a4a4a;
+    min-height: 16.42857px;
+    background-color: #45565f;
+    color: #FFF;
+  }
+
   background-color: #f0f0f0 !important;
 }
 
@@ -6520,7 +10677,7 @@ input[type="checkbox"].checkbox-switch:checked + i::before, input[type="checkbox
 }
 
 .alert-primary {
-  background-color:none !important;
+  background-color: none !important;
   color: #000 !important;
 }
 
@@ -6532,18 +10689,20 @@ label.btn.au-target {
   border: 1px solid #bdbdbd;
 }
 
-.rule.text-muted > td:nth-child(1n+3) {
-  text-decoration: line-through;
-}
+.rule.text-muted > td {
+  &:nth-child(1n+3) {
+    text-decoration: line-through;
+  }
 
-.rule.text-muted > td:last-child {
-  text-decoration:none;
+  &:last-child {
+    text-decoration: none;
+  }
 }
 
 #reports-tab {
-    border-bottom: 1px solid #a5a5a5;
+  border-bottom: 1px solid #a5a5a5;
 }
 
 .top-list .list-group-item {
-    background-color: #fff;
+  background-color: #fff;
 }
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/jquery.bootgrid.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/jquery.bootgrid.css
index 3440c283d3..b2b05058c2 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/jquery.bootgrid.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/jquery.bootgrid.css
@@ -18,9 +18,14 @@
   vertical-align: middle;
   width: 180px;
 }
-
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa-solid {
+  top: 0;
+}
 .bootgrid-header .search .fa,
-.bootgrid-footer .search .fa {
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa,
+.bootgrid-footer .search .fa-solid {
   display: table-cell;
 }
 .bootgrid-header .search.search-field::-ms-clear,
@@ -39,9 +44,6 @@
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu {
-  color: #000;
-  background-color: #f0f0f0;
-  border-color: #1d1d1d;
   text-align: left;
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item,
@@ -56,9 +58,9 @@
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover,
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus {
-  color: #fff;
+  color: #FFF;
   text-decoration: none;
-  background-color: #ff7e25;
+  background-color: #dd630d;
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
@@ -78,7 +80,7 @@
   outline: 0;
 }
 .bootgrid-table th > .column-header-anchor {
-  color: #000;
+  color: #e8f1f9;
   cursor: not-allowed;
   display: block;
   position: relative;
@@ -95,21 +97,16 @@
   -o-text-overflow: ellipsis;
   text-overflow: ellipsis;
   white-space: nowrap;
-  color:#FFF;
 }
 .bootgrid-table th > .column-header-anchor > .icon {
-  color: #000;
   display: block;
   position: absolute;
   right: 0;
   top: 2px;
 }
-.bootgrid-table th > .column-header-anchor > .glyphicon {
-  color: #000;
-}
 .bootgrid-table th:hover,
 .bootgrid-table th:active {
-  background: #f2fafe;
+  background: #fafafa;
 }
 .bootgrid-table td {
   overflow: hidden;
@@ -142,7 +139,6 @@
   -o-text-overflow: inherit !important;
   text-overflow: inherit !important;
   white-space: inherit !important;
-  color: #FFF;
 }
 .table-responsive .bootgrid-table td {
   overflow: inherit !important;
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index ea1ae3c641..3fc27afd3e 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -3713,7 +3713,9 @@ tbody.collapse.in {
 @media (min-width: 768px) {
   .navbar-header {
     float: left; } }
-
+.navbar-header {
+  padding-top: 12px;
+}
 .navbar-collapse {
   overflow-x: visible;
   padding-right: 20px;
@@ -3795,18 +3797,6 @@ tbody.collapse.in {
   margin-bottom: 0;
   border-width: 1px 0 0; }
 
-.navbar-brand {
-  float: left;
-  padding: 15px 20px;
-  font-size: 18px;
-  height: 50px; }
-  .navbar-brand:hover, .navbar-brand:focus {
-    text-decoration: none; }
-
-  @media (min-width: 768px) {
-    .navbar > .container .navbar-brand, .navbar > .container-fluid .navbar-brand {
-      margin-left: -20px; } }
-
 .navbar-toggle {
   position: relative;
   float: left;
@@ -3830,7 +3820,12 @@ tbody.collapse.in {
   @media (min-width: 768px) {
     .navbar-toggle {
       display: none; } }
-
+.navbar-brand img.brand-logo {
+  height: 30px;
+}
+.navbar-brand img.brand-icon {
+  height: 30px;
+}
 .navbar-nav {
   margin: 7.5px -20px; }
   .navbar-nav > li > a {
@@ -5864,7 +5859,7 @@ body {
   background-color: #172c38;}
 .login-modal-head {
   height: 75px;
-  padding: 0 20px; }
+  padding: 20px 20px; }
 .login-modal-content {
   padding: 20px 20px 20px 20px; }
 .login-modal-foot {
@@ -6049,6 +6044,7 @@ button.toggle-sidebar {
   margin-top: 18px;
   float:left;
   outline:none;
+  padding-left: 20px;
 }
 
 /* COLLAPSE SIDEBAR END*/
@@ -6219,9 +6215,6 @@ button.toggle-sidebar {
 .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
   border-radius: 0 !important; }
 
-.navbar-brand {
-  padding: 10px 20px; }
-
 .label-opnsense {
   /* emulates btn */
   display: inline-block;
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/default-logo.png b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/default-logo.png
index 9f98843f0aa597da90303ce6c86652073abc4c2d..35122b0fcbb81ef25bd4e348ae7b9fe03e2bd5f6 100644
GIT binary patch
literal 27885
zcmbSzby!qg7w=f8ucRmp9U>^wjS?cD0s<04Hv&?FbcY3qlprA~Au&TE%>YVEOSec2
zox(`Y-3NH@_uYH{xc9m9JUD01IcKlE*Is+A--_+Kr%I2A{-OQ{27?jFJ(f|0!Oj=J
zU}r2Y5rAJxnG5jX>x`r7qX)3OPTB>~IBy}PC<TKRhFv)@z5v>nUp&@!gu#gGp}#ZD
zc3IEBk8mehEhjZQb0=402Q%1HV@sqHmy)bHqaYVAm%!D@jMw0qQZp?%b2&M7*d@@o
z0HZ#00d@vl$%8+d(`zsq*sU|?j(<N3u6fU#g^_}99q?xvaQ^srD{u{cjKClC{=eV<
z8&TLf7%coE>^yjahmW7<%;%F{p*JpkKI!QrxQ0GwK|g1YpHvkU0avGQ@$&FMcL(RH
zm@spOUtuuo1UVTgbvJ{RL*H;ctoP)uPqL#D$*o>##n;~Lj5I;ggtlvDRvlC9o$}G9
z#AVBFnjhYOR@mf>@nin{PQ9kk<#L|>@4Sy3-{jLVs-jG8()V;#8U2{94MtU;fy-40
zN8f?bsm*O8&pvgor%|9kASE}h?|ncbdX?x&vSSS{%-y5=@Xx|zt&(f4A!4gpOq_q*
z(MJp`mb`U93eD^P`0%%sUzoQs_1=h)nJL#Lo~i4JBG)x^zH<C<toeB@@1egfzf0k_
z%V+BvveQjwU`!NHCq~h3$TNPo%^S$0ic4b{kNf3+3A++2_(ltA_)$swU1(>1zyUSt
z2$|~6nqNPC^C79xnc`s5E6^RDbC(MIv>ydRQUi;1IImSF#@GNYE9?pHSq>uuQj_C>
zWL!H#!J~Ys5V`?V3j}0@Ps!Yd$lN$3a}AK0`<IM7AhY!^nG1l7`ze_g(X$+|)7SNG
z)SWGOeKMACwewmqB-07`8PYQpeh*KdN&x+KpLP{~13Xnkb}}x9SFkJhtxun#Wdu*r
zpHA}or2?4K!_#>&0)peG9Y47QI$k|}pVbe%Z+AK`(}#W+KD(ZF#>)&kV>q2xESSnX
z!)ecipl3q=Q}&sF!4RCz3(f?{)JvVvgp)xH>C?s;s3CjW;DZ|fzQYU}Y5%@+6>9wZ
z&RMAO?>i7TdTyMsh7b(8&h2z%_GJ7n7<rw}z#DLY$KZ4Z^khb7;F1rH1>imj81xf@
zlNo$g0E1=?IGI8B1wbb9l*~NT^UNu4MnGrbB&VHGfcIxEp1jX^4h+WYl$|2b4U*H2
ziJ=?JC!^E?L^j`_5V`Mnff08yMx#|Qtd`SZ#ae@hGR~d6-OdR{(t9ckb5}uE3lB~>
z<`@8m_2-13U&RA3;kzeetQ&(Sj5+O@3#?Ks@?^j~ThN66C1VN5nEy+L1CS{`C1Vbe
z89pV$50P0uCG!a)BXmlp9U@b8N`@68V|z+w8<1(2IAL<E6(BQrO6CbPo2^qa84#J>
zQ!;80nS)a@*$^3tQ!;%#Gy!Y3s@~2s^2U4#m-t0-&XJ4sMiXbdc$9iDt(IuvHUf7O
z+JW~aVneoNov-vrndIdscq}QE!DB6Gmfr8n%m%@=Ul_KDpNyzQ(4X`yJP2r%L7ABh
zU5V>(B}lQuDuATJPKV<TU7sqAa7Z$qhMg>$0~jYv?_{3gcfgJCx2HE=gBv=h6VL;!
z@pCz4&2PYs&*Z1vxCIz6e=2fM2+vT!oKB^I6>M6V$EnPlJ_6)1Co<z#2sWLc&xvH$
z4FNviuRZOV1N3Y}dNLRupr&9vw@%2wZv!%Lg3|^S)Sx(RT!tE~r;WQ%L+G@@4mB>E
zHmIS-_0z^bP~+xl0}ciqOnoAqgm1v0n_ix9U=QNi^eF?qfpYS*Kb=7mknXzjll8o>
z3=R6~$qYV2qRw;sWCq>W0h!qJMAD@<x`fbzl)nYNv#tr1K@Hf8D}eCv#~}p#e*8IJ
zGU&<=Qklm;-OmHWj;|O80j1+lxV5>dx61efr|{UNJDC%ey_^Jd<4un!Ca>Ojj}*Q8
zbXaHi_W&J|7kc<fn*5idIF{BM%th?X3aH9w!Nb?cRQm5U#lEjutJUJ5$S<!Q{pXB^
zB+%VYfFS~l1K#49Wsmxy8o?5VUNkmsFWUE@pfRW8j*{=H%&&kyI2JFMUrkioZ02u~
z8V=^>N}_xjndL6}u+({n3O%28Zw&pvv-8l%R*z1-RcZ7ZeG|8h9A;cnzb4CeCrW;9
z67ckRKKGRYH7nX?%3xmfsx`_3fk;O5KSFFzsb)X(n&d_;)|W23BQT3cNxX9}Xq&M`
z4>;!P7B4y)o%s}d4z1k&5;AN?LF(*LH)#w62`Sb4(M_?YUsM;=z1{E3I_wsp==qz*
z)C}`bl&=}x%C$I<13xYm>`D1uc*b0}NPcEutitDTPa3Hmm(iAl70mr^66{{A#bMyo
z1~~60_bxRn8ykg^VDO)s+ABg1@hq3~W*8H5AjGfxPkk7{o!2@9`-6|nX!{+^npMBn
z=P*S;QB(GroXo)T&u@z3=&CQMc))MwqT9@rvNJ(z`}tRqpl73mAG4b(WbRG3eNxrg
z>GIXt(WpHoYzcuUZq>V$Gcxh%axCxM?aaTAbA>7YdxhfUW*yu)1_vvRma4Jt*bv_Q
z0oRfw4QQr;U-jRaKkPf(s@S!~rKA>C#k-QGIEf2;vcxN%Vf%4*7a4$r!Md-E>MlAQ
zzFFB8&riK|*DlzS+V*MJL@hne8?TL{W{~a4-b>O#RZ^Y*hG{ghkA$Ha&THLgJ)0vz
zX4H{xe?f~g;rfSSAV2dH*PgtmQ2sU7>P{wVhxK*49ky>Dyg%=it?n_znLuDV_K-+@
zdx3{AtYQ`hBm99W&0g&1A#}xlTV$<6wZ>uPU5=Wf_CyP<1_d>k&clp$Xh}b)$wjCG
z&U|vHIM5o9=V~bttfJl4u43o{^41Ilr(P!8(S$Q7H4@1L;7p)@Qe#tW4MQy4R3nl_
zbUONdiwbtXSw;rhEwQ#2WoFcAn`7E$H`N@e{n}p%l8Gj<w3^YFE1GDHG{8-XM|Xu_
zu(~%ucxLwy7ZKYXO40*}ZFhus<?0dw`)Gh25ELskh9~9XMNQiszNl*71Y&DMJmmgQ
z=uJ5XQ7{gbYq=GYud@qTnKOZ)+jyFFD6Cal0LK2JI1BUJcpTAyAx?I#>2hEvtT!#m
zXS_6^zHN0#(qO-Qq+i&3dpT(OFAUl)j!kgKA-E$K=<-iXoWaiJ`3;d!?sk>1oXAx*
z0KIwWQHv4+ORRNPM%b##-_aJ&|Bg1nJ%E1T$q(iYSPB1{IhRG*)m|tykbNtNtKFmP
zu4%g}*f1gnXJE0Ha1v>gvgR&q&tnpoJbNcEzxvEHquPHHXernWj?n2g!mc=EQ!K)?
zy~3eFYzMK{^bROOKd(!#KHqk8pfaT|hc?MzzM=1}pwvfTfhzXgzsksXP1-HCA~-0<
z4RqF6pbc#jtj*VyP+0%ZWrB>+LTDVD>rbn!$nKDzh4Dz))4Do#xrr(EZdt}92{$D;
zd)j9&Do`0CC;-NU!Ca_JiJR@kwxoN^6M4-AL#MCsOBnXOycGl~*jQDRhv21G?PM@2
zlHWp?!TR1mXWG6gMkpKaT$18aEGEzgcP!WAVsHT)x9+h(4&glUh2^&>B!N_c6`Ql&
z)n@zpNuefSa$tVZp*{6xmHqzyoo+3T4$;zgVX)2bi8lI(s)a)Q8<YeG^P|NpA-oE5
z5nrn$Ez3*Mi?R@-x+7MmzP}mnU7HCeVN2M?lfeAmwZ+;Tl418*Q69X6^;<ygd_+ks
zRUbTwUvjOVB!2aa16tepXCa8mjO6ivT;$bE>SJDbG@5J#p$u}p?Si!zzr?u0{ejNw
z-zyRc?J6H!yA?#-N209WFZ{ldSsa?Gg^TKov#)NOODAQ-H)unawN5Jmg@1@hUYs4F
zIseTV;a$9g;WZaEHJh?XSnCQ3Jf3JCsfl7Oh44H6diu0gMQ-3CMlfCqtvaL5Jvd=f
z=+*;w?7J=TbgA{aY>!+S4ncbU5oD%de^Mz-DrRHZFaDS<@|+go2lAD6>+WjwIhfzK
z>+c&Ch5d>KCnAgZpS;LbXa6*!3HK+uLm3qKQT~hCwxnsT((w8Zx(K)GQdOqo*}vm8
zkLtgishdB3m>I%5w_z|h19bLyF?ms~x}iDc(SkMV6);rlTrpkcQ&FfI>hs@Lr6H>i
z>*n{2<SWLwnI|T4TMc;LP7F@Xil4=tf!z;##VGPisfCOAA}~UFTrpK1Pt9MWPb|{K
zMZ;q0izIy>hL<7w@cUI?!ag`Q#Wv3|{t~U{{RdXJ4$a~o)BY;zjR`}<yOu&0Id-5y
zp8)g44&*z}u=c2Xdufm%D0Th=&_wDLdJ-`#a<Vd^!;`~i_2?47yDv2f$E>oA)+~v?
zxJpY=Y(AiA0JK;{P~-1L#!DLGQ*WG!hx`_8;xe$k0^)YTqIZ~^WmvYD;^>6R^*AWF
zEAt`i?pM>XhjMZJ^#O38>Sq^65&A}<2P+JA<0%J)a6ONnT7Tw}CfhP#OEyY5z_?sT
z(x%|pzQUoMK|RM=_a|`rZ>+A6_448;eeMk+7|es*f2xr2QnYP&KTl2p9Rh<wDPNQ-
zp!GK%^@JP{7!P4rcfHwNu&v_*ye(q>CT+i40!jitO0%Q|_iw9No4muUoV8et+KbrQ
z&IuHo+CRb=!?^;C-Et85Xb*sMU`9qRu>()KG6mWqSU$a{cLLmPn{}waIu36A1ssS{
z&2|zatWPtB=ZP9VQuy-I-Zf%Jsl910wGu+VgPKYh=S*F~_NtIDj+&bfDaIX~J{Og2
zHs;<NGkH=5bWqHo<|J-yW!s!Z;hJo7Ft2jO?6eUZv-nyx?zx=IqGqkGU{iJR>VCC*
zp*s8aH4{Y#1|oR`19AO}Ztt<4^wJNB(&;NagfLhJ(f?{bSI%<KgzFU={(f_F`&)Bd
zAP0@<YPP5Np!)VM58=htDZXs~+Tel>Lx5bSMGOR+XemBC8XIH-l1^2YlPI^ECY8Nt
zPI{iiBKL*BlgN>WX?Ohr?^pm1hw+%WIQ+0U!7es~3-vCcex|^9<nQ0r)vVDF4yYp|
zbMHAEbvMPT#VsIK_JHQhe`D-c3IM>mcWo9*xk{2>PUV^zmxcKIU|t1#+T?_Qidvxi
zu0t#j4opnnG`=S~+v5|!F)VssssAFwYYsIrtM<43+O`pDlQ;(Te$DYgwr9w*92F&e
zQ=(<GFxU*a^rii8qz@RO?*`KE5O6Cb=~(bb)m%IOZSGb88v=q(*XTM%$K+ky1~B6}
zti3<d{S8{r`x_2>yHCKk{PssgfSxvnyU-o8ITDrhPyKqJt^^^N{<MUD6$0=|eftdA
z2LZ(x+4QA}xFl?1OyaMN4wZpicW_e!v7Klcmp76!XWL&oIDzprbTE|01Kd}Hn&@rZ
zs9JEJXmr18VBMUxoG__xsGz=`y0#x*<mgj-w*^x#fa-rQ7r{Ygx`^$xnGM3aYX<Xb
z2Jm9%zcK+Jc!nbU9Sp4u(CfR@=N<4!^aMF-FN1gPdA9o9*%~2s7lSWqO|b!EgRGX_
z1b@=0kNDnnO_0!-=zns854VYFMUFkH7eaYUWZMd$@R^iR@@9f^5drGX{qSP3AbKB^
zM-RN%5=)kIfk15%Rs&f<p)4KrsL$)W+{{?Swh8I^{7%#QGR;y0pBDdrtPknyQI(d#
z6}OlzyeEC_N6IjmHMh^D`s&W^kDKT7MugNL_<d)m9CLTY*vNMDU5n1Ry&x$9bBmcW
zgqIS$V>wc$!uH>=63wl0Es?KDY%W?k=vX<vlpBwIsNysR-zwLYxQ+6-Nm%bWzKK*s
zO>vXk900hJ#=IG<E1|SSZKVCkpH4#AibnA_JWrjyO)f&rgyxxe?sHKa=a=8yyS6&9
z;(aJ}c3|nmQc>2-4t4O}!hrtIHh*2Me!i5yCW~#}hGmTQKLQZSbO%n~YHw3^XkWGB
z=&3jGKJ__njNV17A6;2DR}FCOoOnT@@zD*G$LBVBjdLpfiey0JS=95iAC6^XOo%yP
zb$!`@l<1XwgMVHb*+zu;0cbe#Zo=^!yjU+={h?2qkb*o=6aef;hxLjn&LmB-G~3ug
z&Ir)U96_m9<RbJaK1`=s{lR@FxDQ6l0gwd1ivV|#%J%TPk2FK82LKfKO=jjJ@7%h`
z_dA7-b?;g>Smd}KsW^S}7vj&=UpEPx1y~Ig*pjV6-|RA)3?LZfxUlEHm+K4dx)sFU
z6kFUBo3>IqRSq|`LhmNYN6b99CL85Y;gzAsB^e!KYZ;c=oOY`+fu;2VnW#|cy1dPy
z#ZpAE$~A-yMtI{;hy(0bzwAhs))pj(=ND8L(A&`gnOUW{$H)gcBB3NzX7lqox;*9;
z<-5rrfytk}{i_A7V=4)Nn2=lRp-^$iL|W-L&tY%x1b`%;0>cQ<<~N}RHWWpcjLOHQ
z`({s3al?W6_oBl>?%e;VE45Szz#_O4zaIy%!_d>c?;_IuKEqwEbp$$K++u}}DAjC^
zM=F1U#gjsn@2(dc5A*<@09oNLUJnlfmW;<)U64|GcDdl2UT(Q2dz4c4Vli^}P5S})
zAz7@GU(`OM$;VTj)K75mIpLR8PRJqCl1J7ukF3g94KPG1(@sLu)p+CLkd?6u>}gkJ
zd*X=r**t)LjSk@jh&b-~xSFq*lJu?dAi4*_8qUts7e>`=P4){z&Nan4MoM%N$O04?
z%kJ{`SA$)S`nKXdn-|N%@`*!JZ^)Bzb?{;Vl912Fi{?HQ!O_R?P>+-J!$p;Abb-_5
zLf6c#Xe0-;0zARczuXE^8hQK3fl{x+>ZLre-NFjeVT)znV2#J%j>w<l&lUmF95wiC
zDqd^z*TGyTw2LcvyQY00gq-9-m04IZuw<f?B(FVB#$!*5ot;~JL0^xip2U%$7vqt;
z=V#1(6+;r1%PP!+wL?<p({&}n7Qe^vyIU=jJhwTcaZT3Rp4PCl{^>V~oDLH^4o@V5
zYui>G!F)`!;KvFVuTY21eETb}j5s1I?>U>UzD9fOY|(Sav{^LK#S$N{hApd4q!|_y
z_vdMTDKMuQysRYkG|dj=5~fWKTOm6T;{Oru*v7T%gOsn2acR10BnuXIWtJa7)ZpPl
zoXD?oP0{IXA5%p$0da*y(#q4h4>%w6(p#aDW{YThF})n%aJrNm<%NCWqKz%BV1NL1
zuQ^AXZJ9{`aj3KVp3m@Z0c#~{ygd5R#fLMW<diOn$${<F>aVHRTd?r$vGngsCT)Il
zKWfuZCC_}BdjbyZofb4EAvvy3k~~w09v}>z+x$C-soMM3d!_pPJCqdykJ(8LIuX4n
zOxXOs@wZme1W9WH&C}w7MWVSFlmtJg@J_udrGa8)4PDfS?d~kwDzQHl^g^cXQ<fx!
z830ED-JD_v;Blz3Lik|7hs4pMUh9>00b;7<^t?gC)qLmUjrW12wc&L*<0YjEGj|IA
zsbM+XcN6-YB=KJqMh;Da32e&d<=Ci}OW2lA8wS?QZ?qy`7{y}l+rs#xB3)fAS+J!;
zwrtG&p3DDp%&5CP1nDRVNi$5oj0;kpRs4w`41KY9=b0--u!o3p(vavYhjBluzFTuG
zp90oVO`RmdU!PuB88-NQZcrRd7=f@b<|=ma_d&MNzR?ui(Q$QvH;-mP7(L@5F*QL&
zQaR@OB#!N{Vse3kQJ2_XH*|Sn`)hH%duRD<F-uTt2^GB#3*UE9hu<PTtQQBf3O_Zc
zlth|HzkP|FcoH%5N!0B=-yiE(@lFegYE+@4$*j;k<c~ceLSULXX($oi{A+heN>u^g
z2uAe`gt%Mv5q(R?c2KqUE>RT;P1k3d@A{&t_IM4rV!}E-*0HE<d8amBzA&Pncbaw>
z<NlnBu!k@1>I-L%>lI4BW%HJdcn9eWK~}0aaMR8zGd1(nsZp^GhCc355%&g8hD?<X
zA_0Zv_3U@tp*%J&$OLy0<p7W1(Fv-Gm0TYArr6nAK?JK*Z#r#^hFmdeDCG*X;^#wy
z1uSw(ol^NF8V;f#!yy9K9Z3D2c=`$U#a9|M+KVk5#(3J(G9)_r@dQ=8H1Fdt7P{D7
zE$|{>Sh{|vGZts?I1Kx1PmG)1@k%A{qbaa?jCZ7DxjdOd>OZF}obda5`Z-cW;&Yfl
z7ULyW>N>?D+?YTCMufGJ?<1;aCOV}=JMLUdr?+6wU6){gjTkJGQ_@%Cj;=SI!MttW
z1ESs+413LE)oy~A!57hgwsnDFjw<tu1B3PBdSfio1AG3o-iv*h1ks@{{HHn#+Gg8D
za&~Fi5>3sy$kq+HwKC(_OalVx>?^iu$kY@^1Gp)Do9+!)jYj*i-U_RwO!wG*d4FeQ
zTc?Xe(rar6t{KkHtk7CsL9!6Yki;JVoWmJ9%`aM^!dkc3L-<yUJkirO!C&x^5^Zy{
zgTut!1KMVO!E~W!kAKo4SQc)t$2mw>_yd$@X4<azM`!8h4fo0>$o0sOl^mZ7c=hXI
z{YjY41B4*BxTVAW`wNnVn_~M}<T6~gB}TQ{8hJ&C>*qt{&k2)bdYbCsTj9C`p{Si}
zZcM)7p{yP7;*Xh(A0ZCx+Bb66xdBb|7=-yES+e1#n*ySX@9Uorg}p{e+-t8;@}IeX
zO;(M{MA5_Nn?3b_z4W=VPrT-q0~A6nXnO3oxcDtkxOl;(%;Ib-<XJ1oS($5QIhT{|
z{*O(tdls<1f;ss>y#x4@qQ`~ioy*~64GXC*MoNX+0!Kdsr8!Q?+6s4clc!l%b3_t<
zt7FQgljr}y6azpZN`jmDk=LYe0pzsCtnHHowHyO-jD1R3ms^AV*!GJ&15cZdD!IJM
zOjJH<u@|*hu(sb==~$J8A{h-3Ca+kfGS%4P>q;EfGE^@krDK`f`;lF?>h%7ld)dZ^
z#<GT%RNYWw^-_(Ra_0cu;D^9C@i#qrCJRS+-zKcjuH{Y6uoY?Tx*G-}n>!=ttX20P
zBa(^h*JBe8j;eX*5?8yPM4%+7{in2BzX>_C6+c<$Hz-NjYuqzxg%@k<ZUa!d$N?*~
zsf`ZiCFzTDl|>{I)xY>mU<HgEJ9Ah0Y+457>b<Cr-|9=EX>O)7$XYaq`^%P9C*BI`
z4BL0?^kah{RvC{%g<jHQT|<N+N-}1tuM_trIGf1|cL{yixAaA|wcHF7l$yo2TCrl&
z)txrZMR85GhnGxrq)Ujp`vdUoesIzXpUv?B`s)*jrONpAN685mrH8HG%+Ii-QQ9o-
zOrccxqT02k`^1W&KY-tzuu$EZ|I(`fpz|BWY|@mPcBv5C03Xty|CVi1DDon#8+gCh
znm15HmC?5KWoGc7Z7!BK0pe?dmraTDxx~}Wm)h%c2c@b_(-Y6`AH8lg=^^6O0Rde7
zvSxb_mXnW2{~a9`l*s+ZjkAv7WA3Cib{mDtqc&Z&_sui!hTRED1t5bTxqB;naZ8Gn
zc7-)IPdLTe&=B`eeG};eNXoR5+3!{&yN#;VOVDh)?&`oppR?gAwAA}luw>-^REjj`
zt+AU8d@5?_@^C$mm?3*qC~$}c2<uBKr<{Pdyd?xfQDxB=ZA}MrR!8WL=3v+5WmpL7
z>!;~e;msQjH048N%^M<N{gl9~r_pe`S?WVlzitEfZw4#!l7}#6<wfPA@e0y_uS1<$
zVfqMf3Ggn)U(=*ak@UPNy2=c@HOKrM(ga36!CU47{aZxT50w%5JEJ0<SMH@x0e?)c
zgw*<bihUkfbZ&7+0u?ZYk*7;9;Qk6VYm(1B?-E{1P&B%k$3`%2UbDtPkF6G+CjRR$
zhXA5pEOg*CL~v92eam|#(jarwiqN6%y&R$(P47wWkv-qfTMg8sV=l)bxR>-bLzPpP
z%e>S99(0er`2JW?2lJj26eH-{(z{b9z|-VJ>(567=5_mCg)<TaXG3@^v@5bhj0Fzv
z7NPqRKgpbH*_ja$dkz=qoUlUeS(R<kmZ*V%N3(kp+NzDoz}<|k%SVK;eim{O*0;R8
z*OEa%W99s)8u>FK>Y<$nh-CJdHdDGh_MN|6QSzAtiKBU{**T%^tLUTvBJ<l(^3Bau
zPqD`RIzWZgsXy&691pB$@>1iMKW{%|M$<x`9PX_3okuL8jMQ45a4c}~+shLd0Sf7Y
zNKp3DV7{aPXFX@L=$j@u{|h&S>A8u*^W41y=h}AKmqecQ?i`4kYu+EHtBkg&r$&tu
zc_urd^ti0SMzqkJ^3GAse$u!R&eAGUzksf%wGwTwOub?{s+0?v{O-4w6_>3oBBT;{
z%@abNIaz#W8*qOnos<1suah5STzKaS0%;X`|9C~PL;-IE3`g&pY}ZE+0N<jp8Q#rr
z+Hv=qWY9S`NWC*@ZK;zN<6{3IX^yeTk%SJe$tdz=KxQU3FadH}D)a_G3>Lh}56$UT
z5Pj<?Zz^i~KulVk^3hYxuhJwy!B+Bi=B;Z-uux$;I=W?51bQ;fsT3?tiwu_grj2wI
z)kxkYv@}*&)~5*GyN%zV_%>h);=l~L+*ux`t0@~++$r)gO)f+s({46WhPCS39gLUu
z;(BvH3Z-@QH(745qnq}<Qj3W*WTNK5qVd;lhPypf&$NmxMWq;cHV^l5k(`PCf77Ps
zAn{=`m@{I<i`@Mhm^u&TN6NhP_Ox`oQ<Ghzhy6!4KNHQ!t)wBN!$Cd;gij2qwysWB
z^mGWJfa8e<-s6k5txo^nSlJmb((~Lz9%8P1ozwb=e7LE<c(tpoUcK+Km#V(tPY~?1
z3#PJgV=UUDN~Uv~NWT@72RCh!z-n@1UBL?9>uhZekU|KD@Pe*@>&w0Eu-2V#KVgVk
z%qDAJ8tLEQxixBS&$0a&WL5u@A3|HJT+<f-_JE!Zfw}5Gg#q)3{iA4;t<HzkzBg^d
z(HU<*9kT*-rt_#98jKhOfRdX@(WAEN{GCmsml7$Vyo;n{5D!piAgEEOtSbH`Y2M}R
z-em%<bAzvewMlMxK!iz{j6`Jyw06GqFpx=Na7s4&G(hTmb@K&xJJ57>0#qJp>AC=c
zRd)<`bKVPUZ}^U`CN!=?=D$u6hHbV;l&o0?cGG(FaK=6WKK2;#Ju%T&#=YbWclkNh
z1#!}s0@O)D9amFo&P#>wcMZwec8Y<l0T46bOg0CIN=^t6x_4YLZEskTg7%&OmAmk!
z%WsjSA53rLBA!%|NiOGY&Ud|kP5kMTQ0WJc2F^#3*>*DnXh9bcWT;@0aEpDsW@tnT
z;^V(L6h-XLeVhgh2|AZv&=#`2W6^mJ>a~xj>4`wy)en|*5_}6?;tPjDIQ4DBBrcQB
zk4_y#er_@=m(P})wWGB{dUYaLC{u5Fn0M3DOzXWQP5Xl4t}x?A4sB&CCWteH$*MTH
zcTYt3cAJux9RqUzwf*|}%}HU9J^@A&MOv3P&)?lKPWr^Dw&Nbc8zdo0RNAiya6*O@
z;XT3G9BNWnF4{KQ40jX=oi^TSI-Bv3^t^t@BcYJx_3w`Liy?0hpp5R55D+#t`>8*L
za7G~`ev7PHr4Fk6^U4oq{oqnQvJf5E`CU)>2HE*<4NE~Pd`&r5O^oS>Ju^QMW#yWJ
z2$0hiUQZ~krPj!mE5-}f&vM}{6nJC9SVg01<lXqFP<vOW5I2r}R5Vi5g{DHeYPPrm
zUMv&%)*Zz9dgLTww1TGX#t(9ap`3iI5IIr7Gd4KfO(M$vaRdvAumky|;Z_S*v69>D
zEsFQ?z~qscm|dw~AIh<duOz*La~9#@*wNv+PBKYg94rc=?pUkB2>T!PsGrAf7vF+=
zL4%N=!&TyvXLi3>#c>FF)`{dh$H<G;f9eUzMVdE6g~VMRc5i$xNWCx`DC-dDn^Hsm
z9<&qyRB}M(B)aRf#k`p)AGsj{g48^S<%n+gd8QYP`O3Rco|t}aQMF&#!p*sOOr;<D
zno*0mKD^2FA`q6;m3M-@Qi_sL>{)bJ=punWhA>vh7*3z~dKb7A5f)>7?F7f7!`n1t
zCO2=fDa4=wkOK(*=qW{eNw$%e_Nev8*yN+@ZPr#ne&Bsmte$^&r1`m;{sb`&I2DlS
z*GJmd&Yuytb8P2&zVSv^!gSzL)+3YOBrV75!e)W-P@22h@I%|}CUZpQp@5@J`3nF5
z1U>Y(Gu7D>uYS0J6s7hs>DUZU%cH3%rk^7sm-0A@lK(P|+IvAiCqNyAWOxcUWtHF{
z9zPZsx+)!wBx-VUl0qm}N|f)wyY?DYL*>tOX5e}Cb5Fh85g5U_TfqF8i={8<7HW-s
zl@6uX=#Lp2w2&!t7EXCWX)a3oNf3mf%fva8lX{ry!+_gjR@VImbzW;c-fd03xUeP*
z$#nN|`*xI?-S`5<xh>@MjrVr%KFF5Q(q-A?df6`#m%&$t>uzaAt^@7HL)bhKe*=Ii
zW(U4U;`uU&<g)r}dmz-q>yHy~Q<3T1t4WSG{uDX#$mMNgin1!mCf_z~H%0CWP)`Zz
zkbf{e4#j3fp^*N@T25{HKxGLxiLFM5y&`&<!IvP^q_=QW3ltI@l!vh$W9B@Mi4t-U
zN#dPL(3P-C6REW&Sv6&L7=mvp;kIwPr1x%Ufjtnxk`1u036?SbM>of%S85<{otm8Z
z-<j*}#t9q!*3pn??+Djtw9=K!LT;#0<mU7YNNv0xn|Z=c+j?cRe!V&{f#lUMFM|hY
z4={(c=hgi(Do#Bh1g<M#`>-NpMkA~%4T_RFhVAct-SEbLGbtP@wfH6yhC@o1Xy5ni
zuTn{x6lxb`WCposGBCnFCO{kgqNoHZQxX0Tp()flrk9vtM(o1`hxTP&KY>pPVqd^G
zw`WD$g9xnxxP<b)Sl;TZA1E(g&Noj))mX6^<a>)-2fPqNp-5unZ-VrW704HY$f{x(
z+T952^`m!vMvtB1z2@>p#WFz0JAV^LnEd4;oYXYK4pL-7c+Im%D=Peq!6WfdWdt;&
zeIFH>P=H!{?+U0RsyrBZ=k}~wJ@%CT5eLN)Bpi(7;9G_yr)IW<GI|=YWz!qqDE0c%
z=+cz^XrrWX{RMp&pNyB(p3}=Kzo=(>SG4)Ey#*Ez`EPE^>!wXSTmgax9LNE6XKfh`
z*=K@lqeby6f-j990`%+E&6zCt2Vi&M=A~OhmG&J;y=YXW7?HS!!j}m9Hoa+DW{!LN
z>nd}XS4g1jr&=4q1NSw53`nt`B>SLZfJ`V!_Y}+qejm8D{Q%p%OP&7&%n*y5!!Xdq
z*r|Sn*Z!JyEKsU%l-!zvO_06<C}5B+qAL^sI`ExG4`lb7l+NR`R&uwiSG;3mY{z)p
zA-y-foM-`s^=@fyiJ8<4%hGlFgUlCrui(l%I7mt%`U7NV-s#x2+b7*gbQ-4d8N+e1
zRUPQPI5r<Tr01I*`Yu_u`YZh>L=6(DBTvy&z;1)sqIM)pg;B7mwKUqYqK9f<&DdyY
z+3PVKR#6HEAgQ7C0U%dSf!wVz%&|V0^UnIIMN`ofTklR(2&4#@0+q=$q4dAiM0sJu
zj#U&$aV<){Fvr-5Jdx0Q5`REcaSXcyCH^<zCV(>_(4yp0{A!xzWN<)900gq7_$O}P
zEVy-6QJT^q9e3UQt$1{E4Qf6e7(=GxqJ|K&vlgT1w1L0kKyw$Z<VMBQ(>ga9)DDv_
zInd8F6p6o5eyE~eh)HHU`qYg9k#P~=twF+T|CStRV-x)s81r*Wnd8avU+r-P*Jw;Y
z02}mdQMnK$DGwrI6~L7@7#ziek{(mhhaShFK@YH+f6MK}x*sDZ|9DG=k^ea7U3^DY
zd@8z&&$Jx{U@`FbS8jSV3Ar^7sMYxgOy?+9#--gMtS^q7-_R`+X@QCtN-uxD11tpy
z_U7nuC4>4M6VLN&o!>-OE6_afdlvnuKw9O9nIfWx;NJWP`wO>(3M8VNJwcFBCL^7v
ziMFKoiI`xXQ6Y$zAD8p&-Da1War3srSMMCK0W;nnWH02>y)1Hv#Drql@4&sxi=yPY
z7+nF;#1#<#_egBZH#9|xT_1lX#QL+P1YmJc@&sVKQZ#@^I?KgLP^U~Z8scUFMVb*n
z5b%@da_0<aXL<cntVJ|zcsxKIgOFT=d@k;bc-}*oqhZqwbhlfA*JScg`r^*PUGvwC
zSA^QBe@KAXQrpgf&yStY)!{61H$g6BB_pfgiv0{Rnsnzi;?m0}IS+=|G?-{XN<fLq
zv}wnQ`W~n~f%{8idOr32<I4B#dQwJ5`c6;!jxqqXcbHA7G=#H!%2XuLsO&|MLQADH
zC<CcES=07@pR=}AKZd1+ctn?LB-k-I@)nxf)xV;ZBTxpsO?oQ*z*vr0mBlAv^{<i1
z^?sf5RqOv!`OsPu?|SET-rY9#HyD~<2dnP7ppt^DLhD|Q*W~0_m8+ehqxP^PmI)z#
zw=?^yhv-8`ovvic4~pQCJ6S95K{j#R=x5$h<ulK*ihO5VEo^H6D6|5_i7g=Hz;-q#
zr7$EJQ1%=f<hcuZxNI2uIJvhs`0h^|O#l?FXoVlzn>`TVpqX3~0;zmI-Z_vKyTqn$
zX<<V2#el}@@cbG6<#!;SF~+$(z*1_Kzh4z~o3Mb3<m&VC#qUd{1VpL?{R)19+1_!F
zKtYthF*io7`4!U}nBOPhTMNHtG@32g@Gu#gx*q<h)JMB*dW=*0qv*$Hq@|h4y(ZVG
z49R=V>NN7P>qZ*0&aq^1ME7J+y80C>g9Vdino^`r<1`?AuqA4E+1W;ih$cw@f+tT3
zjeqDVR*Fe+6K~GY#R>^E+!cHGuDY2ehA3L4xIVq|;f=Cy-O|d0lLd3~@eeV?7D<~?
zxdH4X=;TTWhVWY?vFayXLwNV&4huU}&dtacY5}ZZ(qR%Pm~Skjd?vc_JJUUQk>mw{
z$=hJ)Wcp&rBuLf@zh@oy<bnzljaUIX`$!Ys^Ryq#Q3TW~c+$C?Yd=5Q>qv2KY%G^h
zh!_lBP*Mp43JHQ*-XnLbTTRbVewr(C{gMd7SV)n!n;cFQixHDS(TetT(NFp2%QkK$
zP1TyQu0nMpzoV6lHQKVf_z>PDlROi+!!-U8@_aUTTJtxoj;=^ui}6>;YXE?u_HuM3
z0vueC<iKe*r(ha*L1u6!Wcg|2r{^=kyi_cw02DeK?TiM#rg06ehq2<jihH$)ZL2ag
ziTUMMzu=DJv-z4_(2O$3Oo#$j%wG7d|MUEs|5T55tRr{mbj4Ci3d(M;X42K~CU9XQ
zdW|1G=X1rD1rj<T2Q^BQum;iY%TWptR(5}*^*VdIntDc#m8T78=^Wrh%&M8MdOQbd
zM4teXfq0xK<<?M(Y~<K>I@L|jNxr9kH(hR}@S5jQ+JK!}akmyqu{fr1HN-8k&0<vh
zH3544g1z3I<gF^%!SpbX`gWQ*O}RAHk?@+hpn6o)B@n)pZkmSbgmj0(w5i!A!m4wP
z<e<UO0DRNC^D%am=7Yh|x|OY#@XI<5^p#dDUqh@AsD7-U_eOwdN`Cv&QF8r@XQ=kk
zgOkwBG;){G+$_s2*}>TdV(MHdhRofGo`!l{wLcStrRdDhk;FQy(VNU7OR~v4fUP7d
zd3ndByyw~){^g8qEE)1s+3pG`z2OP+q}+!&(Mxk2SD;w}h)MLy$emy=mx>*#Hz5fy
z7WtSWSXZ6>7LF9%ltSe1)%Xr^GEh|EV=}!&EW3d4p$#O|%#(IHKBy?Ullo5?levHA
zOtyzA9cEtAsg|=cE4NRRZxM2XxbBZ<D|JRT=N1EXlPn+vS)^@>#Zb$w1$#K&#WJVZ
z`gF*Wa3H)vAqA0`y(gQ?Y)=4owuaYk@EGxrfx5wF!0p81rlvfde6(t|z@|SP54Vl9
z)kIPsHad~g!uBJEf3bf~FCpzBOU2@sm%FK`E`MW@(*Cm`)MvLwgH5IM1#!`iT}8lu
zzeK;mPP_H>>ap;lhy5Qw=x)LJ0%5YZYVy93SWxPxRdN2-e)T2#@b*3Do5DnT0-uJr
zs#Yb;ZKe<*7`ue`1_$ms@1XRC-(3ir3$r{@-$w24ae(cH*j@l}uI8R``dAA`u?;(}
z8Dps+9qB<XdOpX&>j;ch@RZK0LR9WYv4wp&jVgDSm3Tg?>!K9T&U!6Watz~xim*Vf
z4tlYkc{6o?PoRh>^M({D2Uw53n=@y=QUE_NL3vT!QCvWM`z9zEY43e?4O+eW7w#JL
z;X|f-kKz7egsp|u9mWD#Bhn%?Pq55d*+f)3-uMaaOGV2<K48Oo0<I)v?jKjhja;f<
z2PL0(jqK!;5`Q9pbB{z_hyevZ*<#~?u&vKX)iphTEh*B3qU}+RH|&~-?H=Gn2u&jL
ztw<i*gh#cRrbg-14;ZLvT+Yk*{(;Ja6lb%-l(4Tu-<Oe=bwRt=rR(`p8r!mv1kgkI
z<&ykRsXxr=+r&p&Fy_|I$S7RX#Cv9k2HYV8wd-g#>z)CS@`9d5z<GPL2t@fuTCs-h
z(-yX-!dW2TnzL_0Kg?(?xJL4L@c|luXgyHN!ZY}BK?UTzhcDX8-V5Fyw){tF1v5Zi
zvj)(r*j*x$DJv-r((@&s@0L0K>VI%&bkwQ@z`?F9AxOb}e&mvrGv1Vhk`P~rCkKkx
zMR$@Yci#5GjKYcPo#o3S-KT<TplH0fhwm>vR-(a_d_J16Bwk!%2=CKZV=c|KHQEM|
zf7<}#fd}a9O9US}h#l`)hm{~`o{Q(8l(C!zrQ)}fOPVJgCZwY@poB0HY7it5Mk<|B
z#f!&4j-s306_Z=^f1Vm}rD4$aQV8a#oSnaKW<C2}*R{McRtX?5kV+Lq=$D}Ra;Z%x
z7LLXkZR*X{WIErs>@r^BQko9YzXu+2S4B^pmwI8QgPdWtRNa40vD1}RHl9_cGLAJQ
z|8SE``}zlvRT5wAB7UEE>mU_naP7lZFSW*YDnL(-_SNjn)}W{qp)b@V_6wpQy_XuO
zC(xt^Jf{PZ00RvG+(klT#x_A1#K;kjHyuBsLIVe?1P{_3Ij9mxubHjq!vTI!Wy}h%
zNCci+dHL`+3S+28*C?dXuNlItX@ha+z4U6U*QfTeUq8uN;J2L7NWN4s_h4MnW8hiq
zwwdO#CI(bri@uk-?l(*>tCFjPeydw$L)yz;Q2xB$owvybwb*F<mZ&(L>%PrM4b@<*
zzjcspy8+o~eEAgHOX9_PT(G0)lH0ZHd&x^d<@uH=8ouT>lV<yfF7be_wm|7lxf}mo
zh6EM0cT<4!bm#*1-*x+t+(MrgL1?2wpBZYXJ`wu-e;fly%F=T@IYb8Yt6pzt;XXN&
z0BGh{gYzKx(*sN}nEULzz|*rt;GPScJ=@9o9oT((!JG$=Pfp-~J}fU4yg51j0E3D4
zUNgGP^zYzU`0K7d_;<`QZ7_wC6A$2Q-#OcJ94F^QpgL-2!vFL@-iPqJ`Q~)WvEh0D
z_1yVC|J8X@4)#C&@jUdtpmloc0_MlNaPL2KgTLKB6aDWrj2Z}t|3m7Az{mgUg1Lzk
z-q*DEyGnKzZSpL6f295Y65Rlmbxq)T3CFbc+Wwf`Y<xWK0Qsk5kI(3;h{Q`9X_A6x
z^bf$9qEpfG2j?&BlLM=}Y(N6h1NZ)iJ~Ok)j0723+NSt*cU_qVw>>-cKb-oHxdL0-
z?y!~4ONp5Z4N&6TN55g!JET(`q^tkjsSFout|2HWtobWNwkz-bX_(l@6MrQtY%u0b
zWZlN)XEY<E-#rM~&clLx!O&_H!Z^LZs~>90%z!t&RB`Gg^S1rCMd&ZdD$5gP?4i5;
zQb)Uz)K`x(LOG~KlV!)C%IU@0Cxu6=f3t|b@tmt(`Q^Cq!0RbaeQjVAC7E}nl}&M(
z!NHdp2;Z)7#0mdQH}}5XTN6g$uM<UdSuwfC?0aawa*_k&vNDr}g<ntF8#X!p>^smz
zerlLVLz01aH|?ICEX%{??bogowR8=Xd&GHs@EejZ+ISL!Tav5Hz8^J`>hJ#2U#kTp
zqS-e5^BYvj3OuAf7BC|jtEs5J3$OO$0s|W+M&}+*U3cUcu`Yc*IdNF2;?@}bC?dAu
zQ1H5YFK4}zD)*s|w3JEd6%%^9TjvPEYfSeKOPGF?aFe+w?}Ov8MlWuV9E%0dGw7@o
z%D{p3PBk9_Kgue|5Xp$K!^h;+y5bjpr0pAKd3oWM6b2`)+kBsRVMZH{BInFsXqeck
z$;gNu=IsmfCOR>>BQ5Y0M|ER_om>rXFRn=(9uAHrgA=Xyk3w!93uYbZry<Gow=-;U
zKhQ^-U&C`&BzFfWE43|=vke0!hh26)NQm0ibX@$9uj=cW3pgxKB64MNskQ*`G^_Ic
z4me@5AXs|B{Q8JkT%~NrqG9)gO*i3hh-jUmp0zbV4hBywBsks`a00<Km-h|Ic(N&S
z@H<a@6a5JjpFXs+{wuLFp`lE}whWyi=HU<4<xv7mSfhx_5Bjj6gVeftT@c?14htpq
zcs90#RW^buT)fw8pKe%r<MWlD-+sqevelTDG44!6Gh(<w+y#=^ehnu6!dk=Xuc=8I
zGBdL(zBL&*3NoSyg`L?CwRn-fqeqc(sSOiFTr8BV8?}NqOSX8aebHwhlfPKvLpO$~
z{pGxmR94Xn0YP004-S@;HUc!1Yz~vugea*?ovnf*JR0o>q_)@AY%h|0xw4_K^Cbf}
zp=EgRIne7%O}ov-S`7Z}kLIPehppm5jgi956`0B?pC+kJhB9J!Gyd*7T>H-#D~rFY
z;f))gVr+Xt49W(1%115q25;F<dXD-&b)iUI*w>3UgW}v47K#>u7d}V%vNKzZJ^0%A
zHv3TwF~wxJxc&S!<(!`K!kY4~h9f4qYQv|JyLYapE39@sHo2-s#6^{spYHkFS0d-I
z26|?cSmJi}uC*o8Ztb(&_FK%%@5*dZNBv4`zO%1gF_M^E4^+()oH|3x-mubG?e&9S
zrIWsc!)tUl2idw1OFzZG)m&<;rg>Z6R*OqMYJ@b;n)&*0pR%v^t3Nw?$sZb6-ZC7t
z_~P;=_a*Tv-i7-|KO6B5+dbZRQ-}Qye9DgZp#|X5n1$-rnQVgERG-a>j4meTtDceq
zg?P@(KZ~hZxW9VlBl|Ge{eFeXJ8x&Wa271Q@7}#$d)HFiBi_&5zc%VqDwRL7QZ}+Q
z(ebM|JJT04i>-A=iirky4ZKhyXzemfq7<*O8^C8vZFXkV(t*C;;a#M)6Zckpw?EXn
zacNg?#8~I=N{(%jtcp6W;3w9v(CHoauUq_NJOalU?qhuW+EOn-yAVtjUp6ovwl6uf
z73JA!;8<V5T4LI#epox;z|gkpvTM50Yxl<!>4mE^6r;n>htwME*OX$8d1Z^Awt6PM
zbcmsOYd60CWr?IOhKQQfCWm{KU-%#Vli-}bAFmjyr>ovmA9!svqVJ(c%(D_nP;=rs
zk5?`4`dC?EOMdv0a*JnPX>~lbDb^?o#kOw^DEr>tiW@M~FZ1MTnm9ugk!+=6hm32$
zOQw_hYKtH0plkbc{kLlC1+~Qvz4Zen_3=q7dFL?C#|AfiHu_zCn~v77Ur6!q_we4`
z)5T506vKnL^h@7W792c@^uqek{f3d{O#_RZau^cJ@Po#7?;BNXzWVA%?eIf>9R2FZ
z4IGE2;(_Nz*wJp4RqfR=Ew>*SwnbU=-ip2je%jFTpmihO&F|(tnn2Pku@~60;kyds
z>LYcGT;6VLW!t5Tz)E~V;UDQd_AyInHe6|XM839WKJn+PG3uyx;K8Qv3T|tpsd?==
zDPDC>(cmIbY%Y)*LhkZ-ek}KG8zW3T%)BEx@K>$uYo#%F7Vh4t!Djx5ttl{oKaRNd
z?PA9!y?xOuc!!00PrQ~Lx+ZhSdxhT);yMDKKoOB_a}YA{q#uuD+QyF>yn5rYBaTnj
zd3+SNuXE2u>UC|QgUOPP<mhM3+?{x?hGe19qvrm>Nt@xvt~XhE-{FRRXqHNv;!p=9
zE1@y0@8q8R#^)oYOAQ9_!<pkNzJO>gx(u;4;eB(Xv{5-m*PCDv+9dBVgJT39=&h=#
zW25G=w+qhW9r=qttj&8nBZVs|MIHI_Jv@@iCwhvTdRw95CToX2D$3q71S}~Ik@Qy3
z7>_KG^t^nDi%w_nD;G<04tE<Wz{-Uh{VlUk*(W#u?*7B6?L))Ln$i1o>S#QEz&&1K
zcm*qfz*p%!o|s;38zh-<_w83WGSqooc{H}Y9kZ{)R%I;n`|u&RbBX6sStYT+k*f8f
zL9${$UX7E5BtK!Oa=;4j<mpAMO6l<qUj=mFJD(jX$-Qv{)opy_MsIDe-MnbFwGC&v
zsxpHem5%ekIz4iHXsM(j%3ZNs<!>jn96D#b##s3-M!y#=^rK3N_@k?G7Q>Tt<U7X4
z$s%cOvbGSCh#b0MVds^EP?ntR?MV6Zb|znL*&7QP<h7cC&VLcagR5&ntJ(DP3+DMr
zakalFW+QqUZ6%K)Lq~^NNXAl)-4A~y;uMy>GcyT#IwgDtT}Tb*tr-|9rqd$aG(9kd
z(TO<kf@D+ctYEG<6y8k#vBa=5NOk>2=R;_sAMcQlEfQy|&5_z14sCwlrfEp|+b{;@
zn=*)_3+(ajUB@JI#rAo9PRYUGDyE_W1NRnml<|-HeQR}D-p&}7%L+p3;&^q$A9`K^
zhf4ox)u(1j7DV8e#J!bbVvYi{_pqaHHPZlYDp&SC?C}5I08CE5A@WwSOIXL-zk~aE
z#my;G)hkDi5PD&mh}yf0UCj5FEC#T|<8pqwhVQmLJrWY+Lfls%K?X~UBfEB}qdS<I
z{3VE8+z9*w$w3Ri*xT=1XMd)AQGWkN@@DgAXX8pzhL1y@wzPxc<4e{IqY7YbiwjuA
ze&5o;!yO1VB{vA}Xy}J~6|Jqa^Nuoa7O9Q=g=TD9i!R_-8xZ`a5U>HWFse8~+1;<5
zn2z3H{Diw153|6uxaa_zF%#{7OmGD0;a)A?wwfka9r**>I~XGxSXSGZnXjgo;jX?I
z!ifWwJRF*Ge;H#tS!H=ok$k%-fG{pzilxxiIySmT()RBsCKXAH_h^_Qa*t535a-f%
zc;}w*hf%39HPd#9PlsM@-U+cQBZd8&e~X%<;g~LOOWMBqt`frQSBu9B*7%+??P{xS
zE4x&UFIQ~Hx8XkOj^?g-QbttmS&HE}@38!^68ZYe_Tums8^MBVnbZ)pIk$f%Ti&uM
z=4nDc?Y^B*jkqYtkgQQ_EF0pn7xOh-0C(xdqGX!+^OY-}If<@#*GRY8sBKcavI(TK
zP17;za|X&M2yEIf9qxw=iE9B$AvIOwSQ}6AZ1j?Wq#O2dBPrf@9+{?}xY+T)L6h6~
zXRfvBo(ir+-+9{{efR#A)~fVHLsH4{rJ8{dXrtnR^ggGe?jNW8S}n1^@Cs~rf$ZV6
znm(c`&YB4a$)I9Ros|Ga{l)E(ezZ=@@a7)7GuGj~H|xFq6={rEUG?U-DgbBIYXO^R
zrvwLV_8IId>;Q+JQjXoKPTD?V-I;V+q8=yr%|7xR7EQ*RmyM=RK)fLO*|hX@8Iuca
z4v`soMEnW7)7KF#bnal8u&bCgNj5@dCdUkU0@#JI@TW5$j<2`ix4Z9xRO*WB^8$F(
z6X@%(6-oVF-i>V}`Mz>o{5NgfLzx37<IymDdauQptpG)Yp_3sw*#{KPzl<(HD0??H
z(ChK5KN9;BZOoe~<G6eeyTHIe?4N^{JBD`RZ}U9tVr}vKCAN2@JPcQS?*Oe&R4dFO
zwReL^TyGIqINtetX`FeJ$?l#=qI={@=9P@a<h8G1jY58L9xhrLi@u`(BL7};SQ#1-
zuPHt3ibdg9{0-N8-$pmLWnEZssK=Ffvu!eMI9K>g3VI_IuC#KykbfU?+-&<KE^e~6
zGQRa4Sr)oBUb%5l6zG+8)TVxz!}im+?NAhJjgzbJ*b{t*@!yT;Q}AV-#>7JwUO}<)
z9)o)1>gxiW9Fr}a-s~zq9(gXi30jEj*C6`ihhAvn%F*;WQ()qRwho?SF!!!3zVdId
z@f`hTiN(YyT1m`(Il|{o;RuXqJ`<&U%HEqq_Lh4Z4!A!@9Wi_Yyngkk2B`d_Jm{Z^
z<A40O?g}z&mA>u;zR10A9dCVqABCh``8mEj#A52ZYM=}zU*4SCg4D-t+j8$}5@9TL
z`r@ma-+JnQHI5i2mY9vUDBMrCq)|9@$wLdfF8KkrR}D7AJ#dJr@~tWas>=>6A`AaD
z`#gQ;eYXmPcsesaQg=X3Uw>%qjsx2z)OhmP2t~<$WN;UwPbJUey0K2BmI`k!YfoVH
z$1^+{R*N+TwTXU)x%5uYLrN?8U_OLj8-sc19WoAZVP=xVYIOWDe^d=Ay%zSWiWbk}
z1IiB1;p~7*s+gP~exxNl_%vpCM{;$Q670pv#W)^hMeMn@#ssZ85J0SSa6m6SI3N7I
zsWMUebG-XqohK0^VUQF0;Pp%~(!FfUrP^n`bH5DpS5NJAVLh#Z_7+*-5Sz>5VImS6
zF|0ND=|=if&guj~VKvDu(XYRcID3uhKjer?THUox=2+d=wZ&7qu10zQxzfGTs#DeV
zbkOhlKO$hgO7SzghA-Nzg$9bT{EIFOYi|;cm;@IluN#i`H`<m#pjB9|y;QDx(n>fJ
zu@b8ug&pe}M=GVn<x~Vdv+zAs;ADBEgURo!b+rmr2tRs!Xg%I8+}p)FR|&jNVJGEn
zY~t@w-?SB%n8b(0*M9c9;A_ABWq7hIS%Kf}=<1JYMUq4=mc=cOfsM7XZRd(IT-mkf
zL-!1J99hL-zht!GOAH2fmcDig128Z5Ti^2e*iCa?FI&;U_F3sh%Aaq`jnBRy_cZKg
z^hWis1xpX$YtirTX6ow?etz!_$}P&3Q4_Mb%3Fmv>B~PE*8YOP@Q0+ZR*TW?tkvHm
zC0)d3wuCj63BCDw^m}@0hlZKG8=@_Ta#da33*Me)WrKGVN$5=0Y^N7`xNzEAg@aRW
zpZ*96S>yjW+Vz6}R$<MAtKNgNtC0fV%QAzys6iwS&Q2%h03=e1f7_wV+3+^m%H!4I
zKR<7dtBHS3@-eu&_T$TI&szJ1!Y|4;fBvf5L(vV?k-sj|?*7OG?ZBA#-hRFulfJWL
zF^0_3&|5nMBZVJDR;Xiy8wO_~A2%-^7d_%~4|u*sppvZUThCME`komL%(nhc;i%@7
z)_ei+%Tb-;Chack**P>zZ_C$>g!kS4r-#hMB^JB=#$)+vBnR-aakT}z*)GW#mnYQQ
zN1^+16u*;^u1UzR9;tMmhV$3_ACG%-vwTyos(0^GASv@)O99S9xvcp;Eyp%J#rlhg
zuT%Sp1dq)VRlCwN?1^I=Y^=kpyPukuIrl5Xd2$W;nc!Q?YPvgi1|B#xG#IFbkJ^S+
zvA!E#y%tU=&6)n<b%ciWMQZ`U5b0o`wB!ObZTmY%iJg^3EAukmugfn_Mm(roOnMD$
zar}^E-&2iDif85f>0zdu_K|U6X4~hN{N*|>0ycn2swFN;W}^dG9<RBs5mokY9zDzC
zT6XjOxlT1!*{$qj8|$3%?oe8B3eoQ=4YUyb&T#(!DC*kdq1xWJa-xo;yO7+9IyEi{
zNeCsKTsjF!LkKZ0$z?Jw;~b$*iSjMCm_+1Wiebz}5ebb9V=`tYm&h<i7=tl0zqOU~
z^ZEE=eP->w_I}q|?|R?odDhy%sp%-WukWUJc0Tn9ne>Evzwi6jvFEmOX3w&`?7BN=
zlA=NiEN1?RUcQz_BxS@x8K4oqdaTZ5jM_YMcm<O<krD8B+8v=5Lk6j74(~GU#q_Bz
zmNzpI8Jl)sCgz8Ny~O8Q5`_%}W;`@1d}D%sFU(dfbRO+wW-12Ne=QDDx~(A}9fG7t
zyl@3emfiB3sM}@PNrT3`$bT~DUb+R}i^2E3{4qsgp*y7x#~QRGz27Sm_qY4?sYd0O
z=uMWfD%T*C_R7u{XF{=G{8y-E#eowt-Sh^9hllseK9nDj@^*YNLi@1G47g!TJ-XN_
z_dGN;bYOeMQL$MiQer~{-N&%oJLGjA>KYg+2D077*@_r-b^6=W1JCSjhme8On-VIL
zqZN*2wl#~;K<&T*+RUJKoPA(?x|AGJK&pgZZY${k?SIXJb=Vi51lg#;xzM1?C5hkf
z^z}rSDEXRPE7h_cimjz{F226;PAV$)c)Tu1RrIGEhztb04oYGi;or;5%W>DCIq|RI
zrqszF7azE(QMd4kRlRF>HsM>KR%+9J<4*7t>DztJhLBiy7|0aDAJMrTrV|!954I5|
zbN*@%T0uhNwJUn^{@u~ti>r4&X09yLy$^mH4fo=jWNd=P9-AmCwxFiG!H5WP+LP?@
zJ}AG6bq(ky<t-{4X7;_{BbTCBC5}AiHG{0Vx|=0@GKxV3^#+s>di|(tHUVa7Tbg4U
zSYqKy&zxOmMYOkS>d^rv*bfW#gN&$m;~gxc=Lk8-DLuQz_-SO`HKej3wH<{DI$y=#
zV_~`yp)|i$p=LZ!T+s2OuEQSbbla!y;lE^3!QS59EXprp9&}%-QY2OZ++k>^f}Z%S
zIUVOS{MstD;Sg>!1_^e28REoaP+X3r9Hcx?yos(757XvCnZDErb+4hXm#f~!gOo7R
zYE8k=p0S4Nwfz=r?cg?fh~Gb(&^G)%+>*S_iJRh{(3uS#X>>2Mm@#9Y%`VNwy&M~M
zw7x9gkAM$veoqqzRJH!wQ~O8{P0D}ye(lcsx)xkm>O7Ghc-nRB95%f^<f;RcnANL+
ze0W271tNPYeQ^E&TSR$udY=uq$__Qoylt?dn;xOISO`+Y;D`q-XyuISt~=i+G5GQ0
zoeIRW8@PO3?+@fpvZrRkcs^11{9QZJQ82CaJsII@ai3umS0S6GqgdrS6xA<u_QFRL
zyCku2xGO#KQU%p`ljbJTOAI+UTEoEb$|<I+IJOfC4q?r*2P3kM9_=Fw{$=>(p-3Jc
zMb@wReJ``-92AM%uG#XE!Mx0q@(;(dlQevL4#*B%$Il~o!zM^;*!e3q$wm*Hqahqp
zbES7^DEC*t(zoSI*rl*G0l#&x7)?F*wQMDcX`-F3aN;&ZR<n;ixaW<N0Z4RZR>1WV
zVmZe+GaD1IKundWWPZG3X!`LIEo&MVda*)pl*`8{Pxu3m*=uzap>+~5d1l-x0o}*-
z`%o%FQLPWz)mnB(*dkEyf2D}Xs7Af~bJDzPnsC*_TbjdQ%o<QBNy(4Z)k{a~J*n$f
z8U#IM<(ZLQ?`O}<LwP7(RZ6j(`pE>$dA?6_<rB{t?@bJkK=QH;Js$&PA!wTyq00Z^
z*qWvt06?$vQDF9kTRpfrCJn~Emo+Io#?8dacnP7}fQc=BkglxxVo^qxC716>1hX~U
zMOH*`Guvq`?t!tB2#Z8_59;wruU31mnx9#b84GLu{MFx|4a0Y<g8>(o&`@-}tsl6c
zi->YxgVF4F+U-f_(a(wHb_LiH(QNp%Q^{d*2u~Ey#1G1(iTMd}NmAD6(V6@q^Kvo3
zl<!WJ1`{?azeyQr5x+_scy2M{TCyastvn!*rAsa(3?HTT`~ObIeWOM&JXqB+EZB!?
z$ivA#Ov2@3BtH4LNO9uUW1{hznhJYqk1m;J-XzQ&3dA{_a}Y-e`Gjs&|L>jtWbx#L
zi(EE)wt3)!gP5OGz2~a?SkLm+CccS}T^}t@<plLA5vi2*wh*IDI{+i<zrm><+}!cq
z!Yu@HS&G6O*~B|%q&D0-?E_B4f{2=pSD=L#3?!0^iZ6sBO_A@=Hka9vlTnI=KM{Ii
z+?mPT8{#6+(|h)n9H62}j<kV`jn^`p1%ppzpH=RH`!7V=$j(|Q>D52hdvi`WS1=Vt
zZFiyEn&w!xs#VM8qg_0T;$~bf9r4Oek}J)KvkT^3S;X?HY80#&%#iyX%7))pWE7I~
z?r005NPXvC%oND7QXlMmC{0OR80G<ZMU<1I!VdlZR92&U%=wSK$niWjneKFir2dMZ
z+pfZl{xS1*$h<y$<bG-`EkvV0Jp|`tOx<2;DEpb+^wIvd2!_S)8@p-H`!$-eM=3~w
zgR+5BpUFw~C6+|B2y?6kFHbc0nQo0nj}Xy19(GnoU$fJ8U-ovf4}|OI#l3^cztUK9
znElULX@1^#O|mm}`wqosIjle_D;+D>RS@;RBF$g$f6u!^u)QQN7v%u9sG^iK=>Gk6
z@Mg}fX-|^JRND3}04Yxz+~x`&Y}Ff+(d+;qi+Z@{Z(}2MJ(e%v6{9yoC)ANNj7hT7
zUC&#trmrtiVG5puo9q8xMvul|4l*_=mqWm%FI{Zw=y1p-jhV-Ej#XuBQ#lWCo(W5h
zUFI6yyPg@SkYg2|O4INAm&zdD<rI;-I4+J31G^m^NWLK2DUT*g)oOz{K(c1fr3|?p
z9^Z?!!9jBocK4Pet@5jgAY<u0=d6Rc?V~2DcKe^S<Bp${f{pX!<|Zgsb1ZmvDnV{n
zPPx{HU8G!`=hOTrjE?~?eLLlcE6;u3BxqNBoT1?Se3TThpQhk$`dC~8E5O#Ds`nbX
zVwCa$1-StZ+H=-XCUmg4qw}3gouK%6zomwg_}zpw7te}SNH13BUT=?gb`H3^X%QC~
zEahh+<!WGoie7<S1olP|e=AqgbhkU(E#;Tv5E_V?`8A_Am1|05esVo0kr<H(QKWdJ
zlXRt4m}Km5I9d}#ryVKp4mK?Z1e}m+E0bmU@fsym)lI^-)sOY4dc4iSiaGAl^o?JA
zkoV1uuJ(Vp_@jeUU-M9J_h)76x(9k|;^@W|hc#99JTp-uI==oqEj;SeGd}gi03d-r
zrJ}a-q$^r0%?cbm#OwY)N#|M*x&>RkKBHETFuAQWH=DQ182PC(e@-==Yk>k6A{pLM
zPpfj?ekl^9d)jnFQle!Sz7>l?>O#_uRxD)>kGc>8uY?`F8p+O?kFZE%5|x{kB{`7m
z$M*>QWD{YUVdN+H*v7>5)@^m`C|AMBqKs!VPI{I;n?@}D=zWy#meL+7>G-ufe<%#M
zS&aIRTx9e@oR0Z^u%Itwfkyx!a4I!JmR`p)Lb%=j@Qa$Eetw?tULU7rc22<ji4?;!
zPLh{Ba)n)Y<3t%}RhWWSz&4uJa7|)IBT-Rke(b(^L$Ii-%t_76B=d>cOlJ^fmA&`-
z-q*#aza3J-X>CHVa+DHX=F#Iz(Msq)N4mYwV!BlQGu^JG@j0h;1a(T#z_gJcN@xH<
zZgXD)qV?@_tFxHeu)?cEcgkFtNu;?8bpo(>bo5MxPESVfRgO16Dq^`Zk19uH0(~H7
z2cdl}j%7la>24*)hb2t)eM}1PeJq&eqo1%n!O^^rQjT1Gx+vip)1y~aWc;IMJT4$j
z+}Fzyvr;_sq=VtK(oLWGb(&~qS!nEgzs+0fS2ISW%%vykgd0_uZeQ_LPP^w5Ou^SF
zk2Cn7ACzwvSQjljZVm+z=m`I+Wj;(bRj+LgRD%cc7m;k2S(I?|S^jRY!D&FtiR;z0
z?DC3V``dUdM>N0J&PT2sYzJ5)(emAg-<F9QC*K>qv(O$aAI789JRpQPr&itD@T6g=
zaw&m&PlS<WacwJ2yL73!%ws8M%g9?BhTMnG9V#FlsSfkrn5}8e?=_-}f)jcR-J2+3
z$b~C*RNZ$;dz7a>`sccg1XL#96Ae72qx|-@wP=a$!fx8ppeV<>gA!a{G@4~07H97;
zF&Y-h8=Ct>UxVe8vNqe?zI{ziH10_ld*cRyS9gU;PTOkImNOE9RnoKNu1ZN&WI|C3
zzn2@Smgx*JHYJ$(ZpxAmKSrfx(Rk}r%_j%>YScQ}Tmca_x@+?N{>oQ&(3ticBO`VP
z(4HAN5gz59I;?2Dt1iN3bcAyzhgoN=+xwGIPEv!|&H*+3l}Msl>>Hc4y<0_T&blTY
znhmzQ>)Ks)QrNM*lz-hc?~E_rnO{NQo+z0Z7%384VG8Z;00mi4mEHVWIi~c$?o74$
zQM~78N!VU4JKPZyrqf_W-OCdpz62erZ<2oP(s-$Dm-R&%(q#P?UF_pC_*stPAy-}(
zu-QsVY$(fX%a#f3K4Rmp>m>Ft+%7fF0U(*m$nGE?C=!J2O*KlqX#dohe>~_itjj^Z
z-~IyQE%ZnLtO#$XxBY(i_0E6B6G759^?N?&YA!b+52KMDT9Mu?=(MPHaj~8z4%f9*
z(iUg$Js6!e^L~KQl=&gA1kB5?O(1jPxFCkgJjriHm*pSwD>D1J1W7<v2V|rUW2UHA
z;?&9IIi=tS|BA>70}>HFcrJZ_^3DN5;6LKm7$xY0nw9lXstkD32ltxOLnKEa^r$Ls
z1`)j2@neq9P`AUA=o3G(<xMQ=`*d0E6)tU`j_*q;3-bBY=~o}-4W$JuG*HRn3CDti
zWuapqOOuxds1R;%J88<88$tVx^9RYV^;MPjEBj{`l&38>tNwk)WZqQYd5u0d{OqWc
zW9s|dVbOK-*1`{;E}sA#);m~;)<K&L%O!82R0?#b3v=ij?IxjQ<d!XVonuRkodsT1
z5mWdZ=AXIqZ0Ea(NeA0@17}lVc67+&#p&MsytvK^ERY5?0$USP?zPeF3>H{)(~b`b
zU~@90Xc_%jb9%}(vV92x-^dq)RYnG*m&#jwFz<})eRmgP&-SW}kKh1nT4$tMfbxje
z7lkPOjzlSjoBD^gD_!>x(_ruJuM9bMZg{&uq38{`4*>BzBAf2J7Rvl6W?0|Z{;&aL
zY&WXtK^LWRW9kpsR$B!Q3?@{tOR|gd)M}U}oel$7lZ`6d{hj1^uPTfpE#IVGON;A?
zwOgL!eyjQM1_ZGEmWszG4b^)A8AZAEaaUG`U2n+btG=<CP_48s5I%E$??zAVEU6-W
znF#gdo^kg_El}1$$<s0Ogz&Zt!Z1Sc-M{+lsadShc0jn{=V;wp);w3g5k>lRTni;h
z?Tss--{JZJim49tyXJ_Q$PL~4vaGSLj^9?~1!3Ow3t|<B6(`OO5?GV`q*mtsIJnFi
zM{mlD#a7pp7myKv{2<Rw8<5I?kV6R%{p4)^Fhh=iWg1n+Ojov8`{Y9P?p2}bFf3P)
z3(<Agbhrm|El*(E7eA$c^Z=CF7ke&cMhed+<Xg;GS}7>fbc;e4E~YWH?;xM&#NvU0
zx!n&;%>DoYUlGT=!1+?A!v&i-=TcE(aIG5wa_kwKrcA@euY|rXW3^}M+uz$g$ws<;
zVCSp8;;RAgM|YCs)P^SSxbq=-pgzKO_p)aL$&pgJryH<=MQl=crx@=U?OsxB#{={W
zYf955r?9~REj9pfXz#i2Wh73k4t7ZlfqXnvP?}priOCi;-5ojW>r<T3&$^yG4c7QF
z`ep?14J>G_Vs09eu}fLh{*vs*3f@0QN#v*!yEsHBt<-W7|FiQU5=hv+AxGie!9unJ
zH(Cfl8DU>yH0!&;?TM9)Z;#Z{_&-u@e$i1EH6zCQzR7V3H+dO+q0ZC<Z{~W6P>xIT
z>xE4eI)~u?&iWHs*3_S@V9$juzJvmOAIBRQL&p`@*?8F|ZjQ_<h#o>hI-!8H80W3C
zOV8!F!g+x8kuM*6GdB)QD2FprS2AHdH@^vif0vKd@s%EC_USj3m5Sj|iqwt(&LWG3
zaF6=KCS$U*@1U}I6JW$VmZq5@e-6Pv1HvuB!Jr2jC=L*kas7BM2QXsK*&g5Lh+sVz
z4?+!&f@lI;R@C1UU;dW^i5jj?4AWRvD_OEL8o`RHhQhW+v)XWL$g>YSq9EG1-*PLy
zszh(JSZ0M>6Qihhk({D_Ft$N?pG`;=I+psSWmu*D+j*O*YC7kMsjpj}5(J<uf!M?S
zf6e&H=u+u$hviSfNl8Ak6F^I&?Z_id5nb%)({<F%cFW=dqOD9DxgjN^e9%!Fc@d-?
zf^0>11uIE6Fg5)l+HjNyMgF0wpO=CT0Y1=|Tn4b<oeyjLUuXml(>c7?J-!%H2>)0F
z0F*EFQVb%-!e%8O=e8i*!T7i~7V|^VS!2g5HD@n(Qq0Q*hw55>lB}6+FZvYFX3Z<P
zw^gVHbymo*Ewe5u_be;iANcVZYVSca9?YuBrM~D##x6NDL3%E3`Vn*DUBE?y@pEG*
ztLYP_c63Cs_Ts5K1TNHBwsf*9J@^$r8;lqVy;QFGZitvaMefU)Gl+yn<vbG`CkDbE
zdWJckKLo&ObSBT7+9PrS2BBRD(bV)uR$U5#M&veutZ6hDk@9v{b-jX*M|$42z%qA$
znf+5e)FHXHaed)=xN&_iUsj?kC51P-uTmdy`JvYd^A$^Nsp0tX?_RE6uP|>f2z3yE
zKIGR(0em}sp`j_~hz;`#Tk{LN|7iO;7Pjedn=&?xG0%Au1PEgdkUVv>2?2(OAFmCm
z3A|~v<l4`G2Q)Bd#&hRpMe6EM$6k_uSd=H<;KfbWoF{3i`)oO|BC6nEGK11lV{g)y
zpUwW+O76Ow&&4LZ2LS(WDp5sH@3|V`;=Wauf15fL`8XNq+DaJ?>ef@+KCAH1)Az+J
zQ$JE)<kZ8T#71HLU+xqu_&4nWrm7x&2;p#+hODWWs0}M#vH)0c;@*Yv6$ioJ=VIP!
zeK27+wt{{7H3#i0mdTNQJN8@y8FRr@7!#XiLy0<6P0<xRIASw}s3BB~;z&}9Vz`hR
z;ks0k&|s=bpo#T?Qt;mLKG}y2hsi=3{YU`w1xBVUhpZa8Ybf#@L6vAIhWnRpyVS=}
z2RZLQzxg+L!5EX6%G$)aOY%EKSH$BJq_2<VN{8pSHgtN4JNvQ96Y1Lb8_vMJUw<-w
zP{iLh{!DuskXQg=8As`19&_R8nI~fi4H<~Hg&miF2A+)_C=C7Dhmo=>pdjRw_1c|C
z0j`i!WU(Kcw@38nXm<+_D3X%MT|=YiPM*A1S$9f%ELI7lN}U*uMb-`q28I*`g)_xD
zIC@`C5G#^iOP~H7``vQp34ov7_PAM~8ko+)P(sC$JNO^YqMPf{MRLp^FJ6ovJ>7DM
zW@<FxM8C{<qGS*t`p4~mr=ZBje~<Pn2VMxLm_LR0TfTpDTw3l8YRDac-j?k`*8AzV
z*^eeYZ#CcprnwD^CcH>&gtbFCJc4dKyYL3Azm*`gX54a#s)pd8A9F9<@{GBEl|6c=
zNFH8MOBP|BRIb$!K+S^S=*t~B!KrO?wQR}x%XpL7fmA|g?w(`JsirFT719H6CDQs6
zlAs%^CxW-=z2dLi(2f4~80r0jzv1y;<GYx=VF+rqi-89#+Fv9)$Sa!p-3@Z~KJOUb
ze!0G(W&WbPO>eXY5D*RSL{8suCNC*&6L@fVmvj&4E3G8i9i<RO=?gMmH)hP7x*pxv
zWFZKIr{mv-2woY6?zd&+vU3u_$sGkWd!Pn*JuSWNhvMjS|L0S&=u$?f&1n;QCFk7#
zR)*z<Zh-)Wp+(aJ1sF9vn*jy)0t{<;!1D6VmzW?Ra=-#I;Tucfkn8d|N3C{nzV1wC
z>(ZCthOOzDfL;b&)IN3A)%jQ=p)!|w4%XydvTkqabaHT%ol%oCV!-njub)8u1l?A#
z(1Ay&@aA&j*o@<^tSXcw9nIk{O7nvD|C@mBKiu`*+G{Jw&g|g*%qcwufrFu)FLRwE
zPsb*WX?`s;pel!NAgj-@o(zJ>?u5AmTNeKo+`uN?#H4`-`2sowJxn}usFoR*3dv%h
z&K9x>o&d=R9{rrtV_<kwP|M|o1yX?)iOw(!tiVEjy~}v;G53bNT-&RxpTc0@l_wQA
z5P6AEp8IcAJIEd(R+pLb4huvT>_2S&?5IT+OvAtwwvK@_#g^ZO3CxW>D_zeqj}^*;
zJhZd(YkB=&3-+z#D=Zd$ll|Q)Bp3P#MervI=J*~I%W7wtSsaQ5><&}`=LMvOMGU9&
zc`W9g${WI4TU)Q-?L==NW(Atc5a1^;>`_xT9zYy_2{ZU(GO?@+QE1|{&H$<Jz?)eX
zbJj~pmNviH%55;GRKzh!?!#u<%NF!TLp}Pa@1UG*fSI#-M%tFBVnG-oCP`a1g0v2*
z-6w{LIi~PrgPNs$OjtpseI2A9C?M=^Xz=8Aehs9nw&!WQrDJ2sv2EWN`;QL?yFkhk
zfR7L+t-wMLv~*Q|%ej5h<DV%nE4+cF*~z&<m&;U8RY+-L!^0cH2l{b8LV-f#&nCa6
z!5}x@HUrjd!)GIq_0zvtzjXz_pjwCj3d{`EKiaTaK90?l|05a2aE9;tF0L}V26qWb
zJ65;T)<z9(@Jd_=j9yX8D`K?NGMANVf{uUiOLJ>&VbNk~)O`DCU@#vq@fk3j`Iwjq
znfb7dc=Qs%VOOE{Wb4Y92GZTjK<5Cutp%98yH@)F12@O(7o}U`a1e#dn{gH3T3STu
zygr)yePMK*(NfX&ZYMwVn>cbdE!t#aiFpukP}TQOfpw5>H=QA`Z}L-IrFUi1p^<py
z>{+vI0>M6mPgjSQih!~e2w&quByg_;3bjJ%Q?~GU-F|+^A~7${C1Ipnmx=ur{aafZ
zU}B_%f@`oaI+BJJc4+C}4GwB(93MZr99G>M{iSy}Y2GZVr&N@iEGEcjjoq+I4pStw
z4Ny(`%0AZBhK@$*<qMzGo1U~jFTcr)A68UEJF*dZlCP9bbI9V>BNhaE5udDq5@ZS;
zHw&>5hDIxqUIBEFLp_w&IBezqDICy*hWC`Pn>T431r+(V{j0zOJ3)EpTw6hwisi-B
z!COEo?Vic`>NwSmXOELA#d{>cH!ijbk`><_-16f*7h~smbKmUF6(1#$DOsh0pN->D
zQVq9jYJ#ATBI^ULFA4%04aZ*Awf(lX-K_yh+l-Ju)Ao3U6*&|O#KXbdGXG1OO5pJK
zU?_zySt8>IRYknKE0v>-H}tf2>RyG8@0Wzo5x?M_?goFbD5}C@kcfpxC)7i^TA(!M
zy!oQRkKT}*dU|w5<?#*RJYN=+Q*VoQKy(dgxB;z<B6q{+F(@0pQU^9bUQq>ci^}!~
zRg*jSYW^sFD|Sh_Y-laE!fht?Ov|Vb0jaTn0J9=-p~`TbOZ7H)$jkqfc4q*Cg*VK+
zB~6#1=$&Fi#y0WnrK~$b;j@`7KoIt2fuhcgyuJjD?SUD8UH;1JHbEzsOV)>98>awe
zem9Kk=2e@J6TOExhAard>45W{$C0Zt%2pWJ3qXK1X?Q=yXpc7hr@y~>*@JBrx(I0L
zTEN-f1jl-B)W;3&^eIJ!*oNKQ_uEA*wB;fG3?*^I7}5a&6m72_eQE+;0`xpI^o{<I
z^WZRSmt*(i^+1vV<P82Koh$3}69#WJN<iOgu!3k+a^a|?<~-WoF${Bi;DB|;0A`zk
zQS%4Pzn{%}6BqEe@y9tvFC-+Mnz*11mb04AisBp{%KL>D01!qk)wqJJxbfqO+w10_
zBmW?6`Pz+Y9gWw)p;_QBep$6K;MYepBve(_zwH0@bs>q&<7>+|t!@<2yem;Av$`83
z-73EK*B3Y>;@eak*=v67G-+G_+k1iNb>+@i@Ze}M(CkV<*9`hR#jkxUyX4lEuUXv+
za&ONXYW!+5)^{Zk>;EexOCW6iD<nuDZm$-SQY8={{wsiMe*3Qgt~vQ%0bFxywIFpm
z-oR`14HDEE6(xV|h=~_%xstNFSLOtI{mYisH+YKt?V|UuFBD01DXlHvuxgv{;Gu7=
zzCk!>^Pkmbj%hSz>#p8;e*McE@xRRR)L?D-lhx}#SjRuoSbdmIP-}Iw&(keyoHwm*
z1RAi6f8@AY%LLT=^?@acc!`7jUkx_mL4#|5Rk{K`Zeq9LSL?b}>t7bF|J5^@r(0kr
zL}1Dj-Oew<wm9DKkko7&*uR@4ZeW=Yf`j3~pYCn3Iq$*LhDI&=dZ>Knl>Ny{%Par<
EAL6cb%K!iX

literal 15520
zcmZX5Wk6J2*Y*&~AfN+CBOOY2NQZO?GIR|g-5}iq($XL)-Cfc!l(cjSC`flo^BugO
zH}3cQ!8uHvJ!|i^S6%Dcp>LI>v7Qh=0f9hRvNDpYAP_PP_}>Hk7`XoNgue!ENKUHK
z;-K;o(k<Wxs+pLg7zkAL3F8L#2zZTdFQerI0zK_|_(STmD>MP#ByxVE>HN;_y|XLK
z(G+A4v#@n$u{Cw3;9_B8;b04<*Fph-1R=7LVrp*sd+F%T&u2c@$GIWZ*(Y|6&^Xb>
z2|3`<J8^J+;P`wQm)0FO6gxE3FOu>5CbWi+{e2u9RooEYxQ2x7`u$;Vlql2V8gxiW
zH=QVx5q9c_B3^X=ZaRniKa94Fi&G7G+r``amRp{q?#d<d4Q)*>6~%4R4YpA4Le8nl
z$*&BIRz4~!P|o)1rYmz(sLLZS418;}=4v{L50v3OMpc@nCgW2j8Y22yTDJ^1O}tE<
zHR*Q2Z1@kK#VX@XP2C4c>XRqV&h;Dr*Sqow2~!p_D}TCTUkfx2L3)8fnADF8vx^zz
zKYyQ--Pqnv39Z)AVtN>ZUuz8t6_Gf$ouGI6;MgeVlu%e&s!QLT`0&$AiSM8q8h>PI
z_SKo)cYx8fbn`kjIxt~>AEos#*KcjQov*Ws|7wb(LF-=6d24o9Tv!O%ly|s1Hm%N~
zQ~)0pj&59I-sn}#TpQSC9yFG3=jZ1yIW`zGv@hSY*KW)Rk&Q09($37x_=@dQ0Rp)&
zC&b6+W(c^J@7-LUWS5pI=r%gOiBC%6jGzrFLG9!`o6D0=>JGvnK)q5;<97-cet`x%
z9pVSg9Q@Efc>QT+0W*Bx&~Hp+fUXi+hlQ1il8bqC;pJJC&a#kkk*Y=Q%1<XwBK%nM
z&cJ%Z#@deF>+y%KyK>7bdYOIU@E*BbrA(n~IR}R-KKJ8XKJTmAm(0vlvHY|y#L%L`
zFJo0`vhCT$O|^iw5{ipcHjpevt8iDX*4FB{=3S0f-iRG4cuRSseZlYhL{88b^&;mW
z%AYOmkX$_06N&zwLG!bDbM;<uWlDa2A5wJ<_I0_Bj^0>R02^^=!cP~S_Th3{K#PNv
zuhn(Ej(>Iru6)muSlJxQ(Z(q-VUd0}FWtw$$QW+_Q<zD^nD(t-h2?hUy8<PPLj{PU
zx3ssWrsm71q<o@-q)0GSOunsyF?#=f69LMh)uS88d13to)P@)SOYj`~(<twgDxK4X
zZI<_7<0{hZo12?=%^&t~JkNKrum2p(#9sXB`dBv>-?2G6=d__T9x7jskgNR8x=`pF
zMaoYV78ZsocG~8BT`T;f)w4k~Gb|t=0K3`^0snnTWB)6R0o|E?;Smhb_p^{0W~uf7
z8+v%-;=X=Jqkenj{`<c(oUgTbH;hK^MNx0FkWXtTw-Wz7P`WQHJp5h*-;7@rv?fTr
zH{a~a+L<`p=u|LUW&Cma<7Cq2yDEp(Ubt{+0$q-$SKDAQ>i0!!G&qu^4_x!lX;pLJ
zUO;7abv4;V!B0O+lEq<Qt0qd+e%PBQad&q&>I%j(I$0k!+L<oX7N3cX5_%P0LrUT2
zNQQKBzPHem$gETA<9UDkr|0Ty=h4|(3bz&NmCF|<GS{)fS4yW`om!tkO{rz#$qRdT
zYOc+wMApp|m<~%SJqJ<$EMt9r{XD1H$nN0qaO=nJGFnHu&CVQS&p-RO5lkbFe&2cB
zx#r*eY_VN@jm%Qzab{WNxF&~Ob22<U+{4#TXHA3IzwcU%>+4zv1)p4aVL%<4!}t8y
znyyvwnwwK7BYGS|_LtjPzm=7hX+)6;X@^Mqkc;L=7QT%wF!|Iy0$Ha(YC10bq+X^?
zt6r)}naH9i=M8nZy*d*=H6=MS%ch7Rlkku8%Dc;5PPci45F{Jbz|Mh^*9gopz<+7F
zp*pZ^uYNG&gjZ=kRRJN8+nhE==7c=YNe$Y(8WVqSjpO48N+bu?TF+It(8?!*Ij;J!
z_9T`UvG)5U#gh9~DpM<u-KCzoqLj{OLUaPyG7s>eL;EHrko9v9--@t>^kKji@k@4w
z3d}moT3w&-<;h$)e-5V{5<~V{LyAsiU|=|}t*hfMxnfm;1jCaGUT-n#D)+PNE605b
z0$k1fyD9@%Js3u>#@@AiL<%asA<Xohnw`A}HDTXwmT43btA7HU?Zt=c23d4F@Ynw#
zxtODI5m^*|_0JC%qmuo;#=^pqj^52o?4h>Yk04SW{mi*xFgq=1HC_5?fDZbEel!CL
zg_eK}eDn;0_^=_tHshw`#8avn7lFDPf3EMP$`fnDxZxJAC+@9(&W@fhN!YMz$TReR
z94S68S_ENCK!WS<Um6j*6YkhpZ%8}V<>L9B9N=B!zYlrPUw|6A?yqK<D-4I9KHBB@
z`Exbz@elzv!>BdYvJ&umU$FOgG;fvi9g@7PuM&j*3ES`r-q^*1-wd*4ni9$9+Ei}@
zTX($M4*H?7N)CRNzG^*_3wtNDCckHG*#Wi5(m|0mh(Hwki_J4$8zbqmz--BrN*XXg
zosjo|P)IP3?>_LEnU0Q5f_IK16$K{xL31%~+tO*aMWdW5<22;)#YGfD#*#B9T$gt1
zxfQspsr_xwWMin*i!}yWX25V6`*Y=fGRT8-La(#)@_JkWb0Q`E_KE{jB3bcia3u+^
ztyg<vW8)!UPsk7{*Gh(KsWnMaLY$6KHF~dfyKgJ96`B&7t;_ey#cm!FvhJ^9pQC|E
zzJwJyRWW6p8UfxYR-qWRy!t5ul|q4wn;Xi*!*kw=bjt<`pd5OP3+LwIy4gG1nK?m%
zIS0aJsKD3CQ|Ja8JJoLEz)os1!h(@yvdZIe&K62!{r7<Jr7^XOS2X3Ws9;>co?6se
zV7FJQcxsiAo@1$YVaHZ8(;&n?G6F6Ore4c75MgZQvo!+0OQmG0CPeJwNf3r7z!6AW
z0Z!2^B!*C<0|+A8WE0=rp}bbDRJ&0XopARX-35c7+uO<MX;lQa9~%q@0d8xfYv$hn
zKf`n*{4WXo%4B8MnVWvwf)U$0I~K8(d_Ff{HIJ7(<$fC8&z)=x<2JkQ;jFE#WtW#L
zeO<Jzfz%Ut|IwR^M8}m#p2vj6^g!NM5F#{7Stv-q_+o8phy3<ojo!@huPiQRz+!rW
zfzhKAPQZwiE8w}G#y=n4Fvz0+JRu<=yQyiO37#%#AjH_r{OjM6O$EVG&SYt>bT52r
zA?hkBl+n4}K%A`|%Lu~2f9anq;6AcDH;*x{oGHv)uG^UHUn~o54rp_KdKa?GARR)f
zU=v*V%?Mnh0eD<>g6B_X4=9cZlKm?OlUT#6t2rEwR(jTfNHwevgqb8@YhD-auTx7$
zwYWVM7ce)p#6fJ25jgV}Q!9VLgjsUJ-{4Cmw?6EKrb-ZO6d9oe4240!5;8un>aadU
z^vsZ{;LDdU1(*wYF2}$7eTBWRPW@}lM#D}vMsXuj{442dg@lsIk}!8<*x^OP5PU66
z*m)RWf!iyH&TDMZStk&Dkd9ITgy;^%r5^|n55NAszAj87;ri-@z=z#bAb5|mzIrvr
zB9a2H6fobBz3>tbcBv&qOuh$)GX=AG_5iNT1$RsglW!9RT*8SCLx#|S7|ouM3*V$+
zrk(<>?CQr@j<i#ifsJ!gA+S`>I);PVsk-Qb{?8bkNTeQ@w|AtZH#5Vcgnn;GUpt5F
z=Q0Vp9sc}dI-5HI1lbJHTLL44eNui$_)k?&wU6lF1^3%4mo@p8be3SYIwAxWu=DjF
z?0-?suc8kL7I)~rKm!j&L3;}BP`DdO7ig#Ldaa+zW8=8D*vxBoe|PI6nq1HNo&wWG
z15;q#0r!13B%en@(}W#9#|YSXNh${9TuXFTTvRhv7K{rd1r`f+RvP<&O^dL0y;gek
z=+QG2{OjGN*5)U`v|$JuctTd|rUNc{Vpg2`zxAh?0)i>)HGi;)BLbuR1dAqr8y#)0
zaoL#;@~cuFs6;2|#MwUm5%ofV1@vI?$?!^IQBCrA`FYf0f`4sxCiRfNJ0a>boUO`c
zfybliCUQ8HS9$)c!>TcdwRo+?L_WFiVJDh2=s_6@;+oX+GzI15EYRRRj{mdQA8}iZ
z=jKU##9}0R45+N-_Zl{}oKy#}ADM`52N-E9I*fZGUb(yM&c;?90^`f|Dks0?fUR`L
zh92&`E65la9Bh7k(PV-1AhPvr<*(PGyCv1y4pTth;EMd8dDH`;b8;v{sM&etcfWSC
zf+$HOiHN=xt7QXwMO$$lb=}6dv7EZ|ybok|$Aj9<@2-t6JKe+aX>WvL82-<u4H(d?
z$#(=y$Y}QPSGL`9Tek20ol!@JKNT~xqKSz~h}h@PR91(E>?YqJF+$FT--vh=K*Xqq
ziV>vTauGnL(8BRP!p&w^v+DgYF;?4<C?P09|N6vOtL&@gZ7`N_4Mb{f$!!%2=^Kup
zI{OnF4x`^PNMCV4jO<+W(k5nR;hpAPL#0gY=HDq|GBQ{mXM3Yz5>fz@EvP#?CF1NZ
zo+>HA@}(?Ud-;C_rve8)a{q-0qC)%527yR@iAFN~h6=|P#YB?9d<4hVgcwGE;Mn#M
zw+KqG=N>ovhaY_G7UML;Q{#qtj1q)<T|XL~diZuZkv2>GDmB0eP#!fBj1?D-q+TS%
z4MypH|A+$9p2Y7*(Yu1Mgc5a&J>~acr(i-v>3^9-C|*?AM~9Jn^by9bLrK!OK!>N-
zcJl9{11On(HlD0obiC;h&EZ9bq2h2AOF*Rj#Bzjy7i3&dBq_v2IeZYP?AR1M-dE05
z==M-GwaGjR>(LA$qaz(Vi%NdjiX^-3jT?I+1tvs}I)IBqh8oVLDnlJi49{Y=piv2A
z6J@U3`8{JmFsM-qws7T;NapN@yx04WFOrL>_4;|z8n9X-MP}yeu-_Cms&jnp;^w3H
zZerCDZ&iHdSs>f-_77cl&k<5AD)Z;k&Cg{a_+Nnw9qXI%m(h=5pjdPu(s1M}e9lIC
z;jdmTK{$2YN-N(TU-YhLXSP8$j@}BwlR<%bC<~GLD<E(S;xdv+vO_nwpoy7}5q0Sw
z&x7r~VEeadVeR%&_f~0EN<U|tKAueJoCz=gLEbR+^65VKBNDW%+;fonlc8bZ*2d;d
zj`)g(xMqiQ5tH5QJ+5)^Q_IX}QhwOU&!m2efy8sfh~Y>I=J7ItY@k8FM7v2Q3c}xn
z6NEE^(o6y?^$x=l7<(c<bJjH)ysHwaKw+UrLD1pAkzUuy$D+dg|8p^~nQ^)biIZrj
z<QXB%w_Y{mg!4;a!lwT#4qg-&6&3MD6@}X;EF9dMHEO;h%{1_re>?r@WPaxN%1BW6
zG9^4l{@O?1jYG93k1`XtCb$*iAe{W+RV)RjpZFK?lk|KfUGwov1<|3>xtbo&gVqB7
zs0m7IwC$wS)RM^G!)e^|Lmk2p1swPom|To5@?z{8d8gTR3tO$Uq5f>`FYlhvT|2Pv
zx%8Wf!@lmK{`+$4<^NC2FsU|s1@4*4+vVH?pg2n6J7A(&b*-`Y`5a=(dU1RAY3#tt
z$|_Uz^0;tBK;|Z0T+?P6msm2IB={U>qo$qaedI2IgD_zvjs-+2#}EmO@@?obeE73~
z#!#w=0h3O>LLeEv_$*M6*QGuOcWlP)G697pItqO38(HKbHvCNr0gv&dsDtxtLlEn=
z@!no9BvBWL*+3Ne8_;@``IdwuSGQQw&3;n_R1;}_z{qU8_#v}FaCvJfA<@-m`k8#p
zVe><CWGgF4s0afX<11{_cxCrHeb4Tg1@=au1>~`PmI@6P0>p*Ng9^g{@!PRz=j!d#
zfE<zGWjgKpEw>{AM!$fR>k<Rs+=bRW7h5oZEkKrdE}V<i`aBua!Tf>~k$QVnc}~R%
zr~UN5?Dz<G<OQ|8Aos7YR=&|K@XFVh&^SQXynC}JZdU_uYWFSDGSvqvUSNd!qInfl
z&zRo5DS5*1?QXZPdn>I#n?RA&1LOM?@}}kIrzqOmAXerYn4bbhM~SI0=7lAaR~=Kp
zvd8saqU(}(!`dRPd<qiz%*pXF&heLVAXcSow|QMgx~dR}Y7S;MERAoY5n3TdSe!kM
zt^-lk-6FlM2Ysu(MUAgxN=b9t`CfSMG%9q8`v+?C+<psAeyz4gVqGgCE?Ud^Z}%9M
zY0uR9%r4%5yNCjFur23>C)sGl8rADRW2=ni-zuipWaW>FzfjHIbrv<W1nPz#I@vX9
zH$*qvjrty%Hd>zTWmU6IaK9-}bpCgI!xQ<X`8v?pw&|u=R$LQfM9AMAW_5V`I^8Vb
zlfccsvZjx+PaO+21fR`t_pzZdvCsZE+d5J7F;=a-!|Hea7g0WsfYjIhf4Qm$Nni9`
z8kaweILpjr@Nv}2p3%og%XcVC*O!65U0Z_-f?p}ZIE6+*5}4WiJmQj5&%m)DZ`bad
zlFh_{li7Q)JQ+J&3yA4|)4CP<wAAU9n<@#PDH=+JX425rT^PEtFlj2~L2K`yElnRK
zKtfJHLcQV~`41dw<HZ(k6{8;G@9KFlWh41S$~pi4{h^5BAh_tzyqFmqE=~~vH$G;+
zc#`;{)8P-ccJS!OqgI@Z3cP9wzse_gYJ@JvA1q0XcFzi$+n6NiBH!LGEs2#s0v4M2
z>Nc#`d9FHtG)E*F7N_*@Y-XjPx3^dMr(5<6j$&ds0{9iv+gjt%)yrp>w++YF%T|we
z-%dp9XCCDil-dx+dT2Z&7)xgPHI^sXluIumpkBz@IU^|WGkiU23Tu;Su>_Np?%x^Q
z5nfcI1z-OBws%|Rz=22~ziIBde9_g_ReN`}EML+sug^U+zMxOrI;Oo|W2tnK71Yav
z+`C`o*HyR`OQtv99Fu;<Pc+Xie(Nz|D$&#_YH(n#m}Inbb<UQMn@)G5!VZ5m^iMkc
zq>ln9Z1AKl+&eZF!dJKPquL49jPia6FSlo>k+ew~(h>AYwRIL5Os-3RPEI4U?wEZ+
z4C@+=N^UW@R{eB9=>0=dIzJT$<cNFdl+^gj|KByh4S*abg&Et`3AR1`wPCQ@a%N&|
zyh;z!G3fr2*`;&X%#&spc6egY4>e|Wl^U4YIyN${KkDNuR7kopU&8ZI0@qHSA6zmw
znGg=I(y8T-aV}HLFx~uEBOCP>0aEaw|Kz>D2u*-80f#1S=l;<~+Av@5{AnMl7kHz3
z!(ms5CR_y4k<CwLJET;H%8G<yBsEyv2c7+B3H8qA*2|x2P-N1*yXopOom%~0ir{~Q
zurJ@ix~KRSbyL8pwM|qOaL!11ja%z2-C$L^t@QwjzV>bQZoBVfzw8PQ4jvsa2*MzN
zA_Cs+jmmi|stc7P&rTL?ud3y=HJkiv=pGVa=q<$!lN7WFrxA<Mj(AJ2rSJC>ipyJ>
z60;}<!Oz?{RTE*C6k(KIJ!*FfGa4;K<*t=`UG|T*NqP80C(O+GeGCqi<X`oe`MXA2
zJzjL9>q^GoqbE%}9Of%6GbdW42)-iow^F%J?7$=0%V(X>^nays*jPllh<9AdP?Bvk
z(E&E9kkCmF5ZJ!QpUs(~WzK`_luCM<sbCVZ<Y%Yee!mZ|+M~K4_IfvW|Ljg_=a*CA
zDjBf&x*j+2n8xh^jM13y!JO|WlPH;bAEL*kZ-$RAV)v*tu_p&8+ve3NFgFO~T8!<Z
z_>InN-8hUEC94-iPeRt{tZ`|TJC;-@>*fd4aA-EvK_eCeA{Vw#h|4!lw+lXzl#MBs
zaimQ@<ErZsp*c%z)1|?6HWWG6vassjT4dvMc|KnovTnW8fL%6rk1CXEd?bn5eZbsV
zf-t(Dct;}F`ni1OXi?vM(r#$$-x7)#w2OF5n15y>s{`sU9t_wN>)C~wZ{lFt>kUnA
z|ECnIC<6N-(k)9Nbw8fUOp@?_GhTO(;t@+ePa*Mm;?Fwaq5|y=K~ibhq~k0zQYp+g
z_+<9|p1nWF@j1gXFV`7{qf>s68>)d_*1g?MgYnd+ukSE9`EBTrc$Xrc6%$T45vPRa
zE|9J$>R0@+m^9$_=k9)K=HWvPEZ3Mg;m9jg?w!*lJ0q9~DC<gjJ&sh!4x2qit!l5j
zWvGEWWiY;8R8xDvg?LedjO#Wy#m~a0+SPE>ZeZKxWjxwsZmHzGj>o(|_Qa<48OEm@
z1>4t_Sq2$YZ&iEh2et1D@}AE+epanRqEDq9N+v=Wu?Dj_iF=cOxb|w7T--Uk&aUk<
zzJm`z@}0RL!6)cK1V`{YQe63o#nS{|x8EAoPlDf2t5p%+hM5FV<|Li(0uYMx#-QU=
zp^sT_Vf(Yp7y9}+%Q^Sq0W;xs=#C7&*WV6I@i4<P8f75`VMG`?x5O6ZSwC9%i;xB8
zFk!ub|M3J&tm$h-QbNL6v?9)fPNE(o%#{+hNpY=kL#FPw#>fXOof(?cq>{LxRYn%X
zE}XF;dw!Lgv#GzdUzQZc+ePmvPI*+-KQ>|&ygH~RP7jk3wQyF(V@#B~UzTjUZ7P*I
zRej`AO@xT}Ov!X^1P%{R`nJwS3wYZ|aY9;xl#-m+ecfGmltm4Z3bXlRFH<&h!?2$X
zx;wszddZK6*tC74)x$Q{oQ8|UgEUb{CuF6jPM>W~Mj44yY}DQL6Q_Mkz#NK{ZXL{K
z3_t>{gb1Vk1)$rINN2$bFR~#-jKBL(G{SnsCFCInJZRs>__mBhIp?X4sY|>g16;^0
zy2-;9_sTcUGTm)HX{{Jx_R+6oc=TN<iSoqqmr^BXL|9K%y=(N2m$4G-;Ju=Mn9k1i
zpW1`6Rh4f-Y(0tm*t2LN^Q&pa>ATK72V|Fdr5->27V*jaC{YT_ctj9jXGsBuShB=t
z&|~AHNHbwt6eT5L?&vOPOSn07yx$gb=F9+(@%~)yP@S@eaP)XC8{TG36;c0!ssu0p
z%Kw#t{BLuc4%8ZFSvB=RqU>M%kZo;ZRW;~*;nr)B7?#CEMu|SXLNrCCwBNpLF)CWh
zIr*;2)2CZUwU~>h|H$%+0Q8(`*}emkUylv$au?8XxeMz(W~ts$H_(wj88@jzz%MR~
zU9#EF&oZV2-$?0E-7(Lh!?cwY<Si;Ogw^)K+eiu-NFwil+)q;wU5Y5HGb&sxN=>~U
zo9(@0O`MV|eM{7o{`u$NxUb4_r{ndW&p-uUmj0<<OCuMNvca-B(>-7Kn38h;cUfT1
z14v2s2co+~Vdm7%*atU&4CCW1Q%!G<Ail57Kp%?B8hgT+!@#GpKgp1X>m!}Rowy#*
zFCemIaen&g+>NnA)c(1JZL}U_y-(!GfAAw0!H6XbRgQNTOWwFsy_#txphyOc$+-2z
ztPEbYwFttqcVsyiFV5QYZlyCbdkUuSL%8Rk%#JsOk}{1G!}Y5pUsQ3yi9pXiEb1}$
z__8wU1u>&Cn#I4!`sQ*tkB9w@r!N&)+t1v{;uH-52+NWrpt3f;wb&^Ud+@~Qn;=;?
zr;t&Q({FSlI!Ua+cTQ?+IqZ=a-|SP~jt&+(N=5pPZ+v@8S&e}JVNoVMMH*ayu4Pv}
zaV+i5i=n+0<a~H~jV#$wEErwI_(O#=^wJztzdz;|*I3*UbS)y~t7vdoMX|oysYq$G
zEl}Z=*DF7JC(DSPEy8u<FjknECm>V%YYo-Fv5w*I>S8vI?VPO>`Ujc=>aUOaAjOf5
zjl6bQ%xS#%jzgh&^ESA+S_)H!kF^UPLPk-{U^jW(QueV2<;ro4@VdMurh^4+MLNCn
zhDbH;#V3f$6w#i&E_6DiYX1#UzMfy71@Lr)+Zu;LNNLn`zl!q0ofd`hEe;Vw8zPul
zsB<PWVLn7DB_LCv1p`r(EuU{5c&lFFJ<;4@@-6ot;1pX?c~Ars?9rHCwB^vaQ2(&R
zfz+_IVyAd)<Hbszgbi2I%aI7TB$H$a%)P3(Ma9^=9dn9>k($S(yEG<C+yo6?^kwYH
z4^&Jr28l&?H3w9SI^QP-HXlSPA_a(wU7;O}j-5zQJV3%dZI_reA9UA%dLFVBleNNV
zJ^LI!Ci%xCn6=e>ALY(Xv5Qbb^Z45<$oiQ_rt7uWC~f$W>#<Wnkfy&z<-_&_!}2qS
zqFkQ!v+ZT~VH6Dzv#;nSz{KHeGiqy*DaVO`U^Kr3p;|flujno?2hBc+5^gWN?5e}K
zbP6c8=92m`!J*q+TFWe?C>m@*pm+W*f!k;@Pya!{R3BeDqMhaFtogNJ`_>!=t4XeO
z21<?EN=_9q!q>S(0`grGddO|3**efMx}HhOEANAEn6Q580#Ts%wNI-7+j`J2VACRT
z`393^#99`FX|KhB1#n;~i+>O?aS1!*tSh#8DhA@%6@4hpFpCO<QM-Q2%a=|@mikdS
z*s7^s#$eUGd9V7Q+X=A;-8Q|HPOAJdej-riLpV9!@&P($9wAJ`+|{EzOC$ja78wyZ
zer=lsXKmfSI=vtpcA99Ap!uf^NP94EtSI>B45I)VQl5`!p%!0@OR;lUEWz^1RnEro
zW`-B0EXq;?&BfI~LXJIPzgLZpKp3Lh3&=rvh^cL7*YufcIB<v`H>lH%QR~l!(4r4A
zFA{~Gb$v;6tOQmwABm1=gse=nYQ^D#RiIj6aq5>Z4c1(%c1d-{Y=g`3!JX4|sn+OF
zipc%vOAl84o1qoM_CHIU2U{)nzr>SD)phGEr;01Kc5qZR_^f>m=VzYL-TpFL<M*vW
z@Lp6Y+36ONA73mKpJSZ^ZAgW7dDg^#iaH12wm<<Vy4z5(Yl3FxzyJ0&WjC0O>EOj)
z!sAwKUQ9%(eiW4_rz%3f!4wxB)EW80HH7N#gi7858uwt)^=|);meh-iC>3|p4pR=c
zOyZs3mH?)mqi<!(=NaGpUXhmRwIcvE3=D8#dMm`Qdnpc)#L@LelC#n&q`jn5OrfD`
zziUe7a4Amau}N_=zH(+aUROXe#ID&G!gd1s6(<Bt5Da{l=RmnngWrCZs9A3mq}lEx
zblLZSiZ;3Iv{+4-<Jq;|)@#<fRcT(Vr)t007|vu}A4+F@Kb*n*KKpLMYzQ*3<R+oe
z)7C0%8kWrEUY#7`O(p^hNIucd=Q}^10Du7pQ=OPmg`1*k@4(jg!zl*eEcxaBR%o;j
zg&GN*Z36eCzfFOF_UN3E?9{}wJGUW7a_@LqP*5E(0i$~gH_!JGv+VwCG`|!9<FF2>
ztdzZX-g@`22lly%%JnqgTeKyx4nhfThPXU1anJII3~q-dVASC>wKaJKI20dBDTbD2
z9#b7jW5F(-z0oDSGG%vl7CG83sR*0tjq(P;{9-}@U?x`qOO)_u5QP+g0b+GxiOt3W
zs9bL(NzeLlYTc-$*z6S+i5Gy#k8j7MrZO(YL!>(R&|K)i)X`~C-jrbK4zCy2G7zbs
z{AAa{04930ZB-HaIcK8#=+`oS+wP~JS|T8=0V?!$F91@oK}GDkK}ke0DGGd8v!LAT
zryjC(!{!k*q$FT@`TnF|^A8(iiZ>Xdo(n`%3kIc9x*}@fNH{}-)#PknvS_jZvuP%#
z*{A4>oPf&htW2B}{kt4OZp(PLwFHfB!T`38K0Z-!BpASV__AWC0DOm;D<D^l&@fmk
z(Y)IN*UxOB-o|J!kvYo0@|p03sP$qKv}9&`s)QR%ZJ(<GU_8ij#EaBm>hHNKBEXC9
zRUnmsN{!wK>>TM&_!H8n1oTdAuWshZZR`YsD}Q54B%kyE{-ra9O-Da$mppA=^`uYQ
zm#S+%e@DXeOv8qi7{zd(3by~OK2ys6xoHmjJj<@>h%6dx>y;JMG^fs2X4?iRSb+ZT
zwENExGk2Q!jM1V4-<#F9MZo;WGTv0DoP$H#-+=`d{$Q+Z|7^$i{OGNrK(wS0LC7v1
zfeMeL1EV-YyuQmofJrCOpd*kUF28B}A7S8w1Jct4T*Gc|y!ymvfyPDcYun{EJtn=j
zmRnUCF+zV@BszaOB>KoZY`<}HipVE8$x+DgNK$^)mYd^2qxr+6?zt@GC$7E5Ml+?I
z1Ls&gf1%g^Qlytwd1x`JaW9vVf48%Yi1JX_E|B&TU3<J$uhHv&3{zh}EZQA))<c<{
zJ5LeruEm5^am=42m*xwJuY3Z-N}QbPVoK2GP$bX4XHl8Wvax$z*dIB95Fiq+;~X)~
zpRu_{`h<ETe_0Mot)6eh#QbN0-j1s1EYKLPdp+Sw+#1eB9s!D%La|Vb?ueH{mj)q%
zQ4qmd!@=vnLt-R2x=B|1Le?17UoN~h3}!P6p&Yt=a8Y15<>%A<7-a8&Dx;LjPpEZq
zOYSdujkTYCtgPI~r6qyG-0iySPw&iHw}>o3RYIWZif_Zo_$&PQ2(?k!8X6iOTKHHC
zGjV_azyMC*M@;Owxj8B{HueYr8nej#DCK4Tn|{274Y|@~XC@qIZJ94M*cqsb&)(f$
z_jCrL)va-9FpYb$5#!N-sYUa~#F5pJXR<)El;&Nfoq;`u$rQFd0|_u2rGNSZe*;FO
zC?R_PWe7vRCU@+$5Y1|&`g%A!T<C2nfa|Q~FO$#5)XkjcX?ZG=uQ(fkbDB{sav6n$
z^e~CJWJ~~zniPyMm;5O80l4MTue7jrpc{%m$HNPi`1mvwfk3bz!D?Bhqe#cLg`C!h
z(2}T7PC7SLbJL#X>xE&863$0RVRM5ebe;|jJtra}njb|iDp9Whr29gM_(wW%!q&bd
zGTtw8TpyC9v|F}bl>{7Qb20>1qJ;rVWlZ;*1Qfrc#l7uAz}7Z`8DV_8j|Q`AKZzoI
zYQMSM-cHD8|3wA`j?H9(Ol*#727XXJ&3`W6TPoKEldLLLb#<8lCdoW4<u1UmnZHwU
zC&tTB5k(&B@M1$&LxvJ_)7aDc<&8-qYa=f>*IH?7rx3Ck`kkk*502#-1hZ}Ym-b)6
zW1?wnK7Uz`xea`0_vRX6_m7w{WTLSiLd{IDG<`|iulFkT*P^om2W>j?)V$vM9<rx<
z3mSoyNT@JBQ~;@N%u*pC?jKtZLSmTT2!geCw6J+B%>YcK9-zJR(5P(^guf8+(T$If
z4~e5!wsfHfK}XPXRM-O8{Fsnz9*Yrzl0+LsC`t|5eO72|h3Ytm({)-s&h8VY9OHqE
z3cw)K{!?nk4@3#{M$BfeIqr}j6Uk!2o;{Eq4m_``bu~_Rx)G-=TPeaq8HuU;Z(lBZ
zQ&{i9(ODy32=IIq^to{x#-&&C`q>}nL?^HOnd8j~(AVG^O=g!ksm5c>N0w7cNK9N3
zaaxbi0@}XOa|x-b*Ki>I2ibf=hI0db?1=*9aG+QHWVhK2Ai<QpA4%hnn5X@&<o_X6
zA<>4&d|A{JZT=p55y`uB5nGy=^S74LTmfz$xFAyEMq5~r=2B&zs!ASr5g}84pM85Z
zIOVQCKz*Qz&$?rssvyANeP6I7eLo>TDX{B%({?SItOYc$ypE371{+OHO>GERbRm9h
z$T8-WyTTMq1V2xpL_9ELknj`2-N2^FRR2n#jUFCOz#1l>#FF0bxHjO#hwY;oypQug
zDT#nKn3}Tjl#VZKjWo+}VsjyKcXG6U_+uy_$qEu6$<E%eJu{umbOkxaM4-O61hw)H
zX`<jt8F9xeHB-|yaj&IEaCFgRHWZj&njVNuLL%;H5(tpwDDbr}K8k;P^OElFmode~
z#pL~!|Eb?_=z%<MSX5KA&e!AgBiBdy1g~8lS|cw8X-NQ;04dCNY46#uk&|5}l)i6{
zeSttO_N?j?8AEY{I_%a1=rpdyxUi2M5n_`?5qhuX(ql*NuCLD7CSHAMZez1Y<JU7B
z7WTxShIUAFHbclW42f@apfYL-NXRlkOiIY`MRuUkU&&BhQgUKtX?dp<tf>7L(NE-i
zh{BH$GN<N9H2cUUtlxQz4D!R5V1$p2K8Pkiu{6pnM~2ZLQ<ugmCq0E8?Q)6U5DRx*
zkq<IS5S~-+*1eH^B`2j{!CTPQwuF)l=msE=41hRgT|Yl{xqFg^0dBU#K}hQ9Eqc>T
z=+4HRv_|~HxabZADwq-o{#(6FvgH%AJf1?FwDiXziixS#1OS{!iwvy5*32r=X}bpA
zgpwy(<NI%l^%#Rh2zv^V$=TUiG}(Mow0002Jr1Id0^UKfcb5!Sl0%}p&nhf5FOUW2
zm@t59TyK5u5$o&g%7c}%)PD=TziQYEV8e;kvU^CXoh?}TI_E6VJt%W10aJ>X0aL@g
zQyA+DVfNcL-nz{|2=_qAq`dufut<Wi{qglk_uadRx!ztWISzn3zztG&1ThqGSSLX`
zj<qfTwgfJ~TUr6y%e+~#7niFXrK><T0PqtYOrSm;f)7#5mQr27E0I_8i&SWQrC0^8
zEEW+wwz}C*)6%#*|JBB!*4)GZe<aDP;s$gKdMsCjTL)Eb<!}>wFcHN*f4<$LUX4c#
zX8Q8!1y>vV*<ZZ&k(ZaJ1c`wVk~#d~=0~ER)igCP2mpz2l^n?*n+v0Xn+<_xzo-Tm
zFYopKkH)w_Hz8B=zJE&e2PN!j0-MqW#lvSIbE|loUa&+eVEH9))~iH-L1v?oz-!sP
z=jbX;obZ6!T~+I@74K=XpN0N_(=mk;!N-<UfKs#X_r45i?J~088VdLyCWQI}1w(eS
zqEJR1@A-2<%*|bZYr=yLTLFj|D?qr$v$3)9{{HM)|M#eW>f6wVTNRuQ2M1e7!!pd*
zetY=mZ<8LG<N^~nML;pXxd5Z36Z+|rCc=2u<fHQ*tFn=z%L-Awj|Ah>6ah#Dx4Ixv
zlD{;JYkH+Lz7~(Qfi!+jGvVbIt>&EpB4o4ezGsb28!3w7$$-V+ZHB9!hEm(<8~!Cr
z{Vi3%@F}d_%Z4R|8BEUdodt>O)PjON>MWa@RTep#q1R<bs(vX+Y7aPsr3@xan?x{g
zTZcNoPxCEicfQ%6P3<ZU_ckH2g64D`B_`SyeWxBq%;`Y~vIqtzL<;vHiA9U*{b)*0
zFu_nJ>j&%Q^2nzEL&xt~)+e8r&4bwg<DVY#5p0|9^aME{3WDgeQiMO<b!^w<z0FMJ
zNTXw_p+@gRMO5Cu0d`6(7NUjdl{|po5MCQFbeWIuXV>vDgb6n?cUd5+m(+i;s6&Fk
z_L&xL1_hq5gJx)GE=k1DMJ&Mr-rMn-jYdH@lCw44*}Tioug~|VM2BeLkJ3H~bDoyh
zX@>uWaQ^NOHwnTb$^~Mk!nn#h?0QWx!s%sdiMkR22|{$6<M@QT*qz`Xl%dIqWW=Nr
z0Jea>r^ffvvx8q|+g2}j#`-y80HAQ~93OY5&DA6vc0N68K4{4i(ilR9$1MERJzXX+
zb)}R1-<441+0}2ONd|D&@she!*V{~WqGCPG57N--LgU9Ui&vKq6W@0<`CAc7l>(+b
zWdL3J>UpalJPvo8mYOkg;pbpB1;CF+do~}`{XiNY?w3U$8#%!xMMV}_NjjtHoYLqd
zyHTxPa~yjr_;diBqIt6*XmeD#e?PM1e}XN5Vl+NTB4bN$nha5?25eyk44EzkAP3Y(
z9BLtzg23+<s#GXG2xLbyR44NQqa37R;!-h*R4~}h^0xvgxrKO(lqr8;?^O)Nt~b;@
zN9u<jhuVhtitrct-*T=X7_$sVMSH8;kt&{UWzLB|3flV|MR`Slmf(|SvU)fF5H*Mp
zf4x?uXfiLgsg}J_Xm5u9E3*fg9MuzejY>VGfeJBEtLggbnVL9Zq)8zF;ly5O1Iq?v
z-ECs!jepUn|3-$e2U7*aS*7#y+)mfB*{A;uzNJJsT0t@rtD(W$x?!m0wa5rtfXmSN
z>0R0!rx}a7*du}0qbb}wfB3|FzE)Ko@r!DH1{`dhb?|hjgPLn#Wl9QhlF>b4_spZ6
zS|b!FYXN#gemy(bsWnfTMJkfUSp`6Dey)ElZox*e);3B0fGr7NLfqS1iCN-s4>A?N
z$$*AP0eNM?FuOtkEt;>;4MvZ_`}*d7IRQYZ+>)TCk;K<!L((D5%D|dC?6y!#xUc|>
zQGPH&+itO`4su6ABo4R`Av$oJqFhoKITHK~2|mRJ=T|;EJ2QB@YmlrmGN~&R%(k;_
z3t2z8yn9pk>2<@en?vkIImxkWVkmlVNKAM602?LZc%t}NDgr+Dva1$ja0Czsz{8>e
zLDvc%z^e|KU`vf^F+!m%eL&sRk!(f+AA$D?0V8-Jk64bQ)sz}~PsAXp>7xlqdaG4r
zY*ILq_m_A&_z3PTQBF(+a27~0VMxE=pTp`$k>K3LS5l_Im9rTA0(w=xuyWwsKun1w
zfcNig2UEi;iqBOx=(JiSxZnSg)1W1!mcl7Xf{B}${zhhJ1eVf${GBiWmH-PV<Q1&D
zLIu;QyQ-FACQpUnbIwsj&~=so>$xp?fQ@B^a(b`jt(BvGtC)4K0Vtr(t0%Vjo^^YW
z*ahgF2k8Hz`Danx$YZbm{AQ3tLad`u?N^q4Cfj95<x<!TT=Ii?czt8myN3fMe0{N%
z^^IU`gGQCFhekg%8|a_8xX^=7u5XoLzP6ixlz(wF%6$|U-?BLu@~h1d#)k1PzOcB8
zLFNjhlc*a^T1$Dr$5m#Sh?H=DuGXk$h~y#Dsve6GUfm<*GR$lZ0T9*Wfww7@5m%Y|
z-DOP6pU3WDz6~KsIlyBij|-w=e{sQx_8PX5#&Vd2IO5rhaNIgvfe5Ge_U+rN^94KC
z)EP|LKpvZUu4k9N^jC$@WiupBc#jm2MhaDCw)gr>ZlBBBd@_sC<+cR+`x>r5b4Uzz
zBhY6y>G5sbn?sLA%Yy9O3OOz*Owre2$~N)-!hkv#0({BKgu(=#R{c;#&|GuqacQ-*
zW?bkK-&~tVdbCwQl?qG(*<ur7<ZG$*7@qF?PK>5g=R`Hv$vpyaIe#H717$A}Y~agf
z#bzH>X%DBTr;D?*v)=*vDxQ2I6E-GnWPBij@dU`+=y>dwye@%cB50FSRfhaEA!0t7
zkd?lyb%}2A&e{6YhFP`y-(}AljYUQP-EUSTRepQlo8eP`-yqY`F?QhcSoh%MHa>B6
zW4U9s(wE$j+;;m<5w&q^mSau&6WOma3FZ;R=*M)is*O{UvQjv{it3D#A-<weVd5O0
z;Si^~P9q@;)bE-5SJkE3A+gv9P<-=)70l!LO4Of<v_6#uzF*j!CqUF+Xn=9nKIJiv
zV!HKcz1p((dD_>7`S})FTH3zop9|nNFyevPAAL%MAk76>&>LlX&FZE4t=c=8z!464
z;2?on!1Z`1WIEjo>Gm+hI-?NiIqJ!x!1NEELKlr-qO);;$OC3D$F}su96gwmt4!Uk
zr_W%NEABiD8Ck20jg}gYBqv=s(6`{XFfDUZx{a3aHN0!;)ExOC;!c+;?mQBp;gUYK
zUes#y;ulLw{P}9ELZ?9qAVK;AME?0E7po-z;_3l1`MSIQ;o+&P2fm!y147aZS%-KE
z-czRb0<{>x&tsYdRoXbl1;e|=lRTM(AX87N8}|~Rs$oB+>+}Wp$YVX4bI|Ad!LW-L
zdQ#TklRh=5w0Bj@$&Jw(PI(-0-R3|np4UoHs*t(^CpNrG)XQ)H5<m9CF%RIx1M=Xe
zW0EL>V4=az4D1yB<jIriy&sM5tQYDPzw10HtSB4>ry!a90ocsm&*>MCs@;I@8U9LS
zwU)vIi<}T4{zLuX#KkQzLGE;j5jq~4WbqtT_WYIBi#&4<A;T)!I-i!^L1)F7DHR4H
z$_V&vO0G7&e!fcim5-2smx$v72Sk>OX}rtE)Fu0!VQsh+6fmJ&S{J!}fL;uFIBFwv
zVRW$6iV1r<o+a_|95~mJDb-dhoZUvHIUN}lB(zO6Z3MP*EdowY6<Xs@{AFoXQg{kZ
z{9ez-!BMa?NZctF-s&D)I*re(W_VHTV>sH55}n+ZIvO@69CV?k&w}+*ixRWFpnp4m
z+1YRkbXeK&tWeUa>N|eo60PO5BZu$DTXGe#96hcE8Gy;FBflU2`x%+wOW<tJ=A#Kf
zuCciqGf$x0zUc*s%#REec5=M0&n+qya*QWG>C{_ijaB)^m2?AXWeO`&SQ|}hH_%fn
z9R$NWVXlikI#t1J-J`hTf;7AYb>_K9UsSS`g{ye#WuGZ>r~P=q@AX^6FkJ*gN0oMx
zOM$AE2>D3<>deTd152o4(Eh&p`uygjTVOJ(niELs3GrU`AN()`Lfqlv5GE$u_Vue~
znxMOCd_sb^9=;i^rfCw34I^+&OaENaTf!SvX4>%c)u*eNtLJRD&_+2xwd;$(Q9F}6
z!^u!UyO`q1Yw~^ScoJYMiCuJc5EF$Q7uO%Dwl3w*(YqWrC=2spnK{B4o8x&v#aQvl
zqQUe9?=Le67lrp=>MYW;`+2uTRHUz=PdZQ>&2qh7+#XEzg$FT5`aOEiHBSowf^<OQ
zOerTPS4*SZe+QglTLFO3{3Y+cYUNWepqedi1epCRfOkUe)m}~$@>EZI?IO3syDdWe
zA`q)JvD?<g7+liZ)*iy+tH~3@3~0XG_9?9IsNu-F5q&}JkI^UJW3xsD5tTO1YqWx;
z(wo(sdj?)JxsZv4xR_%W&|1B4+lzc@;>ni7P35(9%vW=iOkd`cJiO4>M!(1Xf>xEL
z%qNmb`)4Y4VU_IwMf&-(sylPcgslU)Hk}D#zZm2kz4&jhvN8o+m2|(_i|IBw%gUe6
zM4vJ;lr%uqr+!!Cu7(wFdwKDwt3xpy@x0a5!>ne?Lm!y_0A^s>K}z_d%dBX3>1%PS
z*zAj@3C!yoRXshuVryib2XC|pL0Dq%2;JD+X$D7yzPzN+ijv}B5f`ssJI)kgtczLq
z{bjZjsu;$SGd>uvGWtY7>JSWRC3-dZvit`e=7I;tD6Cih<lF6mR_QJOY!HjkX5qK2
zazFP(eGL3-Yb(H$+tf1UIrHVblhT;e>U;J`s@dEm2<HkoMET~;n@2d_csRnBVk>3>
zV^D38E$P0)OOm-(2Ry&u6`NwQdUL{=2lVqhFu{zz-?n`Ur!>wUvTkNd-Gye=;M-G9
zkgP2|&&}buCi)>4(a6V7StImFpH2;bTFyRO4nm1`QD!Oef2MM);zKO#8{Yot9cx$v
z0}Xx3S0QwC{$(MyH3l3D3A0g~Yyq+u!bQyjIEw>ijG1wx&0!vnkn)oS?NA%Cu6nDg
zVRi4;0L7%mxAjQEXm(P_`2^aj<mqB7QW5Oxx)TL`51qZuD#C|m*1BrHy-N5z>a7Tw
zP3?;|ahvzK_bMZiK75hFS{vj>Wj2xDGPkatAaT`u!u8pf=0u*I{)ArX^e&%1Dy>P-
zw}Y>p&&0&?(mD`p!4Bn=CcY(4yFQcZi)S4%1<szjg~sAV-cXF0*3(~?PO_i2I%rl9
z7{?A}KcC8CFPM=pT-ZE+EtiwQ)f9jDny#ewj(onPV)}mb&zBFwxje24_p5f;XHO39
zclpjmXb=3L=o#sPQsniC8XEVyADAD`uxc{VhfB9LMKKna_|i5f{B!JdB2R98m&V!j
zY^PfOpL43Tf$`|+=?ZNIDo}2*5A=VZEH#OtDyoU=n@ULFPRuCidKe6!QB0NQL;b3r
z3(;W$S;@w`hxfvJ!U9j9JvJ5io-hUM;u14;=oBUcYsGEw?(4q?X*Fd_o_TNHqu@m?
WIjl{59tRE(gJj<*NtTNn2K+zH4wtk5

diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/favicon.png b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/favicon.png
index 3e6dde97264d7a9305e8efb15b48002d2bb63484..9a8472bc4faa57ecc19539c58f42b5fc61099cb1 100644
GIT binary patch
literal 2100
zcma)7c~BEq99|9uQIJ7Iv}m_WMGKQ`5(Lef7()Vta)=lt9HWF}lk7mUVY4v-k4meE
zg13xXDLU9Xr~?-2eWEg6R76J|K`mMxKnsXei>X@sl5i>2=^vZyd*AoFk6j%f7wPUc
z!3}~S_b7=t0sM2UkLz&oJ4sMb1wq5c5>gp0i;ck)q?RdHk{LMDtknY?f_MV6UarW*
zX*dH{6FNTf?8F%aCX{?6DI}H^s~6!KLXu12^K#>)irh>ESBVH_x$(>xP@u(WIc(Nu
z=?s{ekJ$8L;N5zSBCw4@XYvtQY&<L?DI5-AhA>&kEH{`(DOFg4IHFe=ocM@_ru7(#
znoK69DVRx8YLw08a#0os<!~5)!7$|LXt|l8Gx%Fo*ma0;gMuRTG(qZMt4?_aX{7lG
z0&uv`Gp)W~xz5lVJ;(!Umg`YAlZ6f@>op`z8Z_ibMEc<&g1DI&h~YgmR%8gBCR87x
zTah7jkn7mkPe-BEz88pr4qpTk(VNuw9O{ePAkER^Xaa5^jg$fpUxe#ue_JkqHB3a|
zavB$dhmUYroM{X;hrwb?*)uQ>2jj4VSZo%npBzgn302O2l7lf$C?I2l*`Pg?a$5d>
z`27jTtZchepfx|~(SVGI%pxh^9Ec&<=Ij6zB@)F`q>9J_m?0rD42}vHg|fM!p$ra_
zZR1+&hQ$+RJWD1fw7AXydW?^R*rOf*lRpC5Y|jIu1q|2~S}Ti1Y2|7>iBQs-eq96i
zF}P0sAz-afmeJbai8=yQlw)(wCL<fb_y{)?9b_hX2xJ`@m}hGwOhOoFlFG4N+2?2;
zo^3zbk6DCmfMD3xMwnb-wa-WN6sa^SaHY)!pw5mONEL08Q@BtKI*5-5RVo5_ngfH`
zB-A>bf;lh;41UP_QYH-!G=5OXLEVD(dWTxay3aixIwSy|jWB2r06F^|*e_sFq5Yc*
z9Qt=1t^-{}flU^EvAG0-9P$Xz4@3F@f~IaXZmf$A6MC-_9BRX*-q*`kt~hjMs?*-s
z4PHKyg7Gh!+O9@EctjoWx)G`g@)m1z8Bfu2Z3E`I1}V5*S=c1KSAVOffOo#c(lWi(
zPgTD>q$J@+?tRve!Cc1U9?ZvQtDpPic3Io59eWDO_HRC$zWn>YmZ4P{N0`6N?>PER
z1s<{|D4p;wjh8Z}@ECrwYkLEpxthMZd}&|T_O4w4<GfD?ztpUZ4ww@7hN$-Ou+%g$
z+a+&)Z$syAN=cC|SQq@ml^{V6dtt_UyrosyvAMA@&Q-9$?^o8!(WCu~3VR-$ySkyh
ze4`+(e&^(%V{6RCjuSG!lx$MO-#jT@e|f?<et>`Y+4gtMr=LEbYx?Q<{gE%P<v(v4
z?S8i_aaz%O|MRb~;djTRsrFeKMZSy2oRZxtacMX_qBSXzaeU;s)P_IHBMwTEt1lnC
z@TiM&t0-*9ak^SpT>7@e&<#Cwx9rQjb9a@)YBJR_+;OM+=>3zO&%h^XgkF+tfFO@r
z>*G)y<nbA((2OXtP^!u6xWm?+WBKMkoZh%Utaa3}*)E+mTb$HaCi>>)joO~->9Rb}
zRVdjZ2+*Es?w%Rp(e2Nz&d#r@3{0xoYFsjVW_s$)4)vuv%el=td)yo7M2k;%wU={g
zO}P;E-0hkN6$Lu0GPZoda@y_T;D5o%d6X~exvfU|cAfUguvfCIl*0=mOV^e{)s=yB
zE_}}SHfDyS2}#9^i+txq|8aN~-ZIwFsYva5Fa4xw*Tq`M;ZCh%_Pe!d(VmCA#1+nS
zgM>G~?t2Zq)Olt~m6-eUWXG7_7E;G9K8D!om7kw5#e^<tXucPc)>)W8aoN&{o>NYd
zbu})oF&Y0<8|NNbTvu~_Y3(D<>qVj$`Ic;T&x-B5GV|GO^(m8BEu!6+>h_bQ@xiZs
h53CvSx1g+m>lDw(Jl!a)_|E#Vj|z_ySB9m3`!C-M>Ky<8

literal 2938
zcmV-=3x)KFP)<h;3K|Lk000e1NJLTq001xm001xu1^@s6R|5Hm00004b3#c}2nYxW
zd<bNS00009a7bBm000XT000XT0n*)m`~Uy|9CSrkbW?9;ba!ELWdK2BZ(?O2Mrm?o
zcW-iQb09-gHt4*vi~s-t7<5HgbVG7wVRUJ4ZXi@?ZDjy5I4v<TEiy1MG`&gH`v3q6
z&`Cr=RA_<KS#5As)fs-yJ@<37yUB(P3;BQqBE--nQ#;7S5rGP}qksgaKudyku+u?n
zp{>YLbr7utDoT}FTSci_WfH4|kLlQ{+5r(!TP0CQCBPC$h>7`PvtRezz4!D-vP-~C
z*a#)`nc3OoyyrdldG0yqJ@0v!aL)1n3^DcxAtc^dS-E~SfYkt8!@wyic)e=~&`$sW
zJh6F`!XoT>01E*q!$B-5oO{>j3t$oU2SP~2RlBSR01jBD6>o|QSmX8nI1~)sp(qNd
zNMp^%dtLf#9u{x_IhJWDOlM$>#SL)*t*xyqHBF;-yB&(Egj7{sKnQso!!LkC0`wmJ
zJ;qpRAP_((6p9<;0x~l*Q`_6yt+uu{!C`lN@$~PvyfrLz2f)e|D<XkF0HP>bnVFgK
zH69l*W5$f`?(XiK&p!JMCr_T#hll3C=<e<|#*7(*qM{<6mX;>O+T#L(!64N%jh2>{
zqOh<qzpSim;qCM0RRh4Hg$thp;6d+lx)LA&B30GZivjSRH8pc|T`zPv9N?VONF;Ku
zV=UtA*}eM+fNKFj5CoW}2_tIk4Tr;zzVX*L{z54oMJY}2tjiD6G+~;iHT9;cbH|Pu
zyPQ&bn<PoFtaH(4_MABc0EB*iivc_XfX6y=i%+AJzFm4lX}Z(tgkc!x4RX0*Sr!b#
zKuSsqCQqJhc}9Bnn5KDK%+`k&0Zfhk6Q6<DNxXa4uIm7-<($uDtT$v?+(I}UhR^52
zsZ*y~L%~qJD2jGMh<rJSbIuLZG<y_9$<N8j$<EEoh23rk0f8*bkYyQ^(tiMWc+T9p
z2l{*x3y5LY&Yia~#vW#jmFi4~VHhw?6Ol;dOQy4@a&vPxFIv3#vTSzCvdG2_8}5~5
z`94)sb10>~#3dQBB7Z7L(j#SM^J^{;J-C1vwr_u}T-Wsn8DkT5ri1AWeTPY-uIua9
zS5`iEDdg99z2%Z5J)|hg1X-3LD>4*Cfh@~DS(ewAmse~}<d?L77;1Lx_(?}+$128H
zzW=PBL?RLBx{gRBQp*@yXS3OAe*5_2Nk^%>moL9nmgTjIqFk>i3N%fF-EQZyA~)LY
z_9vGtDc>@f|DXaE%%5NK`QgJ)9X)!~1PBO0)UqtU+wHz)>Ww!RO_?%9pp>G!yBm>6
z1d&JtjIjrw-@5g&WXRvOY}wtCBt4@j3RG1^YHBJt=cui%<^TTVllpKtbj0Hs<w#9U
zl{8I-s;HtQN~^10uReI805Q=6G))^(Qd~SO-Q_}keLcF*`T+p#?d{l6Q-k*p9Kej}
z(@{`R0994d7nie>A>W5g0FY%FqA23?!-w(l#~-1yvy)_GWE7^l^9oZOsc>o(k|d)q
ze2+>rP(lHWF-{1<xbgXzFg_PEq)+hN{x%#q)&syqTU#5ds;iNmm4zu&rXVXT3qv_0
zD5YEw1e`v78lN9NjP~}g;BvW;UoZ)xEe$1Z6Z1y5;?4GPXbbhFpaUGD2?Y>B`~d27
z#w<u8=H-U2Ezc#&OaJj;)4pI={h43`2y9Kw%}Vo*9lWHZM4U9K@JzA-!r^f1$;QSL
zCr+G*+U+SMcl-p#6=!flI>wb{emUY6M*|_S%r`Nvo^u!=5CL>1<eJPT?(#aD1@KI#
zLJ;9%w_);U9i!cw$j=%Q4mwouZN+wf!>N@5_zH!v5n+=O3qmwa@sB3!(4NqzkGGJ>
zm;hf`An4WsW<=AtWv=OIZmkPG;Jlab)h;Q&2>jZy%zxBZ3(I`ev@Cbfl!(<!s~#qa
zT+Bb|FxusH-ih9O@&ufJKR5#5Q2?*IHu%kCNOyUi0)W{7)&jWh0<#am6Rr*ZX9gSN
zYf-4n>wFzR#sK}J0L}skC9o9&*bd-&0KdFAeE`6{0Dd=sEeK#nm)AKDfHcS$(}D9h
z@hkwTNfJnetReJu4`TaP-zO>b-vgJLW)9`9aM|t^{b%4K47`La^e&;%01A+J^LGs4
zx&8s#Ie-QLrvW$tTr@z$1-Lf&zdu;VF0XS5fCupP3;sy}l>lD3*u(l^3xE~?4*{5X
zfsF#Fa&7QGKiB}gviCdLb6^jE+W>%^oBd9K;7Nzvvze?*xVbM1z6nxKhvOd3v6}a#
z3jEyrIhZE)e3$%&hZFh^B^&MXI?oXB(VAeugy=Upw%X;uMzRiV--P(r$o$Eb7CvRJ
z0{C)~M_nO{f<rLVT>cScHO>xMz@mi<O8`7=a#*rRg{Sh~nVd#~+Ix`+*wsF^<4BLA
zE`>%lksB%iXqrYvQGE5qZQC{`LwIRL#ZQ}>o9=09YBC)T2OO>pJu2CQMJ{8~?W3AK
z(`^kfIm}f}-}|s7C@@*z6u|1L>go?J6p%0%0x$x=O$2}l3x|w6yx-}@zs{yZM07+N
zjm)qt3yP}3;c$Rb3dUGoGUNe3Rn?q=i3LUO5pFabYe3V<V@OX=N4=4bFZ_9U*F74u
zN48K7aznpp;Yl>sKmq^&0s)xG@oZy0qLu{>VOXXKNz>qVyOENT0>dy63WdNqPdW@+
zmc=>e$j!|~ettfDJ|Al9YSGr#h77kG?+4Rys67X%N)%L}7_2Zjkbo`#`+(lKMlELY
zsNok?b<C*j>~Fi>z2{IU6zX3s_$pZe=nJ`wF$jWy;^JZy78c@A?IG0G)*a@ZUB@y!
zBOP!!L`_v8%L)WRXiZu`Rdw~J0H*bCd*zjv7Y71?2N+`rhr-ZxJ+=-T2qC`_1Y!FS
z1Z*LMGy`~ub6yk<hoNa2rcaxWSu<xzDfX0|6%|XjB{R@PqtI)wy*igMwpQ2m>tbaV
zrZece-o_Z)1Ypbh%F2sojft?v>lHZX%Vk;iDvFYQ!KMC)EX$9SmseCJ@=d0!Qpy-x
z#|$=0*Uyzz^oZVWFyoI|*;yNZv}8%(n-ISc2S4~g+Pin}uS7{)p{lBfQcC)jRrbr0
z{P4W8vUidauzT083Fw{L^8SUbNF;*B##1=e*x1<9({qSYY7+$Eviyp}IcL#mG?<c-
zGASn~XZ+aQvBYMxohxi9GN?e`1n|h5xpQk13fQxI_cZ|S1n>(0D(4)GF&I$;EoWMy
z_4V~)M@I()D)dE$%MZ)4V45b<($X-oV4|6wolPZCidE(Sz(j8v^5@xe=F|e`CuMH{
zSOY*6gx+RB5I#0dbKd^_``bD@J0VHZ|BQU!^B_qQ{C+<^Jous2(cZC`Qo1i@LvNn6
z62PIDPdo~7&IzRyq9`H|2y{x4bpQMX3tj+#ML$@$7zA0k^pra(P)Z4<H2m`wE2;og
z?X0Q!VK^M#Y`5Dzu~~{CzJ&hy?z^A*{r;l5x;lFN`0<ZkdimukSAuM^xMS(kzvt!U
z-BMg!Y&xAz;pUk$1)$#y?Ay0bYiVgA!C(+}yFJ;<{uP7WZkK#MA6i;kNM>dxZk{<4
zKtBOKpKp|+D1yi1fubndurW=5^^ZOFop3l@Vzb#02m}P5&lk^7;{q}=GHjwKLen%z
zl5|aF<@!Uoaz7~z1`eRWX0vIM)Ekka(P+FN5EtNZIHIB`N>rraoXY@8hJ)>ZAb_mM
z5GC<%o{^q-5jnor6-DV1L?M1aT!n~o&fk(`sbbk(cNww9xBw1rT@?!^F*tx1IOn&n
ky6^t;%9-RUe&b2uzp$9K#m3Z@`2YX_07*qoM6N<$g7gSppa1{>

diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/icon-logo.png b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/icon-logo.png
deleted file mode 100644
index 31f8b2b248ccb831234284b39d34eaf80dacaf8e..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4195
zcmV-p5S;IcP)<h;3K|Lk000e1NJLTq003VA003eL1^@s6HmDDV00004XF*Lt006O%
z3;baP00009a7bBm000ic000ic0Tn1pfB*mh8FWQhbW?9;ba!ELWdLwtX>N2bZe?^J
zG%heMGBAcGSpxt758z2eK~#8N?VW3ERL2#^EwxbyBnl}~h13tFRnwwYRgt1pX{D-2
z{lbTS;9H|A60}WQH@u9^`oVK~ClD|ggCSs>w-az!h%pYqU<VUpf?+Y>2L@;3y}Nb*
z<2BDUHu&`X$8$I9WsLXk+i;Kcm)E;<XU_cYxpVKGnL9Tr7;`urBQ#B$*y?g6Ynt0?
zDl(FIpEL$OmJ{S@E|)`dxye-IB~cHwR!z&~A3cGIO+{7`cfX0|#pNywOk^rLlGyuA
zbGwUFiA+U7n(KS`PN(*<GLfl>%jI%0e61h;H{X2oQ*LtloK7dX-0BTXg(sKz+YkNQ
zZ@;CMmX?0_jg5`AhK2@eZf+J|wzjtR?;W8hGcsjF{lGcE>FU+1)YQ~O_4W01@#4jP
z_-D_a?X9h?r3)7>(B;dQMFJ$`qd~MyPE9Mvbv`aX#RjGYZ3t)%Zo###u8z*1KTph?
zYHDgIi6j1(Cr+H8lP6D7b#*nJIdeuNz@EX;aP8W)i!vY6LNL4CP6%vp1>dTwDypok
zq~phrQ_`VBhu%7T_%MC``R7z#UM_w(b?OwIK7Cs3A>LzVw1;6|ef5<H?23vC!T0FV
zqjcoR5h^Jup`<Uq_#%1#{{3{|zybQ~v(Lm2{2j@op<U)-T8IXgWo2cA0Ovp_o6SbW
z#l`f=C!bK#<HwJ!4<A0f$`N0WFYv>`g9k-oJ{lY{57R<4u>ADXPif!2eN<FbM7wwI
zM$2-(x3||V;P>_Q5%l1}gG(IwO-O{qypah%OxwG6FYVg3ONiU~dIY-8djNc0w{PD*
z$9qiUy=1}<({}FMNu{Nw4g_`}XC-`HH*elNMnr?2a5v=Skg1%3eKdaN^?Ju4kX3A<
zr^4sosHdmL%ZG~9<ME7^dHPJ{$nz+P!)N#I-5blyvbkMXa@92?d}P2G;e6oXy_mvB
z!U$Q0313R$NJ4<#y?fWntPrq*or<e2Bk+kcrmn88_KuE@sVGe4$nz+4#WRx>4o(k8
zJ#lj*m<<V^BY8Z3um%1A4FaD!J3Dbcupi({D3vqMlS=sBh`~F+gyE9`_=Vzdf$>h5
z$X`_WCl~@gefQmWq8p-!FQ-(FJ<BTQ8`H*y2D*OzI^YW?LBh8&>j@J3K;sQ2Gjux=
z1_QsXtxfdWp`)m<pg`&9v!va8y^g*w^!lRi2H;m9z$NCV+oMO1rm`Ht!q@w#(KobZ
z^Jb;v!&wFS`GkHNbPelW?!mxEAS0k9*5D0SHhig>(%s$d2^K!Oq8l3<z4i6=*>=1A
ziObXBX6RUKXlN+Ba^;Gsn*sRkEOB8Hmhny)egFP_>zzAyyurZt8!+(jA(~lHQQ^Bh
z9WI8zsjI77$#w9eYux~R53?F@Ngfg7jK?zkYy<E~_Gh=BIddjiW|Po{Kw)1q*=G+1
zmo8npB*ry@fbV7a%A3)M8W%8*3$z)4uMZ|TPM$nzy#0%jojP?YnSE^k`s=Uh+_`gN
zWG_hgdHgrF;~re#1a_bzSoj#A!9dNIUw&!l2n+7a9|L1wCUa0Ya6*NT2H@M;+uO&<
zY~o`Ke<H)T8-OncYs$;Z%Z?sBs=nrpfgL+`Y$E$`8ly}YZ88AAg5k%_Z>3$kcI|C;
z&|v_+7*;DSEiEc5D~nkK9X@<`0+&~YQ6~6c0KT0yNoEsWn=)m}h}9o{NbkS@K7H`P
z2efL{Dq6jIHGRn6ty!~%)@El@_PTYnZvA>%kL%$L8z?t7SBy_$q&`^q7`nvB8HO@t
z(NQyflnz6C!NRxm-(qy7aQ$+)p6j{3>$u+8T>rIe*9sP30yba-R$#V@|ChyvW_$MT
zrDe;O(X?sPgl5c`K{IE~qLkUQDK#yP=2$G0k&!`JSy?o1-aJ~cU;!<%T50);6=EmU
zawUR=4=}RWs2RqogM|+ru-VAEcrh(nv`Ewqb<E_trgNQ9cQ8mvNuilDXVUcP)9JnU
z-V<8E^#?myY-qM`|9*mY@@@6frAr0;Sqy(R!%v$thb-yol#!W9bLY;b`Sa(~!i5XT
z%J7$PTI@7L2jHUnVYtADuLvAO^HQ$E;w4K&K<V%iXb3nTd}e`w1RDh1?mc@1Ge{O2
zn(3M7D%`$ZfSsM1D&VIx{7irN93hAl0e|^&TDfwiI1D##+$buX$nfDCpMNNan-?@2
zh+YKH5{8d}LSUheSzK2H90Csv5Qx}8yLRs$zzUMZhGv18>Drc`Pn#_N5QiTQLtm4_
z@Zks|X1NX@=L(!BxP9EVZJU@QlxXk)ealB52_MmRBVgb=0tkVGfI?saJ^~E^hrr8Y
z1_($MBS;n-nyE6>b!F-pYEOBM&Sp%YHFN(*3pg@xc<S&GIpV~_@No#^1dWq3A`8tJ
z0K^+UpcfPtiVFr@JP7#gD*^`a5kS7CN4EQ@t3CZUqVDzo`-PH?E?I17rpi#)^^{lX
zPSz_zH!ZKx>8#(=`h_!mO^y#fu8`!_kq$qXo1sm4d9=5vNWh3S{1O)C(7*@y0-xX;
zd_<riVDzR(hmX3Q$$W!4ETet(ZcF>Il8r7|Y-py+P?tY^T{qIlP~pOVec$Bp;fuo<
z5rxPSm!y0-x^dGc%G<nI9O_%SDf)QdJ~5k178^A?c<7MW;V2VjE8%mXAYgR(8<(ci
z>3M(Ty8Y;h`bHK0)9mJqmmUN<19hdp+{eGwwf*PCH)YacYp6qK>d5P=dO}>!>oRF<
zZ7}${JeE<|2{oNFN4_pM88+52ZNzWc_j3p&Ro!$YEPP$O6CQKg6a0CM+%#bgfpTNU
zOH~M*z<Q{Z@bGnc=8WpSIrF6={+w_-0X{MGqX-m#pNCT1;Jg0$!e2X6M|o6EJx!fy
zqq;k0joiwg<GvH%0|Ekp;qPNGLfzf}e(_H-tJoVmF$N$RsG*|(;%)BTnmuw2e~$T1
zK$+qA-H|dfmp>=Q5e!FU1oikk8jLuCI=Dg$`E%4OgEFwgxx736J_IA)rkm@yoj*s$
z&(<j~yu<BQO{ByTaj7fgWkc<zF5do}bSo;xWsJd&4lFkq@m0?w)Ge^S;Rq+q8dYKO
z5c~2#a*B#^8GjBeGoCWx$5AHyILd?{N15>BC=-4hWx|i6;LsQroQi}d@l95-$1=*x
zpOpm;CfvZ_o<nkqig7t1cO~#Pce!2#{CN^fRd>UZZiR2?;|S#j1|VYH*@m)0=|qEW
zrH*V%m~jd?!p%k9Q2pM4LdAKzxOOue?LO8e2a9UZ=P$F0y*d8=gKVRYBRw2XqyZK=
za1u%Y^*P@8VV2A$w#E(z-6JTYC838FhZ-_eiR+ZugDE%{#I@hsfU&>m^<06z`oMaq
zl(6v8Z5yxt`fv?C%l`g*{&fmeRN?zig9wyr>Iihp@+#FW`~&UHT}B^aYRJ~DVy0St
zem)fx6i{JdA#LBjop$WlL0FXo)9f(6Q7ixyW&4=Rz<eDn!Gf~k17@6I;#5BShM9Qq
z6+XlFJzR&&^WPA4Qq?tK=IwM^UZJ|I-_eG}DgBeC{O9c`CQa${c6KlXOqhz*q$$h~
z0`SdSwhTUR$8XXU=4<9yXVImMUy~<2!QjK8hV)-i_JZlY>4I>0z;r<cd_)?SzKX|m
zL6nK|FnJ1-xB{mO>hLk^*nhfU&fNb}qvdt3^ULvt-|+5FsCmxMXl=&3>WQ*`@b!tZ
zs30O9(2pHE7WcWD@Bv2xg24yhZ=x(_-VK;2%XP#=*>#qw)NJ`VU7R*v$wrqfHZ)UZ
zi0O84Fmq07|14#Fia0ywKSexn${?cN#(?pZdZNuzhEG^u4o4@Z3c_bJn*(Mk%PHch
zt3E|MBW<>LIt5HrtYopFnSVw&Sz!`sT3VWKe!lYI2*3IHr~tsDVwnG)=nqF=-AmL{
zZ|{9g4jzu+y7@mGVX;{HS>Qnt{);0A+xjz;#fD~jCU^!3g$#Hyg$oq$*%9AkK>^dm
z_wZE=p7a=Qj|Jf~u7>>Ed;cd>274?BpK<<(2z)%?hK!Swlf|<}C;<PX5dE1fI5Oaw
zEOr!^ZUAoNfw)A1uRjo1U0p4%$o$)T{lN$v`KjCj1U{1mRtQY6lf}lynwy*7YHDh#
zF!CrU;Fpw?*!jd4^#`LF{$z&l2o}EIqo6jf*LaytVwuC?7~j&;Vl(&<G~hc*OG{(E
zBmkG0%<$U{z}FvwE=-sOy|LzirfG!+AOFV!pY2@vxGsjl&`0p4W+n%M#{hghf$nv=
zT-m%6;<Ka;R@Y$g*==oYUW02dc(~FDwG0gVGMeG9Wcc17;p=NJc$k3|3*5=9qH9=3
z=GLuS)*Cl&cnq#O;^nKJm8hu9D&dTM8_V$X48SLbk5xyo;$n)-COUTe_U)9euCDeF
z*4xQr_`_x?c-{fy7{1K_e0{Ma$KAVk-<H`##=5(^C*Qw+9~lR=%$E+ouCC6;;1lx-
zAqZpt-{JtOFaTd)=F83s@5-&Ww|64TZe)QwIEZ$0=Z+o9h2n;zaHCjz_N)>3Vu8D!
zo*t|yXl!X1Y=ET*jV$d5_!qc|!Se5_3OozKOCIp<lVIV4om|!tYiT}xNgE_ULb*ZE
z>uTbV!~*>)ho42^4jD(e0r<M|nDM}KAHKj30SSkMk7&o8qRPQ%T^n<A#Z4lPdIRvm
z)XRTYGV{?`y!37Pg({&EK3{5j7`_z_s2qEqgaurgM>fO9>ViYU*Trl-hE@@m>uP4}
z%NMGgc^(B8-29AXK83-;hm62S#sk_bl_SriBo1M`1I9CaTSVY<vxJP4mrE)~o<~U>
z1B`dTL|kgBxat}dK5txi{P^)InU`rHT6J}G4ex{|72_x1BVkol)g}3QA@glPVH#d}
zh1WIN?e;2eMKpibKKS_I{Q2`Wm{5cpC2Uk&Tx`M*)38vU{#H1?N%J-}HB~a}>jFNX
zAky&#euR)vA8I>t<cJABOv4K(F<OV^#4ue3YlpJB91cfi65p9xF?NbQgyB3S^c&qV
z;fG-uvp_!=W<-D|xZ<W1ti^aW|6|3(A?zW{T|q(&8e{OIwzk%UABNS}*H6aEx)>V(
zPmGl5L#P-(PGZ27_!84Q@CsJE4+I;?mlF5Nd`vTFEl%f~EiEm5=n2Kkh%qjJu?;ZB
z(ZJ06lK9I?e2IY%^uePqUhg_}YT83hb6ZUrl-pgXx!hjy8g9Stc630>aSrfqO=8fM
z`n%7O2#JNBc$c@Skfrs%Paa*-e4-V>&H7sse^Ck8=%0rA6Dl$=6%n~utxji`Xqy;(
zCB9H4G!=O{HCGo0`ClY_cdjatsi+9kY`!1c6(<OFLQ|2I$LVxVlGyvrgdYQG?mXq}
tHWPm2<<#7EzPho2Ew}H3%w9-J`ac2Gxdj2|%;x|A002ovPDHLkV1fs1AAbM<

diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/icon-logo.svg b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/icon-logo.svg
new file mode 100644
index 0000000000..ce38f02f0b
--- /dev/null
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/images/icon-logo.svg
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg version="1.0" width="71.25pt" height="73.5pt" viewBox="0 0 71.25 73.5" preserveAspectRatio="xMidYMid meet" xmlns="http://www.w3.org/2000/svg">
+  <g transform="translate(0,73.5)scale(.075,.075)" fill="#DD630D">
+    <path id="path1" d="M 220 -875 l 0 105 265 0 265 0 0 275 0 275 95 0 95 0 0 -228 0 -227 -153 -153 -152 -152 -208 0 -207 0 0 105 z M 0 -537 l 0 222 153 153 152 152 213 0 212 0 0 -100 0 -100 -265 0 -265 0 0 -275 0 -275 -100 0 -100 0 0 223 z " />
+  </g>
+</svg>
\ No newline at end of file
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index f5fa4eaf10..9a6bc449d3 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.48
+PLUGIN_VERSION=		1.49
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 8d0bb9bf8c..c53e7fcab9 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -5474,7 +5474,7 @@ tbody.collapse.in {
   &.pull-right {
     right: 0;
     left: auto;
-    background-color: #e5e5e5;
+    background-color: #1b272f;
   }
 
   .divider {
@@ -6360,6 +6360,8 @@ a:focus {
     display: table;
     clear: both;
   }
+
+  padding-top: 12px;
 }
 
 @media (min-width: 768px) {
@@ -6493,25 +6495,6 @@ a:focus {
   border-width: 1px 0 0;
 }
 
-.navbar-brand {
-  float: left;
-  padding: 15px 20px;
-  font-size: 18px;
-  height: 50px;
-
-  &:hover, &:focus {
-    text-decoration: none;
-  }
-}
-
-@media (min-width: 768px) {
-  .navbar > {
-    .container .navbar-brand, .container-fluid .navbar-brand {
-      margin-left: -20px;
-    }
-  }
-}
-
 .navbar-toggle {
   position: relative;
   float: left;
@@ -8023,8 +8006,8 @@ a.list-group-item-danger {
 
 .panel-footer {
   padding: 10px 15px;
-  background-color: #f5f5f5;
-  border-top: 1px solid #ddd;
+  background-color: #172229;
+  border-top: 1px solid #191919;
   border-bottom-right-radius: 2px;
   border-bottom-left-radius: 2px;
 }
@@ -10022,6 +10005,7 @@ button.toggle-sidebar {
   margin-top: 18px;
   float: left;
   outline: none;
+  padding-left: 20px;
 }
 
 /* COLLAPSE SIDEBAR END*/
@@ -10267,10 +10251,6 @@ button.toggle-sidebar {
   border-radius: 0 !important;
 }
 
-.navbar-brand {
-  padding: 10px 20px;
-}
-
 .label-opnsense {
   /* emulates btn */
   display: inline-block;
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/jquery.bootgrid.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/jquery.bootgrid.css
index 7306ee798d..28d81cdfcd 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/jquery.bootgrid.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/jquery.bootgrid.css
@@ -18,9 +18,14 @@
   vertical-align: middle;
   width: 180px;
 }
-
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa-solid {
+  top: 0;
+}
 .bootgrid-header .search .fa,
-.bootgrid-footer .search .fa {
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa,
+.bootgrid-footer .search .fa-solid {
   display: table-cell;
 }
 .bootgrid-header .search.search-field::-ms-clear,
@@ -39,9 +44,6 @@
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu {
-  color: #fff;
-  background-color: #1c2931;
-  border-color: #191919;
   text-align: left;
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item,
@@ -56,9 +58,9 @@
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover,
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus {
-  color: #fff;
+  color: #FFF;
   text-decoration: none;
-  background-color: #ff7e25;
+  background-color: #dd630d;
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
@@ -78,7 +80,7 @@
   outline: 0;
 }
 .bootgrid-table th > .column-header-anchor {
-  color: #FFF;
+  color: #e8f1f9;
   cursor: not-allowed;
   display: block;
   position: relative;
@@ -97,18 +99,14 @@
   white-space: nowrap;
 }
 .bootgrid-table th > .column-header-anchor > .icon {
-  color: #000;
   display: block;
   position: absolute;
   right: 0;
   top: 2px;
 }
-.bootgrid-table th > .column-header-anchor > .glyphicon {
-  color: #000;
-}
 .bootgrid-table th:hover,
 .bootgrid-table th:active {
-  background: #f2fafe;
+  background: #fafafa;
 }
 .bootgrid-table td {
   overflow: hidden;
@@ -119,7 +117,7 @@
 }
 .bootgrid-table td.loading,
 .bootgrid-table td.no-results {
-  background: none;
+  background: #172229;
   text-align: center;
 }
 .bootgrid-table th.select-cell,
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 3b43e7ea98..3007cd0b11 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -3178,7 +3178,7 @@ tbody.collapse.in {
   .dropdown-menu.pull-right {
     right: 0;
     left: auto;
-    background-color: #e5e5e5; }
+    background-color: #1b272f; }
 
   .dropdown-menu .divider {
     height: 1px;
@@ -3704,7 +3704,9 @@ tbody.collapse.in {
 @media (min-width: 768px) {
   .navbar-header {
     float: left; } }
-
+.navbar-header {
+  padding-top: 12px;
+}
 .navbar-collapse {
   overflow-x: visible;
   padding-right: 20px;
@@ -3786,18 +3788,6 @@ tbody.collapse.in {
   margin-bottom: 0;
   border-width: 1px 0 0; }
 
-.navbar-brand {
-  float: left;
-  padding: 15px 20px;
-  font-size: 18px;
-  height: 50px; }
-  .navbar-brand:hover, .navbar-brand:focus {
-    text-decoration: none; }
-
-  @media (min-width: 768px) {
-    .navbar > .container .navbar-brand, .navbar > .container-fluid .navbar-brand {
-      margin-left: -20px; } }
-
 .navbar-toggle {
   position: relative;
   float: left;
@@ -4691,8 +4681,8 @@ a.list-group-item-danger {
 
 .panel-footer {
   padding: 10px 15px;
-  background-color: #f5f5f5;
-  border-top: 1px solid #ddd;
+  background-color: #172229;
+  border-top: 1px solid #191919;
   border-bottom-right-radius: 2px;
   border-bottom-left-radius: 2px; }
 
@@ -6038,6 +6028,7 @@ button.toggle-sidebar {
   margin-top: 18px;
   float:left;
   outline:none;
+  padding-left: 20px;
 }
 
 /* COLLAPSE SIDEBAR END*/
@@ -6207,9 +6198,6 @@ button.toggle-sidebar {
 .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
   border-radius: 0 !important; }
 
-.navbar-brand {
-  padding: 10px 20px; }
-
 .label-opnsense {
   /* emulates btn */
   display: inline-block;
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/default-logo.png b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/default-logo.png
index 9f98843f0aa597da90303ce6c86652073abc4c2d..35122b0fcbb81ef25bd4e348ae7b9fe03e2bd5f6 100644
GIT binary patch
literal 27885
zcmbSzby!qg7w=f8ucRmp9U>^wjS?cD0s<04Hv&?FbcY3qlprA~Au&TE%>YVEOSec2
zox(`Y-3NH@_uYH{xc9m9JUD01IcKlE*Is+A--_+Kr%I2A{-OQ{27?jFJ(f|0!Oj=J
zU}r2Y5rAJxnG5jX>x`r7qX)3OPTB>~IBy}PC<TKRhFv)@z5v>nUp&@!gu#gGp}#ZD
zc3IEBk8mehEhjZQb0=402Q%1HV@sqHmy)bHqaYVAm%!D@jMw0qQZp?%b2&M7*d@@o
z0HZ#00d@vl$%8+d(`zsq*sU|?j(<N3u6fU#g^_}99q?xvaQ^srD{u{cjKClC{=eV<
z8&TLf7%coE>^yjahmW7<%;%F{p*JpkKI!QrxQ0GwK|g1YpHvkU0avGQ@$&FMcL(RH
zm@spOUtuuo1UVTgbvJ{RL*H;ctoP)uPqL#D$*o>##n;~Lj5I;ggtlvDRvlC9o$}G9
z#AVBFnjhYOR@mf>@nin{PQ9kk<#L|>@4Sy3-{jLVs-jG8()V;#8U2{94MtU;fy-40
zN8f?bsm*O8&pvgor%|9kASE}h?|ncbdX?x&vSSS{%-y5=@Xx|zt&(f4A!4gpOq_q*
z(MJp`mb`U93eD^P`0%%sUzoQs_1=h)nJL#Lo~i4JBG)x^zH<C<toeB@@1egfzf0k_
z%V+BvveQjwU`!NHCq~h3$TNPo%^S$0ic4b{kNf3+3A++2_(ltA_)$swU1(>1zyUSt
z2$|~6nqNPC^C79xnc`s5E6^RDbC(MIv>ydRQUi;1IImSF#@GNYE9?pHSq>uuQj_C>
zWL!H#!J~Ys5V`?V3j}0@Ps!Yd$lN$3a}AK0`<IM7AhY!^nG1l7`ze_g(X$+|)7SNG
z)SWGOeKMACwewmqB-07`8PYQpeh*KdN&x+KpLP{~13Xnkb}}x9SFkJhtxun#Wdu*r
zpHA}or2?4K!_#>&0)peG9Y47QI$k|}pVbe%Z+AK`(}#W+KD(ZF#>)&kV>q2xESSnX
z!)ecipl3q=Q}&sF!4RCz3(f?{)JvVvgp)xH>C?s;s3CjW;DZ|fzQYU}Y5%@+6>9wZ
z&RMAO?>i7TdTyMsh7b(8&h2z%_GJ7n7<rw}z#DLY$KZ4Z^khb7;F1rH1>imj81xf@
zlNo$g0E1=?IGI8B1wbb9l*~NT^UNu4MnGrbB&VHGfcIxEp1jX^4h+WYl$|2b4U*H2
ziJ=?JC!^E?L^j`_5V`Mnff08yMx#|Qtd`SZ#ae@hGR~d6-OdR{(t9ckb5}uE3lB~>
z<`@8m_2-13U&RA3;kzeetQ&(Sj5+O@3#?Ks@?^j~ThN66C1VN5nEy+L1CS{`C1Vbe
z89pV$50P0uCG!a)BXmlp9U@b8N`@68V|z+w8<1(2IAL<E6(BQrO6CbPo2^qa84#J>
zQ!;80nS)a@*$^3tQ!;%#Gy!Y3s@~2s^2U4#m-t0-&XJ4sMiXbdc$9iDt(IuvHUf7O
z+JW~aVneoNov-vrndIdscq}QE!DB6Gmfr8n%m%@=Ul_KDpNyzQ(4X`yJP2r%L7ABh
zU5V>(B}lQuDuATJPKV<TU7sqAa7Z$qhMg>$0~jYv?_{3gcfgJCx2HE=gBv=h6VL;!
z@pCz4&2PYs&*Z1vxCIz6e=2fM2+vT!oKB^I6>M6V$EnPlJ_6)1Co<z#2sWLc&xvH$
z4FNviuRZOV1N3Y}dNLRupr&9vw@%2wZv!%Lg3|^S)Sx(RT!tE~r;WQ%L+G@@4mB>E
zHmIS-_0z^bP~+xl0}ciqOnoAqgm1v0n_ix9U=QNi^eF?qfpYS*Kb=7mknXzjll8o>
z3=R6~$qYV2qRw;sWCq>W0h!qJMAD@<x`fbzl)nYNv#tr1K@Hf8D}eCv#~}p#e*8IJ
zGU&<=Qklm;-OmHWj;|O80j1+lxV5>dx61efr|{UNJDC%ey_^Jd<4un!Ca>Ojj}*Q8
zbXaHi_W&J|7kc<fn*5idIF{BM%th?X3aH9w!Nb?cRQm5U#lEjutJUJ5$S<!Q{pXB^
zB+%VYfFS~l1K#49Wsmxy8o?5VUNkmsFWUE@pfRW8j*{=H%&&kyI2JFMUrkioZ02u~
z8V=^>N}_xjndL6}u+({n3O%28Zw&pvv-8l%R*z1-RcZ7ZeG|8h9A;cnzb4CeCrW;9
z67ckRKKGRYH7nX?%3xmfsx`_3fk;O5KSFFzsb)X(n&d_;)|W23BQT3cNxX9}Xq&M`
z4>;!P7B4y)o%s}d4z1k&5;AN?LF(*LH)#w62`Sb4(M_?YUsM;=z1{E3I_wsp==qz*
z)C}`bl&=}x%C$I<13xYm>`D1uc*b0}NPcEutitDTPa3Hmm(iAl70mr^66{{A#bMyo
z1~~60_bxRn8ykg^VDO)s+ABg1@hq3~W*8H5AjGfxPkk7{o!2@9`-6|nX!{+^npMBn
z=P*S;QB(GroXo)T&u@z3=&CQMc))MwqT9@rvNJ(z`}tRqpl73mAG4b(WbRG3eNxrg
z>GIXt(WpHoYzcuUZq>V$Gcxh%axCxM?aaTAbA>7YdxhfUW*yu)1_vvRma4Jt*bv_Q
z0oRfw4QQr;U-jRaKkPf(s@S!~rKA>C#k-QGIEf2;vcxN%Vf%4*7a4$r!Md-E>MlAQ
zzFFB8&riK|*DlzS+V*MJL@hne8?TL{W{~a4-b>O#RZ^Y*hG{ghkA$Ha&THLgJ)0vz
zX4H{xe?f~g;rfSSAV2dH*PgtmQ2sU7>P{wVhxK*49ky>Dyg%=it?n_znLuDV_K-+@
zdx3{AtYQ`hBm99W&0g&1A#}xlTV$<6wZ>uPU5=Wf_CyP<1_d>k&clp$Xh}b)$wjCG
z&U|vHIM5o9=V~bttfJl4u43o{^41Ilr(P!8(S$Q7H4@1L;7p)@Qe#tW4MQy4R3nl_
zbUONdiwbtXSw;rhEwQ#2WoFcAn`7E$H`N@e{n}p%l8Gj<w3^YFE1GDHG{8-XM|Xu_
zu(~%ucxLwy7ZKYXO40*}ZFhus<?0dw`)Gh25ELskh9~9XMNQiszNl*71Y&DMJmmgQ
z=uJ5XQ7{gbYq=GYud@qTnKOZ)+jyFFD6Cal0LK2JI1BUJcpTAyAx?I#>2hEvtT!#m
zXS_6^zHN0#(qO-Qq+i&3dpT(OFAUl)j!kgKA-E$K=<-iXoWaiJ`3;d!?sk>1oXAx*
z0KIwWQHv4+ORRNPM%b##-_aJ&|Bg1nJ%E1T$q(iYSPB1{IhRG*)m|tykbNtNtKFmP
zu4%g}*f1gnXJE0Ha1v>gvgR&q&tnpoJbNcEzxvEHquPHHXernWj?n2g!mc=EQ!K)?
zy~3eFYzMK{^bROOKd(!#KHqk8pfaT|hc?MzzM=1}pwvfTfhzXgzsksXP1-HCA~-0<
z4RqF6pbc#jtj*VyP+0%ZWrB>+LTDVD>rbn!$nKDzh4Dz))4Do#xrr(EZdt}92{$D;
zd)j9&Do`0CC;-NU!Ca_JiJR@kwxoN^6M4-AL#MCsOBnXOycGl~*jQDRhv21G?PM@2
zlHWp?!TR1mXWG6gMkpKaT$18aEGEzgcP!WAVsHT)x9+h(4&glUh2^&>B!N_c6`Ql&
z)n@zpNuefSa$tVZp*{6xmHqzyoo+3T4$;zgVX)2bi8lI(s)a)Q8<YeG^P|NpA-oE5
z5nrn$Ez3*Mi?R@-x+7MmzP}mnU7HCeVN2M?lfeAmwZ+;Tl418*Q69X6^;<ygd_+ks
zRUbTwUvjOVB!2aa16tepXCa8mjO6ivT;$bE>SJDbG@5J#p$u}p?Si!zzr?u0{ejNw
z-zyRc?J6H!yA?#-N209WFZ{ldSsa?Gg^TKov#)NOODAQ-H)unawN5Jmg@1@hUYs4F
zIseTV;a$9g;WZaEHJh?XSnCQ3Jf3JCsfl7Oh44H6diu0gMQ-3CMlfCqtvaL5Jvd=f
z=+*;w?7J=TbgA{aY>!+S4ncbU5oD%de^Mz-DrRHZFaDS<@|+go2lAD6>+WjwIhfzK
z>+c&Ch5d>KCnAgZpS;LbXa6*!3HK+uLm3qKQT~hCwxnsT((w8Zx(K)GQdOqo*}vm8
zkLtgishdB3m>I%5w_z|h19bLyF?ms~x}iDc(SkMV6);rlTrpkcQ&FfI>hs@Lr6H>i
z>*n{2<SWLwnI|T4TMc;LP7F@Xil4=tf!z;##VGPisfCOAA}~UFTrpK1Pt9MWPb|{K
zMZ;q0izIy>hL<7w@cUI?!ag`Q#Wv3|{t~U{{RdXJ4$a~o)BY;zjR`}<yOu&0Id-5y
zp8)g44&*z}u=c2Xdufm%D0Th=&_wDLdJ-`#a<Vd^!;`~i_2?47yDv2f$E>oA)+~v?
zxJpY=Y(AiA0JK;{P~-1L#!DLGQ*WG!hx`_8;xe$k0^)YTqIZ~^WmvYD;^>6R^*AWF
zEAt`i?pM>XhjMZJ^#O38>Sq^65&A}<2P+JA<0%J)a6ONnT7Tw}CfhP#OEyY5z_?sT
z(x%|pzQUoMK|RM=_a|`rZ>+A6_448;eeMk+7|es*f2xr2QnYP&KTl2p9Rh<wDPNQ-
zp!GK%^@JP{7!P4rcfHwNu&v_*ye(q>CT+i40!jitO0%Q|_iw9No4muUoV8et+KbrQ
z&IuHo+CRb=!?^;C-Et85Xb*sMU`9qRu>()KG6mWqSU$a{cLLmPn{}waIu36A1ssS{
z&2|zatWPtB=ZP9VQuy-I-Zf%Jsl910wGu+VgPKYh=S*F~_NtIDj+&bfDaIX~J{Og2
zHs;<NGkH=5bWqHo<|J-yW!s!Z;hJo7Ft2jO?6eUZv-nyx?zx=IqGqkGU{iJR>VCC*
zp*s8aH4{Y#1|oR`19AO}Ztt<4^wJNB(&;NagfLhJ(f?{bSI%<KgzFU={(f_F`&)Bd
zAP0@<YPP5Np!)VM58=htDZXs~+Tel>Lx5bSMGOR+XemBC8XIH-l1^2YlPI^ECY8Nt
zPI{iiBKL*BlgN>WX?Ohr?^pm1hw+%WIQ+0U!7es~3-vCcex|^9<nQ0r)vVDF4yYp|
zbMHAEbvMPT#VsIK_JHQhe`D-c3IM>mcWo9*xk{2>PUV^zmxcKIU|t1#+T?_Qidvxi
zu0t#j4opnnG`=S~+v5|!F)VssssAFwYYsIrtM<43+O`pDlQ;(Te$DYgwr9w*92F&e
zQ=(<GFxU*a^rii8qz@RO?*`KE5O6Cb=~(bb)m%IOZSGb88v=q(*XTM%$K+ky1~B6}
zti3<d{S8{r`x_2>yHCKk{PssgfSxvnyU-o8ITDrhPyKqJt^^^N{<MUD6$0=|eftdA
z2LZ(x+4QA}xFl?1OyaMN4wZpicW_e!v7Klcmp76!XWL&oIDzprbTE|01Kd}Hn&@rZ
zs9JEJXmr18VBMUxoG__xsGz=`y0#x*<mgj-w*^x#fa-rQ7r{Ygx`^$xnGM3aYX<Xb
z2Jm9%zcK+Jc!nbU9Sp4u(CfR@=N<4!^aMF-FN1gPdA9o9*%~2s7lSWqO|b!EgRGX_
z1b@=0kNDnnO_0!-=zns854VYFMUFkH7eaYUWZMd$@R^iR@@9f^5drGX{qSP3AbKB^
zM-RN%5=)kIfk15%Rs&f<p)4KrsL$)W+{{?Swh8I^{7%#QGR;y0pBDdrtPknyQI(d#
z6}OlzyeEC_N6IjmHMh^D`s&W^kDKT7MugNL_<d)m9CLTY*vNMDU5n1Ry&x$9bBmcW
zgqIS$V>wc$!uH>=63wl0Es?KDY%W?k=vX<vlpBwIsNysR-zwLYxQ+6-Nm%bWzKK*s
zO>vXk900hJ#=IG<E1|SSZKVCkpH4#AibnA_JWrjyO)f&rgyxxe?sHKa=a=8yyS6&9
z;(aJ}c3|nmQc>2-4t4O}!hrtIHh*2Me!i5yCW~#}hGmTQKLQZSbO%n~YHw3^XkWGB
z=&3jGKJ__njNV17A6;2DR}FCOoOnT@@zD*G$LBVBjdLpfiey0JS=95iAC6^XOo%yP
zb$!`@l<1XwgMVHb*+zu;0cbe#Zo=^!yjU+={h?2qkb*o=6aef;hxLjn&LmB-G~3ug
z&Ir)U96_m9<RbJaK1`=s{lR@FxDQ6l0gwd1ivV|#%J%TPk2FK82LKfKO=jjJ@7%h`
z_dA7-b?;g>Smd}KsW^S}7vj&=UpEPx1y~Ig*pjV6-|RA)3?LZfxUlEHm+K4dx)sFU
z6kFUBo3>IqRSq|`LhmNYN6b99CL85Y;gzAsB^e!KYZ;c=oOY`+fu;2VnW#|cy1dPy
z#ZpAE$~A-yMtI{;hy(0bzwAhs))pj(=ND8L(A&`gnOUW{$H)gcBB3NzX7lqox;*9;
z<-5rrfytk}{i_A7V=4)Nn2=lRp-^$iL|W-L&tY%x1b`%;0>cQ<<~N}RHWWpcjLOHQ
z`({s3al?W6_oBl>?%e;VE45Szz#_O4zaIy%!_d>c?;_IuKEqwEbp$$K++u}}DAjC^
zM=F1U#gjsn@2(dc5A*<@09oNLUJnlfmW;<)U64|GcDdl2UT(Q2dz4c4Vli^}P5S})
zAz7@GU(`OM$;VTj)K75mIpLR8PRJqCl1J7ukF3g94KPG1(@sLu)p+CLkd?6u>}gkJ
zd*X=r**t)LjSk@jh&b-~xSFq*lJu?dAi4*_8qUts7e>`=P4){z&Nan4MoM%N$O04?
z%kJ{`SA$)S`nKXdn-|N%@`*!JZ^)Bzb?{;Vl912Fi{?HQ!O_R?P>+-J!$p;Abb-_5
zLf6c#Xe0-;0zARczuXE^8hQK3fl{x+>ZLre-NFjeVT)znV2#J%j>w<l&lUmF95wiC
zDqd^z*TGyTw2LcvyQY00gq-9-m04IZuw<f?B(FVB#$!*5ot;~JL0^xip2U%$7vqt;
z=V#1(6+;r1%PP!+wL?<p({&}n7Qe^vyIU=jJhwTcaZT3Rp4PCl{^>V~oDLH^4o@V5
zYui>G!F)`!;KvFVuTY21eETb}j5s1I?>U>UzD9fOY|(Sav{^LK#S$N{hApd4q!|_y
z_vdMTDKMuQysRYkG|dj=5~fWKTOm6T;{Oru*v7T%gOsn2acR10BnuXIWtJa7)ZpPl
zoXD?oP0{IXA5%p$0da*y(#q4h4>%w6(p#aDW{YThF})n%aJrNm<%NCWqKz%BV1NL1
zuQ^AXZJ9{`aj3KVp3m@Z0c#~{ygd5R#fLMW<diOn$${<F>aVHRTd?r$vGngsCT)Il
zKWfuZCC_}BdjbyZofb4EAvvy3k~~w09v}>z+x$C-soMM3d!_pPJCqdykJ(8LIuX4n
zOxXOs@wZme1W9WH&C}w7MWVSFlmtJg@J_udrGa8)4PDfS?d~kwDzQHl^g^cXQ<fx!
z830ED-JD_v;Blz3Lik|7hs4pMUh9>00b;7<^t?gC)qLmUjrW12wc&L*<0YjEGj|IA
zsbM+XcN6-YB=KJqMh;Da32e&d<=Ci}OW2lA8wS?QZ?qy`7{y}l+rs#xB3)fAS+J!;
zwrtG&p3DDp%&5CP1nDRVNi$5oj0;kpRs4w`41KY9=b0--u!o3p(vavYhjBluzFTuG
zp90oVO`RmdU!PuB88-NQZcrRd7=f@b<|=ma_d&MNzR?ui(Q$QvH;-mP7(L@5F*QL&
zQaR@OB#!N{Vse3kQJ2_XH*|Sn`)hH%duRD<F-uTt2^GB#3*UE9hu<PTtQQBf3O_Zc
zlth|HzkP|FcoH%5N!0B=-yiE(@lFegYE+@4$*j;k<c~ceLSULXX($oi{A+heN>u^g
z2uAe`gt%Mv5q(R?c2KqUE>RT;P1k3d@A{&t_IM4rV!}E-*0HE<d8amBzA&Pncbaw>
z<NlnBu!k@1>I-L%>lI4BW%HJdcn9eWK~}0aaMR8zGd1(nsZp^GhCc355%&g8hD?<X
zA_0Zv_3U@tp*%J&$OLy0<p7W1(Fv-Gm0TYArr6nAK?JK*Z#r#^hFmdeDCG*X;^#wy
z1uSw(ol^NF8V;f#!yy9K9Z3D2c=`$U#a9|M+KVk5#(3J(G9)_r@dQ=8H1Fdt7P{D7
zE$|{>Sh{|vGZts?I1Kx1PmG)1@k%A{qbaa?jCZ7DxjdOd>OZF}obda5`Z-cW;&Yfl
z7ULyW>N>?D+?YTCMufGJ?<1;aCOV}=JMLUdr?+6wU6){gjTkJGQ_@%Cj;=SI!MttW
z1ESs+413LE)oy~A!57hgwsnDFjw<tu1B3PBdSfio1AG3o-iv*h1ks@{{HHn#+Gg8D
za&~Fi5>3sy$kq+HwKC(_OalVx>?^iu$kY@^1Gp)Do9+!)jYj*i-U_RwO!wG*d4FeQ
zTc?Xe(rar6t{KkHtk7CsL9!6Yki;JVoWmJ9%`aM^!dkc3L-<yUJkirO!C&x^5^Zy{
zgTut!1KMVO!E~W!kAKo4SQc)t$2mw>_yd$@X4<azM`!8h4fo0>$o0sOl^mZ7c=hXI
z{YjY41B4*BxTVAW`wNnVn_~M}<T6~gB}TQ{8hJ&C>*qt{&k2)bdYbCsTj9C`p{Si}
zZcM)7p{yP7;*Xh(A0ZCx+Bb66xdBb|7=-yES+e1#n*ySX@9Uorg}p{e+-t8;@}IeX
zO;(M{MA5_Nn?3b_z4W=VPrT-q0~A6nXnO3oxcDtkxOl;(%;Ib-<XJ1oS($5QIhT{|
z{*O(tdls<1f;ss>y#x4@qQ`~ioy*~64GXC*MoNX+0!Kdsr8!Q?+6s4clc!l%b3_t<
zt7FQgljr}y6azpZN`jmDk=LYe0pzsCtnHHowHyO-jD1R3ms^AV*!GJ&15cZdD!IJM
zOjJH<u@|*hu(sb==~$J8A{h-3Ca+kfGS%4P>q;EfGE^@krDK`f`;lF?>h%7ld)dZ^
z#<GT%RNYWw^-_(Ra_0cu;D^9C@i#qrCJRS+-zKcjuH{Y6uoY?Tx*G-}n>!=ttX20P
zBa(^h*JBe8j;eX*5?8yPM4%+7{in2BzX>_C6+c<$Hz-NjYuqzxg%@k<ZUa!d$N?*~
zsf`ZiCFzTDl|>{I)xY>mU<HgEJ9Ah0Y+457>b<Cr-|9=EX>O)7$XYaq`^%P9C*BI`
z4BL0?^kah{RvC{%g<jHQT|<N+N-}1tuM_trIGf1|cL{yixAaA|wcHF7l$yo2TCrl&
z)txrZMR85GhnGxrq)Ujp`vdUoesIzXpUv?B`s)*jrONpAN685mrH8HG%+Ii-QQ9o-
zOrccxqT02k`^1W&KY-tzuu$EZ|I(`fpz|BWY|@mPcBv5C03Xty|CVi1DDon#8+gCh
znm15HmC?5KWoGc7Z7!BK0pe?dmraTDxx~}Wm)h%c2c@b_(-Y6`AH8lg=^^6O0Rde7
zvSxb_mXnW2{~a9`l*s+ZjkAv7WA3Cib{mDtqc&Z&_sui!hTRED1t5bTxqB;naZ8Gn
zc7-)IPdLTe&=B`eeG};eNXoR5+3!{&yN#;VOVDh)?&`oppR?gAwAA}luw>-^REjj`
zt+AU8d@5?_@^C$mm?3*qC~$}c2<uBKr<{Pdyd?xfQDxB=ZA}MrR!8WL=3v+5WmpL7
z>!;~e;msQjH048N%^M<N{gl9~r_pe`S?WVlzitEfZw4#!l7}#6<wfPA@e0y_uS1<$
zVfqMf3Ggn)U(=*ak@UPNy2=c@HOKrM(ga36!CU47{aZxT50w%5JEJ0<SMH@x0e?)c
zgw*<bihUkfbZ&7+0u?ZYk*7;9;Qk6VYm(1B?-E{1P&B%k$3`%2UbDtPkF6G+CjRR$
zhXA5pEOg*CL~v92eam|#(jarwiqN6%y&R$(P47wWkv-qfTMg8sV=l)bxR>-bLzPpP
z%e>S99(0er`2JW?2lJj26eH-{(z{b9z|-VJ>(567=5_mCg)<TaXG3@^v@5bhj0Fzv
z7NPqRKgpbH*_ja$dkz=qoUlUeS(R<kmZ*V%N3(kp+NzDoz}<|k%SVK;eim{O*0;R8
z*OEa%W99s)8u>FK>Y<$nh-CJdHdDGh_MN|6QSzAtiKBU{**T%^tLUTvBJ<l(^3Bau
zPqD`RIzWZgsXy&691pB$@>1iMKW{%|M$<x`9PX_3okuL8jMQ45a4c}~+shLd0Sf7Y
zNKp3DV7{aPXFX@L=$j@u{|h&S>A8u*^W41y=h}AKmqecQ?i`4kYu+EHtBkg&r$&tu
zc_urd^ti0SMzqkJ^3GAse$u!R&eAGUzksf%wGwTwOub?{s+0?v{O-4w6_>3oBBT;{
z%@abNIaz#W8*qOnos<1suah5STzKaS0%;X`|9C~PL;-IE3`g&pY}ZE+0N<jp8Q#rr
z+Hv=qWY9S`NWC*@ZK;zN<6{3IX^yeTk%SJe$tdz=KxQU3FadH}D)a_G3>Lh}56$UT
z5Pj<?Zz^i~KulVk^3hYxuhJwy!B+Bi=B;Z-uux$;I=W?51bQ;fsT3?tiwu_grj2wI
z)kxkYv@}*&)~5*GyN%zV_%>h);=l~L+*ux`t0@~++$r)gO)f+s({46WhPCS39gLUu
z;(BvH3Z-@QH(745qnq}<Qj3W*WTNK5qVd;lhPypf&$NmxMWq;cHV^l5k(`PCf77Ps
zAn{=`m@{I<i`@Mhm^u&TN6NhP_Ox`oQ<Ghzhy6!4KNHQ!t)wBN!$Cd;gij2qwysWB
z^mGWJfa8e<-s6k5txo^nSlJmb((~Lz9%8P1ozwb=e7LE<c(tpoUcK+Km#V(tPY~?1
z3#PJgV=UUDN~Uv~NWT@72RCh!z-n@1UBL?9>uhZekU|KD@Pe*@>&w0Eu-2V#KVgVk
z%qDAJ8tLEQxixBS&$0a&WL5u@A3|HJT+<f-_JE!Zfw}5Gg#q)3{iA4;t<HzkzBg^d
z(HU<*9kT*-rt_#98jKhOfRdX@(WAEN{GCmsml7$Vyo;n{5D!piAgEEOtSbH`Y2M}R
z-em%<bAzvewMlMxK!iz{j6`Jyw06GqFpx=Na7s4&G(hTmb@K&xJJ57>0#qJp>AC=c
zRd)<`bKVPUZ}^U`CN!=?=D$u6hHbV;l&o0?cGG(FaK=6WKK2;#Ju%T&#=YbWclkNh
z1#!}s0@O)D9amFo&P#>wcMZwec8Y<l0T46bOg0CIN=^t6x_4YLZEskTg7%&OmAmk!
z%WsjSA53rLBA!%|NiOGY&Ud|kP5kMTQ0WJc2F^#3*>*DnXh9bcWT;@0aEpDsW@tnT
z;^V(L6h-XLeVhgh2|AZv&=#`2W6^mJ>a~xj>4`wy)en|*5_}6?;tPjDIQ4DBBrcQB
zk4_y#er_@=m(P})wWGB{dUYaLC{u5Fn0M3DOzXWQP5Xl4t}x?A4sB&CCWteH$*MTH
zcTYt3cAJux9RqUzwf*|}%}HU9J^@A&MOv3P&)?lKPWr^Dw&Nbc8zdo0RNAiya6*O@
z;XT3G9BNWnF4{KQ40jX=oi^TSI-Bv3^t^t@BcYJx_3w`Liy?0hpp5R55D+#t`>8*L
za7G~`ev7PHr4Fk6^U4oq{oqnQvJf5E`CU)>2HE*<4NE~Pd`&r5O^oS>Ju^QMW#yWJ
z2$0hiUQZ~krPj!mE5-}f&vM}{6nJC9SVg01<lXqFP<vOW5I2r}R5Vi5g{DHeYPPrm
zUMv&%)*Zz9dgLTww1TGX#t(9ap`3iI5IIr7Gd4KfO(M$vaRdvAumky|;Z_S*v69>D
zEsFQ?z~qscm|dw~AIh<duOz*La~9#@*wNv+PBKYg94rc=?pUkB2>T!PsGrAf7vF+=
zL4%N=!&TyvXLi3>#c>FF)`{dh$H<G;f9eUzMVdE6g~VMRc5i$xNWCx`DC-dDn^Hsm
z9<&qyRB}M(B)aRf#k`p)AGsj{g48^S<%n+gd8QYP`O3Rco|t}aQMF&#!p*sOOr;<D
zno*0mKD^2FA`q6;m3M-@Qi_sL>{)bJ=punWhA>vh7*3z~dKb7A5f)>7?F7f7!`n1t
zCO2=fDa4=wkOK(*=qW{eNw$%e_Nev8*yN+@ZPr#ne&Bsmte$^&r1`m;{sb`&I2DlS
z*GJmd&Yuytb8P2&zVSv^!gSzL)+3YOBrV75!e)W-P@22h@I%|}CUZpQp@5@J`3nF5
z1U>Y(Gu7D>uYS0J6s7hs>DUZU%cH3%rk^7sm-0A@lK(P|+IvAiCqNyAWOxcUWtHF{
z9zPZsx+)!wBx-VUl0qm}N|f)wyY?DYL*>tOX5e}Cb5Fh85g5U_TfqF8i={8<7HW-s
zl@6uX=#Lp2w2&!t7EXCWX)a3oNf3mf%fva8lX{ry!+_gjR@VImbzW;c-fd03xUeP*
z$#nN|`*xI?-S`5<xh>@MjrVr%KFF5Q(q-A?df6`#m%&$t>uzaAt^@7HL)bhKe*=Ii
zW(U4U;`uU&<g)r}dmz-q>yHy~Q<3T1t4WSG{uDX#$mMNgin1!mCf_z~H%0CWP)`Zz
zkbf{e4#j3fp^*N@T25{HKxGLxiLFM5y&`&<!IvP^q_=QW3ltI@l!vh$W9B@Mi4t-U
zN#dPL(3P-C6REW&Sv6&L7=mvp;kIwPr1x%Ufjtnxk`1u036?SbM>of%S85<{otm8Z
z-<j*}#t9q!*3pn??+Djtw9=K!LT;#0<mU7YNNv0xn|Z=c+j?cRe!V&{f#lUMFM|hY
z4={(c=hgi(Do#Bh1g<M#`>-NpMkA~%4T_RFhVAct-SEbLGbtP@wfH6yhC@o1Xy5ni
zuTn{x6lxb`WCposGBCnFCO{kgqNoHZQxX0Tp()flrk9vtM(o1`hxTP&KY>pPVqd^G
zw`WD$g9xnxxP<b)Sl;TZA1E(g&Noj))mX6^<a>)-2fPqNp-5unZ-VrW704HY$f{x(
z+T952^`m!vMvtB1z2@>p#WFz0JAV^LnEd4;oYXYK4pL-7c+Im%D=Peq!6WfdWdt;&
zeIFH>P=H!{?+U0RsyrBZ=k}~wJ@%CT5eLN)Bpi(7;9G_yr)IW<GI|=YWz!qqDE0c%
z=+cz^XrrWX{RMp&pNyB(p3}=Kzo=(>SG4)Ey#*Ez`EPE^>!wXSTmgax9LNE6XKfh`
z*=K@lqeby6f-j990`%+E&6zCt2Vi&M=A~OhmG&J;y=YXW7?HS!!j}m9Hoa+DW{!LN
z>nd}XS4g1jr&=4q1NSw53`nt`B>SLZfJ`V!_Y}+qejm8D{Q%p%OP&7&%n*y5!!Xdq
z*r|Sn*Z!JyEKsU%l-!zvO_06<C}5B+qAL^sI`ExG4`lb7l+NR`R&uwiSG;3mY{z)p
zA-y-foM-`s^=@fyiJ8<4%hGlFgUlCrui(l%I7mt%`U7NV-s#x2+b7*gbQ-4d8N+e1
zRUPQPI5r<Tr01I*`Yu_u`YZh>L=6(DBTvy&z;1)sqIM)pg;B7mwKUqYqK9f<&DdyY
z+3PVKR#6HEAgQ7C0U%dSf!wVz%&|V0^UnIIMN`ofTklR(2&4#@0+q=$q4dAiM0sJu
zj#U&$aV<){Fvr-5Jdx0Q5`REcaSXcyCH^<zCV(>_(4yp0{A!xzWN<)900gq7_$O}P
zEVy-6QJT^q9e3UQt$1{E4Qf6e7(=GxqJ|K&vlgT1w1L0kKyw$Z<VMBQ(>ga9)DDv_
zInd8F6p6o5eyE~eh)HHU`qYg9k#P~=twF+T|CStRV-x)s81r*Wnd8avU+r-P*Jw;Y
z02}mdQMnK$DGwrI6~L7@7#ziek{(mhhaShFK@YH+f6MK}x*sDZ|9DG=k^ea7U3^DY
zd@8z&&$Jx{U@`FbS8jSV3Ar^7sMYxgOy?+9#--gMtS^q7-_R`+X@QCtN-uxD11tpy
z_U7nuC4>4M6VLN&o!>-OE6_afdlvnuKw9O9nIfWx;NJWP`wO>(3M8VNJwcFBCL^7v
ziMFKoiI`xXQ6Y$zAD8p&-Da1War3srSMMCK0W;nnWH02>y)1Hv#Drql@4&sxi=yPY
z7+nF;#1#<#_egBZH#9|xT_1lX#QL+P1YmJc@&sVKQZ#@^I?KgLP^U~Z8scUFMVb*n
z5b%@da_0<aXL<cntVJ|zcsxKIgOFT=d@k;bc-}*oqhZqwbhlfA*JScg`r^*PUGvwC
zSA^QBe@KAXQrpgf&yStY)!{61H$g6BB_pfgiv0{Rnsnzi;?m0}IS+=|G?-{XN<fLq
zv}wnQ`W~n~f%{8idOr32<I4B#dQwJ5`c6;!jxqqXcbHA7G=#H!%2XuLsO&|MLQADH
zC<CcES=07@pR=}AKZd1+ctn?LB-k-I@)nxf)xV;ZBTxpsO?oQ*z*vr0mBlAv^{<i1
z^?sf5RqOv!`OsPu?|SET-rY9#HyD~<2dnP7ppt^DLhD|Q*W~0_m8+ehqxP^PmI)z#
zw=?^yhv-8`ovvic4~pQCJ6S95K{j#R=x5$h<ulK*ihO5VEo^H6D6|5_i7g=Hz;-q#
zr7$EJQ1%=f<hcuZxNI2uIJvhs`0h^|O#l?FXoVlzn>`TVpqX3~0;zmI-Z_vKyTqn$
zX<<V2#el}@@cbG6<#!;SF~+$(z*1_Kzh4z~o3Mb3<m&VC#qUd{1VpL?{R)19+1_!F
zKtYthF*io7`4!U}nBOPhTMNHtG@32g@Gu#gx*q<h)JMB*dW=*0qv*$Hq@|h4y(ZVG
z49R=V>NN7P>qZ*0&aq^1ME7J+y80C>g9Vdino^`r<1`?AuqA4E+1W;ih$cw@f+tT3
zjeqDVR*Fe+6K~GY#R>^E+!cHGuDY2ehA3L4xIVq|;f=Cy-O|d0lLd3~@eeV?7D<~?
zxdH4X=;TTWhVWY?vFayXLwNV&4huU}&dtacY5}ZZ(qR%Pm~Skjd?vc_JJUUQk>mw{
z$=hJ)Wcp&rBuLf@zh@oy<bnzljaUIX`$!Ys^Ryq#Q3TW~c+$C?Yd=5Q>qv2KY%G^h
zh!_lBP*Mp43JHQ*-XnLbTTRbVewr(C{gMd7SV)n!n;cFQixHDS(TetT(NFp2%QkK$
zP1TyQu0nMpzoV6lHQKVf_z>PDlROi+!!-U8@_aUTTJtxoj;=^ui}6>;YXE?u_HuM3
z0vueC<iKe*r(ha*L1u6!Wcg|2r{^=kyi_cw02DeK?TiM#rg06ehq2<jihH$)ZL2ag
ziTUMMzu=DJv-z4_(2O$3Oo#$j%wG7d|MUEs|5T55tRr{mbj4Ci3d(M;X42K~CU9XQ
zdW|1G=X1rD1rj<T2Q^BQum;iY%TWptR(5}*^*VdIntDc#m8T78=^Wrh%&M8MdOQbd
zM4teXfq0xK<<?M(Y~<K>I@L|jNxr9kH(hR}@S5jQ+JK!}akmyqu{fr1HN-8k&0<vh
zH3544g1z3I<gF^%!SpbX`gWQ*O}RAHk?@+hpn6o)B@n)pZkmSbgmj0(w5i!A!m4wP
z<e<UO0DRNC^D%am=7Yh|x|OY#@XI<5^p#dDUqh@AsD7-U_eOwdN`Cv&QF8r@XQ=kk
zgOkwBG;){G+$_s2*}>TdV(MHdhRofGo`!l{wLcStrRdDhk;FQy(VNU7OR~v4fUP7d
zd3ndByyw~){^g8qEE)1s+3pG`z2OP+q}+!&(Mxk2SD;w}h)MLy$emy=mx>*#Hz5fy
z7WtSWSXZ6>7LF9%ltSe1)%Xr^GEh|EV=}!&EW3d4p$#O|%#(IHKBy?Ullo5?levHA
zOtyzA9cEtAsg|=cE4NRRZxM2XxbBZ<D|JRT=N1EXlPn+vS)^@>#Zb$w1$#K&#WJVZ
z`gF*Wa3H)vAqA0`y(gQ?Y)=4owuaYk@EGxrfx5wF!0p81rlvfde6(t|z@|SP54Vl9
z)kIPsHad~g!uBJEf3bf~FCpzBOU2@sm%FK`E`MW@(*Cm`)MvLwgH5IM1#!`iT}8lu
zzeK;mPP_H>>ap;lhy5Qw=x)LJ0%5YZYVy93SWxPxRdN2-e)T2#@b*3Do5DnT0-uJr
zs#Yb;ZKe<*7`ue`1_$ms@1XRC-(3ir3$r{@-$w24ae(cH*j@l}uI8R``dAA`u?;(}
z8Dps+9qB<XdOpX&>j;ch@RZK0LR9WYv4wp&jVgDSm3Tg?>!K9T&U!6Watz~xim*Vf
z4tlYkc{6o?PoRh>^M({D2Uw53n=@y=QUE_NL3vT!QCvWM`z9zEY43e?4O+eW7w#JL
z;X|f-kKz7egsp|u9mWD#Bhn%?Pq55d*+f)3-uMaaOGV2<K48Oo0<I)v?jKjhja;f<
z2PL0(jqK!;5`Q9pbB{z_hyevZ*<#~?u&vKX)iphTEh*B3qU}+RH|&~-?H=Gn2u&jL
ztw<i*gh#cRrbg-14;ZLvT+Yk*{(;Ja6lb%-l(4Tu-<Oe=bwRt=rR(`p8r!mv1kgkI
z<&ykRsXxr=+r&p&Fy_|I$S7RX#Cv9k2HYV8wd-g#>z)CS@`9d5z<GPL2t@fuTCs-h
z(-yX-!dW2TnzL_0Kg?(?xJL4L@c|luXgyHN!ZY}BK?UTzhcDX8-V5Fyw){tF1v5Zi
zvj)(r*j*x$DJv-r((@&s@0L0K>VI%&bkwQ@z`?F9AxOb}e&mvrGv1Vhk`P~rCkKkx
zMR$@Yci#5GjKYcPo#o3S-KT<TplH0fhwm>vR-(a_d_J16Bwk!%2=CKZV=c|KHQEM|
zf7<}#fd}a9O9US}h#l`)hm{~`o{Q(8l(C!zrQ)}fOPVJgCZwY@poB0HY7it5Mk<|B
z#f!&4j-s306_Z=^f1Vm}rD4$aQV8a#oSnaKW<C2}*R{McRtX?5kV+Lq=$D}Ra;Z%x
z7LLXkZR*X{WIErs>@r^BQko9YzXu+2S4B^pmwI8QgPdWtRNa40vD1}RHl9_cGLAJQ
z|8SE``}zlvRT5wAB7UEE>mU_naP7lZFSW*YDnL(-_SNjn)}W{qp)b@V_6wpQy_XuO
zC(xt^Jf{PZ00RvG+(klT#x_A1#K;kjHyuBsLIVe?1P{_3Ij9mxubHjq!vTI!Wy}h%
zNCci+dHL`+3S+28*C?dXuNlItX@ha+z4U6U*QfTeUq8uN;J2L7NWN4s_h4MnW8hiq
zwwdO#CI(bri@uk-?l(*>tCFjPeydw$L)yz;Q2xB$owvybwb*F<mZ&(L>%PrM4b@<*
zzjcspy8+o~eEAgHOX9_PT(G0)lH0ZHd&x^d<@uH=8ouT>lV<yfF7be_wm|7lxf}mo
zh6EM0cT<4!bm#*1-*x+t+(MrgL1?2wpBZYXJ`wu-e;fly%F=T@IYb8Yt6pzt;XXN&
z0BGh{gYzKx(*sN}nEULzz|*rt;GPScJ=@9o9oT((!JG$=Pfp-~J}fU4yg51j0E3D4
zUNgGP^zYzU`0K7d_;<`QZ7_wC6A$2Q-#OcJ94F^QpgL-2!vFL@-iPqJ`Q~)WvEh0D
z_1yVC|J8X@4)#C&@jUdtpmloc0_MlNaPL2KgTLKB6aDWrj2Z}t|3m7Az{mgUg1Lzk
z-q*DEyGnKzZSpL6f295Y65Rlmbxq)T3CFbc+Wwf`Y<xWK0Qsk5kI(3;h{Q`9X_A6x
z^bf$9qEpfG2j?&BlLM=}Y(N6h1NZ)iJ~Ok)j0723+NSt*cU_qVw>>-cKb-oHxdL0-
z?y!~4ONp5Z4N&6TN55g!JET(`q^tkjsSFout|2HWtobWNwkz-bX_(l@6MrQtY%u0b
zWZlN)XEY<E-#rM~&clLx!O&_H!Z^LZs~>90%z!t&RB`Gg^S1rCMd&ZdD$5gP?4i5;
zQb)Uz)K`x(LOG~KlV!)C%IU@0Cxu6=f3t|b@tmt(`Q^Cq!0RbaeQjVAC7E}nl}&M(
z!NHdp2;Z)7#0mdQH}}5XTN6g$uM<UdSuwfC?0aawa*_k&vNDr}g<ntF8#X!p>^smz
zerlLVLz01aH|?ICEX%{??bogowR8=Xd&GHs@EejZ+ISL!Tav5Hz8^J`>hJ#2U#kTp
zqS-e5^BYvj3OuAf7BC|jtEs5J3$OO$0s|W+M&}+*U3cUcu`Yc*IdNF2;?@}bC?dAu
zQ1H5YFK4}zD)*s|w3JEd6%%^9TjvPEYfSeKOPGF?aFe+w?}Ov8MlWuV9E%0dGw7@o
z%D{p3PBk9_Kgue|5Xp$K!^h;+y5bjpr0pAKd3oWM6b2`)+kBsRVMZH{BInFsXqeck
z$;gNu=IsmfCOR>>BQ5Y0M|ER_om>rXFRn=(9uAHrgA=Xyk3w!93uYbZry<Gow=-;U
zKhQ^-U&C`&BzFfWE43|=vke0!hh26)NQm0ibX@$9uj=cW3pgxKB64MNskQ*`G^_Ic
z4me@5AXs|B{Q8JkT%~NrqG9)gO*i3hh-jUmp0zbV4hBywBsks`a00<Km-h|Ic(N&S
z@H<a@6a5JjpFXs+{wuLFp`lE}whWyi=HU<4<xv7mSfhx_5Bjj6gVeftT@c?14htpq
zcs90#RW^buT)fw8pKe%r<MWlD-+sqevelTDG44!6Gh(<w+y#=^ehnu6!dk=Xuc=8I
zGBdL(zBL&*3NoSyg`L?CwRn-fqeqc(sSOiFTr8BV8?}NqOSX8aebHwhlfPKvLpO$~
z{pGxmR94Xn0YP004-S@;HUc!1Yz~vugea*?ovnf*JR0o>q_)@AY%h|0xw4_K^Cbf}
zp=EgRIne7%O}ov-S`7Z}kLIPehppm5jgi956`0B?pC+kJhB9J!Gyd*7T>H-#D~rFY
z;f))gVr+Xt49W(1%115q25;F<dXD-&b)iUI*w>3UgW}v47K#>u7d}V%vNKzZJ^0%A
zHv3TwF~wxJxc&S!<(!`K!kY4~h9f4qYQv|JyLYapE39@sHo2-s#6^{spYHkFS0d-I
z26|?cSmJi}uC*o8Ztb(&_FK%%@5*dZNBv4`zO%1gF_M^E4^+()oH|3x-mubG?e&9S
zrIWsc!)tUl2idw1OFzZG)m&<;rg>Z6R*OqMYJ@b;n)&*0pR%v^t3Nw?$sZb6-ZC7t
z_~P;=_a*Tv-i7-|KO6B5+dbZRQ-}Qye9DgZp#|X5n1$-rnQVgERG-a>j4meTtDceq
zg?P@(KZ~hZxW9VlBl|Ge{eFeXJ8x&Wa271Q@7}#$d)HFiBi_&5zc%VqDwRL7QZ}+Q
z(ebM|JJT04i>-A=iirky4ZKhyXzemfq7<*O8^C8vZFXkV(t*C;;a#M)6Zckpw?EXn
zacNg?#8~I=N{(%jtcp6W;3w9v(CHoauUq_NJOalU?qhuW+EOn-yAVtjUp6ovwl6uf
z73JA!;8<V5T4LI#epox;z|gkpvTM50Yxl<!>4mE^6r;n>htwME*OX$8d1Z^Awt6PM
zbcmsOYd60CWr?IOhKQQfCWm{KU-%#Vli-}bAFmjyr>ovmA9!svqVJ(c%(D_nP;=rs
zk5?`4`dC?EOMdv0a*JnPX>~lbDb^?o#kOw^DEr>tiW@M~FZ1MTnm9ugk!+=6hm32$
zOQw_hYKtH0plkbc{kLlC1+~Qvz4Zen_3=q7dFL?C#|AfiHu_zCn~v77Ur6!q_we4`
z)5T506vKnL^h@7W792c@^uqek{f3d{O#_RZau^cJ@Po#7?;BNXzWVA%?eIf>9R2FZ
z4IGE2;(_Nz*wJp4RqfR=Ew>*SwnbU=-ip2je%jFTpmihO&F|(tnn2Pku@~60;kyds
z>LYcGT;6VLW!t5Tz)E~V;UDQd_AyInHe6|XM839WKJn+PG3uyx;K8Qv3T|tpsd?==
zDPDC>(cmIbY%Y)*LhkZ-ek}KG8zW3T%)BEx@K>$uYo#%F7Vh4t!Djx5ttl{oKaRNd
z?PA9!y?xOuc!!00PrQ~Lx+ZhSdxhT);yMDKKoOB_a}YA{q#uuD+QyF>yn5rYBaTnj
zd3+SNuXE2u>UC|QgUOPP<mhM3+?{x?hGe19qvrm>Nt@xvt~XhE-{FRRXqHNv;!p=9
zE1@y0@8q8R#^)oYOAQ9_!<pkNzJO>gx(u;4;eB(Xv{5-m*PCDv+9dBVgJT39=&h=#
zW25G=w+qhW9r=qttj&8nBZVs|MIHI_Jv@@iCwhvTdRw95CToX2D$3q71S}~Ik@Qy3
z7>_KG^t^nDi%w_nD;G<04tE<Wz{-Uh{VlUk*(W#u?*7B6?L))Ln$i1o>S#QEz&&1K
zcm*qfz*p%!o|s;38zh-<_w83WGSqooc{H}Y9kZ{)R%I;n`|u&RbBX6sStYT+k*f8f
zL9${$UX7E5BtK!Oa=;4j<mpAMO6l<qUj=mFJD(jX$-Qv{)opy_MsIDe-MnbFwGC&v
zsxpHem5%ekIz4iHXsM(j%3ZNs<!>jn96D#b##s3-M!y#=^rK3N_@k?G7Q>Tt<U7X4
z$s%cOvbGSCh#b0MVds^EP?ntR?MV6Zb|znL*&7QP<h7cC&VLcagR5&ntJ(DP3+DMr
zakalFW+QqUZ6%K)Lq~^NNXAl)-4A~y;uMy>GcyT#IwgDtT}Tb*tr-|9rqd$aG(9kd
z(TO<kf@D+ctYEG<6y8k#vBa=5NOk>2=R;_sAMcQlEfQy|&5_z14sCwlrfEp|+b{;@
zn=*)_3+(ajUB@JI#rAo9PRYUGDyE_W1NRnml<|-HeQR}D-p&}7%L+p3;&^q$A9`K^
zhf4ox)u(1j7DV8e#J!bbVvYi{_pqaHHPZlYDp&SC?C}5I08CE5A@WwSOIXL-zk~aE
z#my;G)hkDi5PD&mh}yf0UCj5FEC#T|<8pqwhVQmLJrWY+Lfls%K?X~UBfEB}qdS<I
z{3VE8+z9*w$w3Ri*xT=1XMd)AQGWkN@@DgAXX8pzhL1y@wzPxc<4e{IqY7YbiwjuA
ze&5o;!yO1VB{vA}Xy}J~6|Jqa^Nuoa7O9Q=g=TD9i!R_-8xZ`a5U>HWFse8~+1;<5
zn2z3H{Diw153|6uxaa_zF%#{7OmGD0;a)A?wwfka9r**>I~XGxSXSGZnXjgo;jX?I
z!ifWwJRF*Ge;H#tS!H=ok$k%-fG{pzilxxiIySmT()RBsCKXAH_h^_Qa*t535a-f%
zc;}w*hf%39HPd#9PlsM@-U+cQBZd8&e~X%<;g~LOOWMBqt`frQSBu9B*7%+??P{xS
zE4x&UFIQ~Hx8XkOj^?g-QbttmS&HE}@38!^68ZYe_Tums8^MBVnbZ)pIk$f%Ti&uM
z=4nDc?Y^B*jkqYtkgQQ_EF0pn7xOh-0C(xdqGX!+^OY-}If<@#*GRY8sBKcavI(TK
zP17;za|X&M2yEIf9qxw=iE9B$AvIOwSQ}6AZ1j?Wq#O2dBPrf@9+{?}xY+T)L6h6~
zXRfvBo(ir+-+9{{efR#A)~fVHLsH4{rJ8{dXrtnR^ggGe?jNW8S}n1^@Cs~rf$ZV6
znm(c`&YB4a$)I9Ros|Ga{l)E(ezZ=@@a7)7GuGj~H|xFq6={rEUG?U-DgbBIYXO^R
zrvwLV_8IId>;Q+JQjXoKPTD?V-I;V+q8=yr%|7xR7EQ*RmyM=RK)fLO*|hX@8Iuca
z4v`soMEnW7)7KF#bnal8u&bCgNj5@dCdUkU0@#JI@TW5$j<2`ix4Z9xRO*WB^8$F(
z6X@%(6-oVF-i>V}`Mz>o{5NgfLzx37<IymDdauQptpG)Yp_3sw*#{KPzl<(HD0??H
z(ChK5KN9;BZOoe~<G6eeyTHIe?4N^{JBD`RZ}U9tVr}vKCAN2@JPcQS?*Oe&R4dFO
zwReL^TyGIqINtetX`FeJ$?l#=qI={@=9P@a<h8G1jY58L9xhrLi@u`(BL7};SQ#1-
zuPHt3ibdg9{0-N8-$pmLWnEZssK=Ffvu!eMI9K>g3VI_IuC#KykbfU?+-&<KE^e~6
zGQRa4Sr)oBUb%5l6zG+8)TVxz!}im+?NAhJjgzbJ*b{t*@!yT;Q}AV-#>7JwUO}<)
z9)o)1>gxiW9Fr}a-s~zq9(gXi30jEj*C6`ihhAvn%F*;WQ()qRwho?SF!!!3zVdId
z@f`hTiN(YyT1m`(Il|{o;RuXqJ`<&U%HEqq_Lh4Z4!A!@9Wi_Yyngkk2B`d_Jm{Z^
z<A40O?g}z&mA>u;zR10A9dCVqABCh``8mEj#A52ZYM=}zU*4SCg4D-t+j8$}5@9TL
z`r@ma-+JnQHI5i2mY9vUDBMrCq)|9@$wLdfF8KkrR}D7AJ#dJr@~tWas>=>6A`AaD
z`#gQ;eYXmPcsesaQg=X3Uw>%qjsx2z)OhmP2t~<$WN;UwPbJUey0K2BmI`k!YfoVH
z$1^+{R*N+TwTXU)x%5uYLrN?8U_OLj8-sc19WoAZVP=xVYIOWDe^d=Ay%zSWiWbk}
z1IiB1;p~7*s+gP~exxNl_%vpCM{;$Q670pv#W)^hMeMn@#ssZ85J0SSa6m6SI3N7I
zsWMUebG-XqohK0^VUQF0;Pp%~(!FfUrP^n`bH5DpS5NJAVLh#Z_7+*-5Sz>5VImS6
zF|0ND=|=if&guj~VKvDu(XYRcID3uhKjer?THUox=2+d=wZ&7qu10zQxzfGTs#DeV
zbkOhlKO$hgO7SzghA-Nzg$9bT{EIFOYi|;cm;@IluN#i`H`<m#pjB9|y;QDx(n>fJ
zu@b8ug&pe}M=GVn<x~Vdv+zAs;ADBEgURo!b+rmr2tRs!Xg%I8+}p)FR|&jNVJGEn
zY~t@w-?SB%n8b(0*M9c9;A_ABWq7hIS%Kf}=<1JYMUq4=mc=cOfsM7XZRd(IT-mkf
zL-!1J99hL-zht!GOAH2fmcDig128Z5Ti^2e*iCa?FI&;U_F3sh%Aaq`jnBRy_cZKg
z^hWis1xpX$YtirTX6ow?etz!_$}P&3Q4_Mb%3Fmv>B~PE*8YOP@Q0+ZR*TW?tkvHm
zC0)d3wuCj63BCDw^m}@0hlZKG8=@_Ta#da33*Me)WrKGVN$5=0Y^N7`xNzEAg@aRW
zpZ*96S>yjW+Vz6}R$<MAtKNgNtC0fV%QAzys6iwS&Q2%h03=e1f7_wV+3+^m%H!4I
zKR<7dtBHS3@-eu&_T$TI&szJ1!Y|4;fBvf5L(vV?k-sj|?*7OG?ZBA#-hRFulfJWL
zF^0_3&|5nMBZVJDR;Xiy8wO_~A2%-^7d_%~4|u*sppvZUThCME`komL%(nhc;i%@7
z)_ei+%Tb-;Chack**P>zZ_C$>g!kS4r-#hMB^JB=#$)+vBnR-aakT}z*)GW#mnYQQ
zN1^+16u*;^u1UzR9;tMmhV$3_ACG%-vwTyos(0^GASv@)O99S9xvcp;Eyp%J#rlhg
zuT%Sp1dq)VRlCwN?1^I=Y^=kpyPukuIrl5Xd2$W;nc!Q?YPvgi1|B#xG#IFbkJ^S+
zvA!E#y%tU=&6)n<b%ciWMQZ`U5b0o`wB!ObZTmY%iJg^3EAukmugfn_Mm(roOnMD$
zar}^E-&2iDif85f>0zdu_K|U6X4~hN{N*|>0ycn2swFN;W}^dG9<RBs5mokY9zDzC
zT6XjOxlT1!*{$qj8|$3%?oe8B3eoQ=4YUyb&T#(!DC*kdq1xWJa-xo;yO7+9IyEi{
zNeCsKTsjF!LkKZ0$z?Jw;~b$*iSjMCm_+1Wiebz}5ebb9V=`tYm&h<i7=tl0zqOU~
z^ZEE=eP->w_I}q|?|R?odDhy%sp%-WukWUJc0Tn9ne>Evzwi6jvFEmOX3w&`?7BN=
zlA=NiEN1?RUcQz_BxS@x8K4oqdaTZ5jM_YMcm<O<krD8B+8v=5Lk6j74(~GU#q_Bz
zmNzpI8Jl)sCgz8Ny~O8Q5`_%}W;`@1d}D%sFU(dfbRO+wW-12Ne=QDDx~(A}9fG7t
zyl@3emfiB3sM}@PNrT3`$bT~DUb+R}i^2E3{4qsgp*y7x#~QRGz27Sm_qY4?sYd0O
z=uMWfD%T*C_R7u{XF{=G{8y-E#eowt-Sh^9hllseK9nDj@^*YNLi@1G47g!TJ-XN_
z_dGN;bYOeMQL$MiQer~{-N&%oJLGjA>KYg+2D077*@_r-b^6=W1JCSjhme8On-VIL
zqZN*2wl#~;K<&T*+RUJKoPA(?x|AGJK&pgZZY${k?SIXJb=Vi51lg#;xzM1?C5hkf
z^z}rSDEXRPE7h_cimjz{F226;PAV$)c)Tu1RrIGEhztb04oYGi;or;5%W>DCIq|RI
zrqszF7azE(QMd4kRlRF>HsM>KR%+9J<4*7t>DztJhLBiy7|0aDAJMrTrV|!954I5|
zbN*@%T0uhNwJUn^{@u~ti>r4&X09yLy$^mH4fo=jWNd=P9-AmCwxFiG!H5WP+LP?@
zJ}AG6bq(ky<t-{4X7;_{BbTCBC5}AiHG{0Vx|=0@GKxV3^#+s>di|(tHUVa7Tbg4U
zSYqKy&zxOmMYOkS>d^rv*bfW#gN&$m;~gxc=Lk8-DLuQz_-SO`HKej3wH<{DI$y=#
zV_~`yp)|i$p=LZ!T+s2OuEQSbbla!y;lE^3!QS59EXprp9&}%-QY2OZ++k>^f}Z%S
zIUVOS{MstD;Sg>!1_^e28REoaP+X3r9Hcx?yos(757XvCnZDErb+4hXm#f~!gOo7R
zYE8k=p0S4Nwfz=r?cg?fh~Gb(&^G)%+>*S_iJRh{(3uS#X>>2Mm@#9Y%`VNwy&M~M
zw7x9gkAM$veoqqzRJH!wQ~O8{P0D}ye(lcsx)xkm>O7Ghc-nRB95%f^<f;RcnANL+
ze0W271tNPYeQ^E&TSR$udY=uq$__Qoylt?dn;xOISO`+Y;D`q-XyuISt~=i+G5GQ0
zoeIRW8@PO3?+@fpvZrRkcs^11{9QZJQ82CaJsII@ai3umS0S6GqgdrS6xA<u_QFRL
zyCku2xGO#KQU%p`ljbJTOAI+UTEoEb$|<I+IJOfC4q?r*2P3kM9_=Fw{$=>(p-3Jc
zMb@wReJ``-92AM%uG#XE!Mx0q@(;(dlQevL4#*B%$Il~o!zM^;*!e3q$wm*Hqahqp
zbES7^DEC*t(zoSI*rl*G0l#&x7)?F*wQMDcX`-F3aN;&ZR<n;ixaW<N0Z4RZR>1WV
zVmZe+GaD1IKundWWPZG3X!`LIEo&MVda*)pl*`8{Pxu3m*=uzap>+~5d1l-x0o}*-
z`%o%FQLPWz)mnB(*dkEyf2D}Xs7Af~bJDzPnsC*_TbjdQ%o<QBNy(4Z)k{a~J*n$f
z8U#IM<(ZLQ?`O}<LwP7(RZ6j(`pE>$dA?6_<rB{t?@bJkK=QH;Js$&PA!wTyq00Z^
z*qWvt06?$vQDF9kTRpfrCJn~Emo+Io#?8dacnP7}fQc=BkglxxVo^qxC716>1hX~U
zMOH*`Guvq`?t!tB2#Z8_59;wruU31mnx9#b84GLu{MFx|4a0Y<g8>(o&`@-}tsl6c
zi->YxgVF4F+U-f_(a(wHb_LiH(QNp%Q^{d*2u~Ey#1G1(iTMd}NmAD6(V6@q^Kvo3
zl<!WJ1`{?azeyQr5x+_scy2M{TCyastvn!*rAsa(3?HTT`~ObIeWOM&JXqB+EZB!?
z$ivA#Ov2@3BtH4LNO9uUW1{hznhJYqk1m;J-XzQ&3dA{_a}Y-e`Gjs&|L>jtWbx#L
zi(EE)wt3)!gP5OGz2~a?SkLm+CccS}T^}t@<plLA5vi2*wh*IDI{+i<zrm><+}!cq
z!Yu@HS&G6O*~B|%q&D0-?E_B4f{2=pSD=L#3?!0^iZ6sBO_A@=Hka9vlTnI=KM{Ii
z+?mPT8{#6+(|h)n9H62}j<kV`jn^`p1%ppzpH=RH`!7V=$j(|Q>D52hdvi`WS1=Vt
zZFiyEn&w!xs#VM8qg_0T;$~bf9r4Oek}J)KvkT^3S;X?HY80#&%#iyX%7))pWE7I~
z?r005NPXvC%oND7QXlMmC{0OR80G<ZMU<1I!VdlZR92&U%=wSK$niWjneKFir2dMZ
z+pfZl{xS1*$h<y$<bG-`EkvV0Jp|`tOx<2;DEpb+^wIvd2!_S)8@p-H`!$-eM=3~w
zgR+5BpUFw~C6+|B2y?6kFHbc0nQo0nj}Xy19(GnoU$fJ8U-ovf4}|OI#l3^cztUK9
znElULX@1^#O|mm}`wqosIjle_D;+D>RS@;RBF$g$f6u!^u)QQN7v%u9sG^iK=>Gk6
z@Mg}fX-|^JRND3}04Yxz+~x`&Y}Ff+(d+;qi+Z@{Z(}2MJ(e%v6{9yoC)ANNj7hT7
zUC&#trmrtiVG5puo9q8xMvul|4l*_=mqWm%FI{Zw=y1p-jhV-Ej#XuBQ#lWCo(W5h
zUFI6yyPg@SkYg2|O4INAm&zdD<rI;-I4+J31G^m^NWLK2DUT*g)oOz{K(c1fr3|?p
z9^Z?!!9jBocK4Pet@5jgAY<u0=d6Rc?V~2DcKe^S<Bp${f{pX!<|Zgsb1ZmvDnV{n
zPPx{HU8G!`=hOTrjE?~?eLLlcE6;u3BxqNBoT1?Se3TThpQhk$`dC~8E5O#Ds`nbX
zVwCa$1-StZ+H=-XCUmg4qw}3gouK%6zomwg_}zpw7te}SNH13BUT=?gb`H3^X%QC~
zEahh+<!WGoie7<S1olP|e=AqgbhkU(E#;Tv5E_V?`8A_Am1|05esVo0kr<H(QKWdJ
zlXRt4m}Km5I9d}#ryVKp4mK?Z1e}m+E0bmU@fsym)lI^-)sOY4dc4iSiaGAl^o?JA
zkoV1uuJ(Vp_@jeUU-M9J_h)76x(9k|;^@W|hc#99JTp-uI==oqEj;SeGd}gi03d-r
zrJ}a-q$^r0%?cbm#OwY)N#|M*x&>RkKBHETFuAQWH=DQ182PC(e@-==Yk>k6A{pLM
zPpfj?ekl^9d)jnFQle!Sz7>l?>O#_uRxD)>kGc>8uY?`F8p+O?kFZE%5|x{kB{`7m
z$M*>QWD{YUVdN+H*v7>5)@^m`C|AMBqKs!VPI{I;n?@}D=zWy#meL+7>G-ufe<%#M
zS&aIRTx9e@oR0Z^u%Itwfkyx!a4I!JmR`p)Lb%=j@Qa$Eetw?tULU7rc22<ji4?;!
zPLh{Ba)n)Y<3t%}RhWWSz&4uJa7|)IBT-Rke(b(^L$Ii-%t_76B=d>cOlJ^fmA&`-
z-q*#aza3J-X>CHVa+DHX=F#Iz(Msq)N4mYwV!BlQGu^JG@j0h;1a(T#z_gJcN@xH<
zZgXD)qV?@_tFxHeu)?cEcgkFtNu;?8bpo(>bo5MxPESVfRgO16Dq^`Zk19uH0(~H7
z2cdl}j%7la>24*)hb2t)eM}1PeJq&eqo1%n!O^^rQjT1Gx+vip)1y~aWc;IMJT4$j
z+}Fzyvr;_sq=VtK(oLWGb(&~qS!nEgzs+0fS2ISW%%vykgd0_uZeQ_LPP^w5Ou^SF
zk2Cn7ACzwvSQjljZVm+z=m`I+Wj;(bRj+LgRD%cc7m;k2S(I?|S^jRY!D&FtiR;z0
z?DC3V``dUdM>N0J&PT2sYzJ5)(emAg-<F9QC*K>qv(O$aAI789JRpQPr&itD@T6g=
zaw&m&PlS<WacwJ2yL73!%ws8M%g9?BhTMnG9V#FlsSfkrn5}8e?=_-}f)jcR-J2+3
z$b~C*RNZ$;dz7a>`sccg1XL#96Ae72qx|-@wP=a$!fx8ppeV<>gA!a{G@4~07H97;
zF&Y-h8=Ct>UxVe8vNqe?zI{ziH10_ld*cRyS9gU;PTOkImNOE9RnoKNu1ZN&WI|C3
zzn2@Smgx*JHYJ$(ZpxAmKSrfx(Rk}r%_j%>YScQ}Tmca_x@+?N{>oQ&(3ticBO`VP
z(4HAN5gz59I;?2Dt1iN3bcAyzhgoN=+xwGIPEv!|&H*+3l}Msl>>Hc4y<0_T&blTY
znhmzQ>)Ks)QrNM*lz-hc?~E_rnO{NQo+z0Z7%384VG8Z;00mi4mEHVWIi~c$?o74$
zQM~78N!VU4JKPZyrqf_W-OCdpz62erZ<2oP(s-$Dm-R&%(q#P?UF_pC_*stPAy-}(
zu-QsVY$(fX%a#f3K4Rmp>m>Ft+%7fF0U(*m$nGE?C=!J2O*KlqX#dohe>~_itjj^Z
z-~IyQE%ZnLtO#$XxBY(i_0E6B6G759^?N?&YA!b+52KMDT9Mu?=(MPHaj~8z4%f9*
z(iUg$Js6!e^L~KQl=&gA1kB5?O(1jPxFCkgJjriHm*pSwD>D1J1W7<v2V|rUW2UHA
z;?&9IIi=tS|BA>70}>HFcrJZ_^3DN5;6LKm7$xY0nw9lXstkD32ltxOLnKEa^r$Ls
z1`)j2@neq9P`AUA=o3G(<xMQ=`*d0E6)tU`j_*q;3-bBY=~o}-4W$JuG*HRn3CDti
zWuapqOOuxds1R;%J88<88$tVx^9RYV^;MPjEBj{`l&38>tNwk)WZqQYd5u0d{OqWc
zW9s|dVbOK-*1`{;E}sA#);m~;)<K&L%O!82R0?#b3v=ij?IxjQ<d!XVonuRkodsT1
z5mWdZ=AXIqZ0Ea(NeA0@17}lVc67+&#p&MsytvK^ERY5?0$USP?zPeF3>H{)(~b`b
zU~@90Xc_%jb9%}(vV92x-^dq)RYnG*m&#jwFz<})eRmgP&-SW}kKh1nT4$tMfbxje
z7lkPOjzlSjoBD^gD_!>x(_ruJuM9bMZg{&uq38{`4*>BzBAf2J7Rvl6W?0|Z{;&aL
zY&WXtK^LWRW9kpsR$B!Q3?@{tOR|gd)M}U}oel$7lZ`6d{hj1^uPTfpE#IVGON;A?
zwOgL!eyjQM1_ZGEmWszG4b^)A8AZAEaaUG`U2n+btG=<CP_48s5I%E$??zAVEU6-W
znF#gdo^kg_El}1$$<s0Ogz&Zt!Z1Sc-M{+lsadShc0jn{=V;wp);w3g5k>lRTni;h
z?Tss--{JZJim49tyXJ_Q$PL~4vaGSLj^9?~1!3Ow3t|<B6(`OO5?GV`q*mtsIJnFi
zM{mlD#a7pp7myKv{2<Rw8<5I?kV6R%{p4)^Fhh=iWg1n+Ojov8`{Y9P?p2}bFf3P)
z3(<Agbhrm|El*(E7eA$c^Z=CF7ke&cMhed+<Xg;GS}7>fbc;e4E~YWH?;xM&#NvU0
zx!n&;%>DoYUlGT=!1+?A!v&i-=TcE(aIG5wa_kwKrcA@euY|rXW3^}M+uz$g$ws<;
zVCSp8;;RAgM|YCs)P^SSxbq=-pgzKO_p)aL$&pgJryH<=MQl=crx@=U?OsxB#{={W
zYf955r?9~REj9pfXz#i2Wh73k4t7ZlfqXnvP?}priOCi;-5ojW>r<T3&$^yG4c7QF
z`ep?14J>G_Vs09eu}fLh{*vs*3f@0QN#v*!yEsHBt<-W7|FiQU5=hv+AxGie!9unJ
zH(Cfl8DU>yH0!&;?TM9)Z;#Z{_&-u@e$i1EH6zCQzR7V3H+dO+q0ZC<Z{~W6P>xIT
z>xE4eI)~u?&iWHs*3_S@V9$juzJvmOAIBRQL&p`@*?8F|ZjQ_<h#o>hI-!8H80W3C
zOV8!F!g+x8kuM*6GdB)QD2FprS2AHdH@^vif0vKd@s%EC_USj3m5Sj|iqwt(&LWG3
zaF6=KCS$U*@1U}I6JW$VmZq5@e-6Pv1HvuB!Jr2jC=L*kas7BM2QXsK*&g5Lh+sVz
z4?+!&f@lI;R@C1UU;dW^i5jj?4AWRvD_OEL8o`RHhQhW+v)XWL$g>YSq9EG1-*PLy
zszh(JSZ0M>6Qihhk({D_Ft$N?pG`;=I+psSWmu*D+j*O*YC7kMsjpj}5(J<uf!M?S
zf6e&H=u+u$hviSfNl8Ak6F^I&?Z_id5nb%)({<F%cFW=dqOD9DxgjN^e9%!Fc@d-?
zf^0>11uIE6Fg5)l+HjNyMgF0wpO=CT0Y1=|Tn4b<oeyjLUuXml(>c7?J-!%H2>)0F
z0F*EFQVb%-!e%8O=e8i*!T7i~7V|^VS!2g5HD@n(Qq0Q*hw55>lB}6+FZvYFX3Z<P
zw^gVHbymo*Ewe5u_be;iANcVZYVSca9?YuBrM~D##x6NDL3%E3`Vn*DUBE?y@pEG*
ztLYP_c63Cs_Ts5K1TNHBwsf*9J@^$r8;lqVy;QFGZitvaMefU)Gl+yn<vbG`CkDbE
zdWJckKLo&ObSBT7+9PrS2BBRD(bV)uR$U5#M&veutZ6hDk@9v{b-jX*M|$42z%qA$
znf+5e)FHXHaed)=xN&_iUsj?kC51P-uTmdy`JvYd^A$^Nsp0tX?_RE6uP|>f2z3yE
zKIGR(0em}sp`j_~hz;`#Tk{LN|7iO;7Pjedn=&?xG0%Au1PEgdkUVv>2?2(OAFmCm
z3A|~v<l4`G2Q)Bd#&hRpMe6EM$6k_uSd=H<;KfbWoF{3i`)oO|BC6nEGK11lV{g)y
zpUwW+O76Ow&&4LZ2LS(WDp5sH@3|V`;=Wauf15fL`8XNq+DaJ?>ef@+KCAH1)Az+J
zQ$JE)<kZ8T#71HLU+xqu_&4nWrm7x&2;p#+hODWWs0}M#vH)0c;@*Yv6$ioJ=VIP!
zeK27+wt{{7H3#i0mdTNQJN8@y8FRr@7!#XiLy0<6P0<xRIASw}s3BB~;z&}9Vz`hR
z;ks0k&|s=bpo#T?Qt;mLKG}y2hsi=3{YU`w1xBVUhpZa8Ybf#@L6vAIhWnRpyVS=}
z2RZLQzxg+L!5EX6%G$)aOY%EKSH$BJq_2<VN{8pSHgtN4JNvQ96Y1Lb8_vMJUw<-w
zP{iLh{!DuskXQg=8As`19&_R8nI~fi4H<~Hg&miF2A+)_C=C7Dhmo=>pdjRw_1c|C
z0j`i!WU(Kcw@38nXm<+_D3X%MT|=YiPM*A1S$9f%ELI7lN}U*uMb-`q28I*`g)_xD
zIC@`C5G#^iOP~H7``vQp34ov7_PAM~8ko+)P(sC$JNO^YqMPf{MRLp^FJ6ovJ>7DM
zW@<FxM8C{<qGS*t`p4~mr=ZBje~<Pn2VMxLm_LR0TfTpDTw3l8YRDac-j?k`*8AzV
z*^eeYZ#CcprnwD^CcH>&gtbFCJc4dKyYL3Azm*`gX54a#s)pd8A9F9<@{GBEl|6c=
zNFH8MOBP|BRIb$!K+S^S=*t~B!KrO?wQR}x%XpL7fmA|g?w(`JsirFT719H6CDQs6
zlAs%^CxW-=z2dLi(2f4~80r0jzv1y;<GYx=VF+rqi-89#+Fv9)$Sa!p-3@Z~KJOUb
ze!0G(W&WbPO>eXY5D*RSL{8suCNC*&6L@fVmvj&4E3G8i9i<RO=?gMmH)hP7x*pxv
zWFZKIr{mv-2woY6?zd&+vU3u_$sGkWd!Pn*JuSWNhvMjS|L0S&=u$?f&1n;QCFk7#
zR)*z<Zh-)Wp+(aJ1sF9vn*jy)0t{<;!1D6VmzW?Ra=-#I;Tucfkn8d|N3C{nzV1wC
z>(ZCthOOzDfL;b&)IN3A)%jQ=p)!|w4%XydvTkqabaHT%ol%oCV!-njub)8u1l?A#
z(1Ay&@aA&j*o@<^tSXcw9nIk{O7nvD|C@mBKiu`*+G{Jw&g|g*%qcwufrFu)FLRwE
zPsb*WX?`s;pel!NAgj-@o(zJ>?u5AmTNeKo+`uN?#H4`-`2sowJxn}usFoR*3dv%h
z&K9x>o&d=R9{rrtV_<kwP|M|o1yX?)iOw(!tiVEjy~}v;G53bNT-&RxpTc0@l_wQA
z5P6AEp8IcAJIEd(R+pLb4huvT>_2S&?5IT+OvAtwwvK@_#g^ZO3CxW>D_zeqj}^*;
zJhZd(YkB=&3-+z#D=Zd$ll|Q)Bp3P#MervI=J*~I%W7wtSsaQ5><&}`=LMvOMGU9&
zc`W9g${WI4TU)Q-?L==NW(Atc5a1^;>`_xT9zYy_2{ZU(GO?@+QE1|{&H$<Jz?)eX
zbJj~pmNviH%55;GRKzh!?!#u<%NF!TLp}Pa@1UG*fSI#-M%tFBVnG-oCP`a1g0v2*
z-6w{LIi~PrgPNs$OjtpseI2A9C?M=^Xz=8Aehs9nw&!WQrDJ2sv2EWN`;QL?yFkhk
zfR7L+t-wMLv~*Q|%ej5h<DV%nE4+cF*~z&<m&;U8RY+-L!^0cH2l{b8LV-f#&nCa6
z!5}x@HUrjd!)GIq_0zvtzjXz_pjwCj3d{`EKiaTaK90?l|05a2aE9;tF0L}V26qWb
zJ65;T)<z9(@Jd_=j9yX8D`K?NGMANVf{uUiOLJ>&VbNk~)O`DCU@#vq@fk3j`Iwjq
znfb7dc=Qs%VOOE{Wb4Y92GZTjK<5Cutp%98yH@)F12@O(7o}U`a1e#dn{gH3T3STu
zygr)yePMK*(NfX&ZYMwVn>cbdE!t#aiFpukP}TQOfpw5>H=QA`Z}L-IrFUi1p^<py
z>{+vI0>M6mPgjSQih!~e2w&quByg_;3bjJ%Q?~GU-F|+^A~7${C1Ipnmx=ur{aafZ
zU}B_%f@`oaI+BJJc4+C}4GwB(93MZr99G>M{iSy}Y2GZVr&N@iEGEcjjoq+I4pStw
z4Ny(`%0AZBhK@$*<qMzGo1U~jFTcr)A68UEJF*dZlCP9bbI9V>BNhaE5udDq5@ZS;
zHw&>5hDIxqUIBEFLp_w&IBezqDICy*hWC`Pn>T431r+(V{j0zOJ3)EpTw6hwisi-B
z!COEo?Vic`>NwSmXOELA#d{>cH!ijbk`><_-16f*7h~smbKmUF6(1#$DOsh0pN->D
zQVq9jYJ#ATBI^ULFA4%04aZ*Awf(lX-K_yh+l-Ju)Ao3U6*&|O#KXbdGXG1OO5pJK
zU?_zySt8>IRYknKE0v>-H}tf2>RyG8@0Wzo5x?M_?goFbD5}C@kcfpxC)7i^TA(!M
zy!oQRkKT}*dU|w5<?#*RJYN=+Q*VoQKy(dgxB;z<B6q{+F(@0pQU^9bUQq>ci^}!~
zRg*jSYW^sFD|Sh_Y-laE!fht?Ov|Vb0jaTn0J9=-p~`TbOZ7H)$jkqfc4q*Cg*VK+
zB~6#1=$&Fi#y0WnrK~$b;j@`7KoIt2fuhcgyuJjD?SUD8UH;1JHbEzsOV)>98>awe
zem9Kk=2e@J6TOExhAard>45W{$C0Zt%2pWJ3qXK1X?Q=yXpc7hr@y~>*@JBrx(I0L
zTEN-f1jl-B)W;3&^eIJ!*oNKQ_uEA*wB;fG3?*^I7}5a&6m72_eQE+;0`xpI^o{<I
z^WZRSmt*(i^+1vV<P82Koh$3}69#WJN<iOgu!3k+a^a|?<~-WoF${Bi;DB|;0A`zk
zQS%4Pzn{%}6BqEe@y9tvFC-+Mnz*11mb04AisBp{%KL>D01!qk)wqJJxbfqO+w10_
zBmW?6`Pz+Y9gWw)p;_QBep$6K;MYepBve(_zwH0@bs>q&<7>+|t!@<2yem;Av$`83
z-73EK*B3Y>;@eak*=v67G-+G_+k1iNb>+@i@Ze}M(CkV<*9`hR#jkxUyX4lEuUXv+
za&ONXYW!+5)^{Zk>;EexOCW6iD<nuDZm$-SQY8={{wsiMe*3Qgt~vQ%0bFxywIFpm
z-oR`14HDEE6(xV|h=~_%xstNFSLOtI{mYisH+YKt?V|UuFBD01DXlHvuxgv{;Gu7=
zzCk!>^Pkmbj%hSz>#p8;e*McE@xRRR)L?D-lhx}#SjRuoSbdmIP-}Iw&(keyoHwm*
z1RAi6f8@AY%LLT=^?@acc!`7jUkx_mL4#|5Rk{K`Zeq9LSL?b}>t7bF|J5^@r(0kr
zL}1Dj-Oew<wm9DKkko7&*uR@4ZeW=Yf`j3~pYCn3Iq$*LhDI&=dZ>Knl>Ny{%Par<
EAL6cb%K!iX

literal 15520
zcmZX5Wk6J2*Y*&~AfN+CBOOY2NQZO?GIR|g-5}iq($XL)-Cfc!l(cjSC`flo^BugO
zH}3cQ!8uHvJ!|i^S6%Dcp>LI>v7Qh=0f9hRvNDpYAP_PP_}>Hk7`XoNgue!ENKUHK
z;-K;o(k<Wxs+pLg7zkAL3F8L#2zZTdFQerI0zK_|_(STmD>MP#ByxVE>HN;_y|XLK
z(G+A4v#@n$u{Cw3;9_B8;b04<*Fph-1R=7LVrp*sd+F%T&u2c@$GIWZ*(Y|6&^Xb>
z2|3`<J8^J+;P`wQm)0FO6gxE3FOu>5CbWi+{e2u9RooEYxQ2x7`u$;Vlql2V8gxiW
zH=QVx5q9c_B3^X=ZaRniKa94Fi&G7G+r``amRp{q?#d<d4Q)*>6~%4R4YpA4Le8nl
z$*&BIRz4~!P|o)1rYmz(sLLZS418;}=4v{L50v3OMpc@nCgW2j8Y22yTDJ^1O}tE<
zHR*Q2Z1@kK#VX@XP2C4c>XRqV&h;Dr*Sqow2~!p_D}TCTUkfx2L3)8fnADF8vx^zz
zKYyQ--Pqnv39Z)AVtN>ZUuz8t6_Gf$ouGI6;MgeVlu%e&s!QLT`0&$AiSM8q8h>PI
z_SKo)cYx8fbn`kjIxt~>AEos#*KcjQov*Ws|7wb(LF-=6d24o9Tv!O%ly|s1Hm%N~
zQ~)0pj&59I-sn}#TpQSC9yFG3=jZ1yIW`zGv@hSY*KW)Rk&Q09($37x_=@dQ0Rp)&
zC&b6+W(c^J@7-LUWS5pI=r%gOiBC%6jGzrFLG9!`o6D0=>JGvnK)q5;<97-cet`x%
z9pVSg9Q@Efc>QT+0W*Bx&~Hp+fUXi+hlQ1il8bqC;pJJC&a#kkk*Y=Q%1<XwBK%nM
z&cJ%Z#@deF>+y%KyK>7bdYOIU@E*BbrA(n~IR}R-KKJ8XKJTmAm(0vlvHY|y#L%L`
zFJo0`vhCT$O|^iw5{ipcHjpevt8iDX*4FB{=3S0f-iRG4cuRSseZlYhL{88b^&;mW
z%AYOmkX$_06N&zwLG!bDbM;<uWlDa2A5wJ<_I0_Bj^0>R02^^=!cP~S_Th3{K#PNv
zuhn(Ej(>Iru6)muSlJxQ(Z(q-VUd0}FWtw$$QW+_Q<zD^nD(t-h2?hUy8<PPLj{PU
zx3ssWrsm71q<o@-q)0GSOunsyF?#=f69LMh)uS88d13to)P@)SOYj`~(<twgDxK4X
zZI<_7<0{hZo12?=%^&t~JkNKrum2p(#9sXB`dBv>-?2G6=d__T9x7jskgNR8x=`pF
zMaoYV78ZsocG~8BT`T;f)w4k~Gb|t=0K3`^0snnTWB)6R0o|E?;Smhb_p^{0W~uf7
z8+v%-;=X=Jqkenj{`<c(oUgTbH;hK^MNx0FkWXtTw-Wz7P`WQHJp5h*-;7@rv?fTr
zH{a~a+L<`p=u|LUW&Cma<7Cq2yDEp(Ubt{+0$q-$SKDAQ>i0!!G&qu^4_x!lX;pLJ
zUO;7abv4;V!B0O+lEq<Qt0qd+e%PBQad&q&>I%j(I$0k!+L<oX7N3cX5_%P0LrUT2
zNQQKBzPHem$gETA<9UDkr|0Ty=h4|(3bz&NmCF|<GS{)fS4yW`om!tkO{rz#$qRdT
zYOc+wMApp|m<~%SJqJ<$EMt9r{XD1H$nN0qaO=nJGFnHu&CVQS&p-RO5lkbFe&2cB
zx#r*eY_VN@jm%Qzab{WNxF&~Ob22<U+{4#TXHA3IzwcU%>+4zv1)p4aVL%<4!}t8y
znyyvwnwwK7BYGS|_LtjPzm=7hX+)6;X@^Mqkc;L=7QT%wF!|Iy0$Ha(YC10bq+X^?
zt6r)}naH9i=M8nZy*d*=H6=MS%ch7Rlkku8%Dc;5PPci45F{Jbz|Mh^*9gopz<+7F
zp*pZ^uYNG&gjZ=kRRJN8+nhE==7c=YNe$Y(8WVqSjpO48N+bu?TF+It(8?!*Ij;J!
z_9T`UvG)5U#gh9~DpM<u-KCzoqLj{OLUaPyG7s>eL;EHrko9v9--@t>^kKji@k@4w
z3d}moT3w&-<;h$)e-5V{5<~V{LyAsiU|=|}t*hfMxnfm;1jCaGUT-n#D)+PNE605b
z0$k1fyD9@%Js3u>#@@AiL<%asA<Xohnw`A}HDTXwmT43btA7HU?Zt=c23d4F@Ynw#
zxtODI5m^*|_0JC%qmuo;#=^pqj^52o?4h>Yk04SW{mi*xFgq=1HC_5?fDZbEel!CL
zg_eK}eDn;0_^=_tHshw`#8avn7lFDPf3EMP$`fnDxZxJAC+@9(&W@fhN!YMz$TReR
z94S68S_ENCK!WS<Um6j*6YkhpZ%8}V<>L9B9N=B!zYlrPUw|6A?yqK<D-4I9KHBB@
z`Exbz@elzv!>BdYvJ&umU$FOgG;fvi9g@7PuM&j*3ES`r-q^*1-wd*4ni9$9+Ei}@
zTX($M4*H?7N)CRNzG^*_3wtNDCckHG*#Wi5(m|0mh(Hwki_J4$8zbqmz--BrN*XXg
zosjo|P)IP3?>_LEnU0Q5f_IK16$K{xL31%~+tO*aMWdW5<22;)#YGfD#*#B9T$gt1
zxfQspsr_xwWMin*i!}yWX25V6`*Y=fGRT8-La(#)@_JkWb0Q`E_KE{jB3bcia3u+^
ztyg<vW8)!UPsk7{*Gh(KsWnMaLY$6KHF~dfyKgJ96`B&7t;_ey#cm!FvhJ^9pQC|E
zzJwJyRWW6p8UfxYR-qWRy!t5ul|q4wn;Xi*!*kw=bjt<`pd5OP3+LwIy4gG1nK?m%
zIS0aJsKD3CQ|Ja8JJoLEz)os1!h(@yvdZIe&K62!{r7<Jr7^XOS2X3Ws9;>co?6se
zV7FJQcxsiAo@1$YVaHZ8(;&n?G6F6Ore4c75MgZQvo!+0OQmG0CPeJwNf3r7z!6AW
z0Z!2^B!*C<0|+A8WE0=rp}bbDRJ&0XopARX-35c7+uO<MX;lQa9~%q@0d8xfYv$hn
zKf`n*{4WXo%4B8MnVWvwf)U$0I~K8(d_Ff{HIJ7(<$fC8&z)=x<2JkQ;jFE#WtW#L
zeO<Jzfz%Ut|IwR^M8}m#p2vj6^g!NM5F#{7Stv-q_+o8phy3<ojo!@huPiQRz+!rW
zfzhKAPQZwiE8w}G#y=n4Fvz0+JRu<=yQyiO37#%#AjH_r{OjM6O$EVG&SYt>bT52r
zA?hkBl+n4}K%A`|%Lu~2f9anq;6AcDH;*x{oGHv)uG^UHUn~o54rp_KdKa?GARR)f
zU=v*V%?Mnh0eD<>g6B_X4=9cZlKm?OlUT#6t2rEwR(jTfNHwevgqb8@YhD-auTx7$
zwYWVM7ce)p#6fJ25jgV}Q!9VLgjsUJ-{4Cmw?6EKrb-ZO6d9oe4240!5;8un>aadU
z^vsZ{;LDdU1(*wYF2}$7eTBWRPW@}lM#D}vMsXuj{442dg@lsIk}!8<*x^OP5PU66
z*m)RWf!iyH&TDMZStk&Dkd9ITgy;^%r5^|n55NAszAj87;ri-@z=z#bAb5|mzIrvr
zB9a2H6fobBz3>tbcBv&qOuh$)GX=AG_5iNT1$RsglW!9RT*8SCLx#|S7|ouM3*V$+
zrk(<>?CQr@j<i#ifsJ!gA+S`>I);PVsk-Qb{?8bkNTeQ@w|AtZH#5Vcgnn;GUpt5F
z=Q0Vp9sc}dI-5HI1lbJHTLL44eNui$_)k?&wU6lF1^3%4mo@p8be3SYIwAxWu=DjF
z?0-?suc8kL7I)~rKm!j&L3;}BP`DdO7ig#Ldaa+zW8=8D*vxBoe|PI6nq1HNo&wWG
z15;q#0r!13B%en@(}W#9#|YSXNh${9TuXFTTvRhv7K{rd1r`f+RvP<&O^dL0y;gek
z=+QG2{OjGN*5)U`v|$JuctTd|rUNc{Vpg2`zxAh?0)i>)HGi;)BLbuR1dAqr8y#)0
zaoL#;@~cuFs6;2|#MwUm5%ofV1@vI?$?!^IQBCrA`FYf0f`4sxCiRfNJ0a>boUO`c
zfybliCUQ8HS9$)c!>TcdwRo+?L_WFiVJDh2=s_6@;+oX+GzI15EYRRRj{mdQA8}iZ
z=jKU##9}0R45+N-_Zl{}oKy#}ADM`52N-E9I*fZGUb(yM&c;?90^`f|Dks0?fUR`L
zh92&`E65la9Bh7k(PV-1AhPvr<*(PGyCv1y4pTth;EMd8dDH`;b8;v{sM&etcfWSC
zf+$HOiHN=xt7QXwMO$$lb=}6dv7EZ|ybok|$Aj9<@2-t6JKe+aX>WvL82-<u4H(d?
z$#(=y$Y}QPSGL`9Tek20ol!@JKNT~xqKSz~h}h@PR91(E>?YqJF+$FT--vh=K*Xqq
ziV>vTauGnL(8BRP!p&w^v+DgYF;?4<C?P09|N6vOtL&@gZ7`N_4Mb{f$!!%2=^Kup
zI{OnF4x`^PNMCV4jO<+W(k5nR;hpAPL#0gY=HDq|GBQ{mXM3Yz5>fz@EvP#?CF1NZ
zo+>HA@}(?Ud-;C_rve8)a{q-0qC)%527yR@iAFN~h6=|P#YB?9d<4hVgcwGE;Mn#M
zw+KqG=N>ovhaY_G7UML;Q{#qtj1q)<T|XL~diZuZkv2>GDmB0eP#!fBj1?D-q+TS%
z4MypH|A+$9p2Y7*(Yu1Mgc5a&J>~acr(i-v>3^9-C|*?AM~9Jn^by9bLrK!OK!>N-
zcJl9{11On(HlD0obiC;h&EZ9bq2h2AOF*Rj#Bzjy7i3&dBq_v2IeZYP?AR1M-dE05
z==M-GwaGjR>(LA$qaz(Vi%NdjiX^-3jT?I+1tvs}I)IBqh8oVLDnlJi49{Y=piv2A
z6J@U3`8{JmFsM-qws7T;NapN@yx04WFOrL>_4;|z8n9X-MP}yeu-_Cms&jnp;^w3H
zZerCDZ&iHdSs>f-_77cl&k<5AD)Z;k&Cg{a_+Nnw9qXI%m(h=5pjdPu(s1M}e9lIC
z;jdmTK{$2YN-N(TU-YhLXSP8$j@}BwlR<%bC<~GLD<E(S;xdv+vO_nwpoy7}5q0Sw
z&x7r~VEeadVeR%&_f~0EN<U|tKAueJoCz=gLEbR+^65VKBNDW%+;fonlc8bZ*2d;d
zj`)g(xMqiQ5tH5QJ+5)^Q_IX}QhwOU&!m2efy8sfh~Y>I=J7ItY@k8FM7v2Q3c}xn
z6NEE^(o6y?^$x=l7<(c<bJjH)ysHwaKw+UrLD1pAkzUuy$D+dg|8p^~nQ^)biIZrj
z<QXB%w_Y{mg!4;a!lwT#4qg-&6&3MD6@}X;EF9dMHEO;h%{1_re>?r@WPaxN%1BW6
zG9^4l{@O?1jYG93k1`XtCb$*iAe{W+RV)RjpZFK?lk|KfUGwov1<|3>xtbo&gVqB7
zs0m7IwC$wS)RM^G!)e^|Lmk2p1swPom|To5@?z{8d8gTR3tO$Uq5f>`FYlhvT|2Pv
zx%8Wf!@lmK{`+$4<^NC2FsU|s1@4*4+vVH?pg2n6J7A(&b*-`Y`5a=(dU1RAY3#tt
z$|_Uz^0;tBK;|Z0T+?P6msm2IB={U>qo$qaedI2IgD_zvjs-+2#}EmO@@?obeE73~
z#!#w=0h3O>LLeEv_$*M6*QGuOcWlP)G697pItqO38(HKbHvCNr0gv&dsDtxtLlEn=
z@!no9BvBWL*+3Ne8_;@``IdwuSGQQw&3;n_R1;}_z{qU8_#v}FaCvJfA<@-m`k8#p
zVe><CWGgF4s0afX<11{_cxCrHeb4Tg1@=au1>~`PmI@6P0>p*Ng9^g{@!PRz=j!d#
zfE<zGWjgKpEw>{AM!$fR>k<Rs+=bRW7h5oZEkKrdE}V<i`aBua!Tf>~k$QVnc}~R%
zr~UN5?Dz<G<OQ|8Aos7YR=&|K@XFVh&^SQXynC}JZdU_uYWFSDGSvqvUSNd!qInfl
z&zRo5DS5*1?QXZPdn>I#n?RA&1LOM?@}}kIrzqOmAXerYn4bbhM~SI0=7lAaR~=Kp
zvd8saqU(}(!`dRPd<qiz%*pXF&heLVAXcSow|QMgx~dR}Y7S;MERAoY5n3TdSe!kM
zt^-lk-6FlM2Ysu(MUAgxN=b9t`CfSMG%9q8`v+?C+<psAeyz4gVqGgCE?Ud^Z}%9M
zY0uR9%r4%5yNCjFur23>C)sGl8rADRW2=ni-zuipWaW>FzfjHIbrv<W1nPz#I@vX9
zH$*qvjrty%Hd>zTWmU6IaK9-}bpCgI!xQ<X`8v?pw&|u=R$LQfM9AMAW_5V`I^8Vb
zlfccsvZjx+PaO+21fR`t_pzZdvCsZE+d5J7F;=a-!|Hea7g0WsfYjIhf4Qm$Nni9`
z8kaweILpjr@Nv}2p3%og%XcVC*O!65U0Z_-f?p}ZIE6+*5}4WiJmQj5&%m)DZ`bad
zlFh_{li7Q)JQ+J&3yA4|)4CP<wAAU9n<@#PDH=+JX425rT^PEtFlj2~L2K`yElnRK
zKtfJHLcQV~`41dw<HZ(k6{8;G@9KFlWh41S$~pi4{h^5BAh_tzyqFmqE=~~vH$G;+
zc#`;{)8P-ccJS!OqgI@Z3cP9wzse_gYJ@JvA1q0XcFzi$+n6NiBH!LGEs2#s0v4M2
z>Nc#`d9FHtG)E*F7N_*@Y-XjPx3^dMr(5<6j$&ds0{9iv+gjt%)yrp>w++YF%T|we
z-%dp9XCCDil-dx+dT2Z&7)xgPHI^sXluIumpkBz@IU^|WGkiU23Tu;Su>_Np?%x^Q
z5nfcI1z-OBws%|Rz=22~ziIBde9_g_ReN`}EML+sug^U+zMxOrI;Oo|W2tnK71Yav
z+`C`o*HyR`OQtv99Fu;<Pc+Xie(Nz|D$&#_YH(n#m}Inbb<UQMn@)G5!VZ5m^iMkc
zq>ln9Z1AKl+&eZF!dJKPquL49jPia6FSlo>k+ew~(h>AYwRIL5Os-3RPEI4U?wEZ+
z4C@+=N^UW@R{eB9=>0=dIzJT$<cNFdl+^gj|KByh4S*abg&Et`3AR1`wPCQ@a%N&|
zyh;z!G3fr2*`;&X%#&spc6egY4>e|Wl^U4YIyN${KkDNuR7kopU&8ZI0@qHSA6zmw
znGg=I(y8T-aV}HLFx~uEBOCP>0aEaw|Kz>D2u*-80f#1S=l;<~+Av@5{AnMl7kHz3
z!(ms5CR_y4k<CwLJET;H%8G<yBsEyv2c7+B3H8qA*2|x2P-N1*yXopOom%~0ir{~Q
zurJ@ix~KRSbyL8pwM|qOaL!11ja%z2-C$L^t@QwjzV>bQZoBVfzw8PQ4jvsa2*MzN
zA_Cs+jmmi|stc7P&rTL?ud3y=HJkiv=pGVa=q<$!lN7WFrxA<Mj(AJ2rSJC>ipyJ>
z60;}<!Oz?{RTE*C6k(KIJ!*FfGa4;K<*t=`UG|T*NqP80C(O+GeGCqi<X`oe`MXA2
zJzjL9>q^GoqbE%}9Of%6GbdW42)-iow^F%J?7$=0%V(X>^nays*jPllh<9AdP?Bvk
z(E&E9kkCmF5ZJ!QpUs(~WzK`_luCM<sbCVZ<Y%Yee!mZ|+M~K4_IfvW|Ljg_=a*CA
zDjBf&x*j+2n8xh^jM13y!JO|WlPH;bAEL*kZ-$RAV)v*tu_p&8+ve3NFgFO~T8!<Z
z_>InN-8hUEC94-iPeRt{tZ`|TJC;-@>*fd4aA-EvK_eCeA{Vw#h|4!lw+lXzl#MBs
zaimQ@<ErZsp*c%z)1|?6HWWG6vassjT4dvMc|KnovTnW8fL%6rk1CXEd?bn5eZbsV
zf-t(Dct;}F`ni1OXi?vM(r#$$-x7)#w2OF5n15y>s{`sU9t_wN>)C~wZ{lFt>kUnA
z|ECnIC<6N-(k)9Nbw8fUOp@?_GhTO(;t@+ePa*Mm;?Fwaq5|y=K~ibhq~k0zQYp+g
z_+<9|p1nWF@j1gXFV`7{qf>s68>)d_*1g?MgYnd+ukSE9`EBTrc$Xrc6%$T45vPRa
zE|9J$>R0@+m^9$_=k9)K=HWvPEZ3Mg;m9jg?w!*lJ0q9~DC<gjJ&sh!4x2qit!l5j
zWvGEWWiY;8R8xDvg?LedjO#Wy#m~a0+SPE>ZeZKxWjxwsZmHzGj>o(|_Qa<48OEm@
z1>4t_Sq2$YZ&iEh2et1D@}AE+epanRqEDq9N+v=Wu?Dj_iF=cOxb|w7T--Uk&aUk<
zzJm`z@}0RL!6)cK1V`{YQe63o#nS{|x8EAoPlDf2t5p%+hM5FV<|Li(0uYMx#-QU=
zp^sT_Vf(Yp7y9}+%Q^Sq0W;xs=#C7&*WV6I@i4<P8f75`VMG`?x5O6ZSwC9%i;xB8
zFk!ub|M3J&tm$h-QbNL6v?9)fPNE(o%#{+hNpY=kL#FPw#>fXOof(?cq>{LxRYn%X
zE}XF;dw!Lgv#GzdUzQZc+ePmvPI*+-KQ>|&ygH~RP7jk3wQyF(V@#B~UzTjUZ7P*I
zRej`AO@xT}Ov!X^1P%{R`nJwS3wYZ|aY9;xl#-m+ecfGmltm4Z3bXlRFH<&h!?2$X
zx;wszddZK6*tC74)x$Q{oQ8|UgEUb{CuF6jPM>W~Mj44yY}DQL6Q_Mkz#NK{ZXL{K
z3_t>{gb1Vk1)$rINN2$bFR~#-jKBL(G{SnsCFCInJZRs>__mBhIp?X4sY|>g16;^0
zy2-;9_sTcUGTm)HX{{Jx_R+6oc=TN<iSoqqmr^BXL|9K%y=(N2m$4G-;Ju=Mn9k1i
zpW1`6Rh4f-Y(0tm*t2LN^Q&pa>ATK72V|Fdr5->27V*jaC{YT_ctj9jXGsBuShB=t
z&|~AHNHbwt6eT5L?&vOPOSn07yx$gb=F9+(@%~)yP@S@eaP)XC8{TG36;c0!ssu0p
z%Kw#t{BLuc4%8ZFSvB=RqU>M%kZo;ZRW;~*;nr)B7?#CEMu|SXLNrCCwBNpLF)CWh
zIr*;2)2CZUwU~>h|H$%+0Q8(`*}emkUylv$au?8XxeMz(W~ts$H_(wj88@jzz%MR~
zU9#EF&oZV2-$?0E-7(Lh!?cwY<Si;Ogw^)K+eiu-NFwil+)q;wU5Y5HGb&sxN=>~U
zo9(@0O`MV|eM{7o{`u$NxUb4_r{ndW&p-uUmj0<<OCuMNvca-B(>-7Kn38h;cUfT1
z14v2s2co+~Vdm7%*atU&4CCW1Q%!G<Ail57Kp%?B8hgT+!@#GpKgp1X>m!}Rowy#*
zFCemIaen&g+>NnA)c(1JZL}U_y-(!GfAAw0!H6XbRgQNTOWwFsy_#txphyOc$+-2z
ztPEbYwFttqcVsyiFV5QYZlyCbdkUuSL%8Rk%#JsOk}{1G!}Y5pUsQ3yi9pXiEb1}$
z__8wU1u>&Cn#I4!`sQ*tkB9w@r!N&)+t1v{;uH-52+NWrpt3f;wb&^Ud+@~Qn;=;?
zr;t&Q({FSlI!Ua+cTQ?+IqZ=a-|SP~jt&+(N=5pPZ+v@8S&e}JVNoVMMH*ayu4Pv}
zaV+i5i=n+0<a~H~jV#$wEErwI_(O#=^wJztzdz;|*I3*UbS)y~t7vdoMX|oysYq$G
zEl}Z=*DF7JC(DSPEy8u<FjknECm>V%YYo-Fv5w*I>S8vI?VPO>`Ujc=>aUOaAjOf5
zjl6bQ%xS#%jzgh&^ESA+S_)H!kF^UPLPk-{U^jW(QueV2<;ro4@VdMurh^4+MLNCn
zhDbH;#V3f$6w#i&E_6DiYX1#UzMfy71@Lr)+Zu;LNNLn`zl!q0ofd`hEe;Vw8zPul
zsB<PWVLn7DB_LCv1p`r(EuU{5c&lFFJ<;4@@-6ot;1pX?c~Ars?9rHCwB^vaQ2(&R
zfz+_IVyAd)<Hbszgbi2I%aI7TB$H$a%)P3(Ma9^=9dn9>k($S(yEG<C+yo6?^kwYH
z4^&Jr28l&?H3w9SI^QP-HXlSPA_a(wU7;O}j-5zQJV3%dZI_reA9UA%dLFVBleNNV
zJ^LI!Ci%xCn6=e>ALY(Xv5Qbb^Z45<$oiQ_rt7uWC~f$W>#<Wnkfy&z<-_&_!}2qS
zqFkQ!v+ZT~VH6Dzv#;nSz{KHeGiqy*DaVO`U^Kr3p;|flujno?2hBc+5^gWN?5e}K
zbP6c8=92m`!J*q+TFWe?C>m@*pm+W*f!k;@Pya!{R3BeDqMhaFtogNJ`_>!=t4XeO
z21<?EN=_9q!q>S(0`grGddO|3**efMx}HhOEANAEn6Q580#Ts%wNI-7+j`J2VACRT
z`393^#99`FX|KhB1#n;~i+>O?aS1!*tSh#8DhA@%6@4hpFpCO<QM-Q2%a=|@mikdS
z*s7^s#$eUGd9V7Q+X=A;-8Q|HPOAJdej-riLpV9!@&P($9wAJ`+|{EzOC$ja78wyZ
zer=lsXKmfSI=vtpcA99Ap!uf^NP94EtSI>B45I)VQl5`!p%!0@OR;lUEWz^1RnEro
zW`-B0EXq;?&BfI~LXJIPzgLZpKp3Lh3&=rvh^cL7*YufcIB<v`H>lH%QR~l!(4r4A
zFA{~Gb$v;6tOQmwABm1=gse=nYQ^D#RiIj6aq5>Z4c1(%c1d-{Y=g`3!JX4|sn+OF
zipc%vOAl84o1qoM_CHIU2U{)nzr>SD)phGEr;01Kc5qZR_^f>m=VzYL-TpFL<M*vW
z@Lp6Y+36ONA73mKpJSZ^ZAgW7dDg^#iaH12wm<<Vy4z5(Yl3FxzyJ0&WjC0O>EOj)
z!sAwKUQ9%(eiW4_rz%3f!4wxB)EW80HH7N#gi7858uwt)^=|);meh-iC>3|p4pR=c
zOyZs3mH?)mqi<!(=NaGpUXhmRwIcvE3=D8#dMm`Qdnpc)#L@LelC#n&q`jn5OrfD`
zziUe7a4Amau}N_=zH(+aUROXe#ID&G!gd1s6(<Bt5Da{l=RmnngWrCZs9A3mq}lEx
zblLZSiZ;3Iv{+4-<Jq;|)@#<fRcT(Vr)t007|vu}A4+F@Kb*n*KKpLMYzQ*3<R+oe
z)7C0%8kWrEUY#7`O(p^hNIucd=Q}^10Du7pQ=OPmg`1*k@4(jg!zl*eEcxaBR%o;j
zg&GN*Z36eCzfFOF_UN3E?9{}wJGUW7a_@LqP*5E(0i$~gH_!JGv+VwCG`|!9<FF2>
ztdzZX-g@`22lly%%JnqgTeKyx4nhfThPXU1anJII3~q-dVASC>wKaJKI20dBDTbD2
z9#b7jW5F(-z0oDSGG%vl7CG83sR*0tjq(P;{9-}@U?x`qOO)_u5QP+g0b+GxiOt3W
zs9bL(NzeLlYTc-$*z6S+i5Gy#k8j7MrZO(YL!>(R&|K)i)X`~C-jrbK4zCy2G7zbs
z{AAa{04930ZB-HaIcK8#=+`oS+wP~JS|T8=0V?!$F91@oK}GDkK}ke0DGGd8v!LAT
zryjC(!{!k*q$FT@`TnF|^A8(iiZ>Xdo(n`%3kIc9x*}@fNH{}-)#PknvS_jZvuP%#
z*{A4>oPf&htW2B}{kt4OZp(PLwFHfB!T`38K0Z-!BpASV__AWC0DOm;D<D^l&@fmk
z(Y)IN*UxOB-o|J!kvYo0@|p03sP$qKv}9&`s)QR%ZJ(<GU_8ij#EaBm>hHNKBEXC9
zRUnmsN{!wK>>TM&_!H8n1oTdAuWshZZR`YsD}Q54B%kyE{-ra9O-Da$mppA=^`uYQ
zm#S+%e@DXeOv8qi7{zd(3by~OK2ys6xoHmjJj<@>h%6dx>y;JMG^fs2X4?iRSb+ZT
zwENExGk2Q!jM1V4-<#F9MZo;WGTv0DoP$H#-+=`d{$Q+Z|7^$i{OGNrK(wS0LC7v1
zfeMeL1EV-YyuQmofJrCOpd*kUF28B}A7S8w1Jct4T*Gc|y!ymvfyPDcYun{EJtn=j
zmRnUCF+zV@BszaOB>KoZY`<}HipVE8$x+DgNK$^)mYd^2qxr+6?zt@GC$7E5Ml+?I
z1Ls&gf1%g^Qlytwd1x`JaW9vVf48%Yi1JX_E|B&TU3<J$uhHv&3{zh}EZQA))<c<{
zJ5LeruEm5^am=42m*xwJuY3Z-N}QbPVoK2GP$bX4XHl8Wvax$z*dIB95Fiq+;~X)~
zpRu_{`h<ETe_0Mot)6eh#QbN0-j1s1EYKLPdp+Sw+#1eB9s!D%La|Vb?ueH{mj)q%
zQ4qmd!@=vnLt-R2x=B|1Le?17UoN~h3}!P6p&Yt=a8Y15<>%A<7-a8&Dx;LjPpEZq
zOYSdujkTYCtgPI~r6qyG-0iySPw&iHw}>o3RYIWZif_Zo_$&PQ2(?k!8X6iOTKHHC
zGjV_azyMC*M@;Owxj8B{HueYr8nej#DCK4Tn|{274Y|@~XC@qIZJ94M*cqsb&)(f$
z_jCrL)va-9FpYb$5#!N-sYUa~#F5pJXR<)El;&Nfoq;`u$rQFd0|_u2rGNSZe*;FO
zC?R_PWe7vRCU@+$5Y1|&`g%A!T<C2nfa|Q~FO$#5)XkjcX?ZG=uQ(fkbDB{sav6n$
z^e~CJWJ~~zniPyMm;5O80l4MTue7jrpc{%m$HNPi`1mvwfk3bz!D?Bhqe#cLg`C!h
z(2}T7PC7SLbJL#X>xE&863$0RVRM5ebe;|jJtra}njb|iDp9Whr29gM_(wW%!q&bd
zGTtw8TpyC9v|F}bl>{7Qb20>1qJ;rVWlZ;*1Qfrc#l7uAz}7Z`8DV_8j|Q`AKZzoI
zYQMSM-cHD8|3wA`j?H9(Ol*#727XXJ&3`W6TPoKEldLLLb#<8lCdoW4<u1UmnZHwU
zC&tTB5k(&B@M1$&LxvJ_)7aDc<&8-qYa=f>*IH?7rx3Ck`kkk*502#-1hZ}Ym-b)6
zW1?wnK7Uz`xea`0_vRX6_m7w{WTLSiLd{IDG<`|iulFkT*P^om2W>j?)V$vM9<rx<
z3mSoyNT@JBQ~;@N%u*pC?jKtZLSmTT2!geCw6J+B%>YcK9-zJR(5P(^guf8+(T$If
z4~e5!wsfHfK}XPXRM-O8{Fsnz9*Yrzl0+LsC`t|5eO72|h3Ytm({)-s&h8VY9OHqE
z3cw)K{!?nk4@3#{M$BfeIqr}j6Uk!2o;{Eq4m_``bu~_Rx)G-=TPeaq8HuU;Z(lBZ
zQ&{i9(ODy32=IIq^to{x#-&&C`q>}nL?^HOnd8j~(AVG^O=g!ksm5c>N0w7cNK9N3
zaaxbi0@}XOa|x-b*Ki>I2ibf=hI0db?1=*9aG+QHWVhK2Ai<QpA4%hnn5X@&<o_X6
zA<>4&d|A{JZT=p55y`uB5nGy=^S74LTmfz$xFAyEMq5~r=2B&zs!ASr5g}84pM85Z
zIOVQCKz*Qz&$?rssvyANeP6I7eLo>TDX{B%({?SItOYc$ypE371{+OHO>GERbRm9h
z$T8-WyTTMq1V2xpL_9ELknj`2-N2^FRR2n#jUFCOz#1l>#FF0bxHjO#hwY;oypQug
zDT#nKn3}Tjl#VZKjWo+}VsjyKcXG6U_+uy_$qEu6$<E%eJu{umbOkxaM4-O61hw)H
zX`<jt8F9xeHB-|yaj&IEaCFgRHWZj&njVNuLL%;H5(tpwDDbr}K8k;P^OElFmode~
z#pL~!|Eb?_=z%<MSX5KA&e!AgBiBdy1g~8lS|cw8X-NQ;04dCNY46#uk&|5}l)i6{
zeSttO_N?j?8AEY{I_%a1=rpdyxUi2M5n_`?5qhuX(ql*NuCLD7CSHAMZez1Y<JU7B
z7WTxShIUAFHbclW42f@apfYL-NXRlkOiIY`MRuUkU&&BhQgUKtX?dp<tf>7L(NE-i
zh{BH$GN<N9H2cUUtlxQz4D!R5V1$p2K8Pkiu{6pnM~2ZLQ<ugmCq0E8?Q)6U5DRx*
zkq<IS5S~-+*1eH^B`2j{!CTPQwuF)l=msE=41hRgT|Yl{xqFg^0dBU#K}hQ9Eqc>T
z=+4HRv_|~HxabZADwq-o{#(6FvgH%AJf1?FwDiXziixS#1OS{!iwvy5*32r=X}bpA
zgpwy(<NI%l^%#Rh2zv^V$=TUiG}(Mow0002Jr1Id0^UKfcb5!Sl0%}p&nhf5FOUW2
zm@t59TyK5u5$o&g%7c}%)PD=TziQYEV8e;kvU^CXoh?}TI_E6VJt%W10aJ>X0aL@g
zQyA+DVfNcL-nz{|2=_qAq`dufut<Wi{qglk_uadRx!ztWISzn3zztG&1ThqGSSLX`
zj<qfTwgfJ~TUr6y%e+~#7niFXrK><T0PqtYOrSm;f)7#5mQr27E0I_8i&SWQrC0^8
zEEW+wwz}C*)6%#*|JBB!*4)GZe<aDP;s$gKdMsCjTL)Eb<!}>wFcHN*f4<$LUX4c#
zX8Q8!1y>vV*<ZZ&k(ZaJ1c`wVk~#d~=0~ER)igCP2mpz2l^n?*n+v0Xn+<_xzo-Tm
zFYopKkH)w_Hz8B=zJE&e2PN!j0-MqW#lvSIbE|loUa&+eVEH9))~iH-L1v?oz-!sP
z=jbX;obZ6!T~+I@74K=XpN0N_(=mk;!N-<UfKs#X_r45i?J~088VdLyCWQI}1w(eS
zqEJR1@A-2<%*|bZYr=yLTLFj|D?qr$v$3)9{{HM)|M#eW>f6wVTNRuQ2M1e7!!pd*
zetY=mZ<8LG<N^~nML;pXxd5Z36Z+|rCc=2u<fHQ*tFn=z%L-Awj|Ah>6ah#Dx4Ixv
zlD{;JYkH+Lz7~(Qfi!+jGvVbIt>&EpB4o4ezGsb28!3w7$$-V+ZHB9!hEm(<8~!Cr
z{Vi3%@F}d_%Z4R|8BEUdodt>O)PjON>MWa@RTep#q1R<bs(vX+Y7aPsr3@xan?x{g
zTZcNoPxCEicfQ%6P3<ZU_ckH2g64D`B_`SyeWxBq%;`Y~vIqtzL<;vHiA9U*{b)*0
zFu_nJ>j&%Q^2nzEL&xt~)+e8r&4bwg<DVY#5p0|9^aME{3WDgeQiMO<b!^w<z0FMJ
zNTXw_p+@gRMO5Cu0d`6(7NUjdl{|po5MCQFbeWIuXV>vDgb6n?cUd5+m(+i;s6&Fk
z_L&xL1_hq5gJx)GE=k1DMJ&Mr-rMn-jYdH@lCw44*}Tioug~|VM2BeLkJ3H~bDoyh
zX@>uWaQ^NOHwnTb$^~Mk!nn#h?0QWx!s%sdiMkR22|{$6<M@QT*qz`Xl%dIqWW=Nr
z0Jea>r^ffvvx8q|+g2}j#`-y80HAQ~93OY5&DA6vc0N68K4{4i(ilR9$1MERJzXX+
zb)}R1-<441+0}2ONd|D&@she!*V{~WqGCPG57N--LgU9Ui&vKq6W@0<`CAc7l>(+b
zWdL3J>UpalJPvo8mYOkg;pbpB1;CF+do~}`{XiNY?w3U$8#%!xMMV}_NjjtHoYLqd
zyHTxPa~yjr_;diBqIt6*XmeD#e?PM1e}XN5Vl+NTB4bN$nha5?25eyk44EzkAP3Y(
z9BLtzg23+<s#GXG2xLbyR44NQqa37R;!-h*R4~}h^0xvgxrKO(lqr8;?^O)Nt~b;@
zN9u<jhuVhtitrct-*T=X7_$sVMSH8;kt&{UWzLB|3flV|MR`Slmf(|SvU)fF5H*Mp
zf4x?uXfiLgsg}J_Xm5u9E3*fg9MuzejY>VGfeJBEtLggbnVL9Zq)8zF;ly5O1Iq?v
z-ECs!jepUn|3-$e2U7*aS*7#y+)mfB*{A;uzNJJsT0t@rtD(W$x?!m0wa5rtfXmSN
z>0R0!rx}a7*du}0qbb}wfB3|FzE)Ko@r!DH1{`dhb?|hjgPLn#Wl9QhlF>b4_spZ6
zS|b!FYXN#gemy(bsWnfTMJkfUSp`6Dey)ElZox*e);3B0fGr7NLfqS1iCN-s4>A?N
z$$*AP0eNM?FuOtkEt;>;4MvZ_`}*d7IRQYZ+>)TCk;K<!L((D5%D|dC?6y!#xUc|>
zQGPH&+itO`4su6ABo4R`Av$oJqFhoKITHK~2|mRJ=T|;EJ2QB@YmlrmGN~&R%(k;_
z3t2z8yn9pk>2<@en?vkIImxkWVkmlVNKAM602?LZc%t}NDgr+Dva1$ja0Czsz{8>e
zLDvc%z^e|KU`vf^F+!m%eL&sRk!(f+AA$D?0V8-Jk64bQ)sz}~PsAXp>7xlqdaG4r
zY*ILq_m_A&_z3PTQBF(+a27~0VMxE=pTp`$k>K3LS5l_Im9rTA0(w=xuyWwsKun1w
zfcNig2UEi;iqBOx=(JiSxZnSg)1W1!mcl7Xf{B}${zhhJ1eVf${GBiWmH-PV<Q1&D
zLIu;QyQ-FACQpUnbIwsj&~=so>$xp?fQ@B^a(b`jt(BvGtC)4K0Vtr(t0%Vjo^^YW
z*ahgF2k8Hz`Danx$YZbm{AQ3tLad`u?N^q4Cfj95<x<!TT=Ii?czt8myN3fMe0{N%
z^^IU`gGQCFhekg%8|a_8xX^=7u5XoLzP6ixlz(wF%6$|U-?BLu@~h1d#)k1PzOcB8
zLFNjhlc*a^T1$Dr$5m#Sh?H=DuGXk$h~y#Dsve6GUfm<*GR$lZ0T9*Wfww7@5m%Y|
z-DOP6pU3WDz6~KsIlyBij|-w=e{sQx_8PX5#&Vd2IO5rhaNIgvfe5Ge_U+rN^94KC
z)EP|LKpvZUu4k9N^jC$@WiupBc#jm2MhaDCw)gr>ZlBBBd@_sC<+cR+`x>r5b4Uzz
zBhY6y>G5sbn?sLA%Yy9O3OOz*Owre2$~N)-!hkv#0({BKgu(=#R{c;#&|GuqacQ-*
zW?bkK-&~tVdbCwQl?qG(*<ur7<ZG$*7@qF?PK>5g=R`Hv$vpyaIe#H717$A}Y~agf
z#bzH>X%DBTr;D?*v)=*vDxQ2I6E-GnWPBij@dU`+=y>dwye@%cB50FSRfhaEA!0t7
zkd?lyb%}2A&e{6YhFP`y-(}AljYUQP-EUSTRepQlo8eP`-yqY`F?QhcSoh%MHa>B6
zW4U9s(wE$j+;;m<5w&q^mSau&6WOma3FZ;R=*M)is*O{UvQjv{it3D#A-<weVd5O0
z;Si^~P9q@;)bE-5SJkE3A+gv9P<-=)70l!LO4Of<v_6#uzF*j!CqUF+Xn=9nKIJiv
zV!HKcz1p((dD_>7`S})FTH3zop9|nNFyevPAAL%MAk76>&>LlX&FZE4t=c=8z!464
z;2?on!1Z`1WIEjo>Gm+hI-?NiIqJ!x!1NEELKlr-qO);;$OC3D$F}su96gwmt4!Uk
zr_W%NEABiD8Ck20jg}gYBqv=s(6`{XFfDUZx{a3aHN0!;)ExOC;!c+;?mQBp;gUYK
zUes#y;ulLw{P}9ELZ?9qAVK;AME?0E7po-z;_3l1`MSIQ;o+&P2fm!y147aZS%-KE
z-czRb0<{>x&tsYdRoXbl1;e|=lRTM(AX87N8}|~Rs$oB+>+}Wp$YVX4bI|Ad!LW-L
zdQ#TklRh=5w0Bj@$&Jw(PI(-0-R3|np4UoHs*t(^CpNrG)XQ)H5<m9CF%RIx1M=Xe
zW0EL>V4=az4D1yB<jIriy&sM5tQYDPzw10HtSB4>ry!a90ocsm&*>MCs@;I@8U9LS
zwU)vIi<}T4{zLuX#KkQzLGE;j5jq~4WbqtT_WYIBi#&4<A;T)!I-i!^L1)F7DHR4H
z$_V&vO0G7&e!fcim5-2smx$v72Sk>OX}rtE)Fu0!VQsh+6fmJ&S{J!}fL;uFIBFwv
zVRW$6iV1r<o+a_|95~mJDb-dhoZUvHIUN}lB(zO6Z3MP*EdowY6<Xs@{AFoXQg{kZ
z{9ez-!BMa?NZctF-s&D)I*re(W_VHTV>sH55}n+ZIvO@69CV?k&w}+*ixRWFpnp4m
z+1YRkbXeK&tWeUa>N|eo60PO5BZu$DTXGe#96hcE8Gy;FBflU2`x%+wOW<tJ=A#Kf
zuCciqGf$x0zUc*s%#REec5=M0&n+qya*QWG>C{_ijaB)^m2?AXWeO`&SQ|}hH_%fn
z9R$NWVXlikI#t1J-J`hTf;7AYb>_K9UsSS`g{ye#WuGZ>r~P=q@AX^6FkJ*gN0oMx
zOM$AE2>D3<>deTd152o4(Eh&p`uygjTVOJ(niELs3GrU`AN()`Lfqlv5GE$u_Vue~
znxMOCd_sb^9=;i^rfCw34I^+&OaENaTf!SvX4>%c)u*eNtLJRD&_+2xwd;$(Q9F}6
z!^u!UyO`q1Yw~^ScoJYMiCuJc5EF$Q7uO%Dwl3w*(YqWrC=2spnK{B4o8x&v#aQvl
zqQUe9?=Le67lrp=>MYW;`+2uTRHUz=PdZQ>&2qh7+#XEzg$FT5`aOEiHBSowf^<OQ
zOerTPS4*SZe+QglTLFO3{3Y+cYUNWepqedi1epCRfOkUe)m}~$@>EZI?IO3syDdWe
zA`q)JvD?<g7+liZ)*iy+tH~3@3~0XG_9?9IsNu-F5q&}JkI^UJW3xsD5tTO1YqWx;
z(wo(sdj?)JxsZv4xR_%W&|1B4+lzc@;>ni7P35(9%vW=iOkd`cJiO4>M!(1Xf>xEL
z%qNmb`)4Y4VU_IwMf&-(sylPcgslU)Hk}D#zZm2kz4&jhvN8o+m2|(_i|IBw%gUe6
zM4vJ;lr%uqr+!!Cu7(wFdwKDwt3xpy@x0a5!>ne?Lm!y_0A^s>K}z_d%dBX3>1%PS
z*zAj@3C!yoRXshuVryib2XC|pL0Dq%2;JD+X$D7yzPzN+ijv}B5f`ssJI)kgtczLq
z{bjZjsu;$SGd>uvGWtY7>JSWRC3-dZvit`e=7I;tD6Cih<lF6mR_QJOY!HjkX5qK2
zazFP(eGL3-Yb(H$+tf1UIrHVblhT;e>U;J`s@dEm2<HkoMET~;n@2d_csRnBVk>3>
zV^D38E$P0)OOm-(2Ry&u6`NwQdUL{=2lVqhFu{zz-?n`Ur!>wUvTkNd-Gye=;M-G9
zkgP2|&&}buCi)>4(a6V7StImFpH2;bTFyRO4nm1`QD!Oef2MM);zKO#8{Yot9cx$v
z0}Xx3S0QwC{$(MyH3l3D3A0g~Yyq+u!bQyjIEw>ijG1wx&0!vnkn)oS?NA%Cu6nDg
zVRi4;0L7%mxAjQEXm(P_`2^aj<mqB7QW5Oxx)TL`51qZuD#C|m*1BrHy-N5z>a7Tw
zP3?;|ahvzK_bMZiK75hFS{vj>Wj2xDGPkatAaT`u!u8pf=0u*I{)ArX^e&%1Dy>P-
zw}Y>p&&0&?(mD`p!4Bn=CcY(4yFQcZi)S4%1<szjg~sAV-cXF0*3(~?PO_i2I%rl9
z7{?A}KcC8CFPM=pT-ZE+EtiwQ)f9jDny#ewj(onPV)}mb&zBFwxje24_p5f;XHO39
zclpjmXb=3L=o#sPQsniC8XEVyADAD`uxc{VhfB9LMKKna_|i5f{B!JdB2R98m&V!j
zY^PfOpL43Tf$`|+=?ZNIDo}2*5A=VZEH#OtDyoU=n@ULFPRuCidKe6!QB0NQL;b3r
z3(;W$S;@w`hxfvJ!U9j9JvJ5io-hUM;u14;=oBUcYsGEw?(4q?X*Fd_o_TNHqu@m?
WIjl{59tRE(gJj<*NtTNn2K+zH4wtk5

diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/favicon.png b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/favicon.png
index 3e6dde97264d7a9305e8efb15b48002d2bb63484..9a8472bc4faa57ecc19539c58f42b5fc61099cb1 100644
GIT binary patch
literal 2100
zcma)7c~BEq99|9uQIJ7Iv}m_WMGKQ`5(Lef7()Vta)=lt9HWF}lk7mUVY4v-k4meE
zg13xXDLU9Xr~?-2eWEg6R76J|K`mMxKnsXei>X@sl5i>2=^vZyd*AoFk6j%f7wPUc
z!3}~S_b7=t0sM2UkLz&oJ4sMb1wq5c5>gp0i;ck)q?RdHk{LMDtknY?f_MV6UarW*
zX*dH{6FNTf?8F%aCX{?6DI}H^s~6!KLXu12^K#>)irh>ESBVH_x$(>xP@u(WIc(Nu
z=?s{ekJ$8L;N5zSBCw4@XYvtQY&<L?DI5-AhA>&kEH{`(DOFg4IHFe=ocM@_ru7(#
znoK69DVRx8YLw08a#0os<!~5)!7$|LXt|l8Gx%Fo*ma0;gMuRTG(qZMt4?_aX{7lG
z0&uv`Gp)W~xz5lVJ;(!Umg`YAlZ6f@>op`z8Z_ibMEc<&g1DI&h~YgmR%8gBCR87x
zTah7jkn7mkPe-BEz88pr4qpTk(VNuw9O{ePAkER^Xaa5^jg$fpUxe#ue_JkqHB3a|
zavB$dhmUYroM{X;hrwb?*)uQ>2jj4VSZo%npBzgn302O2l7lf$C?I2l*`Pg?a$5d>
z`27jTtZchepfx|~(SVGI%pxh^9Ec&<=Ij6zB@)F`q>9J_m?0rD42}vHg|fM!p$ra_
zZR1+&hQ$+RJWD1fw7AXydW?^R*rOf*lRpC5Y|jIu1q|2~S}Ti1Y2|7>iBQs-eq96i
zF}P0sAz-afmeJbai8=yQlw)(wCL<fb_y{)?9b_hX2xJ`@m}hGwOhOoFlFG4N+2?2;
zo^3zbk6DCmfMD3xMwnb-wa-WN6sa^SaHY)!pw5mONEL08Q@BtKI*5-5RVo5_ngfH`
zB-A>bf;lh;41UP_QYH-!G=5OXLEVD(dWTxay3aixIwSy|jWB2r06F^|*e_sFq5Yc*
z9Qt=1t^-{}flU^EvAG0-9P$Xz4@3F@f~IaXZmf$A6MC-_9BRX*-q*`kt~hjMs?*-s
z4PHKyg7Gh!+O9@EctjoWx)G`g@)m1z8Bfu2Z3E`I1}V5*S=c1KSAVOffOo#c(lWi(
zPgTD>q$J@+?tRve!Cc1U9?ZvQtDpPic3Io59eWDO_HRC$zWn>YmZ4P{N0`6N?>PER
z1s<{|D4p;wjh8Z}@ECrwYkLEpxthMZd}&|T_O4w4<GfD?ztpUZ4ww@7hN$-Ou+%g$
z+a+&)Z$syAN=cC|SQq@ml^{V6dtt_UyrosyvAMA@&Q-9$?^o8!(WCu~3VR-$ySkyh
ze4`+(e&^(%V{6RCjuSG!lx$MO-#jT@e|f?<et>`Y+4gtMr=LEbYx?Q<{gE%P<v(v4
z?S8i_aaz%O|MRb~;djTRsrFeKMZSy2oRZxtacMX_qBSXzaeU;s)P_IHBMwTEt1lnC
z@TiM&t0-*9ak^SpT>7@e&<#Cwx9rQjb9a@)YBJR_+;OM+=>3zO&%h^XgkF+tfFO@r
z>*G)y<nbA((2OXtP^!u6xWm?+WBKMkoZh%Utaa3}*)E+mTb$HaCi>>)joO~->9Rb}
zRVdjZ2+*Es?w%Rp(e2Nz&d#r@3{0xoYFsjVW_s$)4)vuv%el=td)yo7M2k;%wU={g
zO}P;E-0hkN6$Lu0GPZoda@y_T;D5o%d6X~exvfU|cAfUguvfCIl*0=mOV^e{)s=yB
zE_}}SHfDyS2}#9^i+txq|8aN~-ZIwFsYva5Fa4xw*Tq`M;ZCh%_Pe!d(VmCA#1+nS
zgM>G~?t2Zq)Olt~m6-eUWXG7_7E;G9K8D!om7kw5#e^<tXucPc)>)W8aoN&{o>NYd
zbu})oF&Y0<8|NNbTvu~_Y3(D<>qVj$`Ic;T&x-B5GV|GO^(m8BEu!6+>h_bQ@xiZs
h53CvSx1g+m>lDw(Jl!a)_|E#Vj|z_ySB9m3`!C-M>Ky<8

literal 2938
zcmV-=3x)KFP)<h;3K|Lk000e1NJLTq001xm001xu1^@s6R|5Hm00004b3#c}2nYxW
zd<bNS00009a7bBm000XT000XT0n*)m`~Uy|9CSrkbW?9;ba!ELWdK2BZ(?O2Mrm?o
zcW-iQb09-gHt4*vi~s-t7<5HgbVG7wVRUJ4ZXi@?ZDjy5I4v<TEiy1MG`&gH`v3q6
z&`Cr=RA_<KS#5As)fs-yJ@<37yUB(P3;BQqBE--nQ#;7S5rGP}qksgaKudyku+u?n
zp{>YLbr7utDoT}FTSci_WfH4|kLlQ{+5r(!TP0CQCBPC$h>7`PvtRezz4!D-vP-~C
z*a#)`nc3OoyyrdldG0yqJ@0v!aL)1n3^DcxAtc^dS-E~SfYkt8!@wyic)e=~&`$sW
zJh6F`!XoT>01E*q!$B-5oO{>j3t$oU2SP~2RlBSR01jBD6>o|QSmX8nI1~)sp(qNd
zNMp^%dtLf#9u{x_IhJWDOlM$>#SL)*t*xyqHBF;-yB&(Egj7{sKnQso!!LkC0`wmJ
zJ;qpRAP_((6p9<;0x~l*Q`_6yt+uu{!C`lN@$~PvyfrLz2f)e|D<XkF0HP>bnVFgK
zH69l*W5$f`?(XiK&p!JMCr_T#hll3C=<e<|#*7(*qM{<6mX;>O+T#L(!64N%jh2>{
zqOh<qzpSim;qCM0RRh4Hg$thp;6d+lx)LA&B30GZivjSRH8pc|T`zPv9N?VONF;Ku
zV=UtA*}eM+fNKFj5CoW}2_tIk4Tr;zzVX*L{z54oMJY}2tjiD6G+~;iHT9;cbH|Pu
zyPQ&bn<PoFtaH(4_MABc0EB*iivc_XfX6y=i%+AJzFm4lX}Z(tgkc!x4RX0*Sr!b#
zKuSsqCQqJhc}9Bnn5KDK%+`k&0Zfhk6Q6<DNxXa4uIm7-<($uDtT$v?+(I}UhR^52
zsZ*y~L%~qJD2jGMh<rJSbIuLZG<y_9$<N8j$<EEoh23rk0f8*bkYyQ^(tiMWc+T9p
z2l{*x3y5LY&Yia~#vW#jmFi4~VHhw?6Ol;dOQy4@a&vPxFIv3#vTSzCvdG2_8}5~5
z`94)sb10>~#3dQBB7Z7L(j#SM^J^{;J-C1vwr_u}T-Wsn8DkT5ri1AWeTPY-uIua9
zS5`iEDdg99z2%Z5J)|hg1X-3LD>4*Cfh@~DS(ewAmse~}<d?L77;1Lx_(?}+$128H
zzW=PBL?RLBx{gRBQp*@yXS3OAe*5_2Nk^%>moL9nmgTjIqFk>i3N%fF-EQZyA~)LY
z_9vGtDc>@f|DXaE%%5NK`QgJ)9X)!~1PBO0)UqtU+wHz)>Ww!RO_?%9pp>G!yBm>6
z1d&JtjIjrw-@5g&WXRvOY}wtCBt4@j3RG1^YHBJt=cui%<^TTVllpKtbj0Hs<w#9U
zl{8I-s;HtQN~^10uReI805Q=6G))^(Qd~SO-Q_}keLcF*`T+p#?d{l6Q-k*p9Kej}
z(@{`R0994d7nie>A>W5g0FY%FqA23?!-w(l#~-1yvy)_GWE7^l^9oZOsc>o(k|d)q
ze2+>rP(lHWF-{1<xbgXzFg_PEq)+hN{x%#q)&syqTU#5ds;iNmm4zu&rXVXT3qv_0
zD5YEw1e`v78lN9NjP~}g;BvW;UoZ)xEe$1Z6Z1y5;?4GPXbbhFpaUGD2?Y>B`~d27
z#w<u8=H-U2Ezc#&OaJj;)4pI={h43`2y9Kw%}Vo*9lWHZM4U9K@JzA-!r^f1$;QSL
zCr+G*+U+SMcl-p#6=!flI>wb{emUY6M*|_S%r`Nvo^u!=5CL>1<eJPT?(#aD1@KI#
zLJ;9%w_);U9i!cw$j=%Q4mwouZN+wf!>N@5_zH!v5n+=O3qmwa@sB3!(4NqzkGGJ>
zm;hf`An4WsW<=AtWv=OIZmkPG;Jlab)h;Q&2>jZy%zxBZ3(I`ev@Cbfl!(<!s~#qa
zT+Bb|FxusH-ih9O@&ufJKR5#5Q2?*IHu%kCNOyUi0)W{7)&jWh0<#am6Rr*ZX9gSN
zYf-4n>wFzR#sK}J0L}skC9o9&*bd-&0KdFAeE`6{0Dd=sEeK#nm)AKDfHcS$(}D9h
z@hkwTNfJnetReJu4`TaP-zO>b-vgJLW)9`9aM|t^{b%4K47`La^e&;%01A+J^LGs4
zx&8s#Ie-QLrvW$tTr@z$1-Lf&zdu;VF0XS5fCupP3;sy}l>lD3*u(l^3xE~?4*{5X
zfsF#Fa&7QGKiB}gviCdLb6^jE+W>%^oBd9K;7Nzvvze?*xVbM1z6nxKhvOd3v6}a#
z3jEyrIhZE)e3$%&hZFh^B^&MXI?oXB(VAeugy=Upw%X;uMzRiV--P(r$o$Eb7CvRJ
z0{C)~M_nO{f<rLVT>cScHO>xMz@mi<O8`7=a#*rRg{Sh~nVd#~+Ix`+*wsF^<4BLA
zE`>%lksB%iXqrYvQGE5qZQC{`LwIRL#ZQ}>o9=09YBC)T2OO>pJu2CQMJ{8~?W3AK
z(`^kfIm}f}-}|s7C@@*z6u|1L>go?J6p%0%0x$x=O$2}l3x|w6yx-}@zs{yZM07+N
zjm)qt3yP}3;c$Rb3dUGoGUNe3Rn?q=i3LUO5pFabYe3V<V@OX=N4=4bFZ_9U*F74u
zN48K7aznpp;Yl>sKmq^&0s)xG@oZy0qLu{>VOXXKNz>qVyOENT0>dy63WdNqPdW@+
zmc=>e$j!|~ettfDJ|Al9YSGr#h77kG?+4Rys67X%N)%L}7_2Zjkbo`#`+(lKMlELY
zsNok?b<C*j>~Fi>z2{IU6zX3s_$pZe=nJ`wF$jWy;^JZy78c@A?IG0G)*a@ZUB@y!
zBOP!!L`_v8%L)WRXiZu`Rdw~J0H*bCd*zjv7Y71?2N+`rhr-ZxJ+=-T2qC`_1Y!FS
z1Z*LMGy`~ub6yk<hoNa2rcaxWSu<xzDfX0|6%|XjB{R@PqtI)wy*igMwpQ2m>tbaV
zrZece-o_Z)1Ypbh%F2sojft?v>lHZX%Vk;iDvFYQ!KMC)EX$9SmseCJ@=d0!Qpy-x
z#|$=0*Uyzz^oZVWFyoI|*;yNZv}8%(n-ISc2S4~g+Pin}uS7{)p{lBfQcC)jRrbr0
z{P4W8vUidauzT083Fw{L^8SUbNF;*B##1=e*x1<9({qSYY7+$Eviyp}IcL#mG?<c-
zGASn~XZ+aQvBYMxohxi9GN?e`1n|h5xpQk13fQxI_cZ|S1n>(0D(4)GF&I$;EoWMy
z_4V~)M@I()D)dE$%MZ)4V45b<($X-oV4|6wolPZCidE(Sz(j8v^5@xe=F|e`CuMH{
zSOY*6gx+RB5I#0dbKd^_``bD@J0VHZ|BQU!^B_qQ{C+<^Jous2(cZC`Qo1i@LvNn6
z62PIDPdo~7&IzRyq9`H|2y{x4bpQMX3tj+#ML$@$7zA0k^pra(P)Z4<H2m`wE2;og
z?X0Q!VK^M#Y`5Dzu~~{CzJ&hy?z^A*{r;l5x;lFN`0<ZkdimukSAuM^xMS(kzvt!U
z-BMg!Y&xAz;pUk$1)$#y?Ay0bYiVgA!C(+}yFJ;<{uP7WZkK#MA6i;kNM>dxZk{<4
zKtBOKpKp|+D1yi1fubndurW=5^^ZOFop3l@Vzb#02m}P5&lk^7;{q}=GHjwKLen%z
zl5|aF<@!Uoaz7~z1`eRWX0vIM)Ekka(P+FN5EtNZIHIB`N>rraoXY@8hJ)>ZAb_mM
z5GC<%o{^q-5jnor6-DV1L?M1aT!n~o&fk(`sbbk(cNww9xBw1rT@?!^F*tx1IOn&n
ky6^t;%9-RUe&b2uzp$9K#m3Z@`2YX_07*qoM6N<$g7gSppa1{>

diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/icon-logo.png b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/icon-logo.png
deleted file mode 100644
index 31f8b2b248ccb831234284b39d34eaf80dacaf8e..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4195
zcmV-p5S;IcP)<h;3K|Lk000e1NJLTq003VA003eL1^@s6HmDDV00004XF*Lt006O%
z3;baP00009a7bBm000ic000ic0Tn1pfB*mh8FWQhbW?9;ba!ELWdLwtX>N2bZe?^J
zG%heMGBAcGSpxt758z2eK~#8N?VW3ERL2#^EwxbyBnl}~h13tFRnwwYRgt1pX{D-2
z{lbTS;9H|A60}WQH@u9^`oVK~ClD|ggCSs>w-az!h%pYqU<VUpf?+Y>2L@;3y}Nb*
z<2BDUHu&`X$8$I9WsLXk+i;Kcm)E;<XU_cYxpVKGnL9Tr7;`urBQ#B$*y?g6Ynt0?
zDl(FIpEL$OmJ{S@E|)`dxye-IB~cHwR!z&~A3cGIO+{7`cfX0|#pNywOk^rLlGyuA
zbGwUFiA+U7n(KS`PN(*<GLfl>%jI%0e61h;H{X2oQ*LtloK7dX-0BTXg(sKz+YkNQ
zZ@;CMmX?0_jg5`AhK2@eZf+J|wzjtR?;W8hGcsjF{lGcE>FU+1)YQ~O_4W01@#4jP
z_-D_a?X9h?r3)7>(B;dQMFJ$`qd~MyPE9Mvbv`aX#RjGYZ3t)%Zo###u8z*1KTph?
zYHDgIi6j1(Cr+H8lP6D7b#*nJIdeuNz@EX;aP8W)i!vY6LNL4CP6%vp1>dTwDypok
zq~phrQ_`VBhu%7T_%MC``R7z#UM_w(b?OwIK7Cs3A>LzVw1;6|ef5<H?23vC!T0FV
zqjcoR5h^Jup`<Uq_#%1#{{3{|zybQ~v(Lm2{2j@op<U)-T8IXgWo2cA0Ovp_o6SbW
z#l`f=C!bK#<HwJ!4<A0f$`N0WFYv>`g9k-oJ{lY{57R<4u>ADXPif!2eN<FbM7wwI
zM$2-(x3||V;P>_Q5%l1}gG(IwO-O{qypah%OxwG6FYVg3ONiU~dIY-8djNc0w{PD*
z$9qiUy=1}<({}FMNu{Nw4g_`}XC-`HH*elNMnr?2a5v=Skg1%3eKdaN^?Ju4kX3A<
zr^4sosHdmL%ZG~9<ME7^dHPJ{$nz+P!)N#I-5blyvbkMXa@92?d}P2G;e6oXy_mvB
z!U$Q0313R$NJ4<#y?fWntPrq*or<e2Bk+kcrmn88_KuE@sVGe4$nz+4#WRx>4o(k8
zJ#lj*m<<V^BY8Z3um%1A4FaD!J3Dbcupi({D3vqMlS=sBh`~F+gyE9`_=Vzdf$>h5
z$X`_WCl~@gefQmWq8p-!FQ-(FJ<BTQ8`H*y2D*OzI^YW?LBh8&>j@J3K;sQ2Gjux=
z1_QsXtxfdWp`)m<pg`&9v!va8y^g*w^!lRi2H;m9z$NCV+oMO1rm`Ht!q@w#(KobZ
z^Jb;v!&wFS`GkHNbPelW?!mxEAS0k9*5D0SHhig>(%s$d2^K!Oq8l3<z4i6=*>=1A
ziObXBX6RUKXlN+Ba^;Gsn*sRkEOB8Hmhny)egFP_>zzAyyurZt8!+(jA(~lHQQ^Bh
z9WI8zsjI77$#w9eYux~R53?F@Ngfg7jK?zkYy<E~_Gh=BIddjiW|Po{Kw)1q*=G+1
zmo8npB*ry@fbV7a%A3)M8W%8*3$z)4uMZ|TPM$nzy#0%jojP?YnSE^k`s=Uh+_`gN
zWG_hgdHgrF;~re#1a_bzSoj#A!9dNIUw&!l2n+7a9|L1wCUa0Ya6*NT2H@M;+uO&<
zY~o`Ke<H)T8-OncYs$;Z%Z?sBs=nrpfgL+`Y$E$`8ly}YZ88AAg5k%_Z>3$kcI|C;
z&|v_+7*;DSEiEc5D~nkK9X@<`0+&~YQ6~6c0KT0yNoEsWn=)m}h}9o{NbkS@K7H`P
z2efL{Dq6jIHGRn6ty!~%)@El@_PTYnZvA>%kL%$L8z?t7SBy_$q&`^q7`nvB8HO@t
z(NQyflnz6C!NRxm-(qy7aQ$+)p6j{3>$u+8T>rIe*9sP30yba-R$#V@|ChyvW_$MT
zrDe;O(X?sPgl5c`K{IE~qLkUQDK#yP=2$G0k&!`JSy?o1-aJ~cU;!<%T50);6=EmU
zawUR=4=}RWs2RqogM|+ru-VAEcrh(nv`Ewqb<E_trgNQ9cQ8mvNuilDXVUcP)9JnU
z-V<8E^#?myY-qM`|9*mY@@@6frAr0;Sqy(R!%v$thb-yol#!W9bLY;b`Sa(~!i5XT
z%J7$PTI@7L2jHUnVYtADuLvAO^HQ$E;w4K&K<V%iXb3nTd}e`w1RDh1?mc@1Ge{O2
zn(3M7D%`$ZfSsM1D&VIx{7irN93hAl0e|^&TDfwiI1D##+$buX$nfDCpMNNan-?@2
zh+YKH5{8d}LSUheSzK2H90Csv5Qx}8yLRs$zzUMZhGv18>Drc`Pn#_N5QiTQLtm4_
z@Zks|X1NX@=L(!BxP9EVZJU@QlxXk)ealB52_MmRBVgb=0tkVGfI?saJ^~E^hrr8Y
z1_($MBS;n-nyE6>b!F-pYEOBM&Sp%YHFN(*3pg@xc<S&GIpV~_@No#^1dWq3A`8tJ
z0K^+UpcfPtiVFr@JP7#gD*^`a5kS7CN4EQ@t3CZUqVDzo`-PH?E?I17rpi#)^^{lX
zPSz_zH!ZKx>8#(=`h_!mO^y#fu8`!_kq$qXo1sm4d9=5vNWh3S{1O)C(7*@y0-xX;
zd_<riVDzR(hmX3Q$$W!4ETet(ZcF>Il8r7|Y-py+P?tY^T{qIlP~pOVec$Bp;fuo<
z5rxPSm!y0-x^dGc%G<nI9O_%SDf)QdJ~5k178^A?c<7MW;V2VjE8%mXAYgR(8<(ci
z>3M(Ty8Y;h`bHK0)9mJqmmUN<19hdp+{eGwwf*PCH)YacYp6qK>d5P=dO}>!>oRF<
zZ7}${JeE<|2{oNFN4_pM88+52ZNzWc_j3p&Ro!$YEPP$O6CQKg6a0CM+%#bgfpTNU
zOH~M*z<Q{Z@bGnc=8WpSIrF6={+w_-0X{MGqX-m#pNCT1;Jg0$!e2X6M|o6EJx!fy
zqq;k0joiwg<GvH%0|Ekp;qPNGLfzf}e(_H-tJoVmF$N$RsG*|(;%)BTnmuw2e~$T1
zK$+qA-H|dfmp>=Q5e!FU1oikk8jLuCI=Dg$`E%4OgEFwgxx736J_IA)rkm@yoj*s$
z&(<j~yu<BQO{ByTaj7fgWkc<zF5do}bSo;xWsJd&4lFkq@m0?w)Ge^S;Rq+q8dYKO
z5c~2#a*B#^8GjBeGoCWx$5AHyILd?{N15>BC=-4hWx|i6;LsQroQi}d@l95-$1=*x
zpOpm;CfvZ_o<nkqig7t1cO~#Pce!2#{CN^fRd>UZZiR2?;|S#j1|VYH*@m)0=|qEW
zrH*V%m~jd?!p%k9Q2pM4LdAKzxOOue?LO8e2a9UZ=P$F0y*d8=gKVRYBRw2XqyZK=
za1u%Y^*P@8VV2A$w#E(z-6JTYC838FhZ-_eiR+ZugDE%{#I@hsfU&>m^<06z`oMaq
zl(6v8Z5yxt`fv?C%l`g*{&fmeRN?zig9wyr>Iihp@+#FW`~&UHT}B^aYRJ~DVy0St
zem)fx6i{JdA#LBjop$WlL0FXo)9f(6Q7ixyW&4=Rz<eDn!Gf~k17@6I;#5BShM9Qq
z6+XlFJzR&&^WPA4Qq?tK=IwM^UZJ|I-_eG}DgBeC{O9c`CQa${c6KlXOqhz*q$$h~
z0`SdSwhTUR$8XXU=4<9yXVImMUy~<2!QjK8hV)-i_JZlY>4I>0z;r<cd_)?SzKX|m
zL6nK|FnJ1-xB{mO>hLk^*nhfU&fNb}qvdt3^ULvt-|+5FsCmxMXl=&3>WQ*`@b!tZ
zs30O9(2pHE7WcWD@Bv2xg24yhZ=x(_-VK;2%XP#=*>#qw)NJ`VU7R*v$wrqfHZ)UZ
zi0O84Fmq07|14#Fia0ywKSexn${?cN#(?pZdZNuzhEG^u4o4@Z3c_bJn*(Mk%PHch
zt3E|MBW<>LIt5HrtYopFnSVw&Sz!`sT3VWKe!lYI2*3IHr~tsDVwnG)=nqF=-AmL{
zZ|{9g4jzu+y7@mGVX;{HS>Qnt{);0A+xjz;#fD~jCU^!3g$#Hyg$oq$*%9AkK>^dm
z_wZE=p7a=Qj|Jf~u7>>Ed;cd>274?BpK<<(2z)%?hK!Swlf|<}C;<PX5dE1fI5Oaw
zEOr!^ZUAoNfw)A1uRjo1U0p4%$o$)T{lN$v`KjCj1U{1mRtQY6lf}lynwy*7YHDh#
zF!CrU;Fpw?*!jd4^#`LF{$z&l2o}EIqo6jf*LaytVwuC?7~j&;Vl(&<G~hc*OG{(E
zBmkG0%<$U{z}FvwE=-sOy|LzirfG!+AOFV!pY2@vxGsjl&`0p4W+n%M#{hghf$nv=
zT-m%6;<Ka;R@Y$g*==oYUW02dc(~FDwG0gVGMeG9Wcc17;p=NJc$k3|3*5=9qH9=3
z=GLuS)*Cl&cnq#O;^nKJm8hu9D&dTM8_V$X48SLbk5xyo;$n)-COUTe_U)9euCDeF
z*4xQr_`_x?c-{fy7{1K_e0{Ma$KAVk-<H`##=5(^C*Qw+9~lR=%$E+ouCC6;;1lx-
zAqZpt-{JtOFaTd)=F83s@5-&Ww|64TZe)QwIEZ$0=Z+o9h2n;zaHCjz_N)>3Vu8D!
zo*t|yXl!X1Y=ET*jV$d5_!qc|!Se5_3OozKOCIp<lVIV4om|!tYiT}xNgE_ULb*ZE
z>uTbV!~*>)ho42^4jD(e0r<M|nDM}KAHKj30SSkMk7&o8qRPQ%T^n<A#Z4lPdIRvm
z)XRTYGV{?`y!37Pg({&EK3{5j7`_z_s2qEqgaurgM>fO9>ViYU*Trl-hE@@m>uP4}
z%NMGgc^(B8-29AXK83-;hm62S#sk_bl_SriBo1M`1I9CaTSVY<vxJP4mrE)~o<~U>
z1B`dTL|kgBxat}dK5txi{P^)InU`rHT6J}G4ex{|72_x1BVkol)g}3QA@glPVH#d}
zh1WIN?e;2eMKpibKKS_I{Q2`Wm{5cpC2Uk&Tx`M*)38vU{#H1?N%J-}HB~a}>jFNX
zAky&#euR)vA8I>t<cJABOv4K(F<OV^#4ue3YlpJB91cfi65p9xF?NbQgyB3S^c&qV
z;fG-uvp_!=W<-D|xZ<W1ti^aW|6|3(A?zW{T|q(&8e{OIwzk%UABNS}*H6aEx)>V(
zPmGl5L#P-(PGZ27_!84Q@CsJE4+I;?mlF5Nd`vTFEl%f~EiEm5=n2Kkh%qjJu?;ZB
z(ZJ06lK9I?e2IY%^uePqUhg_}YT83hb6ZUrl-pgXx!hjy8g9Stc630>aSrfqO=8fM
z`n%7O2#JNBc$c@Skfrs%Paa*-e4-V>&H7sse^Ck8=%0rA6Dl$=6%n~utxji`Xqy;(
zCB9H4G!=O{HCGo0`ClY_cdjatsi+9kY`!1c6(<OFLQ|2I$LVxVlGyvrgdYQG?mXq}
tHWPm2<<#7EzPho2Ew}H3%w9-J`ac2Gxdj2|%;x|A002ovPDHLkV1fs1AAbM<

diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/icon-logo.svg b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/icon-logo.svg
new file mode 100644
index 0000000000..ce38f02f0b
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/images/icon-logo.svg
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN" "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg version="1.0" width="71.25pt" height="73.5pt" viewBox="0 0 71.25 73.5" preserveAspectRatio="xMidYMid meet" xmlns="http://www.w3.org/2000/svg">
+  <g transform="translate(0,73.5)scale(.075,.075)" fill="#DD630D">
+    <path id="path1" d="M 220 -875 l 0 105 265 0 265 0 0 275 0 275 95 0 95 0 0 -228 0 -227 -153 -153 -152 -152 -208 0 -207 0 0 105 z M 0 -537 l 0 222 153 153 152 152 213 0 212 0 0 -100 0 -100 -265 0 -265 0 0 -275 0 -275 -100 0 -100 0 0 223 z " />
+  </g>
+</svg>
\ No newline at end of file

From 06d6a317060caf1948c59956c1b0700ced0a7e31 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Mar 2025 10:01:54 +0100
Subject: [PATCH 2394/3088] sysultils/beats: align with our directory structure

---
 sysutils/beats/Makefile                                   | 8 ++++++++
 sysutils/{beats8 => beats}/pkg-descr                      | 5 +----
 .../OPNsense/Filebeat/Api/ServiceController.php           | 0
 .../OPNsense/Filebeat/Api/SettingsController.php          | 0
 .../app/controllers/OPNsense/Filebeat/IndexController.php | 0
 .../app/controllers/OPNsense/Filebeat/forms/filebeat.xml  | 0
 .../opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml   | 0
 .../opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php  | 0
 .../opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml  | 0
 .../opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml | 0
 .../opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt  | 0
 .../opnsense/service/conf/actions.d/actions_filebeat.conf | 2 +-
 .../opnsense/service/templates/OPNsense/Filebeat/+TARGETS | 2 +-
 .../opnsense/service/templates/OPNsense/Filebeat/filebeat | 2 +-
 .../service/templates/OPNsense/Filebeat/filebeat.yml      | 0
 sysutils/beats8/Makefile                                  | 7 -------
 16 files changed, 12 insertions(+), 14 deletions(-)
 create mode 100644 sysutils/beats/Makefile
 rename sysutils/{beats8 => beats}/pkg-descr (72%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt (100%)
 rename sysutils/{beats8 => beats}/src/opnsense/service/conf/actions.d/actions_filebeat.conf (91%)
 rename sysutils/{beats8 => beats}/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS (58%)
 rename sysutils/{beats8 => beats}/src/opnsense/service/templates/OPNsense/Filebeat/filebeat (71%)
 rename sysutils/{beats8 => beats}/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml (100%)
 delete mode 100644 sysutils/beats8/Makefile

diff --git a/sysutils/beats/Makefile b/sysutils/beats/Makefile
new file mode 100644
index 0000000000..cf63c1365f
--- /dev/null
+++ b/sysutils/beats/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		beats
+PLUGIN_VERSION=		0.1
+PLUGIN_DEVEL=		yes
+PLUGIN_COMMENT=		Send logs, network, metrics and heartbeat to Elasticsearch
+PLUGIN_DEPENDS=		beats8
+PLUGIN_MAINTAINER=	0xThiebaut
+
+.include "../../Mk/plugins.mk"
diff --git a/sysutils/beats8/pkg-descr b/sysutils/beats/pkg-descr
similarity index 72%
rename from sysutils/beats8/pkg-descr
rename to sysutils/beats/pkg-descr
index aa24fdd2ac..f84f52a3b3 100644
--- a/sysutils/beats8/pkg-descr
+++ b/sysutils/beats/pkg-descr
@@ -1,13 +1,10 @@
 Beats is the platform for building lightweight, open source data
 shippers for many types of operational data you want to enrich with
-Logstash, search and analyze in Elasticsearch, and visualize in Kibana.
+Logstash, search and analyze in Elasticsearch.
 
 Filebeat is a lightweight, open source shipper for log file data. As the
 next-generation Logstash Forwarder, Filebeat tails logs and quickly
 sends this information to Logstash for further parsing and enrichment or
 to Elasticsearch for centralized storage and analysis.
 
-The OPNsense Beats plugin only initializes Elasticsearch;
-It doesn't load Kibana dashboards.
-
 WWW: https://www.elastic.co/guide/en/beats
diff --git a/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
rename to sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
diff --git a/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
rename to sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
diff --git a/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
rename to sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
diff --git a/sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml
rename to sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml
diff --git a/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
rename to sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
diff --git a/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
rename to sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
diff --git a/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
rename to sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
diff --git a/sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
rename to sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
diff --git a/sysutils/beats8/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt b/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
similarity index 100%
rename from sysutils/beats8/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
rename to sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
diff --git a/sysutils/beats8/src/opnsense/service/conf/actions.d/actions_filebeat.conf b/sysutils/beats/src/opnsense/service/conf/actions.d/actions_filebeat.conf
similarity index 91%
rename from sysutils/beats8/src/opnsense/service/conf/actions.d/actions_filebeat.conf
rename to sysutils/beats/src/opnsense/service/conf/actions.d/actions_filebeat.conf
index b7c8aa371c..47a4226d32 100644
--- a/sysutils/beats8/src/opnsense/service/conf/actions.d/actions_filebeat.conf
+++ b/sysutils/beats/src/opnsense/service/conf/actions.d/actions_filebeat.conf
@@ -20,4 +20,4 @@ message:restarting Filebeat
 command:/usr/local/etc/rc.d/filebeat status; exit 0
 parameters:
 type:script_output
-message:requesting Filebeat status
\ No newline at end of file
+message:requesting Filebeat status
diff --git a/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS b/sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
similarity index 58%
rename from sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
rename to sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
index 88dd74dea3..408300f171 100644
--- a/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
+++ b/sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
@@ -1,2 +1,2 @@
 filebeat.yml:/usr/local/etc/beats/filebeat.yml
-filebeat:/etc/rc.conf.d/filebeat
\ No newline at end of file
+filebeat:/etc/rc.conf.d/filebeat
diff --git a/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat b/sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
similarity index 71%
rename from sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
rename to sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
index 7b65a5fa8b..c3a61aa37a 100755
--- a/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
+++ b/sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
@@ -1 +1 @@
-filebeat_enable="{{ 'YES' if not helpers.empty('OPNsense.filebeat.enabled') else 'NO' }}"
\ No newline at end of file
+filebeat_enable="{{ 'YES' if not helpers.empty('OPNsense.filebeat.enabled') else 'NO' }}"
diff --git a/sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml b/sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml
similarity index 100%
rename from sysutils/beats8/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml
rename to sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml
diff --git a/sysutils/beats8/Makefile b/sysutils/beats8/Makefile
deleted file mode 100644
index c4b8aac4dc..0000000000
--- a/sysutils/beats8/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-PLUGIN_NAME=		beats8
-PLUGIN_VERSION=		1.0
-PLUGIN_COMMENT=		Send logs, network, metrics and heartbeat to elasticsearch
-PLUGIN_DEPENDS=		beats8
-PLUGIN_MAINTAINER=	0xThiebaut
-
-.include "../../Mk/plugins.mk"

From 576d1761ec65bde5b09ee425ee45562ac40f8126 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Mar 2025 10:02:34 +0100
Subject: [PATCH 2395/3088] net/frr: style sweep

---
 .../mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php    | 1 -
 .../controllers/OPNsense/Quagga/Api/Ospf6settingsController.php  | 1 -
 .../controllers/OPNsense/Quagga/Api/OspfsettingsController.php   | 1 -
 3 files changed, 3 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
index 3a4a931584..29d2180364 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/BgpController.php
@@ -246,5 +246,4 @@ public function toggleRedistributionAction($uuid)
     {
         return $this->toggleBase('redistributions.redistribution', $uuid);
     }
-
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
index 65c2610b53..d616af37c0 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
@@ -161,5 +161,4 @@ public function toggleRedistributionAction($uuid)
     {
         return $this->toggleBase('redistributions.redistribution', $uuid);
     }
-
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
index 7634494206..ab971af24a 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
@@ -158,5 +158,4 @@ public function toggleRedistributionAction($uuid)
     {
         return $this->toggleBase('redistributions.redistribution', $uuid);
     }
-
 }

From 79006b88178cdd45349de2f64f2f6ed0cdf82a9a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Mar 2025 10:02:46 +0100
Subject: [PATCH 2396/3088] sysutils/sfpt-backup: style sweep

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
index 32f7b8a509..0a81b101cf 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -263,7 +263,7 @@ public function backup()
             if ($this->model->backupcount->asFloat() > 0) {
                 rsort($remote_backups);
                 if (count($remote_backups) > (int)$this->model->backupcount->getCurrentValue()) {
-                    for ($i = $this->model->backupcount->getCurrentValue() ; $i < count($remote_backups); $i++) {
+                    for ($i = $this->model->backupcount->getCurrentValue(); $i < count($remote_backups); $i++) {
                         $this->del($remote_backups[$i]);
                     }
                     $remote_backups = $this->ls(sprintf('%s*.xml', $fileprefix));

From 593bee2bb9ccb477bbf0afb89de7fb2371622c99 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Mar 2025 10:11:34 +0100
Subject: [PATCH 2397/3088] sysutils/beats: more style changes

---
 LICENSE                                       |  1 +
 README.md                                     |  1 +
 .../Filebeat/Api/ServiceController.php        | 42 ++++++++-------
 .../Filebeat/Api/SettingsController.php       | 42 ++++++++-------
 .../OPNsense/Filebeat/IndexController.php     | 42 ++++++++-------
 .../app/models/OPNsense/Beats8/Filebeat.php   | 42 ++++++++-------
 .../app/models/OPNsense/Beats8/Filebeat.xml   |  4 +-
 .../app/views/OPNsense/Beats8/filebeat.volt   | 51 +++++++++----------
 8 files changed, 107 insertions(+), 118 deletions(-)

diff --git a/LICENSE b/LICENSE
index 2032184223..7469b45fef 100644
--- a/LICENSE
+++ b/LICENSE
@@ -48,6 +48,7 @@ Copyright (c) 2021 Markus Peter <mpeter@one-it.de>
 Copyright (c) 2022 Markus Reiter <me@reitermark.us>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
+Copyright (c) 2025 Maxime Thiebaut
 Copyright (c) 2017-2024 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2024 Michał Brzeziński
 Copyright (c) 2024 Mike Shuey
diff --git a/README.md b/README.md
index d19657ee95..ea219dbe85 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
 sysutils/apuled -- PC Engine APU LED control (development only)
+sysutils/beats -- Send logs, network, metrics and heartbeat to Elasticsearch (development only)
 sysutils/cpu-microcode -- CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
diff --git a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
index 5557852487..4911fb7ed4 100755
--- a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
+++ b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2025 Maxime THIEBAUT
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2025 Maxime Thiebaut
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Filebeat\Api;
diff --git a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
index f8258c81b9..e6851410f4 100755
--- a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
+++ b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2025 Maxime THIEBAUT
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2025 Maxime Thiebaut
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Filebeat\Api;
diff --git a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
index 5c3784e4ed..3125f43f62 100755
--- a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
+++ b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2025 Maxime THIEBAUT
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2025 Maxime Thiebaut
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Filebeat;
diff --git a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
index 8a4c3c2b23..137fec7094 100644
--- a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
+++ b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2025 Maxime THIEBAUT
+/*
+ * Copyright (C) 2025 Maxime Thiebaut
+ * All rights reserved.
  *
- *    All rights reserved.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Beats8;
diff --git a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
index d4028a54d9..e155e047ed 100644
--- a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
+++ b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
@@ -1,8 +1,6 @@
 <model>
     <mount>//OPNsense/filebeat</mount>
-    <description>
-        Send logs to elasticsearch
-    </description>
+    <description>Send logs to Elasticsearch</description>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
diff --git a/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt b/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
index 03f6342ab0..3118ff63c5 100644
--- a/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
+++ b/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
@@ -1,31 +1,28 @@
 {#
-
-Copyright (C) 2025 Maxime THIEBAUT
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ # Copyright (C) 2025 Maxime Thiebaut
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <script>
     $( document ).ready(function() {

From 4cd80cbe54a0187167bde75b6a86edd371df492d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Mar 2025 10:48:13 +0100
Subject: [PATCH 2398/3088] misc: fix theme revision after version bump

---
 misc/theme-cicada/Makefile | 1 -
 misc/theme-vicuna/Makefile | 1 -
 2 files changed, 2 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 5ab8d3841b..88df0e4643 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.39
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 9a6bc449d3..c22184756a 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
 PLUGIN_VERSION=		1.49
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes

From ee39ee775a8d399058ed8601bf2ea0a85ce66064 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Mar 2025 10:50:58 +0100
Subject: [PATCH 2399/3088] sysutils/sftp-backup: bump revision after changes

---
 sysutils/sftp-backup/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/sftp-backup/Makefile b/sysutils/sftp-backup/Makefile
index d1ce650946..d73ec5bdc0 100644
--- a/sysutils/sftp-backup/Makefile
+++ b/sysutils/sftp-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		sftp-backup
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Backup configurations using SFTP
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2

From d2619d5377fc14c0f3d35f1df8c9ff9f15f7136f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Mar 2025 10:54:27 +0100
Subject: [PATCH 2400/3088] www/squid: bump revision

---
 www/squid/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index a70692d4f3..15857a9c0f 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2

From e1786e0771fa71924b8984cfa30674310b1e8da6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaka=20Pra=C5=A1nikar?= <Jackysi@users.noreply.github.com>
Date: Thu, 27 Mar 2025 15:06:08 +0100
Subject: [PATCH 2401/3088] misc/theme-advanced: Fix issues with tables and
 navigation subtitle (#4621)

o fix tables issue with action buttons
o change subtitle in navigation
---
 .../advanced/assets/stylesheets/main.scss     | 37 ++++++++++++++-----
 .../www/themes/advanced/build/css/main.css    |  2 +-
 2 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
index 0498b12cec..3dd6c75aa1 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
@@ -149,10 +149,6 @@ body {
     touch-action: manipulation;
 }
 
-.widget-sort-handle {
-    touch-action: none;
-}
-
 .page-head {
     position: fixed;
     z-index: map-get($zindex, header);
@@ -198,7 +194,7 @@ body {
             font-size: 12px;
             font-weight: 400;
             display: inline-block;
-            content: "AdvancedOPN Theme";
+            content: "Advanced Theme";
             color: #fafafa;
         }
 
@@ -1090,11 +1086,6 @@ select {
     appearance: none;
 }
 
-#grid-log th[data-column-id="__timestamp__"],
-#filter-log-entries th[data-column-id="__timestamp__"] {
-    min-width: 3.5em;
-}
-
 .table-responsive {
     @media screen and (max-width: $screen-xs-max) {
         margin-bottom: 0;
@@ -1268,3 +1259,29 @@ div[data-for*="help_for"] {
         margin-bottom: -4px;
     }
 }
+
+/**
+* HACKS
+*/
+.widget-sort-handle {
+    touch-action: none;
+}
+
+.bootgrid-table {
+    table-layout: auto !important;
+}
+
+table#tunable.bootgrid-table td {
+    white-space: normal !important;
+}
+
+@media (min-width: $screen-lg-desktop) {
+    table#grid-leases tr td:nth-child(3) {
+        width: 15% !important;
+    }
+}
+
+#grid-log th[data-column-id="__timestamp__"],
+#filter-log-entries th[data-column-id="__timestamp__"] {
+    min-width: 3.5em;
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/main.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/main.css
index 9333e6d6b6..72b2b553f1 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/main.css
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/main.css
@@ -1 +1 @@
-.widgetdiv .content-box-head{overflow:hidden;min-height:25px !important;padding:8px !important;color:#3c3c3b !important;border-top-left-radius:3px;border-top-right-radius:3px;background:#e8e8e8 !important}.widgetdiv .content-box-head .btn-group .btn{color:#3c3c3b !important;border:0px;background:#e8e8e8 !important}.widgetdiv .content-box-head .btn-group .btn .glyphicon{color:#3c3c3b !important}.widgetdiv .content-box-head .list-inline li>h3{padding-top:4px}@font-face{font-family:"Inter";font-style:normal;font-weight:600;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}@font-face{font-family:"Inter";font-style:normal;font-weight:500;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}@font-face{font-family:"Inter";font-style:normal;font-weight:400;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}/*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:rgba(0,0,0,0)}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}input{line-height:normal}input[type=checkbox],input[type=radio]{box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}legend{border:0;padding:0}textarea{overflow:auto}optgroup{font-weight:bold}table{border-collapse:collapse;border-spacing:0}td,th{padding:0}@media print{*{text-shadow:none !important;color:#000 !important;background:rgba(0,0,0,0) !important;box-shadow:none !important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff !important}.navbar{display:none}.table td,.table th{background-color:#fff !important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000 !important}.label{border:1px solid #000}.table{border-collapse:collapse !important}.table-bordered th,.table-bordered td{border:1px solid #ddd !important}}@font-face{font-family:"Glyphicons Halflings";src:url("../fonts/bootstrap/glyphicons-halflings-regular.eot");src:url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"),url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"),url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"),url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg")}.glyphicon{position:relative;top:1px;display:inline-block;font-family:"Glyphicons Halflings";font-style:normal;font-weight:normal;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"*"}.glyphicon-plus:before{content:"+"}.glyphicon-euro:before{content:"€"}.glyphicon-minus:before{content:"−"}.glyphicon-cloud:before{content:"☁"}.glyphicon-envelope:before{content:"✉"}.glyphicon-pencil:before{content:"✏"}.glyphicon-glass:before{content:""}.glyphicon-music:before{content:""}.glyphicon-search:before{content:""}.glyphicon-heart:before{content:""}.glyphicon-star:before{content:""}.glyphicon-star-empty:before{content:""}.glyphicon-user:before{content:""}.glyphicon-film:before{content:""}.glyphicon-th-large:before{content:""}.glyphicon-th:before{content:""}.glyphicon-th-list:before{content:""}.glyphicon-ok:before{content:""}.glyphicon-remove:before{content:""}.glyphicon-zoom-in:before{content:""}.glyphicon-zoom-out:before{content:""}.glyphicon-off:before{content:""}.glyphicon-signal:before{content:""}.glyphicon-cog:before{content:""}.glyphicon-trash:before{content:""}.glyphicon-home:before{content:""}.glyphicon-file:before{content:""}.glyphicon-time:before{content:""}.glyphicon-road:before{content:""}.glyphicon-download-alt:before{content:""}.glyphicon-download:before{content:""}.glyphicon-upload:before{content:""}.glyphicon-inbox:before{content:""}.glyphicon-play-circle:before{content:""}.glyphicon-repeat:before{content:""}.glyphicon-refresh:before{content:""}.glyphicon-list-alt:before{content:""}.glyphicon-lock:before{content:""}.glyphicon-flag:before{content:""}.glyphicon-headphones:before{content:""}.glyphicon-volume-off:before{content:""}.glyphicon-volume-down:before{content:""}.glyphicon-volume-up:before{content:""}.glyphicon-qrcode:before{content:""}.glyphicon-barcode:before{content:""}.glyphicon-tag:before{content:""}.glyphicon-tags:before{content:""}.glyphicon-book:before{content:""}.glyphicon-bookmark:before{content:""}.glyphicon-print:before{content:""}.glyphicon-camera:before{content:""}.glyphicon-font:before{content:""}.glyphicon-bold:before{content:""}.glyphicon-italic:before{content:""}.glyphicon-text-height:before{content:""}.glyphicon-text-width:before{content:""}.glyphicon-align-left:before{content:""}.glyphicon-align-center:before{content:""}.glyphicon-align-right:before{content:""}.glyphicon-align-justify:before{content:""}.glyphicon-list:before{content:""}.glyphicon-indent-left:before{content:""}.glyphicon-indent-right:before{content:""}.glyphicon-facetime-video:before{content:""}.glyphicon-picture:before{content:""}.glyphicon-map-marker:before{content:""}.glyphicon-adjust:before{content:""}.glyphicon-tint:before{content:""}.glyphicon-edit:before{content:""}.glyphicon-share:before{content:""}.glyphicon-check:before{content:""}.glyphicon-move:before{content:""}.glyphicon-step-backward:before{content:""}.glyphicon-fast-backward:before{content:""}.glyphicon-backward:before{content:""}.glyphicon-play:before{content:""}.glyphicon-pause:before{content:""}.glyphicon-stop:before{content:""}.glyphicon-forward:before{content:""}.glyphicon-fast-forward:before{content:""}.glyphicon-step-forward:before{content:""}.glyphicon-eject:before{content:""}.glyphicon-chevron-left:before{content:""}.glyphicon-chevron-right:before{content:""}.glyphicon-plus-sign:before{content:""}.glyphicon-minus-sign:before{content:""}.glyphicon-remove-sign:before{content:""}.glyphicon-ok-sign:before{content:""}.glyphicon-question-sign:before{content:""}.glyphicon-info-sign:before{content:""}.glyphicon-screenshot:before{content:""}.glyphicon-remove-circle:before{content:""}.glyphicon-ok-circle:before{content:""}.glyphicon-ban-circle:before{content:""}.glyphicon-arrow-left:before{content:""}.glyphicon-arrow-right:before{content:""}.glyphicon-arrow-up:before{content:""}.glyphicon-arrow-down:before{content:""}.glyphicon-share-alt:before{content:""}.glyphicon-resize-full:before{content:""}.glyphicon-resize-small:before{content:""}.glyphicon-exclamation-sign:before{content:""}.glyphicon-gift:before{content:""}.glyphicon-leaf:before{content:""}.glyphicon-fire:before{content:""}.glyphicon-eye-open:before{content:""}.glyphicon-eye-close:before{content:""}.glyphicon-warning-sign:before{content:""}.glyphicon-plane:before{content:""}.glyphicon-calendar:before{content:""}.glyphicon-random:before{content:""}.glyphicon-comment:before{content:""}.glyphicon-magnet:before{content:""}.glyphicon-chevron-up:before{content:""}.glyphicon-chevron-down:before{content:""}.glyphicon-retweet:before{content:""}.glyphicon-shopping-cart:before{content:""}.glyphicon-folder-close:before{content:""}.glyphicon-folder-open:before{content:""}.glyphicon-resize-vertical:before{content:""}.glyphicon-resize-horizontal:before{content:""}.glyphicon-hdd:before{content:""}.glyphicon-bullhorn:before{content:""}.glyphicon-bell:before{content:""}.glyphicon-certificate:before{content:""}.glyphicon-thumbs-up:before{content:""}.glyphicon-thumbs-down:before{content:""}.glyphicon-hand-right:before{content:""}.glyphicon-hand-left:before{content:""}.glyphicon-hand-up:before{content:""}.glyphicon-hand-down:before{content:""}.glyphicon-circle-arrow-right:before{content:""}.glyphicon-circle-arrow-left:before{content:""}.glyphicon-circle-arrow-up:before{content:""}.glyphicon-circle-arrow-down:before{content:""}.glyphicon-globe:before{content:""}.glyphicon-wrench:before{content:""}.glyphicon-tasks:before{content:""}.glyphicon-filter:before{content:""}.glyphicon-briefcase:before{content:""}.glyphicon-fullscreen:before{content:""}.glyphicon-dashboard:before{content:""}.glyphicon-paperclip:before{content:""}.glyphicon-heart-empty:before{content:""}.glyphicon-link:before{content:""}.glyphicon-phone:before{content:""}.glyphicon-pushpin:before{content:""}.glyphicon-usd:before{content:""}.glyphicon-gbp:before{content:""}.glyphicon-sort:before{content:""}.glyphicon-sort-by-alphabet:before{content:""}.glyphicon-sort-by-alphabet-alt:before{content:""}.glyphicon-sort-by-order:before{content:""}.glyphicon-sort-by-order-alt:before{content:""}.glyphicon-sort-by-attributes:before{content:""}.glyphicon-sort-by-attributes-alt:before{content:""}.glyphicon-unchecked:before{content:""}.glyphicon-expand:before{content:""}.glyphicon-collapse-down:before{content:""}.glyphicon-collapse-up:before{content:""}.glyphicon-log-in:before{content:""}.glyphicon-flash:before{content:""}.glyphicon-log-out:before{content:""}.glyphicon-new-window:before{content:""}.glyphicon-record:before{content:""}.glyphicon-save:before{content:""}.glyphicon-open:before{content:""}.glyphicon-saved:before{content:""}.glyphicon-import:before{content:""}.glyphicon-export:before{content:""}.glyphicon-send:before{content:""}.glyphicon-floppy-disk:before{content:""}.glyphicon-floppy-saved:before{content:""}.glyphicon-floppy-remove:before{content:""}.glyphicon-floppy-save:before{content:""}.glyphicon-floppy-open:before{content:""}.glyphicon-credit-card:before{content:""}.glyphicon-transfer:before{content:""}.glyphicon-cutlery:before{content:""}.glyphicon-header:before{content:""}.glyphicon-compressed:before{content:""}.glyphicon-earphone:before{content:""}.glyphicon-phone-alt:before{content:""}.glyphicon-tower:before{content:""}.glyphicon-stats:before{content:""}.glyphicon-sd-video:before{content:""}.glyphicon-hd-video:before{content:""}.glyphicon-subtitles:before{content:""}.glyphicon-sound-stereo:before{content:""}.glyphicon-sound-dolby:before{content:""}.glyphicon-sound-5-1:before{content:""}.glyphicon-sound-6-1:before{content:""}.glyphicon-sound-7-1:before{content:""}.glyphicon-copyright-mark:before{content:""}.glyphicon-registration-mark:before{content:""}.glyphicon-cloud-download:before{content:""}.glyphicon-cloud-upload:before{content:""}.glyphicon-tree-conifer:before{content:""}.glyphicon-tree-deciduous:before{content:""}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;line-height:1.428571429;color:#3c3c3b;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#51aded;text-decoration:none}a:hover,a:focus{color:#178adb;text-decoration:underline}a:focus{outline:none}figure{margin:0}img{vertical-align:middle}.img-responsive{display:block;width:100% \9 ;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{padding:4px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:3px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out;display:inline-block;width:100% \9 ;max-width:100%;height:auto}.img-circle{border-radius:50%}hr{margin-top:18px;margin-bottom:18px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;margin:-1px;padding:0;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:"Inter";font-weight:500;line-height:1.4;color:inherit}h1 small,h1 .small,h2 small,h2 .small,h3 small,h3 .small,h4 small,h4 .small,h5 small,h5 .small,h6 small,h6 .small,.h1 small,.h1 .small,.h2 small,.h2 .small,.h3 small,.h3 .small,.h4 small,.h4 .small,.h5 small,.h5 .small,.h6 small,.h6 .small{font-weight:normal;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:18px;margin-bottom:9px}h1 small,h1 .small,.h1 small,.h1 .small,h2 small,h2 .small,.h2 small,.h2 .small,h3 small,h3 .small,.h3 small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:9px;margin-bottom:9px}h4 small,h4 .small,.h4 small,.h4 .small,h5 small,h5 .small,.h5 small,.h5 .small,h6 small,h6 .small,.h6 small,.h6 .small{font-size:75%}h1,.h1{font-size:22px}h2,.h2{font-size:14px}h3,.h3{font-size:13px}h4,.h4{font-size:17px}h5,.h5{font-size:13px}h6,.h6{font-size:12px}p{margin:0 0 9px}.lead{margin-bottom:18px;font-size:14px;font-weight:300;line-height:1.4}@media(min-width: 768px){.lead{font-size:19.5px}}small,.small{font-size:92%}cite{font-style:normal}mark,.mark{background-color:#fcf8e3;padding:.2em}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#51aded}a.text-primary:hover{color:#2397e8}.text-success{color:#7ebc59}a.text-success:hover{color:#65a141}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#f0ad4e}a.text-warning:hover{color:#ec971f}.text-danger{color:#ee451f}a.text-danger:hover{color:#cb320f}.bg-primary{color:#fff}.bg-primary{background-color:#51aded}a.bg-primary:hover{background-color:#2397e8}.bg-success{background-color:#7ebc59}a.bg-success:hover{background-color:#65a141}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#ee451f}a.bg-danger:hover{background-color:#cb320f}.page-header{padding-bottom:8px;margin:36px 0 18px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:9px}ul ul,ul ol,ol ul,ol ol{margin-bottom:0}.list-unstyled,.list-inline{padding-left:0;list-style:none}.list-inline{margin-left:-5px}.list-inline>li{float:left;padding-left:5px;padding-right:5px}dl{margin-top:0;margin-bottom:18px}dt,dd{line-height:1.428571429}dt{font-weight:bold}dd{margin-left:0}.dl-horizontal dd:before,.dl-horizontal dd:after{content:" ";display:table}.dl-horizontal dd:after{clear:both}@media(min-width: 768px){.dl-horizontal dt{float:left;width:160px;clear:left;text-align:right;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:9px 18px;margin:0 0 18px;font-size:16.25px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.428571429;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:"— "}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0;text-align:right}.blockquote-reverse footer:before,.blockquote-reverse small:before,.blockquote-reverse .small:before,blockquote.pull-right footer:before,blockquote.pull-right small:before,blockquote.pull-right .small:before{content:""}.blockquote-reverse footer:after,.blockquote-reverse small:after,.blockquote-reverse .small:after,blockquote.pull-right footer:after,blockquote.pull-right small:after,blockquote.pull-right .small:after{content:" —"}blockquote:before,blockquote:after{content:""}address{margin-bottom:18px;font-style:normal;line-height:1.428571429}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:3px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;box-shadow:none}pre{display:block;padding:calc((18px - 100%)/2);margin:0 0 9px;font-size:12px;line-height:1.428571429;word-break:break-all;word-wrap:break-word;color:#333;background-color:#f5f5f5;border:1px solid #ccc;border-radius:3px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:rgba(0,0,0,0);border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{margin-right:auto;margin-left:auto;padding-left:20px;padding-right:20px}.container:before,.container:after{content:" ";display:table}.container:after{clear:both}@media(min-width: 768px){.container{width:760px}}@media(min-width: 992px){.container{width:980px}}@media(min-width: 1200px){.container{width:1180px}}.container-fluid{margin-right:auto;margin-left:auto;padding-left:20px;padding-right:20px}.container-fluid:before,.container-fluid:after{content:" ";display:table}.container-fluid:after{clear:both}.row{margin-left:-20px;margin-right:-20px}.row:before,.row:after{content:" ";display:table}.row:after{clear:both}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-left:20px;padding-right:20px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-1{width:8.3333333333%}.col-xs-2{width:16.6666666667%}.col-xs-3{width:25%}.col-xs-4{width:33.3333333333%}.col-xs-5{width:41.6666666667%}.col-xs-6{width:50%}.col-xs-7{width:58.3333333333%}.col-xs-8{width:66.6666666667%}.col-xs-9{width:75%}.col-xs-10{width:83.3333333333%}.col-xs-11{width:91.6666666667%}.col-xs-12{width:100%}.col-xs-pull-0{right:auto}.col-xs-pull-1{right:8.3333333333%}.col-xs-pull-2{right:16.6666666667%}.col-xs-pull-3{right:25%}.col-xs-pull-4{right:33.3333333333%}.col-xs-pull-5{right:41.6666666667%}.col-xs-pull-6{right:50%}.col-xs-pull-7{right:58.3333333333%}.col-xs-pull-8{right:66.6666666667%}.col-xs-pull-9{right:75%}.col-xs-pull-10{right:83.3333333333%}.col-xs-pull-11{right:91.6666666667%}.col-xs-pull-12{right:100%}.col-xs-push-0{left:auto}.col-xs-push-1{left:8.3333333333%}.col-xs-push-2{left:16.6666666667%}.col-xs-push-3{left:25%}.col-xs-push-4{left:33.3333333333%}.col-xs-push-5{left:41.6666666667%}.col-xs-push-6{left:50%}.col-xs-push-7{left:58.3333333333%}.col-xs-push-8{left:66.6666666667%}.col-xs-push-9{left:75%}.col-xs-push-10{left:83.3333333333%}.col-xs-push-11{left:91.6666666667%}.col-xs-push-12{left:100%}.col-xs-offset-0{margin-left:0%}.col-xs-offset-1{margin-left:8.3333333333%}.col-xs-offset-2{margin-left:16.6666666667%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-4{margin-left:33.3333333333%}.col-xs-offset-5{margin-left:41.6666666667%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-7{margin-left:58.3333333333%}.col-xs-offset-8{margin-left:66.6666666667%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-10{margin-left:83.3333333333%}.col-xs-offset-11{margin-left:91.6666666667%}.col-xs-offset-12{margin-left:100%}@media(min-width: 768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-1{width:8.3333333333%}.col-sm-2{width:16.6666666667%}.col-sm-3{width:25%}.col-sm-4{width:33.3333333333%}.col-sm-5{width:41.6666666667%}.col-sm-6{width:50%}.col-sm-7{width:58.3333333333%}.col-sm-8{width:66.6666666667%}.col-sm-9{width:75%}.col-sm-10{width:83.3333333333%}.col-sm-11{width:91.6666666667%}.col-sm-12{width:100%}.col-sm-pull-0{right:auto}.col-sm-pull-1{right:8.3333333333%}.col-sm-pull-2{right:16.6666666667%}.col-sm-pull-3{right:25%}.col-sm-pull-4{right:33.3333333333%}.col-sm-pull-5{right:41.6666666667%}.col-sm-pull-6{right:50%}.col-sm-pull-7{right:58.3333333333%}.col-sm-pull-8{right:66.6666666667%}.col-sm-pull-9{right:75%}.col-sm-pull-10{right:83.3333333333%}.col-sm-pull-11{right:91.6666666667%}.col-sm-pull-12{right:100%}.col-sm-push-0{left:auto}.col-sm-push-1{left:8.3333333333%}.col-sm-push-2{left:16.6666666667%}.col-sm-push-3{left:25%}.col-sm-push-4{left:33.3333333333%}.col-sm-push-5{left:41.6666666667%}.col-sm-push-6{left:50%}.col-sm-push-7{left:58.3333333333%}.col-sm-push-8{left:66.6666666667%}.col-sm-push-9{left:75%}.col-sm-push-10{left:83.3333333333%}.col-sm-push-11{left:91.6666666667%}.col-sm-push-12{left:100%}.col-sm-offset-0{margin-left:0%}.col-sm-offset-1{margin-left:8.3333333333%}.col-sm-offset-2{margin-left:16.6666666667%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-4{margin-left:33.3333333333%}.col-sm-offset-5{margin-left:41.6666666667%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-7{margin-left:58.3333333333%}.col-sm-offset-8{margin-left:66.6666666667%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-10{margin-left:83.3333333333%}.col-sm-offset-11{margin-left:91.6666666667%}.col-sm-offset-12{margin-left:100%}}@media(min-width: 992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-1{width:8.3333333333%}.col-md-2{width:16.6666666667%}.col-md-3{width:25%}.col-md-4{width:33.3333333333%}.col-md-5{width:41.6666666667%}.col-md-6{width:50%}.col-md-7{width:58.3333333333%}.col-md-8{width:66.6666666667%}.col-md-9{width:75%}.col-md-10{width:83.3333333333%}.col-md-11{width:91.6666666667%}.col-md-12{width:100%}.col-md-pull-0{right:auto}.col-md-pull-1{right:8.3333333333%}.col-md-pull-2{right:16.6666666667%}.col-md-pull-3{right:25%}.col-md-pull-4{right:33.3333333333%}.col-md-pull-5{right:41.6666666667%}.col-md-pull-6{right:50%}.col-md-pull-7{right:58.3333333333%}.col-md-pull-8{right:66.6666666667%}.col-md-pull-9{right:75%}.col-md-pull-10{right:83.3333333333%}.col-md-pull-11{right:91.6666666667%}.col-md-pull-12{right:100%}.col-md-push-0{left:auto}.col-md-push-1{left:8.3333333333%}.col-md-push-2{left:16.6666666667%}.col-md-push-3{left:25%}.col-md-push-4{left:33.3333333333%}.col-md-push-5{left:41.6666666667%}.col-md-push-6{left:50%}.col-md-push-7{left:58.3333333333%}.col-md-push-8{left:66.6666666667%}.col-md-push-9{left:75%}.col-md-push-10{left:83.3333333333%}.col-md-push-11{left:91.6666666667%}.col-md-push-12{left:100%}.col-md-offset-0{margin-left:0%}.col-md-offset-1{margin-left:8.3333333333%}.col-md-offset-2{margin-left:16.6666666667%}.col-md-offset-3{margin-left:25%}.col-md-offset-4{margin-left:33.3333333333%}.col-md-offset-5{margin-left:41.6666666667%}.col-md-offset-6{margin-left:50%}.col-md-offset-7{margin-left:58.3333333333%}.col-md-offset-8{margin-left:66.6666666667%}.col-md-offset-9{margin-left:75%}.col-md-offset-10{margin-left:83.3333333333%}.col-md-offset-11{margin-left:91.6666666667%}.col-md-offset-12{margin-left:100%}}@media(min-width: 1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-1{width:8.3333333333%}.col-lg-2{width:16.6666666667%}.col-lg-3{width:25%}.col-lg-4{width:33.3333333333%}.col-lg-5{width:41.6666666667%}.col-lg-6{width:50%}.col-lg-7{width:58.3333333333%}.col-lg-8{width:66.6666666667%}.col-lg-9{width:75%}.col-lg-10{width:83.3333333333%}.col-lg-11{width:91.6666666667%}.col-lg-12{width:100%}.col-lg-pull-0{right:auto}.col-lg-pull-1{right:8.3333333333%}.col-lg-pull-2{right:16.6666666667%}.col-lg-pull-3{right:25%}.col-lg-pull-4{right:33.3333333333%}.col-lg-pull-5{right:41.6666666667%}.col-lg-pull-6{right:50%}.col-lg-pull-7{right:58.3333333333%}.col-lg-pull-8{right:66.6666666667%}.col-lg-pull-9{right:75%}.col-lg-pull-10{right:83.3333333333%}.col-lg-pull-11{right:91.6666666667%}.col-lg-pull-12{right:100%}.col-lg-push-0{left:auto}.col-lg-push-1{left:8.3333333333%}.col-lg-push-2{left:16.6666666667%}.col-lg-push-3{left:25%}.col-lg-push-4{left:33.3333333333%}.col-lg-push-5{left:41.6666666667%}.col-lg-push-6{left:50%}.col-lg-push-7{left:58.3333333333%}.col-lg-push-8{left:66.6666666667%}.col-lg-push-9{left:75%}.col-lg-push-10{left:83.3333333333%}.col-lg-push-11{left:91.6666666667%}.col-lg-push-12{left:100%}.col-lg-offset-0{margin-left:0%}.col-lg-offset-1{margin-left:8.3333333333%}.col-lg-offset-2{margin-left:16.6666666667%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-4{margin-left:33.3333333333%}.col-lg-offset-5{margin-left:41.6666666667%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-7{margin-left:58.3333333333%}.col-lg-offset-8{margin-left:66.6666666667%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-10{margin-left:83.3333333333%}.col-lg-offset-11{margin-left:91.6666666667%}.col-lg-offset-12{margin-left:100%}}table{background-color:rgba(0,0,0,0);color:#444}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:18px}.table>thead>tr>th,.table>thead>tr>td,.table>tbody>tr>th,.table>tbody>tr>td,.table>tfoot>tr>th,.table>tfoot>tr>td{padding:10px 0px 10px 20px;line-height:1.428571429;vertical-align:top;border-top:1px solid #eee}.table>thead>tr>th{vertical-align:bottom;border-bottom:1px solid #eee}.table>caption+thead>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>th,.table>thead:first-child>tr:first-child>td{border-top:0;font-family:"Inter";font-weight:normal}.table>tbody+tbody{border-top:2px solid #eee}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>th,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>th,.table-condensed>tfoot>tr>td{padding:8px}.table-bordered{border:1px solid #eee}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>tfoot>tr>td{border:1px solid #eee}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#fbfbfb}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;float:none;display:table-column}table td[class*=col-],table th[class*=col-]{position:static;float:none;display:table-cell}.table>thead>tr>td.active,.table>thead>tr>th.active,.table>thead>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr>td.active,.table>tbody>tr>th.active,.table>tbody>tr.active>td,.table>tbody>tr.active>th,.table>tfoot>tr>td.active,.table>tfoot>tr>th.active,.table>tfoot>tr.active>td,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>thead>tr>th.success,.table>thead>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr>td.success,.table>tbody>tr>th.success,.table>tbody>tr.success>td,.table>tbody>tr.success>th,.table>tfoot>tr>td.success,.table>tfoot>tr>th.success,.table>tfoot>tr.success>td,.table>tfoot>tr.success>th{background-color:#7ebc59}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#70b348}.table>thead>tr>td.info,.table>thead>tr>th.info,.table>thead>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr>td.info,.table>tbody>tr>th.info,.table>tbody>tr.info>td,.table>tbody>tr.info>th,.table>tfoot>tr>td.info,.table>tfoot>tr>th.info,.table>tfoot>tr.info>td,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>thead>tr>th.warning,.table>thead>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr>td.warning,.table>tbody>tr>th.warning,.table>tbody>tr.warning>td,.table>tbody>tr.warning>th,.table>tfoot>tr>td.warning,.table>tfoot>tr>th.warning,.table>tfoot>tr.warning>td,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>thead>tr>th.danger,.table>thead>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr>td.danger,.table>tbody>tr>th.danger,.table>tbody>tr.danger>td,.table>tbody>tr.danger>th,.table>tfoot>tr>td.danger,.table>tfoot>tr>th.danger,.table>tfoot>tr.danger>td,.table>tfoot>tr.danger>th{background-color:#ee451f}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#e23811}@media screen and (max-width: 767px){.table-responsive{width:100%;margin-bottom:13.5px;overflow-y:hidden;overflow-x:auto;-ms-overflow-style:-ms-autohiding-scrollbar;-webkit-overflow-scrolling:touch}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0;min-width:0}legend{display:block;width:100%;padding:0;margin-bottom:18px;font-size:19.5px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:normal}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9 ;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:none}output{display:block;padding-top:7px;font-size:13px;line-height:1.428571429;color:#555}select,textarea,input[type=text],input[type=password],input[type=datetime],input[type=datetime-local],input[type=date],input[type=month],input[type=time],input[type=week],input[type=number],input[type=email],input[type=url],input[type=search],input[type=tel],input[type=color]{display:block;width:100%;height:32px;padding:6px 12px;font-size:13px;line-height:1.428571429;color:#555;background-color:#fff;background-image:none;border:1px solid #e4eaec;border-radius:3px;text-overflow:ellipsis;max-width:450px;transition:none;-webkit-transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s;-o-transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s;transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s}select:focus,textarea:focus,input[type=text]:focus,input[type=password]:focus,input[type=datetime]:focus,input[type=datetime-local]:focus,input[type=date]:focus,input[type=month]:focus,input[type=time]:focus,input[type=week]:focus,input[type=number]:focus,input[type=email]:focus,input[type=url]:focus,input[type=search]:focus,input[type=tel]:focus,input[type=color]:focus{border-color:#66afe9;outline:0;transition:border-color 250ms ease}select::-moz-placeholder,textarea::-moz-placeholder,input[type=text]::-moz-placeholder,input[type=password]::-moz-placeholder,input[type=datetime]::-moz-placeholder,input[type=datetime-local]::-moz-placeholder,input[type=date]::-moz-placeholder,input[type=month]::-moz-placeholder,input[type=time]::-moz-placeholder,input[type=week]::-moz-placeholder,input[type=number]::-moz-placeholder,input[type=email]::-moz-placeholder,input[type=url]::-moz-placeholder,input[type=search]::-moz-placeholder,input[type=tel]::-moz-placeholder,input[type=color]::-moz-placeholder{color:#777;opacity:1}select:-ms-input-placeholder,textarea:-ms-input-placeholder,input[type=text]:-ms-input-placeholder,input[type=password]:-ms-input-placeholder,input[type=datetime]:-ms-input-placeholder,input[type=datetime-local]:-ms-input-placeholder,input[type=date]:-ms-input-placeholder,input[type=month]:-ms-input-placeholder,input[type=time]:-ms-input-placeholder,input[type=week]:-ms-input-placeholder,input[type=number]:-ms-input-placeholder,input[type=email]:-ms-input-placeholder,input[type=url]:-ms-input-placeholder,input[type=search]:-ms-input-placeholder,input[type=tel]:-ms-input-placeholder,input[type=color]:-ms-input-placeholder{color:#777}select::-webkit-input-placeholder,textarea::-webkit-input-placeholder,input[type=text]::-webkit-input-placeholder,input[type=password]::-webkit-input-placeholder,input[type=datetime]::-webkit-input-placeholder,input[type=datetime-local]::-webkit-input-placeholder,input[type=date]::-webkit-input-placeholder,input[type=month]::-webkit-input-placeholder,input[type=time]::-webkit-input-placeholder,input[type=week]::-webkit-input-placeholder,input[type=number]::-webkit-input-placeholder,input[type=email]::-webkit-input-placeholder,input[type=url]::-webkit-input-placeholder,input[type=search]::-webkit-input-placeholder,input[type=tel]::-webkit-input-placeholder,input[type=color]::-webkit-input-placeholder{color:#777}select[disabled],select[readonly],fieldset[disabled] select,textarea[disabled],textarea[readonly],fieldset[disabled] textarea,input[type=text][disabled],input[type=text][readonly],fieldset[disabled] input[type=text],input[type=password][disabled],input[type=password][readonly],fieldset[disabled] input[type=password],input[type=datetime][disabled],input[type=datetime][readonly],fieldset[disabled] input[type=datetime],input[type=datetime-local][disabled],input[type=datetime-local][readonly],fieldset[disabled] input[type=datetime-local],input[type=date][disabled],input[type=date][readonly],fieldset[disabled] input[type=date],input[type=month][disabled],input[type=month][readonly],fieldset[disabled] input[type=month],input[type=time][disabled],input[type=time][readonly],fieldset[disabled] input[type=time],input[type=week][disabled],input[type=week][readonly],fieldset[disabled] input[type=week],input[type=number][disabled],input[type=number][readonly],fieldset[disabled] input[type=number],input[type=email][disabled],input[type=email][readonly],fieldset[disabled] input[type=email],input[type=url][disabled],input[type=url][readonly],fieldset[disabled] input[type=url],input[type=search][disabled],input[type=search][readonly],fieldset[disabled] input[type=search],input[type=tel][disabled],input[type=tel][readonly],fieldset[disabled] input[type=tel],input[type=color][disabled],input[type=color][readonly],fieldset[disabled] input[type=color]{cursor:not-allowed;background-color:#eee;opacity:1}textarea{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:32px;line-height:1.428571429 \0 }input[type=date].input-sm,.input-group-sm>input[type=date].form-control,.input-group-sm>input[type=date].input-group-addon,.input-group-sm>.input-group-btn>input[type=date].btn,.form-horizontal .form-group-sm input[type=date].form-control,input[type=time].input-sm,.input-group-sm>input[type=time].form-control,.input-group-sm>input[type=time].input-group-addon,.input-group-sm>.input-group-btn>input[type=time].btn,.form-horizontal .form-group-sm input[type=time].form-control,input[type=datetime-local].input-sm,.input-group-sm>input[type=datetime-local].form-control,.input-group-sm>input[type=datetime-local].input-group-addon,.input-group-sm>.input-group-btn>input[type=datetime-local].btn,.form-horizontal .form-group-sm input[type=datetime-local].form-control,input[type=month].input-sm,.input-group-sm>input[type=month].form-control,.input-group-sm>input[type=month].input-group-addon,.input-group-sm>.input-group-btn>input[type=month].btn,.form-horizontal .form-group-sm input[type=month].form-control{line-height:30px}input[type=date].input-lg,.input-group-lg>input[type=date].form-control,.input-group-lg>input[type=date].input-group-addon,.input-group-lg>.input-group-btn>input[type=date].btn,.form-horizontal .form-group-lg input[type=date].form-control,input[type=time].input-lg,.input-group-lg>input[type=time].form-control,.input-group-lg>input[type=time].input-group-addon,.input-group-lg>.input-group-btn>input[type=time].btn,.form-horizontal .form-group-lg input[type=time].form-control,input[type=datetime-local].input-lg,.input-group-lg>input[type=datetime-local].form-control,.input-group-lg>input[type=datetime-local].input-group-addon,.input-group-lg>.input-group-btn>input[type=datetime-local].btn,.form-horizontal .form-group-lg input[type=datetime-local].form-control,input[type=month].input-lg,.input-group-lg>input[type=month].form-control,.input-group-lg>input[type=month].input-group-addon,.input-group-lg>.input-group-btn>input[type=month].btn,.form-horizontal .form-group-lg input[type=month].form-control{line-height:45px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:18px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-left:-20px;margin-top:4px \9 }.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;vertical-align:middle;font-weight:normal;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=radio].disabled,fieldset[disabled] input[type=radio],input[type=checkbox][disabled],input[type=checkbox].disabled,fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,fieldset[disabled] .radio-inline,.checkbox-inline.disabled,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,fieldset[disabled] .radio label,.checkbox.disabled label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.input-group-lg>.form-control-static.form-control,.input-group-lg>.form-control-static.input-group-addon,.input-group-lg>.input-group-btn>.form-control-static.btn,.form-horizontal .form-group-lg .form-control-static.form-control,.form-control-static.input-sm,.input-group-sm>.form-control-static.form-control,.input-group-sm>.form-control-static.input-group-addon,.input-group-sm>.input-group-btn>.form-control-static.btn,.form-horizontal .form-group-sm .form-control-static.form-control{padding-left:0;padding-right:0}.input-sm,.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm,.input-group-sm>select.form-control,.input-group-sm>select.input-group-addon,.input-group-sm>.input-group-btn>select.btn,.form-horizontal .form-group-sm select.form-control{height:30px;line-height:30px}textarea.input-sm,.input-group-sm>textarea.form-control,.input-group-sm>textarea.input-group-addon,.input-group-sm>.input-group-btn>textarea.btn,.form-horizontal .form-group-sm textarea.form-control,select[multiple].input-sm,.input-group-sm>select[multiple].form-control,.input-group-sm>select[multiple].input-group-addon,.input-group-sm>.input-group-btn>select[multiple].btn,.form-horizontal .form-group-sm select[multiple].form-control{height:auto}.input-lg,.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn,.form-horizontal .form-group-lg .form-control{height:45px;padding:10px 16px;font-size:17px;line-height:1.33;border-radius:6px}select.input-lg,.input-group-lg>select.form-control,.input-group-lg>select.input-group-addon,.input-group-lg>.input-group-btn>select.btn,.form-horizontal .form-group-lg select.form-control{height:45px;line-height:45px}textarea.input-lg,.input-group-lg>textarea.form-control,.input-group-lg>textarea.input-group-addon,.input-group-lg>.input-group-btn>textarea.btn,.form-horizontal .form-group-lg textarea.form-control,select[multiple].input-lg,.input-group-lg>select[multiple].form-control,.input-group-lg>select[multiple].input-group-addon,.input-group-lg>.input-group-btn>select[multiple].btn,.form-horizontal .form-group-lg select[multiple].form-control{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:40px}.form-control-feedback{position:absolute;top:23px;right:0;z-index:2;display:block;width:32px;height:32px;line-height:32px;text-align:center}.input-lg+.form-control-feedback,.input-group-lg>.form-control+.form-control-feedback,.input-group-lg>.input-group-addon+.form-control-feedback,.input-group-lg>.input-group-btn>.btn+.form-control-feedback,.form-horizontal .form-group-lg .form-control+.form-control-feedback{width:45px;height:45px;line-height:45px}.input-sm+.form-control-feedback,.input-group-sm>.form-control+.form-control-feedback,.input-group-sm>.input-group-addon+.form-control-feedback,.input-group-sm>.input-group-btn>.btn+.form-control-feedback,.form-horizontal .form-group-sm .form-control+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#7ebc59}.has-success .form-control{border-color:#7ebc59;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#65a141;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #b6d9a2;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #b6d9a2}.has-success .input-group-addon{color:#7ebc59;border-color:#7ebc59;background-color:#7ebc59}.has-success .form-control-feedback{color:#7ebc59}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#f0ad4e}.has-warning .form-control{border-color:#f0ad4e;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#ec971f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f8d9ac;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f8d9ac}.has-warning .input-group-addon{color:#f0ad4e;border-color:#f0ad4e;background-color:#fcf8e3}.has-warning .form-control-feedback{color:#f0ad4e}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#ee451f}.has-error .form-control{border-color:#ee451f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#cb320f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f5947e;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f5947e}.has-error .input-group-addon{color:#ee451f;border-color:#ee451f;background-color:#ee451f}.has-error .form-control-feedback{color:#ee451f}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#7c7c7a}@media(min-width: 768px){.form-inline .form-group,.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control,.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group,.navbar-form .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.navbar-form .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.navbar-form .input-group .input-group-btn,.form-inline .input-group .form-control,.navbar-form .input-group .form-control{width:auto}.form-inline .input-group>.form-control,.navbar-form .input-group>.form-control{width:100%}.form-inline .control-label,.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.navbar-form .radio,.form-inline .checkbox,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.navbar-form .radio label,.form-inline .checkbox label,.navbar-form .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.navbar-form .radio input[type=radio],.form-inline .checkbox input[type=checkbox],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback,.navbar-form .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{margin-top:0;margin-bottom:0;padding-top:7px}.form-horizontal .radio,.form-horizontal .checkbox{min-height:25px}.form-horizontal .form-group{margin-left:-20px;margin-right:-20px}.form-horizontal .form-group:before,.form-horizontal .form-group:after{content:" ";display:table}.form-horizontal .form-group:after{clear:both}@media(min-width: 768px){.form-horizontal .control-label{text-align:right;margin-bottom:0;padding-top:7px}}.form-horizontal .has-feedback control-feedback{top:0;right:20px}@media(min-width: 768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media(min-width: 768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;margin-bottom:0;font-weight:normal;text-align:center;vertical-align:middle;cursor:pointer;background-image:none;border:1px solid rgba(0,0,0,0);white-space:nowrap;padding:6px 12px;font-size:13px;line-height:1.428571429;border-radius:3px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;color:#fff;background-color:#536270;border-color:#536270}.btn:hover,.btn:focus,.btn:active,.btn.active,.open>.btn.dropdown-toggle{color:#fff;background-color:#3d4853;border-color:#39434d}.btn:active,.btn.active,.open>.btn.dropdown-toggle{background-image:none}.btn.disabled,.btn.disabled:hover,.btn.disabled:focus,.btn.disabled:active,.btn.disabled.active,.btn[disabled],.btn[disabled]:hover,.btn[disabled]:focus,.btn[disabled]:active,.btn[disabled].active,fieldset[disabled] .btn,fieldset[disabled] .btn:hover,fieldset[disabled] .btn:focus,fieldset[disabled] .btn:active,fieldset[disabled] .btn.active{background-color:#536270;border-color:#536270}.btn .badge{color:#536270;background-color:#fff}.btn:focus,.btn:active:focus,.btn.active:focus{outline:none}.btn:hover,.btn:focus{color:#fff;text-decoration:none}.btn:active,.btn.active{outline:0;background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{cursor:not-allowed;pointer-events:none;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none}.btn-default{color:#fff;background-color:#536270;border-color:#536270}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.btn-default.dropdown-toggle{color:#fff;background-color:#3d4853;border-color:#39434d}.btn-default:active,.btn-default.active,.open>.btn-default.dropdown-toggle{background-image:none}.btn-default.disabled,.btn-default.disabled:hover,.btn-default.disabled:focus,.btn-default.disabled:active,.btn-default.disabled.active,.btn-default[disabled],.btn-default[disabled]:hover,.btn-default[disabled]:focus,.btn-default[disabled]:active,.btn-default[disabled].active,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default:hover,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:active,fieldset[disabled] .btn-default.active{background-color:#536270;border-color:#536270}.btn-default .badge{color:#536270;background-color:#fff}.btn-primary{color:#fff;background-color:#51aded;border-color:#51aded}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.btn-primary.dropdown-toggle{color:#fff;background-color:#2397e8;border-color:#1a93e7}.btn-primary:active,.btn-primary.active,.open>.btn-primary.dropdown-toggle{background-image:none}.btn-primary.disabled,.btn-primary.disabled:hover,.btn-primary.disabled:focus,.btn-primary.disabled:active,.btn-primary.disabled.active,.btn-primary[disabled],.btn-primary[disabled]:hover,.btn-primary[disabled]:focus,.btn-primary[disabled]:active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary:hover,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary.active{background-color:#51aded;border-color:#51aded}.btn-primary .badge{color:#51aded;background-color:#fff}.btn-success{color:#fff;background-color:#7ebc59;border-color:#70b348}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.btn-success.dropdown-toggle{color:#fff;background-color:#65a141;border-color:#558837}.btn-success:active,.btn-success.active,.open>.btn-success.dropdown-toggle{background-image:none}.btn-success.disabled,.btn-success.disabled:hover,.btn-success.disabled:focus,.btn-success.disabled:active,.btn-success.disabled.active,.btn-success[disabled],.btn-success[disabled]:hover,.btn-success[disabled]:focus,.btn-success[disabled]:active,.btn-success[disabled].active,fieldset[disabled] .btn-success,fieldset[disabled] .btn-success:hover,fieldset[disabled] .btn-success:focus,fieldset[disabled] .btn-success:active,fieldset[disabled] .btn-success.active{background-color:#7ebc59;border-color:#70b348}.btn-success .badge{color:#7ebc59;background-color:#fff}.btn-info{color:#fff;background-color:#368cbf;border-color:#307dab}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.btn-info.dropdown-toggle{color:#fff;background-color:#2b6f97;border-color:#235a7b}.btn-info:active,.btn-info.active,.open>.btn-info.dropdown-toggle{background-image:none}.btn-info.disabled,.btn-info.disabled:hover,.btn-info.disabled:focus,.btn-info.disabled:active,.btn-info.disabled.active,.btn-info[disabled],.btn-info[disabled]:hover,.btn-info[disabled]:focus,.btn-info[disabled]:active,.btn-info[disabled].active,fieldset[disabled] .btn-info,fieldset[disabled] .btn-info:hover,fieldset[disabled] .btn-info:focus,fieldset[disabled] .btn-info:active,fieldset[disabled] .btn-info.active{background-color:#368cbf;border-color:#307dab}.btn-info .badge{color:#368cbf;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.btn-warning.dropdown-toggle{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.btn-warning.dropdown-toggle{background-image:none}.btn-warning.disabled,.btn-warning.disabled:hover,.btn-warning.disabled:focus,.btn-warning.disabled:active,.btn-warning.disabled.active,.btn-warning[disabled],.btn-warning[disabled]:hover,.btn-warning[disabled]:focus,.btn-warning[disabled]:active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning,fieldset[disabled] .btn-warning:hover,fieldset[disabled] .btn-warning:focus,fieldset[disabled] .btn-warning:active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#ee451f;border-color:#e23811}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.btn-danger.dropdown-toggle{color:#fff;background-color:#cb320f;border-color:#a92a0d}.btn-danger:active,.btn-danger.active,.open>.btn-danger.dropdown-toggle{background-image:none}.btn-danger.disabled,.btn-danger.disabled:hover,.btn-danger.disabled:focus,.btn-danger.disabled:active,.btn-danger.disabled.active,.btn-danger[disabled],.btn-danger[disabled]:hover,.btn-danger[disabled]:focus,.btn-danger[disabled]:active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger:hover,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger.active{background-color:#ee451f;border-color:#e23811}.btn-danger .badge{color:#ee451f;background-color:#fff}.btn-link{color:#51aded;font-weight:normal;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:rgba(0,0,0,0);-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:rgba(0,0,0,0)}.btn-link:hover,.btn-link:focus{color:#178adb;text-decoration:underline;background-color:rgba(0,0,0,0)}.btn-link[disabled]:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:hover,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:17px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid rgba(0,0,0,0);border-left:4px solid rgba(0,0,0,0)}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;list-style:none;font-size:13px;text-align:left;background-color:#fff;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:3px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175);background-clip:padding-box}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:8px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:normal;line-height:1.428571429;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{text-decoration:none;color:#262626;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;outline:0;background-color:#51aded}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;background-color:rgba(0,0,0,0);background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled = false);cursor:not-allowed}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{left:auto;right:0}.dropdown-menu-left{left:0;right:auto}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.428571429;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;left:0;right:0;bottom:0;top:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{border-top:0;border-bottom:4px solid;content:""}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media(min-width: 768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{left:0;right:auto}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group>.btn:focus,.btn-group>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn:hover,.btn-group-vertical>.btn:focus,.btn-group-vertical>.btn:active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar:before,.btn-toolbar:after{content:" ";display:table}.btn-toolbar:after{clear:both}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle,.btn-group-lg.btn-group>.btn+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret,.btn-group-lg>.btn .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret,.dropup .btn-group-lg>.btn .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{content:" ";display:table}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:3px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-bottom-left-radius:3px;border-top-right-radius:0;border-top-left-radius:0}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;opacity:0;filter:alpha(opacity=0)}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-left:0;padding-right:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:13px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #e4eaec;border-radius:3px}.input-group-addon.input-sm,.form-horizontal .form-group-sm .input-group-addon.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.input-group-addon.btn{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg,.form-horizontal .form-group-lg .input-group-addon.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.input-group-addon.btn{padding:10px 16px;font-size:17px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav:before,.nav:after{content:" ";display:table}.nav:after{clear:both}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:rgba(0,0,0,0);cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#51aded}.nav .nav-divider{height:1px;margin:8px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #e5e5e5}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.428571429;border:1px solid rgba(0,0,0,0);border-radius:3px 3px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #e5e5e5}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:rgba(0,0,0,0);cursor:default}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:0}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#51aded}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified,.nav-tabs.nav-justified{width:100%}.nav-justified>li,.nav-tabs.nav-justified>li{float:none}.nav-justified>li>a,.nav-tabs.nav-justified>li>a{text-align:left;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media(min-width: 768px){.nav-justified>li,.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a,.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified,.nav-tabs.nav-justified{border-bottom:0}.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:3px}.nav-tabs-justified>.active>a,.nav-tabs.nav-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media(min-width: 768px){.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:3px 3px 0 0}.nav-tabs-justified>.active>a,.nav-tabs.nav-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:0;border:1px solid rgba(0,0,0,0)}.navbar:before,.navbar:after{content:" ";display:table}.navbar:after{clear:both}@media(min-width: 768px){.navbar{border-radius:0}}.navbar-header:before,.navbar-header:after{content:" ";display:table}.navbar-header:after{clear:both}@media(min-width: 768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:20px;padding-left:20px;border-top:1px solid rgba(0,0,0,0);box-shadow:inset 0 1px 0 rgba(255,255,255,.1);-webkit-overflow-scrolling:touch}.navbar-collapse:before,.navbar-collapse:after{content:" ";display:table}.navbar-collapse:after{clear:both}.navbar-collapse.in{overflow-y:auto}@media(min-width: 768px){.navbar-collapse{width:auto;border-top:0;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media(max-width: 480px)and (orientation: landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-header,.container-fluid>.navbar-collapse{margin-right:-20px;margin-left:-20px}@media(min-width: 768px){.container>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-header,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media(min-width: 768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}@media(min-width: 768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 20px;font-size:17px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media(min-width: 768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-20px}}.navbar-toggle{position:relative;float:left;margin-right:20px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:rgba(0,0,0,0);background-image:none;border:1px solid rgba(0,0,0,0);border-radius:3px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media(min-width: 768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -20px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:18px}@media(max-width: 767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:rgba(0,0,0,0);border:0;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:18px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media(min-width: 768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-20px}}@media(min-width: 768px){.navbar-left{float:left !important}.navbar-right{float:right !important}}.navbar-form{margin-left:-20px;margin-right:-20px;padding:10px 0px;border-top:1px solid rgba(0,0,0,0);border-bottom:1px solid rgba(0,0,0,0);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);margin-top:9px;margin-bottom:9px}@media(max-width: 767px){.navbar-form .form-group{margin-bottom:5px}}@media(min-width: 768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-20px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:9px;margin-bottom:9px}.navbar-btn.btn-sm,.btn-group-sm>.navbar-btn.btn{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs,.btn-group-xs>.navbar-btn.btn{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:16px;margin-bottom:16px}@media(min-width: 768px){.navbar-text{float:left;margin-left:20px;margin-right:20px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#3c3c3b;border-color:#2b2b2b}.navbar-default .navbar-brand{color:#f7f7f7}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#dedede;background-color:rgba(0,0,0,0)}.navbar-default .navbar-text{color:#f7f7f7}.navbar-default .navbar-nav>li>a{color:#f7f7f7}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{background-color:rgba(0,0,0,0)}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#2b2b2b}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:rgba(0,0,0,0)}.navbar-default .navbar-toggle{border-color:#fff}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#555}.navbar-default .navbar-toggle .icon-bar{background-color:#fff}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#2b2b2b}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#2b2b2b;color:#555}@media(max-width: 767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#f7f7f7}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{background-color:rgba(0,0,0,0)}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#2b2b2b}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:rgba(0,0,0,0)}}.navbar-default .navbar-link{color:#f7f7f7}.navbar-default .btn-link{color:#f7f7f7}.navbar-default .btn-link[disabled]:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:hover,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#090909}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#090909}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#090909;color:#fff}@media(max-width: 767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:rgba(0,0,0,0)}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:hover,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:18px;list-style:none;background-color:#f5f5f5;border-radius:3px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{content:"/ ";padding:0 5px;color:#ccc}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:18px 0;border-radius:3px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;line-height:1.428571429;text-decoration:none;color:#51aded;background-color:#fff;border:1px solid #ddd;margin-left:-1px}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-bottom-left-radius:3px;border-top-left-radius:3px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-bottom-right-radius:3px;border-top-right-radius:3px}.pagination>li>a:hover,.pagination>li>a:focus,.pagination>li>span:hover,.pagination>li>span:focus{color:#178adb;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>a:hover,.pagination>.active>a:focus,.pagination>.active>span,.pagination>.active>span:hover,.pagination>.active>span:focus{z-index:2;color:#fff;background-color:#51aded;border-color:#51aded;cursor:default}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;background-color:#fff;border-color:#ddd;cursor:not-allowed}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:17px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-bottom-left-radius:6px;border-top-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-bottom-right-radius:6px;border-top-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:3px;border-top-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:3px;border-top-right-radius:3px}.pager{padding-left:0;margin:18px 0;list-style:none;text-align:center}.pager:before,.pager:after{content:" ";display:table}.pager:after{clear:both}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#777;background-color:#fff;cursor:not-allowed}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}.label:empty{display:none}.btn .label{position:relative;top:-1px}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#51aded}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#2397e8}.label-success{background-color:#7ebc59}.label-success[href]:hover,.label-success[href]:focus{background-color:#65a141}.label-info{background-color:#368cbf}.label-info[href]:hover,.label-info[href]:focus{background-color:#2b6f97}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#ee451f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#cb320f}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:baseline;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#51aded;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:20px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width: 768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-left:60px;padding-right:60px}.jumbotron h1,.jumbotron .h1{font-size:58.5px}}.thumbnail{display:block;padding:4px;margin-bottom:18px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:3px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{display:block;width:100% \9 ;max-width:100%;height:auto;margin-left:auto;margin-right:auto}.thumbnail .caption{padding:9px;color:#3c3c3b}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#51aded}.alert{padding:15px;margin-bottom:18px;border:1px solid rgba(0,0,0,0);border-radius:3px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#7ebc59;border-color:#7ebc59;color:#4e7d32}.alert-success hr{border-top-color:#70b348}.alert-success .alert-link{color:#598f3a}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#173543}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#1d4356}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#c77c11}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#df8a13}.alert-danger{background-color:#ee451f;border-color:#ee451f;color:#9b260c}.alert-danger hr{border-top-color:#e23811}.alert-danger .alert-link{color:#b32c0e}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:18px;background-color:#f5f5f5;border-radius:3px;position:relative;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:18px;color:#fff;text-align:center;background-color:#51aded;position:relative;z-index:2;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{color:#777;min-width:30px;background-color:rgba(0,0,0,0);background-image:none;box-shadow:none}.progress-bar-success{background-color:#7ebc59}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#368cbf}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#ee451f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{margin-bottom:20px;padding-left:0}.list-group-item{position:relative;display:block;padding:6px 8px;margin-bottom:-1px;background-color:#fff}.list-group-item:last-child{margin-bottom:0}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#3c3c3b;border-radius:0}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{text-decoration:none;background-color:#f5f5f5}a.list-group-item:hover:before,a.list-group-item:focus:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0;width:3px}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{background-color:#eee;color:#777}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2}.list-group-item.active:before,.list-group-item.active:hover:before,.list-group-item.active:focus:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0px;width:3px}.list-group-item.active .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#fff}.list-group-item.active+.collapse>.list-group-item:before,.list-group-item.active:hover+.collapse>.list-group-item:before,.list-group-item.active:focus+.collapse>.list-group-item:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0px;width:3px}.list-group-item-success{color:#7ebc59;background-color:#7ebc59}a.list-group-item-success{color:#7ebc59}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#7ebc59;background-color:#70b348}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#7ebc59;border-color:#7ebc59}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#f0ad4e;background-color:#fcf8e3}a.list-group-item-warning{color:#f0ad4e}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#f0ad4e;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#f0ad4e;border-color:#f0ad4e}.list-group-item-danger{color:#ee451f;background-color:#ee451f}a.list-group-item-danger{color:#ee451f}a.list-group-item-danger .list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#ee451f;background-color:#e23811}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#ee451f;border-color:#ee451f}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:18px;background-color:#fff;border:1px solid rgba(0,0,0,0);border-radius:3px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-body:before,.panel-body:after{content:" ";display:table}.panel-body:after{clear:both}.panel-heading{padding:10px 15px;border-bottom:1px solid rgba(0,0,0,0);border-top-right-radius:2px;border-top-left-radius:2px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:15px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:2px;border-top-left-radius:2px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:2px;border-top-left-radius:2px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:2px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:2px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:2px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:2px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #eee}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:18px}.panel-group .panel{margin-bottom:0;border-radius:3px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#51aded}.panel-primary>.panel-heading{color:#fff;background-color:#51aded;border-color:#51aded}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#51aded}.panel-primary>.panel-heading .badge{color:#51aded;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#51aded}.panel-success{border-color:#7ebc59}.panel-success>.panel-heading{color:#7ebc59;background-color:#7ebc59;border-color:#7ebc59}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#7ebc59}.panel-success>.panel-heading .badge{color:#7ebc59;background-color:#7ebc59}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#7ebc59}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#f0ad4e;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#f0ad4e}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ee451f}.panel-danger>.panel-heading{color:#ee451f;background-color:#ee451f;border-color:#ee451f}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ee451f}.panel-danger>.panel-heading .badge{color:#ee451f;background-color:#ee451f}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ee451f}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;left:0;bottom:0;height:100%;width:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:3px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:19.5px;font-weight:bold;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.2;filter:alpha(opacity=20)}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;opacity:.5;filter:alpha(opacity=50)}button.close{padding:0;cursor:pointer;background:rgba(0,0,0,0);border:0;-webkit-appearance:none}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate3d(0, -25%, 0);transform:translate3d(0, -25%, 0);-webkit-transition:-webkit-transform .3s ease-out;-moz-transition:-moz-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:62px 10px 10px 10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5);background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5;min-height:16.428571429px}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.428571429}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer:before,.modal-footer:after{content:" ";display:table}.modal-footer:after{clear:both}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media(min-width: 768px){.modal-dialog{width:600px;margin:82px auto 30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media(min-width: 992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;visibility:visible;font-size:12px;line-height:1.4;opacity:0;filter:alpha(opacity=0)}.tooltip.in{opacity:.9;filter:alpha(opacity=90)}.tooltip.top{margin-top:-3px;padding:5px 0}.tooltip.right{margin-left:3px;padding:0 5px}.tooltip.bottom{margin-top:3px;padding:5px 0}.tooltip.left{margin-left:-3px;padding:0 5px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:3px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:rgba(0,0,0,0);border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{bottom:0;right:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;background-color:#fff;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2);white-space:normal}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{margin:0;padding:8px 14px;font-size:13px;font-weight:normal;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:rgba(0,0,0,0);border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{border-width:10px;content:""}.popover.top>.arrow{left:50%;margin-left:-11px;border-bottom-width:0;border-top-color:#999;border-top-color:rgba(0,0,0,.25);bottom:-11px}.popover.top>.arrow:after{content:" ";bottom:1px;margin-left:-10px;border-bottom-width:0;border-top-color:#fff}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-left-width:0;border-right-color:#999;border-right-color:rgba(0,0,0,.25)}.popover.right>.arrow:after{content:" ";left:1px;bottom:-10px;border-left-width:0;border-right-color:#fff}.popover.bottom>.arrow{left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25);top:-11px}.popover.bottom>.arrow:after{content:" ";top:1px;margin-left:-10px;border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{content:" ";right:1px;border-right-width:0;border-left-color:#fff;bottom:-10px}.carousel{position:relative}.carousel-inner{position:relative;overflow:hidden;width:100%}.carousel-inner>.item{display:none;position:relative;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9 ;max-width:100%;height:auto;line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;left:0;bottom:0;width:15%;opacity:.5;filter:alpha(opacity=50);font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-control.left{background-image:-webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-image:-o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-image:linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr="#80000000", endColorstr="#00000000", GradientType=1)}.carousel-control.right{left:auto;right:0;background-image:-webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-image:-o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-image:linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr="#00000000", endColorstr="#80000000", GradientType=1)}.carousel-control:hover,.carousel-control:focus{outline:0;color:#fff;text-decoration:none;opacity:.9;filter:alpha(opacity=90)}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:"‹"}.carousel-control .icon-next:before{content:"›"}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;margin-left:-30%;padding-left:0;list-style:none;text-align:center}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;border:1px solid #fff;border-radius:10px;cursor:pointer;background-color:#000 \9 ;background-color:rgba(0,0,0,0)}.carousel-indicators .active{margin:0;width:12px;height:12px;background-color:#fff}.carousel-caption{position:absolute;left:15%;right:15%;bottom:20px;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width: 768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-15px}.carousel-caption{left:20%;right:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.content-box:before,.clearfix:after,.content-box:after{content:" ";display:table}.clearfix:after,.content-box:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:rgba(0,0,0,0);text-shadow:none;background-color:rgba(0,0,0,0);border:0}.hidden{display:none !important;visibility:hidden !important}.affix{position:fixed;-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media(max-width: 767px){.visible-xs{display:block !important}table.visible-xs{display:table}tr.visible-xs{display:table-row !important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media(max-width: 767px){.visible-xs-block{display:block !important}}@media(max-width: 767px){.visible-xs-inline{display:inline !important}}@media(max-width: 767px){.visible-xs-inline-block{display:inline-block !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm{display:block !important}table.visible-sm{display:table}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-block{display:block !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-inline{display:inline !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-inline-block{display:inline-block !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md{display:block !important}table.visible-md{display:table}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-block{display:block !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-inline{display:inline !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-inline-block{display:inline-block !important}}@media(min-width: 1200px){.visible-lg{display:block !important}table.visible-lg{display:table}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media(min-width: 1200px){.visible-lg-block{display:block !important}}@media(min-width: 1200px){.visible-lg-inline{display:inline !important}}@media(min-width: 1200px){.visible-lg-inline-block{display:inline-block !important}}@media(max-width: 767px){.hidden-xs,.page-side{display:none !important}}@media(min-width: 768px)and (max-width: 991px){.hidden-sm{display:none !important}}@media(max-width: 768px),(max-height: 669px){.toggle-sidebar{display:none !important}}@media(min-width: 992px)and (max-width: 1199px){.hidden-md{display:none !important}}@media(min-width: 1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}}*{-webkit-font-smoothing:antialiased}html,body{font-family:"Inter",serif;font-weight:400;height:100%;background-color:#fff}body{min-width:320px;touch-action:manipulation}.widget-sort-handle{touch-action:none}.page-head{position:fixed;z-index:2;top:0;right:0;left:0;background:#3c3c3b}.page-head .navbar-default{min-height:60px;color:rgba(87,87,87,.67);border:0;background:#fff;box-shadow:0 2px 4px rgba(0,0,0,.08)}.page-head .navbar-text{color:#494949}.page-head .navbar-right{margin-top:6px}.page-head .navbar-brand{display:flex;flex-direction:column;width:250px;height:100%;text-align:center;color:#000;background:#3498db}.page-head .navbar-brand::before{font-size:16px;font-weight:500;display:inline-block;content:"OPNSense";color:#fff}.page-head .navbar-brand::after{font-size:12px;font-weight:400;display:inline-block;content:"AdvancedOPN Theme";color:#fafafa}.page-head .navbar-brand:hover,.page-head .navbar-brand:focus{background:#3498db}.page-head .navbar-brand .brand-logo,.page-head .navbar-brand .brand-icon{width:1px;height:1px}.page-head .navbar-toggle{margin-top:14px}.page-head .navbar-toggle .icon-bar{background-color:#363636}.page-head .navbar-toggle:hover,.page-head .navbar-toggle:focus{background-color:rgba(0,0,0,0)}.page-head .navbar-toggle:hover .icon-bar,.page-head .navbar-toggle:focus .icon-bar{background-color:#3498db}.page-content{position:relative;z-index:1;height:calc(100% - 60px);padding-top:60px}.page-content>.row{height:100%}@media(min-width: 768px){.page-content.col-lg-10,.page-content.col-sm-9{width:calc(100% - 250px)}.page-content.col-lg-push-2,.page-content.col-sm-push-3{left:250px}}.page-content-head,.content-box-head{padding-top:20px;padding-bottom:15px;border-bottom:1px solid rgba(217,217,217,.5);background:#fbfbfb}.page-content-head .navbar-nav,.content-box-head .navbar-nav{width:100%}.page-content-head h1,.content-box-head h1,.page-content-head h2,.content-box-head h2,.page-content-head h3,.content-box-head h3{line-height:1;margin:0}.page-content-main{min-height:calc(100% - 64px);padding:15px 0 73px;background:#f7f7f7}.page-side{position:fixed;z-index:3;top:0;left:0;overflow:auto;width:250px;height:100% !important;height:calc(100% - 60px) !important;margin-top:60px;border-right:1px solid rgba(0,0,0,.15);background:#263238}.page-side-nav--active{border-left:3px solid;background:#f7f7f7}.page-side-nav .panel{background:#263238}.page-foot{font-size:12px;position:fixed;z-index:2;bottom:0;width:100%;padding:20px 0;border-top:1px solid rgba(217,217,217,.5);background:#fbfbfb}.content-box{border:1px solid #eaeaea;border-radius:3px;background:#fff}.content-box-main{padding-top:15px;padding-bottom:15px}div.content-box.wizard div img{filter:invert(25%)}.tab-content{padding:0px 0;border-top:0px}.tab-content>.tab-content{margin-bottom:0;padding:0 15px}.tab-content .tab-content:last-child{margin-bottom:0}.page-content-main section[class^=col-]+section[class^=col-]{padding-top:20px}.brand-logo{display:none}@media(min-width: 768px){.brand-logo{display:inline-block}}.brand-icon{display:inline-block}@media(min-width: 768px){.brand-icon{display:none}}@media(min-width: 768px){.col-sm-disable-spacer{padding-top:0 !important}}@media(min-width: 992px){.col-md-disable-spacer{padding-top:0 !important}}@media(min-width: 1200px){.col-lg-disable-spacer{padding-top:0 !important}}.page-login{background:linear-gradient(#eff2f5, #f5f7f8)}.page-login .container{display:flex;align-items:center;flex-direction:column;justify-content:center;min-height:100%}.page-login .container:after{height:60px}.login-foot{font-size:12px}.login-modal-container{width:100%;max-width:400px;margin-bottom:8px;border-radius:4px;background:#fff;box-shadow:0 1px 8px rgba(0,0,0,.1)}.login-modal-head{height:50px;padding:0 20px;border-top-left-radius:4px;border-top-right-radius:4px;background:#51aded}.login-modal-head img{display:none}.login-modal-head .navbar-brand{display:flex;float:none;align-items:center;flex-direction:column;justify-content:center;text-align:center}.login-modal-head .navbar-brand::before{font-size:16px;font-weight:500;display:inline-block;content:"OPNSense";color:#fff}.login-modal-head .navbar-brand::after{font-size:11px;font-weight:400;display:inline-block;content:"AdvancedOPN Theme";color:#fafafa}.login-modal-content{padding:20px 20px 20px 20px}.login-modal-foot{height:60px;padding:20px 20px 0 20px;border-top:1px solid #eaeaea;background:#f7f7f7}.login-modal-foot a{text-decoration:none;color:#7d7d7d}.login-modal-foot a:hover{text-decoration:underline;color:#646464}@media(min-width: 768px){.list-inline .btn-group-container{float:right}}.btn.btn-fixed{width:100%;max-width:174px}.progress-bar-placeholder{font-size:12px;position:absolute;z-index:1;width:100%;text-align:center}.list-group-item{border-right:none;border-left:none}.list-group-item.collapsed .caret{border-top:0;border-bottom:4px solid green}main.page-content.col-lg-12{padding-left:90px}#navigation .panel.list-group .fa:not(.__iconspacer){width:auto;padding-right:10px}#navigation .panel.list-group a.list-group-item{font-size:14px;position:relative;padding:12px 16px;text-decoration:none;color:#a6adb3;background:#263238}#navigation .panel.list-group a.list-group-item:hover{color:#e1e4e6;background:rgba(255,255,255,.03)}#navigation .panel.list-group a.list-group-item:hover::before{background-color:#3498db}#navigation .panel.list-group a.list-group-item.active{color:#e1e4e6;background:rgba(255,255,255,.02)}#navigation .panel.list-group>.list-group-item:not(.collapsed).active-menu-title::before{width:3px;transition:opacity 200ms;background-color:#3498db}#navigation .panel.list-group>div .list-group-item{font-size:13px;position:relative;padding:5px 0 5px 35px}#navigation .panel.list-group>div .list-group-item::before{position:absolute;z-index:1;top:-11px;bottom:13px;left:12px;display:block;width:0;content:"";opacity:.8;border-left:1px dotted #3e474e !important}#navigation .panel.list-group>div .list-group-item::after{position:absolute;z-index:1;top:13px;left:12px;display:block;width:12px;content:"";border-bottom:1px dotted #3e474e !important}#navigation .panel.list-group>div .list-group-item:hover::before,#navigation .panel.list-group>div .list-group-item.active::before,#navigation .panel.list-group>div .list-group-item:focus::before{opacity:1;background-color:#3e474e}#navigation.col-sidebar-left{overflow:hidden;width:70px;border:none !important;background-color:rgba(0,0,0,0) !important}#navigation.col-sidebar-left>div.row{height:100% !important}#navigation.col-sidebar-left>div.row>nav.page-side-nav{width:70px;height:100% !important;border-right:1px solid #304047;background:#263238}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item{font-size:13px;width:70px;height:70px;padding-top:12px;padding-right:0px;padding-left:0px;text-align:center;color:#a6adb3;border-right:1px solid #304047;border-bottom:2px solid #lightergrey}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.fa,#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.glyphicon{font-size:20px;visibility:visible}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.__iconspacer{display:block;height:30px;padding:0px;text-align:center}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsing>a.list-group-item{font-size:14px !important;position:absolute !important;left:70px !important;display:block !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapsing>a.list-group-item{font-size:14px !important;position:absolute !important;left:166px !important;display:block !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in>a.list-group-item{background-color:#263238 !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item::before,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item::after,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item::before,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item::after{display:none}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsed>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item{padding:3px 8px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in{font-size:14px;position:absolute;z-index:10;left:70px;width:168px;margin-top:-70px;border:1px solid #304047;-moz-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);-webkit-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);box-shadow:2px 2px 1px 0px rgba(234,234,234,.5)}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in{font-size:14px;position:absolute;z-index:10;left:166px;width:168px;margin-top:-26px;border:1px solid #304047;-moz-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);-webkit-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);box-shadow:2px 2px 1px 0px rgba(234,234,234,.5)}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsing,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapsing{display:none}button.toggle-sidebar{font-size:14px;float:left;margin-top:20px;color:#575757;border:none;outline:none;background-color:rgba(0,0,0,0)}#navigation.collapse.in{display:block !important}.list-group-submenu .list-group-item:last-child,.collapse .list-group-item:last-child{border-bottom:none}ul.nav>li.dropdown>ul.dropdown-menu>li>a{padding:3px 10px}.nav-tabs{margin-right:1px;border-bottom:2px solid #eaeaea}.nav-tabs>li{margin-right:2px;border-radius:0px;border-top-right-radius:10px}.nav-tabs>li>a{margin-right:0px;cursor:pointer;color:#777;border-top-left-radius:4px;border-top-right-radius:4px;background:#fcfcfc}.nav-tabs>li>a{border:none;background:rgba(0,0,0,0)}.nav-tabs>li>a:hover,.nav-tabs>li>a:focus{border-bottom:2px solid #e0e0e0;background-color:#efefef}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#51aded;border-top:none;border-right:none;border-bottom:2px solid #51aded;border-left:none;background:rgba(0,0,0,0)}.nav-tabs>li>a.visible-lg-inline-block:not(.pull-right){padding-right:6px !important;padding-left:12px !important;border-top-right-radius:0px !important}.nav-tabs>li>a.visible-lg-inline-block.pull-right{padding-right:12px !important;padding-left:6px !important;border-left:0px !important;border-top-left-radius:0}.nav-tabs.nav-justified{border-right:1px solid #eaeaea}.nav-tabs.nav-justified>li{border-top:1px solid #eaeaea;border-bottom:1px solid #eaeaea;border-left:1px solid #eaeaea;border-radius:0px;background:#f7f7f7}.nav-tabs.nav-justified>li>a{font-family:"Inter",serif;color:#3c3c3b}@media(min-width: 768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid rgba(0,0,0,0)}}@media(max-width: 767px){.nav-tabs.nav-justified>li.active>a{border-right:0 !important}}@media(min-width: 768px){>li.active+li>a{border-left:1px solid rgba(0,0,0,0)}}>li:last-child>a{border-right:1px solid rgba(0,0,0,0) !important}@media(max-width: 767px){>li:last-child>a{margin-bottom:0}}#opn-status-list .btn{color:#565656;border:1px solid #ecedf1;background:rgba(0,0,0,0)}#opn-status-list .btn:hover{background:#f9f9f9}.bootstrap-dialog-title{font-size:15px;font-weight:500}.bootstrap-select .btn-default{color:#76838f;border:1px solid #e4eaec;background:#fff}.bootstrap-select .btn-default:focus{border-color:#66afe9;background:#fff}.bootstrap-select.open>.btn-default{color:#76838f;border-color:#66afe9;background:#fff}.bootstrap-select .dropdown-toggle:focus{outline-color:#fff !important}.btn .glyphicon{vertical-align:-1px}.btn-default .glyphicon{color:#757575}table{width:100%}.table{margin-bottom:0px !important}.nav-tabs-justified .nav-tabs.nav-justified>.active>a:focus,.nav-tabs.nav-justified .nav-tabs.nav-justified>.active>a:focus{border:0px !important}.table th,strong,b{font-family:"Inter",serif;font-weight:500}.table>tbody>tr>td:last-child{padding-right:15px}.__nowrap{white-space:nowrap}.__nomb{margin-bottom:0}.__mb{margin-bottom:15px}.__mt{margin-top:15px}.__ml{margin-left:15px}.__mr{margin-right:15px}.__iconspacer{padding-right:10px}#mainmenu .glyphicon{vertical-align:-2px}.list-group-item{overflow:hidden;text-overflow:ellipsis}.list-group-item+div.collapse{margin-bottom:-1px}.list-group-item+div>a{padding-left:44px}.list-group-item:before{position:absolute;top:0px;left:0;width:0;height:42px;min-height:100%;content:"";transition:opacity 0ms;opacity:0}.list-group-submenu a{padding-left:56px}.active-menu-title,.active-menu a{position:relative;text-decoration:none;background-color:#242f35}.active-menu-title:before,.active-menu a:before{width:3px}.active-menu-title.active,.active-menu a.active{background-color:#242f35}.active-menu a:before{background:#242f35}.alert.alert-danger{color:#fff !important}.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{border-radius:0 !important}.navbar-brand{padding:10px 20px}.label-opnsense{font-size:12px;line-height:1.5;display:inline-block;vertical-align:middle;border:1px solid rgba(0,0,0,0);border-radius:3px}.label-opnsense-sm{padding:5px 10px}.label-opnsense-xs,.btn-xs,.btn-group-xs>.btn{padding:1px 3px}::-webkit-scrollbar{width:8px}::-webkit-scrollbar-button{width:8px;height:5px}::-webkit-scrollbar-track{border-radius:0;background:#dcdcdc;box-shadow:0px 0px 0px}::-webkit-scrollbar-thumb{border:thin solid #e5e5e5;border-radius:0px;background:#afafaf}::-webkit-scrollbar-thumb:hover{background:#e5e5e5}.widgetdiv{padding-top:0px !important;padding-bottom:20px}select{overflow:hidden;cursor:pointer;border:1px solid #ccc;background-image:url("/ui/themes/advanced/build/images/caret.png") !important;background-repeat:no-repeat;background-position:right;-webkit-appearance:none;-moz-appearance:none;appearance:none}#grid-log th[data-column-id=__timestamp__],#filter-log-entries th[data-column-id=__timestamp__]{min-width:3.5em}@media screen and (max-width: 767px){.table-responsive{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>tfoot>tr>td{white-space:normal}}label>input[type=checkbox],label>input[type=radio]{float:left;margin-right:.4em}input[type=checkbox],input[type=radio]{font:inherit;display:inline-flex;align-items:center;justify-content:center;width:20px;height:20px;margin:0;cursor:pointer;transition:border-color 150ms ease,background-color 150ms ease;transform:translateY(1px);color:#3f3f3f;border:1px solid #e4eaec;border-radius:.15em;background-color:#fff;-webkit-appearance:none;appearance:none}input[type=checkbox]::before,input[type=radio]::before{visibility:hidden;width:10px;height:10px;content:"";transition:transform 120ms ease-out 60ms,opacity 120ms ease-out,visibility 120ms ease-out;transform:scale(0.65);opacity:0;background-color:#fafafa;box-shadow:inset 1em 1em var(--form-control-color);clip-path:polygon(14% 44%, 0 65%, 50% 100%, 100% 16%, 80% 0%, 43% 62%)}input[type=checkbox]:checked,input[type=radio]:checked{border-color:#3498db;background-color:#3498db}input[type=checkbox]:checked::before,input[type=radio]:checked::before{visibility:visible;transform:scale(1);opacity:1;background-color:#fff}input[type=checkbox]:hover,input[type=radio]:hover{border-color:#3498db}input[type=checkbox]:disabled,input[type=radio]:disabled{cursor:not-allowed;color:var(--form-control-disabled);--form-control-color: var(--form-control-disabled)}input[type=radio]{border-radius:50%}div[data-for*=help_for]{font-size:.85em;font-style:italic;padding-top:.5em}#log-settings label[for^=act]{margin-right:1.5em}#log-settings table>tbody>tr>td{vertical-align:middle}#log-settings select#filterlogentries,#log-settings select#filterlogentriesupdateinterval{width:5em}#log-settings select#filterlogentriesinterfaces{min-width:100%;max-width:100%}[data-state=lightcoral]{background-color:#f08080}[data-state=white]{background-color:#fff}[data-state=red]{background-color:red}.tokens-container{margin-top:0px;margin-bottom:0px}.actionBar .btn.btn-default{color:#767676;border-color:#d8d8d8;background:#fafafa}.bootgrid-table td.select-cell{overflow:visible;width:30px !important}.act_toggle{font-size:15px}.fa.command-toggle{font-size:16px;padding-top:5px;vertical-align:middle}.form-control:hover{border-color:#d1e5f2}.table input[type=checkbox]{margin-top:-4px;margin-bottom:-4px}.table .btn-xs,.table .btn-group-xs>.btn{margin-top:-4px;margin-bottom:-4px}/*# sourceMappingURL=main.css.map */
+.widgetdiv .content-box-head{overflow:hidden;min-height:25px !important;padding:8px !important;color:#3c3c3b !important;border-top-left-radius:3px;border-top-right-radius:3px;background:#e8e8e8 !important}.widgetdiv .content-box-head .btn-group .btn{color:#3c3c3b !important;border:0px;background:#e8e8e8 !important}.widgetdiv .content-box-head .btn-group .btn .glyphicon{color:#3c3c3b !important}.widgetdiv .content-box-head .list-inline li>h3{padding-top:4px}@font-face{font-family:"Inter";font-style:normal;font-weight:600;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}@font-face{font-family:"Inter";font-style:normal;font-weight:500;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}@font-face{font-family:"Inter";font-style:normal;font-weight:400;font-display:swap;src:url("/ui/themes/advanced/build/fonts/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2") format("woff2");unicode-range:U+0000-00FF,U+0131,U+0152-0153,U+02BB-02BC,U+02C6,U+02DA,U+02DC,U+2000-206F,U+2074,U+20AC,U+2122,U+2191,U+2193,U+2212,U+2215,U+FEFF,U+FFFD}/*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:rgba(0,0,0,0)}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}input{line-height:normal}input[type=checkbox],input[type=radio]{box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}legend{border:0;padding:0}textarea{overflow:auto}optgroup{font-weight:bold}table{border-collapse:collapse;border-spacing:0}td,th{padding:0}@media print{*{text-shadow:none !important;color:#000 !important;background:rgba(0,0,0,0) !important;box-shadow:none !important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff !important}.navbar{display:none}.table td,.table th{background-color:#fff !important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000 !important}.label{border:1px solid #000}.table{border-collapse:collapse !important}.table-bordered th,.table-bordered td{border:1px solid #ddd !important}}@font-face{font-family:"Glyphicons Halflings";src:url("../fonts/bootstrap/glyphicons-halflings-regular.eot");src:url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"),url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"),url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"),url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg")}.glyphicon{position:relative;top:1px;display:inline-block;font-family:"Glyphicons Halflings";font-style:normal;font-weight:normal;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"*"}.glyphicon-plus:before{content:"+"}.glyphicon-euro:before{content:"€"}.glyphicon-minus:before{content:"−"}.glyphicon-cloud:before{content:"☁"}.glyphicon-envelope:before{content:"✉"}.glyphicon-pencil:before{content:"✏"}.glyphicon-glass:before{content:""}.glyphicon-music:before{content:""}.glyphicon-search:before{content:""}.glyphicon-heart:before{content:""}.glyphicon-star:before{content:""}.glyphicon-star-empty:before{content:""}.glyphicon-user:before{content:""}.glyphicon-film:before{content:""}.glyphicon-th-large:before{content:""}.glyphicon-th:before{content:""}.glyphicon-th-list:before{content:""}.glyphicon-ok:before{content:""}.glyphicon-remove:before{content:""}.glyphicon-zoom-in:before{content:""}.glyphicon-zoom-out:before{content:""}.glyphicon-off:before{content:""}.glyphicon-signal:before{content:""}.glyphicon-cog:before{content:""}.glyphicon-trash:before{content:""}.glyphicon-home:before{content:""}.glyphicon-file:before{content:""}.glyphicon-time:before{content:""}.glyphicon-road:before{content:""}.glyphicon-download-alt:before{content:""}.glyphicon-download:before{content:""}.glyphicon-upload:before{content:""}.glyphicon-inbox:before{content:""}.glyphicon-play-circle:before{content:""}.glyphicon-repeat:before{content:""}.glyphicon-refresh:before{content:""}.glyphicon-list-alt:before{content:""}.glyphicon-lock:before{content:""}.glyphicon-flag:before{content:""}.glyphicon-headphones:before{content:""}.glyphicon-volume-off:before{content:""}.glyphicon-volume-down:before{content:""}.glyphicon-volume-up:before{content:""}.glyphicon-qrcode:before{content:""}.glyphicon-barcode:before{content:""}.glyphicon-tag:before{content:""}.glyphicon-tags:before{content:""}.glyphicon-book:before{content:""}.glyphicon-bookmark:before{content:""}.glyphicon-print:before{content:""}.glyphicon-camera:before{content:""}.glyphicon-font:before{content:""}.glyphicon-bold:before{content:""}.glyphicon-italic:before{content:""}.glyphicon-text-height:before{content:""}.glyphicon-text-width:before{content:""}.glyphicon-align-left:before{content:""}.glyphicon-align-center:before{content:""}.glyphicon-align-right:before{content:""}.glyphicon-align-justify:before{content:""}.glyphicon-list:before{content:""}.glyphicon-indent-left:before{content:""}.glyphicon-indent-right:before{content:""}.glyphicon-facetime-video:before{content:""}.glyphicon-picture:before{content:""}.glyphicon-map-marker:before{content:""}.glyphicon-adjust:before{content:""}.glyphicon-tint:before{content:""}.glyphicon-edit:before{content:""}.glyphicon-share:before{content:""}.glyphicon-check:before{content:""}.glyphicon-move:before{content:""}.glyphicon-step-backward:before{content:""}.glyphicon-fast-backward:before{content:""}.glyphicon-backward:before{content:""}.glyphicon-play:before{content:""}.glyphicon-pause:before{content:""}.glyphicon-stop:before{content:""}.glyphicon-forward:before{content:""}.glyphicon-fast-forward:before{content:""}.glyphicon-step-forward:before{content:""}.glyphicon-eject:before{content:""}.glyphicon-chevron-left:before{content:""}.glyphicon-chevron-right:before{content:""}.glyphicon-plus-sign:before{content:""}.glyphicon-minus-sign:before{content:""}.glyphicon-remove-sign:before{content:""}.glyphicon-ok-sign:before{content:""}.glyphicon-question-sign:before{content:""}.glyphicon-info-sign:before{content:""}.glyphicon-screenshot:before{content:""}.glyphicon-remove-circle:before{content:""}.glyphicon-ok-circle:before{content:""}.glyphicon-ban-circle:before{content:""}.glyphicon-arrow-left:before{content:""}.glyphicon-arrow-right:before{content:""}.glyphicon-arrow-up:before{content:""}.glyphicon-arrow-down:before{content:""}.glyphicon-share-alt:before{content:""}.glyphicon-resize-full:before{content:""}.glyphicon-resize-small:before{content:""}.glyphicon-exclamation-sign:before{content:""}.glyphicon-gift:before{content:""}.glyphicon-leaf:before{content:""}.glyphicon-fire:before{content:""}.glyphicon-eye-open:before{content:""}.glyphicon-eye-close:before{content:""}.glyphicon-warning-sign:before{content:""}.glyphicon-plane:before{content:""}.glyphicon-calendar:before{content:""}.glyphicon-random:before{content:""}.glyphicon-comment:before{content:""}.glyphicon-magnet:before{content:""}.glyphicon-chevron-up:before{content:""}.glyphicon-chevron-down:before{content:""}.glyphicon-retweet:before{content:""}.glyphicon-shopping-cart:before{content:""}.glyphicon-folder-close:before{content:""}.glyphicon-folder-open:before{content:""}.glyphicon-resize-vertical:before{content:""}.glyphicon-resize-horizontal:before{content:""}.glyphicon-hdd:before{content:""}.glyphicon-bullhorn:before{content:""}.glyphicon-bell:before{content:""}.glyphicon-certificate:before{content:""}.glyphicon-thumbs-up:before{content:""}.glyphicon-thumbs-down:before{content:""}.glyphicon-hand-right:before{content:""}.glyphicon-hand-left:before{content:""}.glyphicon-hand-up:before{content:""}.glyphicon-hand-down:before{content:""}.glyphicon-circle-arrow-right:before{content:""}.glyphicon-circle-arrow-left:before{content:""}.glyphicon-circle-arrow-up:before{content:""}.glyphicon-circle-arrow-down:before{content:""}.glyphicon-globe:before{content:""}.glyphicon-wrench:before{content:""}.glyphicon-tasks:before{content:""}.glyphicon-filter:before{content:""}.glyphicon-briefcase:before{content:""}.glyphicon-fullscreen:before{content:""}.glyphicon-dashboard:before{content:""}.glyphicon-paperclip:before{content:""}.glyphicon-heart-empty:before{content:""}.glyphicon-link:before{content:""}.glyphicon-phone:before{content:""}.glyphicon-pushpin:before{content:""}.glyphicon-usd:before{content:""}.glyphicon-gbp:before{content:""}.glyphicon-sort:before{content:""}.glyphicon-sort-by-alphabet:before{content:""}.glyphicon-sort-by-alphabet-alt:before{content:""}.glyphicon-sort-by-order:before{content:""}.glyphicon-sort-by-order-alt:before{content:""}.glyphicon-sort-by-attributes:before{content:""}.glyphicon-sort-by-attributes-alt:before{content:""}.glyphicon-unchecked:before{content:""}.glyphicon-expand:before{content:""}.glyphicon-collapse-down:before{content:""}.glyphicon-collapse-up:before{content:""}.glyphicon-log-in:before{content:""}.glyphicon-flash:before{content:""}.glyphicon-log-out:before{content:""}.glyphicon-new-window:before{content:""}.glyphicon-record:before{content:""}.glyphicon-save:before{content:""}.glyphicon-open:before{content:""}.glyphicon-saved:before{content:""}.glyphicon-import:before{content:""}.glyphicon-export:before{content:""}.glyphicon-send:before{content:""}.glyphicon-floppy-disk:before{content:""}.glyphicon-floppy-saved:before{content:""}.glyphicon-floppy-remove:before{content:""}.glyphicon-floppy-save:before{content:""}.glyphicon-floppy-open:before{content:""}.glyphicon-credit-card:before{content:""}.glyphicon-transfer:before{content:""}.glyphicon-cutlery:before{content:""}.glyphicon-header:before{content:""}.glyphicon-compressed:before{content:""}.glyphicon-earphone:before{content:""}.glyphicon-phone-alt:before{content:""}.glyphicon-tower:before{content:""}.glyphicon-stats:before{content:""}.glyphicon-sd-video:before{content:""}.glyphicon-hd-video:before{content:""}.glyphicon-subtitles:before{content:""}.glyphicon-sound-stereo:before{content:""}.glyphicon-sound-dolby:before{content:""}.glyphicon-sound-5-1:before{content:""}.glyphicon-sound-6-1:before{content:""}.glyphicon-sound-7-1:before{content:""}.glyphicon-copyright-mark:before{content:""}.glyphicon-registration-mark:before{content:""}.glyphicon-cloud-download:before{content:""}.glyphicon-cloud-upload:before{content:""}.glyphicon-tree-conifer:before{content:""}.glyphicon-tree-deciduous:before{content:""}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;line-height:1.428571429;color:#3c3c3b;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#51aded;text-decoration:none}a:hover,a:focus{color:#178adb;text-decoration:underline}a:focus{outline:none}figure{margin:0}img{vertical-align:middle}.img-responsive{display:block;width:100% \9 ;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{padding:4px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:3px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out;display:inline-block;width:100% \9 ;max-width:100%;height:auto}.img-circle{border-radius:50%}hr{margin-top:18px;margin-bottom:18px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;margin:-1px;padding:0;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:"Inter";font-weight:500;line-height:1.4;color:inherit}h1 small,h1 .small,h2 small,h2 .small,h3 small,h3 .small,h4 small,h4 .small,h5 small,h5 .small,h6 small,h6 .small,.h1 small,.h1 .small,.h2 small,.h2 .small,.h3 small,.h3 .small,.h4 small,.h4 .small,.h5 small,.h5 .small,.h6 small,.h6 .small{font-weight:normal;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:18px;margin-bottom:9px}h1 small,h1 .small,.h1 small,.h1 .small,h2 small,h2 .small,.h2 small,.h2 .small,h3 small,h3 .small,.h3 small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:9px;margin-bottom:9px}h4 small,h4 .small,.h4 small,.h4 .small,h5 small,h5 .small,.h5 small,.h5 .small,h6 small,h6 .small,.h6 small,.h6 .small{font-size:75%}h1,.h1{font-size:22px}h2,.h2{font-size:14px}h3,.h3{font-size:13px}h4,.h4{font-size:17px}h5,.h5{font-size:13px}h6,.h6{font-size:12px}p{margin:0 0 9px}.lead{margin-bottom:18px;font-size:14px;font-weight:300;line-height:1.4}@media(min-width: 768px){.lead{font-size:19.5px}}small,.small{font-size:92%}cite{font-style:normal}mark,.mark{background-color:#fcf8e3;padding:.2em}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#51aded}a.text-primary:hover{color:#2397e8}.text-success{color:#7ebc59}a.text-success:hover{color:#65a141}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#f0ad4e}a.text-warning:hover{color:#ec971f}.text-danger{color:#ee451f}a.text-danger:hover{color:#cb320f}.bg-primary{color:#fff}.bg-primary{background-color:#51aded}a.bg-primary:hover{background-color:#2397e8}.bg-success{background-color:#7ebc59}a.bg-success:hover{background-color:#65a141}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#ee451f}a.bg-danger:hover{background-color:#cb320f}.page-header{padding-bottom:8px;margin:36px 0 18px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:9px}ul ul,ul ol,ol ul,ol ol{margin-bottom:0}.list-unstyled,.list-inline{padding-left:0;list-style:none}.list-inline{margin-left:-5px}.list-inline>li{float:left;padding-left:5px;padding-right:5px}dl{margin-top:0;margin-bottom:18px}dt,dd{line-height:1.428571429}dt{font-weight:bold}dd{margin-left:0}.dl-horizontal dd:before,.dl-horizontal dd:after{content:" ";display:table}.dl-horizontal dd:after{clear:both}@media(min-width: 768px){.dl-horizontal dt{float:left;width:160px;clear:left;text-align:right;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:9px 18px;margin:0 0 18px;font-size:16.25px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.428571429;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:"— "}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0;text-align:right}.blockquote-reverse footer:before,.blockquote-reverse small:before,.blockquote-reverse .small:before,blockquote.pull-right footer:before,blockquote.pull-right small:before,blockquote.pull-right .small:before{content:""}.blockquote-reverse footer:after,.blockquote-reverse small:after,.blockquote-reverse .small:after,blockquote.pull-right footer:after,blockquote.pull-right small:after,blockquote.pull-right .small:after{content:" —"}blockquote:before,blockquote:after{content:""}address{margin-bottom:18px;font-style:normal;line-height:1.428571429}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:3px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;box-shadow:none}pre{display:block;padding:calc((18px - 100%)/2);margin:0 0 9px;font-size:12px;line-height:1.428571429;word-break:break-all;word-wrap:break-word;color:#333;background-color:#f5f5f5;border:1px solid #ccc;border-radius:3px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:rgba(0,0,0,0);border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{margin-right:auto;margin-left:auto;padding-left:20px;padding-right:20px}.container:before,.container:after{content:" ";display:table}.container:after{clear:both}@media(min-width: 768px){.container{width:760px}}@media(min-width: 992px){.container{width:980px}}@media(min-width: 1200px){.container{width:1180px}}.container-fluid{margin-right:auto;margin-left:auto;padding-left:20px;padding-right:20px}.container-fluid:before,.container-fluid:after{content:" ";display:table}.container-fluid:after{clear:both}.row{margin-left:-20px;margin-right:-20px}.row:before,.row:after{content:" ";display:table}.row:after{clear:both}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-left:20px;padding-right:20px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-1{width:8.3333333333%}.col-xs-2{width:16.6666666667%}.col-xs-3{width:25%}.col-xs-4{width:33.3333333333%}.col-xs-5{width:41.6666666667%}.col-xs-6{width:50%}.col-xs-7{width:58.3333333333%}.col-xs-8{width:66.6666666667%}.col-xs-9{width:75%}.col-xs-10{width:83.3333333333%}.col-xs-11{width:91.6666666667%}.col-xs-12{width:100%}.col-xs-pull-0{right:auto}.col-xs-pull-1{right:8.3333333333%}.col-xs-pull-2{right:16.6666666667%}.col-xs-pull-3{right:25%}.col-xs-pull-4{right:33.3333333333%}.col-xs-pull-5{right:41.6666666667%}.col-xs-pull-6{right:50%}.col-xs-pull-7{right:58.3333333333%}.col-xs-pull-8{right:66.6666666667%}.col-xs-pull-9{right:75%}.col-xs-pull-10{right:83.3333333333%}.col-xs-pull-11{right:91.6666666667%}.col-xs-pull-12{right:100%}.col-xs-push-0{left:auto}.col-xs-push-1{left:8.3333333333%}.col-xs-push-2{left:16.6666666667%}.col-xs-push-3{left:25%}.col-xs-push-4{left:33.3333333333%}.col-xs-push-5{left:41.6666666667%}.col-xs-push-6{left:50%}.col-xs-push-7{left:58.3333333333%}.col-xs-push-8{left:66.6666666667%}.col-xs-push-9{left:75%}.col-xs-push-10{left:83.3333333333%}.col-xs-push-11{left:91.6666666667%}.col-xs-push-12{left:100%}.col-xs-offset-0{margin-left:0%}.col-xs-offset-1{margin-left:8.3333333333%}.col-xs-offset-2{margin-left:16.6666666667%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-4{margin-left:33.3333333333%}.col-xs-offset-5{margin-left:41.6666666667%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-7{margin-left:58.3333333333%}.col-xs-offset-8{margin-left:66.6666666667%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-10{margin-left:83.3333333333%}.col-xs-offset-11{margin-left:91.6666666667%}.col-xs-offset-12{margin-left:100%}@media(min-width: 768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-1{width:8.3333333333%}.col-sm-2{width:16.6666666667%}.col-sm-3{width:25%}.col-sm-4{width:33.3333333333%}.col-sm-5{width:41.6666666667%}.col-sm-6{width:50%}.col-sm-7{width:58.3333333333%}.col-sm-8{width:66.6666666667%}.col-sm-9{width:75%}.col-sm-10{width:83.3333333333%}.col-sm-11{width:91.6666666667%}.col-sm-12{width:100%}.col-sm-pull-0{right:auto}.col-sm-pull-1{right:8.3333333333%}.col-sm-pull-2{right:16.6666666667%}.col-sm-pull-3{right:25%}.col-sm-pull-4{right:33.3333333333%}.col-sm-pull-5{right:41.6666666667%}.col-sm-pull-6{right:50%}.col-sm-pull-7{right:58.3333333333%}.col-sm-pull-8{right:66.6666666667%}.col-sm-pull-9{right:75%}.col-sm-pull-10{right:83.3333333333%}.col-sm-pull-11{right:91.6666666667%}.col-sm-pull-12{right:100%}.col-sm-push-0{left:auto}.col-sm-push-1{left:8.3333333333%}.col-sm-push-2{left:16.6666666667%}.col-sm-push-3{left:25%}.col-sm-push-4{left:33.3333333333%}.col-sm-push-5{left:41.6666666667%}.col-sm-push-6{left:50%}.col-sm-push-7{left:58.3333333333%}.col-sm-push-8{left:66.6666666667%}.col-sm-push-9{left:75%}.col-sm-push-10{left:83.3333333333%}.col-sm-push-11{left:91.6666666667%}.col-sm-push-12{left:100%}.col-sm-offset-0{margin-left:0%}.col-sm-offset-1{margin-left:8.3333333333%}.col-sm-offset-2{margin-left:16.6666666667%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-4{margin-left:33.3333333333%}.col-sm-offset-5{margin-left:41.6666666667%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-7{margin-left:58.3333333333%}.col-sm-offset-8{margin-left:66.6666666667%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-10{margin-left:83.3333333333%}.col-sm-offset-11{margin-left:91.6666666667%}.col-sm-offset-12{margin-left:100%}}@media(min-width: 992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-1{width:8.3333333333%}.col-md-2{width:16.6666666667%}.col-md-3{width:25%}.col-md-4{width:33.3333333333%}.col-md-5{width:41.6666666667%}.col-md-6{width:50%}.col-md-7{width:58.3333333333%}.col-md-8{width:66.6666666667%}.col-md-9{width:75%}.col-md-10{width:83.3333333333%}.col-md-11{width:91.6666666667%}.col-md-12{width:100%}.col-md-pull-0{right:auto}.col-md-pull-1{right:8.3333333333%}.col-md-pull-2{right:16.6666666667%}.col-md-pull-3{right:25%}.col-md-pull-4{right:33.3333333333%}.col-md-pull-5{right:41.6666666667%}.col-md-pull-6{right:50%}.col-md-pull-7{right:58.3333333333%}.col-md-pull-8{right:66.6666666667%}.col-md-pull-9{right:75%}.col-md-pull-10{right:83.3333333333%}.col-md-pull-11{right:91.6666666667%}.col-md-pull-12{right:100%}.col-md-push-0{left:auto}.col-md-push-1{left:8.3333333333%}.col-md-push-2{left:16.6666666667%}.col-md-push-3{left:25%}.col-md-push-4{left:33.3333333333%}.col-md-push-5{left:41.6666666667%}.col-md-push-6{left:50%}.col-md-push-7{left:58.3333333333%}.col-md-push-8{left:66.6666666667%}.col-md-push-9{left:75%}.col-md-push-10{left:83.3333333333%}.col-md-push-11{left:91.6666666667%}.col-md-push-12{left:100%}.col-md-offset-0{margin-left:0%}.col-md-offset-1{margin-left:8.3333333333%}.col-md-offset-2{margin-left:16.6666666667%}.col-md-offset-3{margin-left:25%}.col-md-offset-4{margin-left:33.3333333333%}.col-md-offset-5{margin-left:41.6666666667%}.col-md-offset-6{margin-left:50%}.col-md-offset-7{margin-left:58.3333333333%}.col-md-offset-8{margin-left:66.6666666667%}.col-md-offset-9{margin-left:75%}.col-md-offset-10{margin-left:83.3333333333%}.col-md-offset-11{margin-left:91.6666666667%}.col-md-offset-12{margin-left:100%}}@media(min-width: 1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-1{width:8.3333333333%}.col-lg-2{width:16.6666666667%}.col-lg-3{width:25%}.col-lg-4{width:33.3333333333%}.col-lg-5{width:41.6666666667%}.col-lg-6{width:50%}.col-lg-7{width:58.3333333333%}.col-lg-8{width:66.6666666667%}.col-lg-9{width:75%}.col-lg-10{width:83.3333333333%}.col-lg-11{width:91.6666666667%}.col-lg-12{width:100%}.col-lg-pull-0{right:auto}.col-lg-pull-1{right:8.3333333333%}.col-lg-pull-2{right:16.6666666667%}.col-lg-pull-3{right:25%}.col-lg-pull-4{right:33.3333333333%}.col-lg-pull-5{right:41.6666666667%}.col-lg-pull-6{right:50%}.col-lg-pull-7{right:58.3333333333%}.col-lg-pull-8{right:66.6666666667%}.col-lg-pull-9{right:75%}.col-lg-pull-10{right:83.3333333333%}.col-lg-pull-11{right:91.6666666667%}.col-lg-pull-12{right:100%}.col-lg-push-0{left:auto}.col-lg-push-1{left:8.3333333333%}.col-lg-push-2{left:16.6666666667%}.col-lg-push-3{left:25%}.col-lg-push-4{left:33.3333333333%}.col-lg-push-5{left:41.6666666667%}.col-lg-push-6{left:50%}.col-lg-push-7{left:58.3333333333%}.col-lg-push-8{left:66.6666666667%}.col-lg-push-9{left:75%}.col-lg-push-10{left:83.3333333333%}.col-lg-push-11{left:91.6666666667%}.col-lg-push-12{left:100%}.col-lg-offset-0{margin-left:0%}.col-lg-offset-1{margin-left:8.3333333333%}.col-lg-offset-2{margin-left:16.6666666667%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-4{margin-left:33.3333333333%}.col-lg-offset-5{margin-left:41.6666666667%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-7{margin-left:58.3333333333%}.col-lg-offset-8{margin-left:66.6666666667%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-10{margin-left:83.3333333333%}.col-lg-offset-11{margin-left:91.6666666667%}.col-lg-offset-12{margin-left:100%}}table{background-color:rgba(0,0,0,0);color:#444}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:18px}.table>thead>tr>th,.table>thead>tr>td,.table>tbody>tr>th,.table>tbody>tr>td,.table>tfoot>tr>th,.table>tfoot>tr>td{padding:10px 0px 10px 20px;line-height:1.428571429;vertical-align:top;border-top:1px solid #eee}.table>thead>tr>th{vertical-align:bottom;border-bottom:1px solid #eee}.table>caption+thead>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>th,.table>thead:first-child>tr:first-child>td{border-top:0;font-family:"Inter";font-weight:normal}.table>tbody+tbody{border-top:2px solid #eee}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>th,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>th,.table-condensed>tfoot>tr>td{padding:8px}.table-bordered{border:1px solid #eee}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>th,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>th,.table-bordered>tfoot>tr>td{border:1px solid #eee}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#fbfbfb}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;float:none;display:table-column}table td[class*=col-],table th[class*=col-]{position:static;float:none;display:table-cell}.table>thead>tr>td.active,.table>thead>tr>th.active,.table>thead>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr>td.active,.table>tbody>tr>th.active,.table>tbody>tr.active>td,.table>tbody>tr.active>th,.table>tfoot>tr>td.active,.table>tfoot>tr>th.active,.table>tfoot>tr.active>td,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>thead>tr>th.success,.table>thead>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr>td.success,.table>tbody>tr>th.success,.table>tbody>tr.success>td,.table>tbody>tr.success>th,.table>tfoot>tr>td.success,.table>tfoot>tr>th.success,.table>tfoot>tr.success>td,.table>tfoot>tr.success>th{background-color:#7ebc59}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#70b348}.table>thead>tr>td.info,.table>thead>tr>th.info,.table>thead>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr>td.info,.table>tbody>tr>th.info,.table>tbody>tr.info>td,.table>tbody>tr.info>th,.table>tfoot>tr>td.info,.table>tfoot>tr>th.info,.table>tfoot>tr.info>td,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>thead>tr>th.warning,.table>thead>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr>td.warning,.table>tbody>tr>th.warning,.table>tbody>tr.warning>td,.table>tbody>tr.warning>th,.table>tfoot>tr>td.warning,.table>tfoot>tr>th.warning,.table>tfoot>tr.warning>td,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>thead>tr>th.danger,.table>thead>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr>td.danger,.table>tbody>tr>th.danger,.table>tbody>tr.danger>td,.table>tbody>tr.danger>th,.table>tfoot>tr>td.danger,.table>tfoot>tr>th.danger,.table>tfoot>tr.danger>td,.table>tfoot>tr.danger>th{background-color:#ee451f}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#e23811}@media screen and (max-width: 767px){.table-responsive{width:100%;margin-bottom:13.5px;overflow-y:hidden;overflow-x:auto;-ms-overflow-style:-ms-autohiding-scrollbar;-webkit-overflow-scrolling:touch}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0;min-width:0}legend{display:block;width:100%;padding:0;margin-bottom:18px;font-size:19.5px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:normal}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9 ;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:none}output{display:block;padding-top:7px;font-size:13px;line-height:1.428571429;color:#555}select,textarea,input[type=text],input[type=password],input[type=datetime],input[type=datetime-local],input[type=date],input[type=month],input[type=time],input[type=week],input[type=number],input[type=email],input[type=url],input[type=search],input[type=tel],input[type=color]{display:block;width:100%;height:32px;padding:6px 12px;font-size:13px;line-height:1.428571429;color:#555;background-color:#fff;background-image:none;border:1px solid #e4eaec;border-radius:3px;text-overflow:ellipsis;max-width:450px;transition:none;-webkit-transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s;-o-transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s;transition:border-color ease-in-out .1s,box-shadow ease-in-out .1s}select:focus,textarea:focus,input[type=text]:focus,input[type=password]:focus,input[type=datetime]:focus,input[type=datetime-local]:focus,input[type=date]:focus,input[type=month]:focus,input[type=time]:focus,input[type=week]:focus,input[type=number]:focus,input[type=email]:focus,input[type=url]:focus,input[type=search]:focus,input[type=tel]:focus,input[type=color]:focus{border-color:#66afe9;outline:0;transition:border-color 250ms ease}select::-moz-placeholder,textarea::-moz-placeholder,input[type=text]::-moz-placeholder,input[type=password]::-moz-placeholder,input[type=datetime]::-moz-placeholder,input[type=datetime-local]::-moz-placeholder,input[type=date]::-moz-placeholder,input[type=month]::-moz-placeholder,input[type=time]::-moz-placeholder,input[type=week]::-moz-placeholder,input[type=number]::-moz-placeholder,input[type=email]::-moz-placeholder,input[type=url]::-moz-placeholder,input[type=search]::-moz-placeholder,input[type=tel]::-moz-placeholder,input[type=color]::-moz-placeholder{color:#777;opacity:1}select:-ms-input-placeholder,textarea:-ms-input-placeholder,input[type=text]:-ms-input-placeholder,input[type=password]:-ms-input-placeholder,input[type=datetime]:-ms-input-placeholder,input[type=datetime-local]:-ms-input-placeholder,input[type=date]:-ms-input-placeholder,input[type=month]:-ms-input-placeholder,input[type=time]:-ms-input-placeholder,input[type=week]:-ms-input-placeholder,input[type=number]:-ms-input-placeholder,input[type=email]:-ms-input-placeholder,input[type=url]:-ms-input-placeholder,input[type=search]:-ms-input-placeholder,input[type=tel]:-ms-input-placeholder,input[type=color]:-ms-input-placeholder{color:#777}select::-webkit-input-placeholder,textarea::-webkit-input-placeholder,input[type=text]::-webkit-input-placeholder,input[type=password]::-webkit-input-placeholder,input[type=datetime]::-webkit-input-placeholder,input[type=datetime-local]::-webkit-input-placeholder,input[type=date]::-webkit-input-placeholder,input[type=month]::-webkit-input-placeholder,input[type=time]::-webkit-input-placeholder,input[type=week]::-webkit-input-placeholder,input[type=number]::-webkit-input-placeholder,input[type=email]::-webkit-input-placeholder,input[type=url]::-webkit-input-placeholder,input[type=search]::-webkit-input-placeholder,input[type=tel]::-webkit-input-placeholder,input[type=color]::-webkit-input-placeholder{color:#777}select[disabled],select[readonly],fieldset[disabled] select,textarea[disabled],textarea[readonly],fieldset[disabled] textarea,input[type=text][disabled],input[type=text][readonly],fieldset[disabled] input[type=text],input[type=password][disabled],input[type=password][readonly],fieldset[disabled] input[type=password],input[type=datetime][disabled],input[type=datetime][readonly],fieldset[disabled] input[type=datetime],input[type=datetime-local][disabled],input[type=datetime-local][readonly],fieldset[disabled] input[type=datetime-local],input[type=date][disabled],input[type=date][readonly],fieldset[disabled] input[type=date],input[type=month][disabled],input[type=month][readonly],fieldset[disabled] input[type=month],input[type=time][disabled],input[type=time][readonly],fieldset[disabled] input[type=time],input[type=week][disabled],input[type=week][readonly],fieldset[disabled] input[type=week],input[type=number][disabled],input[type=number][readonly],fieldset[disabled] input[type=number],input[type=email][disabled],input[type=email][readonly],fieldset[disabled] input[type=email],input[type=url][disabled],input[type=url][readonly],fieldset[disabled] input[type=url],input[type=search][disabled],input[type=search][readonly],fieldset[disabled] input[type=search],input[type=tel][disabled],input[type=tel][readonly],fieldset[disabled] input[type=tel],input[type=color][disabled],input[type=color][readonly],fieldset[disabled] input[type=color]{cursor:not-allowed;background-color:#eee;opacity:1}textarea{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:32px;line-height:1.428571429 \0 }input[type=date].input-sm,.input-group-sm>input[type=date].form-control,.input-group-sm>input[type=date].input-group-addon,.input-group-sm>.input-group-btn>input[type=date].btn,.form-horizontal .form-group-sm input[type=date].form-control,input[type=time].input-sm,.input-group-sm>input[type=time].form-control,.input-group-sm>input[type=time].input-group-addon,.input-group-sm>.input-group-btn>input[type=time].btn,.form-horizontal .form-group-sm input[type=time].form-control,input[type=datetime-local].input-sm,.input-group-sm>input[type=datetime-local].form-control,.input-group-sm>input[type=datetime-local].input-group-addon,.input-group-sm>.input-group-btn>input[type=datetime-local].btn,.form-horizontal .form-group-sm input[type=datetime-local].form-control,input[type=month].input-sm,.input-group-sm>input[type=month].form-control,.input-group-sm>input[type=month].input-group-addon,.input-group-sm>.input-group-btn>input[type=month].btn,.form-horizontal .form-group-sm input[type=month].form-control{line-height:30px}input[type=date].input-lg,.input-group-lg>input[type=date].form-control,.input-group-lg>input[type=date].input-group-addon,.input-group-lg>.input-group-btn>input[type=date].btn,.form-horizontal .form-group-lg input[type=date].form-control,input[type=time].input-lg,.input-group-lg>input[type=time].form-control,.input-group-lg>input[type=time].input-group-addon,.input-group-lg>.input-group-btn>input[type=time].btn,.form-horizontal .form-group-lg input[type=time].form-control,input[type=datetime-local].input-lg,.input-group-lg>input[type=datetime-local].form-control,.input-group-lg>input[type=datetime-local].input-group-addon,.input-group-lg>.input-group-btn>input[type=datetime-local].btn,.form-horizontal .form-group-lg input[type=datetime-local].form-control,input[type=month].input-lg,.input-group-lg>input[type=month].form-control,.input-group-lg>input[type=month].input-group-addon,.input-group-lg>.input-group-btn>input[type=month].btn,.form-horizontal .form-group-lg input[type=month].form-control{line-height:45px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:18px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-left:-20px;margin-top:4px \9 }.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;vertical-align:middle;font-weight:normal;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=radio].disabled,fieldset[disabled] input[type=radio],input[type=checkbox][disabled],input[type=checkbox].disabled,fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,fieldset[disabled] .radio-inline,.checkbox-inline.disabled,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,fieldset[disabled] .radio label,.checkbox.disabled label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.input-group-lg>.form-control-static.form-control,.input-group-lg>.form-control-static.input-group-addon,.input-group-lg>.input-group-btn>.form-control-static.btn,.form-horizontal .form-group-lg .form-control-static.form-control,.form-control-static.input-sm,.input-group-sm>.form-control-static.form-control,.input-group-sm>.form-control-static.input-group-addon,.input-group-sm>.input-group-btn>.form-control-static.btn,.form-horizontal .form-group-sm .form-control-static.form-control{padding-left:0;padding-right:0}.input-sm,.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm,.input-group-sm>select.form-control,.input-group-sm>select.input-group-addon,.input-group-sm>.input-group-btn>select.btn,.form-horizontal .form-group-sm select.form-control{height:30px;line-height:30px}textarea.input-sm,.input-group-sm>textarea.form-control,.input-group-sm>textarea.input-group-addon,.input-group-sm>.input-group-btn>textarea.btn,.form-horizontal .form-group-sm textarea.form-control,select[multiple].input-sm,.input-group-sm>select[multiple].form-control,.input-group-sm>select[multiple].input-group-addon,.input-group-sm>.input-group-btn>select[multiple].btn,.form-horizontal .form-group-sm select[multiple].form-control{height:auto}.input-lg,.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn,.form-horizontal .form-group-lg .form-control{height:45px;padding:10px 16px;font-size:17px;line-height:1.33;border-radius:6px}select.input-lg,.input-group-lg>select.form-control,.input-group-lg>select.input-group-addon,.input-group-lg>.input-group-btn>select.btn,.form-horizontal .form-group-lg select.form-control{height:45px;line-height:45px}textarea.input-lg,.input-group-lg>textarea.form-control,.input-group-lg>textarea.input-group-addon,.input-group-lg>.input-group-btn>textarea.btn,.form-horizontal .form-group-lg textarea.form-control,select[multiple].input-lg,.input-group-lg>select[multiple].form-control,.input-group-lg>select[multiple].input-group-addon,.input-group-lg>.input-group-btn>select[multiple].btn,.form-horizontal .form-group-lg select[multiple].form-control{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:40px}.form-control-feedback{position:absolute;top:23px;right:0;z-index:2;display:block;width:32px;height:32px;line-height:32px;text-align:center}.input-lg+.form-control-feedback,.input-group-lg>.form-control+.form-control-feedback,.input-group-lg>.input-group-addon+.form-control-feedback,.input-group-lg>.input-group-btn>.btn+.form-control-feedback,.form-horizontal .form-group-lg .form-control+.form-control-feedback{width:45px;height:45px;line-height:45px}.input-sm+.form-control-feedback,.input-group-sm>.form-control+.form-control-feedback,.input-group-sm>.input-group-addon+.form-control-feedback,.input-group-sm>.input-group-btn>.btn+.form-control-feedback,.form-horizontal .form-group-sm .form-control+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#7ebc59}.has-success .form-control{border-color:#7ebc59;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#65a141;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #b6d9a2;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #b6d9a2}.has-success .input-group-addon{color:#7ebc59;border-color:#7ebc59;background-color:#7ebc59}.has-success .form-control-feedback{color:#7ebc59}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#f0ad4e}.has-warning .form-control{border-color:#f0ad4e;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#ec971f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f8d9ac;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f8d9ac}.has-warning .input-group-addon{color:#f0ad4e;border-color:#f0ad4e;background-color:#fcf8e3}.has-warning .form-control-feedback{color:#f0ad4e}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#ee451f}.has-error .form-control{border-color:#ee451f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#cb320f;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f5947e;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #f5947e}.has-error .input-group-addon{color:#ee451f;border-color:#ee451f;background-color:#ee451f}.has-error .form-control-feedback{color:#ee451f}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#7c7c7a}@media(min-width: 768px){.form-inline .form-group,.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control,.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group,.navbar-form .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.navbar-form .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.navbar-form .input-group .input-group-btn,.form-inline .input-group .form-control,.navbar-form .input-group .form-control{width:auto}.form-inline .input-group>.form-control,.navbar-form .input-group>.form-control{width:100%}.form-inline .control-label,.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.navbar-form .radio,.form-inline .checkbox,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.navbar-form .radio label,.form-inline .checkbox label,.navbar-form .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.navbar-form .radio input[type=radio],.form-inline .checkbox input[type=checkbox],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback,.navbar-form .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{margin-top:0;margin-bottom:0;padding-top:7px}.form-horizontal .radio,.form-horizontal .checkbox{min-height:25px}.form-horizontal .form-group{margin-left:-20px;margin-right:-20px}.form-horizontal .form-group:before,.form-horizontal .form-group:after{content:" ";display:table}.form-horizontal .form-group:after{clear:both}@media(min-width: 768px){.form-horizontal .control-label{text-align:right;margin-bottom:0;padding-top:7px}}.form-horizontal .has-feedback control-feedback{top:0;right:20px}@media(min-width: 768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media(min-width: 768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;margin-bottom:0;font-weight:normal;text-align:center;vertical-align:middle;cursor:pointer;background-image:none;border:1px solid rgba(0,0,0,0);white-space:nowrap;padding:6px 12px;font-size:13px;line-height:1.428571429;border-radius:3px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;color:#fff;background-color:#536270;border-color:#536270}.btn:hover,.btn:focus,.btn:active,.btn.active,.open>.btn.dropdown-toggle{color:#fff;background-color:#3d4853;border-color:#39434d}.btn:active,.btn.active,.open>.btn.dropdown-toggle{background-image:none}.btn.disabled,.btn.disabled:hover,.btn.disabled:focus,.btn.disabled:active,.btn.disabled.active,.btn[disabled],.btn[disabled]:hover,.btn[disabled]:focus,.btn[disabled]:active,.btn[disabled].active,fieldset[disabled] .btn,fieldset[disabled] .btn:hover,fieldset[disabled] .btn:focus,fieldset[disabled] .btn:active,fieldset[disabled] .btn.active{background-color:#536270;border-color:#536270}.btn .badge{color:#536270;background-color:#fff}.btn:focus,.btn:active:focus,.btn.active:focus{outline:none}.btn:hover,.btn:focus{color:#fff;text-decoration:none}.btn:active,.btn.active{outline:0;background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{cursor:not-allowed;pointer-events:none;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none}.btn-default{color:#fff;background-color:#536270;border-color:#536270}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.btn-default.dropdown-toggle{color:#fff;background-color:#3d4853;border-color:#39434d}.btn-default:active,.btn-default.active,.open>.btn-default.dropdown-toggle{background-image:none}.btn-default.disabled,.btn-default.disabled:hover,.btn-default.disabled:focus,.btn-default.disabled:active,.btn-default.disabled.active,.btn-default[disabled],.btn-default[disabled]:hover,.btn-default[disabled]:focus,.btn-default[disabled]:active,.btn-default[disabled].active,fieldset[disabled] .btn-default,fieldset[disabled] .btn-default:hover,fieldset[disabled] .btn-default:focus,fieldset[disabled] .btn-default:active,fieldset[disabled] .btn-default.active{background-color:#536270;border-color:#536270}.btn-default .badge{color:#536270;background-color:#fff}.btn-primary{color:#fff;background-color:#51aded;border-color:#51aded}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.btn-primary.dropdown-toggle{color:#fff;background-color:#2397e8;border-color:#1a93e7}.btn-primary:active,.btn-primary.active,.open>.btn-primary.dropdown-toggle{background-image:none}.btn-primary.disabled,.btn-primary.disabled:hover,.btn-primary.disabled:focus,.btn-primary.disabled:active,.btn-primary.disabled.active,.btn-primary[disabled],.btn-primary[disabled]:hover,.btn-primary[disabled]:focus,.btn-primary[disabled]:active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary,fieldset[disabled] .btn-primary:hover,fieldset[disabled] .btn-primary:focus,fieldset[disabled] .btn-primary:active,fieldset[disabled] .btn-primary.active{background-color:#51aded;border-color:#51aded}.btn-primary .badge{color:#51aded;background-color:#fff}.btn-success{color:#fff;background-color:#7ebc59;border-color:#70b348}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.btn-success.dropdown-toggle{color:#fff;background-color:#65a141;border-color:#558837}.btn-success:active,.btn-success.active,.open>.btn-success.dropdown-toggle{background-image:none}.btn-success.disabled,.btn-success.disabled:hover,.btn-success.disabled:focus,.btn-success.disabled:active,.btn-success.disabled.active,.btn-success[disabled],.btn-success[disabled]:hover,.btn-success[disabled]:focus,.btn-success[disabled]:active,.btn-success[disabled].active,fieldset[disabled] .btn-success,fieldset[disabled] .btn-success:hover,fieldset[disabled] .btn-success:focus,fieldset[disabled] .btn-success:active,fieldset[disabled] .btn-success.active{background-color:#7ebc59;border-color:#70b348}.btn-success .badge{color:#7ebc59;background-color:#fff}.btn-info{color:#fff;background-color:#368cbf;border-color:#307dab}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.btn-info.dropdown-toggle{color:#fff;background-color:#2b6f97;border-color:#235a7b}.btn-info:active,.btn-info.active,.open>.btn-info.dropdown-toggle{background-image:none}.btn-info.disabled,.btn-info.disabled:hover,.btn-info.disabled:focus,.btn-info.disabled:active,.btn-info.disabled.active,.btn-info[disabled],.btn-info[disabled]:hover,.btn-info[disabled]:focus,.btn-info[disabled]:active,.btn-info[disabled].active,fieldset[disabled] .btn-info,fieldset[disabled] .btn-info:hover,fieldset[disabled] .btn-info:focus,fieldset[disabled] .btn-info:active,fieldset[disabled] .btn-info.active{background-color:#368cbf;border-color:#307dab}.btn-info .badge{color:#368cbf;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.btn-warning.dropdown-toggle{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.btn-warning.dropdown-toggle{background-image:none}.btn-warning.disabled,.btn-warning.disabled:hover,.btn-warning.disabled:focus,.btn-warning.disabled:active,.btn-warning.disabled.active,.btn-warning[disabled],.btn-warning[disabled]:hover,.btn-warning[disabled]:focus,.btn-warning[disabled]:active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning,fieldset[disabled] .btn-warning:hover,fieldset[disabled] .btn-warning:focus,fieldset[disabled] .btn-warning:active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#ee451f;border-color:#e23811}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.btn-danger.dropdown-toggle{color:#fff;background-color:#cb320f;border-color:#a92a0d}.btn-danger:active,.btn-danger.active,.open>.btn-danger.dropdown-toggle{background-image:none}.btn-danger.disabled,.btn-danger.disabled:hover,.btn-danger.disabled:focus,.btn-danger.disabled:active,.btn-danger.disabled.active,.btn-danger[disabled],.btn-danger[disabled]:hover,.btn-danger[disabled]:focus,.btn-danger[disabled]:active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger,fieldset[disabled] .btn-danger:hover,fieldset[disabled] .btn-danger:focus,fieldset[disabled] .btn-danger:active,fieldset[disabled] .btn-danger.active{background-color:#ee451f;border-color:#e23811}.btn-danger .badge{color:#ee451f;background-color:#fff}.btn-link{color:#51aded;font-weight:normal;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:rgba(0,0,0,0);-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:rgba(0,0,0,0)}.btn-link:hover,.btn-link:focus{color:#178adb;text-decoration:underline;background-color:rgba(0,0,0,0)}.btn-link[disabled]:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:hover,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:17px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid rgba(0,0,0,0);border-left:4px solid rgba(0,0,0,0)}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;list-style:none;font-size:13px;text-align:left;background-color:#fff;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:3px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175);background-clip:padding-box}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:8px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:normal;line-height:1.428571429;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{text-decoration:none;color:#262626;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;outline:0;background-color:#51aded}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;background-color:rgba(0,0,0,0);background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled = false);cursor:not-allowed}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{left:auto;right:0}.dropdown-menu-left{left:0;right:auto}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.428571429;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;left:0;right:0;bottom:0;top:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{border-top:0;border-bottom:4px solid;content:""}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media(min-width: 768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{left:0;right:auto}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group>.btn:focus,.btn-group>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn:hover,.btn-group-vertical>.btn:focus,.btn-group-vertical>.btn:active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar:before,.btn-toolbar:after{content:" ";display:table}.btn-toolbar:after{clear:both}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle,.btn-group-lg.btn-group>.btn+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret,.btn-group-lg>.btn .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret,.dropup .btn-group-lg>.btn .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{content:" ";display:table}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:3px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-bottom-left-radius:3px;border-top-right-radius:0;border-top-left-radius:0}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;opacity:0;filter:alpha(opacity=0)}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-left:0;padding-right:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:13px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #e4eaec;border-radius:3px}.input-group-addon.input-sm,.form-horizontal .form-group-sm .input-group-addon.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.input-group-addon.btn{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg,.form-horizontal .form-group-lg .input-group-addon.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.input-group-addon.btn{padding:10px 16px;font-size:17px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav:before,.nav:after{content:" ";display:table}.nav:after{clear:both}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:rgba(0,0,0,0);cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#51aded}.nav .nav-divider{height:1px;margin:8px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #e5e5e5}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.428571429;border:1px solid rgba(0,0,0,0);border-radius:3px 3px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #e5e5e5}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:rgba(0,0,0,0);cursor:default}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:0}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#51aded}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified,.nav-tabs.nav-justified{width:100%}.nav-justified>li,.nav-tabs.nav-justified>li{float:none}.nav-justified>li>a,.nav-tabs.nav-justified>li>a{text-align:left;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media(min-width: 768px){.nav-justified>li,.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a,.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified,.nav-tabs.nav-justified{border-bottom:0}.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:3px}.nav-tabs-justified>.active>a,.nav-tabs.nav-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media(min-width: 768px){.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:3px 3px 0 0}.nav-tabs-justified>.active>a,.nav-tabs.nav-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:0;border:1px solid rgba(0,0,0,0)}.navbar:before,.navbar:after{content:" ";display:table}.navbar:after{clear:both}@media(min-width: 768px){.navbar{border-radius:0}}.navbar-header:before,.navbar-header:after{content:" ";display:table}.navbar-header:after{clear:both}@media(min-width: 768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:20px;padding-left:20px;border-top:1px solid rgba(0,0,0,0);box-shadow:inset 0 1px 0 rgba(255,255,255,.1);-webkit-overflow-scrolling:touch}.navbar-collapse:before,.navbar-collapse:after{content:" ";display:table}.navbar-collapse:after{clear:both}.navbar-collapse.in{overflow-y:auto}@media(min-width: 768px){.navbar-collapse{width:auto;border-top:0;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media(max-width: 480px)and (orientation: landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-header,.container-fluid>.navbar-collapse{margin-right:-20px;margin-left:-20px}@media(min-width: 768px){.container>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-header,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media(min-width: 768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}@media(min-width: 768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 20px;font-size:17px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media(min-width: 768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-20px}}.navbar-toggle{position:relative;float:left;margin-right:20px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:rgba(0,0,0,0);background-image:none;border:1px solid rgba(0,0,0,0);border-radius:3px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media(min-width: 768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -20px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:18px}@media(max-width: 767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:rgba(0,0,0,0);border:0;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:18px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media(min-width: 768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-20px}}@media(min-width: 768px){.navbar-left{float:left !important}.navbar-right{float:right !important}}.navbar-form{margin-left:-20px;margin-right:-20px;padding:10px 0px;border-top:1px solid rgba(0,0,0,0);border-bottom:1px solid rgba(0,0,0,0);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);margin-top:9px;margin-bottom:9px}@media(max-width: 767px){.navbar-form .form-group{margin-bottom:5px}}@media(min-width: 768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-20px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:9px;margin-bottom:9px}.navbar-btn.btn-sm,.btn-group-sm>.navbar-btn.btn{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs,.btn-group-xs>.navbar-btn.btn{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:16px;margin-bottom:16px}@media(min-width: 768px){.navbar-text{float:left;margin-left:20px;margin-right:20px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#3c3c3b;border-color:#2b2b2b}.navbar-default .navbar-brand{color:#f7f7f7}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#dedede;background-color:rgba(0,0,0,0)}.navbar-default .navbar-text{color:#f7f7f7}.navbar-default .navbar-nav>li>a{color:#f7f7f7}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{background-color:rgba(0,0,0,0)}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#2b2b2b}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:rgba(0,0,0,0)}.navbar-default .navbar-toggle{border-color:#fff}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#555}.navbar-default .navbar-toggle .icon-bar{background-color:#fff}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#2b2b2b}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#2b2b2b;color:#555}@media(max-width: 767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#f7f7f7}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{background-color:rgba(0,0,0,0)}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#2b2b2b}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:rgba(0,0,0,0)}}.navbar-default .navbar-link{color:#f7f7f7}.navbar-default .btn-link{color:#f7f7f7}.navbar-default .btn-link[disabled]:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:hover,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#090909}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#090909}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#090909;color:#fff}@media(max-width: 767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:rgba(0,0,0,0)}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#090909}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:rgba(0,0,0,0)}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:hover,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:18px;list-style:none;background-color:#f5f5f5;border-radius:3px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{content:"/ ";padding:0 5px;color:#ccc}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:18px 0;border-radius:3px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;line-height:1.428571429;text-decoration:none;color:#51aded;background-color:#fff;border:1px solid #ddd;margin-left:-1px}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-bottom-left-radius:3px;border-top-left-radius:3px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-bottom-right-radius:3px;border-top-right-radius:3px}.pagination>li>a:hover,.pagination>li>a:focus,.pagination>li>span:hover,.pagination>li>span:focus{color:#178adb;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>a:hover,.pagination>.active>a:focus,.pagination>.active>span,.pagination>.active>span:hover,.pagination>.active>span:focus{z-index:2;color:#fff;background-color:#51aded;border-color:#51aded;cursor:default}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;background-color:#fff;border-color:#ddd;cursor:not-allowed}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:17px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-bottom-left-radius:6px;border-top-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-bottom-right-radius:6px;border-top-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:3px;border-top-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-bottom-right-radius:3px;border-top-right-radius:3px}.pager{padding-left:0;margin:18px 0;list-style:none;text-align:center}.pager:before,.pager:after{content:" ";display:table}.pager:after{clear:both}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#777;background-color:#fff;cursor:not-allowed}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}.label:empty{display:none}.btn .label{position:relative;top:-1px}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#51aded}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#2397e8}.label-success{background-color:#7ebc59}.label-success[href]:hover,.label-success[href]:focus{background-color:#65a141}.label-info{background-color:#368cbf}.label-info[href]:hover,.label-info[href]:focus{background-color:#2b6f97}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#ee451f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#cb320f}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:baseline;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#51aded;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:20px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width: 768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-left:60px;padding-right:60px}.jumbotron h1,.jumbotron .h1{font-size:58.5px}}.thumbnail{display:block;padding:4px;margin-bottom:18px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:3px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{display:block;width:100% \9 ;max-width:100%;height:auto;margin-left:auto;margin-right:auto}.thumbnail .caption{padding:9px;color:#3c3c3b}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#51aded}.alert{padding:15px;margin-bottom:18px;border:1px solid rgba(0,0,0,0);border-radius:3px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#7ebc59;border-color:#7ebc59;color:#4e7d32}.alert-success hr{border-top-color:#70b348}.alert-success .alert-link{color:#598f3a}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#173543}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#1d4356}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#c77c11}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#df8a13}.alert-danger{background-color:#ee451f;border-color:#ee451f;color:#9b260c}.alert-danger hr{border-top-color:#e23811}.alert-danger .alert-link{color:#b32c0e}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:18px;background-color:#f5f5f5;border-radius:3px;position:relative;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:18px;color:#fff;text-align:center;background-color:#51aded;position:relative;z-index:2;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{color:#777;min-width:30px;background-color:rgba(0,0,0,0);background-image:none;box-shadow:none}.progress-bar-success{background-color:#7ebc59}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#368cbf}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#ee451f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{margin-bottom:20px;padding-left:0}.list-group-item{position:relative;display:block;padding:6px 8px;margin-bottom:-1px;background-color:#fff}.list-group-item:last-child{margin-bottom:0}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#3c3c3b;border-radius:0}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{text-decoration:none;background-color:#f5f5f5}a.list-group-item:hover:before,a.list-group-item:focus:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0;width:3px}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{background-color:#eee;color:#777}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2}.list-group-item.active:before,.list-group-item.active:hover:before,.list-group-item.active:focus:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0px;width:3px}.list-group-item.active .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#fff}.list-group-item.active+.collapse>.list-group-item:before,.list-group-item.active:hover+.collapse>.list-group-item:before,.list-group-item.active:focus+.collapse>.list-group-item:before{background:#3498db;content:"";height:42px;left:0;position:absolute;top:0px;width:3px}.list-group-item-success{color:#7ebc59;background-color:#7ebc59}a.list-group-item-success{color:#7ebc59}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#7ebc59;background-color:#70b348}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#7ebc59;border-color:#7ebc59}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#f0ad4e;background-color:#fcf8e3}a.list-group-item-warning{color:#f0ad4e}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#f0ad4e;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#f0ad4e;border-color:#f0ad4e}.list-group-item-danger{color:#ee451f;background-color:#ee451f}a.list-group-item-danger{color:#ee451f}a.list-group-item-danger .list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#ee451f;background-color:#e23811}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#ee451f;border-color:#ee451f}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:18px;background-color:#fff;border:1px solid rgba(0,0,0,0);border-radius:3px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-body:before,.panel-body:after{content:" ";display:table}.panel-body:after{clear:both}.panel-heading{padding:10px 15px;border-bottom:1px solid rgba(0,0,0,0);border-top-right-radius:2px;border-top-left-radius:2px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:15px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:2px;border-top-left-radius:2px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:2px;border-top-left-radius:2px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:2px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:2px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:2px;border-bottom-left-radius:2px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:2px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:2px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #eee}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:18px}.panel-group .panel{margin-bottom:0;border-radius:3px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#51aded}.panel-primary>.panel-heading{color:#fff;background-color:#51aded;border-color:#51aded}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#51aded}.panel-primary>.panel-heading .badge{color:#51aded;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#51aded}.panel-success{border-color:#7ebc59}.panel-success>.panel-heading{color:#7ebc59;background-color:#7ebc59;border-color:#7ebc59}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#7ebc59}.panel-success>.panel-heading .badge{color:#7ebc59;background-color:#7ebc59}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#7ebc59}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#f0ad4e;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#f0ad4e}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ee451f}.panel-danger>.panel-heading{color:#ee451f;background-color:#ee451f;border-color:#ee451f}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ee451f}.panel-danger>.panel-heading .badge{color:#ee451f;background-color:#ee451f}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ee451f}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;left:0;bottom:0;height:100%;width:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:3px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:19.5px;font-weight:bold;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.2;filter:alpha(opacity=20)}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;opacity:.5;filter:alpha(opacity=50)}button.close{padding:0;cursor:pointer;background:rgba(0,0,0,0);border:0;-webkit-appearance:none}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate3d(0, -25%, 0);transform:translate3d(0, -25%, 0);-webkit-transition:-webkit-transform .3s ease-out;-moz-transition:-moz-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:62px 10px 10px 10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5);background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5;min-height:16.428571429px}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.428571429}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer:before,.modal-footer:after{content:" ";display:table}.modal-footer:after{clear:both}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media(min-width: 768px){.modal-dialog{width:600px;margin:82px auto 30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media(min-width: 992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;visibility:visible;font-size:12px;line-height:1.4;opacity:0;filter:alpha(opacity=0)}.tooltip.in{opacity:.9;filter:alpha(opacity=90)}.tooltip.top{margin-top:-3px;padding:5px 0}.tooltip.right{margin-left:3px;padding:0 5px}.tooltip.bottom{margin-top:3px;padding:5px 0}.tooltip.left{margin-left:-3px;padding:0 5px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:3px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:rgba(0,0,0,0);border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{bottom:0;right:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;background-color:#fff;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2);white-space:normal}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{margin:0;padding:8px 14px;font-size:13px;font-weight:normal;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:rgba(0,0,0,0);border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{border-width:10px;content:""}.popover.top>.arrow{left:50%;margin-left:-11px;border-bottom-width:0;border-top-color:#999;border-top-color:rgba(0,0,0,.25);bottom:-11px}.popover.top>.arrow:after{content:" ";bottom:1px;margin-left:-10px;border-bottom-width:0;border-top-color:#fff}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-left-width:0;border-right-color:#999;border-right-color:rgba(0,0,0,.25)}.popover.right>.arrow:after{content:" ";left:1px;bottom:-10px;border-left-width:0;border-right-color:#fff}.popover.bottom>.arrow{left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25);top:-11px}.popover.bottom>.arrow:after{content:" ";top:1px;margin-left:-10px;border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{content:" ";right:1px;border-right-width:0;border-left-color:#fff;bottom:-10px}.carousel{position:relative}.carousel-inner{position:relative;overflow:hidden;width:100%}.carousel-inner>.item{display:none;position:relative;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9 ;max-width:100%;height:auto;line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;left:0;bottom:0;width:15%;opacity:.5;filter:alpha(opacity=50);font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-control.left{background-image:-webkit-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-image:-o-linear-gradient(left, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-image:linear-gradient(to right, rgba(0, 0, 0, 0.5) 0%, rgba(0, 0, 0, 0.0001) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr="#80000000", endColorstr="#00000000", GradientType=1)}.carousel-control.right{left:auto;right:0;background-image:-webkit-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-image:-o-linear-gradient(left, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-image:linear-gradient(to right, rgba(0, 0, 0, 0.0001) 0%, rgba(0, 0, 0, 0.5) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr="#00000000", endColorstr="#80000000", GradientType=1)}.carousel-control:hover,.carousel-control:focus{outline:0;color:#fff;text-decoration:none;opacity:.9;filter:alpha(opacity=90)}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:"‹"}.carousel-control .icon-next:before{content:"›"}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;margin-left:-30%;padding-left:0;list-style:none;text-align:center}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;border:1px solid #fff;border-radius:10px;cursor:pointer;background-color:#000 \9 ;background-color:rgba(0,0,0,0)}.carousel-indicators .active{margin:0;width:12px;height:12px;background-color:#fff}.carousel-caption{position:absolute;left:15%;right:15%;bottom:20px;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width: 768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-15px}.carousel-caption{left:20%;right:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.content-box:before,.clearfix:after,.content-box:after{content:" ";display:table}.clearfix:after,.content-box:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:rgba(0,0,0,0);text-shadow:none;background-color:rgba(0,0,0,0);border:0}.hidden{display:none !important;visibility:hidden !important}.affix{position:fixed;-webkit-transform:translate3d(0, 0, 0);transform:translate3d(0, 0, 0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media(max-width: 767px){.visible-xs{display:block !important}table.visible-xs{display:table}tr.visible-xs{display:table-row !important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media(max-width: 767px){.visible-xs-block{display:block !important}}@media(max-width: 767px){.visible-xs-inline{display:inline !important}}@media(max-width: 767px){.visible-xs-inline-block{display:inline-block !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm{display:block !important}table.visible-sm{display:table}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-block{display:block !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-inline{display:inline !important}}@media(min-width: 768px)and (max-width: 991px){.visible-sm-inline-block{display:inline-block !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md{display:block !important}table.visible-md{display:table}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-block{display:block !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-inline{display:inline !important}}@media(min-width: 992px)and (max-width: 1199px){.visible-md-inline-block{display:inline-block !important}}@media(min-width: 1200px){.visible-lg{display:block !important}table.visible-lg{display:table}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media(min-width: 1200px){.visible-lg-block{display:block !important}}@media(min-width: 1200px){.visible-lg-inline{display:inline !important}}@media(min-width: 1200px){.visible-lg-inline-block{display:inline-block !important}}@media(max-width: 767px){.hidden-xs,.page-side{display:none !important}}@media(min-width: 768px)and (max-width: 991px){.hidden-sm{display:none !important}}@media(max-width: 768px),(max-height: 669px){.toggle-sidebar{display:none !important}}@media(min-width: 992px)and (max-width: 1199px){.hidden-md{display:none !important}}@media(min-width: 1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}}*{-webkit-font-smoothing:antialiased}html,body{font-family:"Inter",serif;font-weight:400;height:100%;background-color:#fff}body{min-width:320px;touch-action:manipulation}.page-head{position:fixed;z-index:2;top:0;right:0;left:0;background:#3c3c3b}.page-head .navbar-default{min-height:60px;color:rgba(87,87,87,.67);border:0;background:#fff;box-shadow:0 2px 4px rgba(0,0,0,.08)}.page-head .navbar-text{color:#494949}.page-head .navbar-right{margin-top:6px}.page-head .navbar-brand{display:flex;flex-direction:column;width:250px;height:100%;text-align:center;color:#000;background:#3498db}.page-head .navbar-brand::before{font-size:16px;font-weight:500;display:inline-block;content:"OPNSense";color:#fff}.page-head .navbar-brand::after{font-size:12px;font-weight:400;display:inline-block;content:"Advanced Theme";color:#fafafa}.page-head .navbar-brand:hover,.page-head .navbar-brand:focus{background:#3498db}.page-head .navbar-brand .brand-logo,.page-head .navbar-brand .brand-icon{width:1px;height:1px}.page-head .navbar-toggle{margin-top:14px}.page-head .navbar-toggle .icon-bar{background-color:#363636}.page-head .navbar-toggle:hover,.page-head .navbar-toggle:focus{background-color:rgba(0,0,0,0)}.page-head .navbar-toggle:hover .icon-bar,.page-head .navbar-toggle:focus .icon-bar{background-color:#3498db}.page-content{position:relative;z-index:1;height:calc(100% - 60px);padding-top:60px}.page-content>.row{height:100%}@media(min-width: 768px){.page-content.col-lg-10,.page-content.col-sm-9{width:calc(100% - 250px)}.page-content.col-lg-push-2,.page-content.col-sm-push-3{left:250px}}.page-content-head,.content-box-head{padding-top:20px;padding-bottom:15px;border-bottom:1px solid rgba(217,217,217,.5);background:#fbfbfb}.page-content-head .navbar-nav,.content-box-head .navbar-nav{width:100%}.page-content-head h1,.content-box-head h1,.page-content-head h2,.content-box-head h2,.page-content-head h3,.content-box-head h3{line-height:1;margin:0}.page-content-main{min-height:calc(100% - 64px);padding:15px 0 73px;background:#f7f7f7}.page-side{position:fixed;z-index:3;top:0;left:0;overflow:auto;width:250px;height:100% !important;height:calc(100% - 60px) !important;margin-top:60px;border-right:1px solid rgba(0,0,0,.15);background:#263238}.page-side-nav--active{border-left:3px solid;background:#f7f7f7}.page-side-nav .panel{background:#263238}.page-foot{font-size:12px;position:fixed;z-index:2;bottom:0;width:100%;padding:20px 0;border-top:1px solid rgba(217,217,217,.5);background:#fbfbfb}.content-box{border:1px solid #eaeaea;border-radius:3px;background:#fff}.content-box-main{padding-top:15px;padding-bottom:15px}div.content-box.wizard div img{filter:invert(25%)}.tab-content{padding:0px 0;border-top:0px}.tab-content>.tab-content{margin-bottom:0;padding:0 15px}.tab-content .tab-content:last-child{margin-bottom:0}.page-content-main section[class^=col-]+section[class^=col-]{padding-top:20px}.brand-logo{display:none}@media(min-width: 768px){.brand-logo{display:inline-block}}.brand-icon{display:inline-block}@media(min-width: 768px){.brand-icon{display:none}}@media(min-width: 768px){.col-sm-disable-spacer{padding-top:0 !important}}@media(min-width: 992px){.col-md-disable-spacer{padding-top:0 !important}}@media(min-width: 1200px){.col-lg-disable-spacer{padding-top:0 !important}}.page-login{background:linear-gradient(#eff2f5, #f5f7f8)}.page-login .container{display:flex;align-items:center;flex-direction:column;justify-content:center;min-height:100%}.page-login .container:after{height:60px}.login-foot{font-size:12px}.login-modal-container{width:100%;max-width:400px;margin-bottom:8px;border-radius:4px;background:#fff;box-shadow:0 1px 8px rgba(0,0,0,.1)}.login-modal-head{height:50px;padding:0 20px;border-top-left-radius:4px;border-top-right-radius:4px;background:#51aded}.login-modal-head img{display:none}.login-modal-head .navbar-brand{display:flex;float:none;align-items:center;flex-direction:column;justify-content:center;text-align:center}.login-modal-head .navbar-brand::before{font-size:16px;font-weight:500;display:inline-block;content:"OPNSense";color:#fff}.login-modal-head .navbar-brand::after{font-size:11px;font-weight:400;display:inline-block;content:"AdvancedOPN Theme";color:#fafafa}.login-modal-content{padding:20px 20px 20px 20px}.login-modal-foot{height:60px;padding:20px 20px 0 20px;border-top:1px solid #eaeaea;background:#f7f7f7}.login-modal-foot a{text-decoration:none;color:#7d7d7d}.login-modal-foot a:hover{text-decoration:underline;color:#646464}@media(min-width: 768px){.list-inline .btn-group-container{float:right}}.btn.btn-fixed{width:100%;max-width:174px}.progress-bar-placeholder{font-size:12px;position:absolute;z-index:1;width:100%;text-align:center}.list-group-item{border-right:none;border-left:none}.list-group-item.collapsed .caret{border-top:0;border-bottom:4px solid green}main.page-content.col-lg-12{padding-left:90px}#navigation .panel.list-group .fa:not(.__iconspacer){width:auto;padding-right:10px}#navigation .panel.list-group a.list-group-item{font-size:14px;position:relative;padding:12px 16px;text-decoration:none;color:#a6adb3;background:#263238}#navigation .panel.list-group a.list-group-item:hover{color:#e1e4e6;background:rgba(255,255,255,.03)}#navigation .panel.list-group a.list-group-item:hover::before{background-color:#3498db}#navigation .panel.list-group a.list-group-item.active{color:#e1e4e6;background:rgba(255,255,255,.02)}#navigation .panel.list-group>.list-group-item:not(.collapsed).active-menu-title::before{width:3px;transition:opacity 200ms;background-color:#3498db}#navigation .panel.list-group>div .list-group-item{font-size:13px;position:relative;padding:5px 0 5px 35px}#navigation .panel.list-group>div .list-group-item::before{position:absolute;z-index:1;top:-11px;bottom:13px;left:12px;display:block;width:0;content:"";opacity:.8;border-left:1px dotted #3e474e !important}#navigation .panel.list-group>div .list-group-item::after{position:absolute;z-index:1;top:13px;left:12px;display:block;width:12px;content:"";border-bottom:1px dotted #3e474e !important}#navigation .panel.list-group>div .list-group-item:hover::before,#navigation .panel.list-group>div .list-group-item.active::before,#navigation .panel.list-group>div .list-group-item:focus::before{opacity:1;background-color:#3e474e}#navigation.col-sidebar-left{overflow:hidden;width:70px;border:none !important;background-color:rgba(0,0,0,0) !important}#navigation.col-sidebar-left>div.row{height:100% !important}#navigation.col-sidebar-left>div.row>nav.page-side-nav{width:70px;height:100% !important;border-right:1px solid #304047;background:#263238}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item{font-size:13px;width:70px;height:70px;padding-top:12px;padding-right:0px;padding-left:0px;text-align:center;color:#a6adb3;border-right:1px solid #304047;border-bottom:2px solid #lightergrey}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.fa,#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.glyphicon{font-size:20px;visibility:visible}#navigation.col-sidebar-left>div>nav>#mainmenu>div>a.list-group-item>span.__iconspacer{display:block;height:30px;padding:0px;text-align:center}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsing>a.list-group-item{font-size:14px !important;position:absolute !important;left:70px !important;display:block !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapsing>a.list-group-item{font-size:14px !important;position:absolute !important;left:166px !important;display:block !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in>a.list-group-item{background-color:#263238 !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item::before,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item::after,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item::before,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item::after{display:none}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsed>a.list-group-item{font-size:14px !important;padding-left:10px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>a.list-group-item,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse>div.collapse>a.list-group-item{padding:3px 8px !important}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in{font-size:14px;position:absolute;z-index:10;left:70px;width:168px;margin-top:-70px;border:1px solid #304047;-moz-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);-webkit-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);box-shadow:2px 2px 1px 0px rgba(234,234,234,.5)}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapse.in{font-size:14px;position:absolute;z-index:10;left:166px;width:168px;margin-top:-26px;border:1px solid #304047;-moz-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);-webkit-box-shadow:2px 2px 1px 0px rgba(234,234,234,.5);box-shadow:2px 2px 1px 0px rgba(234,234,234,.5)}#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapsing,#navigation.col-sidebar-left>div>nav>#mainmenu>div>div.collapse.in>div.collapsing{display:none}button.toggle-sidebar{font-size:14px;float:left;margin-top:20px;color:#575757;border:none;outline:none;background-color:rgba(0,0,0,0)}#navigation.collapse.in{display:block !important}.list-group-submenu .list-group-item:last-child,.collapse .list-group-item:last-child{border-bottom:none}ul.nav>li.dropdown>ul.dropdown-menu>li>a{padding:3px 10px}.nav-tabs{margin-right:1px;border-bottom:2px solid #eaeaea}.nav-tabs>li{margin-right:2px;border-radius:0px;border-top-right-radius:10px}.nav-tabs>li>a{margin-right:0px;cursor:pointer;color:#777;border-top-left-radius:4px;border-top-right-radius:4px;background:#fcfcfc}.nav-tabs>li>a{border:none;background:rgba(0,0,0,0)}.nav-tabs>li>a:hover,.nav-tabs>li>a:focus{border-bottom:2px solid #e0e0e0;background-color:#efefef}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#51aded;border-top:none;border-right:none;border-bottom:2px solid #51aded;border-left:none;background:rgba(0,0,0,0)}.nav-tabs>li>a.visible-lg-inline-block:not(.pull-right){padding-right:6px !important;padding-left:12px !important;border-top-right-radius:0px !important}.nav-tabs>li>a.visible-lg-inline-block.pull-right{padding-right:12px !important;padding-left:6px !important;border-left:0px !important;border-top-left-radius:0}.nav-tabs.nav-justified{border-right:1px solid #eaeaea}.nav-tabs.nav-justified>li{border-top:1px solid #eaeaea;border-bottom:1px solid #eaeaea;border-left:1px solid #eaeaea;border-radius:0px;background:#f7f7f7}.nav-tabs.nav-justified>li>a{font-family:"Inter",serif;color:#3c3c3b}@media(min-width: 768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid rgba(0,0,0,0)}}@media(max-width: 767px){.nav-tabs.nav-justified>li.active>a{border-right:0 !important}}@media(min-width: 768px){>li.active+li>a{border-left:1px solid rgba(0,0,0,0)}}>li:last-child>a{border-right:1px solid rgba(0,0,0,0) !important}@media(max-width: 767px){>li:last-child>a{margin-bottom:0}}#opn-status-list .btn{color:#565656;border:1px solid #ecedf1;background:rgba(0,0,0,0)}#opn-status-list .btn:hover{background:#f9f9f9}.bootstrap-dialog-title{font-size:15px;font-weight:500}.bootstrap-select .btn-default{color:#76838f;border:1px solid #e4eaec;background:#fff}.bootstrap-select .btn-default:focus{border-color:#66afe9;background:#fff}.bootstrap-select.open>.btn-default{color:#76838f;border-color:#66afe9;background:#fff}.bootstrap-select .dropdown-toggle:focus{outline-color:#fff !important}.btn .glyphicon{vertical-align:-1px}.btn-default .glyphicon{color:#757575}table{width:100%}.table{margin-bottom:0px !important}.nav-tabs-justified .nav-tabs.nav-justified>.active>a:focus,.nav-tabs.nav-justified .nav-tabs.nav-justified>.active>a:focus{border:0px !important}.table th,strong,b{font-family:"Inter",serif;font-weight:500}.table>tbody>tr>td:last-child{padding-right:15px}.__nowrap{white-space:nowrap}.__nomb{margin-bottom:0}.__mb{margin-bottom:15px}.__mt{margin-top:15px}.__ml{margin-left:15px}.__mr{margin-right:15px}.__iconspacer{padding-right:10px}#mainmenu .glyphicon{vertical-align:-2px}.list-group-item{overflow:hidden;text-overflow:ellipsis}.list-group-item+div.collapse{margin-bottom:-1px}.list-group-item+div>a{padding-left:44px}.list-group-item:before{position:absolute;top:0px;left:0;width:0;height:42px;min-height:100%;content:"";transition:opacity 0ms;opacity:0}.list-group-submenu a{padding-left:56px}.active-menu-title,.active-menu a{position:relative;text-decoration:none;background-color:#242f35}.active-menu-title:before,.active-menu a:before{width:3px}.active-menu-title.active,.active-menu a.active{background-color:#242f35}.active-menu a:before{background:#242f35}.alert.alert-danger{color:#fff !important}.nav-tabs-justified>li>a,.nav-tabs.nav-justified>li>a{border-radius:0 !important}.navbar-brand{padding:10px 20px}.label-opnsense{font-size:12px;line-height:1.5;display:inline-block;vertical-align:middle;border:1px solid rgba(0,0,0,0);border-radius:3px}.label-opnsense-sm{padding:5px 10px}.label-opnsense-xs,.btn-xs,.btn-group-xs>.btn{padding:1px 3px}::-webkit-scrollbar{width:8px}::-webkit-scrollbar-button{width:8px;height:5px}::-webkit-scrollbar-track{border-radius:0;background:#dcdcdc;box-shadow:0px 0px 0px}::-webkit-scrollbar-thumb{border:thin solid #e5e5e5;border-radius:0px;background:#afafaf}::-webkit-scrollbar-thumb:hover{background:#e5e5e5}.widgetdiv{padding-top:0px !important;padding-bottom:20px}select{overflow:hidden;cursor:pointer;border:1px solid #ccc;background-image:url("/ui/themes/advanced/build/images/caret.png") !important;background-repeat:no-repeat;background-position:right;-webkit-appearance:none;-moz-appearance:none;appearance:none}@media screen and (max-width: 767px){.table-responsive{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>tfoot>tr>td{white-space:normal}}label>input[type=checkbox],label>input[type=radio]{float:left;margin-right:.4em}input[type=checkbox],input[type=radio]{font:inherit;display:inline-flex;align-items:center;justify-content:center;width:20px;height:20px;margin:0;cursor:pointer;transition:border-color 150ms ease,background-color 150ms ease;transform:translateY(1px);color:#3f3f3f;border:1px solid #e4eaec;border-radius:.15em;background-color:#fff;-webkit-appearance:none;appearance:none}input[type=checkbox]::before,input[type=radio]::before{visibility:hidden;width:10px;height:10px;content:"";transition:transform 120ms ease-out 60ms,opacity 120ms ease-out,visibility 120ms ease-out;transform:scale(0.65);opacity:0;background-color:#fafafa;box-shadow:inset 1em 1em var(--form-control-color);clip-path:polygon(14% 44%, 0 65%, 50% 100%, 100% 16%, 80% 0%, 43% 62%)}input[type=checkbox]:checked,input[type=radio]:checked{border-color:#3498db;background-color:#3498db}input[type=checkbox]:checked::before,input[type=radio]:checked::before{visibility:visible;transform:scale(1);opacity:1;background-color:#fff}input[type=checkbox]:hover,input[type=radio]:hover{border-color:#3498db}input[type=checkbox]:disabled,input[type=radio]:disabled{cursor:not-allowed;color:var(--form-control-disabled);--form-control-color: var(--form-control-disabled)}input[type=radio]{border-radius:50%}div[data-for*=help_for]{font-size:.85em;font-style:italic;padding-top:.5em}#log-settings label[for^=act]{margin-right:1.5em}#log-settings table>tbody>tr>td{vertical-align:middle}#log-settings select#filterlogentries,#log-settings select#filterlogentriesupdateinterval{width:5em}#log-settings select#filterlogentriesinterfaces{min-width:100%;max-width:100%}[data-state=lightcoral]{background-color:#f08080}[data-state=white]{background-color:#fff}[data-state=red]{background-color:red}.tokens-container{margin-top:0px;margin-bottom:0px}.actionBar .btn.btn-default{color:#767676;border-color:#d8d8d8;background:#fafafa}.bootgrid-table td.select-cell{overflow:visible;width:30px !important}.act_toggle{font-size:15px}.fa.command-toggle{font-size:16px;padding-top:5px;vertical-align:middle}.form-control:hover{border-color:#d1e5f2}.table input[type=checkbox]{margin-top:-4px;margin-bottom:-4px}.table .btn-xs,.table .btn-group-xs>.btn{margin-top:-4px;margin-bottom:-4px}.widget-sort-handle{touch-action:none}.bootgrid-table{table-layout:auto !important}table#tunable.bootgrid-table td{white-space:normal !important}@media(min-width: 1200px){table#grid-leases tr td:nth-child(3){width:15% !important}}#grid-log th[data-column-id=__timestamp__],#filter-log-entries th[data-column-id=__timestamp__]{min-width:3.5em}/*# sourceMappingURL=main.css.map */

From 69f283109c494cf404bf76c98f365b6284ccf8c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Fri, 28 Mar 2025 09:21:53 +0100
Subject: [PATCH 2402/3088] Cicada/Vicuna Theme color modification (#4626)

1. a view color modifications
2. h1 set to 21px instead of 22px
---
 misc/theme-cicada/Makefile                    |  1 +
 .../cicada/assets/stylesheets/main.scss       | 26 +++++++++----------
 .../www/themes/cicada/build/css/main.css      | 14 +++++-----
 misc/theme-vicuna/Makefile                    |  1 +
 .../vicuna/assets/stylesheets/main.scss       | 12 ++++-----
 .../www/themes/vicuna/build/css/main.css      |  6 ++---
 6 files changed, 31 insertions(+), 29 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 88df0e4643..31e06d83b9 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.39
+PLUGIN_REVISION=		1
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index ea34555bd2..4234977963 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -1453,7 +1453,7 @@ h6 {
 }
 
 h1, .h1 {
-  font-size: 22px;
+  font-size: 21px;
   text-transform: uppercase;
 }
 
@@ -6890,7 +6890,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
           line-height: 1.428571429;
           text-decoration: none;
           color: #bac3ca;
-          background-color: #505050;
+          background-color: #282828;
           border: 1px solid #191919;
           margin-left: -1px;
           cursor: pointer;
@@ -6967,28 +6967,28 @@ fieldset[disabled] .navbar-inverse .btn-link {
 
     .disabled > {
       span {
-        color: #000;
-        background-color: #757575;
+        color: #4f4f4f;
+        background-color: #282828;
         border-color: #191919;
         cursor: not-allowed;
 
         &:hover, &:focus {
-          color: #000;
-          background-color: #757575;
+          color: #4f4f4f;
+          background-color: #282828;
           border-color: #191919;
           cursor: not-allowed;
         }
       }
 
       a {
-        color: #000;
-        background-color: #757575;
+        color: #4f4f4f;
+        background-color: #282828;
         border-color: #191919;
         cursor: not-allowed;
 
         &:hover, &:focus {
-          color: #000;
-          background-color: #757575;
+          color: #4f4f4f;
+          background-color: #282828;
           border-color: #191919;
           cursor: not-allowed;
         }
@@ -7892,7 +7892,7 @@ a.list-group-item-danger {
   border-bottom: 1px solid #191919;
   border-top-right-radius: 2px;
   border-top-left-radius: 2px;
-  background-color: #2D2D2D !important;
+  background-color: #202020 !important;
 
   > .dropdown .dropdown-toggle {
     color: inherit;
@@ -7912,7 +7912,7 @@ a.list-group-item-danger {
 
 .panel-footer {
   padding: 10px 15px;
-  background-color: #2d2d2d;
+  background-color: #202020;
   border-top: 1px solid #191919;
   border-bottom-right-radius: 2px;
   border-bottom-left-radius: 2px;
@@ -9150,7 +9150,7 @@ button.close {
 
 .show {
   display: block !important;
-  color: #FFF;
+  color: #3c8014;
 }
 
 .invisible {
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index d4e2bcbbc9..d097eb55ea 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -1050,7 +1050,7 @@ h6, .h6 {
     font-size: 75%; }
 
 h1, .h1 {
-  font-size: 22px;
+  font-size: 21px;
   text-transform: uppercase; }
 
 h2, .h2 {
@@ -4085,7 +4085,7 @@ tbody.collapse.in {
       line-height: 1.428571429;
       text-decoration: none;
       color: #bac3ca;
-      background-color: #505050;
+      background-color: #282828;
       border: 1px solid #191919;
       margin-left: -1px;
 	  cursor: pointer; }
@@ -4122,8 +4122,8 @@ tbody.collapse.in {
   .pagination > .disabled > a,
   .pagination > .disabled > a:hover,
   .pagination > .disabled > a:focus {
-    color: #000;
-    background-color: #757575;
+    color: #4f4f4f;
+    background-color: #282828;
     border-color: #191919;
     cursor: not-allowed; }
 
@@ -4701,7 +4701,7 @@ a.list-group-item-danger {
   border-bottom: 1px solid #191919;
   border-top-right-radius: 2px;
   border-top-left-radius: 2px;
-  background-color: #2D2D2D !important; }
+  background-color: #202020 !important; }
 
   .panel-heading > .dropdown .dropdown-toggle {
     color: inherit; }
@@ -4716,7 +4716,7 @@ a.list-group-item-danger {
 
 .panel-footer {
   padding: 10px 15px;
-  background-color: #2d2d2d;
+  background-color: #202020;
   border-top: 1px solid #191919;
   border-bottom-right-radius: 2px;
   border-bottom-left-radius: 2px; }
@@ -5508,7 +5508,7 @@ button.close {
 
 .show {
   display: block !important;
-  color: #FFF; }
+  color: #3c8014; }
 
 .invisible {
   visibility: hidden; }
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index c22184756a..623976c695 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-vicuna
 PLUGIN_VERSION=		1.49
+PLUGIN_REVISION=		1
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index c53e7fcab9..4b0341812f 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -1452,7 +1452,7 @@ h6 {
 }
 
 h1, .h1 {
-  font-size: 22px;
+  font-size: 21px;
   text-transform: uppercase;
 }
 
@@ -6996,7 +6996,7 @@ fieldset[disabled] .navbar-inverse .btn-link {
           line-height: 1.428571429;
           text-decoration: none;
           color: #bac3ca;
-          background-color: #273946;
+          background-color: #1d2c37;
           border: 1px solid #191919;
           margin-left: -1px;
           cursor: pointer;
@@ -7068,24 +7068,24 @@ fieldset[disabled] .navbar-inverse .btn-link {
     .disabled > {
       span {
         color: #bac3ca;
-        background-color: #273946;
+        background-color: #1d2c37;
         cursor: not-allowed;
 
         &:hover, &:focus {
           color: #bac3ca;
-          background-color: #273946;
+          background-color: #1d2c37;
           cursor: not-allowed;
         }
       }
 
       a {
         color: #bac3ca;
-        background-color: #273946;
+        background-color: #1d2c37;
         cursor: not-allowed;
 
         &:hover, &:focus {
           color: #bac3ca;
-          background-color: #273946;
+          background-color: #1d2c37;
           cursor: not-allowed;
         }
       }
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 3007cd0b11..6cf410f8cf 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -1050,7 +1050,7 @@ h6, .h6 {
     font-size: 75%; }
 
 h1, .h1 {
-  font-size: 22px;
+  font-size: 21px;
   text-transform: uppercase; }
 
 h2, .h2 {
@@ -4058,7 +4058,7 @@ tbody.collapse.in {
       line-height: 1.428571429;
       text-decoration: none;
       color: #bac3ca;
-      background-color: #273946;
+      background-color: #1d2c37;
       border: 1px solid #191919;
       margin-left: -1px;
       cursor: pointer; }
@@ -4093,7 +4093,7 @@ tbody.collapse.in {
   .pagination > .disabled > a:hover,
   .pagination > .disabled > a:focus {
     color: #bac3ca;
-    background-color: #273946;
+    background-color: #1d2c37;
     cursor: not-allowed; }
 
 

From cc57c78ba6f66d97b6a560e1721a065700831dc8 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 29 Mar 2025 07:52:25 +0100
Subject: [PATCH 2403/3088] www/caddy: Add basic_auth support to handlers
 (#4620)

* www/caddy: Add basic_auth support to handlers

* www/caddy: Move scope of basic_auth into handler

* www/caddy: Changelog and small comments cleanup.

* www/caddy: Remove matcher from basic_auth since thats not used
---
 www/caddy/Makefile                                 |  2 +-
 www/caddy/pkg-descr                                |  4 ++++
 .../OPNsense/Caddy/forms/dialogHandle.xml          | 12 +++++++++++-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml        | 11 +++++++++++
 .../service/templates/OPNsense/Caddy/Caddyfile     | 14 +++++++-------
 5 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index b8195f4da6..c7bbdcac69 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.8.4
+PLUGIN_VERSION=		1.8.5
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 745a694cf0..d489a5da2c 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -13,6 +13,10 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+1.8.5
+
+* Add: basic_auth per handler (opnsense/plugins/issues/4619)
+
 1.8.4
 
 * Add: Client Auth (mTLS) to domains (opnsense/plugins/issues/4089)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 83cf1a5dfc..52fd8618ed 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -73,6 +73,16 @@
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>handle.basicauth</id>
+        <label>Basic Auth</label>
+        <type>select_multiple</type>
+        <size>5</size>
+        <help><![CDATA[Select Users to restrict access to this path. If unset, any user is allowed access.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
     <field>
         <id>handle.ForwardAuth</id>
         <label>Forward Auth</label>
@@ -103,7 +113,7 @@
         <id>handle.HttpVersion</id>
         <label>HTTP Version</label>
         <type>dropdown</type>
-        <style>style_reverse_proxy</style>
+        <style>selectpicker style_reverse_proxy</style>
         <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires HTTPS, and only establishes connections to webservers that also support HTTP/3.]]></help>
         <advanced>true</advanced>
         <grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 0deb5239cc..e07d56a0ce 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -383,6 +383,17 @@
                         </reverseproxy>
                     </Model>
                 </accesslist>
+                <basicauth type="ModelRelationField">
+                    <Model>
+                        <reverseproxy>
+                            <source>OPNsense.Caddy.Caddy</source>
+                            <items>reverseproxy.basicauth</items>
+                            <display>basicauthuser,description</display>
+                            <display_format>%s %s</display_format>
+                        </reverseproxy>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                </basicauth>
                 <header type="ModelRelationField">
                     <Model>
                         <reverseproxy>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index d5bdb2b663..fa96c74d4f 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -410,6 +410,7 @@ http://{{ domain }} {
 {% macro reverse_proxy_configuration(handle) %}
     {{ handle.HandleType }} {{ handle.HandlePath|default("") }} {
         {{ handle_accesslist(handle.accesslist) }}
+        {{ render_basic_auth(handle.basicauth) }}
         {# All IPs not matched by accesslist will continue processing #}
         {% if handle.ForwardAuth|default("0") == "1" %}
             {% include "OPNsense/Caddy/includeAuthProvider" %}
@@ -558,14 +559,11 @@ http://{{ domain }} {
 
 {#
 #   Macro: render_handles
-#   Purpose: Renders the handles in the correct order (path-specific first, then catch-all),
-#            including basic authentication configuration.
+#   Purpose: Renders the handles in the correct order (path-specific first, then catch-all).
 #   Parameters:
 #   @param handles (list): A list of handle objects to be rendered.
-#   @param basicauth_uuids (string): A comma-separated list of UUIDs for basic authentication.
 #}
-{% macro render_handles(handles, basicauth_uuids=None) %}
-    {{ render_basic_auth(basicauth_uuids) }}
+{% macro render_handles(handles) %}
     {% for handle in handles %}
         {% if handle.enabled|default("0") == "1" and handle.HandlePath %}
             {{ reverse_proxy_configuration(handle) }}
@@ -634,7 +632,8 @@ http://{{ domain }} {
                         {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
                         {{ handle_accesslist(subdomain.accesslist, subdomain.FromDomain) }}
                         {# All IPs not matched by accesslist will continue processing #}
-                        {{ render_handles(subdomain_handles, subdomain.basicauth) }}
+                        {{ render_basic_auth(subdomain.basicauth) }}
+                        {{ render_handles(subdomain_handles) }}
                     }
                 {% endif %}
             {% endfor %}
@@ -642,7 +641,8 @@ http://{{ domain }} {
             {% set domain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
             {{ handle_accesslist(reverse.accesslist, reverse.FromDomain) }}
             {# All IPs not matched by accesslist will continue processing #}
-            {{ render_handles(domain_handles, reverse.basicauth) }}
+            {{ render_basic_auth(reverse.basicauth) }}
+            {{ render_handles(domain_handles) }}
         }
     {% endif %}
 {% endfor %}

From a6b126270144cd257005a1f5f92e375742edf472 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 1 Apr 2025 08:34:16 +0200
Subject: [PATCH 2404/3088] net/frr: Fix wrong route redistribution option for
 ospf (bgp missing) (#4635)

---
 net/frr/Makefile                                              | 1 +
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml  | 2 +-
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 2b6b1acfff..200a3cda59 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.44
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 1fa0885e67..f303a35bea 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -297,7 +297,7 @@
                                 <Required>Y</Required>
                                 <Default>connected</Default>
                                 <OptionValues>
-                                        <ospf>Open Shortest Path First (OSPF)</ospf>
+                                        <bgp>Border Gateway Protocol (BGP)</bgp>
                                         <connected>Connected routes (directly attached subnet or host)</connected>
                                         <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
                                         <rip>Routing Information Protocol (RIP)</rip>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index 3e2675ece2..4f06e179ae 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -216,7 +216,7 @@
                                 <Required>Y</Required>
                                 <Default>connected</Default>
                                 <OptionValues>
-                                        <ospf>Open Shortest Path First (OSPF)</ospf>
+                                        <bgp>Border Gateway Protocol (BGP)</bgp>
                                         <connected>Connected routes (directly attached subnet or host)</connected>
                                         <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
                                         <rip>Routing Information Protocol (RIP)</rip>

From 9e420dde8053197c72dc8b98b647d9b940c4449b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 1 Apr 2025 16:44:57 +0200
Subject: [PATCH 2405/3088] www/caddy: Fix ACL privileges. There is just a
 single ACL now that matches the whole plugin. (#4631)

---
 www/caddy/pkg-descr                           |  1 +
 .../mvc/app/models/OPNsense/Caddy/ACL/ACL.xml | 36 ++++---------------
 2 files changed, 7 insertions(+), 30 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index d489a5da2c..46c80403a1 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -16,6 +16,7 @@ Plugin Changelog
 1.8.5
 
 * Add: basic_auth per handler (opnsense/plugins/issues/4619)
+* Change: the ACL has been changed to "page-caddy" in "System: Access: Privileges". Privilege must be reassigned if used. (opnsense/plugins/issues/4623)
 
 1.8.4
 
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
index 0aaba284cd..dac86d7e1a 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
@@ -1,34 +1,10 @@
 <acl>
-    <page-caddy-general>
-        <name>Services: Caddy Web Server: General Settings</name>
-        <description>Allow access to Caddy General Settings</description>
+    <page-caddy>
+        <name>Services: Caddy</name>
+        <description>Allow access to Caddy</description>
         <patterns>
-            <pattern>ui/caddy/general/*</pattern>
-            <pattern>api/caddy/general/*</pattern>
+            <pattern>ui/caddy/*</pattern>
+            <pattern>api/caddy/*</pattern>
         </patterns>
-    </page-caddy-general>
-    <page-caddy-reverse-proxy>
-        <name>Services: Caddy Web Server: Reverse Proxy</name>
-        <description>Allow access to Caddy Reverse Proxy</description>
-        <patterns>
-            <pattern>ui/caddy/reverse_proxy/*</pattern>
-            <pattern>api/caddy/reverse_proxy/*</pattern>
-        </patterns>
-    </page-caddy-reverse-proxy>
-    <page-caddy-layer4-routes>
-        <name>Services: Caddy Web Server: Layer4 Proxy</name>
-        <description>Allow access to Caddy Layer4 Proxy</description>
-        <patterns>
-            <pattern>ui/caddy/layer4/*</pattern>
-            <pattern>api/caddy/reverse_proxy/*</pattern>
-        </patterns>
-    </page-caddy-layer4-routes>
-    <page-caddy-diagnostics>
-        <name>Services: Caddy Web Server: Diagnostics</name>
-        <description>Allow access to Caddy Diagnostics</description>
-        <patterns>
-            <pattern>ui/caddy/diagnostics/*</pattern>
-            <pattern>api/caddy/diagnostics/*</pattern>
-        </patterns>
-    </page-caddy-diagnostics>
+    </page-caddy>
 </acl>

From 82a0b947d9d664252c27b497c6286ffdc81a88ac Mon Sep 17 00:00:00 2001
From: Maxime Thiebaut <46688461+0xThiebaut@users.noreply.github.com>
Date: Wed, 2 Apr 2025 16:38:06 +0200
Subject: [PATCH 2406/3088] sysutils/beats: Refactor namespace (#4633)

* sysutils/beats: Refactor namespace

* Update sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/ACL/ACL.xml

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 .../{Filebeat => Beats}/Api/ServiceController.php      | 10 +++++-----
 .../{Filebeat => Beats}/Api/SettingsController.php     |  6 +++---
 .../OPNsense/{Filebeat => Beats}/IndexController.php   |  4 ++--
 .../OPNsense/{Filebeat => Beats}/forms/filebeat.xml    |  0
 .../opnsense/mvc/app/models/OPNsense/Beats/ACL/ACL.xml |  9 +++++++++
 .../app/models/OPNsense/{Beats8 => Beats}/Filebeat.php |  2 +-
 .../app/models/OPNsense/{Beats8 => Beats}/Filebeat.xml |  0
 .../mvc/app/models/OPNsense/Beats/Menu/Menu.xml        |  7 +++++++
 .../mvc/app/models/OPNsense/Beats8/ACL/ACL.xml         |  9 ---------
 .../mvc/app/models/OPNsense/Beats8/Menu/Menu.xml       |  7 -------
 .../app/views/OPNsense/{Beats8 => Beats}/filebeat.volt | 10 +++++-----
 .../{actions_filebeat.conf => actions_beats.conf}      |  0
 .../templates/OPNsense/{Filebeat => Beats}/+TARGETS    |  0
 .../templates/OPNsense/{Filebeat => Beats}/filebeat    |  0
 .../OPNsense/{Filebeat => Beats}/filebeat.yml          |  0
 15 files changed, 32 insertions(+), 32 deletions(-)
 rename sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/{Filebeat => Beats}/Api/ServiceController.php (85%)
 rename sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/{Filebeat => Beats}/Api/SettingsController.php (92%)
 rename sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/{Filebeat => Beats}/IndexController.php (95%)
 rename sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/{Filebeat => Beats}/forms/filebeat.xml (100%)
 create mode 100644 sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/ACL/ACL.xml
 rename sysutils/beats/src/opnsense/mvc/app/models/OPNsense/{Beats8 => Beats}/Filebeat.php (98%)
 rename sysutils/beats/src/opnsense/mvc/app/models/OPNsense/{Beats8 => Beats}/Filebeat.xml (100%)
 create mode 100644 sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Menu/Menu.xml
 delete mode 100644 sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
 delete mode 100644 sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
 rename sysutils/beats/src/opnsense/mvc/app/views/OPNsense/{Beats8 => Beats}/filebeat.volt (82%)
 rename sysutils/beats/src/opnsense/service/conf/actions.d/{actions_filebeat.conf => actions_beats.conf} (100%)
 rename sysutils/beats/src/opnsense/service/templates/OPNsense/{Filebeat => Beats}/+TARGETS (100%)
 rename sysutils/beats/src/opnsense/service/templates/OPNsense/{Filebeat => Beats}/filebeat (100%)
 rename sysutils/beats/src/opnsense/service/templates/OPNsense/{Filebeat => Beats}/filebeat.yml (100%)

diff --git a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/ServiceController.php
similarity index 85%
rename from sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
rename to sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/ServiceController.php
index 4911fb7ed4..25187e3f55 100755
--- a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/ServiceController.php
+++ b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/ServiceController.php
@@ -26,20 +26,20 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\Filebeat\Api;
+namespace OPNsense\Beats\Api;
 
 use OPNsense\Base\ApiMutableServiceControllerBase;
 
 /**
  * Class ServiceController
- * @package OPNsense\Filebeat
+ * @package OPNsense\Beats
  */
 class ServiceController extends ApiMutableServiceControllerBase
 {
-    protected static $internalServiceClass = '\OPNsense\Beats8\Filebeat';
-    protected static $internalServiceTemplate = 'OPNsense/Filebeat';
+    protected static $internalServiceClass = '\OPNsense\Beats\Filebeat';
+    protected static $internalServiceTemplate = 'OPNsense/Beats';
     protected static $internalServiceEnabled = 'enabled';
-    protected static $internalServiceName = 'filebeat';
+    protected static $internalServiceName = 'beats';
     protected function reconfigureForceRestart()
     {
         return 0;
diff --git a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/SettingsController.php
similarity index 92%
rename from sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
rename to sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/SettingsController.php
index e6851410f4..e4f40c4078 100755
--- a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/Api/SettingsController.php
+++ b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/SettingsController.php
@@ -26,16 +26,16 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\Filebeat\Api;
+namespace OPNsense\Beats\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
 
 /**
  * Class SettingsController Handles settings related API actions for the HelloWorld module
- * @package OPNsense\Filebeat
+ * @package OPNsense\Beats
  */
 class SettingsController extends ApiMutableModelControllerBase
 {
-    protected static $internalModelClass = 'OPNsense\Beats8\Filebeat';
+    protected static $internalModelClass = 'OPNsense\Beats\Filebeat';
     protected static $internalModelName = 'filebeat';
 }
diff --git a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/IndexController.php
similarity index 95%
rename from sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
rename to sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/IndexController.php
index 3125f43f62..e80879d0e0 100755
--- a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/IndexController.php
+++ b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/IndexController.php
@@ -26,7 +26,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\Filebeat;
+namespace OPNsense\Beats;
 
 /**
  * Class IndexController
@@ -37,7 +37,7 @@ class IndexController extends \OPNsense\Base\IndexController
     public function indexAction()
     {
         // pick the template to serve to our users.
-        $this->view->pick('OPNsense/Beats8/filebeat');
+        $this->view->pick('OPNsense/Beats/filebeat');
         // fetch form data "general" in
         $this->view->generalForm = $this->getForm("filebeat");
     }
diff --git a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/forms/filebeat.xml
similarity index 100%
rename from sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Filebeat/forms/filebeat.xml
rename to sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/forms/filebeat.xml
diff --git a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/ACL/ACL.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/ACL/ACL.xml
new file mode 100644
index 0000000000..84efad19ec
--- /dev/null
+++ b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-beats>
+        <name>Services: Beats</name>
+        <patterns>
+            <pattern>ui/beats</pattern>
+            <pattern>api/beats/*</pattern>
+        </patterns>
+    </page-services-beats>
+</acl>
diff --git a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Filebeat.php
similarity index 98%
rename from sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
rename to sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Filebeat.php
index 137fec7094..948db321c5 100644
--- a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.php
+++ b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Filebeat.php
@@ -26,7 +26,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\Beats8;
+namespace OPNsense\Beats;
 
 use OPNsense\Base\BaseModel;
 use OPNsense\Base\Messages\Message;
diff --git a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Filebeat.xml
similarity index 100%
rename from sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Filebeat.xml
rename to sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Filebeat.xml
diff --git a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Menu/Menu.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Menu/Menu.xml
new file mode 100644
index 0000000000..bf659a0bfa
--- /dev/null
+++ b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats/Menu/Menu.xml
@@ -0,0 +1,7 @@
+<menu>
+    <Services>
+        <Beats cssClass="fa fa-heartbeat fa-fw">
+            <Filebeat url="/ui/beats"/>
+        </Beats>
+    </Services>
+</menu>
diff --git a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
deleted file mode 100644
index b0a9bd1d7d..0000000000
--- a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/ACL/ACL.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<acl>
-    <page-services-beats8>
-        <name>Services: Beats8</name>
-        <patterns>
-            <pattern>ui/filebeat/*</pattern>
-            <pattern>api/filebeat/*</pattern>
-        </patterns>
-    </page-services-beats8>
-</acl>
diff --git a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml b/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
deleted file mode 100644
index 40674d06ac..0000000000
--- a/sysutils/beats/src/opnsense/mvc/app/models/OPNsense/Beats8/Menu/Menu.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<menu>
-    <Services>
-        <Beats8 cssClass="fa fa-heartbeat fa-fw">
-            <Filebeat url="/ui/filebeat"/>
-        </Beats8>
-    </Services>
-</menu>
diff --git a/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt b/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats/filebeat.volt
similarity index 82%
rename from sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
rename to sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats/filebeat.volt
index 3118ff63c5..b04e78091c 100644
--- a/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats8/filebeat.volt
+++ b/sysutils/beats/src/opnsense/mvc/app/views/OPNsense/Beats/filebeat.volt
@@ -26,19 +26,19 @@
 
 <script>
     $( document ).ready(function() {
-        mapDataToFormUI({'frm_GeneralSettings':"/api/filebeat/settings/get"}).done(function(data){
-            updateServiceControlUI('filebeat');
+        mapDataToFormUI({'frm_GeneralSettings':"/api/beats/settings/get"}).done(function(data){
+            updateServiceControlUI('beats');
             $('.selectpicker').selectpicker('refresh');
         });
 
         $("#reconfigureAct").SimpleActionButton({
             onPreAction: function() {
                 const dfObj = new $.Deferred();
-                saveFormToEndpoint("/api/filebeat/settings/set", 'frm_GeneralSettings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                saveFormToEndpoint("/api/beats/settings/set", 'frm_GeneralSettings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
                 return dfObj;
             },
             onAction: function(data, status) {
-                updateServiceControlUI('filebeat');
+                updateServiceControlUI('beats');
             }
         });
     });
@@ -48,4 +48,4 @@
     {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings'])}}
 </div>
 
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/filebeat/service/reconfigure'}) }}
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/beats/service/reconfigure'}) }}
diff --git a/sysutils/beats/src/opnsense/service/conf/actions.d/actions_filebeat.conf b/sysutils/beats/src/opnsense/service/conf/actions.d/actions_beats.conf
similarity index 100%
rename from sysutils/beats/src/opnsense/service/conf/actions.d/actions_filebeat.conf
rename to sysutils/beats/src/opnsense/service/conf/actions.d/actions_beats.conf
diff --git a/sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS b/sysutils/beats/src/opnsense/service/templates/OPNsense/Beats/+TARGETS
similarity index 100%
rename from sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/+TARGETS
rename to sysutils/beats/src/opnsense/service/templates/OPNsense/Beats/+TARGETS
diff --git a/sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat b/sysutils/beats/src/opnsense/service/templates/OPNsense/Beats/filebeat
similarity index 100%
rename from sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat
rename to sysutils/beats/src/opnsense/service/templates/OPNsense/Beats/filebeat
diff --git a/sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml b/sysutils/beats/src/opnsense/service/templates/OPNsense/Beats/filebeat.yml
similarity index 100%
rename from sysutils/beats/src/opnsense/service/templates/OPNsense/Filebeat/filebeat.yml
rename to sysutils/beats/src/opnsense/service/templates/OPNsense/Beats/filebeat.yml

From cd1455806e7fdf06808f9a85701e36bdf434a7bd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Apr 2025 16:58:49 +0200
Subject: [PATCH 2407/3088] net/turnserver: review, mostly style and
 simplification

---
 README.md                                     |  1 +
 net/turnserver/Makefile                       |  3 ++-
 .../models/OPNsense/Turnserver/ACL/ACL.xml    |  2 +-
 .../models/OPNsense/Turnserver/Menu/Menu.xml  |  2 +-
 .../models/OPNsense/Turnserver/Turnserver.xml | 21 +++++++++----------
 .../scripts/OPNsense/Turnserver/setup.sh      |  3 ---
 .../conf/actions.d/actions_turnserver.conf    |  8 +++----
 .../templates/OPNsense/Turnserver/rc.conf.d   |  5 +++--
 8 files changed, 22 insertions(+), 23 deletions(-)
 delete mode 100755 net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh

diff --git a/README.md b/README.md
index ea219dbe85..3d041c3072 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,7 @@ net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
 net/sslh -- sslh configuration front-end
 net/tayga -- Tayga NAT64
+net/turnserver -- The coturn STUN/TURN Server (development only)
 net/udpbroadcastrelay -- Control udpbroadcastrelay processes
 net/upnp -- Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 net/vnstat -- Network traffic monitor
diff --git a/net/turnserver/Makefile b/net/turnserver/Makefile
index dfe3b1ce6e..8952e2a3f2 100644
--- a/net/turnserver/Makefile
+++ b/net/turnserver/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		turnserver
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		0.1
+PLUGIN_DEVEL=		yes
 PLUGIN_COMMENT=		The coturn STUN/TURN Server
 PLUGIN_DEPENDS=		turnserver
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
index 2fa8a37a6d..dfc800ea50 100644
--- a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
@@ -2,7 +2,7 @@
     <page-services-turnserver>
         <name>Services: Turnserver</name>
         <patterns>
-            <pattern>ui/turnserver/*</pattern>
+            <pattern>ui/turnserver</pattern>
             <pattern>api/turnserver/*</pattern>
         </patterns>
     </page-services-turnserver>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
index 8b40dc89a1..4134d75c29 100644
--- a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
@@ -1,5 +1,5 @@
 <menu>
     <Services>
-        <Turnserver VisibleName="Turnserver" cssClass="fa fa-comment-o fa-fw" url="/ui/turnserver"/>
+        <Turnserver cssClass="fa fa-comment-o fa-fw" url="/ui/turnserver"/>
     </Services>
 </menu>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
index 1acae266f7..9c0346aef2 100644
--- a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
@@ -5,11 +5,11 @@
     <items>
         <settings>
             <Enabled type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </Enabled>
             <ListenIP type="NetworkField">
-                <default>127.0.0.1</default>
+                <Default>127.0.0.1</Default>
                 <FieldSeparator>,</FieldSeparator>
                 <asList>Y</asList>
                 <Required>Y</Required>
@@ -27,12 +27,11 @@
                 <Required>Y</Required>
             </MaxPort>
             <TlsEnabled type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </TlsEnabled>
             <TlsCertificate type="CertificateField">
                 <Required>N</Required>
-                <Multiple>N</Multiple>
                 <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
             </TlsCertificate>
             <TlsPort type="PortField">
@@ -40,7 +39,7 @@
                 <Required>Y</Required>
             </TlsPort>
             <UseAuthSecret type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </UseAuthSecret>
             <StaticAuthSecret type="TextField">
@@ -54,39 +53,39 @@
                 <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
             </Realm>
             <FingerprintsEnabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </FingerprintsEnabled>
             <UserQuota type="IntegerField">
-                <default>0</default>
+                <Default>0</Default>
                 <MinimumValue>0</MinimumValue>
                 <MaximumValue>1000000000</MaximumValue>
                 <ValidationMessage>Please specify a value between 0 and 1000000000.</ValidationMessage>
                 <Required>Y</Required>
             </UserQuota>
             <TotalQuota type="IntegerField">
-                <default>0</default>
+                <Default>0</Default>
                 <MinimumValue>0</MinimumValue>
                 <MaximumValue>1000000000</MaximumValue>
                 <ValidationMessage>Please specify a value between 0 and 1000000000.</ValidationMessage>
                 <Required>Y</Required>
             </TotalQuota>
             <StaleNonce type="IntegerField">
-                <default>600</default>
+                <Default>600</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>1000000000</MaximumValue>
                 <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
                 <Required>Y</Required>
             </StaleNonce>
             <ChannelLifetime type="IntegerField">
-                <default>600</default>
+                <Default>600</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>1000000000</MaximumValue>
                 <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
                 <Required>Y</Required>
             </ChannelLifetime>
             <PermissionLifetime type="IntegerField">
-                <default>300</default>
+                <Default>300</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>1000000000</MaximumValue>
                 <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
diff --git a/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh
deleted file mode 100755
index 137843af5f..0000000000
--- a/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-/usr/local/opnsense/scripts/OPNsense/Turnserver/export_certs.php > /dev/null 2>&1
-exit 0
diff --git a/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf b/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
index 372e02aa3b..358637c93c 100644
--- a/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
+++ b/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
@@ -1,26 +1,26 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Turnserver/setup.sh; /usr/local/etc/rc.d/turnserver start
+command:/usr/local/etc/rc.d/turnserver start
 parameters:
 type:script
 description:Start Turnserver
 message:starting turnserver
 
 [stop]
-command:/usr/local/etc/rc.d/turnserver onestop
+command:/usr/local/etc/rc.d/turnserver stop
 parameters:
 type:script
 description:Stop Turnserver
 message:stopping turnserver
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Turnserver/setup.sh; /usr/local/etc/rc.d/turnserver restart
+command:/usr/local/etc/rc.d/turnserver restart
 parameters:
 type:script
 description:Restart Turnserver
 message:restarting turnserver
 
 [status]
-command:/usr/local/etc/rc.d/turnserver status || exit 0
+command:/usr/local/etc/rc.d/turnserver status; exit 0
 parameters:
 type:script_output
 message:requesting turnserver status
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
index f292a04861..fdf9b7be43 100644
--- a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
@@ -1,5 +1,6 @@
 {% if helpers.exists('OPNsense.turnserver.settings.Enabled') and OPNsense.turnserver.settings.Enabled|default("0") == "1" %}
-turnserver_enable=YES
+turnserver_enable="YES"
+turnserver_setup="/usr/local/opnsense/scripts/OPNsense/Turnserver/export_certs.php"
 {% else %}
-turnserver_enable=NO
+turnserver_enable="NO"
 {% endif %}

From 5e57d89c7c7307622a55701653edf1afc47b7d3a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Apr 2025 17:33:15 +0200
Subject: [PATCH 2408/3088] www/caddy: fix dashboard lint, ACL checker only
 goes up one directory

---
 www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js | 4 ++--
 www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js      | 2 +-
 www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml  | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
index 7a3834294b..d3108ac4be 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
@@ -48,7 +48,7 @@ export default class CaddyCertificate extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        const proxyData = await this.ajaxCall('/api/caddy/reverse_proxy/get');
+        const proxyData = await this.ajaxCall(`/api/caddy/reverse_proxy/${'get'}`);
         if (!proxyData.caddy.general || proxyData.caddy.general.enabled === "0") {
             this.displayError(`${this.translations.unconfigured}`);
             return;
@@ -58,7 +58,7 @@ export default class CaddyCertificate extends BaseTableWidget {
             .map(proxy => proxy.FromDomain)
             .filter(Boolean);
 
-        const certificates = (await this.ajaxCall('/api/caddy/diagnostics/certificate')).content || [];
+        const certificates = (await this.ajaxCall(`/api/caddy/diagnostics/${'certificate'}`)).content || [];
 
         // Display certificate if hostname in config and CN of stored cert on disk match
         const matchingCertificates = certificates.filter(cert => domains.includes(cert.hostname));
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
index ecfbf0f242..63fe9ee754 100644
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
+++ b/www/caddy/src/opnsense/www/js/widgets/CaddyDomain.js
@@ -48,7 +48,7 @@ export default class CaddyDomain extends BaseTableWidget {
 
     async onWidgetTick() {
         // Check if caddy is enabled
-        const data = await this.ajaxCall('/api/caddy/reverse_proxy/get');
+        const data = await this.ajaxCall(`/api/caddy/reverse_proxy/${'get'}`);
         if (!data.caddy.general || data.caddy.general.enabled === "0") {
             this.displayError(`${this.translations.unconfigured}`);
             return;
diff --git a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
index c423f6163d..56233471b3 100644
--- a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
+++ b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
@@ -3,7 +3,7 @@
         <filename>CaddyDomain.js</filename>
         <link>/ui/caddy/reverse_proxy</link>
         <endpoints>
-            <endpoint>/api/caddy/reverse_proxy/get</endpoint>
+            <endpoint>/api/caddy/reverse_proxy/*</endpoint>
         </endpoints>
         <translations>
             <title>Caddy Domains</title>
@@ -17,8 +17,8 @@
         <filename>CaddyCertificate.js</filename>
         <link>/ui/caddy/reverse_proxy</link>
         <endpoints>
-            <endpoint>/api/caddy/diagnostics/certificate</endpoint>
-            <endpoint>/api/caddy/reverse_proxy/get</endpoint>
+            <endpoint>/api/caddy/diagnostics/*</endpoint>
+            <endpoint>/api/caddy/reverse_proxy/*</endpoint>
         </endpoints>
         <translations>
             <title>Caddy Certificates</title>

From 998b7b205233b5c518f80eeb74935554fd399d34 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 2 Apr 2025 20:29:26 +0200
Subject: [PATCH 2409/3088] www/caddy: Also add log file pattern to ACL (#4636)

* www/caddy: Also add log file pattern to ACL

* Update www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml

Co-authored-by: Franco Fichtner <franco@opnsense.org>

---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
---
 .../src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml      | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
index dac86d7e1a..56bd973028 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/ACL/ACL.xml
@@ -4,7 +4,9 @@
         <description>Allow access to Caddy</description>
         <patterns>
             <pattern>ui/caddy/*</pattern>
+            <pattern>ui/diagnostics/log/core/caddy</pattern>
             <pattern>api/caddy/*</pattern>
+            <pattern>api/diagnostics/log/core/caddy/*</pattern>
         </patterns>
     </page-caddy>
 </acl>

From 50d71f192ae74bbd1a6bab11d35f40f1083fca3f Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sun, 6 Apr 2025 08:18:16 +0200
Subject: [PATCH 2410/3088] www/caddy: Remove CaddyCertificate.js widget in
 favor of using the default core provided widget (#4637)

* www/caddy: Remove CaddyCertificates.js widget in favor of using the default core provided widget.
---
 www/caddy/pkg-descr                           |   1 +
 www/caddy/src/etc/ssl/ext_sources/caddy.conf  |   4 +
 .../Caddy/Api/DiagnosticsController.php       |  18 ---
 .../OPNsense/Caddy/caddy_diagnostics.py       |  81 +-----------
 .../service/conf/actions.d/actions_caddy.conf |   6 -
 .../www/js/widgets/CaddyCertificate.js        | 121 ------------------
 .../www/js/widgets/Metadata/Caddy.xml         |  17 ---
 7 files changed, 6 insertions(+), 242 deletions(-)
 create mode 100644 www/caddy/src/etc/ssl/ext_sources/caddy.conf
 delete mode 100644 www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 46c80403a1..c86f8a3f8a 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -17,6 +17,7 @@ Plugin Changelog
 
 * Add: basic_auth per handler (opnsense/plugins/issues/4619)
 * Change: the ACL has been changed to "page-caddy" in "System: Access: Privileges". Privilege must be reassigned if used. (opnsense/plugins/issues/4623)
+* Change: standalone certificate widget has been removed, use system default certificate widget instead. (opnsense/plugins/pull/4637)
 
 1.8.4
 
diff --git a/www/caddy/src/etc/ssl/ext_sources/caddy.conf b/www/caddy/src/etc/ssl/ext_sources/caddy.conf
new file mode 100644
index 0000000000..08b1368b56
--- /dev/null
+++ b/www/caddy/src/etc/ssl/ext_sources/caddy.conf
@@ -0,0 +1,4 @@
+[location]
+base=/var/db/caddy/data/caddy/certificates
+pattern=.*\.crt$
+description=Caddy
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
index edcb55389e..e7ba77be4a 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
@@ -82,22 +82,4 @@ public function caddyfileAction()
         return ["status" => "success", "content" => $responseArray['content']];
     }
 
-    /**
-     * Fetch the hostnames, validity and expiration dates of automatic certificates as JSON. Consumed by Caddy widget.
-     */
-    public function certificateAction()
-    {
-        $backend = new Backend();
-        $response = $backend->configdRun('caddy certificate');
-
-        // Decode JSON to PHP array
-        $responseArray = json_decode($response, true);
-
-        if (isset($responseArray['error'])) {
-            return ["status" => "failed", "message" => $responseArray['message']];
-        }
-
-        // Return the response as an array which gets automatically encoded to JSON
-        return ["status" => "success", "content" => $responseArray];
-    }
 }
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
index 9a15eb01f7..27f933d996 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py
@@ -30,8 +30,6 @@
 import json
 import os
 import subprocess
-import asyncio
-from datetime import datetime
 
 
 # Function to show the Caddy configuration from a JSON file
@@ -69,88 +67,11 @@ def show_caddyfile():
         print(json.dumps({"error": "General Error", "message": str(e)}))
 
 
-# Function to extract certificate information using openssl command
-async def extract_certificate_info(cert_path):
-    try:
-        # Execute the openssl command to get the expiration date with a timeout
-        result = await asyncio.wait_for(
-            asyncio.create_subprocess_exec(
-                'openssl', 'x509', '-in', cert_path, '-noout', '-enddate',
-                stdout=subprocess.PIPE, stderr=subprocess.PIPE),
-            timeout=10)  # Make sure tasks are cleaned up if they hang
-
-        stdout, stderr = await result.communicate()
-
-        # Check for errors in the execution
-        if result.returncode != 0:
-            error_message = stderr.decode().strip()
-            raise RuntimeError(f"Subprocess failed with error: {error_message}")
-
-        # Decode output and process the information
-        expiration_date_str = stdout.decode().strip().split('=')[1]
-
-        # Convert expiration date string to datetime object
-        expiration_date = datetime.strptime(expiration_date_str, "%b %d %H:%M:%S %Y GMT")
-
-        # Determine the current date
-        now = datetime.now()
-
-        # Calculate remaining days until expiration
-        remaining_days = (expiration_date - now).days
-        remaining_days = max(remaining_days, 0)  # Ensure non-negative days
-
-        # Extract the hostname from the filename
-        hostname = os.path.basename(cert_path).replace('.crt', '').lower()
-        if hostname.startswith("wildcard_"):
-            hostname = hostname.replace("wildcard_", "*", 1)
-
-        return {'hostname': hostname, 'expiration_date': expiration_date_str, 'remaining_days': remaining_days}
-    except asyncio.TimeoutError as e:
-        # Handle timeout specific errors
-        raise RuntimeError(f"Timeout occurred while processing {cert_path}: {str(e)}")
-    except Exception as e:
-        raise RuntimeError(f"Error extracting certificate info for {cert_path}: {str(e)}")
-
-
-# Function to find certificates and create tasks to extract info
-async def find_certificates(base_dir):
-    tasks = []
-    for root, dirs, files in os.walk(base_dir):
-        # Skip any directories named 'temp'
-        dirs[:] = [d for d in dirs if d != 'temp']
-        for file in files:
-            if file.endswith('.crt'):
-                cert_path = os.path.join(root, file)
-                task = asyncio.create_task(extract_certificate_info(cert_path))
-                tasks.append(task)
-
-    if not tasks:
-        raise RuntimeError("No certificates were found in the specified directory.")
-
-    results = await asyncio.gather(*tasks, return_exceptions=True)
-    return [result for result in results if not isinstance(result, Exception)]
-
-
-# Function to show certificates, processing all found in the given directory
-async def show_certificates():
-    # Function to show certificates, processing all found in the given directory
-    base_dir = '/var/db/caddy/data/caddy/certificates'
-    try:
-        certificates_data = await find_certificates(base_dir)
-        if certificates_data:
-            print(json.dumps(certificates_data))
-        else:
-            raise RuntimeError("No valid certificate data found.")
-    except Exception as e:
-        print(json.dumps({"error": "General Error", "message": str(e)}))
-
-
 # Action handler
 def perform_action(cmd_action):
     actions = {
         "config": show_caddy_config,
-        "caddyfile": show_caddyfile,
-        "certificate": lambda: asyncio.run(show_certificates())
+        "caddyfile": show_caddyfile
     }
 
     action_func = actions.get(cmd_action)
diff --git a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
index be0997b93a..0d768ce42b 100644
--- a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
+++ b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
@@ -47,9 +47,3 @@ command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py caddyfil
 parameters:
 type:script_output
 message:Request Caddyfile
-
-[certificate]
-command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_diagnostics.py certificate
-parameters:
-type:script_output
-message:Check validity of automatic certificates
diff --git a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js b/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
deleted file mode 100644
index d3108ac4be..0000000000
--- a/www/caddy/src/opnsense/www/js/widgets/CaddyCertificate.js
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2024 Cedrik Pischem
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-export default class CaddyCertificate extends BaseTableWidget {
-    constructor() {
-        super();
-        this.tickTimeout = 30;
-    }
-
-    getGridOptions() {
-        return {
-            // trigger overflow-y:scroll after 650px height
-            sizeToContent: 650
-        };
-    }
-
-    getMarkup() {
-        const $container = $('<div></div>');
-        const $caddyCertificateTable = this.createTable('caddyCertificateTable', {
-            headerPosition: 'none'
-        });
-
-        $container.append($caddyCertificateTable);
-        return $container;
-    }
-
-    async onWidgetTick() {
-        const proxyData = await this.ajaxCall(`/api/caddy/reverse_proxy/${'get'}`);
-        if (!proxyData.caddy.general || proxyData.caddy.general.enabled === "0") {
-            this.displayError(`${this.translations.unconfigured}`);
-            return;
-        }
-
-        const domains = Object.values(proxyData.caddy.reverseproxy?.reverse || [])
-            .map(proxy => proxy.FromDomain)
-            .filter(Boolean);
-
-        const certificates = (await this.ajaxCall(`/api/caddy/diagnostics/${'certificate'}`)).content || [];
-
-        // Display certificate if hostname in config and CN of stored cert on disk match
-        const matchingCertificates = certificates.filter(cert => domains.includes(cert.hostname));
-
-        if (matchingCertificates.length === 0) {
-            this.displayError(`${this.translations.nocerts}`);
-            return;
-        }
-
-        this.clearError();
-        this.processCertificates(matchingCertificates);
-    }
-
-    displayError(message) {
-        const $error = $(`<div class="error-message"><a href="/ui/caddy/general">${message}</a></div>`);
-        $('#caddyCertificateTable').empty().append($error);
-    }
-
-    clearError() {
-        $('#caddyCertificateTable .error-message').remove();
-    }
-
-    processCertificates(certificates) {
-        $('.caddy-certificate-tooltip').tooltip('hide');
-
-        const rows = certificates.map(certificate => {
-            const colorClass = certificate.remaining_days === 0
-                ? 'text-danger'
-                : certificate.remaining_days < 14
-                ? 'text-warning'
-                : 'text-success';
-
-            const statusText = certificate.remaining_days === 0
-                ? this.translations.expired
-                : this.translations.valid;
-
-            const row = `
-                <div>
-                    <i class="fa fa-lock ${colorClass} caddy-certificate-tooltip" style="cursor: pointer;"
-                        data-tooltip="caddy-certificate-${certificate.hostname}" title="${statusText}">
-                    </i>
-                    &nbsp;
-                    <span><b>${certificate.hostname}</b></span>
-                    <br/>
-                    <div style="margin-top: 5px; margin-bottom: 5px;">
-                        <i>${this.translations.expires}</i> ${certificate.remaining_days} ${this.translations.days},
-                        ${new Date(certificate.expiration_date).toLocaleString()}
-                    </div>
-                </div>`;
-            return { html: row, expirationDate: new Date(certificate.expiration_date) };
-        });
-
-        rows.sort((a, b) => a.expirationDate - b.expirationDate);
-
-        const sortedRows = rows.map(row => [row.html]);
-        super.updateTable('caddyCertificateTable', sortedRows);
-
-        $('.caddy-certificate-tooltip').tooltip({ container: 'body' });
-    }
-}
diff --git a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
index 56233471b3..230bb1aeed 100644
--- a/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
+++ b/www/caddy/src/opnsense/www/js/widgets/Metadata/Caddy.xml
@@ -13,21 +13,4 @@
             <nodomains>Caddy does not manage any domains.</nodomains>
         </translations>
     </caddydomain>
-    <caddycertificate>
-        <filename>CaddyCertificate.js</filename>
-        <link>/ui/caddy/reverse_proxy</link>
-        <endpoints>
-            <endpoint>/api/caddy/diagnostics/*</endpoint>
-            <endpoint>/api/caddy/reverse_proxy/*</endpoint>
-        </endpoints>
-        <translations>
-            <title>Caddy Certificates</title>
-            <valid>Valid</valid>
-            <expired>Expired</expired>
-            <unconfigured>Caddy is disabled or not configured.</unconfigured>
-            <nocerts>Caddy does not manage any automatic certificates.</nocerts>
-            <expires>Expires:</expires>
-            <days>days</days>
-        </translations>
-    </caddycertificate>
 </metadata>

From b850e22ee82b12a8aa0801f9844dbdc582c490d5 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 7 Apr 2025 19:32:36 +0200
Subject: [PATCH 2411/3088] www/caddy: Cleanup volt templates (#4634)

- Cleanup of styles, formatters, and dialog layouts
- Dialog element hiding logic was improved
- "Filter by Domain" can filter subdomains
- "Filter by Domain" will preselect domain and subdomain in handler add dialog
- Grids are now responsive with automatic overflow on small screens
- Grids now lazy load on tab switch for improved performance
- Grids format domains and upstreams with protocol, domain, port and path in a single line
- "Layer4 Proxy" and "Reverse Proxy" now use the same volt template
- "Search Handler" and "Add Handler" buttons added to domain and subdomain grids
- Step buttons (Add Domain, Add Handler) have been removed since they are redundant
- Success messages on configuration apply have been removed, only errors will be shown
- Tabs use URL hash to preserve selection on refresh
---
 www/caddy/pkg-descr                           |  13 +
 .../Caddy/Api/ReverseProxyController.php      | 134 ++--
 .../OPNsense/Caddy/Layer4Controller.php       |   7 +-
 .../OPNsense/Caddy/ReverseProxyController.php |  13 +-
 .../OPNsense/Caddy/forms/dialogHandle.xml     |  71 +-
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |  42 +-
 .../Caddy/forms/dialogReverseProxy.xml        |  27 +-
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |  18 +-
 .../mvc/app/views/OPNsense/Caddy/general.volt |   3 +-
 .../mvc/app/views/OPNsense/Caddy/layer4.volt  | 181 -----
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 644 +++++++++++-------
 11 files changed, 592 insertions(+), 561 deletions(-)
 delete mode 100644 www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index c86f8a3f8a..9fa23bafa6 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -18,6 +18,19 @@ Plugin Changelog
 * Add: basic_auth per handler (opnsense/plugins/issues/4619)
 * Change: the ACL has been changed to "page-caddy" in "System: Access: Privileges". Privilege must be reassigned if used. (opnsense/plugins/issues/4623)
 * Change: standalone certificate widget has been removed, use system default certificate widget instead. (opnsense/plugins/pull/4637)
+* Cleanup: UI improvements (opnsense/plugins/pull/4634)
+    * Cleanup of styles, formatters, and dialog layouts
+    * Dialog element hiding logic was improved
+    * "Filter by Domain" can filter subdomains
+    * "Filter by Domain" will preselect domain and subdomain in handler add dialog
+    * Grids are now responsive with automatic overflow on small screens
+    * Grids now lazy load on tab switch for improved performance
+    * Grids format domains and upstreams with protocol, domain, port and path in a single line
+    * "Layer4 Proxy" and "Reverse Proxy" now use the same volt template
+    * "Search Handler" and "Add Handler" buttons added to domain and subdomain grids
+    * Step buttons (Add Domain, Add Handler) have been removed since they are redundant
+    * Success messages on configuration apply have been removed, only errors will be shown
+    * Tabs use URL hash to preserve selection on refresh
 
 1.8.4
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index 742fb4e177..e6970cfa00 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -38,77 +38,94 @@ class ReverseProxyController extends ApiMutableModelControllerBase
     protected static $internalModelUseSafeDelete = true;
 
     /**
-     * Function for search filter dropdown
-     *
-     * @return array containing rows of domain and port combinations.
+     * Return selectpicker options for reverse proxy domains and ports
      */
     public function getAllReverseDomainsAction()
     {
-        $result = array("rows" => array());
-
-        $mdlCaddy = new \OPNsense\Caddy\Caddy();
-        $reverseNodes = $mdlCaddy->reverseproxy->reverse->iterateItems();
+        $result = [
+            'domains' => [
+                'label' => gettext('Domains'),
+                'icon'  => 'fa fa-fw fa-globe text-success',
+                'items' => []
+            ],
+            'subdomains' => [
+                'label' => gettext('Subdomains'),
+                'icon'  => 'fa fa-fw fa-globe text-warning',
+                'items' => []
+            ],
+        ];
+
+        foreach ((new \OPNsense\Caddy\Caddy())->reverseproxy->reverse->iterateItems() as $reverse) {
+            if (!empty($reverse->FromDomain)) {
+                $port = (string)$reverse->FromPort;
+                $combined = (string)$reverse->FromDomain . ($port !== '' ? ':' . $port : '');
+
+                $result['domains']['items'][] = [
+                    'value' => (string)$reverse->getAttributes()['uuid'],
+                    'label' => $combined
+                ];
+            }
+        }
 
-        foreach ($reverseNodes as $item) {
-            if (!empty($item->FromDomain)) {
-                // Conditionally concatenate port if it exists
-                $domain = (string)$item->FromDomain;
-                $port = (string)$item->FromPort;
-                $combinedDomainPort = $domain . (!empty($port) ? ':' . $port : '');
+        foreach ((new \OPNsense\Caddy\Caddy())->reverseproxy->subdomain->iterateItems() as $subdomain) {
+            if (!empty($subdomain->FromDomain)) {
 
-                $result['rows'][] = array(
-                    'id' => (string)$item->getAttributes()['uuid'],
-                    'domainPort' => $combinedDomainPort  // Combined domain and port, conditionally adding port
-                );
+                $result['subdomains']['items'][] = [
+                    'value' => (string)$subdomain->getAttributes()['uuid'],
+                    'label' => (string)$subdomain->FromDomain
+                ];
             }
         }
 
+        foreach (array_keys($result) as $key) {
+            usort($result[$key]['items'], fn($a, $b) => strcasecmp($a['label'], $b['label']));
+        }
+
         return $result;
     }
 
     /**
-     * Generalized helper function for searching across different sections of the reverse proxy setup.
-     * This function mostly helps when model relation fields are used.
-     * It filters entries based on UUIDs provided as an argument. The section or key used for the UUID
-     * can be specified, allowing for direct or indirect UUID referencing.
+     * Build a UUID filter function.
      *
-     * @param string $modelPath The data model path identifier, pointing to section of model being searched.
-     * @param string $uuidSearchBase The request parameter name for the comma-separated list of UUIDs.
-     * @param string|null $uuidReferenceKey Attribute key used to fetch the UUID for filtering.
-     *                                      If null, uses item's own UUID.
-     * @return array Filtered search results.
+     * @return callable|null
      */
-    private function searchActionHelper($modelPath, $uuidSearchBase, $uuidReferenceKey = null)
-    {
-        // Fetch the comma-separated UUIDs string from the request using the provided parameter name.
-        $uuidList = $this->request->get($uuidSearchBase);
-        // Ensure the retrieved UUID list is a string and not empty before attempting to explode it.
-        $uuidArray = (!empty($uuidList) && is_string($uuidList)) ? explode(',', $uuidList) : [];
-
-        // Define a filter function to determine which items to include based on the UUID.
-        $filterFunction = function ($modelItem) use ($uuidArray, $uuidReferenceKey) {
-            // Extract UUID from the item, using the specified UUID key if provided, else default to direct UUID access.
-            if ($uuidReferenceKey !== null) {
-                $modelUUID = (string)$modelItem->$uuidReferenceKey;
-            } else {
-                $modelUUID = (string)$modelItem->getAttributes()['uuid'];
+    private function buildFilterFunction(): ?callable
+    {
+        $domainUuids = $this->request->get('domainUuids');
+        if (empty($domainUuids)) {
+            return null;
+        }
+
+        return function ($record) use ($domainUuids): bool {
+            $fieldsToCheck = ['reverse', 'subdomain'];
+            $uuids = [];
+
+            // Add the record's own UUID
+            $uuidAttr = $record->getAttributes()['uuid'] ?? null;
+            if (is_scalar($uuidAttr)) {
+                $uuids[] = trim((string)$uuidAttr);
             }
-            // Include the item if the UUID array is empty or if the item's UUID is in the array.
-            return empty($uuidArray) || in_array($modelUUID, $uuidArray, true);
-        };
 
-        // Perform the search using the specified model path and the filter function, returning the results.
-        // Note: This uses the existing search function of the ApiMutableModelControllerBase
-        return $this->searchBase($modelPath, null, 'description', $filterFunction);
-    }
+            // Add UUIDs from model relation fields
+            foreach ($fieldsToCheck as $field) {
+                $value = $record->{$field} ?? null;
 
+                foreach ((array)$value as $item) {
+                    if (is_scalar($item)) {
+                        $uuids[] = trim((string)$item);
+                    }
+                }
+            }
+
+            return (bool) array_intersect($uuids, $domainUuids);
+        };
+    }
 
     // ReverseProxy Section
 
     public function searchReverseProxyAction()
     {
-        // For domains, use their domain UUIDs directly, $uuidReferenceKey null added for explicit clarity
-        return $this->searchActionHelper("reverseproxy.reverse", "reverseUuids", null);
+        return $this->searchBase('reverseproxy.reverse', null, null, $this->buildFilterFunction());
     }
 
     public function setReverseProxyAction($uuid)
@@ -141,9 +158,7 @@ public function toggleReverseProxyAction($uuid, $enabled = null)
 
     public function searchSubdomainAction()
     {
-        // For subdomains, compare 'reverseUuids' (which contain domain UUIDs)
-        // to 'reverse' (which contain the same domain UUIDs due to model relation field)
-        return $this->searchActionHelper("reverseproxy.subdomain", "reverseUuids", "reverse");
+        return $this->searchBase('reverseproxy.subdomain', null, null, $this->buildFilterFunction());
     }
 
     public function setSubdomainAction($uuid)
@@ -174,12 +189,9 @@ public function toggleSubdomainAction($uuid, $enabled = null)
 
     // Handler Section
 
-    // Adjusted for search filter dropdown, using helper function
     public function searchHandleAction()
     {
-        // For handles, compare 'reverseUuids' (which contain domain UUIDs)
-        // to 'reverse' (which contain the same domain UUIDs due to model relation field)
-        return $this->searchActionHelper("reverseproxy.handle", "reverseUuids", "reverse");
+        return $this->searchBase('reverseproxy.handle', null, null, $this->buildFilterFunction());
     }
 
     public function setHandleAction($uuid)
@@ -211,7 +223,7 @@ public function toggleHandleAction($uuid, $enabled = null)
 
     public function searchAccessListAction()
     {
-        return $this->searchBase("reverseproxy.accesslist", null, 'description');
+        return $this->searchBase("reverseproxy.accesslist");
     }
 
     public function setAccessListAction($uuid)
@@ -239,7 +251,7 @@ public function delAccessListAction($uuid)
 
     public function searchBasicAuthAction()
     {
-        return $this->searchBase("reverseproxy.basicauth", null, 'description');
+        return $this->searchBase("reverseproxy.basicauth");
     }
 
     public function setBasicAuthAction($uuid)
@@ -291,7 +303,7 @@ public function delBasicAuthAction($uuid)
 
     public function searchHeaderAction()
     {
-        return $this->searchBase("reverseproxy.header", null, 'description');
+        return $this->searchBase("reverseproxy.header");
     }
 
     public function setHeaderAction($uuid)
@@ -319,7 +331,7 @@ public function delHeaderAction($uuid)
 
     public function searchLayer4Action()
     {
-        return $this->searchBase("reverseproxy.layer4", null, 'description');
+        return $this->searchBase("reverseproxy.layer4");
     }
 
     public function setLayer4Action($uuid)
@@ -352,7 +364,7 @@ public function toggleLayer4Action($uuid, $enabled = null)
 
     public function searchLayer4OpenvpnAction()
     {
-        return $this->searchBase("reverseproxy.layer4openvpn", null, 'description');
+        return $this->searchBase("reverseproxy.layer4openvpn");
     }
 
     public function setLayer4OpenvpnAction($uuid)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
index b1366ab72a..7ea9478e13 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
@@ -36,12 +36,13 @@ class Layer4Controller extends IndexController
 {
     public function indexAction()
     {
-        $this->view->pick('OPNsense/Caddy/layer4');
+        $this->view->entrypoint = 'layer4';
+        $this->view->pick('OPNsense/Caddy/reverse_proxy');
 
         $this->view->formDialogLayer4 = $this->getForm('dialogLayer4');
-        $this->view->formGridLayer4 = $this->getFormGrid('dialogLayer4', null, 'ConfChangeMessage');
+        $this->view->formGridLayer4 = $this->getFormGrid('dialogLayer4', 'Layer4');
 
         $this->view->formDialogLayer4Openvpn = $this->getForm('dialogLayer4Openvpn');
-        $this->view->formGridLayer4Openvpn = $this->getFormGrid('dialogLayer4Openvpn', null, 'ConfChangeMessage');
+        $this->view->formGridLayer4Openvpn = $this->getFormGrid('dialogLayer4Openvpn', 'Layer4Openvpn');
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
index e30315299a..dc780dcd62 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -36,24 +36,25 @@ class ReverseProxyController extends IndexController
 {
     public function indexAction()
     {
+        $this->view->entrypoint = 'reverse_proxy';
         $this->view->pick('OPNsense/Caddy/reverse_proxy');
 
         $this->view->formDialogReverseProxy = $this->getForm("dialogReverseProxy");
-        $this->view->formGridReverseProxy = $this->getFormGrid('dialogReverseProxy', null, 'ConfChangeMessage');
+        $this->view->formGridReverseProxy = $this->getFormGrid('dialogReverseProxy', 'ReverseProxy');
 
         $this->view->formDialogSubdomain = $this->getForm("dialogSubdomain");
-        $this->view->formGridSubdomain = $this->getFormGrid('dialogSubdomain', null, 'ConfChangeMessage');
+        $this->view->formGridSubdomain = $this->getFormGrid('dialogSubdomain', 'Subdomain');
 
         $this->view->formDialogHandle = $this->getForm("dialogHandle");
-        $this->view->formGridHandle = $this->getFormGrid('dialogHandle', null, 'ConfChangeMessage');
+        $this->view->formGridHandle = $this->getFormGrid('dialogHandle', 'Handle');
 
         $this->view->formDialogAccessList = $this->getForm("dialogAccessList");
-        $this->view->formGridAccessList = $this->getFormGrid('dialogAccessList', null, 'ConfChangeMessage');
+        $this->view->formGridAccessList = $this->getFormGrid('dialogAccessList', 'AccessList');
 
         $this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
-        $this->view->formGridBasicAuth = $this->getFormGrid('dialogBasicAuth', null, 'ConfChangeMessage');
+        $this->view->formGridBasicAuth = $this->getFormGrid('dialogBasicAuth', 'BasicAuth');
 
         $this->view->formDialogHeader = $this->getForm("dialogHeader");
-        $this->view->formGridHeader = $this->getFormGrid('dialogHeader', null, 'ConfChangeMessage');
+        $this->view->formGridHeader = $this->getFormGrid('dialogHeader', 'Header');
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 52fd8618ed..d80d495cfd 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -5,17 +5,11 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this handler.]]></help>
         <grid_view>
-            <width>6em</width>
+            <width>2em</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
     </field>
-    <field>
-        <id>handle.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this handler.]]></help>
-    </field>
     <field>
         <type>header</type>
         <label>Frontend</label>
@@ -25,17 +19,22 @@
         <label>Domain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a domain to handle.]]></help>
+        <grid_view>
+            <formatter>model_relation_domain</formatter>
+        </grid_view>
     </field>
     <field>
         <id>handle.subdomain</id>
         <label>Subdomain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a subdomain to handle. Make sure to additionaly choose a wildcard domain as "Domain". Leave unset, if not using subdomains.]]></help>
+        <grid_view>
+            <formatter>model_relation_domain</formatter>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
         <label>Handler</label>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>handle.HandleType</id>
@@ -53,7 +52,6 @@
         <type>text</type>
         <hint>any</hint>
         <help><![CDATA[Enter a path to handle. Choose a pattern like "/*" or "/example/*". Leave empty to handle any paths (recommended). Any request matching this pattern will be handled by the chosen directive.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -61,14 +59,15 @@
     <field>
         <type>header</type>
         <label>Access</label>
-        <advanced>true</advanced>
+        <collapse>true</collapse>
+        <style>style_reverse_proxy</style>
     </field>
     <field>
         <id>handle.accesslist</id>
         <label>Access List</label>
         <type>dropdown</type>
+        <style>style_reverse_proxy</style>
         <help><![CDATA[Select an Access List to restrict access to this handler. If unset, any local or remote client is allowed access.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -78,6 +77,7 @@
         <label>Basic Auth</label>
         <type>select_multiple</type>
         <size>5</size>
+        <style>selectpicker style_reverse_proxy</style>
         <help><![CDATA[Select Users to restrict access to this path. If unset, any user is allowed access.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -87,8 +87,8 @@
         <id>handle.ForwardAuth</id>
         <label>Forward Auth</label>
         <type>checkbox</type>
+        <style>style_reverse_proxy</style>
         <help><![CDATA[Enable or disable Forward Auth. Requires an "Auth Provider" in "General Settings". Headers are set automatically to the standard of the chosen provider. Enabling this option will additionally generate the forward_auth directive in front of the reverse_proxy directive inside the scope of this handler.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
@@ -107,7 +107,9 @@
     </field>
     <field>
         <type>header</type>
-        <label>Upstream</label>
+        <label>Transport</label>
+        <collapse>true</collapse>
+        <style>style_reverse_proxy</style>
     </field>
     <field>
         <id>handle.HttpVersion</id>
@@ -115,7 +117,6 @@
         <type>dropdown</type>
         <style>selectpicker style_reverse_proxy</style>
         <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires HTTPS, and only establishes connections to webservers that also support HTTP/3.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -128,7 +129,6 @@
         <size>5</size>
         <style>selectpicker style_reverse_proxy</style>
         <help><![CDATA[Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -140,16 +140,22 @@
         <hint>120</hint>
         <style>style_reverse_proxy</style>
         <help><![CDATA[Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <type>header</type>
+        <label>Upstream</label>
+    </field>
     <field>
         <id>handle.HttpTls</id>
         <label>Protocol</label>
         <type>dropdown</type>
         <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the upstream destination. Caddy uses HTTP with the upstream destination by default.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.ToDomain</id>
@@ -158,19 +164,24 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration" in advanced mode. When directive is "redir", only the first domain will be evaluated.]]></help>
+        <grid_view>
+            <formatter>to_domain</formatter>
+        </grid_view>
     </field>
     <field>
         <id>handle.ToPort</id>
         <label>Upstream Port</label>
         <type>text</type>
         <help><![CDATA[Leave empty to use the default port or choose a custom port for the upstream destination.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.ToPath</id>
         <label>Upstream Path</label>
         <type>text</type>
         <help><![CDATA[When directive is "reverse_proxy", enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path. When directive is "redir", add the path the request should be redirected to; leaving it empty will append {uri}.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -179,7 +190,7 @@
         <id>handle.HttpTlsInsecureSkipVerify</id>
         <label>TLS Insecure Skip Verify</label>
         <type>checkbox</type>
-        <style>style_tls style_reverse_proxy</style>
+        <style>style_tls_handle</style>
         <help><![CDATA[Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".]]></help>
         <grid_view>
             <visible>false</visible>
@@ -191,7 +202,7 @@
         <id>handle.HttpTlsTrustedCaCerts</id>
         <label>TLS Trust Pool</label>
         <type>dropdown</type>
-        <style>selectpicker style_tls style_reverse_proxy</style>
+        <style>selectpicker style_tls_handle</style>
         <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -201,7 +212,7 @@
         <id>handle.HttpTlsServerName</id>
         <label>TLS Server Name</label>
         <type>text</type>
-        <style>style_tls style_reverse_proxy</style>
+        <style>style_tls_handle</style>
         <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trust Pool", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -211,7 +222,7 @@
         <id>handle.HttpNtlm</id>
         <label>NTLM</label>
         <type>checkbox</type>
-        <style>style_tls style_reverse_proxy</style>
+        <style>style_tls_handle</style>
         <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -219,10 +230,17 @@
             <formatter>boolean</formatter>
         </grid_view>
     </field>
+    <field>
+        <id>handle.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this handler.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Load Balancing</label>
-        <advanced>true</advanced>
+        <collapse>true</collapse>
+        <style>style_reverse_proxy</style>
     </field>
     <field>
         <id>handle.lb_policy</id>
@@ -230,7 +248,6 @@
         <type>dropdown</type>
         <style>selectpicker style_reverse_proxy</style>
         <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -242,7 +259,6 @@
         <style>style_reverse_proxy</style>
         <hint>off</hint>
         <help><![CDATA[lb_retries is how many times to retry selecting available backends for each request if the next available host is down. If lb_try_duration is also configured, then retries may stop early if the duration is reached. In other words, the retry duration takes precedence over the retry count.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -254,7 +270,6 @@
         <style>style_reverse_proxy</style>
         <hint>0</hint>
         <help><![CDATA[lb_try_duration is a duration value that defines how long to try selecting available backends for each request if the next available host is down. Clients will wait for up to this long while the load balancer tries to find an available upstream host. A reasonable starting point might be 5s since the HTTP transport's default dial timeout is 3s, so that should allow for at least one retry if the first selected upstream cannot be reached.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -266,7 +281,6 @@
         <style>style_reverse_proxy</style>
         <hint>250</hint>
         <help><![CDATA[lb_try_interval is a duration value that defines how long to wait between selecting the next host from the pool. Only relevant when a request to an upstream host fails. Be aware that setting this to 0 with a non-zero lb_try_duration can cause the CPU to spin if all backends are down and latency is very low.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -278,7 +292,6 @@
         <style>style_reverse_proxy</style>
         <hint>off</hint>
         <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -290,7 +303,6 @@
         <style>style_reverse_proxy</style>
         <hint>1</hint>
         <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -302,7 +314,6 @@
         <style>style_reverse_proxy</style>
         <hint>off</hint>
         <help><![CDATA[unhealthy_status counts a request as failed if the response comes back with one of these status codes. Can be a 3-digit status code or a status code class ending in xx, for example: 404 or 5xx.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -314,7 +325,6 @@
         <style>style_reverse_proxy</style>
         <hint>off</hint>
         <help><![CDATA[unhealthy_latency is a duration value in ms that counts a request as failed if it takes this long to get a response.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -326,7 +336,6 @@
         <style>style_reverse_proxy</style>
         <hint>off</hint>
         <help><![CDATA[unhealthy_request_count is the permissible number of simultaneous requests to a backend before marking it as down. In other words, if a particular backend is currently handling this many requests, then it is considered "overloaded" and other backends will be preferred instead. This should be a reasonably large number; configuring this means that the proxy will have a limit of unhealthy_request_count × upstreams_count total simultaneous requests, and any requests after that point will result in an error due to no upstreams being available.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 9a24f737d6..4a691fbe74 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this Layer4 route.]]></help>
         <grid_view>
-            <width>6em</width>
+            <width>2em</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
@@ -15,12 +15,9 @@
         <label>Sequence</label>
         <type>text</type>
         <help><![CDATA[Rules are sorted based on the sequence number, higher number means lower priority. Rules without a sequence number will be processed first.]]></help>
-    </field>
-    <field>
-        <id>layer4.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this Layer4 route.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
@@ -41,6 +38,9 @@
         <type>dropdown</type>
         <style>selectpicker style_type</style>
         <help><![CDATA[Match the received traffic on OSI Layer 4, either TCP or UDP. When "Routing Type" is "listener_wrappers", currently only TCP will match.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.FromPort</id>
@@ -66,7 +66,7 @@
         <id>layer4.FromDomain</id>
         <label>Domain</label>
         <type>select_multiple</type>
-        <style>style_matchers tokenize matchers_domain</style>
+        <style>tokenize style_domain</style>
         <allownew>true</allownew>
         <help><![CDATA[Enter one or multiple domains to route via SNI or Host Header. Wildcard domains and host wildcards are allowed, e.g. "*.example.com" and "*".]]></help>
     </field>
@@ -74,7 +74,7 @@
         <id>layer4.FromOpenvpnModes</id>
         <label>OpenVPN Mode</label>
         <type>dropdown</type>
-        <style>selectpicker style_matchers matchers_openvpn</style>
+        <style>selectpicker style_openvpn</style>
         <help><![CDATA[Select the mode matching the OpenVPN Server or Client.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -84,7 +84,7 @@
         <id>layer4.FromOpenvpnStaticKey</id>
         <label>OpenVPN Static Key</label>
         <type>select_multiple</type>
-        <style>selectpicker style_matchers matchers_openvpn</style>
+        <style>selectpicker style_openvpn</style>
         <hint>Any</hint>
         <size>5</size>
         <help><![CDATA[Select a Static Key to match. Multiple Static Keys are only supported for tls-crypt2_client mode.]]></help>
@@ -108,7 +108,7 @@
         <id>layer4.TerminateTls</id>
         <label>Terminate TLS</label>
         <type>checkbox</type>
-        <style>style_matchers matchers_domain</style>
+        <style>style_domain</style>
         <help><![CDATA[Terminate TLS before routing to the upstream. Since this requires a certificate, ensure there is a domain configured in "Reverse Proxy" that matches the SNI of "Domain". The best matching SAN or wildcard certificate will be used automatically for this route.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -127,35 +127,45 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy.]]></help>
+        <grid_view>
+            <formatter>to_domain</formatter>
+        </grid_view>
     </field>
     <field>
         <id>layer4.ToPort</id>
         <label>Upstream Port</label>
         <type>text</type>
         <help><![CDATA[Choose a custom port for the upstream destination.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>layer4.ProxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
         <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>layer4.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this Layer4 route.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Load Balancing</label>
-        <advanced>true</advanced>
+        <collapse>true</collapse>
     </field>
     <field>
         <id>layer4.lb_policy</id>
         <label>Load Balance Policy</label>
         <type>dropdown</type>
-        <style>selectpicker style_reverse_proxy</style>
+        <style>selectpicker</style>
         <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
-        <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -164,7 +174,6 @@
         <id>layer4.PassiveHealthFailDuration</id>
         <label>Passive Health Fail Duration (s)</label>
         <type>text</type>
-        <style>style_reverse_proxy</style>
         <hint>off</hint>
         <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
         <advanced>true</advanced>
@@ -176,7 +185,6 @@
         <id>layer4.PassiveHealthMaxFails</id>
         <label>Passive Health Max Fails</label>
         <type>text</type>
-        <style>style_reverse_proxy</style>
         <hint>1</hint>
         <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
         <advanced>true</advanced>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index ab5f3e9715..c9a7ff26da 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -5,17 +5,11 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this domain.]]></help>
         <grid_view>
-            <width>6em</width>
+            <width>2em</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
     </field>
-    <field>
-        <id>reverse.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this domain.]]></help>
-    </field>
     <field>
         <type>header</type>
         <label>Frontend</label>
@@ -25,24 +19,33 @@
         <label>Protocol</label>
         <type>dropdown</type>
         <help><![CDATA[When choosing HTTP, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.FromDomain</id>
         <label>Domain</label>
         <type>text</type>
         <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". For a wildcard domain, use "*.example.com". Using a wildcard domain with subdomains requires a "DNS Provider" and the "DNS-01 Challenge" or a custom certificate.]]></help>
+        <grid_view>
+            <formatter>from_domain</formatter>
+        </grid_view>
     </field>
     <field>
         <id>reverse.FromPort</id>
         <label>Port</label>
         <type>text</type>
         <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule. If the default ports have been changed in "General Settings", leaving this empty will use the chosen alternative ports instead.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>reverse.CustomCertificate</id>
         <label>Certificate</label>
         <type>dropdown</type>
-        <style>selectpicker style_tls</style>
+        <style>selectpicker style_tls_reverse</style>
         <help><![CDATA[Choose ACME to get automatic certificates with the built in ACME client; no additional plugin required. The "HTTP-01", "TLS-ALPN-01" or "DNS-01" challenge will be used to get automatic "Let's Encrypt" or "ZeroSSL" certificates. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -62,7 +65,7 @@
         <id>reverse.DnsChallenge</id>
         <label>DNS-01 Challenge</label>
         <type>checkbox</type>
-        <style>style_tls</style>
+        <style>style_tls_reverse</style>
         <help><![CDATA[Enable the DNS-01 Challenge for this domain. Requires a "DNS Provider" in "General Settings". This is only needed for wildcard domains, or when the default challenges can not be used due to restrictive firewall policies.]]></help>
         <grid_view>
             <visible>false</visible>
@@ -81,6 +84,12 @@
             <formatter>boolean</formatter>
         </grid_view>
     </field>
+    <field>
+        <id>reverse.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this domain.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Access</label>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 5db43f6f22..558c702a2e 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -5,17 +5,11 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this subdomain.]]></help>
         <grid_view>
-            <width>6em</width>
+            <width>2em</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
     </field>
-    <field>
-        <id>subdomain.description</id>
-        <label>Description</label>
-        <type>text</type>
-        <help><![CDATA[Enter a description for this subdomain.]]></help>
-    </field>
     <field>
         <type>header</type>
         <label>Frontend</label>
@@ -25,6 +19,10 @@
         <label>Domain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a wildcard domain for this subdomain.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <formatter>model_relation_domain</formatter>
+        </grid_view>
     </field>
     <field>
         <id>subdomain.FromDomain</id>
@@ -54,6 +52,12 @@
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>subdomain.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help><![CDATA[Enter a description for this subdomain.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Access</label>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index ef58bada00..46c0ea63ff 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2023-2024 Cedrik Pischem
+ # Copyright (c) 2023-2025 Cedrik Pischem
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -72,7 +72,6 @@
                 if (status !== "success" || data.status !== 'ok') {
                     showAlert("{{ lang._('Error applying configuration: ') }}" + JSON.stringify(data), "error");
                 } else {
-                    showAlert("{{ lang._('Configuration applied successfully.') }}", "success");
                     updateServiceControlUI('caddy');
                 }
                 setSpinner(generalId, 'stop');
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
deleted file mode 100644
index be371635c6..0000000000
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/layer4.volt
+++ /dev/null
@@ -1,181 +0,0 @@
-{#
- # Copyright (c) 2024-2025 Cedrik Pischem
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1. Redistributions of source code must retain the above copyright notice,
- #    this list of conditions and the following disclaimer.
- #
- # 2. Redistributions in binary form must reproduce the above copyright notice,
- #    this list of conditions and the following disclaimer in the documentation
- #    and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-
-<script>
-    $(document).ready(function() {
-        // Bootgrid Setup
-        $("#{{formGridLayer4['table_id']}}").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchLayer4/',
-            get:'/api/caddy/ReverseProxy/getLayer4/',
-            set:'/api/caddy/ReverseProxy/setLayer4/',
-            add:'/api/caddy/ReverseProxy/addLayer4/',
-            del:'/api/caddy/ReverseProxy/delLayer4/',
-            toggle:'/api/caddy/ReverseProxy/toggleLayer4/',
-        });
-
-        $("#{{formGridLayer4Openvpn['table_id']}}").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchLayer4Openvpn/',
-            get:'/api/caddy/ReverseProxy/getLayer4Openvpn/',
-            set:'/api/caddy/ReverseProxy/setLayer4Openvpn/',
-            add:'/api/caddy/ReverseProxy/addLayer4Openvpn/',
-            del:'/api/caddy/ReverseProxy/delLayer4Openvpn/',
-            toggle:'/api/caddy/ReverseProxy/toggleLayer4Openvpn/',
-        });
-
-        /**
-         * Displays an alert message to the user.
-         *
-         * @param {string} message - The message to display.
-         * @param {string} [type="error"] - The type of alert (error or success).
-         */
-        function showAlert(message, type = "error") {
-            const alertClass = type === "error" ? "alert-danger" : "alert-success";
-            const messageArea = $("#messageArea");
-
-            messageArea.stop(true, true).hide();
-            messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
-            messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
-                $(this).html('');
-            });
-        }
-
-        $('input, select, textarea').on('change', function() {
-            $("#messageArea").hide();
-        });
-
-        $("#reconfigureAct").SimpleActionButton({
-            onPreAction: function() {
-                const dfObj = new $.Deferred();
-
-                // Perform configuration validation
-                ajaxGet("/api/caddy/service/validate", null, function(data, status) {
-                    if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                        dfObj.resolve();
-                    } else {
-                        showAlert(data['message'], "error");
-                        dfObj.reject();
-                    }
-                }).fail(function(xhr, status, error) {
-                    showAlert("{{ lang._('Validation request failed: ') }}" + error, "error");
-                    dfObj.reject();
-                });
-
-                return dfObj.promise();
-            },
-            onAction: function(data, status) {
-                if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                    showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
-                    updateServiceControlUI('caddy');
-                } else {
-                    showAlert("{{ lang._('Action was not successful or an error occurred.') }}", "error");
-                }
-            }
-        });
-
-        $("#layer4\\.Matchers").change(function() {
-            $(".style_matchers").closest('tr').hide();
-            const selectedVal = $(this).val();
-
-            if (selectedVal === "tlssni" || selectedVal === "httphost" || selectedVal === "quicsni") {
-                $(".matchers_domain").closest('tr').show();
-            } else if (selectedVal === "openvpn") {
-                $(".matchers_openvpn").closest('tr').show();
-            }
-        });
-
-        $("#layer4\\.Type").change(function() {
-            if ($(this).val() === "global") {
-                $(".style_type").closest('tr').show();
-            } else {
-                $(".style_type").closest('tr').hide();
-            }
-        });
-
-        updateServiceControlUI('caddy');
-    });
-</script>
-
-<style>
-    .custom-header {
-        font-weight: 800;
-        font-size: 16px;
-        font-style: italic;
-    }
-</style>
-
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li id="tab-layer4" class="active"><a data-toggle="tab" href="#layer4Tab">{{ lang._('Layer4 Routes') }}</a></li>
-    <li id="tab-matcher"><a data-toggle="tab" href="#matcherTab">{{ lang._('Layer7 Matcher Settings') }}</a></li>
-</ul>
-
-<div class="tab-content content-box">
-    <!-- Layer4 Tab -->
-    <div id="layer4Tab" class="tab-pane fade active in">
-        <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4)}}
-            </div>
-        </div>
-    </div>
-
-    <!-- Layer7 Tab -->
-    <div id="matcherTab" class="tab-pane fade">
-        <div style="padding-left: 16px;">
-            <!-- OpenVPN Matcher -->
-            <h1 class="custom-header">{{ lang._('OpenVPN Static Keys') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4Openvpn)}}
-            </div>
-        </div>
-    </div>
-</div>
-
-
-<!-- Reconfigure Button -->
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <br/>
-            <button class="btn btn-primary" id="reconfigureAct"
-                    data-endpoint="/api/caddy/service/reconfigure"
-                    data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring Caddy') }}"
-                    type="button"
-            ></button>
-            <br/><br/>
-            <!-- Message Area for error/success messages -->
-            <div id="messageArea" class="alert alert-info" style="display: none;"></div>
-            <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
-            <div id="ConfChangeMessage" class="alert alert-info" style="display: none;">
-            {{ lang._('Please do not forget to apply the configuration.') }}
-            </div>
-        </div>
-    </div>
-</section>
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':formGridLayer4['edit_dialog_id'],'label':lang._('Edit Layer4 Route')])}}
-{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4Openvpn,'id':formGridLayer4Openvpn['edit_dialog_id'],'label':lang._('Edit OpenVPN Static Key')])}}
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index cf3010b4e0..672cd81aae 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -26,88 +26,227 @@
 
 <script>
     $(document).ready(function() {
-        // Bootgrid Setup
-        $("#{{formGridReverseProxy['table_id']}}").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchReverseProxy/',
-            get:'/api/caddy/ReverseProxy/getReverseProxy/',
-            set:'/api/caddy/ReverseProxy/setReverseProxy/',
-            add:'/api/caddy/ReverseProxy/addReverseProxy/',
-            del:'/api/caddy/ReverseProxy/delReverseProxy/',
-            toggle:'/api/caddy/ReverseProxy/toggleReverseProxy/',
-            options: {
-                requestHandler: addDomainFilterToRequest,
-                rowCount: [4,7,14,20,50,100,-1]
-            }
-        });
+        // Update the URL hash when tabs are clicked
+        if (location.hash) {
+            $(`#maintabs a[href="${location.hash}"]`).tab('show');
+        }
 
-        $("#{{formGridSubdomain['table_id']}}").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchSubdomain/',
-            get:'/api/caddy/ReverseProxy/getSubdomain/',
-            set:'/api/caddy/ReverseProxy/setSubdomain/',
-            add:'/api/caddy/ReverseProxy/addSubdomain/',
-            del:'/api/caddy/ReverseProxy/delSubdomain/',
-            toggle:'/api/caddy/ReverseProxy/toggleSubdomain/',
-            options: {
-                requestHandler: addDomainFilterToRequest,
-                rowCount: [4,7,14,20,50,100,-1]
+        $('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
+            const hash = e.target.hash;
+            if (history.replaceState) {
+                history.replaceState(null, null, hash);
+            } else {
+                location.hash = hash;
             }
         });
 
-        $("#{{formGridHandle['table_id']}}").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchHandle/',
-            get:'/api/caddy/ReverseProxy/getHandle/',
-            set:'/api/caddy/ReverseProxy/setHandle/',
-            add:'/api/caddy/ReverseProxy/addHandle/',
-            del:'/api/caddy/ReverseProxy/delHandle/',
-            toggle:'/api/caddy/ReverseProxy/toggleHandle/',
-            options: {
-                requestHandler: addDomainFilterToRequest
-            }
+        $(window).on('hashchange', function () {
+            $(`#maintabs a[href="${location.hash}"]`).tab('show');
         });
 
-        $("#{{formGridAccessList['table_id']}}").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchAccessList/',
-            get:'/api/caddy/ReverseProxy/getAccessList/',
-            set:'/api/caddy/ReverseProxy/setAccessList/',
-            add:'/api/caddy/ReverseProxy/addAccessList/',
-            del:'/api/caddy/ReverseProxy/delAccessList/',
-            options:{
-                rowCount: [4,7,14,20,50,100,-1]
+        // Bootgrid Setup
+        const all_grids = {};
+
+        $('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
+            let grid_ids = [];
+
+{% if entrypoint == 'reverse_proxy' %}
+
+            switch (e.target.hash) {
+                case '#domains':
+                    grid_ids = ["{{ formGridReverseProxy['table_id'] }}", "{{ formGridSubdomain['table_id'] }}"];
+                    break;
+                case '#handlers':
+                    grid_ids = ["{{ formGridHandle['table_id'] }}"];
+                    break;
+                case '#access':
+                    grid_ids = ["{{ formGridAccessList['table_id'] }}", "{{ formGridBasicAuth['table_id'] }}"];
+                    break;
+                case '#headers':
+                    grid_ids = ["{{ formGridHeader['table_id'] }}"];
+                    break;
             }
-        });
 
-        $("#{{formGridBasicAuth['table_id']}}").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchBasicAuth/',
-            get:'/api/caddy/ReverseProxy/getBasicAuth/',
-            set:'/api/caddy/ReverseProxy/setBasicAuth/',
-            add:'/api/caddy/ReverseProxy/addBasicAuth/',
-            del:'/api/caddy/ReverseProxy/delBasicAuth/',
-            options:{
-                rowCount: [4,7,14,20,50,100,-1]
+{% elseif entrypoint == 'layer4' %}
+
+            switch (e.target.hash) {
+                case '#routes':
+                    grid_ids = ["{{ formGridLayer4['table_id'] }}"];
+                    break;
+                case '#matchers':
+                    grid_ids = ["{{ formGridLayer4Openvpn['table_id'] }}"];
+                    break;
             }
-        });
 
-        $("#{{formGridHeader['table_id']}}").UIBootgrid({
-            search:'/api/caddy/ReverseProxy/searchHeader/',
-            get:'/api/caddy/ReverseProxy/getHeader/',
-            set:'/api/caddy/ReverseProxy/setHeader/',
-            add:'/api/caddy/ReverseProxy/addHeader/',
-            del:'/api/caddy/ReverseProxy/delHeader/',
-        });
+{% endif %}
+
+            const labels = {
+                upstream: "{{ lang._('Upstream') }}",
+                domain: '<i class="fa fa-fw fa-globe text-success"></i>' + "{{ lang._('Domain') }}",
+                subdomain: '<i class="fa fa-fw fa-globe text-warning"></i>' + "{{ lang._('Subdomain') }}",
+            };
+
+            if (grid_ids.length > 0) {
+                grid_ids.forEach(function(grid_id) {
+                    if (!all_grids[grid_id]) {
+                        // Define commands only for the specific grids
+                        let commands = {};
+
+{% if entrypoint == 'reverse_proxy' %}
+
+                        if (["{{ formGridReverseProxy['table_id'] }}", "{{ formGridSubdomain['table_id'] }}"].includes(grid_id)) {
+                            const update_filter = function (selectValues) {
+                                $('#reverseFilter')
+                                    // Refresh selectpicker with latest data so button always works even on new domains
+                                    .fetch_options('/api/caddy/ReverseProxy/getAllReverseDomains')
+                                    .done(function () {
+                                        $('#reverseFilter')
+                                            .selectpicker('val', selectValues)
+                                            .selectpicker('refresh')
+                                            .trigger('change');
+                                    });
+
+                                $('#maintabs a[href="#handlers"]').tab('show');
+                            };
+
+                            commands.search_handler = {
+                                method: function () {
+                                    const rowUuid = $(this).data("row-id");
+                                    if (!rowUuid) return;
+
+                                    update_filter([rowUuid]);
+                                },
+                                classname: 'fa fa-fw fa-search',
+                                title: "{{ lang._('Search Handler') }}",
+                                sequence: 20
+                            };
+
+                            commands.add_handler = {
+                                method: function () {
+                                    const rowUuid = $(this).data("row-id");
+                                    if (!rowUuid) return;
+
+                                    open_add_dialog = function (selectValues) {
+                                        update_filter(selectValues);
+
+                                        // Ensure selectpicker has values selected before click on add button
+                                        $('#reverseFilter').one('changed.bs.select', function (e) {
+                                            $("#" + "{{ formGridHandle['table_id'] }}")
+                                                .closest('.bootgrid-box')
+                                                .find("button[data-action='add']")
+                                                .trigger('click');
+                                        });
+                                    };
+
+                                    // Resolve reverse domains, as subdomains need wildcard domain and subdomain in dialog
+                                    if (grid_id === "{{ formGridSubdomain['table_id'] }}") {
+                                        ajaxGet(`/api/caddy/ReverseProxy/get{{ formGridSubdomain['table_id'] }}/` + rowUuid, {}, function (rowData) {
+                                            const reverseUuids = rowData?.subdomain?.reverse || {};
+                                            const selectedReverse = Object.entries(reverseUuids).find(([uuid, entry]) => entry.selected === 1);
+                                            const selectValues = selectedReverse ? [selectedReverse[0], rowUuid] : [rowUuid];
+                                            open_add_dialog(selectValues);
+                                        });
+                                    } else {
+                                        open_add_dialog([rowUuid]);
+                                    }
+                                },
+                                classname: 'fa fa-fw fa-plus',
+                                title: "{{ lang._('Add Handler') }}",
+                                sequence: 10
+                            };
+                        }
+
+{% endif %}
+
+                        all_grids[grid_id] = $("#" + grid_id)
+                        .UIBootgrid({
+                            search: `/api/caddy/ReverseProxy/search${grid_id}/`,
+                            get: `/api/caddy/ReverseProxy/get${grid_id}/`,
+                            set: `/api/caddy/ReverseProxy/set${grid_id}/`,
+                            add: `/api/caddy/ReverseProxy/add${grid_id}/`,
+                            del: `/api/caddy/ReverseProxy/del${grid_id}/`,
+                            toggle: `/api/caddy/ReverseProxy/toggle${grid_id}/`,
+                            options: {
+                                requestHandler: function (request) {
+                                    const selectedDomains = $('#reverseFilter').val();
+                                    if (selectedDomains && selectedDomains.length > 0) {
+                                        request['domainUuids'] = selectedDomains;
+                                    }
+                                    return request;
+                                },
+                                headerFormatters: {
+                                    enabled: function (column) { return "" },
+                                    ToDomain: function (column) { return labels.upstream; },
+                                    FromDomain: function (column) {
+                                        if (grid_id === "Subdomain") {
+                                            return labels.subdomain;
+                                        } else {
+                                            return labels.domain;
+                                        }
+                                    },
+                                    reverse: function (column) {
+                                        return labels.domain;
+                                    },
+                                    subdomain: function (column) {
+                                        return labels.subdomain;
+                                    },
+                                },
+                                formatters: {
+                                    model_relation_domain: function (column, row) {
+                                        let result = (row[column.id] || "").trim();
+                                        if (column.id === "reverse") {
+                                            result = result.replace(" ", ":");
+                                            if (!row["subdomain"] && row["HandlePath"]) {
+                                                result += row["HandlePath"];
+                                            }
+                                        } else if (column.id === "subdomain") {
+                                            if (row["subdomain"] && row["HandlePath"]) {
+                                                result += row["HandlePath"];
+                                            }
+                                        }
+                                        return result;
+                                    },
+                                    from_domain: function (column, row) {
+                                        return (
+                                            (row["DisableTls"] || "") +
+                                            (row["FromDomain"] || "") +
+                                            (row["FromPort"] ? `:${row["FromPort"]}` : "")
+                                        );
+                                    },
+                                    to_domain: function (column, row) {
+                                        return (
+                                            (row["HttpTls"] || "") +
+                                            (row["ToDomain"] || "") +
+                                            (row["ToPort"] ? `:${row["ToPort"]}` : "") +
+                                            (row["ToPath"] || "")
+                                        );
+                                    },
+                                },
+                            },
+                            commands: commands
+                        });
+
+                        $("#" + grid_id).wrap('<div class="bootgrid-box"></div>');
 
-        /**
-         * Modifies the search request to include domain filter.
-         *
-         * @param {Object} request - The original request object.
-         * @returns {Object} The modified request object with domain filter.
-         */
-        function addDomainFilterToRequest(request) {
-            let selectedDomains = $('#reverseFilter').val();
-            if (selectedDomains && selectedDomains.length > 0) {
-                request['reverseUuids'] = selectedDomains.join(',');
+                    }
+
+{% if entrypoint == 'reverse_proxy' %}
+
+                    // insert buttons and selectpicker
+                    if (['{{formGridReverseProxy["table_id"]}}', '{{formGridHandle["table_id"]}}'].includes(grid_id)) {
+                        const header = $("#" + grid_id + "-header");
+                        const $actionBar = header.find('.actionBar');
+                        if ($actionBar.length) {
+                            $('#add_filter_container').detach().insertBefore($actionBar.find('.search'));
+                            $('#add_filter_container').show();
+                        }
+                    }
+
+{% endif %}
+
+                });
             }
-            return request;
-        }
+        });
 
         /**
          * Displays an alert message to the user.
@@ -126,54 +265,21 @@
             });
         }
 
-        /**
-         * Loads domain filters from the server and populates the filter dropdown.
-         */
-        function loadDomainFilters() {
-            ajaxGet('/api/caddy/ReverseProxy/getAllReverseDomains', null, function(data, status) {
-                let select = $('#reverseFilter');
-                select.empty();
-                if (status === "success" && data && data.rows) {
-                    data.rows.forEach(function(item) {
-                        select.append($('<option>').val(item.id).text(item.domainPort));
-                    });
-                } else {
-                    select.html(`<option value="">{{ lang._('Failed to load data') }}</option>`);
-                }
-                select.selectpicker('refresh');
-            }).fail(function() {
-                $('#reverseFilter').html(`<option value="">{{ lang._('Failed to load data') }}</option>`).selectpicker('refresh');
-            });
-        }
-
-        /**
-         * Controls the visibility of the selectpicker and add buttons based on the active tab.
-         *
-         * @param {string} tab - The currently active tab.
-         */
-        function toggleVisibility(tab) {
-            if (tab === 'handlesTab' || tab === 'domainsTab') {
-                $("#addDomainBtn").show();
-                $("#addHandleBtn").show();
-                $('.common-filter').show();
-            } else {
-                $("#addDomainBtn").hide();
-                $("#addHandleBtn").hide();
-                $('.common-filter').hide();
-            }
-        }
-
-        function reloadGrids() {
-            $("#{{formGridReverseProxy['table_id']}}").bootgrid("reload");
-            $("#{{formGridSubdomain['table_id']}}").bootgrid("reload");
-            $("#{{formGridHandle['table_id']}}").bootgrid("reload");
-        }
-
         // Hide message area when starting new actions
         $('input, select, textarea').on('change', function() {
             $("#messageArea").hide();
         });
 
+        // Populate domain filter selectpicker
+        $('#reverseFilter').fetch_options('/api/caddy/ReverseProxy/getAllReverseDomains');
+
+        // Clear domain filter selectpicker
+        $('#reverseFilterClear').on('click', function () {
+            $('#reverseFilter').selectpicker('val', []);
+            $('#reverseFilter').selectpicker('refresh');
+            $('#reverseFilter').trigger('change');
+        });
+
         // Reconfigure button with custom validation
         $("#reconfigureAct").SimpleActionButton({
             onPreAction: function() {
@@ -195,7 +301,6 @@
             },
             onAction: function(data, status) {
                 if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                    showAlert("{{ lang._('Configuration applied successfully.') }}", "{{ lang._('Apply Success') }}");
                     updateServiceControlUI('caddy');
                 } else {
                     showAlert("{{ lang._('Action was not successful or an error occurred.') }}", "error");
@@ -203,150 +308,186 @@
             }
         });
 
-        $("#clearDomains").on("click", function(e) {
-            e.preventDefault();
-            $('#reverseFilter').val([]);
-            $('#reverseFilter').selectpicker('refresh');
+{% if entrypoint == 'reverse_proxy' %}
+
+        // Safe reload on filter change, ensures all grids are initalized beforehand
+        $('#reverseFilter').change(function () {
+            Object.keys(all_grids).forEach(function (grid_id) {
+                if ([
+                    '{{ formGridReverseProxy["table_id"] }}',
+                    '{{ formGridSubdomain["table_id"] }}',
+                    '{{ formGridHandle["table_id"] }}'
+                ].includes(grid_id)) {
+                    all_grids[grid_id].bootgrid('reload');
+                }
 
-            reloadGrids();
-        });
+            });
 
-        // Reload Bootgrid on filter change
-        $('#reverseFilter').on('changed.bs.select', function() {
-            reloadGrids();
+            $('#reverseFilterIcon').toggleClass('text-success', ($(this).val() || []).length > 0);
         });
 
-        // Initialize visibility based on the active tab on page load
-        let activeTab = $('#maintabs .active a').attr('href').replace('#', '');
-        toggleVisibility(activeTab);
-
-        // Change event when switching tabs
-        $('#maintabs a').on('click', function (e) {
-            let currentTab = $(this).attr('href').replace('#', '');
-            toggleVisibility(currentTab);
-        });
+        // Autofill domain and subdomain when add dialog is opened
+        $('#{{ formGridHandle["edit_dialog_id"] }}, #{{ formGridSubdomain["edit_dialog_id"] }}').on('opnsense_bootgrid_mapped', function(e, actionType) {
+            if (actionType === 'add') {
+                const selectedDomains = $('#reverseFilter').val();
 
-        // Add click event listener for "Add Handler" button
-        $("#addHandleBtn").on("click", function() {
-            if ($('#maintabs .active a').attr('href') === "#handlesTab") {
-                $(`#{{formGridHandle['table_id']}} button[data-action="add"]`).click();
-            } else {
-                $('#maintabs a[href="#handlesTab"]').tab('show').one('shown.bs.tab', function() {
-                    $(`#{{formGridHandle['table_id']}} button[data-action="add"]`).click();
-                });
+                if (selectedDomains && selectedDomains.length > 0) {
+                    $('#handle\\.reverse, #handle\\.subdomain, #subdomain\\.reverse')
+                        .selectpicker('val', selectedDomains)
+                        .selectpicker('refresh');
+                }
             }
         });
 
-        // Add click event listener for "Add Domain" button
-        $("#addDomainBtn").on("click", function() {
-            if ($('#maintabs .active a').attr('href') === "#domainsTab") {
-                $(`#{{formGridReverseProxy['table_id']}} button[data-action="add"]`).click();
-            } else {
-                $('#maintabs a[href="#domainsTab"]').tab('show').one('shown.bs.tab', function() {
-                    $(`#{{formGridReverseProxy['table_id']}} button[data-action="add"]`).click();
+{% endif %}
+
+        $("#handle\\.HttpTls, #handle\\.HandleDirective, #reverse\\.DisableTls, #layer4\\.Matchers, #layer4\\.Type").on("keyup change", function () {
+            const http_tls = String($("#handle\\.HttpTls").val() || "")
+            const handle_directive = String($("#handle\\.HandleDirective").val() || "")
+            const disable_tls = String($("#reverse\\.DisableTls").val() || "")
+            const layer4_matchers = String($("#layer4\\.Matchers").val() || "")
+            const layer4_type = String($("#layer4\\.Type").val() || "")
+
+            const styleVisibility = [
+                {
+                    class: "style_tls_reverse",
+                    visible: disable_tls === "0"
+                },
+                {
+                    class: "style_tls_handle",
+                    visible: http_tls === "1" && handle_directive === "reverse_proxy"
+                },
+                {
+                    class: "style_reverse_proxy",
+                    visible: handle_directive === "reverse_proxy"
+                },
+                {
+                    class: "style_domain",
+                    visible: layer4_matchers === "tlssni" || layer4_matchers === "httphost"
+                },
+                {
+                    class: "style_openvpn",
+                    visible: layer4_matchers === "openvpn"
+                },
+                {
+                    class: "style_type",
+                    visible: layer4_type === "global"
+                },
+            ];
+
+            styleVisibility.forEach(style => {
+                // hide/show rows with the class
+                const elements = $("." + style.class).closest("tr");
+                style.visible ? elements.show() : elements.hide();
+
+                // hide/show thead only if its parent container has the same class
+                $(".table-responsive." + style.class).find("thead").each(function () {
+                    style.visible ? $(this).show() : $(this).hide();
                 });
-            }
-        });
-
-        // Hide TLS specific options when http or h2c is selected
-        $("#handle\\.HttpTls").change(function() {
-            if ($(this).val() != "1") {
-                $(".style_tls").closest('tr').hide();
-            } else {
-                $(".style_tls").closest('tr').show();
-            }
-        });
-
-        $("#handle\\.HandleDirective").change(function() {
-            if ($(this).val() === "redir") {
-                $(".style_reverse_proxy").prop('disabled', true);
-                $("#handle\\.header").selectpicker('refresh');
-            } else {
-                $(".style_reverse_proxy").prop('disabled', false);
-                $("#handle\\.header").selectpicker('refresh');
-            }
-        });
-
-        // Hide TLS specific options when http is selected
-        $("#reverse\\.DisableTls").change(function() {
-            if ($(this).val() === "1") {
-                $(".style_tls").closest('tr').hide();
-            } else {
-                $(".style_tls").closest('tr').show();
-            }
+            });
         });
 
-        $("#layer4\\.Matchers").change(function() {
-            if ($(this).val() !== "tlssni" && $(this).val() !== "httphost") {
-                $(".style_matchers").closest('tr').hide();
-            } else {
-                $(".style_matchers").closest('tr').show();
-            }
-        });
+        // Trigger bootgrid setup for handlers tab too (even if not active) to ensure command buttons always work
+        $('a[href="#handlers"]').trigger('shown.bs.tab');
 
         updateServiceControlUI('caddy');
-        loadDomainFilters();
+        $('<div id="messageArea" class="alert alert-info" style="display: none;"></div>').insertBefore('#change_message_base_form');
+        $('a[data-toggle="tab"].active, #maintabs li.active a').trigger('shown.bs.tab');
     });
+
 </script>
 
 <style>
-    .common-filter {
-        align-items: center;
-        margin-top: 20px;
-        margin-right: 5px;
-        padding: 0 15px;
+    #add_filter_container {
+        margin-left: 10px;
+        margin-right: 20px;
     }
-
-    .filter-actions {
-        display: flex;
-        flex-direction: column;
-        align-items: flex-end;
+    #add_domain_container {
+        float: left;
     }
-
-    #clearDomains {
-        margin-top: 5px;
+    #add_handle_container {
+        margin-left: 10px;
+        float: left;
+    }
+    .actionBar {
+        padding-left: 0px;
     }
-
     .custom-header {
         font-weight: 800;
         font-size: 16px;
         font-style: italic;
     }
-
+    /* Prevent bootgrid to break out of content box*/
+    .content-box {
+        overflow-x: auto;
+    }
+    .bootgrid-header,
+    .bootgrid-box,
+    .bootgrid-footer {
+        width: 100%;
+        background: none;
+        border: none;
+        max-width: 100%;
+        /* Prevents the grid from collapsing all dynamic columns completely */
+        min-width: 700px;
+    }
+    /* Not all dropdowns support data-container="body", ensure minimal vertical space for them */
+    .bootgrid-box {
+        min-height: 150px;
+    }
+    /* Limit size of grid dropdown */
+    .actions .dropdown-menu.pull-right {
+        max-height: 200px;
+        min-width: max-content;
+        overflow-y: auto;
+        overflow-x: hidden;
+    }
+    #reverseFilterClear {
+        border-right: none;
+    }
+    #add_filter_container .bootstrap-select > .dropdown-toggle {
+        border-top-left-radius: 0;
+        border-bottom-left-radius: 0;
+    }
 </style>
 
+<div id="add_filter_container" class="btn-group" style="display: none;">
+    <button type="button" id="reverseFilterClear" class="btn btn-default" title="Clear Selection">
+        <i id="reverseFilterIcon" class="fa fa-fw fa-filter-circle-xmark"></i>
+    </button>
+    <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="200px" data-size="10" data-container="body" title="{{ lang._('Filter by Domain') }}">
+    </select>
+</div>
+
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li id="tab-domains" class="active"><a data-toggle="tab" href="#domainsTab">{{ lang._('Domains') }}</a></li>
-    <li id="tab-handlers"><a data-toggle="tab" href="#handlesTab">{{ lang._('Handlers') }}</a></li>
-    <li id="tab-access"><a data-toggle="tab" href="#accessTab">{{ lang._('Access') }}</a></li>
-    <li id="tab-headers"><a data-toggle="tab" href="#headerTab">{{ lang._('Headers') }}</a></li>
+
+{% if entrypoint == 'reverse_proxy' %}
+
+    <li id="tab-domains" class="active"><a data-toggle="tab" href="#domains">{{ lang._('Domains') }}</a></li>
+    <li id="tab-handlers"><a data-toggle="tab" href="#handlers">{{ lang._('Handlers') }}</a></li>
+    <li id="tab-access"><a data-toggle="tab" href="#access">{{ lang._('Access') }}</a></li>
+    <li id="tab-headers"><a data-toggle="tab" href="#headers">{{ lang._('Headers') }}</a></li>
+
+{% elseif entrypoint == 'layer4' %}
+
+    <li id="tab-layer4" class="active"><a data-toggle="tab" href="#routes">{{ lang._('Layer4 Routes') }}</a></li>
+    <li id="tab-matcher"><a data-toggle="tab" href="#matchers">{{ lang._('Layer7 Matcher Settings') }}</a></li>
+
+{% endif %}
+
 </ul>
 
 <div class="tab-content content-box">
-    <!-- Container using flexbox -->
-    <div class="form-group common-filter" style="display: flex; justify-content: space-between; align-items: center;">
-        <!-- Button group on the left -->
-        <div>
-            <button id="addDomainBtn" type="button" class="btn btn-secondary">{{ lang._('Step 1: Add Domain') }}</button>
-            <button id="addHandleBtn" type="button" class="btn btn-secondary">{{ lang._('Step 2: Add Handler') }}</button>
-        </div>
-        <!-- Selectpicker and Clear All on the right -->
-        <div class="filter-actions" style="display: flex; flex-direction: column; align-items: flex-end;">
-            <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="334px" data-size="7" title="{{ lang._('Filter by Domain') }}">
-            </select>
-            <a href="#" class="text-danger" id="clearDomains" style="margin-top: 5px;">
-                <i class="fa fa-times-circle"></i> <small>Clear All</small>
-            </a>
-        </div>
-    </div>
+
+{% if entrypoint == 'reverse_proxy' %}
 
     <!-- Combined Domains Tab -->
-    <div id="domainsTab" class="tab-pane fade in active">
+    <div id="domains" class="tab-pane fade in active">
         <div style="padding-left: 16px;">
             <!-- Reverse Proxy -->
             <h1 class="custom-header">{{ lang._('Domains') }}</h1>
             <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy)}}
+                {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy + {'command_width': '11em'})}}
             </div>
         </div>
 
@@ -354,13 +495,13 @@
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
             <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain)}}
+                {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain + {'command_width': '11em'})}}
             </div>
         </div>
     </div>
 
     <!-- Handle Tab -->
-    <div id="handlesTab" class="tab-pane fade">
+    <div id="handlers" class="tab-pane fade">
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
             <div style="display: block;">
@@ -370,7 +511,7 @@
     </div>
 
     <!-- Combined Access Tab -->
-    <div id="accessTab" class="tab-pane fade">
+    <div id="access" class="tab-pane fade">
         <!-- Access Lists Section -->
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Access Lists') }}</h1>
@@ -389,7 +530,7 @@
     </div>
 
     <!-- Header Tab -->
-    <div id="headerTab" class="tab-pane fade">
+    <div id="headers" class="tab-pane fade">
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Headers') }}</h1>
             <div style="display: block;">
@@ -397,29 +538,37 @@
             </div>
         </div>
     </div>
-</div>
 
-<!-- Reconfigure Button -->
-<section class="page-content-main">
-    <div class="content-box">
-        <div class="col-md-12">
-            <br/>
-            <button class="btn btn-primary" id="reconfigureAct"
-                    data-endpoint="/api/caddy/service/reconfigure"
-                    data-label="{{ lang._('Apply') }}"
-                    data-error-title="{{ lang._('Error reconfiguring Caddy') }}"
-                    type="button"
-            ></button>
-            <br/><br/>
-            <!-- Message Area for error/success messages -->
-            <div id="messageArea" class="alert alert-info" style="display: none;"></div>
-            <!-- Message Area to hint user to apply changes when data is changed in bootgrids -->
-            <div id="ConfChangeMessage" class="alert alert-info" style="display: none;">
-            {{ lang._('Please do not forget to apply the configuration.') }}
+{% elseif entrypoint == 'layer4' %}
+
+    <!-- Layer4 Tab -->
+    <div id="routes" class="tab-pane fade active in">
+        <div style="padding-left: 16px;">
+            <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4)}}
+            </div>
+        </div>
+    </div>
+
+    <!-- Layer7 Tab -->
+    <div id="matchers" class="tab-pane fade">
+        <div style="padding-left: 16px;">
+            <!-- OpenVPN Matcher -->
+            <h1 class="custom-header">{{ lang._('OpenVPN Static Keys') }}</h1>
+            <div style="display: block;">
+                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4Openvpn)}}
             </div>
         </div>
     </div>
-</section>
+
+{% endif %}
+
+</div>
+
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/caddy/service/reconfigure'}) }}
+
+{% if entrypoint == 'reverse_proxy' %}
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogReverseProxy,'id':formGridReverseProxy['edit_dialog_id'],'label':lang._('Edit Domain')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogSubdomain,'id':formGridSubdomain['edit_dialog_id'],'label':lang._('Edit Subdomain')])}}
@@ -427,3 +576,10 @@
 {{ partial("layout_partials/base_dialog",['fields':formDialogAccessList,'id':formGridAccessList['edit_dialog_id'],'label':lang._('Edit Access List')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogBasicAuth,'id':formGridBasicAuth['edit_dialog_id'],'label':lang._('Edit Basic Auth')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogHeader,'id':formGridHeader['edit_dialog_id'],'label':lang._('Edit Header')])}}
+
+{% elseif entrypoint == 'layer4' %}
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':formGridLayer4['edit_dialog_id'],'label':lang._('Edit Layer4 Route')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4Openvpn,'id':formGridLayer4Openvpn['edit_dialog_id'],'label':lang._('Edit OpenVPN Static Key')])}}
+
+{% endif %}

From 53d706efdbcfebcdf1f1a0f4ca1cccf78d28ba07 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Apr 2025 10:37:28 +0200
Subject: [PATCH 2412/3088] misc/theme-advanced: bump revision

---
 misc/theme-advanced/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-advanced/Makefile b/misc/theme-advanced/Makefile
index a784ed7a50..c125b98685 100644
--- a/misc/theme-advanced/Makefile
+++ b/misc/theme-advanced/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-advanced
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		OPNsense theme based on AdvancedTomato GUI
 PLUGIN_MAINTAINER=	jacky@prahec.com
 PLUGIN_WWW=		https://prahec.com/

From 5795a254ba575df01b821efa1239aac27cd1e06e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Apr 2025 10:40:52 +0200
Subject: [PATCH 2413/3088] sysutils/sftp-backup: release these changes as new
 version

---
 sysutils/sftp-backup/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysutils/sftp-backup/Makefile b/sysutils/sftp-backup/Makefile
index d73ec5bdc0..0a740a766a 100644
--- a/sysutils/sftp-backup/Makefile
+++ b/sysutils/sftp-backup/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		sftp-backup
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Backup configurations using SFTP
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2

From 82753a4aedaba577870cf2e3df64e081f71865b5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Apr 2025 08:35:45 +0200
Subject: [PATCH 2414/3088] net/turnserver: prep for release

---
 README.md               | 2 +-
 net/turnserver/Makefile | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 3d041c3072..775f70a03d 100644
--- a/README.md
+++ b/README.md
@@ -64,7 +64,7 @@ net/shadowsocks -- Secure socks5 proxy
 net/siproxd -- Siproxd is a proxy daemon for the SIP protocol
 net/sslh -- sslh configuration front-end
 net/tayga -- Tayga NAT64
-net/turnserver -- The coturn STUN/TURN Server (development only)
+net/turnserver -- The coturn STUN/TURN Server
 net/udpbroadcastrelay -- Control udpbroadcastrelay processes
 net/upnp -- Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 net/vnstat -- Network traffic monitor
diff --git a/net/turnserver/Makefile b/net/turnserver/Makefile
index 8952e2a3f2..dfe3b1ce6e 100644
--- a/net/turnserver/Makefile
+++ b/net/turnserver/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		turnserver
-PLUGIN_VERSION=		0.1
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		The coturn STUN/TURN Server
 PLUGIN_DEPENDS=		turnserver
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 3b2345c7df2fe7449efe10fc993c9629bc4713a6 Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Tue, 15 Apr 2025 10:10:45 +0100
Subject: [PATCH 2415/3088] Bootgrid Corrections (#4645)

---
 misc/theme-rebellion/Makefile                 |  3 +-
 .../rebellion/build/css/jquery.bootgrid.css   | 33 +++++++++++++++----
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 4059bd27e5..0711ceeae1 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.9.2
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.9.3
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	martin@queens-park.com
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css
index 7599c8f755..a3a76216bf 100644
--- a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/jquery.bootgrid.css
@@ -18,12 +18,14 @@
   vertical-align: middle;
   width: 180px;
 }
-.bootgrid-header .search .glyphicon,
-.bootgrid-footer .search .glyphicon {
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa-solid {
   top: 0;
 }
 .bootgrid-header .search .fa,
-.bootgrid-footer .search .fa {
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa,
+.bootgrid-footer .search .fa-solid {
   display: table-cell;
 }
 .bootgrid-header .search.search-field::-ms-clear,
@@ -59,6 +61,7 @@
   color: #262626;
   text-decoration: none;
   background-color: #f5f5f5;
+
 }
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
@@ -78,7 +81,7 @@
   outline: 0;
 }
 .bootgrid-table th > .column-header-anchor {
-    background-color: #444444;
+  background-color: #444444;
   color: #eee;
   cursor: not-allowed;
   display: block;
@@ -106,6 +109,7 @@
 .bootgrid-table th:hover,
 .bootgrid-table th:active {
   background: #fafafa;
+  text-decoration: underline;
 }
 .bootgrid-table td {
   overflow: hidden;
@@ -114,11 +118,28 @@
   text-overflow: ellipsis;
   white-space: nowrap;
 }
-.bootgrid-table td.loading,
 .bootgrid-table td.no-results {
-  background: #fff;
   text-align: center;
 }
+.bootgrid-table tbody {
+    position: relative;
+}
+.bootgrid-table tbody > .overlay {
+    position: absolute;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    background: rgba(0, 0, 0, 0.5);
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    z-index: 1;
+}
+.overlay > i {
+    font-size: 20px;
+    color: white;
+}
 .bootgrid-table th.select-cell,
 .bootgrid-table td.select-cell {
   text-align: center;

From efab3474f9a8e91f990b67dac21cb61ed3199abb Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 16 Apr 2025 08:20:54 +0200
Subject: [PATCH 2416/3088] www/caddy: Show only wildcard domains in subdomain
 selection, show only wildcard domains in handler selection if a subdomain is
 selected (#4646)

---
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  3 +++
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 23 +++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index e07d56a0ce..225d501107 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -302,6 +302,9 @@
                             <items>reverseproxy.reverse</items>
                             <display>FromDomain,FromPort</display>
                             <display_format>%s %s</display_format>
+                            <filters>
+                                <FromDomain>/^\*\./</FromDomain>
+                            </filters>
                         </reverseproxy>
                     </Model>
                 </reverse>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 672cd81aae..abb23a0a44 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -336,6 +336,9 @@
                         .selectpicker('val', selectedDomains)
                         .selectpicker('refresh');
                 }
+
+                // Trigger to filter the dropdowns if subdomains are selected
+                $("#handle\\.subdomain").trigger("change");
             }
         });
 
@@ -387,6 +390,26 @@
             });
         });
 
+        // When subdomain is selected in handler show only wildcard domains
+        $("#handle\\.subdomain").on("change", function () {
+            const subdomainSelected = $("#handle\\.subdomain").val() !== "";
+
+            $("#handle\\.reverse").find("option").each(function () {
+                const isWildcard = $(this).text().includes("*.");
+                $(this).toggle(!subdomainSelected || isWildcard);
+            });
+
+            if (subdomainSelected) {
+                const selectedText = $("#handle\\.reverse").find("option:selected").text();
+                if (!selectedText.includes("*.")) {
+                    // Clear selection if not a wildcard
+                    $("#handle\\.reverse").val("").change();
+                }
+            }
+
+            $("#handle\\.reverse").selectpicker("refresh");
+        });
+
         // Trigger bootgrid setup for handlers tab too (even if not active) to ensure command buttons always work
         $('a[href="#handlers"]').trigger('shown.bs.tab');
 

From 71e11b4d7f9d3668a1fb47bad199c68f5416eff1 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 16 Apr 2025 08:22:05 +0200
Subject: [PATCH 2417/3088] www/caddy: Revise dns providers for caddy-v2.10.0
 (#4644)

* www/caddy-custom: Revise dns providers for caddy-v2.10.0

https://github.com/opnsense/plugins/issues/4643

* Update www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml

Co-authored-by: Franco Fichtner <franco@opnsense.org>

---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
---
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 52 +++++++++----------
 1 file changed, 26 insertions(+), 26 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 225d501107..493bbf7652 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -24,32 +24,32 @@
             <TlsDnsProvider type="OptionField">
                 <BlankDesc>None (default)</BlankDesc>
                 <OptionValues>
-                    <cloudflare>Cloudflare</cloudflare>
-                    <duckdns>Duck DNS</duckdns>
-                    <gandi>Gandi</gandi>
-                    <ionos>IONOS</ionos>
-                    <desec>Desec</desec>
-                    <porkbun>Porkbun</porkbun>
-                    <acmedns>ACME-DNS</acmedns>
-                    <azure>Azure</azure>
-                    <ovh>OVH</ovh>
-                    <namecheap>Namecheap</namecheap>
-                    <powerdns>PowerDNS</powerdns>
-                    <linode>Linode</linode>
-                    <hexonet>Hexonet</hexonet>
-                    <mailinabox>Mail-in-a-Box</mailinabox>
-                    <rfc2136>RFC2136</rfc2136>
-                    <dnsmadeeasy>DNS Made Easy</dnsmadeeasy>
-                    <bunny>Bunny</bunny>
-                    <scaleway>Scaleway</scaleway>
-                    <acmeproxy>ACME Proxy</acmeproxy>
-                    <inwx>INWX</inwx>
-                    <netcup>Netcup</netcup>
-                    <namedotcom>Name.com</namedotcom>
-                    <infomaniak>Infomaniak</infomaniak>
-                    <directadmin>DirectAdmin</directadmin>
-                    <vultr>Vultr</vultr>
-                    <hetzner>Hetzner</hetzner>
+                    <cloudflare>Cloudflare (embedded)</cloudflare>
+                    <duckdns>Duck DNS (optional)</duckdns>
+                    <gandi>Gandi (optional)</gandi>
+                    <ionos>IONOS (optional)</ionos>
+                    <desec>Desec (optional)</desec>
+                    <porkbun>Porkbun (optional)</porkbun>
+                    <acmedns>ACME-DNS (optional)</acmedns>
+                    <azure>Azure (optional)</azure>
+                    <ovh>OVH (optional)</ovh>
+                    <namecheap>Namecheap (optional)</namecheap>
+                    <powerdns>PowerDNS (optional)</powerdns>
+                    <linode>Linode (optional)</linode>
+                    <hexonet>Hexonet (optional)</hexonet>
+                    <mailinabox>Mail-in-a-Box (optional)</mailinabox>
+                    <rfc2136>RFC2136 (optional)</rfc2136>
+                    <dnsmadeeasy>DNS Made Easy (optional)</dnsmadeeasy>
+                    <bunny>Bunny (optional)</bunny>
+                    <scaleway>Scaleway (optional)</scaleway>
+                    <acmeproxy>ACME Proxy (optional)</acmeproxy>
+                    <inwx>INWX (optional)</inwx>
+                    <netcup>Netcup (optional)</netcup>
+                    <namedotcom>Name.com (optional)</namedotcom>
+                    <infomaniak>Infomaniak (optional)</infomaniak>
+                    <directadmin>DirectAdmin (optional)</directadmin>
+                    <vultr>Vultr (optional)</vultr>
+                    <hetzner>Hetzner (optional)</hetzner>
                     <digitalocean>DigitalOcean (optional)</digitalocean>
                     <route53>Route53 (optional)</route53>
                     <googleclouddns>Google Cloud DNS (optional)</googleclouddns>

From 8d2972a4ac7045ad5ec403adc736da817cc540b9 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 17 Apr 2025 10:05:16 +0200
Subject: [PATCH 2418/3088] www/caddy: Fix missing translation and toggle
 filter icon correctly (#4648)

---
 .../mvc/app/views/OPNsense/Caddy/reverse_proxy.volt       | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index abb23a0a44..f7d9bbe624 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -323,7 +323,9 @@
 
             });
 
-            $('#reverseFilterIcon').toggleClass('text-success', ($(this).val() || []).length > 0);
+            $('#reverseFilterIcon')
+                .toggleClass('text-success fa-filter-circle-xmark', ($(this).val() || []).length > 0)
+                .toggleClass('fa-filter', !($(this).val() || []).length);
         });
 
         // Autofill domain and subdomain when add dialog is opened
@@ -475,8 +477,8 @@
 </style>
 
 <div id="add_filter_container" class="btn-group" style="display: none;">
-    <button type="button" id="reverseFilterClear" class="btn btn-default" title="Clear Selection">
-        <i id="reverseFilterIcon" class="fa fa-fw fa-filter-circle-xmark"></i>
+    <button type="button" id="reverseFilterClear" class="btn btn-default" title="{{ lang._('Clear Selection') }}">
+        <i id="reverseFilterIcon" class="fa fa-fw fa-filter"></i>
     </button>
     <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="200px" data-size="10" data-container="body" title="{{ lang._('Filter by Domain') }}">
     </select>

From a16e9a0eeaa005019b3cfb727f261a7d58a92465 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 22 Apr 2025 22:57:41 +0200
Subject: [PATCH 2419/3088] net/turnserver: hide protocol violating options,
 refs #4495

---
 net/turnserver/pkg-descr                                 | 9 +++++++++
 .../controllers/OPNsense/Turnserver/forms/settings.xml   | 6 ++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
index f801217423..c2673e293f 100644
--- a/net/turnserver/pkg-descr
+++ b/net/turnserver/pkg-descr
@@ -2,3 +2,12 @@ Coturn is a free open source implementation of TURN and STUN Server.
 The TURN Server is a VoIP media traffic NAT traversal server and gateway.
 
 WWW: https://github.com/coturn/coturn
+
+1.1
+
+Changed:
+* hide protocol violating options
+
+1.0
+
+Initial release
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
index 37f6633cb3..4f6c322d35 100644
--- a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
@@ -116,12 +116,14 @@
         <id>turnserver.settings.ChannelLifetime</id>
         <label>Channel Lifetime</label>
         <type>text</type>
-        <help>The lifetime for the channel (in seconds). Default value is 600 secs (10 minutes).</help>
+        <help>The lifetime for the channel (in seconds). Default value is 600 secs (10 minutes). MUST NOT be changed, because this would violate RFC 5766.</help>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>turnserver.settings.PermissionLifetime</id>
         <label>Permission Lifetime</label>
         <type>text</type>
-        <help>The permission lifetime (in seconds). Default value is 300 secs (5 minutes).</help>
+        <help>The permission lifetime (in seconds). Default value is 300 secs (5 minutes). MUST NOT be changed, because this would violate RFC 5766.</help>
+        <advanced>true</advanced>
     </field>
 </form>

From 431a5527186bff3a2b438d7ad8f10e558869518c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Apr 2025 08:08:37 +0200
Subject: [PATCH 2420/3088] www/caddy: style sweep

---
 .../app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php | 1 -
 .../controllers/OPNsense/Caddy/Api/ReverseProxyController.php    | 1 -
 2 files changed, 2 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
index e7ba77be4a..f8de1f2c13 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/DiagnosticsController.php
@@ -81,5 +81,4 @@ public function caddyfileAction()
         // Return the response as an array which gets automatically encoded to JSON
         return ["status" => "success", "content" => $responseArray['content']];
     }
-
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
index e6970cfa00..70a63b0d28 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ReverseProxyController.php
@@ -69,7 +69,6 @@ public function getAllReverseDomainsAction()
 
         foreach ((new \OPNsense\Caddy\Caddy())->reverseproxy->subdomain->iterateItems() as $subdomain) {
             if (!empty($subdomain->FromDomain)) {
-
                 $result['subdomains']['items'][] = [
                     'value' => (string)$subdomain->getAttributes()['uuid'],
                     'label' => (string)$subdomain->FromDomain

From a3a4a3b986ba128cd8600c544eed7ce128ba873a Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Fri, 25 Apr 2025 09:42:41 +0200
Subject: [PATCH 2421/3088] security/wazuh-agent: make agent_name configurable
 (#4657)

---
 .../app/controllers/OPNsense/WazuhAgent/forms/settings.xml | 7 +++++++
 .../mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml      | 4 ++++
 .../service/templates/OPNsense/WazuhAgent/ossec.conf       | 3 +++
 3 files changed, 14 insertions(+)

diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
index 8c92582f1f..18f9d6196a 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
@@ -15,6 +15,13 @@
         <type>text</type>
         <help>Specifies the IP address or the hostname of the Wazuh manager.</help>
     </field>
+    <field>
+        <id>agent.general.agent_name</id>
+        <label>Agent hostname</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Specifies the hostname of this agent.</help>
+    </field>
     <field>
         <id>agent.general.protocol</id>
         <label>Protocol</label>
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
index 79697b050e..678fed08c5 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -12,6 +12,10 @@
                 <Required>Y</Required>
                 <IpAllowed>Y</IpAllowed>
             </server_address>
+            <agent_name type="HostnameField">
+                <Required>N</Required>
+                <IpAllowed>N</IpAllowed>
+            </agent_name>
             <protocol type="OptionField">
                 <default>tcp</default>
                 <Required>Y</Required>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
index 2cddc9323e..5abdacd54a 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
@@ -7,6 +7,9 @@
     </server>
     <crypto_method>aes</crypto_method>
     <enrollment>
+{%   if not helpers.empty('OPNsense.WazuhAgent.general.agent_name') %}
+      <agent_name>{{ OPNsense.WazuhAgent.general.agent_name }}</agent_name>
+{%   endif %}
       <port>{{OPNsense.WazuhAgent.auth.port}}</port>
     </enrollment>
   </client>

From 1936e007361bde7cca4b510cf7ece6be80dd7668 Mon Sep 17 00:00:00 2001
From: Rajiv Aaron Manglani <rajiv@alum.mit.edu>
Date: Mon, 28 Apr 2025 14:46:39 -0400
Subject: [PATCH 2422/3088] dns/ddclient: Add Akamai to checkip providers.
 (#4660)

---
 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index fd444ac071..e7dd3edef0 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -29,6 +29,9 @@
 from urllib.parse import urlparse
 
 checkip_service_list = {
+  'akamai': '%s://whatismyip.akamai.com',
+  'akamai-ipv4': '%s://ipv4.whatismyip.akamai.com',
+  'akamai-ipv6': '%s://ipv6.whatismyip.akamai.com',
   'cloudflare': '%s://one.one.one.one/cdn-cgi/trace',
   'cloudflare-ipv4': '%s://1.1.1.1/cdn-cgi/trace',
   'cloudflare-ipv6': '%s://[2606:4700:4700::1111]/cdn-cgi/trace',

From 5c2207906b2db5c95c31aca29468ec245996c169 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 30 Apr 2025 07:26:50 +0200
Subject: [PATCH 2423/3088] dns/rfc2136: function renamed for clarity

---
 dns/rfc2136/Makefile                              | 2 +-
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index 13df9955f7..37d29c8e9d 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools
diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 349f07dde8..bf346cd29b 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -222,7 +222,7 @@ function get_rfc2136_ip_address($int, $ipver = 4)
         return 'down';
     }
 
-    if ($ipver != 6 && is_private_ip($ip_address)) {
+    if ($ipver != 6 && is_private_ipv4($ip_address)) {
         $ip_ch = curl_init('http://checkip.dyndns.org');
         curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($ip_ch, CURLOPT_INTERFACE, $ip_address);

From 7e8c9e1f6142912794d7fade24645a22651c84b4 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Thu, 1 May 2025 21:01:41 +0200
Subject: [PATCH 2424/3088] www/squid: authenticate before blacklist (#4670)

---
 .../opnsense/service/templates/OPNsense/Proxy/squid.acl.conf  | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
index b9e1f87873..16a07929d3 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
@@ -28,6 +28,10 @@ adaptation_access request_mod allow whiteList
 http_access allow whiteList
 {% endif %}
 
+{%   if not helpers.empty('OPNsense.proxy.forward.authentication.method') %}
+http_access deny !local_auth
+{% endif %}
+
 {% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
 
 #

From 1ad7c634c754abd71f079e44cd038fb2326cd89f Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Mon, 5 May 2025 16:52:33 +0200
Subject: [PATCH 2425/3088] www/c-icap: move to syslog (#4674)

---
 .../src/etc/inc/plugins.inc.d/cicap.inc       |  9 +++++++++
 .../app/models/OPNsense/CICAP/Menu/Menu.xml   |  2 +-
 .../opnsense/scripts/OPNsense/CICAP/setup.sh  |  6 ------
 .../service/templates/OPNsense/CICAP/+TARGETS |  1 -
 .../templates/OPNsense/CICAP/c-icap.conf      | 20 ++++++++++++++-----
 .../templates/OPNsense/CICAP/newsyslog.conf   |  7 -------
 .../service/templates/Syslog/local/cicap.conf |  6 ++++++
 7 files changed, 31 insertions(+), 20 deletions(-)
 delete mode 100644 www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/newsyslog.conf
 create mode 100644 www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf

diff --git a/www/c-icap/src/etc/inc/plugins.inc.d/cicap.inc b/www/c-icap/src/etc/inc/plugins.inc.d/cicap.inc
index 305408d15a..d2528499d2 100644
--- a/www/c-icap/src/etc/inc/plugins.inc.d/cicap.inc
+++ b/www/c-icap/src/etc/inc/plugins.inc.d/cicap.inc
@@ -26,6 +26,15 @@
     POSSIBILITY OF SUCH DAMAGE.
 */
 
+function cicap_syslog()
+{
+    return [
+        'cicap' => [
+            'facility' => ['c-icap']
+        ]
+    ];
+}
+
 function cicap_services()
 {
     global $config;
diff --git a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml
index 326a689d0b..f408f8109b 100644
--- a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml
+++ b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Menu/Menu.xml
@@ -2,7 +2,7 @@
   <Services>
     <C_ICAP VisibleName="C-ICAP" cssClass="fa fa-ambulance">
         <Configuration order="10" url="/ui/cicap/general/index"/>
-        <LogFile VisibleName="Log File" order="20" url="/ui/diagnostics/log/cicap/server"/>
+        <LogFile VisibleName="Log File" order="20" url="/ui/diagnostics/log/core/cicap"/>
     </C_ICAP>
   </Services>
 </menu>
diff --git a/www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh b/www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh
index 8e29386a1a..b5b2195631 100755
--- a/www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh
+++ b/www/c-icap/src/opnsense/scripts/OPNsense/CICAP/setup.sh
@@ -4,11 +4,5 @@ mkdir -p /var/run/c-icap
 chown -R c_icap:c_icap /var/run/c-icap
 chmod 750 /var/run/c-icap
 
-mkdir -p /var/log/c-icap
-chown -R c_icap:c_icap /var/log/c-icap
-chmod 750 /var/log/c-icap
-(cd /var/log && ln -s c-icap cicap)
-chown -R c_icap:c_icap /var/log/cicap
-
 mkdir -p /tmp/c-icap/templates/virus_scan/en
 chmod -R 755 /tmp/c-icap/
diff --git a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/+TARGETS b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/+TARGETS
index 4be92f8264..07687be790 100644
--- a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/+TARGETS
+++ b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/+TARGETS
@@ -1,6 +1,5 @@
 c_icap:/etc/rc.conf.d/c_icap
 c-icap.conf:/usr/local/etc/c-icap/c-icap.conf
-newsyslog.conf:/etc/newsyslog.conf.d/c-icap
 virus_scan.conf:/usr/local/etc/c-icap/virus_scan.conf
 VIRUS_FOUND:/tmp/c-icap/templates/virus_scan/en/VIRUS_FOUND
 VIR_MODE_HEAD:/tmp/c-icap/templates/virus_scan/en/VIR_MODE_HEAD
diff --git a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
index 27b16b44ef..8f25c2638b 100644
--- a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
+++ b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
@@ -46,7 +46,11 @@ ServerName {{ system.hostname }}
 {%      if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
 RemoteProxyUsers on
 acl AUTH auth *
-acl localserver srvip 127.0.0.1
+{%   if not helpers.empty('OPNsense.cicap.general.listenaddress') %}
+acl localserver srvip {{ OPNsense.cicap.general.listenaddress }}
+{%      else %}
+acl localserver srvip ::1
+{% endif %}
 icap_access allow AUTH localserver
 {%      else %}
 RemoteProxyUsers off
@@ -62,7 +66,11 @@ RemoteProxyUserHeader {{OPNsense.proxy.forward.icap.UsernameHeader}}
 {% else %}
 RemoteProxyUsers on
 acl AUTH auth *
-acl localserver srvip 127.0.0.1
+{%   if not helpers.empty('OPNsense.cicap.general.listenaddress') %}
+acl localserver srvip {{ OPNsense.cicap.general.listenaddress }}
+{%      else %}
+acl localserver srvip ::1
+{% endif %}
 icap_access allow AUTH localserver
 RemoteProxyUserHeaderEncoded on
 RemoteProxyUserHeader X-Authenticated-User
@@ -77,9 +85,11 @@ ServicesDir /usr/local/lib/c_icap
 TemplateDir /tmp/c-icap/templates/
 TemplateDefaultLanguage en
 LoadMagicFile /usr/local/etc/c-icap/c-icap.magic
-ServerLog /var/log/c-icap/server.log
-{% if helpers.exists('OPNsense.cicap.general.enable_accesslog') and OPNsense.cicap.general.enable_accesslog == '1' %}
-AccessLog /var/log/c-icap/access.log
+Module logger sys_logger.so
+Logger sys_logger
+sys_logger.Prefix "c-icap"
+{% if helpers.exists('OPNsense.cicap.general.enable_accesslog') and OPNsense.cicap.general.enable_accesslog == '0' %}
+sys_logger.access !localserver
 {% endif %}
 Service echo srv_echo.so
 Include virus_scan.conf
diff --git a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/newsyslog.conf b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/newsyslog.conf
deleted file mode 100644
index 1edd4401f9..0000000000
--- a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/newsyslog.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# logfilename                   [owner:group]   mode    count size      when    flags   [/pid_file]               [sig_num]
-{% if helpers.exists('OPNsense.cicap.general.enabled') and OPNsense.cicap.general.enabled|default("0") == "1" %}
-{% if helpers.exists('OPNsense.cicap.general.enable_accesslog') and OPNsense.cicap.general.enable_accesslog == '1' %}
-/var/log/c-icap/access.log    c_icap:c_icap     644     7       *       @T00     ZB      /var/run/c-icap/c-icap.pid
-{% endif %}
-/var/log/c-icap/server.log    c_icap:c_icap     644     7       *       @T00     ZB      /var/run/c-icap/c-icap.pid
-{% endif %}
diff --git a/www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf b/www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf
new file mode 100644
index 0000000000..53a9a536da
--- /dev/null
+++ b/www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [cicap].
+###################################################################
+filter f_local_cicap {
+    program("c-icap");
+};
\ No newline at end of file

From 820bb85d6d8621b3d603304b5a05b52ff2c0dcc6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 May 2025 09:04:53 +0200
Subject: [PATCH 2426/3088] dns/ddclient: test drive errors:no

---
 dns/ddclient/Makefile                                          | 2 +-
 dns/ddclient/pkg-descr                                         | 1 +
 .../src/opnsense/service/conf/actions.d/actions_ddclient.conf  | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index cb55c5f2c9..fe09e3613f 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.27
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 0d3991e442..2809acd262 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.27
 
 * Add support for altering IPv6 addresses in native backend (contributed by SaarLAN-Pissbeutel)
+* Add Akamai to checkip providers (contributed by Rajiv Aaron Manglani)
 * Fix Netcup host/domain recognition (contributed by SaarLAN-Pissbeutel)
 * Removed defunct ip4only.me and ip6only.me
 
diff --git a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
index 8500bfa483..8349ebdfec 100644
--- a/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/conf/actions.d/actions_ddclient.conf
@@ -6,7 +6,8 @@ type:script
 message:starting ddclient
 
 [stop]
-command:pkill -F /var/run/ddclient.pid 2> /dev/null; /usr/local/etc/rc.d/ddclient_opn onestop 2> /dev/null; exit 0
+command:pkill -F /var/run/ddclient.pid 2> /dev/null; /usr/local/etc/rc.d/ddclient_opn onestop 2> /dev/null
+errors:no
 type:script
 message:stopping ddclient
 

From d70df18c9dbc2321f3ed1c92a787c23096192b74 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 6 May 2025 15:33:47 +0200
Subject: [PATCH 2427/3088] net/ndproxy: Disable promiscuous mode forced by
 port (#4676)

* net/ndproxy: Disable promiscuous mode forced by port

* net/ndproxy: Bump version, add release notes, put variable inside conditional.

* Update net/ndproxy/pkg-descr

Co-authored-by: Franco Fichtner <franco@opnsense.org>

---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>
---
 net/ndproxy/Makefile                                          | 2 +-
 net/ndproxy/pkg-descr                                         | 4 ++++
 .../service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy      | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/ndproxy/Makefile b/net/ndproxy/Makefile
index 17d6902560..9c7a2855ba 100644
--- a/net/ndproxy/Makefile
+++ b/net/ndproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ndproxy
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_DEPENDS=		ndproxy
 PLUGIN_COMMENT=		Neighbor Discovery Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/net/ndproxy/pkg-descr b/net/ndproxy/pkg-descr
index ee59b68dd7..a0c380fb0d 100644
--- a/net/ndproxy/pkg-descr
+++ b/net/ndproxy/pkg-descr
@@ -3,6 +3,10 @@ Ndproxy is a kernel module that implements IPv6 Neighbor Discovery proxying over
 Plugin Changelog
 ================
 
+1.1
+
+* Promiscuous mode for the Uplink Interface is no longer enabled
+
 1.0
 
 * Initial Release
diff --git a/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy b/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy
index f907ee0329..aa5066c63d 100644
--- a/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy
+++ b/net/ndproxy/src/opnsense/service/templates/OPNsense/Ndproxy/rc.conf.d/ndproxy
@@ -2,6 +2,8 @@
 {% set generalSettings = helpers.getNodeByTag('OPNsense.ndproxy.general') %}
 {% if generalSettings.enabled|default("0") == "1" %}
 ndproxy_enable="YES"
+{# Always disable promiscuous mode forced by port since it should be controlled via interface settings if needed. #}
+ndproxy_promisc_enable="NO"
 {%     if generalSettings.ndproxy_uplink_interface %}
 ndproxy_uplink_interface="{{ helpers.physical_interface(generalSettings.ndproxy_uplink_interface) }}"
 {%     endif %}

From cff07b040193779e147b5a13013f085dfbebf62b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 6 May 2025 09:09:53 +0200
Subject: [PATCH 2428/3088] sysutils/smart: add errors:no here too

---
 sysutils/smart/Makefile                       |  1 +
 .../service/conf/actions.d/actions_smart.conf | 27 ++++++++++++-------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 2afa17e450..23820a8df2 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf b/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
index 03a594580e..b24bc6d56f 100644
--- a/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
+++ b/sysutils/smart/src/opnsense/service/conf/actions.d/actions_smart.conf
@@ -12,59 +12,68 @@ message:list installed devices
 
 [info]
 command:/usr/local/sbin/smartctl
-parameters:-%s %s; exit 0
+parameters:-%s %s
+errors:no
 type:script_output
 message:exec smartctl -%s for device %s
 
 [info_json]
 command:/usr/local/sbin/smartctl
-parameters:-%s --json=c %s; exit 0
+parameters:-%s --json=c %s
+errors:no
 type:script_output
 message:exec smartctl -%s (JSON) for device %s
 
 [log.error]
 command:/usr/local/sbin/smartctl -l error
-parameters:%s; exit 0
+parameters:%s
+errors:no
 type:script_output
 message:Get error log for device %s
 
 [log.selftest]
 command:/usr/local/sbin/smartctl -l selftest
-parameters:%s; exit 0
+parameters:%s
+errors:no
 type:script_output
 message:Get selftest log for device %s
 
 [test.offline]
 command:/usr/local/sbin/smartctl -t offline
-parameters:%s; exit 0
+parameters:%s
+errors:no
 type:script_output
 message:Testing device %s (offline)
 description:Run SMART test (offline)
 
 [test.short]
 command:/usr/local/sbin/smartctl -t short
-parameters:%s; exit 0
+parameters:%s
+errors:no
 type:script_output
 message:Testing device %s (short)
 description:Run SMART test (short)
 
 [test.long]
 command:/usr/local/sbin/smartctl -t long
-parameters:%s; exit 0
+parameters:%s
+errors:no
 type:script_output
 message:Testing device %s (long)
 description:Run SMART test (long)
 
 [test.conveyance]
 command:/usr/local/sbin/smartctl -t conveyance
-parameters:%s; exit 0
+parameters:%s
+errors:no
 type:script_output
 message:Testing device %s (conveyance)
 description:Run SMART test (conveyance)
 
 [abort]
 command:/usr/local/sbin/smartctl -X
-parameters:%s; exit 0
+parameters:%s
+errors:no
 type:script_output
 message:Abort test on device %s
 description:Abort SMART tests

From 28863b8201aacba127dcfd65a627c877ac794298 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 7 May 2025 08:22:17 +0200
Subject: [PATCH 2429/3088] www/squid: wrap up new version, model bump to flush
 old values

---
 www/squid/Makefile                                           | 3 +--
 www/squid/pkg-descr                                          | 5 +++++
 .../src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml     | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 15857a9c0f..4b52c49d89 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		squid
-PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index 3ffe8644c5..9cf9b217d8 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -5,6 +5,11 @@ content serving applications.
 Plugin Changelog
 ================
 
+1.2
+
+* Change cache_dir from "ufs" to "rock" (contributed by Andy Binder)
+* Authenticate before blocklist (contributed by Andy Binder)
+
 1.1
 
 * Syslog corrections and implementation of "workers" (contributed by Andy Binder)
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 84dc90de76..9421f1ee3c 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/proxy</mount>
-    <version>1.0.7</version>
+    <version>1.0.8</version>
     <description>Squid web proxy settings</description>
     <items>
         <general>

From 13fb91293e332046b38314e70d766d9a7d1c8098 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 7 May 2025 08:27:23 +0200
Subject: [PATCH 2430/3088] www/caddy: bump revision to track these changes

---
 www/caddy/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index c7bbdcac69..c4d64d5759 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		1.8.5
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com

From b84ce663cd27bf4c6f5b05021e0334a892e6475c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 7 May 2025 08:29:30 +0200
Subject: [PATCH 2431/3088] security/wazuh-agent: document change and update
 revision

---
 security/wazuh-agent/Makefile  | 1 +
 security/wazuh-agent/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index fcc6e3fd7b..c9f4d49539 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wazuh-agent
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/wazuh-agent/pkg-descr b/security/wazuh-agent/pkg-descr
index f42ab3aa9c..7a6dd7666d 100644
--- a/security/wazuh-agent/pkg-descr
+++ b/security/wazuh-agent/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 1.2
 
 * Implement options to change server ports (contributed by 999eagle)
+* Make agent_name configurable (contributed by Andy Binder)
 
 1.1
 

From fe457505c1af4eef2d7be1943e886e976f99a824 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 7 May 2025 08:33:28 +0200
Subject: [PATCH 2432/3088] www/c-icap: package new version for 25.1.7

---
 www/c-icap/Makefile                                        | 3 +--
 www/c-icap/pkg-descr                                       | 7 ++++++-
 .../src/opnsense/service/templates/Syslog/local/cicap.conf | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index 90a88fdf19..c3c56aedf7 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		c-icap
-PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	5
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/www/c-icap/pkg-descr b/www/c-icap/pkg-descr
index 5ae299e86b..287a95eeac 100644
--- a/www/c-icap/pkg-descr
+++ b/www/c-icap/pkg-descr
@@ -2,4 +2,9 @@ c-icap is an implementation of an ICAP server. It can be used with HTTP
 proxies that support the ICAP protocol to implement content adaptation
 and filtering services.
 
-WWW: http://c-icap.sourceforge.net/
+Plugin Changelog
+================
+
+1.8
+
+* Move logging to syslog (contributed by Andy Binder)
diff --git a/www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf b/www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf
index 53a9a536da..9eee81b260 100644
--- a/www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf
+++ b/www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf
@@ -3,4 +3,4 @@
 ###################################################################
 filter f_local_cicap {
     program("c-icap");
-};
\ No newline at end of file
+};

From 0fe43c6f9c2b3e64d972da5e9171ec7bde7f5b79 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Wed, 7 May 2025 09:14:37 +0200
Subject: [PATCH 2433/3088] www/c-icap: move syslog conf to correct location
 (#4683)

---
 .../service/templates/{ => OPNsense}/Syslog/local/cicap.conf      | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename www/c-icap/src/opnsense/service/templates/{ => OPNsense}/Syslog/local/cicap.conf (100%)

diff --git a/www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf b/www/c-icap/src/opnsense/service/templates/OPNsense/Syslog/local/cicap.conf
similarity index 100%
rename from www/c-icap/src/opnsense/service/templates/Syslog/local/cicap.conf
rename to www/c-icap/src/opnsense/service/templates/OPNsense/Syslog/local/cicap.conf

From 70ced7841ea78b244f047591a800ef677037eb32 Mon Sep 17 00:00:00 2001
From: spawntty <42645225+spawntty@users.noreply.github.com>
Date: Wed, 7 May 2025 10:58:26 +0200
Subject: [PATCH 2434/3088] www/caddy: Add Request Matcher option to Access
 List (#4680)

* www/caddy: Add Request Matcher option to Access List

* www/caddy: Bump model version
---
 .../OPNsense/Caddy/forms/dialogAccessList.xml          |  7 +++++++
 .../opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml   | 10 +++++++++-
 .../service/templates/OPNsense/Caddy/Caddyfile         |  2 +-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index 774ebd997e..3f33391980 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -44,6 +44,13 @@
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>accesslist.RequestMatcher</id>
+        <label>Request Matcher</label>
+        <type>dropdown</type>
+        <help><![CDATA[Set the request matcher that will be applied to this access list.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>accesslist.description</id>
         <label>Description</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 493bbf7652..3e1fdc2170 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.5</version>
+    <version>1.3.6</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -530,6 +530,14 @@
                     <ValidationMessage>Please enter a valid HTTP response code between 100 and 599</ValidationMessage>
                 </HttpResponseCode>
                 <HttpResponseMessage type="DescriptionField"/>
+                <RequestMatcher type="OptionField">
+                    <Required>Y</Required>
+                    <Default>client_ip</Default>
+                    <OptionValues>
+                        <client_ip>client_ip</client_ip>
+                        <remote_ip>remote_ip</remote_ip>
+                    </OptionValues>
+                </RequestMatcher>
                 <description type="DescriptionField"/>
             </accesslist>
             <basicauth type="ArrayField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index fa96c74d4f..8e027500b7 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -524,7 +524,7 @@ http://{{ domain }} {
             {% set client_ips = accesslist_obj.clientIps.split(',') | join(' ') %}
             {{ unique_identifier }} {
                 {# Non-inverted access lists have "not" as default, inverted ones '' #}
-                {{ 'not' if accesslist_obj.accesslistInvert|default("0") == "0" else '' }} client_ip {{ client_ips }}
+                {{ 'not' if accesslist_obj.accesslistInvert|default("0") == "0" else '' }} {{ accesslist_obj.RequestMatcher }} {{ client_ips }}
             }
             {# When IP is matched, abort or send response code. This will end processing and drop the request #}
             handle {{ unique_identifier }} {

From b8af35970ea0963cb4cdf405334f5294311e2382 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 7 May 2025 10:58:59 +0200
Subject: [PATCH 2435/3088] www/caddy: Change template generation of
 wildcard+subdomain pattern to support ECH and mTLS (#4673)

* www/caddy: Change wildcard domain with subdomain pattern to align with caddy-v2.10.0

* www/caddy: Allow Client Auth (mTLS) inside subdomains as supported by new wildcard domain and subdomain pattern

* www/caddy: Add encrypted client hello (ECH)
---
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |  19 +++
 .../OPNsense/Caddy/forms/general.xml          |  10 ++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  15 ++
 .../scripts/OPNsense/Caddy/caddy_certs.php    |  13 ++
 .../templates/OPNsense/Caddy/Caddyfile        | 128 +++++++++++-------
 5 files changed, 133 insertions(+), 52 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 558c702a2e..ccfc1c2bab 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -81,4 +81,23 @@
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>subdomain.ClientAuthTrustPool</id>
+        <label>Client Auth Trust Pool</label>
+        <type>select_multiple</type>
+        <help><![CDATA[Choose multiple CAs or self-signed certificates from "System - Trust - Authorities". Client Auth is activated as soon as at least one certificate has been chosen. Important: Certificate revocation lists are not evaluated. If you need granular control, provide individual self-signed certificates for each device, and unset them to block access. Though keep in mind that if no certificate is left in this field, Client Auth will be deactivated.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>subdomain.ClientAuthMode</id>
+        <label>Client Auth Mode</label>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+        <help><![CDATA["request" - Ask clients for a certificate, but allow even if there isn't one; do not verify it. "require" - Require clients to present a certificate, but do not verify it. "verify_if_given" - Ask clients for a certificate; allow even if there isn't one, but verify it if there is. "require_and_verify" - Require clients to present a valid certificate that is verified.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index b6f0c86d10..2d5a1167b9 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -180,6 +180,16 @@
             <hint>0</hint>
             <help><![CDATA[propagation_delay is a duration value in seconds that sets how long to wait before starting DNS TXT records propagation checks when using the DNS challenge.]]></help>
         </field>
+        <field>
+            <type>header</type>
+            <label>ECH</label>
+        </field>
+        <field>
+            <id>caddy.general.TlsDnsEchDomain</id>
+            <label>ECH Domain</label>
+            <type>text</type>
+            <help><![CDATA[Enables Encrypted ClientHello (ECH) by using the specified public domain name as the plaintext server name (SNI) in TLS handshakes. More information: https://caddyserver.com/docs/caddyfile/options#ech]]></help>
+        </field>
     </tab>
     <tab id="general-dynamicdns" description="Dynamic DNS">
         <field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 3e1fdc2170..7e9d03c246 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -109,6 +109,9 @@
             <TlsDnsPropagationResolvers type="NetworkField">
                 <NetMaskAllowed>N</NetMaskAllowed>
             </TlsDnsPropagationResolvers>
+            <TlsDnsEchDomain type="HostnameField">
+                <IpAllowed>N</IpAllowed>
+            </TlsDnsEchDomain>
             <accesslist type="ModelRelationField">
                 <Model>
                     <reverseproxy>
@@ -337,6 +340,18 @@
                 <description type="DescriptionField"/>
                 <DynDns type="BooleanField"/>
                 <AcmePassthrough type="HostnameField"/>
+                <ClientAuthMode type="OptionField">
+                    <BlankDesc>require_and_verify</BlankDesc>
+                    <OptionValues>
+                        <request>request</request>
+                        <require>require</require>
+                        <verify_if_given>verify_if_given</verify_if_given>
+                    </OptionValues>
+                </ClientAuthMode>
+                <ClientAuthTrustPool type="CertificateField">
+                    <Type>ca</Type>
+                    <Multiple>Y</Multiple>
+                </ClientAuthTrustPool>
             </subdomain>
             <handle type="ArrayField">
                 <enabled type="BooleanField">
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index a6494eb977..0c14379c4d 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -100,6 +100,19 @@
     }
 }
 
+foreach ((new Caddy())->reverseproxy->subdomain->iterateItems() as $subdomainItem) {
+    $caCertField = (string)$subdomainItem->ClientAuthTrustPool;
+
+    if (!empty($caCertField)) {
+        $refs = array_map('trim', explode(',', $caCertField));
+        foreach ($refs as $ref) {
+            if (!empty($ref)) {
+                $caCertRefs[] = $ref;
+            }
+        }
+    }
+}
+
 $caCertRefs = array_unique($caCertRefs);
 
 foreach ((new Ca())->ca->iterateItems() as $caItem) {
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 8e027500b7..acbf13bc67 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -1,5 +1,5 @@
 {#
-# Copyright (c) 2023-2024 Cedrik Pischem
+# Copyright (c) 2023-2025 Cedrik Pischem
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -220,6 +220,19 @@
     }
     {% endif %}
 
+    {#
+    #   Section: Encrypted ClientHello (ECH) Configuration
+    #            https://caddyserver.com/docs/caddyfile/options#ech
+    #}
+    {% if generalSettings.TlsDnsEchDomain|default("") and dnsProvider %}
+        dns {{ dnsProvider }} {% if dnsProvider not in dnsProviderSpecialConfig %}{{ dnsApiKey }}{% else %}{
+            {% set context_var = 'dnsProviderSpecialLogic' %}
+            {% include "OPNsense/Caddy/includeDnsProvider" %}
+        }
+        {% endif +%}
+        ech {{ generalSettings.TlsDnsEchDomain }}
+    {% endif %}
+
     {#
     #   Section: ACME Email, Auto HTTPS selection and global import statement
     #   Purpose: The ACME email is optional for receiving certificate notices.
@@ -304,21 +317,21 @@ http://{{ domain }} {
 #            certificates with the DNS-01 challenge. Refer to Dynamic DNS section for more details.
 #}
 {% macro tls_configuration(
-    customCert,
-    dnsChallenge,
-    clientAuthTrustPool,
-    clientAuthMode,
-    dnsProvider,
-    dnsApiKey,
-    dnsSecretApiKey,
-    tlsDnsOptionalField1,
-    tlsDnsOptionalField2,
-    tlsDnsOptionalField3,
-    tlsDnsOptionalField4,
-    tlsDnsPropagationTimeout,
-    tlsDnsPropagationTimeoutPeriod,
-    tlsDnsPropagationDelay,
-    tlsDnsPropagationResolvers
+    customCert="",
+    dnsChallenge="0",
+    clientAuthTrustPool="",
+    clientAuthMode="",
+    dnsProvider="",
+    dnsApiKey="",
+    dnsSecretApiKey="",
+    tlsDnsOptionalField1="",
+    tlsDnsOptionalField2="",
+    tlsDnsOptionalField3="",
+    tlsDnsOptionalField4="",
+    tlsDnsPropagationTimeout="",
+    tlsDnsPropagationTimeoutPeriod="",
+    tlsDnsPropagationDelay="",
+    tlsDnsPropagationResolvers=""
 ) %}
     {% if customCert or (dnsChallenge == "1" and dnsProvider) or clientAuthTrustPool %}
         tls {% if customCert %}/var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key{% endif %} {
@@ -586,13 +599,10 @@ http://{{ domain }} {
 #   - render_handles: Renders the handles in the correct order, including basic authentication.
 #   - reverse_proxy_configuration: Sets up the handle with reverse proxy configurations.
 #   - handle_response: Manages the response logic for access lists and aborts.
-#   Important Details:
-#   - Order of Path specific Handles: Prioritizes order of specific path handles over catch-all handles.
-#   - Order of Wildcard Domains and Subdomains: Handles for wildcard domains come after all subdomains.
 #}
+
 {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
     {% if reverse.enabled|default("0") == "1" %}
-        # Reverse Proxy Domain: "{{ reverse['@uuid'] }}"
         {% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ reverse.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
             {% if reverse.AccessLog|default("0") == "1" %}
                 {% if generalSettings.LogAccessPlain|default("0") == "0" %}
@@ -606,44 +616,58 @@ http://{{ domain }} {
                 {% endif %}
             {% endif %}
             {{ tls_configuration(
-                reverse.CustomCertificate|default(""),
-                reverse.DnsChallenge|default("0"),
-                reverse.ClientAuthTrustPool|default(""),
-                reverse.ClientAuthMode|default(""),
-                generalSettings.TlsDnsProvider,
-                generalSettings.TlsDnsApiKey,
-                generalSettings.TlsDnsSecretApiKey,
-                generalSettings.TlsDnsOptionalField1,
-                generalSettings.TlsDnsOptionalField2,
-                generalSettings.TlsDnsOptionalField3,
-                generalSettings.TlsDnsOptionalField4,
-                generalSettings.TlsDnsPropagationTimeout,
-                generalSettings.TlsDnsPropagationTimeoutPeriod,
-                generalSettings.TlsDnsPropagationDelay,
-                generalSettings.TlsDnsPropagationResolvers
+                customCert=reverse.CustomCertificate|default(""),
+                dnsChallenge=reverse.DnsChallenge|default("0"),
+                clientAuthTrustPool=reverse.ClientAuthTrustPool|default(""),
+                clientAuthMode=reverse.ClientAuthMode|default(""),
+                dnsProvider=generalSettings.TlsDnsProvider,
+                dnsApiKey=generalSettings.TlsDnsApiKey,
+                dnsSecretApiKey=generalSettings.TlsDnsSecretApiKey,
+                tlsDnsOptionalField1=generalSettings.TlsDnsOptionalField1,
+                tlsDnsOptionalField2=generalSettings.TlsDnsOptionalField2,
+                tlsDnsOptionalField3=generalSettings.TlsDnsOptionalField3,
+                tlsDnsOptionalField4=generalSettings.TlsDnsOptionalField4,
+                tlsDnsPropagationTimeout=generalSettings.TlsDnsPropagationTimeout,
+                tlsDnsPropagationTimeoutPeriod=generalSettings.TlsDnsPropagationTimeoutPeriod,
+                tlsDnsPropagationDelay=generalSettings.TlsDnsPropagationDelay,
+                tlsDnsPropagationResolvers=generalSettings.TlsDnsPropagationResolvers
             ) }}
-
-            {% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
-                {% if subdomain.enabled|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
-                    @{{ subdomain['@uuid'] }} {
-                        host {{ subdomain.FromDomain }}
-                    }
-                    handle @{{ subdomain['@uuid'] }} {
-                        {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
-                        {{ handle_accesslist(subdomain.accesslist, subdomain.FromDomain) }}
-                        {# All IPs not matched by accesslist will continue processing #}
-                        {{ render_basic_auth(subdomain.basicauth) }}
-                        {{ render_handles(subdomain_handles) }}
-                    }
-                {% endif %}
-            {% endfor %}
-
             {% set domain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('reverse', 'equalto', reverse['@uuid']) | selectattr('subdomain', 'undefined') | list %}
             {{ handle_accesslist(reverse.accesslist, reverse.FromDomain) }}
-            {# All IPs not matched by accesslist will continue processing #}
             {{ render_basic_auth(reverse.basicauth) }}
             {{ render_handles(domain_handles) }}
         }
+
+    {% endif %}
+{% endfor %}
+
+{% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
+    {% if subdomain.enabled|default("0") == "1" %}
+        {% set reverse = helpers.toList('Pischem.caddy.reverseproxy.reverse') | selectattr('@uuid', 'equalto', subdomain.reverse) | first %}
+        {% if reverse and reverse.enabled|default("0") == "1" %}
+            {% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ subdomain.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
+                {% if reverse.AccessLog|default("0") == "1" %}
+                    {% if generalSettings.LogAccessPlain|default("0") == "0" %}
+                        log {{ subdomain['@uuid'] }}
+                    {% else %}
+                        log {
+                            output file /var/log/caddy/access/{{ subdomain['@uuid'] }}.log {
+                                roll_keep_for {{ generalSettings.LogAccessPlainKeep|default("10") }}d
+                            }
+                        }
+                    {% endif %}
+                {% endif %}
+                {{ tls_configuration(
+                    clientAuthTrustPool=subdomain.ClientAuthTrustPool|default(""),
+                    clientAuthMode=subdomain.ClientAuthMode|default("")
+                ) }}
+                {% set subdomain_handles = helpers.toList('Pischem.caddy.reverseproxy.handle') | selectattr('subdomain', 'equalto', subdomain['@uuid']) | list %}
+                {{ handle_accesslist(subdomain.accesslist, subdomain.FromDomain) }}
+                {{ render_basic_auth(subdomain.basicauth) }}
+                {{ render_handles(subdomain_handles) }}
+            }
+
+        {% endif %}
     {% endif %}
 {% endfor %}
 

From 9fea9fd5e505e1946bce255b7d51c5ee49c31a26 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 8 May 2025 12:47:16 +0200
Subject: [PATCH 2436/3088] security/clamav: Add Restart command to cron
 (#4685)

---
 security/clamav/Makefile                                        | 2 +-
 .../src/opnsense/service/conf/actions.d/actions_clamav.conf     | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index f4d90f2093..992e58d017 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		clamav
 PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf b/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
index 59ad71ea7d..2e20af3ab3 100644
--- a/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
+++ b/security/clamav/src/opnsense/service/conf/actions.d/actions_clamav.conf
@@ -20,6 +20,7 @@ command:
     /usr/local/etc/rc.d/clamav_clamd restart
 parameters:
 type:script
+description:Restart ClamAV
 message:restarting ClamAV
 
 [status]

From 1d2d2b09c87110752acc6f2924048e50a3f4964b Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Mon, 12 May 2025 10:07:29 +0200
Subject: [PATCH 2437/3088] net/frr: add neighbor config to ospf (#4694)

---
 .../Quagga/Api/OspfsettingsController.php     | 29 +++++++++++++++
 .../OPNsense/Quagga/OspfController.php        |  3 ++
 .../Quagga/forms/dialogEditOSPFNeighbor.xml   | 36 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Quagga/OSPF.xml   | 24 +++++++++++++
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 14 ++++++++
 .../templates/OPNsense/Quagga/ospfd.conf      |  7 ++++
 6 files changed, 113 insertions(+)
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNeighbor.xml

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
index ab971af24a..b81d126cd5 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
@@ -37,6 +37,31 @@ class OspfsettingsController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'ospf';
     protected static $internalModelClass = '\OPNsense\Quagga\OSPF';
 
+    public function searchNeighborAction()
+    {
+        return $this->searchBase('neighbors.neighbor');
+    }
+
+    public function getNeighborAction($uuid = null)
+    {
+        return $this->getBase('neighbor', 'neighbors.neighbor', $uuid);
+    }
+
+    public function addNeighborAction()
+    {
+        return $this->addBase('neighbor', 'neighbors.neighbor');
+    }
+
+    public function delNeighborAction($uuid)
+    {
+        return $this->delBase('neighbors.neighbor', $uuid);
+    }
+
+    public function setNeighborAction($uuid)
+    {
+        return $this->setBase('neighbor', 'neighbors.neighbor', $uuid);
+    }
+
     public function searchNetworkAction()
     {
         return $this->searchBase('networks.network');
@@ -117,6 +142,10 @@ public function setRoutemapAction($uuid)
     {
         return $this->setBase('routemap', 'routemaps.routemap', $uuid);
     }
+    public function toggleNeighborAction($uuid)
+    {
+        return $this->toggleBase('neighbors.neighbor', $uuid);
+    }
     public function toggleNetworkAction($uuid)
     {
         return $this->toggleBase('networks.network', $uuid);
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
index 584c5da005..434767c470 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
@@ -34,6 +34,9 @@ public function indexAction()
     {
         $this->view->generalForm = $this->getForm("ospf");
 
+        $this->view->formDialogEditOSPFNeighbor = $this->getForm("dialogEditOSPFNeighbor");
+        $this->view->formGridEditOSPFNeighbor = $this->getFormGrid("dialogEditOSPFNeighbor");
+
         $this->view->formDialogEditNetwork = $this->getForm("dialogEditOSPFNetwork");
         $this->view->formGridEditNetwork = $this->getFormGrid("dialogEditOSPFNetwork");
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNeighbor.xml
new file mode 100644
index 0000000000..ebb004765f
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFNeighbor.xml
@@ -0,0 +1,36 @@
+<form>
+  <field>
+    <id>neighbor.enabled</id>
+    <label>Enabled</label>
+    <type>checkbox</type>
+    <grid_view>
+      <width>6em</width>
+      <type>boolean</type>
+      <formatter>rowtoggle</formatter>
+    </grid_view>
+  </field>
+  <field>
+    <id>neighbor.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Optional description for the neighbor.</help>
+  </field>
+  <field>
+    <id>neighbor.address</id>
+    <label>Peer-IP</label>
+    <type>text</type>
+    <help>Specify the IP address of the OSPF neighbor.</help>
+  </field>
+  <field>
+    <id>neighbor.pollinterval</id>
+    <label>Poll-Interval</label>
+    <type>text</type>
+    <help>The poll-interval specifies the rate for sending hello packets to neighbors that are not active. When the configured neighbor is discovered, hello packets will be sent at the rate of the hello-interval. The default poll-interval is 60 seconds.</help>
+  </field>
+  <field>
+    <id>neighbor.priority</id>
+    <label>Priority</label>
+    <type>text</type>
+    <help>The priority is used to for the Designated Router (DR) election on non-broadcast multi-access networks.</help>
+  </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index f303a35bea..646ece6572 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -103,6 +103,30 @@
                         </linkedPrefixlistOut>
                 </network>
         </networks>
+        <neighbors>
+                <neighbor type="ArrayField">
+                        <enabled type="BooleanField">
+                                <default>1</default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <description type="DescriptionField">
+                                <Required>N</Required>
+                        </description>
+                        <address type="NetworkField">
+                                <Required>Y</Required>
+                        </address>
+                        <pollinterval type="IntegerField">
+                                <Required>N</Required>
+                                <MinimumValue>1</MinimumValue>
+                                <MaximumValue>65535</MaximumValue>
+                        </pollinterval>
+                        <priority type="IntegerField">
+                                <Required>N</Required>
+                                <MinimumValue>0</MinimumValue>
+                                <MaximumValue>255</MaximumValue>
+                        </priority>
+                </neighbor>
+        </neighbors>
         <interfaces>
                 <interface type="ArrayField">
                         <enabled type="BooleanField">
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 3cbbddce5d..036c55fb2a 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -51,6 +51,14 @@ POSSIBILITY OF SUCH DAMAGE.
             }
         });
 
+        $("#{{formGridEditOSPFNeighbor['table_id']}}").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/search_neighbor',
+            'get':'/api/quagga/ospfsettings/get_neighbor/',
+            'set':'/api/quagga/ospfsettings/set_neighbor/',
+            'add':'/api/quagga/ospfsettings/add_neighbor/',
+            'del':'/api/quagga/ospfsettings/del_neighbor/',
+            'toggle':'/api/quagga/ospfsettings/toggle_neighbor/'
+        });
         $("#{{formGridEditNetwork['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchNetwork',
             'get':'/api/quagga/ospfsettings/getNetwork/',
@@ -122,6 +130,7 @@ POSSIBILITY OF SUCH DAMAGE.
 <!-- Navigation bar -->
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
     <li><a data-toggle="tab" href="#networks">{{ lang._('Networks') }}</a></li>
     <li><a data-toggle="tab" href="#interfaces">{{ lang._('Interfaces') }}</a></li>
     <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
@@ -133,6 +142,10 @@ POSSIBILITY OF SUCH DAMAGE.
         {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_ospf_settings'])}}
         {{ partial('layout_partials/base_bootgrid_table', formGridEditRedistribution)}}
     </div>
+    <!-- Tab: Neighbors -->
+    <div id="neighbors" class="tab-pane fade in">
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditOSPFNeighbor)}}
+    </div>
     <!-- Tab: Networks -->
     <div id="networks" class="tab-pane fade in">
         {{ partial('layout_partials/base_bootgrid_table', formGridEditNetwork)}}
@@ -151,6 +164,7 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 </div>
 {{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditOSPFNeighbor,'id':formGridEditOSPFNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':formGridEditNetwork['edit_dialog_id'],'label':lang._('Edit Network')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':formGridEditPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index bd52044927..41ec0c5d6c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -58,6 +58,13 @@ router ospf
  redistribute {{ redistribution.redistribute }}{% if redistribution.linkedRoutemap %} route-map {{ helpers.getUUID(redistribution.linkedRoutemap).name }}{% endif +%}
 {%   endif %}
 {% endfor %}
+{%   if helpers.exists('OPNsense.quagga.ospf.neighbors.neighbor') %}
+{%     for neighbor in helpers.toList('OPNsense.quagga.ospf.neighbors.neighbor') %}
+{%       if neighbor.enabled == '1' %}
+ neighbor {{ neighbor.address }}{% if 'pollinterval' in neighbor and neighbor.pollinterval != '' %} poll-interval {{ neighbor.pollinterval }} {% endif %}{% if 'priority' in neighbor and neighbor.priority != '' %} priority {{ neighbor.priority }} {% endif +%}
+{%       endif %}
+{%     endfor %}
+{%   endif %}
 {% if helpers.exists('OPNsense.quagga.ospf.networks.network') %}
 {%   for network in helpers.toList('OPNsense.quagga.ospf.networks.network') %}
 {%     if network.enabled == '1' %}

From b0ab9598b201190d60c87963095596cb34bd1fd9 Mon Sep 17 00:00:00 2001
From: e-alfred <e-alfred@users.noreply.github.com>
Date: Tue, 13 May 2025 11:51:28 +0200
Subject: [PATCH 2438/3088] mail/postfix: Disable NTLM login because of
 deprectation (#4663)

* Disable NTLM login because of deprectation

As NTLMv1 gets disabled and removed by Microsoft [1] and NTLMv2 authentication is broken (causing authentication failures), NTLM should be disabled altogether in Postfix to force other auth options. If a SMTP server replies with AUTH NTLM LOGIN, it tries to use NTLM which fails if only NTLM v2 is enabled on the server.

[1] https://borncity.com/win/2024/12/23/windows-11-24h2-server-2025-ntlmv1-has-been-removed/

* Update pkg-descr

* Update Makefile

* Update mail/postfix/Makefile

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 mail/postfix/Makefile                                         | 3 +--
 mail/postfix/pkg-descr                                        | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Postfix/main.cf   | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index f0c2159c3b..5feb4c74f5 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.23
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.24
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index 6bce690ce3..f9756bc691 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.24
+
+* Disable broken, insecure, legacy NTLM authentication (contributed by Alfred Egger)
+
 1.23
 
 * Add support for Opportunistic DANE as SMTP client security level
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 2d462bb425..49419f5d14 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -157,7 +157,7 @@ relayhost = {{ OPNsense.postfix.general.relayhost }}
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
 smtp_sasl_security_options =
-smtp_sasl_mechanism_filter = !gssapi, !external, static:all
+smtp_sasl_mechanism_filter = !gssapi, !ntlm, !external, static:all
 {% endif %}
 
 {% if helpers.exists('OPNsense.postfix.general.permit_sasl_authenticated') and OPNsense.postfix.general.permit_sasl_authenticated == '1' %}

From 05584f96dfa4ea9569de0c84d2e4d9452ca2e38f Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 13 May 2025 19:37:30 +0200
Subject: [PATCH 2439/3088] www/caddy: Remove DNS Provider subsystem except
 cloudflare in favor of global custom config file (#4691)

* www/caddy: Remove DNS Provider subsystem except cloudflare. Since caddy-v2.10.0, a global DNS Provider can be set. This enables users to drop in a custom configuration file with their DNS Provider configuration into global settings, if they plan to supply their own custom build anyway. This change fixes the maintainability issues completely.

* www/caddy: Remove includeDnsProvider template

* www/caddy: Some minor cleanups in the form to reflect the Auto HTTPS and DNS Provider changes better
---
 .../Caddy/forms/dialogReverseProxy.xml        |   2 +-
 .../OPNsense/Caddy/forms/general.xml          |  60 +---
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  75 +----
 .../templates/OPNsense/Caddy/Caddyfile        |  57 +---
 .../OPNsense/Caddy/includeDnsProvider         | 314 ------------------
 5 files changed, 21 insertions(+), 487 deletions(-)
 delete mode 100644 www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index c9a7ff26da..06646cbfa3 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -46,7 +46,7 @@
         <label>Certificate</label>
         <type>dropdown</type>
         <style>selectpicker style_tls_reverse</style>
-        <help><![CDATA[Choose ACME to get automatic certificates with the built in ACME client; no additional plugin required. The "HTTP-01", "TLS-ALPN-01" or "DNS-01" challenge will be used to get automatic "Let's Encrypt" or "ZeroSSL" certificates. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
+        <help><![CDATA[Choose "Auto HTTPS" to get automatic "Let's Encrypt" or "ZeroSSL" certificates; no additional plugin required. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain, e.g., certificates managed by the optional os-acme-client plugin.]]></help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 2d5a1167b9..849ea61d7d 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -56,7 +56,7 @@
             <id>caddy.general.accesslist</id>
             <label>Trusted Proxies</label>
             <type>dropdown</type>
-            <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
+            <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. Access Lists can be added in "Reverse Proxy - Access". If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
         </field>
         <field>
             <id>caddy.general.ClientIpHeaders</id>
@@ -108,47 +108,13 @@
             <id>caddy.general.TlsDnsProvider</id>
             <label>DNS Provider</label>
             <type>dropdown</type>
-            <help><![CDATA[Select the DNS Provider for the DNS-01 Challenge and Dynamic DNS. Providers marked as "optional" must be installed manually, see https://caddyserver.com/docs/command-line#caddy-add-package. Important: When the version of the caddy binary changes, "optional" provider must be reinstalled. For more information, visit https://github.com/caddy-dns where each module is community maintained.]]></help>
-        </field>
-        <field>
-            <type>header</type>
-            <label>API Fields</label>
+            <help><![CDATA[Select the DNS Provider. If you cannot find your provider here, consider using os-acme-client for the DNS-01 Challenge and os-ddclient for Dynamic DNS as alternatives.]]></help>
         </field>
         <field>
             <id>caddy.general.TlsDnsApiKey</id>
-            <label>API Field 1</label>
-            <type>text</type>
-            <help><![CDATA[This is the standard field for the API Key. Field can be left empty if optional for the chosen provider. Cloudflare "api_token", Duckdns "api_token", DigitalOcean "auth_token", Godaddy "api_token", Gandi "bearer_token", IONOS "api_token", deSEC "token", Route53 "access_key_id", Porkbun "api_key", ACME-DNS "username", Netlify "personal_access_token", Njalla "api_token", Google Cloud DNS "gcp_project", Azure "tenant_id", OVH "endpoint", Namecheap "api_key", PowerDNS "server_url", DDNSS "api_token", Linode "api_token", Tencent Cloud "secret_id", Dinahosting "username", Hexonet "username", Mail-in-a-Box "api_url", DNS Made Easy "api_key", Bunny "access_key", Civo "api_token", Scaleway "secret_key", ACME Proxy "username", INWX "username", Netcup "customer_number", RFC2136 "key_name", Name.com "token", EasyDNS "api_token", Infomaniak "api_token", DirectAdmin "host", Hosttech "api_token", Vultr "api_token", Hetzner "api_token", ClouDNS "auth_id", Gcore "api_token", Huawei Cloud "access_key_id", DNSExit "api_token", Nanelo "api_token", Katapult "api_token", Regfish "api_key", Leaseweb "api_token", DreamHost "api_key", Exoscale "api_key", TransIP "account_name", Selectel "user", LuaDNS "email", Hurricane Electric "api_key", Namesilo "api_token", Dode "api_token", Dynu "api_token", Glesys "project", NFSN "login", GoDaddy "api_token", Vercel "api_token", Loopia "username", DNSPod "api_token", Mythic Beasts "key_id", Dynv6 "api_token", AliDNS "access_key_id", Metaname "api_key"]]></help>
-        </field>
-        <field>
-            <id>caddy.general.TlsDnsSecretApiKey</id>
-            <label>API Field 2</label>
-            <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Duckdns "override_domain", Route53 "secret_access_key", Porkbun "api_secret_key", ACME-DNS "password", Azure "client_id", OVH "application_key", Namecheap "user", PowerDNS "api_token", DDNSS "username", Linode "api_url", Tencent Cloud "secret_key", Dinahosting "password", Hexonet "password", Mail-in-a-Box "email_address", DNS Made Easy "secret_key", Scaleway "organization_id", ACME Proxy "password", INWX "password", Netcup "api_key", RFC2136 "key_alg", Name.com "server", EasyDNS "api_key", DirectAdmin "user", ClouDNS "auth_password", Huawei Cloud "secret_access_key", Exoscale "api_secret", TransIP "private_key_path", Selectel "password", LuaDNS "api_key", Dynu "own_domain", Glesys "api_key", NFSN "api_key", Loopia "password", Mythic Beasts "secret", AliDNS "access_key_secret", Metaname "account_reference"]]></help>
-        </field>
-        <field>
-            <id>caddy.general.TlsDnsOptionalField1</id>
-            <label>API Field 3</label>
-            <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Route53 "hosted_zone_id", ACME-DNS "subdomain", Azure "client_secret", OVH "application_secret", Namecheap "api_endpoint", DDNSS "password", Linode "api_version", Mail-in-a-Box "password", DNS Made Easy "api_endpoint", ACME Proxy "endpoint", INWX "shared_secret", Netcup "api_password", Name.com "user", EasyDNS "api_url", DirectAdmin "login_key", RFC2136 "key", ClouDNS "sub_auth_id", Selectel "account_id"]]></help>
-        </field>
-        <field>
-            <id>caddy.general.TlsDnsOptionalField2</id>
-            <label>API Field 4</label>
-            <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Route53 "profile", ACME-DNS "server_url", Azure "subscription_id", OVH "consumer_key", Namecheap "client_ip", DDNS "password", INWX "endpoint_url", DirectAdmin "insecure_requests", RFC2136 "server", Selectel "project_name"]]></help>
-        </field>
-        <field>
-            <id>caddy.general.TlsDnsOptionalField3</id>
-            <label>API Field 5</label>
+            <label>API Key</label>
             <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Route53 "region", Azure "resource_group_name"]]></help>
-        </field>
-        <field>
-            <id>caddy.general.TlsDnsOptionalField4</id>
-            <label>API Field 6</label>
-            <type>text</type>
-            <help><![CDATA[Leave empty if your DNS Provider isn't specified here. Field can be left empty if optional for the chosen provider. Route53 "session_token"]]></help>
+            <help><![CDATA[This is the standard field for the API Key.]]></help>
         </field>
         <field>
             <type>header</type>
@@ -190,42 +156,44 @@
             <type>text</type>
             <help><![CDATA[Enables Encrypted ClientHello (ECH) by using the specified public domain name as the plaintext server name (SNI) in TLS handshakes. More information: https://caddyserver.com/docs/caddyfile/options#ech]]></help>
         </field>
-    </tab>
-    <tab id="general-dynamicdns" description="Dynamic DNS">
+        <field>
+            <type>header</type>
+            <label>Dynamic DNS</label>
+        </field>
         <field>
             <id>caddy.general.DynDnsIpVersions</id>
-            <label>DynDns IP Version</label>
+            <label>IP Version</label>
             <type>dropdown</type>
             <help><![CDATA[Select the DynDns IP Version: "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
         </field>
         <field>
             <id>caddy.general.DynDnsUpdateOnly</id>
-            <label>DynDns Update Only</label>
+            <label>Update Only</label>
             <type>checkbox</type>
             <help><![CDATA[If enabled, no new DNS records will be created. Only existing records will be updated. This means that the A or AAAA records need to be created manually ahead of time.]]></help>
         </field>
         <field>
             <id>caddy.general.DynDnsInterval</id>
-            <label>DynDns Check Interval</label>
+            <label>Check Interval</label>
             <type>text</type>
             <hint>1800</hint>
             <help><![CDATA[Set the interval in seconds to poll for changes in the IP address. Leave empty to use system defaults.]]></help>
         </field>
         <field>
             <id>caddy.general.DynDnsTtl</id>
-            <label>DynDns TTL</label>
+            <label>Time to Live</label>
             <type>text</type>
             <help><![CDATA[Set the TTL (Time to Live) for DNS records in seconds. Leave empty to use the default of an already existing TTL (when updating only) or the default of the provider API (when creating new records). If explicitely set, values should be as defined in rfc2181 section 8.]]></help>
         </field>
         <field>
             <id>caddy.general.DynDnsSimpleHttp</id>
-            <label>DynDns Check Http</label>
+            <label>Check Http</label>
             <type>text</type>
             <help><![CDATA[Enter a URL to test the current IP address of the firewall via the HTTP protocol. This is generally not needed as Caddy uses default providers to test the current IP addresses. If a custom provider is preferred, enter the "https://" link to an IP address testing website.]]></help>
         </field>
         <field>
             <id>caddy.general.DynDnsInterface</id>
-            <label>DynDns Check Interface</label>
+            <label>Check Interface</label>
             <type>dropdown</type>
             <help><![CDATA[Select an interface to extract the current IP addresses of the firewall. This is generally not needed as Caddy uses default providers to test the current IP addresses. Depending on the specified DynDns IP Version, at most one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted.]]></help>
         </field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 7e9d03c246..b86ec3044d 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.6</version>
+    <version>1.3.7</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -24,79 +24,10 @@
             <TlsDnsProvider type="OptionField">
                 <BlankDesc>None (default)</BlankDesc>
                 <OptionValues>
-                    <cloudflare>Cloudflare (embedded)</cloudflare>
-                    <duckdns>Duck DNS (optional)</duckdns>
-                    <gandi>Gandi (optional)</gandi>
-                    <ionos>IONOS (optional)</ionos>
-                    <desec>Desec (optional)</desec>
-                    <porkbun>Porkbun (optional)</porkbun>
-                    <acmedns>ACME-DNS (optional)</acmedns>
-                    <azure>Azure (optional)</azure>
-                    <ovh>OVH (optional)</ovh>
-                    <namecheap>Namecheap (optional)</namecheap>
-                    <powerdns>PowerDNS (optional)</powerdns>
-                    <linode>Linode (optional)</linode>
-                    <hexonet>Hexonet (optional)</hexonet>
-                    <mailinabox>Mail-in-a-Box (optional)</mailinabox>
-                    <rfc2136>RFC2136 (optional)</rfc2136>
-                    <dnsmadeeasy>DNS Made Easy (optional)</dnsmadeeasy>
-                    <bunny>Bunny (optional)</bunny>
-                    <scaleway>Scaleway (optional)</scaleway>
-                    <acmeproxy>ACME Proxy (optional)</acmeproxy>
-                    <inwx>INWX (optional)</inwx>
-                    <netcup>Netcup (optional)</netcup>
-                    <namedotcom>Name.com (optional)</namedotcom>
-                    <infomaniak>Infomaniak (optional)</infomaniak>
-                    <directadmin>DirectAdmin (optional)</directadmin>
-                    <vultr>Vultr (optional)</vultr>
-                    <hetzner>Hetzner (optional)</hetzner>
-                    <digitalocean>DigitalOcean (optional)</digitalocean>
-                    <route53>Route53 (optional)</route53>
-                    <googleclouddns>Google Cloud DNS (optional)</googleclouddns>
-                    <netlify>Netlify (optional)</netlify>
-                    <ddnss>DDNSS (optional)</ddnss>
-                    <njalla>Njalla (optional)</njalla>
-                    <tencentcloud>Tencent Cloud (optional)</tencentcloud>
-                    <dinahosting>Dinahosting (optional)</dinahosting>
-                    <civo>Civo (optional)</civo>
-                    <easydns>EasyDNS (optional)</easydns>
-                    <hosttech>Hosttech (optional)</hosttech>
-                    <cloudns>ClouDNS (optional)</cloudns>
-                    <gcore>Gcore (optional)</gcore>
-                    <huaweicloud>Huawei Cloud (optional)</huaweicloud>
-                    <dnsexit>DNSExit (optional)</dnsexit>
-                    <nanelo>Nanelo (optional)</nanelo>
-                    <katapult>Katapult (optional)</katapult>
-                    <regfish>Regfish (optional)</regfish>
-                    <leaseweb>Leaseweb (optional)</leaseweb>
-                    <dreamhost>DreamHost (optional)</dreamhost>
-                    <exoscale>Exoscale (optional)</exoscale>
-                    <transip>TransIP (optional)</transip>
-                    <selectel>Selectel (optional)</selectel>
-                    <dnsimple>DNSimple (optional)</dnsimple>
-                    <luadns>LuaDNS (optional)</luadns>
-                    <he>Hurricane Electric (optional)</he>
-                    <namesilo>Namesilo (optional)</namesilo>
-                    <dode>Dode (optional)</dode>
-                    <dynu>Dynu (optional)</dynu>
-                    <glesys>Glesys (optional)</glesys>
-                    <nfsn>NFSN (optional)</nfsn>
-                    <godaddy>GoDaddy (optional)</godaddy>
-                    <vercel>Vercel (optional)</vercel>
-                    <loopia>Loopia (optional)</loopia>
-                    <dnspod>DNSPod (optional)</dnspod>
-                    <mythicbeasts>Mythic Beasts (optional)</mythicbeasts>
-                    <dynv6>Dynv6 (optional)</dynv6>
-                    <alidns>AliDNS (optional)</alidns>
-                    <metaname>Metaname (optional)</metaname>
+                    <cloudflare>Cloudflare</cloudflare>
                 </OptionValues>
             </TlsDnsProvider>
             <TlsDnsApiKey type="TextField"/>
-            <TlsDnsSecretApiKey type="TextField"/>
-            <TlsDnsOptionalField1 type="TextField"/>
-            <TlsDnsOptionalField2 type="TextField"/>
-            <TlsDnsOptionalField3 type="TextField"/>
-            <TlsDnsOptionalField4 type="TextField"/>
             <TlsDnsPropagationTimeout type="BooleanField"/>
             <TlsDnsPropagationTimeoutPeriod type="IntegerField">
                 <MinimumValue>1</MinimumValue>
@@ -266,7 +197,7 @@
                 <description type="DescriptionField"/>
                 <DnsChallenge type="BooleanField"/>
                 <CustomCertificate type="CertificateField">
-                    <BlankDesc>ACME</BlankDesc>
+                    <BlankDesc>Auto HTTPS</BlankDesc>
                 </CustomCertificate>
                 <AccessLog type="BooleanField"/>
                 <DynDns type="BooleanField"/>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index acbf13bc67..da616b4ed7 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -122,29 +122,9 @@
     #   Purpose: Sets up global configuration for Dynamic DNS. Caddy needs to be compiled with
     #            https://github.com/mholt/caddy-dynamicdns and https://github.com/caddy-dns. Otherwise the
     #            generated Caddyfile won't run. Each DNS Provider that is added below has to be compiled in.
-    #            Some Providers don't support setting A and AAAA-Records, like acmedns.
-    #            Most need specific configurations. Since only one provider can be used at the same time,
-    #            they all share the same fields for configuration.
-    #   Parameters:
-    #   - @param dnsProvider (string): Specifies the DNS provider for DDNS updates.
-    #   - @param dnsApiKey (string): The API key for authenticating with the DNS provider.
-    #   - @param dnsSecretApiKey (string): A secret API key or token for additional authentication security.
-    #   - @param dnsOptionalField1 to 4 (string): Optional configuration field for the DNS provider.
-    #   - @param dynDnsSimpleHttp (string): URL for a simple HTTP-based service to discover the server's public IP.
-    #   - @param dynDnsInterface (string): Network interface(s) to use for IP discovery.
-    #   - @param dynDnsCheckInterval (integer): Interval in seconds to check for IP changes. Can be empty for defaults.
-    #   - @param dynDnsIpVersions (string): The IP version(s) (IPv4, IPv6) for the DDNS update.
-    #   - @param dynDnsTtl (integer): Time-To-Live for the DNS records, in seconds. Can be empty for defaults.
-    #   - @param dynDnsDomains (list): Domains and subdomains list for which DDNS updates are enabled.
-    #   - @param dynDnsUpdateOnly (boolean): If set, only updates DNS records, not creating new ones.
     #}
     {% set dnsProvider = helpers.toList('Pischem.caddy.general.TlsDnsProvider') | first %}
     {% set dnsApiKey = generalSettings.TlsDnsApiKey %}
-    {% set dnsSecretApiKey = generalSettings.TlsDnsSecretApiKey %}
-    {% set dnsOptionalField1 = generalSettings.TlsDnsOptionalField1 %}
-    {% set dnsOptionalField2 = generalSettings.TlsDnsOptionalField2 %}
-    {% set dnsOptionalField3 = generalSettings.TlsDnsOptionalField3 %}
-    {% set dnsOptionalField4 = generalSettings.TlsDnsOptionalField4 %}
     {% set dynDnsSimpleHttp = generalSettings.DynDnsSimpleHttp %}
     {% set dynDnsInterface = generalSettings.DynDnsInterface %}
     {% set dynDnsUpdateOnly = generalSettings.DynDnsUpdateOnly %}
@@ -174,22 +154,9 @@
         {% endfor %}
     {% endfor %}
 
-    {% import "OPNsense/Caddy/includeDnsProvider" as dns_includes %}
-    {% set dnsProviderSpecialConfig = dns_includes.dnsProviderSpecialConfig() %}
-
-    {# Conditionally add the dynamic_dns section, acmedns provider is special, it does not support dynamic_dns. #}
-    {% if dnsProvider and dynDnsDomains|length > 0 and dnsProvider != "acmedns" %}
+    {% if dnsProvider and dynDnsDomains|length > 0 %}
         dynamic_dns {
-            {# duckdns provider is special, it has a different configuration for dynamic dns than for the dns-01 challenge. #}
-            {% if dnsProvider in dnsProviderSpecialConfig and dnsProvider != "duckdns" %}
-                provider {{ dnsProvider }} {
-                    {% set context_var = 'dnsProviderSpecialLogic' %}
-                    {% include "OPNsense/Caddy/includeDnsProvider" %}
-                }
-            {% else %}
-                {# Other DNS Providers fall under this default #}
                 provider {{ dnsProvider }} {{ dnsApiKey }}
-            {% endif %}
             domains {
                 {% for domain in dynDnsDomains %}
                     {{ domain }}
@@ -225,11 +192,7 @@
     #            https://caddyserver.com/docs/caddyfile/options#ech
     #}
     {% if generalSettings.TlsDnsEchDomain|default("") and dnsProvider %}
-        dns {{ dnsProvider }} {% if dnsProvider not in dnsProviderSpecialConfig %}{{ dnsApiKey }}{% else %}{
-            {% set context_var = 'dnsProviderSpecialLogic' %}
-            {% include "OPNsense/Caddy/includeDnsProvider" %}
-        }
-        {% endif +%}
+        dns {{ dnsProvider }} {{ dnsApiKey }}
         ech {{ generalSettings.TlsDnsEchDomain }}
     {% endif %}
 
@@ -323,11 +286,6 @@ http://{{ domain }} {
     clientAuthMode="",
     dnsProvider="",
     dnsApiKey="",
-    dnsSecretApiKey="",
-    tlsDnsOptionalField1="",
-    tlsDnsOptionalField2="",
-    tlsDnsOptionalField3="",
-    tlsDnsOptionalField4="",
     tlsDnsPropagationTimeout="",
     tlsDnsPropagationTimeoutPeriod="",
     tlsDnsPropagationDelay="",
@@ -337,11 +295,7 @@ http://{{ domain }} {
         tls {% if customCert %}/var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key{% endif %} {
             {% if not customCert and (dnsChallenge == "1" and dnsProvider) %}
             issuer acme {
-                dns {{ dnsProvider }} {% if dnsProvider not in dnsProviderSpecialConfig %}{{ dnsApiKey }}{% else %}{
-                    {% set context_var = 'dnsProviderSpecialLogic' %}
-                    {% include "OPNsense/Caddy/includeDnsProvider" %}
-                }
-                {% endif %}
+                dns {{ dnsProvider }} {{ dnsApiKey }}
 
                 {% if tlsDnsPropagationResolvers %}
                 resolvers {{ tlsDnsPropagationResolvers }}
@@ -622,11 +576,6 @@ http://{{ domain }} {
                 clientAuthMode=reverse.ClientAuthMode|default(""),
                 dnsProvider=generalSettings.TlsDnsProvider,
                 dnsApiKey=generalSettings.TlsDnsApiKey,
-                dnsSecretApiKey=generalSettings.TlsDnsSecretApiKey,
-                tlsDnsOptionalField1=generalSettings.TlsDnsOptionalField1,
-                tlsDnsOptionalField2=generalSettings.TlsDnsOptionalField2,
-                tlsDnsOptionalField3=generalSettings.TlsDnsOptionalField3,
-                tlsDnsOptionalField4=generalSettings.TlsDnsOptionalField4,
                 tlsDnsPropagationTimeout=generalSettings.TlsDnsPropagationTimeout,
                 tlsDnsPropagationTimeoutPeriod=generalSettings.TlsDnsPropagationTimeoutPeriod,
                 tlsDnsPropagationDelay=generalSettings.TlsDnsPropagationDelay,
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
deleted file mode 100644
index aa76b2ef76..0000000000
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeDnsProvider
+++ /dev/null
@@ -1,314 +0,0 @@
-{#
-# This file gets imported in two sections of the Caddyfile template
-# - Section: Dynamic DNS Global Configuration
-# - Macro: tls_configuration
-#
-# It only includes DNS Providers that need specific settings and do not default to
-# "dns {{ dnsProvider }} {{ dnsApiKey }}"
-#}
-{% macro dnsProviderSpecialConfig() %}
-    [
-        'duckdns',
-        'porkbun',
-        'desec',
-        'route53',
-        'acmedns',
-        'googleclouddns',
-        'azure',
-        'ovh',
-        'namecheap',
-        'powerdns',
-        'ddnss',
-        'linode',
-        'tencentcloud',
-        'dinahosting',
-        'hexonet',
-        'mailinabox',
-        'netcup',
-        'rfc2136',
-        'dnsmadeeasy',
-        'civo',
-        'scaleway',
-        'acmeproxy',
-        'inwx',
-        'namedotcom',
-        'easydns',
-        'directadmin',
-        'cloudns',
-        'huaweicloud',
-        'regfish',
-        'dreamhost',
-        'exoscale',
-        'transip',
-        'selectel',
-        'luadns',
-        'he',
-        'dynu',
-        'glesys',
-        'nfsn',
-        'loopia',
-        'mythicbeasts',
-        'alidns',
-        'metaname'
-    ]
-{% endmacro %}
-{% if context_var == 'dnsProviderSpecialLogic' %}
-{% if dnsProvider == 'duckdns' %}
-    {% if dnsApiKey %}api_token {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}override_domain {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'porkbun' %}
-    {% if dnsApiKey %}api_key {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_secret_key {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'desec' %}
-    {% if dnsApiKey %}token {{ dnsApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'route53' %}
-    {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}hosted_zone_id {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}profile {{ dnsOptionalField2 }}
-    {% endif %}
-    {% if dnsOptionalField3 %}region {{ dnsOptionalField3 }}
-    {% endif %}
-    {% if dnsOptionalField4 %}session_token {{ dnsOptionalField4 }}
-    {% endif %}
-{% elif dnsProvider == 'acmedns' %}
-    {% if dnsApiKey %}username {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}subdomain {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}server_url {{ dnsOptionalField2 }}
-    {% endif %}
-{% elif dnsProvider == 'googleclouddns' %}
-    {% if dnsApiKey %}gcp_project {{ dnsApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'azure' %}
-    {% if dnsApiKey %}tenant_id {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}client_id {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}client_secret {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}subscription_id {{ dnsOptionalField2 }}
-    {% endif %}
-    {% if dnsOptionalField3 %}resource_group_name {{ dnsOptionalField3 }}
-    {% endif %}
-{% elif dnsProvider == 'ovh' %}
-    {% if dnsApiKey %}endpoint {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}application_key {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}application_secret {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}consumer_key {{ dnsOptionalField2 }}
-    {% endif %}
-{% elif dnsProvider == 'namecheap' %}
-    {% if dnsApiKey %}api_key {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}client_ip {{ dnsOptionalField2 }}
-    {% endif %}
-{% elif dnsProvider == 'powerdns' %}
-    {% if dnsApiKey %}server_url {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_token {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'ddnss' %}
-    {% if dnsApiKey %}api_token {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}username {{ dnsSecretApiKey }}
-    {% endif %}
-    password {{ dnsOptionalField1 }}
-{% elif dnsProvider == 'linode' %}
-    {% if dnsApiKey %}api_token {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_url {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}api_version {{ dnsOptionalField1 }}
-    {% endif %}
-{% elif dnsProvider == 'tencentcloud' %}
-    {% if dnsApiKey %}secret_id {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'dinahosting' %}
-    {% if dnsApiKey %}username {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'hexonet' %}
-    {% if dnsApiKey %}username {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'mailinabox' %}
-    {% if dnsApiKey %}api_url {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}email_address {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}password {{ dnsOptionalField1 }}
-    {% endif %}
-{% elif dnsProvider == 'netcup' %}
-    {% if dnsApiKey %}customer_number {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}api_password {{ dnsOptionalField1 }}
-    {% endif %}
-{% elif dnsProvider == 'rfc2136' %}
-    {% if dnsApiKey %}key_name {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}key_alg {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}key {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}server {{ dnsOptionalField2 }}
-    {% endif %}
-{% elif dnsProvider == 'dnsmadeeasy' %}
-    {% if dnsApiKey %}api_key {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}secret_key {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}api_endpoint {{ dnsOptionalField1 }}
-    {% endif %}
-{% elif dnsProvider == 'civo' %}
-    {% if dnsApiKey %}api_token {{ dnsApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'scaleway' %}
-    {% if dnsApiKey %}secret_key {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}organization_id {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'acmeproxy' %}
-    {% if dnsApiKey %}username {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}endpoint {{ dnsOptionalField1 }}
-    {% endif %}
-{% elif dnsProvider == 'inwx' %}
-    {% if dnsApiKey %}username {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}shared_secret {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}endpoint_url {{ dnsOptionalField2 }}
-    {% endif %}
-{% elif dnsProvider == 'namedotcom' %}
-    {% if dnsApiKey %}token {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}server {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}user {{ dnsOptionalField1 }}
-    {% endif %}
-{% elif dnsProvider == 'easydns' %}
-    {% if dnsApiKey %}api_token {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}api_url {{ dnsOptionalField1 }}
-    {% endif %}
-{% elif dnsProvider == 'directadmin' %}
-    {% if dnsApiKey %}host {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}user {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}login_key {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}insecure_requests {{ dnsOptionalField2 }}
-    {% endif %}
-{% elif dnsProvider == 'cloudns' %}
-    {% if dnsApiKey %}auth_id {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}auth_password {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}sub_auth_id {{ dnsOptionalField1 }}
-    {% endif %}
-{% elif dnsProvider == 'huaweicloud' %}
-    {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}secret_access_key {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'regfish' %}
-    {% if dnsApiKey %}api_key {{ dnsApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'dreamhost' %}
-    {% if dnsApiKey %}api_key {{ dnsApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'exoscale' %}
-    {% if dnsApiKey %}api_key {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_secret {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'transip' %}
-    {% if dnsApiKey %}account_name {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}private_key_path {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'selectel' %}
-    {% if dnsApiKey %}user {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-    {% endif %}
-    {% if dnsOptionalField1 %}account_id {{ dnsOptionalField1 }}
-    {% endif %}
-    {% if dnsOptionalField2 %}project_name {{ dnsOptionalField2 }}
-    {% endif %}
-{% elif dnsProvider == 'luadns' %}
-    {% if dnsApiKey %}email {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'he' %}
-    {% if dnsApiKey %}api_key {{ dnsApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'dynu' %}
-    {% if dnsApiKey %}api_token {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}own_domain {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'glesys' %}
-    {% if dnsApiKey %}project {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'nfsn' %}
-    {% if dnsApiKey %}login {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}api_key {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'loopia' %}
-    {% if dnsApiKey %}username {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}password {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'mythicbeasts' %}
-    {% if dnsApiKey %}key_id {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}secret {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'alidns' %}
-    {% if dnsApiKey %}access_key_id {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}access_key_secret {{ dnsSecretApiKey }}
-    {% endif %}
-{% elif dnsProvider == 'metaname' %}
-    {% if dnsApiKey %}api_key {{ dnsApiKey }}
-    {% endif %}
-    {% if dnsSecretApiKey %}account_reference {{ dnsSecretApiKey }}
-    {% endif %}
-{% endif %}
-{% endif %}

From 72b3fef223c10f29858b31b1612df1987560ef41 Mon Sep 17 00:00:00 2001
From: Marcel Ritter <marcel+it+github@linux-ng.de>
Date: Wed, 14 May 2025 08:36:01 +0200
Subject: [PATCH 2440/3088] Added AccountingServer options (#4669)

Co-authored-by: Marcel Ritter <marcel+git@linux-ng.de>
---
 .../service/templates/OPNsense/RadSecProxy/radsecproxy.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
index 45dcc4c3ab..57ccea9fe5 100644
--- a/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
+++ b/net/radsecproxy/src/opnsense/service/templates/OPNsense/RadSecProxy/radsecproxy.conf
@@ -221,6 +221,12 @@ realm {{ realm.realm }} {
   Server {{ server.identifier }}
 {% endfor %}
 {% endif %}
+{% if realm.accountingServer is defined and realm.accountingServer != "" %}
+{% for serverUuid in realm.accountingServer.split(',') %}
+{% set accountingServer = helpers.getUUID(serverUuid) %}
+  AccountingServer {{ accountingServer.identifier }}
+{% endfor %}
+{% endif %}
 {% if realm.replyMessage is defined and realm.replyMessage != "" %}
   ReplyMessage "{{ realm.replyMessage }}"
 {% endif %}

From 88f680415fc76d9e7600e06f6b69f73d2ee34589 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 May 2025 08:39:36 +0200
Subject: [PATCH 2441/3088] net/radsecproxy: new version

---
 net/radsecproxy/Makefile  |  3 +--
 net/radsecproxy/pkg-descr | 11 +++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/net/radsecproxy/Makefile b/net/radsecproxy/Makefile
index e358659a05..bd0443bdc6 100644
--- a/net/radsecproxy/Makefile
+++ b/net/radsecproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		radsecproxy
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
 PLUGIN_DEPENDS=		radsecproxy
 PLUGIN_MAINTAINER=	tobias@boehnert.dev
diff --git a/net/radsecproxy/pkg-descr b/net/radsecproxy/pkg-descr
index ef872b8a71..b7d0cefc83 100644
--- a/net/radsecproxy/pkg-descr
+++ b/net/radsecproxy/pkg-descr
@@ -3,3 +3,14 @@ transport, also supports TLS (RadSec), as well as RADIUS
 over TCP and DTLS. The aim is for the proxy to have
 sufficient features to be flexible, while at the same time
 to be small, efficient and easy to configure.
+
+Plugin Changelog
+================
+
+1.1
+
+* Added AccountingServer options (contributed by Marcel Ritter)
+
+1.0
+
+* Initial release (contributed by Tobias Boehnert)

From 10993e82989115054529525b50c4dedfc522abda Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 14 May 2025 08:51:08 +0200
Subject: [PATCH 2442/3088] Update squid.conf (#4688)

---
 .../src/opnsense/service/templates/OPNsense/Proxy/squid.conf     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index f3ff389363..63d948db3d 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -84,6 +84,7 @@ ssl_bump peek bump_step2 bump_nobumpsites
 ssl_bump splice bump_step3 bump_nobumpsites
 ssl_bump stare bump_step2
 ssl_bump bump bump_step3
+sslproxy_cert_error allow bump_nobumpsites
 {% endif %}
 
 sslproxy_cert_error deny all

From 84904b71aa529ee1ed0d7fd1494c96aeeaf882bd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 May 2025 08:52:06 +0200
Subject: [PATCH 2443/3088] sysutils/beats: final changes before release

---
 README.md                                                      | 2 +-
 sysutils/beats/Makefile                                        | 3 +--
 .../app/controllers/OPNsense/Beats/Api/ServiceController.php   | 1 +
 .../src/opnsense/service/conf/actions.d/actions_beats.conf     | 3 ++-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 775f70a03d..fd94485a85 100644
--- a/README.md
+++ b/README.md
@@ -96,7 +96,7 @@ security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
 sysutils/apuled -- PC Engine APU LED control (development only)
-sysutils/beats -- Send logs, network, metrics and heartbeat to Elasticsearch (development only)
+sysutils/beats -- Send logs, network, metrics and heartbeat to Elasticsearch
 sysutils/cpu-microcode -- CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
diff --git a/sysutils/beats/Makefile b/sysutils/beats/Makefile
index cf63c1365f..1c44aecf4d 100644
--- a/sysutils/beats/Makefile
+++ b/sysutils/beats/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		beats
-PLUGIN_VERSION=		0.1
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Send logs, network, metrics and heartbeat to Elasticsearch
 PLUGIN_DEPENDS=		beats8
 PLUGIN_MAINTAINER=	0xThiebaut
diff --git a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/ServiceController.php b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/ServiceController.php
index 25187e3f55..f0526d7be8 100755
--- a/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/ServiceController.php
+++ b/sysutils/beats/src/opnsense/mvc/app/controllers/OPNsense/Beats/Api/ServiceController.php
@@ -40,6 +40,7 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/Beats';
     protected static $internalServiceEnabled = 'enabled';
     protected static $internalServiceName = 'beats';
+
     protected function reconfigureForceRestart()
     {
         return 0;
diff --git a/sysutils/beats/src/opnsense/service/conf/actions.d/actions_beats.conf b/sysutils/beats/src/opnsense/service/conf/actions.d/actions_beats.conf
index 47a4226d32..4fb0ea897b 100644
--- a/sysutils/beats/src/opnsense/service/conf/actions.d/actions_beats.conf
+++ b/sysutils/beats/src/opnsense/service/conf/actions.d/actions_beats.conf
@@ -17,7 +17,8 @@ type:script
 message:restarting Filebeat
 
 [status]
-command:/usr/local/etc/rc.d/filebeat status; exit 0
+command:/usr/local/etc/rc.d/filebeat status
 parameters:
+errors:no
 type:script_output
 message:requesting Filebeat status

From 856d3ab7cec680a3419d901cf12cb1f0a24ad359 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 May 2025 09:09:23 +0200
Subject: [PATCH 2444/3088] net/frr: new version for later release

---
 net/frr/Makefile  | 3 +--
 net/frr/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 200a3cda59..0b628771b8 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.44
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.45
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr8-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 1ade2ccc62..b017951127 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.45
+
+* Add neighbor config to OSPF (contributed by Andy Binder)
+
 1.44
 
 * Add BGP allowas-in (opnsense/plugins/issues/4586)

From 601e0ee2eeb633a9eec9d96df1dcd6f1258a8191 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 May 2025 09:11:25 +0200
Subject: [PATCH 2445/3088] www/squid: new revision

---
 www/squid/Makefile  | 1 +
 www/squid/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 4b52c49d89..64751adc7d 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index 9cf9b217d8..aa23c609c6 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 
 * Change cache_dir from "ufs" to "rock" (contributed by Andy Binder)
 * Authenticate before blocklist (contributed by Andy Binder)
+* Do not reject no-bump sites when certificate validation fails (contributed by Michael Muenz)
 
 1.1
 

From a5fdb9ccd1ccdf885156a702cda8920f08bb16fd Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 14 May 2025 13:07:48 +0200
Subject: [PATCH 2446/3088] www/caddy: Add changelogs and bump plugin to
 version 2.0.0 (#4703)

* www/caddy: Update pkg-descr

* www/caddy: Bump version

* www/caddy: Sync pkg-descr with available description in github.com/caddyserver
---
 www/caddy/Makefile  |  3 +--
 www/caddy/pkg-descr | 23 +++++++++++++++--------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index c4d64d5759..a96b003698 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		1.8.5
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		2.0.0
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 9fa23bafa6..5675bdbf04 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -1,11 +1,4 @@
-Caddy - The Ultimate Server - makes your sites more secure, more reliable, and more scalable than any other solution.
-By default, Caddy automatically obtains and renews TLS certificates (Let's Encrypt and ZeroSSL) for all your sites.
-It's the most advanced HTTPS server in the world.
-
-* Reverse Proxy HTTP, HTTPS and WebSockets
-* Route UDP/TCP traffic with the included Layer4 module: https://github.com/mholt/caddy-l4
-* Dynamic DNS module included: https://github.com/mholt/caddy-dynamicdns
-* Large selection of DNS Providers available: https://github.com/caddy-dns
+Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
 
 WWW: https://caddyserver.com/
 DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
@@ -13,6 +6,20 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+2.0.0
+
+* Attention - Breaking Change: All DNS Providers except Cloudflare have been removed and will not come back (opnsense/plugins/pull/4691)
+              Going forward, if DNS-01 challenge or Dynamic DNS is a requirement, you could use os-acme-client and os-ddclient.
+              Another option is to migrate to Cloudflare, as this module will stay a core component.
+
+* Add: Request Matcher option to Access List (contributed by spawntty) (opnsense/plugins/pull/4680)
+* Add: ECH can configure encrypted client hello with Cloudflare (opnsense/plugins/pull/4673)
+* Add: Client Auth (mTLS) to subdomains (opnsense/plugins/pull/4673)
+* Build: Update to caddy-v2.10.0 (opnsense/tools/pull/469)
+* Change: Render subdomains in a new pattern in the Caddyfile to adhere to caddy-v2.10.0 standard (opnsense/plugins/pull/4673)
+* Change: Show only wildcard domains in subdomain selection (opnsense/plugins/pull/4646)
+* Fix: Missing translation and toggle filter icon (opnsense/plugins/pull/4648)
+
 1.8.5
 
 * Add: basic_auth per handler (opnsense/plugins/issues/4619)

From a3575183ddc7b6841b395954963d9911e8f0e99a Mon Sep 17 00:00:00 2001
From: Meliox <5264368+Meliox@users.noreply.github.com>
Date: Wed, 21 May 2025 08:57:53 +0200
Subject: [PATCH 2447/3088] dns/ddclient: empty ip send to dns provider &
 replace dyndns by dynu (#4448)

* check for empty string ip address

* Replace dyndns ipv4 by dynu ipv6 and ipv4

* Add services and cleaner check of no ip

* PR feedback - revert

* Update dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py

---------

Co-authored-by: Meliox <na>
Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com>
---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 3 ++-
 .../src/opnsense/scripts/ddclient/lib/account/__init__.py      | 2 +-
 dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py      | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 4554ff7514..609ff3a1ba 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -142,7 +142,8 @@
                         <web_cloudflare>cloudflare</web_cloudflare>
                         <web_cloudflare_ipv4 value="cloudflare-ipv4">cloudflare-ipv4</web_cloudflare_ipv4>
                         <web_cloudflare_ipv6 value="cloudflare-ipv6">cloudflare-ipv6</web_cloudflare_ipv6>
-                        <web_dyndns>dyndns</web_dyndns>
+                        <web_dynu_ipv4 value="dynu-ipv4">dynu-ipv4</web_dynu_ipv4>
+                        <web_dynu_ipv6 value="dynu-ipv6">dynu-ipv6</web_dynu_ipv6>
                         <web_freedns>freedns</web_freedns>
                         <web_he>he</web_he>
                         <web_icanhazip>icanhazip</web_icanhazip>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
index 7b600eb579..811733acee 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/__init__.py
@@ -122,7 +122,7 @@ def execute(self):
             dynipv6host = self.settings['dynipv6host'] if self.settings.get('dynipv6host' ,'').strip() != '' else None
         )
 
-        if self._current_address == None:
+        if not self._current_address:
             syslog.syslog(
                 syslog.LOG_WARNING,
                 "Account %s no global IP address detected, check config if warning persists" % (self.description)
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index e7dd3edef0..44ad79299a 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -35,7 +35,8 @@
   'cloudflare': '%s://one.one.one.one/cdn-cgi/trace',
   'cloudflare-ipv4': '%s://1.1.1.1/cdn-cgi/trace',
   'cloudflare-ipv6': '%s://[2606:4700:4700::1111]/cdn-cgi/trace',
-  'dyndns': '%s://checkip.dyndns.org/',
+  'dynu-ipv4': '%s://ipcheck.dynu.com/',
+  'dynu-ipv6': '%s://ipcheckv6.dynu.com/',
   'freedns': '%s://freedns.afraid.org/dynamic/check.php',
   'he': '%s://checkip.dns.he.net/',
   'icanhazip': '%s://icanhazip.com/',

From 024f1017fb070ff12e89b5e8491a0b65752041eb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 22 May 2025 08:10:36 +0200
Subject: [PATCH 2448/3088] dns/ddclient: pick up this fix

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index fe09e3613f..36532cc4a0 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.27
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 2809acd262..f50bc5346b 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 * Add support for altering IPv6 addresses in native backend (contributed by SaarLAN-Pissbeutel)
 * Add Akamai to checkip providers (contributed by Rajiv Aaron Manglani)
 * Fix Netcup host/domain recognition (contributed by SaarLAN-Pissbeutel)
+* Empty IP send to DNS provider and replace dyndns by dynu (contributed by Meliox)
 * Removed defunct ip4only.me and ip6only.me
 
 1.26

From eac547341aead0d2830328c02f2bb21e9cabf924 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 22 May 2025 08:14:56 +0200
Subject: [PATCH 2449/3088] Framwwork: stray newline

---
 Mk/defaults.mk | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 9795559485..62a0643513 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -66,7 +66,6 @@ _PLUGIN_PYTHON!=${PYTHONLINK} -V
 PLUGIN_PYTHON?=	${_PLUGIN_PYTHON:[2]:S/./ /g:[1..2]:tW:S/ //}
 .endif
 
-
 .for REPLACEMENT in ABI PHP PYTHON
 . if empty(PLUGIN_${REPLACEMENT})
 .  warning Cannot build without PLUGIN_${REPLACEMENT} set

From f1ffc53eb786c79c19a14d1f9f7530353ff5f4b9 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Thu, 22 May 2025 08:44:49 +0200
Subject: [PATCH 2450/3088] www/squid: select behavior for banned hosts (#4710)

---
 .../controllers/OPNsense/Proxy/forms/main.xml  |  6 ++++++
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml    |  4 ++++
 .../templates/OPNsense/Proxy/squid.acl.conf    | 18 +++++++++++++++++-
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 309053bf1e..8c01e6af79 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -421,6 +421,12 @@
                 <help>Type IP addresses you want to deny access to the proxy server.</help>
                 <allownew>true</allownew>
             </field>
+            <field>
+                <id>proxy.forward.acl.allowWhitelistBannedHosts</id>
+                <label>Whitelist access for banned hosts</label>
+                <type>checkbox</type>
+                <help>Allows banned hosts to access domains listed in whitelist.</help>
+            </field>
             <field>
                 <id>proxy.forward.acl.whiteList</id>
                 <label>Whitelist</label>
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 9421f1ee3c..4954eefff2 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -355,6 +355,10 @@
                 <bannedHosts type="CSVListField">
                     <Mask>/^([\/0-9a-fA-F.:,])*/u</Mask>
                 </bannedHosts>
+                <allowWhitelistBannedHosts type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </allowWhitelistBannedHosts>
                 <whiteList type="CSVListField"/>
                 <blackList type="CSVListField"/>
                 <browser type="CSVListField"/>
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
index 16a07929d3..b30258cb3e 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf
@@ -14,6 +14,20 @@ adaptation_access request_mod allow unrestricted
 http_access allow unrestricted
 {% endif %}
 
+{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') and OPNsense.proxy.forward.acl.allowWhitelistBannedHosts|default('1') == '0' %}
+
+# ACL list (Deny) banned hosts
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
+adaptation_access response_mod deny bannedHosts
+{%   endif %}
+{%   if helpers.exists('OPNsense.proxy.forward.icap.RequestURL') %}
+adaptation_access request_mod deny bannedHosts
+{%   endif %}
+{% endif %}
+http_access deny bannedHosts
+{% endif %}
+
 {% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
 
 # ACL list (Allow) whitelist
@@ -139,7 +153,9 @@ adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNs
 
 http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
 
-{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
+{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') and OPNsense.proxy.forward.acl.allowWhitelistBannedHosts|default('1')  == '1' %}
+
+# ACL list (Deny) banned hosts
 {% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
 {%   if helpers.exists('OPNsense.proxy.forward.icap.ResponseURL') %}
 adaptation_access response_mod deny bannedHosts

From c0e59df84fba98d86f03796e90a9b582771add97 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 22 May 2025 09:25:23 +0200
Subject: [PATCH 2451/3088] www/squid: bump

---
 www/squid/Makefile                                             | 2 +-
 www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 64751adc7d..68c864957f 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_TIER=		2
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 4954eefff2..76cd139f4e 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/proxy</mount>
-    <version>1.0.8</version>
+    <version>1.0.9</version>
     <description>Squid web proxy settings</description>
     <items>
         <general>

From d64bc86a955a2b4d0037201191af2b09a16766ae Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 23 May 2025 10:48:42 +0200
Subject: [PATCH 2452/3088] security/acme-client: reload www/caddy automation
 added (#4692)

* security/acme-client: reload www/caddy automation added
---
 .../LeAutomation/ConfigdReloadCaddy.php       | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdReloadCaddy.php

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdReloadCaddy.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdReloadCaddy.php
new file mode 100644
index 0000000000..3acd8c0085
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/ConfigdReloadCaddy.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Cedrik Pischem
+ * Copyright (C) 2020-2021 Frank Wall
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Caddy only needs a reload when certificates change
+ * @package OPNsense\AcmeClient
+ */
+class ConfigdReloadCaddy extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->command = 'caddy reload';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 571de00bc7..b1efacf4ac 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1338,6 +1338,7 @@
                         <configd_restart_gui>Restart OPNsense Web UI</configd_restart_gui>
                         <configd_restart_haproxy>Restart HAProxy (OPNsense plugin)</configd_restart_haproxy>
                         <configd_restart_nginx>Restart Nginx (OPNsense plugin)</configd_restart_nginx>
+                        <configd_reload_caddy>Reload Caddy (OPNsense plugin)</configd_reload_caddy>
                         <configd_upload_sftp>Upload certificate via SFTP</configd_upload_sftp>
                         <configd_remote_ssh>Remote Command via SSH</configd_remote_ssh>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>

From bc2bb3d9827b8725d0df3064befc48ee0374bc29 Mon Sep 17 00:00:00 2001
From: Zach Bensley <zach+github@bensley.id.au>
Date: Fri, 23 May 2025 21:42:38 +0800
Subject: [PATCH 2453/3088] www/caddy: Add active health checks (#4721)

* www/caddy: Add active health checks

* www/caddy: Update Caddy model validation rules for health checks

Adjusted regex masks for `health_uri`, `health_upstream`, and `health_status` fields to improve validation accuracy. Changed `health_upstream` to `IPPortField` for better type handling.

* www/caddy: Moved Active checks after Passive checks in UI.
Use defaults for health_upstream IPPortField

* www/caddy: fix default for `health_follow_redirects`
---
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 107 ++++++++++++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  32 ++++++
 .../templates/OPNsense/Caddy/Caddyfile        |  30 +++++
 3 files changed, 169 insertions(+)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index d80d495cfd..33407457ca 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -340,4 +340,111 @@
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>handle.health_uri</id>
+        <label>Active Health URI</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <help><![CDATA[health_uri is the URI path (and optional query) for active health checks.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_upstream</id>
+        <label>Active Health Upstream</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <help><![CDATA[health_upstream is the ip:port to use for active health checks, if different from the upstream. This should be used in tandem with health_header and {http.reverse_proxy.active.target_upstream}]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_port</id>
+        <label>Active Health Port</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <help><![CDATA[health_port is the port to use for active health checks, if different from the upstream's port. Ignored if health_upstream is used.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_interval</id>
+        <label>Active Health Interval</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>30</hint>
+        <help><![CDATA[health_interval is a duration value that defines how often to perform active health checks. Default: 30s.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_passes</id>
+        <label>Active Health Passes</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>1</hint>
+        <help><![CDATA[health_passes is the number of consecutive health checks required before marking the backend as healthy again. Default: 1.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_fails</id>
+        <label>Active Health Fails</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>1</hint>
+        <help><![CDATA[health_fails is the number of consecutive health checks required before marking the backend as unhealthy. Default: 1.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_timeout</id>
+        <label>Active Health Timeout</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>5</hint>
+        <help><![CDATA[health_timeout is a duration value that defines how long to wait for a reply before marking the backend as down. Default: 5s.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_status</id>
+        <label>Active Health Status</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <hint>200</hint>
+        <help><![CDATA[health_status is the HTTP status code to expect from a healthy backend. Can be a 3-digit status code, or a status code class ending in xx. For example: 200 (which is the default), or 2xx.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_body</id>
+        <label>Active Health Body</label>
+        <type>text</type>
+        <style>style_reverse_proxy</style>
+        <help><![CDATA[health_body is a substring or regular expression to match on the response body of an active health check. If the backend does not return a matching body, it will be marked as down.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+    <field>
+        <id>handle.health_follow_redirects</id>
+        <label>Active Health Follow Redirects</label>
+        <type>checkbox</type>
+        <style>style_reverse_proxy</style>
+        <help><![CDATA[health_follow_redirects will cause the health check to follow redirects provided by upstream. By default, a redirect response would cause the health check to count as a fail.]]></help>
+        <grid_view>
+            <visible>false</visible>
+            <type>boolean</type>
+            <formatter>boolean</formatter>
+        </grid_view>
+    </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index b86ec3044d..3bf5aa4c3b 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -457,6 +457,38 @@
                     <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
                 </PassiveHealthUnhealthyRequestCount>
                 <description type="DescriptionField"/>
+                <health_uri type="TextField">
+                    <mask>/^(\/.*)?$/u</mask>
+                    <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
+                </health_uri>
+                <health_upstream type="IPPortField"/>
+                <health_port type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                    <ValidationMessage>Please enter a minimum value of 1-65535 or leave empty for defaults.</ValidationMessage>
+                </health_port>
+                <health_interval type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </health_interval>
+                <health_passes type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </health_passes>
+                <health_fails type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </health_fails>
+                <health_timeout type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
+                </health_timeout>
+                <health_status type="TextField">
+                    <mask>/^(100|[1-5][0-9]{2}|[1-5]xx)$/u</mask>
+                    <ValidationMessage>Please enter a 3-digit status code or a status code ending in xx or leave empty for defaults.</ValidationMessage>
+                </health_status>
+                <health_body type="TextField"/>
+                <health_follow_redirects type="BooleanField"/>
             </handle>
             <accesslist type="ArrayField">
                 <accesslistName type="DescriptionField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index da616b4ed7..b8fc14f8c3 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -415,6 +415,36 @@ http://{{ domain }} {
             {% if handle.lb_try_interval|default("") %}
                 lb_try_interval {{ handle.lb_try_interval }}ms
             {% endif %}
+            {% if handle.health_uri|default("") %}
+                health_uri {{ handle.health_uri }}
+            {% endif %}
+            {% if handle.health_upstream|default("") %}
+                health_uri {{ handle.health_upstream }}
+            {% endif %}
+            {% if handle.health_port|default("") %}
+                health_uri {{ handle.health_port }}
+            {% endif %}
+            {% if handle.health_interval|default("") %}
+                health_uri {{ handle.health_interval }}s
+            {% endif %}
+            {% if handle.health_passes|default("") %}
+                health_uri {{ handle.health_passes }}
+            {% endif %}
+            {% if handle.health_fails|default("") %}
+                health_uri {{ handle.health_fails }}
+            {% endif %}
+            {% if handle.health_timeout|default("") %}
+                health_uri {{ handle.health_timeout }}s
+            {% endif %}
+            {% if handle.health_status|default("") %}
+                health_uri {{ handle.health_status }}
+            {% endif %}
+            {% if handle.health_body|default("") %}
+                health_uri {{ handle.health_body }}
+            {% endif %}
+            {% if handle.health_follow_redirects|default("0") == "1" %}
+                health_follow_redirects
+            {% endif %}
             {% if handle.PassiveHealthFailDuration|default("") %}
                 fail_duration {{ handle.PassiveHealthFailDuration }}s
             {% endif %}

From 90fedaaee3a238b839e16458d6afe89e884035fb Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sun, 25 May 2025 16:06:16 +0200
Subject: [PATCH 2454/3088] www/caddy: Fix active health check in template from
 https://github.com/opnsense/plugins/pull/4721 (#4725)

---
 .../service/templates/OPNsense/Caddy/Caddyfile   | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index b8fc14f8c3..7c30c2f682 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -419,28 +419,28 @@ http://{{ domain }} {
                 health_uri {{ handle.health_uri }}
             {% endif %}
             {% if handle.health_upstream|default("") %}
-                health_uri {{ handle.health_upstream }}
+                health_upstream {{ handle.health_upstream }}
             {% endif %}
             {% if handle.health_port|default("") %}
-                health_uri {{ handle.health_port }}
+                health_port {{ handle.health_port }}
             {% endif %}
             {% if handle.health_interval|default("") %}
-                health_uri {{ handle.health_interval }}s
+                health_interval {{ handle.health_interval }}s
             {% endif %}
             {% if handle.health_passes|default("") %}
-                health_uri {{ handle.health_passes }}
+                health_passes {{ handle.health_passes }}
             {% endif %}
             {% if handle.health_fails|default("") %}
-                health_uri {{ handle.health_fails }}
+                health_fails {{ handle.health_fails }}
             {% endif %}
             {% if handle.health_timeout|default("") %}
-                health_uri {{ handle.health_timeout }}s
+                health_timeout {{ handle.health_timeout }}s
             {% endif %}
             {% if handle.health_status|default("") %}
-                health_uri {{ handle.health_status }}
+                health_status {{ handle.health_status }}
             {% endif %}
             {% if handle.health_body|default("") %}
-                health_uri {{ handle.health_body }}
+                health_body {{ handle.health_body }}
             {% endif %}
             {% if handle.health_follow_redirects|default("0") == "1" %}
                 health_follow_redirects

From 248fa0c978a0f5dcc049f93ad9d92840ced3be87 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Tue, 27 May 2025 14:34:14 +0200
Subject: [PATCH 2455/3088] crowdsec: 1.0.10 (#4706)

* Update crowdsec rule reference ($ -> <>); bump release

* php cleanup

* javascript: reformat

* backport js changes from pfsense: var -> const, let, function order

* backport name change

* backport changes: const -> var; id =

* prettier

* tabs

* backport callback style

* cron: avoid spamming stdout when the hub index is updated

* icon

* add outgoing rules

* blacklists -> blocklists

* some python typing

* enroll to console from the settings

* v1.0.10 with option to disable rule generation
---
 security/crowdsec/+POST_DEINSTALL.post        |   4 +-
 security/crowdsec/Makefile                    |   2 +-
 security/crowdsec/pkg-descr                   |   7 +
 .../src/etc/inc/plugins.inc.d/crowdsec.inc    |  90 +-
 .../CrowdSec/Api/AlertsController.php         |  12 +-
 .../CrowdSec/Api/BouncersController.php       |  12 +-
 .../CrowdSec/Api/DecisionsController.php      |  25 +-
 .../OPNsense/CrowdSec/Api/HubController.php   |  12 +-
 .../CrowdSec/Api/MachinesController.php       |  12 +-
 .../CrowdSec/Api/ServiceController.php        |  20 +-
 .../CrowdSec/Api/VersionController.php        |   6 +-
 .../OPNsense/CrowdSec/forms/general.xml       |  18 +
 .../app/models/OPNsense/CrowdSec/General.xml  |  12 +-
 .../app/views/OPNsense/CrowdSec/general.volt  |  22 +-
 .../app/views/OPNsense/CrowdSec/overview.volt |  10 +-
 .../scripts/OPNsense/CrowdSec/hub-upgrade.sh  |   4 +-
 .../scripts/OPNsense/CrowdSec/reconfigure.py  |  50 +-
 .../src/opnsense/www/js/CrowdSec/crowdsec.js  | 850 +++++++++---------
 18 files changed, 644 insertions(+), 524 deletions(-)

diff --git a/security/crowdsec/+POST_DEINSTALL.post b/security/crowdsec/+POST_DEINSTALL.post
index 536a325294..5934e52d49 100755
--- a/security/crowdsec/+POST_DEINSTALL.post
+++ b/security/crowdsec/+POST_DEINSTALL.post
@@ -41,8 +41,8 @@ function removeAlias($name)
     }
 }
 
-removeAlias('crowdsec_blacklists');
-removeAlias('crowdsec6_blacklists');
+removeAlias('crowdsec_blocklists');
+removeAlias('crowdsec6_blocklists');
 EOT
 
 
diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 7218bfb389..f61c6c0a0c 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.9
+PLUGIN_VERSION=		1.0.10
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index f7889b32dc..c1410526bb 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,13 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.10
+ * changed alias names crowdsec*blacklists -> crowdsec*blocklists
+ * added rules for outgoing connections too
+ * added enroll_key to settings for automatic enrollment
+ * option to disable rule generation (bring your own rules!)
+ * code cleanup, reformat, typing
+
 1.0.9
 
  * Update rule reference ($ -> <>) for opnsense 25.1
diff --git a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
index a1c149a1cf..b226f424a6 100644
--- a/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
+++ b/security/crowdsec/src/etc/inc/plugins.inc.d/crowdsec.inc
@@ -43,39 +43,69 @@ function crowdsec_firewall(Plugin $fw)
         $rules_tag = $general['rules_tag'];
     }
 
-    add_alias_if_not_exist('crowdsec_blacklists', 'CrowdSec (IPv4)', 'IPv4');
+    add_alias_if_not_exist('crowdsec_blocklists', 'CrowdSec (IPv4)', 'IPv4');
+    add_alias_if_not_exist('crowdsec6_blocklists', 'CrowdSec (IPv6)', 'IPv6');
 
     // https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
 
-    $fw->registerFilterRule(
-        1, /* priority */
-        array(
-            'ipprotocol' => 'inet',
-            'descr'      => 'CrowdSec (IPv4)',
-            'from'       => '<crowdsec_blacklists>',
-            'direction'  => 'in',
-            'type'       => 'block',
-            'log'        => $rules_log_enabled,
-            'tag'        => $rules_tag,
-            'quick'      => true
-        )
-    );
-
-    add_alias_if_not_exist('crowdsec6_blacklists', 'CrowdSec (IPv6)', 'IPv6');
-
-    $fw->registerFilterRule(
-        1, /* priority */
-        array(
-            'ipprotocol' => 'inet6',
-            'descr'      => 'CrowdSec (IPv6)',
-            'from'       => '<crowdsec6_blacklists>',
-            'direction'  => 'in',
-            'type'       => 'block',
-            'log'        => $rules_log_enabled,
-            'tag'        => $rules_tag,
-            'quick'      => true
-        )
-    );
+    // if missing, default to true
+    if (!isset($general['rules_enabled']) || $general['rules_enabled'] != 0) {
+        $fw->registerFilterRule(
+            1, /* priority */
+            array(
+                'ipprotocol' => 'inet',
+                'descr'      => 'CrowdSec (IPv4) in',
+                'from'       => '<crowdsec_blocklists>',
+                'direction'  => 'in',
+                'type'       => 'block',
+                'log'        => $rules_log_enabled,
+                'tag'        => $rules_tag,
+                'quick'      => true
+            )
+        );
+
+        $fw->registerFilterRule(
+            1, /* priority */
+            array(
+                'ipprotocol' => 'inet',
+                'descr'      => 'CrowdSec (IPv4) out',
+                'to'         => '<crowdsec_blocklists>',
+                'direction'  => 'out',
+                'type'       => 'block',
+                'log'        => $rules_log_enabled,
+                'tag'        => $rules_tag,
+                'quick'      => true
+            )
+        );
+
+        $fw->registerFilterRule(
+            1, /* priority */
+            array(
+                'ipprotocol' => 'inet6',
+                'descr'      => 'CrowdSec (IPv6) in',
+                'from'       => '<crowdsec6_blocklists>',
+                'direction'  => 'in',
+                'type'       => 'block',
+                'log'        => $rules_log_enabled,
+                'tag'        => $rules_tag,
+                'quick'      => true
+            )
+        );
+
+        $fw->registerFilterRule(
+            1, /* priority */
+            array(
+                'ipprotocol' => 'inet6',
+                'descr'      => 'CrowdSec (IPv6) out',
+                'to'         => '<crowdsec6_blocklists>',
+                'direction'  => 'out',
+                'type'       => 'block',
+                'log'        => $rules_log_enabled,
+                'tag'        => $rules_tag,
+                'quick'      => true
+            )
+        );
+    }
 }
 
 function crowdsec_services()
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
index 6aff27e81e..eb11d24403 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
@@ -15,19 +15,19 @@
 class AlertsController extends ApiControllerBase
 {
     /**
-     * retrieve list of alerts
+     * Retrieve list of alerts
+     *
      * @return array of alerts
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
     public function getAction()
     {
-        $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec alerts-list")), true);
-        if ($bckresult !== null) {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec alerts-list")), true);
+        if ($result !== null) {
             // only return valid json type responses
-            return $bckresult;
+            return $result;
         }
-        return array("message" => "unable to list alerts");
+        return ["message" => "unable to list alerts"];
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
index 94de1a8772..5fbc29524c 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
@@ -15,19 +15,19 @@
 class BouncersController extends ApiControllerBase
 {
     /**
-     * retrieve list of bouncers
+     * Retrieve list of bouncers
+     *
      * @return array of bouncers
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
     public function getAction()
     {
-        $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec bouncers-list")), true);
-        if ($bckresult !== null) {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec bouncers-list")), true);
+        if ($result !== null) {
             // only return valid json type responses
-            return $bckresult;
+            return $result;
         }
-        return array("message" => "unable to list bouncers");
+        return ["message" => "unable to list bouncers"];
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
index 7421e74e4b..e49754fa1c 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
@@ -15,36 +15,35 @@
 class DecisionsController extends ApiControllerBase
 {
     /**
-     * retrieve list of decisions
+     * Retrieve list of decisions
+     *
      * @return array of decisions
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
     public function getAction()
     {
-        $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec decisions-list")), true);
-        if ($bckresult !== null) {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec decisions-list")), true);
+        if ($result !== null) {
             // only return valid json type responses
-            return $bckresult;
+            return $result;
         }
-        return array("message" => "unable to list decisions");
+        return ["message" => "unable to list decisions"];
     }
 
     public function deleteAction($decision_id)
     {
         if ($this->request->isDelete()) {
-            $backend = new Backend();
-            $bckresult = $backend->configdRun("crowdsec decisions-delete ${decision_id}");
-            if ($bckresult !== null) {
+            $result = (new Backend())->configdRun("crowdsec decisions-delete ${decision_id}");
+            if ($result !== null) {
                 // why does the action return \n\n for empty output?
-                if (trim($bckresult) === '') {
-                    return array("message" => "OK");
+                if (trim($result) === '') {
+                    return ["message" => "OK"];
                 }
                 // TODO handle error
-                return array("message" => $bckresult);
+                return ["message" => result];
             }
-            return array("message" => "OK");
+            return ["message" => "OK"];
         } else {
             $this->response->setStatusCode(405, "Method Not Allowed");
             $this->response->setHeader("Allow", "DELETE");
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
index a8114ff2cd..1bc0fcb899 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
@@ -15,19 +15,19 @@
 class HubController extends ApiControllerBase
 {
     /**
-     * retrieve the registered hub items
+     * Retrieve the registered hub items
+     *
      * @return dictionary of items, by type
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
     public function getAction()
     {
-        $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec hub-items")), true);
-        if ($bckresult !== null) {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec hub-items")), true);
+        if ($result !== null) {
             // only return valid json type responses
-            return $bckresult;
+            return $result;
         }
-        return array("message" => "unable to list hub items");
+        return ["message" => "unable to list hub items"];
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
index 617e43bf41..98e37400bd 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
@@ -15,19 +15,19 @@
 class MachinesController extends ApiControllerBase
 {
     /**
-     * retrieve list of registered machines
+     * Retrieve list of registered machines
+     *
      * @return array of machines
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
     public function getAction()
     {
-        $backend = new Backend();
-        $bckresult = json_decode(trim($backend->configdRun("crowdsec machines-list")), true);
-        if ($bckresult !== null) {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec machines-list")), true);
+        if ($result !== null) {
             // only return valid json type responses
-            return $bckresult;
+            return $result;
         }
-        return array("message" => "unable to list machines");
+        return ["message" => "unable to list machines"];
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
index 4774004183..eaa3a84d38 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
@@ -30,11 +30,12 @@ public function reloadAction()
                 }
             }
         }
-        return array("status" => $status);
+        return ["status" => $status];
     }
 
     /**
-     * retrieve status of crowdsec
+     * Retrieve status of crowdsec
+     *
      * @return array
      * @throws \Exception
      */
@@ -59,20 +60,9 @@ public function statusAction()
             $firewall_status = "running";
         }
 
-        return array(
+        return [
             "crowdsec-status" => $status,
             "crowdsec-firewall-status" => $firewall_status,
-        );
-    }
-
-    /**
-     * return debug information
-     * @return array
-     */
-    public function debugAction()
-    {
-        $backend = new Backend();
-        $response = $backend->configdRun("crowdsec debug");
-        return array("message" => $response);
+        ];
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
index d236c26f87..d6f09e0c11 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
@@ -15,14 +15,14 @@
 class VersionController extends ApiControllerBase
 {
     /**
-     * retrieve version description
+     * Retrieve version description
+     *
      * @return version description
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
     public function getAction()
     {
-        $backend = new Backend();
-        return $backend->configdRun("crowdsec version");
+        return (new Backend())->configdRun("crowdsec version");
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
index 45d9d3f249..849e04ebaf 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
@@ -27,6 +27,14 @@
       packets from the attacking IP addresses.</help>
   </field>
 
+  <!-- enroll_key  -->
+  <field>
+    <id>general.enroll_key</id>
+    <label>Enrollment key from https://app.crowdsec.net</label>
+    <type>text</type>
+    <help>Click "Enroll command" on the the website and copy the key here.</help>
+  </field>
+
   <!-- lapi_manual_configuration -->
   <field>
     <id>general.lapi_manual_configuration</id>
@@ -66,6 +74,16 @@
       services.</help>
   </field>
 
+  <!-- rules_enabled -->
+  <field>
+    <id>general.rules_enabled</id>
+    <label>Create blocklist rules</label>
+    <type>checkbox</type>
+    <help>Generate block rules from the Crowdsec blocklists.
+    They are applied t all interfaces, ipv4/v6, ingress and egress.
+    If you disable this, you'll have to write your own rules to block anything.</help>
+  </field>
+
   <!-- rules_log -->
   <field>
     <id>general.rules_log</id>
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index 4208065f48..da4dbe0f92 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.9</version>
+  <version>1.0.10</version>
   <items>
 
     <agent_enabled type="BooleanField">
@@ -37,6 +37,11 @@
       <EnableRanges>N</EnableRanges>
     </lapi_listen_port>
 
+    <rules_enabled type="BooleanField">
+      <default>1</default>
+      <Required>Y</Required>
+    </rules_enabled>
+
     <rules_log type="BooleanField">
       <default>0</default>
       <Required>Y</Required>
@@ -47,6 +52,11 @@
       <ValidationMessage>A tag must only contain numbers and letters and must be between 1 and 63 characters.</ValidationMessage>
     </rules_tag>
 
+    <enroll_key type="TextField">
+      <Mask>/^([0-9a-zA-Z]{1,63})$/u</Mask>
+      <ValidationMessage>The enrollment key can only contain numbers and letters and must be between 1 and 63 characters. Did you take it from app.crowdsec.net?</ValidationMessage>
+    </enroll_key>
+
     <crowdsec_firewall_verbose type="BooleanField">
       <default>0</default>
       <Required>Y</Required>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index c7ae96adf5..be347ee53e 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -3,7 +3,7 @@
 
 <script>
     $( document ).ready(function() {
-        var data_get_map = {'frm_GeneralSettings':"/api/crowdsec/general/get"};
+        const data_get_map = {'frm_GeneralSettings':"/api/crowdsec/general/get"};
         mapDataToFormUI(data_get_map).done(function(data){
             // place actions to run after load, for example update form styles.
         });
@@ -64,8 +64,8 @@
         <a href="https://doc.crowdsec.net/docs/next/user_guides/multiserver_setup">any other agent</a>
         connected to the same LAPI node. Other types of remediation are possible (ex. captcha test for scraping attempts).</p>
 
-	We recommend you to <a href="https://app.crowdsec.net/">register to the Console</a>. This helps you manage your instances,
-	and us to have better overall metrics.
+        We recommend you to <a href="https://app.crowdsec.net/">register to the Console</a>. This helps you manage your instances,
+        and us to have better overall metrics.
 
         <p>Please refer to the <a href="https://crowdsec.net/blog/category/tutorial/">tutorials</a> to explore
         the possibilities.</p>
@@ -148,16 +148,16 @@
         <p>
             It might be a good idea to have a secondary IP from which you can
             connect, should anything go wrong.
-	</p>
+        </p>
 
-	<pre><code>[root@OPNsense ~]# cscli decisions add -t ban -d 2m -i &lt;your_ip_address&gt;</code></pre>
+        <pre><code>[root@OPNsense ~]# cscli decisions add -t ban -d 2m -i &lt;your_ip_address&gt;</code></pre>
 
-	<p>
-	    This is a more secure way to test than attempting to brute-force
-	    yourself: the default ban period is 4 hours, and Crowdsec reads the
-	    logs from the beginning, so it could ban you even if you failed ssh
-	    login 10 times in 30 seconds two hours before installing it.
-	</p>
+        <p>
+            This is a more secure way to test than attempting to brute-force
+            yourself: the default ban period is 4 hours, and Crowdsec reads the
+            logs from the beginning, so it could ban you even if you failed ssh
+            login 10 times in 30 seconds two hours before installing it.
+        </p>
 
         <div>
             <a class="btn btn-default btn-info" href="https://github.com/crowdsecurity/crowdsec">
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
index a51cbb5bff..93f0f20042 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
@@ -45,7 +45,6 @@ ul.nav>li>a {
     <li><a data-toggle="tab" id="postoverflows_tab" href="#postoverflows">Postoverflows</a></li>
     <li class="spaced"><a data-toggle="tab" id="alerts_tab" href="#alerts">Alerts</a></li>
     <li><a data-toggle="tab" id="decisions_tab" href="#decisions">Decisions</a></li>
-    <li class="pull-right"><a data-toggle="tab" id="debug_tab" href="#debug" style="display:none">Debug</a></li>
 </ul>
 
 <div class="tab-content content-box">
@@ -223,13 +222,8 @@ ul.nav>li>a {
         </table>
     </div>
 
-    <div id="debug" class="tab-pane fade in">
-        <pre>
-        </pre>
-    </div>
-
     <!-- Modal popup to confirm decision deletion -->
-    <div class="modal fade" id="delete-decision-modal" tabindex="-1" role="dialog" aria-labelledby="modalLabel" aria-hidden="true">
+    <div class="modal fade" id="remove-decision-modal" tabindex="-1" role="dialog" aria-labelledby="modalLabel" aria-hidden="true">
         <div class="modal-dialog" role="document">
             <div class="modal-content">
                 <div class="modal-header">
@@ -243,7 +237,7 @@ ul.nav>li>a {
                 </div>
                 <div class="modal-footer">
                     <button type="button" class="btn btn-secondary" data-dismiss="modal">No, cancel</button>
-                    <button type="button" class="btn btn-danger" data-dismiss="modal" id="delete-decision-confirm">Yes, delete</button>
+                    <button type="button" class="btn btn-danger" data-dismiss="modal" id="remove-decision-confirm">Yes, delete</button>
                 </div>
             </div>
         </div>
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
index 50b81c744e..2b6d7731b4 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh
@@ -2,9 +2,9 @@
 
 test -x /usr/local/bin/cscli || exit 0
 
-/usr/local/bin/cscli --error hub update
+/usr/local/bin/cscli --error -o human hub update >/dev/null
 
-upgraded=$(/usr/local/bin/cscli --error hub upgrade)
+upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)
 
 if [ ! -e "/usr/local/etc/crowdsec/collections/opnsense.yaml" ]; then
     /usr/local/bin/cscli --error collections install crowdsecurity/opnsense
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
index 31fb26643f..04d61a028e 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
@@ -2,33 +2,35 @@
 
 import logging
 import json
+import subprocess
 import urllib.parse
+from typing import cast, Any
 import yaml
 
 logging.basicConfig(level=logging.INFO)
 
 
-def load_config(filename):
+def load_config(filename: str) -> dict[str, Any]:
     with open(filename) as fin:
         return yaml.safe_load(fin)
 
 
 # only save if some value has changed
-def save_config(filename, new_config):
+def save_config(filename: str, new_config: dict[str, Any]):
     old_config = load_config(filename)
     if old_config != new_config:
         with open(filename, 'w') as fout:
             yaml.dump(new_config, fout)
 
 
-def get_netloc(settings):
+def get_netloc(settings: dict[str, str]):
     # defaults if config has not been saved yet
     listen_address = settings.get('lapi_listen_address', '127.0.0.1')
     listen_port = settings.get('lapi_listen_port', '8080')
     return '{}:{}'.format(listen_address, listen_port)
 
 
-def get_new_url(old_url, settings):
+def get_new_url(old_url: str, settings: dict[str, str]):
     old_tuple = urllib.parse.urlsplit(old_url)
     new_tuple = old_tuple._replace(netloc=get_netloc(settings))
     new_url = urllib.parse.urlunsplit(new_tuple)
@@ -39,7 +41,7 @@ def get_new_url(old_url, settings):
     return new_url
 
 
-def configure_agent(settings):
+def configure_agent(settings: dict[str, str]):
     config_path = '/usr/local/etc/crowdsec/config.yaml'
     config = load_config(config_path)
 
@@ -53,7 +55,7 @@ def configure_agent(settings):
     save_config(config_path, config)
 
 
-def configure_lapi(settings):
+def configure_lapi(settings: dict[str, str]):
     config_path = '/usr/local/etc/crowdsec/config.yaml'
     config = load_config(config_path)
 
@@ -63,7 +65,7 @@ def configure_lapi(settings):
     save_config(config_path, config)
 
 
-def configure_lapi_credentials(settings):
+def configure_lapi_credentials(settings: dict[str, str]):
     config_path = '/usr/local/etc/crowdsec/local_api_credentials.yaml'
     config = load_config(config_path)
 
@@ -73,13 +75,13 @@ def configure_lapi_credentials(settings):
     save_config(config_path, config)
 
 
-def configure_bouncer(settings):
+def configure_bouncer(settings: dict[str, str]):
     config_path = '/usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml'
     config = load_config(config_path)
 
     config['log_dir'] = '/var/log/crowdsec'
-    config['blacklists_ipv4'] = 'crowdsec_blacklists'
-    config['blacklists_ipv6'] = 'crowdsec6_blacklists'
+    config['blacklists_ipv4'] = 'crowdsec_blocklists'
+    config['blacklists_ipv6'] = 'crowdsec6_blocklists'
     config['retry_initial_connect'] = True
     config['pf'] = {'anchor_name': ''}
 
@@ -89,10 +91,35 @@ def configure_bouncer(settings):
     save_config(config_path, config)
 
 
+def enroll(settings: dict[str, str]):
+    enroll_key = settings.get('enroll_key')
+    if enroll_key:
+        try:
+            p = subprocess.run(['cscli', 'capi', 'status'], check=True, text=True, stdout=subprocess.PIPE)
+            if "instance is enrolled" in p.stdout:
+                logging.info("crowdsec instance is already enrolled")
+                return
+        except subprocess.CalledProcessError:
+            return
+        except Exception as e:
+            logging.error("could not run command 'cscli' to perform enrollment: %s", e)
+
+        try:
+            logging.info("enrolling crowdsec instance, please accept the enrollment on https://app.crowdsec.net")
+            _ = subprocess.run(
+                    ['cscli', 'console', 'enroll', '-e', 'context', enroll_key],
+                    check=True, text=True)
+        except subprocess.CalledProcessError as e:
+            logging.error("enrollment failed: %s", e)
+            return
+        except Exception as e:
+            logging.error("could not run command 'cscli' to perform enrollment: %s", e)
+
+
 def main():
     try:
         with open('/usr/local/etc/crowdsec/opnsense/settings.json') as f:
-            settings = json.load(f)
+            settings = cast(dict[str, str], json.load(f))
     except FileNotFoundError:
         logging.info("settings.json not found, won't change crowdsec config")
         return
@@ -100,6 +127,7 @@ def main():
     configure_agent(settings)
     configure_lapi(settings)
     configure_lapi_credentials(settings)
+    enroll(settings)
     configure_bouncer(settings)
 
 
diff --git a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
index 09f16c12e5..45149807e3 100644
--- a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
+++ b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
@@ -3,427 +3,471 @@
 /* eslint no-undef: "error" */
 /* eslint semi: "error" */
 
-var CrowdSec = (function () {
-    'use strict';
-
-    var crowdsec_path = '/usr/local/etc/crowdsec/';
-    var _refreshTemplate = '<button class="btn btn-default" type="button" title="Refresh"><span class="icon glyphicon glyphicon-refresh"></span></button>';
-
-    var _dataFormatters = {
-        yesno: function (column, row) {
-            return _yesno2html(row[column.id]);
-        },
-
-        delete: function (column, row) {
-            var val = row.id;
-            if (isNaN(val)) {
-                return '';
-            }
-            return '<button type="button" class="btn btn-secondary btn-sm" value="' + val + '" onclick="CrowdSec.deleteDecision(' + val + ')"><i class="fa fa-trash" /></button>';
-        },
-
-        duration: function (column, row) {
-            var duration = row[column.id];
-            if (!duration) {
-                return 'n/a';
-            }
-            return $('<div>').attr({
-                'data-toggle': 'tooltip',
-                'data-placement': 'left',
-                title: duration
-            }).text(_humanizeDuration(duration)).prop('outerHTML');
-        },
-
-        datetime: function (column, row) {
-            var dt = row[column.id];
-            var parsed = moment(dt);
-            if (!dt) {
-                return '';
-            }
-            if (!parsed.isValid()) {
-                console.error('Cannot parse timestamp: %s', dt);
-                return '???';
-            }
-            return $('<div>').attr({
-                'data-toggle': 'tooltip',
-                'data-placement': 'left',
-                title: parsed.format()
-            }).text(_humanizeDate(dt)).prop('outerHTML');
-        }
-    };
-
-    function _parseDuration (duration) {
-        var re = /(-?)(?:(?:(\d+)h)?(\d+)m)?(\d+).\d+(m?)s/m;
-        var matches = duration.match(re);
-        var seconds = 0;
-
-        if (!matches.length) {
-            throw new Error('Unable to parse the following duration: ' + duration + '.');
-        }
-        if (typeof matches[2] !== 'undefined') {
-            seconds += parseInt(matches[2], 10) * 3600; // hours
-        }
-        if (typeof matches[3] !== 'undefined') {
-            seconds += parseInt(matches[3], 10) * 60; // minutes
-        }
-        if (typeof matches[4] !== 'undefined') {
-            seconds += parseInt(matches[4], 10); // seconds
-        }
-        if (parseInt(matches[5], 10) === 'm') {
-            // units in milliseconds
-            seconds *= 0.001;
-        }
-        if (parseInt(matches[1], 10) === '-') {
-            // negative
-            seconds = -seconds;
-        }
-        return seconds;
+const CrowdSec = (function () {
+  'use strict';
+
+  const crowdsec_path = '/usr/local/etc/crowdsec/';
+  const _refreshTemplate =
+    '<button class="btn btn-default" type="button" title="Refresh"><span class="icon fa fa-refresh"></span></button>';
+
+  const _dataFormatters = {
+    yesno: function (column, row) {
+      return _yesno2html(row[column.id]);
+    },
+
+    delete: function (column, row) {
+      const val = row.id;
+      if (isNaN(val)) {
+        return '';
+      }
+      return (
+        '<button type="button" class="btn btn-secondary btn-sm" value="' +
+        val +
+        '" onclick="CrowdSec.deleteDecision(' +
+        val +
+        ')"><i class="fa fa-trash" /></button>'
+      );
+    },
+
+    duration: function (column, row) {
+      const duration = row[column.id];
+      if (!duration) {
+        return 'n/a';
+      }
+      return $('<div>')
+        .attr({
+          'data-toggle': 'tooltip',
+          'data-placement': 'left',
+          title: duration,
+        })
+        .text(_humanizeDuration(duration))
+        .prop('outerHTML');
+    },
+
+    datetime: function (column, row) {
+      const dt = row[column.id];
+      const parsed = moment(dt);
+      if (!dt) {
+        return '';
+      }
+      if (!parsed.isValid()) {
+        console.error('Cannot parse timestamp: %s', dt);
+        return '???';
+      }
+      return $('<div>')
+        .attr({
+          'data-toggle': 'tooltip',
+          'data-placement': 'left',
+          title: parsed.format(),
+        })
+        .text(_humanizeDate(dt))
+        .prop('outerHTML');
+    },
+  };
+  function _decisionsByType(decisions) {
+    const dectypes = {};
+    if (!decisions) {
+      return '';
     }
-
-    function _updateFreshness (selector, timestamp) {
-        var $freshness = $(selector).find('.actionBar .freshness');
-        if (timestamp) {
-            $freshness.data('refresh_timestamp', timestamp);
-        } else {
-            timestamp = $freshness.data('refresh_timestamp');
-        }
-        var howlongHuman = '???';
-        var howlongms;
-        if (timestamp) {
-            howlongms = moment() - moment(timestamp);
-            howlongHuman = moment.duration(howlongms).humanize();
-        }
-        $freshness.text(howlongHuman + ' ago');
+    decisions.map(function (decision) {
+      // TODO ignore negative expiration?
+      dectypes[decision.type] = dectypes[decision.type]
+        ? dectypes[decision.type] + 1
+        : 1;
+    });
+    let ret = '';
+    for (const type in dectypes) {
+      if (ret !== '') {
+        ret += ' ';
+      }
+      ret += type + ':' + dectypes[type];
     }
-
-    function _addFreshness (selector) {
-        // this creates one timer per tab
-        var freshnessTemplate = '<span style="float:left">Last refresh: <span class="freshness"></span></span>';
-        $(selector).find('.actionBar').prepend(freshnessTemplate);
-        setInterval(function () {
-           _updateFreshness(selector);
-        }, 5000);
-    }
-
-    function _humanizeDate (text) {
-        return moment(text).fromNow();
+    return ret;
+  }
+
+  function _updateFreshness(selector, timestamp) {
+    const $freshness = $(selector).find('.actionBar .freshness');
+    if (timestamp) {
+      $freshness.data('refresh_timestamp', timestamp);
+    } else {
+      timestamp = $freshness.data('refresh_timestamp');
     }
-
-    function _humanizeDuration (text) {
-        return moment.duration(_parseDuration(text), 'seconds').humanize();
-    }
-
-    function _yesno2html (val) {
-        if (val) {
-            return '<i class="fa fa-check text-success"></i>';
-        } else {
-        return '<i class="fa fa-times text-danger"></i>';
-        }
-    }
-
-    function _decisionsByType (decisions) {
-        var dectypes = {};
-        if (!decisions) {
-            return '';
-        }
-        decisions.map(function (decision) {
-            // TODO ignore negative expiration?
-            dectypes[decision.type] = dectypes[decision.type] ? (dectypes[decision.type] + 1) : 1;
-        });
-        var ret = '';
-        var type;
-        for (type in dectypes) {
-            if (ret !== '') {
-                ret += ' ';
-            }
-            ret += (type + ':' + dectypes[type]);
-        }
-        return ret;
-    }
-
-    function _initService () {
-        $.ajax({
-            url: '/api/crowdsec/service/status',
-            cache: false
-        }).done(function (data) {
-            // TODO handle errors
-            var crowdsecStatus = data['crowdsec-status'];
-            if (crowdsecStatus === 'unknown') {
-                crowdsecStatus = '<span class="text-danger">Unknown</span>';
-            } else {
-                crowdsecStatus = _yesno2html(crowdsecStatus === 'running');
-            }
-            $('#crowdsec-status').html(crowdsecStatus);
-
-            var crowdsecFirewallStatus = data['crowdsec-firewall-status'];
-            if (crowdsecFirewallStatus === 'unknown') {
-                crowdsecFirewallStatus = '<span class="text-danger">Unknown</span>';
-            } else {
-                crowdsecFirewallStatus = _yesno2html(crowdsecFirewallStatus === 'running');
-            }
-            $('#crowdsec-firewall-status').html(crowdsecFirewallStatus);
-        });
-    }
-
-    function _initDebug () {
-        $.ajax({
-            url: '/api/crowdsec/service/debug',
-            cache: false
-        }).done(function (data) {
-            $('#debug pre').text(data.message);
-        });
-    }
-
-    function _initTab (selector, url, dataCallback) {
-        var $tab = $(selector);
-        if ($tab.find('table.bootgrid-table').length) {
-            return;
-        }
-        $tab.find('table').
-            on('initialized.rs.jquery.bootgrid', function () {
-                $(_refreshTemplate).on('click', function () {
-                    _refreshTab(selector, url, dataCallback);
-                }).insertBefore($tab.find('.actionBar .actions .dropdown:first'));
-                _addFreshness(selector);
-                _refreshTab(selector, url, dataCallback);
-            }).
-            bootgrid({
-                caseSensitive: false,
-                formatters: _dataFormatters
-            });
+    const howlongHuman = '???';
+    if (timestamp) {
+      const howlongms = moment() - moment(timestamp);
+      howlongHuman = moment.duration(howlongms).humanize();
     }
-
-    function _refreshTab (selector, url, dataCallback) {
-        $.ajax({
-            url: url,
-            cache: false
-        }).done(dataCallback);
+    $freshness.text(howlongHuman + ' ago');
+  }
+
+  function _addFreshness(selector) {
+    // this creates one timer per tab
+    const freshnessTemplate =
+      '<span style="float:left">Last refresh: <span class="freshness"></span></span>';
+    $(selector).find('.actionBar').prepend(freshnessTemplate);
+    setInterval(function () {
+      _updateFreshness(selector);
+    }, 5000);
+  }
+
+  function _refreshTab(selector, url, dataCallback) {
+    $.ajax({
+      url: url,
+      cache: false,
+      success: dataCallback,
+      complete: function () {
         _updateFreshness(selector, moment());
+      },
+    });
+  }
+
+  function _parseDuration(duration) {
+    const re = /(-?)(?:(?:(\d+)h)?(\d+)m)?(\d+).\d+(m?)s/m;
+    const matches = duration.match(re);
+    let seconds = 0;
+
+    if (!matches.length) {
+      throw new Error(
+        'Unable to parse the following duration: ' + duration + '.',
+      );
     }
-
-    function _initMachines () {
-        var url = '/api/crowdsec/machines/get';
-        var dataCallback = function (data) {
-            var rows = [];
-            data.map(function (row) {
-                rows.push({
-                    name: row.machineId,
-                    ip_address: row.ipAddress || ' ',
-                    last_update: row.updated_at || ' ',
-                    validated: row.isValidated,
-                    version: row.version || ' '
-                });
-            });
-        $('#machines table').bootgrid('clear').bootgrid('append', rows);
-        };
-        _initTab('#machines', url, dataCallback);
+    if (typeof matches[2] !== 'undefined') {
+      seconds += parseInt(matches[2], 10) * 3600; // hours
     }
-
-    function _initCollections () {
-        var url = '/api/crowdsec/hub/get';
-        var dataCallback = function (data) {
-            var rows = [];
-            data.collections.map(function (row) {
-                rows.push({
-                    name: row.name,
-                    status: row.status,
-                    local_version: row.local_version || ' ',
-                    local_path: row.local_path ? row.local_path.replace(crowdsec_path, '') : ' ',
-                    description: row.description || ' '
-                });
-            });
-        $('#collections table').bootgrid('clear').bootgrid('append', rows);
-        };
-        _initTab('#collections', url, dataCallback);
+    if (typeof matches[3] !== 'undefined') {
+      seconds += parseInt(matches[3], 10) * 60; // minutes
     }
-
-    function _initScenarios () {
-        var url = '/api/crowdsec/hub/get';
-        var dataCallback = function (data) {
-            var rows = [];
-            data.scenarios.map(function (row) {
-                rows.push({
-                    name: row.name,
-                    status: row.status,
-                    local_version: row.local_version || ' ',
-                    local_path: row.local_path ? row.local_path.replace(crowdsec_path, '') : ' ',
-                    description: row.description || ' '
-                });
-            });
-            $('#scenarios table').bootgrid('clear').bootgrid('append', rows);
-        };
-        _initTab('#scenarios', url, dataCallback);
+    if (typeof matches[4] !== 'undefined') {
+      seconds += parseInt(matches[4], 10); // seconds
     }
-
-    function _initParsers () {
-        var url = '/api/crowdsec/hub/get';
-        var dataCallback = function (data) {
-            var rows = [];
-            data.parsers.map(function (row) {
-                rows.push({
-                    name: row.name,
-                    status: row.status,
-                    local_version: row.local_version || ' ',
-                    local_path: row.local_path ? row.local_path.replace(crowdsec_path, '') : ' ',
-                    description: row.description || ' '
-                });
-            });
-            $('#parsers table').bootgrid('clear').bootgrid('append', rows);
-        };
-        _initTab('#parsers ', url, dataCallback);
+    if (parseInt(matches[5], 10) === 'm') {
+      // units in milliseconds
+      seconds *= 0.001;
     }
-
-    function _initPostoverflows () {
-        var url = '/api/crowdsec/hub/get';
-        var dataCallback = function (data) {
-            var rows = [];
-            data.postoverflows.map(function (row) {
-                rows.push({
-                    name: row.name,
-                    status: row.status,
-                    local_version: row.local_version || ' ',
-                    local_path: row.local_path ? row.local_path.replace(crowdsec_path, '') : ' ',
-                    description: row.description || ' '
-                });
-            });
-            $('#postoverflows table').bootgrid('clear').bootgrid('append', rows);
-        };
-        _initTab('#postoverflows ', url, dataCallback);
+    if (parseInt(matches[1], 10) === '-') {
+      // negative
+      seconds = -seconds;
     }
-
-    function _initBouncers () {
-        var url = '/api/crowdsec/bouncers/get';
-        var dataCallback = function (data) {
-            var rows = [];
-            data.map(function (row) {
-                // TODO - remove || ' ' later, it was fixed for 1.3.3
-                rows.push({
-                    name: row.name,
-                    ip_address: row.ip_address || ' ',
-                    valid: row.revoked ? false : true,
-                    last_pull: row.last_pull,
-                    type: row.type || ' ',
-                    version: row.version || ' '
-                });
-            });
-            $('#bouncers table').bootgrid('clear').bootgrid('append', rows);
-        };
-        _initTab('#bouncers ', url, dataCallback);
-    }
-
-    function _initAlerts () {
-        var url = '/api/crowdsec/alerts/get';
-        var dataCallback = function (data) {
-            var rows = [];
-            data.map(function (row) {
-                rows.push({
-                    id: row.id,
-                    value: row.source.scope + (row.source.value ? (':' + row.source.value) : ''),
-                    reason: row.scenario || ' ',
-                    country: row.source.cn || ' ',
-                    as: row.source.as_name || ' ',
-                    decisions: _decisionsByType(row.decisions) || ' ',
-                    created_at: row.created_at
-                });
-            });
-            $('#alerts table').bootgrid('clear').bootgrid('append', rows);
-        };
-        _initTab('#alerts ', url, dataCallback);
+    return seconds;
+  }
+
+  function _humanizeDate(text) {
+    return moment(text).fromNow();
+  }
+
+  function _humanizeDuration(text) {
+    return moment.duration(_parseDuration(text), 'seconds').humanize();
+  }
+
+  function _yesno2html(val) {
+    if (val) {
+      return '<i class="fa fa-check text-success"></i>';
+    } else {
+      return '<i class="fa fa-times text-danger"></i>';
     }
+  }
 
-    function _initDecisions () {
-        var url = '/api/crowdsec/decisions/get';
-        var dataCallback = function (data) {
-            var rows = [];
-            data.map(function (row) {
-                row.decisions.map(function (decision) {
-                    // ignore deleted decisions
-                    if (decision.duration.startsWith('-')) {
-                        return;
-                    }
-                    rows.push({
-                        // search will break on empty values when using .append(). so we use spaces
-                        delete: '',
-                        id: decision.id,
-                        source: decision.origin || ' ',
-                        scope_value: decision.scope + (decision.value ? (':' + decision.value) : ''),
-                        reason: decision.scenario || ' ',
-                        action: decision.type || ' ',
-                        country: row.source.cn || ' ',
-                        as: row.source.as_name || ' ',
-                        events_count: row.events_count,
-                        // XXX pre-parse duration to seconds, and integer type, for sorting
-                        expiration: decision.duration || ' ',
-                        alert_id: row.id || ' '
-                    });
-                });
-            });
-            $('#decisions table').bootgrid('clear').bootgrid('append', rows);
-        };
-        _initTab('#decisions ', url, dataCallback);
+  function _initTab(selector, url, dataCallback) {
+    const $tab = $(selector);
+    if ($tab.find('table.bootgrid-table').length) {
+      return;
     }
-
-    function deleteDecision (decisionId) {
-        var $modal = $('#delete-decision-modal');
-        $modal.find('.modal-title').text('Delete decision #' + decisionId);
-        $modal.find('.modal-body').text('Are you sure?');
-        $modal.find('#delete-decision-confirm').on('click', function () {
-            $.ajax({
-                // XXX handle errors
-                url: '/api/crowdsec/decisions/delete/' + decisionId,
-                type: 'DELETE',
-                success: function (result) {
-                    if (result && result.message === 'OK') {
-                        $('#decisions table').bootgrid('remove', [decisionId]);
-                        $modal.modal('hide');
-                    }
-                }
-            });
+    $tab
+      .find('table')
+      .on('initialized.rs.jquery.bootgrid', function () {
+        $(_refreshTemplate)
+          .on('click', function () {
+            _refreshTab(selector, url, dataCallback);
+          })
+          .insertBefore($tab.find('.actionBar .actions .dropdown:first'));
+        _addFreshness(selector);
+        _refreshTab(selector, url, dataCallback);
+      })
+      .bootgrid({
+        caseSensitive: false,
+        formatters: _dataFormatters,
+      });
+  }
+
+  function _initStatusMachines() {
+    const url = '/api/crowdsec/machines/get';
+    const id = '#machines';
+    const dataCallback = function (data) {
+      const rows = [];
+      data.map(function (row) {
+        rows.push({
+          name: row.machineId,
+          ip_address: row.ipAddress || ' ',
+          last_update: row.updated_at || ' ',
+          validated: row.isValidated,
+          version: row.version || ' ',
         });
-        $modal.modal('show');
-    }
-
-    function init () {
-        _initService();
-
-        $('#machines_tab').on('click', _initMachines);
-        $('#collections_tab').on('click', _initCollections);
-        $('#scenarios_tab').on('click', _initScenarios);
-        $('#parsers_tab').on('click', _initParsers);
-        $('#postoverflows_tab').on('click', _initPostoverflows);
-        $('#bouncers_tab').on('click', _initBouncers);
-        $('#alerts_tab').on('click', _initAlerts);
-        $('#decisions_tab').on('click', _initDecisions);
-
-        $('[data-toggle="tooltip"]').tooltip();
-
-        if (window.location.hash) {
-            // activate a tab from the hash, if it exists
-            $(window.location.hash + '_tab').click();
-        } else {
-            // otherwise, machines
-            $('#machines_tab').click();
-        }
-
-        $(window).on('hashchange', function (e) {
-            $(window.location.hash + '_tab').click();
+      });
+      $(id + ' table')
+        .bootgrid('clear')
+        .bootgrid('append', rows);
+    };
+    _initTab(id, url, dataCallback);
+  }
+
+  function _initStatusCollections() {
+    const url = '/api/crowdsec/hub/get';
+    const id = '#collections';
+    const dataCallback = function (data) {
+      const rows = [];
+      data.collections.map(function (row) {
+        rows.push({
+          name: row.name,
+          status: row.status,
+          local_version: row.local_version || ' ',
+          local_path: row.local_path
+            ? row.local_path.replace(crowdsec_path, '')
+            : ' ',
+          description: row.description || ' ',
         });
-
-        if (new URLSearchParams(window.location.search).has('debug')) {
-            $('#debug_tab').show().on('click', _initDebug);
+      });
+      $(id + ' table')
+        .bootgrid('clear')
+        .bootgrid('append', rows);
+    };
+    _initTab(id, url, dataCallback);
+  }
+
+  function _initStatusScenarios() {
+    const url = '/api/crowdsec/hub/get';
+    const id = '#scenarios';
+    const dataCallback = function (data) {
+      const rows = [];
+      data.scenarios.map(function (row) {
+        rows.push({
+          name: row.name,
+          status: row.status,
+          local_version: row.local_version || ' ',
+          local_path: row.local_path
+            ? row.local_path.replace(crowdsec_path, '')
+            : ' ',
+          description: row.description || ' ',
+        });
+      });
+      $(id + ' table')
+        .bootgrid('clear')
+        .bootgrid('append', rows);
+    };
+    _initTab(id, url, dataCallback);
+  }
+
+  function _initStatusParsers() {
+    const url = '/api/crowdsec/hub/get';
+    const id = '#parsers';
+    const dataCallback = function (data) {
+      const rows = [];
+      data.parsers.map(function (row) {
+        rows.push({
+          name: row.name,
+          status: row.status,
+          local_version: row.local_version || ' ',
+          local_path: row.local_path
+            ? row.local_path.replace(crowdsec_path, '')
+            : ' ',
+          description: row.description || ' ',
+        });
+      });
+      $(id + ' table')
+        .bootgrid('clear')
+        .bootgrid('append', rows);
+    };
+    _initTab(id, url, dataCallback);
+  }
+
+  function _initStatusPostoverflows() {
+    const url = '/api/crowdsec/hub/get';
+    const id = '#postoverflows';
+    const dataCallback = function (data) {
+      const rows = [];
+      data.postoverflows.map(function (row) {
+        rows.push({
+          name: row.name,
+          status: row.status,
+          local_version: row.local_version || ' ',
+          local_path: row.local_path
+            ? row.local_path.replace(crowdsec_path, '')
+            : ' ',
+          description: row.description || ' ',
+        });
+      });
+      $(id + ' table')
+        .bootgrid('clear')
+        .bootgrid('append', rows);
+    };
+    _initTab(id, url, dataCallback);
+  }
+
+  function _initStatusBouncers() {
+    const url = '/api/crowdsec/bouncers/get';
+    const id = '#bouncers';
+    const dataCallback = function (data) {
+      const rows = [];
+      data.map(function (row) {
+        // TODO - remove || ' ' later, it was fixed for 1.3.3
+        rows.push({
+          name: row.name,
+          ip_address: row.ip_address || ' ',
+          valid: row.revoked ? false : true,
+          last_pull: row.last_pull,
+          type: row.type || ' ',
+          version: row.version || ' ',
+        });
+      });
+      $(id + ' table')
+        .bootgrid('clear')
+        .bootgrid('append', rows);
+    };
+    _initTab(id, url, dataCallback);
+  }
+
+  function _initStatusAlerts() {
+    const url = '/api/crowdsec/alerts/get';
+    const id = '#alerts';
+    const dataCallback = function (data) {
+      const rows = [];
+      data.map(function (row) {
+        rows.push({
+          id: row.id,
+          value:
+            row.source.scope + (row.source.value ? ':' + row.source.value : ''),
+          reason: row.scenario || ' ',
+          country: row.source.cn || ' ',
+          as: row.source.as_name || ' ',
+          decisions: _decisionsByType(row.decisions) || ' ',
+          created_at: row.created_at,
+        });
+      });
+      $(id + ' table')
+        .bootgrid('clear')
+        .bootgrid('append', rows);
+    };
+    _initTab(id, url, dataCallback);
+  }
+
+  function _initStatusDecisions() {
+    const url = '/api/crowdsec/decisions/get';
+    const id = '#decisions';
+    const dataCallback = function (data) {
+      const rows = [];
+      data.map(function (row) {
+        row.decisions.map(function (decision) {
+          // ignore deleted decisions
+          if (decision.duration.startsWith('-')) {
+            return;
+          }
+          rows.push({
+            // search will break on empty values when using .append(). so we use spaces
+            delete: '',
+            id: decision.id,
+            source: decision.origin || ' ',
+            scope_value:
+              decision.scope + (decision.value ? ':' + decision.value : ''),
+            reason: decision.scenario || ' ',
+            action: decision.type || ' ',
+            country: row.source.cn || ' ',
+            as: row.source.as_name || ' ',
+            events_count: row.events_count,
+            // XXX pre-parse duration to seconds, and integer type, for sorting
+            expiration: decision.duration || ' ',
+            alert_id: row.id || ' ',
+          });
+        });
+      });
+      $(id + ' table')
+        .bootgrid('clear')
+        .bootgrid('append', rows);
+    };
+    _initTab(id, url, dataCallback);
+  }
+
+  function initService() {
+    $.ajax({
+      url: '/api/crowdsec/service/status',
+      cache: false,
+      success: function (data) {
+        let crowdsecStatus = data['crowdsec-status'];
+        if (crowdsecStatus === 'unknown') {
+          crowdsecStatus = '<span class="text-danger">Unknown</span>';
+        } else {
+          crowdsecStatus = _yesno2html(crowdsecStatus === 'running');
         }
+        $('#crowdsec-status').html(crowdsecStatus);
 
-        // navigation
-        if (window.location.hash !== '') {
-            $('a[href="' + window.location.hash + '"]').click();
+        let crowdsecFirewallStatus = data['crowdsec-firewall-status'];
+        if (crowdsecFirewallStatus === 'unknown') {
+          crowdsecFirewallStatus = '<span class="text-danger">Unknown</span>';
+        } else {
+          crowdsecFirewallStatus = _yesno2html(
+            crowdsecFirewallStatus === 'running',
+          );
         }
-        $('.nav-tabs a').on('shown.bs.tab', function (e) {
-            history.pushState(null, null, e.target.hash);
-        });
+        $('#crowdsec-firewall-status').html(crowdsecFirewallStatus);
+      },
+    });
+  }
+
+  function deleteDecision(decisionId) {
+    const $modal = $('#remove-decision-modal');
+    $modal.find('.modal-title').text('Delete decision #' + decisionId);
+    $modal.find('.modal-body').text('Are you sure?');
+    $modal.find('#remove-decision-confirm').on('click', function () {
+      $.ajax({
+        // XXX handle errors
+        url: '/api/crowdsec/decisions/delete/' + decisionId,
+        method: 'DELETE',
+        success: function (result) {
+          if (result && result.message === 'OK') {
+            $('#decisions table').bootgrid('remove', [decisionId]);
+            $modal.modal('hide');
+          }
+        },
+      });
+    });
+    $modal.modal('show');
+  }
+
+  function init() {
+    initService();
+
+    $('#machines_tab').on('click', _initStatusMachines);
+    $('#collections_tab').on('click', _initStatusCollections);
+    $('#scenarios_tab').on('click', _initStatusScenarios);
+    $('#parsers_tab').on('click', _initStatusParsers);
+    $('#postoverflows_tab').on('click', _initStatusPostoverflows);
+    $('#bouncers_tab').on('click', _initStatusBouncers);
+    $('#alerts_tab').on('click', _initStatusAlerts);
+    $('#decisions_tab').on('click', _initStatusDecisions);
+
+    $('[data-toggle="tooltip"]').tooltip();
+
+    if (window.location.hash) {
+      // activate a tab from the hash, if it exists
+      $(window.location.hash + '_tab').click();
+    } else {
+      // otherwise, machines
+      $('#machines_tab').click();
     }
 
-    return {
-        deleteDecision: deleteDecision,
-        init: init
-    };
-}());
+    $(window).on('hashchange', function (e) {
+      $(window.location.hash + '_tab').click();
+    });
+
+    // navigation
+    if (window.location.hash !== '') {
+      $('a[href="' + window.location.hash + '"]').click();
+    }
+    $('.nav-tabs a').on('shown.bs.tab', function (e) {
+      history.pushState(null, null, e.target.hash);
+    });
+  }
+
+  return {
+    deleteDecision: deleteDecision,
+    init: init,
+  };
+})();

From b24cec32088b118b3e1cf6de1a1abc27c326eb2a Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 27 May 2025 17:01:17 +0200
Subject: [PATCH 2456/3088] net/frr: Add bgp listen range to peer groups
 (#4722)

---
 .../OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml     | 8 ++++++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml   | 7 +++++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf  | 5 +++++
 3 files changed, 20 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
index 4f29080fcc..50f122d474 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
@@ -33,6 +33,14 @@
       <visible>false</visible>
     </grid_view>
   </field>
+  <field>
+    <id>peergroup.listenranges</id>
+    <label>Listen Ranges</label>
+    <type>select_multiple</type>
+    <style>tokenize</style>
+    <allownew>true</allownew>
+    <help>Enter one or multiple IP networks in CIDR notation. Accept connections from any peers in the specified prefix.</help>
+  </field>
   <field>
     <id>peergroup.updatesource</id>
     <label>Update-Source Interface</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 2d90959720..53a356be7e 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -439,6 +439,13 @@
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>4294967295</MaximumValue>
                         </remoteas>
+                        <listenranges type="NetworkField">
+                                <FieldSeparator>,</FieldSeparator>
+                                <AsList>Y</AsList>
+                                <Strict>Y</Strict>
+                                <NetMaskRequired>Y</NetMaskRequired>
+                                <ValidationMessage>Please enter one or multiple valid IP networks in CIDR notation.</ValidationMessage>
+                        </listenranges>
                         <updatesource type="InterfaceField">
                                 <AllowDynamic>Y</AllowDynamic>
                                 <filters>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index ba1faa37cf..51c0ba3d92 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -98,6 +98,11 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%           endif %}
 {%         endfor %}
 {%       endif %}
+{%       if peergroup.listenranges %}
+{%           for prefix in peergroup.listenranges.split(',') %}
+ bgp listen range {{ prefix }} peer-group {{ peergroup.name }}
+{%           endfor %}
+{%       endif %}
 {%     endif %}
 {%   endfor %}
 {%   if helpers.exists('OPNsense.quagga.bgp.neighbors.neighbor') %}

From 62d098db8e644a2c7ae1e7f7439e57edc8f9ecf5 Mon Sep 17 00:00:00 2001
From: Rajiv Aaron Manglani <rajiv@alum.mit.edu>
Date: Thu, 29 May 2025 05:05:33 -0400
Subject: [PATCH 2457/3088] dns/ddclient: Add Akamai to option values. (#4728)

---
 .../src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml     | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 609ff3a1ba..7157664393 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -139,6 +139,9 @@
                     <Default>web_dyndns</Default>
                     <ValidationMessage>An IP service type is required.</ValidationMessage>
                     <OptionValues>
+                        <web_akamai>akamai</web_akamai>
+                        <web_akamai_ipv4 value="akamai-ipv4">akamai-ipv4</web_akamai_ipv4>
+                        <web_akamai_ipv6 value="akamai-ipv6">akamai-ipv6</web_akamai_ipv6>
                         <web_cloudflare>cloudflare</web_cloudflare>
                         <web_cloudflare_ipv4 value="cloudflare-ipv4">cloudflare-ipv4</web_cloudflare_ipv4>
                         <web_cloudflare_ipv6 value="cloudflare-ipv6">cloudflare-ipv6</web_cloudflare_ipv6>

From ba6dedd977d7304b2b6c4bd309fb83b2b4fdbf2c Mon Sep 17 00:00:00 2001
From: Hasan UCAK <hasan@sunnyvalley.io>
Date: Mon, 2 Jun 2025 16:23:08 +0300
Subject: [PATCH 2458/3088] update os-sunnyvalley repo hostname (#4736)

---
 vendor/sunnyvalley/Makefile                               | 8 ++++----
 .../src/etc/pkg/repos/SunnyValley.conf.shadow.in          | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 4a44d5a877..a575cccfbb 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,8 +1,8 @@
 PLUGIN_NAME=		sunnyvalley
-PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	3
-PLUGIN_COMMENT=		Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
-PLUGIN_MAINTAINER=	opensource@sunnyvalley.io
+PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
+PLUGIN_COMMENT=		Vendor Repository for Zenarmor (Enterprise Security Modules - NGFW, SSE, SASE, f.k.a Sensei)
+PLUGIN_MAINTAINER=	opensource@zenarmor.com
 PLUGIN_WWW=		https://www.zenarmor.com
 
 .include "../../Mk/plugins.mk"
diff --git a/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.shadow.in b/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.shadow.in
index 4bc181315e..8aced05ba6 100644
--- a/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.shadow.in
+++ b/vendor/sunnyvalley/src/etc/pkg/repos/SunnyValley.conf.shadow.in
@@ -1,6 +1,6 @@
 SunnyValley: {
   fingerprints: "/usr/local/etc/pkg/fingerprints/SunnyValley",
-  url: "https://updates.zenarmor.com/opnsense/${ABI}/%%PLUGIN_ABI%%/latest",
+  url: "https://updates.zenarmor.net/opnsense/${ABI}/%%PLUGIN_ABI%%/latest",
   signature_type: "fingerprints",
   priority: 7,
   enabled: yes

From f7c0282132d57596d1ff3436918e619762aaa062 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 2 Jun 2025 16:00:23 +0200
Subject: [PATCH 2459/3088] vendor/sunnyvalley - remove revision on new version

---
 vendor/sunnyvalley/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index a575cccfbb..ac1e0d0041 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (Enterprise Security Modules - NGFW, SSE, SASE, f.k.a Sensei)
 PLUGIN_MAINTAINER=	opensource@zenarmor.com
 PLUGIN_WWW=		https://www.zenarmor.com

From 2da22da18bb43783b27d2d522787c9dfe64b188b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 5 Jun 2025 08:53:33 +0200
Subject: [PATCH 2460/3088] net/frr: Upgrade from frr8 to frr10 (#4741)

* net/frr: Update dependency to frr10 for testing

* net/frr: Add mgmtd daemon before zebra as its mandatory in frr10
---
 net/frr/Makefile                                           | 2 +-
 net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 0b628771b8..e32c37a32c 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.45
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
-PLUGIN_DEPENDS=		frr8-pythontools
+PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index 7235af5106..c9069cd810 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -6,7 +6,7 @@ frr_enable="YES"
 {% if helpers.exists('OPNsense.quagga.general.enablecarp') and OPNsense.quagga.general.enablecarp == '1' %}
 start_precmd="ifconfig | grep 'carp: MASTER'"
 {% endif %}
-frr_daemons="zebra{%
+frr_daemons="mgmtd zebra{%
 if helpers.exists('OPNsense.quagga.ospf.enabled') and OPNsense.quagga.ospf.enabled == '1' %} ospfd{% endif %}{%
 if helpers.exists('OPNsense.quagga.rip.enabled') and OPNsense.quagga.rip.enabled == '1' %} ripd{% endif %}{%
 if helpers.exists('OPNsense.quagga.bfd.enabled') and OPNsense.quagga.bfd.enabled == '1' %} bfdd{% endif %}{%

From bb1721640d1f0ceda42d6930b72cea1ee2667cb5 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 11 Jun 2025 09:09:45 +0200
Subject: [PATCH 2461/3088] www/caddy: Fix add handler command causing all
 domain and subdomain selections being cleared sometimes (#4748)

---
 www/caddy/Makefile                              |  2 +-
 www/caddy/pkg-descr                             |  5 +++++
 .../app/views/OPNsense/Caddy/reverse_proxy.volt | 17 +++++++----------
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index a96b003698..08f8f247a4 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		2.0.0
+PLUGIN_VERSION=		2.0.1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 5675bdbf04..6eb887b280 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -6,6 +6,11 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+2.0.1
+
+Add: Active health checks to handlers (contributed by zaben903) (opnsense/plugins/pull/4721)
+Fix: Add handler command sometimes clearing domain selection in open dialogue (opnsense/plugins/pull/4748)
+
 2.0.0
 
 * Attention - Breaking Change: All DNS Providers except Cloudflare have been removed and will not come back (opnsense/plugins/pull/4691)
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index f7d9bbe624..63c32b2688 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -394,17 +394,14 @@
 
         // When subdomain is selected in handler show only wildcard domains
         $("#handle\\.subdomain").on("change", function () {
-            const subdomainSelected = $("#handle\\.subdomain").val() !== "";
-
-            $("#handle\\.reverse").find("option").each(function () {
-                const isWildcard = $(this).text().includes("*.");
-                $(this).toggle(!subdomainSelected || isWildcard);
-            });
+            if (!$(this).val()) {
+                $("#handle\\.reverse option").show();
+            } else {
+                $("#handle\\.reverse option").each(function () {
+                    $(this).toggle($(this).text().includes("*."));
+                });
 
-            if (subdomainSelected) {
-                const selectedText = $("#handle\\.reverse").find("option:selected").text();
-                if (!selectedText.includes("*.")) {
-                    // Clear selection if not a wildcard
+                if (!$("#handle\\.reverse option:selected").text().includes("*.")) {
                     $("#handle\\.reverse").val("").change();
                 }
             }

From 5c8d9e658efb20208647e9a7cc30befba5927284 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Jun 2025 10:05:41 +0200
Subject: [PATCH 2462/3088] net/frr: document

---
 net/frr/pkg-descr | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index b017951127..f78f74d8e3 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -15,6 +15,8 @@ Plugin Changelog
 1.45
 
 * Add neighbor config to OSPF (contributed by Andy Binder)
+* Add BGP listen range to peer groups
+* Switch to FRR 10
 
 1.44
 

From ee32616322b8405bd4963f8aaf65e513caf5fbe7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Jun 2025 10:06:35 +0200
Subject: [PATCH 2463/3088] security/crowdsec: blurp

---
 security/crowdsec/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index c1410526bb..7629c64957 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 ================
 
 1.0.10
+
  * changed alias names crowdsec*blacklists -> crowdsec*blocklists
  * added rules for outgoing connections too
  * added enroll_key to settings for automatic enrollment

From 1df2eba6c29e1fb9b83c0db0125399a17698e6c8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Jun 2025 10:09:17 +0200
Subject: [PATCH 2464/3088] www/squid: yep

---
 www/squid/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index aa23c609c6..71c2e36f35 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 
 * Change cache_dir from "ufs" to "rock" (contributed by Andy Binder)
 * Authenticate before blocklist (contributed by Andy Binder)
+* Select behavior for banned hosts (contributed by Andy Binder)
 * Do not reject no-bump sites when certificate validation fails (contributed by Michael Muenz)
 
 1.1

From 200436b06ea7ee4b91f59eaee61a5a9263c4bf0f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 16 Jun 2025 18:00:13 +0200
Subject: [PATCH 2465/3088] security/acme-client: fix acme.sh is always called
 with "--days 1", refs #4711

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../mvc/app/library/OPNsense/AcmeClient/LeCertificate.php    | 3 ++-
 .../app/library/OPNsense/AcmeClient/LeValidation/Base.php    | 4 ++--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 9a3c8d0133..0e86634118 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.10
+
+Fixed:
+* acme.sh is always called with "--days 1" (#4711)
+
 4.9
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 518a2c0f7e..edc3c23565 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -642,7 +642,8 @@ public function setValidation()
 
             // Configure validation object
             $val->setNames($this->config->name, $this->config->altNames, $this->config->aliasmode, $this->config->domainalias, $this->config->challengealias);
-            $val->setRenewal((int)$this->config->renewInterval);
+            $renewInterval = (string)$this->config->renewInterval;
+            $val->setRenewal((int)$renewInterval);
             $val->setForce($this->force);
             $val->setOcsp((string)$this->config->ocsp == 1 ? true : false);
             // strip prefix from key value
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index b28effbb6d..1946ab3b9f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2024 Frank Wall
+ * Copyright (C) 2020-2025 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
@@ -286,6 +286,6 @@ public function setOcsp(bool $ocsp = false)
      */
     public function setRenewal(int $interval = 60)
     {
-        $this->acme_args[] = LeUtils::execSafe('--days %s', (string)$interval);
+        $this->acme_args[] = LeUtils::execSafe('--days %s', $interval);
     }
 }

From 18d2c753d42744dee8537b311d3a1406c38084b0 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 16 Jun 2025 18:02:45 +0200
Subject: [PATCH 2466/3088] security/acme-client: bump version

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 809895dc03..a81e74fb70 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.9
+PLUGIN_VERSION=		4.10
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 0e86634118..ff4b768bb4 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,9 @@ Plugin Changelog
 
 4.10
 
+Added:
+* new automation to reload www/caddy (#4692)
+
 Fixed:
 * acme.sh is always called with "--days 1" (#4711)
 

From 5458836c03132b9b9e1b4c0c1c030619a29c0e26 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 16 Jun 2025 18:20:47 +0200
Subject: [PATCH 2467/3088] security/acme-client: avoid startup error, refs
 #4743

---
 security/acme-client/pkg-descr                               | 1 +
 .../src/opnsense/scripts/OPNsense/AcmeClient/setup.sh        | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index ff4b768bb4..4c69017f36 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,7 @@ Added:
 
 Fixed:
 * acme.sh is always called with "--days 1" (#4711)
+* avoid startup error: "rmdir... Not a directory" (#4743)
 
 4.9
 
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
index 8a63526528..567364b401 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/setup.sh
@@ -20,7 +20,10 @@ chmod 750 ${ACME_BASE} ${ACME_BASE}/*
 # This should guard against manual misconfiguration.
 for link in ${ACME_LINKS}; do
     # First remove any existing file/directory.
-    if [ -f "${ACME_BASE}/home/${link}" ]; then
+    if [ -L "${ACME_BASE}/home/${link}" ]; then
+        # Already a symlink, skip this enty.
+        continue
+    elif [ -f "${ACME_BASE}/home/${link}" ]; then
         rm ${ACME_BASE}/home/${link}
     elif [ -d "${ACME_BASE}/home/${link}" ]; then
         rmdir ${ACME_BASE}/home/${link}

From 82cff66d04290962b3ca2c3d0aa93cf75a21c823 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Jun 2025 12:00:48 +0200
Subject: [PATCH 2468/3088] security/acme-client: automatically resolve cron
 job mismatch, fixes #4627

---
 security/acme-client/pkg-descr                |   4 +
 .../AcmeClient/Api/SettingsController.php     | 101 ++++++++++++------
 2 files changed, 75 insertions(+), 30 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 4c69017f36..4650976daf 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,9 +13,13 @@ Plugin Changelog
 Added:
 * new automation to reload www/caddy (#4692)
 
+Changed:
+* automatically resolve cron job mismatch (#4627)
+
 Fixed:
 * acme.sh is always called with "--days 1" (#4711)
 * avoid startup error: "rmdir... Not a directory" (#4743)
+* fails to create/update cron job on UUID mismatch (#4627)
 
 4.9
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index 695239e5b8..5251a32f7c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2017-2021 Frank Wall
+ *    Copyright (C) 2017-2025 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -59,39 +59,79 @@ public function fetchCronIntegrationAction()
             $mdlAcme = $this->getModel();
             $backend = new Backend();
 
-            // Setup cronjob if AcmeClient and AutoRenewal is enabled.
+            // Setup cron job if AcmeClient and AutoRenewal is enabled.
             if (
-                (string)$mdlAcme->settings->UpdateCron == "" and
                 (string)$mdlAcme->settings->autoRenewal == "1" and
                 (string)$mdlAcme->settings->enabled == "1"
             ) {
-                $mdlCron = new Cron();
-                // NOTE: Only configd actions are valid commands for cronjobs
-                //       and they *must* provide a description that is not empty.
-                $cron_uuid = $mdlCron->newDailyJob(
-                    "AcmeClient",
-                    "acmeclient cron-auto-renew",
-                    "AcmeClient Cronjob for Certificate AutoRenewal",
-                    "*",
-                    "1"
-                );
-                $mdlAcme->settings->UpdateCron = $cron_uuid;
-
-                // Save updated configuration.
-                if ($mdlCron->performValidation()->count() == 0) {
-                    $mdlCron->serializeToConfig();
-                    // save data to config, do not validate because the current in memory model doesn't know about the
-                    // cron item just created.
-                    $mdlAcme->serializeToConfig($validateFullModel = false, $disable_validation = true);
-                    Config::getInstance()->save();
-                    // Refresh the crontab
-                    $backend->configdRun('template reload OPNsense/Cron');
-                    // (res)start daemon
-                    $backend->configdRun("cron restart");
-                    $result['result'] = "new";
-                    $result['uuid'] = $cron_uuid;
-                } else {
-                    $result['result'] = "unable to add cron";
+                // Check if a cron job UUID is available.
+                $cron_uuid = (string)$mdlAcme->settings->UpdateCron;
+                $cron_found = 0;
+                if ($cron_uuid != "") {
+                    // Try to get cron job data from system config.
+                    $cron_job = (new Cron())->getNodeByReference('jobs.job.' . $cron_uuid);
+                    if ($cron_job != null) {
+                        // Cron job found, no changes required.
+                        $cron_found = 1;
+                        $this->getLogger()->notice("AcmeClient: successfully validated cron job");
+                    } else {
+                        // Cron job NOT found. This should not happen, try to fix
+                        // this automatically.
+                        $this->getLogger()->error("AcmeClient: cron job with stored UUID not found in system config: ${cron_uuid}");
+
+                        // Search for existing AcmeClient cron job.
+                        foreach ((new Cron())->getNodeByReference('jobs.job')->iterateItems() as $cron) {
+                            $_uuid = $cron->getAttributes()["uuid"];
+                            $_origin = (string)$cron->origin;
+                            if ($_origin == 'AcmeClient') {
+                                // Found a matching AcmeClient cron job.
+                                $cron_found = 1;
+                                $this->getLogger()->notice("AcmeClient: found existing AcmeClient cron job, fixing inconsistency in config (new UUID: ${_uuid})");
+                                // Update UUID in Acme Client config.
+                                $mdlAcme->settings->UpdateCron = $_uuid;
+                                // Save updated configuration.
+                                // TODO: need to disable validation?
+                                $mdlAcme->serializeToConfig();
+                                Config::getInstance()->save();
+                                $result['result'] = "new";
+                                $result['uuid'] = $_uuid;
+                                break;
+                            }
+                        }
+                    }
+                }
+
+                // No matching cron job found. Create a new one.
+                if ($cron_found == 0) {
+                    $this->getLogger()->notice("AcmeClient: no cron job for AutoRenewal found, creating a new one");
+                    $mdlCron = new Cron();
+                    // NOTE: Only configd actions are valid commands for cronjobs
+                    //       and they *must* provide a description that is not empty.
+                    $cron_uuid = $mdlCron->newDailyJob(
+                        "AcmeClient",
+                        "acmeclient cron-auto-renew",
+                        "AcmeClient Cronjob for Certificate AutoRenewal",
+                        "*",
+                        "1"
+                    );
+                    $mdlAcme->settings->UpdateCron = $cron_uuid;
+
+                    // Save updated configuration.
+                    if ($mdlCron->performValidation()->count() == 0) {
+                        $mdlCron->serializeToConfig();
+                        // save data to config, do not validate because the current in memory model doesn't know about the
+                        // cron item just created.
+                        $mdlAcme->serializeToConfig($validateFullModel = false, $disable_validation = true);
+                        Config::getInstance()->save();
+                        // Refresh the crontab
+                        $backend->configdRun('template reload OPNsense/Cron');
+                        // (res)start daemon
+                        $backend->configdRun("cron restart");
+                        $result['result'] = "new";
+                        $result['uuid'] = $cron_uuid;
+                    } else {
+                        $result['result'] = "unable to add cron";
+                    }
                 }
             // Delete cronjob if AcmeClient or AutoRenewal is disabled.
             } elseif (
@@ -99,6 +139,7 @@ public function fetchCronIntegrationAction()
                 ((string)$mdlAcme->settings->autoRenewal == "0" or
                 (string)$mdlAcme->settings->enabled == "0")
             ) {
+                $this->getLogger()->notice("AcmeClient: plugin or AutoRenewal is disabled, removing existing cron job");
                 // Get UUID, clean existin entry
                 $cron_uuid = (string)$mdlAcme->settings->UpdateCron;
                 $mdlAcme->settings->UpdateCron = "";

From 417ad699e24a538acf107b56bb6f463f257e425d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Jun 2025 14:44:16 +0200
Subject: [PATCH 2469/3088] security/acme-client: add support for Websupport.sk
 DNS API, closes #4540

---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsWebsupport.php | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 4 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsWebsupport.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 4650976daf..7bf1c46d5d 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Added:
 * new automation to reload www/caddy (#4692)
+* add support for Websupport.sk DNS API (#4540)
 
 Changed:
 * automatically resolve cron job mismatch (#4627)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index b0f4e09a2a..d710440361 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1779,6 +1779,21 @@
         <label>ClientSecret</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Websupport.sk</label>
+        <type>header</type>
+        <style>table_dns table_dns_websupport</style>
+    </field>
+    <field>
+        <id>validation.dns_websupport_api_key</id>
+        <label>Identifier</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_websupport_api_secret</id>
+        <label>Secret key</label>
+        <type>password</type>
+    </field>
     <field>
         <label>World4You</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsWebsupport.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsWebsupport.php
new file mode 100644
index 0000000000..83393e3eb7
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsWebsupport.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Frank Wall
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Websupport DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsWebsupport extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['WS_ApiKey'] = (string)$this->config->dns_websupport_api_key;
+        $this->acme_env['WS_ApiSecret'] = (string)$this->config->dns_websupport_api_secret;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b1efacf4ac..4a3a31dcf1 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -525,6 +525,7 @@
                         <dns_variomedia>Variomedia.de</dns_variomedia>
                         <dns_vscale>Vscale</dns_vscale>
                         <dns_vultr>Vultr</dns_vultr>
+                        <dns_websupport>Websupport.sk</dns_websupport>
                         <dns_world4you>World4You</dns_world4you>
                         <dns_yandex>Yandex PDD</dns_yandex>
                         <dns_zilore>Zilore</dns_zilore>
@@ -1247,6 +1248,12 @@
                 <dns_nic_secret type="TextField">
                     <Required>N</Required>
                 </dns_nic_secret>
+                <dns_websupport_api_key type="TextField">
+                    <Required>N</Required>
+                </dns_websupport_api_key>
+                <dns_websupport_api_secret type="TextField">
+                    <Required>N</Required>
+                </dns_websupport_api_secret>
                 <dns_world4you_username type="TextField">
                     <Required>N</Required>
                 </dns_world4you_username>

From a713be09744c5bb0419e466b45af3b89240ba17e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Jun 2025 15:18:14 +0200
Subject: [PATCH 2470/3088] net/haproxy: rename input field + improve help
 text, refs #4650

---
 net/haproxy/pkg-descr                                       | 6 ++++++
 .../app/controllers/OPNsense/HAProxy/forms/dialogAction.xml | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index daac185c39..13a4f948b6 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,12 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.6
+
+Changed:
+* improve help text for "http-request redirect" rules (#4650)
+* rename "http-request redirect" input field (#4650)
+
 4.5
 
 Changed:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index e0e5e345df..0386b9f1ae 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -87,9 +87,9 @@
     </field>
     <field>
         <id>action.http_request_redirect</id>
-        <label>HTTP Redirect</label>
+        <label>Redirect Command</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. See <a href="http://docs.haproxy.org/3.0/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. A full redirect command is required, e.g. "location https://www.example.net/" or "scheme https code 301". See <a href="http://docs.haproxy.org/3.0/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>

From 61ecefd7322d02540f0e88cf11926813f26221f8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Jun 2025 15:20:33 +0200
Subject: [PATCH 2471/3088] net/haproxy: switch to net/haproxy30 port, refs
 #4758

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index e629b6ca0e..8752101154 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.5
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy py${PLUGIN_PYTHON}-haproxy-cli
+PLUGIN_DEPENDS=		haproxy30 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"

From a56c6fd856f81afe78ce6d0cb6ec211723594b6b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Jun 2025 15:20:52 +0200
Subject: [PATCH 2472/3088] net/haproxy: bump version

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 8752101154..c478e619d5 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.5
+PLUGIN_VERSION=		4.6
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy30 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de

From a3193a92b0f6abc570cb0731a91b24c3a22aa21e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Jun 2025 16:24:46 +0200
Subject: [PATCH 2473/3088] security: add OpenVPN and IPsec (Strongswan) legacy
 plugins

No content yet to make the backport easier.
---
 README.md                            | 4 +++-
 security/openvpn-legacy/Makefile     | 9 +++++++++
 security/openvpn-legacy/pkg-descr    | 1 +
 security/strongswan-legacy/Makefile  | 9 +++++++++
 security/strongswan-legacy/pkg-descr | 1 +
 5 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 security/openvpn-legacy/Makefile
 create mode 100644 security/openvpn-legacy/pkg-descr
 create mode 100644 security/strongswan-legacy/Makefile
 create mode 100644 security/strongswan-legacy/pkg-descr

diff --git a/README.md b/README.md
index fd94485a85..c1bd798107 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,9 @@ security/intrusion-detection-content-pt-open -- IDS Positive Technologies ESC ru
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
 security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
+security/openvpn-legacy -- OpenVPN legacy support (development only)
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
+security/strongswan-legacy -- IPsec legacy support (development only)
 security/stunnel -- Stunnel TLS proxy
 security/tailscale -- VPN mesh securely connecting clients using WireGuard
 security/tinc -- Tinc VPN
@@ -115,7 +117,7 @@ sysutils/smart -- SMART tools
 sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools
 sysutils/xen -- Xen guest utilities
-vendor/sunnyvalley -- Vendor Repository for Zenarmor (a.k.a Sensei, Next Generation Firewall Extensions)
+vendor/sunnyvalley -- Vendor Repository for Zenarmor (Enterprise Security Modules - NGFW, SSE, SASE, f.k.a Sensei)
 www/OPNProxy -- OPNsense proxy additions
 www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
diff --git a/security/openvpn-legacy/Makefile b/security/openvpn-legacy/Makefile
new file mode 100644
index 0000000000..2d4fb4c6f6
--- /dev/null
+++ b/security/openvpn-legacy/Makefile
@@ -0,0 +1,9 @@
+PLUGIN_NAME=		openvpn-legacy
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		OpenVPN legacy support
+PLUGIN_DEPENDS=		# openvpn
+PLUGIN_DEVEL=		yes
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		2
+
+.include "../../Mk/plugins.mk"
diff --git a/security/openvpn-legacy/pkg-descr b/security/openvpn-legacy/pkg-descr
new file mode 100644
index 0000000000..aba0dbd28e
--- /dev/null
+++ b/security/openvpn-legacy/pkg-descr
@@ -0,0 +1 @@
+This plugin adds the legacy OpenVPN server/client configuration pages.
diff --git a/security/strongswan-legacy/Makefile b/security/strongswan-legacy/Makefile
new file mode 100644
index 0000000000..a2f7792d08
--- /dev/null
+++ b/security/strongswan-legacy/Makefile
@@ -0,0 +1,9 @@
+PLUGIN_NAME=		strongswan-legacy
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		IPsec legacy support
+PLUGIN_DEPENDS=		# strongswan
+PLUGIN_DEVEL=		yes
+PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_TIER=		2
+
+.include "../../Mk/plugins.mk"
diff --git a/security/strongswan-legacy/pkg-descr b/security/strongswan-legacy/pkg-descr
new file mode 100644
index 0000000000..4d829ceb3c
--- /dev/null
+++ b/security/strongswan-legacy/pkg-descr
@@ -0,0 +1 @@
+This plugin adds the legacy IPsec tunnel and mobile configuration pages.

From 7f589bdbae3d58722a19f80640bf32044a9e4190 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Jun 2025 16:27:31 +0200
Subject: [PATCH 2474/3088] security/openvpn-legacy: fill in the code

This is basically it for the plugin.  The harder part is taking care
of the core support and detecting the plugin use.

PR: https://github.com/opnsense/core/issues/8347
---
 .../app/models/OPNsense/OpenVPN/ACL/ACL.xml   |   14 +
 .../app/models/OPNsense/OpenVPN/Menu/Menu.xml |   12 +
 .../src/www/vpn_openvpn_client.php            | 1231 ++++++++++++
 .../src/www/vpn_openvpn_server.php            | 1710 +++++++++++++++++
 4 files changed, 2967 insertions(+)
 create mode 100644 security/openvpn-legacy/src/opnsense/mvc/app/models/OPNsense/OpenVPN/ACL/ACL.xml
 create mode 100644 security/openvpn-legacy/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Menu/Menu.xml
 create mode 100644 security/openvpn-legacy/src/www/vpn_openvpn_client.php
 create mode 100644 security/openvpn-legacy/src/www/vpn_openvpn_server.php

diff --git a/security/openvpn-legacy/src/opnsense/mvc/app/models/OPNsense/OpenVPN/ACL/ACL.xml b/security/openvpn-legacy/src/opnsense/mvc/app/models/OPNsense/OpenVPN/ACL/ACL.xml
new file mode 100644
index 0000000000..0060530434
--- /dev/null
+++ b/security/openvpn-legacy/src/opnsense/mvc/app/models/OPNsense/OpenVPN/ACL/ACL.xml
@@ -0,0 +1,14 @@
+<acl>
+    <page-openvpn-client>
+        <name>VPN: OpenVPN: Client</name>
+        <patterns>
+            <pattern>vpn_openvpn_client.php*</pattern>
+        </patterns>
+    </page-openvpn-client>
+    <page-openvpn-server>
+        <name>VPN: OpenVPN: Server</name>
+        <patterns>
+            <pattern>vpn_openvpn_server.php*</pattern>
+        </patterns>
+    </page-openvpn-server>
+</acl>
diff --git a/security/openvpn-legacy/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Menu/Menu.xml b/security/openvpn-legacy/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Menu/Menu.xml
new file mode 100644
index 0000000000..c611e9fc6a
--- /dev/null
+++ b/security/openvpn-legacy/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Menu/Menu.xml
@@ -0,0 +1,12 @@
+<menu>
+    <VPN>
+        <OpenVPN>
+            <Servers VisibleName="Servers [legacy]" order="20" url="/vpn_openvpn_server.php">
+                <Edit url="/vpn_openvpn_server.php?*" visibility="hidden"/>
+            </Servers>
+            <Clients VisibleName="Clients [legacy]" order="22" url="/vpn_openvpn_client.php">
+                <Edit url="/vpn_openvpn_client.php?*" visibility="hidden"/>
+            </Clients>
+        </OpenVPN>
+    </VPN>
+</menu>
diff --git a/security/openvpn-legacy/src/www/vpn_openvpn_client.php b/security/openvpn-legacy/src/www/vpn_openvpn_client.php
new file mode 100644
index 0000000000..bded6628b1
--- /dev/null
+++ b/security/openvpn-legacy/src/www/vpn_openvpn_client.php
@@ -0,0 +1,1231 @@
+<?php
+
+/*
+ * Copyright (C) 2014-2016 Deciso B.V.
+ * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("interfaces.inc");
+require_once("plugins.inc.d/openvpn.inc");
+
+$a_client = &config_read_array('openvpn', 'openvpn-client');
+
+$vpnid = 0;
+$act = null;
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    if (isset($_GET['dup']) && isset($a_client[$_GET['dup']]))  {
+        $configId = $_GET['dup'];
+    } elseif (isset($_GET['id']) && isset($a_client[$_GET['id']])) {
+        $id = $_GET['id'];
+        $configId = $id;
+    }
+
+    if (isset($_GET['act'])) {
+        $act = $_GET['act'];
+    }
+
+    $pconfig = array();
+    // set defaults
+    $pconfig['autokey_enable'] = "yes"; // just in case the modes switch
+    $pconfig['autotls_enable'] = "yes"; // just in case the modes switch
+    $pconfig['tlsmode'] = "auth";
+    $pconfig['digest'] = "SHA1";
+    $pconfig['verbosity_level'] = 1; // Default verbosity is 1
+
+        // edit existing.
+    if (isset($configId)) {
+        // 1 on 1 copy of config attributes
+        $copy_fields = "auth_user,auth_pass,disable,mode,protocol,interface
+            ,local_port,server_addr,server_port,resolve_retry,remote_random,reneg-sec
+            ,proxy_addr,proxy_port,proxy_user,proxy_passwd,proxy_authtype,description
+            ,custom_options,ns_cert_type,dev_mode,tlsmode,caref,certref,crypto,digest
+            ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6,use_shaper
+            ,compression,passtos,route_no_pull,route_no_exec,verbosity_level";
+
+        foreach (explode(",", $copy_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if (isset($a_client[$configId][$fieldname])) {
+                $pconfig[$fieldname] = $a_client[$configId][$fieldname];
+            } elseif (!isset($pconfig[$fieldname])) {
+                // initialize element
+                $pconfig[$fieldname] = null;
+            }
+        }
+
+        // load / convert
+        if (!empty($a_client[$configId]['ipaddr'])) {
+            $pconfig['interface'] = $pconfig['interface'] . '|' . $a_client[$configId]['ipaddr'];
+        }
+
+        if (isset($a_client[$configId]['tls'])) {
+            $pconfig['tls'] = base64_decode($a_client[$configId]['tls']);
+        } else {
+            $pconfig['tls'] = null;
+            $pconfig['tlsmode'] = null;
+        }
+
+        if (isset($a_client[$configId]['shared_key'])) {
+            $pconfig['shared_key'] = base64_decode($a_client[$configId]['shared_key']);
+        } else {
+            $pconfig['shared_key'] = null ;
+        }
+
+        if (isset($id)) {
+            $vpnid = $a_client[$id]['vpnid'];
+        }
+    } elseif ($act=="new") {
+        // create new
+        $pconfig['interface'] = 'any';
+        $init_fields = "auth_user,auth_pass,disable,mode,protocol,interface
+            ,local_port,server_addr,server_port,resolve_retry,remote_random,reneg-sec
+            ,proxy_addr,proxy_port,proxy_user,proxy_passwd,proxy_authtype,description
+            ,custom_options,ns_cert_type,dev_mode,caref,certref,crypto,digest,tlsmode
+            ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6,use_shaper
+            ,compression,passtos,route_no_pull,route_no_exec,verbosity_level";
+
+        foreach (explode(",", $init_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if (!isset($pconfig[$fieldname])) {
+                $pconfig[$fieldname] = null;
+            }
+        }
+    }
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $pconfig = $_POST;
+    $input_errors = array();
+    if (isset($_POST['id']) && isset($a_client[$_POST['id']])) {
+        $id = $_POST['id'];
+    }
+    if (isset($_POST['act'])) {
+        $act = $_POST['act'];
+    }
+
+    if ($act == "del") {
+        $response = ["status" => "failed", "message" => gettext("not found")];
+        if (isset($id) && !empty($a_client[$id])) {
+            openvpn_delete('client', $a_client[$id]);
+            unset($a_client[$id]);
+            write_config();
+            $response = ["status" => "ok"];
+        }
+        echo json_encode($response);
+        exit;
+    } elseif ($act == "del_x") {
+        if (!empty($pconfig['rule']) && is_array($pconfig['rule'])) {
+            foreach ($pconfig['rule'] as $rulei) {
+                $vpn_id = !empty($a_client[$rulei]) ? $a_client[$rulei]['vpnid'] : null;
+                if (!empty($a_client[$rulei])) {
+                    openvpn_delete('client', $a_client[$rulei]);
+                    unset($a_client[$rulei]);
+                }
+            }
+            write_config();
+        }
+        header(url_safe('Location: /vpn_openvpn_client.php'));
+        exit;
+    } elseif ($act == "move"){
+      // move selected items
+      if (!isset($id)) {
+          // if id not set/found, move to end
+          $id = count($a_client);
+      }
+      $a_client = legacy_move_config_list_items($a_client, $id,  $pconfig['rule']);
+      write_config();
+      header(url_safe('Location: /vpn_openvpn_client.php'));
+      exit;
+    } elseif ($act == "toggle") {
+        if (isset($id)) {
+            if (isset($a_client[$id]['disable'])) {
+                unset($a_client[$id]['disable']);
+            } else {
+                $a_client[$id]['disable'] = true;
+            }
+            write_config();
+            openvpn_configure_single($a_client[$id]['vpnid']);
+        }
+        header(url_safe('Location: /vpn_openvpn_client.php'));
+        exit;
+    } else {
+        // update client (after validation)
+        if (isset($id)) {
+            $vpnid = $a_client[$id]['vpnid'];
+        }
+        if (isset($pconfig['mode']) && $pconfig['mode'] != "p2p_shared_key") {
+            $tls_mode = true;
+        } else {
+            $tls_mode = false;
+        }
+
+        // generate new key
+        if (!empty($pconfig['autokey_enable'])) {
+            $pconfig['shared_key'] = openvpn_create_key();
+        }
+
+        /* input validation */
+        if (strpos($pconfig['interface'], '|') !== false) {
+            list($iv_iface, $iv_ip) = explode("|", $pconfig['interface']);
+        } else {
+            $iv_iface = $pconfig['interface'];
+            $iv_ip = null;
+        }
+
+        if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) {
+            $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 address.");
+        } elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) {
+            $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv4 protocol and an IPv6 address.");
+        } elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) {
+            $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");
+        } elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) {
+            $input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address.");
+        }
+        if (!empty($pconfig['local_port'])) {
+            if (!is_numeric($pconfig['local_port']) || $pconfig['local_port'] < 0 || ($pconfig['local_port'] > 65535)) {
+                $input_errors[] = gettext("The field 'Local port' must contain a valid port, ranging from 0 to 65535.");
+            }
+            $portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid);
+            if (($portused != $vpnid) && ($portused != 0)) {
+                $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
+            }
+        }
+
+        $server_addr_a = array();
+        $server_port_a = array();
+
+        foreach (array_keys($pconfig['server_addr']) as $i) {
+            if (empty($pconfig['server_addr'][$i]) && empty($pconfig['server_port'][$i])) {
+                continue;
+            }
+            if (empty($pconfig['server_addr'][$i]) || (!is_domain($pconfig['server_addr'][$i]) && !is_ipaddr($pconfig['server_addr'][$i]))) {
+                $input_errors[] = gettext("The field 'Server host or address' must contain a valid IP address or domain name.") ;
+            }
+            if (empty($pconfig['server_port'][$i]) || !is_numeric($pconfig['server_port'][$i]) || $pconfig['server_port'][$i] < 0 || $pconfig['server_port'][$i] > 65535) {
+                $input_errors[] = gettext("The field 'Server port' must contain a valid port, ranging from 0 to 65535.");
+            }
+            $server_addr_a[] = $pconfig['server_addr'][$i];
+            $server_port_a[] = $pconfig['server_port'][$i];
+        }
+
+        $pconfig['server_addr'] = implode(',', $server_addr_a);
+        $pconfig['server_port'] = implode(',', $server_port_a);
+
+        if (empty($pconfig['server_addr']) || empty($pconfig['server_port'])) {
+            $input_errors[] = gettext("At least one remote server must be specified.");
+        }
+
+        if (isset($pconfig['reneg-sec']) && $pconfig['reneg-sec'] != "" && (string)((int)$pconfig['reneg-sec']) != $pconfig['reneg-sec']) {
+            $input_errors[] = gettext("Renegotiate time should contain a valid number of seconds.");
+        }
+
+        if (!empty($pconfig['proxy_addr'])) {
+            if (empty($pconfig['proxy_addr']) || (!is_domain($pconfig['proxy_addr']) && !is_ipaddr($pconfig['proxy_addr']))) {
+                $input_errors[] = gettext("The field 'Proxy host or address' must contain a valid IP address or domain name.");
+            }
+            if (empty($pconfig['proxy_port']) || !is_numeric($pconfig['proxy_port']) || $pconfig['proxy_port'] < 0 || ($pconfig['proxy_port'] > 65535)) {
+                $input_errors[] = gettext("The field 'Proxy port' must contain a valid port, ranging from 0 to 65535.");
+            }
+            if (isset($pconfig['proxy_authtype']) && $pconfig['proxy_authtype'] != "none") {
+                if (empty($pconfig['proxy_user']) || empty($pconfig['proxy_passwd'])) {
+                    $input_errors[] = gettext("User name and password are required for proxy with authentication.");
+                }
+            }
+        }
+        if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], gettext('IPv4 Tunnel Network'), false, 'ipv4')) {
+            $input_errors[] = $result;
+        }
+        if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], gettext('IPv6 Tunnel Network'), false, 'ipv6')) {
+            $input_errors[] = $result;
+        }
+        if ($result = openvpn_validate_cidr($pconfig['remote_network'], gettext('IPv4 Remote Network'), true, 'ipv4')) {
+            $input_errors[] = $result;
+        }
+        if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], gettext('IPv6 Remote Network'), true, 'ipv6')) {
+            $input_errors[] = $result;
+        }
+        if (!empty($pconfig['use_shaper']) && (!is_numeric($pconfig['use_shaper']) || ($pconfig['use_shaper'] <= 0))) {
+            $input_errors[] = gettext("The bandwidth limit must be a positive numeric value.");
+        }
+        if (!$tls_mode && empty($pconfig['autokey_enable'])) {
+            if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
+                !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) {
+                $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid");
+            }
+        }
+        if ($tls_mode && !empty($pconfig['tlsmode']) && empty($pconfig['autotls_enable'])) {
+            if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") ||
+                !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) {
+                $input_errors[] = gettext("The field 'TLS Shared Key' does not appear to be valid");
+            }
+        }
+
+        /* If we are not in shared key mode, then we need the CA/Cert. */
+        if (isset($pconfig['mode']) && $pconfig['mode'] != "p2p_shared_key") {
+            $reqdfields = explode(" ", "caref");
+            $reqdfieldsn = array(gettext("Certificate Authority"));
+        } elseif (empty($pconfig['autokey_enable'])) {
+            /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */
+            $reqdfields = array('shared_key');
+            $reqdfieldsn = array(gettext('Shared key'));
+        }
+
+        do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
+
+        if (($pconfig['mode'] != "p2p_shared_key") && empty($pconfig['certref']) && empty($pconfig['auth_user']) && empty($pconfig['auth_pass'])) {
+            $input_errors[] = gettext("If no Client Certificate is selected, a username and password must be entered.");
+        }
+        $prev_opt = (isset($id) && !empty($a_client[$id])) ? $a_client[$id]['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext('Advanced options may only be edited by system administrators due to the increased possibility of privilege escalation.');
+        }
+
+        if (count($input_errors) == 0) {
+            // save data
+            $client = array();
+            // 1 on 1 copy of config attributes
+            $copy_fields = "auth_user,auth_pass,protocol,dev_mode,local_port,reneg-sec
+                ,server_addr,server_port,resolve_retry,proxy_addr,proxy_port,remote_random
+                ,proxy_authtype,proxy_user,proxy_passwd,description,mode,crypto,digest
+                ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6
+                ,use_shaper,compression,passtos,route_no_pull,route_no_exec,tlsmode
+                ,verbosity_level,interface";
+
+            foreach (explode(",", $copy_fields) as $fieldname) {
+                $fieldname = trim($fieldname);
+                if (!empty($pconfig[$fieldname]) || $pconfig[$fieldname] == '0') {
+                    $client[$fieldname] = $pconfig[$fieldname];
+                }
+            }
+
+            // attributes containing some kind of logic
+            if ($vpnid) {
+                $client['vpnid'] = $vpnid;
+            } else {
+                $client['vpnid'] = openvpn_vpnid_next();
+            }
+            if (isset($pconfig['disable']) && $pconfig['disable'] == "yes") {
+                $client['disable'] = true;
+            }
+
+            if (strpos($pconfig['interface'], "|") !== false) {
+                    list($client['interface'], $client['ipaddr']) = explode("|", $pconfig['interface']);
+            }
+            $client['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);
+
+            if ($tls_mode) {
+                $client['caref'] = $pconfig['caref'];
+                $client['certref'] = $pconfig['certref'];
+                if (!empty($pconfig['tlsmode'])) {
+                    if (!empty($pconfig['autotls_enable'])) {
+                        $pconfig['tls'] = openvpn_create_key();
+                    }
+                    $client['tls'] = base64_encode($pconfig['tls']);
+                }
+            } else {
+                $client['shared_key'] = base64_encode($pconfig['shared_key']);
+            }
+
+            if (isset($id)) {
+                $a_client[$id] = $client;
+            } else {
+                $a_client[] = $client;
+            }
+
+            write_config();
+
+            openvpn_configure_single($client['vpnid']);
+
+            header(url_safe('Location: /vpn_openvpn_client.php'));
+            exit;
+        }
+    }
+}
+
+// escape form output before processing
+legacy_html_escape_form_data($pconfig);
+
+include("head.inc");
+
+?>
+<body>
+<?php include("fbegin.inc"); ?>
+<script>
+//<![CDATA[
+$( document ).ready(function() {
+  // link delete buttons
+  $(".act_delete").click(function(){
+    var id = $(this).data("id");
+    if (id != 'x') {
+      BootstrapDialog.show({
+          type:BootstrapDialog.TYPE_DANGER,
+          title: "<?= gettext("OpenVPN");?>",
+          message: "<?= gettext("Do you really want to delete this client?"); ?>",
+          buttons: [{
+                  label: "<?= gettext("No");?>",
+                  action: function(dialogRef) {
+                      dialogRef.close();
+                  }}, {
+                    label: "<?= gettext("Yes");?>",
+                    action: function(dialogRef) {
+                      $.post(window.location, {act: 'del', id:id}, function(data) {
+                          if (data.status == 'failed' && data.message !== undefined) {
+                              dialogRef.close();
+                              BootstrapDialog.show({
+                                  type:BootstrapDialog.TYPE_DANGER,
+                                  title: "<?= gettext("OpenVPN");?>",
+                                  message: data.message,
+                                  buttons: [
+                                    {
+                                      label: "<?= gettext("Close");?>",
+                                      action: function(dialogRef) {
+                                        dialogRef.close();
+                                      }
+                                    }
+                                  ]
+                              });
+                              return;
+                          } else {
+                              location.reload();
+                          }
+                      }, 'json');
+                      dialogRef.close();
+                  }
+              }]
+      });
+    } else {
+      // delete selected
+      BootstrapDialog.show({
+        type:BootstrapDialog.TYPE_DANGER,
+        title: "<?=gettext("OpenVPN");?>",
+        message: "<?=gettext("Do you really want to delete the selected clients?");?>",
+        buttons: [{
+                  label: "<?= gettext("No");?>",
+                  action: function(dialogRef) {
+                    dialogRef.close();
+                  }}, {
+                  label: "<?= gettext("Yes");?>",
+                  action: function(dialogRef) {
+                    $("#id").val("");
+                    $("#action").val("del_x");
+                    $("#iform2").submit()
+                }
+              }]
+      });
+    }
+  });
+
+  function removeRow() {
+      if ( $('#maintable > tbody > tr').length == 1 ) {
+          $('#maintable > tbody > tr:last > td > input').each(function () { $(this).val(""); });
+      } else {
+          $(this).parent().parent().remove();
+      }
+  }
+  function addRow() {
+      // copy last row and reset values
+      $('#maintable > tbody > tr:last > td > label').removeClass('act-addrow').addClass('act-removerow');
+      $('#maintable > tbody > tr:last > td > label').unbind('click');
+      $('#maintable > tbody > tr:last > td > label').click(removeRow);
+      $('#maintable > tbody > tr:last > td > label > span:first').removeClass('fa-plus').addClass('fa-minus');
+      $('#maintable > tbody').append('<tr>'+$('#maintable > tbody > tr:last').html()+'</tr>');
+      $('#maintable > tbody > tr:last > td > input').each(function () { $(this).val(""); });
+      $('#maintable > tbody > tr:last > td > label').removeClass('act-removerow').addClass('act-addrow');
+      $('#maintable > tbody > tr:last > td > label').unbind('click');
+      $('#maintable > tbody > tr:last > td > label').click(addRow);
+      $('#maintable > tbody > tr:last > td > label > span:first').removeClass('fa-minus').addClass('fa-plus');
+  }
+  $(".act-removerow").click(removeRow);
+  $(".act-addrow").click(addRow);
+
+  // link toggle buttons
+  $(".act_toggle").click(function(event){
+      event.preventDefault();
+      $.post(window.location, {act: 'toggle', id:$(this).data("id")}, function(data) {
+          location.reload();
+      });
+  });
+
+  // link move buttons
+  $(".act_move").click(function(event){
+    event.preventDefault();
+    $("#id").val($(this).data("id"));
+    $("#action").val("move");
+    $("#iform2").submit();
+  });
+  // watch scroll position and set to last known on page load
+  watchScrollPosition();
+
+  $("#mode").change(function(){
+      switch($(this).val()) {
+          case "p2p_tls":
+            $(".tls_option").show();
+            $(".psk_option").hide();
+            break;
+          case "p2p_shared_key":
+            $(".psk_option").show();
+            $(".tls_option").hide();
+            break;
+      }
+  });
+  $("#mode").change();
+
+  $("#autokey_enable").change(function(){
+      if ($("#autokey_enable:checked").val() != undefined) {
+          $("#autokey_opts").hide();
+      } else {
+          $("#autokey_opts").show();
+      }
+  });
+  $("#autokey_enable").change();
+
+  $("#proxy_authtype").change(function(){
+      if ($('#proxy_authtype').val() != 'none') {
+        $('#proxy_authtype_opts').show();
+      } else {
+        $('#proxy_authtype_opts').hide();
+      }
+  });
+  $("#proxy_authtype").change();
+
+  $("#autotls_enable,#tlsmode").change(function(){
+      if ($("#autotls_enable").length !== 0 && $("#autotls_enable").is(":checked")) {
+          $("#autotls_opts").hide();
+      } else {
+          $("#autotls_opts").show();
+      }
+      if ($("#tlsmode").val() === "") {
+          $(".tls_input_field").prop("disabled", true);
+      } else {
+          $(".tls_input_field").prop("disabled", false);
+      }
+  });
+  $("#autotls_enable").change();
+
+});
+//]]>
+</script>
+  <section class="page-content-main">
+    <div class="container-fluid">
+      <div class="row">
+<?php
+      if (isset($input_errors) && count($input_errors) > 0) {
+          print_input_errors($input_errors);
+      }
+      if (isset($savemsg)) {
+          print_info_box($savemsg);
+      }?>
+<?php
+      if ($act=="new" || $act=="edit") :?>
+      <form method="post" name="iform" id="iform">
+        <section class="col-xs-12">
+         <div class="tab-content content-box col-xs-12">
+          <div class="table-responsive">
+          <table class="table table-striped opnsense_standard_table_form">
+            <tr>
+              <td style="width:22%"><strong><?=gettext("General information"); ?></strong></td>
+              <td style="width:78%; text-align:right">
+                <small><?=gettext("full help"); ?> </small>
+                <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+              </td>
+            </tr>
+            <tr>
+              <td><a id="help_for_disable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?></td>
+              <td>
+                <input name="disable" type="checkbox" value="yes" <?= !empty($pconfig['disable']) ? "checked=\"checked\"" : "";?> />
+                <div class="hidden" data-for="help_for_disable">
+                  <small><?=gettext("Set this option to disable this client without removing it from the list"); ?>.</small>
+                </div>
+              </td>
+            </tr>
+            <tr>
+              <td><a id="help_for_description" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Description"); ?></td>
+              <td>
+                <input name="description" type="text" class="form-control unknown" size="30" value="<?=$pconfig['description'];?>" />
+                <div class="hidden" data-for="help_for_description">
+                  <?=gettext("You may enter a description here for your reference (not parsed)."); ?>
+                </div>
+              </td>
+            </tr>
+            <tr>
+              <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Server Mode");?></td>
+              <td>
+                <select name="mode" id="mode">
+<?php
+                $openvpn_client_modes = array(
+                    'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"),
+                    'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )") );
+                foreach ($openvpn_client_modes as $name => $desc) :
+                    $selected = "";
+                    if ($pconfig['mode'] == $name) {
+                        $selected = "selected=\"selected\"";
+                    }?>
+                  <option value="<?=$name;?>" <?=$selected;?>><?=$desc;?></option>
+<?php
+                endforeach; ?>
+                </select>
+              </td>
+            </tr>
+            <tr>
+              <td><a id="help_for_protocol" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Protocol");?></td>
+              <td>
+                <select name='protocol' class="form-control">
+<?php
+                foreach (openvpn_get_protocols() as $prot):
+                    $selected = "";
+                    if ($pconfig['protocol'] == $prot) {
+                        $selected = "selected=\"selected\"";
+                    }?>
+                  <option value="<?=$prot;?>" <?=$selected;?>><?=$prot;?></option>
+<?php
+                endforeach; ?>
+              </select>
+              <div class="hidden" data-for="help_for_protocol">
+                <?= gettext('Select the protocol family to be used. Note that using both families with UDP/TCP ' .
+                            'does not work with an explicit interface as OpenVPN does not support listening to more ' .
+                            'than one specified IP address. In this case IPv4 is currently assumed.') ?>
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Device mode");?></td>
+              <td>
+              <select name="dev_mode" id="dev_mode">
+<?php
+              foreach (array("tun", "tap") as $mode) :
+                  $selected = "";
+                  if ($pconfig['dev_mode'] == $mode) {
+                      $selected = "selected=\"selected\"";
+                  }?>
+                <option value="<?=$mode;?>" <?=$selected;?>><?=$mode;?></option>
+<?php
+              endforeach; ?>
+              </select>
+            </td>
+          </tr>
+          <tr>
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Interface"); ?></td>
+            <td>
+              <select name="interface" class="form-control">
+<?php
+              $interfaces = get_configured_interface_with_descr();
+              foreach (config_read_array('virtualip', 'vip') as $vip) {
+                  $label = $vip['subnet'] . (empty($vip['descr']) ? '' : " ({$vip['descr']})");
+                  if ($vip['mode'] == 'carp') {
+                      $value = "{$vip['interface']}_vip{$vip['vhid']}";
+                  } elseif ($vip['mode'] == 'ipalias') {
+                      $value = $vip['interface'];
+                  } else {
+                      continue;
+                  }
+                  $interfaces["{$value}|{$vip['subnet']}"] = $label;
+              }
+              $interfaces['lo0'] = "Localhost";
+              $interfaces['any'] = "any";
+              foreach ($interfaces as $iface => $ifacename) :
+                  $selected = "";
+                  if ($iface == $pconfig['interface']) {
+                      $selected = "selected=\"selected\"";
+                  }?>
+              <option value="<?=$iface;?>" <?=$selected;?>><?=htmlspecialchars($ifacename);?></option>
+<?php
+              endforeach; ?>
+              </select>
+            </td>
+          </tr>
+          <tr>
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Remote server");?></td>
+            <td>
+              <table class="table table-striped table-condensed" id="maintable">
+                <thead>
+                  <tr>
+                    <th></th>
+                    <th><?= gettext('Host or address') ?></th>
+                    <th><?= gettext('Port') ?></th>
+                  </tr>
+                </thead>
+                <tbody>
+<?php
+                $pconfig['server_addr'] = !empty($pconfig['server_addr']) ? explode(',', $pconfig['server_addr']) : array();
+                $pconfig['server_port'] = !empty($pconfig['server_port']) ? explode(',', $pconfig['server_port']) : array();
+                $pconfig['server_addr'][] = '';
+                $pconfig['server_port'][] = '';
+
+                foreach ($pconfig['server_addr'] as $i => $item): ?>
+                  <tr>
+                    <td>
+<?php
+                  if (!empty($item)): ?>
+                      <label class="act-removerow btn btn-default btn-xs">
+                        <span class="fa fa-minus fa-fw"></span>
+                        <span class="sr-only"><?= gettext('Remove') ?></span>
+                      </label>
+<?php
+                  else: ?>
+                      <label class="act-addrow btn btn-default btn-xs">
+                        <span class="fa fa-plus fa-fw"></span>
+                        <span class="sr-only"><?= gettext('Add') ?></span>
+                      </label>
+<?php
+                  endif ?>
+                    </td>
+                    <td>
+                      <input name="server_addr[]" type="text" value="<?= $pconfig['server_addr'][$i] ?>" />
+                    </td>
+                    <td>
+                      <input name="server_port[]" type="text" value="<?= $pconfig['server_port'][$i] ?>" />
+                    </td>
+                  </tr>
+<?php
+                        endforeach ?>
+                </tbody>
+              </table>
+              <br/>
+              <input name="remote_random" type="checkbox" value="yes" <?= !empty($pconfig['remote_random']) ? 'checked="checked"' : '' ?>/>
+              <?= gettext('Select remote server at random') ?>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_resolve_retry" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Retry DNS resolution"); ?></td>
+            <td>
+              <input name="resolve_retry" type="checkbox" value="yes" <?= !empty($pconfig['resolve_retry']) ? 'checked="checked"' : '' ?>/>
+              <?= gettext('Infinitely resolve remote server') ?>
+              <div class="hidden" data-for="help_for_resolve_retry">
+                <div><small><?=gettext("Continuously attempt to resolve the server host name. Useful when communicating with a server that is not permanently connected to the Internet"); ?></small></div>
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Proxy host or address");?></td>
+            <td>
+              <input name="proxy_addr" type="text" class="form-control unknown" size="30" value="<?=$pconfig['proxy_addr'];?>" />
+            </td>
+          </tr>
+          <tr>
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Proxy port");?></td>
+            <td>
+              <input name="proxy_port" type="text" class="form-control unknown" size="5" value="<?=$pconfig['proxy_port'];?>" />
+            </td>
+          </tr>
+          <tr>
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Proxy authentication extra options");?></td>
+            <td>
+              <?=gettext("Authentication method"); ?>
+              <select name="proxy_authtype" id="proxy_authtype" class="form-control select">
+                <option value="none"  <?=$pconfig['proxy_authtype'] == "none" ? "selected=\"selected\"" : "" ?> > <?=gettext("none"); ?></option>
+                <option value="basic" <?=$pconfig['proxy_authtype'] == "basic" ? "selected=\"selected\"" : "" ?> > <?=gettext("basic"); ?></option>
+                <option value="basic" <?=$pconfig['proxy_authtype'] == "ntlm" ? "selected=\"selected\"" : "" ?> > <?=gettext("ntlm"); ?></option>
+              </select>
+              <div style="display:none" id="proxy_authtype_opts">
+                <div><?=gettext("Username"); ?> <br/></div>
+                <div><input name="proxy_user" id="proxy_user" class="form-control unknown" type="text" size="20" value="<?=$pconfig['proxy_user'];?>" /></div>
+                <div><?=gettext("Password"); ?> </div>
+                <div><input name="proxy_passwd" id="proxy_passwd" type="password" autocomplete="new-password" class="form-control pwd" size="20" value="<?=$pconfig['proxy_passwd'];?>" /></div>
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_local_port" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Local port");?></td>
+            <td>
+              <input name="local_port" type="text" class="form-control unknown" size="5" value="<?=$pconfig['local_port'];?>" />
+              <div class="hidden" data-for="help_for_local_port">
+                <em><small><?=gettext("Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port."); ?></small></em>
+              </div>
+            </td>
+          </tr>
+         </table>
+        </div>
+       </div>
+      </section>
+      <section class="col-xs-12">
+       <div class="tab-content content-box col-xs-12">
+        <div class="table-responsive">
+         <table class="table table-striped opnsense_standard_table_form">
+          <tr>
+            <td colspan="2"><strong><?=gettext("User Authentication Settings"); ?></strong></td>
+          </tr>
+          <tr>
+            <td style="width:22%"><a id="help_for_auth_user_pass" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("User name/pass"); ?></td>
+            <td style="width:78%">
+              <div><?=gettext("Username"); ?></div>
+              <div><input name="auth_user" id="auth_user" class="form-control unknown" type="text" size="20" value="<?=$pconfig['auth_user'];?>" /></div>
+              <div><?=gettext("Password"); ?></div>
+              <div><input name="auth_pass" id="auth_pass" type="password" autocomplete="new-password" class="form-control pwd" size="20" value="<?=$pconfig['auth_pass'];?>" /></div>
+              <div class="hidden" data-for="help_for_auth_user_pass">
+                <?=gettext("Leave empty when no user name and password are needed."); ?>
+              </div>
+              <br/>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_reneg-sec" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Renegotiate time"); ?></td>
+            <td>
+              <input type="text" name="reneg-sec" value="<?=$pconfig['reneg-sec'];?>">
+              <div class="hidden" data-for="help_for_reneg-sec">
+                <?= gettext('Renegotiate data channel key after n seconds (default=3600). Set to 0 to disable.') ?>
+              </div>
+            </td>
+           </tr>
+          </table>
+         </div>
+        </div>
+       </section>
+       <section class="col-xs-12">
+        <div class="tab-content content-box col-xs-12">
+         <div class="table-responsive">
+          <table class="table table-striped opnsense_standard_table_form">
+          <tr>
+            <td style="width:22%"><strong><?=gettext("Cryptographic Settings"); ?></strong></td>
+            <td style="width:78%"></td>
+          </tr>
+          <tr class="tls_option">
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("TLS Authentication"); ?></td>
+            <td>
+                <select id="tlsmode" name='tlsmode' class="form-control">
+                    <option value="" <?= empty($pconfig['tlsmode']) ? "selected=\"selected\"" : "";?>>
+                        <?=gettext("Disabled");?>
+                    </option>
+                    <option value="auth" <?= $pconfig['tlsmode'] === "auth" ? "selected=\"selected\"" : "";?>>
+                        <?=gettext("Enabled - Authentication only");?>
+                    </option>
+                    <option value="crypt" <?= $pconfig['tlsmode'] === "crypt" ? "selected=\"selected\"" : "";?>>
+                        <?=gettext("Enabled - Authentication & encryption");?>
+                    </option>
+                </select>
+            </td>
+          </tr>
+          <tr class="tls_option">
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("TLS Shared Key"); ?></td>
+            <td>
+<?php
+              if (empty($pconfig['tls'])) :?>
+              <input name="autotls_enable" id="autotls_enable" class="tls_input_field" type="checkbox" value="yes" <?= !empty($pconfig['autotls_enable']) ? "checked=\"checked\"" : "";?> >
+              <?=gettext("Automatically generate a shared TLS authentication key"); ?>.
+<?php
+              endif; ?>
+              <div id="autotls_opts">
+                  <textarea id="tls" name="tls" cols="65" rows="7" class="tls_input_field formpre"><?=isset($pconfig['tls'])?$pconfig['tls']:"";?></textarea>
+                    <p class="text-muted"><em><small><?=gettext("Paste your shared key here"); ?>.</small></em></p>
+              </div>
+            </td>
+          </tr>
+          <tr class="tls_option">
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Peer Certificate Authority"); ?></td>
+            <td>
+<?php
+              if (isset($config['ca'])) :?>
+              <select name='caref' class="form-control">
+<?php
+              foreach ($config['ca'] as $ca) :
+                  $selected = "";
+                  if (isset($pconfig['caref']) && $pconfig['caref'] == $ca['refid']) {
+                      $selected = "selected=\"selected\"";
+                  }?>
+                <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
+<?php
+              endforeach; ?>
+              </select>
+<?php
+              else :?>
+              <b><?=gettext("No Certificate Authorities defined.");?></b> <br />
+              <?=gettext("Create one under");?> <a href="system_camanager.php"><?=gettext("System: Certificates");?></a>.
+<?php
+              endif; ?>
+            </td>
+          </tr>
+          <tr class="tls_option">
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Client Certificate"); ?></td>
+            <td>
+              <select name='certref' class="form-control">
+<?php
+              foreach (isset($config['cert']) ? $config['cert'] : array() as $cert) :
+                  $selected = "";
+                  $caname = "";
+                  $inuse = "";
+                  $revoked = "";
+                  if (isset($cert['caref'])) {
+                      $ca = lookup_ca($cert['caref']);
+                      if (!empty($ca)) {
+                          $caname = " (CA: {$ca['descr']})";
+                      }
+                  }
+                  if (isset($pconfig['certref']) && $pconfig['certref'] == $cert['refid']) {
+                      $selected = "selected=\"selected\"";
+                  }
+                  if (isset($cert['refid']) && cert_in_use($cert['refid'])) {
+                      $inuse = " *In Use";
+                  }
+                  if (is_cert_revoked($cert)) {
+                      $revoked = " *Revoked";
+                  }?>
+                <option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option>
+<?php
+                endforeach; ?>
+                <option value="" <?=empty($pconfig['certref'])?  "selected=\"selected\"" : "";?>>
+                  <?=gettext("None");?> <?=gettext("(Username and Password required)");?>
+                </option>
+              </select>
+<?php
+              if (!isset($config['cert']) || count($config['cert']) == 0) :?>
+                <b><?=gettext("No Certificates defined.");?></b> <br /><?=gettext("Create one under");?>
+                <a href="system_certmanager.php"><?=gettext("System: Certificates");?></a> <?=gettext("if one is required for this connection.");?>
+<?php
+              endif; ?>
+            </td>
+          </tr>
+          <tr  class="psk_option">
+            <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Shared Key"); ?></td>
+            <td>
+<?php
+              if (empty($pconfig['shared_key'])) :?>
+              <input name="autokey_enable" id="autokey_enable" type="checkbox" value="yes" <?= !empty($pconfig['autokey_enable']) ? "checked=\"checked\"" : "";?> />
+              <?=gettext("Automatically generate a shared key"); ?>.
+<?php
+              endif; ?>
+              <div id="autokey_opts">
+                <textarea name="shared_key" cols="65" rows="7" class="formpre"><?=isset($pconfig['shared_key']) ? $pconfig['shared_key'] : "";?></textarea>
+                <em><small><?=gettext("Paste your shared key here"); ?>.</small></em>
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_crypto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Encryption algorithm (deprecated)"); ?></td>
+            <td>
+              <select name="crypto" class="form-control">
+<?php
+              foreach (openvpn_get_cipherlist() as $name => $desc) :
+                $selected = $name == $pconfig['crypto'] ? " selected=\"selected\"" : "";?>
+                  <option value="<?=$name;?>"<?=$selected?>><?=htmlspecialchars($desc);?></option>
+<?php
+              endforeach; ?>
+              </select>
+              <div class="hidden" data-for="help_for_crypto">
+                <?= gettext('Cipher selection for older clients. Only preserved for backwards compatibility reasons.') ?>
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_digest" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Auth Digest Algorithm"); ?></td>
+            <td>
+              <select name="digest" class="form-control">
+<?php
+              $digestlist = openvpn_get_digestlist();
+              foreach ($digestlist as $name => $desc) :
+                  $selected = "";
+                  if ($name == $pconfig['digest']) {
+                      $selected = " selected=\"selected\"";
+                  }?>
+                <option value="<?=$name;?>"<?=$selected?>><?=htmlspecialchars($desc);?></option>
+<?php
+              endforeach; ?>
+              </select>
+              <div class="hidden" data-for="help_for_digest">
+                <?=gettext("NOTE: Leave this set to SHA1 unless the server is set to match. SHA1 is the default for OpenVPN."); ?>
+              </div>
+            </td>
+          </tr>
+         </table>
+        </div>
+       </div>
+      </section>
+      <section class="col-xs-12">
+       <div class="tab-content content-box col-xs-12">
+        <div class="table-responsive">
+        <table class="table table-striped opnsense_standard_table_form">
+          <tr>
+            <td colspan="2"><strong><?=gettext("Tunnel Settings"); ?></strong></td>
+          </tr>
+          <tr>
+            <td style="width:22%"><a id="help_for_tunnel_network" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv4 Tunnel Network"); ?></td>
+            <td style="width:78%">
+              <input name="tunnel_network" type="text" class="form-control unknown" size="20" value="<?=$pconfig['tunnel_network'];?>" />
+              <div class="hidden" data-for="help_for_tunnel_network">
+                <?=gettext("This is the IPv4 virtual network used for private " .
+                                "communications between this client and the " .
+                                "server expressed using CIDR (eg. 10.0.8.0/24). " .
+                                "The first network address is assumed to be the " .
+                                "server address and the second network address " .
+                                "will be assigned to the client virtual " .
+                                "interface"); ?>.
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_tunnel_networkv6" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv6 Tunnel Network"); ?></td>
+            <td>
+              <input name="tunnel_networkv6" type="text" class="form-control unknown" size="20" value="<?=$pconfig['tunnel_networkv6'];?>" />
+              <div class="hidden" data-for="help_for_tunnel_networkv6">
+                <?=gettext("This is the IPv6 virtual network used for private " .
+                                "communications between this client and the " .
+                                "server expressed using CIDR (eg. fe80::/64). " .
+                                "The first network address is assumed to be the " .
+                                "server address and the second network address " .
+                                "will be assigned to the client virtual " .
+                                "interface"); ?>.
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_remote_network" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv4 Remote Network"); ?></td>
+            <td>
+              <input name="remote_network" type="text" class="form-control unknown" size="40" value="<?=$pconfig['remote_network'];?>" />
+              <div class="hidden" data-for="help_for_remote_network">
+                <?=gettext("These are the IPv4 networks that will be routed through " .
+                                "the tunnel, so that a site-to-site VPN can be " .
+                                "established without manually changing the routing tables. " .
+                                "Expressed as a comma-separated list of one or more CIDR ranges. " .
+                                "If this is a site-to-site VPN, enter the " .
+                                "remote LAN/s here. You may leave this blank to " .
+                                "only communicate with other clients"); ?>.
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_remote_networkv6" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv6 Remote Network"); ?></td>
+            <td>
+              <input name="remote_networkv6" type="text" class="form-control unknown" size="40" value="<?=$pconfig['remote_networkv6'];?>" />
+              <div class="hidden" data-for="help_for_remote_networkv6">
+                <?=gettext("These are the IPv6 networks that will be routed through " .
+                                "the tunnel, so that a site-to-site VPN can be " .
+                                "established without manually changing the routing tables. " .
+                                "Expressed as a comma-separated list of one or more IP/PREFIX. " .
+                                "If this is a site-to-site VPN, enter the " .
+                                "remote LAN/s here. You may leave this blank to " .
+                                "only communicate with other clients"); ?>.
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_use_shaper" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Limit outgoing bandwidth");?></td>
+            <td>
+              <input name="use_shaper" type="text" class="form-control unknown" size="5" value="<?=$pconfig['use_shaper'];?>" />
+              <div class="hidden" data-for="help_for_use_shaper">
+                <?=gettext("Maximum outgoing bandwidth for this tunnel. " .
+                                "Leave empty for no limit. The input value has " .
+                                "to be something between 100 bytes/sec and 100 " .
+                                "Mbytes/sec (entered as bytes per second)"); ?>.
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_compression" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Compression"); ?></td>
+            <td>
+              <select name="compression" class="form-control">
+                <?php
+                                foreach (openvpn_compression_modes() as $cmode => $cmodedesc):
+                                    $selected = "";
+                                    if ($cmode == $pconfig['compression']) {
+                                        $selected = " selected=\"selected\"";
+                                    }
+                                ?>
+                <option value="<?= $cmode ?>" <?= $selected ?>><?= $cmodedesc ?></option>
+                <?php
+                                endforeach; ?>
+              </select>
+              <div class="hidden" data-for="help_for_compression">
+                <?=gettext("Compress tunnel packets using the LZ4/LZO algorithm. The LZ4 generally offers the best performance with least CPU usage. For backwards compatibility use the LZO (which is identical to the older option --comp-lzo yes). In the partial mode (the option --compress with an empty algorithm) compression is turned off, but the packet framing for compression is still enabled, allowing a different setting to be pushed later. The legacy LZO algorithm with adaptive compression mode will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently."); ?>
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td><a id="help_for_passtos" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Type-of-Service"); ?></td>
+            <td>
+              <input name="passtos" type="checkbox" value="yes" <?=!empty($pconfig['passtos']) ? "checked=\"checked\"" : "" ;?>  />
+              <div class="hidden" data-for="help_for_passtos">
+                <?=gettext("Set the TOS IP header value of tunnel packets to match the encapsulated packet value"); ?>.
+              </div>
+            </td>
+          </tr>
+          <tr id="chkboxRouteNoPull">
+            <td><a id="help_for_route_no_pull" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Don't pull routes"); ?></td>
+            <td>
+              <input name="route_no_pull" type="checkbox" value="yes" <?=!empty($pconfig['route_no_pull']) ? "checked=\"checked\"" : "" ;?> />
+              <div class="hidden" data-for="help_for_route_no_pull">
+                <?=gettext("This option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface"); ?>.
+              </div>
+            </td>
+          </tr>
+          <tr id="chkboxRouteNoExec">
+            <td><a id="help_for_route_no_exec" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Don't add/remove routes"); ?></td>
+            <td>
+              <input name="route_no_exec" type="checkbox" value="yes" <?=!empty($pconfig['route_no_exec']) ? "checked=\"checked\"" : "" ;?> />
+              <div class="hidden" data-for="help_for_route_no_exec">
+                <?= gettext('Do not add or remove routes automatically. Instead pass routes to "--route-up" script using environmental variables.') ?>
+              </div>
+            </td>
+          </tr>
+         </table>
+        </div>
+       </div>
+      </section>
+      <section class="col-xs-12">
+       <div class="tab-content content-box col-xs-12">
+        <div class="table-responsive">
+         <table class="table table-striped opnsense_standard_table_form">
+          <tr>
+            <td colspan="2"><strong><?=gettext("Advanced configuration"); ?></strong></td>
+          </tr>
+          <tr>
+            <td style="width:22%"><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Advanced"); ?></td>
+            <td style="width:78%">
+              <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+              <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
+              <div class="hidden" data-for="help_for_custom_options">
+                <?=gettext("Enter any additional options you would like to add to the configuration file here."); ?>
+              </div>
+            </td>
+          </tr>
+          <tr id="comboboxVerbosityLevel">
+              <td><a id="help_for_verbosity_level" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Verbosity level");?></td>
+              <td>
+              <select name="verbosity_level" class="form-control">
+              <?php
+                            foreach (openvpn_verbosity_level() as $verb_value => $verb_desc):
+                                $selected = '';
+                                if ($pconfig['verbosity_level'] == $verb_value) {
+                                    $selected = 'selected="selected"';
+                                }
+                            ?>
+                            <option value="<?=$verb_value; ?>" <?=$selected; ?>><?=$verb_desc;?></option>
+              <?php endforeach; ?>
+              </select>
+              <div class="hidden" data-for="help_for_verbosity_level">
+                <?=gettext("Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output.") ?> <br /> <br />
+                <?=sprintf(gettext("%snone%s -- No output except fatal errors."),'<strong>','</strong>') ?> <br />
+                <?=sprintf(gettext("%sdefault%s-%s4%s -- Normal usage range."),'<strong>','</strong>','<strong>','</strong>'); ?> <br />
+                <?=sprintf(gettext("%s5%s -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets."),'<strong>','</strong>') ?> <br />
+                <?=sprintf(gettext("%s6%s-%s11%s -- Debug info range."),'<strong>','</strong>','<strong>','</strong>') ?>
+              </div>
+              </td>
+          </tr>
+        </table>
+       </div>
+      </div>
+     </section>
+     <section class="col-xs-12">
+      <div class="tab-content content-box col-xs-12">
+       <div class="table-responsive">
+        <table class="table table-striped opnsense_standard_table_form">
+          <tr>
+            <td>&nbsp;</td>
+            <td style="width:78%">
+              <input name="save" type="submit" class="btn btn-primary" value="<?=html_safe(gettext('Save')); ?>" />
+              <input name="act" type="hidden" value="<?=$act;?>" />
+<?php
+              if (isset($id) && $a_client[$id]) :?>
+              <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
+<?php
+              endif; ?>
+            </td>
+          </tr>
+        </table>
+        </div>
+        </div>
+</section>
+        </form>
+<?php
+    else:?>
+     <form method="post" name="iform2" id="iform2">
+       <section class="col-xs-12">
+          <div class="alert alert-warning" role="alert">
+              <strong>
+                <?php $eol_this_month = explode('.', product::getInstance()->version())[1] ?? '1';?>
+                  <?=sprintf(
+                      gettext("This component is reaching the end of the line, official maintenance will end as of version %s"),
+                      in_array($eol_this_month, ['1', '7']) ? '26.1' : '26.4');?>
+              </strong>
+          </div>
+         <div class="tab-content content-box col-xs-12">
+          <input type="hidden" id="id" name="id" value="" />
+          <input type="hidden" id="action" name="act" value="" />
+          <table class="table table-striped">
+            <thead>
+              <tr>
+                <td></td>
+                <td><?=gettext("Protocol"); ?></td>
+                <td><?=gettext("Server"); ?></td>
+                <td><?=gettext("Description"); ?></td>
+                <td class="text-nowrap">
+                  <a href="vpn_openvpn_client.php?act=new" class="btn btn-primary btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Add')) ?>">
+                    <i class="fa fa-plus fa-fw"></i>
+                  </a>
+                  <a data-id="<?= count($a_client) ?>" data-toggle="tooltip" title="<?=gettext("Move selected items to end");?>" class="act_move btn btn-default btn-xs">
+                    <span class="fa fa-arrow-down fa-fw"></span>
+                  </a>
+                  <a data-id="x" title="<?=gettext("delete selected rules"); ?>" data-toggle="tooltip"  class="act_delete btn btn-default btn-xs">
+                    <span class="fa fa-trash-o fa-fw"></span>
+                  </a>
+                </td>
+              </tr>
+            </thead>
+            <tbody>
+<?php
+            $i = 0;
+            foreach ($a_client as $client) :
+              $server_addr_a = explode(',', $client['server_addr']);
+              $server_port_a = explode(',', $client['server_port']);
+              $server = array();
+              foreach (array_keys($server_addr_a) as $j) {
+                  $server[] = "{$server_addr_a[$j]}:{$server_port_a[$j]}";
+              } ?>
+              <tr>
+                <td>
+                  <input type="checkbox" name="rule[]" value="<?=$i;?>"  />
+                  &nbsp;
+                  <a href="#" class="act_toggle" data-id="<?=$i;?>" data-toggle="tooltip" title="<?=(empty($client['disable'])) ? gettext("Disable") : gettext("Enable");?>">
+                    <span class="fa fa-play fa-fw <?=(empty($client['disable'])) ? "text-success" : "text-muted";?>"></span>
+                  </a>
+                </td>
+                <td><?= htmlspecialchars($client['protocol']) ?></td>
+                <td><?= htmlspecialchars(implode(', ', $server)) ?></td>
+                <td><?= htmlspecialchars($client['description']) ?></td>
+                <td class="text-nowrap">
+                    <a data-id="<?=$i;?>" data-toggle="tooltip" title="<?=gettext("Move selected before this item");?>" class="act_move btn btn-default btn-xs">
+                      <span class="fa fa-arrow-left fa-fw"></span>
+                    </a>
+                    <a href="vpn_openvpn_client.php?act=edit&amp;id=<?=$i;?>" class="btn btn-default btn-xs">
+                      <span class="fa fa-pencil fa-fw"></span>
+                    </a>
+                    <a data-id="<?=$i;?>" title="<?=gettext("delete client"); ?>" class="act_delete btn btn-default btn-xs">
+                      <span class="fa fa-trash-o fa-fw"></span>
+                    </a>
+                    <a href="vpn_openvpn_client.php?act=new&amp;dup=<?=$i;?>" class="btn btn-default btn-xs" data-toggle="tooltip" title="<?=gettext("clone client");?>">
+                      <span class="fa fa-clone fa-fw"></span>
+                    </a>
+                </td>
+              </tr>
+<?php
+              $i++;
+              endforeach;?>
+            </tbody>
+          </table>
+          </div>
+          </section>
+        </form>
+<?php
+      endif; ?>
+
+    </div>
+  </div>
+</section>
+<?php include("foot.inc"); ?>
diff --git a/security/openvpn-legacy/src/www/vpn_openvpn_server.php b/security/openvpn-legacy/src/www/vpn_openvpn_server.php
new file mode 100644
index 0000000000..da97ce84ac
--- /dev/null
+++ b/security/openvpn-legacy/src/www/vpn_openvpn_server.php
@@ -0,0 +1,1710 @@
+<?php
+
+/*
+ * Copyright (C) 2014-2022 Deciso B.V.
+ * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("interfaces.inc");
+require_once("plugins.inc.d/openvpn.inc");
+
+$a_server = &config_read_array('openvpn', 'openvpn-server');
+
+$act = null;
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    // fetch id if provided
+    if (isset($_GET['dup']) && isset($a_server[$_GET['dup']]))  {
+        $configId = $_GET['dup'];
+    } elseif (isset($_GET['id']) && is_numericint($_GET['id'])) {
+        $id = $_GET['id'];
+        $configId = $id;
+    }
+    if (isset($_GET['act'])) {
+        $act = $_GET['act'];
+    }
+    $pconfig = array();
+    // defaults
+    $vpnid = 0;
+    $pconfig['verbosity_level'] = 1;
+    $pconfig['digest'] = "SHA1"; // OpenVPN Defaults to SHA1 if unset
+    $pconfig['crypto'] = "";
+    $pconfig['tlsmode'] = "auth";
+    $pconfig['autokey_enable'] = "yes";
+    $pconfig['autotls_enable'] = "yes";
+    if (isset($configId) && isset($a_server[$configId])) {
+        if ($a_server[$configId]['mode'] != "p2p_shared_key") {
+            $pconfig['cert_depth'] = 1;
+        }
+
+        // 1 on 1 copy of config attributes
+        $copy_fields = "mode,protocol,authmode,dev_mode,interface,local_port
+            ,description,custom_options,crypto,tunnel_network
+            ,tunnel_networkv6,remote_network,remote_networkv6,gwredir,local_network
+            ,local_networkv6,maxclients,compression,passtos,client2client
+            ,dynamic_ip,topology_subnet,serverbridge_dhcp
+            ,serverbridge_interface,serverbridge_dhcp_start,serverbridge_dhcp_end
+            ,dns_server1,dns_server2,dns_server3,dns_server4,ntp_server1
+            ,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1
+            ,wins_server2,push_register_dns,push_block_outside_dns,dns_domain,dns_domain_search,local_group
+            ,client_mgmt_port,verbosity_level,tlsmode,caref,crlref,certref
+            ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,reneg-sec,use-common-name,cso_login_matching";
+
+        foreach (explode(",", $copy_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if (isset($a_server[$configId][$fieldname])) {
+                $pconfig[$fieldname] = $a_server[$configId][$fieldname];
+            } elseif (!isset($pconfig[$fieldname])) {
+              // initialize element
+                $pconfig[$fieldname] = null;
+            }
+        }
+
+        // load / convert
+        if (!empty($a_server[$configId]['ipaddr'])) {
+            $pconfig['interface'] = $pconfig['interface'] . '|' . $a_server[$configId]['ipaddr'];
+        }
+        if (!empty($a_server[$configId]['shared_key'])) {
+            $pconfig['shared_key'] = base64_decode($a_server[$configId]['shared_key']);
+        } else {
+            $pconfig['shared_key'] = null;
+        }
+        if (!empty($a_server[$configId]['tls'])) {
+            $pconfig['tls'] = base64_decode($a_server[$configId]['tls']);
+        } else {
+            $pconfig['tls'] = null;
+            $pconfig['tlsmode'] = null;
+        }
+    } elseif ($act == "new") {
+        $pconfig['dev_mode'] = "tun";
+        $pconfig['interface'] = 'any';
+        $pconfig['protocol'] = 'UDP';
+        $pconfig['local_port'] = openvpn_port_next($pconfig['protocol']);
+        $pconfig['cert_depth'] = 1;
+        // init all fields used in the form
+        $init_fields = "mode,protocol,authmode,dev_mode,interface,local_port
+            ,description,custom_options,crypto,tunnel_network
+            ,tunnel_networkv6,remote_network,remote_networkv6,gwredir,local_network
+            ,local_networkv6,maxclients,compression,passtos,client2client
+            ,dynamic_ip,topology_subnet,serverbridge_dhcp
+            ,serverbridge_interface,serverbridge_dhcp_start,serverbridge_dhcp_end
+            ,dns_server1,dns_server2,dns_server3,dns_server4,ntp_server1
+            ,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1
+            ,wins_server2,push_register_dns,push_block_outside_dns,dns_domain,dns_domain_search
+            ,client_mgmt_port,verbosity_level,tlsmode,caref,crlref,certref
+            ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,shared_key,tls,reneg-sec,use-common-name
+            ,cso_login_matching";
+        foreach (explode(",", $init_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if (!isset($pconfig[$fieldname])) {
+                $pconfig[$fieldname] = null;
+            }
+        }
+
+    }
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (isset($_POST['id']) && isset($a_server[$_POST['id']])) {
+        $id = $_POST['id'];
+    }
+    if (isset($_POST['act'])) {
+        $act = $_POST['act'];
+    }
+
+    if ($act == "del") {
+        $response = ["status" => "failed", "message" => gettext("not found")];
+        if (isset($id) && !empty($a_client[$id])) {
+            openvpn_delete('server', $a_server[$id]);
+            unset($a_server[$id]);
+            write_config();
+            $response = ["status" => "ok"];
+        }
+        echo json_encode($response);
+        exit;
+    } elseif ($act == "toggle") {
+        if (isset($id)) {
+            if (isset($a_server[$id]['disable'])) {
+                unset($a_server[$id]['disable']);
+            } else {
+                $a_server[$id]['disable'] = true;
+            }
+            write_config();
+            openvpn_configure_single($a_server[$id]['vpnid']);
+        }
+        header(url_safe('Location: /vpn_openvpn_server.php'));
+        exit;
+    } else {
+        // action add/update
+        $input_errors = array();
+        $pconfig = $_POST;
+
+        $vpnid = (isset($id) && $a_server[$id]) ? $a_server[$id]['vpnid'] : 0;
+        $tls_mode = ($pconfig['mode'] != "p2p_shared_key");
+
+        if (!empty($pconfig['autokey_enable'])) {
+            $pconfig['shared_key'] = openvpn_create_key();
+        }
+
+        // all input validators
+        if (strpos($pconfig['interface'], '|') !== false) {
+            list($iv_iface, $iv_ip) = explode("|", $pconfig['interface']);
+        } else {
+            $iv_iface = $pconfig['interface'];
+            $iv_ip = null;
+        }
+
+        if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) {
+            $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 IP address.");
+        } elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) {
+            $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv4 protocol and an IPv6 IP address.");
+        } elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) {
+            $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");
+        } elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) {
+            $input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address.");
+        }
+
+        if (empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
+            $input_errors[] = gettext("You must select a Backend for Authentication if the server mode requires User Auth.");
+        }
+
+        if ($result = openvpn_validate_port($pconfig['local_port'], gettext('Local port'))) {
+            $input_errors[] = $result;
+        }
+
+        if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], gettext('IPv4 Tunnel Network'), false, 'ipv4')) {
+            $input_errors[] = $result;
+        } elseif (!empty($pconfig['tunnel_network']) && (strpos($pconfig['mode'], "p2p_") === false)) {
+            // Check IPv4 tunnel_network pool size for Remote Access modes
+            list($ipv4tunnel_base, $ipv4tunnel_prefix) = explode('/',trim($pconfig['tunnel_network']));
+            if ($pconfig['dev_mode'] == "tun") {
+                if ($ipv4tunnel_prefix > 28 && empty($pconfig['topology_subnet'])) {
+                    $input_errors[] = gettext('A prefix longer than 28 cannot be used with a net30 topology.');
+                } elseif ($ipv4tunnel_prefix > 29 && !empty($pconfig['topology_subnet'])) {
+                    $input_errors[] = gettext('A prefix longer than 29 cannot be used for tunnel network.');
+                }
+            } elseif ($pconfig['dev_mode'] == "tap" && $ipv4tunnel_prefix > 29) {
+                $input_errors[] = gettext('A prefix longer than 29 cannot be used for tunnel network.');
+            }
+        }
+
+        if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], gettext('IPv6 Tunnel Network'), false, 'ipv6')) {
+            $input_errors[] = $result;
+        }
+
+        if ($result = openvpn_validate_cidr($pconfig['remote_network'], gettext('IPv4 Remote Network'), true, 'ipv4')) {
+            $input_errors[] = $result;
+        }
+
+        if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], gettext('IPv6 Remote Network'), true, 'ipv6')) {
+            $input_errors[] = $result;
+        }
+
+        if ($result = openvpn_validate_cidr($pconfig['local_network'], gettext('IPv4 Local Network'), true, 'ipv4')) {
+            $input_errors[] = $result;
+        }
+
+        if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], gettext('IPv6 Local Network'), true, 'ipv6')) {
+            $input_errors[] = $result;
+        }
+
+        if (!empty($pconfig['local_port'])) {
+            $portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid);
+            if ($portused) {
+                $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
+            }
+        }
+
+        if (!$tls_mode && empty($pconfig['autokey_enable'])) {
+            if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
+                !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) {
+                $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid");
+            }
+        }
+
+        if ($tls_mode && !empty($pconfig['tlsmode']) && empty($pconfig['autotls_enable'])) {
+            if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") ||
+                !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) {
+                $input_errors[] = gettext("The field 'TLS Shared Key' does not appear to be valid");
+            }
+        }
+
+        if (!empty($pconfig['dns_domain_search'])) {
+            $tmp_ok_domain = 0;
+            $tmp_nok_domain = 0;
+            foreach (explode(",", $pconfig['dns_domain_search'] ?? "") as $domain) {
+                if (is_domain($domain)) {
+                    $tmp_ok_domain++;
+                } else {
+                    $tmp_nok_domain++;
+                }
+            }
+            if ($tmp_nok_domain > 0) {
+                $input_errors[] = gettext("The field 'DNS Domain search list' must contain valid domain names");
+            } elseif ($tmp_ok_domain > 10) {
+                $input_errors[] = gettext("The field 'DNS Domain search list' may contain max 10 entries");
+            }
+        }
+
+        if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) {
+            $input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IP address");
+        }
+        if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) {
+            $input_errors[] = gettext("The field 'DNS Server #2' must contain a valid IP address");
+        }
+        if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) {
+            $input_errors[] = gettext("The field 'DNS Server #3' must contain a valid IP address");
+        }
+        if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) {
+            $input_errors[] = gettext("The field 'DNS Server #4' must contain a valid IP address");
+        }
+
+        if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) {
+            $input_errors[] = gettext("The field 'NTP Server #1' must contain a valid IP address");
+        }
+        if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) {
+            $input_errors[] = gettext("The field 'NTP Server #2' must contain a valid IP address");
+        }
+
+        if (!empty($pconfig['wins_server_enable'])) {
+            if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) {
+                $input_errors[] = gettext("The field 'WINS Server #1' must contain a valid IP address");
+            }
+            if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) {
+                $input_errors[] = gettext("The field 'WINS Server #2' must contain a valid IP address");
+            }
+        }
+
+        if (!empty($pconfig['client_mgmt_port_enable'])) {
+            if ($result = openvpn_validate_port($pconfig['client_mgmt_port'], gettext('Client management port'))) {
+                $input_errors[] = $result;
+            }
+        }
+
+        if (!empty($pconfig['maxclients']) && !is_numeric($pconfig['maxclients'])) {
+            $input_errors[] = gettext("The field 'Concurrent connections' must be numeric.");
+        }
+
+        /* If we are not in shared key mode, then we need the CA/Cert. */
+        if (isset($pconfig['mode']) && $pconfig['mode'] != "p2p_shared_key") {
+            $reqdfields = explode(" ", "caref certref");
+            $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
+        } elseif (empty($pconfig['autokey_enable'])) {
+            /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */
+            $reqdfields = array('shared_key');
+            $reqdfieldsn = array(gettext('Shared key'));
+        }
+
+        $reqdfields[] = 'local_port';
+        $reqdfieldsn[] = gettext('Local port');
+
+        if ($pconfig['dev_mode'] != "tap") {
+            $reqdfields[] = 'tunnel_network,tunnel_networkv6';
+            $reqdfieldsn[] = gettext('Tunnel Network');
+        } else {
+            if ($pconfig['serverbridge_dhcp'] && ($pconfig['tunnel_network'] || $pconfig['tunnel_networkv6'])) {
+                $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
+            }
+            if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end'])
+            || (!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end'])) {
+                $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
+            }
+            if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start']))) {
+                $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
+            }
+            if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end']))) {
+                $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
+            }
+            if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end'])) {
+                $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
+            }
+        }
+        if (isset($pconfig['reneg-sec']) && $pconfig['reneg-sec'] != "" && (string)((int)$pconfig['reneg-sec']) != $pconfig['reneg-sec']) {
+            $input_errors[] = gettext("Renegotiate time should contain a valid number of seconds.");
+        }
+
+        if (!empty($pconfig['certref'])) {
+            foreach ($config['cert'] as $cert) {
+                if ($cert['refid'] == $pconfig['certref']) {
+                    if (cert_get_purpose($cert['crt'])['id-kp-serverAuth'] == 'No') {
+                        $input_errors[] = gettext(
+                            sprintf('Certificate %s is not intended for server use.', $cert['descr'])
+                        );
+                    }
+                }
+            }
+        }
+
+        $prev_opt = (isset($id) && !empty($a_server[$id])) ? $a_server[$id]['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext('Advanced options may only be edited by system administrators due to the increased possibility of privilege escalation.');
+        }
+
+        do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
+
+        if (count($input_errors) == 0) {
+            // validation correct, save data
+            $server = array();
+
+            // delete(rename) old interface so a new TUN or TAP interface can be created.
+            if (isset($id) && $pconfig['dev_mode'] != $a_server[$id]['dev_mode']) {
+                openvpn_delete('server', $a_server[$id]);
+            }
+            // 1 on 1 copy of config attributes
+            $copy_fields = "mode,protocol,dev_mode,local_port,description,crypto,digest
+                ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6
+                ,gwredir,local_network,local_networkv6,maxclients,compression
+                ,passtos,client2client,dynamic_ip,topology_subnet,local_group
+                ,serverbridge_dhcp,serverbridge_interface,serverbridge_dhcp_start
+                ,serverbridge_dhcp_end,dns_domain,dns_domain_search,dns_server1,dns_server2,dns_server3
+                ,dns_server4,push_register_dns,push_block_outside_dns,ntp_server1,ntp_server2,netbios_enable
+                ,netbios_ntype,netbios_scope,verbosity_level,wins_server1,tlsmode
+                ,wins_server2,client_mgmt_port,strictusercn,reneg-sec,use-common-name,cso_login_matching";
+
+            foreach (explode(",", $copy_fields) as $fieldname) {
+                $fieldname = trim($fieldname);
+                if (!empty($pconfig[$fieldname]) || $pconfig[$fieldname] == '0') {
+                    $server[$fieldname] = $pconfig[$fieldname];
+                }
+            }
+
+            // attributes containing some kind of logic
+            if ($vpnid != 0) {
+                $server['vpnid'] = $vpnid;
+            } else {
+                $server['vpnid'] = openvpn_vpnid_next();
+            }
+
+            if ($pconfig['disable'] == "yes") {
+                $server['disable'] = true;
+            }
+            if (!empty($pconfig['authmode'])) {
+                $server['authmode'] = implode(",", $pconfig['authmode']);
+            }
+            if (strpos($pconfig['interface'], "|") !== false) {
+                list($server['interface'], $server['ipaddr']) = explode("|", $pconfig['interface']);
+            } else {
+                $server['interface'] = $pconfig['interface'];
+            }
+
+            $server['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);
+
+            if ($tls_mode) {
+                if ($pconfig['tlsmode']) {
+                    if (!empty($pconfig['autotls_enable'])) {
+                        $pconfig['tls'] = openvpn_create_key();
+                    }
+                    $server['tls'] = base64_encode($pconfig['tls']);
+                }
+                foreach (['caref', 'crlref', 'certref', 'cert_depth'] as $cpKey) {
+                    if (isset($pconfig[$cpKey])) {
+                        $server[$cpKey] = $pconfig[$cpKey];
+                    }
+                }
+                if (isset($pconfig['mode']) && $pconfig['mode'] == "server_tls_user" && isset($server['strictusercn'])) {
+                    $server['strictusercn'] = $pconfig['strictusercn'];
+                }
+            } else {
+                $server['shared_key'] = base64_encode($pconfig['shared_key']);
+            }
+
+            if (isset($_POST['duplicate_cn']) && $_POST['duplicate_cn'] == "yes") {
+                $server['duplicate_cn'] = true;
+            }
+
+            // update or add to config
+            if (isset($id) && $a_server[$id]) {
+                $a_server[$id] = $server;
+            } else {
+                $a_server[] = $server;
+            }
+
+            write_config();
+
+            openvpn_configure_single($server['vpnid']);
+
+            header(url_safe('Location: /vpn_openvpn_server.php'));
+            exit;
+        } elseif (!empty($pconfig['authmode'])) {
+            $pconfig['authmode'] = implode(",", $pconfig['authmode']);
+        }
+    }
+}
+
+include("head.inc");
+
+legacy_html_escape_form_data($pconfig);
+
+?>
+<body>
+<?php include("fbegin.inc"); ?>
+<script>
+$( document ).ready(function() {
+  // watch scroll position and set to last known on page load
+  watchScrollPosition();
+  // link delete buttons
+  $(".act_delete").click(function(){
+    var id = $(this).attr("id").split('_').pop(-1);
+    BootstrapDialog.show({
+        type:BootstrapDialog.TYPE_DANGER,
+        title: "<?= gettext("OpenVPN");?>",
+        message: "<?= gettext("Do you really want to delete this server?"); ?>",
+        buttons: [{
+                label: "<?= gettext("No");?>",
+                action: function(dialogRef) {
+                    dialogRef.close();
+                }}, {
+                  label: "<?= gettext("Yes");?>",
+                  action: function(dialogRef) {
+                    $.post(window.location, {act: 'del', id:id}, function(data) {
+                      if (data.status == 'failed' && data.message !== undefined) {
+                          dialogRef.close();
+                          BootstrapDialog.show({
+                              type:BootstrapDialog.TYPE_DANGER,
+                              title: "<?= gettext("OpenVPN");?>",
+                              message: data.message,
+                              buttons: [
+                                {
+                                  label: "<?= gettext("Close");?>",
+                                  action: function(dialogRef) {
+                                    dialogRef.close();
+                                  }
+                                }
+                              ]
+                          });
+                          return;
+                      } else {
+                          location.reload();
+                      }
+                    }, 'json');
+                    dialogRef.close();
+                }
+            }]
+    });
+  });
+
+  // link toggle buttons
+  $(".act_toggle").click(function(event){
+      event.preventDefault();
+      $.post(window.location, {act: 'toggle', id:$(this).data("id")}, function(data) {
+          location.reload();
+      });
+  });
+
+  // input form events
+  if ($("#iform").length) {
+      $("#mode,#gwredir").change(function(){
+          $(".opt_mode").hide();
+          $(".opt_mode :input").prop( "disabled", true );
+          $(".opt_mode_"+$("#mode").val()).show();
+          $(".opt_mode_"+$("#mode").val()+" :input").prop( "disabled", false );
+          if ($("#gwredir").is(":checked")) {
+              $(".opt_gwredir").hide();
+          }
+          $("#dev_mode").change();
+          $('.selectpicker').selectpicker('refresh');
+          $(window).resize();
+      });
+      $("#mode").change();
+
+      $("#dev_mode,#serverbridge_dhcp").change(function(){
+          $(".dev_mode").hide();
+          $(".dev_mode_"+$("#dev_mode").val()).show();
+          if ($("#mode").val().indexOf('p2p_tls') == 0) {
+              $("#serverbridge_dhcp").prop('disabled', true);
+          } else {
+              $("#serverbridge_dhcp").prop('disabled', false);
+          }
+
+          if ($("#mode").val().indexOf('p2p_tls') == 0 || $("#serverbridge_dhcp").is(':checked') == false) {
+              $("#serverbridge_interface").prop('disabled', true);
+              $("#serverbridge_dhcp_start").prop('disabled', true);
+              $("#serverbridge_dhcp_end").prop('disabled', true);
+          } else {
+              $("#serverbridge_interface").prop('disabled', false);
+              $("#serverbridge_dhcp_start").prop('disabled', false);
+              $("#serverbridge_dhcp_end").prop('disabled', false);
+          }
+          $('.selectpicker').selectpicker('refresh');
+      });
+      $("#dev_mode").change();
+
+      $("#autokey_enable").change(function(){
+          if ($("#autokey_enable").is(':checked')) {
+              $("#autokey_opts").hide();
+          } else {
+              $("#autokey_opts").show();
+          }
+      });
+      $("#autokey_enable").change();
+
+      $("#autotls_enable,#tlsmode").change(function(){
+          if ($("#autotls_enable").length !== 0 && $("#autotls_enable").is(":checked")) {
+              $("#autotls_opts").hide();
+          } else {
+              $("#autotls_opts").show();
+          }
+          if ($("#tlsmode").val() === "") {
+              $(".tls_input_field").prop("disabled", true);
+          } else {
+              $(".tls_input_field").prop("disabled", false);
+          }
+      });
+      $("#autotls_enable").change();
+
+      $("#dns_domain_enable").change(function(){
+          if ($("#dns_domain_enable").is(':checked')) {
+              $("#dns_domain_data").show();
+          } else {
+              $("#dns_domain_data").hide();
+          }
+      });
+      $("#dns_domain_enable").change();
+
+      $("#dns_domain_search_enable").change(function(){
+          if ($("#dns_domain_search_enable").is(':checked')) {
+              $("#dns_domain_search_data").show();
+          } else {
+              $("#dns_domain_search_data").hide();
+          }
+      });
+      $("#dns_domain_search_enable").change();
+
+      $("#dns_server_enable").change(function(){
+          if ($("#dns_server_enable").is(':checked')) {
+              $("#dns_server_data").show();
+          } else {
+              $("#dns_server_data").hide();
+          }
+      });
+      $("#dns_server_enable").change();
+
+      $("#wins_server_enable").change(function(){
+          if ($("#wins_server_enable").is(':checked')) {
+              $("#wins_server_data").show();
+          } else {
+              $("#wins_server_data").hide();
+          }
+      });
+      $("#wins_server_enable").change();
+
+      $("#netbios_enable").change(function(){
+          if ($("#netbios_enable").is(':checked')) {
+              $("#wins_opts").show();
+              $("#netbios_data").show();
+          } else {
+              $("#wins_opts").hide();
+              $("#netbios_data").hide();
+          }
+      });
+      $("#netbios_enable").change();
+
+      $("#ntp_server_enable").change(function(){
+          if ($("#ntp_server_enable").is(':checked')) {
+              $("#ntp_server_data").show();
+          } else {
+              $("#ntp_server_data").hide();
+          }
+      });
+      $("#ntp_server_enable").change();
+
+      $("#client_mgmt_port_enable").change(function(){
+          if ($("#client_mgmt_port_enable").is(':checked')) {
+              $("#client_mgmt_port_data").show();
+          } else {
+              $("#client_mgmt_port_data").hide();
+          }
+      });
+      $("#client_mgmt_port_enable").change();
+      $(window).resize();
+  }
+
+});
+</script>
+
+  <section class="page-content-main">
+    <div class="container-fluid">
+      <div class="row">
+<?php
+        if (isset($input_errors) && count($input_errors) > 0) {
+            print_input_errors($input_errors);
+        }
+        if (isset($savemsg)) {
+            print_info_box($savemsg);
+        }?>
+<?php
+          if ($act=="new" || $act=="edit") :?>
+          <form method="post" name="iform" id="iform">
+            <section class="col-xs-12">
+              <div class="tab-content content-box col-xs-12">
+                <div class="table-responsive">
+                  <table class="table table-striped opnsense_standard_table_form">
+                    <tr>
+                      <td style="width:22%"><strong><?=gettext("General information"); ?></strong></td>
+                      <td style="width:78%; text-align:right">
+                        <small><?=gettext("full help"); ?> </small>
+                        <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a id="help_for_disable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?>
+                      </td>
+                      <td>
+                        <div>
+                          <input name="disable" type="checkbox" value="yes" <?= !empty($pconfig['disable']) ? "checked=\"checked\"" : "";?> />
+                        </div>
+                        <div class="hidden" data-for="help_for_disable">
+                        <?=gettext("Set this option to disable this server without removing it from the list"); ?>.
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%"><a id="help_for_description" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Description"); ?></td>
+                      <td>
+                        <input name="description" type="text" class="form-control unknown" size="30" value="<?=htmlspecialchars($pconfig['description']);?>" />
+                        <div class="hidden" data-for="help_for_description">
+                          <?=gettext("You may enter a description here for your reference (not parsed)."); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Server Mode");?></td>
+                        <td>
+                        <select name='mode' id="mode" class="selectpicker">
+<?php
+                      $openvpn_server_modes = array(
+                        'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"),
+                        'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )"),
+                        'server_tls' => gettext("Remote Access ( SSL/TLS )"),
+                        'server_user' => gettext("Remote Access ( User Auth )"),
+                        'server_tls_user' => gettext("Remote Access ( SSL/TLS + User Auth )"));
+                        foreach ($openvpn_server_modes as $name => $desc) :
+                            $selected = "";
+                            if ($pconfig['mode'] == $name) {
+                                $selected = "selected=\"selected\"";
+                            }?>
+                        <option value="<?=$name;?>" <?=$selected;?>><?=$desc;?></option>
+<?php
+                        endforeach; ?>
+                        </select>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Backend for authentication");?></td>
+                      <td>
+                        <select name='authmode[]' id='authmode' class="selectpicker" multiple="multiple" size="5">
+<?php
+                        if (isset($pconfig['authmode'])) {
+                            $authmodes = explode(",", $pconfig['authmode']);
+                        } else {
+                            $authmodes = array();
+                        }
+                        $auth_servers = auth_get_authserver_list();
+                        foreach ($auth_servers as $auth_key => $auth_server) :
+                                $selected = "";
+                            if (in_array($auth_key, $authmodes)) {
+                                    $selected = "selected=\"selected\"";
+                            }?>
+                            <option value="<?=htmlspecialchars($auth_key); ?>" <?=$selected; ?>><?=htmlspecialchars($auth_server['name']);?></option>
+<?php
+                        endforeach; ?>
+                        </select>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td><a id="help_for_local_group" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Enforce local group') ?></td>
+                      <td>
+                        <select name='local_group' id="local_group" class="selectpicker">
+                          <option value="" <?= empty($pconfig['local_group']) ? 'selected="selected"' : '' ?>>(<?= gettext('none') ?>)</option>
+<?php
+                        foreach (config_read_array('system', 'group') as $group):
+                            $selected = $pconfig['local_group'] == $group['name'] ? 'selected="selected"' : ''; ?>
+                          <option value="<?= $group['name'] ?>" <?= $selected ?>><?= $group['name'] ?></option>
+<?php
+                        endforeach; ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_local_group">
+                          <?= gettext('Restrict access to users in the selected local group. Please be aware ' .
+                            'that other authentication backends will refuse to authenticate when using this option.') ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_protocol" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Protocol");?></td>
+                        <td>
+                          <select name='protocol' class="selectpicker">
+<?php
+                          foreach (openvpn_get_protocols() as $prot):
+                              $selected = "";
+                              if ($pconfig['protocol'] == $prot) {
+                                  $selected = "selected=\"selected\"";
+                              }?>
+                            <option value="<?=$prot;?>" <?=$selected;?>><?=$prot;?></option>
+<?php
+                          endforeach; ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_protocol">
+                          <?= gettext('Select the protocol family to be used. Note that using both families with UDP/TCP ' .
+                                      'does not work with an explicit interface as OpenVPN does not support listening to more ' .
+                                      'than one specified IP address. In this case IPv4 is currently assumed.') ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Device Mode"); ?></td>
+                      <td>
+                        <select name="dev_mode" id="dev_mode" class="selectpicker">
+<?php
+                        foreach (array("tun", "tap") as $device) :
+                               $selected = "";
+                            if (! empty($pconfig['dev_mode'])) {
+                                if ($pconfig['dev_mode'] == $device) {
+                                        $selected = "selected=\"selected\"";
+                                }
+                            } else {
+                                if ($device == "tun") {
+                                        $selected = "selected=\"selected\"";
+                                }
+                            }?>
+                        <option value="<?=$device;?>" <?=$selected;?>><?=$device;?></option>
+<?php
+                        endforeach; ?>
+                        </select>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_interface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interface"); ?></td>
+                      <td>
+                        <select name="interface" class="selectpicker" data-size="5" data-live-search="true">
+<?php
+                        $interfaces = get_configured_interface_with_descr();
+                        foreach (config_read_array('virtualip', 'vip') as $vip) {
+                            $label = $vip['subnet'] . (empty($vip['descr']) ? '' : " ({$vip['descr']})");
+                            if ($vip['mode'] == 'carp') {
+                                $value = "{$vip['interface']}_vip{$vip['vhid']}";
+                            } elseif ($vip['mode'] == 'ipalias') {
+                                $value = $vip['interface'];
+                            } else {
+                                continue;
+                            }
+                            $interfaces["{$value}|{$vip['subnet']}"] = $label;
+                        }
+                        $interfaces['lo0'] = "Localhost";
+                        $interfaces['any'] = "any";
+                        foreach ($interfaces as $iface => $ifacename) :?>
+                          <option value="<?=$iface; ?>"<?=$iface == $pconfig['interface'] ? ' selected="selected"' : '';?>>
+                            <?=htmlspecialchars($ifacename);?>
+                          </option>
+<?php
+                        endforeach; ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_interface">
+                            <?=gettext(
+                              "When selecting any in combination with UDP, we will assume the server is used multi-homed. ".
+                              "This has some small performance implications to assure proper return address lookup."
+                            ); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Local port");?></td>
+                      <td>
+                        <input name="local_port" type="text" class="form-control unknown" size="5" value="<?=$pconfig['local_port'];?>" />
+                      </td>
+                    </tr>
+                  </table>
+                </div>
+              </div>
+            </section>
+            <section class="col-xs-12">
+              <div class="tab-content content-box col-xs-12">
+                <div class="table-responsive">
+                  <table class="table table-striped opnsense_standard_table_form">
+                    <tr>
+                      <td colspan="2"><strong><?=gettext("Cryptographic Settings"); ?></strong></td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td style="width:22%"><i class="fa fa-info-circle text-muted"></i> <?=gettext("TLS Authentication"); ?></td>
+                      <td style="width:78%">
+                        <select name='tlsmode' id='tlsmode' class="selectpicker">
+                            <option value="" <?= empty($pconfig['tlsmode']) ? "selected=\"selected\"" : "";?>>
+                                <?=gettext("Disabled");?>
+                            </option>
+                            <option value="auth" <?= $pconfig['tlsmode'] === "auth" ? "selected=\"selected\"" : "";?>>
+                                <?=gettext("Enabled - Authentication only");?>
+                            </option>
+                            <option value="crypt" <?= $pconfig['tlsmode'] === "crypt" ? "selected=\"selected\"" : "";?>>
+                                <?=gettext("Enabled - Authentication & encryption");?>
+                            </option>
+                        </select>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("TLS Shared Key"); ?></td>
+                      <td>
+                        <?php if (!$pconfig['tls']) :?>
+                        <input name="autotls_enable" id="autotls_enable" class="tls_input_field" type="checkbox" value="yes" <?=!empty($pconfig['autotls_enable']) ? "checked=\"checked\"" : "" ;?>  />
+                        <?=gettext("Automatically generate a shared TLS authentication key"); ?>.
+                        <?php endif; ?>
+                        <div id="autotls_opts">
+                          <textarea id="tls" name="tls" cols="65" rows="7" class="tls_input_field formpre"><?=$pconfig['tls'];?></textarea>
+                          <p class="text-muted"><em><small><?=gettext("Paste your shared key here"); ?>.</small></em></p>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Peer Certificate Authority"); ?></td>
+                        <td>
+<?php
+                        if (isset($config['ca'])) :?>
+                          <select name='caref' class="selectpicker" data-size="5" data-live-search="true">
+<?php
+                          foreach ($config['ca'] as $ca) :
+                              $selected = "";
+                              if ($pconfig['caref'] == $ca['refid']) {
+                                  $selected = "selected=\"selected\"";
+                              }
+                          ?>
+                            <option value="<?=htmlspecialchars($ca['refid']);?>" <?=$selected;?>>
+                              <?=htmlspecialchars($ca['descr']);?>
+                            </option>
+<?php
+                          endforeach; ?>
+                          </select>
+<?php
+                        else :?>
+                          <b><?=gettext("No Certificate Authorities defined.");?></b>
+                          <br /><?=gettext("Create one under")?> <a href="system_camanager.php"> <?=gettext("System: Certificates");?></a>.
+<?php
+                        endif; ?>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Peer Certificate Revocation List"); ?></td>
+                      <td>
+<?php
+                        if (isset($config['crl'])) :?>
+                        <select name='crlref' class="selectpicker" data-size="5" data-live-search="true">
+                          <option value="">None</option>
+<?php
+                          foreach ($config['crl'] as $crl) :
+                              if (!isset($crl['refid'])) {
+                                  continue;
+                              }
+                              $ca = lookup_ca($crl['caref']);
+                              if ($ca) {
+                                  $selected = $pconfig['crlref'] == $crl['refid'] ? 'selected="selected"' : ''; ?>
+                            <option value="<?=htmlspecialchars($crl['refid']);?>" <?=$selected;?>><?=htmlspecialchars("{$crl['descr']} ({$ca['descr']})");?></option>
+<?php
+                              }
+                          endforeach; ?>
+                        </select>
+<?php
+                        else :?>
+                        <b><?=gettext("No Certificate Revocation Lists (CRLs) defined.");?></b>
+                        <br /><?=gettext("Create one under");?> <a href="system_crlmanager.php"><?=gettext("System: Certificates");?></a>.
+<?php
+                        endif; ?>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Server Certificate"); ?></td>
+                      <td>
+<?php
+                      if (isset($config['cert'])) :?>
+                        <select name='certref' class="selectpicker" data-size="5" data-live-search="true">
+<?php
+                        foreach ($config['cert'] as $cert) :
+                            $selected = "";
+                            $caname = "";
+                            $inuse = "";
+                            $revoked = "";
+                            if (!isset($cert['prv'])) {
+                                continue;
+                            }
+                            if (isset($cert['caref'])) {
+                                $ca = lookup_ca($cert['caref']);
+                                if (!empty($ca)) {
+                                    $caname = " ({$ca['descr']})";
+                                }
+                            }
+                            if ($pconfig['certref'] == $cert['refid']) {
+                                $selected = "selected=\"selected\"";
+                            }
+                            if (cert_in_use($cert['refid'])) {
+                                $inuse = " *In Use";
+                            }
+                            if (is_cert_revoked($cert)) {
+                                $revoked = " *Revoked";
+                            }
+                        ?>
+                          <option value="<?=htmlspecialchars($cert['refid']);?>" <?=$selected;?>>
+                            <?=htmlspecialchars($cert['descr'] . $caname . $inuse . $revoked);?>
+                          </option>
+<?php
+                        endforeach; ?>
+                        </select>
+<?php
+                      else :?>
+                          <b><?=gettext("No Certificates defined.");?></b>
+                          <br /><?=gettext("Create one under");?> <a href="system_certmanager.php"><?=gettext("System: Certificates");?></a>.
+<?php
+                      endif; ?>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_shared_key">
+                      <td style="width:22%"><i class="fa fa-info-circle text-muted"></i> <?=gettext("Shared Key"); ?></td>
+                      <td>
+<?php
+                        if (empty($pconfig['shared_key'])) :?>
+                        <div>
+                          <input name="autokey_enable" id="autokey_enable" type="checkbox" value="yes"  <?=!empty($pconfig['autokey_enable']) ? "checked=\"checked\"" : "" ;?>  />
+                          <?=gettext("Automatically generate a shared key"); ?>.
+                        </div>
+<?php
+                        endif; ?>
+                        <div id="autokey_opts">
+                          <textarea name="shared_key" cols="65" rows="7"><?=$pconfig['shared_key'];?></textarea>
+                          <?=gettext("Paste your shared key here"); ?>.
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_crypto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Encryption algorithm (deprecated)"); ?></td>
+                      <td>
+                        <select name="crypto" class="selectpicker">
+<?php
+                        foreach (openvpn_get_cipherlist() as $name => $desc) :
+                            $selected = $name == $pconfig['crypto'] ? " selected=\"selected\"" : "";?>
+                          <option value="<?=$name;?>"<?=$selected?>>
+                            <?=htmlspecialchars($desc);?>
+                          </option>
+<?php
+                        endforeach; ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_crypto">
+                          <?= gettext('Cipher selection for older clients. Only preserved for backwards compatibility reasons.') ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_digest" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Auth Digest Algorithm"); ?></td>
+                      <td>
+                        <select name="digest" class="selectpicker" data-size="5" data-live-search="true">
+<?php
+                        $digestlist = openvpn_get_digestlist();
+                        foreach ($digestlist as $name => $desc) :
+                            $selected = "";
+                            if ($name == $pconfig['digest']) {
+                                $selected = " selected=\"selected\"";
+                            }
+                        ?>
+                          <option value="<?=$name;?>"<?=$selected?>>
+                            <?=htmlspecialchars($desc);?>
+                          </option>
+<?php
+                        endforeach; ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_digest">
+                            <?= gettext('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN.') ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td style="width:22%"><a id="help_for_cert_depth" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Certificate Depth"); ?></td>
+                      <td>
+                        <table>
+                        <tr><td>
+                        <select name="cert_depth" class="selectpicker">
+                          <option value=""><?=gettext('Do Not Check') ?></option>
+<?php
+                          $openvpn_cert_depths = array(
+                            1 => gettext('One (Client+Server)'),
+                            2 => gettext('Two (Client+Intermediate+Server)'),
+                            3 => gettext('Three (Client+2xIntermediate+Server)'),
+                            4 => gettext('Four (Client+3xIntermediate+Server)'),
+                            5 => gettext('Five (Client+4xIntermediate+Server)')
+                          );
+                          foreach ($openvpn_cert_depths as $depth => $depthdesc) :
+                              $selected = "";
+                              if ($depth == $pconfig['cert_depth']) {
+                                  $selected = " selected=\"selected\"";
+                              }
+                          ?>
+                            <option value="<?= $depth ?>" <?= $selected ?>><?= $depthdesc ?></option>
+<?php
+                        endforeach; ?>
+                        </select>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <div class="hidden" data-for="help_for_cert_depth">
+                          <span>
+                            <?=gettext("When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server."); ?>
+                          </span>
+                        </div>
+                        </td></tr>
+                        </table>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls_user">
+                      <td style="width:22%"><a id="help_for_strictusercn" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Strict User/CN Matching"); ?></td>
+                      <td>
+                        <input name="strictusercn" type="checkbox" value="yes" <?=!empty($pconfig['strictusercn']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_strictusercn">
+                          <span>
+                              <?=gettext("When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login."); ?>
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                </table>
+              </div>
+            </div>
+          </section>
+          <section class="col-xs-12">
+            <div class="tab-content content-box col-xs-12">
+              <div class="table-responsive">
+                <table class="table table-striped opnsense_standard_table_form">
+                    <tr>
+                      <td colspan="2"><strong><?=gettext("Tunnel Settings"); ?></strong></td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%" id="ipv4_tunnel_network"><a id="help_for_tunnel_network" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv4 Tunnel Network"); ?></td>
+                      <td style="width:78%">
+                        <input name="tunnel_network" type="text" class="form-control unknown" size="20" value="<?=$pconfig['tunnel_network'];?>" />
+                        <div class="hidden" data-for="help_for_tunnel_network">
+                            <?=gettext("This is the IPv4 virtual network used for private " .
+                                                  "communications between this server and client " .
+                                                  "hosts expressed using CIDR (eg. 10.0.8.0/24). " .
+                                                  "The first network address will be assigned to " .
+                                                  "the server virtual interface. The remaining " .
+                                                  "network addresses can optionally be assigned " .
+                                                  "to connecting clients. (see Address Pool)"); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%"><a id="help_for_tunnel_networkv6" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv6 Tunnel Network"); ?></td>
+                      <td>
+                        <input name="tunnel_networkv6" type="text" class="form-control unknown" size="20" value="<?=$pconfig['tunnel_networkv6'];?>" />
+                        <div class="hidden" data-for="help_for_tunnel_networkv6">
+                            <?=gettext("This is the IPv6 virtual network used for private " .
+                                                  "communications between this server and client " .
+                                                  "hosts expressed using CIDR (eg. fe80::/64). " .
+                                                  "The first network address will be assigned to " .
+                                                  "the server virtual interface. The remaining " .
+                                                  "network addresses can optionally be assigned " .
+                                                  "to connecting clients. (see Address Pool)"); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="dev_mode dev_mode_tap">
+                      <td style="width:22%"><a id="help_for_serverbridge_dhcp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Bridge DHCP"); ?></td>
+                      <td>
+                              <input id="serverbridge_dhcp" name="serverbridge_dhcp" type="checkbox" value="yes" <?=!empty($pconfig['serverbridge_dhcp']) ? "checked=\"checked\"" : "" ;?>/>
+                              <div class="hidden" data-for="help_for_serverbridge_dhcp">
+                                <span>
+                                    <?=gettext("Allow clients on the bridge to obtain DHCP."); ?><br />
+                                </span>
+                              </div>
+                      </td>
+                    </tr>
+                    <tr class="dev_mode dev_mode_tap">
+                      <td style="width:22%"><a id="help_for_serverbridge_interface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Bridge Interface"); ?></td>
+                      <td>
+                        <select id="serverbridge_interface" name="serverbridge_interface" class="selectpicker" data-size="5" data-live-search="true">
+<?php
+                        $serverbridge_interface['none'] = "none";
+                        $serverbridge_interface = array_merge($serverbridge_interface, get_configured_interface_with_descr());
+                        foreach (config_read_array('virtualip', 'vip') as $vip) {
+                            $label = $vip['subnet'] . (empty($vip['descr']) ? '' : " ({$vip['descr']})");
+                            if ($vip['mode'] == 'carp') {
+                                $value = "{$vip['interface']}_vip{$vip['vhid']}";
+                            } elseif ($vip['mode'] == 'ipalias') {
+                                $value = $vip['interface'];
+                            } else {
+                                continue;
+                            }
+                            $serverbridge_interface["{$value}|{$vip['subnet']}"] = $label;
+                        }
+                        foreach ($serverbridge_interface as $iface => $ifacename) :
+                          $selected = "";
+                          if ($iface == $pconfig['serverbridge_interface']) {
+                              $selected = "selected=\"selected\"";
+                          }
+                        ?>
+                            <option value="<?=$iface;?>" <?=$selected;?>>
+                                <?=htmlspecialchars($ifacename);?>
+                            </option>
+<?php
+                        endforeach; ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_serverbridge_interface">
+                            <?=gettext("The interface to which this tap instance will be " .
+                                                  "bridged. This is not done automatically. You must assign this " .
+                                                  "interface and create the bridge separately. " .
+                                                  "This setting controls which existing IP address and subnet " .
+                                                  "mask are used by OpenVPN for the bridge. Setting this to " .
+                                                  "'none' will cause the Server Bridge DHCP settings below to be ignored."); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="dev_mode dev_mode_tap">
+                      <td style="width:22%"><a id="help_for_serverbridge_dhcp_start" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Server Bridge DHCP Start"); ?></td>
+                      <td>
+                        <input  id="serverbridge_dhcp_start" name="serverbridge_dhcp_start" type="text" class="form-control unknown" size="20" value="<?=$pconfig['serverbridge_dhcp_start'];?>" />
+                        <div class="hidden" data-for="help_for_serverbridge_dhcp_start">
+                            <?=gettext("When using tap mode as a multi-point server, " .
+                                                  "you may optionally supply a DHCP range to use on the " .
+                                                  "interface to which this tap instance is bridged. " .
+                                                  "If these settings are left blank, DHCP will be passed " .
+                                                  "through to the LAN, and the interface setting above " .
+                                                  "will be ignored."); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="dev_mode dev_mode_tap">
+                      <td style="width:22%"><i class="fa fa-info-circle text-muted"></i> <?=gettext("Server Bridge DHCP End"); ?></td>
+                      <td>
+                        <input id="serverbridge_dhcp_end" name="serverbridge_dhcp_end" type="text" class="form-control unknown" size="20" value="<?=$pconfig['serverbridge_dhcp_end'];?>" />
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_p2p_shared_key opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td style="width:22%"><a id="help_for_gwredir" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Redirect Gateway"); ?></td>
+                      <td>
+                        <input name="gwredir" id="gwredir" type="checkbox" value="yes" <?=!empty($pconfig['gwredir']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_gwredir">
+                            <span>
+                                <?= gettext('Force all client generated traffic through the tunnel.') ?>
+                            </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_p2p_shared_key opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user opt_gwredir">
+                      <td style="width:22%"><a id="help_local_network" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv4 Local Network"); ?></td>
+                      <td>
+                        <input name="local_network" type="text" class="form-control unknown" size="40" value="<?=$pconfig['local_network'];?>" />
+                        <div class="hidden" data-for="help_local_network">
+                            <?=gettext("These are the IPv4 networks that will be accessible " .
+                                                  "from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. " .
+                                                  "You may leave this blank if you don't " .
+                                                  "want to add a route to the local network " .
+                                                  "through this tunnel on the remote machine. " .
+                                                  "This is generally set to your LAN network"); ?>.
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_p2p_shared_key opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user opt_gwredir">
+                      <td style="width:22%"><a id="help_for_local_networkv6" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv6 Local Network"); ?></td>
+                      <td>
+                        <input name="local_networkv6" type="text" class="form-control unknown" size="40" value="<?=$pconfig['local_networkv6'];?>" />
+                        <div class="hidden" data-for="help_for_local_networkv6">
+                            <?=gettext("These are the IPv6 networks that will be accessible " .
+                                                  "from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX. " .
+                                                  "You may leave this blank if you don't " .
+                                                  "want to add a route to the local network " .
+                                                  "through this tunnel on the remote machine. " .
+                                                  "This is generally set to your LAN network"); ?>.
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_p2p_shared_key opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td style="width:22%"><a id="help_for_remote_network" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv4 Remote Network"); ?></td>
+                      <td>
+                        <input name="remote_network" type="text" class="form-control unknown" size="40" value="<?=$pconfig['remote_network'];?>" />
+                        <div class="hidden" data-for="help_for_remote_network">
+                            <?=gettext("These are the IPv4 networks that will be routed through " .
+                                                  "the tunnel, so that a site-to-site VPN can be " .
+                                                  "established without manually changing the routing tables. " .
+                                                  "Expressed as a comma-separated list of one or more CIDR ranges. " .
+                                                  "If this is a site-to-site VPN, enter the " .
+                                                  "remote LAN/s here. You may leave this blank if " .
+                                                  "you don't want a site-to-site VPN"); ?>.
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_p2p_tls opt_mode_p2p_shared_key opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td style="width:22%"><a id="help_for_remote_networkv6" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv6 Remote Network"); ?></td>
+                      <td>
+                        <input name="remote_networkv6" type="text" class="form-control unknown" size="40" value="<?=$pconfig['remote_networkv6'];?>" />
+                        <div class="hidden" data-for="help_for_remote_networkv6">
+                            <?=gettext("These are the IPv6 networks that will be routed through " .
+                                                  "the tunnel, so that a site-to-site VPN can be " .
+                                                  "established without manually changing the routing tables. " .
+                                                  "Expressed as a comma-separated list of one or more IP/PREFIX. " .
+                                                  "If this is a site-to-site VPN, enter the " .
+                                                  "remote LAN/s here. You may leave this blank if " .
+                                                  "you don't want a site-to-site VPN"); ?>.
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%"><a id="help_for_maxclients" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Concurrent connections");?></td>
+                      <td>
+                        <input name="maxclients" type="text" class="form-control unknown" size="5" value="<?=$pconfig['maxclients'];?>" />
+                        <div class="hidden" data-for="help_for_maxclients">
+                            <?=gettext("Specify the maximum number of clients allowed to concurrently connect to this server"); ?>.
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%"><a id="help_for_compression" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Compression"); ?></td>
+                      <td>
+                        <select name="compression" class="selectpicker">
+<?php
+                        foreach (openvpn_compression_modes() as $cmode => $cmodedesc):
+                            $selected = "";
+                            if ($cmode == $pconfig['compression']) {
+                                $selected = " selected=\"selected\"";
+                            }
+                          ?>
+                            <option value="<?= $cmode ?>" <?= $selected ?>><?= $cmodedesc ?></option>
+<?php
+                        endforeach; ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_compression">
+                            <?=gettext("Compress tunnel packets using the LZ4/LZO algorithm. The LZ4 generally offers the best performance with least CPU usage. For backwards compatibility use the LZO (which is identical to the older option --comp-lzo yes). In the partial mode (the option --compress with an empty algorithm) compression is turned off, but the packet framing for compression is still enabled, allowing a different setting to be pushed later. The legacy LZO algorithm with adaptive compression mode will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently."); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%"><a id="help_for_passtos" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Type-of-Service"); ?></td>
+                      <td>
+                        <input name="passtos" type="checkbox" value="yes" <?=!empty($pconfig['passtos']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_passtos">
+                          <span>
+                            <?=gettext("Set the TOS IP header value of tunnel packets to match the encapsulated packet value"); ?>.
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user">
+                      <td style="width:22%"><a id="help_for_client2client" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Inter-client communication"); ?></td>
+                      <td>
+                          <input name="client2client" type="checkbox" value="yes"  <?=!empty($pconfig['client2client']) ? "checked=\"checked\"" : "" ;?> />
+                          <div class="hidden" data-for="help_for_client2client">
+                            <span>
+                                <?=gettext("Allow communication between clients connected to this server"); ?>
+                            </span>
+                          </div>
+                      </td>
+                    </tr>
+                    <tr id="duplicate_cn">
+                      <td style="width:22%"><a id="help_for_duplicate_cn" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Duplicate Connections"); ?></td>
+                      <td>
+                            <input name="duplicate_cn" type="checkbox" value="yes" <?=!empty($pconfig['duplicate_cn']) ? "checked=\"checked\"" : "" ;?> />
+                            <div class="hidden" data-for="help_for_duplicate_cn">
+                              <span>
+                                <?=gettext("Allow multiple concurrent connections from clients using the same Common Name.<br />NOTE: This is not generally recommended, but may be needed for some scenarios."); ?>
+                              </span>
+                            </div>
+                      </td>
+                    </tr>
+                  </table>
+                </div>
+              </div>
+            </section>
+            <section class="col-xs-12">
+              <div class="tab-content content-box col-xs-12">
+                <div class="table-responsive">
+                  <table class="table table-striped opnsense_standard_table_form">
+                    <tr>
+                      <td colspan="2"><strong><?=gettext("Client Settings"); ?></strong></td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%"><a id="help_for_dynamic_ip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Dynamic IP"); ?></td>
+                      <td style="width:78%">
+                        <input name="dynamic_ip" type="checkbox" id="dynamic_ip" value="yes" <?=!empty($pconfig['dynamic_ip']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_dynamic_ip">
+                          <span>
+                            <?=gettext("Allow connected clients to retain their connections if their IP address changes"); ?>.<br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="dev_mode dev_mode_tun" id="topology_subnet_opt">
+                      <td style="width:22%"><a id="help_for_topology_subnet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Topology"); ?></td>
+                      <td>
+                        <input name="topology_subnet" type="checkbox" id="topology_subnet" value="yes"  <?=!empty($pconfig['topology_subnet']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_topology_subnet">
+                          <span>
+                            <?=gettext("Allocate only one IP per client (topology subnet), rather than an isolated subnet per client (topology net30)."); ?><br />
+                            <?=gettext("Relevant when supplying a virtual adapter IP address to clients when using tun mode on IPv4."); ?><br />
+                            <?=gettext("Some clients may require this even for IPv6, such as OpenVPN Connect (iOS/Android). Others may break if it is present, such as older versions of OpenVPN or clients such as Yealink phones."); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td style="width:22%"><a id="help_for_dns_domain" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DNS Default Domain"); ?></td>
+                      <td>
+                        <input name="dns_domain_enable" type="checkbox" id="dns_domain_enable" value="yes" <?=!empty($pconfig['dns_domain']) ? "checked=\"checked\"" : "" ;?> />
+                        <div id="dns_domain_data">
+                              <input name="dns_domain" type="text" class="form-control unknown" id="dns_domain" size="30" value="<?=htmlspecialchars($pconfig['dns_domain']);?>" />
+                        </div>
+                        <div class="hidden" data-for="help_for_dns_domain">
+                          <span>
+                              <?=gettext("Provide a default domain name to clients"); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td style="width:22%"><a id="help_for_dns_domain_search" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DNS Domain search list"); ?></td>
+                      <td>
+                        <input name="dns_domain_search_enable" type="checkbox" id="dns_domain_search_enable" value="yes" <?=!empty($pconfig['dns_domain_search']) ? "checked=\"checked\"" : "" ;?> />
+                        <div id="dns_domain_search_data">
+                            <input name="dns_domain_search" type="text" class="form-control unknown" value="<?=htmlspecialchars($pconfig['dns_domain_search']);?>" />
+                        </div>
+                        <div class="hidden" data-for="help_for_dns_domain_search">
+                          <span>
+                              <?=gettext("Add name to the domain search list. Repeat this option to add more entries. Expressed as a comma-separated list up to 10 domains are supported."); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td style="width:22%"><a id="help_for_dns_server" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DNS Servers"); ?></td>
+                      <td>
+                        <input name="dns_server_enable" type="checkbox" id="dns_server_enable" value="yes" <?=!empty($pconfig['dns_server1']) || !empty($pconfig['dns_server2']) || !empty($pconfig['dns_server3']) || !empty($pconfig['dns_server4']) ? "checked=\"checked\"" : "" ;?> />
+                        <div id="dns_server_data">
+                              <span>
+                                <?=gettext("Server #1:"); ?>&nbsp;
+                              </span>
+                              <input name="dns_server1" type="text" class="form-control unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>" />
+                              <span>
+                                <?=gettext("Server #2:"); ?>&nbsp;
+                              </span>
+                              <input name="dns_server2" type="text" class="form-control unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>" />
+                              <span>
+                                <?=gettext("Server #3:"); ?>&nbsp;
+                              </span>
+                              <input name="dns_server3" type="text" class="form-control unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>" />
+                              <span>
+                                <?=gettext("Server #4:"); ?>&nbsp;
+                              </span>
+                              <input name="dns_server4" type="text" class="form-control unknown" id="dns_server4" size="20" value="<?=$pconfig['dns_server4'];?>" />
+                        </div>
+                        <div class="hidden" data-for="help_for_dns_server">
+                          <span>
+                            <?=gettext("Provide a DNS server list to clients"); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr id="chkboxPushRegisterDNS" class="opt_mode opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td style="width:22%"><a id="help_for_push_register_dns" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Force DNS cache update"); ?></td>
+                      <td>
+                        <input name="push_register_dns" type="checkbox" value="yes" <?=!empty($pconfig['push_register_dns']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_push_register_dns">
+                          <span>
+                            <?=gettext("Run ''net stop dnscache'', ''net start dnscache'', ''ipconfig /flushdns'' and ''ipconfig /registerdns'' on connection initiation. This is known to kick Windows into recognizing pushed DNS servers."); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr id="chkboxBlockOutsideDNS" class="opt_mode opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td style="width:22%"><a id="help_for_push_block_outside_dns" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Prevent DNS leaks"); ?></td>
+                      <td>
+                        <input name="push_block_outside_dns" type="checkbox" value="yes" <?=!empty($pconfig['push_block_outside_dns']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_push_block_outside_dns">
+                          <span>
+                            <?=gettext("Block DNS servers on other network adapters to prevent DNS leaks. Compatible with Windows clients only."); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td style="width:22%"><a id="help_for_ntp_server_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("NTP Servers"); ?></td>
+                      <td>
+                        <input name="ntp_server_enable" type="checkbox" id="ntp_server_enable" value="yes" <?=!empty($pconfig['ntp_server1']) || !empty($pconfig['ntp_server2']) ? "checked=\"checked\"" : "" ;?>  />
+                        <div id="ntp_server_data">
+                          <span>
+                            <?=gettext("Server #1:"); ?>&nbsp;
+                          </span>
+                          <input name="ntp_server1" type="text" class="form-control unknown" id="ntp_server1" size="20" value="<?=$pconfig['ntp_server1'];?>" />
+                          <span>
+                            <?=gettext("Server #2:"); ?>&nbsp;
+                          </span>
+                          <input name="ntp_server2" type="text" class="form-control unknown" id="ntp_server2" size="20" value="<?=$pconfig['ntp_server2'];?>" />
+                        </div>
+                        <div class="hidden" data-for="help_for_ntp_server_enable">
+                          <span>
+                            <?=gettext("Provide a NTP server list to clients"); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls opt_mode_server_user opt_mode_server_tls_user" style="display:none">
+                      <td style="width:22%"><a id="help_for_netbios_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("NetBIOS Options"); ?></td>
+                      <td>
+                        <input name="netbios_enable" type="checkbox" id="netbios_enable" value="yes" <?=!empty($pconfig['netbios_enable']) ? "checked=\"checked\"" : "" ;?>  />
+                        <div class="hidden" data-for="help_for_netbios_enable">
+                          <span>
+                            <?=gettext("Enable NetBIOS over TCP/IP"); ?><br />
+                            <?=gettext("If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled"); ?>.
+                          </span>
+                        </div>
+                        <div id="netbios_data">
+                          <span>
+                            <?=gettext("Node Type"); ?>:&nbsp;
+                          </span><br>
+                          <select name='netbios_ntype' class="selectpicker">
+<?php
+                          foreach ($netbios_nodetypes as $type => $name) :
+                              $selected = "";
+                              if ($pconfig['netbios_ntype'] == $type) {
+                                  $selected = "selected=\"selected\"";
+                              }
+                          ?>
+                            <option value="<?=$type;?>" <?=$selected;?>><?=$name;?></option>
+<?php
+                          endforeach; ?>
+                          </select>
+                          <div class="hidden" data-for="help_for_netbios_enable">
+                            <?=gettext("Possible options: b-node (broadcasts), p-node " .
+                                                        "(point-to-point name queries to a WINS server), " .
+                                                        "m-node (broadcast then query name server), and " .
+                                                        "h-node (query name server, then broadcast)."); ?>
+                          </div><br>
+                          <span>
+                            <?=gettext("Scope ID"); ?>:&nbsp;
+                          </span>
+                          <input name="netbios_scope" type="text" class="form-control unknown" id="netbios_scope" size="30" value="<?=$pconfig['netbios_scope'];?>" />
+                          <div class="hidden" data-for="help_for_netbios_enable">
+                            <?=gettext("A NetBIOS Scope ID provides an extended naming " .
+                                                        "service for NetBIOS over TCP/IP. The NetBIOS " .
+                                                        "Scope ID isolates NetBIOS traffic on a single " .
+                                                        "network to only those nodes with the same " .
+                                                        "NetBIOS Scope ID."); ?>
+                          </div>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr id="wins_opts">
+                      <td style="width:22%"><a id="help_for_wins_server" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("WINS Servers"); ?></td>
+                      <td>
+                        <input name="wins_server_enable" type="checkbox" id="wins_server_enable" value="yes" <?=!empty($pconfig['wins_server1']) || !empty($pconfig['wins_server2']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_wins_server">
+                          <span>
+                            <?=gettext("Provide a WINS server list to clients"); ?><br />
+                          </span>
+                        </div>
+                        <div id="wins_server_data">
+                          <span>
+                            <?=gettext("Server #1:"); ?>&nbsp;
+                          </span>
+                          <input name="wins_server1" type="text" class="form-control unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>" />
+                          <span>
+                            <?=gettext("Server #2:"); ?>&nbsp;
+                          </span>
+                          <input name="wins_server2" type="text" class="form-control unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>" />
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%"><a id="help_for_client_mgmt_port" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Client Management Port"); ?></td>
+                      <td>
+                        <input name="client_mgmt_port_enable" type="checkbox" id="client_mgmt_port_enable" value="yes" <?=!empty($pconfig['client_mgmt_port']) ? "checked=\"checked\"" : "" ;?> />
+                        <div id="client_mgmt_port_data">
+                              <input name="client_mgmt_port" type="text" class="form-control unknown" id="client_mgmt_port" size="30" value="<?=htmlspecialchars($pconfig['client_mgmt_port']);?>" />
+                        </div>
+                        <div class="hidden" data-for="help_for_client_mgmt_port">
+                          <span>
+                            <?=gettext("Use a different management port on clients. The default port is 166. Specify a different port if the client machines need to select from multiple OpenVPN links."); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls_user">
+                      <td style="width:22%"><a id="help_for_use-common-name" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Use common name"); ?></td>
+                      <td>
+                        <input name="use-common-name" type="checkbox" value="1" <?=!empty($pconfig['use-common-name']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_use-common-name">
+                          <span>
+                            <?=gettext("When using a client certificate, use certificate common name for indexing purposes instead of username"); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                  </table>
+                </div>
+              </div>
+            </section>
+            <section class="col-xs-12">
+              <div class="tab-content content-box col-xs-12">
+                <div class="table-responsive">
+                  <table class="table table-striped opnsense_standard_table_form">
+                    <tr>
+                      <td colspan="2"><strong><?=gettext("Advanced configuration"); ?></strong></td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%"><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Advanced"); ?></td>
+                      <td>
+                        <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                        <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
+                        <div class="hidden" data-for="help_for_custom_options">
+                          <?=gettext("Enter any additional options you would like to add to the configuration file here."); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr id="comboboxVerbosityLevel">
+                      <td style="width:22%"><a id="help_for_verbosity_level" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Verbosity level");?></td>
+                      <td>
+                        <select name="verbosity_level" class="selectpicker">
+<?php
+                        foreach (openvpn_verbosity_level() as $verb_value => $verb_desc):
+                            $selected = '';
+                            if ($pconfig['verbosity_level'] == $verb_value) {
+                                $selected = 'selected="selected"';
+                            }
+                        ?>
+                          <option value="<?=$verb_value; ?>" <?=$selected; ?>><?=$verb_desc;?></option>
+<?php
+                        endforeach; ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_verbosity_level">
+                          <?=gettext("Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output."); ?><br /> <br />
+                          <?=sprintf(gettext("%s0%s -- No output except fatal errors."),'<strong>','</strong>') ?> <br />
+                          <?=sprintf(gettext("%s1%s -- startup info + connection initiated messages + non-fatal encryption & net errors."),'<strong>','</strong>') ?> <br />
+                          <?=sprintf(gettext("%s2,3%s -- show TLS negotiations & route info."),'<strong>','</strong>') ?> <br />
+                          <?=sprintf(gettext("%s4%s -- Normal usage range."),'<strong>','</strong>') ?> <br />
+                          <?=sprintf(gettext("%s5%s -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets."),'<strong>','</strong>') ?> <br />
+                          <?=sprintf(gettext("%s6%s-%s11%s -- Debug info range."),'<strong>','</strong>','<strong>','</strong>') ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr class="opt_mode opt_mode_server_tls_user opt_mode_server_user">
+                      <td><a id="help_for_reneg-sec" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Renegotiate time"); ?></td>
+                      <td>
+                        <input type="text" name="reneg-sec" value="<?=$pconfig['reneg-sec'];?>">
+                        <div class="hidden" data-for="help_for_reneg-sec">
+                          <?=sprintf(
+                              gettext('Renegotiate data channel key after n seconds (default=3600).%s' .
+                                     'When using a one time password, be advised that your connection will automatically drop because your password is not valid anymore.%sSet to 0 to disable, remember to change your client as well.'),
+                                     '<br/>','<br/>');?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr id="chkboxLoginMatching">
+                      <td style="width:22%"><a id="help_for_cso_login_matching" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Force CSO Login Matching"); ?></td>
+                      <td>
+                        <input name="cso_login_matching" type="checkbox" value="yes" <?=!empty($pconfig['cso_login_matching']) ? "checked=\"checked\"" : "" ;?> />
+                        <div class="hidden" data-for="help_for_cso_login_matching">
+                          <span>
+                            <?=gettext("Use username instead of common name to match client specific override."); ?><br />
+                          </span>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td style="width:22%">&nbsp;</td>
+                      <td style="width:78%">
+                        <input name="save" type="submit" class="btn btn-primary" value="<?=html_safe(gettext('Save')); ?>" />
+                        <input name="act" type="hidden" value="<?=$act;?>" />
+<?php
+                        if (isset($id) && $a_server[$id]) :?>
+                        <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>" />
+<?php
+                        endif; ?>
+                      </td>
+                    </tr>
+                  </table>
+                </div>
+               </div>
+             </section>
+           </form>
+
+<?php
+              else :?>
+          <section class="col-xs-12">
+            <div class="alert alert-warning" role="alert">
+                <strong>
+                  <?php $eol_this_month = explode('.', product::getInstance()->version())[1] ?? '1';?>
+                    <?=sprintf(
+                        gettext("This component is reaching the end of the line, official maintenance will end as of version %s"),
+                        in_array($eol_this_month, ['1', '7']) ? '26.1' : '26.4');?>
+                </strong>
+            </div>
+            <div class="tab-content content-box col-xs-12">
+              <table class="table table-striped">
+                <thead>
+                <tr>
+                  <td></td>
+                  <td><?=gettext("Protocol / Port"); ?></td>
+                  <td><?=gettext("Tunnel Network"); ?></td>
+                  <td><?=gettext("Description"); ?></td>
+                  <td class="text-nowrap">
+                    <a href="vpn_openvpn_server.php?act=new" class="btn btn-primary btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Add')) ?>">
+                      <i class="fa fa-plus fa-fw"></i>
+                    </a>
+                  </td>
+                </tr>
+                </thead>
+
+                <tbody>
+<?php
+                  $i = 0;
+                  foreach ($a_server as $server) :?>
+                  <tr>
+                    <td>
+                      <a href="#" class="act_toggle" data-id="<?=$i;?>" data-toggle="tooltip" title="<?=(empty($server['disable'])) ? gettext("Disable") : gettext("Enable");?>">
+                        <span class="fa fa-play <?=(empty($server['disable'])) ? "text-success" : "text-muted";?>"></span>
+                      </a>
+                    </td>
+                    <td>
+                        <?=htmlspecialchars($server['protocol']);?> / <?=htmlspecialchars($server['local_port']);?>
+                    </td>
+                    <td>
+                        <?= htmlspecialchars($server['tunnel_network'])  ?>
+                        <?= !empty($server['tunnel_networkv6']) && !empty($server['tunnel_network']) ? ',' : '' ?>
+                        <?= htmlspecialchars($server['tunnel_networkv6']) ?>
+                    </td>
+                    <td>
+                        <?=htmlspecialchars($server['description']);?>
+                    </td>
+                    <td class="text-nowrap">
+                        <a href="vpn_openvpn_server.php?act=edit&amp;id=<?=$i;?>"  title="<?= html_safe(gettext('Edit')) ?>" data-toggle="tooltip" class="btn btn-default btn-xs"><i class="fa fa-pencil fa-fw"></i></a>
+                        <a id="del_<?=$i;?>" title="<?= html_safe(gettext('Delete')) ?>" data-toggle="tooltip" class="act_delete btn btn-default btn-xs"><i class="fa fa-trash fa-fw"></i></a>
+                        <a href="vpn_openvpn_server.php?act=new&amp;dup=<?=$i;?>" class="btn btn-default btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Clone')) ?>">
+                          <span class="fa fa-clone fa-fw"></span>
+                        </a>
+                    </td>
+                  </tr>
+<?php
+                  $i++;
+                  endforeach;?>
+                </tbody>
+              </table>
+            </div>
+          </section>
+<?php
+              endif; ?>
+      </div>
+    </div>
+  </section>
+
+<?php include("foot.inc"); ?>

From aabc7e3daaddc890bbc4e2c660009c4678bd73bb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 19 Jun 2025 19:26:37 +0200
Subject: [PATCH 2475/3088] net/openvpn-legacy: follow fix from core

---
 security/openvpn-legacy/src/www/vpn_openvpn_server.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/openvpn-legacy/src/www/vpn_openvpn_server.php b/security/openvpn-legacy/src/www/vpn_openvpn_server.php
index da97ce84ac..4bf340fe4b 100644
--- a/security/openvpn-legacy/src/www/vpn_openvpn_server.php
+++ b/security/openvpn-legacy/src/www/vpn_openvpn_server.php
@@ -134,7 +134,7 @@
 
     if ($act == "del") {
         $response = ["status" => "failed", "message" => gettext("not found")];
-        if (isset($id) && !empty($a_client[$id])) {
+        if (isset($id) && !empty($a_server[$id])) {
             openvpn_delete('server', $a_server[$id]);
             unset($a_server[$id]);
             write_config();

From 81681053d3e13a0505f0154b4f6e2c90da9f6ad3 Mon Sep 17 00:00:00 2001
From: Christian Heimlich <chris@pcserenity.com>
Date: Sun, 22 Jun 2025 11:39:14 -0400
Subject: [PATCH 2476/3088] security/tailscale: Fix subnet router dialog help
 text

The original help text appears to be a potential copy-and-paste
leftover from an unrelated subnet field for some kind of DHCP
configuration dialog.

Changes the help text so that it is contextually relevant to the
plugin.
---
 .../app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml
index ce35d9f3d1..4e2ae94286 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/dialogSubnet4.xml
@@ -3,7 +3,7 @@
         <id>subnet4.subnet</id>
         <label>Subnet</label>
         <type>text</type>
-        <help>Subnet to use, should be large enough to hold the specified pools and reservations</help>
+        <help>Local subnet to route to your tailnet in CIDR notation (e.g. 192.168.1.0/24).</help>
     </field>
     <field>
         <id>subnet4.description</id>

From 4b4ec29ecaf161cc426dfebb72f5ec658bbd6658 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 23 Jun 2025 14:45:51 +0200
Subject: [PATCH 2477/3088] mvc: Replace camelCase API notation with snake_case
  (#4767)

* mvc: Replace camelCase API notation with snake_case

* mvc: Replace camelCase API notation with snake_case, fixed some special cases in www/caddy
---
 .../app/views/OPNsense/GridExample/index.volt |  12 +-
 .../mvc/app/views/OPNsense/Bind/general.volt  |  40 ++---
 .../views/OPNsense/Dnscryptproxy/general.volt |  40 ++---
 .../app/views/OPNsense/Postfix/address.volt   |  10 +-
 .../app/views/OPNsense/Postfix/domain.volt    |  10 +-
 .../views/OPNsense/Postfix/headerchecks.volt  |  10 +-
 .../app/views/OPNsense/Postfix/recipient.volt |  10 +-
 .../views/OPNsense/Postfix/recipientbcc.volt  |  10 +-
 .../app/views/OPNsense/Postfix/sender.volt    |  10 +-
 .../app/views/OPNsense/Postfix/senderbcc.volt |  10 +-
 .../OPNsense/Postfix/sendercanonical.volt     |  10 +-
 .../app/views/OPNsense/Netsnmp/general.volt   |  10 +-
 .../mvc/app/views/OPNsense/Nrpe/general.volt  |  10 +-
 .../app/views/OPNsense/Telegraf/general.volt  |  10 +-
 .../app/views/OPNsense/ZabbixAgent/index.volt |  20 +--
 .../app/views/OPNsense/Freeradius/client.volt |  10 +-
 .../app/views/OPNsense/Freeradius/dhcp.volt   |  10 +-
 .../app/views/OPNsense/Freeradius/lease.volt  |  10 +-
 .../app/views/OPNsense/Freeradius/proxy.volt  |  30 ++--
 .../app/views/OPNsense/Freeradius/user.volt   |  20 +--
 .../mvc/app/views/OPNsense/Quagga/bfd.volt    |  10 +-
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    |  70 ++++-----
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   |  50 +++----
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  |  50 +++----
 .../mvc/app/views/OPNsense/Quagga/static.volt |  10 +-
 .../app/views/OPNsense/FtpProxy/index.volt    |  14 +-
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 138 +++++++++---------
 .../views/OPNsense/RadSecProxy/clients.volt   |  12 +-
 .../views/OPNsense/RadSecProxy/realms.volt    |  12 +-
 .../views/OPNsense/RadSecProxy/rewrites.volt  |  12 +-
 .../views/OPNsense/RadSecProxy/servers.volt   |  12 +-
 .../app/views/OPNsense/RadSecProxy/tls.volt   |  12 +-
 .../app/views/OPNsense/Siproxd/general.volt   |  20 +--
 .../OPNsense/UDPBroadcastRelay/index.volt     |  14 +-
 .../mvc/app/views/OPNsense/Wol/index.volt     |   8 +-
 .../app/views/OPNsense/ClamAV/general.volt    |  10 +-
 .../app/views/OPNsense/Stunnel/services.volt  |  12 +-
 .../mvc/app/views/OPNsense/Tinc/index.volt    |  20 +--
 .../mvc/app/views/Deciso/Proxy/acl.volt       |  24 +--
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  24 +--
 .../mvc/app/views/OPNsense/Proxy/index.volt   |  36 ++---
 41 files changed, 438 insertions(+), 434 deletions(-)

diff --git a/devel/grid_example/src/opnsense/mvc/app/views/OPNsense/GridExample/index.volt b/devel/grid_example/src/opnsense/mvc/app/views/OPNsense/GridExample/index.volt
index 0061bcb4f4..51f35f527b 100644
--- a/devel/grid_example/src/opnsense/mvc/app/views/OPNsense/GridExample/index.volt
+++ b/devel/grid_example/src/opnsense/mvc/app/views/OPNsense/GridExample/index.volt
@@ -28,12 +28,12 @@
 
     $( document ).ready(function() {
         $("#grid-addresses").UIBootgrid(
-            {   search:'/api/gridexample/settings/searchItem/',
-                get:'/api/gridexample/settings/getItem/',
-                set:'/api/gridexample/settings/setItem/',
-                add:'/api/gridexample/settings/addItem/',
-                del:'/api/gridexample/settings/delItem/',
-                toggle:'/api/gridexample/settings/toggleItem/'
+            {   search:'/api/gridexample/settings/search_item/',
+                get:'/api/gridexample/settings/get_item/',
+                set:'/api/gridexample/settings/set_item/',
+                add:'/api/gridexample/settings/add_item/',
+                del:'/api/gridexample/settings/del_item/',
+                toggle:'/api/gridexample/settings/toggle_item/'
             }
         );
     });
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 0649c0eb2c..43888287e4 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -355,20 +355,20 @@ $(document).ready(function() {
 
     $("#grid-acls").UIBootgrid({
         'search': '/api/bind/acl/searchAcl',
-        'get': '/api/bind/acl/getAcl/',
-        'set': '/api/bind/acl/setAcl/',
-        'add': '/api/bind/acl/addAcl/',
-        'del': '/api/bind/acl/delAcl/',
-        'toggle': '/api/bind/acl/toggleAcl/'
+        'get': '/api/bind/acl/get_acl/',
+        'set': '/api/bind/acl/set_acl/',
+        'add': '/api/bind/acl/add_acl/',
+        'del': '/api/bind/acl/del_acl/',
+        'toggle': '/api/bind/acl/toggle_acl/'
     });
 
     $("#grid-primary-domains").UIBootgrid({
         'search': '/api/bind/domain/searchPrimaryDomain',
-        'get': '/api/bind/domain/getDomain/',
-        'set': '/api/bind/domain/setDomain/',
-        'add': '/api/bind/domain/addPrimaryDomain/',
-        'del': '/api/bind/domain/delDomain/',
-        'toggle': '/api/bind/domain/toggleDomain/',
+        'get': '/api/bind/domain/get_domain/',
+        'set': '/api/bind/domain/set_domain/',
+        'add': '/api/bind/domain/add_primary_domain/',
+        'del': '/api/bind/domain/del_domain/',
+        'toggle': '/api/bind/domain/toggle_domain/',
         commands: {
             'bind-checkzone': {
                 'title': "Check & preview",
@@ -415,11 +415,11 @@ $(document).ready(function() {
 
     $("#grid-secondary-domains").UIBootgrid({
         'search': '/api/bind/domain/searchSecondaryDomain',
-        'get': '/api/bind/domain/getDomain/',
-        'set': '/api/bind/domain/setDomain/',
-        'add': '/api/bind/domain/addSecondaryDomain/',
-        'del': '/api/bind/domain/delDomain/',
-        'toggle': '/api/bind/domain/toggleDomain/',
+        'get': '/api/bind/domain/get_domain/',
+        'set': '/api/bind/domain/set_domain/',
+        'add': '/api/bind/domain/add_secondary_domain/',
+        'del': '/api/bind/domain/del_domain/',
+        'toggle': '/api/bind/domain/toggle_domain/',
         options: {
             selection: false,
             multiSelect: false,
@@ -435,11 +435,11 @@ $(document).ready(function() {
 
     $("#grid-primary-records").UIBootgrid({
         'search': '/api/bind/record/searchRecord',
-        'get': '/api/bind/record/getRecord/',
-        'set': '/api/bind/record/setRecord/',
-        'add': '/api/bind/record/addRecord/',
-        'del': '/api/bind/record/delRecord/',
-        'toggle': '/api/bind/record/toggleRecord/',
+        'get': '/api/bind/record/get_record/',
+        'set': '/api/bind/record/set_record/',
+        'add': '/api/bind/record/add_record/',
+        'del': '/api/bind/record/del_record/',
+        'toggle': '/api/bind/record/toggle_record/',
         options: {
             useRequestHandlerOnGet: true,
             requestHandler: function(request) {
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
index 606b631960..3d42a13027 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
@@ -187,41 +187,41 @@ $( document ).ready(function() {
 
     $("#grid-forwards").UIBootgrid(
         {   'search':'/api/dnscryptproxy/forward/searchForward',
-            'get':'/api/dnscryptproxy/forward/getForward/',
-            'set':'/api/dnscryptproxy/forward/setForward/',
-            'add':'/api/dnscryptproxy/forward/addForward/',
-            'del':'/api/dnscryptproxy/forward/delForward/',
-            'toggle':'/api/dnscryptproxy/forward/toggleForward/'
+            'get':'/api/dnscryptproxy/forward/get_forward/',
+            'set':'/api/dnscryptproxy/forward/set_forward/',
+            'add':'/api/dnscryptproxy/forward/add_forward/',
+            'del':'/api/dnscryptproxy/forward/del_forward/',
+            'toggle':'/api/dnscryptproxy/forward/toggle_forward/'
         }
     );
 
     $("#grid-cloaks").UIBootgrid(
         {   'search':'/api/dnscryptproxy/cloak/searchCloak',
-            'get':'/api/dnscryptproxy/cloak/getCloak/',
-            'set':'/api/dnscryptproxy/cloak/setCloak/',
-            'add':'/api/dnscryptproxy/cloak/addCloak/',
-            'del':'/api/dnscryptproxy/cloak/delCloak/',
-            'toggle':'/api/dnscryptproxy/cloak/toggleCloak/'
+            'get':'/api/dnscryptproxy/cloak/get_cloak/',
+            'set':'/api/dnscryptproxy/cloak/set_cloak/',
+            'add':'/api/dnscryptproxy/cloak/add_cloak/',
+            'del':'/api/dnscryptproxy/cloak/del_cloak/',
+            'toggle':'/api/dnscryptproxy/cloak/toggle_cloak/'
         }
     );
 
     $("#grid-whitelists").UIBootgrid(
         {   'search':'/api/dnscryptproxy/whitelist/searchWhitelist',
-            'get':'/api/dnscryptproxy/whitelist/getWhitelist/',
-            'set':'/api/dnscryptproxy/whitelist/setWhitelist/',
-            'add':'/api/dnscryptproxy/whitelist/addWhitelist/',
-            'del':'/api/dnscryptproxy/whitelist/delWhitelist/',
-            'toggle':'/api/dnscryptproxy/whitelist/toggleWhitelist/'
+            'get':'/api/dnscryptproxy/whitelist/get_whitelist/',
+            'set':'/api/dnscryptproxy/whitelist/set_whitelist/',
+            'add':'/api/dnscryptproxy/whitelist/add_whitelist/',
+            'del':'/api/dnscryptproxy/whitelist/del_whitelist/',
+            'toggle':'/api/dnscryptproxy/whitelist/toggle_whitelist/'
         }
     );
 
     $("#grid-servers").UIBootgrid(
         {   'search':'/api/dnscryptproxy/server/searchServer',
-            'get':'/api/dnscryptproxy/server/getServer/',
-            'set':'/api/dnscryptproxy/server/setServer/',
-            'add':'/api/dnscryptproxy/server/addServer/',
-            'del':'/api/dnscryptproxy/server/delServer/',
-            'toggle':'/api/dnscryptproxy/server/toggleServer/'
+            'get':'/api/dnscryptproxy/server/get_server/',
+            'set':'/api/dnscryptproxy/server/set_server/',
+            'add':'/api/dnscryptproxy/server/add_server/',
+            'del':'/api/dnscryptproxy/server/del_server/',
+            'toggle':'/api/dnscryptproxy/server/toggle_server/'
         }
     );
 
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/address.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/address.volt
index c6bc57777d..54258396c3 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/address.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/address.volt
@@ -36,11 +36,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-addresses").UIBootgrid(
             {   'search':'/api/postfix/address/searchAddress',
-                'get':'/api/postfix/address/getAddress/',
-                'set':'/api/postfix/address/setAddress/',
-                'add':'/api/postfix/address/addAddress/',
-                'del':'/api/postfix/address/delAddress/',
-                'toggle':'/api/postfix/address/toggleAddress/'
+                'get':'/api/postfix/address/get_address/',
+                'set':'/api/postfix/address/set_address/',
+                'add':'/api/postfix/address/add_address/',
+                'del':'/api/postfix/address/del_address/',
+                'toggle':'/api/postfix/address/toggle_address/'
             }
         );
 
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/domain.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/domain.volt
index bf7e0b1af2..d5e2c6e98c 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/domain.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/domain.volt
@@ -36,11 +36,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-domains").UIBootgrid(
             {   'search':'/api/postfix/domain/searchDomain',
-                'get':'/api/postfix/domain/getDomain/',
-                'set':'/api/postfix/domain/setDomain/',
-                'add':'/api/postfix/domain/addDomain/',
-                'del':'/api/postfix/domain/delDomain/',
-                'toggle':'/api/postfix/domain/toggleDomain/'
+                'get':'/api/postfix/domain/get_domain/',
+                'set':'/api/postfix/domain/set_domain/',
+                'add':'/api/postfix/domain/add_domain/',
+                'del':'/api/postfix/domain/del_domain/',
+                'toggle':'/api/postfix/domain/toggle_domain/'
             }
         );
 
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
index c33b317d44..b84f268c36 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
@@ -35,11 +35,11 @@
 
         $("#grid-headerchecks").UIBootgrid(
             {   'search':'/api/postfix/headerchecks/searchHeaderchecks',
-                'get':'/api/postfix/headerchecks/getHeadercheck/',
-                'set':'/api/postfix/headerchecks/setHeadercheck/',
-                'add':'/api/postfix/headerchecks/addHeadercheck/',
-                'del':'/api/postfix/headerchecks/delHeadercheck/',
-                'toggle':'/api/postfix/headerchecks/toggleHeadercheck/'
+                'get':'/api/postfix/headerchecks/get_headercheck/',
+                'set':'/api/postfix/headerchecks/set_headercheck/',
+                'add':'/api/postfix/headerchecks/add_headercheck/',
+                'del':'/api/postfix/headerchecks/del_headercheck/',
+                'toggle':'/api/postfix/headerchecks/toggle_headercheck/'
             }
         );
 
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipient.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipient.volt
index ed1e62be1d..99c818537f 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipient.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipient.volt
@@ -36,11 +36,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-recipients").UIBootgrid(
             {   'search':'/api/postfix/recipient/searchRecipient',
-                'get':'/api/postfix/recipient/getRecipient/',
-                'set':'/api/postfix/recipient/setRecipient/',
-                'add':'/api/postfix/recipient/addRecipient/',
-                'del':'/api/postfix/recipient/delRecipient/',
-                'toggle':'/api/postfix/recipient/toggleRecipient/'
+                'get':'/api/postfix/recipient/get_recipient/',
+                'set':'/api/postfix/recipient/set_recipient/',
+                'add':'/api/postfix/recipient/add_recipient/',
+                'del':'/api/postfix/recipient/del_recipient/',
+                'toggle':'/api/postfix/recipient/toggle_recipient/'
             }
         );
 
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipientbcc.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipientbcc.volt
index 39bd7edc70..76a5b1df4a 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipientbcc.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipientbcc.volt
@@ -36,11 +36,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-recipientbccs").UIBootgrid(
             {   'search':'/api/postfix/recipientbcc/searchRecipientbcc',
-                'get':'/api/postfix/recipientbcc/getRecipientbcc/',
-                'set':'/api/postfix/recipientbcc/setRecipientbcc/',
-                'add':'/api/postfix/recipientbcc/addRecipientbcc/',
-                'del':'/api/postfix/recipientbcc/delRecipientbcc/',
-                'toggle':'/api/postfix/recipientbcc/toggleRecipientbcc/'
+                'get':'/api/postfix/recipientbcc/get_recipientbcc/',
+                'set':'/api/postfix/recipientbcc/set_recipientbcc/',
+                'add':'/api/postfix/recipientbcc/add_recipientbcc/',
+                'del':'/api/postfix/recipientbcc/del_recipientbcc/',
+                'toggle':'/api/postfix/recipientbcc/toggle_recipientbcc/'
             }
         );
 
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sender.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sender.volt
index 078e6d3869..f800f0f862 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sender.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sender.volt
@@ -36,11 +36,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-senders").UIBootgrid(
             {   'search':'/api/postfix/sender/searchSender',
-                'get':'/api/postfix/sender/getSender/',
-                'set':'/api/postfix/sender/setSender/',
-                'add':'/api/postfix/sender/addSender/',
-                'del':'/api/postfix/sender/delSender/',
-                'toggle':'/api/postfix/sender/toggleSender/'
+                'get':'/api/postfix/sender/get_sender/',
+                'set':'/api/postfix/sender/set_sender/',
+                'add':'/api/postfix/sender/add_sender/',
+                'del':'/api/postfix/sender/del_sender/',
+                'toggle':'/api/postfix/sender/toggle_sender/'
             }
         );
 
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/senderbcc.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/senderbcc.volt
index 7b22a077bd..530eba0d16 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/senderbcc.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/senderbcc.volt
@@ -36,11 +36,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-senderbccs").UIBootgrid(
             {   'search':'/api/postfix/senderbcc/searchSenderbcc',
-                'get':'/api/postfix/senderbcc/getSenderbcc/',
-                'set':'/api/postfix/senderbcc/setSenderbcc/',
-                'add':'/api/postfix/senderbcc/addSenderbcc/',
-                'del':'/api/postfix/senderbcc/delSenderbcc/',
-                'toggle':'/api/postfix/senderbcc/toggleSenderbcc/'
+                'get':'/api/postfix/senderbcc/get_senderbcc/',
+                'set':'/api/postfix/senderbcc/set_senderbcc/',
+                'add':'/api/postfix/senderbcc/add_senderbcc/',
+                'del':'/api/postfix/senderbcc/del_senderbcc/',
+                'toggle':'/api/postfix/senderbcc/toggle_senderbcc/'
             }
         );
 
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sendercanonical.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sendercanonical.volt
index 5324769fb7..ec067b0b16 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sendercanonical.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sendercanonical.volt
@@ -37,11 +37,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-sendercanonicals").UIBootgrid(
             {   'search':'/api/postfix/sendercanonical/searchSendercanonical',
-                'get':'/api/postfix/sendercanonical/getSendercanonical/',
-                'set':'/api/postfix/sendercanonical/setSendercanonical/',
-                'add':'/api/postfix/sendercanonical/addSendercanonical/',
-                'del':'/api/postfix/sendercanonical/delSendercanonical/',
-                'toggle':'/api/postfix/sendercanonical/toggleSendercanonical/'
+                'get':'/api/postfix/sendercanonical/get_sendercanonical/',
+                'set':'/api/postfix/sendercanonical/set_sendercanonical/',
+                'add':'/api/postfix/sendercanonical/add_sendercanonical/',
+                'del':'/api/postfix/sendercanonical/del_sendercanonical/',
+                'toggle':'/api/postfix/sendercanonical/toggle_sendercanonical/'
             }
         );
 
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/views/OPNsense/Netsnmp/general.volt b/net-mgmt/net-snmp/src/opnsense/mvc/app/views/OPNsense/Netsnmp/general.volt
index 1a638dc048..e81adfa516 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/views/OPNsense/Netsnmp/general.volt
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/views/OPNsense/Netsnmp/general.volt
@@ -90,11 +90,11 @@ $( document ).ready(function() {
 
     $("#grid-users").UIBootgrid(
         {   'search':'/api/netsnmp/user/searchUser',
-            'get':'/api/netsnmp/user/getUser/',
-            'set':'/api/netsnmp/user/setUser/',
-            'add':'/api/netsnmp/user/addUser/',
-            'del':'/api/netsnmp/user/delUser/',
-            'toggle':'/api/netsnmp/user/toggleUser/'
+            'get':'/api/netsnmp/user/get_user/',
+            'set':'/api/netsnmp/user/set_user/',
+            'add':'/api/netsnmp/user/add_user/',
+            'del':'/api/netsnmp/user/del_user/',
+            'toggle':'/api/netsnmp/user/toggle_user/'
         }
     );
 
diff --git a/net-mgmt/nrpe/src/opnsense/mvc/app/views/OPNsense/Nrpe/general.volt b/net-mgmt/nrpe/src/opnsense/mvc/app/views/OPNsense/Nrpe/general.volt
index fd6e0cd3d3..86b7dfa936 100644
--- a/net-mgmt/nrpe/src/opnsense/mvc/app/views/OPNsense/Nrpe/general.volt
+++ b/net-mgmt/nrpe/src/opnsense/mvc/app/views/OPNsense/Nrpe/general.volt
@@ -87,11 +87,11 @@ $(function() {
 
     $("#grid-command").UIBootgrid(
         {   'search':'/api/nrpe/command/searchCommand',
-            'get':'/api/nrpe/command/getCommand/',
-            'set':'/api/nrpe/command/setCommand/',
-            'add':'/api/nrpe/command/addCommand/',
-            'del':'/api/nrpe/command/delCommand/',
-            'toggle':'/api/nrpe/command/toggleCommand/'
+            'get':'/api/nrpe/command/get_command/',
+            'set':'/api/nrpe/command/set_command/',
+            'add':'/api/nrpe/command/add_command/',
+            'del':'/api/nrpe/command/del_command/',
+            'toggle':'/api/nrpe/command/toggle_command/'
         }
     );
 
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/views/OPNsense/Telegraf/general.volt b/net-mgmt/telegraf/src/opnsense/mvc/app/views/OPNsense/Telegraf/general.volt
index 91a096f6b6..21bc9bea81 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/views/OPNsense/Telegraf/general.volt
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/views/OPNsense/Telegraf/general.volt
@@ -85,11 +85,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
     $("#grid-keys").UIBootgrid(
         {   'search':'/api/telegraf/key/searchKey',
-            'get':'/api/telegraf/key/getKey/',
-            'set':'/api/telegraf/key/setKey/',
-            'add':'/api/telegraf/key/addKey/',
-            'del':'/api/telegraf/key/delKey/',
-            'toggle':'/api/telegraf/key/toggleKey/'
+            'get':'/api/telegraf/key/get_key/',
+            'set':'/api/telegraf/key/set_key/',
+            'add':'/api/telegraf/key/add_key/',
+            'del':'/api/telegraf/key/del_key/',
+            'toggle':'/api/telegraf/key/toggle_key/'
         }
     );
 
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
index d18d688125..adea8b8ad3 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
@@ -42,11 +42,11 @@ $( document ).ready(function() {
 
     $("#grid-userparameters").UIBootgrid(
         {   search:'/api/zabbixagent/settings/searchUserparameters',
-            get:'/api/zabbixagent/settings/getUserparameter/',
-            set:'/api/zabbixagent/settings/setUserparameter/',
-            add:'/api/zabbixagent/settings/addUserparameter/',
-            del:'/api/zabbixagent/settings/delUserparameter/',
-            toggle:'/api/zabbixagent/settings/toggleUserparameter/',
+            get:'/api/zabbixagent/settings/get_userparameter/',
+            set:'/api/zabbixagent/settings/set_userparameter/',
+            add:'/api/zabbixagent/settings/add_userparameter/',
+            del:'/api/zabbixagent/settings/del_userparameter/',
+            toggle:'/api/zabbixagent/settings/toggle_userparameter/',
             options: {
                 rowCount:[10,25,50,100,500,1000]
             }
@@ -55,11 +55,11 @@ $( document ).ready(function() {
 
     $("#grid-aliases").UIBootgrid(
         {   search:'/api/zabbixagent/settings/searchAliases',
-            get:'/api/zabbixagent/settings/getAlias/',
-            set:'/api/zabbixagent/settings/setAlias/',
-            add:'/api/zabbixagent/settings/addAlias/',
-            del:'/api/zabbixagent/settings/delAlias/',
-            toggle:'/api/zabbixagent/settings/toggleAlias/',
+            get:'/api/zabbixagent/settings/get_alias/',
+            set:'/api/zabbixagent/settings/set_alias/',
+            add:'/api/zabbixagent/settings/add_alias/',
+            del:'/api/zabbixagent/settings/del_alias/',
+            toggle:'/api/zabbixagent/settings/toggle_alias/',
             options: {
                 rowCount:[10,25,50,100,500,1000]
             }
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/client.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/client.volt
index 9c01f8c789..56281fc50e 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/client.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/client.volt
@@ -38,11 +38,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-clients").UIBootgrid(
             {   'search':'/api/freeradius/client/searchClient',
-                'get':'/api/freeradius/client/getClient/',
-                'set':'/api/freeradius/client/setClient/',
-                'add':'/api/freeradius/client/addClient/',
-                'del':'/api/freeradius/client/delClient/',
-                'toggle':'/api/freeradius/client/toggleClient/'
+                'get':'/api/freeradius/client/get_client/',
+                'set':'/api/freeradius/client/set_client/',
+                'add':'/api/freeradius/client/add_client/',
+                'del':'/api/freeradius/client/del_client/',
+                'toggle':'/api/freeradius/client/toggle_client/'
             }
         );
 
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/dhcp.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/dhcp.volt
index 66a9355631..9558aec39e 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/dhcp.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/dhcp.volt
@@ -38,11 +38,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-dhcps").UIBootgrid(
             {   'search':'/api/freeradius/dhcp/searchDhcp',
-                'get':'/api/freeradius/dhcp/getDhcp/',
-                'set':'/api/freeradius/dhcp/setDhcp/',
-                'add':'/api/freeradius/dhcp/addDhcp/',
-                'del':'/api/freeradius/dhcp/delDhcp/',
-                'toggle':'/api/freeradius/dhcp/toggleDhcp/'
+                'get':'/api/freeradius/dhcp/get_dhcp/',
+                'set':'/api/freeradius/dhcp/set_dhcp/',
+                'add':'/api/freeradius/dhcp/add_dhcp/',
+                'del':'/api/freeradius/dhcp/del_dhcp/',
+                'toggle':'/api/freeradius/dhcp/toggle_dhcp/'
             }
         );
 
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/lease.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/lease.volt
index 2499fc12dc..925179b52a 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/lease.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/lease.volt
@@ -38,11 +38,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-leases").UIBootgrid(
             {   'search':'/api/freeradius/lease/searchLease',
-                'get':'/api/freeradius/lease/getLease/',
-                'set':'/api/freeradius/lease/setLease/',
-                'add':'/api/freeradius/lease/addLease/',
-                'del':'/api/freeradius/lease/delLease/',
-                'toggle':'/api/freeradius/lease/toggleLease/'
+                'get':'/api/freeradius/lease/get_lease/',
+                'set':'/api/freeradius/lease/set_lease/',
+                'add':'/api/freeradius/lease/add_lease/',
+                'del':'/api/freeradius/lease/del_lease/',
+                'toggle':'/api/freeradius/lease/toggle_lease/'
             }
         );
 
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
index a4bf2d1984..8de4b4726e 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
@@ -44,11 +44,11 @@ $( document ).ready(function() {
 
         $("#grid-homeservers").UIBootgrid(
             {   'search':'/api/freeradius/proxy/searchHomeserver',
-                'get':'/api/freeradius/proxy/getHomeserver/',
-                'set':'/api/freeradius/proxy/setHomeserver/',
-                'add':'/api/freeradius/proxy/addHomeserver/',
-                'del':'/api/freeradius/proxy/delHomeserver/',
-                'toggle':'/api/freeradius/proxy/toggleHomeserver/',
+                'get':'/api/freeradius/proxy/get_homeserver/',
+                'set':'/api/freeradius/proxy/set_homeserver/',
+                'add':'/api/freeradius/proxy/add_homeserver/',
+                'del':'/api/freeradius/proxy/del_homeserver/',
+                'toggle':'/api/freeradius/proxy/toggle_homeserver/',
             options: {
                 rowCount:[10,25,50,100,500,1000]
                 }
@@ -56,11 +56,11 @@ $( document ).ready(function() {
         );
         $("#grid-homeserverpools").UIBootgrid(
             {   'search':'/api/freeradius/proxy/searchHomeserverpool',
-                'get':'/api/freeradius/proxy/getHomeserverpool/',
-                'set':'/api/freeradius/proxy/setHomeserverpool/',
-                'add':'/api/freeradius/proxy/addHomeserverpool/',
-                'del':'/api/freeradius/proxy/delHomeserverpool/',
-                'toggle':'/api/freeradius/proxy/toggleHomeserverpool/',
+                'get':'/api/freeradius/proxy/get_homeserverpool/',
+                'set':'/api/freeradius/proxy/set_homeserverpool/',
+                'add':'/api/freeradius/proxy/add_homeserverpool/',
+                'del':'/api/freeradius/proxy/del_homeserverpool/',
+                'toggle':'/api/freeradius/proxy/toggle_homeserverpool/',
             options: {
                 rowCount:[10,25,50,100,500,1000]
                 }
@@ -68,11 +68,11 @@ $( document ).ready(function() {
         );
         $("#grid-realms").UIBootgrid(
             {   'search':'/api/freeradius/proxy/searchRealm',
-                'get':'/api/freeradius/proxy/getRealm/',
-                'set':'/api/freeradius/proxy/setRealm/',
-                'add':'/api/freeradius/proxy/addRealm/',
-                'del':'/api/freeradius/proxy/delRealm/',
-                'toggle':'/api/freeradius/proxy/toggleRealm/',
+                'get':'/api/freeradius/proxy/get_realm/',
+                'set':'/api/freeradius/proxy/set_realm/',
+                'add':'/api/freeradius/proxy/add_realm/',
+                'del':'/api/freeradius/proxy/del_realm/',
+                'toggle':'/api/freeradius/proxy/toggle_realm/',
             options: {
                 rowCount:[10,25,50,100,500,1000]
                 }
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/user.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/user.volt
index 65b5278268..79b57714d4 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/user.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/user.volt
@@ -34,21 +34,21 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-users").UIBootgrid(
             {   'search':'/api/freeradius/user/searchUser',
-                'get':'/api/freeradius/user/getUser/',
-                'set':'/api/freeradius/user/setUser/',
-                'add':'/api/freeradius/user/addUser/',
-                'del':'/api/freeradius/user/delUser/',
-                'toggle':'/api/freeradius/user/toggleUser/'
+                'get':'/api/freeradius/user/get_user/',
+                'set':'/api/freeradius/user/set_user/',
+                'add':'/api/freeradius/user/add_user/',
+                'del':'/api/freeradius/user/del_user/',
+                'toggle':'/api/freeradius/user/toggle_user/'
             }
         );
 
         $("#grid-avpairs").UIBootgrid(
             {   'search':'/api/freeradius/avpair/searchAvpair',
-                'get':'/api/freeradius/avpair/getAvpair/',
-                'set':'/api/freeradius/avpair/setAvpair/',
-                'add':'/api/freeradius/avpair/addAvpair/',
-                'del':'/api/freeradius/avpair/delAvpair/',
-                'toggle':'/api/freeradius/avpair/toggleAvpair/'
+                'get':'/api/freeradius/avpair/get_avpair/',
+                'set':'/api/freeradius/avpair/set_avpair/',
+                'add':'/api/freeradius/avpair/add_avpair/',
+                'del':'/api/freeradius/avpair/del_avpair/',
+                'toggle':'/api/freeradius/avpair/toggle_avpair/'
             }
         );
 
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
index 909fdaced3..a202513188 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
@@ -38,11 +38,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#{{formGridEditBFDNeighbor['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bfd/searchNeighbor',
-            'get':'/api/quagga/bfd/getNeighbor/',
-            'set':'/api/quagga/bfd/setNeighbor/',
-            'add':'/api/quagga/bfd/addNeighbor/',
-            'del':'/api/quagga/bfd/delNeighbor/',
-            'toggle':'/api/quagga/bfd/toggleNeighbor/'
+            'get':'/api/quagga/bfd/get_neighbor/',
+            'set':'/api/quagga/bfd/set_neighbor/',
+            'add':'/api/quagga/bfd/add_neighbor/',
+            'del':'/api/quagga/bfd/del_neighbor/',
+            'toggle':'/api/quagga/bfd/toggle_neighbor/'
         });
 
         $("#reconfigureAct").SimpleActionButton({
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 04c561ca97..7ae7c754b6 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -49,59 +49,59 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#{{formGridEditBGPNeighbor['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchNeighbor',
-            'get':'/api/quagga/bgp/getNeighbor/',
-            'set':'/api/quagga/bgp/setNeighbor/',
-            'add':'/api/quagga/bgp/addNeighbor/',
-            'del':'/api/quagga/bgp/delNeighbor/',
-            'toggle':'/api/quagga/bgp/toggleNeighbor/'
+            'get':'/api/quagga/bgp/get_neighbor/',
+            'set':'/api/quagga/bgp/set_neighbor/',
+            'add':'/api/quagga/bgp/add_neighbor/',
+            'del':'/api/quagga/bgp/del_neighbor/',
+            'toggle':'/api/quagga/bgp/toggle_neighbor/'
         });
         $("#{{formGridEditBGPASPaths['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchAspath',
-            'get':'/api/quagga/bgp/getAspath/',
-            'set':'/api/quagga/bgp/setAspath/',
-            'add':'/api/quagga/bgp/addAspath/',
-            'del':'/api/quagga/bgp/delAspath/',
-            'toggle':'/api/quagga/bgp/toggleAspath/'
+            'get':'/api/quagga/bgp/get_aspath/',
+            'set':'/api/quagga/bgp/set_aspath/',
+            'add':'/api/quagga/bgp/add_aspath/',
+            'del':'/api/quagga/bgp/del_aspath/',
+            'toggle':'/api/quagga/bgp/toggle_aspath/'
         });
         $("#{{formGridEditBGPPrefixLists['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchPrefixlist',
-            'get':'/api/quagga/bgp/getPrefixlist/',
-            'set':'/api/quagga/bgp/setPrefixlist/',
-            'add':'/api/quagga/bgp/addPrefixlist/',
-            'del':'/api/quagga/bgp/delPrefixlist/',
-            'toggle':'/api/quagga/bgp/togglePrefixlist/'
+            'get':'/api/quagga/bgp/get_prefixlist/',
+            'set':'/api/quagga/bgp/set_prefixlist/',
+            'add':'/api/quagga/bgp/add_prefixlist/',
+            'del':'/api/quagga/bgp/del_prefixlist/',
+            'toggle':'/api/quagga/bgp/toggle_prefixlist/'
         });
         $("#{{formGridEditBGPCommunityLists['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchCommunitylist',
-            'get':'/api/quagga/bgp/getCommunitylist/',
-            'set':'/api/quagga/bgp/setCommunitylist/',
-            'add':'/api/quagga/bgp/addCommunitylist/',
-            'del':'/api/quagga/bgp/delCommunitylist/',
-            'toggle':'/api/quagga/bgp/toggleCommunitylist/'
+            'get':'/api/quagga/bgp/get_communitylist/',
+            'set':'/api/quagga/bgp/set_communitylist/',
+            'add':'/api/quagga/bgp/add_communitylist/',
+            'del':'/api/quagga/bgp/del_communitylist/',
+            'toggle':'/api/quagga/bgp/toggle_communitylist/'
         });
         $("#{{formGridEditBGPRouteMaps['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchRoutemap',
-            'get':'/api/quagga/bgp/getRoutemap/',
-            'set':'/api/quagga/bgp/setRoutemap/',
-            'add':'/api/quagga/bgp/addRoutemap/',
-            'del':'/api/quagga/bgp/delRoutemap/',
-            'toggle':'/api/quagga/bgp/toggleRoutemap/'
+            'get':'/api/quagga/bgp/get_routemap/',
+            'set':'/api/quagga/bgp/set_routemap/',
+            'add':'/api/quagga/bgp/add_routemap/',
+            'del':'/api/quagga/bgp/del_routemap/',
+            'toggle':'/api/quagga/bgp/toggle_routemap/'
         });
         $("#{{formGridEditBGPPeergroups['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchPeergroup',
-            'get':'/api/quagga/bgp/getPeergroup/',
-            'set':'/api/quagga/bgp/setPeergroup/',
-            'add':'/api/quagga/bgp/addPeergroup/',
-            'del':'/api/quagga/bgp/delPeergroup/',
-            'toggle':'/api/quagga/bgp/togglePeergroup/'
+            'get':'/api/quagga/bgp/get_peergroup/',
+            'set':'/api/quagga/bgp/set_peergroup/',
+            'add':'/api/quagga/bgp/add_peergroup/',
+            'del':'/api/quagga/bgp/del_peergroup/',
+            'toggle':'/api/quagga/bgp/toggle_peergroup/'
         });
         $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
             'search':'/api/quagga/bgp/searchRedistribution',
-            'get':'/api/quagga/bgp/getRedistribution/',
-            'set':'/api/quagga/bgp/setRedistribution/',
-            'add':'/api/quagga/bgp/addRedistribution/',
-            'del':'/api/quagga/bgp/delRedistribution/',
-            'toggle':'/api/quagga/bgp/toggleRedistribution/'
+            'get':'/api/quagga/bgp/get_redistribution/',
+            'set':'/api/quagga/bgp/set_redistribution/',
+            'add':'/api/quagga/bgp/add_redistribution/',
+            'del':'/api/quagga/bgp/del_redistribution/',
+            'toggle':'/api/quagga/bgp/toggle_redistribution/'
         });
 
         const $header = $(".bootgrid-header[id*='{{formGridEditRedistribution['table_id']}}']");
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 036c55fb2a..5afb5eb4ab 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -61,43 +61,43 @@ POSSIBILITY OF SUCH DAMAGE.
         });
         $("#{{formGridEditNetwork['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchNetwork',
-            'get':'/api/quagga/ospfsettings/getNetwork/',
-            'set':'/api/quagga/ospfsettings/setNetwork/',
-            'add':'/api/quagga/ospfsettings/addNetwork/',
-            'del':'/api/quagga/ospfsettings/delNetwork/',
-            'toggle':'/api/quagga/ospfsettings/toggleNetwork/'
+            'get':'/api/quagga/ospfsettings/get_network/',
+            'set':'/api/quagga/ospfsettings/set_network/',
+            'add':'/api/quagga/ospfsettings/add_network/',
+            'del':'/api/quagga/ospfsettings/del_network/',
+            'toggle':'/api/quagga/ospfsettings/toggle_network/'
         });
         $("#{{formGridEditInterface['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchInterface',
-            'get':'/api/quagga/ospfsettings/getInterface/',
-            'set':'/api/quagga/ospfsettings/setInterface/',
-            'add':'/api/quagga/ospfsettings/addInterface/',
-            'del':'/api/quagga/ospfsettings/delInterface/',
-            'toggle':'/api/quagga/ospfsettings/toggleInterface/'
+            'get':'/api/quagga/ospfsettings/get_interface/',
+            'set':'/api/quagga/ospfsettings/set_interface/',
+            'add':'/api/quagga/ospfsettings/add_interface/',
+            'del':'/api/quagga/ospfsettings/del_interface/',
+            'toggle':'/api/quagga/ospfsettings/toggle_interface/'
         });
         $("#{{formGridEditPrefixLists['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchPrefixlist',
-            'get':'/api/quagga/ospfsettings/getPrefixlist/',
-            'set':'/api/quagga/ospfsettings/setPrefixlist/',
-            'add':'/api/quagga/ospfsettings/addPrefixlist/',
-            'del':'/api/quagga/ospfsettings/delPrefixlist/',
-            'toggle':'/api/quagga/ospfsettings/togglePrefixlist/'
+            'get':'/api/quagga/ospfsettings/get_prefixlist/',
+            'set':'/api/quagga/ospfsettings/set_prefixlist/',
+            'add':'/api/quagga/ospfsettings/add_prefixlist/',
+            'del':'/api/quagga/ospfsettings/del_prefixlist/',
+            'toggle':'/api/quagga/ospfsettings/toggle_prefixlist/'
         });
         $("#{{formGridEditRouteMaps['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchRoutemap',
-            'get':'/api/quagga/ospfsettings/getRoutemap/',
-            'set':'/api/quagga/ospfsettings/setRoutemap/',
-            'add':'/api/quagga/ospfsettings/addRoutemap/',
-            'del':'/api/quagga/ospfsettings/delRoutemap/',
-            'toggle':'/api/quagga/ospfsettings/toggleRoutemap/'
+            'get':'/api/quagga/ospfsettings/get_routemap/',
+            'set':'/api/quagga/ospfsettings/set_routemap/',
+            'add':'/api/quagga/ospfsettings/add_routemap/',
+            'del':'/api/quagga/ospfsettings/del_routemap/',
+            'toggle':'/api/quagga/ospfsettings/toggle_routemap/'
         });
         $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/searchRedistribution',
-            'get':'/api/quagga/ospfsettings/getRedistribution/',
-            'set':'/api/quagga/ospfsettings/setRedistribution/',
-            'add':'/api/quagga/ospfsettings/addRedistribution/',
-            'del':'/api/quagga/ospfsettings/delRedistribution/',
-            'toggle':'/api/quagga/ospfsettings/toggleRedistribution/'
+            'get':'/api/quagga/ospfsettings/get_redistribution/',
+            'set':'/api/quagga/ospfsettings/set_redistribution/',
+            'add':'/api/quagga/ospfsettings/add_redistribution/',
+            'del':'/api/quagga/ospfsettings/del_redistribution/',
+            'toggle':'/api/quagga/ospfsettings/toggle_redistribution/'
         });
 
         const $header = $(".bootgrid-header[id*='{{formGridEditRedistribution['table_id']}}']");
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index 36802ad66b..a239e93a33 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -48,43 +48,43 @@
 
         $("#{{formGridEditNetwork['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchNetwork',
-            'get':'/api/quagga/ospf6settings/getNetwork/',
-            'set':'/api/quagga/ospf6settings/setNetwork/',
-            'add':'/api/quagga/ospf6settings/addNetwork/',
-            'del':'/api/quagga/ospf6settings/delNetwork/',
-            'toggle':'/api/quagga/ospf6settings/toggleNetwork/'
+            'get':'/api/quagga/ospf6settings/get_network/',
+            'set':'/api/quagga/ospf6settings/set_network/',
+            'add':'/api/quagga/ospf6settings/add_network/',
+            'del':'/api/quagga/ospf6settings/del_network/',
+            'toggle':'/api/quagga/ospf6settings/toggle_network/'
         });
         $("#{{formGridEditInterface['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchInterface',
-            'get':'/api/quagga/ospf6settings/getInterface/',
-            'set':'/api/quagga/ospf6settings/setInterface/',
-            'add':'/api/quagga/ospf6settings/addInterface/',
-            'del':'/api/quagga/ospf6settings/delInterface/',
-            'toggle':'/api/quagga/ospf6settings/toggleInterface/'
+            'get':'/api/quagga/ospf6settings/get_interface/',
+            'set':'/api/quagga/ospf6settings/set_interface/',
+            'add':'/api/quagga/ospf6settings/add_interface/',
+            'del':'/api/quagga/ospf6settings/del_interface/',
+            'toggle':'/api/quagga/ospf6settings/toggle_interface/'
         });
         $("#{{formGridEditPrefixLists['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchPrefixlist',
-            'get':'/api/quagga/ospf6settings/getPrefixlist/',
-            'set':'/api/quagga/ospf6settings/setPrefixlist/',
-            'add':'/api/quagga/ospf6settings/addPrefixlist/',
-            'del':'/api/quagga/ospf6settings/delPrefixlist/',
-            'toggle':'/api/quagga/ospf6settings/togglePrefixlist/'
+            'get':'/api/quagga/ospf6settings/get_prefixlist/',
+            'set':'/api/quagga/ospf6settings/set_prefixlist/',
+            'add':'/api/quagga/ospf6settings/add_prefixlist/',
+            'del':'/api/quagga/ospf6settings/del_prefixlist/',
+            'toggle':'/api/quagga/ospf6settings/toggle_prefixlist/'
         });
         $("#{{formGridEditRouteMaps['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchRoutemap',
-            'get':'/api/quagga/ospf6settings/getRoutemap/',
-            'set':'/api/quagga/ospf6settings/setRoutemap/',
-            'add':'/api/quagga/ospf6settings/addRoutemap/',
-            'del':'/api/quagga/ospf6settings/delRoutemap/',
-            'toggle':'/api/quagga/ospf6settings/toggleRoutemap/'
+            'get':'/api/quagga/ospf6settings/get_routemap/',
+            'set':'/api/quagga/ospf6settings/set_routemap/',
+            'add':'/api/quagga/ospf6settings/add_routemap/',
+            'del':'/api/quagga/ospf6settings/del_routemap/',
+            'toggle':'/api/quagga/ospf6settings/toggle_routemap/'
         });
         $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospf6settings/searchRedistribution',
-            'get':'/api/quagga/ospf6settings/getRedistribution/',
-            'set':'/api/quagga/ospf6settings/setRedistribution/',
-            'add':'/api/quagga/ospf6settings/addRedistribution/',
-            'del':'/api/quagga/ospf6settings/delRedistribution/',
-            'toggle':'/api/quagga/ospf6settings/toggleRedistribution/'
+            'get':'/api/quagga/ospf6settings/get_redistribution/',
+            'set':'/api/quagga/ospf6settings/set_redistribution/',
+            'add':'/api/quagga/ospf6settings/add_redistribution/',
+            'del':'/api/quagga/ospf6settings/del_redistribution/',
+            'toggle':'/api/quagga/ospf6settings/toggle_redistribution/'
         });
 
         // hook checkbox item with conditional options
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
index 6227fed7eb..f9ec9e64fe 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
@@ -35,11 +35,11 @@
 
         $("#{{formGridEditSTATICRoute['table_id']}}").UIBootgrid({
             'search':'/api/quagga/static/searchRoute',
-            'get':'/api/quagga/static/getRoute/',
-            'set':'/api/quagga/static/setRoute/',
-            'add':'/api/quagga/static/addRoute/',
-            'del':'/api/quagga/static/delRoute/',
-            'toggle':'/api/quagga/static/toggleRoute/'
+            'get':'/api/quagga/static/get_route/',
+            'set':'/api/quagga/static/set_route/',
+            'add':'/api/quagga/static/add_route/',
+            'del':'/api/quagga/static/del_route/',
+            'toggle':'/api/quagga/static/toggle_route/'
         });
 
         $("#reconfigureAct").SimpleActionButton({
diff --git a/net/ftp-proxy/src/opnsense/mvc/app/views/OPNsense/FtpProxy/index.volt b/net/ftp-proxy/src/opnsense/mvc/app/views/OPNsense/FtpProxy/index.volt
index 58f543270e..01b4b9bf32 100644
--- a/net/ftp-proxy/src/opnsense/mvc/app/views/OPNsense/FtpProxy/index.volt
+++ b/net/ftp-proxy/src/opnsense/mvc/app/views/OPNsense/FtpProxy/index.volt
@@ -34,8 +34,8 @@ POSSIBILITY OF SUCH DAMAGE.
          */
         function openDialog(uuid) {
             var editDlg = "DialogEdit";
-            var setUrl = "/api/ftpproxy/settings/setProxy/";
-            var getUrl = "/api/ftpproxy/settings/getProxy/";
+            var setUrl = "/api/ftpproxy/settings/set_proxy/";
+            var getUrl = "/api/ftpproxy/settings/get_proxy/";
             var urlMap = {};
             urlMap['frm_' + editDlg] = getUrl + uuid;
             mapDataToFormUI(urlMap).done(function () {
@@ -57,11 +57,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-proxies").UIBootgrid(
                 {   'search':'/api/ftpproxy/settings/searchProxy',
-                    'get':'/api/ftpproxy/settings/getProxy/',
-                    'set':'/api/ftpproxy/settings/setProxy/',
-                    'add':'/api/ftpproxy/settings/addProxy/',
-                    'del':'/api/ftpproxy/settings/delProxy/',
-                    'toggle':'/api/ftpproxy/settings/toggleProxy/',
+                    'get':'/api/ftpproxy/settings/get_proxy/',
+                    'set':'/api/ftpproxy/settings/set_proxy/',
+                    'add':'/api/ftpproxy/settings/add_proxy/',
+                    'del':'/api/ftpproxy/settings/del_proxy/',
+                    'toggle':'/api/ftpproxy/settings/toggle_proxy/',
                     'options':{selection:false, multiSelect:false}
                 }
         );
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index fd025caccd..909df30a35 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -50,11 +50,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-frontends").UIBootgrid(
             {   search:'/api/haproxy/settings/searchFrontends',
-                get:'/api/haproxy/settings/getFrontend/',
-                set:'/api/haproxy/settings/setFrontend/',
-                add:'/api/haproxy/settings/addFrontend/',
-                del:'/api/haproxy/settings/delFrontend/',
-                toggle:'/api/haproxy/settings/toggleFrontend/',
+                get:'/api/haproxy/settings/get_frontend/',
+                set:'/api/haproxy/settings/set_frontend/',
+                add:'/api/haproxy/settings/add_frontend/',
+                del:'/api/haproxy/settings/del_frontend/',
+                toggle:'/api/haproxy/settings/toggle_frontend/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -63,11 +63,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-backends").UIBootgrid(
             {   search:'/api/haproxy/settings/searchBackends',
-                get:'/api/haproxy/settings/getBackend/',
-                set:'/api/haproxy/settings/setBackend/',
-                add:'/api/haproxy/settings/addBackend/',
-                del:'/api/haproxy/settings/delBackend/',
-                toggle:'/api/haproxy/settings/toggleBackend/',
+                get:'/api/haproxy/settings/get_backend/',
+                set:'/api/haproxy/settings/set_backend/',
+                add:'/api/haproxy/settings/add_backend/',
+                del:'/api/haproxy/settings/del_backend/',
+                toggle:'/api/haproxy/settings/toggle_backend/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -76,11 +76,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-servers").UIBootgrid(
             {   search:'/api/haproxy/settings/searchServers',
-                get:'/api/haproxy/settings/getServer/',
-                set:'/api/haproxy/settings/setServer/',
-                add:'/api/haproxy/settings/addServer/',
-                del:'/api/haproxy/settings/delServer/',
-                toggle:'/api/haproxy/settings/toggleServer/',
+                get:'/api/haproxy/settings/get_server/',
+                set:'/api/haproxy/settings/set_server/',
+                add:'/api/haproxy/settings/add_server/',
+                del:'/api/haproxy/settings/del_server/',
+                toggle:'/api/haproxy/settings/toggle_server/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -89,10 +89,10 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-healthchecks").UIBootgrid(
             {   search:'/api/haproxy/settings/searchHealthchecks',
-                get:'/api/haproxy/settings/getHealthcheck/',
-                set:'/api/haproxy/settings/setHealthcheck/',
-                add:'/api/haproxy/settings/addHealthcheck/',
-                del:'/api/haproxy/settings/delHealthcheck/',
+                get:'/api/haproxy/settings/get_healthcheck/',
+                set:'/api/haproxy/settings/set_healthcheck/',
+                add:'/api/haproxy/settings/add_healthcheck/',
+                del:'/api/haproxy/settings/del_healthcheck/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -101,10 +101,10 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-actions").UIBootgrid(
             {   search:'/api/haproxy/settings/searchActions',
-                get:'/api/haproxy/settings/getAction/',
-                set:'/api/haproxy/settings/setAction/',
-                add:'/api/haproxy/settings/addAction/',
-                del:'/api/haproxy/settings/delAction/',
+                get:'/api/haproxy/settings/get_action/',
+                set:'/api/haproxy/settings/set_action/',
+                add:'/api/haproxy/settings/add_action/',
+                del:'/api/haproxy/settings/del_action/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -113,10 +113,10 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-acls").UIBootgrid(
             {   search:'/api/haproxy/settings/searchAcls',
-                get:'/api/haproxy/settings/getAcl/',
-                set:'/api/haproxy/settings/setAcl/',
-                add:'/api/haproxy/settings/addAcl/',
-                del:'/api/haproxy/settings/delAcl/',
+                get:'/api/haproxy/settings/get_acl/',
+                set:'/api/haproxy/settings/set_acl/',
+                add:'/api/haproxy/settings/add_acl/',
+                del:'/api/haproxy/settings/del_acl/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -125,11 +125,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-users").UIBootgrid(
             {   search:'/api/haproxy/settings/searchUsers',
-                get:'/api/haproxy/settings/getUser/',
-                set:'/api/haproxy/settings/setUser/',
-                add:'/api/haproxy/settings/addUser/',
-                del:'/api/haproxy/settings/delUser/',
-                toggle:'/api/haproxy/settings/toggleUser/',
+                get:'/api/haproxy/settings/get_user/',
+                set:'/api/haproxy/settings/set_user/',
+                add:'/api/haproxy/settings/add_user/',
+                del:'/api/haproxy/settings/del_user/',
+                toggle:'/api/haproxy/settings/toggle_user/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -138,11 +138,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-groups").UIBootgrid(
             {   search:'/api/haproxy/settings/searchGroups',
-                get:'/api/haproxy/settings/getGroup/',
-                set:'/api/haproxy/settings/setGroup/',
-                add:'/api/haproxy/settings/addGroup/',
-                del:'/api/haproxy/settings/delGroup/',
-                toggle:'/api/haproxy/settings/toggleGroup/',
+                get:'/api/haproxy/settings/get_group/',
+                set:'/api/haproxy/settings/set_group/',
+                add:'/api/haproxy/settings/add_group/',
+                del:'/api/haproxy/settings/del_group/',
+                toggle:'/api/haproxy/settings/toggle_group/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -151,11 +151,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-luas").UIBootgrid(
             {   search:'/api/haproxy/settings/searchLuas',
-                get:'/api/haproxy/settings/getLua/',
-                set:'/api/haproxy/settings/setLua/',
-                add:'/api/haproxy/settings/addLua/',
-                del:'/api/haproxy/settings/delLua/',
-                toggle:'/api/haproxy/settings/toggleLua/',
+                get:'/api/haproxy/settings/get_lua/',
+                set:'/api/haproxy/settings/set_lua/',
+                add:'/api/haproxy/settings/add_lua/',
+                del:'/api/haproxy/settings/del_lua/',
+                toggle:'/api/haproxy/settings/toggle_lua/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -164,10 +164,10 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-fcgis").UIBootgrid(
             {   search:'/api/haproxy/settings/searchFcgis',
-                get:'/api/haproxy/settings/getFcgi/',
-                set:'/api/haproxy/settings/setFcgi/',
-                add:'/api/haproxy/settings/addFcgi/',
-                del:'/api/haproxy/settings/delFcgi/',
+                get:'/api/haproxy/settings/get_fcgi/',
+                set:'/api/haproxy/settings/set_fcgi/',
+                add:'/api/haproxy/settings/add_fcgi/',
+                del:'/api/haproxy/settings/del_fcgi/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -176,10 +176,10 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-errorfiles").UIBootgrid(
             {   search:'/api/haproxy/settings/searchErrorfiles',
-                get:'/api/haproxy/settings/getErrorfile/',
-                set:'/api/haproxy/settings/setErrorfile/',
-                add:'/api/haproxy/settings/addErrorfile/',
-                del:'/api/haproxy/settings/delErrorfile/',
+                get:'/api/haproxy/settings/get_errorfile/',
+                set:'/api/haproxy/settings/set_errorfile/',
+                add:'/api/haproxy/settings/add_errorfile/',
+                del:'/api/haproxy/settings/del_errorfile/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -188,10 +188,10 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-mapfiles").UIBootgrid(
             {   search:'/api/haproxy/settings/searchMapfiles',
-                get:'/api/haproxy/settings/getMapfile/',
-                set:'/api/haproxy/settings/setMapfile/',
-                add:'/api/haproxy/settings/addMapfile/',
-                del:'/api/haproxy/settings/delMapfile/',
+                get:'/api/haproxy/settings/get_mapfile/',
+                set:'/api/haproxy/settings/set_mapfile/',
+                add:'/api/haproxy/settings/add_mapfile/',
+                del:'/api/haproxy/settings/del_mapfile/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -200,11 +200,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-cpus").UIBootgrid(
             {   search:'/api/haproxy/settings/searchCpus',
-                get:'/api/haproxy/settings/getCpu/',
-                set:'/api/haproxy/settings/setCpu/',
-                add:'/api/haproxy/settings/addCpu/',
-                del:'/api/haproxy/settings/delCpu/',
-                toggle:'/api/haproxy/settings/toggleCpu/',
+                get:'/api/haproxy/settings/get_cpu/',
+                set:'/api/haproxy/settings/set_cpu/',
+                add:'/api/haproxy/settings/add_cpu/',
+                del:'/api/haproxy/settings/del_cpu/',
+                toggle:'/api/haproxy/settings/toggle_cpu/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -213,11 +213,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-resolvers").UIBootgrid(
             {   search:'/api/haproxy/settings/searchResolvers',
-                get:'/api/haproxy/settings/getResolver/',
-                set:'/api/haproxy/settings/setResolver/',
-                add:'/api/haproxy/settings/addResolver/',
-                del:'/api/haproxy/settings/delResolver/',
-                toggle:'/api/haproxy/settings/toggleResolver/',
+                get:'/api/haproxy/settings/get_resolver/',
+                set:'/api/haproxy/settings/set_resolver/',
+                add:'/api/haproxy/settings/add_resolver/',
+                del:'/api/haproxy/settings/del_resolver/',
+                toggle:'/api/haproxy/settings/toggle_resolver/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
@@ -226,11 +226,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-mailers").UIBootgrid(
             {   search:'/api/haproxy/settings/searchMailers',
-                get:'/api/haproxy/settings/getMailer/',
-                set:'/api/haproxy/settings/setMailer/',
-                add:'/api/haproxy/settings/addMailer/',
-                del:'/api/haproxy/settings/delMailer/',
-                toggle:'/api/haproxy/settings/toggleMailer/',
+                get:'/api/haproxy/settings/get_mailer/',
+                set:'/api/haproxy/settings/set_mailer/',
+                add:'/api/haproxy/settings/add_mailer/',
+                del:'/api/haproxy/settings/del_mailer/',
+                toggle:'/api/haproxy/settings/toggle_mailer/',
                 options: {
                     rowCount:[10,25,50,100,500,1000]
                 }
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
index ea71368b58..5909db4c47 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/clients.volt
@@ -1,12 +1,12 @@
 <script>
     $( document ).ready(function() {
         $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/clients/searchItem/',
-                get:'/api/radsecproxy/clients/getItem/',
-                set:'/api/radsecproxy/clients/setItem/',
-                add:'/api/radsecproxy/clients/addItem/',
-                del:'/api/radsecproxy/clients/delItem/',
-                toggle:'/api/radsecproxy/clients/toggleItem/'
+            {   search:'/api/radsecproxy/clients/search_item/',
+                get:'/api/radsecproxy/clients/get_item/',
+                set:'/api/radsecproxy/clients/set_item/',
+                add:'/api/radsecproxy/clients/add_item/',
+                del:'/api/radsecproxy/clients/del_item/',
+                toggle:'/api/radsecproxy/clients/toggle_item/'
             }
         );
         updateServiceControlUI('radsecproxy');
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
index 9afdea0380..ddc99d63d7 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/realms.volt
@@ -1,12 +1,12 @@
 <script>
     $( document ).ready(function() {
         $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/realms/searchItem/',
-                get:'/api/radsecproxy/realms/getItem/',
-                set:'/api/radsecproxy/realms/setItem/',
-                add:'/api/radsecproxy/realms/addItem/',
-                del:'/api/radsecproxy/realms/delItem/',
-                toggle:'/api/radsecproxy/realms/toggleItem/'
+            {   search:'/api/radsecproxy/realms/search_item/',
+                get:'/api/radsecproxy/realms/get_item/',
+                set:'/api/radsecproxy/realms/set_item/',
+                add:'/api/radsecproxy/realms/add_item/',
+                del:'/api/radsecproxy/realms/del_item/',
+                toggle:'/api/radsecproxy/realms/toggle_item/'
             }
         );
         updateServiceControlUI('radsecproxy');
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
index a6283441e6..ddcd19cd42 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/rewrites.volt
@@ -1,12 +1,12 @@
 <script>
     $( document ).ready(function() {
         $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/rewrites/searchItem/',
-                get:'/api/radsecproxy/rewrites/getItem/',
-                set:'/api/radsecproxy/rewrites/setItem/',
-                add:'/api/radsecproxy/rewrites/addItem/',
-                del:'/api/radsecproxy/rewrites/delItem/',
-                toggle:'/api/radsecproxy/rewrites/toggleItem/'
+            {   search:'/api/radsecproxy/rewrites/search_item/',
+                get:'/api/radsecproxy/rewrites/get_item/',
+                set:'/api/radsecproxy/rewrites/set_item/',
+                add:'/api/radsecproxy/rewrites/add_item/',
+                del:'/api/radsecproxy/rewrites/del_item/',
+                toggle:'/api/radsecproxy/rewrites/toggle_item/'
             }
         );
         updateServiceControlUI('radsecproxy');
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
index 86a51c1ffd..ac13379150 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/servers.volt
@@ -1,12 +1,12 @@
 <script>
     $( document ).ready(function() {
         $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/servers/searchItem/',
-                get:'/api/radsecproxy/servers/getItem/',
-                set:'/api/radsecproxy/servers/setItem/',
-                add:'/api/radsecproxy/servers/addItem/',
-                del:'/api/radsecproxy/servers/delItem/',
-                toggle:'/api/radsecproxy/servers/toggleItem/'
+            {   search:'/api/radsecproxy/servers/search_item/',
+                get:'/api/radsecproxy/servers/get_item/',
+                set:'/api/radsecproxy/servers/set_item/',
+                add:'/api/radsecproxy/servers/add_item/',
+                del:'/api/radsecproxy/servers/del_item/',
+                toggle:'/api/radsecproxy/servers/toggle_item/'
             }
         );
         updateServiceControlUI('radsecproxy');
diff --git a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
index 5aedde0847..4d29c9dddc 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
+++ b/net/radsecproxy/src/opnsense/mvc/app/views/OPNsense/RadSecProxy/tls.volt
@@ -1,12 +1,12 @@
 <script>
     $( document ).ready(function() {
         $("#grid-addresses").UIBootgrid(
-            {   search:'/api/radsecproxy/tls/searchItem/',
-                get:'/api/radsecproxy/tls/getItem/',
-                set:'/api/radsecproxy/tls/setItem/',
-                add:'/api/radsecproxy/tls/addItem/',
-                del:'/api/radsecproxy/tls/delItem/',
-                toggle:'/api/radsecproxy/tls/toggleItem/'
+            {   search:'/api/radsecproxy/tls/search_item/',
+                get:'/api/radsecproxy/tls/get_item/',
+                set:'/api/radsecproxy/tls/set_item/',
+                add:'/api/radsecproxy/tls/add_item/',
+                del:'/api/radsecproxy/tls/del_item/',
+                toggle:'/api/radsecproxy/tls/toggle_item/'
             }
         );
         updateServiceControlUI('radsecproxy');
diff --git a/net/siproxd/src/opnsense/mvc/app/views/OPNsense/Siproxd/general.volt b/net/siproxd/src/opnsense/mvc/app/views/OPNsense/Siproxd/general.volt
index f9d6b0b0a0..5f656ebaea 100644
--- a/net/siproxd/src/opnsense/mvc/app/views/OPNsense/Siproxd/general.volt
+++ b/net/siproxd/src/opnsense/mvc/app/views/OPNsense/Siproxd/general.volt
@@ -128,21 +128,21 @@ $( document ).ready(function() {
 
     $("#grid-users").UIBootgrid(
         {   'search':'/api/siproxd/user/searchUser',
-            'get':'/api/siproxd/user/getUser/',
-            'set':'/api/siproxd/user/setUser/',
-            'add':'/api/siproxd/user/addUser/',
-            'del':'/api/siproxd/user/delUser/',
-            'toggle':'/api/siproxd/user/toggleUser/'
+            'get':'/api/siproxd/user/get_user/',
+            'set':'/api/siproxd/user/set_user/',
+            'add':'/api/siproxd/user/add_user/',
+            'del':'/api/siproxd/user/del_user/',
+            'toggle':'/api/siproxd/user/toggle_user/'
         }
     );
 
     $("#grid-domains").UIBootgrid(
         {   'search':'/api/siproxd/domain/searchDomain',
-            'get':'/api/siproxd/domain/getDomain/',
-            'set':'/api/siproxd/domain/setDomain/',
-            'add':'/api/siproxd/domain/addDomain/',
-            'del':'/api/siproxd/domain/delDomain/',
-            'toggle':'/api/siproxd/domain/toggleDomain/'
+            'get':'/api/siproxd/domain/get_domain/',
+            'set':'/api/siproxd/domain/set_domain/',
+            'add':'/api/siproxd/domain/add_domain/',
+            'del':'/api/siproxd/domain/del_domain/',
+            'toggle':'/api/siproxd/domain/toggle_domain/'
         }
     );
 
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
index cd84f0720a..3648bce8fa 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
@@ -33,8 +33,8 @@ POSSIBILITY OF SUCH DAMAGE.
          */
         function openDialog(uuid) {
             var editDlg = "DialogEdit";
-            var setUrl = "/api/udpbroadcastrelay/settings/setRelay/";
-            var getUrl = "/api/udpbroadcastrelay/settings/getRelay/";
+            var setUrl = "/api/udpbroadcastrelay/settings/set_relay/";
+            var getUrl = "/api/udpbroadcastrelay/settings/get_relay/";
             var urlMap = {};
             urlMap['frm_' + editDlg] = getUrl + uuid;
             mapDataToFormUI(urlMap).done(function () {
@@ -56,11 +56,11 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-proxies").UIBootgrid(
                 {   'search':'/api/udpbroadcastrelay/settings/searchRelay',
-                    'get':'/api/udpbroadcastrelay/settings/getRelay/',
-                    'set':'/api/udpbroadcastrelay/settings/setRelay/',
-                    'add':'/api/udpbroadcastrelay/settings/addRelay/',
-                    'del':'/api/udpbroadcastrelay/settings/delRelay/',
-                    'toggle':'/api/udpbroadcastrelay/settings/toggleRelay/',
+                    'get':'/api/udpbroadcastrelay/settings/get_relay/',
+                    'set':'/api/udpbroadcastrelay/settings/set_relay/',
+                    'add':'/api/udpbroadcastrelay/settings/add_relay/',
+                    'del':'/api/udpbroadcastrelay/settings/del_relay/',
+                    'toggle':'/api/udpbroadcastrelay/settings/toggle_relay/',
                     'options':{selection:false, multiSelect:false}
                 }
         );
diff --git a/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt b/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
index 0e4454452c..16201d6157 100644
--- a/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
+++ b/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
@@ -42,10 +42,10 @@ $( document ).ready(function() {
 
   var grid = $("#grid-wol-settings").UIBootgrid(
       { 'search':'/api/wol/wol/searchHost',
-        'get':'/api/wol/wol/getHost/',
-        'set':'/api/wol/wol/setHost/',
-        'add':'/api/wol/wol/addHost/',
-        'del':'/api/wol/wol/delHost/',
+        'get':'/api/wol/wol/get_host/',
+        'set':'/api/wol/wol/set_host/',
+        'add':'/api/wol/wol/add_host/',
+        'del':'/api/wol/wol/del_host/',
         'options':{
             selection:false,
             multiSelect:false,
diff --git a/security/clamav/src/opnsense/mvc/app/views/OPNsense/ClamAV/general.volt b/security/clamav/src/opnsense/mvc/app/views/OPNsense/ClamAV/general.volt
index c0765170ef..fd4773ebde 100644
--- a/security/clamav/src/opnsense/mvc/app/views/OPNsense/ClamAV/general.volt
+++ b/security/clamav/src/opnsense/mvc/app/views/OPNsense/ClamAV/general.volt
@@ -113,11 +113,11 @@ $( document ).ready(function() {
 
     $("#grid-lists").UIBootgrid(
         {   'search':'/api/clamav/url/searchUrl',
-            'get':'/api/clamav/url/getUrl/',
-            'set':'/api/clamav/url/setUrl/',
-            'add':'/api/clamav/url/addUrl/',
-            'del':'/api/clamav/url/delUrl/',
-            'toggle':'/api/clamav/url/toggleUrl/'
+            'get':'/api/clamav/url/get_url/',
+            'set':'/api/clamav/url/set_url/',
+            'add':'/api/clamav/url/add_url/',
+            'del':'/api/clamav/url/del_url/',
+            'toggle':'/api/clamav/url/toggle_url/'
         }
     );
 
diff --git a/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt b/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
index fe9967c40c..18e1f479a0 100644
--- a/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
+++ b/security/stunnel/src/opnsense/mvc/app/views/OPNsense/Stunnel/services.volt
@@ -27,12 +27,12 @@
 <script>
     $( document ).ready(function() {
         $("#grid-services").UIBootgrid(
-            {   search:'/api/stunnel/services/searchItem/',
-                get:'/api/stunnel/services/getItem/',
-                set:'/api/stunnel/services/setItem/',
-                add:'/api/stunnel/services/addItem/',
-                del:'/api/stunnel/services/delItem/',
-                toggle:'/api/stunnel/services/toggleItem/'
+            {   search:'/api/stunnel/services/search_item/',
+                get:'/api/stunnel/services/get_item/',
+                set:'/api/stunnel/services/set_item/',
+                add:'/api/stunnel/services/add_item/',
+                del:'/api/stunnel/services/del_item/',
+                toggle:'/api/stunnel/services/toggle_item/'
             }
         );
         $("#reconfigureAct").SimpleActionButton({
diff --git a/security/tinc/src/opnsense/mvc/app/views/OPNsense/Tinc/index.volt b/security/tinc/src/opnsense/mvc/app/views/OPNsense/Tinc/index.volt
index 9196054553..500d1a56ab 100644
--- a/security/tinc/src/opnsense/mvc/app/views/OPNsense/Tinc/index.volt
+++ b/security/tinc/src/opnsense/mvc/app/views/OPNsense/Tinc/index.volt
@@ -35,21 +35,21 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-networks").UIBootgrid(
             {   search:'/api/tinc/settings/searchNetwork',
-                get:'/api/tinc/settings/getNetwork/',
-                set:'/api/tinc/settings/setNetwork/',
-                add:'/api/tinc/settings/setNetwork/',
-                del:'/api/tinc/settings/delNetwork/',
-                toggle:'/api/tinc/settings/toggleNetwork/'
+                get:'/api/tinc/settings/get_network/',
+                set:'/api/tinc/settings/set_network/',
+                add:'/api/tinc/settings/set_network/',
+                del:'/api/tinc/settings/del_network/',
+                toggle:'/api/tinc/settings/toggle_network/'
             }
         );
 
         $("#grid-hosts").UIBootgrid(
                 {   search:'/api/tinc/settings/searchHost',
-                    get:'/api/tinc/settings/getHost/',
-                    set:'/api/tinc/settings/setHost/',
-                    add:'/api/tinc/settings/setHost/',
-                    del:'/api/tinc/settings/delHost/',
-                    toggle:'/api/tinc/settings/toggleHost/'
+                    get:'/api/tinc/settings/get_host/',
+                    set:'/api/tinc/settings/set_host/',
+                    add:'/api/tinc/settings/set_host/',
+                    del:'/api/tinc/settings/del_host/',
+                    toggle:'/api/tinc/settings/toggle_host/'
                 }
         );
 
diff --git a/www/OPNProxy/src/opnsense/mvc/app/views/Deciso/Proxy/acl.volt b/www/OPNProxy/src/opnsense/mvc/app/views/Deciso/Proxy/acl.volt
index 9d25467fdf..1abc4ff78a 100644
--- a/www/OPNProxy/src/opnsense/mvc/app/views/Deciso/Proxy/acl.volt
+++ b/www/OPNProxy/src/opnsense/mvc/app/views/Deciso/Proxy/acl.volt
@@ -4,22 +4,22 @@
             $("#apply_div").show();
             if (e.target.id == 'policies_tab') {
                 $("#grid-policies").UIBootgrid(
-                    {   search:'/api/proxy/acl/searchPolicy/',
-                        get:'/api/proxy/acl/getPolicy/',
-                        set:'/api/proxy/acl/setPolicy/',
-                        add:'/api/proxy/acl/addPolicy/',
-                        del:'/api/proxy/acl/delPolicy/',
-                        toggle:'/api/proxy/acl/togglePolicy/'
+                    {   search:'/api/proxy/acl/search_policy/',
+                        get:'/api/proxy/acl/get_policy/',
+                        set:'/api/proxy/acl/set_policy/',
+                        add:'/api/proxy/acl/add_policy/',
+                        del:'/api/proxy/acl/del_policy/',
+                        toggle:'/api/proxy/acl/toggle_policy/'
                     }
                 );
             } else if (e.target.id == 'custom_policies_tab') {
                 $("#grid-custom_policies").UIBootgrid(
-                    {   search:'/api/proxy/acl/searchCustomPolicy/',
-                        get:'/api/proxy/acl/getCustomPolicy/',
-                        set:'/api/proxy/acl/setCustomPolicy/',
-                        add:'/api/proxy/acl/addCustomPolicy/',
-                        del:'/api/proxy/acl/delCustomPolicy/',
-                        toggle:'/api/proxy/acl/toggleCustomPolicy/'
+                    {   search:'/api/proxy/acl/search_custom_policy/',
+                        get:'/api/proxy/acl/get_custom_policy/',
+                        set:'/api/proxy/acl/set_custom_policy/',
+                        add:'/api/proxy/acl/add_custom_policy/',
+                        del:'/api/proxy/acl/del_custom_policy/',
+                        toggle:'/api/proxy/acl/toggle_custom_policy/'
                     }
                 );
             } else if (e.target.id == 'policy_tester_tab') {
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 63c32b2688..ced0f239c6 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -44,6 +44,10 @@
             $(`#maintabs a[href="${location.hash}"]`).tab('show');
         });
 
+        function to_snake_case(str) {
+            return str.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toLowerCase();
+        }
+
         // Bootgrid Setup
         const all_grids = {};
 
@@ -98,7 +102,7 @@
                             const update_filter = function (selectValues) {
                                 $('#reverseFilter')
                                     // Refresh selectpicker with latest data so button always works even on new domains
-                                    .fetch_options('/api/caddy/ReverseProxy/getAllReverseDomains')
+                                    .fetch_options('/api/caddy/reverse_proxy/get_all_reverse_domains')
                                     .done(function () {
                                         $('#reverseFilter')
                                             .selectpicker('val', selectValues)
@@ -140,7 +144,7 @@
 
                                     // Resolve reverse domains, as subdomains need wildcard domain and subdomain in dialog
                                     if (grid_id === "{{ formGridSubdomain['table_id'] }}") {
-                                        ajaxGet(`/api/caddy/ReverseProxy/get{{ formGridSubdomain['table_id'] }}/` + rowUuid, {}, function (rowData) {
+                                        ajaxGet(`/api/caddy/reverse_proxy/get_{{ formGridSubdomain['table_id'] }}/` + rowUuid, {}, function (rowData) {
                                             const reverseUuids = rowData?.subdomain?.reverse || {};
                                             const selectedReverse = Object.entries(reverseUuids).find(([uuid, entry]) => entry.selected === 1);
                                             const selectValues = selectedReverse ? [selectedReverse[0], rowUuid] : [rowUuid];
@@ -157,15 +161,15 @@
                         }
 
 {% endif %}
-
+                        const api_grid_id = to_snake_case(grid_id);
                         all_grids[grid_id] = $("#" + grid_id)
                         .UIBootgrid({
-                            search: `/api/caddy/ReverseProxy/search${grid_id}/`,
-                            get: `/api/caddy/ReverseProxy/get${grid_id}/`,
-                            set: `/api/caddy/ReverseProxy/set${grid_id}/`,
-                            add: `/api/caddy/ReverseProxy/add${grid_id}/`,
-                            del: `/api/caddy/ReverseProxy/del${grid_id}/`,
-                            toggle: `/api/caddy/ReverseProxy/toggle${grid_id}/`,
+                            search: `/api/caddy/reverse_proxy/search_${api_grid_id}/`,
+                            get: `/api/caddy/reverse_proxy/get_${api_grid_id}/`,
+                            set: `/api/caddy/reverse_proxy/set_${api_grid_id}/`,
+                            add: `/api/caddy/reverse_proxy/add_${api_grid_id}/`,
+                            del: `/api/caddy/reverse_proxy/del_${api_grid_id}/`,
+                            toggle: `/api/caddy/reverse_proxy/toggle_${api_grid_id}/`,
                             options: {
                                 requestHandler: function (request) {
                                     const selectedDomains = $('#reverseFilter').val();
@@ -271,7 +275,7 @@
         });
 
         // Populate domain filter selectpicker
-        $('#reverseFilter').fetch_options('/api/caddy/ReverseProxy/getAllReverseDomains');
+        $('#reverseFilter').fetch_options('/api/caddy/reverse_proxy/get_all_reverse_domains');
 
         // Clear domain filter selectpicker
         $('#reverseFilterClear').on('click', function () {
diff --git a/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt b/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
index bda232e0d4..00d342dd9c 100644
--- a/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
+++ b/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
@@ -53,19 +53,19 @@
 
         $("#grid-remote-blacklists").UIBootgrid(
                 {   'search':'/api/proxy/settings/searchRemoteBlacklists',
-                    'get':'/api/proxy/settings/getRemoteBlacklist/',
-                    'set':'/api/proxy/settings/setRemoteBlacklist/',
-                    'add':'/api/proxy/settings/addRemoteBlacklist/',
-                    'del':'/api/proxy/settings/delRemoteBlacklist/',
-                    'toggle':'/api/proxy/settings/toggleRemoteBlacklist/'
+                    'get':'/api/proxy/settings/get_remote_blacklist/',
+                    'set':'/api/proxy/settings/set_remote_blacklist/',
+                    'add':'/api/proxy/settings/add_remote_blacklist/',
+                    'del':'/api/proxy/settings/del_remote_blacklist/',
+                    'toggle':'/api/proxy/settings/toggle_remote_blacklist/'
                 }
         );
         $("#grid-pac-match").UIBootgrid(
                 {   'search':'/api/proxy/settings/searchPACMatch',
-                    'get':'/api/proxy/settings/getPACMatch/',
-                    'set':'/api/proxy/settings/setPACMatch/',
-                    'add':'/api/proxy/settings/addPACMatch/',
-                    'del':'/api/proxy/settings/delPACMatch/',
+                    'get':'/api/proxy/settings/get_pac_match/',
+                    'set':'/api/proxy/settings/set_pac_match/',
+                    'add':'/api/proxy/settings/add_pac_match/',
+                    'del':'/api/proxy/settings/del_pac_match/',
                     'options': {
                         responseHandler: function (response) {
                             // concatenate fields for not.
@@ -82,19 +82,19 @@
         );
         $("#grid-pac-rule").UIBootgrid(
                 {   'search':'/api/proxy/settings/searchPACRule',
-                    'get':'/api/proxy/settings/getPACRule/',
-                    'set':'/api/proxy/settings/setPACRule/',
-                    'add':'/api/proxy/settings/addPACRule/',
-                    'del':'/api/proxy/settings/delPACRule/',
-                    'toggle':'/api/proxy/settings/togglePACRule/'
+                    'get':'/api/proxy/settings/get_pac_rule/',
+                    'set':'/api/proxy/settings/set_pac_rule/',
+                    'add':'/api/proxy/settings/add_pac_rule/',
+                    'del':'/api/proxy/settings/del_pac_rule/',
+                    'toggle':'/api/proxy/settings/toggle_pac_rule/'
                 }
         );
         $("#grid-pac-proxy").UIBootgrid(
                 {   'search':'/api/proxy/settings/searchPACProxy',
-                    'get':'/api/proxy/settings/getPACProxy/',
-                    'set':'/api/proxy/settings/setPACProxy/',
-                    'add':'/api/proxy/settings/addPACProxy/',
-                    'del':'/api/proxy/settings/delPACProxy/'
+                    'get':'/api/proxy/settings/get_pac_proxy/',
+                    'set':'/api/proxy/settings/set_pac_proxy/',
+                    'add':'/api/proxy/settings/add_pac_proxy/',
+                    'del':'/api/proxy/settings/del_pac_proxy/'
                 }
         );
 

From 089aaa256db505285473622056ad26df10956904 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 23 Jun 2025 17:32:56 +0200
Subject: [PATCH 2478/3088] mvc: Replace camelCase API notation with
 snake_case, some more spots that were missed (#4768)

---
 .../mvc/app/views/OPNsense/Bind/general.volt  |  8 ++---
 .../views/OPNsense/Dnscryptproxy/general.volt |  8 ++---
 .../app/views/OPNsense/Postfix/address.volt   |  2 +-
 .../app/views/OPNsense/Postfix/domain.volt    |  2 +-
 .../views/OPNsense/Postfix/headerchecks.volt  |  2 +-
 .../app/views/OPNsense/Postfix/recipient.volt |  2 +-
 .../views/OPNsense/Postfix/recipientbcc.volt  |  2 +-
 .../app/views/OPNsense/Postfix/sender.volt    |  2 +-
 .../app/views/OPNsense/Postfix/senderbcc.volt |  2 +-
 .../OPNsense/Postfix/sendercanonical.volt     |  2 +-
 .../app/views/OPNsense/Netsnmp/general.volt   |  2 +-
 .../mvc/app/views/OPNsense/Nrpe/general.volt  |  2 +-
 .../app/views/OPNsense/Telegraf/general.volt  |  2 +-
 .../app/views/OPNsense/ZabbixAgent/index.volt |  4 +--
 .../app/views/OPNsense/Freeradius/client.volt |  2 +-
 .../app/views/OPNsense/Freeradius/dhcp.volt   |  2 +-
 .../app/views/OPNsense/Freeradius/lease.volt  |  2 +-
 .../app/views/OPNsense/Freeradius/proxy.volt  |  6 ++--
 .../app/views/OPNsense/Freeradius/user.volt   |  4 +--
 .../mvc/app/views/OPNsense/Quagga/bfd.volt    |  2 +-
 .../mvc/app/views/OPNsense/Quagga/bgp.volt    | 14 ++++-----
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 10 +++----
 .../mvc/app/views/OPNsense/Quagga/ospf6.volt  | 10 +++----
 .../mvc/app/views/OPNsense/Quagga/static.volt |  2 +-
 .../app/views/OPNsense/FtpProxy/index.volt    |  2 +-
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 30 +++++++++----------
 .../views/OPNsense/HAProxy/maintenance.volt   | 22 +++++++-------
 .../app/views/OPNsense/Siproxd/general.volt   |  4 +--
 .../OPNsense/UDPBroadcastRelay/index.volt     |  2 +-
 .../mvc/app/views/OPNsense/Wol/index.volt     |  2 +-
 .../OPNsense/AcmeClient/certificates.volt     |  4 +--
 .../views/OPNsense/AcmeClient/settings.volt   |  8 ++---
 .../OPNsense/AcmeClient/validations.volt      |  4 +--
 .../app/views/OPNsense/ClamAV/general.volt    |  2 +-
 .../mvc/app/views/OPNsense/Tinc/index.volt    |  4 +--
 .../app/views/OPNsense/Apcupsd/status.volt    |  2 +-
 .../mvc/app/views/OPNsense/Proxy/index.volt   | 12 ++++----
 37 files changed, 97 insertions(+), 97 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 43888287e4..82856aa720 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -354,7 +354,7 @@ $(document).ready(function() {
     updateServiceControlUI('bind');
 
     $("#grid-acls").UIBootgrid({
-        'search': '/api/bind/acl/searchAcl',
+        'search': '/api/bind/acl/search_acl',
         'get': '/api/bind/acl/get_acl/',
         'set': '/api/bind/acl/set_acl/',
         'add': '/api/bind/acl/add_acl/',
@@ -363,7 +363,7 @@ $(document).ready(function() {
     });
 
     $("#grid-primary-domains").UIBootgrid({
-        'search': '/api/bind/domain/searchPrimaryDomain',
+        'search': '/api/bind/domain/search_primary_domain',
         'get': '/api/bind/domain/get_domain/',
         'set': '/api/bind/domain/set_domain/',
         'add': '/api/bind/domain/add_primary_domain/',
@@ -414,7 +414,7 @@ $(document).ready(function() {
     });
 
     $("#grid-secondary-domains").UIBootgrid({
-        'search': '/api/bind/domain/searchSecondaryDomain',
+        'search': '/api/bind/domain/search_secondary_domain',
         'get': '/api/bind/domain/get_domain/',
         'set': '/api/bind/domain/set_domain/',
         'add': '/api/bind/domain/add_secondary_domain/',
@@ -434,7 +434,7 @@ $(document).ready(function() {
     });
 
     $("#grid-primary-records").UIBootgrid({
-        'search': '/api/bind/record/searchRecord',
+        'search': '/api/bind/record/search_record',
         'get': '/api/bind/record/get_record/',
         'set': '/api/bind/record/set_record/',
         'add': '/api/bind/record/add_record/',
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
index 3d42a13027..c73357a0bc 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/views/OPNsense/Dnscryptproxy/general.volt
@@ -186,7 +186,7 @@ $( document ).ready(function() {
     });
 
     $("#grid-forwards").UIBootgrid(
-        {   'search':'/api/dnscryptproxy/forward/searchForward',
+        {   'search':'/api/dnscryptproxy/forward/search_forward',
             'get':'/api/dnscryptproxy/forward/get_forward/',
             'set':'/api/dnscryptproxy/forward/set_forward/',
             'add':'/api/dnscryptproxy/forward/add_forward/',
@@ -196,7 +196,7 @@ $( document ).ready(function() {
     );
 
     $("#grid-cloaks").UIBootgrid(
-        {   'search':'/api/dnscryptproxy/cloak/searchCloak',
+        {   'search':'/api/dnscryptproxy/cloak/search_cloak',
             'get':'/api/dnscryptproxy/cloak/get_cloak/',
             'set':'/api/dnscryptproxy/cloak/set_cloak/',
             'add':'/api/dnscryptproxy/cloak/add_cloak/',
@@ -206,7 +206,7 @@ $( document ).ready(function() {
     );
 
     $("#grid-whitelists").UIBootgrid(
-        {   'search':'/api/dnscryptproxy/whitelist/searchWhitelist',
+        {   'search':'/api/dnscryptproxy/whitelist/search_whitelist',
             'get':'/api/dnscryptproxy/whitelist/get_whitelist/',
             'set':'/api/dnscryptproxy/whitelist/set_whitelist/',
             'add':'/api/dnscryptproxy/whitelist/add_whitelist/',
@@ -216,7 +216,7 @@ $( document ).ready(function() {
     );
 
     $("#grid-servers").UIBootgrid(
-        {   'search':'/api/dnscryptproxy/server/searchServer',
+        {   'search':'/api/dnscryptproxy/server/search_server',
             'get':'/api/dnscryptproxy/server/get_server/',
             'set':'/api/dnscryptproxy/server/set_server/',
             'add':'/api/dnscryptproxy/server/add_server/',
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/address.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/address.volt
index 54258396c3..7f1695ee1c 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/address.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/address.volt
@@ -35,7 +35,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-addresses").UIBootgrid(
-            {   'search':'/api/postfix/address/searchAddress',
+            {   'search':'/api/postfix/address/search_address',
                 'get':'/api/postfix/address/get_address/',
                 'set':'/api/postfix/address/set_address/',
                 'add':'/api/postfix/address/add_address/',
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/domain.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/domain.volt
index d5e2c6e98c..a98dd06557 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/domain.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/domain.volt
@@ -35,7 +35,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-domains").UIBootgrid(
-            {   'search':'/api/postfix/domain/searchDomain',
+            {   'search':'/api/postfix/domain/search_domain',
                 'get':'/api/postfix/domain/get_domain/',
                 'set':'/api/postfix/domain/set_domain/',
                 'add':'/api/postfix/domain/add_domain/',
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
index b84f268c36..3cbd1be086 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/headerchecks.volt
@@ -34,7 +34,7 @@
          *************************************************************************************************************/
 
         $("#grid-headerchecks").UIBootgrid(
-            {   'search':'/api/postfix/headerchecks/searchHeaderchecks',
+            {   'search':'/api/postfix/headerchecks/search_headerchecks',
                 'get':'/api/postfix/headerchecks/get_headercheck/',
                 'set':'/api/postfix/headerchecks/set_headercheck/',
                 'add':'/api/postfix/headerchecks/add_headercheck/',
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipient.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipient.volt
index 99c818537f..e1bf839c7f 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipient.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipient.volt
@@ -35,7 +35,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-recipients").UIBootgrid(
-            {   'search':'/api/postfix/recipient/searchRecipient',
+            {   'search':'/api/postfix/recipient/search_recipient',
                 'get':'/api/postfix/recipient/get_recipient/',
                 'set':'/api/postfix/recipient/set_recipient/',
                 'add':'/api/postfix/recipient/add_recipient/',
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipientbcc.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipientbcc.volt
index 76a5b1df4a..856734592d 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipientbcc.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/recipientbcc.volt
@@ -35,7 +35,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-recipientbccs").UIBootgrid(
-            {   'search':'/api/postfix/recipientbcc/searchRecipientbcc',
+            {   'search':'/api/postfix/recipientbcc/search_recipientbcc',
                 'get':'/api/postfix/recipientbcc/get_recipientbcc/',
                 'set':'/api/postfix/recipientbcc/set_recipientbcc/',
                 'add':'/api/postfix/recipientbcc/add_recipientbcc/',
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sender.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sender.volt
index f800f0f862..217ce8186a 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sender.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sender.volt
@@ -35,7 +35,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-senders").UIBootgrid(
-            {   'search':'/api/postfix/sender/searchSender',
+            {   'search':'/api/postfix/sender/search_sender',
                 'get':'/api/postfix/sender/get_sender/',
                 'set':'/api/postfix/sender/set_sender/',
                 'add':'/api/postfix/sender/add_sender/',
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/senderbcc.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/senderbcc.volt
index 530eba0d16..96f324696f 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/senderbcc.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/senderbcc.volt
@@ -35,7 +35,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-senderbccs").UIBootgrid(
-            {   'search':'/api/postfix/senderbcc/searchSenderbcc',
+            {   'search':'/api/postfix/senderbcc/search_senderbcc',
                 'get':'/api/postfix/senderbcc/get_senderbcc/',
                 'set':'/api/postfix/senderbcc/set_senderbcc/',
                 'add':'/api/postfix/senderbcc/add_senderbcc/',
diff --git a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sendercanonical.volt b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sendercanonical.volt
index ec067b0b16..85848ec9ac 100644
--- a/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sendercanonical.volt
+++ b/mail/postfix/src/opnsense/mvc/app/views/OPNsense/Postfix/sendercanonical.volt
@@ -36,7 +36,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-sendercanonicals").UIBootgrid(
-            {   'search':'/api/postfix/sendercanonical/searchSendercanonical',
+            {   'search':'/api/postfix/sendercanonical/search_sendercanonical',
                 'get':'/api/postfix/sendercanonical/get_sendercanonical/',
                 'set':'/api/postfix/sendercanonical/set_sendercanonical/',
                 'add':'/api/postfix/sendercanonical/add_sendercanonical/',
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/views/OPNsense/Netsnmp/general.volt b/net-mgmt/net-snmp/src/opnsense/mvc/app/views/OPNsense/Netsnmp/general.volt
index e81adfa516..f38ad0b3f5 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/views/OPNsense/Netsnmp/general.volt
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/views/OPNsense/Netsnmp/general.volt
@@ -89,7 +89,7 @@ $( document ).ready(function() {
     });
 
     $("#grid-users").UIBootgrid(
-        {   'search':'/api/netsnmp/user/searchUser',
+        {   'search':'/api/netsnmp/user/search_user',
             'get':'/api/netsnmp/user/get_user/',
             'set':'/api/netsnmp/user/set_user/',
             'add':'/api/netsnmp/user/add_user/',
diff --git a/net-mgmt/nrpe/src/opnsense/mvc/app/views/OPNsense/Nrpe/general.volt b/net-mgmt/nrpe/src/opnsense/mvc/app/views/OPNsense/Nrpe/general.volt
index 86b7dfa936..b030dbcbd3 100644
--- a/net-mgmt/nrpe/src/opnsense/mvc/app/views/OPNsense/Nrpe/general.volt
+++ b/net-mgmt/nrpe/src/opnsense/mvc/app/views/OPNsense/Nrpe/general.volt
@@ -86,7 +86,7 @@ $(function() {
     });
 
     $("#grid-command").UIBootgrid(
-        {   'search':'/api/nrpe/command/searchCommand',
+        {   'search':'/api/nrpe/command/search_command',
             'get':'/api/nrpe/command/get_command/',
             'set':'/api/nrpe/command/set_command/',
             'add':'/api/nrpe/command/add_command/',
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/views/OPNsense/Telegraf/general.volt b/net-mgmt/telegraf/src/opnsense/mvc/app/views/OPNsense/Telegraf/general.volt
index 21bc9bea81..5b4399125a 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/views/OPNsense/Telegraf/general.volt
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/views/OPNsense/Telegraf/general.volt
@@ -84,7 +84,7 @@ POSSIBILITY OF SUCH DAMAGE.
     updateServiceControlUI('telegraf');
 
     $("#grid-keys").UIBootgrid(
-        {   'search':'/api/telegraf/key/searchKey',
+        {   'search':'/api/telegraf/key/search_key',
             'get':'/api/telegraf/key/get_key/',
             'set':'/api/telegraf/key/set_key/',
             'add':'/api/telegraf/key/add_key/',
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
index adea8b8ad3..3339872a8a 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
@@ -41,7 +41,7 @@ $( document ).ready(function() {
      **********************************************************************/
 
     $("#grid-userparameters").UIBootgrid(
-        {   search:'/api/zabbixagent/settings/searchUserparameters',
+        {   search:'/api/zabbixagent/settings/search_userparameters',
             get:'/api/zabbixagent/settings/get_userparameter/',
             set:'/api/zabbixagent/settings/set_userparameter/',
             add:'/api/zabbixagent/settings/add_userparameter/',
@@ -54,7 +54,7 @@ $( document ).ready(function() {
     );
 
     $("#grid-aliases").UIBootgrid(
-        {   search:'/api/zabbixagent/settings/searchAliases',
+        {   search:'/api/zabbixagent/settings/search_aliases',
             get:'/api/zabbixagent/settings/get_alias/',
             set:'/api/zabbixagent/settings/set_alias/',
             add:'/api/zabbixagent/settings/add_alias/',
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/client.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/client.volt
index 56281fc50e..1b70b798ac 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/client.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/client.volt
@@ -37,7 +37,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-clients").UIBootgrid(
-            {   'search':'/api/freeradius/client/searchClient',
+            {   'search':'/api/freeradius/client/search_client',
                 'get':'/api/freeradius/client/get_client/',
                 'set':'/api/freeradius/client/set_client/',
                 'add':'/api/freeradius/client/add_client/',
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/dhcp.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/dhcp.volt
index 9558aec39e..8da325de67 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/dhcp.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/dhcp.volt
@@ -37,7 +37,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-dhcps").UIBootgrid(
-            {   'search':'/api/freeradius/dhcp/searchDhcp',
+            {   'search':'/api/freeradius/dhcp/search_dhcp',
                 'get':'/api/freeradius/dhcp/get_dhcp/',
                 'set':'/api/freeradius/dhcp/set_dhcp/',
                 'add':'/api/freeradius/dhcp/add_dhcp/',
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/lease.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/lease.volt
index 925179b52a..9852d32c44 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/lease.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/lease.volt
@@ -37,7 +37,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-leases").UIBootgrid(
-            {   'search':'/api/freeradius/lease/searchLease',
+            {   'search':'/api/freeradius/lease/search_lease',
                 'get':'/api/freeradius/lease/get_lease/',
                 'set':'/api/freeradius/lease/set_lease/',
                 'add':'/api/freeradius/lease/add_lease/',
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
index 8de4b4726e..e979d8bb62 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
@@ -43,7 +43,7 @@ $( document ).ready(function() {
          *************************************************************************************************************/
 
         $("#grid-homeservers").UIBootgrid(
-            {   'search':'/api/freeradius/proxy/searchHomeserver',
+            {   'search':'/api/freeradius/proxy/search_homeserver',
                 'get':'/api/freeradius/proxy/get_homeserver/',
                 'set':'/api/freeradius/proxy/set_homeserver/',
                 'add':'/api/freeradius/proxy/add_homeserver/',
@@ -55,7 +55,7 @@ $( document ).ready(function() {
             }
         );
         $("#grid-homeserverpools").UIBootgrid(
-            {   'search':'/api/freeradius/proxy/searchHomeserverpool',
+            {   'search':'/api/freeradius/proxy/search_homeserverpool',
                 'get':'/api/freeradius/proxy/get_homeserverpool/',
                 'set':'/api/freeradius/proxy/set_homeserverpool/',
                 'add':'/api/freeradius/proxy/add_homeserverpool/',
@@ -67,7 +67,7 @@ $( document ).ready(function() {
             }
         );
         $("#grid-realms").UIBootgrid(
-            {   'search':'/api/freeradius/proxy/searchRealm',
+            {   'search':'/api/freeradius/proxy/search_realm',
                 'get':'/api/freeradius/proxy/get_realm/',
                 'set':'/api/freeradius/proxy/set_realm/',
                 'add':'/api/freeradius/proxy/add_realm/',
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/user.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/user.volt
index 79b57714d4..e41190e5fc 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/user.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/user.volt
@@ -33,7 +33,7 @@ POSSIBILITY OF SUCH DAMAGE.
         updateServiceControlUI('freeradius');
 
         $("#grid-users").UIBootgrid(
-            {   'search':'/api/freeradius/user/searchUser',
+            {   'search':'/api/freeradius/user/search_user',
                 'get':'/api/freeradius/user/get_user/',
                 'set':'/api/freeradius/user/set_user/',
                 'add':'/api/freeradius/user/add_user/',
@@ -43,7 +43,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-avpairs").UIBootgrid(
-            {   'search':'/api/freeradius/avpair/searchAvpair',
+            {   'search':'/api/freeradius/avpair/search_avpair',
                 'get':'/api/freeradius/avpair/get_avpair/',
                 'set':'/api/freeradius/avpair/set_avpair/',
                 'add':'/api/freeradius/avpair/add_avpair/',
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
index a202513188..d7598f4668 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
@@ -37,7 +37,7 @@ POSSIBILITY OF SUCH DAMAGE.
         });
 
         $("#{{formGridEditBFDNeighbor['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/bfd/searchNeighbor',
+            'search':'/api/quagga/bfd/search_neighbor',
             'get':'/api/quagga/bfd/get_neighbor/',
             'set':'/api/quagga/bfd/set_neighbor/',
             'add':'/api/quagga/bfd/add_neighbor/',
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 7ae7c754b6..1014b83ada 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -48,7 +48,7 @@ POSSIBILITY OF SUCH DAMAGE.
         });
 
         $("#{{formGridEditBGPNeighbor['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/bgp/searchNeighbor',
+            'search':'/api/quagga/bgp/search_neighbor',
             'get':'/api/quagga/bgp/get_neighbor/',
             'set':'/api/quagga/bgp/set_neighbor/',
             'add':'/api/quagga/bgp/add_neighbor/',
@@ -56,7 +56,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/bgp/toggle_neighbor/'
         });
         $("#{{formGridEditBGPASPaths['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/bgp/searchAspath',
+            'search':'/api/quagga/bgp/search_aspath',
             'get':'/api/quagga/bgp/get_aspath/',
             'set':'/api/quagga/bgp/set_aspath/',
             'add':'/api/quagga/bgp/add_aspath/',
@@ -64,7 +64,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/bgp/toggle_aspath/'
         });
         $("#{{formGridEditBGPPrefixLists['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/bgp/searchPrefixlist',
+            'search':'/api/quagga/bgp/search_prefixlist',
             'get':'/api/quagga/bgp/get_prefixlist/',
             'set':'/api/quagga/bgp/set_prefixlist/',
             'add':'/api/quagga/bgp/add_prefixlist/',
@@ -72,7 +72,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/bgp/toggle_prefixlist/'
         });
         $("#{{formGridEditBGPCommunityLists['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/bgp/searchCommunitylist',
+            'search':'/api/quagga/bgp/search_communitylist',
             'get':'/api/quagga/bgp/get_communitylist/',
             'set':'/api/quagga/bgp/set_communitylist/',
             'add':'/api/quagga/bgp/add_communitylist/',
@@ -80,7 +80,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/bgp/toggle_communitylist/'
         });
         $("#{{formGridEditBGPRouteMaps['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/bgp/searchRoutemap',
+            'search':'/api/quagga/bgp/search_routemap',
             'get':'/api/quagga/bgp/get_routemap/',
             'set':'/api/quagga/bgp/set_routemap/',
             'add':'/api/quagga/bgp/add_routemap/',
@@ -88,7 +88,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/bgp/toggle_routemap/'
         });
         $("#{{formGridEditBGPPeergroups['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/bgp/searchPeergroup',
+            'search':'/api/quagga/bgp/search_peergroup',
             'get':'/api/quagga/bgp/get_peergroup/',
             'set':'/api/quagga/bgp/set_peergroup/',
             'add':'/api/quagga/bgp/add_peergroup/',
@@ -96,7 +96,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/bgp/toggle_peergroup/'
         });
         $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/bgp/searchRedistribution',
+            'search':'/api/quagga/bgp/search_redistribution',
             'get':'/api/quagga/bgp/get_redistribution/',
             'set':'/api/quagga/bgp/set_redistribution/',
             'add':'/api/quagga/bgp/add_redistribution/',
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 5afb5eb4ab..488a908312 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -60,7 +60,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/ospfsettings/toggle_neighbor/'
         });
         $("#{{formGridEditNetwork['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospfsettings/searchNetwork',
+            'search':'/api/quagga/ospfsettings/search_network',
             'get':'/api/quagga/ospfsettings/get_network/',
             'set':'/api/quagga/ospfsettings/set_network/',
             'add':'/api/quagga/ospfsettings/add_network/',
@@ -68,7 +68,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/ospfsettings/toggle_network/'
         });
         $("#{{formGridEditInterface['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospfsettings/searchInterface',
+            'search':'/api/quagga/ospfsettings/search_interface',
             'get':'/api/quagga/ospfsettings/get_interface/',
             'set':'/api/quagga/ospfsettings/set_interface/',
             'add':'/api/quagga/ospfsettings/add_interface/',
@@ -76,7 +76,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/ospfsettings/toggle_interface/'
         });
         $("#{{formGridEditPrefixLists['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospfsettings/searchPrefixlist',
+            'search':'/api/quagga/ospfsettings/search_prefixlist',
             'get':'/api/quagga/ospfsettings/get_prefixlist/',
             'set':'/api/quagga/ospfsettings/set_prefixlist/',
             'add':'/api/quagga/ospfsettings/add_prefixlist/',
@@ -84,7 +84,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/ospfsettings/toggle_prefixlist/'
         });
         $("#{{formGridEditRouteMaps['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospfsettings/searchRoutemap',
+            'search':'/api/quagga/ospfsettings/search_routemap',
             'get':'/api/quagga/ospfsettings/get_routemap/',
             'set':'/api/quagga/ospfsettings/set_routemap/',
             'add':'/api/quagga/ospfsettings/add_routemap/',
@@ -92,7 +92,7 @@ POSSIBILITY OF SUCH DAMAGE.
             'toggle':'/api/quagga/ospfsettings/toggle_routemap/'
         });
         $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospfsettings/searchRedistribution',
+            'search':'/api/quagga/ospfsettings/search_redistribution',
             'get':'/api/quagga/ospfsettings/get_redistribution/',
             'set':'/api/quagga/ospfsettings/set_redistribution/',
             'add':'/api/quagga/ospfsettings/add_redistribution/',
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index a239e93a33..0bb6e9f5b8 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -47,7 +47,7 @@
         });
 
         $("#{{formGridEditNetwork['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospf6settings/searchNetwork',
+            'search':'/api/quagga/ospf6settings/search_network',
             'get':'/api/quagga/ospf6settings/get_network/',
             'set':'/api/quagga/ospf6settings/set_network/',
             'add':'/api/quagga/ospf6settings/add_network/',
@@ -55,7 +55,7 @@
             'toggle':'/api/quagga/ospf6settings/toggle_network/'
         });
         $("#{{formGridEditInterface['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospf6settings/searchInterface',
+            'search':'/api/quagga/ospf6settings/search_interface',
             'get':'/api/quagga/ospf6settings/get_interface/',
             'set':'/api/quagga/ospf6settings/set_interface/',
             'add':'/api/quagga/ospf6settings/add_interface/',
@@ -63,7 +63,7 @@
             'toggle':'/api/quagga/ospf6settings/toggle_interface/'
         });
         $("#{{formGridEditPrefixLists['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospf6settings/searchPrefixlist',
+            'search':'/api/quagga/ospf6settings/search_prefixlist',
             'get':'/api/quagga/ospf6settings/get_prefixlist/',
             'set':'/api/quagga/ospf6settings/set_prefixlist/',
             'add':'/api/quagga/ospf6settings/add_prefixlist/',
@@ -71,7 +71,7 @@
             'toggle':'/api/quagga/ospf6settings/toggle_prefixlist/'
         });
         $("#{{formGridEditRouteMaps['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospf6settings/searchRoutemap',
+            'search':'/api/quagga/ospf6settings/search_routemap',
             'get':'/api/quagga/ospf6settings/get_routemap/',
             'set':'/api/quagga/ospf6settings/set_routemap/',
             'add':'/api/quagga/ospf6settings/add_routemap/',
@@ -79,7 +79,7 @@
             'toggle':'/api/quagga/ospf6settings/toggle_routemap/'
         });
         $("#{{formGridEditRedistribution['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/ospf6settings/searchRedistribution',
+            'search':'/api/quagga/ospf6settings/search_redistribution',
             'get':'/api/quagga/ospf6settings/get_redistribution/',
             'set':'/api/quagga/ospf6settings/set_redistribution/',
             'add':'/api/quagga/ospf6settings/add_redistribution/',
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
index f9ec9e64fe..e0fb2d4f4c 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
@@ -34,7 +34,7 @@
         });
 
         $("#{{formGridEditSTATICRoute['table_id']}}").UIBootgrid({
-            'search':'/api/quagga/static/searchRoute',
+            'search':'/api/quagga/static/search_route',
             'get':'/api/quagga/static/get_route/',
             'set':'/api/quagga/static/set_route/',
             'add':'/api/quagga/static/add_route/',
diff --git a/net/ftp-proxy/src/opnsense/mvc/app/views/OPNsense/FtpProxy/index.volt b/net/ftp-proxy/src/opnsense/mvc/app/views/OPNsense/FtpProxy/index.volt
index 01b4b9bf32..7a51ca9e53 100644
--- a/net/ftp-proxy/src/opnsense/mvc/app/views/OPNsense/FtpProxy/index.volt
+++ b/net/ftp-proxy/src/opnsense/mvc/app/views/OPNsense/FtpProxy/index.volt
@@ -56,7 +56,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-proxies").UIBootgrid(
-                {   'search':'/api/ftpproxy/settings/searchProxy',
+                {   'search':'/api/ftpproxy/settings/search_proxy',
                     'get':'/api/ftpproxy/settings/get_proxy/',
                     'set':'/api/ftpproxy/settings/set_proxy/',
                     'add':'/api/ftpproxy/settings/add_proxy/',
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 909df30a35..cae271d222 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -49,7 +49,7 @@ POSSIBILITY OF SUCH DAMAGE.
          **********************************************************************/
 
         $("#grid-frontends").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchFrontends',
+            {   search:'/api/haproxy/settings/search_frontends',
                 get:'/api/haproxy/settings/get_frontend/',
                 set:'/api/haproxy/settings/set_frontend/',
                 add:'/api/haproxy/settings/add_frontend/',
@@ -62,7 +62,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-backends").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchBackends',
+            {   search:'/api/haproxy/settings/search_backends',
                 get:'/api/haproxy/settings/get_backend/',
                 set:'/api/haproxy/settings/set_backend/',
                 add:'/api/haproxy/settings/add_backend/',
@@ -75,7 +75,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-servers").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchServers',
+            {   search:'/api/haproxy/settings/search_servers',
                 get:'/api/haproxy/settings/get_server/',
                 set:'/api/haproxy/settings/set_server/',
                 add:'/api/haproxy/settings/add_server/',
@@ -88,7 +88,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-healthchecks").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchHealthchecks',
+            {   search:'/api/haproxy/settings/search_healthchecks',
                 get:'/api/haproxy/settings/get_healthcheck/',
                 set:'/api/haproxy/settings/set_healthcheck/',
                 add:'/api/haproxy/settings/add_healthcheck/',
@@ -100,7 +100,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-actions").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchActions',
+            {   search:'/api/haproxy/settings/search_actions',
                 get:'/api/haproxy/settings/get_action/',
                 set:'/api/haproxy/settings/set_action/',
                 add:'/api/haproxy/settings/add_action/',
@@ -112,7 +112,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-acls").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchAcls',
+            {   search:'/api/haproxy/settings/search_acls',
                 get:'/api/haproxy/settings/get_acl/',
                 set:'/api/haproxy/settings/set_acl/',
                 add:'/api/haproxy/settings/add_acl/',
@@ -124,7 +124,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-users").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchUsers',
+            {   search:'/api/haproxy/settings/search_users',
                 get:'/api/haproxy/settings/get_user/',
                 set:'/api/haproxy/settings/set_user/',
                 add:'/api/haproxy/settings/add_user/',
@@ -137,7 +137,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-groups").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchGroups',
+            {   search:'/api/haproxy/settings/search_groups',
                 get:'/api/haproxy/settings/get_group/',
                 set:'/api/haproxy/settings/set_group/',
                 add:'/api/haproxy/settings/add_group/',
@@ -150,7 +150,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-luas").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchLuas',
+            {   search:'/api/haproxy/settings/search_luas',
                 get:'/api/haproxy/settings/get_lua/',
                 set:'/api/haproxy/settings/set_lua/',
                 add:'/api/haproxy/settings/add_lua/',
@@ -163,7 +163,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-fcgis").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchFcgis',
+            {   search:'/api/haproxy/settings/search_fcgis',
                 get:'/api/haproxy/settings/get_fcgi/',
                 set:'/api/haproxy/settings/set_fcgi/',
                 add:'/api/haproxy/settings/add_fcgi/',
@@ -175,7 +175,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-errorfiles").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchErrorfiles',
+            {   search:'/api/haproxy/settings/search_errorfiles',
                 get:'/api/haproxy/settings/get_errorfile/',
                 set:'/api/haproxy/settings/set_errorfile/',
                 add:'/api/haproxy/settings/add_errorfile/',
@@ -187,7 +187,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-mapfiles").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchMapfiles',
+            {   search:'/api/haproxy/settings/search_mapfiles',
                 get:'/api/haproxy/settings/get_mapfile/',
                 set:'/api/haproxy/settings/set_mapfile/',
                 add:'/api/haproxy/settings/add_mapfile/',
@@ -199,7 +199,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-cpus").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchCpus',
+            {   search:'/api/haproxy/settings/search_cpus',
                 get:'/api/haproxy/settings/get_cpu/',
                 set:'/api/haproxy/settings/set_cpu/',
                 add:'/api/haproxy/settings/add_cpu/',
@@ -212,7 +212,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-resolvers").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchResolvers',
+            {   search:'/api/haproxy/settings/search_resolvers',
                 get:'/api/haproxy/settings/get_resolver/',
                 set:'/api/haproxy/settings/set_resolver/',
                 add:'/api/haproxy/settings/add_resolver/',
@@ -225,7 +225,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-mailers").UIBootgrid(
-            {   search:'/api/haproxy/settings/searchMailers',
+            {   search:'/api/haproxy/settings/search_mailers',
                 get:'/api/haproxy/settings/get_mailer/',
                 set:'/api/haproxy/settings/set_mailer/',
                 add:'/api/haproxy/settings/add_mailer/',
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 50eb005110..e140eeb27f 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -79,7 +79,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 // save data for this tab
                 saveFormToEndpoint(url="/api/haproxy/maintenance/set",formid=frm_id,callback_ok=function(){
                     // Handle cron integration
-                    ajaxCall(url="/api/haproxy/maintenance/fetchCronIntegration", sendData={}, callback=function(data,status) {
+                    ajaxCall(url="/api/haproxy/maintenance/fetch_cron_integration", sendData={}, callback=function(data,status) {
                     });
 
                     // when done, disable progress animation
@@ -127,7 +127,7 @@ POSSIBILITY OF SUCH DAMAGE.
         }
 
         function showDiffDialog(payload) {
-            $.post('/api/haproxy/maintenance/certDiff', payload, function(data) {
+            $.post('/api/haproxy/maintenance/cert_diff', payload, function(data) {
                 BootstrapDialog.show({
                     type: BootstrapDialog.TYPE_INFO,
                     title: "{{ lang._('Diff between configured and active SSL certificates') }}",
@@ -143,7 +143,7 @@ POSSIBILITY OF SUCH DAMAGE.
         }
 
         function applyDiffDialog(payload, requested_count) {
-            $.post('/api/haproxy/maintenance/certActions', payload, function(data_actions) {
+            $.post('/api/haproxy/maintenance/cert_actions', payload, function(data_actions) {
                 question = ''
                 question += `<pre>${data_actions}</pre>`;
                 question += '<b>{{ lang._('Apply SSL certificates to HAProxy?') }}</b></br></br>';
@@ -151,7 +151,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                     question,
                     '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                    $.post('/api/haproxy/maintenance/certSync', payload, function(data) {
+                    $.post('/api/haproxy/maintenance/cert_sync', payload, function(data) {
                         modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
 
                         if (requested_count != modified_count) {
@@ -176,7 +176,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
         $("#grid-certificates").bootgrid('destroy');
         var grid_certificates = $("#grid-certificates").UIBootgrid({
-            search: '/api/haproxy/maintenance/searchCertificateDiff',
+            search: '/api/haproxy/maintenance/search_certificate_diff',
             options: {
                 ajax: true,
                 selection: true,
@@ -262,7 +262,7 @@ POSSIBILITY OF SUCH DAMAGE.
             });
 
             var payload = {};
-            $.post('/api/haproxy/maintenance/certSyncBulk', payload, function(data) {
+            $.post('/api/haproxy/maintenance/cert_sync_bulk', payload, function(data) {
                 modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
                 if (requested_count != modified_count) {
                     var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
@@ -286,7 +286,7 @@ POSSIBILITY OF SUCH DAMAGE.
         // grid-status
         $("#grid-status").bootgrid('destroy');
         var grid_status = $("#grid-status").UIBootgrid({
-            search: '/api/haproxy/maintenance/searchServer',
+            search: '/api/haproxy/maintenance/search_server',
             options: {
                 ajax: true,
                 selection: true,
@@ -328,7 +328,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                     question,
                     '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        $.post('/api/haproxy/maintenance/serverState', payload, function(data) {
+                        $.post('/api/haproxy/maintenance/server_state', payload, function(data) {
                             if (data.status != 'ok') {
                                 BootstrapDialog.show({
                                     type: BootstrapDialog.TYPE_DANGER,
@@ -372,7 +372,7 @@ POSSIBILITY OF SUCH DAMAGE.
                       'weight': $("#newWeight").val()
                     };
 
-                    $.post('/api/haproxy/maintenance/serverWeight', payload, function(data) {
+                    $.post('/api/haproxy/maintenance/server_weight', payload, function(data) {
                         if (data.status != 'ok') {
                             BootstrapDialog.show({
                                 type: BootstrapDialog.TYPE_DANGER,
@@ -415,7 +415,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                         question,
                         '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                            $.post('/api/haproxy/maintenance/serverStateBulk', payload, function(data) {
+                            $.post('/api/haproxy/maintenance/server_state_bulk', payload, function(data) {
                                 if (data.status != 'ok') {
                                     BootstrapDialog.show({
                                         type: BootstrapDialog.TYPE_DANGER,
@@ -465,7 +465,7 @@ POSSIBILITY OF SUCH DAMAGE.
                               'weight': $("#newBulkWeight").val()
                             };
 
-                            $.post('/api/haproxy/maintenance/serverWeightBulk', payload, function(data) {
+                            $.post('/api/haproxy/maintenance/server_weight_bulk', payload, function(data) {
                                 if (data.status != 'ok') {
                                     BootstrapDialog.show({
                                         type: BootstrapDialog.TYPE_DANGER,
diff --git a/net/siproxd/src/opnsense/mvc/app/views/OPNsense/Siproxd/general.volt b/net/siproxd/src/opnsense/mvc/app/views/OPNsense/Siproxd/general.volt
index 5f656ebaea..6e2772c997 100644
--- a/net/siproxd/src/opnsense/mvc/app/views/OPNsense/Siproxd/general.volt
+++ b/net/siproxd/src/opnsense/mvc/app/views/OPNsense/Siproxd/general.volt
@@ -127,7 +127,7 @@ $( document ).ready(function() {
     });
 
     $("#grid-users").UIBootgrid(
-        {   'search':'/api/siproxd/user/searchUser',
+        {   'search':'/api/siproxd/user/search_user',
             'get':'/api/siproxd/user/get_user/',
             'set':'/api/siproxd/user/set_user/',
             'add':'/api/siproxd/user/add_user/',
@@ -137,7 +137,7 @@ $( document ).ready(function() {
     );
 
     $("#grid-domains").UIBootgrid(
-        {   'search':'/api/siproxd/domain/searchDomain',
+        {   'search':'/api/siproxd/domain/search_domain',
             'get':'/api/siproxd/domain/get_domain/',
             'set':'/api/siproxd/domain/set_domain/',
             'add':'/api/siproxd/domain/add_domain/',
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
index 3648bce8fa..a59babcc02 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
@@ -55,7 +55,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-proxies").UIBootgrid(
-                {   'search':'/api/udpbroadcastrelay/settings/searchRelay',
+                {   'search':'/api/udpbroadcastrelay/settings/search_relay',
                     'get':'/api/udpbroadcastrelay/settings/get_relay/',
                     'set':'/api/udpbroadcastrelay/settings/set_relay/',
                     'add':'/api/udpbroadcastrelay/settings/add_relay/',
diff --git a/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt b/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
index 16201d6157..2fccf74d63 100644
--- a/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
+++ b/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
@@ -41,7 +41,7 @@ $( document ).ready(function() {
 
 
   var grid = $("#grid-wol-settings").UIBootgrid(
-      { 'search':'/api/wol/wol/searchHost',
+      { 'search':'/api/wol/wol/search_host',
         'get':'/api/wol/wol/get_host/',
         'set':'/api/wol/wol/set_host/',
         'add':'/api/wol/wol/add_host/',
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index 7c6fa8ae76..dedd86c575 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -330,7 +330,7 @@ POSSIBILITY OF SUCH DAMAGE.
                         '{{ lang._('Forcefully issue or renew the selected certificate?') }}',
                         '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
                         // Handle HAProxy integration (no-op if not applicable)
-                        ajaxCall(url="/api/acmeclient/settings/fetchHAProxyIntegration", sendData={}, callback=function(data,status) {
+                        ajaxCall(url="/api/acmeclient/settings/fetch_ha_proxy_integration", sendData={}, callback=function(data,status) {
                             ajaxCall(url=gridParams['sign'] + uuid,sendData={},callback=function(data,status){
                                 // reload grid after sign
                                 $("#"+gridId).bootgrid("reload");
@@ -440,7 +440,7 @@ POSSIBILITY OF SUCH DAMAGE.
         $("#signallcertsAct").click(function(){
             //$("#signallcertsAct_progress").addClass("fa fa-spinner fa-pulse");
             // Handle HAProxy integration (no-op if not applicable)
-            ajaxCall(url="/api/acmeclient/settings/fetchHAProxyIntegration", sendData={}, callback=function(data,status) {
+            ajaxCall(url="/api/acmeclient/settings/fetch_ha_proxy_integration", sendData={}, callback=function(data,status) {
                 ajaxCall(url="/api/acmeclient/service/signallcerts", sendData={}, callback=function(data,status) {
                     // when done, disable progress animation.
                     //$("#signallcertsAct_progress").removeClass("fa fa-spinner fa-pulse");
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
index 287d8ad06b..38e05c5e84 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/settings.volt
@@ -87,11 +87,11 @@ POSSIBILITY OF SUCH DAMAGE.
                                 });
 
                                 // Handle cron integration
-                                ajaxCall(url="/api/acmeclient/settings/fetchCronIntegration", sendData={}, callback=function(data,status) {
+                                ajaxCall(url="/api/acmeclient/settings/fetch_cron_integration", sendData={}, callback=function(data,status) {
                                 });
 
                                 // Handle HAProxy integration
-                                ajaxCall(url="/api/acmeclient/settings/fetchHAProxyIntegration", sendData={}, callback=function(data,status) {
+                                ajaxCall(url="/api/acmeclient/settings/fetch_ha_proxy_integration", sendData={}, callback=function(data,status) {
                                 });
 
                                 // when done, disable progress animation
@@ -128,9 +128,9 @@ POSSIBILITY OF SUCH DAMAGE.
                         }
 
                         // Handle cron integration
-                        ajaxCall(url="/api/acmeclient/settings/fetchCronIntegration", sendData={}, callback=function(data,status) {
+                        ajaxCall(url="/api/acmeclient/settings/fetch_cron_integration", sendData={}, callback=function(data,status) {
                             // Handle HAProxy integration
-                            ajaxCall(url="/api/acmeclient/settings/fetchHAProxyIntegration", sendData={}, callback=function(data,status) {
+                            ajaxCall(url="/api/acmeclient/settings/fetch_ha_proxy_integration", sendData={}, callback=function(data,status) {
                                 // when done, disable progress animation
                                 $('[id*="reconfigureAct_progress"]').each(function(){
                                     $(this).removeClass("fa fa-spinner fa-pulse");
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
index c095c42988..c3ed80d05d 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
@@ -57,13 +57,13 @@ POSSIBILITY OF SUCH DAMAGE.
                     $("."+service_id).show();
                 }
                 // Show a warning if the Google Cloud SDK plugin is missing.
-                ajaxCall(url="/api/acmeclient/settings/getGcloudPluginStatus", sendData={}, callback=function(data,status) {
+                ajaxCall(url="/api/acmeclient/settings/get_gcloud_plugin_status", sendData={}, callback=function(data,status) {
                     if (data['result'] != 0) {
                         $(".gcloud_plugin_warning").hide();
                     }
                 });
                 // Show a warning if the BIND plugin is missing.
-                ajaxCall(url="/api/acmeclient/settings/getBindPluginStatus", sendData={}, callback=function(data,status) {
+                ajaxCall(url="/api/acmeclient/settings/get_bind_plugin_status", sendData={}, callback=function(data,status) {
                     if (data['result'] != 0) {
                         $(".bind_plugin_warning").hide();
                     }
diff --git a/security/clamav/src/opnsense/mvc/app/views/OPNsense/ClamAV/general.volt b/security/clamav/src/opnsense/mvc/app/views/OPNsense/ClamAV/general.volt
index fd4773ebde..a3cafb7383 100644
--- a/security/clamav/src/opnsense/mvc/app/views/OPNsense/ClamAV/general.volt
+++ b/security/clamav/src/opnsense/mvc/app/views/OPNsense/ClamAV/general.volt
@@ -112,7 +112,7 @@ $( document ).ready(function() {
     });
 
     $("#grid-lists").UIBootgrid(
-        {   'search':'/api/clamav/url/searchUrl',
+        {   'search':'/api/clamav/url/search_url',
             'get':'/api/clamav/url/get_url/',
             'set':'/api/clamav/url/set_url/',
             'add':'/api/clamav/url/add_url/',
diff --git a/security/tinc/src/opnsense/mvc/app/views/OPNsense/Tinc/index.volt b/security/tinc/src/opnsense/mvc/app/views/OPNsense/Tinc/index.volt
index 500d1a56ab..2c1ff6e8de 100644
--- a/security/tinc/src/opnsense/mvc/app/views/OPNsense/Tinc/index.volt
+++ b/security/tinc/src/opnsense/mvc/app/views/OPNsense/Tinc/index.volt
@@ -34,7 +34,7 @@ POSSIBILITY OF SUCH DAMAGE.
          *************************************************************************************************************/
 
         $("#grid-networks").UIBootgrid(
-            {   search:'/api/tinc/settings/searchNetwork',
+            {   search:'/api/tinc/settings/search_network',
                 get:'/api/tinc/settings/get_network/',
                 set:'/api/tinc/settings/set_network/',
                 add:'/api/tinc/settings/set_network/',
@@ -44,7 +44,7 @@ POSSIBILITY OF SUCH DAMAGE.
         );
 
         $("#grid-hosts").UIBootgrid(
-                {   search:'/api/tinc/settings/searchHost',
+                {   search:'/api/tinc/settings/search_host',
                     get:'/api/tinc/settings/get_host/',
                     set:'/api/tinc/settings/set_host/',
                     add:'/api/tinc/settings/set_host/',
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/status.volt b/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/status.volt
index 951f112a78..0e3cf28da4 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/status.volt
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/views/OPNsense/Apcupsd/status.volt
@@ -30,7 +30,7 @@
 <script>
     $(document).ready(function() {
         var refreshStatus = function() {
-            ajaxCall('/api/apcupsd/service/getUpsStatus', {}, function(data, status) {
+            ajaxCall('/api/apcupsd/service/get_ups_status', {}, function(data, status) {
                 if (status === 'success') {
                     $('#apcupsd-status').text(data.error || data.output);
                     setTimeout(refreshStatus, 5000);
diff --git a/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt b/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
index 00d342dd9c..d8c8fe40b1 100644
--- a/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
+++ b/www/squid/src/opnsense/mvc/app/views/OPNsense/Proxy/index.volt
@@ -52,7 +52,7 @@
          *************************************************************************************************************/
 
         $("#grid-remote-blacklists").UIBootgrid(
-                {   'search':'/api/proxy/settings/searchRemoteBlacklists',
+                {   'search':'/api/proxy/settings/search_remote_blacklists',
                     'get':'/api/proxy/settings/get_remote_blacklist/',
                     'set':'/api/proxy/settings/set_remote_blacklist/',
                     'add':'/api/proxy/settings/add_remote_blacklist/',
@@ -61,7 +61,7 @@
                 }
         );
         $("#grid-pac-match").UIBootgrid(
-                {   'search':'/api/proxy/settings/searchPACMatch',
+                {   'search':'/api/proxy/settings/search_pac_match',
                     'get':'/api/proxy/settings/get_pac_match/',
                     'set':'/api/proxy/settings/set_pac_match/',
                     'add':'/api/proxy/settings/add_pac_match/',
@@ -81,7 +81,7 @@
                 }
         );
         $("#grid-pac-rule").UIBootgrid(
-                {   'search':'/api/proxy/settings/searchPACRule',
+                {   'search':'/api/proxy/settings/search_pac_rule',
                     'get':'/api/proxy/settings/get_pac_rule/',
                     'set':'/api/proxy/settings/set_pac_rule/',
                     'add':'/api/proxy/settings/add_pac_rule/',
@@ -90,7 +90,7 @@
                 }
         );
         $("#grid-pac-proxy").UIBootgrid(
-                {   'search':'/api/proxy/settings/searchPACProxy',
+                {   'search':'/api/proxy/settings/search_pac_proxy',
                     'get':'/api/proxy/settings/get_pac_proxy/',
                     'set':'/api/proxy/settings/set_pac_proxy/',
                     'add':'/api/proxy/settings/add_pac_proxy/',
@@ -166,7 +166,7 @@
 
         $('.reload-pac-btn').click(function () {
             $('.reload-pac-btn .fa-refresh').addClass('fa-spin');
-            ajaxCall("/api/proxy/service/refreshTemplate", {}, function(data,status) {
+            ajaxCall("/api/proxy/service/refresh_template", {}, function(data,status) {
                 $('.reload-pac-btn .fa-refresh').removeClass('fa-spin');
             });
         });
@@ -192,7 +192,7 @@
          */
         $("#ScheduleAct").click(function() {
             $("#scheduleAct_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall("/api/proxy/settings/fetchRBCron", {}, function(data,status) {
+            ajaxCall("/api/proxy/settings/fetch_rb_cron", {}, function(data,status) {
                 $("#scheduleAct_progress").removeClass("fa fa-spinner fa-pulse");
                 if (data.uuid !=undefined) {
                     // redirect to cron page

From 2bbbc7789505acb565313a9204166ec4ae5af317 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 25 Jun 2025 13:51:12 +0200
Subject: [PATCH 2479/3088] Framework: replacement of variables in package
 scripts

While here reorder a bit and document what we have and how
it interacts.
---
 Mk/plugins.mk | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 33d5be9106..210b6b4438 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2024 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2025 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -146,13 +146,26 @@ manifest: check
 	    echo "annotations $$(cat ${WRKSRC}${LOCALBASE}/opnsense/version/${PLUGIN_NAME})"; \
 	fi
 
-scripts: check scripts-pre scripts-auto scripts-manual scripts-post
+# Package scripts generation handling 101:
+#
+# "auto" generates automatic hooks that a plugin may need in order to
+# reload on the fly. ".pre" and ".post" suffixed files can be used to
+# extend the auto-generated content.
+#
+# "manual" overwrites the automatic script and also ignores ".pre" and
+# ".post" files since they do not make sense in manual mode.
+#
+# Furthermore, variable replacement via %%PLUGINS_VAR%% takes place in
+# "manual" as well as ".pre" and ".post" scripts provided.
+
+scripts: check scripts-pre scripts-auto scripts-post scripts-manual
 
 scripts-pre:
 	@for SCRIPT in ${PLUGIN_SCRIPTS}; do \
 		rm -f ${DESTDIR}/$${SCRIPT}; \
 		if [ -f ${.CURDIR}/$${SCRIPT}.pre ]; then \
-			cp ${.CURDIR}/$${SCRIPT}.pre ${DESTDIR}/$${SCRIPT}; \
+			sed ${SED_REPLACE} -- ${.CURDIR}/$${SCRIPT}.pre > \
+			    ${DESTDIR}/$${SCRIPT}; \
 		fi; \
 	done
 
@@ -203,17 +216,19 @@ scripts-auto:
 		done \
 	fi
 
-scripts-manual:
+scripts-post:
 	@for SCRIPT in ${PLUGIN_SCRIPTS}; do \
-		if [ -f ${.CURDIR}/$${SCRIPT} ]; then \
-			cp ${.CURDIR}/$${SCRIPT} ${DESTDIR}/$${SCRIPT}; \
+		if [ -f ${.CURDIR}/$${SCRIPT}.post ]; then \
+			sed ${SED_REPLACE} -- ${.CURDIR}/$${SCRIPT}.post >> \
+			    ${DESTDIR}/$${SCRIPT}; \
 		fi; \
 	done
 
-scripts-post:
+scripts-manual:
 	@for SCRIPT in ${PLUGIN_SCRIPTS}; do \
-		if [ -f ${.CURDIR}/$${SCRIPT}.post ]; then \
-			cat ${.CURDIR}/$${SCRIPT}.post >> ${DESTDIR}/$${SCRIPT}; \
+		if [ -f ${.CURDIR}/$${SCRIPT} ]; then \
+			sed ${SED_REPLACE} -- ${.CURDIR}/$${SCRIPT} > \
+			    ${DESTDIR}/$${SCRIPT}; \
 		fi; \
 	done
 

From 00556eaf28bd485a6799b81c80e6835c9f15ff9e Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sun, 29 Jun 2025 13:01:29 +0200
Subject: [PATCH 2480/3088] www/caddy: Fix snake_case usage in controller
 (#4776)

---
 .../OPNsense/Caddy/Layer4Controller.php       |  4 ++--
 .../OPNsense/Caddy/ReverseProxyController.php | 12 ++++++------
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 19 +++++++------------
 3 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
index 7ea9478e13..88de730d27 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Layer4Controller.php
@@ -40,9 +40,9 @@ public function indexAction()
         $this->view->pick('OPNsense/Caddy/reverse_proxy');
 
         $this->view->formDialogLayer4 = $this->getForm('dialogLayer4');
-        $this->view->formGridLayer4 = $this->getFormGrid('dialogLayer4', 'Layer4');
+        $this->view->formGridLayer4 = $this->getFormGrid('dialogLayer4', 'layer4');
 
         $this->view->formDialogLayer4Openvpn = $this->getForm('dialogLayer4Openvpn');
-        $this->view->formGridLayer4Openvpn = $this->getFormGrid('dialogLayer4Openvpn', 'Layer4Openvpn');
+        $this->view->formGridLayer4Openvpn = $this->getFormGrid('dialogLayer4Openvpn', 'layer4_openvpn');
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
index dc780dcd62..49a08c4c41 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/ReverseProxyController.php
@@ -40,21 +40,21 @@ public function indexAction()
         $this->view->pick('OPNsense/Caddy/reverse_proxy');
 
         $this->view->formDialogReverseProxy = $this->getForm("dialogReverseProxy");
-        $this->view->formGridReverseProxy = $this->getFormGrid('dialogReverseProxy', 'ReverseProxy');
+        $this->view->formGridReverseProxy = $this->getFormGrid('dialogReverseProxy', 'reverse_proxy');
 
         $this->view->formDialogSubdomain = $this->getForm("dialogSubdomain");
-        $this->view->formGridSubdomain = $this->getFormGrid('dialogSubdomain', 'Subdomain');
+        $this->view->formGridSubdomain = $this->getFormGrid('dialogSubdomain', 'subdomain');
 
         $this->view->formDialogHandle = $this->getForm("dialogHandle");
-        $this->view->formGridHandle = $this->getFormGrid('dialogHandle', 'Handle');
+        $this->view->formGridHandle = $this->getFormGrid('dialogHandle', 'handle');
 
         $this->view->formDialogAccessList = $this->getForm("dialogAccessList");
-        $this->view->formGridAccessList = $this->getFormGrid('dialogAccessList', 'AccessList');
+        $this->view->formGridAccessList = $this->getFormGrid('dialogAccessList', 'access_list');
 
         $this->view->formDialogBasicAuth = $this->getForm("dialogBasicAuth");
-        $this->view->formGridBasicAuth = $this->getFormGrid('dialogBasicAuth', 'BasicAuth');
+        $this->view->formGridBasicAuth = $this->getFormGrid('dialogBasicAuth', 'basic_auth');
 
         $this->view->formDialogHeader = $this->getForm("dialogHeader");
-        $this->view->formGridHeader = $this->getFormGrid('dialogHeader', 'Header');
+        $this->view->formGridHeader = $this->getFormGrid('dialogHeader', 'header');
     }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index ced0f239c6..d0b037f3de 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -44,10 +44,6 @@
             $(`#maintabs a[href="${location.hash}"]`).tab('show');
         });
 
-        function to_snake_case(str) {
-            return str.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toLowerCase();
-        }
-
         // Bootgrid Setup
         const all_grids = {};
 
@@ -161,15 +157,14 @@
                         }
 
 {% endif %}
-                        const api_grid_id = to_snake_case(grid_id);
                         all_grids[grid_id] = $("#" + grid_id)
                         .UIBootgrid({
-                            search: `/api/caddy/reverse_proxy/search_${api_grid_id}/`,
-                            get: `/api/caddy/reverse_proxy/get_${api_grid_id}/`,
-                            set: `/api/caddy/reverse_proxy/set_${api_grid_id}/`,
-                            add: `/api/caddy/reverse_proxy/add_${api_grid_id}/`,
-                            del: `/api/caddy/reverse_proxy/del_${api_grid_id}/`,
-                            toggle: `/api/caddy/reverse_proxy/toggle_${api_grid_id}/`,
+                            search: `/api/caddy/reverse_proxy/search_${grid_id}/`,
+                            get: `/api/caddy/reverse_proxy/get_${grid_id}/`,
+                            set: `/api/caddy/reverse_proxy/set_${grid_id}/`,
+                            add: `/api/caddy/reverse_proxy/add_${grid_id}/`,
+                            del: `/api/caddy/reverse_proxy/del_${grid_id}/`,
+                            toggle: `/api/caddy/reverse_proxy/toggle_${grid_id}/`,
                             options: {
                                 requestHandler: function (request) {
                                     const selectedDomains = $('#reverseFilter').val();
@@ -182,7 +177,7 @@
                                     enabled: function (column) { return "" },
                                     ToDomain: function (column) { return labels.upstream; },
                                     FromDomain: function (column) {
-                                        if (grid_id === "Subdomain") {
+                                        if (grid_id === "subdomain") {
                                             return labels.subdomain;
                                         } else {
                                             return labels.domain;

From 1a28c9ba9e14d1b7dd88e47437f260c4b1b367cf Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 30 Jun 2025 10:05:31 +0200
Subject: [PATCH 2481/3088] www/caddy: Use SimpleActionButton in general.volt,
 remove onAction in template since we use data-service-widget (#4779)

---
 .../mvc/app/views/OPNsense/Caddy/general.volt | 91 ++++++++-----------
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  9 +-
 2 files changed, 41 insertions(+), 59 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index 46c0ea63ff..fd56411d1f 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -49,38 +49,6 @@
             });
         }
 
-        /**
-         * Manages the spinner icon.
-         * @param {string} generalId - The ID of the general form.
-         * @param {string} action - The action to perform ("start" or "stop").
-         */
-        function setSpinner(generalId, action) {
-            const $progressIcon = $("#" + generalId + "_progress");
-            if (action === 'start') {
-                $progressIcon.addClass("fa fa-spinner fa-pulse");
-            } else if (action === 'stop') {
-                $progressIcon.removeClass("fa fa-spinner fa-pulse");
-            }
-        }
-
-        /**
-         * Reconfigures the service.
-         * @param {string} generalId - The ID of the general form (used for controlling the spinner).
-         */
-        function reconfigureService(generalId) {
-            ajaxCall("/api/caddy/service/reconfigure", {}, function(data, status) {
-                if (status !== "success" || data.status !== 'ok') {
-                    showAlert("{{ lang._('Error applying configuration: ') }}" + JSON.stringify(data), "error");
-                } else {
-                    updateServiceControlUI('caddy');
-                }
-                setSpinner(generalId, 'stop');
-            }).fail(function() {
-                handleError("error", "{{ lang._('Reconfiguration request failed.') }}");
-                setSpinner(generalId, 'stop');
-            });
-        }
-
         /**
          * Centralizes error handling.
          * @param {string} type - The type of error.
@@ -91,27 +59,48 @@
         }
 
         // Event binding for saving forms
-        $('[id*="save_general-"]').on('click', function() {
-            const generalId = this.form.id;
-            setSpinner(generalId, 'start');
-            saveFormToEndpoint("/api/caddy/general/set", generalId, function() {
-                // Validate Caddyfile after saving the form
-                ajaxGet("/api/caddy/service/validate", {}, function(data, status) {
-                    if (status === "success" && data && data.status.toLowerCase() === 'ok') {
-                        reconfigureService(generalId);
-                    } else {
-                        handleError("error", data.message || "{{ lang._('Validation Error') }}");
-                        setSpinner(generalId, 'stop');
-                    }
-                }).fail(function() {
-                    handleError("error", "{{ lang._('Validation request failed.') }}");
-                    setSpinner(generalId, 'stop');
-                });
-            }, true, function(errorData) {
-                handleError("error", errorData.message || "{{ lang._('Validation Error') }}");
-                setSpinner(generalId, 'stop');
+        $('[id^="save_general-"]').each(function () {
+            const $btn = $(this);
+            const formId = this.id.replace(/^save_/, 'frm_');
+
+            $btn.attr({
+                'data-label'    : "{{ lang._('Apply') }}",
+                'data-endpoint' : "/api/caddy/service/reconfigure",
+                'data-service-widget' : "caddy"
+            });
+
+            $btn.SimpleActionButton({
+                onPreAction: function () {
+                    const dfObj = new $.Deferred();
+
+                    saveFormToEndpoint(
+                        "/api/caddy/general/set",
+                        formId,
+                        function () {
+                            ajaxGet("/api/caddy/service/validate", null, function (data, status) {
+                                if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
+                                    dfObj.resolve();
+                                } else {
+                                    showAlert(data?.message || "{{ lang._('Validation Error') }}", "error");
+                                    dfObj.reject();
+                                }
+                            }).fail(function(xhr, status, error) {
+                                showAlert("{{ lang._('Validation request failed: ') }}" + error, "error");
+                                dfObj.reject();
+                            });
+                        },
+                        true,
+                        function (errorData) {
+                            showAlert(errorData.message || "{{ lang._('Validation Error') }}", "error");
+                            dfObj.reject();
+                        }
+                    );
+
+                    return dfObj.promise();
+                }
             });
         });
+
     });
 </script>
 
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index d0b037f3de..acfc85732d 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -297,13 +297,6 @@
                 });
 
                 return dfObj.promise();
-            },
-            onAction: function(data, status) {
-                if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                    updateServiceControlUI('caddy');
-                } else {
-                    showAlert("{{ lang._('Action was not successful or an error occurred.') }}", "error");
-                }
             }
         });
 
@@ -587,7 +580,7 @@
 
 </div>
 
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/caddy/service/reconfigure'}) }}
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/caddy/service/reconfigure', 'data_service_widget': 'caddy'}) }}
 
 {% if entrypoint == 'reverse_proxy' %}
 

From c590eef1e27d54a3844f34c8476bd7a64a17936c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 30 Jun 2025 10:06:10 +0200
Subject: [PATCH 2482/3088] www/caddy: Add global servers timeouts options
 (#4778)

* www/caddy: Add global servers timeouts options

* www/caddy: Bump version and changelog

* www/caddy: Add changelog
---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  6 +++
 .../OPNsense/Caddy/forms/general.xml          | 40 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   | 16 ++++++++
 .../templates/OPNsense/Caddy/Caddyfile        | 20 ++++++++++
 5 files changed, 83 insertions(+), 1 deletion(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 08f8f247a4..5b9504ba7d 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		2.0.1
+PLUGIN_VERSION=		2.0.2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 6eb887b280..9845f3f37d 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -6,6 +6,12 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+2.0.2
+
+Add: Global server timeout options (opnsense/plugins/pull/4778)
+Cleanup: Change all camelCase to snake_case in api notations (opnsense/plugins/pull/4767,4768,4776)
+Cleanup: Use SimpleActionButton in general.volt (opnsense/plugins/pull/4779)
+
 2.0.1
 
 Add: Active health checks to handlers (contributed by zaben903) (opnsense/plugins/pull/4721)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 849ea61d7d..bb7d29b7b0 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -26,12 +26,20 @@
         </field>
     </tab>
     <tab id="general-advanced" description="Advanced Settings">
+        <field>
+            <type>header</type>
+            <label>Security Settings</label>
+        </field>
         <field>
             <id>caddy.general.DisableSuperuser</id>
             <label>System User</label>
             <type>dropdown</type>
             <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
         </field>
+        <field>
+            <type>header</type>
+            <label>HTTP Settings</label>
+        </field>
         <field>
             <id>caddy.general.HttpVersions</id>
             <label>HTTP Versions</label>
@@ -52,6 +60,10 @@
             <hint>443</hint>
             <help><![CDATA[If the default HTTPS port is changed to e.g. 8443, then a port forward from port 443 to 8443 is necessary to issue automatic certificates with the TLS-ALPN-01 challenge and serve clients the reverse proxied resources.]]></help>
         </field>
+        <field>
+            <type>header</type>
+            <label>Server Settings</label>
+        </field>
         <field>
             <id>caddy.general.accesslist</id>
             <label>Trusted Proxies</label>
@@ -75,6 +87,34 @@
             <hint>10</hint>
             <help><![CDATA[Defines the grace period for shutting down Caddy during a reload in seconds. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close. If the grace period is over and Caddy is unresponsive, there will be a forced kill and service restart.]]></help>
         </field>
+        <field>
+            <id>caddy.general.timeout_read_body</id>
+            <label>Read Body Timeout</label>
+            <type>text</type>
+            <hint>no timout</hint>
+            <help><![CDATA[read_body is a duration value in seconds that sets how long to allow a read from a client's upload. Setting this to a short, non-zero value can mitigate slowloris attacks, but may also affect legitimately slow clients.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.timeout_read_header</id>
+            <label>Read Header Timeout</label>
+            <type>text</type>
+            <hint>no timout</hint>
+            <help><![CDATA[read_header is a duration value in seconds that sets how long to allow a read from a client's request headers.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.timeout_write</id>
+            <label>Write Timeout</label>
+            <type>text</type>
+            <hint>no timout</hint>
+            <help><![CDATA[write is a duration value in seconds that sets how long to allow a write to a client. Note that setting this to a small value when serving large files may negatively affect legitimately slow clients.]]></help>
+        </field>
+        <field>
+            <id>caddy.general.timeout_idle</id>
+            <label>Idle Timeout</label>
+            <type>text</type>
+            <hint>300</hint>
+            <help><![CDATA[idle is a duration value in seconds that sets the maximum time to wait for the next request when keep-alives are enabled. Defaults value helps to avoid resource exhaustion.]]></help>
+        </field>
     </tab>
     <tab id="general-logsettings" description="Log Settings">
         <field>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 3bf5aa4c3b..a1b829a4ac 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -89,6 +89,22 @@
                     <h3>HTTP/3</h3>
                 </OptionValues>
             </HttpVersions>
+            <timeout_read_body type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <ValidationMessage>Please enter a minimum value of 0 or leave empty for defaults.</ValidationMessage>
+            </timeout_read_body>
+            <timeout_read_header type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <ValidationMessage>Please enter a minimum value of 0 or leave empty for defaults.</ValidationMessage>
+            </timeout_read_header>
+            <timeout_write type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <ValidationMessage>Please enter a minimum value of 0 or leave empty for defaults.</ValidationMessage>
+            </timeout_write>
+            <timeout_idle type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <ValidationMessage>Please enter a minimum value of 0 or leave empty for defaults.</ValidationMessage>
+            </timeout_idle>
             <LogCredentials type="BooleanField"/>
             <LogAccessPlain type="BooleanField"/>
             <LogAccessPlainKeep type="IntegerField">
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 7c30c2f682..997a746f49 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -93,9 +93,29 @@
                 {% endif %}
             {% endfor %}
         {% endif %}
+
         {% if generalSettings.LogCredentials|default("0") == "1" %}
             log_credentials
         {% endif %}
+        {% if generalSettings.timeout_read_body or
+            generalSettings.timeout_read_header or
+            generalSettings.timeout_write or
+            generalSettings.timeout_idle %}
+        timeouts {
+            {% if generalSettings.timeout_read_body %}
+                read_body {{ generalSettings.timeout_read_body }}s
+            {% endif %}
+            {% if generalSettings.timeout_read_header %}
+                read_header {{ generalSettings.timeout_read_header }}s
+            {% endif %}
+            {% if generalSettings.timeout_write %}
+                write {{ generalSettings.timeout_write }}s
+            {% endif %}
+            {% if generalSettings.timeout_idle %}
+                idle {{ generalSettings.timeout_idle }}s
+            {% endif %}
+        }
+        {% endif %}
         {% if generalSettings.EnableLayer4|default("0") == "1" %}
             listener_wrappers {
                 layer4 {

From 09855f41c30fba6bd314a1ba9e9b58f866efbe6a Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 30 Jun 2025 10:06:27 +0200
Subject: [PATCH 2483/3088] net/frr: Activate peergroup in address family
 (#4777)

---
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf    | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 51c0ba3d92..4e29d37076 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -59,7 +59,6 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%       if peergroup.updatesource %}
  neighbor {{ peergroup.name }} update-source {{ physical_interface(peergroup.updatesource) }}
 {%       endif %}
- neighbor {{ peergroup.name }} activate
 {%       if  peergroup.nexthopself|default('0') == '1' %}
  neighbor {{ peergroup.name }} next-hop-self
 {%       endif %}
@@ -163,6 +162,11 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%   for network in networks[addressFamily] %}
   network {{ network }}
 {%   endfor %}
+{%   for peergroup in helpers.toList('OPNsense.quagga.bgp.peergroups.peergroup') %}
+{%     if peergroup.enabled == '1' %}
+  neighbor {{ peergroup.name }} activate
+{%     endif %}
+{%   endfor %}
 {%   for neighbor in neighbors[addressFamily] %}
   neighbor {{ neighbor.address }} activate
 {%     if 'nexthopself' in neighbor and neighbor.nexthopself == '1' %}

From 0908f3aad96f94447e5f5108e790f7d53eb05382 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Jun 2025 12:22:30 +0200
Subject: [PATCH 2484/3088] sysutils/sftp-backup: replace getCurrentValue() use

---
 sysutils/sftp-backup/Makefile                                 | 1 +
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php     | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/sysutils/sftp-backup/Makefile b/sysutils/sftp-backup/Makefile
index 0a740a766a..448f13de18 100644
--- a/sysutils/sftp-backup/Makefile
+++ b/sysutils/sftp-backup/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		sftp-backup
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Backup configurations using SFTP
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
index 0a81b101cf..a255fc7250 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -262,8 +262,8 @@ public function backup()
             /* cleanup only if backup count is > 0*/
             if ($this->model->backupcount->asFloat() > 0) {
                 rsort($remote_backups);
-                if (count($remote_backups) > (int)$this->model->backupcount->getCurrentValue()) {
-                    for ($i = $this->model->backupcount->getCurrentValue(); $i < count($remote_backups); $i++) {
+                if (count($remote_backups) > (int)$this->model->backupcount->getValue()) {
+                    for ($i = $this->model->backupcount->getValue(); $i < count($remote_backups); $i++) {
                         $this->del($remote_backups[$i]);
                     }
                     $remote_backups = $this->ls(sprintf('%s*.xml', $fileprefix));

From 8fa0a9783e76ddd738222f25dc3395c289b0450f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 30 Jun 2025 13:31:31 +0200
Subject: [PATCH 2485/3088] Framework: typo

---
 Mk/plugins.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 210b6b4438..ad87013609 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -155,7 +155,7 @@ manifest: check
 # "manual" overwrites the automatic script and also ignores ".pre" and
 # ".post" files since they do not make sense in manual mode.
 #
-# Furthermore, variable replacement via %%PLUGINS_VAR%% takes place in
+# Furthermore, variable replacement via %%PLUGIN_VAR%% takes place in
 # "manual" as well as ".pre" and ".post" scripts provided.
 
 scripts: check scripts-pre scripts-auto scripts-post scripts-manual

From 13d7441af09dd7622c9012762b72cb40988c89c9 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 30 Jun 2025 16:27:58 +0200
Subject: [PATCH 2486/3088] net/frr: update pkg-descr (#4782)

---
 net/frr/pkg-descr | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index f78f74d8e3..92bbbd4dfa 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,9 +14,10 @@ Plugin Changelog
 
 1.45
 
-* Add neighbor config to OSPF (contributed by Andy Binder)
-* Add BGP listen range to peer groups
-* Switch to FRR 10
+* Add neighbor config to OSPF (contributed by Andy Binder) (opnsense/plugins/pull/4694)
+* Add BGP listen range to peer groups (opnsense/plugins/pull/4722)
+* Fix peer group activation (opnsense/plugins/pull/4777)
+* Switch to FRR 10 (opnsense/plugins/pull/4741)
 
 1.44
 

From 4215dae9d51a59c10dac39dd144998161b0091e9 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 1 Jul 2025 16:02:47 +0200
Subject: [PATCH 2487/3088] security/acme-client: fix account config, closes
 #4622

---
 security/acme-client/pkg-descr                |  2 ++
 .../library/OPNsense/AcmeClient/LeAccount.php | 29 ++++++++++---------
 .../OPNsense/AcmeClient/LeCertificate.php     |  2 ++
 3 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 7bf1c46d5d..d9d83c57bc 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,9 +15,11 @@ Added:
 * add support for Websupport.sk DNS API (#4540)
 
 Changed:
+* automatically fix account config if CERT_HOME is set (#4622)
 * automatically resolve cron job mismatch (#4627)
 
 Fixed:
+* deploy hooks may use the old CERT_HOME (#4622)
 * acme.sh is always called with "--days 1" (#4711)
 * avoid startup error: "rmdir... Not a directory" (#4743)
 * fails to create/update cron job on UUID mismatch (#4627)
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index e643696f23..0bf429dba3 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2024 Frank Wall
+ * Copyright (C) 2020-2025 Frank Wall
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -224,9 +224,6 @@ public function register()
                 return false;
             }
 
-            // Fix account config
-            $this->fixConfig();
-
             // Update account status.
             LeUtils::log('account registration successful for ' . $this->config->name);
             $this->setStatus(200);
@@ -234,6 +231,9 @@ public function register()
             LeUtils::log_debug('account already registered: ' . (string)$this->config->name, $this->debug);
         }
 
+        // Always check (and fix) account config
+        $this->fixConfig();
+
         return true;
     }
 
@@ -251,18 +251,21 @@ public function fixConfig()
                 // Parse config file and remove property
                 $account_conf = parse_ini_file($account_conf_file);
                 if (isset($account_conf['CERT_HOME'])) {
+                    LeUtils::log('fixing invalid account config (CERT_HOME): ' . $this->config->name);
                     unset($account_conf['CERT_HOME']);
-                }
 
-                // Convert array back to ini file format
-                $new_account_conf = array();
-                foreach ($account_conf as $key => $value) {
-                    $new_account_conf[] = "{$key}='{$value}'";
+                    // Convert array back to ini file format
+                    $new_account_conf = array();
+                    foreach ($account_conf as $key => $value) {
+                        $new_account_conf[] = "{$key}='{$value}'";
+                    }
+
+                    // Write changes back to file
+                    file_put_contents($account_conf_file, implode("\n", $new_account_conf) . "\n");
+                    chmod($account_conf_file, 0600);
+                } else {
+                    LeUtils::log('account config is valid (CERT_HOME): ' . $this->config->name);
                 }
-
-                // Write changes back to file
-                file_put_contents($account_conf_file, implode("\n", $new_account_conf) . "\n");
-                chmod($account_conf_file, 0600);
             }
         }
     }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index edc3c23565..ff43613378 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -618,6 +618,8 @@ public function setAccount()
             $this->loadConfig(self::CONFIG_PATH, $this->uuid);
         }
         LeUtils::log('account is registered: ' . (string)$account->config->name);
+        // Always check (and fix) account config
+        $account->fixConfig();
         return true;
     }
 

From f28fd30af5fa6b73b4d37c1158b2e4785bb6de11 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 1 Jul 2025 17:44:33 +0200
Subject: [PATCH 2488/3088] security/acme-client: add SFTP option to (not)
 preserve mod time, refs #3862

---
 security/acme-client/pkg-descr                |  2 ++
 .../AcmeClient/forms/dialogAction.xml         |  6 +++++
 .../OPNsense/AcmeClient/SftpUploader.php      | 26 +++++++++++++++----
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  6 ++++-
 4 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index d9d83c57bc..8f7f21ace1 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,10 +13,12 @@ Plugin Changelog
 Added:
 * new automation to reload www/caddy (#4692)
 * add support for Websupport.sk DNS API (#4540)
+* add SFTP option: Preserve Modification Time (#3862)
 
 Changed:
 * automatically fix account config if CERT_HOME is set (#4622)
 * automatically resolve cron job mismatch (#4627)
+* change default SFTP options to NOT preserve modification time (#3862)
 
 Fixed:
 * deploy hooks may use the old CERT_HOME (#4622)
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index a2fb434eb4..292fd9c236 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -68,6 +68,12 @@
               The path can be absolute or relative to home and must exist.
               Leave blank to not change path after login.</help>
     </field>
+    <field>
+        <id>action.sftp_modtime</id>
+        <label>Preserve Modification Time</label>
+        <type>checkbox</type>
+        <help>Preserves modification times from the source file. Note that this is not supported by all SFTP servers and may cause the upload to fail, e.g. on VMware</help>
+    </field>
     <field>
         <id>action.sftp_chmod</id>
         <label>Permission (Public Keys)</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
index 3534958802..d7b5df79a4 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -28,6 +29,8 @@
 
 namespace OPNsense\AcmeClient;
 
+use OPNsense\AcmeClient\LeUtils;
+
 /**
  * Handles file uploads via SFTP.
  * @package OPNsense\AcmeClient
@@ -67,9 +70,10 @@ public function __destruct()
      * @param string $remote_file the remote path to copy the file to or empty to use the files name.
      * @param bool $chmod the 4 digit unix permission to apply or false to leave it unchanged.
      * @param bool $chgrp the numeric group on the remote server to apply or false to leave it unchanged.
+     * @param bool $modtime a boolean to indicate that the modification times should be preserved.
      * @return string the name of the normalized local file.
      */
-    public function addFile(string $local_file, $remote_file = "", $chmod = false, $chgrp = false): string
+    public function addFile(string $local_file, $remote_file = "", $chmod = false, $chgrp = false, $modtime = false): string
     {
         Utils::requireThat(is_file($local_file) && is_readable($local_file), "Not a file or not readable: '$local_file'");
         $local_file = realpath($local_file);
@@ -80,7 +84,8 @@ public function addFile(string $local_file, $remote_file = "", $chmod = false, $
             "source" => $local_file,
             "target" => $remote_file,
             "mode" => $chmod,
-            "group" => $chgrp
+            "group" => $chgrp,
+            "modtime" => $modtime
         ];
 
         return $local_file;
@@ -94,9 +99,10 @@ public function addFile(string $local_file, $remote_file = "", $chmod = false, $
      * @param int $content_last_modified the unix timestamp when the content was last modified (is preserved when chmod is also specified).
      * @param bool $chmod the 4 digit unix permission to apply or false to leave it unchanged.
      * @param bool $chgrp the numeric group on the remote server to apply or false to leave it unchanged.
+     * @param bool $modtime a boolean to indicate that the modification times should be preserved.
      * @return string the name of the remote file.
      */
-    public function addContent(string $content, string $remote_file = "", $content_last_modified = 0, $chmod = false, $chgrp = false): string
+    public function addContent(string $content, string $remote_file = "", $content_last_modified = 0, $chmod = false, $chgrp = false, $modtime = false): string
     {
         $local_file = $this->temporaryFile();
         Utils::requireThat($local_file, "Failed creating temporary file for '$remote_file'");
@@ -113,7 +119,7 @@ public function addContent(string $content, string $remote_file = "", $content_l
             $remote_file = basename($local_file);
         }
 
-        $local_file = $this->addFile($local_file, $remote_file, $chmod, $chgrp);
+        $local_file = $this->addFile($local_file, $remote_file, $chmod, $chgrp, $modtime);
         $this->pending_files[$local_file]["delete_source"] = true;
 
         return $remote_file;
@@ -252,16 +258,24 @@ public function upload(): int
                 $chmod = $file["mode"] ?? "";
                 $chmod = preg_match('/^0\d{3}$/', $chmod) ? (string)$chmod : false;
 
+                // Preserving the modification time is not supported by all SFTP servers.
+                $preserve = $file["modtime"];
+                if ($preserve !== false) {
+                    LeUtils::log("Sftp upload will try to preserve file modification time");
+                } else {
+                    LeUtils::log("Sftp upload will not preserve file modification time");
+                }
 
                 // Initial upload when permissions are properly set.
                 $should_upload_with_permission_change =
                     $chmod !== false
                     && isset($remote_files[$remote_filename]);
 
+                // Upload file.
                 if (!$remote_is_readonly) {
                     $preserve_times_and_mod = $chmod !== false;
 
-                    if ($error = $this->sftp->put($local_file, $remote_filename, $preserve_times_and_mod)->lastError()) {
+                    if ($error = $this->sftp->put($local_file, $remote_filename, $preserve)->lastError()) {
                         if ($error["permission_denied"] !== true) {
                             $should_upload_with_permission_change = false;
                         }
@@ -281,11 +295,13 @@ public function upload(): int
                 if ($should_upload_with_permission_change && $this->isFileOwnedByConnection($remote_file, $connection)) {
                     Utils::log()->info("Trying to upload file '{$local_file}' to '{$file["target"]}' with adjusted permissions");
 
+                    // Change file permission to make it writable.
                     if ($error = $this->sftp->chmod($remote_filename, '0600')->lastError()) {
                         Utils::log()->error("Failed changing permission to '0600' for '{$file["target"]}'. ", $error);
                         $this->sftp->clearError();
                     }
 
+                    // Try again to upload file.
                     if ($error = $this->sftp->put($local_file, $remote_filename)->lastError()) {
                         Utils::log()->error("Failed uploading file (with adjusted permissions) '{$local_file}' to '{$file["target"]}'", $error);
                         return self::UPLOAD_ERROR_NO_PERMISSION;
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 4a3a31dcf1..8d4b884759 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>4.2.0</version>
+    <version>4.3.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -1410,6 +1410,10 @@
                     <mask>/^0[0-9]{3}$/u</mask>
                     <ValidationMessage>A unix permission, 4 digits (e.g. 0400).</ValidationMessage>
                 </sftp_chmod_key>
+                <sftp_modtime type="BooleanField">
+                    <Required>N</Required>
+                    <default>0</default>
+                </sftp_modtime>
                 <sftp_filename_cert type="TextField">
                     <Required>N</Required>
                     <mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</mask>

From fb01f6c448176f18b99d141a61c3605eac7fec57 Mon Sep 17 00:00:00 2001
From: Nick2253 <nick2253@gmail.com>
Date: Tue, 1 Jul 2025 23:19:53 -0700
Subject: [PATCH 2489/3088] dns/bind (os-bind) Adds `named.conf.d` and
 appropriate `include` for custom BIND configurations. (#4775)

* Adds named.conf.d and appropriate include for custom configurations.

* Move 00-README.conf file from template to literal

* Remove log example from custom config README

* Add custom config warning banner.

* Fixed test on glob

* Update dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php

* Update dns/bind/src/etc/namedb/named.conf.d/00-README.conf

---------

Co-authored-by: Nicholas Card <nick@nicholascard.com>
Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 .../etc/namedb/named.conf.d/00-README.conf    |  7 +++
 .../System/Status/BindOverrideStatus.php      | 57 +++++++++++++++++++
 .../templates/OPNsense/Bind/named.conf        |  2 +
 3 files changed, 66 insertions(+)
 create mode 100644 dns/bind/src/etc/namedb/named.conf.d/00-README.conf
 create mode 100644 dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php

diff --git a/dns/bind/src/etc/namedb/named.conf.d/00-README.conf b/dns/bind/src/etc/namedb/named.conf.d/00-README.conf
new file mode 100644
index 0000000000..fac2f0d6bc
--- /dev/null
+++ b/dns/bind/src/etc/namedb/named.conf.d/00-README.conf
@@ -0,0 +1,7 @@
+# Custom BIND Configuration Directory
+#
+# Place your custom BIND directives in .conf files in this directory
+# Files are included in alphabetical order
+#
+# Examples:
+# server 192.168.1.100 { edns no; };
diff --git a/dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php b/dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php
new file mode 100644
index 0000000000..f0474a54ac
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Nick Card
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\System\Status;
+
+use OPNsense\System\AbstractStatus;
+use OPNsense\System\SystemStatusCode;
+
+class BindOverrideStatus extends AbstractStatus
+{
+    public function __construct()
+    {
+        $this->internalPriority = 2;
+        $this->internalPersistent = true;
+        $this->internalIsBanner = true;
+        $this->internalTitle = gettext('BIND config override');
+        $this->internalScope = [
+            '/ui/bind/general/index'
+        ];
+    }
+
+    public function collectStatus()
+    {
+        if (count(glob('/usr/local/etc/namedb/named.conf.d/*'))>1) {
+            $this->internalMessage = gettext(
+                'The configuration contains manual overwrites, these may interfere with the settings configured here.'
+            );
+            $this->internalStatus = SystemStatusCode::NOTICE;
+        }
+    }
+}
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 6b833e19a9..1f0b0c3c45 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -112,6 +112,8 @@ controls {
 };
 {% endif %}
 
+include "/usr/local/etc/namedb/named.conf.d/*.conf";
+
 zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
 
 zone "localhost"        { type primary; file "/usr/local/etc/namedb/primary/localhost-forward.db"; };

From 4040c379a0c6bbc526ca1ccb2f3dccb83989cbc0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Jul 2025 08:25:13 +0200
Subject: [PATCH 2490/3088] dns/bind: style sweep

---
 .../app/library/OPNsense/System/Status/BindOverrideStatus.php   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php b/dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php
index f0474a54ac..eb15970e6a 100644
--- a/dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php
+++ b/dns/bind/src/opnsense/mvc/app/library/OPNsense/System/Status/BindOverrideStatus.php
@@ -47,7 +47,7 @@ public function __construct()
 
     public function collectStatus()
     {
-        if (count(glob('/usr/local/etc/namedb/named.conf.d/*'))>1) {
+        if (count(glob('/usr/local/etc/namedb/named.conf.d/*')) > 1) {
             $this->internalMessage = gettext(
                 'The configuration contains manual overwrites, these may interfere with the settings configured here.'
             );

From 2d22b81afde2d94e7126f413e7d88dc5edbb91cd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Jul 2025 08:32:19 +0200
Subject: [PATCH 2491/3088] net-mgmt/telegraf: dns_lookup is DEPREBROKEN

So https://github.com/influxdata/telegraf/blob/master/plugins/inputs/ntpq/README.md
tells us to use options "-n" here instead.

PR: https://forum.opnsense.org/index.php?topic=47814.0
---
 .../service/templates/OPNsense/Telegraf/telegraf.conf         | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index a4db82bf8e..fb03f9b8be 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -348,9 +348,7 @@
 {% if helpers.exists('OPNsense.telegraf.input.ntpq') and OPNsense.telegraf.input.ntpq == '1' %}
 [[inputs.ntpq]]
 {%   if helpers.exists('OPNsense.telegraf.input.ntpq_dns_lookup') and OPNsense.telegraf.input.ntpq_dns_lookup == '1' %}
-  dns_lookup = true
-{%   else %}
-  dns_lookup = false
+  options = "-n"
 {%   endif %}
 {% endif %}
 

From 9a337a87c082c50eedc972b92566ab20f47ee84a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Jul 2025 08:35:21 +0200
Subject: [PATCH 2492/3088] net-mgmt/telegraf: rev for latest upstream version

---
 net-mgmt/telegraf/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index f9615b538f..74af3207ad 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		telegraf
 PLUGIN_VERSION=		1.12.12
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 0f1b8b2666c9ae39168f17fff63b9c8744509d24 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Jul 2025 10:45:40 +0200
Subject: [PATCH 2493/3088] Framework: improve style-model pass

---
 Makefile      |  2 +-
 Mk/plugins.mk | 16 ++++++++++------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/Makefile b/Makefile
index b8928dbc9f..981c92f2ab 100644
--- a/Makefile
+++ b/Makefile
@@ -44,7 +44,7 @@ list:
 .endfor
 
 # shared targets that are sane to run from the root directory
-TARGETS=	clean glint lint plist-fix revision style style-fix style-python sweep test
+TARGETS=	clean glint lint plist-fix revision style style-fix style-model style-python sweep test
 
 .for TARGET in ${TARGETS}
 ${TARGET}:
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ad87013609..5a4721d26e 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -469,12 +469,16 @@ style-python: check
 	fi
 
 style-model:
-	@for MODEL in $$(find ${.CURDIR}/src/opnsense/mvc/app/models -depth 3 \
-	    -name "*.xml"); do \
-		perl -i -pe 's/<default>(.*?)<\/default>/<Default>$$1<\/Default>/g' $${MODEL}; \
-		perl -i -pe 's/<multiple>(.*?)<\/multiple>/<Multiple>$$1<\/Multiple>/g' $${MODEL}; \
-		perl -i -pe 's/<required>(.*?)<\/required>/<Required>$$1<\/Required>/g' $${MODEL}; \
-	done
+	@if [ -d ${.CURDIR}/src/opnsense/mvc/app/models ]; then \
+		for MODEL in $$(find ${.CURDIR}/src/opnsense/mvc/app/models -depth 3 \
+		    -name "*.xml"); do \
+			perl -i -pe 's/<default>(.*?)<\/default>/<Default>$$1<\/Default>/g' $${MODEL}; \
+			perl -i -pe 's/<multiple>(.*?)<\/multiple>/<Multiple>$$1<\/Multiple>/g' $${MODEL}; \
+			perl -i -pe 's/<required>(.*?)<\/required>/<Required>$$1<\/Required>/g' $${MODEL}; \
+			perl -i -pe 's/<mask>(.*?)<\/mask>/<Mask>$$1<\/Mask>/g' $${MODEL}; \
+			perl -i -pe 's/<asList>(.*?)<\/asList>/<AsList>$$1<\/AsList>/g' $${MODEL}; \
+		done; \
+	fi
 
 test: check
 	@if [ -d ${.CURDIR}/src/opnsense/mvc/tests ]; then \

From f240ec0fce25add731286d046628d65d105fda5a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Jul 2025 10:46:07 +0200
Subject: [PATCH 2494/3088] plugins: run style-model

---
 .../models/OPNsense/iperf/FakeInstance.xml    |   4 +-
 .../mvc/app/models/OPNsense/Redis/Redis.xml   |  26 +-
 .../OPNsense/GridExample/GridExample.xml      |   2 +-
 .../models/OPNsense/HelloWorld/HelloWorld.xml |   4 +-
 .../mvc/app/models/OPNsense/Bind/Acl.xml      |   4 +-
 .../mvc/app/models/OPNsense/Bind/Domain.xml   |   4 +-
 .../mvc/app/models/OPNsense/Bind/General.xml  |  10 +-
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  10 +-
 .../models/OPNsense/Dnscryptproxy/Cloak.xml   |   2 +-
 .../models/OPNsense/Dnscryptproxy/Dnsbl.xml   |   2 +-
 .../models/OPNsense/Dnscryptproxy/Forward.xml |   2 +-
 .../models/OPNsense/Dnscryptproxy/General.xml |  56 +-
 .../models/OPNsense/Dnscryptproxy/Server.xml  |   2 +-
 .../OPNsense/Dnscryptproxy/Whitelist.xml      |   2 +-
 .../QemuGuestAgent/QemuGuestAgent.xml         |   6 +-
 .../mvc/app/models/OPNsense/Tftp/General.xml  |   4 +-
 .../app/models/OPNsense/Postfix/Address.xml   |   2 +-
 .../app/models/OPNsense/Postfix/Antispam.xml  |   4 +-
 .../app/models/OPNsense/Postfix/Domain.xml    |   8 +-
 .../app/models/OPNsense/Postfix/General.xml   |  74 +-
 .../models/OPNsense/Postfix/Headerchecks.xml  |   2 +-
 .../app/models/OPNsense/Postfix/Recipient.xml |   2 +-
 .../models/OPNsense/Postfix/Recipientbcc.xml  |   2 +-
 .../app/models/OPNsense/Postfix/Sender.xml    |   2 +-
 .../app/models/OPNsense/Postfix/Senderbcc.xml |   2 +-
 .../OPNsense/Postfix/Sendercanonical.xml      |   2 +-
 .../mvc/app/models/OPNsense/Rspamd/RSpamd.xml | 100 +--
 .../app/models/OPNsense/Collectd/General.xml  |  76 +-
 .../mvc/app/models/OPNsense/Lldpd/General.xml |  12 +-
 .../app/models/OPNsense/Netsnmp/General.xml   |  18 +-
 .../mvc/app/models/OPNsense/Netsnmp/User.xml  |  16 +-
 .../app/models/OPNsense/Netdata/General.xml   |   6 +-
 .../mvc/app/models/OPNsense/Nrpe/Command.xml  |   6 +-
 .../mvc/app/models/OPNsense/Nrpe/General.xml  |  20 +-
 .../app/models/OPNsense/Telegraf/General.xml  |  26 +-
 .../app/models/OPNsense/Telegraf/Input.xml    |  48 +-
 .../mvc/app/models/OPNsense/Telegraf/Key.xml  |  10 +-
 .../app/models/OPNsense/Telegraf/Output.xml   |  96 +--
 .../OPNsense/ZabbixAgent/ZabbixAgent.xml      |  74 +-
 .../models/OPNsense/Zabbixproxy/General.xml   |  62 +-
 .../app/models/OPNsense/Chrony/General.xml    |  14 +-
 .../app/models/OPNsense/Freeradius/Avpair.xml |   4 +-
 .../app/models/OPNsense/Freeradius/Client.xml |   4 +-
 .../app/models/OPNsense/Freeradius/Dhcp.xml   |   2 +-
 .../app/models/OPNsense/Freeradius/Eap.xml    |  18 +-
 .../models/OPNsense/Freeradius/General.xml    |  44 +-
 .../app/models/OPNsense/Freeradius/Ldap.xml   |  12 +-
 .../app/models/OPNsense/Freeradius/Lease.xml  |   4 +-
 .../app/models/OPNsense/Freeradius/Proxy.xml  |  58 +-
 .../app/models/OPNsense/Freeradius/User.xml   |  22 +-
 .../mvc/app/models/OPNsense/Quagga/BFD.xml    |  10 +-
 .../mvc/app/models/OPNsense/Quagga/BGP.xml    | 106 +--
 .../app/models/OPNsense/Quagga/General.xml    |  18 +-
 .../mvc/app/models/OPNsense/Quagga/OSPF.xml   |  92 +--
 .../mvc/app/models/OPNsense/Quagga/OSPF6.xml  |  30 +-
 .../mvc/app/models/OPNsense/Quagga/RIP.xml    |  14 +-
 .../app/models/OPNsense/Quagga/STATICd.xml    |   6 +-
 .../app/models/OPNsense/FtpProxy/FtpProxy.xml |  26 +-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 746 +++++++++---------
 .../app/models/OPNsense/Ntopng/General.xml    |   4 +-
 .../OPNsense/RadSecProxy/RadSecProxy.xml      |  46 +-
 .../mvc/app/models/OPNsense/Relayd/Relayd.xml |  20 +-
 .../models/OPNsense/Shadowsocks/General.xml   |  14 +-
 .../app/models/OPNsense/Shadowsocks/Local.xml |  14 +-
 .../app/models/OPNsense/Siproxd/Domain.xml    |   8 +-
 .../app/models/OPNsense/Siproxd/General.xml   |  70 +-
 .../mvc/app/models/OPNsense/Siproxd/User.xml  |  10 +-
 .../mvc/app/models/OPNsense/Sslh/Settings.xml |   8 +-
 .../mvc/app/models/OPNsense/Tayga/General.xml |  14 +-
 .../models/OPNsense/Turnserver/Turnserver.xml |   6 +-
 .../UDPBroadcastRelay/UDPBroadcastRelay.xml   |  28 +-
 .../app/models/OPNsense/Vnstat/General.xml    |   4 +-
 .../mvc/app/models/OPNsense/Wol/Wol.xml       |  14 +-
 .../app/models/OPNsense/Zerotier/Zerotier.xml |  10 +-
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 226 +++---
 .../app/models/OPNsense/ClamAV/General.xml    |  70 +-
 .../mvc/app/models/OPNsense/ClamAV/Url.xml    |   4 +-
 .../app/models/OPNsense/CrowdSec/General.xml  |  18 +-
 .../app/models/OPNsense/Maltrail/General.xml  |  10 +-
 .../app/models/OPNsense/Maltrail/Sensor.xml   |   8 +-
 .../app/models/OPNsense/Maltrail/Server.xml   |   8 +-
 .../app/models/OPNsense/Softether/General.xml |   8 +-
 .../app/models/OPNsense/Stunnel/Stunnel.xml   |   2 +-
 .../OPNsense/Tailscale/Authentication.xml     |   2 +-
 .../models/OPNsense/Tailscale/Settings.xml    |  16 +-
 .../mvc/app/models/OPNsense/Tinc/Tinc.xml     |   6 +-
 .../app/models/OPNsense/Tor/ACLExitPolicy.xml |   6 +-
 .../models/OPNsense/Tor/ACLSocksPolicy.xml    |   6 +-
 .../mvc/app/models/OPNsense/Tor/General.xml   |  56 +-
 .../app/models/OPNsense/Tor/HiddenService.xml |  10 +-
 .../models/OPNsense/Tor/HiddenServiceACL.xml  |   8 +-
 .../mvc/app/models/OPNsense/Tor/Relay.xml     |  34 +-
 .../models/OPNsense/WazuhAgent/WazuhAgent.xml |  26 +-
 .../app/models/OPNsense/Apcupsd/Apcupsd.xml   |  36 +-
 .../models/OPNsense/Backup/GitSettings.xml    |   2 +-
 .../app/models/OPNsense/Hwprobe/General.xml   |   2 +-
 .../models/OPNsense/Backup/MailerSettings.xml |   6 +-
 .../app/models/OPNsense/Muninnode/General.xml |   8 +-
 .../OPNsense/Backup/NextcloudSettings.xml     |   8 +-
 .../models/OPNsense/NodeExporter/General.xml  |  28 +-
 .../mvc/app/models/OPNsense/Nut/Nut.xml       |  56 +-
 .../OPNsense/PuppetAgent/PuppetAgent.xml      |  18 +-
 .../models/OPNsense/Backup/SftpSettings.xml   |   2 +-
 .../mvc/app/models/Deciso/Proxy/ACL.xml       |   8 +-
 .../app/models/OPNsense/CICAP/Antivirus.xml   |  16 +-
 .../mvc/app/models/OPNsense/CICAP/General.xml |  30 +-
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |   6 +-
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 500 ++++++------
 .../app/models/OPNsense/ProxySSO/ProxySSO.xml |   4 +-
 109 files changed, 1782 insertions(+), 1782 deletions(-)

diff --git a/benchmarks/iperf/src/opnsense/mvc/app/models/OPNsense/iperf/FakeInstance.xml b/benchmarks/iperf/src/opnsense/mvc/app/models/OPNsense/iperf/FakeInstance.xml
index 939f4e21f0..1ca2f112ed 100644
--- a/benchmarks/iperf/src/opnsense/mvc/app/models/OPNsense/iperf/FakeInstance.xml
+++ b/benchmarks/iperf/src/opnsense/mvc/app/models/OPNsense/iperf/FakeInstance.xml
@@ -3,9 +3,9 @@
   <description>Fake model for the API - will be never stored to config (only used for defaults, validation etc.).</description>
   <items>
     <interface type="InterfaceField">
-      <default>lan</default>
+      <Default>lan</Default>
       <Required>Y</Required>
-      <multiple>N</multiple>
+      <Multiple>N</Multiple>
     </interface>
   </items>
 </model>
diff --git a/databases/redis/src/opnsense/mvc/app/models/OPNsense/Redis/Redis.xml b/databases/redis/src/opnsense/mvc/app/models/OPNsense/Redis/Redis.xml
index 0750ed1d80..2a2f05d315 100644
--- a/databases/redis/src/opnsense/mvc/app/models/OPNsense/Redis/Redis.xml
+++ b/databases/redis/src/opnsense/mvc/app/models/OPNsense/Redis/Redis.xml
@@ -4,27 +4,27 @@
   <items>
     <general>
       <enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enabled>
       <listen type="InterfaceField">
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </listen>
       <protected_mode type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </protected_mode>
       <port type="IntegerField">
         <MinimumValue>1</MinimumValue>
         <MaximumValue>65536</MaximumValue>
         <Required>N</Required>
-        <default>6379</default>
+        <Default>6379</Default>
         <ValidationMessage>This must be a valid port number.</ValidationMessage>
       </port>
       <log_level type="OptionField">
         <Required>Y</Required>
-        <default>warning</default>
+        <Default>warning</Default>
         <OptionValues>
           <debug>Debug</debug>
           <verbose>Verbose</verbose>
@@ -33,12 +33,12 @@
         </OptionValues>
       </log_level>
       <syslog_enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </syslog_enabled>
       <syslog_facility type="OptionField">
         <Required>Y</Required>
-        <default>LOCAL0</default>
+        <Default>LOCAL0</Default>
         <OptionValues>
           <USER>USER</USER>
           <LOCAL0>LOCAL0</LOCAL0>
@@ -54,7 +54,7 @@
       <databases type="IntegerField">
         <MinimumValue>0</MinimumValue>
         <Required>Y</Required>
-        <default>16</default>
+        <Default>16</Default>
       </databases>
     </general>
     <security>
@@ -68,7 +68,7 @@
       <maxclients type="IntegerField">
         <MinimumValue>0</MinimumValue>
         <Required>N</Required>
-        <default>10000</default>
+        <Default>10000</Default>
       </maxclients>
       <maxmemory type="IntegerField">
         <MinimumValue>0</MinimumValue>
@@ -76,7 +76,7 @@
       </maxmemory>
       <maxmemory_policy type="OptionField">
         <Required>Y</Required>
-        <default>noeviction</default>
+        <Default>noeviction</Default>
         <OptionValues>
           <noeviction>noeviction</noeviction>
           <volatile-ttl>volatile-ttl</volatile-ttl>
@@ -89,19 +89,19 @@
       <maxmemory_samples type="IntegerField">
         <MinimumValue>0</MinimumValue>
         <Required>N</Required>
-        <default>5</default>
+        <Default>5</Default>
       </maxmemory_samples>
     </limits>
     <slowlog>
       <slower_than type="IntegerField">
         <MinimumValue>0</MinimumValue>
         <Required>N</Required>
-        <default>10000</default>
+        <Default>10000</Default>
       </slower_than>
       <max_len type="IntegerField">
         <MinimumValue>0</MinimumValue>
         <Required>N</Required>
-        <default>128</default>
+        <Default>128</Default>
       </max_len>
     </slowlog>
   </items>
diff --git a/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml b/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
index 7208836b36..bffca06161 100644
--- a/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
+++ b/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
@@ -7,7 +7,7 @@
         <addresses>
             <address type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <email type="EmailField">
diff --git a/devel/helloworld/src/opnsense/mvc/app/models/OPNsense/HelloWorld/HelloWorld.xml b/devel/helloworld/src/opnsense/mvc/app/models/OPNsense/HelloWorld/HelloWorld.xml
index 097da52437..825a579b42 100644
--- a/devel/helloworld/src/opnsense/mvc/app/models/OPNsense/HelloWorld/HelloWorld.xml
+++ b/devel/helloworld/src/opnsense/mvc/app/models/OPNsense/HelloWorld/HelloWorld.xml
@@ -8,14 +8,14 @@
         <general>
             <!-- fields -->
             <Enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </Enabled>
             <SMTPHost type="NetworkField">
                 <Required>Y</Required>
             </SMTPHost>
             <FromEmail type="EmailField">
-                <default>sample@example.com</default>
+                <Default>sample@example.com</Default>
                 <Required>Y</Required>
             </FromEmail>
             <ToEmail type="EmailField">
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
index 870ee9ec03..3adae8986b 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
@@ -11,7 +11,7 @@
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z_\-]{1,32}$/u</mask>
+                    <Mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z_\-]{1,32}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, A-Z, _ and -. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
                      <Constraints>
                         <check001>
@@ -23,7 +23,7 @@
                 <networks type="NetworkField">
                     <FieldSeparator>,</FieldSeparator>
                     <Required>Y</Required>
-                    <asList>Y</asList>
+                    <AsList>Y</AsList>
                 </networks>
             </acl>
         </acls>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 4f885f4bae..4a939da393 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -19,7 +19,7 @@
                 </type>
                 <primaryip type="NetworkField">
                     <FieldSeparator>,</FieldSeparator>
-                    <asList>Y</asList>
+                    <AsList>Y</AsList>
                 </primaryip>
                 <transferkeyalgo type="OptionField">
                     <OptionValues>
@@ -35,7 +35,7 @@
                 <transferkey type="TextField"/>
                 <allownotifysecondary type="NetworkField">
                     <FieldSeparator>,</FieldSeparator>
-                    <asList>Y</asList>
+                    <AsList>Y</AsList>
                 </allownotifysecondary>
                 <domainname type="TextField">
                     <Required>Y</Required>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 72e771fbc8..0752ddcad3 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -19,13 +19,13 @@
             <Default>0.0.0.0</Default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </listenv4>
         <listenv6 type="NetworkField">
             <Default>::</Default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </listenv6>
         <querysource type="NetworkField">
             <AddressFamily>ipv4</AddressFamily>
@@ -49,7 +49,7 @@
         </port>
         <forwarders type="NetworkField">
             <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </forwarders>
         <filteraaaav4 type="BooleanField">
             <Default>0</Default>
@@ -61,7 +61,7 @@
         </filteraaaav6>
         <filteraaaaacl type="NetworkField">
             <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </filteraaaaacl>
         <logsize type="IntegerField">
             <Default>5</Default>
@@ -154,7 +154,7 @@
             <Default>0.0.0.0,::</Default>
             <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </ratelimitexcept>
         <rndcalgo type="OptionField">
             <Required>Y</Required>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 7157664393..d1652a3755 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -105,16 +105,16 @@
                 </server>
                 <username type="TextField">
                     <Required>N</Required>
-                    <mask>/^([a-zA-Z0-9\-.@_:+\%])*$/u</mask>
+                    <Mask>/^([a-zA-Z0-9\-.@_:+\%])*$/u</Mask>
                     <ValidationMessage>The username contains invalid characters.</ValidationMessage>
                 </username>
                 <password type="UpdateOnlyTextField">
                     <Required>N</Required>
-                    <mask>/^[^\n]*$/</mask>
+                    <Mask>/^[^\n]*$/</Mask>
                 </password>
                 <resourceId type="TextField">
                     <Required>N</Required>
-                    <mask>/^[^\n]*$/</mask>
+                    <Mask>/^[^\n]*$/</Mask>
                     <ValidationMessage>resourceId contains invalid characters.</ValidationMessage>
                 </resourceId>
                 <hostnames type="HostnameField">
@@ -169,7 +169,7 @@
                 </checkip>
                 <dynipv6host type="TextField">
                     <Required>N</Required>
-                    <mask>/^::(([0-9a-fA-F]{1,4}:){0,3}[0-9a-fA-F]{1,4})?$/u</mask>
+                    <Mask>/^::(([0-9a-fA-F]{1,4}:){0,3}[0-9a-fA-F]{1,4})?$/u</Mask>
                     <ValidationMessage>Entry is not a valid partial ipv6 address definition (e.g. ::1000).</ValidationMessage>
                 </dynipv6host>
                 <checkip_timeout type="IntegerField">
@@ -201,7 +201,7 @@
                 </interface>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^(.){1,255}$/u</mask>
+                    <Mask>/^(.){1,255}$/u</Mask>
                     <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
                 </description>
             </account>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.xml
index fd1c125db5..a76121b983 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Cloak.xml
@@ -6,7 +6,7 @@
         <cloaks>
             <cloak type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
index 95a89c1288..4b056064dd 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
@@ -4,7 +4,7 @@
     <version>1.0.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <type type="OptionField">
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.xml
index 5632cc3a61..243cca945f 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Forward.xml
@@ -6,7 +6,7 @@
         <forwards>
             <forward type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <domain type="HostnameField">
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index f7a64b9072..16cd57a7ce 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -4,130 +4,130 @@
     <version>0.1.2</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <listen_addresses type="CSVListField">
-            <default>0.0.0.0:5353</default>
+            <Default>0.0.0.0:5353</Default>
             <Required>Y</Required>
         </listen_addresses>
         <allowprivileged type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </allowprivileged>
         <max_clients type="IntegerField">
-            <default>250</default>
+            <Default>250</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>10000</MaximumValue>
             <ValidationMessage>Choose a number between 1 and 10000.</ValidationMessage>
         </max_clients>
         <ipv4_servers type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </ipv4_servers>
         <ipv6_servers type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </ipv6_servers>
         <dnscrypt_servers type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </dnscrypt_servers>
         <doh_servers type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </doh_servers>
         <require_dnssec type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </require_dnssec>
         <require_nolog type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </require_nolog>
         <require_nofilter type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </require_nofilter>
         <force_tcp type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </force_tcp>
         <proxy type="TextField">
             <Required>N</Required>
         </proxy>
         <timeout type="IntegerField">
-            <default>2500</default>
+            <Default>2500</Default>
             <Required>Y</Required>
             <MinimumValue>100</MinimumValue>
             <MaximumValue>10000</MaximumValue>
             <ValidationMessage>Choose a number between 100 and 10000.</ValidationMessage>
         </timeout>
         <keepalive type="IntegerField">
-            <default>30</default>
+            <Default>30</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>600</MaximumValue>
             <ValidationMessage>Choose a number between 1 and 600.</ValidationMessage>
         </keepalive>
         <cert_refresh_delay type="IntegerField">
-            <default>240</default>
+            <Default>240</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>3600</MaximumValue>
             <ValidationMessage>Choose a number between 1 and 3600.</ValidationMessage>
         </cert_refresh_delay>
         <dnscrypt_ephemeral_keys type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </dnscrypt_ephemeral_keys>
         <tls_disable_session_tickets type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </tls_disable_session_tickets>
         <fallback_resolver type="TextField">
-            <default>9.9.9.9:53</default>
+            <Default>9.9.9.9:53</Default>
             <Required>Y</Required>
         </fallback_resolver>
         <block_ipv6 type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </block_ipv6>
         <cache type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </cache>
         <cache_size type="IntegerField">
-            <default>512</default>
+            <Default>512</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>20480</MaximumValue>
             <ValidationMessage>Choose a number between 1 and 20480.</ValidationMessage>
         </cache_size>
         <cache_min_ttl type="IntegerField">
-            <default>600</default>
+            <Default>600</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>3600</MaximumValue>
             <ValidationMessage>Choose a number between 1 and 3600.</ValidationMessage>
         </cache_min_ttl>
         <cache_max_ttl type="IntegerField">
-            <default>86400</default>
+            <Default>86400</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>86400</MaximumValue>
             <ValidationMessage>Choose a number between 1 and 86400.</ValidationMessage>
         </cache_max_ttl>
         <cache_neg_min_ttl type="IntegerField">
-            <default>60</default>
+            <Default>60</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>3600</MaximumValue>
             <ValidationMessage>Choose a number between 1 and 3600.</ValidationMessage>
         </cache_neg_min_ttl>
         <cache_neg_max_ttl type="IntegerField">
-            <default>600</default>
+            <Default>600</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>86400</MaximumValue>
@@ -137,12 +137,12 @@
             <Required>N</Required>
         </serverlist>
         <query_logs type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </query_logs>
         <disabled_serverlist type="CSVListField">
-            <mask>/^[A-Za-z0-9\._\-]{1,70}(,[A-Za-z0-9\._\-]{1,70})*$/</mask>
-            <default></default>
+            <Mask>/^[A-Za-z0-9\._\-]{1,70}(,[A-Za-z0-9\._\-]{1,70})*$/</Mask>
+            <Default></Default>
             <Required>N</Required>
             <ValidationMessage>Please use valid server names.</ValidationMessage>
         </disabled_serverlist>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Server.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Server.xml
index 873cfaf6e6..2af1f6abb1 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Server.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Server.xml
@@ -6,7 +6,7 @@
         <servers>
             <server type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml
index f13e2463d3..ae33ad3f66 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml
@@ -6,7 +6,7 @@
         <whitelists>
             <whitelist type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
index 8c037740b5..605cb30b83 100644
--- a/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
@@ -5,16 +5,16 @@
     <items>
         <general>
             <Enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </Enabled>
             <LogDebug type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>N</Required>
             </LogDebug>
             <DisabledRPCs type="OptionField">
                 <Required>N</Required>
-                <default></default>
+                <Default></Default>
                 <Sorted>Y</Sorted>
                 <Multiple>Y</Multiple>
                 <OptionValues>
diff --git a/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.xml b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.xml
index 42284290b8..68a2ba78a7 100644
--- a/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.xml
+++ b/ftp/tftp/src/opnsense/mvc/app/models/OPNsense/Tftp/General.xml
@@ -4,11 +4,11 @@
     <version>0.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <listen type="HostnameField">
-            <default>127.0.0.1</default>
+            <Default>127.0.0.1</Default>
             <Required>Y</Required>
         </listen>
     </items>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Address.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Address.xml
index ffaf8c949e..73baf4a493 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Address.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Address.xml
@@ -6,7 +6,7 @@
         <addresses>
             <address type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <from type="TextField">
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Antispam.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Antispam.xml
index fdb3cac7fd..037907446a 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Antispam.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Antispam.xml
@@ -4,11 +4,11 @@
     <version>1.0.2</version>
     <items>
         <enable_rspamd type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enable_rspamd>
         <default_action type="OptionField">
-            <default>accept</default>
+            <Default>accept</Default>
             <Required>Y</Required>
             <OptionValues>
                 <accept>accept</accept>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Domain.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Domain.xml
index f74d697d70..a4af4ed775 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Domain.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Domain.xml
@@ -6,17 +6,17 @@
         <domains>
                 <domain type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <domainname type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                         </domainname>
                         <destination type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
-                                <mask>/^([0-9a-zA-Z.:\-\[\]]){1,64}$/u</mask>
+                                <Mask>/^([0-9a-zA-Z.:\-\[\]]){1,64}$/u</Mask>
                                 <ValidationMessage>Only 64 of the following characters are allowed: 0-9a-zA-Z.:-[]</ValidationMessage>
                         </destination>
             </domain>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index 5a7c0c41ac..a78a6b5b8f 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -4,31 +4,31 @@
     <version>1.2.7</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <myhostname type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </myhostname>
         <mydomain type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </mydomain>
         <myorigin type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </myorigin>
         <inet_interfaces type="TextField">
-            <default>all</default>
+            <Default>all</Default>
             <Required>Y</Required>
         </inet_interfaces>
         <inet_port type="PortField">
-            <default>25</default>
+            <Default>25</Default>
             <Required>Y</Required>
         </inet_port>
         <ip_version type="OptionField">
-            <default>all</default>
+            <Default>all</Default>
             <Required>Y</Required>
             <OptionValues>
                 <all>All</all>
@@ -45,24 +45,24 @@
             <AddressFamily>ipv6</AddressFamily>
         </bind_address6>
         <mynetworks type="CSVListField">
-            <default>127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128</default>
+            <Default>127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128</Default>
             <Required>Y</Required>
         </mynetworks>
         <banner type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </banner>
         <message_size_limit type="IntegerField">
-            <default>51200000</default>
+            <Default>51200000</Default>
             <Required>Y</Required>
         </message_size_limit>
         <masquerade_domains type="CSVListField">
             <Required>N</Required>
-            <mask>/^([0-9a-z\.\-\_]{1,128})(,[0-9a-z\.\-\_]{1,128})*$/ui</mask>
+            <Mask>/^([0-9a-z\.\-\_]{1,128})(,[0-9a-z\.\-\_]{1,128})*$/ui</Mask>
             <ValidationMessage>Only up to 128 of the following characters are allowed: 0-9a-zA-Z.-_</ValidationMessage>
         </masquerade_domains>
         <tls_server_compatibility type="OptionField">
-            <default>intermediate</default>
+            <Default>intermediate</Default>
             <Required>Y</Required>
             <OptionValues>
                 <modern>Modern</modern>
@@ -71,7 +71,7 @@
             </OptionValues>
         </tls_server_compatibility>
         <tls_client_compatibility type="OptionField">
-            <default>intermediate</default>
+            <Default>intermediate</Default>
             <Required>Y</Required>
             <OptionValues>
                 <modern>Modern</modern>
@@ -80,7 +80,7 @@
             </OptionValues>
         </tls_client_compatibility>
         <tlswrappermode type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </tlswrappermode>
         <certificate type="CertificateField">
@@ -92,7 +92,7 @@
             <Required>N</Required>
         </ca>
         <smtpclient_security type="OptionField">
-            <default>may</default>
+            <Default>may</Default>
             <Required>Y</Required>
             <OptionValues>
                 <none>none</none>
@@ -103,91 +103,91 @@
         </smtpclient_security>
         <relayhost type="TextField">
             <Required>N</Required>
-            <mask>/^([0-9a-zA-Z.:\-\[\]]){1,64}$/u</mask>
+            <Mask>/^([0-9a-zA-Z.:\-\[\]]){1,64}$/u</Mask>
             <ValidationMessage>Only 64 of the following characters are allowed: 0-9a-zA-Z.:-[]</ValidationMessage>
         </relayhost>
         <smtpauth_enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </smtpauth_enabled>
         <smtpauth_user type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </smtpauth_user>
         <smtpauth_password type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </smtpauth_password>
         <enforce_recipient_check type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enforce_recipient_check>
         <extensive_helo_restrictions type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </extensive_helo_restrictions>
         <extensive_sender_restrictions type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </extensive_sender_restrictions>
         <reject_unknown_client_hostname type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </reject_unknown_client_hostname>
         <reject_non_fqdn_helo_hostname type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </reject_non_fqdn_helo_hostname>
         <reject_invalid_helo_hostname type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </reject_invalid_helo_hostname>
         <reject_unknown_helo_hostname type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </reject_unknown_helo_hostname>
         <reject_unauth_pipelining type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </reject_unauth_pipelining>
         <reject_unknown_sender_domain type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </reject_unknown_sender_domain>
         <reject_unknown_recipient_domain type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </reject_unknown_recipient_domain>
         <reject_non_fqdn_sender type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </reject_non_fqdn_sender>
         <reject_non_fqdn_recipient type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </reject_non_fqdn_recipient>
         <permit_sasl_authenticated type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </permit_sasl_authenticated>
         <permit_tls_clientcerts type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </permit_tls_clientcerts>
         <permit_mynetworks type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </permit_mynetworks>
         <reject_unauth_destination type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </reject_unauth_destination>
         <reject_unverified_recipient type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </reject_unverified_recipient>
         <delay_warning_time type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>24</MaximumValue>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.xml
index 8e8b48377a..6846562502 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Headerchecks.xml
@@ -6,7 +6,7 @@
         <headerchecks>
             <headercheck type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <expression type="TextField">
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipient.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipient.xml
index 40b5c48b46..5782e4a535 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipient.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipient.xml
@@ -6,7 +6,7 @@
         <recipients>
                 <recipient type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <address type="TextField">
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipientbcc.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipientbcc.xml
index f763871c34..1adf180358 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipientbcc.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipientbcc.xml
@@ -6,7 +6,7 @@
         <recipientbccs>
             <recipientbcc type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <from type="TextField">
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sender.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sender.xml
index ad250f8027..6408af54d1 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sender.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sender.xml
@@ -6,7 +6,7 @@
         <senders>
                 <sender type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <address type="TextField">
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Senderbcc.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Senderbcc.xml
index 7f2610a926..4d696bffd5 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Senderbcc.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Senderbcc.xml
@@ -6,7 +6,7 @@
         <senderbccs>
             <senderbcc type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <from type="TextField">
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sendercanonical.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sendercanonical.xml
index 46b342438f..0662d4d1f7 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sendercanonical.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sendercanonical.xml
@@ -6,7 +6,7 @@
         <sendercanonicals>
             <sendercanonical type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <from type="TextField">
diff --git a/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml b/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
index 66453a0fe7..5bd77ea2f4 100644
--- a/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
+++ b/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
@@ -5,15 +5,15 @@
   <items>
     <general>
       <enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enabled>
       <enable_redis_plugin type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enable_redis_plugin>
       <enable_bayes_autolearn type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enable_bayes_autolearn>
       <rejectscore type="IntegerField">
@@ -120,47 +120,47 @@
         <Required>N</Required>
       </rewritesubject>
       <historyrows type="IntegerField">
-        <default>200</default>
+        <Default>200</Default>
         <Required>Y</Required>
         <MinimumValue>1</MinimumValue>
         <MaximumValue>100000</MaximumValue>
         <ValidationMessage>Choose a value between 1 and 100000.</ValidationMessage>
       </historyrows>
       <nameserver type="HostnameField">
-        <default>127.0.0.1</default>
+        <Default>127.0.0.1</Default>
         <Required>Y</Required>
         <FieldSeparator>,</FieldSeparator>
-        <asList>Y</asList>
+        <AsList>Y</AsList>
       </nameserver>
     </general>
 
     <milter_headers>
       <enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enabled>
       <enable_extended_spam_headers type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enable_extended_spam_headers>
       <enable_authentication_results type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enable_authentication_results>
       <enable_spamd_bar type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enable_spamd_bar>
       <skip_local type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </skip_local>
       <skip_authenticated type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </skip_authenticated>
       <extended_headers_rcpt type="CSVListField">
-        <mask>/[a-z0-9\.\-_@,]+/i</mask>
+        <Mask>/[a-z0-9\.\-_@,]+/i</Mask>
         <Required>N</Required>
       </extended_headers_rcpt>
     </milter_headers>
@@ -182,18 +182,18 @@
         <Required>N</Required>
         <MaximumValue>32</MaximumValue>
         <ValidationMessage>A valid IPv4 mask must be between 1 and 32 bits.</ValidationMessage>
-        <default>19</default>
+        <Default>19</Default>
       </ipv4mask>
       <ipv6mask type="IntegerField">
         <MinimumValue>1</MinimumValue>
         <Required>N</Required>
         <MaximumValue>128</MaximumValue>
-        <default>64</default>
+        <Default>64</Default>
         <ValidationMessage>A valid IPv6 mask must be between 1 and 128 bits. 64 bits are recommended as this is the recommended subnet size in IPv6.</ValidationMessage>
       </ipv6mask>
       <whitelist_ip type="CSVListField">
         <Required>N</Required>
-        <mask>/^([a-fA-F0-9\.:\[\]\/]*?,)*([a-fA-F0-9\.:\[\]\/]*)$/</mask>
+        <Mask>/^([a-fA-F0-9\.:\[\]\/]*?,)*([a-fA-F0-9\.:\[\]\/]*)$/</Mask>
       </whitelist_ip>
     </graylist>
 
@@ -214,44 +214,44 @@
         <ValidationMessage>A valid time jitter must be set.</ValidationMessage>
       </time_jitter>
       <trusted_only type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </trusted_only>
       <skip_multi type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </skip_multi>
       <!-- dkim signing -->
       <allow_envfrom_empty type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </allow_envfrom_empty>
       <allow_hdrfrom_mismatch type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </allow_hdrfrom_mismatch>
       <allow_hdrfrom_multiple type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </allow_hdrfrom_multiple>
       <allow_username_mismatch type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </allow_username_mismatch>
       <auth_only type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </auth_only>
       <sign_local type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </sign_local>
       <try_fallback type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </try_fallback>
       <use_domain type="OptionField">
-        <default>header</default>
+        <Default>header</Default>
         <Required>Y</Required>
         <OptionValues>
           <header>Header</header>
@@ -259,43 +259,43 @@
         </OptionValues>
       </use_domain>
       <use_esld type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </use_esld>
     </dkim>
 
     <mx-check>
       <enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enabled>
       <expire type="IntegerField">
         <MinimumValue>1</MinimumValue>
         <Required>N</Required>
-        <default>86400</default>
+        <Default>86400</Default>
         <ValidationMessage>A valid cache expiration must be set.</ValidationMessage>
       </expire>
     </mx-check>
 
     <phishing>
       <openphish_enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </openphish_enabled>
       <openphish_map type="TextField">
-        <default></default>
+        <Default></Default>
         <Required>N</Required>
       </openphish_map>
       <openphish_premium_enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </openphish_premium_enabled>
       <phishtank_enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </phishtank_enabled>
       <phishtank_map type="TextField">
-        <default></default>
+        <Default></Default>
         <Required>N</Required>
       </phishtank_map>
       <exclusion type="CSVListField">
@@ -316,7 +316,7 @@
           <ValidationMessage>The time must be a positive integer.</ValidationMessage>
         </time>
         <time_unit type="OptionField">
-          <default>m</default>
+          <Default>m</Default>
           <Required>Y</Required>
           <OptionValues>
             <s>Seconds</s>
@@ -337,7 +337,7 @@
           <ValidationMessage>The time must be a positive integer.</ValidationMessage>
         </time>
         <time_unit type="OptionField">
-          <default>m</default>
+          <Default>m</Default>
           <Required>Y</Required>
           <OptionValues>
             <s>Seconds</s>
@@ -358,7 +358,7 @@
           <ValidationMessage>The time must be a positive integer.</ValidationMessage>
         </time>
         <time_unit type="OptionField">
-          <default>m</default>
+          <Default>m</Default>
           <Required>Y</Required>
           <OptionValues>
             <s>Seconds</s>
@@ -379,7 +379,7 @@
           <ValidationMessage>The time must be a positive integer.</ValidationMessage>
         </time>
         <time_unit type="OptionField">
-          <default>m</default>
+          <Default>m</Default>
           <Required>Y</Required>
           <OptionValues>
             <s>Seconds</s>
@@ -400,7 +400,7 @@
           <ValidationMessage>The time must be a positive integer.</ValidationMessage>
         </time>
         <time_unit type="OptionField">
-          <default>m</default>
+          <Default>m</Default>
           <Required>Y</Required>
           <OptionValues>
             <s>Seconds</s>
@@ -421,7 +421,7 @@
           <ValidationMessage>The time must be a positive integer.</ValidationMessage>
         </time>
         <time_unit type="OptionField">
-          <default>m</default>
+          <Default>m</Default>
           <Required>Y</Required>
           <OptionValues>
             <s>Seconds</s>
@@ -431,26 +431,26 @@
         </time_unit>
       </user>
       <whitelisted_rcpts type="CSVListField">
-        <default>postmaster,mailer-daemon</default>
+        <Default>postmaster,mailer-daemon</Default>
       </whitelisted_rcpts>
       <max_rcpt type="IntegerField">
         <MinimumValue>1</MinimumValue>
         <Required>Y</Required>
-        <default>20</default>
+        <Default>20</Default>
       </max_rcpt>
     </rate_limit>
 
     <spamtrap>
       <enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enabled>
       <fuzzy_learning type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </fuzzy_learning>
       <spam_learning type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </spam_learning>
       <spam_recipients type="CSVListField">
@@ -462,7 +462,7 @@
       <spf_cache_size type="IntegerField">
         <MinimumValue>1</MinimumValue>
         <Required>N</Required>
-        <default>2</default>
+        <Default>2</Default>
         <ValidationMessage>A valid cache size in kilobytes must be set.</ValidationMessage>
       </spf_cache_size>
       <spf_cache_expire type="IntegerField">
@@ -474,16 +474,16 @@
 
     <av>
       <force-reject type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </force-reject>
       <attachments-only type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </attachments-only>
       <max-size type="IntegerField">
         <MinimumValue>1</MinimumValue>
-        <default>20000000</default>
+        <Default>20000000</Default>
         <Required>N</Required>
         <ValidationMessage>A valid maximum size in bytes must be set.</ValidationMessage>
       </max-size>
@@ -504,7 +504,7 @@
     <multimap>
       <badfileextension type="CSVListField">
         <Required>N</Required>
-        <default>exe,dll,scr,com,cmd,js,bat,vbs,ps1,bat,cpl,lnk,msi,msp,reg</default>
+        <Default>exe,dll,scr,com,cmd,js,bat,vbs,ps1,bat,cpl,lnk,msi,msp,reg</Default>
       </badfileextension>
       <whitelistsender type="CSVListField">
         <Required>N</Required>
diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
index ead3dcf6c9..35ca8d0b2b 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
@@ -4,141 +4,141 @@
     <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <hostname type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-	    <mask>/^.{1,64}$/u</mask>
+	    <Mask>/^.{1,64}$/u</Mask>
         </hostname>
         <fqdnlookup type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </fqdnlookup>
         <interval type="IntegerField">
-            <default>10</default>
+            <Default>10</Default>
             <Required>N</Required>
         </interval>
         <p_network_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </p_network_enable>
         <p_network_host type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-	    <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
-	    <mask>/^([0-9a-zA-Z\-\.]){1,1024}$/u</mask>
+	    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+	    <Mask>/^([0-9a-zA-Z\-\.]){1,1024}$/u</Mask>
         </p_network_host>
         <p_network_port type="IntegerField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
 	    <MinimumValue>1</MinimumValue>
 	    <MaximumValue>65535</MaximumValue>
         </p_network_port>
         <p_network_username type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+            <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
         </p_network_username>
             <p_network_password type="TextField">
-                <default></default>
+                <Default></Default>
             <Required>N</Required>
-            <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){1,128}$/u</mask>
+            <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){1,128}$/u</Mask>
         </p_network_password>
             <p_network_encryption type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
             <Required>N</Required>
         </p_network_encryption>
         <p_graphite_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </p_graphite_enable>
         <p_graphite_node type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </p_graphite_node>
         <p_graphite_host type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-	    <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+	    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
         </p_graphite_host>
         <p_graphite_port type="IntegerField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
 	    <MinimumValue>1</MinimumValue>
 	    <MaximumValue>65535</MaximumValue>
         </p_graphite_port>
         <p_graphite_prefix type="TextField">
-            <default>collectd</default>
+            <Default>collectd</Default>
             <Required>N</Required>
         </p_graphite_prefix>
         <p_graphite_postfix type="TextField">
-            <default>collectd</default>
+            <Default>collectd</Default>
             <Required>N</Required>
         </p_graphite_postfix>
         <p_graphite_separate_instances type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </p_graphite_separate_instances>
         <p_contextswitch_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_contextswitch_enable>
         <p_cpu_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_cpu_enable>
         <p_cpu_percent type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_cpu_percent>
         <p_cpu_aggregates type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_cpu_aggregates>
         <p_disk_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_disk_enable>
         <p_df_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_df_enable>
         <p_interface_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_interface_enable>
         <p_load_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_load_enable>
         <p_memory_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_memory_enable>
         <p_swap_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_swap_enable>
         <p_processes_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_processes_enable>
         <p_uptime_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_uptime_enable>
         <p_users_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </p_users_enable>
         <p_tcpconns type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </p_tcpconns>
         <p_ipstats type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </p_ipstats>
     </items>
diff --git a/net-mgmt/lldpd/src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml b/net-mgmt/lldpd/src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml
index 30304bf6f0..1385c882b1 100644
--- a/net-mgmt/lldpd/src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml
+++ b/net-mgmt/lldpd/src/opnsense/mvc/app/models/OPNsense/Lldpd/General.xml
@@ -4,27 +4,27 @@
     <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <cdp type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </cdp>
         <fdp type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </fdp>
         <edp type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </edp>
         <sonmp type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </sonmp>
         <agentx type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </agentx>
         <interface type="TextField">
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
index aad29a1693..c3e0d7e951 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
@@ -4,41 +4,41 @@
     <version>1.0.5</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <community type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </community>
         <syslocation type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </syslocation>
         <syscontact type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </syscontact>
         <l3visibility type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </l3visibility>
         <versionoid type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </versionoid>
         <enableagentx type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enableagentx>
         <enableobservium type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enableobservium>
         <listen type="NetworkField">
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </listen>
     </items>
 </model>
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/User.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/User.xml
index 89aff6d46d..9a705d5320 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/User.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/User.xml
@@ -6,29 +6,29 @@
         <users>
             <user type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <username type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,64}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,64}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are 0-9a-zA-Z._-</ValidationMessage>
                 </username>
                 <password type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){8,64}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){8,64}$/u</Mask>
                     <ValidationMessage>Should be a string between 8 and 64 characters. Allowed characters are 0-9a-zA-Z._-!$%/()+#=</ValidationMessage>
                 </password>
                 <enckey type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){8,64}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){8,64}$/u</Mask>
                     <ValidationMessage>Should be a string between 8 and 64 characters. Allowed characters are 0-9a-zA-Z._-!$%/()+#=</ValidationMessage>
                 </enckey>
                 <readwrite type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </readwrite>
             </user>
diff --git a/net-mgmt/netdata/src/opnsense/mvc/app/models/OPNsense/Netdata/General.xml b/net-mgmt/netdata/src/opnsense/mvc/app/models/OPNsense/Netdata/General.xml
index dc986088ee..18d1fd9f27 100644
--- a/net-mgmt/netdata/src/opnsense/mvc/app/models/OPNsense/Netdata/General.xml
+++ b/net-mgmt/netdata/src/opnsense/mvc/app/models/OPNsense/Netdata/General.xml
@@ -4,15 +4,15 @@
     <version>0.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <listen type="HostnameField">
-            <default>127.0.0.1</default>
+            <Default>127.0.0.1</Default>
             <Required>Y</Required>
         </listen>
         <port type="PortField">
-            <default>19999</default>
+            <Default>19999</Default>
             <Required>Y</Required>
         </port>
     </items>
diff --git a/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml b/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml
index 594bf0845a..a158754a3e 100644
--- a/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml
+++ b/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml
@@ -6,13 +6,13 @@
         <commands>
             <command type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
-                    <mask>/^[0-9a-z_\-]{1,32}$/ui</mask>
+                    <Mask>/^[0-9a-z_\-]{1,32}$/ui</Mask>
                     <ValidationMessage>Only alphanumeric characters, dashes and underscores allowed.</ValidationMessage>
                 </name>
                 <nrpecommand type="TextField">
diff --git a/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml b/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml
index 8f7907e74d..b1ed611e84 100644
--- a/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml
+++ b/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml
@@ -4,42 +4,42 @@
     <version>0.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <server_port type="PortField">
-            <default>5666</default>
+            <Default>5666</Default>
             <Required>Y</Required>
         </server_port>
         <server_address type="NetworkField">
-            <default>127.0.0.1</default>
+            <Default>127.0.0.1</Default>
             <Required>Y</Required>
             <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </server_address>
         <allowed_hosts type="NetworkField">
-            <default>127.0.0.1,::1</default>
+            <Default>127.0.0.1,::1</Default>
             <Required>Y</Required>
             <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </allowed_hosts>
         <dont_blame_nrpe type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </dont_blame_nrpe>
         <allow_bash_command_substitution type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </allow_bash_command_substitution>
         <command_timeout type="IntegerField">
-            <default>60</default>
+            <Default>60</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>900</MaximumValue>
             <ValidationMessage>Value must be between 1 and 900.</ValidationMessage>
         </command_timeout>
         <connection_timeout type="IntegerField">
-            <default>300</default>
+            <Default>300</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>900</MaximumValue>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
index ed05705e35..f3ef2714ce 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
@@ -4,55 +4,55 @@
     <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <wheelgroup type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </wheelgroup>
         <interval type="IntegerField">
-            <default>10</default>
+            <Default>10</Default>
             <Required>Y</Required>
         </interval>
         <roundinterval type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </roundinterval>
         <metric_batch_size type="IntegerField">
-            <default>1000</default>
+            <Default>1000</Default>
             <Required>Y</Required>
         </metric_batch_size>
         <metric_buffer_limit type="IntegerField">
-            <default>10000</default>
+            <Default>10000</Default>
             <Required>Y</Required>
         </metric_buffer_limit>
         <collection_jitter type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </collection_jitter>
         <flush_interval type="IntegerField">
-            <default>10</default>
+            <Default>10</Default>
             <Required>Y</Required>
         </flush_interval>
         <flush_jitter type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
 	        <Required>Y</Required>
 	    </flush_jitter>
         <hostname type="TextField">
-            <default></default>
+            <Default></Default>
 	        <Required>N</Required>
 	    </hostname>
         <omit_hostname type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
 	        <Required>Y</Required>
 	    </omit_hostname>
         <quiet type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </quiet>
         <debug type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </debug>
     </items>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index 51b8e4645d..f2edc64a37 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -4,75 +4,75 @@
     <version>1.0.3</version>
     <items>
         <cpu type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </cpu>
         <cpu_percpu type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </cpu_percpu>
         <cpu_totalcpu type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </cpu_totalcpu>
         <collect_cpu_time type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </collect_cpu_time>
         <disk type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </disk>
         <disk_mount_points type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </disk_mount_points>
         <disk_ignore_fs type="CSVListField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </disk_ignore_fs>
         <diskio type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </diskio>
         <internet_speed type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </internet_speed>
         <internet_speed_file type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </internet_speed_file>
         <internet_speed_interval type="IntegerField">
-            <default>360</default>
+            <Default>360</Default>
             <Required>N</Required>
         </internet_speed_interval>
         <mem type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </mem>
         <processes type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </processes>
         <swap type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </swap>
         <system type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </system>
         <network type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </network>
         <pf type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </pf>
         <ping type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </ping>
         <ping_count type="IntegerField">
@@ -82,7 +82,7 @@
             <Required>N</Required>
         </ping_hosts>
         <ping6 type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </ping6>
         <ping6_count type="IntegerField">
@@ -92,23 +92,23 @@
             <Required>N</Required>
         </ping6_hosts>
         <haproxy type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </haproxy>
         <zfs type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </zfs>
         <ntpq type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </ntpq>
         <ntpq_dns_lookup type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </ntpq_dns_lookup>
         <intrusion_detection_alerts type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </intrusion_detection_alerts>
         <unbound type="BooleanField">
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Key.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Key.xml
index 855b93bef1..c49ccdb334 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Key.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Key.xml
@@ -6,19 +6,19 @@
         <keys>
             <key type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
                     <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
                 </name>
                 <value type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
                     <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
                 </value>
             </key>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 6118dcb98b..21c424e128 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -4,35 +4,35 @@
     <version>1.4.6</version>
     <items>
         <influx_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </influx_enable>
         <influx_url type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </influx_url>
         <influx_database type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </influx_database>
         <influx_timeout type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>N</Required>
         </influx_timeout>
         <influx_username type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </influx_username>
         <influx_password type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </influx_password>
         <influx_insecure_skip_verify type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </influx_insecure_skip_verify>
         <graphite_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </graphite_enable>
         <graphite_server type="TextField">
@@ -45,26 +45,26 @@
             <Required>N</Required>
         </graphite_template>
         <graphite_ssl_disable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </graphite_ssl_disable>
         <graphite_verify type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </graphite_verify>
         <graphite_tagsupport type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </graphite_tagsupport>
         <graylog_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </graylog_enable>
         <graylog_server type="TextField">
             <Required>N</Required>
         </graylog_server>
         <elastic_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </elastic_enable>
         <elastic_url type="TextField">
@@ -77,82 +77,82 @@
             <Required>N</Required>
         </elastic_password>
         <elastic_timeout type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>N</Required>
         </elastic_timeout>
         <elastic_indexname type="TextField">
-            <default>telegraf-%Y.%m.%d</default>
+            <Default>telegraf-%Y.%m.%d</Default>
             <Required>N</Required>
         </elastic_indexname>
         <prometheus_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </prometheus_enable>
         <prometheus_listen type="PortField">
-            <default>9273</default>
+            <Default>9273</Default>
             <Required>N</Required>
         </prometheus_listen>
         <prometheus_exclude type="CSVListField">
             <Required>N</Required>
         </prometheus_exclude>
         <prometheus_stringaslabel type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </prometheus_stringaslabel>
         <influx_v2_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </influx_v2_enable>
         <influx_v2_url type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </influx_v2_url>
         <influx_v2_token type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </influx_v2_token>
         <influx_v2_organization type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </influx_v2_organization>
         <influx_v2_bucket type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </influx_v2_bucket>
         <influx_v2_insecure_skip_verify type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </influx_v2_insecure_skip_verify>
         <influx_v2_timeout type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>N</Required>
         </influx_v2_timeout>
         <datadog_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </datadog_enable>
         <datadog_url type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </datadog_url>
         <datadog_apikey type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </datadog_apikey>
         <mqtt_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </mqtt_enable>
         <mqtt_topic_prefix type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+            <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen are allowed. Do not use more than 128 characters.</ValidationMessage>
         </mqtt_topic_prefix>
         <mqtt_topic type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-            <mask>/^([0-9a-zA-Z._\-\/{}]){1,200}$/u</mask>
+            <Mask>/^([0-9a-zA-Z._\-\/{}]){1,200}$/u</Mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore, hyphen, slash and curly braces are allowed. Do not use more than 200 characters.</ValidationMessage>
         </mqtt_topic>
         <mqtt_servers type="CSVListField">
@@ -161,17 +161,17 @@
             <FieldSeparator>,</FieldSeparator>
         </mqtt_servers>
         <mqtt_insecure_skip_verify type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </mqtt_insecure_skip_verify>
         <mqtt_client_id type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+            <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
         </mqtt_client_id>
         <mqtt_qos type="OptionField">
-            <default>2</default>
+            <Default>2</Default>
             <Required>Y</Required>
             <OptionValues>
                 <qos0 value="0">(0) At most once</qos0>
@@ -180,25 +180,25 @@
             </OptionValues>
         </mqtt_qos>
         <mqtt_retain type="BooleanField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </mqtt_retain>
         <mqtt_timeout type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>N</Required>
         </mqtt_timeout>
         <mqtt_username type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-            <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+            <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
         </mqtt_username>
         <mqtt_password type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </mqtt_password>
         <mqtt_layout type="OptionField">
-            <default>non-batch</default>
+            <Default>non-batch</Default>
             <Required>Y</Required>
             <OptionValues>
                 <non-batch>(non-batch) send individual messages, one for each metric</non-batch>
@@ -207,7 +207,7 @@
             </OptionValues>
         </mqtt_layout>
         <mqtt_data_format type="OptionField">
-            <default>influx</default>
+            <Default>influx</Default>
             <Required>Y</Required>
             <OptionValues>
                 <carbon2>Carbon2</carbon2>
@@ -225,22 +225,22 @@
             </OptionValues>
         </mqtt_data_format>
         <opentelemetry_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </opentelemetry_enable>
         <opentelemetry_server type="TextField">
             <Required>N</Required>
         </opentelemetry_server>
         <opentelemetry_insecure_skip_verify type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </opentelemetry_insecure_skip_verify>
         <opentelemetry_timeout type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>N</Required>
         </opentelemetry_timeout>
         <opentelemetry_compression type="OptionField">
-            <default>gzip</default>
+            <Default>gzip</Default>
             <Required>Y</Required>
             <OptionValues>
                 <gzip>gzip</gzip>
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index 6e09e77d48..9527d03286 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -6,38 +6,38 @@
         <!-- local settings that should NOT be synced to another node -->
         <local>
             <hostname type="TextField">
-                <default>Zabbix agent</default>
+                <Default>Zabbix agent</Default>
                 <Required>Y</Required>
-                <mask>/^.{1,255}$/u</mask>
+                <Mask>/^.{1,255}$/u</Mask>
                 <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
             </hostname>
         </local>
         <settings>
             <main>
                 <enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </enabled>
                 <serverList type="CSVListField">
-                    <default>127.0.0.1</default>
+                    <Default>127.0.0.1</Default>
                     <Required>Y</Required>
-                    <multiple>Y</multiple>
-                    <mask>/^([a-zA-Z0-9\.:\[\]\-\/]*?,)*([a-zA-Z0-9\.:\[\]\-\/]*)$/</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^([a-zA-Z0-9\.:\[\]\-\/]*?,)*([a-zA-Z0-9\.:\[\]\-\/]*)$/</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid Zabbix server addresses, i.e. zabbix.example.com, 10.0.0.2 or 10.0.0.0/24.</ValidationMessage>
                 </serverList>
                 <listenPort type="IntegerField">
-                    <default>10050</default>
+                    <Default>10050</Default>
                     <MinimumValue>1024</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <Required>Y</Required>
                 </listenPort>
                 <listenIP type="NetworkField">
-                    <default>0.0.0.0</default>
+                    <Default>0.0.0.0</Default>
                     <Required>Y</Required>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <NetMaskAllowed>N</NetMaskAllowed>
-                    <asList>Y</asList>
+                    <AsList>Y</AsList>
                     <FieldSeparator>,</FieldSeparator>
                     <ValidationMessage>Please provide one or more valid IP addresses, i.e. 10.0.0.1.</ValidationMessage>
                 </listenIP>
@@ -47,17 +47,17 @@
                     <ValidationMessage>Please provide a valid IP address, i.e. 10.0.0.1.</ValidationMessage>
                 </sourceIP>
                 <syslogEnable type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </syslogEnable>
                 <logFileSize type="IntegerField">
-                    <default>100</default>
+                    <Default>100</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>5000</MaximumValue>
                     <Required>Y</Required>
                 </logFileSize>
                 <debugLevel type="OptionField">
-                    <default>val_3</default>
+                    <Default>val_3</Default>
                     <OptionValues>
                         <val_0>basic information (0)</val_0>
                         <val_1>critical information (1)</val_1>
@@ -69,41 +69,41 @@
                     <Required>Y</Required>
                 </debugLevel>
                 <sudoRoot type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </sudoRoot>
             </main>
             <tuning>
                 <startAgents type="IntegerField">
-                    <default>3</default>
+                    <Default>3</Default>
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>20</MaximumValue>
                     <Required>Y</Required>
                     <ValidationMessage>Should be a number between 0 and 20.</ValidationMessage>
                 </startAgents>
                 <bufferSend type="IntegerField">
-                    <default>5</default>
+                    <Default>5</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>3600</MaximumValue>
                     <Required>Y</Required>
                     <ValidationMessage>Should be a number between 1 and 3600.</ValidationMessage>
                 </bufferSend>
                 <bufferSize type="IntegerField">
-                    <default>100</default>
+                    <Default>100</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>10000</MaximumValue>
                     <Required>Y</Required>
                     <ValidationMessage>Should be a number between 1 and 10000.</ValidationMessage>
                 </bufferSize>
                 <maxLinesPerSecond type="IntegerField">
-                    <default>100</default>
+                    <Default>100</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>10000</MaximumValue>
                     <Required>Y</Required>
                     <ValidationMessage>Should be a number between 1 and 10000.</ValidationMessage>
                 </maxLinesPerSecond>
                 <timeout type="IntegerField">
-                    <default>3</default>
+                    <Default>3</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>30</MaximumValue>
                     <Required>Y</Required>
@@ -112,43 +112,43 @@
             </tuning>
             <features>
                 <enableActiveChecks type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enableActiveChecks>
                 <activeCheckServers type="CSVListField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
-                    <mask>/^([a-zA-Z0-9\.:\[\]\-]*?,)*([a-zA-Z0-9\.:\[\]\-]*)$/</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^([a-zA-Z0-9\.:\[\]\-]*?,)*([a-zA-Z0-9\.:\[\]\-]*)$/</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid active check receivers, i.e. 10.0.0.1:10051, zabbix.example.com or [::1]:30051.</ValidationMessage>
                 </activeCheckServers>
                 <refreshActiveChecks type="IntegerField">
-                    <default>120</default>
+                    <Default>120</Default>
                     <MinimumValue>10</MinimumValue>
                     <MaximumValue>3600</MaximumValue>
                     <Required>Y</Required>
                     <ValidationMessage>Should be a number between 10 and 3600.</ValidationMessage>
                 </refreshActiveChecks>
                 <enableRemoteCommands type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </enableRemoteCommands>
                 <logRemoteCommands type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </logRemoteCommands>
                 <encryption type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </encryption>
                 <encryptionidentity type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
-                    <mask>/^.{1,128}$/</mask>
+                    <Mask>/^.{1,128}$/</Mask>
                     <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
                 </encryptionidentity>
                 <encryptionpsk type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
                 </encryptionpsk>
             </features>
@@ -159,21 +159,21 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <key type="TextField">
-                    <mask>/^[^\t^,^;^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </key>
                 <command type="TextField">
-                    <mask>/^[^\t]{1,4096}$/u</mask>
+                    <Mask>/^[^\t]{1,4096}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 4096 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </command>
                 <acceptParams type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </acceptParams>
             </userparameter>
@@ -184,21 +184,21 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <key type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </key>
                 <sourceKey type="TextField">
-                    <mask>/^[^\t]{1,4096}$/u</mask>
+                    <Mask>/^[^\t]{1,4096}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 4096 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </sourceKey>
                 <acceptParams type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </acceptParams>
             </alias>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index e9a060522f..a80586fbbf 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -4,84 +4,84 @@
     <version>2.0.4</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <proxymode type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </proxymode>
         <remotecommands type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </remotecommands>
         <server type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </server>
         <serverport type="TextField">
-            <default>10051</default>
+            <Default>10051</Default>
             <Required>N</Required>
         </serverport>
         <hostname type="TextField">
-            <default>Zabbix proxy</default>
+            <Default>Zabbix proxy</Default>
             <Required>Y</Required>
         </hostname>
         <listenport type="TextField">
-            <default>10051</default>
+            <Default>10051</Default>
             <Required>N</Required>
         </listenport>
         <listenip type="NetworkField">
-            <default></default>
+            <Default></Default>
             <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
             <Required>N</Required>
         </listenip>
         <sourceip type="NetworkField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </sourceip>
         <startpollers type="TextField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>N</Required>
         </startpollers>
         <startipmipollers type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </startipmipollers>
         <startpollersunreachable type="IntegerField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </startpollersunreachable>
         <starttrappers type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>N</Required>
         </starttrappers>
         <startpingers type="IntegerField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </startpingers>
         <startdiscoverers type="IntegerField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </startdiscoverers>
         <startvmwarecollectors type="IntegerField">
             <Required>N</Required>
         </startvmwarecollectors>
         <starthttppollers type="IntegerField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </starthttppollers>
         <cachesize type="TextField">
-            <default>8M</default>
+            <Default>8M</Default>
             <Required>N</Required>
         </cachesize>
         <historycachesize type="TextField">
-            <default>16M</default>
+            <Default>16M</Default>
             <Required>N</Required>
         </historycachesize>
         <historyindexcachesize type="TextField">
-            <default>4M</default>
+            <Default>4M</Default>
             <Required>N</Required>
         </historyindexcachesize>
         <proxyofflinebuffer type="IntegerField">
@@ -91,7 +91,7 @@
             <ValidationMessage>Set a number between 1 and 720.</ValidationMessage>
         </proxyofflinebuffer>
         <timeout type="IntegerField">
-            <default>4</default>
+            <Default>4</Default>
             <Required>N</Required>
         </timeout>
         <configfrequency type="IntegerField">
@@ -101,23 +101,23 @@
             <Required>N</Required>
         </datasenderfrequency>
         <statsip type="NetworkField">
-            <default></default>
+            <Default></Default>
             <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
             <Required>N</Required>
         </statsip>
         <syslogEnable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </syslogEnable>
         <logFileSize type="IntegerField">
-            <default>100</default>
+            <Default>100</Default>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>1024</MaximumValue>
             <Required>Y</Required>
         </logFileSize>
         <debugLevel type="OptionField">
-            <default>val_3</default>
+            <Default>val_3</Default>
             <OptionValues>
                 <val_0>basic information (0)</val_0>
                 <val_1>critical information (1)</val_1>
@@ -129,19 +129,19 @@
             <Required>Y</Required>
         </debugLevel>
         <encryption type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </encryption>
         <encryptionidentity type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-            <mask>/^.{1,128}$/</mask>
+            <Mask>/^.{1,128}$/</Mask>
             <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
         </encryptionidentity>
         <encryptionpsk type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-            <mask>/^[A-Fa-f0-9]{32,512}$/</mask>
+            <Mask>/^[A-Fa-f0-9]{32,512}$/</Mask>
             <ValidationMessage>Should be a hexadecimal string between 32 and 512 characters.</ValidationMessage>
         </encryptionpsk>
     </items>
diff --git a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
index c74a00cc4c..08d29de0cf 100644
--- a/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
+++ b/net/chrony/src/opnsense/mvc/app/models/OPNsense/Chrony/General.xml
@@ -4,26 +4,26 @@
     <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <port type="PortField">
-            <default>323</default>
+            <Default>323</Default>
             <Required>Y</Required>
         </port>
         <ntsclient type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </ntsclient>
         <ntsnocert type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </ntsnocert>
         <peers type="HostnameField">
-            <default>0.opnsense.pool.ntp.org</default>
+            <Default>0.opnsense.pool.ntp.org</Default>
             <Required>Y</Required>
             <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </peers>
         <fallbackpeers type="HostnameField">
             <Required>N</Required>
@@ -31,7 +31,7 @@
         <allowednetworks type="NetworkField">
             <Required>N</Required>
             <FieldSeparator>,</FieldSeparator>
-            <asList>Y</asList>
+            <AsList>Y</AsList>
         </allowednetworks>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Avpair.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Avpair.xml
index 706f84cfcd..d20ae79865 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Avpair.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Avpair.xml
@@ -6,7 +6,7 @@
         <avpairs>
             <avpair type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
@@ -14,7 +14,7 @@
                 </name>
                 <operator type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([\-\+\~\=]){1,2}$/</mask>
+                    <Mask>/^([\-\+\~\=]){1,2}$/</Mask>
                 </operator>
                 <value type="TextField">
                     <Required>Y</Required>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
index 97f2a43245..40338baa6a 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
@@ -6,7 +6,7 @@
         <clients>
             <client type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
@@ -19,7 +19,7 @@
                     <Required>N</Required>
                 </ip>
                 <require_ma type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </require_ma>
             </client>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Dhcp.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Dhcp.xml
index e7e7ef49b3..cae3203c57 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Dhcp.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Dhcp.xml
@@ -6,7 +6,7 @@
         <dhcps>
             <dhcp type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <dns type="CSVListField">
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 991e9bd526..9bab64ac50 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -4,9 +4,9 @@
     <version>1.9.17</version>
     <items>
         <default_eap_type type="OptionField">
-            <default>md5</default>
+            <Default>md5</Default>
             <Required>Y</Required>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <OptionValues>
                 <md5>MD5</md5>
                 <mschapv2>MSCHAPv2</mschapv2>
@@ -16,22 +16,22 @@
             </OptionValues>
         </default_eap_type>
         <elliptic_curve type="OptionField">
-            <default>prime256v1</default>
+            <Default>prime256v1</Default>
             <Required>Y</Required>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <OptionValues>
                 <prime256v1>prime256v1</prime256v1>
                 <secp384r1>secp384r1</secp384r1>
             </OptionValues>
         </elliptic_curve>
         <enable_client_cert type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enable_client_cert>
         <ca type="CertificateField">
             <Type>ca</Type>
             <Required>N</Required>
-            <multiple>Y</multiple>
+            <Multiple>Y</Multiple>
         </ca>
         <certificate type="CertificateField">
             <Type>cert</Type>
@@ -42,13 +42,13 @@
             <Required>N</Required>
         </crl>
         <check_tls_names type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </check_tls_names>
         <tls_min_version type="OptionField">
-            <default>1.0</default>
+            <Default>1.0</Default>
             <Required>Y</Required>
-            <multiple>N</multiple>
+            <Multiple>N</Multiple>
             <OptionValues>
                 <Option1 value="1.0">1.0</Option1>
                 <Option2 value="1.1">1.1</Option2>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
index 49590e8f78..790839e8cc 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
@@ -4,15 +4,15 @@
     <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <vlanassign type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </vlanassign>
         <fallbackvlan_enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
             <Constraints>
                 <check001>
@@ -34,27 +34,27 @@
             </Constraints>
         </fallbackvlan_id>
         <ldap_enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </ldap_enabled>
         <exos type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </exos>
         <wispr type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </wispr>
         <chillispot type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </chillispot>
         <mikrotik type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </mikrotik>
         <sqlite type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
             <Constraints>
                 <check001>
@@ -67,11 +67,11 @@
             </Constraints>
         </sqlite>
         <sessionlimit type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </sessionlimit>
         <log_destination type="OptionField">
-            <default>files</default>
+            <Default>files</Default>
             <Required>Y</Required>
             <OptionValues>
                 <files>files</files>
@@ -79,19 +79,19 @@
             </OptionValues>
         </log_destination>
         <log_authentication_request type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </log_authentication_request>
         <log_authbadpass type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </log_authbadpass>
         <log_authgoodpass type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </log_authgoodpass>
         <dhcpenabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
             <Constraints>
                 <check001>
@@ -116,7 +116,7 @@
             </Constraints>
         </dhcplistenip>
         <mysql type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
             <Constraints>
                 <check001>
@@ -129,27 +129,27 @@
             </Constraints>
         </mysql>
         <mysqlserver type="HostnameField">
-            <default>127.0.0.1</default>
+            <Default>127.0.0.1</Default>
             <Required>Y</Required>
         </mysqlserver>
         <mysqlport type="PortField">
-            <default>3306</default>
+            <Default>3306</Default>
             <Required>Y</Required>
         </mysqlport>
         <mysqluser type="TextField">
-            <default>radius</default>
+            <Default>radius</Default>
             <Required>Y</Required>
         </mysqluser>
         <mysqlpassword type="TextField">
-            <default>radpass</default>
+            <Default>radpass</Default>
             <Required>Y</Required>
         </mysqlpassword>
         <mysqldb type="TextField">
-            <default>radius</default>
+            <Default>radius</Default>
             <Required>Y</Required>
         </mysqldb>
         <fallbackproxy type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </fallbackproxy>
     </items>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
index 0ee417c475..a6165dd99b 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
@@ -4,11 +4,11 @@
     <version>1.0.1</version>
     <items>
         <innertunnel type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </innertunnel>
         <protocol type="OptionField">
-            <default>LDAPS</default>
+            <Default>LDAPS</Default>
             <Required>Y</Required>
             <OptionValues>
                 <LDAP>LDAP</LDAP>
@@ -26,7 +26,7 @@
             <Required>N</Required>
         </ldapcert>
         <ldapstarttls type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </ldapstarttls>
         <identity type="TextField">
@@ -36,15 +36,15 @@
             <Required>N</Required>
         </password>
         <base_dn type="TextField">
-            <default>dc=example,dc=domain,dc=com</default>
+            <Default>dc=example,dc=domain,dc=com</Default>
             <Required>N</Required>
         </base_dn>
         <user_filter type="TextField">
-            <default>(uid=%{%{Stripped-User-Name}:-%{User-Name}})</default>
+            <Default>(uid=%{%{Stripped-User-Name}:-%{User-Name}})</Default>
             <Required>N</Required>
         </user_filter>
         <group_filter type="TextField">
-            <default>(objectClass=posixGroup)</default>
+            <Default>(objectClass=posixGroup)</Default>
             <Required>N</Required>
         </group_filter>
     </items>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Lease.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Lease.xml
index e8292a1116..8235249763 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Lease.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Lease.xml
@@ -6,12 +6,12 @@
         <leases>
             <lease type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <mac type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-fA-F:]){17}$/u</mask>
+                    <Mask>/^([0-9a-fA-F:]){17}$/u</Mask>
                 </mac>
                 <ip type="NetworkField">
                     <Required>Y</Required>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
index 14256fc174..f5b7673619 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
@@ -6,14 +6,14 @@
         <homeservers>
             <homeserver type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
                 </name>
                 <type type="OptionField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                     <OptionValues>
                         <auth>auth</auth>
@@ -23,7 +23,7 @@
                     </OptionValues>
                 </type>
                 <addresstype type="OptionField">
-                    <default>ipv4</default>
+                    <Default>ipv4</Default>
                     <Required>Y</Required>
                     <OptionValues>
                         <ipv4>ipv4</ipv4>
@@ -32,25 +32,25 @@
                     </OptionValues>
                 </addresstype>
                 <ipaddr type="TextField">
-                    <default>172.0.0.1</default>
+                    <Default>172.0.0.1</Default>
                     <Required>N</Required>
                 </ipaddr>
                 <ipaddr6 type="TextField">
-                    <default>::1</default>
+                    <Default>::1</Default>
                     <Required>N</Required>
                 </ipaddr6>
                 <virtualserver type="TextField">
-                    <default>foo</default>
+                    <Default>foo</Default>
                     <Required>N</Required>
                 </virtualserver>
                 <port type="IntegerField">
-                    <default>1812</default>
+                    <Default>1812</Default>
                     <Required>Y</Required>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                 </port>
                 <proto type="OptionField">
-                    <default>udp</default>
+                    <Default>udp</Default>
                     <Required>Y</Required>
                     <OptionValues>
                         <udp>udp</udp>
@@ -58,14 +58,14 @@
                     </OptionValues>
                 </proto>
                 <secret type="TextField">
-                    <default>testing123</default>
+                    <Default>testing123</Default>
                     <Required>N</Required>
                 </secret>
                 <sourceip type="TextField">
                     <Required>N</Required>
                 </sourceip>
                 <response_window type="IntegerField">
-                    <default>20</default>
+                    <Default>20</Default>
                     <Required>Y</Required>
                     <MinimumValue>5</MinimumValue>
                     <MaximumValue>60</MaximumValue>
@@ -74,19 +74,19 @@
                     <Required>N</Required>
                 </no_response_fail>
                 <zombieperiod type="IntegerField">
-                    <default>40</default>
+                    <Default>40</Default>
                     <Required>Y</Required>
                     <MinimumValue>20</MinimumValue>
                     <MaximumValue>120</MaximumValue>
                 </zombieperiod>
                 <reviveinterval type="IntegerField">
-                    <default>120</default>
+                    <Default>120</Default>
                     <Required>Y</Required>
                     <MinimumValue>60</MinimumValue>
                     <MaximumValue>3600</MaximumValue>
                 </reviveinterval>
                 <statuscheck type="OptionField">
-                    <default>status-server</default>
+                    <Default>status-server</Default>
                     <Required>Y</Required>
                     <OptionValues>
                         <none>none</none>
@@ -95,35 +95,35 @@
                     </OptionValues>
                 </statuscheck>
                 <checkinterval type="IntegerField">
-                    <default>30</default>
+                    <Default>30</Default>
                     <Required>Y</Required>
                     <MinimumValue>6</MinimumValue>
                     <MaximumValue>120</MaximumValue>
                 </checkinterval>
                 <numanswersalive type="IntegerField">
-                    <default>3</default>
+                    <Default>3</Default>
                     <Required>Y</Required>
                     <MinimumValue>3</MinimumValue>
                     <MaximumValue>10</MaximumValue>
                 </numanswersalive>
                 <max_outstanding type="IntegerField">
-                    <default>65536</default>
+                    <Default>65536</Default>
                     <Required>Y</Required>
                 </max_outstanding>
                 <limit_maxconnections type="IntegerField">
-                    <default>16</default>
+                    <Default>16</Default>
                     <Required>Y</Required>
                 </limit_maxconnections>
                 <limit_maxrequests type="IntegerField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </limit_maxrequests>
                 <limit_lifetime type="IntegerField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </limit_lifetime>
                 <limit_idletimeout type="IntegerField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </limit_idletimeout>
             </homeserver>
@@ -131,14 +131,14 @@
         <homeserverpools>
             <homeserverpool type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
                 </name>
                 <type type="OptionField">
-                    <default>fail-over</default>
+                    <Default>fail-over</Default>
                     <Required>Y</Required>
                     <OptionValues>
                         <fail-over>fail-over</fail-over>
@@ -152,15 +152,15 @@
                     <Required>N</Required>
                 </virtualserver>
                 <homeservers type="CSVListField">
-                    <default>localhost</default>
+                    <Default>localhost</Default>
                     <Required>Y</Required>
-                    <multiple>Y</multiple>
-                    <mask>/^([a-zA-Z0-9\.:\[\]\-\/]*?,)*([a-zA-Z0-9\.:\[\]\-\/]*)$/</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^([a-zA-Z0-9\.:\[\]\-\/]*?,)*([a-zA-Z0-9\.:\[\]\-\/]*)$/</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid server addresses, i.e. radius.example.com, 10.0.0.2 or 10.0.0.0/24.</ValidationMessage>
                 </homeservers>
                 <fallback type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
                 </fallback>
             </homeserverpool>
@@ -168,18 +168,18 @@
         <realms>
             <realm type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
                 </name>
                 <auth_pool type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
                 </auth_pool>
                 <acct_pool type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
                 </acct_pool>
                 <nostrip type="BooleanField">
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index 822e7c92bb..308802c78a 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -6,21 +6,21 @@
         <users>
             <user type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <username type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z@._\-\/:]){1,128}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z@._\-\/:]){1,128}$/u</Mask>
                 </username>
                 <password type="TextField">
                     <Required>Y</Required>
-                    <mask><![CDATA[/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:&]){1,128}$/u]]></mask>
+                    <Mask><![CDATA[/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:&]){1,128}$/u]]></Mask>
                 </password>
                 <passwordencryption type="OptionField">
-                    <default>Cleartext-Password</default>
+                    <Default>Cleartext-Password</Default>
                     <Required>Y</Required>
-                    <multiple>N</multiple>
+                    <Multiple>N</Multiple>
                     <OptionValues>
                         <cleartext value="Cleartext-Password">Cleartext-Password</cleartext>
                         <ntprehashed value="NT-Password">NT-Password (pre-hashed)</ntprehashed>
@@ -31,15 +31,15 @@
                 </description>
                 <ip type="TextField">
                     <Required>N</Required>
-                    <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
                 </ip>
                 <subnet type="TextField">
                     <Required>N</Required>
-                    <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
                 </subnet>
                 <route type="CSVListField">
                     <Required>N</Required>
-                    <mask>/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2},)*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})$/</mask>
+                    <Mask>/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2},)*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})$/</Mask>
                 </route>
                 <ip6 type="NetworkField">
                     <Required>N</Required>
@@ -51,7 +51,7 @@
                 </vlan>
                 <logintime type="TextField">
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z\-\,]){1,128}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z\-\,]){1,128}$/u</Mask>
                 </logintime>
                 <simuse type="IntegerField">
                     <Required>N</Required>
@@ -64,7 +64,7 @@
                 </exos_vlan_untagged>
                 <exos_vlan_tagged type="CSVListField">
                     <Required>N</Required>
-                    <mask>/^(\d{1,4},)*(\d{1,4})$/</mask>
+                    <Mask>/^(\d{1,4},)*(\d{1,4})$/</Mask>
                 </exos_vlan_tagged>
                 <exos_policy type="TextField">
                     <Required>N</Required>
@@ -98,7 +98,7 @@
                 </sessionlimit_max_session_limit>
                 <servicetype type="OptionField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <OptionValues>
                         <Option1 value="1">1</Option1>
                         <Option2 value="2">2</Option2>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
index 00c2dd22ba..91b35955ca 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
@@ -4,25 +4,25 @@
     <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <neighbors>
             <neighbor type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <description type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
                 </description>
                 <address type="NetworkField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
                 </address>
                 <multihop type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </multihop>
             </neighbor>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 53a356be7e..5253f02333 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -4,11 +4,11 @@
     <version>1.1.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <asnumber type="IntegerField">
-            <default>65551</default>
+            <Default>65551</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>4294967295</MaximumValue>
@@ -19,36 +19,36 @@
         </distance>
         <routerid type="TextField">
             <Required>N</Required>
-            <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+            <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
         </routerid>
         <graceful type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </graceful>
         <networkimportcheck type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </networkimportcheck>
         <logneighborchanges type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </logneighborchanges>
         <networks type="CSVListField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </networks>
         <neighbors>
                 <neighbor type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
                         </description>
                         <address type="NetworkField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                         </address>
                         <remote_as_mode type="OptionField">
@@ -66,7 +66,7 @@
                                 <Required>N</Required>
                         </password>
                         <weight type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
                                 <MinimumValue>0</MinimumValue>
                                 <MaximumValue>65535</MaximumValue>
@@ -75,49 +75,49 @@
                                 <Required>N</Required>
                         </localip>
                         <updatesource type="InterfaceField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
-                                <multiple>N</multiple>
+                                <Multiple>N</Multiple>
                                 <AllowDynamic>Y</AllowDynamic>
                                 <filters>
                                         <enable>/^(?!0).*$/</enable>
                                 </filters>
                         </updatesource>
                         <linklocalinterface type="InterfaceField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
-                                <multiple>N</multiple>
+                                <Multiple>N</Multiple>
                                 <AllowDynamic>Y</AllowDynamic>
                                 <filters>
                                         <enable>/^(?!0).*$/</enable>
                                 </filters>
                         </linklocalinterface>
                         <nexthopself type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </nexthopself>
                         <nexthopselfall type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </nexthopselfall>
                         <multihop type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </multihop>
                         <multiprotocol type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </multiprotocol>
                         <rrclient type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </rrclient>
                         <soft_reconfiguration_inbound type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </soft_reconfiguration_inbound>
                         <bfd type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </bfd>
                         <keepalive type="IntegerField">
@@ -136,11 +136,11 @@
                                 <MaximumValue>65000</MaximumValue>
                         </connecttimer>
                         <defaultoriginate type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </defaultoriginate>
                         <asoverride type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </asoverride>
                         <allowas_in type="OptionField">
@@ -159,11 +159,11 @@
                                 </OptionValues>
                         </allowas_in>
                         <disable_connected_check type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </disable_connected_check>
                         <attributeunchanged type="OptionField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
                                 <OptionValues>
                                         <as-path>as-path</as-path>
@@ -240,21 +240,21 @@
         <aspaths>
                 <aspath type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
                         </description>
                         <number type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <MinimumValue>0</MinimumValue>
                                 <MaximumValue>4294967295</MaximumValue>
                         </number>
                         <action type="OptionField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <OptionValues>
                                         <permit>Permit</permit>
@@ -262,7 +262,7 @@
                                 </OptionValues>
                         </action>
                         <as type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                         </as>
                 </aspath>
@@ -270,21 +270,21 @@
         <prefixlists>
                 <prefixlist type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
                         </description>
                         <name type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
-                                <mask>/^[a-zA-Z0-9._-]{1,64}$/</mask>
+                                <Mask>/^[a-zA-Z0-9._-]{1,64}$/</Mask>
                                 <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
                         </name>
                         <version type="OptionField">
-                                <default>IPv4</default>
+                                <Default>IPv4</Default>
                                 <Required>Y</Required>
                                 <OptionValues>
                                     <IPv4>IPv4</IPv4>
@@ -292,13 +292,13 @@
                                 </OptionValues>
                         </version>
                         <seqnumber type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>4294967294</MaximumValue>
                         </seqnumber>
                         <action type="OptionField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <OptionValues>
                                         <permit>Permit</permit>
@@ -306,7 +306,7 @@
                                 </OptionValues>
                         </action>
                         <network type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                         </network>
                 </prefixlist>
@@ -314,28 +314,28 @@
         <communitylists>
                 <communitylist type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
                         </description>
                         <number type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>500</MaximumValue>
                                 <ValidationMessage>Set a number between 1 and 500.</ValidationMessage>
                         </number>
                         <seqnumber type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <MinimumValue>10</MinimumValue>
                                 <MaximumValue>99</MaximumValue>
                         </seqnumber>
                         <action type="OptionField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <OptionValues>
                                         <permit>Permit</permit>
@@ -343,7 +343,7 @@
                                 </OptionValues>
                         </action>
                         <community type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                         </community>
                 </communitylist>
@@ -351,21 +351,21 @@
         <routemaps>
                 <routemap type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
                         </description>
                         <name type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
-                                <mask>/^[a-zA-Z0-9._-]{1,64}$/</mask>
+                                <Mask>/^[a-zA-Z0-9._-]{1,64}$/</Mask>
                                 <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
                         </name>
                         <action type="OptionField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <OptionValues>
                                         <permit>Permit</permit>
@@ -373,7 +373,7 @@
                                 </OptionValues>
                         </action>
                         <id type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>65535</MaximumValue>
@@ -422,7 +422,7 @@
         <peergroups>
                 <peergroup type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <name type="TextField">
@@ -506,7 +506,7 @@
         <redistributions>
                 <redistribution type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="DescriptionField"/>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
index 473e47bec5..53ab692d22 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
@@ -4,34 +4,34 @@
     <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <profile type="OptionField">
             <Required>Y</Required>
-            <multiple>N</multiple>
-            <default>traditional</default>
+            <Multiple>N</Multiple>
+            <Default>traditional</Default>
             <OptionValues>
                 <traditional>Traditional</traditional>
                 <datacenter>Datacenter</datacenter>
             </OptionValues>
         </profile>
         <enablecarp type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enablecarp>
         <enablesyslog type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </enablesyslog>
         <enablesnmp type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enablesnmp>
         <sysloglevel type="OptionField">
             <Required>Y</Required>
-            <multiple>N</multiple>
-            <default>notifications</default>
+            <Multiple>N</Multiple>
+            <Default>notifications</Default>
             <OptionValues>
                 <critical>Critical</critical>
                 <emergencies>Emergencies</emergencies>
@@ -44,7 +44,7 @@
             </OptionValues>
         </sysloglevel>
         <fwrules type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </fwrules>
     </items>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 646ece6572..dab6380a38 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -4,17 +4,17 @@
     <version>1.1.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <carp_demote type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </carp_demote>
         <routerid type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
-            <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+            <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
         </routerid>
         <costreference type="IntegerField">
             <Required>N</Required>
@@ -23,15 +23,15 @@
             <ValidationMessage>Must be a number between 1 and 4294967.</ValidationMessage>
         </costreference>
         <logadjacencychanges type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </logadjacencychanges>
         <originate type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </originate>
         <originatealways type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </originatealways>
         <originatemetric type="IntegerField">
@@ -42,8 +42,8 @@
         </originatemetric>
         <passiveinterfaces type="InterfaceField">
                 <Required>N</Required>
-                <multiple>Y</multiple>
-                <default></default>
+                <Multiple>Y</Multiple>
+                <Default></Default>
                 <AllowDynamic>Y</AllowDynamic>
                 <filters>
                     <enable>/^(?!0).*$/</enable>
@@ -52,21 +52,21 @@
         <networks>
                 <network type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <ipaddr type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
-                                <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
                         </ipaddr>
                         <area type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
-                                <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
                         </area>
                         <netmask type="IntegerField">
-                                <default>24</default>
+                                <Default>24</Default>
                                 <MinimumValue>0</MinimumValue>
                                 <Required>Y</Required>
                                 <MaximumValue>32</MaximumValue>
@@ -106,7 +106,7 @@
         <neighbors>
                 <neighbor type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="DescriptionField">
@@ -130,13 +130,13 @@
         <interfaces>
                 <interface type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <interfacename type="InterfaceField">
                                  <Required>N</Required>
-                                 <multiple>N</multiple>
-                                 <default></default>
+                                 <Multiple>N</Multiple>
+                                 <Default></Default>
                                  <AllowDynamic>Y</AllowDynamic>
                                  <filters>
                                          <enable>/^(?!0).*$/</enable>
@@ -144,39 +144,39 @@
                         </interfacename>
                         <authtype type="OptionField">
                                 <Required>N</Required>
-                                <multiple>N</multiple>
-                                <default></default>
+                                <Multiple>N</Multiple>
+                                <Default></Default>
                                 <OptionValues>
                                         <message-digest>MD5</message-digest>
                                         <plain>plain</plain>
                                 </OptionValues>
                         </authtype>
                         <authkey type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
-                                <mask>/^\S+$/</mask>
+                                <Mask>/^\S+$/</Mask>
                         </authkey>
                         <authkey_id type="IntegerField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>255</MaximumValue>
                                 <Required>Y</Required>
                                 <ValidationMessage>The authentication key ID must be between 1 and 255.</ValidationMessage>
                         </authkey_id>
                         <area type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>N</Required>
-                                <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
                         </area>
                         <cost type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <MinimumValue>1</MinimumValue>
                                 <Required>N</Required>
                                 <MaximumValue>65535</MaximumValue>
                                 <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
                         </cost>
                         <cost_demoted type="IntegerField">
-                                <default>65535</default>
+                                <Default>65535</Default>
                                 <MinimumValue>1</MinimumValue>
                                 <Required>N</Required>
                                 <MaximumValue>65535</MaximumValue>
@@ -187,48 +187,48 @@
                             <Required>N</Required>
                         </carp_depend_on>
                         <hellointerval type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <MinimumValue>0</MinimumValue>
                                 <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Hello interval must be between 0 and 4294967295.</ValidationMessage>
                         </hellointerval>
                         <deadinterval type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <MinimumValue>0</MinimumValue>
                                 <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Dead interval must be between 0 and 4294967295.</ValidationMessage>
                         </deadinterval>
                         <retransmitinterval type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <MinimumValue>0</MinimumValue>
                                 <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Retransmit interval must be between 0 and 4294967295.</ValidationMessage>
                         </retransmitinterval>
                         <transmitdelay type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <MinimumValue>0</MinimumValue>
                                 <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Transmit delay must be between 0 and 4294967295.</ValidationMessage>
                         </transmitdelay>
                         <priority type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <MinimumValue>0</MinimumValue>
                                 <Required>N</Required>
                                 <MaximumValue>4294967295</MaximumValue>
                                 <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
                         </priority>
                         <bfd type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>N</Required>
                         </bfd>
                         <networktype type="OptionField">
                                 <Required>N</Required>
-                                <multiple>N</multiple>
-                                <default></default>
+                                <Multiple>N</Multiple>
+                                <Default></Default>
                                 <OptionValues>
                                         <broadcast>Broadcast multi-access network</broadcast>
                                         <non-broadcast>NBMA network</non-broadcast>
@@ -241,23 +241,23 @@
         <prefixlists>
                 <prefixlist type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <name type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
-                                <mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</mask>
+                                <Mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</Mask>
                                 <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
                         </name>
                         <seqnumber type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <MinimumValue>10</MinimumValue>
                                 <MaximumValue>99</MaximumValue>
                         </seqnumber>
                         <action type="OptionField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <OptionValues>
                                         <permit>Permit</permit>
@@ -265,7 +265,7 @@
                                 </OptionValues>
                         </action>
                         <network type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                         </network>
                 </prefixlist>
@@ -273,11 +273,11 @@
         <routemaps>
                 <routemap type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <name type="TextField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                         </name>
                         <action type="OptionField">
@@ -288,7 +288,7 @@
                                 </OptionValues>
                         </action>
                         <id type="IntegerField">
-                                <default></default>
+                                <Default></Default>
                                 <Required>Y</Required>
                                 <MinimumValue>10</MinimumValue>
                                 <MaximumValue>99</MaximumValue>
@@ -313,7 +313,7 @@
         <redistributions>
                 <redistribution type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="DescriptionField"/>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index 4f06e179ae..db29c74af1 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -4,22 +4,22 @@
     <version>1.1.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <carp_demote type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </carp_demote>
         <routerid type="TextField">
-                <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
         </routerid>
         <originate type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </originate>
         <originatealways type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </originatealways>
         <originatemetric type="IntegerField">
@@ -30,7 +30,7 @@
         <networks>
                 <network type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <!-- XXX: it would make sense to merge both into a single field "network" -->
@@ -41,7 +41,7 @@
                                 <AddressFamily>ipv6</AddressFamily>
                         </ipaddr>
                         <netmask type="IntegerField">
-                                <default>64</default>
+                                <Default>64</Default>
                                 <MinimumValue>0</MinimumValue>
                                 <Required>Y</Required>
                                 <MaximumValue>128</MaximumValue>
@@ -49,7 +49,7 @@
                         </netmask>
                         <area type="TextField">
                                 <Required>Y</Required>
-                                <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
                         </area>
                         <arearange type="TextField"/>
                         <linkedPrefixlistIn type="ModelRelationField">
@@ -79,7 +79,7 @@
         <interfaces>
                 <interface type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <interfacename type="InterfaceField">
@@ -90,10 +90,10 @@
                         </interfacename>
                         <area type="TextField">
                                 <Required>Y</Required>
-                                <mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</mask>
+                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
                         </area>
                         <passive type="BooleanField">
-                                <default>0</default>
+                                <Default>0</Default>
                                 <Required>Y</Required>
                         </passive>
                         <cost type="IntegerField">
@@ -146,12 +146,12 @@
         <prefixlists>
                 <prefixlist type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <name type="TextField">
                                 <Required>Y</Required>
-                                <mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</mask>
+                                <Mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</Mask>
                                 <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
                         </name>
                         <seqnumber type="IntegerField">
@@ -174,7 +174,7 @@
         <routemaps>
                 <routemap type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <name type="TextField">
@@ -208,7 +208,7 @@
         <redistributions>
                 <redistribution type="ArrayField">
                         <enabled type="BooleanField">
-                                <default>1</default>
+                                <Default>1</Default>
                                 <Required>Y</Required>
                         </enabled>
                         <description type="DescriptionField"/>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
index f9838ca8b7..27e95e96c7 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
@@ -4,23 +4,23 @@
     <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <version type="IntegerField">
             <MinimumValue>1</MinimumValue>
             <MaximumValue>2</MaximumValue>
-            <default>2</default>
+            <Default>2</Default>
             <Required>Y</Required>
         </version>
         <networks type="CSVListField">
             <Required>N</Required>
-            <mask>/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2},)*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})$/</mask>
+            <Mask>/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2},)*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})$/</Mask>
         </networks>
         <passiveinterfaces type="InterfaceField">
                 <Required>N</Required>
-                <multiple>Y</multiple>
-                <default></default>
+                <Multiple>Y</Multiple>
+                <Default></Default>
                 <AllowDynamic>Y</AllowDynamic>
                 <filters>
                     <enable>/^(?!0).*$/</enable>
@@ -28,8 +28,8 @@
         </passiveinterfaces>
         <redistribute type="OptionField">
                 <Required>N</Required>
-                <multiple>Y</multiple>
-                <default></default>
+                <Multiple>Y</Multiple>
+                <Default></Default>
                 <OptionValues>
                         <bgp>Border Gateway Protocol (BGP)</bgp>
                         <connected>Connected routes (directly attached subnet or host)</connected>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
index f0c7d37c24..095b46f589 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
@@ -4,13 +4,13 @@
     <version>1.0.0</version>
     <items>
 		<enabled type="BooleanField">
-			<default>0</default>
+			<Default>0</Default>
 			<Required>Y</Required>
 		</enabled>
 		<routes>
 			<route type="ArrayField">
 				<enabled type="BooleanField">
-					<default>1</default>
+					<Default>1</Default>
 					<Required>Y</Required>
 				</enabled>
 				<network type="NetworkField">
@@ -23,7 +23,7 @@
 					<Required>N</Required>
 				</gateway>
 				<interfacename type="InterfaceField">
-					<multiple>N</multiple>
+					<Multiple>N</Multiple>
 					<AllowDynamic>Y</AllowDynamic>
 					<filters>
 						<enable>/^(?!0).*$/</enable>
diff --git a/net/ftp-proxy/src/opnsense/mvc/app/models/OPNsense/FtpProxy/FtpProxy.xml b/net/ftp-proxy/src/opnsense/mvc/app/models/OPNsense/FtpProxy/FtpProxy.xml
index 34d241a977..a2c7447f3a 100644
--- a/net/ftp-proxy/src/opnsense/mvc/app/models/OPNsense/FtpProxy/FtpProxy.xml
+++ b/net/ftp-proxy/src/opnsense/mvc/app/models/OPNsense/FtpProxy/FtpProxy.xml
@@ -5,17 +5,17 @@
    <items>
       <ftpproxy type="ArrayField">
          <enabled type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
          </enabled>
          <listenaddress type="TextField">
             <Required>Y</Required>
-            <default>127.0.0.1</default>
-            <mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</mask>
+            <Default>127.0.0.1</Default>
+            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
             <ValidationMessage>Listen address must be a valid IPv4 address</ValidationMessage>
          </listenaddress>
          <listenport type="IntegerField">
-            <default>8021</default>
+            <Default>8021</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
@@ -23,22 +23,22 @@
          </listenport>
          <sourceaddress type="TextField">
             <Required>N</Required>
-            <mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</mask>
+            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
             <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
          </sourceaddress>
          <rewritesourceport  type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
          </rewritesourceport>
          <idletimeout type="IntegerField">
-            <default>86400</default>
+            <Default>86400</Default>
             <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>86400</MaximumValue>
             <ValidationMessage>Idle timeout needs to be an integer value between 1 and 86400</ValidationMessage>
          </idletimeout>
          <maxsessions type="IntegerField">
-            <default>100</default>
+            <Default>100</Default>
             <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>500</MaximumValue>
@@ -46,22 +46,22 @@
          </maxsessions>
          <reverseaddress type="TextField">
             <Required>N</Required>
-            <mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</mask>
+            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
             <ValidationMessage>Reverse address must be a valid IPv4 address</ValidationMessage>
          </reverseaddress>
          <reverseport type="IntegerField">
-            <default>21</default>
+            <Default>21</Default>
             <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
             <ValidationMessage>Reverse port needs to be an integer value between 1 and 65535</ValidationMessage>
          </reverseport>
          <logconnections type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
          </logconnections>
          <debuglevel type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>N</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>7</MaximumValue>
@@ -69,7 +69,7 @@
          </debuglevel>
          <description type="TextField">
             <Required>N</Required>
-            <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+            <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
             <ValidationMessage>Enter a description.</ValidationMessage>
          </description>
       </ftpproxy>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 92270f886d..720e418532 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -5,39 +5,39 @@
     <items>
         <general>
             <enabled type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </enabled>
             <gracefulStop type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </gracefulStop>
             <hardStopAfter type="TextField">
-                <default>60s</default>
-                <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                <Default>60s</Default>
+                <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                 <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                 <Required>N</Required>
             </hardStopAfter>
             <closeSpreadTime type="TextField">
-                <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                 <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                 <Required>N</Required>
             </closeSpreadTime>
             <seamlessReload type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </seamlessReload>
             <!-- XXX: old value, required for model migration to 4.1.0 -->
             <storeOcsp type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>N</Required>
             </storeOcsp>
             <showIntro type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
             </showIntro>
             <peers>
                 <enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name1 type="HostnameField">
@@ -47,7 +47,7 @@
                     <Required>N</Required>
                 </listen1>
                 <port1 type="IntegerField">
-                    <default>1024</default>
+                    <Default>1024</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 65535.</ValidationMessage>
@@ -60,7 +60,7 @@
                     <Required>N</Required>
                 </listen2>
                 <port2 type="IntegerField">
-                    <default>1024</default>
+                    <Default>1024</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 65535.</ValidationMessage>
@@ -69,7 +69,7 @@
             </peers>
             <tuning>
                 <root type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </root>
                 <maxConnections type="IntegerField">
@@ -79,7 +79,7 @@
                     <Required>N</Required>
                 </maxConnections>
                 <nbthread type="IntegerField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>1024</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 1024.</ValidationMessage>
@@ -87,7 +87,7 @@
                 </nbthread>
                 <resolversPrefer type="OptionField">
                     <Required>N</Required>
-                    <default>ipv4</default>
+                    <Default>ipv4</Default>
                     <OptionValues>
                         <ipv4>IPv4</ipv4>
                         <ipv6>IPv6</ipv6>
@@ -95,40 +95,40 @@
                 </resolversPrefer>
                 <sslServerVerify type="OptionField">
                     <Required>Y</Required>
-                    <default>ignore</default>
+                    <Default>ignore</Default>
                     <OptionValues>
                         <ignore>no preference [default]</ignore>
-                        <required>enforce verify</required>
+                        <Required>enforce verify</Required>
                         <none>disable verify</none>
                     </OptionValues>
                 </sslServerVerify>
                 <maxDHSize type="IntegerField">
-                    <default>2048</default>
+                    <Default>2048</Default>
                     <MinimumValue>1024</MinimumValue>
                     <MaximumValue>16384</MaximumValue>
                     <ValidationMessage>Please specify a value between 1024 and 16384.</ValidationMessage>
                     <Required>Y</Required>
                 </maxDHSize>
                 <bufferSize type="IntegerField">
-                    <default>16384</default>
+                    <Default>16384</Default>
                     <MinimumValue>1024</MinimumValue>
                     <MaximumValue>1048576</MaximumValue>
                     <ValidationMessage>Please specify a value between 1024 and 1048576.</ValidationMessage>
                     <Required>N</Required>
                 </bufferSize>
                 <spreadChecks type="IntegerField">
-                    <default>2</default>
+                    <Default>2</Default>
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>50</MaximumValue>
                     <ValidationMessage>Please specify a value between 0 and 50.</ValidationMessage>
                     <Required>Y</Required>
                 </spreadChecks>
                 <bogusProxyEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </bogusProxyEnabled>
                 <luaMaxMem type="IntegerField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>1024</MaximumValue>
                     <ValidationMessage>Please specify a value between 0 and 1024.</ValidationMessage>
@@ -138,30 +138,30 @@
                     <Required>N</Required>
                 </customOptions>
                 <ocspUpdateEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </ocspUpdateEnabled>
                 <ocspUpdateMinDelay type="IntegerField">
-                    <default>300</default>
+                    <Default>300</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>86400</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 86400.</ValidationMessage>
                     <Required>N</Required>
                 </ocspUpdateMinDelay>
                 <ocspUpdateMaxDelay type="IntegerField">
-                    <default>3600</default>
+                    <Default>3600</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>86400</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 86400.</ValidationMessage>
                     <Required>N</Required>
                 </ocspUpdateMaxDelay>
                 <ssl_defaultsEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </ssl_defaultsEnabled>
                 <ssl_bindOptions type="OptionField">
                     <Required>N</Required>
-                    <default>prefer-client-ciphers</default>
+                    <Default>prefer-client-ciphers</Default>
                     <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <OptionValues>
@@ -182,7 +182,7 @@
                 </ssl_bindOptions>
                 <ssl_minVersion type="OptionField">
                     <Required>N</Required>
-                    <default>TLSv1.2</default>
+                    <Default>TLSv1.2</Default>
                     <OptionValues>
                         <SSLv3>SSLv3</SSLv3>
                         <TLSv1.0>TLSv1.0</TLSv1.0>
@@ -202,11 +202,11 @@
                     </OptionValues>
                 </ssl_maxVersion>
                 <ssl_cipherList type="TextField">
-                    <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256</default>
+                    <Default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256</Default>
                     <Required>N</Required>
                 </ssl_cipherList>
                 <ssl_cipherSuites type="TextField">
-                    <default>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256</default>
+                    <Default>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256</Default>
                     <Required>N</Required>
                 </ssl_cipherSuites>
                 <h2_initialWindowSize type="IntegerField">
@@ -260,38 +260,38 @@
                     <Required>N</Required>
                 </maxConnectionsServers>
                 <timeoutClient type="TextField">
-                    <default>30s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>30s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </timeoutClient>
                 <timeoutConnect type="TextField">
-                    <default>30s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>30s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </timeoutConnect>
                 <timeoutCheck type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </timeoutCheck>
                 <timeoutServer type="TextField">
-                    <default>30s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>30s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </timeoutServer>
                 <retries type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>100</MaximumValue>
-                    <default>3</default>
+                    <Default>3</Default>
                     <ValidationMessage>Please specify a value between 0 and 100.</ValidationMessage>
                     <Required>Y</Required>
                 </retries>
                 <redispatch type="OptionField">
                     <Required>N</Required>
-                    <default>x-1</default>
+                    <Default>x-1</Default>
                     <OptionValues>
                         <x3>redispatch on every 3rd retry</x3>
                         <x2>redispatch on every 2nd retry</x2>
@@ -304,7 +304,7 @@
                 </redispatch>
                 <init_addr type="OptionField">
                     <Required>N</Required>
-                    <default>last,libc</default>
+                    <Default>last,libc</Default>
                     <Multiple>Y</Multiple>
                     <Sorted>Y</Sorted>
                     <OptionValues>
@@ -319,15 +319,15 @@
             </defaults>
             <logging>
                 <host type="TextField">
-                    <default>127.0.0.1</default>
-                    <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+                    <Default>127.0.0.1</Default>
+                    <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
                     <Required>Y</Required>
                 </host>
                 <facility type="OptionField">
                     <Required>Y</Required>
-                    <default>local0</default>
+                    <Default>local0</Default>
                     <OptionValues>
                         <alert>alert</alert>
                         <audit>audit</audit>
@@ -357,7 +357,7 @@
                 </facility>
                 <level type="OptionField">
                     <Required>N</Required>
-                    <default>info</default>
+                    <Default>info</Default>
                     <OptionValues>
                         <alert>alert</alert>
                         <crit>crit</crit>
@@ -378,36 +378,36 @@
             </logging>
             <stats>
                 <enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </enabled>
                 <port type="IntegerField">
                     <MinimumValue>1024</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
-                    <default>8822</default>
+                    <Default>8822</Default>
                     <ValidationMessage>Please specify a value between 1024 and 65535.</ValidationMessage>
                     <Required>Y</Required>
                 </port>
                 <remoteEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </remoteEnabled>
                 <!-- XXX: filter localhost and variations of it -->
                 <remoteBind type="CSVListField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
-                    <mask>/^((([0-9a-zA-Z._\-]+:[0-9a-zA-Z._\-]+)([,]){0,1}))*/u</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^((([0-9a-zA-Z._\-]+:[0-9a-zA-Z._\-]+)([,]){0,1}))*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide a valid listen address, i.e. 10.0.0.1:8080 or haproxy.example.com:8999.</ValidationMessage>
                 </remoteBind>
                 <authEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </authEnabled>
                 <users type="CSVListField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
-                    <mask>/^((([0-9a-zA-Z._\-]+:[0-9a-zA-Z._\-]+)([,]){0,1}))*/u</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^((([0-9a-zA-Z._\-]+:[0-9a-zA-Z._\-]+)([,]){0,1}))*/u</Mask>
                     <ValidationMessage>Please provide a valid user and password, i.e. user:secret123.</ValidationMessage>
                 </users>
                 <allowedUsers type="ModelRelationField">
@@ -419,7 +419,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related user not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowedUsers>
                 <allowedGroups type="ModelRelationField">
@@ -431,47 +431,47 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related group not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowedGroups>
                 <customOptions type="TextField">
                     <Required>N</Required>
                 </customOptions>
                 <prometheus_enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </prometheus_enabled>
                 <prometheus_bind type="CSVListField">
-                    <default>*:8404</default>
+                    <Default>*:8404</Default>
                     <Required>N</Required>
-                    <multiple>Y</multiple>
-                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide a valid listen address, i.e. 10.0.0.1:8404 or haproxy.example.com:8404.</ValidationMessage>
                 </prometheus_bind>
                 <prometheus_path type="TextField">
-                    <default>/metrics</default>
+                    <Default>/metrics</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,2048}$/u</mask>
+                    <Mask>/^.{1,2048}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 2048 characters.</ValidationMessage>
                 </prometheus_path>
             </stats>
             <cache>
                 <enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </enabled>
                 <totalMaxSize type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>4095</MaximumValue>
-                    <default>4</default>
+                    <Default>4</Default>
                     <Required>Y</Required>
                     <ValidationMessage>Please specify a value between 1 and 4095.</ValidationMessage>
                 </totalMaxSize>
                 <maxAge type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>3600</MaximumValue>
-                    <default>60</default>
+                    <Default>60</Default>
                     <Required>N</Required>
                     <ValidationMessage>Please specify a value between 1 and 3600.</ValidationMessage>
                 </maxAge>
@@ -482,11 +482,11 @@
                     <ValidationMessage>Please specify a value between 1 and 2146435072.</ValidationMessage>
                 </maxObjectSize>
                 <processVary type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </processVary>
                 <maxSecondaryEntries type="IntegerField">
-                    <default>10</default>
+                    <Default>10</Default>
                     <MinimumValue>1</MinimumValue>
                     <Required>N</Required>
                     <ValidationMessage>Please specify a positive integer value.</ValidationMessage>
@@ -499,23 +499,23 @@
                     <Required>N</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </name>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </description>
                 <bind type="CSVListField">
                     <Required>Y</Required>
-                    <multiple>Y</multiple>
-                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080, www.example.com:443 or unix@socket-name. Port range as start-end, i.e. 127.0.0.1:1220-1240.</ValidationMessage>
                 </bind>
@@ -524,7 +524,7 @@
                 </bindOptions>
                 <mode type="OptionField">
                     <Required>Y</Required>
-                    <default>http</default>
+                    <Default>http</Default>
                     <OptionValues>
                         <http>HTTP / HTTPS (SSL offloading) [default]</http>
                         <ssl>SSL / HTTPS (TCP mode)</ssl>
@@ -543,7 +543,7 @@
                     <Required>N</Required>
                 </defaultBackend>
                 <ssl_enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </ssl_enabled>
                 <ssl_certificates type="CertificateField">
@@ -560,12 +560,12 @@
                     <Required>N</Required>
                 </ssl_customOptions>
                 <ssl_advancedEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </ssl_advancedEnabled>
                 <ssl_bindOptions type="OptionField">
                     <Required>N</Required>
-                    <default>prefer-client-ciphers</default>
+                    <Default>prefer-client-ciphers</Default>
                     <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <OptionValues>
@@ -586,7 +586,7 @@
                 </ssl_bindOptions>
                 <ssl_minVersion type="OptionField">
                     <Required>N</Required>
-                    <default>TLSv1.2</default>
+                    <Default>TLSv1.2</Default>
                     <OptionValues>
                         <SSLv3>SSLv3</SSLv3>
                         <TLSv1.0>TLSv1.0</TLSv1.0>
@@ -606,43 +606,43 @@
                     </OptionValues>
                 </ssl_maxVersion>
                 <ssl_cipherList type="TextField">
-                    <default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256</default>
+                    <Default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256</Default>
                     <Required>N</Required>
                 </ssl_cipherList>
                 <ssl_cipherSuites type="TextField">
-                    <default>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256</default>
+                    <Default>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256</Default>
                     <Required>N</Required>
                 </ssl_cipherSuites>
                 <ssl_hstsEnabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </ssl_hstsEnabled>
                 <ssl_hstsIncludeSubDomains type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </ssl_hstsIncludeSubDomains>
                 <ssl_hstsPreload type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </ssl_hstsPreload>
                 <ssl_hstsMaxAge type="IntegerField">
-                    <default>15768000</default>
+                    <Default>15768000</Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>1000000000</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
                     <Required>Y</Required>
                 </ssl_hstsMaxAge>
                 <ssl_clientAuthEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </ssl_clientAuthEnabled>
                 <ssl_clientAuthVerify type="OptionField">
                     <Required>N</Required>
-                    <default>required</default>
+                    <Default>required</Default>
                     <OptionValues>
                         <none>none</none>
                         <optional>optional</optional>
-                        <required>required</required>
+                        <Required>required</Required>
                     </OptionValues>
                 </ssl_clientAuthVerify>
                 <ssl_clientAuthCAs type="CertificateField">
@@ -658,7 +658,7 @@
                     <ValidationMessage>Please select a valid CA from the list.</ValidationMessage>
                 </ssl_clientAuthCRLs>
                 <basicAuthEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </basicAuthEnabled>
                 <basicAuthUsers type="ModelRelationField">
@@ -670,7 +670,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related user not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </basicAuthUsers>
                 <basicAuthGroups type="ModelRelationField">
@@ -682,7 +682,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related group not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </basicAuthGroups>
                 <tuning_maxConnections type="IntegerField">
@@ -692,17 +692,17 @@
                     <Required>N</Required>
                 </tuning_maxConnections>
                 <tuning_timeoutClient type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </tuning_timeoutClient>
                 <tuning_timeoutHttpReq type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </tuning_timeoutHttpReq>
                 <tuning_timeoutHttpKeepAlive type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </tuning_timeoutHttpKeepAlive>
@@ -725,23 +725,23 @@
                     <Required>N</Required>
                 </tuning_shards>
                 <logging_dontLogNull type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </logging_dontLogNull>
                 <logging_dontLogNormal type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </logging_dontLogNormal>
                 <logging_logSeparateErrors type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </logging_logSeparateErrors>
                 <logging_detailedLog type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </logging_detailedLog>
                 <logging_socketStats type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </logging_socketStats>
                 <stickiness_pattern type="OptionField">
@@ -775,26 +775,26 @@
                 </stickiness_dataTypes>
                 <stickiness_expire type="TextField">
                     <Required>Y</Required>
-                    <default>30m</default>
-                    <mask>/^([0-9]{1,5}(?:ms|s|m|h|d)?)/u</mask>
+                    <Default>30m</Default>
+                    <Mask>/^([0-9]{1,5}(?:ms|s|m|h|d)?)/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Should be a number between 1 and 5 characters followed by either "d", "h", "m", "s" or "ms".</ValidationMessage>
                 </stickiness_expire>
                 <stickiness_size type="TextField">
                     <Required>Y</Required>
-                    <default>50k</default>
-                    <mask>/^([0-9]{1,5}[k|m|g]{1})*/u</mask>
+                    <Default>50k</Default>
+                    <Mask>/^([0-9]{1,5}[k|m|g]{1})*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Should be a number between 1 and 5 characters followed by either "k", "m" or "g".</ValidationMessage>
                 </stickiness_size>
                 <stickiness_counter type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>N</Required>
                 </stickiness_counter>
                 <stickiness_counter_key type="TextField">
-                    <default>src</default>
+                    <Default>src</Default>
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z._]){1,32}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._]){1,32}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 32 characters.</ValidationMessage>
                 </stickiness_counter_key>
                 <stickiness_length type="IntegerField">
@@ -804,52 +804,52 @@
                     <Required>N</Required>
                 </stickiness_length>
                 <stickiness_connRatePeriod type="TextField">
-                    <default>10s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>10s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_connRatePeriod>
                 <stickiness_sessRatePeriod type="TextField">
-                    <default>10s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>10s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_sessRatePeriod>
                 <stickiness_httpReqRatePeriod type="TextField">
-                    <default>10s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>10s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_httpReqRatePeriod>
                 <stickiness_httpErrRatePeriod type="TextField">
-                    <default>10s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>10s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_httpErrRatePeriod>
                 <stickiness_bytesInRatePeriod type="TextField">
-                    <default>1m</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_bytesInRatePeriod>
                 <stickiness_bytesOutRatePeriod type="TextField">
-                    <default>1m</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_bytesOutRatePeriod>
                 <http2Enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>N</Required>
                 </http2Enabled>
                 <http2Enabled_nontls type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </http2Enabled_nontls>
                 <advertised_protocols type="OptionField">
                     <Required>N</Required>
-                    <default>h2,http11</default>
+                    <Default>h2,http11</Default>
                     <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <OptionValues>
@@ -860,22 +860,22 @@
                 </advertised_protocols>
                 <!-- XXX: deprecated option (scheduled removal in os-haproxy 5.0) -->
                 <forwardFor type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </forwardFor>
                 <prometheus_enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </prometheus_enabled>
                 <prometheus_path type="TextField">
-                    <default>/metrics</default>
+                    <Default>/metrics</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,2048}$/u</mask>
+                    <Mask>/^.{1,2048}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 2048 characters.</ValidationMessage>
                 </prometheus_path>
                 <connectionBehaviour type="OptionField">
                     <Required>Y</Required>
-                    <default>http-keep-alive</default>
+                    <Default>http-keep-alive</Default>
                     <OptionValues>
                         <http-keep-alive>http-keep-alive [default]</http-keep-alive>
                         <httpclose>httpclose</httpclose>
@@ -895,7 +895,7 @@
                     </Model>
                     <ValidationMessage>Related action item not found</ValidationMessage>
                     <Sorted>Y</Sorted>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedActions>
                 <linkedErrorfiles type="ModelRelationField">
@@ -907,7 +907,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related error file item not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedErrorfiles>
             </frontend>
@@ -918,22 +918,22 @@
                     <Required>N</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </name>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </description>
                 <mode type="OptionField">
                     <Required>Y</Required>
-                    <default>http</default>
+                    <Default>http</Default>
                     <OptionValues>
                         <http>HTTP (Layer 7) [default]</http>
                         <tcp>TCP (Layer 4)</tcp>
@@ -941,7 +941,7 @@
                 </mode>
                 <algorithm type="OptionField">
                     <Required>Y</Required>
-                    <default>source</default>
+                    <Default>source</Default>
                     <OptionValues>
                         <source>Source-IP Hash [default]</source>
                         <roundrobin>Round Robin</roundrobin>
@@ -953,7 +953,7 @@
                 </algorithm>
                 <random_draws type="IntegerField">
                     <Required>Y</Required>
-                    <default>2</default>
+                    <Default>2</Default>
                     <MinimumValue>2</MinimumValue>
                     <MaximumValue>1000</MaximumValue>
                     <ValidationMessage>Please specify a value between 2 and 1000.</ValidationMessage>
@@ -998,7 +998,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related resolver not found</ValidationMessage>
-                    <multiple>N</multiple>
+                    <Multiple>N</Multiple>
                     <Required>N</Required>
                 </linkedResolver>
                 <resolverOpts type="OptionField">
@@ -1020,13 +1020,13 @@
                     </OptionValues>
                 </resolvePrefer>
                 <source type="TextField">
-                    <mask>/^((([0-9a-zA-Z._\-\*:]+)))*/u</mask>
+                    <Mask>/^((([0-9a-zA-Z._\-\*:]+)))*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please specify a valid source address, i.e. 10.0.0.1 or loadbalancer.example.com:50000. Port range as start-end, i.e. 10.0.0.1:50000-60000.</ValidationMessage>
                     <Required>N</Required>
                 </source>
                 <healthCheckEnabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </healthCheckEnabled>
                 <healthCheck type="ModelRelationField">
@@ -1042,16 +1042,16 @@
                     <Required>N</Required>
                 </healthCheck>
                 <healthCheckLogStatus type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </healthCheckLogStatus>
                 <checkInterval type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </checkInterval>
                 <checkDownInterval type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </checkDownInterval>
@@ -1076,20 +1076,20 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related mailer not found</ValidationMessage>
-                    <multiple>N</multiple>
+                    <Multiple>N</Multiple>
                     <Required>N</Required>
                 </linkedMailer>
                 <http2Enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>N</Required>
                 </http2Enabled>
                 <http2Enabled_nontls type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </http2Enabled_nontls>
                 <ba_advertised_protocols type="OptionField">
                     <Required>N</Required>
-                    <default>h2,http11</default>
+                    <Default>h2,http11</Default>
                     <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <OptionValues>
@@ -1099,11 +1099,11 @@
                     </OptionValues>
                 </ba_advertised_protocols>
                 <forwardFor type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </forwardFor>
                 <forwardedHeader type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </forwardedHeader>
                 <forwardedHeaderParameters type="OptionField">
@@ -1121,7 +1121,7 @@
                 </forwardedHeaderParameters>
                 <persistence type="OptionField">
                     <Required>N</Required>
-                    <default>sticktable</default>
+                    <Default>sticktable</Default>
                     <OptionValues>
                         <sticktable>Stick-table persistence [default]</sticktable>
                         <cookie>Cookie-based persistence (HTTP/HTTPS only)</cookie>
@@ -1129,25 +1129,25 @@
                 </persistence>
                 <persistence_cookiemode type="OptionField">
                     <Required>Y</Required>
-                    <default>piggyback</default>
+                    <Default>piggyback</Default>
                     <OptionValues>
                         <piggyback>Piggyback on existing cookie</piggyback>
                         <new>Insert new cookie</new>
                     </OptionValues>
                 </persistence_cookiemode>
                 <persistence_cookiename type="TextField">
-                    <default>SRVCOOKIE</default>
+                    <Default>SRVCOOKIE</Default>
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z\.,_\-:]){1,1024}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z\.,_\-:]){1,1024}$/u</Mask>
                     <ValidationMessage>Does not look like a valid cookie name (most special characters are not allowed).</ValidationMessage>
                 </persistence_cookiename>
                 <persistence_stripquotes type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </persistence_stripquotes>
                 <stickiness_pattern type="OptionField">
                     <Required>N</Required>
-                    <default>sourceipv4</default>
+                    <Default>sourceipv4</Default>
                     <OptionValues>
                         <sourceipv4>Source-IP [default]</sourceipv4>
                         <sourceipv6>Source-IPv6</sourceipv6>
@@ -1176,21 +1176,21 @@
                 </stickiness_dataTypes>
                 <stickiness_expire type="TextField">
                     <Required>Y</Required>
-                    <default>30m</default>
-                    <mask>/^([0-9]{1,5}(?:ms|s|m|h|d)?)/u</mask>
+                    <Default>30m</Default>
+                    <Mask>/^([0-9]{1,5}(?:ms|s|m|h|d)?)/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Should be a number between 1 and 5 characters followed by either "d", "h", "m", "s" or "ms".</ValidationMessage>
                 </stickiness_expire>
                 <stickiness_size type="TextField">
                     <Required>Y</Required>
-                    <default>50k</default>
-                    <mask>/^([0-9]{1,5}[k|m|g]{1})*/u</mask>
+                    <Default>50k</Default>
+                    <Mask>/^([0-9]{1,5}[k|m|g]{1})*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Should be a number between 1 and 5 characters followed by either "k", "m" or "g".</ValidationMessage>
                 </stickiness_size>
                 <stickiness_cookiename type="TextField">
                     <Required>N</Required>
-                    <mask>/^([0-9a-zA-Z\.,_\-:]){1,1024}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z\.,_\-:]){1,1024}$/u</Mask>
                     <ValidationMessage>Does not look like a valid cookie name (most special characters are not allowed).</ValidationMessage>
                 </stickiness_cookiename>
                 <stickiness_cookielength type="IntegerField">
@@ -1200,43 +1200,43 @@
                     <Required>N</Required>
                 </stickiness_cookielength>
                 <stickiness_connRatePeriod type="TextField">
-                    <default>10s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>10s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_connRatePeriod>
                 <stickiness_sessRatePeriod type="TextField">
-                    <default>10s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>10s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_sessRatePeriod>
                 <stickiness_httpReqRatePeriod type="TextField">
-                    <default>10s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>10s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_httpReqRatePeriod>
                 <stickiness_httpErrRatePeriod type="TextField">
-                    <default>10s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>10s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_httpErrRatePeriod>
                 <stickiness_bytesInRatePeriod type="TextField">
-                    <default>1m</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_bytesInRatePeriod>
                 <stickiness_bytesOutRatePeriod type="TextField">
-                    <default>1m</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_bytesOutRatePeriod>
                 <basicAuthEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </basicAuthEnabled>
                 <basicAuthUsers type="ModelRelationField">
@@ -1248,7 +1248,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related user not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </basicAuthUsers>
                 <basicAuthGroups type="ModelRelationField">
@@ -1260,21 +1260,21 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related group not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </basicAuthGroups>
                 <tuning_timeoutConnect type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </tuning_timeoutConnect>
                 <tuning_timeoutCheck type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </tuning_timeoutCheck>
                 <tuning_timeoutServer type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </tuning_timeoutServer>
@@ -1291,12 +1291,12 @@
                     <Required>N</Required>
                 </tuning_defaultserver>
                 <tuning_noport type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </tuning_noport>
                 <tuning_httpreuse type="OptionField">
                     <Required>N</Required>
-                    <default>safe</default>
+                    <Default>safe</Default>
                     <OptionValues>
                         <never>Never</never>
                         <safe>Safe [default]</safe>
@@ -1305,7 +1305,7 @@
                     </OptionValues>
                 </tuning_httpreuse>
                 <tuning_caching type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </tuning_caching>
                 <linkedActions type="ModelRelationField">
@@ -1318,7 +1318,7 @@
                     </Model>
                     <ValidationMessage>Related action item not found</ValidationMessage>
                     <Sorted>Y</Sorted>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedActions>
                 <linkedErrorfiles type="ModelRelationField">
@@ -1330,7 +1330,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related error file item not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedErrorfiles>
             </backend>
@@ -1341,21 +1341,21 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
                 <address type="TextField">
-                    <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
                     <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
                     <Required>N</Required>
                 </address>
@@ -1366,7 +1366,7 @@
                     <Required>N</Required>
                 </port>
                 <checkport type="IntegerField">
-                    <default></default>
+                    <Default></Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 65535.</ValidationMessage>
@@ -1374,7 +1374,7 @@
                 </checkport>
                 <mode type="OptionField">
                     <Required>N</Required>
-                    <default>active</default>
+                    <Default>active</Default>
                     <OptionValues>
                         <active>active [default]</active>
                         <backup>backup</backup>
@@ -1383,7 +1383,7 @@
                 </mode>
                 <multiplexer_protocol type="OptionField">
                     <Required>N</Required>
-                    <default>unspecified</default>
+                    <Default>unspecified</Default>
                     <OptionValues>
                         <unspecified>auto-selection [recommended]</unspecified>
                         <fcgi>FastCGI</fcgi>
@@ -1393,7 +1393,7 @@
                 </multiplexer_protocol>
                 <type type="OptionField">
                     <Required>Y</Required>
-                    <default>static</default>
+                    <Default>static</Default>
                     <OptionValues>
                         <static>static</static>
                         <template>template</template>
@@ -1401,12 +1401,12 @@
                     </OptionValues>
                 </type>
                 <serviceName type="TextField">
-                    <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
                     <ValidationMessage>Please specify a valid service name.</ValidationMessage>
                     <Required>N</Required>
                 </serviceName>
                 <number type="TextField">
-                    <mask>/^[0-9]+(-[0-9]+)?/u</mask>
+                    <Mask>/^[0-9]+(-[0-9]+)?/u</Mask>
                     <ValidationMessage>Please specify a valid number or range.</ValidationMessage>
                     <Required>N</Required>
                 </number>
@@ -1419,7 +1419,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related resolver not found</ValidationMessage>
-                    <multiple>N</multiple>
+                    <Multiple>N</Multiple>
                     <Required>N</Required>
                 </linkedResolver>
                 <resolverOpts type="OptionField">
@@ -1441,16 +1441,16 @@
                     </OptionValues>
                 </resolvePrefer>
                 <ssl type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </ssl>
                 <sslSNI type="TextField">
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </sslSNI>
                 <sslVerify type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </sslVerify>
                 <sslCA type="CertificateField">
@@ -1482,17 +1482,17 @@
                     <Required>N</Required>
                 </weight>
                 <checkInterval type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </checkInterval>
                 <checkDownInterval type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </checkDownInterval>
                 <source type="TextField">
-                    <mask>/^((([0-9a-zA-Z._\-\*:]+)))*/u</mask>
+                    <Mask>/^((([0-9a-zA-Z._\-\*:]+)))*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please specify a valid source address, i.e. 10.0.0.1 or loadbalancer.example.com:50000. Port range as start-end, i.e. 10.0.0.1:50000-60000.</ValidationMessage>
                     <Required>N</Required>
@@ -1520,18 +1520,18 @@
         <healthchecks>
             <healthcheck type="ArrayField">
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
                 <type type="OptionField">
                     <Required>Y</Required>
-                    <default>http</default>
+                    <Default>http</Default>
                     <OptionValues>
                         <tcp>TCP</tcp>
                         <http>HTTP [default]</http>
@@ -1546,14 +1546,14 @@
                     </OptionValues>
                 </type>
                 <interval type="TextField">
-                    <default>2s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>2s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>Y</Required>
                 </interval>
                 <ssl type="OptionField">
                     <Required>N</Required>
-                    <default>nopref</default>
+                    <Default>nopref</Default>
                     <OptionValues>
                         <nopref>Use server settings</nopref>
                         <ssl>Force SSL for health checks</ssl>
@@ -1562,17 +1562,17 @@
                     </OptionValues>
                 </ssl>
                 <sslSNI type="TextField">
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </sslSNI >
                 <!-- XXX: old value, required for model migration to 3.5.0 -->
                 <force_ssl type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </force_ssl>
                 <checkport type="IntegerField">
-                    <default></default>
+                    <Default></Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 65535.</ValidationMessage>
@@ -1580,7 +1580,7 @@
                 </checkport>
                 <http_method type="OptionField">
                     <Required>N</Required>
-                    <default>options</default>
+                    <Default>options</Default>
                     <OptionValues>
                         <options>OPTIONS [default]</options>
                         <head>HEAD</head>
@@ -1592,14 +1592,14 @@
                     </OptionValues>
                 </http_method>
                 <http_uri type="TextField">
-                    <default>/</default>
-                    <mask>/^(.*){1,255}$/u</mask>
+                    <Default>/</Default>
+                    <Mask>/^(.*){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </http_uri>
                 <http_version type="OptionField">
                     <Required>N</Required>
-                    <default>http10</default>
+                    <Default>http10</Default>
                     <OptionValues>
                         <http10>HTTP/1.0 [default]</http10>
                         <http11>HTTP/1.1</http11>
@@ -1607,13 +1607,13 @@
                     </OptionValues>
                 </http_version>
                 <http_host type="TextField">
-                    <default>localhost</default>
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Default>localhost</Default>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </http_host>
                 <http_expressionEnabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </http_expressionEnabled>
                 <http_expression type="OptionField">
@@ -1626,14 +1626,14 @@
                     </OptionValues>
                 </http_expression>
                 <http_negate type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </http_negate>
                 <http_value type="TextField">
                     <Required>N</Required>
                 </http_value>
                 <tcp_enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </tcp_enabled>
                 <tcp_sendValue type="TextField">
@@ -1641,7 +1641,7 @@
                 </tcp_sendValue>
                 <tcp_matchType type="OptionField">
                     <Required>N</Required>
-                    <default>string</default>
+                    <Default>string</Default>
                     <OptionValues>
                         <string>test the exact string match in the response buffer [default]</string>
                         <rstring>test a regular expression on the response buffer</rstring>
@@ -1649,7 +1649,7 @@
                     </OptionValues>
                 </tcp_matchType>
                 <tcp_negate type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </tcp_negate>
                 <tcp_matchValue type="TextField">
@@ -1662,26 +1662,26 @@
                     <Required>N</Required>
                 </agent_port>
                 <mysql_user type="TextField">
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </mysql_user>
                 <mysql_post41 type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </mysql_post41>
                 <pgsql_user type="TextField">
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </pgsql_user>
                 <smtp_domain type="TextField">
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </smtp_domain>
                 <esmtp_domain type="TextField">
-                    <mask>/^([0-9a-zA-Z._\-]){1,255}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </esmtp_domain>
@@ -1703,12 +1703,12 @@
                     <Required>N</Required>
                 </id>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
@@ -1772,124 +1772,124 @@
                     </OptionValues>
                 </expression>
                 <negate type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </negate>
                 <caseSensitive type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </caseSensitive>
                 <hdr_beg type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </hdr_beg>
                 <hdr_end type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </hdr_end>
                 <hdr type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </hdr>
                 <hdr_reg type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </hdr_reg>
                 <hdr_sub type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </hdr_sub>
                 <path_beg type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </path_beg>
                 <path_end type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </path_end>
                 <path type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </path>
                 <path_reg type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </path_reg>
                 <path_dir type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </path_dir>
                 <path_sub type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </path_sub>
                 <cust_hdr_beg_name type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_beg_name>
                 <cust_hdr_beg type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_beg>
                 <cust_hdr_end_name type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_end_name>
                 <cust_hdr_end type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_end>
                 <cust_hdr_name type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_name>
                 <cust_hdr type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr>
                 <cust_hdr_reg_name type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_reg_name>
                 <cust_hdr_reg type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_reg>
                 <cust_hdr_sub_name type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_sub_name>
                 <cust_hdr_sub type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </cust_hdr_sub>
                 <url_param type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </url_param>
                 <url_param_value type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </url_param_value>
                 <ssl_c_verify_code type="IntegerField">
@@ -1899,12 +1899,12 @@
                     <Required>N</Required>
                 </ssl_c_verify_code>
                 <ssl_c_ca_commonname type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </ssl_c_ca_commonname>
                 <ssl_hello_type type="OptionField">
                     <Required>N</Required>
-                    <default>x1</default>
+                    <Default>x1</Default>
                     <OptionValues>
                         <x0>0 - no client hello</x0>
                         <x1>1 - client hello</x1>
@@ -1912,12 +1912,12 @@
                     </OptionValues>
                 </ssl_hello_type>
                 <src type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </src>
                 <src_bytes_in_rate_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -1931,7 +1931,7 @@
                 </src_bytes_in_rate>
                 <src_bytes_out_rate_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -1945,7 +1945,7 @@
                 </src_bytes_out_rate>
                 <src_conn_cnt_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -1959,7 +1959,7 @@
                 </src_conn_cnt>
                 <src_conn_cur_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -1973,7 +1973,7 @@
                 </src_conn_cur>
                 <src_conn_rate_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -1987,7 +1987,7 @@
                 </src_conn_rate>
                 <src_http_err_cnt_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2001,7 +2001,7 @@
                 </src_http_err_cnt>
                 <src_http_err_rate_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2015,7 +2015,7 @@
                 </src_http_err_rate>
                 <src_http_req_cnt_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2029,7 +2029,7 @@
                 </src_http_req_cnt>
                 <src_http_req_rate_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2043,7 +2043,7 @@
                 </src_http_req_rate>
                 <src_kbytes_in_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2057,7 +2057,7 @@
                 </src_kbytes_in>
                 <src_kbytes_out_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2071,7 +2071,7 @@
                 </src_kbytes_out>
                 <src_port_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2085,7 +2085,7 @@
                 </src_port>
                 <src_sess_cnt_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2099,7 +2099,7 @@
                 </src_sess_cnt>
                 <src_sess_rate_comparison type="OptionField">
                     <Required>N</Required>
-                    <default>gt</default>
+                    <Default>gt</Default>
                     <OptionValues>
                         <gt>greater than</gt>
                         <ge>greater equal</ge>
@@ -2129,31 +2129,31 @@
                     <Required>N</Required>
                 </nbsrv_backend>
                 <ssl_fc_sni type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </ssl_fc_sni>
                 <ssl_sni type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </ssl_sni>
                 <ssl_sni_sub type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </ssl_sni_sub>
                 <ssl_sni_beg type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </ssl_sni_beg>
                 <ssl_sni_end type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </ssl_sni_end>
                 <ssl_sni_reg type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </ssl_sni_reg>
                 <custom_acl type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </custom_acl>
                 <!-- XXX old values, required for migration to model 2.0.0 -->
@@ -2184,7 +2184,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related user not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowedUsers>
                 <allowedGroups type="ModelRelationField">
@@ -2196,7 +2196,7 @@
                         </template>
                     </Model>
                     <ValidationMessage>Related group not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowedGroups>
             </acl>
@@ -2204,18 +2204,18 @@
         <actions>
             <action type="ArrayField">
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
                 <testType type="OptionField">
                     <Required>Y</Required>
-                    <default>if</default>
+                    <Default>if</Default>
                     <OptionValues>
                         <if>IF [default]</if>
                         <unless>UNLESS</unless>
@@ -2235,7 +2235,7 @@
                 </linkedAcls>
                 <operator type="OptionField">
                     <Required>N</Required>
-                    <default>and</default>
+                    <Default>and</Default>
                     <OptionValues>
                         <and>AND [default]</and>
                         <or>OR</or>
@@ -2314,75 +2314,75 @@
                     <Required>N</Required>
                 </use_server>
                 <fcgi_pass_header type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </fcgi_pass_header>
                 <fcgi_set_param type="TextField">
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </fcgi_set_param>
                 <http_request_auth type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_auth>
                 <!-- XXX: add support for all "redirect" parameters as separate fields -->
                 <http_request_redirect type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_redirect>
                 <http_request_lua type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_lua>
                 <http_request_use_service type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_use_service>
                 <http_request_add_header_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_add_header_name>
                 <http_request_add_header_content type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_add_header_content>
                 <http_request_set_header_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_set_header_name>
                 <http_request_set_header_content type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_set_header_content>
                 <http_request_del_header_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_del_header_name>
                 <http_request_replace_header_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_replace_header_name>
                 <http_request_replace_header_regex type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_replace_header_regex>
                 <http_request_replace_value_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_replace_value_name>
                 <http_request_replace_value_regex type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_replace_value_regex>
                 <http_request_set_path type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_set_path>
                 <http_request_set_var_scope type="OptionField">
                     <Required>N</Required>
-                    <default>txn</default>
+                    <Default>txn</Default>
                     <OptionValues>
                         <proc>variable is shared with the whole process</proc>
                         <sess>variable is shared with the whole session</sess>
@@ -2392,51 +2392,51 @@
                     </OptionValues>
                 </http_request_set_var_scope>
                 <http_request_set_var_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_set_var_name>
                 <http_request_set_var_expr type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_set_var_expr>
                 <http_response_lua type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_lua>
                 <http_response_add_header_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_add_header_name>
                 <http_response_add_header_content type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_add_header_content>
                 <http_response_set_header_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_set_header_name>
                 <http_response_set_header_content type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_set_header_content>
                 <http_response_del_header_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_del_header_name>
                 <http_response_replace_header_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_replace_header_name>
                 <http_response_replace_header_regex type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_replace_header_regex>
                 <http_response_replace_value_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_replace_value_name>
                 <http_response_replace_value_regex type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_replace_value_regex>
                 <http_response_set_status_code type="IntegerField">
@@ -2446,12 +2446,12 @@
                     <Required>N</Required>
                 </http_response_set_status_code>
                 <http_response_set_status_reason type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_set_status_reason>
                 <http_response_set_var_scope type="OptionField">
                     <Required>N</Required>
-                    <default>txn</default>
+                    <Default>txn</Default>
                     <OptionValues>
                         <proc>variable is shared with the whole process</proc>
                         <sess>variable is shared with the whole session</sess>
@@ -2461,39 +2461,39 @@
                     </OptionValues>
                 </http_response_set_var_scope>
                 <http_response_set_var_name type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_set_var_name>
                 <http_response_set_var_expr type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_set_var_expr>
                 <monitor_fail_uri type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </monitor_fail_uri>
                 <tcp_request_content_lua type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </tcp_request_content_lua>
                 <tcp_request_content_use_service type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </tcp_request_content_use_service>
                 <tcp_request_inspect_delay type="TextField">
-                    <mask>/^.{1,32}$/u</mask>
+                    <Mask>/^.{1,32}$/u</Mask>
                     <Required>N</Required>
                 </tcp_request_inspect_delay>
                 <tcp_response_content_lua type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </tcp_response_content_lua>
                 <tcp_response_inspect_delay type="TextField">
-                    <mask>/^.{1,32}$/u</mask>
+                    <Mask>/^.{1,32}$/u</Mask>
                     <Required>N</Required>
                 </tcp_response_inspect_delay>
                 <custom type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </custom>
                 <!-- XXX old values, required for migration to model 2.0.0 -->
@@ -2562,26 +2562,26 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
                 <preload type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </preload>
                 <filename_scheme type="OptionField">
                     <Required>Y</Required>
-                    <default>id</default>
+                    <Default>id</Default>
                     <OptionValues>
                         <id>Use a random ID for the filename [default]</id>
                         <name>Use the specified name as filename</name>
@@ -2598,48 +2598,48 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
                 <docroot type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 4096 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </docroot>
                 <index type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 4096 characters.</ValidationMessage>
                     <Required>N</Required>
                 </index>
                 <path_info type="TextField">
-                    <mask>/^.{1,4096}$/u</mask>
+                    <Mask>/^.{1,4096}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 4096 characters.</ValidationMessage>
                     <Required>N</Required>
                 </path_info>
                 <log_stderr type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </log_stderr>
                 <keep_conn type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>N</Required>
                 </keep_conn>
                 <get_values type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </get_values>
                 <mpxs_conns type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </mpxs_conns>
                 <max_reqs type="IntegerField">
@@ -2661,7 +2661,7 @@
                     </Model>
                     <ValidationMessage>Related action item not found</ValidationMessage>
                     <Sorted>Y</Sorted>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedActions>
             </fcgi>
@@ -2672,18 +2672,18 @@
                     <Required>Y</Required>
                 </id>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
                 <code type="OptionField">
                     <Required>Y</Required>
-                    <default>503</default>
+                    <Default>503</Default>
                     <OptionValues>
                         <x200>200</x200>
                         <x400>400</x400>
@@ -2708,12 +2708,12 @@
                     <Required>Y</Required>
                 </id>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
@@ -2728,16 +2728,16 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
@@ -2754,7 +2754,7 @@
                     <Required>N</Required>
                 </members>
                 <add_userlist type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </add_userlist>
             </group>
@@ -2765,21 +2765,21 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
                 <password type="TextField">
-                    <mask>/^.{1,512}$/u</mask>
+                    <Mask>/^.{1,512}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 512 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </password>
@@ -2791,11 +2791,11 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
@@ -2951,47 +2951,47 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </description>
                 <nameservers type="CSVListField">
                     <Required>N</Required>
                     <Sorted>Y</Sorted>
-                    <multiple>Y</multiple>
-                    <mask>/^((((udp@|tcp@)?[0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^((((udp@|tcp@)?[0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide a valid nameserver address, i.e. 127.0.0.1:53, [::1]:53 or tcp@192.168.1.1:53.</ValidationMessage>
                 </nameservers>
                 <parse_resolv_conf type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </parse_resolv_conf>
                 <resolve_retries type="IntegerField">
-                    <default>3</default>
+                    <Default>3</Default>
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>100000</MaximumValue>
                     <ValidationMessage>Please specify a value between 0 and 100000.</ValidationMessage>
                     <Required>N</Required>
                 </resolve_retries>
                 <timeout_resolve type="TextField">
-                    <default>1s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>1s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </timeout_resolve>
                 <timeout_retry type="TextField">
-                    <default>1s</default>
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Default>1s</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </timeout_retry>
@@ -3002,32 +3002,32 @@
                     <Required>N</Required>
                 </accepted_payload_size>
                 <hold_valid type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_valid>
                 <hold_obsolete type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_obsolete>
                 <hold_refused type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_refused>
                 <hold_nx type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_nx>
                 <hold_timeout type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_timeout>
                 <hold_other type="TextField">
-                    <mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</mask>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </hold_other>
@@ -3039,24 +3039,24 @@
                     <Required>Y</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</mask>
+                    <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>Y</Required>
                 </name>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </description>
                 <mailservers type="CSVListField">
                     <Required>Y</Required>
                     <Sorted>Y</Sorted>
-                    <multiple>Y</multiple>
-                    <mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide mailserver addresses, i.e. 192.168.1.1:25.</ValidationMessage>
                 </mailservers>
@@ -3068,7 +3068,7 @@
                 </recipient>
                 <loglevel type="OptionField">
                     <Required>Y</Required>
-                    <default>alert</default>
+                    <Default>alert</Default>
                     <OptionValues>
                         <emerg>emerg</emerg>
                         <alert>alert</alert>
@@ -3081,7 +3081,7 @@
                     </OptionValues>
                 </loglevel>
                 <timeout type="TextField">
-                    <default>30</default>
+                    <Default>30</Default>
                     <MinimumValue>4</MinimumValue>
                     <MaximumValue>10000</MaximumValue>
                     <ValidationMessage>Please specify a value between 4 and 10000 seconds.</ValidationMessage>
@@ -3095,7 +3095,7 @@
         <maintenance>
             <cronjobs>
                 <syncCerts type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </syncCerts>
                 <syncCertsCron type="ModelRelationField">
@@ -3114,7 +3114,7 @@
                 </syncCertsCron>
                 <!-- XXX: old value, required for model migration to 4.1.0 -->
                 <updateOcsp type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </updateOcsp>
                 <updateOcspCron type="ModelRelationField">
@@ -3132,7 +3132,7 @@
                     <Required>N</Required>
                 </updateOcspCron>
                 <reloadService type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </reloadService>
                 <reloadServiceCron type="ModelRelationField">
@@ -3150,7 +3150,7 @@
                     <Required>N</Required>
                 </reloadServiceCron>
                 <restartService type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </restartService>
                 <restartServiceCron type="ModelRelationField">
diff --git a/net/ntopng/src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml b/net/ntopng/src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml
index dea24b7d2e..580e20651f 100644
--- a/net/ntopng/src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml
+++ b/net/ntopng/src/opnsense/mvc/app/models/OPNsense/Ntopng/General.xml
@@ -4,7 +4,7 @@
     <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <interface type="InterfaceField">
@@ -14,7 +14,7 @@
         </interface>
         <httpport type="PortField">
             <Required>Y</Required>
-            <default>3000</default>
+            <Default>3000</Default>
         </httpport>
         <httpsport type="PortField">
             <Required>N</Required>
diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
index 231a2e9ba7..273500536a 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
@@ -8,13 +8,13 @@
         <general>
 
             <enabled type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </enabled>
 
             <logLevel type="OptionField">
                 <Required>Y</Required>
-                <default>2</default>
+                <Default>2</Default>
                 <OptionValues>
                     <ll1 value="1">1 (only serious errors)</ll1>
                     <ll2 value="2">2 (default)</ll2>
@@ -26,7 +26,7 @@
 
             <logFullUsername type="OptionField">
                 <Required>Y</Required>
-                <default>off</default>
+                <Default>off</Default>
                 <OptionValues>
                     <on>On</on>
                     <off>Off</off>
@@ -35,7 +35,7 @@
 
             <logMac type="OptionField">
                 <Required>Y</Required>
-                <default>Original</default>
+                <Default>Original</Default>
                 <OptionValues>
                     <Static>Static</Static>
                     <Original>Original</Original>
@@ -48,7 +48,7 @@
 
             <loopPrevention type="OptionField">
                 <Required>Y</Required>
-                <default>on</default>
+                <Default>on</Default>
                 <OptionValues>
                     <on>On</on>
                     <off>Off</off>
@@ -93,13 +93,13 @@
             <client type="ArrayField">
 
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
 
                 <identifier type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z_\-]){1,25}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
                     <Constraints>
                         <check001>
@@ -125,7 +125,7 @@
 
                 <type type="OptionField">
                     <Required>Y</Required>
-                    <default>udp</default>
+                    <Default>udp</Default>
                     <OptionValues>
                         <udp>UDP</udp>
                         <tcp>TCP</tcp>
@@ -165,7 +165,7 @@
 
                 <certificateNameCheck type="OptionField">
                     <Required>Y</Required>
-                    <default>off</default>
+                    <Default>off</Default>
                     <OptionValues>
                         <on>On</on>
                         <off>Off</off>
@@ -206,7 +206,7 @@
 
                 <identifier type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z_\-]){1,25}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
                     <Constraints>
                         <check001>
@@ -231,7 +231,7 @@
 
                 <statusServer type="OptionField">
                     <Required>Y</Required>
-                    <default>off</default>
+                    <Default>off</Default>
                     <OptionValues>
                         <on>On</on>
                         <off>Off</off>
@@ -242,7 +242,7 @@
 
                 <type type="OptionField">
                     <Required>Y</Required>
-                    <default>udp</default>
+                    <Default>udp</Default>
                     <OptionValues>
                         <udp>UDP</udp>
                         <tcp>TCP</tcp>
@@ -282,7 +282,7 @@
 
                 <certificateNameCheck type="OptionField">
                     <Required>Y</Required>
-                    <default>off</default>
+                    <Default>off</Default>
                     <OptionValues>
                         <on>On</on>
                         <off>Off</off>
@@ -323,9 +323,9 @@
 
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z_\-]){1,25}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
-                    <default>default</default>
+                    <Default>default</Default>
                     <Constraints>
                         <check001>
                             <type>UniqueConstraint</type>
@@ -352,12 +352,12 @@
 
                 <policyOids type="CSVListField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                 </policyOids>
 
                 <crlCheck type="OptionField">
                     <Required>Y</Required>
-                    <default>off</default>
+                    <Default>off</Default>
                     <OptionValues>
                         <on>On</on>
                         <off>Off</off>
@@ -375,7 +375,7 @@
             <realm type="ArrayField">
 
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
 
@@ -424,7 +424,7 @@
 
                 <accountingResponse type="OptionField">
                     <Required>Y</Required>
-                    <default>off</default>
+                    <Default>off</Default>
                     <OptionValues>
                         <on>On</on>
                         <off>Off</off>
@@ -442,15 +442,15 @@
             <rewrite type="ArrayField">
 
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
 
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z_\-]){1,25}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z_\-]){1,25}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 25 characters whithout special characters.</ValidationMessage>
-                    <default>default</default>
+                    <Default>default</Default>
                     <Constraints>
                         <check001>
                             <type>UniqueConstraint</type>
@@ -493,7 +493,7 @@
 
                 <whitelistMode type="OptionField">
                     <Required>Y</Required>
-                    <default>off</default>
+                    <Default>off</Default>
                     <OptionValues>
                         <on>On</on>
                         <off>Off</off>
diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index 59e4e82365..45e1fd94bc 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -38,7 +38,7 @@
          </enabled>
          <name type="TextField">
             <Required>Y</Required>
-            <mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</mask>
+            <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
             <Constraints>
                 <check001>
@@ -49,7 +49,7 @@
          </name>
          <address type="TextField">
             <Required>Y</Required>
-            <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+            <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
             <ChangeCase>lower</ChangeCase>
             <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
          </address>
@@ -72,7 +72,7 @@
       <table type="ArrayField">
          <name type="TextField">
             <Required>Y</Required>
-            <mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</mask>
+            <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
             <Constraints>
                 <check001>
@@ -101,7 +101,7 @@
       <tablecheck type="ArrayField">
          <name type="TextField">
             <Required>Y</Required>
-            <mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</mask>
+            <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
          </name>
          <type type="OptionField">
@@ -120,7 +120,7 @@
             <Required>N</Required>
          </path>
          <host type="TextField">
-            <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+            <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
             <ChangeCase>lower</ChangeCase>
             <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
             <Required>N</Required>
@@ -145,7 +145,7 @@
       <virtualserver type="ArrayField">
          <name type="TextField">
             <Required>Y</Required>
-            <mask>/^([0-9a-zA-Z\._\- ]){1,31}$/u</mask>
+            <Mask>/^([0-9a-zA-Z\._\- ]){1,31}$/u</Mask>
             <ValidationMessage>Should be a string between 1 and 31 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
             <Constraints>
                 <check001>
@@ -168,7 +168,7 @@
          </type>
          <listen_address type="TextField">
             <Required>Y</Required>
-            <mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</mask>
+            <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
             <ChangeCase>lower</ChangeCase>
             <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
          </listen_address>
@@ -243,7 +243,7 @@
          </transport_timeout>
          <transport_tablemode type="OptionField">
             <Required>Y</Required>
-            <default>roundrobin</default>
+            <Default>roundrobin</Default>
             <OptionValues>
                <hash>Hash</hash>
                <least-states>Least States</least-states>
@@ -307,7 +307,7 @@
          </backuptransport_tablecheck>
          <backuptransport_tablemode type="OptionField">
             <Required>Y</Required>
-            <default>roundrobin</default>
+            <Default>roundrobin</Default>
             <OptionValues>
                <hash>Hash</hash>
                <least-states>Least States</least-states>
@@ -339,7 +339,7 @@
       <protocol type="ArrayField">
          <name type="TextField">
             <Required>Y</Required>
-            <mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</mask>
+            <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
             <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
          </name>
          <type type="OptionField">
diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
index b255c07344..af91c85a95 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
@@ -4,34 +4,34 @@
     <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <serveraddress type="HostnameField">
-            <default>127.0.0.1</default>
+            <Default>127.0.0.1</Default>
             <Required>Y</Required>
             <ValidationMessage>Please provide a valid hostname or IP address.</ValidationMessage>
         </serveraddress>
         <serverport type="IntegerField">
-            <default>8388</default>
+            <Default>8388</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
             <ValidationMessage>Please provide a valid port number between 1 and 65535.</ValidationMessage>
         </serverport>
         <localport type="IntegerField">
-            <default>1080</default>
+            <Default>1080</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
             <ValidationMessage>Please provide a valid port number between 1 and 65535.</ValidationMessage>
         </localport>
         <password type="TextField">
-            <default>password</default>
+            <Default>password</Default>
             <Required>N</Required>
         </password>
         <cipher type="OptionField">
-            <default>AES-256-CFB</default>
+            <Default>AES-256-CFB</Default>
             <Required>Y</Required>
             <OptionValues>
                 <aes-256-cfb>AES-256-CFB</aes-256-cfb>
@@ -47,7 +47,7 @@
             </OptionValues>
         </cipher>
         <tcpudpmode type="OptionField">
-            <default>tcp_only</default>
+            <Default>tcp_only</Default>
             <Required>Y</Required>
             <OptionValues>
                 <tcp_only>TCP only</tcp_only>
diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
index a08dbf0798..1ea0e8817c 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
@@ -4,39 +4,39 @@
     <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <serveraddress type="HostnameField">
-            <default>127.0.0.1</default>
+            <Default>127.0.0.1</Default>
             <Required>Y</Required>
             <ValidationMessage>Please provide a valid hostname or IP address.</ValidationMessage>
         </serveraddress>
         <serverport type="IntegerField">
-            <default>8388</default>
+            <Default>8388</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
             <ValidationMessage>Please provide a valid port number between 1 and 65535.</ValidationMessage>
         </serverport>
         <localaddress type="HostnameField">
-            <default>127.0.0.1</default>
+            <Default>127.0.0.1</Default>
             <Required>Y</Required>
             <ValidationMessage>Please provide a valid hostname or IP address.</ValidationMessage>
         </localaddress>
         <localport type="IntegerField">
-            <default>1080</default>
+            <Default>1080</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
             <ValidationMessage>Please provide a valid port number between 1 and 65535.</ValidationMessage>
         </localport>
         <password type="TextField">
-            <default>password</default>
+            <Default>password</Default>
             <Required>N</Required>
         </password>
         <cipher type="OptionField">
-            <default>AES-256-CFB</default>
+            <Default>AES-256-CFB</Default>
             <Required>Y</Required>
             <OptionValues>
                 <aes-256-cfb>AES-256-CFB</aes-256-cfb>
diff --git a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/Domain.xml b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/Domain.xml
index 977c7d3145..d2cf4bb516 100644
--- a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/Domain.xml
+++ b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/Domain.xml
@@ -6,19 +6,19 @@
         <domains>
             <domain type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
                 </name>
                 <host type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
                 </host>
                 <port type="IntegerField">
-                    <default>5060</default>
+                    <Default>5060</Default>
                     <Required>Y</Required>
                 </port>
             </domain>
diff --git a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/General.xml b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/General.xml
index f0fa8cf235..0154ec3bf8 100644
--- a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/General.xml
+++ b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/General.xml
@@ -4,119 +4,119 @@
     <version>1.1.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <if_inbound type="InterfaceField">
-            <default></default>
+            <Default></Default>
             <Required>Y</Required>
         </if_inbound>
         <if_outbound type="InterfaceField">
-            <default></default>
+            <Default></Default>
             <Required>Y</Required>
         </if_outbound>
         <host_outbound type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </host_outbound>
         <hosts_allow_reg type="NetworkField">
-            <default></default>
+            <Default></Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
         </hosts_allow_reg>
         <hosts_allow_sip type="NetworkField">
-            <default></default>
+            <Default></Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
         </hosts_allow_sip>
         <hosts_deny_sip type="NetworkField">
-            <default></default>
+            <Default></Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
         </hosts_deny_sip>
         <sip_listen_port type="IntegerField">
-            <default>5060</default>
+            <Default>5060</Default>
             <Required>Y</Required>
 	    <MinimumValue>1</MinimumValue>
 	    <MaximumValue>65535</MaximumValue>
         </sip_listen_port>
         <rtp_port_low type="IntegerField">
-            <default>7070</default>
+            <Default>7070</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
         </rtp_port_low>
         <rtp_port_high type="IntegerField">
-            <default>7089</default>
+            <Default>7089</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
         </rtp_port_high>
         <rtp_timeout type="IntegerField">
-            <default>300</default>
+            <Default>300</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>10000</MaximumValue>
         </rtp_timeout>
         <rtp_dscp type="IntegerField">
-            <default>46</default>
+            <Default>46</Default>
             <Required>Y</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>64</MaximumValue>
         </rtp_dscp>
         <sip_dscp type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>64</MaximumValue>
         </sip_dscp>
         <rtp_input_dejitter type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>5000</MaximumValue>
         </rtp_input_dejitter>
         <rtp_output_dejitter type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>5000</MaximumValue>
         </rtp_output_dejitter>
         <proxy_auth_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </proxy_auth_enable>
         <tcp_timeout type="IntegerField">
-            <default>600</default>
+            <Default>600</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>10000</MaximumValue>
         </tcp_timeout>
         <tcp_connect_timeout type="IntegerField">
-            <default>500</default>
+            <Default>500</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>10000</MaximumValue>
         </tcp_connect_timeout>
         <tcp_keepalive type="IntegerField">
-            <default>20</default>
+            <Default>20</Default>
             <Required>Y</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>10000</MaximumValue>
         </tcp_keepalive>
         <ua_string type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </ua_string>
         <use_rport type="OptionField">
-            <default>Option1</default>
-            <multiple>N</multiple>
+            <Default>Option1</Default>
+            <Multiple>N</Multiple>
             <Required>Y</Required>
                 <OptionValues>
                     <Option1 value="0">Do not add ;rport to via header (0)</Option1>
@@ -126,64 +126,64 @@
                 </OptionValues>
         </use_rport>
         <plugin_defaulttarget_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </plugin_defaulttarget_enable>
         <plugin_defaulttarget_log type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </plugin_defaulttarget_log>
         <plugin_defaulttarget_target type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </plugin_defaulttarget_target>
         <plugin_fix_bogus_via_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </plugin_fix_bogus_via_enable>
         <plugin_fix_bogus_via_networks type="NetworkField">
-            <default>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16</default>
+            <Default>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16</Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
         </plugin_fix_bogus_via_networks>
         <plugin_fix_DTAG_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </plugin_fix_DTAG_enable>
         <plugin_fix_DTAG_networks type="NetworkField">
-            <default>217.0.23.100/32</default>
+            <Default>217.0.23.100/32</Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
         </plugin_fix_DTAG_networks>
         <plugin_fbox_anoncall_enable type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </plugin_fbox_anoncall_enable>
         <plugin_fbox_anoncall_networks type="NetworkField">
-            <default>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16</default>
+            <Default>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16</Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
             <FieldSeparator>,</FieldSeparator>
             <Required>N</Required>
         </plugin_fbox_anoncall_networks>
         <plugin_stun_server_enable type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </plugin_stun_server_enable>
         <plugin_stun_server_host type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </plugin_stun_server_host>
         <plugin_stun_server_port type="IntegerField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </plugin_stun_server_port>
         <plugin_stun_server_period type="IntegerField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </plugin_stun_server_period>
     </items>
diff --git a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
index bba5fac7fc..57b7cc8af1 100644
--- a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
+++ b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
@@ -6,18 +6,18 @@
         <users>
             <user type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <username type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
                 </username>
                 <password type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){1,128}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){1,128}$/u</Mask>
                 </password>
             </user>
         </users>
diff --git a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
index 0250057c9a..540b23db0d 100644
--- a/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
+++ b/net/sslh/src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml
@@ -4,16 +4,16 @@
     <items>
         <enabled type="BooleanField">
             <Required>Y</Required>
-            <default>0</default>
+            <Default>0</Default>
         </enabled>
         <listen_addresses type="CSVListField">
             <Required>Y</Required>
-            <default>localhost:443</default>
+            <Default>localhost:443</Default>
             <validationmessage>Please enter at least one hostname/IP:port combination.</validationmessage>
         </listen_addresses>
         <mode type="OptionField">
             <Required>Y</Required>
-            <default>fork</default>
+            <Default>fork</Default>
             <Multiple>N</Multiple>
             <OptionValues>
                 <option value="fork">fork</option>
@@ -46,7 +46,7 @@
         </anyprot_target>
         <on_timeout type="OptionField">
             <Required>Y</Required>
-            <default>ssh</default>
+            <Default>ssh</Default>
             <Multiple>N</Multiple>
             <OptionValues>
                 <option value="ssh">SSH</option>
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
index 3b8931b41a..0644ef6187 100644
--- a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
@@ -4,34 +4,34 @@
     <version>1.2.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <v4address type="NetworkField">
-            <default>192.168.255.1</default>
+            <Default>192.168.255.1</Default>
             <Required>Y</Required>
         </v4address>
         <v4destination type="NetworkField">
-            <default>192.168.254.1</default>
+            <Default>192.168.254.1</Default>
             <Required>Y</Required>
         </v4destination>
         <v6address type="NetworkField">
             <Required>N</Required>
         </v6address>
         <v6destination type="NetworkField">
-            <default>2001:db8:1:ffff::1</default>
+            <Default>2001:db8:1:ffff::1</Default>
             <Required>Y</Required>
         </v6destination>
         <v6prefix type="NetworkField">
-            <default>64:ff9b::/96</default>
+            <Default>64:ff9b::/96</Default>
             <Required>Y</Required>
         </v6prefix>
         <v4pool type="NetworkField">
-            <default>192.168.255.0/24</default>
+            <Default>192.168.255.0/24</Default>
             <Required>Y</Required>
         </v4pool>
         <v6routedisabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </v6routedisabled>
     </items>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
index 9c0346aef2..573ff81230 100644
--- a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
@@ -11,7 +11,7 @@
             <ListenIP type="NetworkField">
                 <Default>127.0.0.1</Default>
                 <FieldSeparator>,</FieldSeparator>
-                <asList>Y</asList>
+                <AsList>Y</AsList>
                 <Required>Y</Required>
             </ListenIP>
             <ListenPort type="PortField">
@@ -44,12 +44,12 @@
             </UseAuthSecret>
             <StaticAuthSecret type="TextField">
                 <Required>N</Required>
-                <mask>/^.{16,128}$/u</mask>
+                <Mask>/^.{16,128}$/u</Mask>
                 <ValidationMessage>Should be a string between 16 and 128 characters.</ValidationMessage>
             </StaticAuthSecret>
             <Realm type="TextField">
                 <Required>N</Required>
-                <mask>/^.{1,128}$/u</mask>
+                <Mask>/^.{1,128}$/u</Mask>
                 <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
             </Realm>
             <FingerprintsEnabled type="BooleanField">
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
index 20638487e7..48f0028d51 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
@@ -5,29 +5,29 @@
    <items>
       <udpbroadcastrelay type="ArrayField">
          <enabled type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
          </enabled>
             <interfaces type="InterfaceField">
-            <default>lan</default>
+            <Default>lan</Default>
             <Required>Y</Required>
-            <multiple>Y</multiple>
+            <Multiple>Y</Multiple>
             </interfaces>
          <multicastaddress type="CSVListField">
             <Required>N</Required>
-            <default></default>
-            <multiple>Y</multiple>
-            <mask>/^([\/0-9.,])*/u</mask>
+            <Default></Default>
+            <Multiple>Y</Multiple>
+            <Mask>/^([\/0-9.,])*/u</Mask>
             <ValidationMessage>Broadcast address must be a valid IPv4 address</ValidationMessage>
          </multicastaddress>
          <sourceaddress  type="TextField">
             <Required>N</Required>
-            <default></default>
-            <mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</mask>
+            <Default></Default>
+            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
             <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
          </sourceaddress>
          <listenport type="IntegerField">
-            <default></default>
+            <Default></Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>65535</MaximumValue>
@@ -35,24 +35,24 @@
          </listenport>
          <sourceaddress  type="TextField">
             <Required>N</Required>
-            <default></default>
-            <mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</mask>
+            <Default></Default>
+            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
             <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
          </sourceaddress>
          <InstanceID type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>63</MaximumValue>
             <ValidationMessage>InstanceID needs to be an integer value between 1 and 63</ValidationMessage>
          </InstanceID>
          <RevertTTL type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
          </RevertTTL>
          <description type="TextField">
             <Required>N</Required>
-            <mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+            <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
             <ValidationMessage>Enter a description.</ValidationMessage>
          </description>
       </udpbroadcastrelay>
diff --git a/net/vnstat/src/opnsense/mvc/app/models/OPNsense/Vnstat/General.xml b/net/vnstat/src/opnsense/mvc/app/models/OPNsense/Vnstat/General.xml
index fa94d7dc05..568eccc481 100644
--- a/net/vnstat/src/opnsense/mvc/app/models/OPNsense/Vnstat/General.xml
+++ b/net/vnstat/src/opnsense/mvc/app/models/OPNsense/Vnstat/General.xml
@@ -4,12 +4,12 @@
     <version>0.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <interface type="InterfaceField">
             <Required>N</Required>
-            <multiple>Y</multiple>
+            <Multiple>Y</Multiple>
         </interface>
     </items>
 </model>
diff --git a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
index d4fb195305..08c10cc1fb 100644
--- a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
+++ b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
@@ -6,23 +6,23 @@
       <wolentry type="ArrayField">
         <interface type="InterfaceField">
             <Required>Y</Required>
-            <multiple>N</multiple>
-            <default></default>
+            <Multiple>N</Multiple>
+            <Default></Default>
             <filters>
                 <enable>/^(?!0).*$/</enable>
             </filters>
         </interface>
         <mac type="TextField">
             <Required>Y</Required>
-            <multiple>N</multiple>
-            <mask>/^((?:[a-fA-F0-9]{2}:){5}(?:[a-fA-F0-9]{2}))$/</mask>
-            <default>00:00:00:00:00:00</default>
+            <Multiple>N</Multiple>
+            <Mask>/^((?:[a-fA-F0-9]{2}:){5}(?:[a-fA-F0-9]{2}))$/</Mask>
+            <Default>00:00:00:00:00:00</Default>
             <ValidationMessage>Should be 6 groups of 2 hex characters (a-fA-F0-9) separated by ':'</ValidationMessage>
         </mac>
         <descr type="TextField">
             <Required>N</Required>
-            <multiple>N</multiple>
-            <default></default>
+            <Multiple>N</Multiple>
+            <Default></Default>
         </descr>
       </wolentry>
     </items>
diff --git a/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.xml b/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.xml
index d081852fbb..1a5b010145 100644
--- a/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.xml
+++ b/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.xml
@@ -6,11 +6,11 @@
     <version>1.3.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <apiAccessToken type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </apiAccessToken>
         <localconf type="TextField">
@@ -19,15 +19,15 @@
         <networks>
             <network type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>Y</Required>
                 </enabled>
                 <networkId type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>Y</Required>
                 </networkId>
                 <description type="TextField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
                 </description>
             </network>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index b1efacf4ac..7932d6c704 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -5,11 +5,11 @@
     <items>
         <settings>
             <enabled type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </enabled>
             <autoRenewal type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </autoRenewal>
             <UpdateCron type="ModelRelationField">
@@ -28,32 +28,32 @@
             </UpdateCron>
             <environment type="OptionField">
                 <Required>N</Required>
-                <default>prod</default>
+                <Default>prod</Default>
                 <OptionValues>
                     <prod>Production Environment [default]</prod>
                     <stg>Staging Environment</stg>
                 </OptionValues>
             </environment>
             <challengePort type="PortField">
-                <default>43580</default>
+                <Default>43580</Default>
                 <MinimumValue>1024</MinimumValue>
                 <MaximumValue>65535</MaximumValue>
                 <Required>Y</Required>
             </challengePort>
             <TLSchallengePort type="PortField">
-                <default>43581</default>
+                <Default>43581</Default>
                 <MinimumValue>1024</MinimumValue>
                 <MaximumValue>65535</MaximumValue>
                 <Required>Y</Required>
             </TLSchallengePort>
             <restartTimeout type="IntegerField">
-                <default>600</default>
+                <Default>600</Default>
                 <MinimumValue>10</MinimumValue>
                 <MaximumValue>86400</MaximumValue>
                 <Required>Y</Required>
             </restartTimeout>
             <haproxyIntegration type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>N</Required>
             </haproxyIntegration>
             <haproxyAclRef type="ModelRelationField">
@@ -65,7 +65,7 @@
                     </acls>
                 </Model>
                 <ValidationMessage>Related HAProxy ACL not found.</ValidationMessage>
-                <multiple>N</multiple>
+                <Multiple>N</Multiple>
                 <Required>N</Required>
             </haproxyAclRef>
             <haproxyActionRef type="ModelRelationField">
@@ -77,7 +77,7 @@
                     </actions>
                 </Model>
                 <ValidationMessage>Related HAProxy action not found.</ValidationMessage>
-                <multiple>N</multiple>
+                <Multiple>N</Multiple>
                 <Required>N</Required>
             </haproxyActionRef>
             <haproxyServerRef type="ModelRelationField">
@@ -89,7 +89,7 @@
                     </servers>
                 </Model>
                 <ValidationMessage>Related HAProxy server not found.</ValidationMessage>
-                <multiple>N</multiple>
+                <Multiple>N</Multiple>
                 <Required>N</Required>
             </haproxyServerRef>
             <haproxyBackendRef type="ModelRelationField">
@@ -101,12 +101,12 @@
                     </backends>
                 </Model>
                 <ValidationMessage>Related HAProxy backend not found.</ValidationMessage>
-                <multiple>N</multiple>
+                <Multiple>N</Multiple>
                 <Required>N</Required>
             </haproxyBackendRef>
             <logLevel type="OptionField">
                 <Required>Y</Required>
-                <default>normal</default>
+                <Default>normal</Default>
                 <OptionValues>
                     <normal>normal</normal>
                     <extended>extended</extended>
@@ -117,7 +117,7 @@
             </logLevel>
             <showIntro type="BooleanField">
                 <Required>Y</Required>
-                <default>1</default>
+                <Default>1</Default>
             </showIntro>
         </settings>
         <accounts>
@@ -126,17 +126,17 @@
                     <Required>N</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </name>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </description>
                 <email type="EmailField">
@@ -144,7 +144,7 @@
                 </email>
                 <ca type="OptionField">
                     <Required>Y</Required>
-                    <default>letsencrypt</default>
+                    <Default>letsencrypt</Default>
                     <OptionValues>
                         <buypass>Buypass</buypass>
                         <buypass_test>Buypass Test CA</buypass_test>
@@ -159,17 +159,17 @@
                 </ca>
                 <custom_ca type="TextField">
                     <Required>N</Required>
-                    <mask>/^https?:\/\/.*[^\/]$/</mask>
+                    <Mask>/^https?:\/\/.*[^\/]$/</Mask>
                     <ValidationMessage>The URL must be a valid ACME endpoint without a trailing slash.</ValidationMessage>
                 </custom_ca>
                 <eab_kid type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,8192}$/u</mask>
+                    <Mask>/^.{1,8192}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 8192 characters.</ValidationMessage>
                 </eab_kid>
                 <eab_hmac type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,8192}$/u</mask>
+                    <Mask>/^.{1,8192}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 8192 characters.</ValidationMessage>
                 </eab_hmac>
                 <!-- hidden field; the private key for this account -->
@@ -179,7 +179,7 @@
                 <!-- hidden field; status of last operation -->
                 <statusCode type="IntegerField">
                     <Required>N</Required>
-                    <default>100</default>
+                    <Default>100</Default>
                     <MinimumValue>100</MinimumValue>
                     <MaximumValue>1000</MaximumValue>
                 </statusCode>
@@ -195,23 +195,23 @@
                     <Required>N</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^[^\s^\t^,^;^\\^\/^(^)^\[^\]]{1,255}$/u</mask>
+                    <Mask>/^[^\s^\t^,^;^\\^\/^(^)^\[^\]]{1,255}$/u</Mask>
                     <ValidationMessage>Please provide a valid FQDN, i.e. www.example.com or mail.example.com (max 255 characters).</ValidationMessage>
                 </name>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </description>
                 <altNames type="CSVListField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
-                    <mask>/^[^\s^\t^;^\\^\/^(^)^\[^\]]{1,65535}$/u</mask>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^[^\s^\t^;^\\^\/^(^)^\[^\]]{1,65535}$/u</Mask>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide one or more valid FQDNs, i.e. www.example.com or mail.example.com. Field length is limited to 65535 characters.</ValidationMessage>
                 </altNames>
@@ -227,7 +227,7 @@
                         </accounts>
                     </Model>
                     <ValidationMessage>Related item not found</ValidationMessage>
-                    <multiple>N</multiple>
+                    <Multiple>N</Multiple>
                     <Required>Y</Required>
                 </account>
                 <validationMethod type="ModelRelationField">
@@ -242,12 +242,12 @@
                         </validations>
                     </Model>
                     <ValidationMessage>Related item not found</ValidationMessage>
-                    <multiple>N</multiple>
+                    <Multiple>N</Multiple>
                     <Required>Y</Required>
                 </validationMethod>
                 <keyLength type="OptionField">
                     <Required>Y</Required>
-                    <default>key_4096</default>
+                    <Default>key_4096</Default>
                     <OptionValues>
                         <key_2048>2048 bit</key_2048>
                         <key_3072>3072 bit</key_3072>
@@ -257,7 +257,7 @@
                     </OptionValues>
                 </keyLength>
                 <ocsp type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </ocsp>
                 <restartActions type="ModelRelationField">
@@ -273,22 +273,22 @@
                     </Model>
                     <ValidationMessage>Related automation not found</ValidationMessage>
                     <Sorted>Y</Sorted>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </restartActions>
                 <autoRenewal type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </autoRenewal>
                 <renewInterval type="IntegerField">
                     <Required>Y</Required>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>5000</MaximumValue>
-                    <default>60</default>
+                    <Default>60</Default>
                 </renewInterval>
                 <aliasmode type="OptionField">
                     <Required>Y</Required>
-                    <default>none</default>
+                    <Default>none</Default>
                     <OptionValues>
                         <none>Not using DNS alias mode</none>
                         <automatic>Automatic Mode (uses DNS lookups)</automatic>
@@ -313,7 +313,7 @@
                 <!-- hidden field; status of last operation -->
                 <statusCode type="IntegerField">
                     <Required>N</Required>
-                    <default>100</default>
+                    <Default>100</Default>
                     <MinimumValue>100</MinimumValue>
                     <MaximumValue>1000</MaximumValue>
                 </statusCode>
@@ -329,22 +329,22 @@
                     <Required>N</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </name>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </description>
                 <method type="OptionField">
                     <Required>Y</Required>
-                    <default>dns01</default>
+                    <Default>dns01</Default>
                     <OptionValues>
                         <http01>HTTP-01</http01>
                         <dns01>DNS-01</dns01>
@@ -353,14 +353,14 @@
                 </method>
                 <http_service type="OptionField">
                     <Required>Y</Required>
-                    <default>opnsense</default>
+                    <Default>opnsense</Default>
                     <OptionValues>
                         <opnsense>OPNsense Web Service (automatic port forward)</opnsense>
                         <haproxy>HAProxy HTTP Frontend Integration (OPNsense plugin)</haproxy>
                     </OptionValues>
                 </http_service>
                 <http_opn_autodiscovery type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>N</Required>
                 </http_opn_autodiscovery>
                 <http_opn_interface type="InterfaceField">
@@ -371,10 +371,10 @@
                 </http_opn_interface>
                 <http_opn_ipaddresses type="CSVListField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                 </http_opn_ipaddresses>
                 <http_haproxyInject type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>N</Required>
                 </http_haproxyInject>
                 <http_haproxyFrontends type="ModelRelationField">
@@ -390,18 +390,18 @@
                         </frontends>
                     </Model>
                     <ValidationMessage>Related HAProxy frontend not found</ValidationMessage>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </http_haproxyFrontends>
                 <tlsalpn_service type="OptionField">
                     <Required>Y</Required>
-                    <default>acme</default>
+                    <Default>acme</Default>
                     <OptionValues>
                         <acme>acme.sh TLS Web Server (automatic port forward)</acme>
                     </OptionValues>
                 </tlsalpn_service>
                 <tlsalpn_acme_autodiscovery type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>N</Required>
                 </tlsalpn_acme_autodiscovery>
                 <tlsalpn_acme_interface type="InterfaceField">
@@ -412,11 +412,11 @@
                 </tlsalpn_acme_interface>
                 <tlsalpn_acme_ipaddresses type="CSVListField">
                     <Required>N</Required>
-                    <multiple>Y</multiple>
+                    <Multiple>Y</Multiple>
                 </tlsalpn_acme_ipaddresses>
                 <dns_service type="OptionField">
                     <Required>Y</Required>
-                    <default>dns_freedns</default>
+                    <Default>dns_freedns</Default>
                     <OptionValues>
                         <dns_1984hosting>1984Hosting</dns_1984hosting>
                         <dns_acmedns>ACME DNS</dns_acmedns>
@@ -535,7 +535,7 @@
                 <dns_sleep type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>84600</MaximumValue>
-                    <default>0</default>
+                    <Default>0</Default>
                     <ValidationMessage>Please specify a value between 0 and 84600 seconds.</ValidationMessage>
                     <Required>Y</Required>
                 </dns_sleep>
@@ -622,7 +622,7 @@
                 </dns_da_key>
                 <dns_da_insecure type="BooleanField">
                     <Required>N</Required>
-                    <default>1</default>
+                    <Default>1</Default>
                 </dns_da_insecure>
                 <dns_ddnss_token type="TextField">
                     <Required>N</Required>
@@ -777,7 +777,7 @@
                 </dns_ispconfig_api>
                 <dns_ispconfig_insecure type="BooleanField">
                     <Required>N</Required>
-                    <default>1</default>
+                    <Default>1</Default>
                 </dns_ispconfig_insecure>
                 <dns_jd_id type="TextField">
                     <Required>N</Required>
@@ -808,7 +808,7 @@
                 </dns_knot_key>
                 <dns_lexicon_provider type="OptionField">
                     <Required>N</Required>
-                    <default>cloudflare</default>
+                    <Default>cloudflare</Default>
                     <OptionValues>
                         <aliyun>Aliyun.com (UNSUPPORTED)</aliyun>
                         <aurora>AuroraDNS (UNSUPPORTED)</aurora>
@@ -890,7 +890,7 @@
                 </dns_linode_v4_key>
                 <dns_loopia_api type="TextField">
                     <Required>N</Required>
-                    <default>https://api.loopia.se/RPCSERV</default>
+                    <Default>https://api.loopia.se/RPCSERV</Default>
                 </dns_loopia_api>
                 <dns_loopia_user type="TextField">
                     <Required>N</Required>
@@ -994,11 +994,11 @@
                 </dns_online_key>
                 <dns_opnsense_host type="TextField">
                     <Required>N</Required>
-                    <default>localhost</default>
+                    <Default>localhost</Default>
                 </dns_opnsense_host>
                 <dns_opnsense_port type="TextField">
                     <Required>N</Required>
-                    <default>443</default>
+                    <Default>443</Default>
                 </dns_opnsense_port>
                 <dns_opnsense_key type="TextField">
                     <Required>N</Required>
@@ -1008,7 +1008,7 @@
                 </dns_opnsense_token>
                 <dns_opnsense_insecure type="BooleanField">
                     <Required>N</Required>
-                    <default>0</default>
+                    <Default>0</Default>
                 </dns_opnsense_insecure>
                 <dns_ovh_app_key type="TextField">
                     <Required>N</Required>
@@ -1196,7 +1196,7 @@
                 </dns_kas_authdata>
                 <dns_kas_authtype type="OptionField">
                     <Required>N</Required>
-                    <default>plain</default>
+                    <Default>plain</Default>
                     <OptionValues>
                         <plain>plain</plain>
                         <sha1>SHA1 (deprecated in December 2022)</sha1>
@@ -1270,7 +1270,7 @@
                 </dns_conoha_tenantid>
                 <dns_conoha_idapi type="TextField">
                     <Required>N</Required>
-                    <default>https://identity.xxxx.conoha.io/v2.0</default>
+                    <Default>https://identity.xxxx.conoha.io/v2.0</Default>
                 </dns_conoha_idapi>
                 <dns_constellix_key type="TextField">
                     <Required>N</Required>
@@ -1319,17 +1319,17 @@
                     <Required>N</Required>
                 </id>
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </name>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </description>
                 <type type="OptionField">
@@ -1353,26 +1353,26 @@
                 </type>
                 <sftp_host type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </sftp_host>
                 <sftp_host_key type="TextField">
                     <Required>N</Required>
                     <!-- Key format: (comment)? key-type :SPACE: key-base64 (:SPACE: comment)?
                          Reference: https://stackoverflow.com/a/475217 -->
-                    <mask>/^.+?\s(?:[a-z0-9+\/]{4})*(?:[a-z0-9+\/]{2}==|[a-z0-9+\/]{3}=)?(?:\s.+?)?$/i</mask>
+                    <Mask>/^.+?\s(?:[a-z0-9+\/]{4})*(?:[a-z0-9+\/]{2}==|[a-z0-9+\/]{3}=)?(?:\s.+?)?$/i</Mask>
                     <ValidationMessage>Should be a valid public SSH host key (see "known_hosts").</ValidationMessage>
                 </sftp_host_key>
                 <sftp_port type="IntegerField">
                     <Required>N</Required>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
-                    <default>22</default>
+                    <Default>22</Default>
                     <ValidationMessage>Should be a valid port number between 1 and 65535.</ValidationMessage>
                 </sftp_port>
                 <sftp_user type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,128}$/u</mask>
+                    <Mask>/^.{1,128}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
                 </sftp_user>
                 <sftp_identity_type type="OptionField">
@@ -1385,70 +1385,70 @@
                 </sftp_identity_type>
                 <sftp_remote_path type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,512}$/u</mask>
+                    <Mask>/^.{1,512}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 512 characters.</ValidationMessage>
                 </sftp_remote_path>
                 <sftp_chgrp type="TextField">
                     <Required>N</Required>
-                    <mask>/^[0-9]+$/u</mask>
+                    <Mask>/^[0-9]+$/u</Mask>
                     <ValidationMessage>Should be a numeric value.</ValidationMessage>
                 </sftp_chgrp>
                 <sftp_chmod type="TextField">
                     <Required>N</Required>
-                    <mask>/^0[0-9]{3}$/u</mask>
+                    <Mask>/^0[0-9]{3}$/u</Mask>
                     <ValidationMessage>A unix permission, 4 digits (e.g. 0440).</ValidationMessage>
                 </sftp_chmod>
                 <sftp_chmod_key type="TextField">
                     <Required>N</Required>
-                    <mask>/^0[0-9]{3}$/u</mask>
+                    <Mask>/^0[0-9]{3}$/u</Mask>
                     <ValidationMessage>A unix permission, 4 digits (e.g. 0400).</ValidationMessage>
                 </sftp_chmod_key>
                 <sftp_filename_cert type="TextField">
                     <Required>N</Required>
-                    <mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</mask>
+                    <Mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.
                                        Characters are limited to [a-z], [0-9] and [{}@./-_%] and the string must neither begin nor end with '/'.</ValidationMessage>
                 </sftp_filename_cert>
                 <sftp_filename_key type="TextField">
                     <Required>N</Required>
-                    <mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</mask>
+                    <Mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.
                                        Characters are limited to [a-z], [0-9] and [{}@./-_%] and the string must neither begin nor end with '/'.</ValidationMessage>
                 </sftp_filename_key>
                 <sftp_filename_ca type="TextField">
                     <Required>N</Required>
-                    <mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</mask>
+                    <Mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.
                                        Characters are limited to [a-z], [0-9] and [{}@./-_%] and the string must neither begin nor end with '/'.</ValidationMessage>
                 </sftp_filename_ca>
                 <sftp_filename_fullchain type="TextField">
                     <Required>N</Required>
-                    <mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</mask>
+                    <Mask>/^(?![\/\\])[\w\d_\-@.\/{}%]{1,255}(?&lt;![\/\\])$/ui</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.
                                        Characters are limited to [a-z], [0-9] and [{}@./-_%] and the string must neither begin nor end with '/'.</ValidationMessage>
                 </sftp_filename_fullchain>
                 <remote_ssh_host type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,255}$/u</mask>
+                    <Mask>/^.{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                 </remote_ssh_host>
                 <remote_ssh_host_key type="TextField">
                     <Required>N</Required>
                     <!-- Key format: (comment)? key-type :SPACE: key-base64 (:SPACE: comment)?
                          Reference: https://stackoverflow.com/a/475217 -->
-                    <mask>/^.+?\s(?:[a-z0-9+\/]{4})*(?:[a-z0-9+\/]{2}==|[a-z0-9+\/]{3}=)?(?:\s.+?)?$/i</mask>
+                    <Mask>/^.+?\s(?:[a-z0-9+\/]{4})*(?:[a-z0-9+\/]{2}==|[a-z0-9+\/]{3}=)?(?:\s.+?)?$/i</Mask>
                     <ValidationMessage>Should be a valid public SSH host key (see "known_hosts").</ValidationMessage>
                 </remote_ssh_host_key>
                 <remote_ssh_port type="IntegerField">
                     <Required>N</Required>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
-                    <default>22</default>
+                    <Default>22</Default>
                     <ValidationMessage>Should be a valid port number between 1 and 65535.</ValidationMessage>
                 </remote_ssh_port>
                 <remote_ssh_user type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,128}$/u</mask>
+                    <Mask>/^.{1,128}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
                 </remote_ssh_user>
                 <remote_ssh_identity_type type="OptionField">
@@ -1461,7 +1461,7 @@
                 </remote_ssh_identity_type>
                 <remote_ssh_command type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a shell command between 1 and 1024 characters.</ValidationMessage>
                 </remote_ssh_command>
                 <!-- old value, should be removed in next major release -->
@@ -1480,15 +1480,15 @@
                     <Required>N</Required>
                 </configd_generic_command>
                 <acme_synology_dsm_hostname type="HostnameField">
-                    <default></default>
+                    <Default></Default>
                     <Required>N</Required>
                 </acme_synology_dsm_hostname>
                 <acme_synology_dsm_port type="PortField">
-                    <default>5000</default>
+                    <Default>5000</Default>
                     <Required>N</Required>
                 </acme_synology_dsm_port>
                 <acme_synology_dsm_scheme type="OptionField">
-                    <default>http</default>
+                    <Default>http</Default>
                     <Required>N</Required>
                     <OptionValues>
                         <http>HTTP [default]</http>
@@ -1497,112 +1497,112 @@
                 </acme_synology_dsm_scheme>
                 <acme_synology_dsm_username type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_synology_dsm_username>
                 <acme_synology_dsm_password type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_synology_dsm_password>
                 <acme_synology_dsm_create type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                 </acme_synology_dsm_create>
                 <acme_synology_dsm_deviceid type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_synology_dsm_deviceid>
                 <acme_synology_dsm_devicename type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_synology_dsm_devicename>
                 <acme_synology_dsm_otpcode type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_synology_dsm_otpcode>
                 <acme_fritzbox_url type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_fritzbox_url>
                 <acme_fritzbox_username type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_fritzbox_username>
                 <acme_fritzbox_password type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_fritzbox_password>
                 <acme_panos_username type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_panos_username>
                 <acme_panos_password type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_panos_password>
                 <acme_panos_host type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_panos_host>
                 <acme_proxmoxve_user type="TextField">
-                    <default>root</default>
+                    <Default>root</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_user>
                 <acme_proxmoxve_server type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_server>
                 <acme_proxmoxve_port type="PortField">
-                    <default>8006</default>
+                    <Default>8006</Default>
                     <Required>N</Required>
                 </acme_proxmoxve_port>
                 <acme_proxmoxve_nodename type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_nodename>
                 <acme_proxmoxve_realm type="TextField">
-                    <default>pam</default>
+                    <Default>pam</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_realm>
                 <acme_proxmoxve_tokenid type="TextField">
-                    <default>acme</default>
+                    <Default>acme</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_tokenid>
                 <acme_proxmoxve_tokenkey type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_tokenkey>
                 <acme_truenas_apikey type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_truenas_apikey>
                 <acme_truenas_hostname type="HostnameField">
-                    <default>localhost</default>
+                    <Default>localhost</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_truenas_hostname>
                 <acme_truenas_scheme type="OptionField">
-                    <default>http</default>
+                    <Default>http</Default>
                     <Required>N</Required>
                     <OptionValues>
                         <http>HTTP [default]</http>
@@ -1610,27 +1610,27 @@
                     </OptionValues>
                 </acme_truenas_scheme>
                 <acme_unifi_keystore type="TextField">
-                    <default>/usr/local/share/java/unifi/data/keystore</default>
+                    <Default>/usr/local/share/java/unifi/data/keystore</Default>
                     <Required>N</Required>
                 </acme_unifi_keystore>
                 <acme_vault_url type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_vault_url>
                 <acme_vault_prefix type="TextField">
-                    <default>acme</default>
+                    <Default>acme</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_vault_prefix>
                 <acme_vault_token type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_vault_token>
                 <acme_vault_kvv2 type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                 </acme_vault_kvv2>
             </action>
         </actions>
diff --git a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
index 4765e7b793..138ab9e833 100644
--- a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
+++ b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
@@ -4,143 +4,143 @@
     <version>1.0.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <fc_enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </fc_enabled>
         <enabletcp type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </enabletcp>
         <maxthreads type="IntegerField">
-            <default>10</default>
+            <Default>10</Default>
             <Required>N</Required>
         </maxthreads>
         <maxqueue type="IntegerField">
-            <default>100</default>
+            <Default>100</Default>
             <Required>N</Required>
         </maxqueue>
         <idletimeout type="IntegerField">
-            <default>30</default>
+            <Default>30</Default>
             <Required>N</Required>
         </idletimeout>
         <maxdirrecursion type="IntegerField">
-            <default>20</default>
+            <Default>20</Default>
             <Required>N</Required>
         </maxdirrecursion>
         <followdirsym type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </followdirsym>
         <followfilesym type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
 	    <Required>N</Required>
 	</followfilesym>
         <disablecache type="TextField">
-            <default>0</default>
+            <Default>0</Default>
 	    <Required>N</Required>
 	</disablecache>
         <scanpe type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
 	    <Required>N</Required>
 	</scanpe>
         <scanelf type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanelf>
         <detectbroken type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </detectbroken>
         <scanole2 type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanole2>
         <ole2blockmarcros type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </ole2blockmarcros>
         <scanpdf type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanpdf>
         <scanswf type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanswf>
         <scanxmldocs type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanxmldocs>
         <scanhwp3 type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanhwp3>
         <scanmailfiles type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanmailfiles>
         <scanhtml type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanhtml>
         <scanarchive type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>N</Required>
         </scanarchive>
         <arcblockenc type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </arcblockenc>
         <maxscansize type="TextField">
-            <default>100M</default>
+            <Default>100M</Default>
             <Required>N</Required>
         </maxscansize>
 	<maxfilesize type="TextField">
-            <default>25M</default>
+            <Default>25M</Default>
             <Required>N</Required>
         </maxfilesize>
 	<maxrecursion type="IntegerField">
-            <default>16</default>
+            <Default>16</Default>
             <Required>N</Required>
         </maxrecursion>
 	<maxfiles type="IntegerField">
-            <default>10000</default>
+            <Default>10000</Default>
             <Required>N</Required>
 	</maxfiles>
         <logverbose type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </logverbose>
         <fc_logverbose type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </fc_logverbose>
         <fc_databasemirror type="TextField">
-            <default>database.clamav.net</default>
+            <Default>database.clamav.net</Default>
             <Required>Y</Required>
         </fc_databasemirror>
         <fc_timeout type="TextField">
-            <default>60</default>
+            <Default>60</Default>
             <Required>Y</Required>
         </fc_timeout>
         <fc_malwareexpert type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </fc_malwareexpert>
         <fc_blurl type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </fc_blurl>
         <fc_jurlbla type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </fc_jurlbla>
         <fc_bofhland type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>N</Required>
         </fc_bofhland>
     </items>
diff --git a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Url.xml b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Url.xml
index 84447c3b98..0300219bf0 100644
--- a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Url.xml
+++ b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/Url.xml
@@ -6,7 +6,7 @@
         <lists>
             <list type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
@@ -14,7 +14,7 @@
                 </name>
                 <link type="TextField">
                     <Required>Y</Required>
-                    <mask>/^https?:\/\/.*$/i</mask>
+                    <Mask>/^https?:\/\/.*$/i</Mask>
                     <ValidationMessage>URL has to start with http:// or https://</ValidationMessage>
                 </link>
             </list>
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index da4dbe0f92..829223928e 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -5,45 +5,45 @@
   <items>
 
     <agent_enabled type="BooleanField">
-      <default>1</default>
+      <Default>1</Default>
       <Required>Y</Required>
     </agent_enabled>
 
     <lapi_enabled type="BooleanField">
-      <default>1</default>
+      <Default>1</Default>
       <Required>Y</Required>
     </lapi_enabled>
 
     <firewall_bouncer_enabled type="BooleanField">
-      <default>1</default>
+      <Default>1</Default>
       <Required>Y</Required>
     </firewall_bouncer_enabled>
 
     <lapi_manual_configuration type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </lapi_manual_configuration>
 
     <lapi_listen_address type="TextField">
-      <default>127.0.0.1</default>
+      <Default>127.0.0.1</Default>
       <Required>Y</Required>
       <Mask>((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))</Mask>
     </lapi_listen_address>
 
     <lapi_listen_port type="PortField">
-      <default>8080</default>
+      <Default>8080</Default>
       <Required>Y</Required>
       <EnableWellKnown>N</EnableWellKnown>
       <EnableRanges>N</EnableRanges>
     </lapi_listen_port>
 
     <rules_enabled type="BooleanField">
-      <default>1</default>
+      <Default>1</Default>
       <Required>Y</Required>
     </rules_enabled>
 
     <rules_log type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </rules_log>
 
@@ -58,7 +58,7 @@
     </enroll_key>
 
     <crowdsec_firewall_verbose type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </crowdsec_firewall_verbose>
 
diff --git a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/General.xml b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/General.xml
index 4d21fc9b7e..d789be99b8 100644
--- a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/General.xml
+++ b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/General.xml
@@ -4,23 +4,23 @@
     <version>0.0.2</version>
     <items>
         <heuristics type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </heuristics>
         <checkhostheader type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </checkhostheader>
         <updateperiod type="IntegerField">
-            <default>86400</default>
+            <Default>86400</Default>
             <Required>Y</Required>
         </updateperiod>
         <adminpassword type="TextField">
-            <default>9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc</default>
+            <Default>9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc</Default>
             <Required>Y</Required>
         </adminpassword>
         <monitorinterface type="InterfaceField">
-            <multiple>Y</multiple>
+            <Multiple>Y</Multiple>
             <Required>N</Required>
         </monitorinterface>
         <whitelist type="CSVListField">
diff --git a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
index 4a97c5757d..54512111fa 100644
--- a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
+++ b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Sensor.xml
@@ -4,11 +4,11 @@
     <version>0.0.3</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <captureall type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </captureall>
         <capturebuffer type="IntegerField">
@@ -21,14 +21,14 @@
             <Required>N</Required>
         </remoteserver>
         <remoteport type="PortField">
-            <default>8337</default>
+            <Default>8337</Default>
             <Required>Y</Required>
         </remoteport>
         <syslogserver type="HostnameField">
             <Required>N</Required>
         </syslogserver>
         <syslogport type="PortField">
-            <default>514</default>
+            <Default>514</Default>
             <Required>Y</Required>
         </syslogport>
     </items>
diff --git a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Server.xml b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Server.xml
index 94df269c2c..a9db942855 100644
--- a/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Server.xml
+++ b/security/maltrail/src/opnsense/mvc/app/models/OPNsense/Maltrail/Server.xml
@@ -4,20 +4,20 @@
     <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <addblocklistalias type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </addblocklistalias>
         <listenaddress type="HostnameField">
-            <default>0.0.0.0</default>
+            <Default>0.0.0.0</Default>
             <Required>Y</Required>
             <ValidationMessage>Please provide a valid hostname or IP address.</ValidationMessage>
         </listenaddress>
         <listenport type="PortField">
-            <default>8338</default>
+            <Default>8338</Default>
             <Required>Y</Required>
         </listenport>
         <loglistenaddress type="HostnameField">
diff --git a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml b/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
index 05968a34c2..57d0c91828 100644
--- a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
+++ b/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
@@ -4,17 +4,17 @@
     <version>0.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <enablecarp type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enablecarp>
         <carpinterfaces type="InterfaceField">
                 <Required>N</Required>
-                <multiple>Y</multiple>
-                <default></default>
+                <Multiple>Y</Multiple>
+                <Default></Default>
                 <AllowDynamic>Y</AllowDynamic>
                 <filters>
                     <enable>/^(?!0).*$/</enable>
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index 47970192db..dabfeef9f1 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -83,7 +83,7 @@
                 </servercert>
                 <description type="TextField">
                     <Required>N</Required>
-                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</mask>
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){0,255}$/u</Mask>
                     <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
                 </description>
             </service>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
index 358995b1aa..b1b404f48d 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
@@ -3,7 +3,7 @@
     <description>Tailscale authentication settings</description>
     <items>
         <loginServer type="UrlField">
-            <default>https://controlplane.tailscale.com</default>
+            <Default>https://controlplane.tailscale.com</Default>
             <Required>Y</Required>
             <ValidationMessage>Please enter a valid URL</ValidationMessage>
         </loginServer>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index 39975013b2..e801d813e6 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -4,36 +4,36 @@
     <version>1.0.0</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <loginTimeout type="IntegerField">
-            <default>10</default>
+            <Default>10</Default>
             <Required>Y</Required>
         </loginTimeout>
         <listenPort type="PortField">
-            <default>41641</default>
+            <Default>41641</Default>
             <Required>Y</Required>
         </listenPort>
         <acceptDNS type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </acceptDNS>
         <advertiseExitNode type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </advertiseExitNode>
         <useExitNode type=".\ExitNodeField"/>
         <acceptSubnetRoutes type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </acceptSubnetRoutes>
         <enableSSH type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enableSSH>
         <disableSNAT type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </disableSNAT>
         <subnets>
diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index 0d33dc7259..dc323b465e 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -13,12 +13,12 @@
                 </id>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z]){1,50}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z]){1,50}$/u</Mask>
                     <ValidationMessage>The name should contain only alphanumeric characters.</ValidationMessage>
                 </name>
                 <hostname type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z\_]){1,1024}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z\_]){1,1024}$/u</Mask>
                     <ValidationMessage>Please specify a valid hostname.</ValidationMessage>
                 </hostname>
                 <extaddress type="HostnameField">
@@ -127,7 +127,7 @@
                 </network>
                 <hostname type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([0-9a-zA-Z\_]){1,1024}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z\_]){1,1024}$/u</Mask>
                     <ValidationMessage>Please specify a valid hostname.</ValidationMessage>
                 </hostname>
                 <extport type="IntegerField">
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLExitPolicy.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLExitPolicy.xml
index 571c1d567b..644e47f344 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLExitPolicy.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLExitPolicy.xml
@@ -4,11 +4,11 @@
   <items>
     <policy type="ArrayField">
       <enabled type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </enabled>
       <type type="OptionField">
-        <default>both</default>
+        <Default>both</Default>
         <Required>Y</Required>
         <OptionValues>
           <both>both</both>
@@ -32,7 +32,7 @@
         <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
       </endport>
       <action type="OptionField">
-          <default>accept</default>
+          <Default>accept</Default>
           <Required>Y</Required>
           <OptionValues>
             <accept>Accept</accept>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLSocksPolicy.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLSocksPolicy.xml
index d0b1a98843..8d5e90a5e6 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLSocksPolicy.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLSocksPolicy.xml
@@ -4,11 +4,11 @@
   <items>
     <policy type="ArrayField">
       <enabled type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </enabled>
       <type type="OptionField">
-        <default>v6</default>
+        <Default>v6</Default>
         <Required>Y</Required>
         <OptionValues>
           <v4>IPv4</v4>
@@ -19,7 +19,7 @@
         <Required>Y</Required>
       </network>
       <action type="OptionField">
-          <default>accept</default>
+          <Default>accept</Default>
           <Required>Y</Required>
           <OptionValues>
             <accept>Accept</accept>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml
index 36d0f91bce..c5f9c22253 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml
@@ -4,22 +4,22 @@
   <version>1.0.0</version>
   <items>
     <enabled type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </enabled>
     <socks_listen_ip type="InterfaceField">
       <Required>N</Required>
-      <multiple>Y</multiple>
+      <Multiple>Y</Multiple>
     </socks_listen_ip>
     <socks_listen_port type="IntegerField">
-      <default>9050</default>
+      <Default>9050</Default>
       <MinimumValue>0</MinimumValue>
       <Required>Y</Required>
       <MaximumValue>65535</MaximumValue>
       <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
     </socks_listen_port>
     <control_port type="IntegerField">
-      <default>9051</default>
+      <Default>9051</Default>
       <MinimumValue>1</MinimumValue>
       <Required>N</Required>
       <MaximumValue>65535</MaximumValue>
@@ -27,24 +27,24 @@
     </control_port>
     <control_port_password type="TextField">
       <Required>N</Required>
-      <mask>/^.+$/</mask>
+      <Mask>/^.+$/</Mask>
     </control_port_password>
     <control_port_password_hashed type="TextField">
       <Required>N</Required>
-      <mask>/^.+$/</mask>
+      <Mask>/^.+$/</Mask>
     </control_port_password_hashed>
     <enablelogfile type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </enablelogfile>
     <dormant_canceled_by_startup type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </dormant_canceled_by_startup>
     <logfilelevel type="OptionField">
       <Required>Y</Required>
-      <multiple>N</multiple>
-      <default>notifications</default>
+      <Multiple>N</Multiple>
+      <Default>notifications</Default>
       <OptionValues>
         <err>Errors</err>
         <warn>Warnings</warn>
@@ -54,13 +54,13 @@
       </OptionValues>
     </logfilelevel>
     <enablesyslog type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
     </enablesyslog>
     <sysloglevel type="OptionField">
       <Required>Y</Required>
-      <multiple>N</multiple>
-      <default>notifications</default>
+      <Multiple>N</Multiple>
+      <Default>notifications</Default>
       <OptionValues>
         <err>Errors</err>
         <warn>Warnings</warn>
@@ -71,8 +71,8 @@
     </sysloglevel>
     <scheduler type="OptionField">
       <Required>Y</Required>
-      <multiple>N</multiple>
-      <default>KISTLiteVanilla</default>
+      <Multiple>N</Multiple>
+      <Default>KISTLiteVanilla</Default>
       <OptionValues>
         <KISTLiteVanilla>KISTLite,Vanilla</KISTLiteVanilla>
         <VanillaKISTLite>Vanilla,KISTLite</VanillaKISTLite>
@@ -81,55 +81,55 @@
       </OptionValues>
     </scheduler>
     <fascist_firewall type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </fascist_firewall>
     <fascist_firewall_ports type="CSVListField">
-      <default>80,443</default>
+      <Default>80,443</Default>
       <Required>Y</Required>
-      <mask>/^(\d+,)*\d+$/</mask>
+      <Mask>/^(\d+,)*\d+$/</Mask>
     </fascist_firewall_ports>
     <enable_transparent type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </enable_transparent>
     <transparent_port type="IntegerField">
-      <default>9040</default>
+      <Default>9040</Default>
       <MinimumValue>0</MinimumValue>
       <Required>Y</Required>
       <MaximumValue>65535</MaximumValue>
       <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
     </transparent_port>
     <transparent_dns type="IntegerField">
-      <default>9053</default>
+      <Default>9053</Default>
       <MinimumValue>0</MinimumValue>
       <Required>Y</Required>
       <MaximumValue>65535</MaximumValue>
       <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
     </transparent_dns>
     <transparent_ip_pool type="NetworkField">
-      <default>172.29.0.0/16</default>
+      <Default>172.29.0.0/16</Default>
       <Required>Y</Required>
     </transparent_ip_pool>
     <dns_map_hosts type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </dns_map_hosts>
     <client_authentications>
       <client_auth type="ArrayField">
         <enabled type="BooleanField">
-          <default>1</default>
+          <Default>1</Default>
           <Required>Y</Required>
         </enabled>
         <onion_service type="TextField">
           <Required>Y</Required>
-          <default>exampleexample23.onion</default>
-          <mask>/^[a-z2-7]{16}\.onion$/i</mask>
+          <Default>exampleexample23.onion</Default>
+          <Mask>/^[a-z2-7]{16}\.onion$/i</Mask>
         </onion_service>
         <auth_cookie type="TextField">
           <Required>Y</Required>
-          <default>0000000000000000000000</default>
-          <mask>/^[a-z0-9\+\/]{22}$/i</mask>
+          <Default>0000000000000000000000</Default>
+          <Mask>/^[a-z0-9\+\/]{22}$/i</Mask>
         </auth_cookie>
       </client_auth>
     </client_authentications>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenService.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenService.xml
index 19ece3abc1..e9af42514a 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenService.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenService.xml
@@ -5,16 +5,16 @@
   <items>
     <service type="ArrayField">
       <enabled type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </enabled>
       <name type="TextField">
         <Required>Y</Required>
-        <mask>/^[a-z0-9_-]+$/i</mask>
+        <Mask>/^[a-z0-9_-]+$/i</Mask>
         <ValidationMessage>The name should only consist of alphanumeric characters, dashes and underscores.</ValidationMessage>
       </name>
       <type type="OptionField">
-        <default>basic</default>
+        <Default>basic</Default>
         <Required>Y</Required>
         <OptionValues>
             <basic>Basic</basic>
@@ -22,9 +22,9 @@
         </OptionValues>
       </type>
       <clients type="CSVListField">
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
         <Required>N</Required>
-        <mask>/^([a-z0-9_+-]+,)*([a-z0-9_+-]*)$/i</mask>
+        <Mask>/^([a-z0-9_+-]+,)*([a-z0-9_+-]*)$/i</Mask>
         <ValidationMessage>The authorized clients should only consist of alphanumeric characters, dashes, underscores and plus sign.</ValidationMessage>
       </clients>
     </service>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenServiceACL.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenServiceACL.xml
index 54dfb89c87..4cda6c1d2b 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenServiceACL.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenServiceACL.xml
@@ -4,7 +4,7 @@
   <items>
     <hiddenserviceacl type="ArrayField">
       <enabled type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </enabled>
       <hiddenservice type="ModelRelationField">
@@ -20,7 +20,7 @@
         <Required>Y</Required>
       </hiddenservice>
       <port type="IntegerField">
-        <default>80</default>
+        <Default>80</Default>
         <MinimumValue>1</MinimumValue>
         <Required>Y</Required>
         <MaximumValue>65535</MaximumValue>
@@ -28,10 +28,10 @@
       </port>
       <target_host type="NetworkField">
         <Required>Y</Required>
-        <default>127.0.0.1</default>
+        <Default>127.0.0.1</Default>
       </target_host>
       <target_port type="IntegerField">
-        <default>80</default>
+        <Default>80</Default>
         <MinimumValue>1</MinimumValue>
         <Required>Y</Required>
         <MaximumValue>65535</MaximumValue>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
index 2d4ced170e..09eab593bc 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
@@ -4,31 +4,31 @@
   <description>Tor Relay configuration</description>
   <items>
     <enabled type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </enabled>
     <dir_frontpage type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </dir_frontpage>
     <host type="TextField">
       <Required>N</Required>
-      <mask>/^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/</mask>
+      <Mask>/^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/</Mask>
     </host>
     <hostv6 type="TextField">
       <Required>N</Required>
-      <mask>/^[a-f0-9:]{2,}$/i</mask>
+      <Mask>/^[a-f0-9:]{2,}$/i</Mask>
     </hostv6>
     <outboundbind type="TextField">
       <Required>N</Required>
-      <mask>/^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/</mask>
+      <Mask>/^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/</Mask>
     </outboundbind>
     <outboundbindv6 type="TextField">
       <Required>N</Required>
-      <mask>/^[a-f0-9:]{2,}$/i</mask>
+      <Mask>/^[a-f0-9:]{2,}$/i</Mask>
     </outboundbindv6>
     <port type="IntegerField">
-      <default>9001</default>
+      <Default>9001</Default>
       <MinimumValue>0</MinimumValue>
       <Required>Y</Required>
       <MaximumValue>65535</MaximumValue>
@@ -43,21 +43,21 @@
     <address type="TextField">
       <Required>N</Required>
       <!-- hostname -->
-      <mask>/^[a-z0-9.-]+$/i</mask>
+      <Mask>/^[a-z0-9.-]+$/i</Mask>
     </address>
     <nick type="TextField">
       <Required>N</Required>
       <!-- by docs -->
-      <mask>/^[a-zA-Z0-9]+$/</mask>
+      <Mask>/^[a-zA-Z0-9]+$/</Mask>
     </nick>
     <contact_info type="TextField">
       <Required>N</Required>
-      <mask><![CDATA[/^[a-zA-Z0-9 !§$%\/\(\)\\@,;.:_\-#+~*\?&<>]+$/]]></mask>
+      <Mask><![CDATA[/^[a-zA-Z0-9 !§$%\/\(\)\\@,;.:_\-#+~*\?&<>]+$/]]></Mask>
     </contact_info>
     <family type="TextField">
       <Required>N</Required>
       <!-- series of hex arrays -->
-      <mask>/^[a-fA-F0-9,]+$/</mask>
+      <Mask>/^[a-fA-F0-9,]+$/</Mask>
     </family>
     <bandwithrate type="IntegerField">
       <Required>N</Required>
@@ -66,27 +66,27 @@
       <Required>N</Required>
     </bandwithburst>
     <relay type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
     </relay>
     <exitrejectprivateip type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
     </exitrejectprivateip>
     <publish type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
     </publish>
     <exitenabled type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>Y</Required>
     </exitenabled>
     <exitipv6 type="BooleanField">
-      <default>0</default>
+      <Default>0</Default>
       <Required>N</Required>
     </exitipv6>
     <exitrejectlocalif type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
     </exitrejectlocalif>
   </items>
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
index 678fed08c5..62941e94a7 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -5,7 +5,7 @@
     <items>
         <general>
             <enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </enabled>
             <server_address type="HostnameField">
@@ -17,7 +17,7 @@
                 <IpAllowed>N</IpAllowed>
             </agent_name>
             <protocol type="OptionField">
-                <default>tcp</default>
+                <Default>tcp</Default>
                 <Required>Y</Required>
                 <OptionValues>
                     <tcp>TCP</tcp>
@@ -25,14 +25,14 @@
                 </OptionValues>
             </protocol>
             <port type="IntegerField">
-                <default>1514</default>
+                <Default>1514</Default>
                 <Required>Y</Required>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>65536</MaximumValue>
                 <ValidationMessage>This must be a valid port number.</ValidationMessage>
             </port>
             <debug_level type="OptionField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
                 <OptionValues>
                     <val0 value="0">no debug</val0>
@@ -45,7 +45,7 @@
             <password type="TextField">
             </password>
             <port type="IntegerField">
-                <default>1515</default>
+                <Default>1515</Default>
                 <Required>Y</Required>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>65536</MaximumValue>
@@ -54,13 +54,13 @@
         </auth>
         <logcollector>
             <remote_commands type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </remote_commands>
             <syslog_programs type="JsonKeyValueStoreField">
                 <Required>N</Required>
                 <Multiple>Y</Multiple>
-                <default>filterlog,openvpn,unbound,audit,sshd</default>
+                <Default>filterlog,openvpn,unbound,audit,sshd</Default>
                 <ConfigdPopulateAct>syslog list applications</ConfigdPopulateAct>
                 <SourceFile>/tmp/syslog_applications.json</SourceFile>
                 <ConfigdPopulateTTL>20</ConfigdPopulateTTL>
@@ -68,35 +68,35 @@
                 <ValidationMessage>Specify valid source applications.</ValidationMessage>
             </syslog_programs>
             <suricata_eve_log type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </suricata_eve_log>
         </logcollector>
         <rootcheck>
             <enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </enabled>
         </rootcheck>
         <syscollector>
             <enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </enabled>
         </syscollector>
         <syscheck>
             <enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </enabled>
         </syscheck>
         <active_response>
             <enabled type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </enabled>
             <remote_commands type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </remote_commands>
             <fw_alias_ignore type="ModelRelationField">
diff --git a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
index 4d1ad8f541..a5576be8f6 100644
--- a/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
+++ b/sysutils/apcupsd/src/opnsense/mvc/app/models/OPNsense/Apcupsd/Apcupsd.xml
@@ -5,19 +5,19 @@
     <items>
         <general>
             <Enabled type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </Enabled>
             <UPSName type="TextField">
                 <Required>N</Required>
-                <mask>/^([0-9a-zA-Z._\- ]){1,99}$/</mask>
+                <Mask>/^([0-9a-zA-Z._\- ]){1,99}$/</Mask>
                 <ValidationMessage>
                     The name should be 1 to 99 characters and contain only alphanumeric characters,
                     dashes, underscores, dot or space.
                 </ValidationMessage>
             </UPSName>
             <UPSCable type="OptionField">
-                <default>smart</default>
+                <Default>smart</Default>
                 <Required>Y</Required>
                 <OptionValues>
                     <option value="simple">Simple</option>
@@ -42,7 +42,7 @@
                 </OptionValues>
             </UPSCable>
             <UPSType type="OptionField">
-                <default>apcsmart</default>
+                <Default>apcsmart</Default>
                 <Required>Y</Required>
                 <OptionValues>
                     <apcsmart>apcsmart</apcsmart>
@@ -60,74 +60,74 @@
             </Device>
             <Polltime type="IntegerField">
                 <Required>Y</Required>
-                <default>60</default>
+                <Default>60</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>86400</MaximumValue>
                 <ValidationMessage>Polltime must be between 1 and 86400.</ValidationMessage>
             </Polltime>
             <Netserver type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </Netserver>
             <NetserverAddress type="NetworkField">
-                <default>127.0.0.1</default>
+                <Default>127.0.0.1</Default>
                 <Required>Y</Required>
             </NetserverAddress>
             <NetserverPort type="PortField">
-                <default>3551</default>
+                <Default>3551</Default>
                 <Required>Y</Required>
             </NetserverPort>
             <OnBatteryDelay type="IntegerField">
-                <default>6</default>
+                <Default>6</Default>
                 <Required>Y</Required>
                 <MinimumValue>0</MinimumValue>
                 <MaximumValue>60</MaximumValue>
                 <ValidationMessage>On battery delay must be between 1 and 60.</ValidationMessage>
             </OnBatteryDelay>
             <BatteryLevel type="IntegerField">
-                <default>5</default>
+                <Default>5</Default>
                 <Required>Y</Required>
                 <MinimumValue>-1</MinimumValue>
                 <MaximumValue>99</MaximumValue>
                 <ValidationMessage>Battery level must be between -1 and 99 percent.</ValidationMessage>
             </BatteryLevel>
             <Minutes type="IntegerField">
-                <default>3</default>
+                <Default>3</Default>
                 <Required>Y</Required>
                 <MinimumValue>-1</MinimumValue>
                 <MaximumValue>60</MaximumValue>
                 <ValidationMessage>Remaining battery minutes must be between -1 and 60 minutes.</ValidationMessage>
             </Minutes>
             <Timeout type="IntegerField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
                 <MinimumValue>0</MinimumValue>
                 <MaximumValue>360</MaximumValue>
                 <ValidationMessage>Timeout must be between 0 and 360 seconds.</ValidationMessage>
             </Timeout>
             <Annoy type="IntegerField">
-                <default>300</default>
+                <Default>300</Default>
                 <Required>Y</Required>
                 <MinimumValue>10</MinimumValue>
                 <MaximumValue>360</MaximumValue>
                 <ValidationMessage>Annoy time must be between 10 and 360 seconds.</ValidationMessage>
             </Annoy>
             <AnnoyDelay type="IntegerField">
-                <default>60</default>
+                <Default>60</Default>
                 <Required>Y</Required>
                 <MinimumValue>10</MinimumValue>
                 <MaximumValue>360</MaximumValue>
                 <ValidationMessage>Annoy delay time must be between 10 and 360 seconds.</ValidationMessage>
             </AnnoyDelay>
             <KillDelay type="IntegerField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
                 <MinimumValue>0</MinimumValue>
                 <MaximumValue>360</MaximumValue>
                 <ValidationMessage>Kill delay time must be between 0 and 360 seconds.</ValidationMessage>
             </KillDelay>
             <UPSClass type="OptionField">
-                <default>standalone</default>
+                <Default>standalone</Default>
                 <Required>Y</Required>
                 <OptionValues>
                     <standalone>standalone</standalone>
@@ -136,7 +136,7 @@
                 </OptionValues>
             </UPSClass>
             <UPSMode type="OptionField">
-                <default>disable</default>
+                <Default>disable</Default>
                 <Required>Y</Required>
                 <OptionValues>
                     <disable>disable</disable>
@@ -144,7 +144,7 @@
                 </OptionValues>
             </UPSMode>
             <NoLogon type="OptionField">
-                <default>disable</default>
+                <Default>disable</Default>
                 <Required>Y</Required>
                 <OptionValues>
                     <disable>disable</disable>
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
index 7c18337709..08fafa1610 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
+++ b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
@@ -17,7 +17,7 @@
         </enabled>
         <url type="TextField">
             <Required>N</Required>
-            <mask>/^((https)|(ssh))?:\/\/.*[^\/]$/</mask>
+            <Mask>/^((https)|(ssh))?:\/\/.*[^\/]$/</Mask>
             <ValidationMessage>A valid git location must be provided. e.g. ssh://server/project.git, https://server/project.git</ValidationMessage>
             <Constraints>
                 <check001>
diff --git a/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.xml b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.xml
index 96efb0749d..b2ec998fb7 100644
--- a/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.xml
+++ b/sysutils/hw-probe/src/opnsense/mvc/app/models/OPNsense/Hwprobe/General.xml
@@ -4,7 +4,7 @@
     <version>0.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
     </items>
diff --git a/sysutils/mail-backup/src/opnsense/mvc/app/models/OPNsense/Backup/MailerSettings.xml b/sysutils/mail-backup/src/opnsense/mvc/app/models/OPNsense/Backup/MailerSettings.xml
index 0a74af8008..301849c9e3 100644
--- a/sysutils/mail-backup/src/opnsense/mvc/app/models/OPNsense/Backup/MailerSettings.xml
+++ b/sysutils/mail-backup/src/opnsense/mvc/app/models/OPNsense/Backup/MailerSettings.xml
@@ -4,7 +4,7 @@
     <description>OPNsense Mailer Backup Settings</description>
     <items>
         <Enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </Enabled>
         <Receiver type="EmailField">
@@ -30,11 +30,11 @@
             </Constraints>
         </SmtpHost>
         <SmtpPort type="PortField">
-            <default>25</default>
+            <Default>25</Default>
             <Required>Y</Required>
         </SmtpPort>
         <SmtpTLS type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </SmtpTLS>
         <SelfSigned type="BooleanField"/>
diff --git a/sysutils/munin-node/src/opnsense/mvc/app/models/OPNsense/Muninnode/General.xml b/sysutils/munin-node/src/opnsense/mvc/app/models/OPNsense/Muninnode/General.xml
index 64d22bdd62..85543a3e87 100644
--- a/sysutils/munin-node/src/opnsense/mvc/app/models/OPNsense/Muninnode/General.xml
+++ b/sysutils/munin-node/src/opnsense/mvc/app/models/OPNsense/Muninnode/General.xml
@@ -4,19 +4,19 @@
     <version>0.0.2</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <hostname type="TextField">
-            <default>OPNsense</default>
+            <Default>OPNsense</Default>
             <Required>Y</Required>
         </hostname>
         <port type="PortField">
-            <default>4949</default>
+            <Default>4949</Default>
             <Required>Y</Required>
         </port>
         <allowednetworks type="CSVListField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </allowednetworks>
     </items>
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
index b8c63ab7fe..026ec4ce59 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
@@ -4,12 +4,12 @@
     <description>OPNsense Nextcloud Backup Settings</description>
     <items>
         <enabled type="BooleanField">
-          <default>0</default>
+          <Default>0</Default>
           <Required>Y</Required>
         </enabled>
         <url type="TextField">
             <Required>N</Required>
-            <mask>/^https?:\/\/.*[^\/]$/</mask>
+            <Mask>/^https?:\/\/.*[^\/]$/</Mask>
             <ValidationMessage>The url must be valid without a trailing slash. For example: https://nextcloud.example.com or https://example.com/nextcloud</ValidationMessage>
             <Constraints>
                 <check001>
@@ -48,8 +48,8 @@
         </password_encryption>
         <backupdir type="TextField">
             <Required>Y</Required>
-            <mask>/^([\w%+\-]+\/)*[\w+%\-]+$/</mask>
-            <default>OPNsense-Backup</default>
+            <Mask>/^([\w%+\-]+\/)*[\w+%\-]+$/</Mask>
+            <Default>OPNsense-Backup</Default>
             <ValidationMessage>The Backup Directory can only consist of alphanumeric characters, dash, underscores and slash. No leading or trailing slash.</ValidationMessage>
         </backupdir>
     </items>
diff --git a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
index 4f1d24539d..a3af1f8e68 100644
--- a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
+++ b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
@@ -6,62 +6,62 @@
     <version>0.2.0</version>
     <items>
         <enabled type="BooleanField">
-          <default>0</default>
+          <Default>0</Default>
           <Required>Y</Required>
         </enabled>
         <listenaddress type="NetworkField">
-          <default>0.0.0.0</default>
+          <Default>0.0.0.0</Default>
           <Required>Y</Required>
           <NetMaskAllowed>N</NetMaskAllowed>
           <ValidationMessage>Please provide a valid IP address.</ValidationMessage>
         </listenaddress>
         <listenport type="PortField">
-          <default>9100</default>
+          <Default>9100</Default>
           <Required>Y</Required>
           <ValidationMessage>Please provide a valid port number between 1 and 65535. Port 9100 is the default.</ValidationMessage>
         </listenport>
         <cpu type="BooleanField">
-          <default>1</default>
+          <Default>1</Default>
           <Required>N</Required>
         </cpu>
         <exec type="BooleanField">
-          <default>1</default>
+          <Default>1</Default>
           <Required>N</Required>
         </exec>
         <filesystem type="BooleanField">
-          <default>1</default>
+          <Default>1</Default>
           <Required>N</Required>
         </filesystem>
         <loadavg type="BooleanField">
-          <default>1</default>
+          <Default>1</Default>
           <Required>N</Required>
         </loadavg>
         <meminfo type="BooleanField">
-          <default>1</default>
+          <Default>1</Default>
           <Required>N</Required>
         </meminfo>
         <netdev type="BooleanField">
-          <default>1</default>
+          <Default>1</Default>
           <Required>N</Required>
         </netdev>
         <time type="BooleanField">
-          <default>1</default>
+          <Default>1</Default>
           <Required>N</Required>
         </time>
         <devstat type="BooleanField">
-          <default>0</default>
+          <Default>0</Default>
           <Required>N</Required>
         </devstat>
         <interrupts type="BooleanField">
-          <default>0</default>
+          <Default>0</Default>
           <Required>N</Required>
         </interrupts>
         <ntp type="BooleanField">
-          <default>0</default>
+          <Default>0</Default>
           <Required>N</Required>
         </ntp>
         <zfs type="BooleanField">
-          <default>0</default>
+          <Default>0</Default>
           <Required>N</Required>
         </zfs>
     </items>
diff --git a/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml b/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
index 3ee149b386..9de3788b5e 100644
--- a/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
+++ b/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
@@ -5,11 +5,11 @@
   <items>
     <general>
       <enable type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enable>
       <mode type="OptionField">
-        <default>standalone</default>
+        <Default>standalone</Default>
         <Required>Y</Required>
         <OptionValues>
           <standalone>standalone</standalone>
@@ -17,13 +17,13 @@
         </OptionValues>
       </mode>
       <name type="TextField">
-        <default>UPSName</default>
+        <Default>UPSName</Default>
         <Required>Y</Required>
-        <mask>/^([0-9a-zA-Z._\-]){1,128}$/u</mask>
+        <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
         <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
       </name>
       <listen type="CSVListField">
-        <default>127.0.0.1,::1</default>
+        <Default>127.0.0.1,::1</Default>
         <Required>Y</Required>
       </listen>
     </general>
@@ -31,42 +31,42 @@
     <account>
       <admin_password type="TextField">
         <Required>Y</Required>
-        <default>Password</default>
+        <Default>Password</Default>
       </admin_password>
       <mon_password type="TextField">
         <Required>Y</Required>
-        <default>Password</default>
+        <Default>Password</Default>
       </mon_password>
     </account>
 
     <usbhid>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <args type="CSVListField">
-        <default>port=auto</default>
+        <Default>port=auto</Default>
         <Required>N</Required>
       </args>
     </usbhid>
     <apcsmart>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <args type="CSVListField">
-        <default>port=auto</default>
+        <Default>port=auto</Default>
         <Required>N</Required>
       </args>
     </apcsmart>
     <apcupsd>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <hostname type="HostnameField">
         <Required>Y</Required>
-        <default>localhost</default>
+        <Default>localhost</Default>
       </hostname>
       <port type="PortField">
         <Required>N</Required>
@@ -75,44 +75,44 @@
     <bcmxcpusb>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <args type="CSVListField">
-        <default>port=auto</default>
+        <Default>port=auto</Default>
         <Required>N</Required>
       </args>
     </bcmxcpusb>
     <blazerusb>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <args type="CSVListField">
-        <default>port=auto</default>
+        <Default>port=auto</Default>
         <Required>N</Required>
       </args>
     </blazerusb>
     <blazerser>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <args type="CSVListField">
-        <default>port=auto</default>
+        <Default>port=auto</Default>
         <Required>N</Required>
       </args>
     </blazerser>
     <netclient>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <address type="HostnameField">
-        <default></default>
+        <Default></Default>
         <Required>N</Required>
       </address>
       <port type="PortField">
-        <default>3493</default>
+        <Default>3493</Default>
         <Required>N</Required>
       </port>
       <user type="TextField">
@@ -125,30 +125,30 @@
     <qx>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <args type="CSVListField">
-        <default>port=auto</default>
+        <Default>port=auto</Default>
         <Required>N</Required>
       </args>
     </qx>
     <riello>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <args type="CSVListField">
-        <default>port=auto</default>
+        <Default>port=auto</Default>
         <Required>N</Required>
       </args>
     </riello>
     <snmp>
       <enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </enable>
       <args type="CSVListField">
-        <default>community=public</default>
+        <Default>community=public</Default>
         <Required>N</Required>
       </args>
     </snmp>
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
index ffba1a25d5..2e344467de 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/models/OPNsense/PuppetAgent/PuppetAgent.xml
@@ -5,33 +5,33 @@
     <items>
         <general>
             <Enabled type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </Enabled>
             <FQDN type="HostnameField">
-                <default>puppet</default>
+                <Default>puppet</Default>
                 <Required>Y</Required>
             </FQDN>
             <Environment type="TextField">
-                <default>production</default>
+                <Default>production</Default>
                 <Required>Y</Required>
-                <mask>/^.{1,100}$/u</mask>
+                <Mask>/^.{1,100}$/u</Mask>
                 <ValidationMessage>Should be a string between 1 and 100 characters.</ValidationMessage>
             </Environment>
             <RunInterval type="TextField">
-                <default>30m</default>
-                <mask>/^([0-9]{1,8}(?:s|m|h|d|y)?)/u</mask>
+                <Default>30m</Default>
+                <Mask>/^([0-9]{1,8}(?:s|m|h|d|y)?)/u</Mask>
                 <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "y", "d", "h", "m" or "s".</ValidationMessage>
                 <Required>Y</Required>
             </RunInterval>
             <RunTimeout type="TextField">
-                <default>1h</default>
-                <mask>/^([0-9]{1,8}(?:s|m|h|d|y)?)/u</mask>
+                <Default>1h</Default>
+                <Mask>/^([0-9]{1,8}(?:s|m|h|d|y)?)/u</Mask>
                 <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "y", "d", "h", "m" or "s".</ValidationMessage>
                 <Required>Y</Required>
             </RunTimeout>
             <UseCacheOnFailure type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </UseCacheOnFailure>
         </general>
diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
index 3756f971d0..187a9b04c5 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
@@ -17,7 +17,7 @@
         </enabled>
         <url type="TextField">
             <Required>N</Required>
-            <mask>/^((sftp))?:\/\/.*[^\/]$/</mask>
+            <Mask>/^((sftp))?:\/\/.*[^\/]$/</Mask>
             <ValidationMessage>A valid location must be provided.</ValidationMessage>
             <Constraints>
                 <check001>
diff --git a/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.xml b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.xml
index 345959ae33..4347f95f33 100644
--- a/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.xml
+++ b/www/OPNProxy/src/opnsense/mvc/app/models/Deciso/Proxy/ACL.xml
@@ -84,11 +84,11 @@
                     <Required>N</Required>
                     <WildcardEnabled>N</WildcardEnabled>
                     <FieldSeparator>,</FieldSeparator>
-                    <asList>Y</asList>
+                    <AsList>Y</AsList>
                 </source_net>
                 <description type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
                     <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
                 </description>
             </policy>
@@ -119,11 +119,11 @@
                     <Required>N</Required>
                     <WildcardEnabled>N</WildcardEnabled>
                     <FieldSeparator>,</FieldSeparator>
-                    <asList>Y</asList>
+                    <AsList>Y</AsList>
                 </source_net>
                 <description type="TextField">
                     <Required>Y</Required>
-                    <mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.\-,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
                     <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
                 </description>
             </policy>
diff --git a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Antivirus.xml b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Antivirus.xml
index a0310b9df1..d31805eb8d 100644
--- a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Antivirus.xml
+++ b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Antivirus.xml
@@ -4,12 +4,12 @@
     <version>1.0.0</version>
     <items>
         <enable_clamav type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enable_clamav>
         <scanfiletypes type="OptionField">
-            <default>TEXT,DATA,EXECUTABLE,ARCHIVE,GIF,JPEG,MSOFFICE</default>
-            <multiple>Y</multiple>
+            <Default>TEXT,DATA,EXECUTABLE,ARCHIVE,GIF,JPEG,MSOFFICE</Default>
+            <Multiple>Y</Multiple>
             <Required>Y</Required>
                 <OptionValues>
                     <TEXT>Text files</TEXT>
@@ -22,23 +22,23 @@
                 </OptionValues>
         </scanfiletypes>
         <sendpercentdata type="IntegerField">
-            <default>5</default>
+            <Default>5</Default>
             <Required>Y</Required>
         </sendpercentdata>
         <startsendpercentdataafter type="TextField">
-            <default>2M</default>
+            <Default>2M</Default>
             <Required>Y</Required>
         </startsendpercentdataafter>
         <allow204responses type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </allow204responses>
         <passonerror type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </passonerror>
         <maxobjectsize type="TextField">
-            <default>5M</default>
+            <Default>5M</Default>
             <Required>Y</Required>
         </maxobjectsize>
 	</items>
diff --git a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/General.xml b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/General.xml
index 7060936c04..8f1d7232a4 100644
--- a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/General.xml
+++ b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/General.xml
@@ -4,66 +4,66 @@
     <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enabled>
         <timeout type="IntegerField">
-            <default>300</default>
+            <Default>300</Default>
             <Required>Y</Required>
         </timeout>
         <maxkeepaliverequests type="IntegerField">
-            <default>100</default>
+            <Default>100</Default>
             <Required>Y</Required>
         </maxkeepaliverequests>
         <keepalivetimeout type="IntegerField">
-            <default>600</default>
+            <Default>600</Default>
             <Required>Y</Required>
         </keepalivetimeout>
         <startservers type="IntegerField">
-            <default>3</default>
+            <Default>3</Default>
             <Required>Y</Required>
         </startservers>
         <maxservers type="IntegerField">
-            <default>10</default>
+            <Default>10</Default>
             <Required>Y</Required>
         </maxservers>
         <minsparethreads type="IntegerField">
-            <default>10</default>
+            <Default>10</Default>
             <Required>Y</Required>
         </minsparethreads>
         <maxsparethreads type="IntegerField">
-            <default>20</default>
+            <Default>20</Default>
 	    <Required>Y</Required>
 	</maxsparethreads>
         <threadsperchild type="IntegerField">
-            <default>10</default>
+            <Default>10</Default>
 	    <Required>Y</Required>
 	</threadsperchild>
         <maxrequestsperchild type="IntegerField">
-            <default>0</default>
+            <Default>0</Default>
 	    <Required>Y</Required>
 	</maxrequestsperchild>
         <listenaddress type="NetworkField">
-            <default>::1</default>
+            <Default>::1</Default>
 	    <WildcardEnabled>N</WildcardEnabled>
 	    <NetMaskRequired>N</NetMaskRequired>
 	    <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
         </listenaddress>
         <serveradmin type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </serveradmin>
         <servername type="TextField">
-            <default></default>
+            <Default></Default>
             <Required>N</Required>
         </servername>
         <enable_accesslog type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </enable_accesslog>
         <localSquid type="BooleanField">
-            <default>1</default>
+            <Default>1</Default>
             <Required>Y</Required>
         </localSquid>
     </items>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index a1b829a4ac..aea004e0fe 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -461,7 +461,7 @@
                     <ValidationMessage>Please enter a minimum value of 2 or leave empty for defaults.</ValidationMessage>
                 </PassiveHealthMaxFails>
                 <PassiveHealthUnhealthyStatus type="TextField">
-                    <mask>/^(100|[1-5][0-9]{2}|[1-5]xx)$/u</mask>
+                    <Mask>/^(100|[1-5][0-9]{2}|[1-5]xx)$/u</Mask>
                     <ValidationMessage>Please enter a valid HTTP response code like 404 a status code class like 4xx.</ValidationMessage>
                 </PassiveHealthUnhealthyStatus>
                 <PassiveHealthUnhealthyLatency type="IntegerField">
@@ -474,7 +474,7 @@
                 </PassiveHealthUnhealthyRequestCount>
                 <description type="DescriptionField"/>
                 <health_uri type="TextField">
-                    <mask>/^(\/.*)?$/u</mask>
+                    <Mask>/^(\/.*)?$/u</Mask>
                     <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
                 </health_uri>
                 <health_upstream type="IPPortField"/>
@@ -500,7 +500,7 @@
                     <ValidationMessage>Please enter a minimum value of 1 or leave empty for defaults.</ValidationMessage>
                 </health_timeout>
                 <health_status type="TextField">
-                    <mask>/^(100|[1-5][0-9]{2}|[1-5]xx)$/u</mask>
+                    <Mask>/^(100|[1-5][0-9]{2}|[1-5]xx)$/u</Mask>
                     <ValidationMessage>Please enter a 3-digit status code or a status code ending in xx or leave empty for defaults.</ValidationMessage>
                 </health_status>
                 <health_body type="TextField"/>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 22f15d3ff0..fdc25d56d8 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -5,11 +5,11 @@
   <items>
     <general>
       <enabled type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enabled>
       <ban_ttl type="IntegerField">
-        <default>0</default>
+        <Default>0</Default>
         <MinimumValue>0</MinimumValue>
         <Required>Y</Required>
       </ban_ttl>
@@ -17,32 +17,32 @@
 
     <webgui>
       <limitnetworks type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </limitnetworks>
     </webgui>
 
     <http>
       <workerprocesses type="IntegerField">
-        <default>1</default>
+        <Default>1</Default>
         <MinimumValue>1</MinimumValue>
         <Required>Y</Required>
       </workerprocesses>
       <workerconnections type="IntegerField">
-        <default>1024</default>
+        <Default>1024</Default>
         <MinimumValue>1</MinimumValue>
         <Required>Y</Required>
       </workerconnections>
       <sendfile type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>N</Required>
       </sendfile>
       <keepalive_timeout type="IntegerField">
-        <default>60</default>
+        <Default>60</Default>
         <Required>N</Required>
       </keepalive_timeout>
       <reset_timedout type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </reset_timedout>
       <default_type type="TextField">
@@ -57,21 +57,21 @@
         <MinimumValue>1</MinimumValue>
       </server_names_hash_max_size>
       <ban_response type="OptionField">
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
         <OptionValues>
           <http_403 value="403">403 Forbidden</http_403>
           <http_444 value="444">444 Terminate Connection</http_444>
         </OptionValues>
         <Required>Y</Required>
-        <default>403</default>
+        <Default>403</Default>
       </ban_response>
       <log_perm_ban type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </log_perm_ban>
       <bots_ua type="CSVListField">
         <Required>Y</Required>
-        <default>Python-urllib,Nmap,python-requests,libwww-perl,MJ12bot,Jorgee,fasthttp,libwww,Telesphoreo,A6-Indexer,ltx71,okhttp,ZmEu,sqlmap,LMAO/2.0,l9explore,l9tcpid,Masscan,zgrab,Ronin/2.0,Hakai/2.0,Indy\sLibrary,^Mozilla/[\d\.]+$,Morfeus\sFucking\sScanner,MSIE\s[0-6]\.\d+</default>
+        <Default>Python-urllib,Nmap,python-requests,libwww-perl,MJ12bot,Jorgee,fasthttp,libwww,Telesphoreo,A6-Indexer,ltx71,okhttp,ZmEu,sqlmap,LMAO/2.0,l9explore,l9tcpid,Masscan,zgrab,Ronin/2.0,Hakai/2.0,Indy\sLibrary,^Mozilla/[\d\.]+$,Morfeus\sFucking\sScanner,MSIE\s[0-6]\.\d+</Default>
       </bots_ua>
       <headers_more_enable type="BooleanField">
         <Required>N</Required>
@@ -92,7 +92,7 @@
         </Model>
         <ValidationMessage>Selected user not found</ValidationMessage>
         <Required>Y</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </users>
     </userlist>
 
@@ -119,7 +119,7 @@
         </Model>
         <ValidationMessage>Selected server not found</ValidationMessage>
         <Required>Y</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </serverentries>
       <load_balancing_algorithm type="OptionField">
         <OptionValues>
@@ -145,20 +145,20 @@
         <Required>N</Required>
       </host_port>
       <x_forwarded_host_verbatim type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </x_forwarded_host_verbatim>
       <proxy_protocol type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </proxy_protocol>
       <store type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </store>
       <tls_enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </tls_enable>
       <tls_client_certificate type="CertificateField">
         <Type>cert</Type>
@@ -168,7 +168,7 @@
         <Required>N</Required>
       </tls_name_override>
       <tls_protocol_versions type="OptionField">
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
         <OptionValues>
           <TLSv1 value="TLSv1">TLSv1</TLSv1>
           <TLSv1_1 value="TLSv1.1">TLSv1.1</TLSv1_1>
@@ -179,20 +179,20 @@
       </tls_protocol_versions>
       <tls_session_reuse type="BooleanField">
         <Required>Y</Required>
-        <default>1</default>
+        <Default>1</Default>
       </tls_session_reuse>
       <tls_trusted_certificate type="CertificateField">
         <Type>ca</Type>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
         <Required>N</Required>
       </tls_trusted_certificate>
       <tls_verify type="BooleanField">
         <Required>Y</Required>
-        <default>1</default>
+        <Default>1</Default>
       </tls_verify>
       <tls_verify_depth type="IntegerField">
         <Required>N</Required>
-        <default>1</default>
+        <Default>1</Default>
         <MinimumValue>1</MinimumValue>
       </tls_verify_depth>
     </upstream>
@@ -246,11 +246,11 @@
         <Required>N</Required>
       </matchtype>
       <enable_secrules type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enable_secrules>
       <enable_learning_mode type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </enable_learning_mode>
       <secrules_errorpage type="ModelRelationField">
@@ -266,7 +266,7 @@
         </Model>
         <ValidationMessage>Selected error page(s) not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </secrules_errorpage>
       <xss_block_score type="IntegerField">
         <Required>N</Required>
@@ -284,7 +284,7 @@
         </Model>
         <ValidationMessage>Selected server not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </custom_policy>
       <upstream type="ModelRelationField">
         <Model>
@@ -296,11 +296,11 @@
         </Model>
         <ValidationMessage>Selected upstream not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </upstream>
       <path_prefix type="TextField">
         <Required>N</Required>
-        <mask>/^[^" \t]+$/</mask>
+        <Mask>/^[^" \t]+$/</Mask>
       </path_prefix>
       <cache_path type="ModelRelationField">
         <Model>
@@ -312,10 +312,10 @@
         </Model>
         <ValidationMessage>Selected cache directory not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </cache_path>
       <cache_use_stale type="OptionField">
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
         <OptionValues>
           <error>Error</error>
           <timeout>Timeout</timeout>
@@ -332,7 +332,7 @@
         <Required>N</Required>
       </cache_use_stale>
       <cache_methods type="OptionField">
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
         <OptionValues>
           <POST>Post</POST>
           <!-- it seems like it does not like the others required for REST - syntax error
@@ -347,22 +347,22 @@
       </cache_methods>
       <cache_min_uses type="IntegerField">
         <Required>Y</Required>
-        <default>1</default>
+        <Default>1</Default>
       </cache_min_uses>
       <cache_valid type="IntegerField">
         <Required>N</Required>
       </cache_valid>
       <cache_background_update type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </cache_background_update>
       <cache_lock type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </cache_lock>
       <cache_revalidate type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </cache_revalidate>
       <root type="TextField">
         <Required>N</Required>
@@ -377,7 +377,7 @@
         </Model>
         <ValidationMessage>Selected rewrite(s) not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </rewrites>
       <index type="CSVListField">
         <Required>N</Required>
@@ -398,10 +398,10 @@
         </Model>
         <ValidationMessage>Selected user file not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </authbasicuserfile>
       <advanced_acl type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </advanced_acl>
       <force_https type="TextField">
@@ -409,7 +409,7 @@
       </force_https>
       <php_enable type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </php_enable>
       <php_override_scriptname type="TextField">
         <Required>N</Required>
@@ -424,25 +424,25 @@
         </Model>
         <ValidationMessage>Selected limit zone not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </limit_request_connections>
       <max_body_size type="TextField">
         <Required>N</Required>
-        <mask>/^\d+[kmg]$/i</mask>
+        <Mask>/^\d+[kmg]$/i</Mask>
         <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
       </max_body_size>
       <body_buffer_size type="TextField">
         <Required>N</Required>
-        <mask>/^\d+[kmg]$/i</mask>
+        <Mask>/^\d+[kmg]$/i</Mask>
         <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
       </body_buffer_size>
       <honeypot type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </honeypot>
       <websocket type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
         <Constraints>
             <check001>
                 <ValidationMessage>WebSocket and Upstream Keepalive support can not be combined.</ValidationMessage>
@@ -455,7 +455,7 @@
       </websocket>
       <upstream_keepalive type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
         <Constraints>
             <check001>
                 <reference>websocket.check001</reference>
@@ -500,15 +500,15 @@
       </proxy_busy_buffers_size>
       <proxy_ignore_client_abort type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </proxy_ignore_client_abort>
       <proxy_request_buffering type="BooleanField">
         <Required>Y</Required>
-        <default>1</default>
+        <Default>1</Default>
       </proxy_request_buffering>
       <proxy_buffering type="BooleanField">
         <Required>Y</Required>
-        <default>1</default>
+        <Default>1</Default>
       </proxy_buffering>
       <proxy_read_timeout type="IntegerField">
         <Required>N</Required>
@@ -528,7 +528,7 @@
         </Model>
         <ValidationMessage>Selected ACL not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </ip_acl>
       <satisfy type="OptionField">
         <OptionValues>
@@ -543,7 +543,7 @@
       </proxy_max_temp_file_size>
       <proxy_ssl_server_name type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </proxy_ssl_server_name>
       <errorpages type="ModelRelationField">
         <Model>
@@ -555,7 +555,7 @@
         </Model>
         <ValidationMessage>Selected error page(s) not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </errorpages>
     </location>
 
@@ -573,14 +573,14 @@
         </Model>
         <ValidationMessage>Selected rule not found</ValidationMessage>
         <Required>Y</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </naxsi_rules>
       <value type="IntegerField">
         <Required>Y</Required>
       </value>
       <operator type="OptionField">
         <Required>Y</Required>
-        <default>&gt;=</default>
+        <Default>&gt;=</Default>
         <OptionValues>
           <option1 value="&gt;=">Bigger or Equal</option1>
           <option2 value="&gt;">Bigger</option2>
@@ -590,7 +590,7 @@
       </operator>
       <action type="OptionField">
         <Required>Y</Required>
-        <default>BLOCK</default>
+        <Default>BLOCK</Default>
         <OptionValues>
           <BLOCK>Block Request</BLOCK>
           <ALLOW>Allow Request</ALLOW>
@@ -649,7 +649,7 @@
       </match_value>
       <match_type type="OptionField">
         <Required>Y</Required>
-        <default>id</default>
+        <Default>id</Default>
         <OptionValues>
           <id>Blacklist</id>
           <wl>Whitelist</wl>
@@ -665,7 +665,7 @@
       </negate>
       <score type="IntegerField">
         <Required>N</Required>
-        <default>8</default>
+        <Default>8</Default>
         <Constraints>
           <check001>
             <ValidationMessage>This field must be set.</ValidationMessage>
@@ -682,14 +682,14 @@
         <Required>Y</Required>
       </args>
       <url type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </url>
       <headers type="BooleanField">
         <Required>Y</Required>
       </headers>
       <body type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </body>
       <dollar_args_var type="TextField">
@@ -726,13 +726,13 @@
         </Model>
         <ValidationMessage>Selected SYSLOG target not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </syslog_targets>
       <listen_http_address type="CSVListField">
         <Required>N</Required>
-        <multiple>Y</multiple>
-        <default>80,[::]:80</default>
-        <mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</mask>
+        <Multiple>Y</Multiple>
+        <Default>80,[::]:80</Default>
+        <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
         <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
         <Constraints>
           <check001>
@@ -742,14 +742,14 @@
       </listen_http_address>
       <listen_https_address type="CSVListField">
         <Required>N</Required>
-        <multiple>Y</multiple>
-        <default>443,[::]:443</default>
-        <mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</mask>
+        <Multiple>Y</Multiple>
+        <Default>443,[::]:443</Default>
+        <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
         <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
       </listen_https_address>
       <default_server type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
         <Constraints>
           <check001>
             <type>NgxUniqueDefaultServerConstraint</type>
@@ -757,17 +757,17 @@
         </Constraints>
       </default_server>
       <tls_reject_handshake type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </tls_reject_handshake>
       <proxy_protocol type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </proxy_protocol>
       <trusted_proxies type="CSVListField">
         <Required>N</Required>
-        <mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</mask>
-        <multiple>Y</multiple>
+        <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
+        <Multiple>Y</Multiple>
       </trusted_proxies>
       <trusted_proxies_alias type="ModelRelationField">
         <Model>
@@ -782,7 +782,7 @@
         </Model>
         <ValidationMessage>Selected alias not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </trusted_proxies_alias>
       <real_ip_source type="OptionField">
         <OptionValues>
@@ -803,7 +803,7 @@
         </Model>
         <ValidationMessage>Selected location(s) not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </locations>
       <rewrites type="ModelRelationField">
         <Model>
@@ -815,7 +815,7 @@
         </Model>
         <ValidationMessage>Selected rewrite(s) not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </rewrites>
       <root type="TextField">
         <Required>N</Required>
@@ -829,7 +829,7 @@
         <Required>N</Required>
       </ca>
       <verify_client type="OptionField">
-        <default>Off</default>
+        <Default>Off</Default>
         <OptionValues>
           <off>Off</off>
           <on>On</on>
@@ -839,7 +839,7 @@
         <Required>Y</Required>
       </verify_client>
       <access_log_format type="OptionField">
-        <default>main</default>
+        <Default>main</Default>
         <OptionValues>
           <main>Default</main>
           <main_ext>Extended</main_ext>
@@ -849,7 +849,7 @@
         <Required>Y</Required>
       </access_log_format>
       <error_log_level type="OptionField">
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
         <OptionValues>
           <emerg value="emerg">Emergency</emerg>
           <alert value="alert">Alert</alert>
@@ -860,48 +860,48 @@
           <info value="info">Informational</info>
         </OptionValues>
         <Required>Y</Required>
-        <default>error</default>
+        <Default>error</Default>
       </error_log_level>
       <log_handshakes type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </log_handshakes>
       <enable_acme_support type="BooleanField">
         <Required>Y</Required>
-        <default>1</default>
+        <Default>1</Default>
       </enable_acme_support>
       <charset type="OptionField">
-        <default>utf-8</default>
+        <Default>utf-8</Default>
         <OptionValues>
           <utf-8>utf-8</utf-8>
         </OptionValues>
         <Required>N</Required>
       </charset>
       <https_only type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </https_only>
       <tls_protocols type="OptionField">
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
         <Sorted>Y</Sorted>
         <OptionValues>
           <TLSv1_2 value="TLSv1.2">TLSv1.2</TLSv1_2>
           <TLSv1_3 value="TLSv1.3">TLSv1.3</TLSv1_3>
         </OptionValues>
         <Required>Y</Required>
-        <default>TLSv1.2,TLSv1.3</default>
+        <Default>TLSv1.2,TLSv1.3</Default>
       </tls_protocols>
       <tls_ciphers type="TextField">
-        <default>ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256</default>
+        <Default>ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256</Default>
         <Required>N</Required>
-        <mask>/^((((!|\+|-)?[A-Z][A-Z\d\+-]+)|(@STRENGTH)):?)*$/i</mask>
+        <Mask>/^((((!|\+|-)?[A-Z][A-Z\d\+-]+)|(@STRENGTH)):?)*$/i</Mask>
       </tls_ciphers>
       <tls_ecdh_curve type="TextField">
         <Required>N</Required>
-        <mask>/^(([A-Z\d-]+):?)*$/i</mask>
+        <Mask>/^(([A-Z\d-]+):?)*$/i</Mask>
       </tls_ecdh_curve>
       <tls_prefer_server_ciphers type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </tls_prefer_server_ciphers>
       <resolver type="ModelRelationField">
@@ -914,54 +914,54 @@
         </Model>
         <ValidationMessage>Selected resolver not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </resolver>
       <ocsp_stapling type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </ocsp_stapling>
       <ocsp_verify type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </ocsp_verify>
       <block_nonpublic_data type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </block_nonpublic_data>
       <disable_bot_protection type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </disable_bot_protection>
       <disable_gzip type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </disable_gzip>
       <naxsi_whitelist_srcip type="CSVListField">
         <Required>N</Required>
-        <mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</mask>
-        <multiple>Y</multiple>
+        <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
+        <Multiple>Y</Multiple>
       </naxsi_whitelist_srcip>
       <naxsi_extensive_log type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </naxsi_extensive_log>
       <sendfile type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </sendfile>
       <client_header_buffer_size type="IntegerField">
         <Required>Y</Required>
-        <default>1</default>
+        <Default>1</Default>
         <MinimumValue>1</MinimumValue>
       </client_header_buffer_size>
       <large_client_header_buffers_number type="IntegerField">
         <Required>Y</Required>
-        <default>4</default>
+        <Default>4</Default>
         <MinimumValue>1</MinimumValue>
       </large_client_header_buffers_number>
       <large_client_header_buffers_size type="IntegerField">
         <Required>Y</Required>
-        <default>8</default>
+        <Default>8</Default>
         <MinimumValue>1</MinimumValue>
       </large_client_header_buffers_size>
       <security_header type="ModelRelationField">
@@ -974,7 +974,7 @@
         </Model>
         <ValidationMessage>Selected security rule not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </security_header>
       <limit_request_connections type="ModelRelationField">
         <Model>
@@ -986,16 +986,16 @@
         </Model>
         <ValidationMessage>Selected limit zone not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </limit_request_connections>
       <max_body_size type="TextField">
         <Required>N</Required>
-        <mask>/^\d+[kmg]$/i</mask>
+        <Mask>/^\d+[kmg]$/i</Mask>
         <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
       </max_body_size>
       <body_buffer_size type="TextField">
         <Required>N</Required>
-        <mask>/^\d+[kmg]$/i</mask>
+        <Mask>/^\d+[kmg]$/i</Mask>
         <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
       </body_buffer_size>
       <ip_acl type="ModelRelationField">
@@ -1008,12 +1008,12 @@
         </Model>
         <ValidationMessage>Selected ACL not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </ip_acl>
       <advanced_acl_server type="AuthenticationServerField">
         <Required>N</Required>
-        <multiple>N</multiple>
-        <default>Local Database</default>
+        <Multiple>N</Multiple>
+        <Default>Local Database</Default>
       </advanced_acl_server>
       <satisfy type="OptionField">
         <OptionValues>
@@ -1024,7 +1024,7 @@
       </satisfy>
       <zero_rtt type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </zero_rtt>
       <errorpages type="ModelRelationField">
         <Model>
@@ -1036,15 +1036,15 @@
         </Model>
         <ValidationMessage>Selected error page(s) not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </errorpages>
     </http_server>
 
     <stream_server type="ArrayField">
       <listen_address type="CSVListField">
         <Required>N</Required>
-        <multiple>Y</multiple>
-        <mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</mask>
+        <Multiple>Y</Multiple>
+        <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
         <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
       </listen_address>
       <syslog_targets type="ModelRelationField">
@@ -1057,19 +1057,19 @@
         </Model>
         <ValidationMessage>Selected SYSLOG target not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </syslog_targets>
       <udp type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </udp>
       <trusted_proxies type="CSVListField">
         <Required>N</Required>
-        <mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</mask>
-        <multiple>Y</multiple>
+        <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
+        <Multiple>Y</Multiple>
       </trusted_proxies>
       <proxy_protocol type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </proxy_protocol>
       <certificate type="CertificateField">
@@ -1081,7 +1081,7 @@
         <Required>N</Required>
       </ca>
       <verify_client type="OptionField">
-        <default>Off</default>
+        <Default>Off</Default>
         <OptionValues>
           <off>Off</off>
           <on>On</on>
@@ -1091,7 +1091,7 @@
         <Required>Y</Required>
       </verify_client>
       <access_log_format type="OptionField">
-        <default>main</default>
+        <Default>main</Default>
         <OptionValues>
           <main>Default</main>
           <main_ext>Extended</main_ext>
@@ -1101,7 +1101,7 @@
         <Required>Y</Required>
       </access_log_format>
       <error_log_level type="OptionField">
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
         <OptionValues>
           <emerg value="emerg">Emergency</emerg>
           <alert value="alert">Alert</alert>
@@ -1112,10 +1112,10 @@
           <info value="info">Informational (default)</info>
         </OptionValues>
         <Required>Y</Required>
-        <default>info</default>
+        <Default>info</Default>
       </error_log_level>
       <route_field type="OptionField">
-        <default>upstream</default>
+        <Default>upstream</Default>
         <OptionValues>
           <upstream>Upstream</upstream>
           <sni_upstream_map>SNI Upstream Mapping</sni_upstream_map>
@@ -1132,7 +1132,7 @@
         </Model>
         <ValidationMessage>Selected upstream not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
         <Constraints>
           <check001>
             <ValidationMessage>This field must be set.</ValidationMessage>
@@ -1152,7 +1152,7 @@
         </Model>
         <ValidationMessage>Selected upstream not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
         <Constraints>
           <check001>
             <ValidationMessage>This field must be set.</ValidationMessage>
@@ -1172,7 +1172,7 @@
         </Model>
         <ValidationMessage>Selected ACL not found</ValidationMessage>
         <Required>N</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </ip_acl>
       <proxy_responses type="IntegerField">
         <Required>N</Required>
@@ -1201,7 +1201,7 @@
               <display>hostname</display>
             </template>
           </Model>
-          <multiple>Y</multiple>
+          <Multiple>Y</Multiple>
           -->
           <Required>Y</Required>
       </data>
@@ -1220,7 +1220,7 @@
           </template>
         </Model>
         <Required>Y</Required>
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
       </upstream>
     </sni_hostname_upstream_map_item>
 
@@ -1237,7 +1237,7 @@
               <display>description</display>
             </template>
           </Model>
-          <multiple>Y</multiple>
+          <Multiple>Y</Multiple>
           -->
         <Required>Y</Required>
       </data>
@@ -1255,7 +1255,7 @@
         <Required>Y</Required>
       </network>
       <action type="OptionField">
-        <default>deny</default>
+        <Default>deny</Default>
         <OptionValues>
           <deny>Deny Access</deny>
           <allow>Allow Access</allow>
@@ -1267,12 +1267,12 @@
     <resolver type="ArrayField">
       <description type="TextField">
         <Required>Y</Required>
-        <mask>/^[^" \t]+$/i</mask>
+        <Mask>/^[^" \t]+$/i</Mask>
       </description>
       <address type="CSVListField">
         <Required>Y</Required>
-        <multiple>Y</multiple>
-        <mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*))*$/i</mask>
+        <Multiple>Y</Multiple>
+        <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*))*$/i</Mask>
         <ValidationMessage>Please provide a valid resolver address, i.e. 8.8.8.8, [2001:4860:4860::8888], 8.8.8.8:5353.</ValidationMessage>
       </address>
       <valid type="IntegerField">
@@ -1308,14 +1308,14 @@
     <http_rewrite type="ArrayField">
       <description type="TextField">
         <Required>Y</Required>
-        <mask>/^[^" \t]+$/i</mask>
+        <Mask>/^[^" \t]+$/i</Mask>
       </description>
       <source type="TextField">
         <Required>Y</Required>
       </source>
       <destination type="TextField">
         <Required>Y</Required>
-        <mask>/^[^" \t]+$/i</mask>
+        <Mask>/^[^" \t]+$/i</Mask>
       </destination>
       <flag type="OptionField">
         <OptionValues>
@@ -1333,7 +1333,7 @@
         <Required>Y</Required>
       </description>
       <referrer type="OptionField">
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
         <OptionValues>
           <no-referrer>No Referrer</no-referrer>
           <no-referrer-when-downgrade>No Referrer When Downgrading</no-referrer-when-downgrade>
@@ -1347,7 +1347,7 @@
         <Required>N</Required>
       </referrer>
       <xssprotection type="OptionField">
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
         <OptionValues>
           <val1 value="1; mode=block">Block</val1>
           <val2 value="0">Off</val2>
@@ -1363,411 +1363,411 @@
       </strict_transport_security_time>
       <strict_transport_security_include_subdomains type="BooleanField">
         <Required>Y</Required>
-        <default>1</default>
+        <Default>1</Default>
       </strict_transport_security_include_subdomains>
       <strict_transport_security_preload type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </strict_transport_security_preload>
       <enable_csp type="BooleanField">
         <Required>Y</Required>
       </enable_csp>
       <csp_log_violations type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_log_violations>
       <csp_report_only type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_report_only>
       <csp_default_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_enabled>
       <csp_default_src_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_data_urls>
       <csp_default_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_default_src_http_urls>
       <csp_default_src_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_inline>
       <csp_default_src_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_eval>
       <csp_default_src_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_self>
       <csp_default_src_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_blob>
       <csp_default_src_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_mediastream>
       <csp_default_src_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_filesystem>
       <csp_default_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_default_src_none>
       <csp_script_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_enabled>
       <csp_script_src_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_data_urls>
       <csp_script_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_script_src_http_urls>
       <csp_script_src_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_inline>
       <csp_script_src_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_eval>
       <csp_script_src_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_self>
       <csp_script_src_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_blob>
       <csp_script_src_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_mediastream>
       <csp_script_src_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_filesystem>
       <csp_script_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_script_src_none>
       <csp_img_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_enabled>
       <csp_img_src_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_data_urls>
       <csp_img_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_img_src_http_urls>
       <csp_img_src_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_inline>
       <csp_img_src_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_eval>
       <csp_img_src_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_self>
       <csp_img_src_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_blob>
       <csp_img_src_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_mediastream>
       <csp_img_src_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_filesystem>
       <csp_img_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_img_src_none>
       <csp_style_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_enabled>
       <csp_style_src_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_data_urls>
       <csp_style_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_style_src_http_urls>
       <csp_style_src_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_inline>
       <csp_style_src_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_eval>
       <csp_style_src_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_self>
       <csp_style_src_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_blob>
       <csp_style_src_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_mediastream>
       <csp_style_src_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_filesystem>
       <csp_style_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_style_src_none>
       <csp_media_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_enabled>
       <csp_media_src_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_data_urls>
       <csp_media_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_media_src_http_urls>
       <csp_media_src_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_inline>
       <csp_media_src_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_eval>
       <csp_media_src_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_self>
       <csp_media_src_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_blob>
       <csp_media_src_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_mediastream>
       <csp_media_src_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_filesystem>
       <csp_media_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_media_src_none>
       <csp_font_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_enabled>
       <csp_font_src_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_data_urls>
       <csp_font_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_font_src_http_urls>
       <csp_font_src_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_inline>
       <csp_font_src_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_eval>
       <csp_font_src_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_self>
       <csp_font_src_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_blob>
       <csp_font_src_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_mediastream>
       <csp_font_src_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_filesystem>
       <csp_font_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_font_src_none>
       <csp_frame_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_enabled>
       <csp_frame_src_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_data_urls>
       <csp_frame_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_frame_src_http_urls>
       <csp_frame_src_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_inline>
       <csp_frame_src_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_eval>
       <csp_frame_src_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_self>
       <csp_frame_src_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_blob>
       <csp_frame_src_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_mediastream>
       <csp_frame_src_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_filesystem>
       <csp_frame_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_src_none>
       <csp_frame_ancestors_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_ancestors_enabled>
       <csp_frame_ancestors_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_ancestors_data_urls>
       <csp_frame_ancestors_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_frame_ancestors_http_urls>
       <csp_frame_ancestors_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_ancestors_self>
       <csp_frame_ancestors_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_ancestors_blob>
       <csp_frame_ancestors_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_ancestors_mediastream>
       <csp_frame_ancestors_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_ancestors_filesystem>
       <csp_frame_ancestors_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_frame_ancestors_none>
       <csp_connect_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_connect_src_enabled>
       <csp_connect_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_connect_src_http_urls>
       <csp_connect_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_connect_src_none>
       <csp_worker_src_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_worker_src_enabled>
       <csp_worker_src_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_worker_src_data_urls>
       <csp_worker_src_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_worker_src_http_urls>
       <csp_worker_src_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_worker_src_inline>
       <csp_worker_src_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_worker_src_eval>
       <csp_worker_src_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_worker_src_self>
       <csp_worker_src_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_worker_src_blob>
       <csp_worker_src_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_worker_src_filesystem>
       <csp_worker_src_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_worker_src_none>
       <csp_form_action_enabled type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_enabled>
       <csp_form_action_data_urls type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_data_urls>
       <csp_form_action_http_urls type="CSVListField">
         <Required>N</Required>
       </csp_form_action_http_urls>
       <csp_form_action_inline type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_inline>
       <csp_form_action_eval type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_eval>
       <csp_form_action_self type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_self>
       <csp_form_action_blob type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_blob>
       <csp_form_action_mediastream type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_mediastream>
       <csp_form_action_filesystem type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_filesystem>
       <csp_form_action_none type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </csp_form_action_none>
     </security_header>
 
@@ -1776,14 +1776,14 @@
         <Required>Y</Required>
       </description>
       <key type="OptionField">
-        <default>binary_remote_addr</default>
+        <Default>binary_remote_addr</Default>
         <OptionValues>
           <binary_remote_addr>Remote IP Address</binary_remote_addr>
         </OptionValues>
         <Required>Y</Required>
       </key>
       <rate_unit type="OptionField">
-        <default>r/s</default>
+        <Default>r/s</Default>
         <OptionValues>
           <val1 value="r/s">Requests Per Second</val1>
           <val2 value="r/m">Requests Per Minute</val2>
@@ -1792,12 +1792,12 @@
       </rate_unit>
       <size type="IntegerField">
         <Required>Y</Required>
-        <default>10</default>
+        <Default>10</Default>
         <MinimumValue>1</MinimumValue>
       </size>
       <rate type="IntegerField">
         <Required>Y</Required>
-        <default>20</default>
+        <Default>20</Default>
         <MinimumValue>1</MinimumValue>
       </rate>
     </limit_zone>
@@ -1807,7 +1807,7 @@
         <Required>Y</Required>
       </name>
       <statuscodes type="OptionField">
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
         <OptionValues>
           <status_400 value="400">400 Bad Request</status_400>
           <status_401 value="401">401 Unauthorized</status_401>
@@ -1829,7 +1829,7 @@
         <Required>Y</Required>
       </statuscodes>
       <pagecontent type="Base64Field">
-        <default>PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsaW5pdGlhbC1zY2FsZT0xIiAvPgogICAgPHRpdGxlPkVycm9yPC90aXRsZT4KPC9oZWFkPgo8Ym9keT4KICAgIDxoMT5FcnJvcjwvaDE+CiAgICA8cD5Tb3JyeSwgYnV0IHNvbWV0aGluZyB3ZW50IHdyb25nLjwvcD4KPC9ib2R5Pgo8L2h0bWw+</default>
+        <Default>PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsaW5pdGlhbC1zY2FsZT0xIiAvPgogICAgPHRpdGxlPkVycm9yPC90aXRsZT4KPC9oZWFkPgo8Ym9keT4KICAgIDxoMT5FcnJvcjwvaDE+CiAgICA8cD5Tb3JyeSwgYnV0IHNvbWV0aGluZyB3ZW50IHdyb25nLjwvcD4KPC9ib2R5Pgo8L2h0bWw+</Default>
         <Constraints>
           <check001>
             <type>SingleSelectConstraint</type>
@@ -1850,7 +1850,7 @@
         </Constraints>
       </redirect>
       <response type="OptionField">
-        <multiple>N</multiple>
+        <Multiple>N</Multiple>
         <OptionValues>
           <status_200 value="200">200 OK</status_200>
           <status_300 value="300">300 Multiple Choice</status_300>
@@ -1875,18 +1875,18 @@
         <Required>Y</Required>
       </user_agent>
       <trusted type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
       </trusted>
       <curves type="TextField">
         <!-- OpenSSL curve list like the one used for configuring the supported ciphers by the web server -->
         <Required>N</Required>
-        <mask>/^(0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)(?::((0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)))*$/</mask>
+        <Mask>/^(0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)(?::((0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)))*$/</Mask>
       </curves>
       <ciphers type="TextField">
         <!-- OpenSSL cipher list like the one used for configuring the supported ciphers by the web server -->
         <Required>Y</Required>
-        <mask>/^(0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)(?::((0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)))*$/</mask>
+        <Mask>/^(0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)(?::((0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)))*$/</Mask>
       </ciphers>
     </tls_fingerprint>
 
@@ -1901,20 +1901,20 @@
         </Model>
         <ValidationMessage>Selected limit zone not found</ValidationMessage>
         <Required>Y</Required>
-        <multiple>Y</multiple>
+        <Multiple>Y</Multiple>
       </limit_zone>
       <connection_count type="IntegerField">
         <MinimumValue>1</MinimumValue>
         <Required>Y</Required>
-        <default>5</default>
+        <Default>5</Default>
       </connection_count>
       <burst type="IntegerField">
         <MinimumValue>1</MinimumValue>
         <Required>N</Required>
-        <default>20</default>
+        <Default>20</Default>
       </burst>
       <nodelay type="BooleanField">
-        <default>1</default>
+        <Default>1</Default>
         <Required>Y</Required>
       </nodelay>
       <description type="TextField">
@@ -1935,11 +1935,11 @@
     <cache_path type="ArrayField">
       <path type="TextField">
         <Required>Y</Required>
-        <mask>/\/(srv|var|tmp|mnt)[a-z0-9\-\._\:\,\/]+[a-z0-9\-\._\:\,]+/i</mask>
+        <Mask>/\/(srv|var|tmp|mnt)[a-z0-9\-\._\:\,\/]+[a-z0-9\-\._\:\,]+/i</Mask>
       </path>
       <size type="IntegerField">
         <MinimumValue>10</MinimumValue>
-        <default>10</default>
+        <Default>10</Default>
       </size>
       <inactive type="IntegerField">
         <Required>N</Required>
@@ -1947,7 +1947,7 @@
       </inactive>
       <use_temp_path type="BooleanField">
         <Required>Y</Required>
-        <default>0</default>
+        <Default>0</Default>
       </use_temp_path>
       <max_size type="IntegerField">
         <Required>N</Required>
@@ -1993,7 +1993,7 @@
           <local7>local7</local7>
         </OptionValues>
         <Required>Y</Required>
-        <default>local7</default>
+        <Default>local7</Default>
       </facility>
       <severity type="OptionField">
         <OptionValues>
@@ -2007,15 +2007,15 @@
           <emerg>emerg</emerg>
         </OptionValues>
         <Required>Y</Required>
-        <default>error</default>
+        <Default>error</Default>
       </severity>
       <tag type="TextField">
         <Required>N</Required>
-        <mask>/[a-z][a-z0-9]*/i</mask>
+        <Mask>/[a-z][a-z0-9]*/i</Mask>
       </tag>
       <nohostname type="BooleanField">
         <Required>Y</Required>
-        <default>N</default>
+        <Default>N</Default>
       </nohostname>
     </syslog_target>
   </items>
diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
index f43f0389e3..963d01260c 100644
--- a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
+++ b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
@@ -5,11 +5,11 @@
 </description>
 <items>
     <EnableSSO type="BooleanField">
-        <default>0</default>
+        <Default>0</Default>
         <Required>Y</Required>
     </EnableSSO>
     <ADKerberosImplementation type="OptionField">
-        <default>W2008</default>
+        <Default>W2008</Default>
         <Required>Y</Required>
         <OptionValues>
             <W2003>Windows 2003</W2003>

From e3717e63888680c3765bd245a9e48cf1a0618052 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 2 Jul 2025 14:17:18 +0200
Subject: [PATCH 2495/3088] security/acme-client: assorted logging enhancements

---
 security/acme-client/pkg-descr                |  6 ++
 .../library/OPNsense/AcmeClient/LeAccount.php | 18 ++---
 .../OPNsense/AcmeClient/LeAutomation/Base.php |  6 +-
 .../OPNsense/AcmeClient/LeCertificate.php     |  6 +-
 .../library/OPNsense/AcmeClient/LeUtils.php   | 16 +++-
 .../OPNsense/AcmeClient/LeValidation/Base.php |  2 +-
 .../library/OPNsense/AcmeClient/Process.php   |  9 ++-
 .../library/OPNsense/AcmeClient/SSHKeys.php   | 31 ++++----
 .../OPNsense/AcmeClient/SftpClient.php        | 15 ++--
 .../OPNsense/AcmeClient/SftpUploader.php      | 41 +++++-----
 .../app/library/OPNsense/AcmeClient/Utils.php | 79 ++-----------------
 .../OPNsense/AcmeClient/run_remote_ssh.php    | 22 +++---
 .../OPNsense/AcmeClient/upload_sftp.php       | 39 ++++-----
 13 files changed, 129 insertions(+), 161 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 8f7f21ace1..05a12c7b7f 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -19,6 +19,9 @@ Changed:
 * automatically fix account config if CERT_HOME is set (#4622)
 * automatically resolve cron job mismatch (#4627)
 * change default SFTP options to NOT preserve modification time (#3862)
+* migrate SFTP/SSH operations to AcmeClient logging
+* add detailed SFTP/SSH logging when debug logging is enabled
+* add new log messages and improve existing ones
 
 Fixed:
 * deploy hooks may use the old CERT_HOME (#4622)
@@ -26,6 +29,9 @@ Fixed:
 * avoid startup error: "rmdir... Not a directory" (#4743)
 * fails to create/update cron job on UUID mismatch (#4627)
 
+Removed:
+* remove stdout (CLI) logging from SFTP library
+
 4.9
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
index 0bf429dba3..4eef9200a6 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAccount.php
@@ -94,17 +94,17 @@ public function generateKey()
 
         // Check if account key already exists both in filesystem and in config
         if (!is_file($account_key_file) || empty((string)$this->config->key)) {
-            LeUtils::log_debug('creating account key for ' . (string)$this->config->name, $this->debug);
+            LeUtils::log_debug('creating account key for ' . (string)$this->config->name);
 
             // Check if we have an account key in our configuration
             if (!empty((string)$this->config->key)) {
-                LeUtils::log_debug('exporting existing account key to filesystem for ' . (string)$this->config->name, $this->debug);
+                LeUtils::log_debug('exporting existing account key to filesystem for ' . (string)$this->config->name);
                 // Write key to disk
                 file_put_contents($account_key_file, (string)base64_decode((string)$this->config->key));
                 chmod($account_key_file, 0600);
                 return true;
             } else {
-                LeUtils::log_debug('generating a new account key for ' . (string)$this->config->name, $this->debug);
+                LeUtils::log_debug('generating a new account key for ' . (string)$this->config->name);
 
                 // Preparation to run acme client
                 $proc_env = $this->acme_env; // add env variables
@@ -116,7 +116,7 @@ public function generateKey()
                   . implode(' ', $this->acme_args) . ' '
                   . LeUtils::execSafe('--accountkeylength %s', self::ACME_ACCOUNT_KEY_LENGTH) . ' '
                   . LeUtils::execSafe('--accountconf %s', $account_conf_file);
-                LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+                LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd);
 
                 // Run acme.sh command
                 $result = LeUtils::run_shell_command($acmecmd, $proc_env);
@@ -156,7 +156,7 @@ public function generateKey()
                     LeUtils::log_error('failed to save account key for ' . (string)$this->config->name);
                     return false;
                 }
-                LeUtils::log_debug('successfully created account key for ' . (string)$this->config->name, $this->debug);
+                LeUtils::log_debug('successfully created account key for ' . (string)$this->config->name);
                 return true;
             }
         }
@@ -194,11 +194,11 @@ public function register()
 
         // Check if account is already registered
         if (!($this->isRegistered())) {
-            LeUtils::log_debug('starting account registration for ' . (string)$this->config->name, $this->debug);
+            LeUtils::log_debug('starting account registration for ' . (string)$this->config->name);
 
             // Check if ACME External Account Binding (EAB) is enabled
             if (!empty((string)$this->config->eab_kid) && !empty((string)$this->config->eab_hmac)) {
-                LeUtils::log_debug('enabling ACME EAB for this account', $this->debug);
+                LeUtils::log_debug('enabling ACME EAB for this account');
                 $this->acme_args[] = LeUtils::execSafe('--eab-kid %s', $this->config->eab_kid);
                 $this->acme_args[] = LeUtils::execSafe('--eab-hmac-key %s', $this->config->eab_hmac);
             }
@@ -212,7 +212,7 @@ public function register()
               . '--registeraccount '
               . implode(' ', $this->acme_args) . ' '
               . LeUtils::execSafe('--accountconf %s', $this->account_conf_file);
-            LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+            LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd);
 
             // Run acme.sh command
             $result = LeUtils::run_shell_command($acmecmd, $proc_env);
@@ -228,7 +228,7 @@ public function register()
             LeUtils::log('account registration successful for ' . $this->config->name);
             $this->setStatus(200);
         } else {
-            LeUtils::log_debug('account already registered: ' . (string)$this->config->name, $this->debug);
+            LeUtils::log_debug('account already registered: ' . (string)$this->config->name);
         }
 
         // Always check (and fix) account config
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
index 138d64d814..0571a8e085 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/Base.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2020-2024 Frank Wall
+ * Copyright (C) 2020-2025 Frank Wall
  * Copyright (C) 2018 Deciso B.V.
  * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
  * All rights reserved.
@@ -131,7 +131,7 @@ public function runAcme()
           . implode(' ', $this->acme_args);
 
         // Run acme.sh command
-        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd);
         $result = LeUtils::run_shell_command($acmecmd, $proc_env);
 
         // acme.sh records the last used deploy hook and would automatically
@@ -156,7 +156,7 @@ public function runAcme()
                 if (!file_put_contents($filename, $contents)) {
                     LeUtils::log_error('clearing recorded deploy hook from acme.sh failed (' . $filename . ')');
                 } else {
-                    LeUtils::log_debug('cleared recorded deploy deploy hook from acme.sh (' . $filename . ')', $this->debug);
+                    LeUtils::log_debug('cleared recorded deploy deploy hook from acme.sh (' . $filename . ')');
                 }
             }
         }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index ff43613378..e45f92dedd 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -358,7 +358,7 @@ public function issue()
         $configdir = (string)sprintf(self::ACME_CONFIG_DIR, (string)$this->config->id);
         foreach (array($certdir, $keydir, $configdir) as $dir) {
             if (!is_dir($dir)) {
-                LeUtils::log_debug("creating directory: {$dir}", $this->debug);
+                LeUtils::log_debug("creating directory: {$dir}");
                 mkdir($dir, 0700, true);
             }
         }
@@ -467,7 +467,7 @@ public function remove()
           . '--remove '
           . implode(' ', $this->acme_args) . ' '
           . LeUtils::execSafe('--domain %s', (string)$this->config->name);
-        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd);
 
         // Run acme.sh command
         $result = LeUtils::run_shell_command($acmecmd, $proc_env);
@@ -542,7 +542,7 @@ public function revoke()
           . implode(' ', $this->acme_args) . ' '
           . LeUtils::execSafe('--domain %s', (string)$this->config->name) . ' '
           . LeUtils::execSafe('--accountconf %s', $account_conf_file);
-        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd);
 
         // Run acme.sh command
         $result = LeUtils::run_shell_command($acmecmd, $proc_env);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index 6dfd33effd..ec51a01776 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -32,6 +32,7 @@
 namespace OPNsense\AcmeClient;
 
 use OPNsense\Core\Config;
+use OPNsense\AcmeClient\AcmeClient;
 
 /**
  * Helper functions for LeAcme
@@ -81,8 +82,13 @@ public static function log($msg)
     /**
      * log additional debug output
      */
-    public static function log_debug($msg, bool $debug = false)
+    public static function log_debug($msg)
     {
+        $log_config = (new AcmeClient())->getNodeByReference('settings.logLevel');
+        if (strpos($log_config, "debug") !== false) {
+            $debug = true;
+        }
+
         if ($debug) {
             syslog(LOG_NOTICE, "AcmeClient: {$msg}");
         }
@@ -91,9 +97,13 @@ public static function log_debug($msg, bool $debug = false)
     /**
      * log error messages
      */
-    public static function log_error($msg)
+    public static function log_error($msg, $error = null)
     {
-        syslog(LOG_ERR, "AcmeClient: {$msg}");
+        syslog(LOG_ERR,
+            $error
+                ? ("AcmeClient: $msg; Trace: " . json_encode($error, JSON_UNESCAPED_SLASHES))
+                : "AcmeClient: $msg"
+        );
     }
 
     /**
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 1946ab3b9f..6163abadd3 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -167,7 +167,7 @@ public function run(bool $renew = false)
           . "--{$acme_action} "
           . implode(' ', $this->acme_args) . ' '
           . LeUtils::execSafe('--accountconf %s', $account_conf_file);
-        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd, $this->debug);
+        LeUtils::log_debug('running acme.sh command: ' . (string)$acmecmd);
 
         // Run acme.sh command
         $result = LeUtils::run_shell_command($acmecmd, $proc_env);
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Process.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Process.php
index 59ed4808ff..0a0b150fe3 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Process.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Process.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -28,6 +29,8 @@
 
 namespace OPNsense\AcmeClient;
 
+use OPNsense\AcmeClient\LeUtils;
+
 /**
  * Utility class to execute shell processes and handle their IO.
  * @package OPNsense\AcmeClient
@@ -64,7 +67,7 @@ private static function manageOpenedProcess($process_handle, $release = false)
             register_shutdown_function(function () use (&$open_processes) {
                 foreach ($open_processes as $handle) {
                     if (is_resource($handle)) {
-                        Utils::log()->error("Terminating process: " . json_encode(proc_get_status($handle)));
+                        LeUtils::log_error("Terminating process: " . json_encode(proc_get_status($handle)));
                         @proc_terminate($handle);
                     }
                 }
@@ -102,7 +105,7 @@ public function __construct($cmd, $cwd = null, $env = null)
 
             self::manageOpenedProcess($this->handle);
         } else {
-            Utils::log()->error("Failed opening '$cmd' in '$cwd'");
+            LeUtils::log_error("Failed opening '$cmd' in '$cwd'");
         }
     }
 
@@ -181,7 +184,7 @@ public function close($force = false)
     {
         // Read up-to 10k remaining lines from STDOUT/ERR to release locks before closing.
         for ($i = 0; ($line = $this->get(0)) && $i < 10000; $i++) {
-            Utils::log()->error("WARN: process: $line");
+            LeUtils::log_error("WARN: process: $line");
         }
 
         if ($this->isRunning()) {
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php
index 3d91cef69d..ac70602d26 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -28,6 +29,8 @@
 
 namespace OPNsense\AcmeClient;
 
+use OPNsense\AcmeClient\LeUtils;
+
 /**
  * Utility class for managing SSH host-keys (known_hosts) and identity keys.
  * @package OPNsense\AcmeClient
@@ -153,10 +156,10 @@ public function trustHost(string $host, $host_key = "", $port = self::DEFAULT_PO
         // Updating $host and $host_key from known_hosts and check if we need to update known_hosts.
         if ($host_key === false && $known_by_host) {
             if ($known_by_host_matches_port) {
-                Utils::log()->info("No host key specified, using existing known_hosts entry for '$host'");
+                LeUtils::log_debug("No host key specified, using existing known_hosts entry for '$host'");
                 $host_key = $known_by_host["key_info"];
             } else {
-                Utils::log()->info("No host key specified and existing entry for '$host' cannot be used as isn't matching port $port.");
+                LeUtils::log_debug("No host key specified and existing entry for '$host' cannot be used as isn't matching port $port.");
             }
         }
 
@@ -165,7 +168,7 @@ public function trustHost(string $host, $host_key = "", $port = self::DEFAULT_PO
             $is_key_known = true;
         } elseif ($known_by_key) {
             if (strcasecmp(trim($host), trim($known_by_key["host"])) != 0) {
-                Utils::log()->info("Host key is in known_hosts but hostname differs. Changing '$host' to '{$known_by_key["host"]}'.");
+                LeUtils::log_debug("Host key is in known_hosts but hostname differs. Changing '$host' to '{$known_by_key["host"]}'.");
                 $host = $known_by_key["host"];
             }
             $is_key_known = true;
@@ -196,15 +199,15 @@ public function trustHost(string $host, $host_key = "", $port = self::DEFAULT_PO
 
             if (!empty($matching_remote_host_keys)) {
                 if ($known_by_host && $known_by_host_matches_port) {
-                    Utils::log()->info("Removing known_hosts entry with differing key for '{$known_by_host["host_query"]}' as it is in the way.");
+                    LeUtils::log_debug("Removing known_hosts entry with differing key for '{$known_by_host["host_query"]}' as it is in the way.");
                     $this->removeKnownHost($known_by_host["host_query"]);
                 }
 
                 foreach ($matching_remote_host_keys as $key) {
-                    Utils::log()->info("Adding known_hosts entry: " . json_encode($key["key_info"], JSON_UNESCAPED_SLASHES));
+                    LeUtils::log_debug("Adding known_hosts entry: " . json_encode($key["key_info"], JSON_UNESCAPED_SLASHES));
                     $ok = file_put_contents($this->knownHostsFile(), $key["host_key"] . PHP_EOL, FILE_APPEND);
                     if (!$ok) {
-                        Utils::log()->error("Failed adding known_hosts entry {$key["host_key"]}");
+                        LeUtils::log_error("Failed adding SSH known_hosts entry {$key["host_key"]}");
                     }
                 }
 
@@ -331,12 +334,12 @@ public static function queryHostKey(string $host, $key_type = self::DEFAULT_KEY_
                     ? ""
                     : PHP_EOL . "ssh-keyscan: " . join(PHP_EOL . "ssh-keyscan: ", $lines);
 
-                Utils::log()->error("Failed querying host keys ($key_type) for [$names] port $port. Exit code: {$p->exitCode} (error-marker: $marker) $output");
+                LeUtils::log_error("Failed querying SSH host keys ($key_type) for [$names] port $port. Exit code: {$p->exitCode} (error-marker: $marker) $output");
             }
         }
 
         if (empty($keys)) {
-            Utils::log()->info("Couldn't fetch public host key ($key_type) from {$host}:{$port}");
+            LeUtils::log_debug("Couldn't fetch public host key ($key_type) from {$host}:{$port}");
 
             if (!is_array($error) || empty($error)) {
                 $error = ["connection_refused" => true];
@@ -384,13 +387,13 @@ public function getKnownHostKey(string $host, int $port = self::DEFAULT_PORT)
                         ? ""
                         : PHP_EOL . join(PHP_EOL, $lines);
 
-                    Utils::log()->error("Failed querying known hosts for $name_or_ip ($host). Exit code: {$p->exitCode} $output");
+                    LeUtils::log_error("Failed querying SSH known hosts for $name_or_ip ($host). Exit code: {$p->exitCode} $output");
                 }
             }
         }
 
         if (empty($keys)) {
-            Utils::log()->info("Didn't find $host in known_hosts");
+            LeUtils::log_debug("Could not find $host in known_hosts");
         }
 
         return $keys;
@@ -408,7 +411,7 @@ public function removeKnownHost(string $host)
         if ($p = Process::open(["ssh-keygen", "-R", $host, "-f", $this->knownHostsFile()])) {
             $ok = $p->close() === 0;
             if (!$ok) {
-                Utils::log()->error("Failed removing known hosts for $host. Return code was: {$p->exitCode}");
+                LeUtils::log_error("Failed removing SSH known hosts for $host. Return code was: {$p->exitCode}");
             }
         }
 
@@ -433,11 +436,11 @@ public static function getHostKeyInfo(string $host_key)
                     "key_length" => $matches[1]
                 ];
             } else {
-                Utils::log()->error("Unsupported hash type: $hash");
+                LeUtils::log_error("Unsupported hash type: $hash");
             }
         }
 
-        Utils::log()->error("Failed getting hash for host_key");
+        LeUtils::log_error("Failed getting hash for host_key");
         return false;
     }
 
@@ -472,7 +475,7 @@ public function getIdentity(string $identity_type = self::DEFAULT_IDENTITY_TYPE,
 
             if ($p = Process::open($generate_key)) {
                 while (($line = $p->get(10)) !== false) {
-                    Utils::log()->info("SSH keygen: $line");
+                    LeUtils::log_debug("SSH keygen: $line");
                 }
 
                 Utils::requireThat(
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
index 1804596af5..ff3982dc6c 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -28,6 +29,8 @@
 
 namespace OPNsense\AcmeClient;
 
+use OPNsense\AcmeClient\LeUtils;
+
 /**
  * Wrapper around the 'sftp' commandline client.
  * @package OPNsense\AcmeClient
@@ -71,13 +74,13 @@ public function connect($host, $username, $host_key = "", $port = SSHKeys::DEFAU
     {
         if (empty(trim($host)) || empty(trim($username))) {
             $this->failed_status = ["invalid_parameters" => true];
-            Utils::log()->error("Failed connecting to '$host'. Hostname or username is missing.");
+            LeUtils::log_error("Failed connecting to '$host'. Hostname or username is missing.");
             return false;
         }
 
         $trust = $this->ssh_keys->trustHost($host, $host_key, $port);
         if ($trust["ok"] !== true) {
-            Utils::log()->error("Failed establishing trust in '$host'; Cause: {$trust["error"]}");
+            LeUtils::log_error("Failed establishing trust in '$host'; Cause: {$trust["error"]}");
             unset($trust["ok"]);
             $this->failed_status = array_merge($trust, ["host_not_trusted" => true]);
             return false;
@@ -103,7 +106,7 @@ public function connect($host, $username, $host_key = "", $port = SSHKeys::DEFAU
                 "-oPreferredAuthentications=publickey"
             );
         } else {
-            Utils::log()->error("Failed adding client identity ($identity). Connect will likely fail.");
+            LeUtils::log_error("Failed adding client identity ($identity). Connect will likely fail.");
         }
 
         // Adding the host
@@ -113,7 +116,7 @@ public function connect($host, $username, $host_key = "", $port = SSHKeys::DEFAU
         if ($this->process = Process::open($cmd)) {
             $this->processAvailableInput(self::CONNECT_REPLY_TIMEOUT, 1, null, 0.75);
             if (($error = $this->lastError()) || !$this->process->isRunning()) {
-                Utils::log()->error("Failed connecting to '$host' (user: '$username')", $error);
+                LeUtils::log_error("Failed connecting to '$host' (user: '$username')", $error);
                 return false;
             }
             $this->connection_info = ["host" => $host, "port" => $port, "user" => $username];
@@ -151,7 +154,7 @@ private function processAvailableInput(float $timeout = 0, $expected_lines = 0,
 
             $consumed = ($lines_consumer && $lines_consumer($line) === true);
             if (!$consumed) {
-                Utils::log()->info("SFTP: " . rtrim($line));
+                LeUtils::log_debug("SFTP: " . rtrim($line));
             }
 
             if (!$lines_consumer || $consumed) {
@@ -286,7 +289,7 @@ public function put($local_file, $remote_file = "", $preserve = true)
                 . (empty($remote_file) ? "" : " " . escapeshellarg($remote_file)));
             $this->processAvailableInput(self::COMMAND_REPLY_TIMEOUT, 2);
         } else {
-            Utils::log()->info("put: File $local_file doesn't exist.");
+            LeUtils::log_debug("put: File $local_file doesn't exist.");
             $this->failed_status = ["file_not_found" => true, "error" => $local_file];
         }
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
index d7b5df79a4..bfd4b1885e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpUploader.php
@@ -159,7 +159,7 @@ public function upload(): int
                     ->lastError();
 
                 if ($error) {
-                    Utils::log()->error("Cannot continue since changing to initial remote path '{$this->pending_base_path}' failed", $error);
+                    LeUtils::log_error("Cannot continue with SFTP upload since changing to initial remote path '{$this->pending_base_path}' failed", $error);
                     return self::UPLOAD_ERROR;
                 }
             }
@@ -189,7 +189,7 @@ public function upload(): int
             try {
                 $connection = $this->sftp->connected();
                 if (!$connection) {
-                    Utils::log()->error("The sftp client is not connected, upload stopped.");
+                    LeUtils::log_error("The SFTP client is not connected, upload stopped.");
                     return self::UPLOAD_ERROR;
                 }
 
@@ -211,7 +211,7 @@ public function upload(): int
                     foreach ($dir_names as $dir) {
                         if ($error = $this->sftp->cd($dir)->lastError()) {
                             if ($error["file_not_found"]) {
-                                Utils::log()->info("Creating remote directory: $dir");
+                                LeUtils::log_debug("SFTP creating remote directory: $dir");
                                 $this->sftp->clearError()
                                     ->mkdir($dir)
                                     ->cd($dir);
@@ -222,7 +222,7 @@ public function upload(): int
                     }
 
                     if ($error = $this->sftp->lastError()) {
-                        Utils::log()->error("Failed to cd into '$target_dir'.", $error);
+                        LeUtils::log_error("SFTP failed to cd into '$target_dir'", $error);
                         return self::UPLOAD_ERROR;
                     }
 
@@ -234,7 +234,7 @@ public function upload(): int
                 if (empty($remote_files)) {
                     $remote_files = $this->sftp->clearError()->ls();
                     if ($error = $this->sftp->lastError()) {
-                        Utils::log()->error("Failed listing remote files.", $error);
+                        LeUtils::log_error("SFTP failed listing remote files", $error);
                         return self::UPLOAD_ERROR;
                     }
                 }
@@ -245,10 +245,11 @@ public function upload(): int
                 $remote_file = $remote_files[$remote_filename] ?? ["type" => "-", "owner" => $username];
                 $remote_is_file = $remote_file["type"] === "-";
                 $remote_is_readonly = preg_match('/^[^wW]+$/', $remote_file["permissions"] ?? "");
+                LeUtils::log_debug("SFTP current remote file permissions: '{$remote_file["permissions"]}'");
 
                 // Check if a folder/socket/symlink, etc is in the way
                 if (!$remote_is_file) {
-                    Utils::log()->error("Failed uploading file '{$local_file}' as there is a non-file in the way at '{$file["target"]}'");
+                    LeUtils::log_error("SFTP failed uploading file '{$local_file}' as there is a non-file in the way at '{$file["target"]}'");
                     return self::UPLOAD_ERROR_NO_OVERWRITE;
                 }
 
@@ -261,9 +262,9 @@ public function upload(): int
                 // Preserving the modification time is not supported by all SFTP servers.
                 $preserve = $file["modtime"];
                 if ($preserve !== false) {
-                    LeUtils::log("Sftp upload will try to preserve file modification time");
+                    LeUtils::log("SFTP upload will try to preserve file modification time for '{$file["target"]}'");
                 } else {
-                    LeUtils::log("Sftp upload will not preserve file modification time");
+                    LeUtils::log("SFTP upload will not preserve file modification time for '{$file["target"]}'");
                 }
 
                 // Initial upload when permissions are properly set.
@@ -273,6 +274,7 @@ public function upload(): int
 
                 // Upload file.
                 if (!$remote_is_readonly) {
+                    LeUtils::log("Uploading file '{$local_file}' to '{$file["target"]}'");
                     $preserve_times_and_mod = $chmod !== false;
 
                     if ($error = $this->sftp->put($local_file, $remote_filename, $preserve)->lastError()) {
@@ -283,7 +285,7 @@ public function upload(): int
                         if ($should_upload_with_permission_change) {
                             $this->sftp->clearError();
                         } else {
-                            Utils::log()->error("Failed uploading file '{$local_file}' to '{$file["target"]}'", $error);
+                            LeUtils::log_error("SFTP failed uploading file '{$local_file}' to '{$file["target"]}'", $error);
                             return self::UPLOAD_ERROR_NO_PERMISSION;
                         }
                     } else {
@@ -293,21 +295,21 @@ public function upload(): int
 
                 // Second attempt when initial failed or was skipped due to write protection (only possible if we have chmod defined to reset permissions later)
                 if ($should_upload_with_permission_change && $this->isFileOwnedByConnection($remote_file, $connection)) {
-                    Utils::log()->info("Trying to upload file '{$local_file}' to '{$file["target"]}' with adjusted permissions");
+                    LeUtils::log("Trying to upload file '{$local_file}' to '{$file["target"]}' with adjusted permissions");
 
                     // Change file permission to make it writable.
                     if ($error = $this->sftp->chmod($remote_filename, '0600')->lastError()) {
-                        Utils::log()->error("Failed changing permission to '0600' for '{$file["target"]}'. ", $error);
+                        LeUtils::log_error("SFTP failed changing permission to '0600' for '{$file["target"]}'", $error);
                         $this->sftp->clearError();
                     }
 
                     // Try again to upload file.
-                    if ($error = $this->sftp->put($local_file, $remote_filename)->lastError()) {
-                        Utils::log()->error("Failed uploading file (with adjusted permissions) '{$local_file}' to '{$file["target"]}'", $error);
+                    if ($error = $this->sftp->put($local_file, $remote_filename, $preserve)->lastError()) {
+                        LeUtils::log_error("SFTP failed uploading file (with adjusted permissions) '{$local_file}' to '{$file["target"]}'", $error);
                         return self::UPLOAD_ERROR_NO_PERMISSION;
                     }
                 } elseif ($remote_is_readonly) {
-                    Utils::log()->error("Failed uploading file '{$local_file}' to '{$file["target"]}'. Existing file is write protected.");
+                    LeUtils::log_error("SFTP failed uploading file '{$local_file}' to '{$file["target"]}'. Existing file is write protected.");
                     return self::UPLOAD_ERROR_NO_PERMISSION;
                 }
 
@@ -315,14 +317,14 @@ public function upload(): int
                 // Applying chmod / chgrp if requested.
                 if ($chmod) {
                     if ($error = $this->sftp->chmod($remote_filename, $chmod)->lastError()) {
-                        Utils::log()->error("Failed chmod ($chmod) for '{$file["target"]}'", $error);
+                        LeUtils::log_error("SFTP failed chmod ($chmod) for '{$file["target"]}'", $error);
                         return self::UPLOAD_ERROR_CHMOD_FAILED;
                     }
                 }
 
                 if ($chgrp) {
                     if ($error = $this->sftp->chgrp($remote_filename, $chgrp)->lastError()) {
-                        Utils::log()->error("Failed chgrp ($chgrp) for '{$file["target"]}'", $error);
+                        LeUtils::log_error("SFTP failed chgrp ($chgrp) for '{$file["target"]}'", $error);
                         return self::UPLOAD_ERROR_CHGRP_FAILED;
                     }
                 }
@@ -359,8 +361,9 @@ private function isFileOwnedByConnection(array $remote_file, array $connection):
 
                     $this->sftp->clearError();
 
-                    if ($error = $this->sftp->put($local_test_file, $remote_test_file)->lastError()) {
-                        Utils::log()->error("Failed uploading test file to detect ownership. Next uploads may fail as well.", $error);
+                    // Perform test upload without preserving file modification time (extra safekeeping).
+                    if ($error = $this->sftp->put($local_test_file, $remote_test_file, false)->lastError()) {
+                        LeUtils::log_error("Failed uploading SFTP test file to detect ownership. Next uploads may fail as well", $error);
                     } else {
                         // Get owner of the test file
                         $file_info = $this->sftp->ls()[$remote_test_file] ?? ["owner" => -1];
@@ -416,7 +419,7 @@ private function temporaryFile($delete_all = false)
                 }
 
                 if ($count > 0) {
-                    Utils::log()->info("Removed $count files in shutdown hook instead of object destruction.");
+                    LeUtils::log_debug("Removed $count files in shutdown hook instead of object destruction.");
                 }
 
                 $shared_temporary_files = [];
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php
index b5842d58f2..a06e7b8069 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2025 Frank Wall
  * Copyright (C) 2019 Juergen Kellerer
  * All rights reserved.
  *
@@ -28,23 +29,7 @@
 
 namespace OPNsense\AcmeClient;
 
-// Optional include to get "log_error"
-@include_once("util.inc");
-
-// Syslog level used for verbose info log.
-// Change to "LOG_NOTICE" to make log output visible in the UI.
-const SYSLOG_INFO_LEVEL = LOG_INFO;
-
-/**
- * Interface for logging.
- * @package OPNsense\AcmeClient
- */
-interface ILogger
-{
-    function info($message);
-
-    function error($message, $error = null);
-}
+use OPNsense\AcmeClient\LeUtils;
 
 /**
  * Shared utilities.
@@ -52,55 +37,10 @@ function error($message, $error = null);
  */
 class Utils
 {
-    public static function &log($reconfigure_to_stdout = false): ILogger
-    {
-        static $logger;
-
-        if (!$logger || $reconfigure_to_stdout) {
-            if (!$reconfigure_to_stdout && function_exists("log_error")) {
-                $logger = new class implements ILogger
-                {
-                    function info($message)
-                    {
-                        syslog(SYSLOG_INFO_LEVEL, basename(__FILE__) . ": INFO: $message");
-                    }
-
-                    function error($message, $error = null)
-                    {
-                        log_error(
-                            $error
-                                ? ("$message ; Cause: " . json_encode($error, JSON_UNESCAPED_SLASHES))
-                                : $message
-                        );
-                    }
-                };
-            } else {
-                $logger = new class implements ILogger
-                {
-                    function info($message)
-                    {
-                        echo "INFO: {$message}" . PHP_EOL;
-                    }
-
-                    function error($message, $error = null)
-                    {
-                        echo "ERROR: "
-                            . ($error
-                                ? ("$message ; Cause: " . json_encode($error, JSON_UNESCAPED_SLASHES))
-                                : $message)
-                            . PHP_EOL;
-                    }
-                };
-            }
-        }
-
-        return $logger;
-    }
-
     public static function requireThat($expression, $message)
     {
         if (!$expression) {
-            self::log()->error("FATAL: $message");
+            LeUtils::log_error("FATAL: $message");
             throw new \AssertionError($message);
         }
         return $expression;
@@ -193,7 +133,6 @@ public static function printCLIHelp($about, $examples, $commands = [])
     {
         static $options = [
             "-h, --help          Print commandline help",
-            "--log               Enable log to stdout (instead of syslog)",
             "--automation-id     Read options from the action specified by id or uuid",
             "--no-error          Always exit with 0 (original exit codes are still logged)",
         ];
@@ -241,7 +180,7 @@ public static function runCLIMain(callable $help, callable $optionsByActionId, $
     {
         global $argv;
         $command = self::getSelectedCLICommand($commands);
-        $options = ["help", "log", "no-error"];
+        $options = ["help", "no-error"];
 
         $has_automation_id = preg_match('/--automation-id=\S+/', join(" ", $argv));
         if ($has_automation_id) {
@@ -255,10 +194,6 @@ public static function runCLIMain(callable $help, callable $optionsByActionId, $
             if (isset($options["h"]) || isset($options["help"])) {
                 $help();
             } else {
-                if (isset($options["log"])) {
-                    self::log(true)->info("Logging to stdout enabled");
-                }
-
                 $options = array_filter($options, function ($value) {
                     return !is_string($value)
                         || (!empty($value = trim($value)) && $value !== "__default_value");
@@ -268,7 +203,7 @@ public static function runCLIMain(callable $help, callable $optionsByActionId, $
                     if (is_array($config = $optionsByActionId($options["automation-id"]))) {
                         $options = array_merge($config, $options);
                     } else {
-                        self::log()->error("No usable config found for automation-id {$options["automation-id"]}");
+                        LeUtils::log_error("No usable config found for automation-id {$options["automation-id"]}");
                         exit(1);
                     }
                 }
@@ -277,7 +212,7 @@ public static function runCLIMain(callable $help, callable $optionsByActionId, $
                     $code = $runner($options);
 
                     if ($code != $exit_success) {
-                        self::log()->error("Command execution failed, exit code $code. Last input was: " . json_encode($options, JSON_UNESCAPED_SLASHES));
+                        LeUtils::log_error("Command execution failed, exit code $code. Last input was: " . json_encode($options, JSON_UNESCAPED_SLASHES));
                     }
 
                     exit(isset($options["no-error"]) ? $exit_success : $code);
@@ -290,7 +225,7 @@ public static function runCLIMain(callable $help, callable $optionsByActionId, $
                 $help();
             } else {
                 $cmd = join(" ", $argv);
-                self::log()->error("Parsing of '$cmd' failed at argument '{$argv[$index]}'");
+                LeUtils::log_error("Parsing of '$cmd' failed at argument '{$argv[$index]}'");
             }
             exit(1);
         }
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
index 019c44d819..5db3dd0729 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/run_remote_ssh.php
@@ -2,6 +2,7 @@
 <?php
 
 /*
+ * Copyright (C) 2025 Frank Wall
  * Copyright (C) 2022 Juergen Kellerer
  * All rights reserved.
  *
@@ -107,6 +108,7 @@
 use OPNsense\AcmeClient\Process;
 use OPNsense\AcmeClient\SSHKeys;
 use OPNsense\AcmeClient\Utils;
+use OPNsense\AcmeClient\LeUtils;
 
 // Implementing logic
 function commandShowIdentity(array &$options): int
@@ -127,7 +129,7 @@ function commandShowIdentity(array &$options): int
         echo file_get_contents($id_file);
         return EXITCODE_SUCCESS;
     } else {
-        Utils::log()->error("Failed getting identity. See log output for details.");
+        LeUtils::log_error("SSH failed getting identity. See log output for details.");
     }
     return EXITCODE_ERROR;
 }
@@ -156,14 +158,14 @@ function commandTestConnection(array &$options): int
 function commandRunRemote(array &$options): int
 {
     if (empty($options["run"])) {
-        Utils::log()->error("SSH: Command is empty, nothing to do.");
+        LeUtils::log_error("SSH: Command is empty, nothing to do.");
         return EXITCODE_ERROR;
     }
 
     $lines = runRemoteCommand($options, $error);
     if (!$error) {
         $host = $options["host"] . (($port = ($options["port"] ?? false)) ? ":$port" : "");
-        Utils::log()->info("SSH [$host]> {$options["run"]}:" . PHP_EOL . join(PHP_EOL, $lines));
+        LeUtils::log_debug("SSH [$host]> {$options["run"]}:" . PHP_EOL . join(PHP_EOL, $lines));
         return EXITCODE_SUCCESS;
     }
 
@@ -244,7 +246,7 @@ function runRemoteCommand(array $options, &$error): ?array
             "exit_code" => $exit_code
         ]);
         $error["connect_failed"] = $exit_code == 255;
-        Utils::log()->error("SSH failed with '$exit_code': $cl", $error);
+        LeUtils::log_error("SSH failed with '$exit_code': $cl", $error);
     }
 
     return $result;
@@ -253,7 +255,7 @@ function runRemoteCommand(array $options, &$error): ?array
 function buildSSHArguments(SSHKeys $ssh_keys, $host, $username, $identity_type = "", $host_key = "", $port = SSHKeys::DEFAULT_PORT): array
 {
     if (empty(trim($host)) || empty(trim($username))) {
-        Utils::log()->error("Failed connecting to '$host'. Hostname or username is missing.");
+        LeUtils::log_error("Failed connecting to '$host'. Hostname or username is missing.");
         return [false, ["invalid_parameters" => true]];
     }
 
@@ -263,7 +265,7 @@ function buildSSHArguments(SSHKeys $ssh_keys, $host, $username, $identity_type =
 
     $trust = $ssh_keys->trustHost($host, $host_key, $port);
     if ($trust["ok"] !== true) {
-        Utils::log()->error("Failed establishing trust in '$host'; Cause: {$trust["error"]}");
+        LeUtils::log_error("Failed establishing trust in '$host'; Cause: {$trust["error"]}");
         unset($trust["ok"]);
         return [false, array_merge($trust, ["host_not_trusted" => true])];
     } else {
@@ -288,7 +290,7 @@ function buildSSHArguments(SSHKeys $ssh_keys, $host, $username, $identity_type =
             "-oPreferredAuthentications=publickey"
         );
     } else {
-        Utils::log()->error("Failed adding client identity ($identity). Connect will likely fail.");
+        LeUtils::log_error("Failed adding SSH client identity ($identity). Connect will likely fail.");
     }
 
     // Adding the host
@@ -304,7 +306,7 @@ function help()
 
 function getOptionsById($automation_id)
 {
-    Utils::log()->info("Reading options from automation: $automation_id");
+    LeUtils::log_debug("Reading options from automation: $automation_id");
 
     if (is_object($action = Utils::getAutomationActionById($automation_id))) {
         if ($action->enabled && "configd_remote_ssh" === (string)$action->type) {
@@ -317,10 +319,10 @@ function getOptionsById($automation_id)
                 "run" => trim((string)$action->remote_ssh_command),
             ];
         } else {
-            Utils::log()->error("Ignoring disabled or invalid automation '$automation_id'");
+            LeUtils::log_error("Ignoring disabled or invalid automation '$automation_id'");
         }
     } else {
-        Utils::log()->error("No upload automation found with uuid = '$automation_id'");
+        LeUtils::log_error("No upload automation found with uuid = '$automation_id'");
     }
 
     return false;
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
index 2f42e46e5e..b3510b9097 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php
@@ -142,6 +142,7 @@
 use OPNsense\AcmeClient\SftpClient;
 use OPNsense\AcmeClient\SSHKeys;
 use OPNsense\AcmeClient\Utils;
+use OPNsense\AcmeClient\LeUtils;
 
 // Implementing logic
 function commandShowIdentity(array &$options): int
@@ -162,7 +163,7 @@ function commandShowIdentity(array &$options): int
         echo file_get_contents($id_file);
         return EXITCODE_SUCCESS;
     } else {
-        Utils::log()->error("Failed getting identity. See log output for details.");
+        LeUtils::log_error("SFTP failed getting identity. See log output for details.");
     }
     return EXITCODE_ERROR;
 }
@@ -214,7 +215,7 @@ function commandTestConnection(array &$options): int
 
         if ($remove_file) {
             if ($error = $sftp->clearError()->rm($filename)->lastError(3)) {
-                Utils::log()->error("Failed removing upload test file '$filename'", $error);
+                LeUtils::log_error("SFTP failed removing upload test file '$filename'", $error);
             }
         }
 
@@ -261,7 +262,7 @@ function commandUpload(array &$options): int
     } elseif (isset($options["host"])) {
         return uploadCertificatesToHost($options);
     } else {
-        Utils::log()->error("No work to do, neither --host nor --certificates is present.");
+        LeUtils::log_error("No work to do, neither --host nor --certificates is present.");
         return EXITCODE_ERROR_NOTHING_TO_UPLOAD;
     }
 }
@@ -270,7 +271,7 @@ function uploadCertificatesToHost(array $options): int
 {
     $sftp = connectWithServer($options, $error);
     if ($sftp === null) {
-        Utils::log()->error("Aborting after connect failure.");
+        LeUtils::log_error("SFTP aborting after connect failure.");
         return ($error["connect_failed"] ?? false)
             ? EXITCODE_ERROR
             : EXITCODE_ERROR_NO_PERMISSION;
@@ -289,7 +290,7 @@ function uploadCertificatesToHost(array $options): int
             $result = $uploader->upload();
 
             if ($result != SftpUploader::UPLOAD_SUCCESS) {
-                Utils::log()->error("Failed on " . json_encode($uploader->current(), JSON_UNESCAPED_SLASHES));
+                LeUtils::log_error("SFTP failed on " . json_encode($uploader->current(), JSON_UNESCAPED_SLASHES));
 
                 switch ($result) {
                     case SftpUploader::UPLOAD_ERROR_NO_PERMISSION:
@@ -336,7 +337,7 @@ function connectWithServer(array $options, &$error): ?SftpClient
         if ($err = $sftp->cd($remote_path)->lastError()) {
             $error = $err;
             $error["change_home_dir_failed"] = true;
-            Utils::log()->error("Failed cd into '{$remote_path}'", $err);
+            LeUtils::log_error("SFTP failed cd into '{$remote_path}'", $err);
             return null;
         }
     }
@@ -352,7 +353,7 @@ function help()
 function getOptionsById($automation_id, $silent = false)
 {
     if (!$silent) {
-        Utils::log()->info("Reading options from automation: $automation_id");
+        LeUtils::log_debug("Reading options from automation: $automation_id");
     }
 
     if (is_object($action = Utils::getAutomationActionById($automation_id))) {
@@ -367,6 +368,7 @@ function getOptionsById($automation_id, $silent = false)
                 "chgrp" => trim((string)$action->sftp_chgrp),
                 "chmod" => trim((string)$action->sftp_chmod),
                 "chmod-key" => trim((string)$action->sftp_chmod_key),
+                "modtime" => trim((string)$action->sftp_modtime),
                 "cert-name" => trim((string)$action->sftp_filename_cert),
                 "key-name" => trim((string)$action->sftp_filename_key),
                 "ca-name" => trim((string)$action->sftp_filename_ca),
@@ -374,10 +376,10 @@ function getOptionsById($automation_id, $silent = false)
                 "certificates" => "", // defaults to all (= empty), may be overridden via CLI
             ];
         } elseif (!$silent) {
-            Utils::log()->error("Ignoring disabled or invalid automation '$automation_id'");
+            LeUtils::log_error("SFTP ignoring disabled or invalid automation '$automation_id'");
         }
     } else {
-        Utils::log()->error("No upload automation found with uuid = '$automation_id'");
+        LeUtils::log_error("No SFTP upload automation found with uuid = '$automation_id'");
     }
 
     return false;
@@ -388,19 +390,20 @@ function addFilesToUpload(array $options, SftpUploader &$uploader)
     $chmod = isset($options["chmod"]) ? ($options["chmod"] ?: DEFAULT_CERT_MODE) : false;
     $chmod_key = isset($options["chmod-key"]) ? ($options["chmod-key"] ?: DEFAULT_KEY_MODE) : false;
     $chgrp = ($options["chgrp"] ?? "") ?: false;
+    $modtime = ($options["modtime"] ?? "") ?: false;
 
     if (isset($options["certificates"])) {
         $cert_ids = preg_split('/[,;\s]+/', $options["certificates"] ?: "", 0, PREG_SPLIT_NO_EMPTY);
 
         foreach (findCertificates($cert_ids) as $cert) {
             if (!isset($cert["content"])) {
-                Utils::log()->error("Ignoring upload for cert '{$cert["name"]}', since it is not available in trust storage.");
+                LeUtils::log_error("Ignoring SFTP upload for cert '{$cert["name"]}', since it is not available in trust storage.");
                 continue;
             }
 
             foreach ($cert["content"] as $name => $content) {
                 if (empty($content)) {
-                    Utils::log()->error("Content for '{$name}.pem' in cert '{$cert["name"]}' is empty, skipping it.");
+                    LeUtils::log_error("Content for '{$name}.pem' in cert '{$cert["name"]}' is empty, skipping SFTP upload.");
                     continue;
                 }
 
@@ -441,27 +444,27 @@ function ($m) use (&$cert) {
                         ? $chmod_key
                         : $chmod;
 
-                    $uploader->addContent($content, $target_path, $cert["updated"], $mod, $chgrp);
+                    $uploader->addContent($content, $target_path, $cert["updated"], $mod, $chgrp, $modtime);
                 } else {
-                    Utils::log()->error("Cannot add '{$name}.pem' since the upload path '$target_path' is invalid.");
+                    LeUtils::log_error("Cannot add '{$name}.pem' to SFTP upload since the upload path '$target_path' is invalid.");
                 }
             }
         }
 
         if (empty($uploader->pending())) {
-            Utils::log()->error("Didn't find any certificates to upload (cert-ids: " . (empty($cert_ids) ? "*all*" : join(", ", $cert_ids)) . ").");
+            LeUtils::log_error("Could not find any certificates for SFTP upload (cert-ids: " . (empty($cert_ids) ? "*all*" : join(", ", $cert_ids)) . ").");
         }
     } elseif (isset($options["files"])) {
         $files = preg_split('/[,;\s]+/', $options["files"] ?: "", 0, PREG_SPLIT_NO_EMPTY);
         foreach ($files as $file) {
-            $uploader->addFile($file, "", $chmod, $chgrp);
+            $uploader->addFile($file, "", $chmod, $chgrp, $modtime);
         }
 
         if (empty($uploader->pending())) {
-            Utils::log()->error("Didn't files to upload (files: " . join(", ", $files) . ").");
+            LeUtils::log_error("Could not find files for SFTP upload (files: " . join(", ", $files) . ").");
         }
     } else {
-        Utils::log()->error("Neither '--certificates' nor '--files' was specified. Have nothing to upload.");
+        LeUtils::log_error("Neither '--certificates' nor '--files' was specified. Have nothing to upload.");
     }
 }
 
@@ -489,7 +492,7 @@ function findCertificates(array $certificate_ids_or_names, $load_content = true)
         ) {
             if ($cert->enabled == 0) {
                 if (!empty($certificate_ids_or_names)) {
-                    Utils::log()->error("Certificate '{$name}' (id: $id) is disabled, skipping it.");
+                    LeUtils::log_error("Certificate '{$name}' (id: $id) is disabled, skipping SFTP upload.");
                 }
 
                 continue;

From 7cd45894e266427fcddb25f9af30477d8de1a69f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 2 Jul 2025 14:32:57 +0200
Subject: [PATCH 2496/3088] www: bring os-squid and os-OPNProxy to tier 3

---
 www/OPNProxy/Makefile | 1 -
 www/squid/Makefile    | 1 -
 2 files changed, 2 deletions(-)

diff --git a/www/OPNProxy/Makefile b/www/OPNProxy/Makefile
index 20aa92ff16..9d4a765455 100644
--- a/www/OPNProxy/Makefile
+++ b/www/OPNProxy/Makefile
@@ -6,6 +6,5 @@ PLUGIN_DEPENDS=		os-redis${PLUGIN_PKGSUFFIX} \
 			os-squid${PLUGIN_PKGSUFFIX} \
 			py${PLUGIN_PYTHON}-redis
 PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/www/squid/Makefile b/www/squid/Makefile
index 68c864957f..135f7c864c 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -3,7 +3,6 @@ PLUGIN_VERSION=		1.2
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
-PLUGIN_TIER=		2
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"

From 6864606351e7ad3f684436bac8d8b00e5bf12d1d Mon Sep 17 00:00:00 2001
From: "Patrick M. Hausen" <hausen@punkt.de>
Date: Thu, 3 Jul 2025 14:21:44 +0200
Subject: [PATCH 2497/3088] security/stunnel Add LDAP and NNTP to supported
 STARTTLS protocols (#4788)

---
 security/stunnel/Makefile                                     | 3 +--
 .../src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml  | 4 +++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index a7e42ae0dc..344bb99381 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		stunnel
-PLUGIN_VERSION=		1.0.5
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.0.6
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel
diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index dabfeef9f1..c5197419ea 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Stunnel</mount>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <description>
         Stunnel TLS encryption proxy
     </description>
@@ -48,6 +48,8 @@
                 <protocol type="OptionField">
                     <OptionValues>
                         <imap>IMAP</imap>
+                        <ldap>LDAP</ldap>
+                        <nntp>NNTP</nntp>
                         <pop3>POP3</pop3>
                         <smtp>SMTP</smtp>
                     </OptionValues>

From 94a5bb5c283e8b6ed3aaf16f88774b9912177767 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Fri, 4 Jul 2025 18:07:45 +0000
Subject: [PATCH 2498/3088] security/acme: Fix accounts.volt and
 certificates.volt UIBootgrid

---
 .../opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt  | 4 +++-
 .../mvc/app/views/OPNsense/AcmeClient/certificates.volt       | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index ec20a20e89..a9623ad107 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -115,7 +115,9 @@ POSSIBILITY OF SUCH DAMAGE.
         /**
          * copy actions for selected items from opnsense_bootgrid_plugin.js
          */
-        var grid_accounts = $("#grid-accounts").bootgrid(gridopt).on("loaded.rs.jquery.bootgrid", function (e)
+        const grid_accounts = $("#grid-accounts").UIBootgrid($.extend(gridParams, { options: gridopt }));
+
+        $("#grid-accounts").on("loaded.rs.jquery.bootgrid", function (e)
         {
             // toggle all rendered tooltips (once for all)
             $('.bootgrid-tooltip').tooltip();
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index dedd86c575..75cfd51547 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -140,7 +140,9 @@ POSSIBILITY OF SUCH DAMAGE.
         /**
          * copy actions for selected items from opnsense_bootgrid_plugin.js
          */
-        var grid_certificates = $("#grid-certificates").bootgrid(gridopt).on("loaded.rs.jquery.bootgrid", function (e)
+        const grid_certificates = $("#grid-certificates").UIBootgrid($.extend(gridParams, { options: gridopt }));
+
+        $("#grid_certificates").on("loaded.rs.jquery.bootgrid", function (e)
         {
             // toggle all rendered tooltips (once for all)
             $('.bootgrid-tooltip').tooltip();

From fa46d37418ae6f1d0c7fa2b07e25dc9d8438d0e8 Mon Sep 17 00:00:00 2001
From: Demony <60526467+HTDemony@users.noreply.github.com>
Date: Mon, 7 Jul 2025 12:17:12 +0200
Subject: [PATCH 2499/3088] security/acme-client: implement certificate
 deployment to Proxmox Backup Server (#4785)

closes #4764
---
 .../AcmeClient/forms/dialogAction.xml         | 41 +++++++++++++++
 .../AcmeClient/LeAutomation/AcmeProxmoxbs.php | 50 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 39 +++++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxbs.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 292fd9c236..93167a695c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -331,6 +331,47 @@
         <type>text</type>
         <help>The API token. Required.</help>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_proxmoxbs</style>
+    </field>
+    <field>
+        <id>action.acme_proxmoxbs_user</id>
+        <label>Proxmox BS user</label>
+        <type>text</type>
+        <help>The user who owns the API key. Defaults to root.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxbs_server</id>
+        <label>Proxmox BS server</label>
+        <type>text</type>
+        <help>The hostname of the proxmox BS node.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxbs_port</id>
+        <label>Proxmox BS server port</label>
+        <type>text</type>
+        <help>The port number the management interface is on. Defaults to 8007.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxbs_realm</id>
+        <label>Proxmox BS realm</label>
+        <type>text</type>
+        <help>The authentication realm the user authenticates with. Defaults to pam.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxbs_tokenid</id>
+        <label>Proxmox BS token name</label>
+        <type>text</type>
+        <help>The name of the API token created for the user account. Defaults to acme.</help>
+    </field>
+    <field>
+        <id>action.acme_proxmoxbs_tokenkey</id>
+        <label>Proxmox BS token key</label>
+        <type>text</type>
+        <help>The API token. Required.</help>
+    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxbs.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxbs.php
new file mode 100644
index 0000000000..5a2c6b7013
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeProxmoxbs.php
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Yann Demoulin
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook proxmoxbs
+ * @package OPNsense\AcmeClient
+ */
+class AcmeProxmoxbs extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DEPLOY_PROXMOXBS_USER'] = (string)$this->config->acme_proxmoxbs_user;
+        $this->acme_env['DEPLOY_PROXMOXBS_SERVER'] = (string)$this->config->acme_proxmoxbs_server;
+        $this->acme_env['DEPLOY_PROXMOXBS_SERVER_PORT'] = (string)$this->config->acme_proxmoxbs_port;
+        $this->acme_env['DEPLOY_PROXMOXBS_USER_REALM'] = (string)$this->config->acme_proxmoxbs_realm;
+        $this->acme_env['DEPLOY_PROXMOXBS_API_TOKEN_NAME'] = (string)$this->config->acme_proxmoxbs_tokenid;
+        $this->acme_env['DEPLOY_PROXMOXBS_API_TOKEN_KEY'] = (string)$this->config->acme_proxmoxbs_tokenkey;
+        $this->acme_args[] = '--deploy-hook proxmoxbs';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 2127a7bc61..76e57c6df8 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1350,6 +1350,7 @@
                         <configd_remote_ssh>Remote Command via SSH</configd_remote_ssh>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
                         <acme_panos>Upload certificate to Palo Alto Networks Firewall</acme_panos>
+                        <acme_proxmoxbs>Upload certificate to Proxmox Backup Environment</acme_proxmoxbs>
                         <acme_proxmoxve>Upload certificate to Proxmox VE</acme_proxmoxve>
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
@@ -1601,6 +1602,44 @@
                     <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_tokenkey>
+                <acme_proxmoxbs_user type="TextField">
+                    <default>root</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxbs_user>
+                <acme_proxmoxbs_server type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxbs_server>
+                <acme_proxmoxbs_port type="PortField">
+                    <default>8007</default>
+                    <Required>N</Required>
+                </acme_proxmoxbs_port>
+                <acme_proxmoxbs_nodename type="TextField">
+                    <Required>N</Required>
+                    <default>localhost</default>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxbs_nodename>
+                <acme_proxmoxbs_realm type="TextField">
+                    <default>pam</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxbs_realm>
+                <acme_proxmoxbs_tokenid type="TextField">
+                    <default>acme</default>
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxbs_tokenid>
+                <acme_proxmoxbs_tokenkey type="TextField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_proxmoxbs_tokenkey>
                 <acme_truenas_apikey type="TextField">
                     <Required>N</Required>
                     <Mask>/^.{1,1024}$/u</Mask>

From 1e65be71a8bfe0ad28d02a7d7724ea0769eec394 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 7 Jul 2025 12:21:19 +0200
Subject: [PATCH 2500/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 05a12c7b7f..f954107257 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Added:
 * new automation to reload www/caddy (#4692)
+* new automation to upload to Proxmox Backup Server (#4785)
 * add support for Websupport.sk DNS API (#4540)
 * add SFTP option: Preserve Modification Time (#3862)
 
@@ -28,6 +29,7 @@ Fixed:
 * acme.sh is always called with "--days 1" (#4711)
 * avoid startup error: "rmdir... Not a directory" (#4743)
 * fails to create/update cron job on UUID mismatch (#4627)
+* accounts/certificates not visible on 25.7 alpha (#4790)
 
 Removed:
 * remove stdout (CLI) logging from SFTP library

From f909a4f18e04c40e61058b4281f75578927a7b52 Mon Sep 17 00:00:00 2001
From: Demony <60526467+HTDemony@users.noreply.github.com>
Date: Mon, 7 Jul 2025 21:39:39 +0200
Subject: [PATCH 2501/3088] security/acme-client: Renaming of the PBS entry
 (#4795)

security/acme-client: fix PBS name
---
 .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 76e57c6df8..0d21673493 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1350,7 +1350,7 @@
                         <configd_remote_ssh>Remote Command via SSH</configd_remote_ssh>
                         <acme_fritzbox>Upload certificate to FRITZ!Box router</acme_fritzbox>
                         <acme_panos>Upload certificate to Palo Alto Networks Firewall</acme_panos>
-                        <acme_proxmoxbs>Upload certificate to Proxmox Backup Environment</acme_proxmoxbs>
+                        <acme_proxmoxbs>Upload certificate to Proxmox Backup Server</acme_proxmoxbs>
                         <acme_proxmoxve>Upload certificate to Proxmox VE</acme_proxmoxve>
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>

From 45235845fb558a1ca77a700c68edc62a3c493915 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 8 Jul 2025 17:29:26 +0200
Subject: [PATCH 2502/3088] mvc: Turn camelCase into snake_case in missing
 javascript, ACL and volt files. (#4796)

---
 net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml    | 4 ++--
 net/wol/src/opnsense/www/js/widgets/WakeOnLan.js              | 4 ++--
 sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js       | 2 +-
 .../apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml  | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml b/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
index 3ba307ae97..aa46ac5dfd 100644
--- a/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
+++ b/net/wol/src/opnsense/www/js/widgets/Metadata/WakeOnLan.xml
@@ -2,8 +2,8 @@
     <wol>
         <filename>WakeOnLan.js</filename>
         <endpoints>
-            <endpoint>/api/diagnostics/interface/getArp*</endpoint>
-            <endpoint>/api/wol/wol/searchHost</endpoint>
+            <endpoint>/api/diagnostics/interface/get_arp*</endpoint>
+            <endpoint>/api/wol/wol/search_host</endpoint>
             <endpoint>/api/wol/wol/set</endpoint>
         </endpoints>
         <translations>
diff --git a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
index 988d60bd5d..f123776c9e 100644
--- a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
+++ b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
@@ -47,7 +47,7 @@ export default class WakeOnLan extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        const data = await this.ajaxCall('/api/wol/wol/searchHost');
+        const data = await this.ajaxCall('/api/wol/wol/search_host');
 
         let rows = [];
         if (data.total == 0) {
@@ -62,7 +62,7 @@ export default class WakeOnLan extends BaseTableWidget {
 
           //NOTE: this ARP list call is the most expensive one and can grow substantialy in big networks
           //With previous widget it had been done on the backend side with direct exec of 'arp -an | grep ...'
-          const arp = await this.ajaxCall(`/api/diagnostics/interface/getArp${''}`);
+          const arp = await this.ajaxCall(`/api/diagnostics/interface/get_arp${''}`);
 
           for(let it = 0; it < data.rows.length; it++){
               const item = data.rows[it];
diff --git a/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js b/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
index c9c447b383..54f36bd134 100644
--- a/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
+++ b/sysutils/apcupsd/src/opnsense/www/js/widgets/Apcupsd.js
@@ -50,7 +50,7 @@ export default class ApcUpsd extends BaseTableWidget {
     }
 
     async onWidgetTick() {
-        const data = await this.ajaxCall('/api/apcupsd/service/getUpsStatus');
+        const data = await this.ajaxCall('/api/apcupsd/service/get_ups_status');
 
         if (data.error) {
             this.displayError(data.error);
diff --git a/sysutils/apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml b/sysutils/apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml
index 7be38f7ba2..17d802a013 100644
--- a/sysutils/apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml
+++ b/sysutils/apcupsd/src/opnsense/www/js/widgets/Metadata/Apcupsd.xml
@@ -2,7 +2,7 @@
     <apcupsd>
         <filename>Apcupsd.js</filename>
         <endpoints>
-            <endpoint>/api/apcupsd/service/getUpsStatus</endpoint>
+            <endpoint>/api/apcupsd/service/get_ups_status</endpoint>
         </endpoints>
         <translations>
             <title>Apcupsd</title>

From 8c3c1c5989ac4ead5f9c89c16ba0d92d88ce9094 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 9 Jul 2025 08:07:54 +0200
Subject: [PATCH 2503/3088] net-mgmt/zabbix-*: Zabbix 5.0 is no longer
 supported

---
 net-mgmt/zabbix-agent/Makefile | 5 +----
 net-mgmt/zabbix-proxy/Makefile | 5 +----
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 0d855b112b..d6b91153fa 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.15
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6 zabbix5
+PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6
 
 zabbix7_NAME=		zabbix7-agent
 zabbix7_DEPENDS=	zabbix7-agent
@@ -13,7 +13,4 @@ zabbix72_DEPENDS=	zabbix72-agent
 zabbix6_NAME=		zabbix6-agent
 zabbix6_DEPENDS=	zabbix6-agent
 
-zabbix5_NAME=		zabbix-agent
-zabbix5_DEPENDS=	zabbix5-agent
-
 .include "../../Mk/plugins.mk"
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 426d7aabd1..5e9d2a4246 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.12
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6 zabbix5
+PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6
 
 zabbix7_NAME=		zabbix7-proxy
 zabbix7_DEPENDS=	zabbix7-proxy
@@ -13,7 +13,4 @@ zabbix72_DEPENDS=	zabbix72-proxy
 zabbix6_NAME=		zabbix6-proxy
 zabbix6_DEPENDS=	zabbix6-proxy
 
-zabbix5_NAME=		zabbix5-proxy
-zabbix5_DEPENDS=	zabbix5-proxy
-
 .include "../../Mk/plugins.mk"

From 43588d7929c16b4c33beacb9877df2e5c8486a94 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:10:17 +0200
Subject: [PATCH 2504/3088] dns/bind: document change

---
 dns/bind/Makefile  | 3 +--
 dns/bind/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index b2d897b0f9..269b88c4c8 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.33
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.34
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind920
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 3457965b84..418a9b4b7c 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -9,6 +9,10 @@ WWW: https://www.isc.org
 Plugin Changelog
 ================
 
+1.34
+
+* Add custom configuration include directory /usr/local/etc/namedb/named.conf.d (contributed by Nicholas Card)
+
 1.33
 
 * Add option to allow the rndc-key for zone transfers (contributed by Naomi Rennie-Waldock)

From b84d43ccc67dadc6b6aa53e1bb2624d275facfe3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:11:57 +0200
Subject: [PATCH 2505/3088] emulators/qemu-guest-agent: a bit more lint
 modelling

---
 .../app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml  | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
index 605cb30b83..59b056bbc7 100644
--- a/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
+++ b/emulators/qemu-guest-agent/src/opnsense/mvc/app/models/OPNsense/QemuGuestAgent/QemuGuestAgent.xml
@@ -8,13 +8,8 @@
                 <Default>1</Default>
                 <Required>Y</Required>
             </Enabled>
-            <LogDebug type="BooleanField">
-                <Default>0</Default>
-                <Required>N</Required>
-            </LogDebug>
+            <LogDebug type="BooleanField"/>
             <DisabledRPCs type="OptionField">
-                <Required>N</Required>
-                <Default></Default>
                 <Sorted>Y</Sorted>
                 <Multiple>Y</Multiple>
                 <OptionValues>

From 40ed36f6b01d60c5031868d6070b10d3bf3fe74c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:15:25 +0200
Subject: [PATCH 2506/3088] net-mgmt/telegraf: wrap up version

---
 net-mgmt/telegraf/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index aec0d9c1ae..823f49d86f 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 1.12.12
 
 * Fix for mixed ping plugin config (contributed by Alex Baulé)
+* Fix incompatibility with obsolete dns_lookup setting
 
 1.12.11
 

From 3b77af0ce61ce9b91d0f6923fc2e7943f84a7637 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:20:49 +0200
Subject: [PATCH 2507/3088] www/OPNProxy: bump revision

---
 www/OPNProxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/OPNProxy/Makefile b/www/OPNProxy/Makefile
index 9d4a765455..c225b41a17 100644
--- a/www/OPNProxy/Makefile
+++ b/www/OPNProxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		OPNProxy
 PLUGIN_VERSION=		1.0.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		OPNsense proxy additions
 PLUGIN_DEPENDS=		os-redis${PLUGIN_PKGSUFFIX} \
 			os-squid${PLUGIN_PKGSUFFIX} \

From de3713a06c71d569617d000892d430e4bf93de99 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:22:47 +0200
Subject: [PATCH 2508/3088] www/squid: bump revision

---
 www/squid/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 135f7c864c..c554a78709 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 6b2cbb2f31c0e7eab92e8efda86fae33836b4a34 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:24:47 +0200
Subject: [PATCH 2509/3088] Framework: ready for release

---
 Mk/defaults.mk | 2 +-
 Mk/plugins.mk  | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 62a0643513..79c3358659 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -45,7 +45,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	25.1
+PLUGIN_ABI?=	25.7
 .endif
 
 PLUGIN_MAINS=	master main
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 5a4721d26e..dda43024d4 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -62,8 +62,6 @@ _PLUGIN_COMMENT:=	${PLUGIN_COMMENT}
 
 .if defined(_PLUGIN_DEVEL)
 PLUGIN_DEVEL?:=		${_PLUGIN_DEVEL}
-.else
-PLUGIN_DEVEL?=		yes
 .endif
 
 PLUGIN_PREFIX?=		os-

From 993eebb66dcadec5507cc8ebb6ece9aa98944120 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:28:30 +0200
Subject: [PATCH 2510/3088] security/openvpn-legacy: prep for release

---
 security/openvpn-legacy/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/openvpn-legacy/Makefile b/security/openvpn-legacy/Makefile
index 2d4fb4c6f6..c6d9b0fea9 100644
--- a/security/openvpn-legacy/Makefile
+++ b/security/openvpn-legacy/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		openvpn-legacy
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1
 PLUGIN_COMMENT=		OpenVPN legacy support
 PLUGIN_DEPENDS=		# openvpn
-PLUGIN_DEVEL=		yes
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 

From a09124b7ecdafccd1771566984678143c103efe7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:28:53 +0200
Subject: [PATCH 2511/3088] sysutils/gdrive-backup: prep for release

---
 sysutils/gdrive-backup/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysutils/gdrive-backup/Makefile b/sysutils/gdrive-backup/Makefile
index 25d2ea24c2..4372dbfc80 100644
--- a/sysutils/gdrive-backup/Makefile
+++ b/sysutils/gdrive-backup/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		gdrive-backup
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Backup configurations using Google Drive
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-google-api-php-client
-PLUGIN_DEVEL=		yes
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 

From bc2157eac0ec2161810280f2e83892252768e71c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:29:22 +0200
Subject: [PATCH 2512/3088] LICENSE: sync

---
 LICENSE | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/LICENSE b/LICENSE
index 7469b45fef..41d43f0ec1 100644
--- a/LICENSE
+++ b/LICENSE
@@ -56,6 +56,7 @@ Copyright (c) 2023-2024 Mikhail Kharisov
 Copyright (c) 2023 mleinart
 Copyright (c) 2024 MVZ Labor Ludwigsburg GbR
 Copyright (c) 2025 Neil Merchant
+Copyright (c) 2025 Nick Card
 Copyright (c) 2021-2024 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
@@ -76,6 +77,7 @@ Copyright (c) 2024 txr13
 Copyright (c) 2024 W516
 Copyright (c) 2022 Wouter Deurholt
 Copyright (c) 2025 Yann Bayart
+Copyright (c) 2025 Yann Demoulin
 Copyright (c) 2015 YoungJoo.Kim <vozltx@gmail.com>
 All rights reserved.
 

From ee49893e54e2d8e4489bca455bc88f3bf1207755 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 08:29:30 +0200
Subject: [PATCH 2513/3088] README: sync

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index c1bd798107..cff1bbc874 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ security/intrusion-detection-content-pt-open -- IDS Positive Technologies ESC ru
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
 security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
-security/openvpn-legacy -- OpenVPN legacy support (development only)
+security/openvpn-legacy -- OpenVPN legacy support
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
 security/strongswan-legacy -- IPsec legacy support (development only)
 security/stunnel -- Stunnel TLS proxy
@@ -102,7 +102,7 @@ sysutils/beats -- Send logs, network, metrics and heartbeat to Elasticsearch
 sysutils/cpu-microcode -- CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
 sysutils/dmidecode -- Display hardware information on the dashboard
-sysutils/gdrive-backup -- Backup configurations using Google Drive (development only)
+sysutils/gdrive-backup -- Backup configurations using Google Drive
 sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices

From 07d67b4dea011c09c9d097173a9842ece667489a Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Thu, 10 Jul 2025 10:08:47 +0200
Subject: [PATCH 2514/3088] dns/bind: Add Forward Zones (#4802)

---
 dns/bind/pkg-descr                            |  1 +
 .../OPNsense/Bind/Api/DomainController.php    | 17 ++++++
 .../OPNsense/Bind/GeneralController.php       |  1 +
 .../forms/dialogEditBindForwardDomain.xml     | 22 +++++++
 .../mvc/app/models/OPNsense/Bind/Domain.xml   |  6 +-
 .../mvc/app/views/OPNsense/Bind/general.volt  | 58 +++++++++++++++++++
 .../templates/OPNsense/Bind/named.conf        |  8 ++-
 7 files changed, 109 insertions(+), 4 deletions(-)
 create mode 100644 dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml

diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 418a9b4b7c..dbf188bb00 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 1.34
 
 * Add custom configuration include directory /usr/local/etc/namedb/named.conf.d (contributed by Nicholas Card)
+* Add forward zones
 
 1.33
 
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
index 841588c02e..87c71db3f8 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/DomainController.php
@@ -73,6 +73,18 @@ function ($record) {
         );
     }
 
+    public function searchForwardDomainAction()
+    {
+        return $this->searchBase(
+            'domains.domain',
+            [ 'enabled', 'type', 'domainname', 'forwardserver' ],
+            'domainname',
+            function ($record) {
+                return $record->type->getNodeData()['forward']['selected'] === 1;
+            }
+        );
+    }
+
     public function getDomainAction($uuid = null)
     {
         return $this->getBase('domain', 'domains.domain', $uuid);
@@ -88,6 +100,11 @@ public function addSecondaryDomainAction($uuid = null)
         return $this->addBase('domain', 'domains.domain', ['type' => 'secondary']);
     }
 
+    public function addForwardDomainAction($uuid = null)
+    {
+        return $this->addBase('domain', 'domains.domain', ['type' => 'forward']);
+    }
+
     public function delDomainAction($uuid)
     {
         return $this->delBase('domains.domain', $uuid);
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
index 663acb0589..cfa86649db 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
@@ -37,6 +37,7 @@ public function indexAction()
         $this->view->formDialogEditBindAcl = $this->getForm("dialogEditBindAcl");
         $this->view->formDialogEditBindPrimaryDomain = $this->getForm("dialogEditBindPrimaryDomain");
         $this->view->formDialogEditBindSecondaryDomain = $this->getForm("dialogEditBindSecondaryDomain");
+        $this->view->formDialogEditBindForwardDomain = $this->getForm("dialogEditBindForwardDomain");
         $this->view->formDialogEditBindRecord = $this->getForm("dialogEditBindRecord");
         $this->view->pick('OPNsense/Bind/general');
     }
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
new file mode 100644
index 0000000000..4ca30f87c6
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
@@ -0,0 +1,22 @@
+<form>
+    <field>
+        <id>domain.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable this zone.</help>
+    </field>
+    <field>
+        <id>domain.domainname</id>
+        <label>Zone Name</label>
+        <type>text</type>
+        <help>Set the name for this zone. Both forward and reverse zones may be specified, i.e. example.com or 0.168.192.in-addr.arpa.</help>
+    </field>
+    <field>
+        <id>domain.forwardserver</id>
+        <label>Primary IP</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>Set the IP address of server to forward requests to.</help>
+    </field>
+</form>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 4a939da393..f82783ffe0 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/domain</mount>
     <description>BIND domain configuration</description>
-    <version>1.1.1</version>
+    <version>1.1.2</version>
     <items>
         <domains>
             <domain type="ArrayField">
@@ -15,12 +15,16 @@
                     <OptionValues>
                         <primary>primary</primary>
                         <secondary>secondary</secondary>
+                        <forward>forward</forward>
                     </OptionValues>
                 </type>
                 <primaryip type="NetworkField">
                     <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                 </primaryip>
+                <forwardserver type="NetworkField">
+                    <AsList>Y</AsList>
+                </forwardserver>
                 <transferkeyalgo type="OptionField">
                     <OptionValues>
                         <hmac-sha512>HMAC-SHA512</hmac-sha512>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 82856aa720..30d3fcc1d3 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -33,6 +33,7 @@
     <li><a data-toggle="tab" href="#acls">{{ lang._('ACLs') }}</a></li>
     <li><a data-toggle="tab" href="#primary-domains">{{ lang._('Primary Zones') }}</a></li>
     <li><a data-toggle="tab" href="#secondary-domains">{{ lang._('Secondary Zones') }}</a></li>
+    <li><a data-toggle="tab" href="#forward-domains">{{ lang._('Forward Zones') }}</a></li>
 </ul>
 
 <div class="tab-content content-box tab-content">
@@ -189,11 +190,48 @@
             <br /><br />
         </div>
     </div>
+    <div id="forward-domains" class="tab-pane fade in">
+        <div class="col-md-12">
+            <h2>{{ lang._('Zones') }}</h2>
+        </div>
+        <div id="forward-domains-area" class="table-responsive">
+            <table id="grid-forward-domains" class="table table-condensed table-hover table-striped" data-editAlert="ChangeMessage" data-editDialog="dialogEditBindForwardDomain">
+                <thead>
+                    <tr>
+                        <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                        <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
+                        <th data-column-id="forwardserver" data-type="string" data-visible="true">{{ lang._('Forwarder IPs') }}</th>
+                        <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                        <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    </tr>
+                </thead>
+                <tbody>
+                </tbody>
+                <tfoot>
+                    <tr>
+                        <td colspan="5"></td>
+                        <td>
+                            <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                        </td>
+                    </tr>
+                </tfoot>
+            </table>
+        </div>
+        <hr/>
+        <div class="col-md-12">
+            <div id="ChangeMessage" class="alert alert-info" style="display: none" role="alert">
+                {{ lang._('After changing settings, please remember to apply them with the button below') }}
+            </div>
+            <button class="btn btn-primary saveAct_domain" type="button"><b>{{ lang._('Save') }}</b> <i class="saveAct_domain_progress"></i></button>
+            <br /><br />
+        </div>
+    </div>
 </div>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindAcl,'id':'dialogEditBindAcl','label':lang._('Edit ACL')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindPrimaryDomain,'id':'dialogEditBindPrimaryDomain','label':lang._('Edit Primary Zone')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindSecondaryDomain,'id':'dialogEditBindSecondaryDomain','label':lang._('Edit Secondary Zone')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindForwardDomain,'id':'dialogEditBindForwardDomain','label':lang._('Edit Forward Zone')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindRecord,'id':'dialogEditBindRecord','label':lang._('Edit Record')])}}
 
 <style>
@@ -433,6 +471,26 @@ $(document).ready(function() {
         }
     });
 
+    $("#grid-forward-domains").UIBootgrid({
+        'search': '/api/bind/domain/search_forward_domain',
+        'get': '/api/bind/domain/get_domain/',
+        'set': '/api/bind/domain/set_domain/',
+        'add': '/api/bind/domain/add_forward_domain/',
+        'del': '/api/bind/domain/del_domain/',
+        'toggle': '/api/bind/domain/toggle_domain/',
+        options: {
+            selection: false,
+            multiSelect: false,
+            rowSelect: false,
+            rowCount: [7, 14, 20, 50, 100, -1]
+        }
+    }).on("loaded.rs.jquery.bootgrid", function(e) {
+        let ids = $("#grid-forward-domains").bootgrid("getCurrentRows");
+        if (ids.length > 0) {
+            $("#grid-forward-domains").bootgrid('select', [ids[0].uuid]);
+        }
+    });
+
     $("#grid-primary-records").UIBootgrid({
         'search': '/api/bind/record/search_record',
         'get': '/api/bind/record/get_record/',
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 1f0b0c3c45..9196b5de3e 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -153,7 +153,9 @@ zone "rpzbing" { type primary; file "/usr/local/etc/namedb/primary/bing.db"; not
 {%     if domain.enabled == '1' %}
 zone "{{ domain.domainname }}" {
         type {{ domain.type }};
-{%       if domain.type == 'secondary' %}
+{%       if domain.type == 'forward' %}
+        forwarders { {{ domain.forwardserver.replace(',', '; ') }}; };
+{%       elif domain.type == 'secondary' %}
 {%         if domain.transferkey is defined %}
         primaries { {{ domain.primaryip.replace(',', ' key "' ~ domain.transferkeyname ~ '"; ') }} key "{{ domain.transferkeyname }}"; };
 {%         else %}
@@ -163,7 +165,7 @@ zone "{{ domain.domainname }}" {
         allow-notify { {{ domain.allownotifysecondary.replace(',', '; ') }}; };
 {%         endif %}
         file "/usr/local/etc/namedb/secondary/{{ domain.domainname }}.db";
-{%       else %}
+{%       elif domain.type == 'primary' %}
         file "/usr/local/etc/namedb/primary/{{ domain.domainname }}.db";
 {%       endif %}
 {%      if domain.allowtransfer is defined or (domain.allowrndctransfer is defined and domain.allowrndctransfer == "1") %}
@@ -187,7 +189,7 @@ zone "{{ domain.domainname }}" {
 {%              endfor %}
         };
 {%      endif %}
-{%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type != 'secondary' %}
+{%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type == 'primary' %}
         update-policy {
 		grant rndc-key zonesub ANY;
         };

From 3093d47fd24506b1cfacdd9700e046d80461e658 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 10:13:32 +0200
Subject: [PATCH 2515/3088] Framework: add more model linting

---
 Mk/plugins.mk | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index dda43024d4..a7a0d3a543 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -388,6 +388,17 @@ lint-model:
 		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and OptionValues[default[not(@value)] or multiple[not(@value)] or required[not(@value)]]]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
 			echo "$${MODEL}: $${LINE} option element default/multiple/required without value attribute"; \
 		done; \
+		(xmllint $${MODEL} --xpath '//*[@type="CSVListField" and Mask and (not(MaskPerItem) or MaskPerItem=N)]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+			echo "$${MODEL}: $${LINE} uses Mask regex with MaskPerItem=N"; \
+		done; \
+		for TYPE in .\\AliasesField .\\DomainIPField HostnameField IPPortField NetworkField MacAddressField .\\RangeAddressField; do \
+			(xmllint $${MODEL} --xpath '//*[@type="'$${TYPE}'" and FieldSeparator=","]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+				echo "$${MODEL}: $${LINE} FieldSeparator=, is the default"; \
+			done; \
+			(xmllint $${MODEL} --xpath '//*[@type="'$${TYPE}'" and AsList="N"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
+				echo "$${MODEL}: $${LINE} AsList=N is the default"; \
+			done; \
+		done; \
 	done; fi
 
 ACLBIN?=	${.CURDIR}/../../../core/Scripts/dashboard-acl.sh

From fb9748c06d9ae120016e88ed0b8dd1b418d20abe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 10 Jul 2025 10:13:48 +0200
Subject: [PATCH 2516/3088] dns/bind: more changes for models

---
 dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml   | 1 -
 .../src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml     | 2 --
 .../src/opnsense/mvc/app/models/OPNsense/Bind/General.xml    | 5 -----
 3 files changed, 8 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
index 3adae8986b..a628f28a5f 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
@@ -21,7 +21,6 @@
                     </Constraints>
                 </name>
                 <networks type="NetworkField">
-                    <FieldSeparator>,</FieldSeparator>
                     <Required>Y</Required>
                     <AsList>Y</AsList>
                 </networks>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index f82783ffe0..6743b66ae4 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -19,7 +19,6 @@
                     </OptionValues>
                 </type>
                 <primaryip type="NetworkField">
-                    <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                 </primaryip>
                 <forwardserver type="NetworkField">
@@ -38,7 +37,6 @@
                 <transferkeyname type="TextField"/>
                 <transferkey type="TextField"/>
                 <allownotifysecondary type="NetworkField">
-                    <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                 </allownotifysecondary>
                 <domainname type="TextField">
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 0752ddcad3..238c9dc248 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -17,13 +17,11 @@
         </enablerpz>
         <listenv4 type="NetworkField">
             <Default>0.0.0.0</Default>
-            <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <AsList>Y</AsList>
         </listenv4>
         <listenv6 type="NetworkField">
             <Default>::</Default>
-            <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <AsList>Y</AsList>
         </listenv6>
@@ -48,7 +46,6 @@
             <Required>Y</Required>
         </port>
         <forwarders type="NetworkField">
-            <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
         </forwarders>
         <filteraaaav4 type="BooleanField">
@@ -60,7 +57,6 @@
             <Required>Y</Required>
         </filteraaaav6>
         <filteraaaaacl type="NetworkField">
-            <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
         </filteraaaaacl>
         <logsize type="IntegerField">
@@ -152,7 +148,6 @@
         </ratelimitcount>
         <ratelimitexcept type="NetworkField">
             <Default>0.0.0.0,::</Default>
-            <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
             <AsList>Y</AsList>
         </ratelimitexcept>

From 28cc6ca7b5ea0922c18490c8626968716fd72f05 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 11 Jul 2025 22:27:39 +0200
Subject: [PATCH 2517/3088] sysutils/puppet-agent: switch to Puppet 8

---
 sysutils/puppet-agent/Makefile                               | 4 ++--
 sysutils/puppet-agent/pkg-descr                              | 5 +++++
 .../opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt   | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/sysutils/puppet-agent/Makefile b/sysutils/puppet-agent/Makefile
index a7112f55c0..f79acafee3 100644
--- a/sysutils/puppet-agent/Makefile
+++ b/sysutils/puppet-agent/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		puppet-agent
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Manage Puppet Agent
-PLUGIN_DEPENDS=		puppet7 py${PLUGIN_PYTHON}-opn-cli
+PLUGIN_DEPENDS=		puppet8 py${PLUGIN_PYTHON}-opn-cli
 PLUGIN_MAINTAINER=	jan.wink93@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/puppet-agent/pkg-descr b/sysutils/puppet-agent/pkg-descr
index 3e8426bcb5..0cd522fc50 100644
--- a/sysutils/puppet-agent/pkg-descr
+++ b/sysutils/puppet-agent/pkg-descr
@@ -9,6 +9,11 @@ WWW:  https://puppet.com/docs/puppet/latest/man/agent.html
 Plugin Changelog
 ================
 
+1.2
+
+Changed:
+* switch to Puppet 8 (#4800)
+
 1.1
 
 Added:
diff --git a/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt b/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
index 7e0d533c56..c9ca842c13 100644
--- a/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
+++ b/sysutils/puppet-agent/src/opnsense/mvc/app/views/OPNsense/PuppetAgent/index.volt
@@ -61,8 +61,8 @@ POSSIBILITY OF SUCH DAMAGE.
             <p>{{ lang._("Welcome to the Puppet Agent plugin! This plugin allows you to integrate OPNsense with your Puppet environment.") }}</p>
             <p>{{ lang._("Keep in mind that you should not treat OPNsense like any other operating system. Most notably you should not modify system files or packages. Instead use the OPNsense API to make configuration changes and to manage plugins. The following tools are a good starting point when trying to automate OPNsense with Puppet:") }}</p>
             <ul>
-              <li>{{ lang._("%sopn-cli:%s A command line client to configure OPNsense core and plugin components through their respective APIs.") | format('<a href="https://github.com/andeman/opn-cli" target="_blank">', '</a>') }}</li>
-              <li>{{ lang._("%spuppet/opnsense:%s A read-to-use Puppet module for automating the OPNsense firewall.") | format('<a href="https://github.com/andeman/puppet-opnsense" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._("%sopn-cli:%s A command line client to configure OPNsense core and plugin components through their respective APIs.") | format('<a href="https://github.com/andreas-stuerz/opn-cli" target="_blank">', '</a>') }}</li>
+              <li>{{ lang._("%spuppet/opnsense:%s A read-to-use Puppet module for automating the OPNsense firewall.") | format('<a href="https://github.com/andreas-stuerz/puppet-opnsense" target="_blank">', '</a>') }}</li>
             </ul>
             <p>{{ lang._("Note that these tools are not directly related to this plugin. Please report issues and missing features directly to the author.") }}</p>
         </div>

From 929721e9f25d9cf1fb79f216123096106ead2e3b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 14 Jul 2025 13:26:22 +0200
Subject: [PATCH 2518/3088] Revert "Framework: ready for release"

This reverts commit 6b2cbb2f31c0e7eab92e8efda86fae33836b4a34.
---
 Mk/defaults.mk | 2 +-
 Mk/plugins.mk  | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 79c3358659..62a0643513 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -45,7 +45,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	25.7
+PLUGIN_ABI?=	25.1
 .endif
 
 PLUGIN_MAINS=	master main
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index a7a0d3a543..923e8d77a3 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -62,6 +62,8 @@ _PLUGIN_COMMENT:=	${PLUGIN_COMMENT}
 
 .if defined(_PLUGIN_DEVEL)
 PLUGIN_DEVEL?:=		${_PLUGIN_DEVEL}
+.else
+PLUGIN_DEVEL?=		yes
 .endif
 
 PLUGIN_PREFIX?=		os-

From d42bd4e92874a5db859fe1ce9a3a6aa5a9f344d2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 14 Jul 2025 13:28:58 +0200
Subject: [PATCH 2519/3088] Framework: use tier 4 for development and unknown

---
 Mk/plugins.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 923e8d77a3..b9f2b0b76f 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -100,6 +100,7 @@ PLUGIN_DIR?=		${.CURDIR:S/\// /g:[-2]}/${.CURDIR:S/\// /g:[-1]}
 .if "${PLUGIN_DEVEL}" != ""
 PLUGIN_CONFLICTS+=	${PLUGIN_NAME}
 PLUGIN_PKGSUFFIX=	${PLUGIN_SUFFIX}
+PLUGIN_TIER=		4
 .else
 PLUGIN_CONFLICTS+=	${PLUGIN_NAME}${PLUGIN_SUFFIX}
 PLUGIN_PKGSUFFIX=	# empty

From dfc06a7b4e8fd4caa68b0f54c3da3a74353a9eb6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 14 Jul 2025 15:07:27 +0200
Subject: [PATCH 2520/3088] vendor/sunnyvalley: fix tier for 25.7 display

---
 vendor/sunnyvalley/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index ac1e0d0041..2c9bc2d133 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -3,5 +3,6 @@ PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (Enterprise Security Modules - NGFW, SSE, SASE, f.k.a Sensei)
 PLUGIN_MAINTAINER=	opensource@zenarmor.com
 PLUGIN_WWW=		https://www.zenarmor.com
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"

From 9af5e18bcedb10a95c0942f24cc8f8ff52e61877 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 14 Jul 2025 15:35:29 +0200
Subject: [PATCH 2521/3088] security/tinc: lower support to Tier 3 (#4810)

---
 security/tinc/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 7265c9cc06..70746e3fe6 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -4,6 +4,5 @@ PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"

From a914b6214e997be4ea690534ff5a80f08694148f Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 14 Jul 2025 15:48:26 +0200
Subject: [PATCH 2522/3088] net/relayd: hook isSubsystemDirty() to bootgrid
 loaded event to fix grid loading issue (#4811)

---
 .../mvc/app/views/OPNsense/Relayd/index.volt      | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
index 11a7e3e0c5..98e6cff5b5 100644
--- a/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
+++ b/net/relayd/src/opnsense/mvc/app/views/OPNsense/Relayd/index.volt
@@ -43,16 +43,6 @@
          });
       }
 
-      /**
-       * chain std_bootgrid_reload from opnsense_bootgrid_plugin.js
-       * to get the isSubsystemDirty state on "UIBootgrid" changes
-       */
-      var opn_std_bootgrid_reload = std_bootgrid_reload;
-      std_bootgrid_reload = function(gridId) {
-         opn_std_bootgrid_reload(gridId);
-         isSubsystemDirty();
-      };
-
       /**
        * apply changes and reload relayd
        */
@@ -128,6 +118,11 @@
             endpoints['toggle'] = '/api/relayd/settings/toggle/' + element + '/';
          }
          $("#grid-" + element).UIBootgrid(endpoints);
+
+         // get the isSubsystemDirty state on "UIBootgrid" changes
+         $("#grid-" + element).on("loaded.rs.jquery.bootgrid", function () {
+            isSubsystemDirty();
+         });
       });
 
       // show/hide options depending on other options

From c804498cdf93fb93d1f234ce6f0b0ef6d9b10a74 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 14 Jul 2025 15:51:42 +0200
Subject: [PATCH 2523/3088] net/relayd: bump revision

---
 net/relayd/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 9abfcd2221..7900b4f554 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.9
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com

From 5e78d55d002a44e7f4c06dd621ac5831f0c1ee7b Mon Sep 17 00:00:00 2001
From: DodoLeDev <59477313+DodoLeDev@users.noreply.github.com>
Date: Tue, 15 Jul 2025 08:58:41 +0200
Subject: [PATCH 2524/3088] www/nginx: Added the ability to override SNI for
 streams (#4804)

---
 .../opnsense/service/templates/OPNsense/Nginx/streams.conf    | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
index 9b696220fa..9904736ce5 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf
@@ -93,6 +93,10 @@
         proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
         proxy_ssl_certificate /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.pem;
 {%         endif %}
+{%         if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
+        proxy_ssl_server_name on;
+        proxy_ssl_name {{ upstream.tls_name_override }};
+{%         endif %}
 {%       endif %}
         proxy_ssl {% if upstream.tls_enable == '1' %}on{% else %}off{% endif %};
         proxy_pass upstream{{ server.upstream.replace('-','') }};

From b106c98260db7321bac5f115ba2eb8a7ae79aa59 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Jul 2025 09:10:03 +0200
Subject: [PATCH 2525/3088] net-mgmt/zabbix-agent: bump and document

---
 net-mgmt/zabbix-agent/Makefile                       |  2 +-
 net-mgmt/zabbix-agent/pkg-descr                      |  9 +++++++++
 .../app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml  | 12 ++----------
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index d6b91153fa..796854acee 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.15
+PLUGIN_VERSION=		1.16
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 5b4ed65938..0cae91b594 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,15 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.16
+
+Changed:
+* snake_case use in API URLs
+* Model style updates
+
+Removed:
+* Plugin variant for Zabbix Agent 5.0 is EoL and was removed
+
 1.15
 
 Added:
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index 9527d03286..0a181f74bf 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -46,10 +46,7 @@
                     <NetMaskAllowed>N</NetMaskAllowed>
                     <ValidationMessage>Please provide a valid IP address, i.e. 10.0.0.1.</ValidationMessage>
                 </sourceIP>
-                <syslogEnable type="BooleanField">
-                    <Default>0</Default>
-                    <Required>N</Required>
-                </syslogEnable>
+                <syslogEnable type="BooleanField"/>
                 <logFileSize type="IntegerField">
                     <Default>100</Default>
                     <MinimumValue>1</MinimumValue>
@@ -142,15 +139,10 @@
                     <Required>Y</Required>
                 </encryption>
                 <encryptionidentity type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
                     <Mask>/^.{1,128}$/</Mask>
                     <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
                 </encryptionidentity>
-                <encryptionpsk type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
-                </encryptionpsk>
+                <encryptionpsk type="TextField"/>
             </features>
         </settings>
         <userparameters>

From f0a5f994a25b13add279e6cbcb6abd0a30837f57 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Jul 2025 09:19:19 +0200
Subject: [PATCH 2526/3088] security/strongswan-legacy: move this out of
 development, too

The legacy code still missing but will follow later this week.
---
 README.md                           | 2 +-
 security/strongswan-legacy/Makefile | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index cff1bbc874..ccd7712dc6 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,7 @@ security/maltrail -- Malicious traffic detection system
 security/openconnect -- OpenConnect Client
 security/openvpn-legacy -- OpenVPN legacy support
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
-security/strongswan-legacy -- IPsec legacy support (development only)
+security/strongswan-legacy -- IPsec legacy support
 security/stunnel -- Stunnel TLS proxy
 security/tailscale -- VPN mesh securely connecting clients using WireGuard
 security/tinc -- Tinc VPN
diff --git a/security/strongswan-legacy/Makefile b/security/strongswan-legacy/Makefile
index a2f7792d08..fceb923cf9 100644
--- a/security/strongswan-legacy/Makefile
+++ b/security/strongswan-legacy/Makefile
@@ -2,7 +2,6 @@ PLUGIN_NAME=		strongswan-legacy
 PLUGIN_VERSION=		0.1
 PLUGIN_COMMENT=		IPsec legacy support
 PLUGIN_DEPENDS=		# strongswan
-PLUGIN_DEVEL=		yes
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2
 

From 3c858b19a06371473e5d9c8556570ae239225e60 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Jul 2025 09:36:43 +0200
Subject: [PATCH 2527/3088] net-mgmt/zabbix-proxy: document and some cleanups

---
 net-mgmt/zabbix-proxy/Makefile                |  2 +-
 net-mgmt/zabbix-proxy/pkg-descr               |  6 ++
 .../OPNsense/Zabbixproxy/forms/general.xml    |  2 +
 .../models/OPNsense/Zabbixproxy/General.xml   | 96 ++++---------------
 4 files changed, 27 insertions(+), 79 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 5e9d2a4246..228a5a6437 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.12
+PLUGIN_VERSION=		1.13
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 49159ff30d..7de9a21811 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,12 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.13
+
+* Removed plugin variant for Zabbox Proxy 5.0 which is EoL
+* Use snake_case in API URLs
+* Model style updates
+
 1.12
 
 * Add plugin variant for Zabbix Proxy 7.2, 6.4 is EoL and was removed
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index efef9db911..a75cc7eb2d 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -27,6 +27,7 @@
         <id>general.serverport</id>
         <label>Server Port</label>
         <type>text</type>
+        <hint>10051</hint>
         <help>Port of Zabbix trapper on Zabbix server. Default is fine for most scenarios.</help>
     </field>
     <field>
@@ -47,6 +48,7 @@
         <id>general.listenport</id>
         <label>Listen Port</label>
         <type>text</type>
+        <hint>10051</hint>
         <help>Listen port for trapper. Default is just fine.</help>
     </field>
     <field>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index a80586fbbf..fc214f6917 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -15,96 +15,40 @@
             <Default>0</Default>
             <Required>Y</Required>
         </remotecommands>
-        <server type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </server>
-        <serverport type="TextField">
-            <Default>10051</Default>
-            <Required>N</Required>
-        </serverport>
+        <server type="TextField"/>
+        <serverport type="TextField"/>
         <hostname type="TextField">
             <Default>Zabbix proxy</Default>
             <Required>Y</Required>
         </hostname>
-        <listenport type="TextField">
-            <Default>10051</Default>
-            <Required>N</Required>
-        </listenport>
+        <listenport type="TextField"/>
         <listenip type="NetworkField">
-            <Default></Default>
             <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
-            <Required>N</Required>
         </listenip>
-        <sourceip type="NetworkField">
-            <Default></Default>
-            <Required>N</Required>
-        </sourceip>
-        <startpollers type="TextField">
-            <Default>5</Default>
-            <Required>N</Required>
-        </startpollers>
-        <startipmipollers type="IntegerField">
-            <Default>0</Default>
-            <Required>N</Required>
-        </startipmipollers>
-        <startpollersunreachable type="IntegerField">
-            <Default>1</Default>
-            <Required>N</Required>
-        </startpollersunreachable>
-        <starttrappers type="IntegerField">
-            <Default>5</Default>
-            <Required>N</Required>
-        </starttrappers>
-        <startpingers type="IntegerField">
-            <Default>1</Default>
-            <Required>N</Required>
-        </startpingers>
-        <startdiscoverers type="IntegerField">
-            <Default>1</Default>
-            <Required>N</Required>
-        </startdiscoverers>
-        <startvmwarecollectors type="IntegerField">
-            <Required>N</Required>
-        </startvmwarecollectors>
-        <starthttppollers type="IntegerField">
-            <Default>1</Default>
-            <Required>N</Required>
-        </starthttppollers>
-        <cachesize type="TextField">
-            <Default>8M</Default>
-            <Required>N</Required>
-        </cachesize>
-        <historycachesize type="TextField">
-            <Default>16M</Default>
-            <Required>N</Required>
-        </historycachesize>
-        <historyindexcachesize type="TextField">
-            <Default>4M</Default>
-            <Required>N</Required>
-        </historyindexcachesize>
+        <sourceip type="NetworkField"/>
+        <startpollers type="TextField"/>
+        <startipmipollers type="IntegerField"/>
+        <startpollersunreachable type="IntegerField"/>
+        <starttrappers type="IntegerField"/>
+        <startpingers type="IntegerField"/>
+        <startdiscoverers type="IntegerField"/>
+        <startvmwarecollectors type="IntegerField"/>
+        <starthttppollers type="IntegerField"/>
+        <cachesize type="TextField"/>
+        <historycachesize type="TextField"/>
+        <historyindexcachesize type="TextField"/>
         <proxyofflinebuffer type="IntegerField">
-            <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>720</MaximumValue>
             <ValidationMessage>Set a number between 1 and 720.</ValidationMessage>
         </proxyofflinebuffer>
-        <timeout type="IntegerField">
-            <Default>4</Default>
-            <Required>N</Required>
-        </timeout>
-        <configfrequency type="IntegerField">
-            <Required>N</Required>
-        </configfrequency>
-        <datasenderfrequency type="IntegerField">
-            <Required>N</Required>
-        </datasenderfrequency>
+        <timeout type="IntegerField"/>
+        <configfrequency type="IntegerField"/>
+        <datasenderfrequency type="IntegerField"/>
         <statsip type="NetworkField">
-            <Default></Default>
             <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
-            <Required>N</Required>
         </statsip>
         <syslogEnable type="BooleanField">
             <Default>0</Default>
@@ -133,14 +77,10 @@
             <Required>Y</Required>
         </encryption>
         <encryptionidentity type="TextField">
-            <Default></Default>
-            <Required>N</Required>
             <Mask>/^.{1,128}$/</Mask>
             <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
         </encryptionidentity>
         <encryptionpsk type="TextField">
-            <Default></Default>
-            <Required>N</Required>
             <Mask>/^[A-Fa-f0-9]{32,512}$/</Mask>
             <ValidationMessage>Should be a hexadecimal string between 32 and 512 characters.</ValidationMessage>
         </encryptionpsk>

From 74ec76caaecfef935972a5ce4d23a26e04021781 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 15 Jul 2025 09:39:53 +0200
Subject: [PATCH 2528/3088] www/caddy: Change em into px, fix key/value display
 in formatter (#4807)

* www/caddy: Change em into px, fix key/value display in formatter

* www/caddy: Change $ to % for https://github.com/opnsense/core/commit/597eecc5dc5e2268a6745bdf178fff91b8708426

* www/caddy: Bump revision

* www/caddy: Add changelog
---
 www/caddy/Makefile                                       | 1 +
 www/caddy/pkg-descr                                      | 1 +
 .../OPNsense/Caddy/forms/dialogAccessList.xml            | 3 +++
 .../controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml | 3 +++
 .../controllers/OPNsense/Caddy/forms/dialogHandle.xml    | 2 +-
 .../controllers/OPNsense/Caddy/forms/dialogHeader.xml    | 3 +++
 .../controllers/OPNsense/Caddy/forms/dialogLayer4.xml    | 2 +-
 .../OPNsense/Caddy/forms/dialogReverseProxy.xml          | 2 +-
 .../controllers/OPNsense/Caddy/forms/dialogSubdomain.xml | 2 +-
 .../mvc/app/views/OPNsense/Caddy/reverse_proxy.volt      | 9 ++++-----
 10 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 5b9504ba7d..c2641be8c8 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		2.0.2
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 9845f3f37d..e75c90b9d6 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 Add: Global server timeout options (opnsense/plugins/pull/4778)
 Cleanup: Change all camelCase to snake_case in api notations (opnsense/plugins/pull/4767,4768,4776)
 Cleanup: Use SimpleActionButton in general.volt (opnsense/plugins/pull/4779)
+Cleanup: Change em into px, fix key/value display in formatter (opnsense/plugins/pull/4807)
 
 2.0.1
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index 3f33391980..9c9fe2077c 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -50,6 +50,9 @@
         <type>dropdown</type>
         <help><![CDATA[Set the request matcher that will be applied to this access list.]]></help>
         <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>accesslist.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
index 955479b265..72862167b4 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
@@ -10,6 +10,9 @@
         <label>Password</label>
         <type>text</type>
         <help><![CDATA[Enter a password. It will be hashed with bcrypt. It can only be set and changed but will not be visible anymore.]]></help>
+        <grid_view>
+            <ignore>true</ignore>
+        </grid_view>
     </field>
     <field>
         <id>basicauth.description</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 33407457ca..7371e8820f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this handler.]]></help>
         <grid_view>
-            <width>2em</width>
+            <width>100</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
index f7885bedd8..163b644517 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
@@ -4,6 +4,9 @@
         <label>Header</label>
         <type>dropdown</type>
         <help><![CDATA["header_up" sets, adds (with the "+" prefix), deletes (with the "-" prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. "header_down" sets, adds (with the "+" prefix), deletes (with the "-" prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend. For more information: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers]]></help>
+        <grid_view>
+            <width>120</width>
+        </grid_view>
     </field>
     <field>
         <id>header.HeaderType</id>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 4a691fbe74..5b82ff437e 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this Layer4 route.]]></help>
         <grid_view>
-            <width>2em</width>
+            <width>100</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 06646cbfa3..0e4e7202e6 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this domain.]]></help>
         <grid_view>
-            <width>2em</width>
+            <width>100</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index ccfc1c2bab..ee31bc02de 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this subdomain.]]></help>
         <grid_view>
-            <width>2em</width>
+            <width>100</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index acfc85732d..336c9ec27a 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -174,7 +174,6 @@
                                     return request;
                                 },
                                 headerFormatters: {
-                                    enabled: function (column) { return "" },
                                     ToDomain: function (column) { return labels.upstream; },
                                     FromDomain: function (column) {
                                         if (grid_id === "subdomain") {
@@ -207,14 +206,14 @@
                                     },
                                     from_domain: function (column, row) {
                                         return (
-                                            (row["DisableTls"] || "") +
+                                            (row["%DisableTls"] || "") +
                                             (row["FromDomain"] || "") +
                                             (row["FromPort"] ? `:${row["FromPort"]}` : "")
                                         );
                                     },
                                     to_domain: function (column, row) {
                                         return (
-                                            (row["HttpTls"] || "") +
+                                            (row["%HttpTls"] || "") +
                                             (row["ToDomain"] || "") +
                                             (row["ToPort"] ? `:${row["ToPort"]}` : "") +
                                             (row["ToPath"] || "")
@@ -501,7 +500,7 @@
             <!-- Reverse Proxy -->
             <h1 class="custom-header">{{ lang._('Domains') }}</h1>
             <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy + {'command_width': '11em'})}}
+                {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy + {'command_width': '160'})}}
             </div>
         </div>
 
@@ -509,7 +508,7 @@
         <div style="padding-left: 16px;">
             <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
             <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain + {'command_width': '11em'})}}
+                {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain + {'command_width': '160'})}}
             </div>
         </div>
     </div>

From b3de88095fe75427be1d32f0fab223afd39ca0b8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Jul 2025 09:43:31 +0200
Subject: [PATCH 2529/3088] security/tinc: bump revision

---
 security/tinc/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 70746e3fe6..2ac0b3d60a 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From cf8304b6c767b5236bb5c8601bf70354d07d753c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Jul 2025 09:45:15 +0200
Subject: [PATCH 2530/3088] www/nginx: bump revision for latest change

---
 www/nginx/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 0b7db7007c..781e7d0018 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	6
+PLUGIN_REVISION=	7
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 9b31fedd44239ad426fd4903fadbfee4b1298916 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 15 Jul 2025 09:58:13 +0200
Subject: [PATCH 2531/3088] www/caddy: Remove obsolete model_relation_domain
 formatter (#4813)

* www/caddy: Remove obsolete model_relation_domain formatter

* www/caddy: Bump revision and changelog
---
 www/caddy/Makefile                                 |  2 +-
 www/caddy/pkg-descr                                |  1 +
 .../OPNsense/Caddy/forms/dialogHandle.xml          |  6 ------
 .../OPNsense/Caddy/forms/dialogSubdomain.xml       |  1 -
 .../app/views/OPNsense/Caddy/reverse_proxy.volt    | 14 --------------
 5 files changed, 2 insertions(+), 22 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index c2641be8c8..ecbffe28a2 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		2.0.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index e75c90b9d6..96041df58f 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -12,6 +12,7 @@ Add: Global server timeout options (opnsense/plugins/pull/4778)
 Cleanup: Change all camelCase to snake_case in api notations (opnsense/plugins/pull/4767,4768,4776)
 Cleanup: Use SimpleActionButton in general.volt (opnsense/plugins/pull/4779)
 Cleanup: Change em into px, fix key/value display in formatter (opnsense/plugins/pull/4807)
+Cleanup: Remove obsolete model_relation_domain formatter (opnsense/plugins/pull/4813)
 
 2.0.1
 
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 7371e8820f..1869739bdb 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -19,18 +19,12 @@
         <label>Domain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a domain to handle.]]></help>
-        <grid_view>
-            <formatter>model_relation_domain</formatter>
-        </grid_view>
     </field>
     <field>
         <id>handle.subdomain</id>
         <label>Subdomain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a subdomain to handle. Make sure to additionaly choose a wildcard domain as "Domain". Leave unset, if not using subdomains.]]></help>
-        <grid_view>
-            <formatter>model_relation_domain</formatter>
-        </grid_view>
     </field>
     <field>
         <type>header</type>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index ee31bc02de..a70d8bcf9c 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -21,7 +21,6 @@
         <help><![CDATA[Select a wildcard domain for this subdomain.]]></help>
         <grid_view>
             <visible>false</visible>
-            <formatter>model_relation_domain</formatter>
         </grid_view>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 336c9ec27a..debf95f786 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -190,20 +190,6 @@
                                     },
                                 },
                                 formatters: {
-                                    model_relation_domain: function (column, row) {
-                                        let result = (row[column.id] || "").trim();
-                                        if (column.id === "reverse") {
-                                            result = result.replace(" ", ":");
-                                            if (!row["subdomain"] && row["HandlePath"]) {
-                                                result += row["HandlePath"];
-                                            }
-                                        } else if (column.id === "subdomain") {
-                                            if (row["subdomain"] && row["HandlePath"]) {
-                                                result += row["HandlePath"];
-                                            }
-                                        }
-                                        return result;
-                                    },
                                     from_domain: function (column, row) {
                                         return (
                                             (row["%DisableTls"] || "") +

From b7959fddb5990e69774126c63674cab8350aaa82 Mon Sep 17 00:00:00 2001
From: Monviech <gitacc@pischem.com>
Date: Tue, 15 Jul 2025 09:02:47 +0000
Subject: [PATCH 2532/3088] www/squid: Fix camelCase API endpoint notation for
 https://github.com/opnsense/plugins/commit/ef2e005e8

---
 .../OPNsense/Proxy/Api/SettingsController.php | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
index faa8cfc6ce..fcca835101 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/SettingsController.php
@@ -113,7 +113,7 @@ public function toggleRemoteBlacklistAction($uuid)
      * create new cron item for remote acl or return already available one
      * @return array status action
      */
-    public function fetchRBCronAction()
+    public function fetchRbCronAction()
     {
         $result = array("result" => "failed");
 
@@ -150,7 +150,7 @@ public function fetchRBCronAction()
      * search PAC Rule
      * @return array
      */
-    public function searchPACRuleAction()
+    public function searchPacRuleAction()
     {
         return $this->searchBase('pac.rule', array("enabled", "description", "proxies", "matches"), "description");
     }
@@ -160,7 +160,7 @@ public function searchPACRuleAction()
      * @param $uuid item unique id
      * @return array
      */
-    public function getPACRuleAction($uuid = null)
+    public function getPacRuleAction($uuid = null)
     {
         return array("pac" => $this->getBase('rule', 'pac.rule', $uuid));
     }
@@ -181,7 +181,7 @@ public function addPACRuleAction()
      * @return array result status
      * @throws \OPNsense\Base\ValidationException
      */
-    public function setPACRuleAction($uuid)
+    public function setPacRuleAction($uuid)
     {
         $this->pac_set_helper();
         return $this->setBase('rule', 'pac.rule', $uuid);
@@ -192,7 +192,7 @@ public function setPACRuleAction($uuid)
      * @param $uuid item unique id
      * @return array status
      */
-    public function togglePACRuleAction($uuid)
+    public function togglePacRuleAction($uuid)
     {
         return $this->toggleBase('pac.rule', $uuid);
     }
@@ -202,7 +202,7 @@ public function togglePACRuleAction($uuid)
      * @param $uuid item unique id
      * @return array status
      */
-    public function delPACRuleAction($uuid)
+    public function delPacRuleAction($uuid)
     {
         return $this->delBase('pac.rule', $uuid);
     }
@@ -212,7 +212,7 @@ public function delPACRuleAction($uuid)
      * search PAC Proxy
      * @return array
      */
-    public function searchPACProxyAction()
+    public function searchPacProxyAction()
     {
         return $this->searchBase('pac.proxy', array("enabled","proxy_type", "name", "url", "description"), "description");
     }
@@ -222,7 +222,7 @@ public function searchPACProxyAction()
      * @param $uuid item unique id
      * @return array
      */
-    public function getPACProxyAction($uuid = null)
+    public function getPacProxyAction($uuid = null)
     {
         return array("pac" => $this->getBase('proxy', 'pac.proxy', $uuid));
     }
@@ -231,7 +231,7 @@ public function getPACProxyAction($uuid = null)
      * add new PAC Proxy and set with attributes from post
      * @return array
      */
-    public function addPACProxyAction()
+    public function addPacProxyAction()
     {
         $this->pac_set_helper();
         return $this->addBase('proxy', 'pac.proxy');
@@ -243,7 +243,7 @@ public function addPACProxyAction()
      * @return array result status
      * @throws \OPNsense\Base\ValidationException
      */
-    public function setPACProxyAction($uuid)
+    public function setPacProxyAction($uuid)
     {
         $this->pac_set_helper();
         return $this->setBase('proxy', 'pac.proxy', $uuid);
@@ -254,7 +254,7 @@ public function setPACProxyAction($uuid)
      * @param $uuid item unique id
      * @return array status
      */
-    public function delPACProxyAction($uuid)
+    public function delPacProxyAction($uuid)
     {
         return $this->delBase('pac.proxy', $uuid);
     }
@@ -263,7 +263,7 @@ public function delPACProxyAction($uuid)
      * search PAC Match
      * @return array
      */
-    public function searchPACMatchAction()
+    public function searchPacMatchAction()
     {
         return $this->searchBase('pac.match', array("enabled", "name", "description", "negate", "match_type"), "name");
     }
@@ -273,7 +273,7 @@ public function searchPACMatchAction()
      * @param $uuid item unique id
      * @return array
      */
-    public function getPACMatchAction($uuid = null)
+    public function getPacMatchAction($uuid = null)
     {
         return array("pac" => $this->getBase('match', 'pac.match', $uuid));
     }
@@ -282,7 +282,7 @@ public function getPACMatchAction($uuid = null)
      * add new PAC Proxy and set with attributes from post
      * @return array
      */
-    public function addPACMatchAction()
+    public function addPacMatchAction()
     {
         $this->pac_set_helper();
         return $this->addBase('match', 'pac.match');
@@ -294,7 +294,7 @@ public function addPACMatchAction()
      * @return array result status
      * @throws \OPNsense\Base\ValidationException
      */
-    public function setPACMatchAction($uuid)
+    public function setPacMatchAction($uuid)
     {
         $this->pac_set_helper();
         return $this->setBase('match', 'pac.match', $uuid);
@@ -305,7 +305,7 @@ public function setPACMatchAction($uuid)
      * @param $uuid item unique id
      * @return array status
      */
-    public function delPACMatchAction($uuid)
+    public function delPacMatchAction($uuid)
     {
         return $this->delBase('pac.match', $uuid);
     }

From 34d74d05eb41b8170fde4e372fd40d6f76786bb3 Mon Sep 17 00:00:00 2001
From: Gauss23 <gauss@gmx.de>
Date: Tue, 15 Jul 2025 12:20:48 +0200
Subject: [PATCH 2533/3088] Added a plugin for Netbird (#4531)

This is an initial version of a plugin for Netbird.

I've also created a pull request for the Netbird port, as a small patch is currently needed.

https://netbird.io/
---
 net/netbird/Makefile                          |   9 +
 net/netbird/pkg-descr                         |  18 ++
 .../src/etc/inc/plugins.inc.d/netbird.inc     |  57 ++++
 .../src/etc/rc.syshook.d/carp/30-netbird      |  78 +++++
 .../netbird/Api/InitialController.php         |  44 +++
 .../netbird/Api/ServiceController.php         | 291 ++++++++++++++++++
 .../netbird/Api/SettingsController.php        |  43 +++
 .../OPNsense/netbird/ConstatusController.php  |  43 +++
 .../OPNsense/netbird/IndexController.php      |  45 +++
 .../OPNsense/netbird/forms/general.xml        |  56 ++++
 .../OPNsense/netbird/forms/initialup.xml      |  25 ++
 .../app/models/OPNsense/netbird/ACL/ACL.xml   |   9 +
 .../app/models/OPNsense/netbird/Initial.php   |  37 +++
 .../app/models/OPNsense/netbird/Initial.xml   |  32 ++
 .../app/models/OPNsense/netbird/Menu/Menu.xml |   9 +
 .../app/models/OPNsense/netbird/Netbird.php   |  37 +++
 .../app/models/OPNsense/netbird/Netbird.xml   |  46 +++
 .../app/views/OPNsense/netbird/constatus.volt | 164 ++++++++++
 .../mvc/app/views/OPNsense/netbird/index.volt | 107 +++++++
 .../scripts/OPNsense/netbird/initialup.sh     |  16 +
 .../conf/actions.d/actions_netbird.conf       |  57 ++++
 .../OPNsense/Syslog/local/netbird.conf        |   6 +
 .../templates/OPNsense/netbird/+TARGETS       |   1 +
 .../templates/OPNsense/netbird/netbird        |   5 +
 24 files changed, 1235 insertions(+)
 create mode 100644 net/netbird/Makefile
 create mode 100644 net/netbird/pkg-descr
 create mode 100644 net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
 create mode 100755 net/netbird/src/etc/rc.syshook.d/carp/30-netbird
 create mode 100644 net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php
 create mode 100644 net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php
 create mode 100644 net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/SettingsController.php
 create mode 100644 net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/ConstatusController.php
 create mode 100644 net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/IndexController.php
 create mode 100644 net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/general.xml
 create mode 100644 net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/initialup.xml
 create mode 100644 net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/ACL/ACL.xml
 create mode 100644 net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.php
 create mode 100644 net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.xml
 create mode 100644 net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml
 create mode 100644 net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.php
 create mode 100644 net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.xml
 create mode 100644 net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/constatus.volt
 create mode 100644 net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/index.volt
 create mode 100755 net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh
 create mode 100644 net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
 create mode 100644 net/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf
 create mode 100644 net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS
 create mode 100644 net/netbird/src/opnsense/service/templates/OPNsense/netbird/netbird

diff --git a/net/netbird/Makefile b/net/netbird/Makefile
new file mode 100644
index 0000000000..ab3854bc97
--- /dev/null
+++ b/net/netbird/Makefile
@@ -0,0 +1,9 @@
+PLUGIN_NAME=		netbird
+PLUGIN_VERSION=		0.1
+PLUGIN_DEPENDS=	    netbird
+PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
+PLUGIN_MAINTAINER=	opn-netbird@sun-ri.se
+PLUGIN_WWW=		    https://netbird.io
+PLUGIN_DEVEL=       yes
+
+.include "../../Mk/plugins.mk"
\ No newline at end of file
diff --git a/net/netbird/pkg-descr b/net/netbird/pkg-descr
new file mode 100644
index 0000000000..2bd1408875
--- /dev/null
+++ b/net/netbird/pkg-descr
@@ -0,0 +1,18 @@
+NetBird is an open-source WireGuard-based overlay network combined with
+Zero Trust Network Access, providing secure and reliable connectivity
+to internal resources.
+
+Key features:
+- Zero-config VPN: Easily create secure connections between devices without
+manual network setup.
+- Built on WireGuard: Leverages WireGuard's high-performance encryption for
+fast and secure communication.
+- Self-hosted or Cloud-managed: Users can deploy their own NetBird management
+server or use NetBird Cloud for centralized control.
+- Access Control & Routing: Fine-grained access control policies and automatic
+network routing simplify connectivity.
+- This FreeBSD port provides the NetBird client daemon and CLI tools, allowing
+FreeBSD systems to join a NetBird mesh network and securely communicate with
+other peers.
+
+For more details, visit: https://netbird.io
\ No newline at end of file
diff --git a/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc b/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
new file mode 100644
index 0000000000..fb8b4fdcee
--- /dev/null
+++ b/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
@@ -0,0 +1,57 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function netbird_enabled()
+{
+    return !(new \OPNsense\netbird\Netbird())->general->Enabled->isEmpty();
+}
+
+function netbird_services()
+{
+    $services = array();
+
+    if (!netbird_enabled()) {
+        return $services;
+    }
+
+    $services[] = array(
+        'description' => gettext('Netbird'),
+        'configd' => array(
+            'restart' => array('netbird restart'),
+            'start' => array('netbird start'),
+            'stop' => array('netbird stop'),
+        ),
+        'name' => 'netbird',
+        'pidfile' => '/var/run/netbird.pid',
+    );
+
+    return $services;
+}
+
diff --git a/net/netbird/src/etc/rc.syshook.d/carp/30-netbird b/net/netbird/src/etc/rc.syshook.d/carp/30-netbird
new file mode 100755
index 0000000000..824d74f3bf
--- /dev/null
+++ b/net/netbird/src/etc/rc.syshook.d/carp/30-netbird
@@ -0,0 +1,78 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('config.inc');
+require_once('util.inc');
+require_once('interfaces.inc');
+
+
+$model = new \OPNsense\netbird\Netbird();
+$enabled = $model->general->Enabled->__toString();
+
+
+if(!$enabled) {
+    exit(0);
+}
+
+$carpif = $model->general->CarpIf->__toString();
+
+if($carpif == '') {
+    exit(0);
+}
+
+$target_vhid = $model->general->VHID;
+$subsystem = !empty($argv[1]) ? $argv[1] : '';
+$type = !empty($argv[2]) ? $argv[2] : '';
+
+if ($type != 'MASTER' && $type != 'BACKUP') {
+    exit(1);
+}
+
+if (!strstr($subsystem, '@')) {
+    exit(1);
+}
+
+list ($vhid, $iface) = explode('@', $subsystem);
+$friendly = convert_real_interface_to_friendly_interface_name($iface);
+
+
+if ($carpif != $friendly || $vhid != $target_vhid) {
+    exit(0);
+}
+
+switch ($type) {
+    case 'MASTER':
+        shell_exec('/usr/local/bin/netbird up');
+        break;
+    case 'BACKUP':
+        shell_exec('/usr/local/bin/netbird down');
+        break;
+}
+
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php
new file mode 100644
index 0000000000..e74610aa99
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\netbird\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+/**
+ * netbird settings controller
+ * @package OPNsense\netbird
+ */
+class InitialController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'netbird';
+    protected static $internalModelClass = 'OPNsense\netbird\Initial';
+
+}
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php
new file mode 100644
index 0000000000..a20e78d17d
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php
@@ -0,0 +1,291 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\netbird\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
+use OPNsense\netbird\Initial;
+use OPNsense\netbird\Netbird;
+
+
+/**
+ * Class ServiceController
+ * @package OPNsense\netbird
+ */
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    const NETBIRD_CONFIG_JSON = '/usr/local/etc/netbird/config.json';
+    protected static $internalServiceClass = '\OPNsense\netbird\Netbird';
+    protected static $internalServiceEnabled = 'general.Enabled';
+    protected static $internalServiceTemplate = 'OPNsense/netbird';
+    protected static $internalServiceName = 'netbird';
+
+    public function conStatusAction(): string
+    {
+        $backend = new Backend();
+        $bckResult = $backend->configdRun("netbird con-status");
+        if ($bckResult !== null) {
+            return nl2br(htmlspecialchars($bckResult));
+        }
+        return "Error retrieving connection status";
+    }
+
+    public function searchFilter($array, $value): bool
+    {
+        foreach ($array as $val) {
+            if (str_contains(strval($val), strtolower($value))) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public function upDownStatusAction(): string
+    {
+        $backend = new Backend();
+        $bckResult = $backend->configdRun("netbird status");
+        if (!str_contains($bckResult, "is running")) {
+            return json_encode(array('updown' => "NOT RUNNING", 'status' => "Netbird is not running"));
+        }
+        $bckResult = $backend->configdRun("netbird short-con-status");
+        $txtStatus = nl2br(htmlspecialchars($bckResult));
+        $bckResult = $backend->configdRun("netbird con-status-json");
+        $status = json_decode($bckResult, true);
+        if (!$status['publicKey']) {
+            return json_encode(array('updown' => "DOWN", 'status' => $txtStatus));
+        }
+        return json_encode(array('updown' => "UP", 'status' => $txtStatus));
+    }
+
+    public function searchAction(): string
+    {
+        $request = $this->request;
+        $backend = new Backend();
+        $bckResult = $backend->configdRun("netbird status");
+        if (!str_contains($bckResult, "is running")) {
+            return json_encode(array('current' => 1, 'rowCount' => 0, 'total' => 0, 'rows' => array()));
+        }
+        $bckResult = $backend->configdRun("netbird con-status-json");
+        $status = json_decode($bckResult, true);
+        $itemsPerPage = $request->get('rowCount', 'int', -1);
+        $currentPage = $request->get('current', 'int', 1);
+        $sortBy = array('status');
+        $sortDescending = false;
+
+
+        $searchPhrase = strtolower($request->get('searchPhrase', 'string', ''));
+        if (!$status['peers']['details']) {
+            return json_encode(array('current' => 1, 'rowCount' => 0, 'total' => 0, 'rows' => array()));
+        }
+        $details = $status['peers']['details'];
+        $details = array_filter($details, function ($item) use ($searchPhrase) {
+            return $this->searchFilter($item, $searchPhrase);
+        });
+        $detailsFlat = array();
+        foreach ($details as $detail) {
+            $detailsFlat[] = $this->flattenOneLevel($detail);
+        }
+        if ($request->hasPost('sort') && is_array($request->get("sort")) && !empty($request->get("sort"))) {
+            $sortBy = array_keys($request->get("sort"));
+            if (!empty($sortBy) && $request->get("sort")[$sortBy[0]] == "desc") {
+                $sortDescending = true;
+            }
+
+        }
+        $sortValues = array();
+        foreach ($detailsFlat as $detail) {
+            $sortValues[] = $detail[$sortBy[0]];
+        }
+        array_multisort($sortValues, $sortDescending ? SORT_DESC : SORT_ASC, $detailsFlat);
+        $page = array_slice($detailsFlat, ($currentPage - 1) * $itemsPerPage, $itemsPerPage);
+        $page = $this->convertFieldsToDisplay($page);
+        $result = array('current' => $currentPage, 'rowCount' => count($page), 'total' => count($detailsFlat), 'rows' => $page);
+        return json_encode($result);
+    }
+
+    private function flattenOneLevel($array): array
+    {
+        $result = array();
+        foreach ($array as $key => $value) {
+            if (is_array($value)) {
+                foreach ($value as $subkey => $subvalue) {
+                    if ($key == "routes") {
+                        $result[$key] = implode("<br />", $value);
+                    }
+                    else {
+                        $result[$key . "." . $subkey] = $subvalue;
+                    }
+                }
+            } else {
+                $result[$key] = $value;
+            }
+        }
+        return $result;
+    }
+
+    public function setUpAction(): string
+    {
+        $backend = new Backend();
+        try {
+            return $backend->configdRun("netbird set-up");
+        } catch (\Exception $e) {
+            return "Error running netbird up" . "\n" . $e->getMessage();
+        }
+    }
+
+    public function initialUpAction(): string
+    {
+        $backend = new Backend();
+        $mdlInitial = new Initial();
+        $key = $mdlInitial->initial->setupkey->__toString();
+        $api = $mdlInitial->initial->mgmtservice->__toString();
+        $hostname = $mdlInitial->initial->hostname->__toString();
+        if ($hostname == "") {
+            $hostname = gethostname();
+            if(!$hostname){
+                $hostname = "OPNsense";
+            }else{
+                if(str_contains($hostname, ".")){
+                    $hostname = explode(".", $hostname)[0];
+                }
+            }
+
+            $mdlInitial->initial->hostname = $hostname;
+        }
+        $mdlInitial->initial->setupkey = "00000000-0000-0000-0000-000000000000";
+        $mdlInitial->initial->initsure = 0;
+
+        $mdlInitial->serializeToConfig();
+        $cnf = Config::getInstance();
+        $cnf->save();
+
+        $bckresult = $backend->configdRun("netbird set-up-initial " . escapeshellarg($api) . " " . escapeshellarg($key) . " " . escapeshellarg($hostname));
+        return nl2br(htmlspecialchars($bckresult));
+    }
+
+    public function setDownAction(): string
+    {
+        $backend = new Backend();
+        try {
+            return $backend->configdRun("netbird set-down");
+        } catch (\Exception $e) {
+            return "Error running netbird down" . "\n" . $e->getMessage();
+        }
+    }
+
+    public function reloadAction()
+    {
+        $status = "failed";
+        if ($this->request->isPost()) {
+            try {
+                $mdlNetbird = new Netbird();
+                $backend = new Backend();
+                if (trim($backend->configdRun('template reload OPNsense/netbird')) == "OK") {
+                    $status = "ok";
+                }
+
+                $enabled = $mdlNetbird->general->Enabled->__toString() == 1;
+                $carpEnabled = $mdlNetbird->general->CarpIf->__toString() != '';
+                $disableClientRoutes = $mdlNetbird->general->DisableClientRoutes->__toString() == 1;
+                $disableServerRoutes = $mdlNetbird->general->DisableServerRoutes->__toString() == 1;
+                $disableDNS = $mdlNetbird->general->DisableDNS->__toString() == 1;
+                $rpEnabled = $mdlNetbird->general->QuantumEnabled->__toString() == 1;
+                $rpPermissive = $mdlNetbird->general->QuantumPermissive->__toString() == 1;
+                $wgPort = $mdlNetbird->general->WgPort->__toString();
+                $netbirdConfigJson = file_get_contents(self::NETBIRD_CONFIG_JSON);
+                $netbirdConfig = json_decode($netbirdConfigJson, true);
+                $netbirdConfig["DisableAutoConnect"] = $carpEnabled;
+                $netbirdConfig["DisableClientRoutes"] = $disableClientRoutes;
+                $netbirdConfig["DisableServerRoutes"] = $disableServerRoutes;
+                $netbirdConfig["DisableDNS"] = $disableDNS;
+                $netbirdConfig["RosenpassEnabled"] = $rpEnabled;
+                $netbirdConfig["RosenpassPermissive"] = $rpPermissive;
+                $netbirdConfig["WgPort"] = intval($wgPort);
+                $netbirdConfigJson = json_encode($netbirdConfig);
+                file_put_contents(self::NETBIRD_CONFIG_JSON, $netbirdConfigJson);
+                $action = $enabled ? "restart" : "stop";
+                $backend->configdRun("netbird $action");
+            } catch (\Exception $e) {
+                $status = "failed";
+                syslog(LOG_ERR, "netbird: failed to reload configuration: " . $e->getMessage());
+            }
+        }
+        return array("status" => $status);
+    }
+
+    /**
+     * @param array $page
+     * @return array
+     */
+    public function convertFieldsToDisplay(array $page): array
+    {
+        for ($i = 0; $i < count($page); $i++) {
+            $page[$i]['latency'] = round($page[$i]['latency'] / 1000000, 2) . " ms";
+            $received = $page[$i]['transferReceived'];
+            $rcvUnit = "KiB";
+            $received /= 1024;
+            if ($received > 1024) {
+                $received /= 1024;
+                $rcvUnit = "MiB";
+            }
+            if ($received > 1024) {
+                $received /= 1024;
+                $rcvUnit = "GiB";
+            }
+
+            $sent = $page[$i]['transferSent'];
+            $sentUnit = "KiB";
+            $sent /= 1024;
+            if ($sent > 1024) {
+                $sent /= 1024;
+                $sentUnit = "MiB";
+            }
+            if ($sent > 1024) {
+                $sent /= 1024;
+                $sentUnit = "GiB";
+            }
+            $page[$i]['transferReceived'] = round($received, 2) . " " . $rcvUnit;
+            $page[$i]['transferSent'] = round($sent, 2) . " " . $sentUnit;
+            $page[$i]['lastStatusUpdate'] = date("Y-m-d H:i:s", strtotime($page[$i]['lastStatusUpdate']));
+            $page[$i]['lastWireguardHandshake'] = date("Y-m-d H:i:s", strtotime($page[$i]['lastWireguardHandshake']));
+            foreach ($page[$i] as $key => $value) {
+                if ($value == "true") {
+                    $page[$i][$key] = 1;
+                } elseif ($value == "false") {
+                    $page[$i][$key] = 0;
+                }
+
+            }
+        }
+        return $page;
+    }
+}
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/SettingsController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/SettingsController.php
new file mode 100644
index 0000000000..8f880f942a
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/SettingsController.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\netbird\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+/**
+ * netbird settings controller
+ * @package OPNsense\netbird
+ */
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'netbird';
+    protected static $internalModelClass = 'OPNsense\netbird\Netbird';
+}
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/ConstatusController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/ConstatusController.php
new file mode 100644
index 0000000000..a288e391ee
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/ConstatusController.php
@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\netbird;
+
+/**
+ * Class ConstatusController
+ * @package OPNsense\netbird
+ */
+class ConstatusController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/netbird/constatus');
+    }
+}
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/IndexController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/IndexController.php
new file mode 100644
index 0000000000..f17874e21f
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/IndexController.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\netbird;
+
+/**
+ * Class IndexController
+ * @package OPNsense\netbird
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->generalForm = $this->getForm("general");
+        $this->view->initialUpForm = $this->getForm("initialup");
+        $this->view->pick('OPNsense/netbird/index');
+    }
+}
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/general.xml b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/general.xml
new file mode 100644
index 0000000000..94513a0cd5
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/general.xml
@@ -0,0 +1,56 @@
+<form>
+    <field>
+        <id>netbird.general.Enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable Netbird</help>
+    </field>
+    <field>
+        <id>netbird.general.WgPort</id>
+        <label>Wireguard Port</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>netbird.general.DisableDNS</id>
+        <label>Disable Netbird DNS lookups</label>
+        <type>checkbox</type>
+        <help>Disables DNS lookups for the Netbird network.</help>
+    </field>
+    <field>
+        <id>netbird.general.DisableServerRoutes</id>
+        <label>Disable Server Routes</label>
+        <type>checkbox</type>
+        <help>Prevents Netbird from being a routing peer for other Netbird peers.</help>
+    </field>
+    <field>
+        <id>netbird.general.DisableClientRoutes</id>
+        <label>Disable Client Routes</label>
+        <type>checkbox</type>
+        <help>Prevents Netbird from setting client routes to other remote peers.</help>
+    </field>
+    <field>
+        <id>netbird.general.QuantumEnabled</id>
+        <label>Rosenpass Enabled</label>
+        <type>checkbox</type>
+        <help>Enable Rosenpass</help>
+    </field>
+    <field>
+        <id>netbird.general.QuantumPermissive</id>
+        <label>Rosenpass Permissive Mode</label>
+        <type>checkbox</type>
+        <help>Enable Rosenpass permissive mode</help>
+    </field>
+    <field>
+        <id>netbird.general.CarpIf</id>
+        <label>CARP Interface</label>
+        <type>dropdown</type>
+        <help>If set to none Netbird up is executed and auto connect is enabled. If an interface is selected auto
+            connect is disabled. Please trigger a CARP event or execute Netbird up manually on the MASTER node.
+        </help>
+    </field>
+    <field>
+        <id>netbird.general.VHID</id>
+        <label>CARP VHID</label>
+        <type>text</type>
+    </field>
+</form>
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/initialup.xml b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/initialup.xml
new file mode 100644
index 0000000000..eb4db002f0
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/initialup.xml
@@ -0,0 +1,25 @@
+<form>
+    <field>
+        <id>netbird.initial.mgmtservice</id>
+        <label>Management Service URL</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>netbird.initial.setupkey</id>
+        <label>Setup Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>netbird.initial.hostname</id>
+        <label>Hostname</label>
+        <type>text</type>
+        <help>If empty the system hostname excluding the domain part will be used.</help>
+    </field>
+        <field>
+        <id>netbird.initial.initsure</id>
+        <label>I know what I'm doing</label>
+        <type>checkbox</type>
+        <help>If you enable this checkbox and submit the form your old netbird config will be deleted. In case of an error it will get restored. Should something go terribly wrong you can find the backups
+        in the configuration folder. (/usr/local/etc/netbird)</help>
+    </field>
+</form>
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/ACL/ACL.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/ACL/ACL.xml
new file mode 100644
index 0000000000..d5e38af314
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-vpn-netbird>
+        <name>VPN: Netbird</name>
+        <patterns>
+            <pattern>ui/netbird/*</pattern>
+            <pattern>api/netbird/*</pattern>
+        </patterns>
+    </page-vpn-netbird>
+</acl>
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.php b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.php
new file mode 100644
index 0000000000..e629015fe1
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\netbird;
+
+use OPNsense\Base\BaseModel;
+
+class Initial extends BaseModel
+{
+}
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.xml
new file mode 100644
index 0000000000..e38f97126a
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.xml
@@ -0,0 +1,32 @@
+<model>
+    <mount>//OPNsense/netbird-initial</mount>
+    <description>
+        Netbird initial setup
+    </description>
+    <items>
+        <!-- container -->
+        <initial>
+            <!-- fields -->
+            <setupkey type="TextField">
+                <Mask>/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i</Mask>
+                <ValidationMessage>Please specify a valid setup key.</ValidationMessage>
+            </setupkey>
+            <mgmtservice type="UrlField">
+                <Required>Y</Required>
+                <default>https://api.netbird.io:443</default>
+            </mgmtservice>
+            <hostname type="HostnameField">
+                <Required>N</Required>
+                <IpAllowed>N</IpAllowed>
+                <HostWildcardAllowed>N</HostWildcardAllowed>
+                <FqdnWildcardAllowed>N</FqdnWildcardAllowed>
+                <ZoneRootAllowed>N</ZoneRootAllowed>
+                <ValidationMessage>Please specify a valid hostname.</ValidationMessage>
+            </hostname>
+            <initsure type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </initsure>
+        </initial>
+    </items>
+</model>
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml
new file mode 100644
index 0000000000..b499dd889b
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml
@@ -0,0 +1,9 @@
+<menu>
+    <VPN>
+        <Netbird cssClass="fa fa-lock fa-fw">
+            <Settings order="40" url="/ui/netbird"/>
+            <ConStatus order="50" VisibleName="Status" url="/ui/netbird/constatus"/>
+            <LogFile VisibleName="Log File" order="60" url="/ui/diagnostics/log/core/netbird"/>
+        </netbird>
+    </VPN>
+</menu>
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.php b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.php
new file mode 100644
index 0000000000..76dbf47846
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.php
@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\netbird;
+
+use OPNsense\Base\BaseModel;
+
+class Netbird extends BaseModel
+{
+}
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.xml
new file mode 100644
index 0000000000..11712a7070
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.xml
@@ -0,0 +1,46 @@
+<model>
+    <mount>//OPNsense/netbird</mount>
+    <version>0.8.1</version>
+    <description>Netbird plugin</description>
+    <items>
+        <!-- container -->
+        <general>
+            <!-- fields -->
+            <Enabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </Enabled>
+            <WgPort type="IntegerField">
+                <Required>Y</Required>
+                <default>51820</default>
+            </WgPort>
+            <QuantumEnabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </QuantumEnabled>
+            <DisableDNS type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </DisableDNS>
+            <DisableServerRoutes type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </DisableServerRoutes>
+            <DisableClientRoutes type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </DisableClientRoutes>
+            <QuantumPermissive type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </QuantumPermissive>
+            <CarpIf type="InterfaceField">
+                <Required>N</Required>
+            </CarpIf>
+            <VHID type="IntegerField">
+                <Required>N</Required>
+                <default>1</default>
+            </VHID>
+        </general>
+    </items>
+</model>
diff --git a/net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/constatus.volt b/net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/constatus.volt
new file mode 100644
index 0000000000..4d12f6127d
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/constatus.volt
@@ -0,0 +1,164 @@
+{#
+ # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ # Copyright (C) 2025 squared GmbH
+ # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+
+    $(document).ready(function () {
+
+        function refreshConStatus() {
+            $("#refreshAct_progress").addClass("fa fa-spinner fa-pulse");
+
+            ajaxCall(url = "/api/netbird/service/upDownStatus", sendData = {}, callback = function (data, status) {
+                if (data['updown'] == "UP") {
+                    $("#setUpAct").prop('disabled', true);
+                    $("#setDownAct").prop('disabled', false);
+                    $("#peers").prop('hidden', false);
+                } else if (data['updown'] == "DOWN") {
+                    $("#setUpAct").prop('disabled', false);
+                    $("#setDownAct").prop('disabled', true);
+                    $("#peers").prop('hidden', true);
+                } else {
+                    $("#setUpAct").prop('disabled', true);
+                    $("#setDownAct").prop('disabled', true);
+                    $("#peers").prop('hidden', true);
+                }
+                $("#updown").html(data['updown']);
+                $("#constatustxt").html(data['status']);
+                std_bootgrid_reload('grid-peers');
+                $("#refreshAct_progress").removeClass("fa fa-spinner fa-pulse");
+            });
+        }
+
+        $("#refreshAct").click(function () {
+            refreshConStatus();
+        });
+
+        $("#setUpAct").click(function () {
+            $("#setUp_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url = "/api/netbird/service/setup", sendData = {}, callback = function (data, status) {
+                setTimeout(function () {
+                    refreshConStatus();
+                    $("#setUp_progress").removeClass("fa fa-spinner fa-pulse");
+                }, 3000);
+
+            });
+        });
+
+        $("#setDownAct").click(function () {
+            $("#setDown_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url = "/api/netbird/service/setdown", sendData = {}, callback = function (data, status) {
+                setTimeout(function () {
+                    refreshConStatus();
+                    $("#setDown_progress").removeClass("fa fa-spinner fa-pulse");
+                }, 500);
+
+            });
+        });
+
+        $("#service_status_container").click(function () {
+            setTimeout(function () {
+                refreshConStatus();
+            }, 2000);
+        });
+
+        $("#grid-peers").UIBootgrid(
+            {
+                search: '/api/netbird/service/search'
+            }
+        );
+
+        refreshConStatus();
+        updateServiceControlUI('netbird');
+
+    });
+</script>
+<div class="col-md-12">
+    <h2>Netbird Connection</h2>
+    <span id="updown"></span>
+</div>
+<div class="col-md-12">
+    <button class="btn" id="setUpAct" type="button"><b>{{ lang._('Set UP') }}</b><i id="setUp_progress"></i></button>
+    <button class="btn" id="setDownAct" type="button"><b>{{ lang._('Set DOWN') }}</b><i id="setDown_progress"></i>
+    </button>
+</div>
+
+<div id="peers" class="col-md-12">
+    <h2>Peers</h2>
+    <table id="grid-peers" class="table table-condensed table-hover table-striped">
+        <thead>
+        <tr>
+            <th data-column-id="fqdn" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('FQDN') }}</th>
+            <th data-column-id="routes" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('Routes') }}</th>
+            <th data-width="8%" data-column-id="netbirdIp" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('IP') }}</th>
+            <th data-width="5%" data-column-id="direct" data-type="string" data-identifier="false"
+                data-formatter="boolean"
+                data-visible="true">{{ lang._('Direct') }}</th>
+            <th data-width="5%" data-column-id="status" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('Status') }}</th>
+            <th data-width="8%" data-column-id="lastWireguardHandshake" data-type="date" data-identifier="false"
+                data-visible="true">{{ lang._('Last Handshake') }}</th>
+            <th data-width="8%" data-column-id="lastStatusUpdate" data-type="date" data-identifier="false"
+                data-visible="true">{{ lang._('Last Status Update') }}</th>
+            <th data-width="5%" data-column-id="transferReceived" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('Received') }}</th>
+            <th data-width="5%" data-column-id="transferSent" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('Sent') }}</th>
+            <th data-width="5%" data-column-id="latency" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('Latency') }}</th>
+            <th data-width="5%" data-column-id="connectionType" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('Connection Type') }}</th>
+            <th data-width="5%" data-column-id="quantumResistance" data-type="string" data-identifier="false"
+                data-formatter="boolean"
+                data-visible="true">{{ lang._('QR') }}</th>
+            <th data-width="5%" data-column-id="iceCandidateType.local" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('ICE TL') }}</th>
+            <th data-width="5%" data-column-id="iceCandidateType.remote" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('ICE TR') }}</th>
+            <th data-width="8%" data-column-id="iceCandidateEndpoint.local" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('ICE EP Local') }}</th>
+            <th data-width="8%" data-column-id="iceCandidateEndpoint.remote" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('ICE EP Remote') }}</th>
+        </tr>
+        </thead>
+        <tbody>
+        </tbody>
+    </table>
+</div>
+<div class="col-md-12">
+    <h2>{{ lang._('Status Output') }}</h2>
+    <section id="constatustxt" class="col-xs-11">
+    </section>
+</div>
+
+<div class="col-md-12">
+    <button class="btn" id="refreshAct" type="button"><b>{{ lang._('Refresh') }}</b><i id="refreshAct_progress"></i>
+    </button>
+</div>
diff --git a/net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/index.volt b/net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/index.volt
new file mode 100644
index 0000000000..e3225bba83
--- /dev/null
+++ b/net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/index.volt
@@ -0,0 +1,107 @@
+{#
+ # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ # Copyright (C) 2025 squared GmbH
+ # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+
+    $(document).ready(function () {
+
+        $("#netbird\\.initial\\.initsure").click(function () {
+            if ($("#netbird\\.initial\\.initsure").prop('checked')) {
+                $("#initialAct").prop('disabled', false);
+            } else {
+                $("#initialAct").prop('disabled', true);
+            }
+        });
+
+        $("#saveAct").click(function () {
+            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
+            saveFormToEndpoint(url = "/api/netbird/settings/set", formid = 'frm_GeneralSettings', callback_ok = function () {
+                ajaxCall(url = "/api/netbird/service/reload", sendData = {}, callback = function (data, status) {
+                    updateServiceControlUI('netbird');
+                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
+                });
+            });
+        });
+
+        $("#initialAct").click(function () {
+            saveFormToEndpoint(url = "/api/netbird/initial/set", formid = 'frm_InitialUp', callback_ok = function () {
+                $("#initialAct_progress").addClass("fa fa-spinner fa-pulse");
+                ajaxCall(url = "/api/netbird/service/initialup", sendData = {}, callback = function (data, status) {
+                    $("#initialtxt").html(data.responseText);
+                    $("#resultdiv").prop('hidden', false);
+                    $("#initialAct").prop('disabled', true);
+                    var data_get_map_initial = {'frm_InitialUp': "/api/netbird/initial/get"};
+                    mapDataToFormUI(data_get_map_initial)
+                    ajaxCall(url = "/api/netbird/service/reload", sendData = {}, callback = function (data, status) {
+                        updateServiceControlUI('netbird');
+                        $("#initialAct_progress").removeClass("fa fa-spinner fa-pulse");
+                    });
+                });
+            }, true);
+        });
+
+
+        let data_get_map = {'frm_GeneralSettings': "/api/netbird/settings/get"};
+        mapDataToFormUI(data_get_map).done(function (data) {
+            updateServiceControlUI('netbird');
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        let data_get_map_initial = {'frm_InitialUp': "/api/netbird/initial/get"};
+        mapDataToFormUI(data_get_map_initial)
+    });
+</script>
+
+<div class="alert alert-info hidden" role="alert" id="responseMsg">
+
+</div>
+
+<div class="col-md-12">
+    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings']) }}
+</div>
+
+<div class="col-md-12">
+    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_progress"></i>
+    </button>
+</div>
+
+<div class="col-md-12">
+    {{ partial("layout_partials/base_form",['fields':initialUpForm,'id':'frm_InitialUp']) }}
+</div>
+
+<div class="col-md-12">
+    <button disabled="true" class="btn" id="initialAct" type="button"><b>{{ lang._('Setup') }}</b><i
+                id="initialAct_progress"></i>
+    </button>
+</div>
+
+<div class="col-md-12" id="resultdiv" hidden="true">
+    <h2>{{ lang._('Result') }}</h2>
+    <section id="initialtxt" class="col-xs-11">
+    </section>
+</div>
diff --git a/net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh b/net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh
new file mode 100755
index 0000000000..e338ef4054
--- /dev/null
+++ b/net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+timestamp=$(date +%s)
+/usr/local/etc/rc.d/netbird stop
+echo "Deleting old configuration file"
+mv /usr/local/etc/netbird/config.json /usr/local/etc/netbird/config.json.$timestamp
+/usr/local/etc/rc.d/netbird start
+/usr/local/bin/netbird up $@ 2>&1
+if [ $? -ne 0 ]; then
+    /usr/local/etc/rc.d/netbird stop
+    echo "Failed to bring up netbird"
+    echo "Restoring old configuration file"
+    mv /usr/local/etc/netbird/config.json /usr/local/etc/netbird/config.json.$timestamp.fail
+    mv /usr/local/etc/netbird/config.json.$timestamp /usr/local/etc/netbird/config.json
+    /usr/local/etc/rc.d/netbird start
+fi
+exit 0
\ No newline at end of file
diff --git a/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf b/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
new file mode 100644
index 0000000000..65711c67c1
--- /dev/null
+++ b/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
@@ -0,0 +1,57 @@
+[start]
+command:/usr/local/etc/rc.d/netbird start
+parameters:
+type:script
+message:starting netbird
+
+[stop]
+command:/usr/local/etc/rc.d/netbird stop
+parameters:
+type:script
+message:stopping netbird
+
+[restart]
+command:/usr/local/etc/rc.d/netbird restart
+parameters:
+type:script
+message:restarting netbird
+
+[status]
+command:/usr/local/etc/rc.d/netbird status
+errors:no
+type:script_output
+message:get netbird status
+
+[con-status]
+command:/usr/local/bin/netbird status -d
+errors:no
+type:script_output
+message:get netbird connection status
+
+[set-up]
+command:/usr/local/bin/netbird up
+type:script
+message:set netbird up
+
+[set-up-initial]
+command:/usr/local/opnsense/scripts/OPNsense/netbird/initialup.sh
+parameters: -m %s -k %s -n %s
+type:script_output
+message:setup netbird
+
+[set-down]
+command:/usr/local/bin/netbird down
+type:script
+message:set netbird down
+
+[short-con-status]
+command:/usr/local/bin/netbird status
+errors:no
+type:script_output
+message:get short netbird connection status
+
+[con-status-json]
+command:/usr/local/bin/netbird status --json
+errors:no
+type:script_output
+message:get netbird connection status
\ No newline at end of file
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf b/net/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf
new file mode 100644
index 0000000000..c16a43df75
--- /dev/null
+++ b/net/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [netbird].
+###################################################################
+filter f_local_netbird {
+    program("netbird");
+};
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS b/net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS
new file mode 100644
index 0000000000..123637703d
--- /dev/null
+++ b/net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS
@@ -0,0 +1 @@
+netbird:/etc/rc.conf.d/netbird
\ No newline at end of file
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/netbird/netbird b/net/netbird/src/opnsense/service/templates/OPNsense/netbird/netbird
new file mode 100644
index 0000000000..fba7bdb83c
--- /dev/null
+++ b/net/netbird/src/opnsense/service/templates/OPNsense/netbird/netbird
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.netbird.general.Enabled') and OPNsense.netbird.general.Enabled|default("0") == '1' %}
+netbird_enable="YES"
+{% else %}
+netbird_enable="NO"
+{% endif %}

From 9b67a27280e9f1a80f01b63c4e7886f90e8d941f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Jul 2025 12:22:37 +0200
Subject: [PATCH 2534/3088] net/netbird: initial style sweep ad XML fix

---
 net/netbird/Makefile                                            | 2 +-
 net/netbird/pkg-descr                                           | 2 +-
 net/netbird/src/etc/inc/plugins.inc.d/netbird.inc               | 1 -
 net/netbird/src/etc/rc.syshook.d/carp/30-netbird                | 1 -
 .../src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml  | 2 +-
 net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh  | 2 +-
 .../src/opnsense/service/conf/actions.d/actions_netbird.conf    | 2 +-
 .../src/opnsense/service/templates/OPNsense/netbird/+TARGETS    | 2 +-
 8 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/net/netbird/Makefile b/net/netbird/Makefile
index ab3854bc97..9765a5926e 100644
--- a/net/netbird/Makefile
+++ b/net/netbird/Makefile
@@ -6,4 +6,4 @@ PLUGIN_MAINTAINER=	opn-netbird@sun-ri.se
 PLUGIN_WWW=		    https://netbird.io
 PLUGIN_DEVEL=       yes
 
-.include "../../Mk/plugins.mk"
\ No newline at end of file
+.include "../../Mk/plugins.mk"
diff --git a/net/netbird/pkg-descr b/net/netbird/pkg-descr
index 2bd1408875..e3c155b98d 100644
--- a/net/netbird/pkg-descr
+++ b/net/netbird/pkg-descr
@@ -15,4 +15,4 @@ network routing simplify connectivity.
 FreeBSD systems to join a NetBird mesh network and securely communicate with
 other peers.
 
-For more details, visit: https://netbird.io
\ No newline at end of file
+For more details, visit: https://netbird.io
diff --git a/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc b/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
index fb8b4fdcee..596fa5029c 100644
--- a/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
+++ b/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
@@ -54,4 +54,3 @@ function netbird_services()
 
     return $services;
 }
-
diff --git a/net/netbird/src/etc/rc.syshook.d/carp/30-netbird b/net/netbird/src/etc/rc.syshook.d/carp/30-netbird
index 824d74f3bf..875593e14c 100755
--- a/net/netbird/src/etc/rc.syshook.d/carp/30-netbird
+++ b/net/netbird/src/etc/rc.syshook.d/carp/30-netbird
@@ -75,4 +75,3 @@ switch ($type) {
         shell_exec('/usr/local/bin/netbird down');
         break;
 }
-
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml
index b499dd889b..a569a29427 100644
--- a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml
@@ -4,6 +4,6 @@
             <Settings order="40" url="/ui/netbird"/>
             <ConStatus order="50" VisibleName="Status" url="/ui/netbird/constatus"/>
             <LogFile VisibleName="Log File" order="60" url="/ui/diagnostics/log/core/netbird"/>
-        </netbird>
+        </Netbird>
     </VPN>
 </menu>
diff --git a/net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh b/net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh
index e338ef4054..18fa891456 100755
--- a/net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh
+++ b/net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh
@@ -13,4 +13,4 @@ if [ $? -ne 0 ]; then
     mv /usr/local/etc/netbird/config.json.$timestamp /usr/local/etc/netbird/config.json
     /usr/local/etc/rc.d/netbird start
 fi
-exit 0
\ No newline at end of file
+exit 0
diff --git a/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf b/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
index 65711c67c1..a995f09f14 100644
--- a/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
+++ b/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
@@ -54,4 +54,4 @@ message:get short netbird connection status
 command:/usr/local/bin/netbird status --json
 errors:no
 type:script_output
-message:get netbird connection status
\ No newline at end of file
+message:get netbird connection status
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS b/net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS
index 123637703d..ee852218f5 100644
--- a/net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS
+++ b/net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS
@@ -1 +1 @@
-netbird:/etc/rc.conf.d/netbird
\ No newline at end of file
+netbird:/etc/rc.conf.d/netbird

From 449aed1ec7a09a4104472ad7e56e06096c0f730a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Jul 2025 12:27:45 +0200
Subject: [PATCH 2535/3088] net/netbird: more style

---
 .../OPNsense/netbird/Api/InitialController.php       |  1 -
 .../OPNsense/netbird/Api/ServiceController.php       | 12 ++++--------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php
index e74610aa99..03ea2b79b7 100644
--- a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php
@@ -40,5 +40,4 @@ class InitialController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'netbird';
     protected static $internalModelClass = 'OPNsense\netbird\Initial';
-
 }
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php
index a20e78d17d..4e58085e3f 100644
--- a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php
@@ -36,7 +36,6 @@
 use OPNsense\netbird\Initial;
 use OPNsense\netbird\Netbird;
 
-
 /**
  * Class ServiceController
  * @package OPNsense\netbird
@@ -119,7 +118,6 @@ public function searchAction(): string
             if (!empty($sortBy) && $request->get("sort")[$sortBy[0]] == "desc") {
                 $sortDescending = true;
             }
-
         }
         $sortValues = array();
         foreach ($detailsFlat as $detail) {
@@ -140,8 +138,7 @@ private function flattenOneLevel($array): array
                 foreach ($value as $subkey => $subvalue) {
                     if ($key == "routes") {
                         $result[$key] = implode("<br />", $value);
-                    }
-                    else {
+                    } else {
                         $result[$key . "." . $subkey] = $subvalue;
                     }
                 }
@@ -171,10 +168,10 @@ public function initialUpAction(): string
         $hostname = $mdlInitial->initial->hostname->__toString();
         if ($hostname == "") {
             $hostname = gethostname();
-            if(!$hostname){
+            if (!$hostname) {
                 $hostname = "OPNsense";
-            }else{
-                if(str_contains($hostname, ".")){
+            } else {
+                if (str_contains($hostname, ".")) {
                     $hostname = explode(".", $hostname)[0];
                 }
             }
@@ -283,7 +280,6 @@ public function convertFieldsToDisplay(array $page): array
                 } elseif ($value == "false") {
                     $page[$i][$key] = 0;
                 }
-
             }
         }
         return $page;

From 0894c205b74379ca7a17bb118d033deee8a9f461 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 15 Jul 2025 12:39:20 +0200
Subject: [PATCH 2536/3088] net/netbird: use "OPNsense.Netbird" where possible

Not changing the config.xml mountpoint.
---
 net/netbird/Makefile                               |  6 +++---
 net/netbird/src/etc/inc/plugins.inc.d/netbird.inc  |  2 +-
 net/netbird/src/etc/rc.syshook.d/carp/30-netbird   | 10 +++-------
 .../{netbird => Netbird}/Api/InitialController.php |  6 +++---
 .../{netbird => Netbird}/Api/ServiceController.php | 14 +++++++-------
 .../Api/SettingsController.php                     |  8 ++++----
 .../{netbird => Netbird}/ConstatusController.php   |  6 +++---
 .../{netbird => Netbird}/IndexController.php       | 10 +++++-----
 .../{netbird => Netbird}/forms/general.xml         |  0
 .../{netbird => Netbird}/forms/initialup.xml       |  0
 .../OPNsense/{netbird => Netbird}/ACL/ACL.xml      |  0
 .../OPNsense/{netbird => Netbird}/Initial.php      |  2 +-
 .../OPNsense/{netbird => Netbird}/Initial.xml      |  0
 .../OPNsense/{netbird => Netbird}/Menu/Menu.xml    |  0
 .../OPNsense/{netbird => Netbird}/Netbird.php      |  2 +-
 .../OPNsense/{netbird => Netbird}/Netbird.xml      |  0
 .../OPNsense/{netbird => Netbird}/constatus.volt   |  0
 .../views/OPNsense/{netbird => Netbird}/index.volt |  0
 .../OPNsense/{netbird => Netbird}/initialup.sh     |  0
 .../service/conf/actions.d/actions_netbird.conf    |  2 +-
 .../OPNsense/{netbird => Netbird}/+TARGETS         |  0
 .../OPNsense/{netbird => Netbird}/netbird          |  0
 22 files changed, 32 insertions(+), 36 deletions(-)
 rename net/netbird/src/opnsense/mvc/app/controllers/OPNsense/{netbird => Netbird}/Api/InitialController.php (92%)
 rename net/netbird/src/opnsense/mvc/app/controllers/OPNsense/{netbird => Netbird}/Api/ServiceController.php (97%)
 rename net/netbird/src/opnsense/mvc/app/controllers/OPNsense/{netbird => Netbird}/Api/SettingsController.php (91%)
 rename net/netbird/src/opnsense/mvc/app/controllers/OPNsense/{netbird => Netbird}/ConstatusController.php (93%)
 rename net/netbird/src/opnsense/mvc/app/controllers/OPNsense/{netbird => Netbird}/IndexController.php (87%)
 rename net/netbird/src/opnsense/mvc/app/controllers/OPNsense/{netbird => Netbird}/forms/general.xml (100%)
 rename net/netbird/src/opnsense/mvc/app/controllers/OPNsense/{netbird => Netbird}/forms/initialup.xml (100%)
 rename net/netbird/src/opnsense/mvc/app/models/OPNsense/{netbird => Netbird}/ACL/ACL.xml (100%)
 rename net/netbird/src/opnsense/mvc/app/models/OPNsense/{netbird => Netbird}/Initial.php (98%)
 rename net/netbird/src/opnsense/mvc/app/models/OPNsense/{netbird => Netbird}/Initial.xml (100%)
 rename net/netbird/src/opnsense/mvc/app/models/OPNsense/{netbird => Netbird}/Menu/Menu.xml (100%)
 rename net/netbird/src/opnsense/mvc/app/models/OPNsense/{netbird => Netbird}/Netbird.php (98%)
 rename net/netbird/src/opnsense/mvc/app/models/OPNsense/{netbird => Netbird}/Netbird.xml (100%)
 rename net/netbird/src/opnsense/mvc/app/views/OPNsense/{netbird => Netbird}/constatus.volt (100%)
 rename net/netbird/src/opnsense/mvc/app/views/OPNsense/{netbird => Netbird}/index.volt (100%)
 rename net/netbird/src/opnsense/scripts/OPNsense/{netbird => Netbird}/initialup.sh (100%)
 rename net/netbird/src/opnsense/service/templates/OPNsense/{netbird => Netbird}/+TARGETS (100%)
 rename net/netbird/src/opnsense/service/templates/OPNsense/{netbird => Netbird}/netbird (100%)

diff --git a/net/netbird/Makefile b/net/netbird/Makefile
index 9765a5926e..a2450c455e 100644
--- a/net/netbird/Makefile
+++ b/net/netbird/Makefile
@@ -1,9 +1,9 @@
 PLUGIN_NAME=		netbird
 PLUGIN_VERSION=		0.1
-PLUGIN_DEPENDS=	    netbird
+PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
 PLUGIN_MAINTAINER=	opn-netbird@sun-ri.se
-PLUGIN_WWW=		    https://netbird.io
-PLUGIN_DEVEL=       yes
+PLUGIN_WWW=		https://netbird.io
+PLUGIN_DEVEL=		yes
 
 .include "../../Mk/plugins.mk"
diff --git a/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc b/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
index 596fa5029c..57872cefe1 100644
--- a/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
+++ b/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
@@ -30,7 +30,7 @@
 
 function netbird_enabled()
 {
-    return !(new \OPNsense\netbird\Netbird())->general->Enabled->isEmpty();
+    return !(new \OPNsense\Netbird\Netbird())->general->Enabled->isEmpty();
 }
 
 function netbird_services()
diff --git a/net/netbird/src/etc/rc.syshook.d/carp/30-netbird b/net/netbird/src/etc/rc.syshook.d/carp/30-netbird
index 875593e14c..b4638afb7e 100755
--- a/net/netbird/src/etc/rc.syshook.d/carp/30-netbird
+++ b/net/netbird/src/etc/rc.syshook.d/carp/30-netbird
@@ -33,17 +33,13 @@ require_once('util.inc');
 require_once('interfaces.inc');
 
 
-$model = new \OPNsense\netbird\Netbird();
-$enabled = $model->general->Enabled->__toString();
+$model = new \OPNsense\Netbird\Netbird();
 
-
-if(!$enabled) {
+if ($model->general->Enabled->isEmpty()) {
     exit(0);
 }
 
-$carpif = $model->general->CarpIf->__toString();
-
-if($carpif == '') {
+if (!$model->general->CarpIf->isEqual('')) {
     exit(0);
 }
 
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php
similarity index 92%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php
rename to net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php
index 03ea2b79b7..a86b619d93 100644
--- a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/InitialController.php
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php
@@ -28,16 +28,16 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\netbird\Api;
+namespace OPNsense\Netbird\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
 
 /**
  * netbird settings controller
- * @package OPNsense\netbird
+ * @package OPNsense\Netbird
  */
 class InitialController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'netbird';
-    protected static $internalModelClass = 'OPNsense\netbird\Initial';
+    protected static $internalModelClass = 'OPNsense\Netbird\Initial';
 }
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
similarity index 97%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php
rename to net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
index 4e58085e3f..466c56c682 100644
--- a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/ServiceController.php
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
@@ -28,24 +28,24 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\netbird\Api;
+namespace OPNsense\Netbird\Api;
 
 use OPNsense\Base\ApiMutableServiceControllerBase;
 use OPNsense\Core\Backend;
 use OPNsense\Core\Config;
-use OPNsense\netbird\Initial;
-use OPNsense\netbird\Netbird;
+use OPNsense\Netbird\Initial;
+use OPNsense\Netbird\Netbird;
 
 /**
  * Class ServiceController
- * @package OPNsense\netbird
+ * @package OPNsense\Netbird
  */
 class ServiceController extends ApiMutableServiceControllerBase
 {
     const NETBIRD_CONFIG_JSON = '/usr/local/etc/netbird/config.json';
-    protected static $internalServiceClass = '\OPNsense\netbird\Netbird';
+    protected static $internalServiceClass = '\OPNsense\Netbird\Netbird';
     protected static $internalServiceEnabled = 'general.Enabled';
-    protected static $internalServiceTemplate = 'OPNsense/netbird';
+    protected static $internalServiceTemplate = 'OPNsense/Netbird';
     protected static $internalServiceName = 'netbird';
 
     public function conStatusAction(): string
@@ -206,7 +206,7 @@ public function reloadAction()
             try {
                 $mdlNetbird = new Netbird();
                 $backend = new Backend();
-                if (trim($backend->configdRun('template reload OPNsense/netbird')) == "OK") {
+                if (trim($backend->configdRun('template reload OPNsense/Netbird')) == "OK") {
                     $status = "ok";
                 }
 
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/SettingsController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
similarity index 91%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/SettingsController.php
rename to net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
index 8f880f942a..bd7ebc6033 100644
--- a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/Api/SettingsController.php
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
@@ -28,16 +28,16 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\netbird\Api;
+namespace OPNsense\Netbird\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
 
 /**
- * netbird settings controller
- * @package OPNsense\netbird
+ * Netbird settings controller
+ * @package OPNsense\Netbird
  */
 class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'netbird';
-    protected static $internalModelClass = 'OPNsense\netbird\Netbird';
+    protected static $internalModelClass = 'OPNsense\Netbird\Netbird';
 }
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/ConstatusController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php
similarity index 93%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/ConstatusController.php
rename to net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php
index a288e391ee..6c041912d0 100644
--- a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/ConstatusController.php
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php
@@ -28,16 +28,16 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\netbird;
+namespace OPNsense\Netbird;
 
 /**
  * Class ConstatusController
- * @package OPNsense\netbird
+ * @package OPNsense\Netbird
  */
 class ConstatusController extends \OPNsense\Base\IndexController
 {
     public function indexAction()
     {
-        $this->view->pick('OPNsense/netbird/constatus');
+        $this->view->pick('OPNsense/Netbird/constatus');
     }
 }
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/IndexController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php
similarity index 87%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/IndexController.php
rename to net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php
index f17874e21f..3567b469d4 100644
--- a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/IndexController.php
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php
@@ -28,18 +28,18 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\netbird;
+namespace OPNsense\Netbird;
 
 /**
  * Class IndexController
- * @package OPNsense\netbird
+ * @package OPNsense\Netbird
  */
 class IndexController extends \OPNsense\Base\IndexController
 {
     public function indexAction()
     {
-        $this->view->generalForm = $this->getForm("general");
-        $this->view->initialUpForm = $this->getForm("initialup");
-        $this->view->pick('OPNsense/netbird/index');
+        $this->view->generalForm = $this->getForm('general');
+        $this->view->initialUpForm = $this->getForm('initialup');
+        $this->view->pick('OPNsense/Netbird/index');
     }
 }
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/general.xml b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/general.xml
rename to net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/initialup.xml b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/netbird/forms/initialup.xml
rename to net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/ACL/ACL.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/ACL/ACL.xml
rename to net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.php b/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php
similarity index 98%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.php
rename to net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php
index e629015fe1..01176577cc 100644
--- a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.php
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php
@@ -28,7 +28,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\netbird;
+namespace OPNsense\Netbird;
 
 use OPNsense\Base\BaseModel;
 
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Initial.xml
rename to net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Menu/Menu.xml
rename to net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.php b/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php
similarity index 98%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.php
rename to net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php
index 76dbf47846..d562455d13 100644
--- a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.php
+++ b/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php
@@ -28,7 +28,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-namespace OPNsense\netbird;
+namespace OPNsense\Netbird;
 
 use OPNsense\Base\BaseModel;
 
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.xml b/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/netbird/Netbird.xml
rename to net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml
diff --git a/net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/constatus.volt b/net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/constatus.volt
rename to net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
diff --git a/net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/index.volt b/net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/views/OPNsense/netbird/index.volt
rename to net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt
diff --git a/net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh b/net/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh
similarity index 100%
rename from net/netbird/src/opnsense/scripts/OPNsense/netbird/initialup.sh
rename to net/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh
diff --git a/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf b/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
index a995f09f14..da49b4e3df 100644
--- a/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
+++ b/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
@@ -34,7 +34,7 @@ type:script
 message:set netbird up
 
 [set-up-initial]
-command:/usr/local/opnsense/scripts/OPNsense/netbird/initialup.sh
+command:/usr/local/opnsense/scripts/OPNsense/Netbird/initialup.sh
 parameters: -m %s -k %s -n %s
 type:script_output
 message:setup netbird
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS b/net/netbird/src/opnsense/service/templates/OPNsense/Netbird/+TARGETS
similarity index 100%
rename from net/netbird/src/opnsense/service/templates/OPNsense/netbird/+TARGETS
rename to net/netbird/src/opnsense/service/templates/OPNsense/Netbird/+TARGETS
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/netbird/netbird b/net/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
similarity index 100%
rename from net/netbird/src/opnsense/service/templates/OPNsense/netbird/netbird
rename to net/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird

From 2e7ed155798f80dc0e14e7090fb68556fedadf64 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 16 Jul 2025 09:22:54 +0200
Subject: [PATCH 2537/3088] plugins: sync

---
 LICENSE   | 3 +++
 README.md | 1 +
 2 files changed, 4 insertions(+)

diff --git a/LICENSE b/LICENSE
index 41d43f0ec1..8f1fb9c800 100644
--- a/LICENSE
+++ b/LICENSE
@@ -8,6 +8,7 @@ Copyright (c) 2021 Axelrtgs
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
 Copyright (c) 2023-2025 Cedrik Pischem
+Copyright (c) 2025 Christopher Linn, BackendMedia IT-Services GmbH
 Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2021 Dan Lundqvist
@@ -62,6 +63,7 @@ Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2023 Oliver Hartl
 Copyright (c) 2024 Olly Baker <ilumos@gmail.com>
+Copyright (c) 2025 Ralph Moser, PJ Monitoring GmbH
 Copyright (c) 2024 realizelol
 Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2023 sattamjh
@@ -70,6 +72,7 @@ Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2024 Sheridan Computers
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2018 Smart-Soft
+Copyright (c) 2025 squared GmbH
 Copyright (c) 2020 Starkstromkonsument
 Copyright (c) 2023-2024 Thomas Cekal <thomas@cekal.org>
 Copyright (c) 2020 Tobias Boehnert
diff --git a/README.md b/README.md
index ccd7712dc6..2f294b2bb8 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
 net/ndproxy -- Neighbor Discovery Proxy
+net/netbird -- Peer-to-peer VPN that seamlessly connects your devices (development only)
 net/ntopng -- Traffic Analysis and Flow Collection
 net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
 net/realtek-re -- Realtek re(4) vendor driver

From 4ca070d108dca29b69b050bdbdcf2057e73d0fc8 Mon Sep 17 00:00:00 2001
From: Russ Kubes <rkubes@users.noreply.github.com>
Date: Wed, 16 Jul 2025 15:48:34 -0500
Subject: [PATCH 2538/3088] Update Sftp.php (#4820)

Fixed an issue where SFTP backup would not be able to list remote backups if hostname was prefixed and hostname or domain had uppercase characters.
---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
index a255fc7250..e817c00a73 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Sftp.php
@@ -236,7 +236,7 @@ public function backup()
                 $fileprefix = "config-";
             } else {
                 $config = $cnf->object();
-                $fileprefix = sprintf('%s.%s-', (string)$config->system->hostname, (string)$config->system->domain);
+                $fileprefix = strtolower(sprintf('%s.%s-', (string)$config->system->hostname, (string)$config->system->domain));
             }
             /**
              * Collect most recent backup, since /conf/backup/ always contains the latests, we can use the filename

From 3c40ecf67a72d235cb1e849125f717afa8506c21 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Jul 2025 08:24:06 +0200
Subject: [PATCH 2539/3088] sysutils/sftp-backup: bump rev

---
 sysutils/sftp-backup/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/sftp-backup/Makefile b/sysutils/sftp-backup/Makefile
index 448f13de18..f5a6986350 100644
--- a/sysutils/sftp-backup/Makefile
+++ b/sysutils/sftp-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		sftp-backup
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Backup configurations using SFTP
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_TIER=		2

From 6da8598a6bc8661df3945775719cae51836629a8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Jul 2025 08:26:31 +0200
Subject: [PATCH 2540/3088] www/nginx: document this change

---
 www/nginx/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 464215e465..d6b49aa7d2 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -17,6 +17,7 @@ Plugin Changelog
 * Migrate from the deprecated 'listen … http2' directive to the 'http2' directive
 * Limit CSP log file size (migration notice: if you want to keep CSP violations logged, you will need to enable logging in the security policy)
 * Add basic support for forced caching (contributed by Eirik Øverby)
+* Add ability to override SNI for streams (contributed by DodoLeDev)
 
 1.33
 

From 06ea26bbb5fdfad0b392a93c4b439fcb3121ae87 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 17 Jul 2025 11:56:31 +0200
Subject: [PATCH 2541/3088] net/shadowsocks: switch to shadowsocks-rust; closes
 #4662

---
 net/shadowsocks/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/shadowsocks/Makefile b/net/shadowsocks/Makefile
index bd4abead24..762a18ad00 100644
--- a/net/shadowsocks/Makefile
+++ b/net/shadowsocks/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		shadowsocks
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Secure socks5 proxy
-PLUGIN_DEPENDS=		shadowsocks-libev
+PLUGIN_DEPENDS=		shadowsocks-rust
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 
 .include "../../Mk/plugins.mk"

From e4f3b8f87303b63bbd53851ce625378fd09410cf Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 18 Jul 2025 15:57:43 +0200
Subject: [PATCH 2542/3088] devel/grid_example: Implement base_bootgrid_table
 and base_apply_button into grid example (#4815)

---
 .../GridExample/Api/ServiceController.php     | 49 +++++++++++++++++++
 .../GridExample/Api/SettingsController.php    |  5 +-
 .../OPNsense/GridExample/IndexController.php  |  4 +-
 .../GridExample/forms/dialogAddress.xml       | 19 ++++++-
 .../OPNsense/GridExample/GridExample.xml      |  1 +
 .../app/views/OPNsense/GridExample/index.volt | 44 ++++++-----------
 6 files changed, 89 insertions(+), 33 deletions(-)
 create mode 100644 devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/ServiceController.php

diff --git a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/ServiceController.php b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/ServiceController.php
new file mode 100644
index 0000000000..00ae072e08
--- /dev/null
+++ b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/ServiceController.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ *    Copyright (C) 2015-2025 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\GridExample\Api;
+
+use OPNsense\Base\ApiControllerBase;
+
+/**
+ * Class ServiceController
+ * @package OPNsense\GridExample
+ */
+class ServiceController extends ApiControllerBase
+{
+    /**
+     * non operational reconfigure for base_apply_button
+     */
+    public function reconfigureAction()
+    {
+        sleep(1); // simulate something happening
+        return ["status" => "ok"];
+    }
+}
diff --git a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/SettingsController.php b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/SettingsController.php
index 3cbe4725d4..af6fa7491d 100644
--- a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/SettingsController.php
+++ b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/SettingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2019 Deciso B.V.
+ *    Copyright (C) 2019-2025 Deciso B.V.
  *
  *    All rights reserved.
  *
@@ -43,7 +43,7 @@ class SettingsController extends ApiMutableModelControllerBase
 
     public function searchItemAction()
     {
-        return $this->searchBase("addresses.address", array('enabled', 'email'), "email");
+        return $this->searchBase("addresses.address", null, "email");
     }
 
     public function setItemAction($uuid)
@@ -70,4 +70,5 @@ public function toggleItemAction($uuid, $enabled = null)
     {
         return $this->toggleBase("addresses.address", $uuid, $enabled);
     }
+
 }
diff --git a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/IndexController.php b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/IndexController.php
index e3e86e6474..79d674d0b3 100644
--- a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/IndexController.php
+++ b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/IndexController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2019 Deciso B.V.
+ *    Copyright (C) 2019-2025 Deciso B.V.
  *
  *    All rights reserved.
  *
@@ -40,5 +40,7 @@ public function indexAction()
     {
         $this->view->pick('OPNsense/GridExample/index');
         $this->view->formDialogAddress = $this->getForm("dialogAddress");
+        // convert dialog for grid table
+        $this->view->formGridAddress = $this->getFormGrid("dialogAddress");
     }
 }
diff --git a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/forms/dialogAddress.xml b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/forms/dialogAddress.xml
index 9a65a91a77..74f842bd75 100644
--- a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/forms/dialogAddress.xml
+++ b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/forms/dialogAddress.xml
@@ -1,13 +1,30 @@
 <form>
     <field>
         <id>address.enabled</id>
-        <label>enabled</label>
+        <label>Enabled</label>
         <type>checkbox</type>
         <help>Enable this address</help>
+        <!-- Format the grid column for enabled button-->
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
     </field>
     <field>
         <id>address.email</id>
         <label>Email</label>
         <type>text</type>
+        <help>Enter the email address</help>
+    </field>
+    <field>
+        <id>address.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Enter an optional description</help>
+        <!-- Hide this grid column per default -->
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
 </form>
diff --git a/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml b/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
index bffca06161..fc1146dd28 100644
--- a/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
+++ b/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
@@ -13,6 +13,7 @@
                 <email type="EmailField">
                     <Required>Y</Required>
                 </email>
+                <description type="DescriptionField"/>
             </address>
         </addresses>
     </items>
diff --git a/devel/grid_example/src/opnsense/mvc/app/views/OPNsense/GridExample/index.volt b/devel/grid_example/src/opnsense/mvc/app/views/OPNsense/GridExample/index.volt
index 51f35f527b..4f0ed8fd52 100644
--- a/devel/grid_example/src/opnsense/mvc/app/views/OPNsense/GridExample/index.volt
+++ b/devel/grid_example/src/opnsense/mvc/app/views/OPNsense/GridExample/index.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2019 Deciso B.V.
+ # Copyright (c) 2019-2025 Deciso B.V.
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -25,9 +25,9 @@
 #}
 
 <script>
-
-    $( document ).ready(function() {
-        $("#grid-addresses").UIBootgrid(
+    $(document).ready(function() {
+        // set up the UIBootgrid API endpoints for the base_bootgrid_table
+        $("#{{formGridAddress['table_id']}}").UIBootgrid(
             {   search:'/api/gridexample/settings/search_item/',
                 get:'/api/gridexample/settings/get_item/',
                 set:'/api/gridexample/settings/set_item/',
@@ -36,32 +36,18 @@
                 toggle:'/api/gridexample/settings/toggle_item/'
             }
         );
+
+        // use SimpleActionButton() to call /api/gridexample/service/reconfigure as example
+        $("#reconfigureAct").SimpleActionButton();
     });
 
 </script>
 
-
-<table id="grid-addresses" class="table table-condensed table-hover table-striped" data-editDialog="DialogAddress">
-    <thead>
-        <tr>
-            <th data-column-id="uuid" data-type="string" data-identifier="true"  data-visible="false">{{ lang._('ID') }}</th>
-            <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-            <th data-column-id="email" data-type="string">{{ lang._('Email') }}</th>
-            <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
-        </tr>
-    </thead>
-    <tbody>
-    </tbody>
-    <tfoot>
-        <tr>
-            <td></td>
-            <td>
-                <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
-                <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
-            </td>
-        </tr>
-    </tfoot>
-</table>
-
-
-{{ partial("layout_partials/base_dialog",['fields':formDialogAddress,'id':'DialogAddress','label':lang._('Edit address')])}}
+<div class="content-box">
+    <!-- auto creates a bootgrid from the data in formGridAddress -->
+    {{ partial('layout_partials/base_bootgrid_table', formGridAddress) }}
+</div>
+<!-- general purpose apply button, used to trigger reconfigureAct -->
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/gridexample/service/reconfigure'}) }}
+<!-- base_dialog used by the base_bootgrid_table -->
+{{ partial("layout_partials/base_dialog",['fields':formDialogAddress,'id':formGridAddress['edit_dialog_id'],'label':lang._('Edit address')])}}

From fd49d06c602039384c789826627486ad8f082916 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 19 Jul 2025 15:47:31 +0200
Subject: [PATCH 2543/3088] security/strongswan-legacy: plugin done

PR: https://github.com/opnsense/core/issues/8348
---
 LICENSE                                       |    5 +-
 security/strongswan-legacy/Makefile           |    2 +-
 .../models/OPNsense/IPsecLegacy/ACL/ACL.xml   |   28 +
 .../models/OPNsense/IPsecLegacy/Menu/Menu.xml |   13 +
 .../src/www/vpn_ipsec_mobile.php              |  310 ++++
 .../src/www/vpn_ipsec_phase1.php              | 1351 +++++++++++++++++
 .../src/www/vpn_ipsec_phase2.php              |  842 ++++++++++
 7 files changed, 2548 insertions(+), 3 deletions(-)
 create mode 100644 security/strongswan-legacy/src/opnsense/mvc/app/models/OPNsense/IPsecLegacy/ACL/ACL.xml
 create mode 100644 security/strongswan-legacy/src/opnsense/mvc/app/models/OPNsense/IPsecLegacy/Menu/Menu.xml
 create mode 100644 security/strongswan-legacy/src/www/vpn_ipsec_mobile.php
 create mode 100644 security/strongswan-legacy/src/www/vpn_ipsec_phase1.php
 create mode 100644 security/strongswan-legacy/src/www/vpn_ipsec_phase2.php

diff --git a/LICENSE b/LICENSE
index 8f1fb9c800..5ac4735ef3 100644
--- a/LICENSE
+++ b/LICENSE
@@ -20,7 +20,7 @@ Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 Copyright (c) 2023 Dmitry Shinkaruk
 Copyright (c) 2024 DollarSign23
 Copyright (c) 2006 Eric Friesen
-Copyright (c) 2008-2010 Ermal Luçi
+Copyright (c) 2008-2014 Ermal Luçi
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
@@ -42,7 +42,7 @@ Copyright (c) 2024 laraveluser
 Copyright (c) 2023 Liam Steckler <liam@liamsteckler.com>
 Copyright (c) 2020-2021 Manuel Faux
 Copyright (c) 2021 Manuel Hofmann
-Copyright (c) 2003-2004 Manuel Kasper <mk@neon1.net>
+Copyright (c) 2003-2005 Manuel Kasper <mk@neon1.net>
 Copyright (c) 2023 Marc Bartelt
 Copyright (c) 2021 Marcel Koepfli
 Copyright (c) 2021 Markus Peter <mpeter@one-it.de>
@@ -63,6 +63,7 @@ Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2023 Oliver Hartl
 Copyright (c) 2024 Olly Baker <ilumos@gmail.com>
+Copyright (c) 2019 Pascal Mathis <mail@pascalmathis.com>
 Copyright (c) 2025 Ralph Moser, PJ Monitoring GmbH
 Copyright (c) 2024 realizelol
 Copyright (c) 2022 Robbert Rijkse
diff --git a/security/strongswan-legacy/Makefile b/security/strongswan-legacy/Makefile
index fceb923cf9..2f2a02c733 100644
--- a/security/strongswan-legacy/Makefile
+++ b/security/strongswan-legacy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		strongswan-legacy
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		IPsec legacy support
 PLUGIN_DEPENDS=		# strongswan
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/strongswan-legacy/src/opnsense/mvc/app/models/OPNsense/IPsecLegacy/ACL/ACL.xml b/security/strongswan-legacy/src/opnsense/mvc/app/models/OPNsense/IPsecLegacy/ACL/ACL.xml
new file mode 100644
index 0000000000..7441c7c6c0
--- /dev/null
+++ b/security/strongswan-legacy/src/opnsense/mvc/app/models/OPNsense/IPsecLegacy/ACL/ACL.xml
@@ -0,0 +1,28 @@
+<acl>
+    <page-vpn-ipsec>
+        <name>VPN: IPsec: Tunnels [legacy]</name>
+        <patterns>
+            <pattern>ui/ipsec/tunnels</pattern>
+            <pattern>api/ipsec/tunnel/*</pattern>
+            <pattern>api/ipsec/legacy_subsystem/*</pattern>
+        </patterns>
+    </page-vpn-ipsec>
+    <page-vpn-ipsec-editphase1>
+        <name>VPN: IPsec: Edit Phase 1</name>
+        <patterns>
+            <pattern>vpn_ipsec_phase1.php*</pattern>
+        </patterns>
+    </page-vpn-ipsec-editphase1>
+    <page-vpn-ipsec-editphase2>
+        <name>VPN: IPsec: Edit Phase 2</name>
+        <patterns>
+            <pattern>vpn_ipsec_phase2.php*</pattern>
+        </patterns>
+    </page-vpn-ipsec-editphase2>
+    <page-vpn-ipsec-mobile>
+        <name>VPN: IPsec: Mobile [legacy]</name>
+        <patterns>
+            <pattern>vpn_ipsec_mobile.php*</pattern>
+        </patterns>
+    </page-vpn-ipsec-mobile>
+</acl>
diff --git a/security/strongswan-legacy/src/opnsense/mvc/app/models/OPNsense/IPsecLegacy/Menu/Menu.xml b/security/strongswan-legacy/src/opnsense/mvc/app/models/OPNsense/IPsecLegacy/Menu/Menu.xml
new file mode 100644
index 0000000000..6a33b6cf60
--- /dev/null
+++ b/security/strongswan-legacy/src/opnsense/mvc/app/models/OPNsense/IPsecLegacy/Menu/Menu.xml
@@ -0,0 +1,13 @@
+<menu>
+    <VPN>
+        <IPsec>
+            <Tunnels order="10" VisibleName="Tunnel Settings [legacy]" url="/ui/ipsec/tunnels">
+                <Phase1 url="/vpn_ipsec_phase1.php*" visibility="hidden"/>
+                <Phase2 url="/vpn_ipsec_phase2.php*" visibility="hidden"/>
+            </Tunnels>
+            <Mobile order="20" VisibleName="Mobile Clients [legacy]" url="/vpn_ipsec_mobile.php">
+                <Act url="/vpn_ipsec_mobile.php*" visibility="hidden"/>
+            </Mobile>
+        </IPsec>
+    </VPN>
+</menu>
diff --git a/security/strongswan-legacy/src/www/vpn_ipsec_mobile.php b/security/strongswan-legacy/src/www/vpn_ipsec_mobile.php
new file mode 100644
index 0000000000..23d00589aa
--- /dev/null
+++ b/security/strongswan-legacy/src/www/vpn_ipsec_mobile.php
@@ -0,0 +1,310 @@
+<?php
+
+/*
+ * Copyright (C) 2014-2025 Deciso B.V.
+ * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("interfaces.inc");
+require_once("filter.inc");
+require_once("system.inc");
+require_once("plugins.inc.d/ipsec.inc");
+
+config_read_array('ipsec', 'client');
+config_read_array('ipsec', 'phase1');
+
+// define formfields
+$form_fields = "pool_address,pool_netbits,pool_address_v6,pool_netbits_v6";
+
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    // pass savemessage
+    if (isset($_GET['savemsg'])) {
+        $savemsg = htmlspecialchars($_GET['savemsg']);
+    }
+    $pconfig = array();
+    // defaults
+    $pconfig['pool_netbits'] = 24;
+    $pconfig['pool_netbits_v6'] = 64;
+
+    // copy / initialize $pconfig attributes
+    foreach (explode(",", $form_fields) as $fieldname) {
+        $fieldname = trim($fieldname);
+        if (isset($config['ipsec']['client'][$fieldname])) {
+            $pconfig[$fieldname] = $config['ipsec']['client'][$fieldname];
+        } elseif (!isset($pconfig[$fieldname])) {
+          // initialize element
+            $pconfig[$fieldname] = null;
+        }
+    }
+    if (isset($config['ipsec']['client']['enable'])) {
+        $pconfig['enable'] = true;
+    }
+
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $input_errors = array();
+    $pconfig = $_POST;
+    if (isset($_POST['create'])) {
+        // create new phase1 entry
+        header(url_safe('Location: /vpn_ipsec_phase1.php?mobile=true'));
+        exit;
+    } elseif (isset($_POST['apply'])) {
+        // apply changes
+        ipsec_configure_do();
+        $savemsg = get_std_save_message(true);
+        clear_subsystem_dirty('ipsec');
+        header(url_safe('Location: /vpn_ipsec_mobile.php?savemsg=%s', array($savemsg)));
+        exit;
+    } elseif (isset($_POST['submit'])) {
+        // save form changes
+        if (!empty($pconfig['pool_address']) && !is_ipaddr($pconfig['pool_address'])) {
+            $input_errors[] = gettext("A valid IPv4 address for 'Virtual IPv4 Address Pool Network' must be specified.");
+        }
+
+        if (!empty($pconfig['pool_address_v6']) && !is_ipaddr($pconfig['pool_address_v6'])) {
+            $input_errors[] = gettext("A valid IPv6 address for 'Virtual IPv6 Address Pool Network' must be specified.");
+        }
+
+
+        if (count($input_errors) == 0) {
+            $client = array();
+            $copy_fields = "pool_address,pool_netbits,pool_address_v6,pool_netbits_v6";
+            foreach (explode(",", $copy_fields) as $fieldname) {
+                $fieldname = trim($fieldname);
+                if (!empty($pconfig[$fieldname])) {
+                    $client[$fieldname] = $pconfig[$fieldname];
+                }
+            }
+            if (!empty($pconfig['enable'])) {
+                $client['enable'] = true;
+            }
+
+            $config['ipsec']['client'] = $client;
+
+            write_config();
+            mark_subsystem_dirty('ipsec');
+            header(url_safe('Location: /vpn_ipsec_mobile.php'));
+            exit;
+        }
+    }
+
+    // initialize missing post attributes
+    foreach (explode(",", $form_fields) as $fieldname) {
+        $fieldname = trim($fieldname);
+        if (!isset($pconfig[$fieldname])) {
+            $pconfig[$fieldname] = null;
+        }
+    }
+}
+
+legacy_html_escape_form_data($pconfig);
+
+$service_hook = 'strongswan';
+
+include("head.inc");
+
+?>
+
+<body>
+
+<script>
+//<![CDATA[
+$( document ).ready(function() {
+  pool_change();
+  pool_v6_change();
+
+  $("#ike_mobile_enable").change(function(){
+      if ($(this).is(':checked')) {
+          $("#ike_extensions").find("tr:not(.ike_heading)").show();
+      } else {
+          $("#ike_extensions").find("tr:not(.ike_heading)").hide();
+      }
+  });
+  $("#ike_mobile_enable").change();
+
+});
+
+function pool_change() {
+
+  if (document.iform.pool_enable.checked) {
+    document.iform.pool_address.disabled = 0;
+    document.iform.pool_netbits.disabled = 0;
+  } else {
+    document.iform.pool_address.disabled = 1;
+    document.iform.pool_netbits.disabled = 1;
+  }
+}
+
+function pool_v6_change() {
+
+    if (document.iform.pool_enable_v6.checked) {
+        document.iform.pool_address_v6.disabled = 0;
+        document.iform.pool_netbits_v6.disabled = 0;
+    } else {
+        document.iform.pool_address_v6.disabled = 1;
+        document.iform.pool_netbits_v6.disabled = 1;
+    }
+}
+
+//]]>
+</script>
+
+<?php include("fbegin.inc"); ?>
+
+  <section class="page-content-main">
+    <div class="container-fluid">
+      <div class="row">
+<?php
+if (isset($savemsg)) {
+    print_info_box($savemsg);
+}
+if (isset($config['ipsec']['enable']) && is_subsystem_dirty('ipsec')) {
+    print_info_box_apply(gettext("The IPsec tunnel configuration has been changed") . ".<br />" . gettext("You must apply the changes in order for them to take effect."));
+}
+$ph1found = false;
+$legacy_radius_configured = false;
+foreach ($config['ipsec']['phase1'] as $ph1ent) {
+    if (!isset($ph1ent['disabled']) && isset($ph1ent['mobile'])) {
+        $ph1found = true;
+        if (($ph1ent['authentication_method'] ?? '') == 'eap-radius') {
+            $legacy_radius_configured = true;
+        }
+    }
+}
+
+function print_legacy_box($msg, $name, $value)
+{
+  $savebutton = "<form method=\"post\">";
+  $savebutton .= "<input name=\"{$name}\" type=\"submit\" class=\"btn btn-default\" id=\"{$name}\" value=\"{$value}\" />";
+  if (!empty($_POST['if'])) {
+    $savebutton .= "<input type=\"hidden\" name=\"if\" value=\"" . htmlspecialchars($_POST['if']) . "\" />";
+  }
+  $savebutton .= '</form>';
+
+  echo <<<EOFnp
+<div class="col-xs-12">
+  <div class="alert alert-info alert-dismissible" role="alert">
+    {$savebutton}
+    <p>{$msg}</p>
+  </div>
+</div>
+
+EOFnp;
+}
+
+if (!empty($pconfig['enable']) && !$ph1found && !(new OPNsense\IPsec\Swanctl())->isEnabled()) {
+    print_legacy_box(gettext("Support for IPsec Mobile clients is enabled but a Phase1 definition was not found") . ".<br />" . gettext("When using (legacy) tunnels, please click Create to define one."), "create", gettext("Create Phase1"));
+}
+if (isset($input_errors) && count($input_errors) > 0) {
+    print_input_errors($input_errors);
+}
+?>
+        <form method="post" name="iform" id="iform">
+          <section class="col-xs-12">
+             <div class="tab-content content-box col-xs-12">
+                <table class="table table-striped opnsense_standard_table_form" id="ike_extensions">
+                  <tr class="ike_heading">
+                      <td style="width:22%"><b><?=gettext("IKE Extensions"); ?> </b></td>
+                      <td style="width:78%; text-align:right">
+                        <small><?=gettext("full help"); ?> </small>
+                        <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+                      </td>
+                    </tr>
+                  <tr class="ike_heading">
+                    <td> <a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable")?></td>
+                    <td>
+                      <input name="enable" id="ike_mobile_enable" type="checkbox" value="yes" <?= !empty($pconfig['enable']) ? "checked=\"checked\"" : "";?> />
+                      <?=gettext("Enable IPsec Mobile Client Support"); ?>
+                      <div class="hidden" data-for="help_for_enable">
+                        <?= gettext(
+                          'Enable mobile settings, '.
+                          'some of the settings below depend on configuration choices in configured tunnels, ' .
+                          'when not dependent on configured networks, they will also be used for configured connections when this option is checked.') ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                      <td colspan="2"><b><?=gettext("Client Configuration (mode-cfg)"); ?> </b></td>
+                    </tr>
+                  <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Virtual IPv4 Address Pool"); ?></td>
+                      <td>
+                          <input name="pool_enable" type="checkbox" id="pool_enable" value="yes" <?= !empty($pconfig['pool_address'])&&!empty($pconfig['pool_netbits']) ? "checked=\"checked\"" : "";?> onclick="pool_change()" />
+                          <?=gettext("Provide a virtual IPv4 address to clients"); ?>
+                          <div class="input-group">
+                              <input name="pool_address" type="text" class="form-control" id="pool_address" size="20" value="<?=$pconfig['pool_address'];?>" style="width:200px;" />
+                              <select name="pool_netbits" class="selectpicker form-control" id="pool_netbits" data-width="70px" data-size="10">
+<?php
+                              for ($i = 32; $i >= 0; $i--) :?>
+                                  <option value="<?=$i;?>" <?= ($i == $pconfig['pool_netbits']) ? "selected=\"selected\"" : "";?>>
+                                      <?=$i;?>
+                                  </option>
+<?php
+                              endfor; ?>
+                              </select>
+                          </div>
+                      </td>
+                  </tr>
+                  <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Virtual IPv6 Address Pool"); ?></td>
+                      <td>
+                          <input name="pool_enable_v6" type="checkbox" id="pool_enable_v6" value="yes" <?= !empty($pconfig['pool_address_v6'])&&!empty($pconfig['pool_netbits_v6']) ? "checked=\"checked\"" : "";?> onclick="pool_v6_change()" />
+                          <?=gettext("Provide a virtual IPv6 address to clients"); ?>
+                          <div class="input-group">
+                              <input name="pool_address_v6" type="text" class="form-control" id="pool_address_v6" size="20" value="<?=$pconfig['pool_address_v6'];?>" style="width:200px;" />
+                              <select name="pool_netbits_v6" class="selectpicker form-control" id="pool_netbits_v6" data-width="70px" data-size="10">
+<?php
+                              for ($i = 128; $i >= 0; $i--) :?>
+                                  <option value="<?=$i;?>" <?= ($i == $pconfig['pool_netbits_v6']) ? "selected=\"selected\"" : "";?>>
+                                      <?=$i;?>
+                                  </option>
+<?php
+                              endfor; ?>
+                              </select>
+                          </div>
+                      </td>
+                  </tr>
+                </table>
+            </div>
+        </section>
+        <section class="col-xs-12">
+            <div class="tab-content content-box col-xs-12">
+              <table class="table table-striped opnsense_standard_table_form" id="ike_extensions">
+                  <tr>
+                    <td style="width:22%">&nbsp;</td>
+                    <td style="width:78%;">
+                      <input name="submit" type="submit" class="btn btn-primary" value="<?=html_safe(gettext('Save')); ?>" />
+                    </td>
+                  </tr>
+                </table>
+               </div>
+            </div>
+          </section>
+        </form>
+      </div>
+  </div>
+</section>
+
+<?php include("foot.inc"); ?>
diff --git a/security/strongswan-legacy/src/www/vpn_ipsec_phase1.php b/security/strongswan-legacy/src/www/vpn_ipsec_phase1.php
new file mode 100644
index 0000000000..f2548491cb
--- /dev/null
+++ b/security/strongswan-legacy/src/www/vpn_ipsec_phase1.php
@@ -0,0 +1,1351 @@
+<?php
+
+/*
+ * Copyright (C) 2019 Pascal Mathis <mail@pascalmathis.com>
+ * Copyright (C) 2014-2015 Deciso B.V.
+ * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
+ * Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>
+ * Copyright (C) 2014 Ermal Luçi
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("system.inc");
+require_once("filter.inc");
+require_once("interfaces.inc");
+require_once("plugins.inc.d/ipsec.inc");
+
+/*
+ * ikeid management functions
+ */
+
+function ipsec_ikeid_used($ikeid) {
+    global $config;
+
+    if (!empty($config['ipsec']['phase1'])) {
+        foreach ($config['ipsec']['phase1'] as $ph1ent) {
+            if( $ikeid == $ph1ent['ikeid'] ) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+function ipsec_ikeid_next() {
+    $ikeid = 1;
+    while(ipsec_ikeid_used($ikeid)) {
+        $ikeid++;
+    }
+
+    return $ikeid;
+}
+
+function ipsec_keypairs()
+{
+    $mdl = new \OPNsense\IPsec\IPsec();
+    $node = $mdl->getNodeByReference('keyPairs.keyPair');
+
+    return $node ? $node->getNodes() : [];
+}
+
+config_read_array('ipsec', 'phase1');
+config_read_array('ipsec', 'phase2');
+
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    // fetch data
+    if (isset($_GET['dup']) && is_numericint($_GET['dup'])) {
+        $p1index = $_GET['dup'];
+    } elseif (isset($_GET['p1index']) && is_numericint($_GET['p1index'])) {
+        $p1index = $_GET['p1index'];
+    }
+    $pconfig = array();
+
+    // generice defaults
+    $pconfig['interface'] = "wan";
+    $pconfig['iketype'] = "ikev2";
+    $phase1_fields = "mode,protocol,myid_type,myid_data,peerid_type,peerid_data
+    ,encryption-algorithm,lifetime,authentication_method,descr,nat_traversal,rightallowany,inactivity_timeout
+    ,interface,iketype,dpd_delay,dpd_maxfail,dpd_action,remote-gateway,pre-shared-key,certref,margintime,rekeyfuzz
+    ,caref,local-kpref,peer-kpref,reauth_enable,rekey_enable,auto,tunnel_isolation,authservers,mobike,keyingtries
+    ,closeaction,unique";
+    if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index])) {
+        // 1-on-1 copy
+        foreach (explode(",", $phase1_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if(isset($config['ipsec']['phase1'][$p1index][$fieldname])) {
+                $pconfig[$fieldname] = $config['ipsec']['phase1'][$p1index][$fieldname];
+            } elseif (!isset($pconfig[$fieldname])) {
+                // initialize element
+                $pconfig[$fieldname] = null;
+            }
+        }
+
+        // attributes with some kind of logic behind them...
+        if (!isset($_GET['dup']) || !is_numericint($_GET['dup'])) {
+            // don't copy the ikeid on dup
+            $pconfig['ikeid'] = $config['ipsec']['phase1'][$p1index]['ikeid'];
+        }
+        $pconfig['disabled'] = isset($config['ipsec']['phase1'][$p1index]['disabled']);
+        $pconfig['sha256_96'] = !empty($config['ipsec']['phase1'][$p1index]['sha256_96']);
+        $pconfig['installpolicy'] = empty($config['ipsec']['phase1'][$p1index]['noinstallpolicy']); // XXX: reversed
+
+        foreach (array('authservers', 'dhgroup', 'hash-algorithm') as $fieldname) {
+            if (!empty($config['ipsec']['phase1'][$p1index][$fieldname])) {
+                $pconfig[$fieldname] = explode(',', $config['ipsec']['phase1'][$p1index][$fieldname]);
+            } else {
+                $pconfig[$fieldname] = array();
+            }
+        }
+
+        $pconfig['remotebits'] = null;
+        $pconfig['remotenet'] = null ;
+        if (isset($a_phase1[$p1index]['remote-subnet']) && strpos($config['ipsec']['phase1'][$p1index]['remote-subnet'],'/') !== false) {
+            list($pconfig['remotenet'],$pconfig['remotebits']) = explode("/", $config['ipsec']['phase1'][$p1index]['remote-subnet']);
+        } elseif (isset($config['ipsec']['phase1'][$p1index]['remote-subnet'])) {
+            $pconfig['remotenet'] = $config['ipsec']['phase1'][$p1index]['remote-subnet'];
+        }
+
+        if (isset($config['ipsec']['phase1'][$p1index]['mobile'])) {
+            $pconfig['mobile'] = true;
+        }
+    } else {
+        /* defaults new */
+        if (isset($config['interfaces']['lan'])) {
+            $pconfig['localnet'] = "lan";
+        }
+        $pconfig['mode'] = "main";
+        $pconfig['protocol'] = "inet";
+        $pconfig['myid_type'] = "myaddress";
+        $pconfig['peerid_type'] = "peeraddress";
+        $pconfig['authentication_method'] = "pre_shared_key";
+        $pconfig['encryption-algorithm'] = ["name" => "aes256gcm16"];
+        $pconfig['hash-algorithm'] = ['sha256'];
+        $pconfig['dhgroup'] = array('14');
+        $pconfig['nat_traversal'] = "on";
+        $pconfig['installpolicy'] = true;
+        $pconfig['authservers'] = array();
+
+        /* mobile client */
+        if (isset($_GET['mobile'])) {
+            $pconfig['mobile'] = true;
+        }
+        // init empty
+        foreach (explode(",", $phase1_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if (!isset($pconfig[$fieldname])) {
+                $pconfig[$fieldname] = null;
+            }
+        }
+    }
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $a_phase1 = &config_read_array('ipsec', 'phase1');
+    if (isset($_POST['p1index']) && is_numericint($_POST['p1index'])) {
+        $p1index = $_POST['p1index'];
+    }
+    $input_errors = array();
+    $pconfig = $_POST;
+    $old_ph1ent = $a_phase1[$p1index];
+
+    // unset dpd on post
+    if (!isset($pconfig['dpd_enable'])) {
+        unset($pconfig['dpd_delay']);
+        unset($pconfig['dpd_maxfail']);
+        unset($pconfig['dpd_action']);
+    }
+
+    /* My identity */
+    if ($pconfig['myid_type'] == "myaddress") {
+        $pconfig['myid_data'] = "";
+    }
+    /* Peer identity */
+    if ($pconfig['myid_type'] == "peeraddress") {
+        $pconfig['peerid_data'] = "";
+    }
+
+    /* input validation */
+    $method = $pconfig['authentication_method'];
+
+    // Only require PSK here for normal PSK tunnels (not mobile) or xauth.
+    // For RSA methods, require the CA/Cert.
+    switch ($method) {
+        case "eap-tls":
+        case "psk_eap-tls":
+        case "eap-mschapv2":
+        case "rsa_eap-mschapv2":
+        case "eap-radius":
+          if (!in_array($pconfig['iketype'], array('ikev2', 'ike'))) {
+              $input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), strtoupper($method));
+          }
+          if ($method == 'eap-radius' && empty($pconfig['authservers'])) {
+              $input_errors[] = gettext("Please select radius servers to use.");
+          }
+          break;
+        case "pre_shared_key":
+            // If this is a mobile PSK tunnel the user PSKs go on
+            //    the PSK tab, not here, so skip the check.
+            if ($pconfig['mobile']) {
+                break;
+            }
+        case "xauth_psk_server":
+            $reqdfields = explode(" ", "pre-shared-key");
+            $reqdfieldsn = array(gettext("Pre-Shared Key"));
+            break;
+        case "hybrid_rsa_server":
+            $reqdfields = explode(' ', 'certref');
+            $reqdfieldsn = array(gettext("Certificate"));
+            break;
+        case "xauth_rsa_server":
+        case "rsasig":
+            $reqdfields = explode(" ", "caref certref");
+            $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
+            break;
+        case "pubkey":
+            $reqdfields = explode(" ", "local-kpref peer-kpref");
+            $reqdfieldsn = array(gettext("Local Key Pair"),gettext("Peer Key Pair"));
+            break;
+    }
+
+    if (empty($pconfig['mobile'])) {
+        $reqdfields[] = "remote-gateway";
+        $reqdfieldsn[] = gettext("Remote gateway");
+    }
+
+    do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
+
+    if (!empty($pconfig['inactivity_timeout']) && !is_numericint($pconfig['inactivity_timeout'])) {
+        $input_errors[] = gettext("The inactivity timeout must be an integer.");
+    }
+    if (!empty($pconfig['keyingtries']) && !is_numericint($pconfig['keyingtries']) && $pconfig['keyingtries'] != "-1") {
+        $input_errors[] = gettext("The keyingtries must be an integer.");
+    }
+
+    if ((!empty($pconfig['lifetime']) && !is_numeric($pconfig['lifetime']))) {
+        $input_errors[] = gettext("The P1 lifetime must be an integer.");
+    }
+    if (!empty($pconfig['margintime'])) {
+        if (!is_numericint($pconfig['margintime'])) {
+            $input_errors[] = gettext("The margintime must be an integer.");
+        } else {
+            $rekeyfuzz = empty($pconfig['rekeyfuzz']) || !is_numeric($pconfig['rekeyfuzz']) ? 100 : $pconfig['rekeyfuzz'];
+            if (((int)$pconfig['margintime'] * 2) * ($rekeyfuzz / 100.0) > (int)$pconfig['lifetime']) {
+                $input_errors[] = gettext("The value margin... + margin... * rekeyfuzz must not exceed the original lifetime limit.");
+            }
+        }
+    }
+    if (!empty($pconfig['rekeyfuzz']) && !is_numericint($pconfig['rekeyfuzz'])) {
+        $input_errors[] = gettext("Rekeyfuzz must be an integer.");
+    }
+
+    if (!empty($pconfig['remote-gateway'])) {
+        if (!is_ipaddr($pconfig['remote-gateway']) && !is_domain($pconfig['remote-gateway'])) {
+            $input_errors[] = gettext("A valid remote gateway address or host name must be specified.");
+        } elseif (is_ipaddrv4($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet")) {
+            $input_errors[] = gettext("A valid remote gateway IPv4 address must be specified or you need to change protocol to IPv6");
+        } elseif (is_ipaddrv6($pconfig['remote-gateway']) && ($pconfig['protocol'] != "inet6")) {
+            $input_errors[] = gettext("A valid remote gateway IPv6 address must be specified or you need to change protocol to IPv4");
+        }
+    }
+
+    if (!empty($pconfig['remote-gateway']) && is_ipaddr($pconfig['remote-gateway']) && !isset($pconfig['disabled']) &&
+        (empty($pconfig['iketype']) || $pconfig['iketype'] == "ikev1")) {
+        $t = 0;
+        foreach ($a_phase1 as $ph1tmp) {
+            if ($p1index != $t) {
+                if (isset($ph1tmp['remote-gateway']) && $ph1tmp['remote-gateway'] == $pconfig['remote-gateway'] && !isset($ph1tmp['disabled'])) {
+                    $input_errors[] = sprintf(gettext('The remote gateway "%s" is already used by phase1 "%s".'), $pconfig['remote-gateway'], $ph1tmp['descr']);
+                }
+            }
+            $t++;
+        }
+    }
+
+    if ($pconfig['interface'] == 'any' && $pconfig['myid_type'] == "myaddress") {
+        $input_errors[] = gettext("Please select an identifier (My Identifier) other then 'any' when selecting 'Any' interface");
+    } elseif ($pconfig['myid_type'] == "address" && $pconfig['myid_data'] == "") {
+        $input_errors[] = gettext("Please enter an address for 'My Identifier'");
+    } elseif ($pconfig['myid_type'] == "keyid tag" && $pconfig['myid_data'] == "") {
+        $input_errors[] = gettext("Please enter a keyid tag for 'My Identifier'");
+    } elseif ($pconfig['myid_type'] == "fqdn" && $pconfig['myid_data'] == "") {
+        $input_errors[] = gettext("Please enter a fully qualified domain name for 'My Identifier'");
+    } elseif ($pconfig['myid_type'] == "user_fqdn" && $pconfig['myid_data'] == "") {
+        $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'My Identifier'");
+    } elseif ($pconfig['myid_type'] == "dyn_dns" && $pconfig['myid_data'] == "") {
+        $input_errors[] = gettext("Please enter a dynamic domain name for 'My Identifier'");
+    } elseif ((($pconfig['myid_type'] == "address") && !is_ipaddr($pconfig['myid_data']))) {
+        $input_errors[] = gettext("A valid IP address for 'My identifier' must be specified.");
+    } elseif ((($pconfig['myid_type'] == "fqdn") && !is_domain($pconfig['myid_data']))) {
+        $input_errors[] = gettext("A valid domain name for 'My identifier' must be specified.");
+    } elseif ($pconfig['myid_type'] == "fqdn" && !is_domain($pconfig['myid_data'])) {
+        $input_errors[] = gettext("A valid FQDN for 'My identifier' must be specified.");
+    } elseif ($pconfig['myid_type'] == "user_fqdn") {
+        $user_fqdn = explode("@", $pconfig['myid_data']);
+        if (is_domain($user_fqdn[1]) == false) {
+            $input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'My identifier' must be specified.");
+        }
+    } elseif ($pconfig['myid_type'] == "dyn_dns") {
+        if (is_domain($pconfig['myid_data']) == false) {
+            $input_errors[] = gettext("A valid Dynamic DNS address for 'My identifier' must be specified.");
+        }
+    }
+
+    // Only enforce peer ID if we are not dealing with a pure-psk mobile config.
+    if (!(($pconfig['authentication_method'] == "pre_shared_key") && !empty($pconfig['mobile']))) {
+        if ($pconfig['peerid_type'] == "address" and $pconfig['peerid_data'] == "") {
+            $input_errors[] = gettext("Please enter an address for 'Peer Identifier'");
+        }
+        if ($pconfig['peerid_type'] == "keyid tag" and $pconfig['peerid_data'] == "") {
+            $input_errors[] = gettext("Please enter a keyid tag for 'Peer Identifier'");
+        }
+        if ($pconfig['peerid_type'] == "fqdn" and $pconfig['peerid_data'] == "") {
+            $input_errors[] = gettext("Please enter a fully qualified domain name for 'Peer Identifier'");
+        }
+        if ($pconfig['peerid_type'] == "user_fqdn" and $pconfig['peerid_data'] == "") {
+            $input_errors[] = gettext("Please enter a user and fully qualified domain name for 'Peer Identifier'");
+        }
+        if ((($pconfig['peerid_type'] == "address") && !is_ipaddr($pconfig['peerid_data']))) {
+            $input_errors[] = gettext("A valid IP address for 'Peer identifier' must be specified.");
+        }
+        if ((($pconfig['peerid_type'] == "fqdn") && !is_domain($pconfig['peerid_data']))) {
+            $input_errors[] = gettext("A valid domain name for 'Peer identifier' must be specified.");
+        }
+        if ($pconfig['peerid_type'] == "fqdn") {
+            if (is_domain($pconfig['peerid_data']) == false) {
+                $input_errors[] = gettext("A valid FQDN for 'Peer identifier' must be specified.");
+            }
+        }
+        if ($pconfig['peerid_type'] == "user_fqdn") {
+            $user_fqdn = explode("@", $pconfig['peerid_data']);
+            if (is_domain($user_fqdn[1]) == false) {
+                $input_errors[] = gettext("A valid User FQDN in the form of user@my.domain.com for 'Peer identifier' must be specified.");
+            }
+        }
+    }
+
+    if (!empty($pconfig['closeaction']) && !in_array($pconfig['closeaction'], ['clear', 'hold', 'restart'])) {
+        $input_errors[] = gettext('Invalid argument for close action.');
+    }
+
+    if (!empty($pconfig['unique']) && !in_array($pconfig['unique'], ['no', 'replace', 'never', 'keep'])) {
+        $input_errors[] = gettext('Invalid argument for unique.');
+    }
+
+    if (!empty($pconfig['dpd_enable'])) {
+        if (!is_numeric($pconfig['dpd_delay'])) {
+            $input_errors[] = gettext("A numeric value must be specified for DPD delay.");
+        }
+        if (!is_numeric($pconfig['dpd_maxfail'])) {
+            $input_errors[] = gettext("A numeric value must be specified for DPD retries.");
+        }
+        if (!empty($pconfig['dpd_action']) && !in_array($pconfig['dpd_action'], array("restart", "clear"))) {
+            $input_errors[] = gettext('Invalid argument for DPD action.');
+        }
+    }
+
+    if (!empty($pconfig['iketype']) && !in_array($pconfig['iketype'], array("ike", "ikev1", "ikev2"))) {
+        $input_errors[] = gettext('Invalid argument for key exchange protocol version.');
+    }
+
+    /* build our encryption algorithms array */
+    if (!isset($pconfig['encryption-algorithm']) || !is_array($pconfig['encryption-algorithm'])) {
+        $pconfig['encryption-algorithm'] = array();
+    }
+    $pconfig['encryption-algorithm']['name'] = $pconfig['ealgo'];
+    if (!empty($pconfig['ealgo_keylen'])) {
+        $pconfig['encryption-algorithm']['keylen'] = $pconfig['ealgo_keylen'];
+    }
+
+    if (empty($pconfig['hash-algorithm'])) {
+        $input_errors[] = gettext("At least one hashing algorithm needs to be selected.");
+        $pconfig['hash-algorithm'] = array();
+    }
+
+    if (empty($pconfig['dhgroup'])) {
+        $pconfig['dhgroup'] = array();
+    }
+
+    foreach (ipsec_p1_ealgos() as $algo => $algodata) {
+        if (!empty($pconfig['iketype']) && !empty($pconfig['encryption-algorithm']['name']) && !empty($algodata['iketype'])
+          && $pconfig['iketype'] != $algodata['iketype'] && $pconfig['encryption-algorithm']['name'] == $algo) {
+            $input_errors[] = sprintf(gettext("%s can only be used with IKEv2 type VPNs."), $algodata['name']);
+        }
+    }
+
+    if (!empty($pconfig['ikeid']) && !empty($pconfig['installpolicy'])) {
+        foreach ($config['ipsec']['phase2'] as $phase2ent) {
+            if ($phase2ent['ikeid'] == $pconfig['ikeid'] && $phase2ent['mode'] == 'route-based') {
+                $input_errors[] = gettext(
+                    "Install policy on phase1 is not a valid option when using Route-based phase 2 entries."
+                );
+                break;
+            }
+        }
+    }
+
+    if (count($input_errors) == 0) {
+        $copy_fields = "ikeid,iketype,interface,mode,protocol,myid_type,myid_data
+        ,peerid_type,peerid_data,encryption-algorithm,margintime,rekeyfuzz,inactivity_timeout,keyingtries
+        ,lifetime,pre-shared-key,certref,caref,authentication_method,descr,local-kpref,peer-kpref
+        ,nat_traversal,auto,mobike,closeaction,unique";
+
+        foreach (explode(",",$copy_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if(!empty($pconfig[$fieldname])) {
+                $ph1ent[$fieldname] = $pconfig[$fieldname];
+            }
+        }
+
+        foreach (array('authservers', 'dhgroup', 'hash-algorithm') as $fieldname) {
+            if (!empty($pconfig[$fieldname])) {
+                $ph1ent[$fieldname] = implode(',', $pconfig[$fieldname]);
+            }
+        }
+
+        $ph1ent['disabled'] = !empty($pconfig['disabled']);
+        $ph1ent['sha256_96'] = !empty($pconfig['sha256_96']);
+        $ph1ent['noinstallpolicy'] = empty($pconfig['installpolicy']); // XXX: reversed
+        $ph1ent['private-key'] =isset($pconfig['privatekey']) ? base64_encode($pconfig['privatekey']) : null;
+        if (!empty($pconfig['mobile'])) {
+            $ph1ent['mobile'] = true;
+        } else {
+            $ph1ent['remote-gateway'] = $pconfig['remote-gateway'];
+        }
+        if (isset($pconfig['reauth_enable'])) {
+            $ph1ent['reauth_enable'] = true;
+        }
+        if (isset($pconfig['rekey_enable'])) {
+            $ph1ent['rekey_enable'] = true;
+        }
+
+        if (isset($pconfig['tunnel_isolation'])) {
+            $ph1ent['tunnel_isolation'] = true;
+        }
+
+        if (isset($pconfig['rightallowany'])) {
+            $ph1ent['rightallowany'] = true;
+        }
+
+        if (isset($pconfig['dpd_enable'])) {
+            $ph1ent['dpd_delay'] = $pconfig['dpd_delay'];
+            $ph1ent['dpd_maxfail'] = $pconfig['dpd_maxfail'];
+            $ph1ent['dpd_action'] = $pconfig['dpd_action'];
+        }
+
+        /* generate unique phase1 ikeid */
+        if ($ph1ent['ikeid'] == 0) {
+            $ph1ent['ikeid'] = ipsec_ikeid_next();
+        }
+
+        if (isset($p1index) && isset($a_phase1[$p1index])) {
+            $a_phase1[$p1index] = $ph1ent;
+        } else {
+            if (!empty($pconfig['clone_phase2']) && !empty($a_phase1[$_GET['dup']])
+              && !empty($config['ipsec']['phase2'])) {
+                // clone phase 2 entries in disabled state if requested.
+                $prev_ike_id = $a_phase1[$_GET['dup']]['ikeid'];
+                foreach ($config['ipsec']['phase2'] as $phase2ent) {
+                    if ($phase2ent['ikeid'] == $prev_ike_id) {
+                        $new_phase2 = $phase2ent;
+                        $new_phase2['disabled'] = true;
+                        $new_phase2['uniqid'] = uniqid();
+                        $new_phase2['ikeid'] = $ph1ent['ikeid'];
+                        unset($new_phase2['reqid']);
+                        $config['ipsec']['phase2'][] = $new_phase2;
+                    }
+                }
+            }
+            $a_phase1[] = $ph1ent;
+        }
+
+        write_config();
+        mark_subsystem_dirty('ipsec');
+
+        header(url_safe('Location: /ui/ipsec/tunnels'));
+        exit;
+    }
+}
+
+$service_hook = 'strongswan';
+
+legacy_html_escape_form_data($pconfig);
+include("head.inc");
+?>
+
+<body>
+<?php include("fbegin.inc"); ?>
+<script>
+    $( document ).ready(function() {
+        $("#iketype").change(function(){
+            if (['ike', 'ikev2'].includes($(this).val())) {
+                $("#mode").prop( "disabled", true );
+                $("#mode_tr").hide();
+            } else {
+                $("#mode").prop( "disabled", false );
+                $("#mode_tr").show();
+            }
+            $( window ).resize(); // call window resize, which will re-apply zebra
+        });
+        $("#iketype").change();
+        $("#myid_type").change(function(){
+            if ($("#myid_type").val() == 'myaddress') {
+                $("#myid_data").removeClass('show');
+                $("#myid_data").addClass('hidden');
+            } else {
+                $("#myid_data").removeClass('hidden');
+                $("#myid_data").addClass('show');
+            }
+        });
+        $("#myid_type").change();
+
+        $("#peerid_type").change(function(){
+            if ($("#peerid_type").val() == 'peeraddress') {
+               $("#peerid_data").removeClass('show');
+               $("#peerid_data").addClass('hidden');
+            } else {
+               $("#peerid_data").removeClass('hidden');
+               $("#peerid_data").addClass('show');
+            }
+        });
+        $("#peerid_type").change();
+
+        $("#authentication_method").change(function(){
+            $(".auth_opt").hide();
+            $(".auth_opt :input").prop( "disabled", true );
+            switch ($("#authentication_method").val()) {
+                case 'eap-tls':
+                    $(".auth_eap_tls_caref").show();
+                    $(".auth_eap_tls_caref :input").prop( "disabled", false );
+                    /* FALLTHROUGH */
+                case 'psk_eap-tls':
+                case 'eap-mschapv2':
+                case 'rsa_eap-mschapv2':
+                    $(".auth_eap_tls").show();
+                    $(".auth_eap_tls :input").prop( "disabled", false );
+                    break;
+                case 'eap-radius':
+                    $(".auth_eap_tls").show();
+                    $(".auth_eap_tls :input").prop( "disabled", false );
+                    $(".auth_eap_radius").show();
+                    $(".auth_eap_radius :input").prop( "disabled", false );
+                    break;
+                case 'pre_shared_key':
+                    if ($("#mobile").val() == undefined) {
+                        $(".auth_psk").show();
+                        $(".auth_psk :input").prop( "disabled", false );
+                    }
+                    break;
+                case 'hybrid_rsa_server':
+                    $('.auth_eap_tls').show();
+                    $('.auth_eap_tls :input').prop('disabled', false);
+                    break;
+                case 'xauth_rsa_server':
+                case 'rsasig':
+                case 'rsa_eap-mschapv2':
+                    $(".auth_eap_tls_caref").show();
+                    $(".auth_eap_tls_caref :input").prop( "disabled", false );
+                    $(".auth_eap_tls").show();
+                    $(".auth_eap_tls :input").prop( "disabled", false );
+                    break;
+                case "pubkey":
+                    $(".auth_pubkey").show();
+                    $(".auth_pubkey :input").prop("disabled", false);
+                    break;
+                default: /* psk modes*/
+                    $(".auth_psk").show();
+                    $(".auth_psk :input").prop( "disabled", false );
+                    break;
+            }
+            $(".selectpicker").selectpicker('refresh');
+        });
+        $("#authentication_method").change();
+
+        $("#ealgo").change(function(){
+            if ($("#ealgo option:selected").data('lo') != "") {
+                $("#ealgo_keylen").show();
+                $("#ealgo_keylen").prop('disabled', false);
+                $("#ealgo_keylen option").remove();
+                for (var i = $("#ealgo option:selected").data('lo'); i <= $("#ealgo option:selected").data('hi'); i += $("#ealgo option:selected").data('step')) {
+                    $("#ealgo_keylen").append($("<option/>").attr('value',i).text(i));
+                }
+                $("#ealgo_keylen").val($("#ealgo").data("default-keylen"));
+            } else {
+                $("#ealgo_keylen").hide();
+                $("#ealgo_keylen").prop('disabled', true);
+            }
+        });
+        $("#ealgo").change();
+
+        $("#dpd_enable").change(function(){
+            if ($(this).prop('checked')) {
+                $("#opt_dpd").show();
+                if ($("#dpd_delay").val() == "") {
+                    $("#dpd_delay").val("10");
+                }
+                if ($("#dpd_maxfail").val() == "") {
+                    $("#dpd_maxfail").val("5");
+                }
+            } else {
+                $("#opt_dpd").hide();
+            }
+        });
+        $("#dpd_enable").change();
+    });
+</script>
+
+<section class="page-content-main">
+  <div class="container-fluid">
+    <div class="row">
+<?php
+    if (isset($input_errors) && count($input_errors) > 0) {
+        print_input_errors($input_errors);
+    }
+?>
+
+      <section class="col-xs-12">
+        <div class="tab-content content-box col-xs-12">
+          <form method="post" name="iform" id="iform">
+            <div class="table-responsive">
+              <table class="table table-striped opnsense_standard_table_form">
+                <tbody>
+                  <tr>
+                    <td style="width:22%"><b><?=gettext("General information"); ?></b></td>
+                    <td style="width:78%; text-align:right">
+                      <small><?=gettext("full help"); ?> </small>
+                      <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+                    </td>
+                  </tr>
+<?php
+                  if (!empty($_GET['dup'])):?>
+                  <tr>
+                    <td><a id="help_for_clone_phase2" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Clone phase2"); ?></td>
+                    <td>
+                      <input name="clone_phase2" type="checkbox" id="clone_phase2" value="yes" <?=!empty($pconfig['clone_phase2'])?"checked=\"checked\"":"";?> />
+                      <div class="hidden" data-for="help_for_clone_phase2">
+                        <?=gettext("Clone related phase 2 entries as well, remember to change the networks. All phase 2 entries will be added in disabled state"); ?>
+                      </div>
+                    </td>
+                  </tr>
+<?php
+                  endif;?>
+                  <tr>
+                    <td style="width:22%"><a id="help_for_disabled" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?></td>
+                    <td>
+                      <input name="disabled" type="checkbox" id="disabled" value="yes" <?=!empty($pconfig['disabled'])?"checked=\"checked\"":"";?> />
+                      <?= gettext('Disable this phase1 entry') ?>
+                      <div class="hidden" data-for="help_for_disabled">
+                        <?= gettext('Set this option to disable this phase1 without removing it from the list.') ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_auto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Connection method"); ?></td>
+                    <td>
+
+                      <select name="auto">
+                        <option value="" <?=empty($pconfig['auto']) ?  "selected=\"selected\"" : ""; ?>><?=gettext("default");?></option>
+                        <option value="add" <?=$pconfig['auto'] == "add" ?  "selected=\"selected\"" : ""; ?>><?=gettext("Respond only");?></option>
+                        <option value="route" <?=$pconfig['auto'] == "route" ?  "selected=\"selected\"" : ""; ?>><?=gettext("Start on traffic");?></option>
+                        <option value="start" <?=$pconfig['auto'] == "start" ?  "selected=\"selected\"" : ""; ?>><?=gettext("Start immediate");?></option>
+                      </select>
+                      <div class="hidden" data-for="help_for_auto">
+                        <?=gettext("Choose the connect behaviour here, when using CARP you might want to consider the 'Respond only' option here (wait for the other side to connect)."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_iketype" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Key Exchange version"); ?></td>
+                    <td>
+
+                      <select name="iketype" id="iketype">
+<?php
+                      $keyexchange = array("ike" => "auto", "ikev1" => "V1", "ikev2" => "V2");
+                      foreach ($keyexchange as $kidx => $name) :
+                        ?>
+                        <option value="<?=$kidx;?>" <?= $kidx == $pconfig['iketype'] ? "selected=\"selected\"" : "";?> >
+                            <?=$name;?>
+                        </option>
+<?php                endforeach;
+?>
+                      </select>
+                      <div class="hidden" data-for="help_for_iketype">
+                        <?=gettext("Select the KeyExchange Protocol version to be used. Usually known as IKEv1 or IKEv2."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_protocol" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Internet Protocol"); ?></td>
+                    <td>
+                      <select name="protocol">
+                      <?php
+                      $protocols = array("inet" => "IPv4", "inet6" => "IPv6");
+                      if (!empty($pconfig['mobile'])) {
+                          $protocols["inet46"] = "IPv4+6";
+                      }
+                      foreach ($protocols as $protocol => $name) :
+                      ?>
+                        <option value="<?=$protocol;?>"  <?=$protocol == $pconfig['protocol'] ? "selected=\"selected\"" : "";?> >
+                            <?=$name?>
+                        </option>
+<?php                endforeach;
+?>
+                      </select>
+                      <div class="hidden" data-for="help_for_protocol">
+                        <?=gettext("Select the Internet Protocol family from this dropdown."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_interface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interface"); ?></td>
+                    <td>
+                      <select name="interface">
+<?php
+                      $interfaces = get_configured_interface_with_descr();
+                      foreach (config_read_array('virtualip', 'vip') as $vip) {
+                          $label = $vip['subnet'] . (empty($vip['descr']) ? '' : " ({$vip['descr']})");
+                          if ($vip['mode'] == 'carp') {
+                              $value = "{$vip['interface']}_vip{$vip['vhid']}";
+                          } elseif ($vip['mode'] == 'ipalias') {
+                              $value = $vip['subnet'];
+                          } else {
+                              continue;
+                          }
+                          $interfaces[$value] = $label;
+                      }
+                      foreach ($interfaces as $iface => $ifacename) :
+?>
+                        <option value="<?=$iface;?>" <?= $iface == $pconfig['interface'] ? "selected=\"selected\"" : "" ?> >
+                            <?=htmlspecialchars($ifacename);?>
+                        </option>
+<?php                  endforeach;
+?>
+                        <option value="any" <?= $pconfig['interface'] == "any" ? "selected=\"selected\"" : "" ?>>
+                            <?=gettext("Any");?>
+                        </option>
+                      </select>
+                      <div class="hidden" data-for="help_for_interface">
+                        <?=gettext("Select the interface for the local endpoint of this phase1 entry."); ?>
+                      </div>
+                    </td>
+                  </tr>
+<?php if (empty($pconfig['mobile'])): ?>
+                  <tr>
+                    <td><a id="help_for_remotegw" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Remote gateway"); ?></td>
+                    <td>
+                      <input name="remote-gateway" type="text" id="remotegw" size="28" value="<?=$pconfig['remote-gateway'];?>" />
+                      <div class="hidden" data-for="help_for_remotegw">
+                        <?= gettext('Enter the public IP address or host name of the remote gateway.') ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_rightallowany" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Dynamic gateway') ?></td>
+                    <td>
+                      <input name="rightallowany" type="checkbox" id="rightallowany" value="yes" <?= !empty($pconfig['rightallowany']) ? 'checked="checked"' : '' ?>/>
+                      <?= gettext('Allow any remote gateway to connect') ?>
+                      <div class="hidden" data-for="help_for_rightallowany">
+                        <?= gettext('Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or update time.') ?>
+                      </div>
+                    </td>
+                  </tr>
+<?php endif ?>
+                  <tr>
+                    <td><a id="help_for_descr" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Description"); ?></td>
+                    <td>
+                      <input name="descr" type="text" id="descr" size="40" value="<?=$pconfig['descr'];?>" />
+                      <div class="hidden" data-for="help_for_descr">
+                        <?=gettext("You may enter a description here for your reference (not parsed)."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td colspan="2">&nbsp;</td>
+                  </tr>
+                  <tr>
+                    <td colspan="2"><b><?=gettext("Phase 1 proposal (Authentication)"); ?></b></td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_authmethod" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Authentication method"); ?></td>
+                    <td>
+                      <select name="authentication_method" id="authentication_method">
+<?php
+                      foreach (ipsec_p1_authentication_methods() as $method_type => $method_params) :
+                          if (empty($pconfig['mobile']) && $method_params['mobile']) {
+                              continue;
+                          }
+                        ?>
+                          <option value="<?=$method_type;?>" <?= $method_type == $pconfig['authentication_method'] ? "selected=\"selected\"" : "";?> >
+        <?=$method_params['name'];?>
+                          </option>
+<?php                endforeach;
+?>
+                      </select>
+                      <div class="hidden" data-for="help_for_authmethod">
+                        <?=gettext("Must match the setting chosen on the remote side."); ?><br />
+                        <?=sprintf(gettext("If you select EAP-RADIUS, you must define your RADIUS servers on the %sServers%s page."), '<a href="/system_authservers.php">', '</a>'); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr id="mode_tr">
+                    <td><a id="help_for_mode" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Negotiation mode"); ?></td>
+                    <td>
+                      <select id="mode" name="mode">
+                      <?php
+                      $modes = array("main" => "Main", "aggressive" => "Aggressive");
+                      foreach ($modes as $mode => $mdescr) :
+?>
+      <option value="<?=$mode;?>" <?= $mode == $pconfig['mode'] ? "selected=\"selected\"" : "" ;?> >
+                            <?=$mdescr;?>
+                        </option>
+<?php                endforeach;
+?>
+                      </select>
+                      <div class="hidden" data-for="help_for_mode">
+                        <?=gettext("Aggressive is more flexible, but less secure."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("My identifier"); ?></td>
+                    <td>
+                      <select name="myid_type" id="myid_type">
+<?php
+                      $my_identifier_list = array(
+                        'myaddress' => array( 'desc' => gettext('My IP address'), 'mobile' => true ),
+                        'address' => array( 'desc' => gettext('IP address'), 'mobile' => true ),
+                        'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
+                        'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
+                        'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
+                        'keyid tag' => array( 'desc' => gettext('KeyID tag'), 'mobile' => true ),
+                        'dyn_dns' => array( 'desc' => gettext('Dynamic DNS'), 'mobile' => true ),
+                        'auto' => array( 'desc' => gettext('Automatic'), 'mobile' => true ));
+                      foreach ($my_identifier_list as $id_type => $id_params) :
+?>
+                        <option value="<?=$id_type;?>" <?php if ($id_type == $pconfig['myid_type']) {
+                                                    echo "selected=\"selected\"";
+} ?>>
+                          <?=$id_params['desc'];?>
+                        </option>
+                      <?php
+endforeach; ?>
+                      </select>
+                      <div id="myid_data">
+                        <input name="myid_data" type="text" size="30" value="<?=$pconfig['myid_data'];?>" />
+                      </div>
+                    </td>
+                  </tr>
+<?php
+                  if (empty($pconfig['mobile'])):?>
+                  <tr class="auth_opt auth_eap_tls auth_psk auth_pubkey">
+                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Peer identifier"); ?></td>
+                    <td>
+                      <select name="peerid_type" id="peerid_type">
+<?php
+                      $peer_identifier_list = array(
+                        'peeraddress' => array( 'desc' => gettext('Peer IP address'), 'mobile' => false ),
+                        'address' => array( 'desc' => gettext('IP address'), 'mobile' => false ),
+                        'fqdn' => array( 'desc' => gettext('Distinguished name'), 'mobile' => true ),
+                        'user_fqdn' => array( 'desc' => gettext('User distinguished name'), 'mobile' => true ),
+                        'asn1dn' => array( 'desc' => gettext('ASN.1 distinguished Name'), 'mobile' => true ),
+                        'keyid tag' => array( 'desc' =>gettext('KeyID tag'), 'mobile' => true ),
+                        'auto' => array( 'desc' => gettext('Automatic'), 'mobile' => true ));
+                      foreach ($peer_identifier_list as $id_type => $id_params) :
+                        if (!empty($pconfig['mobile']) && !$id_params['mobile']) {
+                          continue;
+                        }
+?>
+                        <option value="<?=$id_type;?>" <?= $id_type == $pconfig['peerid_type'] ? "selected=\"selected\"" : "";?> >
+        <?=$id_params['desc'];?>
+                        </option>
+<?php                endforeach;
+?>
+                      </select>
+                      <input name="peerid_data" type="text" id="peerid_data" size="30" value="<?=$pconfig['peerid_data'];?>" />
+<?php if (!empty($pconfig['mobile'])) {
+?>
+                      <small><?=gettext("NOTE: This is known as the \"group\" setting on some VPN client implementations."); ?></small>
+                    <?php
+} ?>
+                    </td>
+                  </tr>
+<?php
+                  endif;?>
+                  <tr class="auth_opt auth_psk">
+                    <td><a id="help_for_psk" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pre-Shared Key"); ?></td>
+                    <td>
+                      <input name="pre-shared-key" type="text" id="pskey" size="40"
+                             value="<?= $pconfig['authentication_method'] == "pre_shared_key" || $pconfig['authentication_method'] == "xauth_psk_server" ? $pconfig['pre-shared-key'] : "";?>" />
+                      <div class="hidden" data-for="help_for_psk">
+                        <?=gettext("Input your Pre-Shared Key string."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr class="auth_opt auth_eap_tls">
+                    <td><a id="help_for_certref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("My Certificate"); ?></td>
+                    <td>
+                      <select name="certref">
+<?php
+                      if (isset($config['cert'])) :
+                        foreach ($config['cert'] as $cert) :
+?>
+                        <option value="<?=$cert['refid'];?>" <?= isset($pconfig['certref']) && $pconfig['certref'] == $cert['refid'] ? "selected=\"selected\"" : ""?>>
+                          <?=$cert['descr'];?>
+                        </option>
+<?php                endforeach;
+                      endif;
+?>
+                      </select>
+                      <div class="hidden" data-for="help_for_certref">
+                        <?=gettext("Select a certificate previously configured in the Certificate Manager."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr class="auth_opt auth_eap_tls_caref">
+                    <td><a id="help_for_caref" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Remote Certificate Authority"); ?></td>
+                    <td>
+                      <select name="caref">
+                          <option value=""><?=gettext("none");?></option>
+                      <?php
+                    $config__ca = isset($config['ca']) ? $config['ca'] : array();
+                        foreach ($config__ca as $ca) :
+                            $selected = "";
+                            if ($pconfig['caref'] == $ca['refid']) {
+                                $selected = "selected=\"selected\"";
+                            }
+                        ?>
+                          <option value="<?=$ca['refid'];?>" <?= isset($pconfig['caref']) && $pconfig['caref'] == $ca['refid'] ? "selected=\"selected\"":"";?>>
+                            <?=htmlspecialchars($ca['descr']);?>
+                          </option>
+<?php                endforeach;
+?>
+                      </select>
+                      <div class="hidden" data-for="help_for_caref">
+                        <?=gettext("Select a certificate authority previously configured in the Certificate Manager."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr class="auth_opt auth_pubkey">
+                      <td><a id="help_for_pubkey_local" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Local Key Pair"); ?></td>
+                      <td>
+                          <select name="local-kpref">
+                              <?php
+                              foreach (ipsec_keypairs() as $keypair_uuid => $keypair) :
+                                  if ($keypair['publicKey'] and $keypair['privateKey']) :
+                                      ?>
+                                      <option value="<?= $keypair_uuid; ?>" <?= isset($pconfig['local-kpref']) && $pconfig['local-kpref'] == $keypair_uuid ? "selected=\"selected\"" : "" ?>>
+                                          <?= $keypair['name']; ?>
+                                      </option>
+                                  <?php
+                                  endif;
+                              endforeach;
+                              ?>
+                          </select>
+                          <div class="hidden" data-for="help_for_pubkey_local">
+                              <?= gettext("Select a local key pair previously configured at IPsec \\ Key Pairs."); ?>
+                              <br />
+                              <?= gettext("This selection will only display key pairs which have both a public and private key."); ?>
+                          </div>
+                      </td>
+                  </tr>
+                  <tr class="auth_opt auth_pubkey">
+                      <td><a id="help_for_pubkey_peer" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Peer Key Pair"); ?></td>
+                      <td>
+                          <select name="peer-kpref">
+                              <?php
+                              foreach (ipsec_keypairs() as $keypair_uuid => $keypair) :
+                                  if ($keypair['publicKey']) :
+                                      ?>
+                                      <option value="<?= $keypair_uuid; ?>" <?= isset($pconfig['peer-kpref']) && $pconfig['peer-kpref'] == $keypair_uuid ? "selected=\"selected\"" : "" ?>>
+                                          <?= $keypair['name']; ?>
+                                      </option>
+                                  <?php
+                                  endif;
+                              endforeach;
+                              ?>
+                          </select>
+                          <div class="hidden" data-for="help_for_pubkey_peer">
+                              <?=gettext("Select a peer key pair previously configured at IPsec \\ Key Pairs."); ?>
+                              <br />
+                              <?= gettext("This selection will only display key pairs which have a public key."); ?>
+                          </div>
+                      </td>
+                  </tr>
+                  <tr class="auth_opt auth_eap_radius">
+                    <td><a id="help_for_authservers" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Radius servers"); ?></td>
+                    <td>
+                      <select name="authservers[]"  multiple="multiple" size="3" class="selectpicker" data-live-search="true">
+<?php
+                      foreach (auth_get_authserver_list() as $auth_server):
+                        if ($auth_server['type'] == "radius"):?>
+                        <option value="<?=$auth_server['name'];?>" <?=!empty($pconfig['authservers']) && in_array($auth_server['name'] ?? '', $pconfig['authservers']) ? 'selected="selected"' : "";?>>
+                          <?=htmlspecialchars($auth_server['name']);?>
+                        </option>
+<?php
+                        endif;
+                      endforeach;?>
+                      </select>
+                      <div class="hidden" data-for="help_for_authservers">
+                        <?=gettext("Select authentication servers to use."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td colspan="2"><b><?=gettext("Phase 1 proposal (Algorithms)"); ?></b></td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_encalg" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Encryption algorithm"); ?></td>
+                    <td>
+                      <select name="ealgo" id="ealgo" data-default-keylen="<?=$pconfig['encryption-algorithm']['keylen'];?>">
+<?php
+                      foreach (ipsec_p1_ealgos() as $algo => $algodata) :
+                      ?>
+                        <option value="<?=$algo;?>" <?= $algo == $pconfig['encryption-algorithm']['name'] ? "selected=\"selected\"" : "" ;?>
+                                data-hi="<?=$algodata['keysel']['hi'];?>"
+                                data-lo="<?=$algodata['keysel']['lo'];?>"
+                                data-step="<?=$algodata['keysel']['step'];?>"
+                            >
+                            <?=$algodata['name'];?>
+                        </option>
+<?php
+                      endforeach;
+?>
+                      </select>
+
+                      <select name="ealgo_keylen" id="ealgo_keylen" width="30">
+                      </select>
+                      <div class="hidden" data-for="help_for_encalg">
+                          <?=gettext("Note: For security reasons avoid the use of DES,3DES,CAST and BLOWFISH protocols"); ?>.
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_halgo" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Hash algorithm"); ?></td>
+                    <td>
+                      <select name="hash-algorithm[]" class="selectpicker" multiple="multiple">
+                      <?php
+                      $p1_halgos = array(
+                        'md5' => 'MD5',
+                        'sha1' => 'SHA1',
+                        'sha256' => 'SHA256',
+                        'sha384' => 'SHA384',
+                        'sha512' => 'SHA512',
+                        'aesxcbc' => 'AES-XCBC'
+                      );
+                      foreach ($p1_halgos as $algo => $algoname) :
+?>
+                        <option value="<?= html_safe($algo) ?>" <?= in_array($algo, $pconfig['hash-algorithm']) ? 'selected="selected"' : '' ?>>
+                          <?= html_safe($algoname) ?>
+                        </option>
+<?php                endforeach;
+?>
+                      </select>
+                      <div class="hidden" data-for="help_for_halgo">
+                        <?=gettext("Note: For security reasons avoid the use of MD5 and SHA1 algorithms."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_dhgroup" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DH key group"); ?></td>
+                    <td>
+                      <select name="dhgroup[]" class="selectpicker" multiple="multiple">
+<?php
+                      $p1_dhgroups = array(
+                           1 => '1 (768 bits)',
+                           2 => '2 (1024 bits)',
+                           5 => '5 (1536 bits)',
+                           14 => '14 (2048 bits)',
+                           15 => '15 (3072 bits)',
+                           16 => '16 (4096 bits)',
+                           17 => '17 (6144 bits)',
+                           18 => '18 (8192 bits)',
+                           19 => '19 (NIST EC 256 bits)',
+                           20 => '20 (NIST EC 384 bits)',
+                           21 => '21 (NIST EC 521 bits)',
+                           22 => '22 (1024(sub 160) bits)',
+                           23 => '23 (2048(sub 224) bits)',
+                           24 => '24 (2048(sub 256) bits)',
+                           28 => '28 (Brainpool EC 256 bits)',
+                           29 => '29 (Brainpool EC 384 bits)',
+                           30 => '30 (Brainpool EC 512 bits)',
+                           31 => '31 (Elliptic Curve 25519)',
+                      );
+                      foreach ($p1_dhgroups as $keygroup => $keygroupname):
+?>
+                        <option value="<?= html_safe($keygroup) ?>" <?= in_array($keygroup, $pconfig['dhgroup']) ? 'selected="selected"' : '' ?>>
+                          <?= html_safe($keygroupname) ?>
+                        </option>
+<?php                endforeach;
+?>
+                      </select>
+                      <div class="hidden" data-for="help_for_dhgroup">
+                        <?=gettext("Must match the setting chosen on the remote side."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td colspan="2"><b><?=gettext("Advanced Options"); ?></b></td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_installpolicy" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Install policy");?></td>
+                    <td>
+                      <input name="installpolicy" type="checkbox" id="installpolicy" value="yes" <?= !empty($pconfig['installpolicy']) ? "checked=\"checked\"" : ""; ?> />
+                      <div class="hidden" data-for="help_for_installpolicy">
+                        <?=gettext("Decides whether IPsec policies are installed in the kernel by the charon daemon for a given connection. ".
+                                   "When using route-based mode (VTI) this needs to be disabled."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_rekey_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Disable Rekey");?></td>
+                    <td>
+                      <input name="rekey_enable" type="checkbox" id="rekey_enable" value="yes" <?= !empty($pconfig['rekey_enable']) ? "checked=\"checked\"" : ""; ?> />
+                      <div class="hidden" data-for="help_for_rekey_enable">
+                        <?=gettext("Whether a connection should be renegotiated when it is about to expire."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_reauth_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Disable Reauth");?></td>
+                    <td>
+                      <input name="reauth_enable" type="checkbox" id="reauth_enable" value="yes" <?= !empty($pconfig['reauth_enable']) ? "checked=\"checked\"" : "";?> />
+                      <div class="hidden" data-for="help_for_reauth_enable">
+                        <?=gettext("Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_tunnel_isolation" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Tunnel Isolation') ?></td>
+                    <td>
+                      <input name="tunnel_isolation" type="checkbox" id="tunnel_isolation" value="yes" <?= !empty($pconfig['tunnel_isolation']) ? 'checked="checked"' : '' ?>/>
+                      <div class="hidden" data-for="help_for_tunnel_isolation">
+                        <?= gettext('This option will create a tunnel for each phase 2 entry for IKEv2 interoperability with e.g. FortiGate devices.') ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_sha256_96" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('SHA256 96 Bit Truncation') ?></td>
+                    <td>
+                      <input name="sha256_96" type="checkbox" id="sha256_96" value="yes" <?= !empty($pconfig['sha256_96']) ? 'checked="checked"' : '' ?>/>
+                      <div class="hidden" data-for="help_for_sha256_96">
+                        <?= gettext(
+                          "For compatibility with implementations that incorrectly use 96-bit (instead of 128-bit) truncation this ".
+                          "option may be enabled to configure the shorter truncation length. This is not negotiated, so this only works ".
+                          "with peers that use the incorrect truncation length (or have this option enabled), e.g. Forcepoint Sidewinder."
+                        ) ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_nat_traversal" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("NAT Traversal"); ?></td>
+                    <td>
+                      <select name="nat_traversal" class="selectpicker">
+                        <option value="off" <?= isset($pconfig['nat_traversal']) && $pconfig['nat_traversal'] == "off" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Disable"); ?>
+                        </option>
+                        <option value="on" <?= isset($pconfig['nat_traversal']) && $pconfig['nat_traversal'] == "on" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Enable"); ?>
+                        </option>
+                        <option value="force" <?= isset($pconfig['nat_traversal']) && $pconfig['nat_traversal'] == "force" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Force"); ?>
+                        </option>
+                      </select>
+                      <div class="hidden" data-for="help_for_nat_traversal">
+                          <?=gettext("Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, " .
+                                                  "which can help with clients that are behind restrictive firewalls."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_mobike" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Disable MOBIKE"); ?></td>
+                    <td>
+                      <input name="mobike" type="checkbox" id="mobike"  <?=!empty($pconfig['mobike']) ? "checked=\"checked\"":"";?> />
+                      <div class="hidden" data-for="help_for_mobike">
+                          <?=gettext("Disables the IKEv2 MOBIKE protocol defined by RFC 4555");?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_closeaction" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Close Action"); ?></td>
+                    <td>
+                      <select name="closeaction" class="selectpicker">
+                        <option value="" <?= empty($pconfig['closeaction']) ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("None"); ?>
+                        </option>
+                        <option value="clear" <?= $pconfig['closeaction'] == "clear" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Clear"); ?>
+                        </option>
+                        <option value="hold" <?= $pconfig['closeaction'] == "hold" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Hold"); ?>
+                        </option>
+                        <option value="restart" <?= $pconfig['closeaction'] == "restart" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Restart"); ?>
+                        </option>
+                      </select>
+                      <div class="hidden" data-for="help_for_closeaction">
+                          <?=gettext(
+                            "Defines the action to take if the remote peer unexpectedly closes a CHILD_SA. ".
+                            "A closeaction should not be used if the peer uses reauthentication or uniqueids checking, ".
+                            "as these events might trigger the defined action when not desired. "
+                          )?>
+                          <br/></br>
+                          <?=gettext(
+                            "With clear the connection is closed with no further actions taken. ".
+                            "hold installs a trap policy, which will catch matching traffic and tries to re-negotiate ".
+                            "the connection on demand. restart will immediately trigger an attempt ".
+                            "to re-negotiate the connection. The default is none and disables the close action."
+                          )?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_unique" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Unique"); ?></td>
+                    <td>
+                      <select name="unique" class="selectpicker">
+                        <option value="" <?= empty($pconfig['unique']) ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Replace"); ?>
+                        </option>
+                        <option value="no" <?= $pconfig['unique'] == "no" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("No"); ?>
+                        </option>
+                        <option value="never" <?= $pconfig['unique'] == "never" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Never"); ?>
+                        </option>
+                        <option value="keep" <?= $pconfig['unique'] == "keep" ? "selected=\"selected\"" :"" ;?> >
+                          <?=gettext("Keep"); ?>
+                        </option>
+                      </select>
+                      <div class="hidden" data-for="help_for_unique">
+                          <?=gettext(
+                            "Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced."
+                          )?>
+                      </div>
+                    </td>
+                  </tr>                  <tr>
+                    <td><a id="help_for_dpd_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Dead Peer Detection"); ?></td>
+                    <td>
+                      <input name="dpd_enable" type="checkbox" id="dpd_enable" value="yes" <?=!empty($pconfig['dpd_delay']) && !empty($pconfig['dpd_maxfail'])?"checked=\"checked\"":"";?> />
+                      <div class="hidden" data-for="help_for_dpd_enable">
+                        <?=gettext("Enable DPD"); ?>
+                      </div>
+                      <div id="opt_dpd">
+                        <br />
+                        <input name="dpd_delay" type="text" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>" />
+                        <?=gettext("seconds"); ?>
+                        <div class="hidden" data-for="help_for_dpd_enable">
+                          <?=gettext("Delay between requesting peer acknowledgement."); ?>
+                        </div>
+                        <br />
+                        <input name="dpd_maxfail" type="text" id="dpd_maxfail" size="5" value="<?=$pconfig['dpd_maxfail'];?>" />
+                        <?=gettext("retries"); ?>
+                        <div class="hidden" data-for="help_for_dpd_enable">
+                          <?=gettext("Number of consecutive failures allowed before disconnect."); ?>
+                        </div>
+                        <br />
+                        <select name="dpd_action" class="selectpicker">
+                          <option value="" <?=empty($pconfig['dpd_action']) ?  "selected=\"selected\"" : ""; ?>><?=gettext("default");?></option>
+                          <option value="restart" <?=$pconfig['dpd_action'] == "restart" ?  "selected=\"selected\"" : ""; ?>><?=gettext("Restart the tunnel");?></option>
+                          <option value="clear" <?=$pconfig['dpd_action'] == "clear" ?  "selected=\"selected\"" : ""; ?>><?=gettext("Stop the tunnel");?></option>
+                        </select>
+                        <?=gettext("DPD action"); ?>
+                        <div class="hidden" data-for="help_for_dpd_enable">
+                          <?=gettext("Choose the behavior here what to do if a peer is detected to be unresponsive to DPD requests."); ?>
+                        </div>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_inactivity_timeout" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Inactivity timeout"); ?></td>
+                    <td>
+                      <input name="inactivity_timeout" type="text" id="inactivity_timeout" value="<?=$pconfig['inactivity_timeout'];?>" />
+                      <div class="hidden" data-for="help_for_inactivity_timeout">
+                        <?=gettext("Time before closing inactive tunnels if they don't handle any traffic. (seconds)"); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_keyingtries" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Keyingtries"); ?></td>
+                    <td>
+                      <input name="keyingtries" type="text" id="keyingtries" value="<?=$pconfig['keyingtries'];?>" />
+                      <div class="hidden" data-for="help_for_keyingtries">
+                        <?=gettext(
+                          "How many attempts should be made to negotiate a connection, or a replacement for one, before giving up (default 3). ".
+                          "Leave empty for default, -1 for forever or any positive integer for the number of tries"
+                        ); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_lifetime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Lifetime"); ?></td>
+                    <td>
+                      <input name="lifetime" type="text" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>" />
+                      <div class="hidden" data-for="help_for_lifetime">
+                        <?=gettext("seconds"); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_margintime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Margintime"); ?></td>
+                    <td>
+                      <input name="margintime" type="text" id="margintime" value="<?=$pconfig['margintime'];?>" />
+                      <div class="hidden" data-for="help_for_margintime">
+                        <?=gettext("Time before SA expiry the rekeying should start. (seconds)"); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_rekeyfuzz" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Rekeyfuzz"); ?></td>
+                    <td>
+                      <input name="rekeyfuzz" type="text" id="rekeyfuzz" value="<?=$pconfig['rekeyfuzz'];?>" />
+                      <div class="hidden" data-for="help_for_rekeyfuzz">
+                        <?=gettext("Percentage by which margintime is randomly increased (may exceed 100%). Randomization may be disabled by setting rekeyfuzz=0%."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td>&nbsp;</td>
+                    <td>
+                      <?php if (isset($p1index) && isset($config['ipsec']['phase1'][$p1index]) && !isset($_GET['dup'])) :
+?>
+                      <input name="p1index" type="hidden" value="<?=$p1index;?>" />
+                      <?php
+endif; ?>
+                      <?php if (!empty($pconfig['mobile'])) :
+?>
+                      <input id="mobile" name="mobile" type="hidden" value="true" />
+                      <?php
+endif; ?>
+                      <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>" />
+                      <input name="Submit" type="submit" class="btn btn-primary" value="<?=html_safe(gettext('Save')); ?>" />
+                    </td>
+                  </tr>
+                </tbody>
+              </table>
+            </div>
+          </form>
+        </div>
+      </section>
+    </div>
+  </div>
+</section>
+
+<?php include("foot.inc");
diff --git a/security/strongswan-legacy/src/www/vpn_ipsec_phase2.php b/security/strongswan-legacy/src/www/vpn_ipsec_phase2.php
new file mode 100644
index 0000000000..ecbed2e7d7
--- /dev/null
+++ b/security/strongswan-legacy/src/www/vpn_ipsec_phase2.php
@@ -0,0 +1,842 @@
+<?php
+
+/*
+ * Copyright (C) 2014 Deciso B.V.
+ * Copyright (C) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
+ * Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("interfaces.inc");
+require_once("plugins.inc.d/ipsec.inc");
+
+/**
+ * combine ealgos and keylen_* tags
+ */
+function pconfig_to_ealgos($pconfig)
+{
+    $ealgos = [];
+    if (isset($pconfig['ealgos'])) {
+        foreach (ipsec_p2_ealgos() as $algo_name => $algo_data) {
+            if (in_array($algo_name, $pconfig['ealgos'])) {
+                $ealgos[] = ['name' => $algo_name];
+            }
+        }
+    }
+    return $ealgos;
+}
+
+function ealgos_to_pconfig(& $ealgos, & $pconfig)
+{
+    $p2_ealgos = ipsec_p2_ealgos();
+    $pconfig['ealgos'] = [];
+    foreach ($ealgos as $cnf_algo_data) {
+        foreach ($p2_ealgos as $algo_name => $algo_data) {
+            if ($algo_name == $cnf_algo_data['name']) {
+                $pconfig['ealgos'][] = $algo_name;
+            } elseif ($algo_data['name'] == $cnf_algo_data['name']) {
+                // XXX: extract and convert legacy encryption-algorithm-option setting
+                if ($cnf_algo_data['keylen'] == $algo_data['keylen'] || $cnf_algo_data['keylen'] == "auto") {
+                    $pconfig['ealgos'][] = $algo_name;
+                }
+            }
+        }
+    }
+
+    return $ealgos;
+}
+
+/**
+ * convert <tag>id_address, <tag>id_netbits, <tag>id_type
+ * to type/address/netbits structure
+ */
+function pconfig_to_idinfo($prefix, $pconfig)
+{
+    $type = isset($pconfig[$prefix."id_type"]) ? $pconfig[$prefix."id_type"] : null;
+    $address = isset($pconfig[$prefix."id_address"]) ? $pconfig[$prefix."id_address"] : null;
+    $netbits = isset($pconfig[$prefix."id_netbits"]) ? $pconfig[$prefix."id_netbits"] : null;
+
+    switch ($type) {
+        case "address":
+            return array('type' => $type, 'address' => $address);
+        case "network":
+            return array('type' => $type, 'address' => $address, 'netbits' => $netbits);
+        default:
+            return array('type' => $type );
+    }
+}
+
+/**
+ * reverse pconfig_to_idinfo from $idinfo array to $pconfig
+ */
+function idinfo_to_pconfig($prefix, $idinfo, & $pconfig)
+{
+    switch ($idinfo['type']) {
+        case "address":
+            $pconfig[$prefix."id_type"] = $idinfo['type'];
+            $pconfig[$prefix."id_address"] = $idinfo['address'];
+            break;
+        case "network":
+            $pconfig[$prefix."id_type"] = $idinfo['type'];
+            $pconfig[$prefix."id_address"] = $idinfo['address'];
+            $pconfig[$prefix."id_netbits"] = $idinfo['netbits'];
+            break;
+        default:
+            $pconfig[$prefix."id_type"] = $idinfo['type'];
+            break;
+    }
+}
+
+/**
+ * search phase 2 entries for record with uniqid
+ */
+function getIndexByUniqueId($uniqid)
+{
+    global $config;
+    $p2index = null;
+    if ($uniqid != null) {
+        foreach ($config['ipsec']['phase2'] as $idx => $ph2) {
+            if ($ph2['uniqid'] == $uniqid) {
+                $p2index = $idx;
+                break;
+            }
+        }
+    }
+    return $p2index;
+}
+
+config_read_array('ipsec', 'client');
+config_read_array('ipsec', 'phase2');
+
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    // lookup p2index
+    if (!empty($_GET['dup'])) {
+        $p2index = getIndexByUniqueId($_GET['dup']);
+    } elseif (!empty($_GET['p2index'])) {
+        $p2index = getIndexByUniqueId($_GET['p2index']);
+    } else {
+        $p2index = null;
+    }
+    // initialize form data
+    $pconfig = array();
+
+    $phase2_fields = "ikeid,mode,descr,uniqid,proto,hash-algorithm-option,pfsgroup,lifetime,pinghost,protocol,spd,";
+    $phase2_fields .= "tunnel_local,tunnel_remote";
+    if ($p2index !== null) {
+        // 1-on-1 copy
+        foreach (explode(",", $phase2_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if (isset($config['ipsec']['phase2'][$p2index][$fieldname])) {
+                $pconfig[$fieldname] = $config['ipsec']['phase2'][$p2index][$fieldname];
+            } elseif (!isset($pconfig[$fieldname])) {
+                // initialize element
+                $pconfig[$fieldname] = null;
+            }
+        }
+        // fields with some kind of logic
+        $pconfig['disabled'] = isset($config['ipsec']['phase2'][$p2index]['disabled']);
+
+        idinfo_to_pconfig("local", $config['ipsec']['phase2'][$p2index]['localid'], $pconfig);
+        idinfo_to_pconfig("remote", $config['ipsec']['phase2'][$p2index]['remoteid'], $pconfig);
+        if (!empty($config['ipsec']['phase2'][$p2index]['encryption-algorithm-option'])) {
+            ealgos_to_pconfig($config['ipsec']['phase2'][$p2index]['encryption-algorithm-option'], $pconfig);
+        } else {
+            $pconfig['ealgos'] = [];
+        }
+
+        if (!empty($_GET['dup'])) {
+            $pconfig['uniqid'] = uniqid();
+        }
+    } else {
+        if (isset($_GET['ikeid'])) {
+            $pconfig['ikeid'] = $_GET['ikeid'];
+        }
+        /* defaults */
+        $pconfig['localid_type'] = "lan";
+        $pconfig['remoteid_type'] = "network";
+        $pconfig['protocol'] = "esp";
+        $pconfig['ealgos'] = ['aes256gcm16'];
+        $pconfig['hash-algorithm-option'] = ['hmac_sha256'];
+        $pconfig['pfsgroup'] = "0";
+        $pconfig['uniqid'] = uniqid();
+
+        // init empty
+        foreach (explode(",", $phase2_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if (!isset($pconfig[$fieldname])) {
+                $pconfig[$fieldname] = null;
+            }
+        }
+    }
+    /* mobile client */
+    foreach ($config['ipsec']['phase1'] as $phase1ent) {
+        if ($phase1ent['ikeid'] == $pconfig['ikeid'] && isset($phase1ent['mobile'])) {
+            $pconfig['mobile'] = true;
+            break;
+        }
+    }
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (!empty($_POST['uniqid'])) {
+        $p2index = getIndexByUniqueId($_POST['uniqid']);
+    } else {
+        $p2index = null;
+    }
+    $input_errors = array();
+    $pconfig = $_POST;
+
+    /* input validation */
+    if (!isset($_POST['ikeid'])) {
+        $input_errors[] = gettext("A valid ikeid must be specified.");
+    }
+    $reqdfields = explode(" ", "localid_type uniqid");
+    $reqdfieldsn = array(gettext("Local network type"), gettext("Unique Identifier"));
+    if (!isset($pconfig['mobile'])) {
+        $reqdfields[] = "remoteid_type";
+        $reqdfieldsn[] = gettext("Remote network type");
+    }
+
+    do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+
+    if (($pconfig['mode'] == 'tunnel') || ($pconfig['mode'] == 'tunnel6')) {
+        switch ($pconfig['localid_type']) {
+            case 'network':
+                if (($pconfig['localid_netbits'] != 0 && !$pconfig['localid_netbits']) || !is_numeric($pconfig['localid_netbits'])) {
+                    $input_errors[] = gettext('A valid local network bit count must be specified.');
+                }
+                /* FALLTHROUGH */
+            case 'address':
+                if (!$pconfig['localid_address'] || !is_ipaddr($pconfig['localid_address'])) {
+                    $input_errors[] = gettext('A valid local network IP address must be specified.');
+                } elseif (is_ipaddrv4($pconfig['localid_address']) && ($pconfig['mode'] != 'tunnel')) {
+                    $input_errors[] = gettext('A valid local network IPv4 address must be specified or you need to change Mode to IPv6');
+                } elseif (is_ipaddrv6($pconfig['localid_address']) && ($pconfig['mode'] != 'tunnel6')) {
+                    $input_errors[] = gettext('A valid local network IPv6 address must be specified or you need to change Mode to IPv4');
+                }
+                break;
+            default:
+                if ($pconfig['mode'] == 'tunnel') {
+                    list (, $subnet) = interfaces_primary_address($pconfig['localid_type']);
+                    if (!is_subnetv4($subnet)) {
+                        $input_errors[] = sprintf(
+                            gettext('Invalid local network: %s has no valid IPv4 network.'),
+                            convert_friendly_interface_to_friendly_descr($pconfig['localid_type'])
+                        );
+                    }
+                } elseif ($pconfig['mode'] == 'tunnel6') {
+                    list (, $subnet) = interfaces_primary_address6($pconfig['localid_type']);
+                    if (!is_subnetv6($subnet)) {
+                        $input_errors[] = sprintf(
+                            gettext('Invalid local network: %s has no valid IPv6 network.'),
+                            convert_friendly_interface_to_friendly_descr($pconfig['localid_type'])
+                        );
+                    }
+                }
+                break;
+        }
+
+        switch ($pconfig['remoteid_type']) {
+            case "network":
+                if (($pconfig['remoteid_netbits'] != 0 && !$pconfig['remoteid_netbits']) || !is_numeric($pconfig['remoteid_netbits'])) {
+                    $input_errors[] = gettext("A valid remote network bit count must be specified.");
+                }
+                // address rules also apply to network type (hence, no break)
+            case "address":
+                if (!$pconfig['remoteid_address'] || !is_ipaddr($pconfig['remoteid_address'])) {
+                    $input_errors[] = gettext("A valid remote network IP address must be specified.");
+                } elseif (is_ipaddrv4($pconfig['remoteid_address']) && ($pconfig['mode'] != "tunnel")) {
+                    $input_errors[] = gettext("A valid remote network IPv4 address must be specified or you need to change Mode to IPv6");
+                } elseif (is_ipaddrv6($pconfig['remoteid_address']) && ($pconfig['mode'] != "tunnel6")) {
+                    $input_errors[] = gettext("A valid remote network IPv6 address must be specified or you need to change Mode to IPv4");
+                }
+                break;
+        }
+    } elseif ($pconfig['mode'] == 'route-based') {
+        // validate if both tunnel networks are using the correct address family
+        if (!is_ipaddr($pconfig['tunnel_local']) || !is_ipaddr($pconfig['tunnel_remote'])) {
+            if (!is_ipaddr($pconfig['tunnel_local'])) {
+                $input_errors[] = gettext('A valid local network IP address must be specified.');
+            }
+            if (!is_ipaddr($pconfig['tunnel_remote'])) {
+                $input_errors[] = gettext("A valid remote network IP address must be specified.");
+            }
+        } elseif(
+            !(is_ipaddrv4($pconfig['tunnel_local']) && is_ipaddrv4($pconfig['tunnel_remote'])) &&
+            !(is_ipaddrv6($pconfig['tunnel_local']) && is_ipaddrv6($pconfig['tunnel_remote']))
+        ) {
+            $input_errors[] = gettext("A valid local network IP address must be specified.");
+            $input_errors[] = gettext("A valid remote network IP address must be specified.");
+        }
+    }
+    /* Validate enabled phase2's are not duplicates */
+    if (isset($pconfig['mobile'])) {
+        /* User is adding phase 2 for mobile phase1 */
+        foreach ($config['ipsec']['phase2'] as $key => $name) {
+            if (isset($name['mobile']) && $pconfig['ikeid'] == $name['ikeid'] && $name['uniqid'] != $pconfig['uniqid']) {
+                /* check duplicate localids only for mobile clients */
+                $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']);
+                $entered = array();
+                $entered['type'] = $pconfig['localid_type'];
+                if (isset($pconfig['localid_address'])) {
+                    $entered['address'] = $pconfig['localid_address'];
+                }
+                if (isset($pconfig['localid_netbits'])) {
+                    $entered['netbits'] = $pconfig['localid_netbits'];
+                }
+                $entered_localid_data = ipsec_idinfo_to_cidr($entered, false, $pconfig['mode']);
+                if ($localid_data == $entered_localid_data) {
+                    /* adding new p2 entry */
+                    $input_errors[] = gettext("Phase2 with this Local Network is already defined for mobile clients.");
+                    break;
+                }
+            }
+        }
+    } else {
+        /* User is adding phase 2 for site-to-site phase1 */
+        foreach ($config['ipsec']['phase2'] as $key => $name) {
+            if (!isset($name['mobile']) && $pconfig['mode'] != 'route-based' &&
+                    $pconfig['ikeid'] == $name['ikeid'] && $pconfig['uniqid'] != $name['uniqid']) {
+                /* check duplicate subnets only for given phase1 */
+                $localid_data = ipsec_idinfo_to_cidr($name['localid'], false, $name['mode']);
+                $remoteid_data = ipsec_idinfo_to_cidr($name['remoteid'], false, $name['mode']);
+                $entered_local = array();
+                $entered_local['type'] = $pconfig['localid_type'];
+                if (isset($pconfig['localid_address'])) {
+                    $entered_local['address'] = $pconfig['localid_address'];
+                }
+                if (isset($pconfig['localid_netbits'])) {
+                    $entered_local['netbits'] = $pconfig['localid_netbits'];
+                }
+                $entered_localid_data = ipsec_idinfo_to_cidr($entered_local, false, $pconfig['mode']);
+                $entered_remote = array();
+                $entered_remote['type'] = $pconfig['remoteid_type'];
+                if (isset($pconfig['remoteid_address'])) {
+                    $entered_remote['address'] = $pconfig['remoteid_address'];
+                }
+                if (isset($pconfig['remoteid_netbits'])) {
+                    $entered_remote['netbits'] = $pconfig['remoteid_netbits'];
+                }
+                $entered_remoteid_data = ipsec_idinfo_to_cidr($entered_remote, false, $pconfig['mode']);
+                if ($localid_data == $entered_localid_data && $remoteid_data == $entered_remoteid_data) {
+                    /* adding new p2 entry */
+                    $input_errors[] = gettext("Phase2 with this Local/Remote networks combination is already defined for this Phase1.");
+                    break;
+                }
+            }
+        }
+    }
+
+    if (!empty($pconfig['ikeid'])) {
+        foreach ($config['ipsec']['phase1'] as $phase1ent) {
+            if ($phase1ent['ikeid'] == $pconfig['ikeid'] &&
+                $pconfig['mode'] == 'route-based' &&
+                empty($phase1ent['noinstallpolicy'])
+            ) {
+                $input_errors[] = gettext(
+                    "Install policy on phase1 is not a valid option when using Route-based phase 2 entries."
+                );
+                break;
+            }
+        }
+    }
+
+    /* For ESP protocol, handle encryption algorithms */
+    if ($pconfig['protocol'] == "esp") {
+        $ealgos = pconfig_to_ealgos($pconfig);
+
+        if (!count($ealgos)) {
+            $input_errors[] = gettext("At least one encryption algorithm must be selected.");
+        } else {
+            if (empty($pconfig['hash-algorithm-option'])) {
+                foreach ($ealgos as $ealgo) {
+                    if (!strpos($ealgo['name'], "gcm")) {
+                        $input_errors[] = gettext("At least one hashing algorithm needs to be selected.");
+                        break;
+                    }
+                }
+                $pconfig['hash-algorithm-option'] = array();
+            }
+        }
+    }
+    if ((!empty($_POST['lifetime']) && !is_numeric($_POST['lifetime']))) {
+        $input_errors[] = gettext("The P2 lifetime must be an integer.");
+    }
+
+    if (!empty($pconfig['spd'])) {
+        foreach (explode(',', $pconfig['spd']) as $spd_entry) {
+            if (($pconfig['mode'] == "tunnel" && !is_subnetv4(trim($spd_entry))) ||
+              ($pconfig['mode'] == "tunnel6" && !is_subnetv6(trim($spd_entry)))) {
+                $input_errors[] = sprintf(gettext('SPD "%s" is not a valid network, it should match the tunnel type (IPv4/IPv6).'), $spd_entry) ;
+            }
+        }
+    }
+
+    if (count($input_errors) == 0) {
+        $ph2ent = array();
+        $copy_fields = "ikeid,uniqid,mode,pfsgroup,lifetime,pinghost,descr,protocol,spd";
+
+        // 1-on-1 copy
+        foreach (explode(",", $copy_fields) as $fieldname) {
+            $fieldname = trim($fieldname);
+            if (!empty($pconfig[$fieldname])) {
+                $ph2ent[$fieldname] = $pconfig[$fieldname];
+            }
+        }
+
+        // fields with some logic in them
+        $ph2ent['disabled'] = $pconfig['disabled'] ? true : false;
+        if (($ph2ent['mode'] == "tunnel") || ($ph2ent['mode'] == "tunnel6")) {
+            $ph2ent['localid'] = pconfig_to_idinfo("local", $pconfig);
+            $ph2ent['remoteid'] = pconfig_to_idinfo("remote", $pconfig);
+        } elseif ($ph2ent['mode'] == 'route-based') {
+            $ph2ent['tunnel_local'] = $pconfig['tunnel_local'];
+            $ph2ent['tunnel_remote'] = $pconfig['tunnel_remote'];
+        }
+
+        $ph2ent['encryption-algorithm-option'] = pconfig_to_ealgos($pconfig);
+
+        if (!empty($pconfig['hash-algorithm-option'])) {
+            $ph2ent['hash-algorithm-option'] = $pconfig['hash-algorithm-option'];
+        } else {
+            unset($ph2ent['hash-algorithm-option']);
+        }
+
+        // attach or generate reqid
+        if ($p2index !== null && !empty($config['ipsec']['phase2'][$p2index]['reqid'])) {
+            $ph2ent['reqid'] = $config['ipsec']['phase2'][$p2index]['reqid'];
+        } else {
+            $reqids = [];
+            foreach ($config['ipsec']['phase2'] as $tmp) {
+                if (!empty($tmp['reqid'])) {
+                    $reqids[] = $tmp['reqid'];
+                }
+            }
+            for ($i=1; $i < 65535; $i++) {
+                if (!in_array($i, $reqids)) {
+                    $ph2ent['reqid'] = $i;
+                    break;
+                }
+            }
+        }
+        // save to config
+        if ($p2index !== null) {
+            $config['ipsec']['phase2'][$p2index] = $ph2ent;
+        } else {
+            $config['ipsec']['phase2'][] = $ph2ent;
+        }
+
+
+        write_config();
+        mark_subsystem_dirty('ipsec');
+
+        header(url_safe('Location: /ui/ipsec/tunnels'));
+        exit;
+    }
+}
+
+$service_hook = 'strongswan';
+
+legacy_html_escape_form_data($pconfig);
+
+include("head.inc");
+
+?>
+
+<body>
+<?php include("fbegin.inc"); ?>
+<script>
+    $( document ).ready(function() {
+        $("#mode").change(function(){
+            $(".opt_localid").hide();
+            $(".opt_remoteid").hide();
+            $(".opt_route").hide();
+            if ($(this).val() == 'tunnel' || $(this).val() == 'tunnel6') {
+                $(".opt_localid").show();
+                if ($("#mobile").val() == undefined) {
+                    $(".opt_remoteid").show();
+                }
+            } else if ($(this).val() == 'route-based') {
+                $(".opt_route").show();
+            }
+            $(window).resize();
+        });
+        $("#mode").change();
+
+        $("#proto").change(function(){
+            if ($(this).val() == 'esp') {
+                $("#opt_enc").show();
+            } else {
+                $("#opt_enc").hide();
+            }
+            $(window).resize();
+        });
+        $("#proto").change();
+
+        ['localid', 'remoteid'].map(function(field){
+            $("#"+field+"_type").change(function(){
+                $("#"+field+"_netbits").prop("disabled", true);
+                $("#"+field+"_address").prop("disabled", true);
+                switch ($(this).val()) {
+                    case 'address':
+                        $("#"+field+"_address").prop("disabled", false);
+                        break;
+                    case 'network':
+                        $("#"+field+"_netbits").prop("disabled", false);
+                        $("#"+field+"_address").prop("disabled", false);
+                        break;
+                    default:
+                        break;
+                }
+                $(window).resize();
+            });
+            $("#"+field+"_type").change();
+        });
+
+        // hook in, ipv4/ipv6 selector events
+        hook_ipv4v6('ipv4v6net', 'network-id');
+    });
+</script>
+
+<?php
+if (isset($input_errors) && count($input_errors) > 0) {
+    print_input_errors($input_errors);
+}
+?>
+<section class="page-content-main">
+  <div class="container-fluid">
+    <div class="row">
+        <section class="col-xs-12">
+        <div class="tab-content content-box col-xs-12">
+          <form method="post" name="iform" id="iform">
+            <div class="table-responsive">
+              <table class="table table-striped opnsense_standard_table_form">
+                <tr>
+                  <td style="width:22%"><b><?=gettext("General information"); ?></b></td>
+                  <td style="width:78%; text-align:right">
+                    <small><?=gettext("full help"); ?> </small>
+                    <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+                  </td>
+                </tr>
+                <tr>
+                  <td style="width:22%"><a id="help_for_disabled" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?></td>
+                  <td style="width:78%" class="vtable">
+                    <input name="disabled" type="checkbox" id="disabled" value="yes" <?= !empty($pconfig['disabled']) ? "checked=\"checked\"" : "" ;?> />
+                    <div class="hidden" data-for="help_for_disabled">
+                        <?=gettext("Disable this phase2 entry"); ?><br/>
+                        <?=gettext("Set this option to disable this phase2 entry without " .
+                                                  "removing it from the list"); ?>.
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i>  <?=gettext("Mode"); ?></td>
+                  <td>
+                    <select name="mode" id="mode">
+                        <?php
+                        $p2_modes = array(
+                        'tunnel' => 'Tunnel IPv4',
+                        'tunnel6' => 'Tunnel IPv6',
+                        'route-based' => 'Route-based',
+                        'transport' => 'Transport');
+                        foreach ($p2_modes as $name => $value) :
+    ?>
+                        <option value="<?=$name;?>"
+                          <?=$name == $pconfig['mode'] ? "selected=\"selected\"":"" ;?>><?=$value;?>
+                        </option>
+<?php
+                        endforeach;
+?>
+                    </select>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_descr" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Description"); ?></td>
+                  <td>
+                    <input name="descr" type="text" id="descr" size="40" value="<?=$pconfig['descr'];?>" />
+                    <div class="hidden" data-for="help_for_descr">
+                      <?=gettext("You may enter a description here for your reference (not parsed)."); ?>
+                    </div>
+                  </td>
+                </tr>
+                <!-- Route based tunnel -->
+                <tr class="opt_route">
+                  <td colspan="2"><b><?=gettext("Tunnel network");?></b></td>
+                </tr>
+                <tr class="opt_route">
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Local Address");?> </td>
+                  <td>
+                    <input name="tunnel_local" type="text" id="tunnel_local" size="28" value="<?=$pconfig['tunnel_local'];?>" />
+                  </td>
+                </tr>
+                <tr class="opt_route">
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Remote Address");?> </td>
+                  <td>
+                    <input name="tunnel_remote" type="text" id="tunnel_remote" size="28" value="<?=$pconfig['tunnel_remote'];?>" />
+                  </td>
+                </tr>
+                <!-- Tunnel settings -->
+                <tr class="opt_localid">
+                  <td colspan="2"><b><?=gettext("Local Network");?></b></td>
+                </tr>
+                <tr class="opt_localid">
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Type"); ?> </td>
+                  <td>
+                    <select name="localid_type" id="localid_type">
+                      <option value="address" <?=$pconfig['localid_type'] == "address" ? "selected=\"selected\"" : ""?> ><?=gettext("Address"); ?></option>
+                      <option value="network" <?=$pconfig['localid_type'] == "network" ? "selected=\"selected\"" : ""?> ><?=gettext("Network"); ?></option>
+<?php
+                      $iflist = get_configured_interface_with_descr();
+                      foreach ($iflist as $ifname => $ifdescr) :?>
+                        <option value="<?=htmlspecialchars($ifname);?>" <?= $pconfig['localid_type'] == $ifname ? "selected=\"selected\"" : "" ;?> >
+                          <?=sprintf(gettext("%s subnet"), htmlspecialchars($ifdescr)); ?>
+                        </option>
+<?php
+                      endforeach;?>
+                    </select>
+                  </td>
+                </tr>
+                <tr class="opt_localid">
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Address:");?>&nbsp;&nbsp;</td>
+                  <td>
+                    <table style="max-width: 348px">
+                      <tr>
+                        <td>
+                          <input name="localid_address" type="text" style="width: 278px" id="localid_address" size="28" value="<?=$pconfig['localid_address'];?>" />
+                        </td>
+                        <td>
+                          <select name="localid_netbits" data-network-id="localid_address" class="selectpicker ipv4v6net" data-size="10" data-width="70px" id="localid_netbits">
+<?php for ($i = 128; $i >= 0; $i--) : ?>
+                            <option value="<?=$i;?>" <?= isset($pconfig['localid_netbits']) && $i == $pconfig['localid_netbits'] ? "selected=\"selected\"" : "";?>>
+                              <?=$i;?>
+                            </option>
+<?php endfor ?>
+                          </select>
+                        </td>
+                      </tr>
+                    </table>
+                  </td>
+                </tr>
+<?php if (!isset($pconfig['mobile'])): ?>
+                <tr class="opt_remoteid">
+                  <td colspan="2"><b><?=gettext("Remote Network");?></b></td>
+                </tr>
+                <tr class="opt_remoteid">
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Type"); ?>:&nbsp;&nbsp;</td>
+                  <td>
+                    <select name="remoteid_type" id="remoteid_type">
+                      <option value="address" <?= $pconfig['remoteid_type'] == "address" ? "selected=\"selected\"" : "";?>>
+                        <?=gettext("Address"); ?>
+                      </option>
+                      <option value="network" <?= $pconfig['remoteid_type'] == "network" ? "selected=\"selected\"" : "";?>>
+                        <?=gettext("Network"); ?>
+                      </option>
+                    </select>
+                  </td>
+                </tr>
+                <tr class="opt_remoteid">
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Address"); ?>:&nbsp;&nbsp;</td>
+                  <td>
+                    <table style="max-width: 348px">
+                      <tr>
+                        <td>
+                          <input name="remoteid_address" type="text" style="width: 278px" id="remoteid_address" size="28" value="<?=$pconfig['remoteid_address'];?>" />
+                        </td>
+                        <td>
+                          <select name="remoteid_netbits" data-network-id="remoteid_address" class="selectpicker ipv4v6net" data-size="10" data-width="70px" id="remoteid_netbits">
+<?php for ($i = 128; $i >= 0; $i--): ?>
+                            <option value="<?=$i;?>" <?= isset($pconfig['remoteid_netbits']) && $i == $pconfig['remoteid_netbits'] ? "selected=\"selected\"" : "";?> >
+                              <?=$i;?>
+                            </option>
+<?php endfor ?>
+                          </select>
+                        </td>
+                      </tr>
+                    </table>
+                  </td>
+                </tr>
+
+<?php
+endif; ?>
+                <tr>
+                  <td colspan="2">
+                    <b><?=gettext("Phase 2 proposal (SA/Key Exchange)"); ?></b>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_proto" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Protocol"); ?></td>
+                  <td style="width:78%" class="vtable">
+                    <select name="protocol" id="proto">
+<?php
+                    foreach (array('esp' => 'ESP','ah' => 'AH') as $proto => $protoname) :?>
+                      <option value="<?=$proto;?>" <?= $proto == $pconfig['protocol'] ? "selected=\"selected\"" : "";?>>
+                        <?=$protoname;?>
+                      </option>
+<?php
+                    endforeach; ?>
+                    </select>
+                    <br />
+                    <div class="hidden" data-for="help_for_proto">
+                        <?=gettext("ESP is encryption, AH is authentication only"); ?>
+                    </div>
+                  </td>
+                </tr>
+                <tr id="opt_enc">
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Encryption algorithms"); ?></td>
+                  <td>
+                      <select name="ealgos[]" class="selectpicker" multiple="multiple">
+<?php
+                      foreach (ipsec_p2_ealgos() as $algo => $algodata) :?>
+                          <option value="<?=$algo;?>" <?= (is_array($pconfig['ealgos']) && in_array($algo, $pconfig['ealgos'])) ? 'selected="selected"' : '' ?> >
+                            <?=$algodata['descr'];?>
+                          </option>
+<?php
+                      endforeach;?>
+
+                      </select>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_hashalg" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Hash algorithms"); ?></td>
+                  <td style="width:78%" class="vtable">
+                    <select name="hash-algorithm-option[]" class="selectpicker" multiple="multiple">
+<?php foreach (ipsec_p2_halgos() as $algo => $algoname): ?>
+                      <option value="<?= html_safe($algo) ?>" <?= (is_array($pconfig['hash-algorithm-option']) && in_array($algo, $pconfig['hash-algorithm-option'])) ? 'selected="selected"' : '' ?>>
+                        <?= html_safe($algoname) ?>
+                      </option>
+<?php endforeach ?>
+                    </select>
+                    <div class="hidden" data-for="help_for_hashalg">
+                        <?=gettext("Note: For security reasons avoid the use of the SHA1 algorithm."); ?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("PFS key group"); ?></td>
+                  <td>
+<?php
+                  if (!isset($pconfig['mobile']) || !isset($config['ipsec']['client']['pfs_group'])) :?>
+                    <select name="pfsgroup">
+<?php
+                    $p2_dhgroups = array(
+                        0 => gettext('off'),
+                        1 => '1 (768 bits)',
+                        2 => '2 (1024 bits)',
+                        5 => '5 (1536 bits)',
+                        14 => '14 (2048 bits)',
+                        15 => '15 (3072 bits)',
+                        16 => '16 (4096 bits)',
+                        17 => '17 (6144 bits)',
+                        18 => '18 (8192 bits)',
+                        19 => '19 (NIST EC 256 bits)',
+                        20 => '20 (NIST EC 384 bits)',
+                        21 => '21 (NIST EC 521 bits)',
+                        22 => '22 (1024(sub 160) bits)',
+                        23 => '23 (2048(sub 224) bits)',
+                        24 => '24 (2048(sub 256) bits)',
+                        28 => '28 (Brainpool EC 256 bits)',
+                        29 => '29 (Brainpool EC 384 bits)',
+                        30 => '30 (Brainpool EC 512 bits)',
+                        31 => '31 (Elliptic Curve 25519)',
+                    );
+                    foreach ($p2_dhgroups as $keygroup => $keygroupname): ?>
+                      <option value="<?=$keygroup;?>" <?= $keygroup == $pconfig['pfsgroup'] ? "selected=\"selected\"" : "";?>>
+                        <?=$keygroupname;?>
+                      </option>
+<?php
+                    endforeach; ?>
+                    </select>
+<?php
+                  else :?>
+                    <select disabled="disabled">
+                      <option selected="selected"><?=$p2_pfskeygroups[$config['ipsec']['client']['pfs_group']];?></option>
+                    </select>
+                    <input name="pfsgroup" type="hidden" value="<?=$pconfig['pfsgroup'];?>" />
+                    <br />
+                    <em><?=gettext("Set globally in mobile client options"); ?></em>
+<?php
+                  endif; ?>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Lifetime"); ?></td>
+                  <td>
+                    <input name="lifetime" type="text" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>" />
+                    <?=gettext("seconds"); ?>
+                  </td>
+                </tr>
+                <tr>
+                  <td colspan="2">
+                    <b><?=gettext("Advanced Options"); ?></b>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_pinghost" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Automatically ping host"); ?></td>
+                  <td>
+                    <input name="pinghost" type="text" id="pinghost" size="28" value="<?=$pconfig['pinghost'];?>" />
+                    <div class="hidden" data-for="help_for_pinghost">
+                        <?=gettext("IP address"); ?>
+                    </div>
+                  </td>
+                </tr>
+<?php
+                if (!isset($pconfig['mobile'])):?>
+                <tr class="opt_localid">
+                  <td><a id="help_for_spd" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Manual SPD entries"); ?></td>
+                  <td>
+                    <input name="spd" type="text" id="spd" value="<?= $pconfig['spd'];?>" />
+                    <div class="hidden" data-for="help_for_spd">
+                        <strong><?=gettext("Register additional Security Policy Database entries"); ?></strong><br/>
+                        <?=gettext("Strongswan automatically creates SPD policies for the networks defined in this phase2. ".
+                                   "If you need to allow other networks to use this ipsec tunnel, you can add them here as a comma-separated list.".
+                                   "When configured, you can use network address translation to push packets through this tunnel from these networks."); ?><br/>
+                        <small><?=gettext("e.g. 192.168.1.0/24, 192.168.2.0/24"); ?></small>
+                    </div>
+                  </td>
+                </tr>
+<?php
+                endif; ?>
+                <tr>
+                  <td>&nbsp;</td>
+                  <td style="width:78%">
+<?php
+                 if (isset($pconfig['mobile'])) :?>
+                    <input name="mobile" type="hidden" value="true" />
+                    <input name="remoteid_type" type="hidden" value="mobile" />
+<?php
+                 endif; ?>
+                    <input name="Submit" type="submit" class="btn btn-primary" value="<?=html_safe(gettext('Save')); ?>" />
+                    <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>" />
+                    <input name="uniqid" type="hidden" value="<?=$pconfig['uniqid'];?>" />
+                  </td>
+                </tr>
+              </table>
+            </div>
+          </form>
+        </div>
+      </section>
+    </div>
+  </div>
+</section>
+
+<?php include("foot.inc"); ?>

From 259fb1ebb88f0d3779254131da905220f4fe78f8 Mon Sep 17 00:00:00 2001
From: Gauss23 <gauss@gmx.de>
Date: Sun, 20 Jul 2025 07:57:08 +0200
Subject: [PATCH 2544/3088] Netbird fixes (#4827)

* Changed routes to networks as Netbird changed the name

* Also changed the field name from routes to networks
---
 .../controllers/OPNsense/Netbird/Api/ServiceController.php    | 2 +-
 .../opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
index 466c56c682..f0b5e7e14d 100644
--- a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
+++ b/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
@@ -136,7 +136,7 @@ private function flattenOneLevel($array): array
         foreach ($array as $key => $value) {
             if (is_array($value)) {
                 foreach ($value as $subkey => $subvalue) {
-                    if ($key == "routes") {
+                    if ($key == "networks") {
                         $result[$key] = implode("<br />", $value);
                     } else {
                         $result[$key . "." . $subkey] = $subvalue;
diff --git a/net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt b/net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
index 4d12f6127d..4cdc7654a6 100644
--- a/net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
+++ b/net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
@@ -114,8 +114,8 @@
         <tr>
             <th data-column-id="fqdn" data-type="string" data-identifier="false"
                 data-visible="true">{{ lang._('FQDN') }}</th>
-            <th data-column-id="routes" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('Routes') }}</th>
+            <th data-column-id="networks" data-type="string" data-identifier="false"
+                data-visible="true">{{ lang._('Networks') }}</th>
             <th data-width="8%" data-column-id="netbirdIp" data-type="string" data-identifier="false"
                 data-visible="true">{{ lang._('IP') }}</th>
             <th data-width="5%" data-column-id="direct" data-type="string" data-identifier="false"

From 3b95aa598fa6174e91b998ef1908807a2485d9ba Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Sun, 20 Jul 2025 11:42:28 +0200
Subject: [PATCH 2545/3088] crowdsec: migrate bootgrid -> UIBootGrid (#4816)

* bootgrid -> UIBootGrid

* server-side filtering, pagination etc.

* version bump

* add some field defaults; lint
---
 security/crowdsec/Makefile                    |   2 +-
 security/crowdsec/pkg-descr                   |   5 +
 .../OPNsense/CrowdSec/AlertsController.php    |  18 +
 .../CrowdSec/Api/AlertsController.php         |  67 ++-
 .../CrowdSec/Api/AppsecconfigsController.php  |  47 ++
 .../CrowdSec/Api/AppsecrulesController.php    |  47 ++
 .../CrowdSec/Api/BouncersController.php       |  25 +-
 .../CrowdSec/Api/CollectionsController.php    |  47 ++
 .../CrowdSec/Api/DecisionsController.php      | 103 +++-
 .../OPNsense/CrowdSec/Api/HubController.php   |  33 --
 .../CrowdSec/Api/MachinesController.php       |  26 +-
 .../CrowdSec/Api/ParsersController.php        |  47 ++
 .../CrowdSec/Api/PostoverflowsController.php  |  47 ++
 .../CrowdSec/Api/ScenariosController.php      |  47 ++
 .../CrowdSec/Api/ServiceController.php        |  32 +-
 .../CrowdSec/Api/VersionController.php        |   3 +-
 .../CrowdSec/AppsecconfigsController.php      |  18 +
 .../CrowdSec/AppsecrulesController.php        |  18 +
 .../OPNsense/CrowdSec/BouncersController.php  |  18 +
 .../CrowdSec/CollectionsController.php        |  18 +
 .../OPNsense/CrowdSec/DecisionsController.php |  18 +
 .../OPNsense/CrowdSec/GeneralController.php   |   2 +-
 .../OPNsense/CrowdSec/MachinesController.php  |  18 +
 .../OPNsense/CrowdSec/OverviewController.php  |   2 +-
 .../OPNsense/CrowdSec/ParsersController.php   |  18 +
 .../CrowdSec/PostoverflowsController.php      |  18 +
 .../OPNsense/CrowdSec/ScenariosController.php |  18 +
 .../app/library/OPNsense/CrowdSec/Util.php    |  15 +
 .../app/models/OPNsense/CrowdSec/General.xml  |   2 +-
 .../models/OPNsense/CrowdSec/Menu/Menu.xml    |  11 +-
 .../app/views/OPNsense/CrowdSec/alerts.volt   |  62 +++
 .../OPNsense/CrowdSec/appsecconfigs.volt      |  36 ++
 .../views/OPNsense/CrowdSec/appsecrules.volt  |  36 ++
 .../app/views/OPNsense/CrowdSec/bouncers.volt |  44 ++
 .../views/OPNsense/CrowdSec/collections.volt  |  36 ++
 .../views/OPNsense/CrowdSec/decisions.volt    |  51 ++
 .../app/views/OPNsense/CrowdSec/machines.volt |  43 ++
 .../app/views/OPNsense/CrowdSec/overview.volt | 246 ---------
 .../app/views/OPNsense/CrowdSec/parsers.volt  |  36 ++
 .../OPNsense/CrowdSec/postoverflows.volt      |  36 ++
 .../views/OPNsense/CrowdSec/scenarios.volt    |  36 ++
 .../conf/actions.d/actions_crowdsec.conf      |  31 +-
 .../opnsense/www/js/CrowdSec/crowdsec-misc.js |  47 ++
 .../src/opnsense/www/js/CrowdSec/crowdsec.js  | 473 ------------------
 44 files changed, 1195 insertions(+), 808 deletions(-)
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AlertsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecconfigsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecrulesController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
 delete mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AppsecconfigsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AppsecrulesController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/BouncersController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/CollectionsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/DecisionsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/MachinesController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/ParsersController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/PostoverflowsController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/ScenariosController.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/library/OPNsense/CrowdSec/Util.php
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/appsecconfigs.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/appsecrules.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/bouncers.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/collections.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/decisions.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/machines.volt
 delete mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/parsers.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/postoverflows.volt
 create mode 100644 security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/scenarios.volt
 create mode 100644 security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec-misc.js
 delete mode 100644 security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index f61c6c0a0c..4de446dd3e 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.10
+PLUGIN_VERSION=		1.0.11
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 7629c64957..4fb585fffc 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.11
+
+ * convert tables to UIBootGrid (required for opnsense 25.7)
+ * separate page for each table
+
 1.0.10
 
  * changed alias names crowdsec*blacklists -> crowdsec*blocklists
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AlertsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AlertsController.php
new file mode 100644
index 0000000000..b37b606604
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AlertsController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class AlertsController
+ * @package OPNsense\CrowdSec
+ */
+class AlertsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/alerts');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
index eb11d24403..ae648a7933 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php
@@ -6,7 +6,6 @@
 namespace OPNsense\CrowdSec\Api;
 
 use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
 use OPNsense\Core\Backend;
 
 /**
@@ -14,6 +13,48 @@
  */
 class AlertsController extends ApiControllerBase
 {
+    /**
+    * Format scope and value as "scope:value"
+    *
+    * @param array $source Array with 'scope' and 'value' keys (can be a decision)
+    * @return string Formatted string
+    */
+    private function formatScopeValue(array $source): string
+    {
+        $scope = $source['scope'] ?? '';
+        if ($source['value'] !== '') {
+            $scope = $scope . ':' . $source['value'];
+        }
+        return $scope;
+    }
+
+    /**
+     * Summarize decision types as "type1:count1 type2:count2 ..."
+     *
+     * @param array $decisions List of decision arrays
+     * @return string Summary string
+     */
+    private function formatDecisions(array $decisions): string
+    {
+        $counts = [];
+
+        foreach ($decisions as $decision) {
+            if (!isset($decision['type'])) {
+                continue;
+            }
+
+            $type = $decision['type'];
+            $counts[$type] = ($counts[$type] ?? 0) + 1;
+        }
+
+        $parts = [];
+        foreach ($counts as $type => $count) {
+            $parts[] = "{$type}:{$count}";
+        }
+
+        return implode(' ', $parts);
+    }
+
     /**
      * Retrieve list of alerts
      *
@@ -21,13 +62,27 @@ class AlertsController extends ApiControllerBase
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
-    public function getAction()
+    public function searchAction(): array
     {
         $result = json_decode(trim((new Backend())->configdRun("crowdsec alerts-list")), true);
-        if ($result !== null) {
-            // only return valid json type responses
-            return $result;
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
         }
-        return ["message" => "unable to list alerts"];
+
+        $rows = [];
+        foreach ($result as $alert) {
+            $source = $alert['source'] ?? [];
+            $rows[] = [
+                'id'          => $alert['id'],
+                'value'       => $this->formatScopeValue($source ?? []),
+                'reason'      => $alert['scenario'] ?? '',
+                'country'     => $source['cn'] ?? '',
+                'as'          => $source['as_name'] ?? '',
+                'decisions'   => $this->formatDecisions($alert['decisions'] ?? []),
+                'created'  => $alert['created_at'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecconfigsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecconfigsController.php
new file mode 100644
index 0000000000..aa43e862e4
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecconfigsController.php
@@ -0,0 +1,47 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\Util;
+
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class AppsecconfigsController extends ApiControllerBase
+{
+    /**
+     * Retrieve the installed appsec-configs
+     *
+     * @return dictionary of items, by type
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function searchAction(): array
+    {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec appsec-configs-list")), true);
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
+        }
+
+        $items = $result["appsec-configs"];
+
+        $rows = [];
+        foreach ($items as $item) {
+            $rows[] = [
+                'name' => $item['name'],
+                'status' => $item['status'] ?? '',
+                'local_version' => $item['local_version'] ?? '',
+                'local_path' => Util::trimLocalPath($item['local_path'] ?? ''),
+                'description' => $item['description'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecrulesController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecrulesController.php
new file mode 100644
index 0000000000..067788dab3
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecrulesController.php
@@ -0,0 +1,47 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\Util;
+
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class AppsecrulesController extends ApiControllerBase
+{
+    /**
+     * Retrieve the installed appsec-rules
+     *
+     * @return dictionary of items, by type
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function searchAction(): array
+    {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec appsec-rules-list")), true);
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
+        }
+
+        $items = $result["appsec-rules"];
+
+        $rows = [];
+        foreach ($items as $item) {
+            $rows[] = [
+                'name' => $item['name'],
+                'status' => $item['status'] ?? '',
+                'local_version' => $item['local_version'] ?? '',
+                'local_path' => Util::trimLocalPath($item['local_path'] ?? ''),
+                'description' => $item['description'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
index 5fbc29524c..ecaadbea4c 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php
@@ -6,7 +6,6 @@
 namespace OPNsense\CrowdSec\Api;
 
 use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
 use OPNsense\Core\Backend;
 
 /**
@@ -21,13 +20,27 @@ class BouncersController extends ApiControllerBase
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
-    public function getAction()
+    public function searchAction(): array
     {
         $result = json_decode(trim((new Backend())->configdRun("crowdsec bouncers-list")), true);
-        if ($result !== null) {
-            // only return valid json type responses
-            return $result;
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
         }
-        return ["message" => "unable to list bouncers"];
+
+        $rows = [];
+        foreach ($result as $bouncer) {
+            $rows[] = [
+                'name' => $bouncer['name'],
+                'type' => $bouncer['type'] ?? '',
+                'version' => $bouncer['version'] ?? '',
+                'created' => $bouncer['created_at'] ?? '',
+                'valid' => ($bouncer['revoked'] ?? false) !== true,
+                'ip_address' => $bouncer['ip_address'] ?? '',
+                'last_seen' => $bouncer['last_pull'] ?? '',
+                'os' => $bouncer['os'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
new file mode 100644
index 0000000000..7b98789946
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
@@ -0,0 +1,47 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\Util;
+
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class CollectionsController extends ApiControllerBase
+{
+    /**
+     * Retrieve the installed collections
+     *
+     * @return dictionary of items, by type
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function searchAction(): array
+    {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec collections-list")), true);
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
+        }
+
+        $items = $result["collections"];
+
+        $rows = [];
+        foreach ($items as $item) {
+            $rows[] = [
+                'name' => $item['name'],
+                'status' => $item['status'] ?? '',
+                'local_version' => $item['local_version'] ?? '',
+                'local_path' => Util::trimLocalPath($item['local_path'] ?? ''),
+                'description' => $item['description'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
index e49754fa1c..199063d01f 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
@@ -6,14 +6,62 @@
 namespace OPNsense\CrowdSec\Api;
 
 use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
 use OPNsense\Core\Backend;
 
+
+function unrollDecisions(array $alerts): array
+{
+    $result = [];
+
+    foreach ($alerts as $alert) {
+        if (!isset($alert['decisions']) || !is_array($alert['decisions'])) {
+            continue;
+        }
+
+        foreach ($alert['decisions'] as $decision) {
+            // ignore deleted decisions
+            if (isset($decision['duration']) && str_starts_with($decision['duration'], '-')) {
+                continue;
+            }
+
+            $row = $decision;
+
+            // Add parent alert fields with prefix
+            foreach ($alert as $key => $value) {
+                if ($key === 'decisions') {
+                    continue; // skip nested array
+                }
+                $row["alert_" . $key] = $value;
+            }
+
+            $result[] = $row;
+        }
+    }
+
+    return $result;
+}
+
+
 /**
  * @package OPNsense\CrowdSec
  */
 class DecisionsController extends ApiControllerBase
 {
+    /**
+    * Format scope and value as "scope:value"
+    *
+    * @param array $source Array with 'scope' and 'value' keys
+    * @return string Formatted string
+    */
+    private function formatScopeValue(array $source): string
+    {
+        $scope = $source['scope'] ?? '';
+        if ($source['value'] !== '') {
+            $scope = $scope . ':' . $source['value'];
+        }
+        return $scope;
+    }
+
     /**
      * Retrieve list of decisions
      *
@@ -21,29 +69,50 @@ class DecisionsController extends ApiControllerBase
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
-    public function getAction()
+    public function searchAction(): array
     {
         $result = json_decode(trim((new Backend())->configdRun("crowdsec decisions-list")), true);
-        if ($result !== null) {
-            // only return valid json type responses
-            return $result;
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
         }
-        return ["message" => "unable to list decisions"];
+
+        $decisions = unrollDecisions($result);
+
+        $rows = [];
+        foreach ($decisions as $dec) {
+            $alert_source = $dec['alert_source'] ?? [];
+
+            $rows[] = [
+                'id'           => $dec['id'],
+                'source'       => $dec['origin'] ?? '',
+                'scope_value'  => $this->formatScopeValue($dec),
+                'reason'       => $dec['scenario'] ?? '',
+                'action'       => $dec['type'] ?? '',
+                'country'      => $alert_source['cn'] ?? '',
+                'as'           => $alert_source['as_name'] ?? '',
+                'events_count' => $dec['alert_events_count'] ?? '',
+                'expiration'   => $dec['duration'] ?? '',
+                'alert_id'     => $dec['alert_id'],
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
     }
 
-    public function deleteAction($decision_id)
+    public function delAction($decision_id): array
     {
-        if ($this->request->isDelete()) {
-            $result = (new Backend())->configdRun("crowdsec decisions-delete ${decision_id}");
-            if ($result !== null) {
-                // why does the action return \n\n for empty output?
-                if (trim($result) === '') {
-                    return ["message" => "OK"];
-                }
-                // TODO handle error
-                return ["message" => result];
+        if ($this->request->isPost()) {
+            $result = (new Backend())->configdRun("crowdsec decisions-delete {$decision_id}");
+            if ($result === null) {
+                return ["result" => "deleted"];
+            }
+
+            // why does the action return \n\n for empty output?
+            if (trim($result) === '') {
+                return ["result" => "deleted"];
             }
-            return ["message" => "OK"];
+            // TODO assume not found, should handle other errors
+            return ["result" => "not found"];
         } else {
             $this->response->setStatusCode(405, "Method Not Allowed");
             $this->response->setHeader("Allow", "DELETE");
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
deleted file mode 100644
index 1bc0fcb899..0000000000
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/HubController.php
+++ /dev/null
@@ -1,33 +0,0 @@
-<?php
-
-// SPDX-License-Identifier: MIT
-// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
-
-namespace OPNsense\CrowdSec\Api;
-
-use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
-use OPNsense\Core\Backend;
-
-/**
- * @package OPNsense\CrowdSec
- */
-class HubController extends ApiControllerBase
-{
-    /**
-     * Retrieve the registered hub items
-     *
-     * @return dictionary of items, by type
-     * @throws \OPNsense\Base\ModelException
-     * @throws \ReflectionException
-     */
-    public function getAction()
-    {
-        $result = json_decode(trim((new Backend())->configdRun("crowdsec hub-items")), true);
-        if ($result !== null) {
-            // only return valid json type responses
-            return $result;
-        }
-        return ["message" => "unable to list hub items"];
-    }
-}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
index 98e37400bd..714a5c2527 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php
@@ -6,7 +6,6 @@
 namespace OPNsense\CrowdSec\Api;
 
 use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
 use OPNsense\Core\Backend;
 
 /**
@@ -15,19 +14,32 @@
 class MachinesController extends ApiControllerBase
 {
     /**
-     * Retrieve list of registered machines
+     * Retrieve list of machines
      *
      * @return array of machines
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
-    public function getAction()
+    public function searchAction(): array
     {
         $result = json_decode(trim((new Backend())->configdRun("crowdsec machines-list")), true);
-        if ($result !== null) {
-            // only return valid json type responses
-            return $result;
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
         }
-        return ["message" => "unable to list machines"];
+
+        $rows = [];
+        foreach ($result as $machine) {
+            $rows[] = [
+                'name' => $machine['machineId'],
+                'ip_address' => $machine['ipAddress'] ?? '',
+                'version' => $machine['version'] ?? '',
+                'validated' => $machine['isValidated'] ?? false,
+                'created' => $machine['created_at'] ?? '',
+                'last_seen' => $machine['last_heartbeat'] ?? '',
+                'os' => $machine['os'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
new file mode 100644
index 0000000000..92ad8d112b
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
@@ -0,0 +1,47 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\Util;
+
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class ParsersController extends ApiControllerBase
+{
+    /**
+     * Retrieve the installed parsers
+     *
+     * @return dictionary of items, by type
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function searchAction(): array
+    {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec parsers-list")), true);
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
+        }
+
+        $items = $result["parsers"];
+
+        $rows = [];
+        foreach ($items as $item) {
+            $rows[] = [
+                'name' => $item['name'],
+                'status' => $item['status'] ?? '',
+                'local_version' => $item['local_version'] ?? '',
+                'local_path' => Util::trimLocalPath($item['local_path'] ?? ''),
+                'description' => $item['description'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
new file mode 100644
index 0000000000..0bd818fcbd
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
@@ -0,0 +1,47 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\Util;
+
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class PostoverflowsController extends ApiControllerBase
+{
+    /**
+     * Retrieve the installed postoverflows
+     *
+     * @return dictionary of items, by type
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function searchAction(): array
+    {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec postoverflows-list")), true);
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
+        }
+
+        $items = $result["postoverflows"];
+
+        $rows = [];
+        foreach ($items as $item) {
+            $rows[] = [
+                'name' => $item['name'],
+                'status' => $item['status'] ?? '',
+                'local_version' => $item['local_version'] ?? '',
+                'local_path' => Util::trimLocalPath($item['local_path'] ?? ''),
+                'description' => $item['description'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
new file mode 100644
index 0000000000..31f6b87f39
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
@@ -0,0 +1,47 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\CrowdSec\Util;
+
+use OPNsense\Core\Backend;
+
+/**
+ * @package OPNsense\CrowdSec
+ */
+class ScenariosController extends ApiControllerBase
+{
+    /**
+     * Retrieve the installed scenarios
+     *
+     * @return dictionary of items, by type
+     * @throws \OPNsense\Base\ModelException
+     * @throws \ReflectionException
+     */
+    public function searchAction(): array
+    {
+        $result = json_decode(trim((new Backend())->configdRun("crowdsec scenarios-list")), true);
+        if ($result === null) {
+            return ["message" => "unable to retrieve data"];
+        }
+
+        $items = $result["scenarios"];
+
+        $rows = [];
+        foreach ($items as $item) {
+            $rows[] = [
+                'name' => $item['name'],
+                'status' => $item['status'] ?? '',
+                'local_version' => $item['local_version'] ?? '',
+                'local_path' => Util::trimLocalPath($item['local_path'] ?? ''),
+                'description' => $item['description'] ?? '',
+            ];
+        }
+
+        return $this->searchRecordsetBase($rows);
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
index eaa3a84d38..40403a9150 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
@@ -16,8 +16,10 @@ class ServiceController extends ApiControllerBase
 {
     /**
      * reconfigure CrowdSec
+     *
+     * @return array Status result
      */
-    public function reloadAction()
+    public function reloadAction(): array
     {
         $status = "failed";
         if ($this->request->isPost()) {
@@ -36,7 +38,11 @@ public function reloadAction()
     /**
      * Retrieve status of crowdsec
      *
-     * @return array
+     * @return array{
+     *     status: string,
+     *     crowdsec-status: string,
+     *     crowdsec-firewall-status: string
+     * }
      * @throws \Exception
      */
     public function statusAction()
@@ -44,24 +50,30 @@ public function statusAction()
         $backend = new Backend();
         $response = $backend->configdRun("crowdsec crowdsec-status");
 
-        $status = "unknown";
-        if (strpos($response, "not running") > 0) {
-            $status = "stopped";
-        } elseif (strpos($response, "is running") > 0) {
-            $status = "running";
+        $crowdsec_status = "unknown";
+        if (strpos($response, "not running") !== false) {
+            $crowdsec_status = "stopped";
+        } elseif (strpos($response, "is running") !== false) {
+            $crowdsec_status = "running";
         }
 
         $response = $backend->configdRun("crowdsec crowdsec-firewall-status");
 
         $firewall_status = "unknown";
-        if (strpos($response, "not running") > 0) {
+        if (strpos($response, "not running") !== false) {
             $firewall_status = "stopped";
-        } elseif (strpos($response, "is running") > 0) {
+        } elseif (strpos($response, "is running") !== false) {
             $firewall_status = "running";
         }
 
+        $status = "unknown";
+        if ($crowdsec_status == $firewall_status) {
+            $status = $crowdsec_status;
+        }
+
         return [
-            "crowdsec-status" => $status,
+            "status" => $status,
+            "crowdsec-status" => $crowdsec_status,
             "crowdsec-firewall-status" => $firewall_status,
         ];
     }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
index d6f09e0c11..cea95d0d7c 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php
@@ -6,7 +6,6 @@
 namespace OPNsense\CrowdSec\Api;
 
 use OPNsense\Base\ApiControllerBase;
-use OPNsense\CrowdSec\CrowdSec;
 use OPNsense\Core\Backend;
 
 /**
@@ -21,7 +20,7 @@ class VersionController extends ApiControllerBase
      * @throws \OPNsense\Base\ModelException
      * @throws \ReflectionException
      */
-    public function getAction()
+    public function getAction(): string
     {
         return (new Backend())->configdRun("crowdsec version");
     }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AppsecconfigsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AppsecconfigsController.php
new file mode 100644
index 0000000000..d63e2f6a78
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AppsecconfigsController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class AppsecconfigsController
+ * @package OPNsense\CrowdSec
+ */
+class AppsecconfigsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/appsecconfigs');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AppsecrulesController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AppsecrulesController.php
new file mode 100644
index 0000000000..ad06ba30ac
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/AppsecrulesController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class AppsecrulesController
+ * @package OPNsense\CrowdSec
+ */
+class AppsecrulesController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/appsecrules');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/BouncersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/BouncersController.php
new file mode 100644
index 0000000000..beb79086de
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/BouncersController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class BouncersController
+ * @package OPNsense\CrowdSec
+ */
+class BouncersController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/bouncers');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/CollectionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/CollectionsController.php
new file mode 100644
index 0000000000..814c1ebe6d
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/CollectionsController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class CollectionsController
+ * @package OPNsense\CrowdSec
+ */
+class CollectionsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/collections');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/DecisionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/DecisionsController.php
new file mode 100644
index 0000000000..6cd08cc039
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/DecisionsController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class DecisionsController
+ * @package OPNsense\CrowdSec
+ */
+class DecisionsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/decisions');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/GeneralController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/GeneralController.php
index 115ca686cb..fc3ea58a30 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/GeneralController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/GeneralController.php
@@ -11,7 +11,7 @@
  */
 class GeneralController extends \OPNsense\Base\IndexController
 {
-    public function indexAction()
+    public function indexAction(): void
     {
         $this->view->pick('OPNsense/CrowdSec/general');
         $this->view->generalForm = $this->getForm("general");
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/MachinesController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/MachinesController.php
new file mode 100644
index 0000000000..efa867450e
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/MachinesController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class MachinesController
+ * @package OPNsense\CrowdSec
+ */
+class MachinesController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/machines');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/OverviewController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/OverviewController.php
index 6dbd461d52..f15ca5218b 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/OverviewController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/OverviewController.php
@@ -11,7 +11,7 @@
  */
 class OverviewController extends \OPNsense\Base\IndexController
 {
-    public function indexAction()
+    public function indexAction(): void
     {
         $this->view->pick('OPNsense/CrowdSec/overview');
     }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/ParsersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/ParsersController.php
new file mode 100644
index 0000000000..adb1c6c142
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/ParsersController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class ParsersController
+ * @package OPNsense\CrowdSec
+ */
+class ParsersController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/parsers');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/PostoverflowsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/PostoverflowsController.php
new file mode 100644
index 0000000000..d20de2e82a
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/PostoverflowsController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class PostoverflowsController
+ * @package OPNsense\CrowdSec
+ */
+class PostoverflowsController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/CrowdSec/postoverflows');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/ScenariosController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/ScenariosController.php
new file mode 100644
index 0000000000..d1bdbd4a0d
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/ScenariosController.php
@@ -0,0 +1,18 @@
+<?php
+
+// SPDX-License-Identifier: MIT
+// SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
+
+namespace OPNsense\CrowdSec;
+
+/**
+ * Class ScenariosController
+ * @package OPNsense\CrowdSec
+ */
+class ScenariosController extends \OPNsense\Base\IndexController
+{
+    public function indexAction(): void
+    {
+        $this->view->pick('OPNsense/CrowdSec/scenarios');
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/library/OPNsense/CrowdSec/Util.php b/security/crowdsec/src/opnsense/mvc/app/library/OPNsense/CrowdSec/Util.php
new file mode 100644
index 0000000000..e0eb5a0dbc
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/library/OPNsense/CrowdSec/Util.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace OPNsense\CrowdSec;
+
+class Util
+{
+    public static function trimLocalPath($local_path): string
+    {
+        $prefix = '/usr/local/etc/crowdsec/';
+        if (str_starts_with($local_path, $prefix)) {
+            return substr($local_path, strlen($prefix));
+        }
+        return $local_path;
+    }
+}
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index 829223928e..7a85d8bbc1 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.10</version>
+  <version>1.0.11</version>
   <items>
 
     <agent_enabled type="BooleanField">
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/Menu/Menu.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/Menu/Menu.xml
index c50b8cd43d..99e4d4e336 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/Menu/Menu.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/Menu/Menu.xml
@@ -2,7 +2,16 @@
     <Services>
       <CrowdSec cssClass="fa fa-globe fa-fw">
         <Settings order="1" url="/ui/crowdsec/general/index"/>
-        <Overview order="2" url="/ui/crowdsec/overview"/>
+        <Machines order="2" url="/ui/crowdsec/machines/index"/>
+        <Bouncers order="3" url="/ui/crowdsec/bouncers/index"/>
+        <Alerts order="5" url="/ui/crowdsec/alerts/index"/>
+        <Decisions order="6" url="/ui/crowdsec/decisions/index"/>
+        <Collections order="7" url="/ui/crowdsec/collections/index"/>
+        <Scenarios order="8" url="/ui/crowdsec/scenarios/index"/>
+        <Parsers order="9" url="/ui/crowdsec/parsers/index"/>
+        <Postoverflows order="10" url="/ui/crowdsec/postoverflows/index"/>
+        <Appsecrules order="11" url="/ui/crowdsec/appsecrules/index"/>
+        <Appsecconfigs order="12" url="/ui/crowdsec/appsecconfigs/index"/>
       </CrowdSec>
     </Services>
 </menu>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt
new file mode 100644
index 0000000000..ea9f4214c0
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt
@@ -0,0 +1,62 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        const decisionsByType = function(decisions) {
+            const dectypes = {};
+            if (!decisions) {
+                return '';
+            }
+            decisions.map(function (decision) {
+                // TODO ignore negative expiration?
+                dectypes[decision.type] = dectypes[decision.type]
+                    ? dectypes[decision.type] + 1
+                    : 1;
+            });
+            let ret = '';
+            for (const type in dectypes) {
+                if (ret !== '') {
+                    ret += ' ';
+                }
+                ret += type + ':' + dectypes[type];
+            }
+            return ret;
+        };
+
+        $("#cscli_alerts").UIBootgrid({
+            search: '/api/crowdsec/alerts/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+                formatters: {
+                    "created": CrowdSec.formatters.datetime,
+                },
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_alerts" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="id" data-type="numeric" data-order="asc">ID</th>
+            <th data-column-id="value">Value</th>
+            <th data-column-id="reason">Reason</th>
+            <th data-column-id="country">Country</th>
+            <th data-column-id="as">AS</th>
+            <th data-column-id="decisions">Decisions</th>
+            <th data-column-id="created_at" data-formatter="created">Created</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/appsecconfigs.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/appsecconfigs.volt
new file mode 100644
index 0000000000..53dcfd0ae1
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/appsecconfigs.volt
@@ -0,0 +1,36 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_appsecconfigs").UIBootgrid({
+            search: '/api/crowdsec/appsecconfigs/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_appsecconfigs" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="name">Name</th>
+            <th data-column-id="status">Status</th>
+            <th data-column-id="local_version">Version</th>
+            <th data-column-id="local_path" data-formatter="localpath" data-visible="false">Path</th>
+            <th data-column-id="description">Description</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/appsecrules.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/appsecrules.volt
new file mode 100644
index 0000000000..8e6ce811be
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/appsecrules.volt
@@ -0,0 +1,36 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_appsecrules").UIBootgrid({
+            search: '/api/crowdsec/appsecrules/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_appsecrules" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="name">Name</th>
+            <th data-column-id="status">Status</th>
+            <th data-column-id="local_version">Version</th>
+            <th data-column-id="local_path" data-formatter="localpath" data-visible="false">Path</th>
+            <th data-column-id="description">Description</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/bouncers.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/bouncers.volt
new file mode 100644
index 0000000000..43d4e0e7f1
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/bouncers.volt
@@ -0,0 +1,44 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_bouncers").UIBootgrid({
+            search: '/api/crowdsec/bouncers/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+                formatters: {
+                    "created": CrowdSec.formatters.datetime,
+                    "last_seen": CrowdSec.formatters.datetime,
+                    "valid": CrowdSec.formatters.yesno,
+                },
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_bouncers" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="name">Name</th>
+            <th data-column-id="type">Type</th>
+            <th data-column-id="version">Version</th>
+            <th data-column-id="created" data-formatter="created" data-visible="false">Created</th>
+            <th data-column-id="valid" data-formatter="valid">Valid</th>
+            <th data-column-id="ip_address">IP Address</th>
+            <th data-column-id="last_seen" data-formatter="last_seen">Last Seen</th>
+            <th data-column-id="os" data-visible="false">OS</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/collections.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/collections.volt
new file mode 100644
index 0000000000..ca85d2e7ba
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/collections.volt
@@ -0,0 +1,36 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_collections").UIBootgrid({
+            search: '/api/crowdsec/collections/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_collections" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="name">Name</th>
+            <th data-column-id="status">Status</th>
+            <th data-column-id="local_version">Version</th>
+            <th data-column-id="local_path" data-formatter="localpath" data-visible="false">Path</th>
+            <th data-column-id="description">Description</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/decisions.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/decisions.volt
new file mode 100644
index 0000000000..0eb4bc1971
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/decisions.volt
@@ -0,0 +1,51 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_decisions").UIBootgrid({
+            search: '/api/crowdsec/decisions/search/',
+            del: '/api/crowdsec/decisions/del/',
+            datakey: "id",
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+Note: the decisions coming from the CAPI (signals collected by the CrowdSec users) do not appear here.
+To show them, use <code>cscli decisions list -a</code> in a shell.
+
+<table id="cscli_decisions" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="id" data-type="numeric" data-visible="false" data-order="asc">ID</th>
+            <th data-column-id="source" data-visible="false">Source</th>
+            <th data-column-id="scope_value">Scope:Value</th>
+            <th data-column-id="reason">Reason</th>
+            <th data-column-id="action" data-visible="false">Action</th>
+            <th data-column-id="country">Country</th>
+            <th data-column-id="as">AS</th>
+            <th data-column-id="events_count" data-type="numeric">Events</th>
+            <th data-column-id="expiration">Expiration</th>
+            <th data-column-id="alert_id" data-type="numeric" data-visible="false">Alert&nbsp;ID</th>
+            <th data-column-id="commands" data-formatter="commands" data-sortable="false">Commands</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+            <tr>
+                <td/>
+                <td>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default">
+                        <span class="fa fa-trash-o fa-fw"></span>
+                    </button>
+                </td>
+            </tr>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/machines.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/machines.volt
new file mode 100644
index 0000000000..2b4b81d1dc
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/machines.volt
@@ -0,0 +1,43 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_machines").UIBootgrid({
+            search: '/api/crowdsec/machines/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+                formatters: {
+                    "created": CrowdSec.formatters.datetime,
+                    "last_seen": CrowdSec.formatters.datetime,
+                    "validated": CrowdSec.formatters.yesno,
+                },
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_machines" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="name">Name</th>
+            <th data-column-id="version">Version</th>
+            <th data-column-id="validated" data-formatter="validated">Validated?</th>
+            <th data-column-id="ip_address">IP Address</th>
+            <th data-column-id="created" data-formatter="created" data-visible="false">Created</th>
+            <th data-column-id="last_seen" data-formatter="last_seen">Last Seen</th>
+            <th data-column-id="os" data-visible="false">OS</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
deleted file mode 100644
index 93f0f20042..0000000000
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/overview.volt
+++ /dev/null
@@ -1,246 +0,0 @@
-{# SPDX-License-Identifier: MIT #}
-{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
-
-<script src="/ui/js/moment-with-locales.min.js"></script>
-<script src="/ui/js/CrowdSec/crowdsec.js"></script>
-
-<script>
-    $(function() {
-        CrowdSec.init();
-    });
-</script>
-
-<style type="text/css">
-.content-box table {
-  table-layout: auto;
-}
-
-table.bootgrid-table tr .btn-sm {
-  padding: 2px 6px;
-}
-
-table.bootgrid-table tr > td {
-  padding: 3px;
-}
-
-li.spaced {
-  margin-left: 15px;
-}
-
-ul.nav>li>a {
-  padding: 6px;
-}
-</style>
-
-<div>
-  Service status: crowdsec <span id="crowdsec-status">...</span> - firewall bouncer <span id="crowdsec-firewall-status">...</span>
-</div>
-
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li><a data-toggle="tab" id="machines_tab" href="#machines">Machines</a></li>
-    <li><a data-toggle="tab" id="bouncers_tab" href="#bouncers">Bouncers</a></li>
-    <li class="spaced"><a data-toggle="tab" id="collections_tab" href="#collections">Collections</a></li>
-    <li><a data-toggle="tab" id="scenarios_tab" href="#scenarios">Scenarios</a></li>
-    <li><a data-toggle="tab" id="parsers_tab" href="#parsers">Parsers</a></li>
-    <li><a data-toggle="tab" id="postoverflows_tab" href="#postoverflows">Postoverflows</a></li>
-    <li class="spaced"><a data-toggle="tab" id="alerts_tab" href="#alerts">Alerts</a></li>
-    <li><a data-toggle="tab" id="decisions_tab" href="#decisions">Decisions</a></li>
-</ul>
-
-<div class="tab-content content-box">
-
-    <div id="machines" class="tab-pane fade in">
-        <table class="table table-condensed table-hover table-striped">
-            <thead>
-                <tr>
-                  <th data-column-id="name" data-order="asc">Name</th>
-                  <th data-column-id="ip_address">IP Address</th>
-                  <th data-column-id="last_update" data-formatter="datetime">Last Update</th>
-                  <th data-column-id="validated" data-formatter="yesno" data-searchable="false">Validated?</th>
-                  <th data-column-id="version">Version</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-
-    <div id="bouncers" class="tab-pane fade in">
-        <table class="table table-condensed table-hover table-striped">
-            <thead>
-                <tr>
-                  <th data-column-id="name" data-order="asc">Name</th>
-                  <th data-column-id="ip_address">IP Address</th>
-                  <th data-column-id="valid" data-formatter="yesno" data-searchable="false">Valid</th>
-                  <th data-column-id="last_pull" data-formatter="datetime">Last API Pull</th>
-                  <th data-column-id="type">Type</th>
-                  <th data-column-id="version">Version</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-
-    <div id="collections" class="tab-pane fade in">
-        <table class="table table-condensed table-hover table-striped">
-            <thead>
-                <tr>
-                  <th data-column-id="name" data-order="asc">Collection</th>
-                  <th data-column-id="status">Status</th>
-                  <th data-column-id="local_version">Version</th>
-                  <th data-visible="false" data-column-id="local_path">Path</th>
-                  <th data-column-id="description">Description</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-
-    <div id="scenarios" class="tab-pane fade in">
-        <table class="table table-condensed table-hover table-striped">
-            <thead>
-                <tr>
-                  <th data-column-id="name" data-order="asc">Scenario</th>
-                  <th data-column-id="status">Status</th>
-                  <th data-column-id="local_version">Version</th>
-                  <th data-visible="false" data-column-id="local_path">Path</th>
-                  <th data-column-id="description">Description</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-
-    <div id="parsers" class="tab-pane fade in">
-        <table class="table table-condensed table-hover table-striped">
-            <thead>
-                <tr>
-                  <th data-column-id="name" data-order="asc">Parser</th>
-                  <th data-column-id="status">Status</th>
-                  <th data-column-id="local_version">Version</th>
-                  <th data-visible="false" data-column-id="local_path">Path</th>
-                  <th data-column-id="description">Description</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-
-    <div id="postoverflows" class="tab-pane fade in">
-        <table class="table table-condensed table-hover table-striped">
-            <thead>
-                <tr>
-                  <th data-column-id="name" data-order="asc">Postoverflow</th>
-                  <th data-column-id="status">Status</th>
-                  <th data-column-id="local_version">Version</th>
-                  <th data-visible="false" data-column-id="local_path">Path</th>
-                  <th data-column-id="description">Description</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-
-    <div id="alerts" class="tab-pane fade in">
-        <table class="table table-condensed table-hover table-striped">
-            <thead>
-                <tr>
-                  <th data-column-id="id" data-type="numeric" data-order="asc">ID</th>
-                  <th data-column-id="value">Value</th>
-                  <th data-column-id="reason">Reason</th>
-                  <th data-column-id="country">Country</th>
-                  <th data-column-id="as">AS</th>
-                  <th data-column-id="decisions">Decisions</th>
-                  <th data-column-id="created_at" data-formatter="datetime">Created At</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-
-    <div id="decisions" class="tab-pane fade in">
-        Note: the decisions coming from the CAPI (signals collected by the CrowdSec users) do not appear here.
-        To show them, use <code>cscli decisions list -a</code> in a shell.
-        <table class="table table-condensed table-hover table-striped">
-            <thead>
-                <tr>
-                  <th data-column-id="delete" data-formatter="delete"
-                  data-visible-in-selection="false"></th>
-                  <th data-column-id="id" data-visible="false" data-identifier="true" data-type="numeric"
-                  data-order="asc">ID</th>
-                  <th data-visible="false" data-column-id="source">Source</th>
-                  <th data-column-id="scope_value">Scope:Value</th>
-                  <th data-column-id="reason">Reason</th>
-                  <th data-visible="false" data-column-id="action">Action</th>
-                  <th data-column-id="country">Country</th>
-                  <th data-column-id="as">AS</th>
-                  <th data-column-id="events_count" data-type="numeric">Events</th>
-                  <th data-column-id="expiration" data-formatter="duration">Expiration</th>
-                  <th data-visible="false" data-column-id="alert_id" data-type="numeric">Alert&nbsp;ID</th>
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-            <tfoot>
-                <tr>
-                </tr>
-            </tfoot>
-        </table>
-    </div>
-
-    <!-- Modal popup to confirm decision deletion -->
-    <div class="modal fade" id="remove-decision-modal" tabindex="-1" role="dialog" aria-labelledby="modalLabel" aria-hidden="true">
-        <div class="modal-dialog" role="document">
-            <div class="modal-content">
-                <div class="modal-header">
-                    <button type="button" class="close" data-dismiss="modal" aria-label="Close">
-                        <span aria-hidden="true">&times;</span>
-                    </button>
-                    <h4 class="modal-title" id="modalLabel">Modal Title</h4>
-                </div>
-                <div class="modal-body">
-                    Modal content...
-                </div>
-                <div class="modal-footer">
-                    <button type="button" class="btn btn-secondary" data-dismiss="modal">No, cancel</button>
-                    <button type="button" class="btn btn-danger" data-dismiss="modal" id="remove-decision-confirm">Yes, delete</button>
-                </div>
-            </div>
-        </div>
-    </div>
-
-</div>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/parsers.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/parsers.volt
new file mode 100644
index 0000000000..0ae9c2576c
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/parsers.volt
@@ -0,0 +1,36 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_parsers").UIBootgrid({
+            search: '/api/crowdsec/parsers/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_parsers" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="name">Name</th>
+            <th data-column-id="status">Status</th>
+            <th data-column-id="local_version">Version</th>
+            <th data-column-id="local_path" data-formatter="localpath" data-visible="false">Path</th>
+            <th data-column-id="description">Description</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/postoverflows.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/postoverflows.volt
new file mode 100644
index 0000000000..9008ff2248
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/postoverflows.volt
@@ -0,0 +1,36 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_postoverflows").UIBootgrid({
+            search: '/api/crowdsec/postoverflows/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_postoverflows" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="name">Name</th>
+            <th data-column-id="status">Status</th>
+            <th data-column-id="local_version">Version</th>
+            <th data-column-id="local_path" data-formatter="localpath" data-visible="false">Path</th>
+            <th data-column-id="description">Description</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/scenarios.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/scenarios.volt
new file mode 100644
index 0000000000..a42cd7a62d
--- /dev/null
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/scenarios.volt
@@ -0,0 +1,36 @@
+{# SPDX-License-Identifier: MIT #}
+{# SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net> #}
+
+<script src="/ui/js/moment-with-locales.min.js"></script>
+<script src="/ui/js/CrowdSec/crowdsec-misc.js"></script>
+<script>
+    "use strict";
+
+    $(function() {
+        $("#cscli_scenarios").UIBootgrid({
+            search: '/api/crowdsec/scenarios/search/',
+            options: {
+                selection: false,
+                multiSelect: false,
+            }
+        });
+
+        updateServiceControlUI('crowdsec');
+    });
+</script>
+
+<table id="cscli_scenarios" class="table table-condensed table-hover table-striped">
+    <thead>
+        <tr>
+            <th data-column-id="name">Name</th>
+            <th data-column-id="status">Status</th>
+            <th data-column-id="local_version">Version</th>
+            <th data-column-id="local_path" data-formatter="localpath" data-visible="false">Path</th>
+            <th data-column-id="description">Description</th>
+        </tr>
+    </thead>
+    <tbody>
+    </tbody>
+    <tfoot>
+    </tfoot>
+</table>
diff --git a/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf b/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
index 371cf485d9..020fc4669d 100644
--- a/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
+++ b/security/crowdsec/src/opnsense/service/conf/actions.d/actions_crowdsec.conf
@@ -57,10 +57,35 @@ parameters:--id %s
 type:script_output
 message:crowdsec decisions delete
 
-[hub-items]
-command:/usr/local/bin/cscli hub list -o json
+[collections-list]
+command:/usr/local/bin/cscli collections list -o json
 type:script_output
-message:crowdsec hub list
+message:crowdsec collections list
+
+[scenarios-list]
+command:/usr/local/bin/cscli scenarios list -o json
+type:script_output
+message:crowdsec scenarios list
+
+[parsers-list]
+command:/usr/local/bin/cscli parsers list -o json
+type:script_output
+message:crowdsec parsers list
+
+[postoverflows-list]
+command:/usr/local/bin/cscli postoverflows list -o json
+type:script_output
+message:crowdsec postoverflows list
+
+[appsec-rules-list]
+command:/usr/local/bin/cscli appsec-rules list -o json
+type:script_output
+message:crowdsec appsec-rules list
+
+[appsec-configs-list]
+command:/usr/local/bin/cscli appsec-configs list -o json
+type:script_output
+message:crowdsec appsec-configs list
 
 [machines-list]
 command:/usr/local/bin/cscli machines list -o json
diff --git a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec-misc.js b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec-misc.js
new file mode 100644
index 0000000000..23468edbd8
--- /dev/null
+++ b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec-misc.js
@@ -0,0 +1,47 @@
+/* global moment, $ */
+/* exported CrowdSec */
+/* eslint no-undef: "error" */
+/* eslint semi: "error" */
+
+const CrowdSec = (function () {
+  'use strict';
+
+  function _humanizeDate(text) {
+    return moment(text).fromNow();
+  }
+
+  const formatters = {
+    yesno: function(column, row) {
+      const val = row[column.id];
+      if (val) {
+        return '<i class="fa fa-check text-success"></i>';
+      } else {
+        return '<i class="fa fa-times text-danger"></i>';
+      }
+    },
+
+    datetime: function (column, row) {
+      const val = row[column.id];
+      const parsed = moment(val);
+      if (!val) {
+        return '';
+      }
+      if (!parsed.isValid()) {
+        console.error('Cannot parse timestamp: %s', val);
+        return '???';
+      }
+      return $('<div>')
+        .attr({
+          'data-toggle': 'tooltip',
+          'data-placement': 'left',
+          title: parsed.format(),
+        })
+        .text(_humanizeDate(val))
+        .prop('outerHTML');
+    },
+  };
+
+  return {
+    formatters: formatters,
+  };
+})();
diff --git a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js b/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
deleted file mode 100644
index 45149807e3..0000000000
--- a/security/crowdsec/src/opnsense/www/js/CrowdSec/crowdsec.js
+++ /dev/null
@@ -1,473 +0,0 @@
-/* global moment, $ */
-/* exported CrowdSec */
-/* eslint no-undef: "error" */
-/* eslint semi: "error" */
-
-const CrowdSec = (function () {
-  'use strict';
-
-  const crowdsec_path = '/usr/local/etc/crowdsec/';
-  const _refreshTemplate =
-    '<button class="btn btn-default" type="button" title="Refresh"><span class="icon fa fa-refresh"></span></button>';
-
-  const _dataFormatters = {
-    yesno: function (column, row) {
-      return _yesno2html(row[column.id]);
-    },
-
-    delete: function (column, row) {
-      const val = row.id;
-      if (isNaN(val)) {
-        return '';
-      }
-      return (
-        '<button type="button" class="btn btn-secondary btn-sm" value="' +
-        val +
-        '" onclick="CrowdSec.deleteDecision(' +
-        val +
-        ')"><i class="fa fa-trash" /></button>'
-      );
-    },
-
-    duration: function (column, row) {
-      const duration = row[column.id];
-      if (!duration) {
-        return 'n/a';
-      }
-      return $('<div>')
-        .attr({
-          'data-toggle': 'tooltip',
-          'data-placement': 'left',
-          title: duration,
-        })
-        .text(_humanizeDuration(duration))
-        .prop('outerHTML');
-    },
-
-    datetime: function (column, row) {
-      const dt = row[column.id];
-      const parsed = moment(dt);
-      if (!dt) {
-        return '';
-      }
-      if (!parsed.isValid()) {
-        console.error('Cannot parse timestamp: %s', dt);
-        return '???';
-      }
-      return $('<div>')
-        .attr({
-          'data-toggle': 'tooltip',
-          'data-placement': 'left',
-          title: parsed.format(),
-        })
-        .text(_humanizeDate(dt))
-        .prop('outerHTML');
-    },
-  };
-  function _decisionsByType(decisions) {
-    const dectypes = {};
-    if (!decisions) {
-      return '';
-    }
-    decisions.map(function (decision) {
-      // TODO ignore negative expiration?
-      dectypes[decision.type] = dectypes[decision.type]
-        ? dectypes[decision.type] + 1
-        : 1;
-    });
-    let ret = '';
-    for (const type in dectypes) {
-      if (ret !== '') {
-        ret += ' ';
-      }
-      ret += type + ':' + dectypes[type];
-    }
-    return ret;
-  }
-
-  function _updateFreshness(selector, timestamp) {
-    const $freshness = $(selector).find('.actionBar .freshness');
-    if (timestamp) {
-      $freshness.data('refresh_timestamp', timestamp);
-    } else {
-      timestamp = $freshness.data('refresh_timestamp');
-    }
-    const howlongHuman = '???';
-    if (timestamp) {
-      const howlongms = moment() - moment(timestamp);
-      howlongHuman = moment.duration(howlongms).humanize();
-    }
-    $freshness.text(howlongHuman + ' ago');
-  }
-
-  function _addFreshness(selector) {
-    // this creates one timer per tab
-    const freshnessTemplate =
-      '<span style="float:left">Last refresh: <span class="freshness"></span></span>';
-    $(selector).find('.actionBar').prepend(freshnessTemplate);
-    setInterval(function () {
-      _updateFreshness(selector);
-    }, 5000);
-  }
-
-  function _refreshTab(selector, url, dataCallback) {
-    $.ajax({
-      url: url,
-      cache: false,
-      success: dataCallback,
-      complete: function () {
-        _updateFreshness(selector, moment());
-      },
-    });
-  }
-
-  function _parseDuration(duration) {
-    const re = /(-?)(?:(?:(\d+)h)?(\d+)m)?(\d+).\d+(m?)s/m;
-    const matches = duration.match(re);
-    let seconds = 0;
-
-    if (!matches.length) {
-      throw new Error(
-        'Unable to parse the following duration: ' + duration + '.',
-      );
-    }
-    if (typeof matches[2] !== 'undefined') {
-      seconds += parseInt(matches[2], 10) * 3600; // hours
-    }
-    if (typeof matches[3] !== 'undefined') {
-      seconds += parseInt(matches[3], 10) * 60; // minutes
-    }
-    if (typeof matches[4] !== 'undefined') {
-      seconds += parseInt(matches[4], 10); // seconds
-    }
-    if (parseInt(matches[5], 10) === 'm') {
-      // units in milliseconds
-      seconds *= 0.001;
-    }
-    if (parseInt(matches[1], 10) === '-') {
-      // negative
-      seconds = -seconds;
-    }
-    return seconds;
-  }
-
-  function _humanizeDate(text) {
-    return moment(text).fromNow();
-  }
-
-  function _humanizeDuration(text) {
-    return moment.duration(_parseDuration(text), 'seconds').humanize();
-  }
-
-  function _yesno2html(val) {
-    if (val) {
-      return '<i class="fa fa-check text-success"></i>';
-    } else {
-      return '<i class="fa fa-times text-danger"></i>';
-    }
-  }
-
-  function _initTab(selector, url, dataCallback) {
-    const $tab = $(selector);
-    if ($tab.find('table.bootgrid-table').length) {
-      return;
-    }
-    $tab
-      .find('table')
-      .on('initialized.rs.jquery.bootgrid', function () {
-        $(_refreshTemplate)
-          .on('click', function () {
-            _refreshTab(selector, url, dataCallback);
-          })
-          .insertBefore($tab.find('.actionBar .actions .dropdown:first'));
-        _addFreshness(selector);
-        _refreshTab(selector, url, dataCallback);
-      })
-      .bootgrid({
-        caseSensitive: false,
-        formatters: _dataFormatters,
-      });
-  }
-
-  function _initStatusMachines() {
-    const url = '/api/crowdsec/machines/get';
-    const id = '#machines';
-    const dataCallback = function (data) {
-      const rows = [];
-      data.map(function (row) {
-        rows.push({
-          name: row.machineId,
-          ip_address: row.ipAddress || ' ',
-          last_update: row.updated_at || ' ',
-          validated: row.isValidated,
-          version: row.version || ' ',
-        });
-      });
-      $(id + ' table')
-        .bootgrid('clear')
-        .bootgrid('append', rows);
-    };
-    _initTab(id, url, dataCallback);
-  }
-
-  function _initStatusCollections() {
-    const url = '/api/crowdsec/hub/get';
-    const id = '#collections';
-    const dataCallback = function (data) {
-      const rows = [];
-      data.collections.map(function (row) {
-        rows.push({
-          name: row.name,
-          status: row.status,
-          local_version: row.local_version || ' ',
-          local_path: row.local_path
-            ? row.local_path.replace(crowdsec_path, '')
-            : ' ',
-          description: row.description || ' ',
-        });
-      });
-      $(id + ' table')
-        .bootgrid('clear')
-        .bootgrid('append', rows);
-    };
-    _initTab(id, url, dataCallback);
-  }
-
-  function _initStatusScenarios() {
-    const url = '/api/crowdsec/hub/get';
-    const id = '#scenarios';
-    const dataCallback = function (data) {
-      const rows = [];
-      data.scenarios.map(function (row) {
-        rows.push({
-          name: row.name,
-          status: row.status,
-          local_version: row.local_version || ' ',
-          local_path: row.local_path
-            ? row.local_path.replace(crowdsec_path, '')
-            : ' ',
-          description: row.description || ' ',
-        });
-      });
-      $(id + ' table')
-        .bootgrid('clear')
-        .bootgrid('append', rows);
-    };
-    _initTab(id, url, dataCallback);
-  }
-
-  function _initStatusParsers() {
-    const url = '/api/crowdsec/hub/get';
-    const id = '#parsers';
-    const dataCallback = function (data) {
-      const rows = [];
-      data.parsers.map(function (row) {
-        rows.push({
-          name: row.name,
-          status: row.status,
-          local_version: row.local_version || ' ',
-          local_path: row.local_path
-            ? row.local_path.replace(crowdsec_path, '')
-            : ' ',
-          description: row.description || ' ',
-        });
-      });
-      $(id + ' table')
-        .bootgrid('clear')
-        .bootgrid('append', rows);
-    };
-    _initTab(id, url, dataCallback);
-  }
-
-  function _initStatusPostoverflows() {
-    const url = '/api/crowdsec/hub/get';
-    const id = '#postoverflows';
-    const dataCallback = function (data) {
-      const rows = [];
-      data.postoverflows.map(function (row) {
-        rows.push({
-          name: row.name,
-          status: row.status,
-          local_version: row.local_version || ' ',
-          local_path: row.local_path
-            ? row.local_path.replace(crowdsec_path, '')
-            : ' ',
-          description: row.description || ' ',
-        });
-      });
-      $(id + ' table')
-        .bootgrid('clear')
-        .bootgrid('append', rows);
-    };
-    _initTab(id, url, dataCallback);
-  }
-
-  function _initStatusBouncers() {
-    const url = '/api/crowdsec/bouncers/get';
-    const id = '#bouncers';
-    const dataCallback = function (data) {
-      const rows = [];
-      data.map(function (row) {
-        // TODO - remove || ' ' later, it was fixed for 1.3.3
-        rows.push({
-          name: row.name,
-          ip_address: row.ip_address || ' ',
-          valid: row.revoked ? false : true,
-          last_pull: row.last_pull,
-          type: row.type || ' ',
-          version: row.version || ' ',
-        });
-      });
-      $(id + ' table')
-        .bootgrid('clear')
-        .bootgrid('append', rows);
-    };
-    _initTab(id, url, dataCallback);
-  }
-
-  function _initStatusAlerts() {
-    const url = '/api/crowdsec/alerts/get';
-    const id = '#alerts';
-    const dataCallback = function (data) {
-      const rows = [];
-      data.map(function (row) {
-        rows.push({
-          id: row.id,
-          value:
-            row.source.scope + (row.source.value ? ':' + row.source.value : ''),
-          reason: row.scenario || ' ',
-          country: row.source.cn || ' ',
-          as: row.source.as_name || ' ',
-          decisions: _decisionsByType(row.decisions) || ' ',
-          created_at: row.created_at,
-        });
-      });
-      $(id + ' table')
-        .bootgrid('clear')
-        .bootgrid('append', rows);
-    };
-    _initTab(id, url, dataCallback);
-  }
-
-  function _initStatusDecisions() {
-    const url = '/api/crowdsec/decisions/get';
-    const id = '#decisions';
-    const dataCallback = function (data) {
-      const rows = [];
-      data.map(function (row) {
-        row.decisions.map(function (decision) {
-          // ignore deleted decisions
-          if (decision.duration.startsWith('-')) {
-            return;
-          }
-          rows.push({
-            // search will break on empty values when using .append(). so we use spaces
-            delete: '',
-            id: decision.id,
-            source: decision.origin || ' ',
-            scope_value:
-              decision.scope + (decision.value ? ':' + decision.value : ''),
-            reason: decision.scenario || ' ',
-            action: decision.type || ' ',
-            country: row.source.cn || ' ',
-            as: row.source.as_name || ' ',
-            events_count: row.events_count,
-            // XXX pre-parse duration to seconds, and integer type, for sorting
-            expiration: decision.duration || ' ',
-            alert_id: row.id || ' ',
-          });
-        });
-      });
-      $(id + ' table')
-        .bootgrid('clear')
-        .bootgrid('append', rows);
-    };
-    _initTab(id, url, dataCallback);
-  }
-
-  function initService() {
-    $.ajax({
-      url: '/api/crowdsec/service/status',
-      cache: false,
-      success: function (data) {
-        let crowdsecStatus = data['crowdsec-status'];
-        if (crowdsecStatus === 'unknown') {
-          crowdsecStatus = '<span class="text-danger">Unknown</span>';
-        } else {
-          crowdsecStatus = _yesno2html(crowdsecStatus === 'running');
-        }
-        $('#crowdsec-status').html(crowdsecStatus);
-
-        let crowdsecFirewallStatus = data['crowdsec-firewall-status'];
-        if (crowdsecFirewallStatus === 'unknown') {
-          crowdsecFirewallStatus = '<span class="text-danger">Unknown</span>';
-        } else {
-          crowdsecFirewallStatus = _yesno2html(
-            crowdsecFirewallStatus === 'running',
-          );
-        }
-        $('#crowdsec-firewall-status').html(crowdsecFirewallStatus);
-      },
-    });
-  }
-
-  function deleteDecision(decisionId) {
-    const $modal = $('#remove-decision-modal');
-    $modal.find('.modal-title').text('Delete decision #' + decisionId);
-    $modal.find('.modal-body').text('Are you sure?');
-    $modal.find('#remove-decision-confirm').on('click', function () {
-      $.ajax({
-        // XXX handle errors
-        url: '/api/crowdsec/decisions/delete/' + decisionId,
-        method: 'DELETE',
-        success: function (result) {
-          if (result && result.message === 'OK') {
-            $('#decisions table').bootgrid('remove', [decisionId]);
-            $modal.modal('hide');
-          }
-        },
-      });
-    });
-    $modal.modal('show');
-  }
-
-  function init() {
-    initService();
-
-    $('#machines_tab').on('click', _initStatusMachines);
-    $('#collections_tab').on('click', _initStatusCollections);
-    $('#scenarios_tab').on('click', _initStatusScenarios);
-    $('#parsers_tab').on('click', _initStatusParsers);
-    $('#postoverflows_tab').on('click', _initStatusPostoverflows);
-    $('#bouncers_tab').on('click', _initStatusBouncers);
-    $('#alerts_tab').on('click', _initStatusAlerts);
-    $('#decisions_tab').on('click', _initStatusDecisions);
-
-    $('[data-toggle="tooltip"]').tooltip();
-
-    if (window.location.hash) {
-      // activate a tab from the hash, if it exists
-      $(window.location.hash + '_tab').click();
-    } else {
-      // otherwise, machines
-      $('#machines_tab').click();
-    }
-
-    $(window).on('hashchange', function (e) {
-      $(window.location.hash + '_tab').click();
-    });
-
-    // navigation
-    if (window.location.hash !== '') {
-      $('a[href="' + window.location.hash + '"]').click();
-    }
-    $('.nav-tabs a').on('shown.bs.tab', function (e) {
-      history.pushState(null, null, e.target.hash);
-    });
-  }
-
-  return {
-    deleteDecision: deleteDecision,
-    init: init,
-  };
-})();

From a2fbbbf665f2473368e0a5f78291693a6e6129a9 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 20 Jul 2025 17:12:04 +0200
Subject: [PATCH 2546/3088] security/tinc - use configd caching to ease priv
 separation.

---
 .../tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml     | 2 --
 .../tinc/src/opnsense/service/conf/actions.d/actions_tinc.conf  | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index dc323b465e..078be08320 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -73,7 +73,6 @@
                 <cipher type="JsonKeyValueStoreField">
                     <Required>Y</Required>
                     <ConfigdPopulateAct>tinc list ciphers</ConfigdPopulateAct>
-                    <SourceFile>/tmp/tinc_current_cipher_options.index</SourceFile>
                     <Default>aes-256-cbc</Default>
                 </cipher>
                 <mode type="OptionField">
@@ -164,7 +163,6 @@
                 <cipher type="JsonKeyValueStoreField">
                     <Required>Y</Required>
                     <ConfigdPopulateAct>tinc list ciphers</ConfigdPopulateAct>
-                    <SourceFile>/tmp/tinc_current_cipher_options.index</SourceFile>
                     <Default>aes-256-cbc</Default>
                 </cipher>
                 <connectTo type="BooleanField">
diff --git a/security/tinc/src/opnsense/service/conf/actions.d/actions_tinc.conf b/security/tinc/src/opnsense/service/conf/actions.d/actions_tinc.conf
index 5bf01fa8eb..9a8e107c30 100644
--- a/security/tinc/src/opnsense/service/conf/actions.d/actions_tinc.conf
+++ b/security/tinc/src/opnsense/service/conf/actions.d/actions_tinc.conf
@@ -8,6 +8,7 @@ message:generate new keypair
 command:/usr/local/opnsense/scripts/OPNsense/Tinc/list_ciphers.py
 parameters:
 type:script_output
+cache_ttl:360
 message:list ciphers
 
 [stop]

From e08583f46b1d40feefa386bb9d8f8ab759594fd0 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 20 Jul 2025 17:14:15 +0200
Subject: [PATCH 2547/3088] security/stunnel - use configd caching to ease priv
 separation.

---
 .../src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml    | 2 --
 .../src/opnsense/service/conf/actions.d/actions_stunnel.conf    | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
index c5197419ea..0b851ec5d0 100644
--- a/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
+++ b/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml
@@ -74,8 +74,6 @@
                     <Required>Y</Required>
                     <Multiple>Y</Multiple>
                     <ConfigdPopulateAct>stunnel ssl ciphers</ConfigdPopulateAct>
-                    <SourceFile>/tmp/stunnel_ciphers_list.json</SourceFile>
-                    <ConfigdPopulateTTL>360</ConfigdPopulateTTL>
                     <ValidationMessage>Please specify valid tls ciphers.</ValidationMessage>
                 </ciphers>
                 <servercert type="CertificateField">
diff --git a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
index e869be423b..142f0d18a7 100644
--- a/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
+++ b/security/stunnel/src/opnsense/service/conf/actions.d/actions_stunnel.conf
@@ -2,6 +2,7 @@
 command:/usr/local/opnsense/scripts/system/ssl_ciphers.py  --format=key_value
 parameters:
 type:script_output
+cache_ttl:360
 message:List SSL ciphers
 
 [start]

From dab122e07a8167c90757f3c11714811c3eee9184 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Jul 2025 09:01:42 +0200
Subject: [PATCH 2548/3088] plugins: default to 25.7

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 62a0643513..79c3358659 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -45,7 +45,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABI?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	25.1
+PLUGIN_ABI?=	25.7
 .endif
 
 PLUGIN_MAINS=	master main

From 9a46a16e112782a47ebf5387a247c67a3c18de47 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Jul 2025 09:02:51 +0200
Subject: [PATCH 2549/3088] devel/grid_example: Tabulator grid

---
 devel/grid_example/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/devel/grid_example/Makefile b/devel/grid_example/Makefile
index 3b7bda5db9..f6c9214c6c 100644
--- a/devel/grid_example/Makefile
+++ b/devel/grid_example/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		grid_example
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		A sample framework application
 PLUGIN_MAINTAINER=	ad@opnsense.org
 

From f624cb3fa0ff65e69485dc68f7d4efade0306072 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Jul 2025 10:01:45 +0200
Subject: [PATCH 2550/3088] security/tinc: bump revision

---
 security/tinc/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 2ac0b3d60a..4db6cb7a70 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 31f4ce787979bd7b569726931ac72c09c00b781a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Jul 2025 10:03:57 +0200
Subject: [PATCH 2551/3088] security/stunnel: bump revision

---
 security/stunnel/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/stunnel/Makefile b/security/stunnel/Makefile
index 344bb99381..5de6a72ff8 100644
--- a/security/stunnel/Makefile
+++ b/security/stunnel/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		stunnel
 PLUGIN_VERSION=		1.0.6
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Stunnel TLS proxy
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		stunnel

From f9c9cf9a1e6d1b7e4f26f37086efc2327c045a3a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 21 Jul 2025 10:13:42 +0200
Subject: [PATCH 2552/3088] plugins: style sweep

---
 .../OPNsense/GridExample/Api/SettingsController.php            | 1 -
 .../opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php   | 3 ++-
 .../OPNsense/CrowdSec/Api/AppsecconfigsController.php          | 1 -
 .../OPNsense/CrowdSec/Api/AppsecrulesController.php            | 1 -
 .../OPNsense/CrowdSec/Api/CollectionsController.php            | 1 -
 .../controllers/OPNsense/CrowdSec/Api/DecisionsController.php  | 1 -
 .../controllers/OPNsense/CrowdSec/Api/ParsersController.php    | 1 -
 .../OPNsense/CrowdSec/Api/PostoverflowsController.php          | 1 -
 .../controllers/OPNsense/CrowdSec/Api/ScenariosController.php  | 1 -
 9 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/SettingsController.php b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/SettingsController.php
index af6fa7491d..a7f63c2ddf 100644
--- a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/SettingsController.php
+++ b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/Api/SettingsController.php
@@ -70,5 +70,4 @@ public function toggleItemAction($uuid, $enabled = null)
     {
         return $this->toggleBase("addresses.address", $uuid, $enabled);
     }
-
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
index ec51a01776..50ca996d85 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeUtils.php
@@ -99,7 +99,8 @@ public static function log_debug($msg)
      */
     public static function log_error($msg, $error = null)
     {
-        syslog(LOG_ERR,
+        syslog(
+            LOG_ERR,
             $error
                 ? ("AcmeClient: $msg; Trace: " . json_encode($error, JSON_UNESCAPED_SLASHES))
                 : "AcmeClient: $msg"
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecconfigsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecconfigsController.php
index aa43e862e4..320339f867 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecconfigsController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecconfigsController.php
@@ -7,7 +7,6 @@
 
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\CrowdSec\Util;
-
 use OPNsense\Core\Backend;
 
 /**
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecrulesController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecrulesController.php
index 067788dab3..583b58bafb 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecrulesController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AppsecrulesController.php
@@ -7,7 +7,6 @@
 
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\CrowdSec\Util;
-
 use OPNsense\Core\Backend;
 
 /**
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
index 7b98789946..40449fdeea 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php
@@ -7,7 +7,6 @@
 
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\CrowdSec\Util;
-
 use OPNsense\Core\Backend;
 
 /**
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
index 199063d01f..99c3fbb533 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php
@@ -8,7 +8,6 @@
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\Core\Backend;
 
-
 function unrollDecisions(array $alerts): array
 {
     $result = [];
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
index 92ad8d112b..7a904e66a1 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php
@@ -7,7 +7,6 @@
 
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\CrowdSec\Util;
-
 use OPNsense\Core\Backend;
 
 /**
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
index 0bd818fcbd..4a9ea031f2 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php
@@ -7,7 +7,6 @@
 
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\CrowdSec\Util;
-
 use OPNsense\Core\Backend;
 
 /**
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
index 31f6b87f39..4c1244576b 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php
@@ -7,7 +7,6 @@
 
 use OPNsense\Base\ApiControllerBase;
 use OPNsense\CrowdSec\Util;
-
 use OPNsense\Core\Backend;
 
 /**

From 61ef64fa13458730651e753be843f71367fbf415 Mon Sep 17 00:00:00 2001
From: BPplays <58504799+BPplays@users.noreply.github.com>
Date: Mon, 21 Jul 2025 14:49:20 -0700
Subject: [PATCH 2553/3088] security/crowdsec(fix): IPv6 validation for LAPI
 listen address broken (#4822)

---
 .../opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml    | 4 ++--
 .../src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py    | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index 7a85d8bbc1..63cf526f11 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -24,10 +24,10 @@
       <Required>Y</Required>
     </lapi_manual_configuration>
 
-    <lapi_listen_address type="TextField">
+    <lapi_listen_address type="NetworkField">
       <Default>127.0.0.1</Default>
       <Required>Y</Required>
-      <Mask>((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))</Mask>
+      <NetMaskAllowed>N</NetMaskAllowed>
     </lapi_listen_address>
 
     <lapi_listen_port type="PortField">
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
index 04d61a028e..fa06700924 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
@@ -10,6 +10,9 @@
 logging.basicConfig(level=logging.INFO)
 
 
+def is_ipv6(ip: str) -> bool:
+    return ":" in ip
+
 def load_config(filename: str) -> dict[str, Any]:
     with open(filename) as fin:
         return yaml.safe_load(fin)
@@ -27,6 +30,8 @@ def get_netloc(settings: dict[str, str]):
     # defaults if config has not been saved yet
     listen_address = settings.get('lapi_listen_address', '127.0.0.1')
     listen_port = settings.get('lapi_listen_port', '8080')
+    if is_ipv6(listen_address):
+        listen_address = '[{}]'.format(listen_address)
     return '{}:{}'.format(listen_address, listen_port)
 
 

From d5f3a44ccaec0597c73e9bc860b0a7a5b8352e00 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Jul 2025 07:38:53 +0200
Subject: [PATCH 2554/3088] security/crowdsec: revision bump due to last change

---
 security/crowdsec/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 4de446dd3e..a039bb0c79 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		crowdsec
 PLUGIN_VERSION=		1.0.11
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net

From 6a23ebe572d26b39a717d469d40c42b4c20e6234 Mon Sep 17 00:00:00 2001
From: Kevin van Blokland <kevinvanblokland@bloklab.io>
Date: Tue, 22 Jul 2025 09:03:56 +0200
Subject: [PATCH 2555/3088] security/acme-client: add support for AzureDNS
 System Assigned Managed Identities.

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml          | 6 ++++++
 .../library/OPNsense/AcmeClient/LeValidation/DnsAzure.php   | 4 ++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 4 ++++
 3 files changed, 14 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index d710440361..e669896d03 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -226,6 +226,12 @@
         <label>Client Secret</label>
         <type>text</type>
     </field>
+    <field>
+        <id>validation.dns_azuredns_managedidentity</id>
+        <label>Use System Assigned Managed Identity</label>
+        <type>checkbox</type>
+        <help><![CDATA[When System Assigned Managed Identity is enabled the Tenant ID, APP ID and Client Secret settings are ignored by the acme client. Access tokens are obtained using the Azure Instance Metadata Service for the System Assigned Managed Identity. See <a target="_blank" href="https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token">documentation</a>.]]></help>
+    </field>
     <field>
         <label>Bunny</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
index 1b2acc9dcc..5f478d1432 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
@@ -43,5 +43,9 @@ public function prepare()
         $this->acme_env['AZUREDNS_TENANTID'] = (string)$this->config->dns_azuredns_tenantid;
         $this->acme_env['AZUREDNS_APPID'] = (string)$this->config->dns_azuredns_appid;
         $this->acme_env['AZUREDNS_CLIENTSECRET'] = (string)$this->config->dns_azuredns_clientsecret;
+        
+        if ($this->config->dns_azuredns_managedidentity == '1') {
+            $this->acme_env['AZUREDNS_MANAGEDIDENTITY'] = 'true';
+        }
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 0d21673493..d1281cc9ea 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -579,6 +579,10 @@
                 <dns_azuredns_clientsecret type="TextField">
                     <Required>N</Required>
                 </dns_azuredns_clientsecret>
+                <dns_azuredns_managedidentity type="BooleanField">
+                    <Default>0</Default>
+                    <Required>N</Required>
+                </dns_azuredns_managedidentity>
                 <dns_bunny_api_key type="TextField">
                     <Required>N</Required>
                 </dns_bunny_api_key>

From 339ea9f491592ab2d865b4e82a4bca02d570a69c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 22 Jul 2025 16:05:41 +0200
Subject: [PATCH 2556/3088] security/netbird: new home as per #4831

---
 README.md                                                       | 2 +-
 {net => security}/netbird/Makefile                              | 0
 {net => security}/netbird/pkg-descr                             | 0
 {net => security}/netbird/src/etc/inc/plugins.inc.d/netbird.inc | 0
 {net => security}/netbird/src/etc/rc.syshook.d/carp/30-netbird  | 0
 .../app/controllers/OPNsense/Netbird/Api/InitialController.php  | 0
 .../app/controllers/OPNsense/Netbird/Api/ServiceController.php  | 0
 .../app/controllers/OPNsense/Netbird/Api/SettingsController.php | 0
 .../app/controllers/OPNsense/Netbird/ConstatusController.php    | 0
 .../mvc/app/controllers/OPNsense/Netbird/IndexController.php    | 0
 .../mvc/app/controllers/OPNsense/Netbird/forms/general.xml      | 0
 .../mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml    | 0
 .../src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml    | 0
 .../src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php    | 0
 .../src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml    | 0
 .../src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml  | 0
 .../src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php    | 0
 .../src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml    | 0
 .../src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt  | 0
 .../src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt      | 0
 .../netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh  | 0
 .../src/opnsense/service/conf/actions.d/actions_netbird.conf    | 0
 .../src/opnsense/service/templates/OPNsense/Netbird/+TARGETS    | 0
 .../src/opnsense/service/templates/OPNsense/Netbird/netbird     | 0
 .../service/templates/OPNsense/Syslog/local/netbird.conf        | 0
 25 files changed, 1 insertion(+), 1 deletion(-)
 rename {net => security}/netbird/Makefile (100%)
 rename {net => security}/netbird/pkg-descr (100%)
 rename {net => security}/netbird/src/etc/inc/plugins.inc.d/netbird.inc (100%)
 rename {net => security}/netbird/src/etc/rc.syshook.d/carp/30-netbird (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt (100%)
 rename {net => security}/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt (100%)
 rename {net => security}/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh (100%)
 rename {net => security}/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf (100%)
 rename {net => security}/netbird/src/opnsense/service/templates/OPNsense/Netbird/+TARGETS (100%)
 rename {net => security}/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird (100%)
 rename {net => security}/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf (100%)

diff --git a/README.md b/README.md
index 2f294b2bb8..171092c3d5 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,6 @@ net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
 net/ndproxy -- Neighbor Discovery Proxy
-net/netbird -- Peer-to-peer VPN that seamlessly connects your devices (development only)
 net/ntopng -- Traffic Analysis and Flow Collection
 net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
 net/realtek-re -- Realtek re(4) vendor driver
@@ -88,6 +87,7 @@ security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (ne
 security/intrusion-detection-content-pt-open -- IDS Positive Technologies ESC ruleset
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
 security/maltrail -- Malicious traffic detection system
+security/netbird -- Peer-to-peer VPN that seamlessly connects your devices (development only)
 security/openconnect -- OpenConnect Client
 security/openvpn-legacy -- OpenVPN legacy support
 security/softether -- Cross-platform Multi-protocol VPN Program (development only)
diff --git a/net/netbird/Makefile b/security/netbird/Makefile
similarity index 100%
rename from net/netbird/Makefile
rename to security/netbird/Makefile
diff --git a/net/netbird/pkg-descr b/security/netbird/pkg-descr
similarity index 100%
rename from net/netbird/pkg-descr
rename to security/netbird/pkg-descr
diff --git a/net/netbird/src/etc/inc/plugins.inc.d/netbird.inc b/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc
similarity index 100%
rename from net/netbird/src/etc/inc/plugins.inc.d/netbird.inc
rename to security/netbird/src/etc/inc/plugins.inc.d/netbird.inc
diff --git a/net/netbird/src/etc/rc.syshook.d/carp/30-netbird b/security/netbird/src/etc/rc.syshook.d/carp/30-netbird
similarity index 100%
rename from net/netbird/src/etc/rc.syshook.d/carp/30-netbird
rename to security/netbird/src/etc/rc.syshook.d/carp/30-netbird
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml
diff --git a/net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml
rename to security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php
rename to security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml
rename to security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml
rename to security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php
rename to security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php
diff --git a/net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml
rename to security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml
diff --git a/net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
rename to security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
diff --git a/net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt
similarity index 100%
rename from net/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt
rename to security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt
diff --git a/net/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh b/security/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh
similarity index 100%
rename from net/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh
rename to security/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh
diff --git a/net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf b/security/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
similarity index 100%
rename from net/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
rename to security/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/Netbird/+TARGETS b/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/+TARGETS
similarity index 100%
rename from net/netbird/src/opnsense/service/templates/OPNsense/Netbird/+TARGETS
rename to security/netbird/src/opnsense/service/templates/OPNsense/Netbird/+TARGETS
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird b/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
similarity index 100%
rename from net/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
rename to security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
diff --git a/net/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf b/security/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf
similarity index 100%
rename from net/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf
rename to security/netbird/src/opnsense/service/templates/OPNsense/Syslog/local/netbird.conf

From b472a1d4e2f447100880dca966f21ec484b72691 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 23 Jul 2025 09:52:50 +0200
Subject: [PATCH 2557/3088] security/openvpn-legacy: version fix

---
 security/openvpn-legacy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/openvpn-legacy/Makefile b/security/openvpn-legacy/Makefile
index c6d9b0fea9..62af375318 100644
--- a/security/openvpn-legacy/Makefile
+++ b/security/openvpn-legacy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		openvpn-legacy
-PLUGIN_VERSION=		1
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		OpenVPN legacy support
 PLUGIN_DEPENDS=		# openvpn
 PLUGIN_MAINTAINER=	ad@opnsense.org

From b9a3582c8b9d536a1d32713fc61e7a987bef4f09 Mon Sep 17 00:00:00 2001
From: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
Date: Fri, 25 Jul 2025 16:22:04 +0300
Subject: [PATCH 2558/3088] security/netbird: UI refactor and improvements
 (#4831)

---
 security/netbird/Makefile                     |   4 +-
 .../src/etc/inc/plugins.inc.d/netbird.inc     |  36 ++-
 .../src/etc/rc.syshook.d/carp/30-netbird      |  73 -----
 .../Netbird/Api/AuthenticationController.php  | 102 +++++++
 .../Netbird/Api/ServiceController.php         | 250 +---------------
 .../Netbird/Api/SettingsController.php        |  32 +-
 ...ialController.php => StatusController.php} |  20 +-
 ...oller.php => AuthenticationController.php} |  11 +-
 ...xController.php => SettingsController.php} |  13 +-
 .../OPNsense/Netbird/StatusController.php     |  41 +++
 .../OPNsense/Netbird/forms/authentication.xml |  14 +
 .../OPNsense/Netbird/forms/general.xml        |  56 ----
 .../OPNsense/Netbird/forms/initialup.xml      |  25 --
 .../OPNsense/Netbird/forms/settings.xml       |  93 ++++++
 .../app/models/OPNsense/Netbird/ACL/ACL.xml   |   2 +-
 .../{Initial.php => Authentication.php}       |   6 +-
 .../OPNsense/Netbird/Authentication.xml       |  17 ++
 .../app/models/OPNsense/Netbird/Initial.xml   |  32 --
 .../app/models/OPNsense/Netbird/Menu/Menu.xml |  11 +-
 .../app/models/OPNsense/Netbird/Netbird.xml   |  46 ---
 .../app/models/OPNsense/Netbird/Settings.php  |  64 ++++
 .../app/models/OPNsense/Netbird/Settings.xml  |  66 ++++
 .../Netbird/{Netbird.php => Status.php}       |   6 +-
 .../app/models/OPNsense/Netbird/Status.xml    |   6 +
 .../OPNsense/Netbird/authentication.volt      | 111 +++++++
 .../app/views/OPNsense/Netbird/constatus.volt | 164 ----------
 .../mvc/app/views/OPNsense/Netbird/index.volt | 107 -------
 .../app/views/OPNsense/Netbird/settings.volt  |  57 ++++
 .../app/views/OPNsense/Netbird/status.volt    | 281 ++++++++++++++++++
 .../scripts/OPNsense/Netbird/initialup.sh     |  16 -
 .../conf/actions.d/actions_netbird.conf       |  35 +--
 .../templates/OPNsense/Netbird/netbird        |   2 +-
 32 files changed, 960 insertions(+), 839 deletions(-)
 delete mode 100755 security/netbird/src/etc/rc.syshook.d/carp/30-netbird
 create mode 100644 security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
 rename security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/{InitialController.php => StatusController.php} (73%)
 rename security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/{ConstatusController.php => AuthenticationController.php} (81%)
 rename security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/{IndexController.php => SettingsController.php} (76%)
 create mode 100644 security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/StatusController.php
 create mode 100644 security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
 delete mode 100644 security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml
 delete mode 100644 security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml
 create mode 100644 security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
 rename security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/{Initial.php => Authentication.php} (87%)
 create mode 100644 security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
 delete mode 100644 security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml
 delete mode 100644 security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml
 create mode 100644 security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
 create mode 100644 security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
 rename security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/{Netbird.php => Status.php} (87%)
 create mode 100644 security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Status.xml
 create mode 100644 security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
 delete mode 100644 security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
 delete mode 100644 security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt
 create mode 100644 security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
 create mode 100644 security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt
 delete mode 100755 security/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh

diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index a2450c455e..619b7b3a9c 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,8 +1,8 @@
 PLUGIN_NAME=		netbird
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		0.2
 PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
-PLUGIN_MAINTAINER=	opn-netbird@sun-ri.se
+PLUGIN_MAINTAINER=	dev@netbird.io
 PLUGIN_WWW=		https://netbird.io
 PLUGIN_DEVEL=		yes
 
diff --git a/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc b/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc
index 57872cefe1..1d6b7fce09 100644
--- a/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc
+++ b/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc
@@ -4,6 +4,7 @@
  * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
  * Copyright (C) 2025 squared GmbH
  * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30,27 +31,40 @@
 
 function netbird_enabled()
 {
-    return !(new \OPNsense\Netbird\Netbird())->general->Enabled->isEmpty();
+    return !(new \OPNsense\Netbird\Settings())->general->enable->isEmpty();
 }
 
 function netbird_services()
 {
-    $services = array();
-
+    $services = [];
     if (!netbird_enabled()) {
         return $services;
     }
 
-    $services[] = array(
-        'description' => gettext('Netbird'),
-        'configd' => array(
-            'restart' => array('netbird restart'),
-            'start' => array('netbird start'),
-            'stop' => array('netbird stop'),
-        ),
+    $services[] = [
+        'description' => gettext('NetBird'),
+        'configd' => [
+            'restart' => ['netbird restart'],
+            'start' => ['netbird start'],
+            'stop' => ['netbird stop'],
+        ],
         'name' => 'netbird',
         'pidfile' => '/var/run/netbird.pid',
-    );
+    ];
 
     return $services;
 }
+
+function netbird_configure()
+{
+    return [
+        'netbird_sync_config' => ['netbird_configure_do']
+    ];
+}
+
+function netbird_configure_do($verbose = false)
+{
+    service_log('Sync NetBird config...', $verbose);
+    (new \OPNsense\Netbird\Settings())->syncConfig();
+    service_log("done.\n", $verbose);
+}
diff --git a/security/netbird/src/etc/rc.syshook.d/carp/30-netbird b/security/netbird/src/etc/rc.syshook.d/carp/30-netbird
deleted file mode 100755
index b4638afb7e..0000000000
--- a/security/netbird/src/etc/rc.syshook.d/carp/30-netbird
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
- * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once('config.inc');
-require_once('util.inc');
-require_once('interfaces.inc');
-
-
-$model = new \OPNsense\Netbird\Netbird();
-
-if ($model->general->Enabled->isEmpty()) {
-    exit(0);
-}
-
-if (!$model->general->CarpIf->isEqual('')) {
-    exit(0);
-}
-
-$target_vhid = $model->general->VHID;
-$subsystem = !empty($argv[1]) ? $argv[1] : '';
-$type = !empty($argv[2]) ? $argv[2] : '';
-
-if ($type != 'MASTER' && $type != 'BACKUP') {
-    exit(1);
-}
-
-if (!strstr($subsystem, '@')) {
-    exit(1);
-}
-
-list ($vhid, $iface) = explode('@', $subsystem);
-$friendly = convert_real_interface_to_friendly_interface_name($iface);
-
-
-if ($carpif != $friendly || $vhid != $target_vhid) {
-    exit(0);
-}
-
-switch ($type) {
-    case 'MASTER':
-        shell_exec('/usr/local/bin/netbird up');
-        break;
-    case 'BACKUP':
-        shell_exec('/usr/local/bin/netbird down');
-        break;
-}
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
new file mode 100644
index 0000000000..86e22cb583
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
@@ -0,0 +1,102 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Netbird\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Netbird\Authentication;
+
+/**
+ * netbird authentication controller
+ * @package OPNsense\Netbird
+ */
+class AuthenticationController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'authentication';
+    protected static $internalModelClass = '\OPNsense\Netbird\Authentication';
+
+    public function getAction(): array
+    {
+        $mdl = new Authentication();
+
+        $managementUrl = $mdl->managementUrl->__toString();
+        $setupKey = $mdl->setupKey->__toString();
+
+        $defaultKey = '00000000-0000-0000-0000-000000000000';
+        if (!empty($setupKey) && $setupKey !== $defaultKey) {
+            $visiblePart = substr($setupKey, 0, 4);
+            $maskedKey = $visiblePart . str_repeat('*', max(4, strlen($setupKey) - 4));
+        }else{
+            $maskedKey = $defaultKey;
+        }
+
+        return [
+            'authentication' => [
+                'managementUrl' => $managementUrl,
+                'setupKey' => $maskedKey
+            ]
+        ];
+    }
+
+    public function upAction()
+    {
+        $backend = new Backend();
+        $mdl = new Authentication();
+
+        $status = json_decode($backend->configdRun("netbird status-json"), true);
+        $connected = $status['management']['connected'] ?? false;
+
+        if (json_last_error() === JSON_ERROR_NONE && $connected === true) {
+            $backend->configdRun("netbird down");
+        }
+
+        $managementUrl = $mdl->managementUrl->__toString();
+        $setupKey = $mdl->setupKey->__toString();
+
+        $result = $backend->configdpRun("netbird up-setup-key", array($managementUrl, $setupKey));
+        return ['result' => trim($result)];
+    }
+
+    public function downAction(): array
+    {
+        $backend = new Backend();
+
+        $status = json_decode($backend->configdRun("netbird status-json"), true);
+        $connected = $status['management']['connected'] ?? false;
+
+        if (json_last_error() === JSON_ERROR_NONE && $connected === true) {
+            $result = $backend->configdRun("netbird down");
+            return ['result' => trim($result)];
+        }
+        return ['result' => 'already disconnected or not running'];
+    }
+}
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
index f0b5e7e14d..df7000d121 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/ServiceController.php
@@ -1,9 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- * Copyright (C) 2025 squared GmbH
- * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31,10 +29,6 @@
 namespace OPNsense\Netbird\Api;
 
 use OPNsense\Base\ApiMutableServiceControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Core\Config;
-use OPNsense\Netbird\Initial;
-use OPNsense\Netbird\Netbird;
 
 /**
  * Class ServiceController
@@ -42,246 +36,8 @@
  */
 class ServiceController extends ApiMutableServiceControllerBase
 {
-    const NETBIRD_CONFIG_JSON = '/usr/local/etc/netbird/config.json';
-    protected static $internalServiceClass = '\OPNsense\Netbird\Netbird';
-    protected static $internalServiceEnabled = 'general.Enabled';
+    protected static $internalServiceClass = '\OPNsense\Netbird\Settings';
+    protected static $internalServiceEnabled = 'general.enable';
     protected static $internalServiceTemplate = 'OPNsense/Netbird';
     protected static $internalServiceName = 'netbird';
-
-    public function conStatusAction(): string
-    {
-        $backend = new Backend();
-        $bckResult = $backend->configdRun("netbird con-status");
-        if ($bckResult !== null) {
-            return nl2br(htmlspecialchars($bckResult));
-        }
-        return "Error retrieving connection status";
-    }
-
-    public function searchFilter($array, $value): bool
-    {
-        foreach ($array as $val) {
-            if (str_contains(strval($val), strtolower($value))) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    public function upDownStatusAction(): string
-    {
-        $backend = new Backend();
-        $bckResult = $backend->configdRun("netbird status");
-        if (!str_contains($bckResult, "is running")) {
-            return json_encode(array('updown' => "NOT RUNNING", 'status' => "Netbird is not running"));
-        }
-        $bckResult = $backend->configdRun("netbird short-con-status");
-        $txtStatus = nl2br(htmlspecialchars($bckResult));
-        $bckResult = $backend->configdRun("netbird con-status-json");
-        $status = json_decode($bckResult, true);
-        if (!$status['publicKey']) {
-            return json_encode(array('updown' => "DOWN", 'status' => $txtStatus));
-        }
-        return json_encode(array('updown' => "UP", 'status' => $txtStatus));
-    }
-
-    public function searchAction(): string
-    {
-        $request = $this->request;
-        $backend = new Backend();
-        $bckResult = $backend->configdRun("netbird status");
-        if (!str_contains($bckResult, "is running")) {
-            return json_encode(array('current' => 1, 'rowCount' => 0, 'total' => 0, 'rows' => array()));
-        }
-        $bckResult = $backend->configdRun("netbird con-status-json");
-        $status = json_decode($bckResult, true);
-        $itemsPerPage = $request->get('rowCount', 'int', -1);
-        $currentPage = $request->get('current', 'int', 1);
-        $sortBy = array('status');
-        $sortDescending = false;
-
-
-        $searchPhrase = strtolower($request->get('searchPhrase', 'string', ''));
-        if (!$status['peers']['details']) {
-            return json_encode(array('current' => 1, 'rowCount' => 0, 'total' => 0, 'rows' => array()));
-        }
-        $details = $status['peers']['details'];
-        $details = array_filter($details, function ($item) use ($searchPhrase) {
-            return $this->searchFilter($item, $searchPhrase);
-        });
-        $detailsFlat = array();
-        foreach ($details as $detail) {
-            $detailsFlat[] = $this->flattenOneLevel($detail);
-        }
-        if ($request->hasPost('sort') && is_array($request->get("sort")) && !empty($request->get("sort"))) {
-            $sortBy = array_keys($request->get("sort"));
-            if (!empty($sortBy) && $request->get("sort")[$sortBy[0]] == "desc") {
-                $sortDescending = true;
-            }
-        }
-        $sortValues = array();
-        foreach ($detailsFlat as $detail) {
-            $sortValues[] = $detail[$sortBy[0]];
-        }
-        array_multisort($sortValues, $sortDescending ? SORT_DESC : SORT_ASC, $detailsFlat);
-        $page = array_slice($detailsFlat, ($currentPage - 1) * $itemsPerPage, $itemsPerPage);
-        $page = $this->convertFieldsToDisplay($page);
-        $result = array('current' => $currentPage, 'rowCount' => count($page), 'total' => count($detailsFlat), 'rows' => $page);
-        return json_encode($result);
-    }
-
-    private function flattenOneLevel($array): array
-    {
-        $result = array();
-        foreach ($array as $key => $value) {
-            if (is_array($value)) {
-                foreach ($value as $subkey => $subvalue) {
-                    if ($key == "networks") {
-                        $result[$key] = implode("<br />", $value);
-                    } else {
-                        $result[$key . "." . $subkey] = $subvalue;
-                    }
-                }
-            } else {
-                $result[$key] = $value;
-            }
-        }
-        return $result;
-    }
-
-    public function setUpAction(): string
-    {
-        $backend = new Backend();
-        try {
-            return $backend->configdRun("netbird set-up");
-        } catch (\Exception $e) {
-            return "Error running netbird up" . "\n" . $e->getMessage();
-        }
-    }
-
-    public function initialUpAction(): string
-    {
-        $backend = new Backend();
-        $mdlInitial = new Initial();
-        $key = $mdlInitial->initial->setupkey->__toString();
-        $api = $mdlInitial->initial->mgmtservice->__toString();
-        $hostname = $mdlInitial->initial->hostname->__toString();
-        if ($hostname == "") {
-            $hostname = gethostname();
-            if (!$hostname) {
-                $hostname = "OPNsense";
-            } else {
-                if (str_contains($hostname, ".")) {
-                    $hostname = explode(".", $hostname)[0];
-                }
-            }
-
-            $mdlInitial->initial->hostname = $hostname;
-        }
-        $mdlInitial->initial->setupkey = "00000000-0000-0000-0000-000000000000";
-        $mdlInitial->initial->initsure = 0;
-
-        $mdlInitial->serializeToConfig();
-        $cnf = Config::getInstance();
-        $cnf->save();
-
-        $bckresult = $backend->configdRun("netbird set-up-initial " . escapeshellarg($api) . " " . escapeshellarg($key) . " " . escapeshellarg($hostname));
-        return nl2br(htmlspecialchars($bckresult));
-    }
-
-    public function setDownAction(): string
-    {
-        $backend = new Backend();
-        try {
-            return $backend->configdRun("netbird set-down");
-        } catch (\Exception $e) {
-            return "Error running netbird down" . "\n" . $e->getMessage();
-        }
-    }
-
-    public function reloadAction()
-    {
-        $status = "failed";
-        if ($this->request->isPost()) {
-            try {
-                $mdlNetbird = new Netbird();
-                $backend = new Backend();
-                if (trim($backend->configdRun('template reload OPNsense/Netbird')) == "OK") {
-                    $status = "ok";
-                }
-
-                $enabled = $mdlNetbird->general->Enabled->__toString() == 1;
-                $carpEnabled = $mdlNetbird->general->CarpIf->__toString() != '';
-                $disableClientRoutes = $mdlNetbird->general->DisableClientRoutes->__toString() == 1;
-                $disableServerRoutes = $mdlNetbird->general->DisableServerRoutes->__toString() == 1;
-                $disableDNS = $mdlNetbird->general->DisableDNS->__toString() == 1;
-                $rpEnabled = $mdlNetbird->general->QuantumEnabled->__toString() == 1;
-                $rpPermissive = $mdlNetbird->general->QuantumPermissive->__toString() == 1;
-                $wgPort = $mdlNetbird->general->WgPort->__toString();
-                $netbirdConfigJson = file_get_contents(self::NETBIRD_CONFIG_JSON);
-                $netbirdConfig = json_decode($netbirdConfigJson, true);
-                $netbirdConfig["DisableAutoConnect"] = $carpEnabled;
-                $netbirdConfig["DisableClientRoutes"] = $disableClientRoutes;
-                $netbirdConfig["DisableServerRoutes"] = $disableServerRoutes;
-                $netbirdConfig["DisableDNS"] = $disableDNS;
-                $netbirdConfig["RosenpassEnabled"] = $rpEnabled;
-                $netbirdConfig["RosenpassPermissive"] = $rpPermissive;
-                $netbirdConfig["WgPort"] = intval($wgPort);
-                $netbirdConfigJson = json_encode($netbirdConfig);
-                file_put_contents(self::NETBIRD_CONFIG_JSON, $netbirdConfigJson);
-                $action = $enabled ? "restart" : "stop";
-                $backend->configdRun("netbird $action");
-            } catch (\Exception $e) {
-                $status = "failed";
-                syslog(LOG_ERR, "netbird: failed to reload configuration: " . $e->getMessage());
-            }
-        }
-        return array("status" => $status);
-    }
-
-    /**
-     * @param array $page
-     * @return array
-     */
-    public function convertFieldsToDisplay(array $page): array
-    {
-        for ($i = 0; $i < count($page); $i++) {
-            $page[$i]['latency'] = round($page[$i]['latency'] / 1000000, 2) . " ms";
-            $received = $page[$i]['transferReceived'];
-            $rcvUnit = "KiB";
-            $received /= 1024;
-            if ($received > 1024) {
-                $received /= 1024;
-                $rcvUnit = "MiB";
-            }
-            if ($received > 1024) {
-                $received /= 1024;
-                $rcvUnit = "GiB";
-            }
-
-            $sent = $page[$i]['transferSent'];
-            $sentUnit = "KiB";
-            $sent /= 1024;
-            if ($sent > 1024) {
-                $sent /= 1024;
-                $sentUnit = "MiB";
-            }
-            if ($sent > 1024) {
-                $sent /= 1024;
-                $sentUnit = "GiB";
-            }
-            $page[$i]['transferReceived'] = round($received, 2) . " " . $rcvUnit;
-            $page[$i]['transferSent'] = round($sent, 2) . " " . $sentUnit;
-            $page[$i]['lastStatusUpdate'] = date("Y-m-d H:i:s", strtotime($page[$i]['lastStatusUpdate']));
-            $page[$i]['lastWireguardHandshake'] = date("Y-m-d H:i:s", strtotime($page[$i]['lastWireguardHandshake']));
-            foreach ($page[$i] as $key => $value) {
-                if ($value == "true") {
-                    $page[$i][$key] = 1;
-                } elseif ($value == "false") {
-                    $page[$i][$key] = 0;
-                }
-            }
-        }
-        return $page;
-    }
 }
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
index bd7ebc6033..f399d2891e 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/SettingsController.php
@@ -1,9 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- * Copyright (C) 2025 squared GmbH
- * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31,13 +29,35 @@
 namespace OPNsense\Netbird\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
 
 /**
- * Netbird settings controller
+ * netbird settings controller
  * @package OPNsense\Netbird
  */
 class SettingsController extends ApiMutableModelControllerBase
 {
-    protected static $internalModelName = 'netbird';
-    protected static $internalModelClass = 'OPNsense\Netbird\Netbird';
+    protected static $internalModelName = 'settings';
+    protected static $internalModelClass = '\OPNsense\Netbird\Settings';
+
+    public function syncAction()
+    {
+        $backend = new Backend();
+
+        $result = $backend->configdRun("netbird sync-config");
+        if (stripos($result, 'done') === false) {
+            return [
+                'result' => 'failed to sync config: ' . $result,
+            ];
+        }
+
+        $status = json_decode($backend->configdRun("netbird status-json"), true);
+        $connected = $status['management']['connected'] ?? false;
+        if (json_last_error() === JSON_ERROR_NONE && $connected === true) {
+            $backend->configdRun("netbird down");
+            $backend->configdRun("netbird up");
+        }
+
+        return ['result' => 'synced'];
+    }
 }
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/StatusController.php
similarity index 73%
rename from security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/StatusController.php
index a86b619d93..7a91116e8a 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/InitialController.php
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/StatusController.php
@@ -4,6 +4,7 @@
  * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
  * Copyright (C) 2025 squared GmbH
  * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31,13 +32,24 @@
 namespace OPNsense\Netbird\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
 
 /**
- * netbird settings controller
+ * Class StatusController
  * @package OPNsense\Netbird
  */
-class InitialController extends ApiMutableModelControllerBase
+class StatusController extends ApiMutableModelControllerBase
 {
-    protected static $internalModelName = 'netbird';
-    protected static $internalModelClass = 'OPNsense\Netbird\Initial';
+    protected static $internalModelClass = '\OPNsense\Netbird\Status';
+    protected static $internalModelName = 'Netbird';
+
+    public function statusAction(): array
+    {
+        $backend =  new Backend();
+        $status = json_decode($backend->configdRun("netbird status-json"), true);
+        if (json_last_error() === JSON_ERROR_NONE && is_array($status)) {
+            return $status;
+        }
+        return [];
+    }
 }
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/AuthenticationController.php
similarity index 81%
rename from security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/AuthenticationController.php
index 6c041912d0..bc8790f2ad 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/ConstatusController.php
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/AuthenticationController.php
@@ -1,9 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- * Copyright (C) 2025 squared GmbH
- * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31,13 +29,14 @@
 namespace OPNsense\Netbird;
 
 /**
- * Class ConstatusController
+ * Class AuthenticationController
  * @package OPNsense\Netbird
  */
-class ConstatusController extends \OPNsense\Base\IndexController
+class AuthenticationController extends \OPNsense\Base\IndexController
 {
     public function indexAction()
     {
-        $this->view->pick('OPNsense/Netbird/constatus');
+        $this->view->authenticationForm = $this->getForm("authentication");
+        $this->view->pick('OPNsense/Netbird/authentication');
     }
 }
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/SettingsController.php
similarity index 76%
rename from security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php
rename to security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/SettingsController.php
index 3567b469d4..b3677b198c 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/IndexController.php
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/SettingsController.php
@@ -1,9 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- * Copyright (C) 2025 squared GmbH
- * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31,15 +29,14 @@
 namespace OPNsense\Netbird;
 
 /**
- * Class IndexController
+ * Class SettingsController
  * @package OPNsense\Netbird
  */
-class IndexController extends \OPNsense\Base\IndexController
+class SettingsController extends \OPNsense\Base\IndexController
 {
     public function indexAction()
     {
-        $this->view->generalForm = $this->getForm('general');
-        $this->view->initialUpForm = $this->getForm('initialup');
-        $this->view->pick('OPNsense/Netbird/index');
+        $this->view->settingsForm = $this->getForm("settings");
+        $this->view->pick('OPNsense/Netbird/settings');
     }
 }
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/StatusController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/StatusController.php
new file mode 100644
index 0000000000..55797b515e
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/StatusController.php
@@ -0,0 +1,41 @@
+<?php
+
+/*
+ * Copyright (C) 2025 NetBird GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Netbird;
+
+/**
+ * Class StatusController
+ * @package OPNsense\Netbird
+ */
+class StatusController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/Netbird/status');
+    }
+}
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
new file mode 100644
index 0000000000..75111fdaf3
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
@@ -0,0 +1,14 @@
+<form>
+    <field>
+        <id>authentication.managementUrl</id>
+        <label>Management URL</label>
+        <type>text</type>
+        <help>Base URL of the management service</help>
+    </field>
+    <field>
+        <id>authentication.setupKey</id>
+        <label>Setup Key</label>
+        <type>text</type>
+        <help>Set the authentication setup key</help>
+    </field>
+</form>
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml
deleted file mode 100644
index 94513a0cd5..0000000000
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/general.xml
+++ /dev/null
@@ -1,56 +0,0 @@
-<form>
-    <field>
-        <id>netbird.general.Enabled</id>
-        <label>Enabled</label>
-        <type>checkbox</type>
-        <help>Enable Netbird</help>
-    </field>
-    <field>
-        <id>netbird.general.WgPort</id>
-        <label>Wireguard Port</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>netbird.general.DisableDNS</id>
-        <label>Disable Netbird DNS lookups</label>
-        <type>checkbox</type>
-        <help>Disables DNS lookups for the Netbird network.</help>
-    </field>
-    <field>
-        <id>netbird.general.DisableServerRoutes</id>
-        <label>Disable Server Routes</label>
-        <type>checkbox</type>
-        <help>Prevents Netbird from being a routing peer for other Netbird peers.</help>
-    </field>
-    <field>
-        <id>netbird.general.DisableClientRoutes</id>
-        <label>Disable Client Routes</label>
-        <type>checkbox</type>
-        <help>Prevents Netbird from setting client routes to other remote peers.</help>
-    </field>
-    <field>
-        <id>netbird.general.QuantumEnabled</id>
-        <label>Rosenpass Enabled</label>
-        <type>checkbox</type>
-        <help>Enable Rosenpass</help>
-    </field>
-    <field>
-        <id>netbird.general.QuantumPermissive</id>
-        <label>Rosenpass Permissive Mode</label>
-        <type>checkbox</type>
-        <help>Enable Rosenpass permissive mode</help>
-    </field>
-    <field>
-        <id>netbird.general.CarpIf</id>
-        <label>CARP Interface</label>
-        <type>dropdown</type>
-        <help>If set to none Netbird up is executed and auto connect is enabled. If an interface is selected auto
-            connect is disabled. Please trigger a CARP event or execute Netbird up manually on the MASTER node.
-        </help>
-    </field>
-    <field>
-        <id>netbird.general.VHID</id>
-        <label>CARP VHID</label>
-        <type>text</type>
-    </field>
-</form>
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml
deleted file mode 100644
index eb4db002f0..0000000000
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/initialup.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<form>
-    <field>
-        <id>netbird.initial.mgmtservice</id>
-        <label>Management Service URL</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>netbird.initial.setupkey</id>
-        <label>Setup Key</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>netbird.initial.hostname</id>
-        <label>Hostname</label>
-        <type>text</type>
-        <help>If empty the system hostname excluding the domain part will be used.</help>
-    </field>
-        <field>
-        <id>netbird.initial.initsure</id>
-        <label>I know what I'm doing</label>
-        <type>checkbox</type>
-        <help>If you enable this checkbox and submit the form your old netbird config will be deleted. In case of an error it will get restored. Should something go terribly wrong you can find the backups
-        in the configuration folder. (/usr/local/etc/netbird)</help>
-    </field>
-</form>
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
new file mode 100644
index 0000000000..99992db3cd
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
@@ -0,0 +1,93 @@
+<form>
+    <field>
+        <type>header</type>
+        <label>General</label>
+    </field>
+    <field>
+        <id>settings.general.enable</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable NetBird</help>
+    </field>
+    <field>
+        <id>settings.general.wireguardPort</id>
+        <label>WireGuard Port</label>
+        <type>text</type>
+        <help>Wireguard interface listening port</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Client Firewall</label>
+    </field>
+    <field>
+        <id>settings.firewall.allowConfig</id>
+        <label>Enable firewal</label>
+        <type>checkbox</type>
+        <help>Allow the client to filter traffic with its built-in firewall. If disabled, you must assign the NetBird interface and manage firewall rules via PFSense firewall management.
+            Additionally, NetBird routing and DNS may not function as intended.</help>
+    </field>
+    <field>
+        <id>settings.firewall.blockInboundConnection</id>
+        <label>Block Inbound Connection</label>
+        <type>checkbox</type>
+        <help>Block all inbound connections to the local machine from the WireGuard interface and any routed networks</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>SSH</label>
+    </field>
+    <field>
+        <id>settings.ssh.enable</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Allows incoming SSH connections</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>DNS</label>
+    </field>
+    <field>
+        <id>settings.dns.enable</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Allows the client to resolve and configure DNS on the host</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Routing</label>
+    </field>
+    <field>
+        <id>settings.routing.accessLan</id>
+        <label>Access LAN</label>
+        <type>checkbox</type>
+        <help>Allow access to local networks (LAN) when using this peer as a routing peer or exit-node</help>
+    </field>
+    <field>
+        <id>settings.routing.acceptClientRoutes</id>
+        <label>Accept Client Routes</label>
+        <type>checkbox</type>
+        <help>Accept and process client routes received from the management</help>
+    </field>
+    <field>
+        <id>settings.routing.acceptServerRoutes</id>
+        <label>Accept Server Routes</label>
+        <type>checkbox</type>
+        <help>Enable this peer to act as a router for server routes received from the management</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Post-Quantum</label>
+    </field>
+    <field>
+        <id>settings.postquantum.enableRosenpass</id>
+        <label>Enable Rosenpass</label>
+        <type>checkbox</type>
+        <help>Enable the Rosenpass to provide post-quantum secure connections (Experimental)</help>
+    </field>
+    <field>
+        <id>settings.postquantum.rosenpassPermissive</id>
+        <label>Rosenpass Permissive Mode</label>
+        <type>checkbox</type>
+        <help>Enable Rosenpass permissive mode</help>
+    </field>
+</form>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml
index d5e38af314..bb0b3272fe 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/ACL/ACL.xml
@@ -1,6 +1,6 @@
 <acl>
     <page-vpn-netbird>
-        <name>VPN: Netbird</name>
+        <name>VPN: NetBird</name>
         <patterns>
             <pattern>ui/netbird/*</pattern>
             <pattern>api/netbird/*</pattern>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.php
similarity index 87%
rename from security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php
rename to security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.php
index 01176577cc..3dc00c2a21 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.php
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.php
@@ -1,9 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- * Copyright (C) 2025 squared GmbH
- * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32,6 +30,6 @@
 
 use OPNsense\Base\BaseModel;
 
-class Initial extends BaseModel
+class Authentication extends BaseModel
 {
 }
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
new file mode 100644
index 0000000000..00433f7cff
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
@@ -0,0 +1,17 @@
+<model>
+    <mount>//OPNsense/netbird/authentication</mount>
+    <description>NetBird authentication</description>
+    <version>1.0.0</version>
+    <items>
+        <managementUrl type="UrlField">
+            <Required>Y</Required>
+            <default>https://api.netbird.io:443</default>
+            <ValidationMessage>Please specify a valid URL</ValidationMessage>
+        </managementUrl>
+        <setupKey type="TextField">
+            <Required>Y</Required>
+            <Mask>/^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$/i</Mask>
+            <ValidationMessage>Please specify a valid setup key</ValidationMessage>
+        </setupKey>
+    </items>
+</model>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml
deleted file mode 100644
index e38f97126a..0000000000
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Initial.xml
+++ /dev/null
@@ -1,32 +0,0 @@
-<model>
-    <mount>//OPNsense/netbird-initial</mount>
-    <description>
-        Netbird initial setup
-    </description>
-    <items>
-        <!-- container -->
-        <initial>
-            <!-- fields -->
-            <setupkey type="TextField">
-                <Mask>/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i</Mask>
-                <ValidationMessage>Please specify a valid setup key.</ValidationMessage>
-            </setupkey>
-            <mgmtservice type="UrlField">
-                <Required>Y</Required>
-                <default>https://api.netbird.io:443</default>
-            </mgmtservice>
-            <hostname type="HostnameField">
-                <Required>N</Required>
-                <IpAllowed>N</IpAllowed>
-                <HostWildcardAllowed>N</HostWildcardAllowed>
-                <FqdnWildcardAllowed>N</FqdnWildcardAllowed>
-                <ZoneRootAllowed>N</ZoneRootAllowed>
-                <ValidationMessage>Please specify a valid hostname.</ValidationMessage>
-            </hostname>
-            <initsure type="BooleanField">
-                <default>0</default>
-                <Required>Y</Required>
-            </initsure>
-        </initial>
-    </items>
-</model>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml
index a569a29427..6423021539 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Menu/Menu.xml
@@ -1,9 +1,10 @@
 <menu>
     <VPN>
-        <Netbird cssClass="fa fa-lock fa-fw">
-            <Settings order="40" url="/ui/netbird"/>
-            <ConStatus order="50" VisibleName="Status" url="/ui/netbird/constatus"/>
-            <LogFile VisibleName="Log File" order="60" url="/ui/diagnostics/log/core/netbird"/>
-        </Netbird>
+        <NetBird cssClass="fa fa-lock fa-fw">
+            <Authentication order="10" url="/ui/netbird/authentication"/>
+            <Settings order="20" url="/ui/netbird/settings"/>
+            <Status order="30" url="/ui/netbird/status"/>
+            <LogFile order="40" VisibleName="Log File" url="/ui/diagnostics/log/core/netbird"/>
+        </NetBird>
     </VPN>
 </menu>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml
deleted file mode 100644
index 11712a7070..0000000000
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<model>
-    <mount>//OPNsense/netbird</mount>
-    <version>0.8.1</version>
-    <description>Netbird plugin</description>
-    <items>
-        <!-- container -->
-        <general>
-            <!-- fields -->
-            <Enabled type="BooleanField">
-                <default>0</default>
-                <Required>Y</Required>
-            </Enabled>
-            <WgPort type="IntegerField">
-                <Required>Y</Required>
-                <default>51820</default>
-            </WgPort>
-            <QuantumEnabled type="BooleanField">
-                <default>0</default>
-                <Required>Y</Required>
-            </QuantumEnabled>
-            <DisableDNS type="BooleanField">
-                <default>1</default>
-                <Required>Y</Required>
-            </DisableDNS>
-            <DisableServerRoutes type="BooleanField">
-                <default>1</default>
-                <Required>Y</Required>
-            </DisableServerRoutes>
-            <DisableClientRoutes type="BooleanField">
-                <default>1</default>
-                <Required>Y</Required>
-            </DisableClientRoutes>
-            <QuantumPermissive type="BooleanField">
-                <default>0</default>
-                <Required>Y</Required>
-            </QuantumPermissive>
-            <CarpIf type="InterfaceField">
-                <Required>N</Required>
-            </CarpIf>
-            <VHID type="IntegerField">
-                <Required>N</Required>
-                <default>1</default>
-            </VHID>
-        </general>
-    </items>
-</model>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
new file mode 100644
index 0000000000..ead5e45867
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ * Copyright (C) 2025 squared GmbH
+ * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Netbird;
+
+use OPNsense\Base\BaseModel;
+
+class Settings extends BaseModel
+{
+    public function syncConfig($target='/var/db/netbird/config.json')
+    {
+        $config = json_decode(file_get_contents($target), true);
+        if (!is_array($config)) {
+            $jsonError = json_last_error_msg();
+            syslog(LOG_ERR, "netbird: failed to decode configuration: $jsonError");
+            return;
+        }
+
+        $config["WgPort"] = (int)$this->general->wireguardPort->__toString();
+        $config["ServerSSHAllowed"] = $this->ssh->enable->__toString() == 1;
+        $config["DisableFirewall"] = $this->firewall->allowConfig->__toString() != 1;
+        $config["BlockInbound"] = $this->firewall->blockInboundConnection->__toString() == 1;
+        $config["DisableDNS"] = $this->dns->enable->__toString() != 1;
+        $config["BlockLANAccess"] = $this->routing->accessLan->__toString() != 1;
+        $config["DisableClientRoutes"] = $this->routing->acceptClientRoutes->__toString() != 1;
+        $config["DisableServerRoutes"] = $this->routing->acceptServerRoutes->__toString() != 1;
+        $config["RosenpassEnabled"] = $this->postquantum->enableRosenpass->__toString() == 1;
+        $config["RosenpassPermissive"] = $this->postquantum->rosenpassPermissive->__toString() == 1;
+
+
+        $result = file_put_contents($target, json_encode($config, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+        if ($result === false) {
+            syslog(LOG_ERR, "netbird: failed to write updated configuration to $target");
+        }
+    }
+}
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
new file mode 100644
index 0000000000..e76abf89ed
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
@@ -0,0 +1,66 @@
+<model>
+    <mount>//OPNsense/netbird/settings</mount>
+    <description>NetBird settings</description>
+    <version>1.0.0</version>
+    <items>
+        <general>
+            <enable type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </enable>
+            <wireguardPort type="IntegerField">
+                <default>51820</default>
+                <Required>Y</Required>
+                <minimum>1</minimum>
+                <maximum>65535</maximum>
+                <ValidationMessage>Please specify a valid port</ValidationMessage>
+            </wireguardPort>
+        </general>
+        <firewall>
+            <allowConfig type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </allowConfig>
+            <blockInboundConnection type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </blockInboundConnection>
+        </firewall>
+        <ssh>
+            <enable type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </enable>
+        </ssh>
+        <dns>
+            <enable type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </enable>
+        </dns>
+        <routing>
+            <accessLan type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </accessLan>
+            <acceptClientRoutes type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </acceptClientRoutes>
+            <acceptServerRoutes type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </acceptServerRoutes>
+        </routing>
+        <postquantum>
+            <enableRosenpass type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </enableRosenpass>
+            <rosenpassPermissive type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </rosenpassPermissive>
+        </postquantum>
+    </items>
+</model>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Status.php
similarity index 87%
rename from security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php
rename to security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Status.php
index d562455d13..da3298cf1f 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Netbird.php
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Status.php
@@ -1,9 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- * Copyright (C) 2025 squared GmbH
- * Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ * Copyright (C) 2025 NetBird GmbH
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32,6 +30,6 @@
 
 use OPNsense\Base\BaseModel;
 
-class Netbird extends BaseModel
+class Status extends BaseModel
 {
 }
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Status.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Status.xml
new file mode 100644
index 0000000000..eef4701d70
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Status.xml
@@ -0,0 +1,6 @@
+<model>
+    <mount>:memory:</mount>
+    <description>NetBird status</description>
+    <items>
+    </items>
+</model>
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
new file mode 100644
index 0000000000..7d2652c4de
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
@@ -0,0 +1,111 @@
+{#
+ # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ # Copyright (C) 2025 squared GmbH
+ # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ # Copyright (C) 2025 NetBird GmbH
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    function updateNetBirdStatusUI() {
+        ajaxGet('/api/netbird/status/status', {}, (data) => {
+            const $connectBtn = $("#connectBtn");
+            const $disconnectBtn = $("#disconnectBtn");
+
+            $("#netbird-actions").removeClass("hidden");
+
+            const isConnected = data.management?.connected === true;
+            const message = isConnected ? "NetBird is connected" : "NetBird is not connected";
+            const type = isConnected ? "info" : "warning";
+
+            $connectBtn.toggleClass("hidden", isConnected);
+            $disconnectBtn.toggleClass("hidden", !isConnected);
+
+            $("#status").removeClass().addClass("alert alert-" + type).text(message).show();
+        });
+    }
+
+    $(document).ready(() => {
+        mapDataToFormUI({
+            'frmAuthentication': "/api/netbird/authentication/get"
+        }).done(() => {
+            updateServiceControlUI('netbird');
+            updateNetBirdStatusUI();
+        });
+
+        $("#connectBtn").SimpleActionButton({
+            onPreAction: () => {
+                const dfObj = new $.Deferred();
+                const setupKey = $("#authentication\\.setupKey").val();
+
+                if (setupKey.includes("*")) {
+                    dfObj.resolve();
+                } else {
+                    saveFormToEndpoint("/api/netbird/authentication/set", 'frmAuthentication', () => {
+                        dfObj.resolve();
+                    }, true, () => {
+                        dfObj.reject();
+                    });
+                }
+                return dfObj;
+            },
+            onAction: () => {
+                updateServiceControlUI('netbird');
+                updateNetBirdStatusUI();
+            }
+        });
+
+        $("#disconnectBtn").SimpleActionButton({
+            onAction: () => {
+                updateServiceControlUI('netbird');
+                updateNetBirdStatusUI();
+            }
+        });
+    });
+</script>
+
+<div class="alert hidden" role="alert" id="status"></div>
+<div class="content-box">
+    {{ partial("layout_partials/base_form",['fields':authenticationForm,'id':'frmAuthentication']) }}
+</div>
+<section class="page-content-main hidden" id="netbird-actions">
+    <div class="content-box">
+        <div class="col-md-12">
+            </br>
+            <button class="btn btn-primary hidden" id="connectBtn"
+                data-endpoint="/api/netbird/authentication/up"
+                data-label="{{ lang._('Connect') }}"
+                data-error-title="{{ lang._('Error connecting NetBird') }}"
+                type="button"
+            ></button>
+            <button class="btn btn-primary hidden" id="disconnectBtn"
+                data-endpoint="/api/netbird/authentication/down"
+                data-label="{{ lang._('Disconnect') }}"
+                data-error-title="{{ lang._('Error disconnecting NetBird') }}"
+                type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
deleted file mode 100644
index 4cdc7654a6..0000000000
--- a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/constatus.volt
+++ /dev/null
@@ -1,164 +0,0 @@
-{#
- # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- # Copyright (C) 2025 squared GmbH
- # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1.  Redistributions of source code must retain the above copyright notice,
- #     this list of conditions and the following disclaimer.
- #
- # 2.  Redistributions in binary form must reproduce the above copyright notice,
- #     this list of conditions and the following disclaimer in the documentation
- #     and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-
-<script>
-
-    $(document).ready(function () {
-
-        function refreshConStatus() {
-            $("#refreshAct_progress").addClass("fa fa-spinner fa-pulse");
-
-            ajaxCall(url = "/api/netbird/service/upDownStatus", sendData = {}, callback = function (data, status) {
-                if (data['updown'] == "UP") {
-                    $("#setUpAct").prop('disabled', true);
-                    $("#setDownAct").prop('disabled', false);
-                    $("#peers").prop('hidden', false);
-                } else if (data['updown'] == "DOWN") {
-                    $("#setUpAct").prop('disabled', false);
-                    $("#setDownAct").prop('disabled', true);
-                    $("#peers").prop('hidden', true);
-                } else {
-                    $("#setUpAct").prop('disabled', true);
-                    $("#setDownAct").prop('disabled', true);
-                    $("#peers").prop('hidden', true);
-                }
-                $("#updown").html(data['updown']);
-                $("#constatustxt").html(data['status']);
-                std_bootgrid_reload('grid-peers');
-                $("#refreshAct_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        }
-
-        $("#refreshAct").click(function () {
-            refreshConStatus();
-        });
-
-        $("#setUpAct").click(function () {
-            $("#setUp_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url = "/api/netbird/service/setup", sendData = {}, callback = function (data, status) {
-                setTimeout(function () {
-                    refreshConStatus();
-                    $("#setUp_progress").removeClass("fa fa-spinner fa-pulse");
-                }, 3000);
-
-            });
-        });
-
-        $("#setDownAct").click(function () {
-            $("#setDown_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url = "/api/netbird/service/setdown", sendData = {}, callback = function (data, status) {
-                setTimeout(function () {
-                    refreshConStatus();
-                    $("#setDown_progress").removeClass("fa fa-spinner fa-pulse");
-                }, 500);
-
-            });
-        });
-
-        $("#service_status_container").click(function () {
-            setTimeout(function () {
-                refreshConStatus();
-            }, 2000);
-        });
-
-        $("#grid-peers").UIBootgrid(
-            {
-                search: '/api/netbird/service/search'
-            }
-        );
-
-        refreshConStatus();
-        updateServiceControlUI('netbird');
-
-    });
-</script>
-<div class="col-md-12">
-    <h2>Netbird Connection</h2>
-    <span id="updown"></span>
-</div>
-<div class="col-md-12">
-    <button class="btn" id="setUpAct" type="button"><b>{{ lang._('Set UP') }}</b><i id="setUp_progress"></i></button>
-    <button class="btn" id="setDownAct" type="button"><b>{{ lang._('Set DOWN') }}</b><i id="setDown_progress"></i>
-    </button>
-</div>
-
-<div id="peers" class="col-md-12">
-    <h2>Peers</h2>
-    <table id="grid-peers" class="table table-condensed table-hover table-striped">
-        <thead>
-        <tr>
-            <th data-column-id="fqdn" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('FQDN') }}</th>
-            <th data-column-id="networks" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('Networks') }}</th>
-            <th data-width="8%" data-column-id="netbirdIp" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('IP') }}</th>
-            <th data-width="5%" data-column-id="direct" data-type="string" data-identifier="false"
-                data-formatter="boolean"
-                data-visible="true">{{ lang._('Direct') }}</th>
-            <th data-width="5%" data-column-id="status" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('Status') }}</th>
-            <th data-width="8%" data-column-id="lastWireguardHandshake" data-type="date" data-identifier="false"
-                data-visible="true">{{ lang._('Last Handshake') }}</th>
-            <th data-width="8%" data-column-id="lastStatusUpdate" data-type="date" data-identifier="false"
-                data-visible="true">{{ lang._('Last Status Update') }}</th>
-            <th data-width="5%" data-column-id="transferReceived" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('Received') }}</th>
-            <th data-width="5%" data-column-id="transferSent" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('Sent') }}</th>
-            <th data-width="5%" data-column-id="latency" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('Latency') }}</th>
-            <th data-width="5%" data-column-id="connectionType" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('Connection Type') }}</th>
-            <th data-width="5%" data-column-id="quantumResistance" data-type="string" data-identifier="false"
-                data-formatter="boolean"
-                data-visible="true">{{ lang._('QR') }}</th>
-            <th data-width="5%" data-column-id="iceCandidateType.local" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('ICE TL') }}</th>
-            <th data-width="5%" data-column-id="iceCandidateType.remote" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('ICE TR') }}</th>
-            <th data-width="8%" data-column-id="iceCandidateEndpoint.local" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('ICE EP Local') }}</th>
-            <th data-width="8%" data-column-id="iceCandidateEndpoint.remote" data-type="string" data-identifier="false"
-                data-visible="true">{{ lang._('ICE EP Remote') }}</th>
-        </tr>
-        </thead>
-        <tbody>
-        </tbody>
-    </table>
-</div>
-<div class="col-md-12">
-    <h2>{{ lang._('Status Output') }}</h2>
-    <section id="constatustxt" class="col-xs-11">
-    </section>
-</div>
-
-<div class="col-md-12">
-    <button class="btn" id="refreshAct" type="button"><b>{{ lang._('Refresh') }}</b><i id="refreshAct_progress"></i>
-    </button>
-</div>
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt
deleted file mode 100644
index e3225bba83..0000000000
--- a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/index.volt
+++ /dev/null
@@ -1,107 +0,0 @@
-{#
- # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
- # Copyright (C) 2025 squared GmbH
- # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
- # All rights reserved.
- #
- # Redistribution and use in source and binary forms, with or without modification,
- # are permitted provided that the following conditions are met:
- #
- # 1.  Redistributions of source code must retain the above copyright notice,
- #     this list of conditions and the following disclaimer.
- #
- # 2.  Redistributions in binary form must reproduce the above copyright notice,
- #     this list of conditions and the following disclaimer in the documentation
- #     and/or other materials provided with the distribution.
- #
- # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
- # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- # POSSIBILITY OF SUCH DAMAGE.
- #}
-
-<script>
-
-    $(document).ready(function () {
-
-        $("#netbird\\.initial\\.initsure").click(function () {
-            if ($("#netbird\\.initial\\.initsure").prop('checked')) {
-                $("#initialAct").prop('disabled', false);
-            } else {
-                $("#initialAct").prop('disabled', true);
-            }
-        });
-
-        $("#saveAct").click(function () {
-            $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            saveFormToEndpoint(url = "/api/netbird/settings/set", formid = 'frm_GeneralSettings', callback_ok = function () {
-                ajaxCall(url = "/api/netbird/service/reload", sendData = {}, callback = function (data, status) {
-                    updateServiceControlUI('netbird');
-                    $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                });
-            });
-        });
-
-        $("#initialAct").click(function () {
-            saveFormToEndpoint(url = "/api/netbird/initial/set", formid = 'frm_InitialUp', callback_ok = function () {
-                $("#initialAct_progress").addClass("fa fa-spinner fa-pulse");
-                ajaxCall(url = "/api/netbird/service/initialup", sendData = {}, callback = function (data, status) {
-                    $("#initialtxt").html(data.responseText);
-                    $("#resultdiv").prop('hidden', false);
-                    $("#initialAct").prop('disabled', true);
-                    var data_get_map_initial = {'frm_InitialUp': "/api/netbird/initial/get"};
-                    mapDataToFormUI(data_get_map_initial)
-                    ajaxCall(url = "/api/netbird/service/reload", sendData = {}, callback = function (data, status) {
-                        updateServiceControlUI('netbird');
-                        $("#initialAct_progress").removeClass("fa fa-spinner fa-pulse");
-                    });
-                });
-            }, true);
-        });
-
-
-        let data_get_map = {'frm_GeneralSettings': "/api/netbird/settings/get"};
-        mapDataToFormUI(data_get_map).done(function (data) {
-            updateServiceControlUI('netbird');
-            $('.selectpicker').selectpicker('refresh');
-        });
-
-        let data_get_map_initial = {'frm_InitialUp': "/api/netbird/initial/get"};
-        mapDataToFormUI(data_get_map_initial)
-    });
-</script>
-
-<div class="alert alert-info hidden" role="alert" id="responseMsg">
-
-</div>
-
-<div class="col-md-12">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_GeneralSettings']) }}
-</div>
-
-<div class="col-md-12">
-    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b><i id="saveAct_progress"></i>
-    </button>
-</div>
-
-<div class="col-md-12">
-    {{ partial("layout_partials/base_form",['fields':initialUpForm,'id':'frm_InitialUp']) }}
-</div>
-
-<div class="col-md-12">
-    <button disabled="true" class="btn" id="initialAct" type="button"><b>{{ lang._('Setup') }}</b><i
-                id="initialAct_progress"></i>
-    </button>
-</div>
-
-<div class="col-md-12" id="resultdiv" hidden="true">
-    <h2>{{ lang._('Result') }}</h2>
-    <section id="initialtxt" class="col-xs-11">
-    </section>
-</div>
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
new file mode 100644
index 0000000000..ba255057c8
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
@@ -0,0 +1,57 @@
+{#
+ # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ # Copyright (C) 2025 squared GmbH
+ # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ # Copyright (C) 2025 NetBird GmbH
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $(document).ready(() => {
+        mapDataToFormUI({
+            'frmSettings': "/api/netbird/settings/get"
+        }).done(() => {
+            updateServiceControlUI('netbird');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: () => {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/netbird/settings/set", 'frmSettings', () => {
+                    dfObj.resolve();
+                }, true, () => {
+                    dfObj.reject();
+                });
+                return dfObj;
+            },
+            onAction: () => {
+                updateServiceControlUI('netbird');
+            }
+        });
+    });
+</script>
+<div class="content-box">
+    {{ partial("layout_partials/base_form",['fields':settingsForm,'id':'frmSettings']) }}
+</div>
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/netbird/settings/sync', 'data_service_widget': 'netbird'}) }}
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt
new file mode 100644
index 0000000000..14b06a98fd
--- /dev/null
+++ b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt
@@ -0,0 +1,281 @@
+{#
+ # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
+ # Copyright (C) 2025 squared GmbH
+ # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
+ # Copyright (C) 2025 NetBird GmbH
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1.  Redistributions of source code must retain the above copyright notice,
+ #     this list of conditions and the following disclaimer.
+ #
+ # 2.  Redistributions in binary form must reproduce the above copyright notice,
+ #     this list of conditions and the following disclaimer in the documentation
+ #     and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $(document).ready(() =>{
+        function getElapsedTime(date) {
+            if (!(date instanceof Date) || isNaN(date) || date.getMonth() === 0) return "-";
+
+            const now = new Date();
+            const diff = now - date;
+            if (diff < 1000) return "Now";
+
+            const units = [{
+                    label: "day",
+                    ms: 86400000
+                },
+                {
+                    label: "hour",
+                    ms: 3600000
+                },
+                {
+                    label: "minute",
+                    ms: 60000
+                },
+                {
+                    label: "second",
+                    ms: 1000
+                },
+            ];
+
+            const parts = [];
+            let remaining = diff;
+
+            for (const {
+                    label,
+                    ms
+                }
+                of units) {
+                const val = Math.floor(remaining / ms);
+                if (val > 0) {
+                    parts.push(`${val} ${label}${val > 1 ? "s" : ""}`);
+                    remaining %= ms;
+                }
+                if (parts.length === 2) break;
+            }
+
+            return parts.join(", ") + " ago";
+        }
+
+        function formatBytes(bytes) {
+            const unit = 1024;
+
+            if (bytes < unit) {
+                return `${bytes} B`;
+            }
+
+            const units = ['Ki', 'Mi', 'Gi', 'Ti', 'Pi', 'Ei'];
+            const exp = Math.floor(Math.log(bytes) / Math.log(unit));
+            const prefix = units[exp - 1];
+            const value = bytes / Math.pow(unit, exp);
+
+            return `${value.toFixed(1)} ${prefix}B`;
+        }
+
+        function getPeerConnectionStatus(status) {
+            if (!status) return 'No status available.';
+
+            const fmtConn = ({
+                    connected,
+                    url,
+                    error
+                }) =>
+                connected ? `Connected${url ? ` to ${url}` : ''}` : `Disconnected${error ? `, reason: ${error}` : ''}`;
+
+            const fmtList = (items, fmtFn, fallback) =>
+                items?.length ? `\n${items.map(fmtFn).join("\n")}` : fallback;
+
+            const managementStr = fmtConn(status.management || {});
+            const signalStr = fmtConn(status.signal || {});
+
+            const interfaceType = status.kernelInterface ? "Kernel" : status.netbirdIp ? "Userspace" : "N/A";
+            const interfaceIp = status.netbirdIp || "N/A";
+
+            const relaysStr = fmtList(
+                status.relays?.details,
+                r => `  [${r.uri}] is ${r.available ? "Available" : "Unavailable"}${r.error ? `, reason: ${r.error}` : ""}`,
+                `${status.relays?.available || 0}/${status.relays?.total || 0} Available`
+            );
+
+            const dnsStr = fmtList(
+                status.dnsServers,
+                g => `  [${g.servers?.join(", ") || "N/A"}] for [${g.domains?.join(", ") || "."}] is ${g.enabled ? "Available" : "Unavailable"}${g.error ? `, reason: ${g.error}` : ""}`,
+                `${(status.dnsServers || []).filter(g => g.enabled).length}/${(status.dnsServers || []).length} Available`
+            );
+
+            const info = {
+                "Daemon version": status.daemonVersion,
+                "CLI version": status.cliVersion,
+                "Management": managementStr,
+                "Signal": signalStr,
+                "Relays": relaysStr,
+                "Nameservers": dnsStr,
+                "FQDN": status.fqdn,
+                "NetBird IP": interfaceIp,
+                "Interface type": interfaceType,
+                "Quantum resistance": status.rosenpassEnabled ? `true${status.rosenpassPermissive ? " (permissive)" : ""}` : "false",
+                "Lazy connection": status.lazyConnectionEnabled ? "true" : "false",
+                "Networks": status.networks?.join(", ") || "-",
+                "Forwarding rules": status.forwardingRules,
+                "Peers count": `${status.peers?.connected || 0}/${status.peers?.total || 0} Connected`
+            };
+            return Object.entries(info).map(([k, v]) => `${k}: ${v}`).join("\n");
+        }
+
+        function getPeersDetail(status) {
+            const {
+                peers,
+                rosenpassEnabled,
+                rosenpassPermissive
+            } = status;
+            const details = peers?.details || [];
+
+            return details.map(peer => {
+                const getOrDefault = (val, def = '-') => val ?? def;
+                const localIce = getOrDefault(peer.iceCandidateType?.local);
+                const remoteIce = getOrDefault(peer.iceCandidateType?.remote);
+
+                const quantumStatus = peer.quantumResistance ?
+                    (rosenpassEnabled ? 'true' : 'false (connection might not work without a remote permissive mode)') :
+                    rosenpassEnabled ?
+                    (rosenpassPermissive ?
+                        "false (remote didn't enable quantum resistance)" :
+                        "false (connection won't work without a permissive mode)") :
+                    'false';
+
+                const networks = Array.isArray(peer.networks) && peer.networks.length ?
+                    peer.networks.sort().join(', ') :
+                    '-';
+
+                const lastUpdate = new Date(peer.lastStatusUpdate || 0);
+                const handshake = new Date(peer.lastWireguardHandshake || 0);
+
+                const latency = typeof peer.latency === 'number' ?
+                    `${(peer.latency / 1_000_000).toFixed(2)} ms` :
+                    '-';
+
+                const indent = (line) => `  ${line}`; // 2-space indent
+
+                return [
+                    `${peer.fqdn}:`,
+                    indent(`NetBird IP: ${peer.netbirdIp}`),
+                    indent(`Public key: ${peer.publicKey}`),
+                    indent(`Status: ${peer.status}`),
+                    indent(`-- detail --`),
+                    indent(`Connection type: ${getOrDefault(peer.connectionType)}`),
+                    indent(`ICE candidate (Local/Remote): ${localIce}/${remoteIce}`),
+                    indent(`ICE candidate endpoints (Local/Remote): ${localIce}/${remoteIce}`),
+                    indent(`Relay server address: ${getOrDefault(peer.relayAddress)}`),
+                    indent(`Last connection update: ${getElapsedTime(lastUpdate)}`),
+                    indent(`Last WireGuard handshake: ${getElapsedTime(handshake)}`),
+                    indent(`Transfer status (received/sent): ${formatBytes(peer.transferReceived || 0)}/${formatBytes(peer.transferSent || 0)}`),
+                    indent(`Quantum resistance: ${quantumStatus}`),
+                    indent(`Networks: ${networks}`),
+                    indent(`Latency: ${latency}`)
+                ].join('\n');
+            }).join('\n\n');
+        }
+
+
+        function loadConnectionStatus() {
+            const $connStatus = $("#connStatus");
+            const $peersDetails = $("#peersDetail");
+            const $peersDetailContainer = $("#peersDetailContainer");
+
+            ajaxGet('/api/netbird/status/status', {}, (data) => {
+                const status = getPeerConnectionStatus(data);
+                const details = getPeersDetail(data);
+                
+                const isConnected = data.management?.connected === true;
+                $peersDetailContainer.toggleClass("hidden", !isConnected);
+                const renderPreTable = (content, maxHeight = null) => {
+                    const style = `padding: 10px;${maxHeight ? ` max-height: ${maxHeight}; overflow-y: auto;` : ''}`;
+                    return `
+                      <table class="table table-hover table-striped table-condensed">
+                        <tbody>
+                          <tr>
+                            <td><pre style="${style}">${content}</pre></td>
+                          </tr>
+                        </tbody>
+                      </table>
+                    `;
+                };
+
+                $connStatus.html(renderPreTable(status));
+                $peersDetails.html(renderPreTable(details, '500px'));
+            });
+        }
+
+        function loadVersionData() {
+            const $packages = $("#packages");
+
+            ajaxGet('/api/core/firmware/info', {}, (data) => {
+                const pkgs = data.package?.filter(pkg =>
+                    pkg.name?.toLowerCase().includes("netbird")
+                ) || [];
+
+                const rows = pkgs.map(pkg => `
+                <tr>
+                    <td>${pkg.name}</td>
+                    <td>${pkg.version}</td>
+                    <td>${pkg.comment}</td>
+                </tr>
+            `).join("");
+
+                const table = `
+                <table class="table table-hover table-striped table-condensed">
+                    <thead>
+                        <tr>
+                            <th>Name</th>
+                            <th>Version</th>
+                            <th>Comment</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        ${rows}
+                    </tbody>
+                </table>
+            `;
+                $packages.html(table);
+            });
+        }
+
+        loadConnectionStatus();
+        loadVersionData();
+    });
+</script>
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <h2>{{ lang._('Connection Status') }}</h2>
+            <div class="table-responsive" id="connStatus"></div>
+        </div>
+        <div class="col-md-12 hidden" id="peersDetailContainer">
+            <h2>{{ lang._('Peers Detail') }}</h2>
+            <div class="table-responsive" id="peersDetail"></div>
+        </div>
+    </div>
+    <br>
+    <div class="content-box">
+        <div class="col-md-12">
+            <h2>{{ lang._('Package Versions') }}</h2>
+            <div class="table-responsive" id="packages"></div>
+        </div>
+    </div>
+</section>
\ No newline at end of file
diff --git a/security/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh b/security/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh
deleted file mode 100755
index 18fa891456..0000000000
--- a/security/netbird/src/opnsense/scripts/OPNsense/Netbird/initialup.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-timestamp=$(date +%s)
-/usr/local/etc/rc.d/netbird stop
-echo "Deleting old configuration file"
-mv /usr/local/etc/netbird/config.json /usr/local/etc/netbird/config.json.$timestamp
-/usr/local/etc/rc.d/netbird start
-/usr/local/bin/netbird up $@ 2>&1
-if [ $? -ne 0 ]; then
-    /usr/local/etc/rc.d/netbird stop
-    echo "Failed to bring up netbird"
-    echo "Restoring old configuration file"
-    mv /usr/local/etc/netbird/config.json /usr/local/etc/netbird/config.json.$timestamp.fail
-    mv /usr/local/etc/netbird/config.json.$timestamp /usr/local/etc/netbird/config.json
-    /usr/local/etc/rc.d/netbird start
-fi
-exit 0
diff --git a/security/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf b/security/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
index da49b4e3df..78ae619610 100644
--- a/security/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
+++ b/security/netbird/src/opnsense/service/conf/actions.d/actions_netbird.conf
@@ -22,36 +22,29 @@ errors:no
 type:script_output
 message:get netbird status
 
-[con-status]
-command:/usr/local/bin/netbird status -d
-errors:no
-type:script_output
-message:get netbird connection status
-
-[set-up]
+[up]
 command:/usr/local/bin/netbird up
 type:script
 message:set netbird up
 
-[set-up-initial]
-command:/usr/local/opnsense/scripts/OPNsense/Netbird/initialup.sh
-parameters: -m %s -k %s -n %s
-type:script_output
-message:setup netbird
-
-[set-down]
+[down]
 command:/usr/local/bin/netbird down
 type:script
 message:set netbird down
 
-[short-con-status]
-command:/usr/local/bin/netbird status
+[status-json]
+command:/usr/local/bin/netbird status --json
 errors:no
 type:script_output
-message:get short netbird connection status
+message:get netbird status in json format
 
-[con-status-json]
-command:/usr/local/bin/netbird status --json
-errors:no
+[up-setup-key]
+command:/usr/local/bin/netbird up
+parameters: -m %s -k %s
+type:script_output
+message:set netbird up with setup key
+
+[sync-config]
+command:/usr/local/sbin/pluginctl -c netbird_sync_config
 type:script_output
-message:get netbird connection status
+message:sync netbird configuration
diff --git a/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird b/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
index fba7bdb83c..4dbbedb8e5 100644
--- a/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
+++ b/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
@@ -1,4 +1,4 @@
-{% if helpers.exists('OPNsense.netbird.general.Enabled') and OPNsense.netbird.general.Enabled|default("0") == '1' %}
+{% if OPNsense.netbird.general.enable == '1' %}
 netbird_enable="YES"
 {% else %}
 netbird_enable="NO"

From d752990dfa3543ce57231c1eae181e5afe76c2de Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 25 Jul 2025 15:29:28 +0200
Subject: [PATCH 2559/3088] security/netbird: small 'make glint' update

---
 .../OPNsense/Netbird/Api/AuthenticationController.php         | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt   | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
index 86e22cb583..4691c3668d 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
@@ -55,7 +55,7 @@ public function getAction(): array
         if (!empty($setupKey) && $setupKey !== $defaultKey) {
             $visiblePart = substr($setupKey, 0, 4);
             $maskedKey = $visiblePart . str_repeat('*', max(4, strlen($setupKey) - 4));
-        }else{
+        } else {
             $maskedKey = $defaultKey;
         }
 
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
index ead5e45867..0de5371db4 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
@@ -35,7 +35,7 @@
 
 class Settings extends BaseModel
 {
-    public function syncConfig($target='/var/db/netbird/config.json')
+    public function syncConfig($target = '/var/db/netbird/config.json')
     {
         $config = json_decode(file_get_contents($target), true);
         if (!is_array($config)) {
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt
index 14b06a98fd..bea4167a4e 100644
--- a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt
+++ b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/status.volt
@@ -201,7 +201,7 @@
             ajaxGet('/api/netbird/status/status', {}, (data) => {
                 const status = getPeerConnectionStatus(data);
                 const details = getPeersDetail(data);
-                
+
                 const isConnected = data.management?.connected === true;
                 $peersDetailContainer.toggleClass("hidden", !isConnected);
                 const renderPreTable = (content, maxHeight = null) => {
@@ -278,4 +278,4 @@
             <div class="table-responsive" id="packages"></div>
         </div>
     </div>
-</section>
\ No newline at end of file
+</section>

From 4550a74e671641b0427d01336d33d1304f83a6aa Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 25 Jul 2025 18:57:48 +0200
Subject: [PATCH 2560/3088] dns/ddclient - refactor setInternalIsVirtual() to
 volatile fields to make sure these exist in the index

---
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml     |  2 ++
 .../OPNsense/DynDNS/FieldTypes/AccountField.php   | 15 ++++-----------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index d1652a3755..d1a19de7c7 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -204,6 +204,8 @@
                     <Mask>/^(.){1,255}$/u</Mask>
                     <ValidationMessage>Description should be a string between 1 and 255 characters</ValidationMessage>
                 </description>
+                <current_ip type="TextField" volatile="true"/>
+                <current_mtime type="TextField" volatile="true"/>
             </account>
         </accounts>
     </items>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
index 32ec0c854c..0697684326 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/FieldTypes/AccountField.php
@@ -40,29 +40,22 @@ class AccountField extends ArrayField
 
     private function addStatsFields($node)
     {
-        // generate new unattached fields, which are only usable to read data from (not synched to config.xml)
-        $current_ip = new TextField();
-        $current_ip->setInternalIsVirtual();
-        $current_mtime = new TextField();
-        $current_mtime->setInternalIsVirtual();
         if (isset(self::$current_stats[$node->getAttribute('uuid')])) {
             $stats = self::$current_stats[$node->getAttribute('uuid')];
             if (!empty($stats)) {
-                $current_ip->setValue($stats['ip']);
-                $current_mtime->setValue(date('c', (int)$stats['mtime']));
+                $node->current_ip->setValue($stats['ip']);
+                $node->current_mtime->setValue(date('c', (int)$stats['mtime']));
             }
         } elseif (!empty((string)$node->hostnames)) {
             foreach (explode(",", (string)$node->hostnames) as $hostname) {
                 if (!empty(self::$current_stats[$hostname]) && !empty(self::$current_stats[$hostname]['ip'])) {
                     $stats = self::$current_stats[$hostname];
-                    $current_ip->setValue($stats['ip']);
-                    $current_mtime->setValue(date('c', $stats['mtime']));
+                    $node->current_ip->setValue($stats['ip']);
+                    $node->current_mtime->setValue(date('c', $stats['mtime']));
                     break;
                 }
             }
         }
-        $node->addChildNode('current_ip', $current_ip);
-        $node->addChildNode('current_mtime', $current_mtime);
     }
 
     protected function actionPostLoadingEvent()

From 84394925030d65bfb86896325817a87299213797 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Fri, 25 Jul 2025 19:18:06 +0200
Subject: [PATCH 2561/3088] www/c-icap: Define localserver acl once. (#4836)

* www/c-icap: Define localserver acl once.

* www/c-icap: Change maintainer.
---
 www/c-icap/Makefile                               |  2 +-
 .../service/templates/OPNsense/CICAP/c-icap.conf  | 15 +++++----------
 2 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index c3c56aedf7..7404101dd2 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -2,6 +2,6 @@ PLUGIN_NAME=		c-icap
 PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_MAINTAINER=	andybinder@gmx.de
 
 .include "../../Mk/plugins.mk"
diff --git a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
index 8f25c2638b..f2ea03556f 100644
--- a/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
+++ b/www/c-icap/src/opnsense/service/templates/OPNsense/CICAP/c-icap.conf
@@ -42,15 +42,15 @@ ServerName {{ OPNsense.cicap.general.servername }}
 {% else %}
 ServerName {{ system.hostname }}
 {% endif %}
+{% if not helpers.empty('OPNsense.cicap.general.listenaddress') %}
+acl localserver srvip {{ OPNsense.cicap.general.listenaddress }}
+{% else %}
+acl localserver srvip ::1
+{% endif %}
 {% if helpers.exists('OPNsense.cicap.general.localSquid') and OPNsense.cicap.general.localSquid == '1' %}
 {%      if helpers.exists('OPNsense.proxy.forward.icap.SendUsername') and OPNsense.proxy.forward.icap.SendUsername == '1' %}
 RemoteProxyUsers on
 acl AUTH auth *
-{%   if not helpers.empty('OPNsense.cicap.general.listenaddress') %}
-acl localserver srvip {{ OPNsense.cicap.general.listenaddress }}
-{%      else %}
-acl localserver srvip ::1
-{% endif %}
 icap_access allow AUTH localserver
 {%      else %}
 RemoteProxyUsers off
@@ -66,11 +66,6 @@ RemoteProxyUserHeader {{OPNsense.proxy.forward.icap.UsernameHeader}}
 {% else %}
 RemoteProxyUsers on
 acl AUTH auth *
-{%   if not helpers.empty('OPNsense.cicap.general.listenaddress') %}
-acl localserver srvip {{ OPNsense.cicap.general.listenaddress }}
-{%      else %}
-acl localserver srvip ::1
-{% endif %}
 icap_access allow AUTH localserver
 RemoteProxyUserHeaderEncoded on
 RemoteProxyUserHeader X-Authenticated-User

From 104ff3a683f51e06f57aedf286a0cec799879a46 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 26 Jul 2025 19:01:52 +0200
Subject: [PATCH 2562/3088] net/zerotier: Fix column width (#4838)

* net/zerotier: Fix column width

* net/zerotier: Bump revision
---
 net/zerotier/Makefile                                     | 2 +-
 .../opnsense/mvc/app/views/OPNsense/Zerotier/index.volt   | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/zerotier/Makefile b/net/zerotier/Makefile
index aad751c0a0..bd40a597be 100644
--- a/net/zerotier/Makefile
+++ b/net/zerotier/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		zerotier
 PLUGIN_VERSION=		1.3.2
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		Virtual Networks That Just Work
 PLUGIN_DEPENDS=		zerotier
 PLUGIN_MAINTAINER=	dharrigan@gmail.com
diff --git a/net/zerotier/src/opnsense/mvc/app/views/OPNsense/Zerotier/index.volt b/net/zerotier/src/opnsense/mvc/app/views/OPNsense/Zerotier/index.volt
index 55eb6159e9..f71aedc927 100644
--- a/net/zerotier/src/opnsense/mvc/app/views/OPNsense/Zerotier/index.volt
+++ b/net/zerotier/src/opnsense/mvc/app/views/OPNsense/Zerotier/index.volt
@@ -98,10 +98,10 @@ POSSIBILITY OF SUCH DAMAGE.
         <table id="grid-networks" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="dialogNetwork">
             <thead>
                 <tr>
-                    <th data-column-id="enabled" data-width="11%" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                    <th data-column-id="networkId" data-width="32%" data-type="string" data-visible="true">{{ lang._('Network Id') }}</th>
-                    <th data-column-id="description" data-width="46%" data-type="string" data-visible="true">{{ lang._('Local Description') }}</th>
-                    <th data-column-id="commands" data-width="11%" data-formatter="commandsWithInfo" data-visible="true" data-sortable="false">{{ lang._('Commands') }}</th>
+                    <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                    <th data-column-id="networkId" data-type="string" data-visible="true">{{ lang._('Network Id') }}</th>
+                    <th data-column-id="description" data-type="string" data-visible="true">{{ lang._('Local Description') }}</th>
+                    <th data-column-id="commands" data-width="130" data-formatter="commandsWithInfo" data-visible="true" data-sortable="false">{{ lang._('Commands') }}</th>
                     <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                 </tr>
             </thead>

From 55c9a9e82a811048cbdde931b6e69e59eaa07975 Mon Sep 17 00:00:00 2001
From: Pascal Herget <levelad@arcor.de>
Date: Sat, 26 Jul 2025 20:08:03 +0200
Subject: [PATCH 2563/3088] dns/dnscrypt-proxy: Fix ODoH servers not working
 (#4374)

---
 .../OPNsense/Dnscryptproxy/forms/general.xml  |  6 ++++
 .../models/OPNsense/Dnscryptproxy/General.xml |  6 +++-
 .../Dnscryptproxy/dnscrypt-proxy.toml         | 28 +++++++++++++++++--
 3 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
index 7f5d0e8538..02b73663a2 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/controllers/OPNsense/Dnscryptproxy/forms/general.xml
@@ -49,6 +49,12 @@
         <type>checkbox</type>
         <help>Let DNSCrypt-Proxy use servers with DNS-over-HTTPS protocol enabled.</help>
     </field>
+    <field>
+        <id>general.odoh_servers</id>
+        <label>Use Oblivious-DNS-over-HTTPS Servers</label>
+        <type>checkbox</type>
+        <help>Let DNSCrypt-Proxy use servers with Oblivious-DNS-over-HTTPS protocol enabled. Note: If checked you must provide ODoH target and relay servers manually!</help>
+    </field>
     <field>
         <id>general.require_dnssec</id>
         <label>Require DNSSEC</label>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index 16cd57a7ce..435c9713b2 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/dnscryptproxy/general</mount>
     <description>dnscrypt-proxy configuration</description>
-    <version>0.1.2</version>
+    <version>0.1.3</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
@@ -38,6 +38,10 @@
             <Default>1</Default>
             <Required>Y</Required>
         </doh_servers>
+        <odoh_servers type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </odoh_servers>
         <require_dnssec type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index ce67f33cd2..84d98ff086 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -40,6 +40,12 @@ doh_servers = true
 doh_servers = false
 {%   endif %}
 
+{%   if helpers.exists('OPNsense.dnscryptproxy.general.odoh_servers') and OPNsense.dnscryptproxy.general.odoh_servers == '1' %}
+odoh_servers = true
+{%   else %}
+odoh_servers = false
+{%   endif %}
+
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.require_dnssec') and OPNsense.dnscryptproxy.general.require_dnssec == '1' %}
 require_dnssec = true
 {%   else %}
@@ -146,7 +152,7 @@ cache = false
 
 [sources]
   [sources.'public-resolvers']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
   cache_file = 'public-resolvers.md'
   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
   refresh_delay = 72
@@ -155,12 +161,30 @@ cache = false
   ## Anonymized DNS relays
 
   [sources.'relays']
-  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md']
   cache_file = 'relays.md'
   minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
   refresh_delay = 72
   prefix = ''
 
+  ## Oblivious DoH servers
+
+  [sources.'odoh-servers']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-servers.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-servers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-servers.md']
+  cache_file = 'odoh-servers.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  refresh_delay = 72
+  prefix = ''
+
+  ## Oblivious DoH relays
+
+  [sources.'odoh-relays']
+  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/odoh-relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/odoh-relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/odoh-relays.md']
+  cache_file = 'odoh-relays.md'
+  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+  refresh_delay = 72
+  prefix = ''
+
 [anonymized_dns]
 
 {% if helpers.exists('OPNsense.dnscryptproxy.general.relaylist') and OPNsense.dnscryptproxy.general.relaylist != '' %}

From a8015681569cd525364f29f15b304450df2bda10 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sun, 27 Jul 2025 19:49:51 +0200
Subject: [PATCH 2564/3088] net/wol: Fix interface matching in widget to
 determine online status (#4842)

---
 net/wol/Makefile                                 | 2 +-
 net/wol/src/opnsense/www/js/widgets/WakeOnLan.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index b878db54f1..6d3d25beed 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wol
 PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
index f123776c9e..be5f12b575 100644
--- a/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
+++ b/net/wol/src/opnsense/www/js/widgets/WakeOnLan.js
@@ -66,7 +66,7 @@ export default class WakeOnLan extends BaseTableWidget {
 
           for(let it = 0; it < data.rows.length; it++){
               const item = data.rows[it];
-              let is_active = this.checkActive(arp, item.mac, item.interface);
+              let is_active = this.checkActive(arp, item.mac, item["%interface"]);
               let row = [
                   `${item.descr.length !== 0 ? item.descr + '<br/>': ''} ${item.mac}`,
                   `${item.interface}`,

From fc1587400221a7e73f5a78513fb55d5d36d8d32a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 28 Jul 2025 09:42:38 +0200
Subject: [PATCH 2565/3088] www/c-icap: update version

---
 www/c-icap/Makefile  | 2 +-
 www/c-icap/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/www/c-icap/Makefile b/www/c-icap/Makefile
index 7404101dd2..c18f9d74ba 100644
--- a/www/c-icap/Makefile
+++ b/www/c-icap/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		c-icap
-PLUGIN_VERSION=		1.8
+PLUGIN_VERSION=		1.9
 PLUGIN_COMMENT=		c-icap connects the web proxy with a virus scanner
 PLUGIN_DEPENDS=		c-icap c-icap-modules
 PLUGIN_MAINTAINER=	andybinder@gmx.de
diff --git a/www/c-icap/pkg-descr b/www/c-icap/pkg-descr
index 287a95eeac..2369c75a18 100644
--- a/www/c-icap/pkg-descr
+++ b/www/c-icap/pkg-descr
@@ -5,6 +5,11 @@ and filtering services.
 Plugin Changelog
 ================
 
+1.9
+
+* Fix issue with localserver ACL defintion
+* Yield maintainership to Andy Binder
+
 1.8
 
 * Move logging to syslog (contributed by Andy Binder)

From c98840e8165d86407be130c40a4a7eafb5bfd04c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 28 Jul 2025 09:47:51 +0200
Subject: [PATCH 2566/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index 5ac4735ef3..d2cb290674 100644
--- a/LICENSE
+++ b/LICENSE
@@ -57,6 +57,7 @@ Copyright (c) 2023-2024 Mikhail Kharisov
 Copyright (c) 2023 mleinart
 Copyright (c) 2024 MVZ Labor Ludwigsburg GbR
 Copyright (c) 2025 Neil Merchant
+Copyright (c) 2025 NetBird GmbH
 Copyright (c) 2025 Nick Card
 Copyright (c) 2021-2024 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen

From edbd2dc25eeea3ead7e808a4043f92acb197f73f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 28 Jul 2025 09:58:46 +0200
Subject: [PATCH 2567/3088] dns/ddclient: bump revision after fix

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 36532cc4a0..fb4a7b36cc 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.27
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From e5d312c0172680ff7eb74a8eceef3b23e2bf679e Mon Sep 17 00:00:00 2001
From: BPplays <58504799+BPplays@users.noreply.github.com>
Date: Mon, 28 Jul 2025 01:06:21 -0700
Subject: [PATCH 2568/3088] sysutils/nut(fix): IPv6 addresses in Netclient
 (#4823)

---
 .../nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
index da20af35da..e4d3ab405a 100644
--- a/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
+++ b/sysutils/nut/src/opnsense/service/templates/OPNsense/Nut/upsmon.conf
@@ -7,7 +7,7 @@ SHUTDOWNCMD "/usr/local/etc/rc.halt"
 POWERDOWNFLAG /etc/killpower
 {% endif %}
 {% if helpers.exists('OPNsense.Nut.netclient.enable') and OPNsense.Nut.netclient.enable == '1' %}
-MONITOR {{ OPNsense.Nut.general.name }}@{{ OPNsense.Nut.netclient.address }}{% if helpers.exists('OPNsense.Nut.netclient.port') %}:{{ OPNsense.Nut.netclient.port }}{% endif %} 1 {{ OPNsense.Nut.netclient.user }} {{ OPNsense.Nut.netclient.password }} slave
+MONITOR {{ OPNsense.Nut.general.name }}@{{ helpers.host_with_port('OPNsense.Nut.netclient.address', 'OPNsense.Nut.netclient.port') }} 1 {{ OPNsense.Nut.netclient.user }} {{ OPNsense.Nut.netclient.password }} slave
 SHUTDOWNCMD "/usr/local/etc/rc.halt"
 POWERDOWNFLAG /etc/killpower
 {% endif %}

From 98a0f9d6a602828d4e00ea70c92638dcf7b78c06 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 28 Jul 2025 10:21:01 +0200
Subject: [PATCH 2569/3088] sysutils/nut: bump revision

---
 sysutils/nut/Makefile  | 1 +
 sysutils/nut/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sysutils/nut/Makefile b/sysutils/nut/Makefile
index 4d749383bf..ed35203b97 100644
--- a/sysutils/nut/Makefile
+++ b/sysutils/nut/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nut
 PLUGIN_VERSION=		1.9
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Network UPS Tools
 PLUGIN_DEPENDS=		nut
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/sysutils/nut/pkg-descr b/sysutils/nut/pkg-descr
index 15131a87ad..4018fb54db 100644
--- a/sysutils/nut/pkg-descr
+++ b/sysutils/nut/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 1.9
 
 * Add dashboard widget
+* Fix IPv6 port declaration (contributed by BPplays)
 
 1.8
 

From 71f05ef0f8014095a0fa2e76b21a953de094ba71 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 28 Jul 2025 10:27:42 +0200
Subject: [PATCH 2570/3088] security/crowdsec: Fix alert time not showing in
 grid (#4843)

---
 .../src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt
index ea9f4214c0..9ad6bc6e21 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/alerts.volt
@@ -52,7 +52,7 @@
             <th data-column-id="country">Country</th>
             <th data-column-id="as">AS</th>
             <th data-column-id="decisions">Decisions</th>
-            <th data-column-id="created_at" data-formatter="created">Created</th>
+            <th data-column-id="created" data-formatter="created">Created</th>
         </tr>
     </thead>
     <tbody>

From 6e6ac06ff520f5114628377e78c8a7802d9c1a8c Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 28 Jul 2025 11:33:37 +0200
Subject: [PATCH 2571/3088] net/frr: Change column ids in ospf diagnostics as
 frr10 returns different keys, remove some data-width as they break the grid
 (#4844)

---
 .../views/OPNsense/Quagga/diagnostics.volt    | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
index 289f2bbf57..c6dbe668fa 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
@@ -294,13 +294,13 @@ POSSIBILITY OF SUCH DAMAGE.
                                 <th data-column-id="valid" data-searchable="false" data-formatter="boolean" data-sortable="false">{{ lang._('Valid') }}</th>
                                 <th data-column-id="bestpath" data-searchable="false" data-formatter="boolean" data-sortable="false">{{ lang._('Best') }}</th>
                                 <th data-column-id="internal" data-searchable="false" data-formatter="boolean" data-sortable="false">{{ lang._('Internal') }}</th>
-                                <th data-column-id="network" data-width="15%">{{ lang._('Network') }}</th>
-                                <th data-column-id="ip" data-width="25%">{{ lang._('Next Hop') }}</th>
+                                <th data-column-id="network" >{{ lang._('Network') }}</th>
+                                <th data-column-id="ip">{{ lang._('Next Hop') }}</th>
                                 <th data-column-id="metric" data-searchable="false">{{ lang._('Metric') }}</th>
                                 <th data-column-id="locPrf" data-searchable="false">{{ lang._('LocPrf') }}</th>
                                 <th data-column-id="weight" data-searchable="false">{{ lang._('Weight') }}</th>
-                                <th data-column-id="path" data-width="21%">{{ lang._('Path') }}</th>
-                                <th data-column-id="origin" data-width="10%" data-formatter="origin">{{ lang._('Origin') }}</th>
+                                <th data-column-id="path">{{ lang._('Path') }}</th>
+                                <th data-column-id="origin" data-formatter="origin">{{ lang._('Origin') }}</th>
                             </tr>
                             </thead>
                             <tbody>
@@ -332,8 +332,8 @@ POSSIBILITY OF SUCH DAMAGE.
                         <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
                             <thead>
                             <tr>
-                                <th data-column-id="destinationType" data-width="5em" data-formatter="ospf6_dest_type" data-sortable="false">{{ lang._('Type') }}</th>
-                                <th data-column-id="isBestRoute" data-width="5em" data-formatter="boolean" data-searchable="false" data-sortable="false">{{ lang._('Best') }}</th>
+                                <th data-column-id="destinationType" data-formatter="ospf6_dest_type" data-sortable="false">{{ lang._('Type') }}</th>
+                                <th data-column-id="isBestRoute" data-formatter="boolean" data-searchable="false" data-sortable="false">{{ lang._('Best') }}</th>
                                 <th data-column-id="pathType" data-formatter="ospf6_path_type">{{ lang._('Path type') }}</th>
                                 <th data-column-id="network">{{ lang._('Network') }}</th>
                                 <th data-column-id="nextHop" data-type="string">{{ lang._('nextHop') }}</th>
@@ -353,14 +353,14 @@ POSSIBILITY OF SUCH DAMAGE.
                             <thead>
                             <tr>
                                 <th data-column-id="neighborid">{{ lang._('Neighbor ID') }}</th>
-                                <th data-column-id="priority" data-searchable="false">{{ lang._('Priority') }}</th>
-                                <th data-column-id="state">{{ lang._('State') }}</th>
-                                <th data-column-id="deadTimeMsecs" data-searchable="false">{{ lang._('Dead Time') }} &lsqb;ms&rsqb;</th>
-                                <th data-column-id="address">{{ lang._('Address') }}</th>
+                                <th data-column-id="nbrPriority" data-searchable="false">{{ lang._('Priority') }}</th>
+                                <th data-column-id="nbrState">{{ lang._('State') }}</th>
+                                <th data-column-id="routerDeadIntervalTimerDueMsec" data-searchable="false">{{ lang._('Dead Time') }} &lsqb;ms&rsqb;</th>
+                                <th data-column-id="ifaceAddress">{{ lang._('Address') }}</th>
                                 <th data-column-id="ifaceName">{{ lang._('Interface') }}</th>
-                                <th data-column-id="retransmitCounter" data-searchable="false">{{ lang._('Retransmit Counter') }}</th>
-                                <th data-column-id="requestCounter" data-searchable="false">{{ lang._('Request Counter') }}</th>
-                                <th data-column-id="dbSummaryCounter" data-searchable="false">{{ lang._('DB Summary Counter') }}</th>
+                                <th data-column-id="linkStateRetransmissionListCounter" data-searchable="false">{{ lang._('Retransmit Counter') }}</th>
+                                <th data-column-id="linkStateRequestListCounter" data-searchable="false">{{ lang._('Request Counter') }}</th>
+                                <th data-column-id="databaseSummaryListCounter" data-searchable="false">{{ lang._('DB Summary Counter') }}</th>
                             </tr>
                             </thead>
                             <tbody>

From 516eca6cfad9dfee1ae7cb37b84dc9f2c043a048 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 28 Jul 2025 13:10:44 +0200
Subject: [PATCH 2572/3088] security/crowdsec: changelog

---
 security/crowdsec/pkg-descr | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index 4fb585fffc..b4f8618971 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -10,20 +10,22 @@ Plugin Changelog
 
 1.0.11
 
- * convert tables to UIBootGrid (required for opnsense 25.7)
- * separate page for each table
+* convert tables to UIBootGrid (required for opnsense 25.7)
+* separate page for each table
+* IPv6 validation for LAPI listen address broken (contributed by BPplays)
+* Fix alert time not showing in grid
 
 1.0.10
 
- * changed alias names crowdsec*blacklists -> crowdsec*blocklists
- * added rules for outgoing connections too
- * added enroll_key to settings for automatic enrollment
- * option to disable rule generation (bring your own rules!)
- * code cleanup, reformat, typing
+* changed alias names crowdsec*blacklists -> crowdsec*blocklists
+* added rules for outgoing connections too
+* added enroll_key to settings for automatic enrollment
+* option to disable rule generation (bring your own rules!)
+* code cleanup, reformat, typing
 
 1.0.9
 
- * Update rule reference ($ -> <>) for opnsense 25.1
+* Update rule reference ($ -> <>) for opnsense 25.1
 
 1.0.8
 
@@ -40,7 +42,7 @@ Plugin Changelog
 
 1.0.6
 
- * default acquis.d/opnsense.yaml to "poll_without_inotify=true" which is now required
+* default acquis.d/opnsense.yaml to "poll_without_inotify=true" which is now required
    to acquire content from symlinks.
 
 1.0.5

From be813a0ab84aea5ba44c11ed07702f6c4cfe885e Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 28 Jul 2025 13:16:18 +0200
Subject: [PATCH 2573/3088] net/frr: Fix interface area not rendering in ospfv6
 in frr10 (#4845)

---
 .../service/templates/OPNsense/Quagga/ospf6d.conf         | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
index 91666f3a61..66896f7a7c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospf6d.conf
@@ -12,6 +12,7 @@ agentx
 {% for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
 {%   if interface.enabled == '1' %}
 interface {{ physical_interface(interface.interfacename) }}
+  ipv6 ospf6 area {{ interface.area }}
 {%        if interface.bfd|default('') == '1' %}
   ipv6 ospf6 bfd
 {%        endif %}
@@ -68,13 +69,6 @@ router ospf6
 {%     endif %}
 {%   endfor %}
 {% endif %}
-{% if helpers.exists('OPNsense.quagga.ospf6.interfaces.interface') %}
-{%   for interface in helpers.toList('OPNsense.quagga.ospf6.interfaces.interface') %}
-{%     if interface.enabled == '1' %}
- interface {{ physical_interface(interface.interfacename) }} area {{ interface.area }}
-{%     endif %}
-{%   endfor %}
-{% endif %}
 {%   if helpers.exists('OPNsense.quagga.ospf6.prefixlists.prefixlist') %}
 {%     for prefixlist in helpers.sortDictList(OPNsense.quagga.ospf6.prefixlists.prefixlist, 'name', 'seqnumber' ) %}
 {%       if prefixlist.enabled == '1' %}

From b2668b72c90559203d7baa8ae93007122a61d87a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Tue, 29 Jul 2025 06:59:46 +0200
Subject: [PATCH 2574/3088] Themes update - Cicada/Vicuna/Tukan (#4846)

---
 misc/theme-cicada/Makefile                    |   3 +-
 .../cicada/build/css/opnsense-bootgrid.css    | 299 ++++++++++++++++++
 .../themes/cicada/build/css/tabulator.min.css |   2 +
 misc/theme-tukan/Makefile                     |   2 +-
 .../www/themes/tukan/build/css/main.css       |   4 +-
 .../tukan/build/css/opnsense-bootgrid.css     | 299 ++++++++++++++++++
 .../themes/tukan/build/css/tabulator.min.css  |   2 +
 misc/theme-vicuna/Makefile                    |   3 +-
 .../vicuna/build/css/opnsense-bootgrid.css    | 299 ++++++++++++++++++
 .../themes/vicuna/build/css/tabulator.min.css |   2 +
 10 files changed, 908 insertions(+), 7 deletions(-)
 create mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
 create mode 100644 misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tabulator.min.css
 create mode 100644 misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/opnsense-bootgrid.css
 create mode 100644 misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/tabulator.min.css
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
 create mode 100644 misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tabulator.min.css

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index 31e06d83b9..e7d7ac36ee 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.39
-PLUGIN_REVISION=		1
+PLUGIN_VERSION=		1.40
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
new file mode 100644
index 0000000000..9fe95901a4
--- /dev/null
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
@@ -0,0 +1,299 @@
+/**
+* Main theming elements
+*/
+.tabulator {
+  font-size: 15px;
+  background-color: transparent;
+  border: none;
+  border-top: 1px solid #191919;
+}
+
+/* theme: header */
+.tabulator .tabulator-header {
+  background-color: transparent;
+  border-bottom: none;
+  border-left: 1px solid #191919;
+
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  border-right: 1px solid #191919;
+  background-color: #242424;
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover {
+  background-color: #151515;
+}
+
+.tabulator .tabulator-headers {
+  height: 100% !important; /* make sure the border below appears */
+  border-bottom: 1px solid #191919;
+}
+
+/*------------*/
+/* theme: body */
+.tabulator .tabulator-tableholder .tabulator-table {
+  background-color: transparent;
+  border-left: 1px solid #191919;
+}
+
+.tabulator-row {
+  background-color: transparent;
+  color: #bac3ca;
+}
+
+.tabulator-row.tabulator-row-odd {
+  background-color: #242424;
+}
+
+.tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected) {
+  background-color: #242424;
+}
+
+.tabulator-row.tabulator-row-even {
+  background-color: #242424;
+}
+
+.tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected) {
+  background-color: #242424;
+}
+
+.tabulator .tabulator-tableholder {
+  background-color: transparent;
+}
+
+.tabulator-row.tabulator-selected {
+  background-color: #242424;
+}
+
+.tabulator-row.tabulator-selected:hover {
+  cursor: pointer;
+  background-color: #242424;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  color: #373736; /* spinner icon */
+}
+
+/* Command column styles */
+.tabulator-col.tabulator-frozen.tabulator-frozen-right {
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right {
+}
+
+/* Checkbox column styles */
+.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid #191919; /* separates checkbox column from table rows */
+  border-left: 1px solid #191919;
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid #191919;
+  border-top: 1px solid #191919;
+  border-bottom: 1px solid #191919;
+  border-left: 1px solid #191919;
+}
+
+.tabulator-col.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+}
+
+.tabulator-cell.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+}
+
+/*------------*/
+/* theme: cells */
+.tabulator-row .tabulator-cell {
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  line-height: 1.2;
+  vertical-align: top;
+  border-bottom: 1px solid #191919;
+  border-right: 1px solid #191919;
+}
+
+/*-------------*/
+/* theme: footer */
+.tabulator .tabulator-footer {
+  border-top: none;
+  background-color: transparent;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  background-color: #262626;
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-footer .tabulator-page.active {
+  background-color: #dd630d;
+  border-color: #191919;
+  cursor: default;
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled):hover {
+  color: #bac3ca;
+  background-color: #dd630d;
+  border-color: #191919;
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled).active:hover {
+  background-color: #dd630d;
+  border-color: #191919;
+  color: #bac3ca;
+  cursor: default;
+}
+
+.tabulator-page-counter {
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator {
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  border-radius: 0px;
+  margin: 0px;
+  padding: 6px 12px;
+  border: 1px solid #191919;
+}
+
+/*----------*/
+/* end of main theming elements */
+.tabulator-paginator {
+  flex: 0 !important;
+}
+
+.tabulator-page-counter {
+  flex: 1;
+  text-align: right;
+}
+
+.tabulator-col-sorter i {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  padding: 5px;
+}
+
+.tabulator .tabulator-headers > :first-child {
+  padding-left: 10px;
+}
+
+.opnsense-bootgrid-responsive {
+  white-space: wrap !important;
+  text-overflow: inherit !important;
+  overflow: visible !important;
+  word-break: break-word !important;
+}
+
+.opnsense-bootgrid-ellipsis {
+  overflow: hidden !important;
+  white-space: nowrap !important;
+  text-overflow: ellipsis !important;
+}
+
+.tabulator-row > :first-child {
+  padding-left: 10px;
+}
+
+.tabulator .tabulator-header .tabulator-col .tabulator-col-content {
+  padding: 0px;
+}
+
+.tabulator-page-counter {
+  padding-right: 20px;
+}
+
+.bootgrid-footer-commands {
+  width: 90px;
+  padding-left: 8px;
+}
+
+.tabulator-tableholder::after {
+  content: "";
+  display: block;
+  width: 1px;
+  height: 1px;
+  min-width: 100%;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:first-child {
+  border-bottom-left-radius: 3px;
+  border-top-left-radius: 3px;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:last-child {
+  border-bottom-right-radius: 3px;
+  border-top-right-radius: 3px;
+}
+
+/* border line corrections and hover/selection behavior */
+.tabulator-row:first-child > .tabulator-cell {
+  border-top: none;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title {
+  padding: 0px;
+}
+
+/* Row highlight behavior */
+@keyframes highlight {
+  0% {
+    background: #242424;
+  }
+  100% {
+    background: none;
+  }
+}
+.highlight-bg {
+  animation: highlight 2s;
+}
+
+/* Tabulator "loading" and "error" overrides */
+.tabulator .tabulator-alert {
+  background: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  border: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg {
+  background: initial;
+  font-size: 18px;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error {
+  border: none;
+}
+
+.bootgrid-placeholder {
+    font-size: 15px;
+    text-align: center;
+    white-space: normal;
+    font-weight: 400;
+    margin: 10px;
+}
+
+.bootgrid-overlay {
+    position: absolute;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    background: #242424;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    z-index: 99;
+}
+.overlay > i {
+    font-size: 20px;
+    color: black;
+}
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tabulator.min.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tabulator.min.css
new file mode 100644
index 0000000000..7034e96558
--- /dev/null
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tabulator.min.css
@@ -0,0 +1,2 @@
+.tabulator{background-color:#888;border:1px solid #191919;font-size:14px;overflow:hidden;position:relative;text-align:left;-webkit-transform:translateZ(0);-moz-transform:translateZ(0);-ms-transform:translateZ(0);-o-transform:translateZ(0);transform:translateZ(0)}.tabulator[tabulator-layout=fitDataFill] .tabulator-tableholder .tabulator-table{min-width:100%}.tabulator[tabulator-layout=fitDataTable]{display:inline-block}.tabulator.tabulator-block-select,.tabulator.tabulator-ranges .tabulator-cell:not(.tabulator-editing){user-select:none; }.tabulator .tabulator-header{background-color:#e6e6e6;border-bottom:1px solid #999;box-sizing:border-box;color:#555;font-weight:700;outline:none;overflow:hidden;position:relative;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap;width:100%}.tabulator .tabulator-header.tabulator-header-hidden{display:none}.tabulator .tabulator-header .tabulator-header-contents{overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-header-contents .tabulator-headers{display:inline-block}.tabulator .tabulator-header .tabulator-col{background:#e6e6e6;border-right:1px solid #aaa;box-sizing:border-box;display:inline-flex;flex-direction:column;justify-content:flex-start;overflow:hidden;position:relative;text-align:left;vertical-align:bottom}.tabulator .tabulator-header .tabulator-col.tabulator-moving{background:#cdcdcd;border:1px solid #999;pointer-events:none;position:absolute}.tabulator .tabulator-header .tabulator-col.tabulator-range-highlight{background-color:#d6d6d6;color:#000}.tabulator .tabulator-header .tabulator-col.tabulator-range-selected{background-color:#3876ca;color:#fff}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{box-sizing:border-box;padding:4px;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button{padding:0 8px}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button:hover{cursor:pointer;opacity:.6}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title-holder{position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title{box-sizing:border-box;overflow:hidden;text-overflow:ellipsis;vertical-align:bottom;white-space:nowrap;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title.tabulator-col-title-wrap{text-overflow:clip;white-space:normal}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-title-editor{background:#fff;border:1px solid #999;box-sizing:border-box;padding:1px;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-header-popup-button+.tabulator-title-editor{width:calc(100% - 22px)}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{align-items:center;bottom:0;display:flex;position:absolute;right:4px;top:0}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-left:6px solid transparent;border-right:6px solid transparent;height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{border-top:1px solid #aaa;display:flex;margin-right:-1px;overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter{box-sizing:border-box;margin-top:2px;position:relative;text-align:center;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter textarea{height:auto!important}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter svg{margin-top:3px}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter input::-ms-clear{height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-right:25px}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover{background-color:#cdcdcd;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter{color:#bbb}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #666;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-top:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:none;border-top:6px solid #666;color:#666}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical .tabulator-col-content .tabulator-col-title{align-items:center;display:flex;justify-content:center;text-orientation:mixed;writing-mode:vertical-rl}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-col-vertical-flip .tabulator-col-title{transform:rotate(180deg)}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-title{padding-right:0;padding-top:20px}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable.tabulator-col-vertical-flip .tabulator-col-title{padding-bottom:20px;padding-right:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-sorter{bottom:auto;justify-content:center;left:0;right:0;top:4px}.tabulator .tabulator-header .tabulator-frozen{left:0;position:sticky;z-index:11}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator .tabulator-header .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;display:inline-block}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-header .tabulator-frozen-rows-holder{display:inline-block}.tabulator .tabulator-header .tabulator-frozen-rows-holder:empty{display:none}.tabulator .tabulator-tableholder{-webkit-overflow-scrolling:touch;overflow:auto;position:relative;white-space:nowrap;width:100%}.tabulator .tabulator-tableholder:focus{outline:none}.tabulator .tabulator-tableholder .tabulator-placeholder{align-items:center;box-sizing:border-box;display:flex;justify-content:center;min-width:100%;width:100%}.tabulator .tabulator-tableholder .tabulator-placeholder[tabulator-render-mode=virtual]{min-height:100%}.tabulator .tabulator-tableholder .tabulator-placeholder .tabulator-placeholder-contents{color:#ccc;display:inline-block;font-size:20px;font-weight:700;padding:10px;text-align:center;white-space:normal}.tabulator .tabulator-tableholder .tabulator-table{background-color:#fff;color:#333;display:inline-block;overflow:visible;position:relative;white-space:nowrap}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs{background:#e2e2e2!important;font-weight:700}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-top{border-bottom:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-bottom{border-top:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-range-overlay{inset:0;pointer-events:none;position:absolute;z-index:10}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range{border:1px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;position:absolute;right:-3px;width:6px}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range-cell-active{border:2px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-footer{background-color:#e6e6e6;border-top:1px solid #999;color:#555;font-weight:700;user-select:none;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap}.tabulator .tabulator-footer .tabulator-footer-contents{align-items:center;display:flex;flex-direction:row;justify-content:space-between;padding:5px 10px}.tabulator .tabulator-footer .tabulator-footer-contents:empty{display:none}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs{margin-top:-5px;overflow-x:auto}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab{border:1px solid #999;border-bottom-left-radius:5px;border-bottom-right-radius:5px;border-top:none;display:inline-block;font-size:.9em;padding:5px}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab:hover{cursor:pointer;opacity:.7}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab.tabulator-spreadsheet-tab-active{background:#fff}.tabulator .tabulator-footer .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;overflow:hidden;text-align:left;width:100%}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important;display:inline-block}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-footer .tabulator-calcs-holder:only-child{border-bottom:none;margin-bottom:-5px}.tabulator .tabulator-footer>*+.tabulator-page-counter{margin-left:10px}.tabulator .tabulator-footer .tabulator-page-counter{font-weight:400}.tabulator .tabulator-footer .tabulator-paginator{color:#555;flex:1;font-family:inherit;font-size:inherit;font-weight:inherit;text-align:right}.tabulator .tabulator-footer .tabulator-page-size{border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 5px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-pages{margin:0 7px}.tabulator .tabulator-footer .tabulator-page{background:hsla(0,0%,100%,.2);border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 2px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-page.active{color:#d00}.tabulator .tabulator-footer .tabulator-page:disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-footer .tabulator-page:not(disabled):hover{background:rgba(0,0,0,.2);color:#fff;cursor:pointer}}.tabulator .tabulator-col-resize-handle{display:inline-block;margin-left:-3px;margin-right:-3px;position:relative;vertical-align:middle;width:6px;z-index:11}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-col-resize-handle:hover{cursor:ew-resize}}.tabulator .tabulator-col-resize-handle:last-of-type{margin-right:0;width:3px}.tabulator .tabulator-col-resize-guide{background-color:#999;height:100%;margin-left:-.5px;opacity:.5;position:absolute;top:0;width:4px}.tabulator .tabulator-row-resize-guide{background-color:#999;height:4px;left:0;margin-top:-.5px;opacity:.5;position:absolute;width:100%}.tabulator .tabulator-alert{align-items:center;background:rgba(0,0,0,.4);display:flex;height:100%;left:0;position:absolute;text-align:center;top:0;width:100%;z-index:100}.tabulator .tabulator-alert .tabulator-alert-msg{background:#fff;border-radius:10px;display:inline-block;font-size:16px;font-weight:700;margin:0 auto;padding:10px 20px}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{border:4px solid #333;color:#000}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error{border:4px solid #d00;color:#590000}.tabulator-row{background-color:#fff;box-sizing:border-box;min-height:22px;position:relative}.tabulator-row.tabulator-row-even{background-color:#efefef}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selectable:hover{background-color:#bbb;cursor:pointer}}.tabulator-row.tabulator-selected{background-color:#9abcea}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selected:hover{background-color:#769bcc;cursor:pointer}}.tabulator-row.tabulator-row-moving{background:#fff;border:1px solid #000}.tabulator-row.tabulator-moving{border-bottom:1px solid #aaa;border-top:1px solid #aaa;pointer-events:none;position:absolute;z-index:15}.tabulator-row.tabulator-range-highlight .tabulator-cell.tabulator-range-row-header{background-color:#d6d6d6;color:#000}.tabulator-row.tabulator-range-highlight.tabulator-range-selected .tabulator-cell.tabulator-range-row-header,.tabulator-row.tabulator-range-selected .tabulator-cell.tabulator-range-row-header{background-color:#3876ca;color:#fff}.tabulator-row .tabulator-row-resize-handle{bottom:0;height:5px;left:0;position:absolute;right:0}.tabulator-row .tabulator-row-resize-handle.prev{bottom:auto;top:0}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-row-resize-handle:hover{cursor:ns-resize}}.tabulator-row .tabulator-responsive-collapse{border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;padding:5px}.tabulator-row .tabulator-responsive-collapse:empty{display:none}.tabulator-row .tabulator-responsive-collapse table{font-size:14px}.tabulator-row .tabulator-responsive-collapse table tr td{position:relative}.tabulator-row .tabulator-responsive-collapse table tr td:first-of-type{padding-right:10px}.tabulator-row .tabulator-cell{border-right:1px solid #aaa;box-sizing:border-box;display:inline-block;outline:none;overflow:hidden;padding:4px;position:relative;text-overflow:ellipsis;vertical-align:middle;white-space:nowrap}.tabulator-row .tabulator-cell.tabulator-row-header{background:#e6e6e6;border-bottom:1px solid #aaa;border-right:1px solid #999}.tabulator-row .tabulator-cell.tabulator-frozen{background-color:inherit;display:inline-block;left:0;position:sticky;z-index:11}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-editing{border:1px solid #1d68cd;outline:none;padding:0}.tabulator-row .tabulator-cell.tabulator-editing input,.tabulator-row .tabulator-cell.tabulator-editing select{background:transparent;border:1px;outline:none}.tabulator-row .tabulator-cell.tabulator-validation-fail{border:1px solid #d00}.tabulator-row .tabulator-cell.tabulator-validation-fail input,.tabulator-row .tabulator-cell.tabulator-validation-fail select{background:transparent;border:1px;color:#d00}.tabulator-row .tabulator-cell.tabulator-row-handle{align-items:center;display:inline-flex;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box{width:80%}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box .tabulator-row-handle-bar{background:#666;height:3px;margin-top:2px;width:100%}.tabulator-row .tabulator-cell.tabulator-range-selected:not(.tabulator-range-only-cell-selected):not(.tabulator-range-row-header){background-color:#9abcea}.tabulator-row .tabulator-cell .tabulator-data-tree-branch-empty{display:inline-block;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle{align-items:center;background:#666;border-radius:20px;color:#fff;display:inline-flex;font-size:1.1em;font-weight:700;height:15px;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;width:15px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle:hover{cursor:pointer;opacity:.7}}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-close{display:initial}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-open{display:none}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle svg{stroke:#fff}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle .tabulator-responsive-collapse-toggle-close{display:none}.tabulator-row .tabulator-cell .tabulator-traffic-light{border-radius:14px;display:inline-block;height:14px;width:14px}.tabulator-row.tabulator-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-row.tabulator-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-row.tabulator-group.tabulator-group-level-1{padding-left:30px}.tabulator-row.tabulator-group.tabulator-group-level-2{padding-left:50px}.tabulator-row.tabulator-group.tabulator-group-level-3{padding-left:70px}.tabulator-row.tabulator-group.tabulator-group-level-4{padding-left:90px}.tabulator-row.tabulator-group.tabulator-group-level-5{padding-left:110px}.tabulator-row.tabulator-group .tabulator-group-toggle{display:inline-block}.tabulator-row.tabulator-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-row.tabulator-group span{color:#d00;margin-left:10px}.tabulator-toggle{background:#dcdcdc;border:1px solid #ccc;box-sizing:border-box;display:flex;flex-direction:row}.tabulator-toggle.tabulator-toggle-on{background:#1c6cc2}.tabulator-toggle .tabulator-toggle-switch{background:#fff;border:1px solid #ccc;box-sizing:border-box}.tabulator-popup-container{-webkit-overflow-scrolling:touch;background:#fff;border:1px solid #aaa;box-shadow:0 0 5px 0 rgba(0,0,0,.2);box-sizing:border-box;display:inline-block;font-size:14px;overflow-y:auto;position:absolute;z-index:10000}.tabulator-popup{border-radius:3px;padding:5px}.tabulator-tooltip{border-radius:2px;box-shadow:none;font-size:12px;max-width:Min(500px,100%);padding:3px 5px;pointer-events:none}.tabulator-menu .tabulator-menu-item{box-sizing:border-box;padding:5px 10px;position:relative;user-select:none}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator-menu .tabulator-menu-item:not(.tabulator-menu-item-disabled):hover{background:#efefef;cursor:pointer}}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu{padding-right:25px}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu:after{border-color:#aaa;border-style:solid;border-width:1px 1px 0 0;content:"";display:inline-block;height:7px;position:absolute;right:10px;top:calc(5px + .4em);transform:rotate(45deg);vertical-align:top;width:7px}.tabulator-menu .tabulator-menu-separator{border-top:1px solid #aaa}.tabulator-edit-list{-webkit-overflow-scrolling:touch;font-size:14px;max-height:200px;overflow-y:auto}.tabulator-edit-list .tabulator-edit-list-item{color:#333;outline:none;padding:4px}.tabulator-edit-list .tabulator-edit-list-item.active{background:#1d68cd;color:#fff}.tabulator-edit-list .tabulator-edit-list-item.active.focused{outline:1px solid hsla(0,0%,100%,.5)}.tabulator-edit-list .tabulator-edit-list-item.focused{outline:1px solid #1d68cd}@media (hover:hover) and (pointer:fine){.tabulator-edit-list .tabulator-edit-list-item:hover{background:#1d68cd;color:#fff;cursor:pointer}}.tabulator-edit-list .tabulator-edit-list-placeholder{color:#333;padding:4px;text-align:center}.tabulator-edit-list .tabulator-edit-list-group{border-bottom:1px solid #aaa;color:#333;font-weight:700;padding:6px 4px 4px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-2,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-2{padding-left:12px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-3,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-3{padding-left:20px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-4,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-4{padding-left:28px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-5,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-5{padding-left:36px}.tabulator.tabulator-ltr{direction:ltr}.tabulator.tabulator-rtl{direction:rtl;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col{border-left:1px solid #aaa;border-right:initial;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{margin-left:-1px;margin-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-left:25px;padding-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{left:8px;right:auto}.tabulator.tabulator-rtl .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;left:-3px;position:absolute;right:auto;width:6px}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell{border-left:1px solid #aaa;border-right:initial}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom-left-radius:0;border-bottom-right-radius:1px;border-left:initial;border-right:2px solid #aaa;margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-control{margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-left:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-right:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-col-resize-handle:last-of-type{margin-left:0;margin-right:-3px;width:3px}.tabulator.tabulator-rtl .tabulator-footer .tabulator-calcs-holder{text-align:initial}.tabulator-print-fullscreen{bottom:0;left:0;position:absolute;right:0;top:0;z-index:10000}body.tabulator-print-fullscreen-hide>:not(.tabulator-print-fullscreen){display:none!important}.tabulator-print-table{border-collapse:collapse}.tabulator-print-table .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-print-table .tabulator-print-table-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-print-table-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-print-table .tabulator-print-table-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-1 td{padding-left:30px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-2 td{padding-left:50px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-3 td{padding-left:70px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-4 td{padding-left:90px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-5 td{padding-left:110px!important}.tabulator-print-table .tabulator-print-table-group .tabulator-group-toggle{display:inline-block}.tabulator-print-table .tabulator-print-table-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-print-table .tabulator-print-table-group span{color:#d00;margin-left:10px}.tabulator-print-table .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}
+/*# sourceMappingURL=tabulator.min.css.map */
\ No newline at end of file
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index 4afe2aa3f8..cf339ac2d5 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.29
+PLUGIN_VERSION=		1.30
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
index 3fc27afd3e..b6c87a5880 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/main.css
@@ -2053,8 +2053,8 @@ th {
     font-family: 'SourceSansProSemibold';
     font-weight: normal;
     border-bottom: 1px solid #5e5e5e;
-    background-color: #45565f;
-    color: #FFF;}
+    background-color: #fff;
+    color: #000;}
   .table > tbody + tbody {
     border-top: 2px solid #5e5e5e; }
   .table .table {
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/opnsense-bootgrid.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/opnsense-bootgrid.css
new file mode 100644
index 0000000000..4e997565c3
--- /dev/null
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/opnsense-bootgrid.css
@@ -0,0 +1,299 @@
+/**
+* Main theming elements
+*/
+.tabulator {
+  font-size: 15px;
+  background-color: transparent;
+  border: none;
+  border-top: 1px solid #191919;
+}
+
+/* theme: header */
+.tabulator .tabulator-header {
+  background-color: transparent;
+  border-bottom: none;
+  border-left: 1px solid #191919;
+
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  border-right: 1px solid #191919;
+  background-color: #fff;
+  color: #000;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover {
+  background-color: #eee;
+}
+
+.tabulator .tabulator-headers {
+  height: 100% !important; /* make sure the border below appears */
+  border-bottom: 1px solid #191919;
+}
+
+/*------------*/
+/* theme: body */
+.tabulator .tabulator-tableholder .tabulator-table {
+  background-color: transparent;
+  border-left: 1px solid #191919;
+}
+
+.tabulator-row {
+  background-color: transparent;
+  color: #bac3ca;
+}
+
+.tabulator-row.tabulator-row-odd {
+  background-color: #eee;
+}
+
+.tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected) {
+  background-color: #eee;
+}
+
+.tabulator-row.tabulator-row-even {
+  background-color: #eee;
+}
+
+.tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected) {
+  background-color: #eee;
+}
+
+.tabulator .tabulator-tableholder {
+  background-color: transparent;
+}
+
+.tabulator-row.tabulator-selected {
+  background-color: #eee;
+}
+
+.tabulator-row.tabulator-selected:hover {
+  cursor: pointer;
+  background-color: #eee;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  color: #373736; /* spinner icon */
+}
+
+/* Command column styles */
+.tabulator-col.tabulator-frozen.tabulator-frozen-right {
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right {
+}
+
+/* Checkbox column styles */
+.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid #191919; /* separates checkbox column from table rows */
+  border-left: 1px solid #191919;
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid #191919;
+  border-top: 1px solid #191919;
+  border-bottom: 1px solid #191919;
+  border-left: 1px solid #191919;
+}
+
+.tabulator-col.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+}
+
+.tabulator-cell.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+}
+
+/*------------*/
+/* theme: cells */
+.tabulator-row .tabulator-cell {
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  line-height: 1.2;
+  vertical-align: top;
+  border-bottom: 1px solid #191919;
+  border-right: 1px solid #191919;
+}
+
+/*-------------*/
+/* theme: footer */
+.tabulator .tabulator-footer {
+  border-top: none;
+  background-color: transparent;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  background-color: #e9e9ed;
+  color: #101218;
+}
+
+.tabulator .tabulator-footer .tabulator-page.active {
+  background-color: #dd630d;
+  border-color: #191919;
+  cursor: default;
+  color: #101218;
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled):hover {
+  color: #101218;
+  background-color: #dd630d;
+  border-color: #191919;
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled).active:hover {
+  background-color: #dd630d;
+  border-color: #191919;
+  color: #101218;
+  cursor: default;
+}
+
+.tabulator-page-counter {
+  color: #101218;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator {
+  color: #101218;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  border-radius: 0px;
+  margin: 0px;
+  padding: 6px 12px;
+  border: 1px solid #1b4257;
+}
+
+/*----------*/
+/* end of main theming elements */
+.tabulator-paginator {
+  flex: 0 !important;
+}
+
+.tabulator-page-counter {
+  flex: 1;
+  text-align: right;
+}
+
+.tabulator-col-sorter i {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  padding: 5px;
+}
+
+.tabulator .tabulator-headers > :first-child {
+  padding-left: 10px;
+}
+
+.opnsense-bootgrid-responsive {
+  white-space: wrap !important;
+  text-overflow: inherit !important;
+  overflow: visible !important;
+  word-break: break-word !important;
+}
+
+.opnsense-bootgrid-ellipsis {
+  overflow: hidden !important;
+  white-space: nowrap !important;
+  text-overflow: ellipsis !important;
+}
+
+.tabulator-row > :first-child {
+  padding-left: 10px;
+}
+
+.tabulator .tabulator-header .tabulator-col .tabulator-col-content {
+  padding: 0px;
+}
+
+.tabulator-page-counter {
+  padding-right: 20px;
+}
+
+.bootgrid-footer-commands {
+  width: 90px;
+  padding-left: 8px;
+}
+
+.tabulator-tableholder::after {
+  content: "";
+  display: block;
+  width: 1px;
+  height: 1px;
+  min-width: 100%;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:first-child {
+  border-bottom-left-radius: 3px;
+  border-top-left-radius: 3px;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:last-child {
+  border-bottom-right-radius: 3px;
+  border-top-right-radius: 3px;
+}
+
+/* border line corrections and hover/selection behavior */
+.tabulator-row:first-child > .tabulator-cell {
+  border-top: none;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title {
+  padding: 0px;
+}
+
+/* Row highlight behavior */
+@keyframes highlight {
+  0% {
+    background: #242424;
+  }
+  100% {
+    background: none;
+  }
+}
+.highlight-bg {
+  animation: highlight 2s;
+}
+
+/* Tabulator "loading" and "error" overrides */
+.tabulator .tabulator-alert {
+  background: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  border: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg {
+  background: initial;
+  font-size: 18px;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error {
+  border: none;
+}
+
+.bootgrid-placeholder {
+    font-size: 15px;
+    text-align: center;
+    white-space: normal;
+    font-weight: 400;
+    margin: 10px;
+}
+
+.bootgrid-overlay {
+    position: absolute;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    background: #fff;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    z-index: 99;
+}
+.overlay > i {
+    font-size: 20px;
+    color: black;
+}
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/tabulator.min.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/tabulator.min.css
new file mode 100644
index 0000000000..7034e96558
--- /dev/null
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/tabulator.min.css
@@ -0,0 +1,2 @@
+.tabulator{background-color:#888;border:1px solid #191919;font-size:14px;overflow:hidden;position:relative;text-align:left;-webkit-transform:translateZ(0);-moz-transform:translateZ(0);-ms-transform:translateZ(0);-o-transform:translateZ(0);transform:translateZ(0)}.tabulator[tabulator-layout=fitDataFill] .tabulator-tableholder .tabulator-table{min-width:100%}.tabulator[tabulator-layout=fitDataTable]{display:inline-block}.tabulator.tabulator-block-select,.tabulator.tabulator-ranges .tabulator-cell:not(.tabulator-editing){user-select:none; }.tabulator .tabulator-header{background-color:#e6e6e6;border-bottom:1px solid #999;box-sizing:border-box;color:#555;font-weight:700;outline:none;overflow:hidden;position:relative;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap;width:100%}.tabulator .tabulator-header.tabulator-header-hidden{display:none}.tabulator .tabulator-header .tabulator-header-contents{overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-header-contents .tabulator-headers{display:inline-block}.tabulator .tabulator-header .tabulator-col{background:#e6e6e6;border-right:1px solid #aaa;box-sizing:border-box;display:inline-flex;flex-direction:column;justify-content:flex-start;overflow:hidden;position:relative;text-align:left;vertical-align:bottom}.tabulator .tabulator-header .tabulator-col.tabulator-moving{background:#cdcdcd;border:1px solid #999;pointer-events:none;position:absolute}.tabulator .tabulator-header .tabulator-col.tabulator-range-highlight{background-color:#d6d6d6;color:#000}.tabulator .tabulator-header .tabulator-col.tabulator-range-selected{background-color:#3876ca;color:#fff}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{box-sizing:border-box;padding:4px;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button{padding:0 8px}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button:hover{cursor:pointer;opacity:.6}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title-holder{position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title{box-sizing:border-box;overflow:hidden;text-overflow:ellipsis;vertical-align:bottom;white-space:nowrap;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title.tabulator-col-title-wrap{text-overflow:clip;white-space:normal}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-title-editor{background:#fff;border:1px solid #999;box-sizing:border-box;padding:1px;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-header-popup-button+.tabulator-title-editor{width:calc(100% - 22px)}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{align-items:center;bottom:0;display:flex;position:absolute;right:4px;top:0}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-left:6px solid transparent;border-right:6px solid transparent;height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{border-top:1px solid #aaa;display:flex;margin-right:-1px;overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter{box-sizing:border-box;margin-top:2px;position:relative;text-align:center;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter textarea{height:auto!important}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter svg{margin-top:3px}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter input::-ms-clear{height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-right:25px}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover{background-color:#cdcdcd;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter{color:#bbb}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #666;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-top:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:none;border-top:6px solid #666;color:#666}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical .tabulator-col-content .tabulator-col-title{align-items:center;display:flex;justify-content:center;text-orientation:mixed;writing-mode:vertical-rl}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-col-vertical-flip .tabulator-col-title{transform:rotate(180deg)}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-title{padding-right:0;padding-top:20px}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable.tabulator-col-vertical-flip .tabulator-col-title{padding-bottom:20px;padding-right:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-sorter{bottom:auto;justify-content:center;left:0;right:0;top:4px}.tabulator .tabulator-header .tabulator-frozen{left:0;position:sticky;z-index:11}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator .tabulator-header .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;display:inline-block}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-header .tabulator-frozen-rows-holder{display:inline-block}.tabulator .tabulator-header .tabulator-frozen-rows-holder:empty{display:none}.tabulator .tabulator-tableholder{-webkit-overflow-scrolling:touch;overflow:auto;position:relative;white-space:nowrap;width:100%}.tabulator .tabulator-tableholder:focus{outline:none}.tabulator .tabulator-tableholder .tabulator-placeholder{align-items:center;box-sizing:border-box;display:flex;justify-content:center;min-width:100%;width:100%}.tabulator .tabulator-tableholder .tabulator-placeholder[tabulator-render-mode=virtual]{min-height:100%}.tabulator .tabulator-tableholder .tabulator-placeholder .tabulator-placeholder-contents{color:#ccc;display:inline-block;font-size:20px;font-weight:700;padding:10px;text-align:center;white-space:normal}.tabulator .tabulator-tableholder .tabulator-table{background-color:#fff;color:#333;display:inline-block;overflow:visible;position:relative;white-space:nowrap}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs{background:#e2e2e2!important;font-weight:700}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-top{border-bottom:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-bottom{border-top:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-range-overlay{inset:0;pointer-events:none;position:absolute;z-index:10}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range{border:1px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;position:absolute;right:-3px;width:6px}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range-cell-active{border:2px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-footer{background-color:#e6e6e6;border-top:1px solid #999;color:#555;font-weight:700;user-select:none;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap}.tabulator .tabulator-footer .tabulator-footer-contents{align-items:center;display:flex;flex-direction:row;justify-content:space-between;padding:5px 10px}.tabulator .tabulator-footer .tabulator-footer-contents:empty{display:none}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs{margin-top:-5px;overflow-x:auto}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab{border:1px solid #999;border-bottom-left-radius:5px;border-bottom-right-radius:5px;border-top:none;display:inline-block;font-size:.9em;padding:5px}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab:hover{cursor:pointer;opacity:.7}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab.tabulator-spreadsheet-tab-active{background:#fff}.tabulator .tabulator-footer .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;overflow:hidden;text-align:left;width:100%}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important;display:inline-block}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-footer .tabulator-calcs-holder:only-child{border-bottom:none;margin-bottom:-5px}.tabulator .tabulator-footer>*+.tabulator-page-counter{margin-left:10px}.tabulator .tabulator-footer .tabulator-page-counter{font-weight:400}.tabulator .tabulator-footer .tabulator-paginator{color:#555;flex:1;font-family:inherit;font-size:inherit;font-weight:inherit;text-align:right}.tabulator .tabulator-footer .tabulator-page-size{border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 5px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-pages{margin:0 7px}.tabulator .tabulator-footer .tabulator-page{background:hsla(0,0%,100%,.2);border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 2px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-page.active{color:#d00}.tabulator .tabulator-footer .tabulator-page:disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-footer .tabulator-page:not(disabled):hover{background:rgba(0,0,0,.2);color:#fff;cursor:pointer}}.tabulator .tabulator-col-resize-handle{display:inline-block;margin-left:-3px;margin-right:-3px;position:relative;vertical-align:middle;width:6px;z-index:11}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-col-resize-handle:hover{cursor:ew-resize}}.tabulator .tabulator-col-resize-handle:last-of-type{margin-right:0;width:3px}.tabulator .tabulator-col-resize-guide{background-color:#999;height:100%;margin-left:-.5px;opacity:.5;position:absolute;top:0;width:4px}.tabulator .tabulator-row-resize-guide{background-color:#999;height:4px;left:0;margin-top:-.5px;opacity:.5;position:absolute;width:100%}.tabulator .tabulator-alert{align-items:center;background:rgba(0,0,0,.4);display:flex;height:100%;left:0;position:absolute;text-align:center;top:0;width:100%;z-index:100}.tabulator .tabulator-alert .tabulator-alert-msg{background:#fff;border-radius:10px;display:inline-block;font-size:16px;font-weight:700;margin:0 auto;padding:10px 20px}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{border:4px solid #333;color:#000}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error{border:4px solid #d00;color:#590000}.tabulator-row{background-color:#fff;box-sizing:border-box;min-height:22px;position:relative}.tabulator-row.tabulator-row-even{background-color:#efefef}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selectable:hover{background-color:#bbb;cursor:pointer}}.tabulator-row.tabulator-selected{background-color:#9abcea}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selected:hover{background-color:#769bcc;cursor:pointer}}.tabulator-row.tabulator-row-moving{background:#fff;border:1px solid #000}.tabulator-row.tabulator-moving{border-bottom:1px solid #aaa;border-top:1px solid #aaa;pointer-events:none;position:absolute;z-index:15}.tabulator-row.tabulator-range-highlight .tabulator-cell.tabulator-range-row-header{background-color:#d6d6d6;color:#000}.tabulator-row.tabulator-range-highlight.tabulator-range-selected .tabulator-cell.tabulator-range-row-header,.tabulator-row.tabulator-range-selected .tabulator-cell.tabulator-range-row-header{background-color:#3876ca;color:#fff}.tabulator-row .tabulator-row-resize-handle{bottom:0;height:5px;left:0;position:absolute;right:0}.tabulator-row .tabulator-row-resize-handle.prev{bottom:auto;top:0}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-row-resize-handle:hover{cursor:ns-resize}}.tabulator-row .tabulator-responsive-collapse{border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;padding:5px}.tabulator-row .tabulator-responsive-collapse:empty{display:none}.tabulator-row .tabulator-responsive-collapse table{font-size:14px}.tabulator-row .tabulator-responsive-collapse table tr td{position:relative}.tabulator-row .tabulator-responsive-collapse table tr td:first-of-type{padding-right:10px}.tabulator-row .tabulator-cell{border-right:1px solid #aaa;box-sizing:border-box;display:inline-block;outline:none;overflow:hidden;padding:4px;position:relative;text-overflow:ellipsis;vertical-align:middle;white-space:nowrap}.tabulator-row .tabulator-cell.tabulator-row-header{background:#e6e6e6;border-bottom:1px solid #aaa;border-right:1px solid #999}.tabulator-row .tabulator-cell.tabulator-frozen{background-color:inherit;display:inline-block;left:0;position:sticky;z-index:11}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-editing{border:1px solid #1d68cd;outline:none;padding:0}.tabulator-row .tabulator-cell.tabulator-editing input,.tabulator-row .tabulator-cell.tabulator-editing select{background:transparent;border:1px;outline:none}.tabulator-row .tabulator-cell.tabulator-validation-fail{border:1px solid #d00}.tabulator-row .tabulator-cell.tabulator-validation-fail input,.tabulator-row .tabulator-cell.tabulator-validation-fail select{background:transparent;border:1px;color:#d00}.tabulator-row .tabulator-cell.tabulator-row-handle{align-items:center;display:inline-flex;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box{width:80%}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box .tabulator-row-handle-bar{background:#666;height:3px;margin-top:2px;width:100%}.tabulator-row .tabulator-cell.tabulator-range-selected:not(.tabulator-range-only-cell-selected):not(.tabulator-range-row-header){background-color:#9abcea}.tabulator-row .tabulator-cell .tabulator-data-tree-branch-empty{display:inline-block;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle{align-items:center;background:#666;border-radius:20px;color:#fff;display:inline-flex;font-size:1.1em;font-weight:700;height:15px;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;width:15px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle:hover{cursor:pointer;opacity:.7}}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-close{display:initial}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-open{display:none}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle svg{stroke:#fff}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle .tabulator-responsive-collapse-toggle-close{display:none}.tabulator-row .tabulator-cell .tabulator-traffic-light{border-radius:14px;display:inline-block;height:14px;width:14px}.tabulator-row.tabulator-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-row.tabulator-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-row.tabulator-group.tabulator-group-level-1{padding-left:30px}.tabulator-row.tabulator-group.tabulator-group-level-2{padding-left:50px}.tabulator-row.tabulator-group.tabulator-group-level-3{padding-left:70px}.tabulator-row.tabulator-group.tabulator-group-level-4{padding-left:90px}.tabulator-row.tabulator-group.tabulator-group-level-5{padding-left:110px}.tabulator-row.tabulator-group .tabulator-group-toggle{display:inline-block}.tabulator-row.tabulator-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-row.tabulator-group span{color:#d00;margin-left:10px}.tabulator-toggle{background:#dcdcdc;border:1px solid #ccc;box-sizing:border-box;display:flex;flex-direction:row}.tabulator-toggle.tabulator-toggle-on{background:#1c6cc2}.tabulator-toggle .tabulator-toggle-switch{background:#fff;border:1px solid #ccc;box-sizing:border-box}.tabulator-popup-container{-webkit-overflow-scrolling:touch;background:#fff;border:1px solid #aaa;box-shadow:0 0 5px 0 rgba(0,0,0,.2);box-sizing:border-box;display:inline-block;font-size:14px;overflow-y:auto;position:absolute;z-index:10000}.tabulator-popup{border-radius:3px;padding:5px}.tabulator-tooltip{border-radius:2px;box-shadow:none;font-size:12px;max-width:Min(500px,100%);padding:3px 5px;pointer-events:none}.tabulator-menu .tabulator-menu-item{box-sizing:border-box;padding:5px 10px;position:relative;user-select:none}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator-menu .tabulator-menu-item:not(.tabulator-menu-item-disabled):hover{background:#efefef;cursor:pointer}}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu{padding-right:25px}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu:after{border-color:#aaa;border-style:solid;border-width:1px 1px 0 0;content:"";display:inline-block;height:7px;position:absolute;right:10px;top:calc(5px + .4em);transform:rotate(45deg);vertical-align:top;width:7px}.tabulator-menu .tabulator-menu-separator{border-top:1px solid #aaa}.tabulator-edit-list{-webkit-overflow-scrolling:touch;font-size:14px;max-height:200px;overflow-y:auto}.tabulator-edit-list .tabulator-edit-list-item{color:#333;outline:none;padding:4px}.tabulator-edit-list .tabulator-edit-list-item.active{background:#1d68cd;color:#fff}.tabulator-edit-list .tabulator-edit-list-item.active.focused{outline:1px solid hsla(0,0%,100%,.5)}.tabulator-edit-list .tabulator-edit-list-item.focused{outline:1px solid #1d68cd}@media (hover:hover) and (pointer:fine){.tabulator-edit-list .tabulator-edit-list-item:hover{background:#1d68cd;color:#fff;cursor:pointer}}.tabulator-edit-list .tabulator-edit-list-placeholder{color:#333;padding:4px;text-align:center}.tabulator-edit-list .tabulator-edit-list-group{border-bottom:1px solid #aaa;color:#333;font-weight:700;padding:6px 4px 4px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-2,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-2{padding-left:12px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-3,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-3{padding-left:20px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-4,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-4{padding-left:28px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-5,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-5{padding-left:36px}.tabulator.tabulator-ltr{direction:ltr}.tabulator.tabulator-rtl{direction:rtl;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col{border-left:1px solid #aaa;border-right:initial;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{margin-left:-1px;margin-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-left:25px;padding-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{left:8px;right:auto}.tabulator.tabulator-rtl .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;left:-3px;position:absolute;right:auto;width:6px}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell{border-left:1px solid #aaa;border-right:initial}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom-left-radius:0;border-bottom-right-radius:1px;border-left:initial;border-right:2px solid #aaa;margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-control{margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-left:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-right:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-col-resize-handle:last-of-type{margin-left:0;margin-right:-3px;width:3px}.tabulator.tabulator-rtl .tabulator-footer .tabulator-calcs-holder{text-align:initial}.tabulator-print-fullscreen{bottom:0;left:0;position:absolute;right:0;top:0;z-index:10000}body.tabulator-print-fullscreen-hide>:not(.tabulator-print-fullscreen){display:none!important}.tabulator-print-table{border-collapse:collapse}.tabulator-print-table .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-print-table .tabulator-print-table-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-print-table-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-print-table .tabulator-print-table-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-1 td{padding-left:30px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-2 td{padding-left:50px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-3 td{padding-left:70px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-4 td{padding-left:90px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-5 td{padding-left:110px!important}.tabulator-print-table .tabulator-print-table-group .tabulator-group-toggle{display:inline-block}.tabulator-print-table .tabulator-print-table-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-print-table .tabulator-print-table-group span{color:#d00;margin-left:10px}.tabulator-print-table .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}
+/*# sourceMappingURL=tabulator.min.css.map */
\ No newline at end of file
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 623976c695..80af9cb0ed 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.49
-PLUGIN_REVISION=		1
+PLUGIN_VERSION=		1.50
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
new file mode 100644
index 0000000000..21ce95b59e
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
@@ -0,0 +1,299 @@
+/**
+* Main theming elements
+*/
+.tabulator {
+  font-size: 15px;
+  background-color: transparent;
+  border: none;
+  border-top: 1px solid #191919;
+}
+
+/* theme: header */
+.tabulator .tabulator-header {
+  background-color: transparent;
+  border-bottom: none;
+  border-left: 1px solid #191919;
+
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  border-right: 1px solid #191919;
+  background-color: #1b272f;
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover {
+  background-color: #0e181e;
+}
+
+.tabulator .tabulator-headers {
+  height: 100% !important; /* make sure the border below appears */
+  border-bottom: 1px solid #191919;
+}
+
+/*------------*/
+/* theme: body */
+.tabulator .tabulator-tableholder .tabulator-table {
+  background-color: transparent;
+  border-left: 1px solid #191919;
+}
+
+.tabulator-row {
+  background-color: transparent;
+  color: #bac3ca;
+}
+
+.tabulator-row.tabulator-row-odd {
+  background-color: #1b272f;
+}
+
+.tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected) {
+  background-color: #1b272f;
+}
+
+.tabulator-row.tabulator-row-even {
+  background-color: #1b272f;
+}
+
+.tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected) {
+  background-color: #1b272f;
+}
+
+.tabulator .tabulator-tableholder {
+  background-color: transparent;
+}
+
+.tabulator-row.tabulator-selected {
+  background-color: #1b272f;
+}
+
+.tabulator-row.tabulator-selected:hover {
+  cursor: pointer;
+  background-color: #1b272f;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  color: #373736; /* spinner icon */
+}
+
+/* Command column styles */
+.tabulator-col.tabulator-frozen.tabulator-frozen-right {
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right {
+}
+
+/* Checkbox column styles */
+.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid #191919; /* separates checkbox column from table rows */
+  border-left: 1px solid #191919;
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid #191919;
+  border-top: 1px solid #191919;
+  border-bottom: 1px solid #191919;
+  border-left: 1px solid #191919;
+}
+
+.tabulator-col.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+}
+
+.tabulator-cell.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+}
+
+/*------------*/
+/* theme: cells */
+.tabulator-row .tabulator-cell {
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  line-height: 1.2;
+  vertical-align: top;
+  border-bottom: 1px solid #191919;
+  border-right: 1px solid #191919;
+}
+
+/*-------------*/
+/* theme: footer */
+.tabulator .tabulator-footer {
+  border-top: none;
+  background-color: transparent;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  background-color: #1b272f;
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-footer .tabulator-page.active {
+  background-color: #dd630d;
+  border-color: #191919;
+  cursor: default;
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled):hover {
+  color: #bac3ca;
+  background-color: #dd630d;
+  border-color: #191919;
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled).active:hover {
+  background-color: #dd630d;
+  border-color: #191919;
+  color: #bac3ca;
+  cursor: default;
+}
+
+.tabulator-page-counter {
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator {
+  color: #bac3ca;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  border-radius: 0px;
+  margin: 0px;
+  padding: 6px 12px;
+  border: 1px solid #191919;
+}
+
+/*----------*/
+/* end of main theming elements */
+.tabulator-paginator {
+  flex: 0 !important;
+}
+
+.tabulator-page-counter {
+  flex: 1;
+  text-align: right;
+}
+
+.tabulator-col-sorter i {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  padding: 5px;
+}
+
+.tabulator .tabulator-headers > :first-child {
+  padding-left: 10px;
+}
+
+.opnsense-bootgrid-responsive {
+  white-space: wrap !important;
+  text-overflow: inherit !important;
+  overflow: visible !important;
+  word-break: break-word !important;
+}
+
+.opnsense-bootgrid-ellipsis {
+  overflow: hidden !important;
+  white-space: nowrap !important;
+  text-overflow: ellipsis !important;
+}
+
+.tabulator-row > :first-child {
+  padding-left: 10px;
+}
+
+.tabulator .tabulator-header .tabulator-col .tabulator-col-content {
+  padding: 0px;
+}
+
+.tabulator-page-counter {
+  padding-right: 20px;
+}
+
+.bootgrid-footer-commands {
+  width: 90px;
+  padding-left: 8px;
+}
+
+.tabulator-tableholder::after {
+  content: "";
+  display: block;
+  width: 1px;
+  height: 1px;
+  min-width: 100%;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:first-child {
+  border-bottom-left-radius: 3px;
+  border-top-left-radius: 3px;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:last-child {
+  border-bottom-right-radius: 3px;
+  border-top-right-radius: 3px;
+}
+
+/* border line corrections and hover/selection behavior */
+.tabulator-row:first-child > .tabulator-cell {
+  border-top: none;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title {
+  padding: 0px;
+}
+
+/* Row highlight behavior */
+@keyframes highlight {
+  0% {
+    background: #242424;
+  }
+  100% {
+    background: none;
+  }
+}
+.highlight-bg {
+  animation: highlight 2s;
+}
+
+/* Tabulator "loading" and "error" overrides */
+.tabulator .tabulator-alert {
+  background: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  border: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg {
+  background: initial;
+  font-size: 18px;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error {
+  border: none;
+}
+
+.bootgrid-placeholder {
+    font-size: 15px;
+    text-align: center;
+    white-space: normal;
+    font-weight: 400;
+    margin: 10px;
+}
+
+.bootgrid-overlay {
+    position: absolute;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    background: #1b272f;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    z-index: 99;
+}
+.overlay > i {
+    font-size: 20px;
+    color: black;
+}
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tabulator.min.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tabulator.min.css
new file mode 100644
index 0000000000..7034e96558
--- /dev/null
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tabulator.min.css
@@ -0,0 +1,2 @@
+.tabulator{background-color:#888;border:1px solid #191919;font-size:14px;overflow:hidden;position:relative;text-align:left;-webkit-transform:translateZ(0);-moz-transform:translateZ(0);-ms-transform:translateZ(0);-o-transform:translateZ(0);transform:translateZ(0)}.tabulator[tabulator-layout=fitDataFill] .tabulator-tableholder .tabulator-table{min-width:100%}.tabulator[tabulator-layout=fitDataTable]{display:inline-block}.tabulator.tabulator-block-select,.tabulator.tabulator-ranges .tabulator-cell:not(.tabulator-editing){user-select:none; }.tabulator .tabulator-header{background-color:#e6e6e6;border-bottom:1px solid #999;box-sizing:border-box;color:#555;font-weight:700;outline:none;overflow:hidden;position:relative;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap;width:100%}.tabulator .tabulator-header.tabulator-header-hidden{display:none}.tabulator .tabulator-header .tabulator-header-contents{overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-header-contents .tabulator-headers{display:inline-block}.tabulator .tabulator-header .tabulator-col{background:#e6e6e6;border-right:1px solid #aaa;box-sizing:border-box;display:inline-flex;flex-direction:column;justify-content:flex-start;overflow:hidden;position:relative;text-align:left;vertical-align:bottom}.tabulator .tabulator-header .tabulator-col.tabulator-moving{background:#cdcdcd;border:1px solid #999;pointer-events:none;position:absolute}.tabulator .tabulator-header .tabulator-col.tabulator-range-highlight{background-color:#d6d6d6;color:#000}.tabulator .tabulator-header .tabulator-col.tabulator-range-selected{background-color:#3876ca;color:#fff}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{box-sizing:border-box;padding:4px;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button{padding:0 8px}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button:hover{cursor:pointer;opacity:.6}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title-holder{position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title{box-sizing:border-box;overflow:hidden;text-overflow:ellipsis;vertical-align:bottom;white-space:nowrap;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title.tabulator-col-title-wrap{text-overflow:clip;white-space:normal}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-title-editor{background:#fff;border:1px solid #999;box-sizing:border-box;padding:1px;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-header-popup-button+.tabulator-title-editor{width:calc(100% - 22px)}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{align-items:center;bottom:0;display:flex;position:absolute;right:4px;top:0}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-left:6px solid transparent;border-right:6px solid transparent;height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{border-top:1px solid #aaa;display:flex;margin-right:-1px;overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter{box-sizing:border-box;margin-top:2px;position:relative;text-align:center;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter textarea{height:auto!important}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter svg{margin-top:3px}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter input::-ms-clear{height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-right:25px}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover{background-color:#cdcdcd;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter{color:#bbb}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #666;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-top:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:none;border-top:6px solid #666;color:#666}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical .tabulator-col-content .tabulator-col-title{align-items:center;display:flex;justify-content:center;text-orientation:mixed;writing-mode:vertical-rl}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-col-vertical-flip .tabulator-col-title{transform:rotate(180deg)}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-title{padding-right:0;padding-top:20px}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable.tabulator-col-vertical-flip .tabulator-col-title{padding-bottom:20px;padding-right:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-sorter{bottom:auto;justify-content:center;left:0;right:0;top:4px}.tabulator .tabulator-header .tabulator-frozen{left:0;position:sticky;z-index:11}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator .tabulator-header .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;display:inline-block}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-header .tabulator-frozen-rows-holder{display:inline-block}.tabulator .tabulator-header .tabulator-frozen-rows-holder:empty{display:none}.tabulator .tabulator-tableholder{-webkit-overflow-scrolling:touch;overflow:auto;position:relative;white-space:nowrap;width:100%}.tabulator .tabulator-tableholder:focus{outline:none}.tabulator .tabulator-tableholder .tabulator-placeholder{align-items:center;box-sizing:border-box;display:flex;justify-content:center;min-width:100%;width:100%}.tabulator .tabulator-tableholder .tabulator-placeholder[tabulator-render-mode=virtual]{min-height:100%}.tabulator .tabulator-tableholder .tabulator-placeholder .tabulator-placeholder-contents{color:#ccc;display:inline-block;font-size:20px;font-weight:700;padding:10px;text-align:center;white-space:normal}.tabulator .tabulator-tableholder .tabulator-table{background-color:#fff;color:#333;display:inline-block;overflow:visible;position:relative;white-space:nowrap}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs{background:#e2e2e2!important;font-weight:700}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-top{border-bottom:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-bottom{border-top:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-range-overlay{inset:0;pointer-events:none;position:absolute;z-index:10}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range{border:1px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;position:absolute;right:-3px;width:6px}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range-cell-active{border:2px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-footer{background-color:#e6e6e6;border-top:1px solid #999;color:#555;font-weight:700;user-select:none;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap}.tabulator .tabulator-footer .tabulator-footer-contents{align-items:center;display:flex;flex-direction:row;justify-content:space-between;padding:5px 10px}.tabulator .tabulator-footer .tabulator-footer-contents:empty{display:none}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs{margin-top:-5px;overflow-x:auto}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab{border:1px solid #999;border-bottom-left-radius:5px;border-bottom-right-radius:5px;border-top:none;display:inline-block;font-size:.9em;padding:5px}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab:hover{cursor:pointer;opacity:.7}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab.tabulator-spreadsheet-tab-active{background:#fff}.tabulator .tabulator-footer .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;overflow:hidden;text-align:left;width:100%}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important;display:inline-block}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-footer .tabulator-calcs-holder:only-child{border-bottom:none;margin-bottom:-5px}.tabulator .tabulator-footer>*+.tabulator-page-counter{margin-left:10px}.tabulator .tabulator-footer .tabulator-page-counter{font-weight:400}.tabulator .tabulator-footer .tabulator-paginator{color:#555;flex:1;font-family:inherit;font-size:inherit;font-weight:inherit;text-align:right}.tabulator .tabulator-footer .tabulator-page-size{border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 5px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-pages{margin:0 7px}.tabulator .tabulator-footer .tabulator-page{background:hsla(0,0%,100%,.2);border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 2px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-page.active{color:#d00}.tabulator .tabulator-footer .tabulator-page:disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-footer .tabulator-page:not(disabled):hover{background:rgba(0,0,0,.2);color:#fff;cursor:pointer}}.tabulator .tabulator-col-resize-handle{display:inline-block;margin-left:-3px;margin-right:-3px;position:relative;vertical-align:middle;width:6px;z-index:11}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-col-resize-handle:hover{cursor:ew-resize}}.tabulator .tabulator-col-resize-handle:last-of-type{margin-right:0;width:3px}.tabulator .tabulator-col-resize-guide{background-color:#999;height:100%;margin-left:-.5px;opacity:.5;position:absolute;top:0;width:4px}.tabulator .tabulator-row-resize-guide{background-color:#999;height:4px;left:0;margin-top:-.5px;opacity:.5;position:absolute;width:100%}.tabulator .tabulator-alert{align-items:center;background:rgba(0,0,0,.4);display:flex;height:100%;left:0;position:absolute;text-align:center;top:0;width:100%;z-index:100}.tabulator .tabulator-alert .tabulator-alert-msg{background:#fff;border-radius:10px;display:inline-block;font-size:16px;font-weight:700;margin:0 auto;padding:10px 20px}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{border:4px solid #333;color:#000}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error{border:4px solid #d00;color:#590000}.tabulator-row{background-color:#fff;box-sizing:border-box;min-height:22px;position:relative}.tabulator-row.tabulator-row-even{background-color:#efefef}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selectable:hover{background-color:#bbb;cursor:pointer}}.tabulator-row.tabulator-selected{background-color:#9abcea}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selected:hover{background-color:#769bcc;cursor:pointer}}.tabulator-row.tabulator-row-moving{background:#fff;border:1px solid #000}.tabulator-row.tabulator-moving{border-bottom:1px solid #aaa;border-top:1px solid #aaa;pointer-events:none;position:absolute;z-index:15}.tabulator-row.tabulator-range-highlight .tabulator-cell.tabulator-range-row-header{background-color:#d6d6d6;color:#000}.tabulator-row.tabulator-range-highlight.tabulator-range-selected .tabulator-cell.tabulator-range-row-header,.tabulator-row.tabulator-range-selected .tabulator-cell.tabulator-range-row-header{background-color:#3876ca;color:#fff}.tabulator-row .tabulator-row-resize-handle{bottom:0;height:5px;left:0;position:absolute;right:0}.tabulator-row .tabulator-row-resize-handle.prev{bottom:auto;top:0}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-row-resize-handle:hover{cursor:ns-resize}}.tabulator-row .tabulator-responsive-collapse{border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;padding:5px}.tabulator-row .tabulator-responsive-collapse:empty{display:none}.tabulator-row .tabulator-responsive-collapse table{font-size:14px}.tabulator-row .tabulator-responsive-collapse table tr td{position:relative}.tabulator-row .tabulator-responsive-collapse table tr td:first-of-type{padding-right:10px}.tabulator-row .tabulator-cell{border-right:1px solid #aaa;box-sizing:border-box;display:inline-block;outline:none;overflow:hidden;padding:4px;position:relative;text-overflow:ellipsis;vertical-align:middle;white-space:nowrap}.tabulator-row .tabulator-cell.tabulator-row-header{background:#e6e6e6;border-bottom:1px solid #aaa;border-right:1px solid #999}.tabulator-row .tabulator-cell.tabulator-frozen{background-color:inherit;display:inline-block;left:0;position:sticky;z-index:11}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-editing{border:1px solid #1d68cd;outline:none;padding:0}.tabulator-row .tabulator-cell.tabulator-editing input,.tabulator-row .tabulator-cell.tabulator-editing select{background:transparent;border:1px;outline:none}.tabulator-row .tabulator-cell.tabulator-validation-fail{border:1px solid #d00}.tabulator-row .tabulator-cell.tabulator-validation-fail input,.tabulator-row .tabulator-cell.tabulator-validation-fail select{background:transparent;border:1px;color:#d00}.tabulator-row .tabulator-cell.tabulator-row-handle{align-items:center;display:inline-flex;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box{width:80%}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box .tabulator-row-handle-bar{background:#666;height:3px;margin-top:2px;width:100%}.tabulator-row .tabulator-cell.tabulator-range-selected:not(.tabulator-range-only-cell-selected):not(.tabulator-range-row-header){background-color:#9abcea}.tabulator-row .tabulator-cell .tabulator-data-tree-branch-empty{display:inline-block;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle{align-items:center;background:#666;border-radius:20px;color:#fff;display:inline-flex;font-size:1.1em;font-weight:700;height:15px;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;width:15px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle:hover{cursor:pointer;opacity:.7}}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-close{display:initial}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-open{display:none}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle svg{stroke:#fff}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle .tabulator-responsive-collapse-toggle-close{display:none}.tabulator-row .tabulator-cell .tabulator-traffic-light{border-radius:14px;display:inline-block;height:14px;width:14px}.tabulator-row.tabulator-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-row.tabulator-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-row.tabulator-group.tabulator-group-level-1{padding-left:30px}.tabulator-row.tabulator-group.tabulator-group-level-2{padding-left:50px}.tabulator-row.tabulator-group.tabulator-group-level-3{padding-left:70px}.tabulator-row.tabulator-group.tabulator-group-level-4{padding-left:90px}.tabulator-row.tabulator-group.tabulator-group-level-5{padding-left:110px}.tabulator-row.tabulator-group .tabulator-group-toggle{display:inline-block}.tabulator-row.tabulator-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-row.tabulator-group span{color:#d00;margin-left:10px}.tabulator-toggle{background:#dcdcdc;border:1px solid #ccc;box-sizing:border-box;display:flex;flex-direction:row}.tabulator-toggle.tabulator-toggle-on{background:#1c6cc2}.tabulator-toggle .tabulator-toggle-switch{background:#fff;border:1px solid #ccc;box-sizing:border-box}.tabulator-popup-container{-webkit-overflow-scrolling:touch;background:#fff;border:1px solid #aaa;box-shadow:0 0 5px 0 rgba(0,0,0,.2);box-sizing:border-box;display:inline-block;font-size:14px;overflow-y:auto;position:absolute;z-index:10000}.tabulator-popup{border-radius:3px;padding:5px}.tabulator-tooltip{border-radius:2px;box-shadow:none;font-size:12px;max-width:Min(500px,100%);padding:3px 5px;pointer-events:none}.tabulator-menu .tabulator-menu-item{box-sizing:border-box;padding:5px 10px;position:relative;user-select:none}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator-menu .tabulator-menu-item:not(.tabulator-menu-item-disabled):hover{background:#efefef;cursor:pointer}}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu{padding-right:25px}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu:after{border-color:#aaa;border-style:solid;border-width:1px 1px 0 0;content:"";display:inline-block;height:7px;position:absolute;right:10px;top:calc(5px + .4em);transform:rotate(45deg);vertical-align:top;width:7px}.tabulator-menu .tabulator-menu-separator{border-top:1px solid #aaa}.tabulator-edit-list{-webkit-overflow-scrolling:touch;font-size:14px;max-height:200px;overflow-y:auto}.tabulator-edit-list .tabulator-edit-list-item{color:#333;outline:none;padding:4px}.tabulator-edit-list .tabulator-edit-list-item.active{background:#1d68cd;color:#fff}.tabulator-edit-list .tabulator-edit-list-item.active.focused{outline:1px solid hsla(0,0%,100%,.5)}.tabulator-edit-list .tabulator-edit-list-item.focused{outline:1px solid #1d68cd}@media (hover:hover) and (pointer:fine){.tabulator-edit-list .tabulator-edit-list-item:hover{background:#1d68cd;color:#fff;cursor:pointer}}.tabulator-edit-list .tabulator-edit-list-placeholder{color:#333;padding:4px;text-align:center}.tabulator-edit-list .tabulator-edit-list-group{border-bottom:1px solid #aaa;color:#333;font-weight:700;padding:6px 4px 4px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-2,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-2{padding-left:12px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-3,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-3{padding-left:20px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-4,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-4{padding-left:28px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-5,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-5{padding-left:36px}.tabulator.tabulator-ltr{direction:ltr}.tabulator.tabulator-rtl{direction:rtl;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col{border-left:1px solid #aaa;border-right:initial;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{margin-left:-1px;margin-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-left:25px;padding-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{left:8px;right:auto}.tabulator.tabulator-rtl .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;left:-3px;position:absolute;right:auto;width:6px}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell{border-left:1px solid #aaa;border-right:initial}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom-left-radius:0;border-bottom-right-radius:1px;border-left:initial;border-right:2px solid #aaa;margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-control{margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-left:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-right:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-col-resize-handle:last-of-type{margin-left:0;margin-right:-3px;width:3px}.tabulator.tabulator-rtl .tabulator-footer .tabulator-calcs-holder{text-align:initial}.tabulator-print-fullscreen{bottom:0;left:0;position:absolute;right:0;top:0;z-index:10000}body.tabulator-print-fullscreen-hide>:not(.tabulator-print-fullscreen){display:none!important}.tabulator-print-table{border-collapse:collapse}.tabulator-print-table .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-print-table .tabulator-print-table-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-print-table-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-print-table .tabulator-print-table-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-1 td{padding-left:30px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-2 td{padding-left:50px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-3 td{padding-left:70px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-4 td{padding-left:90px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-5 td{padding-left:110px!important}.tabulator-print-table .tabulator-print-table-group .tabulator-group-toggle{display:inline-block}.tabulator-print-table .tabulator-print-table-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-print-table .tabulator-print-table-group span{color:#d00;margin-left:10px}.tabulator-print-table .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}
+/*# sourceMappingURL=tabulator.min.css.map */
\ No newline at end of file

From 047bab5022db620f8c6deb82bff1b88538f8b812 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 09:42:11 +0200
Subject: [PATCH 2575/3088] make: kill the plugin lint code

For clarity we split core and plugins from the beginning although
plugins only really make sense with a core in mind.  To that end,
when dealing with plugins a core repository should always be available
in order to run the lint passes on the code.  This makes maintenance
a lot easier in the future.
---
 Makefile      |  2 +-
 Mk/plugins.mk | 82 +++------------------------------------------------
 2 files changed, 5 insertions(+), 79 deletions(-)

diff --git a/Makefile b/Makefile
index 981c92f2ab..77c5f41e00 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2024 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2025 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index b9f2b0b76f..b1d3482eba 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -350,89 +350,15 @@ clean: check
 	fi
 	@rm -rf ${.CURDIR}/work
 
+COREREFDIR=	${.CURDIR}/../../../core
+
+.-include "${COREREFDIR}/Mk/lint.mk"
+
 lint-desc: check
 	@if [ ! -f ${.CURDIR}/${PLUGIN_DESC} ]; then \
 		echo ">>> Missing ${PLUGIN_DESC}"; exit 1; \
 	fi
 
-lint-shell:
-	@for FILE in $$(find ${.CURDIR}/src -name "*.sh" -type f); do \
-	    if [ "$$(head $${FILE} | grep -c '^#!\/')" == "0" ]; then \
-	        echo "Missing shebang in $${FILE}"; exit 1; \
-	    fi; \
-	    sh -n "$${FILE}" || exit 1; \
-	done
-
-lint-xml:
-	@find ${.CURDIR}/src \
-	    -name "*.xml" -type f -print0 | xargs -0 -n1 xmllint --noout
-
-lint-model:
-	@if [ -d ${.CURDIR}/src/opnsense/mvc/app/models ]; then for MODEL in $$(find ${.CURDIR}/src/opnsense/mvc/app/models -depth 3 \
-	    -name "*.xml"); do \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and (not(Required) or Required="N") and Default]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-			echo "$${MODEL}: $${LINE} has a spurious default value set"; \
-		done; \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and Default=""]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-			echo "$${MODEL}: $${LINE} has an empty default value set"; \
-		done; \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc="None"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-			echo "$${MODEL}: $${LINE} blank description is the default"; \
-		done; \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc and Required="Y"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-			echo "$${MODEL}: $${LINE} blank description not applicable on required field"; \
-		done; \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and BlankDesc and Multiple="Y"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-			echo "$${MODEL}: $${LINE} blank description not applicable on multiple field"; \
-		done; \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and Multiple="N"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-			echo "$${MODEL}: $${LINE} Multiple=N is the default"; \
-		done; \
-		(xmllint $${MODEL} --xpath '//*[@type and not(@type="ArrayField") and OptionValues[default[not(@value)] or multiple[not(@value)] or required[not(@value)]]]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-			echo "$${MODEL}: $${LINE} option element default/multiple/required without value attribute"; \
-		done; \
-		(xmllint $${MODEL} --xpath '//*[@type="CSVListField" and Mask and (not(MaskPerItem) or MaskPerItem=N)]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-			echo "$${MODEL}: $${LINE} uses Mask regex with MaskPerItem=N"; \
-		done; \
-		for TYPE in .\\AliasesField .\\DomainIPField HostnameField IPPortField NetworkField MacAddressField .\\RangeAddressField; do \
-			(xmllint $${MODEL} --xpath '//*[@type="'$${TYPE}'" and FieldSeparator=","]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-				echo "$${MODEL}: $${LINE} FieldSeparator=, is the default"; \
-			done; \
-			(xmllint $${MODEL} --xpath '//*[@type="'$${TYPE}'" and AsList="N"]' 2> /dev/null | grep '^<' || true) | while read LINE; do \
-				echo "$${MODEL}: $${LINE} AsList=N is the default"; \
-			done; \
-		done; \
-	done; fi
-
-ACLBIN?=	${.CURDIR}/../../../core/Scripts/dashboard-acl.sh
-
-lint-acl: check
-.if exists(${ACLBIN})
-	@${ACLBIN} ${.CURDIR}/../../../core
-.else
-	@echo "Did not find ACLBIN, please provide a core repository"; exit 1
-.endif
-
-lint-exec: check
-.for DIR in ${.CURDIR}/src/opnsense/scripts ${.CURDIR}/src/etc/rc.d ${.CURDIR}/src/etc/rc.syshook.d
-.if exists(${DIR})
-	@find ${DIR} -type f ! -name "*.xml" -print0 | \
-	    xargs -0 -t -n1 test -x || \
-	    (echo "Missing executable permission in ${DIR}"; exit 1)
-.endif
-.endfor
-
-LINTBIN?=	${.CURDIR}/../../../core/contrib/parallel-lint/parallel-lint
-
-lint-php: check
-.if exists(${LINTBIN})
-	@if [ -d ${.CURDIR}/src ]; then ${LINTBIN} src; fi
-.else
-	@echo "Did not find LINTBIN, please provide a core repository"; exit 1
-.endif
-
-lint: lint-desc lint-shell lint-xml lint-model lint-acl lint-exec lint-php
-
 plist-fix:
 
 sweep: check

From e7460d7301fe96047337172ae30b7535b772aca6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 09:56:17 +0200
Subject: [PATCH 2576/3088] make: align files to look like core

---
 Mk/lint.mk    | 33 +++++++++++++++++++++++++++++++++
 Mk/plugins.mk | 11 ++---------
 2 files changed, 35 insertions(+), 9 deletions(-)
 create mode 100644 Mk/lint.mk

diff --git a/Mk/lint.mk b/Mk/lint.mk
new file mode 100644
index 0000000000..38427e747c
--- /dev/null
+++ b/Mk/lint.mk
@@ -0,0 +1,33 @@
+# Copyright (c) 2025 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+COREREFDIR=	${PLUGINSDIR}/../core
+
+.-include "${COREREFDIR}/Mk/lint.mk"
+
+lint-desc: check
+	@if [ ! -f ${.CURDIR}/${PLUGIN_DESC} ]; then \
+		echo ">>> Missing ${PLUGIN_DESC}"; exit 1; \
+	fi
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index b1d3482eba..a0505d93d5 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -31,6 +31,8 @@ PLUGINSDIR?=		${.CURDIR}/../..
 SCRIPTSDIR=		${PLUGINSDIR}/Scripts
 TEMPLATESDIR=		${PLUGINSDIR}/Templates
 
+.include "lint.mk"
+
 .if exists(${GIT}) && exists(${GITVERSION})
 PLUGIN_COMMIT!=		${GITVERSION}
 .else
@@ -350,15 +352,6 @@ clean: check
 	fi
 	@rm -rf ${.CURDIR}/work
 
-COREREFDIR=	${.CURDIR}/../../../core
-
-.-include "${COREREFDIR}/Mk/lint.mk"
-
-lint-desc: check
-	@if [ ! -f ${.CURDIR}/${PLUGIN_DESC} ]; then \
-		echo ">>> Missing ${PLUGIN_DESC}"; exit 1; \
-	fi
-
 plist-fix:
 
 sweep: check

From a189c0ca1ff96b527d1e74c0204b8209ae796e3e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 10:01:07 +0200
Subject: [PATCH 2577/3088] make: add devel marker file

This eases maintenance during a diff to stable.
---
 Mk/devel.mk   | 28 ++++++++++++++++++++++++++++
 Mk/plugins.mk |  2 +-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 Mk/devel.mk

diff --git a/Mk/devel.mk b/Mk/devel.mk
new file mode 100644
index 0000000000..f1a8bfd79a
--- /dev/null
+++ b/Mk/devel.mk
@@ -0,0 +1,28 @@
+# Copyright (c) 2025 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# This file merely exists on the development
+# branch to force plugins to development mode:
+PLUGIN_DEVEL?=		yes
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index a0505d93d5..ccc496a2bc 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -65,7 +65,7 @@ _PLUGIN_COMMENT:=	${PLUGIN_COMMENT}
 .if defined(_PLUGIN_DEVEL)
 PLUGIN_DEVEL?:=		${_PLUGIN_DEVEL}
 .else
-PLUGIN_DEVEL?=		yes
+.-include "devel.mk"
 .endif
 
 PLUGIN_PREFIX?=		os-

From 7438d20dc74adcc2905a98f2c64685f0671cf432 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 10:02:26 +0200
Subject: [PATCH 2578/3088] make: hmm

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 77c5f41e00..981c92f2ab 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2025 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2024 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions

From 964f212ac4fd5191b570b25fe47bd2d29919f82f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 10:24:03 +0200
Subject: [PATCH 2579/3088] make: lint can now auto-detect the proper reference
 path

---
 Mk/lint.mk | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/Mk/lint.mk b/Mk/lint.mk
index 38427e747c..6114383ba3 100644
--- a/Mk/lint.mk
+++ b/Mk/lint.mk
@@ -23,9 +23,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
-COREREFDIR=	${PLUGINSDIR}/../core
-
-.-include "${COREREFDIR}/Mk/lint.mk"
+.-include "${PLUGINSDIR}/../core/Mk/lint.mk"
 
 lint-desc: check
 	@if [ ! -f ${.CURDIR}/${PLUGIN_DESC} ]; then \

From 6c13dfb82e18a16497e8b9c5618e43b686dabfa2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 10:28:27 +0200
Subject: [PATCH 2580/3088] www/caddy: try new lint inclusion and address
 complaints

---
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml     | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index aea004e0fe..a8d1234950 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -76,7 +76,7 @@
                 <Default>10</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>20</MaximumValue>
-                <ValidationMessage>Please enter a valid Grace Period between 1 and 20 seconds.</ValidationMessage>
+                <ValidationMessage>Please enter a valid grace period between 1 and 20 seconds.</ValidationMessage>
                 <Required>Y</Required>
             </GracePeriod>
             <HttpVersions type="OptionField">
@@ -162,7 +162,7 @@
             </AuthToTls>
             <AuthToUri type="TextField">
                 <Mask>/^(\/.*)?$/u</Mask>
-                <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
+                <ValidationMessage>Please enter a valid URI that starts with '/'.</ValidationMessage>
             </AuthToUri>
             <CopyHeaders type="ModelRelationField">
                 <Model>
@@ -336,7 +336,7 @@
                 </HandleType>
                 <HandlePath type="TextField">
                     <Mask>/^(\/.*)?$/u</Mask>
-                    <ValidationMessage>Please enter a valid Path that starts with '/'.</ValidationMessage>
+                    <ValidationMessage>Please enter a valid path that starts with '/'.</ValidationMessage>
                 </HandlePath>
                 <accesslist type="ModelRelationField">
                     <Model>
@@ -380,14 +380,13 @@
                 </HandleDirective>
                 <ToDomain type="HostnameField">
                     <Required>Y</Required>
-                    <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                     <ValidationMessage>Please enter one or multiple valid IP addresses, hostnames or FQDNs.</ValidationMessage>
                 </ToDomain>
                 <ToPort type="PortField"/>
                 <ToPath type="TextField">
                     <Mask>/^(\/.*)?$/u</Mask>
-                    <ValidationMessage>Please enter a valid Path that starts with '/'.</ValidationMessage>
+                    <ValidationMessage>Please enter a valid path that starts with '/'.</ValidationMessage>
                 </ToPath>
                 <ForwardAuth type="BooleanField"/>
                 <HttpTls type="OptionField">
@@ -475,7 +474,7 @@
                 <description type="DescriptionField"/>
                 <health_uri type="TextField">
                     <Mask>/^(\/.*)?$/u</Mask>
-                    <ValidationMessage>Please enter a valid 'URI' that starts with '/'.</ValidationMessage>
+                    <ValidationMessage>Please enter a valid URI that starts with '/'.</ValidationMessage>
                 </health_uri>
                 <health_upstream type="IPPortField"/>
                 <health_port type="IntegerField">
@@ -512,7 +511,6 @@
                 </accesslistName>
                 <clientIps type="NetworkField">
                     <Required>Y</Required>
-                    <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                     <Strict>Y</Strict>
                     <ValidationMessage>Please enter one or multiple valid IP addresses or networks.</ValidationMessage>
@@ -521,7 +519,7 @@
                 <HttpResponseCode type="IntegerField">
                     <MinimumValue>100</MinimumValue>
                     <MaximumValue>599</MaximumValue>
-                    <ValidationMessage>Please enter a valid HTTP response code between 100 and 599</ValidationMessage>
+                    <ValidationMessage>Please enter a valid HTTP response code between 100 and 599.</ValidationMessage>
                 </HttpResponseCode>
                 <HttpResponseMessage type="DescriptionField"/>
                 <RequestMatcher type="OptionField">
@@ -606,7 +604,6 @@
                     <IpAllowed>N</IpAllowed>
                     <FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
                     <HostWildcardAllowed>Y</HostWildcardAllowed>
-                    <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                     <ValidationMessage>Please enter one or multiple hostnames or FQDNs.</ValidationMessage>
                 </FromDomain>
@@ -660,7 +657,6 @@
                 <InvertMatchers type="BooleanField"/>
                 <ToDomain type="HostnameField">
                     <Required>Y</Required>
-                    <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                     <ValidationMessage>Please enter one or multiple valid IP addresses, hostnames or FQDNs.</ValidationMessage>
                 </ToDomain>
@@ -695,7 +691,6 @@
                     <ValidationMessage>Please enter a minimum value of 2 or leave empty for defaults.</ValidationMessage>
                 </PassiveHealthMaxFails>
                 <RemoteIp type="NetworkField">
-                    <FieldSeparator>,</FieldSeparator>
                     <AsList>Y</AsList>
                     <Strict>Y</Strict>
                     <ValidationMessage>Please enter one or multiple valid IP addresses or networks.</ValidationMessage>

From ede32901227e6d8a4c224b8b5824605be2295600 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 10:30:20 +0200
Subject: [PATCH 2581/3088] make: show package description on empty target

---
 Mk/plugins.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index ccc496a2bc..c9b297c362 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -24,6 +24,7 @@
 # SUCH DAMAGE.
 
 all: check
+	@cat ${.CURDIR}/pkg-descr | ${PAGER}
 
 .include "defaults.mk"
 

From 9686f6ca16719de2cbff56addfbf8370a6ab4110 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 11:10:02 +0200
Subject: [PATCH 2582/3088] make: shuffle this test to core

---
 Makefile      | 2 +-
 Mk/lint.mk    | 5 -----
 Mk/plugins.mk | 6 +++---
 README.md     | 6 ++----
 4 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/Makefile b/Makefile
index 981c92f2ab..0b57baf291 100644
--- a/Makefile
+++ b/Makefile
@@ -44,7 +44,7 @@ list:
 .endfor
 
 # shared targets that are sane to run from the root directory
-TARGETS=	clean glint lint plist-fix revision style style-fix style-model style-python sweep test
+TARGETS=	clean glint lint plist-fix revision style sweep test
 
 .for TARGET in ${TARGETS}
 ${TARGET}:
diff --git a/Mk/lint.mk b/Mk/lint.mk
index 6114383ba3..ddc3c2ad73 100644
--- a/Mk/lint.mk
+++ b/Mk/lint.mk
@@ -24,8 +24,3 @@
 # SUCH DAMAGE.
 
 .-include "${PLUGINSDIR}/../core/Mk/lint.mk"
-
-lint-desc: check
-	@if [ ! -f ${.CURDIR}/${PLUGIN_DESC} ]; then \
-		echo ">>> Missing ${PLUGIN_DESC}"; exit 1; \
-	fi
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index c9b297c362..cac2579b02 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -24,7 +24,7 @@
 # SUCH DAMAGE.
 
 all: check
-	@cat ${.CURDIR}/pkg-descr | ${PAGER}
+	@cat ${.CURDIR}/${PLUGIN_DESC} | ${PAGER}
 
 .include "defaults.mk"
 
@@ -32,8 +32,6 @@ PLUGINSDIR?=		${.CURDIR}/../..
 SCRIPTSDIR=		${PLUGINSDIR}/Scripts
 TEMPLATESDIR=		${PLUGINSDIR}/Templates
 
-.include "lint.mk"
-
 .if exists(${GIT}) && exists(${GITVERSION})
 PLUGIN_COMMIT!=		${GITVERSION}
 .else
@@ -54,6 +52,8 @@ PLUGIN_REVISION?=	0
 PLUGIN_REQUIRES=	PLUGIN_NAME PLUGIN_VERSION PLUGIN_COMMENT \
 			PLUGIN_MAINTAINER
 
+.include "lint.mk"
+
 check:
 .for PLUGIN_REQUIRE in ${PLUGIN_REQUIRES}
 .  if "${${PLUGIN_REQUIRE}}" == ""
diff --git a/README.md b/README.md
index 171092c3d5..6a421e8d27 100644
--- a/README.md
+++ b/README.md
@@ -150,9 +150,8 @@ The make targets for the root directory:
 * clean:	remove all changes and unknown files
 * lint:		run syntax checks
 * list:		print a list of all plugin directories with comments
-* style-fix:	apply style fixes
 * style:	run style checks
-* sweep:	apply whitespace fixes
+* sweep:	apply style fixes
 
 The make targets for any plugin directory:
 
@@ -163,6 +162,5 @@ The make targets for any plugin directory:
 * package:	creates a package
 * upgrade:	upgrades existing package
 * remove:	remove known files from target directory
-* style-fix:	apply style fixes
 * style:	run style checks
-* sweep:	apply whitespace fixes
+* sweep:	apply style fixes

From 2b645c896aee01b661e83b89285e526262e19615 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 14:47:53 +0200
Subject: [PATCH 2583/3088] make: style and sweep to from core

---
 Makefile      |  2 +-
 Mk/common.mk  | 26 ++++++++++++++++++++++
 Mk/plugins.mk | 61 +++++----------------------------------------------
 Mk/style.mk   | 28 +++++++++++++++++++++++
 Mk/sweep.mk   | 26 ++++++++++++++++++++++
 5 files changed, 86 insertions(+), 57 deletions(-)
 create mode 100644 Mk/common.mk
 create mode 100644 Mk/style.mk
 create mode 100644 Mk/sweep.mk

diff --git a/Makefile b/Makefile
index 0b57baf291..e62676f339 100644
--- a/Makefile
+++ b/Makefile
@@ -44,7 +44,7 @@ list:
 .endfor
 
 # shared targets that are sane to run from the root directory
-TARGETS=	clean glint lint plist-fix revision style sweep test
+TARGETS=	clean glint lint revision style sweep test
 
 .for TARGET in ${TARGETS}
 ${TARGET}:
diff --git a/Mk/common.mk b/Mk/common.mk
new file mode 100644
index 0000000000..bfd8be9ffd
--- /dev/null
+++ b/Mk/common.mk
@@ -0,0 +1,26 @@
+# Copyright (c) 2025 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+.-include "${PLUGINSDIR}/../core/Mk/common.mk"
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index cac2579b02..4b939330b0 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -52,7 +52,10 @@ PLUGIN_REVISION?=	0
 PLUGIN_REQUIRES=	PLUGIN_NAME PLUGIN_VERSION PLUGIN_COMMENT \
 			PLUGIN_MAINTAINER
 
+.include "common.mk"
 .include "lint.mk"
+.include "style.mk"
+.include "sweep.mk"
 
 check:
 .for PLUGIN_REQUIRE in ${PLUGIN_REQUIRES}
@@ -353,65 +356,11 @@ clean: check
 	fi
 	@rm -rf ${.CURDIR}/work
 
-plist-fix:
-
-sweep: check
-	find ${.CURDIR}/src -type f -name "*.map" -print0 | \
-	    xargs -0 -n1 rm
-	find ${.CURDIR}/src ! -name "*.min.*" ! -name "*.svg" \
-	    ! -name "*.ser" -type f -print0 | \
-	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile
-	find ${.CURDIR} -type f -depth 1 -print0 | \
-	    xargs -0 -n1 ${SCRIPTSDIR}/cleanfile
-
-glint: sweep style-fix plist-fix lint
+glint: sweep lint
 
 revision:
 	@MAKE=${MAKE} ${SCRIPTSDIR}/revbump.sh ${.CURDIR}
 
-STYLEDIRS?=	src/etc/inc src/opnsense
-
-style: check
-	@: > ${.CURDIR}/.style.out
-.for STYLEDIR in ${STYLEDIRS}
-	@if [ -d ${.CURDIR}/${STYLEDIR} ]; then \
-		(phpcs --standard=${PLUGINSDIR}/ruleset.xml \
-		    ${.CURDIR}/${STYLEDIR} || true) > \
-		    ${.CURDIR}/.style.out; \
-	fi
-.endfor
-	@echo -n "Total number of style warnings: "
-	@grep '| WARNING' ${.CURDIR}/.style.out | wc -l
-	@echo -n "Total number of style errors:   "
-	@grep '| ERROR' ${.CURDIR}/.style.out | wc -l
-	@cat ${.CURDIR}/.style.out
-	@rm ${.CURDIR}/.style.out
-
-style-fix: check
-.for STYLEDIR in ${STYLEDIRS}
-	@if [ -d ${.CURDIR}/${STYLEDIR} ]; then \
-		phpcbf --standard=${PLUGINSDIR}/ruleset.xml \
-		    ${.CURDIR}/${STYLEDIR} || true; \
-	fi
-.endfor
-
-style-python: check
-	@if [ -d ${.CURDIR}/src ]; then \
-		pycodestyle --ignore=E501 ${.CURDIR}/src || true; \
-	fi
-
-style-model:
-	@if [ -d ${.CURDIR}/src/opnsense/mvc/app/models ]; then \
-		for MODEL in $$(find ${.CURDIR}/src/opnsense/mvc/app/models -depth 3 \
-		    -name "*.xml"); do \
-			perl -i -pe 's/<default>(.*?)<\/default>/<Default>$$1<\/Default>/g' $${MODEL}; \
-			perl -i -pe 's/<multiple>(.*?)<\/multiple>/<Multiple>$$1<\/Multiple>/g' $${MODEL}; \
-			perl -i -pe 's/<required>(.*?)<\/required>/<Required>$$1<\/Required>/g' $${MODEL}; \
-			perl -i -pe 's/<mask>(.*?)<\/mask>/<Mask>$$1<\/Mask>/g' $${MODEL}; \
-			perl -i -pe 's/<asList>(.*?)<\/asList>/<AsList>$$1<\/AsList>/g' $${MODEL}; \
-		done; \
-	fi
-
 test: check
 	@if [ -d ${.CURDIR}/src/opnsense/mvc/tests ]; then \
 		cd ${LOCALBASE}/opnsense/mvc/tests && \
@@ -423,4 +372,4 @@ commit: ensure-workdirs
 	@/bin/echo -n "${.CURDIR:C/\// /g:[-2]}/${.CURDIR:C/\// /g:[-1]}: " > \
 	    ${WRKDIR}/.commitmsg && git commit -eF ${WRKDIR}/.commitmsg .
 
-.PHONY:	check plist-fix
+.PHONY:	check
diff --git a/Mk/style.mk b/Mk/style.mk
new file mode 100644
index 0000000000..ec11a8d2b3
--- /dev/null
+++ b/Mk/style.mk
@@ -0,0 +1,28 @@
+# Copyright (c) 2025 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+CORE_PYTHON_DOT=       ${PLUGIN_PYTHON:C/./&./1}
+
+.-include "${PLUGINSDIR}/../core/Mk/style.mk"
diff --git a/Mk/sweep.mk b/Mk/sweep.mk
new file mode 100644
index 0000000000..ced1d0ea34
--- /dev/null
+++ b/Mk/sweep.mk
@@ -0,0 +1,26 @@
+# Copyright (c) 2025 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+.-include "${PLUGINSDIR}/../core/Mk/sweep.mk"

From cd562d74eca4c49e963857e4c11c0d4a29bc6473 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 15:04:18 +0200
Subject: [PATCH 2584/3088] make: functional glue for previous

---
 Makefile          |   3 +-
 Mk/style.mk       |   4 +-
 Scripts/cleanfile | 185 ----------------------------------------------
 ruleset.xml       |  10 ---
 4 files changed, 4 insertions(+), 198 deletions(-)
 delete mode 100755 Scripts/cleanfile
 delete mode 100644 ruleset.xml

diff --git a/Makefile b/Makefile
index e62676f339..e5292cca8a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# Copyright (c) 2015-2024 Franco Fichtner <franco@opnsense.org>
+# Copyright (c) 2015-2025 Franco Fichtner <franco@opnsense.org>
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
@@ -29,7 +29,6 @@ all:
 .include "Mk/defaults.mk"
 
 CATEGORIES!=	ls -1d [a-z0-9]*
-CATEGORIES:=	${CATEGORIES:Nruleset.xml}
 
 .for CATEGORY in ${CATEGORIES}
 _${CATEGORY}!=	ls -1d ${CATEGORY}/*
diff --git a/Mk/style.mk b/Mk/style.mk
index ec11a8d2b3..3168f94a8c 100644
--- a/Mk/style.mk
+++ b/Mk/style.mk
@@ -23,6 +23,8 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
-CORE_PYTHON_DOT=       ${PLUGIN_PYTHON:C/./&./1}
+CORE_PYTHON_DOT=${PLUGIN_PYTHON:C/./&./1}
 
 .-include "${PLUGINSDIR}/../core/Mk/style.mk"
+
+style-php: ensure-workdirs
diff --git a/Scripts/cleanfile b/Scripts/cleanfile
deleted file mode 100755
index 8abf76025b..0000000000
--- a/Scripts/cleanfile
+++ /dev/null
@@ -1,185 +0,0 @@
-#!/usr/bin/env perl
-#
-# Clean a text file -- or directory of text files -- of stealth whitespace.
-# WARNING: this can be a highly destructive operation.  Use with caution.
-#
-
-use bytes;
-use File::Basename;
-
-# Default options
-$max_width = 0;
-
-# Clean up space-tab sequences, either by removing spaces or
-# replacing them with tabs.
-sub clean_space_tabs($)
-{
-    no bytes;			# Tab alignment depends on characters
-
-    my($li) = @_;
-    my($lo) = '';
-    my $pos = 0;
-    my $nsp = 0;
-    my($i, $c);
-
-    for ($i = 0; $i < length($li); $i++) {
-	$c = substr($li, $i, 1);
-	if ($c eq "\t") {
-	    my $npos = ($pos+$nsp+8) & ~7;
-	    my $ntab = ($npos >> 3) - ($pos >> 3);
-	    $lo .= "\t" x $ntab;
-	    $pos = $npos;
-	    $nsp = 0;
-	} elsif ($c eq "\n" || $c eq "\r") {
-	    $lo .= " " x $nsp;
-	    $pos += $nsp;
-	    $nsp = 0;
-	    $lo .= $c;
-	    $pos = 0;
-	} elsif ($c eq " ") {
-	    $nsp++;
-	} else {
-	    $lo .= " " x $nsp;
-	    $pos += $nsp;
-	    $nsp = 0;
-	    $lo .= $c;
-	    $pos++;
-	}
-    }
-    $lo .= " " x $nsp;
-    return $lo;
-}
-
-# Compute the visual width of a string
-sub strwidth($) {
-    no bytes;			# Tab alignment depends on characters
-
-    my($li) = @_;
-    my($c, $i);
-    my $pos = 0;
-    my $mlen = 0;
-
-    for ($i = 0; $i < length($li); $i++) {
-	$c = substr($li,$i,1);
-	if ($c eq "\t") {
-	    $pos = ($pos+8) & ~7;
-	} elsif ($c eq "\n") {
-	    $mlen = $pos if ($pos > $mlen);
-	    $pos = 0;
-	} else {
-	    $pos++;
-	}
-    }
-
-    $mlen = $pos if ($pos > $mlen);
-    return $mlen;
-}
-
-$name = basename($0);
-
-@files = ();
-
-while (defined($a = shift(@ARGV))) {
-    if ($a =~ /^-/) {
-	if ($a eq '-width' || $a eq '-w') {
-	    $max_width = shift(@ARGV)+0;
-	} else {
-	    print STDERR "Usage: $name [-width #] files...\n";
-	    exit 1;
-	}
-    } else {
-	push(@files, $a);
-    }
-}
-
-foreach $f ( @files ) {
-    print STDERR "$name: $f\n";
-
-    if (! -f $f) {
-	print STDERR "$f: not a file\n";
-	next;
-    }
-
-    if (!open(FILE, '+<', $f)) {
-	print STDERR "$name: Cannot open file: $f: $!\n";
-	next;
-    }
-
-    binmode FILE;
-
-    # First, verify that it is not a binary file; consider any file
-    # with a zero byte to be a binary file.  Is there any better, or
-    # additional, heuristic that should be applied?
-    $is_binary = 0;
-
-    while (read(FILE, $data, 65536) > 0) {
-	if ($data =~ /\0/) {
-	    $is_binary = 1;
-	    last;
-	}
-    }
-
-    if ($is_binary) {
-	print STDERR "$name: $f: binary file\n";
-	next;
-    }
-
-    seek(FILE, 0, 0);
-
-    $in_bytes = 0;
-    $out_bytes = 0;
-    $blank_bytes = 0;
-
-    @blanks = ();
-    @lines  = ();
-    $last = "\n";
-    $lineno = 0;
-
-    while ( defined($line = <FILE>) ) {
-	$lineno++;
-	$in_bytes += length($line);
-	$line =~ s/[ \t\r]*$//;		# Remove trailing spaces
-	$line = clean_space_tabs($line);
-	$last = $line;
-
-	if ( $line eq "\n" ) {
-	    push(@blanks, $line);
-	    $blank_bytes += length($line);
-	} else {
-	    push(@lines, @blanks);
-	    $out_bytes += $blank_bytes;
-	    push(@lines, $line);
-	    $out_bytes += length($line);
-	    @blanks = ();
-	    $blank_bytes = 0;
-	}
-
-	$l_width = strwidth($line);
-	if ($max_width && $l_width > $max_width) {
-	    print STDERR
-		"$f:$lineno: line exceeds $max_width characters ($l_width)\n";
-	}
-    }
-
-    if ( chop($last) ne "\n" ) {
-	# fix missing newline at EOF
-	push(@lines, "\n");
-	# increment input bytes to signal character append
-	$in_bytes += 1;
-    }
-
-    # Any blanks at the end of the file are discarded
-
-    if ($in_bytes != $out_bytes) {
-	# Only write to the file if changed
-	seek(FILE, 0, 0);
-	print FILE @lines;
-
-	if ( !defined($where = tell(FILE)) ||
-	     !truncate(FILE, $where) ) {
-	    die "$name: Failed to truncate modified file: $f: $!\n";
-	}
-    }
-
-    close(FILE);
-}
diff --git a/ruleset.xml b/ruleset.xml
deleted file mode 100644
index ff88d20ce9..0000000000
--- a/ruleset.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0"?>
-<ruleset name="PSR12+">
-  <description>Slightly enhanced version of the PSR12 standard</description>
-  <rule ref="Squiz.WhiteSpace.SemicolonSpacing"/>
-  <rule ref="Generic.CodeAnalysis.EmptyStatement"/>
-  <rule ref="Generic.CodeAnalysis.EmptyPHPStatement"/>
-  <rule ref="PSR12"/>
-  <exclude-pattern>*.css</exclude-pattern>
-  <exclude-pattern>*.js</exclude-pattern>
-</ruleset>

From 315502b57dd0af9b298fc34c0884ffe3a51c4467 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 15:23:57 +0200
Subject: [PATCH 2585/3088] dns/dnscrypt-proxy: new version and lint pass

---
 dns/dnscrypt-proxy/Makefile                      |  3 +--
 dns/dnscrypt-proxy/pkg-descr                     |  5 ++++-
 .../app/models/OPNsense/Dnscryptproxy/Dnsbl.xml  |  1 -
 .../models/OPNsense/Dnscryptproxy/General.xml    | 16 ++++------------
 .../models/OPNsense/Dnscryptproxy/Whitelist.xml  |  4 +---
 5 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 2f982bea54..d0b5eeb8bc 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		dnscrypt-proxy
-PLUGIN_VERSION=		1.15
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.16
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index 90d55760d8..f06697ce8b 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -1,10 +1,13 @@
 A flexible DNS proxy, with support for modern encrypted DNS protocols
 such as DNSCrypt v2 and DNS-over-HTTPS.
 
-
 Plugin Changelog
 ================
 
+1.16
+
+* Fix ODoH servers not working (contributed by Pascal Herget)
+
 1.15
 
 * Update plugin for dnscrypt-proxy 2.1 (contributed by Adrian Fedoreanu and Michael Muenz)
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
index 4b056064dd..188564ee6c 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
@@ -8,7 +8,6 @@
             <Required>Y</Required>
         </enabled>
         <type type="OptionField">
-            <Required>N</Required>
             <Multiple>Y</Multiple>
             <OptionValues>
                 <aa>AdAway List</aa>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
index 435c9713b2..b942d30b08 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/General.xml
@@ -39,7 +39,7 @@
             <Required>Y</Required>
         </doh_servers>
         <odoh_servers type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </odoh_servers>
         <require_dnssec type="BooleanField">
@@ -58,9 +58,7 @@
             <Default>0</Default>
             <Required>Y</Required>
         </force_tcp>
-        <proxy type="TextField">
-            <Required>N</Required>
-        </proxy>
+        <proxy type="TextField"/>
         <timeout type="IntegerField">
             <Default>2500</Default>
             <Required>Y</Required>
@@ -137,21 +135,15 @@
             <MaximumValue>86400</MaximumValue>
             <ValidationMessage>Choose a number between 1 and 86400.</ValidationMessage>
         </cache_neg_max_ttl>
-        <serverlist type="CSVListField">
-            <Required>N</Required>
-        </serverlist>
+        <serverlist type="CSVListField"/>
         <query_logs type="BooleanField">
             <Default>1</Default>
             <Required>Y</Required>
         </query_logs>
         <disabled_serverlist type="CSVListField">
             <Mask>/^[A-Za-z0-9\._\-]{1,70}(,[A-Za-z0-9\._\-]{1,70})*$/</Mask>
-            <Default></Default>
-            <Required>N</Required>
             <ValidationMessage>Please use valid server names.</ValidationMessage>
         </disabled_serverlist>
-        <relaylist type="CSVListField">
-            <Required>N</Required>
-        </relaylist>
+        <relaylist type="CSVListField"/>
     </items>
 </model>
diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml
index ae33ad3f66..c3d65113e7 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Whitelist.xml
@@ -12,9 +12,7 @@
                 <name type="TextField">
                     <Required>Y</Required>
                 </name>
-                <description type="TextField">
-                    <Required>N</Required>
-                </description>
+                <description type="TextField"/>
             </whitelist>
         </whitelists>
     </items>

From da2712019ecfbe2238e7dd3bfffd8f736a0d7da4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 15:26:05 +0200
Subject: [PATCH 2586/3088] security/acme-client: small lint fixes

---
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 0d21673493..e9dbfa6d1e 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -226,7 +226,7 @@
                             </filters>
                         </accounts>
                     </Model>
-                    <ValidationMessage>Related item not found</ValidationMessage>
+                    <ValidationMessage>Related item not found.</ValidationMessage>
                     <Multiple>N</Multiple>
                     <Required>Y</Required>
                 </account>
@@ -241,7 +241,7 @@
                             </filters>
                         </validations>
                     </Model>
-                    <ValidationMessage>Related item not found</ValidationMessage>
+                    <ValidationMessage>Related item not found.</ValidationMessage>
                     <Multiple>N</Multiple>
                     <Required>Y</Required>
                 </validationMethod>
@@ -271,7 +271,7 @@
                             </filters>
                         </actions>
                     </Model>
-                    <ValidationMessage>Related automation not found</ValidationMessage>
+                    <ValidationMessage>Related automation not found.</ValidationMessage>
                     <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
@@ -389,7 +389,7 @@
                             </filters>
                         </frontends>
                     </Model>
-                    <ValidationMessage>Related HAProxy frontend not found</ValidationMessage>
+                    <ValidationMessage>Related HAProxy frontend not found.</ValidationMessage>
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </http_haproxyFrontends>
@@ -1413,7 +1413,7 @@
                 </sftp_chmod_key>
                 <sftp_modtime type="BooleanField">
                     <Required>N</Required>
-                    <default>0</default>
+                    <Default>0</Default>
                 </sftp_modtime>
                 <sftp_filename_cert type="TextField">
                     <Required>N</Required>
@@ -1603,41 +1603,41 @@
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxve_tokenkey>
                 <acme_proxmoxbs_user type="TextField">
-                    <default>root</default>
+                    <Default>root</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxbs_user>
                 <acme_proxmoxbs_server type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxbs_server>
                 <acme_proxmoxbs_port type="PortField">
-                    <default>8007</default>
+                    <Default>8007</Default>
                     <Required>N</Required>
                 </acme_proxmoxbs_port>
                 <acme_proxmoxbs_nodename type="TextField">
                     <Required>N</Required>
-                    <default>localhost</default>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Default>localhost</Default>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxbs_nodename>
                 <acme_proxmoxbs_realm type="TextField">
-                    <default>pam</default>
+                    <Default>pam</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxbs_realm>
                 <acme_proxmoxbs_tokenid type="TextField">
-                    <default>acme</default>
+                    <Default>acme</Default>
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxbs_tokenid>
                 <acme_proxmoxbs_tokenkey type="TextField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxbs_tokenkey>
                 <acme_truenas_apikey type="TextField">

From fa2d3e97da5a4a328b05f5419f4e096a1c8957d5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 29 Jul 2025 15:28:34 +0200
Subject: [PATCH 2587/3088] security/netbird: small lint pass

---
 .../OPNsense/Netbird/Authentication.xml       |  5 ++--
 .../app/models/OPNsense/Netbird/Settings.xml  | 24 +++++++++----------
 2 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
index 00433f7cff..c12afa3b2e 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
@@ -5,13 +5,12 @@
     <items>
         <managementUrl type="UrlField">
             <Required>Y</Required>
-            <default>https://api.netbird.io:443</default>
-            <ValidationMessage>Please specify a valid URL</ValidationMessage>
+            <Default>https://api.netbird.io:443</Default>
         </managementUrl>
         <setupKey type="TextField">
             <Required>Y</Required>
             <Mask>/^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$/i</Mask>
-            <ValidationMessage>Please specify a valid setup key</ValidationMessage>
+            <ValidationMessage>Please specify a valid setup key.</ValidationMessage>
         </setupKey>
     </items>
 </model>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
index e76abf89ed..0d9fa123c5 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
@@ -5,60 +5,60 @@
     <items>
         <general>
             <enable type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </enable>
             <wireguardPort type="IntegerField">
-                <default>51820</default>
+                <Default>51820</Default>
                 <Required>Y</Required>
                 <minimum>1</minimum>
                 <maximum>65535</maximum>
-                <ValidationMessage>Please specify a valid port</ValidationMessage>
+                <ValidationMessage>Please specify a valid port.</ValidationMessage>
             </wireguardPort>
         </general>
         <firewall>
             <allowConfig type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </allowConfig>
             <blockInboundConnection type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </blockInboundConnection>
         </firewall>
         <ssh>
             <enable type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </enable>
         </ssh>
         <dns>
             <enable type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </enable>
         </dns>
         <routing>
             <accessLan type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </accessLan>
             <acceptClientRoutes type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </acceptClientRoutes>
             <acceptServerRoutes type="BooleanField">
-                <default>1</default>
+                <Default>1</Default>
                 <Required>Y</Required>
             </acceptServerRoutes>
         </routing>
         <postquantum>
             <enableRosenpass type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </enableRosenpass>
             <rosenpassPermissive type="BooleanField">
-                <default>0</default>
+                <Default>0</Default>
                 <Required>Y</Required>
             </rosenpassPermissive>
         </postquantum>

From 752d5a940f546b92b1dbfcdde9a5ce0f71741ab9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 30 Jul 2025 09:34:54 +0200
Subject: [PATCH 2588/3088] make: migrate git glue

---
 Makefile       | 12 +++++---
 Mk/defaults.mk | 84 ++------------------------------------------------
 Mk/git.mk      | 30 ++++++++++++++++++
 Mk/plugins.mk  |  7 ++---
 4 files changed, 44 insertions(+), 89 deletions(-)
 create mode 100644 Mk/git.mk

diff --git a/Makefile b/Makefile
index e5292cca8a..a2fca2b398 100644
--- a/Makefile
+++ b/Makefile
@@ -23,10 +23,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
-all:
-	@cat ${.CURDIR}/README.md | ${PAGER}
-
-.include "Mk/defaults.mk"
+PLUGINSDIR?=	${.CURDIR}
 
 CATEGORIES!=	ls -1d [a-z0-9]*
 
@@ -35,6 +32,13 @@ _${CATEGORY}!=	ls -1d ${CATEGORY}/*
 PLUGIN_DIRS+=	${_${CATEGORY}}
 .endfor
 
+all:
+	@cat ${.CURDIR}/README.md | ${PAGER}
+
+.include "Mk/defaults.mk"
+.include "Mk/common.mk"
+.include "Mk/git.mk"
+
 list:
 .for PLUGIN_DIR in ${PLUGIN_DIRS}
 	@echo ${PLUGIN_DIR} -- $$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_COMMENT) \
diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 79c3358659..2a20886b11 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -34,6 +34,9 @@ PKG=		true
 .endif
 GIT!=		which git || echo true
 
+SCRIPTSDIR=	${PLUGINSDIR}/Scripts
+TEMPLATESDIR=	${PLUGINSDIR}/Templates
+
 GITVERSION=	${SCRIPTSDIR}/version.sh
 
 _PLUGIN_ARCH!=	uname -p
@@ -89,84 +92,3 @@ SED_REPLACE=	# empty
 .for REPLACEMENT in ${REPLACEMENTS}
 SED_REPLACE+=	-e "s=%%${REPLACEMENT}%%=${${REPLACEMENT}}=g"
 .endfor
-
-ARGS=	diff feed mfc
-
-# handle argument expansion for required targets
-.for TARGET in ${.TARGETS}
-_TARGET=		${TARGET:C/\-.*//}
-.if ${_TARGET} != ${TARGET}
-.for ARGUMENT in ${ARGS}
-.if ${_TARGET} == ${ARGUMENT}
-${_TARGET}_ARGS+=	${TARGET:C/^[^\-]*(\-|\$)//:S/,/ /g}
-${TARGET}: ${_TARGET}
-.endif
-.endfor
-${_TARGET}_ARG=		${${_TARGET}_ARGS:[0]}
-.endif
-.endfor
-
-ensure-stable:
-	@if ! git show-ref --verify --quiet refs/heads/${PLUGIN_STABLE}; then \
-		git update-ref refs/heads/${PLUGIN_STABLE} refs/remotes/origin/${PLUGIN_STABLE}; \
-		git config branch.${PLUGIN_STABLE}.merge refs/heads/${PLUGIN_STABLE}; \
-		git config branch.${PLUGIN_STABLE}.remote origin; \
-	fi
-
-diff_ARGS?= 	.
-
-diff: ensure-stable
-	@git diff --stat -p ${PLUGIN_STABLE} ${.CURDIR}/${diff_ARGS:[1]}
-
-feed: ensure-stable
-	@git log --stat -p --reverse ${PLUGIN_STABLE}...${feed_ARGS:[1]}~1
-
-mfc_ARGS?=	.
-
-mfc: ensure-stable
-.for MFC in ${mfc_ARGS}
-.if exists(${MFC})
-	@git diff --stat -p ${PLUGIN_STABLE} ${.CURDIR}/${MFC} > /tmp/mfc.diff
-	@git checkout ${PLUGIN_STABLE}
-	@git apply /tmp/mfc.diff
-	@git add ${.CURDIR}/${MFC}
-	@if ! git diff --quiet HEAD; then \
-		git commit -m "${MFC:S/^.$/${PLUGIN_DIR}/}: sync with ${PLUGIN_MAIN}"; \
-	fi
-.else
-	@git checkout ${PLUGIN_STABLE}
-	@if ! git cherry-pick -x ${MFC}; then \
-		git cherry-pick --abort; \
-	fi
-.endif
-	@git checkout ${PLUGIN_MAIN}
-.endfor
-
-stable:
-	@git checkout ${PLUGIN_STABLE}
-
-${PLUGIN_MAINS}:
-	@git checkout ${PLUGIN_MAIN}
-
-rebase:
-	@git checkout ${PLUGIN_STABLE}
-	@git rebase -i
-	@git checkout ${PLUGIN_MAIN}
-
-log:
-	@git log --stat -p ${PLUGIN_STABLE}
-
-pull:
-	@git checkout ${PLUGIN_STABLE}
-	@git pull
-	@git checkout ${PLUGIN_MAIN}
-
-push:
-	@git checkout ${PLUGIN_STABLE}
-	@git push
-	@git checkout ${PLUGIN_MAIN}
-
-reset:
-	@git checkout ${PLUGIN_STABLE}
-	@git reset --hard HEAD~1
-	@git checkout ${PLUGIN_MAIN}
diff --git a/Mk/git.mk b/Mk/git.mk
new file mode 100644
index 0000000000..5ef0bcd1f2
--- /dev/null
+++ b/Mk/git.mk
@@ -0,0 +1,30 @@
+# Copyright (c) 2025 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+CORE_MAIN=	${PLUGIN_MAIN}
+CORE_MAINS=	${PLUGIN_MAINS}
+CORE_STABLE=	${PLUGIN_STABLE}
+
+.-include "${PLUGINSDIR}/../core/Mk/git.mk"
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 4b939330b0..e640b074b4 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -23,15 +23,13 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
+PLUGINSDIR?=		${.CURDIR}/../..
+
 all: check
 	@cat ${.CURDIR}/${PLUGIN_DESC} | ${PAGER}
 
 .include "defaults.mk"
 
-PLUGINSDIR?=		${.CURDIR}/../..
-SCRIPTSDIR=		${PLUGINSDIR}/Scripts
-TEMPLATESDIR=		${PLUGINSDIR}/Templates
-
 .if exists(${GIT}) && exists(${GITVERSION})
 PLUGIN_COMMIT!=		${GITVERSION}
 .else
@@ -53,6 +51,7 @@ PLUGIN_REQUIRES=	PLUGIN_NAME PLUGIN_VERSION PLUGIN_COMMENT \
 			PLUGIN_MAINTAINER
 
 .include "common.mk"
+.include "git.mk"
 .include "lint.mk"
 .include "style.mk"
 .include "sweep.mk"

From 47f0d10114de8d56d22fa4edb6f7c7ea57cd7fe1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 30 Jul 2025 09:54:30 +0200
Subject: [PATCH 2589/3088] make: MFCDIR changes

Provide the work directory variables for standalone use.
---
 Mk/common.mk  |  5 +++++
 Mk/plugins.mk | 12 +++---------
 Mk/style.mk   |  2 --
 3 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/Mk/common.mk b/Mk/common.mk
index bfd8be9ffd..d0919334f8 100644
--- a/Mk/common.mk
+++ b/Mk/common.mk
@@ -23,4 +23,9 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
+WRKDIR?=${.CURDIR}/work
+WRKSRC?=${WRKDIR}/src
+PKGDIR?=${WRKDIR}/pkg
+MFCDIR?=/tmp/mfc.dir
+
 .-include "${PLUGINSDIR}/../core/Mk/common.mk"
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index e640b074b4..246a626136 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -305,13 +305,6 @@ remove: check
 		fi; \
 	done
 
-WRKDIR?=${.CURDIR}/work
-WRKSRC?=${WRKDIR}/src
-PKGDIR?=${WRKDIR}/pkg
-
-ensure-workdirs:
-	@mkdir -p ${WRKSRC} ${PKGDIR}
-
 package: check
 	@rm -rf ${WRKSRC}
 	@mkdir -p ${WRKSRC} ${PKGDIR}
@@ -367,8 +360,9 @@ test: check
 		    ${.CURDIR}/src/opnsense/mvc/tests; \
 	fi
 
-commit: ensure-workdirs
+commit:
+	@mkdir -p ${MFCDIR}
 	@/bin/echo -n "${.CURDIR:C/\// /g:[-2]}/${.CURDIR:C/\// /g:[-1]}: " > \
-	    ${WRKDIR}/.commitmsg && git commit -eF ${WRKDIR}/.commitmsg .
+	    ${MFCDIR}/.commitmsg && git commit -eF ${MFCDIR}/.commitmsg .
 
 .PHONY:	check
diff --git a/Mk/style.mk b/Mk/style.mk
index 3168f94a8c..e9dcc839fd 100644
--- a/Mk/style.mk
+++ b/Mk/style.mk
@@ -26,5 +26,3 @@
 CORE_PYTHON_DOT=${PLUGIN_PYTHON:C/./&./1}
 
 .-include "${PLUGINSDIR}/../core/Mk/style.mk"
-
-style-php: ensure-workdirs

From df710980507be22d972461d03547d5300d0d9a0f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 30 Jul 2025 09:58:14 +0200
Subject: [PATCH 2590/3088] net/frr: bump revision

---
 net/frr/Makefile  | 1 +
 net/frr/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index e32c37a32c..18cc19683a 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.45
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 92bbbd4dfa..6ef350023c 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -18,6 +18,7 @@ Plugin Changelog
 * Add BGP listen range to peer groups (opnsense/plugins/pull/4722)
 * Fix peer group activation (opnsense/plugins/pull/4777)
 * Switch to FRR 10 (opnsense/plugins/pull/4741)
+* Further adjustments for FRR 10
 
 1.44
 

From 0980d86e071ca7b8c922d141a3686e6e1dcb7e17 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 31 Jul 2025 13:54:31 +0200
Subject: [PATCH 2591/3088] net/wol: Fix command buttons not in grid (#4854)

---
 net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt b/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
index 2fccf74d63..61dd88fd0c 100644
--- a/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
+++ b/net/wol/src/opnsense/mvc/app/views/OPNsense/Wol/index.volt
@@ -50,7 +50,7 @@ $( document ).ready(function() {
             selection:false,
             multiSelect:false,
             formatters: {
-              "commandswithwake": function (column, row) {
+              "commands": function (column, row) {
                 return "<button type=\"button\" class=\"btn btn-xs btn-default command-wake\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clock-o\"></span></button> " +
                     "<button type=\"button\" class=\"btn btn-xs btn-default command-edit\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-pencil\"></span></button> " +
                     "<button type=\"button\" class=\"btn btn-xs btn-default command-copy\" data-row-id=\"" + row.uuid + "\"><span class=\"fa fa-clone\"></span></button>" +
@@ -111,7 +111,7 @@ $( document ).ready(function() {
                 <th data-column-id="interface" data-type="string" data-visible="true">{{ lang._('Interface') }}</th>
                 <th data-column-id="mac" data-type="string" data-visible="true">{{ lang._('MAC') }}</th>
                 <th data-column-id="descr" data-type="string" data-identifier="true">{{ lang._('Description') }}</th>
-                <th data-column-id="commands" data-formatter="commandswithwake" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="commands" data-formatter="commands" data-sortable="false" data-width="130">{{ lang._('Commands') }}</th>
             </tr>
         </thead>
         <tbody>

From bb2097f8b7babd06efa9646174f84eaeff56a0cf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 31 Jul 2025 21:11:30 +0200
Subject: [PATCH 2592/3088] net/wol: fix another one

---
 net/wol/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index 6d3d25beed..19e6aa94dd 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wol
 PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 PLUGIN_MAINTAINER=	franco@opnsense.org

From a0b64a64bd1822b332ffaaa690412fa0509934dc Mon Sep 17 00:00:00 2001
From: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
Date: Fri, 1 Aug 2025 09:07:12 +0300
Subject: [PATCH 2593/3088] security/netbird: Fix service startup failure
 (#4855)

---
 security/netbird/Makefile                                       | 1 +
 .../src/opnsense/service/templates/OPNsense/Netbird/netbird     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index 619b7b3a9c..94eb027d84 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		netbird
 PLUGIN_VERSION=		0.2
+PLUGIN_REVISION=		1
 PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
 PLUGIN_MAINTAINER=	dev@netbird.io
diff --git a/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird b/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
index 4dbbedb8e5..d4d96d22cf 100644
--- a/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
+++ b/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
@@ -1,4 +1,4 @@
-{% if OPNsense.netbird.general.enable == '1' %}
+{% if OPNsense.netbird.settings.general.enable == '1' %}
 netbird_enable="YES"
 {% else %}
 netbird_enable="NO"

From 73ff21ea76ac552cd27bc5a2f9d514e7ca2df7dc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 Aug 2025 09:18:49 +0200
Subject: [PATCH 2594/3088] make: minor alignment to directory definitions

Belong to defaults so common should not offer them.
---
 Mk/common.mk   | 5 -----
 Mk/defaults.mk | 6 ++++++
 Mk/plugins.mk  | 9 ++++-----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/Mk/common.mk b/Mk/common.mk
index d0919334f8..bfd8be9ffd 100644
--- a/Mk/common.mk
+++ b/Mk/common.mk
@@ -23,9 +23,4 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
-WRKDIR?=${.CURDIR}/work
-WRKSRC?=${WRKDIR}/src
-PKGDIR?=${WRKDIR}/pkg
-MFCDIR?=/tmp/mfc.dir
-
 .-include "${PLUGINSDIR}/../core/Mk/common.mk"
diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 2a20886b11..5142592ea2 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -92,3 +92,9 @@ SED_REPLACE=	# empty
 .for REPLACEMENT in ${REPLACEMENTS}
 SED_REPLACE+=	-e "s=%%${REPLACEMENT}%%=${${REPLACEMENT}}=g"
 .endfor
+
+WRKDIR?=	${.CURDIR}/work
+MFCDIR?=	/tmp/mfc.dir
+PKGDIR?=	${WRKDIR}/pkg
+WRKSRC?=	${WRKDIR}/src
+TESTDIR?=	${.CURDIR}/src/opnsense/mvc/tests
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 246a626136..96427a06cc 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -354,11 +354,10 @@ revision:
 	@MAKE=${MAKE} ${SCRIPTSDIR}/revbump.sh ${.CURDIR}
 
 test: check
-	@if [ -d ${.CURDIR}/src/opnsense/mvc/tests ]; then \
-		cd ${LOCALBASE}/opnsense/mvc/tests && \
-		    phpunit --configuration PHPunit.xml \
-		    ${.CURDIR}/src/opnsense/mvc/tests; \
-	fi
+.if exists(${TESTDIR})
+	@cd ${TESTDIR} && phpunit || true; \
+	    rm -rf ${TESTDIR}/.phpunit.result.cache
+.endif
 
 commit:
 	@mkdir -p ${MFCDIR}

From 7a9c2eca888768c1c666c677b26ce3efe20aaa6b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 2 Aug 2025 12:38:09 +0200
Subject: [PATCH 2595/3088] net/frr: Add address family selection to peer
 groups (#4861)

* net/frr: Add address family selection to peer groups
---
 net/frr/Makefile                                      |  2 +-
 net/frr/pkg-descr                                     |  1 +
 .../OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml |  7 +++++++
 .../opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml   | 11 ++++++++++-
 .../service/templates/OPNsense/Quagga/bgpd.conf       |  2 +-
 5 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 18cc19683a..3a81472569 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.45
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 6ef350023c..40f4e95462 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -19,6 +19,7 @@ Plugin Changelog
 * Fix peer group activation (opnsense/plugins/pull/4777)
 * Switch to FRR 10 (opnsense/plugins/pull/4741)
 * Further adjustments for FRR 10
+* Add address family selection to peer groups (opnsense/plugins/pull/4861)
 
 1.44
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
index 50f122d474..4f1ad2a72a 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPPeergroups.xml
@@ -33,6 +33,13 @@
       <visible>false</visible>
     </grid_view>
   </field>
+  <field>
+    <id>peergroup.family</id>
+    <label>Address Family</label>
+    <type>dropdown</type>
+    <type>select_multiple</type>
+    <help>Select which address families to activate for this peer group.</help>
+  </field>
   <field>
     <id>peergroup.listenranges</id>
     <label>Listen Ranges</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 5253f02333..eed6157a04 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bgp</mount>
     <description>BGP Routing configuration</description>
-    <version>1.1.0</version>
+    <version>1.1.1</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
@@ -439,6 +439,15 @@
                                 <MinimumValue>1</MinimumValue>
                                 <MaximumValue>4294967295</MaximumValue>
                         </remoteas>
+                        <family type="OptionField">
+                                <Required>Y</Required>
+                                <Default>ipv4</Default>
+                                <Multiple>Y</Multiple>
+                                <OptionValues>
+                                        <ipv4>IPv4</ipv4>
+                                        <ipv6>IPv6</ipv6>
+                                </OptionValues>
+                        </family>
                         <listenranges type="NetworkField">
                                 <FieldSeparator>,</FieldSeparator>
                                 <AsList>Y</AsList>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 4e29d37076..5f64a9bc39 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -163,7 +163,7 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
   network {{ network }}
 {%   endfor %}
 {%   for peergroup in helpers.toList('OPNsense.quagga.bgp.peergroups.peergroup') %}
-{%     if peergroup.enabled == '1' %}
+{%     if peergroup.enabled == '1' and (addressFamily in peergroup.family.split(',')) %}
   neighbor {{ peergroup.name }} activate
 {%     endif %}
 {%   endfor %}

From d51930bffad504573f570c1923b27a4e56d8a1f0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 Aug 2025 08:46:34 +0200
Subject: [PATCH 2596/3088] net/frr: new version is better when adding new
 fields

---
 net/frr/Makefile  | 3 +--
 net/frr/pkg-descr | 5 ++++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 3a81472569..685a0d63e2 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.45
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.46
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 40f4e95462..101a43e630 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.46
+
+* Add address family selection to peer groups (opnsense/plugins/pull/4861)
+
 1.45
 
 * Add neighbor config to OSPF (contributed by Andy Binder) (opnsense/plugins/pull/4694)
@@ -19,7 +23,6 @@ Plugin Changelog
 * Fix peer group activation (opnsense/plugins/pull/4777)
 * Switch to FRR 10 (opnsense/plugins/pull/4741)
 * Further adjustments for FRR 10
-* Add address family selection to peer groups (opnsense/plugins/pull/4861)
 
 1.44
 

From 4e0b1e95b6c5325271f1b15dad3c80d0568025e8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 Aug 2025 11:54:41 +0200
Subject: [PATCH 2597/3088] make: allow CATEGORY override

---
 Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index a2fca2b398..839ba7cce1 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,8 @@
 
 PLUGINSDIR?=	${.CURDIR}
 
-CATEGORIES!=	ls -1d [a-z0-9]*
+_CATEGORIES!=	ls -1d [a-z0-9]*
+CATEGORIES?=	${_CATEGORIES}
 
 .for CATEGORY in ${CATEGORIES}
 _${CATEGORY}!=	ls -1d ${CATEGORY}/*

From 2244a208431896bff9280d1cecc62e44c7f7fef9 Mon Sep 17 00:00:00 2001
From: KS <scoon405@gmail.com>
Date: Tue, 5 Aug 2025 18:05:23 +0300
Subject: [PATCH 2598/3088] nginx: fix PHP 8.2+ deprecation warnings (#4872)

* fix PHP 8.2+ deprecation warnings

* revision bump
---
 www/nginx/Makefile                                     | 2 +-
 www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 781e7d0018..a952c7337f 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	7
+PLUGIN_REVISION=	8
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
index d43ea8f981..7a4ee048e8 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
@@ -76,7 +76,7 @@ function modify_blocklist($tablename, array $allIps, $operation = "add"): void
     foreach (array_chunk($allIps, $chunkSize) as $ips) {
         $escapedIps = join(" ", array_map("escapeshellarg", $ips));
 
-        exec_hidden("/sbin/pfctl -t ${tablename} -T ${operation} ${escapedIps}");
+        exec_hidden("/sbin/pfctl -t {$tablename} -T {$operation} {$escapedIps}");
     }
 }
 
@@ -89,7 +89,7 @@ function read_all_from_blocklist($tablename)
         2 => ['file', "/dev/null", "w"],
     ];
 
-    $process = proc_open("/sbin/pfctl -t ${tablename} -T show", $descriptorspec, $pipes);
+    $process = proc_open("/sbin/pfctl -t {$tablename} -T show", $descriptorspec, $pipes);
     if (is_resource($process)) {
         $ips = [];
         while ($ip = fgets($pipes[1], 96)) {

From f8b9581270f8ac623fd83542bc51e03d33a9bdc5 Mon Sep 17 00:00:00 2001
From: KS <scoon405@gmail.com>
Date: Tue, 5 Aug 2025 20:23:19 +0300
Subject: [PATCH 2599/3088] wazuh: check if dir exists before creating it
 (#4874)

---
 security/wazuh-agent/Makefile                             | 2 +-
 security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index c9f4d49539..d7443b529f 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wazuh-agent
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php b/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
index edeebf971d..4b78ab5e0f 100755
--- a/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
+++ b/security/wazuh-agent/src/opnsense/scripts/wazuh/setup.php
@@ -56,7 +56,11 @@
  * Temporary solution to link log files so we can view at least the last items in the file easily for debug purposes
  * It looks like ossec is not able to log to syslog directly, which means our log files live outside our normal bounds
  **/
-mkdir("/var/log/wazuhagent/ossec/", 0700, true);
-mkdir("/var/log/wazuhagent/activeresponses/", 0700, true);
+if (!is_dir("/var/log/wazuhagent/ossec/")) {
+    mkdir("/var/log/wazuhagent/ossec/", 0700, true);
+}
+if (!is_dir("/var/log/wazuhagent/activeresponses/")) {
+    mkdir("/var/log/wazuhagent/activeresponses/", 0700, true);
+}
 @symlink("/var/ossec/logs/ossec.log", "/var/log/wazuhagent/ossec/ossec_99991231.log");
 @symlink("/var/ossec/logs/active-responses.log", "/var/log/wazuhagent/activeresponses/activeresponses_99991231.log");

From b9d21c1dd495789c482102ef6fa59bbfd176097b Mon Sep 17 00:00:00 2001
From: KS <scoon405@gmail.com>
Date: Tue, 5 Aug 2025 20:25:43 +0300
Subject: [PATCH 2600/3088] Clamav: fix DetectBrokenExecutables option (#4873)

---
 security/clamav/Makefile                                      | 3 +--
 security/clamav/pkg-descr                                     | 4 ++++
 .../mvc/app/controllers/OPNsense/ClamAV/forms/general.xml     | 2 +-
 .../src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/security/clamav/Makefile b/security/clamav/Makefile
index 992e58d017..92c7a19be6 100644
--- a/security/clamav/Makefile
+++ b/security/clamav/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		clamav
-PLUGIN_VERSION=		1.8
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.8.1
 PLUGIN_COMMENT=		Antivirus engine for detecting malicious threats
 PLUGIN_DEPENDS=		clamav
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/security/clamav/pkg-descr b/security/clamav/pkg-descr
index a601c42b35..ba2697c34f 100644
--- a/security/clamav/pkg-descr
+++ b/security/clamav/pkg-descr
@@ -9,6 +9,10 @@ database updates.
 Plugin Changelog
 ================
 
+1.8.1
+
+* Fixed detect broken executables option (contributed by @sopex)
+
 1.8
 
 * Use syslog for logging
diff --git a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
index aa7841f34d..d1cba308d0 100644
--- a/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
+++ b/security/clamav/src/opnsense/mvc/app/controllers/OPNsense/ClamAV/forms/general.xml
@@ -73,7 +73,7 @@
         <id>general.detectbroken</id>
         <label>Detect broken executables</label>
         <type>checkbox</type>
-        <help>With this option clamav will try to detect broken executables (both PE and ELF) and mark them as Broken.</help>
+        <help>With this option ClamAV will alert on broken executables (both PE and ELF) and mark them as Broken.</help>
     </field>
     <field>
         <id>general.scanole2</id>
diff --git a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf
index 88778b060d..7116c54286 100644
--- a/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf
+++ b/security/clamav/src/opnsense/service/templates/OPNsense/ClamAV/clamd.conf
@@ -38,7 +38,7 @@ ScanPE yes
 ScanELF yes
 {% endif %}
 {% if helpers.exists('OPNsense.clamav.general.detectbroken') and OPNsense.clamav.general.detectbroken == '1' %}
-DetectBrokenExecutables yes
+AlertBrokenExecutables yes
 {% endif %}
 {% if helpers.exists('OPNsense.clamav.general.scanole2') and OPNsense.clamav.general.scanole2 == '1' %}
 ScanOLE2 yes

From 08660b2142412ba59265b65dd08d6765618a1187 Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Wed, 6 Aug 2025 13:41:55 +0300
Subject: [PATCH 2601/3088] telegraf: fix internet speed tests saving mode
 (#4876)

---
 net-mgmt/telegraf/Makefile                                  | 3 +--
 net-mgmt/telegraf/pkg-descr                                 | 4 ++++
 .../mvc/app/controllers/OPNsense/Telegraf/forms/input.xml   | 6 +++---
 .../src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml | 6 +++---
 .../service/templates/OPNsense/Telegraf/telegraf.conf       | 4 ++--
 5 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index 74af3207ad..e16239dfc2 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.12
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.12.13
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 823f49d86f..bfcb0cd531 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.13
+
+* Implement memory_saving_mode formerly named enable_file_download (contributed by sopex)
+
 1.12.12
 
 * Fix for mixed ping plugin config (contributed by Alex Baulé)
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
index 8d79947185..4d1a16751c 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/input.xml
@@ -56,10 +56,10 @@
         <help>Enable the collection of data about the internet speed on the system.</help>
     </field>
     <field>
-        <id>input.internet_speed_file</id>
-        <label>Internet Speed File Download</label>
+        <id>input.internet_speed_saving</id>
+        <label>Internet Speed Test saving mode</label>
         <type>checkbox</type>
-        <help>Enable the file download speed test.</help>
+        <help>Not recommended if speed tests work. Reduces memory and computation needs, but accuracy is compromised at connections above 30Mbps.</help>
     </field>
     <field>
         <id>input.internet_speed_interval</id>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index f2edc64a37..773ce46b0b 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/telegraf/input</mount>
     <description>Telegraf inputs configuration</description>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <items>
         <cpu type="BooleanField">
             <Default>1</Default>
@@ -39,10 +39,10 @@
             <Default>0</Default>
             <Required>N</Required>
         </internet_speed>
-        <internet_speed_file type="BooleanField">
+        <internet_speed_saving type="BooleanField">
             <Default>0</Default>
             <Required>N</Required>
-        </internet_speed_file>
+        </internet_speed_saving>
         <internet_speed_interval type="IntegerField">
             <Default>360</Default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index fb03f9b8be..b5c1414c5c 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -279,8 +279,8 @@
 
 {% if helpers.exists('OPNsense.telegraf.input.internet_speed') and OPNsense.telegraf.input.internet_speed == '1' %}
 [[inputs.internet_speed]]
-{% if helpers.exists('OPNsense.telegraf.input.internet_speed_file') and OPNsense.telegraf.input.internet_speed_file == '1' %}
-  enable_file_download = true
+{% if helpers.exists('OPNsense.telegraf.input.internet_speed_saving') and OPNsense.telegraf.input.internet_speed_saving == '1' %}
+  memory_saving_mode = true
 {% endif %}
 {% if helpers.exists('OPNsense.telegraf.input.internet_speed_interval') and OPNsense.telegraf.input.internet_speed_interval != '' %}
   interval = "{{ OPNsense.telegraf.input.internet_speed_interval }}s"

From 8fe6a8dce69898cddd2a3bcfced8f5faf7f3eda9 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Thu, 7 Aug 2025 08:31:54 +0200
Subject: [PATCH 2602/3088] security/crowdsec: refactor service management,
 bump version (#4868)

* crowdsec: refactor service management

* allow disabling agent or lapi separately
---
 security/crowdsec/Makefile                    |  3 +-
 security/crowdsec/pkg-descr                   |  4 +
 security/crowdsec/src/etc/rc.d/oscrowdsec     |  4 +
 .../CrowdSec/Api/ServiceController.php        | 80 +++++--------------
 .../OPNsense/CrowdSec/forms/general.xml       |  2 +-
 .../app/models/OPNsense/CrowdSec/General.xml  |  2 +-
 .../app/views/OPNsense/CrowdSec/general.volt  |  2 +-
 .../scripts/OPNsense/CrowdSec/reconfigure.py  |  4 +
 .../scripts/OPNsense/CrowdSec/reconfigure.sh  |  2 +-
 .../OPNsense/CrowdSec/crowdsec.rc.conf.d      |  6 +-
 10 files changed, 44 insertions(+), 65 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index a039bb0c79..1d6d54f333 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		1.0.11
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.0.12
 PLUGIN_DEPENDS=		crowdsec
 PLUGIN_COMMENT=		Lightweight and collaborative security engine
 PLUGIN_MAINTAINER=	marco@crowdsec.net
diff --git a/security/crowdsec/pkg-descr b/security/crowdsec/pkg-descr
index b4f8618971..6547b151f5 100644
--- a/security/crowdsec/pkg-descr
+++ b/security/crowdsec/pkg-descr
@@ -8,6 +8,10 @@ WWW: https://crowdsec.net/
 Plugin Changelog
 ================
 
+1.0.12
+
+ * Fix and update service management (start/stop/reload/configure)
+
 1.0.11
 
 * convert tables to UIBootGrid (required for opnsense 25.7)
diff --git a/security/crowdsec/src/etc/rc.d/oscrowdsec b/security/crowdsec/src/etc/rc.d/oscrowdsec
index 0d310efd6b..87a34c703b 100755
--- a/security/crowdsec/src/etc/rc.d/oscrowdsec
+++ b/security/crowdsec/src/etc/rc.d/oscrowdsec
@@ -53,6 +53,10 @@ oscrowdsec_status () {
     service crowdsec status
     ret=$?
 
+    if ! service crowdsec_firewall enabled; then
+        return $ret
+    fi
+
     if ! service crowdsec_firewall status; then
         ret=1
     fi
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
index 40403a9150..f1918a01ba 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
@@ -5,76 +5,40 @@
 
 namespace OPNsense\CrowdSec\Api;
 
-use OPNsense\Base\ApiControllerBase;
+use OPNsense\Base\ApiMutableServiceControllerBase;
 use OPNsense\Core\Backend;
 
 /**
  * Class ServiceController
  * @package OPNsense\CrowdSec
  */
-class ServiceController extends ApiControllerBase
+class ServiceController extends ApiMutableServiceControllerBase
 {
-    /**
-     * reconfigure CrowdSec
-     *
-     * @return array Status result
-     */
-    public function reloadAction(): array
-    {
-        $status = "failed";
-        if ($this->request->isPost()) {
-            $backend = new Backend();
-            $bckresult = trim($backend->configdRun('template reload OPNsense/CrowdSec'));
-            if ($bckresult == "OK") {
-                $bckresult = trim($backend->configdRun('crowdsec reconfigure'));
-                if ($bckresult == "OK") {
-                    $status = "ok";
-                }
-            }
-        }
-        return ["status" => $status];
+    protected static $internalServiceClass = '\OPNsense\CrowdSec\General';
+    protected static $internalServiceTemplate = 'OPNsense/CrowdSec';
+    protected static $internalServiceName = 'crowdsec';
+
+    protected function ServiceEnabled() {
+        $mdl = $this->getModel();
+
+        return (
+            $mdl->agent_enabled->__toString() === "1" ||
+            $mdl->lapi_enabled->__toString() === "1" ||
+            $mdl->firewall_bouncer_enabled->__toString() === "1"
+        );
     }
 
-    /**
-     * Retrieve status of crowdsec
-     *
-     * @return array{
-     *     status: string,
-     *     crowdsec-status: string,
-     *     crowdsec-firewall-status: string
-     * }
-     * @throws \Exception
-     */
-    public function statusAction()
+    public function reconfigureAction()
     {
-        $backend = new Backend();
-        $response = $backend->configdRun("crowdsec crowdsec-status");
-
-        $crowdsec_status = "unknown";
-        if (strpos($response, "not running") !== false) {
-            $crowdsec_status = "stopped";
-        } elseif (strpos($response, "is running") !== false) {
-            $crowdsec_status = "running";
-        }
+        // Run the default reconfigure logic
+        $result = parent::reconfigureAction();
 
-        $response = $backend->configdRun("crowdsec crowdsec-firewall-status");
-
-        $firewall_status = "unknown";
-        if (strpos($response, "not running") !== false) {
-            $firewall_status = "stopped";
-        } elseif (strpos($response, "is running") !== false) {
-            $firewall_status = "running";
-        }
-
-        $status = "unknown";
-        if ($crowdsec_status == $firewall_status) {
-            $status = $crowdsec_status;
+        // Now we generate the config.yaml and config-firewall-bouncer.yaml files
+        if (isset($result['status']) && $result['status'] === 'ok') {
+            $backend = new Backend();
+            $backend->configdRun('crowdsec reconfigure');
         }
 
-        return [
-            "status" => $status,
-            "crowdsec-status" => $crowdsec_status,
-            "crowdsec-firewall-status" => $firewall_status,
-        ];
+        return $result;
     }
 }
diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
index 849e04ebaf..c4480f9f78 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/forms/general.xml
@@ -80,7 +80,7 @@
     <label>Create blocklist rules</label>
     <type>checkbox</type>
     <help>Generate block rules from the Crowdsec blocklists.
-    They are applied t all interfaces, ipv4/v6, ingress and egress.
+    They are applied to all interfaces, ipv4/v6, ingress and egress.
     If you disable this, you'll have to write your own rules to block anything.</help>
   </field>
 
diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index 63cf526f11..cef04eb0cd 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>1.0.11</version>
+  <version>1.0.12</version>
   <items>
 
     <agent_enabled type="BooleanField">
diff --git a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
index be347ee53e..95b2577272 100644
--- a/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
+++ b/security/crowdsec/src/opnsense/mvc/app/views/OPNsense/CrowdSec/general.volt
@@ -13,7 +13,7 @@
             saveFormToEndpoint(url="/api/crowdsec/general/set",formid='frm_GeneralSettings',callback_ok=function(){
                 $("#settingsSavedMsg").text("Saving settings....").removeClass("hidden");
                 // action to run after successful save, for example reconfigure service.
-                ajaxCall(url="/api/crowdsec/service/reload", sendData={},callback=function(data,status) {
+                ajaxCall(url="/api/crowdsec/service/reconfigure", sendData={},callback=function(data,status) {
                     $("#settingsSavedMsg").html(
                         '<i class="fa fa-check text-success"></i> Settings have been saved, services restarted.'
                     ).removeClass("hidden");
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
index fa06700924..6d4869c5b9 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py
@@ -13,6 +13,7 @@
 def is_ipv6(ip: str) -> bool:
     return ":" in ip
 
+
 def load_config(filename: str) -> dict[str, Any]:
     with open(filename) as fin:
         return yaml.safe_load(fin)
@@ -54,6 +55,9 @@ def configure_agent(settings: dict[str, str]):
     config['crowdsec_service']['acquisition_dir'] = '/usr/local/etc/crowdsec/acquis.d/'
     config['db_config']['use_wal'] = True
 
+    enable = int(settings.get('agent_enabled', '0'))
+    config['crowdsec_service']['enable'] = bool(enable)
+
     if not int(settings.get('lapi_manual_configuration', '0')):
         config['api']['server']['listen_uri'] = get_netloc(settings)
 
diff --git a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
index ce4660c502..9ecdd3f8e8 100755
--- a/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
+++ b/security/crowdsec/src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh
@@ -2,7 +2,7 @@
 
 # This script is run
 #  - when the plugin is installed (by +POST_INSTALL.post)
-#  - when saving the "settings" form (which calls /api/crowdsec/service/reload)
+#  - when saving the "settings" form (which calls /api/crowdsec/service/reconfigure)
 #  - by hand, running "configctl crowdsec reconfigure"
 
 set -e
diff --git a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
index 6c0f4e9412..de9a90fad4 100644
--- a/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
+++ b/security/crowdsec/src/opnsense/service/templates/OPNsense/CrowdSec/crowdsec.rc.conf.d
@@ -1,5 +1,9 @@
 # DO NOT EDIT THIS FILE -- OPNsense auto-generated file
-{% if helpers.exists('OPNsense.crowdsec.general.agent_enabled') and OPNsense.crowdsec.general.agent_enabled|default("1") == "1" %}
+{% if
+  (helpers.exists('OPNsense.crowdsec.general.agent_enabled') and OPNsense.crowdsec.general.agent_enabled|default("1") == "1")
+  or
+  (helpers.exists('OPNsense.crowdsec.general.lapi_enabled') and OPNsense.crowdsec.general.lapi_enabled|default("1") == "1")
+%}
 crowdsec_enable="YES"
 {% else %}
 crowdsec_enable="NO"

From 0ef6277908ed0e44f50d481d90fbf06a4b929cce Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 7 Aug 2025 12:56:08 +0200
Subject: [PATCH 2603/3088] security/crowdsec: small style check

---
 .../controllers/OPNsense/CrowdSec/Api/ServiceController.php    | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
index f1918a01ba..c18ebb0295 100644
--- a/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
+++ b/security/crowdsec/src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php
@@ -18,7 +18,8 @@ class ServiceController extends ApiMutableServiceControllerBase
     protected static $internalServiceTemplate = 'OPNsense/CrowdSec';
     protected static $internalServiceName = 'crowdsec';
 
-    protected function ServiceEnabled() {
+    protected function ServiceEnabled()
+    {
         $mdl = $this->getModel();
 
         return (

From 377b76a585f4f744a7a043754c21d6a3a6a52192 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Thu, 7 Aug 2025 18:52:29 +0200
Subject: [PATCH 2604/3088] net/frr: ospfd add point-to-multipoint options
 (#4879)

---
 .../Quagga/forms/dialogEditOSPFInterface.xml  | 10 ++++++++
 .../mvc/app/models/OPNsense/Quagga/OSPF.xml   |  6 +++++
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 23 +++++++++++++++++++
 .../templates/OPNsense/Quagga/ospfd.conf      |  8 +++++++
 4 files changed, 47 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
index bc08a4c8c7..62b423943d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFInterface.xml
@@ -135,4 +135,14 @@
     <type>dropdown</type>
     <help>Defines the OSPF network type, impacting adjacency and LSA flooding methods. "Broadcast Multi-Access": Assumes networks supporting multiple routers with broadcast capability (e.g., Ethernet). "Non-Broadcast Multi-Access (NBMA)"": For networks without broadcast support (e.g., Frame Relay); requires manual neighbor setup. "Point-to-Multipoint": Connects multiple routers over a single interface, treating each as a point-to-point link. "Point-to-Point": Directly connects two routers, simplifying adjacency and LSA transmission.</help>
   </field>
+  <field>
+    <id>interface.p2mpoptions</id>
+    <label>P2MP options</label>
+    <type>dropdown</type>
+    <style>selectpicker style_networktype</style>
+    <help>Only for point-to-multipoint network type! non-broadcast: Disables multicast/broadcast, OSPF neighbors must be manually configured. delay-reflood: Delays LSA flooding until retransmission timer expires if no ACK received.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index dab6380a38..1f28cebb47 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -236,6 +236,12 @@
                                         <point-to-point>Point-to-point network</point-to-point>
                                 </OptionValues>
                         </networktype>
+                        <p2mpoptions type="OptionField">
+                                <OptionValues>
+                                        <delay-reflood>Delay reflood</delay-reflood>
+                                        <non-broadcast>Non-broadcast</non-broadcast>
+                                </OptionValues>
+                        </p2mpoptions>
                 </interface>
         </interfaces>
         <prefixlists>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 488a908312..87260985a5 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -110,6 +110,29 @@ POSSIBILITY OF SUCH DAMAGE.
             );
         }
 
+        $("#interface\\.networktype").on("keyup change", function () {
+
+            const networktype = String($("#interface\\.networktype").val() || "")
+ 
+            const styleVisibility = [
+                {
+                    class: "style_networktype",
+                    visible: networktype === "point-to-multipoint"
+                },
+            ];
+
+            styleVisibility.forEach(style => {
+                // hide/show rows with the class
+                const elements = $("." + style.class).closest("tr");
+                style.visible ? elements.show() : elements.hide();
+
+                // hide/show thead only if its parent container has the same class
+                $(".table-responsive." + style.class).find("thead").each(function () {
+                    style.visible ? $(this).show() : $(this).hide();
+                });
+            });
+        });
+
     });
 </script>
 
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index 41ec0c5d6c..381ffa8b4f 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -25,7 +25,15 @@ interface {{ iface }}
   ip ospf bfd
 {%             endif %}
 {%             if interface.networktype %}
+{%                 if interface.networktype == 'point-to-multipoint' %}
+{%                     if interface.p2mpoptions %}
+  {{ cline("network", "point-to-multipoint " ~ interface.p2mpoptions) }}
+{%                     else %}
+  {{ cline("network", "point-to-multipoint") }}
+{%                     endif %}
+{%                 else %}
   {{ cline("network", interface.networktype) }}
+{%                 endif %}
 {%             endif %}
 {%             if interface.authtype and interface.authtype == 'message-digest' %}
   {{ cline("authentication", interface.authtype) }}

From cbc910d318e25b2a3102b63a922b09e5f4579b21 Mon Sep 17 00:00:00 2001
From: senses3 <senses3@gmail.com>
Date: Sun, 10 Aug 2025 04:28:11 -0400
Subject: [PATCH 2605/3088] fixed pfsense typo (#4884)

---
 .../mvc/app/controllers/OPNsense/Netbird/forms/settings.xml     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
index 99992db3cd..7be06a710a 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
@@ -23,7 +23,7 @@
         <id>settings.firewall.allowConfig</id>
         <label>Enable firewal</label>
         <type>checkbox</type>
-        <help>Allow the client to filter traffic with its built-in firewall. If disabled, you must assign the NetBird interface and manage firewall rules via PFSense firewall management.
+        <help>Allow the client to filter traffic with its built-in firewall. If disabled, you must assign the NetBird interface and manage firewall rules via OPNsense firewall management.
             Additionally, NetBird routing and DNS may not function as intended.</help>
     </field>
     <field>

From 09cfdf639a387ae29201660db175e1ffe9c69b20 Mon Sep 17 00:00:00 2001
From: poisonbl <6139658+poisonbl@users.noreply.github.com>
Date: Wed, 13 Aug 2025 03:24:26 -0400
Subject: [PATCH 2606/3088] Add Extended info (smartctl -x) for os-smart
 plugin. (#4508)

---
 .../app/controllers/OPNsense/Smart/Api/ServiceController.php   | 2 +-
 .../smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php b/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
index d35feb29bb..2f039c551f 100644
--- a/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
+++ b/sysutils/smart/src/opnsense/mvc/app/controllers/OPNsense/Smart/Api/ServiceController.php
@@ -68,7 +68,7 @@ public function infoAction()
                 return array("message" => "Invalid device name");
             }
 
-            $valid_info_types = array("i", "H", "c", "A", "a");
+            $valid_info_types = array("i", "H", "c", "A", "a", "x");
 
             if (!in_array($type, $valid_info_types)) {
                 return array("message" => "Invalid info type");
diff --git a/sysutils/smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt b/sysutils/smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt
index acb740ffab..1e770f836e 100644
--- a/sysutils/smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt
+++ b/sysutils/smart/src/opnsense/mvc/app/views/OPNsense/Smart/index.volt
@@ -138,7 +138,8 @@
 			<label><input type="radio" name="type" value="H" checked="checked" />{{ lang._('Health') }}</label>&nbsp;
 			<label><input type="radio" name="type" value="c" />{{ lang._('SMART Capabilities') }}</label>&nbsp;
 			<label><input type="radio" name="type" value="A" />{{ lang._('Attributes') }}</label>&nbsp;
-			<label><input type="radio" name="type" value="a" />{{ lang._('All') }}</label>
+			<label><input type="radio" name="type" value="a" />{{ lang._('All') }}</label>&nbsp;
+			<label><input type="radio" name="type" value="x" />{{ lang._('Extended') }}</label>
 		    </div>
 		    </td>
 		</tr>

From ded22afe17a99e02d3fa38f0ec3d54bdd7f9b661 Mon Sep 17 00:00:00 2001
From: Raushan Patel <96633931+Jhonraushan@users.noreply.github.com>
Date: Wed, 13 Aug 2025 03:39:23 -0400
Subject: [PATCH 2607/3088] misc/theme-advanced: Update logos and favicon
 (#4852)

---
 .../advanced/build/images/default-logo.svg    | 132 ++++++------------
 .../themes/advanced/build/images/favicon.png  | Bin 2938 -> 2100 bytes
 .../advanced/build/images/icon-logo.svg       |  84 +----------
 3 files changed, 44 insertions(+), 172 deletions(-)

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/default-logo.svg b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/default-logo.svg
index 1fc57d76c7..688ba464e0 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/default-logo.svg
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/default-logo.svg
@@ -1,95 +1,41 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<!-- Creator: CorelDRAW X8 -->
-<svg xmlns="http://www.w3.org/2000/svg" xml:space="preserve" width="171.889mm" height="34.3477mm" version="1.1" style="shape-rendering:geometricPrecision; text-rendering:geometricPrecision; image-rendering:optimizeQuality; fill-rule:evenodd; clip-rule:evenodd"
-viewBox="0 0 21856 4367"
- xmlns:xlink="http://www.w3.org/1999/xlink">
- <defs>
-  <style type="text/css">
-   <![CDATA[
-    .fil0 {fill:#EBECEC;fill-rule:nonzero}
-    .fil2 {fill:#E3E4E5;fill-rule:nonzero}
-    .fil8 {fill:#AAABAB;fill-rule:nonzero}
-    .fil5 {fill:#939292;fill-rule:nonzero}
-    .fil1 {fill:#D94F00;fill-rule:nonzero}
-    .fil11 {fill:url(#id0);fill-rule:nonzero}
-    .fil7 {fill:url(#id1);fill-rule:nonzero}
-    .fil10 {fill:url(#id2);fill-rule:nonzero}
-    .fil15 {fill:url(#id3);fill-rule:nonzero}
-    .fil14 {fill:url(#id4);fill-rule:nonzero}
-    .fil16 {fill:url(#id5);fill-rule:nonzero}
-    .fil9 {fill:url(#id6);fill-rule:nonzero}
-    .fil12 {fill:url(#id7);fill-rule:nonzero}
-    .fil13 {fill:url(#id8);fill-rule:nonzero}
-    .fil3 {fill:url(#id9);fill-rule:nonzero}
-    .fil4 {fill:url(#id10);fill-rule:nonzero}
-    .fil6 {fill:url(#id11);fill-rule:nonzero}
-   ]]>
-  </style>
-  <linearGradient id="id0" gradientUnits="userSpaceOnUse" x1="2258.18" y1="2586.09" x2="4329.89" y2="3125.08">
-   <stop offset="0" style="stop-opacity:1; stop-color:#AAABAB"/>
-   <stop offset="0.101961" style="stop-opacity:1; stop-color:#AAABAB"/>
-   <stop offset="1" style="stop-opacity:1; stop-color:#4E4E4E"/>
-  </linearGradient>
-  <linearGradient id="id1" gradientUnits="userSpaceOnUse" x1="4003.85" y1="4057.41" x2="4106.63" y2="3796.38">
-   <stop offset="0" style="stop-opacity:1; stop-color:#E4E4E4"/>
-   <stop offset="1" style="stop-opacity:1; stop-color:#A2A2A2"/>
-  </linearGradient>
-  <linearGradient id="id2" gradientUnits="userSpaceOnUse" xlink:href="#id0" x1="2258.16" y1="1781.29" x2="4329.9" y2="1242.3">
-  </linearGradient>
-  <linearGradient id="id3" gradientUnits="userSpaceOnUse" x1="4249.51" y1="3279.41" x2="2665.39" y2="3279.41">
-   <stop offset="0" style="stop-opacity:1; stop-color:#FEFEFE"/>
-   <stop offset="0.231373" style="stop-opacity:1; stop-color:#FEFEFE"/>
-   <stop offset="1" style="stop-opacity:1; stop-color:#B0B0B0"/>
-  </linearGradient>
-  <linearGradient id="id4" gradientUnits="userSpaceOnUse" xlink:href="#id3" x1="4249.51" y1="1087.97" x2="2665.39" y2="1087.97">
-  </linearGradient>
-  <linearGradient id="id5" gradientUnits="userSpaceOnUse" xlink:href="#id3" x1="-0.0127153" y1="3279.41" x2="1584.11" y2="3279.41">
-  </linearGradient>
-  <linearGradient id="id6" gradientUnits="userSpaceOnUse" xlink:href="#id0" x1="1991.34" y1="1781.31" x2="-80.3479" y2="1242.28">
-  </linearGradient>
-  <linearGradient id="id7" gradientUnits="userSpaceOnUse" xlink:href="#id0" x1="1991.33" y1="2586.07" x2="-80.3352" y2="3125.09">
-  </linearGradient>
-  <linearGradient id="id8" gradientUnits="userSpaceOnUse" xlink:href="#id3" x1="-0.0127153" y1="1087.97" x2="1584.11" y2="1087.97">
-  </linearGradient>
-  <linearGradient id="id9" gradientUnits="userSpaceOnUse" xlink:href="#id1" x1="4048.89" y1="285.509" x2="4123.28" y2="547.495">
-  </linearGradient>
-  <linearGradient id="id10" gradientUnits="userSpaceOnUse" xlink:href="#id1" x1="245.672" y1="309.973" x2="142.882" y2="571.018">
-  </linearGradient>
-  <linearGradient id="id11" gradientUnits="userSpaceOnUse" xlink:href="#id1" x1="200.647" y1="4081.86" x2="126.237" y2="3819.93">
-  </linearGradient>
- </defs>
- <g id="Layer_x0020_1">
-  <metadata id="CorelCorpID_0Corel-Layer"/>
-  <g id="_1932602954816">
-   <path class="fil0" d="M7629 276l-1838 0c-270,0 -491,221 -491,491l0 3135 0 166 166 0 1838 0c270,0 491,-220 491,-490l0 -3136 0 -166 -166 0zm4077 14l0 0 1838 0 165 0 0 166 0 3135c0,432 -348,500 -681,500 -56,0 -125,-3 -189,-6 -42,-2 -80,-4 -126,-4l0 -165 0 -166c32,0 84,3 140,5 50,3 105,5 175,5 171,0 350,-23 350,-169l0 -2970 -1590 0 -82 0 -6 0 0 0 -2 0 0 0 -2 1 -1 0 -1 0 0 0 -2 0 -1 0 -1 0 -1 0 -1 0 -1 0 -1 0 0 0 -2 1 0 0 -2 0 0 0 -1 0 -1 0 -1 0 -1 1 -1 0 -1 0 -1 0 -1 0 -1 1 -1 0 -1 0 -1 0 -1 0 -1 1 0 0 -2 0 0 0 -2 1 0 0 -2 0 0 0 -2 1 -1 0 0 0 -2 1 0 0 -2 0 0 1 -2 0 0 0 -1 1 -1 0 -1 0 -1 1 -1 0 0 0 -1 1 -1 0 -1 0 -1 1 -1 0 -1 1 -1 0 0 0 -1 1 -1 0 -1 0 -1 1 0 0 -2 1 0 0 -3 2 0 0 -2 0 0 1 -1 0 -1 1 -1 0 0 0 -2 1 -1 1 0 0 -2 1 0 0 -1 1 -1 0 -1 1 0 0 -2 1 0 0 -1 1 -2 1 0 1 -1 0 -1 1 -1 0 0 1 -1 1 -1 0 0 1 -1 0 -1 1 -1 0 0 1 -1 1 -1 0 -1 1 0 0 -1 1 0 0 -1 1 -1 1 -1 1 0 0 -1 1 0 0 -2 1 0 0 -1 2 0 0 -1 1c-29,29 -47,68 -47,112l0 3136 -3 0 0 165 -163 0 -165 0 0 -165 0 -3136c0,-135 55,-258 143,-346 89,-89 212,-144 347,-144zm-1190 -9l0 0 -1741 0c-252,0 -458,206 -458,458l0 1655 0 166 0 0 0 1502 333 0 0 -1502 1574 0c253,0 458,-206 458,-458l0 -1655 0 -166 -166 0zm-1741 333l0 0 1575 0 0 1488c0,6 -1,12 -2,18l0 0 0 4 0 0 -1 2 0 0 0 2 0 1 -1 0 0 2 0 1 -1 4 0 1 -1 1 0 2 -1 1 0 1 -1 3 0 0 -1 3 0 0 -1 3 -1 0 -1 3 0 0 -1 2 1 -1 -3 4 0 1 -1 2 0 1 -1 0 0 1 -2 4 -1 0 0 1 -1 0 -1 2 0 1 -1 1 0 1 -2 2 -2 3 -1 1 -3 3 0 1 -5 5 -6 5 -2 3 -6 5 -1 0 0 1 -4 2 0 0 -1 1 -1 1 -4 2 -1 1 -1 0 0 0 -3 2 0 0 -6 3 0 0 -5 2 0 0 -3 2 0 0c-3,1 -7,3 -12,4l-3 1 0 0 -4 1 -2 0 -3 1 0 0 -4 0 0 0c-6,1 -12,1 -18,1l-1575 0 0 -1488c0,-6 1,-12 2,-18l0 -3 0 0 1 -3 1 -3 0 0 0 -3 0 -1 1 -3 3 -8 0 0 0 1 0 -1 1 -4 0 1 2 -4 0 0 2 -4 0 0 3 -6 0 -1 2 -3 0 0 0 0 1 -1 2 -4 1 -1 1 -2 0 0 2 -3 3 -3 3 -4 0 -1 3 -2 0 0 5 -6 5 -5 1 0 3 -3 1 0 3 -2 0 -1 3 -1 1 -1 3 -2 0 0 1 -1 0 0 4 -3 1 0 0 0 1 0 2 -2 1 0 4 -2 -1 0 2 -1 0 0 3 -1 0 0 3 -1 3 -1 4 -2 -1 1 5 -2 5 -1 1 -1 2 0 0 0 1 0 0 0 2 -1 0 0 2 0 0 0 4 -1c6,-1 12,-1 18,-1zm1573 1506l0 0 0 0 0 0zm0 4l0 0 0 0 0 0zm-1 2l0 0 0 0 0 0zm0 3l0 0 -1 0 1 0zm-1 2l0 0 0 1 0 -1zm-1 5l0 0 0 1 0 -1zm-1 2l0 0 0 2 0 -2zm-1 3l0 0 0 1 0 -1zm-1 4l0 0 0 0 0 0zm-1 3l0 0 0 0 0 0zm-1 3l0 0 -1 0 1 0zm-2 3l0 0 0 0 0 0zm-3 5l0 0 0 1 0 -1zm-1 3l0 0 0 1 0 -1zm-1 1l0 0 0 1 0 -1zm-2 5l0 0 -1 0 1 0zm-1 1l0 0 -1 0 1 0zm-2 2l0 0 0 1 0 -1zm-1 2l0 0 0 1 0 -1zm-4 6l0 0 -1 1 1 -1zm-4 4l0 0 0 1 0 -1zm-20 19l0 0 0 1 0 -1zm-4 3l0 0 0 0 0 0zm-1 1l0 0 -1 1 1 -1zm-5 3l0 0 -1 1 1 -1zm-2 1l0 0 0 0 0 0zm-3 2l0 0 0 0 0 0zm-11 5l0 0 0 0 0 0zm-18 7l0 0 0 0 0 0zm-9 2l0 0 0 0 0 0zm-4 0l0 0 0 0 0 0zm-1591 -1505l0 0 0 -3 0 0 0 0 0 3zm2 -9l0 0 0 0 0 0zm0 -3l0 0 0 -1 0 1zm7 -19l0 0 0 0 0 0zm5 -10l0 0 0 -1 0 1zm2 -4l0 0 0 0 0 0zm0 0l0 0 1 -1 -1 1zm3 -5l0 0 1 -1 -1 1zm2 -3l0 0 0 0 0 0zm8 -10l0 0 0 -1 0 1zm3 -3l0 0 0 0 0 0zm10 -11l0 0 1 0 -1 0zm4 -3l0 0 1 0 -1 0zm4 -2l0 0 0 -1 0 1zm7 -5l0 0 0 0 0 0zm1 -1l0 0 0 0 0 0zm4 -3l0 0 1 0 -1 0zm1 0l0 0 1 0 -1 0zm3 -2l0 0 1 0 -1 0zm6 -3l0 0 0 0 0 0zm3 -1l0 0 0 0 0 0zm19 -6l0 0 1 -1 -1 1zm3 -1l0 0 0 0 0 0zm1 0l0 0 0 0 0 0zm2 -1l0 0 0 0 0 0zm2 0l0 0 0 0 0 0zm4 -1l0 0 -2966 -7 1672 0 0 2970c0,13 -5,40 -5,40l-6 18 0 0 0 -1 0 1 -1 1 0 1 -1 3 0 0 -1 3 -1 0 -6 13 0 0 -2 3 0 0 -4 6 0 0 -4 5 0 0 -2 3 0 0 -2 3 0 0 -1 1 0 0 -2 3 0 0 -2 2 -2 2 -1 1 -1 1 0 0 -5 5 0 0 -2 2 0 0 -2 2 -3 2 0 0 -2 2 -1 1 -1 1 0 0 -3 2 0 0 -2 2 -1 0 -5 4 0 0 -5 3 0 0 -3 2 -1 0 -12 7 -4 1 -2 2 -2 0 -18 6 -1 0 1 0 0 0 -1 0 0 1c-14,3 -25,5 -40,5l-1672 0 0 -2970c0,-13 5,-40 5,-40l6 -18 0 0 0 1 0 -1 1 -2 0 -1 1 -2 0 0 1 -3 1 -1 6 -12 0 0 2 -4 0 0 4 -5 0 0 4 -5 0 -1 2 -2 0 0 2 -3 0 0 1 -1 0 -1 2 -2 0 0 2 -2 2 -3 1 0 1 -2 0 0 5 -5 0 0 2 -1 0 -1 2 -1 3 -3 0 0 2 -2 1 0 1 -1 0 0 3 -2 0 0 2 -2 1 0 5 -4 0 0 5 -4 0 0 4 -2 0 0 12 -6 4 -2 0 0 2 -1 3 -1 18 -6 0 0 -1 0 1 0 0 0 0 0c14,-3 25,-5 40,-5l2966 7zm-1306 3022l0 0 0 1 0 -1zm-1 4l0 0 0 0 0 0zm-1 3l0 0 -1 0 1 0zm-7 13l0 0 0 0 0 0zm-2 3l0 0 0 0 0 0zm-4 6l0 0 0 0 0 0zm-4 5l0 0 0 0 0 0zm-2 3l0 0 0 0 0 0zm-2 3l0 0 0 0 0 0zm-1 1l0 0 0 0 0 0zm-6 7l0 0 -1 1 1 -1zm-2 2l0 0 0 0 0 0zm-5 5l0 0 0 0 0 0zm-2 2l0 0 0 0 0 0zm-7 6l0 0 -1 1 1 -1zm-2 2l0 0 0 0 0 0zm-3 2l0 0 0 0 0 0zm-2 2l0 0 -1 0 1 0zm-6 4l0 0 0 0 0 0zm-5 3l0 0 0 0 0 0zm-3 2l0 0 -1 0 1 0zm-17 8l0 0 -23 8 0 1 0 -1 23 -8zm-1723 -3016l0 0 0 -1 0 1zm1 -3l0 0 0 0 0 0zm1 -3l0 0 1 -1 -1 1zm7 -13l0 0 0 0 0 0zm2 -4l0 0 0 0 0 0zm4 -5l0 0 0 0 0 0zm4 -5l0 0 0 -1 0 1zm2 -3l0 0 0 0 0 0zm2 -3l0 0 0 0 0 0zm1 -1l0 0 0 -1 0 1zm6 -8l0 0 1 0 -1 0zm2 -2l0 0 0 0 0 0zm5 -5l0 0 0 0 0 0zm2 -1l0 0 0 -1 0 1zm7 -7l0 0 1 0 -1 0zm2 -1l0 0 0 0 0 0zm3 -2l0 0 0 0 0 0zm2 -2l0 0 1 0 -1 0zm6 -4l0 0 0 0 0 0zm5 -4l0 0 0 0 0 0zm4 -2l0 0 0 0 0 0zm16 -8l0 0 0 0 0 0zm23 -8l0 0 0 0 0 0z"/>
-  </g>
-  <g id="_1932602954464">
-   <path class="fil0" d="M21552 1415c51,0 101,13 150,39 48,27 86,64 113,113 28,49 41,100 41,152 0,53 -13,103 -40,152 -27,48 -64,85 -112,112 -49,27 -99,40 -152,40 -52,0 -103,-13 -151,-40 -48,-27 -86,-64 -113,-112 -26,-49 -40,-99 -40,-152 0,-52 14,-103 41,-152 27,-49 65,-86 114,-113 48,-26 98,-39 149,-39zm0 51l0 0c-42,0 -84,11 -125,32 -40,22 -72,54 -94,94 -23,41 -35,83 -35,127 0,44 12,86 34,126 22,41 54,72 94,94 40,23 82,34 126,34 44,0 86,-11 126,-34 41,-22 72,-53 94,-94 23,-40 34,-82 34,-126 0,-44 -12,-86 -34,-127 -23,-40 -55,-72 -95,-94 -41,-21 -82,-32 -125,-32z"/>
-   <path class="fil0" d="M21674 1822c-16,-29 -35,-51 -49,-64 -7,-7 -16,-14 -27,-18 28,-3 51,-13 68,-30 17,-18 26,-39 26,-63 0,-17 -5,-32 -16,-48 -10,-15 -23,-25 -41,-31 -17,-6 -45,-9 -83,-9l-113 0 0 327 53 0 0 -139 31 0c19,0 32,8 42,16 14,10 39,40 52,66 11,20 18,57 18,57l64 0c0,0 -9,-36 -25,-64zm-118 -120l0 0 -64 0 0 -99 60 0c26,0 44,2 53,6 10,4 17,9 23,17 5,8 8,16 8,26 0,15 -6,27 -17,36 -11,9 -32,14 -63,14z"/>
-  </g>
-  <path class="fil1" d="M15312 2714l-531 0 0 -107c0,-92 -5,-149 -16,-174 -10,-24 -36,-36 -78,-36 -34,0 -59,11 -76,33 -17,23 -25,56 -25,101 0,61 4,105 12,133 8,29 34,60 76,93 42,35 128,84 259,149 175,85 289,165 343,241 55,76 82,186 82,330 0,161 -21,283 -62,364 -42,82 -112,146 -210,190 -98,45 -215,66 -354,66 -152,0 -284,-23 -392,-71 -109,-48 -184,-112 -225,-194 -40,-81 -61,-204 -61,-369l0 -95 535 0 0 124c0,106 6,175 20,207 13,31 40,47 79,47 43,0 72,-10 89,-32 17,-21 25,-66 25,-135 0,-94 -10,-153 -32,-177 -23,-24 -140,-95 -350,-212 -176,-100 -284,-190 -323,-271 -39,-81 -58,-177 -58,-289 0,-158 21,-275 63,-349 41,-76 112,-134 212,-174 100,-41 216,-62 347,-62 132,0 243,17 335,50 92,34 162,78 212,133 48,54 78,105 89,152 10,47 15,120 15,219l0 115zm1572 391l0 0 -782 0 0 429c0,90 7,148 20,174 13,26 38,38 75,38 46,0 77,-17 93,-51 15,-35 23,-101 23,-200l0 -249 571 0 0 134c0,123 -8,217 -23,282 -16,66 -52,136 -108,211 -57,75 -129,131 -216,168 -87,38 -196,56 -327,56 -128,0 -240,-18 -338,-55 -97,-37 -173,-87 -227,-151 -55,-64 -92,-135 -113,-212 -21,-77 -31,-189 -31,-337l0 -577c0,-173 23,-310 70,-410 47,-100 123,-177 229,-230 107,-53 229,-80 368,-80 169,0 308,32 418,97 110,64 188,149 232,255 44,105 66,254 66,446l0 262zm-602 -321l0 0 0 -144c0,-103 -5,-169 -16,-199 -12,-30 -34,-44 -69,-44 -43,0 -69,12 -79,38 -11,25 -16,93 -16,205l0 144 180 0zm1409 -702l0 0 -10 151c61,-71 92,-98 155,-136 63,-36 142,-52 225,-52 103,0 187,25 253,74 66,48 108,110 127,184 19,74 28,197 28,370l0 1388 -601 0 0 -1372c0,-136 -5,-220 -14,-249 -9,-30 -34,-45 -75,-45 -43,0 -70,17 -81,51 -11,35 -17,127 -17,276l0 1339 -601 0 0 -1979 611 0zm2217 632l0 0 -532 0 0 -107c0,-92 -5,-149 -16,-174 -10,-24 -36,-36 -78,-36 -33,0 -59,11 -76,33 -16,23 -25,56 -25,101 0,61 4,105 13,133 8,29 33,60 75,93 42,35 129,84 259,149 175,85 289,165 343,241 55,76 82,186 82,330 0,161 -20,283 -62,364 -42,82 -112,146 -209,190 -99,45 -216,66 -355,66 -152,0 -284,-23 -392,-71 -109,-48 -184,-112 -224,-194 -41,-81 -61,-204 -61,-369l0 -95 534 0 0 124c0,106 7,175 20,207 14,31 40,47 79,47 43,0 72,-10 89,-32 17,-21 26,-66 26,-135 0,-94 -11,-153 -33,-177 -23,-24 -139,-95 -350,-212 -176,-100 -284,-190 -323,-271 -38,-81 -58,-177 -58,-289 0,-158 21,-275 63,-349 42,-76 112,-134 212,-174 100,-41 216,-62 348,-62 131,0 242,17 334,50 92,34 162,78 212,133 49,54 79,105 89,152 11,47 16,120 16,219l0 115zm1571 391l0 0 -781 0 0 429c0,90 6,148 19,174 13,26 38,38 75,38 46,0 78,-17 93,-51 16,-35 23,-101 23,-200l0 -249 571 0 0 134c0,123 -7,217 -23,282 -15,66 -51,136 -108,211 -57,75 -129,131 -216,168 -87,38 -196,56 -327,56 -127,0 -240,-18 -338,-55 -97,-37 -173,-87 -227,-151 -55,-64 -92,-135 -112,-212 -21,-77 -32,-189 -32,-337l0 -577c0,-173 23,-310 70,-410 47,-100 123,-177 230,-230 107,-53 229,-80 367,-80 169,0 309,32 419,97 109,64 187,149 231,255 44,105 66,254 66,446l0 262zm-601 -321l0 0 0 -144c0,-103 -6,-169 -17,-199 -11,-30 -34,-44 -69,-44 -43,0 -69,12 -79,38 -10,25 -15,93 -15,205l0 144 180 0z"/>
-  <path class="fil2" d="M4250 404l-327 0 0 -68 -3440 0c-14,0 -25,2 -39,5l0 0 0 0 -1 0 -17 6 -3 1 -2 1 -3 2 -13 7 0 0 -3 1 0 1 -6 3 0 0 -5 4 0 0 -2 2 0 0 -3 2 0 0 -2 1 0 1 -2 2 0 0 -3 2 -2 2 0 0 -2 2 0 0 -5 5 0 0 -1 2 0 0 -3 3 -2 1 1 0 -3 3 0 0 -1 1 0 1 -2 2 0 1 -2 2 0 0 -1 2 -343 0 0 -23c51,-218 243,-381 470,-381l0 0 3767 0 0 333 0 3 0 68z"/>
-  <polygon class="fil3" points="3923,337 4250,161 4250,333 4250,336 4250,497 3924,672 3923,672 "/>
-  <path class="fil4" d="M90 209l299 160 -3 2 0 0 -2 1 0 1 -2 2 0 0 -3 2 -2 2 0 0 -2 2 0 0 -5 5 0 0 -1 2 0 0 -3 3 -2 1 1 0 -3 3 0 0 -1 1 0 1 -2 2 0 1 -2 2 0 0 -3 5 -1 1 -3 5 0 0 -2 3 0 1 -7 12 0 1 -1 3 0 0 -1 2 -1 2 0 1 -6 19c0,-1 -5,26 -5,39l0 0 0 176 -327 -175 0 -1c0,-107 33,-206 90,-287z"/>
-  <polygon class="fil5" points="3596,1008 654,1008 654,672 3596,672 "/>
-  <path class="fil2" d="M0 3964l327 0 0 67 3440 0 0 0c14,0 25,-1 38,-5l1 0 0 0 0 0 18 -6 2 -1 2 -1 4 -1 12 -7 0 0 3 -2 1 0 5 -4 0 0 5 -3 0 -1 3 -2 0 0 3 -2 0 0 1 -1 0 0 3 -2 0 0 3 -3 1 -1 0 -1 2 -1 0 0 5 -5 0 -1 2 -1 0 0 2 -3 2 -2 0 0 2 -3 0 0 1 -1 0 0 2 -3 0 0 2 -3 1 0 1 -1 342 0 0 23c-51,218 -242,380 -469,380l0 0 -3767 0 0 -332 0 -4 0 -67z"/>
-  <polygon class="fil6" points="327,4031 0,4206 0,4035 0,4031 0,3870 325,3695 327,3695 "/>
-  <path class="fil7" d="M4160 4158l-299 -160 3 -2 0 0 1 -1 0 0 3 -2 0 0 3 -3 1 -1 0 -1 2 -1 0 0 5 -5 0 -1 2 -1 0 0 2 -3 2 -2 0 0 2 -3 0 0 1 -1 0 0 2 -3 0 0 2 -3 1 0 3 -5 0 0 4 -6 0 0 2 -3 0 0 6 -13 1 -1 1 -2 0 -1 1 -2 0 -1 1 -1 6 -19c0,0 5,-27 5,-40l0 0 0 -175 327 174 0 1c-1,107 -34,206 -90,287z"/>
-  <polygon class="fil8" points="1584,1680 327,1680 327,1344 1584,1344 "/>
-  <polygon class="fil9" points="949,1680 327,1346 327,1344 960,1344 1584,1678 1584,1680 "/>
-  <polygon class="fil8" points="2665,1680 3923,1680 3923,1344 2665,1344 "/>
-  <polygon class="fil10" points="3300,1680 3923,1346 3923,1344 3289,1344 2665,1678 2665,1680 "/>
-  <polygon class="fil8" points="2665,2688 3923,2688 3923,3024 2665,3024 "/>
-  <polygon class="fil11" points="3300,2688 3923,3021 3923,3024 3289,3024 2665,2689 2665,2688 "/>
-  <polygon class="fil8" points="1584,2688 327,2688 327,3024 1584,3024 "/>
-  <polygon class="fil12" points="949,2688 327,3021 327,3024 960,3024 1584,2689 1584,2688 "/>
-  <polygon class="fil13" points="1584,1680 0,832 0,496 1584,1344 "/>
-  <polygon class="fil14" points="2665,1680 4250,832 4250,496 2665,1344 "/>
-  <polygon class="fil5" points="3602,3695 660,3695 660,3360 3602,3360 "/>
-  <polygon class="fil15" points="2665,2688 4250,3535 4250,3871 2665,3024 "/>
-  <polygon class="fil16" points="1584,2688 0,3535 0,3871 1584,3024 "/>
-  <polygon class="fil1" points="4250,2016 3293,2016 3595,1854 3595,1518 2665,2016 2665,2016 2665,2016 2665,2351 2665,2352 2665,2352 2666,2352 3596,2849 3596,2513 3294,2352 4250,2352 "/>
-  <polygon class="fil1" points="654,1518 654,1854 957,2016 0,2016 0,2352 956,2352 654,2513 654,2849 1584,2352 1584,2352 1584,2352 1584,2351 1584,2016 1584,2016 1584,2016 "/>
- </g>
+<svg width="100%" height="100%" viewBox="0 0 1200 359" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <g transform="matrix(4.16667,0,0,4.16667,0,0)">
+        <path d="M18.602,0.961L18.602,19.563L66.437,19.563L66.437,67.398L85.039,67.398L85.039,27.536L58.464,0.961L18.602,0.961Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M66.437,86L66.437,67.398L18.602,67.398L18.602,19.563L0,19.563L0,59.426L26.574,86L66.437,86Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M105.6,69.491C104.445,69.128 103.467,68.564 103.467,67.338C103.467,65.828 104.61,64.875 106.54,64.875C107.53,64.875 108.38,65.073 109.079,65.345L108.971,66.317C108.298,66.005 107.39,65.828 106.628,65.828C105.366,65.828 104.579,66.323 104.579,67.243C104.579,68.145 105.333,68.348 106.089,68.595L107.441,69.027C108.85,69.491 109.51,70.106 109.51,71.281C109.51,72.759 108.298,73.749 106.407,73.749C105.391,73.749 104.198,73.515 103.449,73.16L103.55,72.169C104.287,72.518 105.422,72.791 106.324,72.791C107.581,72.791 108.418,72.251 108.418,71.312C108.418,70.62 108.038,70.258 107.054,69.948L105.6,69.491Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M115.705,70.118C115.634,69.077 114.917,68.341 113.755,68.341C112.607,68.341 111.762,69.077 111.667,70.118L115.705,70.118ZM116.352,73.153C115.641,73.566 114.873,73.749 114.054,73.749C112.003,73.749 110.588,72.454 110.588,70.576C110.588,68.76 111.896,67.402 113.724,67.402C115.787,67.402 116.955,69.072 116.624,70.944L111.642,70.944C111.813,72.144 112.829,72.804 114.009,72.804C114.72,72.804 115.355,72.683 116.174,72.239L116.352,73.153Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M121.212,67.402C122.038,67.402 122.743,67.643 123.04,67.808L122.933,68.716C122.527,68.519 121.917,68.348 121.212,68.348C119.785,68.348 118.807,69.243 118.807,70.557C118.807,71.883 119.79,72.804 121.225,72.804C121.841,72.804 122.533,72.645 122.984,72.416L123.149,73.337C122.609,73.578 121.898,73.749 121.225,73.749C119.181,73.749 117.785,72.454 117.785,70.557C117.785,68.684 119.175,67.402 121.212,67.402Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M129.044,67.529L130.039,67.529L130.039,71.147C130.039,72.677 128.961,73.749 127.28,73.749C125.597,73.749 124.518,72.69 124.518,71.185L124.518,67.529L125.521,67.529L125.521,71.001C125.521,72.144 126.226,72.804 127.28,72.804C128.339,72.804 129.044,72.144 129.044,71.001L129.044,67.529Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M133.003,68.43C133.346,67.726 133.95,67.402 134.648,67.402C135.08,67.402 135.397,67.51 135.511,67.561L135.41,68.493C135.238,68.43 135.003,68.341 134.61,68.341C133.797,68.341 133.003,68.874 133.003,70.24L133.003,73.622L131.988,73.622L131.988,67.529L133.003,67.529L133.003,68.43Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M136.753,67.529L137.762,67.529L137.762,73.622L136.753,73.622L136.753,67.529ZM136.632,65.485C136.632,65.117 136.886,64.863 137.254,64.863C137.623,64.863 137.889,65.117 137.889,65.485C137.889,65.853 137.623,66.114 137.254,66.114C136.886,66.114 136.632,65.853 136.632,65.485Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M145.429,69.915L145.429,73.622L144.426,73.622L144.426,70.163C144.426,68.976 143.804,68.354 142.7,68.354C141.659,68.354 140.814,69.072 140.814,70.182L140.814,73.622L139.805,73.622L139.805,67.529L140.821,67.529L140.821,68.443C141.164,67.878 141.887,67.402 142.858,67.402C144.464,67.402 145.429,68.348 145.429,69.915Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M147.928,70.557C147.928,71.82 148.83,72.835 150.099,72.835C151.401,72.835 152.359,71.82 152.359,70.557C152.359,69.3 151.401,68.316 150.099,68.316C148.83,68.316 147.928,69.3 147.928,70.557ZM149.998,73.749C148.252,73.749 146.925,72.391 146.925,70.557C146.925,68.729 148.252,67.402 149.998,67.402C151.089,67.402 151.889,67.871 152.346,68.526L152.346,67.529L153.356,67.529L153.356,73.216C153.356,74.988 152.143,76.288 149.909,76.288C149.154,76.288 148.151,76.118 147.509,75.781L147.668,74.861C148.347,75.197 149.154,75.374 149.903,75.374C151.318,75.374 152.346,74.658 152.346,73.292L152.346,72.619C151.902,73.261 151.089,73.749 149.998,73.749Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M164.023,69.915L164.023,73.622L163.02,73.622L163.02,70.163C163.02,68.976 162.398,68.354 161.293,68.354C160.252,68.354 159.409,69.072 159.409,70.182L159.409,73.622L158.399,73.622L158.399,67.529L159.415,67.529L159.415,68.443C159.757,67.878 160.481,67.402 161.453,67.402C163.058,67.402 164.023,68.348 164.023,69.915Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M170.629,70.118C170.56,69.077 169.842,68.341 168.681,68.341C167.532,68.341 166.688,69.077 166.592,70.118L170.629,70.118ZM171.277,73.153C170.566,73.566 169.798,73.749 168.979,73.749C166.929,73.749 165.513,72.454 165.513,70.576C165.513,68.76 166.821,67.402 168.649,67.402C170.712,67.402 171.88,69.072 171.55,70.944L166.567,70.944C166.739,72.144 167.754,72.804 168.935,72.804C169.646,72.804 170.281,72.683 171.099,72.239L171.277,73.153Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M174.456,68.399L174.456,71.693C174.456,72.493 174.887,72.842 175.509,72.842C175.839,72.842 176.258,72.779 176.55,72.67L176.684,73.54C176.423,73.655 175.897,73.749 175.402,73.749C174.227,73.749 173.447,73.102 173.447,71.858L173.447,68.399L172.323,68.399L172.323,67.529L173.453,67.529L173.453,65.574L174.45,65.574L174.45,67.529L176.398,67.529L176.398,68.399L174.456,68.399Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M182.42,67.592L184.071,72.664L185.588,67.529L186.655,67.529L184.756,73.622L183.405,73.622L181.887,69.001L180.371,73.622L179.018,73.622L177.114,67.529L178.187,67.529L179.698,72.658L181.348,67.592L182.42,67.592Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M190.614,72.81C191.896,72.81 192.841,71.832 192.841,70.576C192.841,69.319 191.896,68.341 190.614,68.341C189.332,68.341 188.385,69.319 188.385,70.576C188.385,71.832 189.332,72.81 190.614,72.81ZM190.614,67.402C192.467,67.402 193.851,68.792 193.851,70.576C193.851,72.36 192.467,73.749 190.614,73.749C188.76,73.749 187.376,72.36 187.376,70.576C187.376,68.792 188.76,67.402 190.614,67.402Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M196.433,68.43C196.776,67.726 197.378,67.402 198.077,67.402C198.508,67.402 198.826,67.51 198.94,67.561L198.838,68.493C198.667,68.43 198.432,68.341 198.039,68.341C197.226,68.341 196.433,68.874 196.433,70.24L196.433,73.622L195.417,73.622L195.417,67.529L196.433,67.529L196.433,68.43Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M200.183,64.685L201.192,64.685L201.192,70.036L202.494,70.036L204.131,67.529L205.254,67.529L203.281,70.499L205.572,73.622L204.391,73.622L202.43,70.906L201.192,70.906L201.192,73.622L200.183,73.622L200.183,64.685Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M209.169,70.189C210.382,70.43 211.023,70.976 211.023,71.928C211.023,73.115 210.078,73.749 208.598,73.749C207.735,73.749 206.884,73.578 206.313,73.292L206.453,72.391C207.011,72.677 207.792,72.848 208.529,72.848C209.506,72.848 210.033,72.543 210.033,71.979C210.033,71.433 209.563,71.204 208.707,71.039L207.913,70.88C206.904,70.684 206.256,70.151 206.256,69.211C206.256,68.125 207.214,67.402 208.732,67.402C209.468,67.402 210.21,67.541 210.687,67.739L210.56,68.62C210.065,68.424 209.392,68.297 208.795,68.297C207.805,68.297 207.259,68.627 207.259,69.186C207.259,69.712 207.678,69.897 208.535,70.062L209.169,70.189Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M225.538,69.897L225.538,73.622L224.528,73.622L224.528,70.144C224.528,69.021 223.906,68.354 222.846,68.354C221.856,68.354 221.037,69.046 221.037,70.125L221.037,73.622L220.028,73.622L220.028,70.144C220.028,69.021 219.406,68.354 218.383,68.354C217.362,68.354 216.549,69.059 216.549,70.163L216.549,73.622L215.54,73.622L215.54,67.529L216.549,67.529L216.549,68.437C216.885,67.871 217.596,67.402 218.548,67.402C219.627,67.402 220.409,67.884 220.777,68.684C221.189,67.891 222.014,67.402 223.004,67.402C224.591,67.402 225.538,68.405 225.538,69.897Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M228.037,70.557C228.037,71.82 228.938,72.835 230.207,72.835C231.509,72.835 232.467,71.82 232.467,70.557C232.467,69.3 231.509,68.316 230.207,68.316C228.938,68.316 228.037,69.3 228.037,70.557ZM233.464,73.622L232.455,73.622L232.455,72.619C231.998,73.274 231.198,73.749 230.106,73.749C228.361,73.749 227.034,72.391 227.034,70.557C227.034,68.729 228.361,67.402 230.106,67.402C231.198,67.402 231.998,67.871 232.455,68.526L232.455,67.529L233.464,67.529L233.464,73.622Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M240.477,70.563C240.477,69.3 239.518,68.316 238.217,68.316C236.948,68.316 236.046,69.3 236.046,70.563C236.046,71.82 236.948,72.835 238.217,72.835C239.518,72.835 240.477,71.82 240.477,70.563ZM240.464,72.632C240.007,73.28 239.207,73.749 238.116,73.749C236.37,73.749 235.043,72.391 235.043,70.563C235.043,68.735 236.37,67.402 238.116,67.402C239.207,67.402 240.007,67.878 240.464,68.532L240.464,64.685L241.473,64.685L241.473,73.622L240.464,73.622L240.464,72.632Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M248.162,70.118C248.092,69.077 247.374,68.341 246.213,68.341C245.064,68.341 244.22,69.077 244.124,70.118L248.162,70.118ZM248.809,73.153C248.098,73.566 247.331,73.749 246.511,73.749C244.461,73.749 243.045,72.454 243.045,70.576C243.045,68.76 244.353,67.402 246.181,67.402C248.245,67.402 249.413,69.072 249.082,70.944L244.099,70.944C244.271,72.144 245.287,72.804 246.467,72.804C247.178,72.804 247.813,72.683 248.631,72.239L248.809,73.153Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M258.359,70.118C258.29,69.077 257.573,68.341 256.411,68.341C255.262,68.341 254.417,69.077 254.323,70.118L258.359,70.118ZM259.006,73.153C258.295,73.566 257.528,73.749 256.709,73.749C254.659,73.749 253.244,72.454 253.244,70.576C253.244,68.76 254.551,67.402 256.379,67.402C258.441,67.402 259.609,69.072 259.28,70.944L254.297,70.944C254.468,72.144 255.484,72.804 256.665,72.804C257.375,72.804 258.01,72.683 258.829,72.239L259.006,73.153Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M261.45,70.557C261.45,71.82 262.351,72.835 263.621,72.835C264.921,72.835 265.88,71.82 265.88,70.557C265.88,69.3 264.921,68.316 263.621,68.316C262.351,68.316 261.45,69.3 261.45,70.557ZM266.876,73.622L265.868,73.622L265.868,72.619C265.411,73.274 264.611,73.749 263.519,73.749C261.773,73.749 260.446,72.391 260.446,70.557C260.446,68.729 261.773,67.402 263.519,67.402C264.611,67.402 265.411,67.871 265.868,68.526L265.868,67.529L266.876,67.529L266.876,73.622Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M271.37,70.189C272.582,70.43 273.223,70.976 273.223,71.928C273.223,73.115 272.277,73.749 270.798,73.749C269.935,73.749 269.084,73.578 268.513,73.292L268.653,72.391C269.211,72.677 269.992,72.848 270.728,72.848C271.706,72.848 272.233,72.543 272.233,71.979C272.233,71.433 271.763,71.204 270.906,71.039L270.113,70.88C269.103,70.684 268.456,70.151 268.456,69.211C268.456,68.125 269.415,67.402 270.931,67.402C271.667,67.402 272.411,67.541 272.886,67.739L272.759,68.62C272.264,68.424 271.591,68.297 270.995,68.297C270.004,68.297 269.458,68.627 269.458,69.186C269.458,69.712 269.877,69.897 270.735,70.062L271.37,70.189Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M278.992,67.529L280.102,67.529L277.227,74.397C276.707,75.61 276.135,76.288 274.904,76.288C274.415,76.288 274.034,76.168 273.863,76.079L273.983,75.222C274.193,75.318 274.529,75.387 274.846,75.387C275.539,75.387 275.951,74.95 276.306,74.079L276.415,73.794L273.78,67.529L274.878,67.529L276.954,72.632L278.992,67.529Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
+        <path d="M140.024,37.345L140.024,43.579L144.106,43.579C146.277,43.579 147.668,42.503 147.668,40.462C147.668,38.309 146.351,37.345 144.106,37.345L140.024,37.345ZM140.024,49.665L140.024,56.437L132.621,56.437L132.621,31.24L145.368,31.24C151.658,31.24 155.183,35.229 155.183,40.313C155.183,45.453 151.658,49.665 145.368,49.665L140.024,49.665Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+        <path d="M164.994,56.437L157.794,56.437L157.794,31.24L163.825,31.24L175.31,44.692L175.31,31.24L182.509,31.24L182.509,56.437L176.739,56.437L164.994,43.134L164.994,56.437Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+        <path d="M195.603,45.527C199.332,46.177 200.854,47.809 200.854,50.927C200.854,54.601 197.848,56.809 192.82,56.809C190.074,56.809 187.309,56.4 185.398,55.732L186.047,50.389C187.272,50.815 189.74,51.446 192.003,51.446C193.488,51.446 194.36,51.279 194.36,50.834C194.36,50.426 193.729,50.296 192.133,50.073L190.964,49.906C186.938,49.331 185.12,47.754 185.12,44.358C185.12,40.536 188.33,38.254 193.673,38.254C195.974,38.254 198.683,38.718 199.926,39.182L199.24,44.6C198.331,44.21 195.918,43.765 194.249,43.765C192.337,43.765 191.484,43.987 191.484,44.488C191.484,44.896 192.263,44.952 194.434,45.323L195.603,45.527Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+        <path d="M214.468,45.713C214.468,44.655 213.578,43.431 212.093,43.431C210.405,43.431 209.551,44.544 209.44,45.713L214.468,45.713ZM220.294,55.25C219.033,55.955 216.435,56.809 213.411,56.809C206.675,56.809 202.779,53.098 202.779,47.494C202.779,41.909 206.527,38.254 212.186,38.254C217.827,38.254 221.872,41.668 220.74,49.09L209.44,49.09C209.57,50.463 211.555,51.279 213.745,51.279C216.101,51.279 218.346,50.76 219.497,50.203L220.294,55.25Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+        <path d="M242.054,44.488L242.054,56.437L234.929,56.437L234.929,46.603C234.929,45.342 234.039,44.47 232.758,44.47C231.478,44.47 230.606,45.342 230.606,46.603L230.606,56.437L223.481,56.437L223.481,38.625L229.975,38.625L230.142,40.332C231.144,39.107 233.129,38.254 235.671,38.254C239.457,38.254 242.054,40.777 242.054,44.488Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+        <path d="M254.999,45.527C258.729,46.177 260.25,47.809 260.25,50.927C260.25,54.601 257.245,56.809 252.216,56.809C249.47,56.809 246.706,56.4 244.794,55.732L245.444,50.389C246.668,50.815 249.136,51.446 251.4,51.446C252.884,51.446 253.756,51.279 253.756,50.834C253.756,50.426 253.125,50.296 251.53,50.073L250.361,49.906C246.334,49.331 244.516,47.754 244.516,44.358C244.516,40.536 247.726,38.254 253.07,38.254C255.371,38.254 258.079,38.718 259.323,39.182L258.635,44.6C257.726,44.21 255.315,43.765 253.645,43.765C251.734,43.765 250.88,43.987 250.88,44.488C250.88,44.896 251.66,44.952 253.831,45.323L254.999,45.527Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+        <path d="M273.865,45.713C273.865,44.655 272.974,43.431 271.49,43.431C269.801,43.431 268.948,44.544 268.836,45.713L273.865,45.713ZM279.691,55.25C278.429,55.955 275.832,56.809 272.807,56.809C266.072,56.809 262.175,53.098 262.175,47.494C262.175,41.909 265.923,38.254 271.582,38.254C277.223,38.254 281.268,41.668 280.136,49.09L268.836,49.09C268.966,50.463 270.952,51.279 273.141,51.279C275.498,51.279 277.743,50.76 278.893,50.203L279.691,55.25Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+        <path d="M283.51,32.01L283.51,33.063L284.174,33.063C284.519,33.063 284.731,32.827 284.731,32.533C284.731,32.216 284.505,32.01 284.174,32.01L283.51,32.01ZM283.51,35.029L282.543,35.029L282.543,31.141L284.308,31.141C285.112,31.141 285.733,31.708 285.733,32.533C285.733,33.033 285.458,33.49 285.063,33.733L286.016,35.029L284.865,35.029L284.068,33.924L283.51,33.924L283.51,35.029ZM284.145,35.949C285.747,35.949 287.046,34.815 287.046,33.107C287.046,31.435 285.719,30.25 284.145,30.25C282.564,30.25 281.308,31.435 281.308,33.107C281.308,34.815 282.55,35.949 284.145,35.949ZM284.145,29.308C286.206,29.308 287.978,30.957 287.978,33.107C287.978,35.345 286.298,36.921 284.145,36.921C282.099,36.921 280.362,35.367 280.362,33.107C280.369,30.913 282.056,29.308 284.145,29.308Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+        <path d="M116.372,50.222C112.753,50.222 110.323,47.624 110.323,43.82C110.323,40.072 112.753,37.512 116.372,37.512C119.915,37.512 122.272,40.072 122.272,43.82C122.272,47.624 119.915,50.222 116.372,50.222ZM116.334,30.869C115.277,30.869 114.267,30.968 113.303,31.146L113.303,38.254L103.958,38.254C103.23,39.902 102.827,41.766 102.827,43.802C102.827,51.465 108.337,56.809 116.334,56.809C124.294,56.809 129.768,51.483 129.768,43.82C129.768,36.194 124.294,30.869 116.334,30.869Z" style="fill:rgb(64,63,65);fill-rule:nonzero;"/>
+    </g>
 </svg>
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/favicon.png b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/favicon.png
index 3e6dde97264d7a9305e8efb15b48002d2bb63484..9a8472bc4faa57ecc19539c58f42b5fc61099cb1 100644
GIT binary patch
literal 2100
zcma)7c~BEq99|9uQIJ7Iv}m_WMGKQ`5(Lef7()Vta)=lt9HWF}lk7mUVY4v-k4meE
zg13xXDLU9Xr~?-2eWEg6R76J|K`mMxKnsXei>X@sl5i>2=^vZyd*AoFk6j%f7wPUc
z!3}~S_b7=t0sM2UkLz&oJ4sMb1wq5c5>gp0i;ck)q?RdHk{LMDtknY?f_MV6UarW*
zX*dH{6FNTf?8F%aCX{?6DI}H^s~6!KLXu12^K#>)irh>ESBVH_x$(>xP@u(WIc(Nu
z=?s{ekJ$8L;N5zSBCw4@XYvtQY&<L?DI5-AhA>&kEH{`(DOFg4IHFe=ocM@_ru7(#
znoK69DVRx8YLw08a#0os<!~5)!7$|LXt|l8Gx%Fo*ma0;gMuRTG(qZMt4?_aX{7lG
z0&uv`Gp)W~xz5lVJ;(!Umg`YAlZ6f@>op`z8Z_ibMEc<&g1DI&h~YgmR%8gBCR87x
zTah7jkn7mkPe-BEz88pr4qpTk(VNuw9O{ePAkER^Xaa5^jg$fpUxe#ue_JkqHB3a|
zavB$dhmUYroM{X;hrwb?*)uQ>2jj4VSZo%npBzgn302O2l7lf$C?I2l*`Pg?a$5d>
z`27jTtZchepfx|~(SVGI%pxh^9Ec&<=Ij6zB@)F`q>9J_m?0rD42}vHg|fM!p$ra_
zZR1+&hQ$+RJWD1fw7AXydW?^R*rOf*lRpC5Y|jIu1q|2~S}Ti1Y2|7>iBQs-eq96i
zF}P0sAz-afmeJbai8=yQlw)(wCL<fb_y{)?9b_hX2xJ`@m}hGwOhOoFlFG4N+2?2;
zo^3zbk6DCmfMD3xMwnb-wa-WN6sa^SaHY)!pw5mONEL08Q@BtKI*5-5RVo5_ngfH`
zB-A>bf;lh;41UP_QYH-!G=5OXLEVD(dWTxay3aixIwSy|jWB2r06F^|*e_sFq5Yc*
z9Qt=1t^-{}flU^EvAG0-9P$Xz4@3F@f~IaXZmf$A6MC-_9BRX*-q*`kt~hjMs?*-s
z4PHKyg7Gh!+O9@EctjoWx)G`g@)m1z8Bfu2Z3E`I1}V5*S=c1KSAVOffOo#c(lWi(
zPgTD>q$J@+?tRve!Cc1U9?ZvQtDpPic3Io59eWDO_HRC$zWn>YmZ4P{N0`6N?>PER
z1s<{|D4p;wjh8Z}@ECrwYkLEpxthMZd}&|T_O4w4<GfD?ztpUZ4ww@7hN$-Ou+%g$
z+a+&)Z$syAN=cC|SQq@ml^{V6dtt_UyrosyvAMA@&Q-9$?^o8!(WCu~3VR-$ySkyh
ze4`+(e&^(%V{6RCjuSG!lx$MO-#jT@e|f?<et>`Y+4gtMr=LEbYx?Q<{gE%P<v(v4
z?S8i_aaz%O|MRb~;djTRsrFeKMZSy2oRZxtacMX_qBSXzaeU;s)P_IHBMwTEt1lnC
z@TiM&t0-*9ak^SpT>7@e&<#Cwx9rQjb9a@)YBJR_+;OM+=>3zO&%h^XgkF+tfFO@r
z>*G)y<nbA((2OXtP^!u6xWm?+WBKMkoZh%Utaa3}*)E+mTb$HaCi>>)joO~->9Rb}
zRVdjZ2+*Es?w%Rp(e2Nz&d#r@3{0xoYFsjVW_s$)4)vuv%el=td)yo7M2k;%wU={g
zO}P;E-0hkN6$Lu0GPZoda@y_T;D5o%d6X~exvfU|cAfUguvfCIl*0=mOV^e{)s=yB
zE_}}SHfDyS2}#9^i+txq|8aN~-ZIwFsYva5Fa4xw*Tq`M;ZCh%_Pe!d(VmCA#1+nS
zgM>G~?t2Zq)Olt~m6-eUWXG7_7E;G9K8D!om7kw5#e^<tXucPc)>)W8aoN&{o>NYd
zbu})oF&Y0<8|NNbTvu~_Y3(D<>qVj$`Ic;T&x-B5GV|GO^(m8BEu!6+>h_bQ@xiZs
h53CvSx1g+m>lDw(Jl!a)_|E#Vj|z_ySB9m3`!C-M>Ky<8

literal 2938
zcmV-=3x)KFP)<h;3K|Lk000e1NJLTq001xm001xu1^@s6R|5Hm00004b3#c}2nYxW
zd<bNS00009a7bBm000XT000XT0n*)m`~Uy|9CSrkbW?9;ba!ELWdK2BZ(?O2Mrm?o
zcW-iQb09-gHt4*vi~s-t7<5HgbVG7wVRUJ4ZXi@?ZDjy5I4v<TEiy1MG`&gH`v3q6
z&`Cr=RA_<KS#5As)fs-yJ@<37yUB(P3;BQqBE--nQ#;7S5rGP}qksgaKudyku+u?n
zp{>YLbr7utDoT}FTSci_WfH4|kLlQ{+5r(!TP0CQCBPC$h>7`PvtRezz4!D-vP-~C
z*a#)`nc3OoyyrdldG0yqJ@0v!aL)1n3^DcxAtc^dS-E~SfYkt8!@wyic)e=~&`$sW
zJh6F`!XoT>01E*q!$B-5oO{>j3t$oU2SP~2RlBSR01jBD6>o|QSmX8nI1~)sp(qNd
zNMp^%dtLf#9u{x_IhJWDOlM$>#SL)*t*xyqHBF;-yB&(Egj7{sKnQso!!LkC0`wmJ
zJ;qpRAP_((6p9<;0x~l*Q`_6yt+uu{!C`lN@$~PvyfrLz2f)e|D<XkF0HP>bnVFgK
zH69l*W5$f`?(XiK&p!JMCr_T#hll3C=<e<|#*7(*qM{<6mX;>O+T#L(!64N%jh2>{
zqOh<qzpSim;qCM0RRh4Hg$thp;6d+lx)LA&B30GZivjSRH8pc|T`zPv9N?VONF;Ku
zV=UtA*}eM+fNKFj5CoW}2_tIk4Tr;zzVX*L{z54oMJY}2tjiD6G+~;iHT9;cbH|Pu
zyPQ&bn<PoFtaH(4_MABc0EB*iivc_XfX6y=i%+AJzFm4lX}Z(tgkc!x4RX0*Sr!b#
zKuSsqCQqJhc}9Bnn5KDK%+`k&0Zfhk6Q6<DNxXa4uIm7-<($uDtT$v?+(I}UhR^52
zsZ*y~L%~qJD2jGMh<rJSbIuLZG<y_9$<N8j$<EEoh23rk0f8*bkYyQ^(tiMWc+T9p
z2l{*x3y5LY&Yia~#vW#jmFi4~VHhw?6Ol;dOQy4@a&vPxFIv3#vTSzCvdG2_8}5~5
z`94)sb10>~#3dQBB7Z7L(j#SM^J^{;J-C1vwr_u}T-Wsn8DkT5ri1AWeTPY-uIua9
zS5`iEDdg99z2%Z5J)|hg1X-3LD>4*Cfh@~DS(ewAmse~}<d?L77;1Lx_(?}+$128H
zzW=PBL?RLBx{gRBQp*@yXS3OAe*5_2Nk^%>moL9nmgTjIqFk>i3N%fF-EQZyA~)LY
z_9vGtDc>@f|DXaE%%5NK`QgJ)9X)!~1PBO0)UqtU+wHz)>Ww!RO_?%9pp>G!yBm>6
z1d&JtjIjrw-@5g&WXRvOY}wtCBt4@j3RG1^YHBJt=cui%<^TTVllpKtbj0Hs<w#9U
zl{8I-s;HtQN~^10uReI805Q=6G))^(Qd~SO-Q_}keLcF*`T+p#?d{l6Q-k*p9Kej}
z(@{`R0994d7nie>A>W5g0FY%FqA23?!-w(l#~-1yvy)_GWE7^l^9oZOsc>o(k|d)q
ze2+>rP(lHWF-{1<xbgXzFg_PEq)+hN{x%#q)&syqTU#5ds;iNmm4zu&rXVXT3qv_0
zD5YEw1e`v78lN9NjP~}g;BvW;UoZ)xEe$1Z6Z1y5;?4GPXbbhFpaUGD2?Y>B`~d27
z#w<u8=H-U2Ezc#&OaJj;)4pI={h43`2y9Kw%}Vo*9lWHZM4U9K@JzA-!r^f1$;QSL
zCr+G*+U+SMcl-p#6=!flI>wb{emUY6M*|_S%r`Nvo^u!=5CL>1<eJPT?(#aD1@KI#
zLJ;9%w_);U9i!cw$j=%Q4mwouZN+wf!>N@5_zH!v5n+=O3qmwa@sB3!(4NqzkGGJ>
zm;hf`An4WsW<=AtWv=OIZmkPG;Jlab)h;Q&2>jZy%zxBZ3(I`ev@Cbfl!(<!s~#qa
zT+Bb|FxusH-ih9O@&ufJKR5#5Q2?*IHu%kCNOyUi0)W{7)&jWh0<#am6Rr*ZX9gSN
zYf-4n>wFzR#sK}J0L}skC9o9&*bd-&0KdFAeE`6{0Dd=sEeK#nm)AKDfHcS$(}D9h
z@hkwTNfJnetReJu4`TaP-zO>b-vgJLW)9`9aM|t^{b%4K47`La^e&;%01A+J^LGs4
zx&8s#Ie-QLrvW$tTr@z$1-Lf&zdu;VF0XS5fCupP3;sy}l>lD3*u(l^3xE~?4*{5X
zfsF#Fa&7QGKiB}gviCdLb6^jE+W>%^oBd9K;7Nzvvze?*xVbM1z6nxKhvOd3v6}a#
z3jEyrIhZE)e3$%&hZFh^B^&MXI?oXB(VAeugy=Upw%X;uMzRiV--P(r$o$Eb7CvRJ
z0{C)~M_nO{f<rLVT>cScHO>xMz@mi<O8`7=a#*rRg{Sh~nVd#~+Ix`+*wsF^<4BLA
zE`>%lksB%iXqrYvQGE5qZQC{`LwIRL#ZQ}>o9=09YBC)T2OO>pJu2CQMJ{8~?W3AK
z(`^kfIm}f}-}|s7C@@*z6u|1L>go?J6p%0%0x$x=O$2}l3x|w6yx-}@zs{yZM07+N
zjm)qt3yP}3;c$Rb3dUGoGUNe3Rn?q=i3LUO5pFabYe3V<V@OX=N4=4bFZ_9U*F74u
zN48K7aznpp;Yl>sKmq^&0s)xG@oZy0qLu{>VOXXKNz>qVyOENT0>dy63WdNqPdW@+
zmc=>e$j!|~ettfDJ|Al9YSGr#h77kG?+4Rys67X%N)%L}7_2Zjkbo`#`+(lKMlELY
zsNok?b<C*j>~Fi>z2{IU6zX3s_$pZe=nJ`wF$jWy;^JZy78c@A?IG0G)*a@ZUB@y!
zBOP!!L`_v8%L)WRXiZu`Rdw~J0H*bCd*zjv7Y71?2N+`rhr-ZxJ+=-T2qC`_1Y!FS
z1Z*LMGy`~ub6yk<hoNa2rcaxWSu<xzDfX0|6%|XjB{R@PqtI)wy*igMwpQ2m>tbaV
zrZece-o_Z)1Ypbh%F2sojft?v>lHZX%Vk;iDvFYQ!KMC)EX$9SmseCJ@=d0!Qpy-x
z#|$=0*Uyzz^oZVWFyoI|*;yNZv}8%(n-ISc2S4~g+Pin}uS7{)p{lBfQcC)jRrbr0
z{P4W8vUidauzT083Fw{L^8SUbNF;*B##1=e*x1<9({qSYY7+$Eviyp}IcL#mG?<c-
zGASn~XZ+aQvBYMxohxi9GN?e`1n|h5xpQk13fQxI_cZ|S1n>(0D(4)GF&I$;EoWMy
z_4V~)M@I()D)dE$%MZ)4V45b<($X-oV4|6wolPZCidE(Sz(j8v^5@xe=F|e`CuMH{
zSOY*6gx+RB5I#0dbKd^_``bD@J0VHZ|BQU!^B_qQ{C+<^Jous2(cZC`Qo1i@LvNn6
z62PIDPdo~7&IzRyq9`H|2y{x4bpQMX3tj+#ML$@$7zA0k^pra(P)Z4<H2m`wE2;og
z?X0Q!VK^M#Y`5Dzu~~{CzJ&hy?z^A*{r;l5x;lFN`0<ZkdimukSAuM^xMS(kzvt!U
z-BMg!Y&xAz;pUk$1)$#y?Ay0bYiVgA!C(+}yFJ;<{uP7WZkK#MA6i;kNM>dxZk{<4
zKtBOKpKp|+D1yi1fubndurW=5^^ZOFop3l@Vzb#02m}P5&lk^7;{q}=GHjwKLen%z
zl5|aF<@!Uoaz7~z1`eRWX0vIM)Ekka(P+FN5EtNZIHIB`N>rraoXY@8hJ)>ZAb_mM
z5GC<%o{^q-5jnor6-DV1L?M1aT!n~o&fk(`sbbk(cNww9xBw1rT@?!^F*tx1IOn&n
ky6^t;%9-RUe&b2uzp$9K#m3Z@`2YX_07*qoM6N<$g7gSppa1{>

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/icon-logo.svg b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/icon-logo.svg
index 2e3ac8998c..702d2a847d 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/icon-logo.svg
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/images/icon-logo.svg
@@ -1,84 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg width="100%" height="100%" viewBox="0 0 95 98" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.41421;">
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M94.747,9.011L87.457,9.011L87.457,7.495L10.768,7.495C10.456,7.495 10.21,7.539 9.898,7.606L9.876,7.606L9.497,7.74L9.43,7.762L9.386,7.785L9.319,7.829L9.029,7.985L8.962,8.007L8.962,8.03L8.828,8.097L8.717,8.186L8.672,8.23L8.605,8.275L8.561,8.297L8.561,8.32L8.516,8.364L8.449,8.409L8.405,8.453L8.36,8.498L8.249,8.609L8.226,8.654L8.159,8.721L8.115,8.743L8.137,8.743L8.07,8.81L8.048,8.832L8.048,8.855L8.003,8.899L8.003,8.922L7.959,8.966L7.936,9.011L0.29,9.011L0.29,8.498C1.427,3.638 5.707,0.004 10.768,0.004L94.747,0.004L94.747,9.011Z" style="fill:rgb(227,228,229);fill-rule:nonzero;"/>
+<svg width="100%" height="100%" viewBox="0 0 355 355" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <g transform="matrix(4.16667,0,0,4.16667,0,-4.00417)">
+        <path d="M18.602,0.961L18.602,19.563L66.437,19.563L66.437,67.398L85.039,67.398L85.039,27.536L58.464,0.961L18.602,0.961Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
     </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M87.457,7.517L94.747,3.593L94.747,11.084L87.479,14.985L87.457,14.985L87.457,7.517Z" style="fill:url(#_Linear1);fill-rule:nonzero;"/>
+    <g transform="matrix(4.16667,0,0,4.16667,0,-4.00417)">
+        <path d="M66.437,86L66.437,67.398L18.602,67.398L18.602,19.563L0,19.563L0,59.426L26.574,86L66.437,86Z" style="fill:rgb(228,74,32);fill-rule:nonzero;"/>
     </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M2.006,4.663L8.672,8.23L8.605,8.275L8.561,8.297L8.561,8.32L8.516,8.364L8.449,8.409L8.405,8.453L8.36,8.498L8.249,8.609L8.226,8.654L8.159,8.721L8.115,8.743L8.137,8.743L8.07,8.81L8.048,8.832L8.048,8.855L8.003,8.899L8.003,8.922L7.959,8.966L7.892,9.078L7.87,9.1L7.803,9.211L7.758,9.278L7.758,9.3L7.602,9.568L7.602,9.59L7.58,9.657L7.557,9.702L7.535,9.746L7.535,9.769L7.401,10.192C7.401,10.17 7.29,10.772 7.29,11.062L7.29,14.985L0,11.084L0,11.062C0,8.676 0.736,6.469 2.006,4.663Z" style="fill:url(#_Linear2);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <rect x="14.58" y="14.985" width="65.587" height="7.491" style="fill:rgb(147,146,146);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M0,88.375L7.29,88.375L7.29,89.869L83.979,89.869C84.291,89.869 84.537,89.847 84.826,89.757L84.849,89.757L85.25,89.624L85.295,89.601L85.339,89.579L85.428,89.557L85.696,89.401L85.763,89.356L85.785,89.356L85.896,89.267L86.008,89.2L86.008,89.178L86.075,89.133L86.142,89.089L86.164,89.066L86.231,89.022L86.298,88.955L86.32,88.933L86.32,88.91L86.365,88.888L86.476,88.776L86.476,88.754L86.521,88.732L86.565,88.665L86.61,88.62L86.654,88.554L86.677,88.531L86.721,88.464L86.766,88.397L86.788,88.397L86.81,88.375L94.435,88.375L94.435,88.888C93.298,93.748 89.04,97.359 83.979,97.359L0,97.359L0,89.958L0,89.869L0,88.375Z" style="fill:rgb(227,228,229);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M7.29,89.869L0,93.77L0,89.958L0,89.869L0,86.28L7.245,82.378L7.29,82.378L7.29,89.869Z" style="fill:url(#_Linear3);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M92.741,92.7L86.075,89.133L86.142,89.089L86.164,89.066L86.231,89.022L86.298,88.955L86.32,88.933L86.32,88.91L86.365,88.888L86.476,88.776L86.476,88.754L86.521,88.732L86.565,88.665L86.61,88.62L86.654,88.554L86.677,88.531L86.721,88.464L86.766,88.397L86.788,88.397L86.855,88.286L86.944,88.152L86.989,88.085L87.123,87.796L87.145,87.773L87.167,87.729L87.167,87.706L87.189,87.662L87.189,87.639L87.212,87.617L87.346,87.194C87.346,87.194 87.457,86.592 87.457,86.302L87.457,82.401L94.747,86.28L94.747,86.302C94.725,88.687 93.989,90.894 92.741,92.7Z" style="fill:url(#_Linear4);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <rect x="7.29" y="29.966" width="28.023" height="7.491" style="fill:rgb(170,171,171);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M21.156,37.457L7.29,30.011L7.29,29.966L21.402,29.966L35.313,37.412L35.313,37.457L21.156,37.457Z" style="fill:url(#_Linear5);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <rect x="59.412" y="29.966" width="28.045" height="7.491" style="fill:rgb(170,171,171);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M73.568,37.457L87.457,30.011L87.457,29.966L73.323,29.966L59.412,37.412L59.412,37.457L73.568,37.457Z" style="fill:url(#_Linear6);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <rect x="59.412" y="59.929" width="28.045" height="7.491" style="fill:rgb(170,171,171);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M73.568,59.929L87.457,67.352L87.457,67.419L73.323,67.419L59.412,59.951L59.412,59.929L73.568,59.929Z" style="fill:url(#_Linear7);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <rect x="7.29" y="59.929" width="28.023" height="7.491" style="fill:rgb(170,171,171);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M21.156,59.929L7.29,67.352L7.29,67.419L21.402,67.419L35.313,59.951L35.313,59.929L21.156,59.929Z" style="fill:url(#_Linear8);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M35.313,37.457L0,18.552L0,11.062L35.313,29.966L35.313,37.457Z" style="fill:url(#_Linear9);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M59.412,37.457L94.747,18.552L94.747,11.062L59.412,29.966L59.412,37.457Z" style="fill:url(#_Linear10);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <rect x="14.714" y="74.91" width="65.587" height="7.468" style="fill:rgb(147,146,146);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M59.412,59.929L94.747,78.811L94.747,86.302L59.412,67.419L59.412,59.929Z" style="fill:url(#_Linear11);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M35.313,59.929L0,78.811L0,86.302L35.313,67.419L35.313,59.929Z" style="fill:url(#_Linear12);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M94.747,44.948L73.412,44.948L80.145,41.336L80.145,33.846L59.412,44.948L59.412,52.438L59.434,52.438L80.167,63.518L80.167,56.027L73.434,52.438L94.747,52.438L94.747,44.948Z" style="fill:rgb(217,79,0);fill-rule:nonzero;"/>
-    </g>
-    <g transform="matrix(1,0,0,1,0,-0.00415471)">
-        <path d="M14.58,33.846L14.58,41.336L21.335,44.948L0,44.948L0,52.438L21.312,52.438L14.58,56.027L14.58,63.518L35.313,52.438L35.313,52.416L35.313,44.948L14.58,33.846Z" style="fill:rgb(217,79,0);fill-rule:nonzero;"/>
-    </g>
-    <defs>
-        <linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(1.65841,5.84056,-5.84056,1.65841,90.2635,6.36912)"><stop offset="0" style="stop-color:rgb(228,228,228);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(162,162,162);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear2" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-2.29154,5.81958,-5.81958,-2.29154,5.47686,6.9145)"><stop offset="0" style="stop-color:rgb(228,228,228);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(162,162,162);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear3" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-1.65885,-5.83931,5.83931,-1.65885,4.4731,91.0027)"><stop offset="0" style="stop-color:rgb(228,228,228);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(162,162,162);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear4" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(2.29131,-5.81924,5.81924,2.29131,89.2594,90.4576)"><stop offset="0" style="stop-color:rgb(228,228,228);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(162,162,162);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear5" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-46.185,-12.0168,12.0168,-46.185,44.3937,39.7156)"><stop offset="0" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="0.1" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(78,78,78);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear6" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(46.1861,-12.0159,12.0159,46.1861,50.342,39.7152)"><stop offset="0" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="0.1" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(78,78,78);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear7" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(46.1854,12.0159,-12.0159,46.1854,50.3425,57.6569)"><stop offset="0" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="0.1" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(78,78,78);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear8" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-46.1844,12.0166,-12.0166,-46.1844,44.3935,57.6564)"><stop offset="0" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="0.1" style="stop-color:rgb(170,171,171);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(78,78,78);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear9" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(35.3155,0,0,35.3155,-0.000283467,24.2587)"><stop offset="0" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="0.23" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(176,176,176);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear10" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-35.3154,4.32489e-15,-4.32489e-15,-35.3154,94.736,24.2587)"><stop offset="0" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="0.23" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(176,176,176);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear11" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(-35.3154,4.32489e-15,-4.32489e-15,-35.3154,94.736,73.1133)"><stop offset="0" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="0.23" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(176,176,176);stop-opacity:1"/></linearGradient>
-        <linearGradient id="_Linear12" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(35.3155,0,0,35.3155,-0.000283467,73.1133)"><stop offset="0" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="0.23" style="stop-color:rgb(254,254,254);stop-opacity:1"/><stop offset="1" style="stop-color:rgb(176,176,176);stop-opacity:1"/></linearGradient>
-    </defs>
 </svg>

From 9e849c43bcddaaf185925e2b8bdb62199d0c3219 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Aug 2025 09:46:40 +0200
Subject: [PATCH 2608/3088] misc/theme-advanced: bump for logo change

---
 misc/theme-advanced/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-advanced/Makefile b/misc/theme-advanced/Makefile
index c125b98685..2c4c80b3b5 100644
--- a/misc/theme-advanced/Makefile
+++ b/misc/theme-advanced/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-advanced
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		OPNsense theme based on AdvancedTomato GUI
 PLUGIN_MAINTAINER=	jacky@prahec.com
 PLUGIN_WWW=		https://prahec.com/

From 410c67a1a4c169da0b9e70f023aa8e2dca56c299 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Aug 2025 09:50:43 +0200
Subject: [PATCH 2609/3088] net/frr: sweep

---
 net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 87260985a5..a5b5d063d9 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -113,7 +113,7 @@ POSSIBILITY OF SUCH DAMAGE.
         $("#interface\\.networktype").on("keyup change", function () {
 
             const networktype = String($("#interface\\.networktype").val() || "")
- 
+
             const styleVisibility = [
                 {
                     class: "style_networktype",

From 79866c7820f38aa576390eebac34df457f353c9b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Aug 2025 09:53:02 +0200
Subject: [PATCH 2610/3088] net/frr: this too

---
 net/frr/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 101a43e630..e9a8bd2d80 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 1.46
 
 * Add address family selection to peer groups (opnsense/plugins/pull/4861)
+* Add OSPF point-to-multipoint options (contributed by Andy Binder)
 
 1.45
 

From 95162ce51d73fc371da579435cc17410967813e5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Aug 2025 09:57:14 +0200
Subject: [PATCH 2611/3088] plugins: fix changelog styling

No GitHub handles, looks like broken mail addresses.  ;)
---
 net-mgmt/collectd/pkg-descr |  6 +++---
 net-mgmt/telegraf/pkg-descr |  4 ++--
 net/frr/pkg-descr           |  6 +++---
 security/clamav/pkg-descr   |  2 +-
 security/maltrail/pkg-descr |  2 +-
 www/nginx/pkg-descr         | 18 +++++++++---------
 6 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/net-mgmt/collectd/pkg-descr b/net-mgmt/collectd/pkg-descr
index b50a748d9a..10fdf4d22a 100644
--- a/net-mgmt/collectd/pkg-descr
+++ b/net-mgmt/collectd/pkg-descr
@@ -14,9 +14,9 @@ Plugin Changelog
 
 1.3
 
-* Add support for CPU aggregation (contributed by @pmhausen)
-* Make Graphite separate instances configurable (contributed by @pmhausen)
-* Add disk I/O plugin (contributed by @pmhausen)
+* Add support for CPU aggregation (contributed by pmhausen)
+* Make Graphite separate instances configurable (contributed by pmhausen)
+* Add disk I/O plugin (contributed by pmhausen)
 
 1.2
 
diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index bfcb0cd531..2be143db98 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -94,8 +94,8 @@ Plugin Changelog
 
 1.8.1
 
-* Fix 'flush interval' templating by @Jontron123
-* Add ability to disable TLS for Graphite by @primemaster
+* Fix 'flush interval' templating (contributed by Jontron123)
+* Add ability to disable TLS for Graphite (contributed by primemaster)
 
 1.8.0
 
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index e9a8bd2d80..f21cd30622 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -207,9 +207,9 @@ Plugin Changelog
 
 1.12
 
-* Add passive-interface to OSPFv3 (by Michael Muenz)
-* Allow to set area per interface for OSPFv2 (by @twoequaldots)
-* Allow to set ebgp-multihop in BGP (by @bpeavy and Greg Goodrich)
+* Add passive-interface to OSPFv3 (contributed by Michael Muenz)
+* Allow to set area per interface for OSPFv2 (contributed by twoequaldots)
+* Allow to set ebgp-multihop in BGP (contributed by bpeavy and Greg Goodrich)
 
 1.11
 
diff --git a/security/clamav/pkg-descr b/security/clamav/pkg-descr
index ba2697c34f..d54ada5824 100644
--- a/security/clamav/pkg-descr
+++ b/security/clamav/pkg-descr
@@ -11,7 +11,7 @@ Plugin Changelog
 
 1.8.1
 
-* Fixed detect broken executables option (contributed by @sopex)
+* Fixed detect broken executables option (contributed by sopex)
 
 1.8
 
diff --git a/security/maltrail/pkg-descr b/security/maltrail/pkg-descr
index 69ad13f616..cbc444bf12 100644
--- a/security/maltrail/pkg-descr
+++ b/security/maltrail/pkg-descr
@@ -35,7 +35,7 @@ Changelog
 
 1.5
 
-* Change whitelisting format (by @jkellerer)
+* Change whitelisting format (contributed by jkellerer)
 * Add alienvault to disabled feeds
 
 1.4
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index d6b49aa7d2..0f7cb8ac84 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -155,8 +155,8 @@ Plugin Changelog
 1.14
 
 * add load balancer algorithm option (ip_hash)
-* fix URL flag not stored (contributed by jkellerer) [1]
-* allow to whitelist specific source IPs in the web application firewall (contributed by Julio Cesar Camargo) [2]
+* fix URL flag not stored (contributed by jkellerer)[1]
+* allow to whitelist specific source IPs in the web application firewall (contributed by Julio Cesar Camargo)[2]
 
 [1] https://github.com/opnsense/plugins/pull/1375
 [2] https://github.com/opnsense/plugins/pull/1310
@@ -219,7 +219,7 @@ Plugin Changelog
 
 * Add proxy options for ignore client abort and disabling buffering
 * Add logviewer support for streams
-* Fix charset is not defined bug (contributed by ccesario [1])
+* Fix charset is not defined bug (contributed by ccesario)[1]
 * Add an existence check for locations
 * Add PROXY protocol for HTTP and Streams frontend
 * Add PROXY backend support for Streams
@@ -230,14 +230,14 @@ Plugin Changelog
 1.4 (Development only)
 
 * move upstreams from HTTP to their own menu because they are used for TCP load balancing as well
-* add TCP load balancing [1]
+* add TCP load balancing[1]
 * add support for IP based ACLs
-* add log rotation (contributed by Julius Cesar Camargo [2])
+* add log rotation (contributed by Julius Cesar Camargo)[2]
 * add support for satisfy, body size limitation
-* change: allow to disable internal bot protection (contributed by @fzoske) [3]
+* change: allow to disable internal bot protection (contributed by fzoske)[3]
 * change: do not save when no change in the list happened to prevent filling the log history
 * fix: translate a german string in upstream server to english
-* replace headers instead of just adding our own (duplication issue #971), suppress X-Powered-By from Upstream [4]
+* replace headers instead of just adding our own (duplication issue #971), suppress X-Powered-By from Upstream[4]
 
 [1] https://github.com/opnsense/plugins/pull/930
 [2] https://github.com/opnsense/plugins/pull/982
@@ -253,13 +253,13 @@ Plugin Changelog
 * add limiter support
 * add permanent ban feature (use alias in firewall rules)
 * add caching feature (local file system)
-* add path prefix support (contributed by @ccesario )
+* add path prefix support (contributed by ccesario)
 * add port to upstream server table
 * add support to download waf rules
 * improvement: export full chain instead of only the server certificate (fixes some issues with some tools which need it)
 * web interface (allow HTTP/2 server push to increase performance)
 * support for (secure) web sockets in reverse proxy mode
-* bugfix: fix issues with multiple hostnames (IPv6 issues with TLS SNI by @ccesario )
+* bugfix: fix issues with multiple hostnames  due to IPv6 issues with TLS SNI (contributed by ccesario)
 * bugfix: warning in certificate rendering
 
 1.1

From dc0d1c32a34439b3a3a7b79bed6a87e822ce03a0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 13 Aug 2025 10:02:26 +0200
Subject: [PATCH 2612/3088] sysutils/smart: new version

---
 sysutils/smart/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 23820a8df2..132bbe4b30 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		smart
-PLUGIN_VERSION=		2.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		2.4
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 87493655f7fdb72d16e051bffb7d2fc1b44cf8b1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 15 Aug 2025 08:32:24 +0200
Subject: [PATCH 2613/3088] security/wazuh-agent - wrong model path used for
 skip_alias, closes https://github.com/opnsense/plugins/issues/4896

---
 .../service/templates/OPNsense/WazuhAgent/opnsense-fw.conf      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
index 778b549609..b97c634396 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
@@ -1,4 +1,4 @@
 [general]
-{% if not helpers.empty('OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore') and helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore) %}
+{% if not helpers.empty('OPNsense.WazuhAgent.active_response.fw_alias_ignore') and helpers.getUUID(OPNsense.WazuhAgent.active_response.fw_alias_ignore) %}
 skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore).name}}
 {% endif %}

From b68c1acc7c9bdc669e9ffcf203e32b1348f9a251 Mon Sep 17 00:00:00 2001
From: benyamin-codez <115509179+benyamin-codez@users.noreply.github.com>
Date: Fri, 15 Aug 2025 18:31:37 +1000
Subject: [PATCH 2614/3088] dns/bind: Fix zone_test and grid-primary-domains
 (#4893)

1. Fixes zone_test empty zonename variable
2. Fixes command truncation in grid-primary-domains
---
 .../src/opnsense/mvc/app/views/OPNsense/Bind/general.volt   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 30d3fcc1d3..0d9b55eda9 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -100,7 +100,7 @@
                         <th data-column-id="expire" data-type="string" data-visible="true">{{ lang._('Expire') }}</th>
                         <th data-column-id="negative" data-type="string" data-visible="true">{{ lang._('Negative TTL') }}</th>
                         <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                        <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                        <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                     </tr>
                 </thead>
                 <tbody>
@@ -427,8 +427,8 @@ $(document).ready(function() {
     }).on("loaded.rs.jquery.bootgrid", function(e) {
         // Checkzone button
         $("#grid-primary-domains").find(".command-bind-checkzone").off("click").on("click", function(ev) {
-            if (!$(this).closest("tr").hasClass("text-muted")) {
-                let zonename = $(this).closest('tr').find('td.zonename').text();
+            if (!$(this).closest(".tabulator-row").hasClass("text-muted")) {
+                let zonename = $(this).closest(".tabulator-row").find("[tabulator-field='domainname']").text();
                 zone_test(zonename);
             } else {
                 BootstrapDialog.show({

From fe59ff093b8e756cda821e4775fd54a44fa70949 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 15 Aug 2025 11:29:17 +0200
Subject: [PATCH 2615/3088] security/wazuh-agent: bump revision after fix

---
 security/wazuh-agent/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index d7443b529f..6f156d3d36 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wazuh-agent
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org

From e0e2ad99d5c06e22bcb8f0faed5ba625d8dee0cd Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 15 Aug 2025 16:29:28 +0200
Subject: [PATCH 2616/3088] net/frr: Add area configuration to ospf (#4880)

* net/frr: Add area configuration to ospf

* Simplify template and options

* Add changelog
---
 net/frr/pkg-descr                             |  3 +-
 .../Quagga/Api/OspfsettingsController.php     | 25 +++++++++++++++
 .../OPNsense/Quagga/OspfController.php        |  3 ++
 .../Quagga/forms/dialogEditOSPFArea.xml       | 24 ++++++++++++++
 .../mvc/app/models/OPNsense/Quagga/OSPF.xml   | 31 +++++++++++++++++++
 .../mvc/app/views/OPNsense/Quagga/ospf.volt   | 14 +++++++++
 .../templates/OPNsense/Quagga/ospfd.conf      |  5 +++
 7 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index f21cd30622..2f260d0da5 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -15,7 +15,8 @@ Plugin Changelog
 1.46
 
 * Add address family selection to peer groups (opnsense/plugins/pull/4861)
-* Add OSPF point-to-multipoint options (contributed by Andy Binder)
+* Add OSPF point-to-multipoint options (contributed by Andy Binder) (opnsense/plugins/pull/4879)
+* Add OSPF area configuration options (opnsense/plugins/pull/4880)
 
 1.45
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
index b81d126cd5..c0093c9379 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/OspfsettingsController.php
@@ -62,6 +62,31 @@ public function setNeighborAction($uuid)
         return $this->setBase('neighbor', 'neighbors.neighbor', $uuid);
     }
 
+    public function searchAreaAction()
+    {
+        return $this->searchBase('areas.area');
+    }
+    public function getAreaAction($uuid = null)
+    {
+        return $this->getBase('area', 'areas.area', $uuid);
+    }
+    public function addAreaAction()
+    {
+        return $this->addBase('area', 'areas.area');
+    }
+    public function delAreaAction($uuid)
+    {
+        return $this->delBase('areas.area', $uuid);
+    }
+    public function setAreaAction($uuid)
+    {
+        return $this->setBase('area', 'areas.area', $uuid);
+    }
+    public function toggleAreaAction($uuid)
+    {
+        return $this->toggleBase('areas.area', $uuid);
+    }
+
     public function searchNetworkAction()
     {
         return $this->searchBase('networks.network');
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
index 434767c470..611adabffc 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/OspfController.php
@@ -34,6 +34,9 @@ public function indexAction()
     {
         $this->view->generalForm = $this->getForm("ospf");
 
+        $this->view->formDialogEditOSPFArea = $this->getForm("dialogEditOSPFArea");
+        $this->view->formGridEditOSPFArea = $this->getFormGrid("dialogEditOSPFArea");
+
         $this->view->formDialogEditOSPFNeighbor = $this->getForm("dialogEditOSPFNeighbor");
         $this->view->formGridEditOSPFNeighbor = $this->getFormGrid("dialogEditOSPFNeighbor");
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml
new file mode 100644
index 0000000000..a027c2187a
--- /dev/null
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml
@@ -0,0 +1,24 @@
+<form>
+    <field>
+        <id>area.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
+    </field>
+    <field>
+        <id>area.id</id>
+        <label>Area ID</label>
+        <type>text</type>
+        <help>Enter area ID in dotted (e.g. 0.0.0.1) format.</help>
+    </field>
+    <field>
+        <id>area.type</id>
+        <label>Area Type</label>
+        <type>dropdown</type>
+        <help>Select area behavior.</help>
+    </field>
+</form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 1f28cebb47..931286130a 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -49,6 +49,37 @@
                     <enable>/^(?!0).*$/</enable>
                 </filters>
         </passiveinterfaces>
+        <areas>
+                <area type="ArrayField">
+                        <enabled type="BooleanField">
+                                <Default>1</Default>
+                                <Required>Y</Required>
+                        </enabled>
+                        <id type="NetworkField">
+                                <Required>Y</Required>
+                                <AddressFamily>ipv4</AddressFamily>
+                                <NetMaskAllowed>N</NetMaskAllowed>
+                                <ValidationMessage>Please enter area ID in dotted (e.g. 0.0.0.1) format.</ValidationMessage>
+                                <Constraints>
+                                        <check001>
+                                                <type>UniqueConstraint</type>
+                                                <ValidationMessage>The area ID must be unique.</ValidationMessage>
+                                        </check001>
+                                </Constraints>
+                        </id>
+                        <type type="OptionField">
+                                <Required>Y</Required>
+                                <Default>standard</Default>
+                                <OptionValues>
+                                        <standard>standard</standard>
+                                        <stub>stub</stub>
+                                        <stub-no-summary value="stub no-summary">stub no-summary</stub-no-summary>
+                                        <nssa>nssa</nssa>
+                                        <nssa-no-summary value="nssa no-summary">nssa no-summary</nssa-no-summary>
+                                </OptionValues>
+                        </type>
+                </area>
+        </areas>
         <networks>
                 <network type="ArrayField">
                         <enabled type="BooleanField">
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index a5b5d063d9..2a22a50394 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -59,6 +59,14 @@ POSSIBILITY OF SUCH DAMAGE.
             'del':'/api/quagga/ospfsettings/del_neighbor/',
             'toggle':'/api/quagga/ospfsettings/toggle_neighbor/'
         });
+        $("#{{formGridEditOSPFArea['table_id']}}").UIBootgrid({
+            'search':'/api/quagga/ospfsettings/search_area',
+            'get':'/api/quagga/ospfsettings/get_area/',
+            'set':'/api/quagga/ospfsettings/set_area/',
+            'add':'/api/quagga/ospfsettings/add_area/',
+            'del':'/api/quagga/ospfsettings/del_area/',
+            'toggle':'/api/quagga/ospfsettings/toggle_area/'
+        });
         $("#{{formGridEditNetwork['table_id']}}").UIBootgrid({
             'search':'/api/quagga/ospfsettings/search_network',
             'get':'/api/quagga/ospfsettings/get_network/',
@@ -154,6 +162,7 @@ POSSIBILITY OF SUCH DAMAGE.
 <ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#neighbors">{{ lang._('Neighbors') }}</a></li>
+    <li><a data-toggle="tab" href="#areas">{{ lang._('Areas') }}</a></li>
     <li><a data-toggle="tab" href="#networks">{{ lang._('Networks') }}</a></li>
     <li><a data-toggle="tab" href="#interfaces">{{ lang._('Interfaces') }}</a></li>
     <li><a data-toggle="tab" href="#prefixlists">{{ lang._('Prefix Lists') }}</a></li>
@@ -169,6 +178,10 @@ POSSIBILITY OF SUCH DAMAGE.
     <div id="neighbors" class="tab-pane fade in">
         {{ partial('layout_partials/base_bootgrid_table', formGridEditOSPFNeighbor)}}
     </div>
+    <!-- Tab: Areas -->
+    <div id="areas" class="tab-pane fade in">
+        {{ partial('layout_partials/base_bootgrid_table', formGridEditOSPFArea)}}
+    </div>
     <!-- Tab: Networks -->
     <div id="networks" class="tab-pane fade in">
         {{ partial('layout_partials/base_bootgrid_table', formGridEditNetwork)}}
@@ -187,6 +200,7 @@ POSSIBILITY OF SUCH DAMAGE.
     </div>
 </div>
 {{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditOSPFArea,'id':formGridEditOSPFArea['edit_dialog_id'],'label':lang._('Edit Area')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditOSPFNeighbor,'id':formGridEditOSPFNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':formGridEditNetwork['edit_dialog_id'],'label':lang._('Edit Network')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
index 381ffa8b4f..bbb3d4b0a2 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/ospfd.conf
@@ -66,6 +66,11 @@ router ospf
  redistribute {{ redistribution.redistribute }}{% if redistribution.linkedRoutemap %} route-map {{ helpers.getUUID(redistribution.linkedRoutemap).name }}{% endif +%}
 {%   endif %}
 {% endfor %}
+{% for area in helpers.toList('OPNsense.quagga.ospf.areas.area') %}
+{%   if area.enabled == '1' %}
+ area {{ area.id }} {{ area.type }}
+{%   endif %}
+{% endfor %}
 {%   if helpers.exists('OPNsense.quagga.ospf.neighbors.neighbor') %}
 {%     for neighbor in helpers.toList('OPNsense.quagga.ospf.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}

From e3ab911da7bc5c4eb71fc4a0999b0986b41f53d4 Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Sat, 16 Aug 2025 09:33:51 +0300
Subject: [PATCH 2617/3088] net/siproxd: add commonly used username characters
 (#4899)

---
 net/siproxd/Makefile                                            | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/siproxd/Makefile b/net/siproxd/Makefile
index 0cd01392e0..33a6c291c3 100644
--- a/net/siproxd/Makefile
+++ b/net/siproxd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		siproxd
 PLUGIN_VERSION=		1.3
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Siproxd is a proxy daemon for the SIP protocol
 PLUGIN_DEPENDS=		siproxd
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
index 57b7cc8af1..6c4d1c4df9 100644
--- a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
+++ b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
@@ -12,7 +12,7 @@
                 <username type="TextField">
                     <Default></Default>
                     <Required>Y</Required>
-                    <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
+                    <Mask>/^([0-9a-zA-Z._\-\+\@]){1,128}$/u</Mask>
                 </username>
                 <password type="TextField">
                     <Default></Default>

From 972776d7e1a81ee46638b301fb3c0c43e86ba5d7 Mon Sep 17 00:00:00 2001
From: Matthew Bratschun <25390936+mbrat2005@users.noreply.github.com>
Date: Mon, 18 Aug 2025 22:47:23 -0600
Subject: [PATCH 2618/3088] haproxy-fix-client-cert-required-value-casing
 (#4900)

'Required' --> 'required'

[NOTICE] (18212) : haproxy version is 3.0.11-9e587df
[NOTICE] (18212) : path to executable is /usr/local/sbin/haproxy
[ALERT] (18212) : config : parsing [/usr/local/etc/haproxy.conf.staging:66] : 'bind 0.0.0.0:123' in section 'frontend' : 'verify' : unknown verify method 'Required', only 'none', 'optional', and 'required' are supported
[ALERT] (18212) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (18212) : config : Fatal errors found in configuration.
---
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 720e418532..d758919670 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -642,7 +642,7 @@
                     <OptionValues>
                         <none>none</none>
                         <optional>optional</optional>
-                        <Required>required</Required>
+                        <required>required</required>
                     </OptionValues>
                 </ssl_clientAuthVerify>
                 <ssl_clientAuthCAs type="CertificateField">

From cf8faee5a2070e5ad3d561cde86d2819bfdcc780 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Aug 2025 07:02:48 +0200
Subject: [PATCH 2619/3088] net/haproxy: the other one #4900

---
 net/haproxy/Makefile                                            | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index c478e619d5..0e7ae42d4c 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.6
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy30 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index d758919670..e4704470a9 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -98,7 +98,7 @@
                     <Default>ignore</Default>
                     <OptionValues>
                         <ignore>no preference [default]</ignore>
-                        <Required>enforce verify</Required>
+                        <required>enforce verify</required>
                         <none>disable verify</none>
                     </OptionValues>
                 </sslServerVerify>

From 5015b95aa94f5c2900cfe9cd0bed9dfd4a4c4e55 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Aug 2025 07:22:39 +0200
Subject: [PATCH 2620/3088] dns/bind: bump

---
 dns/bind/Makefile  | 1 +
 dns/bind/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 269b88c4c8..d1c8e3f2d7 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.34
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind920
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index dbf188bb00..d3cbd8afa0 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 
 * Add custom configuration include directory /usr/local/etc/namedb/named.conf.d (contributed by Nicholas Card)
 * Add forward zones
+* Fix primary zones grid and command column (contributed by benyamin-codez)
 
 1.33
 

From 15281980f340bbf5bfb41a565e881c90217c147c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Aug 2025 07:24:24 +0200
Subject: [PATCH 2621/3088] net/frr: better start a new version with feature
 changes

---
 net/frr/Makefile  | 2 +-
 net/frr/pkg-descr | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 685a0d63e2..63a0a654c7 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.46
+PLUGIN_VERSION=		1.47
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 2f260d0da5..43bd5813b7 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,11 +12,14 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.47
+
+* Add OSPF area configuration options (opnsense/plugins/pull/4880)
+
 1.46
 
 * Add address family selection to peer groups (opnsense/plugins/pull/4861)
 * Add OSPF point-to-multipoint options (contributed by Andy Binder) (opnsense/plugins/pull/4879)
-* Add OSPF area configuration options (opnsense/plugins/pull/4880)
 
 1.45
 

From d0842ec3e46f77a43a1a36fad7b3f3dc162fde7e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 20 Aug 2025 15:51:53 +0200
Subject: [PATCH 2622/3088] devel/helloworld: update according to latest docs
 and core changes

---
 devel/helloworld/Makefile                                       | 1 +
 .../{OPNsense/HelloWorld => helloworld}/testConnection.py       | 0
 .../src/opnsense/service/conf/actions.d/actions_helloworld.conf | 2 +-
 3 files changed, 2 insertions(+), 1 deletion(-)
 rename devel/helloworld/src/opnsense/scripts/{OPNsense/HelloWorld => helloworld}/testConnection.py (100%)

diff --git a/devel/helloworld/Makefile b/devel/helloworld/Makefile
index a7e4092dc9..86a8690adb 100644
--- a/devel/helloworld/Makefile
+++ b/devel/helloworld/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		helloworld
 PLUGIN_VERSION=		1.4
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		A sample framework application
 PLUGIN_MAINTAINER=	ad@opnsense.org
 
diff --git a/devel/helloworld/src/opnsense/scripts/OPNsense/HelloWorld/testConnection.py b/devel/helloworld/src/opnsense/scripts/helloworld/testConnection.py
similarity index 100%
rename from devel/helloworld/src/opnsense/scripts/OPNsense/HelloWorld/testConnection.py
rename to devel/helloworld/src/opnsense/scripts/helloworld/testConnection.py
diff --git a/devel/helloworld/src/opnsense/service/conf/actions.d/actions_helloworld.conf b/devel/helloworld/src/opnsense/service/conf/actions.d/actions_helloworld.conf
index c5c5217933..1bb2afb595 100644
--- a/devel/helloworld/src/opnsense/service/conf/actions.d/actions_helloworld.conf
+++ b/devel/helloworld/src/opnsense/service/conf/actions.d/actions_helloworld.conf
@@ -1,5 +1,5 @@
 [test]
-command:/usr/local/opnsense/scripts/OPNsense/HelloWorld/testConnection.py
+command:/usr/local/opnsense/scripts/helloworld/testConnection.py
 parameters:
 type:script_output
 message:hello world module test

From 3e018f4db8520207a4b02f8357c58eefff1bdd86 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 20 Aug 2025 17:15:07 +0200
Subject: [PATCH 2623/3088] make: contrib dir support

Made this very rudimentary compared to core because in practice we do not
need any fancy features from src dir (replacements, links, etc.)
---
 Mk/contrib.mk | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 Mk/plugins.mk | 11 ++++++++---
 2 files changed, 54 insertions(+), 3 deletions(-)
 create mode 100644 Mk/contrib.mk

diff --git a/Mk/contrib.mk b/Mk/contrib.mk
new file mode 100644
index 0000000000..22f9df38d2
--- /dev/null
+++ b/Mk/contrib.mk
@@ -0,0 +1,46 @@
+# Copyright (c) 2025 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+.for TARGET in ${PLUGIN_CONTRIB}
+.if "${ROOT_${TARGET}}" == ""
+.error "No ROOT directory set for target: ${TARGET}"
+.endif
+
+# fixup root target dir
+ROOT_${TARGET}:=${ROOT_${TARGET}:S/^\/$//}
+
+install-${TARGET}:
+	@mkdir -p ${DESTDIR}${ROOT_${TARGET}}/${TARGET}
+	@tar -C ${TARGET} -cf - . | tar -C ${DESTDIR}${ROOT_${TARGET}}/${TARGET} -xf -
+
+install: install-${TARGET}
+
+plist-${TARGET}:
+	@(cd ${TARGET}; find * -type f) | while read FILE; do \
+		echo "${ROOT_${TARGET}}/${TARGET}/$${FILE}"; \
+	done
+
+plist: plist-${TARGET}
+.endfor
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 96427a06cc..3144a72851 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -240,6 +240,7 @@ scripts-manual:
 
 install: check
 	@mkdir -p ${DESTDIR}${LOCALBASE}/opnsense/version
+	@if [ -d ${.CURDIR}/contrib ]; then ${MAKE} DESTDIR=$$(readlink -f ${DESTDIR}) -C ${.CURDIR}/contrib install; fi
 	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
 		tar -C ${.CURDIR}/src -cpf - "$${FILE}" | \
 		    tar -C ${DESTDIR}${LOCALBASE} -xpf -; \
@@ -261,7 +262,10 @@ install: check
 	@cat ${TEMPLATESDIR}/version | sed ${SED_REPLACE} > "${DESTDIR}${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
 
 plist: check
-	@(cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
+	@(if [ -d ${.CURDIR}/contrib ]; then \
+		${MAKE} -C ${.CURDIR}/contrib plist; \
+	 fi; \
+	 (cd ${.CURDIR}/src 2> /dev/null && find * -type f) | while read FILE; do \
 		if [ -f "$${FILE}.in" ]; then continue; fi; \
 		FILE="$${FILE%%.in}"; PREFIX=""; \
 		if [ "$${FILE%%.sample}" != "$${FILE}" ]; then \
@@ -274,8 +278,9 @@ plist: check
 			FILE="$${FILE}.gz"; \
 		fi; \
 		echo "$${PREFIX}${LOCALBASE}/$${FILE}"; \
-	done
-	@echo "${LOCALBASE}/opnsense/version/${PLUGIN_NAME}"
+	 done; \
+	 echo "${LOCALBASE}/opnsense/version/${PLUGIN_NAME}" \
+	) | sort
 
 description: check
 	@if [ -f ${.CURDIR}/${PLUGIN_DESC} ]; then \

From 9f69e909c2b9877ccf26b6bd996fb8c44c98e3c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 20 Aug 2025 17:16:22 +0200
Subject: [PATCH 2624/3088] www/squid: make this plugin a community user of
 contrib dir support

---
 www/squid/Makefile                                           | 3 +--
 www/squid/contrib/Makefile                                   | 5 +++++
 .../template_error_pages/ERR_ACCESS_DENIED.html              | 0
 .../template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html    | 0
 .../template_error_pages/ERR_AGENT_CONFIGURE.html            | 0
 .../template_error_pages/ERR_AGENT_WPAD.html                 | 0
 .../template_error_pages/ERR_CACHE_ACCESS_DENIED.html        | 0
 .../template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html    | 0
 .../template_error_pages/ERR_CANNOT_FORWARD.html             | 0
 .../template_error_pages/ERR_CONFLICT_HOST.html              | 0
 .../template_error_pages/ERR_CONNECT_FAIL.html               | 0
 .../template_error_pages/ERR_DIR_LISTING.html                | 0
 .../proxy => contrib}/template_error_pages/ERR_DNS_FAIL.html | 0
 .../data/proxy => contrib}/template_error_pages/ERR_ESI.html | 0
 .../template_error_pages/ERR_FORWARDING_DENIED.html          | 0
 .../template_error_pages/ERR_FTP_DISABLED.html               | 0
 .../template_error_pages/ERR_FTP_FAILURE.html                | 0
 .../template_error_pages/ERR_FTP_FORBIDDEN.html              | 0
 .../template_error_pages/ERR_FTP_NOT_FOUND.html              | 0
 .../template_error_pages/ERR_FTP_PUT_CREATED.html            | 0
 .../template_error_pages/ERR_FTP_PUT_ERROR.html              | 0
 .../template_error_pages/ERR_FTP_PUT_MODIFIED.html           | 0
 .../template_error_pages/ERR_FTP_UNAVAILABLE.html            | 0
 .../template_error_pages/ERR_GATEWAY_FAILURE.html            | 0
 .../template_error_pages/ERR_ICAP_FAILURE.html               | 0
 .../template_error_pages/ERR_INVALID_REQ.html                | 0
 .../template_error_pages/ERR_INVALID_RESP.html               | 0
 .../template_error_pages/ERR_INVALID_URL.html                | 0
 .../template_error_pages/ERR_LIFETIME_EXP.html               | 0
 .../proxy => contrib}/template_error_pages/ERR_NO_RELAY.html | 0
 .../template_error_pages/ERR_ONLY_IF_CACHED_MISS.html        | 0
 .../template_error_pages/ERR_PRECONDITION_FAILED.html        | 0
 .../template_error_pages/ERR_PROTOCOL_UNKNOWN.html           | 0
 .../template_error_pages/ERR_READ_ERROR.html                 | 0
 .../template_error_pages/ERR_READ_TIMEOUT.html               | 0
 .../template_error_pages/ERR_SECURE_CONNECT_FAIL.html        | 0
 .../template_error_pages/ERR_SHUTTING_DOWN.html              | 0
 .../template_error_pages/ERR_SOCKET_FAILURE.html             | 0
 .../proxy => contrib}/template_error_pages/ERR_TOO_BIG.html  | 0
 .../template_error_pages/ERR_UNSUP_HTTPVERSION.html          | 0
 .../template_error_pages/ERR_UNSUP_REQ.html                  | 0
 .../template_error_pages/ERR_URN_RESOLVE.html                | 0
 .../template_error_pages/ERR_WRITE_ERROR.html                | 0
 .../template_error_pages/ERR_ZERO_SIZE_OBJECT.html           | 0
 .../proxy => contrib}/template_error_pages/error-details.txt | 0
 .../proxy => contrib}/template_error_pages/errorpage.css     | 0
 46 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 www/squid/contrib/Makefile
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_ACCESS_DENIED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_AGENT_CONFIGURE.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_AGENT_WPAD.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_CACHE_ACCESS_DENIED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_CANNOT_FORWARD.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_CONFLICT_HOST.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_CONNECT_FAIL.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_DIR_LISTING.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_DNS_FAIL.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_ESI.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FORWARDING_DENIED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FTP_DISABLED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FTP_FAILURE.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FTP_FORBIDDEN.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FTP_NOT_FOUND.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FTP_PUT_CREATED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FTP_PUT_ERROR.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FTP_PUT_MODIFIED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_FTP_UNAVAILABLE.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_GATEWAY_FAILURE.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_ICAP_FAILURE.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_INVALID_REQ.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_INVALID_RESP.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_INVALID_URL.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_LIFETIME_EXP.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_NO_RELAY.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_PRECONDITION_FAILED.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_PROTOCOL_UNKNOWN.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_READ_ERROR.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_READ_TIMEOUT.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_SECURE_CONNECT_FAIL.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_SHUTTING_DOWN.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_SOCKET_FAILURE.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_TOO_BIG.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_UNSUP_HTTPVERSION.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_UNSUP_REQ.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_URN_RESOLVE.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_WRITE_ERROR.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/ERR_ZERO_SIZE_OBJECT.html (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/error-details.txt (100%)
 rename www/squid/{src/opnsense/data/proxy => contrib}/template_error_pages/errorpage.css (100%)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index c554a78709..6e9236529f 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		squid
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/www/squid/contrib/Makefile b/www/squid/contrib/Makefile
new file mode 100644
index 0000000000..15529e4b44
--- /dev/null
+++ b/www/squid/contrib/Makefile
@@ -0,0 +1,5 @@
+PLUGIN_CONTRIB=	template_error_pages
+
+ROOT_template_error_pages=	/usr/local/opnsense/data/proxy
+
+.include "../../../Mk/contrib.mk"
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACCESS_DENIED.html b/www/squid/contrib/template_error_pages/ERR_ACCESS_DENIED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACCESS_DENIED.html
rename to www/squid/contrib/template_error_pages/ERR_ACCESS_DENIED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html b/www/squid/contrib/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html
rename to www/squid/contrib/template_error_pages/ERR_ACL_TIME_QUOTA_EXCEEDED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_CONFIGURE.html b/www/squid/contrib/template_error_pages/ERR_AGENT_CONFIGURE.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_CONFIGURE.html
rename to www/squid/contrib/template_error_pages/ERR_AGENT_CONFIGURE.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_WPAD.html b/www/squid/contrib/template_error_pages/ERR_AGENT_WPAD.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_AGENT_WPAD.html
rename to www/squid/contrib/template_error_pages/ERR_AGENT_WPAD.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_ACCESS_DENIED.html b/www/squid/contrib/template_error_pages/ERR_CACHE_ACCESS_DENIED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_ACCESS_DENIED.html
rename to www/squid/contrib/template_error_pages/ERR_CACHE_ACCESS_DENIED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html b/www/squid/contrib/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html
rename to www/squid/contrib/template_error_pages/ERR_CACHE_MGR_ACCESS_DENIED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CANNOT_FORWARD.html b/www/squid/contrib/template_error_pages/ERR_CANNOT_FORWARD.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CANNOT_FORWARD.html
rename to www/squid/contrib/template_error_pages/ERR_CANNOT_FORWARD.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONFLICT_HOST.html b/www/squid/contrib/template_error_pages/ERR_CONFLICT_HOST.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONFLICT_HOST.html
rename to www/squid/contrib/template_error_pages/ERR_CONFLICT_HOST.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONNECT_FAIL.html b/www/squid/contrib/template_error_pages/ERR_CONNECT_FAIL.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_CONNECT_FAIL.html
rename to www/squid/contrib/template_error_pages/ERR_CONNECT_FAIL.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DIR_LISTING.html b/www/squid/contrib/template_error_pages/ERR_DIR_LISTING.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DIR_LISTING.html
rename to www/squid/contrib/template_error_pages/ERR_DIR_LISTING.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DNS_FAIL.html b/www/squid/contrib/template_error_pages/ERR_DNS_FAIL.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_DNS_FAIL.html
rename to www/squid/contrib/template_error_pages/ERR_DNS_FAIL.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ESI.html b/www/squid/contrib/template_error_pages/ERR_ESI.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ESI.html
rename to www/squid/contrib/template_error_pages/ERR_ESI.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FORWARDING_DENIED.html b/www/squid/contrib/template_error_pages/ERR_FORWARDING_DENIED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FORWARDING_DENIED.html
rename to www/squid/contrib/template_error_pages/ERR_FORWARDING_DENIED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_DISABLED.html b/www/squid/contrib/template_error_pages/ERR_FTP_DISABLED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_DISABLED.html
rename to www/squid/contrib/template_error_pages/ERR_FTP_DISABLED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FAILURE.html b/www/squid/contrib/template_error_pages/ERR_FTP_FAILURE.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FAILURE.html
rename to www/squid/contrib/template_error_pages/ERR_FTP_FAILURE.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FORBIDDEN.html b/www/squid/contrib/template_error_pages/ERR_FTP_FORBIDDEN.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_FORBIDDEN.html
rename to www/squid/contrib/template_error_pages/ERR_FTP_FORBIDDEN.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_NOT_FOUND.html b/www/squid/contrib/template_error_pages/ERR_FTP_NOT_FOUND.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_NOT_FOUND.html
rename to www/squid/contrib/template_error_pages/ERR_FTP_NOT_FOUND.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_CREATED.html b/www/squid/contrib/template_error_pages/ERR_FTP_PUT_CREATED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_CREATED.html
rename to www/squid/contrib/template_error_pages/ERR_FTP_PUT_CREATED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_ERROR.html b/www/squid/contrib/template_error_pages/ERR_FTP_PUT_ERROR.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_ERROR.html
rename to www/squid/contrib/template_error_pages/ERR_FTP_PUT_ERROR.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_MODIFIED.html b/www/squid/contrib/template_error_pages/ERR_FTP_PUT_MODIFIED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_PUT_MODIFIED.html
rename to www/squid/contrib/template_error_pages/ERR_FTP_PUT_MODIFIED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_UNAVAILABLE.html b/www/squid/contrib/template_error_pages/ERR_FTP_UNAVAILABLE.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_FTP_UNAVAILABLE.html
rename to www/squid/contrib/template_error_pages/ERR_FTP_UNAVAILABLE.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_GATEWAY_FAILURE.html b/www/squid/contrib/template_error_pages/ERR_GATEWAY_FAILURE.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_GATEWAY_FAILURE.html
rename to www/squid/contrib/template_error_pages/ERR_GATEWAY_FAILURE.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ICAP_FAILURE.html b/www/squid/contrib/template_error_pages/ERR_ICAP_FAILURE.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ICAP_FAILURE.html
rename to www/squid/contrib/template_error_pages/ERR_ICAP_FAILURE.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_REQ.html b/www/squid/contrib/template_error_pages/ERR_INVALID_REQ.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_REQ.html
rename to www/squid/contrib/template_error_pages/ERR_INVALID_REQ.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_RESP.html b/www/squid/contrib/template_error_pages/ERR_INVALID_RESP.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_RESP.html
rename to www/squid/contrib/template_error_pages/ERR_INVALID_RESP.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_URL.html b/www/squid/contrib/template_error_pages/ERR_INVALID_URL.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_INVALID_URL.html
rename to www/squid/contrib/template_error_pages/ERR_INVALID_URL.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_LIFETIME_EXP.html b/www/squid/contrib/template_error_pages/ERR_LIFETIME_EXP.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_LIFETIME_EXP.html
rename to www/squid/contrib/template_error_pages/ERR_LIFETIME_EXP.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_NO_RELAY.html b/www/squid/contrib/template_error_pages/ERR_NO_RELAY.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_NO_RELAY.html
rename to www/squid/contrib/template_error_pages/ERR_NO_RELAY.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html b/www/squid/contrib/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html
rename to www/squid/contrib/template_error_pages/ERR_ONLY_IF_CACHED_MISS.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PRECONDITION_FAILED.html b/www/squid/contrib/template_error_pages/ERR_PRECONDITION_FAILED.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PRECONDITION_FAILED.html
rename to www/squid/contrib/template_error_pages/ERR_PRECONDITION_FAILED.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PROTOCOL_UNKNOWN.html b/www/squid/contrib/template_error_pages/ERR_PROTOCOL_UNKNOWN.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_PROTOCOL_UNKNOWN.html
rename to www/squid/contrib/template_error_pages/ERR_PROTOCOL_UNKNOWN.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_ERROR.html b/www/squid/contrib/template_error_pages/ERR_READ_ERROR.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_ERROR.html
rename to www/squid/contrib/template_error_pages/ERR_READ_ERROR.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_TIMEOUT.html b/www/squid/contrib/template_error_pages/ERR_READ_TIMEOUT.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_READ_TIMEOUT.html
rename to www/squid/contrib/template_error_pages/ERR_READ_TIMEOUT.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SECURE_CONNECT_FAIL.html b/www/squid/contrib/template_error_pages/ERR_SECURE_CONNECT_FAIL.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SECURE_CONNECT_FAIL.html
rename to www/squid/contrib/template_error_pages/ERR_SECURE_CONNECT_FAIL.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SHUTTING_DOWN.html b/www/squid/contrib/template_error_pages/ERR_SHUTTING_DOWN.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SHUTTING_DOWN.html
rename to www/squid/contrib/template_error_pages/ERR_SHUTTING_DOWN.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SOCKET_FAILURE.html b/www/squid/contrib/template_error_pages/ERR_SOCKET_FAILURE.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_SOCKET_FAILURE.html
rename to www/squid/contrib/template_error_pages/ERR_SOCKET_FAILURE.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_TOO_BIG.html b/www/squid/contrib/template_error_pages/ERR_TOO_BIG.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_TOO_BIG.html
rename to www/squid/contrib/template_error_pages/ERR_TOO_BIG.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_HTTPVERSION.html b/www/squid/contrib/template_error_pages/ERR_UNSUP_HTTPVERSION.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_HTTPVERSION.html
rename to www/squid/contrib/template_error_pages/ERR_UNSUP_HTTPVERSION.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_REQ.html b/www/squid/contrib/template_error_pages/ERR_UNSUP_REQ.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_UNSUP_REQ.html
rename to www/squid/contrib/template_error_pages/ERR_UNSUP_REQ.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_URN_RESOLVE.html b/www/squid/contrib/template_error_pages/ERR_URN_RESOLVE.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_URN_RESOLVE.html
rename to www/squid/contrib/template_error_pages/ERR_URN_RESOLVE.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_WRITE_ERROR.html b/www/squid/contrib/template_error_pages/ERR_WRITE_ERROR.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_WRITE_ERROR.html
rename to www/squid/contrib/template_error_pages/ERR_WRITE_ERROR.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ZERO_SIZE_OBJECT.html b/www/squid/contrib/template_error_pages/ERR_ZERO_SIZE_OBJECT.html
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/ERR_ZERO_SIZE_OBJECT.html
rename to www/squid/contrib/template_error_pages/ERR_ZERO_SIZE_OBJECT.html
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/error-details.txt b/www/squid/contrib/template_error_pages/error-details.txt
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/error-details.txt
rename to www/squid/contrib/template_error_pages/error-details.txt
diff --git a/www/squid/src/opnsense/data/proxy/template_error_pages/errorpage.css b/www/squid/contrib/template_error_pages/errorpage.css
similarity index 100%
rename from www/squid/src/opnsense/data/proxy/template_error_pages/errorpage.css
rename to www/squid/contrib/template_error_pages/errorpage.css

From bc94cb0298634530d35e66df9372803a8bf7bb09 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 21 Aug 2025 08:25:32 +0200
Subject: [PATCH 2625/3088] www/squid: small lint pass

---
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml   | 53 +++++++++----------
 1 file changed, 25 insertions(+), 28 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index 76cd139f4e..d870282407 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -18,7 +18,7 @@
             <icpPort type="IntegerField">
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>65535</MaximumValue>
-                <ValidationMessage>ICP port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <ValidationMessage>ICP port needs to be an integer value between 1 and 65535.</ValidationMessage>
             </icpPort>
             <logging>
                 <enable>
@@ -97,18 +97,18 @@
                     <cache_mem type="IntegerField">
                         <Default>256</Default>
                         <MinimumValue>0</MinimumValue>
-                        <ValidationMessage>Specify a positive memory cache size. (number of MB's)</ValidationMessage>
+                        <ValidationMessage>Specify a positive memory cache size (number of MBs).</ValidationMessage>
                         <Required>Y</Required>
                     </cache_mem>
                     <maximum_object_size type="IntegerField">
                       <MinimumValue>1</MinimumValue>
                       <MaximumValue>99999</MaximumValue>
-                      <ValidationMessage>Specify a maximum object size. (number of MB's)</ValidationMessage>
+                      <ValidationMessage>Specify a maximum object size (number of MBs).</ValidationMessage>
                     </maximum_object_size>
                     <maximum_object_size_in_memory type="IntegerField">
                       <MinimumValue>1</MinimumValue>
                       <MaximumValue>99999</MaximumValue>
-                      <ValidationMessage>Specify a maximum object size in memory. (number of KB's)</ValidationMessage>
+                      <ValidationMessage>Specify a maximum object size in memory (number of KBs).</ValidationMessage>
                     </maximum_object_size_in_memory>
                     <memory_cache_mode type="OptionField">
                         <BlankDesc>Default</BlankDesc>
@@ -121,23 +121,20 @@
                     <size type="IntegerField">
                         <Default>100</Default>
                         <MinimumValue>1</MinimumValue>
-                        <ValidationMessage>Specify a positive cache size. (number of MB's)</ValidationMessage>
+                        <ValidationMessage>Specify a positive cache size (number of MBs).</ValidationMessage>
                         <Required>Y</Required>
                     </size>
                     <swap_timeout type="IntegerField">
                         <MinimumValue>0</MinimumValue>
                         <ValidationMessage>Specify a valid swap-timeout.</ValidationMessage>
-                        <Required>N</Required>
                     </swap_timeout>
                     <max_swap_rate type="IntegerField">
                         <MinimumValue>0</MinimumValue>
                         <ValidationMessage>Specify a valid swap-rate.</ValidationMessage>
-                        <Required>N</Required>
                     </max_swap_rate>
                     <slot_size type="IntegerField">
                         <MinimumValue>4096</MinimumValue>
                         <ValidationMessage>Specify a multiple of operating system I/O page size.</ValidationMessage>
-                        <Required>N</Required>
                     </slot_size>
                     <cache_linux_packages type="BooleanField">
                         <Default>0</Default>
@@ -167,7 +164,7 @@
                     <ValidationMessage>Specify the overall bandwidth for downloads in kilobits per second.</ValidationMessage>
                     <Constraints>
                         <check001>
-                            <ValidationMessage>Both throttling parameters should either be filled or empty</ValidationMessage>
+                            <ValidationMessage>Both throttling parameters should either be filled or empty.</ValidationMessage>
                             <type>AllOrNoneConstraint</type>
                             <addFields>
                                 <field1>perHostTrotteling</field1>
@@ -245,14 +242,14 @@
                 <Default>3128</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>65535</MaximumValue>
-                <ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <ValidationMessage>Proxy port needs to be an integer value between 1 and 65535.</ValidationMessage>
                 <Required>Y</Required>
             </port>
             <sslbumpport type="IntegerField">
                 <Default>3129</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>65535</MaximumValue>
-                <ValidationMessage>SSL Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <ValidationMessage>SSL Proxy port needs to be an integer value between 1 and 65535.</ValidationMessage>
                 <Required>Y</Required>
             </sslbumpport>
             <sslbump type="BooleanField">
@@ -260,7 +257,7 @@
                 <Required>Y</Required>
                 <Constraints>
                     <check001>
-                        <ValidationMessage>When enabling "Log SNI information only", SSL inspection must also be enabled</ValidationMessage>
+                        <ValidationMessage>When enabling "Log SNI information only", SSL inspection must also be enabled.</ValidationMessage>
                         <type>DependConstraint</type>
                         <addFields>
                             <field1>sslurlonly</field1>
@@ -279,30 +276,30 @@
             </sslurlonly>
             <sslcertificate type="CertificateField">
                 <Type>ca</Type>
-                <ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
+                <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
             </sslcertificate>
             <sslnobumpsites type="CSVListField">
               <Mask>/^([a-zA-Z0-9\.:\[\]\s\-]*?,)*([a-zA-Z0-9\.:\[\]\s\-]*)$/</Mask>
-              <ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
+              <ValidationMessage>Please enter ip addresses or domain names here.</ValidationMessage>
             </sslnobumpsites>
             <workers type="IntegerField">
               <MinimumValue>1</MinimumValue>
               <MaximumValue>100</MaximumValue>
-              <ValidationMessage>worker number needs to be an integer value between 1 and 100</ValidationMessage>
+              <ValidationMessage>Worker number needs to be an integer value between 1 and 100.</ValidationMessage>
             </workers>
             <ssl_crtd_storage_max_size type="IntegerField">
               <Required>Y</Required>
               <Default>4</Default>
               <MinimumValue>1</MinimumValue>
               <MaximumValue>65535</MaximumValue>
-              <ValidationMessage>max size needs to be an integer value between 1 and 65535</ValidationMessage>
+              <ValidationMessage>Maximum size needs to be an integer value between 1 and 65535.</ValidationMessage>
             </ssl_crtd_storage_max_size>
             <sslcrtd_children type="IntegerField">
               <Required>Y</Required>
               <Default>5</Default>
               <MinimumValue>1</MinimumValue>
               <MaximumValue>32</MaximumValue>
-              <ValidationMessage>the number of sslrtd children needs to be an integer value between 1 and 32</ValidationMessage>
+              <ValidationMessage>The number of sslrtd children needs to be an integer value between 1 and 32.</ValidationMessage>
             </sslcrtd_children>
             <snmp_enable type="BooleanField">
                 <Default>0</Default>
@@ -311,7 +308,7 @@
             <snmp_port type="IntegerField">
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>65535</MaximumValue>
-                <ValidationMessage>SNMP port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <ValidationMessage>SNMP port needs to be an integer value between 1 and 65535.</ValidationMessage>
                 <Required>Y</Required>
                 <Default>3401</Default>
             </snmp_port>
@@ -330,7 +327,7 @@
                 <Default>2121</Default>
                 <MinimumValue>1</MinimumValue>
                 <MaximumValue>65535</MaximumValue>
-                <ValidationMessage>FTP Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
+                <ValidationMessage>FTP Proxy port needs to be an integer value between 1 and 65535.</ValidationMessage>
                 <Required>Y</Required>
             </ftpPort>
             <ftpTransparentMode type="BooleanField">
@@ -365,7 +362,7 @@
                 <mimeType type="CSVListField"/>
                 <googleapps type="HostnameField">
                     <Mask>/^([a-zA-Z0-9]){0,}\.([a-zA-Z0-9].){0,}/</Mask>
-                    <ValidationMessage>Please enter a valid domain name here</ValidationMessage>
+                    <ValidationMessage>Please enter a valid domain name here.</ValidationMessage>
                 </googleapps>
                 <youtube type="OptionField">
                     <OptionValues>
@@ -396,7 +393,7 @@
                                 <ValidationMessage>The filename may only contain letters, digits and one dot (not required).</ValidationMessage>
                                 <Constraints>
                                     <check001>
-                                        <ValidationMessage>Filename should be unique</ValidationMessage>
+                                        <ValidationMessage>Filename should be unique.</ValidationMessage>
                                         <type>UniqueConstraint</type>
                                     </check001>
                                 </Constraints>
@@ -437,7 +434,7 @@
                                 </filters>
                             </queues>
                         </Model>
-                        <ValidationMessage>Related cron not found</ValidationMessage>
+                        <ValidationMessage>Related cron not found.</ValidationMessage>
                     </UpdateCron>
                 </remoteACLs>
             </acl>
@@ -491,11 +488,11 @@
                 </realm>
                 <credentialsttl type="IntegerField">
                     <MinimumValue>1</MinimumValue>
-                    <ValidationMessage>Credentials TTL needs to be an integer value above 0</ValidationMessage>
+                    <ValidationMessage>Credentials TTL needs to be an integer value above 0.</ValidationMessage>
                 </credentialsttl>
                 <children type="IntegerField">
                     <MinimumValue>1</MinimumValue>
-                    <ValidationMessage>Number of children needs to be an integer value above 0</ValidationMessage>
+                    <ValidationMessage>Number of children needs to be an integer value above 0.</ValidationMessage>
                 </children>
             </authentication>
         </forward>
@@ -506,7 +503,7 @@
                   <ValidationMessage>The proxy name must be set.</ValidationMessage>
                   <Constraints>
                       <check001>
-                          <ValidationMessage>Proxy name should be unique</ValidationMessage>
+                          <ValidationMessage>Proxy name should be unique.</ValidationMessage>
                           <type>UniqueConstraint</type>
                       </check001>
                   </Constraints>
@@ -536,7 +533,7 @@
                   <ValidationMessage>The match name must be set.</ValidationMessage>
                   <Constraints>
                       <check001>
-                          <ValidationMessage>Match name should be unique</ValidationMessage>
+                          <ValidationMessage>Match name should be unique.</ValidationMessage>
                           <type>UniqueConstraint</type>
                       </check001>
                   </Constraints>
@@ -584,7 +581,7 @@
               <time_to type="IntegerField">
                   <MinimumValue>0</MinimumValue>
                   <MaximumValue>23</MaximumValue>
-                  <ValidationMessage>The last hour of the day is 23!</ValidationMessage>
+                  <ValidationMessage>The last hour of the day is 23.</ValidationMessage>
               </time_to>
               <date_from type="OptionField">
                   <Required>Y</Required>
@@ -695,7 +692,7 @@
         <error_pages>
           <template type="TextField">
               <Mask>/[0-9a-zA-Z\+\=\/]{20,}/u</Mask>
-              <ValidationMessage>File content should be in (base64 encoded) zip format</ValidationMessage>
+              <ValidationMessage>File content should be in Base64-encoded ZIP format.</ValidationMessage>
           </template>
         </error_pages>
     </items>

From e0897e14300682325b73c750291313574add9bc5 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 23 Aug 2025 15:34:23 +0200
Subject: [PATCH 2626/3088] www/caddy: Implement tabulator groupBy, fix
 tabulator 'Data Load Response Blocked' warning, remove unnecessary HTML
 (#4909)

* www/caddy: Implement tabulator groupBy into subdomain and handlers tabs, modernize style and html

* www/caddy: Fix search endpoints being fired multiple times on initial page load, and when using the command buttons. This fixes some tabulator warnings and improves performance.

* www/caddy: Bump version to 2.0.3 and add changelog
---
 www/caddy/Makefile                            |   3 +-
 www/caddy/pkg-descr                           |   6 +
 .../OPNsense/Caddy/forms/dialogHandle.xml     |   8 +-
 .../OPNsense/Caddy/forms/dialogLayer4.xml     |   2 +-
 .../Caddy/forms/dialogReverseProxy.xml        |   2 +-
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  |   3 +-
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 206 +++++++++---------
 7 files changed, 114 insertions(+), 116 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index ecbffe28a2..652ac84d7b 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		2.0.2
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		2.0.3
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 96041df58f..4db418bc6c 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -6,6 +6,12 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+2.0.3
+
+Add: Tabulator groupBy of domain and subdomain (opnsense/plugins/pull/4909)
+Fix: Tabulator 'Data Load Response Blocked' warning
+Cleanup: Grid HTML and style
+
 2.0.2
 
 Add: Global server timeout options (opnsense/plugins/pull/4778)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 1869739bdb..3e72c80e26 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this handler.]]></help>
         <grid_view>
-            <width>100</width>
+            <width>20</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
@@ -19,12 +19,18 @@
         <label>Domain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a domain to handle.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <id>handle.subdomain</id>
         <label>Subdomain</label>
         <type>dropdown</type>
         <help><![CDATA[Select a subdomain to handle. Make sure to additionaly choose a wildcard domain as "Domain". Leave unset, if not using subdomains.]]></help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
     </field>
     <field>
         <type>header</type>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 5b82ff437e..259cca425f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this Layer4 route.]]></help>
         <grid_view>
-            <width>100</width>
+            <width>20</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index 0e4e7202e6..a2b3d67585 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this domain.]]></help>
         <grid_view>
-            <width>100</width>
+            <width>20</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index a70d8bcf9c..4cdceffe36 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -5,7 +5,7 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this subdomain.]]></help>
         <grid_view>
-            <width>100</width>
+            <width>20</width>
             <type>boolean</type>
             <formatter>rowtoggle</formatter>
         </grid_view>
@@ -27,7 +27,6 @@
         <id>subdomain.FromDomain</id>
         <label>Subdomain</label>
         <type>text</type>
-        <hint>opn.example.com</hint>
         <help><![CDATA[Enter a subdomain. For example, "opn.example.com" if the wildcard domain is "*.example.com". All subdomains use the same ports and protocols as their parent wildcard domain.]]></help>
     </field>
     <field>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index debf95f786..bf6de62520 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -26,11 +26,6 @@
 
 <script>
     $(document).ready(function() {
-        // Update the URL hash when tabs are clicked
-        if (location.hash) {
-            $(`#maintabs a[href="${location.hash}"]`).tab('show');
-        }
-
         $('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
             const hash = e.target.hash;
             if (history.replaceState) {
@@ -41,12 +36,18 @@
         });
 
         $(window).on('hashchange', function () {
-            $(`#maintabs a[href="${location.hash}"]`).tab('show');
+            const $targetTab = $(`#maintabs a[href="${location.hash}"]`);
+            if ($targetTab.length) {
+                $targetTab.tab('show');
+            }
         });
 
         // Bootgrid Setup
         const all_grids = {};
 
+        // block change-driven grid reloads during programmatic updates of reverseFilter selectpicker
+        let suppressFilterReload = false;
+
         $('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
             let grid_ids = [];
 
@@ -96,17 +97,32 @@
 
                         if (["{{ formGridReverseProxy['table_id'] }}", "{{ formGridSubdomain['table_id'] }}"].includes(grid_id)) {
                             const update_filter = function (selectValues) {
-                                $('#reverseFilter')
-                                    // Refresh selectpicker with latest data so button always works even on new domains
+                                suppressFilterReload = true;
+
+                                return $('#reverseFilter')
                                     .fetch_options('/api/caddy/reverse_proxy/get_all_reverse_domains')
                                     .done(function () {
                                         $('#reverseFilter')
                                             .selectpicker('val', selectValues)
-                                            .selectpicker('refresh')
-                                            .trigger('change');
-                                    });
+                                            .selectpicker('refresh');
 
-                                $('#maintabs a[href="#handlers"]').tab('show');
+                                        // manually update icon (since we skip .change())
+                                        const hasSelection = Array.isArray(selectValues) && selectValues.length > 0;
+                                        $('#reverseFilterIcon')
+                                            .toggleClass('text-success fa-filter-circle-xmark', hasSelection)
+                                            .toggleClass('fa-filter', !hasSelection);
+
+                                        $('#maintabs a[href="#handlers"]').tab('show');
+
+                                        // manually reload just the handlers grid
+                                        const grid_id = "{{ formGridHandle['table_id'] }}";
+                                        if (all_grids[grid_id]) {
+                                            all_grids[grid_id].bootgrid('reload');
+                                        }
+                                    })
+                                    .always(function () {
+                                        suppressFilterReload = false;
+                                    });
                             };
 
                             commands.search_handler = {
@@ -132,7 +148,6 @@
                                         // Ensure selectpicker has values selected before click on add button
                                         $('#reverseFilter').one('changed.bs.select', function (e) {
                                             $("#" + "{{ formGridHandle['table_id'] }}")
-                                                .closest('.bootgrid-box')
                                                 .find("button[data-action='add']")
                                                 .trigger('click');
                                         });
@@ -157,6 +172,7 @@
                         }
 
 {% endif %}
+
                         all_grids[grid_id] = $("#" + grid_id)
                         .UIBootgrid({
                             search: `/api/caddy/reverse_proxy/search_${grid_id}/`,
@@ -165,7 +181,35 @@
                             add: `/api/caddy/reverse_proxy/add_${grid_id}/`,
                             del: `/api/caddy/reverse_proxy/del_${grid_id}/`,
                             toggle: `/api/caddy/reverse_proxy/toggle_${grid_id}/`,
+
+{% if entrypoint == 'reverse_proxy' %}
+
+                            tabulatorOptions: {
+                                groupBy: grid_id === "{{ formGridHandle['table_id'] }}"
+                                    ? ["%reverse", "%subdomain"]
+                                    : (grid_id === "{{ formGridSubdomain['table_id'] }}" ? "%reverse" : false),
+                                groupHeader: (value, count, data, group) => {
+                                    const isNested = group.getParentGroup() !== false;
+
+                                    if (isNested && !value) {
+                                        return ''; // remove empty subdomain group headers
+                                    }
+
+                                    const iconClass = isNested
+                                        ? 'text-warning'
+                                        : 'text-success';
+
+                                    const countValue = `<span class="badge chip">${count}</span>`;
+
+                                    return `<i class="fa fa-fw fa-globe ${iconClass}"></i> ${value} ${countValue}`;
+                                },
+                            },
+
+{% endif %}
+
                             options: {
+                                responsive: true,
+                                rowCount: [20,50,200,500,1000,-1],
                                 requestHandler: function (request) {
                                     const selectedDomains = $('#reverseFilter').val();
                                     if (selectedDomains && selectedDomains.length > 0) {
@@ -174,6 +218,9 @@
                                     return request;
                                 },
                                 headerFormatters: {
+                                    enabled: function (column) {
+                                        return '<i class="fa-solid fa-fw fa-check-square" data-toggle="tooltip" title="{{ lang._('Enabled') }}"></i>';;
+                                    },
                                     ToDomain: function (column) { return labels.upstream; },
                                     FromDomain: function (column) {
                                         if (grid_id === "subdomain") {
@@ -209,9 +256,6 @@
                             },
                             commands: commands
                         });
-
-                        $("#" + grid_id).wrap('<div class="bootgrid-box"></div>');
-
                     }
 
 {% if entrypoint == 'reverse_proxy' %}
@@ -221,8 +265,7 @@
                         const header = $("#" + grid_id + "-header");
                         const $actionBar = header.find('.actionBar');
                         if ($actionBar.length) {
-                            $('#add_filter_container').detach().insertBefore($actionBar.find('.search'));
-                            $('#add_filter_container').show();
+                            $('#add_filter_container').detach().insertBefore($actionBar.find('.search')).show();
                         }
                     }
 
@@ -289,6 +332,7 @@
 
         // Safe reload on filter change, ensures all grids are initalized beforehand
         $('#reverseFilter').change(function () {
+            if (suppressFilterReload) return;
             Object.keys(all_grids).forEach(function (grid_id) {
                 if ([
                     '{{ formGridReverseProxy["table_id"] }}',
@@ -386,61 +430,38 @@
             $("#handle\\.reverse").selectpicker("refresh");
         });
 
-        // Trigger bootgrid setup for handlers tab too (even if not active) to ensure command buttons always work
-        $('a[href="#handlers"]').trigger('shown.bs.tab');
+        // Trigger initial tab
+        const $tabs = $('#maintabs a[data-toggle="tab"]');
+        const $initial = $tabs.filter(`[href="${location.hash}"]`).first();
+        ($initial.length ? $initial : $tabs.first()).tab('show');
+
+        // Trigger handlers tab too (even if not active) to ensure command buttons always work
+        $(document).one('ajaxStop', function () {
+            $('a[href="#handlers"]').triggerHandler('shown.bs.tab');
+        });
 
         updateServiceControlUI('caddy');
         $('<div id="messageArea" class="alert alert-info" style="display: none;"></div>').insertBefore('#change_message_base_form');
-        $('a[data-toggle="tab"].active, #maintabs li.active a').trigger('shown.bs.tab');
     });
 
 </script>
 
 <style>
     #add_filter_container {
-        margin-left: 10px;
-        margin-right: 20px;
-    }
-    #add_domain_container {
         float: left;
     }
-    #add_handle_container {
-        margin-left: 10px;
-        float: left;
-    }
-    .actionBar {
-        padding-left: 0px;
+    .actions .dropdown-menu.pull-right {
+        max-height: 400px;
+        min-width: max-content;
+        overflow-y: auto;
+        overflow-x: hidden;
     }
     .custom-header {
+        padding-left: 20px;
         font-weight: 800;
         font-size: 16px;
         font-style: italic;
     }
-    /* Prevent bootgrid to break out of content box*/
-    .content-box {
-        overflow-x: auto;
-    }
-    .bootgrid-header,
-    .bootgrid-box,
-    .bootgrid-footer {
-        width: 100%;
-        background: none;
-        border: none;
-        max-width: 100%;
-        /* Prevents the grid from collapsing all dynamic columns completely */
-        min-width: 700px;
-    }
-    /* Not all dropdowns support data-container="body", ensure minimal vertical space for them */
-    .bootgrid-box {
-        min-height: 150px;
-    }
-    /* Limit size of grid dropdown */
-    .actions .dropdown-menu.pull-right {
-        max-height: 200px;
-        min-width: max-content;
-        overflow-y: auto;
-        overflow-x: hidden;
-    }
     #reverseFilterClear {
         border-right: none;
     }
@@ -454,7 +475,7 @@
     <button type="button" id="reverseFilterClear" class="btn btn-default" title="{{ lang._('Clear Selection') }}">
         <i id="reverseFilterIcon" class="fa fa-fw fa-filter"></i>
     </button>
-    <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="200px" data-size="10" data-container="body" title="{{ lang._('Filter by Domain') }}">
+    <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="300px" data-size="10" data-container="body" title="{{ lang._('Filter by Domain') }}">
     </select>
 </div>
 
@@ -462,14 +483,14 @@
 
 {% if entrypoint == 'reverse_proxy' %}
 
-    <li id="tab-domains" class="active"><a data-toggle="tab" href="#domains">{{ lang._('Domains') }}</a></li>
+    <li id="tab-domains"><a data-toggle="tab" href="#domains">{{ lang._('Domains') }}</a></li>
     <li id="tab-handlers"><a data-toggle="tab" href="#handlers">{{ lang._('Handlers') }}</a></li>
     <li id="tab-access"><a data-toggle="tab" href="#access">{{ lang._('Access') }}</a></li>
     <li id="tab-headers"><a data-toggle="tab" href="#headers">{{ lang._('Headers') }}</a></li>
 
 {% elseif entrypoint == 'layer4' %}
 
-    <li id="tab-layer4" class="active"><a data-toggle="tab" href="#routes">{{ lang._('Layer4 Routes') }}</a></li>
+    <li id="tab-layer4"><a data-toggle="tab" href="#routes">{{ lang._('Layer4 Routes') }}</a></li>
     <li id="tab-matcher"><a data-toggle="tab" href="#matchers">{{ lang._('Layer7 Matcher Settings') }}</a></li>
 
 {% endif %}
@@ -482,83 +503,50 @@
 
     <!-- Combined Domains Tab -->
     <div id="domains" class="tab-pane fade in active">
-        <div style="padding-left: 16px;">
-            <!-- Reverse Proxy -->
-            <h1 class="custom-header">{{ lang._('Domains') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy + {'command_width': '160'})}}
-            </div>
-        </div>
+        <!-- Reverse Proxy -->
+        <h1 class="custom-header">{{ lang._('Domains') }}</h1>
+        {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy + {'command_width': '160'})}}
 
         <!-- Subdomains Tab -->
-        <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain + {'command_width': '160'})}}
-            </div>
-        </div>
+        <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
+        {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain + {'command_width': '160'})}}
     </div>
 
     <!-- Handle Tab -->
     <div id="handlers" class="tab-pane fade">
-        <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridHandle)}}
-            </div>
-        </div>
+        <h1 class="custom-header">{{ lang._('Handlers') }}</h1>
+        {{ partial('layout_partials/base_bootgrid_table', formGridHandle)}}
     </div>
 
     <!-- Combined Access Tab -->
     <div id="access" class="tab-pane fade">
         <!-- Access Lists Section -->
-        <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Access Lists') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridAccessList)}}
-            </div>
-        </div>
+        <h1 class="custom-header">{{ lang._('Access Lists') }}</h1>
+        {{ partial('layout_partials/base_bootgrid_table', formGridAccessList)}}
 
         <!-- Basic Auth Section -->
-        <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Basic Auth') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridBasicAuth)}}
-            </div>
-        </div>
+        <h1 class="custom-header">{{ lang._('Basic Auth') }}</h1>
+        {{ partial('layout_partials/base_bootgrid_table', formGridBasicAuth)}}
     </div>
 
     <!-- Header Tab -->
     <div id="headers" class="tab-pane fade">
-        <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Headers') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridHeader)}}
-            </div>
-        </div>
+        <h1 class="custom-header">{{ lang._('Headers') }}</h1>
+        {{ partial('layout_partials/base_bootgrid_table', formGridHeader)}}
     </div>
 
 {% elseif entrypoint == 'layer4' %}
 
     <!-- Layer4 Tab -->
     <div id="routes" class="tab-pane fade active in">
-        <div style="padding-left: 16px;">
-            <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4)}}
-            </div>
-        </div>
+        <h1 class="custom-header">{{ lang._('Layer4 Routes') }}</h1>
+        {{ partial('layout_partials/base_bootgrid_table', formGridLayer4)}}
     </div>
 
     <!-- Layer7 Tab -->
     <div id="matchers" class="tab-pane fade">
-        <div style="padding-left: 16px;">
-            <!-- OpenVPN Matcher -->
-            <h1 class="custom-header">{{ lang._('OpenVPN Static Keys') }}</h1>
-            <div style="display: block;">
-                {{ partial('layout_partials/base_bootgrid_table', formGridLayer4Openvpn)}}
-            </div>
-        </div>
+        <h1 class="custom-header">{{ lang._('OpenVPN Static Keys') }}</h1>
+        {{ partial('layout_partials/base_bootgrid_table', formGridLayer4Openvpn)}}
     </div>
 
 {% endif %}

From a8a9bd9e186f8700b807003dc7bb5b9a620dc601 Mon Sep 17 00:00:00 2001
From: eguun <79050535+eguun@users.noreply.github.com>
Date: Tue, 26 Aug 2025 11:00:16 +0200
Subject: [PATCH 2627/3088] 25.7.2 patch for shadowsocks (#4913)

---
 .../src/etc/inc/plugins.inc.d/shadowsocks.inc |  4 +--
 .../src/etc/rc.d/opnsense-ss-local            | 29 ----------------
 .../conf/actions.d/actions_shadowsocks.conf   | 33 +++----------------
 .../actions.d/actions_shadowsockslocal.conf   |  9 ++---
 .../templates/OPNsense/Shadowsocks/+TARGETS   |  8 ++---
 .../Shadowsocks/{ss_local => sslocal}         |  5 ++-
 .../{shadowsocks_libev => ssserver}           |  5 ++-
 7 files changed, 20 insertions(+), 73 deletions(-)
 delete mode 100755 net/shadowsocks/src/etc/rc.d/opnsense-ss-local
 rename net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/{ss_local => sslocal} (68%)
 rename net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/{shadowsocks_libev => ssserver} (60%)

diff --git a/net/shadowsocks/src/etc/inc/plugins.inc.d/shadowsocks.inc b/net/shadowsocks/src/etc/inc/plugins.inc.d/shadowsocks.inc
index d4815eea8a..f522c47168 100644
--- a/net/shadowsocks/src/etc/inc/plugins.inc.d/shadowsocks.inc
+++ b/net/shadowsocks/src/etc/inc/plugins.inc.d/shadowsocks.inc
@@ -41,7 +41,7 @@ function shadowsocks_services()
                 'stop' => array('shadowsocks stop'),
             ),
             'name' => 'shadowsocks',
-            'pidfile' => '/var/run/shadowsocks-libev.pid'
+            'pidfile' => '/var/run/ssserver_rust.pid'
         );
     }
 
@@ -54,7 +54,7 @@ function shadowsocks_services()
                 'stop' => array('shadowsockslocal stop'),
             ),
             'name' => 'shadowsockslocal',
-            'pidfile' => '/var/run/ss-local.pid'
+            'pidfile' => '/var/run/sslocal_rust.pid'
         );
     }
 
diff --git a/net/shadowsocks/src/etc/rc.d/opnsense-ss-local b/net/shadowsocks/src/etc/rc.d/opnsense-ss-local
deleted file mode 100755
index f968c7c701..0000000000
--- a/net/shadowsocks/src/etc/rc.d/opnsense-ss-local
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/sh
-#
-# PROVIDE: ss-local
-# REQUIRE: LOGIN cleanvar
-# KEYWORD: shutdown
-
-# Add the following lines to /etc/rc.conf to enable shadowsocks-libev:
-# ss_local_enable (bool):  Set to "NO" by default.
-#      Set to "YES" to enable ss-local.
-# ss_local_config (path): Shadowsocks config file.
-#      Defaults to "/usr/local/etc/shadowsocks-libev/local.json"
-
-. /etc/rc.subr
-
-name="ss_local"
-rcvar=ss_local_enable
-
-load_rc_config $name
-
-: ${ss_local_enable:="NO"}
-: ${ss_local_config="/usr/local/etc/shadowsocks-libev/local.json"}
-
-command="/usr/local/bin/ss-local"
-pidfile="/var/run/ss-local.pid"
-required_files="${ss_local_config}"
-
-command_args="-f $pidfile -c $ss_local_config"
-
-run_rc_command "$1"
diff --git a/net/shadowsocks/src/opnsense/service/conf/actions.d/actions_shadowsocks.conf b/net/shadowsocks/src/opnsense/service/conf/actions.d/actions_shadowsocks.conf
index 825825bf1d..3723867705 100644
--- a/net/shadowsocks/src/opnsense/service/conf/actions.d/actions_shadowsocks.conf
+++ b/net/shadowsocks/src/opnsense/service/conf/actions.d/actions_shadowsocks.conf
@@ -1,47 +1,24 @@
 [start]
-command:/usr/local/etc/rc.d/shadowsocks_libev start
+command:/usr/local/etc/rc.d/ssserver-rust start
 parameters:
 type:script
 message:starting Shadowsocks
 
 [stop]
-command:/usr/local/etc/rc.d/shadowsocks_libev stop
+command:/usr/local/etc/rc.d/ssserver-rust stop
 parameters:
 type:script
 message:stopping Shadowsocks
 
 [restart]
-command:/usr/local/etc/rc.d/shadowsocks_libev restart
+command:/usr/local/etc/rc.d/ssserver-rust restart
 parameters:
 type:script
 message:restarting Shadowsocks
 
 [status]
-command:/usr/local/etc/rc.d/shadowsocks_libev status;exit 0
+command:/usr/local/etc/rc.d/ssserver-rust status
+errors:no
 parameters:
 type:script_output
 message:request Shadowsocks status
-
-[start-local]
-command:/usr/local/etc/rc.d/opnsense-ss-local start
-parameters:
-type:script
-message:starting Shadowsocks Local
-
-[stop-local]
-command:/usr/local/etc/rc.d/opnsense-ss-local stop
-parameters:
-type:script
-message:stopping Shadowsocks Local
-
-[restart-local]
-command:/usr/local/etc/rc.d/opnsense-ss-local restart
-parameters:
-type:script
-message:restarting Shadowsocks Local
-
-[status-local]
-command:/usr/local/etc/rc.d/opnsense-ss-local status;exit 0
-parameters:
-type:script_output
-message:request Shadowsocks Local status
diff --git a/net/shadowsocks/src/opnsense/service/conf/actions.d/actions_shadowsockslocal.conf b/net/shadowsocks/src/opnsense/service/conf/actions.d/actions_shadowsockslocal.conf
index a1c5404950..d472c2a3f5 100644
--- a/net/shadowsocks/src/opnsense/service/conf/actions.d/actions_shadowsockslocal.conf
+++ b/net/shadowsocks/src/opnsense/service/conf/actions.d/actions_shadowsockslocal.conf
@@ -1,23 +1,24 @@
 [start]
-command:/usr/local/etc/rc.d/opnsense-ss-local start
+command:/usr/local/etc/rc.d/sslocal-rust start
 parameters:
 type:script
 message:starting Shadowsocks Local
 
 [stop]
-command:/usr/local/etc/rc.d/opnsense-ss-local stop
+command:/usr/local/etc/rc.d/sslocal-rust stop
 parameters:
 type:script
 message:stopping Shadowsocks Local
 
 [restart]
-command:/usr/local/etc/rc.d/opnsense-ss-local restart
+command:/usr/local/etc/rc.d/sslocal-rust restart
 parameters:
 type:script
 message:restarting Shadowsocks Local
 
 [status]
-command:/usr/local/etc/rc.d/opnsense-ss-local status;exit 0
+command:/usr/local/etc/rc.d/sslocal-rust status
+errors:no
 parameters:
 type:script_output
 message:request Shadowsocks Local status
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS
index bb1dc94e91..a79c7369d2 100644
--- a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS
+++ b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS
@@ -1,4 +1,4 @@
-shadowsocks_libev:/etc/rc.conf.d/shadowsocks_libev
-shadowsocks.conf:/usr/local/etc/shadowsocks-libev/config.json
-ss_local:/etc/rc.conf.d/ss_local
-ss_local.conf:/usr/local/etc/shadowsocks-libev/local.json
+ssserver:/etc/rc.conf.d/ssserver_rust
+shadowsocks.conf:/usr/local/etc/shadowsocks-rust/config.json
+sslocal:/etc/rc.conf.d/sslocal_rust
+sslocal.conf:/usr/local/etc/shadowsocks-rust/local.json
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/ss_local b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/sslocal
similarity index 68%
rename from net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/ss_local
rename to net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/sslocal
index 258b305d0f..d7fe2808ac 100644
--- a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/ss_local
+++ b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/sslocal
@@ -1,6 +1,5 @@
 {% if helpers.exists('OPNsense.shadowsocks.local.enabled') and OPNsense.shadowsocks.local.enabled == '1' %}
-ss_local_enable="YES"
-ss_local_flags=""
+sslocal_rust_enable="YES"
 {% else %}
-ss_local_enable="NO"
+sslocal_rust_enable="NO"
 {% endif %}
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks_libev b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/ssserver
similarity index 60%
rename from net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks_libev
rename to net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/ssserver
index 11dd88f359..5a53f2819c 100644
--- a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks_libev
+++ b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/ssserver
@@ -1,6 +1,5 @@
 {% if helpers.exists('OPNsense.shadowsocks.general.enabled') and OPNsense.shadowsocks.general.enabled == '1' %}
-shadowsocks_libev_enable="YES"
-shadowsocks_libev_flags=""
+ssserver_rust_enable="YES"
 {% else %}
-shadowsocks_libev_enable="NO"
+ssserver_rust_enable="NO"
 {% endif %}

From 55576e88d750f5a01b6bd05b04b3a1ad4894ee10 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 26 Aug 2025 11:02:38 +0200
Subject: [PATCH 2628/3088] net/shadowsocks: cleanup

---
 net/shadowsocks/Makefile                                      | 1 +
 .../opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS  | 4 ++--
 .../OPNsense/Shadowsocks/{shadowsocks.conf => config.json}    | 0
 .../OPNsense/Shadowsocks/{ss_local.conf => local.json}        | 0
 4 files changed, 3 insertions(+), 2 deletions(-)
 rename net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/{shadowsocks.conf => config.json} (100%)
 rename net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/{ss_local.conf => local.json} (100%)

diff --git a/net/shadowsocks/Makefile b/net/shadowsocks/Makefile
index 762a18ad00..ba50d1d293 100644
--- a/net/shadowsocks/Makefile
+++ b/net/shadowsocks/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		shadowsocks
 PLUGIN_VERSION=		1.2
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Secure socks5 proxy
 PLUGIN_DEPENDS=		shadowsocks-rust
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS
index a79c7369d2..bb1f9c5e44 100644
--- a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS
+++ b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/+TARGETS
@@ -1,4 +1,4 @@
 ssserver:/etc/rc.conf.d/ssserver_rust
-shadowsocks.conf:/usr/local/etc/shadowsocks-rust/config.json
+config.json:/usr/local/etc/shadowsocks-rust/config.json
 sslocal:/etc/rc.conf.d/sslocal_rust
-sslocal.conf:/usr/local/etc/shadowsocks-rust/local.json
+local.json:/usr/local/etc/shadowsocks-rust/local.json
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks.conf b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/config.json
similarity index 100%
rename from net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/shadowsocks.conf
rename to net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/config.json
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/ss_local.conf b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/local.json
similarity index 100%
rename from net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/ss_local.conf
rename to net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/local.json

From 9ee2c2834dcae91ca7d8d0f6bac6357c42906c3f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 26 Aug 2025 11:09:59 +0200
Subject: [PATCH 2629/3088] net/shadowsocks: tweaks and fixes

---
 .../mvc/app/models/OPNsense/Shadowsocks/General.xml        | 7 ++-----
 .../opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml | 7 ++-----
 .../mvc/app/views/OPNsense/Shadowsocks/general.volt        | 3 +--
 .../opnsense/mvc/app/views/OPNsense/Shadowsocks/local.volt | 3 +--
 4 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
index af91c85a95..b66a08112e 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
@@ -26,12 +26,9 @@
             <MaximumValue>65535</MaximumValue>
             <ValidationMessage>Please provide a valid port number between 1 and 65535.</ValidationMessage>
         </localport>
-        <password type="TextField">
-            <Default>password</Default>
-            <Required>N</Required>
-        </password>
+        <password type="TextField"/>
         <cipher type="OptionField">
-            <Default>AES-256-CFB</Default>
+            <Default>aes-256-cfb</Default>
             <Required>Y</Required>
             <OptionValues>
                 <aes-256-cfb>AES-256-CFB</aes-256-cfb>
diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
index 1ea0e8817c..00ab061c40 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
@@ -31,12 +31,9 @@
             <MaximumValue>65535</MaximumValue>
             <ValidationMessage>Please provide a valid port number between 1 and 65535.</ValidationMessage>
         </localport>
-        <password type="TextField">
-            <Default>password</Default>
-            <Required>N</Required>
-        </password>
+        <password type="TextField"/>
         <cipher type="OptionField">
-            <Default>AES-256-CFB</Default>
+            <Default>aes-256-cfb</Default>
             <Required>Y</Required>
             <OptionValues>
                 <aes-256-cfb>AES-256-CFB</aes-256-cfb>
diff --git a/net/shadowsocks/src/opnsense/mvc/app/views/OPNsense/Shadowsocks/general.volt b/net/shadowsocks/src/opnsense/mvc/app/views/OPNsense/Shadowsocks/general.volt
index b33849bf44..16a1d5e1c6 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/views/OPNsense/Shadowsocks/general.volt
+++ b/net/shadowsocks/src/opnsense/mvc/app/views/OPNsense/Shadowsocks/general.volt
@@ -28,8 +28,7 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
+    <div class="col-md-12 __mt">
         <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
     </div>
 </div>
diff --git a/net/shadowsocks/src/opnsense/mvc/app/views/OPNsense/Shadowsocks/local.volt b/net/shadowsocks/src/opnsense/mvc/app/views/OPNsense/Shadowsocks/local.volt
index 7cbcca40e6..cfa3020191 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/views/OPNsense/Shadowsocks/local.volt
+++ b/net/shadowsocks/src/opnsense/mvc/app/views/OPNsense/Shadowsocks/local.volt
@@ -28,8 +28,7 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':localForm,'id':'frm_local_settings'])}}
-    <div class="col-md-12">
-        <hr />
+    <div class="col-md-12 __mt">
         <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
     </div>
 </div>

From 746d1532791f43fb9ea18a1ba5032101260e216a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 26 Aug 2025 11:14:39 +0200
Subject: [PATCH 2630/3088] net/shadowsocks: remove buzz words garbage and add
 changelog

---
 net/shadowsocks/pkg-descr | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/net/shadowsocks/pkg-descr b/net/shadowsocks/pkg-descr
index 048adba333..5ffafc5cd5 100644
--- a/net/shadowsocks/pkg-descr
+++ b/net/shadowsocks/pkg-descr
@@ -1,10 +1,9 @@
-A secure socks5 proxy, designed to protect your Internet traffic.
+Shadowsocks is a fast tunnel proxy that helps you bypass firewalls.
 
-Bleeding edge techniques using Asynchronous I/O and Event-driven
-programming. Secured with industry level encryption algorithm.
-Flexible to support custom algorithms. Optimized for mobile device
-and wireless network, without any keep-alive connections.
-Totally free and open source. A worldwide community devoted to
-deliver bug-free code and long-term support.
+Plugin Changelog
+================
 
-WWW: https://shadowsocks.org/
+1.2
+
+* Switch to shadowsocks-rust
+* Fix compatiblity of plugin (contributed by eguun)

From 940d34bddaf96d81849d13382d2c5b1883e0c89e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 26 Aug 2025 15:58:49 +0200
Subject: [PATCH 2631/3088] net/shadowsocks: fix typo

---
 net/shadowsocks/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/shadowsocks/pkg-descr b/net/shadowsocks/pkg-descr
index 5ffafc5cd5..a271c00c4f 100644
--- a/net/shadowsocks/pkg-descr
+++ b/net/shadowsocks/pkg-descr
@@ -6,4 +6,4 @@ Plugin Changelog
 1.2
 
 * Switch to shadowsocks-rust
-* Fix compatiblity of plugin (contributed by eguun)
+* Fix compatibility of plugin (contributed by eguun)

From 034e337747f3c69444d0f464a3e32bb7aa1a79a4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Aug 2025 08:41:19 +0200
Subject: [PATCH 2632/3088] www/squid: new version

---
 www/squid/pkg-descr | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index 71c2e36f35..f885f0ccee 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -5,6 +5,11 @@ content serving applications.
 Plugin Changelog
 ================
 
+1.3
+
+* Repackage template files using new contrib directory feature
+* Clean up model and validation messages
+
 1.2
 
 * Change cache_dir from "ufs" to "rock" (contributed by Andy Binder)

From 0d30db0a8d4a30c16aa089465ae91321e9f545b6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Aug 2025 09:46:53 +0200
Subject: [PATCH 2633/3088] net/frr: model style and new indent

---
 .../mvc/app/models/OPNsense/Quagga/BFD.xml    |   6 +-
 .../mvc/app/models/OPNsense/Quagga/BGP.xml    | 894 ++++++++----------
 .../app/models/OPNsense/Quagga/General.xml    |   2 -
 .../mvc/app/models/OPNsense/Quagga/OSPF.xml   | 592 ++++++------
 .../mvc/app/models/OPNsense/Quagga/OSPF6.xml  | 400 ++++----
 .../mvc/app/models/OPNsense/Quagga/RIP.xml    |  32 +-
 .../app/models/OPNsense/Quagga/STATICd.xml    |  56 +-
 7 files changed, 905 insertions(+), 1077 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
index 91b35955ca..4986cc173b 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
@@ -13,12 +13,8 @@
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
-                <description type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
-                </description>
+                <description type="TextField"/>
                 <address type="NetworkField">
-                    <Default></Default>
                     <Required>Y</Required>
                 </address>
                 <multihop type="BooleanField">
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index eed6157a04..2a7c33da92 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -18,7 +18,6 @@
             <MaximumValue>255</MaximumValue>
         </distance>
         <routerid type="TextField">
-            <Required>N</Required>
             <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
         </routerid>
         <graceful type="BooleanField">
@@ -33,515 +32,418 @@
             <Default>0</Default>
             <Required>Y</Required>
         </logneighborchanges>
-        <networks type="CSVListField">
-            <Default></Default>
-            <Required>N</Required>
-        </networks>
+        <networks type="CSVListField"/>
         <neighbors>
-                <neighbor type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="TextField">
-                                <Default></Default>
-                                <Required>N</Required>
-                        </description>
-                        <address type="NetworkField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                        </address>
-                        <remote_as_mode type="OptionField">
-                                <BlankDesc>Use Remote AS Number</BlankDesc>
-                                <OptionValues>
-                                        <internal>Internal</internal>
-                                        <external>External</external>
-                                </OptionValues>
-                        </remote_as_mode>
-                        <remoteas type="IntegerField">
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                        </remoteas>
-                        <password type="TextField">
-                                <Required>N</Required>
-                        </password>
-                        <weight type="IntegerField">
-                                <Default></Default>
-                                <Required>N</Required>
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>65535</MaximumValue>
-                        </weight>
-                        <localip type="NetworkField">
-                                <Required>N</Required>
-                        </localip>
-                        <updatesource type="InterfaceField">
-                                <Default></Default>
-                                <Required>N</Required>
-                                <Multiple>N</Multiple>
-                                <AllowDynamic>Y</AllowDynamic>
-                                <filters>
-                                        <enable>/^(?!0).*$/</enable>
-                                </filters>
-                        </updatesource>
-                        <linklocalinterface type="InterfaceField">
-                                <Default></Default>
-                                <Required>N</Required>
-                                <Multiple>N</Multiple>
-                                <AllowDynamic>Y</AllowDynamic>
-                                <filters>
-                                        <enable>/^(?!0).*$/</enable>
-                                </filters>
-                        </linklocalinterface>
-                        <nexthopself type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </nexthopself>
-                        <nexthopselfall type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </nexthopselfall>
-                        <multihop type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </multihop>
-                        <multiprotocol type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </multiprotocol>
-                        <rrclient type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </rrclient>
-                        <soft_reconfiguration_inbound type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </soft_reconfiguration_inbound>
-                        <bfd type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </bfd>
-                        <keepalive type="IntegerField">
-                                <Required>N</Required>
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>1000</MaximumValue>
-                        </keepalive>
-                        <holddown type="IntegerField">
-                                <Required>N</Required>
-                                <MinimumValue>3</MinimumValue>
-                                <MaximumValue>3000</MaximumValue>
-                        </holddown>
-                        <connecttimer type="IntegerField">
-                                <Required>N</Required>
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>65000</MaximumValue>
-                        </connecttimer>
-                        <defaultoriginate type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </defaultoriginate>
-                        <asoverride type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </asoverride>
-                        <allowas_in type="OptionField">
-                                <OptionValues>
-                                        <val1 value="1">1</val1>
-                                        <val2 value="2">2</val2>
-                                        <val3 value="3">3</val3>
-                                        <val4 value="4">4</val4>
-                                        <val5 value="5">5</val5>
-                                        <val6 value="6">6</val6>
-                                        <val7 value="7">7</val7>
-                                        <val8 value="8">8</val8>
-                                        <val9 value="9">9</val9>
-                                        <val10 value="10">10</val10>
-                                        <origin>origin</origin>
-                                </OptionValues>
-                        </allowas_in>
-                        <disable_connected_check type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </disable_connected_check>
-                        <attributeunchanged type="OptionField">
-                                <Default></Default>
-                                <Required>N</Required>
-                                <OptionValues>
-                                        <as-path>as-path</as-path>
-                                        <next-hop>next-hop</next-hop>
-                                        <med>med</med>
-                                </OptionValues>
-                        </attributeunchanged>
-                        <linkedPrefixlistIn type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                                <Required>N</Required>
-                        </linkedPrefixlistIn>
-                        <linkedPrefixlistOut type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                                <Required>N</Required>
-                        </linkedPrefixlistOut>
-                        <linkedRoutemapIn type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>routemaps.routemap</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                                <Required>N</Required>
-                        </linkedRoutemapIn>
-                        <linkedRoutemapOut type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>routemaps.routemap</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                                <Required>N</Required>
-                        </linkedRoutemapOut>
-                        <peergroup type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>peergroups.peergroup</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Peer Group item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                        </peergroup>
-                </neighbor>
+            <neighbor type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="TextField"/>
+                <address type="NetworkField">
+                    <Required>Y</Required>
+                </address>
+                <remote_as_mode type="OptionField">
+                    <BlankDesc>Use Remote AS Number</BlankDesc>
+                    <OptionValues>
+                        <internal>Internal</internal>
+                        <external>External</external>
+                    </OptionValues>
+                </remote_as_mode>
+                <remoteas type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                </remoteas>
+                <password type="TextField"/>
+                <weight type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                </weight>
+                <localip type="NetworkField"/>
+                <updatesource type="InterfaceField">
+                    <AllowDynamic>Y</AllowDynamic>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                    </filters>
+                </updatesource>
+                <linklocalinterface type="InterfaceField">
+                    <AllowDynamic>Y</AllowDynamic>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                    </filters>
+                </linklocalinterface>
+                <nexthopself type="BooleanField"/>
+                <nexthopselfall type="BooleanField"/>
+                <multihop type="BooleanField"/>
+                <multiprotocol type="BooleanField"/>
+                <rrclient type="BooleanField"/>
+                <soft_reconfiguration_inbound type="BooleanField"/>
+                <bfd type="BooleanField"/>
+                <keepalive type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>1000</MaximumValue>
+                </keepalive>
+                <holddown type="IntegerField">
+                    <MinimumValue>3</MinimumValue>
+                    <MaximumValue>3000</MaximumValue>
+                </holddown>
+                <connecttimer type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65000</MaximumValue>
+                </connecttimer>
+                <defaultoriginate type="BooleanField"/>
+                <asoverride type="BooleanField"/>
+                <allowas_in type="OptionField">
+                    <OptionValues>
+                        <val1 value="1">1</val1>
+                        <val2 value="2">2</val2>
+                        <val3 value="3">3</val3>
+                        <val4 value="4">4</val4>
+                        <val5 value="5">5</val5>
+                        <val6 value="6">6</val6>
+                        <val7 value="7">7</val7>
+                        <val8 value="8">8</val8>
+                        <val9 value="9">9</val9>
+                        <val10 value="10">10</val10>
+                        <origin>origin</origin>
+                    </OptionValues>
+                </allowas_in>
+                <disable_connected_check type="BooleanField"/>
+                <attributeunchanged type="OptionField">
+                    <OptionValues>
+                        <as-path>as-path</as-path>
+                        <next-hop>next-hop</next-hop>
+                        <med>med</med>
+                    </OptionValues>
+                </attributeunchanged>
+                <linkedPrefixlistIn type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Prefix-List item not found.</ValidationMessage>
+                </linkedPrefixlistIn>
+                <linkedPrefixlistOut type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Prefix-List item not found.</ValidationMessage>
+                </linkedPrefixlistOut>
+                <linkedRoutemapIn type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>routemaps.routemap</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Route-Map item not found.</ValidationMessage>
+                </linkedRoutemapIn>
+                <linkedRoutemapOut type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>routemaps.routemap</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Route-Map item not found.</ValidationMessage>
+                </linkedRoutemapOut>
+                <peergroup type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>peergroups.peergroup</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Peer Group item not found.</ValidationMessage>
+                </peergroup>
+            </neighbor>
         </neighbors>
         <aspaths>
-                <aspath type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="TextField">
-                                <Default></Default>
-                                <Required>N</Required>
-                        </description>
-                        <number type="IntegerField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                        </number>
-                        <action type="OptionField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <OptionValues>
-                                        <permit>Permit</permit>
-                                        <deny>Deny</deny>
-                                </OptionValues>
-                        </action>
-                        <as type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                        </as>
-                </aspath>
+            <aspath type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="TextField"/>
+                <number type="IntegerField">
+                    <Required>Y</Required>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                </number>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <permit>Permit</permit>
+                        <deny>Deny</deny>
+                    </OptionValues>
+                </action>
+                <as type="TextField">
+                    <Required>Y</Required>
+                </as>
+            </aspath>
         </aspaths>
         <prefixlists>
-                <prefixlist type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="TextField">
-                                <Default></Default>
-                                <Required>N</Required>
-                        </description>
-                        <name type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <Mask>/^[a-zA-Z0-9._-]{1,64}$/</Mask>
-                                <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
-                        </name>
-                        <version type="OptionField">
-                                <Default>IPv4</Default>
-                                <Required>Y</Required>
-                                <OptionValues>
-                                    <IPv4>IPv4</IPv4>
-                                    <IPv6>IPv6</IPv6>
-                                </OptionValues>
-                        </version>
-                        <seqnumber type="IntegerField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>4294967294</MaximumValue>
-                        </seqnumber>
-                        <action type="OptionField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <OptionValues>
-                                        <permit>Permit</permit>
-                                        <deny>Deny</deny>
-                                </OptionValues>
-                        </action>
-                        <network type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                        </network>
-                </prefixlist>
+            <prefixlist type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="TextField"/>
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^[a-zA-Z0-9._-]{1,64}$/</Mask>
+                    <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
+                </name>
+                <version type="OptionField">
+                    <Default>IPv4</Default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <IPv4>IPv4</IPv4>
+                        <IPv6>IPv6</IPv6>
+                    </OptionValues>
+                </version>
+                <seqnumber type="IntegerField">
+                    <Required>Y</Required>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>4294967294</MaximumValue>
+                </seqnumber>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <permit>Permit</permit>
+                        <deny>Deny</deny>
+                    </OptionValues>
+                </action>
+                <network type="TextField">
+                    <Required>Y</Required>
+                </network>
+            </prefixlist>
         </prefixlists>
         <communitylists>
-                <communitylist type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="TextField">
-                                <Default></Default>
-                                <Required>N</Required>
-                        </description>
-                        <number type="IntegerField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>500</MaximumValue>
-                                <ValidationMessage>Set a number between 1 and 500.</ValidationMessage>
-                        </number>
-                        <seqnumber type="IntegerField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <MinimumValue>10</MinimumValue>
-                                <MaximumValue>99</MaximumValue>
-                        </seqnumber>
-                        <action type="OptionField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <OptionValues>
-                                        <permit>Permit</permit>
-                                        <deny>Deny</deny>
-                                </OptionValues>
-                        </action>
-                        <community type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                        </community>
-                </communitylist>
+            <communitylist type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="TextField"/>
+                <number type="IntegerField">
+                    <Required>Y</Required>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>500</MaximumValue>
+                    <ValidationMessage>Set a number between 1 and 500.</ValidationMessage>
+                </number>
+                <seqnumber type="IntegerField">
+                    <Required>Y</Required>
+                    <MinimumValue>10</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                </seqnumber>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <permit>Permit</permit>
+                        <deny>Deny</deny>
+                    </OptionValues>
+                </action>
+                <community type="TextField">
+                    <Required>Y</Required>
+                </community>
+            </communitylist>
         </communitylists>
         <routemaps>
-                <routemap type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="TextField">
-                                <Default></Default>
-                                <Required>N</Required>
-                        </description>
-                        <name type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <Mask>/^[a-zA-Z0-9._-]{1,64}$/</Mask>
-                                <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
-                        </name>
-                        <action type="OptionField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <OptionValues>
-                                        <permit>Permit</permit>
-                                        <deny>Deny</deny>
-                                </OptionValues>
-                        </action>
-                        <id type="IntegerField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>65535</MaximumValue>
-                        </id>
-                        <match type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>aspaths.aspath</items>
-                                                <display>number</display>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related item not found</ValidationMessage>
-                                <Multiple>Y</Multiple>
-                                <Required>N</Required>
-                        </match>
-                        <match2 type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related item PrefixList not found</ValidationMessage>
-                                <Multiple>Y</Multiple>
-                                <Required>N</Required>
-                        </match2>
-                        <match3 type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>communitylists.communitylist</items>
-                                                <display>number</display>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related item CommunityList not found</ValidationMessage>
-                                <Multiple>Y</Multiple>
-                                <Required>N</Required>
-                        </match3>
-                        <set type="TextField">
-                                <Required>N</Required>
-                        </set>
-                </routemap>
+            <routemap type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="TextField"/>
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^[a-zA-Z0-9._-]{1,64}$/</Mask>
+                    <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
+                </name>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <permit>Permit</permit>
+                        <deny>Deny</deny>
+                    </OptionValues>
+                </action>
+                <id type="IntegerField">
+                    <Required>Y</Required>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                </id>
+                <match type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>aspaths.aspath</items>
+                            <display>number</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related item not found.</ValidationMessage>
+                    <Multiple>Y</Multiple>
+                </match>
+                <match2 type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related item PrefixList not found.</ValidationMessage>
+                    <Multiple>Y</Multiple>
+                </match2>
+                <match3 type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>communitylists.communitylist</items>
+                            <display>number</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related item CommunityList not found.</ValidationMessage>
+                    <Multiple>Y</Multiple>
+                </match3>
+                <set type="TextField"/>
+            </routemap>
         </routemaps>
         <peergroups>
-                <peergroup type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <name type="TextField">
-                                <Required>Y</Required>
-                        </name>
-                        <remote_as_mode type="OptionField">
-                                <BlankDesc>Use Remote AS Number</BlankDesc>
-                                <OptionValues>
-                                        <internal>Internal</internal>
-                                        <external>External</external>
-                                </OptionValues>
-                        </remote_as_mode>
-                        <remoteas type="IntegerField">
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                        </remoteas>
-                        <family type="OptionField">
-                                <Required>Y</Required>
-                                <Default>ipv4</Default>
-                                <Multiple>Y</Multiple>
-                                <OptionValues>
-                                        <ipv4>IPv4</ipv4>
-                                        <ipv6>IPv6</ipv6>
-                                </OptionValues>
-                        </family>
-                        <listenranges type="NetworkField">
-                                <FieldSeparator>,</FieldSeparator>
-                                <AsList>Y</AsList>
-                                <Strict>Y</Strict>
-                                <NetMaskRequired>Y</NetMaskRequired>
-                                <ValidationMessage>Please enter one or multiple valid IP networks in CIDR notation.</ValidationMessage>
-                        </listenranges>
-                        <updatesource type="InterfaceField">
-                                <AllowDynamic>Y</AllowDynamic>
-                                <filters>
-                                        <enable>/^(?!0).*$/</enable>
-                                        <type>/^(?!group).*$/</type>
-                                </filters>
-                        </updatesource>
-                        <nexthopself type="BooleanField"/>
-                        <defaultoriginate type="BooleanField"/>
-                        <linkedPrefixlistIn type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
-                        </linkedPrefixlistIn>
-                        <linkedPrefixlistOut type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                                <Required>N</Required>
-                        </linkedPrefixlistOut>
-                        <linkedRoutemapIn type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>routemaps.routemap</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-                        </linkedRoutemapIn>
-                        <linkedRoutemapOut type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>routemaps.routemap</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-                        </linkedRoutemapOut>
+            <peergroup type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                </name>
+                <remote_as_mode type="OptionField">
+                    <BlankDesc>Use Remote AS Number</BlankDesc>
+                    <OptionValues>
+                        <internal>Internal</internal>
+                        <external>External</external>
+                    </OptionValues>
+                </remote_as_mode>
+                <remoteas type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                </remoteas>
+                <family type="OptionField">
+                    <Required>Y</Required>
+                    <Default>ipv4</Default>
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <ipv4>IPv4</ipv4>
+                        <ipv6>IPv6</ipv6>
+                    </OptionValues>
+                </family>
+                <listenranges type="NetworkField">
+                    <AsList>Y</AsList>
+                    <Strict>Y</Strict>
+                    <NetMaskRequired>Y</NetMaskRequired>
+                    <ValidationMessage>Please enter one or multiple valid IP networks in CIDR notation.</ValidationMessage>
+                </listenranges>
+                <updatesource type="InterfaceField">
+                    <AllowDynamic>Y</AllowDynamic>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                        <type>/^(?!group).*$/</type>
+                    </filters>
+                </updatesource>
+                <nexthopself type="BooleanField"/>
+                <defaultoriginate type="BooleanField"/>
+                <linkedPrefixlistIn type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Prefix-List item not found.</ValidationMessage>
+                </linkedPrefixlistIn>
+                <linkedPrefixlistOut type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Prefix-List item not found.</ValidationMessage>
+                </linkedPrefixlistOut>
+                <linkedRoutemapIn type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>routemaps.routemap</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Route-Map item not found.</ValidationMessage>
+                </linkedRoutemapIn>
+                <linkedRoutemapOut type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>routemaps.routemap</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Route-Map item not found.</ValidationMessage>
+                </linkedRoutemapOut>
             </peergroup>
         </peergroups>
         <redistributions>
-                <redistribution type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="DescriptionField"/>
-                        <redistribute type="OptionField">
-                                <Required>Y</Required>
-                                <Default>connected</Default>
-                                <OptionValues>
-                                        <ospf>Open Shortest Path First (OSPF)</ospf>
-                                        <connected>Connected routes (directly attached subnet or host)</connected>
-                                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
-                                        <rip>Routing Information Protocol (RIP)</rip>
-                                        <static>Statically configured routes</static>
-                                </OptionValues>
-                        </redistribute>
-                        <linkedRoutemap type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.bgp</source>
-                                                <items>routemaps.routemap</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-                        </linkedRoutemap>
-                </redistribution>
+            <redistribution type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="DescriptionField"/>
+                <redistribute type="OptionField">
+                    <Required>Y</Required>
+                    <Default>connected</Default>
+                    <OptionValues>
+                        <ospf>Open Shortest Path First (OSPF)</ospf>
+                        <connected>Connected routes (directly attached subnet or host)</connected>
+                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
+                        <rip>Routing Information Protocol (RIP)</rip>
+                        <static>Statically configured routes</static>
+                    </OptionValues>
+                </redistribute>
+                <linkedRoutemap type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.bgp</source>
+                            <items>routemaps.routemap</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Route-Map item not found.</ValidationMessage>
+                </linkedRoutemap>
+            </redistribution>
         </redistributions>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
index 53ab692d22..6e9507e4b9 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/General.xml
@@ -9,7 +9,6 @@
         </enabled>
         <profile type="OptionField">
             <Required>Y</Required>
-            <Multiple>N</Multiple>
             <Default>traditional</Default>
             <OptionValues>
                 <traditional>Traditional</traditional>
@@ -30,7 +29,6 @@
         </enablesnmp>
         <sysloglevel type="OptionField">
             <Required>Y</Required>
-            <Multiple>N</Multiple>
             <Default>notifications</Default>
             <OptionValues>
                 <critical>Critical</critical>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 931286130a..6e59b88816 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -12,12 +12,9 @@
             <Required>Y</Required>
         </carp_demote>
         <routerid type="TextField">
-            <Default></Default>
-            <Required>N</Required>
             <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
         </routerid>
         <costreference type="IntegerField">
-            <Required>N</Required>
             <MinimumValue>1</MinimumValue>
             <MaximumValue>4294967</MaximumValue>
             <ValidationMessage>Must be a number between 1 and 4294967.</ValidationMessage>
@@ -35,348 +32,291 @@
             <Required>Y</Required>
         </originatealways>
         <originatemetric type="IntegerField">
-            <Required>N</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>16777214</MaximumValue>
             <ValidationMessage>Must be a number between 0 and 16777214.</ValidationMessage>
         </originatemetric>
         <passiveinterfaces type="InterfaceField">
-                <Required>N</Required>
-                <Multiple>Y</Multiple>
-                <Default></Default>
-                <AllowDynamic>Y</AllowDynamic>
-                <filters>
-                    <enable>/^(?!0).*$/</enable>
-                </filters>
+            <Multiple>Y</Multiple>
+            <AllowDynamic>Y</AllowDynamic>
+            <filters>
+                <enable>/^(?!0).*$/</enable>
+            </filters>
         </passiveinterfaces>
         <areas>
-                <area type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <id type="NetworkField">
-                                <Required>Y</Required>
-                                <AddressFamily>ipv4</AddressFamily>
-                                <NetMaskAllowed>N</NetMaskAllowed>
-                                <ValidationMessage>Please enter area ID in dotted (e.g. 0.0.0.1) format.</ValidationMessage>
-                                <Constraints>
-                                        <check001>
-                                                <type>UniqueConstraint</type>
-                                                <ValidationMessage>The area ID must be unique.</ValidationMessage>
-                                        </check001>
-                                </Constraints>
-                        </id>
-                        <type type="OptionField">
-                                <Required>Y</Required>
-                                <Default>standard</Default>
-                                <OptionValues>
-                                        <standard>standard</standard>
-                                        <stub>stub</stub>
-                                        <stub-no-summary value="stub no-summary">stub no-summary</stub-no-summary>
-                                        <nssa>nssa</nssa>
-                                        <nssa-no-summary value="nssa no-summary">nssa no-summary</nssa-no-summary>
-                                </OptionValues>
-                        </type>
-                </area>
+            <area type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <id type="NetworkField">
+                    <Required>Y</Required>
+                    <AddressFamily>ipv4</AddressFamily>
+                    <NetMaskAllowed>N</NetMaskAllowed>
+                    <ValidationMessage>Please enter area ID in dotted (e.g. 0.0.0.1) format.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <type>UniqueConstraint</type>
+                            <ValidationMessage>The area ID must be unique.</ValidationMessage>
+                        </check001>
+                    </Constraints>
+                </id>
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <Default>standard</Default>
+                    <OptionValues>
+                        <standard>standard</standard>
+                        <stub>stub</stub>
+                        <stub-no-summary value="stub no-summary">stub no-summary</stub-no-summary>
+                        <nssa>nssa</nssa>
+                        <nssa-no-summary value="nssa no-summary">nssa no-summary</nssa-no-summary>
+                    </OptionValues>
+                </type>
+            </area>
         </areas>
         <networks>
-                <network type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <ipaddr type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
-                        </ipaddr>
-                        <area type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
-                        </area>
-                        <netmask type="IntegerField">
-                                <Default>24</Default>
-                                <MinimumValue>0</MinimumValue>
-                                <Required>Y</Required>
-                                <MaximumValue>32</MaximumValue>
-                                <ValidationMessage>Network mask must be between 0 and 32.</ValidationMessage>
-                        </netmask>
-                        <arearange type="NetworkField">
-                                <Required>N</Required>
-                        </arearange>
-                        <linkedPrefixlistIn type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.ospf</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                                <Required>N</Required>
-                        </linkedPrefixlistIn>
-                        <linkedPrefixlistOut type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.ospf</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                                <Required>N</Required>
-                        </linkedPrefixlistOut>
-                </network>
+            <network type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <ipaddr type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+                </ipaddr>
+                <area type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+                </area>
+                <netmask type="IntegerField">
+                    <Default>24</Default>
+                    <MinimumValue>0</MinimumValue>
+                    <Required>Y</Required>
+                    <MaximumValue>32</MaximumValue>
+                    <ValidationMessage>Network mask must be between 0 and 32.</ValidationMessage>
+                </netmask>
+                <arearange type="NetworkField"/>
+                <linkedPrefixlistIn type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.ospf</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Prefix-List item not found.</ValidationMessage>
+                </linkedPrefixlistIn>
+                <linkedPrefixlistOut type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.ospf</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Prefix-List item not found.</ValidationMessage>
+                </linkedPrefixlistOut>
+            </network>
         </networks>
         <neighbors>
-                <neighbor type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="DescriptionField">
-                                <Required>N</Required>
-                        </description>
-                        <address type="NetworkField">
-                                <Required>Y</Required>
-                        </address>
-                        <pollinterval type="IntegerField">
-                                <Required>N</Required>
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>65535</MaximumValue>
-                        </pollinterval>
-                        <priority type="IntegerField">
-                                <Required>N</Required>
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>255</MaximumValue>
-                        </priority>
-                </neighbor>
+            <neighbor type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="DescriptionField"/>
+                <address type="NetworkField">
+                    <Required>Y</Required>
+                </address>
+                <pollinterval type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                </pollinterval>
+                <priority type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>255</MaximumValue>
+                </priority>
+            </neighbor>
         </neighbors>
         <interfaces>
-                <interface type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <interfacename type="InterfaceField">
-                                 <Required>N</Required>
-                                 <Multiple>N</Multiple>
-                                 <Default></Default>
-                                 <AllowDynamic>Y</AllowDynamic>
-                                 <filters>
-                                         <enable>/^(?!0).*$/</enable>
-                                 </filters>
-                        </interfacename>
-                        <authtype type="OptionField">
-                                <Required>N</Required>
-                                <Multiple>N</Multiple>
-                                <Default></Default>
-                                <OptionValues>
-                                        <message-digest>MD5</message-digest>
-                                        <plain>plain</plain>
-                                </OptionValues>
-                        </authtype>
-                        <authkey type="TextField">
-                                <Default></Default>
-                                <Required>N</Required>
-                                <Mask>/^\S+$/</Mask>
-                        </authkey>
-                        <authkey_id type="IntegerField">
-                                <Default>1</Default>
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>255</MaximumValue>
-                                <Required>Y</Required>
-                                <ValidationMessage>The authentication key ID must be between 1 and 255.</ValidationMessage>
-                        </authkey_id>
-                        <area type="TextField">
-                                <Default></Default>
-                                <Required>N</Required>
-                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
-                        </area>
-                        <cost type="IntegerField">
-                                <Default></Default>
-                                <MinimumValue>1</MinimumValue>
-                                <Required>N</Required>
-                                <MaximumValue>65535</MaximumValue>
-                                <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
-                        </cost>
-                        <cost_demoted type="IntegerField">
-                                <Default>65535</Default>
-                                <MinimumValue>1</MinimumValue>
-                                <Required>N</Required>
-                                <MaximumValue>65535</MaximumValue>
-                                <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
-                        </cost_demoted>
-                        <carp_depend_on type="VirtualIPField">
-                            <type>carp</type>
-                            <Required>N</Required>
-                        </carp_depend_on>
-                        <hellointerval type="IntegerField">
-                                <Default></Default>
-                                <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Hello interval must be between 0 and 4294967295.</ValidationMessage>
-                        </hellointerval>
-                        <deadinterval type="IntegerField">
-                                <Default></Default>
-                                <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Dead interval must be between 0 and 4294967295.</ValidationMessage>
-                        </deadinterval>
-                        <retransmitinterval type="IntegerField">
-                                <Default></Default>
-                                <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Retransmit interval must be between 0 and 4294967295.</ValidationMessage>
-                        </retransmitinterval>
-                        <transmitdelay type="IntegerField">
-                                <Default></Default>
-                                <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Transmit delay must be between 0 and 4294967295.</ValidationMessage>
-                        </transmitdelay>
-                        <priority type="IntegerField">
-                                <Default></Default>
-                                <MinimumValue>0</MinimumValue>
-                                <Required>N</Required>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
-                        </priority>
-                        <bfd type="BooleanField">
-                                <Default>0</Default>
-                                <Required>N</Required>
-                        </bfd>
-                        <networktype type="OptionField">
-                                <Required>N</Required>
-                                <Multiple>N</Multiple>
-                                <Default></Default>
-                                <OptionValues>
-                                        <broadcast>Broadcast multi-access network</broadcast>
-                                        <non-broadcast>NBMA network</non-broadcast>
-                                        <point-to-multipoint>Point-to-multipoint network</point-to-multipoint>
-                                        <point-to-point>Point-to-point network</point-to-point>
-                                </OptionValues>
-                        </networktype>
-                        <p2mpoptions type="OptionField">
-                                <OptionValues>
-                                        <delay-reflood>Delay reflood</delay-reflood>
-                                        <non-broadcast>Non-broadcast</non-broadcast>
-                                </OptionValues>
-                        </p2mpoptions>
-                </interface>
+            <interface type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <interfacename type="InterfaceField">
+                    <AllowDynamic>Y</AllowDynamic>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                    </filters>
+                </interfacename>
+                <authtype type="OptionField">
+                    <OptionValues>
+                        <message-digest>MD5</message-digest>
+                        <plain>plain</plain>
+                    </OptionValues>
+                </authtype>
+                <authkey type="TextField">
+                    <Mask>/^\S+$/</Mask>
+                </authkey>
+                <authkey_id type="IntegerField">
+                    <Default>1</Default>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>255</MaximumValue>
+                    <Required>Y</Required>
+                    <ValidationMessage>The authentication key ID must be between 1 and 255.</ValidationMessage>
+                </authkey_id>
+                <area type="TextField">
+                    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+                </area>
+                <cost type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                    <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
+                </cost>
+                <cost_demoted type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                    <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
+                </cost_demoted>
+                <carp_depend_on type="VirtualIPField">
+                    <type>carp</type>
+                </carp_depend_on>
+                <hellointerval type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Hello interval must be between 0 and 4294967295.</ValidationMessage>
+                </hellointerval>
+                <deadinterval type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Dead interval must be between 0 and 4294967295.</ValidationMessage>
+                </deadinterval>
+                <retransmitinterval type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Retransmit interval must be between 0 and 4294967295.</ValidationMessage>
+                </retransmitinterval>
+                <transmitdelay type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Transmit delay must be between 0 and 4294967295.</ValidationMessage>
+                </transmitdelay>
+                <priority type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
+                </priority>
+                <bfd type="BooleanField"/>
+                <networktype type="OptionField">
+                    <OptionValues>
+                        <broadcast>Broadcast multi-access network</broadcast>
+                        <non-broadcast>NBMA network</non-broadcast>
+                        <point-to-multipoint>Point-to-multipoint network</point-to-multipoint>
+                        <point-to-point>Point-to-point network</point-to-point>
+                    </OptionValues>
+                </networktype>
+                <p2mpoptions type="OptionField">
+                    <OptionValues>
+                        <delay-reflood>Delay reflood</delay-reflood>
+                        <non-broadcast>Non-broadcast</non-broadcast>
+                    </OptionValues>
+                </p2mpoptions>
+            </interface>
         </interfaces>
         <prefixlists>
-                <prefixlist type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <name type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <Mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</Mask>
-                                <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
-                        </name>
-                        <seqnumber type="IntegerField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <MinimumValue>10</MinimumValue>
-                                <MaximumValue>99</MaximumValue>
-                        </seqnumber>
-                        <action type="OptionField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <OptionValues>
-                                        <permit>Permit</permit>
-                                        <deny>Deny</deny>
-                                </OptionValues>
-                        </action>
-                        <network type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                        </network>
-                </prefixlist>
+            <prefixlist type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</Mask>
+                    <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
+                </name>
+                <seqnumber type="IntegerField">
+                    <Required>Y</Required>
+                    <MinimumValue>10</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                </seqnumber>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <permit>Permit</permit>
+                        <deny>Deny</deny>
+                    </OptionValues>
+                </action>
+                <network type="TextField">
+                    <Required>Y</Required>
+                </network>
+            </prefixlist>
         </prefixlists>
         <routemaps>
-                <routemap type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <name type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                        </name>
-                        <action type="OptionField">
-                                <Required>Y</Required>
-                                <OptionValues>
-                                        <permit>Permit</permit>
-                                        <deny>Deny</deny>
-                                </OptionValues>
-                        </action>
-                        <id type="IntegerField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                                <MinimumValue>10</MinimumValue>
-                                <MaximumValue>99</MaximumValue>
-                        </id>
-                        <match2 type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.ospf</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related item not found</ValidationMessage>
-                                <Multiple>N</Multiple>
-                                <Required>N</Required>
-                        </match2>
-                        <set type="TextField">
-                                <Required>N</Required>
-                        </set>
-                </routemap>
+            <routemap type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                </name>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <permit>Permit</permit>
+                        <deny>Deny</deny>
+                    </OptionValues>
+                </action>
+                <id type="IntegerField">
+                    <MinimumValue>10</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                </id>
+                <match2 type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.ospf</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related item not found.</ValidationMessage>
+                </match2>
+                <set type="TextField"/>
+            </routemap>
         </routemaps>
         <redistributions>
-                <redistribution type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="DescriptionField"/>
-                        <redistribute type="OptionField">
-                                <Required>Y</Required>
-                                <Default>connected</Default>
-                                <OptionValues>
-                                        <bgp>Border Gateway Protocol (BGP)</bgp>
-                                        <connected>Connected routes (directly attached subnet or host)</connected>
-                                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
-                                        <rip>Routing Information Protocol (RIP)</rip>
-                                        <static>Statically configured routes</static>
-                                </OptionValues>
-                        </redistribute>
-                        <linkedRoutemap type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.ospf</source>
-                                                <items>routemaps.routemap</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-                        </linkedRoutemap>
-                </redistribution>
+            <redistribution type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="DescriptionField"/>
+                <redistribute type="OptionField">
+                    <Required>Y</Required>
+                    <Default>connected</Default>
+                    <OptionValues>
+                        <bgp>Border Gateway Protocol (BGP)</bgp>
+                        <connected>Connected routes (directly attached subnet or host)</connected>
+                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
+                        <rip>Routing Information Protocol (RIP)</rip>
+                        <static>Statically configured routes</static>
+                    </OptionValues>
+                </redistribute>
+                <linkedRoutemap type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.ospf</source>
+                            <items>routemaps.routemap</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Route-Map item not found.</ValidationMessage>
+                </linkedRoutemap>
+            </redistribution>
         </redistributions>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
index db29c74af1..41387c7c2b 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF6.xml
@@ -12,7 +12,7 @@
             <Required>Y</Required>
         </carp_demote>
         <routerid type="TextField">
-                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+            <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
         </routerid>
         <originate type="BooleanField">
             <Default>0</Default>
@@ -28,213 +28,213 @@
             <ValidationMessage>Must be a number between 0 and 16777214.</ValidationMessage>
         </originatemetric>
         <networks>
-                <network type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <!-- XXX: it would make sense to merge both into a single field "network" -->
-                        <ipaddr type="NetworkField">
-                                <Required>Y</Required>
-                                <NetMaskAllowed>N</NetMaskAllowed>
-                                <WildcardEnabled>N</WildcardEnabled>
-                                <AddressFamily>ipv6</AddressFamily>
-                        </ipaddr>
-                        <netmask type="IntegerField">
-                                <Default>64</Default>
-                                <MinimumValue>0</MinimumValue>
-                                <Required>Y</Required>
-                                <MaximumValue>128</MaximumValue>
-                                <ValidationMessage>Network mask must be between 0 and 128.</ValidationMessage>
-                        </netmask>
-                        <area type="TextField">
-                                <Required>Y</Required>
-                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
-                        </area>
-                        <arearange type="TextField"/>
-                        <linkedPrefixlistIn type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.ospf6</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
-                        </linkedPrefixlistIn>
-                        <linkedPrefixlistOut type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.ospf6</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Prefix-List item not found</ValidationMessage>
-                        </linkedPrefixlistOut>
-                </network>
+            <network type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <!-- XXX: it would make sense to merge both into a single field "network" -->
+                <ipaddr type="NetworkField">
+                    <Required>Y</Required>
+                    <NetMaskAllowed>N</NetMaskAllowed>
+                    <WildcardEnabled>N</WildcardEnabled>
+                    <AddressFamily>ipv6</AddressFamily>
+                </ipaddr>
+                <netmask type="IntegerField">
+                    <Default>64</Default>
+                    <MinimumValue>0</MinimumValue>
+                    <Required>Y</Required>
+                    <MaximumValue>128</MaximumValue>
+                    <ValidationMessage>Network mask must be between 0 and 128.</ValidationMessage>
+                </netmask>
+                <area type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+                </area>
+                <arearange type="TextField"/>
+                <linkedPrefixlistIn type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.ospf6</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Prefix-List item not found.</ValidationMessage>
+                </linkedPrefixlistIn>
+                <linkedPrefixlistOut type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.ospf6</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Prefix-List item not found.</ValidationMessage>
+                </linkedPrefixlistOut>
+            </network>
         </networks>
         <interfaces>
-                <interface type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <interfacename type="InterfaceField">
-                                 <AllowDynamic>Y</AllowDynamic>
-                                 <filters>
-                                         <enable>/^(?!0).*$/</enable>
-                                 </filters>
-                        </interfacename>
-                        <area type="TextField">
-                                <Required>Y</Required>
-                                <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
-                        </area>
-                        <passive type="BooleanField">
-                                <Default>0</Default>
-                                <Required>Y</Required>
-                        </passive>
-                        <cost type="IntegerField">
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Cost must be between 0 and 4294967295.</ValidationMessage>
-                        </cost>
-                        <cost_demoted type="IntegerField">
-                                <MinimumValue>1</MinimumValue>
-                                <MaximumValue>65535</MaximumValue>
-                                <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
-                        </cost_demoted>
-                        <carp_depend_on type="VirtualIPField">
-                            <type>carp</type>
-                        </carp_depend_on>
-                        <hellointerval type="IntegerField">
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Hello interval must be between 0 and 4294967295.</ValidationMessage>
-                        </hellointerval>
-                        <deadinterval type="IntegerField">
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Dead interval must be between 0 and 4294967295.</ValidationMessage>
-                        </deadinterval>
-                        <retransmitinterval type="IntegerField">
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Retransmit interval must be between 0 and 4294967295.</ValidationMessage>
-                        </retransmitinterval>
-                        <transmitdelay type="IntegerField">
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Transmit delay must be between 0 and 4294967295.</ValidationMessage>
-                        </transmitdelay>
-                        <priority type="IntegerField">
-                                <MinimumValue>0</MinimumValue>
-                                <MaximumValue>4294967295</MaximumValue>
-                                <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
-                        </priority>
-			<bfd type="BooleanField"/>
-                        <networktype type="OptionField">
-                                <OptionValues>
-                                        <broadcast>Broadcast multi-access network</broadcast>
-                                        <point-to-point>Point-to-point network</point-to-point>
-                                </OptionValues>
-                        </networktype>
-                </interface>
+            <interface type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <interfacename type="InterfaceField">
+                    <AllowDynamic>Y</AllowDynamic>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                    </filters>
+                </interfacename>
+                <area type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+                </area>
+                <passive type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </passive>
+                <cost type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Cost must be between 0 and 4294967295.</ValidationMessage>
+                </cost>
+                <cost_demoted type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                    <ValidationMessage>Cost must be between 1 and 65535.</ValidationMessage>
+                </cost_demoted>
+                <carp_depend_on type="VirtualIPField">
+                    <type>carp</type>
+                </carp_depend_on>
+                <hellointerval type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Hello interval must be between 0 and 4294967295.</ValidationMessage>
+                </hellointerval>
+                <deadinterval type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Dead interval must be between 0 and 4294967295.</ValidationMessage>
+                </deadinterval>
+                <retransmitinterval type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Retransmit interval must be between 0 and 4294967295.</ValidationMessage>
+                </retransmitinterval>
+                <transmitdelay type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Transmit delay must be between 0 and 4294967295.</ValidationMessage>
+                </transmitdelay>
+                <priority type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                    <ValidationMessage>Priority must be between 0 and 4294967295.</ValidationMessage>
+                </priority>
+                <bfd type="BooleanField"/>
+                <networktype type="OptionField">
+                    <OptionValues>
+                        <broadcast>Broadcast multi-access network</broadcast>
+                        <point-to-point>Point-to-point network</point-to-point>
+                    </OptionValues>
+                </networktype>
+            </interface>
         </interfaces>
         <prefixlists>
-                <prefixlist type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <name type="TextField">
-                                <Required>Y</Required>
-                                <Mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</Mask>
-                                <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
-                        </name>
-                        <seqnumber type="IntegerField">
-                                <Required>Y</Required>
-                                <MinimumValue>10</MinimumValue>
-                                <MaximumValue>99</MaximumValue>
-                        </seqnumber>
-                        <action type="OptionField">
-                                <Required>Y</Required>
-                                <OptionValues>
-                                        <permit>Permit</permit>
-                                        <deny>Deny</deny>
-                                </OptionValues>
-                        </action>
-                        <network type="TextField">
-                                <Required>Y</Required>
-                        </network>
-                </prefixlist>
+            <prefixlist type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <Mask>/^([0-9a-zA-Z\._\-]){1,64}$/u</Mask>
+                    <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
+                </name>
+                <seqnumber type="IntegerField">
+                    <Required>Y</Required>
+                    <MinimumValue>10</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                </seqnumber>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <permit>Permit</permit>
+                        <deny>Deny</deny>
+                    </OptionValues>
+                </action>
+                <network type="TextField">
+                    <Required>Y</Required>
+                </network>
+            </prefixlist>
         </prefixlists>
         <routemaps>
-                <routemap type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <name type="TextField">
-                                <Required>Y</Required>
-                        </name>
-                        <action type="OptionField">
-                                <Required>Y</Required>
-                                <OptionValues>
-                                        <permit>Permit</permit>
-                                        <deny>Deny</deny>
-                                </OptionValues>
-                        </action>
-                        <id type="IntegerField">
-                                <Required>Y</Required>
-                                <MinimumValue>10</MinimumValue>
-                                <MaximumValue>99</MaximumValue>
-                        </id>
-                        <match2 type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.ospf6</source>
-                                                <items>prefixlists.prefixlist</items>
-                                                <display>name</display>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related item not found</ValidationMessage>
-                        </match2>
-                        <set type="TextField"/>
-                </routemap>
+            <routemap type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                </name>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <permit>Permit</permit>
+                        <deny>Deny</deny>
+                    </OptionValues>
+                </action>
+                <id type="IntegerField">
+                    <Required>Y</Required>
+                    <MinimumValue>10</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                </id>
+                <match2 type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.ospf6</source>
+                            <items>prefixlists.prefixlist</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related item not found.</ValidationMessage>
+                </match2>
+                <set type="TextField"/>
+            </routemap>
         </routemaps>
         <redistributions>
-                <redistribution type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <description type="DescriptionField"/>
-                        <redistribute type="OptionField">
-                                <Required>Y</Required>
-                                <Default>connected</Default>
-                                <OptionValues>
-                                        <bgp>Border Gateway Protocol (BGP)</bgp>
-                                        <connected>Connected routes (directly attached subnet or host)</connected>
-                                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
-                                        <rip>Routing Information Protocol (RIP)</rip>
-                                        <static>Statically configured routes</static>
-                                </OptionValues>
-                        </redistribute>
-                        <linkedRoutemap type="ModelRelationField">
-                                <Model>
-                                        <template>
-                                                <source>OPNsense.quagga.ospf6</source>
-                                                <items>routemaps.routemap</items>
-                                                <display>name</display>
-                                                <group>name</group>
-                                        </template>
-                                </Model>
-                                <ValidationMessage>Related Route-Map item not found</ValidationMessage>
-                        </linkedRoutemap>
-                </redistribution>
+            <redistribution type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="DescriptionField"/>
+                <redistribute type="OptionField">
+                    <Required>Y</Required>
+                    <Default>connected</Default>
+                    <OptionValues>
+                        <bgp>Border Gateway Protocol (BGP)</bgp>
+                        <connected>Connected routes (directly attached subnet or host)</connected>
+                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
+                        <rip>Routing Information Protocol (RIP)</rip>
+                        <static>Statically configured routes</static>
+                    </OptionValues>
+                </redistribute>
+                <linkedRoutemap type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.quagga.ospf6</source>
+                            <items>routemaps.routemap</items>
+                            <display>name</display>
+                            <group>name</group>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related Route-Map item not found.</ValidationMessage>
+                </linkedRoutemap>
+            </redistribution>
         </redistributions>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
index 27e95e96c7..8426447e74 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/RIP.xml
@@ -14,34 +14,28 @@
             <Required>Y</Required>
         </version>
         <networks type="CSVListField">
-            <Required>N</Required>
             <Mask>/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2},)*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})$/</Mask>
         </networks>
         <passiveinterfaces type="InterfaceField">
-                <Required>N</Required>
-                <Multiple>Y</Multiple>
-                <Default></Default>
-                <AllowDynamic>Y</AllowDynamic>
-                <filters>
-                    <enable>/^(?!0).*$/</enable>
-                </filters>
+            <Multiple>Y</Multiple>
+            <AllowDynamic>Y</AllowDynamic>
+            <filters>
+                <enable>/^(?!0).*$/</enable>
+            </filters>
         </passiveinterfaces>
         <redistribute type="OptionField">
-                <Required>N</Required>
-                <Multiple>Y</Multiple>
-                <Default></Default>
-                <OptionValues>
-                        <bgp>Border Gateway Protocol (BGP)</bgp>
-                        <connected>Connected routes (directly attached subnet or host)</connected>
-                        <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
-                        <ospf>Open Shortest Path First (OSPF)</ospf>
-                        <static>Statically configured routes</static>
-                </OptionValues>
+            <Multiple>Y</Multiple>
+            <OptionValues>
+                <bgp>Border Gateway Protocol (BGP)</bgp>
+                <connected>Connected routes (directly attached subnet or host)</connected>
+                <kernel>Kernel routes (not installed via the zebra RIB)</kernel>
+                <ospf>Open Shortest Path First (OSPF)</ospf>
+                <static>Statically configured routes</static>
+            </OptionValues>
         </redistribute>
         <defaultmetric type="IntegerField">
             <MinimumValue>1</MinimumValue>
             <MaximumValue>16</MaximumValue>
-            <Required>N</Required>
         </defaultmetric>
     </items>
 </model>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
index 095b46f589..8610f0c90b 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
@@ -3,34 +3,32 @@
     <description>Staticd Routing configuration</description>
     <version>1.0.0</version>
     <items>
-		<enabled type="BooleanField">
-			<Default>0</Default>
-			<Required>Y</Required>
-		</enabled>
-		<routes>
-			<route type="ArrayField">
-				<enabled type="BooleanField">
-					<Default>1</Default>
-					<Required>Y</Required>
-				</enabled>
-				<network type="NetworkField">
-					<NetMaskRequired>Y</NetMaskRequired>
-					<Required>Y</Required>
-					<ValidationMessage>Specify a valid network matching the gateways ip protocol.</ValidationMessage>
-				</network>
-				<gateway type="NetworkField">
-					<NetMaskAllowed>N</NetMaskAllowed>
-					<Required>N</Required>
-				</gateway>
-				<interfacename type="InterfaceField">
-					<Multiple>N</Multiple>
-					<AllowDynamic>Y</AllowDynamic>
-					<filters>
-						<enable>/^(?!0).*$/</enable>
-						<type>/^(?!group).*$/</type>
-					</filters>
-				</interfacename>
-			</route>
-		</routes>
+        <enabled type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </enabled>
+        <routes>
+            <route type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <network type="NetworkField">
+                    <NetMaskRequired>Y</NetMaskRequired>
+                    <Required>Y</Required>
+                    <ValidationMessage>Specify a valid network matching the gateway IP protocol.</ValidationMessage>
+                </network>
+                <gateway type="NetworkField">
+                    <NetMaskAllowed>N</NetMaskAllowed>
+                </gateway>
+                <interfacename type="InterfaceField">
+                    <AllowDynamic>Y</AllowDynamic>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                        <type>/^(?!group).*$/</type>
+                    </filters>
+                </interfacename>
+            </route>
+        </routes>
     </items>
 </model>

From 8a48982e824d9e5f68826f2c4ab9e45f6d952704 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Aug 2025 09:49:20 +0200
Subject: [PATCH 2634/3088] net/frr: yes

---
 net/frr/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 43bd5813b7..c4bf9a4da1 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -15,6 +15,7 @@ Plugin Changelog
 1.47
 
 * Add OSPF area configuration options (opnsense/plugins/pull/4880)
+* Updated model definitions and indent
 
 1.46
 

From 8fc13983c97021886a89704919028699d51fadba Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 29 Aug 2025 12:28:57 +0200
Subject: [PATCH 2635/3088] security/softether: remove development plugin

PR: https://forum.opnsense.org/index.php?topic=34567.0
---
 README.md                                     |  1 -
 security/softether/Makefile                   |  8 ---
 security/softether/pkg-descr                  |  8 ---
 .../src/etc/inc/plugins.inc.d/softether.inc   | 67 ------------------
 .../src/etc/rc.syshook.d/carp/50-softether    | 70 -------------------
 .../Softether/Api/GeneralController.php       | 39 -----------
 .../Softether/Api/ServiceController.php       | 47 -------------
 .../OPNsense/Softether/GeneralController.php  | 38 ----------
 .../OPNsense/Softether/forms/general.xml      | 21 ------
 .../app/models/OPNsense/Softether/ACL/ACL.xml |  9 ---
 .../app/models/OPNsense/Softether/General.php | 35 ----------
 .../app/models/OPNsense/Softether/General.xml | 24 -------
 .../models/OPNsense/Softether/Menu/Menu.xml   |  5 --
 .../app/views/OPNsense/Softether/general.volt | 68 ------------------
 .../scripts/OPNsense/Softether/setup.sh       |  4 --
 .../conf/actions.d/actions_softether.conf     | 23 ------
 .../templates/OPNsense/Softether/+TARGETS     |  1 -
 .../OPNsense/Softether/softether_server       |  9 ---
 18 files changed, 477 deletions(-)
 delete mode 100644 security/softether/Makefile
 delete mode 100644 security/softether/pkg-descr
 delete mode 100644 security/softether/src/etc/inc/plugins.inc.d/softether.inc
 delete mode 100755 security/softether/src/etc/rc.syshook.d/carp/50-softether
 delete mode 100644 security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/Api/GeneralController.php
 delete mode 100644 security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/Api/ServiceController.php
 delete mode 100644 security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/GeneralController.php
 delete mode 100644 security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/forms/general.xml
 delete mode 100644 security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/ACL/ACL.xml
 delete mode 100644 security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.php
 delete mode 100644 security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
 delete mode 100644 security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/Menu/Menu.xml
 delete mode 100644 security/softether/src/opnsense/mvc/app/views/OPNsense/Softether/general.volt
 delete mode 100755 security/softether/src/opnsense/scripts/OPNsense/Softether/setup.sh
 delete mode 100644 security/softether/src/opnsense/service/conf/actions.d/actions_softether.conf
 delete mode 100644 security/softether/src/opnsense/service/templates/OPNsense/Softether/+TARGETS
 delete mode 100644 security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server

diff --git a/README.md b/README.md
index 6a421e8d27..9c86888599 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,6 @@ security/maltrail -- Malicious traffic detection system
 security/netbird -- Peer-to-peer VPN that seamlessly connects your devices (development only)
 security/openconnect -- OpenConnect Client
 security/openvpn-legacy -- OpenVPN legacy support
-security/softether -- Cross-platform Multi-protocol VPN Program (development only)
 security/strongswan-legacy -- IPsec legacy support
 security/stunnel -- Stunnel TLS proxy
 security/tailscale -- VPN mesh securely connecting clients using WireGuard
diff --git a/security/softether/Makefile b/security/softether/Makefile
deleted file mode 100644
index e7cc86d2eb..0000000000
--- a/security/softether/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-PLUGIN_NAME=		softether
-PLUGIN_VERSION=		0.3
-PLUGIN_COMMENT=		Cross-platform Multi-protocol VPN Program
-PLUGIN_DEPENDS=		softether
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_DEVEL=		yes
-
-.include "../../Mk/plugins.mk"
diff --git a/security/softether/pkg-descr b/security/softether/pkg-descr
deleted file mode 100644
index e49e2da52d..0000000000
--- a/security/softether/pkg-descr
+++ /dev/null
@@ -1,8 +0,0 @@
-SoftEther VPN ("SoftEther" means "Software Ethernet") is one of
-the world's most powerful and easy-to-use multi-protocol VPN
-software. It runs on Windows, Linux, Mac, FreeBSD and Solaris.
-
-SoftEther VPN is open source. You can use SoftEther for any
-personal or commercial use for free charge.
-
-WWW: https://www.softether.org/
diff --git a/security/softether/src/etc/inc/plugins.inc.d/softether.inc b/security/softether/src/etc/inc/plugins.inc.d/softether.inc
deleted file mode 100644
index e11d8b8392..0000000000
--- a/security/softether/src/etc/inc/plugins.inc.d/softether.inc
+++ /dev/null
@@ -1,67 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-function softether_enabled()
-{
-    $model = new \OPNsense\Softether\General();
-    return (string)$model->enabled == '1';
-}
-
-function softether_carp_enabled()
-{
-    $model = new \OPNsense\Softether\General();
-    return (string)$model->enabled == '1' &&
-        (string)$model->enablecarp == '1';
-}
-
-function softether_carp_interfaces()
-{
-    $model = new \OPNsense\Softether\General();
-    return (string)$model->carpinterfaces;
-}
-
-function softether_services()
-{
-    $services = array();
-
-    if (!softether_enabled()) {
-        return $services;
-    }
-
-    $services[] = array(
-        'description' => gettext('SoftEther VPN'),
-        'configd' => array(
-            'restart' => array('softether restart'),
-            'start' => array('softether start'),
-            'stop' => array('softether stop'),
-        ),
-        'name' => 'vpnserver'
-    );
-
-    return $services;
-}
diff --git a/security/softether/src/etc/rc.syshook.d/carp/50-softether b/security/softether/src/etc/rc.syshook.d/carp/50-softether
deleted file mode 100755
index 71d3e58aec..0000000000
--- a/security/softether/src/etc/rc.syshook.d/carp/50-softether
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/usr/local/bin/php
-<?php
-
-/*
- * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
- * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-require_once('config.inc');
-require_once('util.inc');
-require_once('interfaces.inc');
-require_once('plugins.inc.d/softether.inc');
-
-if (softether_carp_enabled()) {
-    // XXX: carp enable/disable mode
-    $subsystem = !empty($argv[1]) ? $argv[1] : '';
-    $type = !empty($argv[2]) ? $argv[2] : '';
-
-    if ($type != 'MASTER' && $type != 'BACKUP') {
-        log_msg("Carp '$type' event unknown from source '{$subsystem}'");
-        exit(1);
-    }
-
-    if (!strstr($subsystem, '@')) {
-        log_msg("Carp '$type' event triggered from wrong source '{$subsystem}'");
-        exit(1);
-    }
-
-    list ($vhid, $iface) = explode('@', $subsystem);
-    $friendly = convert_real_interface_to_friendly_interface_name($iface);
-
-    if (!(strpos(softether_carp_interfaces(),$friendly) !== false)) {
-        exit(0);
-    }
-
-    switch ($type) {
-        case 'MASTER':
-            touch('/var/run/softether/CARP_MASTER');
-            shell_exec('/usr/local/etc/rc.d/softether_server start');
-            break;
-        case 'BACKUP':
-            if (file_exists('/var/run/softether/CARP_MASTER')) {
-                unlink('/var/run/softether/CARP_MASTER');
-            }
-            shell_exec('/usr/local/etc/rc.d/softether_server stop');
-            break;
-    }
-}
diff --git a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/Api/GeneralController.php b/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/Api/GeneralController.php
deleted file mode 100644
index 5844a20752..0000000000
--- a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/Api/GeneralController.php
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Softether\Api;
-
-use OPNsense\Base\ApiMutableModelControllerBase;
-
-class GeneralController extends ApiMutableModelControllerBase
-{
-    protected static $internalModelClass = '\OPNsense\Softether\General';
-    protected static $internalModelName = 'general';
-}
diff --git a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/Api/ServiceController.php b/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/Api/ServiceController.php
deleted file mode 100644
index ac6b37084c..0000000000
--- a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/Api/ServiceController.php
+++ /dev/null
@@ -1,47 +0,0 @@
-<?php
-
-/**
- *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
- *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-namespace OPNsense\Softether\Api;
-
-use OPNsense\Base\ApiMutableServiceControllerBase;
-use OPNsense\Core\Backend;
-use OPNsense\Softether\General;
-
-/**
- * Class ServiceController
- * @package OPNsense\Softether
- */
-class ServiceController extends ApiMutableServiceControllerBase
-{
-    protected static $internalServiceClass = '\OPNsense\Softether\General';
-    protected static $internalServiceTemplate = 'OPNsense/Softether';
-    protected static $internalServiceEnabled = 'enabled';
-    protected static $internalServiceName = 'softether';
-}
diff --git a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/GeneralController.php b/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/GeneralController.php
deleted file mode 100644
index 7d83f2871a..0000000000
--- a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/GeneralController.php
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Softether;
-
-class GeneralController extends \OPNsense\Base\IndexController
-{
-    public function indexAction()
-    {
-        $this->view->generalForm = $this->getForm("general");
-        $this->view->pick('OPNsense/Softether/general');
-    }
-}
diff --git a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/forms/general.xml b/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/forms/general.xml
deleted file mode 100644
index 8e738f5d41..0000000000
--- a/security/softether/src/opnsense/mvc/app/controllers/OPNsense/Softether/forms/general.xml
+++ /dev/null
@@ -1,21 +0,0 @@
-<form>
-    <field>
-        <id>general.enabled</id>
-        <label>Enable SoftEther</label>
-        <type>checkbox</type>
-        <help>This will activate SoftEther vpnserver process.</help>
-    </field>
-    <field>
-        <id>general.enablecarp</id>
-        <label>Enable CARP Failover</label>
-        <type>checkbox</type>
-        <help>This will activate the vpnserver service only on the master device.</help>
-    </field>
-    <field>
-        <id>general.carpinterfaces</id>
-        <label>Monitored CARP interfaces</label>
-        <type>select_multiple</type>
-        <help><![CDATA[Select the interfaces, whose CARP transitions should be monitored.]]></help>
-        <hint>Type or select interface.</hint>
-    </field>
-</form>
diff --git a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/ACL/ACL.xml b/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/ACL/ACL.xml
deleted file mode 100644
index d7a964e55a..0000000000
--- a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/ACL/ACL.xml
+++ /dev/null
@@ -1,9 +0,0 @@
-<acl>
-   <page-softether-config>
-      <name>VPN: SoftEther</name>
-      <patterns>
-         <pattern>ui/softether/*</pattern>
-         <pattern>api/softether/*</pattern>
-      </patterns>
-   </page-softether-config>
-</acl>
diff --git a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.php b/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.php
deleted file mode 100644
index 20ffb40cf3..0000000000
--- a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-
-/*
-    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
-
-namespace OPNsense\Softether;
-
-use OPNsense\Base\BaseModel;
-
-class General extends BaseModel
-{
-}
diff --git a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml b/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
deleted file mode 100644
index 57d0c91828..0000000000
--- a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/General.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-<model>
-    <mount>//OPNsense/softether/general</mount>
-    <description>Softether configuration</description>
-    <version>0.0.1</version>
-    <items>
-        <enabled type="BooleanField">
-            <Default>0</Default>
-            <Required>Y</Required>
-        </enabled>
-        <enablecarp type="BooleanField">
-            <Default>0</Default>
-            <Required>Y</Required>
-        </enablecarp>
-        <carpinterfaces type="InterfaceField">
-                <Required>N</Required>
-                <Multiple>Y</Multiple>
-                <Default></Default>
-                <AllowDynamic>Y</AllowDynamic>
-                <filters>
-                    <enable>/^(?!0).*$/</enable>
-                </filters>
-        </carpinterfaces>
-    </items>
-</model>
diff --git a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/Menu/Menu.xml b/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/Menu/Menu.xml
deleted file mode 100644
index 6bebfff377..0000000000
--- a/security/softether/src/opnsense/mvc/app/models/OPNsense/Softether/Menu/Menu.xml
+++ /dev/null
@@ -1,5 +0,0 @@
-<menu>
-    <VPN>
-        <SoftEther cssClass="fa fa-lock fa-fw" url="/ui/softether/general/index" order="50" />
-    </VPN>
-</menu>
diff --git a/security/softether/src/opnsense/mvc/app/views/OPNsense/Softether/general.volt b/security/softether/src/opnsense/mvc/app/views/OPNsense/Softether/general.volt
deleted file mode 100644
index 7ddc14d6bb..0000000000
--- a/security/softether/src/opnsense/mvc/app/views/OPNsense/Softether/general.volt
+++ /dev/null
@@ -1,68 +0,0 @@
-{#
-
-OPNsense® is Copyright © 2014 – 2018 by Deciso B.V.
-This file is Copyright © 2018 by Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
-
-<!-- Navigation bar -->
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
-</ul>
-
-<div class="tab-content content-box tab-content">
-    <div id="general" class="tab-pane fade in active">
-        <div class="content-box" style="padding-bottom: 1.5em;">
-            {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-            <div class="col-md-12">
-                <hr />
-                <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
-            </div>
-        </div>
-    </div>
-</div>
-
-<script>
-$( document ).ready(function() {
-    var data_get_map = {'frm_general_settings':"/api/softether/general/get"};
-    mapDataToFormUI(data_get_map).done(function(data){
-        formatTokenizersUI();
-        $('.selectpicker').selectpicker('refresh');
-    });
-
-    updateServiceControlUI('softether');
-
-    $("#saveAct").click(function(){
-        saveFormToEndpoint(url="/api/softether/general/set", formid='frm_general_settings',callback_ok=function(){
-        $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-            ajaxCall(url="/api/softether/service/reconfigure", sendData={}, callback=function(data,status) {
-                updateServiceControlUI('softether');
-                $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-            });
-        });
-    });
-
-});
-</script>
diff --git a/security/softether/src/opnsense/scripts/OPNsense/Softether/setup.sh b/security/softether/src/opnsense/scripts/OPNsense/Softether/setup.sh
deleted file mode 100755
index f83ff509c7..0000000000
--- a/security/softether/src/opnsense/scripts/OPNsense/Softether/setup.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-mkdir -p /var/db/softether
-mkdir -p /var/log/softether
diff --git a/security/softether/src/opnsense/service/conf/actions.d/actions_softether.conf b/security/softether/src/opnsense/service/conf/actions.d/actions_softether.conf
deleted file mode 100644
index 6e840fd06e..0000000000
--- a/security/softether/src/opnsense/service/conf/actions.d/actions_softether.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-[start]
-command:/usr/local/etc/rc.d/softether_server start
-parameters:
-type:script
-message:starting softether
-
-[stop]
-command:/usr/local/etc/rc.d/softether_server stop
-parameters:
-type:script
-message:stopping softether
-
-[restart]
-command:/usr/local/etc/rc.d/softether_server restart
-parameters:
-type:script
-message:restarting softether
-
-[status]
-command:/usr/local/etc/rc.d/softether_server status; exit 0
-parameters:
-type:script_output
-message:softether status
diff --git a/security/softether/src/opnsense/service/templates/OPNsense/Softether/+TARGETS b/security/softether/src/opnsense/service/templates/OPNsense/Softether/+TARGETS
deleted file mode 100644
index 04e32a9777..0000000000
--- a/security/softether/src/opnsense/service/templates/OPNsense/Softether/+TARGETS
+++ /dev/null
@@ -1 +0,0 @@
-softether_server:/etc/rc.conf.d/softether_server
diff --git a/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server b/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server
deleted file mode 100644
index be34375d56..0000000000
--- a/security/softether/src/opnsense/service/templates/OPNsense/Softether/softether_server
+++ /dev/null
@@ -1,9 +0,0 @@
-{% if helpers.exists('OPNsense.softether.general.enabled') and OPNsense.softether.general.enabled == '1' %}
-softether_server_setup="/usr/local/opnsense/scripts/OPNsense/Softether/setup.sh"
-softether_server_enable="YES"
-{% if helpers.exists('OPNsense.softether.general.enablecarp') and OPNsense.softether.general.enablecarp == '1' %}
-required_files="/var/run/softether/CARP_MASTER"
-{% endif %}
-{% else %}
-softether_server_enable="NO"
-{% endif %}

From ceace150e335449b95d8a88d55b14b7041224a75 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 29 Aug 2025 14:40:53 +0200
Subject: [PATCH 2636/3088] bootgrid: Sweep rowcount as default has been
 increased in
 https://github.com/opnsense/core/commit/baa1730b1a9f1d8c9f0bb81a0ff1521636824231
 (#4916)

---
 .../mvc/app/views/OPNsense/Bind/logs.volt         |  2 --
 .../mvc/app/views/OPNsense/ZabbixAgent/index.volt |  2 --
 .../mvc/app/views/OPNsense/Freeradius/proxy.volt  |  3 ---
 .../mvc/app/views/OPNsense/HAProxy/index.volt     | 15 ---------------
 .../app/views/OPNsense/HAProxy/maintenance.volt   |  2 --
 .../app/views/OPNsense/AcmeClient/accounts.volt   |  1 -
 .../app/views/OPNsense/AcmeClient/actions.volt    |  1 -
 .../views/OPNsense/AcmeClient/certificates.volt   |  1 -
 .../mvc/app/views/OPNsense/AcmeClient/logs.volt   |  2 --
 .../views/OPNsense/AcmeClient/validations.volt    |  1 -
 10 files changed, 30 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
index e50125f615..4eab4cb5a9 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/logs.volt
@@ -34,7 +34,6 @@
               sorting:false,
               rowSelect: false,
               selection: false,
-              rowCount:[20,50,100,200,500,1000,-1],
           },
           search:'/api/diagnostics/log/named/query'
       });
@@ -45,7 +44,6 @@
               sorting:false,
               rowSelect: false,
               selection: false,
-              rowCount:[20,50,100,200,500,1000,-1],
           },
           search:'/api/diagnostics/log/named/rpz'
       });
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
index 3339872a8a..3041c4f696 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/views/OPNsense/ZabbixAgent/index.volt
@@ -48,7 +48,6 @@ $( document ).ready(function() {
             del:'/api/zabbixagent/settings/del_userparameter/',
             toggle:'/api/zabbixagent/settings/toggle_userparameter/',
             options: {
-                rowCount:[10,25,50,100,500,1000]
             }
         }
     );
@@ -61,7 +60,6 @@ $( document ).ready(function() {
             del:'/api/zabbixagent/settings/del_alias/',
             toggle:'/api/zabbixagent/settings/toggle_alias/',
             options: {
-                rowCount:[10,25,50,100,500,1000]
             }
         }
     );
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
index e979d8bb62..7127c13e58 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/proxy.volt
@@ -50,7 +50,6 @@ $( document ).ready(function() {
                 'del':'/api/freeradius/proxy/del_homeserver/',
                 'toggle':'/api/freeradius/proxy/toggle_homeserver/',
             options: {
-                rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -62,7 +61,6 @@ $( document ).ready(function() {
                 'del':'/api/freeradius/proxy/del_homeserverpool/',
                 'toggle':'/api/freeradius/proxy/toggle_homeserverpool/',
             options: {
-                rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -74,7 +72,6 @@ $( document ).ready(function() {
                 'del':'/api/freeradius/proxy/del_realm/',
                 'toggle':'/api/freeradius/proxy/toggle_realm/',
             options: {
-                rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index cae271d222..cb6eea31a4 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -56,7 +56,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_frontend/',
                 toggle:'/api/haproxy/settings/toggle_frontend/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -69,7 +68,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_backend/',
                 toggle:'/api/haproxy/settings/toggle_backend/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -82,7 +80,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_server/',
                 toggle:'/api/haproxy/settings/toggle_server/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -94,7 +91,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 add:'/api/haproxy/settings/add_healthcheck/',
                 del:'/api/haproxy/settings/del_healthcheck/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -106,7 +102,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 add:'/api/haproxy/settings/add_action/',
                 del:'/api/haproxy/settings/del_action/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -118,7 +113,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 add:'/api/haproxy/settings/add_acl/',
                 del:'/api/haproxy/settings/del_acl/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -131,7 +125,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_user/',
                 toggle:'/api/haproxy/settings/toggle_user/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -144,7 +137,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_group/',
                 toggle:'/api/haproxy/settings/toggle_group/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -157,7 +149,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_lua/',
                 toggle:'/api/haproxy/settings/toggle_lua/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -169,7 +160,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 add:'/api/haproxy/settings/add_fcgi/',
                 del:'/api/haproxy/settings/del_fcgi/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -181,7 +171,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 add:'/api/haproxy/settings/add_errorfile/',
                 del:'/api/haproxy/settings/del_errorfile/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -193,7 +182,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 add:'/api/haproxy/settings/add_mapfile/',
                 del:'/api/haproxy/settings/del_mapfile/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -206,7 +194,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_cpu/',
                 toggle:'/api/haproxy/settings/toggle_cpu/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -219,7 +206,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_resolver/',
                 toggle:'/api/haproxy/settings/toggle_resolver/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
@@ -232,7 +218,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/haproxy/settings/del_mailer/',
                 toggle:'/api/haproxy/settings/toggle_mailer/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index e140eeb27f..0094f996c9 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -182,7 +182,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 selection: true,
                 multiSelect: true,
                 keepSelection: true,
-                rowCount:[10,25,50,100,500,1000],
                 searchSettings: {
                     delay: 250,
                     characters: 1
@@ -292,7 +291,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 selection: true,
                 multiSelect: true,
                 keepSelection: true,
-                rowCount:[10,25,50,100,500,1000],
                 searchSettings: {
                     delay: 250,
                     characters: 1
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index a9623ad107..3836955d8f 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -49,7 +49,6 @@ POSSIBILITY OF SUCH DAMAGE.
             ajax: true,
             selection: true,
             multiSelect: true,
-            rowCount:[10,25,50,100,500,1000],
             url: '/api/acmeclient/accounts/search',
             formatters: {
                 "commands": function (column, row) {
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
index 9474a0613b..2b57076f1b 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/actions.volt
@@ -43,7 +43,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/acmeclient/actions/del/',
                 toggle:'/api/acmeclient/actions/toggle/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index 75cfd51547..e824edd850 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -56,7 +56,6 @@ POSSIBILITY OF SUCH DAMAGE.
             ajax: true,
             selection: true,
             multiSelect: true,
-            rowCount:[10,25,50,100,500,1000],
             url: '/api/acmeclient/certificates/search',
             formatters: {
                 "commands": function (column, row) {
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
index debf4ef220..dbfb34efb8 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
@@ -35,7 +35,6 @@
               sorting:false,
               rowSelect: false,
               selection: false,
-              rowCount:[20,50,100,200,500,1000,-1],
               requestHandler: function(request){
                   // Show only log entries that match 'AcmeClient'
                   request['searchPhrase'] = 'acmeclient';
@@ -51,7 +50,6 @@
               sorting:false,
               rowSelect: false,
               selection: false,
-              rowCount:[20,50,100,200,500,1000,-1],
           },
           search:'/api/diagnostics/log/core/acmeclient'
       });
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
index c3ed80d05d..f5643178b0 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/validations.volt
@@ -43,7 +43,6 @@ POSSIBILITY OF SUCH DAMAGE.
                 del:'/api/acmeclient/validations/del/',
                 toggle:'/api/acmeclient/validations/toggle/',
                 options: {
-                    rowCount:[10,25,50,100,500,1000]
                 }
             }
         );

From c2f8aec72b93f55b0239a244fe636fc2acb41639 Mon Sep 17 00:00:00 2001
From: Gauss23 <gauss@gmx.de>
Date: Sun, 31 Aug 2025 15:50:19 +0200
Subject: [PATCH 2637/3088] security/netbird: Fix typo in firewall settings
 label (#4917)

---
 .../mvc/app/controllers/OPNsense/Netbird/forms/settings.xml     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
index 7be06a710a..4d9f69bb27 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
@@ -21,7 +21,7 @@
     </field>
     <field>
         <id>settings.firewall.allowConfig</id>
-        <label>Enable firewal</label>
+        <label>Enable Firewall</label>
         <type>checkbox</type>
         <help>Allow the client to filter traffic with its built-in firewall. If disabled, you must assign the NetBird interface and manage firewall rules via OPNsense firewall management.
             Additionally, NetBird routing and DNS may not function as intended.</help>

From a691165cee5ebdff2ab8c04f768b797e116ca255 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 2 Sep 2025 09:26:22 +0200
Subject: [PATCH 2638/3088] www/caddy: Fix setup.sh script interaction with
 files and directories in caddy storage (#4911)

* www/caddy: Fix setup.sh script interaction with files and directories in caddy storage

This fixes multiple things:
- When running as www:www user, the interaction with the admin socket could fail, now we do not touch /var/run/caddy and let it be handled by the permissions set in the rc.d script
- When restarting/reloading caddy, permissions and ownerships would be changed every time, possibly breaking the storage if caddy writes at the same time
- The custom certificates are now stored outside the scope of the caddy storage, ensuring caddy has atomic write guarantee on /var/db/caddy/data...

* Fix some review comments

* add changelog
---
 www/caddy/pkg-descr                           |  3 +-
 .../scripts/OPNsense/Caddy/caddy_certs.php    |  2 +-
 .../opnsense/scripts/OPNsense/Caddy/setup.sh  | 68 ++++++++++---------
 .../templates/OPNsense/Caddy/Caddyfile        |  6 +-
 .../templates/OPNsense/Caddy/includeLayer4    |  8 +--
 5 files changed, 47 insertions(+), 40 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 4db418bc6c..d03ab08879 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -9,8 +9,9 @@ Plugin Changelog
 2.0.3
 
 Add: Tabulator groupBy of domain and subdomain (opnsense/plugins/pull/4909)
-Fix: Tabulator 'Data Load Response Blocked' warning
 Cleanup: Grid HTML and style
+Fix: Tabulator 'Data Load Response Blocked' warning
+Fix: setup.sh interaction with caddy storage and permissions (opnsense/plugins/pull/4911)
 
 2.0.2
 
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index 0c14379c4d..c8e860d455 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -43,7 +43,7 @@
     }
 };
 
-$tempDir = '/var/db/caddy/data/caddy/certificates/temp/';
+$tempDir = '/usr/local/etc/caddy/certificates';
 
 // leaf certificate chain
 $certificateRefs = [];
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
index e2d00c66a3..5b757de219 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #
-# Copyright (c) 2023-2024 Cedrik Pischem
+# Copyright (c) 2023-2025 Cedrik Pischem
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -26,46 +26,52 @@
 # POSSIBILITY OF SUCH DAMAGE.
 #
 
-# The directories are created as root:www with rwx permissions for both,
-# so the user can change in the GUI if caddy runs as root or www
-# If only ports 1024 and above are used, caddy can run as www user and group.
+# Detect configured caddy_user/group (defaults)
+. /etc/rc.conf.d/caddy
+CADDY_USER="${caddy_user:-root}"
+CADDY_GROUP="${caddy_group:-wheel}"
+
+# Canary to detect root->www switch (disable superuser) permission issues
+# The storage instance will always exist, it's a good assumption
+CANARY="/var/db/caddy/data/caddy/instance.uuid"
 
 # Define directories
 CADDY_CONF_DIR="/usr/local/etc/caddy"
 CADDY_DATA_DIR="/var/db/caddy"
 CADDY_LOG_DIR="/var/log/caddy"
-CADDY_RUN_DIR="/var/run/caddy"
 CADDY_CONF_CUSTOM_DIR="${CADDY_CONF_DIR}/caddy.d"
-CADDY_DATA_CUSTOM_DIR="${CADDY_DATA_DIR}/data/caddy/certificates/temp"
+CADDY_CONF_CERT_DIR="${CADDY_CONF_DIR}/certificates"
 CADDY_LOG_CUSTOM_DIR="${CADDY_LOG_DIR}/access"
 
-mkdir -p "${CADDY_CONF_DIR}"
-mkdir -p "${CADDY_DATA_DIR}"
-mkdir -p "${CADDY_LOG_DIR}"
-mkdir -p "${CADDY_RUN_DIR}"
-mkdir -p "${CADDY_CONF_CUSTOM_DIR}"
-mkdir -p "${CADDY_DATA_CUSTOM_DIR}"
-mkdir -p "${CADDY_LOG_CUSTOM_DIR}"
+mkdir -p "${CADDY_CONF_DIR}" \
+         "${CADDY_DATA_DIR}" \
+         "${CADDY_LOG_DIR}" \
+         "${CADDY_CONF_CUSTOM_DIR}" \
+         "${CADDY_CONF_CERT_DIR}" \
+         "${CADDY_LOG_CUSTOM_DIR}"
+
+# Format and overwrite the Caddyfile
+( cd "${CADDY_CONF_DIR}" && /usr/local/bin/caddy fmt --overwrite )
 
-chown -R root:www "${CADDY_CONF_DIR}"
-chown -R root:www "${CADDY_DATA_DIR}"
-chown -R root:www "${CADDY_LOG_DIR}"
-chown -R root:www "${CADDY_RUN_DIR}"
+# Write custom certs from the OPNsense Trust Store
+/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
 
-# Directories need execute permissions to be accessible
-find "${CADDY_CONF_DIR}" -type d -exec chmod 770 {} +
-find "${CADDY_DATA_DIR}" -type d -exec chmod 770 {} +
-find "${CADDY_LOG_DIR}" -type d -exec chmod 770 {} +
-find "${CADDY_RUN_DIR}" -type d -exec chmod 770 {} +
+# Ownership decision based on current service user/group, otherwise skip
+EXPECTED_USER="$CADDY_USER"
+EXPECTED_GROUP="$CADDY_GROUP"
 
-# Files can have read/write permissions
-find "${CADDY_CONF_DIR}" -type f -exec chmod 660 {} +
-find "${CADDY_DATA_DIR}" -type f -exec chmod 660 {} +
-find "${CADDY_LOG_DIR}" -type f -exec chmod 660 {} +
-find "${CADDY_RUN_DIR}" -type f -exec chmod 660 {} +
+if [ -f "$CANARY" ]; then
+    CANARY_USER="$(stat -f '%Su' "$CANARY")"
+    CANARY_GROUP="$(stat -f '%Sg' "$CANARY")"
 
-# Format and overwrite the Caddyfile, this makes whitespace control in jinja2 unnecessary
-(cd "${CADDY_CONF_DIR}" && /usr/local/bin/caddy fmt --overwrite)
+    if [ "$CANARY_USER" = "$EXPECTED_USER" -a "$CANARY_GROUP" = "$EXPECTED_GROUP" ]; then
+        exit 0
+    fi
+fi
 
-# Write custom certs from the OPNsense Trust Store to CADDY_DATA_CUSTOM_DIR
-/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+# Use detected service user/group, only migrate ownership
+# We only interact with the storage in this specific edge case, in all other cases caddy must have atomic write guarantee
+chown -R "${CADDY_USER}:${CADDY_GROUP}" "${CADDY_CONF_DIR}" \
+                                        "${CADDY_DATA_DIR}" \
+                                        "${CADDY_LOG_DIR}" \
+                                        "${CADDY_CONF_CERT_DIR}"
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 997a746f49..c169890680 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -312,7 +312,7 @@ http://{{ domain }} {
     tlsDnsPropagationResolvers=""
 ) %}
     {% if customCert or (dnsChallenge == "1" and dnsProvider) or clientAuthTrustPool %}
-        tls {% if customCert %}/var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.pem /var/db/caddy/data/caddy/certificates/temp/{{ customCert }}.key{% endif %} {
+        tls {% if customCert %}/usr/local/etc/caddy/certificates/{{ customCert }}.pem /usr/local/etc/caddy/certificates/{{ customCert }}.key{% endif %} {
             {% if not customCert and (dnsChallenge == "1" and dnsProvider) %}
             issuer acme {
                 dns {{ dnsProvider }} {{ dnsApiKey }}
@@ -334,7 +334,7 @@ http://{{ domain }} {
             {% if clientAuthTrustPool %}
                 client_auth {
                     {% for ca in clientAuthTrustPool.split(',') %}
-                    trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ ca.strip() }}.pem
+                    trust_pool file /usr/local/etc/caddy/certificates/{{ ca.strip() }}.pem
                     {% endfor %}
                     {% if clientAuthMode %}
                     mode {{ clientAuthMode }}
@@ -508,7 +508,7 @@ http://{{ domain }} {
                             tls_insecure_skip_verify
                         {% endif %}
                         {% if handle.HttpTlsTrustedCaCerts %}
-                            tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
+                            tls_trust_pool file /usr/local/etc/caddy/certificates/{{ handle.HttpTlsTrustedCaCerts }}.pem
                         {% endif %}
                         {% if handle.HttpTlsServerName %}
                             tls_server_name {{ handle.HttpTlsServerName }}
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index 92d6387594..53b04b1a9b 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -99,7 +99,7 @@
                 {% if layer4.FromOpenvpnStaticKey %}
                     group_key_direction {{ direction }}
                     {% for key_uuid in key_list %}
-                    group_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+                    group_key_file /usr/local/etc/caddy/certificates/{{ key_uuid.strip() }}.key
                     {% endfor %}
                 {% endif %}
                 }
@@ -111,7 +111,7 @@
                     modes crypt
                 {% if layer4.FromOpenvpnStaticKey %}
                     {% for key_uuid in key_list %}
-                    group_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+                    group_key_file /usr/local/etc/caddy/certificates/{{ key_uuid.strip() }}.key
                     {% endfor %}
                 {% endif %}
                 }
@@ -121,7 +121,7 @@
                     modes crypt2
                     {% if layer4.FromOpenvpnStaticKey %}
                         {% for key_uuid in key_list %}
-                    client_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+                    client_key_file /usr/local/etc/caddy/certificates/{{ key_uuid.strip() }}.key
                         {% endfor %}
                     {% endif %}
                 }
@@ -133,7 +133,7 @@
                     modes crypt2
                     {% if layer4.FromOpenvpnStaticKey %}
                         {% for key_uuid in key_list %}
-                    server_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+                    server_key_file /usr/local/etc/caddy/certificates/{{ key_uuid.strip() }}.key
                         {% endfor %}
                     {% endif %}
                 }

From 2c4e372109bf59184bf569e122fc59c59fb57512 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 2 Sep 2025 09:52:37 +0200
Subject: [PATCH 2639/3088] www/caddy: Fix subdomain http access log (#4919)

* www/caddy: Emit subdomain http access logs in the same log collector as their wildcard parent

* add changelog
---
 www/caddy/pkg-descr                                             | 1 +
 .../src/opnsense/service/templates/OPNsense/Caddy/Caddyfile     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index d03ab08879..2c24dd7ffa 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -12,6 +12,7 @@ Add: Tabulator groupBy of domain and subdomain (opnsense/plugins/pull/4909)
 Cleanup: Grid HTML and style
 Fix: Tabulator 'Data Load Response Blocked' warning
 Fix: setup.sh interaction with caddy storage and permissions (opnsense/plugins/pull/4911)
+Fix: Emit subdomain http access logs when wildcard parent has logging enabled (opnsense/plugins/issues/4914)
 
 2.0.2
 
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index c169890680..e7c7168e95 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -647,7 +647,7 @@ http://{{ domain }} {
             {% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ subdomain.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
                 {% if reverse.AccessLog|default("0") == "1" %}
                     {% if generalSettings.LogAccessPlain|default("0") == "0" %}
-                        log {{ subdomain['@uuid'] }}
+                        log {{ reverse['@uuid'] }}
                     {% else %}
                         log {
                             output file /var/log/caddy/access/{{ subdomain['@uuid'] }}.log {

From 3a3984f01f9930bc70d5b7455515d28a293868c5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Sep 2025 15:41:46 +0200
Subject: [PATCH 2640/3088] net/shadowsocks: FreeBSD port points to wrong
 config

PR: https://github.com/opnsense/ports/pull/235
---
 net/shadowsocks/Makefile                                        | 2 +-
 .../src/opnsense/service/templates/OPNsense/Shadowsocks/sslocal | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/shadowsocks/Makefile b/net/shadowsocks/Makefile
index ba50d1d293..487d2efe60 100644
--- a/net/shadowsocks/Makefile
+++ b/net/shadowsocks/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		shadowsocks
 PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Secure socks5 proxy
 PLUGIN_DEPENDS=		shadowsocks-rust
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/sslocal b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/sslocal
index d7fe2808ac..bf81f63bd4 100644
--- a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/sslocal
+++ b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/sslocal
@@ -1,5 +1,6 @@
 {% if helpers.exists('OPNsense.shadowsocks.local.enabled') and OPNsense.shadowsocks.local.enabled == '1' %}
 sslocal_rust_enable="YES"
+sslocal_rust_args="-c /usr/local/etc/shadowsocks-rust/local.json"
 {% else %}
 sslocal_rust_enable="NO"
 {% endif %}

From d9e74df9ebf0ca6f2382ce4d34aac28ee20f3c10 Mon Sep 17 00:00:00 2001
From: kulikov-a <kulikov.a@gmail.com>
Date: Sat, 6 Sep 2025 19:32:23 +0300
Subject: [PATCH 2641/3088] nginx_1.35 (#4600)

---
 www/nginx/Makefile                            |  3 +-
 www/nginx/pkg-descr                           |  9 +++
 .../OPNsense/Nginx/Api/SettingsController.php | 26 +++++++++
 .../OPNsense/Nginx/IndexController.php        |  1 +
 .../OPNsense/Nginx/forms/httpserver.xml       | 17 +++++-
 .../OPNsense/Nginx/forms/location.xml         | 18 +++++-
 .../Nginx/forms/proxy_cache_valid.xml         | 22 +++++++
 .../OPNsense/Nginx/forms/settings.xml         | 16 ++++-
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 58 ++++++++++++++++++-
 .../mvc/app/views/OPNsense/Nginx/index.volt   | 28 +++++++++
 .../src/opnsense/scripts/nginx/setup.php      | 24 +++++---
 .../templates/OPNsense/Nginx/http.conf        |  9 ++-
 .../templates/OPNsense/Nginx/location.conf    | 11 +++-
 .../www/js/nginx/dist/configuration.min.js    |  2 +-
 .../opnsense/www/js/nginx/src/nginx_config.js |  1 +
 15 files changed, 228 insertions(+), 17 deletions(-)
 create mode 100644 www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/proxy_cache_valid.xml

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index a952c7337f..c16651e7d4 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	8
+PLUGIN_VERSION=		1.35
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 0f7cb8ac84..ce2b4b95bf 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,15 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.35
+
+* Global options sendfile directive typo fix
+* Add HTTP/2 option to GUI
+* Add multiple client authentication trusted CA support
+* Add proxy_intercept_errors directive support
+* Add Variables hashes size support
+* Add proxy_cache_valid directive support with response codes and multiple selection options
+
 1.34
 
 * Add the option to not log TLS handshakes
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
index 0458bc2aa3..7b2043b904 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php
@@ -249,6 +249,32 @@ public function setresolverAction($uuid)
         return $this->setBase('resolver', 'resolver', $uuid);
     }
 
+    // proxy_cache_valid
+    public function searchproxyCacheValidAction()
+    {
+        return $this->searchBase('proxy_cache_valid', array('uuid', 'description', 'code', 'valid'));
+    }
+
+    public function getproxyCacheValidAction($uuid = null)
+    {
+        return $this->getBase('proxy_cache_valid', 'proxy_cache_valid', $uuid);
+    }
+
+    public function addproxyCacheValidAction()
+    {
+        return $this->addBase('proxy_cache_valid', 'proxy_cache_valid');
+    }
+
+    public function delproxyCacheValidAction($uuid)
+    {
+        return $this->delBase('proxy_cache_valid', $uuid);
+    }
+
+    public function setproxyCacheValidAction($uuid)
+    {
+        return $this->setBase('proxy_cache_valid', 'proxy_cache_valid', $uuid);
+    }
+
     // http server
     public function searchhttpserverAction()
     {
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
index a30d036d17..01ad3330a2 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php
@@ -64,6 +64,7 @@ public function indexAction()
         $this->view->errorpage = $this->getForm("errorpage");
         $this->view->tls_fingerprint = $this->getForm("tls_fingerprint");
         $this->view->resolver = $this->getForm("resolver");
+        $this->view->proxy_cache_valid = $this->getForm("proxy_cache_valid");
         $this->view->syslog_target = $this->getForm("syslog_target");
         $nginx = new Nginx();
         $this->view->show_naxsi_download_button =
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 33cf1ce522..21f8b4a288 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -113,7 +113,8 @@
   <field>
     <id>httpserver.ca</id>
     <label>Client CA Certificate</label>
-    <type>dropdown</type>
+    <type>select_multiple</type>
+    <help>Trusted CA certificates</help>
   </field>
   <field>
     <id>httpserver.verify_client</id>
@@ -165,6 +166,13 @@
     <type>checkbox</type>
     <help>If the request scheme is not HTTPS, redirect to use HTTPS for this server.</help>
   </field>
+  <field>
+    <id>httpserver.http2</id>
+    <label>HTTP/2</label>
+    <type>checkbox</type>
+    <help>Enable the HTTP/2 protocol.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>httpserver.tls_protocols</id>
     <label>TLS Protocols</label>
@@ -320,4 +328,11 @@
     <type>select_multiple</type>
     <help>Select custom error pages to display instead of the default builtin error pages. If at least one error page is selected here, all default error pages will be disabled.</help>
   </field>
+  <field>
+    <id>httpserver.proxy_intercept_errors</id>
+    <label>Intercept errors</label>
+    <type>checkbox</type>
+    <help>Intercept responses with codes greater than or equal to 300 and redirect to processing with custom error pages.</help>
+    <advanced>true</advanced>
+  </field>
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index d6ee67abb0..23fdccff54 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -98,11 +98,19 @@
   </field>
   <field>
     <id>location.cache_valid</id>
-    <label>Cache: Force caching time</label>
+    <label>Cache: Force basic caching time</label>
     <type>text</type>
     <advanced>true</advanced>
     <help>Force caching of 200, 301 and 302 responses according to the request methods enabled for caching. Given in minutes; leave empty to rely on request/response headers from client and upstream.</help>
   </field>
+  <field>
+    <id>location.proxy_cache_valid</id>
+    <label>Cache: Force custom caching times</label>
+    <type>select_multiple</type>
+    <style>selectpicker</style>
+    <advanced>true</advanced>
+    <help>Force caching of response codes specified at Response Code Caching page.</help>
+  </field>
   <field>
     <id>location.cache_background_update</id>
     <label>Cache: Background Update</label>
@@ -335,4 +343,12 @@
     <type>select_multiple</type>
     <help>Select custom error pages to display instead of the default builtin error pages. Selection will override error pages configured on HTTP server.</help>
   </field>
+  <field>
+    <id>location.proxy_intercept_errors</id>
+    <label>Intercept errors</label>
+    <type>dropdown</type>
+    <style>selectpicker</style>
+    <help>Intercept responses with codes greater than or equal to 300 and redirect to processing with custom error pages.</help>
+    <advanced>true</advanced>
+  </field>
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/proxy_cache_valid.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/proxy_cache_valid.xml
new file mode 100644
index 0000000000..e37702e9d3
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/proxy_cache_valid.xml
@@ -0,0 +1,22 @@
+<form>
+  <field>
+    <id>proxy_cache_valid.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Brief description for reference.</help>
+  </field>
+  <field>
+    <id>proxy_cache_valid.code</id>
+    <label>Code(s)</label>
+    <allownew>true</allownew>
+    <style>tokenize</style>
+    <type>select_multiple</type>
+    <help>Enter a Respone codes or use "any" to cache any responses.</help>
+  </field>
+  <field>
+    <id>proxy_cache_valid.valid</id>
+    <label>Caching Time</label>
+    <type>text</type>
+    <help>Specify caching time in minutes.</help>
+  </field>
+</form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
index 8ac01921ce..3afcab4c6a 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
@@ -31,7 +31,7 @@
                 <advanced>true</advanced>
             </field>
             <field>
-                <id>nginx.http.enabled</id>
+                <id>nginx.http.sendfile</id>
                 <label>Enable sendfile</label>
                 <type>checkbox</type>
                 <help>Enable sendfile support (faster).</help>
@@ -56,7 +56,7 @@
             </field>
             <field>
                 <id>nginx.http.server_names_hash_bucket_size</id>
-                <label>Hash Bucket Size</label>
+                <label>Server Names Hash Bucket Size</label>
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
@@ -66,6 +66,18 @@
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
+            <field>
+                <id>nginx.http.variables_hash_bucket_size</id>
+                <label>Variables Hash Bucket Size</label>
+                <type>text</type>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>nginx.http.variables_hash_max_size</id>
+                <label>Variables Hash Max Size</label>
+                <type>text</type>
+                <advanced>true</advanced>
+            </field>
             <field>
                 <id>nginx.http.bots_ua</id>
                 <label>Bots User Agents</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index fdc25d56d8..423b564228 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.34</version>
+  <version>1.35</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -56,6 +56,14 @@
         <Required>N</Required>
         <MinimumValue>1</MinimumValue>
       </server_names_hash_max_size>
+      <variables_hash_max_size type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>1</MinimumValue>
+      </variables_hash_max_size>
+      <variables_hash_bucket_size type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>1</MinimumValue>
+      </variables_hash_bucket_size>
       <ban_response type="OptionField">
         <Multiple>N</Multiple>
         <OptionValues>
@@ -352,6 +360,18 @@
       <cache_valid type="IntegerField">
         <Required>N</Required>
       </cache_valid>
+      <proxy_cache_valid type="ModelRelationField">
+        <Model>
+          <template>
+            <source>OPNsense.Nginx.Nginx</source>
+            <items>proxy_cache_valid</items>
+            <display>description</display>
+          </template>
+        </Model>
+        <ValidationMessage>Selected caching time settings not found</ValidationMessage>
+        <Required>N</Required>
+        <multiple>Y</multiple>
+      </proxy_cache_valid>
       <cache_background_update type="BooleanField">
         <Required>Y</Required>
         <Default>0</Default>
@@ -557,6 +577,15 @@
         <Required>N</Required>
         <Multiple>Y</Multiple>
       </errorpages>
+      <proxy_intercept_errors type="OptionField">
+        <default>Inherit</default>
+        <Required>Y</Required>
+        <OptionValues>
+          <Inherit>Inherit</Inherit>
+          <on>On</on>
+          <off>Off</off>
+        </OptionValues>
+      </proxy_intercept_errors>
     </location>
 
     <custom_policy type="ArrayField">
@@ -827,6 +856,7 @@
       <ca type="CertificateField">
         <Type>ca</Type>
         <Required>N</Required>
+        <multiple>Y</multiple>
       </ca>
       <verify_client type="OptionField">
         <Default>Off</Default>
@@ -881,6 +911,10 @@
         <Default>0</Default>
         <Required>Y</Required>
       </https_only>
+      <http2 type="BooleanField">
+        <default>1</default>
+        <Required>Y</Required>
+      </http2>
       <tls_protocols type="OptionField">
         <Multiple>Y</Multiple>
         <Sorted>Y</Sorted>
@@ -1038,6 +1072,10 @@
         <Required>N</Required>
         <Multiple>Y</Multiple>
       </errorpages>
+      <proxy_intercept_errors type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </proxy_intercept_errors>
     </http_server>
 
     <stream_server type="ArrayField">
@@ -1955,6 +1993,24 @@
       </max_size>
     </cache_path>
 
+    <proxy_cache_valid type="ArrayField">
+      <description type="TextField">
+        <Required>Y</Required>
+        <mask>/^[^" \t]+$/i</mask>
+      </description>
+      <code type="CSVListField">
+        <Required>Y</Required>
+        <default>any</default>
+        <multiple>Y</multiple>
+        <mask>/(^\d{3}(,\d{3})*$)|(^any$)/</mask>
+        <ValidationMessage>Please use three digit response code(s) or use "any" word.</ValidationMessage>
+      </code>
+      <valid type="IntegerField">
+        <MinimumValue>1</MinimumValue>
+        <Required>Y</Required>
+      </valid>
+    </proxy_cache_valid>
+
     <syslog_target type="ArrayField">
       <description type="TextField">
         <Required>Y</Required>
diff --git a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
index 5c715e748c..f64990afb1 100644
--- a/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
+++ b/www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt
@@ -193,6 +193,9 @@
             <li>
                 <a data-toggle="tab" id="subtab_item_nginx-http-cache_path" href="#subtab_nginx-http-cache_path">{{ lang._('Cache Path')}}</a>
             </li>
+            <li>
+                <a data-toggle="tab" id="subtab_item_nginx-http-proxy_cache_valid" href="#subtab_nginx-http-proxy_cache_valid">{{ lang._('Response Code Caching')}}</a>
+            </li>
             <li>
                 <a data-toggle="tab" id="subtab_item_nginx-http-errorpages" href="#subtab_nginx-http-errorpages">{{ lang._('Error Pages')}}</a>
             </li>
@@ -603,6 +606,30 @@
             </tfoot>
         </table>
     </div>
+    <div id="subtab_nginx-http-proxy_cache_valid" class="tab-pane fade">
+        <table id="grid-proxy_cache_valid" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="proxy_cache_validdlg">
+            <thead>
+                <tr>
+                    <th data-column-id="uuid" data-type="string" data-sortable="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="code" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Codes') }}</th>
+                    <th data-column-id="valid" data-type="numeric" data-sortable="true" data-visible="true">{{ lang._('Time') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
     <div id="subtab_nginx-access-request-limit" class="tab-pane fade">
         <table id="grid-limit_zone" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="limit_zonedlg">
             <thead>
@@ -825,6 +852,7 @@
 {{ partial("layout_partials/base_dialog",['fields': limit_request_connection,'id':'limit_request_connectiondlg', 'label':lang._('Edit Request Connection Limit')]) }}
 {{ partial("layout_partials/base_dialog",['fields': limit_zone,'id':'limit_zonedlg', 'label':lang._('Edit Limit Zone')]) }}
 {{ partial("layout_partials/base_dialog",['fields': cache_path,'id':'cache_pathdlg', 'label':lang._('Edit Cache Path')]) }}
+{{ partial("layout_partials/base_dialog",['fields': proxy_cache_valid,'id':'proxy_cache_validdlg', 'label':lang._('Edit Response Code Caching')]) }}
 {{ partial("layout_partials/base_dialog",['fields': sni_hostname_map,'id':'sni_hostname_mapdlg', 'label':lang._('Edit SNI Hostname Mapping')]) }}
 {{ partial("layout_partials/base_dialog",['fields': ipacl,'id':'ipacl_dlg', 'label':lang._('Edit IP ACL')]) }}
 {{ partial("layout_partials/base_dialog",['fields': errorpage,'id':'errorpage_dlg', 'label':lang._('Edit Error Page')]) }}
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 96a863c740..2e92730c29 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -120,15 +120,25 @@ function find_ca($refid)
                 $cert['prv']
             );
             if (!empty($http_server['ca'])) {
-                foreach ($http_server['ca'] as $caref) {
-                    $ca = find_ca($caref);
-                    if (isset($ca)) {
-                        export_pem_file(
-                            KEY_DIRECTORY . $hostname . '_ca.pem',
-                            $ca['crt']
-                        );
+                syslog(LOG_DEBUG, "NGINX setup: Setting up the CA certs for {$hostname}.");
+                $ca_certs = [];
+                foreach ($http_server['ca'] as $carefs) {
+                    foreach(explode(',', $carefs) as $caref) {
+                        syslog(LOG_DEBUG, "NGINX setup: Searching for {$caref} CA data");
+                        $ca = find_ca($caref);
+                        if (isset($ca)) {
+                            syslog(LOG_DEBUG, "NGINX setup: client auth CA found. Adding to the list");
+                            $ca_certs[] = base64_decode($ca['crt']);
+                        }
                     }
                 }
+                if (count($ca_certs) > 0) {
+                    export_pem_file(
+                        KEY_DIRECTORY . $hostname . '_ca.pem',
+                        '',
+                        implode("\n", $ca_certs)
+                    );
+                }
             }
         }
     }
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 87592f4b4e..f787eff2c4 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -48,6 +48,12 @@ server_names_hash_max_size {{ OPNsense.Nginx.http.server_names_hash_max_size }};
 {% if OPNsense.Nginx.http.server_names_hash_bucket_size is defined and OPNsense.Nginx.http.server_names_hash_bucket_size != '' %}
 server_names_hash_bucket_size {{ OPNsense.Nginx.http.server_names_hash_bucket_size }};
 {% endif %}
+{% if OPNsense.Nginx.http.variables_hash_max_size is defined and OPNsense.Nginx.http.variables_hash_max_size != '' %}
+variables_hash_max_size {{ OPNsense.Nginx.http.variables_hash_max_size }};
+{% endif %}
+{% if OPNsense.Nginx.http.variables_hash_bucket_size is defined and OPNsense.Nginx.http.variables_hash_bucket_size != '' %}
+variables_hash_bucket_size {{ OPNsense.Nginx.http.variables_hash_bucket_size }};
+{% endif %}
 {% if OPNsense.Nginx.http.keepalive_timeout is defined and OPNsense.Nginx.http.keepalive_timeout != '' %}
 keepalive_timeout {{ OPNsense.Nginx.http.keepalive_timeout }};
 {% endif %}
@@ -117,7 +123,7 @@ server {
 {%     for listen_address in server.listen_https_address.split(',') %}
     listen {{ listen_address }} ssl{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %}{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
 {%     endfor %}
-    http2 on;
+    http2 {% if server.http2|default("1") == "1" %}on{% else %}off{% endif %};
 {%     if server.tls_reject_handshake is defined and server.tls_reject_handshake == '1'%}
     ssl_reject_handshake on;
 {%     endif %}
@@ -246,6 +252,7 @@ server {
         root /usr/local/etc/nginx/views;
     }
 {% endif %}
+    proxy_intercept_errors {% if server.proxy_intercept_errors|default("0") == "1" %}on{% else %}off{% endif %};
 {% if server.security_header is defined and server.security_header != '' %}
 {% set security_rule = helpers.getUUID(server.security_header) %}
 {%   if security_rule is defined %}
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 9f9b576038..71529378b3 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -47,6 +47,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     error_page {{ errorpage.statuscodes.replace(',', ' ') }} {% if errorpage.response is defined and errorpage.response != '' %}={{ errorpage.response }} {% endif %}{% if errorpage.redirect is defined and errorpage.redirect != '' %}{{ errorpage.redirect }}{% else %}/error_{{ errorpage_uuid.replace('-', '') }}.html{% endif %};
 {%    endfor %}
 {% endif %}
+{% if location.proxy_intercept_errors is defined and location.proxy_intercept_errors != 'Inherit' %}
+    proxy_intercept_errors {{ location.proxy_intercept_errors }};
+{% endif %}
 {% if location.force_https is defined and location.force_https == '1' %}
     if ($scheme != "https") {
         return 302 https://$host$request_uri;
@@ -144,7 +147,13 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     proxy_cache_use_stale  {{ location.cache_use_stale.replace(',', ' ') }};
 {%   endif %}
 {%   if location.cache_valid is defined and location.cache_valid != '' %}
-    proxy_cache_valid  {{ location.cache_valid }}m;
+    proxy_cache_valid {{ location.cache_valid }}m;
+{%   endif %}
+{%   if location.proxy_cache_valid is defined and location.proxy_cache_valid != '' %}
+{%     for pcache_valid_uuid in location.proxy_cache_valid.split(',') %}
+{%       set pcache_valid = helpers.getUUID(pcache_valid_uuid) %}
+    proxy_cache_valid {{ pcache_valid.code.replace(',', ' ') }} {{ pcache_valid.valid }}m;
+{%     endfor %}
 {%   endif %}
     proxy_cache_min_uses {{ location.cache_min_uses|default('1') }};
     proxy_cache_background_update {% if location.cache_background_update is defined and location.cache_background_update == '1' %}on{% else %}off{% endif %};
diff --git a/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js b/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
index 3ef498d006..d25e073871 100644
--- a/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
+++ b/www/nginx/src/opnsense/www/js/nginx/dist/configuration.min.js
@@ -1 +1 @@
-!function(t){var e={};function n(i){if(e[i])return e[i].exports;var s=e[i]={i:i,l:!1,exports:{}};return t[i].call(s.exports,s,s.exports,n),s.l=!0,s.exports}n.m=t,n.c=e,n.d=function(t,e,i){n.o(t,e)||Object.defineProperty(t,e,{enumerable:!0,get:i})},n.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},n.t=function(t,e){if(1&e&&(t=n(t)),8&e)return t;if(4&e&&"object"==typeof t&&t&&t.__esModule)return t;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:t}),2&e&&"string"!=typeof t)for(var s in t)n.d(i,s,function(e){return t[e]}.bind(null,s));return i},n.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return n.d(e,"a",e),e},n.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},n.p="",n(n.s=25)}({25:function(t,e,n){"use strict";n.r(e);var i=Backbone.View.extend({tagName:"div",attributes:{class:"container-fluid"},child_views:[],createModel:null,upstreamCollection:null,initialize:function(t){this.dataField=$(t.dataField),this.entryclass=t.entryclass,this.createModel=t.createModel,this.upstreamCollection=t.upstreamCollection,this.listenTo(this.collection,"add remove reset",this.render),this.listenTo(this.collection,"change",this.update),this.dataField.after(this.$el)},events:{"click .add":"addEntry"},render:function(){this.child_views.forEach(t=>t.remove()),this.$el.html(""),this.child_views=[],this.update(),this.collection.each(t=>{const e=new this.entryclass({model:t,collection:this.collection,upstreamCollection:this.upstreamCollection});this.child_views.push(e),this.$el.append(e.$el),e.render()}),this.$el.append($('\n            <div class="row">\n                <button class="btn btn-primary pull-right add">\n                    <span class="fa fa-plus"></span>\n                </button>\n            </div>'))},update:function(){this.dataField.data("data",this.collection.toJSON())},addEntry:function(t){t.preventDefault(),this.collection.add(this.createModel())}});var s=Backbone.Collection.extend({url:"/api/nginx/settings/searchupstream",parse:function(t){return t.rows}});const a=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("hostname",this.key.value)},"change .value":function(){this.model.set("upstream",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("hostname"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("upstream"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.model.has("upstream")&&0!==this.upstreamCollection.where({uuid:this.model.get("upstream")}).length||this.upstreamCollection.length>0&&this.model.set("upstream",this.upstreamCollection.at(0).get("uuid")),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("hostname")),this.regenerate_list(),$(this.value).val(this.model.get("upstream"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("uuid")}">${e.escape("description")}</option>`)),t.val(this.model.get("upstream")),t.selectpicker("refresh")}}),l=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("network",this.key.value)},"change .value":function(){this.model.set("action",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("network"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("action"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("network")),this.regenerate_list(),$(this.value).val(this.model.get("action"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("value")}">${e.escape("name")}</option>`)),t.val(this.model.get("action")),t.selectpicker("refresh")}});var o=Backbone.Collection.extend({initialize:function(){let t=this;$("#snihostname\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#snihostname\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}}),r=Backbone.Model.extend({}),d=Backbone.Model.extend({}),c=Backbone.Collection.extend({initialize:function(){let t=this;$("#ipacl\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#ipacl\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}});const u=new s,h=new Backbone.Collection([{name:"Deny",value:"deny"},{name:"Allow",value:"allow"}]);$(document).ready(function(){mapDataToFormUI({frm_nginx:"/api/nginx/settings/get"}).done(function(){formatTokenizersUI(),$('select[data-allownew="false"]').selectpicker("refresh"),updateServiceControlUI("nginx")}),""!==window.location.hash&&$('a[href="'+window.location.hash+'"]').click(),$(".nav-tabs a").on("shown.bs.tab",function(t){history.pushState(null,null,t.target.hash)}),$(".reload_btn").click(function(){$(".reloadAct_progress").addClass("fa-spin"),ajaxCall("/api/nginx/service/reconfigure",{},function(){$(".reloadAct_progress").removeClass("fa-spin")})}),$('[id*="save_"]').each(function(){$(this).click(function(){let t=$(this).closest("form").attr("id"),e=$(this).closest("form").attr("data-title");saveFormToEndpoint("/api/nginx/settings/set",t,function(){$("#"+t+"_progress").addClass("fa fa-spinner fa-pulse"),ajaxCall("/api/nginx/service/reconfigure",{},function(n,i){$("#"+t+"_progress").removeClass("fa fa-spinner fa-pulse"),void 0===n||"success"===i&&"ok"===n.status?updateServiceControlUI("nginx"):BootstrapDialog.show({type:BootstrapDialog.TYPE_WARNING,title:e,message:JSON.stringify(n),draggable:!0})})})})}),["upstream","upstreamserver","location","credential","userlist","httpserver","streamserver","httprewrite","custompolicy","security_header","ipacl","limit_zone","cache_path","limit_request_connection","snifwd","errorpage","tls_fingerprint","resolver","syslog_target","naxsirule"].forEach(function(t){$("#grid-"+t).UIBootgrid({search:"/api/nginx/settings/search"+t,get:"/api/nginx/settings/get"+t+"/",set:"/api/nginx/settings/set"+t+"/",add:"/api/nginx/settings/add"+t+"/",del:"/api/nginx/settings/del"+t+"/",commands:{copy_uuid:{method:function(t){navigator.clipboard.writeText($(this).data("row-id"))}}},options:{selection:!1,multiSelect:!1,formatters:{commands:function(t,e){return'<button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-edit" data-row-id="'+e.uuid+'" title="Edit"><span class="fa fa-fw fa-pencil"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy_uuid" data-row-id="'+e.uuid+'" title="Copy UUID to clipboard"><span class="fa fa-fw fa-clipboard"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy" data-row-id="'+e.uuid+'" title="Clone"><span class="fa fa-fw fa-clone"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-delete" data-row-id="'+e.uuid+'" title="Delete"><span class="fa fa-fw fa-trash-o"></span></button>'},response:function(t,e){return"none"==e.response?"unchanged":e.response},statuscodes:function(t,e){const n=[],i=e.statuscodes.split(",");for(let t of i)n.push(t.substr(0,3));return n.join(", ")}}}})}),bind_naxsi_rule_dl_button(),function(){let t=new i({dataField:document.getElementById("snihostname.data"),upstreamCollection:u,entryclass:a,collection:new o,createModel:function(){return new r({hostname:"localhost"})}});window.snifield=t,t.render(),$("#grid-upstream").on("loaded.rs.jquery.bootgrid",function(){u.fetch()}),u.fetch()}();let t=new i({dataField:document.getElementById("ipacl.data"),upstreamCollection:h,entryclass:l,collection:new c,createModel:function(){return new d({network:"::",action:"deny"})}});window.ipaclfield=t,t.render()})}});
\ No newline at end of file
+!function(t){var e={};function n(i){if(e[i])return e[i].exports;var s=e[i]={i:i,l:!1,exports:{}};return t[i].call(s.exports,s,s.exports,n),s.l=!0,s.exports}n.m=t,n.c=e,n.d=function(t,e,i){n.o(t,e)||Object.defineProperty(t,e,{enumerable:!0,get:i})},n.r=function(t){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})},n.t=function(t,e){if(1&e&&(t=n(t)),8&e)return t;if(4&e&&"object"==typeof t&&t&&t.__esModule)return t;var i=Object.create(null);if(n.r(i),Object.defineProperty(i,"default",{enumerable:!0,value:t}),2&e&&"string"!=typeof t)for(var s in t)n.d(i,s,function(e){return t[e]}.bind(null,s));return i},n.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};return n.d(e,"a",e),e},n.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)},n.p="",n(n.s=25)}({25:function(t,e,n){"use strict";n.r(e);var i=Backbone.View.extend({tagName:"div",attributes:{class:"container-fluid"},child_views:[],createModel:null,upstreamCollection:null,initialize:function(t){this.dataField=$(t.dataField),this.entryclass=t.entryclass,this.createModel=t.createModel,this.upstreamCollection=t.upstreamCollection,this.listenTo(this.collection,"add remove reset",this.render),this.listenTo(this.collection,"change",this.update),this.dataField.after(this.$el)},events:{"click .add":"addEntry"},render:function(){this.child_views.forEach(t=>t.remove()),this.$el.html(""),this.child_views=[],this.update(),this.collection.each(t=>{const e=new this.entryclass({model:t,collection:this.collection,upstreamCollection:this.upstreamCollection});this.child_views.push(e),this.$el.append(e.$el),e.render()}),this.$el.append($('\n            <div class="row">\n                <button class="btn btn-primary pull-right add">\n                    <span class="fa fa-plus"></span>\n                </button>\n            </div>'))},update:function(){this.dataField.data("data",this.collection.toJSON())},addEntry:function(t){t.preventDefault(),this.collection.add(this.createModel())}});var s=Backbone.Collection.extend({url:"/api/nginx/settings/searchupstream",parse:function(t){return t.rows}});const a=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("hostname",this.key.value)},"change .value":function(){this.model.set("upstream",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("hostname"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("upstream"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.model.has("upstream")&&0!==this.upstreamCollection.where({uuid:this.model.get("upstream")}).length||this.upstreamCollection.length>0&&this.model.set("upstream",this.upstreamCollection.at(0).get("uuid")),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("hostname")),this.regenerate_list(),$(this.value).val(this.model.get("upstream"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("uuid")}">${e.escape("description")}</option>`)),t.val(this.model.get("upstream")),t.selectpicker("refresh")}}),l=Backbone.View.extend({tagName:"div",attributes:{class:"row"},events:{"keyup .key":function(){this.model.set("network",this.key.value)},"change .value":function(){this.model.set("action",this.value.value)},"click .delete":"deleteEntry"},key:null,value:null,delBtn:null,first:null,second:null,third:null,upstreamCollection:null,initialize:function(t){this.upstreamCollection=t.upstreamCollection,this.listenTo(this.upstreamCollection,"update reset add remove",this.regenerate_list),this.first=document.createElement("div"),this.first.classList.add("col-sm-5"),this.key=document.createElement("input"),this.first.append(this.key),this.key.type="text",this.key.classList.add("key"),this.key.value=this.model.get("network"),this.second=document.createElement("div"),this.second.classList.add("col-sm-5"),this.value=document.createElement("select"),this.second.append(this.value),this.value.classList.add("value"),this.value.classList.add("form-control"),this.value.value=this.model.get("action"),this.third=document.createElement("div"),this.third.classList.add("col-sm-2"),this.third.style.textAlign="right",this.delBtn=document.createElement("button"),this.delBtn.classList.add("delete"),this.delBtn.classList.add("btn"),this.delBtn.innerHTML='<span class="fa fa-trash"></span>',this.third.append(this.delBtn),this.$el.append(this.first).append(this.second).append(this.third)},render:function(){$(this.key).val(this.model.get("network")),this.regenerate_list(),$(this.value).val(this.model.get("action"))},deleteEntry:function(t){t.preventDefault(),this.collection.remove(this.model)},regenerate_list:function(){const t=$(this.value);t.html(""),this.upstreamCollection.each(e=>t.append(`<option value="${e.escape("value")}">${e.escape("name")}</option>`)),t.val(this.model.get("action")),t.selectpicker("refresh")}});var o=Backbone.Collection.extend({initialize:function(){let t=this;$("#snihostname\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#snihostname\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}}),r=Backbone.Model.extend({}),d=Backbone.Model.extend({}),c=Backbone.Collection.extend({initialize:function(){let t=this;$("#ipacl\\.data").change(function(){t.regenerateFromView()})},regenerateFromView:function(){let t=$("#ipacl\\.data").data("data");_.isArray(t)||(t=[]),this.reset(t)}});const u=new s,h=new Backbone.Collection([{name:"Deny",value:"deny"},{name:"Allow",value:"allow"}]);$(document).ready(function(){mapDataToFormUI({frm_nginx:"/api/nginx/settings/get"}).done(function(){formatTokenizersUI(),$('select[data-allownew="false"]').selectpicker("refresh"),updateServiceControlUI("nginx")}),""!==window.location.hash&&$('a[href="'+window.location.hash+'"]').click(),$(".nav-tabs a").on("shown.bs.tab",function(t){history.pushState(null,null,t.target.hash)}),$(".reload_btn").click(function(){$(".reloadAct_progress").addClass("fa-spin"),ajaxCall("/api/nginx/service/reconfigure",{},function(){$(".reloadAct_progress").removeClass("fa-spin")})}),$('[id*="save_"]').each(function(){$(this).click(function(){let t=$(this).closest("form").attr("id"),e=$(this).closest("form").attr("data-title");saveFormToEndpoint("/api/nginx/settings/set",t,function(){$("#"+t+"_progress").addClass("fa fa-spinner fa-pulse"),ajaxCall("/api/nginx/service/reconfigure",{},function(n,i){$("#"+t+"_progress").removeClass("fa fa-spinner fa-pulse"),void 0===n||"success"===i&&"ok"===n.status?updateServiceControlUI("nginx"):BootstrapDialog.show({type:BootstrapDialog.TYPE_WARNING,title:e,message:JSON.stringify(n),draggable:!0})})})})}),["upstream","upstreamserver","location","credential","userlist","httpserver","streamserver","httprewrite","custompolicy","security_header","ipacl","limit_zone","cache_path","proxy_cache_valid","limit_request_connection","snifwd","errorpage","tls_fingerprint","resolver","syslog_target","naxsirule"].forEach(function(t){$("#grid-"+t).UIBootgrid({search:"/api/nginx/settings/search"+t,get:"/api/nginx/settings/get"+t+"/",set:"/api/nginx/settings/set"+t+"/",add:"/api/nginx/settings/add"+t+"/",del:"/api/nginx/settings/del"+t+"/",commands:{copy_uuid:{method:function(t){navigator.clipboard.writeText($(this).data("row-id"))}}},options:{selection:!1,multiSelect:!1,formatters:{commands:function(t,e){return'<button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-edit" data-row-id="'+e.uuid+'" title="Edit"><span class="fa fa-fw fa-pencil"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy_uuid" data-row-id="'+e.uuid+'" title="Copy UUID to clipboard"><span class="fa fa-fw fa-clipboard"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-copy" data-row-id="'+e.uuid+'" title="Clone"><span class="fa fa-fw fa-clone"></span></button> <button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-delete" data-row-id="'+e.uuid+'" title="Delete"><span class="fa fa-fw fa-trash-o"></span></button>'},response:function(t,e){return"none"==e.response?"unchanged":e.response},statuscodes:function(t,e){const n=[],i=e.statuscodes.split(",");for(let t of i)n.push(t.substr(0,3));return n.join(", ")}}}})}),bind_naxsi_rule_dl_button(),function(){let t=new i({dataField:document.getElementById("snihostname.data"),upstreamCollection:u,entryclass:a,collection:new o,createModel:function(){return new r({hostname:"localhost"})}});window.snifield=t,t.render(),$("#grid-upstream").on("loaded.rs.jquery.bootgrid",function(){u.fetch()}),u.fetch()}();let t=new i({dataField:document.getElementById("ipacl.data"),upstreamCollection:h,entryclass:l,collection:new c,createModel:function(){return new d({network:"::",action:"deny"})}});window.ipaclfield=t,t.render()})}});
diff --git a/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js b/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
index e61a2469be..4272efdaa1 100644
--- a/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
+++ b/www/nginx/src/opnsense/www/js/nginx/src/nginx_config.js
@@ -66,6 +66,7 @@ function init_grids() {
         'ipacl',
         'limit_zone',
         'cache_path',
+        'proxy_cache_valid',
         'limit_request_connection',
         'snifwd',
         'errorpage',

From 6c66db83c73f0175839b536dd2105014020c904a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 6 Sep 2025 18:51:12 +0200
Subject: [PATCH 2642/3088] www/nginx: clean up model

Some elaborate defaults were not used. They look kind of useful, but
also suggest maintenance nightmares (default cipher list), so let's
get rid of them.
---
 www/nginx/pkg-descr                           |    1 +
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   | 3891 ++++++++---------
 2 files changed, 1840 insertions(+), 2052 deletions(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index ce2b4b95bf..20e6079f54 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -18,6 +18,7 @@ Plugin Changelog
 * Add proxy_intercept_errors directive support
 * Add Variables hashes size support
 * Add proxy_cache_valid directive support with response codes and multiple selection options
+* Clean up model definition file
 
 1.34
 
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 423b564228..a6789150a5 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,1237 +1,1087 @@
 <model>
-  <mount>//OPNsense/Nginx</mount>
-  <version>1.35</version>
-  <description>nginx web server, reverse proxy and waf</description>
-  <items>
-    <general>
-      <enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enabled>
-      <ban_ttl type="IntegerField">
-        <Default>0</Default>
-        <MinimumValue>0</MinimumValue>
-        <Required>Y</Required>
-      </ban_ttl>
-    </general>
-
-    <webgui>
-      <limitnetworks type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </limitnetworks>
-    </webgui>
-
-    <http>
-      <workerprocesses type="IntegerField">
-        <Default>1</Default>
-        <MinimumValue>1</MinimumValue>
-        <Required>Y</Required>
-      </workerprocesses>
-      <workerconnections type="IntegerField">
-        <Default>1024</Default>
-        <MinimumValue>1</MinimumValue>
-        <Required>Y</Required>
-      </workerconnections>
-      <sendfile type="BooleanField">
-        <Default>0</Default>
-        <Required>N</Required>
-      </sendfile>
-      <keepalive_timeout type="IntegerField">
-        <Default>60</Default>
-        <Required>N</Required>
-      </keepalive_timeout>
-      <reset_timedout type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </reset_timedout>
-      <default_type type="TextField">
-        <Required>N</Required>
-      </default_type>
-      <server_names_hash_bucket_size type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-      </server_names_hash_bucket_size>
-      <server_names_hash_max_size type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-      </server_names_hash_max_size>
-      <variables_hash_max_size type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-      </variables_hash_max_size>
-      <variables_hash_bucket_size type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-      </variables_hash_bucket_size>
-      <ban_response type="OptionField">
-        <Multiple>N</Multiple>
-        <OptionValues>
-          <http_403 value="403">403 Forbidden</http_403>
-          <http_444 value="444">444 Terminate Connection</http_444>
-        </OptionValues>
-        <Required>Y</Required>
-        <Default>403</Default>
-      </ban_response>
-      <log_perm_ban type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </log_perm_ban>
-      <bots_ua type="CSVListField">
-        <Required>Y</Required>
-        <Default>Python-urllib,Nmap,python-requests,libwww-perl,MJ12bot,Jorgee,fasthttp,libwww,Telesphoreo,A6-Indexer,ltx71,okhttp,ZmEu,sqlmap,LMAO/2.0,l9explore,l9tcpid,Masscan,zgrab,Ronin/2.0,Hakai/2.0,Indy\sLibrary,^Mozilla/[\d\.]+$,Morfeus\sFucking\sScanner,MSIE\s[0-6]\.\d+</Default>
-      </bots_ua>
-      <headers_more_enable type="BooleanField">
-        <Required>N</Required>
-      </headers_more_enable>
-    </http>
-
-    <userlist type="ArrayField">
-      <name type="TextField">
-        <Required>Y</Required>
-      </name>
-      <users type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>credential</items>
-            <display>username</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected user not found</ValidationMessage>
-        <Required>Y</Required>
-        <Multiple>Y</Multiple>
-      </users>
-    </userlist>
-
-    <credential type="ArrayField">
-      <username type="TextField">
-        <Required>Y</Required>
-      </username>
-      <password type="TextField">
-        <Required>Y</Required>
-      </password>
-    </credential>
-
-    <upstream type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <serverentries type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>upstream_server</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected server not found</ValidationMessage>
-        <Required>Y</Required>
-        <Multiple>Y</Multiple>
-      </serverentries>
-      <load_balancing_algorithm type="OptionField">
-        <OptionValues>
-          <ip_hash>IP Hash</ip_hash>
-        </OptionValues>
-        <BlankDesc>Weighted Round Robin</BlankDesc>
-        <Required>N</Required>
-      </load_balancing_algorithm>
-      <keepalive type="IntegerField">
-        <MinimumValue>0</MinimumValue>
-        <Required>N</Required>
-      </keepalive>
-      <keepalive_requests type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-      </keepalive_requests>
-      <keepalive_timeout type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-      </keepalive_timeout>
-      <host_port type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-      </host_port>
-      <x_forwarded_host_verbatim type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </x_forwarded_host_verbatim>
-      <proxy_protocol type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </proxy_protocol>
-      <store type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </store>
-      <tls_enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </tls_enable>
-      <tls_client_certificate type="CertificateField">
-        <Type>cert</Type>
-        <Required>N</Required>
-      </tls_client_certificate>
-      <tls_name_override type="HostnameField">
-        <Required>N</Required>
-      </tls_name_override>
-      <tls_protocol_versions type="OptionField">
-        <Multiple>Y</Multiple>
-        <OptionValues>
-          <TLSv1 value="TLSv1">TLSv1</TLSv1>
-          <TLSv1_1 value="TLSv1.1">TLSv1.1</TLSv1_1>
-          <TLSv1_2 value="TLSv1.2">TLSv1.2</TLSv1_2>
-          <TLSv1_3 value="TLSv1.3">TLSv1.3</TLSv1_3>
-        </OptionValues>
-        <Required>N</Required>
-      </tls_protocol_versions>
-      <tls_session_reuse type="BooleanField">
-        <Required>Y</Required>
-        <Default>1</Default>
-      </tls_session_reuse>
-      <tls_trusted_certificate type="CertificateField">
-        <Type>ca</Type>
-        <Multiple>Y</Multiple>
-        <Required>N</Required>
-      </tls_trusted_certificate>
-      <tls_verify type="BooleanField">
-        <Required>Y</Required>
-        <Default>1</Default>
-      </tls_verify>
-      <tls_verify_depth type="IntegerField">
-        <Required>N</Required>
-        <Default>1</Default>
-        <MinimumValue>1</MinimumValue>
-      </tls_verify_depth>
-    </upstream>
-
-    <upstream_server type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <server type="HostnameField">
-        <Required>Y</Required>
-      </server>
-      <port type="PortField">
-        <Required>Y</Required>
-      </port>
-      <priority type="IntegerField">
-        <MinimumValue>0</MinimumValue>
-        <Required>Y</Required>
-      </priority>
-      <max_conns type="IntegerField">
-        <Required>N</Required>
-      </max_conns>
-      <max_fails type="IntegerField">
-        <Required>N</Required>
-      </max_fails>
-      <fail_timeout type="IntegerField">
-        <Required>N</Required>
-      </fail_timeout>
-      <no_use type="OptionField">
-        <OptionValues>
-          <down>Permanently Unreachable</down>
-          <backup>Backup Server</backup>
-        </OptionValues>
-        <Required>N</Required>
-      </no_use>
-    </upstream_server>
-
-    <location type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <urlpattern type="TextField">
-        <Required>Y</Required>
-      </urlpattern>
-      <matchtype type="OptionField">
-        <OptionValues>
-          <option1 value="=">Exact Match ("=")</option1>
-          <option2 value="~">Case Sensitive Match ("~")</option2>
-          <option3 value="~*">Case Insensitive Match ("~*")</option3>
-          <option4 value="^~">Don't check regular expressions on longest prefix match ("^~")</option4>
-        </OptionValues>
-        <Required>N</Required>
-      </matchtype>
-      <enable_secrules type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enable_secrules>
-      <enable_learning_mode type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enable_learning_mode>
-      <secrules_errorpage type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>errorpage</items>
-            <display>name</display>
-            <filters>
-              <pagecontent>/.+/</pagecontent>
-            </filters>
-          </template>
-        </Model>
-        <ValidationMessage>Selected error page(s) not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </secrules_errorpage>
-      <xss_block_score type="IntegerField">
-        <Required>N</Required>
-      </xss_block_score>
-      <sqli_block_score type="IntegerField">
-        <Required>N</Required>
-      </sqli_block_score>
-      <custom_policy type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>custom_policy</items>
-            <display>name</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected server not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </custom_policy>
-      <upstream type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>upstream</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected upstream not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </upstream>
-      <path_prefix type="TextField">
-        <Required>N</Required>
-        <Mask>/^[^" \t]+$/</Mask>
-      </path_prefix>
-      <cache_path type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>cache_path</items>
-            <display>path</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected cache directory not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </cache_path>
-      <cache_use_stale type="OptionField">
-        <Multiple>Y</Multiple>
-        <OptionValues>
-          <error>Error</error>
-          <timeout>Timeout</timeout>
-          <invalid_header>Invalid_header</invalid_header>
-          <updating>Updating</updating>
-          <http_403>HTTP Status Code 403</http_403>
-          <http_404>HTTP Status Code 404</http_404>
-          <http_429>HTTP Status Code 429</http_429>
-          <http_500>HTTP Status Code 500</http_500>
-          <http_502>HTTP Status Code 502</http_502>
-          <http_503>HTTP Status Code 503</http_503>
-          <http_504>HTTP Status Code 504</http_504>
-        </OptionValues>
-        <Required>N</Required>
-      </cache_use_stale>
-      <cache_methods type="OptionField">
-        <Multiple>Y</Multiple>
-        <OptionValues>
-          <POST>Post</POST>
-          <!-- it seems like it does not like the others required for REST - syntax error
+    <mount>//OPNsense/Nginx</mount>
+    <version>1.35</version>
+    <description>nginx web server, reverse proxy and waf</description>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <ban_ttl type="IntegerField">
+                <Default>0</Default>
+                <MinimumValue>0</MinimumValue>
+                <Required>Y</Required>
+            </ban_ttl>
+        </general>
+        <webgui>
+            <limitnetworks type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </limitnetworks>
+        </webgui>
+        <http>
+            <workerprocesses type="IntegerField">
+                <Default>1</Default>
+                <MinimumValue>1</MinimumValue>
+                <Required>Y</Required>
+            </workerprocesses>
+            <workerconnections type="IntegerField">
+                <Default>1024</Default>
+                <MinimumValue>1</MinimumValue>
+                <Required>Y</Required>
+            </workerconnections>
+            <sendfile type="BooleanField"/>
+            <keepalive_timeout type="IntegerField"/>
+            <reset_timedout type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </reset_timedout>
+            <default_type type="TextField"/>
+            <server_names_hash_bucket_size type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </server_names_hash_bucket_size>
+            <server_names_hash_max_size type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </server_names_hash_max_size>
+            <variables_hash_max_size type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </variables_hash_max_size>
+            <variables_hash_bucket_size type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </variables_hash_bucket_size>
+            <ban_response type="OptionField">
+                <OptionValues>
+                    <http_403 value="403">403 Forbidden</http_403>
+                    <http_444 value="444">444 Terminate Connection</http_444>
+                </OptionValues>
+                <Required>Y</Required>
+                <Default>403</Default>
+            </ban_response>
+            <log_perm_ban type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </log_perm_ban>
+            <bots_ua type="CSVListField">
+                <Required>Y</Required>
+                <Default>Python-urllib,Nmap,python-requests,libwww-perl,MJ12bot,Jorgee,fasthttp,libwww,Telesphoreo,A6-Indexer,ltx71,okhttp,ZmEu,sqlmap,LMAO/2.0,l9explore,l9tcpid,Masscan,zgrab,Ronin/2.0,Hakai/2.0,Indy\sLibrary,^Mozilla/[\d\.]+$,Morfeus\sFucking\sScanner,MSIE\s[0-6]\.\d+</Default>
+            </bots_ua>
+            <headers_more_enable type="BooleanField"/>
+        </http>
+        <userlist type="ArrayField">
+            <name type="TextField">
+                <Required>Y</Required>
+            </name>
+            <users type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>credential</items>
+                        <display>username</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected user not found.</ValidationMessage>
+                <Required>Y</Required>
+                <Multiple>Y</Multiple>
+            </users>
+        </userlist>
+        <credential type="ArrayField">
+            <username type="TextField">
+                <Required>Y</Required>
+            </username>
+            <password type="TextField">
+                <Required>Y</Required>
+            </password>
+        </credential>
+        <upstream type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <serverentries type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>upstream_server</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected server not found.</ValidationMessage>
+                <Required>Y</Required>
+                <Multiple>Y</Multiple>
+            </serverentries>
+            <load_balancing_algorithm type="OptionField">
+                <OptionValues>
+                    <ip_hash>IP Hash</ip_hash>
+                </OptionValues>
+                <BlankDesc>Weighted Round Robin</BlankDesc>
+            </load_balancing_algorithm>
+            <keepalive type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+            </keepalive>
+            <keepalive_requests type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </keepalive_requests>
+            <keepalive_timeout type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </keepalive_timeout>
+            <host_port type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </host_port>
+            <x_forwarded_host_verbatim type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </x_forwarded_host_verbatim>
+            <proxy_protocol type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </proxy_protocol>
+            <store type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </store>
+            <tls_enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </tls_enable>
+            <tls_client_certificate type="CertificateField">
+                <Type>cert</Type>
+            </tls_client_certificate>
+            <tls_name_override type="HostnameField"/>
+            <tls_protocol_versions type="OptionField">
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <TLSv1 value="TLSv1">TLSv1</TLSv1>
+                    <TLSv1_1 value="TLSv1.1">TLSv1.1</TLSv1_1>
+                    <TLSv1_2 value="TLSv1.2">TLSv1.2</TLSv1_2>
+                    <TLSv1_3 value="TLSv1.3">TLSv1.3</TLSv1_3>
+                </OptionValues>
+            </tls_protocol_versions>
+            <tls_session_reuse type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </tls_session_reuse>
+            <tls_trusted_certificate type="CertificateField">
+                <Type>ca</Type>
+                <Multiple>Y</Multiple>
+            </tls_trusted_certificate>
+            <tls_verify type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </tls_verify>
+            <tls_verify_depth type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </tls_verify_depth>
+        </upstream>
+        <upstream_server type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <server type="HostnameField">
+                <Required>Y</Required>
+            </server>
+            <port type="PortField">
+                <Required>Y</Required>
+            </port>
+            <priority type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <Required>Y</Required>
+            </priority>
+            <max_conns type="IntegerField"/>
+            <max_fails type="IntegerField"/>
+            <fail_timeout type="IntegerField"/>
+            <no_use type="OptionField">
+                <OptionValues>
+                    <down>Permanently Unreachable</down>
+                    <backup>Backup Server</backup>
+                </OptionValues>
+            </no_use>
+        </upstream_server>
+        <location type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <urlpattern type="TextField">
+                <Required>Y</Required>
+            </urlpattern>
+            <matchtype type="OptionField">
+                <OptionValues>
+                    <option1 value="=">Exact Match ("=")</option1>
+                    <option2 value="~">Case Sensitive Match ("~")</option2>
+                    <option3 value="~*">Case Insensitive Match ("~*")</option3>
+                    <option4 value="^~">Don't check regular expressions on longest prefix match ("^~")</option4>
+                </OptionValues>
+            </matchtype>
+            <enable_secrules type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable_secrules>
+            <enable_learning_mode type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable_learning_mode>
+            <secrules_errorpage type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>errorpage</items>
+                        <display>name</display>
+                        <filters>
+                            <pagecontent>/.+/</pagecontent>
+                        </filters>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected error page not found.</ValidationMessage>
+            </secrules_errorpage>
+            <xss_block_score type="IntegerField"/>
+            <sqli_block_score type="IntegerField"/>
+            <custom_policy type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>custom_policy</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected server not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </custom_policy>
+            <upstream type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>upstream</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected upstream not found.</ValidationMessage>
+            </upstream>
+            <path_prefix type="TextField">
+                <Mask>/^[^" \t]+$/</Mask>
+            </path_prefix>
+            <cache_path type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>cache_path</items>
+                        <display>path</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected cache directory not found.</ValidationMessage>
+            </cache_path>
+            <cache_use_stale type="OptionField">
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <error>Error</error>
+                    <timeout>Timeout</timeout>
+                    <invalid_header>Invalid_header</invalid_header>
+                    <updating>Updating</updating>
+                    <http_403>HTTP Status Code 403</http_403>
+                    <http_404>HTTP Status Code 404</http_404>
+                    <http_429>HTTP Status Code 429</http_429>
+                    <http_500>HTTP Status Code 500</http_500>
+                    <http_502>HTTP Status Code 502</http_502>
+                    <http_503>HTTP Status Code 503</http_503>
+                    <http_504>HTTP Status Code 504</http_504>
+                </OptionValues>
+            </cache_use_stale>
+            <cache_methods type="OptionField">
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <POST>Post</POST>
+                    <!-- it seems like it does not like the others required for REST - syntax error
           <PUT>Put</PUT>
           <DELETE>Delete</DELETE>
           <CONNECT>Connect</CONNECT>
           <OPTIONS>Options</OPTIONS>
           <TRACE>Trace</TRACE>
           <PATCH>Patch</PATCH>-->
-        </OptionValues>
-        <Required>N</Required>
-      </cache_methods>
-      <cache_min_uses type="IntegerField">
-        <Required>Y</Required>
-        <Default>1</Default>
-      </cache_min_uses>
-      <cache_valid type="IntegerField">
-        <Required>N</Required>
-      </cache_valid>
-      <proxy_cache_valid type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>proxy_cache_valid</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected caching time settings not found</ValidationMessage>
-        <Required>N</Required>
-        <multiple>Y</multiple>
-      </proxy_cache_valid>
-      <cache_background_update type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </cache_background_update>
-      <cache_lock type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </cache_lock>
-      <cache_revalidate type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </cache_revalidate>
-      <root type="TextField">
-        <Required>N</Required>
-      </root>
-      <rewrites type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>http_rewrite</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected rewrite(s) not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </rewrites>
-      <index type="CSVListField">
-        <Required>N</Required>
-      </index>
-      <autoindex type="BooleanField">
-        <Required>N</Required>
-      </autoindex>
-      <authbasic type="TextField">
-        <Required>N</Required>
-      </authbasic>
-      <authbasicuserfile type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>userlist</items>
-            <display>name</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected user file not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </authbasicuserfile>
-      <advanced_acl type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </advanced_acl>
-      <force_https type="TextField">
-        <Required>N</Required>
-      </force_https>
-      <php_enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </php_enable>
-      <php_override_scriptname type="TextField">
-        <Required>N</Required>
-      </php_override_scriptname>
-      <limit_request_connections type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>limit_request_connection</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected limit zone not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </limit_request_connections>
-      <max_body_size type="TextField">
-        <Required>N</Required>
-        <Mask>/^\d+[kmg]$/i</Mask>
-        <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
-      </max_body_size>
-      <body_buffer_size type="TextField">
-        <Required>N</Required>
-        <Mask>/^\d+[kmg]$/i</Mask>
-        <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
-      </body_buffer_size>
-      <honeypot type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </honeypot>
-      <websocket type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-        <Constraints>
-            <check001>
-                <ValidationMessage>WebSocket and Upstream Keepalive support can not be combined.</ValidationMessage>
-                <type>SingleSelectConstraint</type>
-                <addFields>
-                    <field1>upstream_keepalive</field1>
-                </addFields>
-            </check001>
-        </Constraints>
-      </websocket>
-      <upstream_keepalive type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-        <Constraints>
-            <check001>
-                <reference>websocket.check001</reference>
-            </check001>
-        </Constraints>
-      </upstream_keepalive>
-      <proxy_buffer_size type="IntegerField">
-        <Required>N</Required>
-        <minValue>1</minValue>
-        <Constraints>
-          <check001>
-            <type>NgxBusyBufferConstraint</type>
-          </check001>
-        </Constraints>
-      </proxy_buffer_size>
-      <proxy_buffers_count type="IntegerField">
-        <Required>N</Required>
-        <minValue>1</minValue>
-        <Constraints>
-          <check001>
-            <type>NgxBusyBufferConstraint</type>
-          </check001>
-        </Constraints>
-      </proxy_buffers_count>
-      <proxy_buffers_size type="IntegerField">
-        <Required>N</Required>
-        <minValue>1</minValue>
-        <Constraints>
-          <check001>
-            <type>NgxBusyBufferConstraint</type>
-          </check001>
-        </Constraints>
-      </proxy_buffers_size>
-      <proxy_busy_buffers_size type="IntegerField">
-        <Required>N</Required>
-        <minValue>1</minValue>
-        <Constraints>
-          <check001>
-            <type>NgxBusyBufferConstraint</type>
-          </check001>
-        </Constraints>
-      </proxy_busy_buffers_size>
-      <proxy_ignore_client_abort type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </proxy_ignore_client_abort>
-      <proxy_request_buffering type="BooleanField">
-        <Required>Y</Required>
-        <Default>1</Default>
-      </proxy_request_buffering>
-      <proxy_buffering type="BooleanField">
-        <Required>Y</Required>
-        <Default>1</Default>
-      </proxy_buffering>
-      <proxy_read_timeout type="IntegerField">
-        <Required>N</Required>
-        <minValue>1</minValue>
-      </proxy_read_timeout>
-      <proxy_send_timeout type="IntegerField">
-        <Required>N</Required>
-        <minValue>1</minValue>
-      </proxy_send_timeout>
-      <ip_acl type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>ip_acl</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected ACL not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </ip_acl>
-      <satisfy type="OptionField">
-        <OptionValues>
-          <any>Any</any>
-          <all>All</all>
-        </OptionValues>
-        <Required>N</Required>
-      </satisfy>
-      <proxy_max_temp_file_size type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>0</MinimumValue>
-      </proxy_max_temp_file_size>
-      <proxy_ssl_server_name type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </proxy_ssl_server_name>
-      <errorpages type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>errorpage</items>
-            <display>name</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected error page(s) not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </errorpages>
-      <proxy_intercept_errors type="OptionField">
-        <default>Inherit</default>
-        <Required>Y</Required>
-        <OptionValues>
-          <Inherit>Inherit</Inherit>
-          <on>On</on>
-          <off>Off</off>
-        </OptionValues>
-      </proxy_intercept_errors>
-    </location>
-
-    <custom_policy type="ArrayField">
-      <name type="TextField">
-        <Required>Y</Required>
-      </name>
-      <naxsi_rules type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>naxsi_rule</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected rule not found</ValidationMessage>
-        <Required>Y</Required>
-        <Multiple>Y</Multiple>
-      </naxsi_rules>
-      <value type="IntegerField">
-        <Required>Y</Required>
-      </value>
-      <operator type="OptionField">
-        <Required>Y</Required>
-        <Default>&gt;=</Default>
-        <OptionValues>
-          <option1 value="&gt;=">Bigger or Equal</option1>
-          <option2 value="&gt;">Bigger</option2>
-          <option3 value="&lt;">Lesser</option3>
-          <option4 value="&lt;=">Lesser or Equal</option4>
-        </OptionValues>
-      </operator>
-      <action type="OptionField">
-        <Required>Y</Required>
-        <Default>BLOCK</Default>
-        <OptionValues>
-          <BLOCK>Block Request</BLOCK>
-          <ALLOW>Allow Request</ALLOW>
-          <DROP>Drop The Connection</DROP>
-          <LOG>Log Request</LOG>
-        </OptionValues>
-      </action>
-    </custom_policy>
-
-    <naxsi_rule type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <ruletype type="OptionField">
-        <OptionValues>
-          <main>Main Rule</main>
-          <basic>Basic Rule</basic>
-        </OptionValues>
-        <Required>Y</Required>
-      </ruletype>
-      <message type="TextField">
-        <Required>N</Required>
-        <pattern>/^[^"]+$/</pattern>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be set.</ValidationMessage>
-            <type>SetIfConstraint</type>
-            <field>match_type</field>
-            <check>id</check>
-          </check001>
-        </Constraints>
-      </message>
-      <identifier type="CSVListField">
-        <Required>Y</Required>
-        <Constraints>
-          <check001>
-            <type>NaxsiIdentifierConstraint</type>
-          </check001>
-        </Constraints>
-      </identifier>
-      <dollar_url type="TextField">
-        <Required>N</Required>
-        <pattern>/^[^"]+$/</pattern>
-      </dollar_url>
-      <match_value type="TextField">
-        <Required>N</Required>
-        <pattern>/^[^"]+$/</pattern>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be set.</ValidationMessage>
-            <type>SetIfConstraint</type>
-            <field>match_type</field>
-            <check>id</check>
-          </check001>
-        </Constraints>
-      </match_value>
-      <match_type type="OptionField">
-        <Required>Y</Required>
-        <Default>id</Default>
-        <OptionValues>
-          <id>Blacklist</id>
-          <wl>Whitelist</wl>
-        </OptionValues>
-        <Constraints>
-          <check001>
-            <reference>identifier.check001</reference>
-          </check001>
-        </Constraints>
-      </match_type>
-      <negate type="BooleanField">
-        <Required>Y</Required>
-      </negate>
-      <score type="IntegerField">
-        <Required>N</Required>
-        <Default>8</Default>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be set.</ValidationMessage>
-            <type>SetIfConstraint</type>
-            <field>match_type</field>
-            <check>id</check>
-          </check001>
-        </Constraints>
-      </score>
-      <regex type="BooleanField">
-        <Required>Y</Required>
-      </regex>
-      <args type="BooleanField">
-        <Required>Y</Required>
-      </args>
-      <url type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </url>
-      <headers type="BooleanField">
-        <Required>Y</Required>
-      </headers>
-      <body type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </body>
-      <dollar_args_var type="TextField">
-        <pattern>/^[^"]+$/</pattern>
-      </dollar_args_var>
-      <dollar_body_var type="TextField">
-        <pattern>/^[^"]+$/</pattern>
-      </dollar_body_var>
-      <dollar_headers_var type="TextField">
-        <pattern>/^[^"]+$/</pattern>
-      </dollar_headers_var>
-      <file_extension type="BooleanField">
-        <Required>Y</Required>
-      </file_extension>
-      <raw_body type="BooleanField">
-        <Required>Y</Required>
-      </raw_body>
-      <name type="BooleanField">
-        <Required>Y</Required>
-      </name>
-    </naxsi_rule>
-
-    <http_server type="ArrayField">
-      <servername type="CSVListField">
-        <Required>Y</Required>
-      </servername>
-      <syslog_targets type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>syslog_target</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected SYSLOG target not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </syslog_targets>
-      <listen_http_address type="CSVListField">
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-        <Default>80,[::]:80</Default>
-        <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
-        <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
-        <Constraints>
-          <check001>
-            <type>NgxUniqueDefaultServerConstraint</type>
-          </check001>
-        </Constraints>
-      </listen_http_address>
-      <listen_https_address type="CSVListField">
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-        <Default>443,[::]:443</Default>
-        <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
-        <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
-      </listen_https_address>
-      <default_server type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-        <Constraints>
-          <check001>
-            <type>NgxUniqueDefaultServerConstraint</type>
-          </check001>
-        </Constraints>
-      </default_server>
-      <tls_reject_handshake type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </tls_reject_handshake>
-      <proxy_protocol type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </proxy_protocol>
-      <trusted_proxies type="CSVListField">
-        <Required>N</Required>
-        <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
-        <Multiple>Y</Multiple>
-      </trusted_proxies>
-      <trusted_proxies_alias type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Firewall.Alias</source>
-            <items>aliases.alias</items>
-            <display>name</display>
-            <filters>
-              <type>/^(host|network)$/</type>
-            </filters>
-          </template>
-        </Model>
-        <ValidationMessage>Selected alias not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </trusted_proxies_alias>
-      <real_ip_source type="OptionField">
-        <OptionValues>
-          <X-Real-IP>X-Real-IP (default)</X-Real-IP>
-          <X-Forwarded-For>X-Forwarded-For</X-Forwarded-For>
-          <proxy_protocol>PROXY Protocol</proxy_protocol>
-          <CF-Connecting-IP>CloudFlare Connecting IP</CF-Connecting-IP>
-        </OptionValues>
-        <Required>N</Required>
-      </real_ip_source>
-      <locations type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>location</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected location(s) not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </locations>
-      <rewrites type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>http_rewrite</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected rewrite(s) not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </rewrites>
-      <root type="TextField">
-        <Required>N</Required>
-      </root>
-      <certificate type="CertificateField">
-        <Type>cert</Type>
-        <Required>N</Required>
-      </certificate>
-      <ca type="CertificateField">
-        <Type>ca</Type>
-        <Required>N</Required>
-        <multiple>Y</multiple>
-      </ca>
-      <verify_client type="OptionField">
-        <Default>Off</Default>
-        <OptionValues>
-          <off>Off</off>
-          <on>On</on>
-          <optional>Optional</optional>
-          <optional_no_ca>Optional, don't verify</optional_no_ca>
-        </OptionValues>
-        <Required>Y</Required>
-      </verify_client>
-      <access_log_format type="OptionField">
-        <Default>main</Default>
-        <OptionValues>
-          <main>Default</main>
-          <main_ext>Extended</main_ext>
-          <anonymized>Anonymized</anonymized>
-          <disabled>Disabled</disabled>
-        </OptionValues>
-        <Required>Y</Required>
-      </access_log_format>
-      <error_log_level type="OptionField">
-        <Multiple>N</Multiple>
-        <OptionValues>
-          <emerg value="emerg">Emergency</emerg>
-          <alert value="alert">Alert</alert>
-          <crit value="crit">Critical</crit>
-          <error value="error">Error (default)</error>
-          <warn value="warn">Warning</warn>
-          <notice value="notice">Notice</notice>
-          <info value="info">Informational</info>
-        </OptionValues>
-        <Required>Y</Required>
-        <Default>error</Default>
-      </error_log_level>
-      <log_handshakes type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </log_handshakes>
-      <enable_acme_support type="BooleanField">
-        <Required>Y</Required>
-        <Default>1</Default>
-      </enable_acme_support>
-      <charset type="OptionField">
-        <Default>utf-8</Default>
-        <OptionValues>
-          <utf-8>utf-8</utf-8>
-        </OptionValues>
-        <Required>N</Required>
-      </charset>
-      <https_only type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </https_only>
-      <http2 type="BooleanField">
-        <default>1</default>
-        <Required>Y</Required>
-      </http2>
-      <tls_protocols type="OptionField">
-        <Multiple>Y</Multiple>
-        <Sorted>Y</Sorted>
-        <OptionValues>
-          <TLSv1_2 value="TLSv1.2">TLSv1.2</TLSv1_2>
-          <TLSv1_3 value="TLSv1.3">TLSv1.3</TLSv1_3>
-        </OptionValues>
-        <Required>Y</Required>
-        <Default>TLSv1.2,TLSv1.3</Default>
-      </tls_protocols>
-      <tls_ciphers type="TextField">
-        <Default>ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256</Default>
-        <Required>N</Required>
-        <Mask>/^((((!|\+|-)?[A-Z][A-Z\d\+-]+)|(@STRENGTH)):?)*$/i</Mask>
-      </tls_ciphers>
-      <tls_ecdh_curve type="TextField">
-        <Required>N</Required>
-        <Mask>/^(([A-Z\d-]+):?)*$/i</Mask>
-      </tls_ecdh_curve>
-      <tls_prefer_server_ciphers type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </tls_prefer_server_ciphers>
-      <resolver type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>resolver</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected resolver not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </resolver>
-      <ocsp_stapling type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </ocsp_stapling>
-      <ocsp_verify type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </ocsp_verify>
-      <block_nonpublic_data type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </block_nonpublic_data>
-      <disable_bot_protection type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </disable_bot_protection>
-      <disable_gzip type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </disable_gzip>
-      <naxsi_whitelist_srcip type="CSVListField">
-        <Required>N</Required>
-        <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
-        <Multiple>Y</Multiple>
-      </naxsi_whitelist_srcip>
-      <naxsi_extensive_log type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </naxsi_extensive_log>
-      <sendfile type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </sendfile>
-      <client_header_buffer_size type="IntegerField">
-        <Required>Y</Required>
-        <Default>1</Default>
-        <MinimumValue>1</MinimumValue>
-      </client_header_buffer_size>
-      <large_client_header_buffers_number type="IntegerField">
-        <Required>Y</Required>
-        <Default>4</Default>
-        <MinimumValue>1</MinimumValue>
-      </large_client_header_buffers_number>
-      <large_client_header_buffers_size type="IntegerField">
-        <Required>Y</Required>
-        <Default>8</Default>
-        <MinimumValue>1</MinimumValue>
-      </large_client_header_buffers_size>
-      <security_header type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>security_header</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected security rule not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </security_header>
-      <limit_request_connections type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>limit_request_connection</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected limit zone not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </limit_request_connections>
-      <max_body_size type="TextField">
-        <Required>N</Required>
-        <Mask>/^\d+[kmg]$/i</Mask>
-        <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
-      </max_body_size>
-      <body_buffer_size type="TextField">
-        <Required>N</Required>
-        <Mask>/^\d+[kmg]$/i</Mask>
-        <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
-      </body_buffer_size>
-      <ip_acl type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>ip_acl</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected ACL not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </ip_acl>
-      <advanced_acl_server type="AuthenticationServerField">
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-        <Default>Local Database</Default>
-      </advanced_acl_server>
-      <satisfy type="OptionField">
-        <OptionValues>
-          <any>Any</any>
-          <all>All</all>
-        </OptionValues>
-        <Required>N</Required>
-      </satisfy>
-      <zero_rtt type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </zero_rtt>
-      <errorpages type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>errorpage</items>
-            <display>name</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected error page(s) not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </errorpages>
-      <proxy_intercept_errors type="BooleanField">
-        <default>0</default>
-        <Required>Y</Required>
-      </proxy_intercept_errors>
-    </http_server>
-
-    <stream_server type="ArrayField">
-      <listen_address type="CSVListField">
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-        <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
-        <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
-      </listen_address>
-      <syslog_targets type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>syslog_target</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected SYSLOG target not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </syslog_targets>
-      <udp type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </udp>
-      <trusted_proxies type="CSVListField">
-        <Required>N</Required>
-        <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
-        <Multiple>Y</Multiple>
-      </trusted_proxies>
-      <proxy_protocol type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </proxy_protocol>
-      <certificate type="CertificateField">
-        <Type>cert</Type>
-        <Required>N</Required>
-      </certificate>
-      <ca type="CertificateField">
-        <Type>ca</Type>
-        <Required>N</Required>
-      </ca>
-      <verify_client type="OptionField">
-        <Default>Off</Default>
-        <OptionValues>
-          <off>Off</off>
-          <on>On</on>
-          <optional>Optional</optional>
-          <optional_no_ca>Optional, don't verify</optional_no_ca>
-        </OptionValues>
-        <Required>Y</Required>
-      </verify_client>
-      <access_log_format type="OptionField">
-        <Default>main</Default>
-        <OptionValues>
-          <main>Default</main>
-          <main_ext>Extended</main_ext>
-          <anonymized>Anonymized</anonymized>
-          <disabled>Disabled</disabled>
-        </OptionValues>
-        <Required>Y</Required>
-      </access_log_format>
-      <error_log_level type="OptionField">
-        <Multiple>N</Multiple>
-        <OptionValues>
-          <emerg value="emerg">Emergency</emerg>
-          <alert value="alert">Alert</alert>
-          <crit value="crit">Critical</crit>
-          <error value="error">Error</error>
-          <warn value="warn">Warning</warn>
-          <notice value="notice">Notice</notice>
-          <info value="info">Informational (default)</info>
-        </OptionValues>
-        <Required>Y</Required>
-        <Default>info</Default>
-      </error_log_level>
-      <route_field type="OptionField">
-        <Default>upstream</Default>
-        <OptionValues>
-          <upstream>Upstream</upstream>
-          <sni_upstream_map>SNI Upstream Mapping</sni_upstream_map>
-        </OptionValues>
-        <Required>Y</Required>
-      </route_field>
-      <upstream type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>upstream</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected upstream not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be set.</ValidationMessage>
-            <type>SetIfConstraint</type>
-            <field>route_field</field>
-            <check>upstream</check>
-          </check001>
-        </Constraints>
-      </upstream>
-      <sni_upstream_map type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>sni_hostname_upstream_map</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected upstream not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be set.</ValidationMessage>
-            <type>SetIfConstraint</type>
-            <field>route_field</field>
-            <check>sni_upstream_map</check>
-          </check001>
-        </Constraints>
-      </sni_upstream_map>
-      <ip_acl type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>ip_acl</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected ACL not found</ValidationMessage>
-        <Required>N</Required>
-        <Multiple>N</Multiple>
-      </ip_acl>
-      <proxy_responses type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>0</MinimumValue>
-      </proxy_responses>
-      <proxy_connect_timeout type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>0</MinimumValue>
-      </proxy_connect_timeout>
-      <proxy_timeout type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>0</MinimumValue>
-      </proxy_timeout>
-    </stream_server>
-
-    <sni_hostname_upstream_map type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <data type="TextField">
-        <!-- sorry, the model relation field is broken here
+                </OptionValues>
+            </cache_methods>
+            <cache_min_uses type="IntegerField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </cache_min_uses>
+            <cache_valid type="IntegerField"/>
+            <proxy_cache_valid type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>proxy_cache_valid</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected caching time settings not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </proxy_cache_valid>
+            <cache_background_update type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </cache_background_update>
+            <cache_lock type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </cache_lock>
+            <cache_revalidate type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </cache_revalidate>
+            <root type="TextField"/>
+            <rewrites type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>http_rewrite</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected rewrite not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </rewrites>
+            <index type="CSVListField"/>
+            <autoindex type="BooleanField"/>
+            <authbasic type="TextField"/>
+            <authbasicuserfile type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>userlist</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected user file not found.</ValidationMessage>
+            </authbasicuserfile>
+            <advanced_acl type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </advanced_acl>
+            <force_https type="TextField"/>
+            <php_enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </php_enable>
+            <php_override_scriptname type="TextField"/>
+            <limit_request_connections type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>limit_request_connection</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected limit zone not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </limit_request_connections>
+            <max_body_size type="TextField">
+                <Mask>/^\d+[kmg]$/i</Mask>
+                <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
+            </max_body_size>
+            <body_buffer_size type="TextField">
+                <Mask>/^\d+[kmg]$/i</Mask>
+                <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
+            </body_buffer_size>
+            <honeypot type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </honeypot>
+            <websocket type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>WebSocket and Upstream Keepalive support can not be combined.</ValidationMessage>
+                        <type>SingleSelectConstraint</type>
+                        <addFields>
+                            <field1>upstream_keepalive</field1>
+                        </addFields>
+                    </check001>
+                </Constraints>
+            </websocket>
+            <upstream_keepalive type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+                <Constraints>
+                    <check001>
+                        <reference>websocket.check001</reference>
+                    </check001>
+                </Constraints>
+            </upstream_keepalive>
+            <proxy_buffer_size type="IntegerField">
+                <minValue>1</minValue>
+                <Constraints>
+                    <check001>
+                        <type>NgxBusyBufferConstraint</type>
+                    </check001>
+                </Constraints>
+            </proxy_buffer_size>
+            <proxy_buffers_count type="IntegerField">
+                <minValue>1</minValue>
+                <Constraints>
+                    <check001>
+                        <type>NgxBusyBufferConstraint</type>
+                    </check001>
+                </Constraints>
+            </proxy_buffers_count>
+            <proxy_buffers_size type="IntegerField">
+                <minValue>1</minValue>
+                <Constraints>
+                    <check001>
+                        <type>NgxBusyBufferConstraint</type>
+                    </check001>
+                </Constraints>
+            </proxy_buffers_size>
+            <proxy_busy_buffers_size type="IntegerField">
+                <minValue>1</minValue>
+                <Constraints>
+                    <check001>
+                        <type>NgxBusyBufferConstraint</type>
+                    </check001>
+                </Constraints>
+            </proxy_busy_buffers_size>
+            <proxy_ignore_client_abort type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </proxy_ignore_client_abort>
+            <proxy_request_buffering type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </proxy_request_buffering>
+            <proxy_buffering type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </proxy_buffering>
+            <proxy_read_timeout type="IntegerField">
+                <minValue>1</minValue>
+            </proxy_read_timeout>
+            <proxy_send_timeout type="IntegerField">
+                <minValue>1</minValue>
+            </proxy_send_timeout>
+            <ip_acl type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>ip_acl</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected ACL not found.</ValidationMessage>
+            </ip_acl>
+            <satisfy type="OptionField">
+                <OptionValues>
+                    <any>Any</any>
+                    <all>All</all>
+                </OptionValues>
+            </satisfy>
+            <proxy_max_temp_file_size type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+            </proxy_max_temp_file_size>
+            <proxy_ssl_server_name type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </proxy_ssl_server_name>
+            <errorpages type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>errorpage</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected error page not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </errorpages>
+            <proxy_intercept_errors type="OptionField">
+                <Default>Inherit</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <Inherit>Inherit</Inherit>
+                    <on>On</on>
+                    <off>Off</off>
+                </OptionValues>
+            </proxy_intercept_errors>
+        </location>
+        <custom_policy type="ArrayField">
+            <name type="TextField">
+                <Required>Y</Required>
+            </name>
+            <naxsi_rules type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>naxsi_rule</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected rule not found.</ValidationMessage>
+                <Required>Y</Required>
+                <Multiple>Y</Multiple>
+            </naxsi_rules>
+            <value type="IntegerField">
+                <Required>Y</Required>
+            </value>
+            <operator type="OptionField">
+                <Required>Y</Required>
+                <Default>&gt;=</Default>
+                <OptionValues>
+                    <option1 value="&gt;=">Bigger or Equal</option1>
+                    <option2 value="&gt;">Bigger</option2>
+                    <option3 value="&lt;">Lesser</option3>
+                    <option4 value="&lt;=">Lesser or Equal</option4>
+                </OptionValues>
+            </operator>
+            <action type="OptionField">
+                <Required>Y</Required>
+                <Default>BLOCK</Default>
+                <OptionValues>
+                    <BLOCK>Block Request</BLOCK>
+                    <ALLOW>Allow Request</ALLOW>
+                    <DROP>Drop The Connection</DROP>
+                    <LOG>Log Request</LOG>
+                </OptionValues>
+            </action>
+        </custom_policy>
+        <naxsi_rule type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <ruletype type="OptionField">
+                <OptionValues>
+                    <main>Main Rule</main>
+                    <basic>Basic Rule</basic>
+                </OptionValues>
+                <Required>Y</Required>
+            </ruletype>
+            <message type="TextField">
+                <pattern>/^[^"]+$/</pattern>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be set.</ValidationMessage>
+                        <type>SetIfConstraint</type>
+                        <field>match_type</field>
+                        <check>id</check>
+                    </check001>
+                </Constraints>
+            </message>
+            <identifier type="CSVListField">
+                <Required>Y</Required>
+                <Constraints>
+                    <check001>
+                        <type>NaxsiIdentifierConstraint</type>
+                    </check001>
+                </Constraints>
+            </identifier>
+            <dollar_url type="TextField">
+                <pattern>/^[^"]+$/</pattern>
+            </dollar_url>
+            <match_value type="TextField">
+                <pattern>/^[^"]+$/</pattern>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be set.</ValidationMessage>
+                        <type>SetIfConstraint</type>
+                        <field>match_type</field>
+                        <check>id</check>
+                    </check001>
+                </Constraints>
+            </match_value>
+            <match_type type="OptionField">
+                <Required>Y</Required>
+                <Default>id</Default>
+                <OptionValues>
+                    <id>Blacklist</id>
+                    <wl>Whitelist</wl>
+                </OptionValues>
+                <Constraints>
+                    <check001>
+                        <reference>identifier.check001</reference>
+                    </check001>
+                </Constraints>
+            </match_type>
+            <negate type="BooleanField">
+                <Required>Y</Required>
+            </negate>
+            <score type="IntegerField">
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be set.</ValidationMessage>
+                        <type>SetIfConstraint</type>
+                        <field>match_type</field>
+                        <check>id</check>
+                    </check001>
+                </Constraints>
+            </score>
+            <regex type="BooleanField">
+                <Required>Y</Required>
+            </regex>
+            <args type="BooleanField">
+                <Required>Y</Required>
+            </args>
+            <url type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </url>
+            <headers type="BooleanField">
+                <Required>Y</Required>
+            </headers>
+            <body type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </body>
+            <dollar_args_var type="TextField">
+                <pattern>/^[^"]+$/</pattern>
+            </dollar_args_var>
+            <dollar_body_var type="TextField">
+                <pattern>/^[^"]+$/</pattern>
+            </dollar_body_var>
+            <dollar_headers_var type="TextField">
+                <pattern>/^[^"]+$/</pattern>
+            </dollar_headers_var>
+            <file_extension type="BooleanField">
+                <Required>Y</Required>
+            </file_extension>
+            <raw_body type="BooleanField">
+                <Required>Y</Required>
+            </raw_body>
+            <name type="BooleanField">
+                <Required>Y</Required>
+            </name>
+        </naxsi_rule>
+        <http_server type="ArrayField">
+            <servername type="CSVListField">
+                <Required>Y</Required>
+            </servername>
+            <syslog_targets type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>syslog_target</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected SYSLOG target not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </syslog_targets>
+            <listen_http_address type="CSVListField">
+                <Multiple>Y</Multiple>
+                <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
+                <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
+                <Constraints>
+                    <check001>
+                        <type>NgxUniqueDefaultServerConstraint</type>
+                    </check001>
+                </Constraints>
+            </listen_http_address>
+            <listen_https_address type="CSVListField">
+                <Multiple>Y</Multiple>
+                <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
+                <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
+            </listen_https_address>
+            <default_server type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+                <Constraints>
+                    <check001>
+                        <type>NgxUniqueDefaultServerConstraint</type>
+                    </check001>
+                </Constraints>
+            </default_server>
+            <tls_reject_handshake type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </tls_reject_handshake>
+            <proxy_protocol type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </proxy_protocol>
+            <trusted_proxies type="CSVListField">
+                <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
+                <Multiple>Y</Multiple>
+            </trusted_proxies>
+            <trusted_proxies_alias type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Firewall.Alias</source>
+                        <items>aliases.alias</items>
+                        <display>name</display>
+                        <filters>
+                            <type>/^(host|network)$/</type>
+                        </filters>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected alias not found.</ValidationMessage>
+            </trusted_proxies_alias>
+            <real_ip_source type="OptionField">
+                <OptionValues>
+                    <X-Real-IP>X-Real-IP (default)</X-Real-IP>
+                    <X-Forwarded-For>X-Forwarded-For</X-Forwarded-For>
+                    <proxy_protocol>PROXY Protocol</proxy_protocol>
+                    <CF-Connecting-IP>CloudFlare Connecting IP</CF-Connecting-IP>
+                </OptionValues>
+            </real_ip_source>
+            <locations type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>location</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected location not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </locations>
+            <rewrites type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>http_rewrite</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected rewrite not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </rewrites>
+            <root type="TextField"/>
+            <certificate type="CertificateField">
+                <Type>cert</Type>
+            </certificate>
+            <ca type="CertificateField">
+                <Type>ca</Type>
+                <Multiple>Y</Multiple>
+            </ca>
+            <verify_client type="OptionField">
+                <Default>Off</Default>
+                <OptionValues>
+                    <off>Off</off>
+                    <on>On</on>
+                    <optional>Optional</optional>
+                    <optional_no_ca>Optional, don't verify</optional_no_ca>
+                </OptionValues>
+                <Required>Y</Required>
+            </verify_client>
+            <access_log_format type="OptionField">
+                <Default>main</Default>
+                <OptionValues>
+                    <main>Default</main>
+                    <main_ext>Extended</main_ext>
+                    <anonymized>Anonymized</anonymized>
+                    <disabled>Disabled</disabled>
+                </OptionValues>
+                <Required>Y</Required>
+            </access_log_format>
+            <error_log_level type="OptionField">
+                <OptionValues>
+                    <emerg value="emerg">Emergency</emerg>
+                    <alert value="alert">Alert</alert>
+                    <crit value="crit">Critical</crit>
+                    <error value="error">Error (default)</error>
+                    <warn value="warn">Warning</warn>
+                    <notice value="notice">Notice</notice>
+                    <info value="info">Informational</info>
+                </OptionValues>
+                <Required>Y</Required>
+                <Default>error</Default>
+            </error_log_level>
+            <log_handshakes type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </log_handshakes>
+            <enable_acme_support type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </enable_acme_support>
+            <charset type="OptionField">
+                <OptionValues>
+                    <utf-8>utf-8</utf-8>
+                </OptionValues>
+            </charset>
+            <https_only type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </https_only>
+            <http2 type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </http2>
+            <tls_protocols type="OptionField">
+                <Multiple>Y</Multiple>
+                <Sorted>Y</Sorted>
+                <OptionValues>
+                    <TLSv1_2 value="TLSv1.2">TLSv1.2</TLSv1_2>
+                    <TLSv1_3 value="TLSv1.3">TLSv1.3</TLSv1_3>
+                </OptionValues>
+                <Required>Y</Required>
+                <Default>TLSv1.2,TLSv1.3</Default>
+            </tls_protocols>
+            <tls_ciphers type="TextField">
+                <Mask>/^((((!|\+|-)?[A-Z][A-Z\d\+-]+)|(@STRENGTH)):?)*$/i</Mask>
+            </tls_ciphers>
+            <tls_ecdh_curve type="TextField">
+                <Mask>/^(([A-Z\d-]+):?)*$/i</Mask>
+            </tls_ecdh_curve>
+            <tls_prefer_server_ciphers type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </tls_prefer_server_ciphers>
+            <resolver type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>resolver</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected resolver not found.</ValidationMessage>
+            </resolver>
+            <ocsp_stapling type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </ocsp_stapling>
+            <ocsp_verify type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </ocsp_verify>
+            <block_nonpublic_data type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </block_nonpublic_data>
+            <disable_bot_protection type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </disable_bot_protection>
+            <disable_gzip type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </disable_gzip>
+            <naxsi_whitelist_srcip type="CSVListField">
+                <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
+                <Multiple>Y</Multiple>
+            </naxsi_whitelist_srcip>
+            <naxsi_extensive_log type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </naxsi_extensive_log>
+            <sendfile type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </sendfile>
+            <client_header_buffer_size type="IntegerField">
+                <Required>Y</Required>
+                <Default>1</Default>
+                <MinimumValue>1</MinimumValue>
+            </client_header_buffer_size>
+            <large_client_header_buffers_number type="IntegerField">
+                <Required>Y</Required>
+                <Default>4</Default>
+                <MinimumValue>1</MinimumValue>
+            </large_client_header_buffers_number>
+            <large_client_header_buffers_size type="IntegerField">
+                <Required>Y</Required>
+                <Default>8</Default>
+                <MinimumValue>1</MinimumValue>
+            </large_client_header_buffers_size>
+            <security_header type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>security_header</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected security rule not found.</ValidationMessage>
+            </security_header>
+            <limit_request_connections type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>limit_request_connection</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected limit zone not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </limit_request_connections>
+            <max_body_size type="TextField">
+                <Mask>/^\d+[kmg]$/i</Mask>
+                <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
+            </max_body_size>
+            <body_buffer_size type="TextField">
+                <Mask>/^\d+[kmg]$/i</Mask>
+                <ValidationMessage>Enter a number followed by k, m or g.</ValidationMessage>
+            </body_buffer_size>
+            <ip_acl type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>ip_acl</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected ACL not found.</ValidationMessage>
+            </ip_acl>
+            <advanced_acl_server type="AuthenticationServerField"/>
+            <satisfy type="OptionField">
+                <OptionValues>
+                    <any>Any</any>
+                    <all>All</all>
+                </OptionValues>
+            </satisfy>
+            <zero_rtt type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </zero_rtt>
+            <errorpages type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>errorpage</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected error page not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </errorpages>
+            <proxy_intercept_errors type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </proxy_intercept_errors>
+        </http_server>
+        <stream_server type="ArrayField">
+            <listen_address type="CSVListField">
+                <Multiple>Y</Multiple>
+                <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\])):\d+|:?\d+))*$/i</Mask>
+                <ValidationMessage>Please provide a valid listen address or port, i.e. 127.0.0.1:8080, [::1]:8080, 8080.</ValidationMessage>
+            </listen_address>
+            <syslog_targets type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>syslog_target</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected SYSLOG target not found.</ValidationMessage>
+                <Multiple>Y</Multiple>
+            </syslog_targets>
+            <udp type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </udp>
+            <trusted_proxies type="CSVListField">
+                <Mask>/^((?:\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?(,?(?:(?:(\d+\.){3,3}\d+|[a-f0-9\:]+)(?:\/\d+)?))*$/i</Mask>
+                <Multiple>Y</Multiple>
+            </trusted_proxies>
+            <proxy_protocol type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </proxy_protocol>
+            <certificate type="CertificateField">
+                <Type>cert</Type>
+            </certificate>
+            <ca type="CertificateField">
+                <Type>ca</Type>
+            </ca>
+            <verify_client type="OptionField">
+                <Default>Off</Default>
+                <OptionValues>
+                    <off>Off</off>
+                    <on>On</on>
+                    <optional>Optional</optional>
+                    <optional_no_ca>Optional, don't verify</optional_no_ca>
+                </OptionValues>
+                <Required>Y</Required>
+            </verify_client>
+            <access_log_format type="OptionField">
+                <Default>main</Default>
+                <OptionValues>
+                    <main>Default</main>
+                    <main_ext>Extended</main_ext>
+                    <anonymized>Anonymized</anonymized>
+                    <disabled>Disabled</disabled>
+                </OptionValues>
+                <Required>Y</Required>
+            </access_log_format>
+            <error_log_level type="OptionField">
+                <OptionValues>
+                    <emerg value="emerg">Emergency</emerg>
+                    <alert value="alert">Alert</alert>
+                    <crit value="crit">Critical</crit>
+                    <error value="error">Error</error>
+                    <warn value="warn">Warning</warn>
+                    <notice value="notice">Notice</notice>
+                    <info value="info">Informational (default)</info>
+                </OptionValues>
+                <Required>Y</Required>
+                <Default>info</Default>
+            </error_log_level>
+            <route_field type="OptionField">
+                <Default>upstream</Default>
+                <OptionValues>
+                    <upstream>Upstream</upstream>
+                    <sni_upstream_map>SNI Upstream Mapping</sni_upstream_map>
+                </OptionValues>
+                <Required>Y</Required>
+            </route_field>
+            <upstream type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>upstream</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected upstream not found.</ValidationMessage>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be set.</ValidationMessage>
+                        <type>SetIfConstraint</type>
+                        <field>route_field</field>
+                        <check>upstream</check>
+                    </check001>
+                </Constraints>
+            </upstream>
+            <sni_upstream_map type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>sni_hostname_upstream_map</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected upstream not found.</ValidationMessage>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be set.</ValidationMessage>
+                        <type>SetIfConstraint</type>
+                        <field>route_field</field>
+                        <check>sni_upstream_map</check>
+                    </check001>
+                </Constraints>
+            </sni_upstream_map>
+            <ip_acl type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>ip_acl</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected ACL not found.</ValidationMessage>
+            </ip_acl>
+            <proxy_responses type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+            </proxy_responses>
+            <proxy_connect_timeout type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+            </proxy_connect_timeout>
+            <proxy_timeout type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+            </proxy_timeout>
+        </stream_server>
+        <sni_hostname_upstream_map type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <data type="TextField">
+                <!-- sorry, the model relation field is broken here
           <Model>
             <template>
               <source>OPNsense.Nginx.Nginx</source>
@@ -1241,33 +1091,30 @@
           </Model>
           <Multiple>Y</Multiple>
           -->
-          <Required>Y</Required>
-      </data>
-    </sni_hostname_upstream_map>
-
-    <sni_hostname_upstream_map_item type="ArrayField">
-      <hostname type="HostnameField">
-        <Required>Y</Required>
-      </hostname>
-      <upstream type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>upstream</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <Required>Y</Required>
-        <Multiple>N</Multiple>
-      </upstream>
-    </sni_hostname_upstream_map_item>
-
-    <ip_acl type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <data type="TextField">
-        <!-- sorry, the model relation field is broken here
+                <Required>Y</Required>
+            </data>
+        </sni_hostname_upstream_map>
+        <sni_hostname_upstream_map_item type="ArrayField">
+            <hostname type="HostnameField">
+                <Required>Y</Required>
+            </hostname>
+            <upstream type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>upstream</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <Required>Y</Required>
+            </upstream>
+        </sni_hostname_upstream_map_item>
+        <ip_acl type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <data type="TextField">
+                <!-- sorry, the model relation field is broken here
           <Model>
             <template>
               <source>OPNsense.Nginx.Nginx</source>
@@ -1277,802 +1124,742 @@
           </Model>
           <Multiple>Y</Multiple>
           -->
-        <Required>Y</Required>
-      </data>
-      <default_action type="OptionField">
-        <OptionValues>
-          <deny>Deny Access</deny>
-          <allow>Allow Access</allow>
-        </OptionValues>
-        <Required>N</Required>
-      </default_action>
-    </ip_acl>
-
-    <ip_acl_item type="ArrayField">
-      <network type="NetworkField">
-        <Required>Y</Required>
-      </network>
-      <action type="OptionField">
-        <Default>deny</Default>
-        <OptionValues>
-          <deny>Deny Access</deny>
-          <allow>Allow Access</allow>
-        </OptionValues>
-        <Required>Y</Required>
-      </action>
-    </ip_acl_item>
-
-    <resolver type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-        <Mask>/^[^" \t]+$/i</Mask>
-      </description>
-      <address type="CSVListField">
-        <Required>Y</Required>
-        <Multiple>Y</Multiple>
-        <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*))*$/i</Mask>
-        <ValidationMessage>Please provide a valid resolver address, i.e. 8.8.8.8, [2001:4860:4860::8888], 8.8.8.8:5353.</ValidationMessage>
-      </address>
-      <valid type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-      </valid>
-      <ipv4_off type="BooleanField">
-        <Required>N</Required>
-        <Constraints>
-            <check001>
-                <ValidationMessage>Can not disable all record types.</ValidationMessage>
-                <type>SingleSelectConstraint</type>
-                <addFields>
-                    <field1>ipv6_off</field1>
-                </addFields>
-            </check001>
-        </Constraints>
-      </ipv4_off>
-      <ipv6_off type="BooleanField">
-        <Required>N</Required>
-        <Constraints>
-            <check001>
-                <reference>ipv4_off.check001</reference>
-            </check001>
-        </Constraints>
-      </ipv6_off>
-      <timeout type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-      </timeout>
-    </resolver>
-
-    <http_rewrite type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-        <Mask>/^[^" \t]+$/i</Mask>
-      </description>
-      <source type="TextField">
-        <Required>Y</Required>
-      </source>
-      <destination type="TextField">
-        <Required>Y</Required>
-        <Mask>/^[^" \t]+$/i</Mask>
-      </destination>
-      <flag type="OptionField">
-        <OptionValues>
-          <break>Stop processing rules</break>
-          <last>Stop processing rules and find location</last>
-          <redirect>Redirect</redirect>
-          <permanent>Permanent</permanent>
-        </OptionValues>
-        <Required>N</Required>
-      </flag>
-    </http_rewrite>
-
-    <security_header type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <referrer type="OptionField">
-        <Multiple>N</Multiple>
-        <OptionValues>
-          <no-referrer>No Referrer</no-referrer>
-          <no-referrer-when-downgrade>No Referrer When Downgrading</no-referrer-when-downgrade>
-          <same-origin>Same Origin (recommended)</same-origin>
-          <origin>Origin</origin>
-          <strict-origin>Strict Origin</strict-origin>
-          <strict-origin-when-cross-origin>Strict Origin When Cross Origin</strict-origin-when-cross-origin>
-          <origin-when-cross-origin>Origin When Cross Origin</origin-when-cross-origin>
-          <unsafe-url>Unsafe URL</unsafe-url>
-        </OptionValues>
-        <Required>N</Required>
-      </referrer>
-      <xssprotection type="OptionField">
-        <Multiple>N</Multiple>
-        <OptionValues>
-          <val1 value="1; mode=block">Block</val1>
-          <val2 value="0">Off</val2>
-          <val3 value="1">On</val3>
-        </OptionValues>
-        <Required>N</Required>
-      </xssprotection>
-      <content_type_options type="BooleanField">
-        <Required>Y</Required>
-      </content_type_options>
-      <strict_transport_security_time type="IntegerField">
-        <Required>N</Required>
-      </strict_transport_security_time>
-      <strict_transport_security_include_subdomains type="BooleanField">
-        <Required>Y</Required>
-        <Default>1</Default>
-      </strict_transport_security_include_subdomains>
-      <strict_transport_security_preload type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </strict_transport_security_preload>
-      <enable_csp type="BooleanField">
-        <Required>Y</Required>
-      </enable_csp>
-      <csp_log_violations type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_log_violations>
-      <csp_report_only type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_report_only>
-      <csp_default_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_enabled>
-      <csp_default_src_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_data_urls>
-      <csp_default_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_default_src_http_urls>
-      <csp_default_src_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_inline>
-      <csp_default_src_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_eval>
-      <csp_default_src_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_self>
-      <csp_default_src_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_blob>
-      <csp_default_src_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_mediastream>
-      <csp_default_src_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_filesystem>
-      <csp_default_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_default_src_none>
-      <csp_script_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_enabled>
-      <csp_script_src_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_data_urls>
-      <csp_script_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_script_src_http_urls>
-      <csp_script_src_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_inline>
-      <csp_script_src_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_eval>
-      <csp_script_src_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_self>
-      <csp_script_src_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_blob>
-      <csp_script_src_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_mediastream>
-      <csp_script_src_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_filesystem>
-      <csp_script_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_script_src_none>
-      <csp_img_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_enabled>
-      <csp_img_src_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_data_urls>
-      <csp_img_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_img_src_http_urls>
-      <csp_img_src_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_inline>
-      <csp_img_src_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_eval>
-      <csp_img_src_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_self>
-      <csp_img_src_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_blob>
-      <csp_img_src_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_mediastream>
-      <csp_img_src_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_filesystem>
-      <csp_img_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_img_src_none>
-      <csp_style_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_enabled>
-      <csp_style_src_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_data_urls>
-      <csp_style_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_style_src_http_urls>
-      <csp_style_src_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_inline>
-      <csp_style_src_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_eval>
-      <csp_style_src_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_self>
-      <csp_style_src_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_blob>
-      <csp_style_src_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_mediastream>
-      <csp_style_src_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_filesystem>
-      <csp_style_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_style_src_none>
-      <csp_media_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_enabled>
-      <csp_media_src_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_data_urls>
-      <csp_media_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_media_src_http_urls>
-      <csp_media_src_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_inline>
-      <csp_media_src_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_eval>
-      <csp_media_src_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_self>
-      <csp_media_src_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_blob>
-      <csp_media_src_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_mediastream>
-      <csp_media_src_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_filesystem>
-      <csp_media_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_media_src_none>
-      <csp_font_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_enabled>
-      <csp_font_src_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_data_urls>
-      <csp_font_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_font_src_http_urls>
-      <csp_font_src_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_inline>
-      <csp_font_src_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_eval>
-      <csp_font_src_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_self>
-      <csp_font_src_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_blob>
-      <csp_font_src_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_mediastream>
-      <csp_font_src_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_filesystem>
-      <csp_font_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_font_src_none>
-      <csp_frame_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_enabled>
-      <csp_frame_src_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_data_urls>
-      <csp_frame_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_frame_src_http_urls>
-      <csp_frame_src_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_inline>
-      <csp_frame_src_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_eval>
-      <csp_frame_src_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_self>
-      <csp_frame_src_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_blob>
-      <csp_frame_src_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_mediastream>
-      <csp_frame_src_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_filesystem>
-      <csp_frame_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_src_none>
-      <csp_frame_ancestors_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_ancestors_enabled>
-      <csp_frame_ancestors_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_ancestors_data_urls>
-      <csp_frame_ancestors_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_frame_ancestors_http_urls>
-      <csp_frame_ancestors_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_ancestors_self>
-      <csp_frame_ancestors_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_ancestors_blob>
-      <csp_frame_ancestors_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_ancestors_mediastream>
-      <csp_frame_ancestors_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_ancestors_filesystem>
-      <csp_frame_ancestors_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_frame_ancestors_none>
-      <csp_connect_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_connect_src_enabled>
-      <csp_connect_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_connect_src_http_urls>
-      <csp_connect_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_connect_src_none>
-      <csp_worker_src_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_worker_src_enabled>
-      <csp_worker_src_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_worker_src_data_urls>
-      <csp_worker_src_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_worker_src_http_urls>
-      <csp_worker_src_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_worker_src_inline>
-      <csp_worker_src_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_worker_src_eval>
-      <csp_worker_src_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_worker_src_self>
-      <csp_worker_src_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_worker_src_blob>
-      <csp_worker_src_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_worker_src_filesystem>
-      <csp_worker_src_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_worker_src_none>
-      <csp_form_action_enabled type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_enabled>
-      <csp_form_action_data_urls type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_data_urls>
-      <csp_form_action_http_urls type="CSVListField">
-        <Required>N</Required>
-      </csp_form_action_http_urls>
-      <csp_form_action_inline type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_inline>
-      <csp_form_action_eval type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_eval>
-      <csp_form_action_self type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_self>
-      <csp_form_action_blob type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_blob>
-      <csp_form_action_mediastream type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_mediastream>
-      <csp_form_action_filesystem type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_filesystem>
-      <csp_form_action_none type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </csp_form_action_none>
-    </security_header>
-
-    <limit_zone type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <key type="OptionField">
-        <Default>binary_remote_addr</Default>
-        <OptionValues>
-          <binary_remote_addr>Remote IP Address</binary_remote_addr>
-        </OptionValues>
-        <Required>Y</Required>
-      </key>
-      <rate_unit type="OptionField">
-        <Default>r/s</Default>
-        <OptionValues>
-          <val1 value="r/s">Requests Per Second</val1>
-          <val2 value="r/m">Requests Per Minute</val2>
-        </OptionValues>
-        <Required>Y</Required>
-      </rate_unit>
-      <size type="IntegerField">
-        <Required>Y</Required>
-        <Default>10</Default>
-        <MinimumValue>1</MinimumValue>
-      </size>
-      <rate type="IntegerField">
-        <Required>Y</Required>
-        <Default>20</Default>
-        <MinimumValue>1</MinimumValue>
-      </rate>
-    </limit_zone>
-
-    <errorpage type="ArrayField">
-      <name type="TextField">
-        <Required>Y</Required>
-      </name>
-      <statuscodes type="OptionField">
-        <Multiple>Y</Multiple>
-        <OptionValues>
-          <status_400 value="400">400 Bad Request</status_400>
-          <status_401 value="401">401 Unauthorized</status_401>
-          <status_403 value="403">403 Forbidden</status_403>
-          <status_404 value="404">404 Not Found</status_404>
-          <status_405 value="405">405 Method Not Allowed</status_405>
-          <status_407 value="407">407 Proxy Authentication Required</status_407>
-          <status_408 value="408">408 Request Timeout</status_408>
-          <status_410 value="410">410 Gone</status_410>
-          <status_415 value="415">415 Unsupported Media Type</status_415>
-          <status_429 value="429">429 Too Many Requests</status_429>
-          <status_431 value="431">431 Request Header Fields Too Large</status_431>
-          <status_500 value="500">500 Internal Server Error</status_500>
-          <status_501 value="501">501 Not Implemented</status_501>
-          <status_502 value="502">502 Bad Gateway</status_502>
-          <status_503 value="503">503 Service Unavailable</status_503>
-          <status_504 value="504">504 Gateway Timeout</status_504>
-        </OptionValues>
-        <Required>Y</Required>
-      </statuscodes>
-      <pagecontent type="Base64Field">
-        <Default>PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDxtZXRhIGNoYXJzZXQ9IlVURi04Ij4KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsaW5pdGlhbC1zY2FsZT0xIiAvPgogICAgPHRpdGxlPkVycm9yPC90aXRsZT4KPC9oZWFkPgo8Ym9keT4KICAgIDxoMT5FcnJvcjwvaDE+CiAgICA8cD5Tb3JyeSwgYnV0IHNvbWV0aGluZyB3ZW50IHdyb25nLjwvcD4KPC9ib2R5Pgo8L2h0bWw+</Default>
-        <Constraints>
-          <check001>
-            <type>SingleSelectConstraint</type>
-            <ValidationMessage>Page content is required if redirect is not used and needs to be empty otherwise.</ValidationMessage>
-            <addFields>
-              <field1>redirect</field1>
-            </addFields>
-            <isRequired>Y</isRequired>
-          </check001>
-        </Constraints>
-      </pagecontent>
-      <redirect type="UrlField">
-        <Required>N</Required>
-        <Constraints>
-          <check001>
-            <reference>pagecontent.check001</reference>
-          </check001>
-        </Constraints>
-      </redirect>
-      <response type="OptionField">
-        <Multiple>N</Multiple>
-        <OptionValues>
-          <status_200 value="200">200 OK</status_200>
-          <status_300 value="300">300 Multiple Choice</status_300>
-          <status_301 value="301">301 Moved Permanently</status_301>
-          <status_302 value="302">302 Found</status_302>
-          <status_401 value="401">401 Unauthorized</status_401>
-          <status_403 value="403">403 Forbidden</status_403>
-          <status_404 value="404">404 Not Found</status_404>
-          <status_451 value="451">451 Unavailable For Legal Reasons</status_451>
-          <status_500 value="500">500 Internal Server Error</status_500>
-          <status_503 value="503">503 Service Unavailable</status_503>
-        </OptionValues>
-        <Required>N</Required>
-      </response>
-    </errorpage>
-
-    <tls_fingerprint type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <user_agent type="TextField">
-        <Required>Y</Required>
-      </user_agent>
-      <trusted type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </trusted>
-      <curves type="TextField">
-        <!-- OpenSSL curve list like the one used for configuring the supported ciphers by the web server -->
-        <Required>N</Required>
-        <Mask>/^(0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)(?::((0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)))*$/</Mask>
-      </curves>
-      <ciphers type="TextField">
-        <!-- OpenSSL cipher list like the one used for configuring the supported ciphers by the web server -->
-        <Required>Y</Required>
-        <Mask>/^(0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)(?::((0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)))*$/</Mask>
-      </ciphers>
-    </tls_fingerprint>
-
-    <limit_request_connection type="ArrayField">
-      <limit_zone type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Nginx.Nginx</source>
-            <items>limit_zone</items>
-            <display>description</display>
-          </template>
-        </Model>
-        <ValidationMessage>Selected limit zone not found</ValidationMessage>
-        <Required>Y</Required>
-        <Multiple>Y</Multiple>
-      </limit_zone>
-      <connection_count type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>Y</Required>
-        <Default>5</Default>
-      </connection_count>
-      <burst type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <Default>20</Default>
-      </burst>
-      <nodelay type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </nodelay>
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-    </limit_request_connection>
-
-    <ban type="ArrayField">
-      <ip type="NetworkField">
-        <Required>Y</Required>
-      </ip>
-      <time type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>0</MinimumValue>
-      </time>
-    </ban>
-
-    <cache_path type="ArrayField">
-      <path type="TextField">
-        <Required>Y</Required>
-        <Mask>/\/(srv|var|tmp|mnt)[a-z0-9\-\._\:\,\/]+[a-z0-9\-\._\:\,]+/i</Mask>
-      </path>
-      <size type="IntegerField">
-        <MinimumValue>10</MinimumValue>
-        <Default>10</Default>
-      </size>
-      <inactive type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-      </inactive>
-      <use_temp_path type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </use_temp_path>
-      <max_size type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-      </max_size>
-    </cache_path>
-
-    <proxy_cache_valid type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-        <mask>/^[^" \t]+$/i</mask>
-      </description>
-      <code type="CSVListField">
-        <Required>Y</Required>
-        <default>any</default>
-        <multiple>Y</multiple>
-        <mask>/(^\d{3}(,\d{3})*$)|(^any$)/</mask>
-        <ValidationMessage>Please use three digit response code(s) or use "any" word.</ValidationMessage>
-      </code>
-      <valid type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>Y</Required>
-      </valid>
-    </proxy_cache_valid>
-
-    <syslog_target type="ArrayField">
-      <description type="TextField">
-        <Required>Y</Required>
-      </description>
-      <host type="HostnameField">
-        <Required>Y</Required>
-      </host>
-      <port type="PortField">
-        <Required>N</Required>
-      </port>
-      <facility type="OptionField">
-        <OptionValues>
-          <kern>kern</kern>
-          <user>user</user>
-          <mail>mail</mail>
-          <daemon>daemon</daemon>
-          <auth>auth</auth>
-          <intern>intern</intern>
-          <lpr>lpr</lpr>
-          <news>news</news>
-          <uucp>uucp</uucp>
-          <clock>clock</clock>
-          <authpriv>authpriv</authpriv>
-          <ftp>ftp</ftp>
-          <ntp>ntp</ntp>
-          <audit>audit</audit>
-          <alert>alert</alert>
-          <cron>cron</cron>
-          <local0>local0</local0>
-          <local1>local1</local1>
-          <local2>local2</local2>
-          <local3>local3</local3>
-          <local4>local4</local4>
-          <local5>local5</local5>
-          <local6>local6</local6>
-          <local7>local7</local7>
-        </OptionValues>
-        <Required>Y</Required>
-        <Default>local7</Default>
-      </facility>
-      <severity type="OptionField">
-        <OptionValues>
-          <debug>debug</debug>
-          <info>info</info>
-          <notice>notice</notice>
-          <warn>warn</warn>
-          <error>error</error>
-          <crit>crit</crit>
-          <alert>alert</alert>
-          <emerg>emerg</emerg>
-        </OptionValues>
-        <Required>Y</Required>
-        <Default>error</Default>
-      </severity>
-      <tag type="TextField">
-        <Required>N</Required>
-        <Mask>/[a-z][a-z0-9]*/i</Mask>
-      </tag>
-      <nohostname type="BooleanField">
-        <Required>Y</Required>
-        <Default>N</Default>
-      </nohostname>
-    </syslog_target>
-  </items>
+                <Required>Y</Required>
+            </data>
+            <default_action type="OptionField">
+                <OptionValues>
+                    <deny>Deny Access</deny>
+                    <allow>Allow Access</allow>
+                </OptionValues>
+            </default_action>
+        </ip_acl>
+        <ip_acl_item type="ArrayField">
+            <network type="NetworkField">
+                <Required>Y</Required>
+            </network>
+            <action type="OptionField">
+                <Default>deny</Default>
+                <OptionValues>
+                    <deny>Deny Access</deny>
+                    <allow>Allow Access</allow>
+                </OptionValues>
+                <Required>Y</Required>
+            </action>
+        </ip_acl_item>
+        <resolver type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+                <Mask>/^[^" \t]+$/i</Mask>
+            </description>
+            <address type="CSVListField">
+                <Required>Y</Required>
+                <Multiple>Y</Multiple>
+                <Mask>/^(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*)(?:\s*,\s*(?:(?:(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\[[a-f0-9:]{1,4}(?::[a-f0-9:]{0,4}){1,7}\]))(:\d+|:?\d+)*))*$/i</Mask>
+                <ValidationMessage>Please provide a valid resolver address, i.e. 8.8.8.8, [2001:4860:4860::8888], 8.8.8.8:5353.</ValidationMessage>
+            </address>
+            <valid type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </valid>
+            <ipv4_off type="BooleanField">
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>Can not disable all record types.</ValidationMessage>
+                        <type>SingleSelectConstraint</type>
+                        <addFields>
+                            <field1>ipv6_off</field1>
+                        </addFields>
+                    </check001>
+                </Constraints>
+            </ipv4_off>
+            <ipv6_off type="BooleanField">
+                <Constraints>
+                    <check001>
+                        <reference>ipv4_off.check001</reference>
+                    </check001>
+                </Constraints>
+            </ipv6_off>
+            <timeout type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </timeout>
+        </resolver>
+        <http_rewrite type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+                <Mask>/^[^" \t]+$/i</Mask>
+            </description>
+            <source type="TextField">
+                <Required>Y</Required>
+            </source>
+            <destination type="TextField">
+                <Required>Y</Required>
+                <Mask>/^[^" \t]+$/i</Mask>
+            </destination>
+            <flag type="OptionField">
+                <OptionValues>
+                    <break>Stop processing rules</break>
+                    <last>Stop processing rules and find location</last>
+                    <redirect>Redirect</redirect>
+                    <permanent>Permanent</permanent>
+                </OptionValues>
+            </flag>
+        </http_rewrite>
+        <security_header type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <referrer type="OptionField">
+                <OptionValues>
+                    <no-referrer>No Referrer</no-referrer>
+                    <no-referrer-when-downgrade>No Referrer When Downgrading</no-referrer-when-downgrade>
+                    <same-origin>Same Origin (recommended)</same-origin>
+                    <origin>Origin</origin>
+                    <strict-origin>Strict Origin</strict-origin>
+                    <strict-origin-when-cross-origin>Strict Origin When Cross Origin</strict-origin-when-cross-origin>
+                    <origin-when-cross-origin>Origin When Cross Origin</origin-when-cross-origin>
+                    <unsafe-url>Unsafe URL</unsafe-url>
+                </OptionValues>
+            </referrer>
+            <xssprotection type="OptionField">
+                <OptionValues>
+                    <val1 value="1; mode=block">Block</val1>
+                    <val2 value="0">Off</val2>
+                    <val3 value="1">On</val3>
+                </OptionValues>
+            </xssprotection>
+            <content_type_options type="BooleanField">
+                <Required>Y</Required>
+            </content_type_options>
+            <strict_transport_security_time type="IntegerField"/>
+            <strict_transport_security_include_subdomains type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </strict_transport_security_include_subdomains>
+            <strict_transport_security_preload type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </strict_transport_security_preload>
+            <enable_csp type="BooleanField">
+                <Required>Y</Required>
+            </enable_csp>
+            <csp_log_violations type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_log_violations>
+            <csp_report_only type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_report_only>
+            <csp_default_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_enabled>
+            <csp_default_src_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_data_urls>
+            <csp_default_src_http_urls type="CSVListField"/>
+            <csp_default_src_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_inline>
+            <csp_default_src_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_eval>
+            <csp_default_src_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_self>
+            <csp_default_src_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_blob>
+            <csp_default_src_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_mediastream>
+            <csp_default_src_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_filesystem>
+            <csp_default_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_default_src_none>
+            <csp_script_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_enabled>
+            <csp_script_src_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_data_urls>
+            <csp_script_src_http_urls type="CSVListField"/>
+            <csp_script_src_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_inline>
+            <csp_script_src_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_eval>
+            <csp_script_src_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_self>
+            <csp_script_src_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_blob>
+            <csp_script_src_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_mediastream>
+            <csp_script_src_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_filesystem>
+            <csp_script_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_script_src_none>
+            <csp_img_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_enabled>
+            <csp_img_src_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_data_urls>
+            <csp_img_src_http_urls type="CSVListField"/>
+            <csp_img_src_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_inline>
+            <csp_img_src_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_eval>
+            <csp_img_src_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_self>
+            <csp_img_src_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_blob>
+            <csp_img_src_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_mediastream>
+            <csp_img_src_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_filesystem>
+            <csp_img_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_img_src_none>
+            <csp_style_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_enabled>
+            <csp_style_src_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_data_urls>
+            <csp_style_src_http_urls type="CSVListField"/>
+            <csp_style_src_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_inline>
+            <csp_style_src_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_eval>
+            <csp_style_src_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_self>
+            <csp_style_src_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_blob>
+            <csp_style_src_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_mediastream>
+            <csp_style_src_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_filesystem>
+            <csp_style_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_style_src_none>
+            <csp_media_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_enabled>
+            <csp_media_src_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_data_urls>
+            <csp_media_src_http_urls type="CSVListField"/>
+            <csp_media_src_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_inline>
+            <csp_media_src_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_eval>
+            <csp_media_src_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_self>
+            <csp_media_src_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_blob>
+            <csp_media_src_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_mediastream>
+            <csp_media_src_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_filesystem>
+            <csp_media_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_media_src_none>
+            <csp_font_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_enabled>
+            <csp_font_src_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_data_urls>
+            <csp_font_src_http_urls type="CSVListField"/>
+            <csp_font_src_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_inline>
+            <csp_font_src_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_eval>
+            <csp_font_src_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_self>
+            <csp_font_src_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_blob>
+            <csp_font_src_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_mediastream>
+            <csp_font_src_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_filesystem>
+            <csp_font_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_font_src_none>
+            <csp_frame_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_enabled>
+            <csp_frame_src_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_data_urls>
+            <csp_frame_src_http_urls type="CSVListField"/>
+            <csp_frame_src_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_inline>
+            <csp_frame_src_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_eval>
+            <csp_frame_src_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_self>
+            <csp_frame_src_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_blob>
+            <csp_frame_src_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_mediastream>
+            <csp_frame_src_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_filesystem>
+            <csp_frame_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_src_none>
+            <csp_frame_ancestors_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_ancestors_enabled>
+            <csp_frame_ancestors_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_ancestors_data_urls>
+            <csp_frame_ancestors_http_urls type="CSVListField"/>
+            <csp_frame_ancestors_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_ancestors_self>
+            <csp_frame_ancestors_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_ancestors_blob>
+            <csp_frame_ancestors_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_ancestors_mediastream>
+            <csp_frame_ancestors_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_ancestors_filesystem>
+            <csp_frame_ancestors_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_frame_ancestors_none>
+            <csp_connect_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_connect_src_enabled>
+            <csp_connect_src_http_urls type="CSVListField"/>
+            <csp_connect_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_connect_src_none>
+            <csp_worker_src_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_worker_src_enabled>
+            <csp_worker_src_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_worker_src_data_urls>
+            <csp_worker_src_http_urls type="CSVListField"/>
+            <csp_worker_src_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_worker_src_inline>
+            <csp_worker_src_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_worker_src_eval>
+            <csp_worker_src_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_worker_src_self>
+            <csp_worker_src_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_worker_src_blob>
+            <csp_worker_src_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_worker_src_filesystem>
+            <csp_worker_src_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_worker_src_none>
+            <csp_form_action_enabled type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_enabled>
+            <csp_form_action_data_urls type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_data_urls>
+            <csp_form_action_http_urls type="CSVListField"/>
+            <csp_form_action_inline type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_inline>
+            <csp_form_action_eval type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_eval>
+            <csp_form_action_self type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_self>
+            <csp_form_action_blob type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_blob>
+            <csp_form_action_mediastream type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_mediastream>
+            <csp_form_action_filesystem type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_filesystem>
+            <csp_form_action_none type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </csp_form_action_none>
+        </security_header>
+        <limit_zone type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <key type="OptionField">
+                <Default>binary_remote_addr</Default>
+                <OptionValues>
+                    <binary_remote_addr>Remote IP Address</binary_remote_addr>
+                </OptionValues>
+                <Required>Y</Required>
+            </key>
+            <rate_unit type="OptionField">
+                <Default>r/s</Default>
+                <OptionValues>
+                    <val1 value="r/s">Requests Per Second</val1>
+                    <val2 value="r/m">Requests Per Minute</val2>
+                </OptionValues>
+                <Required>Y</Required>
+            </rate_unit>
+            <size type="IntegerField">
+                <Required>Y</Required>
+                <Default>10</Default>
+                <MinimumValue>1</MinimumValue>
+            </size>
+            <rate type="IntegerField">
+                <Required>Y</Required>
+                <Default>20</Default>
+                <MinimumValue>1</MinimumValue>
+            </rate>
+        </limit_zone>
+        <errorpage type="ArrayField">
+            <name type="TextField">
+                <Required>Y</Required>
+            </name>
+            <statuscodes type="OptionField">
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <status_400 value="400">400 Bad Request</status_400>
+                    <status_401 value="401">401 Unauthorized</status_401>
+                    <status_403 value="403">403 Forbidden</status_403>
+                    <status_404 value="404">404 Not Found</status_404>
+                    <status_405 value="405">405 Method Not Allowed</status_405>
+                    <status_407 value="407">407 Proxy Authentication Required</status_407>
+                    <status_408 value="408">408 Request Timeout</status_408>
+                    <status_410 value="410">410 Gone</status_410>
+                    <status_415 value="415">415 Unsupported Media Type</status_415>
+                    <status_429 value="429">429 Too Many Requests</status_429>
+                    <status_431 value="431">431 Request Header Fields Too Large</status_431>
+                    <status_500 value="500">500 Internal Server Error</status_500>
+                    <status_501 value="501">501 Not Implemented</status_501>
+                    <status_502 value="502">502 Bad Gateway</status_502>
+                    <status_503 value="503">503 Service Unavailable</status_503>
+                    <status_504 value="504">504 Gateway Timeout</status_504>
+                </OptionValues>
+                <Required>Y</Required>
+            </statuscodes>
+            <pagecontent type="Base64Field">
+                <Constraints>
+                    <check001>
+                        <type>SingleSelectConstraint</type>
+                        <ValidationMessage>Page content is required if redirect is not used and needs to be empty otherwise.</ValidationMessage>
+                        <addFields>
+                            <field1>redirect</field1>
+                        </addFields>
+                        <isRequired>Y</isRequired>
+                    </check001>
+                </Constraints>
+            </pagecontent>
+            <redirect type="UrlField">
+                <Constraints>
+                    <check001>
+                        <reference>pagecontent.check001</reference>
+                    </check001>
+                </Constraints>
+            </redirect>
+            <response type="OptionField">
+                <OptionValues>
+                    <status_200 value="200">200 OK</status_200>
+                    <status_300 value="300">300 Multiple Choice</status_300>
+                    <status_301 value="301">301 Moved Permanently</status_301>
+                    <status_302 value="302">302 Found</status_302>
+                    <status_401 value="401">401 Unauthorized</status_401>
+                    <status_403 value="403">403 Forbidden</status_403>
+                    <status_404 value="404">404 Not Found</status_404>
+                    <status_451 value="451">451 Unavailable For Legal Reasons</status_451>
+                    <status_500 value="500">500 Internal Server Error</status_500>
+                    <status_503 value="503">503 Service Unavailable</status_503>
+                </OptionValues>
+            </response>
+        </errorpage>
+        <tls_fingerprint type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <user_agent type="TextField">
+                <Required>Y</Required>
+            </user_agent>
+            <trusted type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </trusted>
+            <curves type="TextField">
+                <!-- OpenSSL curve list like the one used for configuring the supported ciphers by the web server -->
+                <Mask>/^(0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)(?::((0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)))*$/</Mask>
+            </curves>
+            <ciphers type="TextField">
+                <!-- OpenSSL cipher list like the one used for configuring the supported ciphers by the web server -->
+                <Required>Y</Required>
+                <Mask>/^(0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)(?::((0x[0-9a-fA-F]{4,4}|[a-zA-Z_\-0-9]+)))*$/</Mask>
+            </ciphers>
+        </tls_fingerprint>
+        <limit_request_connection type="ArrayField">
+            <limit_zone type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Nginx.Nginx</source>
+                        <items>limit_zone</items>
+                        <display>description</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Selected limit zone not found.</ValidationMessage>
+                <Required>Y</Required>
+                <Multiple>Y</Multiple>
+            </limit_zone>
+            <connection_count type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>Y</Required>
+                <Default>5</Default>
+            </connection_count>
+            <burst type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </burst>
+            <nodelay type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </nodelay>
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+        </limit_request_connection>
+        <ban type="ArrayField">
+            <ip type="NetworkField">
+                <Required>Y</Required>
+            </ip>
+            <time type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+            </time>
+        </ban>
+        <cache_path type="ArrayField">
+            <path type="TextField">
+                <Required>Y</Required>
+                <Mask>/\/(srv|var|tmp|mnt)[a-z0-9\-\._\:\,\/]+[a-z0-9\-\._\:\,]+/i</Mask>
+            </path>
+            <size type="IntegerField">
+                <MinimumValue>10</MinimumValue>
+            </size>
+            <inactive type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </inactive>
+            <use_temp_path type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </use_temp_path>
+            <max_size type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </max_size>
+        </cache_path>
+        <proxy_cache_valid type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+                <Mask>/^[^" \t]+$/i</Mask>
+            </description>
+            <code type="CSVListField">
+                <Required>Y</Required>
+                <Default>any</Default>
+                <Multiple>Y</Multiple>
+                <Mask>/(^\d{3}(,\d{3})*$)|(^any$)/</Mask>
+                <ValidationMessage>Please use three digit response code(s) or use "any" word.</ValidationMessage>
+            </code>
+            <valid type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>Y</Required>
+            </valid>
+        </proxy_cache_valid>
+        <syslog_target type="ArrayField">
+            <description type="TextField">
+                <Required>Y</Required>
+            </description>
+            <host type="HostnameField">
+                <Required>Y</Required>
+            </host>
+            <port type="PortField"/>
+            <facility type="OptionField">
+                <OptionValues>
+                    <kern>kern</kern>
+                    <user>user</user>
+                    <mail>mail</mail>
+                    <daemon>daemon</daemon>
+                    <auth>auth</auth>
+                    <intern>intern</intern>
+                    <lpr>lpr</lpr>
+                    <news>news</news>
+                    <uucp>uucp</uucp>
+                    <clock>clock</clock>
+                    <authpriv>authpriv</authpriv>
+                    <ftp>ftp</ftp>
+                    <ntp>ntp</ntp>
+                    <audit>audit</audit>
+                    <alert>alert</alert>
+                    <cron>cron</cron>
+                    <local0>local0</local0>
+                    <local1>local1</local1>
+                    <local2>local2</local2>
+                    <local3>local3</local3>
+                    <local4>local4</local4>
+                    <local5>local5</local5>
+                    <local6>local6</local6>
+                    <local7>local7</local7>
+                </OptionValues>
+                <Required>Y</Required>
+                <Default>local7</Default>
+            </facility>
+            <severity type="OptionField">
+                <OptionValues>
+                    <debug>debug</debug>
+                    <info>info</info>
+                    <notice>notice</notice>
+                    <warn>warn</warn>
+                    <error>error</error>
+                    <crit>crit</crit>
+                    <alert>alert</alert>
+                    <emerg>emerg</emerg>
+                </OptionValues>
+                <Required>Y</Required>
+                <Default>error</Default>
+            </severity>
+            <tag type="TextField">
+                <Mask>/[a-z][a-z0-9]*/i</Mask>
+            </tag>
+            <nohostname type="BooleanField">
+                <Required>Y</Required>
+                <Default>N</Default>
+            </nohostname>
+        </syslog_target>
+    </items>
 </model>

From 62d1a653aa6d0e0440bd8e2d322bcfc26a05532c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 6 Sep 2025 18:56:43 +0200
Subject: [PATCH 2643/3088] security/netbird: release 1.0

---
 README.md                 | 2 +-
 security/netbird/Makefile | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 9c86888599..86e0a520a8 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,7 @@ security/intrusion-detection-content-et-pro -- IDS Proofpoint ET Pro ruleset (ne
 security/intrusion-detection-content-pt-open -- IDS Positive Technologies ESC ruleset
 security/intrusion-detection-content-snort-vrt -- IDS Snort VRT ruleset (needs registration or subscription)
 security/maltrail -- Malicious traffic detection system
-security/netbird -- Peer-to-peer VPN that seamlessly connects your devices (development only)
+security/netbird -- Peer-to-peer VPN that seamlessly connects your devices
 security/openconnect -- OpenConnect Client
 security/openvpn-legacy -- OpenVPN legacy support
 security/strongswan-legacy -- IPsec legacy support
diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index 94eb027d84..ac9352a27d 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,10 +1,8 @@
 PLUGIN_NAME=		netbird
-PLUGIN_VERSION=		0.2
-PLUGIN_REVISION=		1
+PLUGIN_VERSION=		1.0
 PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
 PLUGIN_MAINTAINER=	dev@netbird.io
 PLUGIN_WWW=		https://netbird.io
-PLUGIN_DEVEL=		yes
 
 .include "../../Mk/plugins.mk"

From e5f37015bd6954917d1f2f5c1f175cf193e0f160 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 6 Sep 2025 18:58:12 +0200
Subject: [PATCH 2644/3088] dns/bind: bump revision

---
 dns/bind/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index d1c8e3f2d7..4d98f7a4b3 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		bind
 PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind920
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From f83e65f09cd6ef67d1afec687a37917d3c2c2d4f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 6 Sep 2025 18:58:46 +0200
Subject: [PATCH 2645/3088] net-mgmt/zabbix-agent: bump revision

---
 net-mgmt/zabbix-agent/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index 796854acee..d602f69dbb 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		zabbix-agent
 PLUGIN_VERSION=		1.16
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6

From 98ce5cbdcefdfdf0546e2195c9900f70d1729df9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 6 Sep 2025 19:01:27 +0200
Subject: [PATCH 2646/3088] net/haproxy: slight reformat using xmllint,
 removing spurious values where reformatted

---
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml      | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index e4704470a9..e1a40e1c57 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1366,11 +1366,9 @@
                     <Required>N</Required>
                 </port>
                 <checkport type="IntegerField">
-                    <Default></Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 65535.</ValidationMessage>
-                    <Required>N</Required>
                 </checkport>
                 <mode type="OptionField">
                     <Required>N</Required>
@@ -1565,18 +1563,16 @@
                     <Mask>/^([0-9a-zA-Z._\-]){1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
-                </sslSNI >
+                </sslSNI>
                 <!-- XXX: old value, required for model migration to 3.5.0 -->
                 <force_ssl type="BooleanField">
                     <Default>0</Default>
                     <Required>N</Required>
                 </force_ssl>
                 <checkport type="IntegerField">
-                    <Default></Default>
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>65535</MaximumValue>
                     <ValidationMessage>Please specify a value between 1 and 65535.</ValidationMessage>
-                    <Required>N</Required>
                 </checkport>
                 <http_method type="OptionField">
                     <Required>N</Required>
@@ -2522,13 +2518,13 @@
                     <Required>N</Required>
                 </useServer>
                 <actionName type="TextField">
-                     <Required>N</Required>
+                    <Required>N</Required>
                 </actionName>
                 <actionFind type="TextField">
-                     <Required>N</Required>
+                    <Required>N</Required>
                 </actionFind>
                 <actionValue type="TextField">
-                     <Required>N</Required>
+                    <Required>N</Required>
                 </actionValue>
                 <map_use_backend_file type="ModelRelationField">
                     <Model>

From 8a43cb1c3f6d82ca83d47563a060b53925bcfaad Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 6 Sep 2025 19:02:12 +0200
Subject: [PATCH 2647/3088] net/freeradius: bump revision

---
 net/freeradius/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index b40352f967..09a4dcbc37 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.27
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From c3e9db2911f609f743bd355045771cb1faeb8f82 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 6 Sep 2025 19:03:46 +0200
Subject: [PATCH 2648/3088] security/acme-client: model style where reformat
 took place

(This model is really clean regarding indend, nice)
---
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml        | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index e9dbfa6d1e..9534d4beff 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1491,10 +1491,7 @@
                     <ValidationMessage>Select a command from the list.</ValidationMessage>
                     <Required>N</Required>
                 </configd_generic_command>
-                <acme_synology_dsm_hostname type="HostnameField">
-                    <Default></Default>
-                    <Required>N</Required>
-                </acme_synology_dsm_hostname>
+                <acme_synology_dsm_hostname type="HostnameField"/>
                 <acme_synology_dsm_port type="PortField">
                     <Default>5000</Default>
                     <Required>N</Required>

From 439e6f9b26d69672e89ba3cc4a6494ee7ded9723 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Sep 2025 08:02:22 +0200
Subject: [PATCH 2649/3088] www/nginx: style sweep

---
 www/nginx/src/opnsense/scripts/nginx/setup.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 2e92730c29..e8722930dc 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -123,7 +123,7 @@ function find_ca($refid)
                 syslog(LOG_DEBUG, "NGINX setup: Setting up the CA certs for {$hostname}.");
                 $ca_certs = [];
                 foreach ($http_server['ca'] as $carefs) {
-                    foreach(explode(',', $carefs) as $caref) {
+                    foreach (explode(',', $carefs) as $caref) {
                         syslog(LOG_DEBUG, "NGINX setup: Searching for {$caref} CA data");
                         $ca = find_ca($caref);
                         if (isset($ca)) {

From 877ebf20ed3919bf4a7e480421b4c7aff92e14f6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Sep 2025 13:21:35 +0200
Subject: [PATCH 2650/3088] security/etpro-telemetry: netaddr going away from
 core

---
 security/etpro-telemetry/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index c45747de65..4a2a4779bf 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -3,6 +3,7 @@ PLUGIN_VERSION=		1.7
 PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
+PLUGIN_DEPENDS=		py${PLUGIN_PYTHON}-netaddr
 PLUGIN_WWW=		https://docs.opnsense.org/manual/etpro_telemetry.html
 PLUGIN_TIER=		2
 

From 3f298fc57ffa5f98cbe1bddd3ad417ba426b69e5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Sep 2025 19:33:00 +0200
Subject: [PATCH 2651/3088] www/caddy: fix for #4930

Best practice vs. reality, flagged in code audit but reality had other plans.
---
 www/caddy/Makefile                                            | 1 +
 www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 652ac84d7b..02dbe94acc 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		2.0.3
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index c8e860d455..bcf424ece4 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -43,7 +43,8 @@
     }
 };
 
-$tempDir = '/usr/local/etc/caddy/certificates';
+/* XXX used later to only append a file name */
+$tempDir = '/usr/local/etc/caddy/certificates/';
 
 // leaf certificate chain
 $certificateRefs = [];

From c80d04f840beb5d5ba0301e5ed41a50fdcfd52e8 Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Fri, 12 Sep 2025 13:25:41 +0300
Subject: [PATCH 2652/3088] chrony: fixes entity rendering (small fix) (#4904)

---
 net/chrony/Makefile                                             | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index 02436f088c..d4d807ea8b 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		chrony
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Chrony time synchronisation
 PLUGIN_DEPENDS=		chrony
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt b/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
index 308d4c4eaf..40d7552e95 100644
--- a/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
+++ b/net/chrony/src/opnsense/mvc/app/views/OPNsense/Chrony/general.volt
@@ -62,7 +62,7 @@
 // Put API call into a function, needed for auto-refresh
 function update_chronysources() {
     ajaxCall(url="/api/chrony/service/chronysources", sendData={}, callback=function(data,status) {
-        $("#listchronysources").text(data['response']);
+        $("#listchronysources").text($('<div>').html(data['response']).text());
     });
 }
 

From d3d38c928c28acec3aeb390ad13a4cefaa6ad444 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Sat, 13 Sep 2025 07:16:53 +0200
Subject: [PATCH 2653/3088] net/zabbix-X: Add 7.4 variant to pluing (#4935)

---
 net-mgmt/zabbix-agent/Makefile  | 8 +++++---
 net-mgmt/zabbix-agent/pkg-descr | 4 ++++
 net-mgmt/zabbix-proxy/Makefile  | 7 +++++--
 net-mgmt/zabbix-proxy/pkg-descr | 4 ++++
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index d602f69dbb..f43fb87e7d 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,9 +1,8 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.16
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.17
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6
+PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
 
 zabbix7_NAME=		zabbix7-agent
 zabbix7_DEPENDS=	zabbix7-agent
@@ -11,6 +10,9 @@ zabbix7_DEPENDS=	zabbix7-agent
 zabbix72_NAME=		zabbix72-agent
 zabbix72_DEPENDS=	zabbix72-agent
 
+zabbix74_NAME=		zabbix74-agent
+zabbix74_DEPENDS=	zabbix74-agent
+
 zabbix6_NAME=		zabbix6-agent
 zabbix6_DEPENDS=	zabbix6-agent
 
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 0cae91b594..52f1c1c6ed 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.17
+
+* Plugin variant for Zabbix Agent 7.4
+
 1.16
 
 Changed:
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 228a5a6437..a33852cc92 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,8 +1,8 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.13
+PLUGIN_VERSION=		1.14
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix6
+PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
 
 zabbix7_NAME=		zabbix7-proxy
 zabbix7_DEPENDS=	zabbix7-proxy
@@ -10,6 +10,9 @@ zabbix7_DEPENDS=	zabbix7-proxy
 zabbix72_NAME=		zabbix72-proxy
 zabbix72_DEPENDS=	zabbix72-proxy
 
+zabbix74_NAME=		zabbix74-proxy
+zabbix74_DEPENDS=	zabbix74-proxy
+
 zabbix6_NAME=		zabbix6-proxy
 zabbix6_DEPENDS=	zabbix6-proxy
 
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 7de9a21811..43ff9d9624 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.14
+
+* Add plugin variant for Zabbix Proxy 7.4
+
 1.13
 
 * Removed plugin variant for Zabbox Proxy 5.0 which is EoL

From 71ecb9a1d84d05ba087813ef66d5dbcbb5212d92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaka=20Pra=C5=A1nikar?= <Jackysi@users.noreply.github.com>
Date: Mon, 15 Sep 2025 13:56:09 +0200
Subject: [PATCH 2654/3088] theme-advanced update to 1.1 (#4939)

---
 misc/theme-advanced/Makefile                  |   5 +-
 .../bootstrap-select/less/variables.less      |   2 +-
 .../sass/bootstrap-select.scss                |   2 +-
 .../bootstrap-select/sass/variables.scss      |   2 +-
 .../assets/stylesheets/bootstrap/_tables.scss |   3 +-
 .../assets/stylesheets/dashboard.scss         |  11 +-
 .../advanced/assets/stylesheets/main.scss     |   2 +-
 .../assets/stylesheets/opnsense-bootgrid.scss | 488 ++++++++++++++++++
 .../themes/advanced/build/css/dashboard.css   |   2 +-
 .../advanced/build/css/opnsense-bootgrid.css  |   1 +
 10 files changed, 498 insertions(+), 20 deletions(-)
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/opnsense-bootgrid.scss
 create mode 100644 misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/opnsense-bootgrid.css

diff --git a/misc/theme-advanced/Makefile b/misc/theme-advanced/Makefile
index 2c4c80b3b5..ae1b635286 100644
--- a/misc/theme-advanced/Makefile
+++ b/misc/theme-advanced/Makefile
@@ -1,9 +1,8 @@
 PLUGIN_NAME=		theme-advanced
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		OPNsense theme based on AdvancedTomato GUI
 PLUGIN_MAINTAINER=	jacky@prahec.com
-PLUGIN_WWW=		https://prahec.com/
+PLUGIN_WWW=			https://prahec.com/
 PLUGIN_NO_ABI=		yes
 
 .include "../../Mk/plugins.mk"
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
index 97a510c23a..19e94a8dfb 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
@@ -4,4 +4,4 @@
 
 @width-default: 348px; // 3 960px-grid columns
 
-@zindex-select-dropdown: 1035; // must be lower than a modal background (1040) but higher than the fixed navbar (1030)
+@zindex-select-dropdown: 1035; // must be lower than a modal background (1040) but higher than the fixed navbar (1030)
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
index 32b852e26f..ce955acc9a 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
@@ -516,4 +516,4 @@ select.selectpicker {
     width: 100%;
     float: none;
   }
-}
+}
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
index 6e9c8af262..555ef10fcf 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
@@ -14,4 +14,4 @@ $input-padding-y-sm: .25rem !default;
 $input-padding-x-sm: .5rem !default;
 
 $input-padding-y-lg: 0.5rem !default;
-$input-padding-x-lg: 1rem !default;
+$input-padding-x-lg: 1rem !default;
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
index 2e5f9a51dc..1cdca5cfdc 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
@@ -13,7 +13,6 @@ th {
 
 
 // Baseline styles
-
 .table {
   width: 100%;
   max-width: 100%;
@@ -233,4 +232,4 @@ table {
 
     }
   }
-}
+}
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
index 7a7d96579d..d3b2a4313d 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
@@ -128,20 +128,11 @@ td {
     word-break: break-all;
 }
 
-.canvas-container-noaspectratio {
-    position: relative;
-}
 
 .canvas-container {
     position: relative;
 }
 
-.canvas-container > canvas {
-    /* ChartJS v4 workaround: https://github.com/chartjs/Chart.js/issues/11005 */
-    width: 100% !important;
-    height: 100% !important;
-}
-
 .cpu-canvas-container {
     display: flex;
     flex-direction: column;
@@ -356,4 +347,4 @@ div {
     display: flex;
     align-items: center;
     justify-content: center;
-}
+}
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
index 3dd6c75aa1..06813493cc 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
@@ -1284,4 +1284,4 @@ table#tunable.bootgrid-table td {
 #grid-log th[data-column-id="__timestamp__"],
 #filter-log-entries th[data-column-id="__timestamp__"] {
     min-width: 3.5em;
-}
+}
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/opnsense-bootgrid.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/opnsense-bootgrid.scss
new file mode 100644
index 0000000000..1fc6fac887
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/opnsense-bootgrid.scss
@@ -0,0 +1,488 @@
+$colors: (
+        default: #536270,
+        primary: #51aded,
+        navbg: #263238,
+        lightgrey: #f7f7f7,
+        lightergrey: #fbfbfb,
+        darkgrey: #3c3c3b,
+        bordergrey: #eaeaea,
+);
+
+@import "bootstrap/variables";
+
+/**
+* Customized
+*/
+@mixin button-variant($color, $background, $border) {
+    color: $color;
+    background-color: $background;
+    border-color: $border;
+
+    &:hover,
+    &:focus,
+    &:active,
+    &.active,
+    .open > &.dropdown-toggle,
+    :not(disabled):hover {
+        color: $color !important;
+        background-color: darken($background, 10%) !important;
+        border-color: darken($border, 12%) !important;
+    }
+    &:active,
+    &.active,
+    .open > &.dropdown-toggle {
+        background-image: none;
+    }
+    &.disabled,
+    &[disabled],
+    fieldset[disabled] & {
+        &,
+        &:hover,
+        &:focus,
+        &:active,
+        &.active {
+            background-color: $background;
+            border-color: $border;
+        }
+    }
+
+    .badge {
+        color: $background;
+        background-color: $color;
+    }
+}
+
+// Button sizes
+@mixin button-size($padding-vertical, $padding-horizontal, $font-size, $line-height, $border-radius) {
+    padding: $padding-vertical $padding-horizontal;
+    font-size: $font-size;
+    line-height: $line-height;
+    border-radius: $border-radius;
+}
+
+
+/**
+* Main theming elements
+*/
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover {
+    background-color: #FBFBFB;
+}
+
+.tabulator .tabulator-headers {
+    height: 100% !important; /* make sure the border below appears */
+}
+
+/*------------*/
+/* theme: body */
+.tabulator .tabulator-tableholder .tabulator-table {
+    background-color: transparent;
+}
+
+.tabulator-row {
+    background-color: transparent;
+    color: #373736;
+}
+
+.tabulator-row.tabulator-row-odd {
+    background-color: #FBFBFB;
+}
+
+.tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected) {
+    background-color: $table-bg-hover;
+}
+
+.tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected) {
+    background-color: $table-bg-hover;
+}
+
+.tabulator .tabulator-tableholder {
+    background-color: transparent;
+}
+
+.tabulator-row.tabulator-selected {
+    background-color: #e3e8f0;
+}
+
+.tabulator-row.tabulator-selected:hover {
+    cursor: pointer;
+    background-color: #e3e8f0;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+    color: #373736; /* spinner icon */
+}
+
+/* Command column styles */
+.tabulator-col.tabulator-frozen.tabulator-frozen-right {
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right {
+}
+
+/* Tabulator groupBy row styles */
+.tabulator-row.tabulator-group {
+    border: none;
+    pointer-events: none;
+}
+
+.tabulator-row.tabulator-group span {
+    margin-left: 0;
+    color: #373736;
+}
+
+.tabulator-row .badge.chip {
+    background-color: #31708f;
+    color: #FFF;
+    font-size: 10px;
+    padding: 2px 4px;
+    position: relative;
+    top: -1px;
+}
+
+.tabulator-row.tabulator-group .tabulator-group-toggle,
+.tabulator-row.tabulator-group .tabulator-group-toggle * {
+    pointer-events: auto;
+}
+
+.tabulator-row.tabulator-group:has(> .tabulator-group-toggle:only-child) {
+    display: none; /* Trick to hide empty groupBy header rows */
+}
+
+/*------------*/
+/* theme: cells */
+.tabulator-row .tabulator-cell {
+    text-overflow: ellipsis;
+    white-space: nowrap;
+    line-height: 1.2;
+    vertical-align: top;
+}
+
+/*-------------*/
+/* theme: footer */
+.tabulator .tabulator-footer {
+    border-top: none;
+    background-color: transparent;
+}
+
+.tabulator-page-counter {
+    color: #373736;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator {
+    color: #373736;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+
+}
+
+/*----------*/
+/* end of main theming elements */
+.tabulator-paginator {
+    flex: 0 !important;
+}
+
+.tabulator-page-counter {
+    flex: 1;
+    text-align: right;
+}
+
+.tabulator-col-sorter i {
+    display: flex;
+    justify-content: center;
+    align-items: center;
+}
+
+.tabulator .tabulator-header .tabulator-col {
+    padding: 5px;
+}
+
+.tabulator .tabulator-headers > :first-child {
+    padding-left: 10px;
+}
+
+.opnsense-bootgrid-responsive {
+    white-space: wrap !important;
+    text-overflow: inherit !important;
+    overflow: visible !important;
+    word-break: break-word !important;
+}
+
+.opnsense-bootgrid-ellipsis {
+    overflow: hidden !important;
+    white-space: nowrap !important;
+    text-overflow: ellipsis !important;
+}
+
+.tabulator-row > :first-child {
+    padding-left: 10px;
+}
+
+.tabulator .tabulator-header .tabulator-col .tabulator-col-content {
+    padding: 0px;
+}
+
+.tabulator-page-counter {
+    padding-right: 20px;
+}
+
+.bootgrid-footer-commands {
+    width: 90px;
+    padding-left: 8px;
+}
+
+.tabulator-tableholder::after {
+    content: "";
+    display: block;
+    width: 1px;
+    height: 1px;
+    min-width: 100%;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:first-child {
+    border-bottom-left-radius: 3px;
+    border-top-left-radius: 3px;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:last-child {
+    border-bottom-right-radius: 3px;
+    border-top-right-radius: 3px;
+}
+
+/* border line corrections and hover/selection behavior */
+.tabulator-row:first-child > .tabulator-cell {
+    border-top: none;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title {
+    padding: 0px;
+}
+
+/* Row highlight behavior */
+@keyframes highlight {
+    0% {
+        background: #ffff99;
+    }
+    100% {
+        background: none;
+    }
+}
+
+.highlight-bg {
+    animation: highlight 2s;
+}
+
+/* Tabulator "loading" and "error" overrides */
+.tabulator .tabulator-alert {
+    background: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+    border: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg {
+    background: initial;
+    font-size: 18px;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error {
+    border: none;
+}
+
+.bootgrid-placeholder {
+    font-size: 15px;
+    text-align: center;
+    white-space: normal;
+    font-weight: 400;
+    margin: 10px;
+}
+
+.bootgrid-overlay {
+    position: absolute;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    background: rgba(255, 255, 255, 0.5);
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    z-index: 99;
+}
+
+.overlay > i {
+    font-size: 20px;
+    color: black;
+}
+
+/**
+* Main theming elements for tabulator
+/* Base */
+.tabulator {
+    width: 100%;
+    font-family: Inter, system-ui, -apple-system, Segoe UI, Roboto, Arial, sans-serif;
+    font-size: 13px;
+    background: #fff;
+    border: 1px solid $table-border-color; /* .table-bordered */
+    border-radius: 0;
+}
+
+/* Header */
+.tabulator .tabulator-header {
+    background: #fff;
+    border-bottom: 1px solid $table-border-color; /* thead bottom border */
+    border-top: 0;
+    border-left: 0;
+    border-right: 0;
+}
+
+.tabulator .tabulator-header .tabulator-col {
+    background: transparent;
+    color: #333;
+    border-right: 1px solid $table-border-color; /* col separators */
+}
+
+.tabulator .tabulator-header .tabulator-col:last-child {
+    border-right: 0;
+}
+
+/* Header cell inner (align/padding like Bootstrap) */
+.tabulator .tabulator-header .tabulator-col .tabulator-col-content {
+    padding: 10px 0 10px 20px; /* th padding */
+    line-height: 1.428571429;
+}
+
+/* Sort hover (subtle) */
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable:hover {
+    background: #f5f5f5;
+}
+
+
+/* Body */
+.tabulator .tabulator-tableholder {
+    background: #fff;
+}
+
+.tabulator-row {
+    background: #fff;
+    color: #333;
+    border-top: 1px solid $table-border-color; /* row top border like Bootstrap */
+}
+
+/* Cells */
+.tabulator-row .tabulator-cell {
+    padding: 10px 0 10px 20px; /* td padding */
+    line-height: 1.428571429;
+    vertical-align: top;
+    border-right: 1px solid $table-border-color; /* col separators */
+    white-space: nowrap;
+    text-overflow: ellipsis;
+    overflow: hidden;
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left,
+.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left,
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left,
+.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left,
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right,
+.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right {
+    border-color: $table-border-color;
+    border-width: 1px;
+}
+
+.tabulator-row .tabulator-cell:last-child {
+    border-right: 0;
+}
+
+.tabulator-header {
+    .tabulator-row-header input,
+    .tabulator-cell input {
+        margin-left: -24px;
+    }
+}
+
+.tabulator-table {
+    .tabulator-row-header input,
+    .tabulator-cell input {
+        margin-left: -18px;
+    }
+}
+
+/* Striped (.table-striped) */
+.tabulator.tabulator-striped .tabulator-row:nth-child(odd) {
+    background: #fbfbfb;
+}
+
+/* Hover (.table-hover) */
+.tabulator.tabulator-hover .tabulator-row:hover {
+    background: $table-bg-hover !important;
+}
+
+/* Active state (matches .active bg) */
+.tabulator-row.tabulator-selected {
+    background: $table-bg-hover !important;
+}
+
+.tabulator-row.tabulator-selected:hover {
+    background: $table-bg-hover !important;
+}
+
+/* Footer (pagination) */
+.tabulator .tabulator-footer {
+    background: #fff;
+    border-top: 1px solid $table-border-color;
+    color: #555;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+    border: 1px solid $table-border-color;
+    background: #fff;
+    color: #333;
+    border-radius: 0;
+    margin: 0;
+    padding: 6px 12px; /* Bootstrap-like pager */
+
+    @include button-variant($btn-primary-color, $btn-primary-bg, $btn-primary-border);
+}
+
+@media (hover: hover) and (pointer: fine) {
+    .tabulator .tabulator-footer .tabulator-page:not(disabled):hover {
+    }
+}
+
+.tabulator-row.tabulator-row-even {
+    background-color: $table-bg
+}
+
+.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title {
+    overflow: visible;
+}
+
+
+.tabulator-row.tabulator-selected {
+    background-color: #9abcea
+}
+
+.tabulator .tabulator-alert {
+    align-items: center;
+    background: rgba(#fff, .5);
+    display: flex;
+    height: 100%;
+    left: 0;
+    position: absolute;
+    text-align: center;
+    top: 0;
+    width: 100%;
+    z-index: 100;
+}
+
+/**
+ * jQuery Bootstrap Grid
+ */
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item .dropdown-item-checkbox,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item .dropdown-item-checkbox {
+    margin: 0 8px 4px -8px !important;
+}
\ No newline at end of file
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
index 947ca20757..6b67121b1f 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/dashboard.css
@@ -1 +1 @@
-:root{--chart-js-background-color: #f7e2d6;--chart-js-border-color: #f6f6f6;--chart-js-font-color: #4b4b64}.btn-pressed,.btn-pressed:hover{color:#fff;background-color:#0086d9}#save-grid{position:relative;display:inline-flex;align-items:center;justify-content:center;width:50px;height:33px;margin-right:10px;transition:opacity .3s ease}#save-btn-text,#icon-container{position:absolute}#icon-container{display:inline-flex;align-items:center;justify-content:center}#save-spinner,#save-check{transition:opacity .3s ease,transform .3s ease}.transition-spinner,transition-check{transition:opacity .3s ease,transform .3s ease}.grid-stack-item-content{text-align:center;border:none !important;border-radius:.5em .5em .5em .5em;background-color:#fff;box-shadow:0 2px 4px rgba(40,40,50,.15),0 0 1px rgba(40,40,50,.35)}.widget-error{margin:50px;color:#721c24}.widget-content{position:relative;width:100%;height:100%;padding:1px;cursor:grab}.widget-header{font-size:14px;display:flex;align-items:center;justify-content:space-between;margin-top:.5em;margin-right:1em;margin-left:1em}.widget-spinner{margin-top:20px}.fa-stack.small{font-size:.5em}.close-handle,.edit-handle{padding:.2rem .5rem;cursor:pointer;text-align:right;vertical-align:middle}.close-handle>i,.edit-handle>i{font-size:1.2rem !important}.widget-header-left{display:flex;align-items:center;flex:1;justify-content:flex-start}.widget-command-container{display:flex;align-items:center;flex:1;justify-content:flex-end}.widget-title{display:flex;align-items:center;justify-content:center}.panel-divider{width:100%;height:8px;margin-bottom:10px;text-align:center}.panel-divider .line{display:none}td{word-break:break-all}.canvas-container-noaspectratio{position:relative}.canvas-container{position:relative}.canvas-container>canvas{width:100% !important;height:100% !important}.cpu-canvas-container{display:flex;flex-direction:column}.smoothie-container{width:100%}.smoothie-chart-tooltip{font-size:13px;z-index:1;padding-right:15px;padding-left:15px;pointer-events:none;color:#fff;border-radius:.5em .5em .5em .5em;background:rgba(50,50,50,.9)}.flex-container{display:flex;flex-wrap:nowrap;white-space:nowrap}.gateway-info{font-size:13px;margin:5px;padding:5px}.gateway-detail-container{display:none;margin:5px}.interface-info{display:flex;align-items:center;flex-wrap:wrap;height:100%}.nowrap{flex-wrap:nowrap}.gateway-graph{display:none}.flex-container>.gateway-graph{font-size:13px}.vertical-center-row{display:inline;height:100%}.interfaces-info{font-size:.8rem;margin:5px}.interface-descr{font-size:1em;margin-left:.8em;cursor:pointer;text-decoration:underline}.interfaces-detail-container{display:none;margin:5px}.d-flex{display:flex}.d-flex>.justify-content-start{justify-content:start}.d-flex>.justify-content-end{justify-content:end}#chartjs-toolip{z-index:20}.cpu-type{margin-top:10px;margin-bottom:10px}div{box-sizing:border-box}.flextable-container{display:block;width:95%;max-width:1200px;margin:2em auto}.flextable-header{display:flex;flex-flow:row wrap;padding:.5em .5em;transition:.5s;border-top:solid 1px rgba(0,119,217,.15) !important}.flextable-row{display:flex;align-items:center;flex-flow:row wrap;padding:.5em .5em;transition:.5s;border-top:solid 1px #e8eaef !important}.flextable-header .flex-cell{font-weight:bold}.flextable-row:hover{transition:500ms;background:#f5f5f5}.flex-cell{padding:4px 0;text-align:left;word-break:break-word}.column{display:flex;flex-flow:column wrap;width:50%;padding:0}.column .flex-cell{display:flex;flex-flow:row wrap;width:100%;padding:4px 0;border:0;border-top:#e8eaef}.column .flex-cell:hover{transition:500ms;background:#f5f5f5}.flex-subcell{width:100%;text-align:left}.column .flex-cell:not(:last-child){border-bottom:solid 1px #e8eaef !important}.grid-header-container{display:grid;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row{display:grid;transition:.5s;opacity:.4;border-top:1px solid #eff3f8;background-color:#d6e5f7;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row:hover{transition:500ms;background:#f5f5f5 !important}.grid-header{font-weight:bold;border-top:1px solid #eff3f8}.grid-item{padding:4px;text-align:center}.ovpn-common-name{display:flex;align-items:center;justify-content:center}/*# sourceMappingURL=dashboard.css.map */
+:root{--chart-js-background-color: #f7e2d6;--chart-js-border-color: #f6f6f6;--chart-js-font-color: #4b4b64}.btn-pressed,.btn-pressed:hover{color:#fff;background-color:#0086d9}#save-grid{position:relative;display:inline-flex;align-items:center;justify-content:center;width:50px;height:33px;margin-right:10px;transition:opacity .3s ease}#save-btn-text,#icon-container{position:absolute}#icon-container{display:inline-flex;align-items:center;justify-content:center}#save-spinner,#save-check{transition:opacity .3s ease,transform .3s ease}.transition-spinner,transition-check{transition:opacity .3s ease,transform .3s ease}.grid-stack-item-content{text-align:center;border:none !important;border-radius:.5em .5em .5em .5em;background-color:#fff;box-shadow:0 2px 4px rgba(40,40,50,.15),0 0 1px rgba(40,40,50,.35)}.widget-error{margin:50px;color:#721c24}.widget-content{position:relative;width:100%;height:100%;padding:1px;cursor:grab}.widget-header{font-size:14px;display:flex;align-items:center;justify-content:space-between;margin-top:.5em;margin-right:1em;margin-left:1em}.widget-spinner{margin-top:20px}.fa-stack.small{font-size:.5em}.close-handle,.edit-handle{padding:.2rem .5rem;cursor:pointer;text-align:right;vertical-align:middle}.close-handle>i,.edit-handle>i{font-size:1.2rem !important}.widget-header-left{display:flex;align-items:center;flex:1;justify-content:flex-start}.widget-command-container{display:flex;align-items:center;flex:1;justify-content:flex-end}.widget-title{display:flex;align-items:center;justify-content:center}.panel-divider{width:100%;height:8px;margin-bottom:10px;text-align:center}.panel-divider .line{display:none}td{word-break:break-all}.canvas-container{position:relative}.cpu-canvas-container{display:flex;flex-direction:column}.smoothie-container{width:100%}.smoothie-chart-tooltip{font-size:13px;z-index:1;padding-right:15px;padding-left:15px;pointer-events:none;color:#fff;border-radius:.5em .5em .5em .5em;background:rgba(50,50,50,.9)}.flex-container{display:flex;flex-wrap:nowrap;white-space:nowrap}.gateway-info{font-size:13px;margin:5px;padding:5px}.gateway-detail-container{display:none;margin:5px}.interface-info{display:flex;align-items:center;flex-wrap:wrap;height:100%}.nowrap{flex-wrap:nowrap}.gateway-graph{display:none}.flex-container>.gateway-graph{font-size:13px}.vertical-center-row{display:inline;height:100%}.interfaces-info{font-size:.8rem;margin:5px}.interface-descr{font-size:1em;margin-left:.8em;cursor:pointer;text-decoration:underline}.interfaces-detail-container{display:none;margin:5px}.d-flex{display:flex}.d-flex>.justify-content-start{justify-content:start}.d-flex>.justify-content-end{justify-content:end}#chartjs-toolip{z-index:20}.cpu-type{margin-top:10px;margin-bottom:10px}div{box-sizing:border-box}.flextable-container{display:block;width:95%;max-width:1200px;margin:2em auto}.flextable-header{display:flex;flex-flow:row wrap;padding:.5em .5em;transition:.5s;border-top:solid 1px rgba(0,119,217,.15) !important}.flextable-row{display:flex;align-items:center;flex-flow:row wrap;padding:.5em .5em;transition:.5s;border-top:solid 1px #e8eaef !important}.flextable-header .flex-cell{font-weight:bold}.flextable-row:hover{transition:500ms;background:#f5f5f5}.flex-cell{padding:4px 0;text-align:left;word-break:break-word}.column{display:flex;flex-flow:column wrap;width:50%;padding:0}.column .flex-cell{display:flex;flex-flow:row wrap;width:100%;padding:4px 0;border:0;border-top:#e8eaef}.column .flex-cell:hover{transition:500ms;background:#f5f5f5}.flex-subcell{width:100%;text-align:left}.column .flex-cell:not(:last-child){border-bottom:solid 1px #e8eaef !important}.grid-header-container{display:grid;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row{display:grid;transition:.5s;opacity:.4;border-top:1px solid #eff3f8;background-color:#d6e5f7;grid-template-columns:repeat(auto-fit, minmax(100px, 1fr))}.grid-row:hover{transition:500ms;background:#f5f5f5 !important}.grid-header{font-weight:bold;border-top:1px solid #eff3f8}.grid-item{padding:4px;text-align:center}.ovpn-common-name{display:flex;align-items:center;justify-content:center}/*# sourceMappingURL=dashboard.css.map */
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/opnsense-bootgrid.css b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/opnsense-bootgrid.css
new file mode 100644
index 0000000000..4d353b768e
--- /dev/null
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/build/css/opnsense-bootgrid.css
@@ -0,0 +1 @@
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover{background-color:#fbfbfb}.tabulator .tabulator-headers{height:100% !important}.tabulator .tabulator-tableholder .tabulator-table{background-color:rgba(0,0,0,0)}.tabulator-row{background-color:rgba(0,0,0,0);color:#373736}.tabulator-row.tabulator-row-odd{background-color:#fbfbfb}.tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected){background-color:#f5f5f5}.tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected){background-color:#f5f5f5}.tabulator .tabulator-tableholder{background-color:rgba(0,0,0,0)}.tabulator-row.tabulator-selected{background-color:#e3e8f0}.tabulator-row.tabulator-selected:hover{cursor:pointer;background-color:#e3e8f0}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{color:#373736}.tabulator-row.tabulator-group{border:none;pointer-events:none}.tabulator-row.tabulator-group span{margin-left:0;color:#373736}.tabulator-row .badge.chip{background-color:#31708f;color:#fff;font-size:10px;padding:2px 4px;position:relative;top:-1px}.tabulator-row.tabulator-group .tabulator-group-toggle,.tabulator-row.tabulator-group .tabulator-group-toggle *{pointer-events:auto}.tabulator-row.tabulator-group:has(>.tabulator-group-toggle:only-child){display:none}.tabulator-row .tabulator-cell{text-overflow:ellipsis;white-space:nowrap;line-height:1.2;vertical-align:top}.tabulator .tabulator-footer{border-top:none;background-color:rgba(0,0,0,0)}.tabulator-page-counter{color:#373736}.tabulator .tabulator-footer .tabulator-paginator{color:#373736}.tabulator-paginator{flex:0 !important}.tabulator-page-counter{flex:1;text-align:right}.tabulator-col-sorter i{display:flex;justify-content:center;align-items:center}.tabulator .tabulator-header .tabulator-col{padding:5px}.tabulator .tabulator-headers>:first-child{padding-left:10px}.opnsense-bootgrid-responsive{white-space:wrap !important;text-overflow:inherit !important;overflow:visible !important;word-break:break-word !important}.opnsense-bootgrid-ellipsis{overflow:hidden !important;white-space:nowrap !important;text-overflow:ellipsis !important}.tabulator-row>:first-child{padding-left:10px}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{padding:0px}.tabulator-page-counter{padding-right:20px}.bootgrid-footer-commands{width:90px;padding-left:8px}.tabulator-tableholder::after{content:"";display:block;width:1px;height:1px;min-width:100%}.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:first-child{border-bottom-left-radius:3px;border-top-left-radius:3px}.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:last-child{border-bottom-right-radius:3px;border-top-right-radius:3px}.tabulator-row:first-child>.tabulator-cell{border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding:0px}@keyframes highlight{0%{background:#ff9}100%{background:none}}.highlight-bg{animation:highlight 2s}.tabulator .tabulator-alert{background:none}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{border:none}.tabulator .tabulator-alert .tabulator-alert-msg{background:initial;font-size:18px}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error{border:none}.bootgrid-placeholder{font-size:15px;text-align:center;white-space:normal;font-weight:400;margin:10px}.bootgrid-overlay{position:absolute;top:0;left:0;right:0;bottom:0;background:rgba(255,255,255,.5);display:flex;justify-content:center;align-items:center;z-index:99}.overlay>i{font-size:20px;color:#000}.tabulator{width:100%;font-family:Inter,system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;font-size:13px;background:#fff;border:1px solid #eee;border-radius:0}.tabulator .tabulator-header{background:#fff;border-bottom:1px solid #eee;border-top:0;border-left:0;border-right:0}.tabulator .tabulator-header .tabulator-col{background:rgba(0,0,0,0);color:#333;border-right:1px solid #eee}.tabulator .tabulator-header .tabulator-col:last-child{border-right:0}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{padding:10px 0 10px 20px;line-height:1.428571429}.tabulator .tabulator-header .tabulator-col.tabulator-sortable:hover{background:#f5f5f5}.tabulator .tabulator-tableholder{background:#fff}.tabulator-row{background:#fff;color:#333;border-top:1px solid #eee}.tabulator-row .tabulator-cell{padding:10px 0 10px 20px;line-height:1.428571429;vertical-align:top;border-right:1px solid #eee;white-space:nowrap;text-overflow:ellipsis;overflow:hidden}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left,.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left,.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left,.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left,.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right,.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right{border-color:#eee;border-width:1px}.tabulator-row .tabulator-cell:last-child{border-right:0}.tabulator-header .tabulator-row-header input,.tabulator-header .tabulator-cell input{margin-left:-24px}.tabulator-table .tabulator-row-header input,.tabulator-table .tabulator-cell input{margin-left:-18px}.tabulator.tabulator-striped .tabulator-row:nth-child(odd){background:#fbfbfb}.tabulator.tabulator-hover .tabulator-row:hover{background:#f5f5f5 !important}.tabulator-row.tabulator-selected{background:#f5f5f5 !important}.tabulator-row.tabulator-selected:hover{background:#f5f5f5 !important}.tabulator .tabulator-footer{background:#fff;border-top:1px solid #eee;color:#555}.tabulator .tabulator-footer .tabulator-page{border:1px solid #eee;background:#fff;color:#333;border-radius:0;margin:0;padding:6px 12px;color:#fff;background-color:#51aded;border-color:#51aded}.tabulator .tabulator-footer .tabulator-page:hover,.tabulator .tabulator-footer .tabulator-page:focus,.tabulator .tabulator-footer .tabulator-page:active,.tabulator .tabulator-footer .tabulator-page.active,.open>.tabulator .tabulator-footer .tabulator-page.dropdown-toggle,.tabulator .tabulator-footer .tabulator-page :not(disabled):hover{color:#fff !important;background-color:#2397e8 !important;border-color:#1a93e7 !important}.tabulator .tabulator-footer .tabulator-page:active,.tabulator .tabulator-footer .tabulator-page.active,.open>.tabulator .tabulator-footer .tabulator-page.dropdown-toggle{background-image:none}.tabulator .tabulator-footer .tabulator-page.disabled,.tabulator .tabulator-footer .tabulator-page.disabled:hover,.tabulator .tabulator-footer .tabulator-page.disabled:focus,.tabulator .tabulator-footer .tabulator-page.disabled:active,.tabulator .tabulator-footer .tabulator-page.disabled.active,.tabulator .tabulator-footer .tabulator-page[disabled],.tabulator .tabulator-footer .tabulator-page[disabled]:hover,.tabulator .tabulator-footer .tabulator-page[disabled]:focus,.tabulator .tabulator-footer .tabulator-page[disabled]:active,.tabulator .tabulator-footer .tabulator-page[disabled].active,fieldset[disabled] .tabulator .tabulator-footer .tabulator-page,fieldset[disabled] .tabulator .tabulator-footer .tabulator-page:hover,fieldset[disabled] .tabulator .tabulator-footer .tabulator-page:focus,fieldset[disabled] .tabulator .tabulator-footer .tabulator-page:active,fieldset[disabled] .tabulator .tabulator-footer .tabulator-page.active{background-color:#51aded;border-color:#51aded}.tabulator .tabulator-footer .tabulator-page .badge{color:#51aded;background-color:#fff}.tabulator-row.tabulator-row-even{background-color:rgba(0,0,0,0)}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title{overflow:visible}.tabulator-row.tabulator-selected{background-color:#9abcea}.tabulator .tabulator-alert{align-items:center;background:rgba(255,255,255,.5);display:flex;height:100%;left:0;position:absolute;text-align:center;top:0;width:100%;z-index:100}.bootgrid-header .actionBar .btn-group>.btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,.bootgrid-footer .infoBar .btn-group>.btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,.bootgrid-header .actionBar .btn-group>.btn-group .dropdown-menu .dropdown-item .dropdown-item-checkbox,.bootgrid-footer .infoBar .btn-group>.btn-group .dropdown-menu .dropdown-item .dropdown-item-checkbox{margin:0 8px 4px -8px !important}/*# sourceMappingURL=opnsense-bootgrid.css.map */

From e67e16b1335dda385d5cde68ce2f36f908db916f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Sep 2025 13:57:31 +0200
Subject: [PATCH 2655/3088] misc/theme-advanced: sweep for whitespaces

---
 .../assets/stylesheets/bootstrap-select/less/variables.less     | 2 +-
 .../stylesheets/bootstrap-select/sass/bootstrap-select.scss     | 2 +-
 .../assets/stylesheets/bootstrap-select/sass/variables.scss     | 2 +-
 .../themes/advanced/assets/stylesheets/bootstrap/_tables.scss   | 2 +-
 .../www/themes/advanced/assets/stylesheets/dashboard.scss       | 2 +-
 .../opnsense/www/themes/advanced/assets/stylesheets/main.scss   | 2 +-
 .../themes/advanced/assets/stylesheets/opnsense-bootgrid.scss   | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
index 19e94a8dfb..97a510c23a 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/less/variables.less
@@ -4,4 +4,4 @@
 
 @width-default: 348px; // 3 960px-grid columns
 
-@zindex-select-dropdown: 1035; // must be lower than a modal background (1040) but higher than the fixed navbar (1030)
\ No newline at end of file
+@zindex-select-dropdown: 1035; // must be lower than a modal background (1040) but higher than the fixed navbar (1030)
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
index ce955acc9a..32b852e26f 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/bootstrap-select.scss
@@ -516,4 +516,4 @@ select.selectpicker {
     width: 100%;
     float: none;
   }
-}
\ No newline at end of file
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
index 555ef10fcf..6e9c8af262 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap-select/sass/variables.scss
@@ -14,4 +14,4 @@ $input-padding-y-sm: .25rem !default;
 $input-padding-x-sm: .5rem !default;
 
 $input-padding-y-lg: 0.5rem !default;
-$input-padding-x-lg: 1rem !default;
\ No newline at end of file
+$input-padding-x-lg: 1rem !default;
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
index 1cdca5cfdc..7f87ca4c13 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/bootstrap/_tables.scss
@@ -232,4 +232,4 @@ table {
 
     }
   }
-}
\ No newline at end of file
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
index d3b2a4313d..af78a80af8 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/dashboard.scss
@@ -347,4 +347,4 @@ div {
     display: flex;
     align-items: center;
     justify-content: center;
-}
\ No newline at end of file
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
index 06813493cc..3dd6c75aa1 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/main.scss
@@ -1284,4 +1284,4 @@ table#tunable.bootgrid-table td {
 #grid-log th[data-column-id="__timestamp__"],
 #filter-log-entries th[data-column-id="__timestamp__"] {
     min-width: 3.5em;
-}
\ No newline at end of file
+}
diff --git a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/opnsense-bootgrid.scss b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/opnsense-bootgrid.scss
index 1fc6fac887..13d4509a66 100644
--- a/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/opnsense-bootgrid.scss
+++ b/misc/theme-advanced/src/opnsense/www/themes/advanced/assets/stylesheets/opnsense-bootgrid.scss
@@ -485,4 +485,4 @@ $colors: (
 .bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item .dropdown-item-checkbox,
 .bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item .dropdown-item-checkbox {
     margin: 0 8px 4px -8px !important;
-}
\ No newline at end of file
+}

From d7738a1d7512d37e054205a289d3d298cdfbd9fb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 15 Sep 2025 13:58:29 +0200
Subject: [PATCH 2656/3088] misc/theme-advanved: tab size mismatch

---
 misc/theme-advanced/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/misc/theme-advanced/Makefile b/misc/theme-advanced/Makefile
index ae1b635286..8c7f095291 100644
--- a/misc/theme-advanced/Makefile
+++ b/misc/theme-advanced/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		theme-advanced
 PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		OPNsense theme based on AdvancedTomato GUI
 PLUGIN_MAINTAINER=	jacky@prahec.com
-PLUGIN_WWW=			https://prahec.com/
+PLUGIN_WWW=		https://prahec.com/
 PLUGIN_NO_ABI=		yes
 
 .include "../../Mk/plugins.mk"

From 0ece71fab003fd96456b57b8f4564c8d872dd319 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Sep 2025 12:39:14 +0200
Subject: [PATCH 2657/3088] security/etpro-telemetry: bump revision to be sure

---
 security/etpro-telemetry/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index 4a2a4779bf..c18fc71fa0 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		etpro-telemetry
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		py${PLUGIN_PYTHON}-netaddr

From 99dfc679841dc577aabfeef2afe9396ed5ca1489 Mon Sep 17 00:00:00 2001
From: kulikov-a <kulikov.a@gmail.com>
Date: Tue, 16 Sep 2025 15:56:04 +0300
Subject: [PATCH 2658/3088] www/nginx: 1.35_1 hotfix. change ban_ttl default
 (#4937)

---
 www/nginx/Makefile                            |  1 +
 www/nginx/pkg-descr                           |  4 ++
 .../OPNsense/Nginx/forms/settings.xml         |  2 +-
 .../OPNsense/Nginx/Migrations/M1_35_1.php     | 46 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml   |  4 +-
 5 files changed, 54 insertions(+), 3 deletions(-)
 create mode 100644 www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index c16651e7d4..87bdec7bbd 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.35
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 20e6079f54..1e1b282189 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -10,6 +10,10 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.35_1
+
+* Hotfix: change ban_ttl default value to avoid unintentional system slowdown
+
 1.35
 
 * Global options sendfile directive typo fix
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
index 3afcab4c6a..1fc2c9c9c7 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
@@ -11,7 +11,7 @@
                 <id>nginx.general.ban_ttl</id>
                 <label>Autoblock TTL (minutes)</label>
                 <type>text</type>
-                <help>Set autoblock lifetime in minutes. Set to 0 for infinite.</help>
+                <help>Set autoblock lifetime in minutes. 72 hours by default. Set to 0 for infinite. Please note that setting this to 0 may result in gradual system slowdown and the need to manually clear the entries.</help>
                 <advanced>true</advanced>
             </field>
         </subtab>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php
new file mode 100644
index 0000000000..cc243dc120
--- /dev/null
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * Copyright (C) 2025 A. Kulikov <kulikov.a@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Nginx\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M1_35_1 extends BaseModelMigration
+{
+    // Rewrite default ban_ttl value
+    public function run($model)
+    {
+        $general_node = $model->getNodeByReference('general');
+
+        if ($general_node->ban_ttl->isEqual('0')) {
+            $general_node->ban_ttl = '4320';
+        }
+        // run default migration actions
+        parent::run($model);
+    }
+}
\ No newline at end of file
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index a6789150a5..88d65ee883 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Nginx</mount>
-    <version>1.35</version>
+    <version>1.35.1</version>
     <description>nginx web server, reverse proxy and waf</description>
     <items>
         <general>
@@ -9,7 +9,7 @@
                 <Required>Y</Required>
             </enabled>
             <ban_ttl type="IntegerField">
-                <Default>0</Default>
+                <Default>4320</Default>
                 <MinimumValue>0</MinimumValue>
                 <Required>Y</Required>
             </ban_ttl>

From 45b48a6aeb20297927b39c0e408bf7ee51d8d02b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Sep 2025 14:57:09 +0200
Subject: [PATCH 2659/3088] www/nginx: cleanup

---
 www/nginx/pkg-descr                                        | 7 +------
 .../mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php   | 2 +-
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 1e1b282189..330255d091 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -5,15 +5,9 @@ NGINX functionality includes HTTP server, HTTP and mail reverse proxy, caching,
 load balancing, compression, request throttling, connection multiplexing and
 reuse, SSL offload and HTTP media streaming.
 
-WWW: https://nginx.org/
-
 Plugin Changelog
 ================
 
-1.35_1
-
-* Hotfix: change ban_ttl default value to avoid unintentional system slowdown
-
 1.35
 
 * Global options sendfile directive typo fix
@@ -23,6 +17,7 @@ Plugin Changelog
 * Add Variables hashes size support
 * Add proxy_cache_valid directive support with response codes and multiple selection options
 * Clean up model definition file
+* Change ban_ttl default value to avoid unintentional system slowdown
 
 1.34
 
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php
index cc243dc120..8f545c7fbd 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Migrations/M1_35_1.php
@@ -43,4 +43,4 @@ public function run($model)
         // run default migration actions
         parent::run($model);
     }
-}
\ No newline at end of file
+}

From 466a2e18d1ebd6b1942229fc4fc1e92bad10ddd2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 16 Sep 2025 14:59:51 +0200
Subject: [PATCH 2660/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index d2cb290674..9e01d2fe34 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2023 A. Kulikov <kulikov.a@gmail.com>
+Copyright (c) 2023-2025 A. Kulikov <kulikov.a@gmail.com>
 Copyright (c) 2015-2025 Ad Schellevis <ad@opnsense.org>
 Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2024 Alex Smith

From 59762b04666e8a0ee78a25e4cf011a673d75eec2 Mon Sep 17 00:00:00 2001
From: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
Date: Fri, 19 Sep 2025 14:09:58 +0300
Subject: [PATCH 2661/3088] security/netbird: Fix service startup and add
 syslog support (#4942)

* add syslog configuration options and update service reconfiguration endpoint

* enable syslog by default and expand log level options

* add plugin revision

* update service configuration and logging options

* update syslog log level options and change config sync target

* revert default config file

* Fix log level settings

* refactor

* Update security/netbird/Makefile

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* Update security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* bump setting model version and use syslog always

* Update security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 security/netbird/Makefile                        |  2 +-
 .../OPNsense/Netbird/forms/settings.xml          | 10 ++++++++++
 .../mvc/app/models/OPNsense/Netbird/Settings.xml | 16 +++++++++++++++-
 .../mvc/app/views/OPNsense/Netbird/settings.volt |  2 +-
 .../service/templates/OPNsense/Netbird/netbird   |  3 +++
 5 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index ac9352a27d..94edc0d4f2 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		netbird
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
 PLUGIN_MAINTAINER=	dev@netbird.io
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
index 4d9f69bb27..2f5f4224fc 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
@@ -90,4 +90,14 @@
         <type>checkbox</type>
         <help>Enable Rosenpass permissive mode</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Syslog Logging</label>
+    </field>
+    <field>
+        <id>settings.syslog.logLevel</id>
+        <label>Log Level</label>
+        <type>dropdown</type>
+        <help>Set the syslog logging level. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.</help>
+    </field>
 </form>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
index 0d9fa123c5..a99ce9985a 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/netbird/settings</mount>
     <description>NetBird settings</description>
-    <version>1.0.0</version>
+    <version>1.1.0</version>
     <items>
         <general>
             <enable type="BooleanField">
@@ -62,5 +62,19 @@
                 <Required>Y</Required>
             </rosenpassPermissive>
         </postquantum>
+        <syslog>
+            <logLevel type="OptionField">
+                <Required>Y</Required>
+                <Default>info</Default>
+                <OptionValues>
+                    <fatal>fatal</fatal>
+                    <error>error</error>
+                    <warn>warn</warn>
+                    <info>info</info>
+                    <debug>debug</debug>
+                    <trace>trace</trace>
+                </OptionValues>
+            </logLevel>
+        </syslog>
     </items>
 </model>
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
index ba255057c8..97bb7e39d0 100644
--- a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
+++ b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
@@ -54,4 +54,4 @@
 <div class="content-box">
     {{ partial("layout_partials/base_form",['fields':settingsForm,'id':'frmSettings']) }}
 </div>
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/netbird/settings/sync', 'data_service_widget': 'netbird'}) }}
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/netbird/service/reconfigure', 'data_service_widget': 'netbird'}) }}
diff --git a/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird b/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
index d4d96d22cf..e6191178e6 100644
--- a/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
+++ b/security/netbird/src/opnsense/service/templates/OPNsense/Netbird/netbird
@@ -1,5 +1,8 @@
 {% if OPNsense.netbird.settings.general.enable == '1' %}
 netbird_enable="YES"
+netbird_setup="/usr/local/sbin/pluginctl -c netbird_sync_config"
+netbird_logfile="syslog"
+netbird_loglevel="{{ OPNsense.netbird.settings.syslog.logLevel }}"
 {% else %}
 netbird_enable="NO"
 {% endif %}

From 25b4d659576a3d050042ac6d74f4317a17b22f9f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 19 Sep 2025 13:51:32 +0200
Subject: [PATCH 2662/3088] security/netbird: fix selectpicker and unbreak
 migration

The auth key may be required but not giving a default for obvious
reasons just makes it end up without a required value anyway until
user contact.

This can probably be made more robust in the future, but requires
a bit of thought on what we validate/enforce here anyway like an
"enbable" checkbox being checked requires filling this value, but
it's also not on the same page or model even making constraints
tricky.
---
 .../mvc/app/models/OPNsense/Netbird/Authentication.xml       | 2 +-
 .../opnsense/mvc/app/views/OPNsense/Netbird/settings.volt    | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
index c12afa3b2e..b9ac20dd27 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
@@ -8,7 +8,7 @@
             <Default>https://api.netbird.io:443</Default>
         </managementUrl>
         <setupKey type="TextField">
-            <Required>Y</Required>
+            <!-- XXX fails migration for obvious reasons <Required>Y</Required> -->
             <Mask>/^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$/i</Mask>
             <ValidationMessage>Please specify a valid setup key.</ValidationMessage>
         </setupKey>
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
index 97bb7e39d0..7c505a7a11 100644
--- a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
+++ b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/settings.volt
@@ -29,9 +29,8 @@
 
 <script>
     $(document).ready(() => {
-        mapDataToFormUI({
-            'frmSettings': "/api/netbird/settings/get"
-        }).done(() => {
+        mapDataToFormUI({'frmSettings': '/api/netbird/settings/get'}).done(() => {
+            $('.selectpicker').selectpicker('refresh');
             updateServiceControlUI('netbird');
         });
 

From dfcb4cb13882e95e7009a2acd3c5ebbd01e5c67b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 23 Sep 2025 14:29:44 +0200
Subject: [PATCH 2663/3088] net/frr: Remove faulty standard area type, adjust
 helptext to reflect reality (#4951)

* net/frr: Remove faulty standard area type, adjust helptext to reflect reality

* Change default too
---
 net/frr/Makefile                                               | 1 +
 .../controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml   | 2 +-
 net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml   | 3 +--
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 63a0a654c7..2d077e7a10 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.47
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml
index a027c2187a..bd1170545f 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditOSPFArea.xml
@@ -13,7 +13,7 @@
         <id>area.id</id>
         <label>Area ID</label>
         <type>text</type>
-        <help>Enter area ID in dotted (e.g. 0.0.0.1) format.</help>
+        <help>Enter area ID in dotted (e.g. 0.0.0.1) format. You only need to define areas that are not normal. All areas defined in the network or interface tab will automatically be normal, unless explicitely overwritten here with a different area type.</help>
     </field>
     <field>
         <id>area.type</id>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
index 6e59b88816..4ea5b86a75 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/OSPF.xml
@@ -63,9 +63,8 @@
                 </id>
                 <type type="OptionField">
                     <Required>Y</Required>
-                    <Default>standard</Default>
+                    <Default>stub</Default>
                     <OptionValues>
-                        <standard>standard</standard>
                         <stub>stub</stub>
                         <stub-no-summary value="stub no-summary">stub no-summary</stub-no-summary>
                         <nssa>nssa</nssa>

From b2401a695c52ef69690ebbd45461acb3ab926f8a Mon Sep 17 00:00:00 2001
From: sdsys-ch <100968265+sdsys-ch@users.noreply.github.com>
Date: Wed, 24 Sep 2025 08:45:05 +0200
Subject: [PATCH 2664/3088] www/caddy: Add DNS-01 challenge delegation via
 CNAME (#4950)

* caddy: Add DNS-01 override domain feature

Adds support for DNS-01 CNAME delegation through the dns_challenge_override_domain directive. This enables least-privilege DNS setups where the certificate domain delegates ACME challenges to a target domain managed by the configured DNS provider.

* Review feedback: Remove default defs and align validation string with existing one

---------

Co-authored-by: Christophe Neuerburg <c.neuerburg@sdsys.ch>
---
 .../OPNsense/Caddy/forms/dialogReverseProxy.xml        | 10 ++++++++++
 .../opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml   |  4 ++++
 .../service/templates/OPNsense/Caddy/Caddyfile         |  5 +++++
 3 files changed, 19 insertions(+)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index a2b3d67585..ed431a6dbe 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -73,6 +73,16 @@
             <formatter>boolean</formatter>
         </grid_view>
     </field>
+    <field>
+        <id>reverse.DnsChallengeOverrideDomain</id>
+        <label>DNS-01 Override Domain</label>
+        <type>text</type>
+        <help><![CDATA[If using CNAME delegation for DNS-01 challenges, enter the target domain here. The DNS provider will manage TXT records at '_acme-challenge.targetdomain' instead of the certificate domain. Your configured DNS Provider must have write access to this target domain. For wildcard certificates, ensure the CNAME delegation covers the _acme-challenge label. This enables least-privilege setups or can be used as a workaround when the primary DNS provider lacks an API. Leave empty if your DNS Provider has a dedicated field for this.]]></help>
+        <advanced>true</advanced>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
     <field>
         <id>reverse.DynDns</id>
         <label>Dynamic DNS</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index a8d1234950..8a1ffeb463 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -212,6 +212,10 @@
                 </basicauth>
                 <description type="DescriptionField"/>
                 <DnsChallenge type="BooleanField"/>
+                <DnsChallengeOverrideDomain type="HostnameField">
+                    <IpAllowed>N</IpAllowed>
+                    <ValidationMessage>Please enter a valid domain name.</ValidationMessage>
+                </DnsChallengeOverrideDomain>
                 <CustomCertificate type="CertificateField">
                     <BlankDesc>Auto HTTPS</BlankDesc>
                 </CustomCertificate>
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index e7c7168e95..8e8e89b959 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -302,6 +302,7 @@ http://{{ domain }} {
 {% macro tls_configuration(
     customCert="",
     dnsChallenge="0",
+    dnsChallengeOverrideDomain="",
     clientAuthTrustPool="",
     clientAuthMode="",
     dnsProvider="",
@@ -316,6 +317,9 @@ http://{{ domain }} {
             {% if not customCert and (dnsChallenge == "1" and dnsProvider) %}
             issuer acme {
                 dns {{ dnsProvider }} {{ dnsApiKey }}
+                {% if dnsChallengeOverrideDomain %}
+                dns_challenge_override_domain {{ dnsChallengeOverrideDomain }}
+                {% endif %}
 
                 {% if tlsDnsPropagationResolvers %}
                 resolvers {{ tlsDnsPropagationResolvers }}
@@ -622,6 +626,7 @@ http://{{ domain }} {
             {{ tls_configuration(
                 customCert=reverse.CustomCertificate|default(""),
                 dnsChallenge=reverse.DnsChallenge|default("0"),
+                dnsChallengeOverrideDomain=reverse.DnsChallengeOverrideDomain|default(""),
                 clientAuthTrustPool=reverse.ClientAuthTrustPool|default(""),
                 clientAuthMode=reverse.ClientAuthMode|default(""),
                 dnsProvider=generalSettings.TlsDnsProvider,

From 97603fc29b18f724a7b812ae8c37f2965cb2c363 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 24 Sep 2025 17:59:44 +0200
Subject: [PATCH 2665/3088] www/caddy: Bump plugin version to 2.0.4 (#4954)

---
 www/caddy/Makefile  | 3 +--
 www/caddy/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 02dbe94acc..97f312a281 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		2.0.3
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		2.0.4
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 2c24dd7ffa..38e81fd424 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -6,6 +6,10 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+2.0.4
+
+Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/plugins/pull/4950)
+
 2.0.3
 
 Add: Tabulator groupBy of domain and subdomain (opnsense/plugins/pull/4909)

From 59f3c772c59c57d5a2201fbfa709ca24e85b5f33 Mon Sep 17 00:00:00 2001
From: eguun <79050535+eguun@users.noreply.github.com>
Date: Thu, 2 Oct 2025 08:42:06 +0200
Subject: [PATCH 2666/3088] net/shadowsocks: update web UI ciphers to match
 shadowsocks rust (#4958)

Updating cipher option set to match the one of the plugin, source:
https://github.com/shadowsocks/shadowsocks-rust?tab=readme-ov-file#supported-ciphers
Update to present options in optgroups
---
 .../models/OPNsense/Shadowsocks/General.xml   | 33 ++++++++++++-------
 .../app/models/OPNsense/Shadowsocks/Local.xml | 33 ++++++++++++-------
 2 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
index b66a08112e..9636f880ea 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
@@ -28,19 +28,30 @@
         </localport>
         <password type="TextField"/>
         <cipher type="OptionField">
-            <Default>aes-256-cfb</Default>
+            <Default>aes-256-gcm</Default>
             <Required>Y</Required>
             <OptionValues>
-                <aes-256-cfb>AES-256-CFB</aes-256-cfb>
-                <aes-256-gcm>AES-256-GCM</aes-256-gcm>
-                <aes-256-ctr>AES-256-CTR</aes-256-ctr>
-                <aes-192-cfb>AES-192-CFB</aes-192-cfb>
-                <aes-192-gcm>AES-192-GCM</aes-192-gcm>
-                <aes-192-ctr>AES-192-CTR</aes-192-ctr>
-                <aes-128-cfb>AES-128-CFB</aes-128-cfb>
-                <aes-128-gcm>AES-128-GCM</aes-128-gcm>
-                <aes-128-ctr>AES-128-CTR</aes-128-ctr>
-                <chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
+				<Secure>
+					<blake3-aes-256-gcm value="2022-blake3-aes-256-gcm">2022-BLAKE3-AES-256-GCM</blake3-aes-256-gcm>
+					<aes-256-gcm>AES-256-GCM</aes-256-gcm>
+					<blake3-aes-128-gcm value="2022-blake3-aes-128-gcm">2022-BLAKE3-AES-128-GCM</blake3-aes-128-gcm>
+					<aes-128-gcm>AES-128-GCM</aes-128-gcm>
+					<blake3-chacha20-poly1305 value="2022-blake3-chacha20-poly1305">2022-BLAKE3-ChaCha20-Poly1305</blake3-chacha20-poly1305>
+					<blake3-chacha8-poly1305 value="2022-blake3-chacha8-poly1305">2022-BLAKE3-ChaCha8-Poly1305</blake3-chacha8-poly1305>
+					<chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
+				</Secure>
+				<Deprecated>
+					<aes-256-cfb>AES-256-CFB</aes-256-cfb>
+					<aes-256-ctr>AES-256-CTR</aes-256-ctr>
+					<aes-192-cfb>AES-192-CFB</aes-192-cfb>
+					<aes-192-gcm>AES-192-GCM</aes-192-gcm>
+					<aes-192-ctr>AES-192-CTR</aes-192-ctr>
+					<aes-128-cfb>AES-128-CFB</aes-128-cfb>
+					<aes-128-ctr>AES-128-CTR</aes-128-ctr>
+				</Deprecated>				
+				<Insecure>				
+					<none>NONE (Plain)</none>
+				</Insecure>
             </OptionValues>
         </cipher>
         <tcpudpmode type="OptionField">
diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
index 00ab061c40..14ff6b74ff 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
@@ -33,19 +33,30 @@
         </localport>
         <password type="TextField"/>
         <cipher type="OptionField">
-            <Default>aes-256-cfb</Default>
+            <Default>aes-256-gcm</Default>
             <Required>Y</Required>
             <OptionValues>
-                <aes-256-cfb>AES-256-CFB</aes-256-cfb>
-                <aes-256-gcm>AES-256-GCM</aes-256-gcm>
-                <aes-256-ctr>AES-256-CTR</aes-256-ctr>
-                <aes-192-cfb>AES-192-CFB</aes-192-cfb>
-                <aes-192-gcm>AES-192-GCM</aes-192-gcm>
-                <aes-192-ctr>AES-192-CTR</aes-192-ctr>
-                <aes-128-cfb>AES-128-CFB</aes-128-cfb>
-                <aes-128-gcm>AES-128-GCM</aes-128-gcm>
-                <aes-128-ctr>AES-128-CTR</aes-128-ctr>
-                <chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
+				<Secure>
+					<blake3-aes-256-gcm value="2022-blake3-aes-256-gcm">2022-BLAKE3-AES-256-GCM</blake3-aes-256-gcm>
+					<aes-256-gcm>AES-256-GCM</aes-256-gcm>
+					<blake3-aes-128-gcm value="2022-blake3-aes-128-gcm">2022-BLAKE3-AES-128-GCM</blake3-aes-128-gcm>
+					<aes-128-gcm>AES-128-GCM</aes-128-gcm>
+					<blake3-chacha20-poly1305 value="2022-blake3-chacha20-poly1305">2022-BLAKE3-ChaCha20-Poly1305</blake3-chacha20-poly1305>
+					<blake3-chacha8-poly1305 value="2022-blake3-chacha8-poly1305">2022-BLAKE3-ChaCha8-Poly1305</blake3-chacha8-poly1305>
+					<chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
+				</Secure>
+				<Deprecated>
+					<aes-256-cfb>AES-256-CFB</aes-256-cfb>
+					<aes-256-ctr>AES-256-CTR</aes-256-ctr>
+					<aes-192-cfb>AES-192-CFB</aes-192-cfb>
+					<aes-192-gcm>AES-192-GCM</aes-192-gcm>
+					<aes-192-ctr>AES-192-CTR</aes-192-ctr>
+					<aes-128-cfb>AES-128-CFB</aes-128-cfb>
+					<aes-128-ctr>AES-128-CTR</aes-128-ctr>
+				</Deprecated>				
+				<Insecure>				
+					<none>NONE (Plain)</none>
+				</Insecure>
             </OptionValues>
         </cipher>
     </items>

From 320de1124acee321f0f467145dce93f7d9dfadb9 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 2 Oct 2025 08:50:46 +0200
Subject: [PATCH 2667/3088] net/shadowsocks: bump plugin version to 1.3 (#4966)

* net/shadowsocks: Bump plugin version to 1.3

* Update changelog
---
 net/shadowsocks/Makefile  | 3 +--
 net/shadowsocks/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/shadowsocks/Makefile b/net/shadowsocks/Makefile
index 487d2efe60..34945a08ca 100644
--- a/net/shadowsocks/Makefile
+++ b/net/shadowsocks/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		shadowsocks
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Secure socks5 proxy
 PLUGIN_DEPENDS=		shadowsocks-rust
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/shadowsocks/pkg-descr b/net/shadowsocks/pkg-descr
index a271c00c4f..03e26282a1 100644
--- a/net/shadowsocks/pkg-descr
+++ b/net/shadowsocks/pkg-descr
@@ -3,6 +3,10 @@ Shadowsocks is a fast tunnel proxy that helps you bypass firewalls.
 Plugin Changelog
 ================
 
+1.3
+
+* Update ciphers to match shadowsocks-rust (contributed by eguun)
+
 1.2
 
 * Switch to shadowsocks-rust

From 73a32e2e44a19d257cfd267864e908940b5a271d Mon Sep 17 00:00:00 2001
From: eguun <79050535+eguun@users.noreply.github.com>
Date: Mon, 6 Oct 2025 09:05:03 +0200
Subject: [PATCH 2668/3088] Shadowsocks update web UI to set timeout and udp
 fragmentation (#4967)

---
 net/shadowsocks/pkg-descr                           |  1 +
 .../OPNsense/Shadowsocks/forms/general.xml          | 13 +++++++++++++
 .../mvc/app/models/OPNsense/Shadowsocks/General.xml | 10 +++++++++-
 .../templates/OPNsense/Shadowsocks/config.json      |  5 +++--
 4 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/net/shadowsocks/pkg-descr b/net/shadowsocks/pkg-descr
index 03e26282a1..e152306d6b 100644
--- a/net/shadowsocks/pkg-descr
+++ b/net/shadowsocks/pkg-descr
@@ -6,6 +6,7 @@ Plugin Changelog
 1.3
 
 * Update ciphers to match shadowsocks-rust (contributed by eguun)
+* Update WebUI to allow setting for TCP timeout and UDP fragmentation (contributed by kvoffka and eguun)
 
 1.2
 
diff --git a/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/general.xml b/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/general.xml
index b87f8e8385..185decc5aa 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/general.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/controllers/OPNsense/Shadowsocks/forms/general.xml
@@ -41,4 +41,17 @@
         <type>dropdown</type>
         <help>Choose TCP, UDP or both relay mode</help>
     </field>
+	<field>
+        <id>general.timeout</id>
+        <label>Timeout</label>
+        <type>text</type>
+		<hint>60</hint>
+        <help>Set the TCP relay timeout in seconds.</help>
+    </field>
+	<field>
+        <id>general.fragmentation</id>
+        <label>Fragmentation</label>
+        <type>checkbox</type>
+        <help>Allow IP fragmentation on the outbound UDP socket.</help>
+    </field>
 </form>
diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
index 9636f880ea..0a400b2323 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/shadowsocks/general</mount>
     <description>Shadowsocks configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
@@ -63,5 +63,13 @@
                 <tcp_and_udp>TCP and UDP</tcp_and_udp>
             </OptionValues>
         </tcpudpmode>
+		<timeout type="IntegerField">
+			<Default>60</Default>
+			<Required>Y</Required>
+		</timeout>
+		<fragmentation type="BooleanField">
+			<Default>0</Default>
+			<Required>Y</Required>
+		</fragmentation>
     </items>
 </model>
diff --git a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/config.json b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/config.json
index b4337ea4a8..09062d237f 100644
--- a/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/config.json
+++ b/net/shadowsocks/src/opnsense/service/templates/OPNsense/Shadowsocks/config.json
@@ -4,8 +4,9 @@
     "server_port":{{ OPNsense.shadowsocks.general.serverport }},
     "local_port":{{ OPNsense.shadowsocks.general.localport }},
     "password":"{{ OPNsense.shadowsocks.general.password }}",
-    "timeout":60,
+    "timeout":{{ OPNsense.shadowsocks.general.timeout }},
     "mode":"{{ OPNsense.shadowsocks.general.tcpudpmode }}",
-    "method":"{{ OPNsense.shadowsocks.general.cipher }}"
+    "method":"{{ OPNsense.shadowsocks.general.cipher }}",
+    "outbound_udp_allow_fragmentation":{{ "true" if OPNsense.shadowsocks.general.fragmentation == '1' else "false"}}
 }
 {% endif %}

From faec4252cd61e78486707050a21546d133523d36 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Oct 2025 09:12:37 +0200
Subject: [PATCH 2669/3088] net/shadowsocks: reshuffle for clarity

---
 .../models/OPNsense/Shadowsocks/General.xml   | 58 +++++++++----------
 .../app/models/OPNsense/Shadowsocks/Local.xml | 42 +++++++-------
 2 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
index 0a400b2323..6819ff0986 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/General.xml
@@ -31,27 +31,27 @@
             <Default>aes-256-gcm</Default>
             <Required>Y</Required>
             <OptionValues>
-				<Secure>
-					<blake3-aes-256-gcm value="2022-blake3-aes-256-gcm">2022-BLAKE3-AES-256-GCM</blake3-aes-256-gcm>
-					<aes-256-gcm>AES-256-GCM</aes-256-gcm>
-					<blake3-aes-128-gcm value="2022-blake3-aes-128-gcm">2022-BLAKE3-AES-128-GCM</blake3-aes-128-gcm>
-					<aes-128-gcm>AES-128-GCM</aes-128-gcm>
-					<blake3-chacha20-poly1305 value="2022-blake3-chacha20-poly1305">2022-BLAKE3-ChaCha20-Poly1305</blake3-chacha20-poly1305>
-					<blake3-chacha8-poly1305 value="2022-blake3-chacha8-poly1305">2022-BLAKE3-ChaCha8-Poly1305</blake3-chacha8-poly1305>
-					<chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
-				</Secure>
-				<Deprecated>
-					<aes-256-cfb>AES-256-CFB</aes-256-cfb>
-					<aes-256-ctr>AES-256-CTR</aes-256-ctr>
-					<aes-192-cfb>AES-192-CFB</aes-192-cfb>
-					<aes-192-gcm>AES-192-GCM</aes-192-gcm>
-					<aes-192-ctr>AES-192-CTR</aes-192-ctr>
-					<aes-128-cfb>AES-128-CFB</aes-128-cfb>
-					<aes-128-ctr>AES-128-CTR</aes-128-ctr>
-				</Deprecated>				
-				<Insecure>				
-					<none>NONE (Plain)</none>
-				</Insecure>
+                <Secure>
+                    <aes-128-gcm>AES-128-GCM</aes-128-gcm>
+                    <aes-256-gcm>AES-256-GCM</aes-256-gcm>
+                    <blake3-aes-128-gcm value="2022-blake3-aes-128-gcm">2022-BLAKE3-AES-128-GCM</blake3-aes-128-gcm>
+                    <blake3-aes-256-gcm value="2022-blake3-aes-256-gcm">2022-BLAKE3-AES-256-GCM</blake3-aes-256-gcm>
+                    <blake3-chacha8-poly1305 value="2022-blake3-chacha8-poly1305">2022-BLAKE3-ChaCha8-Poly1305</blake3-chacha8-poly1305>
+                    <blake3-chacha20-poly1305 value="2022-blake3-chacha20-poly1305">2022-BLAKE3-ChaCha20-Poly1305</blake3-chacha20-poly1305>
+                    <chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
+                </Secure>
+                <Deprecated>
+                    <aes-128-cfb>AES-128-CFB</aes-128-cfb>
+                    <aes-128-ctr>AES-128-CTR</aes-128-ctr>
+                    <aes-192-cfb>AES-192-CFB</aes-192-cfb>
+                    <aes-192-ctr>AES-192-CTR</aes-192-ctr>
+                    <aes-192-gcm>AES-192-GCM</aes-192-gcm>
+                    <aes-256-cfb>AES-256-CFB</aes-256-cfb>
+                    <aes-256-ctr>AES-256-CTR</aes-256-ctr>
+                </Deprecated>
+                <Insecure>
+                    <none>None (plain)</none>
+                </Insecure>
             </OptionValues>
         </cipher>
         <tcpudpmode type="OptionField">
@@ -63,13 +63,13 @@
                 <tcp_and_udp>TCP and UDP</tcp_and_udp>
             </OptionValues>
         </tcpudpmode>
-		<timeout type="IntegerField">
-			<Default>60</Default>
-			<Required>Y</Required>
-		</timeout>
-		<fragmentation type="BooleanField">
-			<Default>0</Default>
-			<Required>Y</Required>
-		</fragmentation>
+        <timeout type="IntegerField">
+            <Default>60</Default>
+            <Required>Y</Required>
+        </timeout>
+        <fragmentation type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </fragmentation>
     </items>
 </model>
diff --git a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
index 14ff6b74ff..0883dce34e 100644
--- a/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
+++ b/net/shadowsocks/src/opnsense/mvc/app/models/OPNsense/Shadowsocks/Local.xml
@@ -36,27 +36,27 @@
             <Default>aes-256-gcm</Default>
             <Required>Y</Required>
             <OptionValues>
-				<Secure>
-					<blake3-aes-256-gcm value="2022-blake3-aes-256-gcm">2022-BLAKE3-AES-256-GCM</blake3-aes-256-gcm>
-					<aes-256-gcm>AES-256-GCM</aes-256-gcm>
-					<blake3-aes-128-gcm value="2022-blake3-aes-128-gcm">2022-BLAKE3-AES-128-GCM</blake3-aes-128-gcm>
-					<aes-128-gcm>AES-128-GCM</aes-128-gcm>
-					<blake3-chacha20-poly1305 value="2022-blake3-chacha20-poly1305">2022-BLAKE3-ChaCha20-Poly1305</blake3-chacha20-poly1305>
-					<blake3-chacha8-poly1305 value="2022-blake3-chacha8-poly1305">2022-BLAKE3-ChaCha8-Poly1305</blake3-chacha8-poly1305>
-					<chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
-				</Secure>
-				<Deprecated>
-					<aes-256-cfb>AES-256-CFB</aes-256-cfb>
-					<aes-256-ctr>AES-256-CTR</aes-256-ctr>
-					<aes-192-cfb>AES-192-CFB</aes-192-cfb>
-					<aes-192-gcm>AES-192-GCM</aes-192-gcm>
-					<aes-192-ctr>AES-192-CTR</aes-192-ctr>
-					<aes-128-cfb>AES-128-CFB</aes-128-cfb>
-					<aes-128-ctr>AES-128-CTR</aes-128-ctr>
-				</Deprecated>				
-				<Insecure>				
-					<none>NONE (Plain)</none>
-				</Insecure>
+                <Secure>
+                    <aes-128-gcm>AES-128-GCM</aes-128-gcm>
+                    <aes-256-gcm>AES-256-GCM</aes-256-gcm>
+                    <blake3-aes-128-gcm value="2022-blake3-aes-128-gcm">2022-BLAKE3-AES-128-GCM</blake3-aes-128-gcm>
+                    <blake3-aes-256-gcm value="2022-blake3-aes-256-gcm">2022-BLAKE3-AES-256-GCM</blake3-aes-256-gcm>
+                    <blake3-chacha8-poly1305 value="2022-blake3-chacha8-poly1305">2022-BLAKE3-ChaCha8-Poly1305</blake3-chacha8-poly1305>
+                    <blake3-chacha20-poly1305 value="2022-blake3-chacha20-poly1305">2022-BLAKE3-ChaCha20-Poly1305</blake3-chacha20-poly1305>
+                    <chacha20-ietf-poly1305>ChaCha20-IETF-Poly1305</chacha20-ietf-poly1305>
+                </Secure>
+                <Deprecated>
+                    <aes-128-cfb>AES-128-CFB</aes-128-cfb>
+                    <aes-128-ctr>AES-128-CTR</aes-128-ctr>
+                    <aes-192-cfb>AES-192-CFB</aes-192-cfb>
+                    <aes-192-ctr>AES-192-CTR</aes-192-ctr>
+                    <aes-192-gcm>AES-192-GCM</aes-192-gcm>
+                    <aes-256-cfb>AES-256-CFB</aes-256-cfb>
+                    <aes-256-ctr>AES-256-CTR</aes-256-ctr>
+                </Deprecated>
+                <Insecure>
+                    <none>None (plain)</none>
+                </Insecure>
             </OptionValues>
         </cipher>
     </items>

From 3f9299b3aa0757604d5ab118882438cfa582d1fa Mon Sep 17 00:00:00 2001
From: kulikov-a <kulikov.a@gmail.com>
Date: Mon, 6 Oct 2025 10:20:49 +0300
Subject: [PATCH 2670/3088] naxsi rules install fix (#4968)

regex adapted
removed redundant validation (validated on serialization)
skip validation on serialization
---
 .../opnsense/scripts/nginx/naxsi_rule_download.php  | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
index 0ef1300595..00a8e7aec0 100755
--- a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
+++ b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
@@ -81,7 +81,7 @@ function parse_rules($data)
             }
             $tmp = trim($matches[1]);
             $parsed[$tmp] = [];
-        } elseif (preg_match('/\S+ "(str|rx):([^\"]+)" "msg:([^\\"]*)" "mz:([^\"]*)" "s:([^\"]*):(\d+)" id:(\d+);/', $line, $matches)) {
+        } elseif (preg_match('/\S+ "(str|rx):(.+)" "msg:([^\\"]*)" +"mz:([^\"]*)" "s:([^\"]*):(\d+)" id:(\d+);/', $line, $matches)) {
             $parsed[$tmp][] = prepare_values(array_combine($description, $matches));
         }
     }
@@ -167,17 +167,10 @@ function save_to_model($data)
         }
         $policy->naxsi_rules = implode(',', array_diff($rule_list, $dis_rules));
     }
-    $val_result = $model->performValidation(false);
-    if (count($val_result) !== 0) {
-        print_r($val_result);
-        exit(1);
-    }
-
-    $model->serializeToConfig();
+    // skip validation on serialization. possible warnings and errors will still end up in the syslog
+    $model->serializeToConfig(false, true);
     Config::getInstance()->save();
 }
 
-
-#$data =  parse_rules(file('./naxsi_core.rules'));
 $data = parse_rules(explode("\n", download_rules()));
 save_to_model($data);

From a75a87d0b51bd191dfe78743a79a7dc938e26d48 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 6 Oct 2025 15:11:08 +0200
Subject: [PATCH 2671/3088] security/etpro-telemetry: always show an available
 status

Bump version to clear the relatively hight revision count.
---
 security/etpro-telemetry/Makefile                              | 3 +--
 .../src/opnsense/www/js/widgets/ETProTelemetry.js              | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/security/etpro-telemetry/Makefile b/security/etpro-telemetry/Makefile
index c18fc71fa0..d206a5d1c5 100644
--- a/security/etpro-telemetry/Makefile
+++ b/security/etpro-telemetry/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		etpro-telemetry
-PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	6
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		ET Pro Telemetry Edition
 PLUGIN_MAINTAINER=	ad@opnsense.org
 PLUGIN_DEPENDS=		py${PLUGIN_PYTHON}-netaddr
diff --git a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
index 8ec7b63b2c..046736bc75 100644
--- a/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
+++ b/security/etpro-telemetry/src/opnsense/www/js/widgets/ETProTelemetry.js
@@ -41,7 +41,7 @@ export default class ETProTelemetry extends BaseTableWidget {
 
     async onWidgetTick() {
         const data = await this.ajaxCall('/api/diagnostics/proofpoint_et/status');
-        if (data['sensor_status'].toLowerCase() == 'active') {
+        if (data['sensor_status'].length) {
             $('#etpro_sensor_status').text(data['sensor_status']);
             $('#etpro_event_received').text(data['event_received']);
             $('#etpro_last_rule_download').text(data['last_rule_download']);

From 12df16427bc79c3822b8e0378a57105004e187c4 Mon Sep 17 00:00:00 2001
From: us3241 <us3241@gmail.com>
Date: Wed, 8 Oct 2025 09:38:52 +0300
Subject: [PATCH 2672/3088] net-mgmt/zabbix-proxy: Add VMware parameters
 (#4740)

---
 .../OPNsense/Zabbixproxy/forms/general.xml    | 28 +++++++++++++++++++
 .../models/OPNsense/Zabbixproxy/General.xml   | 15 ++++++++++
 .../OPNsense/Zabbixproxy/zabbix_proxy.conf.in | 12 ++++++++
 3 files changed, 55 insertions(+)

diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index a75cc7eb2d..9e9a174ea4 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -155,6 +155,34 @@
         <allownew>true</allownew>
         <help>IP address of host allowed to retrieve proxy statistics.</help>
     </field>
+    <field>
+        <id>general.vmwarecachesize</id>
+        <label>VMware Cache Size</label>
+        <type>text</type>
+        <help>Shared memory size for storing VMware data.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.vmwarefrequency</id>
+        <label>VMware Frequency</label>
+        <type>text</type>
+        <help>Delay in seconds between data gathering from a single VMware service.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.vmwareperffrequency</id>
+        <label>VMwarePerfFrequency</label>
+        <type>text</type>
+        <help>Delay in seconds between performance counter statistics retrieval from a single VMware service.</help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.vmwaretimeout</id>
+        <label>VMware Timeout</label>
+        <type>text</type>
+        <help>The maximum number of seconds vmware collector will wait for a response from VMware service.</help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>general.syslogEnable</id>
         <label>Log To Syslog</label>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index fc214f6917..36692f1ae4 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -50,6 +50,21 @@
             <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
         </statsip>
+        <vmwarecachesize type="TextField">
+            <Mask>/^\d+[KMG]$/</Mask>
+        </vmwarecachesize>
+        <vmwarefrequency type="IntegerField">
+            <MinimumValue>10</MinimumValue>
+            <MaximumValue>86400</MaximumValue>
+        </vmwarefrequency>
+        <vmwareperffrequency type="IntegerField">
+            <MinimumValue>10</MinimumValue>
+            <MaximumValue>86400</MaximumValue>
+        </vmwareperffrequency>
+        <vmwaretimeout type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>300</MaximumValue>
+        </vmwaretimeout>
         <syslogEnable type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index 80373b0e1e..90d7e38ac1 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -84,6 +84,18 @@ HistoryCacheSize={{ OPNsense.zabbixproxy.general.historycachesize }}
 {% if helpers.exists('OPNsense.zabbixproxy.general.historyindexcachesize') and OPNsense.zabbixproxy.general.historyindexcachesize != '' %}
 HistoryIndexCacheSize={{ OPNsense.zabbixproxy.general.historyindexcachesize }}
 {% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.vmwarecachesize') and OPNsense.zabbixproxy.general.vmwarecachesize != '' %}
+VMwareCacheSize={{ OPNsense.zabbixproxy.general.vmwarecachesize }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.vmwarefrequency') and OPNsense.zabbixproxy.general.vmwarefrequency != '' %}
+VMwareFrequency={{ OPNsense.zabbixproxy.general.vmwarefrequency }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.vmwareperffrequency') and OPNsense.zabbixproxy.general.vmwareperffrequency != '' %}
+VMwarePerfFrequency={{ OPNsense.zabbixproxy.general.vmwareperffrequency }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.vmwaretimeout') and OPNsense.zabbixproxy.general.vmwaretimeout != '' %}
+VMwareTimeout={{ OPNsense.zabbixproxy.general.vmwaretimeout }}
+{% endif %}
 {% if helpers.exists('OPNsense.zabbixproxy.general.timeout') and OPNsense.zabbixproxy.general.timeout != '' %}
 Timeout={{ OPNsense.zabbixproxy.general.timeout }}
 {% endif %}

From 25bfd97c8eafab27e039ff887df3f969a9d6ed5f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Oct 2025 09:06:01 +0200
Subject: [PATCH 2673/3088] net-mgmt/zabbix-proxy: wrap up new version, style

---
 net-mgmt/zabbix-proxy/Makefile                                | 2 +-
 net-mgmt/zabbix-proxy/pkg-descr                               | 4 ++++
 .../opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml  | 2 --
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index a33852cc92..55c98a4c14 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.14
+PLUGIN_VERSION=		1.15
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 43ff9d9624..ee37ddc130 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.15
+
+* Add VMware parameters (contributed by us3241)
+
 1.14
 
 * Add plugin variant for Zabbix Proxy 7.4
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index 36692f1ae4..2ad956f58c 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -23,7 +23,6 @@
         </hostname>
         <listenport type="TextField"/>
         <listenip type="NetworkField">
-            <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
         </listenip>
         <sourceip type="NetworkField"/>
@@ -47,7 +46,6 @@
         <configfrequency type="IntegerField"/>
         <datasenderfrequency type="IntegerField"/>
         <statsip type="NetworkField">
-            <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
         </statsip>
         <vmwarecachesize type="TextField">

From 613df67b2f90feff8a571e2526e6d3c0be4fa748 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 8 Oct 2025 09:13:33 +0200
Subject: [PATCH 2674/3088] www/nginx: why not

---
 www/nginx/Makefile  | 2 +-
 www/nginx/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 87bdec7bbd..7586338550 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.35
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 330255d091..c12a093281 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -18,6 +18,7 @@ Plugin Changelog
 * Add proxy_cache_valid directive support with response codes and multiple selection options
 * Clean up model definition file
 * Change ban_ttl default value to avoid unintentional system slowdown
+* Fix NAXSI rules install
 
 1.34
 

From 6a6f5aedefbdf3d13942355f066af804b16f535b Mon Sep 17 00:00:00 2001
From: Oliver Traber <hi@bluemedia.dev>
Date: Thu, 9 Oct 2025 09:01:28 +0200
Subject: [PATCH 2675/3088] dns/ddclient: Add support for PowerDNS API (#4772)

---
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |   2 +-
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.php |  10 +
 .../scripts/ddclient/lib/account/powerdns.py  | 209 ++++++++++++++++++
 3 files changed, 220 insertions(+), 1 deletion(-)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/powerdns.py

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index eb0fb768e4..8eada3ee4c 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -31,7 +31,7 @@
          When a URI is provided, the tag __MYIP__ will be replaced with the current detected address for this service
          and __HOSTNAME__ will contain the (comma separated) list of hostnames provided.
          </help>
-        <style>optional_setting service_custom</style>
+        <style>optional_setting service_custom service_powerdns</style>
     </field>
     <field>
         <id>account.resourceId</id>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
index 31682aae0b..a3cbb5a866 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
@@ -52,6 +52,16 @@ public function performValidation($validateFullModel = false)
             }
         }
         foreach ($validate_servers as $key => $node) {
+            if ((string)$node->service == 'powerdns') {
+                if (empty($srv) || filter_var($srv, FILTER_VALIDATE_URL) === false) {
+                    $messages->appendMessage(
+                        new Message(
+                            gettext("A valid URI is required."),
+                            $key . ".server"
+                        )
+                    );
+                }
+            }
             if ((string)$node->service != 'custom') {
                 continue;
             }
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/powerdns.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/powerdns.py
new file mode 100644
index 0000000000..ea931a0cf2
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/powerdns.py
@@ -0,0 +1,209 @@
+"""
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2024 Olly Baker <ilumos@gmail.com>
+    Copyright (c) 2025 Oliver Traber <hi@bluemedia.dev>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import syslog
+import requests
+from . import BaseAccount
+
+
+class PowerDNS(BaseAccount):
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+        # min TTL set to 300
+        self.settings['ttl'] = max(int(self.settings["ttl"]) if self.settings.get("ttl", "").isdigit() else 0, 300)
+
+    @staticmethod
+    def known_services():
+        return {"powerdns": "PowerDNS API"}
+
+    @staticmethod
+    def match(account):
+        return account.get("service") in ['powerdns']
+
+
+    def _send_request(self, method, url, params=None, json=None):
+        headers = {
+            "User-Agent": "OPNsense-dyndns",
+            "X-API-Key": self.settings.get("password"),
+        }
+
+        base_url = "%s/api/v1/servers/%s" % (
+            self.settings.get('server'),
+            self.settings.get("server_id", "localhost")
+        )
+
+        url = base_url + url
+        return requests.request(method=method, url=url, headers=headers, params=params, json=json)
+
+
+    def _find_zone_id(self, hostname):
+        # Get the zone that a record belongs to
+        if self.is_verbose:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Account %s trying to get zone ID for hostname %s"
+                % (self.description, hostname),
+            )
+
+        zone = hostname
+        while (True):
+            if self.is_verbose:
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s checking if zone %s exists"
+                    % (self.description, zone),
+                )
+
+            response = self._send_request(method="GET", url="/zones", params={"zone": zone})
+
+            if response.status_code == 200:
+                try:
+                    payload = response.json()
+                    # Check if a zone was found
+                    if len(payload) == 0:
+                        # Move one up in hierarchy
+                        zone = '.'.join(zone.split('.')[1:])
+                        # Fail if root is reached
+                        if zone == "":
+                            syslog.syslog(
+                                syslog.LOG_ERR,
+                                "Account %s error getting zone ID for hostname %s - No matching zone found on server"
+                                % (self.description, hostname),
+                            )
+                            return None
+                        else:
+                            continue
+                    else:
+                        if self.is_verbose:
+                            syslog.syslog(
+                                syslog.LOG_NOTICE,
+                                "Account %s found zone %s for hostname %s"
+                                % (self.description, zone, hostname),
+                            )
+                        return payload[0].get("id")
+                except requests.exceptions.JSONDecodeError:
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error getting zone ID for hostname %s - Failed to decode response as JSON. Response: %s"
+                        % (self.description, hostname, response.text),
+                    )
+                    return None
+            else:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s error getting zone ID for hostname %s HTTP %s. Response: %s"
+                    % (
+                        self.description,
+                        hostname,
+                        response.status_code,
+                        response.text,
+                    ),
+                )
+                return None
+
+    def _replace_rrset(self, hostname, zone_id, record_type, content):
+        # Replace or create rrset for record
+        payload = {
+            "rrsets": [
+                {
+                    "name": hostname,
+                    "type": record_type,
+                    "ttl": int(self.settings.get("ttl")),
+                    "changetype": "REPLACE",
+                    "records": [
+                        {"content": content}
+                    ]
+                }
+            ]
+        }
+
+        response = self._send_request(method="PATCH", url=("/zones/" + zone_id), json=payload)
+        if response.status_code == 204:
+            # Success
+            return True
+        else:
+            # Failure
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error updating hostname %s in zone %s - HTTP %s Response: %s"
+                % (
+                    self.description,
+                    hostname,
+                    zone_id,
+                    response.status_code,
+                    response.text,
+                ),
+            )
+            return False
+
+    def execute(self):
+        if super().execute():
+            record_type = "AAAA" if str(self.current_address).find(":") > 1 else "A"
+
+            if self.is_verbose:
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s current IP is %s (%s)"
+                    % (self.description, self.current_address, record_type),
+                )
+
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s updating hostnames %s"
+                    % (self.description, self.settings.get("hostnames", "")),
+                )
+
+            # Update each hostname
+            for hostname in self.settings.get("hostnames", "").split(","):
+
+                # Make hostname absolute
+                if not hostname.endswith("."):
+                    hostname = hostname + "."
+
+                # Get id of zone the hostname belongs to
+                zone_id = self._find_zone_id(hostname)
+
+                # If zone can't be found, skip
+                if zone_id == None:
+                    continue
+
+                # Update record set
+                if self._replace_rrset(hostname, zone_id, record_type, content=self.current_address) and self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s successfully updated hostname %s (%s) to IP %s"
+                        % (
+                            self.description,
+                            hostname,
+                            record_type,
+                            self.current_address,
+                        ),
+                    )
+            self.update_state(address=self.current_address)
+            return True
+        return False

From bcd2deb43eaa06a809ddb2f022f84edaeef9a6bc Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 10 Oct 2025 16:05:31 +0200
Subject: [PATCH 2676/3088] www/caddy: Fix HTTP access log excluding the
 process logs accidentally (#4974)

When using "include" in the default global logger, all other logs get excluded, except those that get included.

Using a "log default" instead, sends the HTTP access logs to the default logger.

This allows process and HTTP access logs to coexist in the same logger.
---
 .../service/templates/OPNsense/Caddy/Caddyfile        | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 8e8e89b959..c3f5a38624 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -43,13 +43,6 @@
     #            with the syslog-ng instance running on the OPNsense.
     #}
     log {
-        {% if generalSettings.LogAccessPlain|default("0") == "0" %}
-            {% for reverse in helpers.toList('Pischem.caddy.reverseproxy.reverse') %}
-                {% if reverse.enabled|default("0") == "1" and reverse.AccessLog|default("0") == "1" %}
-                    include http.log.access.{{ reverse['@uuid'] }}
-                {% endif %}
-            {% endfor %}
-        {% endif %}
         output net unixgram//var/run/caddy/log.sock {
         }
         format json {
@@ -614,7 +607,7 @@ http://{{ domain }} {
         {% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ reverse.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
             {% if reverse.AccessLog|default("0") == "1" %}
                 {% if generalSettings.LogAccessPlain|default("0") == "0" %}
-                    log {{ reverse['@uuid'] }}
+                    log default
                 {% else %}
                     log {
                         output file /var/log/caddy/access/{{ reverse['@uuid'] }}.log {
@@ -652,7 +645,7 @@ http://{{ domain }} {
             {% if reverse.DisableTls|default("0") == "1" %}http://{% endif %}{{ subdomain.FromDomain|default("") }}{% if reverse.FromPort %}:{{ reverse.FromPort }}{% endif %} {
                 {% if reverse.AccessLog|default("0") == "1" %}
                     {% if generalSettings.LogAccessPlain|default("0") == "0" %}
-                        log {{ reverse['@uuid'] }}
+                        log default
                     {% else %}
                         log {
                             output file /var/log/caddy/access/{{ subdomain['@uuid'] }}.log {

From a9c5f61850ef66b59487fc315289334f87c5fce6 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 10 Oct 2025 16:11:20 +0200
Subject: [PATCH 2677/3088] www/caddy: Bump version to 2.0.4_1 (#4975)

---
 www/caddy/Makefile  | 1 +
 www/caddy/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 97f312a281..1208069564 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		2.0.4
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 38e81fd424..f88d170b7e 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 2.0.4
 
 Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/plugins/pull/4950)
+Fix: Enabling HTTP access log wrongly excluded the process logs (opnsense/plugins/pull/4974)
 
 2.0.3
 

From 27bd359a360166eae91d23b603bfb405f2d5b5f8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 11 Oct 2025 09:07:04 +0200
Subject: [PATCH 2678/3088] security/q-feeds-connector - add initial version
 (ref: https://forum.opnsense.org/index.php?topic=49123.0)

---
 security/q-feeds-connector/+POST_INSTALL.post |   3 +
 security/q-feeds-connector/Makefile           |   6 +
 security/q-feeds-connector/README.md          |  48 +++++
 security/q-feeds-connector/pkg-descr          |   8 +
 .../src/etc/inc/plugins.inc.d/qfeeds.inc      |  35 ++++
 .../src/etc/rc.syshook.d/start/99-qfeeds      |   4 +
 .../QFeeds/Api/SettingsController.php         | 117 ++++++++++++
 .../OPNsense/QFeeds/IndexController.php       |  40 ++++
 .../OPNsense/QFeeds/forms/settings.xml        |  12 ++
 .../OPNsense/System/Status/QfeedsStatus.php   |  61 ++++++
 .../Firewall/DynamicAliases/QfeedsAliases.php |  56 ++++++
 .../app/models/OPNsense/QFeeds/ACL/ACL.xml    |   9 +
 .../app/models/OPNsense/QFeeds/Connector.php  |  38 ++++
 .../app/models/OPNsense/QFeeds/Connector.xml  |  10 +
 .../app/models/OPNsense/QFeeds/Menu/Menu.xml  |   9 +
 .../mvc/app/views/OPNsense/QFeeds/index.volt  | 136 +++++++++++++
 .../opnsense/scripts/qfeeds/lib/__init__.py   | 179 ++++++++++++++++++
 .../src/opnsense/scripts/qfeeds/lib/api.py    |  72 +++++++
 .../src/opnsense/scripts/qfeeds/lib/file.py   |  53 ++++++
 .../src/opnsense/scripts/qfeeds/lib/log.py    |  77 ++++++++
 .../src/opnsense/scripts/qfeeds/qfeedsctl.py  |  64 +++++++
 .../conf/actions.d/actions_qfeeds.conf        |  40 ++++
 .../templates/OPNsense/QFeeds/+TARGETS        |   1 +
 .../templates/OPNsense/QFeeds/qfeeds.conf     |   4 +
 .../src/opnsense/www/img/QFeeds.png           | Bin 0 -> 16073 bytes
 .../www/js/widgets/Metadata/QFeeds.xml        |  20 ++
 .../src/opnsense/www/js/widgets/QFeeds.js     |  96 ++++++++++
 27 files changed, 1198 insertions(+)
 create mode 100755 security/q-feeds-connector/+POST_INSTALL.post
 create mode 100644 security/q-feeds-connector/Makefile
 create mode 100644 security/q-feeds-connector/README.md
 create mode 100644 security/q-feeds-connector/pkg-descr
 create mode 100644 security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
 create mode 100755 security/q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/IndexController.php
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml
 create mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
 create mode 100644 security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
 create mode 100644 security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
 create mode 100644 security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py
 create mode 100644 security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
 create mode 100755 security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
 create mode 100644 security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
 create mode 100644 security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/+TARGETS
 create mode 100644 security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds.conf
 create mode 100644 security/q-feeds-connector/src/opnsense/www/img/QFeeds.png
 create mode 100644 security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
 create mode 100644 security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js

diff --git a/security/q-feeds-connector/+POST_INSTALL.post b/security/q-feeds-connector/+POST_INSTALL.post
new file mode 100755
index 0000000000..47481ad322
--- /dev/null
+++ b/security/q-feeds-connector/+POST_INSTALL.post
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/local/sbin/pluginctl -s cron restart
diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
new file mode 100644
index 0000000000..dffd163a23
--- /dev/null
+++ b/security/q-feeds-connector/Makefile
@@ -0,0 +1,6 @@
+PLUGIN_NAME=		q-feeds-connector
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
+PLUGIN_MAINTAINER=	devel@qfeeds.com
+
+.include "../../Mk/plugins.mk"
diff --git a/security/q-feeds-connector/README.md b/security/q-feeds-connector/README.md
new file mode 100644
index 0000000000..b18fb8cc59
--- /dev/null
+++ b/security/q-feeds-connector/README.md
@@ -0,0 +1,48 @@
+# plugin to connect to QFeeds threat platform
+
+Register for a token at : https://qfeeds.com/opnsense/
+
+# command line control
+
+Settings are persisted in `/usr/local/etc/qfeeds.conf`, using the following format:
+
+```
+[api]
+key=tip_xxxxxxxx
+```
+
+Our commandline tool contains all actions used by the UI, which is practical for debuggging.
+
+```
+usage: qfeedsctl.py [-h] [--target_dir TARGET_DIR] [-f] [-v] [{fetch_index,fetch,show_index,firewall_load,update,stats} ...]
+
+positional arguments:
+  {fetch_index,fetch,show_index,firewall_load,update,stats}
+
+options:
+  -h, --help            show this help message and exit
+  --target_dir TARGET_DIR
+  -f                    forced (auto index)
+  -v                    verbose output
+```
+
+The index is the driver for most actions, which is a json encoded file in `/var/db/qfeeds-tables/index.json`.
+
+Actions supported:
+
+*   fetch_index --> download the index file
+*   fetch   --> download the lists
+*   firewall_load  --> collect ip lists into pre-defined firewall tables
+*   update  [sleep when almost time] --> run fetch_index --> fetch --> firewall_load (to be used by cron)
+*   show_index  --> dumps the index
+*   stats --> dumps feed information
+*   logs --> dumps firewall log information for aliases offered by Q-Feeds
+
+
+Example usage:
+
+```
+/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py update
+```
+
+**Fetch index and update lists when updated remotely**
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
new file mode 100644
index 0000000000..c6c57300e4
--- /dev/null
+++ b/security/q-feeds-connector/pkg-descr
@@ -0,0 +1,8 @@
+Connector for Q-Feeds threat intel
+
+Plugin Changelog
+================
+
+1.0
+
+* Intial release version
diff --git a/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc b/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
new file mode 100644
index 0000000000..c2fb7a2a6a
--- /dev/null
+++ b/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function qfeeds_cron()
+{
+    $jobs = [];
+    $jobs[]['autocron'] = ['/usr/local/sbin/configctl -d qfeeds update', '*/5'];
+    $jobs[]['autocron'] = ['/usr/local/sbin/configctl -d ! qfeeds stats', '*/15'];
+    return $jobs;
+}
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds b/security/q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds
new file mode 100755
index 0000000000..367479388b
--- /dev/null
+++ b/security/q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# load already collected feeds
+/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py firewall_load
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
new file mode 100644
index 0000000000..6f9f9b136a
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
@@ -0,0 +1,117 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\QFeeds\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Base\UserException;
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
+
+
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'connect';
+    protected static $internalModelClass = 'OPNsense\QFeeds\Connector';
+
+    public function reconfigureAction()
+    {
+        $backend = new Backend();
+        $res = trim($backend->configdRun('template reload OPNsense/QFeeds'));
+        if (strtolower($res) != 'ok') {
+            throw new UserException(sprintf(gettext("Unable to update settings (%s)"), $res));
+        }
+        $res = trim($backend->configdRun('qfeeds reconfigure'));
+        if (strpos($res, 'EXIT OK') === false) {
+            throw new UserException($res);
+        }
+        return ['status' => 'ok', 'output' => $res];
+    }
+
+    public function searchFeedsAction()
+    {
+        $records = [];
+        $data = json_decode((new Backend())->configdRun('qfeeds info') ?? '[]', true);
+        if (!empty($data) && !empty($data['feeds'])) {
+            $records = $data['feeds'];
+            foreach ($records as &$record) {
+                $record['licensed'] = $record['licensed'] ? '1' : '0';
+            }
+        }
+        return $this->searchRecordsetBase($records);
+    }
+
+    public function searchEventsAction()
+    {
+        $records = [];
+        $ifnames = [];
+        foreach (Config::getInstance()->object()->interfaces->children() as $key => $node) {
+            if (!empty((string)$node->if)) {
+                $ifnames[(string)$node->if] = (string)($node->descr ?? strtoupper($key));
+            }
+        }
+        $data = json_decode((new Backend())->configdRun('qfeeds logs') ?? '[]', true);
+        if (!empty($data) && !empty($data['rows'])) {
+            foreach ($data['rows'] as $row) {
+                $records[] = [
+                    'timestamp' => $row[0],
+                    'interface' => $ifnames[$row[1]] ?? $row[1],
+                    'direction' => $row[2],
+                    'source' => $row[3],
+                    'destination' => $row[4],
+                ];
+            }
+        }
+        return $this->searchRecordsetBase($records);
+    }
+
+    public function statsAction()
+    {
+        $stats = json_decode((new Backend())->configdRun('qfeeds stats'), true);
+        if (!empty($stats) && !empty($stats['feeds'])) {
+            $info = json_decode((new Backend())->configdRun('qfeeds info'), true);
+            if (!empty($info) && !empty($info['feeds'])) {
+                $feeds = [];
+                foreach ($info['feeds'] as $feed) {
+                    $feeds[$feed['feed_type']] = $feed;
+                }
+                foreach ($stats['feeds'] as &$feed) {
+                    if (isset($feeds[$feed['name']])) {
+                        $tmp = $feeds[$feed['name']];
+                        $feed['updated_at'] = $tmp['updated_at'];
+                        $feed['next_update'] = $tmp['next_update'];
+                        $feed['licensed'] = $tmp['licensed'];
+                    }
+                }
+            }
+        }
+        return $stats;
+    }
+}
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/IndexController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/IndexController.php
new file mode 100644
index 0000000000..aec86b9a38
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/IndexController.php
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\QFeeds;
+
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->formSettings = $this->getForm("settings");
+        $this->view->pick('OPNsense/QFeeds/index');
+    }
+}
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
new file mode 100644
index 0000000000..e27658d30d
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
@@ -0,0 +1,12 @@
+<form>
+    <field>
+        <type>header</type>
+        <label>General Settings</label>
+    </field>
+    <field>
+        <id>connect.general.apikey</id>
+        <label>API key</label>
+        <type>text</type>
+        <help><![CDATA[API key to access Q-Feeds services, to apply for a key, <a target="_new" href="https://qfeeds.com/opnsense/">click here</a>]]></help>
+    </field>
+</form>
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php b/security/q-feeds-connector/src/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php
new file mode 100644
index 0000000000..5477729d65
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php
@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\System\Status;
+
+use OPNsense\System\AbstractStatus;
+use OPNsense\System\SystemStatusCode;
+use OPNsense\Core\Config;
+
+class QfeedsStatus extends AbstractStatus
+{
+    public function __construct()
+    {
+        $this->internalPriority = 2;
+        $this->internalPersistent = true;
+        $this->internalIsBanner = true;
+        $this->internalTitle = gettext('QFeeds');
+        $this->internalScope = [
+            '/ui/q_feeds/'
+        ];
+    }
+
+    public function collectStatus()
+    {
+        $cnf = Config::getInstance()->object();
+        if (!empty($cnf->system->maximumtableentries) && $cnf->system->maximumtableentries >= 2000000) {
+            return;
+        }
+        $this->internalStatus = SystemStatusCode::ERROR;
+        $this->internalMessage = gettext(
+            'QFeeds requires additional memory to be reserved for aliases. ' .
+            'Please increase `Firewall Maximum Table Entries` in `Firewall: Settings: Advanced` to at least' .
+            ' 2 million items.'
+        );
+    }
+}
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php
new file mode 100644
index 0000000000..26eca705d8
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php
@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Firewall\DynamicAliases;
+
+use OPNsense\Core\Backend;
+
+class QfeedsAliases
+{
+    public function collect()
+    {
+        $result = [];
+        $payload = json_decode((new Backend())->configdRun('qfeeds index') ?? '', true) ?? [];
+        if (is_array($payload) && !empty($payload['feeds'])) {
+            foreach ($payload['feeds'] as $feed) {
+                if ($feed['type'] == 'ip' && !empty($feed['licensed'])) {
+                    $name = '__qfeeds_'. $feed['feed_type'];
+                    $result[$name] = [
+                        'enabled' => '1',
+                        'counters' => '1',
+                        'name' => $name,
+                        'type' => 'external',
+                        'description' => $feed['feed_type'],
+                        'content' => ''
+                    ];
+                }
+            }
+        }
+        return $result;
+    }
+}
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml
new file mode 100644
index 0000000000..3c58e042a8
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-firewall-qfeeds>
+        <name>Services: QFeeds</name>
+        <patterns>
+            <pattern>ui/q_feeds/*</pattern>
+            <pattern>api/q_feeds/*</pattern>
+        </patterns>
+    </page-firewall-qfeeds>
+</acl>
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php
new file mode 100644
index 0000000000..eca13f9609
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php
@@ -0,0 +1,38 @@
+<?php
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\QFeeds;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class Connector
+ * @package OPNsense\QFeeds
+ */
+class Connector extends BaseModel
+{
+}
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
new file mode 100644
index 0000000000..f90fc08c96
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
@@ -0,0 +1,10 @@
+<model>
+    <mount>//OPNsense/QFeedsConnector</mount>
+    <version>1.0.0</version>
+    <description>QFeeds connector</description>
+    <items>
+        <general>
+            <apikey type="TextField"/>
+        </general>
+    </items>
+</model>
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml
new file mode 100644
index 0000000000..a91edf9260
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml
@@ -0,0 +1,9 @@
+<menu>
+    <Security order="65" cssClass="fa fa-shield">
+        <QFeeds VisibleName="Q-Feeds Connect" cssClass="fa fa-heartbeat fa-fw">
+            <Settings order="10" url="/ui/q_feeds/#settings"/>
+            <Feeds order="20" url="/ui/q_feeds/#feeds"/>
+            <Events order="30" url="/ui/q_feeds/#events"/>
+        </QFeeds>
+    </Security>
+</menu>
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
new file mode 100644
index 0000000000..08dc8e4a5d
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
@@ -0,0 +1,136 @@
+{#
+
+OPNsense® is Copyright © 2025 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        let data_get_map = {'frm_settings':"/api/q_feeds/settings/get"};
+        mapDataToFormUI(data_get_map).done(function(){
+            formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint("/api/q_feeds/settings/set", 'frm_settings', function(){
+                    dfObj.resolve();
+                });
+                return dfObj;
+            }
+        });
+
+        $('a[data-toggle="tab"]').on('shown.bs.tab', function (e) {
+            if (e.target.id === 'feeds_tab') {
+                if (!$("#grid-feeds").hasClass('tabulator')) {
+                    $("#grid-feeds").UIBootgrid({
+                        'search': '/api/q_feeds/settings/search_feeds/'
+                    });
+                } else {
+                    $("#grid-feeds").bootgrid("reload");
+                }
+            } else if (e.target.id === 'events_tab') {
+                if (!$("#grid-events").hasClass('tabulator')) {
+                    $("#grid-events").UIBootgrid({
+                        'search': '/api/q_feeds/settings/search_events/'
+                    });
+                } else {
+                    $("#grid-events").bootgrid("reload");
+                }
+            }
+        });
+
+
+        let selected_tab = window.location.hash != "" ? window.location.hash : "#settings";
+        $('a[href="' +selected_tab + '"]').tab('show');
+        $('.nav-tabs a').on('shown.bs.tab', function (e) {
+            history.pushState(null, null, e.target.hash);
+        });
+        $(window).on('hashchange', function(e) {
+            $('a[href="' + window.location.hash + '"]').click()
+        });
+
+    });
+</script>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li><a data-toggle="tab" href="#settings" id="settings_tab">{{ lang._('Settings') }}</a></li>
+    <li><a data-toggle="tab" href="#feeds" id="feeds_tab">{{ lang._('Feeds') }}</a></li>
+    <li><a data-toggle="tab" href="#events" id="events_tab">{{ lang._('Events') }}</a></li>
+</ul>
+<div class="tab-content content-box">
+    <div id="settings"  class="tab-pane fade in">
+        {{ partial("layout_partials/base_form",['fields':formSettings,'id':'frm_settings'])}}
+    </div>
+    <div id="feeds"  class="tab-pane fade in">
+        <table id="grid-feeds" class="table table-condensed table-hover table-striped table-responsive">
+            <thead>
+                <tr>
+                    <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                    <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+                    <th data-column-id="updated_at" data-type="string">{{ lang._('Updated at') }}</th>
+                    <th data-column-id="next_update" data-type="string">{{ lang._('Next update') }}</th>
+                    <th data-column-id="licensed" data-type="boolean" data-formatter="boolean">{{ lang._('Licensed') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+        </table>
+    </div>
+    <div id="events"  class="tab-pane fade in">
+
+        <table id="grid-events" class="table table-condensed table-hover table-striped table-responsive">
+            <thead>
+                <tr>
+                    <th data-column-id="timestamp" data-type="string">{{ lang._('Timestamp') }}</th>
+                    <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
+                    <th data-column-id="direction" data-type="string">{{ lang._('Direction') }}</th>
+                    <th data-column-id="source" data-type="string">{{ lang._('Source') }}</th>
+                    <th data-column-id="destination" data-type="string">{{ lang._('Destination') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+        </table>
+        <div class="pull-right">{{ lang._('Collected events from the firewall log for QFeed aliases') }}</div>
+    </div>
+</div>
+
+<section class="page-content-main">
+    <div class="content-box">
+        <div class="col-md-12">
+            <br/>
+            <button class="btn btn-primary" id="reconfigureAct"
+                    data-endpoint='/api/q_feeds/settings/reconfigure'
+                    data-label="{{ lang._('Apply') }}"
+                    data-error-title="{{ lang._('Error reconfiguring QFeeds connect') }}"
+                    type="button"
+            ></button>
+            <br/><br/>
+        </div>
+    </div>
+</section>
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
new file mode 100644
index 0000000000..bf4c528aad
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
@@ -0,0 +1,179 @@
+"""
+    Copyright (c) 2025 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import os
+import subprocess
+import time
+import ujson
+from datetime import datetime
+from lib.api import Api
+from lib.log import PFLogCrawler
+from lib.file import LockedFile
+
+
+class QFeedsActions:
+    def __init__(self, target_dir, forced=False):
+        self._target_dir = target_dir
+        self._forced = forced
+
+    @classmethod
+    def list_actions(cls):
+        return [
+            'fetch_index',
+            'fetch',
+            'show_index',
+            'firewall_load',
+            'update',
+            'stats',
+            'logs'
+        ]
+
+    @property
+    def index_file(self):
+        return "%s/index.json" % self._target_dir
+
+    @property
+    def index(self):
+        if not os.path.exists(self.index_file) and self._forced:
+            # require index file to get feeds
+            list(self.fetch_index())
+        elif not os.path.exists(self.index_file):
+            return {}
+        data = ujson.load(open(self.index_file)) or {}
+        if type(data) is dict:
+            for feed in data.get('feeds', []):
+                feed['local_filename'] = "%s/%s.txt" % (self._target_dir, feed['feed_type'])
+                feed['updated_at_dt'] = datetime.fromisoformat(feed['updated_at']).timestamp()
+                feed['next_update_dt'] = datetime.fromisoformat(feed['next_update']).timestamp()
+
+        return data
+
+    def _file_stat(self, filename):
+        if not os.path.exists(filename):
+            return 0
+        return os.stat(filename).st_mtime
+
+    def fetch_index(self):
+        if not os.path.isdir(self._target_dir):
+            os.makedirs(self._target_dir)
+        with LockedFile(self.index_file) as f:
+            payload = Api().licenses()
+            f.truncate()
+            f.write(ujson.dumps(payload))
+            yield 'downloaded index to %s' % f.filename
+
+    def show_index(self):
+        yield ujson.dumps(self.index)
+
+    def fetch(self):
+        for feed in self.index.get('feeds', []):
+            if feed['licensed'] and feed['updated_at_dt'] != self._file_stat(feed['local_filename']):
+                with LockedFile(feed['local_filename']) as f:
+                    counter = 0
+                    for entry in Api().fetch(feed['feed_type']):
+                        if counter == 0:
+                            f.truncate()
+                        f.write("%s\n" % entry)
+                        counter += 1
+                os.utime(feed['local_filename'], (feed['updated_at_dt'], feed['updated_at_dt']))
+                yield "downloaded %d entries into %s [%s]" % (counter, feed['local_filename'], feed['updated_at'])
+            elif feed['licensed']:
+                yield "skipped %s [%s]" % (feed['local_filename'], feed['updated_at'])
+
+    def firewall_load(self):
+        for feed in self.index.get('feeds', []):
+            if feed['licensed'] and os.path.exists(feed['local_filename']) and feed['type'] == 'ip':
+                table_name = '__qfeeds_%s' % feed['feed_type']
+                sp = subprocess.run(
+                    ['/sbin/pfctl', '-t', table_name, '-T', 'replace', '-f', feed['local_filename']],
+                    capture_output=True,
+                    text=True
+                )
+                yield 'load feed %s [%s]' % (feed['feed_type'], sp.stderr.strip().replace("\n", " "))
+
+    def update(self):
+        update_sleep = 99999
+        try:
+            index_payload = self.index
+        except TypeError:
+            # when the index can't be parsed, assume we have none while updating
+            index_payload = {}
+        do_update = len(index_payload.get('feeds', [])) == 0
+        for feed in index_payload.get('feeds', []):
+            update_sleep = min(feed['next_update_dt'] - time.time(), update_sleep)
+            if feed['licensed'] and update_sleep <= 300: # 5 minute cron interval
+                do_update = True
+        if do_update:
+                if 0 < update_sleep <= 300:
+                    time.sleep(update_sleep)
+                for action in ['fetch_index', 'fetch', 'firewall_load']:
+                    yield from getattr(self, action)()
+
+    def stats(self):
+        result = {'feeds': []}
+        for feed in self.index.get('feeds', []):
+            if feed['licensed'] and os.path.exists(feed['local_filename']) and feed['type'] == 'ip':
+                table_name = '__qfeeds_%s' % feed['feed_type']
+                sp = subprocess.Popen(
+                    ['/sbin/pfctl', '-t', table_name, '-vT', 'show'],
+                    stdout=subprocess.PIPE,
+                    stderr=subprocess.DEVNULL,
+                    text=True
+                )
+                record = {
+                    'name': feed['feed_type'],
+                    'total_entries': 0,
+                    'packets_blocked': 0,
+                    'bytes_blocked': 0,
+                    'addresses_blocked': 0
+                }
+                while (line := sp.stdout.readline()):
+                    if line.startswith(' '):
+                        record['total_entries'] += 1
+                    elif 'Packets:' in line and 'Packets: 0 ' not in line:
+                        parts = line.split()
+                        if parts[3].isdigit() and parts[5].isdigit() and parts[0].lower().find('block') > 0:
+                            record['packets_blocked'] += int(parts[3])
+                            record['bytes_blocked'] += int(parts[5])
+                            record['addresses_blocked'] += 1
+
+                result['feeds'].append(record)
+        result['totals'] = {
+            'entries': sum(r['total_entries'] for r in result['feeds']),
+            # assumes no overlaps in datafeeds
+            'addresses_blocked': sum(r['addresses_blocked'] for r in result['feeds']),
+            'packets_blocked': sum(r['packets_blocked'] for r in result['feeds']),
+            'bytes_blocked': sum(r['bytes_blocked'] for r in result['feeds']),
+        }
+
+        yield  ujson.dumps(result)
+
+    def logs(self):
+        feeds = []
+        for feed in self.index.get('feeds', []):
+            if feed['type'] == 'ip':
+                feeds.append('__qfeeds_%s' % feed['feed_type'])
+
+        yield ujson.dumps({'rows': PFLogCrawler(feeds).find()})
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
new file mode 100644
index 0000000000..3892c371f8
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
@@ -0,0 +1,72 @@
+"""
+    Copyright (c) 2025 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import os
+import requests
+from configparser import ConfigParser
+
+
+class QFeedsConfig:
+    api_key = None
+
+    def __init__(self):
+        config_filename = '/usr/local/etc/qfeeds.conf'
+        if os.path.isfile(config_filename):
+            cnf = ConfigParser()
+            cnf.read(config_filename)
+            if cnf.has_section('api') and cnf.has_option('api', 'key'):
+                self.api_key = cnf.get('api', 'key')
+
+
+class Api:
+    def __init__(self):
+        self.api_key = QFeedsConfig().api_key
+
+    def licenses(self):
+        r = requests.get(
+            url='https://api.qfeeds.com/licenses.php',
+            auth=('api_token', self.api_key),
+            timeout=60,
+            headers={'User-Agent': 'Q-Feeds_OPNsense'}
+        )
+        r.raise_for_status()
+        return r.json()
+
+    def fetch(self, feed):
+        r = requests.get(
+            url='https://api.qfeeds.com/api.php',
+            params={'feed_type': feed},
+            auth=('api_token', self.api_key),
+            headers={'User-Agent': 'Q-Feeds_OPNsense'},
+            stream=True,
+            timeout=60
+        )
+        r.raise_for_status()
+        for line in r.raw:
+            entry = line.decode().strip()
+            if entry:
+                yield entry
+
+
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py
new file mode 100644
index 0000000000..53d6b3ea63
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py
@@ -0,0 +1,53 @@
+"""
+    Copyright (c) 2025 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import fcntl
+
+
+class LockedFile:
+    def __init__(self, filename):
+        self._filename = filename
+        self._fh = None
+
+    def __enter__(self):
+        self._fh = open(self._filename, 'a+')
+        fcntl.flock(self._fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
+        return self
+
+    def __exit__(self, ex_type, ex_value, traceback):
+        if self._fh:
+            self._fh.close()
+
+    def truncate(self):
+        self._fh.seek(0)
+        self._fh.truncate()
+
+    def write(self, data):
+        self._fh.write(data)
+
+    @property
+    def filename(self):
+        return self._filename
+
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
new file mode 100644
index 0000000000..fed49e8e47
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
@@ -0,0 +1,77 @@
+"""
+    Copyright (c) 2025 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import glob
+import time
+import subprocess
+import ipaddress
+
+def is_ip_address(value):
+    try:
+        ipaddress.ip_address(value)
+        return True
+    except ValueError:
+        return False
+
+
+class PFLogCrawler:
+    def __init__(self, table_names:list=[]):
+        self._table_names = table_names
+        self._rule_ids = []
+        self._collect_rule_ids()
+
+    def _collect_rule_ids(self):
+        self._rule_ids = []
+        sp = subprocess.run(['/sbin/pfctl', '-sr'], capture_output=True, text=True)
+        for line in sp.stdout.split("\n"):
+            for table in self._table_names:
+                if line.find("<%s>" % table) > 0:
+                    self._rule_ids.append(line.split()[-1].strip('"'))
+
+    @staticmethod
+    def _parse_log_line(line):
+        # quick scan for datetime, interface, direction, source, dest
+        parts = line.split()
+        fw_line = parts[-1].split(',') # strip syslog
+        return [parts[1], fw_line[4], fw_line[7]] + [x for x in fw_line if is_ip_address(x)]
+
+    def find(self, max_time=60, max_results=50000):
+        result = []
+        start_time = time.time()
+        rows_processed = 0
+        for filename in sorted(glob.glob("/var/log/filter/filter_*.log"), reverse=True):
+            with open(filename) as f_in:
+                for idx, line in enumerate(f_in):
+                    for rule_id in self._rule_ids:
+                        if rule_id in line:
+                            result.append(self._parse_log_line(line))
+                            rows_processed +=1
+                            continue
+                    if (idx % 100000 == 0 and time.time() - start_time > max_time) or rows_processed >= max_results:
+                        return result
+
+        return result
+
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
new file mode 100755
index 0000000000..737ec65e82
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
@@ -0,0 +1,64 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2025 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import argparse
+import sys
+import ujson
+from requests.exceptions import HTTPError, Timeout
+from lib import QFeedsActions
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--target_dir', default='/var/db/qfeeds-tables')
+    parser.add_argument('-f', help='forced (auto index)' , default=False, action='store_true')
+    parser.add_argument('-v', help='verbose output' , default=False, action='store_true')
+    parser.add_argument("action", choices=QFeedsActions.list_actions(), nargs='*')
+    args = parser.parse_args()
+    if args.v:
+        # verbose mode
+        import http.client as http_client
+        http_client.HTTPConnection.debuglevel = 1
+    try:
+        actions = QFeedsActions(args.target_dir, args.f)
+        for action in args.action:
+            for msg in getattr(actions, action)():
+                print(msg)
+    except HTTPError as exc:
+        print('exit with HTTPError %d (%s)' % (exc.response.status_code, exc.response.text))
+        sys.exit(-1)
+    except Timeout as exc:
+        print('timeout reaching api endpoint')
+        sys.exit(-1)
+    except IOError as e:
+        print("output filename locked or missing")
+        sys.exit(-1)
+    except ujson.JSONDecodeError:
+        print("JSON decode error")
+        sys.exit(-1)
+
diff --git a/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf b/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
new file mode 100644
index 0000000000..b693285e20
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
@@ -0,0 +1,40 @@
+[reconfigure]
+command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py fetch_index fetch firewall_load && echo 'EXIT OK'
+parameters:
+type:script_output
+message:reconfigure QFeeds
+errors:no
+
+[update]
+command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py update
+parameters:
+type:script_output
+message:update QFeeds
+errors:no
+
+[info]
+command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py show_index
+parameters:
+type:script_output
+message:fetch QFeeds info
+
+[stats]
+command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py stats
+parameters:
+type:script_output
+cache_ttl: 3600
+message:return Qfeeds local stats
+
+[logs]
+command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py logs
+parameters:
+type:script_output
+cache_ttl: 300
+message:return Qfeeds log data
+
+[index]
+command:cat /var/db/qfeeds-tables/index.json
+parameters:
+type:script_output
+message:return raw QFeeds index file
+cache_ttl: 60
diff --git a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/+TARGETS b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/+TARGETS
new file mode 100644
index 0000000000..da2b51f083
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/+TARGETS
@@ -0,0 +1 @@
+qfeeds.conf:/usr/local/etc/qfeeds.conf
diff --git a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds.conf b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds.conf
new file mode 100644
index 0000000000..be8460cb8e
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds.conf
@@ -0,0 +1,4 @@
+{% if not helpers.empty('OPNsense.QFeedsConnector.general.apikey') %}
+[api]
+key={{OPNsense.QFeedsConnector.general.apikey}}
+{% endif %}
diff --git a/security/q-feeds-connector/src/opnsense/www/img/QFeeds.png b/security/q-feeds-connector/src/opnsense/www/img/QFeeds.png
new file mode 100644
index 0000000000000000000000000000000000000000..5dd5e38a5c1a42a058f702592aea61e0afadcf69
GIT binary patch
literal 16073
zcmd_RX<U+9_cvZyS`L_*h!dW)w9*_h73Wi$p2{>U6miCKLKJc$Q?pD#ak$T2mN{mg
zG*J{%lyVl3yG+eWG$#b^Y;b~1rL=r5v)|`=-uz$u-#*WN1AN%m-fOSD_FC)vUHi&B
z=jNgyt1i1`%NB)Ge>t7svSmB)b?d&J(!d9Q=ymg!E%yI9<#hZaL~XWfSHb%PKmGB=
zRh|#L?U7B1oAswyi~l$yZtZ^%i5s~j?%ML=!GoI*b@qr<4x}DEtgLlX$vb4k7ZGx?
zc<ad>xPRe7wtMUPbn7|o+`sSE?5Efz&y|#_t7(e2p0y=R_`rWyxj6mb&{%)hVR-F+
z*=H5a;O1#6AIlwsQnf}Vkz+Tklr|gTl)GU;-3$^=>6yT7P1)T+EMpE#Rf%J572Mgk
zar@>og|DJ1m~cv8Ch=E;ZO4o?VFc6}sv3_ZC;lUnb?1j==dk#?$P#}YJy!$C`rYr(
z&3@r9a30ePtL<tPYlF3#OznuG_>uN(PEIQuZNiMPf=qK<gijd`p0Kreeg*!(WUiLZ
zW?Oay<|=|6qtKV&OPap7a=?=c66H0EcB9SzQQE%-==!vjh%tc_rv<Qu)Yp<(Rtxsj
za9kM#L^$xfpW^89+!*_KI6Tg{6};jS%9EB@N3n7kTP-W{mS9^osJm+BeE8>W<+M5H
zHaDKN6SKNJCrG7}tySyU$%F42y6KVt$!_~pG)*Oqtlq?(<pxR5V2zAAE3lSd=icqU
zC;Wg!Ym+B_8%`1dSepf|v%g!L-xanzi)`Hy&E!y-KWDJk&^&F9-C(w-WOr$X@ut3r
z63{P&rD~>o393J;Vf5`&d8}3Hn=Uj%KV_@KtvF{5fdU>HrLw6zF~*w4L!#|$rQA;p
zg!zagY<H}umVnOkudLaYrqyI~`7YwGT%`V{0t91USvMG}{u#oYc$<_e`tqLfkD}4^
zfvH~nZf;?;Yyx{#Wd7SEcyBX*ypEeVytaQH)#%;YNMF7ZNi&%yf36qX`i3@|i5d|5
zevevYO$#7@wq1i1ev@5qpf8uvhPp?GkgI3bKu!1S`6r5X|93}szu~?q0<9~otm^>d
z9e$RjA&R>5%|Z}f0RC+aKKjem<o@pTu<5Z(2iE(Z8P8UEulw}`j^NU7(OTkA_0Q_i
z3~dXIIVOC`LO#cPI8M8V7aZ2EES}h$OD7%;7>)8Z`kv^X4olva0Zy-no^YSUpf)Bn
z-SXm)naSSG(OeqcW_yvv!HqK_#e=sOy^|)B6hh<t67KvqU_l%zz^xnS+_J~3@Il>7
z9jC?Agy&cD`S;^E)(k1xN_i${+4N=M1AY`<yOcCEKa21kLE7}cHtFnW;<jg%{~jyy
zyWeo8-RBG@zq-JJx20@$Wi_VdKD9nb!?UG9t#zl(5d}wIZ+JcDI@@AXIvnCFfmuFM
z0ku%WfV~F#`tqN*XpQAG?J+o_H6!+6w9h<iuJ~=L`({{BI(OD0xY3U>A)re69MR@X
z?O^gnhW|5GEGm!uBFd5EJC||e{rh&wdp?%oy!o`|6Svv3K{bPw)KQ&R$fEAky=Mse
zQ_q=vs`BR3gnxK5ODw2D{A%H#C+apk$lOy6L%hMJlt;JI@mr0wK!md0n_Xon4iI@3
zRHd#P^peqFKc8to?aGy|J<8i1-4%cww-9*Y9)6q8`q0cR%_;gV{P9nu<Zn7rZ0E(2
zynHyF{olrk`Mmt;u^Y`o<0DZQU?Ah}Y#TH_37)*Az5?(<9^ccBpDicUoo?7ppVr8L
zG;yaB?QA|w-$5Ksgwxf}W*>F2?4@cJs@3k+rH5S0*8=5**Y3S`l;j7>Qz=lo_O`J5
z0X@oVm|k+X{wEezOeRC09q#*bj-lnK{8n}Kib7PU^Wua`k=W{X11RqVFDZZ%YM9a@
zQZFWO%AYpmOLint&9#e)F6iX?n!TlsqzZA?ZtM`v^l(>tWoY=}mqDR$Oj%KkUHeUA
zfdONeWg|DLdV+<Dxq?nnoM9ilXSzl|?4wzz-!vWmG1FsmJZ_@wq5=Ulp)2+^J<WeF
z@gdX^wAmL}rF*4EJj`2@O|a(esRMj#U-y<Bmp>Jh=dw*<pwOvfkv&M)pl9ZGz04fR
zNngy(@2G$%b|@}kv4rT-#I+B-GM}*unTwG;dBk^K1NF13r&|nuUVz(C%!e~!PhMVp
zs&CYpjDzN~54%<n`oCO+1cGd+JJykK?H(6V%4ch2COgm^nk{4>tm5ZW-U(h6XA#Qv
zou5`mNF1mW<u*!+%GbV}YAq^^2~(eowRN4X-#1N_YUVG#l@Z$~r9SHu96Q@$W7PQr
zYoE(J>{_1J|0Pz=f*+y$Hky*zHtG*w=n@XbgeKdz)0aO;o{4ARL&~_uZ_*M-lee{f
zmY2YiI$C0GyInP|Wc?UqWFP9A4{3p!j)%B8efZDoS1#HHRFFQO7X&VQ@Z-qjWa0Jd
zqkCz1t(+ysdBcBN0uMBi(&M#jyD_M7Yu8|Pmmo7}mXFB2v7<9UU_oN4+iuHa>(bOp
zbbDpTciby{;5K`PUxq6ggr0*tAmAmYHRNkkGOx^d7`*C>*EG3k7B4WcUCmaCH#QTl
zbGKg2cH4ELrJx$Nt3(oCBl^?#X0zv23ky2eT#5ANbg>S2G_h7ih*d5A1AMzejA&J_
zXZ{$pv@*l*_Rq8AS7DD@yOf3(11GC+*JsvG$+5}YqdZyPTP+$DWMn!Cm+?(jn;mLs
z*F43RWDn+YNZ2RD_n%;`JFjQy^AFOD?Z%~y*=2AA?YGF8Ohi&8t{oA^nW{r+=5kJ<
zOp)pO!XtRu${cTWE}M-vD7_h%8>!WfhH2KC9xoZu9ur%PM>e(y)8X`f{8w=rV|U57
z5b<~a`h<o@pJdnULvoh?ux%MO(?wl<ck7<;+sHxC+hfq1mYzfDjfa#-XB1bu57Yj|
z6=))r<uKCvME2~l*1ZE^eX_!s6Z!Xq4uQ8NmZ2BDqi<T%I*iz56)%VRyYOys3N4jP
z_JZeiM+Z^{?QdRp@-EDfoN3)9wYVgXU3>L4wmuU9bz@%d>fmI<_J&Tu-{zr^EWs5p
zmz4gN-~RRvBFwJ%<V+?zQrD>Zi|c51dcq$6bp0Ubq?RRE&-OUfbqrerOCR*)?_fM8
za}f|bTX|!4xO0nIeb>_6rZJK1TEn2l)YY`EsXCpz?Mo7Oyk;evkKL0Zrx@OniLlLO
znxe`l6bx9fVp2G5gu;=lCLqpXj+Ex<2O^WI;3JVYt#N<YXIcgm2DwvS;x+Q<lnI%9
zpPabOKPM*JqSHszeD?--R7G-j{8HmJ{=Gyyw3DF+g?`9Z!GTx`E4JYOn{0iCC7{W2
z0PB?J5^*p!1NM2WZHihIatnnHT{^b5_dDuNcrkiorfJcYRw>5{O3$LW2gpN8952H4
z`3EFY#o+^!Bp%zM*OAVhOtTE`PfA{crTjDeMwzx9J|rbhs@*NePr;|4JxK`75NsVH
zOauD_LI|e%8>%SwH29z|fEvh&CMmmWSfyWq?8WsjebC#p5{0Dgjum}VGzsu$5PYJ6
z9HN;@{!IS-Uvi@L<V_NFvNU<CanHRY#x|l=yzz@9v}jwgKI)SdXn?6lJ7;Z6dm*f<
ze5Qx`@}1$14q=@@5*pYr%``LC`9Y>~&1X%*u(hpBRaUaqRx`bSlx1q^@m8fdz2}_K
z3=RM61b!SmE(l)Y4WAkOX7MAX13pwpwx*Mz!~muZklsKpEYF_7N1^9_+^wn+@9~Xp
zd?UW;KVYqN#)TOyN=B7a*l!Z%)S<d49IWcaAZp)P{xMS!8teYd%}_;O$ni0IFS@!L
zx^I~i5_xQ2GR{O+n`0(UOj0czti&EI&CusNCsmVw?il8Szb4F$(zmX3dc(lzSIyC0
zQ>sYxLQm(HCI42CF{=@XM)IYD3(dT;qM94TlXd3k8e0`Jl;%8PRTzEJb#fOXZ-#Zk
znm&V!hSlCc{H5^0<HE?kyEmcGfcJFCL&s*&KsS=+;Kr(Eyx#tm-KFk1^oT+)>yGC0
zKfY_ofFsgxi`yWmk034U)q0WAn(R*{sopVAtMmu{>fqA`IAGh8Bt;V9zvN=VDiP<M
zR@FSMT{CWkdcvK8CAk64Pl3R!2)E2ikC*mD5fF#nx~0S?3G-0=mckM38Z7kZ;PzO-
zIeD>%t#W-ASf<iZJ2`fl=hiCckh7k4LzfxH*dAaydPwr#e_)pmn8uAzcgPNAF^<_%
zUxe%EMN22B%FP`c%|vNhOdX`%c{yc@;J^Bc-N()RF~qS$qDyvtWbs7@)?`z*YO~$s
zf<azWd)D^ar(e1B4d$OWHw~yS<;jL~`I{UuBeDxa6?28QO1CZ37a}NV)IO~=z-nqa
z)u=<^4DH;6uw1t8D`gqf1^C&bR5wkd=4S3BQJWPlAdS2ijieh3S8)6MZ_a4mpGKnV
zIb$BvMLos>ep{&?3TG{)pNT8#aSXRpx;=!wGK4*C_>T(AFPmvSUNQ4b@9w{Yam9`?
zd**dOZ$oM=x0b+)Wdp(~ZQJv@jD-tWg=x(KKZg23Pd(pMq9`$x&W*GbCSdOm=Cb8*
z|0bTSG*|e5YJ)UqT&T|1(OY0~YnA2Z-uk=igOQ3K6ba@B?*2O;)>m#NQ^USty{oD)
zwSA<DTe$ER`3AXIf<(uU0g1A$f5x!qkQILKe0mNHtU;B%Fp^7Q>}Z}sGxn~(Larvk
zF*DEVW(nNF>lfh9>KfkCxk**r(aS(?cNwq1Em+vf_-A;r!vpniSs(1x;W)4PQS*Z?
z)Wa7V7o6Q)yPw0hdJzk1Z<C8}&9F~c$CzOEMybfn%@=gJ(Js33YyIo3{=%3%UNk)d
zdh5YZwZHW8JNy9nt)YEZ-a{U;sAmvP-)dl*uEo%57BrDZ2a!b$KJafDeC)ybe?(sR
zy(!!661bc<qKkJ58m)Y-H9^Le$^ZEqqh3Wi^^T~FO(#CLR{t<1MC~id6=G`uFGQ90
z0h~e5VxURvzY-gj2U#}?yW2jgzkn>UVSVr+%@8sC+AE~;>Sa0q>=<n6H}yh<d?J3g
z(WfQba1$&^cNlP)r|x&10<2Jd<xyMuVcIzhK@{VJVPh~=Z8+=E!ypXW&&yoX8k=0J
zB2&S?lyPAsJR9&42=p9@vE7o$uH)M?YIMhrd1jsZ6x2X`j)tXwCZ#vZR*`Usyax7p
zv-JMspDM9;U<mzJxkp1vh>tMD4o;EjZqfv3Hulm?xv}1(pb{dRe~VkYN3NQGhx`4k
zVdJ4<y}O0g<Ot9SbS0on?y0vS!Q4#5_a^?3WXowo&lpJnJT6_=hfrE@2UK&?5Tx&A
z<zd)pMxOS}#K9=TGb^m~uLm`=$)AHyYt{x+-xVzRpmpv(;TBHR)sji#^Tj#g$7qnf
zQS5bgy&?hAqU+<ReEZmjuLFlpH2@0Etf0Yx0cFy<kmH7T?{KYU%4^7OnziA@fg78O
zQak9Ir9XA7R++@!Jv>#|)mck?9ucMkCa8@oF6@^3gwRYwvrgD(6=55QBlkcnPTDa&
z|2RO12%`*!k|hA@5o?LC3iGzZQnYiPLCQv|au})po=_*&Pllo=-y-<+FMi;Z)m8)6
ziNda@C{0g+yb`TrK1(^r;};0kyBw1*WS{sfoTS`W5@N5Q+w^pnInI$5&LtZlso>68
z*eS!t7;>$u5bHUF%^{9xo58vuaT}-(bshj7h%o)YHVDCt=HWD(2kn2jlznP*;756H
z!b%W-)!>SO5Qlq490~Yv-mK>zV;vm<$Wrh_vbV_wrez^K4%4txq8YC|s-*cD-cezw
zP8xtmJzyHwqr=BC)-!6f3W0R83no`Ww6T%n2+#C907keuAV96@Ho>jJD4+Oy*Yrwn
z0a8y#Ms}K`%D>|3>(Ch3rWvGkpkrc~Phv6kUz~kE?`{lf=2rA~8i;ltQ{p|@rO)3S
zE;lwta+^Ea5@FdwpFSs#-QiDgLA4Q|Kij&{S<4QWD}1zYv{l=Y^hTc?3qgFJ%yWNe
z=vH=uaN`kX1gQawl^PAL<}rU@8xems3l}9v>o`WFu`SK&w^Qo%1=vq~NMxtACP5i1
zUy0R->hi+b)p3^60J6vQ)R_3^XdgdrM-(ej>2{oX3gtx{xSAW08<KfVyENePJ$Ciu
z8}Iq`;unW6D@F8SqoQC`!#m7>L{{UsD%dBUf;)1Xh0BK>?*QRWD)=>!!Na!O6`zMI
zb|vHN-MTg)1W3VA-jv{-q;hXL(LQ5^znFHTL<co4Ju)vEOE1yUtEbkOw-_S(j+(IQ
zxU+lYFs~Mx{Q#Zqkt35eoo#&3HtZAcGVZ;ayyX{<KAS{HfoH;YYRzZr^Kme_H_LS&
zKxT*>AvRiGq|(|ly!e3;Yhq&X3-hDaeF+KYTUgMglbWeqq!+wu%0+y!ICC0^N~&vy
zDZAHeh8GEvslY(OCLV7a%c7v_zw0btKx0nA?ZC#}c7q9c^GMch@wwLW;l;9RZIi<Z
z^P0b@fWa(_e^{k)I?Dq%_|gnsYd)<#{S9^30J8`<Zgz=wzYLg2goTw5+a8lM-T>K(
zs>W>DzIc>DRCf+TYs{2-Jw)_Z>n`5dLbKa%*nOv+*cL`9xv_rJ<v~M&lrPC$cqK_T
zpodF-jr7SB;-bfu6PV!zv`~c)LO6V>xUObJfq*%<NpgVx3SgC%r1F5!_^!b!X-{;g
z179}MQEiS=&=XQj&==4U!2|Q@!vN5pocT5t_~19#PMIM=%IQsHa*6^kuRkmuEtYMi
z)0gwf>Z1-e;sZ&$7P@rBBndRu*+$NoohKx1PKWA<)0v*}8Zr~@b=APA{sg&4QQEe7
zp*~KHbCIiZwkq{ZiZfaQ^&OwFI=wm7Y_l6HX{9TM)*m(|)>}I^3E*!(zN~Nd2Y!w7
z44)%r`gxuG-SwUutAxUAz&#m^7vv$)#+`Ifhj*)5M^;gGle)tgvW2v{Z6n4d#OR0?
zz7k#sAe^qJpTRbyH^^PjSSM1PZB*S$O6Qk;uhTwGr@fkNF{Mu%4bx^u3lim`uc7D8
zN`mEI4l|X3U3>m}VP)1zyf0g9--cNVn}JQQ${xVrci3Zq+*0)ElmBl9<l0asgLw>^
z1D`h7&{p$7;nL+bwfMs59VvJdNbUdG%aqX>W+^x_61A2gx!@bsxH@%glNzCU0e+=8
zv(LFjQ`>SMg^m`jKnkL@`v3RCy8dVi^9O){r$xEkQSj{xc*`b$np6FnSowQZ&?UA~
zJ-Jdm@$qGX)XxOC!kh&}KFJaO%@Y1zgZ!ejkvn@9{>|;zkEnp|VJf%8d|X50nq7b@
z={y=^V(I1hOBgwFrriuFP+DJOPTCj!C8}Em)|(V6%rh|nKO#SSG`#5LH~eFw&X2jt
z5}U>+E4c>K2cvo-(S5ft6tcm&u=z+8=n-&3_lhEcxehZQ`q2e+-(<TWHE!FJzvjg2
zPP_W^XCPUR9`m=aMZz(gq;K$W=7aLk#<_zeCI<L#_APnT@Yi1S)G2rEma3rq*#N8k
zQ~AuhVO-j;U5B)|ZI_xoI%@sZ5Tx-c^HGG{<ZI;WCd&+IY2O)-;)c!89+I01YgJ%c
zCEwx&va@?h9(=S!n?i5y>l-TmJq*xwO1*-@F=Y&1qHw$cUeCR2n1wPQTUd$a(SqxK
zDVgQ;^(0lUtW){b_&euuRj&uG{UMPSqoJa7AYvjKrPF?^#HwVcv}8+^8SnJk7SDoz
zHE9@iA{YDkKMH=+v)A4NCKHOy8H5twxb`D$!55~-ZeIV*d;hYhvl8N<g|OSde%SR-
zxSje3jX62V!{2sZ<Hm}j&`TsXvnB!B4!|bQhp$-(?ju6mOC;LxxJ|_nM}Tfxvf7=T
zoOs1G+uWmi6neO=n&PohbG&}WZ~Ly_uy6R9X*@v3K9_{MdI$Oq)5(cDOY_1PRVD|K
ztN$})Rr`T|W}aDSf`(DbZe5u$^_o{qw@9|RM5i4fgDK1j)=!AQPvU_8=bNVx<vWDD
zb`7pzm<>FjO}r;?s`w!{N%Z@lL-if}lpN7gk}3xfo(aN9n8plM-7dj%B)3TXjgQ5v
z{oJ)sL!LpR4=g_>*I_7a@*jfJzFF{B$PtzFWiEO2lSxDieCUVhXwtn6m*9iGw^@C7
z;GuPP)|)3V&oM)y-8<76s-C0G8Tp7zW%2H{V@A=GHo1k)P?}%%c?x~SbEr&kA7ERn
z@h9P!2+9u+_=LbDj6xxkwL7nO+GSg?Y{Vh*Cx2}_b=w;t9)Ry}1P^_Iw?wHptH0bk
zeWB}z$P91r^9*|K1zA07p;4<N-Aoh~J8c7Ar;(wlXGGq!vAdDzwhf?~velh!eQnvQ
z6*9c(uNX`kOvVeKeSMseXf*k=7!R;;cbGNIQ+N>66JFo#LpzyNH6z+q+qENX+9zFq
z%C}YPdX76vE@Sy2c{IuZ>j}5hbhr`osyWn4fJ#DcT4-}E`{dhDtOA8)n@r+NlfPfJ
zl|viW+Rx{B@#pb7>f*Q89Ok`3UVyiMy1;<cbJ_-94r5hqRUI-Fg%c9nx~@3CVNA^g
z^$D4ax`3W@wcWc8DtgtB;3fD*p(hOV4ZT{gA1~ijxGs{pB2*Mhf0m=r>ph1IGr+DY
zlz5H!lC9EUT05J6aSaO1YnQT&CG_9$&I#!B#_zKy?cvRz2aqK@`BgTT3eD@OpekGP
zXPA5}SIaZ-NG?-7c6s1~xSKo5d)YVir;`)wM)*ha*K8iu{QZAky@G#ItMT+3CPyH0
zH75ekwUIr0YLGSMM0QP{i!g{$O|D~m-bwdpEGfWHCN943WylT-dMQu$G#n&3@%}rZ
zRo}DY<GW@nAf8TL@lD6fo21>wB@`3-3Z5j`*@87hwRJN_8bD>}=UKk4WLGOBkA0^N
zUC^Z$c}0{V*_i^>E-3<LBNC+&Wc`N<=X&aXG?VYIG&Z#vUgr@k8$-fsKQEK{3$NS%
z`ya6`eEv=0QGcJXj<bFTPyp221?!S1(3FS0zG?nci$+uYGOU!jmflrUE8@0~v)+8Y
zHM_}7_a-io)XzZ}4gP3MCE1PLCW0h6<T{!mnLos2K2~yD@=y|=-iuW-Vm8pax}T|B
z&-IG;TY2i&l5s#sU{ZYr_Vtx_2omiW5qQ-~+WnZ?J%L@We5f!|2!sVlz?J{Pv_EKc
z%!rY`2XvPIVagU~-xizLJ|$0PdhuoN?D|wxOvfuhbNfptZZ`AXMFSN2yJu;3kc&fx
z_M`zp2~5$wOEIWo(AsuqM{Yp3g22X)bZ<%u4>syF1=V{e?X2(NDN09a%L7gZRK@)c
z^2mEi5-k|oELn_RuiEfDf^$n)^%Rg|=Rza*r?idhpS(+7#SIdVuQ?W-?<JU4<%am0
z!!lvu^;_3_0)&=Wqwmu*d>2tYepmd)AzSE@5eKfx&*$ZQw1TA<iH-5Plero)QU`QU
z$K^F2s@ZC)B2#{5`kQX#|DYmhKL<EnMilybHm0XG`Y1HxLm+){TIAUZ@e2I-3In)>
zDsp>j05k7lbbGk(tvsO?>Q47v?&x|gc|~AoyH}C*1G}wqZeok2;7Zc&_0(P@y7}VJ
zIVYBmC)@zp(DlWP)prnxoV4A!?D~uO+%<blKV&I~C%v}E?dYiHPfg=aFD-w^Bqd{(
z(c1R!(__R?{tw2f*;7FV_PKe&IEGxiToKNYi&97|U>ipD3^C-(qA3%|mP{hT+H(rh
zJFvR}SP5z$g&9L`tvA;`=A0b-HqH+)QyxL?)l19H7O{bZoW5w@3Yif(etfwSXxmC(
zZW=v1o9CURUbc)uqJIEI+zwvZ7%kWZ7*&95*oHQAkc!+0M{;xfeVvjs;%iJlWe;Lu
z<HXRwM}zh`BwT)af`b1ocL>J3)DO<dax^FS0n6-V%DVcbNRJ!_MC#$=;LylyYvIzC
zab8%n@I8FVxaS{w{Eie=%c6R|Z!wU73;I0+UwmnxyqMcqgC=)Mh8&R&Of_)W7G#jK
z>?M(t&vEB#Nqpq{nx);lP6HD0o@~2tw``0GIA50i+bBqu<I=%#c0p{<2l=G3!Kkh>
z6iHmf)}FFnG`HPb1oTSkP5gSq!DsV<#*ow-u#5Tv*WlM`WoER&u(EE#*}u?p=aWVN
zo-+eDyU|uqyWW903VjTCcJ{*9jS|7Rv%+j{Y|jHTXmT;(5D==3aW&81<tCu2zIh5Z
z>Y44Al@kG(s!M?H%R#VOzY#qUA%?&#JStrxF6g=H+_H6D)$#U{$9PCPC^QgAb2Y`4
zl}P5UkA@CDK4w4#jOK3M>4}3Ca|^?RUs*y8sDoj{{KK~swA!<R`x36Vf~AB@aceyC
z_j71W4S;wVT@Na;hK27#(Zh6p;2(hU>X9?kk9}Bt>a!QIXs|C2{}M3ds7?!IF0zGA
zZojo~lozsgN30=u$Q|t!w~PRC>qWqTyr<_&qly%u*i{P_9P&_^fZ9=+eLU1Q@uS9^
z`pf&R7>4X+@kc6jpeya96AMM%rUBT7FK~KL>&fyq?DE1B1CZFB3de!421sFRw*my2
zl*?WxECC%}dj__>4<*h3v1hi!IFJOpX!lEt>E(kVuM9y_qzg<((K#T=H9cj92>PZr
zh2GE~&r5t2_t^T_h8|)H%tjMq+pFmz<rnj#z2NQT<fJ#I9}V5mqBD{|>gYQ!<^!==
zI_*YRVBj6{muT{fj!#R5cc7lZ$n0LXNG*AJCqvoyyK7l@-iNBzY0JyT05<m@4>;&`
zjzliWvXWIE2ESasl*4g*sgBXDq)lAvn{qm~IFaQZ6vj6%PE(k#<=X;P+10esvzpm-
zyliQ91)DLRm9U)nGt2~g8(?^LR333?7J6<duwG>3d+QDR;jkri3<p#T0u`dnyj_Hb
z70El@dq8saOp?g<>%=?RH7EEFg*p|Ph#e_Ps=@h?=7pZmDII=CExn|a&I})R^-hUm
z0)=fHE1Y7r9Vn_@&j@f1FpMY>k7T;5&B2O;zT`4P7FFsZC=*%UFHztIz%zuHlKwxw
zj_0mt8Eee>t|6L>VCPmiX0+3;-SSW$;M5{Ua~(s!y?b4F1W*g{0-SsrUVRw;h<q`h
zeE$FZQOGP3dDA||^#rThXWjV572*nxdMkDgPLHK4qQYE}=zvZ%^-YqQBooNcGGMzo
ze3YiKUbq5KLKw9u5B>I3Yr{u@&cPSXNbJUS!1R7e612Ino*y(4c*S$d1IV<%N!|E9
zJ_aaQ^>+_6auZS4V<o1xzOJJx3^&&6cw69nQQ*=WqxkYE_#I88lQm}cWz0v;HX3=y
ztQ0%bvX|A8*adWMT~Aryy>H(o<>Y5ABibu$GgDo?%c*(7%Oi(TnT4hEaWH7f`%v(P
z#mj_h_-FFE`%oUAHOhQMp0=9F2~B(4nb)usF*2u&DF!YRtWP3aXyoiO@OKzu^AwKJ
znN%e>gg1>R+Igpyaqc^}03>fb?OcY$t5t5@8bXv@pX=JyTAARdJv(!~EHvckeb?08
zd$><jyq&VLjCXE7j!GU9+#FJ6AJ!Q>uj>1l{koa!`R!n%?9L|$g)_$uAqS-olBDIg
zo9sfL`0J1R2YN3(dHL`AFR%2+@H*UxG`0R+@A|Lye@UuGzl-yW@yg~frN_rcV}pm|
zm`Z?l=Ciqp>w$_t4VtDN;rACJOr7<rM5ak<dFH%Bl5gD61v<A!uR?(-QkM81Tg0$s
zJSgV9fiCbiC0@qaTrNLU+|C{4uumZ2c5(wJ%y>bq@>Lb8XQ~&jr4dyglE+VK;G)s)
zK`Yo>fU9iz@W;<>WgK_@J3PdiHtVd1mUH9unhL{aut<1vEBPn*@+Uh`#|>ehCBd?p
z+vJ&l`8-TnyGOBTVgH(Ze+}7DFk`p3BU5-}RvGWbv)Qjxc{;x(LduQ0{B`6I;6QL+
zB|83D%~LWWrzAPIZoO<4E63F{Z)NJL1iUz*-H}&TPabIIN}s6!aJ?EdJm}t(aZN<z
z)w!-uc<Fh5n8Nx)^5i&j)k$k#6wc6}$U%;P)`EB~o=z;S1o_<NWqAgW7_$WG!V|v4
zVBAq?mW<$1aq8KT)L^W<H7QieBFJn$O_{3JcSjwbziaF@@|x7oEk&9X{+PImLcgA~
z=mGX(>WbBErTUTxq8<Qx8!)}$OCD=~6jqdEt9lKoV$&GxH=?BMmzIQ%PJ)xuxD_X`
zjUJj^131%*pP&7`3zm9h1Qle)G=ajy!Ka4rS0C+8)Fea$6`kq=({yLQ;rrBXpPJ7$
zV$GK@B(s^XfDcE{MVq2=FE0)`Ftr7HV*zGCX1#)Lflyoa8Zr=<z@87Px6AQ{;wJ7h
zP42+9c4S}k9{Glc^NN&}a33_&;<%-bBbd3vFCV)4M<;%TRJd}3<STn2!M7722e`#S
z5TC7yUn$<l;8AnP$gX_6KJ>C|4*A7V#@6*+imW%UHkL2?0AKom*Qz`5bY?zBn_Vwd
z`e-=oy9SL{U<RfiT(j$EExxiEwG*S6CP{mS??;(QuG(t#C9R4Ixufp^YRo2FaWX51
zd)JQfdX%nW%!Dd?m7(X(-3MuR7Y!EGdXIwNyq|+9Uw#4-UZG7la$Wx>0hfhrU+h))
zwhv%m?=0ghg-y3;|I{kYwiFopjv+P1O%+yZ$@;=j@sE*@O&DeeXNPC06yCfvQ>JJk
zQ{vy+7kh1+e`;`_<y1Xx8V{tmg8s3a0V*|p&^7b;tVdtr#W$>IZ|xn_=?OU;$4ta_
z_~opxBR8RDl`sGE#agE0hC`2|VdSmQsZ%h;1v1%q>bx((luY+@iG}d}@epX5cFzUc
zJIi<#e}H2MgL{`7b+?Fhj=9)?2beBMw9VP7KKK&K_GNbyUnM!Z{uf*?@Ei{8%syoH
zq*Xd;i$k85&?9Qhx%g&PphI0JXqH({zQU4@?0Jsgo$K;p8CVm5cQxAb(cmhfjM!w+
zPGR8Fv-u%llRv$N4|Q~|l;4jAMYDDQegHT;g<8({Pw4j6b9hrbBp6$*neiqNM`()A
zZVAnf5!q1a9W`WH{=yl&Zi=d|i%;GMz$@G!KV!vS-J7CZWH`&jU*KtMqS1mACHX;}
zR(PmC!SC)Qbj_-C3~3`5T*HJcuv86a0cP_Jh5q*^+SV#Q4%{SF&l>tAf==bd(Dw&@
z)9(T2^<Y$^1SD7xZCg{X`_tR6N#JgRZU?Og!0pCk!+^M&)}LhO#&Ow%)ULGt7co?N
zyk3gD1Hp_sJkhMUz%icUAkm>ysYBtNtJwB*yX{r*A!#)4xg-zvuDd;TJ@@y$#0!y^
zE+6(Kbg)*jvh5mGQ-3pL3ZrYOssUZ^V89(cDEdz{CKTSbE03w?qQTeqK`(S(<<`Z)
z6x;!S=ij<*>=#saa(()@%472Qi<G1-+N@*|#1^d2_h%?tw7j$TB}_1+RRuSJi(Oi|
zSOfTbF#IyTT32MWcBVLMI!s^4n=(I$e&f(3N9{_Ink0411K#sjJ7oDJQGO(|1lHT9
z&JFg1)9YqJhABRl*PNc_2SI8*T11IS`nfTUAcsutKfQ}Arl8>XUH;sa<;{KAsaxa2
zHvu(sFXq2{=Y3(iLgHg9*9Tln*#G8(i9c!6rijG)PppV$xq4O<?sm6~_}<4&rLu-&
zQAc2^p{U(9Vgkc+bCqiqZnZmB#ixCPp7rqo{`AA9oWzP)6os+ndTNbnfl+!g-oTBs
zNre$%FCNqNxVNm<yx}Ez(cR8(g0tsf^$T<5o8z$torSnebD@cSj{By}L`ME^+S;l1
z>TkB2h*-1+;_pVIP5-LWY#40cMxwaUScSvCZ;TSn>wlA+N@)LI6&s)<w{`GkHW8sV
ze?z-F0dS@j*d3E3x$l!e77R4KsQo&gH*bq&*GzI98=A7kzH6(4kK00R>oyrQ<)KXC
z<sqa7ze=PT>D;iKEjrkWhh!-KQWA?5r-Sl_4+%wQ5TSF|_CtRSsiRk?tknAnzqSV&
zX+0ZGncEay8IbbwV4NS*OdK4>ZD+!ye0~p-^Q=y}=JYV~&B~8IJn2D@`5aXNY*8gX
zsAH%etI*Gy`98U+&H~1ui9Cw^iMq82=We@Yg>8qkO&llI&{S-w^<)shwvdJbFTx$t
zFBr}ui!%m%e#pxBpj&!`pEqZE0-<wRS+B?uy3o`MxWmvJ*Z8o=?wx&ovIMMDJU@#&
zDpT|MdawcL0qgV<c5Pd(DKB+pikZCdz<l!pAnS`-=6f#rvp@duPnFVCnZT0h+8|vE
z!6jSufld<Eeljx;J_M)G_ZU2<N#bm~yN!CZm)g=c)dGJ0n9O?eF13oEF8MI>-+49u
zas2Lf?GFHOhiLcM)6Uzf4fJGx>w#$nY-;RG`Tg^{rZ|8`41z$j?oGL1AF`XF?i^*&
z)-`?KTYGvxP2!c@8mSFpi?6??Kph&FF{?bMuSe0y;J1h^Y_;`~NDgp4)nW~c#*`qy
zW@csz4!IYOL~8p_AjkHho)iKGj5trpR4K=F3QdD$<4`ChdPe*PuUkq~OBjd9V5Op1
zwKjE3p;#Zj)H||YuWn&gMtDp!xV<}IgK;>3dZO+O4j`xjBIBHjy0Q`A3J;s^w(0<u
znQQgm1$Th!#AbLkx7gJX+=2G27~HOS;cl)FZ>#CvSt0&2@@vk7YDdmlNd<Q_#q`ij
z&F3BX+H?$Oh9ex+M}6T6kAr!;MhtZ-*+S8Yuby|kTUBi+TJCCj=)0btcbRyHxP0@6
z^bn;IVxQ+f(@}}ACA$LJQ4Az+=7uERb}Ogwd<C}<aixO%eczgq8!%bwfIv&Kvo4CF
zRZE^sG8;)%7Vll#UwTV<qDd%@#_hiD3n#GmCmE!GXMh}J{T*^u2dL=Qa`L8_@VaK0
zMbor5?39x$>4NBz!2lg514!d=E7bd{5$7FhABWGuJyfY4KfA(S2x`c$E_V!lkwZRh
z__Ru>0(*`rViPv<paxnMS=!}d{@5$wmL}nq;>>7HxI`(kk=lnp1^4rSUw?-*pxv1V
z;y^n%-u@@vwvI-8KPXCLB%u45MqlR(K}F(&w#vFnrbnz}JxeD>Fqr#Y+4-Rw@kou_
z@V*#aR!bFAj6c>cql<nM2fL-r%CgvVX08i==x1iSO8k_&Sf5cz9^a9kEIDXTau;}s
zO#lq1VT_^pjUsKl4D&tV4yg;rL)+W%$>=%R)2yS`(gQ5BlTNiq?lp$E=OYsD#g-&9
z1CNXl1C$cp8u@0fl2j<lXTqgY<lIl11@LujwL1uC!`wCs-JxqhkaQ<K*({}oJiqU*
z6MRC^n5DO<VxOAuaKm+-XY7?>?T>Ucu5?3VEZg^cwz?T+k|QMcYX_adO*=Z?#!V1R
zLU9Uy!^xT*sWBeYXqZZsCtR6?kzQAKr&7^kYt4-tv1iJuey-g?kxFkOvMDI`4C~)O
z!7nwSClefhAf=5SZ}H;wWA13EScCDhJC{kqInW-HKii0WYb|-2lW&o$*Gw^|4XaLM
z62ocQ0ZO;2GODDZ%7dg!a?`9VZsy5hz-=AE|2utxcu$xN@j(tDZDfp@MvLZaX2qj%
ze#)fF$|(wpbgHpX0k*%=BlG=R5-}WyLAUGZ1*ygphbj$ANmQ3{_~mWZw2v7<Fwj63
z4ZLiLm+R3B?i|BOCoW=Gi>vJp#|<+);k@*PlV-fFt+GDsV~6h`jMBY<oi?Iep%mPj
z!B!wJiFepEg?pqH)SvfL-3-$?{EKoe()HcY+i{QS%RDSC-44n#oNppObMVi;h8XdN
zNu?Dy+x4KH?gipvI8OZ1bxdE6zwPtC5E$Sh&t;`XZan{tpzfn-0WchyizKYetURHv
z@HKlMklSx6KClFskd82cQ4LwmR>Pf6^}|cWlfs9B-3;$-y>^n-IFh^P3?_S^iJQZY
zh+)v9sIY13$#Iq7uX+!ZNn~<v*PFrn(GHU&$Ga|hKz5R(1r306h%Lf$m;!LdrnDr)
zf{<WMaPQ?#x(-TRlXV%jC#v(_Ih6UK@zf{yra;5_TJP+$f9iwB#Q0n37-rRxdJ?WY
z-EN!W?u1ittu$4>DY!`?y7RbcUkL7;;XMFt62qx-s-#mR=@=CK6E2?}r?gD8nK_4^
zcHJ1}2li%qGN|Q9y`N-fA^?m4Z8gSkFU`>AWPbzk6&QcHJ}qRLqn^$_s#8&VGj-JW
zfF3__R=K7R;&Y^q!tfpUzE<<{e(K+dNX0Jk^o%&OZU&^toB{(>fMF9r1%S^<_Je|M
zS7@d2YRL<#38&$4cpbMV)PbqK<mi5n7k#H)Nftd`>?=?2#+MKar0+Fy=jK+A8$PWU
zoEv&@x)vJ4co^{t*#JSJTgabvl4=-cO{mCi&Vctu4K}tfXs6~(w<z5MG0)xQ(P6hX
zfar7l6NGDv7<f%#IMy$-dRQ^dI5_+7f<`pe#mO}d19vpOJDR%agN}h8@XVJQxc~<b
z8X74laM=_(4Y))0P%WdJkC(H#HB&1ugGIQW;J*Z7p(*i!=)kN>Z;%Tb<LOiz7c&Bw
zvqL-ac&&vEZA>tB(|_C}*f+Opdn_Q9F14%sJ9o4;KL{Ly+7mCxVR*3C=~~02QyN0K
zk0)8kX5dVn8p-KpMSNv*XP-!ndZ0KLtxk~g>rD1VSXhu5oId$tkab=|xCHZJ4KAZ<
z3L2#(*OW{Z;`ygdcePMmYAqTh5RgyO81>A!#~3-%bYBSqcwwd6{|>;h;0>78*{t*G
zB9B%z!pZT|XpkU!kaTMF1_m%HU&0U6o+jY~1ZJ6UdnQ=BPC4PN73FEqt?cjZs-#M)
zGJ!fcn9FpmmFMswK;|)}j`LCh2^U1qf~Z5ocZfcpd=|S78+ZR;?U#p<nkvXZ(zS9x
zbI)z8KRTpFnnv~=Da63<b|3d8F6?a%&CUyIBD;3~W!OX+A>`y*bT<ny1r4oGV$O6C
zb3q`FyGQ3vlOqBEh>06BV&20!nC`L^OuQ{7B4(tM>gX0;aMY<KMk6_qR`^l?yoWId
zl|B<xN48Icnh7+X$_5-eu1g!K>xnA9)V|QEH%m(j5y?lI@Sw$GE0`)qQ6X`RR`%VX
z_~ze;hyd0HC)TkMlHANr+FKAmf;Q@#uDFz(|Hy-}<r?lL<4C%h&mvs;Z6>=(b<A+K
z9M5<kceFIKKM9c0NLlH&$rMwPg@_1ltuY_Y+BjD}to^er72tHXYTrX5eW+)WbS<YQ
zV3&X!$Ri+r@WI8BTNhgD(02!fqH~KXMm_#Yru*j3w<-nG?(}m4$~T0`Nd|U95J4;S
zz0n-p|9X@#!^Rvc&T%iIx*0Y>%UBB2Ga_R`5T5uRC!ZqCxxcX6p6Ku7dO9zGZ%Dhi
zJe41NZ^M(RfwE4)v}M>4ri9@HztzS^2|HCY$DT;l_t-0QGard|6o&@oaol75EQ7za
zs}4As@$w~&!~$yk0sjmw6m1Ew{8RNba6G!dHG0$DO8efTArxfGI*Ux2SkLPE1Puqp
zOCe&Qc;Rv+&CT!`c{C>>kej5t_R>V2cQfP)G&O*o{L->V4Y+PbENJZ37e$Q!0Y1aO
zjW-7Yio)p{b^dX8)DZCgf*Q#>aOcL=Iml+3MNz;z%;gs}$XnC)O0Pxx1_rI~y`Cyl
zkjfp^TeB!d1$pr)Kxw--sE)oIv8J?~*@Es26&X<I6ab^nb{|0PspI6M%tx{UqWknc
z^gf)PRc`($-n9mfN9vUz4toh=XDtH=p;H}G_IJ4e)I1~ERcppG{AptZ)EhqiiT1y-
zPBb_ts4HNuiq^PE&;vS^&y8lmx2XzVS^1HjS0yKtwzNHera8tw3*wi+C^Mf?y^od8
zJQ9JEAeY<YB&XIu^U>ks${jb?Q-y}JW|EkfS;Y78!SFU|<IXA*{rSh;pjO$ARO7(i
zN^ho5Ywo@++A*taFr<LD`3VPJA^J1=OT6&J8wz&EPlKNdM$X>Oy0kk{oeRPu@!4sg
zJk_Zb2_{MDeN=?Y#UUvX8o$p1IbziMgdPuvXA)I{eBV1#p6+xYXm?eZ?vXp>o7W&l
zevTZiB^G#=q5C595y*7oZ08BQEtHk@MDc^*`m3M%aTS+e$6=x%pUv<_g`dukkn;HO
z#=HwLo`4Gn%GZnJ&kjO5gYb>ZCy2sYH5a-S=AS9Rmy#uClVqI17KGs`yMs!!fA4Mb
z`c}d%&Ryuq6J#><LtLA?gM2g0aC-fmtxBeSiAid02p|A%JK%ZKYPM5G95t$6ZFiTK
zdIS<&@(BwW6ZyB6#T(IivPXe<*?CPA*t(Ykkh*{450vIu@^wc@S5`-ripZZ2Ny3Y>
zZjU!X7g%T<!m0M6R8!OR*TdJ-U4%5)4);zeoS`$fX=?)mswxbY$Q%9RcN}<GClKsK
zI>p#(!@6?tWsqXilu)wQsQVG@(&cwIl3`t=W`W=qu}YHchpFy5^cbN$gz~2@?IRK$
z<pIxSDAjlAtsS-S83|e2Qkpd&^exUgGLr82aWKfvLikfMPfpwe%~Kv6Z}Kj_aZlc{
zrN<#6?0YHKiREN&iGEi1^dvA0<sHeL|K_bvO>wr2@F)Hc=na`E{IOc5DT1K1!R}ov
zsC8uQX{%U*RGfol|6r)!3o@wdRvF3t@iF<V6*7i&*yT=<0-5#NCcBq9{NjmLFq&iJ
zds7XEwxPAXP`dp0Ec<|9#_wh?M>wf-$d_=2m1-(&S;Wp^NZ%70jNAaKhm;r4Y^_J*
zwd0o{(w5a%oT{JvH=}$lZBDZHXZ29%pLx*Wmx3)#g7dz)XsmftbBK0N?&HH0tB1f7
z56R(_@qf&fhe1%=gL>1j*6kfP`=WTM%#pl_ksKz1AjBC*_RtD&t0Cg}wH9)G4iRDS
zEa<UE{(bH-m&TBbm$gDnE<E}sLwWkVSL}Ox>8fq>i>UPn=IJK_9wB3HTfHo=%Bl9R
z1y>wi>B(04$2{ikQe)RB);GT|Ou+4-&}VAM&G=ll9ecP4$io9%5Vl3Mcd<3xy%~oc
z(TyS5PlFz}(=Fzo-7hV#g-)2f-390RoJ3wYxL5isBskj?lihXr*q+;s0Lj}cK5zRU
zOYR0NwVyBb!<+k$t<+Tj0n0S7$$b6s3lHSt5~!fnYP6s08@iS9RN-u`x{y2DsAG=)
z&rj~Gs$2xc+errdr{QA&SIsf)#paZ6g@*&)0IL8vm!nd1&$ukv!OT-*c@E4)anMU|
zWV)P~gtr1f|F3o-bpKr@M7wK;#A*$AlVu6)o>wF45QPHSOWDF|`!C7@Aam6--^a$m
ze;h~8X-QJnG@%)1KaQI>Fw{e*j!@`wH4(oV7gze<h^S!StYLw?EqI_Of!_|3)_sXU
z<S|Eb1_bpu3nO;zZxTk=8TAN)Jy6H;W*9?>1bz|rx@MXJ#Dwr;BzJ&+)HgGE6Nl@x
z_y1Mv)G(4e2jeIKQc)IG>&VZzNIEwnBqRiq$NBv#s~|p`72)x5@PCMz+yDPbn90Wr
z>?aZP#P)@W+Na)Xd7P+#r>A%;IyzDBlg4{5`JJ};btCKU$+6~z2SA<Ddd4L9Cep0d
r$Fk7ze>k1rtNVZX<Nf0GEq6;qm%n^XJp#O<zU9<OH>bK2fj9pbm;5q7

literal 0
HcmV?d00001

diff --git a/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml b/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
new file mode 100644
index 0000000000..05f3574523
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
@@ -0,0 +1,20 @@
+<metadata>
+    <qfeeds>
+        <filename>QFeeds.js</filename>
+        <endpoints>
+            <endpoint>/api/q_feeds/settings/stats</endpoint>
+        </endpoints>
+        <translations>
+            <title>Q-Feeds Threat Protection</title>
+            <no_feed>Unable to contact information feed.</no_feed>
+            <installed_feeds>Installed Feeds</installed_feeds>
+            <database>Database</database>
+            <size>Size</size>
+            <blocked>Blocked</blocked>
+            <last_update>Updated</last_update>
+            <next_update>Next</next_update>
+            <licensed>Licensed</licensed>
+            <unlicensed>Unlicensed</unlicensed>
+        </translations>
+    </qfeeds>
+</metadata>
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js b/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
new file mode 100644
index 0000000000..6a9bb4be48
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+export default class QFeeds extends BaseTableWidget {
+    constructor() {
+        super();
+    }
+
+    getMarkup() {
+        let $container = $('<div></div>');
+        let $sysinfotable = this.createTable('qfeeds-table', {
+            headerPosition: 'left',
+        });
+        $container.append($sysinfotable);
+        return $container;
+    }
+
+    async onWidgetTick() {
+        return;
+    }
+
+    async onMarkupRendered() {
+        let header = $("div.widget.widget-qfeeds").find('.widget-header');
+        let title = $('#qfeeds-title');
+        let divider = $("div.widget.widget-qfeeds").find('.panel-divider');
+        header.css({
+            'background-image': 'URL("/ui/img/QFeeds.png")',
+            'background-size': 'auto 50px',
+            'background-position': 'center left',
+            'margin-top': '0px',
+            'mix-blend-mode': 'difference',
+            'background-repeat': 'no-repeat'
+        });
+        title.empty();
+        title.css({
+            'height': '70px'
+        })
+        divider.hide();
+        $("#qfeeds-table").css({
+            'margin-top': '0px',
+            'margin-bottom': '5px',
+        });
+
+        const data = await this.ajaxCall('/api/q_feeds/settings/stats');
+        if (!data.feeds.length) {
+            $('#qfeeds-table').html(`${this.translations.no_feed}`);
+            return;
+        }
+        let rows = [];
+        let feeds = [];
+        for (let feed of data.feeds) {
+            feeds.push(
+                `<b><i class="fa fa-fw fa-angle-right" aria-hidden="true"></i> ${feed.name}</b>`,
+                `<div><i class="fa fa-fw fa-circle-o" aria-hidden="true"></i> &nbsp;&nbsp;${this.translations.last_update}: ${feed.updated_at}</div>`,
+                `<div><i class="fa fa-fw fa-circle-o" aria-hidden="true"></i> &nbsp;&nbsp;${this.translations.next_update}: ${feed.next_update}</div>`
+            );
+            if (feed.licensed) {
+                feeds.push(`<div><i class="fa fa-fw fa-check" aria-hidden="true"></i> &nbsp;&nbsp;${this.translations.licensed}</div>`);
+            } else {
+                feeds.push(`<div><i class="fa fa-fw fa-close" aria-hidden="true"></i> &nbsp;&nbsp;${this.translations.unlicensed}</div>`);
+            }
+        }
+        rows.push([[this.translations.installed_feeds], feeds]);
+        let db = [
+            `<div><b>${this.translations.size}</b>: ${data.totals.entries.toLocaleString()}</div>`,
+            `<div><b>${this.translations.blocked}</b>: ${data.totals.addresses_blocked.toLocaleString()}</div>`
+
+        ];
+        rows.push([[this.translations.database], db]);
+
+        super.updateTable('qfeeds-table', rows);
+    }
+}

From e19e3c94f64ae03c9bb9e1a431c08cfb99e36cf5 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 11 Oct 2025 14:02:48 +0200
Subject: [PATCH 2679/3088] www/caddy: fix setup.sh script not setting correct
 ownership in www user mode (#4976)

* www/caddy: Streamline setup.sh, since chown is skipped automatically when ownership matches

* add changelog
---
 www/caddy/pkg-descr                           |  1 +
 .../opnsense/scripts/OPNsense/Caddy/setup.sh  | 44 ++++++-------------
 2 files changed, 15 insertions(+), 30 deletions(-)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index f88d170b7e..c4a06b79d6 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -10,6 +10,7 @@ Plugin Changelog
 
 Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/plugins/pull/4950)
 Fix: Enabling HTTP access log wrongly excluded the process logs (opnsense/plugins/pull/4974)
+Fix: fix setup.sh script not setting correct ownership in www user mode (opnsense/plugins/pull/4976)
 
 2.0.3
 
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
index 5b757de219..8cbc15e24f 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh
@@ -31,10 +31,6 @@
 CADDY_USER="${caddy_user:-root}"
 CADDY_GROUP="${caddy_group:-wheel}"
 
-# Canary to detect root->www switch (disable superuser) permission issues
-# The storage instance will always exist, it's a good assumption
-CANARY="/var/db/caddy/data/caddy/instance.uuid"
-
 # Define directories
 CADDY_CONF_DIR="/usr/local/etc/caddy"
 CADDY_DATA_DIR="/var/db/caddy"
@@ -43,35 +39,23 @@ CADDY_CONF_CUSTOM_DIR="${CADDY_CONF_DIR}/caddy.d"
 CADDY_CONF_CERT_DIR="${CADDY_CONF_DIR}/certificates"
 CADDY_LOG_CUSTOM_DIR="${CADDY_LOG_DIR}/access"
 
-mkdir -p "${CADDY_CONF_DIR}" \
-         "${CADDY_DATA_DIR}" \
-         "${CADDY_LOG_DIR}" \
-         "${CADDY_CONF_CUSTOM_DIR}" \
-         "${CADDY_CONF_CERT_DIR}" \
-         "${CADDY_LOG_CUSTOM_DIR}"
+# Group the main directories
+CADDY_DIRS="
+${CADDY_CONF_DIR}
+${CADDY_DATA_DIR}
+${CADDY_LOG_DIR}
+${CADDY_CONF_CERT_DIR}
+${CADDY_CONF_CUSTOM_DIR}
+${CADDY_LOG_CUSTOM_DIR}
+"
+
+# No inode changes occur when directory already exists or permissions are correct.
+# Always running these when caddy starts guarantees correct ownership with minimal read and writes.
+mkdir -p ${CADDY_DIRS}
+chown -R "${CADDY_USER}:${CADDY_GROUP}" ${CADDY_DIRS}
 
 # Format and overwrite the Caddyfile
 ( cd "${CADDY_CONF_DIR}" && /usr/local/bin/caddy fmt --overwrite )
 
 # Write custom certs from the OPNsense Trust Store
 /usr/local/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
-
-# Ownership decision based on current service user/group, otherwise skip
-EXPECTED_USER="$CADDY_USER"
-EXPECTED_GROUP="$CADDY_GROUP"
-
-if [ -f "$CANARY" ]; then
-    CANARY_USER="$(stat -f '%Su' "$CANARY")"
-    CANARY_GROUP="$(stat -f '%Sg' "$CANARY")"
-
-    if [ "$CANARY_USER" = "$EXPECTED_USER" -a "$CANARY_GROUP" = "$EXPECTED_GROUP" ]; then
-        exit 0
-    fi
-fi
-
-# Use detected service user/group, only migrate ownership
-# We only interact with the storage in this specific edge case, in all other cases caddy must have atomic write guarantee
-chown -R "${CADDY_USER}:${CADDY_GROUP}" "${CADDY_CONF_DIR}" \
-                                        "${CADDY_DATA_DIR}" \
-                                        "${CADDY_LOG_DIR}" \
-                                        "${CADDY_CONF_CERT_DIR}"

From b25d279f81c478a494c22fca891bf1fa61be5004 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Oct 2025 12:00:47 +0200
Subject: [PATCH 2680/3088] dns/ddclient: lint

---
 .../src/opnsense/scripts/ddclient/lib/account/powerdns.py         | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/powerdns.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/powerdns.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/powerdns.py
old mode 100644
new mode 100755

From b587cc21cb1afb2b11f7179798a5cfebcbbf2230 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Oct 2025 12:06:04 +0200
Subject: [PATCH 2681/3088] security/q-feeds-connector: lint

---
 .../q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc     | 2 +-
 .../q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds     | 2 +-
 .../app/controllers/OPNsense/QFeeds/Api/SettingsController.php | 3 +--
 .../mvc/app/controllers/OPNsense/QFeeds/IndexController.php    | 2 +-
 .../mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml     | 2 +-
 .../models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php  | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml    | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php  | 3 ++-
 .../src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml  | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml  | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt      | 2 +-
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py   | 2 --
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py  | 1 -
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py   | 1 -
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py | 1 -
 .../src/opnsense/www/js/widgets/Metadata/QFeeds.xml            | 2 +-
 16 files changed, 13 insertions(+), 18 deletions(-)

diff --git a/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc b/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
index c2fb7a2a6a..0d70f598a1 100644
--- a/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
+++ b/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
@@ -32,4 +32,4 @@ function qfeeds_cron()
     $jobs[]['autocron'] = ['/usr/local/sbin/configctl -d qfeeds update', '*/5'];
     $jobs[]['autocron'] = ['/usr/local/sbin/configctl -d ! qfeeds stats', '*/15'];
     return $jobs;
-}
\ No newline at end of file
+}
diff --git a/security/q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds b/security/q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds
index 367479388b..1ff426e145 100755
--- a/security/q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds
+++ b/security/q-feeds-connector/src/etc/rc.syshook.d/start/99-qfeeds
@@ -1,4 +1,4 @@
 #!/bin/sh
 
 # load already collected feeds
-/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py firewall_load
\ No newline at end of file
+/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py firewall_load
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
index 6f9f9b136a..ed8a3a27b6 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
@@ -35,7 +35,6 @@
 use OPNsense\Core\Backend;
 use OPNsense\Core\Config;
 
-
 class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'connect';
@@ -114,4 +113,4 @@ public function statsAction()
         }
         return $stats;
     }
-}
\ No newline at end of file
+}
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/IndexController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/IndexController.php
index aec86b9a38..d2017c9e69 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/IndexController.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/IndexController.php
@@ -37,4 +37,4 @@ public function indexAction()
         $this->view->formSettings = $this->getForm("settings");
         $this->view->pick('OPNsense/QFeeds/index');
     }
-}
\ No newline at end of file
+}
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
index e27658d30d..742ceb3cc1 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
@@ -9,4 +9,4 @@
         <type>text</type>
         <help><![CDATA[API key to access Q-Feeds services, to apply for a key, <a target="_new" href="https://qfeeds.com/opnsense/">click here</a>]]></help>
     </field>
-</form>
\ No newline at end of file
+</form>
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php
index 26eca705d8..f6e33c770c 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/QfeedsAliases.php
@@ -39,7 +39,7 @@ public function collect()
         if (is_array($payload) && !empty($payload['feeds'])) {
             foreach ($payload['feeds'] as $feed) {
                 if ($feed['type'] == 'ip' && !empty($feed['licensed'])) {
-                    $name = '__qfeeds_'. $feed['feed_type'];
+                    $name = '__qfeeds_' . $feed['feed_type'];
                     $result[$name] = [
                         'enabled' => '1',
                         'counters' => '1',
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml
index 3c58e042a8..ca1468d637 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/ACL/ACL.xml
@@ -6,4 +6,4 @@
             <pattern>api/q_feeds/*</pattern>
         </patterns>
     </page-firewall-qfeeds>
-</acl>
\ No newline at end of file
+</acl>
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php
index eca13f9609..f81bceb4b0 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.php
@@ -1,4 +1,5 @@
 <?php
+
 /*
  * Copyright (C) 2025 Deciso B.V.
  * All rights reserved.
@@ -35,4 +36,4 @@
  */
 class Connector extends BaseModel
 {
-}
\ No newline at end of file
+}
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
index f90fc08c96..9aeebb308d 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
@@ -7,4 +7,4 @@
             <apikey type="TextField"/>
         </general>
     </items>
-</model>
\ No newline at end of file
+</model>
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml
index a91edf9260..dda28fa4dd 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Menu/Menu.xml
@@ -6,4 +6,4 @@
             <Events order="30" url="/ui/q_feeds/#events"/>
         </QFeeds>
     </Security>
-</menu>
\ No newline at end of file
+</menu>
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
index 08dc8e4a5d..52425088dc 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
@@ -133,4 +133,4 @@ POSSIBILITY OF SUCH DAMAGE.
             <br/><br/>
         </div>
     </div>
-</section>
\ No newline at end of file
+</section>
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
index 3892c371f8..6f2bb6a3cb 100644
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
@@ -68,5 +68,3 @@ def fetch(self, feed):
             entry = line.decode().strip()
             if entry:
                 yield entry
-
-
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py
index 53d6b3ea63..89fbf8ae8a 100644
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py
@@ -50,4 +50,3 @@ def write(self, data):
     @property
     def filename(self):
         return self._filename
-
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
index fed49e8e47..bbd4448578 100644
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
@@ -74,4 +74,3 @@ def find(self, max_time=60, max_results=50000):
                         return result
 
         return result
-
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
index 737ec65e82..7973d59f4c 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
@@ -61,4 +61,3 @@
     except ujson.JSONDecodeError:
         print("JSON decode error")
         sys.exit(-1)
-
diff --git a/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml b/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
index 05f3574523..736a377cd3 100644
--- a/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
+++ b/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
@@ -17,4 +17,4 @@
             <unlicensed>Unlicensed</unlicensed>
         </translations>
     </qfeeds>
-</metadata>
\ No newline at end of file
+</metadata>

From 8599a8d85f03f72f74bd978d4656676b4412b9ae Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Oct 2025 12:12:12 +0200
Subject: [PATCH 2682/3088] plugins: sync

---
 LICENSE   | 1 +
 README.md | 1 +
 2 files changed, 2 insertions(+)

diff --git a/LICENSE b/LICENSE
index 9e01d2fe34..97ae175c72 100644
--- a/LICENSE
+++ b/LICENSE
@@ -63,6 +63,7 @@ Copyright (c) 2021-2024 Nicola Pellegrini
 Copyright (c) 2022 Nikolaj Brinch Jørgensen
 Copyright (c) 2021 Nim G
 Copyright (c) 2023 Oliver Hartl
+Copyright (c) 2025 Oliver Traber <hi@bluemedia.dev>
 Copyright (c) 2024 Olly Baker <ilumos@gmail.com>
 Copyright (c) 2019 Pascal Mathis <mail@pascalmathis.com>
 Copyright (c) 2025 Ralph Moser, PJ Monitoring GmbH
diff --git a/README.md b/README.md
index 86e0a520a8..601479d90e 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,7 @@ security/maltrail -- Malicious traffic detection system
 security/netbird -- Peer-to-peer VPN that seamlessly connects your devices
 security/openconnect -- OpenConnect Client
 security/openvpn-legacy -- OpenVPN legacy support
+security/q-feeds-connector -- Connector for Q-Feeds threat intel
 security/strongswan-legacy -- IPsec legacy support
 security/stunnel -- Stunnel TLS proxy
 security/tailscale -- VPN mesh securely connecting clients using WireGuard

From 43f6ca4abacea26cfb5369d56c6666c8463bfa8b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Oct 2025 12:47:12 +0200
Subject: [PATCH 2683/3088] Scripts: do not descend into Private directories

---
 Scripts/license | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Scripts/license b/Scripts/license
index 6580d40b22..38d61f2602 100755
--- a/Scripts/license
+++ b/Scripts/license
@@ -67,6 +67,7 @@ sub process_file
     my $filename = $File::Find::name;
 
     return if not -f "$cwd/$filename";
+    return if $filename =~ /\/Private\//;
 
     my @lines = read_file( "$cwd/$filename" );
     my $possibly_bsd;

From fd1fbf0aec0426be1f1994c3dd651c04bbf46d5d Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 14 Oct 2025 18:54:16 +0200
Subject: [PATCH 2684/3088] security/q-feeds-connector - fix some minor
 glitches and add unbound blocklist support

---
 security/q-feeds-connector/Makefile           |  2 +-
 security/q-feeds-connector/pkg-descr          |  7 +++
 .../QFeeds/Api/SettingsController.php         |  2 +-
 .../OPNsense/QFeeds/forms/settings.xml        |  6 ++
 .../OPNsense/System/Status/QfeedsStatus.php   | 61 -------------------
 .../app/models/OPNsense/QFeeds/Connector.xml  |  1 +
 .../opnsense/scripts/qfeeds/lib/__init__.py   | 10 ++-
 .../scripts/unbound/blocklists/qfeeds_bl.py   | 55 +++++++++++++++++
 .../conf/actions.d/actions_qfeeds.conf        |  2 +-
 .../templates/OPNsense/QFeeds/+TARGETS        |  1 +
 .../OPNsense/QFeeds/qfeeds-blocklists.conf    |  5 ++
 11 files changed, 87 insertions(+), 65 deletions(-)
 delete mode 100644 security/q-feeds-connector/src/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php
 create mode 100755 security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
 create mode 100644 security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index dffd163a23..295ca12f05 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		q-feeds-connector
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
 
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index c6c57300e4..3457825026 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -3,6 +3,13 @@ Connector for Q-Feeds threat intel
 Plugin Changelog
 ================
 
+1.1
+
+* remove QfeedsStatus as the new table defaults are different
+* add unbound blocklist support
+* Events: fix empty interface names
+
+
 1.0
 
 * Intial release version
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
index ed8a3a27b6..b65b7b1a66 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
@@ -73,7 +73,7 @@ public function searchEventsAction()
         $ifnames = [];
         foreach (Config::getInstance()->object()->interfaces->children() as $key => $node) {
             if (!empty((string)$node->if)) {
-                $ifnames[(string)$node->if] = (string)($node->descr ?? strtoupper($key));
+                $ifnames[(string)$node->if] = !empty((string)($node->descr)) ? (string)($node->descr) : strtoupper($key);
             }
         }
         $data = json_decode((new Backend())->configdRun('qfeeds logs') ?? '[]', true);
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
index 742ceb3cc1..0469ed6ca4 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
@@ -9,4 +9,10 @@
         <type>text</type>
         <help><![CDATA[API key to access Q-Feeds services, to apply for a key, <a target="_new" href="https://qfeeds.com/opnsense/">click here</a>]]></help>
     </field>
+    <field>
+        <id>connect.general.enable_unbound_bl</id>
+        <label>Register domain feeds</label>
+        <type>checkbox</type>
+        <help>Use domain feeds in Unbound DNS blocklist, requires blocklists to be enabled in order to have effect</help>
+    </field>
 </form>
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php b/security/q-feeds-connector/src/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php
deleted file mode 100644
index 5477729d65..0000000000
--- a/security/q-feeds-connector/src/opnsense/mvc/app/library/OPNsense/System/Status/QfeedsStatus.php
+++ /dev/null
@@ -1,61 +0,0 @@
-<?php
-
-/*
- * Copyright (C) 2025 Deciso B.V.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- *    this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-namespace OPNsense\System\Status;
-
-use OPNsense\System\AbstractStatus;
-use OPNsense\System\SystemStatusCode;
-use OPNsense\Core\Config;
-
-class QfeedsStatus extends AbstractStatus
-{
-    public function __construct()
-    {
-        $this->internalPriority = 2;
-        $this->internalPersistent = true;
-        $this->internalIsBanner = true;
-        $this->internalTitle = gettext('QFeeds');
-        $this->internalScope = [
-            '/ui/q_feeds/'
-        ];
-    }
-
-    public function collectStatus()
-    {
-        $cnf = Config::getInstance()->object();
-        if (!empty($cnf->system->maximumtableentries) && $cnf->system->maximumtableentries >= 2000000) {
-            return;
-        }
-        $this->internalStatus = SystemStatusCode::ERROR;
-        $this->internalMessage = gettext(
-            'QFeeds requires additional memory to be reserved for aliases. ' .
-            'Please increase `Firewall Maximum Table Entries` in `Firewall: Settings: Advanced` to at least' .
-            ' 2 million items.'
-        );
-    }
-}
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
index 9aeebb308d..fb158adcfe 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
@@ -5,6 +5,7 @@
     <items>
         <general>
             <apikey type="TextField"/>
+            <enable_unbound_bl type="BooleanField"/>
         </general>
     </items>
 </model>
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
index bf4c528aad..f0f029c1db 100644
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
@@ -45,6 +45,7 @@ def list_actions(cls):
             'fetch',
             'show_index',
             'firewall_load',
+            'unbound_load',
             'update',
             'stats',
             'logs'
@@ -113,6 +114,13 @@ def firewall_load(self):
                 )
                 yield 'load feed %s [%s]' % (feed['feed_type'], sp.stderr.strip().replace("\n", " "))
 
+    def unbound_load(self):
+        bl_conf = '/usr/local/etc/unbound/qfeeds-blocklists.conf'
+        if os.path.exists(bl_conf) and os.path.getsize(bl_conf) > 20:
+            # when qfeeds-blocklists.conf is ~empty, skip updates
+            subprocess.run(['/usr/local/sbin/configctl', 'unbound', 'dnsbl'])
+            yield 'update unbound blocklist'
+
     def update(self):
         update_sleep = 99999
         try:
@@ -128,7 +136,7 @@ def update(self):
         if do_update:
                 if 0 < update_sleep <= 300:
                     time.sleep(update_sleep)
-                for action in ['fetch_index', 'fetch', 'firewall_load']:
+                for action in ['fetch_index', 'fetch', 'firewall_load', 'unbound_load']:
                     yield from getattr(self, action)()
 
     def stats(self):
diff --git a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
new file mode 100755
index 0000000000..ff3413a85c
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
@@ -0,0 +1,55 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2025 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import os
+from . import BaseBlocklistHandler
+
+class DefaultBlocklistHandler(BaseBlocklistHandler):
+    def __init__(self):
+        super().__init__('/usr/local/etc/unbound/qfeeds-blocklists.conf')
+        self.priority = 100
+
+    def get_config(self):
+        cfg = {'qfeeds_filenames': []}
+        if self.cnf and self.cnf.has_section('settings'):
+            if self.cnf.has_option('settings', 'filenames'):
+                cfg['qfeeds_filenames'] = self.cnf.get('settings', 'filenames').split(',')
+        return cfg
+
+    def get_blocklist(self):
+        result = {}
+        for filename in self.get_config()['qfeeds_filenames']:
+            bl_shortcode = "qf_%s" % os.path.splitext(os.path.basename(filename).strip())[0]
+            if os.path.exists(filename):
+                with open(filename, 'r') as f_in:
+                    for line in f_in:
+                        result[line.strip()] = {'bl': bl_shortcode, 'wildcard': False}
+        return result
+
+    def get_passlist_patterns(self):
+        return []
diff --git a/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf b/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
index b693285e20..e2fba096ec 100644
--- a/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
+++ b/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
@@ -1,5 +1,5 @@
 [reconfigure]
-command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py fetch_index fetch firewall_load && echo 'EXIT OK'
+command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py fetch_index fetch firewall_load unbound_load && echo 'EXIT OK'
 parameters:
 type:script_output
 message:reconfigure QFeeds
diff --git a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/+TARGETS b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/+TARGETS
index da2b51f083..219dc39f84 100644
--- a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/+TARGETS
+++ b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/+TARGETS
@@ -1 +1,2 @@
 qfeeds.conf:/usr/local/etc/qfeeds.conf
+qfeeds-blocklists.conf:/usr/local/etc/unbound/qfeeds-blocklists.conf
diff --git a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf
new file mode 100644
index 0000000000..1f985bf4bc
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf
@@ -0,0 +1,5 @@
+{% if not helpers.empty('OPNsense.QFeedsConnector.general.apikey') and
+      not helpers.empty('OPNsense.QFeedsConnector.general.enable_unbound_bl') %}
+[settings]
+filenames=/var/db/qfeeds-tables/malware_domains.txt
+{% endif %}
\ No newline at end of file

From 17b605be7d1cb207e49aa4c2fb4733b248fad2c7 Mon Sep 17 00:00:00 2001
From: Q-Feeds <support@qfeeds.com>
Date: Wed, 15 Oct 2025 17:39:05 +0200
Subject: [PATCH 2685/3088] Fix/qfeeds unbound blocklist priority conflict
 (#4979)

* Fix Q-Feeds unbound blocklist handler priority conflict

- Change priority from 100 to 50 to avoid conflicts with predefined handlers
- Add conditional logic to respect enable_unbound_bl setting
- Return empty blocklist when integration is disabled

* Update qfeeds_bl.py
---
 .../scripts/unbound/blocklists/qfeeds_bl.py     | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
index ff3413a85c..555e3d7ca2 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
@@ -32,7 +32,7 @@
 class DefaultBlocklistHandler(BaseBlocklistHandler):
     def __init__(self):
         super().__init__('/usr/local/etc/unbound/qfeeds-blocklists.conf')
-        self.priority = 100
+        self.priority = 50
 
     def get_config(self):
         cfg = {'qfeeds_filenames': []}
@@ -42,6 +42,10 @@ def get_config(self):
         return cfg
 
     def get_blocklist(self):
+        # Only return domains if integration is enabled
+        if not self._is_enabled():
+            return {}  # Return empty blocklist when disabled
+        
         result = {}
         for filename in self.get_config()['qfeeds_filenames']:
             bl_shortcode = "qf_%s" % os.path.splitext(os.path.basename(filename).strip())[0]
@@ -53,3 +57,14 @@ def get_blocklist(self):
 
     def get_passlist_patterns(self):
         return []
+    
+    def _is_enabled(self):
+        # Check if unbound blocklist integration is enabled
+        try:
+            import subprocess
+            result = subprocess.run(['/usr/local/sbin/configctl', 'config', 'get', 
+                                   'OPNsense.QFeedsConnector.general.enable_unbound_bl'], 
+                                  capture_output=True, text=True)
+            return result.stdout.strip() == '1'
+        except:
+            return False

From 4aeca83ca7ecffdddf44b2f9c0934f18b15a72b1 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 15 Oct 2025 18:05:50 +0200
Subject: [PATCH 2686/3088] security/q-feeds-connector - cleanup blocklist

---
 .../scripts/unbound/blocklists/qfeeds_bl.py   | 28 ++++++-------------
 1 file changed, 8 insertions(+), 20 deletions(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
index 555e3d7ca2..e10428db08 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
@@ -35,19 +35,18 @@ def __init__(self):
         self.priority = 50
 
     def get_config(self):
-        cfg = {'qfeeds_filenames': []}
+        # do not use, unbound worker settings
+        return {}
+
+    def get_blocklist(self):
+        # Only return domains if integration is enabled (filenames are offered)
+        qfeeds_filenames = []
         if self.cnf and self.cnf.has_section('settings'):
             if self.cnf.has_option('settings', 'filenames'):
-                cfg['qfeeds_filenames'] = self.cnf.get('settings', 'filenames').split(',')
-        return cfg
+                qfeeds_filenames = self.cnf.get('settings', 'filenames').split(',')
 
-    def get_blocklist(self):
-        # Only return domains if integration is enabled
-        if not self._is_enabled():
-            return {}  # Return empty blocklist when disabled
-        
         result = {}
-        for filename in self.get_config()['qfeeds_filenames']:
+        for filename in qfeeds_filenames:
             bl_shortcode = "qf_%s" % os.path.splitext(os.path.basename(filename).strip())[0]
             if os.path.exists(filename):
                 with open(filename, 'r') as f_in:
@@ -57,14 +56,3 @@ def get_blocklist(self):
 
     def get_passlist_patterns(self):
         return []
-    
-    def _is_enabled(self):
-        # Check if unbound blocklist integration is enabled
-        try:
-            import subprocess
-            result = subprocess.run(['/usr/local/sbin/configctl', 'config', 'get', 
-                                   'OPNsense.QFeedsConnector.general.enable_unbound_bl'], 
-                                  capture_output=True, text=True)
-            return result.stdout.strip() == '1'
-        except:
-            return False

From 9432d3e4d906c0b039fc400ab691342c9a1a7f70 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 15 Oct 2025 19:52:25 +0200
Subject: [PATCH 2687/3088] security/q-feeds-connector - prevent duplicates in
 qfeedsctl.py logs, closes https://github.com/opnsense/plugins/pull/4980

---
 .../src/opnsense/scripts/qfeeds/lib/log.py                | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
index bbd4448578..0f327b5331 100644
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
@@ -40,16 +40,16 @@ def is_ip_address(value):
 class PFLogCrawler:
     def __init__(self, table_names:list=[]):
         self._table_names = table_names
-        self._rule_ids = []
+        self._rule_ids = set()
         self._collect_rule_ids()
 
     def _collect_rule_ids(self):
-        self._rule_ids = []
+        self._rule_ids = set()
         sp = subprocess.run(['/sbin/pfctl', '-sr'], capture_output=True, text=True)
         for line in sp.stdout.split("\n"):
             for table in self._table_names:
                 if line.find("<%s>" % table) > 0:
-                    self._rule_ids.append(line.split()[-1].strip('"'))
+                    self._rule_ids.add(line.split()[-1].strip('"'))
 
     @staticmethod
     def _parse_log_line(line):
@@ -69,7 +69,7 @@ def find(self, max_time=60, max_results=50000):
                         if rule_id in line:
                             result.append(self._parse_log_line(line))
                             rows_processed +=1
-                            continue
+                            break # inner loop
                     if (idx % 100000 == 0 and time.time() - start_time > max_time) or rows_processed >= max_results:
                         return result
 

From d3389faf31d58fd74eb20e997fe35688b5d39fa7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 16 Oct 2025 11:38:10 +0200
Subject: [PATCH 2688/3088] security/q-feeds-connector: style

---
 security/q-feeds-connector/pkg-descr | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 3457825026..f8dd2c0cb9 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -9,7 +9,6 @@ Plugin Changelog
 * add unbound blocklist support
 * Events: fix empty interface names
 
-
 1.0
 
 * Intial release version

From ddbb31c5795fbf1453d23963f4c1e448796b6055 Mon Sep 17 00:00:00 2001
From: Tobias Perschon <tofuSCHNITZEL@users.noreply.github.com>
Date: Thu, 16 Oct 2025 13:03:24 +0200
Subject: [PATCH 2689/3088] net/freeradius: add Tunnel-Password field to radius
 user (#4235)

---
 .../OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml  | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Freeradius/User.xml    | 3 +++
 .../opnsense/service/templates/OPNsense/Freeradius/users    | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
index 0a6f50c54d..992334fc29 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSUser.xml
@@ -164,4 +164,10 @@
         <allownew>true</allownew>
         <help>Select the configured AVPairs for this user.</help>
     </field>
+    <field>
+        <id>user.tunnel_password</id>
+        <label>Tunnel-Password</label>
+        <type>password</type>
+        <help>Set the Tunnel-Password attribute for the user. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#=: with up to 128 characters.</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index 308802c78a..5b4546b230 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -132,6 +132,9 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </linkedAVPair>
+                <tunnel_password type="TextField">
+                    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</mask>
+                </tunnel_password>
             </user>
         </users>
     </items>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index ff9a97916f..6618e41102 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -24,6 +24,9 @@
        Service-Type = {{ servicelist }},
 {%         endfor %}
 {%       endif %}
+{%       if user_list.tunnel_password is defined %}
+       Tunnel-Password = {{ user_list.tunnel_password }},
+{%       endif %}
 {%       if helpers.exists('OPNsense.freeradius.general.vlanassign') and OPNsense.freeradius.general.vlanassign == '1' %}
 {%         if user_list.vlan is defined %}
        Tunnel-Type = VLAN,

From 2d9ad0e5f50689c0b941f24d156a7ea4c0d60c50 Mon Sep 17 00:00:00 2001
From: Hleb Shauchenka <me@marleb.org>
Date: Sun, 19 Oct 2025 13:34:31 +0200
Subject: [PATCH 2690/3088] sysutils/git-backup: add force push option (#4981)

---
 sysutils/git-backup/Makefile                           |  2 +-
 .../opnsense/mvc/app/library/OPNsense/Backup/Git.php   | 10 +++++++++-
 .../mvc/app/models/OPNsense/Backup/GitSettings.xml     |  4 ++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 9c31c558f8..17eb65ad56 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		git-backup
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_DEPENDS=		git
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index a109a1adc9..77fbfc6405 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -66,6 +66,13 @@ public function getConfigurationFields()
              "help" => gettext("Target branch to push to."),
              "value" => null
            ],
+           [
+             "name" => "force_push",
+             "type" => "checkbox",
+             "label" => gettext("Force Push"),
+             "help" => gettext("When enabled, force push to origin if diverged (e.g., after restoring from an earlier backup). Use with caution as this overwrites remote history."),
+             "value" => null
+           ],
            [
              "name" => "privkey",
              "type" => "passwordarea",
@@ -161,8 +168,9 @@ public function backup()
         }
         exec("cd {$targetdir} && {$git} remote remove origin");
         exec("cd {$targetdir} && {$git} remote add origin " . escapeshellarg($url));
+        $force_flag = (string)$mdl->force_push === "1" ? "--force-with-lease " : "";
         $pushtxt = shell_exec(
-            "(cd {$targetdir} && {$git} push origin " . escapeshellarg("master:{$mdl->branch}") .
+            "(cd {$targetdir} && {$git} push {$force_flag}origin " . escapeshellarg("master:{$mdl->branch}") .
             " && echo '__exit_ok__') 2>&1"
         );
         if (strpos($pushtxt, '__exit_ok__')) {
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
index 08fafa1610..29a41d0c38 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
+++ b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
@@ -33,6 +33,10 @@
           <Default>master</Default>
           <Required>Y</Required>
         </branch>
+        <force_push type="BooleanField">
+          <Default>0</Default>
+          <Required>Y</Required>
+        </force_push>
         <privkey type="TextField">
             <Required>N</Required>
         </privkey>

From 3ce5c48c0eadb8c4309a02d0b8fdc68d231cd657 Mon Sep 17 00:00:00 2001
From: Q-Feeds <support@qfeeds.com>
Date: Sun, 19 Oct 2025 13:36:47 +0200
Subject: [PATCH 2691/3088] Fix log parser for rules with tags (#4985)

Example rules:

block drop out log quick on em0_vlan108 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop out log quick on em0_vlan109 inet6 from any to <__qfeeds_malware_ip> label "dc5f8e7ee80be02f12014877d82c96a2" tag qtag
block drop in quick on em1 reply-to (em1 x.x.x.22) inet from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"
block drop in quick on em1 reply-to (em1 fe80::1e52) inet6 from <__qfeeds_malware_ip> to any label "de057b37c3fe418169db727c1d8a3f79"
---
 .../src/opnsense/scripts/qfeeds/lib/log.py                 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
index 0f327b5331..d9e7cbd347 100644
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
@@ -50,6 +50,11 @@ def _collect_rule_ids(self):
             for table in self._table_names:
                 if line.find("<%s>" % table) > 0:
                     self._rule_ids.add(line.split()[-1].strip('"'))
+                    if 'label "' in line:
+                        quote_start = line.find('"', line.find('label "'))
+                        quote_end = line.find('"', quote_start + 1)
+                        if quote_end > quote_start:
+                            self._rule_ids.add(line[quote_start + 1:quote_end])
 
     @staticmethod
     def _parse_log_line(line):
@@ -73,4 +78,4 @@ def find(self, max_time=60, max_results=50000):
                     if (idx % 100000 == 0 and time.time() - start_time > max_time) or rows_processed >= max_results:
                         return result
 
-        return result
+        return result
\ No newline at end of file

From d97704d821f436fc2a38c463b9d26b312ae136c5 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 20 Oct 2025 11:28:43 +0200
Subject: [PATCH 2692/3088] security/q-feeds-connector - leaving the beta state

---
 security/q-feeds-connector/Makefile  | 3 ++-
 security/q-feeds-connector/pkg-descr | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index 295ca12f05..4b4a22416d 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		q-feeds-connector
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
+PLUGIN_TIER=		2
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
 
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index f8dd2c0cb9..b9194b08e9 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -3,6 +3,11 @@ Connector for Q-Feeds threat intel
 Plugin Changelog
 ================
 
+1.2
+
+* fix rule parsing 
+* bug fixes for unbound blocklist support
+
 1.1
 
 * remove QfeedsStatus as the new table defaults are different

From 2635f71fc163ab10b0c12e2b0b5bf1e7f38ad148 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 20 Oct 2025 13:51:32 +0200
Subject: [PATCH 2693/3088] vendory/sunnyvalley: bump revision for rebuild

---
 vendor/sunnyvalley/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 2c9bc2d133..1dcd36551d 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor (Enterprise Security Modules - NGFW, SSE, SASE, f.k.a Sensei)
 PLUGIN_MAINTAINER=	opensource@zenarmor.com
 PLUGIN_WWW=		https://www.zenarmor.com

From d9dea7f9cc3c5657c159e527cc8bcf69a8d6ef30 Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Mon, 20 Oct 2025 15:08:50 +0200
Subject: [PATCH 2694/3088] www/squid: add email_err_data off as static (#4987)

---
 www/squid/Makefile                                            | 2 +-
 www/squid/pkg-descr                                           | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Proxy/squid.conf  | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/www/squid/Makefile b/www/squid/Makefile
index 6e9236529f..0678e6fd26 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		squid
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index f885f0ccee..6d36eeccd1 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -5,6 +5,10 @@ content serving applications.
 Plugin Changelog
 ================
 
+1.4
+
+* Make email_err_data static due to SQUID-2025:2 CVE 10.0
+
 1.3
 
 * Repackage template files using new contrib directory feature
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 63d948db3d..1134b1a9ee 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -329,6 +329,9 @@ cache_dir rock {{OPNsense.proxy.general.cache.local.directory}} {{OPNsense.proxy
 # Leave coredumps in the first cache dir
 coredump_dir /var/squid/cache
 
+# Disable Debug information in Administartor Email / SQUID-2025:2
+email_err_data off
+
 #
 # Add any of your own refresh_pattern entries above these.
 #

From 68c34f4f0be1fb2796c7ba69f11128e3abdc1c0e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 20 Oct 2025 16:15:34 +0200
Subject: [PATCH 2695/3088] www/squid: annotate fix contribution

---
 www/squid/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index 6d36eeccd1..edfa082d0f 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -7,7 +7,7 @@ Plugin Changelog
 
 1.4
 
-* Make email_err_data static due to SQUID-2025:2 CVE 10.0
+* Make email_err_data static due to SQUID-2025:2 CVE 10.0 (contributed by m.a.x. Informationstechnologie AG)
 
 1.3
 

From 765f8d80e69cc81e85228d84dba4c9eeb45a2aa2 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Oct 2025 08:34:31 +0200
Subject: [PATCH 2696/3088] security/q-feeds-connector: fix lint pass

---
 .../src/opnsense/scripts/qfeeds/lib/__init__.py                 | 0
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py    | 0
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py   | 0
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py    | 0
 .../src/opnsense/www/js/widgets/Metadata/QFeeds.xml             | 2 +-
 .../q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js     | 2 +-
 6 files changed, 2 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
 mode change 100644 => 100755 security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
 mode change 100644 => 100755 security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py
 mode change 100644 => 100755 security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
old mode 100644
new mode 100755
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
old mode 100644
new mode 100755
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/file.py
old mode 100644
new mode 100755
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
old mode 100644
new mode 100755
diff --git a/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml b/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
index 736a377cd3..faec76e2a2 100644
--- a/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
+++ b/security/q-feeds-connector/src/opnsense/www/js/widgets/Metadata/QFeeds.xml
@@ -2,7 +2,7 @@
     <qfeeds>
         <filename>QFeeds.js</filename>
         <endpoints>
-            <endpoint>/api/q_feeds/settings/stats</endpoint>
+            <endpoint>/api/q_feeds/settings/*</endpoint>
         </endpoints>
         <translations>
             <title>Q-Feeds Threat Protection</title>
diff --git a/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js b/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
index 6a9bb4be48..bf5acbcb12 100644
--- a/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
+++ b/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
@@ -64,7 +64,7 @@ export default class QFeeds extends BaseTableWidget {
             'margin-bottom': '5px',
         });
 
-        const data = await this.ajaxCall('/api/q_feeds/settings/stats');
+        const data = await this.ajaxCall(`/api/q_feeds/settings/${'stats'}`);
         if (!data.feeds.length) {
             $('#qfeeds-table').html(`${this.translations.no_feed}`);
             return;

From 3931aaaff45359e4309c5b4cc71cbdf09dc7b99e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Oct 2025 08:35:06 +0200
Subject: [PATCH 2697/3088] security/q-feeds-connector: now fix style as lint
 works ;)

---
 security/q-feeds-connector/pkg-descr                            | 2 +-
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py    | 2 +-
 .../service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index b9194b08e9..796c7e92bf 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -5,7 +5,7 @@ Plugin Changelog
 
 1.2
 
-* fix rule parsing 
+* fix rule parsing
 * bug fixes for unbound blocklist support
 
 1.1
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
index d9e7cbd347..fd2c506db9 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
@@ -78,4 +78,4 @@ def find(self, max_time=60, max_results=50000):
                     if (idx % 100000 == 0 and time.time() - start_time > max_time) or rows_processed >= max_results:
                         return result
 
-        return result
\ No newline at end of file
+        return result
diff --git a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf
index 1f985bf4bc..6113177758 100644
--- a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf
+++ b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf
@@ -2,4 +2,4 @@
       not helpers.empty('OPNsense.QFeedsConnector.general.enable_unbound_bl') %}
 [settings]
 filenames=/var/db/qfeeds-tables/malware_domains.txt
-{% endif %}
\ No newline at end of file
+{% endif %}

From 04a0f5587907e6bfbdd487003ab47a6396ec55a3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Oct 2025 08:36:32 +0200
Subject: [PATCH 2698/3088] www/squid: use short version as discussed

---
 www/squid/pkg-descr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/pkg-descr b/www/squid/pkg-descr
index edfa082d0f..cf30d7de9e 100644
--- a/www/squid/pkg-descr
+++ b/www/squid/pkg-descr
@@ -7,7 +7,7 @@ Plugin Changelog
 
 1.4
 
-* Make email_err_data static due to SQUID-2025:2 CVE 10.0 (contributed by m.a.x. Informationstechnologie AG)
+* Make email_err_data static due to SQUID-2025:2 CVE 10.0 (contributed by m.a.x. it)
 
 1.3
 

From 443c7a65bf80832121a25742da461cc94bb0112f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Oct 2025 14:51:10 +0200
Subject: [PATCH 2699/3088] dns/ddclient: new version

---
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index fb4a7b36cc..cd453e19cf 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.27
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.28
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index f50bc5346b..f5f2d1aceb 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ WWW: https://github.com/ddclient/ddclient
 Plugin Changelog
 ================
 
+1.28
+
+* Add native backend support for PowerDNS API (contributed by Oliver Traber)
+
 1.27
 
 * Add support for altering IPv6 addresses in native backend (contributed by SaarLAN-Pissbeutel)

From 7989a4fc8fb733987fdf080b4eae196833a1a94b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Oct 2025 14:54:32 +0200
Subject: [PATCH 2700/3088] sysutils/git-backup: new version

---
 sysutils/git-backup/Makefile  |  3 +--
 sysutils/git-backup/pkg-descr | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 17eb65ad56..1c7a356f8c 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		git-backup
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_DEPENDS=		git
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/sysutils/git-backup/pkg-descr b/sysutils/git-backup/pkg-descr
index 58fcb26dc5..f8b99a6f0b 100644
--- a/sysutils/git-backup/pkg-descr
+++ b/sysutils/git-backup/pkg-descr
@@ -1,3 +1,15 @@
 This package adds a backup option using git version control.
 
-Due to the sensitive nature of the data being send to the backup, we strongly advise to not use a public service to send backups to.
+Due to the sensitive nature of the data being send to the backup,
+we strongly advise to not use a public service to send backups to.
+
+Plugin Changelog
+================
+
+1.1
+
+* Add a force-push option (contributed by Hleb Shauchenka)
+
+1.0
+
+* Initial release

From a828890850d94d8a6e76a69f17bc1c9dd74c9023 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 21 Oct 2025 14:57:21 +0200
Subject: [PATCH 2701/3088] sysutils/git-backup: small model style updates

---
 .../models/OPNsense/Backup/GitSettings.xml    | 53 +++++++++----------
 1 file changed, 25 insertions(+), 28 deletions(-)

diff --git a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
index 29a41d0c38..dbd7b4ca8c 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
+++ b/sysutils/git-backup/src/opnsense/mvc/app/models/OPNsense/Backup/GitSettings.xml
@@ -1,22 +1,21 @@
 <model>
     <mount>//system/backup/git</mount>
     <version>1.0.0</version>
-    <description>OPNsense Git Backup Settings</description>
+    <description>Git Backup Settings</description>
     <items>
         <enabled type="BooleanField">
-          <Default>0</Default>
-          <Required>Y</Required>
-          <Constraints>
-              <check001>
-                  <reference>user.check001</reference>
-              </check001>
-              <check002>
-                  <reference>url.check001</reference>
-              </check002>
-          </Constraints>
+            <Default>0</Default>
+            <Required>Y</Required>
+            <Constraints>
+                <check001>
+                    <reference>user.check001</reference>
+                </check001>
+                <check002>
+                    <reference>url.check001</reference>
+                </check002>
+            </Constraints>
         </enabled>
         <url type="TextField">
-            <Required>N</Required>
             <Mask>/^((https)|(ssh))?:\/\/.*[^\/]$/</Mask>
             <ValidationMessage>A valid git location must be provided. e.g. ssh://server/project.git, https://server/project.git</ValidationMessage>
             <Constraints>
@@ -30,26 +29,24 @@
             </Constraints>
         </url>
         <branch type="TextField">
-          <Default>master</Default>
-          <Required>Y</Required>
+            <Default>master</Default>
+            <Required>Y</Required>
         </branch>
         <force_push type="BooleanField">
-          <Default>0</Default>
-          <Required>Y</Required>
+            <Default>0</Default>
+            <Required>Y</Required>
         </force_push>
-        <privkey type="TextField">
-            <Required>N</Required>
-        </privkey>
+        <privkey type="TextField"/>
         <user type="TextField">
-          <Constraints>
-              <check001>
-                  <ValidationMessage>A username is required.</ValidationMessage>
-                  <type>DependConstraint</type>
-                  <addFields>
-                      <field1>enabled</field1>
-                  </addFields>
-              </check001>
-          </Constraints>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>A username is required.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
         </user>
         <password type="TextField">
         </password>

From 416712dbedb94f2728ff01f443e17635af31cbc7 Mon Sep 17 00:00:00 2001
From: Hleb Shauchenka <me@marleb.org>
Date: Wed, 22 Oct 2025 15:35:52 +0200
Subject: [PATCH 2702/3088] sysutils/git-backup: fix force push (#4988)

---
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Git.php        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index 77fbfc6405..f9573f33e5 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -168,7 +168,7 @@ public function backup()
         }
         exec("cd {$targetdir} && {$git} remote remove origin");
         exec("cd {$targetdir} && {$git} remote add origin " . escapeshellarg($url));
-        $force_flag = (string)$mdl->force_push === "1" ? "--force-with-lease " : "";
+        $force_flag = (string)$mdl->force_push === "1" ? "--force " : "";
         $pushtxt = shell_exec(
             "(cd {$targetdir} && {$git} push {$force_flag}origin " . escapeshellarg("master:{$mdl->branch}") .
             " && echo '__exit_ok__') 2>&1"

From 095ab23c68cfa712a097b91b850eb7cbd8434428 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Oct 2025 16:13:39 +0200
Subject: [PATCH 2703/3088] sysutils/git-backup: revision bump

---
 sysutils/git-backup/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 1c7a356f8c..7474455971 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		git-backup
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_DEPENDS=		git
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 8b3741f5910f5ee4905214ecdfe340da40db060e Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 22 Oct 2025 17:02:44 +0200
Subject: [PATCH 2704/3088] net/freeradius: Add LDAP Groups (#4989)

---
 net/freeradius/Makefile                       |   3 +-
 net/freeradius/pkg-descr                      |   5 +
 .../Freeradius/Api/LdapgroupController.php    | 203 ++++++++++++++++++
 .../Freeradius/LdapgroupController.php        |  38 ++++
 .../forms/dialogEditFreeRADIUSLdapgroup.xml   |  20 ++
 .../models/OPNsense/Freeradius/Ldapgroup.php  |  31 +++
 .../models/OPNsense/Freeradius/Ldapgroup.xml  |  23 ++
 .../models/OPNsense/Freeradius/Menu/Menu.xml  |   1 +
 .../views/OPNsense/Freeradius/ldapgroup.volt  | 135 ++++++++++++
 .../templates/OPNsense/Freeradius/users       |  12 ++
 10 files changed, 469 insertions(+), 2 deletions(-)
 create mode 100644 net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapgroupController.php
 create mode 100644 net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/LdapgroupController.php
 create mode 100644 net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSLdapgroup.xml
 create mode 100644 net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.php
 create mode 100644 net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.xml
 create mode 100644 net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/ldapgroup.volt

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 09a4dcbc37..abfa82c673 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.27
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.9.28
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 66640e76e9..21116160b4 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -17,6 +17,11 @@ WWW: https://www.freeradius.org
 Plugin Changelog
 ================
 
+1.9.28
+
+* Add Groups for VLAN assignment
+* Add Fallback PPSK
+
 1.9.27
 
 * Allow EAP-TLS with multiple CAs (contributed by RasAlGhul)
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapgroupController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapgroupController.php
new file mode 100644
index 0000000000..06b8377b95
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/Api/LdapgroupController.php
@@ -0,0 +1,203 @@
+<?php
+
+/*
+ * Copyright (C) 2015-2017 Deciso B.V.
+ * Copyright (C) 2025 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Freeradius\Api;
+
+use OPNsense\Freeradius\Ldapgroup;
+use OPNsense\Core\Config;
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Base\UIModelGrid;
+
+class LdapgroupController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'Ldapgroup';
+    protected static $internalModelClass = '\OPNsense\Freeradius\Ldapgroup';
+
+    public function getAction()
+    {
+        // define list of configurable settings
+        $result = array();
+        if ($this->request->isGet()) {
+            $mdlLdapgroup = new Ldapgroup();
+            $result['ldapgroup'] = $mdlLdapgroup->getNodes();
+        }
+        return $result;
+    }
+
+    public function setAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            // load model and update with provided data
+            $mdlLdapgroup = new Ldapgroup();
+            $mdlLdapgroup->setNodes($this->request->getPost("ldapgroup"));
+            // perform validation
+            $valMsgs = $mdlLdapgroup->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                if (!array_key_exists("validations", $result)) {
+                    $result["validations"] = array();
+                }
+                $result["validations"]["ldapgroup." . $msg->getField()] = $msg->getMessage();
+            }
+            // serialize model to config and save
+            if ($valMsgs->count() == 0) {
+                $mdlLdapgroup->serializeToConfig();
+                Config::getInstance()->save();
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+
+    public function searchLdapgroupAction()
+    {
+        $mdlLdapgroup = $this->getModel();
+        $grid = new UIModelGrid($mdlLdapgroup->ldapgroups->ldapgroup);
+        return $grid->fetchBindRequest(
+            $this->request,
+            array("enabled", "ldapgroupname", "vlan" )
+        );
+    }
+
+    public function getLdapgroupAction($uuid = null)
+    {
+        $mdlLdapgroup = $this->getModel();
+        if ($uuid != null) {
+            $node = $mdlLdapgroup->getNodeByReference('ldapgroups.ldapgroup.' . $uuid);
+            if ($node != null) {
+                // return node
+                return array("ldapgroup" => $node->getNodes());
+            }
+        } else {
+            $node = $mdlLdapgroup->ldapgroups->ldapgroup->add();
+            return array("ldapgroup" => $node->getNodes());
+        }
+        return array();
+    }
+
+    public function addLdapgroupAction()
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost() && $this->request->hasPost("ldapgroup")) {
+            $result = array("result" => "failed", "validations" => array());
+            $mdlLdapgroup = $this->getModel();
+            $node = $mdlLdapgroup->ldapgroups->ldapgroup->Add();
+            $node->setNodes($this->request->getPost("ldapgroup"));
+            $valMsgs = $mdlLdapgroup->performValidation();
+            foreach ($valMsgs as $field => $msg) {
+                $fieldnm = str_replace($node->__reference, "ldapgroup", $msg->getField());
+                $result["validations"][$fieldnm] = $msg->getMessage();
+            }
+            if (count($result['validations']) == 0) {
+                unset($result['validations']);
+                // save config if validated correctly
+                $mdlLdapgroup->serializeToConfig();
+                Config::getInstance()->save();
+                unset($result['validations']);
+                $result["result"] = "saved";
+            }
+        }
+        return $result;
+    }
+
+    public function delLdapgroupAction($uuid)
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlLdapgroup = $this->getModel();
+            if ($uuid != null) {
+                if ($mdlLdapgroup->ldapgroups->ldapgroup->del($uuid)) {
+                    $mdlLdapgroup->serializeToConfig();
+                    Config::getInstance()->save();
+                    $result['result'] = 'deleted';
+                } else {
+                    $result['result'] = 'not found';
+                }
+            }
+        }
+        return $result;
+    }
+
+    public function setLdapgroupAction($uuid)
+    {
+        if ($this->request->isPost() && $this->request->hasPost("ldapgroup")) {
+            $mdlSetting = $this->getModel();
+            if ($uuid != null) {
+                $node = $mdlSetting->getNodeByReference('ldapgroups.ldapgroup.' . $uuid);
+                if ($node != null) {
+                    $result = array("result" => "failed", "validations" => array());
+                    $ldapgroupInfo = $this->request->getPost("ldapgroup");
+                    $node->setNodes($ldapgroupInfo);
+                    $valMsgs = $mdlSetting->performValidation();
+                    foreach ($valMsgs as $field => $msg) {
+                        $fieldnm = str_replace($node->__reference, "ldapgroup", $msg->getField());
+                        $result["validations"][$fieldnm] = $msg->getMessage();
+                    }
+                    if (count($result['validations']) == 0) {
+                        // save config if validated correctly
+                        $mdlSetting->serializeToConfig();
+                        Config::getInstance()->save();
+                        $result = array("result" => "saved");
+                    }
+                    return $result;
+                }
+            }
+        }
+        return array("result" => "failed");
+    }
+
+    public function toggle_handler($uuid, $elements, $element)
+    {
+        $result = array("result" => "failed");
+        if ($this->request->isPost()) {
+            $mdlSetting = $this->getModel();
+            if ($uuid != null) {
+                $node = $mdlSetting->getNodeByReference($elements . '.' . $element . '.' . $uuid);
+                if ($node != null) {
+                    if ($node->enabled->__toString() == "1") {
+                        $result['result'] = "Disabled";
+                        $node->enabled = "0";
+                    } else {
+                        $result['result'] = "Enabled";
+                        $node->enabled = "1";
+                    }
+                    // if item has toggled, serialize to config and save
+                    $mdlSetting->serializeToConfig();
+                    Config::getInstance()->save();
+                }
+            }
+        }
+        return $result;
+    }
+
+    public function toggleLdapgroupAction($uuid)
+    {
+        return $this->toggle_handler($uuid, 'ldapgroups', 'ldapgroup');
+    }
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/LdapgroupController.php b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/LdapgroupController.php
new file mode 100644
index 0000000000..4834bf5fd0
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/LdapgroupController.php
@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Freeradius;
+
+class LdapgroupController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        $this->view->formDialogEditFreeRADIUSLdapgroup = $this->getForm("dialogEditFreeRADIUSLdapgroup");
+        $this->view->pick('OPNsense/Freeradius/ldapgroup');
+    }
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSLdapgroup.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSLdapgroup.xml
new file mode 100644
index 0000000000..ac48a4bb23
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSLdapgroup.xml
@@ -0,0 +1,20 @@
+<form>
+    <field>
+        <id>ldapgroup.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the user account.</help>
+    </field>
+    <field>
+        <id>ldapgroup.ldapgroupname</id>
+        <label>LDAP Group Name</label>
+        <type>text</type>
+        <help>The complete LDAP DN.</help>
+    </field>
+    <field>
+        <id>ldapgroup.vlan</id>
+        <label>VLAN ID</label>
+        <type>text</type>
+        <help>VLAN ID for the specific LDAP group.</help>
+    </field>
+</form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.php b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.php
new file mode 100644
index 0000000000..0e75f22967
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace OPNsense\Freeradius;
+
+use OPNsense\Base\BaseModel;
+
+/*
+    Copyright (C) 2025 Michael Muenz <m.muenz@gmail.com>
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class Ldapgroup extends BaseModel
+{
+}
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.xml
new file mode 100644
index 0000000000..b120513e4a
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldapgroup.xml
@@ -0,0 +1,23 @@
+<model>
+    <mount>//OPNsense/freeradius/ldapgroup</mount>
+    <description>FreeRADIUS ldapgroup configuration</description>
+    <version>1.0.0</version>
+    <items>
+        <ldapgroups>
+            <ldapgroup type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <ldapgroupname type="TextField">
+                    <Required>Y</Required>
+                </ldapgroupname>
+                <vlan type="IntegerField">
+                    <Required>N</Required>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>4096</MaximumValue>
+                </vlan>
+            </ldapgroup>
+        </ldapgroups>
+    </items>
+</model>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
index d74274127d..8f471bcb4b 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Menu/Menu.xml
@@ -8,6 +8,7 @@
       <Lease VisibleName="DHCP Leases" url="/ui/freeradius/lease/index" order="36"/>
       <EAP url="/ui/freeradius/eap/index" order="40"/>
       <LDAP url="/ui/freeradius/ldap/index" order="50"/>
+      <LDAPGroup VisibleName="LDAP Group" url="/ui/freeradius/ldapgroup/index" order="55"/>
       <Proxy url="/ui/freeradius/proxy/index" order="60">
         <Homeservers url="/ui/freeradius#homeservers"/>
         <Homeserverpools url="/ui/freeradius#homeserverpools"/>
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/ldapgroup.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/ldapgroup.volt
new file mode 100644
index 0000000000..88d74b363e
--- /dev/null
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/ldapgroup.volt
@@ -0,0 +1,135 @@
+{#
+
+OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
+Copyright (C) 2017 - 2025 Michael Muenz <m.muenz@gmail.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+
+    $( document ).ready(function() {
+        updateServiceControlUI('freeradius');
+
+        $("#grid-ldapgroups").UIBootgrid(
+            {   'search':'/api/freeradius/ldapgroup/search_ldapgroup',
+                'get':'/api/freeradius/ldapgroup/get_ldapgroup/',
+                'set':'/api/freeradius/ldapgroup/set_ldapgroup/',
+                'add':'/api/freeradius/ldapgroup/add_ldapgroup/',
+                'del':'/api/freeradius/ldapgroup/del_ldapgroup/',
+                'toggle':'/api/freeradius/ldapgroup/toggle_ldapgroup/'
+            }
+        );
+
+        /*************************************************************************************************************
+         * Commands
+         *************************************************************************************************************/
+
+        /**
+         * Reconfigure
+         */
+        $("#reconfigureAct").click(function(){
+            $("#reconfigureAct_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url="/api/freeradius/service/reconfigure", sendData={}, callback=function(data,status) {
+                // when done, disable progress animation.
+                $("#reconfigureAct_progress").removeClass("fa fa-spinner fa-pulse");
+                updateServiceControlUI('freeradius');
+                if (status != "success" || data['status'] != 'ok') {
+                    BootstrapDialog.show({
+                        type: BootstrapDialog.TYPE_WARNING,
+                        title: "{{ lang._('Error reconfiguring FreeRADIUS') }}",
+                        message: data['status'],
+                        draggable: true
+                    });
+                } else {
+                    ajaxCall(url="/api/freeradius/service/reconfigure", sendData={});
+                }
+            });
+        });
+
+      /*************************************************************************************************************
+       * context driven input dialogs
+       *************************************************************************************************************/
+      ajaxGet(url='/api/freeradius/general/get', sendData={}, callback=function(data,status){
+          // since our general data doesn't change during input of new ldapgroups, we can control the dialog inputs
+          // at once after load. No need for an "onShow" type of event here,
+          // since our changes aren't driven by the dialog form itself.
+          if (data.general != undefined) {
+              $("#frm_dialogEditFreeRADIUSLdapgroup tr").each(function () {
+                  var this_item_name = $(this).attr('id');
+                  var this_item = $(this);
+                  if (this_item_name != undefined) {
+                      $.each(data.general, function(setting_key, setting_value){
+                          var search_item = 'row_ldapgroup.' + setting_key +'_';
+                          if (this_item_name.startsWith(search_item) && setting_value == '0') {
+                              // since our form tr rows are visible by default, we only have to hide what isn't needed
+                              this_item.hide();
+                          }
+                      });
+                  }
+              });
+          }
+      });
+
+    });
+
+
+</script>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#ldapgroups">{{ lang._('LDAP Group') }}</a></li>
+</ul>
+
+<div class="tab-content content-box tab-content">
+    <div id="ldapgroups" class="tab-pane fade in active">
+        <table id="grid-ldapgroups" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="dialogEditFreeRADIUSLdapgroup">
+            <thead>
+            <tr>
+                <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="ldapgroupname" data-type="string" data-visible="true">{{ lang._('Groupname') }}</th>
+                <th data-column-id="vlan" data-type="string" data-visible="false">{{ lang._('VLAN ID') }}</th>
+                <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
+    <div class="col-md-12">
+        <hr/>
+        <button class="btn btn-primary" id="reconfigureAct" type="button"><b>{{ lang._('Apply') }}</b> <i id="reconfigureAct_progress" class=""></i></button>
+        <br/><br/>
+    </div>
+</div>
+
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditFreeRADIUSLdapgroup,'id':'dialogEditFreeRADIUSLdapgroup','label':lang._('Edit LDAP Group')])}}
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index 6618e41102..dda33d3f3d 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -101,6 +101,18 @@ DEFAULT Hint == "CSLIP"
 
 DEFAULT Hint == "SLIP"
         Framed-Protocol = SLIP
+
+{%  if helpers.exists('OPNsense.freeradius.ldapgroup.ldapgroups.ldapgroup') %}
+{%    for ldapgroup_list in helpers.toList('OPNsense.freeradius.ldapgroup.ldapgroups.ldapgroup') %}
+{%      if ldapgroup_list.enabled == '1' %}
+DEFAULT Ldap-Group == "{{ ldapgroup_list.ldapgroupname }}"
+        Tunnel-Type = VLAN,
+        Tunnel-Medium-Type = IEEE-802,
+        Tunnel-Private-Group-Id = "{{ ldapgroup_list.vlan }}"
+{%      endif %}
+{%    endfor %}
+{%  endif %}
+
 {%  if helpers.exists('OPNsense.freeradius.general.fallbackvlan_enabled') and OPNsense.freeradius.general.fallbackvlan_enabled == '1' %}
 
 DEFAULT Auth-Type := Accept

From b31937c1ab717ebab1a5e084a88c16af55b8ebf8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 23 Oct 2025 18:05:44 +0200
Subject: [PATCH 2705/3088] make: allow multiple stable pull here too

---
 Mk/defaults.mk | 6 ++++--
 Mk/git.mk      | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 5142592ea2..77a93b13a9 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -46,11 +46,13 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 
 .if exists(${VERSIONBIN})
 _PLUGIN_ABI!=	${VERSIONBIN} -a
-PLUGIN_ABI?=	${_PLUGIN_ABI}
+PLUGIN_ABIS?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABI?=	25.7
+PLUGIN_ABIS?=	25.7
 .endif
 
+PLUGIN_ABI?=	${PLUGIN_ABIS:[1]}
+
 PLUGIN_MAINS=	master main
 PLUGIN_MAIN?=	${PLUGIN_MAINS:[1]}
 PLUGIN_STABLE?=	stable/${PLUGIN_ABI}
diff --git a/Mk/git.mk b/Mk/git.mk
index 5ef0bcd1f2..4aded1e189 100644
--- a/Mk/git.mk
+++ b/Mk/git.mk
@@ -23,6 +23,8 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 
+CORE_ABI=	${PLUGIN_ABI}
+CORE_ABIS=	${PLUGIN_ABIS}
 CORE_MAIN=	${PLUGIN_MAIN}
 CORE_MAINS=	${PLUGIN_MAINS}
 CORE_STABLE=	${PLUGIN_STABLE}

From 3222e2e1f9e62916b849be20b39a4832818d0209 Mon Sep 17 00:00:00 2001
From: Matthias Valvekens <matthias.valvekens@gmail.com>
Date: Fri, 24 Oct 2025 09:15:42 +0200
Subject: [PATCH 2706/3088] net/tayga: static mapping support (#4986)

Implement support for the 'map' directive in Tayga
that can be used to statically define one-to-one
maps between IPv4 and IPv6 prefixes.

Implements #4606.
---
 net/tayga/Makefile                            |  3 +-
 net/tayga/pkg-descr                           |  4 ++
 .../OPNsense/Tayga/Api/MappingController.php  | 67 +++++++++++++++++++
 .../OPNsense/Tayga/GeneralController.php      |  2 +
 .../Tayga/forms/dialogEditStaticMapping.xml   | 34 ++++++++++
 .../mvc/app/models/OPNsense/Tayga/General.xml |  8 ++-
 .../models/OPNsense/Tayga/StaticMapping.php   | 35 ++++++++++
 .../models/OPNsense/Tayga/StaticMapping.xml   | 24 +++++++
 .../mvc/app/views/OPNsense/Tayga/general.volt | 49 ++++++++------
 .../templates/OPNsense/Tayga/tayga.conf       |  8 +++
 10 files changed, 212 insertions(+), 22 deletions(-)
 create mode 100644 net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/Api/MappingController.php
 create mode 100644 net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/dialogEditStaticMapping.xml
 create mode 100644 net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/StaticMapping.php
 create mode 100644 net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/StaticMapping.xml

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index fe232e6ac0..9b9a62daf1 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tayga
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/tayga/pkg-descr b/net/tayga/pkg-descr
index 4ff06aba27..c97a14600c 100644
--- a/net/tayga/pkg-descr
+++ b/net/tayga/pkg-descr
@@ -7,6 +7,10 @@ networks where dedicated NAT64 hardware would be overkill.
 Plugin Changelog
 ================
 
+1.3
+
+* Static mapping support
+
 1.2
 
 * Custom IPv6 routing option
diff --git a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/Api/MappingController.php b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/Api/MappingController.php
new file mode 100644
index 0000000000..05b88d7270
--- /dev/null
+++ b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/Api/MappingController.php
@@ -0,0 +1,67 @@
+<?php
+
+/*
+    Copyright (C) 2025 Matthias Valvekens <dev@mvalvekens.be>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Tayga\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class MappingController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'staticmapping';
+    protected static $internalModelClass = '\OPNsense\Tayga\StaticMapping';
+
+    public function searchStaticmappingAction()
+    {
+        return $this->searchBase('staticmappings.staticmapping', ['enabled', 'v4', 'v6']);
+    }
+
+    public function getStaticmappingAction($uuid = null)
+    {
+        return $this->getBase('staticmapping', 'staticmappings.staticmapping', $uuid);
+    }
+
+    public function addStaticmappingAction()
+    {
+        return $this->addBase('staticmapping', 'staticmappings.staticmapping');
+    }
+
+    public function delStaticmappingAction($uuid)
+    {
+        return $this->delBase('staticmappings.staticmapping', $uuid);
+    }
+
+    public function setStaticmappingAction($uuid)
+    {
+        return $this->setBase('staticmapping', 'staticmappings.staticmapping', $uuid);
+    }
+
+    public function toggleStaticmappingAction($uuid)
+    {
+        return $this->toggleBase('staticmappings.staticmapping', $uuid);
+    }
+}
diff --git a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/GeneralController.php b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/GeneralController.php
index 6cf94562b2..667f30cc9d 100644
--- a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/GeneralController.php
+++ b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/GeneralController.php
@@ -34,5 +34,7 @@ public function indexAction()
     {
         $this->view->generalForm = $this->getForm("general");
         $this->view->pick('OPNsense/Tayga/general');
+        $this->view->formDialogEditStaticMapping = $this->getForm("dialogEditStaticMapping");
+        $this->view->formGridStaticMapping = $this->getFormGrid("dialogEditStaticMapping");
     }
 }
diff --git a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/dialogEditStaticMapping.xml b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/dialogEditStaticMapping.xml
new file mode 100644
index 0000000000..e838c49e76
--- /dev/null
+++ b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/dialogEditStaticMapping.xml
@@ -0,0 +1,34 @@
+<form>
+    <field>
+        <id>staticmapping.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the static mapping</help>
+        <grid_view>
+            <width>6em</width>
+            <type>boolean</type>
+            <formatter>rowtoggle</formatter>
+        </grid_view>
+    </field>
+    <field>
+        <id>staticmapping.v4</id>
+        <label>IPv4 network or address</label>
+        <type>text</type>
+        <help>IPv4 network to map. Can overlap with dynamic pool.</help>
+    </field>
+    <field>
+        <id>staticmapping.v6</id>
+        <label>IPv6 network or address</label>
+        <type>text</type>
+        <help>IPv4 network to map. Must not overlap with NAT64 prefix.</help>
+    </field>
+    <field>
+        <id>staticmapping.description</id>
+        <label>Description</label>
+        <type>text</type>
+        <help>Optionally describe the purpose of the mapping.</help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
+</form>
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
index 0644ef6187..19861bafff 100644
--- a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/tayga/general</mount>
     <description>Tayga configuration</description>
-    <version>1.2.0</version>
+    <version>1.3.0</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
@@ -10,24 +10,30 @@
         <v4address type="NetworkField">
             <Default>192.168.255.1</Default>
             <Required>Y</Required>
+            <AddressFamily>ipv4</AddressFamily>
         </v4address>
         <v4destination type="NetworkField">
             <Default>192.168.254.1</Default>
             <Required>Y</Required>
+            <AddressFamily>ipv4</AddressFamily>
         </v4destination>
         <v6address type="NetworkField">
             <Required>N</Required>
+            <AddressFamily>ipv6</AddressFamily>
         </v6address>
         <v6destination type="NetworkField">
             <Default>2001:db8:1:ffff::1</Default>
+            <AddressFamily>ipv6</AddressFamily>
             <Required>Y</Required>
         </v6destination>
         <v6prefix type="NetworkField">
             <Default>64:ff9b::/96</Default>
+            <AddressFamily>ipv6</AddressFamily>
             <Required>Y</Required>
         </v6prefix>
         <v4pool type="NetworkField">
             <Default>192.168.255.0/24</Default>
+            <AddressFamily>ipv4</AddressFamily>
             <Required>Y</Required>
         </v4pool>
         <v6routedisabled type="BooleanField">
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/StaticMapping.php b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/StaticMapping.php
new file mode 100644
index 0000000000..be26d28b0e
--- /dev/null
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/StaticMapping.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+    Copyright (C) 2025 Matthias Valvekens <dev@mvalvekens.be>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Tayga;
+
+use OPNsense\Base\BaseModel;
+
+class StaticMapping extends BaseModel
+{
+}
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/StaticMapping.xml b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/StaticMapping.xml
new file mode 100644
index 0000000000..ad7429652e
--- /dev/null
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/StaticMapping.xml
@@ -0,0 +1,24 @@
+<model>
+    <mount>//OPNsense/tayga/staticmapping</mount>
+    <description>Static NAT64 mappings</description>
+    <version>1.3.0</version>
+    <items>
+        <staticmappings>
+            <staticmapping type="ArrayField">
+                <enabled type="BooleanField">
+                    <Required>Y</Required>
+                    <Default>1</Default>
+                </enabled>
+                <v4 type="NetworkField">
+                    <Required>Y</Required>
+                    <AddressFamily>ipv4</AddressFamily>
+                </v4>
+                <v6 type="NetworkField">
+                    <Required>Y</Required>
+                    <AddressFamily>ipv6</AddressFamily>
+                </v6>
+                <description type="DescriptionField"/>
+            </staticmapping>
+        </staticmappings>
+    </items>
+</model>
diff --git a/net/tayga/src/opnsense/mvc/app/views/OPNsense/Tayga/general.volt b/net/tayga/src/opnsense/mvc/app/views/OPNsense/Tayga/general.volt
index bded11ae61..0732903f5b 100644
--- a/net/tayga/src/opnsense/mvc/app/views/OPNsense/Tayga/general.volt
+++ b/net/tayga/src/opnsense/mvc/app/views/OPNsense/Tayga/general.volt
@@ -26,13 +26,23 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 
 #}
-<div class="content-box" style="padding-bottom: 1.5em;">
-    {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
-        <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress"></i></button>
+
+<!-- Navigation bar -->
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#staticmappings">{{ lang._('Static Mappings') }}</a></li>
+</ul>
+
+<div class="tab-content content-box">
+    <div class="tab-pane fade in active" id="general" style="padding-bottom: 1.5em;">
+        {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
+    </div>
+    <div id="staticmappings" class="tab-pane fade in">
+        {{ partial('layout_partials/base_bootgrid_table', formGridStaticMapping) }}
     </div>
 </div>
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditStaticMapping,'id': formGridStaticMapping['edit_dialog_id'], 'label':lang._('Edit mapping')])}}
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/tayga/service/reconfigure', 'data_service_widget': 'tayga'}) }}
 
 <script>
     $( document ).ready(function() {
@@ -41,21 +51,22 @@ POSSIBILITY OF SUCH DAMAGE.
             formatTokenizersUI();
             $('.selectpicker').selectpicker('refresh');
         });
-        ajaxCall(url="/api/tayga/service/status", sendData={}, callback=function(data,status) {
-            updateServiceStatusUI(data['status']);
-        });
 
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint(url="/api/tayga/general/set", formid='frm_general_settings',callback_ok=function(){
-                    $("#saveAct_progress").addClass("fa fa-spinner fa-pulse");
-                    ajaxCall(url="/api/tayga/service/reconfigure", sendData={}, callback=function(data,status) {
-                            ajaxCall(url="/api/tayga/service/status", sendData={}, callback=function(data,status) {
-                                    updateServiceStatusUI(data['status']);
-                            });
-                            $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
-                    });
-            });
+        $("#{{formGridStaticMapping['table_id']}}").UIBootgrid({
+            'search': '/api/tayga/mapping/search_staticmapping',
+            'get': '/api/tayga/mapping/get_staticmapping/',
+            'set': '/api/tayga/mapping/set_staticmapping/',
+            'add': '/api/tayga/mapping/add_staticmapping/',
+            'del': '/api/tayga/mapping/del_staticmapping/',
+            'toggle': '/api/tayga/mapping/toggle_staticmapping/'
+        });
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = $.Deferred();
+                saveFormToEndpoint("/api/tayga/general/set", 'frm_general_settings', function () { dfObj.resolve(); }, true, function () { dfObj.reject(); });
+                return dfObj;
+            }
         });
+        updateServiceControlUI('tayga');
     });
 </script>
diff --git a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
index 2c8a3bd580..853353f95a 100644
--- a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
+++ b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
@@ -10,4 +10,12 @@ ipv6-addr {{ OPNsense.tayga.general.v6address }}
 prefix {{ OPNsense.tayga.general.v6prefix }}
 dynamic-pool {{ OPNsense.tayga.general.v4pool }}
 
+{% if helpers.exists('OPNsense.tayga.staticmapping.staticmappings.staticmapping') %}
+{%   for mapping in helpers.toList('OPNsense.tayga.staticmapping.staticmappings.staticmapping') %}
+{%     if mapping.enabled == '1' %}
+map {{ mapping.v4 }} {{ mapping.v6 }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
+
 {% endif %}

From 818440296f746b2cae1c6f88d6b782f483fc14e9 Mon Sep 17 00:00:00 2001
From: Schnuffel2008 <30749854+Schnuffel2008@users.noreply.github.com>
Date: Mon, 27 Oct 2025 11:20:33 +0100
Subject: [PATCH 2707/3088] This is my theme "flexcolor" (#4927)

---
 misc/theme-flexcolor/Makefile                 |    7 +
 misc/theme-flexcolor/pkg-descr                |    5 +
 .../src/opnsense/www/themes/flexcolor/LICENSE |   21 +
 .../SourceSansPro-Bold/SourceSansPro-Bold.eot |  Bin 0 -> 112325 bytes
 .../SourceSansPro-Bold/SourceSansPro-Bold.otf |  Bin 0 -> 235128 bytes
 .../SourceSansPro-Bold/SourceSansPro-Bold.ttf |  Bin 0 -> 291424 bytes
 .../SourceSansPro-Bold.woff                   |  Bin 0 -> 117872 bytes
 .../SourceSansPro-Regular.eot                 |  Bin 0 -> 113255 bytes
 .../SourceSansPro-Regular.otf                 |  Bin 0 -> 229588 bytes
 .../SourceSansPro-Regular.ttf                 |  Bin 0 -> 293956 bytes
 .../SourceSansPro-Regular.woff                |  Bin 0 -> 119064 bytes
 .../SourceSansPro-Semibold.eot                |  Bin 0 -> 112905 bytes
 .../SourceSansPro-Semibold.otf                |  Bin 0 -> 232680 bytes
 .../SourceSansPro-Semibold.ttf                |  Bin 0 -> 292404 bytes
 .../SourceSansPro-Semibold.woff               |  Bin 0 -> 118412 bytes
 .../glyphicons-halflings-regular.eot          |  Bin 0 -> 20127 bytes
 .../glyphicons-halflings-regular.svg          |  288 +
 .../glyphicons-halflings-regular.ttf          |  Bin 0 -> 45404 bytes
 .../glyphicons-halflings-regular.woff         |  Bin 0 -> 23424 bytes
 .../assets/stylesheets/bootstrap/_alerts.scss |   68 +
 .../assets/stylesheets/bootstrap/_badges.scss |   57 +
 .../stylesheets/bootstrap/_breadcrumbs.scss   |   26 +
 .../stylesheets/bootstrap/_button-groups.scss |  240 +
 .../stylesheets/bootstrap/_buttons.scss       |  159 +
 .../stylesheets/bootstrap/_carousel.scss      |  243 +
 .../assets/stylesheets/bootstrap/_close.scss  |   35 +
 .../assets/stylesheets/bootstrap/_code.scss   |   68 +
 .../bootstrap/_component-animations.scss      |   35 +
 .../stylesheets/bootstrap/_dropdowns.scss     |  214 +
 .../assets/stylesheets/bootstrap/_forms.scss  |  540 ++
 .../stylesheets/bootstrap/_glyphicons.scss    |  237 +
 .../assets/stylesheets/bootstrap/_grid.scss   |   84 +
 .../stylesheets/bootstrap/_input-groups.scss  |  166 +
 .../stylesheets/bootstrap/_jumbotron.scss     |   48 +
 .../assets/stylesheets/bootstrap/_labels.scss |   66 +
 .../stylesheets/bootstrap/_list-group.scss    |  159 +
 .../assets/stylesheets/bootstrap/_media.scss  |   56 +
 .../assets/stylesheets/bootstrap/_mixins.scss |   39 +
 .../assets/stylesheets/bootstrap/_modals.scss |  150 +
 .../assets/stylesheets/bootstrap/_navbar.scss |  658 ++
 .../assets/stylesheets/bootstrap/_navs.scss   |  239 +
 .../stylesheets/bootstrap/_normalize.scss     |  425 ++
 .../assets/stylesheets/bootstrap/_pager.scss  |   55 +
 .../stylesheets/bootstrap/_pagination.scss    |   88 +
 .../assets/stylesheets/bootstrap/_panels.scss |  243 +
 .../stylesheets/bootstrap/_popovers.scss      |  133 +
 .../assets/stylesheets/bootstrap/_print.scss  |  101 +
 .../stylesheets/bootstrap/_progress-bars.scss |  107 +
 .../bootstrap/_responsive-embed.scss          |   34 +
 .../bootstrap/_responsive-utilities.scss      |  180 +
 .../stylesheets/bootstrap/_scaffolding.scss   |  150 +
 .../assets/stylesheets/bootstrap/_tables.scss |  236 +
 .../assets/stylesheets/bootstrap/_theme.scss  |  258 +
 .../stylesheets/bootstrap/_thumbnails.scss    |   38 +
 .../stylesheets/bootstrap/_tooltip.scss       |   95 +
 .../assets/stylesheets/bootstrap/_type.scss   |  304 +
 .../stylesheets/bootstrap/_utilities.scss     |   57 +
 .../stylesheets/bootstrap/_variables.scss     |  852 +++
 .../assets/stylesheets/bootstrap/_wells.scss  |   29 +
 .../stylesheets/bootstrap/mixins/_alerts.scss |   14 +
 .../bootstrap/mixins/_background-variant.scss |   11 +
 .../bootstrap/mixins/_border-radius.scss      |   18 +
 .../bootstrap/mixins/_buttons.scss            |   50 +
 .../bootstrap/mixins/_center-block.scss       |    7 +
 .../bootstrap/mixins/_clearfix.scss           |   22 +
 .../stylesheets/bootstrap/mixins/_forms.scss  |   84 +
 .../bootstrap/mixins/_gradients.scss          |   58 +
 .../bootstrap/mixins/_grid-framework.scss     |   81 +
 .../stylesheets/bootstrap/mixins/_grid.scss   |  122 +
 .../bootstrap/mixins/_hide-text.scss          |   21 +
 .../stylesheets/bootstrap/mixins/_image.scss  |   34 +
 .../stylesheets/bootstrap/mixins/_labels.scss |   12 +
 .../bootstrap/mixins/_list-group.scss         |   31 +
 .../bootstrap/mixins/_nav-divider.scss        |   10 +
 .../bootstrap/mixins/_nav-vertical-align.scss |    9 +
 .../bootstrap/mixins/_opacity.scss            |    8 +
 .../bootstrap/mixins/_pagination.scss         |   23 +
 .../stylesheets/bootstrap/mixins/_panels.scss |   24 +
 .../bootstrap/mixins/_progress-bar.scss       |   10 +
 .../bootstrap/mixins/_reset-filter.scss       |    8 +
 .../stylesheets/bootstrap/mixins/_resize.scss |    6 +
 .../mixins/_responsive-visibility.scss        |   21 +
 .../stylesheets/bootstrap/mixins/_size.scss   |   10 +
 .../bootstrap/mixins/_tab-focus.scss          |    9 +
 .../bootstrap/mixins/_table-row.scss          |   28 +
 .../bootstrap/mixins/_text-emphasis.scss      |   11 +
 .../bootstrap/mixins/_text-overflow.scss      |    8 +
 .../bootstrap/mixins/_vendor-prefixes.scss    |  219 +
 .../color_schemes/black/default_scheme.css    |  380 ++
 .../darklight/default_scheme.css              |  380 ++
 .../color_schemes/light/default_scheme.css    |  380 ++
 .../flexcolor/build/css/bootstrap-dialog.css  |  119 +
 .../flexcolor/build/css/bootstrap-select.css  |  407 ++
 .../themes/flexcolor/build/css/dashboard.css  |  372 ++
 .../flexcolor/build/css/default_scheme.css    |  380 ++
 .../flexcolor/build/css/dns-overview.css      |  209 +
 .../flexcolor/build/css/jquery.bootgrid.css   |  151 +
 .../www/themes/flexcolor/build/css/main.css   | 5937 +++++++++++++++++
 .../www/themes/flexcolor/build/css/nv.d3.css  |  649 ++
 .../flexcolor/build/css/opnsense-bootgrid.css |  335 +
 .../themes/flexcolor/build/css/tokenize2.css  |  174 +
 .../build/fonts/LICENSE.SourceSansPro.txt     |   93 +
 .../SourceSansPro-Bold/SourceSansPro-Bold.eot |  Bin 0 -> 112325 bytes
 .../SourceSansPro-Bold/SourceSansPro-Bold.otf |  Bin 0 -> 235128 bytes
 .../SourceSansPro-Bold/SourceSansPro-Bold.ttf |  Bin 0 -> 291424 bytes
 .../SourceSansPro-Bold.woff                   |  Bin 0 -> 117872 bytes
 .../SourceSansPro-Regular.eot                 |  Bin 0 -> 113255 bytes
 .../SourceSansPro-Regular.otf                 |  Bin 0 -> 229588 bytes
 .../SourceSansPro-Regular.ttf                 |  Bin 0 -> 293956 bytes
 .../SourceSansPro-Regular.woff                |  Bin 0 -> 119064 bytes
 .../SourceSansPro-Semibold.eot                |  Bin 0 -> 112905 bytes
 .../SourceSansPro-Semibold.otf                |  Bin 0 -> 232680 bytes
 .../SourceSansPro-Semibold.ttf                |  Bin 0 -> 292404 bytes
 .../SourceSansPro-Semibold.woff               |  Bin 0 -> 118412 bytes
 .../glyphicons-halflings-regular.eot          |  Bin 0 -> 20127 bytes
 .../glyphicons-halflings-regular.svg          |  288 +
 .../glyphicons-halflings-regular.ttf          |  Bin 0 -> 45404 bytes
 .../glyphicons-halflings-regular.woff         |  Bin 0 -> 23424 bytes
 .../themes/flexcolor/build/images/caret.png   |  Bin 0 -> 2935 bytes
 .../flexcolor/build/images/default-logo.svg   |   41 +
 .../themes/flexcolor/build/images/favicon.png |  Bin 0 -> 2221 bytes
 .../flexcolor/build/images/icon-logo.svg      |   14 +
 122 files changed, 18571 insertions(+)
 create mode 100644 misc/theme-flexcolor/Makefile
 create mode 100644 misc/theme-flexcolor/pkg-descr
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/LICENSE
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.eot
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.otf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.eot
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.otf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.eot
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.otf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.eot
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.svg
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.ttf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.woff
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_alerts.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_badges.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_breadcrumbs.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_button-groups.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_buttons.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_carousel.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_close.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_code.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_component-animations.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_dropdowns.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_forms.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_glyphicons.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_grid.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_input-groups.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_jumbotron.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_labels.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_list-group.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_media.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_mixins.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_modals.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_navbar.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_navs.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_normalize.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_pager.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_pagination.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_panels.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_popovers.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_print.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_progress-bars.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_responsive-embed.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_responsive-utilities.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_scaffolding.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_tables.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_theme.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_thumbnails.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_tooltip.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_type.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_utilities.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_variables.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_wells.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_alerts.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_background-variant.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_border-radius.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_buttons.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_center-block.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_clearfix.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_forms.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_gradients.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_grid-framework.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_grid.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_hide-text.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_image.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_labels.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_list-group.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_nav-divider.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_nav-vertical-align.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_opacity.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_pagination.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_panels.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_progress-bar.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_reset-filter.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_resize.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_responsive-visibility.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_size.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_tab-focus.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_table-row.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_text-emphasis.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_text-overflow.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_vendor-prefixes.scss
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/black/default_scheme.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/darklight/default_scheme.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/light/default_scheme.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-dialog.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-select.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/default_scheme.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dns-overview.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/jquery.bootgrid.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/nv.d3.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/opnsense-bootgrid.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/LICENSE.SourceSansPro.txt
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.eot
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.otf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.eot
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.otf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.eot
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.otf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.eot
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.svg
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.ttf
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.woff
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/caret.png
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/default-logo.svg
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/favicon.png
 create mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/icon-logo.svg

diff --git a/misc/theme-flexcolor/Makefile b/misc/theme-flexcolor/Makefile
new file mode 100644
index 0000000000..102f611200
--- /dev/null
+++ b/misc/theme-flexcolor/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		theme-flexcolor
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		OPNsense theme with 3 different color schemes (black as default, light and darklight)
+PLUGIN_MAINTAINER=	iengels@web.de
+PLUGIN_NO_ABI=		yes
+
+.include "../../Mk/plugins.mk"
diff --git a/misc/theme-flexcolor/pkg-descr b/misc/theme-flexcolor/pkg-descr
new file mode 100644
index 0000000000..484bd86da1
--- /dev/null
+++ b/misc/theme-flexcolor/pkg-descr
@@ -0,0 +1,5 @@
+Theme with the option to customize colors through color schemes.  To change
+the scheme, simply replace the corresponding default_scheme.css file in the
+theme /build/css-folder with an alternative from the corresponding folders
+in the /build/color_schemes/ folder.  Feel free to adjust all colors by
+changing the color codes in the scheme-file or to create your own schemes.
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/LICENSE b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/LICENSE
new file mode 100644
index 0000000000..4e7f5527ba
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2013-2014 bootstrap-select
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.eot b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.eot
new file mode 100644
index 0000000000000000000000000000000000000000..e9f423425ce4cf2be93117ca950fc6e5d39e1315
GIT binary patch
literal 112325
zcmagFRahKN7d1LFI1Dzp5AI}eCxg3taCevB@8It4?h;&ryAwQE2oO9Z0RjZi$@gEJ
z=loZv`l;SkYp-6t`=)z$@9ObRARxX22mt-tkO2Sy2n!7f2^k3lLIwi*K>q-MipC!h
zz#RC`^}pHwS}_m+{h!UtX%+aN{l6PEKpWr&@Bw%NtN=Fuh}r-PfGfc3-$>&h=Jt<_
z4v_k1odMSW#@+zEe=N^`eusaU>pvC`fC~Wow}$~l{~e+I|01yegV_ILdH+-XAJ_Mv
zkNf|yxd1`{fq#6Lf9G=gr}saO?LUw6KUK^BqsaenCIH|C@cmQyU(hW7KT$&eKQRIT
zQrhww|Myh_07ytS-N4XrU}!Y3Vux`4EMeO3o!yLsm5+CnACuL`GCnsxb*|G-$ugiX
zA7yO$YMAM(YSI!OeiAU(3kfl+P8C^C<q7%3m*JB{H~;>qnAQNH$8E(@<S>sXyhT2u
zw9Ut;wEUv=o=$2M4^2;~)7VJ$XD-n)uKG_%m$>Mg!^vJ$-S9g`{~Q=#Iuj*}^r1?a
zVTW->#c$ol<f7}=Y2aw4+HbdulHBvlG3p0$NG+eKUy9kp&G7GOCpAWM1jXZbor`jt
z2@wR2SeX11#PeeaHL^b`RH(7Wu+`S);Z5=#t5{FRN8Br+Y2tc4IQwNffqQjIYM;X8
z;BdJI0;Un$LrRm88s3KS9Ot`eWi@gN(^VRwq<J}^qzYBc<9ZazwmST}B~>S2DUwja
z+A=`*z|gYP9vzQMX$?X{*+tT2WPV%ptP%dosdo7E9ZcdS;#HK3k3prRZqIn_NVk+u
zHu;8G`Xi|-sss3{tKu+}-8hLHH#uwK8VCO+qlaCx#ao6(A;}RM((q1_VvjbRUP3oR
z7P+;zXDIjY*zKX0J(rmEU;hlb7_#&S?wqBA#-p$+4hivlQrF5+t=fH#aRxUn^8bd-
z{fJzeTs<EbH($AtzGIq#KNMN6ysHW?q|izMN7X5LVKsESiW>Js=(n3$P-&<hl4eMU
zLse_t^-AQiDkNzEl`d*2HR$Kb%aA&wmZ&kSqr7GZ!4}ZL7n{hRGw14tjeKJi4UvBz
z*ZC!_^d(RZ1?A`=-<;TIXG8-m#&lK{&pXje!esy8YxKS{;871<p5PV%8O5JE+FL$g
zI9<$N%OBnj9K<vFGr)@B_i<aqMstc$jcivF9@4a;VNF*QDQ^PWb-Y!+>*3rzSks>=
z>;;Bpx;ppMg^rp(;Tq8g*V&;B{}S=0bE>KLfD(k}6kUJhW~2c-UQl62I6ib<c+Y=|
zSs*shp*UB?OVGeq5UOYis6fCp1(!1-F+&@c8XEO?X^(ySZs+#SF_s)(6|5-%`GKWN
zug{^ygz5IB(Yi5@dHZHy8WiL+h)rVh+)4jhX>s_$?B%%O=MNJjCnBQf#TU{Rc|nO{
zf!;Y-i9*&1b!Hy6zlw$f#i_H#3B4I8TdY*Lm~l@+II8|8!Kbm0s}0ychC98Vw?&Em
z5_6m5p_q!}gI<1mFea_g!iIFAB9Ew<Ecp$Tr$9T$FABC7>9B)w!=Zw#OYlj$|2#P^
zkpHIPNO}1uTv%?or{oRgIkc<D2obmKPYZMp%>*)Eq(PLTylM|{rRc}z)kUEGz0_yw
zyW+`F60MbzPSd+T5hpn<<Y9H@DmA3y5{YQPwWIFv3RKIs<*Se>r5-K$5cYiZx!J7r
zKO33|A%paKKQAmR#ibiUT=86yfY`AZOTchhjL)e-P3Ixkz*7|E1kF`cyjx-nCAI*A
zr?@s25lX_KPs4jbuaZKK?uG=iEjUSEaO*fnH9Q>;+DKNgO8DLoRQ)cS*ytuD5V$($
z^_Ep|oIUmGo9iT*UhVO&n((w5Kbw%TVsP(QElHP+D)<4T=2Pk1l)u5@R_2t%Ih7F{
zAv#BkP`2<iL77_b1eNAmItW+&)r-gul&~zYsmNkHBE-I7RQ4Qx*XVyhU2A%xQnq~`
zL8aUukAk*4Nq??3MbG!jY%8lKzWSFLtv6;kIq{ACyHriVfTT4GZlTO(VT`QJqQCNv
z!e16xnsjk)N8vEWky~;dh&QAo$e4ANx>=eir*aB}pF7K84Qr=hbe#QqHl|9lK?(a0
zwDW@@<*P31lo3dyd$tO%lu-U%1%~>ccN!vH<j3nGk#>P=lC>{=aqE8}#%OPF<thB(
z*#Lf7IjI%_uGDP0VQmw|$`(ZdTm>pWU56>cCqD*cIyhn~zCx1MZ;Ku@+q&T8Z7l@E
zmrn_r31FRjN}Y&wBLkj5J{8>VkYxyx6;4Dwr6dno|G|mtmq*Oa<aMDk02#Yt!pHo9
z!(YW%><p5Oqp_UDH@PWJ!~lYYNU`lZx>xrqD2ut0V+Zx*?rL~%qZ+>#W;Bm5;xOKi
zhDME~tP1yEiY5>(jmrAF#<bQePTc$6a{<+nD-W*wKh{(K&TcUs$8TlO5@MTH*rLe@
zIhEb6GAq0H<OouRnKr1bMOgm?{a0ak&BI&0Bs|n+Xv2unZ2ubljT4kv)%|Y71>0sx
z;n!BTPEyq{!j(VN$V1xS|GY(GVbYI2PltDzm9h;7iJ9OAXNFxamv|5g2N5Jm!nN+t
zSif1i<z85rgQCB~bh%GKXQ+{Bueu@nYP5n==5|{}_+JMZX8UD93s*Gql-ujpMMbRw
zXn?TfsKPaB@kTV2(dxYNf<oHOEr=I%#K|4c;RktUZ0VGL)bxU2s&Y(pku6dOA&nXK
z?$?A(<!^?OtH!Oh_HLO8jU>$e{G1+x+AuM<!qhk-#qy~W<hgjXh4!?5-VYIF6#27?
z7undKvD@FbSzpw&1`2X~TYZ>EQH(Ar4a(h)n|c*rkud1AwL{bkhDdshu%&qK%p<9P
z`Y?o4zE=YS9&flAvkhQ-FwyK8QQ0rBQyB$vJD^rX=SCOdxVTlIu%)pB|Gbb%BI#u$
z>}CmSg(G;Tvf-i(BbHv?8C$d-kssh+1F#Cn)|$dOe$B*lK7-STXrEF{HBzXw(cmtN
z^P*JVj>Un2)p$e}mD9G>-oSv)haU9zNWmvEsLBIS2DVz9rFyBfx-#i80yo*y%4ya#
z%nMQhEN#0JQnXw?hIK2gytDsyMK9e)NuIF>SLYn8AE0Lwp{urynlEquHtcAR+a`tD
zoV7B|+#mxg(Il*bVA~{@1y!Xw=RGukR5;T<*~0MX1erosU&M>Y0=FSH-z#}5J{w^P
zd4_yb0}~Q_w{v1C30_pNu5FTnnGxuDu{ymouc-5j%qD&&#rbP8By;n<f;Mn)#zcrt
zJe_RW0uo9)Bv$HA?%Hdy%j=Ao%QJ;M<MIe<n3Z&s8~Y4syJ3#@h@tK_VUE$__7J)(
z=#3`EcpA&G5^j!mL>&Lj36nrgrp(S@wbYgpQAEL*+Jd!|o0?o9Y}q@}N#7fLvIz(Q
zs{1I!X8p%YYce&dC4>#ou`2lA7!Ymk4hb8ypvYud#!{JB6ct1RnJ|c2WmN58{DB5>
z%yBLEE>WKKs1=Hm`WC9q4pk`iR+^#T?A4Y_L?(;7z>oA*kzb%ivDy*do^cdrAKqX`
zaknZczpsc3`;VM&(m4h?q7JmLp-{vI@)GpT^9b#%Z43A2UPt~uE48GJdBDgf(1c)3
z`&H4RyI?x?|8P$@xid$wa#Qg@LTokkadK_Tw3eqswNge)?f8A|J=N5R5B(f*d>Q>T
zLw+j|2!<>$a2oZW5fi1@i0bOLvS$NOP-v7<nq!Y2-IZRF_g@UsR!H;2wt%_KeV|x!
zXo?j^*_yb2ESc;PwZ6bY*bWA3llAr3gvN8L@qQ~XBWF<|JQPBjH*A=Xa$o8R(cdF|
zXm5aIe&B8vq=l)u{JT^9BDRjFfy;X(ue5*nV38)NmAW9LAWjOWDClO23mT<<{xYO&
z@@$N#{4jh32-3nJW|C~Ch6YMcjBW9MG*z+fW#hhUd6^<uxRS#fVgZT2&j9<0sB;c$
zJq6_(<@#U`a^0GQg8T=C*hX=kMhb;`g@YWod+Az^%pqQX=;iYuxF}O!K+p-XFy}1l
zi~|ppVf;HxQ^u}^*KE0v%Ge<y4cBM~eceh((*0u(&k!4>IW~{o;kl4-Dz$u<NrA_m
zFlah?<ofo@UA5@-_rXgV&xSnG1nISlhxXj2=4q!#+={j3T|@2_{5p8hI5J`MCDa(g
zD>f%NRac*TXk_JTeZt8RAMqJk0MosthULF3%ZnfN<`f%ML!WG%C77o7@kd8%j&3B<
z#ytm{9)EYKSf!7IwXgOMnVjXfzRmN`0i&jEBq(YwYGI3uS@nr}TJ`ze^N<*|WVJ4G
z4j>|SavdnX1a<92q&l#TF5*%RVSi;K%vv{PTrlhv8WjmuP-JFI$yeZ^k$<Re<*~X?
z8Jqd!TYh&fP(l+b&&HI`P$(_y$Ap6<{k742igrv$B2Zp4@@yqv_{2g2peOT|kit*y
zFDZ**+k*cop|LVd8CT0#d!|zK`Sa>Y>j;Dh=Wq+<L1y*tHA{&uf#!#UFAn)ZX)`@l
zOuO{OMn`B$-o0ZNS*7yK*hIzX8|_3iT~B3_Eu__+S>oaD%+G(a<c-jD2KDScpQzjW
z_jcv<4)f?bHJ#nPv!cB}gti{(qXj394OY#jGpQGul;Fi<Ox=>8*AJ&1U!@MNO*z*b
zY?|>e`)Y;TD@abyf)p5~9FB3*OksuTlKx1`V+^rooWwo}L5wx&w)Q6+p7u$M3@o#$
zjiVTlS9Q-v<+GK{p+X+L`F6rgI%nrCOV1HDC&EQQ+?!V8bmb_9U71}25xR$g1M2J<
z2idfz(4YJe*iBdsO~Pkh<*<)R<9HGCD>6l8i_Q65)-oo`jmx}~stVGLQRGo*MM>J{
z1dGvXl=~N<^{r<;wPvv`BQ7Vo5`cbz9D|Z3x;@~}Ifc)+q$|y6nlUCm8X_Rmw{XlU
zo?29OT}skq=>@sj5>E6kWF9fl{uYX;4sPHqGExDej?Z{T_fU+)?()tQZCHyj&5+!M
zjYkXs(G>W7%`JsMLd7qm8UoUqSQiK}Y5EtQwjgkhj0hiQ^+~-*SS0;jX9CcPWovxH
zNIJ5w=vs&ZFMYnG)C%I_Dqd0xhA#O8VCbTgIc?I_9dOOCJP<5lF{i1<G@p4aJ_!v$
zjADI!#x-dvWPzi}1SDlO_*H%_EOWY^nrJ6W%@nKzCF6<5KJpsl?KHaF*~Ewgf=$Gz
zjGc$y<D<<9F2w~3lj_%gp+zKU-KHoJF5s?q<_0aqF@zIx<Nx&u*2a4|C2>bxd1k{W
z=8_pNq*gqJBDk`0@pDtW9}h{=b!=0Xa~b#oOuPv$Pw@%x9s(!nHHB+-#$hYJYUR2C
zsZS+OGp*2o@%;-;0YX(0pWG2<2rs|K{J`7}A6;clNnRe=dh16td?$=W6RtT1^AVt`
ztl%G#+q@^Dao32ApclNZh{$$H86|Q;OdlB)3G<%>tRZ&btDZAv8GX~cOJ1izp74E+
z7dBa|j!u+4EI+a>PGB+)AwZN~A)XJ@afe~a+5Io#`+SYIHy(~j|4Xi_vwyOBM0S1?
z+(VPVa^&!?NuT3oq+id~MJgli#vsvPrdE4NcpVQrG=d51$N0s9?2n~oW6VJ|2i`Mw
zwVpFR1|vFqMcJ!A0QgI9OmlRFDP7RTR#5uhat~4Y#@Lpe1B>>3&IABmUZ;Nv@BPk5
zPIj@!=r?SPtKm)-5ip~t3Grr_VwKpy(k9fYIEn|r^PSKk8_yB>l@9xO?s4c|G~S*n
zgHSk^?8tj_IZlrFgKRf(DG9($F*<3%E0?dxh>*0oa`_7is$R%iy{9auG0CA5F=Iz4
zZX9I=peD|N+Z~aat$vkcHJQW)KxWVi!&Lvy#~U23sXkLuzPvw|3e_;)FxesZpltA!
zs4Y~=#xb;pmU9OU(hcat<<!h)qxPVrCY~{J1lS%kjyy>F)Rfe|sMQ>m+RcN6(>y;t
z1w0*IMkNk*{(#YI3p)%k4W)@eNi(>0%z;w--v}z~(%++eb%@Pgp0+*-Y4H_2xRL*>
zgIQ@pXAA?rK^pLM*Li&5wtydzur<h8VvQoocPOUfK*oX*_L!Vls8jSEQfAG(2TUui
z0&~jHg`_)skKH(XW}<1*Tak;24q=HnoqXbscVED|c!^GA2jEG$GZk#VXN!!M2)lyH
z&@{p#nZl~27!r-?RrELB57oD7k)BsE&O?uMLWBL^#S-H_A20I$2VZA(U%c#a(MA7W
z6@<F9_H**ffA3BhjW$xyh4_o;A66{T(s&Mj*Z}D4@9Rp#$=@n~@z*&WlH2nrybet%
z`91#IvGlJ=GL!IpTX&bl%R?<F*fO~X_mT9(YFOk@<C+^VzQg%6oxU<aEM|*n_6pw6
z9qxlq9yyJN$QcS>UfSXx=hB7q3w6R-eg#3l(hI8KR?%mG)<Fp9dQvFbwMaaau0nI~
z{t}TNO)X+|IA$>7?wun2I0aMICKy!8?yieCP<Qr&5u<0&+B_YklE+CwS4ZisNO9cb
z{U-Mti)?c(UtnfFWD2GEcs-1H1vvCk4Mg}QoHvirOq}^$t!xAz{}l77-skhaQz|HE
zzqVa)LZc+k7-c4nDRth=3p<!9rid|`#K#6E(VnLv!`=aC{dN&CJSA|fDv}HMw=C7B
z8>3UQ9zoi1Mda*D4fkSV6=a1}BPCBvvn6um7!?^M{+1XT^$2F%^2?he&3FJ?v|uQo
z5m+-Y$BNjPr5p*&kW+(|I;aL*_Z}iLm;e$DIS)go!qQ7EF^MYitb!sO0k@(<)XdSN
z?Y2RpW-d{VjV057cVL}SNy;;nQ9^NJ`cyIwqFULo3fCO1)(S!f>oDD1Xr??JgxOmP
z!vsAdRy^l0TyAmbF+ju?S(!F83Rs~HB1+ScY9Yj{0lveEj5yJY;IpbF<?^5%pD#(t
zP4{FnPaKUmj*yv6$#IKBXHhBDK@(QFL7vWazqWy(Dx`w`Dx|`v@k&Uq^H7E6-X;m`
zHHPf`1$oSYEu!Auk76_!+M))PWv`R|LfrrBa_jNOE2MRN6a3^><WV^l+bY@tz`g3<
zV0s<Uh8%N#NpdxMC>|QAc}C<0BfT$%{G}L%Z0{M9;my8K%o)n&O%%tYd8YR)qfRi7
zP7tSe5O84HcqkNuwVLja^UAQsE$@iPrMCWa=pHc#&U7E{bRQ;0A8H}T9%p`cae7U3
zdQEG34cGK)h~g?<#W_Go1f?qf6tm>4=*&b6<~>G+Rb0;a`*Qfx5{kspc~JhUXWQz3
z`Yii@SblM7&XJd2^Gm;Rj2dBbNTGilpkl9;!=_OwWCWC7Kr5%r9Xj?8JLLFW#dqb-
zS7h+@7Mi3U)#DKzliqY9c&hOY7bWYmEJ^hj*-K4-c@u+QdUC8ZHezW0wp@PePXUqz
z{LEzdk(SXnZ1><I9PqHtiw`(BZI`GHyiIOdAaqJ4z_;or`IC%!t-QVQ6UqS&(NS1P
z$E!7@bSILj{P6M%&qz&FGScDWM8fXf3rDT#^6I_3cB(O!EuCdr+LuoPwIbmpxIa4l
zt?ODcG*h{WnFvgZFXhvOzR5bq3gq53@wEQAp_JNx+c4+AeFW0ys8g&?X{<bsCLp(@
zWr3lf18lfbm@|^o+J~*y>%YtAX&0f##>AfDe0Zm>74VHhasd;sNF~Mlt<zF5oBaxd
zIB~KT7Ji0|4VkaNvkiw8m@)p;=?LkEpu9whkSoRp-(QQmCYC3Rd5N(FUsFQchA%pU
zB0Ex5*5`;s$I6;8<Gh2KE47+YHgr0YiG7Yrbm^j{dXeQ&Bu9CtgVfN?(-utzJ|WaB
zuB6t`?-iv=?d?RHCg+8=yGMXxc%rvNuVzJvtQ{@JUl~b%x|h$$J7%`3&@h)~Uig~`
zznkqi3=-<P5B1T~AHAwY_u|Jj9FghUO?dEyg}FB|AL{Di0o6AruUD-L(lDP(IK9Ix
zb2*G5C$2>jJCrat-#VGB#lGpMqfLcV5zhiHxlRu8vES90&l^C3^M7LYi|@qZ#jt}a
zDJbbpy@@B3C-lo_!iQkMj=f56YwtdHwa!n(@M3)f>jS~hFp${NlovkzKu8a18V*al
z&f3K6riVE&9VI>sY-ZzP)3$D48Wy>)_0tJ>dI$bcTFdsw`3p93jPjj<z_<u!8s!)N
zO^dEv6qQ_c+8urA4`bfZb=AJ;!D)OJhuwJ1u5Jf|Vxvq>vKc?=?f8YHKjwDDW3<=_
z{#H!QeUVx7E)!vW!n<G&qB5_CW5`)7RT~KDSvpD`sz%D>w<;Et{TyL07}u79S}4bl
z(2<e1f5@mTeIdJdr$H+VpadGgw<G%OfOtdwlR$J4L@<2eLsC+L@lu=OHxVjtep%ge
zncwB|`91d;uWt25`RrM<@4gfFF2vkcY;%%I_%{+z{Tc|ADVU~p=Y`cjjYV=`^Blid
z@qKs<g?z-6j(x)zQ5+FV&w-r?u-jGa)k}oWit<?o8oJh~nf3ubg~f##WDVOZovw>s
zEYG+PWdTdE<j$Np{2~wLN5Y6H?ghOW)8841BwFaAj<98|a+d%V(Fxh5-YttzGM9;b
zq}IY;N($SLf`(#f1O-`r5h*#N!cT^%1f^1hMPMlQxACiV=w_6BG*Ke#G3xSKyq39%
zNpiuDNX-t0^lgiM5!(<7-Ig_itBUw!ji<@x<ZMJkOH0qs8<EL^ZCHNur0&ps%=cLi
z9>ehY%C|0@Fz5W1SvAIOhi@|j&!OJ12IOc$aI2M0Vu+feYgyNyny!mX5x}_>c37Io
z$Ge%SWL?Y}wntDQ*Sgpaf_@^BaH{iqrNxvsGU*X+6xNYt`2|4d)<l{4WL*8d%sD^c
zoYtm4@a@Ivqv@D{8}>`1fz%vK^k{<s@r<)`9Yd8tW1bk;y8iW>Uo#TSs$Gj%IT)KJ
zblUd(DMdv^!7v$r<UOP%|3AT;jJdH8dLpbqt8Mj;6W)rf%iwm7GW!eM6G8y~P-F#X
zYE0Nl@`8O3?<<-8EIr4Z-z_4yAfA)6eb6SK3(=CZb8x1#LT}UoPuH&*VlT(HJ*9t2
zD#u$qIyLucY9^;ZP9ED#dsu6>b_rd%W|jFe4^C12Vr}CgFFu(ED?y-^n6Z{oE2EkQ
z+mw7JSbDFEKyYW!k2Tb5P2OjNOr7pva=#}TWUc~jWl|Uw>^*3ZUm4-aVT79BP`a_f
ztx&uQ23r!Mi6DS20}vqREud&_$BgEOMJ;2}6z<8w9OfEy#a;f4vmuS~{ozSn#Yr}V
zwNPa&$|}OLlkr7rD0B)ciG#l-xHRSbUdG4VM^D6osFfesO88;SK}Ir6HB6_J7f=fo
zfOEp3Z<_|S0vr=0e#hdLmc1%iO5WRojC*LL7<lFBXWwPdFPcf7E{FT9taYuzy>#%u
zN2vq1P2{QGb<cUU9*|v#eT^TwgFBQ)h<r+Sqpt10DEF1?b@uId5#MUt%$c`G{J{ZD
zJJ@^~os6!=Lc^K=(<j8JM<Lpt?Pjy|BhGPZt#Cx=B`A-Gk}_4&SCko*hS2*BE<ZY}
zWJiXxp-ulv@~!)s)xr#}kTm&fJ{wnR!2TzczUQT)%9j;Wlr{G^$q8}0C2c4Cbm>y`
z*Ga#T3#1t6h)CKNSm`fLcgsyOW2|ic=uaeHP!N@(QG>O!k;iZkQ*@~kBHGmw)rvyi
zFAEc*qm;RKYf>&Yo?e*AcSeYoVV3vvC#>3m15XPqC_js^bcJJyZs4{tu2p>e5AStu
zYu7W=W{2i--gJ?`li!QvGj%w`!;haxKTNq;?vYP?DMrMYfVquTOAG9^*pGQH3uFOd
zU<`2#U)tD&N8#hWMp)w4XwZi$D@b#25Kg)R;OH=Jgf;CH_7$vc262vC5`>sTK}Rkb
z0V1QKjr=y68E|@)0K<oEEG0BZ*{HsE>#{5iI~+Hby1x5w^1w{$mZqeSZ13yW0R2zY
zM%$HAZzZG@1SdiO`_)qZ{pqxUHgnzbVh*R1ZdaC_D$jm{UxUPcd=|X-7)_GUS+ExW
zmA_xd>H9VKjeVPHUQ>2~vEW1Zhk=DS^c547bFaX5?V1FlJq`)Q1?C?M9;CWCR%6Ym
zb>4Og!+UM!6GDuW>o&r4L;82(3IV09h8S^Ex)Dx<2BQoPcT-}`A%((OO};2Nk=qT^
z6}jb$y-&71lz0O}4|JsLm$K$udjS&Zg#rEO0fmS^!w!<P;tArJ{hten2$t$UD=&LL
z8UzqI{?~!bU&PPIU!+Bz5<_&_w`MwqX~k-Z+JfxB8TknH);o2ZW{s(r#Qw3)(kbFo
z>C?;D`##Q%V+yIex>R9pZi8nlPBrboSj;^YSJF(9q*Jr1GR}%0lQ&99uUw8*YQ4Hm
z;C!RH+kQa!7%F%oG@&J+4b%o{d1|8b$s(>?lj&EqGPHLy7cvPmr0IE#6UMr<B1*fX
z3(?PsW!RWKaOSD3MPhsyyd!=(EDo=MbwrERqLN~A2Y6m>6l^J{NoW1@JezC`WmV#i
ziS*g{*)IQeC>uNdz092)I60O$OsK+0Wu{eOOum*lO+3OX<_aH_gQu}_RgDyc4M?me
zzu=p*r*zm;s>xlVA2A!Nk3EY8K)e~emBiEmX@CNFO{pO*7;6kgK4Jtz58WUiA}JQ;
z6>%1UEJYKBIl?`J#dL{|03(_Khd>+<A&?Kr9Q_i<oCpAhTmLI<^8-!+0+;f8Ul)F1
zQ;R%&Jvhmd5V)_sek0`9d#s+aVmr~zu<<!x!e47|a9lln0ByUZ{x@%-sQ~raXbDmC
zgNJ*Xjsx1G%S_S;;z5a!GK95$xovzO<i!$2N$tQzPJ5$s%Dqff`c}p^DFQSWF`2fm
zqF6R4$(mBy1>cR{MI=D|(3-<6&flFsHz)3ejs8I$Ko>)XcpOcSj}nD->a~rG7?E5^
zwXsbp6E`TeU|YE4^P$^&YZ#Jkco)`6j>IHliM(wmvS(KNnM)!^g^vl9KL^fZJWB8h
zoyM<MEo;7)_dPZLP3;|_1*w_fF2S=R*Q^=23VjcqGSY9V;F|iC63U1v9YYfbGPI@v
z1MN15N~4J9ks-}gak81FZ^YN)O?k>ZLcjCJuyh>CTpnvil_DQ51uZKI@{{ut&o0L3
zrQp+=L5bz9L;a|lNl=G$hA943`<HREu)r7w7#g1NF2pUG*cXi7-q1Ec11Yp05rr~^
z2ki-y9h-zuig&*|4h+o}imEsq?b*ZjU^&hm`xa6Aj+2tMyU?BR(A8LCeow6v<d!-X
z4O-wf#ui+s)X1mn9&@)Ga|qSkQ;>w)-q!jTd*St%Wx^bLnIJo-?m1SK(Y#a*!p9@t
zU{cR$heH(}W`=iTRWGI5@4@gaWL#2{VC&uHul11_B-fxQB8-L@CIM1)n3|Ow1~r&;
zgMzzeBseUPyv?(Ee$=uJ<ZNu&AG%IN`qpw-;Rr&gpfOgel%oV%4bc4FaQf2OAq_%|
z<HhmRpwwh(q!Az_Sp6z26z;uB%7BWFF+`|)D5RJ;gw*FV1O>9>DWOu%AZ@5m#_@8-
zr_l^__BRwxIvi~8hof}K0+dcWfIa1#jyO6NEVP;jrNO=6B`b$k{vY+1whhtPvcThv
zJ^zZ07e3h!WRVSFJ;ZNgN0iR^tr#(QlbHmV9+HLz*?#52X@n>qG9xg`;zt8-JOMxc
zC3-KllsbBVAqxcSCvR2qQWUko5+_X0vjSFCZI%LYe_D2{UFHXt=kgKpI~>DhB|e>W
zjpn_R3_dVLN~z5I_<GW&2Gve)IY!IhB1;x?9t9}BJ*M6(ie<$zO|W4yjH2t{3N>H3
zn1AsmDaqZEFfzE|85;Y>m*K0sJM;LF2G%gJ@+Q4?@gn|9OeW~9Lj>t)OY%^96Id3Z
zg=Qxt^>ng-u<e-kgrO}vd;EPdPRq|)`86Du2r<HS4F_&(exj%4x+CtTcY?bM0DX0>
z^V4qGtz9uXgxM~`mF#ly*7QFlC!LTVmK{Bc&2aJBZr7+7oBkm*%3Chr6RxfMtA%&X
z(RRI8XO|JC#jn|;5h>ii17{=C+?TdlhD1dlbc@lTFRyM~7Cx=Q6Yb?Dy2jo&JB#`n
z%x&dM&bP5ozssF4k7cPqsv;N44o(=5r$BvX2vLaCu82t;D^%pfpArTX4E(o?FIj(Z
zdYSw}|8n}Ir5O|Q<D|}g44I|q8=FpkoC4OHokCWcL8Rl~HuF;#zc3uZJbuq|?}<-5
zvfK#VKp3O?+rEDj*5V+{y5P^X5+iWBcb4=(SRyxZeH;A=Z$_37k#MuLq_qGsd?2Ig
zU*=D9ef(<hS!O6Qm`B1iRPSU*PXUj-hEd1nGfQX|&VFrI@w~=it@Agj7Sn^i1kFok
zBPT8IefB-YYgUhzn=)MQi~icZ!UmLIX)+P2?;||jwaiGF1j!}nMFa#YL8lX=$fMR7
zXR$FOoXws27?hyR*R<_4+I|0FrxRNRtJ9&kpK;>d*@rZ{%K)vQuXXP-MZ!MC?(1Nt
z7jfflheI>FOKMcuxOGwM5VQU?=kgkkA^^=1#<#Ruwj0Zy)}@X4Zj)8xlI%G|z_g(n
z!h|EdI7&iV)|qOxV0{T7g+Bh+6^1VzmEspBEWNY|9|l&Sl;unnB+{N@<4$Ha*;+}C
zUqnZs)<Y~cKNX1&Ls^3v7El)p%0}-D^(D!-nOu}A^#F<xw}V2dz<gAv0VS`}sUSK^
zbWC*Hk`t+E)K*Fbc07M+h0D=tY(l~*bXF+2y*czbVg^(JPT7~DMLi(i%L{!&$Ct7o
zH4W54l0lDgD&4T`8{sapHC92&S%TTy)=Z@{t1yzC!xYR@CeDhH*ymQz?1`<&67YF9
z=A{|uthre*52+j?M+KM&>uFs?^M6E}Yh(Z*xp`KetsME<)Zv!LvFP(sun;*lj^9ce
zgb|jyCzT*mC^oySr!497b;ZbZUN{%3qaA|*x}HXahDwa5MRF4CZ6t%~y%!!02A{<z
zWv;)ahw>As{|Sqk-XL`)kE&QinELc?-)c#)CAL@$Lfy1HNSF6di#;!h2!AK}%3YO!
z;|buqDGtajy&|SDH3ksBmf+<GV+B&)f-fRtG_&I5hmm~Nu-<tEPa$d7y=9Ctxq<m+
zx{Iv%@`GL)dMo>eh?-^rP947_)$j-h7u~bnZ%>=)DbG;x9L=ox&f_7;b89cR5+#MH
z^|W1~uU3NhXxt%?nyD2et*GotL%f!zKuwDLDjA0YWQB={a*{FSSjUFIgukvob(8P^
zx^jM0=qhG}ka<T;kEh|muPVQtj~o1Q^BdYoognra?P4FWQu%POLIH5~{cbm@#eXbI
zYI-3VyS8bF;w8ex?YNLbA+z6yn(p%C@Mp#HitFBmGW;`$1)=p`(ZI78N~rU_Z{m>J
zspOs7$g2P`dN!TLBc13{<L6z7SEUivct+5%6P`hl#mn)hPn6zSM)QzV3)j#6(uEW=
zg(M#gPSPhbKmF`!uLj;Uv5-KUws@#MY?L1BOd*DCBS#5Vp;hl~-{*;*BsbWam}2b9
zT|LNF9zlWe910`!)S(0x5o_XTdsU=SesqihtlId8%xr|1#RtJcb>n*g6E7fNMx<L~
zIdZV?Qe0#VEVT?XMr%6C#K1ZccrLMnpTMFyL6m<?Xs1pui;cXgd-waPO{k)=bQ70*
z>C`^7jFFIKylH|)qzY&)ZMm&1ukB%_AW8<+YZ$WyB1c2=F+dV=_Vn;XnY48@7H;H$
z?M*mN#ScnD>#goVp)nKsTZkiM&#ZSOycCzNhdu%<iB8V{myGLI!&M8IRxO)w<2#P;
zR>#4AXr(2jBc87@e)Xr)$bT4eoQq2-9WK<_bx5qSoxRsz+%Kk<Wd?E45C-b{Y;|Ie
z@4DkBoPhHa{0!XGjI?;fC>rqOw>>ouE%GdFVNkyJhbG}8Osrj6_Mg*D(U2lv$iMNT
zxLK&~x+<|2)Rr@v?u%MjB+d{YH0fMO7RRS)Ij+ir3v+YKqUP5bJ*@_e-)7s;=71BX
zRBWN4zDHK$xll)oBpvQJ9Ik6gp=rZi{wur>IQ^`4-a)vyT&nI!TnscImkf)m;Nsy6
zq_^DFu06Q9Muud2ivMYR*qMn#?S0{E)m#2fS038v8;fUwabSXNvsG?!5xeqD7i7bM
zuRnZshi6a%#;dX>c1+}C2@JD=F8L{?=KAa(BvmDCExLEA!lwrpn*Y{?VJ+SUrA^Ev
z_Xh-r1eBVU{bV2z^$;tjiqu^mS4-|U*8G)>*+YX4$-xVYxYJ^^nND}rAUahwXTI6>
zTG~hALz&W|Gp><O^^RE;f2SRZr2CbbeABbSvzEh<0CJnCh*cw|f~8u;ne<a2w(PF|
zUD_e<g<R$n*Xv{mGJYrlyq<Ws?)+1)DBC61oZ1w~bhhk6g?ghXI+o4#*}E*tJMF2L
zrvNqsqu14Ex%H7EVou?*+u7rQL=BCJVRRT(K$8h1P@`cj2O$#@sl=Ts+3#IV8_WnT
zE+nSX+!cdssVbi5BP|kkePCKhvkM!EDQh#-Si~kIikW9g(NT@_HF@X{b597qI4lmP
zC#b_XZw5@AHs}3>@TLM4P?roo;0AiU6G;4iHmJem{wwxc_JC;KzA{#is<$T|oIh=L
zS6_gR4M&L4V)yfv1nQ22OBx(HuyW(?r<tzfF;Xf4PNzW>$krMjea4Qr`xTPotmrGP
z?S4+$vP4XJ{-o(KZ$Po7zni2+Z7#Ax_9h*(n=!DyH3BJ0yXL;(xci8bV?VFUcx=w$
zbP;5*?i91J_+gRQ=bnW%f9kiK2vY3J-+lN)%-cS=H0^4#f*64yW)2I!BmS5_#21pY
zM}hrVp0-%3+WadBeKqO6SLU`LuNm6PSG20@p<&2C8yu+p427^biy6U4F6HCM0e_wT
z+O_|3twB}yidA~U@j{ls8`D3PS?~PKqRx&bmXae3srXSf<1vuU^`KX#_x&*I+i^g1
z+-Wn^kj0S~-IB>Xc}qxlr_?h-^3Oy$Q)IJpwN+g0qFf~B16j^PpPSY3+H)4|7tPsx
zv@5wC_nI}Q+UA{I*5uk$&TwJ;tt(lBnex^S9oL~YImN>Qz+mHNU4lq03N9_gNV3wT
z)nsYL2BS^ATjOU2hEfz0DGM$nWxbpFnu-wvFVu08-k#e@rAhL?z^e9o6~a1tqwL2m
zmmic(6N({?S?z53WbzD~308g1b2btdLx!ZeQ0Y1xIof*@l{sYDNL`XMf{&1G-=U05
zRLo-{<VMZeq%taf<DMeCFYyUe!)r$C>GwM;0$Nivl;FZmkiS7R#X!N4!j&}L_^i!L
zJgnhK8Jp-@;*pI^%SmcB?Z;w{`!!j19NGOgz8{aOwgDcR;kVFF7!1eTp(cleiQ71W
z$hLAH8>0-_d4(h{2598&zqNJ#EKl^8t+zFVtaUdSv(eJdEdE|f6-Xyc4B)WPPUrSW
zWao0QAN!%-RObyL(-7A&;gUcCnc$N{RdB0$C_WH!oH)Vaho7-bTrZ+OrohRY#I96N
z@17BT#d4-Xc*N-pm}p}|QSDUx;AV)H1!8R@>!Bo-UH*=LTxs`%{Z|&;233FFa%oXf
z(C1wDpTpxsB#1b|DNM_x4G1j`Q2dj!kTcoM{@cVLF-`o|Z8}+0QsI({PlSLS0`t()
z7VAu70<k!=@51H3Ma&~|a8KL#U-(eUwUDY~GSuFuko&Fc#LJB`>UA(bbQu7NRSoEY
z<p%O~*BAf&q+Kc#0vvHfdN-Y}@{8?Vwo|GiGgQuIZEoyvBuR_;Hp7=4QGduucb&2f
z;aNoGWj+KM3Y%xhH;d1VT8*QVw+G*RQ*PN*M$To^+&g6qX#s$B+)RfH>D+p35jeD*
z;IF`O_CWHg0s@m9W9rN>sEX7`|L8eB3Zv1adb%`K3E=+YDk-=?nlzhokRE(EZhC}>
zr7#5V<n6O48{yPyjtoW3VxkNUw94!%+iH_gA{0?c0PHc_i`4C?(<MYXSFlxu$YJWq
zW}8AdW_L_Ayj3?Q;<~n2JPg|k<LzraVWoyehFj5Yri}>e5>jQ?xH2+KQDj7Nh4!P*
zKJ5c>g^faCwTkEj8sfmVNB7UiL-(h<@*PgLpJ5>~G*Ik~M*@s&85#P09g{0fj6DM6
z=_v|H=w`IM-<RIy0wyePbM9cNcX%a*V?0?0Ql$d-e-G{Q0!j`I&k5ab4=y#CM9&QS
z*nc`(Vv+1+$&jT4EN^}J!5<?;xW}oR^3@xiuFtn832!9zQ_IN|qgpR?jolc{urC6h
z{74#V1KBk7Xik6f3Mrsqe&{$Uf%Q357o=j2yN9>ttMGMe^ZH9s{L(XZQTMM62AnQ_
zB}klQir^HvJm<0g_ko_6<d$V|I^&{;pXa`Y;8SfYc0A{doOgSxT6aw(aU01==bfQt
z%|ji)9Y`CtZ?jn-8kDJ~`7quyv8p2A{Z|E_V3z&vM7l4K)ng`ieS6WPF0-gG-kom~
z$Sq(IVkso!dl$V2-RVQCSPjpV>Y#-EjQ3mlinjezzli~K#_AIzalTY<`&2Sa86|nG
zSSuadX(LTDlTrD>q)aaUi{}XvvJ#yboeUF+u{}N!&VEbMssLG{)z{z8X?cdMqo2k4
z;L9rjf@BvN04G0#keTbycg;N#n3m9m3Y!DqhZS#%=m3HP*4XqsdZhl%EY7({?SNkb
z4{V(5XAV4Nwp90!%gUhD0PhOF5?ixzS!UVpGwT>~rU&e%1s)j#osn<~&b^3>45{GH
zjZA?W@5zz+ncVm|-GT*MPO=`oSbb0H@-Nh}U#1H7JbQKiv=iS&y{RtxSo>B)j!V-^
zo0w!yo6$I3^4!H(g}d}L>`@nkuyX0-5L8rwWx7Ft3{%#eF;~-#oL`G${GdZL_$7F*
zx%#tH<i5u%%8^u&4r8Q)vO~8#u+n@bcbON3<#0%~ERApKlIStRGm=5=30&-Ga8OYH
zX;2v#+%;7@cDl$&`>~AK9*Nuq=6LqsuO{gP0$&JIl}@B~-<ix8_7mz(rBF`f+&>lQ
zbtUGfG6K2xdYm2m_W6!%)^za>S~bX07pswkzf`N*D0CWHw>AIk(OSaO7B3rXUzS^e
zzo5UyEo9r?T6ZX9E*<PG`)%dU(Uy0e_VR4Z3Z0mTm)U7b5e1Z9RSsQMb@ROlT%4Pz
zL%oSYgWp@7N@{*Fxv&tAh7@WasPtW-%OfF2NE?2WI#w1$L0#?BnXjrRRmv?+!z7=N
zg{KwDtRF>mzKt`tUD3DA(k5kLK$Z3)SA%hByA3-M+kQ#p1KFccQ_tIy&BdNbX@gai
z9VRX+qs_N;3PS*hxKp!trkAz5Uk4QV$br}n-MY2HgfUOhF&CIIT9b~RptX1Forz3^
z^@{)GpJnq@OSEfr$8*b3G8qVcHU`Cfl)GYY7z^$;sXfm_sRW^rqM+%`wt+27)}e*r
zVm~~M26G%QuoE4zrOF-7P%jwdiYz@!py*vJ2dxu?5glSON1)XsKVd`!s3i=>!wFTG
z1?4mxke`oTF!!kq+kaE*QNB9NaFj!i{Zr<6+TKsElmiibHwU}HtZ}j5at8kDQe$eE
zuDN2*O9-Ml4C%&~i@uc>>k8rvG1p8|oAYg#97v&vv1OfQ!N*9@1p6twhu{3_r4H#}
zzJf1<UN0P{eLozu&_DQwUgto$i8y-O0s}Bq_-2k`&GYiC_W8qTdI^}1#4HOSvt-b=
zsQF;pX%h=RFTBab-!pym35^~t5H`aDCh~FQ-k8)0pKKK{Y6AIxNCT2icr#hPkhjmW
z<x|f8DJc_G4Nl>2#CWV*$jzQf|9z42sx!(j%>@t+3_GZL$PQrunus>F6@Kt?A3vdZ
zh7pk0QC9(tQX3BwkFF#patRrh^C>WBF`{6ciHQP{gb116LeThhbQYpbE;|&wj!(!_
z8hWdIV72ot*IO~&MS@JUK%LJ~N|Iz+p_qog5iJ8bV`?gBsIVbGFJX7Iywguo1UeMc
ztn4?QCJ#i1rd@AG8ePjIvY7{>f@rZCj(W5A?e_XWU}q9Rx&s04|0Ju)dC960oqk~3
z$ihCs75h=!y$q(+Osnd6jIqMw6_dyR?}SIIVz__4EbX>gfwJxQ)mPZNL`^65hD?K!
zFA*oUj^`~C8>&^xNt>+&X`IMUeRKM<iXL=B3UqAKrMXF-qzP;etT$$dvlS7^e=2;+
zJWQ1ftdP?7$MSypOGhhsVlh)zW&F+MJl3H(#?pG3msq|ham1^QHmMO~I#i$Jc;#VH
zBBENWl=hcgxhnh+C#ya2*pso3&2^gGsXI4PfTySA_h4jMs|M{<pezazMOTs&x|=p!
zp;S|;vl<#f(6l>pkSj)fMadocPjV~?pjeeJ)jTB=1cqPqeqvxgJo#N(jr)TIRp^<o
zb!l~lg;|@17mkh2D5!2MUDNCd9lddMiecI2@%uzar#aSZ{)GJ&fQc7OnS;%cfz04E
z4~bGpu<Rc?Z_b(L&n!bx2;b(&CylVAUPIq1Q7%wK>Op($13J^Xk6~!?S*Cfa>YN!o
zmQ3=bS%<Q^@Mo7@;dS)W&@g^Z_?Q3}-0&r@`-o*pP|Bc9Twpu~zLipRh~4@7_v5!-
zvR<#@rNa<rmpnQm0;m0;hZX!1SOWrwEhiZ$3B~@7&g<tk4Dwhfj8Iu5tX8mmIU-~e
zM4!!V<moEQ_WHt$tDfiyp)pu}|HlXg*f)ARN12B5ZO#?t5`sZ)j8oDxfkCj>0I2*K
zn{*EJv`liIQqi#n^LD9s{Zz@lMgs|sKyC7BC5e1lwCw*>;$+$$#T^xG9o053EBNwq
zbZDPy*7{Yysl1ve4&6!zHNiSN^wF=3f67s$Ra<nD4WZ?4Rc5@4&1&`FkkQarYY#$3
zCSDw7iSWc^!2q@AsvEJM4`>RBRs35!uOQ;$nD4OMt3)(T+mat8?ZAL6Q+BP%v#>Xz
z|EswK1M}bFnA_mu(>1Dxwrz8kXHTbPat`Kd-|+SKDa({i3&@dvW+xsDy_?v+NXyp*
zQ>Y2o9=fX0SUJyX7-~amAA@lBvc*>8*$aL`6qLQ1y2<?aXuqEmC^>)jP+t+gsQ_$D
z4c?lFW0h%B{8g`*ID}!PS&cesaHrMYyc~%!Eock!uO#sF+pf|iORG5i7^0W2K+w|b
zG5@Fl<t%`<2MI$y0@1B^ghMU>{ZVby-1vXxKN8zGGpPxLn`onfA3<PC19k$Kt`~gd
zjttoaoKeXLfUug|;=d*4SP&foQy%q?=C`OO=Ojt<6FY@TqsfJqCdbXDmQbcJDq?eN
z#TsmjLViF8Fb6rnB^yl)zLVN1@oi()_d`XAu)<LoVtB|DOT%$7kv^?Il%W`!q8ND?
zHiKNn$8`O#-meBEdZ<)tDAU{XM5perIlPG$|A3k#N*}eU-%|Q@IJmQB{@7dkPcf2n
zh7+xz?(ND_fZZbS;t9tSA8t!#uGB(vvk9U8<!ufE&^C?71;(MtNiK?n`1b10{ghXy
zPzt9rRNqH#F|1G_9X_L-wB*@?8Kj^zjMvFo7UiZJs{=YiDrkBQocWY>x#6i*{0Qw(
zXstlH(-;EBKRj^aZj5VIp!oRBWAKWA>EtQkfdUN+(#A?OmFKE-nS353bu4E~&}Xh?
zDtiu=8NO^)SF#i-z>`F4!oe>6K4Z;q&g8U3c4N8YUX*iTz-ghSnZ^-A3XA^tn;BFD
z^Q~MhVg3M~+DW|=$+>@@iE__Mfvi?6K!qRx9vV=$MokC%3ICAR9-inw?{heOIJ<Lq
zVOHuq8sJ$Pf>6HkLJr&Rf+hB==&#P5Y8&I!+0`~HqOk>-UHEdVbFvh0QGT<~Xta|)
z;ie-OJbzc!%`{^0FD1KQ1|H&b(^pvmNibm|$B*ZN?JLimF(m|-MAX}w9Uh-ODaiqX
zfOsk=R-V4P-P#r^cXdX7ov^Wa%#;!Mnl8a1Q67#c<<*`18LDPxvA4|BO;JxtiMhQS
zMN$EexEvMv+4^UZr81ZRT)a}@EZGO1eHas;OW_X2Oyoxq`dFN~13=Mog@!be>`!1U
zErK!7^3+H9iJUQTdrI6}Ey*h>8Y@w{KH%7m{+`6=d<+YGxRi+t9ttrl3c#VZu5trc
zJ%mgDNc{aHjenUou>d@$%7C26Vu3jRfpS4?PUBb`ms<I@w1=z))#_3AWE{j4L46w~
zr^4=TUrxFt-f28Z8wi5Dqq#Vitd!2R+b!j#A~IOi-;$_rc_pY$QzMDwEKidhH?^Tv
z*~<|fe*!AK*DcwUT<Mb#)zT(V20h2GTTA>PrM@+mV_sx#OrzwHURxikSOdD8f&#w|
zOrtKKQ&$NvarzHa4FDO`ipf7+qN<K%`DKXUz|8ss%aIRyr3|-t=j$m`s7i36YIp(*
zb*AQ-(~|!3{Cfgq;h-hFF$u=Qq^O2IQy}^9Qr_Dhxl$4f*!}u!p|O8fqaM?A{}3iG
zwR~`A5ueHU$>If2A&19~gi@M{WVFFU_V<*kT-I;h&gd}=END#hc}c;fKYc+Io&mu{
ztrPW0_J1z8(?5FQCF|C>`lgVLEgn7fv>}4(<!h#`^Tze{wb@Vhq~I1HpH}k4>kb!b
zQNW_%>sbI}3^MH>Icaj0dL4|T$m-j}o_$$07xz~nFUoV?7#=rwb|l<a-bMwDIsqjm
z^=+;>MuHeWy1?k>#->hF$Q_GkO{`;-k`gAJq#p2VO+aG#qYBU!8@&6sa|QJ@4ImRh
zr}rmOaF{-!PY|T}V<2F}`LiJi9#n9+8JfOniIM?gUL}cG$V*!aO;pERBG=TuSk;mb
zywZ_PfY(q0>nQQ2%NW&32$pz`sGMBN8!I;(87=kYl_WZq4DG?5L_gRKh9yhO@Rts4
zsLh#d?9E9*R;%Gm=s=sQ9I~{d(ykOya3eq?@Ual2oxg+)6$YF!@e3jRRu9l^P*awt
zSOjH!taP~HDAU7_Uy0C$z#Br5n=(uhSs4UQ6B7)$xD^L1GN==UKnsS5A+Naf9p5vo
z4I(w{pA|I6fp&6h&H|sRqqp#k6#1t9^KDRl_ojnsQ^EKzct15=-cRohS({@5u*E4n
zr!~t_y9`oh#0BzbwV1Tl{(+~Fp;mKZbVbVdtfz9qLf@I7RKGm^xtL-fH-lsC+ov1`
z)yF^~byo&+l=HGEE^F@BJf3lla<M0CR=qEg<Qn{gPz&#&5b;7MFUR2D0smf5(Mqj^
z)(?2pwc5g?aAgEf_i73gU=VD23Ea{%YRDB!gvt-40Hw`^897^`kQ(0^6YmIysF5T~
zjik(HWacyyl3?OC5lf(^5}h(;5oXvKlTK*4nhBb$xuQFg&A#sb`}${bx*8IX%X0V7
z{FRRP6%&#fL#wT6_`h3{iRZ8`3Zj%H&IowzM%JW@9<H0c>LAmnyia1O2f`K`As@G-
zWTws--`<EIz+qfKjs4aR_^)mpgVjiNt?ZaMxc2OJfYh18PPZ}-^k-tpU%ZTv+LmiQ
zXNi^8kL8$Xqg5s{cb!IcOfb7d$UW~m6osuv%!dhz-1V~}!I=m5{J@-Gisw5U68DTT
z5)lnoZ1ebd==7gcKmi4DDpR9`IS&%T9lljz=7uI^M$S*<66S)+JQ3E!m#Lh!GY^kS
zWGsqu3jp&B0ufGZJ~*&6?vcXym&I@}oK?w0nazSV_2}hT?nL%u7~jX`z*euVJr9(p
zPOco?6`RE|jzWt!Z3Y{|q$06hn_W^&Y?z!HE7I0MGM9=eu}^HGhKqj~s1v5doa4d6
zpM@A~b$+O`cD(#ro%msHZu9<LNK;$$rh~wb=>Gv-K%&3!*+lb6I3gSh&P(7hAF^%J
zKznNnSnfBYgE3cyaMIJ;*h#7%F-)@#*wlO3fC6!)hh<+TE@Ne5MiVIjVd=Y5V#Ycm
z<c(+NBUhxiAljqo^T!$_(fltQ<`gpKRZaG5f=VPC4$x8cw17^+2QF5*lM@o2)txcH
zce>O-3_p&1Rh#0q8MN_h*l?6eWyp}oN*2{$NQMP56r*Z;=0$SI4#fp2T1*!ch$sL`
zQ3Tjv6OPW;KtAc6@1@KH(9R7YJ1{O55){&vVF#aJW)L05kUEGDY6I=+%SXtmv_gYw
z7{d99?WqBBs!`LxKqg)J)l7gy<f9OGP&B~-WIvpY&}Ry)@JSXm9FJHY_L^hU^`}n#
zM|Q888bDCsp)`X16rt4+V0FMC(#Ct$g)AuSi09Ncz{S)Z8I+np+B9j5ro;a(nW{ua
zpFo#62?hs>MeOGVh8<PqO0JNSFjF=HuEv(QYvsi+`$e1a3~8zRG~5D^RO$jPNlhwA
zqezYgv|N85L`OlwIJMCoVmX@6>K`AX;ZEmy$NF-T_K`VVTwtY-QR-w1=#-S5npJ1<
zl#|nBLckBTu~itOQ48T~(GKEJvex;eQs&%E2vki}bs<h|7>6em#PuLNu*yVPZdTMy
z!7~DYFgeZ;fHgjltwgjk#0Z0M(kwPwK%$?=C@e5^N>P$AW?F}gp+Nvj2Mw&k08rkc
zOOgm@jG7qlDEkkIwvdrZ2Zu2^YC%(Uy}|@$6cL9&law-1QiI4*3H?ja#|O}sjWKZ`
z8F)sKvV7qtMqOq7y=M=fJ&q0fR^^}_0C*HY`6G9T2SXwO6TPDXR~6?Dk5$lV5)1RA
z0Ennab7*Pv-O1<1KEUW8@8+t?AIa0o_VgZl>E29xgp=`1p(<eHPpuEpM!I~&%-jmE
z<vT~i9u84qAA>w}mrLL66HjJ3gz7@icHeA4&L*Bldn;;CB(HVouo)Exq%;L@iBsGw
zoN^#o^?nmDh%8+Ki8zdH*lt8y;@;FMl5}BXOg}R$RGxPcC@_@dr}`?-2PgR^(#1l-
z!3a=62r*$5Nx*zW^I`ZfR757MbrG>)z(7cwkRFkXOh;HZ??KI^H`@_Hts_Y%jTla;
zEr(T8mIP-IW<YtuJxvY{h$N{$<OYEhE)ocU!=w%kf#&9E3>ORJGi%GULKxgO&EIRL
zIW$vdhQv+#O`#$tc!?!^!D=b9qreFe7b(iEpcOkoQwgSl<A4s!Cv6-Yb2U-|7RhoD
zEYMaXZa>3lAH$%aj-v5(+U6&6bN2%GdSnaF!rA%c#e{MPJ;8KAN62yZDcp5vNLfhz
z5rv^MkVK<t?I24Avu<A0-rEJvOsc#UO2@~-f7k=vj)4)8cfVxCU2grhhyp_Q5536m
zfB2;-LC*m5s!~j{4Q(`rmDE87KU<<!IMZF%@4Tr?99AgLl!7}wUo<@MMU%$xK(=Zc
zVoKl`j-)=im{C|Ku51ZhopS38zW)KB)LMt4_@|HY!+v!7ogT~;TIA)BlRFk!NCe}=
zbfFlBbv3!q8s#U3h$k}w7bJ2tlKLYkIl5z35@AGHY-{xs`y)b3CrQmX-cX>hw6yJB
z{(vNeS095yE1q!wBg$#g5m{dj$vU9-Q<?`BkDfk>3L^-Ba!LBnDt*G2AYjAmoj!B{
z>JPqoS=}ZPO*}XJ%3}k}xG-SX0}>{Gm`F7CW1x6-k%5N`@O`kk-BV9ZBQ-&UtcA?F
zq&MilvY4e%7cyPZZpEaPmQggLQi=tn7O-FGXhl6r%aoEWOpPSkC0vE_Hi-T}5Q@Zi
zkXT0XwnMHMkne_L8>nLAql^r4A(;)-J(1*=NQOl~(6XAKf6?&`Ofb0h#%>r`Tt|xG
zbBXv(;S7Y_En*lD;GEiMfY~P+pl*c%DPlqbcvD2gwgdzc735o>{vpqWycIZifi41J
z8DayBdY=wkhd_1(SHg7ffxHCT0{AqxNK71Z1%Mx5Jb)wv>>JQw0FDI|55JSVH{qY`
zJVWLm?4CV%XY}9Ee8dQdX;(vp4i!66jO<C3B7DN~E63Umq$6iu7HK=+4{IcL?Pp5|
z1_WKDAa|3jU9jzd@o7Sxh3f|+`)9`B6w*Yxr98sx4+ed8(_UHdW5gZ|x^2}C^z`41
zu2p(V#4llbqstCLy-?&USawIy)uPf+x&G5elXt(SO7Wyddfnb#>B>k5iS5>_T7(2n
z08VFtljLNIL?qISI}?L9${g+`077_%P)477!U$xWYHmVBjP1+m=_ndKeW0_WFW0`z
zcuGeAPO=dlWeqbe(oNwrw4t*=CO}-!30N09@<ru$SGbk-x;6Z+>eIGYb!icm?ydKt
ztzgj%t8E;tyXAMRse5r?C#juHa@)kaT)L1zF`*_{Wnk)FxU$z*Flg6WmRC*Dy52^x
z#Fyi>hN72Nu-6MKx{g_7YcA_knzU{x2BNQ+HE63{tyn%GE-s`!;VEHL{tRZ7KCxXi
zt-fF&ex464E(emz#+3mL*<8-%tEdszEg;gMBiaF_KxLKI!=FQ|N`R98&~)J@Vrf#z
zK3CTvmK1GXgl2Hl7ap0@Q_7#GCsEPiFdN(6ZXcn!95)du6oJ2KoQ@<|Q>im!4p+w-
zJ(kI^k$$B4Drv5mi8zE~0zY`-?bWZA55r`8nAa|ddtV9BPM-YA!iPa~3q=&QY6njx
zv_cAzEeI+^$Up+k>zjRg)8For`j*inZu`K)juJ(+(0~r`=Yvc>n4Oj8@J7IAEO4vm
z`w2XvVLKR@ft)%_2D*I#3J^w|@b85C@i2iqWg)@>GOfhUc;}W(;r|fW8PBYh;Fl|S
zbXv`CHPcu9vPQ`(5_&lMuL-9ly?*<_LnCDJ<+p&a`^~pihuOXPUgOUL3puVWX1r~*
zEeP_UdQ$v468GP*UeP!Cuzk@jad~RUGK0!IR>N}nw^6X{On{$(rMZ-q5KiegTyo1I
zcL67^Z@+(Yc@^fJA?%9qfQk!YVj`i_js1kLuTW1fsYdIHw@4yc8vWMyS<Ed#YpZ!$
zhS;`M3M+NdFI=8o{OvHl<nrzlGWaFQ%(?-5lS>3w%)dpkdouNTd^KgrBd6U9ep#1r
znTG{KnQ^FQP(UJvWds5iQcLvU!LVQ((JrRarrrhN03&d`y+me%%Z1Vq3~P%p+0;Pb
zE!CrCVdbw@y%i&{7=RI6daGeimHQI_Ow4G)PK)#ajB$U)$^=WBlpI(iu3KEML~ybg
zUR=l`Dvi@D=)7>&0?Ql2h0+u)+CV6@Qa<p7E=vE{NK-Vbhy*0(l)8`!8;ZwVSSTh)
z-niIQjF*<&f%nO**zhh<I<#m37l^^J*e_x!EW7?cx)sR37|76oU%oj=L?HjOl!QUQ
zkR&B65cx+Qg|MeBt3u-c2rTh4_!c;Vs=Mp!sTeyv${W4Y9_R^rsy60_{}qN{QNi0o
zDvfop%Fek;<zUw>5wtbs;8m6FaCgdsTi(>7Y5zC{5~U<jnT}GeZYs)F))LSF63fd8
z9jvS{khQc%5*uCTV*nP`aHVTi5wtj0VGwThgULcZ0~uTZ$ixQ#H*t_)0bc0UZuz1C
z7vDM1l`-EpSH5pk;IQN+^JoO0eBuEn-#LI!G+NSH7^%Abt)qQiO9*nWx27?iT+l0X
zBt;2dQna=hGYWT_q+KJp)~**+al(~e0aiK7hOqYXqS1Wx_$9Jd!_yPD6B0fHaT2W-
zM;fPFIiR5M8$JP939&#HqG&6u!9N51WRRFLr5E4JB1lh{%w(6yD(3uxM}_jU@hsA3
zuomm`ci_UmCr&<YS*Zqvx$wh!E%?Bnge;G|A!I}F^afj=5R8jFAuJ2SS)Yf?`zG}^
zVSs%Qk_GxY2AA7m`&D{6VMGK<bW9mCPWdYI=C^*1f#|50HjvDYi#b7c{T%~2=JbRw
zWbkxvNU=E-5sJ+m8r;>cGHiHES5O*XikjesDXv8-{&8Ebv<y5Q9|V4Ia&-~=!3jfr
z8r%3ar}#MEgo5xwUD&Z(Frf}Ig_uLMYlDi;65AmpXAT1xF)zV_C0TqJDy%p?P)mCp
zV&EFiF$hQJ9Rwqk_2{Xw>uW!;gU98u>lP^3;xQAovBi=Tr8g@=CC%Lrm~(Q|<Q{2q
ze1cOzaq>LTRD6j|6)%|-yGaZq=X#}2l&qU)3nAXq)VSKSFa=!B-e7!%o^S}eALt!O
zhP<7z*yjtzNABR^Y*W_<`w?xy<+1*|gzRexUMM6_5!nmG$^t|~^Ick79_3feA9Lk>
zC(nlJo3V-^aL=?ZA1&1@v5TL2^4bDk#BnUvfDszA&)Cj@^Ooh97h(#v0l`-ehtofH
z`W~THppZZJpYKq~=-4CorwuDUp_NRzdWN4$OPO*BKyfbg(D1z=i~-4*_5hHB%^ci$
zqnJeOPHK#y5E>SQcD5kP8L)Q(5mTO`5^b{XO}1UrVUK`}aM}@&K)kvTPseCM1+AnB
z?QJXYIuL!WItsC;Kt1iD02WXV^=^a@Vq!pj7Dhl=X`z>g41f=14#p@poFTpvc;5Lr
z4X;y>1<dGTEr=ZGVxco3Wr3TP(8LuHXQBM7T?|QFTWO5?PCX0`dos#kNPt^RNp{SD
zrGNlh8GH;AQ;~mit2UZ{mDmS14J91MRz>=`q@e@6TTP%rHEfOU(g3ay7m@n8O3jM^
z2$#Q5<0F211M(o}1NBefZ+GQI!_n${yh*ST_(KKoKU$Qje<<=@Ei}~Bl0<2uCS>sM
zbxv=|Yb6Kr;LtbiurDgu4dv+OPzx^+Y}(5rISYY%Z`#^rMZ!AR8`Rtj$lk`%QSfMN
z3)!Kvuq)VKEDO2-)jE&Ahf(o8YKxix$f}Q$8|pqK51_WGuZB|Dv@w!{y9)t9_x0#I
zuil`x&*N!}ik2N^tgyBh{yMMzcU^z}0z()6C|~@q)&Rc-+7u0b2)MrncZEb#VE3p4
z_g&1$5=LfSfKSlQX*^~Cy#`<kmQnYHfVE*5Yo_4y4||9Z6M-F}x#d(3@G^=Il~4il
zwtxaJF9ReKSO7l$>I+h(7*;$BC=>)?b)%VINsI%6*=$xHm2?6bDvphhD#!$8vXBa+
z!Vpk>>XdI*LL}`Z!Vb_`Fq4&10Z!;W@m&Wy*^X-^z~T@JW7SzGL1iqVI!akWQ&16c
z*+**0{_4r$o<gXsbtOt#x_O3U)l@NiYFJ`4RhMCx={RFS;R!0rzVa~L8j>0v2SqXM
zs)s(RC~_MWkXO2(L`yNv7FH}LD}l^Nf<~>O>A{$<AQ0eQk4^-~s<E9PZ63r|V*<y-
zR|wTm=c-LWdbCvlfqYPaf#%zQ?z*~qnUi2C2;-y$I6u+?ohl?iZ;rrMHl~>K#Sq{(
zx8N(UB+N=vra_7Vot#DjofR8^r*9VlTc$^@){{J?CwgMY#_UF<AlgyJCp!Dd4;77I
z>ZL=)JV<qA;6%in60Qp!Dtcj3*GRCj(Hz8@LDfzPV8JIgRwSgdWl+Es1>&ek9h1X}
zB<Ar==YpuPb%{BwVh15&!J#}js(ZtNsNM>ZlWcv;I1_ATK~eLDd|hL~LV|4;ROy}|
zq0bDQ3Vs4Ak;jV_a3~)F+dpnC9l^ytjtuU$k`<-{eZZ!<6#i0NBA!#hPhw$y0^%;d
zDlszPk<Al(R!PCj(c6P+Qn(U70N(=rsyi;ls5myK7Y8p_ZUm-aSs+T*vIMP!s^A~E
zIgK2+Hj+9;yIE-T+V9*PKttRbQ`x{5fJorc6%D|bQ3e80sZS0LKWDf%{K285j%H%P
zL4g!$Xy~g$h^u3GROUc;=ooY^)V-F5kL_qAK3pPbIY0q%p`Dm_W~VlQ5@|4zMlgLr
z6bkgYkyr#n<O5DLrvy$0$f{k^9VM}F$_QA+BcTGfK)_9zb578E5Y8enNIhs=7b3{M
zNN3eiauK@MU1%i@$R--}Ryrl{(2Z%T!@7rVWK$uTcH{Fcayv5kF6_?f$7Wi@Ze`Mj
zW?%PqZ4Tlrn*r4s0>Eq;kTN4O1>%FjjC+g=*Qs%%BD#S~#Cf`Z5ME6e5JY@sC6g6E
zR$8$&moF)NxcGNvFt}D*&lQ%Wgyo{3sHVL($9=?X3gR!3+)q)Ezqn3pCa#FR!pIQ6
z!*0^qQKLYF)!Jc7WN|+P7}RMAA($FU%{W>iNH+wLme#>`96Q@G{R(&O`V`54yZRKc
zowy?F0_hB}p0ZS!g$ropU|B;ZAx%<&3Pe4FS40RMEr<|4o*+Q^@L>b~q{IwvNmBx?
z#2QT?ZnMS##G`6)L2P<NNffIGrjmU2mHA*KIysds<Y`pm&3}%#_oIp~hG=+mBHD<y
zKwOvzig6Q4BT_^FcU5iy3yawtl%Yr9{6?7s3lZhE(@M)EA;5@;QK;G2h$sNkz(Tk%
z$*RsWSA8r-LyY$0m}K)|hH5~Hg_6XOYzk7z4C7boWkwq%lweZ^&sY{xMi>MHNuy;s
zHtv+LDwC~&QAmtAeIPL9Qd~uoMjPFMRXD;e(I*&1d^tyotlI*lryO@+jo20Q6oo`J
zcEGBWFervZ2gNo#d}=7+@j3<{--3_nAf}lnK(b&Vh!oPGkm8ik7b{ABF@R}wbfheQ
zsH`4N{Y9{7PVrb85aXez<NA)lzGGp*$9|)f8}IyB8~5cAD#|h#nLE`RVDY%fbZWiD
zf$YGL&9V*|rBHCq@PmeGJ_;G2SO{jmfI~LM0vWA^Xmq||u5D7NpHU_<85<ZsQPQE0
zYnBO&Z5IiiAf=#kbr1w3uAtpvf^gUpLcrv4iqcGO(||6&M~8`|Xm+rv<p{c(NrdKv
zTRZ}`I?Xi|fCZ3WO9I0`;1s580D{8%KPfdWFAe?=?*9j;|AV!GY1S1bpNR(Y1T*Ey
zMG+=-2;RT3Co}9%Xo`r<#6}oYL_lh$DZ7V&K%Nf(g0&9-fKTiLCGQ{^VDbT#FUST?
z9zZf9c}UCO!rNpqY1g5PObPOllB>E#SWe(v_Y7Et1+tn-lVKnnqM8BpQQ&e9#)gyi
z0Mchr4H|lYXp^W0qIrOBcq9Xwgn)Ak!~;VfAYFVA!JCADm>eO14Adf6C3s3B8JGql
z$tS^*PT7i1H^z~dxsy8u`7xwc#wm$;e?a3CNFjg{g7obouP|FUEd~VDHH6o218l4T
zI1^9_z!qGZliXlQBGkhX+L(EZQw=5oqH{a}g$gyM1SxNmWXOAL3Cr<?I^QM*xMskT
zCNMi9AB5>owWDr6v`$u;qRYpO4b0IQB6(OzOlS<P{pqq_O-gZ^EJ=T1LEqMh2|YJC
z6Y05<`fhR;!I^Mu8RJ_MR3%BRv&7lIiLvEMVa%Y~HO5XQfpyvn(f0%ZhS`P|Vx}@t
z#b9sK5``)l8|9#={>loDk=aoxDT<Af_EbyWa-*JRDmxRRqEb^88ztzdmIp;dx8!>R
zAmNq<n}HJ+8@?7B@Hm%3VaK)t-B=h$e5wl(_#>pk4>3U{F&XbtEkOH8g$C#XgL`^_
zsr4^V6o$MIz(CCzM$<-FG*Oi<Six_-OBZ^UF7?hVW-MHMdX@l-<tzagsbC1bO8`ad
zlmRv*Fb2j$0Buw-2E(9$H2DMpw=TdM8+HKP7hnw-y8vu>7~+D(@_;6TECCR$>y!aA
z9iZo2pb5Qjp(8P12#;Q+fPUqni~O(&df@<pX5<Zua)ETtK$+3V6AQTlcc6(%2cGRL
z1Wj9rs139{fD))eKng<-AOz%{KnbFPEvO7W0Bleh>~OFivxR`9U|J7b%R(ktx?QnG
zjRDe7exM^3P#NaX#ev06g50z*6Gj?z5sx%7S|bTM5Z<SS0buz?7V$v|_P_5LK;d}G
z4<;s{dLYt(!23fFA+#{@b3+d|fPqjLAZTE%%#0L0cAa8rWMGKM0V0C5>#rp9#87nw
zOaA-3^btVveAFMVjpN~T0I?uonCd_bZ|~kpG9&bX0I&<Rft@=f>;x_V%^+oi0zj#N
z4-yYX@gzQfa@j8kZW2tDPMw&ft`ddSTuNa&1nj(fgt+gtON&5Jk`71olH7~QAZBO*
znnI`oFr+GKQ6t?fT9B#$gUJeDAyl-fYEdB<N=lxqg(%RjUUEUwk`fL?`Y6{H0*jEs
zp4EOwT02e2snObkq$ne!5k{760`)lBGybx)<IZFsL(sDdu|xn;rwOhBM$!E+L<9k4
zw!x-OQ(T_i<r;O$6(9;Wy~qbD%>ZB`JYb0wV~G$2FebBUmHyjCNOEs90guoIQ~?>`
zVgvOcYd8lI`KALTHVtPINc_``xnigSeQG&@Sk)pJ?+_3K_aVZrB)dR45qeY%LjY+&
z8CqQ7)SBlG;emc22}f!;B#;2efFsmlKoh9+P!2qYqS8;PAIVM)R*ArX4?q(BEg@p;
z#CE$UPhE}9uD}x|N+j88Q!t{XGio%gkVTfSt1VZnEmG?(a8_FWthMbbwLS?@Ds3b>
z)hep11fk@@K~;nPO<;^uSSA$K3>7tk@S4F1Qn)o57Yqt(1Z2u#4UKSwCa^{aSQxw)
zBlJs~Q98@i*SW}-HllTwu`X>#@I}#47es0j$g^sOkTfHStPzS!1^7kTp&f`t#Muhw
z(nz?lQZ6h~E-aLbixCPSXAY+jGe-vyGghGl4C5E%4E9PqKt@492pEI;C4wnQV7kb<
z?qECtN&v%8%?ryF^ow&5v<Jh>=^G(uq?V2<6)<8y=nV&iDrUh*rYuB?V#VSjnj5A}
z#$zH%ck-5<Kcu6APtn3h==N}ElNJpU!aqk2pQDG5(bfm(_V8$v6q+@PO&ZHvT4t7Q
zX`2=e5~&7>Zw84z57FVUXqM#ByTPJWleBR8+Bjx*k9KyB9e+faq|vNWXx3Uy8@V)Y
z@92{7<cC=zLtMsU&PeWI<c!#_BxenIBQ`6^8Nz<kXfa5UtF(z4wRs~9+sPO&%JL<A
zNvT$VYE^1AD$<&jUZTksAu%f8ol3>pM6R-35fV`VQ$Q^d(E#a@cq7<e2)~QL5V?3G
zU{(my%E4?UH)_r|j#y1XRubA3gsHMuOB1SOBA^YEUyRKZ&;*GOikX#9QSqNvqtd1@
zwZx_|eh$q}V2O^Hm_?#`OE|U1Q3Im@!5|i}Gy#x<sxhuMqZ9eH7_$th#q`RIZT(Fa
zV_<`lIxf({fLh}y=IBx;CML9EC<U*G(6O=cM(RW|n8@<#G*){~8!=76Q8TSBqI5t9
ztG2@t5oHm>-KdS=C|@-ZhBqzLyUTTzeZv6-upR^gmc4+Tw6g)Q!i)xmtCPgyW6J_n
zTS~x%_yD4SQu4t4#-s#N^b7(DLF^1|$FMP{%SbH5zYGEu6Ar*56#(NVd_`JR1VrUj
z0>3r@s#taaf^>TT){K}3$*@{PLI(F7z%dGrU>K%`una<21^|M*qF&iF!%9FY5VlMK
zN~2P;o!{633RA=amAxub%wklQp9z2<sasjO*NkTLE0Z_>g?IHEB^7DwMVf{9M5X|e
zGM5>RTIsU0b5qxuxuyVbM#V=9Y;iV4vBJn&MugPlf*x0V5r~~u8M%U@nY|rwnZ8ou
z&H9N?X6A7e&FfQwl97qm25;4Bb2m5=V>dM|?BD1=X66eL&FzSmWA*3BeH8R*i6MJ8
z>LhP-H&0+B(V}B>H}JRI&H9u}H=<O2WODWqrdY?~AEZK-ws8tt`-f80MslT%Kz+^R
z-$GsZjw#|rs$2MjscRdxOL<cNQHb7|DI^gNq<}zmBo#v`A*?cz9|4q+WVNndYVF>P
zr7%)UA8M0jPsB!2y!NR!G*+aNo>ZilxK$)Tgi=QcMI;14sUf&|NhK0Gq>=j7CYhDd
zrpF(xQr=;Mg;A6M(vn4CRV0$4s!3#lsUiXmNef{&k(?}SQfh4zQb@&GlWmDn6)bd+
zYFdN=scP^MXqhh%(V=5nmgyupOBt1G41hPt0YqX<NOF={aHS-Yp(;rPrz8)T+s9@0
z_}jfb!Oor)T<PSgI&TL%Vc5RZW?yRGFQhM}^n^UVkn3w9=)T2h=hqkT=)=<fme60%
z8#(h55`2vge8C~Vn3ZqrMrQuRnzVnM6r=vH%04>8qcgW88P<-`n8|rg-j!&`j^u+T
zo!K%^LncYth%(&HIE`oz1p#Sbv`;n+JOx9{Kt_dP0x-CE3ef^1;i2HEOCO+R%K>;W
z@D;xn0`HV5ASDXK1)GO}cnI(gXC49Xi@;eO1WIxWfH9H+UCY2(1^ncI2Ou<t@!F)t
z<qEt7ob})=g(L)^l0Zrocne&IfOV;O3nA;kTh<LAJG2b4avn$vqS8QJ3P=m+S^_u1
z&=H|lfQ_g;1!<!|RLGDQlghLNVQ|nDgRKD>-n0a5t3XC|Bn8iJ)WKoEXehaj1p!Kv
z7Tc%kAhi8j3PCv_woM)YW+xs}L2iOUY5KGjo8aGzp@x9i05piWUNjUTMuLYx&`^#7
zI!-puGzS0uNU5BkPjR~aBvj6%fWga>0|!-LIHoHB!@XDz3XK7xC15yrs{zYOkQ_h#
z-jOZ=q(%a<pfqQ)L}Yc;^zmCdL}YbR1Cb$MHNY$eg-Sqh@{$7wdXOCUf=Iu70!Y8L
ze(2W@bg$>hA$ogB3)86~Yr#lZgbG5$by5~BLc+m}EG!%OlDN+*1vuScu$4e8B?Kc0
zhw3nxCX6N>QG~_c?+<4S3H6a-J!UK=L41`$11eP`l8h;qG+|7C$qFZVAx0ULe+DBL
z@pF;*8I>J@l||TC5q1{rF2e3b*j40q24yD08A-6l${Pb!iLkVkHU?!T!x>Q68hrhM
z@IPQ}@irGSe!%z>VYnZ#G*nH6&WW(AVr(fyO@)3xU}jQmF_fDOY?EQQ6JfL;usD#L
z3MdJ%t06WNs2<Y=586!#(z+1{dq>p$k~4|7+Bi$GLBq$g%shJ~!^g3FJbQEl$B}$I
zc_{~u(2@AcXbVhv2dq3~_#KWJo${H0@wx0CHz$L};<$L!UJNF>e3d)e7-(}WG>oN&
zmEbVYp2U?iGq9yh>~JMa%%z5q>he^~%0QMfmJ&K3f>!zvO2C8?uyVpiY~G$&F1(d9
zGLR*VTBNDtE!3%+Qrc9^%2-I_Qo=@MAWImM1hJH`k&Z$MQE_1-Gm8lr8`P=Vdnr>h
zIDxd*)RjDCEF^cr!bW8%ByJFbRA>-N*w0Ftno@#Cc?cy@lhUSUbfl@Ai9w`gAZ<0W
zXA{~26JFqi(NvVKBV>UvY?Kp@QW7emf$<~nNkKWFpqv;06K5b%?eG+P9s-Y2fKl&I
z6np>i;5TR#Ar<>J&;HGqhokc>&j5J}Yt{5@FZ67PI$xPbOZ`7a%U?#$e@4weM#3S|
z{K`bSWg=ZRM@#pgqh-<3{K`bSRUI$c{*93GCDKGqyoHQeT&fw76D%1?XvRvZosijx
zD$6`C+m8alUNTs^;7oyE@>pxXfnbsN77V`v!cpCZK^?q_&{u`}A-Y&UP1s_!Y?f-x
z8cE?mnT9b}`(&~vVT@G*c0>46Z9fZiW*FwZQq4bKg}}~O7Y_sDWvW@C--Xr(Mjxvi
zIHr0q{jvBT3;zS+0nLZ%8zvvJSx6oIjDg!YY(8al79Z(WEW0&9Vg6N_hu#w~`cl%c
z`c;0z{SV>2wTmuHkV7l>T@ts9x)hg;x-h$Crd5@e;^tOcxJt`$T_Y{U0!CYk?Tv$`
zTgxnrwc#Tv4iU1DDKWB;D#pq{xrvm4Ru)nm95R$bxMe6pM=!ms89>uu%PJePczo=h
z6ipdt_#B=@R*QTDaC{Yb!SGkXi{RvQ7s0_SA0v&y@+}M>A`89pGP|E6S3X9^bL3SR
zzDa+DOQ~dCcPPn%6&O+?iwD9Y7+$6L-sj4)?R>0O*UEx+zEt01<xNT7D(Ic^I+MO3
zsXBsKQ$Blxne)*(d*?DadW+)gpFbk4eElx9?u1xWBZAof*z+iHn6>FbIv1kwO!j-E
zuU-FzW=(kERpy@_0;Z;X5~?%D4TWaJQKFwQ!^xxU0YIbN9B}jRa3O@xbe{!xrWBb>
z`TeLb6*0&HSiUdiP)PwSUzgIoEFq<enAI#)*9jt~HGV6&6QM(f^p&4_I6=J~HkK=H
zcbY!?%?o?Y2z};{wut+LPD_jj;_y33%qO`yOl~JWAN9Tqx+^u2C1f0=?tMR7)b*k)
zpLMvQ%<e3}oyR6dA}Ar}c>OcHZ-(6>5;o}@vP1{-JD}Fd6O-~p<(5d5fXNb|WQkTe
zB2nKbvIC4o$bbw*$=ER$A}LQ`LP~oADM)NZ7=|<6NNOt>hB7!}7{P&vV<tu+j?)A+
zUNA#bsKhamMInv|DGX#$NMmO(LsgClYhWo1WR#>fBZVQ162Sw{I3RhtDGkU0cj(I(
zevM1NcniPcVR!s$F8{LN_Q`x6+jT5o2PmXB6Y;;KrZ@Bi7k*>ONM<M!kjT`eGBW~@
z-*+3J1;*&H7k*<fDGk;F5Zq*!e}|Iq@YGHDir<GNqLxBfE|&-4#?edciUa;~{5Z5y
zVj$@+I3Lv#C=N`NupB{KaTfvp2lqZ8{Klmp;i*UXc8EjGY!vkqf}Y3lQ`E3d%}9km
z8kDDa2vhS83EL=KNipETI|ijm;s=7B;O<k?<;r^-xldBLJ24^@{AwXj>g4T_ZYMj*
zWAJ|5r?y!ZE4D?P7!oV03P`;o9#r7vJgq0`<!KGal_U0wD@D;oZ|q8yvY}L};uS^&
zj;bK#c~A$Jm6UE1P(&N*;!EnQi;(D&r7%jRFcs9M4Vsk0#R_0%p+l`PF$gdUQVs<u
z(b^$IlWJjeWHNLfOMt`3cn*3Dnqwp^2b9wYtpX$v@=|6VLM9tlm>|VW5Y7mh#z;iY
zL7{y_6fdha>Au#ALD|06j(N$R*-44SFq6no!TUZCOrSZk;R76M5p$1WQ+GBJBH$dp
zR!sf+H8nq7yqce`JmcPer3J}R51*-!3M#gW3eW=CrO@=Y+YU}R3N7xrWq@u^2vu(d
zYY47q?by*1$oL2JE~n{~M55{h-BHQQEsc}hg`4ImrUi>(Y{0)Y<K-0bBWXKfZV|c7
znf#PoQFgnxIE(zC;3rWnx$BXX1JQ$0nw2*>3<J_Oh1SCf--N)PIt4TNjgnn!mu_=3
zSt!?YQ$4xQjSVF<o>a1elIloPNi}6@4&Ds>5(Lc8!Cp+X{1tpi&%sqiEc_9mxc7$Y
z;LpJz0++ipNurdih`UNh%XmpEJw~MwjZS2;%3Ro;BsS+#_dhOY0+1$V(HVt6QW0`e
znL_DEblIlnh1RFl)lyzkNxQ2^6SVVl@}<mDl@=O^Dgres0qv<{fP#=lHi-H#8IKM+
zvs4+??v>!Xb>4que=`|`#H0|GvnZ*BnNeb@PvDCati)fE@{o@*m6DJ^DxQDO?)VBq
zQ{hNqJz`XZ!G}nOY(@YqF!|W7jv6Caid5XK0+7Hq?7+{=TvCx{V@*Y7Yk7yuKx!6P
zh+D$4iUKJpldObCT*->1FP<IE7U7}wIP%STkGzK7N;gyct})a;btzp;a{4hiT}m?I
zY;oy0pd3S&9A_AY)&|p+PBL;!K`u0F+iqJ>EuyBI!%tI6Nu<QnR%JXQMZ>7k>av{7
zq^4IBC@{)QGMp?YwN&D&Q8<v;zM=%w;)f+y1zUw&Wl(ymK~#XN#G+|)1G30y-&9TN
zFXbMhiycL_qZUzaDBl!7wwZy?mWybbM5e)0Or+C+HQ<|*O*o{PX)qL8LiL&|M3$OQ
za!XoEdP%w=9E^yq1YX4K6phjjq7Iq}u=U1zFFn9=tT}U>hpS&CQfDtSoq5WL<O?}&
zoT|=1$1!72JrDsnf{Vb`ertI(CCy{zq{*y&)kQTon2iddmNv<Z{KOP71Wa^HQzknm
zBcm0A7L^%TgiTM#8^tleW4awN4uC_s!O#eF1091v&LwKNn+IA4Y=?CRbq7Rat`X57
z?g7<e5>XPE_b~31cXl$j88-}~hHS$tNXYUsCZ3(Oih0ar5E;W2e-&62Iy<CqAsZnb
zK@@j{Y5f8x5f;#C$Th+nqzO7gOaUrTlXr!g;0Q~sBm)WW1jNBbz){!~+6w6f7Wg=y
zzXid9t$|12t>C@4EU<J1(*X#8*gPFiv;wCAUI2u^DDW3h4sZoH1K;wlKX|rD9-s5u
z<|XHQ)y>vT)^XH)>iOzEu#?OvXH#z#_T66HJ-Yi=Hkw;e*y*;+R^#qgo-Nxs+tsxR
zwBxo(wB@%mwehye5J#h28SMwWPtf}BS>yO$?|t)u{o}dE$+7GrE0+9c<Q?EwKNeHQ
z7t;gr0PGm<O(@8>eFN=|yD;$@m)J=2FKiFT6YUR@;x3i3d;{l>xT1#CsgxkuNR0(J
zDpJbnw|AL*4`Ru^iSh?mse(tDk9o7>j;*4Gi!4jYpA2<b6Z0r01>_HYI})sn<0*!Q
zc{tMdt#t?<^@m3z%!vrAUfu-vgRhE-OM61csfL0lF7b~<iSHX!iXSi-!jrD?JTB6b
za-LI^<6Ea7-8rVoP&7{?M7oOAp9MW(U$K?cC0A3ucEJ|tZD!#s+ckQ;t8+lJnxf6>
zw&I-}snJS}(^0lcHOWSrlu<Dz8(UJU;fjECNRv7<5{)R*ri~%wDbhldSpq}nk`tXW
zOcWLBl|g3PoZIl**xH@i)Y>R*Hf<ENApPgt(r++|?Dl!lJ?Zo_OoUtM+q|B1b=6bR
zbCBtEJ-sgQCdI|_q*FUY*Kpx?luY7RZ4g-uxYdg@X+qRFtCVJ|vnZcjsMn$8CK(#n
ziB3A^S7x59gFFMaP@3~(yxTs+#YO89nyIlZsi4oM324x3jmmHSd|{>|i|2QebA5+5
zDj7^>8w&6%!w7QbWWBs#VQWEaIOJo(!<2Ux7u9gkD}@as_eQmiQ`VGPU)Nf-{Fp?~
z{uC0Vq4bpqh~iqTCAxxCcpV7pppLnbrPQyKg>Pv=%D5M4AdaO-=wOEVhw1u1U*mL=
z8L~q4lwS9usuJRNx$2cDdz3&#*o04*M3V$gTfY96$OYM=`0Fb(+`>4QAcArse=Ur+
zb`zZdO*}JcMgw4>lHy>Y_Rd(dmjcYg?N@QU@?m=RGHRJ3=LI&$Zmd4UZFaw1cFBMx
zH<8}`-bYwBtcJ6)<;>~``2Y+)Q{~_e)*h=zw7V0vx!7dyz^s8|)-1RZ7^oktlD`Ih
z8e~VV_$dI$17Z0C=XNQK!zpQYf~$~<O#mm?-~ri8&;+eNfDf?fU9ibrxXDxanO0#C
zzPEHwE{PC>`R9RvvWpR;`~fdS@Z(4j1*I&)&mw>!b;1Fb3U4`==~D&0Rx0SZ3r#5+
z<_&bxtEf=JO(SAcE+40*1w<%bo|Qu62~BpGL+EFpRORSx=2zKUN4@4Y2>a(YW?HgA
z2}^@G^?4x@6Y&XDgcyYL4xGSi=C23WCMR;3Ofl0|Ww7EkBxb*6Cxk}3e?`52q(DDN
zn*LH-#2?`e&Ip?IJ;39n=&tspuE#2U*3-M?aQk}<8P!$_Owx9^*~xUwEhE>0pw3;j
z?_W!^+~{3lJevc6sz$ogzDmZvWtg3tEYIkgf~!QT*GNMnb=s&EC`>m0sntb&8WPby
zUWNEd^PqbyE{g=7A_{JRydd~!UqW`e3J=C5h;rX>1^a+6tO0!B3+Dh|7y|Ra6)y=Z
zzHIqN50w$0$eNlNb4C7w_5hGV<N-B7fdGwq5x{PN)B!d^^Z;=z*9Q}A0iN+W0iGn>
z^oRipBBl|9F)7Fbs&WS9Id!CvxL-$B_=c;_e(=D6M@k*9(J=vjvn*I;eH?2re2!V0
z-xAD86_sU|!c~hIR%N&<$`{2?l$ofSt4H0{lTP}nKV4YsuBz9ns*|d&Z#7(wYOSv|
zSyuH_i+ZdXy;WzuRX?>?FKVtv)mwn-qTxEIKhCNi$0CNLm{4FRy%Y(7vcfQERzzD2
z&p(JA<OQ(mI9ogtIA<nS>zvxaP7Gns<KA?Y8Uc{HGu&Mn3Kct=F+;gY0A-&Bi6*3A
z)ZPeNM0hQrRtie~f|9Hr!yMU;9;A#tdmmmFe{UJ@ZwQyCj@NgDo3Yenv{}4}i;{1L
z)H6ScFI8TBRa0=YF)*`pc)|g;9=@C`Q7kM)ftE;?x6KW$hm$*D%bl<jXKW)gwhCr;
z!)u+e^yO?BSz8XyR>O}AU>?HQLt$(b%q@n>`(fg~*eUYX=ztPOq<|*L%55jD=H=>>
z<?3Qe)mXSx99${`9KVTnTi;e&*cABlDkKcdl}13eC=a?NQJV#vyL~J}{+zfwVg*j%
z)k!3MDOr<EJiM`gZ8zP5YctDYHpm=kK^2>Tx-SMJo`i9LIJ*h1Uo;u(P`wW_#q&Y@
zrvJ7Lv2ym4aQ4ISrI0vM!L9*XICywK9m*^%qF2qi3!5?+wh3=oa7WDG0OH})mTc)i
zjLAK$tgUz1Q1=xVEh>bx@hgQemCK_LNJXkBYeiJKB<iVah1F8KKPsdS?v+YA66&Ak
zx+$JlMK(_8rnOxZ%?o0h3v5#~tcqpi@k|{}6wTDpOgzhKKiG9i*mY4nAq3C|x?2SD
zYGeWUf>;DG1h4`@39trQ1ORu6O_mRk`8b;XotKPZp6sWr60mI9>#$A2rjn!or)r@8
z>Dr&tGgy1`4OV!~VmnaEA?p)dlcqU-0346V085{c0KYcMH1^6g_EI$UzYcpx3VIxz
zbLNiygqTIaOl`nPO2A1JKvYuwRipQWwkLK0#SAszueZpKfGL)n<dt*el)KO#=b%02
z;3SsHn418=@U@gS0rYAEnWzZ8tV8XrKzWc0J(P}BkPHow4=0}f<$GP(uWPAQ?Q+dt
z*EN;xahqP(CTiO59a~(RQ?<_RJ6#v-8K`X50;om;sFoGli|ev$MAAGw!6j%y^=L*>
zXhmsYLS0x#s*%MA<A!(DgtOkjYnQ-l55Q`jU^R2F8t{V+LtW=sf1OO;`nmnJSoGC1
z&s`0A=LQ;vF1>l$_2$>8Z%(lKHAb{+md~$0Hnjt+<uWuZ5&MW5ZXiLpflV3*;h`~A
z3KP`}hN>0`R4yK<R~S}W`RcWCRcnn>%O_CE&`!$*PRh|v%Dzs@8Kz}y6Ecor8EeT*
z%gRj4Hb%;~BV}O`vXjV}Qixe~NLf<EEUvl+SeVNy8IK|+_>ql@Ds887LkI?4%D~8!
z3hTJ4pj~$LM|D4!wSs|g%u8@UQLU=v0J?%D`dIW<cV(6Eu}aPYEw6^_M_wOXb>MPU
z4eFsSRROBC<P-rElAsKwvCvx{t19{CIJ(6r2q{5~Pq|EFt<D$qPZKS&Ih?|Ki9JB>
zq<EPSfBuG4UlA=c)m9T7UF!<`IqHBWDh^Di!=BMPrBmC~2SXun@*Y!%2t48Cli^};
z>S6xGdQj|Ro)$u;aCa0S9KdR+Ntzb1wbk$~hk0ua+97;*!MJ;A*ka||DcIv|SB$rN
z4wBXpTt@ZD2E3Js_uX^0Bid0>uf$s}Z{DcYa_nD}9T4)DFpFwZ_>mifEKg`kPdW~(
zxmbNjR5`BNU{nH?hBFB7Ns7hLW|*p89Mo5RENHnt`LalLF*#aKl1f?6O=~<EBc-7o
zOz$#U(jUssScM_I8D*tAwIX{F@<z&eIH_VM#Wk9d%GgMcEJWoL8)_yb8)%^0J)c9c
z4HY1^!?+BHR)&ZOIuY1*QM@J;bqlNSj=*Y$kSC2Wo~0s4b&12OoIC1rP6X8CaLC71
zb|}a~>ByRy2m&yliG=!?ZmG!Orb<UP^g*^H8&rczr6P4A4N?u6g&@~Ei|XbYeO-<T
zWa1Bfh1Pl?9=;@U95OCMVwqP`--!CD;q6d0BT7<O6bAgME%^RKOZzErBZ;Nn+Df~7
zIY4X;r)n+KXE%L=C-p)SMp|Lh=TnZ9M^DDU(lpnM>dO}Z8kc$V_)NzPO6^{3J#y?9
ze<g1YQ+p37s7=X+wxO*9D`CoR(2|^21hK`V>_aY#LGYx2x$l9`nW=^weWD^v9T5oz
zDIv_Hu9=4EzRU+YnH%MiD%`0jc`Zo@Wn(L3!{lL>Oz&n3Bm|H$nN8|e+3w6oJ?RkT
zotI6D-jZ4Dcy?GlO@ox^u#%lErghLWte=e5`L{@YBBBr-MW^6$oi++nxHxCNftlrk
zVjevasG)d@2w2O8v;7JLL&U`iqM57n$-Y_^{YxlHVE#Z-1unK+3AfrG+7^Y=+B&UH
z^jNE5nZ%aX(QYhYSZIttZDc$SS09Qg7KWi4<J4E`Dwr&%Z5c6#&sIg6a-?k@gM{Ox
zZJu3>06by+YVvG?VT{fbPWpmNov*>9Of`Vj5~M=xkt_r2Hbht?HOEM<6cVNW7z`en
z0y8{DUMyZ9c@%tgd|3Q_{8ijl;Dpg8_{ufuCczE|L|-9_FZ#P3hjd%Xn+N8ktN;#q
zq6$Zyj^G4M;>HYP5q-=^rOt>uhY4XYF@|g~LQ5Um`DsiNrz0gm<c~EoWMCLOHi#mp
zE09v`fu~4g9wo!=Bv5qjY5|lQM;Ek(VI4h{`{Js39&Mz}k}ixuI%D*qY1q)nM~){e
zv58_H3#k^8>T4cZbNwU_!$iZWlpExrmQ;eny@_0cv_zy8kWx7FypB2%mSRnAaq<i2
zSMrh9oKCOK1;3v`k<$JNHOhdI1k5QMleCWYaUyz1OcV5p(pX5D#XO0ho|z%bGi8x7
zlG;tg+}Tn<h8@xC2Dl><+p$h5FzSj_2&9lK6=al#43XR>=BiReZr_p*Y*r8teKs7I
zC1B*RX2&O!qBu^YaqP7f4jFSUx>yf|1Qo{w(7ha6#Eg5AYVb9{7CA;GY!suceRUEK
ztyL%0WJiNh*_5^IbG#!YlYAiGNSqKrNOTd|OSmGUlJFphNyGrHNO;kbU`<Ps2LAsG
zm#_f*(JTWdYH$PeZR`LzG%5hun#%yb8l?bOjAuYS26zB!j9dUsOeg?lMt*=OMb*F=
z^22})^5)<UAxmHdNnMKC7BYnYG8E7Xswe}DiUEH`027eF7U>{Bl#TiILj^~r4O-zj
z!*EscxG$|S$dse-ur~%$jX|YF;KF%$Gc3FtTv`n8Ee08jL54CgWGsvtbVdxTkb`ZA
zL8QVEZj;J<W!<y`@KI<0EL4~R6szC@`Bs1q6ccO7a#gSfaFDPAkeNUR@h%VoIXyrU
z!ioYjDt*&i66>C526-n?1%W%@3-V-O8FExW402WA74iij0kRjs2T=nc4e|bf8&Sf5
z5$Lz)lU#E607Pc^1U@p<0G>8j0GS!U0LU{?10Y2EFDNmgU;${tfCgco;0BejwxFjm
zm=FgK6{rUYzkmioU%(kc>Hv70bNIP}oq!C&w}3Z@wH5{TD&ztDE))ZJQg{ZTe?SL8
zE5HqrG2jQW7$6G41|S4mr~q72&)~(@qPP`)QLxQA>N5qUxOXZK;MbGdEnVs&O?^W-
zj7T=u`YF{=bQ{h~ZVqk+Bhx&&JZj@5wr4o66W#6D@jR$YUFSJ9nD;<WJf5LxZK2K;
z<sRZeGsyrtmW57m!tD25LOg`H>1*lCc7}Vk#vV(tscT^79S}M6E{!Itid(>A0{o18
zBLS^nVU%xEKvhYqq6f+VaLyP2wK$*wwEF-(CH?@vlCT4gT_6g{qWDBl55=ZeW~0Ce
z#()eM$|p&<er-%-7L2E3Z0k>fqys(x0~&gC+W@06k=;<=N}(X@h5|LqHjxo+2zXb+
zTfia^UQ^9;XHZVQq|_7qXbj{Td?wTB9~^;fCwIUmq27>GYpjJlx-kxk(X?>%6nOE9
zgPBAWlDvnH3)k!(xbYa_&?I}h21v3aj9~Qz7+xP?ppK)nlM^V&n30mPJbWOUO3)HY
z+gnPWIR}c9&J1vlLGd&>z^ehwi;ClJHK%zyCJd|R>_c5?(;>`<OqHNLRU8~ar!^eZ
z=Hd=nHOM(+RseF`^E`1$yxEt)(9YhFy&PZa%<52~jiOOpZ4j{>JB0wjqXN+JPRPK8
zFv7v7#3-CJB#F*AXh=c%!$Lwg3YroPepJwqVkuKXLFkGa5)XPYp|hadQH>p-h8BV;
z(@K!Sa~6!%xLh$1cwwmtn*j#rLq@jD87Qd>3KpcpEJm#6%&=||IT*_Y7Dy46|5@Ou
z#%C#^!=Q#I9`OEl_}pOD!$Xdm9l1$1DI;bf%Gic1it|fRHn#>w!70{ZJBC++f|gn~
zkrp{ZAbAra3~4eTJt9OD#7KZBM2Im6kq3Bz5NijK0vve|D+Kg&U^29GGvFI`URc0a
z6qpz?;@(&~g|F?9rkPhTvUS^&!zmM6v+-@mkN`!g#TsJ$;)bIVg4Glf>kt$RA&Q7h
zgslO!s<sB=ss{>@F1J8rZCBy3>3Av#YjBTiQN)8NhZ3$@QlUWwa4OVsAg8F}L0?F(
z1px(pb%|94u?%&%r19<iBcQ)mx?~lhCXN&=?)pL@po?ik#8ReCG~NuFh4YR<?;Jnm
z(?F~Le)tXCjnK@EieP4dA+n=Hs(HSrNSmb&3xZVd?clwHF6DqUmX=%RZDFJ;^wV7=
zSDmEYAL(NOOJ|C)(VoMFWFXqhY$YZvSDE=+Q_^$G8jIOmj2ODOD1oMU%d*ZkTspK1
zGU33l*%wgJu{u5H@?&cfGCeLB>wX7nq%!X`?Ap7a6_#A^&K2J!9%n9MIwG4OTZD5&
zy1P(~4Cx5VsQ|7srG2FDKr^imsp%M{kj|#7gkQ}fsYFtZUu(i{vcA^YUrR~Ls@KZ;
z`8j!o3le4cD>VjQ!pLZbiX(8>kUWH&lB@WFqE+PsWf2%?8o0@Pi3ZAsG|d=QvAV8Y
zCg&+e<CLPxWhjn0N;g?bCaK9tYiXG%0&zJh0wNC=83n=^Jfc8_XD|>()0hY=q09sq
zOy&X$T5|ye=Q)6aWR}1|Il~4%TYTXyEj|#WVINeOUa5a)Q;OC;!WrkI{8HN|#W2hY
zxBtCCP?z|eT1kCzygq;4>rbEE7^;8dFl$DS3MP8Tkpn%k=b@hv<gqks9@drNk2pnm
zvF(vwOnHJU%EyNSzOmL|ueLi=E6t9+r5sr3oEhnCb%ZMRI@~Jz9dOF49SVxAj*~@L
z$8LpLW0O*-V}W^8Sm88PCO9Y+O2-5#R<Xy_t88#DDw`aA6;8(m6*L!f<xYbrDd1HX
z2nv$T;3!HV33|>{wSO&kmn#-*j4M><mRbTjiydm%UW@b?b95t$z-CPbwTzNA5yi<G
zPhR>sbsCIF)k6*1X@?$Ky1-)xF(&jelcbx1q>$&qr&NL-G!Act=as3w#2^}Hk~0!b
z!&1x4pm`AvP2x*!1$cZNfK(r8g58ZpG#BgENx`Apg4-<M@@oaIfOb`vKOc2WlTXj*
zen+jD#*!bVNUdSO0F@HaD;K~Zq^VgCQf5_SZ9-{)88XP;G(fO>aGIP5(BC6!(jup?
z<ZLk*;Ytor&YGY`9=jPUA^x#cLcL8YAP0Sv*h~aLl)9`cp_+kUGAAgh`>Zq7#73i>
z2+G>THSBf$VQvHr&D0`>imh6ZwP5X)C=6)B2R*r<fx<2W2bybz%pO3u;K?GII3(wm
zU=gttV|xYpG#jLZNcIA5Hbe`24Gb-wfi*E63@8Oid0B`B2cjSq=sY2rVsJ)En@9G9
zG#u%M3~Ivn=5VgIDxklHtn6eN<W7J~JM@xlAo+ID4IFiWJanL67YE2L2H|c;g<Jcs
z0^A-aY(q!C^%cpJbEv9262f+L=O1ffiS-nD09rt$zu`zGGzY>^d0*6Oh~fNHbbey@
zC-{c!J`A;UhL+86$o4$`QLYEz#H3&0#8*S<)@kCghtvw;Qw)d{8NXK;)o&TKYZ!bC
zsCNyt0v?Ve!|=&B=v|pwhmYgpkX86ScE1l(qVKN#DLra1xdtDR=&lTmV++L~8=;ZG
zPZ=DwuN3t+QY&06(BZ=?0+97Aip6i@cCRlUXjzA;Ww3gc6#RL#Q3vtr64><*U!?#E
zv9X6YbLIjEtE<ql9<F(Iy#zS*Md)(1U+wh^;N@_c(l^?d#o_A_7{(b<+yAQGm&D%&
z3C1w)a0x}#ZJdxn#bW?0F<otnhu1?y4m6N1zy!p6MPe2BgF89=u0uOD?GD9o_U0jU
zTbbVQ^jE$-<>1a<b{pSZ^mWPqjw*i)oXYKIiM&zQ?q_)0?>GeY2Z20!)n_N3^6XoX
zj=?_jqn)sG@z2*)-DP;I|D5pW=h!%i_V*Q@X}}>u^WQp&$ZlqM6Zm$ssotjhCoeo{
z*e6;zmf#DDFMoK0flu#oS@v#VxB%<plg@jXkM4nSGnn1D;%8<$neDIfb_lhJ&|C=q
zZw_=bklu9bhxE7t1?{m|UU7f>oUWlgy~QWDG};e1Z695X?Ey7u?_9WehnHMt&kM-N
zySOw_0O5ZYSiu2!!0Yc@c8-iNslnpab9ECu-Sp4L*ey6540hnb@X1+^AAVqQ_vVX~
zHJrWq>wJCq4|pvYZ<GA_y9dUMHJR^ReO5lrCxG3a|E}Ak3<jeO-p9bId0koAopcvv
zs;K+PM}@M(sy53l(sVNx>edIkvY>TeUb-hb&@vfWh6|!?S-L^I`%fcEQM8gEclyZW
zn-P9cZk&0I7;YT+VN!fFcNKz!_V0A!S6{gq&rbt(6Y^bF?8g!wxjq_8%`CnrihkGn
zbQ1^|io|9-H4(Nfwra~iS$mCuEZQK^mUS|Hq>V{xI{?iXVwJ1ST4xJ5+BDH};ksM7
zh0F$*4G?35xNeIsCBto5a>y2P8Op_$HUb=%3@OQmewgCj@|atURtwpnj4R28hhbnH
zGGU>3EE5~lTP7Qv#Ct>;`6e0JlMO|MfTseHT3qEOUtk41FrHAxOc$&LB9U|WTLfI$
zb`V3KnT5ErU6Kr(-~;87({T*UW5<NIJCRiCG_rn2Yi9sPFPfNTjQMAtbK2vbb-zS|
zTK>JPDHC}{<_Rqc8+pwgV`-Mnc5ACV*~F78ZL3-va>jNSGljM0!QiYWYzmhPSqhgH
z(V2eF5jHZ5-P3?$z?HpBz{4)BqD+VK=&~J%hCtg=+)W3ZCpfxd=pl6r@NmVQ@pA@z
zK&L4H_C9_PVAHHgw4$g}BR!Nb?PAf4XPK&NwjKMZIHp)gv{huYNP%a<nzOJisZ2+6
z>$hc>(kO|AptLc8HgGhii3(@aKw3K5mIfM2GD~&fG}H@4BLSK~^*RvM&!D%C8Ed9k
zE2_%}wYG{rq++o{TA;;(iW-p5`w`0$#3o#gD^MIJs|cRC&0q1N`_>b|G*g;rC}VK(
z4gH0A-UhGnXe@9q;jn{G&{qP_4`y(-9LW8kH0XdDcHm}t(>`Z&|1BEQWuV-qw3E?2
zkvTJvWGu%}0m@n{{3V=e!$)3tY?UR4Ws>C;^yP1*Nmt=g3nuH~fQJ<22_(x*GE71^
z;8c(+-GEI=UMHfl>uR<}J~}4iHi$adOUsH}81{k$BddjQ(U_WnkC9G@B;b{W-ytI|
zA8xdOSppge>`Fkk3Jih<M1}xO4jeMT0^PbGq7|JOYCObyE!J2+jEb(Z?%pTCk-Gcx
znvj?)!?YZqd{k0Kx-uV)$)E}!ogiBSwIuv_{+_Cgg7=6g-WeHJmk2-%G(`%PavTD0
zgaYKVrKql8wZj=6%fXT0WEmc|!z0=359yb;Hy@U|7IX$%yhAO)h-7;Lke6HPN^T4c
zjJLPY{uahmHg+fPL+zUQqhJW9QR+qTj71dg<~9_xZIO@MIKt>Wnn0prM^1qtX6o|3
z=>b{^5**Yl=fn;mo#f@&-PfVXM*Fi5OKx$x&U4)9@wgLSBhqXY)V>w2aXbKB;n-`O
za<{C@-Ke>jyL4;J)%C>W!3`7*ehkFeGjT@C4aAx)7?`=2!Y1!8VAonGu42H?0dM3l
zkgy!EV7D;430^Xj;)&9hg?I|Ll=LeAQ9M(;sZlzzMLURq4PJq<U2sV?O9E{;2}nr*
ztO?gpOc+QtVH<Wys*)}wUnT=--<C;&C)PkRLx72iwAcr@>XS0qk1t`~<+&A73Gx;M
zRY>uVSyz%J<U0sh#&$*l3;~S@w)B;VXbCmg&h>y1mNAxLkAZ=LpTaDJJ}i;vv21D)
z*#0T~sJZqT#jI)hlFf%!EMb(hiD>>G^`BbfCMIdvhaoHg_IV#?;F=yQ8eO70J-F{d
zbFsG>YFgCOX8s)^f@HlCAju7wp%z)pcif6p-ZjnJ<F5lD2ys3kO=s1(jZf8!Ozu(`
zD#idUSjzh)9Y~Un2O<z5a3u=5s}c};oA?G*jZU?=<8!MUmaTHBVU?pf&xf!Gh>sBu
zf*ayE1iOeZ2>%Jl5+EV?M*v08p5YGy9m2STJ_3IQ#s;(%0F^;50ha^U1Tqdh6-fo-
z+>|;fOEoNgP6hf3loaS7a4GO}KCJtb_Yb=MZLU5B_v+ut2}QQ5#IP|E-p5##s?!l7
zmDHy1CNE+CwtVgJ!mk(ve4DOZ+B{QxZR20kUqYz2;)BEGFRGrSX;-g}e<hxgdOhVo
z*j~K-ID6(MMN??Bt`n(0Jp7w*JK$HvJBl5{=yol)W$hnP1>4hOrro+cvOU~BkE#{#
z1xy^K_KFbuykx%aG{q{M6EKo@GZos&j$_^Nr#>wo-8{@tp3LhiWc9&}-xEg(ot2KB
zxNN;ib$_S~%JQYXS@d$#+dw@&@}bH9FM?oIOOl>Zxsl}*o+R>@F|7YGfX|tjc3+H!
zxcT7;h(0Ws32-~bqY8{0_z7_B;>(Q|3M^4Lfz5voIkSKU&73g%xNbh(*MC*=SL80M
zyX|^3^Mhl1eanlv_l3T4{!7jKOD2VGV^}aBCgQ~zDC0cO<_*{)V<JiUs92)Z@bQN$
z$EeT>5=sX1F!J1)f#XJd$B8mnS=?Y9sjL?@v7OcqWsz_ABaFcF>x;4HF)P7ic$A<o
z8Q9Kq1WY+I?<CR@MA;VhKu3=zQlrQXDm;n4Si$q;IkLD)TNE-*J1*74IPnn0<p`F!
zJY^#Q&6>*881aT;@&wcdAGaDw!*LBx&q)I0=p~v?M_;P?g7=%-Q75j^AE~5n3YeDM
zn6{!wA`@9#p7kM|!MM!k0h&7<HK{ZTEO=I)M}<iU*(Kk9Z(Be{XX!A`EU_LFWqmNw
z#{OL2PYitWqIwXt{ebO=mUC-OSz=^ohA=V#gLxp(`(!k9$RnZi8I|O8K0N}Cnp4JJ
zp~EMsk<<5NtRMo0OUHN5;obMbP54(LM@Yl{u}wK(*|_bb00`Q}pkj5oBgJe|Fm)uc
zIGHDxBygk+i~tmg(lH6r+`bW1>yjt~C2=RBOd>?|fCU0qT7?3yG6!0RLbz>88h)w@
z&qG~mxm<)MlwMv!ui(F0&4o`wYD-i!RHPH@SU9XyBiEXssB8t-nb4}Y->p@Gzg|6R
z1PaA`I@QS)028QM=S62CYRgdcRn5KVVx$!acDmId6?tj(ue4QW>3M2PVTH`=QkYh>
zB}gY=kn1C^S4dYmh1Q@rsgH%$ypdcbccG3LR6ecimpUt{5+x@vSENqdNdQP2PuG<|
zR(DC(zadnHcdcGRvq{fG8Gx(~JJ9+Biov5g^Y#_x#dVSp3W;$2Yt0SS!gVeb8wJ9h
zKEqQ89<0Cvc`!XnEWJU0={aG%=l-dF!Lui>tky$7r>?BP!)k8*QtJa;_kO8!VWRV=
zQs{$U2Twy3kZF?T)oz?M!g1<XaBc)FGNn5P71#Qtf(AHC{Z?T^I_tiMx&ZxZ?^4Bs
zGfDkY3xgK)?x_)3#KhjE(*`aHU0KtHLW1?xVUQRmrFB?=hC9Na0=R;SNgti@o}qBF
z5T!y73Py!@1rRyj5qSIYY~(<Y09-&<1E0l~vT4Bez>p?<3IYdQ1~LWS1tv1|P>NCx
z7yao}2oF<v6GXG`HC~nQFCZ?Wt_GkE7zh*103!SkKpkK;;+_Qt2B4>?og)@Nog_gB
zKvRlQSRoWs)S*B~Ks8EQP#|DM)VQEXk}jo7fgU7XN+^O-K*uS1eg&jHgH$JK_t|f|
zU^aU4QkB0BgFQ-<{4z#5l#5uZLQ(0cZM9AGkqS(`Ur})pub98@HsNlib9^}z<}8GY
zbuOFbXn*zz>BxUpR{s)%KcJsy13I$w_;d>X#r>WK>ai^Oyb1k9dyU_!%J$o7=Ii~q
zDd;rE;IFszE$zo{s}b*yj=$GWpsu}E3kOXH4a9^_-A~e0PF@Y)iW^9tj<y=S8oxa@
zkv(X4$agR3ztguKs|xLQQ!LzFeJPzaYvZeb_95w8cU6RP@jJL+4|i?$t##<8D8Y?t
z&t)4E7lPO0AFlnqRs-KBJ3p=uU)uU?fqZ^w{>{BN=;^X=@{yDJ@ARvarpV7oegDnR
zSXs>2OJiT&{OGv{UFov3t{PZ4-K})yaZp;AEl+IpsZLaEA;Wh(lw7Os^w~)0w7dCn
zX<a##N=qGX=jN5k>c8ea&d$G1Z@J=`U;+=!?zc{LJsj14FYZB#eKt5V#4^CdL!0#;
zn;@Cu8DL<A=D$Ox$Tv?756w@Q^zNH8xndbmV&%+2S51@*vIi&QJ(M%d<q;|_Dgaky
zhLsM~^DUFpnJ${R|CE0S6Uu_$s{@n(EikFPs5$&?oOOY1YzgH-cO-&y%k!0tewziJ
zk2wFA^{`%4AM;fTH|O=tjxSA!XH0BQ%$nE}$|KHdp~U=~w!wK}<DhpF^0u}a<q^j+
zEMb0YJl0`!*z4#hLHyAzi_S<Mfk4oHU3|iz^w~t{W`p^}a(si+V0F+p2lC*yAvGXW
zaKLcd6RPS5O@i*kBmb@^SeyQvDmw+I|50yMGwz!P4V8z#Q+rXn-kUo67EgY%i)p5_
zg4X7tJ^HyChn{rV>avEs@SRYPI&AjY{de`0YeaX`VAEi_@9HS)26fY8>#@S?rE9i#
z-2F?IN1ah05aXH8^Vu0XfDxmPeyhH?Zjp?EN&?}}PDag<&2=V*+|(yMIY4ZIxan8Q
z%IRSrrH(oxJiNJI_4Dh7*Ip+LELVLup210X)wNiceK#h`ir=koQB`kEf|kyrzhruK
z74+F-*sH4ktzu<e7Ah#>ud2nV(5IroT0#XsSB|FYo{I!vmPx*@jy=S^76>QmN%8*T
zKS|MKPbYCF#@ibM{T3bh9_PL=JXR;VELL(2M?G<qU~{6x_Cbv2#1oHU&WjSfgITZk
z!4C$yEI0BOW_~09-yst{78iLU208-d$aXQ&VE2*MW1`4DOA&sBiR6zL=*Yv7{9mI!
zjDul*g_Y!2;-im<Sr2Sfa!(wTj8kR$oQuN#z6<6STi3ySrLh~=#QZEVO&7ZEKyCL`
zl)cQ$Vzp!svi8*7JWa?wsjer@%_XPZSl6tCx3tFBFt<iWn~wsXuS?O*AL;eHLBahB
z;JFF4Hl?k&R*&RBS64KHx)t4W86D8DOP&GU3Rc|Kj_6bB;rDH-%GVU@Yl^8abIWLi
zg`&7uj_Ap!az}2R7Is{g+DfWGiEutQqaeG6c;1C{+*u9iSar^r-i3Eu>KV|oJB|UJ
z3U#>Z8S85qxZxSlt5wNp&V^rGDGBINp657ELe~ULw*q>Xmf?t=bt&B9C!J*%5(IOr
z_TYGqb*S9N5zet&h~hcb$8kVEI)tuEhv!%w#CT41UtFRI&b3>fVL8{GbC3@@%We$7
z^Q*q(1P?mnt^t5^ua@G72Rfl{0c{T*b+;cD!49Jp$LJ1qs@y?<=UE-g4JA{q8lcbz
zI;^Sy=?I-d`io!r)HtckqzF3mDtJHVQ6)&P-0K0T0sEa+wGov2=?}ldPu}HBLZ7%>
zc4a?!RW=%Z=_*&A`|{+f6*T+T)WK<BeA7)Kx$pTVoP*(cPZ8#!U++4C)gd19tfrv%
zN@;(Ps2<bv@j4nji{51fY671AbA?62Qq>t~GY79Zm1{AKl{5m*Ov`!mu1>q&HCm%7
z;V>Wb<XoBf*XJ_bW@2R?%&L^Y@6UjAGx{W<;gyRr7VnvU6AuY{`1wvQz0?zdFJ2ug
z-d?%pS{%J{7piAy+Ev)}K9*F}byj35RMdEU%$a(t<)NyHPj%!}9gi$z%6rTZm5gN{
zOsY#!GL4fc^5aacd6#K=)$O|+CH_~o?j6rIK}m;sdGN_Zyz^zDG6}~hp6!EaN<a|2
z-z|OT2;0}mL5CT3;@M+6dbnl`eoMDz${g*@VuoSMF5K-bM{a8c`HK{}^i;mg`K)Nn
zRVB}l<$~wR9tc%`YNM1{ei?eR)C?7uE`63gmo<wN&-A%^M4^^GuN4DjCC8Pe9I^Fy
z%n5*(9}<@@k2RZ#kes;je7`I?tm{nc%YR`?8Q;xi(qc_4y{C^fB`Pio&<w@?uUo|i
zTlw}{1^%$2{s$$yx23*a&6R}6GFv*%S_Phpy8byOv#w<h*Ue{K!mhs=dEO7J@g{@&
z)UScpxb^c`$e7lau91|fS2daWkYu#|oVir<Si+beQ{k=W%mqFUgSXRJPYJg&<I>8H
z=b7ZEnPc-A^56`yDTkdr%9G3!DCSuF$Tb|wRm@n?%(>~2`Z<+%GY2iC${tMq(af+(
zjQTm0<(UPenOAcWDmj#cFzAmguHKlHEUDuJap;el%WTM0eAYuIc*o6Uf?%pXYY!7Q
z;^weYn52uE#q7Y$T-FHYAR^|mT`{j0HI|u_xVfybOe;mrV4*TI7d4sLhq$?HFs3%*
z<+9Z=O&2YYDT{cyZ0by7May8PGM^VMgOtRCT$TkBGLZ6EubE(nlEV&VDjrK4a~bgR
zSS-xW!^vVtGdm9@k=dCDc`TyL>O;w4)iQ+#C6*b82stcE=1`#IuvnR*gOblg&kP)v
zS|&4K<gq}RY=e@|#Kk*&mSE;U8|1LsnNDw#%?!i|zDpw07VYv_56t~H$zZcHPTwVm
zq`^hLOBXXMjq+I;nd@(o#2RJ|u1hep04;J@I82GP$zp>r*4HJFnTaO3ENslSHOXL?
zFu>O(jI71GT$TXS7EN+kJD7hp$z)n$?XF8TQ!R~hS@D?7Ym&^o$|GEserA5!<gsrs
zdux)xc4Td?OCS>sHhC=U%+9mPWwK%X&n21(fa^Spf|yye#-yac1)ez)(;*CTu0~{8
zjy#@B^s&cgN?-`b9(v65vB#Ty%~6g!5F#v$aoMbi`eTmI(I$*>**%HvV~)(|lqLA=
zKScL0$6_2z0{nJQqDTwz*p(0-UyjWDMkRhbD&h)@@!742sjtUkLM9!4I~p-0mH6zp
zh<;m+%Irj)ZaY5WdY0p|w-cnd9i0&}t8v*gh=VJ~V|pMCuN{TRg{r)EQKC*2<FPLg
znpcj=Y)^8$b_pT?D)HGVh}2h(#w<cvUONxbFiP>+G>DNY$7M1iSw1@$F$C23>?uU2
zC&yyOAh@3$lX#7U`0OpBG>P%qq=*tH#bXX3B%c+NsF>9FtnS1nlj5;k5EoC1%^D&k
zpB0m+ltj3!QX&AUaacG+)Fs7d(k7)ID-f|OsPS1Uh}@&aWqKtM9xFT13uJh#Cqx+|
z#bp8^G>;XFxQnECtO??D5aP4z6SWR26?@odaami4&qIpLEKM35Rt>Qj$Z=UC#HXRf
zWV#_O4l56lG)Q4s(TD;=3c_k8H4G~PNSMdrShI;BKL*JZLUH&uFrqi7VA=hMygLTQ
zOhPE^8#pm3j={4t5Cb~~%)%yd*fueu2<Kqfp+v4b2Fi2B+1NIF9$F5;viaZ+UJaI~
zndRWvJiH)_!LdVmY+enN&j$kVY`8r7F9yH`;TB#EhGP3ecU9zM-+9T@;HaANwbX!A
zX?bSo^ee4-qU_KsobW*HJS+0>80x-^M?5<^ucHy~1TLb&spp3WRQeP=Lpw?jQMZK$
zX+cmm;M=NvSvlev&|lhk(XQP>P5APl?aV8}d31Kd5><~c?#{xjw~U8sVI?PdRCNjp
zqwgeckpU$T@mA`G9YJ`3mx53E=fJ!bA|45);ID<}h`bg3yt=vr4@6HTZp%Wf2aDHL
z0qu?C<<*c@mhqzL%oS~33>}$;Y@RAz`GI&3D(;yIrzE(N=UG5mo6nQJ5G<wTIn$U6
zB6zTLqXLDm7w)O@Ro9X?R6j8O@>=NX4%A*w-6FuJQ_1tW$vIHoNFADksXNabyD%x%
z@=EH5=DfTM9nLQ1+sfg11lry<h2SfF;sm?}wmk8dfzXNOn7j)#uP-j3;IL+S_H?5H
z>0V8Xz+20~=)4IP?>41iDIMqBtOaO1Y88OKXM|Z;3S2y|6@a@&hw)en=xC8E0d0*a
z<zOmHLCCBHf3$kCr?VGr0;W{-6SUIsRsy~42ePm_sAv_FfVDP<`8W$GX+mTo0?XQI
z+0+3=Z71a5D$SvAP6GHe60)7%W$~i9ok$m6(P&Nwe61Yh;3$~V+)e_zS~ywH0Z2^(
ztlmJn=9i@4EZw8<oCOzXS!B)5=W|7?A$Sy>X-Y-{oy|V1<paC6fpHiLC}~(D0c#CE
z1Yj-kra>4BQE6mG0@Ioa#9%Jzr>iEZsg^rcFJ^27NVHTDfUY)&$rv4&wAPV;ri%mV
zY_gU;G!e4OoO~NtvMU11np4QYP|c?K7z&9r4YH?$EE*n2z*nn6V=r(j;i1%g1);PH
zvZo(!8WzXEQgx)fd<AnfqYtyJowOEZl(%C;<1!#w{i4`>1xsmcW}pta8b61?T`NGC
zd<F8fe=}bKmu(Rv?Apy5Xa>OSk)rr)1)sE}jexqwj-jw5m$WX%z*}=flPka}aiL($
z><To{ZyNz*Z58b3K&u9VYd?T1>86-$1%0%ci@jgQn&Ee-V$k|$CF;2})C;{)W`H2O
z)~eFJF7=+Y3`O3h<3rt_5gp)Ycx4y$WG`<QdVuW<rdlKEnhav^Q#L2XaJ$qAX|^uT
zWEyC$6MFoIz>u5Q{5%%~-lVHZFq`_bXe$$X=rocEy=+YgR#o1h%SZbw|5Rf@9h(=Z
z%F_rY_0u$!GDrHDbt-NXdfzle6MDQ22%+y<R+6yys94ZY9`$zGQ^Ve(n@Ny+lvdF4
z9_1*sJO{Z#ttO%FSHnf{dz7Nm+8*UyG*_}f<vB%^lG#1M2*lYxe}}uj#+4Ra{!t~S
z^_)K`RMKF`h08W*<z$WJJX%l#+_()K@b@Vq&?*mlr6shjhq-aFk?ON3?ynk6gWYED
zSz35K%8t=k9^!18T{4}+;{?$$HJSG<A*Df@cPW}qHsJO_>6UkZEJ(tvNmL`OS*L9W
zy21-7W7AbeUg;gjXrkSiOauV6Dc=dm@$>eQ)(QiI>Hw$#9}|Bckp4c|^AX(5aW`Y|
zm6B6VBqR_t;Iw(CLJHLc@*A=*icYe)>k2ghmJ|oilSk1A-qX$8J><$}1?XU_G~r?t
z>&cpAq^<-zf2fR~jVw0;>9ABHY>4V(hhaNR0|Cva?F}@d<XMAzX(S#FRT&E6Egu!(
z0CS6vbRbMF{#ef8VES}Z4~pxLHK2otFZm4cZ;gW>%<ls6;H}nHDFG*XcK`;zyYD81
zfNu~%y;4>aDS;jJksxQo6jbc5-JaVf*W7qUuf@dPQ@Tt^wx~85y_`mhWz~xEqf=!a
zG_^%5aV`D|Xb{-OrKy+UB{Yx$ZaiQU+Zt15V#VrIW2VC*hht0OF-;F-&mqXk$HR0K
z13&_r<M4=hK9@+kwpI(6A!8`LRy~+FuN(lDSL^+g-qMf@gL#qA8mm)^(^f0sv31!M
ztiwpKo+T+{hdYusAV>%rO5ae)S5NCiLr4h{?eTG7sF6+ZS4@jrYoMzrjYvEH35~H=
z_5TY82Y<P$gEc+LzxwmAbX*a=LWF%*pb+Bl0J;Jxu2#!hn?=pFh)I!D7g^+wE+57s
z_{_+~$_E(=)1d}rcYJk9KhJPl6(nC04~_3FDTGh--d|K)aF?PQ1nt-@@UOR`>J=F_
z1BK;prbZB|+CLkcPDOD`IHf^b40s=|TRoQ*B-yog#TG7y(|$jXt5G>D?~PRe7lqOH
zO-XX^d)ZLN^CFNhaHgNbip|g=B1Iy@Osu{`6&0hF+)uw|_Few8Tst)3(IVCjA`p2o
zC?gxW+E6OkQDz8a+MLRo-B=F;iP)NjuZ4AzffkWTw>6JdYDg9>brn)WP&jFirw+9f
zBf1xmeR_5VR4R_0&CR}%Ab(NHZ6g!{nM=k^sTPE3L<uW$?UM(=OuXD>GV{ZyoS<Z0
z5egbJdOVFCl?(CoArR_xNx@^#3g5Q%kdlx?j$G9$hQK7ND(;2apn2Yii|Y!vmkYdE
z^tBh_kw6PvXFLTcsJ#`i&B(djE>HP#vp*CU?VR7nD}<Cu_<pjI`2(9*R2%8<G*GEi
zUfR4SuB(G>BV}C`K^iQ1QE^F(h8IeT!^dB{74rYv=Vvf%wQ`D|h-i78%w(?NBTUQ$
zB?wXvTurV4|4geV$>)14gt_`i3Fk(Bo&7){;<<>TYN^;|ZYd)J0K!ytbh<TB+j21+
zi<}j;@D}42z6kE0x$-UUEq+ATp!iPYqJlyBuE9;PI5X<{1bIPUiOVQV8`Zl~gze2h
z-G#S>5!wJGY$BQ%c)q{#CvO_G5j=q5B53$f-)V}(H*tn<?P%~F4Ci`JaHzpCJcJJ6
zVdN>2>p1wiftf@KgIXZKZFIT-poUS@0Cx*@?FfYm#*LMUj1=_g#jeq#0GQ0v8Uo7>
z>46$FQnxN+cuvs}x*aLb6&)e#=ZG#bgAf~>RSN(LxC4U;4p;^*G?K<7;d%|Q;|^T@
z>%jSls!R&kb^@A-6xt&$aW23!-Xg+bq7TZ9q%tX*LXoh*`j$R!zlt0coH+DF*H8s>
z4!6M!*`Vso{ZQFLc#bcpykqbvs6xD`==g?iDd`%v=y&f|vTrhM0XkI-j(~;Vya?i*
z>7BgjK$QW&4}^DH1W~|1KvhEPx)HpHTa?zb8w4`73aCxw(g7DU{MiQiHQa3bA<>`M
z5@pmgGLS*}ZgT8xI#IWEDi~P0q)DkEP+JgGTYwM9QrU@UGq*koT%NIWSYFv3e!m^H
zvb=2ExMqRWC(DpOBMk*GS8`D<7r&N3b=ScM>>I!fwp9y^I$cpi-Zt#?hCM=_nV_dg
zqBz$S*>SBJ(<r{q;Dn-=dm5eA$8D@zF1I>oZ1w<-p|ErpBxz}uw0XJ0&v3P<I5fL0
z_E)|E?%w^%$8x-hJO2}{N{}{cv9RRXw`qOoX+p^Wu#wUnL>NJOk>?E|yvTUHn0gQp
zB<WAYuMmtr_^G*vL=X`;4|3vn+Y-enZxiEnzGa!@4{cPRoDx6)dK&W538YWk8)?43
zia$qVYovYq#jBU-sh5C*&bZ@Ty+W_5a8%Vjy7&keFvZ*Qa^TNXt0Q=)!1&PzHuZG#
zLM#Oh;D~2dKn`w6boHwl#9TNzr9@KU*cuF~B&;MLPuDet@^lgsM{XmYTCLyB@zJSl
z;!qqu#_gCMZVY$O!O&)#yx^Cj+ok*I4p@*~wna#kk8%}tDH(iuGGGswWl(~Pj+tyf
zmhR#eK_%kwarD+NuxhwpX~kXXgr!oJ6>EjfNUxht5fQvTslJ4>Bc_@!m0PX%evjV0
zd$7<kUL2JennMWgc|}gV`$^T7$0gv0tC7k`r3u_QPff=tXjj{^99))LNZrJoz$;Gl
z(*53@;qiV3NVcb{!%KlyKfSr0!U*9eFbwn`40K|AZvwRM>J*W5F9KVqHDr7B(jMKT
zizSW)TY9{z-nUmfgEu%#$9FJuNe%J6d)BC`Zodz8ogB2xsLO^fFL`cSHT0ErR%x#V
z?mx5>)43XLk=h`gtvGnFiZK1Ikf+It>`PrDYgoC1WVChy7<9i;e5wzQik$`8B*f~#
z?JS?1-z=dQrZk5H(s3-JhX`QLQO0CB0;sEvAZwB&?~y0_L3%YkW)8h359{*1_{N*c
z<ma>Uc{4Ncde~;L1$EIT9L1+|szH)G%C+3tnRyYsBs`{%S51mKFU=Zp5-!=ru)oEy
zc5O2a2xIyqIs={tpt?C@oN7!g1d5Ylm&Uu~ZvdP-=anfb;<&wOgHTbkEvdQFBy)&_
z5r?rHL-Q!y7#M=gQPax@bJ#x?Q-2ljmWGTW@kw*H!n-3Dhhj={m{@&?aAlBbcI-=o
zDW8FWK`FDI;+k(1>jr1xVO4?>ZQB%jyewW%xUH>1!O|)jNQAu;n$OMwXtUs53?#$w
zjxf+kTGCO~lw2YY(o}%peTi+Dz*)*A45IDcEG3y^3RWO>IJHrmH!=o|F&zw;;#!Sl
z*jSNpmMr^NQ7PLt!-6=HD~>MLnT~;qDy406G&%&<Ev9G}SOjPEtfb4&2sFuV5hO11
z6pEK8lM;vjBRuNGgs{=L%cOrNNTql@ik2rDGQj9?c4ntyAc=~-GSVzNsmm$K*ASq#
z;;UVt08DDU6xmMY6~KPOG=!;%@(nyE{f6+r5uHnn-I;ANEVSI3GXzp?`O+hRVW~_s
zC(Fm_CnS`X=W3nds~FqTIgE;R%ErmkU;{J=z2E000CUbvw)$~5P2BBAk_rtkd0YrQ
zXUoM?BFD@150r4`cc0mTCUZel;#2?hoQSqzox(kX1QYXfsQ*RB$q(9OSo$_&Tu&rD
zoiXCQbMsgvay@<XM#Q_JbSETu9)EKg)-Td=C=!5y1oi?%%M8S#=`^qqR3mO|hBV3S
zV{3cvNAucPP%B-(uL8D7H!KCd|3V%`1j9E|?$mX&5s&^qn1UgQOV3~F6hD}%AY1uI
z7=MKQeq{43$W@~)g6(2WRxZUeT|b0^j7T0%G^I11F;+7gQkmsWDG8Su;D!(7N|}gI
zc+barh&OuWB~F}{ZKhOYdf4cd$xZ{EFvEl}9jI=_4xSjexRw}-LSuTnr6wFmHh6?-
zD;6#xv@)<o#yI(Gh4K;)X5)Sg{D3%NfkP-opo;^j1J?ZTS2nl}X((F(b>Kuz)m(+W
zWM2}x{$&`86M>M{KB@&IthUeXXh|qI;!;WJ<Zo^&y=USASoMjBsQ4Nn*@8Crmw|}^
zpYqR{SJ^ON5J0jn%8~@Q&_mT7F4ZtuRq!3Ll!#&~oI(!~m6mCJpN{6kg*X)o{!(Pd
z4C5WgAU)VOLSRfqGb4f(N<}Fku4o=xYfz(aBD)ZgtRS*m4cL4rBq+e#f;M>X`SJk}
zN+AgdHF>Qz)^5@zvW6I$p$i;6e-z@rV!;wsf|SxYRnZ&}>zU6txhI3+)yCU&!w{<e
zPXumW#+$9m6DhZP+Y-jLA3H7ctA{e*-Zc_h(^KqK3Ym>ShDHD-0EjD42!ddVh$(0U
zK}{w=A|BKNA#CMNhC~4{$Jy&`bS5@CjwNXZy*abu6QMo9^+CNyp%$>g;1hEnfru>!
zM^S9Wysxn!btad~GeX%yNXmEY8ZOnMGrlsG0@zOIjS`u&Dk&XHAB2;gG=fjpqK~Vv
zs#cYCLk`?w8L%ePh6#qYX*rd41tHq-)^E*^=>-osq<B0BwTAI!ZWX|oFfc_`T?Uud
z#Re1!aTMA-luL+BHjgNgVhoLA%!8<iD_H*lq(aG@dv{Turga%5w9MUB&6Cj>Wga4L
zrnSyxKe#eaZj09f+a&)iQIKR-kSMKBX9|)EMXCIfgK=t#b56M(Cab&&YM<CpoCJDe
zm^mO{SfB0%Bn?W_@kHq{sh1h_<+>N<`$~|EN0+oyPJ3qs`67|ZmB!-&ml>D5!s(A1
zjuJej)xk#_)O0im+tHj!M9xBc%;grLX*N_2j`3X9<jSMcPO|kBN(f(=_B7v$mOSkc
zk@?S-hhSn*Gs)HaO889lH$ie4arSHAxQ{)nP(bA{j!Y$3O<uOW*d?IAHa)WA#c3X0
zTOk==Rt&n?EN#cQ*#xT-*{c)#iqx0qEQPIll{zK!fm$#5EW)84WP&ChCVg}}AhX5<
zgAd0AU@At?sZ_ht7PXI~7myL_EX(DA+}K(<a4nj=QG>fpzBiL#6;f-WC8Y;0mCD@j
z5*`UBvC&fbw_4wRZrnRn)Qss(%pgs;wjBd!AL4t4=2jao8&Mc-c-Y#G&Lf5+MV+M<
z*H4wFt<|TEK`96oN$hY+Lb*zLX+>773D`{_!%;<GqqQsi@l_y?v_vN>N}pAD03<;}
zWY+R)W|UeR6*ehJq|`?~rkGSE+(M#)1OHNzkc54r?=q5*gng_Y)PmYH@|R*mT@rt9
zDniK;dsl>{q^L#OT10OBp}v}d!Y<JWiFZtTUj?-admBNmN7~wZBOVCIQ~Stjk4xay
z(*ZMLi1RKehqZ`KnhI1Y`jRz4Xi9SOf-#|`#ySW?Os({$<EQ&|trASH4g@(FN@T|8
z*6~BOQ*oZZDdeFUd~qPBjSJXfWr`h53;k$c#oZvQs3BU9Mm~3{%Og!i0QYFOAta2@
zd$om%l16Af+E+SX6K|$sKpgEq>}aPC=;4EXtPBIg1lfN!0Y%nEJ}T1PO4%7=v2$+!
zO(ZG%hQ`G?QbkXp3U*2Dt@Ak%l|CX8$DN&8qxF!*JuH)9y5#;)9&yXo$`T0jvl$^o
z1D-n36&c*h8js^WXAu&(f=^gm4cygGD=jh_c)9M14k5E~!ya$W5@c{<k4!R^nvcP-
zbkJ9t+_{_H-Eh@}sTD=$)vC=&m?R~q#2{2ZZX{$cT6dfgpYWC;#$+o?NV5d5R`)Xp
zhWlb~TZ9{^z2^HxMylKcWu+7x*J$v?To`Pa8aPY#lnd3M*k&|vm+j-uO<9EkTMlt*
zr9v{mN3_-jsH(z_b`u!2RoQB$PtLy<VeTtb3cpQ+hS+QnLh?z|)@hjnmhdA|OI{$U
z0kvh$Hxz*v2f%P7XxuzF>_xXc1Jf3d;?|Gyb85NjOC0BnM5qx2M8>S6<uuAZP~H}o
zrl{??a>IR<<h>Uq05&>gD*@aTI0Pl;SW4{oEWtgpj}2i3V-5S<rAzvv7N$SzEjk+>
z#Y@k>`^u8ywZ@(P=MAwEPU`DYL+}53Ducq!CD_wS3tAZY`$I;SOA`ZJHVmnf<s!i%
zS-b{8*uZ@sAO7kY4WPevzNafe<)d34x<mc(j`f5z7(bB<L}W3O^pAzGHY16bl8Mz^
zP@l+|N%s4G{|~9ykQ$JR?|jxGaKDcr0X;KfbfDr)y-NIKVo6=6#AqvtRXd}=x_*!&
z+D#%$&F2XZCOBy15%M)zA+mHo{rhF-?-*HBl|blrO%xAiiWbC6#L}e(awX#lLW21c
z@=S?Buz`Nd=|d!eds`uuQ4cSfa&~EW;{O&pXT$~&F(w0QuHKIy;idgY<36{dkLc3&
zOTj@fFuyiRt}IDjSUf-$P2Gp#jH;xRxMhYHi>3w-mPgE?LGeanq&LiU&nwiRV>ZUP
z%&_`b&Um}koyCc!Ew!%728koZNzs!@<sy~8uU!YQk#BXE2@1Zfjh9^+V2zTipQ2On
zmqcQM=kp7+i^M?Luk8^E81Qp<R38gBZ4tblLx{HyFtYkgAx_CZVntDIw+|apIR2*U
z%@zruEt%7=65Z$FkP>(+eoD4KpFQg-i`PyEY5#cxc(K?3Q))Q@BW^>?&XZ0C9(m;c
zpP!)WW~Z5pV5e}XE*v3L=`5Au$S7g+KmX_yD}yd8EiHRL)kk_%MxH4xbKgky4w2?T
zt?>gxnrDtb8Q`LJFuiE-P(2u4ENCGh!iiXH*%)4bh&5nl8KgKPnd&r>g@q}Q>&VXp
zup(O<e@U0KuHuQNWD?C}^-#$uGM(3kT~vxlGpK=5^pOD1jKSaTt3H`Y37!MG;Hf?U
zJ7oh$gQ|)f2Ez-~Zsi9Nh2)WySR2Jjwa{N_<ACx*x`5_U(!or3Py=G`Ou~XfUh&<*
zsfo<M$PJ5xLFSN0Q}z$6n;JauS3#`MUuZSRpk^$+Ml8M6!)Ve`Me85iG5~|Hsd486
zFrxAJqx_}B@zMKXcqn1CM3BjGyAVk6&CmyP4is|Yya)WA31TrbPqvG5#&iu#>YGbA
zlYLtJxvrd2ofKAs(>N&lnnArWO9j7$$6<dJSG-F&tz@tUIo}e4_fG5+PrQ9zH*$Pl
zNHBLgK|>_IkBuo+I-dYbazJ+v+7>zu4kwKgqF5<ohcgNV->pF#f3~a#$Tk%kf)-)1
zK#cK7Aa1_2hi-+w-kO~wx)_?4G6`*xm(A%gYJes0-<~x<)g7giNu_}pc-0a+xE0z9
zX9yO94i_>67(s^(7=jT1L%LW(5kNzb*&5{@xDcKK9LmVoC{>_?GzfAUv=J`?9V%G}
z^nng+0W>!d0nd(2A-_Ne4oK9(18qPK)u)smp90C5!0z`ZNpcxs{<X6rO42_}o?h<U
zgG0ia<gZzMlngKmCUC07vzkbu$Nxx~!Y(PT`VVFZ3z^KUW2G_+P>q6&#aj;pDHaqM
z&89rRxSqXgwwqxViT+otnByqv^l;8!&153|JR(K-a?v;-C-`vC@+X+AmHr))N0=>d
z3@u@;&dEY-DQ{yA(*hR1hXK<93cm*o{_T8TtG+;W;ERfdZb<++Mu{9i`?Lm&5;%eP
zXk8Q_qv&w!*?xjY*{_eiyI>h@6u|Y1>(J!-5Wpwsa7W(OWJZ7nsmp=m7Lr6j(=dbH
z)G7o><wu>PZzcSHYe3~e-xjLMcQFdWVc<e=R&yQ&g6NxA)Ehl<<y(<TcjF9H;=}<X
zZ)DCt%kjqXwsc;eoA&ZAWWu;qfZu_ZM){dW{+HSE{_C0kXkW2>gbD~EI0P<{zu7Rn
z=N9>Yx?wp<ooXk<*P9+;#S@?i-|&A4&P4pR=H?n-i;jlqNP_Yz71Mf_Qbok1Q$djC
zfJ5B$No*TmO_>ivYz&R{C)1$FUjQ(Le2?u(Ci8cMHl`NMklklg_!ugI!cEvqo<Ij<
zN%_6wOAMDpPufbU7OB}GZiStr`Em)N30iA(_Z3$}y$&{ol_>}gzabD1t1^vP!fiML
zzGTPI<0Z&TcA|{g)lL6o1SB(LAj+wFxoX}S2C?cMYFu?Fk9Hn%Zqfn1Q{x~ZvtLcd
zuwDO>=#33G0Hb@YwgfUI6FSdgTT#9TEYCtdJ_iqvLL~kNERO;T-vf_kp%NbhjRfNH
zm$2%Yc)(@Ybknfrw<i*=`wrLru=e*Y^(okKsK3Xv`4HpSb4$M7BKj!{7Cnm6jr1{>
zVb3yQKwS16;3b!qK&BsKk<!S&G&mDGh=ajin~<y_W5982pdgFDbL503F_Q7FJhvF`
zGzkyXMuoFs_Unz^Ps5&4`&61Nl)U!(QR+T@JPW!7Do);ll3{(bMSb-17biHS^o<i>
zl|Fp+?jRF^F&@wXsg$?w`g@t$dbtfVrR8P-g=8(5!<3mjc1(z2d%sh!->0YhTg7CK
zJTrJ65_Ta(CRq8-b9YY*Tm%TFxuQfX!K(^N=)@0LZV<*~VVEEZV`Z~3Dr)GC5`QV@
z5F1GCf|wk{Txm=?>~rBDMKAIj0p4=hezK1Nlgd+ZG4-|qTlgYP7`~{b_#dB8NtCbp
z2p^=xuzWx8B+4JlQqjVfQlQ*(o6WZ~Qs>p~Cg?dk=p|1<nT2tUY5Gs|^LgL!2t_Qi
zHmOr8bf(imxhutC+sv(d3_L^*$hhQS49ErB%)Zftiv|eAISSb-;${-%deN09nisp*
z1ucr@W_+AV`1ohJJsS^9C;<+X!{hfZ%ZKf*^u^|b3Ji8yU#6=vkbw6=(xR1`eVvYj
zv-oNlQx}`k@E7?Yo4UWA%i*erxaA?oZg<p!Dc&mxB>@F*v^GbkA75V!?Q^?Dov)F5
zL{3fsSsVk(X%ADECR8B#e4$-lWC5aqjHyE|=uf66gR|%xtcg2N36orklXG~P4yj2B
zT!aU?dgo)LtFCry&t*XI!pRm~tH*R;2QTD5O?HW*M+lw!QsmJigiigkLNJH+;mA@j
zg1>O$nFvGoaN-dJNX(4w5}x7A1}bK8JBJU%h@?J(n)aLrMjp*WfkT>m1IN*(y{rv8
zY%?<OIi~a&N@Sl#ns&Jefk3p-JGMnAEI~{P$0Md}4mN9ysi^wsOEBe9R|%#nW+-pV
zHIsVlR>LsJuC$zvx2oO3elDl81n0N`5`FgMM+OD*MC-%#pEzdq#i>}0DpL>|{lN)s
z1Txsvd->}P-^ipJrer6lYBV$<^`LNY93zRKc33z-WuS6g7$9SqbKn>tmdrSm2odGX
zI1is~uOV&dYKp+b>Lof4SX6!HOdWytQ)X>)y+RKa>#AUZ1ff_PnNgqy5DyiEZqw~*
zNNA=4Xo-GoCZlgr8jTVfK2)U<iiD{ymRD=`S}bWLjaO^%JS>TCNGhD3c`(Wms<N-?
z82TQGhn6rB%}o1XuB^UJjH@$hhRv-sRux%5nKc7s)U_3rrc?74rtBL03c!0b@WH7R
zh%^Oo4tC<zClUdsS!NAO*flJ57;fJ(KK>~vu~INJBPg>&mW++Wq};QdB<UkVPj#L9
zM)84|9BbafyShpTNL;kGaeWqLt9=@+0b5Cg>tZ<W+B7v3OPg7^tELe&x%EOSZCgji
z1_L5-Ra2<l@X{%QM)4Ij?F->VW?4YRls_@gmk{m>GqAHN2x?1B#_P}(kksjOmw*_N
z09JABJiXadhAllds4vtK&?<>ji2k=N+@sA$_f#U0FuTvg9R$1<K#^0c!s)Tf+O=5-
zYirz7I0ai$vw(q0+VHD%c$!M@P4GA{?O!PGk=4brcpZOPlEqBpBcTASNFeMhY8u{;
z#|j@63yv0i&;A&MA2$`{zH)RYd!rPj#2V$|Ot9q%m_rAl&qXd7q;lnO<L+7(8Zc;*
ze8Uu8lT#T$EO8WYVgwz@9+2$@VzBFttG5QJcxu)vXIyPk{>D6!mliJY7sYxP#d}=Z
zsrwRUqg2($^dreoZ~~^g?SVzp6?TqbD>2l^p-^@OQg&)Lw54kVF`}XNu|ZhPMq8eN
ztH2L`%L<c?1goD&HUy+j%{6guU~z~IA5kNN8oN*)qD93OcKmq=bW|K{@(?~!91<1`
z4jMzCzGfoP6!y3&4o>W7EFh=0v0j*z7(L$-)Q1&(I%+Zvw6#}L+W)DP1Cz#^tGZCo
zz&6s=#w;ibibJ)c((=L(=L1+41>R>B?K#juuy{*S9P2VLZXng-R*C~w)0K!qpCFi`
zG~q<5X+cd@coL{ifFN86RDQKUdbPECTu%Z`2-r;_XjLp{+m|smy0J__qedXq0f#`b
z!i?Usi`g2K0}w0V_&_U+L~=9Zf83{0W-27X|EdnKc7zNx_zlekD4dpIj48@fk+eGD
zhy{*}B~SovQ!}Ib$@{AW=jkQH=jjQelzx&KTy#&;X5^2tO-`_5&XklA1Yt}fwF#m#
z<MRwAE1XDi1IZ`2!7m!|NSY*Gs|MD&lSuFm>%-MFo9_q$Q>+882LaJp>Q1KDwnh<(
zT7b4GsJ!E@RyY(N>=2ji5RRldDN-SGAdRK3qIg}<SCt)=8bgkF0DYf1P%Y&)v}Ij#
zAs=|%s-voO7(@~u{4yw|=#~x)487pKXu`-Qivd2i284B+xp=WlLFcNSxBU}{!RR7P
zh?Fx*J~hnV!g68^m$aZSVQ~Xq8ALQG4h{yv+{+xFc2lyJt%`X|yc#UYMJ;O+%S(>O
zlE?G3#Bj?@y^GjmLj!^&drDXOvBc`g!7Vz9PPN1|a@G!<TM%Hgfwqtc!KkIFuc$zB
zkmkJs&2I#OWC}ZflR|~#69W8<4l(>*EC8dnu7R>ke8f8wyhvJ3uFTO%n(eX*0h6*0
zR+V;2>cwFsh0egF45ZdT(jwTcb<1QS5meUM|H;Kb&^YjUyb}gpW$X+&Ay;_<4^*bb
ztbIKyqjtaEtl00;1X2y#8x)Wc{L=(I>lir@HvD4CtuDzpzBRl+b>T=P7e#@Ut63Ty
zSV*TPO9073GOP>-%u2vJFPY`l6bF8$j>0)GC5{3+5gUR!22j($b`yJryOsclXGRMA
zTqhD_kgXl2Zo>ecJq<`V-r)-|$1!F&-rT3|(10%>G~D|(0lR$I3J|CNd&24Rtb)J;
z=IKDe*{Mi<I-AQ_EAjQ)B1dL4cAB;Xc<2uD*bw8OIK!wQR-ilcxHD46tpVQR!tttr
z>Q0S5<_hDWIn*o~E`a8qaf7CS=I&5~RRPMZp$dq@jS-p@jA6&sdVStQj$c*W{#y_-
zfs8ecsIc1!GDSFc5xk~vU~!yfGohN}sIb#I8Wa@u2V*5e%4P&0I57RDaKO<;$P~&R
zbeC0l3Fe|SZ$TU`95W9t!9E&(LY|*im7g~!&5XBe$RN@73xQpu%jK{tANO~$s%50O
zW3Ko3AARENWZNh~^C&_lFyT%}lNSLSUl_xW1F=64aCG*mqG$UKYe9IZYNps(k*l!8
zmZR93nec=-A`UOa*DOW%H8Tq$0M05F`XmKr7?ETMyG+<3MNlH`E?@}Q#2r%*caK8i
z&w?QDQus57W<SInD8MlA#2woUPzx1Pg>C_${oezX^wtSjTC}Ugiqu2fQw+U<LO`uV
zA<-F#b`dLtd=Ad3UKA_~o1&LE*gv)W%`flo0d(A)uizg`$rnYVOa2g2upZE8KLdaX
z^TDM;NGgZ`i{Nh4QHer(dtr-(34wCuaBtC9eg&oeC-&P1-fC<B&G>g0&9rUGBN`fE
zZ%TKDh(x_Y$-i)IQUhPA6B7KqPfU~GP_`!l0EvH4KW`rZKoe~bYUA_BC|NNdpMbWy
z>N>;biT?_~q>4oT3&KQSP4X)PgLWCz=?=%eDN?!v1@iwAx@*40ccix=j^6XoAdpUi
zkVvQaDl5_gtHC1aJGc=YAhh1w+C{E60YYG^`R##dyu;veA$67fDIY9S2-7ndABdI8
zKqxT)>tK*RL6{k({MIo!Z(TGUE?RcrElQevDAOC0g&?4EYfCPw1tL9mxJL-QfYEl~
z+{#lguFdqa(`*AlbSNH_0}!=;0sTA-+p*~Y;_py2*JjS^6s4WfW5@tHkSBCb;jcwG
zXhP~DnVZhNCUcAZa`1Z8>7R%qAQEUh4VThJpTq6Mf&E^9StA`@t5s+iUUhFqWg|z@
zZsG?Z+oappcrp<Vrq$URL-WN3<~4~y!ks@gAWpP`yDZuUlA&2TN+EO%z;jTBIiT5@
z0>wseg*SZEt1Ow1a`b+wj9uxEW1;17w<Q#HfAcp1W2yPn-Qcdyi*xtS6LBfA)k1lf
zj$shpV_@X~`o2r1jR6FwIV#4gqUq9cYe5E7!oQ`)(t0Ey5ncw6D%y+8Gqtm+Rf7M=
zglksxW!SgXJ1=AsxeCYJ4Pa6VKtPFbjFJ8Erlb%UkLS^ByFEaFhyW4<gWePb3z8HN
zjFV-qAYy=O#tYtNybz2Jr1_}@J>@?m%vtI{RHI3th|CeJavFisdC=Rh{H`*BKIFM<
z#7GUhJQT9-g)+FgkYwX)0hQO#HQEh3a$_VKkh8;ayxP8LrKlmTT$Wc6Q()hopBpiO
z3<kJF6cqSM3$Jtm>4s%1iqcAQAnLsUazKs0ErT}7{cU?|I4p^x3E99Acilpe0t&5p
z++GAgY4%!e6<!~h0Lv^^qz)Ypx40Kbg7VX++z7WMoa9)N93=?O{cbv$q6UzjyW}dN
z284zQ!lj@Zpvl4L$}4qpW~cvnTy?=rY~Ob3n@61upQABytvGN`F5j)w>5d0BU6B_h
zUt6`O2q`1oY}wrVDs;7UU+^%r3z~uAcX?&~KwNBTMv!x$JL123T4d%2LY#tKWA{2E
z_%5W-tnLMj?f}vCXgx+h3n=g5@P-Bv*L?}0{pN^N(;rkOFWsQ~-`GVQw^r{Q!DoRG
zr>dv75b@yirM|z#)yWkofGgCW#*-Fa4bxa;yQEwIj|S?7RQ+nUk|d;SEILNCDvq~{
z{0t=AK?k~DY1NOoE%H>ACi6y!+tef*8-8q}!2pZ@n4a@NSyn4H;6fte^#Pr|K*MH)
z_|SRVTSmG&u6lEaPr1eu6iNr=t12}+=@S4Inx3>9K#u#^0sMy8LyQsOFHsX^dA0gb
zf!>slIL^RtNO`Fd|GwTj<#GWw`T$68l)Fja`TB3}13<%?P(^s!A82x_rbflsAvs=}
z9wKLPpm2}95{`!-Lp#yxEde?c2moXC`j{9e@z@r?R1%fH7QOw7F2#7KxPftRF9I&j
zTygZGk0gB%WWd~a9d0}-2*<;#2fKvxDFuvdDg8YcLh_;$<iMeB0wOJCZ;8Xw@>P-i
zH?P0m<v@(_{_j5iNWdDk8n5`9DNt=76SNVU{xLByL+vI4b=NvNPWp~v*f~-}7udyS
z*@&Dz029ho<Kr((zyj(F!w&G=QAij1>lz;+9mNn}hIyGZ<9e3Ndd*}X0mIPgq8@}B
zAWw_cWe|U0sXt^nxHYh41}B3{$|<EI3B%ym5xJ{iELb?{pi{2VIHquq{+EJaP=GA4
z<i`tm7pYa#5F#wm0(x1ZoCNwfV>GW68;0Yfu+YAt1T5QOaHeNYz(nYadp1f&_m#L8
zI$<xF8Eg*vfV%I)G<PkBEg%FHj`>ERMQRg!0w4uV&*xk0rMUW=e|_36L&LxX%Em&u
z5i0`Km@q_KvKhR9@F}P8yB!NGd#!#eIRlA7q97Gj{->9~yo4<wZh1})oBOY+(vw?=
zWonk4uc^H6<Kx@}N@u7+_s0Tvs1d%02~V$12n;iK%d?o}k3{cyh)0wY_G+Dd04B}{
zrCgy6b@zBHhQRxoH=hMZq9l!)QumM>aFWCYsQ&UL0;-0q-DyBc9>*h@K$1#XafJ^=
zr2BU-5KFIY4hYEjcJ!#mEf|55tp8v!A?pJyK`a=;<u#p`55ZD!8X_>Rb9|*`E@})K
zd@jN+hkyVzg17@BGy9dw+G2bxn!FPA2f0M-xHmLUP!#yIr8q<bHr7uC_jM~kiFx|_
z`P`b4a;rtC*(r2}dXkprMHmP-l&erb#)6If1~4f#JA<LCOAwg+J#2^FrKU3LT)k;%
z4n9ct5UpY#A3egi{mt<L*R*47nXgsXi{kDF;3$RXUMSNtxsvE2C^vrEyn%g`d&dlr
z2(99<3jP)0F&hPb1iS-ZUID6-g^fu@vyN6f_5qOZ@ZIm}nlzOVH<iCqL)WFaL<0Ij
zdBjSgz;YVVwLX6hE)8aZa9wt9B-3qFcrIdeyvnUcS`s86Qv&U2EVH&$60G~vwxSuB
zZX;QS&z6s$3Tg}=_=WL(f3lH{|B$j}@p|j<O$!~*fzB2V9TqDc7kWGVnFxydWO4D|
z$?hUZ%X>YJQDhdR_!9@3suBdq$80hs(%vHx5J6@h|80~ZLLrF%qwJSF6Prbi8TbG!
zNRXRL?;tcXH2XIYd1|$_Ddj?t+5gr&*I;R}zg+@eJoGQ9T#%T7oq@N56A`f}AeRRS
z+5;ttAda%zos5B@V8+gKx+HB0b7Da{2zv#`;dyXMx+HA}hz>3dpZm4YiW%CU4$PdA
zHr3mHI1L;W#m=4sTa98NB@7#Lj1jJJfmnh}9RmoHlyof*^l5Oiq8J6z21BDdiz*~z
zI{*MH=nH#hENGF3WY>uxaQqM`r29=uQbX#IJDxYsjU##3*LmI1CGW>m$Ld_EWYWe=
zP~aVamNo&N3H28zL!p$zOla89+?2$|jqKp%WGp2yM`l=t6U07&kQ$J{iYO(3PLbbC
zvxxRM*28*s+U$>De4YWolP-`l^!HjccxvE*m1uByPYa4M6aT=GL;?#2blwaqb8j=&
zZV#dWpGR2*UofS<Ze(kR-Qy0|-Fg4d#E2N_c$y5}BE;?>@F1|}<`B<Vwz87fLC7x7
zFqZ;K)#`)Jm;hk75Spz9sA9*L)G=t6Pa9H@@?k8>VWhM$LBF?$2fcs}2*55;fl^RF
zyc<&GrjHJnuw_8GNy~8yh$tgOHlSg9vu!sRjfVmR2=u4|{zM@QHr-o(<tn;F5ZyL`
zTmn*kf)SQfxl51)TLj1}HY2&%G=;&aZRQD}ymQgNa8r`Y!2qH~ZxEs)(m30Um;@(}
zws-@~Da0HvV`Q5VJOe2}m>ITS&)!h#_^N$w`L`D+JTY3hLuW!%?wWCt0fa{Cn&2<e
zW{yh=UtsPCe=Rq|>UalgxKIcN<hQpsd=VZDj3OX0dKOYyihHaD{!=!z@spUsq=!@U
z;@EHv4Udcli6(I16d~2=ZvI)G_RMG?i<f?BWU1F2auUc;&@<+{d3~q0EaWN>WRK}3
z>4pQQ?}u-pKyNm{6zs?smv1Mt@YFouQa+#|cNi_!4D2Sy-dy`g?-5DCWO^5on?-Cc
z0Rybs!Qv19vK<d5TTUy{HOpZyd2i7a-cvN2h)4u-z90$Bcq9RGU!t6SF6b1V>scUE
zzVZ$yiI^+`^|HLt3}ok)z|Ac!qb8ZT_aRG0wrzIMDipetmrr`wk+TmJK7jqyS}=Iw
ziU29^6yojF)Xf<gQV>awwmv0vTi3Q>0|Wa6rD~w^H-(*GA<^mq6FCLAVm55SxzedO
z1_2=!J}`tJ44M+vn~|{!EQ~S4Nh}!P0FXvEBEoGd1{S9f2qIWu(HNz(r`X5+Y;I;i
z5b15TMwc2*Ivi#yl;9k^t0TVvZEYv5#l&iKa@;a_f`&u)d%T_MN+|B<Y`)FW(oSBK
zqb>x==HOrXg{Sk<Osv3k?|$REbd!<{y(B0Mz~v%b3C+ThlmCb;lUYp9Ni=_~eHtu=
z=~CQDm{TR<U*wpRnS~GpjX54gkt!y2@f;bVO?s6<59AYv2B5}T)J%^r)o9A;FwpYs
zOo6q5bWl*V6e@)w*Gn7#*RptlB%!Y!i~*nbi84IDZN1yu&jGg5&)}F{7Nng5n_r8#
z4hLttln=8dxRWX(rv(9e*Hk{928zvKWF;Ot9WN?Y17IF4oWj!7A?NzSV|qWy@VNPi
zhXGlENXyC{>(Aoxl@mckr)SXP)z%vf4a!?9tguzENV$XEi-Ko>j@0A1x^tR73Mhd&
z(~<;15Tl3$Q(f@hDF9t6I!iw|4#tqU5i<QZS5wDDsD$p2op{`05TI3)a=ZEmo^nJ0
zxmOVg&c!c}n|Svtmd+C9PpJ-k@0MoKl&(8)Es=z-L}u4>^HKIJK~QlM8N9P+BpGu9
zp%z#o0UnHe;^yG|LG^9x-@LBwE8r>*4@%>j7Ee>)7y&ti=Nc;v|6wlVPdigBcgd@x
z_|Qc^<P4w3y)wh_pW;gL0V;urs%jas1Ig4A;$tl%;ek%wEhgVpw3u;Z&BE52b{%jg
z_Hbk%QlD4q4n_rl<IP6bN{s(2h3M88yiD{zZZLQJ*tWY>d*G!16Vm`80LA|?uQ+5q
z{#J1ipf)C1+4pvLn}E)(Jgxsp)HIYQ!N3kOjOqvlU~aQ&iSPkD1%hVNO#!TT@mO^~
z6e{x%&p_?->VGmAkMNj$FKGM`ue{V`XJ0p}Z!eGj*Og0jg6&RagGjYJ7$vliD<q~{
zHeMyH0c9{CedqFMkRE`6(*<@v1;Rix{Nf8_gCX1sjwyzQFwzhdy}1EyUJxv(ex4G;
z;2`M`A1M(z6mf@HAZdGUR6vbECL%^urjS+98VUkG1WBrt(@DZ$SsvybJ|s8+he-~N
zy}@-PJSM~Eb^ox7xqf%YxR8fmT0!Gbj%fjCQvd<KZP5A~X1oh`WRhHwCa^AR7TDHg
zM$`mr9?1!-8(Wy#nY`gC1<j4G^lemzv&4isDB6YNYB4RCgdifu)@+evQ=un@HlacA
zz&A9+_`wI1VaKTT{dE~kgq#@K&5#eFbkGo}7yk_;f*z|?7$Qojk|IjkfGeoVL@#7t
z1*chfjzC|GEEhS8>y=+Yp~E1C2sE`6^E6&3<t$9%y44-cl737B7D@S7$v;GiFA79=
zVCxz<aY1>i0b-~*D7xkD^M4jHFn|ci6;~gPOw1wPkpVG}Br1|@b)fuVABe-Ju>?3H
z4hG@~0V58|t`QE5JHTXKGsYa_t}q`)9G!?b7H|-YUp3FcXK?Aqfz(0Y_3V61=mOmn
zR9sC$sL)rFb5=@ZpbK<OUxOlmJcv8MF|RBEO*@1~PNMvXh)o|D4;7^0H9{CM2O=s2
zc*GqA772_QQ6XuHDZqyrl}fk@!R|(}U38UOHr5IxEhFxmRu7{D?4;ykAxrsH3b0|-
zA9zvdc1a1I9MWxq`bxxPB)S!eE}1nX&QBt(2h_<N0!3TLOd~H4bj2WoS|H@rAc52&
z$%-KW6d~CZ0zNQ@O`p=vriIRSbE8jKaT1UeO@u|i<0@TGSVdB)jt;`rIIxB-hpZxy
zwNI=f^`t0Ba~`{_EJCNWP8P$rX^K=i>m-n=stX7NS`-@yNO1lrK<Ba)L)L7dekN=o
zS{4Tnl?K9l@n!N5iYBjlqnQOb_3P`#Z?$<_g1n8ONfs9=$k_>4DnvnxHwTPFEGBUf
zuu{(2Y)BgSAxaKa$qkcwi-9cxtEiue&Kf2hIGpF)N$O<95fjYI`g90lLqR71f<+;r
zU-nZI4_Vco!<9^%>C6!-D5yAi9y(6_3XGz{73k@fMVtebatbF6cC}K^!lWD#@c+_E
zH-Tcbd?#R>gS_~W5Kn<X$YVqmpfG_%@QiD81PO|cS@NJbBE{{G+w~j*xR_AtQC$L4
zV;@c{co0jAWX^0SiF6SL*-4XPh4uqd_ajUB$ANrBT8|ZKpfOfP`|wTbl-ei!;a2q|
zKo1(!@(N;&a0=~qJ`IBIiB#~znNX<90t1O!evK9-qi;QyXyxW`wv$87aNI~Up?Ya>
zS#L{G!Hx@_Z&)YsDITlWQ-dpr#9<39a?E57lo7wUgQ60lFxS@*LVzMS<n-?&#0XsY
z$*V_fzX7_32_p3>#B^`hGh&HgSu9M`v4Mb@II3Cym5hF#gF&%T>xg58|6<tp@<{rF
z>x;k=N5*n4lZZd4{#v4-dU=??$>jv<7g>0fgr*yGfQ(RqiIOS?fz^((f_(XqC{?(q
z=3WgaD)=s9NOb}OL~<}ev=@lBM6@!a^-xu7CnWq+9CDGN=diKhc!=XJsD0f5;NI$i
zpLkZVlYy;l2$+o2M9=EN2cOi4N^_(7t249pd7o8gdW5=>5<%BJ)B^a_zE9GVz|>3n
zdlMZ#O)jA6q`|BzR_~++FrUx!Cyh>$y6hZDI$j?RWm6u>aR`b{d60Q5XP*T{{wFWu
z$D`hs+j3ATA{PRS*&gtCp-A<{KuL{p0PKO_uyIRPMng||aHtG&9IFG`NdO8p6Y}|J
z6^Z1lfp89w@(ef8U_yBWnh1d7^f(6y*Qhp&{%{?76E_7oC^DiK$Xn8-%;SZbN4YDN
z$zTkz+#VH*NV-JXPiUWk#sik}g#~SL@<bK}5@kjdvy-|UR0@*_1(^epEKyyGy^zam
zh84x!udOc>210-Wz5)OSAgN#2nvFz-Xn>h%EI8J+Y5`mW*leV_L{%A_XCMJUfF;pj
zao~;{xw{F6KTuj1zrhMP=Kt-snVl~QrgTkY(h)ZL1B@OO-~c@V4sa223AWDZ%!q%&
zr0kQ1IyL+kya9S0e@3zw<ad<zin(O7=fk*uDawxCFr4Kq^)PA|&{Fz;U-}DM53o;3
zj9^s~3ab5noD*-DeO;dkDUgSh6lCzC!_^Mb4G3#q&r~@iI)*5y$K_QZYBEZ;vIQ)Y
zXjIUnGgR+Y_y4*AK!?DPSQX*@K%6Y)llp4#Hz6wr6$oK2PQ4G6`-I9N)jE(jDB4NX
zD2H2N>4Y>f-Ei(nTUrC*OCqgfo(2NG))Z12Y0Twj?Gk+xgGdb33uomvEI_3m^qH48
z8%PICKM2KFkU$7V7nmO^1OWO^Fyy28ac)E}+ilo)>iu=aCS>bHMO2~}SKSK2AFz`e
zxljnOq3<k<3F9bpP-PHp<_1$WG4K*N469auO1|Wv^t<1e5xSa)$jwIpb1Ilx)YI@(
zIA3E5(}m@sY#bZ>jwDbReMxj^!Lj_<F`~M<V;E7%N@2ZL$GJSOy9D9}E9LUtBp@lR
zz;r3oMl(#*y$Iq!tqKMw;<%)cZfrXoUcZqQsRMGZhu|<Xqe~6L<Viuj^dvNB09I2j
z%aX3ds8!2NQtV0>Ap??jB|8e?Dj@9IWIieipO_;DAPM2%Xk#;7Yl@XArl(qUhH%D;
zF9w95aAE}CSQQyq*K462F{8|iAG%sw6M!0!7V_w1r!cG;Kg6Yp1;BvM{l~wyb-Du&
z&xdLe)8UoDl_ZiCZ@#A3)fSb3BtT*m4aX**DzM?N;W}BZ9aW{RCKl+zC1`C1NH8s^
zqD{p&;OsMA4yAUz2*xg%JhB5-%>!atLRd~1D$R?;z2||BN71jRtFj@zvseYF$dH`@
z)>EH~v2?2gp>SJe;Gv}SAxNzR@Gdc32Upqpv?T;lCY2=~H89WK>##<{COl^b03=2r
znMb%9(p`!p{4fx-Q-X#9V@nVhfA4F&?%jx@-;d9}(_4lIIQVx&o{&Fq0$B_9=z_2%
zs)Vi|Z%R)P!4N@zvduHKXbG+rBdY))&<7w1Eq9<Wd3bz)0z9Tuaer<AK{Ut$As$KT
zqcTPRSEl-_sF&;@jyW}oHi;3<9$?!95A{NkvI1Sg@S)9O{&TOc32Uy*c9Wn}075y4
z*$CDw&#uMSHXyd_r6$;6$)%va1lL;mzHt61>7s(2CHajZqAlFkfFWxDKy65A_lSVI
z^f6ckM72ZHc$4loEaZ>f$*CR?Ge(2QfYo7qha_Bu1>M`JbY3T{0#dYa-g{rMPn2Cd
zwV6KbG8W@mqzK``Qc#vf@8-xU8Nz3G25zrdftCt(Ark5~rTun~PB2ZE{YhD5&Y-^J
znp&b8HpT~H%mP63bh&eq@??rfqh(D}YXFN@!$i=G=KlEy1hU{DSz`!*^$|8eHKq;5
z1<Ed^uwk;sMk}UlR{>cBCahpU0BF3|F#r=B0*OHp3*PuG5sV{bgR33)sl8)NgNA*#
z1^|y8({A=o5ta`R;$KCg9Hkye3WAkKby|Xj%o!@}TSoRlk{c=G7$A{cC9Vly0A}}M
z!9c^PZf@(A1@|s@dazL~Dv3zv`@V4y<(5Tt1%ZUE<owjQklH0cFkdhiR82*ltJ|6s
znVdrVvJjoELx8MINk7<Sq&AM3axECF1&Rh6_eFD2pp2-%*|mxb!2vZyVL}5{@LMg2
zXyPwl!QKFeTYkTFNIW0`%*HYZ%L~Xecw0#8ojgc?m^e$f2ulGlX%B(8HjAD8KDpe;
zcH{R0oZiIP-ct->d=jXD`^#6`^1v--)MXhUqM-Y9$-FUTp65HL)b_H%cIW{x6S$OX
znK1DIVk8e~2sOzL%9s&IR&`jjKZ=dPkPy&@!knTEwp1<$t8c7Pk{tCG@dKoE_4CjG
znF(t$Gkm39ormwf=BDem4GEq;_j4EvBUVZXQx~>|vq=G{N+d8Ji-|>w$4nL6;;jUu
z*yS!5;~^{Y84h<3d|$kK82<T8HvuK5rpLWd>Kk@UVgg%_cNU&Y+~yryWv@6OO|@uu
znKr^uf#Yo+{k2$x8dx^)Ixbs2CZ8{B+4yU;f{y_;Mx>13nC1p)+{Ro)!KJM^6olSZ
z#Nx%17#z<FtJC$Xql0aL1qt63fx_04_G*Y8S5Js<#p8g*1tmTkqV?q$bWC0J4Y9#A
znHg$ZRVpw{q|roPreS|_2O|)m7s5)~B>y{Xbx940PIEYs4iLrZ(Fqz4q#B0kmgLRC
z^`^kCg|<qR8%qdm-3lUta)gV-*e7ytQ%I71ymA=8><6NNpkWetmi!OO5iWPDWKn>-
zl}#0(36XVz&9ghxbD6D01rqKQX|WM4+X_<c;iUug1YyX;F?l_{VQ#%>yn#SBw$O1h
zh9E3!#Z1?j#jx<xfV2>S!i~+gOw)uI1pOq?44$DZL(M!Kjj3`njIf~~wjM?p-f9`X
zUIqfhaQTX4*my!u2h~LK8#N5rjQAA#=knshN0fLmGF}rf=NnK?MF4onc5XKU*;fEB
z<KS;>+XB=8(>yp)js*__h2~Zo^?`!cAsF~!qm=^OxFvD51>m2a2sPs%Lll7$1_9<d
zlD#g3?3E5D7P8|gUF-Z53IvM<K(f&^EPYtO>OKmt4;|;lg>OGqsE&6*x<<B6=o}SP
z#zH!x86!}6)ftGB2<nI2m8p<+k}MJq-5XvQ>rN&xjo@Hpy$zdCKtziPtqVBXm1<1m
z#C5r`wZj7WS2Kf!8y;E2z(R=<WWXGQHzy@D;sKo*PrQt0-)0$Lo2a|I*@Enw>|cQP
zZD<kKmy`C3W<{v*SnG`pofLk@L@~S^LaF_@P#$;^ENBl+q)eBMsR+u8!BLsP@wEqw
zXr@LBNygN~TSVlZhO)SxODSvE>HA@LFd;Hv^hDajJ=0|mNCvKWxDkX`WKbL&W{8hY
zOUj#yRf|C5I+_X}xXeR<hDor6?#`7;#L&cTZqg|z>NcVivP%yeRIu7iM4ej2E!^&P
z77IZGZ8d)10j8So*+IPG+}knS<SZ0;+L}#-9mdqoY%9!dMvXq!HZ~!R(Sn~D8F=dB
zYd}TMb~GHOT_6_;TtFbcaX8FBtXDGs=#2*{mIwu!`ZlDb373*Kq+|({R~u3q1kMwh
z4pATw3nZzaSvIi0E~H$OVT3E@Z&^W0VT*u^J>9oPQmOw1ITk-@p(6=76g11P{;|c<
za$H~9X|O>w89Hlz3y3PB&Qxtpg2!r$0(jc<3mvK~0^(~5ER&gC`Q~*=Vua3<&=3<*
zJZM%}xiG;VeHgr#m)TWZ)FQ1jvBSjD<kUyvYru5P`dL-X^#OivAk<UIOdBQ#)pGTv
zfS7}!;%drGnoyc$aSh|-ivuXLuPg+K^F<z6d`#LU2BpdJ>{fv>>yQn?qG>KQc{LMU
z_Pm;iku`^ENvhf=vqMxE&t<oOr-r7Cn%^dmtc%w%j8V|2>dN$FRm2=5Xt6LjgoDlu
zVuy^5FZeGUh7tf4Voq^~D1DL`;2vlZjTA3~VoyXaWHgW^vazH|f|O_tGzm(H4opXQ
zNbH1(0!nKN8UQXtQK)S|5eyq}PYwkL>YIBsLB^n|f<f9AyzB)-;clk1OuaJ<#*76;
zwzN&EC`OpFt93sFqH5+7zAA{(O)(^urwBcLVy9q~O{&5V1r{n|2*lU^1VgV>Q>n86
zO!$mCs69~9>O_HwVCMuumI+iqyc4+NLPf+<U|2aO4U&TV1=`V}E<wp4hj0vq3aM7$
zOokMX3&Ei(L8%~X3EmPqsS|J}K?+nG8W<8tH6$@0)j>LqgBfj~7-g<g<+(-x;#>j5
z(SljgV%7lcT$-}g0tN^V#j<LM`1NrZ^=*{G6wn6`__a;cibhy(fvx=@jsyYI6oLV$
z1Ea<542Dp;8G<?rk%%ivG>Sz?2rF=K>dMgw3z~5J8llzwTcyog0KJVyK)BEds4H-G
zw2wrjR^a7s1)W(s0ReMP6K7N~v#VjRt5cv-DS&dcd9SK&oKh*cBBEr$ijh!6sm4!>
zPBd8&t0=`RKS3eD;uxsm0StPDlYz-eL_}CqnzBX4Efy?hLDu6?>bkG?YEXSKWl_eW
zS}cl~vY6vjLM)>uAab;Ht*UNqsE&&>8Ac}B-L}+(qNy^BO|_J5jfE2ZvW!i!k8O(u
zJ!1a0uLZUtA?3y@L^d4NQgnt+;JXzwp|MPNJfw!hhwzOIn_{PII_9>ljKG0I4c#?$
zezi4ewKZt1v51#g?RPd`iW7S>J0~z6fSkd)LGn61%HouIg}Y5l9-wvsx(47qrOQgG
znhvq2t05>LP}+9&Jzq^dT4f_yyr6{(LBlO0Q%szbFT~Rr=^+z#gRZ26W*QEZ3k)3X
z2QFzE=46B-8V+u(FPO>PGIzH;a#sPU30xYa9u%GdG{r#Bb&UgA2_XYkLz{EWd6SK3
z6OCo^azw5S(h1XzOj0sLt_;#fvc!m9RyvWI;EIJ>gUSHFaI9bG#wiq%=?s8ItcME4
z<`@AtQx312>m?vSHK&I*X8Q6bdd+3}%A^PsGtl8uU#VI{D4blhhFGQ$kI(_|AQGk>
zfHIsWA0rSFrXy@e43@HqfyG6EF%onfCj*#Z1jN8PwqLB2fdINr9LksLo|Wq_mFp*v
zAWlhxgV|oNM`aU+nma5@2y(pA*GW?jrm}^>XC6#LJIQ1$l!WXS0D~b85vQ0~1I&0j
zs#mOxVF0!!9KMz7mX+%)mFp*rAWXu8gGpYb_{^d-W{S$JNCP}zN3%Kj4G;NG7KOUq
zb2_lImr*;52aVAxB^!><Skj)b=06^%eMt1iP%Bt*pN8z*!e+WpNY{ruqS6Y3)-kh=
zeNIV;aKm;W(y|`teWXH@l;$6TyRj@go;gZ~Jf>VR<)5eXR)&R1BOIV9$0m_z6h`Od
z&%Zv;<xu2k4e+9}9&KO3a^X}XMORblijK|e7D&*_o#Bx-noi$&+`|~@l}G-_jZCCs
zc#qsIKDTZ!C`xu}?zzRvryz54D<K{VsH9SUpXHgK+spg#4?NgSd+g^Sr0b%Q!jgWe
z*Nw!v{7j&&d@F4={a4d)+P<0A2Tj9J-B=qU;-S$9;gz*ul;-VDH?kR3^|`mL{ZWzZ
zu0fd&5z9DC6)bTUyu)Yt-Q-<(M|%v~-+!o;#fm{@{thSJ`K(C|i8hsr!hH<;HH<qh
z+oh4>!*`eCh?l$oO&JEXB@;K7aK94`!00{99+ZeiB*{k8`ct;z86@n%s%j=UOlv|n
zs4hy#yWKYyy1?jfmGXl33Qa6|SvgF}<xI}qsy|NBm>(0hr|xw8^*)m}JRQmG0R@1D
z#MLyi;VI72u<^{6@wYATihBg~a$PGf6rs*Sftyb23Lrj9l>)<Su%Lj$sCGrWEVB`2
zu9#4mL$KnF!^T1^iZ)oniK-o(6l{@&8e4i9Y~=}tg74@_EGR5nftR?L(|BP*x5B5b
zB2<;1(BPO+bF_WLYLp!oA$b~LRH>0JWKdIx7|kPDePwt;&9`$Z+b8-FPnH*#;0C&C
zr998mY+8abbNfmO3+%uzOjNwJ&5&d2^;0DcRWZ3m-ScZd$3WP1F_@+*Oq|p<Cp1Ys
zY2f1_ie%Nrmw9y3;F8vK17yp+a&yW+aA_ZDVuhTFewI67qL_hMx#$G~a>2~eSvP3r
zY9<(&_}<%xHXF7!!y@W8cv#+HyG}qHH-8QT0%Gfnj1`_4$;!6Rwies91`u-me4^Fa
zI<QirT^&}=SfRaOT0K!{OgB9&Wr`8@z=T59Z~I|kwk?jqRrU)rCQ@C;+E@_f9KILV
zdbO8pLU8_#XqOIQ$SkA~lW|<8QYW9tl@iUgDoCt_sH1F#A{o2*akkkkps;O`sKWdK
zVj4khnoBVVse&+vD~)r`<f-6lW2)fRPCF_;ZY`lk$ZG{#3MUkT@Nuu>s~}13wiH!#
zpc-;%o1Y=$x(|gY%ziXKF!hbBlQV!28Bs(T$K~5*!HAJvO_MG#s)t(97EnrfXYGn*
zN>UYxmm8^6fvBfNr7TTd>}lz3V~u)%H-ytt9`5gM^(%yAib98Bgv+NS-Rzd9N?|K&
zzf6TVTtM*B(%+N*8dZ$aW|Atxm`}+EMHlrb&L<MAN+zTO$S4|i*sG<j+#UPX6aP2x
zl&l4_@+uV#8J`Sr4fb88Gy(p>1)EP_?oPp?Fc<6xxMRHyfVCD)T<2$BtBQhkcz%yu
zVj&Mt8>JX+&}nj6TCeMg23oLExN@rEg&eFa_3@2NbcYO9U|fLI?Bu`WB-!L#9M4^i
zs7YJB)ciXYg|7+WC)xtMOL$Xji!7W~y3Rsz6xO;CVYd++e&Qoc3OHx%<R!{bq4w%W
zFkwJ#QqmHnEJXkR!W^eUd;zP~!eG5&)TylOnR$#`A|nK7Ob0N4|Gl`0bm=maG>Edp
zf6FM+N|D=R9!EfE<>rewV1sf_Ca++_L0=3{U@VcbNrq;cTCb704jTB`07vy4T*y#B
z@BLtBrV?lXw4K~(aiuYU)!skIEqdK9b~lWU%1Hsu8wfB_YrNn{l*y~qBYGY*nL!!b
z;?6cP?kc#giq3?ZN}YMSn(3NE3tkkOVq)9DC$y325Tw`-CPqQi>ZL36Y<x}bL6P$x
z^;qItW5{^;w*(U4!0cSfiicCc#3#Vi37j8JrN~)2I?w9wh!7MHp&>I&S`;6RrZzma
zSVg_m1c7#dZrjn_slKvt-JF*MzV1G;$wJ7t))0uwYA9z4l6CXte$o;N>2@F4T)-in
z$sdW(u!m&JP6ww-Y?de6q172yuOAAGzgR=$r<&tQ({e*dU1AjPGWNMYig&~mp+n>*
zFTbRRw?4!#il4jjT0UD=44)ZT&g=7ec)TYXDWtOcI1Ch9gWNV5OSn0yu9g0AEcp<b
z64C;t-}L!#fd5Gzk~PF>wsWOe?VGz2{CSKfm&G;mMfh=<ZCYtC!#5-oBqxP>9Wr4H
ziDb=POBo@DPO#K~R*V9uRxs&xfu@oUG=wLD)I_kxXS2CvOZ>m_hy@mqn-3`L(MgOh
zQ`Q`GOJMjRxUi0;*_GVkW?1eJH*zp`Da!IIA1lbrxx6+-#tjm!B6a5Ra;M7+{a|w2
zg!~r9V16?eBhr%N@tiDt*_Vdo9d4Q8GJVh}W!R&}xf3$T+rR~i9Xr+Byg^~L;%C*~
zXovx;#9E8+#V}+|I~36%?i(Y;(sbk~n80nZt9ZSsO5^#^i*8=mSQE=G_&5~K&SbNY
zQsz}`SYW#HKI1L*)}_?U&B5LWcp8+yLJQK&yP^pUE|UZDucvA1L<p*TWLQC_N(=~U
z&@!5)rv8)+oJaGZlt~_-G=6aLmUNFl>+&TDnQc`eG~`8H=jsm-Sd@pmFcf1c)L~0Y
z=wvG-WSsLAF~UHMddTiN6~UB79J>@)rgHphG2yv0rtiFne9O-uMV1!iwzcvBkqZU&
z)VTQ1Uq-yJ7N!P>&$MCjdQL?N!R*LLFwZVa>A;quXH<112;l^g8K{399jiiJK(I^5
ze<hwQuR*(&?M|fQ%sbxa7FDysZH0DVNPVnaXvUR0r|ZPmi&?nBAW5ty6)cjh_i!BJ
z4k<`C7@~8D&(7|t$n6={kefSWmm@+Jm2)3^odjVX_l6Cx565<U-WW9I+4O9`<#%}W
z2jUQ8OojqEg8z++3_L~A!7@_x76Lq*H*x689^uu;B9Q~)>Rz=_I)&gmh2!C1g;2yM
zNHpt-Ct8^Sws|Ppj$4Mzz~i}qZ+a2}=%;xV*_fmR0O8p~B%5JSIZiGP!bf%(UCVNJ
z7SNX0M9o<+>A?^OQ?Z}NQO%CA58S1V9Vo~x5;dOeC<fd)t|?_SRmCl!nAYRI=)NL9
zkn<ylh@fvAHVnMW6Io?NJ(=P6s_MtWkp)wZVXR+U7ny1)ryU)*>KTst-jY@?-B%}_
z>f;a_yxDhag^?9jLiGj-x4JH2qQI=)0}`E8FiRrf{5u<Yc^Dasl@jE0Y=$@AhInTN
z4m1&zl7)U13ZzhUbvZMgtYJv1oj(_aSGOTppc^w1y~sx>sZygP??c916rPAA2dF|Y
z?l=nA>R$;G1c&zshM>4lBC)cL>oEA!9Bpj{;xRAUeRPCe7NUwah1;kG%_|9%L!JSp
zmKU?YG?3BDHiEC#!~}Ueeb`l%j}j`+gnA}jm}26}1^)=Dn($WPKAUH`kP3$}1OxX1
z#sbQ;-EkDhAOWomU0P@WX&Z1Z>>_LkTC2W@rQkm(T;`dy*bt4EC$Fv%4$^v3VUZ5E
z$0k~u#vsKjDJ~4S-3Bgn%WUKp*e3#mAZB+zMhR6+Wegm$4h?Zk2VNM~r;UaM%7Q1n
zW*Y^__v&1r#~6W?z8XGu8l(ZAF87^OYO$>jhmV*TR3=F+S$Ml6p;*s7!<`NC=z|Fa
z&3Ocf^k#Duie_iPh>s~kMQLmhTZgmJ&4w|`7~D~6kwc8<gOQE07-S-0#1_r%1rcPT
zE9`RFmh3lD8v&Fkr?I1Xga_q3<3&mHnq3qRq2~ecw$J>m0AFeRSS2CIhsAg+ii>H+
z2GOGA_cokOs>T#{PvkU0h1IEm6EXPq+}Jcd><0_&lfW=|LP2aVg?0teZ1C&OfP;a0
zJq7}=!!mr<1M0U1C58&d3J+=NLxqqD*P1ZUUplY#2622;>A(}^2IXmsYTr1baFjDJ
z&?ynXN2gC97<AcY+#*xNBQwPivE34(4mD2<P%VX0s=Y{zMU>)p8^xMXHrOVWT8veN
zNcca|e&H6Sc^lPmQg)R)Nh9r^T~Ci(WlpI#GU&5&5z?Z|Ob-uLg7T#?c+gy~O^W9_
zW#K^U*f6{_5r9>OONBkBxpkJTqG{SMME4^N)Q}oj{p*Cufb>LHqv4#cBCbd)#c1N|
zL!5-JLc*i~j)IevVp@wa^9Zn-Q%VGY<;Z~$giz&p=`vsLH}&x%6AIhYK(fwK4qEr|
z@nSvaFb(7AYtGENJqkDtW0ZR3V53(k&#elCSBhtJK^#vrfgT}1>~QaGM1(m-7dN#e
zAY_aagjtdd>@R#re1}QuTK@=)5mVYmpsFK2i--i@Kq1Z%><a<3bMt$U268LL`|hc>
zEI$2MELMzZ!+1W^QU(sx1Q8`-Z&ywV7(VnAOA+uJ?+sCZw`isk?7hhgkfv}E{<I5<
zdh!do@>hb0#FST!%IJ(4_UO2XrQp6W^~reAusyfW;*%;3&uax?wv%E>>4jjl+@h(8
z%mMdYw?+Ql!=TLBRnl9?NDmu;Cz46rb{?eEQLWVovP!s#fr6~9m+jMUSghw6ERtrX
zm`)LrdJ(W@0-ZL|@F1PxjF;Omgkx;7<u@|`HJ~64umMu?E3mBkG4OwSMBv+M*%V38
zaDPy2lPoJhh!sg1+4Q7bU}==d@|c%hPpFkDVu1$Nkch2i)GKb`deB^mIxR6utU^x%
zw%z6i;o=Q;z|q*HjNGs?O@KgTn;p<sY_&+UXgHqJ5!uKvN@(olYV%B^T_h`L0tjd)
z;@C#ZJ;<wXWYcUbq4?`+NE{NZj-beWk}chkFcKj&=4W#X1V%6j3^mm-35AB+OBAY5
zi|*i3ZcW~y3bj`(?{8|2OGh?0VzVS%^m&?MK6y59o;rMaNZ`6$8b%1p6^4L($fZde
zYlN9fl+BHxi(iTN1Q<^(hAU^ac=3WxZ@8vzE7*buS`NWN(9gHFtJ)iJin!u%RMvaQ
zsK8XUeYnLyG6R5xZX23lV7(5=B`^np4h0C|Ek>z^aC^8erX=7BHFTdfb+QgYJ$XGe
z$24<i&tdf06MeZ@tUwo-(`054)iw>^pt%)X#WEoo?|$^o7%n90&~k$;Tai~YY;Ca#
zg+vajdQUeKoj8J3?azHryqEx+HUy%=1})TyMbV#x<t`w70xgDd`EBX9-0sp(20U95
z-x4u|iTF-ZmcL9XUT7wAUd@+I22s+r@D&icnSq!4&?_axGp<7HgNP1AG1H9=ibpd3
z+sqXW4BF5LBb1^}X4C3lB{Ce0>{fZ?gc3!pj3=;m{xi#=2Q&mE<tgKgcK*DK6jTL=
zf!eHt0NJRELM$bgi0p`3X@OR3qjS3)%=rcPChHI+OMQmTOSl?KtiCK(z)m*%>@w<7
z%S2re5U9bK!ATuJ9}zKyj!?BgU@uVD`d$&+qw$B6LCn*o9$8X#N7=xTP$weBJU(%-
zST9Y&zQcbUPa{Ae*Ib*CIL2UQtr>FzH6A$rOJBc+uHGXSMhHQ=`DLQjBTXCj6Sjh|
zD3@67k8PFcWR_FF+V@Im-H&XHdEztZ(g+b1cFbi)7ev0j&crGtLKss(ti?EN7#3p&
z?bj30vFt1|${xK^^5!!~g7_JB5sF*oU(8qZa>^7U4)Z?7Gt5031dIDYt)2N7RnasI
z?Z`*;`nF-3Yi=vO>F(Jg6|x%^Rs;E1{O7h$B@G9el`d&AAN)s>>MM$b;kr3!^@w*<
z6OZZ9i(j6${k7uh#ZO#L+bpzPUx5tF4l10=4qyDq%=EfKGWf-ZFMFA;)@`lwxL7^Z
z;9{-!WDQG?PpsJF2bY}@VrXiF4MW!n9AfY&tvJ1pP$3R=#qS(@%TBgIm)mWINj9zV
zX{9`Ah7Oc6-SgSKnf1=aF!~4v35;qGpNxt%f%wB`s%A}{<k=zm!KA@21wbh!K}g!_
zyJ)&N+nr$OjsU-n26guhxQK9Z17LQg`9cuo2@*$XVnUmi+9dEhX_l@0o_Ps4-EiS#
zC8(Ll3nAFhcFYNArf&6y)L&&pC#S-5K(I%N#P5E={SbX~cV-T?#HvdnPnlTs^iqb8
z7oJkKHG2N2?QAN8@tZoi@bB>cje$PjpV(4iWiledVno+-wTG(lBKg?;JLG>CL~u0)
zR+{;9mD#7O_x}=a(CkCq-6qEm*GrE!Jz;bv>>j@5*0YQ{gA_O6^r~W3%yQsYHy~G&
zV$`vI2{^M}ONmQ^+*}akdkhnYUll!gHnsiN+e@q79lD>4ifB|1ADKp>5cS^hdSt-!
zlAt$p&m&Z|7i0_UBI2I_%?eFmc!`!+rYHHaCD9R!gXGW<(jq6VQu+^Z(|dHBbnZR#
z7d-hN+zDb4z7?N|Z11*?1i*NVm|YB9ORe?a?8IIXEfS8m6LVONktuA7W`}BMcWE(`
zz3B0arFCy=rUxVDiXkRlLd<U~3U@3D^hq8T!aDBgGUQ&uB)~_2T4@Cx3;j*sr)<Pj
zzh~r>BJF)zG5$UnCgaF*6}BV#S=0rJ#m9xjv#SZ|cb^Zt%(A93>9A?Upw&kO!U{E$
z|K02&%PKk`ng`S1;C{6~W&FIR8P$?oBL19AMwp6Y4e_=`{Wz5(jU24YlR_|v7eV_7
zFbrKEFh(b-3Yltq<~-o}7``rvHYq?LH$4PQ+uu9UAxCzorQvE0IEn>#8yF4_feKAQ
z20{Gfh_u%r%Sckho8a@9ud3Z1rAYPF0Z2vVwh|x?pQmJ`iczX`LdntzF>Pz|6l(Ls
z%brrOQs2!PeuS<j0}5K{-@Zc*=Mdw{RzeLKGx%<vD1@F*GOr#vXosjF&^>7V@rmN7
zo8bRbgm840ig)+8C-!7bX;}A_cXBB@)Aq3Q%F=SQ^ZF#D%WsAN@<t8FFB$Di9W*6G
z#)y?Pl3j5W7<4ip`FAj2B*K3h64Q|fzoc`l$!7ZPjBSzI39hi}VUqbr9A4tc1w*#o
z6xJBQ`maWQTu{X$Loi`Tuv69Gn^hyFGWkL%{`zz|A0Vj;g0tZy7WWU7HYE&NJ7@Na
z5n&_L^f=ji1}<{wKtC>SVU`lvn!@Cx_@X*ub--~2LdtF0KPFMXB@+0QT5b$0GUN-a
zSZq9>qrQ6>$Sw4ZjKsQ$$p08SSGy>HZSIghkIE#Xq=BILrI1Moh%>g-t`$3pX-eGZ
z&p2}er~cu=4#EX&if9xNq6e^Ta@>^A^hd{S|E99<(S|6IYbnYw81zF2t4cZ`RA_-e
zA`$#!qM=B}8X;^${2|0tm``M`3=~^K%2I|S^C(SY1!My(d`ThDgne{h@vNGS3&UJt
zkLtC(NrWZ53Y@}ggbmkL%;d#;5ar58Tq&2kfS+yQMROIR8=@*%AwphG#ApeOiV;O`
zhiiTfRM7_UV2hZINlc?AaHha)D4J{?m#SJeeRi{oPOLz9^Hbwtc(9TgXn;*c{3*ts
z9b7JTWZw-mEVB~~JC2Z*5~L1ja3%#bxffs>LjPJ8=vTW?6LZ&>f+opGc+%L5U6M+n
z>P&C^M8-9t?Mr$XCa<65lE+}yjC>vuZYyTOP;%c)iTX8#kzS{S%EOUZ7ei+@s@;~`
z{gAvtIN1qmJF61sm|jkVJZwYRV1j0w9;gt^vCX|LB!!kD02g@wvoO)LqsCIjaAg68
z(5r$_9NHcg4S!Jl$sE_8^^=796(dV9Kl5qZyBq*F7G3%zaaYSwY;q8j$W(E41N;-k
zn^xN4eg+@UlSC<^h+5J+D06&Gbjy!|@%3XMy0PHD9VChZ5%qZ}l^?O$2P6xN9%v-z
zU`am9uN(vFA1RF=)783c{`OI)Pm!%8bni-yu9fNUbnF0#TZ`%$NN!Fl2Pl8aaO0Nw
zGkeM!p`J@}FQucgXrr|Y&4onLlsr<2!`ZHa6O0;}MBghjvQZBY#x8|U$^pN_V25uP
zQ`zG|{tGg`5yKk!FZyKz4hKN3D`}jl=D&Z3C7>IK2mt>yU@p{%;gA!B)sk~yL%;4E
z1Q_Hx0AY&KOx^L7c6P`78;0IChZBoxLw)~)Td1R=d;bka=nR?Usg&$p1JJeL_;fF^
zvI3RU<!zZaK30?-?o}lyRZ%1Y<mwFx7ttUVFXSE#JF%nkMp|o6j=4M5zdu9;_z}m6
z@gstnE!;XYROe|Cs+@i+ITNTKa3WVB#{qOeQMy1v(*lAovlEZwDU~SL#;Cp@4MwQ{
z%Z1YDcbW0nE`UuWx?KC;qh7?3KH=V+4P~%9q)awb)<}qN)T8^sp@!zRA+_~tFfa^x
z)`m0XO=W8Cx8+y_Gd8%MK3!Nw!btj71#1(Cip~R+S}Ve4iIyPT^Sanl`_}c7hw~Ng
zu|>p;0-_8#X3W?hoQ@5#gD#w{#Tn)`Dfsr?<KZKNZ%|Gq^$_4-o=;FE7!qOFi1;u~
zybLXINyAe;2^az(9uF-9l7}aTBdW{3IWU+tktmES#<sL_K#AP<B_Y5Dn>-f<KTj;o
z(of$2WVaWbZTf%h-2PcF)wv{Tzmu}kYB?cF2ja$oM|6vavLdTV!TvoezzeI>dhhy9
zqr91mgpKhS@r6zg+|9&vNXM+6!Muq~&FWG^_hk8i$1^t(^m8p)y<A$6DD#;g#YFSK
zct7dk1U=YfLRDu>S7fh*SNT+b96vd^442C{>%Yec##W(Gf_!jyrNMs-tU3ul*E90#
z>gYHmTOrr0LlIFPOjCfnp(~qmyv9JtVg(a%@kZ?1cR0vZM{rsfw$q|#DkQbO4$#U$
zuV6e2!6?q%e|bEQRS|&ZYm2+JB7!u<w)QgwWX@82f=H5b=1G~8!0P<K_pc(YD1kxP
zd4!K6ijP5;8ws)j@M9@d<ObHF%OcEhMG$p`X-oC$vzqxXEpJjF1dPrIqZ$M!Os^Dd
zF5n6+MAD@K{p7{6M?if7-YamGP;_6!1<RZ4XzWOHfvc=IfM#Lx4z6y3;TqYlY!9fF
zKtxE}jZUQ6Ns@*H;lyH~W~WSKL<{%g1~%=L83-(kuaj5<5yDn&WT&ENibeI{OiOq?
z!PE+L2&aW1PXSU(K*<dA-Qdemi-b$po;gAJRQJ`wV?nOImmHturP|FhB&3vW%8b|u
zqXb}r-qz}sKqE$YpyP1Hpp!sWz~!E8FN(amN-LWF2c4ZOm*O6R6R88o&jTG*>8>_?
zG$8}gVK&mBeUNzhCK09wkqRE8rZQj+pO^?=TbRqk3rMdvYF3h%!D_07*1+P+0WR_A
zT?Xl{ZKke4cbcl*g!WMq*)}(SXq^@X?9>f<6+K)+8p$L=h*rMdv&_QomzhVm)kLMF
zWrqWN(Oq;jP}(GRK<BH-g~&|#x*mWJ3x|Q<ssq!};7@f;9hOv{3;;gi_Ac(MrpFyD
z-h<pcg?&XBCQ=~uKnVye6rt(xG;(o5WKZR0Q;7h-KO}Iak_YpYqRP<`+Csi3VahNP
z@IVsMquWlKz_+mm#Q`LOOt2;4QZ{I{ebPxe_eJe#Y7Hhr&Evq%<bzNE48B_J3R>84
zkzWY=nvkG=Z>va%?O#d^%fB&fCkH!T@_#_2ViIJt$zab47J1tW8rwQ}up(HQveiI<
zGflRUG<cFjCk*m1XSJ#5_}<$0BP6QP5Y9Gm!RO!gjK<3~G-<`FcTyjZx}QY2k9NSf
z1Ho2C*$=jIBF8?NpTZHkG_tj{=-Yir1(@jg(4oyg`W6FBQ!Dir4<DeGHM)9@lW(J%
zet3NvjVLv-^;9$U7_|j!^!%9(`P+>36iAl2Q3?TD+c|#$*8^&}w9T9128=jN@XM}s
zyDAi7enpcsAqW%+@y+%jf)9Sf<R}$y5E1#8@gP{}>I`kGB7FBiKx-4u&kcfz;u^-B
z(7-*NLw{o@aDP3Zoo|+`n!wofAjYrAOBUV0Od1+LB&_L6dL5!>XCVt!+?<-Ys!&;l
z@Pu1MF2;vw0}!+{MM%pBwVYE>z$RdS=08}@GXCGd%PHu@Ee)=PDHw$hU(|SgWsT$q
z7=>&2#~3hS^LhRiSg#8LoeLAW2{Uzu*@MM{V<{b8k~nO?Vhrg_A!@U3VCbyeGGa*U
zYA2hbvvNw^=2a*i&?h;B?h+Cr>Sr7VSGh>oo-)Y#6=!1zSiJc!A;~b{@=57_dfIX(
zPS+`&|JTSwW$4QEiy7n|M_{7RE{4#AhX9x;3oz9|4VJ;t>|zJH4N@uj#OqASwE`N#
zz8vn+PKvjF5`GtiD2q|n64P?5`r#zyV#qO?8acr8TGM%QK86hS!01@B2I{Hb6R~a$
z&nq~UN{sCtUsM%}2s3kDnymHG1+^-L853aCa?s8~7hs^EC~{B6k<7uffj^A_1Aiuf
z6z;ENR6o?)bPCTf@1*o}Q&qNhKCuT)m>R(uzE;!GqmF`&qV56Vx!kYU^ndycgcwE!
z96!N;bt4E*za|9<LUm#y1CVm`VM0b(psMu*vMET(fZ6CGgYq(xlcrdRWYNR}F8N+P
z0GCX&-|S2>9WK<7j5Wud<ceU?>y2}!SShL~QK{&@4Tiz?#UH9V5Fy7O(%xASBvSjf
z8VZ9E;XH73rjoJfhLQ)PhU}Q68+8Fw&zm7)iMELNX@*KgG!;7>`!_KL9D>yq*NloF
z?t+#mgT@u+b>U56BdKqZzXA4Z0xnP<=%Mk^4fNP&@iyVr<(!uo>fO*RWu!5Z*ECO4
z<#JrjVTe#ZKq)OC+kkZJha*E%MPKG-@zhiG!kVA}pQyWBh1VrYjZWk1Kof~)j8}&d
zjv+agDU9%YRnqdZ57RRSg$W%MPYzOpgOZ@R6}!Y#Hqfhh0MmZCG&qC=wqm0y%mnX(
zgyz1KBh~bwA4S+U^gmDuI26nFu;yUP?LK;Vt0&3e=HL%}5>O7@P~~wmaP++}_fAOx
z5BKV!Aq17Vzw@~bl_AkWzaiG?{d8gQWkM@1-U|xLK9dtQ`UEuEh4<}?O;1Y{G=imf
z6%aYkm;u`4tpN9vaP^qo;YBpd0_vX*CX^z5jI{$hC718?z4`a+j=P)3q5Q%mX_g&a
z!m9Nne+MIego&jB=cNNe22`EExlKk_+yKzPVu1lJunmYyzW`gIUYGzrK*7H&{lfU8
zYp&)JF(4E~()kzRwAvRTOrHV8F1w#-QIoiKvd{J51{ySQ^dqTqScX^L6TkyHd$c^F
zFXH8KfP_&p?vsu-=*W)I@;M*qg>>XhC_d8zG;()vCM7I3KwI7qwE_skuk_=if==!0
z)(~!^uvvu$xH4Q1zdqt0%%2yi0e2dF#qkNVoJo5EP@mc!31z%Kdi&%Wa6TiGW!!_e
z4z20~uYvqDsHBYshF#17c0dQPuI^wu3!T=OZ7EGscVTH68g2)Amlje91+o9k4~klY
zb<-)(f><Y$yD+0Z_9-A!XIeH=E6$&6*z*J8gVo*7!8E_QeW>(@VlY(_dl4t|z|<7Y
zdNyKC3ts<8cX_mnG{VJQcQDkb%LzM$rW;GzgrJ&JOS{CS-Q1ms7vO(j(lJRplY!|X
znjlcEwNxzh*Q0ky9U&<d2y_($s1%*?=#rCS9Cs$9B!aQ|93o7EeVqiG&%p%HtCuBw
z1lKjxCuax^E)Z4WZPjtVEde7#XTW&>mcKY19s_Ns0LQ8n&2(^iL(O2SzPfAFqT>Jw
zQWBGZkYi({lHgvabU=QVHR?R-yv<TsX)YQMcApoI0M<ziA+tX@bbkR~l5YV}t!ToI
zED?_u+pv<Xk>cX0#h^CB(Wx0WAF2<JFpQ0DCs2{I7_KW-Wml)*jI*}WNG~{Tgy(P_
zvVx{ylOdj|QM<yW0GN{mq|jqVO-;U`1=c5XcIx^-p^f3l<a0T_NX&pNLPK6IZD!q2
zG)u<!X)#uE?w@(g6_K_BLTr#Hq7Fs?I&F7KK>0;RwNA!vx@bGZE*D!);lL0AkfG#l
zA<6<_%)3A{CD7I)EQQw>1ZKS{-lwfiA**u+rQ#WrG%aK2Y(zzfG;zany+8mVA5j78
zg=Rt(S3q&mH-Yp$mXB}gl=+oPfw)Tn2tGbgnV9CAYon%<AM%}P=~HZ34ddJcPu4J~
znVV5@9S_l0o+OB|JnO(!LXj`Xc$aAyMD(2I)QEQ@-A|{|&@2bH8N$!_J;oboZ~q}Q
zoaBT}#&Kaw?*YPd;8@i_othvoqG3epGZ#7@9kaCI1pp%8kIMg($_NBX^K8XRGYJU$
zj8XHTrnyzDif)p;rV&*fYaK(L<7o(YCWf-YOp(!}G2V!cvHQDR-z*~CGa&%6pb(Xw
zks~UD8sSiq@T8X1?k*LAHXeclEiYjXHbLxKfq0Y%KsHzwgj}@qA_qduoz6zwg_(uT
zL=?dw(_L$YbL$J@i|pS-YC_$Z6FE*;fHBG9%9(I9MA(!Ikl{in0D{~k`Y^Fi2h=Lw
zd{i@MO{{OfioLwf>o)3W;_Ar+yiNWhfKDpBJN}8P5gE4**UP1mE>ie|vBMojmQqFB
zJ|+etJ$c~qX->TX@M6?Pl3h_0AW`UG?(0>mAX7>fkP`qC&pQ$;S6fj`PDLt@ja07z
zxYOP(inT<q4gmtgX)08eTA~8e7p8SQxOV_wOH69N&N@DpsQ;VfW5{P3((LnLQPXY^
znp0V^tR!KKvtO89E_w1TvwI_3&8Q@FhqJSFtGC!91<5>MQ6G&R?ZI;urn5mx)Ef$u
zkON{3gLYyDNyRY6Z+fj2O2=9c`YxD}tKFDd(uo>1Bx-2C=q+W6dpTri1jQbpUdqVz
zC~RWh0V73E>ir|UP#DJSPOJd=FQt^V2rvs<Z2%0&HpXQPJSt(ZPl&bXfSsPy^TZ*1
zv0DV74QMprS#`{_vawxdbUD8t`w|`C;T<NAWt>BsQCVKi@pWlsC{2N1NdH(;t%YVP
zz*gg(9S2q%u}#5FAwh<$tZ`@p(vD)P5OT1l1Xi6xo4jO-+~m3x9+$6-+ax0s2dV1t
zf7yI@ea>Iul5%*doW;~+_-KuJ*WfDV@Ykj|CMVQ*IMQlLFE?=WW0)|dR5`#Mln^R_
zorw~J9F7%Epj;_Aj%L}2d!++i@Te!D_`+|*PZDu0Q@f!a44Fq#2!CRVc;AZ!r!rmi
zk_EbC&`pYlaGmC-Dd6Nvyq=GUQ6&O|)dmzz?iyH_)K*Y*NFD|PO#_=;IjX~Y9d8^K
z7`&n_O|i7(fYl|h9GtPPzx_4$<tN~nmhNJ1nQVtz{cbDY^vcLKyN`4^N=QI%8^Rj&
zD8ZR$t|am}UO4Ob&VF$gl6elRYmBtpH3T;4zw*QQ1T5Aqi=r);he-hoVk)j$a6Gbi
ziI#zjf`DIF2b<K1@_!^{jVFnjqV8~+lX3>(D<i0}s7MO<!+VG<QLzBA+{Qx5>FY%|
z0YFRGH7e@BWDk*Z5(qZUq%h4al{85IYl1$_t!-n0Obx219|c@`Z4Xdji7Q4mJ55#C
zO_->YdJ!*?sBs6&(9RSTls7lMVVMk~g94=AD0~MF!Au;4yy?66vNg&T8ljK6!8je|
z_bH05V>(TtqHq}{EekP~nk_6k*P=&skjSJ()eB)wSi=Vf6(|xMF=?fL3TYNBrdFOQ
zz;}oP<#=y>vcMlWPoTBTm%nGJcsfB-dA;(<XVSj`B*i?tYZ|)(FLd?KyJ2Odj~+{b
zo<{6L0EGY#4IPdhPAGYBvINgIrAYGQRVM>eI~~19rbAG5PKX4RM`#}~qzcNTl*f{z
zf#%7y9$+?oPFh|nvjEdbgDH(vp!t&UuE~Qu6^ejc0_(u%=}u5U|HkCN!Bh_vWB6z%
zFj*HjS+2MDks=R+Rrz4yfC(@T?H$sfm?`GGuW3X7Dp_2a(wnTxWZ^MW^8!yTdubRw
zsKc_GT_11Y3gaA?d>uOA@Cc0<Y|1`AoL{Tj#6w&cR<?`gAMA#&@Cpk*i}wIv$25@k
zvpM9XqzBut5UW}E&(A2Rd)?K{7py+_I49gczn_XE^3D}l6(u4Ds^B*bM;Q=}{q<&C
zs17``0jU6JI{+9MkOvnc{fW9fdOor_GL$hN_AY5ey14Oi2L|sLJJ>FzOSEWxf{Ftp
zF+@eaLnxy%^06fGh}jIVFh1#1D!F8~71;6FSKO%Uxe<I0_&<n2@9R$RismED%LD92
zN}bRtR-`yrP<>+{lsf;@;Xu_u9~f}v2HyCNAbxS(8I~NT?X4w(N<E>GC2G6KS9`w3
zV20El!n)%yuJWg1iTcKvDRrE8u!ugeq%sO{tIF4BO*JQjRg5Q#<+D|k$<0VkW6H@U
zahLrza%%C~URQ*K^d!$!R2Ek-JhcI0SG3bG2SbE-!yFeVXg3h*a%fGGci~19LAEMK
zcsEt_4a4W3paUq&AJ2`H0DnL}fq$`(km3Q_7T|G}I{%t51BE-jC-n0hOcKtEtl+$%
zxEF!Tmy~IDG}r6FJiblD>0T;RPM{2D6qx`ZjLNrtaG7Hs?J4CrIUsBd`3r$$r8R`7
z{t9~qfK2%{7H}9A9u46i7@;2u&LxvQA?QEi9#&sCE&q1_m!suKA<805Y)I1R8GIS)
zqK0GuI3oH%*aQ}PUsWU#3sT(>UoBYPIlZC}%o~uO8cP9eDYl@9w0`&dK$t~C#Ccpa
zU`@aqcNdekVel$(({wOVnRZvJMLCmMC44aUWP&?T<<VV9tS-|SiF51G(($=$Kz72j
z_5>_rC5}M3eKQr0v)biHq@wzA6Ol5+i%elA!j4(CMj1pT31aQfl4(+jM*nNY<k;lM
z3>Kle9y!ASwW+}NVWN;6BKQeQlh2~|QQx}0ZXHN`Cr_Y5d8cdtY@WZ(H?I9aOH~P2
zR7eI?ZCTL;Xp1G7k|oyr?(1)enHZWQ>Y7CVB%$y|q^MccRJ;V+(V!d@M*#1byq_}y
z>_NHr3#<X2GENG$1=F$gECd*LzHfn04Kxb%NC8=GDIj93<bW`c0eQGr0gM~Wm}K2u
zgQQGCPh3z(+g}DJB8H*><q82|CFQ`}p-EY^!6}M;FE4FWv@vzyUzN)b2kIBkfT4Ke
zr#u`>VlbbLP2}Jm!UTeF${K)K#X!Ggy_enM;h!IpQd%eagntyR9w?NmL~UzXkItv_
zxAGd$q-3&c4X0>5A#XyM12kF}W&p=Fh_Fc%i7N`urBBi0EmfpAoJi!$0_KaONmu)R
z7I3V~S%RAYV#OnW-tfj$bvzleF`=3BCqXrUF>*^V_*2Ff_phkNy%3lK;}r09D2Ybp
z7j_gAGgyi2fyUMnhs%rXBmVBRbrhlOs}?0;I)I_6Tlu=MrYTFc;f3kg%NSuqu+Tsm
zG);3yo!&@ldPZN;KBTq@XagV6>p=SeWv*SsspT+W-&L#%-wRvIz~1#YZ{^meIW~AJ
zQ9t^hUe+K(0A-LTuNDo+FfJxgFb%@og&=yUDQHgLrU1xp8qP;LsG#mMkGf<nrPse`
z19L%!`-VIfFf0_)Pn|Ud*-sH=4pEH39aJ@+3(4sCB1O=4Q7Rs#_y;IRg1F{AhAcRO
zq#nZYpETl_A3J3FAaV04b9;BP`r5h}$fCS{j5%8Rg@*(Z2dorSgz9>Z*Vm$ly1Iiz
z6#@#X+gGCG2Z&>pvpJ)qrnn#~H0~lRuDVrj8azl<0AwxP5H=awt_1*O33TFqmU%^|
z(Nn?iT1Nd@sY<ajo8Gvh%wGNp<24pmhKmV$Xh3fq4As4eqZk8RN(lz+LbO>{gP_X1
zm_Vz>PhaanU3sb*9i3uV<<*(wpr|lB*r)I`=X>)!9y%g@#y!}8H34A-3L}0(6e5fv
zd@^_&`+j}1?HG?eeftUz{y|&4`Oiv!v-!G))|?~IQdrrw33fOh%pf?6x)4U^HrV4a
z8(E$<z$28sKn)@ZNF1n6mXE<1?d5f0M+x*_j;ND75Xv`~ZPTDZU)cKKn0q1=V&k&T
z(45X;y2v)6`Y1m91z4oV0IC4o5EJg{ruQXaXw+w9U*LsNK<pC;gn`t+B)<ulh_?jR
z<x4&}`S1_>zCPVfHf*7y>zD&@KsGlt0zd!`kW>WIKVrvi%x4mDGHnEn?$8;Pg-aO$
zSr8PsPE2w%dJQxZc?ba2*?)Em;?0YR$n?{MUHMAecW8mHq}|SHO=@#l!wCO7j5T1L
z8sStITfb_&Yi$z%Z_p_W#ZU(21dzTHt^Eb{c<+Bg(7h>eHpB$1b;|(9oj=z4L@?@F
zb=#xEC@KrZ63wGxLw&{yNLNrh5EZo)3<_+`D?#BwL%H3L;r#0gvO|ljJi%FIH4MKl
z#)f;D3M<(L6K337?lT4FbfV9AL~hcHOyLnVWfs-KBgT+fTL6e_Ah%z7+AH_05Dr4W
zvdi*ADIm0WBsr!E$Q{{YL2hz^Bgr7Pw{En;_>9bg$-BZZ5(`a=0_U;=*L#3b<S&@A
z2e2gq=Isue=!h0UY5ma^M1t0GfeGxj*Ls>=HiM%WD2PZAA}$&N%v(R5Q~4LBNWYw9
zh=6p#SUY7Q%HlH@j@tA%<zdVftgX!m{{#tUA1FD~uT`nAzS-ZK^tezofLg<He9;Y#
z47eSei#2G>9Riq(=lx7s&m6<FX*qGqT%0y4Mk@YAO2&j9A)WCLdoWgkVjbD&gN=V{
z8kc38z;ZObZUH$!xz+(g;S>PD_MYE2T`NLdg347G(R<1%?wjgWQuB{e7-YMGHlD!m
z6&=7qB0+^MOcW>90okog6(UAy1j)Sdn>bD$q>_B%hLw30MLS5T;^>X$L0}!x95iCq
zajG+mG$9i%h}TQUB#X;alZ;wJiW^fBm|YQFYIXJs6FSu1xWfa8NI5(}na7Z#lU%$(
zu9?@GPnQe_3}cdZwqQ789FPv%J=9B`8m(JL0nAi#N|uB}7{$A+m<|Fl$y!8Lq;~|3
zoMMu$Qgymki7<<DLc5)*?8Vevu)QI_`x^g3t6K`GGj}#9W!4aBk*;(qlH$M_et=qR
zED=2*G;5q_LDHNR1`1-B1U}eNFjFu2_=1K}(C2Xoh6;E_&TbBcv-^>4#N{<gFT_ux
zn;?fSP<q7)v`i9Cb;Ls01-omQ4UAxtvVd4L)bZdJ?8RmUfcB?&fLs2s$6o-lrC}P-
z45^(5qtQcjM>G0k9u9aQr@Z-0Ec_5s5d-T4d-E(_?u)S1#WY9`er50^UU2--L;fFj
zqzBX1bPh}ehzGNZ<=Ptp3C<8Jd<#7_IT!_`IU$`eQ>zHRwK={pQDPQB#V}I`^e0Wh
zn#Y0~e0+Z+w^ba$4A)e<{-sFbN*RR(H4)SrfsW&gH>N3qm{w-@1dt-ZOq<h!Ny+s>
zh$(@#oAOexsu6+SBdPUTkE$CJfixw(B&Ev?AA*<~*}WxVDkeo~59_Oguu}-3h1FZ`
zstv(RB08N^0Gwd16cjpJv=mcvc-1ok<s>b}iJI1ECK&RL1xG003}BEoW&nYt+JUqS
z1IN}8j^>04nhD}7tWHY7POzFD^?W19paicQ4};jcS5IM9Vw3z(rY9okw_8%oZ0hLL
z`X5iP8X9E^z8T;Ql8Fp;ZV;oWbyB!7I5`6;H)5!LP7JOwILU&a)o8&@#6{8v2z0}g
zf(ADKbKCI3)4B+n6c^-#@C97pOPMJJpe5Kq03}HxZrQr3y~R{1b|)g>v?hc6h*=C7
zxfl3v5!@S2Fe%P3MP0V5_kOgaWqK=dlX7NDp?hX}WNm?DTD^c7?r;MO&5s8yI7M-(
zz*s53vTGANg#~s2PBVmGXBZ-;SXApcM%KWzoY50~fo(a0IrasVgv88?0>HiXtL1@b
zhNq0cun8bLw}~tZZHb8<mIbuDb)|CzWY`u;Oc8%zT4*L0JD_I>Lv{j?@M%2*Nb)&|
zfl4C60KMd3zK=rjiyejw=obD0KqPcRpM~G3zBo#cYj(~B0B~>;nca|vTn7{)aRFf*
zc1Qi&2ehGxVi!1)MY5xefJh{ZmGxZaZTJz@_;M>NC@$rYW($sp(H4h<Uocg3dijYI
zI~l_G(i}olSMpRcJS5|S7op|G8@3UByCWDbN7P|nGMW|EP+a60UJ4)NUQSdM1%fC^
z@2#c*AT&mNmE^Ue4R1KZC-*AEc%}bGI<cV%f+}+aNK6X~9QhV2?!u`oSKE;QYH$_>
zw}g%lg>INGRC=>mE@QxEBbHp6Dpb%){l98Jk|D{vGKA-nM_GnoyOm5wCtMypqyR%g
z+mq?dT>nb#Lu(fRi(*S+!l;!S#}$x$x&#7~C}MIJ6;{g;vM?>!!m20%smL%b&bzj5
zJ}RY%!SX_<V5BWiCc>&AB;#<F5w?~YS88f13R@HL!&c*EIzXL?8Zjvr6*@~1tFA55
zxUf~J-L5S-mKd65`ftDIT<9(~zOF4$xY^=Z#t(xMYZkZR%!R&M>X!^i(!4W2MhYLL
z5nZ8Q@6S{8joCi|kPV4Tc>h;*@I*KO5DWz;Ak=oK!#02CbROP95A-1O5?JJ>qQuVj
zao<mCy<QO$W~C^(oqKazI@bFH`RjioJJ=FtaWyU!PZ&v%-NfQ{0R+*~O)%pKNQQ>?
zn#!j7jE93b#@Pgbd9^obLMi%4melN}2=G}VM+|G3bFwHYfZ)K$S_&0?5lOn!oFfI;
zcVxj>E2#o|hXe&Y`$?j1Ch#(h2FzN@nWYHN))thKB1^0-qa;Tdu(F(y5T#*m&GocN
zlFgaJ0a{2AzP7p~3_|M*2l2#js|zxt2&WbnQ7x&bYYPBzWoab!Abb{FL0DU8(8DWX
z2q+o>E-S%-<TcaRJ&P#+<f1XSSDHGg?8@Rvj!bRABNJu{Wyc02j2%qybrM~IS`^rY
zEdH$q87o-=1!qyWW)zwpmLlkQF*<VpZ%GME7${)b#jgHUx2VD@QG`ef3vEL%M71oa
z0JvtyCx}>EavJ=iFJwvV5PjIu;zn*J@DR)qHv+1ep$L+yi)bq(Ybk6$!S_0V2v#%R
zcnj1c0Qi+;nV^^l#H%Ht1V-YhwL+zOXRp*vz^b5Rx5K!e7%DBY_+va&T1{CXWEI}<
zb@AN~R`!H(m1Madm<On<B|fQKBA!5cin341Vv&p#Dd39RlVCwYA_K^_EULjaftvJM
z|8Ca|X6)3R4A=h?I%vv1CaDPv;U}!=3Sgkkln4>^d%sVZSJ3z=1VSFJJpyLPbu|KL
zz#k{zPVAcXI@Y0rf(>lLq8JJVsHB%5x^1_x!KkO|8qeftkYTmT6Z0&BZqRMQq8reS
zumc`QZN8zIkB>{G#f#iA59HqZbFH1w)YmP5a7PUw$Q%N|i^;4QC@sW=ni(A?Oxzz1
zP^6&aU!I@aYO7PSV&tL?@u0=nWHYe0^>1-qv}Dsi69S-^D6nz-!A8wl15uffQrF8y
z$nhe3155BHB6ty627zcJ#v(59R&&Dw26qJJb2&F`nNYl~Ha2xHh~Vvq70wg_a{C5x
zI5cBiNL3QHGQrIS7hk5=<8}cR)&aPgl%<1l{Q2v+nPzI=jzKpc?<Sr=Hy`KlA{W}?
zKWjQM;IHQ3$Z2^*Cq1_x;S^hlGglA|5gU(3aS*Z_kFKHqxc&w&Fq1#@$w){fs3suV
zbT@?dM%Ny0WQNsNkV$_|l2&#cr0K@(bDS7r&KNN&JtR1s-oi%-c}Vgu_QU4GeZ{Bo
zsK=ZKdgJ;#8adt2fHyIS9T(11V9jZT;x1EW$*I-2|2Mdpi1h#jaB--MBhL@(kKy@o
z|LN||6QV3&F?K>hhX)Ml4sFN!F(tW-V@);Oe?M@OZ!r>6*uS|q5oY7%Y#a#WZa?(t
zzgR5D{+i=BM>vq+9KJEx%&nYuHi$Ts*hLRCc8gIxs5sPUsGMt$=ry~*htvZsK{mc;
z-(w}`Hy@IX@p$xoF{--e0?dOs+5$k}?{ScknL=?mwo?w7{&q)s>vV>{5!LdM81^8s
zchr~VY2=2eK1LN=dCUlht^9@a6?1FMb=VhsGwX_nJEI?fPBRaV`bXQLtl&4=gL{rz
zS`f~SmIwh7upunS+y?wq^5V6!EpJ0&wcmHQ{{FUz&G=7YaH!~&EErG%@lT~Rq#Rz%
zYY%5i{a9d~L(;{l6B7_mTqUDgbUo(sSBDA^`Za%s(7AZx6{U{4YPs7cq#VryC-m1A
z0}2qy9144H9YXwXDHn|Xh5LDsY}P`s<py46Y*Q`|Wo%8&a1x3^)~^d_FbnK}!h4nl
zoKl1`FtbOb*te;lfkFq+D@~^Hc{Zg4fzv|}>CQ2$dU*!+!V~3cXFiUU!8IEXqJrQ8
z?pBruz=)19g50!lWZ6gCz7BU#d)9GhKR(};63k9gMIUS@i}E%bfzizeQ(nY``W!IJ
z89f4pV|zxRwl9lygxy=g1d=74zkDT~VF?I*6deExR>}!~yih?O!25CayHh{m&cK6|
z?0-YJ1mjj+9sb`)QOO5gSmtK670Bj+8H9svsS;h~PVyE0p(Uqc6cDEh#UHR9mjl{f
zoi0~BA74lAL^{kv=#dUxfF?64<PT;UoX)jva=MV*%x#c?{Rld2>{m~$%+PN|Z=`{+
z+J$w9SXxrT+DKX+brt*B#=C8oVLq3kN6~&$3*PUmeR;Bixl`HUDgG|BNEn$9eC(*~
z>v*`gJs|l{mf)w7OP=V@Ba7l6EI^QPK;VCWv=5^E0(_V&`667Wg^9(#Ps|-wvIL9m
zGSN>Z`ae|RR+RPdbpkh$T-QzIEbz6TE-MsL1E*+wy)@Af|03c*s({5FfH2f&7E(Hp
z5XhwYUawsAO*Qs-9Q1FAO;0AlAYt6I=Rs&5%DWGv3|8s_AOg*;lyg}&i<c1fco+dk
zW9-!ovJ(u&6r$FeiklwbjC(;s$qYXN0h6+M7IDj?-$!<3;#c5MwNnQ~yDvQ=o_O5D
zXf;U*{e~FIhmU~uP#3%hQwJ)bEaj0r1|N}R3b%?N1kpGcNGe7ayQO0oNzjRRGNM(g
z87UHyFf^*tTTN$Ml{+2X7*?$}w&^^KGenR~<w7%$A%rkt?)Jwcv3&O-g&T;y##YHG
z!IyRV_~<iB+)2kDl?EOHRr-R*p@tL4VZYP>6wAACn{=TMA%rr)2}ov(F}To)5>gQm
zFxXId1`uE%Z$Xc6{T;K%TfsbeU_nY)fAi{7wOUfO@1~ESy8^M=ijS8YS~QZd@;PIG
zK%A8W4_X)jX<?v^K&BS3f#njRG()>s?NDE91u+8*#Gy-S`OW)|uXA95-a^p4f$1ww
zGfxC{9GTa;*bX*LVF0s)r=sO<a&C)s^n2^*9n+Xac3!dvUWxMpYA8`-e2X<pKADFZ
z3h8n!Zy5OArY9kI??k3&WriE*9^x|*Pzq~M!p^7+fqYr2)|g2|d~zT~rKWngqykn+
zIFjEi{(>$7Q|WX*ksH_)gXPUK5HP|di&XkNh7rTc9lrxFzFJqPE(1XpH<SvFzq<k`
z7Da-fM9kAr8YTi$Lgxd;%d1r=ig7^lFwFLtPA9_(#;@o;?%9bM=(8yCVX1f|lYhAh
zPdKp7v%*42fxc&4qen-C*_o=C`V$U?!9mh5wuaL}x(RDZDPWi4hj0fk)Idd?wm9R0
z`lw5g^;-Rrs8Q@F`Z_}ie#nwYiDuuiR%#_i5Nww{Q*%M=zhp@+3P5;6xy`D9QtY$I
zld2@6sKenE`iUP@RiFnGxF`H~z|1jN?xQh;BR+K)eAF!f4}fKvs7S3SJ3~bh1Rz;7
z1&F|LK!;!xr$Z6dDs0dIAbF(Vp+ChM3W!{I{h81+&ygMM7+U~fM;~S)L8SmNp|ggR
zcow!&77nZvnRuBxUDN~KF55v^U&bGEjsYqQf`j<pxYlif8+KE<a0mp%(3a1KJh%i`
zk_67M0^;bO%q>bY4tjXQ3&L}yL*o}Bgq14Xpb9_&1}=q-9DyPu?aq8NuVvTngC79I
zwum$L6O$7_VnWD$Dv%4bn#?5vXRIA0&8z_jDe3Bx)y)ty4qDN#wu?WX=xD!}bjTST
z2ufX~3~$7!2gBLxDS=Ko(mw+;uHhHSzlfA%L*X4#AN}8Z=p+z?I{-^SG7ymN6!k$b
zk$*Kiz*b=<EZD_q)TN|-rA?#Q(s$+uDpP|I$6<*c@WPo@<8A~^CLT;R7PZ0Xh8b*!
z9~gp6YAizw@rWRZd`ji!fEZ>2$P`LEmme$Jlu?4)Y=!6;xNMgZp0~y&0{$5WTt+~^
zcmiSlB#p^kb}IH<QVT-V3TW`E7)}GGD}j7;Ct%1Dr~(35@Dr8Ik@&$FZUbOI(V%Eh
zf0h(uh&cm@Zm<l1hIF1cm{6kq7JEW~jEOh^Mjr!&1Z_7}wBCN2h}ita>lmgo1AL09
zP{6UyQxTg#7_+xj-6Fgioze}EdCNKSVkjDyhd`*|#Cl+Z2#YvJrb~oaN9&f}2K;&(
z!yt5HD6rNuqfcEs_HvBqvs41bv6OHlGgSpl#RM+M=}wE}jsP@)uQM5FzrZXX-??)E
zfD|r-Sb^!bB1O<R5)7fb#Skpm%4cALn3Fh!=VC_JsQmYdu7!*V>VbqAN1A!Eqz)>i
z`;sk>V!UJhKnR|~Qso)3@1qmrE~F(3<F)`rC66u=>V|!)n<(=f-5Zefg9sMWMSv*T
zGz5x`6d(|YPCZlyXz(co@pT+U@md6%8aNhIOvb{(z=u#GWC{x?3<L@u&j|E575B+x
z_CsygAw4h=t0#azhPsgoE(;*Ri+3N07(CQA*u$?-aWysdJ+4jgvF$A~)jNBF5}Bp2
ztiDd1_^%DSiLygek2D2%vxPzFv`-cIfZOfpc}Rxx-zWr^9lDEF7o|s+!EGx6vK|=V
zU^5c}ntg@ph;c7M2aD?tfXKFh<_*4g^mD)zBZWVT9v`!EsHb>X*`_2Bq@dlhW=P%#
zq%`!6jWmX|iUW{cmZXL{I*R28T``_vAkQzWV2%z4TjL=Yo)EDDhw_{NpN@sn6+z_H
zjPOc=^|A=why^?nlx@v)gF?r9c_9F%EyA-CptyIgFuwEfPhe&%3m@RwBLFA5%J0Jc
zD?6?-%d*03yZnfW@$6HTgS0fj6ou=tfsezKf&sHfK-U&YTPt=Jk94pEY#~}}4C-X2
z3p@?DD<+iQ6k_J)L33FlE{ln%D$9<`W|6xBYE}a&lun7USQ8NRh=Awxi6Et&2|%OR
zl~_r&FyJ@E^o#<P<xQEQf~a?MpGqqBxpbfV9ha<<L1gR^l8k5e;KH5Y>pqDOuq?Go
zh2Lewg$81q;<NdVt7#{5gb`9ao6u~Q&iJDNboo*2z7M9&NzmoQ^**)t-bA3sz!bWs
z2HtYp92Ep0R<#s$AE#YY@4A4)5{yH<!qY_<A-k~Cv$1u^y+1oAyXKnUR7*`Zb%>u-
zYQrfwbgI+jvbQia5C~zXQRq*uE1!m}Y+AM%L|n8d?5)+ulRg$9?}XQlH}xaJc5)7z
zUms#Yk_MxOLoC@82pzCHCDo=v!1^XD^1=?1jwGlsD;G_SCLq7@h!dp9km-gHjB#J!
z%X5*L@z|E`WJ0omb3r(fpkTA2g~$eZ@3X|!mbNmKkMd~^E8`WLlCq+I5ik{VRYZ1@
ze1!Cd*7!pBZkGK`eDUlM8zrKaYnhHYV42-!rZ99SxHa%2JvWu#zETx@5FIefFeJ;a
zCWxX*9K{3~8ND5J2Ea*a6RQ$V>Y3ItVsVc*E2hCHw3<?4WKF&(HG$oxIOS5jFcli>
zNspOItc-)Z4cUd<JSz((4!O#RZije504@#)(H*uD@3WFEO*SAO{@`h04nyY{NPpyE
zqy-pfAHd&RPJVGNoatvQ_747TUzeB&k9UJRhdBT=M{Jbt6MP)2+7;5R>@P@~Y7K6}
zreHW18B&l`z{-n2MuK(|R%RDW1BC=*jpyQlIr9nC*ooLLLJByJv@>;<MgR^Z#aa({
zssS44!fE4Tl_q<cfg_RoG~-89XS&%t3bNA{e}AqHlns`fdr%x+m(Ic{5eH!abA0S4
z3}QeT$kLwEOI{$&V?c8LDcwz;ff>=pqZ0mb=G7i>;4ugsuL_7ioH@?NoHzzixphDi
z`7%=$ph3V07)3aO@+d`QLBL#M(J2g0xlC~FLoRB-6Rb8rIzT9K!-WEkro?$0Ga7aA
ztLI1;N^E{~gJ9~z)upo%XlN;|vJuka+^@?tGPVw?`(DUd!#^&pfiWim2T22fsPMyw
zl{%n<rSh1vtw&O3H$1;nHWT$6gmnnAp_&c!nE)d-Qf1_FOfA9dEYykZGWWT84s{E%
z+|5O8;yK3oQ^u_<%G;?3>P=)LsbE{HKRSlO4&|*!Tz^8abEpFDSjfosQBeHq0Z^mS
zKZ$N!McJA)^|cb~JSpT3s=c`OPO!_o8iMHDa$}}Wu=j&mzdE@D^0GM!*82J|P;~Yq
z>B*cr@3mbfjkFhITN??+4xwDiB26O`p<Rl+LU#*|y)8E2yz$p##S27>jmo<j*a;d7
z9kRO?PXwYjf>Py(C3YyAr4wk(MsTpHazYjcg{DMZilxk?^nV-Uv2il&R{vpfJ}oo~
z>|IhCWM^Hgc@Z2IDKzfbe2B;xGDj~#TMG#VPM=)L0!<>bpk0cr0(6QEyDc`*r14i{
z#S27=4amD0*a;X3ovynUKLnyTLQ>_3C3YxdVGT*2$0%fuSuPd<MCL?Uijqhqv`Iw_
z5zA078v@cq=!DQDXh)P|&k$?}w96h}8<sxwQ9K>-`z^c;J$egOuAtMx#)gD}4_fM;
z$vr55dnAyl2CB#!GZ*&u-Lo!sY#0AK{A!Vha`nWmJQtkX%QjNZOv1DbQQ6t{YkXEP
zaByePaN0K<riUc9GmohiR>e@c$cWW%R6C&H(Ew~=4Nst`Wx@~!%4jL6Gxq)84p0hi
z5}q@c!K#C3dwycoR~9DWzr0&zGgJ$uCCO$16I??x(Ius2jyJ-bx2(kPX5U6F1I#Ow
z^?l+YenP)z4oLP?>e|T!zMb}UNWInG@8f$1Pvw=~=>WPdB-^Q7^wled8h9#F-CW;Y
z6#XzJ!+iK4gOXB^ot@7e&=FKlAHQmoxT_?5zwH7<i!_~GvH|J%*_q&T$cGKugmmzO
z7d@4GfZelc!&=C~UFiX&GiAS1;HEm@mRAauY_c=eJ8TeGJ3QO*xpBa!yebP7Pca!Z
z)53|JEL_4OhowrBmTNnJ@SsLs5?V|Is>TWp`f^t@*7m-VvZu0;nGKE@b`w4s4j%Ng
z@=evubo*jy@6c3wVKzRIVvzQ5s!<D51K;i}*_#L>wvh*x5_p_2G~hS2#p$?_t|6Fk
zx~Kb_tVX8x3Kj#lZPG&O0vWdnsNg@Nd<_XJF!2Y;Ucpt5u`sRy)~}8ChdH5kXq42?
zY+bpP{=np0PgEoo3SfSCnF)Q@Lv>_6avz;arLM97u7Tzxk@`0VOku`CK*cwBa`0NL
zfJWJPye?XsA7*k`NjcHoDF8MIA}nXP>GN^+8KaWw^`_vRNt3GjNIA33@p5L0m@wd*
zkn-39vrwg8A5<^J(Y+zNg03SCD`%*06ZI4q&E)tGn)_I-%pF>=p`NAe-b2Gly;1LR
z3Hs*H2QUznA~%TcxQ-++5(0>dM7^J?sPAg4%71%AJP-kAnw;NPTU1SwfkGp~UdyLC
z2G*f=@Ki5Nq$;RZ4bn;o-*q#Bi$NAf63X&w1l<b)ZnEjJ%r>U@r0OGJ(0S9#nM6qd
zK6Hz*Q;1IB;k70v+YX)@>~-U3(9yY<V>uBb;M29&V#U~$H0;SP8|zt$1gyfV?!%}P
za?u#u%o{QS%v8!`T{dyX)ZYx6p>a1&nA$|z44c)=KdmGUmKFYk2JbdTV!+6OL6M$}
z$w86okF23!5rz5Wal$8*`@IssE9Cq?iw>6>48t{P41t;`#%i&9$~iFSkTt9X4Z`@-
z$OilzGzCYG?ng;AJ|RS*6hx6D;Ac*BLpW4E`mIv*#1qoS1C1%_o?z`sSYtGnE?>oc
zv<+T5B+!m4$J--l!b71-Vd5bEl>(G<OPs6GIjJZrgPmPUafz@|Qiz96nT3k$14Fir
zGmro*^tW1-#0EHhcu1q7Xeg4DMTc}oBmG!(<xH+P`VqA4TA(~1Af>Poo2-VKE%L7c
zb&3}>AoL0#By!0e5eMpvaP8bM;x!_uQ;7*4vI{0iB5Bs{g95CPO_B(LI$}>f)rgmp
zGUQ{*NtI(*+QU$futHhYgU;<WRLX$|Qu1ib>dvdCKrHgvfE^4R%(u5_a5ozwkf6d(
zL_mhbOw;Ac2bCv42(+WAlNghnf{|}BgahSOHT*=bA+QaeL{_7!sB~6eIaDEvXWq+y
zEb#enMSfFxX@Pzj+{}p-kLY)@gr0!lTGiU%b^wv;oC0hv+{6Wd<}z||1k??KkxV2x
z(C|1Mp%{<v5<Ckq+y=eLJhIm&o7SJ4D!73>OEVCDew>?K#<5g~^QXG=Q)dU5nK0wh
zA9HzJ3G8<rthnkqpq`|164;uV{#|942}VJR6B{)P{<9F|cqD_GV1^+cEDR9awF^%r
zAlk!Py1CWG!jnTbqidiu7|3O(M<Ofu3k+{JB~2qBG?Sv1ecW%r!3T{bAwyvi8-SH3
z3X%>fn=1<YBn&N$^xq44(BmJpT4BzXj1^uTBxV;eQ>9EwTmd+y6~QMSAHt!hbE!?q
zQ$VtbgwiFP3;}zIVbhNzq+&)T4p1zA0xh!{izVg<sjJ&Ph8$|8=AXn2J%o$bRJ<&L
ztnid)0+Uz6*I?XcqyyRt@a;b&A;q)|m2^%8yKcJqd_z#@AXI{0dI}oq8N5NEj)8gV
zcy?|t$><3+O~JJ)V_{uHo@M3rl2K95TQteR$5}<|rm!u^^9_;otwc`lO(gcmGUP&S
z7gIR$um^iF%`X7e6QLC|Sgf>5b-0K?D8wobYz6?9E~WzQXa*eFxJ5Rb-nLez(kcRE
zz>`W>lq?FcoTuL@oNbk3GzCBX=~J1@&q({<P6Vu<gu{8-aUmoLE*<jl4G4np0I3!k
zu)HZBYcKkgWX<7R`;r0nDr9@BW+`-url2Rg>mCUHn)O}`3dSr6wFi4{ev%gt>_V;I
zALoK0Sa4@1Ppy}BPs^o6n|y#nDLP=j!CL|(Qe^~5b)f)xP)Ol!@sQkNt!_o1-KghV
zC2O37vd7#dm4wTW)_Wm=3`~-%Wsy$j0(11}Dh}i`>PQG4J8%<(2omra6cMfN)ShX7
z9rbA|cFP&q?<QUHZnlpTDfg~Ij~%SBhO>OO50!Tn&d#ig*$ArFG?ANtSEn@F)~TPb
zu1U2fvD=f2(a#ovxO;zdgVw$i2c3zXv*XSvxrKtwvJ^FH!Q($7CgGXkv!w!cY)i)k
zE{ZL<g@-2hVI2ktrr;>ph~S6zr3CbP!O)=KDF$%WlPr45Hq>Y$`2K|r?BI6T$Q-`o
za0Az9vJtdlC{-O}s}idU+t@{d(5qCr{e_oNubEU7Q&JhCb%HK?Xa$pdq3FtxG$J(q
zm|1N5L6U!lR_L3<@wmh(qZNq^u+DWt*s_iUspnH%h=#!D(A8%cP?E3~YZz2CIzT{t
z0rd<3B-XvInsQbF?)ee2%Y8c97r?rr`9f)eqj+YZt`oMY$c~1Y(K@FoP}`57f+E)w
z{vak8<`pwq+89R(QA0933NU)(iLFDkNn9n@Q7sXw2p?Y%c!K90`=dQc$<aIj#fR|q
zLrr*fh6)Xe7l|mRJQ|IH<SDzuLoC$m>uS=z^6B7+HQeQ%BKxVGmyanNJPIT$f_`hS
z5PhKtWg>*%b{VS-&UIcM>I#<$foZ-KLLG&=3pn);D&b^BxKAL|RdKVd)fX)my(m+D
z(8F~a0;~b&gg_|s3}tbFbibC4q7LkEyBQbMTehd32eB0sPSwbdjjRes*~Oip2I|Bx
zcAP;bb^u`AQN9MnSvY7YAVpy)EWx^=_Pz?V7iEF-oi*;x3oLDk8U7w?gX~aG;2i_B
zMRO**R4xl3U<HeYp{|HzzAfw)et71B4twxEBLz@pJ3zD-mc&QoWt*5jvL1k&h04LI
z?*%SGcY_JHpzVF<5w)DA*@yrPrD4L4ceH1AYd<xeflEUeOl-M5&6*<-0ImoLdCyEj
zYkM+K3x$hkAtz$UP{yLDn5m))xV9E(fH$JXkOY8UmWB*GR8YnDnVNs02(z)S<be&&
zeGy!7yzBQ1>EVxlgXOlsU!gDzinynM94{A{xZ+I!2`IGGBpU*eqAKJu8c*ABfpN%q
z0}7slM5g1pY6<mBP9YHs5o@Y&zW&onR2VdJ6Hv)kJRK-$wCRnTSUX3;8Yn<+%m{GW
z4FLopk~@PqxGG7T3bYWy3Ni|`)6}w|ZzB@uLv0ZinDeP49RUN-t3U!>mA>lY5tuOp
zxag%%%K%RodyF9L?FE&sM#fioSYN4W_?qA9l9_4zl*T#bnG(Hyx2Inbr@Os{xhl*)
zQQ2F%tc#G^;}C^Zm3JK)H)!xy6^q#9DYs*ur=we=Hyc`ELAgNtr*yy~?-ROCn1eYP
zcn}i&h&rk0+T0&@W(8SiipQoi{I9bsp0by_vIDrd_e1G%?^T2Kcl#VtdGnNitkF~7
zb~)doG?hz^W@0IlHezx~fPo@cZFRet##?{}3qxQqD-x~q=j)1H?b?#`MuPVOC4c1L
z_np)<iOnqJo5w?&KHg`Gx;;k^3;1m<1;W%~)U3}UNE##xfeuv%U$u5CS|G-`EQYWa
zgnACn>_cbgXe`onfS5o)0}w+F4OJ00QRJIP*D=_&RBhwJ{Rge~TMVqv*gE<QIUk^1
zKsMXC1Q#;~#;|#Lc_Q4TqNw2HDZ$dnKibxv!Z#Bzh~|G^jO`};;o*v;J02k&R1nQ$
z><iR}2ndj%G8ih2)V9gn%G$ih4fvf;S>bTR-a1!7QQkTCMZ9iX4y6R{t=6q_<G8|3
z(HK(<PGI!?7;qiX9j@UUgoDe%==gnzzj#LFTs%2l7{oj$s(MBg!-DiHBkJox(ugwo
z;N=ZkvOl;RV0n&GvvMCPhXCLh9vkjSZtseP9@byX>%!fB{~#id!`@~j^qM`G5ctjf
z+Uvy<0xjz{ABS;?*$*CnNf*YoJgTL8S<My;F=~V=l~Hq&iJF1JI7bID7g7kp0`n#W
z8S3L(6GLgRUKy+^ffK$X!lPwAu~_u!IOPnG3_Or8QbzE<2p`$h=%=OaV#RAG1_Pv~
z=c|}VJFoy>1|0!I%|sya#}Nom2cDTu#IaHCIowcnB)m@|L;920rGQ4XQ_#8FlzVi1
z{VjwtECfjfU3mw)iyY9N(#nyGEGU*Uy`syJLJ!>cYe?<R4zfUT-1f9l;&q)>MQWm>
zYVegFhM~m+t95%=_=UF;qQ%I)1jM#UPYO)>BI3PiKG|R`X7H@S<>RqY*b*#qlJZtX
zfg(-p2$$wa85M_0QBu!i!E0SWUh@%vPFu8_)dz@O1uWeu92H(w;twKO@FgoX?FRM(
z4h32*aFLCzv!G3~AZ50te5TA%&M0|^ff&aT2?YHa{~GpdAUvnCRkO}mhHjQpt+7uT
z@d}OG0MqOSd=>h^d55@WEvBQ&WvlHpA+*86oI+?q7_t`-HdBccF7pu`tUJ8r;!%!@
z=VvY#Wuu1Ft2)z!WDuQIh;Jdn-@=4KQ~l?w-ggQM2f!#L4a$cRy16YN<i3^CGh&GM
z(`2i>$H>IAbr4YQU((cTJ#7eg!fVraRX{Rue^6&L28rRfG1OzM;Kan?tX=}X4~_zJ
zV@oXW(3DuorrBtD$y`z^VxcLBJEWkSs*y_((IkCb(kQe^QncEKfb~?fr9)inFJNC4
z1rNDG2B0)%!^-d!>%>l|Q>`{U6e05^uBmTa?j6$@I}GHmSzi*NL32Z{B$4~rS3z;5
zBQ*9`$Ul3VyQOP^e${ze1WWjH*W2hC*N2seIJN5Hh&po`bX7Yo0=i5Fy6I16W40$q
zI0N`^#6Glr^Q*&3`{`<QF%mDn3eVu=<G~0&Bg8B2@&YZlK>w_P+s80&1<kPM*d=V+
z*M*^51GWM&vsjP3EzHBi22A=K`~(Ah9E*H0^O8GaxUDO%im-U}^hEd~5655fsv(-L
zW9XH24OVwR^-4uZNfbiCok(U%ePnE(!q{NJKvjfPfcBjn&<7zR;o-yG+R~*h?sH72
z(kdE7c|`J*Mj3?TrTA|gu^}j#*YB|hhU{U)dMAuW(nwRY)5^JHFmi#0@hS9vv?<z5
zCbH4q!v+Z>gcTG!E$80D-Qt|&?JZ$4N8*Dz;8dVc$cnBzgDJs|h*jNNB<Pz+o${g!
z5V6ilHhKbMn$qK`7EpDPllaiIeTaBkV{v$>^zHUX&cbTx3`FD2T59qn+5$OHkc=*s
zHEbC|xM6IC`=@7qy(zZRm{18Cf{vk`hiG&}$n+WW;XTFfb*x^iul3$|L&&F7NsPXG
zdkFeO$K4aFs)+^<uZ%*eQJ_U?ZttQ;TgojMwh6?)h5*lBL`EjD`yYl*9v>WlC^kR2
z$>cw|CyD_W#_-cOVy8&uuMTl%KJ=7(e8s*BXqj+weFOMGS}!O{Tx+T$XMZ158ntR8
z{xE^pY|lysXG4Mljq2-Ys8)pyv@K`ASPpgHg*jF#u)ssq_}0F!#6w&uHi!8n5?qoa
z9I`wL-$33*OBNh#ouF!@z&J=5>}$y#E63PickyD4HKXi=QC#7DB6}4uS$eyEIS*CP
z{VgPGXC#|Ho39&mCbqMR1Y{$@C!P9cwFBg>7ZP&#|53Z4Iv95~E1|gE%hJBpuQj(A
z(0Y9)(s)_1{NsS)W-xWb`Vh?nM|PNP5=)fFZzJ&T+)v36nPz}B-Tw^S`uILL*#_1i
z-W4rT9<{bQe8vI%wF+QtNqDU;M=?b59e{WpY6#fpVV`$vBeOpaZKPEb(zWMc2<W>G
zl36I%4%H4a8)Q###`ql2q$0P-L5S`c6(LXtk`lM>mTjnD#0iv8+yh^(;mQfaTDQGo
zvX~}zwY5sQc78ghC}%{*YtqG4VzF(5P2na2T`KqWL+W~?6fQna3u=|pGsT9N&+3>B
z+gldzyrY<TZM%uU9@lDK0aMP}j}aatlK?o%3ML*$t#7t()Ao$ADXxClXw3)nSjXz_
z)(Z2YEU@l_yFi3QnOOmUM>xvp*vhO;3^*paOWQf!7#Iu%fj~GYSOHc_B5;F31egT?
z+}vU&(`PHGRlIK_WT&kL2N`5*1XCsBZdhky)4^r*4IaZWTV8g?oOuoL`QBidki(d*
zUWA!1&oIu^$%xjx<w=V0lv%g-zYPt5jRcg5g`0qJOQ1F{PDQUb8vAje1hen}(vo>`
z>Xk-ezz$V%m5eoQVJHj$1E|$XUQSwN;-ZaX6PRQ8G0(*uP}VBlXs1<01Vw?O=OkgR
zd<>(B$h>8mP=vf@eQpUPBby@9np^uPB*VrS5sG&!LBEZRqil8eax>3w3NjJkpQHHA
z#+1OgoW+K^;OrEg%`-BupXGtffDXb6;kwgX>z8L&$+%noYG?@g)Txp(?b0NQLgyd_
zDJD}BO0JO&pW}!%<^bb>+2UTIWE~zcnvx>2^d4uIyb$ik27QO$tpk)XQwVzsxhvKm
zaM!!bXfhcO1N~}E7y%^peq(@vA$gKY$SUG8xQ5DnNxYa~V>raNfn{sCf|wG7wD=q=
z1&rhL9a`{=*&yqUQh4aFY>h-uNi4MCjtv-f1o)||_bG(?AQr#*^5j@Ybw4&m6M-w-
zumR{`VaRJ8G6BIDb{H6P*WoQJb~tJ7DLvc<-d<5VNpzaEIpPSCe=u++M_`Xg5R>!4
zirxCfVRp<gavj66utjq!k~xKDEJzS=gYva`b=MLlYhhC_I%3Nb4AZP~VwfBp1`1}F
zG)2H#0@4mb;=coxc1dACDXcg{Xo3U^C*$T|ZJ_+46421tsMpf$a16i*49tsFZH2y8
z$ZEc{iXRZPumF-RU?s0%`WZb<sL#LEF00`{^fBN8Oi%m=WjD*lljW&wKzBoab0W=t
z*0c-31LVwM@b|$oVWN4VUyXz^z`+c#I0{0TIxang^t@iUa-?C)e=7b=BtE<nA5Iny
z@6$n=AXqyo77p!_sXl?!l^)8A(5Z15`r@V4P~^cv;&z1-sXND9>aL7m`N*>9iE%mo
zf+ep|<G~XDF*($k6RAFPqZG$@dhWBYH+dgJov^pM4Fm{ho;8AL^f{P7yJrEpZbUWO
z1XuiV{>4VXN)InjH~<JmmIlU5=2XPc;ZebhU@i_eAdsLv1Awu>HzEa~j{x$wq25;w
zM(xdFnM0d{%dy%Xt|ZyGk~{&?f&VVJ$fo!Y&?oTJ0TUKthStg_mcyOMxgF#jq{W07
zH=%5i=;_6>6)<YkJbPB{+7#bZU+UmeSb}+hro*ra@JgM|L?V$NAhF7Gu_2%~FuzAL
z3?8Ha^+sfLB($tJ9Fs7xhb2=W^uI_5*AsCc9*>VB3ujS;R2j0dY7Z`9JKqxr?oBxv
zkzrKVy@<!`;G+?P0080l6{pk*xf$J{4kliD=iaQ$^n<+u>tl;CQ;q98E!)e%>ca$i
ztk`6gh>IMqwG9io?4e*G{)S>=$Q5xoz^y4IN9aRXw$*4vq$NCh_rAMb+%iER%2t!L
z4FmQ256<c&KoY9_hyx|wtrC77jHKcV<)Whao~ZaO^ofacY#mI45pDVrDT~Ne5s-ky
zE1b{GWV;@qk8HPS__e4g7#ln0-7b=tWC4;zhK4OrWtr@lxgF@oUTaRPv&x$8tf@#~
zd@GftQW-<>h!{S#R;WNtfwkT0Jtm5&ZiWJvJ5q5d<Koc!V_pxgb|)*0N&>uX7y`xk
zaV(*5h|Gc|l>lQvoWGz~O1BiXMOsbMx<c@DLE*fVTv|k@A)HUx+5(iEH;T+5B}oCr
zJmHyFF$d3XE*EetSC%Pb6i1P_AWCtJOlSiR%TE_?E}lD0;du_#VWbz%<WlCl-q3N9
zMeluzUeh*zhP(SI9_ej{tR<qOJ{nKRt!ryc&hE3-G9wE)q?Qx`M~~BQ@r%;JrOjfb
z70sh?OZGA`Ztmva+UG!2_%FaIal?$u+MT~&tlM^9Z`fy$*=?bdtJFn=D$`SV;~#p;
z>ojZ+9|&@~;$u)B*T*z(#3-yM$k6$%TzFjU?&{)ORyH25$MLz|2#aW*R1kkK$F%j<
zG*6-IE?BYZMd2&2U&QQu7-$1|zN6^wM;}l@Ln_c3-Ea|~l&jkY9LgYPd57YDc0m^C
zRr6s9o%cUM?5s<~Vik~wXiHUFZ6%8(j=l1#D(PmnY7TU-?E~VqN6O3}P^gO%X9y%X
zD7R}m)YL{YlL{p`+p&-c2(hwv1F<TIHrn}rQ#oD~<bDt9w}xZYty{&rU)n}9G?8fN
zbXrkX8B)CDwOugz0_<D`X=*6oiy$yqpMV{!Rsw5}io{59T+SgO7Q`oYV#`Y7$Q}Cr
zDQW620-VrYs79}_mYCTwueoOaITz({LG4`p6KCQTe6d2s{!W&L#4SMt0CN3?jcCq~
zTkcRqe7oCFq2%L?^y{kQY^Mq+S~+&49;14##Bj|A+d#pL@8lp&F0=Iw&rtbSQBDp2
zJ=)pAp&rurt97A?9@VYe)n0bZ36!M{w-{Bl`VZN~ktbT2&Htqkg3k~|Qda_aQGiBZ
z>!>r|tkqWM=pPV(Zt!#DN3{(S5wTBL>tjM?M*zjRjg^6C^l1s$;#9Dwm7t7DKNYW=
z<w$t7S$HMkrUnJfz{V0Ux9f9>py6`B(3mir;QYT=OO2Z9|B|CUM{U9}GnweSP;S{2
zp}ua9@gq@?;d=RRZy04Ob!B2I*OY(~qC`qBDXV#<r18;;A(&^Z^<O@VENmgH)36%?
zfO^S#lQ~jg&d3qUlWSa1W-$jDFR-{cFd&dioRks4g`gK&WalpBYtWnixXn>4>oNHG
z-tM*q;^%gHm=>><$k96j$|eG@RhAOM*PDL<cY6KC<GtMKA+ngJmNWpUgn!xO2jmeY
zR=X<%mDoau8^Skb%K-oC^@|E|0g@r&3Q$N;&9B!^$Z(i7Vf7UtCf<X@6tGoU*R0PD
zTy~=}C_{*-{}Ur`vDDezI|S8WOrT5&*(%Hk_PMZ``%o$e8+oBIj2(S~H0Yq2U+`2J
z*(L+W<#S;(1^KL{)mUl-3sqv$->-G*tGmtsZb6~A0#&}j<xnugDhItbWAqDI?#Dq8
z8c&`$JPodZJQUlCLRetDV7Brh-<a?jea=IrL9KY=m`%FPwSeJ*se%*!`pCt4U*R(1
zph^vi`i??!Doi5ozakZZZnRrZupZz{r}#mm1VL-KPUCoTE^EB-w1KjFDyC-it1Aud
z5CIO-s!EPF5#IhBL(@S{8F7J<3LuE<2;FXyoXR72ZoWyRra(1-h&K1lS`Wzi0Bo(h
z$omey5sWtO9A?CK%|oB~;}xyIRiqOd&5kAvYN22qLSIi;3MvFgQL}51){flC+6qQN
zRKCp>pZg@DKKwe2<fhNZ6}>^wcIa6bzN2{Cja0$l0c8())gI2qby*<tq}#aRkCG2O
zx;r@OCi0IFDacSBYl2B^mseziYCZIn;lLi&6d<>Bfmx5i#(5zI7=)47TZWLs5S%2T
z6o3RF{J_NKz&KU3qbx?O#}g&J2+)hdwtKCu0u%9AJRvm=JzyqR>#dMUw2L<$w&93P
z{njdt4EX)aTI*()MIlziTY$KcNE2#6AUU-*U3reMQ=vKMN7g!ZZi4}AZ6Xg11j*fr
zlXH-NI#y=k?}ptD8x#@L7Tm>QZm;WZ->k$QB!T32|C$E)yvnHu?T>YgR7?f53WK`F
zZY0bACz0(S&atXvz{O`FsapeGV<g9PY+xi}2G}PUk%DEGD*whhbCdxf4k(;;9SUD0
zQH%}sY4I%J6%gLL0dn@+aphd}j!?}4K>W9#?TW3|3oBVL3+yfYEEDNKuq`li`YGJB
z)Y1Z$N-Jy9-x*(JqZ`M)?`YF2$ClmYOzx{K$E=+h6ytv$D0B{$#i{plivO4{A4Ct&
zx-uQg!LrG=Z2KGm*rm4iI-_b!OmA<3S(e1;W~($bMUzq!qB4CZHIGT#??KXi`md5P
z#jnUVB)p$OC1RE13sqYdH;De-04=)uyK4<LP^eaimL(1yuOPu5DG)fG?*3I1EE@Lt
zk5FlTCt_{~E&$}LJ|PDSu>wPI6QZ0rHH3PFq87(YSX^~Tm6(PI@CMIEVYkL#%|cc9
zrnia7-<s_Xs*l6t$qP(RMUUUHd0trj-bVwfKTJQDKrMwd#wUwi7%Mb>KE6^w9Wsa0
z6^mh#zw-(sI;Uh1k}J8w<hZ)!aq!(hInc-k%5Q1r+x}St&s<jrX-9Gnn0#A_dLA(G
z16{}wS{uY-TQU&9<IN)?yX{_Kmp3eE`?WtOa?ORMjJdl@NB-8tJ9$Z+%{}+-$InUy
z8>~GjJ7XlM34&am?z<KBpd=PbZ9+jdiBFA<@j`wvD2?BWZ)6;Z>@K`qC4)B{0A*bt
z5U%s&pjlpB2?s4HzBna<8UPSsD7?`Rr6fMlebN7SOb~~|eK8gV=tRps4@}O;T{EmF
zJQB7ZvnF0c6WEB+U}|*QL4$1_Y=445Kggd8^4k2GcjV0+il;FaP?Mmd-riA2C#z(!
zs3DU*2J@B50Vt08F%6p-hbG^Ior2{F7WaQ#T(8i&#|zfq+_tt-3bV{#Jq`dQDnr8^
z<!?R_@o<r19q-C{IY@vJ#|3~1RdO<06Pvud11PtLK8Pudi+xLsF}FPm4vvJ+L(mGA
z8V-Pr{kdfyC9w1}v(M|coIW0gT<)_9{06Cw&lidxpES(Is<RA6^0<mf_ClbArI}>u
zpahJm?BpiS3Dkw&SsqRCWGT?WSF{KM+QBwI4&dwowto(`daDv@u!W0k*s5~&Q3G2)
zha#X8FaV{p@;%5%ipLQJC<jLaHZ5Ed!T}-Ho`n}Y3rI+lWkrwPF7enCq}gd6P4Oow
zgPzHuK}H)(tQ67E!aHA_<)2V?Hp;<4VrYy|G)xCH!t4ukvR;w71F~cmb8-cRU>wL2
zUY%Tw$r(CXbva|Om(MuC!bc{i6I|{wLRf~fv|@dvG9QrSZ4zfD9_)u99@`E9MN=?T
znw?^wEy8oh@)N*a`MFzB!P_ez8VDIwSx+H3X&6!sPZ+!*G@Fjbn25#&@{MV~N9;8V
zS2IHGg-KbLwnftfWy+XlSYYqmYY5`S+RuV#qPFqXY9Cz+78wwd2$F9<A49UxgNxkL
z%nWxl%{GQeplOqv*UQ_UGe(63DXHcfOZ3-pBza2zDlb_P62o`LbF`RlZiS+bw?ZZp
znQ*3rvQLK$e+U_E01pPP>a#w74ABS~YgsU@FOIf$Ysn2R3o_UTp_c*76+wLk<aE;=
zqgnuLBokUekaMi3h74`QWckjL*b3TqwuV;B6D3YlR{GY!irO$IQu}~XIQDJH+@R!n
zV<<a2D|gS}|M~NYF9Azr%E*ZBWeE`(wL7E8jzRf8+_C>UrohR4l2^{H9nXU|fW0Bb
z9M0T)_`K4*Mi1&+XJAw$b`8FnX@>#gNEF+j%)vnWJA-!3J>mqFBtWqf9__GT-J1(f
zUBJ%aJnXjcpPl<XdLz(ll{d-;A)XNcQ5-$I;5+$N8gjD==%jj}t@8|L;?32Rf;YW=
z!cy#<YYrT_jxwwacP-9Mx+Ta~CCF;6k<AY(d`uRtn5$?oT+*v<HEq{RU+HOcKmbdI
zA4@G#!&K%#Xh~E0c^X+_mM(=M<u12@0I*yv;;Rj#=qs0nGKF8J-I*+hl|PXn&8?(w
zPJXHpwyGYA>y^Tj--Z_Xy{iWxD|1*7>6snj3Ro8=(n!~fqIZ#m?Mg00G(eyfW;p=-
zxVKs}D58shM>tY8l5=5fnNZ%9!L{fMhYt~62=jv%h8eEZ%5KxaWr6|!oSx7-0H^px
z|LXtPij#0}Z`face^*$`<w{5n9`Se|o@qXOs5sIrfi{zatb+w%i3QK)fyfkc(S6-D
zM&wZZt?Xq+nFb+Cg-1W2h$0|A48{_x4yd67JE8eUth{0cvYcZy1$_>eQV0+Nf`e>k
zE=d;nhNfx8rbfo(<kWV((ccE!r0IZJ*Z_{qgrU<RZUH|rCCS>h@4w>I7BrWY0p;u(
zMH=bm2wqpw@q9MNw}h_dS)|wr0_RzCM8l$xiB>AI9PPpDgmMC?V2k0vDe51*E695L
zE`s*isWcvhB(9zfP8y;6B|+grgx-n@6A^*wJCHYyO!$jmuxV#{T$z8{s?6v>T_IB#
z#+0skdR(m@oG^%KCI-RuA(6JMEkaDZn=W~h{BAu89(j;TCS1$$yTAp04^u%@KJnq2
z4IymE@JPJemT*FM7#F3V2?}}#sW9Mumf9>*&vbf3{!2*6j~Hk(GdS%dhbGZ?C=%g?
zOQ4~wjHrSwIDIybg@xtp>!bkGSZqGDJg(O_HAmz>tD!jk2b3O_mH;}qc<h1c1c(c?
zzHwkis=}!KtNRPq2c$$W2V~$p%k3BW(vs$i1ckXKPUcF#YAolTT#5W?hLk5%<4}Ua
z{4B8xSyKcRPoRu8R%bnH$9F%cl#VI_5+w@J!fnwTM-CPyB7!RhCOp<A<TfRvn_efr
zP80;eXE*=~O`WY2k9;}MWu~jN2oeMYni<wD0F)1pjXfFw<HQpT$CH`>#!?Q2ntTWk
z%S>@G&zeFe0js}^3zv#EOwz2uLfU`?JGb}th9Zv?CJB?MheaL{<J&-Vi`JsA>A$21
zTI|V-3SfmE-7s>Fa#;>r$VJ!!Nq>PO!Z#Zo>q8CZ$kA{`(atMu6NWveB*K0TLY+%Y
zR~}plJLgDRab##d!<cy?QZ)XfXlXiBlfuApQZjxZU_YKRFU|q+EDV7fqVqYm5Kf$U
zkJ@ou5OzFq18FqzBjXnl*iGy@N9}R|Bf{JqA!KWsN9+_geJVl+u`Q|!M!7mwsLlhT
zLk=At!K`Dg><F7z0C0W4?Hi}C@Yn(qB!F^i?GZHC<BI{!nRvmfEC@)?%PBG5?<T^O
zC0{^x5Ex|~UPuF<oDj}&y)x3i$Uw>GA`X8r?b*)2E-*GtrVd+Tjwb-+P>QqKc00Jg
zAuwj>L>LX`Lx>!9lYkA*FY~x|Dg-2e6E(NIjbLC284n9E2T+H<Fb(7!Q+Tn=d|ZOV
zOWn=%4rjt8pe<jSd0_-U7lX;q&Dou8?OeWaa9&k-b1*<i`kGD2U<a-eIKEyttT}}q
z8#V`*p-wKMm56C1f*bJ*B%ZWU>YJ52CFtX8%m4^MBO4e<Kl_;0;d%wd!NdWzEeaIl
zn5vD$r+U|Ln<+29yO;}Y>;@Q7Pzr$FAM6lUdB!{x5&_ek)|vLF9>tVhU|jeFx(3kk
z(O-~dFJ%bP>`Vb?%O+xc{Zn<{5C|>(%@A52@xON_$-``ZL$otnFjnX5E0@Bd4^wbd
ze3M5Hg+?nO{Nj0kz-BP27y1fu%LqTdAPvw6Y*P{wf*^wH5a@zBSB3*&8LA};L=o5j
zDQInu%ol#bfM8;!ErsI1JN6x4O)bb`FP4TK3N-9(EgQnE-2o4%g^oa-!z)BHw;A6)
zG<d!+L4a01U=L?g{DSQ<iq;e(t2`Vc=nfHmc!&$ZP+|jQdmur<5E0DGaMRZ+JY*4m
zAUl`S%9qeX2r>^mwng|@h#$yQ#1n=DJMuuiNe)5~rO}jzF8~`=*>2#puabHx`=h9>
zj~40D8yH+lf-gqp4iuGNMj*cIL_hktSZsl9g^3~Z6a*XF?mJS=c#G<Q1=Mth9n=)`
zL3Hd%E|?ywT0ADLg0@P+7Wh{}E>Tu_H-{@C<uz99NouLda1y(mxy@43M%YTX7^*t!
zYMO=N>BEFKgmEzaEAdbdIj9KuhYEm&ceaT}%lWN5D#Nj~AcBFyz@tin%BIGp!i*eH
zghid{K)i@UZmc~^yTaK;T&t6vQ%2OlQwpYj^iNPO@4^rJh`oS3;Wg=G%qYlo#8(<U
zwmf4ei|Y@BlorKtUjj53!N4Hct}b{27!JNgbJaoc09?h-Y#3j%IJY2lVke6p(;xaS
z6VMd8mU!5>Pur?Lv29YjB)Dc>o2ro@p^oTX2)N?2FFzRN-<<i}@T&?i@&f;ve&)UD
zyhK-+o+x^HeK%xJ6g@aRODr1CBgk|I2uBS*Le$IZWf0bogG`PO!%vVfz^C0Z#6JvR
zz-Ef!_+jaR;hAIw1|NnrS*CyhKMOvX84tpbJ=$sBnZzlNnWzD=x~|%i>QffNYo?n3
z{3!FCg1omETI~;ZDTE(~_r<wZm{Vv2@T0^1*Oe%+6~dc7AB7%ruup7BJ`=&2b^-WF
z=ON<U50+&>AB4*0%VT3x#kCfQwg9fmF2JsHK}sl&Wp24tKdOdcz``WE55gLRkp!*{
z)IkJ785HgW`r4o)XptL8WJSUXLPPL_%Tvb`Q?{8C!|*f8b}1Ul5W%M7IxuExgaTbw
zYq)^cLR`2|dSu`Yz|V)Z_RU?i+#7(f3sc3>3U~u>6UrmNGT*Wc%ODN^A2P%Pe}|H-
zLc@c9hlclv=rhM#Cv;9Ct@n3z2#r$}caYtwk>|^GOA=fO+-P%7#W$*P*K`)qDWd(`
zNQmIwJSw~Jt3(ZuH!!0@8h*h%yn2dLyr+(t?s^9%UlPKBsf%J=c__NX(A=?dGojLp
z#mGcRP$k&WfUw#SgLCGh*wu3oZl6KXSV^IRx!1E;O7)6t$-D^!IGqTLGlsFyi!N{@
zf|M3p{7Cy)8?_-~?DV?9g+CgR8bEM{Sq!?%QGPYGOUo3DLet96+et2nU7ouJ+gSeA
z8>7&%%}szI=la(4-H@&b0>}D1l09`6I4>NQAtPFWTs7U4Q3c?O|B;&_XVD}JBE`j>
zs<hVjolrv^o6`XwK{)IWVo4~AHGNdcQ|n4AoOMO$^H7Gz5c`-5<>axF4+JVENRuRk
z5L4!Sd18t#(PG9$PYu_)>b5e9k=b+&s&H{GB(bCMkrryWo0_K#4vom9vxG(>n239g
zLLq@OO)Q$%-CnN(GitRK{15{T(o6_-fKrD`X@xHNt{|2=KLQt`(c2>Ni@RC=h>LJW
zC^cX;T-;j`7A8AaQ<v4yZZ#UJ|C`L9f-d|WIGB(9a#S;%ix!R0b2zoW`lp^pDi?_$
z;v!%|xr!W(v@k@mYTG$%&bEPDhFe6yM>@IDves?IzY5!(Y_g6-FU66;3gLJU%`R5l
zZU>Vgt+Lk5N^jxel~4#XswOfku5T61d_0(?Ps3Txl*V;G-CNyI&S8nlD!zx1s&uJn
zJ=mDK8DXok=&tbhgNkVWsW-ZlE-8_Ub@1rHc}q|Gg{D&=FC|!+c%*pL@>Kok?`;bU
z)3E_M%<3uByuZkFQ3EN@QyHUx>%>CwgEAs6d-8!YC}`Rl2~F`$et{Zj5~;3uU+D5R
zy>M#2DEd5yU=A9pTgl`Z@TS`=T{@RFdH96a2AWhMd0;tIEH4u}oGP-4y=sE-vZ_Qc
z@_7K$OK`kNp*~L<PxFKIA%g!Wj4b;Ew*UZ^<qpDuZcH56n#bzZhaRYq)tvXFDaC18
zbtRPr`6{lobqJ@f>NMzvRd^;{0-TvpKe1I?6o*u@s0rnh%DD=G@d}|@pk0`FtWkSL
zFpB6rtO}*Z8x2foPYjcyV?sF4UaKM-)2K>-J>N-pp;RtU3iD{h0Q4AoAKo^bsErH@
zl9dAK1wdpi!BG1Nlc6dG6=><3fFR7Y0Q4Cr+@IYHQPIut!^XMNfy=~2*i^$p46lpd
z6!b_!NS(SA%uoberB9JF%bgN7g=Q@r3Of=4jv6Qo3aG-gHBfk2h4X@jm1~W(v10n|
zC@l+qgOvNIRaN-GL@_X4RH)3Oc!fZ@6ahXGvAS-J`*oERXTTT)1uy_0VK(C!LUhE&
zErh~oUann6R?l)&+*1x!yukG33wN7DOLaf0kkDDlXqO{`;nS6PWQ_te&J)Ej`3*#%
zR}&tsU{FE!muJ985{6|!j9DvA)dIG>p=4T}Q3i3e4cDY<hd7ei+`3>d!~wgN_$Od?
zm<#aKf#@9yzeBm8#8Pac(ym<{C<^lmVW99r<bxPEn^6e>$3ZzJg56K5fJGslG^pA3
z(X~d&pFsQiiGh|2?1w%kXs~*DMPMxdNr{Ch0YU}sgiX+b`5{3PDj#Zw2ZL&ELBUmm
zr}azfx0ODsTvZa7%`-$0B+&tms{x;R8h^1{0x?nwHy5W>S~lUMh24?F-~hetbhLzO
z429%e&@~f)Qf)$D1h+EsDj}stfEM52D+!kx$HC%&a8ABhL);e#^fKaOIv8c8IRvmO
zYpPHcHP?tz!e}#1oPds&f>^;10A7@Up{uI>%<B4%I)hpeiFx5}gXvfs1ehp82iQ-w
zW+o#{u$sj(F|q?d428hzsd7fhKc<XI=mc6~<mN_&_Z+x~JL}&nEo$U7(M+-$(`i$C
zytWBwJy+SN+ZZpFBF%0y5UQKGGui_tYhH6)jT(k#3=W<#Uh;@c`Bi;TTt-#dn3=;#
z?$UMg)e&#(ykBBlUWw|H7?U8VTI}zg6PR^yrfyQ~Z_Or%HoeixmFS4a%2WVv&n$d0
zW*Q9x1^S*aAJ+}jLAUA3jF}1R%}@09T*smRr7&FyC4|)3h5AABJXdFvTXSaEJ2Kz|
z7v^}Vf93uQp(r&Estfh#7yTa>AGtRp>hh3Om8Ja<zeE@>yzv=}?o02to*tjS2a>LB
zY}_DUY3@VizTm#o+lPuaomqiES!nQIYitHuU<>R#IX`9_T!WB5S?xB=d<W}3Sl)QY
zS>W4G5FmcD(@Rg~(+?%hj-_BcGtib}@cC&zyu(?kh%;RJ7-tucRTX{7W&C&ea+#=U
z&Wh~}+RFMC1;bjk9Lk-Ux0^c@(;ihhX?i9o;ga*o-J1-erL*YL9RJKQFDX=!{E#-*
zQqqW%c>kscWEOfcG@B}CNjsLFvgD42%%~w`J!L!`^NLVeu(YfuL1qA!f|{;DXYN}v
z_$0u}?wR<~#RF8$m%xV1Tq&~%Zku)WbSqaZ42q^4^s9NOR0JHS>BRTuf>{JDkL75e
zAT|>%k@AB16=dE3G?kD=?$V5Yi$Z0^l~D{PYhe6EK2~L9HB8tzZ*CB)M}@{9uwh^U
zn9$rOQkd7YX2zQF!DD2>{t^sT8f@8mWEh0s$*k!&I_y19)Ui6B1Be{wP`xu+U_C=q
zZKjJ%%q3^Am@hh!kDm#|bEz0G)AeTug$82M5dk&Kv|(KuvhY$3uFcTXU(HY@hRK!5
zth1b8%vx+`LF@x=>XxW=U^i}$l{cbg#!!~CY6)c%SHaF~HS!J5ln)rp%RD6*05LZP
zqS#bI`k0v-KnDyaw-Y)iy9HG)W@6RECzk_7`5a>=M%?SsfT>1qnq^VcG_e@=#I<>h
zDTvkk7g0<r&Hx7tNe4JMm~V(_X9p(}NP8N7TYtJBh&joC{L;5HQ(wW&nH31B6LOyy
zof=(WbulbyfPorkl)!#sZecJ!_90UgOqeUa!l866GQj|d9SoZ_G6)`+Q08{y2p$84
zPfJxsEJ3AkqG&XlFA$9km+EUyqti76A2f>vDbik&0ue_Vj3a`rX8^(a;ku>vQx!y|
z?3-o0)|S!?UY2PA#CH_2!<DEE(ZTOR!H<R5ev4Ca3ZP#H7D?d#-+>EPK*6T3#5C$#
zO!fc;DrT`J!c2{&dH_C^v=$={nQY$x9@m`M`@A+4+cc1m)U|9<(-Ag>()lOx1dofU
z=K7_S-IU0{93c2VMohC_PPqty0X4DX55OkSFyd(HYKm&&YC2)<FkqSMdNGDC=gMF*
zXi{%7WjbM9HF{-K)M&a<7SSv8x8SgeWfGMTWfg%EZ5LuM_$rJ3!9BV?hdg8WR#x72
zbjEmD^>Hh6D?BQmSHS5&cmvSQ-;|jW0!(wUSV>uy0p<Agb3BsfVeO&e?D1pd&12eV
zsYJ7xhPWbx4u?D(7NxM}M))1D`j=|6n=<i@jf#OP35&3uieef8Z%Kd9Uc7lU@nG`6
z@YJ<#wmhDJFxUQ<X59=%ojL>G{nq`dj*~^Ryl2c6qD}f>f7Bp?VzUStc4geAzaoM0
z+b}XKiF(SNMe7s4T@#JyOa^vWYtYPO;{#-PrN#j0o(JAuayn5dy0?UQA!BiI;TAJ;
zxUeP-OPgyU5L~BeU_>HMvanuXh(uTRVb8+qyt4_@n4v1d-38H3dg}<8!XrxS5uJLb
z@>L4LOej)F)x{YCpoLnzGbQ(eWp&&@3yAG_PHh4n-mMKn$<aYsdB|08&8)m*S!N2$
zk3-KR;aPuZ&2j`*TfO<m(*OY?DZ<HBV6g;-@us5l(U>fTRD>F7`E{<M?!}FBri$)x
zytEmhz9(L(w{APucRH*G5sZYWP$ZP;5kzk&iTy++uhIyb7~Hcrzb0a}!(q@nt?Z?1
zx!Dy8WRaGj$)thtMqmYoH4`AfZd@`lA_15Bf$?Nvd$XY<5HM(%&M^cJmz4-E65;H~
z;m|TCm;z%MW5cGIn8SveWU43-B@Ae73c$E<$R{y{xNQNzzp^)SMQoug-9S$-dAkA!
z8v^+dWuz^*y4J+Fr&U`cc#Vpi@*{opgVr*Mf?gRyfNp6lT1{;@m#r4Q<d@VW%T6=e
zDTJ7s4M+f)np40^B<WfT&huH&vd)B%nHwf7r(+Igz`(4jM7|=tzhZCu!~G^-a0=GU
zz|zHCzzU^`NSei8mrfFar4d;jfDYB28V+PotLoHVX)41KJP=`g5iupckOJpi?=3A}
z1X*I)JscB(Dw1%o*hc~^WTo`zB)SbFmOZRCOg4=CS0caxs)3?!M3rnVg4^FO$u6K}
zwN64?oDN_Ib|R^Kn`!fVHi5x$#FnjEE$fmPO>k7S^pryjc2Kqm5;Ti-O$Ef*Sq=o_
zY*Sqbz~0Lm>(^i=NtJyGolOy$tF^&MHkw92&?g!tB-WJt2>ACgSfy5__6l56Jf=;0
z&lD2CL$uxG)X*@!HO5i|g0MmoDldb5Q<yQ_Mk!SxKA8>HK44$P=BOC9AgTp%brMZy
zxr6^QSOr#O1aT%8&%AM8RW!*;C^CYOg3JmHW>QnR%w|+g)*)p{IfMr(#`eW1gCIw5
z6k+g*hGnM|MFIybsb3!_ppP+XV?4*hr;4X-<Rl{JWO9}rgd>qlf~?6+eTb|>C7k$h
z{6cYJ;V?QbblP0!t0s4?^ys907MYd`+98HLJ)JUC=Y}aK`rlg2VaZg;J7teAf>coT
z<g9p1qVN?m4nrOhk~~TUMjBy>N|Ht3Nup+%2>UWL0B9jhZ~=rFn>3+>_boDr11kkj
zDDWh}R>fLAh+Li50g)s;5|xY+(S)m*<O$I@7qDpe5aBxVCMmL5bA$osDP)Nt1d5nH
z8<X1m2AO21W&KWdNLImMOK?8V7)tLC3gZ5yO!+Ad{L5!fT*Oq3{!BPa45DIyBh-Ba
z0qt%#k~!gw1!sevMT$jCM&WdPu?MwA*5WW2`rY}&pZ(0)&d050?K1S7VvssZtw>^^
z^K~mvStt*zr9e-C%*Qd98BY~&A}Fjd@5HC#2+JD)+JGDp@mP_md7+Ydk<~(KRbN$b
zCy%@dO&Vyu#weaJ$d>^^av*JH#IDZQ_HVRU!T4C2n1zv_%KUkh%moLNLe<Xawn!Nk
zJRVF0NhUAABZo+jmMI<naH{0@6Y7SivjqyEX0^b@nZ(WtjG|B`w0yJvu<sNSusR77
zlZAZX17$kd;bIeIO3ntU*f$sTFfj@&{D#hWf|N!leR5hs6qXD2fr<-fE}zaL3Z>2|
zlGK`!(J3N7szi=zqjaAomB6-5itP&6-6<m>q;Y~vVxm(U=2}2vtKjCVs1P1PVI>`f
zN@b><s=UIDOvcM0mS{QC0hWf7!opJ~#O+Gt(<c;GEHC*(LbAlEwkJDoP?=svF!tel
zl7^5}E*34}K&GXo1I6Cd&#)0FLZ#Coxd3pK0e#X{6b~nTHyxPshyNoVPoQ{{9_Y`=
z#=0<UI)sQx5Yy61Fp@Ll_$v<ZjQLT1k;*gU|1`x0c9U3a27Ev}=0eF_W~ww>8sH53
z@odqjMtnjjX(AQ&S+$KD4F-lLu*)#diHg*CXwJM+G-QnEVZngu&`O(HPy-!Cb>TvE
z`iH|fI#Gh)U}#bpCuEpXU`s?X7?JRI-&su>1}6D_ki1z0ti_OA{R;$16*sKLBWg4l
zO^R5F+$ETc(hI1qA~t&{VR?ebf}iGkxxw?7PoO<u{-f?rsfR0KB+!J~cDaCYP#&^+
zTkBNYapnj2K0IeJ__drsJ*nxPiY=Xsczu)?4uO%OqRH$U;W8)ac(KPLgNNE4EOklQ
z=TjZ}^HBXU`G>Rz2_+(OcY<{8=hqw@I=K5h2uLcO^YNK!!+pnup1Lc7KsPT?Bm&+C
z9MA4JfOxoRMtFq%2>|+07Eca9wSU2k2RFD<IGo<8`NN239}e+2x4oezd$yoSg{T+(
z<qqz<H?%_jmm}c6mLSZ<pjC{(9|v*bZiJgbHOeP=R1O=Rf;l>Npp$`~A{P8Gk{Rcn
zf!)*$^H|KbNy~v$wOebz8RVT8AtN&}5&@pbblCnQf?MF<r941I@&-e`&*K1_R|Ww<
z+$}_sfI>_dQD->8xw4+ha76E{a|h^dVhDA3!TG;2UN9X&d}0XOLI6|pp3in*@*5b2
z`aEFqxG;Zh4;ISP9fsV+a!empZek4VkE%bI@8j1?NeW5Z7&}8#5Eqc94&KDDlN=y>
ziB%>zS^kAYOmf!~<OYTbgJ^eilL2HgIO1~{WMD1Z7$jN836?R`V6b{$tqc(6yO%fv
z3xw!#dCGw0Qx1$BGAPIc7tC8TD9p1D4E`|8$P+Hi85m$>L5qgD7^rITnkG3Lb!cE>
zw?x#0`x8A)?=@6ha1s_FGl;YzA`9`nrUr$l0g;h50WL1qEIPr>X%n4dj0qb4VQkgo
zOe=ypQDY6}1jJ`TA|Qe}XYsS<-I~yD@rUsl!DMA|wSqH(5i{7;qeo3ZH2~b>d(Epe
zxIF}#(Q^;xCd6S*0|(|84fQs(-$4*lhPWW-4aNk-M@<Qy#%`OMYj8erUzy%vbT)MO
z)&z!nlNJFJpvcY2Ac51aZ4rm?fx*Zc7!U~%69Zsy;~r(Pit{?myqTP5K*1c)NOMKN
zXGaB}oTCnaC9zn!kYU-LrWu(6W!Zt_3=D-aa0DD_019&x91XTKFw4Vj{?3d4W@!1N
zG@XdRC&@tXGEgyR18Aen(CxvO4}+s4T#RrsBh<}598)Um8pdFt*5d$XyqH=wc+tqy
zGiZ^9(*TCrcahny)1`pVqhyV_HIUtt4<^zS3@WI)!s$!dE5<a5>kttY8ns3&bhARu
zOUf^#x?;P6Us4w09zr*CVPA5h4p%=Qz+n4u*{e9YV)Y8DE~v3Gk3r>`%aux2d0lM*
zA)G)z!6ckgYY_|TEf+}ze;8iWJTEa&r9=lO@{BW}*FfFsI28RnOG6D|Ag-FS=Z5E-
zi&`KA<AtSDI4KP5ykrfBpl^x6GgucoND;Nx#lawTZ%Xj!AY33#@d8e>|Ncl4^+%i$
zT-c~$`xOpTDMw`vl@wE<P6aiUhE@SbWqFihQ>j-a2Z}E#+@_M-N@OjFtrD9{vmUNU
zBO4KDWwXW=2hoHOcg{$$?Jl8U{y&lkkt_V8SL72qQk9xj5njc}7jjz(dL<l-oiFUF
zQt1nO<Ti3F*s;>g3m-1%z2fAG<Qv5%0$6!RGLvNyimxb&QE<Pq>dW>Z*g?FSh@)mC
z2q8q5B0Y%YCrFcl1Tqv61!cF`gTV#D4dm1WH~(}L4&TyFT+HHGxUobPiq|4s_riY$
z@mPl;#z*-IVj+kOkaHo#MT1Oy^E8e?phcA7V}n+Kz~-@$l1Bi5`4M6UWJJhQ5u-DK
zQG_TG#R(9EaLvtQD=Gv)<c1|IC~uTVuVYoNBh;4(kU8=4TL>~joSk%uVwrM^iA?h`
zjzvdsul4IEEQ5F06$ch*_#jb283&RJq#TIwC(we|-g+unNQ5Vm5hOCe0=g)Y9SCqC
zpo|yrS0&}~0=Xbj1>`~y(o1Oz#HA6SLt!=Kevx=hu^6Pfkk(2`BV@A@nor3dMDNC^
zE3qc%inj430wuVH{ouOXlY&`E9w$ha0tRHZ6Z%V`1j1MeA12hF23Fw*UKCzFMe%vm
zV&<TT;5uF;#hhYjEqmFE1`lvb1-05LyJl2vs%$@|$`l)BgA#<Op>;(Isn}gkRl<yQ
zIgnr+Ui(d4Y)h0dh!U<c?Vy?}+6~w%n8js#JBboI4l`G^hle9iiBu>OTscMY*Z~TG
zJJxullR;GnRZ<YJN5XoP59Uf0=g0t$t+4)EBFk@E(q1TbsZ6Gcl-Kf`W<dV}7deo~
zPy@~2ZduZR<Q)hW=<t_sy*g7dB_W_>c)JasXhK02SF{Y<({BP7jPyD!y|g_{+w2Vn
zG1%}qAz|E5_KU7NQaz?Rh_wiv7J?WoT#iK<s>if*v4xV?ZKE!#LCpcTUtt$8GM2_b
z4{$}m8tsGABFS#t{n<>GglY~Mxb}jF)Mjwky1#)trQYYJwaE57rPOR7DH~`mb)Y_;
z+#T~D(gUK2(okqgZkf2QnYf49Ez4RTmb5VUmU;!(&$)y1VbE2|@WP@<ZW_<fCqD4j
z7fM)-nzcBAZ1Z$?z2TF*;ep<8-(B$ET@kCSL|~4!`D|{CsT4jv@V*;7Gg|y7^0f^t
z8=&YVO@|Clw+v3Ho2i$i(#mwYOrq;uin~iOgOKK*3-iZAI#~^IA%apEsUf8IPCKrj
zbL3bKRXmmRXarw3R_|M>Pdlkjd#~3;4C_ZxFG*Yw>)sAljia#DWO!!eIf$b%8OGu#
z0*&lUSPx)3Tt{r!>^f!@nWDNYrq=AH`5A;8D101T?(NXU(Wzv5H$a|S)Isj2A-+ax
zD9vjbfiYO86{O;`^hOs?DJUIDK<Y*ZQPS}7w-i7G1mct3dkwdC<p6+Eqh!A2L17TX
zmbDOjv&9!IV0a|~w@ko>O_s?kQ7EMmqhd4;QKFT{y+mplZEFpHvLEeb62(^|ZE6a0
zHBkeEtwgE@6Khh57lV2r8C9YT5ZNdwt9A@O-OD}2+%{B*36R|w42=pTMK%qex?`Oc
zEROR;X$`CgJ2n^KMg*9m2WNjlD+#Qk7p9>v@8G~Vc82BxqX_8NVk4s~dxL>eBBn1c
z1<)P#T}o`al-Yi_*?zZ^VHh+hiyupyI*74KF0O>zHLb_Ma>O`BT#UE*G|SP%RD+4c
zSD|Q9RJM18D{dt~Tkgp-?#xT(%t)5W*TA~AO8nl*AnGO)Y}R#wIm2eKmO$JhSOq4@
zMw|mKY)T3pzinIUJzMH4W%MDg*iaG@jsr|5JGj7zU~0`@$gUb#lyqjsU>dSFy0SOA
zC?VLIOI`pL>4qDNqzRy2jA23auEZDTPKI^w+U@%c-?9Vt5~FPwP2gO_$T-Saq#bCj
z+hJd}iZf=4HKU5v9KwU@E|7CWVUTq|5>RkBh#UfNjudb}cA|dY&)9OUyE8>^aTrm~
zJ@W~cF1i&#cCtNJ6m(puiXSl@v;}&HOdpC}+olV}EN11L9LR1ofu|>+IBghW=>(G7
z95yZ*>lW44E#WC3IGpRORqL!(>s(dqTovJ#463{pRX8xi7f2d_p8>uNp^gUKyMExW
zec+n;!Cv;kUh%<R@4a5{y<Y6ShU>jL>Akhldfm}`4aIv5GQENsUcn5nV1@UvLd)18
zRqUZv?4d>Mp+)SW9qXYL>|q7wKJ?JK^w6!ryIz_V-o_JMPN#4tJAx^<76Ke9EQ&{y
z2{8()A++XbQ27?CtK$WqWMmE3S)@c2LPTg1jga*A0jCnh47m-&%?X!yia{nprhrV(
zNZpL_ZX>Wr!ex-agzJdhs#%gOKr@MXTnTYp2y88haa;&&uM*{VG8PA?w23QRD}wp1
z;;weu+)>TNLfBkQL@R12R-$xhD}h=P;e82kzJIu1KJcd!;#dn>7uORwKx#GyCaY8`
z7`DX$o1ADMg^yLHQ;T%)uta$S6g8M5?MFbdoCsxXlavE!%T^k)b7(6;Iw{x#ngGH@
zPix44G#E!?HNmP~JAD?V)+ZZ@#m$u{tk8p6;52#JEb)BL7HgRWgHm<sGj#9s#;#TK
zkzQ>e#^>l5$+QI?hDBVDT>9?TfRR*NOw?||>M9x;a<^FGkH|3FU5bNCa*xAI43#@*
zBe6=^n-biTNPvd5nG3im4Dv9|K+!PC!cFfBYXHF@Vc5Oo%@_zJnJ@hsAh2NYnJ=J(
zWyXOScO!p+oS8^@*pLlagoghyY{>yB8fSJ9f&wxwKx~uFxOm1<d~BiqP7+?iDtHpo
z0J(lnqVdG3AS$2*qMB*JfN2ZcKW-+4sB*9Y>1~YKfn#{u4|p3Bw}nJGAJhY(;jud!
zO-b4yW=_nkV+V{i0PC+|5fGbrQ5^kiLaTy+t0ok(ky{VxZci$CqKBF*Y#lAplQlA8
zJnE*WDw>G%M0u<yn!$LVOBj@~iAxxiv7DV;;_2Ph*e<Scb*AS{-E`XN-jx}yl^PzF
zsCrtQ-E`*bsCQb1bl#SzN?M?)YI~ij%66w2+Nxb@q1LV)YO&IM%xa04)6+4hW@5BD
ztmBPYoNCPDS$0Rb)>>wDj%5Xn#9GG{tC-K`Ue!3}rNwGoFPTN3nPWXOqdhUxwv;O}
z#2+%m8#446GV~PL4=VH#D)b2|_WiV?iC3bDSE4CbqA6FRCdheLp=np4Nf)(Er8|*&
zcOvxeMd{p&)27II7pGD$PGnw`6f#!^RN!r0_SGnDWUp*ib%M+<S;gzW8UVEA*{3ee
zB_m8p8AHag-Hl>Kl_N#*s3eU+XKBkjM|P6!v`=ZvGfr8WO3KkbHg$$J1Afx4QLJ7g
zEbTGcX$9gni@a+Wc$O})EL@^5?KN|WRn8?>CQ`RVy=;kk*vnbgTFyjW;&SZ?TJ}+9
zSw)zMb1M?%p_N#fR$?Vth>G)->gdZDm1QDTl3~n)2Y8aQ5hYm|Rdywc)JqkZSE~@O
zRhVlw!VJ_U-u-%sTRRA|EF#Ooxs`=;Ckoa^6<VehbX~9f3SYr0p8Bhs>)*B2`CQ()
zo%JuH>b@dYUd3<MY7Tu$4Sh>=`mNLJ&|2z&);FwYeM$j+N&tMbzEA5lIekiS@|L0H
zS@)Nx3o3B2y<<DdQ-_qM?-q1tCe?zKb%L7Sy;|4MxQR{GRvT{&3?+`yc?X%W_2yTU
z_ms;em0q#91wt^Re~1X9#D%n^N<alsa<#5eEQD5Krm=d-ZdWT(#p^j|R<|oPWmdJq
zRS{XLn#4J$>C2)-P>MVS74bzfYg?@?W35>=lr^HTx)!ffs{%Y;tf5XB(_9s+Dy4B$
zq*SqrmPBf)N>sTWK&;EGseDy0>ZLbXwB2JtIb%V!O4X@V^(v^PXVlS@eL}b>RwWAJ
zp-7=)6fAOud5vLtjbM3=9)dkJ<;wHRmDiUl?=DrIT#@C;9$b;-$sSyh<;fmgk=4mH
z28h<Tab-Qo*YO&gqgK>wQnN^uMil2wFpJ2QO%l4vqn&5k2#<B2eGj5lnEJa8>8_Rn
zbE_|ttdEnh-kPu_z#&bC#2T8h-8o|c#WdN(sk4kVvBlM~WUX<iRb(24Qq(t%5UYiN
zoZ`y7s&A5}CaUU+RI*BLEUId;QdG|3>pZGgM;EQ_$W>E2Y87!x+Zcshg2dMhK{>`X
zvlR-s<!Noo%-k9#swr#$=4ONIK7Ctqv9{%6ZObIuYaZl%TV`X}Pb*F=bXnzT1&(Qr
zjA@OEX^n?AJgqKZ8eG6MxqoSL`pV`dmCQpcm=;$sEUsV~T)#58er0m_Jx%GNRDiyA
zo?i3HVtHE6Eb^@)N<ybH(q5MjDv{+9qy?4R6!GjX-OM@Ns<G)}k4+M%#NjGHSYq_G
zs>0BzAe<pf1WZYYg2hf$z+p`>VLdHjlC!Y7vnrL75b~-6HncN5A%u}mU|Te)s@kTj
zYz8Z8nyj!(RG1l5l_HL-ol`TcfPti)T6`9lW?FJ_jb=1p0jwXBJtx76gCZOwgkFj0
zmFfz}GZoB2Cow>b55f>s@JB`^Ku*JlI<P~aiRl;~uW^$uiq@bwTv)h;TLRAt<3y~x
zZ3#=G&^DSvV(9b10*qFq3NctB^KyYMk5;s@Jw+^>McIf-SvZE$WgfViqLxlBuFOk@
z(qK%unp|BZmQXC6VZ8u{P(;ZT(Q@)ia451!N?9}d@ChPE7Ee)2GYM3)1TaMr?*@Xc
zBAw(-V`e{0taMr2H4%A%$d6hqiKE<AHgQrhs*5ywgPGc!&~$qh3cQ-g-7IufZ$~;S
z%P`TS4vO>QFyzrGtVc!k=&wdLHY)^aAnP<=B6Nu_J1jDLVNw+5&44znDvKL8i~2bf
z?=XaALMs6jV2s#D6dS+|s|JC=zTnZwG-M45gG!*#h$JEj)dcqfS-~x!mhdZB1ZDvq
zfJP~T((_CpR8vYL)3-~jW`DnBG|DkLG`SGUK8$5WPk@D*Wt@6&D7ecFlqSbTqETSz
z2B+J)C27wut{H=FPdi#mno}snk{wZi+EHLJlvd1T6|&4IsPfVH3ZVm0;ZCTGs~T!P
zl~%*Qc@jKlFw|@?7;J>WWLH3JgO&s1%&>r`2T>@f``WOf723%59FQ!NF-`y{>!I-d
zbdW!COvmfD*wga|c0VwOr^~VAIDB5*R|C@exoEzwSudij7gf>4b#!rET^3hYLKd(O
zmv$-+BJ6fG8Lf)At+)$_x|3nGT%6QQ;bd9x04)TkySC1Ud`!w99zYv&fT=JPEh?d_
zMbvzmsGICd>ep17mDMJ+K`)%4nm}qw9X_FTNea)e>3kg7L<K0RFgCL@#RwppL8uf+
zEu5eUnBJ-C#6MdYtV)W<3zDhM0`Z{5dOk?ZY&xs;8jsqnCBb>`O_fan`(FAzYu?L`
z0J80+V=p*V>j>oKm;$6%x2-VH+nVw{6?O{5uD5blTe&GW={%&ja!_s(VEu09Hnqok
zw&iexwZt}-KaRxp!N{Jt8%q_#X=1b!23Do(Faf|HA0&cJM_-~av410y8CY_vdO1}M
z#%#j#ymiq8dM|F(8+Q6gUUyBAU<YxkvDj*NbsC-BEsVX3c5cQcWanTH=cic`PpY0U
zLsS+5$FL@05aYl=?N8$4ik$pqkS#0O=v7u1jM4-H`tC`N31iF^H->Lxdfc(KbwI6Q
zo7mLYBCR2^=+GIL7EsZ3jAIPD=V4vTqT+DVv&4;+(VKKP6+A6*V+zX8_BO`#JPWp~
zcp5w|$DRz@nR^~+rL}DC+O~IW7|4V(P{3#h$LV2*sbPnK#1M2az>>(k!sAG^e3l8X
zgU1*%2;y+eBPB*M9Q^RFBV;VGnDDP;WBk-C2j*l72YBjScb3C2MmY_S!%e2ENSSU0
zSK!ld6rEU0CbFWNM)`pkr2+*Q8B<NeJaIDHkAqD&Z)^cgH)5@TG=zYGq{!59Y*X6U
zkAp)U&1MlE?(CUI#IjKl^4g)++nGd1k^sM*krCjn!wal<zO{pJnluvMn~T_SVgfdx
zQ=}aKX%K~UXnjnh{YDhCFpCL9OJV+3kFvmfk{+eZ=K?Y<qwvo&%yym=jF%hbbloq;
z=|wk5;j(2;@pydIEoNC>FiQb?NM4r`^uLv-1gAWO8Q&;LQ9@S-viLldQPiFd=2Y(p
zJ~x)Jw62XMd}SmVOMtpx#Z!V1Os8wEkv|?gJHm-76iRr0Ujy=r9h0!+$(-OmPyrN(
z2P9gkZi_}8ymZ?lwVPpXL`60n;Z{1*taYV0h$6M>ekdYlC?a62l`|D<+E@`3!8ydt
zQVD{T6$cHv2&D-I&Hj(WOm~EWDM{qH?}pZPFoXjWlQTvR@cox|%`Q+^wQ}J{dQ(Cc
z=}N7*7KYcQls4UJ0**E&glxgw)!mMSM0Fgj894yxzdPj$5E#IFIx-UnqWT<QkuKE4
zL`d3i$$&;(B?Y1xHVqaLKA9>6CWi`zyj-x;<dZofXjGfhWfgRJ5*!0z2gC!L0t{Am
z91J4}Ks%!~n;=`#V(lOVhT(1V6_OzMq&+7z4<ZY3A#Yo3TCWk?zNM-_Qq`&!Rf^g?
z)6h-?wTF(<)?Oe5izp1SX5hJMn60uXN;E^nQOl^%fH<Ra_~k1>0{QZIfL1FK6avJB
zLa`w~Ey&U95+B7fLVQih4{7o=dVGoLHzZaR<4;SvAx4MNbHIHkJSIqaff<t0U+F0?
z^)f^LB_%i<u~Mna5)K72L;g&Vg3%)-_(RC;^oNnaX-trTVwoWV#ExEIMTs20QaOI9
zk{_`grywJjcmR%25F~P~6p0885*dCF;yZaE#Bc&pa!>f9XZ?c2@o3=#%IF)AeAHwk
zA*#r*a$XKf3CTP;GDjy6<nbJt!*UEaKE~vDZbs(hG;T+x<SuSQCg(uh^O}~U62xL$
zj7v$092k+&i5D216B2eYB(oAVF+8Rv0%A=@B;aC3#wFNdTSg>aPFzIfW=>3G<%CW`
zl5#62B_$-{QjsY*5}DB{agvj{DcUWD(z$WnoRvFJa4M$Wct(d~;QV208)7cv3s~wb
z58_-k!-Kww0!n~hwq<bE6uV<WQevI3N=;Vg=^U}0=tbNyc<KTxFc5cV)?5bu!r6(<
z_=?W=g@aL6hic-IzOk=F4dx~hds67uU=uMLcBT<kSt2f^1-yXi5E4|u6QqUZASf$J
z%QJg0=T`EB>nwAG3OI@eV!XO_phPvGM&bhcKyXM8Ao0;2B%{QHRtbG&sbFiKBjGy(
z**gc82DaWj6pWO3r5V|H(wP=eLx~D3!9yWLohb2SUliD2cEO<B)T9J(ZH^xglje`b
zT0)_UJ*L8Y?X9NF$z67Q9w^8T2q!r|Ok*lQmfnNrS5g5H4xeO<5gwyn6x9~J8ew{5
z^p(`6UooRTJUk)_SJB6hm{nF%x*-UHsyOj>9w$S^WhrMlgvC^fx{?kQfqA2df{jYi
ze7wd|DyGv04q#+RnTaB13^WQVP6{$a$V)c~k#t6v2(HMDcET%C16nYO?vUl)(7+Bk
z$`bxNIACv347|VyaG*DS___!U$G#~d14%E6j)2sA;<_L;%s3+)xf*h<Ab~V}>h=VH
zy@7)0sKSB5lda1j4iq)r95~~Ih;XBh7XiYGG){(!R=IzP!K$f7i>T3P8Yxy4RGbk;
zN(~i5VN_(G(N^fG5h$q<D6RuVA;l3P#d#6Ofg6=n2NmQ@uA*ge0HtvO>f!-Qp!I!S
z39nqxAm?y`>$tUptU5bagM*9=mjj4xhY$(@Bo^~Z85bL6HL}ZOTkVl<wnY3ija!4M
z6gky69~+Bojvx*+w#b&j7hur}>a38SQa@UdH$b`th*u?Cgz}Qsqzlj?nD-!}b;79^
z5TbR(RXA18!gG#Khr;54ZC5Q=#Q1zHBh<WnB?Snz<1yJ+nj&m6cj1ZH5fozwOyVSS
zWBq~!EZT3?tF=2E`T;>SzRPucf;`s&KEC^f`nUZCh4ZVvwhC@q7iKzUq3~dQ&$Phy
zk?v-sXp&p`4S84U4?UatNi$f0N&!d!00000WoC@}(0=h2X2y(0?!_S{rx?NkD9SxG
z9P1sP!x^azPujT9nEa_dXGMX#2LO*eGPfw=J|&$oxVtGMx1<c)63<K$7dApHR1!&%
zzD}FBIk+{aA<6CZB2z}EL}UnPgh0F#=eLWw1vml*wDL<f`3-(B@oQsL*XxX$4orhk
zga*j_OlFl66b|Hz&@QZgftkRAA#t~1b^<0igW+gEGj6lGvt#gzJ@-~;?Wtunm|&k+
zKVuD?mOju)i72Rg*alg-LhSg9ZVs$jIBN=MIHv#LlUk4B3G*>Bg975^^`!?Y74A$o
zR8;cy@^za}c2j!dngv;tL<TUR03>&m-JeMi&29Jvgb<m2hTnk7s^*39M$bp^Bnf@<
zHUJV2S}Cv$&AwRND?|e?R|gSk{E&o`<|*|Jf>;kYAhgo;pMdyDvyj$p&o0%l24*i6
zwje>Z$EXZpFafYZMxP`?mn-x8x!XUb{v8jyvk}CLk&Wa;03;w_0DR-tgMomMqf*#o
zpaoYH<zWC?ssV1rZA{xbmb{7-JoE^eoH$Myty<05<b#?tIDbO|bQ+c!aL7bxyMmpH
z6xb&w;omC(Bi1bUAdjbgC%bTPkPDBZF$oS96~^wDWJ$#>*-=B0WnqF`sNu?8A_=Yq
z%i0*&3l^wR^m8t`0x@2l3+NXKt{VV|i6#~Sf~8$gL|Ed%Pa=rT6UfXuz5>wU?|P62
zCJA)mkE(+H)7~41#R3Y3<dlOJnwv%D7-1x{EWN(f#`SQOu~?c|($ng!6?GIqxY^{?
zQctoAQM0t6ud%{-%0&opX|XMzhv0*SAPA<-%jt2IuVg0HHUQk!h_^Ggg$p94_pn(e
zD0Z2s(8u|xAHbeUfT`=@H8spZVM8@;qTy$KLDc$}SyMYIV2HFDE$Nm~ac%XIz@e-*
zr6gvK45A4i0ExObB@6!j+k9zPLPG6LX^wACmsZOfHLBkU7R$ngXDmcr;elSKJfQC@
z8+M$^c4Mcj1mqYFCK75WV)68%#GM!;rGNN4+g-thRcvMMl{{HU>dLf|j4Qr*i(7sL
zHtp~#Ad@lxJOU%K5Pb4abO7)uH_Qr2iW+p{1s_18cu&-|JSpLZp#x843L$dTSdtKG
zPelY!PX=L7W-Xy&140(?0P9<MF@UuD`7X>l3@Qss3+U4cpp^6BlCpjeSpJVZ?CwPL
zQ`U^egnehixERo=Z<V0L0#=`sJEy9JWLf#E^b`Pi8bg1BNO2dLLk9z<JhqDqy-eG2
zC)r22Mj-$YOi6-N$w)*QrIT_%=TwYi)IOGO0P08RzzJ0dXfVSe4x%asiiD@3T74eZ
z{!6vqYY1cmj#Gj<N~k!l^cG_Szp#k#xu!?V(E>(E1Q1SjIuJl}Pq2mVX!;1?@LC3a
z+WF0Z9Sf--Mui#2q)6H!&|dCSfM4GSnFMz$Z>j?zv=5}k8w+yd081}|!?!Lr{r+?i
z66-AOLMFwf&@_|lgk!s!P^np-?4N2AM2zmS1Y@E_+B;VZP4=#oE1T&Bf`+*y){QLs
z5t`g=S`Yykv6guwt%m!Wd%8>2$?Atz2CFvfudCT(b5CSky&r;~m=>!0;3uM3Nv|w0
zF}~Q|f(Bnfu4XURtJ;WtnkEd`*=@shgJfm->kJ1fWDWXLKqjwG#V}*inTNN3&Rjm)
zS&f@qcX6)bhqIIkkaX431<Jt(iM@(o)LtMxd`^Zl3u*k{87XrRA%rgL5ambz*vugv
zqn}Y6QpovB;1iC0)R&q`2Zu{05$swpT*112_dM+kf$@Iq3^yhtNY(rdo~tNX;O()z
zI+%4V=wO4qUBHWp8rqM7ywXHhOb|$@-+62wM%gA4i7=vfi|D{CTW$Ut{dJw)N#Bh^
z?2s%29L8^;Hzp`eh`;H=OTkG8mZ#0~zpE~mGqUf$rR*r%1i$GBZ-PxKP>v2}Opir$
z_<g)H-34RKBUu8#lbk<5s`HTAS^83A|J=}eJ~cW8Og>j?2pZ9HQ7FK<cNw5!BXbzm
z<Cz-d2!+opK-V(?bwyKcg2VHGZ>bvKiJvCX4Z0(-K0<!Gq6B%J^Cbwegc$3lCz*Nx
zK%E{L*xm6%xfV5|G+>iMb8G7tJS7IL&;jo4DqMUa0(63g!V=7qTrAn*A8PQ-SvA4O
z0*L8wCI_neQ6tpPjVGE62m7!Y5YS;I4M|`(#ry#-Ma<>&9Lt6xJTj>7@Fxu$rp6zf
zvv`S$QJaM7CU8=vM8GpZ0TBK$dW4FN#?muSoat|hxX>9{LVyJfgR8=rfO3h}nWB+J
zo_d&(n+j{p+TMUU;1eQxT9u_zBhPJ3T1OB#RvW6Mbi@#an+P*D-0v>PjFL|%d8*!K
z4GhQ+LDQsCe~{VmXF|VD#%D=|>X)T0$4<LZl6Xm&yA6{YR@Naeoz)R+5Ry}GUp_Ix
zbtLT)X>pJhL8P03@Q$rB9I(^{C=j%yG1zJfCb&m5>X;EsmQj+=lXOM1asjDzs>x+z
zqdl8urR6=7lcC%v%2ePHiUv|Z^<ksRHA5VC6(p17lSRrfh+%feiedM7cbRt5WRf*u
z$FrW&_P4k$F0$>~?~6lkPFJC+65zTc$q#r#619mx%$3*ci5>W!Z!CCC?A3%(s_Y@G
zL`*OSNhkHiDodvZ1yn%!{rV95oCOFc?YoxkClNPKJl!eh$PC;@OG~Px*EF5OtDBUX
zxi2#Y2p4B7J`YDSz3B30kzld825GUBAYr6QNLUlLjLRs>b(Ngt90oQURjuk~z^yes
zOWY4?B+68uHOG+}WXyc$LM3NXSJ)g+pa6h!Zn|n95W17Nwu7Xzu+qPiFmwYH-2?Mr
z9H1cz;5kzK(d>!DhBEIJ>$Yi;PByv2i6f_IS0D%|IDy8kfe1*D+&lvq<^(}XWF{W_
z+bo#9e3I7DIzs}1Le|k{wYN;+HuiLreV8^Ae$}kuo}lds+qjeNn*k$;&oGKGKo_ZN
zYYP3PC!cCjh6K6UZ7``@(RSw>lwSafN_B@OmE1<LCgkXFakCx}3JhkjWc3Ckwabi%
z1CyP!9Tr7UMT{n?F`#B7xTWo#W`KvLVX><8R*QH5tLcmJMpx~<ehQ<aq;ZS5(lA>V
zVz(^H5s0|R*uhK0`?Y2J?XFaBLW0VXf6riyuq-oSZ`($MM?saq_;9Hz2-!wLn$$g#
z_!pcJg@{QMArg%j8BdcJwuOV4J^1`f4=gcgxS2YJ3AkP}kMJ3=*)9;aD}`71Q;iOB
zeA4?m+9(|E>54HDOs{O)&YO83F8jA9-L&Gam^=Xh(}oZ((o_#7Fo3~t)(-uV0ih}e
z4MY8h=tTAupva7ixeCfJGeO@hZQdxW32KYwk$49of}QOFHXznq&{3F`eCnlGD%Kn4
zT%vU#1q+}*j(mR{dWrGVg<m}gjDAu-qxe@{`o)zc1S|p;WQW|XpFIjLTMfD}_v;!2
zokffymLl1cJRF;B$_7=x73^ztPUV3VI7l>XVs5?mY%H<=3c-NZUuJf#9qRd);ej5u
zxLy(~Z4>~h#;_41DUWw03$@vEK$}kEo7`PorL{QU4YXX#=&Hp7C6kpEj<>Fz{|iJy
za?(DBN5YJ_)Mm*^LbiWxRwBr7*8BipQ50}4j}cN-1w6@5Dp(Sx7ns!wCR+7+DN7=%
zocA7fV8ti18ae{l5?IZn0M9rhMgd5woF!=xYhg;Rrd`&NF}&gkCt*gjp%`=~IgF5P
zQz6_fCj{mHVIbEKx0d1+93Ie#gReK!j;g#)gVPH=UAjV=*>Vh5<QJawp@U72cI80^
zZPTc46hy+S8rN<OKiRgq>lkMQA{C$pMr&>S!}~3c<10-9PA7sa>T}Vqw7|mcSe&a>
z0>hj3GW>R99wY`SWr_!%!hl}n5Q_&S{)$5F!HUd)Y^d%1C>+r?=zkuJeIdDT!I&Qn
zTm!7^S%szLt~Rpp9wWA%fh1rtBsj9nQt~H=#Ha2O`*W<xTBQSQ5`deQStX+qvP2EZ
zyrd8f<O3^40s2C$Qi87FxS5is;lcM3^a0l-orrRPMo@ls5;!djpL~xQ;LuRIpfDQZ
zh#*L<K)nJVNRYr7d!`uC{)4csJt+<%bLZM^3h2=^*@|5d2sk*4PZ*<p#@3mcnL0u7
zgCJ&3yIIpJ)~0_hR`4#&dXdi$o+qk9%OS87Rl|kp`*hMdkX6P=D@Nm<KDC~zuhF4X
ztZEFdxOFl}o)&JYQzra=>N%QR!pS>r4ONaXjkjMp=`i|1EE!S)CPE`KbGT8IY;gWI
zA<}Co%f&Y_gEAwMt7;OOxBx~4f0p`8y3ltTxFrRtyH9{TW)2I^5W#*wsN03nO-Yk!
zgNRTylXjN{GaSoYi*1@t%f=iG_4)rp22E`QOoCC1PtH|9C_U*_w|k^!U}7&QUlqK5
z!m{nE*GzZpeYKfa!@<NNU-~|T2MiN3AqP^UqEMpcyX4NzL>n{uhQXt6i;rcSg3$?p
zl^tIRD9kP?`r~;5f7m1|v=FL}q2Az`()aA61alHC`(i7u0CJq5QckNe=PFi@bk@8O
zy~2&4!uOyKmQV}Ib}K|NZ!|Gvk5v<h%6wRa3^lT{HW^iOxtM0878d-0Xt43HFs~G1
zF2)qc;Cdz_2fa$fK{D)-FbrUGm@NTA>_reDA+#$i8bXt#Kv5O(OaqcG{_+w9BPMad
zX-Fhatt0oio<8F35-%g=+U^W^4vrU^87p=ok`Aw|g$aockx>tmGiHI6nI=fT7_;oi
z4d03&(qCVZO|e3l4JMPa!(tC{TTTZH>Lr<it$?W+xZ!ggQn7U*V55P@-hU1L_5SZK
z`iA<N2Sx$HcRi{qN?d{<0x2DI#Gl7KHd7CD+IRM9A`{kAh66kTP&=41ExriN{B}7p
zT<wX)hOHGN#UsLUaO9bBGSWY~XVJ1<c?#>tk6s?zM?#N6@Bj|6+Y{G(=zbUG!kHhu
z#1(PA#sF5rj=p{kX6j}p?S1edIUuM>x)+3`YTw}_NxlzvS24)oXpR&=0DJiYGcr7R
z(lTxuJ55$Ni)2i!3D;^Kkv$iqYH<=I4pfb)+I5Z+tDTk@=@ea5ONdZ!xe;t)w<#+A
zN*%bBVzb<;UaTH{%IrEY_ZS=~p>(an)*8N|dxzx0X%Z+9vte)pd&=4xiJU~vR32tX
zVMb$0r#m(vDgy4EM0OK6H9FE1iPN3-%Rl%cAiO!=Ir1k)2}m#z;OID!DT|}PZ37<b
zk~pIk;8B>dn0ZH_h|DTCVS!Q~KdE3-QX!32bE+(9lAy>4s@)PX@?1#S@vRPu@&-0<
zl-A9ezX6quM9Sl`!S)Q^nN~{&C9_5ib@{npNDAm83mFutNhdQ+*=bwg9>fEgcA1MU
zXGX$<Xo=%6S}X~NQmJ$G90VMN8}%bfX><W9eOM-Rv_QLK28{EEjJcF>nr_p<iY`e}
z*HUjVG7?2$2jM5PU5Fw@pQ=`EMo`4q6}?EUtBb7tE{ZVHLA6RFsg2jk>3kwNu`DXG
z*4cJ@>Z@F5m=%8}luk*)th0h2=sjFTaEE)pmPHbP*<#}QSb4`s@_UnDVO$95Tue$P
z-Drn%R%JPu1JW0bj8!psC9nZ<p6x=Z9A`5+M22WVRwPjlBv}s$Q^UU2Xr}8ON`spA
zH&wJDAZ+87zKj=x2$?U2s^fh`>otx=s9;}<k;i91Q)v1C3m`?j!%VoMpi^OjckO_?
z&Fu_^%LgMq92(hkpHv=BN2*lHk`RFxv0qEH91E<ys4;Fcv6$dMWww=cOjtzQ(3H-=
z?4gl6Wet)B_{=5%baBX9u_*!pNQPC$yUZo1Sfge{xS4iP9ELTQ$>oS-yX*4CqDy5b
z??%aL$y>9=TC|~)RU_myqS#BKAtC8~`Qw0v_Z}=cJ&!P^fx7u<n9?x91ER_-VL;A)
z(K_<ewThLf!P16)CQAX0WP=BG;LWW}D?yI9U4}KG9h7P(n#<DM@xF?j+r5Z3NPlHC
z1zn&z1(hHM;b4`5(~+J<v-1L)_|#-2$;-Vo+A#y`OTm^A&tyRqH+K9l67ALWJc?1%
z{naQsPOo*RUaCu-)UW|JY0D++m2Gt7x{Y=_fr2dkH=2PhIkm>PywEyiMW6v}7(sl;
zO|=}sGHggzGQ@;eAWh*#wvxNrd7+6f;;jPP8wDa(BP8q9&r*}{roH0dN*}r>3n@}s
zobw^|sp<sAok3R=C87R<i$Z=ohqAFj4^n`aN+%_E*`)-CSf}uhFS)S}RpBw3Ti2i#
zL4ZJM`=Cz*26zrx1{tYj@<qTUbs)8+0jgJTg1K_pv#@e$PC;P%*B~4sT6;p`>RD!v
zo+n=|h|4u%rn=({3f-5t!-2RV*cK+}WG>W)Avg9rp1Lu9#%gH@ayEML7t;q_#ekZb
za$*$m`LA{Nr;>%haqkN#Q&3>6Gh=pa?wAD|07S?bwCy(i)+oBUq*9AzW0yu#&yrM7
z`QpzCO~lynJy}g)tN)GBbnn$tOS;kXq#Fx#hwvQ|?p~P44^H!w)G<<Z7loJS^adbS
zI>DkAr9Bg+j`@bg?BF90WA`8TH)v;WVG@%L*f#N6Mwis&A8GV8Ab;wHKrWs_jvrOD
zbnL5-a{XmKxOvB`?w*za{vEn6bK4!v=nfRs6zM;g6ri_u>8HwQ6vYT5;AS-B1E5?r
zPd2}Tr;-3DKe?a_ZpC@F0a_CM(Wkch)YMJuEGWC@&=Z;;Za9${=5VRIirUkuy`9TO
zrriGFD1~V32wA!OYLG<tq~+7v7qJb<Id-lcbjN=f^R?*J_d$-1GDZ3qv8M<XnmikY
zqzq(Lj^H2wOjs>THk~mqe8M}T*>G5GJwO<>InIC#HMu*~TBMc?6_^fNBGne%K>Jfe
zra02~AU8TOJ58Q_5VbV(ml9@&)yR2C*J{3vHAw{zM8KxW8_yLbdvjdVVIjb8LZZ9+
zf;>eLPG(f!G9}wHUi3Gr!-{7+ESpbKQ7f7WNHr?0u@T;NmJPLh)6_R~S9(e%M)$)K
zYf`>xIlgIt%~ChCqC>N^@*o;S6ImWzX9!f1HFy#>lwzCCiwMfupjbNPn|3M83PQ|y
zsSdsEsIR>Y-m+#Y{owsPaLty`FioDY1Euw%yh%Kn0q$`as7HTw8>?C3oMal@yxdWM
zmn@&fLCs4+5nzKYoQLTV)JBE^AbA?_c`7Yl0I7U}I9h8N;c*a0AiBzPLZXN$SsyBa
zjRPzlG?rUU`P5Gi2#u@}v(8!X;|YhXg_4M-6Ib-ba5T~+LFS)cNk#ZyTUfL!;}Xzv
z7=zO=&6d8RA`Lnk9x{%e7-$C%Obj##u|rkHWnYJNU6NdEG(`Nw4d`%SrPZCL;tioy
zB#6zsn-|i7e#g-j!3(tbLV1J129cJnNOnavnx_Eh;!TSKxW`gB+Pe1bDwwK}_PB9S
zz=oB%t)(>wn+Hi{V^-&(**(z%E>3GZ!;tiAXeNX?q5WrfvQ13GP1|nP9tNX^r+qEH
zsMo?9SQ=xiJOzM^9%NXhqOAm$Cp3H~?MI9x0YN>L%_2pCrcYB~=I)ZyYJp7yH>jh6
zz2F?x0Tdm7kswqnku4I9J2u8O=@FMsRUBdwJIf}{!kD?kjQIovMI*^j@Y-GZGB$)d
z12kW$i}eMAr(oDDuyZ8=oa~H9nXHaG7X)9Jd_bj7c(%n*6qB$<4>RpTUr9j(HcKjo
z9iMP2Zy30#|7Y@8wJAb98o3pFZ@*L2;;~dTQG<OU3-zX_$<?h_2}a$Rs4EEuDD^9?
zq`|1{?Ne;cT~$<9cA{mNuBdgcdIuY`2s1u+|0E60TuRcb$vIRz<`DrL*lnYgJrFV?
z33rws1dXZisQ?1<{7oQ+O5M^abdX&f;EI2?6F@cxt{DpTpjTDG$W10vbi$$Jj2cQZ
z`CI~`jN*?kt5fwW1;`OYl&S{wwl9d`D55b69+)6oN`u<!5HYzhR|<r%cZgOSxbict
zQB1L4qHefasPSl0{X8s?%AaYM9DS6k+wLGPBz`;uwsi}53p5t@extm0o6CtDh*r8p
zCqQvQ45wj$nw#iYL)4$y2vi&sD2=Vx|7cJOpA1M!w;Ed3L{8V>dNBJm&Jk%*jhoL`
zj$P$|{Z;A!v)_84xaL%4$9Pcy*d?Wfz~NL&b-&iZ47ibhrFLeN!8hV-lBH<NDq)ym
zYhYn!%BlM*02kn?H+I66mAscJ*ckXmz0TQ$u)1wVNeG3uv4DWZx+8AzMAD{G$PTf+
zFcj^0EbC~Esk*<AVzw{r#GiqY+ep`}arh^4!Me0_M(R#|`rw>XaHo6&6wo3>Q2{H|
zwk<D6_H-sD1qHh6Q8@81Ho#Hm0gfu9_M~l5Fg<0s@_`XSTEHG6Xl0vCrAIj$T8yAH
zE!%TK57}P0(l!xq`NZ%e(M^*40xD$Ih>kS9d__#x0?i<dDtoI97PMZ1*F-%gr`slt
z^stBXv?m#ei12_Cx&fS#5r#wu;UZHE1oVs*i=z$zexqGJ3vs%JpzWoXtkEbDlKE)b
z5Rj+k2MrX-&?cZ1K>9h_k<@~Ev)l>(#0Cvm?dVuPAeBD>C8Y<?;>RsF-mk;w@lDzC
zTE(Wz_E7uteffON*Y21-bmMw}M-<5w3^hd?e*;Z73&y@@;tl5PhKPtAqs$PYF_a~p
zGch@ObY=WWn{fBzLue1drJ$-9Kk&r`&+LT!)+OK$SFT#f&}@|Ig@bg)VGR;aND@$~
zhl@%T$^6`MF8N;cKlYEDa;ARTIih+wg{<{3NQr?-O3IXo?pMp>i*HUBv_=v{xWqe^
zrBfMj44ss1X_Stf6|AU@7ULlM5Z$B<2$hh@+tCYY-gbWeP}ra}-6P|amwqTD#%^r#
z<)$cMwm}>Zvo#Fp8_|R<e<RmCF*7ik5EC|r490FfSPl}wJKZMz>!seyO^;FmmS%lx
zOq^t`Ymw0D8(Kg#&K?n;7NpEA@ESFOhXY)aoBxcI+HFFUqR?z>RLz0oqbf|+lum5(
ziaUbr=%mA+!<r4T4Tu3C=`6`Xi$;4?OgYuY#@BvUK{vay4#;Sg*Kc6$8<w>tQUL}%
zv1i+I!0O~^$Tf}pvD1MT>`@JigtpeJB@-YcPZ;*KJZcj)w1M9MltWEQ19hygDDK+D
z)HFTN2v2JOIffw&B9V7NG#&`*IzwU_YvXfNNZ%?eO?^<;@uBSiY92>pZ4ay806?hl
zW0ZlAky*7Ds|Rx#!m+P!*GLrwAycypcmx^;=yK&ZS<U@sbX`Jxkcg0E#6XRl-}j~D
z<=eOT4K!44a_V*H5d^d<0ciZJxc8b8Y|Dez?#=lIY>*sErk+<;tu`+R&LmQShr9|R
zz<%>c9Vt#QQ@wN_PE(L%ggn4A&ON@jPW*w-Ge|&;)WI(|Xc?prC%tPq5Y~%*rRUT-
z6)XaUPp%*oRGjQ<#IkIJZAO56Ma<zVVmyc$#WULZB{v6If}0Y#coX6lcWAb-{{hft
z!xg%#dpZi_dAwW=N%5Qt;T4%E;=zv!r<t@uo$mx#AiK2!N;;K@RK(JiqRTRA12SyM
zZX$3unwvyayMqSzicoRPHd(kchO=raJ-CE4dzvuSOm*R2B%?6ahzlb95D=(VY;;Cy
z`>#b*r(mxP&KJO&HWsUn4_DGnhlN0*)at-}gG9?&5WdJl!&f1-lXpGQM{U$Yj$sHR
z$W4L(qbPy8P<D`HX!YO=po?rD-JSw<q(_-(!YD1R&-~xIkjUj@p%y==2547A3Lh?#
zW7$lJnG=&#0%T8zfmKf>2EpzPW@u5`eUA{pG#HHNw|3|9z?f#?0_%K;l|TUv+4^Ur
zQob=wO@I+8tBT2AjP1yDy0}=1B1HwURl%e;4jBppm|1m;O|7Bf!Y|uaCagLNW~*GJ
zUBsN4h%z;oz~Puhbr6F4Y`pr@vwwoaCLl?n8^E%<BF8xE|4^y3lx_LGs^b9ZQPBjZ
z8!uNDNsv*-q{mLl=M&uM7H5oFlU96KER((1{OLRHO;-9yD_gA0<#{8}$(R|cS063W
z5c1vr<VWX3?Wyvrs*vdEJ#rytC>AcJf-k$Io-q6>N|OXcpHXKA%=EnD3>bS7Hd$ew
zrfs$*%w?I8s<*xb_R}sCly>ud*_mX0x)w3BDu{*JPBJV3=5oshO*qR_k_RQ|HekVV
z0t^{2yMUN*(S}SP{nL4ph#=VH@mZN=LyDI?qd_<q%Sj|^tD7KTXZlr>J^_k@#nUi7
z5tdo749Q}bO0a3p*eMzl+zATU>4g1E%bdKim@A2sCMOSQU(Q0yF>#5sMuKQnq8Kh{
zpdnz)5NMAr$se$}eX<pEc9P$I&Bj?`9>{E9tso{Lf{Xw{i;h5Yh@aez0J7R*QQDVW
zC^VU|M_r3YbOISZpa>BmDh#kEaX2mrLtfeMb!Z+#fx#2lCRqa77ZY-1_Q6LptV19z
z8n;QJ9i2->{*guBuDDET`9*12;YTMryFbcCkfj5yu5`;bivm6IMlWnYh4lHvN&mW3
zpaazOZ_b7Vl@T#n5VPDL=MjxWptU-gnMea$oUqMR0ZWmYT0(4@ea28jWgNCfmbb11
z!0!q&VeNv-w1+1302z?nL<@;``+te}q)MYnQoNS->@JLtUPKGyESu)d;*;+<7K{0F
zuw4ossJ?>i{h8F*1lKr;L_6sW$a=xqu5{^hY8vQnL?>POm=b2gh$wPlhe=uq^8u)+
zv3&WrYv!n?R4dJ4^B?{rN(57qh=9g#0C-hw^9y-ws{jk!cL2#|IIsh@1KbHxK}o1^
ze-)F#Qm+c&4%!VtL)<bFFBrFgyiS{Yu8<~xvPuDLP8AlKjr=c`)p#`Es0r0g<!~Hv
zmC?+9g#gwyJ17H!qS#8&v!aoFn}W63g!`DPWDm1_JgT2pN>}jEsb5$Z&7Z$mH^bh4
zS5O~LrU&NJ28FXCOHvjwCEVwq7?QRp|3<%9U|+t<eudUS?b0n0NNbjdWrCs&NrJ)%
zHn|DF_h2+h>JIeYiQ>R<M)YiQk*FOu$q4BoZU<T)9an`!c^k)p5PY%3jE_f-`}s<)
zAF<M4N-Nc}N4AW1qnLNO<p>f*+`U%FoG^$WDdpgd{4{_@*bsT5&fpv0?1-R8C`Uy&
zLQ3tQd~^byg?xxS6a?gL$}!5|VYz8#fr@~Mss>JMoy6c(qb5-fMw%V;6dKIl{`ZR%
z!$^G$QVKj?pCUs`Yy<9SNY%W3bW>QTOax}H-9kE31bD@Qb{899VvmkM0TS>w&_um(
z0A<y0n2<#kfKBRRSyK1u&`L2Ej}~{T1S_Qj!yQ}>zr_%3Sg2V(*1#T54}FTz56y#M
zK1f|GSxh)=6CdVf1c5tCt4Y-ykBzhKDbY@~(82^zi4?T=;p3nO=&}79gF&(ZGSE;R
zI(=4lPcGTZ3_e@xzmpN%QE`_F2-3g_U5$y2h(A!&s8LQtdpH4*E9lmyT{?}SU3xRG
zN=d%2TEVL*p}`vbwJ!WGk!QuERp7DAf+R=Mz)dg^y%S2=`!Tklr5@Ajzcc<9B_+lQ
z3GOkBxMNsx9@2mrgi-TIIQqdFq{U8*cxJ-n#U)P$g&z#sc{I1$b*2ze{-y)!E<9kP
z)>R^ak4yyMc_1g0tZ5+QJ%~vOfw8{vpqzcowN5>ky?m<Dd<P!H3VV)#=K!={0~~r>
zsw}1yeXBkxfXl#aC0fM>5$Km4ECSOj!CP_#CRQLIfb3{XB<fVkx}c4ChE@|0x2r;g
zJ~k8_i%r+&EjQv%zz)+I-NjrSxh%};gN7>qVAjN%1E!+yyZ|n}lzYdjpBw=N0OZ(F
z_OovLd_=U~eFb3{+?_Q!D3}s43yqZNte$AOi6o{1gdkKev%+j$p5X;>Vcee;lb}uM
zdx;*x!wSUS%Y%cv&mBI46V8tWarXPXg1^S3(vl&O;nL;wcw05au4KL;c!`)(lO?J5
zS-^pWfh8~vD!fEyVc%EA)0{`)9!%idQR|$%MwP2xtDV@-MzIJ&Rl8AAbjnif_(zi7
zHpHhPd7)^4h-I)1W)G0XRyiLE#}oJBfE6~L5sNKH795BcY*b=9K@ikHzeQg-5yD|q
zy%PiZ1waL^^z4(%g%-?pVpT$3?Pds5221a#=!mt^AvuZPc)|%%kCr}NCKNa(;Ql8!
zt-pwPs+p>J0ScXqO<+%k-%yrU=q&NjuT~?|ufgJpTmHwGb80Qk;9+tlN3yH5>TLxc
zK5{t(JZ@Bw;hsP+$$;)maPN1Z%or_Lp(k28QLmUtyI{4t4r5a<@M8COM>&9or~M@D
zVNjcQWx6c7K5OG(EWRRA!KS#}rWn0jf_@tB{|W3Yx<kN6oh&yTmSb3RZFf2dCXW=v
zb&*(UFcpd(gFQ4{K+(w+9x-V-h|>(E7HrCfE?r!9Rt%Xf`apPY#b=}+3!C^E%NU#V
z;XC9J=K9?a(i%GXFmdUVI_K+>*erK;j#l!+t3^ahmWmxK-8%EFiU;|$d@n=sGFrK5
zQS8Un9A(az7^!2x%m6fVa$E7HNq{UUUH{a@sd=~RyBdZn5UcH=1B*tbAV#bpR*Ugq
z8eGn<>9J)%i^sS~P!`{FU*e0RyWT-Xp<AoZ_OV%P!bj{dTT{O?4!Hj%ZeCs(bR~Ri
z1sN2-#aF(|_-f@raoN-FdKQ%PD2cnOqFpGWU4vdE0to7;Te2vBRa%U@Dyxx#f0gL0
zIWrm|p46MsV8QQSe-$M*3A>Dvc(9vI<nPLqrOu+gD5<=Yb#=i4$wkL!g>01-vVr&a
zvn%gpehIVDb^B?$1bWM^R?_{l8UGujx#YrtEVNE8rGnn5l?y!yQ;!=Pv##osUoX0H
z6{={!WpYSli~uzL7D69qM@?4sRBdyiQ09CTD}HEYyH$I3`)>G&Q7jpFP{B9oW`Dn&
z+9}sPj5k~`a<t%@B}1`o2fZpK#~XaCu$y>(aln6|vEj?iw>ZgJaw*%Z#?5GO+7V5w
zk}*>ugn`-dT`^NzX<y^rHNa_Of_eal@s+<-g=GUpW=&Csty@%N%*3!5(9@2KFfJI#
zr$S;i2^TD4pah|c_Jo{=X)d0v&I@+@a4$ug7o^aMU`6N3vR{_Ys!t$vSjzi4r-;Eb
zYAFAmb6T7x^@&#SduJ%JxE%>Ra`dN1Yp^XhZUlw^!f_D)W=h0i49B_O^QrHM$nP>&
z_&4uHW2PJmcGf3H30;Eju^B488F1OLQ1!HB%hp{y6&z=98BvmM1EZ9<8=d7C9CQik
z4U)PsBQw(NtV)?>>}i3DsLcr`GgKvNXCzHpW;&}QV@w{%2Xevc%6dOdA0Bj@wy3cy
zB2s^FIY=^<Jv187sDU)g3Turc^f`H(<nlDeZJ2|s^5CH4Dg~$Ylt=6FH8U>6H*`jU
zbV0&xX~J0Ysh*tcp=8s=5an+N@I-(ma4*mdvCvg^<dpSx5s-|z&n@&?+`up_kr+#I
z8yjNbKXMf-PL(U3grbzvcOiS`w&@nr58oeW)Qbi&P#Dv%Rq&4L(}S}89?AsF<7>%t
zlL^2<u84s?21D?@D}Oi)iwYLoi!mGuZlnQxp6?>x5=pNwltDomVpl*phzyfDP9;tc
zT{$a9Gzb|8VT*3VhY3WZz82-HNS^43(VN5ChzcAyN=$}GrV+64PlrvtOTi~k_{pEh
zUb!N&=Efs7ymUU!Vu~b1mLJl&ZiA3A5CmuM8wAUZ0aprOJbOlhIyb8bHt<n!&q!-1
z*35rRJFXs(l7Lef1J8665Zua1twsp;h7G1A)%1dDLy~Y}c82|mWt#9EcSP#O3AYFP
zZRLm<zS;mJ6nkQnsmMh)8rDb6$++83NeRGVVUuTNvrZn=ba5wppt3Z(m{rlL7!r70
z$QdaeSf*sl!)>K%|HVcm2GnwsG*ualf^n{xGGZ29(hr%2N-MMlS=1cNIhg;W(@_pd
znTT5uW*nETe5tf)inltO^S!6Lu|Tf<`{HT}l<v$eX33<8*t9v)el@xAdyRadWsby@
zI}GPW#K-m(!BrnK5*-g~_AJO3QLn>hi3>a31sy2tDC7il-O-lE*9#1BIv^_hFkL%C
zVPndux=VrT(*a^xl^6jx%xjy3-~n~mOlyISz7&!t3fVJ`1K}~!fm$o2NxOPJ%-I^?
zzd_$vcmsC*(-#Vd=MEfT&ju7j*N?g>QtBNPV&Q!L%ZFi9d5mf$UiRKgTq86}AXQ!|
zk?UDYLqFN(vS4pQ70sTyKIxqHY+DwIjSUt;y;<Q+i{Pe2#FxUE+*o&2Nn<U>K1h0&
zFe~l0rHqnMe}|3$y1Jj-+{Fz8R{O|tWFJG5WRgKxNFpE>GjXZf4+)DjFk4mbmG{#7
zc9F#(hc$^0TTV+x4#D8UJv9_AMfQKyvN$pWU;e~o8vv?DU)6CudJMrEaVsPHIVpy6
z?229>)*mZA$b|YE=88rJOKB`X1#eqSh^UD%W1pt;6D?sAHXxAXiT*YyHuc3A6Lkzx
z1U9TBwEgl?o@f&*ds=m{wI7M3F_HW?qO|9ut-`e-lp4V>RrSVdkbj<CgnRG60I1U5
zK1yh`zMGs0_L>78Uzm}~){s)v#?q0cffUz~&cibcFKru_(v5I40?I-M{V<|lzS`Pc
zk<4A+Z@S(djBI{=dyjJe4x;Sx4m$8RYQfIghz26@`}gggy32t@eaOvE;QW{aw<tVo
zqA?rKPO};iR_`MZ!sg#d|A)FkA&N|B47;N4zi@+>zNM7u?Wb|{Z(xt@ha0QzL2_qy
zMb#E6sc`hDRMay)^e3pvn}c>Wb}`VP+MZ>Ol8x9=KqP;5`BhWTJSM>n0IWt~;1_pU
zKw0CJ)kD%NcIvijn1murg3Y4UTxi0Z48VpSbr$hx;>XPU8W!L`W;AF?yz(#+l)O;~
zsuT|i25;Esh^iWWiB=J2AHbHt<C<wn0!>f@lDB}sm(tKpBUD|;*Bz2U?qg$Q9zguO
zkuoEj(+zb|VH$?ErvV2kJx8HycDiZg)q&GE!a{j!F78iBiG3>^WKU-eYPrE=NPxO`
zWeSP6^~v+232jsvT2csVCCGJtCVJ}^si=q@LDh&dSB`+$h<1hq^D&;^9c6gYU>}>I
zArO=zvo3CElSKyQ0;_MXhJX=dOYz*0t&zo_d6LX~^xq3@lIxxgK)@L!>&Af;g~%vG
zXv7+!%0WI#eoW7z@Hbo+Kj*rriV#;bns6|ABFJQ+#t0u|PVwJzAF9HOnqaIYjI}j4
zkQA`o8N=wYXB|6CH1UKRc$qIhD=|50N9|Cv#T2X6aH_9S#Hy|i2FPxZ9q5Z<q^|ma
z0=o*P=EfTVF78|+Q$nUdjxwWwQc<khqK(_3wpUwlJ|Wc__L(;Ni*DGf`b$dXlJf35
zFHQmrM*+i|OCB}7sxPJp8A&x!QXGc)aqM+<<}zjF4K3@$m+W-b5KV?Qpj}$8b~qsG
zlzgf}csd=C8<Ho7rkE@DX`evfh?kPwl0!OsL%1My$=GHf!_BT(h{upZrA^4XY}eZ0
zBmv(D%;VG2F{XK!{?2$*XdTy(tt4L^22nDciU_mb35bt85xyA&R>Ak0fNDh8fb<mq
z(HkF*1T~N@_rec4F_WTD5_k&(-OLl>$TlOpBwe$35;)N(E7~B+5<bg^Y?G)TwE(<8
zEr(o}77E@MMzR9Kfp7S`-diU*n8gXBX?$>jhXqk=_8>(8QXLUU3Ux;9KrH9`d_n|p
zYQE-LvCPJ(2fG~(-*jv{ado-bewPC$DhC=*Xb#C(1;>#<gs|eW+d!Tv;qCB#JzGeq
z5b|O}JAqEX5i2$E=8C5u3vMHBmjy{;Q=xj@#g3hr2nI1vhy<HnLlf*6iXia9cpq<x
zN#4zUSjjog(i(%ULt|;8oQ6At=?PN`BStJ{r(yaH+rkJ*e~5VUEMq=7HG>1Ewju_d
zp_HzB$^mq0zF#FECm`MqOd`=>W^TBF>gi;l+7N?n^!Lk@{kW{aBf5Y)UjAVC-tzX)
zBTSezAdF3}BSSg!h#v`aqF0$=-Gx^2MKD+}yrP@8yp{xEMQIH22-|e}gW08^a`-UQ
z>k9E*8gGr!ws9-(jtNIx?duHvdWw}QFyUHkeS<tB8Q{e<7<e8afl)!Cp|BL&wJnEU
z!=d6^FbmUa!_EgL2-@N7T>9ig{_MU|fxws)d3~L5K28W{qY5figYU){O^)Q+#=2-H
zkh?rH3(Fw~i$R7@U$SsO1tx)pjSo;DJ&+fB;%K7x7>BmSFJV%x5ew3tScST=>jY;i
zUnZ-HdIFH6D8YKUMUp@kGY(4Ou9Ei^n?stQ%3ZETo0I}M(C&BE$kr(TSfYxc)S##X
zwD1gAiN6?8g;AdA6)!>3z@P>y-<y_0jlw#5gJi1LFu>E$fj;FFP8mT*1oLgsOM%K@
z$yGud0GgZRrp2*w5*eB-OIUWG@yr)#bczULjt0p#pDBX`VW@arl?I{M!Sv9O00GG|
z1FFnZ01_h!-lpOqfT%8AR9=#st6Q;@1QcVfP2OCwwHE{O`gR$3qR<SxqF$I=mVb-4
z2STJ9q*og{y$*)uVP4q{4yrcB9%$$|3dKC6p6vGh=+5-(Z?mFY>qA2M3S|&!*_OIj
zPI7g0VkhtsDtP6{&BTds&ln<P<jWCzes3w%NQ%SQK`9CEI>{*}5?Id&fkW15ArO5$
z*GB^egs{_tzU1yD?*w6)Ch!eG8g=Yy8&>^NIM{^Rv?;1WC}2PcBfz;amJ77mAlp?@
zRdhQ*qqB;iDR@l{4O{t=p}h~>IF6(zBlM6`e;mf(Y;TSccM$Cp98v-P86QeWZmmH*
zJ!zs^(slP>0*S+2Vz7_Jj|_S$6%K@Sp<I?3U^0jU8CMCQ-3)p;>}imA$bkkMCj&iF
z1s!o<^-U}vxJVes5o{DB;Hb3Ofn-=iHEYrEj8+B_<$A3RFM{jnUE<l*HD(%h&|He@
z!4ki?PGKN#&fzhMZvlr2PL7TTQeZe~RGy?Z;c9CPUzIkaMMNP|FcTmCP({2rUmi7a
z(PSYK4q9rrjf+DpfmFK1w7>MeH;gnv)dpn6R!p?-l6%@rq+AEY9TfG(*ivH*##tP*
zfM>Dng<wWf0wM;q4ztqNiX;W$7&(X@xXZ14thX#}b#Vg~q}TE>1viEwN_sfylTh~I
zp=QgL3f)Il?D?}}ZFtJpt<jL1H*8a){b8J70=NCOmxmLzo5m*`%1;T<2*ofMF5ZX_
z;0q$IEtUaM@csS98@<1tefci?My*RrZx+{!U19%^2r&tF1a=4UyRU{2Qxb4{I#(G?
zS#Hkmf_!H#p_0|QQJ=;@*HZx|R602U)+zI&RaK9mrx5n!fk{fnAc!R6eps@6LUZvB
zYU63gT?y%iSUG6BxnfT#Fa3HNcP86QXxHqyCR;F-(+-bBI{R?X5Q&~DZL7jgPXaiB
z^+(>diQPQn_=XtBaxG9(zmSqwwq2E9T!JPnx5H`g<pn$t^#U#^EWu&Sv0&$Yv^9$q
iXt_Z$tsCpcN#Jg!LF+iI#`||ih0gpG5w}*1gp)uVV=3DJ

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.otf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.otf
new file mode 100644
index 0000000000000000000000000000000000000000..98dbee74d5d159649e4de157068c482dbefb60f8
GIT binary patch
literal 235128
zcmdSCcVHFO);_$aWKMeTWzM7#(oRlGLco@G07ZfXq*&mP1c;=OLQ@obZ(y(3d&7c?
z1sgV0u!9Xnz;^Au!0%am%{dA8zW4pU@Auz_KJ%=Z*|YcBYwf;ga$2TMYZ38cmC(f8
zhWgg#4)d5Ng|;$N2oY!u1gtMh2mC@bbqQtLCrzyr$G^QXvK05{3XzpLzNtBI@>gf9
z5b6Op3!yzbeo9O0W5>V0QK%<8FBCCteCzavQ~$iMT&RaE6yku{Ev;4FISJeD7ebkW
z_~*8D2m8)D;G1e8;=U20=GcWD!S<-FD~50n=b~mIE<~RcHyz=Na9*^qdvMtWZLh@%
z)tn@RIkP*stj}>7MWsx@!RQHgcWm0Tkm3ho59sS17~J=$@Irrt7Z!99LX9xvjDM|}
zlW@Q<Lesv$74c?t=BFXvTf6u9$ZqWigw=#fSMd+eY47j-PKd}WaKARPTgJrq<k4}N
z5K{ylg{D@hPlyO4bdEX`=Z7&X#|p1fimNdWP17}1)#nQJHzYth$$#}t4K2bF*1mn}
zxBCoAQAvWz*V9eqd-W2K1)X3A<&p4HeRLC`V}j_jWmV|nBwN-*p*Yo+b&)D=wdDvg
zMm%oIhDa7a+Ok8;Rdid96xm9<Ek}u1<wRSK5n0MPwj8Hiq}*i7@giIEu?(eRwZm;$
z5z*Q#TUJGk)@I8Z<Q`krMU=K2`BU^L<YtF<iY+U`)aTi<DkAk&wycSOewHokVzmCc
zEk}qx{a0HyL{Y?iTXu+z5$D))r0^Su+H#c0G)}bT7~wT8v*kF=GG4Ofc;S!wf@S0@
zGdkCn6_Fb4w`EnNM^CV24f3(Jtc&F6!N%Uc<^7!t77kiox5r&UN3T5kt@`%fc^y{k
z@`1sQ?g49JPg`$)UvGbKu%q1?y>M`_Z){c7(xppXK?>$->+P;8t+1AM4lcB&b_{g%
zFF~+CZ_l7L8D-ykyR~<yzpdjP7qitG>>048^!GOOcC~w5Zm)YB6|!-Bmu})-CEdjJ
zmWJkkd&;6aM|SiNboTaG{P>hs62>j;9c=6ESz>uyZr7Naaoxd19le9|U0t2?ysm0j
zjnD6{`Oh@$*gFTTpf%VZZ13m}_Ajz}=l^dO=<Klu7j{_FdpgM;t%EQN9`9+d>g~6B
zai`yE>mBMD?C<OtaQ$~fP6-ZmSxqi$0)qaJCLLVf*D-A&G?S)m?VUfkG}zx^;X+qu
zTSw0T(jMw*M{1-@>%>V`OJ7G12cE<MDy)#9JT8yRl9AcZQZ&IO!OpJWysi#*UC;{D
zA7KRt$6B^J18x1CeS-t8fzB>hZ~ua-mcS%ClK;@Cy>kHhoi{`VfnS0>*4y>1*2LC#
zEHvK}TPv&?6Q@mRnLf>$Q9pHR{p4vAn_I1xsa9jl<fe(!Cbmq*S-`5FJj*(4;^d|Z
zs{=&|8S7Zq*WWQPV8O1P-F;o19qlfwwWH&|XV{vLpk$7LzK*ue`JHW6SFmTnP;fy<
zh1J*5-`zPt#YQ>{M(pl{>*V=@-X$IVJ)J!ZtmP=H*3du)6@kJ3Fuv=*Tc))uIIs}8
zU(wOu+lrDT>s42M*B~NB0kML^;)2$W{?7RbJ5e->UbK(PMZf423&cV(h}P6A+`<D?
zgk|pt*^jIBq8-o86CIFS@$>+m>k!>wOH33!q78TZ5icEs@?JacjF#~a;`&%oh5wey
z|6B+Wip?dT?8d!Pnc`AtHHfDyF%|I-0R3VKjucw}vG+)QCnJV#T(zuBXwxf(5UNdd
zSXsg~@*K~!B4m%$atgxqiUyzyv3U{FE%QANd27P;7BOzWXG2f&bCuyIIeZJwoA(R<
zpJ`d)XO5Kl7(m`A2W0Qz)Tbbp(3Nq>c`tHE*6cyPEqH}Oy3j|}K)-I}W)b3|F!OP>
z3o*`<u~p-&M)-sup=<Wj>%Zk=gx!!%r?gQJ(xCKUJ5r(4`jMW6^ycIEe^&-NWsb?G
zRCcE0j6BR9ZH2_8g~}0msvRYP$`GZ=&yY;^7{XoBtrO1<Ah-WF+Dt(jL$I0!kGpW3
zV8=?e;Qw7I9Yophg9g)(AGX<WsU(ZeM?6cV-6*#lg1m&%3H_-&Q%R=0kcBC4A<ML)
z9!<h|i;SO2$#Be*_KSgP>A#mKDklVMgl7Av8`36-auq~;T{zCek@Os{byNZZu<a3G
z^2}K9{?-{lUdRi5xJ!PZQr!h6uPuQ0TJZd&f74_*C;!bx?TCfi6pDEs>=P;>TwkbU
zP+hN=b!DPxMNOyLMdvt^EyoN<)8Nq-l(A{JI|Fy8;=g(^8RrvaZ6)hY#l1%GWRwAV
zVxp9(4wB|n$|s9i;KOi-!jQE)pw)0`>=4V4`+i&<z<*Ry$&a0=FMY5CmCtsW|5iw3
z-T&_%wor~Z*3h#9vQ)Go_W3{?VkQ6ez~V#T1xSbVq>|YWJ;;`!)@Hb7(KDna<%N99
ztr6W{fYhj!?MIAMUl-uoa$KW!l}am>+fXY&8vQ?&eAoX~nQ4`I8o;w$OIApYdf{Jg
zlZN}NE_kU6S6O3jL8!d`PgfV<c?w6C<9H`xT#b1N#-&1~`IIh1;&vW=!-^Pr%j=qm
zme&pCcZ7)&zu6%|^9)@4U;iok3jHMgY2#MoY5gGmME!F83jGG-ZGDM;jy|Mcs~@Z%
zqSxyUdZXT?H|qg?ygor+sxLFP8{3Qz^b_<aG3(NxTZAx#LqtM@Xb~e~MI2_S2_jJ>
zVXl&bc}$u}7a1Z`WQlB%qhG0CuU}<+qF>^O6}ci$n8FFq<%<H$eu_k~7$r*3E0>Bg
zQI5P;qMTNt$MB#Jp}wP9zgoXezsC3!IU6euL@RKVxLm9iZ-_s{@8VDKxA;r!Q&N;X
zC08*OOF2LpryQsptQ@7xQ-VsH(xJ2~tCfqDHOi&>jmFK!UB+$t&H5Vs7UgXHQT-A9
zF-M#u-PnQl;U432<74AP<0IpCW0$ep_}chJ?KSoo#~O3hBb9iiUtg&oZ|pR_Fzz-!
zGrrW%($ChHJ1#)qRwu3(_bLPWdHVVKDf+4UD*a^RJ%^^;C%!bEFz(dP(9d*S;<!}5
zNnfp>rk`$XMBjO|s1?VG*<yt_UaUmPzE)g^99|<fi`T@f%6Lb-Bh8WF$aLg5vK+aN
zY)76WLFn<1z|}iY7#v~;taON&D^3(oi>=}l@q==rvP!uS`Mg27UwKyfP}!;MQNC7w
zQT|Z=QFGK<wNX7nov9wJE>w?Gd(<WB@#=}{Y3geAQuRvpTJ?JMM)iL6LG>~93H539
z8FjO|RsC4qsl{puT8d_AWm<*i(frzhT7%ZC1+^h<g?6HLj&`1Qk#>W2mv+DQtoFLL
zReMK!Pur$_pnar$syp;pJwZ>`v-K*yMjxxs(2v&V=xr!#Yv9$J^t<#2_4WD&{aJmh
zzD?h$f2n_`|CHC5H!<(<yeWB8^JeB9m3K|v+Pn>>!%Q$U%zU%hEH}rQ6U|n$&FnQ#
zH!n0VH?K4Qa4OCyXOc6`ndQuL<~vKB9%r4i-r4M&=setcgmZ>-mh&j*G0vc~)49@l
zvhz&m#m>u}H#l!|KIDAf`Ihqo=O@nZoIgAFS`I7S%C=0az#3(_EuU3wjkON8nyiV|
zVr#i|l6AIqfpv*>gLSiYn{|hEw{@?z&U)B-+<G!UB|jtI$}h+tmG8=*nm;@L*!;8e
z*A%D)MnOVBazR=_c7a(?UNE6xZb3((vv_UsgT?EMpDcc+cvJB!#hXVZjXJI*rDST!
z9#^qz++X_Mef##IG+3wy^=L!ZijCq;c>G7{;nm7o<vw`$HRUs9xAK+pv+}$0x0)$E
zJVl+V&Qgzshr85Xb(y+SU8SC-UZP&1UIP!`01vNI*Q*=Ur{LjD>K65Vb%!S4;Uq0n
zD};w#@Nk{&;X&!))8OF?w2QTyw7azjwCA)f`*~RCk$Rk-sAuRox?8W+$LTZmWAu4?
zzkZQ^nZ8!PQ@<B=>~Vdg{)Yax{+Yg8|5pDI9v%-5x4^?khCOVUv1YnynMG!q=`{~B
zr<ya(E_0Q6fw>wUUh5Q2)fw$fc4j)WotCq}S?2UQ$2uFF6P$-Sr#PqD9-iZz=RD52
z%6W?OEaz(H70w%-w>uwkZgRfs{K&b(`J?k!csSY0v~n#A9<H*y@Nk`V06aY2>azx|
zmDVcjeA~mf!ozpL!w*;wS&vE&r-wZ}CBHTQD0uiH+rvrla8}sE?S;AU@Veqhik~Rn
z2oJvu4=36l-t8)Ijr~j59)^=g{@Zu)zWMg~K_jn|yzlhAu{d_`>&3AL|Mddh`?~gZ
z?!yWmt{t@R80}4x^uzT@+S~dBZ4;g0yb5p;^h&*4FVPG20^PCi=Y2oz+atu@Ex^4T
z64D)eZ{2tHzO(k7x$lg9r|!FZ-#z>8+qZ1rihU>STet6_eUI#0zwfb7*#E{~juGNZ
ztW17c3sisc=@&b`*!JJT()G_q39%EJ;JAC|@jF-U{E%e&w{zRh&Yg>PZr%CT&fv~@
zJA?MsCwD%LdmDiDd}a8!=d6(Yd8-h+-`u_R^TWZ*=;|)Cp1U5}^}z1P-Lbo)cSr4x
z#GRPk>TWcsyY}wdj`*(HdHJsAcWuP^;$8i_4&629^Upuu`T0jee11Ey>GLN(zv}Z<
zpD+9LqEA~tZT__J(}O=f@Kad!)2TbY+i}Gw-+prQhp)VQ(Yw>64hmZ8y{d^8_cHZu
z^;a!X!)hnI5J0bbDELr)p?;j+rT6H4s4s)^-V%9~GD)F-`Z9e5%jm0RUhK1e^x~%>
zuB(7+LZL^pei`np1#Z;Wp&o`UJ2K3_%lhm37X4lQL)6x9P+x!7|J47E5D|Jrd_-bI
zdPF9MDuiqXKTX#o%m^!@AfhN@RK%Ew$q`c`=0|izEQx@=5v#BS>^8z>+GsMS8gq@F
ze^1%yGWxLMhkwRe04v4DM&o_sXY_`d=mp0*5QAfqW13^8<7i07Qb_P@k{$DK1V;XI
z%;YnN^avm6ievJ~P&jX5?0+?M=75Ly|L3qAqjBZ`*W)S21sKg>G-TXj+>Vy|W=FdI
zh;gibma$VmSAW!zfw9uZ#%QC|5oheuZ_!sfa*YyWu70-hjPb1ToW2s{o?47!>g1?w
z62@h-F)}+EW18jmnC2&p)2@-@n(M_{<6Uu&cvX&W-Vl4l&&t^tz5Rjl+g}*L?ZfCQ
z1>?6oIf5I9F&vHH9>W+eh*4Y{MsOX*drCh>ajR(@r`)4Fj<MA^@sBt_>=lP8abl{H
zDq58^F<r?J)0A{^q>?FSDLG<}k}u{e1tO>visO_Dag5>=-Aa|{QQV?e@rXXfD~6OB
zu}m2&PEZaKCn|@C)0BWXRcR6@DdWX&%9G-BWr8?EnW#(>XDf$`bCoIL9A&aNPiYYs
zDbvIy%1m*Ea<sTinXSwfzbYHV4a$6Rm(nM0R2I;vP&}d>FCJ4)5bKqd;z{Kc@sx6^
z*r=Q?o>op1o0N0K3s|pzMY%}4u3RFvD3^(?%H`rs<qGkZa;5k{xj}rc+$p|L?iF8(
zZ<U9{_t;_hPI=h48*`2OltJ;Ka-%p14cIEBUfiTC6mKh6iFcH%#k<Ni;yvYB@xF4M
zn5-m<#fncntgH}Sic4Io%o2wy3E~;$4Dq6Jp7NBkN!g6?#Oul%$`)m-@}}~Z^0xAh
z@}8<FFDmaU+l<qU^Nfp)H4cY8BF)3-G~2ksxY9VoINw<9a5@Sc#f}n3siWLc>F_vw
zj%r7(qs}qTafqYA(d1}xOmQ6Hn2MTvB<k)g?KrJVouSRgcyyLJTRlddqn@r#!T5Bl
z+Nw@dr>jS*M`09m0>&>Vswb&usB_hzI!|p=+tm(rzPbQo*iMXb7Gadrjj?R6+J~{u
zVzpl#PzTi^jBS@<+;ggWvU-Yon)bAwrES!+wP*Ak?O8ondrr^Op4Uz7MLl18NiWb|
z)r+;)_0ifJda1TWFVnW_<=UHih4z+SiC)x&@y@##zk0Q8x=-7#`?U}BYVAY4M*B#w
z)jrn8XrJhH+75jz#=GN;6O0p$lZ?}iGmUeM3ycfJ6eU^AP_o2KC0i^~Dn-BI7fX~{
zu~exOXDWw^vy{Wc`N|RE0%fYWP-ztxE7Qel<w&tcnIW!JjuBU3Z|Z7gj<{P{EFQ%k
z&*RETVuP|uJfWN{o>k5i&nah#mz49x%gP1fGv#)%Q@KOzQtlF8VVCU(Wj#iWk1Au7
z3&p{TA`VehQLkvC0eeV|N`z=q4AHDOL_moY<CQ2eL5UU<l^AiT5-a8@MWRh97VXL?
z(V>)x`O0Xq0DEK$l`_$(l#7#<262kgC~j6d#VyKl;#OsmxJ~I2w=3P^4y8xjsq~8b
zl_BwfvP7&?mWl_JW#S=ax!8t1v+c@S@e%f=K2~lPpD4G89m=iZQ{^_XTe(|&tvn#U
zQPzonDG#b&tKX>qQomKdQ@>Zw#3=S$^*r@_^#b)m^&<6W^%sm=6;0J>$1Xy>T8?km
zVuX96dXsvy=FlRw7|dPbw0Mke6V+SPTh%+%JJq|?yVZNtd$kNLQ+*oq8Lw8Y)o8Wa
z7>s(ys?Vy=VO0F0`jYyx`ilCh`lb4n`YUz<_p1A}C@osc(y}p1F4BCOUwut|U3~*1
z=&kCT>RamD+C=S8^<DKnjHtJ%+tm-$57m#f>DrO%C+ZIMQ}r`-r~0|NOWm#hp#G>G
ztR0{oqW+|fS1-o=>ul^oZq|CW9<2`}?v>hM+5~NqW@xRLnO%mN*>&nW+Mu>XTZU13
zvX-i)VLq0w-iNXLZR+iqhb`5XW8_|mv3r%~#7wPRbE_LMzTbeE++*7D+6h{}Hba}H
z&D6$eb1=huNPS*?LH$@8&=zBqPIK0a^;>n!Sur=I+3V>TE8L{7ajZ5r>bGHzb}2^k
zw__xKhcU`H6}`B}ILlaP+-W>+tT!Ij57gHin~kl;o0u=ZgTDF;;}-|EP-(uaYO3y7
zgY^OYE5;~={%KAeEE{OHunr(0$2SF#0sSO!Aw$PV532+c#;xFDhC$acZY1b5t|(#X
zG<u-E8T+~V<=`@gegn9iVZ05lVCXdBs$}TrfT^zsblU00xS60|3w8r_kPilr1;#;M
z3O;~gYzH66Fle+(IswK9V0s47PXHgnz*>sH+)kj^#L^CM6hprfjIj+tzaD%HgGPAh
zTP2K7z;hV-CE&RXtgi^n76tlWft414l?4g?YA~e@=+}W)GUSNyM96^gDR?adYZ^k3
zy#Sr!xRGJp1-^-4+y=gxVcY_?VPKq$eQXJREttXqI)$ZsfFm7z2Sa}Zd?&-8{81VJ
z_K$_Qn_=t(-^0+)1>eii9|hmXaAbfnUL+Wl)&mUVWAHlQL0lgVeu&|S13%0#c7aI`
zK&O1rtOC$igDDNbLH2x%VNh9noMFrbZ(!(WgP#DNLR!y&pJrgJB*aGGd7uV(!N!5$
zO*SThU$k)q_$A;KfXc_KHpo7kf!BfMz#BFw{w+3s0&lf(IrvTBUEmtvJqE^NLcDK-
z>`LYJ1Ax-`&<4f*k&QiIvLoSVfXW|$F&y3o06qtP2gr_ueZX#p5)Y>50VM_e1@IMQ
zvgg+f#R7i=e2eSjz~3>HgTdc36tevf4CN^BkHD`89|Zr#Ferbd2cYzW{{a4id@=ZM
zhH@$RABIAC-^)<QpQJZ{v87NT5~!Y|@06hD(1%J;y+>avL2;l@mB1RkK;Ozh8ABf{
zfi-@CzLt>+j$~jZSfKA^q=BOu*f9|3iy0Z<SO#_n1jf6JbTI5IZG0p+!A2%Hk%4^!
zp(NSJ0Vgx4{UCox<bz2kfZ7s_qZtKYN&}#F1!HSQA(+wt#Bty(8x`Pe2DMule>0q5
z_*?qC8=PmO3T!g4!Y?p3XSl%@11tVQA^iv*fOG<|uOKj{XL!Ly4D1XDj9VBr;86_h
zj|hxo7-PX`3kcLEVqC*G2wcXXHWA|-#vx$J8z4>tSK0`GT@1X(BQUREG=V7(0N(Xs
zy-D}+0O<-)nZ<~l@g&&K5T}EyZA<`D9sqF$xYou*@E9ADz;z6P`iOZ9<8UyQT|k@*
zrt(Ud0vyN?=YT2Cgvr3c3~?U#5F0JvdWN_N++c&sVIxCa0;W6@W&+I&aRr!cL^v9t
z`~%`LFy)Of8=(9U<^qQ@WZkB^MA!gOJ^|{JFbiYM2b10a^%<CvG5WxiPk{O^jIS9B
zz*8C2hhV(T7ywg#0O|uU24@@(K9WIgKgQ$?Dl?Q%fcgo{rWh;1lpjElPmi*33YhW_
zP~U)YJ%h^3u?(>hJjVu=fw>IoL#U0Dpt3iQLH&l(W`q3O&Y-?U>99fmB^v?Mmta21
zAU`f-P+x*EJcImr9E183jOiKVuPz4lEg0i7E(iB8sGq@@pFw`_V~DrFi)~y9?q^Vc
zgSjz-d^*UWz6A3I#+~3L4C*&9k6@7RmN76Z7MNE^$o^vmWWqxL`46Bz1oLkO`Ir0z
zP(On?72{#>DjP}Q3mM`U@M;F;+(KEy!0cNnYZ){K!91No*XbOfzLef}l%R6>EJMXD
z<uwM45f$<Qfv&&75UarC142DOb_ZzurI4)&<U_JAAl?Rta24ct7=rj+8&`whW6+pD
zdEdr0;B5>VBPiQ#Tni>Y0W@AvC_jYjfX^7%j~2>K8;RiE3_(8MW5Wmjia}#8<!c+{
zr=J;u$`{$1-~xVUh)cnL*q8<Wn<1zT_{T;9hR~S|@eDYNfz=J6W;1APrRFe{^T4$X
z<q2>j1H0`)ox)I_0w2LpHi4%CGm#$ZqY6FLqanWpJ{F*QwHXY55Xi<V>Jfo#tRin}
z4`kR??FFbze+*s*91j^bQ&Aq(6CuM+Dtxb=2KgKCSpb#4AHbIYWDnRty}||xjd~?R
zp*&v0AfK!7AAx+UUe8cI0^a~odE5)WpJAK=UdJ$yw)!B$AX}|x7#D*dWf*I~k1-q$
z@CE?3bVP!m0$?XcG?@GW7|>fKJHk$mcrePfx)s+i1CxyaM<$qb1svonvKQdU0)N18
z<bgkAIMTqBAHYF=CYu7r72q8V<4W+S4C4$i$}Pb-AB=KKFkoK|MV#Ppf)$3N0IV_`
z#b5*=I7+}e!%+&3U^vRb2E$PahFu5_4;XeKI8Ya~D2AgN3>y&~D34kU!%+v0WjMxx
zQN9VZ`mH4~9EX6D8IA^U3WHX%HP}(J5Iz7d1V%wd+15yJfY!ma(G16tV9G-ouFnKl
zFlbF(Lp{`>yW=RZpW&DTCjAb?^|@e58*p@hn;DJ;;2^`X5IhJB0VJ=m(G5P)20e>1
zCvhD3bQ@h@_>7>=0H0}NKKLx)99$=z&tp)X)GlDC$AB+nsHF2n43*-(7`Oq?9t^$-
zxC1iky>=%<rTpH-p!%)d4cvz?CxB632rB9I0PqZCvct0ss?*wYz{|M482k!DT?KxX
zp`Hrf47`RgCxc&SP@UJd09$c=Irtq0wGkTH6bVXen~fm&0~_<es0R{l;7@I|V;(C2
z2hNcXJran8{4h8UK)KRTZ}mhV9Wv~yX8@>AWG6ibsDgYs*bUS`{tR3TjD`F)cpNYT
z@(*D6Lx&$IUL8KrVS9=f?}<xjPlKVKL>9Q8p=|^Y*g)E}A4VYi(proJ>2eW+?5&f2
zgj@i1m_WAI(KbosfiGid&x0us1QWP|p}h#c(ndb`Du(tF_-Y#k;I$0$A+04z6oYSM
zkPr2nY>Wn@ED^Lfz$i-+sAu}U4Dz#npN%r`{S5NG{(y~g@Hz(V?CKBNr~p60(B1;C
zw}CcCf1IJc4c=hG1t$B#mQ<#6vK;|_)k!~s7a*MgDqlM3LGS?-7ocqi)AIyB@GgVO
zp#GkXYVi9E?L#odMW_KjV^A5@ciN~0?`CKpgZJ1N1O9@ceFFZ{MjiNDhPDIzosF^J
z9~o5k^`C5v6C$sXVH^)0&oE8^PXH#O{YN{LcR0g18Qj7!&{pJ4VHjtEr!tJQ!ACNT
zbHFnIlzZa>@KFroBJec~V<i~nhhVG%Z(tag2w@rwfpkm<gXZWa>L>y43<?wVltA-r
zGoB%ko|(X)Ik%b45R1SW44S8!7DM!d^BFYPG>aH`$4;0i#{`;Rnkb6|yniW7ls^K^
zFHJ8)zz!zL1cByiCdCDav%v5@f#z%`{7n$&gDGBs=3(X-hJdY1iWi_cnF;?9#D!q^
zj6m}<^B{(}7<@2;=4a+146zzq&!D-Q*}xEM!0<bP=51yZLtF`NX3#v$3^2r1V3Z94
z&B;uZ4T88Dj50!?`I$+&0<<=1l74`)7)<^EXsytk#h|%`Ih#T2h2~KV?BNLWXolDT
zCOrUU6`0ZnXdTg{^Z*5A(wxf>sJCX2p^z`;F~oD=HU{>DgxSTQbwsn9fqf!j_AtcD
z;9iD8zM!-L@fn!X1F)YY%u^U*C-_tb_Lziu8iUsR%+ndzcM>MW1<)FwNxlSV{$rA#
z0PzEud;?&AN|;m!0P!REQieh{yo{lY0bkBgD8B0$w3ceFWzgEXc>{yi>dYG%;t=pn
z3|hA{Z)S*k@GT5l!!vJXhz9U&3|h}KDgOZ8%@ro)8KAX2^G*id#1$sx8K8AOlgb1j
zn!)!lXwA>Omm#RE-N&HyKa=bN2$VVV0S2uFn(G*10{B6O5)FQcAtr(!X3!d;`3OT$
zeI%O#v|ebE9RV>9{1}7Q$xJGXfM^3#`2%Rp%%n00h<5Ok3|c=kpJL!$Rbf8OptUq}
zBSXvwKf|CkHS<}9SO9*GL2GR0^9->N`~rj4+ssW2(FuN$L2Ga3OAK)`_+<vIKbfyE
z#3|rc84CGmGlTXe%-0ySwqd@`pgjun4F;`qm|GaMUtw-#(3*$&CWH1Z%(ob{{$ak&
zpgj!p9R{t1nC~)ZPs4nVLF*#s`wZIOFt;&ijl|r}puGz70|u>mm>)7|@520uLF*sp
z#|+xXFh60?T8O!WL3<nKrwnBo_%jCWb(lLD%5w1M3|j9ucQKUf!MhoP^xDHv)`Gua
z2-4+C2KH@*`4xlq1I(`(*vl2>Hw@YvF#pBC{;n{;WeC#uI|lZAh50>0knYqj0N4i>
zCbb0s?ID;yF|ao*%%2&wZ(#nyz<#kXe`U}fg83T*d&t84ogqk<KNt#Z<wVp@1!HXF
z)u{pw$cWP!2}D6Y6C4dBKt30o2qZy9`p#q^4Km_(W&&A|*MPHuJjj=WEg&EA-{1nE
z1Y;*kb2Lzj>sN!zfGWtaztatP5C(cUy+AGG81NXN4q;$J=UCui$S7mZLx6gO$pAM1
z&5(1z6M%^b1DiMx1rCS&Fn9`Z1j0Zk=Tu+@<YMqFhWa@8D2DnZ_!tJw<DGLDG@p0Q
z1%h}Mx;p0p3m{j67XqC~>sjz|0LnPc^__jdV#r^D`+)(-@Rf5A7=pYPjPmVVig=>H
z%YfyOVN>S{;CRS|;1htAkbU4)z{!vg1fK%HR~l^LJPWuGalQt=2)G#6VGHMK;Bv^Y
zh4Tsk_Ez5ouLW+v_37Xnf!iRHJ#Gi?Lzqv%_X7_={sFv>p&bmSG6ZM`fKkT?8u{cA
zhWZnDJwqE0eiV2N@jxdh*?I%yv%ya=XidaPb_X=r&PjF$G_)a3vOA!WEjKbWvduFL
z4R&#o-2v?|@N*1}%EI#uZ4#LL0nqw{^F@Z%3VsQA8Twobeg$|H^0i>n2~ghwlT87d
z$2-xM5;XGL8w`#7wguRV>q+1@fwv&1g2~nZtxq`LV`%B%_knGQAGUUG2R?udA2>f^
z(0YOMV}^$E;Us?m+H&v?U?=1XFxoWdF33*sZiZG4-owz`;4gqL5kJ}QE8uI$@PYFi
z2CZW`{{^6((vAmz$Iz(E{>ac~fXT0bHVynULz@Zym7$FT|HjbffPV-6Kw1xi{{;Sm
zOg{OWL2Fgce;C>TcrQa+EQIA?I4%SyGidH>r2w$2ejYfDL33aWHYMn{f-`|E$g9BF
z4E;24E|7=os5h3$&`$?jKt8Uc9#{nonm=2k7&>fjRWTf^!LTX8*a-FlKCJ)f;A(~g
zWz4Dr#v;x$z^Eq#9sacrWYB!rItVxz*DnP(F^ng`;~6^YqJ?rypt-b#`b^O80QWHr
z(vj>17^i{<0qAR#fmZ@2LMDArVi;$ER{>|^x*vQ#Z~<h}<r0Q*4fqCzaS!-rhH)?W
zRsi`hP;M>K127%{Q+@zr9r$jBK|0ejfbkfZ!r{L0AowBRVaR~>D8qOhOyR)BdhnAB
z17$TIekT|xr}^+RL5D5#GZ?f6kZ&<)4Im$WB<P4QA2uQwDEs*?hVd<U3d7h8J_4AE
zFk8W`z--9RgO37^h5Q;AHX|5sfiD8qKt^3DP#MN<u)#3C1Sc>I)U$#lhJm_QkjyaN
z0jDtx<h3A+VZ0B{W*A?9O@{F~xSV0^0i#?HjL*Px8O9E9JJ5maAL2ElTmWr@4xbdS
zWf(t!;fLY}5eD_O_z?j1GyVXh{1rnN19i1{Bk&C5f54j<#?RoF8OAT*R~QZr3_B7W
z(05cKfIJ)fz{fEhuv1A2!=Zp-Z-VhF7`7`xo@gD&1;4q_KhxTeYb-Dh@&!UbB?%Sr
z{DtTL0y|J<|3cb->1bQPdyyW&u?AZP#{rA*>;^oDd-QML!@|qb{zpaV_{vOCQvUOg
z1JLF2+{kK?8(E{|M%LmhuE;Uk-^cv5B{#DB&(kAvdpi<x7k{0!H4nR9J;}y8RVX4-
z#EUeMD+)!K@Q5*(q6M&JGff<Y$q0R@xm28pt?u(MeZN-RgqM3B#02>nY|^}jjjZk1
z1pFEk!ao$DIPhw48eR=9RLT?&UJPzfCMm7TEM=~;2rmS$R8CXQ#Yaz<D%U8t;<ez1
zlnwYW=4HIR`T;(U`BM1~pFjPr3e};;t7&SkTBw$(ZhR<npxUG!CO?&#ix)@-@hQ|P
zcn$9&^>VyycMDz-d{BK9A3<%xOMY+TRld*EFYp@TFY4cT*)SR};bmwATB+v7Yl8>j
zQ>eqVsoE@UuC@R#@D1X1yOXsuv^CmQ_$caj?LO@h?Mdx<?Nxj>^PcvxwoCg)`$_vl
z+ownCDSDP(gwHX&dL2Hy3+PkudDO9b2R;ZGz-M}^^fUDf@ao+)copwX{Q-Qc_O!l9
ze+?hee1OkrzSO_hf7AEkmHdQ=v<PQJaYRLgFQP8u;D|uPq=+LUj)`cGSQOD8u{>f`
z#F-HnL|htiO~g$R_eMMv@l?bM5wAwP8SzoX7ZKk@{2K9(p%@M$-bgcYjY6Z$@EK!`
zW@D1kYRop~<8}OgV~Md6um7HFtj5c}Yw^1HJ;p<L_3s(uCF2d_UE@=F;m`Qnp*f-*
zNq9Nf=@^9<fc^5t-|>#gj_Ho09c_-|9DR<Zj+Ktn9OpV#JFawG@3_<Pfa6ie(~eD!
z&5pMm+Z~@ezHof!_|@@uq!t+!86TMwSrAzo>5i<8JSeg`a#Cb#<jlx9k@F+FBL^do
zk32c@%*fS|S4Z9ud3WT4k&j0{6Zul)>yhtAeiFGm@?ViZNB$M1Mny#>MrA~qQN>Xe
zQNF0LQT0(1qFSPkj5;Q&J!(-@f7J4*RZ(X~T@ZC?)HP8zMco<oK-8mAPe*NvdM)bh
zs1Kq(i~2I^`>5Zd_C`lU$3~|_XGiBpkB+X2u8BS{x+(gw=&8}OqUT00i0+9ViasIw
z)aY}fFOI$<`ugZwqwk4+D0)Nmv(Ya{Z;5^{dVBOI(Vs`}iT)<~yXfDd_r=7<q{cX7
zM#uPL4vY!Jw8YGe3C0{3(;YJuvohwKnAI`Y#@rfnZ_L9nPsO|#vn6I*%x5uQ$NU`g
zPplD}5StmBA6pjdi>--0ICfI(wAi_^ow18!SHzwfdrs`?*sEgK#@-RTE_Org^Rb&_
zx5T~^yDj$P*j=&T#C{+9Q|#}tf5$0tj<~3}n7FvO)VTDxtT;0+KW=nfd7LZG6E`NV
zA#QTqk#Te47R4=%J2h@~+%<7G#N85iXWV^pkHkG5_hj6&ahu{^joTXce%$uB594;m
z?TY&%?q6}=$Nd)fXWT#WB0eHMHa;ajJ3c?YJia#m;P?sg)8gmGcf}tce|r37@pr~Q
z5dUcW)A5_)UyFY`{)70>;=hdlKK{4(y$KNsu?Z;&*$MdxqZ6tUY7!1iXi7LNVQRvx
zgt-X|5_%Gb5>7}sHQ}6uixaL$xIW?5gnJSmO4yL_Y{JV4TN2(&_&8x#!Z!&&CH$GF
zBt|ACB&H|kB^D)?Cwdd>5)VlnpEx;jdg9TEZHdPvE>2vQcv9jSiRUL?l6ZCEjfr<8
z-k-QW@u|cY5;rHlmAF0e)5I?lzf1fz@t-6;DJCg7DJ#iJDoJuBRVN*g)R=T=(h*5B
zljbDNPwGw@OgcX4l%%thE=syQ>AIv_lI~7=FzNB6XOdn@dL!xGq>qw5Px?CP$D}`!
zMY1C~J~=HpH@PsmEZLJhCi&pxK=R?q(~^%$o|oL2+?TvG`NZVYlg~?DlYCY34av7B
z-<SMI@{`HWC%>BfX7aY=9m#u=zfJxn`R^1hB|0T3B{RjDGAgAq#h)@Rr6FZv%9NBD
zDaWRCq;#bWq^w9eIpwUB3sWvjxi;nIl)F;ar976hG3CXS*Hhj}`7mW?%2z2rr2L+;
zFV#qmOHED9Ni9e%O?9W%rXG~qoH{ABHFb7sFm+*SZ|aiNm8qwto}0Ql^~%(>skf!x
zoBD9-6RFRoZcg2nx+8T@>Nlysq^W69X^CkWX=Yk+T1A>KZERY7+Jv;0v?J4wNo!AA
zl-8fNJngi!3)8MjyCv=Zv<+#S(zd33n6@YF+q7TO{!Z7@qtlbpGt=|a%hEmRW6}>!
z52UxG&rF|_K0m!XeK7s_^i$H$PQNJq^7QM{Z%My9{lWCd)1OIyDgBM~chf&g|2+Nc
z^dHmz$PgKhjQEVSjNFXEjEW3j#@LMdj0qVn88b7284ELdGnQnm%s4IM+>F&3S7xlu
zxFcg-#$y>9GhWVkGh<uEXBl5-{Fw1arpR<;#%HEw=4KXVmSy@f56EoHJT&u&%$b>U
zGUsP@XAWi_pLt5=*_jt*UY>bf<}I0bXFi<yROSnrn={|a+@85J^P9|{GXKm{vLdq*
zveL8ivWl|Gv%Fb#S%+ke&zhVyJ?rSKwyfi_7H2KXIw|Xntn;%j$+|l0#;iNC?$27E
zwK40(tk<*N$@(yBXVy1azhwQLtz}1NCuL`5JF`b+S7!UO56li^AD%re`<U$c+1=So
zvQNrBBm4a9OR}%dzA^ib?EACVXK&1YIeSa?d)Xgn@5=rr`={(bbCjIOoP?b0ocx@U
z99K?l&cQk3bB@TFozs@HC}$|=q@1&IF3h<+XKl{yIrry0p7UJJ=A5^4KF;|f=ZBm>
zbJg7F+|=B>+)=r%+%dTgxrgPp=FZLy<{p>ZpSvRW<lJ*|*W_NEdt>e$x%cO;&wVQQ
zh1|`#Z{=>!{WSNB-0yOK&HX1&&x^@R&dbWP@=EetdDVFb$WM7&<VT)!^4jti<SokU
z%^S#Dns<EONqMK{otbxT-i3K<@-EN2I`8_toAPeUyDRU$ya)5v=WWP)I`6r>&3W(S
z?acco?{`x*W6TsY&nz)L`24roY%yoy1K@6Rsd=(_u6e0>y?L{FulcC?thw2I&)i{t
zYyRfcopH_#d<<OX^f?c}N20CHIr#jy-+7YrZ08#1wfOk=0p|wi3(hy3+nhU{|8o9i
z=~j}JV-;C0>i{cYO|y=*7Fxa5GV5gPLhA~A@_Vnf!Fs`Z!`f!;wEkuNl^>Cxke`)b
zkYAo(oqs@nAb$!z`)$kb&R?2;a{f8_m*iiYe{25z`H$y6pZ|LPd-*%^zs>)xKr4tV
z$SWu*@Dz+IXf9|em{rhL&|R>k;P`@53(haNyx@j{y9ypIc)H-_g0~7jEZAM}UBMrP
zT47vaMxj;cDy%K6FFdSpdf}YHuEHgSCl#JuxTf&h!rKZTD15x|xx%f5+Y5IWeqZ=U
zky4aYlv7k(R8>@0)L3+Q(Tt*CQD@OW(aNGTi!Ls@y6EPjdx|y`y;!uRXj{>qqMwTX
zDRvYm73UNe6;~FIEp95FTs*D#=;HaseZ?z^PcJ^d_>$slif=8xUw*RuLh<I}w~Ie2
z{;YUU@i)c47XLL$85K1uVN}*A=cwXQ<)f-cHH|uQRL7|PQ74Z&chse$t{-*Bs0T+q
zIqJnxTSt8`YS*amM*UHumBf`~l;oF`msFP=Tr#nwwd9zR1tp71jxRaA<ie6GOKvK;
zr(}J}GbOK<yi@W?$(JQRmHac>F*<2<?&wjY-J{2jZW=v#^vu!oMt6-~GJ4hMb4Fh>
z`nu7#k6t(WiP4)zZyCLP^yj0$9sPT$S{hrLUTT$=mHJB$DxFX|we;xH`K5iOD@xBO
zJ->8K>6N87l-^!?U+Kf8PnNz=y1De7($7l&Rr+^XbXi(iewnN6z_P>3jx3u~wy<ol
z?Bucw%dRWCvuu6Y#<G{nwv=rz+gbKa+0SKr%OlH^%AMt|^1AZI@=4{>%8xFeU*223
ztbA4ZIpvp>Ut4}x`Qzm;l)q8_e)*2_FUo%`|Eof;h^<JkuqsL`YAXU2M^qeD(O%J2
zF<5b8#hDcsRa{YVW5wMS4_7=_@n*$G6?-avuK2T3R2r4BmC2Qvm1bp8Wm%=WvZnHY
z%7)4bm6I!{RnD%QTRFe7tFpgxS>=h9r&XR)c~RwMmDg0>Sb2Npy_FADK3=)8a#Q8z
z$~P<Dul%_3^UAL(zpwnY@^6>wigd-hQeD|D%QebX;qtl0y6RmMTrIBIt`65?*HYI?
z*Qu`aU01kna^35C$n~h}Y1ebES6o|M@3}s3edhYo^}Xvi*WRj#s@STOs_d%#s`4st
zRbAB~RpYBBS52=vx~i?}xT?if%c@SUI=|}Ds<l<OSKU|jc-6C2FIR1;dar6n)t;(v
ztA4B6>yB{8y3^db?m~AN{s!9^_rdOf`*8O(_fhV7?oM}~d#U?G_v!BQ+-uxdxo>da
z?!M3ci2F(R^X^yOZ@Ra+cewYszjgoO5uPYdq9?~w<SF;mcn<VT@U(bldxD-W&w%Fy
z&zYVzo~t~!c<%PB_dMl!*|Wv-f#);NzdS#C_IV?{3EpgPzPG~b^B&-B^iJ}&dS`os
z-i6*??-K7y?`ht1y{o-fde?ey^WN`W?|s($viEK82j0)TUwXgy{^s55i}1zzQheFI
zeBWqam9NHE@0;Lj@y+&i`j+@k_Fd$=)_1$_LEp2!*L)xP_V|AFEB-`(j=#)b?Qin8
z_>c8>`j`1n^{@6{>%ZH--oMGe)xX34wg1;@r8>4cqq?BFwAx)gwmMLKc=fdE8P)4+
zN@{BAyMt~0y*>5w`a70%4E1!nJ&jEuPjkJS$;;$ts$m+#RL|7N)GVoipKIXf8u+<}
zn)==ay*(X^5X9{X&;xEyGX-&b{XY4eyQVSNhCh1N*w)$KHq<@8t7BPXTM()>w)YMO
z+wfP~2AkwLhvqch%}vlgIM^)jG;>~>WnP-YkI4rbSmg#*xq%;VV3iwL<wjPykyUQ2
zX%4IGY4%XYp}BwjuzKTVI^##CgTMOc9Y3t4mm+q%{k3kNn{w&))cGb1M<5mRa&q4K
z3G;&e69+rH+B+t4J|^xTb7Me;Z{&<L)=vzphg2I6-7i|V$H$)Xah`nsNz%BJLb@S9
z!z9EnqYQ=Rn0;&_AKS*yw()x>%Lrs90%Il*$K$V-arikKeooduriJs+vT&$pL9l<Q
zyDK<EiMc&Z9vQxoJ<!OhG;u0TtZfs=)x>c%ky>t#pF>uATNd{A_sBS!Skoqss)++M
zb5vZoP>iQay{Cp0_B2;>eAOI#HOEoSaa1?A%HXa4X3c7f+wJwRg=#p78rHV1d0HrP
zw?|$>K#sMBW37=-dunQ?OZQG^(@dAeXL>*WRNnOev=SGWCNeH;R?Ae!)By4{H?x(R
zYo>ESm>#xEGppImN;I<)&1{~4d&YwP;F69RGM_Vs^Esovvjcx2uybIRygzIBj!bQg
z{WvEYVB-bG%$Cv29$8X7&2_e6D6HEvhRQAcN7|s+d4rt&;D{E7<F4nDQP1r`J(sI`
z$~xRgSqE{}>+L3rYeWM-*TBy;@N*5d!4dT%Ko6kBVXKZ||G8`1r1ovYS#6V^Yzt?n
zJ>*$Wvzya&2ij$e(;@HRPh3*#*&*}N5q?bS+Q2F|u*wbmc!OPu?MlEZH?qo&wH;xV
z(c-Yr1Jw(L)mtFbSuipk)P3KAVJ*EBvD;lETbzZ%PfCrvoK77(&)cvNEl#H_lAW9n
zX(YQYHnRGS4V|o%O|Ets$lG+>ev!km>?j{+$ydE-L4QX_5B_FkduLmhv~!nKvkThG
zD12NlL(g$?KDL&R&E#h@`F%Yy0{K{=t|ydT6e`Y2s10Hj{B=D+`pdxmy?qNidO2sk
z|5?MhklMYS-MHF~Qxj)G);>?OtbHKT5J|FX)xO?veQRQ+o7lxo9H5zXw~JhJL;r9V
zs%!g0SwM5d8L#FzsyUA8z<>-s@NY)0rnu3(@G~`>M2&AS6df8MS;V~_j;@BIt6`Pu
zxJcF14oRmE*-qz*NbS(je_Dy_uxyIa4sp{d+g+U54GWj5=Gq~<^oH%y%xX5XF3qe<
zGwTxYES2rdQkl=C!}(kqYKNA~`^$&#AnTrH*_wEo1Dt4pJszlAA){F_vSy$iVmH=N
zSU8T<aC>EWLvdw0RZ~;o_EuA20NEF1roGkjIj`&}a8DY~%e{xUTGlgfoh%bx=|cpO
zO`KP{5@%!{kZk<Dw&!Hm;r2?;fjC*)XEmH`4JTVeMH@jl**cD_MmoS-!wJ=qMG?fl
zXP<F;bzD-U=iS~~&SouZUCYVVa&Bum*;-DvmXodJglai|wVYlpTd<ZBs^x@aW9s&f
z;i$)O)MGg6F&y<6j%*A^Hijb`!;y_)<;QTGvX?<*tb847U1!^xqpssP*{NRHXSluf
z@}5VI;N0H2G4tol$NzIW>CiQQ&LHvNL|1U4EK^`vT)@Mn3n#KxfI}q^B3BW*78-=Q
zf@E}0V?YX?=EgB0p&r4w3fN)1jke&&tswrlQxDpy2S=ukKc9=C9|8@hZugY9CaWlz
zDybc3W3!!Zy(c92LPB*&s0|5qA)z58G=+pvMjAr#G=$=52*uNYc<k=f6$~j5z}*pj
z6HaU`hx;d)1oco9lE(6OnqE#S)K9sBUHIQN3ilE?hsEvZeQZZ`-=X~YLizC_KV1X#
z_kvx)`G}>yt8Zbjp<^&OKG@wYJ>{$OH}~PsF8B7##^vV0;IxI{iE!s(!M?uWq+s{F
z_Tb?|lZR$@wsdz=Z$71S>cZaE&IR4UX~CiC{Opv4osA1SrwnwG^L_PoGM&NRp56gF
za+dK&km(x59u`9Wv}2do?N~?3!@)Wh@WVmM%RDH%fb!Db(KQ(CU~N|5BL2r;XC4f8
zBCSP~lP;MPsb525&(N~YUd~QmXaB<90m{x`aA=4l=v&y?wy+a&Z#Pnt&v4!G$==`X
zlN}+bS}Gy+w9{tU&L1T%FOU$*ft{|rZl^a=9u5}D=*Wlvr;vONt$)BxEeS|=ECHU(
z1$cxNa8tX2d$P9)xT#&i8MP}QIl>IMW#1FvxnO_?XaOG72e?lS@boIcqn`ke;{)8A
z20R?6hvW3JE?(B9kyCHv)V+M>wa@rDul*eB;$>ZY9E*=*;TcVU2NVIGi3NB}6yWhv
zz{j!h^en&wrGV_1JpnmH!6cRA^mCj6J`3=f9EKwZYvyOo{2V9G6aqXV3GnnGz`b{X
z$0q?Ep9ExY<_YjbBf$N9Kz2@^K#iR&n;^gm$sP;$>@!Z5M<)R}J;FWPIebs{8J>Xb
zGe8`f>@#p?2Vt#wW)k3mL4fC#fjZ8#?4Lb>I)1#4Q<r@yF7o4b><-yqdIEB3!V{?H
z$9dKfsOQId@)4-#)OijPsOQJ)S$VgdSp?kFV|fCy*9GyJoBAjeMd}(s)Qy3t*9FOO
zY``stGXY*g3Gloo(7^XR9JR-enj@24xF_J@GY?1Y;ix?vwOoVn1mwg3y6`>O+2bNV
z=jG>kB_hDHgn*Zm^|DHheCA^%e6|vNv6h4IQbT|z00AE-<YOgxg(1LW{Q%D}0zB9b
z@H9WbbN>Jjy#qYv4)E$jfad`LIVeFM?2^pN^YT%E*B=5r6A19!IMB?g%R!zeAjfQY
zoV_UrGq}jH$dMn;SZg`*!x`sKj{H#A`Ha^W0zAAA$YloHV+&#oOy1=6fdCKB1GQXU
z<fsYvI6XP!!x^V1hkQ8W6y%T(MUl^VS{vXwYd{XOJON%^3-Ib%Kn}W4Em#RT=)xK2
zeGJDk#x7a5H#wvnU!fwfH+lIhz{_6&p2G)t2py1vE`;Pbc>)=b(+Mo*ahw5;la~zx
zJeLmyIJW`LrW~cAa@is6iyUV?>&esofE?GO`=O{o<ZuvGUl7$>w@*62?W=7L_Vf;R
zbaiwF!-A_V*eApA(AHO5Eqf4opnIVnDAcbY7A_OK9vI-cdVuHZfdJQVp0@<#N&+&?
zjR#Np0=$Y9;1wwRstyuIW6Z>hivgbf1b7uD(8wllXtGs>x0}Oab091Rh66MXi%r8K
zMuD7Jq&F;La2mcE65W2;f`BM(5V;0K&H#}!K;#S%IfIA?U?j}rE7Bo;*=6Fs^ow71
zk~qU4mjl&@LQ9AFWw(j@(r<nbnG<JZ9k-uXNd3HQ;g{_ZF0xLtJ;E95B-<mLu?Dj9
z#TjcLyIY)bdS0q<IOFuZoSy7%-G13XgV+YLNyZtcC!1uPaeA^z#u=yQ=8-4Psb>Ij
z!g9=kGfr5JIdEnV`$=H4$x#SyuqtvC;`a08&(D)FKNnR$PkH>Z_PPDCq7m7ag}@QY
z?hQAn*b;^Ahb%8^q1#{Ywr@b-2YI68mpvNpvqG}Jar<SX0%GUO!Ij%Di!X=`)@Tph
zac)P*<3;R0NKJU1z|ZRheqMw1%ZAhKmxBcmrzu+ow_kQBAdX&kAvj}y$SwqD><`(6
z;4EYd2%IIJ(EH^;3isJDa_EG!kYym)p&O*4axjJaTt?(z3TIp<WvAoz%T5Qx^+a|v
zIOBZEZU$#;DnFMIIqbqk)_~VL{k-bnmjf-_<MiZOHqJObUW4%Sl7gR?BK*7*ft?+x
zE-yv+c`3rrOA#R3ySygh=T!(luR{2F6~fP}5TH=lP??k?Ik%seC;YrT;pdeIKd%h<
zc}c*}^KZZG3Q*WMvvr}wA+Tk6EyOPeSqR1xO)2nwo~rxp=_(3es0hja0O#x(Ig&yt
z<Psr!Kb&!*a-@&K$S!I0+IfP&NywJh?dQphpBK;l+==+P6Y=wUoL~0TD2(hY*|xj=
zvI|2o@VEy0DMGKuQ$xQ&<8t$HKvG}NP&bx*UBrV+dzlwvu~SO(@uN2^bS~j51D(s{
zg#m1^^+>6Me$Ylr_?;XM#0m7-#0d@B2@z95l4U|9$%Ldp36VevNtOwb#0ilk6Cy#T
z&<laGKuj@9mNAngW0nHNOajF$S;kBf$4rupnFJX#x*dubMDY^IXd%d0i78Sr#YrTi
zgupREkP(8Z;Jf80+uJOwGl+@^ep-uK1TTgFOjL_-k?JBYQseK%mKziK7iZLH;~v#M
zuTS<zAp1<l;*<T6w^p`QAo+N+?2o+7vOfY*T?EP0J#u~C>p=&G@i(S7bZiI?B2NPy
zovy+DMfI+Mwg#XPXabsn05Bey089i91r7ry0fz&Vffis2a0D<FXa%ML(}5#_8Nf_n
z7BCyA=T#*Lyn+H@#JUpBcwq@bXxu{&*$Z2cc-01iTwEGxLndhx7=a+sK5$s_h9!Sk
zstHSD!V=}2pQXIBM7ftzLpZ*MaC{Bn_!=lad#{)z`!U)x<_Kup*p{$!%n~+d=&{DO
zj`q&3t{{maQ;gV6mLcRK6z&f%=fOF=G-d0DPCFz~;=I2Mp*dvc=1|<t`<a=ypef)8
zGuu1TbTwq=;eBabWs8I@*ATW`Ls*N3u;m)VmP3PQKie3#TqBvl-m(te#kfs|qm64w
zBlfQ8ETqx!4t6NCm*VGrY`z4e+lhyEvqM4a$Oj|#w8P=Uig_thw7Ctk*Iyxoj5u-y
z7MDY1b$AUH7sF+B#44<vFN}0UmIzz1krE88#M<Go6pPxnpTl5#Yy;R9!rEfkran@g
z_sdBbQ92NwYBX(}gQW9DL=aX0gAD}YRmo7WuowMdFZwA(-d5+>;3kS=awx^gA!|rg
z{nZ@G)9er1)*n{iPfxal%4kc-ye<1>xg``~%ZM^+@6^-dBe#DzG1{*WCEFM-lbChb
z`DzO1rYUT{rm%WVVfC7%dLfgv(DQO1KO9fE<Tr&=!Gy+6r8%5RxbmZ6;=9<`35TmD
z9eBe(^k_9D%)9@g@YP|hs>7*bd}OCpO|kJ?03_^Zzt)gvq(fv#lJH(Y=;@lUrZuF?
z0{l=Oc0lKK4TJ*JQS|)60AHea25bqh4TOT#g!QShbBA!G_w<m9r-xiTeLofX6$1)5
z!o~I*2Xr-5>E(L|bm4#Wx!thB`*xv&REy9u-%WL4iE0C`(aQ*7Nor~DgHZf<TO)ig
zY^RX-@MJir&0#+V$cp@)0tum<j(A&vE|16{zq5dgvqE7<yuUz~M}(F7ju}oXta%_@
zE@U<2R~zu~?2y-oUvt1!8BJZd(AQBk&4UYZoHm?gdi#OHqL_vYY^bTRukoe@g3-PO
zNN!!&Phs~0lD)?OiS{t)f;`Hd44h5G;yXz0XMlN21H$1$I83I)%uXEa4G2h6=oFhA
zILdtvFt$2ywD%<-VZ#GQ?0JwpKu7XDc0M3cdLs;KKQ!Ws+#R7+{ehu*2oG(CPg-cl
zVfd6{#ma;oKNcs#Qm9s7i6VT>_7$E8l}lQiVBP$lPzlBQMEF{$tkUvCD4bnt5sO{+
zAlc&`NTK?MC5q4!;m!{W72#`P{jj}d$LtO3=MC%U4eRF(>*o#Y=MC#8yGdycZ&*Ls
zYw@+Pe%`Qt-mre|u>IU&{oG;w++qFPVg1};{p8R|rhzpMJ0DWw#T<87Rd-lbci5Ef
zu&SY96IMCGs=C9fy2Gl58#^p~gp#Wbt5p}yNT_CE0vR@7U04^ac-X3jhNqZ6hU2Rr
zz8lscH0-2hj?lAmuqm@18hFuqN9Zn=IP5e+og8MCVNF9_8?J@53U^Le@(4ZKJbX8-
zOMo;8cH>u62hce{mQ$wz{Nip0PH5tUqntMlw8?1`h-OU#Z8T}ZQO=nL+IY$|&?aY0
zI9-MpZMt!vh4$X1)bK7I>KLG3W*s4h?_l9{06WTE6!qdEoS~-*iCrD@2Sc*_W#iBZ
z!i>C!)6ngO%kjbuCDhT=PCK#?x^1BkKeyXsKPKhSGxP9X%%YA#`<8t+@+Ovcr6P0-
zzx7Hp=a9j$xhPErmPR9Hvq56RkswV6K^l*k%?HUgAS5;+gb|8{&g?|#6bkghVG!{{
z&D}vMvGa!J*}BZLbphMD%nRuPfpwW@>jJiQnHSb&UPzaD`{`nzg>=DbNSAqGUFPw+
zL3>ZHoZS<XT_j6gNRoDu0_j2m*+sI{g(S8MNzyJP4BI7q#=6K;)`dj23rW&0SQnu8
z<6Oj~i)5(_Nm3UnkS-*UE|R4#B(W|eNnJ=7)+Kz#y2w-3g+$hcq~8Aa`5oPzGKL^p
z2RINd7mnxva72rRBkCuPXsK|-BppXg({Y?AkC>`M#$+8wOxJP5gdNAp@`y=0<SFua
zggj1_$5wfqCXdtQ@kn``A&)cVah5z{DvubrNX?USn>=!HLk-2<`SQ3x9#Oq;1syYv
z$I0U&c|--q6*L1lqAucy<^;z+d0Z@y{qi^<kEl+#J0y=w<Z-DyqM^a{<?^^f9;v1D
z@<Onemwmmw(&m*LA8v26yTcxx;>iwsBu0_bgVpFhAj=Hm9TLcR>w}JMy?8f6-V3!K
z^t9cAkZ89d5SOEMX`I|V)Q{f;$K<Wf+tt}m-IUi|U(<(QOUDZi@}#c47caAsD3=jI
zv|<R7D>!cXiYU%_aY!z7BL-eglJ5rKo?IOAda8NKGN0bwLku3d5DSuvO&+-ri!-^r
z<dN&IIHN^*5N(x$XdM$I74XRIY%kv5>%wnwcPt(XcHu2a{G@filxZW2uHkKt{@!I$
z?ChD3QaiXDk+`8ZO8#IcUXAITkIRE(?JoS#dS_d(i&F8*JqxT!)eH=wb)r@u5w#Ds
z4N4t6KI#c@y`x>8*SUlJ{k=<vXr&D*dF2`P4Rl^Dw-E3Wo6Kpod>_JFTkXY9lLr^@
zBh_+o7O%T;kcL`$ubm%f16IrJ1H>Y&P$PGs@ba5HtCd?%UVMVk)w`mjXF&%g>y}#p
zAld=|$+ds4^pxAn%fDXv@;=VUVIaAP?v?Ltpm@p!U9Wr_181~e2x_FrswLq~d~ysC
zEkA}tDlNDs7o9=Fw>&QU7C8_hyu-KTE(KofAHE_N>wOqyg=3cb`!L!HUm;^5o*EYq
zs7VN^0WmDg1#ce)V&N-t<H?8dSon&}s}JL{@D(b0h`fIIinM?a<Fs%XG6uplj<~|>
z=sw<<0)=n!UZD@8^3dbFZRqoOZM*RPp$}tpwi9m+`gm*5$6JFw`TmTX7hXYBw?NW=
zyzmOQvsb)qRNngY@z$S@xBfu3p1cR>^9~z_w*!3`SBLcEok1V(4EnsBY2FL;@m`>h
z_nv&b_vGW<CLiw~`FQ`xCl{Pi82NGDE%Nb>5Gb4&ZwLAKtxmWI=Cw<b6vN^8PN+oD
zJ-aMQasOcMk-_YuM#1bdCdK`qupLWxMmQIhD5Q)Oho7NSJAEncf5$FdbZ0~Xqf=WM
zDGonVGn|eT_rGJOLw82hJ36(~k>dW(*y+%n5p|4`wd;@+ho8YdZYZZx4Bx>bedvx9
zSs5vE8XlxzKPp8#09};<+}s$t-L)8#wRO0tJLsVinJuF{d)=~B1)A~BgUii-|HA4V
zu!7bgT4;PH(7(v)op05*_s;9ET9*$Dc61L|6MNcv`}=zPsY$jvdn~-rXH7?QkF!?1
zSl5Bad)ljd`>kHw>9^X@?V*kB7;rWA_AQq~9t#^E?g~13<<bAYr7(Ko;9%d_s;Z?+
zm%4(ahzld6s?rK;Y3JZVYbrX>{v}8{(AzU;O%8T<SS6f~5|^Ey)?m+oHKo5-&7;50
z;m1#IpM;+-_)<wwN|go5naZ8`nYW+tcQMARE%+I=P53((McQKgwC~OM`xV>qW4=G@
zQTR#d8TgwN_vugRKStz5cq7h@SR3&S{+h&BMx}8%el+<}<8}N!h#&BGAS_3x<HyK~
z$d<^pksBgEjNB2G8Rd*RH0s)@^--@ztI-MgTMEADanXV3DbdG72cuU+pB8;x^pnwV
z#CT&4k7<ut9J4IugqT$^H^nNk1+hoP&WSxP_O{r2V;_!v41e9=W&FK@1LJ1kZxq}V
z_j7za{^CGG{H*v3;@8AK7XM8ANAZ6oh=k&VBNMvucLO#gypd=mrY4R`bSL&Do|Sk@
z;_f6h$${_t4@|00IxMLrX<5=qN#`fsn)FE0(@8JlJN;^Wqdz&hEqOumYsv2<f0z7c
zN_<K(zPVo`zpbaQ>Yq>f1>ey}r&_7Ur>;u9F!k!x8&V%geLQu0nj<YGZC2V{Y3tIS
zPJ1amD}6zFZ~9&7-=+VQ{#S;Qk(x0I-=;6lI6LFQjB7G(&$u^Zea5qy(fIznD6=WE
zBeN@WN#+TeYcuc9+>rT9=BCWoGQZCJE-Mk=lpm7SoOMdp>Z~iXuFv`)>(i{=Szl&-
zoApE1pV=Z?mtT#W@>}t<v#-m35Z{D<oV`0I3*UgdbJ}wTb5`V>mUC{-nw;n5_ukuc
z_T+q<^J~sOxe@r{J2$r|w+vr<PsyE`ds6Nhxfkc&o_kO3Gr6zizM1=B?l-wV=kCoj
z^5XN-@LhLao<DC~UPE4M-om_<d1vQcfiJf2&0ClEZr-<fznF>{X~vmVW`jA!oM9eg
z&NCO8{pQ8yTJtXR5%VeYIdcoX&HmWjY3{{O_|`ZNbT&HY;*0Da=YVq=eysOK=Q`(8
z&R3jU@l(CKoL@PAaQ==TWX`huR-HA$nvCzUXW@(NPHWIQ$vO>RWM5`oYu#wwhOe?;
zu->xXw?4r)*}q!*^7Z_<{IvY+d}n@5{^9tU-i7%q@k6~A;A`v$@;Bsf%6}{Wqx?Pj
zKji<K|4)Hl5Q86Q&L}7?IH;hZV0^(*1-%8!3r;IIr{J=JYYT2ExToNug2xJ;D%e`^
ze!)it-xvH+u(!}rm{^!rm|f^B^b|JYTkMX)zQW@R&nP^v@Z!Sj3vVsFt8iW6BZZp^
z-zogC@SDQFi;SY!qU56VqP(IKe2-mQbZ}7sUt}LqG_z<<(fp!CMSVp>MJtL<F8V)|
zy=PbyS=Tmt7f{_;r7hC7O1IU8NHAc|jydNnDj*`L2#Asd6a^C^DwqQXL<LbvDk8yz
zm~&Rlj$y<srrk_AGiSB)%=68A-tYW47vpsGuCA&bR@(PktJX@#ZH_sVm0jX^+VO(p
zUB{P>Uz|86!Ksc@J*P%at(-bJ^>7;KG}LLVlb6#ZrvS>$o=Mr+@lI=;Qk}A$ik*%-
zoprk6bld5n({racP8Ck(%xpOG&I09T>nJz7v2#1;p3Xy^J)He0H#^FCk#iDdXK!^*
zcg}Xsr~K^G&X=5TIp1@B?EKuh-1&?1pDxxe)m`+IrS0s}*rhpTYIk($y7khQyPL0B
zuTX92yS2;K0h@-_QDl`8tn6SHr99S*XCA6Ng+7|A6z@uVUg@n8b*vYw%4#xyHdU$0
zsw=(dud1R^{1tyzRjJ8($xLh2a^z!^Q8;<;#fy`jO}(X&?OV#?;jGNU!hlQ<kAOfg
zudKksvW87!YjhirZoIIegu1Y4%!Yv*$F29N<46xv0(7jQDuaP%EmRo_eKb`mT}^4c
z(o-d}^RYVC^!sP(Ne}xEN>in|eM6<E((Ah;Yc8{DR=p>leg7`M^!nBOQH>f-9NJeF
zhi=WAdEJn=d(GOd@+`V({JhwN1%?@s8?x^1XHC+XT2`D?Vn)h})yeYQ`+UNJCCe5Y
zBBEEPuU)n|ag!|4i04Wr7g>#BnRPQIuo7vg;vefdkN(&+;Ye)p+`?YWzmC#C#YX;!
zTol4jiU|#IH_VG!k+^`ao+m`Dh+dPb-?nYT(In%dN4&x<89Qm1zSo7|(+iB^p@QR&
z8T72bBC;AvZ>5hSC^eM+3XZiuG{G3JSg1wzjE3Cl#Tzz5W}g*@ADmjLIdMXd9=-*v
zrqRSH4V2GnWyUL4*4ZfDS#@d8RsD6(!%FQW<AN6a>G<t)!}Jl63qltgHO#1eIFEf(
zdei)xW~sFA<}n-JyAFNEPaNrOj91ag9s)HEljulMEmp?HDb0;an@KwD{dvyj#(Ms$
zF1yD)GKyTB>5(OyT~9C{ZM3W}iGN}KJZOtqY^?5dQToYjIZ4H;3EJXmlD2r*5^s+Q
z2GP`AV9j5?W_UHOq*JEcE}I{@!#g=ozb|w9vEzAB0f&rt%K4KcJMHOaQ0g{rqrmmz
z$Sc9}Q$PMx*uEGa{iL9<A)|+8<arv~IrD=rzYKgz_vB)AzunI%D3n==vVe$^-kzn7
zi4I;AY)~{q?lC>9edGS8liA_Zv*fbZe1Ui0gG~%d55<v97MQ)FW<(&gSBjou@Q&JX
zLuUDki*in_*c5eTFpA8NX5Q|`^_Rc(${Dmn9-A_LL#94$Yx4e_?C6kO<K^dkruWFb
zT@8x5+n{D0Zup!HmybmrofDuBiHe>u(PwM6m$82{-sk9@8J7&=htk6@*2=#m^F9lv
zhk6;jrl%cTApbI#Z@ISA<AZ^CtF`JSvly6Hza1a1s{dr5FRx*|5R<Ub5IlEX=Hu0@
zK@zi;X|-RgXqhkWzNRnn%28~RjI(=~mw8^4epcin^D?&(H2p3F+^o<u{=~!IUY2%L
zcqjj!{RSDuX;Uu_GIW{X?zlvLwU|G!V*TcA^x)?gPT#vf{BWOnvl8NG%d1ZCtnqKk
zJk@N)ttgP+oU(cK4nyXy$jO0W!2$kZo3cXX0b}{GIi)kM8$@O+?a$uxC0TB*4hfkV
z9Y8I81s3~IMYJ4i>L4f$STcWoZ_&B8de%(g4=YBa602e^N{NmQysIwDpE+>g#DFfc
zsM~Ow4_z6#HdViKd-CZO#s$PDwc|a#`|JB&3c3?VwCgVPl$Ctu!p^Y`g2*Nb=T#q+
zo;+)&QmQj={^ag`$8PGGo#O$eno*f-e#R;tGagr;&6(vfA#lbJSxg8IO^7gz58JeR
z&z^0?`}fbAnI)fi&1bp~N*QKQtem|Y_@;Rtjh5rpVnD#@UWVRdyqy=zZx->nE0Q;+
z7(`2EsKo}T&aorwkFF_MbJ%W$YPH82xAo&LDo5(D!7655X;0F@OF6xu--131dXsdx
z9&<hBa&LCJj#5L_TR9!mH>OWaAG>(f!fW%dExhVwKG9eu?vvUj^WJeGer^W0klaIY
za=W>_$Z8gyey~DTY*fAp(P4fDzv!KL3FfcAtSB1JY8o``rI6|F?iYAP(58$Lv|cfS
zcKQHG)}{;*WNnVWWK<@owJAp=(Vp!Va+xDdlcV+%OO4fCIJv&)qCBFUC!gqoKtsQ&
zsW~}2l8^7&laP=he^qPCyGz<n!=k55?WcG8GM0plNNiwudH3TJ_aj5HOx9At?gK~8
z>A!ZlrdTUN+kOiA<&Hlx#Z*Na8tCEKMeq2!7t<QGWqBrB-GH<SX~*?PGIt(0ygR@>
zVD7Zg=|=5~DN2^k%`5BVfz;fLboqh*iHMPUH@^^fqbAm!s6T&_Z^}4BeTRlhThUcu
zQC)QpHwUs{MGPmNxF|8O+9QuEHJZ^+l^U-`j^Q;g1Z~+GN&AAS>0qg#eX&4NLO-zq
z-<1Kc*i@!c6jArKxcJs<{o{bcL%ae5$9ZMXIFyvMY<ZG#SkUC5LB#AA)rT|Fcjg!h
zHqGow6nXFLnfrG<4|kh3J$7ced}(!h-YLVbZLxDx<oqlAws61Hkp{)Oe_O>yu{qoE
zo4ojuZbtC-lZ)h(lx=HM3|U*F{HM%}4wW@#g|jTqFn!*}qHwt%b3M*#@dev9ZQ5g4
zwf?0PkvPLJ&~ru$Z+Vc?i0{hQDw49cn`#hi#J}|R%ou2x5s|QHj-000@hjGCShmWr
zd()f=+vMX)t$vCtKYr%Cm>@&kyk#rq$zk-9MaiiNdkp6bQePCx4_IIRma>OQY|ky#
zL#3~HBKEgMCyXmpM--boN`L;a>JICFl-ckrREtK(HXp4gX02mNQyQv&Q33;6(%c5V
zXwL%KTtU>mzE;L+v#Wwq`)Zfh@*}H&;H>iUU3;^#c1>&AG&mqY7NeDEtj%3!FDbRZ
zu)d^e?*B{Cy!oGc=02&JH>73m|4$`zhjh&S|Ed_amWVD_ki)<8E2OS*q&BZA<JD}6
zWE6F4i}_heu`Ac<H*8vcbcHeI46j(kPY(ChyO)GrTx1lNxl3YnDs_grQcnv1)swRS
z*^@%*Ng4H|@V`9~nGI{SOAtv72kA1?w&!GrZV#LmI@5n@+RVK&OR2T@@3v`yf461I
z8tSL|?L$_F>3=z|aFa%bP7IJ)gOw+bUN`K^iwN5;mp$hX`VPryXHfJ?b$eyL62_`D
zW7Xv)%tAL|V&=yfxiEd-)-1!}oX~zf{iaQjHM+l*MbBj3bADj3yTLthSMhwgCzB*y
z#U)y>iUGyPo4(=|YgN-`yjUvP7PH3e5Nq6sRo8yHE@{gH1?{JQj56c@hf&5x#Oh8K
zrSHp^SCCz`TCy!;A0=k5^<>=y?X&<%yCq&CoA2^%r7N@V?8<AnGUj4AgUF$L%M9kP
z)R@JK&qz`X6}07tB^D5?yIQpOXg+CvF?Ez6&W|-U7FZ*a*qtQPBE>~Tv;0uqQW9V1
z7ZmT>y)Z0YEQ@^>catdcqT;~1DECP5RN5={%52sDxj2$lH(x(Sr48Ro>oi_@sG?g?
z2k(C<$}h~zm@zEXxTp;;?pnrFtP|ttaajWEM&izj#NF4jT5Pe3)nis?nBB9nNBVD(
zSE#k7l5Lq6PU~3>hkc5{sDzo7MY4{$TvuPqiW=)VEvTp5N7+L**JHKz>%+Y85kq}u
z{32^|CGFSLaf0@}{d)7!8A<!yetbx1fRA3B#W+4;VLY*U?A&#GWz$i`<wpToZjDE<
z7BAQ~r6X%B#xjw)3Sw-mB<gwzVnJ5s(ZZ=26PLs<Te?I(vuFR=J;uO`d}Gh?J(}n{
zWV)X>ih;|%GvU>j@8trk#q^3btM_w2)5x;=P{_C&zWcjw{yCnDn|B>A)PHr|rBpF0
z9_Hcr>Asv$A4`jw8W0gaN*=9D(J_Grb4GP8BWf}kJVVI>SD(1}F-cZbs*wpXLEZ-M
zm^~*+!KhR&Nhby}wLxRD7xwPnypu%>X1z<_GBY-({pTAyr)D-DckTO+pX@ckSQ0vM
zPjAD32~&N1<am`>)|qJJsfvBAY|pn<iN&n8V9UBm>&(Q-P7}Mhmfc|kWHyVIVha&!
zU!_phBsgH$u<2Q^jjT{{R&v$KfJfa}BctdgXdm{FMAh2SiNhv|wU~>jyR(SjwQBA9
z&17s?-IvG|h-K=Emv31WT5>Dm1bbGO?7m-E4ejHFlJ*0eBpq+WXB^Jol4mGQnc+=C
z9uwJdxPxB%xc#aAFWFw<!2aFulI7(Qi8EJ*t&X${2@Z_*H_#?$wC>uP+{_}wi5)&e
zWpR2~{wTw!sZ+ZyG)ucax}cfcGg3FCZr>yyh}yegnm&Z^eX>*BVs)2GQ%_!($LE($
zyKOjqIW^~)Jnju2;TJe(ieacn*0p&uJD^J1khEi$o*DXoQ)&+zAM7!a6cA_9w^0Rz
zhsKUxXx;yXTAas*2<uJxmg{S=mSlF=C1-ES+LT9T$5!7>0h|3VDRy;OdzI3UJ!G9(
z8LzZZjZvz{1kLrI<3l#atb=p2=j<85s@GB4tBAd>^P0ix3wvh!2Zhd_77(&2E9|Es
zmwjr+RfE`NL$g(VXb&)u7^jQ*UX8_Tg7)_dYfH9W(iczOt#B)ha|iRs;*;l-of#W9
z%e<X<DqNxkVb4`vCHJWTQ;e%$uxKLg|1CAe*}6-~Q(3TM1W#IgtnPoyP$hyj70YUw
z+DodF7nzOXXWsiM<Jcuy$7#IMN~Jg|ZhX9{tt2XY&Pk?~kz#HwQ#0Ci#;8~{yUjoQ
zp(E>ml3IyYZu8>em|2UX4U<B5oRpad@tvA>S9KJPdbUzW%r+_xb0qOf@qx2vJ@@zP
zJAU%ep+%Ff%B5D}QCoJUr)=4=BV~3-aMbK@S+hAKt!VQe+Mvb_Su|jrUNJHU5@mX|
zqEn{KnI7U59b~sewesBR%SZH#ZmSmeZr!zapZ?0wye{2_P(bF+;OsCX*^_3g*q3!z
zd`*%>7QCC%-8>Sq4Cax@2%5dIC`4|{T3shu_e0pp?D*AlXC_WJ4DtwSHBN3vc0mue
z)>KDed+w;-k|JL-GkC=egMGuHia0#eGbhY!vGNIVixXlDv*)bZ86%JQlyjHQ*tm7|
zX2a%{tbs7yFv2ThP>}4VSn{LTK=w{z?xm`;3NPwL1QfjYmt?XP$x>v=ikptL`RzK>
z$);FEP>c20HYO?-E7aoF)Cd;Bs<3gaidhe^QOwcOJgg8h_KmE{Rn~;HRIHCH^<^d8
zEP<}**to0e2L+*h`%d!fNa7}0Fq&i`sPxxg_mrMHyLVKZHq%BCTb<lmeE6Y$-`suC
z+l&f4Y3OSrX6n0m$4pKzis#IG)ds31x0c+9ziT})w>T!>@a5Bc)`hidT}~unaB8m%
zlUbCa(@meYCNoI>tbTH!r1W%#S4$_K3GT#GD%EOMXUnq}jJH0m6t`eK)O{TTyDn0y
zS&N;P9h1bdu}sx5!en4oi2PVj6>G(+-=V>cRH|QBI?GB28q1HCI##kv{rHHly~4Rq
zXiu0zs3eXjfo`&k%#0KlACN@ig!)XQx^RP8DWiEt1Ur-!vL3WEQCh2%7RopxUT3Ag
zigppSZGK9d{S`O&Ue)J^q>kHQ6qUkrQswwa)<n_<vp$k`-wgA?LP?x*>h`P?hMnx5
zZp750M>6R}R-+m7Bl&u0$Lh7IvN+DHRyuxR%}g$&_E|hh*P0AhnDEH$c#l+eQ@Xl)
zf6-+<vut%isoi<tv~k0Yw_ETzdD*FjhNBrF6UO@aD=N7@8U4(dHFcziPw?Q;p1bx<
zmisp4M;G1n`)ttYj^+@0GnH8rfh;D?!n%CF^Z7-;eTs(Q4fU~W&y!>^BV$6T;bd0M
z-4$~0wR~{={McCrG4_TezKbRNq&ZpaU0F5m7?}fEtbrwaLEY>{#6;x7LX;}ZTIuH8
z&EIpZe8rj1%qiM^-teYmv{GfA{G+QXVfND5bM(q|W<fvfX=GKcx{NDk+(Mb{r8j%e
zb@S+I&_pnNW4_--)?FxPO>9d@+_hvbG$tETFSl;xNE+73Y@i-u3rIk{x<Dq>t3hWD
zv>+48R@H(`s5z2e)ZNeIy&i=>dZ~Z0<8k3bW2a1hc&mWUil|qrW_3Q@%BUH)>>b0q
zckgU3(PC=}Kd8<ev|nlI$%Np`4^~|9%^tkzr$#=rd1pbs{zI!w#nPzwsaSnttaoSB
zM^d7Kf+A<R%fpq4ItJ3n*Hy>2hffcP40n??izQ7!SZHjZL9C@6?ah)Tt($iT`d{iM
z^HD>|p52~AYoPkXf+f+U6*R+`z~7iUc4uEhWYm(yG4f8O7N59gZQ@!(#+H~F$#Q-x
zrKPgRjGxg0Oy!S??3QG5CFZUAV=zfe7nS(!tRPkfvUovzgVmC>Su8@*9z3Qr?<)+A
zWma$BeP&i%F0&<zzMdsZq*b$F+y~Z%wRL{4)E?Y_uHR_+h%29(ox5Sb;rzjX-s@%M
zs45{gJ~%|LNH-l>J>wE)r5hG{;FQezs`|~JGTp<VQCjX5#K4(hQ~mTl+d|T3n<Zp$
zc$TNZBRHxrVP-_q4I{(?RxB*8tj08wvQimyN{H3Zk6k=#2{B8FGM1@Lw<FC<T}n&c
z%DmLi$rAlixr!Nt4@V2HtdV<d;HNJP4<nTwzH|3NxmPUTZ_QD!4+e$gl<xXMeiv=0
zwi?74GYUo-Mg~mn8ZT=eEhAnUaD#>?auqa7{;aWOIy<4etDIn?2;E~fzp`)^uGIXX
zc*x2iB}>(HG0(!3<vKQi)wrS5pewIR?2XRDFYU_BeR~fT9t?EZD0_uYnH69NSH2UL
z#B9E^`E-f!N~x}>8+TOdDEfzk84i@D<!2GNvv}0FUWO^YsXHU&&aHUgyz_of44MHF
z%a(}O-m+!_vkdrk<Y_Z1**d~hhgB8#(>gKr_iwaNMW$5C|KOt^X~p{3zxj!ex)P|^
z_qz+>qozStXY%}dZ<Lh?)%A^ex#tYZL#x3)2XDuc3{`cH_3;^M&<te91TNV$+cLQp
zb5$L9v|)Gh?hP4ab!?uoDQNSI!yW37HA1r(#~j%jUU60V|1xhz%=Gy)$mW=vF=uy7
z#)JoTl$K_iU%+eTORSpGLnkVGSCJ~0*<jmqtj{m+v`<-Eq5F>{o%R~5l5^oPv(P{D
zJKle+Prz8W{GeiEQsS~C!}4*y<GY7gYtqfOeYG1z!z%6*txKz)>k_NGqs0E-B(@T&
z>K4bdP-TdYReN*8m9G0Poy`(7N{#caSp%c^_1$Y`MLc%P%wjKy!^(-lUNj`uvbPOl
z_5sW#khVePq}{}f^ZdarscYGMAtrH-p_fP4FH>ai=KKUUP^qm9oS^dljeju3V`neJ
zoS1~gvGNY3E}yt+RpM&H&eR1yTjY$v;uJxpz02$bah*HQ=-u6t(pj~tE1&5fux%83
zP0Ol`VRZ%4>3-{cXoKk9#(}Vh2RDw~ESi?-yIB@<m9d8i@3IxxaONk8%i`C|e_IIR
z6-$%2K*xI1CRa<=g^%J&hEs3)YeKZ;tN5}eik9`3&sh<ssivJ#d-_v<BNL0M>nZK&
zPpxo@3z5>lFk3=!s|n&VW@Bo=Y(%ABDkD^7<2OmAJ$FISZZx$QwC7F>+THV?u^E!M
zLtUJfn!RgN{G!dqU9<&S8$NmMM1x{*Ywsk7v){;88_9aaNTOe8Fzug%bLm+wmSwfX
z@$Gouh}rYQ4U6Iu6XWD?nzh9nHYRK`Trb-8<e+@&8-GM(9<<3a83@q&Y^p06HNOh9
zKQ$1ek=gIUdeWAFAVIO$`6;L75h9>{!>XBo`c68@+UqV%A~~gPc8b5DoY#GnF3lyO
zpK*fsS`oD&MZYs`{k;{&d4w6%i0?VAuiia7<og1$W)G2cb0DOGJQI^#$>?!V>Ng=2
zV6rmlwPM5S{{wM^2y7<XD2TghS0gGDO_q<?fJfZUZ;bzH$%dFLbx+GK62);{F12mj
zWdO}E$_73q$Yj#&+!Li+_8mB|b;_vGv-~E>q_mnbH48a2pINnIizRVCt4ijWcxE#@
zD2b(M86_9=3>~j1jehAiV+^V7hJ5Csyp&^x6Z<2^dQK1SEca8mXDV&^gZ*KnMtTPJ
z8}61;=q`757Wa;0&CSFt#EO|j^}bIf@q(nuP2ZK19kR=hERakB?w92fRn@fmTN17(
zNf^ttrtC;jH+ANw%>N)hvi3NEK1S`6pSX|lZ`_9(|ABt!j2ZngY7Vdq0&UICn+c~C
z<GF0pHOuT;rfV-$io5A7uk@nNA7^>iGDmln1(&ihq<~K<W3DN|ye2no!X?A8+yl2(
z$pcsO!ErHW(_sgz%dd=yNt|ow<r&#-l9}hmimZ*Yi)U?BN+|oCgmW=Z)|t{ySw%MO
zD)Z){A<_SOLa<1$u^9qcr7mJ;9pPVXZZWGKCauy>rOf$Z<egcDTG5kQdcvHx=5Ec~
zoJ+zj!8d-0k6ux$HM(Q_^Gc4J^wJnNQ+Mefd|so=P1}=~7rMt!)|U8%1o_I^RNwTV
zTqA2zOS^L4-{+=KqhDx{uWwpVuB<d7u61N&znU#*MiNFO+G!%0)tkM!DMFkXzbI~w
zL7XIYQ36>%p%(Sk^=DtzfA`h)-+eVwUvoF-{I{=;Y7L1MrRi5eY$PdsrKe6bJ<|0T
z$Q3hq9{z&+JY4)n{wIlj6hv2MOFmdyaR+T>BjSdvw3Vw#xR4>^BHm=Fw{7>oZ};ZW
z+qUlrLLDZu9_HCIitc{X4v?uyyJ<)Mi+Ro*M@?XsimO8Zc(c7+NgJ>!CRg)}D`C2v
zf=%1RNZWjd9;A^!u@<bAlqPG-18(z+7R+5V*AN-8Aw4@ayJR~F0+BEcvd`ZM9BUw1
zvY{er6*E@JUm?uWp6$6p-^g|m33s#+b^j1A+b@tzAb}ujcCsdk*LYWzMz>GW{$NuD
zZQ&G28^t~d;-mNHUp}&BLEoBvBQZWiJWw>VfX$S|2o_65=RmUcZ!u>w&g+@SU|{6_
zi`%v>eh)$X-y|`zTo6wx9r&xNldJ>L>3p_WnABjVsV1?MXDoB2k4~{>J5n{i3Hwu6
zKaAf^rbqfY+Dw%eD3&CR>EEaV!ulNf`n2_Hsrt&?`69)gM&e$i`l`6oFP)`-fKJUz
z7WTrnkUUSq7j0^x_~^#1Z;!Z~x6I;$B^w}ixZr<xAqlu}5~dB5ovQfAuqBfW9sTyc
zlvxYKNok>0dX^7jO%J6fuH0=DpPGIVSm1k!@R~Fh_#=(ERNDVorP8oKvk56Oce9BT
z&YCQX6p0iGs}&9TDKo{Qgn~txM#WjRZcO5kNqXfSGwxR3Nj{vr-<Xt?n3$L(u8fUL
ziZb*a6V_|0JWLUIUqS}os)||H9n4m7Sx)P;RPdid##t!aL}b=bkZHDiek3wdi&I0w
z%|@;6(5m!(C5DppDc-B(C&~QtB_se;<UAYOr_~Z!!zta^0>M(TtQ^Kli9}h)S3@5v
z&FpzmU6LL(*(W5*&1@Q0r5!|7k#Is6v3R;i#t=i#zQL0R$>Op|(hqe+MSZvnt1jMV
zn`xcy#p=FSyr->)Yqt+d)$yJY{*&bucg-LL`Dq3zGh)Wh@r)fueww3mierxrVl&KM
zTv7KfKEL3i{=&q9M)Ahc>LbgyMoiaFpEc7x(WnWQr~^c{>XS?s)uo%$ir1}O62H!v
zPLAa@v%*(RF(~yXG*>uctpe7Nbtm@Xm8vT7`zxjrqe!EPy6D-fHqMrrojPUfW^xqd
zZVegMKV<qe(g&s*e_;l(?q4hCfu=40xp@!2ahGB3+JuBPvS=VDyDoIbnw=psY1D!N
zhOvH=yT=hL1(AEFv3MqiX&Ybd`*z?pTahgk2=sIjxw7{JGq7%oi&|{;YBIB?1#;67
z{Rds<<6`H<#TvpRH>B@L$tl?;n=#rSiwH>|q)=(IU@hy;D}rjR(p_n@mX6e{jc9w8
z?m5&f<kKR5f&dk?)S}5LQgq4g|B0sMps-S$A<!tV_I)zu+T69YC<JS9tOMgLSqJkb
zS+63AIEBb1O0X3RHf~For%_iHh>R!3p=KM>oi<`B**hZJ_Kmj7O)9(hF<T^RcA8bC
zNnM~sm`#|4W~*Q1FRx77b=0sqB|eU%*)vw1RyIL03$;fq=@FM+!K!|?Gz+xYWvrfQ
zO{B;j{bG64B<e(VjIeE{;|?-g%P;iU@ps9KMdY=d5L#9#i6@Hlw;$UO%cMGrb#%+d
z-4(TUd^vTe@>Zq4E<yE2(GNR5UR_!AL(eCw#I`0cFM4z+^Lfo3s`Rov#C&v>Ua$Y~
zQfZW>Z2TAQ5L-%(<8^H57iFnR^ADETWudI8m|S5ia=(&gbdp_@Sn!P-y+q}P+9M=n
zc7S1G)XwWaz0zt;_%i7%F)u;L`^`ty*acQiRF8}a^Nop3ToGdo7HP>jTass-*gTfm
zHi<B$M~W{wl6WdhGrYkz(5}(@%MWi7)@>g&BreepJ?4Lr#C)$oE**@bZ649I`PODT
zfPIqou(r9(!7Qo&1)u%xi4lKoA&3tqKd=?kOs+bn`(fTx2C9;hHzlSU#4^?CT@l`s
z{lnco$L-9TDEDnl3)|2vxTl)B2|AO#)cR6Ws<~i(*gINh^?jy~jocZzZH=gO)0tGH
za^9*^*%@BEN6LXnN1Q8})w=nk2JurpTDeRDLbwa`ROi3{S(3o0Mg=Cs%28fqmpT4O
zQ`*rr_2{!beL9M^Y@{HXu5uSDED36)gU@uJ7H3|b^nq7EcWfo(iEJ<lMjdOU64mcZ
z$NlCJ%(ED>p3kToj~36y>fRnc#Rlfd8%}LFx8c0CXh!K~8M^;O>Dm%X*Hg?;Gt1i^
zN^_-o_tA=_tRbwE8S;N)Ae){w`)%lL#nFN0f;v-+^$sTeV+IR8iL4u0sP`pXmP?pI
z4f0!*i@!=CN@vm@kBLpLk<9r)^OQv}hP~|uR(&{g8BSn&>TRM`ZRL<#v{;|MrJC1j
z2upe<iJNz)M{WwA8966p`nG7ZvbEu8(?qySt6GGntrwdQ^QUlt2c4)Zwx-rJEp13)
zh;cXQ8Ho~GLAt?4;V%-#VI#8YsSo^Uoz?vplMC*$$fbW{_+lxV??(G0gM+i#N$Yl>
z=DeGZX^FH*h|tYQ*=fuljY$}gI*%4@Z?OiV?FptAO^qcsI#MK`L?#J<G}$bR=8J6B
z{L`kK7u@aBrnN6D&A1j}DtC_FCh}8p;=j>14Zmj28gUm%T#?W>5-<%pMre;EYe}=X
zjD(XbQ*-Pxv$y;yHtasJzCWdvSw%c#eg67u0*Tl9BD1c?tW8wtga9*NX7gh`S^2Hh
ze+RNC;vKVaU_<G)BB#{6#Vl@Fis`4)FYdZ%y+X8o$=(ZM!hA#EywoGIIDCij6GvqE
z#AfCdEfWdSAbaoAJ;Hu8N{r%qPplkH1Wc3QEZSzXhDt+|w>H(ZKvX50dPzhBolK3y
z<UNKnyM7{<V`*DBmPYRJk=9MkiS{8;vB8FgixLyb`A|8Zwp9JeKg-Th=i4exX`W-*
zV5NP8NW9*U`k;ipVT7R23|f=gnVdIv>||fjFC^GsoSGh-OKWFJ6R)$5*Tq!oElmU|
zRI-yY>23pKnS6sylSo=P(sr>PYsVZ#HFGZGAF37SE@br49^Urvf8riLzu=%rzPrfS
zB__6I7g+<^ak_{t2-mCig%M)MQ3ws~mm)a=%n0%%kAbMPiy-&h-&#Cb^^uL>l>n8-
z)SKK>#0c7sw{5R~6T@Sfohc(yET`xucEr4nqNy#@()sSUZO^<D$s!%V>RO5w6DpW5
zQLR}a*_Mf>x`ImVW9mUIF4PYS9a|`tzAxpJIxl`DnmQ0-I?k~qR^=yQm};2uR`H!c
zh(tqCVW!wKTd(?&@+@YXOihR>(pZVG-}jiTIj*8vtQ`J`M&rhR6cvg96{(&bRVK7U
z4?9pv$V|>$06H5KeT!Uh3DvL^+y+ak{>*JwgX%&a;LO#Q4}wdx1C?<+#Bs;W_2s$a
zHK=eNcb%t_dE8w~P~%|^$AP2Z9*9WfxL4It0*(phBIzeMbGg8iR2;AtPQ!xADxQIb
z!HP=lS=d{ctKM$~mBqtF;2cNQ_izCg&KxemqCqvRghg9RT!BSLHEsY`Ig1{^by)PY
z!yVuzXE7eQ4GS+7R>5MjNX7gtLU`PTMWhuT0A(Dg0^@yH%n`AMvshA{3Q1dRw8T1C
zY*CquK0oFxXn;>)kyeZ9&YMfJK8M8-D=PnIal*n}eR~JhOa068)L&Mo7C;TusKWPc
z45}(w4KQ$+MI{dbZz_@rM8jNF+!E&6?$)3ZgH&M<GdToupz4cJpmKzK7%&4!03XhA
z9l=Kcp+Gp$4SXbrDjYfiT>wwO3!wUqG`h|}Dj)*EoVm(*82DM$shl^T0CO?%WbjKZ
zP!D_}6<GwI^p`4WE0#g+3ao&-Ne^s?xduA_vjY1hsOcsXp$-M-3UydDD!;Ct&p`#u
z22y~{ph}2bFHXHs#dWh()19lrT$+40unlT@gb|RaLM+rt9JYW;Dymlk6QEuNY=C;T
z3+7m03Dm__6x)r3z&s9%fW<J^Nsj~Kp*}tnL7aL$O%n%<1l)esdZ&Q}!~D~wz#dRo
zI1vXeGpG#bZ@?RH6f(|(6U;^BxoB`ie4D}T21m450Rk(yKVV@)R0WGBuyBWkFD#;9
zu@Dwn=K8)C1)vJMw7OLL)`H0HH*-N~i*K-Cuxtj)mayyw%OS8F4$FnGTno$fu*`yG
zF)S~_@*ynCVPy@gy0B^ks~)f#4J&V0g@Y<$TBVz7TUy<QRVDa3;9Gzn1bzwlBjE2q
z)eWkiPz``;HK;r%&Aa*{)c2r%4Ydi@BCMTY-4oW{u=auVG+0N#dI7AHV4V)@LRg=H
z^#fRcMin)xbVQXAsN#<*v8b{eRnDM_34#`a6NC;BhCuLxuoS{p2!|j%fH)pv7{t{O
z_e1=Fs#Q?67OK`q)jp`|hN?cOIs;XsQFSe<=A-IaRK1O=&r$VvRMVnbTU6_eYQCs8
z7u7bQ+5uF%hiadosSiz8Xr@B59GW%IY=Wi;nh&V1NA<3#J_XeiQGGqCZ$tG=R6mRA
zFU>S;Bfv%nn<lX73mY%kgu^BmHjiQRCu#_&(FiqCQG=nz@37@yYYp4}u-ydP2ha|I
z))(5@(5{2_0JK+8(-JisqGl)59D$mCsQC;ve}}FnbWNb!3Ed&+o<a8qYUxp{C2CDT
ztuWMzN3CtBRf^hGP}?50+oSeK)SimkF{r&CwTn>u25R3!?boPXi8^CZ#{+eIP{$v2
zGGPbU^?=<l*m=Qj2J9BVE*W<FV0Qs_@1U;+eRJrCKpzJELg?2)zX$qK=pRD=7zPIz
z9ASunVLuFKVR!_?@2J}Zb%&vD2<omw-J_^`50ncb*+c3BX&R)(kWPZa#EcS*y<qf(
zalg5WJry&jy46&A+I|e|OJM&M^#-EeSkwzbz4@rO3H45*-XqkjfWt&M1j8W~4r}0$
z0f(1x_yhHgsNW9thogP~>L;RpHtJtS{g-gGfnzH;?u6qBIG%%(0H=;{nhK|EIDLS#
z0nXFmJO|Eu;am*o%W%F5=R0tI1n19i(ZQuTTzbG|G+YAVvI;Ke;8KAGA{tajg9d2O
z1r0pWAP5aMpg{^6oIrzjXlRRuZPCyl4OgJy88m#2MmjX=fkyq&Xc!vJMWZ8V^bU<B
zG#-k^(P+F6jZ4t@8XCWVs|Z&YxORu@aJWu_YcyQf!Sx_qZ^HF8n%JR9M>KImlbL8z
zfu<|bbPbwrLeuSNdJE0;Xf^=N4x-s%G<%KaHfY`%&1azbAvAxC=AY0)jTRDGtV4@@
zw78BIpV4v(TFyhuOKABDtt`+=Mysx9<&RduXcdW88_?<$TD?JQYqV~T)*fi>gVyuW
z`Y2kLqm6_%L(pbA+N?vH&uH@vZGM2XSli}k>xZ^0(Ka1zi_!KL+I~R0Dro13cD>MU
z651_ByM1VP3GEo#3us>t?K`0TFtneB_P?P+Gjy1P4vFY+9336daSA$~#xK_RWg&jK
zf=)Vg@<pc^=oErZVd(TbI(wn>F?4B$E<@4fEV^7kR|C4vLst{JwL!N)bjw1w8|W^e
zyDPfyLJu{1xT41p^q7nu1?Z_p&qe52gq|PJs~dXtK(FoSbs4=rptlCSd!qMp^v*-?
zO7!WDK9|ww4f<9^->&F;0R3vAUjX`TMt=+RABO&m(ElO^w8DUa7!Z#E2Qc6-4D5t~
zAsBcYgPLQ|Gz{8-K@}L>8G{F4uqOsj$KVARd<=u{WAGOYsg5BI7}5zt#$m`d49Uk(
zYYY`J)D}bSFw_-8XJY7n41I}V4j488!xAy<6ox&)Fa^VFV|Y^xpNHWWF#Hup@EGBM
z5pfuC6C=A~WDkt&kC8zbxg8@fW8|M0RS%=6PVjP!T7ywrF{%Kg$}s91MvEBT6r($1
zv<F7VVe}e|UWd`UF**~Y_ha-CjJ|}?pE3Fe+yuDwgqsK4yx^7yx7Bc42e%DyI|;XI
zaC?q112AR~#w26RW{la2G5av)48~l=m?s#^VXPiwJ7H`9#s*<*1;+KpxMGYu3U>qC
zjc}g>_gJ_epgP9z=m(Fr@HD{F1)dw=nSt>tjPH-}UKqay;~&ARC%i_&YY!&0#Dr{k
zJHop$yj#M%1H8M#dosLd!aE7x``~>F-tRC`i;2xKaTq2}z{H7|xC9fkF!3fPGWfKD
zPau4v;Ij%o+3<M|pD*xL!M6!~hr%}!zMJ5C7``vy%P^@LCbht%5ttN-Ny(V>7?bN_
zau-bY#bkd>4#ninm|TR(&oPCpn%<bQ7*p0_N-CzD#*~+s@)!K-!LL937Q^o-rdGk!
zP)yCm)bp774E`Ma?cqNi{t58k1OIynsDc0)0fP~+2m#j+Xh7f`1YX57XH4sZX%U!~
ziD~5sazc;~g0>;30@H_JdMKu6VETK^aK;QT%-Dz-*Ad(R!O;jl0x}~*1|cLGA*Bed
zi_j#5enr@1gsnnYCc+LNtO#MZ5%ved?GWA#;oA`Y2WB?K%mJ90jhWvNQ3Vk;h^UQ-
zCWsh@h$)Czf{3k%*pG-pL>x!NZA4TevN|GLB62w*Um~g#qQ)a?4x$z!YAK>J5p@qy
zzhjmQW_e-OI?O7-tb3TvVYV}755eq}n7s$HPhj?S%>EU#zazRfqFoU^2+>m!y%5o9
zh(3krM~ME8Idw3nALayLPBP|P#av6wZHu`cm^%k^w`1-(#8@N788O`v<A#_(#4JWk
z4r0zD<`ZHa5bK86`G~!SdB0$u8|EFrd=2I|#{AKkABy>#u|S6fE3r_Gg#s43U||m|
z?2m=RvCsz#=VRe&EZm1h4Y4R4akUZG6mi~&OGMm$#NEbXD=hAe#nZ4j1B>4wz9r&=
z5Wf}ie`3inEQ!IAdsy-SOWt4!LxL?5T#?WW2`!P(3kf5UFa-$_NLY-7bx24@!fqrK
zAmIiQeno<UrFtywgr#G#)DKH%Vd*j~-HN6Av9uIRPh;sbEd3M9>S9?3Ec3*&I4oO(
zWo1})AIsijc`qy<faMpkyaHqZC$>Ridn8Umq8}2MBXKJd8Ir0aNk)<*l3b9~5J|0&
z)D1}kkyMPNBS?CRq(8Bu7FKk@ibYs)3M))l*&8c&W90{|G+|YBtP01fWmt6&tIDzJ
zGgez*bsemhu{s&68P>GJnl4x~6>DO!CJt-1W6d?Jm9e%S*2ZG(7OXvowcoI=9@fpm
zx?@=P3F~WMeGjZ(j}6w?&;lDKV8bD7xPXne*cgP38?o^kHkKh-jpS}f_CazClJk&!
z5y_X4`~jP)Vv`1&oUy4bHub}%0&FV6rpwrD#O8+BoQ}=cvH2;sSYS(SY-x`zzhKJ*
zZ1KgG0&LY|Yj<oNjII9I8i=jo*h(eVcO#`QQu-q$1Sv^K$wkUDY_r9-;n=nu+nyq|
z3sU2dx)!N7u${Io?%2Ky+Ye&<A#A^n9oE<(V8>kSxPcwFu;T%CT485Z>~zA;KG+$C
zomtqKgETeL9FaC0X>*Wv66q4s`yqWc(zhY~B6e9}*L3XKgk86h;fRcm$nZo)9x@&w
z<0W=$v3nSHhhTR&b|+)^7VN%_-FLD3Gxlh(#|C>^Vb4J9IgP!=$n->J95R!Uc>|fZ
zkogRmFOc~OS+$Vmgscw8T8ON3$ohtCOJw&zb}wX)K=vqPdn0=_vbQ5UAK8B)rx$YE
zkQ0EMOyp!Ervy2r$hm@?zmTgzt`WJ-k=q5i3y~X#+>OZHgxp=oy^Gx6koz6`I%A&)
z_N8Dy?b-Wae>x6S$AMNjuornY$TJ|XKk~eh=YzaB<P{+AB@XIv&=&`zaBv+CrsCj!
z96X7GH*xSe4t_?y1@g7XcSU}0<o84VK;%zAz7O(eBYz$8_aHwD`9;Wofc%d*WQju^
zacCwE<={{$4&6sV4;1W0!ATU{M8SI$@+j<#!jULkgCbWHd7>x^MOi3%h+-Xzd!cwI
ziVvXp42sK8{1%6`INS+`2jj3W4oBkfavZ*cBU&6;j3c*jbRv!(!qGo)>@bdp;P`PI
zKY`<CaQqyO-^B4(IQ|YLRZvm~C9Wvxgp$4}8I6+3D4BzjSd_$}BpxLnQ1SyOY;eLJ
zCmQ3#6r2dgiBOz~#)-u^k%SZLabi189KngpIPn}OKBAOEsfbb;rOi>=7p3D-Is>IE
zQJRg?(<ps{leRe711CLk@+3~4!O6=w)c~i~6V`##Za6&|r=xH>0jIa)^kJMX!|AU$
z{T-+O!WnCv(c+8|XIkS-ADkJ9Gk!QT4`<fm%vqdyj5A+xwhGR+#MxmuyA)^BaJB$v
zui)%UoFlZP9?rGJx#2h$jdQ=_d`+Bhjq@XMJ`d;5;QT$De~$~*aKVTREpVYXE{w&6
zU|d*?3(2^Ug9|0Na2FRo;i3u`?QpRRE{?;+2wYr^i$%D28<$kLR1cT><I*%-3d5z@
zxU>nEuH(`VT&{=9{cza_m#5)!1THVa<rG{l#^sy1{1}(t;0lK;dR%FVEB$e0KCa~8
z%2iw)gsZD@bses5!PT9(`VrUq<Jua~M*n&>TyKo)opId_*8^}p9@o=wy$shYaH9%t
zIN?TD+$hA2GTboXrX6l}#LeBfc?>t-;1-WtGH$iQEg#$p!L50?wFb8i;?_0XdWKuy
zaN8EQ9dNr9Zu{f*LflTl?E>7sjoTk_XE^SR!W|FX@xh&J-1!T42ji{>?)u~IY}`%6
z-A%Zgfx88`djoghp{xqZ98lH`Wy4VBgR%&eEk{`f%J!h_J<2}f-ca0|k9)Up?;h?w
zz`Yl^UkCRk+;4#Uop3)1_fv2`3-@2*{tw*$3lCiJpd}u(!Gm^qFclA?@L)b3yupKa
zc-R^bJ@9ZE9>(KgDjuG~Lxu1wJnDu=J@9BC9;M^aUOXzp<LY?qgvTLx9FE8P@%S7b
zKg8o_c>EHNU*Yj*Jh8x&x_Gh{PuAnfaXfj5r<Qoy1y5(<>25r|ieKyF*LnE$G=9B;
zUti!^Ydq_YXKU~*1J4TZ>>Qpw#Isj;-V4uD@cb&C-@)@wc%jFO-gvPbFOu-$HD3I{
z%SLz^ikHXnn;m|eir=>5x3~E1D_(WNt7N=7jdC94I+VMkJPhR#C{INB3Y6!f{36OP
zqx=hA*TCz2pmfVO2E6gYo3nVU##>*!r2~p$oQ-!+@m`Pjeer%5-hadgD}1Pj4^8l)
z3qB0Thl%(Qfe*{@Ar&7U;A2gEY=Dp5@G%7+f8difKGnphM)=eQpL*ca5PTYkPgC$I
z1fS;MQ#?Mc#;0xgv=^Ta;nN9xx{FWG@aY3S{f-JA6}G65P~n1#mZ<2AiUFt?jfx4V
z2tY*)D&kSG3Kg4Ck%o#~R1~736crayaSIhsQ1KcSKk(TapN;t35TD!P^Kg9j#Akne
z4#($Md|ryr>+pF8K4;@|E<W$a=Y#nC9bZP^%LaV8iZ37V)f!*j@O3u6F2dIX_<A2-
z-{D(Vd|QlfXYuV1d>@bRsbB!B3pN~V5m-4)9bpQCX$wp#FkMBZEh;CXG60o3@VgIw
zpNrqO;`bX+1SsvH%!jfC$~Guh@xy>01MwprKc3+a1ODiZKUU$7YxvV1e~!SPEAeM8
z{w&3xmH5jYe}&+$1pM^?e?8*RpTjr~(>W~Uu#rO+hnE~Tj^iG379BW?Rh-2o&axY4
znZj8~oYf_cZ^rRioC=(3Ij8!AQ_th9)tvQm&iXr7WjI$QovZSi6RL5-1Wxebgvp#R
zl@sDQ;Vmb2<izQmc$E`>=c<n4sxIKFfveV)tCq=CyTxe+bDB_2vxn0#u6ir3dN5Z#
znXCSQvynNQo}A54&So)Zvz4>i$Jw0cY`$<cj9iT&T#Z<+MmAUD8E0$H*>>k_qd41D
zoYuf;-8k(@uBIbb)19k1o~t>5tGSM=S;*<?bGqG}?gpo0TrEegR$s1`Cs!+qtM!Jf
zt>bDNx!SF`+MT)DBe>e3T<vXK?LA!W<6P}0T%9glojF{cOPrmCv#Zb9b>ZwhIlB<f
zZVqRc$l0ZEcKbNHW1QV(&h8;+_m<OJae6JMci{9bIDI!x@5$+dIQ?8szlzhRbNWM^
z{v4-&$?3mvb*pi8^<3SCT-|nD-JV?C;auGbT-`vf?rg5^a;|PVS9c#*H;=1(jH`Qs
zt9zNN`;e<!&eb(>l8TdLPHN6c-8pFpCwXwvWKN3Uq&QAm$4T2bDVvi@IO!#46gXoo
z&e(}F26Dzo&bX5^?&FMSIpZVF_?eRpoZN_$yKwSIP7dVc7*1Zw$(uPjos$o6atSBj
z=j5-P{1<2M$l15x?E7){BRG36&OU&%pTpV5bN0!c{cg_wIA{NetJjjNH-@X{&(&MN
z)l1^)o#N`<=jwgs9C*&59_P@Fa~R4wOynHmIEQVVLm}tzlyfj~^{aFBUAX$4x%&QG
z{V1+}3RnLqSN|qg|1IZe!8sZ@$I+bQBF^zB=lGU$YR);$<ecI-r)19Q0Oxdxb9%=)
z{mwaCbIw#=z9Hw_m~(E*Ik(`PTXW8BIOk~2`3SRG_M0i>75Csh`}Kq6gIcCtl?{IE
zQn7(QF6$1I9eht=I0qXZ=)$*ScXi%xrk$Z+0af6ziLSiTS=pd7snu_kAv}c!4AwPa
zgI}{Dyyk~SvzRg#%n^1wm{k)=6C|0`0$0Qu4;D11%>Ja76y<A9WH3khZV)s<V<lff
zGn%ehML`ISnazHIjv~kt8bRN-kb|(9O7ryR9jLvQWeZ93mOYn#-eM+sLo+DSZcl1N
zrG4aDLDPrTkgf`v+@IggKe1dUXxM!6-wsM;5dwR|^x8s-J*vYNs<dST1<gcBQz|tU
zG@GSw$^a%jjWA`iw}LsP&ys!&UCWV=$mv$=@3$(D14<s*p{2|Ml|#Ct2iI-bDTjRL
z<Dx<r&oGP{zO^WbTy(h)$qCm}|G!?;FzBUHjmguEPDSs#F{43~lghgOJ%}-s(9v1a
zn0SFBhZu!2H@0jpX=bt<iqP_=0hS1wXEZF1{J1QNIaoHLlgpT_2+T{cU1YjK2@500
ztF2;VDGhqA&_y}LYxhO<n%h6Br**t4@@CBC$Qzy6sX9t?3P)NeamkgtdP<r&$&Ip{
zD7KaSx5MX3Y>vuB&`c?pxLngT%OpXwU1EC5`}3yAE=P*+Y9?sX&E8}3+)-FhW9<<(
zRnpG+V>nZ*wMRCT5S@6lE)tud-kY(@WFu)P9xGC^bo=M3s)F_i<x0<aB599o6*M~~
zj+s~uO9xuJ`Kc^S`oyfsN&J$c*ABjXB2YNINz&f>RSGtHzqJR+|E<<c6EurbO`MP*
zY4W9uQc$X?p=7yB((Iwd&HR~j>hyO+g7%0xZ1!O!J!<|%ik8)^5j5e{8}eK>vaBy?
zvW3Ou36G6r)TxK;4`mQ#AXau#)bw74|0F?AN*PTN!W8>mSiB=MOOETxcVzW8N}AX7
zC=W9w8ecQXvK5VTOf1V5xTiFUZjxrIq#3o0lF4dEavMzX<fgC1x~N!N(;^Cb8lc3)
zxW|l%9YaA+$77Di92v-B%t22YHd3<PSvgI+k9iB)Yl8&ME$OphyTKHv-A9Qf!6Awj
zttRV1&k~lg*#fuU<Y1X1{7)Wxli?%%52m}5(OOvSC$TD*n@DYMwwLHQkKGfVnk0ep
z@+c2R`<*q<qZGdnJt&#-wfVP)nLWkc`v^bNWI_%*ncJ?twx#z?{20kfwWgm}eeHj3
zf%!z?(<ai>LS1V~WByY5tdwJ&Z$7!1Ar<OYnICqPp1bmB8)-4|aMSWpM95yOZHDxx
zh0Z}*{Euv)@KBDWfBX5s`~$jn<_o`GX(BDi>LakzIl8ZR-OswT;mwcur@8QnuF*4(
zVV}BC>p!>odL`>DXBzzG=Y1Ar1)2Nz_UiVBQyx;Vhsh{unYrr=vI-<-BWacW)NuK~
z9itig*|(n;x4p^s34a!u`$(fIYeIoIp1PZ!B+1Mn&Av+E_<v4NV1=j7l}XJ;P>7C}
z-=cs{{nMdBa@C*XSla8KH!WdJbr)A2+i^x;FeU3}Hs28bX#8f%=9@h?E-Kzwpfvw^
z+oLybo8vwH)#ay0b(g5a|77^w`B#R|zlTux^gpv}UXMSUSyAtQh9S_bn{2;Z67{u`
z(q(@N1)V>4(Huj>tc_`TIfbPw<$vBTqj>*e&r|5lzurBQrwWMj@EEKgdX&PHloZoZ
z-T(EaHJVa^{$tTatp&D?0zlH3YW*&OSl{y5Yg-egC@L;QI)~UvX3}Xtm@Fk_FTIaJ
zdq~MpHd9!RO8fmPYsi!6(jIyvX!Bn_TOb@=_VxOWi_ciYZ?+#v-t}bl6pqqwfB*P1
zpV)y}ooB{Z?#G*MHHUlrC`-vIE!8u@;ea`xIQ&N=Rrff4z-={M8A|V3xvsvtFVbV&
z)M>paueeZmo!Q<{Y%e}iYkz-O5Y(rS*Az-F-lYsHfAg;t=Hcu}|NkU0SCXRm-$~5B
z|Nls0uKaHjv-Yb}PbnQOtWXx7VWT2Uhs;{0K1HrCR~G8nSK;`TwWl%*kK1*A#rsn|
zQ#V87!T))Q%8TNhnL%0dz1Mu<guZ!{%ick$uh=Tn6c2j40?(YH<cV$h<Nrs=MpyQ0
zEs)CndYKIn1`A5B%JBB)v-|)4-lo#4jrr?7)|AelV_gOdah2oyNdKtjqnH1soadSz
zw4pQ7&A-)lxv++{CDo`6-ympzoKxNttDO2de?PT)xiE|!31c55I$PdaIXhaoBK_3v
zEQAEq-$&y~GSLz7ov(0^BoiGUr9)Pmqy-(56e<@e-OPvXKvA3DKawD#=4-FZh1Nf%
zP>6JvL=ZI<KBcSte##*Fc7()?5W%`oG);)a{EqaIf~eQ-Qn@gnwWZi(YMlO4`p|F9
za)&H~6W=VOB-Y6+c&IUtB3kIldb5Q5M(sIf>G<|vuOrdE|L+S)wBKHvd+_xN^`OfC
zOIZE8{a@1RXEVtuv)vQ=#{A$aB&n$NZ%I`yv@}bq&-i(wK+=ArU`$E-`#h3X-*EXq
zgP}?LdpvWZq=PqGP@3?wpVBJG%<nbbe_9haDIkE-bAPftt1cAe6%-}PE1L>`*t26Q
z{|GP7A&ipp=)wP)QWh*w<kA2}dj4xKrSAgae^^=z&9wCNZ&Lb?@uhS!)6-KS>nV}X
zf7%i&$C-7()1O4;D?DXg5?C$mn-&xvo@l16v+TS?sWOx`MG2&oGDEK;`nr&QakPb0
zUy0Od|7=bV`AMJuxnXBBkv<hpy{6x$u+qNt+uzN1QyNx=n7f!^YAwxpLqT`76pJ_7
zm*o4@ew}xVos_h1@&B;)9&lA1+x|F+=RkIHiL!HyLiRbRQH(8U)Tpr#d+Zgvf?^jt
zpjbE>dyTyVVgm(ih@z;7U9l^QVpl*R#;eF|9FqLMYxX%b&Aspa{_pd0pPW5w*0eP<
zYgWaLmTi6spm_loade}xF|1T=VEFxi7PH7CzdjW;WfH;`z0yq$nZ9|u^RCcM5o=ax
z*2cEF6#)~M4{~w$Y}dpjKb*68?i^?N_oY*(ES^#<ypiBinWAkcjZu9Lg3n~-CAJN=
zxXXlX+%8scw_sw~T0x(ge0n;oM_xzESPO;qe$<Uskw5H|Q2ZJD2|O7L1s`8+eWL|y
z=#&L_0r|={HPCP~FL0cs242_8$v0Zs%U53UD)w@6b?ztrcC(k$s@pe*Yt~p^)gWJa
z%>3%v7ck9_usQQN=u6n2JmQ{&j<1rcp}+Lw9C(L*ufmyI#4Gr2!S{GD7_2l_>A+M)
zPJ1cfucj)wuBwAH6dRVRJb$@LYJ#0ge_vxYS4p?AC+Wv^;GKib&LeV9-pY{bzn2p%
z7<cVA$e}-?05b$`-sw6_?7k-tLu-p~Zi^}65o%d9#_A~O2k82gXe8+|+7QP9y#dhu
ztI|-S)IH3bu+h%@JsYn9R^zWP4el`9rbaNuJ8(X{StNnMSt+pZ!Fk3U@SH%|U=~kh
zIe(@a(2MvCJz{&rgJqkkT){L6d+ai-0%B-P_=y(FDNWwQ$|-UZ3+ELK7xiFc8!DY(
z-+Ch7aQjp?`!`$(MHi?(TnIa`siJpTtQD0#$*W^vhkzW1?h|Di^^S06uo0qr;yYR0
zJ;#wqr7B8)zGh&FFL|O~&SnSx+KyAXlQ@;1C=F-?qJGk!sXe3~Xp&6GAAw=r!CDwj
zN9o{3BHVXaO?x<C>3Toowd?5EIvC%k+Pii_*q={7oY)b}0LuJTZ`N&50G8MZUI0&7
zlgD^r9kIT!9=4O%X)HWzFBn0*z%p39r+~O;g?J5!vtnf43R?u6_$LGeiLfZwF9W3r
zj52@%ql`gdlwbr#VJ$#CC?=x3%Um1a#I6soK~E0?8tMV44ITt`|A0a6W9}@;Jv?wE
zZ18v~J*B1CL+)&@?6d4usI<mRl{T1BX@{9AHNeWqcg*e*8qmh%x{Eb|UyR(JAbkP2
z8F2DIwhF^~ibc}!#j$!}0E!}@g8;frKzmq-7}--=3=Pho#Si=lZWsHU7Kh%UtJMpG
z6#8SPdZ7-!WM8f(@h0l~`uIqPo+n1@i3>P|y$UL?$gggww^=p7?ZJ=+OT%z)4nyf%
ztu%|<sShflRGg!8SmGSq&00|gucp48C7R?eYVI2RwGU1Gq&~vj?huddORU}{@d`#m
z{3Y1RM1_5Kiw=F4_wm*OFZCAg&qO8TN;Rp5dZj4iUg&e7tB}4%o}+UaoCG(%f(sFi
z1+_zPqb23D$|aT>XLJIqyg_4?r_3|rrT$1T_Ne?T?#o{>RD{yA)W)s(3UT%5!o;ol
z%6ypyBAB2eBf(@^x%@;W@^Ljuy;l-<*C!@vbnalf7Bj@Pn5fuVLjBk=atD4AaAWvM
z)18-1&;HUt7u~n>=GHFU5|i=!uqOMvnp)Mp)8)cl-RQVeffrqPCHB%FqzKUwL4ILI
zM0?z>`*r8ssJ+gt62dO}j$6Ii4`KxtqFX+3={R3!{x!lk!Z$Jw0u%mu9|d7FKBp-g
zjoZLq{j7}I1@e*A@ap$LG)N!Vd}Cw7Wgh`9%2(l&_#{@o0_%uqWSiLM2Ci>(0(RQ9
z?j2!zQ&?VYz2iUy|Cx!x1}dvGio?=6(Ey#_AJd{4<y{B=foMi~+!A8)AEFrzv{1lK
zY)2qy2?7NPQaq#-8=$yr296Y)|AIt*Wph%!4UX$JUEi;4UP@Ry>d!@1FG<6e4P<YD
zEBn8p%3H`^;skt8Op(M&s|~?vpUMH-QO!;*31_(|ILleyLqTwj^M`BP&d}&%TTIMw
zHYJU<|5$X>Kbt$T20=#O@goQI1p73er9m$AQLxRAL^=ytY8^?)c`Qt|Ch2L;-quyb
zXTh~DWKFii^WZ~cu)8bSzgsEMcp}_Bc?;s93@JT(0m_awR+{EL6MRy%c92q8D66*?
zg@LH}*Y><*j5)uMn7cMCk&o0srkMc~Xu~V2I_pL8r<pYtH$}9#??hw$Sv-P^P*1pH
z-d+PP6T0#~(3MwIIQ5%&V(75D3Q4T^_u`?U10z@HYg^*v{PG_?vJ*sHXS3(iLDUj2
zA6#E}`{>Y=VdJeQS<WItrSbn?gi2XW?0Iwajb8`VD|<rm1M8_aR;bBp@)38X3h|qH
z?h*!s7ZCMk9&0ie-EqfG-$2Z&AB$7ydl0L)M*E(%6kD_cI9PHZJ?G=E9)u&weY`Ob
z0OuxkF#MOlzWFfc_ckZKL!>er=BQ(~zCYaNWn8#t9XKLaHpz|hYQXrvoc+7l6HiV?
zj~%_qi0`FW*VTbzC=n1dY_PM}xG`R1eAnzAWt96hsfF)D_g)<S#6`#fK|U5q;2hS>
zGM)YXVJBb8iM}_;#vSifM$U+4ZIm7O+!}|$Qg~Ig)}y+&ln?l0wtP528vEx;tgXA`
z2Np;x>Mb~}Dsn~wqITT=b1nw!r?Ej)Zf*PLKfQWLevs4dy8%Z6%V)HUiP*=a8<0nO
z6tv7e)atl!i-;{(=C&E66#EuLq(t9{Q!bEjat|UV`hJdF4c;Ki*{g=|p}kjCk+ZH5
zqkj(vMHb!Z5cuNqd!w|(<<|}%ZyCbby^0Bk)9{#xL2ykUGzN~r;l42@Hla+x=WP0n
zQYtYD0qgUZg*#A#UK)fw>2aaY3$&Mx_ztlbnw<~1*HTsuo0rO#7at#2awo45c&-;7
zUjy0}THn8nzXmiN;ey$noP??O?}bl&ZWb6&`1T}T182uJ@HvLp((e*E9A{gr?z);^
zwVKj4H|GTa5<b|xLxZ>jvoTqD3k2;xW%ohfRh0p`-LU6=RGwN-N8xa`CFeD(@HL!@
zt<T0CI1s~3OgeeuD(m1}IQXqm&KB`+P1g9g-l^ZQ8ncXY-ju2R2U#RWj{Xw<6HDta
ziB-==`)hC~WE7668*eXXZNx*rWuC46A0z8pdz@XI76{$FV(9Jz-M#;at|;|nW10w0
zb}>9Tz?1!-@mMA{U!bnK5!Y%Jud6b#$EyWZ3wb-6h_@6zfL3jx+!!P^hl~MlrH_U1
z57q92J|UaGsCEa&R{~>EseM(|4Aid(HQcORM=`gNU@<fDrTTLA5OsJZs!JR#!d6&g
z^jO9Ih}5HwXoWVlcNhG$>v4DS@G5{v&KrPJ!4q#bCu;pidbU|hBh-Q7<%SlBDZlh8
zg1Lp$OVJ8|x8k>|m-bjJP%*HX>a#i$e&cx4ln(4CHMg#UFSr<OSs&H}iU_tyRa+@T
z={Y1~W7x9(tR8(|$giSDLy5Omzn6d@Pol@pQV`VdJc49T`*Bu%3D2xv?6cS6i3KUN
z7CY<9G!Z-N3S?llx&AmWZ*qSPUwTBGayPJE5A0J8PP9bNI-op*FRJR!WFfm*KwN}7
z1+2IXZ}VwvUbPqet2Uj+c=k43=M~fzlG@ikA@XE+jLWS<-FQ{rc*M}bfisr<W;Tt2
zoOnja{yDo`9JfN#<nR>Q8-cPW%b<s>o^Aaz8BU9_Y0TD?>&UD8>15x1#sv77E+rpR
zZmauM{Y?5uE3;i4>HYE7ICW$r`dTTClsNI=Vy8ig6aPIlFx*XD`7^0^lHmV}Xbn}<
z;cn<wBVC4Zts?u{04~Y~faA>nR!1SKfjr8lA@mUD6yQ4#(6Q1FY?{Qs0e!@w!W6*A
z0o=ctI;=K89%TTcJB$Ao<wsB+i1H&SpTtY5GkO5vQaS*dK7t>no9m+@Abxw)k%s!z
zwNvmN1C$S($Lau2yqN}IrV*HdYO2j1b&z2?a9v9~5I_Swj`A5OK915rA9ZYdr5Cx=
zTH=cV(_B_>G7#MZ+!4Ut16)inPX+y`_6qCy0w51_dIBQbOZis%UYe~A#W7h;!4!T8
zAK7A4$bu!d^^)P#z&GrR#>aJ}D*H6lu1kjcOm5sWn}4ozq?W$C7k2^ZMr6u)T0^Z>
zpZU~^{{DJ+^`aZyufWUCjoV$3V`<d>H0oFywZ9p#e@L>Qnbnr$$sXzA&jwPFkz&2`
z2m1ikkD>MhR7O}#T6OuznZIZoV-+5v8{Z`tCXK`DOLkb1CnWNwh5(64pN852sHc)V
z0db}mX<!%^u+^l_r)K&vH(>ps4Q{cT{*+ey*0ofhR1~*Q*2b1xd~AMZT6*Rv;n=A$
z0~$w<@U7m7E{W06cUGD_R_MmF(qgn*ima=Jl4gjt1udo0gvHZ@rP72Q@zCf=j<X5;
zb3aDiiw}K@O{=f(A130?p+~>}0Y_7LgZef3#Il9T^f@zJ`~%kPFv*)E!uDR;Y-D@w
zS@o7Tx!kw~f*lwWD4u1^rh_ggL&pw8Jj-4I^}8aT<rT!UOcN1Z5mQy(wboNNA#mWJ
z&d&0NPDe+dG0K;r2T5uK<>7yfn2C6q^6USLh?$ONg%4yAjijROJ<7m~%JmM5=Vpiz
zDNN@BGvajqZvN*$oe#|an@FAVLo@%A9qS>@Mzn}J{wy87@<vIhi}5<7kPrwQ#+*IU
zDI|p7ND2v|OJ<Gj<xw}_axD+Ljc5t-L=XGc(D@E)do?eCl*>B{l*`|fa(Ny3>JDzx
zV32n&#5TMlA?83E7T*P&_ybZ&AJbIQ4+?5oRnqbi#5axa0riySHBtd~2#DYC1WK4+
z@DvGG!V+SZ$8OrQyIhw{UBLL!Q%4~{G@>RRPP`EoGAm%K>DnvZuA%+5baX+e=zmp*
z9>(qQ_w2JNn*PPA@D5f}8=(y-94e&|dg#D;vs@jHT>3~SmgVa&>XY^geLIg^NRhUX
zq|Xy_$W>|zh;`3?Xl!dB+SdfAsbkXQL(rZFKzn{@GyY}U)b=D_91Hp4T%2?_gl3*e
zF|6LGn>Yq{^QS<8$=T1Ujc4&y@a+g9hGXz^^H(MlBIHV>0*_{MgAB*w!Xl#(j#&0z
zHBiUCR8Q)!{-#T6Z7+`zi{k$?qEpLbTCne$*)R9d?HVyMv^zY|YvAIPqj|;qHQ1L%
zrc+{4ZXMiDA%-VyH}UTg*s_qKzZwhkmJ0O#O<7nY{G>^;SOV}Z>=I^at2Rg0k9FD3
z_R3bed7Pf(-l-0%{ZK(d=&lgM!SG!%2gdC3_Vyh;cu>UXgC<Cl#*{f2fv>*!ItE|E
z@f8?B`EZJl?|{nL6)?qo28->1)-R<yy?Ml%JgTo@t;@pjHnc=mL|hwc77SAtR_`|e
zJg1s<(JrK`nDZb+4d~43El0^DDyfsV4J8;+&lgT?U5;66iyK(5xJkAmI7XOqKb^J5
z$*D`1b1FyyY^y<jj~n(iF4&wDnvE~-<<CY}wrPM;<eK?Jd65f7l*e6gqN(%54TEU{
zlKIppTrY@i#T>7&dRJ%`a?D!c9}-<A+y<8kdfb4d&KMXLC4X#z02B)&=iL@}M<;QL
z(&*P@Ee0x;{l(rXK{z-kPF}lxe@OVV^QJz}b$-J}n1{Oj(mV3z3=`PvV-$CH$9BZs
zZTS|8P(+KV!s{Bb67`vFHCAE8%0)}p8YlRT_UYr?>G0^YM&3bPg-5C%(L>SI<9evK
zAPZ7k@LzgJqou96ts6;aCG`1?gqRd^EAYNKt`sslfkH-mP{`<nvzTBHEo3wb*)*Jb
z9*Z$%*MSmmoI4I=cUHQT{zhv12y!C%$43H*!x+?Z5Wubk>@X0Ig3jx6TN9IV7OK;l
zZ=^6*&&SecDFQE50A32<?>*M%wg6e2mCl{KefEvCDtosE{mubBeA^j4eDxc8__i~8
z_^y<thwntAuYN<L@2Jrn_j9?;bAW_SkAhLMQoxbp1stzKfg{HYIG80cwhYw*M)^7v
zI2d};F}HntAb6DVMjFWC%m0TiXM1qx+`c_9rNkh<k?N-7buG6@uZ4MiSMopgx+JwI
zdi}oSK<R#N8!X^_koQ}6(D(b2DUvYXVc%R{pnP|uzA{@#vS82ylcGhe-Yi_iAKoj)
zf*ON#Cja#VW^lHUM+ozu`+xllSB%h;iQj-|NJ|nUu}0FxJKprq!#lYBkoKfy8X_RT
z!l{&mNMN5~o$)aX8?k3PA~bDH#~THKO4FF>E^)f4=x16A)yu$f<HaftXKuq-MLeYd
zls)WLZGqAu!-~=)vj=^7Lub0Bl?ACd(-U*My}+P;%)uL}loW9jkE3e%O5&E;B6cQ)
zNo}Yau<nFer8uc__MdwoW9Nyqy}m{828yv6^SX}Zv8F<A{0vjcz#XYE`UwGp2X$dD
z(W_axA&9(LPz`lFFq0Im5%3uV|E2(*hM$@4H2Tq6=C<aMHn6-~cWCx7X^!~;K55=A
zW8R)AjdG7+)_gUQBrLA(X2a%+ef5_IbZEZXh!AFi;<7F$Wz-G~gawKf^VL>N7->DA
zCG$mm%ahQU>(AaqtllmnR&P7R>TP0))mxMI)6Hl75d0xRX_XrUJ>=T+N+i24$(|IN
zcg<Kt(n4rnxn81rnr^?Exczu(fcP^rv}loJn|6`4LKuBOZvu2bf^LFn8i*5mNaBY{
z6xf6qhT+-r8Uoq@pfv=v6d@TQ7rg8aC>((rRCx?2lE9Jx7D-?mW(Z-5fML+deu+g=
z2rQbwt^h2Wz&7(?xu*>fo<efU`uxQ}zWgv|<00_w2m2L<1=>Y5E~3URs<DaJ<t@OP
z>=e<6ost1Cjt!-lXY$@+A?`6jNy>5e!`pQTt1V&`{}=N&^()#7yKjJ^YNETi^xb%6
zsF?8plaG<5+yhw39Tk>xs&or|WxF*QGqN}ohJ8S=zXSHZ1@_OO0A2|j0N}?z(`n~D
zRcJR*Gc|zzI8}Mbp4m55dJiA$jWFl(@tGH4lE)fhp8z<E-k>#<8tJf|aw|`7P^xj+
zrbv|-vsUMV*rdDZIU0lK=p2if+*P@j?T^NysOrHYHD7BLOZ_<!)QaY`8Q8$;O$7WA
zg1=V;{)m8wZR0$ehdI`1SitHbvW|R@D!eLE;ht9E7V{UAF-MR*rN5xjrxJWt5%^RA
zpYo>%4vrl+q|5AkCsy}y7B(wYfKAYJR7oyUMVl}_n}6F$DQw0#Qyt<h6*6mFtqy4<
zP14v-L|lTQBX6fJ#oom?@zhtOD(T>5s`85I^1X_Z{PHp$xj6NbF`q9}s46}06{!~3
ztXiz9{1z}-+*Tb_o67L6SEQ~izAH+yQIf%{s8f0r?m$m<z)^w}EUwlA4|OD#8Fr(J
zw3^j}x=K{d<4<tX0g@ixij<l&M=S7By#=d8CBz7cK~z)+7Gr}xE-u0aX~lSEpHb?A
z392Xo!+g=2<&BMD5F11T$uf&#ysDu&1S9mG7$N-GK%!3LF`eJ<57z0F|4J5Y5SqdJ
zQ;`}I|JWF~#B`}cO5!L*S+VIFtG*?k1*$~wEQqnA$FZl!JD>uB<X5m`{h_B~4zE~)
zn|^18A2J;|(>-=z58XDO{_Fd>z|_kDZ;j?#x<q@K`gKY4j!n>w-+yHKQ5QEBYIwLm
z@%)zHIWsmG`FF6yo*TSi%Xa5Kcum8kfEDYenV=x-sQYd5l1by8>-%)?1cl;!<ZR&f
z?DOA|5A1W1w_y)#jy;gM;V0&V2SrGb;nwkp(=n#*F=t1eb2)Q`vM9)VdKJr~a3DXA
zLL1~!=+t#o_rb=KLp&o}Qh#mGUz0qRH+Y8txyGeXLG~D(_{1a!JlU0a@?>OpFn(j}
zj_lsU$R@JRg;PB^`bhXsP_hp+;6&g>s00B9alPcv)`Kxg0}exkKL+>UCZ!PhSm>RX
zO=rE*e_>UrUW&~}74Mo+GsR{TX&fW9&2XDemsd7m0t!*>e{2>CQbEpiZ#(;|6``k9
zq-C$~5qYs=V2x*xOu>K6j_}P<@mow;aY@%%S!dROJG|nhAx*ceFRzwWlj)|L<g7^n
zqkMXcyL~ddZs=G%Za<8WS$CYcyp84jTd6>;vxCl>{fHF2gCYg*N2K6gB2w@e9DVW&
zsJon`*V@4>2NUQOfCdxj6@W$y&>S4e0810ML_b_=n+PxofSU*~34oCTP~O0Pq4N<v
zAnRVl{W}eTF@j;q7pcZm)VN4Bo}$JLtwz!<aXwmWOqQ5FLoEqi1|+tZ#hL%Y2GuUx
zP`wv6sCe7PQqvrjX}L<}D>nQ8s;D(gHaZj`If+_)j;cvi^EoQs67@X95nI?+JDT3*
zu->K@XTAY9uPt8Y_$*GX{O`TR+uVf&1&x^v0)E#-fIpPRX7^waAu^O0<oIx9>nWXl
z?^(!^bGMvDraI&QW2QPe{_xPG@#p3ast=VVcOi2*Tb8J`xi7m9wfTe6(4x9TZ|Pl%
z?u?<=2RN=DaI|a_Vgv31_NAaM^uNQc0HK0+IT^%kt40R-tLe-ETw5iW>$GR(hruLg
zv)TZ1?SEaom1bf!d5d|Mo#lqdQzBkDKWUu`fk)k@)w#i#H<eXVN7~=rb@Y5p*ccz9
zyt!G6aZPwx)?#T>=du0)BS!nK**3x`_wVJVlQ)k&dMNNL!p;jT`4jiaPX2HjEakTf
z29DUbp4t@aYx?i-SIZ!l89)|hLn&&a8Qulu@UiHnJ6D9RC?{V;LMl0_P)aI!Q}xJJ
z_x+9XhJm$V01KG_rY%Y$6tkh|^i&Xy8%!NEoxCT_idNJFl>NpN6BeNHay^MLvy{P1
z0~!P>gnJ9|W1{15RH^7RomCvj+{V#s0Og1!n>(boD7R-{+<1ymacI?U6Pswb>ZNCu
zAc^_>21i`X{mKs{&Vp;ec{SBr8m^=g8SaMiJB@t@Y2{D|wxc1}773aloG&Tpaks`8
zL5x>29qh3i{}-`Ffc3QjaFmS(J;{u)y<Y(tUMq+;{4I&)ZLtgE05}D3aT=Ka5H+PX
zHR+J?sU{n%Z+f6KGaV@0A0c$G8+V3W9ykJl<A{dC?}nO6kA&UIGZM|4l^zhyljt<w
zOd~MU5X>6rRQR{vf^>ek60F`n3e18b#8{65as~j8Yj88>(H`5aykcKoxCV?h*-fd+
zKVTf9-k+%Wunsr~t`SeYny)Y{2Wr$URI})~Q*uYBjUYDf#9Ou2Kx1zd0{*Duqd$CR
zz(`mUDHxC|%u=aPm7@4BAsp$cJ&jqp#yxei{{p_YwZtw<;4Q~t5ce?FBN*#FZLIOn
z1+7sI5%uW{puCzh0Z<u36$DMD@UJ4d)=u@VL4H$BnW@RCOV{uZqac2WBVFQkXMhK*
zKjBSBK^tcYIW-JdNKU;a`f`Yokk~`cOnJWKE7o*ia`d_ux^Yvy2SXGc-02A9DvqNR
z{CAy*aFlY4NV1?)r*oz=H>CZdeyJsJnj-I4hL-nhlcj3~g!yGU`vs&@Ha!FtEVN0L
zMth)El#NzR28lX>L@_bTSiPwlb}=^u8VAUG7QmPkF+;_jVHl%FMKKQ<^>cdAbfY~a
zJZBD*=gi&q60DfT3%?s}2q#!ZO#@X@St`m_;r0GWzZ$0GuJHbcqFT8t8li|9B8QyA
zaLAb~9CDCg27eCAJqrH%t&kQx5v>7WngEC=fNA@3mr<*Db~wRSx!y+z;CHkP_gPou
zSgFa&Fo$~nxs3vx)Di&g1yuC~s$PU@9lJkKKzbtC<rc)2U7cg+hDfC)btrw8yVOt(
zUPC0<xJxXL9F5vzMD1v*?axN!t|VT647eNr6sd?S5%X1Nf}IfFMX4mp&^(Ngl5j3$
z8RGLTQpeVZ+7*hg!RidUf+bSO!W}99Ge09f<1~GR?@mC%)9Ew~##`Ym59uLIp@ccV
zA}H}eXdimRe~N9#edG253fj8tyKe6r-8Zo>&JRiA6`K!??6<Su)^hD?M+Qa&?wDMT
zJ9OFCmQ}d1f9OuH&7S2V#`>)Faj974M>s;b<<w-QOuvE0?B4I-z56ly&O}Ad92sF+
zJZ;hRsm|Z}^zCMZtI%781T>_HuuBsDUI;xt@3zi2Dmw6}3q`7K!fG^m%}Wm$IN5i&
zY1wr|s%HLqFDyZyS#JqRji7Frqq;~ChgqI?>>2N*MVYlVv7@kMVC(arxp?Ry{B$0k
zjoK4X%c2^|b}ERCDW{SuH(%Idk+e8Yr0goWh->de@*xCP#e8WwR)m!5If;o_vp<)|
zg4(r&D+4L2`a!%T&H&g%nPMWqzF*t1@0_V;mTp|%Ayd3v+K=0LaGr_v-tzEjj&n-y
zGxdJyIcA^_p5o^7=pjccpBgDmkS?Y<i!j`^kKDO4IMO9NbegZv2;U0RkQ#>#DwsQK
zTyM<Q&xq^Yv-kMnKFB*aGhQ33y?$*x909!##7&Mx)c5>p)07UXJ^NQSx%rWFfLsV;
zHFPgoLsrEj)2b6%a)m7i@sb0eKU*Q?%_k*L?AjBAm^=(S<tu@_>sK8#2&)3ki?76@
zu(qrtC<?3-UQ+BQZkNFgExS$f9b&p(T^G7FWM!nw`NPP5)wg^5k)t<;j5l?yrt>;_
ze(FhZD0WEZlAJ~M*y2^zl)`2o`NJ^DZ{_+arl=h|gSWYCUpr;0pa0|$CM1>m*|2)|
z>hQJO9Rj0cW*u^QfAQ+$)LzGa?AK@Vkp89xs~4_W>zo#U`cBw3sEv%5o)uLab=cT*
z#~_pch$%jSUJj0PK~rb7u&m5Gz?OZb*dc6kC&OOWRhp&hl-vQh9)7Vel(__ciE)R*
zc1N2QHq!lcyahv|qs8nf+!MDeFPQyI;nx@qb&<c8_#{jpzaebjiscIztT4)BC|<hk
zzdSHt*(f~K`Zua(THK%@CyE@cIcM&{u`MzWAwvnPke!KLUbiAvoLBe>xxdCQ8@B|B
zYmVug&lotejmwZBYqktC^{uTNe*C)sS(j$)iXn0L{<BASk8Zz`HXjIxMm1b=JffUd
zm?4OjU|&6Yf~jV&5lfb>LmOpZz!KgRx*&9Zuqh!-*J#U$DMwr)wy#|mV)DJNn`54V
zta77ggeEUAwcK8Fu<oW$t3%aXy0x7?th-2q6di>$NJpareS(pyn12a!TyYt^P&Jpi
zl<9NCw%D1-f^=6mchQ_V&K^TNJ&lgs0m*se;OO-)SUkRATY?N1PORB~&eSCXs*7Q>
zd|i6@AUW^W^(Rb^vXJVdwZ8u(q%YnU60>LL%qd7;{7M(mr{{()F0R!nd+~r%fyf0X
zzv(#5YiJv1H&()v>5Pt*&;;9PX(NM;#yD-W6aKj3wYTF2BnUgTY1`og&aZ37e%qn@
zG~b@alht*bBg0qkaXA<k;5)`|T0c{ps%ZM5{>0Yl!-o&?@9sNn6(+h%O`XrBljbBB
z$Do2Cv}fPn!IpZ<!qCXKOnQPO3(a`xCmgw1UU8e6UR6wTn&>A5NPcVWr>!TmH?oo?
z`;Ek4x2%r?&=Cyx)oA^o01S6~Nc6RR1HQ!*yQ0s)=9skAbVRY!H`o9uuM|e4Ilx}H
z-0?~4B*))4@TJ4*b~XDV0)Wtnq!vkS=WTyv!?t}ZRxF&q+_)WiYb<p5)qwgxL3=mC
zo|5xW{^2S}by4wtW%gy<p^%73)4UG4esjl-Z00h!_nPhfOns~32;BwSwgcqA+h1|)
zBRO`&27dkfYq5X7!}c$2$6|sEcdzZ-3%kGhe8_i?>e<gia>4+Y*8LMQ-kpv+dpLBO
ze}oCC#G}0WZ?EqH-|o^icq86|{i^}{+T_@s4@<X&xxg1!84|ZZq-)4HcjoCa|NTRg
zOspD0U6W6*&kXMwqk{&(r}yxTT{8~0V?Jdm9eu658oHrv{fG2+u5-RihB3XQ|BOxB
zcdXhK8f*GZALg~%cdYaH>45=8$5}YJp5es$oEh!dJ}lkmDVLaZ#wV$BqA7eUvOl?O
z+B|pGT2oApZj)dCRfAo6be`C~pDD3#=dC?leEQEqs>Fk?x>aj7{kGX<XL!(<t)|Z1
zhqUeD%%!{S*cV3jc}XAt9S5Se#_WkSMUUJ%XoT}%|8YZ%j&mr8J8}w;*wK#VSzVxs
z4;?&a0@7uEoRt0Q(Z~aPjk9a$;DzlE7R4$5EGN-r7Bn|E-YP9jd^@lnX1$f)Qt2E|
zrE@$B=eXl+oO9|gq8g%67r8rkTfqUW9r<qThCQxKpxcBiQ*EH&zFY?3<yW>>fF215
z?5@CNy$kz+!xl|2(5;b{pfywnd^L=|CK7>?0wvj^K6$<tFSBH%|8-*%uit2?5iTXG
zg8H%wi-JcSZzsH~aRa#7ohZW&G5h8$_$Fj!hq(Ps9^4$!#K(a6OWw><Cj)UWRw9Kp
z6$#L?*=fGoz;wq)q<CHEf27>v)r;4xc2*}N9{Z2>zXb*^o#s-#o99pU&$P`ve`HJa
zZqt?#p+1`jIB;+Fvtitf;E>=A>$k4oG<!y{Y1G_l0b^Xyr!RBM8;<Qk^1oq7{^!Uk
z<00#C<H9xDnJMsNvIE5&Hmu}EJ!O9o8D)&cwFKYNFw?L<C)lr=9=P1krIWXJw=ReJ
zzco$2VHgs)Ve_U{YeV<0_VG6@fGgNxERLqanue=q53ZhH>FVjq-Tv%gUvYmOq#}2`
zpu!dw6A0Cjo$AasN_jH#1^}%<X>i*=NxU+$MF=#=H}Mj4=ZS&@iJgS=C6coq*%udU
z>ap#h?{$}?!_hG@$XC3k9i`@?2hcP9s8M65PH-6%5Ozc4UEt5`M~xmcb)t)R{+ILi
zywuUAIgnzWRC1L9qWxdg6`e3@oj4n_J?^k+c1`#=?Y1&@P<T*c1NmXD12K1o17wXy
z%-!pM%(^Q-oOvmq*L(esxqBn+yUm<9!aQ@yvYE#5!~{P4HF)csJxC{?C>^G@<O5IN
znb@NOU5Um*&e8WV`;VGAOVq<o*c>)zuc)Mk7vd7w1-4eQ=veYuPxkDs(%i)N*;hPJ
z2ZC6~z(vTO)(+F%j<s`20uj}MY^WF3N?}GMi9R;_(wy@!U|R1RGGN0PNQZ}%WiEhL
zKxlnd{PJ5T<9z+}aR0bz;V|_cQkJ{u9cN3d%A)K)vYzIUQ41u8Ft0omWY{0EWOba0
z9m(dS{$S0rc(bR>JBRPpukJH$iH{3%xH{G0&3H@Z)ByQTS1<=d*B(*K_U*|7r`K&*
zFmHp2@35aYZ5pzwI<h*yf?GI@fcAvn9xn%b;`8cDc`YbAQVVuaV!e^^r#IUMiD-~&
zt02ws@sqo+?13@M8aT3P)OA45euR4S(*R#6d1gyF@nXQia;&>xf!Sp=r5aG@fJP74
z1B(TD1-&~S|Ms{O+t9)0$(E2F8}GEj8%RFS4%%PY9=CO`OX!CAb2pocByuC7G3(`Z
zmi>i<U8R`}1?e_@>Y<%c;cFKBy3-iOzSOOpFl2cj7wCV!=Os;!uzr0FBLy4rp!p0M
zy5<V2m!N;n>*?5!dL+i|p^Mudb@-|?E9HKG>x~@pC^wF)Mc!|JVtc^g!Q;pE1eQhc
zQ~2sN9uAf8gusciu?+JP8?mmZzBa3?<3H-*S=3$EfBc96t(|$Pv_VX7+>C%IJ;#T{
z?BBlgglRwj3WuT#(yf-f$ZQ+<!;R3^DU=y1is%^7Vhuy1<!)SmAta-w|D9wMY3#iR
zt&bdF`sI5aatqt;b7zhRw=Z8AVjQ2Xn>XD&f4Yl&WcbvuxcMeId0uG9f)FtAB0Xj9
zPdI}vV@P|D)J0v(e3iU4U`+~Gm(w62@Gg^3!p9b3ULcF?gzT2REwVheiZ<mQ$po=u
zp{&NL1espm7xru@QseEXq_F-hRQTggc6y4#1G=P+YoVA){z(t5a;dnc%tlCKj7#-$
zM@V~ED4cXX$w{{((nvvO<B8`))%;&OkXMRwDDLIs4B`%!m!4-;0k#9V!>0~)aSWiV
zU<U-H;cO&~{M?X3V+4oL4wekNG2hjn=Dat_ckd5BKWvY2X)4a(5!LPGTYLKl_iyUl
zVodk;?Z+hEFv`#G1jp@-Grr;@x&4Fr02nrGc*mcd%Rg~tHH?nqsf`0nj}R#kKGgzW
zd04#F>pXy(3SMP*S>>NERvkTg!JH|^jWA4JvSRt-6)t-=4*jWuZ`&UI$3>->P$L36
zX16`B{;&xvV|47UevPL;g+*CghLzV}Vl&pouRF2s1hT5F?YX|^+CE8qMp@)Y;f>VU
z2rdLC+dhlHolJs_9-^bzZ7svTLDH+hRq?+aU3CnVR`*`jcWs|jJg_WspPXcYYmclt
zCJI*eUfy?QpQBVzS<g#p*t~e3nf+(?|J4(zGG`^siklTTfb}WMJ@k%UVbAJ-e$CPP
zb&ic#dt?p%4^6D=v$o%c0XO)FvUtVwZfd~Bc-_8r+jhjetX@BF!79^sR#LY-AYhrV
z3;)csEics%PtlT#5N`uc#&y7+RMkVLh8#CF^n+Zd4VpfDnl~ltJUA_SMvPZZS^m8q
zsc~QH5Z46<$PFP&*-ck#S31_WEMFOH8jrWyyqWX}M4n!6a?d@bOUWzA?O6wV?!yyx
zjo6$S_H|<Guu?`x58S=yQ*bia+p6tS?AU<@hUF2<cdpp#5RILja5?4H;JxiS_w80^
zsA=-z$%_M)5W2D{{6k@MJ?-cC&z&@Pk^}4mni+zE76rK+4GRkmaS2&HYl`3GfI%3d
z1U>*KGR}-)!~{5^{y@6?%cyCTUk4(cl_19iX229|(94h0Zd^)YCDaO1KjY1sy6DK5
z@Z&D0_l)d>bbf6I_2>F#M#tu&DstUZ%}~}GHL*(`bN#JBaY<~vgzSF2#HF@rE$B_v
zADW*CYUx{ouOdHY-vYir6g3XK3_P@xPM<h;8_o4K-a>P`52CqKXs-LPZk3yvJoJ=D
zsf0ahmD3kO29JeRX!{!LC~%cyCG<^~>zV>x<y*r}C87^MpXhX{s|k0PgC1ZYP&~Sw
zZy@`uE&C$VZaI5sKsb)lLkNFcrqBB-Q~m1wjq<EC{l9-#<NqFFkDRrRezdjP;dR{#
zgng7b?`B`^X3jzb{LM>90p_#$HP~nT8~#lV{u!Uo=f6a{;BQP|<ootL1%|iX(X&U7
z9_`HA@h*M4^)<0}C8HvCMo0VZ95KRo?C{|cW1~!t_rRZ*X7*_!&(6$%hydi;k#DM1
znF$#spRp5|&U3_;-(<;({H$;)QTY-j6P2G8PbaE2$D+ef*O4*8d<%xDF6=Kl8Z=ju
z&1%(05;5;U81+iAg0pLRrP(>?7)2szL|@R3t~9FJ7_&W~P_@?u)zqGONXMwaO5|6V
zOqYPd8kY;2&5sc!j3xYEuoDo(@&0-_R?9tibkFLQ+l@G`mnk}4m%WlOR7gB%sQw5g
zg|w*lj%pJM*d%&D&z9E$Nn@?UgzHn7V8Rk%ul^{|Sq6#Tf@^MzXj$UHFbVfdp&!g$
zO&FvU`SOjL0DC6Dh=4=%$e1KeRI?CX0pBPz(}`FuyuxWbJ`S@|&D1Io`a%85R0#^s
zn|W1`A>CI^GRSH0XitSq_c`J&pe_QYIBm*LoqK)~RN>L;EyQ3z8NxRmffJ}72AY9_
zH*?jOvqS;hYn+hxO%pCsoj0tqdK>W>P>FmEwf<dJlM$u?pAay`iM}CL!?j7$TlEs6
zAs|jeTZn++c?14Ii_<V%L&V>bAh@lFNrK|%)})kP@GjeC8p*ztB0_dY?KH{5VOOV(
z6NAJEvDuo#Y0*|cE?_`k5vGJ1r|?Evf6&M46lUZphx?2g!8*WwhQb5bskM1q@al&x
zo-?jI(0(2ThWJC#-wk>?=O%dCOS}Sxo1$BxA2!3+XS(pI8BabnA=~G~xHyiG@ZT!c
z$6Fd9g{wY|q!lFehjnyoMIL}WW=kOFUm*!=B_=gYXYfklcIgNo05O}Vc?RMRnA<|q
zvc}vIn`?)8gkt0a?eQ~Sk^6W&R)>)6y@wgX_dXsez)cD}CN(F89TFzVn+Q!mLNi*R
z*(A_JTG4DGG<|Jqsou4zUr^&Q$%n<)Ma|8q*dO(LsrAj&c$B5>&D1nEsFQo34wQRL
z>huWd`*^8GGQ#zvmJL<25%p|DMH_2P8>(s!R((k0w?YycKPF9r#;+xs4E8|n0UoG5
z#)E1Hdr<9Y4@>P}57h3D+WnvdTp?^D$;dnel?I~DSgI02HTGC4gaCeEH+4jNizPdl
z4kjT39+`AqMy)8+I!LuHQ?1*UT9;8PI#igslYo&diJ0^{2L_vR_HgVhFJVc9+4}yT
zWffU)QETdAWkqa=1WMtn^M%w4MnuCU<Qbf=ph{)UPX`Nd1#9TWzq%rCqzUOu6EaFn
z$VM?CyR8$lktU?C2M~ZY?2|xdM*Ur3W`sW*NSg6Jh74lMAN3U?hiD>)SV0a~1UV#I
z$>9o-L$q0=N_mgXU15)eMSh5pa{J`g2o&**JbC)(d-4=6T#dq~=tF@64~_Pc@Ze!m
zRwhmhAdx=|m!_&uo)YnB?mJBCm#hsr`F}LzJ_$rY1wK9fT|eQ|gGtzuzwQ<)g&ir@
zo(S~{&1^KyY^<2sD`IAotuuRtW;V)IBUH@D65-`DSJR$;QJcJc5OGM*6Z={?`mD84
zn-=l(Ar0ypGgPQaLWOE?FJClYQ{;0tN8`6gN0UFqPMfv8bmOOZkqULKjpojC(F}i{
z8xXid?$}4#u6Af7;Tei0guL_NdRSfmB*_mUpL`AZ<U`0O`A@1p4v>RndW+<w9UtM9
zz~x8s0~-MUZUg8CHUR(K2JjDHrUbR9d868aw%<XaJVYggse%4fen2&-0>KkFK|kE6
zw#AuyP)di9Ikm7ZI}xxC&D0k&b;eA+F;jQURN;~Ng8EAiDhS;?di@BHe*o|i;Qj#E
zBS3XlyS4`i&Kp9BP&oDfsr`Grtm@qZb3h76z&1!n_BuDNPnVOa3u)AaWa>g1bs<@F
z;hx6>wIdyix9M2Chhvc^hBCy9)c&~~h3j%%C>j6WeXk&SyPkFBHOT7su(0}tkWaJu
zrDrgVe(?$xKqvBs2wUGohNwSXNYzvirXU&yUl=WuHHcbCg6)x<p?!t(t1wr_SJ?AX
zLAF-V^sUwINM+w?M!bodeW$0?l<b-LZbTXF5@4H*+dP6THIPXzE^+n-2D&=O(-xM+
z_60t{RKgB%Ex|ol7!md~ue1T`-!71k6^Y!4aH(C9N*Kx7MJ8cO_)})k!lxAu&{;eP
z>U*T51V?6oDPJZcar8p;3_I|X+u+d347`{A_q<x=Axq2;m0C1LD*XD@)y#w-oD@-X
z@9Z*ozT9PqBzi6Q#`?=4HyxJggPX7WC8R|PKV6o&>v`{7R~>JOciN}p15ser*}W8}
z1a)X$1@=IGlTbz-im(Jjq0zX?sv6h>h!-B{yRfefYFB*ks@LMMvM$O-Wegared>6-
zePz_~h;tH$xIAnKuZQgAP^Xm2>sDLO`XagG06rTWb>TRvAA3_fvbKJ??ZIlB@KP>=
z|Cx~TnmsT)Ja#f=t&yL!Z@jkmsYlLgnKD22?$$WS$WGd)1Rd*9-<hxB?+~)(sh-tc
z_dbKwc4oE8Kj(GV8K3Ynb&;ocM)}&jmNT#Yz9y?X0}^$pW)V;I1YRX}$h};GBw^=}
zXq%1Iv)XGjQ(0?gWKsW?SGVUShj=xgWn|a5kzccKzRD+-m2_s+Q3kZFGaIrWf{c!P
zr3=dQUSKbK(L<|OV+rrQo~I=?k|N*YV>86*>@~#twU*@%imz2T5EtuvP6`TeLNBUO
zupRlX+6s|&^18BDhKxWR0^uTN6*{e!L?dcRynHAKY+fnmhnD`kKe?Y;3sF>^SoLv=
ze1m;cM!v|F;;#mX+`0k(ey6~jGfgzK|E|&ye!cKLQ>Vl1>=FcyO<DQxp?S-=#9Jaz
zqki6<`FH2tbMQQNZu&`=%(s_W<%~|(nv$06WK=}_6=zo3^)xTRe`v;SxXB2|g|+;H
zVMzZq$A*})mb_e=Wt87MUK*Zw#^u1C@jbdt7|_IQ+U%;6GnTDgw`7CMg<W1fTMroN
zX>uH(jtg0fK6hu8@X+i)jaS#7T5!{R!3f&u7tQR$StAGJ<DSjG80XsiTLjRRy@s*!
zp3HgR6$d;+tB%sW=T)EbIo!#)^@4G82N@lG@vc$lK=>8IOy6VoRX`Yr49&RV*(>In
z)BQ~CBnVA@KKV;@wDZRGYjz*MJayuAV<ethVXYc%YVN{Ib?Mr+X?)K_M61YXIJ{+>
ziq5=ZHqvei+u5E2_uouDc<9Pz)1l#!K3$y~3>^;rWgBeelDwgR?mCDsVqoVB2G~w5
z2iZYv(x#*+=es_UZXw26o5w_?I{yLPY7_SLJ>zob0P%r?{`~THiw`bw;I6LU@e2Gi
zXI?+8XL^9~PGHE)an9qXOd1OnQE$a@3_aL-XR#jQt@<tW^cC&cPDq(tz#7w2)g4b&
z7ygaA_Eb$1PgV78$=Il2yw-9PZwO7;@~AzrE_qW+dW|^1YRxgRhI(FW&WOQYE{;<q
z$5E^Ocl$$Nk_*K`MaV|Wm<@6-)?iKBTMgM4eX`22O^Q66c`6R_y2G^&w%p&x!EwB(
z@&u7j)~UPYz0AXmtlEs?RLkSC_){ISzVjC9V#LMtYIlj-yL2A=>x@yR-EhEOy=C+A
z2$zF<#`julS~{JN$is7dBSy&e?2C&2>Tkj>p)xbdjgp8g@EqyK!X&wo3KyMztOCqn
z=b3{R%yJnQxO(@)6|Blq=3s)d4`thw?u%eoZ}8WMYoWRfy>45Ex$0qw+3qkiMzH2Y
zQ}Vi5T<^!f=)+4=U}o5o{^<F_K^_jGy2t;O%$tVu_T?NA7^b1WI)}o+IXE3;)haNz
z=L{E@`i)rJ&9t}^c9#z|*4{LD!&T?=2?ww2*t%eL1QNc(2IbdrQx=YO={e$1+{wLB
zCry|ehrA|O@{`NAE#9}p!PkH4&=Jm^B72{iM2g_-pC`0$S=X7Del+0Ue#Ydfp=PoE
zW3c`cC}MJJ+#wL0pT;y*_mA*bOQB0RG88)FU=|!4WY`<I0+OmgNU9c0n}OLGGj&Z=
z*kUFve`<n>Zr&ye$O_jh8+*ACFA>C*iM$*F+%UIUx^?X9b#N_{Akx>@pT|p#ah5lI
zySEL@8K4%0&A@paTWt`rIT%5Pi4eoER3%smr#<YV1YfknY%9r^Up`|MlgFOxvr~0Y
zjxUU!cXEycivGp-Kv%@22Hb<!e~(Miv;-DHo+IO7g?=|Pa(_Z%MBBzj`EbKg{jrzo
z5_-r~ZD9wG>)}$6A$H%&Rl7}-Sqa@7zo`qRxJ;V1ChF|sN6Vg&MZJAq2{9^LR+&$<
z|2DeKJEP+^h5cJ$HPyOOFK{fC5imOivJ0#70{xx=t8lCS0$NchFdCBrqcId1Fj6bU
zo$cjRJbt%HJ$WPl+!}O9tyIGyX{y7!7$B>k2@1!JIg?e|&HJ!>I6v=`Wbp?+0QrdJ
zy%55U#9hrRjbdH+CEkU<f>x^;L?;l+<SL1n=aOjcGl<LL**PL_SfK0K&r8$avQEw^
z)9*~YWkmZGM(egVSlOu~<o$yOHkof!w{YjYE%tTCp1o+=x8!<^bKJs%zy78;yV~=z
z7h$~J1u@xJYsD7%%fWm6uGqPPe=Ex&u0g<9(%8Jhp~U{pJK|6Zz7p;HV03uRNMpOO
zVLKi;-`{`Y^48E<0b$1LaH}5Ho7}3)asBuF2j1{^&-BrznCTm)jB+0DKaNhL^<Zw)
zNtU~#9^D<4aK_#Q1;C~PPqB=4x7^p^wz$4)_X)Z!xJ@GVQH_@6aa&-KV9?uvebo{t
zD%YtaU}gDu*^Y$MF8g*(?ACqkKwfq<4&KFKi?=S`=D=+DD?`tYd$LU{7p+|B9DI7m
z%55$;Bl>%G95||nNjnpVq{E!=bEjjl11|w8t&9Udn{`lE8xC&UcX+WeVaY+SmAsMz
z|90A#^Jksqtmk=K46Fua)LzV{xPu$32cKB3t5?Uh-YNbqTOMxWt>%px(a%NB@|qNS
zH3G8?C74maYV@Mf{hfJ<Q%zV!%rwZ!7IOJ7Ftb%*WKjm|2^Q}(EvKt~{;3707M^xs
z$_gfDvc}Hr`=6deT4~b|;p>dhD%4*wJTcYz>bBFzE*QDvV_m0~UX|-O^TzB;cUEbR
z5!enG?u150?%z73TBQMAEq*mFJh$lF8E40a(r9(a1F4PDQGM`0>aA4Ho%KMPB5_Ch
zxkT7n3Rg)Z8AnfAg2)>66nPTUBNPX3Nv6kzPLkg0&<E0|_DU~8woOUJ3-jObsGBB1
z5i7@GFQs5F#ib~6Y<WUejMyG)UBLFxK_jnQ%8YB6u1FvF=jsdA6kX}7Y(wZ(9kAoP
zU!-8&is0|7fyMS!?haF0-FCY99$Jnh2zBKQSB1}EeGtiRs^oZnn1bL*D2lfhDSU!K
zzB`#*EjucXhu9HmS}roMD}2B%$r1MG^TB0EXS3j+Fp;V}2R4-ODty#kI4v+dH*WQX
z^W{7O3nH)yg}|EdQ3m-|8<^t0!)Y=jAJqse%(BM{Z^fq<K{Y)e)$l@Ku6%j{syCsm
zq>_~>KTcrJ3FexIt0F)3;HfRQqb(2CU6P-89Kx6qSOqFLr~JWN8vq_CIf}aBAJ?s&
zjX;&G^*<pHf#M5CjsJ9Pc~-6$P5<@xm#{urY&IC*fi(H4n0!&ju93ekeb>><C$Bl9
zo3zqzZG`jIuuZ3z8RaX1w{^VKd=Y&kjh3Vc7k#GKZwpr)-%IIm8&99JS%{<PCa0-x
zjiob+Ws$DXA|=xz9VIZQpe%NsI;U19AhATLSfVUiqWuMkW(q_~V~KrkU84d_`>dE?
zg9A+82q>{c`KZ<)&@XFydoJSOVltYMBw;ofelZ)bX*M(f%m+hoVW?YY4~3-oH7jSC
znTMds*E9je-wc?8;-9o>P#c6kSHu*cwM(koLnVI>uF@Q&V-D2%fDtnwU@8-gn1Xan
z!5vJ2>aHP~NnO6ADi2}YWF3D2mYN!ta~jY$0!R$siiX|5@Lw<q0;wDVO4!R1Xncw8
z7@&OGo!=!=J?~DWdeR-FdTlR}>S=c?slEZJ<|7HuL?HP>Se}k!l?d2Eu%ATZ$n|&<
z-?uCPE_OB>4<y8C(w2Zu0}X;GGMoyLPz2@n8etyB^xqZJUkg;?$gEGac-9KXfgrP0
zsvA{`q)PcSy@_Tz2{U~ZfEH3)rB==d<hA*5R#Dlnp&=q$r7HQQ1#_K`XP<_L2yK=6
zO+F+a41bx564I`yL6&KDlTUiE1cEs2L4A_XduY>qO`HgcbRs<QplLpDJrPdQiD1Pc
zX1NfO1Th;mv$0MdmYMz}Cdef2Nd@7X>6bNnG+RRVenYjUvexp1O;RV*6Sf<>3I{AU
zRHB^_cus1lHbXGrza@1jMXOC0rC5Pfu>!--!A`xphQLnkPW5ZD6d$b0e|;aTRkaS(
zMrsqF&#jnWSvwtQwc=@C)YIT<!Eun_D&)h7-4Va`jBd*6scW}7Zw(HK{|&qrj;YG?
z`VDU9Onb)lob>Z;Jf%Sx;JC$8{YviVgrbY(sUCbjQnH-%;uMLdHcgglAd@Be)uiIp
z#J-9y-T^u%wGPO^baMRyiQ0HD6usGJt>{dlK%nV@<j1FqSZP<Gb*s%CPVkB*K8Z|9
zt{7PFtM>N~P0%8x@yF?ioLu}kzFO!w2GfLwYS6A?7bLj1xj`UdvPd0xDC@(_QjxR#
zaG}cDUiw&C!5=aoTFH+~EOLy;g8m_QAo{-{T9YH)B&vsf#FDjQSO%i_e137>mpD}`
zBHk|TkF%TETm{tq1VD*qb$|wS&Fm)07tB0~HSKS``mUSlKss&4PI+n;JH<S1QY84g
z3ug5zlBpn=B(%5?=~zSK-GXumIxQ4Ef9Zs0RU%^dQpj^_x%{TFI(?SJc2ee~de{it
zA#J(9I+l^okhJ9jq%9XAZMgtx%XbWlxj4(7SPkI}ZHhF2r?5t4<l6+E0`PkPPx($6
zB%rZJQpB=M2RwYy0sWj+y05sh+cc~HD-n;{Uh5<F%5c$Y_Q$OXyaih)j>s66mozkN
zooG?*-9J<lJ1MR>A*bXMGVP>h7>0E#4FI+zgolP;%1nb#GGp|YZ7}>Kb0Oi>CUe2w
z0ys8wq?x+)vlSJ#*ES8+%l`=~vEL%i#rv6L&hID`ezfII(6}AgWN>1Uz`w<n4J{*w
zhEi9zxT33DJkZrGu5g{3<H~2KgK^<4a3%WM;tKj&?n?AE$JKJ-opPlMFCS%i=9~YF
z@|<fswl|+{7k!LZquX<?M7IaoB*`h)kz^wx4NyPz?w{2o5w@Z#L?huyHiB}&G^=|6
zQ&(f0f3h;pJ*P^!xAW!$el_5G!X};p9(=U=PCyG@nxF+Q{Ub>7Cy=DvBiB2xqoq<0
zG!o6q;O5L7jXJf>8aLg*T!fweL9AX6tlo#9yk)4m!i)xcm{B<jm4mW!_iL2}k8Q0i
z$f~Xx{7VBYi`>=xp?Y2qYvry~d7IYqAg!`szD4B%?z>RSe#Khes<j-hRTeC{wX&d;
zA}v=a*0PBLpb)FB9zy;4RWx?Jjsw{B`tvn*y@3OfMEy1(iH22(B<jz%kVLQgfl}_7
zyg?Ytx+<86UiC2+3&!wFm4AeB9j~3w#5XAW5n7ER>aXiNZgT5cCb?IY53YG>`N*pP
zxifXw38^arobIyk6}jn7Xnk{I1+9dj2Ll0f%mS0o+5+y!gaY2SZ^BgR!(u@$YZFkX
zZ$jZp*Fa`L+0dw<R$bI0p75uHe5Uuu1fre<K|To|+%)<jEIoiF*9%QsI9yb({aAIo
zU%=-7@R+uK@5g<mZ%S^`*6=YZ_I`|t14Tug1J|itRIE%D1>rP!48p1Vm<Z?bhX>m7
zQN6BI&(qrAOiMlGexc_;;TBgEYq5v5#dDUL--w!mVv00*vuKm5ii%hQE9;Ezy4TcL
zXZNMVI@fa4c)Hq-w7%{gK{j=264}&pw31DeK<Pt>Ae-N6VkEtqU;zrD6>MH1y!C^L
znFe0%_4i4{a_5>KJ_uqFC_C2#%BGOIxspuJUyWmTB#IR%_ck9YgAGeZU~f9D`<QVA
z_Qq+Ay_x$b{~FY`-i$sqFayD5)=O$gZ$(^*qIOp=x)-~6QT47~sNOXc)w_CG@5Y*5
z;&S}3Sy0ysFCePv1w=;)5#5!nD<adN0|J95Veljjp1>fk%Z^?kFHf|BAVgjtDhcvh
zLul#&P3}Z?hn`Qv2}|}d%kz<ls-_na)gH0L0-RdS9S?AjR5XFVJEl=nN3Y`7hNoBl
zwE-GKt8c`D7qp7wh;%$?cmNxv$lcuO!t1)1=AfH9M$oM@M$pZ@(1q99z2L$FI67F(
zojSN(ba16R##7B59mH8hn9;{=7R<Q+{ySztqwU;_52TxW{y^l`?ikAt?jO>`SVW6I
zphZ{#mRHn8)*Df*X`A+RE4Hal<7v|#<7v|!<7v|#B=K{5%dOa~J<)QT_Mqh!?TMCu
zZf~Jw_axBrVnNIE+hbhrNrhVxm*jtIrAt!bi?UhLM@?zRVwWV#u~?=3hjc;dqQNTd
z!=+6@K@yuup>8sB{{H)g+2(JXnPwX~J{|u5qw&Aa^S$~GbO}HN)M|==4R`?9RXKm#
zG&0*@qaDAjdNqLpZ5`PsHIyRBK1sm&5!{rlziqq;4z{kt403Ec4TmVJjk0ioBes`1
ztct?QPcb~$IFgOypHI>`{xgoYh4425j$jSPAi{BDf#Jc_8!$TlJj{ZkInyKmNVVR{
zS2F+pJKJod+CW_A!QeW0CT{zwD7bmxd`R|aKxQ0BkCN>1I_}`%13Sld4mHk30Q^`F
zZ35(j9=u%cXM=DO@Mai@xu4dHeDn)5|F)_B|BgO3;f&h1r$WtiW6cIhV*Ic<QKa^d
z{<hg@Sr%^pNRGqG#9?LPtQ`x}Y@x)2!Td^*yjlF;fA1Hw62nWAkrkB*`!GfNF<s2M
zSmjFT;3f-C1$^T%8<%Y`8<A$r#$}tLvk_^wG#X=muGx+4A_EBuc;z}l*f~{|j^)T7
zSZI*p;;A)pmrPwVbYpx5%^Ky>W;mSq!q%VI5wT#wPE)qMobxkMcyyjRba)%*O7D8X
zho?8(_^T-b&jVIf8k*AtA?5a{cbh0}lt2mw&_-EGp#cb@2SK#UY9jHP>LY{vww<Ua
zzH%3Qmftp19~CF5PgQJNfR2|I6<binB6O4~u>cC0_bA7wsZ=W$qRRMc3VnQlkMnbm
zLV_DRFL!zqrMJ>GccwR_&_i?Kv<?W+c@4!k>v2<wd*;p-^l$xIIg7bdMgFhc*~L3*
zg(+OKZ9YEtELK_6w4<8EdrAZetCJ3(_le9%#!{g6_aue?PMw1AUC50v_)djZ{k^++
zQN*)Y4@jPpJv!5-;QG0|*BtI{Bq|*Ep>knjN0;(3FU$nL_y34FHX$f?a$!2p)CjYN
zQZ1diGvjv@OQcYL5pAtVf1_;B-^(`WF9MC^_cz8IoI8u`b@Jn{K|DG01>A^?9y#)4
zi2V;k>^~V|e<U4xYLF*YQveX~z$qrDJ}&kmdV$Fkh~%b7jfv!@NL`5J0POd`X?<4z
zV!(V9QQzctgbe^)v$hojK+u#59~0t#LD$yOUcamjAEPV#5qSa|EzOkVmCV>Eb78XV
zXM+JBw84n|Y)I1)V8bV=GQzHSw4@)mp#Z`0m0xXPW*uhSn2e949x;=C#7x!vY(}yk
z6xurzQ<s3M{$}<$s#!ub8bclxowymTwJ<C|46Ce}2qieac=sps(G<{SiDHd%X^c#l
zN21wXXmuntI&lG`=nyzmCZ<pq|5<qg1x|l8V<AobKLZuguq;79mKVxMXft(}!Wdi<
zOL<)Sc+6%#IX8gKLk#m!Rt6JjX8thH_BhVn5kX~)#JuUIe3)ZK?v)=UAH<-iK<re|
zldijYId?>XoOML?ZlV;@EzO~LVTFFLr+|2@u{1ghY9GRd^f$u|a#lMSpG%dp5QvvP
z%2_Sd;l)pfPt-!%tH#pz$hc>z)ro2qIT=W4jm|qkZ~Y=C5aGYFgO!oE)T#TTtmgwN
zTbgrSE0ePl=w635%<l!%Qb{>eAow}b3qfO`@;Z{D45n>_V-NtN9ss~E=UPz!IW~^=
z(WlgDvuS62s$d=MH57~>jD51+7sbfGrOgHw!V1B^$U?q|BHfZ>#qnK~m9WD96UMgr
zZSoRX@QNvhvExTO4hVn5jyuVm8{(Lq4{>89I%Y9D$sU-VSdSEOk=MwbS@;MoTx($_
z&gf6nib>c<doG^~*rq(DAe7Jx!gC#C<zLbHh=wlPprI%mG!$dT%qs;a-!|n@Ix5t7
z#9$K1%OhG+!K%pzaf6cO<~HSB27sEe_*TV+8^bHn7X6R<NZeXwXzTq)paP}kHsv99
z9%ic=d#)gqCNFbIj&-Hka;4dFr9p)9TH3xlQi}FnOepQUgO+{QT2SF$%F_Au&pFT0
z;}5P<CQ)DxHXlksf_s&$oF>rn%Q>z{)W+Hp@fB0ZG6NA_@sHmT(Ge0*-CpH-)?f>g
zUy0g2U_V-m7G~|T;(wj=@u8j%R~!X4rxnGjtWYb8zmh*9D*_|Bg2BSR<n`?9#yHI3
z`Xm4DiXr{s8c1jOdoLWsf4Jfd&kF4)5a-ue2<yDBH;Ecqp{Vh@E6xKD)9X+i;MtE+
z?{z2+aI_+5YOk^^eHZ&WDt#WBxMxO%OdIA+q?AlNT_(Z|ZsMa^-B|Vn`6#PheD}A_
zXV%w2Y7wUKA$Z2uU>Q?A&_q#&F}1UJKBV!x46MIEXMJv5eAlAzgX5u1QJiK%Y6jMa
zHiXt(6z@Zue8h&zO8F7`CgHsw7`a_;v;juSc&S*Mvb<J2zavBwa<?_H6#d@}s!-dF
zbHly=PbaJp?k>6EcvM-3Bpy#wvZj6~@lm<E4e~vkLQ^XWYiA{5y!UN*h1}i6Z;$_g
z1`n$uZ8XX{tf47OXo_4X`GEQFpMCE<3LaSZi#)L8`<=0vnVqqi_vww5*}3Rq-nYE5
zKqZ9+E#FH3+wvu>$lHK)?<Iib@4MpFW$j{q%L_BRYP3mDyZf$1$mqU1wd_tUyHd;U
z#aed#6d9qHBXdK*q~4>Q^PmbfPdmrjbpA^!vCy8tTPiuUNZZK?Xge(dZ6}AK?X-lV
zZ6}9*vh91J3vwfb>3Jx2;l0olsfXe?l?Huhym+X0hkaX)Pj%&nmDckM1K2ugYtGT?
z(4d%EEu!@vh`t4~?1AL+L_*9~nV<Ezx-yc;CdG`i%~tst?+{Vrz{j*w3?2uWt<ny!
z4*`GdBcjOfNb|EB?;~GKcV&3NE98EuLR@`jsiIu{{ZioSGfRQ1zh5e!tLJrnK-|Ao
zrjOPgF5m0yEoj1l7NxU=CO*}0{v+l8sNwtW>^qGpIulW7?Sm++Z4094uC%hgV(`!^
zcy*-}dvzt#t1FFOUC9NnE-~KQ9vE-3N5ObqSsRTWZY2;sxTZ+43hpUfg;Vf;c18Ss
z){T4Nbj4?|YNF&<sk^u(^XOFnU?zY<8>>1IPOiBc)yTg%2^m4>7KfJe%(IA;KGkX=
zq#cOP{tJvZ(I8;*FWP@>l=meH%>#v6!Rhj~g1;}`NAC17?OH3+ZEUUh(crA@w9W4p
z-O&FCF8^ib4j+*{TFSqJ*Rx-x&X#LCXFjb?n_{ysBi@e>k?@CgAYnEiB%D*FAGM#4
zgf8-5r9I*%&uK$QsuV|(Ge1xeBWnX<{LqUqwE;247QWhll@i3=F4%|cgkmVxYgF}$
zPMPe46loOi3{M1DI@_rYcxS_|{fYMuUALGz!_pac&WC<D*lJ(zVcmOo>f`C)H~|qd
zA{zQ{@kg{33Mw4RDy@SNe=rOG!_aZ;>9i+16VG4R*}bm&*sdK+@~YN6f-LFfIt$Lt
zKQ;fHgWTj*_^oGJtYQ5tE+f#e9)X#Sa(C{0=ZDO(Mn_m$`m5(POHEKa?8lv8VjOcm
z<XV*T&GC^Hb{cDM9d_WVb7uVh+lS9DT5!||(Og4&q|tF8!`d3}n!g)oIzMgI)Je|%
zf#ZE)rpYU@(piYlLs4K{5o%A^QO{*|^IyDiW^J>0d;J3TgN_YCT!L46M{oYi2c50@
zFILG;UC4hiti8JO@?~chg_vA(c_6E8tj=xj^g7@9NSkte8MiyfzkCsY@4&;o<<^Z}
zGkWDn{u?h@79Z~%yc&INcey40i~anZJI(1F^o!9kS>d~&hU@?<;#PL79&B}XL1p+z
zQYQ-cpk43`J8t`cHMD!6mNjG|vOv=?ChI7E(5^)&fp4B&LKy@Q2xiB1)%5*%Q<&3E
zkXVp3Nv#Lv$|6KBoU9@OkknV1L^p>moAAyK1_CXSiyV3l3?BiVh6F__Ri$ug67oUV
zvd|nm76cF8YRV^mKd@!Lp!~L))I^!2o?x?VA*yL%2eaY#5*nVQBFab2EIanKdehJj
z5Y3f`_~oVEEY5rsfov-(W&m;|K^EaJCgqyI2s20A9}s99W{$aj$Q5x5bbk1@(hq&M
z6fexYk_;QA%j!8?*D=@&NdQ53TcExUcdut6-sE1E1>amqhsJ@{_ac})X6d<@rAlh*
zLiE@AGr&4&>Qy{ga`0M#h#-<lr<A<fFt)P2{@!k{+Kg==yPmwd^d$)CnPjz@0WqUt
zK9V<3ZO;O2{a6jVeQJ9$Q3#UwZ!CjMEJN7>`eZTN^MYanYJ9#Ng)poPW%H>}=<K|p
zvI~U<zMx`9wLkmDYG7lnx!zi{gD4ex4Qo}k3E5A&PgL)1m*mdS2^^A0@nAJSy9Q-E
zKwu`h7hcP5`Fi$3keb?HFVyQr{lB&>LUj1%5V+J=M0&tp@FapW*c?5q?h&r#J64hF
zjv%aCEhK$D4riz?u*J!XHn8R?_IG0@b!_i5wz28cPGsqe;Eufx4ocgZTRRc;t`>5}
zGL?4*S^Z1O`&#eMOPkyKaeH50dqmeUGaY=t*RSK_bnI(Avr{)1Hr`);V10@MbIPm2
z1N9NdLa%Ll>fq?xOBoE)gIE|4MX<W?2nq`bS>>eKz()V#k}~W^g<LYauuPr&^b{+l
zJF+EoZG_A6HH+r0G0A7QvU2#oV!Hp5DK0;Ij&tvCYRRkWy6E9hw2Hg(RbA{`FhqNM
znl`|5$ImWP{1?ogX4=Nf>6WctyJ$J$R0j16GbJM6AKDLsC3ZD*z*e<IaM9eOL5A=x
zOIEBmO=RV|D!ST-WBo58p3qSk`j@t4f5Qgn-;(2WSZzTZ0ZV=+Q{JR+Vbl(%B;n*z
ziP>Fe&MAFPwcQNEa%QjS+FpAy;jxS3ZOQR>_N8)*8KLE_+?g#_et|W5KQmiE4%}&Q
z6fv`!P+Z%v%?XB<O1$KFD8Fxa$<yk1kYRVIrE9CvwPW%A=Ug23QqT4wFT^!HE34or
zx`$e><i$#Pe$|%$A8FqKR>ifo4dTqfF&-l)2lbrH89Vk8dsM{UTg2W$ML`8Y0R;iE
z$JiCciqb?tQHqKnV2?fa-YaTiLD!H?ZvJ=A0b_FS{r>Oy|0hOa&+cXIwbowiT`=<8
za4yvNA@2lvrz@KtZo0qexjmH?4Xuh|sCHqMqOWx`n1eqn@59Q$VTM(iIwQ!_95!#+
zGX7XUomCPH8|DEiXE$cyzxeF^)1{CHqStF4d8$r}3ExNhyT6^<NVfe+J!<ENY<<`I
zKgLX^knO_&TR6Rt8FTwB=pc^#U1Q@Rqgu}A;q>k=$QjebR8-CJ>EVp~t1T==*K+mH
zgU=8diXlY0;ju{0>ptA4rY8EX`W@!H4*qrqIL5V`Tm5_XoryL5(30BC<^FchmeNBR
zSBX<k%>LUO*ve`*Y~@PW%79*rVQ#96oP$ld4pwcu0)Tc`lSWc)JGBl178h2b{-7NX
z5H($m39wbG%Q$0&i;;XxhD+mHYq|r{`9UctT&LEMbOyBzmf{$Y1w<ruN51+?)rttN
z#bY5OFgs$<!0B&_Bl(F`m4u^k#;nS|I>{8J3x%`i@a`BWQthHfM(X~v?rz%Df!)XX
zI3tE#yjDxNH9~1;s`22BOcMYiPOGGzD5!-cO+=ww6!IR>eH02&0V~7ZN2_3)Z2z)2
zk1!5uF-ycTUnRBtviN1)y;Kw*t+n}wv|Wv`qj_+kXi28`6huMn8?s~HH*fDgdW3Sb
zfsmN8cUzYEZtmE+n-n$^xKaTkD;+XuWGnLzqvMh%DeW2wy^mk@#CcHdaf%vnyN_>q
zi0sa?8VfchLoGt(ouGRKLJ>{E!79%>u?98jv$iu8CW-*&SfN$|+7*=szANjt<wG_4
z4qK*lv*A3lde+THkF(mTUF6}dnkxEzQ3z0uTe&6;=1cgkwuCHHgbSrOf;Fm@)930m
zg|%Vp1Zpe786{M>BDzo+V>`E`GiTDa-&C%#UZRy!(R9S=1<e9*#tVs+K_p(oi$HLQ
zzabbel?R}1a~wICU`lXtLwN1pSl7PT16x%N-&yMR3G|^6vpdD~qXHH$oTAX52r<MD
zAnnnu*uHgnvib5puWo=v=sU@8+T8g+0qxB&8o^Hm!`As*cPx%I199k|?!7dD2Mhi~
zI>?vgU8wQF<)qVjO1tO6WUp~PgUwBTI7mW>LV)Im<>l+GCo^uFGk4FNnxx!(DI6Hn
zEwzOixRnax8V0c-GSwhl0Dq6y{)N}?KV3vwLScWpCF3uP{73(iJ=K*ERU2nIA0&u5
z6mN0|)fvNVjmgNm1v+%pN{1dqJ^&s1RWt-+7Dni_Z9542u1K^}qv@O)Ww9z#W+0wo
zD5%jq#SrYnsZrLvsHi2$W<#(#kBr#g>DK){+6Vn7SV)&aP#~a*m7#F#De@|A`ySz$
z00s#Rt?@&`&zWL44AO0Lj5%3&({ReW2Zqs$-by-kbrIy8!=G#Cr$<j!Ko^Ra*j8KO
z9{lL`#<rq8;)?CD%cIRVcX<Ij4@*ydb=0KcSyp4J4;I{l1=nW*Pkc`^Ddm4b*4fO$
z{>b?^+Rl&kN|e6}v(7zkGKeVHMF-H)q9M3U3~&ALDnUj>6YnCIP$=9R8GqU=;o8A!
zVKyKTKX6hfMo@nNAb9RF=$#kn-9gSgIDg2eGPdY=ZQO?#Rt-lQB*H7zCI=L$5)(5K
zwb4Bv6IzCOy<)ZNAsSy9+#?`Of{~mPb@%qn_@Vpw8SNGQVQJA)L}HNqRXpdw6lA_y
z1pmw*9I3Ym4@bS~ChT3eIX1x@5wU2=8eB55gk{~iCLn0VBy+uyLs<E#%0yOmcBinO
zL7jko6>xdZ*}%*8hN11?Sk4-A@U1V7g1C-=BkdptFc*Qvi+V5Ga|!CzuWjGq&Wxo!
z#_Mbk48QgOa*0*I2hBB}9TqvP65UoSNGezkc%{~~D-45ph1uDlc9Gz3U5>o3NvuD6
z4S+m36=eJ4=XF!dfUAn4t5RRxkE?!=V~4~}+ZkMW$x7YYMQazYTVjvAxC-EHRlycU
zj!v`zS>gO<0AJpRG6mLJ1XR;1VHm9f*x9O~B4CkL@l<#gXR^WUcl9fYDpQ<rj>VyL
z+*y$-vpC^rQ9lQEKgC?fls|12^L4cgv-!+_OyL8lh~@1gyxV^19Duty8)8|ZgF~QB
z&K-7o`q{aa^-nNpYz*3mRaRHyimIwZTxLJIA#=8h&daoxQ`m&d@bqH|LYk<5uCZve
zMRLV>*U9n2;=OkURbI4Kw`TF`#cMF$=f%TC7AEQ-&V_(@TL;<_19hcUyhhHVG{-=W
zV=~)oRia%G%dy~5QfMqcMhTZh01zh#)JSBLfr4hZ_zRT-GU4V8ocVhyYYgA;sZEC|
zEy3`0f(s)UzT3DXy8&hD`;rB+RtuH6;YOkJ7hIFDC@gI00`t__8xBraT0o>Uy!ZvN
zAc`bD@YQo>E}LfVJ))%Yj@&V$r1GDB5{kh8Qo=ReE7q-q_kwFPm@oJe;wDFHb}=eo
z6S|2dnd2_%z>=}s7_J?kpxR^v>(>$2Gnhr-aB914z1l!-tHwl1e^gllt3=>7>sR2A
z9#y{w9>ZPj@Y*4?nwA#}o4X-1VekIRpQ(JkJ~!c%S@F`XCx4^uEzO8CTOG3d6xQ!8
zkj^VjQ}lzE79xoJ-^|GMgUJg>WIXK<c^ScYcwvxURP_>kf5}BHC9sBKe^z(a@L8h+
zhv6*F%AS2-7Q*J%t;D`VhN4o!46)$?K_7?l*{VZ1s?t!kmQ)>Z1z6U0bVFcGM4af5
zsdFX=yYULr<|GFv{6OU^u~wit>=)L9J?8G$r>Jsd^2Vf%sesVi;=a*y)8w<Pa;1}^
z{yd+$%2dXom=)^_3E_nrhE{-_jhO>W#x}!M^O2~}q2nN7d~c896buyqu(%>Bdih@S
z-91y9D6BWATW=k8YIvG896No<!f6(o3ou38bC{a7TpH1KWfI6Lt);Jns7erhZFupe
zIC4!A;Iz4zK7z{9p^^=!m589PXOkR?5(WQRj4=FOq|?Z=Rh)nvhIUXYkPtuPYs1BN
z+#PTpJxA3GJ!J604hz(~MP8h^tC|7zr^g3)v)eEuF(gLBNe-$bcQHCjs!_Fr2ad{i
zu?jjC&o&uxf-X=Ufw}<uBp;y|hw=)+x`?Qbe7JVfgIAU+bD`w*OD>auovUdW&E=74
z5J$E`8X@sUxO4<&T2;th@&ME00T%5&?)R#A=7Pn>-I~&22^SHZ5coahOh>e9=!IY5
z^l%=qta34%Kd&$_0wKM5Nc00^VYE;K>Vig+em3`@UJFptbTr-*PTL%On@n%s!fB*_
zvm4b14fc1RtZX31gR4l{x_{Ndh}do3^i8EHbG+yGn`h5@`!ZuUcG$$mJZ5E~_*nvP
z?Vc0zNL1D>UAxw_KVk2tWOGiEXVX?whrkIpQ)ac`m;p?<JPu3;&~f%s)UV<Q&JGda
zy$6#M-&}90J{NG4m<v6?wc1v#P$YsY88(|$nLWiXr1F${Vk8?V06_8@0CYBx4$ux;
zSu=5K%EqkKXYIcTUaY5H;24I}6o|Jm0oztP&;_b!IK9e|dTQeBceD;dYW&Ya+UBUW
z(dN~wmMmEX>2?Qwi{zD|A<Kfzok#e!nW&6yER5m8Z7)`l^%|oa`wZW2PaF~5*$nUb
zg`vt0_N}mN)v9Hy&G3zO+pNU*LE!jmfc!vvc7?-2jT<*CTe)7DLEi>Tzsm3guSmnQ
z#A8*3mT3nAet~4y3!XcWZ_fi%@S~)!2~>2tifw|`C{3k+JwI`GzfB6+Ny5l8r$W!8
zK!OAto@zMZ)u04g4Byt(5R4L}S2uZbYqc^0^HhUZ3BKH14HG5`zHaoFPXW6jl$1-D
z5Dvg&r%nnr#&0a{*?L)MyYIlPW2n4_#C`XbDqM+))p9_rU?;<dv!TXUd8f#3lM-=d
z&9${x?B7F(<rsYPi-63yA+&aQosc^AgXRYW_?W}39OF<wO@5ufWy_)+X8qkL{|s`0
z&rc(?ZX}r4+nsg94+b$etYG0$j$u45$~AJ_3D&gIZSgoYjZEK`8@V3@Y2m=R)drhz
zfja{1wvBE8a}IS6^$48=f)=(rY)?pPA9Ak5+Jbary@5AQ-L%lI)b!ndh8zDP0Hc19
zbxZOIp}Oy647jd!Q2j-HGR&d?sDNPL`sT&iFaY=gxo{LiCtwQnh6{f!5z%C{P%|lb
zB=*q)xTGL}iyma~y$pmfbf`L0a8Fdm@%@7?aSZJ081}-;!mPN2@I>?5ms%{7&c8A{
zkBM_;Pg7Q27pOKaklMNxorFz(-VyHRdiCqD7Ocg!I%J=e6uBu@S>z%Nr`E<{)Aql4
znY=$uF|e&s3+HS`2rixBkD#F03j)jrMhhKh2d>x@sL(v!rfpkRZZl`cjQ*~s=a|uo
z{))U=Z7bvGJN4nm?ktzZ^~I;Iomv6ncm-Aq^N}lgV_KU72f-%*kUUQ4JEq{-92poO
z{Xn&60>f0T0D0U=!h#mIz#7$39VJ$k|5X#W?+R-M2V~$a6%;}bZRCer<;{GNw`e|O
zbX67g2k4oU!J!>Gp}7jU)~J&sjTC9EG#Kt|S(x-XP@pmR=a)H1z$`-Vo*^i<b=7UC
zDn}B=-s%OAkQW)4{;wNmu&)#kl-1<&Z%}S0%F#aDlP4v8pD#)q5Re5$M~hVMxmL6h
zOc52=FN<dBa$^D~xcLSGng$zWrxc|&V&~`_NLRm5_?}ahf=ASWIx*V^%+kC6jLDOf
z(=CN9F>w(|=98(@yKPXIb6s)~+lP*s*3&%6BXX;sG6*)cZ^s@u9dsNAa5xBabARej
z-&~=xfI@2^L*34W^9WFc3U7I!l-9Knh>(d*JF{|r3J_1H;hp2PO#QEMvAjamQx~!~
zhim8=M;<;*I+A-V4lz`GTz^pXld+gBtYFlqAc-0HVm{=H$tD3vvynUdx@*eltmz6M
zAzV2)^>5TdI3kYx)i~HEE;Ti7TdtDH4B{7Lwm3%ossE2)?+bW@ig*6>2-LwM;ds@B
z8{-i+6zAm0Q*g??dc9`ldXJinnOyxuxCT&D!>daSe?Qj(-G6Z5;o1z(dtNBY#fC}M
z?Mm3OX{Y&kq7SRd28|guI3#TOiV$Tw2V&RI+yBEwME!YqMmt{_I1Oj)C^^)acWP5c
zmNNLM5a>5~mWR3L=)^0CpVIy{aE{MLrtdsqPK*r;h*3^IMWC1w90&t4S2Naubtq^?
zRUoc@8OKncF4KPxP|XsdSXUg@5|q+T{SeVJ_p*AyxF<d#b)UD2ch8m7$Z<~`e)HkK
z0nVuC0^hc05X%E}8g#LA4Sxcb5sr)l)Hx3KFbSn`(wsrF^K)~aZ&SA3TXA>QefxW&
zVGPh+`{{6!+_9xq(Xe%4l|^-CH?i*@<`*1jo(sY~Uoi~#<%HYWO1KRp)b{i>j!cqv
z)Fv*a(l_XvrjUfb)6jRS7PofqBd4}ip*8M@bH@)4m+-&F`T5Gi8$(c~d#oF)O5MQp
zsojdc;S#>J(lqH5Jhia^|BL&HwbTrgYFG>Wr<;&`5r6DGzYOzn6B@EWmA{Pd1r6M4
z+=fd*{Qk7jaUl+pTm-JT7a)N*fGo9A)l0Yq5a0k5u#rXqw}V1F0%jABcudel*kMIz
z7$-=>9#LCh7`J`IoSJc*VKQ>cbPm&%!KZ7!G<qp!Y6k-71Vjbkme>ol`EHJ!FFf^-
zE(m)gHplKXuV1T);v1kd77V9W2h3hE+1z;S53I~oC7@Ht@bDqwLlCVbCnP5%%igfF
z7v#G%Jd)J>f}0uwK|GbbWq&S*djRLS91XezEsW0gDGqov4Kki%gV1-NLLtN<K4|P0
zn<MsE1VNmW@Ozvs;2aCN15c;0D%nfSM%Rq0-Id|K4jo-j`6!6_OzV!*vTF<#&u$3T
z^7qy)-V_WDJ?mF6!@<RTj_z31?PGTM#06JguwJ)n$;u_GxP;DIyiv^aKzJ)@u#~P2
zrnm|D3#^S;6QZ6Uc8iI1^A&4SH=YLgb${l}cBqK<YeTL=GIPbn>Y5~y4an6QphM#Z
zi{ac;OMc0GEp8@f;l{R8SyxRO7i9q#wcjf}X#f1m`gJ9v=6An8`k(@$R$`@f4M7*3
zC4!c?7bmL2)sA4=1PDXxP<g60QGYAa0pngTC-&SkBcr%lKD57OVRpLO7#TE%sL+*H
z=*la+sj;Ux!8o|M>mW~ef}gUrL8u{E8`=ON+}ar~ZTGTXemeclVn*(-qBqoQU$Aq+
zk_8J9ieYx}s^}2qhqn;5cV8FcH*8tG$-HSL)t06~A?)9Ksxp|_39ek!F0L884-G$}
zJIRC+cJL<WP0tix#&)qP5D@F|T-HJGPP$-w1NbpZ)F)s@uhKUT#qnNxfd;)$N75^K
z0}T{jL11jp`3evL9`*$jp~Zr+O5IR|x=<q3mpB3uP|8bIuU+EWq)qWLl?S{M0;W%a
zHnP`9+-L`mT-vb>VY-xyfFYVVl2c!qmBT|hGyT%+H%QyAtao8sx+_760ybqbtQCs@
zJLtOf64J<giIsxpOl`+MG$?8(j2E3b0C+W>ekw*_t5)Nip&H)|rF3m@C)J=e0;?}h
zZWHDmGHtFm_|7@;!8=3Z$K2Kg@#-ubp^qX2(2jj~*YAu(2q18+o4hwp-Q<0!btN2|
z#i;fm7P**x>W3rq0?pf7g=kP@iQi^ih@P(+sKOGkG`+N~aptB2O(1a|Rh&<ls4r!g
zyE2!Brvf#>Uxu{t_nZa)cd^6pJ40Mk6t;>Vw8q+0IGMuH)Wwfn93D$YkRd_VZ%6&)
zEwv@_J;<9088RVB&W0qJ*$5`_dtfr{FNeus3($`@AiK?}g5mdSQghk?gB6H;XMS7G
z9}osE37I<9JT@fZ=o0Nc;diIydA&$y)*q8W%DI7jiCmM#rI$Oa<$JFXeEWY0b3UKP
zdPF%y11K^fcHuwbJ<j;CFm90a17ciR0|tDKznEXR^bo&q$~x?Wy)u|uGs!q=Tfkz~
ze)$T|5jKO)G&!LdQe3hJNA56f+XCeHwUz_Rvmz2UTcu#11<ZbdJ*ynva(Z=Bzq}F0
z+$@HR4W@PJ$x54;{96lhu<#IvLr3lV<?5l#3tN=TNy(FbFtr*rVUR_yRz}lR5DTfU
zf2@DJKYeraG!LrSl$Cqho-=)M5Lq1_fEo{@iq}c}o;H6^I)jtW<xQyZ?w*4WlvlcQ
z^RLdKa*&(ix(Eh+H<xTC=Q2|sGuu;h__XX^w<f`2(64ua*MeZ^xWZ-moCV8fnp=B}
zYN6EA^;q2@l9jV85`BIV3=8935Ze)OiG#>&&zcv_5+}`_H`QWrT;USIP#DcFj$E~5
zyV;;$;ZoR%l8ujVo*<h~?M^jq>fE;qv$@g#vGTOESKyAkysgoRiCg^!4GNs$r5N<f
z!@x%d8ENxPwpr9afn=+Cymp8or5~01K&7$87GgXXV$zN%N4<{C$P3#|Wh;5E9KX>m
zD*M9jE77;?nMn-lJAH`f*b%!&rA^GRzi{wE-UHLqKF8}=3^$l<w{{KPHja!Li38Qk
z&2>m)lhd{4R1KeIs~p@lK518Ez?3l_-Xpy&A#wBKqD_Vudx|W^0ppXi61K#|?ojrQ
z$Q+gJW<T4<JKV>tABHgRDoiMCQ`E+|VW5I3J$(EDaPuAa?aRvEJ01~mI!qWnOwkYH
zH~@C!C8-;zP%5%x7M*?=F*(Ii9SC2FZ^Wr%7A^8p-jmI5Bz`iHzQt`Q!0*e+iMw|l
zG#}YLxla=&0`05?YoO?p<zXstD>8X}%}lBxXG+6pCc+UvM})+Y@-W=<YY1>VKf&4(
zS5;U0r$v3Cbls~%Y`^a(FjFY=ut(3|sUzMwq?01krXDf|QkE)ypdpCDldLwCY2^i;
zCSs#Ez*ZL>QmA4qRf&a0q`*4PLE~URL#@*f<>jT103~fbZtx()ccbd1)8i8kW_l-#
z8|OWB<f!<m=@@-zfjX$b7IolusAz`@)WfB7Glnr2zaM8V2~b!|VBe)|j){yn7Y!;s
zc<eE9j{a%;Pg@m)P!AK_XZZ$soArQ+DXX@I-3@2jyK_0j2Dn3|2YF;dv)g7*T3+5B
zH#`r1?=ceEBi0tPFq?jt3(M0DX$WTefFo>9zGimfw9$N~e<PcG>rA)7OgHZ5*{zr5
zc3UAiF@?`}0-tYN{MXbv-?R99Bbt&O{^Ii;g!w+s=lk$TxsNvAP%78KvnBDDXXx~Q
z+KTzCsm;9$<~~}-B=oF!?x$JjK8MeJY!5l;i@DF{b02j<=7YuadILbVm37D^C6;Q$
z!3_v=&&S+<{1N(&n(oUwaUyj%`uLr@YkxlXmeT17nER;-<Hk<I-0z&4p<vpyxzEMi
zPtxXI#@ru2gt_<m(RZ=G!n)H!Vc*vH$X$Hy2aLen$Ndz&Y`a1|*doC#&^u^K@jfq0
zf_0y7CWFK`G@a%fdJHx+JFRVKuKfML@BUNZd5gEUy*Le9+fza8ryI9knn-GOo9VH$
zlM;6)W||KtO?GX~N;PE7nL*LVNW<<y6j?_Owk5mUEFbv$?p8-od0UvDVXm73UXf4s
ziYRPR><Mk7m$z>8b`x0LQ0DpX8(pm}$8sJJcQ!3PCwcM{%tv;BpWqmbOxrpguyxdH
z*gE|_k0}qLJ~q+!^mX0h(~2Qo)P~d=LuxW;a`!%#TWy7;!~_g1Hy#74|9M=VpT~8C
z@1i5b$K{D#l*M;ZI(CtDTzJsKV_xyN)<#1aQImRNTrPN=*EUgmH&!E*O|#cev2LPl
zzKNoHzzeCioLn-lmFFalGP#yerp>sfzI}!ZV+Q%b8=S`;X$%%>2AlB=?}CUu!s%8f
zPF1&k>7ZNVz;kt<FtUVheZ!YIf!T<oy~oV%8e-p=$`*Z7vfwJ@8CyE{*Mb|0PuRzg
zudp3N6P0gqN26s}aVstBT@NR#EY50uP8zU}I)0#5D&(#gv<MyjhHNg<SN8|!b&P^h
z&c&T6*+6>~o1S46+x40<Y=GrzlhobG+YbCxIs3=>=_5^pJUkErt2+20vLty77~<yL
zXVA#FlnF|=hQgqOmp$HN`@)H*H1LxQCEJRJLu++~N_SMhV%<d+T;wR!q<9@TmD0xh
zRAo!bmOY#HfGJzzzNoLe34)EapPuhO;N=AGJmFjp48&s|sL)b$84)e+Lp4?vPsp~@
z{TI&lQzEFWKyyHFio{v$>bY@3^xmy&Qp_jPCU)&SZeq_tqvLl^P<k{JhGqXU{)2YF
zO3}m*(D{`G(ys|TmRZv(knZ(8^tH<OXPE8yfqr9gj_R&DmVMEjlIrifUAg&KNOSAE
z2M<UlRvrP(Ss0b6N9C2pJS6JaJtTxG`(yTQPBI_b?bFfO!*dKK9FH)#9M)_Bqgoed
z=2^+*P@XwYVoE6Uww@WUlFI?ZGe5ol+mjKweUbsdx<6rG&S}#}=L^i9NiDiFo36Wu
zWlvPg$bG#=4ry(w@v<`zI1M*aRkN{2?AZ7trmV#1eTQ~>4fhD0>@x*nsV1^?<KWRr
zM>Dpi?Tl6KOwRS~YZ~k^eK_EV`Ch2}o+gr=^%7b^uZ$x-;;&p!Ny<2wK8clHuZ*5P
zan@wBKZ7Q?GF}61Xg<whQa&rsboE++tFLmW7uoDP5}lR=;NAtU!@8L#xJO0LRN6Ha
z+|z#cxQ`HGyFy_kic#%{A?PY<17h;p?mEqpcb~pTrA&`Ja(WDP^Bg)jeQKs<`Ld<U
z%|8uuAJt*Hy;iUfIK9sXr|d>)RB}yLYlI^4I>3Az;{OKR8ntz(aezb*9P!tEM4FUX
zxauf7+@VUqFn~rNh!EDG|1XkZ?8Tyk#>0D4a}fS0S2f9lErzi}_PQU2nQb^-r#=8I
z)C%=~1%G)EyM^4AuDd^-fW@jmJ0TdNF5*f2TR66%eju`5;$X@RDJTqPnrGOe;;K_}
zC!`J?I?)}q`wU6ZYS+Q+p)8D!Ps`xbeW)v>#b98#-aM0%cS!mEs^H_}6FAX4-g|r6
zHL7(ifMf+sN(64Px)WG=6DxanFxglPr#7goc<a09liCh&<)!G8@wT{=M*Je_-RKit
zlm1Get!%{Sk0|jBn*Af!HLKly_>r1FuzODh{bUr>KHaAV*Ws!Gy{zP>?xRBz|47?=
zAqU$PRZ@br<0Yc-ng3M$dEZg>TiYxI$m(^JdLX;@JGDlFEi6f7eI4s}#P=-DLe~J%
zik#X9WYoTBd1=uYUV@@<Ez5Pt?WJvoYO%{8H=}BKS!98VW1IYYLoNMVVWIW`|Gxb8
z_t~QUTXC@UgMCN4Z|$d2uJKzs+~8aLjv^?MR#RVVO?_V$_0?*^v;<;vQlPdw=U{{H
z0`Tq@{)AB8c<uPfTek<CaOp6hf19?)`(0J^?O2t2h->C!x1Loosy_FMd_;Xa_2=R=
z_2-f_7WC4#Xw>huU_DeCac!EV-p6`QI4^WWK-^Y-tb!TJ;a1UCn4>bGyU-H!rkOi6
z!$}EY-F~lS3!Gn=Ap;!r`Cg$TIr2y6Y9^|dNKRJ}^{vrfp(T??0NTE@iFH22YTRdt
znpa#DTM@gW3d*9zLlBHRBc9_3s)05vjV1_JnPVaZ{Awmv&5Jp8V2B~7mX!-#DNADY
zjpT8&R-vmZ$y%CfXH6@7%RJh>`@<Da1xTl#AJWe^9d=QL;Zz<sKq$(cz8NUGg>F2e
z<gGY#%5>dt=dks#s>og+z4Q91MThcCN7iplvuwTDTWsn+nb|0v*G=qgGQ6GSKe6W$
zOLJT!XO~1xoYZ^nM2yEKb@F4aPsQzkAuc~0qUzg&ydCjzYBJd<m*%FNhMcfFD&_1l
z%R{IwdM@)%*?oFl$|V!oxF<KY^lrCROpge5RR%2@(bv>IdRlfUfVqc-`b}%!cg2W7
zCfBgwah5=6;pVYsg}>WwplrJhtQkz!X;k6wIOuwITK!J4d&rg>U;Q4;f463gr^9wM
zTg%Bt|1Bq-HNH}N))W5~T>6zdoR=s^@90n4KW+Ah**vv_al<>~ohP@yJGH<62eQfX
zyUcXHA-J)e#Sk2E`{)@kP9EOBx}fi-cKy?4DlWQ}lDd(a&!bRz4O0KK8Om=!FMOD9
z{b!{Fsi%3kKoa66gsvrraNIA=Ly>=dICEGF<A&zz1t#gJ`C36gtR>kj_J_@=twRdp
zLs6yMRH-K()qU|Y^VAr<e(R2nmYeP`0(zT#!e-5wV{uNazYSBIcB`m0UNp{Mc)BY*
zW=@o1@XSd}$T$v0HG0)0Q_PmgJ-he$`|Prue=a1t^+|Fzv(i0!H<=XSv&COAqz#`s
zWyCNTYiwHG&g2_7%WeFGElFM$gKrBL!I1XDf$Kh3%=+VnRRV1H(cz=G*j2d=H<j~&
zCc0kH2xF=`VvGo-z0MVecn!$DEmeb<;edsC{OYfzq2B)rE?y*9j`h)q_n$T)m?u#F
zwI!5429*B@MN3d4F5))<|9vNZhv_m3fhu3(;i9|vP*uZ~Vru>b)SPT3L{nb`+J3|O
zo1QvY^Or4dC<_f~#ZH$rbqQ5J;!Q<s1+V<0;3fGN-m{Wc9u>E8-rBD#D13wWs}7nu
zPP<M6njI2Jmp}gm8qJ?JK4CWdsWR-?Tqwx+P7HZMU6QGV>3yTqtbF_S)4I4??sO0`
zQxZ32nsZX83>h+gir*w<)g|FP_CW*>kNfsaQ4<Ub)Iu%9nRi48!9tvO?bmFXYCDo`
zVK;u<v4KMdBF8|DD5!-{$ng}=1fGICwnc>?2&^irf3wi_rtPB#+1KqJaT;>$X2U|)
z7YJw~KKNsYvCuX94_BCwl;k7jdiDc5ewgVP2+Of{FaB_CC{jDel8hmR5}Ku5Fbkyu
zt!qf&UE@i%YR8h!vHE|}EEw);-DCAjXcqF>vI73N=@NeG+C!T9@YYG&0~hWT(6eXq
z`fJ9V^z8|Il@S+&0N<H&Jk0|=GA^7*&O9BrEp%p-a^#ed=rumBuenwu7X)D_cc(oe
zL@cj~x?ZQUx1RB;$l>Fs4|kr)?Au4ikI(jrFK!+9^;P@idJ3LYKeFKnI=)Mn6&Eyq
zjBmhDY+HLelSTHac^SD`wuwhhA3OYW-Vr-+C1)_GC-?CNEq!+%T`u)qOOONUNlPlF
zWR-5&@8pXYCr{qLf1+Q*hW-1sRK7oIJa%%Yn9vWpX}24~j)?W!c9;%KiW+74PCQoE
zm=~qnwk~u|@Z699MgKvq|NiIq%^o>C%O}Uj)aJ1v3laK^`4sTz5!>DjAy{Uz0OR9V
zVi-&`R)|MgYvF=uxO0qJ<F_zcC{3t6qX&n<&!SVZ{sX<gJO}mlx#E!g@aW?lt-@_E
ze0guYekeOP+b`B_lQM3L;I}Sh)dti0HS40b$Ih7(WjSz4*gkE-mT~3|qecxH8b3Wb
zNXZBkc7#PP3^L7`J3r8S+NP)(mf`&b&y=*F{buUCo_ERM{bi^A)+O~Dtur?Q(U~4M
z9HQ~O^El^?VK*_@<xm$HHpO}DmT`Z|rlfdf#8F|^?BKb6<_S~c&zwq3NZGzIJUCLx
zJSN2Wdu$zPZt2{M*)W@{KRm|zR;7Pk@<pwkFIj6n`|9x<!yaC*H?Mb_TA!n{>cuxd
z=Y1;ZbEt;G%80MP@sZ0`-Ts(>K0SSX!R^yc=JJHfJwrUZ2`@>0;*j+#-j_hzUKsAH
zF3_4^I<qn9l;U+;m^p61>>*~>n0=cMCE`pNi`0VM-_RTE8(0>U>ffc`=-~L{k;*~x
z5gLng#tBQrJ+r4rdYYN88JKUqV#sNfJK$E@;kbSAmSv*h{)mW7?_=fyD*qh9%mikE
z9(W4-k&R=$SrS`=cN#rG3zstwSCwbr_5&yP+&#H%)7-#yiXSrzp1uL0{$@R`oP7WB
z)3#5k`?F8?9kO0M1$b&c?|FsE#xsW_Vvj15uL-jz4WH}AIhgVn@JuiSN3#Oer%o5D
zvvSPFb>Jwk(74?7==Wfui5R5yJIFWE%UrDuHh3BIpzWc7=hAcHQe(Alk6f2B<%pSV
ze|?4-=z{kW2R0mXaxZ9Emcd`GRb6U}GRr8|=ohjzIVa)Tp{R&?==Dszj7;;J6%q(p
z4o~L&UQ(%-5MsvLJ#>5^?x23cdqf54Cs=>Zf7w#pfWQ;aUba>1NY(Lw;|90HIjoe>
zqQO=1^-I_(l@dN^33v+LC^eMzGi6njZ4Xi%yMdB^88-pWg>cWU=bGXHWQVMelHFxJ
z-uR%|DD{!Pf|H3W>{m;%J|AHs_!avXh))^r-%$r|c}BbDl0G9!l_VN$bxG&|y~A2?
z%7`4roh48&>=^O8O(;x&TLfH@^fUhY@{_EuvJ`QC>KAAHPS$^lq5z4uQ6&T%awHz)
z*KlK?tRE}s_wJCIO8O{i4{J~2b$@8^%GvIR(Xuapw>kNnvCFtqA77^*`Q<{oYu&2j
z`gT*OJBv0ROj)yjyE6TQuwYieB0uxcG3yTa!K7*D<yTb0L>;UA${Mo9h-}k|IbEwq
z_THA-={LGjWo(&WB-<MZf(Z4Fi>&WJ8)e%wm?W?~cC<RwSX<IJ!$9gIzyfY9C%Zhb
z_NDNU=_1=Tz^A3;$ZYuxzzlks!H1eSQfCCFQey;g0RtG~DW%LA7&<6u0AjlYp9swj
zKH86FSHfG5o@Pn5k%e74N%}<+J&_O}7!HXPf%hr3k==4x&lmA!x|_C`SJRtG8}VRx
zt|8t%w&BM-1P9GlW!U)vt+-L%XdpFoguB8^eEONHAohiuWLI7G`MD+%?!APe;Rf8B
zM+|UXF%)#a7mm~u4;sq%PjHlB{Cwom5nD1{zJEDEI$>OeCeNUy6=#~uF3g`AzDUD(
z+fa)H>5qkoD2I-8x?)S=AJIZuuCXOgD0{x4JU6qeM8|g<3$718>C{|6y`Pg0+&9*J
zG@}1o=i=0)leTKze3YM?ITd}OQWv)0nRo}!=@!`l{N=fs`{6k+8`xg_dhT;4Fn+Bc
zDA)WUrAYtkrS;~-jfOJfUK=lugb9(M(J{fD9T<g9@pK5^p2qqlH~InAfCgbRv$1|5
z<&-VWeTkZKsIBqL%ELQOnD$RhVzw(RbNUL|i$GUQv*#=bTx8kL8uKD&E?vFtar<)*
z@1HTAMgQXC#~d*qP1=2Jh0<lM;In9M=q&S>Jw5?oXKmv6ME{Xjx*Epfmrr&0gq|fE
zI~YD_;ZLs$^XJZ)A7u8Qy&)!b_kklT71o|_p-v)$8;JmGq<F;Ap(bKHn4rC)XW;M=
zeP}l#m8-tS4cQw`ug^s!wv9v9_u4Ql!mUybya!77LnE+ls3ng6{DS4=BV!{_4$NM5
z;2}5@M=#m9Ep2O7R5r>QhO-IvbcRfjtVulhm0@_+Cpf*~6|M>uB82h8x8(eZIX{Q9
zlvvb5XUIB^O*C)m)AYP_L|uC7@D@ZArk!9Dsu_NN>qt{X(*JsZY%jU*b>5`FLcQqB
zrnsB~rh*1>tc-<?grl#^LSgtd9m@5DHY`_{6Ftj)yuXhtUW{iL(_iK_NY@#DKQ5k%
zpD||aH1B?j9*)v4@;{OE{KKag5&(1>YRy$O6oP!9xpKwLwbz>ay|}shT5}_~$%F@-
z<aCE)LMD0o&wyZsh>wsw4237qMBoI(QAg<M0=y+18YB&1^G?tpe=JTpPX6A(*K{14
zXQTq@@bT3-F{v4q+dLHf{Jdt3F?SfA_wMzvW51-tg!;xSw;v08-TNkXF~b?!SPLrA
z=K0@Ixmn7%=0eUF)HqnZ)l33$rn2XX=`-t8D7NA`a!OKKsBfF|gu@8Ri$27Wv*GPP
z$)GM&f9oojQ1dhAzM$umRNv<KB45@heUcPTEmpy(YsL;}Ne{3WI4aBd3>JTFPgw{&
zFY}Kz*pWffb(voWG#Ug)`=KYc4m21Q&$-LnL2;twGx&*0gCs=BpfIpB{#J96@&*aI
z12PkZ-StAM%4rNOkkha`qT~|~P{dWEF;Vhq&=J@KIYZ<|R6N(yUFEju>tPv|$xf50
z1wi7EJXj+zXcq(q>AOGLc}rA>)0imW7~PaEVLqLxcD~^Q(l>Fk_r}xncxQ8$A!BPT
zR1B~3=L>sQL~ht>Hhg%=yI=OayZq)KWa*3KFUXRX3bMrS$1(Y6_6;Z#60MX8!?oeG
z>AemAupe+hfXCy=4Ioe-ZO#=B1+(=+;$sQ+mbOzWzTeeIR9k-Lzp)N=2ia7Fy=zI(
z<Nc}o4=z(y5<K4m`@&yGG!)S?akBsDky@zZ&$CMNB}lqM32)*B2;CEo_{v{i%|U!e
zA*pyr6<^q_Gv8H6&V2C2HNHT7rD4mLk&5?LDme!slvsXq$xyU_Z?7eU5H)39zf-Ho
zeD6`20&jfJZZ1^?!)^E%UOmc4){R=+P;<Unk$CAP&p(}xv_}5lQC|VjrR=oMrepQ+
ztz$keQDgml%vy8ltojTQ%)<I}1SH&EA8lUpnzvDDt<~0~Z^*kva4WlcC2nt;LMxbO
z%?GV?;UTjY`kU*HKJn`Pv12zC!|VOAVSxx8U3BY_5E>D(d8;XQ%et7gD}G$O))M<(
zSRF8P)dX{k5&gR>i<d50jL1tr&7J#Gm>CQKKctEwpY@^&-%%sWXAXzzSx=Ug$vJ}q
zkU>=?SRxrP;?6RH(Za^XFncXlgF>`Do5AKhrxqH2#QoA-?zcjQ-`C3cyo}n&uuTS2
zWq0aNn@*5}|Af^2OBbr@@EW@fZ5YnSs1=Quiz?z*FL>p^t4*zV380a`bk-TpUxJyg
z;aX?bLHpTBXL#0G*J+_Z-ps*hIDd*d^yMxNe=%EN!|vl4|0C%P4m3-kQd05QIJZ_0
z1Jly3Vs%F5BTQ*RJ|z1@z~@lSydeC8aN@ko-8-@xquNUoaniMf_b*F0K4%<tEeWxL
z9nNXd!>>p<-CEjxZ5nw~3qU!vBpPz%h1BXJY*`cKUAfkn;R%>r&O-e{JZAV6E1SU*
z)JkZTn&B_*x=Tl`?c91$()3l0w3Kk17}phP0N?R55azX*C%so-_mfPPKh_u<OEa`q
zusZ8;MBi#&7xT5Xo1q18{mjPxBtQRS>>%kM4C@8VA5Vg{s2-AtuM;Zz^vtlCz61CH
ztz&u~hBgUdXkl}KfS=%Xks$$LW|83m+BXz6*2;ebk6lJ%gD-Nm|93JSXGgg5whAZR
z)?#kFgS_Gw)KBYS$+v*_AhP_cimx5-8R^JNc0|M`-0-iKAn;W*0&lH@*}zuCTFJgI
zhjSl1ETY;Ok0lALHtzPX*u+;l>iTNf9rjH(fyO|)8m+6+PxvnkI<3V#e8O)2je0B%
z;A?(^DrJ%LAu#fpC5-&Nfii8y9{8kjkKprjsYMPl+$zcNE6<>fY%IW9Q6v6Yf;~%X
zr2FSkqZ#fZX85WAs&<+ud{q|0&Z-f15We%RiVSt~F^^^@<|EQN&o(g(`8I~}j3@Gp
zh^P*#GAImGWn<V&DV{IMLy1@Xupk^YM`&d>@-lH+86#hz>oy>5Yb5KS%p1vhF|v;0
zwNFLHEvOq^3dOkMu~gRTHgZZ}HYD>*>Bw}BXWC6c+Suaxa=b-YZvHg`U(e&~J-!&4
zh_g-|=O$}E%~i)W<7pt@O%XIiUDk@Hr>o86=HT%mt{HCDkPZ2l)TvaD=gZa{cDj<A
z)EVF2;~V$ZnOT#6yYv#iJmcwz8*X=ec){waKZaWyWM*|$1phGy&9qSiFrRS<UL++_
zi+F49qMz7f>?35MmRIoQ-N#7n!&r3+HgHS+;nVr1QUi73-&y@H)4#Y>wdACesE7-1
zHS!HbHDr|C1`wXJpIPow%Pk@Oz;bW2vfQ%}JrL#IXc7TRy5Zg(i&4G~)5_xR%@5;u
z??)Tlz4>A1v@w)DS2B!xhTm(*d<vULhJW4BuHU`f-Q^CI#vNE4Uc-o1`ZM108h(0D
zov#O+@;IR6{p^}P{0Cv@xWOCyL7%~eMCYj9dqyg*y^oB`J}yj6&kH_jMjX>b<GTYV
zuI-EtpS9J(da{Ya{OyZl<4rh2ZH&`=*KL6tL{FM1tO{7}=VPidx>rYp=j*@pFd}wI
zP|89;e(tEk;)i*?rB0t%r{^$C6^qJ<Fl8w3!dw~L<~ozJGLJ-Ki{YuC$Tn;L17#b_
z74;qx{%E_zLn_%ef2~lxHh9S>_-j;;d@hbUs2JY+@(Z~0ryA545Iv>4j63<JL~O1z
zu3tChi$&#I4Lb;+*Q8Z;)8^l5yAg)!Zrc10^%?SQ4yseZlU?Pvc|O0*|Jq*vk9{<h
z>`2Z+;e6EbS33Zk-Cf%8={YvVVOaDxm1C93R9=dY+MNv>6x)NRZ;?~6#BYH_V-@;a
zJ*`PjVK5k<I^EN4h^b%p<TDn-Enj*7b;3X9g>S#i2Tdi_w=|?<{POoBH3cy;z=plB
zvSD8;4<hIgxUgR&jn$n?&LObE{M`jSLKI!>D&qs^*Gn`F{ppwH@@z;NSM#pWNcn|y
zsbCuNXS>KQMG+d8HQP!(`M0IiBDkcoxS}OEqMtu<w!1xqIyhbMEJa~x@OK;LNKZ;`
zhe8`_qFoQOwR;YY{nZOruE>3m^dFQSt2sx>(@8q_4}A!0z%N<;?eIT8_2!IV2QEIj
z`m5bwj|xpnQh^UR92K#wts)dRDz%F|bK#-sMek(iIE(8xVSJ?ThG^5ysK`AB(gS?<
zSuVd6l1KGPZjKnpEqge%J~#IAbmgeOkTNGO*xNKcFmT+U!8=lhTe{R14C;Q5pM5UO
z8`q*z4!Q)s^(Topnq4pkjb>UEI4wBaitCqmIU6??zWb8%WMn9?W-z?i%=z99OXZWr
z<uRL6|Ms1EV$#)?UucIOgIW7aNu-85LQ`}+l!RKD)BS;oAUfQJY&#vI_GYye=uMdu
zmmb~im(nptdGuJw_xt`lD`RFZ?HjVPilG&|gS@A8*AmlC?~j}1x7qStgLRz*!{*y_
zQ+y|zrUcCP4)k8NeY(Xkv`cFwdne{jxnVBROJP?PYo_K?@8)tdKK-LKjg<pWN2vR^
z<O1ibUDRDp09)cjUlsKMHFFa6%{Zq7)s~jAC76{wdD<UlFy)P<W}I8nKDAPf*zS4o
zmAvwY9<$J_m|glpCFWA}Vvqzi8I8LHRbH{CjIIFrn50WgLfYp>StYeT6h0*yv^DB2
zT>GDY4b=phQZi>!ttvL=q6smj<g4$-yhA@__D#OwP6Nr1e^Gq~7BxR9X}~3D@k+^e
zsft=ou1juGV?2YsN0!%!>-sAIJW9#nSBtA_pa~?UWU!IelqJRT5R#w<Lk&}*2lGP>
zg{a{Z|GMgn4l=n=ir_VZwY8RStqDK8`SMv8QM@UIORcTNdGkiYM=B>PhQimfJHcb%
z$VG5$w2>_^{>rOCsV~Z))4WUpZxCO0UHIY~y3@08@zeiUD7SF+2WcnYzU9=G0VuSb
zTC7DM3iu=}(e^HC1nZ4YS3fSWei^Mk1q^jddFNlWbvG}&kZdj?$2Ge9Sxk)sZQY@~
z&e#vADHH9%YuEu@10T=+Aff%ICB0PW05l#5uIzH9162yQ7&2xDjdbf{GF<C-7<5)Y
zTgD%4X=lsYf@e}iAa{T6%{uM=I*wCP|Hd`ysn9HhDcFqLs~bBY@^*M5mXbz#-i7~`
zrKI<~sxP)i2CBM4f3NB;s=D((RP~Rol=*M-`2W(s&+}fQ<|WF&PXGMd;|$ytvv4%d
zS+&5_=@Df0S-3pl#m`y0P7;Nj#^x<n4c}2Kqj>Qzr_{<QjbG}W)AYu*)h;OfM8Xkp
z0CPB%oF;MCh!&VaceR053Fm6@K;z6Bb5A6Ed3#B12r<pBSoVT~9j3x1-!2!`!%62Y
z47uU}0}!X?kl0#C@oEiCV#5c{hbQGHl2aT+MpXBVs;M=tBI935Y?`PBpraA|=Ci7`
zaYmPc?~LG=q%EF{oT2I_AN8lMa$PR}oI*^-_SAwWPJxqCHMy=P(wveUP@KKuA`L>m
zytu&PxymXi%K!OCs`0TZ^?f0Mf>y`Ucaxr<7pcsrTylhFfK1i*!9A=y9tLm2D-3Et
z2u(Fk>5lFS8am9|r@x{<Dn*A<IVb-le^B>w9H<C_MLk1=DquTSI`M{j(6AQQneD(4
zGsliq3=MNxHOQin!Xu~v52X9H>@pus9E+Es%F}(PgoH0!0VbpGRAws}B0@LsSrBK|
zM>9BLTrCkV!3g4EArU5+fAoQ!T*folgQyEx?V=?VFQeFewTu*x5~bB9<N`@o6NT(l
zI|dWaa%m4<D(XgNW;JySC3M3~HN|sb_vfF2k^V85Ogge4VVO8FG+@fyxyzP^S$wMs
z3%Bf8u-B};Cg4ekj1t7xKSlk#rC_6u6yU+>N4sQ4^~Xmd{NDO#8s}C;eFSQpY|NzE
z8PpJusry;OY*t&aJ{bMAxSzEpn$oQJJxF7=b)P<J>~_smYP1i~D|jac`b48otdV$=
zJ>tCgTWs;JRr0krnfeG}+4WN`YOGM{(k^39eJsd0dhJTaz-m>;_U(wL=fA5q{_(8T
z1bPpJD#Pk+9^PM4=5b@{;}ig=rpTiaM>ZXUZhO-Y5w4K~PqKhY)Iem~(@ZDvzlgW|
z{i!E7c86TNmVTg2!`oa(+=5~eRN^m=y){ziCzdG=e{NJ^;$CDHIeUo5DjFa~Nsag$
zTOJI9_o@x;_ByH!!Rd#J@Rw`~5Upwgd6H0MX(PgMtSkGT^%6?%Z`>or?@Gm|TThO&
zfZqd65Zs}acjWkvn;!S0t;UOKyG{We%}dvJwOisv6FqY5>gLrK2x?xsQ}ffNbTzSH
zmSQBwbHG4~cy*O3n*jcPnbnN2oMw)_fzcUOzcVwNm?^&_)e5uV<>`Z35!#BXcgS=H
z*2)y;2vgE_2<^G<{spQF<Pnhi^12q&rVN>9p{1}HU8)<hX4<X?u+hbriaJ*JemAlJ
zdF=?TM3Bh+juZ~J{VQ~fn}NLNW+EAg9o;UY7Yt_>HRXD$e`u5bC!!S)g?ADa8d*Hk
zsLhH1zTyO9>RgH5{No`K7L-nSj4ZVMBF`su2o~&4hDXJny2d+|&pUOEck0pSP8HT?
zx{|83m(xj0`7^^)X#cr3xGGiS;AvhW>3++A{-=D+U3dlV1-MTt2Xj8)EW*S{$^%K6
zGtPb5%mK=m$1HX!%xd<5!P)?k9UNyLT&#e<;Lc|*-2ONRPH6_Uyv*K<v+9SBoYlgY
zmGvI(7iK@r2`ChU1@cvg8zXX7?pSx&{u$fHT*T<~Ek`z-wl6-6{lRlhqD%zoJP+@p
z(}bJu5zUY}grXxrBxs0ixTM-3F&7AS?YJOZ;W@b0(hhhGt`5emI{E+y88W^;PIf2U
z4i4VPQ4KqD*Q^YA$f;}oV6A{e7vpe49m;;8o`zgC7U3vYO8R)H=6W&9RsN-@3Vl7A
zdQO8uRuuofcqL4i*t7$%%szPh_6mi4EgCwzFA4JVFdJ5S1VyL9Hw#H?+pIVUGzGIh
zN7AnkrEjbHM_bueU^N2P5HEiZIF4a`RhHQ+-K+)yb!IjMhN0>p8;1I_ia;)$zh(Q9
z1oMA8%m3-U`it}W#q;>Tz3?W;Ks*UIq%43{ERYlNiaURE?4o3|{?|~vHaGRZ@`;9i
zszRL|4gk-DzJ5a{!wT3EY&D+U7k^@<g$>p9Uo}4Ntck8T_8jlie}RRD>P{@&=iSr9
zd>IUZF#3QiI;ytz=~=31qDoE9uxe{92JegPYn>sWtBzF*Z_<lZGO>zJ;Wik~Pii8z
zl3Ew{6C_9t$3z1+{2Cj`fo~wEqPolp-*crU*b~D*il%DthRAJ41&%m6fYJe_TB210
zG=-WPx?vM2R}~a>Q0xBnFCM4YTeCSJ8{e}9g)Z>2j8r?z06c8_W!}$a@pe(5eh~Gi
z;EG6<-yS2qEwmv{xT8S4dOFfjkrqqr8)YagIgUYt+JryK?T1lzn(k-XF3~6|l3|FU
zz_-&5ShwrtB42)-`)b7u$~Y9$z!jRHNTTi(icIDuYNC1^Pq*T1eZI_=qh;%Z`~Bmm
z*Er5FC%wf{Z&Qq&d-#nQp<HVs?1<U3CEa`?)w5Tm!a7%>u43zu;eLJ1<EKT&OjX)8
z6~?EX_PlHc=j3n`-iloj4+KDIdg4q&Q>gnNSa}AuE7bvhLJp2n-FNR1F{DGyUs+vN
zxp7BUd8X0=_zCK_{K9r3_xl_{LD}}a4VleLsGPB<`>}VwrskYIn>wU+P4^#qqH-t|
z4wJ%HP7MU+6q_hAeXa4VvUB?2Q{D=z24`UaC*T}+5)L!C^@?mX#T)xfjoY7<wB?kN
z%V1^v#dF?&dav6TMnWU_1;+T3&zq-Q0)&DJcDz*$3Z=_A34Y*pR!p8bd*;IV%a$#$
z7#hult%;%Ef=%0g++qIpd=~8Jzpj3$=Cr`Yi~JO|y;Q<jP(Pp+_WnHM2kACEphAt8
z&&A{%Qa(SM_860N1=xjMp#&4pZq7_RX5Jh3#RF<*Gqli#`Y`+%Kwq__TFQSk%lIc_
z@NahuUJxDu#Snj4<RY*gPQbz|c`bl_3b}*kz|~4u*Pm9rJ;CST4VXxKXi+wU_MC;b
zx2QgK)$wg>P&~1*u8So^Xfr25Z8aja*-C^AqXEWhz~0=UZ8`!*9zw?$n!g2E08h!^
zE$zXRYe0n@t-u{F`c(dX2AMS!gZi258w+nkLopc4zQcaefwDH?AO@)O=UsuLMtB4a
zRP?8CytO5>)t1b}p|H~BqdWY1Dy$-Qctssq+GVkCw573NX>wpSibaWES{U(fWSor$
z?j<D@Lk)%(wd8122SD`#HL7>OO7#r>FaWy?IH{Nt8nl+=2+-&kpg}6Qs#P4(pdLs`
zZIFW|8Wjq`C0gOP^KWc%Wfnske5E0#lz*QNhaIWjeoX54^VIDP>vo4ZeP6#$J|_sc
zGb-%FXlIWa?J*l@BA4ZkFtMSXWa1FQFtSO-#Q-Clp1?PFL#hzJI&yoAIbx*-9K0cx
zjKDWoH7j`eWOI|T<Cr*Inb9)DHEc{+=gJGk;A0^t=i~z5pdSTtcWXU1t+<xb1XdpS
zg5L{lmZ<+8vpew;=#ah`VQ?Z41}9<!6Rik?6=(`)pxII@!eA&S<Y~$M3rFfIhBJk=
z>5yDi*OVFwhR6IaKB?WskNI7Encu~ab7eLOM{QCz2Njqk9LCKY2`60&uwKoY$+d<I
z=U;qB2Lf#LmAnZ^0|wuFQAhLco3yK%Bmd3dm-Rke)`kQ7Cmx=8INV;Jto5nP4eONc
z<hw5v9XqLx;g0ek;Y`pu(Rb+Gk;g*(=1uEj%<I-_&{Sul`TU(EgfPEMBeX|1Cz^Cf
z2Mmx&!XZ)rO5-+AvwnHN&Hx8a-VqqQClCcD9Rk2AGQo5N`1DCy#T(bfn%Az=D!!ss
ze3n=I1Ql!KU#CBgjy@=UQsvK}8hDQyfa${}(+-zRZJ;G~_)IwQFzSvw=Aoz`0Hz<p
znr1vfv$d)D{!m25j^vd8wPi-l>&@T8jh{=nn&B0*!`P}{qVoax9S;RYFz?l|?A4*b
zswqM^KF@c|xGHnpf+q!!;|}`i!Mj7!#(k;;$V%uo&kGARq`WEG3BmOWQVNB7@ugWs
z*BUidr%fE-(z8{#U&yo&jxL2Nc7{cdzgLO1fa5G%2QU9<$X;T`vxxZh@#~Y|P!{RA
z!8_9XK;ufsMg0a;eoedCIa*#ZA5ft7w9Xi=W!&&=tWKLF&IN$RbEqoL#n$FzVg|oV
z_*1GA%@&tOZeE^XJ{|1~x={;sqn3{9exJ)Kd(K?4a0dJ_{vmcz39FgTVeQ7z*TE#i
zTa8Ci=S*jq#&w2S+0HPH?+nuz&oFSFhBGb~RT1=q8?JHKyA4IXHP}0tqkX!chYzq<
zg1v}_U{{$V*v;n%b}$|3A|Hj);U)0vKnn$^xtEvlpew;+MimJcwYRMU|M5Z0r=|pE
zHo*#C7hd!&j8p!dw9Rl=Kf*#mWB3;TJHzLv7DY%~5L}v`JH$}M9wa<20CNo3->WC0
zc4sQtKH2_<<|UC>$$O>Oy2%^U^L8EIcG8|z5<^D&yHEF=5Iu3{l%4h`_Z&|>Z@M|)
za8r1?)#=mC*)wv&jtTH7cbziQy_2c!>GlZ3X}A%h)-@(YN5#ZM2K!B(=0D!w60&{%
zwyp3LiD!AnF;lkhiCVv9%VuTQ<dn&&Q|;&a`!9get2cMMz6s+_4u#y1YT0Q><;Ir<
zfc$W2@D`{s#)eJ+4(jxx8X39g=D11waO@m*C#9$F_JpH_Vbb_<5VX7ESOF1<`z1qW
zhhK6{P;?t{tgl;e?@;(~meT3#akaq-$hbgKRJf2^mC7{|z1@~9nx@>n{N%+m({JrB
zGF|(gKK%z+ZaNFm@kz1i<^wS^M|5^-0$&J0(YJz*oXY$L?#0dlc&9a)fofq!XM%P5
z>g|!Y=SQUX*rF_lQ_Rn?NqY~QUVonl#HhZ$V+L6+Hx&~0ByHMf&WM`jHNk6!lL9r&
z3;H_N&)w5AV6^L)9SM_^9*u>O8P~nxw&#iyAbkXoFZ9tV^sODGI6@eg&V1}e$5=O!
zjbT3vwdhA3EA`QM?%kH;H5<0><{q3Li-&ob`snm6!yqnIe{})n|Fr4D-4}wxY<}hM
zhXG-b_<p^J2dUC6bDRSF7tIe)R^1XHv46!Li@_}Rw7U?sd()ad<^y|t#*FfsK4|#Z
zxVXtm&&I;o%(Gt4%=-SJpUCp|DI8(*s4|#?N_I2~QGTAD1MjSJ$!;`uSit0|fQVRi
zXwOOW?vz=xwkg*h3cDx#u&WIoMF6A41_5rzt^*0mPoInvJT_mOqa<xh+_2M}mN;|N
zC@;UsSWgk_sVV6l_<A~EJ>mN77WoV<R<nOnR0VGU^L162d1}?Utc|_Cdnhi{Hx8Nf
z4QvN0;Ew*P8aaYqufob09-Myi%b2tu;`qwkNQ>E>a@2IM<8dZbY4byaL5c2}Q{d0(
zI(^K99;Q~0`;&ydoJ=>3{kM4R*lkLQ-ISajJ9FZUP#^yQ_;dQ;J!Z6fblUD6J9cbV
zuK1?SayPko292}mdxnB(dV|Ak1FWga)R-#U(T{Y{IKgXkPIhwCu01KUT_P2)z)5iL
z4`j!=8?E>ZCOLyy>8q?Xv;D3c6PWJiu>5_8wkGdXn9YKb69<?lcx>GgptNrxc%+<|
zavNT1;c$I~ze+a!AsfbXzZZB;MbY4u?`ghVLof`zSk$A~4{}4Xi{;P~7t5uT&35_|
zK}m?huCKVhY2kapu+|^u;@rb>uwa;Ukyd{8uyiZ-fSCx^T6467uq}pNA>dw?GCgmX
zR;xolZ?}<_Gp&WV<oL)v=HwkgKK+?#@|IT0|IH!O3oa%J@W*t30%xMtA=3+FDLySz
z>2*)=p6orx!#sJ$=GYTtP7b`s-7(j7WJ(AtWomTO?VaX}S<&i?nOf|Nnflq?(hX=&
z@WuR`@K0aNXzq(iFbYQq74H()O4<w8$|`Ui!Z$c$;<MEovkI~tlK9tRcgr7X+6S!g
zk8oz3W~3iKupi-y(~SJ!D@hNK=m+?|m+S#JG)YTTKWT~Tr<X;axE~KQ7DkkK85*r#
zhBi2SR2DID66vce@HExD40R)zp4B!nr$em#eWugA40%ydNzKd9XuMClLvWhJgK_N<
zq;E+&tCyioBA_qI!fVxwebs^4@PajOs>k56Q`72DbWC&Y;c0N$;c10q8QhMFj&U!;
z+R|U{g*A)43nMa>y(^MaO&9&*hedGj!iebjUs4w(?KNetk0|jj^s1u_SvO-0oC~M;
zd-nX%(#+~y=;bwbuJ16DQ|c7%TUZ+=1SL*|s2x6qyM9x$=f-5<nn;XFgiGNg?o#-Z
zf6}h~>vrUr-nb{0coc?>R3<F)bT@U0_RbFD9))3k-d){SOrBsG85U;sC>)I_7%*G=
z(-pS-qYG=$A~;j7z%q{p=0R`#tl~-O;ym2Fw1?+F?smvMK}H5QIw+}Sjq7-Bq_;qN
zo8mmZCHiv!@)WkDU8uyktvDSP+JE*zI<ohX)rUU-7lQWE37PgDl(ipE;>Vw*B2l%Y
z4YF!ye2fS%qWTq`fWgpNiH!yb*jj*RX}!%yXIWpZv+z~!ji3L~S!8a9%)GO;(N}mc
zYkfs>3nXiO#m~JZHk|hrv%Cv+So@0fhRDPFiXZ#P@w}^SC%VdZ@~+~?llYN$6;MDM
zWH#8^Rn`YxWfyr@L($Vvt)rBTo;uFwbFdWsbfm<;&1ool8Ol5P2%U7)x)_QchH4!Q
zMgKyz?&YF;j@m?qqHm$RYjC=g$&+`j33}FqcdQBe)r5Cz9(py;+Nqy-pB#CgX!%|I
zv5kF4U%j^@I5c1xQ_(rvs7)hnME7XpKc<nE^EF@2dk7!VgA#2lUUO7d=FFjICD-Nf
zFq<<U?LKMSVL7@@%Xz=m6X-XJShv7(be)!KTVOfg0zTRnaN%3PMcV={=s&se0nloU
zfL2?FK%4j$sB~7!md;3IC$oX7&n@b7!*-#H3%UuOHrJ&`X0JP7zf4>|X8o{;vFj#O
zYAk}k?r!`j#=hmzYhr2%WG6CN?JTegpepUvvbV|R@{3yz*&nFX+wb2Q3bL_P>3i|z
z^|Z&wyb}AYSC&CCIlOUu+CI~r&e4r6tbzCey4)8Bbo--1rcMnA7^RFs3uFTxJXg$#
z37Ry)H*g59;{K}L6WadNHsO;U&A~Q4p0#~{iZbw&FvEX(@Fa5|_v{Dv4jw+Sb6Z%z
z4&~?>A<=tO%s?{}>b8I{RgLHE$qtp&Q_J3?ZFg<ay>CC+X??3GlJU_+h$pq1ondAL
z<M_bd8EM;Q-Q`U0>a|8r?u>F1)Upp>KD_;qA`rpuA?yB<YCmMPZ&SyIY!}8oLrr;@
z&p&<uJWt(+tZqJae#nyW#R<K>d;h}|bemefv_m8%JLAbCv2n=?jb^P{{?bJ^Z*I_{
zS>`t54?nzjF#GJ@ZJ~it%87HrPR}thfK2<UPHT91*UWdOuh0z#_3#tk_nIHHzJGvX
z1PFW|)XvpeD^`<QRTuR|W$AYb37p2GZCi3h{H%It_3i#k_Z8Y(o$b{1pA|HD#>@@7
zf-Rkg2!nR*_W@opYlU)DM$9_%f%Onb5b??xNtLKQxB(ITQhQ-Bwdb|Y!c_2Sh<^y@
zqF<5H3lyz0P&`Zy+4<!6+K|GhHJ|E<8S~CA+y@7*l-g%mb0JkU_?)BWDZdKK#f9U;
zdyX}+daqHil&&l5@7qCGEKa}L5n&gYEgGo=QVE`0?d*{Kni{+|`0zSkLrs^x;Kag1
zs57Gh6v~kOCkkYvcCO2+i$hlRSvAVCSRDHbyqCKGu3OK_@IA9boBV#*HnTAeRQB#e
za7R^J-vJs*+3(vx6<Fm?b1JJmDLr6P-o5*~vyLC%GrVOhk3o2bfEC=PJLGVO&$;8f
z;yJHzQhavj;QNAh$qf|N3cJPKNDeu=!*N05#`^klz}Ygi?yg$#iEZ2`8t{<^G#h5@
zKPmSS>OOHiWq8YG69*4as1~qO_r$MWvq_nCO;|W5XmNnqWBi((fy%v@JV+v@;x2xr
zby0t+&C38w_g&{k=3}W^s4;h_jMgiMx5d3`kR#q<4Fs|m>re;b;P!;HpH1(a6B}As
zb952TsAaNr*>OSc<9%iVVup=X?VeK1Biqyh?wipM6H{>V%*`Xd3H@S}AEE`1P1DxK
zn6__<Ox_b8GIOUT_pFdIe$ckz<_0|nbn27hnKM&4>L>gk(%u6siez0MXB@f*rxlfP
z6lR=hqB*ZQV$N9vRDz-+h~$h&7Lip1QB)L=3<9E{qM~BXE(Xk))>YTEyQb<n#oqnD
zJ-B=JoO|xQzvuZsyD~E!s;jHM`l{*+?^_v>ALp+Mjtp~K;kv8POFL@<<9g&`Fz|6P
zO)Y;0x+ut=20ix)Db(CE`fea;jb7;>%H^?7r0XwI5-fI!(K*;PcoN!$#><BI`7B!K
zU-Vc@;;m??jCMIY6##0+bg{s_lOzaO%_>BV(vAhU)_BH}b)XJWi(_5aE;LJG*Ve`y
ziaP2*983W@W$Z0*@5wxD#<mD0(ih@QN_Ib)n^v~DVsok4CN{+@b!D1oHJxh;O?DTB
zb!EM&V}i>%r*(_X*0XU(V~@rjaw3kV-?7frF~%jqDONlle{@|<LX8iOo8w*Pi^4BS
z6J*jf@d;9P|Ff-ow(Z$gXa=q6yESNA(1C%b=oA2YdSlb($xuUf)u{N8*q~@{6c$w+
zwI?on<vml8O@O7#8Dr|NFOewFbmE(Sf^85^xV@r4ujm!!8RZq_A--yPbm`i%6+eq_
z3hs-&xY1J_nA@L8a>*@eu2`8{&nSqI=8{V060I9ZM$70Nx{onFE+?Pl#19RB^ZFHd
z<Q%UL_wrg3=+CDd$GEp@a(gJ-QURZ}cV1a!iQ2!B_-p8HLE1>BHcIj!&Z4l??a$u5
zhhK7?iHeMf_E9hKsXTS6q_R3|M|{){{@68USNMwEj_Q6Rry{pjQa|lyNSs}B5#$wc
zKT$$i$*$a7ej~eO74uYZvodElFJN*)e0O-LCy$>7y0E$_Pxzun<?`U-AI=mOmu6-r
ztl15~V_C?WHL=L|B%X4D68FgI2Oab9`a{WuPtpte=Gt`b;hdf9z8#r+wr3<EeIcuX
zNsS2D?5pnWIc*#tEptv}M%TcNx|+mXzI1>8<sa|NsyE4fGWzXzk6yp9|DgD6i!_lK
zjF+3o>(9I959SrWMK568*QRD}P1&55#;?oF*sx7~>q5odor#(2()km2XlpigP3Wdj
zwc=y+*eOegFVFGHTf-;HaAV+_$iP6AZ$|iTajl3<jn!)+f_+qY$n1*&_q2$<O($oS
z{$abyD|YY7&)*&9;Sm<@k2EUVEeLON_1T`cHFfK@bUtxMX7WyT8M`+#AuQNC+!bcG
zP4aAY#b$C-?tRME#oa$3P@8s9>_3@tlS&u!#iW7&EBTY6?q^*LIfccheUlu*^cV`e
z$&|!D5^TRn4u3)%d%W^h@udcyG+NPTvK8@>e$la_yCQ59gNG)TsOy0?a|#O(H>l*t
z^s(S(a`2PF^`O|+kJySsK*MREZ5d+7!bLw98whhz#JeL?Fp+E*AJ!iIE;*=I1X5+*
z&J>{RN8JJT>H6eEbxi!09G)~;Q9(8_*Xfqlc!Q38j*DM^d`%#xzHCl*=GIJg>DFL3
zp3eP9d}TQ~nOk?N_om~$Jx`5wUghiUtKAp2I@?+8>>c3i$0xCIhnT_G^=y*osLTIs
zo|OT<zS<-<_7F1!r=%JTfP-Y6^3%_3!Zju+uV`(t`meFzu_81ukjFSL$Hk;KO&8@K
zqV|MLd?E^Oym+JFHk^%JiG1v0KVRfyPZ&SN-2Bv(C&hbr=4A8h?3jhWL2`>OUnnjt
z&fFaznF+swEF=QikWh{1buC_k&jIf@n?1a{cxS$P`;Nq<bbj{>CM9-lN{HHXWw5jU
zP0opLLdyjpB`vrsDSdnHt&~_{?7XNwdhz_?yrnyN&+VRR*{U5GTVV%?ipbL*xy0mn
zugF=T9_8RNbN&&(gW-I6<leYYRm9pDKR@qnd%U#HQyKq?+R($O$t^+ph>U+EIg8#I
zgL2FBQd6_|um)ybOiXf&Iv{*!B~RMkdo=3l09n)^$3$jS4K<OCDzkeGg={ZKpGyvW
ze206jac@mUL7q6Cw=H2FL&~Tx8yp%Q6RLJk$g1MWd~3QyHoSB}18xiuxVw@q<du|&
zTOHDhMRNRODBq>Dr=Ja))aN%h(vv|3CUk2fe4mUYQ;3qj7q8`z#Hq;q2?08p{fZ%C
zm`?8F-kwn0T_d_+2@(2>8|jLETTZ)%iNDwU;*H-Zi-wEhi^o2dZV^i|VDnDopM;j%
zYhUcZkQM+h{_dT)*fC&(>_Z#@df;>1_ap=D`i_1F<r+jbKfv8TNgtEV%18UEo|GZf
zhBTtuE2t)JRqX17RWL@!mM0X(lsOZPsTEe0^wzpaCLk^>+)Ew5E*Vix;+WdGBPknA
zpCxdQ$cRTUh~|PxbED#EzF4c=N7MqiuJCNwF=yz;VWgEz@e}}CcBny=E~U|==u`4X
z>>IH>Qho%NouY13tzSvCYJWjaRY^fuK$iBzRi@0#rC_>x&{*d_z_%KA$n~NV8XfGb
zb7AY43+sTV^iT)l$#x-gnMjtjFcf-<SW=bW&cVc9sl=fsGZOq*LS^Kh6ltl!%JPDY
z?b-b5dL|)e?YeNaUr-5=h4FOuFve0w+Mi}@^A86d#ft?&tx9e`sd+2~vR#bw^1%b=
z%OVT>4*~o!Ti?m5IG@;%xYd~aVoTz(<BFCL71C`#(LId+l1P6~)$D`Iu4*qEM#gT-
z+?|@WqnO{sW_qWFhN&WAqN9)v0L4E}7p<&2fn}az0`hIFnxf$Q#^L!m469p<2|r-g
zQ81^P#$$R|BS;@yK7Z|jB<DvWdoKm%omBbs_79&wPy3;Vo6A~%cYfbYW=Gzh)O_`!
z+#r`NJau3bBa>poRD%zX{-E9PK)Gy9Q3X$AtjoH9&{b;VE7<gsn1{C;N#7@ulFz^+
zgcDhuFeH~xyynT>p|UtHNM2!pPll&@;)H2kde=>TQe2pkoyV{DWD;Z^L8}(~d2GpC
ztz9{p2{>?k?LKuDiGsQ)I8j$nP_ip~-I`3^Tox3uCLY?NNrmNrn_gXDmV`PLxADsR
zf9~Xon<2LI^r2933q3nbdPo3c>9AXL7$iPS*nb5FGjVXgl4M??nXK^|{V~B`e@yVd
z(&Uc|Jp{`eq{~go0r<P_1Ds2+R6e=_$dPFmh7F%KYw+MJvmWv{443(o96nT3a-gbk
zwX2KoYB!+TiD6X^zex~3iukLJ($|lbH*PW!r4?}%>hgVCGE4az<8L?2gi0#eUU^t`
zD5?@G$%~i9HcXtrWUgA7z7oU=u@PSU#2aJBT$sTGdq=HsRk>uW*t1$Ya|T1!-%&1F
zzW>7c{RfU6+rMn~tmVrW;hD4rS=|FZccGN5whq}7Vse>SY<ss8rojXQkk_?PzGD?O
z2A^b#@1j5MscU!(?&w`{Z&Wn}S;r2RhI{VQDr}+~o-nv(S+&#NY3W9aeg?mGmnpg#
zSj!a2(Y-?FOzH-B&RrX=RZjka^A@>e?|0BDCKycXderrX-+6$C1BJ6K>GF~c14<}{
zltp)>SpIsfgJ36yq`amX&?)=2mmX7X-H^T^T}zZNS;eoQ&P&K!mzPJ@%Kg%O(|!2_
z7IX+A@YOHu_p#r{#;V3U&7b89IKE`Edcuv<H^>n<2j_~^MROzJ{RxG?srL=q`?UDi
zSY%8)0(^N#Y8LJq;S%lw)f09o;&8-a2V!PQdx&1(BMdd3Kzhxmz3^AWK8tT4H2~x%
zy&I^8C4)%A|60I6+Q86GW5ip@7fpj0aQPEr5H6LS2U6W#W~HA`=yLVEWmUJscw&2p
zPGvWwCvV-FmYkNRA^{E5lf9dH;LurhMM0Q<KHvC&Iqo{E2$?}<od?lwUi^%8%%oGY
z4ROhM@z~_J?_;%giOj@HGTN==!${H&a2`v+=zW1$-FhS?F64spLf+wHIa<0&wm93r
z=7Q=L{Z;ws4O^3XEPH?1?AN9t5do1t>x@XgEGubuY<9%;pG>_=TyyL<8@(RZT}Imm
z_w7$DRMh5aU(z8Qjobr1g6gj@kGBj9F)0z2{qbLq0ODkUfIFieO4#c=9e6{y9eggC
z!w}h5Yc}mPb98fVX^lF2M|@%iueetPtPsVE^pK_L{%UGEe-`Z$!LM^=*0N&~n9g@(
z;k0uUWyAayCz-AJe$B?n)DS8$Rosi+xi{eeUT!O*Muc+0CWM%rB3+*!N7CbKp+uRM
zx?w{q@7Odda?{$)(Ob-Fg+9#psc2I*=r}!<ul8I!RHk*K&zXpQvB%D<9yN_o9%nN?
zT;F_l@6l6cL+=Lp1cZAhm>m<kq{pSlrpK5)dg!;;GjHWivmJzC9NDNY%=a;|-^V11
zORtRgIHFh_WyMg9Umsu`O;^!A7dyXp)~*5V?{RkfmyGq>lXfIE%lqqwW1`oTlZXN@
zZ5DP>(hG{W7o?PfQK13uy7igsGZQm`UvLN1XB*OzQ_~>scpi9i*RyjHn2C+D%@La;
zQX-6k*fHyviNDBV<}7ix4+Qq5NWh>tckCSS%OsN9U&tuzGkOZS$`p1VHDP>N;)XaU
zcQA<;f;d^h&@)t`{6eBHun&P%43|`N{ke(9@Q*}U(5PALa1fOOZ#9aYkigjASR~Vb
z$VlZm<q9_P7;}`R9TzDVvx&!;N(>FrCI9-)%UiF&2f&NWGCWyXhE>U1@MLB2=U&bR
zG(spiG7OPz0uDk5@1RR?=##<9eD?U>Ajb@zax5KYc!zMZ#nGNVj_Bg#k7Uj{V);=L
zifPcB441+L7>(CSr<P0*8j>a}qez#;gG>>dv?PIcVdzn7I1br-Qo|Ipg|r6jLTo91
zTs$`)pZgg+B7*K`R<M2~NnDl$&?Ls4jS$atV9V)&S&7Vo>oU+>%uyzgE=dQ`Qi)5V
zQ84P#aPS=&^Wjhf-mfi!Q(I%(O^lQW_wOz$!0ejt&io>DW^bo5Ka8!Vtrt@3F~oX}
zEM+oN;N!pDMLlfrWH^S5FHd^Um%LLh^((%7qM~G9-tKr9s=%4x7Ze)fr$#`ohf=U=
zXu=%T+@RIxYR>J`Hz^)E@2_Tk|NPL)68`$RdF=P8$*HNT^kh*>o;f#}eeE^4qKnwX
zO0kLUFFDEdA7V>8qNVp0MEmdJv94-6NSTnFupvQ9+tiRY?Dx<jF)CQ7S}LnQ%lsmI
z*Q`MMi_=7}V3=83AsBw8l^FQ4AJ~cSw*XAL$bf9aMDd<gxEuT?Q@BT;+<G*xYM&9Q
z1FA-=dYPgs8ag&EI&58-dhntKKtii(9zHo(6y{yR<LXBb8Qi$6dQp)*W{&`aU%SZ^
zs|-NsXX^VM#?dqto%0eo0m>jOR=#NN5{su|Sn%N}<@v_K6Q}r@Z<u9^T|!*d4uOUH
zLH4k12T!u@&@pVz&YaAwEF)srFooTmxhX3f0KB8G(ALA|uXJ?Q-T=sPdFihG>gwFU
z6@hC*L&AAFR#Z2Wh_x&%5*SyZMxo;GiRWeO*KSz5MnxIe(=4Fvwt;w8rxlw3+UDsa
z#bV-2ZYe((-#SyEZR#zXpTGJR9BEIXP9FWnp51!9r25#<yQU%j!4dv(M#3=Jo`kH(
zU7?R2n65bFSZJSWq$qnite1@P{=M+JGgZ_csk5Y07@mZY<b;iL!)elTOoK_iV6J#q
zPn?uD#mEdN@PWW$7<{>?rfzGa*^P$rY+Q9nxo55sF>PoPsh?@ftFns+BA4#qEt_9#
zvTX6%WdYOGQz297!8&z_$drQ7ZX(58L^9$@_xEI~YFkqFx@;|N?Za$blN_6%8b8Bv
z3_`7k3)Y&`_y;hlE_9)6^ipP+>~1wP|F3T%D(_cuP6TU}^aArpMy0cuQ!+pdeESan
zdjGFYZsrIzn}U-wQGj@%o&Lh1`U_FU<U7a3nN^rf`rm0XWo^*|q`!>zC+(DiTSJqZ
zIQLpL)HV>8KL<mn=D}b^>>H?kZ3(msk<@{j+3GYk;ps@QbcplgB}Y;IC+RhfqmsDf
z%P#I;J$}Y=x0%@dcb0$qe{WPH6ik7f^cDRN3b+jAd+56`&DY<D5QRqf-JhrXh^MdX
zuQ^#qRz!tq6i*DA<W2qOYlJ}hPWf~FJ<^d^SQ(HX;CX&xKs)|0>St}Ep{H-zYw_^w
z!qT#`La*N9x!%5>o>~z)x6@GgVn{?X7+<;uf4G4LfX7l|f;}6U#@>P-Q7t+_6wb$+
zPU3l4q{Z(&;U-p$dVWr($ht8HAi^q{Vicm_H!^nMC&d+K<s>Khr(wb5{tHs90cpuW
zD*vRY`BqS9g}$KLxZit<{*<Heq1B2$G!p-36<#-n->JIvQ=<v-{L<$OX?UyHRtG4w
zP0uxo4BJ_9{930`EU3$)J5ix+b#I$1G^kFj(WbgTt2C(YpLN<)CsryWs_{LFMV*9+
zC|L22<{A}?^&uU9AA<6mQ2alRAt^<?bnj2A8p)U!hy)N{Krj^V$&VIBYZRr?sC9lc
zs!fK|r(v4c`kQYV;O^(qGh~-b!aY{|hkJSY?JNu6r#djW)}j2Y&krzpA;9~cTx?;9
z*usBEI*S1n%^sq^SI6}CA#ihv^?)mB+fNH#k{N$i<PU=vf8C>audmNTu|DtrS)ZSO
zAENy6@;P9FJdA!Y=h(#Pu%yIrZR#n8^ms|5*>Jkx$SNi?D>E%uy|*xA`Kkb4Pmh3|
zW&ZlQzK?dOIPD|SB{n~OL!;-*=I&UH7Wl)U;h#@0uOp8%ipO<$?{aiXmcB<C>pnJD
z{<`?8OGSx7Prm&_qW<TNPml#7ddte2#)WBcxxTi4)s$EK^8Z-ZCx2EIef#D1%|>J?
zG&d|s1Y931EqdWSpzmSD??dM3d-lui?;E2UkHSM|Lb__mK=De&zPd-?p+HUUUpW7O
zS3Ie^v-p^;mv>Z9p!RB7LDg9`FeM|i_=DG(>_GP%_@s=c45Dp$+(+A981_ZGu2JdZ
zyXOo@y`I!%Wo4&lsmpeUdWh#&1V#8`7RexWKmFD3$k%4SRZcH{mmtG%1VTD)k(>r`
z)NFY__)X*6LGKj0zrRD9--o<FNZ1w)4$JUmgIuAD6<_KWncJAyP^2F<VmFbof8PHf
zN9?0VIq0JYIe+%iL-SAil8)A)sE6iaSx4(o*hBNbmG)N)jrp^z$2pJWiYMRhJt5xv
zM1SuI@!lumy(!HvFyJR(y0E0|&l|CJ5j~yfXd#B|5u*C*H9*$W{2E7aGdl6+?Js}p
z#I(1h#fN|CM6PMUT)EJIVc||B6ZB&li@e5Wok+$)B{r#>I;Y5mfTk+!<^iWDs0PYB
z1O21y;*6%ekdZI+2y|-m0M8b6?kjOvS42bS?h<wGZ~CG9L>$T={^L-t_;V;blG0BS
z#KRg$$%>z0j6#If_)l~^nGVCnbUNM&0C<=+a80@3Ds-3QyP+^ia!eR6#av-1Qd3%E
zMzy}(KrQjzl30&z5S^R|x3nHRhFId8B?XYMBUIlY+z-6sOG*MKZ<8VZ8ZSgt;|!6w
z5#TAi2y7;Y!S*od6KSu1p0r%hDoL4!zAz;BHIAQz#e%Ws6Ef#ybo@C+QAgEBnG_jO
zA0_ySqfM@K0%HTPe(_2R`6ne3SX{{j<~N+d2W>4Q<L40dVkS{W)r;x)IpT`+6UrpL
z^@Z9V5ewzZ#X|XVxU9bwYKaZ3jMnNaf$M=C)VsN8<bfHBW#a;rZR<pM53y|CgW5WQ
z;QZSSWbR)rO!|vW+^M;VN1%yEG&eCFPme0acO->^IW;3@CdUO^Mb2?jh>EdCNP9-%
zim3-i!WybRLfebxMv%?Hz%3WMXV6E|;iK3?(vwxn*X%7~%#f0gFnj``n;~63_SYZk
z#g3!K3@x#SH5<_1z%;aeA>JMT$>)<vvET`7-fytM6L8bJk}0s$pDrK$7z<d^78jiS
z^P*y0gup^vv|YTYSbq^+V<;Y3`OhP`4MHPy5OMK3=mo2~$<>N{#wK12WbH&-e1)3p
z)c30ie5XPVF+gVhUBZX}w2cUSlns7jF?{BdDGod^U%hJG?GKHH1AWwJ+M#E|khcw|
zj~uDs0d%)(=%w@SkJSn<N{N|rvCqE!2Xc#!R_*t4DdydLJ^Yrc6}t#<v*#_ZIkS{M
zeW0fBu=@Od_t}d*mLm8*6NCd4?1P}pL`n$2@vqVeBFa9=l`ATRwsOMAqmp9PzTsQ<
zK29TDHxVO{3cz<v@--Vot^#}5T{~hYdJM`<q`@QWu@)QwnvLFw(VjSpNNAr4vwfTv
z@R$2CC8c7l<Aah})R2!)j!#e>@Nn9*SWQj(_Yuj+UX1?AXM+C8ZAJ09JJn@p_LZ-3
zE#^B1FLrl;C37~`a4mGJ#o)7+#H=U4cj`Y-h*H1OFT{dZJS9UBkVbl`e%^NA<c<sx
zDQo9fW>a)vN}!tdTV;V97ezfCx*to4UaFqa%k3khHg1g3Mp`h5+x8^psg1V|C)Sce
z;i{CB3<r`k@%o1;(~YJ5ejk+JyUr)k7e<|g!uX=N!mi|~DIGh$U}8flhyazEO1TT-
z4%-ST;Ke8q5~T&Sl~PCq?Zu507NdG29YHoRDae^?+q7(ej5yH4)Quj(t){r8z2qU*
z(CNq!dWhSAwGE=l-(gVFB{m&}El`g=8i(LPj2NruA_zSa!Ec<|f8a2`-~|&L;1#$`
zy<}y<H9k*9Y(8K7iL_CDnRdAwH5g$_N5D!UTOGP8#69?QKhs@X;i*YC>X!3x;Y+oh
zkfeN;SCXH*Gi2!m?|F0PV^;Hz&L$VK$oXspp?45OfK<T-%832#<b$icJv(XsP}jcd
zfg|@{wBr*~6VtYUphLE4<M$i2!mV_c%tY^Wr||v)B(^)937afFiG!B<kq^qGq>Y<^
zX(~%k*|IrRd*Srm{m;~o@2;40hToi!5+AFgpg~MZTCX)efXGK9$sXaPl+=YQ>mQ&9
zQ-=Hl+vtC=VCpcP_yBz2*-$UW!f*uH_`xkmaHb>e{;;0rkW%;wXf`c<FcFaw-I;I2
zRf)yj2v?F)n7mVDFs^4$7=g-~GE@h6M;(g_n}U8CC7$<#O@N@F;Wt2B-JKyiY^ikE
zN|Np)CZNYo&e9c0YIH@?npsL+k*?_XA`In|!*xGM@^wE*g=xc;LO-E@Q$L|!6aI=f
z*#4+f{wOJZr<1(Hd0Qn3L!R((vW~>liDU!~qv6=9kD&2%9Wt?olW_h=Ll9;ms~OO>
z^Wb<;lCk)&6C$4H0Z&K#9E(dx+Yj$C-b}mxf{k{&u3dogsQLiVUu;EA&bp>Ed?%?9
z|LUvh%-(*?=;j0Sd&pSk+V7o|Izye|?}jq{+Z-baNE<pi>n%RX0H~-nklctSFkA{|
z@*3SSazL*C_7-2>{w~E9N+u*DB^&n)*Bz4_)#XWbH+8F&zvm^fg6j7pP|kvx?ud9^
z$G!cZ&(i_DloZc_KcM+p`FPfDjrc5G;9Gp_p_3|`++<D3WDN@YtZ9f*3NP8KcNpPo
z(<7PfROVdMd8JSxq&HRIO+IS?hh(56+RPd<<T6p;AQH2t(57@;Fi19qwwOmvmQhmx
z*81M@y5oGi*G$t(eXB=Q+8EI^D*v<Kr?UK#g2Mc~eh*BSyDfKew>N5XX7MEB`VgIi
zBu%FTrAdhRjEAHe2|SC?0SdEz_t7cX?NYz-G!81l^Re4g`$jzAX4jel2PtD@?BPSa
zB_!<;Y4HTn7e4T?-LFR`KlxpDBd}`LY?XVWe~g#5HiXHq$UA#R_0a2FuPa)|@|g6f
zT%(aq+u79EfK)$qPup4JW}Wpr%^R<d0l>yY5I~(2W+U|vo({O|29ehk|3GI7dbHOJ
z@ujPkcBHlQ+ZtHSTBBD^(bhFRoO{?I^HU6PHT^@<E!sfR2p>hGU`iaoAM)2Rq06^p
z#G9TFPl?x)6NtqhDn-Jksd6zH9R$l@=kK%ViT|NA46^@`+oY+paP;*1Q<B%Wz>Rs7
zcxwJUka0^4jXFwP<beVwe@;@RBuA)UqW^^?CH$-w>PN@}brvrrZ-f@oH-c^qK$(Sx
z=AXnxXqc{P8Yff|SIKT-D9u4y<QF!TxawC3U_gEGT9Qg?rK!RTJ2`!WXPglWZ7&w8
z|2bCtX&^qbX&l`{mgq~_Nxq^6H%PAL$5+JR6~dg}2{)9O^?iqF6qWaJ?izwx-jOwk
zza1%D>yHC?4g{oD3O$M^1q$`ABqBM|C<s8QP_G;!R{G-U_dqD_{NmXQ@!&;eB(A$e
zypXCONW?gtOULvj15yG@8}SkmJ0eg-!r`t;$R0!qO#u8*v8L!MGmu@>4REZ1bj5ST
zmtmECg7lSdSo>`Dv&3h)_%HF<tY;?sp3Zw5|8&peoTu?m=R8%IM}K~+EZCJ<SQwV+
z9~>It>zfsk!z<bu_z;P*V0UIwVdzf(pwKnGK3Nfac!g1Pk$8O9uEOH59k@Qy+czs5
z*N?ZoPwSNVyGf%)Ffq*Eomo&EvNJF!WR169ws>Ex`RAry;&X}%!gk`mHGbaWbA(BT
zVp)aF$M9@@S#7^G^~AMeS?zE>v#=;66J<sC`0C3tH+n!%D)YrUhh_!_hM>;b5xKmg
ztzjYRmM7LZWM@!7bDi^0XCq%67q2f0-HGehh~?z+piGg|dFbgFv7<qG>M5aP$VTZ_
z-H4?cr0K>=kjgt=>O#K29}fEUROwbxK=c=m#&t2e5x}|?ud^c)q;|rMM!C*H=q;zy
z^x~-7dQCz{k=If>O1BaSxHpKs{9oinHyJo1bfE}!U3pVC8R%lZ02izLSuVT~`f6xb
zQDjKYzyGR#Mb62EdPB&LP=8-SZ9y0+#qVH^ZpKqVDc8*qp}ll7h*pA$<$H}32PSAB
zn!P2%AV0!2AT{ge;MX7kl<4Ld*6!O|Q{%pO;X?OS*X4Q%rc*=_rV>$vb+dulf&;+Z
zrc&K(8@X=YPm-9gQdi-svWG@@>b4~2i_}#&2{5+8MPV5J7)GKBBIq_{0X8H)JyoNZ
zXG9H3r1qjX>!uQW2@v~Cq*Sf*+J?O!TFq7*v%0z8+HAOP?m$gbxllv=B>^v`!9oq9
z!GS>8Tv9Yjq6$#@+^ZNsrgU{-NHs!L|NLRxTz;}xemmV%<?Zs$WMD6QhFqpr%3I=(
z-u8^K&g>-`au5o1*65O-q2-3)+UoS;yc%^)alq1a{^1VhMeO`zUDaLZFX|r)ae0j8
z*QE2(B;m2LI4@`4UjHngr1i-glK7OuoUF<nK{ck6{Ja*;Q!UuzeOPO(o7X7mj^KXb
z>L`tFEN)FbFZB=}D1Rs@J$6P_7g+4-9T4okDlfEX)23vso)Ue7Lsvu^;l97MFr9Z(
zl5=1Bfo_GRapV+gFrFApL68&<cfAi%k9o?Q)Zp4k>T>^@%vfj9e6es7soHcVE**jO
z(P$DQIZN6|zZXU;-=#HHzfo1L*|!ExJIP`~G$Dbi#lB%~aR^1&A?o7Mx1^Wp4rpE)
zc2lzKzVs^%Q{J5PX{6Pp@px>{8_mahDsNEF2|rlg|J+;`{e`H@q-!ImOd9{g6tOm9
z9nBHcV2(->&zo>P8YgS?GDw3VgVY<!@=sBt-u>k?8S+DuAwPh$l*D|N+CZ)Kl?zu-
zHJq39{46~pT>Yx~ruM#_{kzipU(P@q4*Vd^hAspgl%)SxY5rfxdL?_x_7(H}Sf9|v
z3#Y39>2w(lAu9ZNm^NlZ;nQw6g%+CA)K_^M`*(PWZr?;u3c@Kwk)=V1#0NO;IXR6K
z2P7S?mnoVInW7;W@5l!F=lp<3X>nN7*%;OnaFR^;`$>K4r`(cGN9%iPsHgZ?&`o$M
zu_v$`i*VeVV9KJ&ryA;-Pb7;crqFcuHdQDaNQ*IO@%2Qu{G|z<b?4rVdv_F}bQX<L
z-icu@Z{L|;yfqN~J~cr%WQx!|vb|e#i;##nU3+IM^Ywd=lcUv&nw8$+?or|fGjv~+
z&n|bh?Mi#|?;-X3iIb!=ah5tDTH(Zr6As5~9q{3J+`+-&grnmLd|-|E|E}Dq7a1s-
z`$>9=OpxnZf1~1R8Z4Bdfjf{PdGIomc4SBZ$hG+W*BKCK(E(L-fSL}V1KdEag&O^U
zH4i)%x8%|^os%#^K8sGABx<TQ#6@$43{hTQ2G5p=mVc98B2{u>kQ~YO$r`-DeKK0U
zNb|P>;&o2SGy6sovyt{p63u8X21*q`XVTNU&&r;}rq5jL;1rBCFo=d~{wj-_36D02
zCH<s9RbFUpuPDmsfHV5CFV%mm9(3pr0h(oGhLY6Q!+iiO-85yYzN)qLsO-O@rioR>
zs~x)e?QR?0?@Dr24kp9qYL))*tzy%4ZxGqczWQzUfnH;=)9H14_A=%$0^){hbld|8
zg6VBZ3P_HwD9^b3N?MJ?+Dw;pT|#>ay-5l{dH=~{pufCa7>~<KuPEV}7-|2Ra^Egb
zMbd4G=5Ls%xcbN?3F-e<Y9(B*mtRh=%f6~Qy1ZCVEii*Qk+=gmr(sbEVe6p%lCA@C
zob-Pq?WG&DTCQvHa0jW@&>qNhJ$aoBx~`~18NY~3PyOYJv#-Q2L*=^YX0im-6o}+C
zxbv`{Ea4vTP;0Jfg!;#lpYKT1b+bqfhU92v2)KDL?cIa&p09iTZ!8Jlu8zgk&*h{Y
z9J_zJ{4_5AH|_*nPkKKziF&*Bj^gP`-3;Z`EvIs>s?IK}q*72P3};U2sT0E1#)qy4
zb;5WAmxRb+ZP3?1BwdL9S-MJh^#5jD5bAH&KU((4g!a8-ORn19Q50kPCdOC=Ahf^N
zT8-jtao&>C;5n|iyM?z+WBf=voFjWMJKoeYHGFFx-CRQuHQf7;L=9*y9doe^f@n_4
zq~Bp#`RpPV|IcQgEF1cQK~VG1{tTk+jg`;K51-n`+wEffqr-z8)sEpg`O&;xIAgc1
z+~v6%-FUtn^4N!57W+~8>J|!lHSWxT0k0Tp!Vc)eU^8x_d|!L$+7^C%2ICtS6lkZm
z3(75w<HtuaQ?}H)zE>OT*E2pkCvrnGo=&lo>z4lvAtk4!Ub;KL8`YzY3ga|%#yjaW
z;Z|48%_L=G#7*Ksxm>6goUnf<9V4C~7GcW9OiyfTxIhRg@_jXE#0_t+-%*rR2p51t
zQ2iE=)f423YQo9IJKMgKBGu!Ta_YbQnx^^l-s^8S+)>ofzPcc^`)%A<)1X<5gdAf>
z<ECl){~e8u&*qQ-&22y%wIfDA;}U(H<A62?+zWV(etIGTEfWC{MbXbRzOpIn7#yXN
zYcle@sU5i>S5z6?zFna)uDz%!Lpi?^qo|O*A%dYs(X&pxxm%rh^MJZPZ=PN!-YnPy
z0H&u#v7ydKqnKVt;xxul8A5zUcE<jUnvBgEl^HB`$dKV!IF238IGK@(zeaR*MoVqZ
zQkPaOlUs4H!;>!fyR8*)DpFgu7Vao-C|YP*7)T6U4OSQw7&J%>BwZxaB>s|9ElgT;
zZ!x5WU5ls|=`FHb)V8Q^L8L9DZKN}$;nGs+KIv&gL&NV3Z4D<GMj2Kbo-({^_<|Y5
z%w(Jye<qAcV{(}T%x8828^b2E73>N2lB}I<n#@k-B-<v-lU2*^$vzoLjZ{X%jYb=}
z82KAT8f`F2Gdg5cYgE@#(o){Ccgx8w16r1~ywdWk+(6FATZ1zuRK8KZL;g_yD<|i)
z+(2$Rx0^f7UE}VwGHlhdRl8PwTgA6J-m1Q}rnOh=pw^pOSGB&>`gZGITYon0Y~0Pb
zxA7cf2jexy>Bgsx?;1Zde%Yo)8@^4qHWS)RZ<EyKe4FcS?zJ7;c1GKIZSC7Sw{>f~
zvaN61kha&`Hne@(_Sd#w+y36psNIxy4(&YJ1+=@>?w-kDlQ|}vO+F~5DKZo#iVDTs
z_7mGrYrn9)NBh<7^V^?ke@khl9HUHEW+=}nFDq{=?<rq(FzL{%LvV-a4(mH?>aeB5
z?hXYVDmxtNaH7MN4tG0BJ1RR`cAVMKqhnadwH@O-W_8T%Skm!i#~(WW*zp(B{-z^M
z7nm+G-DR3*dd~EQ=^eB7W@<Cutg~5vvr%S~&Fsw<nz@**FiS8?Guv*KWtMODz^q9n
zS1D8~RaaF{Re#lR)mYUe)k4*Bm5(Y=6{d<+WvQxF=T!Gpk5#W!zalZHNi9_?)#hqj
z^*r?wwYxf09jo4;-lM*(zOBBm{-YDuN!iJ!Q=d+QI*sTwuG5rGzMX<PMRtnml-wz&
zQ$eTVPKP_4>~yBnD-EZy(Dc#_)C||yYNlx%G_D$NO^7B&vtF}NlcuTE9MhcAT+m$A
z+|=CHJk|W9Y0|dPDzw(xZrWbje%e9W;aYp`N^Piit#*TUi*}bbPg}07)*jW?Y0qh&
zYJb&!(f-a$`Ifvf--YkbkK`xw^LR(zm3Qa8`B*-Q-^1_YkMpPbdj2lo$Uo;_@xSn&
z%{g;R^P%RW&BvP0F<)rzYaU{rY`)!mw|SBIUh{+I$IZ{0Uox*ZzhnN${HgiR=Kp2U
z!a`=Dw&-Kg-(sZ26pI-ajuuNSJS@B|0xd!<k}bAc<XKc(9Je@camC`M#a)X>79T7P
zER8JNTk@8jEqhuHwj60W(bC>>iRDVm5X&`|-&<x{?zKE-dCKyNWrO8?%O5S@TYiG~
zM{31cDXdgh=2o4pdRYyy8fG=xYP{7HD+eogt5sH^RtZ)ctWvCYTNPSWTb;J5w`#C@
zZ1u|OS3qnuS+}ret&OcstWB-8*4EbDt@~IHv7TT()!N>AiS<hBAnP^Oan>8GQ>?dI
z@3P)wU1+`6y3+cf^-=4S)>o|WTK{PM!J62#uran#*>tw)V>8rdoXupL*)|R~t~M)e
zd~Jel*4o6`B-w1T*<!QZCeLQC%^{mpHs@`Au(@q>-{!H+k2bGu-jlV6mpPtaUkHc8
z#Da7F=hejcIs&vmdfjur#Z&b{rgp^61;bT+{THrq3(37vv$-hkoEGSaX>&IFIIE@y
zu3oYv<mipY!W*>@wN!hOaT)JvGgL)w@AM`Z<K(f@T*HwnJmgwV#R-1l3ns|jBYK5;
zieuR=z$zVQH)U)pEKm{kgpV-bb5zz95aUCLqzAFoBDUzdGDyyecmq(?Z;<mhlp4JO
z8=46<>Pd&vp};BXu33Hh*|U<<7cZ2~A2`r!{w$u`ia_&Lq!L&s6K+w($nn0*r)%rF
zGeyU$cO6up%JFg8gy7?lA#<%%oU*#Oq^iohWa(1x)oyOZtE+k9-{HR<Gp3eaOkThA
z3DZ=ay`2{<^(w5>UQ2y&P<15fVEksyqQr%ZRUB~?hA^}@JDYY7TNvgX>L><_9uKbx
ztDQr-n<7$=I5rJoIMV51!&^O^H2?n#PTJ+vqt#E;+^0VbT8cjVm}mn<qXCJEQl2|f
zaHbsLW{SpW8x0~3hRSimR*XIPaO7Z3Rgur^9BuqS1_x)acU|P7eo5~sJ8LXF*iprf
zjau%AJZ5cDoZ1I&p=+CoWb-R{h3F2J6M^9miL_>KqAWDr+4ReWH&y2y4p7M^ZTwK?
z`1<Uq5LIwQ9B8Pxzhm0|6M*+W0ON94iRWR(;SY#Le>j_Vz?0IG8+>-kOYL#Oj)35_
zOSx70gR0h}z&u^+W5?7aW<`an;3*yn=zZmtWuKm4{qkw>l>_~Vl%WGyPI<7nw7SZ>
zbjgy{UT#ZEybkijyTic}99xZJ-Z)l_W5(jkh#YO!8YBZuBizV0bTl=GJ^KG3a5-GC
z7TihTZmD#eT|VMZT9$8|EIdaB0AFYd3pc<o{~H9)2>J`d31j2{Hes8EntekR5Nftr
zsNoUO_&}(OPG7uK1flksKZEDSYxc^yhymCh++4M=2*C|9t8R1%&+UpL&*b|^k3S45
z|CEE8zl#B6;2uPv1`=@ZUj?A1x&OInClp$}!fltM+RCyk@{X+@b|!6(9L_E&;}d5v
zi`V&jj#axkZYx;KFY3;q!KRRYUEcu@6&Cak!l2%AmIJa@PL%TUnQcd|@N-`?-piK8
zu2N54nNv}byW?bGNm5b~{~1|X;Fb_(N32*mS!MId0VpyY+>%G(?uTEpn-In-9+0+f
zcP%G6Et%)4#m4pMSj0oj)&LlvT}K@fXkRTy2R-OPT4^gtE2YD#LvMLbdBz?%k&pt?
zuFsj1NLA=aBIR7nGlq7o(NJWv%HUd)bs%HmXI{RwI`vTM0RX3LUY6#%Woa#4ZVG6#
zw?ZC6RjdaMPq2%dmoOjWHu`kb+2}euk^WB3&ZFTmc2V=9#S`(T<4-4?_7G24v)n%9
z7gzWZm3*Z~f$u(^`};bdY?X6=uCLD@=m&u?Vf%GqxBv|#GF6^&jtScuk&&m$%gV0Z
ztPO8qIwvl6o2KIK9j^VjiSM(SS)Ldj9-`)Y%E^dXSU=yu`dN<k^OdMK@t1+2dy@8f
zjd-p{>}#^I4gg*$Z2a`7o(PJJBPyLa9U!x&ht@8SUb5DWc*(1x4zAsANe-DJNtH`K
zl6E9rWMNBRu*GSsQw?2cN^B7-E5sv~mt9Q5V;8Pl6f3H)nB%d>qH5=fZ>wPE)9|Rp
zagO>EamN#m#nmnnPjqI{z`sQ)pWZ6Fe2O3Wit$*r#CL(Z$Bg@kfbDqm!Hc66L95I7
z`#&=^E|aPTtD&~7$Z|Q+BIRW$hD^CeOBl`J_uRgmoT6&g57Vm0&2$TPa@Ah6WA^OM
z*_E#@$%^pv^jfos=Wd)l{L5y(XBy+47zr{;E>FJPZGi}P0y$U}npIx8Co{jeFnC@X
z9~u!H6QmBH!Ac^#{uJhewzD2tjGQ@pgzeEqclH)%?8)V)#{0R=Rr`iy><HzTOlCrI
zD}v7=pz6OP0RA7uY14>te`3vZ!K4qO-E)Z{Mo8^zSO<(rd6e?h#mqys{G7K;h@V%)
zD)qF*7}qtYZ{}vlhUD?}Z<x{*i}xV?98Plm*#Fv-XwfLZIXzZeP$5PEaAZ6D?%f`K
zBqJY3JPmrtbHmyBAsP9*Hm7gj#>el;UcVbbYR^EJSrDHWyOV$Ll}=%~gL2}Hh@u^!
zTNw^S@lt$N;gdLNxbQJd?YgXx098OlR9K9byOLIySF5U8o=aP#XxGjb=}qEED~)pN
zQ6_X#)aI?KjGbFfY|=)aXK0JW<v~kT3+n=|#A`X_Y&n<FBvDRr$*$a;zH@gbpO~4Q
zRIWb3))vNjc`Wjs!gEE*ziJQ$i*fG-PMKZcl;M=OZqeRkYFBu1u|+#-jy>8z+ZYWe
zLVrm^HC&({EE<|oz()V|pYwjB_f_W_Ku~!D3w)P`TOp4@NgaIU957PBup#Plkyzx{
z|3(G!8cZO+{x3uzoV|Rlyk7HI&ZWsoD^$^5u2{TQuJD=)9Q<7~<-DTIL!+fGGR3Z1
z4fpT()kw(87ZI*m?r!#hs#~h6$bAueV2E{rAvVBI<r*BeELxlGws;%3XU7Aj1t~y0
zcV7N0f=Y>EB7p8b+wRjKd({zWztP*oZ|6b55$)vX@3~aWT_tNk8W8<GpwVqz<XpD=
ze`TV%mVN5jL)d~V*C0q&vY1JaObZTD&GQLxi_vah?U@EP+va5x&)w@FFod0{VYwt=
zk#oU<g0zbY;jZtlt#0@a*5qYz+MOQD(w2N9oPm7yk5c}6;o=7*96AZ#Bfn)Lo$EmR
zVj7uG`i@4vn+P=L*AyHZ$^=IR#d@p#qEk|$ct3>p#AOw%+pp$Mb|5t%M;E%@#@H0(
zx0<?+W4X&)t4fck&*v?h&vTziI}Q0&Lqdt=Hhs@N7o$&Jydge3sRgn{Ci-<klLX1I
zOI*f|bvumNM37*m@=->8UiBm+wOpmfb_cU4&c|(zdX7)ku{ho~lHs<UV*<AXWt6D$
za(A6g5!EhjyWVB#Y!$arV{%oDlGzB`%peWIU|9LLp;5hjkKQ7Np|O5v++_`S-ldwh
z-K51pI-9sBJV3QNI4Uqs%OTe`At_!R7{0YCn0I<oaE>{Ym7PXn<dGXA)#IH)2D|aD
zeHmv!5qG51oLSeG%o8`K?D6Wz$fR{qd@k+8Y)nnvn5NFlj(5%C3+8aoYmS^d=X_+q
z0B5H;b84KP^QR31LbHpDv$FH@vO>JQLqh_1<E;Q#Z6(A5Jc7fbw~VwxM~WHvVhB%n
z5YVfLd}y8d$SEuA7K@DKg@uJ#mFlX(pry97^W1FMUpbxm4op?e{9MMTFV>#9ta>u%
z*uYr}eHXZCFV16%_vG#_Q18nLT+VZWQKZG!ckd9vDYPNxdL%F`VqPHje>7!ZU=h=v
zvi-4^0v&FD(w-Ok7}k}0Oh@9zBKC4dMR}c?o-&;0UU?&iCob%S821(Pp>nOFl&|Yf
z{fHdckphCvIs*ovr8Ct)oE(W}A!*5AyFunOwU3Kt*2ab*w>K<O#IEP2Z2K;4E*1)N
z5PIH@go7lEn+S~XZ9=$oTZjJvnve_vvI^OaXuiz<1K<#=!GH3Rnvf@Aj@Z8vkviy!
zNNfHgB6aviL|XG7iAXt^nessdp3h~HP0Cf<{kIpXa(3_Blec?~e*}_OBd{D=CTH*d
zf&iN$p%q*ZLMOP0w=)1-1h^!EV@Nh2SGjG1lX97N(doM4!UG42eeCCZ`z*tdTpFc3
zn3tBG!*lyO2wqrNA7<fIpT@jsnhD_89Wq+oG!2WlcnwGOQ2g7Tq+Jx-4!bD?Y%mn6
z3?yYX?3C#5;^$(0aTb99CTLVdjB(@T#swP4RYDFi*N|Rli7&{NyGMSMjn+7>bXy`W
z)@oudBS?V*HM1M^%G>AXnuEOAzaqSc-%uWWRCNyvl?2+7St`R!-~m80tKKJ>XLO+Q
zw*E)2lZ-JSlIOFCk!k;#1d>47{sUda)9J{yYbsF+{fm$f(69(p-hIc|Q7O;K=CAc%
z78$iEWv$jv7^=xGNT^nGPy{K+ko{H8*#elId%W{Rb)%{ZZnD2==b5fCZb@3MA@h7y
z<3E)ivn6s1)aFc=sAU_(<>td~q>UES1MmYa!OIJ1^=0G?bHB+D%a<84x{RJ?xQW;q
z6(~7hWMvHhRSfUb!&vqZ$Hyc&84ivI`Il2zn5wJ~($+j2XGj~|t|T^>WEYBq7dox>
z2DgK<s%CrsK7QpzCNdx(Awccwxw|%w2NHG4j_=cVs~)@F?K*hOBufyePko~uN0ulL
zrsZXqs;hRaUd0;&!<bwqt+^BXt4`J}uX1qU9QzS@d@xxGoE)JG%%~)>9}v!o!EGXc
zvf%Vsf!8QPe<<ExcTGj4-(8~}M^5u{oTF{%$5d36=hUc=7kRrlxG$wFZzaRc+OlQy
z7B2OeVYj%b5=fANlX^3XYP%!1+&`+Z3yWoPHf>4Wq2}PQ8KU9tEthkhE2a>M))-*;
zPdK`AnTGpr)5(d1#U(3gyWI@8PUr!75+f5wgTUg^RXQCJa=`ps_ki)Ns0ux#{`%W{
z(2FU6Ni*gHZDsH1w{n>%WRGHMA!H=D$yDj@vn9_@yuuNa^dp<4E)EEF15eF3*bAo9
z!NGz%;O02cEns0gh};F5>*0rp-VWEmgzD_PZ&fYNJwAA(mMoUji83x8efJ#lt`+0{
zyC|-I(U1clHRE}T951q+IBL><V(yTUAh*0p@%MTI7&;U$ZDmL<Ra~F?gUom{ptJy@
zEGJvPX<+q1JzYi&Kui<1%eiBPyX({WY3Yo<YsiY<uvTm%Y5c<=R@}9PA}bP{Ysu)O
zwg{ER@<7x3DwX&JC&mQu+kkXSBC$noV#Da;YpzWG{;VyP>hsmhr%qh5e5##uam8{G
zOVaW9jisNUPA%n$oTI4z9Y20T<l?_S1M?`J0SX18?tMxBjA-#0ocN5k`e!s;Tf*dh
zdxpofsY^WYj3V(Fy~SrN!!r=bN^H9x9v~tZrGtg}uV2Q8(U2u%AbK}9Bs=}JTya?(
z10}auK;o7#qz?-`;a^0!|9g7me>3sxbtsdYBppr4fhJn|;L(M{jgsOIKLYUp5H`yF
zrMvU;uoB+t0mOqj>@SYBgX|ZE`MGE-Co#MBmToUp@7)pM1Dj6AsCmmLsO%0nUD8%O
zPzFYB&CcDEb1jXZFN+9|j0sU2e-Q_Y7{c03MC26^pz{W;F%Ab?f&L0G(iq|65Tyq^
zO6rFIM`MJ4j^%}uhWAf8blb_(L+tyVbtmqrn<g3#w>w8#z<`Am#};cB%o(OOj>em>
zB!9;;R-6~#{onA0@xuR(Wqer=IecD(9KI=H8Ou20+5t=gK%Hvav<cdK63a=h{sw8z
zMoM%(VYd|mas-&92te+F;durj%Zhgbki|-Ys->u=MKlu}Cdl;qfplZA!&Owjk#hxr
zUInzg9C4T@AYdM%z?~Mi7GHi7LlG^0qn!s%^mB9KuXShgi>vn>Ro^_geE3$L3T#sN
zhA8B@jr|C4UM)ab=PucIGXcq)?3lGnJr_V6UWeb)q(+9P_^2K1R!w$?*O_yn?yr6U
z3-b$N^>x4pF6y0}TZI-{NW35$`Dw}G=vSP_I9n);1zMdr;SI-R2XPoB3Qb47OiU9S
zLwWYcviqc!ig2Fy=l-Z2zKW?CmOG@ss$bwx=b;$%)w1gaNAfDwIXl;{+s$(#hR9<w
zrSV?@a8lT`Rm>C82sjZ>EG&xreRg;OPGp)TmFf|29xGP_75z5^oH!r@C?Dk3oW85N
z<X7SB?(M&FSxImirpNDB_y#&e7#SmHV&Te?hqo&C)zlvKq+ABS*n1gLwteYmC7JpP
z`2#D+;%-==^rkI)3<fJnr&}Y5{NTC#L;GM@i??$eq+Ysud+sWJL1$*gsY4OS=|N<s
z1c8X?o?vv3_0^BW1aVc+Bg16_e0&#pdgL4q&~_QajHtP`?1P$f){ujkeKsS@I$lG~
z7%s;TDzJ;95nGw#Pc(|g-EyQ8ZxqX0g7TD?UVP=rJLKy9D4QA>w%o@zt1ML8Z5%VH
z`n<;rHK3f@h(y<&L4;$2ty>cILNBo|BE99@8Pb+Hx+f>2M4h_rCr$9iF!h)PzI~ne
z2?(g2gYj!l)90|`5uf|gc|qYAby#px{2D$VRZ7{Kk({b7&WT!_%b%ugIE2e}Lm1&K
zSl`ZWyHt5o#g$e}yR0_OA<lAa?pVdZr^HOoeU<MPvz0jI`>+SZlUn65#`{UD?HC8V
zoSc+vxeHM+p@GDWj3Nq-*wP-sL?E`wSO6=U{!eeO4&L4-czgF17FO=_Ep~VJ^>$xT
zD4KDU&o3RnRO?l-4AUeQ#{a=H{})r5yT7l;%6!}ev+)P{734}_c{46*z$g_(`@s&=
zSBBN_eWuwobfQ#r0Z$f9LuleITr(dW?I!eq=G_iMs5`X0J5~ytFz_Q}T*OWEq(T^m
zw|kEL5P}J?C7Ov?hWX&G|JWT3u?P%`f?DKk6FO;N68-HAD)8I9qbGYm5xv5_2Q!>W
zIcaT9G}MF`ahp1jfq=0hh0HZth?%YMst9UT$cU@r1qjEUL5?!Wyhh|}D&t5}Atb2|
zEY^#u;!!e#9%Z<>xX@@&ux>;MN04dsM$Z`c@$c>Mi-vA=!iKs7!950KK2uKT!xl8Z
zOvI3%&j6$l+k;%vj|4MxI15}oCIDmtDmuv@;4qWKW5{z1hNXNK*)$yQxC>I-=_O44
zUc{>}k)m>)`cf(NqFyf%<=qMWl_y^TJ5Z%)2O`7dAsoQwe?7G;??{#EL$^cbQ)Wi2
zw9}sIg?Y1b%RzN*LAbY9Ksdy<J76RpuqX4@c&u~_wqNO-QM8nw+nc+xxT<rCXb6wy
zI+so%Ewr3_h`YP9YUU-!AF(7vsCPSd2bssb<&vVlagTH7cmFWyiG6)|NNzej%3O@b
z*o3s#a4^0;7%JyJ9j?2O%8$!n{NjWB7N{2l6%@qt<D!^ZsfQPQQgaPVe9YSTwd&yD
zi~{az2jM$8mk=8rp@vB*pC~!JzUnm^(vB?X{T1z`>TQnwfZb~tJ5?e?_H6G4<eV_Y
zcg~+LwxtYZyvJZcNwDl&ZQ!-?%5?Q8mxb2rdE`#NTE`qn*_N5DRs=@hms<$K<RTx5
zNX6pCkwE#32C?p#BZa}}+=+ku;eus}75F(@axrolSLp8U=gX0w<fRKqUyZ2rFP1@&
zVSDD@{*x^H=6I}td!gG-YF-doe}b7u#MRFwotVvBvgUO#7fvLi8w7zckz}%b72@IB
zodT$gI1S7frvY0C#{jvw)gdc1WS?9c_?1})9`y+IGXLB&Jl7N)r5l2n8exi*jz%__
z@#eLmDPihKPC?_BKo`lGMYyx2X6;69Uw&alxqqR%SV?QzhFEhV<ty=!1I(M_$ZWD{
zzJ{BI46Z~rtv=(`JrxqTI?Kcc9}lI{o_KI{g|d`v(5y`mduLl=$*!WxVtxqg7v|zJ
zoBWIjvHoPHoH&Te)d9ADaqF`Qv8mVNnZnfcZJF4Kh^(m`!nh&qLs*FIBnI>_%^EOI
z)PNZESCw<*+$3M;faU7oH7P0Kyg%ZT5_V=L7Gc3Wi+rzqRdf7CiWWqM6H=UyzfuVX
z9r`#sPDs>}8rjXn!;XDabR*{-aB#lb!Anrd0i~VK$zaD{d~7_Eo}0d@P<?K{$Lz^V
zm(6u_%PaO2*NQGjudD#VAsHhFRskyC7K+9jNN<fqgO$R0ST3^C^3`dnV%KrXtC46l
z>l_A#Bk~Jgk)9?e#5slp!FmMS1G=gvC-2}f)lU=8QSIa@fvyX*^}U$#1N(PWsH=)Y
zJeLK9+VL~{;7%_xO@j(PC+^rOL_)nPu1=OK%06j~=X=~8qIPufv0cdDoy}C{<mD8q
zIi#%g-~u(q`pi+uzUG8cXKwyCS$!ava8Od7Y+_hMQm}f4U%?3;65E9WB|!Vsj>xOC
zHl`M0&~~9K+4Yg(NvqW}0`ji$L_q=O4oa{`cEqeaXH!Zp>_r$3@Z7xCU^onK>W=kS
z(^A$rH+9Qy-j5hCi7^}`olGU&xuV=vN7bBg%U;6;>*j=<k_)ZSD2OAcbDIOnuW`ge
zBOr;9BQCPi;({F|>hp!p{khV;xw|Tfowx;$!kYOsk#L2@aRCL``Ikm1QJ6WVuG6xG
zNnv}6RmHn=YBy+4$-1X3aha}~cF^Tr3KlzEJCG6VVX_b-=sWrCV2+rBNRcxUn@L=3
zj^kkD^P)c7oh?_&8&xpv#fNZ%cQCFAe(q2_e)|q3@Pi{6<W<WxBJ=Uj&A?69&tG~V
z$$LkPo=Z8>O@cjc7wL@-LRVyvaU2{0YdJrSg!A{)a3%+d1>8L_)T%C2m0dn^z<Xt}
z_V#P$xYN|CKB9%uU?T0r1?t17v3;K)GC3fS`uK^WJGK1i^UR9iz+fLWhuE3<a;TaX
z#QqcJJ5GX{F2SCEIhs`DYuA5)iD@Imj8DcKznIt~@`Yp(ERO9o<DlrR?h-4Gq1{<d
zb)~$dZf{<sPp<aiL*}HjUGW$o&-WWaO}Hi(VLAzyM3G+7D8cEhTnPgpmj}Uyg1~+i
ziyaP0Mr}Ufm3**F64PFeA_FLIBikfqyCkwrV(tsv(oByZ$#p8hYV=AxQ<S=W+ir}_
zHot)rhqUc^R2&#Ed5$KS=}Crs;YzHyz(k40WWaWSDl4M^p~TSz&9HlKMNm2)Haj~r
zgA-%#oHg7Z2F1|^A%G*k2%U>O0f*th?Pp_Az!}Vx*3{rE?ZR_gg50+*Rnu<syHS~F
zU4Mq=Y4z$5R8?ExrnKU@G{zUvWnA}U&{J|UvO@!8H|RLgQ{I!9U@@~o&H)dVwE2up
z=BF9=X^Sm9)?yCKeU4o3@HeIxai`XwlrVa`JXWJ%2uY{&#i=h7;F`a2lZ0ic^|K+G
zzk<JL58d)u`QA{cMJq(^pZNNu;~N@`LNmo2yu+1+C&VorSKo9*RCdTBji-wKbbty_
z>Wcn^kJlO_-<wQsG|}Tbb6?02^ba_+%fu1J`D;wL&DcF$CsVPy6P?4v1m_R_1os?A
z*w<(V8M468&=|vQxnujbZYkjU$scm>G+3CCZgNgqGe^0R)g2L3$Q1kih+qZ)JT%8)
z4XlPN2NuCJ(*6Y*pdtgP;sxc?v|QQVLs#yrhz&MIeQ0kB8)~EF=7>x4xuU`ZS`;Uy
z%}bCrk7OOr9pj@JTb}fMD*edampmseq|doeQayqrmqXm;T;}e?gk4ZZtg*5@e@|(t
z{~nK(0YP3~c|jFCmmsL+!a@P7I;>s}u-?JWF4G9&%>LbOW-Os2^(iOldSnmQOY1nL
zxMaYLRZUuP^`Ob+pr}T3M=FpBuyU`H)5=xO&K0YU@Z2JoSBUU4Vqd*lbhyh@NH-S)
z0$HJloLdL((#JOehld3K=`itbuU?aojmnWra!|K$;W=R9=JeQ*pP<nm!EgUFni(qx
z3s5aLKnY28S<TY1Q!gFB=>J({pJ;*QtH}jl2%v;@@pTTHv=-bPoXl9{N9OEK`q$l1
zJv)4+{>I^X1GUfqHHgXU1!qn#P1Q?I`7g1$N{py^V#CjCwiQk1h=Y6#9z8>HQOvLI
zjvX>4B#~W_i;_dquN>}8ECx))*u@lHvpqW>J3~|mmhR>Z2`(A=tu3K}F@mQOm6Q{v
zkjUW;CY);4QLpn_u7ni^qfr$I6~Gu0vBJd(ZzNXj+a|)|F3#IsIFdrU!2M~a;U@Sm
zm~XGOCUHdeT?*_N*n~oyp8#X?>lZ0ktl7f}CzbDai?NPY0m!Y|BM$EbvV^f<jZF?f
zd(#@)mIErHv#(3oM13=HB0#N(b<O3G|584G%f=8HR`(opq;MD5Gg31|A}KCK+yi}w
zoq;(~NH|7Npwd0WNDT$L$q9}{CpTHMhX<X@!9ph3W5^uW9N|pPf-Rd1x_}!@SdlM}
zOTl+Yr{Xi0Bbrf-gOT{F;DmaThLW*!;Mna#FU@c)FQ_epn=*+lqj=5zW5!wyH$U@`
zPrdq^2^wY!bj3i72|784gvz;#ahZ`JDj$8|2DivJbQ1C}By=!1?zpCQw6)NVL)VCN
zxiB8pIXOp{C*f9(jsu+SENojqn$d-OLzcdQvL=v9&Tu9N<MUqZZ3I`^4SaTW<=|83
zWL-~Ncbnwq$U#-~ME52U6O=hy3EbiB!UVkAX)p+j`b0d|p3M-CUBz;>HH=}cNoP)E
zP9QPQN%Vaaj?E@R0Sg*ThccYBoPY?i4CAU@AB<xXt>FULUJ1-pBA3AyhQN%M5@ZRr
zfWB{wNwY1+5RWA!kKYR5^F+Pl=%#<Hkvw}ViVzHx&D#fPt1gNfPIv_5P3}Za_CEBp
zf<Z$MW$^-7g&2!=WR6tG^`FXLNXwBYM~XXq@)Q%rOmT6}ks=8DJ8XbkHO-Y7i%|&1
zq!?=nJoPi07We;dE*9d;yy6U6959$|aM8e^#mGPY(c=GO?@i#WD6anR>gweVFw6{O
zSOjDlPyyK&MMOneB#Nj=kPzHi#03o!qlPF^B&<pdE^*fwMMI)7xFnAnR8-==1qmV|
zAQBwOXkbJ{`u(2M-FKO}0|RRE<o~>VKj&A~wRLsXsZ*!6zNeVu>|oQy{sglfR0v(p
z{oUp`r!(}GDY4^m3!v@Lub@TvkBH52n4L^pXdnE(YdeKsxSdUrJ=oN<^+OIdn0B_<
zbhL+=Bb~RfA7&09t#;1$OjFy~l-WaZFEzcL#^EbG|465$Inw>UInwrn4%F~RN*w1J
z{Qk!@a;`89Y#-Cl)-#1}0clvCRmT)MFPr`KedL|KVRDZPKTF6?G0oCtCgqk*QicgF
zAe@xvo>AMp;iW!yN7R?pnbI<|kJCBaMExC$`3dv}w3d4V9TmBm!>|vAI&!}yUC&b2
zNqtM5=aQ@Uh2cMx7la=Yo)EsMiG*LiKDBozXgXa<D<5^S!izOg#G}He)#+(-g7UBM
za8(kX{<`#A(#S*7PO?eci?o@VNZL|W5<Z*Ad;i+>v^QgphNQji5rtpYCcN9wbWO+}
z8h(|uX=&Hl1pgeM?OfV=+}@?l*Pg<ydBcjl*cBZbzAy45L*Z9WY4{TI1sM~*1-%UY
z4XTXpO*fT2rKSTW6n>y#V_78fC?Szc&Joaakl2;Nt(XTmUBiz>W+kMuOXOD#<c=^$
zt85ebRx6^cYY68awCglfZeD{txW@F4?T27Ol!3_88pvM4J0feVQ}|h028$g27D(iJ
zHi>-S6^ZPxO14|n=SUrB-_p_ahIjf3&&GV)1fFe@=2PKM;nfoS#r`Zj{i^BWtTJuv
zL6}E|AK0T!CnX<$`X74;ePch$AmO>eW`J`febF4#%Q-uI#krI+hEMD?^6-%I#}V*|
z5WE4e3V(Emq;8i(YkB51VVEJ}O~oJng^IPV;7!Sk*1<&b(8cU)+h_HM(igrNZqxGk
zT+79GmW11#?a296rViA=ImQIYxo-9sl=E+(2kA#2!YnsUow?+FF8mUiEiet#0P33M
zCSek4t8zbS>w9K4Oqc(z;w9z23sc*zwDZFuX``jQODTL_N*fhAF#MRlxoKMGse_!H
zhCGq}S!Am8o%B)khf)8B9+U3d4uyB5|GE)B(R=no*N}cf<n%VmQFNUO)62d9e@sG_
z-V$zco6@J=1JUogb;2!n2}F3eZCGwk;(4P?f7>Vwd431y9qRo})4}#I2a$F+@^GXr
z<C*PEeLEa`J$T}8=skQinRjRi-yKG|wR6gm{iWtW;Tv0I3dlnzyUDb7p5p!l(%;YY
zP(Pk0&ye&bZSwRtO-temNu18;Ut+(O_r8L>P6|JjcX1C2KX-fcKAkWR#QnZ-qf(+{
zy%2tGU%>sAaFf3GIfR=?_|q{@!yJe?P|IVJl!^Nh_Zu)*W3IxS7H$-BUJpNqq|7!+
zx!H?IcQWQg%(F2Ic`l^73VMutDDm49zj3%p%GX`N{d&w-F<&A4=g_;*67ogayVpR|
zp=P8L_pk2v2s;3`14)B=akq2-1@{%0|HM3>ya}BZZg(F+ul-H9#TyfT?)?CBIOd6j
zc?Ex=W#%~VT-?qLxA;Zj=YD-m57Q;=z2Qb7_Y>2}`w3wvAHNNLtuUKlHYUsh!a&L!
z!XJA;%0I$GHIVX^@K!Ad{t*7_Ksmn@^U5;pFF<079=SQD4=^jCm!Vf;dSCfU__QVx
z-W5uCZ*NU_R`|A7v<GFW<z9<&$|=j*<|7FwZJY9OHbH-&eK$oecS81bLMM-CIA(A9
zg*E2K@bH0VG_+dk1M`WP9>Kg7S_6%MPKwP_FfWT~6z2D1I@jD2es1mxw~*#0N!J-n
zn;R6HhvEKyxKT)D<S68vj15Ij-i{nXPP$`_b;pJ~+=<4uz0jlY!B1#XOcOAF5mu_)
zjOA%sX3988Wafd!u{%s>m6^8@{$kV5y@s@J$G+0+<9-iQo;}z!b|1x*K2Bt`(38ZM
z{6uNBr92p;>bRy*#xL$o#-%?y&b~@G$&=(qNb)Gp75RN3ej>{cN6txFWu}=si}(7q
z@t}J8Ubo;b`4Rer@Ec?L1NZXmL_a@;@K@9KUL1{;wR|SV<%4{bF{9>NbaTmrJXc8a
zA|yI`cL<$B^aDGD^hEdgg8umn-unxaqQ7o|&T*tt8D>I<5oQ7RgCWr$==bOobd0V2
z0(yX34}C_)$0y;pzv<?-MF$c6=K}hTb(o%pZ-lOOq-|}A(>ixQ^k(v-I=$$JGCmi*
z`9Sy-{lhIZfh#(Ri~*ATh$;Exx%Mc`Q9MKP)d+nA9(VqVe$keAZOK>L_`QY_E}{8^
zPv~^?sJDnKI+jp7-r)%PS<$ny%SLo7%Ftz8lFqy2A<>m3FG6MJ0QUuW?iT8?#OwzR
zhFU_6q3=LVpbk(cNa~{ul5qRkfxP?8lw%QkpoH(H?oDX_eJQ_A^s&9L_mFT(wM)O5
zZDTrXx`An}>9#S=F`MAtUDIt#nr+hg*lm7exsk|_F7BIVs58QxsPr20{5AByPG+dx
z2lr0qVCZP<2SZ24_M@G4raN?yvj%ew=1_B>(i(H1+u9uHuQCS~+=Px$65SK;Fz5T|
z4qK>W$e5i6JEP1Hs2g-L)CFp#=1Hc$Q)osyCz%#%{uSMHr|Bd_di&X_jH8yCk+jzn
zkuM$WKh23y2l7#pl~$DIBc%O^rky-PO}m*ohS1wv+XsvXHH4bl*WkUMo9^!6lr43u
z{QNodL}j$e0@~w1+V8)hRowUI{`{ytJIm4U55)cs?!SXhh0ezR0L<~^yE}f{Ok3w;
z`06zCUFTzD$}6S_Syaz?3myCe<U7y#HpqU6Y)PmuZ6|pbd7o_J-Q@k0#+YXMp7O4{
zr=#OACHcZ?IZ0XViYP}ZOQi*SF((z5ztlle4^kIZ$cyfolae}0Na|`=B=z`pXlE_s
z!z02c`AB(3_$Lp!AJV^0H75vf<s;#@uT4KBjeG<T3m+$>ye#}&6A7PJAq%e|7mvg2
zsdG{?FGYPwTM%A#R&d{!wkUi^T;&n!L;7^B>y3=9q%Nfn9b~K2mGtGbJ!b>5L&}Bx
z*rmuC+8gb>m%S8uBKiRC?tb*Y^yBV5xXCkH5jT167-SL8wL6VPZnaJG$-%e{Lw}Ly
zo)2X`Q`(e1^CSB0-ymb;nP(EFKl%&t+(Fo{K!2%+*&6cDUrxmAj%<wE8oJCr`ra;S
zNuBeqY5fIWcN>J2Zto}^^rNV}<as~9-WwSs<?}`Og{0wpir&&W&i`2a@5X;BrsOlO
zC)<`h9*=&~U!H@Xyswl6azo!=>PE^}-c!=%Swf6)_d#Fi?aW6euSI73lYXxrWxg3%
znxbEL-Lzrlp)2)rU{)W~lRl;weL_wjL)$zUI$HaYyXiX~Cr(X$#3elI68fi0O!Ju9
z#%4Rr9?<?!Tl$Y9ptk09(*bIQ+kZ#A31(mCXXN!q%uQSse(BuEJIydHo!?^q5IPfj
zko%>khj|J6DD<t{F;77ku$WIlui$@^n$4X%F)ucadH)h;3GLuA>UKX<;9QA*HI{zo
zJk!L9p4rhkglEdLN1LW*BXda;@tbBknkOj7r^5H0i?Ba~?sFu10`8i}pJ7TIbRwq%
zaa?%$3V7ly<{Ikp%rQLc45$x$eKP%eC+Ze5Plof<ooC7OphlX`Ow*F*b<}$MlCY=1
z4?Qu@*Lk;6`evDb>jo9Z)CjX5B)Zx`kodU~g`Z#^8Q<@ZDPbkdAgBluy-LV6r-$E5
zh`G0B-Uqau4yKDc4C;YyFbMNRvv1lw(KL6bnzr$Mb2Xzd%?Z~W9lE8sc~@z?W;{dm
zMIp&wnQdSm%yLWo60=9_w=bqpncD^ZN9K8sqz-3L2Sd>Xr;(1#CpAWnK2JZe+|)$}
z>w*kv3>^Tq7t=l8bcXhUTE+IRm_p(%l-x_0ecS`gF+%p|CWV~Z2i;oQ>~Qoz9dn8u
zQvJ|8WST*R$m5ft70_uy=9ln7FB6z@)5nyDkI6mmGS)l;x)M4cx(>P?dJei5TEhFa
zGbTI|ItiKqJp(O<UWC32jf9SZ`a<VH6SK^dv5$aGfrdd3LcfKMjp<%Yp{dX{&=t_7
zP?T<m@I&mSP#s9pl60Pc?toYg)wuU#-Uf+T2}$0ruR`)%d8Rz)TIjCW6#E0veb95z
zG)SH;&k~aNl6MmGX-NEq20^z#$$P&bdNlXngXDb&<gq7yi8+xl6NvW_rVGXQX)}4>
zs^(b2o&`;T#z9G$AC3JmNc<0vX)Nv5z^}&4iRq`9Tsp6M5pu=hhEV`6+l)0+q29P1
zYled7@N>*X{H(c(pJRS!9t0oZ=a_fRDsZc*qz9_+6oE~hru0^w;6=yj;q<`X+vyDs
zbOwThoI$uB?HmmbbB5tE*_nd<GUqaIwlf=-yPUhR|Jiv0<m<NJGtM*MQs)iuE$3};
z1%0XGyytufe#Cr?<CHUccAU-hb&m6?^Ci6@m$BAoglTPx{?Fl~N)5qAjBOp;hEW=$
zc}qTRcY1qkd(&4t_6SC-o*iHZfP?HH@My-zo;}VU2Odwq?AhV8de4ruBf%fg%UgRY
z{js&D+tW#5tQ`xEXQbiSv+185JBe8h$6m-BhGQ?X7lA*vKL)2EEv&uDUIqT#J&oCn
zGu$(b<DTW71x|7&F}HD{dm(tSdog&adnq{6or&)pcMdp@IT**i&b<y?;4T1fc5epn
zaPI)`W@f~3?{n`1?{|L-E^#SO_jQ+&bl-R12iLl5!4J_}9rq)5BUsLQg5z#>DM@#W
zy9NBh{Q}(Keq|hwALx2MSl6oyHuIW+9X)17yhFT0z^A>HV1@Uoar|Px7;Nvi2Z#H^
z!BPGw@Is%`@PFoC3Et}83f|%03I5vu4S1iw5PZNV&;IZH-+>SMaGn1L|6y>kzZm?B
z{}=FSAKvhn`b)v*{pZ2g{MU?=DoPcBO;d1ps%5Gr*ecb}xT(Wa6Tpe7dGs&Vw86C%
zer-}^V7t_Q-~p)vzz(Sn;DIULD%CmF1?-;c4)#p-1be68mDIthgTX^mymRW%)S=+v
zsl&nkss7+msX^dLsguC5sd3=M)I{*y)Op~f6z`v!oSF<yNlgJSPF)OMlDY)EEJb@r
zO-)S&FHc<#PD@P#uS`*1sp+Zd;EdD^a3*ge?N_L-9aH?c@dgeaI>IzN>(a^RnG+^V
z9(S&J=DaheOfuVzM;H@^rm=)IrS$6U(OCMKVP=#$)0}56Hq*>(v%uVL7Mh3Y@t;R>
ztR$p!((t2N8<8iWX~L80nMS6S>0o-A!^~iFy!pO4%bah1Y<`A>x!&Ai?l*rlPns9Z
z8_0(!jzzvSHm%VidXdi2<^(g^j5U+YCFV*q*W6(4G!K}?<|%f!yop3f^4Wwss?QVK
zpqunIN0=ezMDqhP&Rk$FMH0<3H=4W5Z;?ZPF@H60nfFYY@sAumsI?g}VEBmEX6CSy
zj%#h6IO*7vTAPXy!;fw4w2R-~Get<fGSkT%Wcr)oW{eqcE;N^!>E;@9leyb0GLM=i
z=0)?iSsmx!H^pWjG_KC(U~{DTt~tq^VkVd$nxB}f&9&xN=GREY$IR1ce}6OY$8iEv
zLO<NjbfLFB${b@xm{ZN!W-{`1hM8|}Husp{o5#`JUN+0knmA6%G%(H0ex|EA#0)?J
ze~(^!BC_|V=I7=Y<`zB@_n`TcdDgsQ-Z3A<aSBXB)50)MX!@Fg$n25kbY%7vbGeym
zt~0lqd(j2{Y?hi=%?h(Nj#I~c$LwnkFx}0eh7piC*_>g{H9s;}m|18Ax0(CQAI$%l
z=ge#7?`EA@f5sW-P4P!7o~d|_;$+3k6t7gAt$3Z{&5C!Q)#IYG{09^lD?X*TOz};{
zRf-!FD-^d22Hsg`Tr@5yQY=+$rr26>f5lFUJrw&W9<Dg>th3I)FgQkWjN&B4X^Ph=
z-lO=a;xfgRisfS`U2uM|Q!wQz)>SM~Y^>Nqu}rbOVi(0;<0qeSR;sV!K*eE-qZH3n
zJWugr#c7JO6&IX0al#p?+ZFFod_eIb#YYvNP<%#lnc}O8Z=ZL;S?8rzDy~u7sJK~i
zi{f^{0;3pA`qBB53knq*DmGPYsn|}jqhdG3gB1HI9(4gm!4Sn^iX#+9E1s@6UhzD|
z$%>aKUVg#kv6Bj>E6!G&uXuyvt%`RmE>!%z;$p==UntLAqWHYx%ZhI*u25X9xL$FS
zVufPmMeuOJ4#7H&6}u@Oqc~Raa>bhzA69%>al=IuCylRb6a&RV#fFMa6<aE{Q|zeN
zP4S?M&OhtIy8RT7Q5>Z>UU7=zm5TEfZ&zHT_~(l*>ejvPGQ~F)S1E2#tWex8SkF@|
zQf#VN2KK1eNwJq=KgEHHLls9Tj!_(|c%I@EuxGugiqjS6DlSmGRq-ChMT(0RpHN&1
z_Nw=?;&R0`iklR-DDD(2EKqEy*g|oCuy<iM#e)?4DITRbL~)qn2*uHgrz?)X=tpN>
zRCu1^WW`GqFISwdI9qYP;th(oD&Bq3k1o8ZaG~O2#U+X_E3QynuUMhDL$H2<V(De$
zCSOp$wc`GYofLa0_E9`saiHQciYF*CYC;Ez`tEPabm>7FBHdYP|JG~{J)z`!Z!l#F
zOdWIz)`#fZi%92xzl(zoBJaC5=%V*DMR$<;__k~g`hw(d@6ac%H9qqKl7{GBPRx}N
zPrB+7VdNtEqoZ2no?~l`yLZ@3<L(`{(zttr^{Baa=wt_=Eq6eJJrKRIGg_U2hySnm
zIE)pf&i4jIcP>FDl`?8D@Y#RtuKA3(zV>fEHEo-mww;}}otn0dNZXD{+xn+%2c>PD
z(l+Kagj1Rij?Kek^Pt%55}W(SX3N-Y9GgY4$*hH@(;pMAYu+a|yTxYv*lZn}%(`f}
zlGrSWO=;W2=hSKBUrJ7ugPYe)+e9|0TeHfvtvqd8o3^b;+g?rEmZoigPHg+!1E;jv
z=XS-L6q%pEWv(KlR_xOh8RcSU^b1ZB+-ok2c++FV)tu4LzNGW-v^$I@rG4x<_F(Ke
ziIMl^j0&$|Bz!yLH5q#^Wn3uZ&kD1R36}z=gqgM0PJ5@D)5q!Wut&fd<BWCAbEY^`
zo$1b8XMuC8bC0vgS?oN)OxerM+s-OyJ+oq4oE@xb$?Sl$&vI%AvlVk*Vmdd(=7QLi
zS`v4uv&diNy|Y032G?2ZY+*J{`Uz_bZR@D7V7H_88E(hetcXGsU08Ib+Jd6lMYk6H
zzGz9&n?>uRloPYKV{~7_43a$YJ7>oxb7y)l9D{qKfw9TFlHPBL%*I7g&KegsZrQk7
z?A9kXnO~8xjfJnooEe+f#3nOL>i%kMZi`LkGSxkPMw8LeeUmtyCd}T5fBIhdT<-6T
zO=hU{esOHROv@Ah*Q5KU`$y%}v|VJD-5t4?Eiz8qx*juOZR@i8*tV@}Jm#g^r3T16
zQriMT;lo^uU|smUHDmrx%-{53Mr9!L3n%cLfEg^o4q%DeOVr+4?XA_`QSBYoUYFS{
z>l_U#XOz8coU#>~pVTg0m}ldiqA<2>R2g${WzqX~i{o)u7L^FIW@QVJ`z6dzjD@>b
zU@xRUXi9I=jyW&O9NZMJj5#mM?Avs(GqYfpIkxPOm*dik88HcYC3rw;nuJmNIJC+*
zMSAFN%<J@HmQBJ>0^2a}Cb7;1+odi54`BAqGRHR=JXBrA!AV8*QE|DZ*jq+y!8WOx
zV3}gO6f@Ms7OWa$E^e(-f^AZBz%s>l%+E;-LFNG4ETSBexti>Gx9pi3(ZY@;{76dK
zGv}mj%)!gtByP+Y$G(rGZSN*Fr+(T-uORc1#$!HSV!#`$1u`F>I>2FWJ~cx9n3<1K
zlNtFqywrt0U*_avx4RNInJ<^PZ7f<~59an~*qQb-x0idkJJXx(pW`nIrlx|_kkshZ
z`hvv;m38{mxvb9Hb-PgGhcjb1j5(@P^T@s5n@5=gT*}Pb>&%I*Vzz3d*=)9$?XZ5}
z6k2*6cT#Eq`y0d@WZzVCrhQ$_S@vx;XWKW_oMT^8bFO_$&3O_(H6e<Rsqry2KBmUU
z)cBYhA5-IF&a*EwLqEwXXILqfGJ74^f&KV!tQ9U9V1Et{l8~th_8M@e6^@u?=YzAY
zaKRia+%eZ)3(l*~xAuD6TiF}HGP?jAV1Ee?;*^l2b`v;@o%@o`jo@5*yS_TVIGj1v
zGvSuW%w%54JnnVOG2YF*>ch<bEnzPAW#(2_(4(w3o9I<4%?|sHmdgN3zo6y$u9`FL
z-_@LD-&1q8U8&|AOaD)}xptMB^CUjyqVX{YS>j`Ad`yjxsqry2KBmUUoM->0<#`)#
z(aPQqmf2gu0rnPfkoZ!DcY`zSo!~6?VoDhb7tXPFfO9!LC1qHjGAKhk@51bIU(+8B
z8_KNiD0pnF{XNgP)ZRz9R(2s+#)%23vj@S>vUZc|Y3~IGuscMax(J-ft`vFRZ^1eC
zesC^(OY+y&A8~JG7lUP-&y;lj01jfmgrxH*ILkf;&asbx(w}+uPuK=93QkL#M2g%0
z!Kamd0xYvngB|P=u(LfC>}mfD4zN#wGucxsDgOnW{WUmXjn?D<`@Wik?0Pk4a{54O
zdY0Xw=4^JI%KaSsftqvehicBV#HS`TKBmUU)cBYhA5-IFYJ5zMk2%k-Rt|UuywENK
zFJ@nml)!UfnSB-<AYtHxzk)MaS(mqd37pO9y41^y;5^3Hy;#SP+3yj|=8t79V+!-^
z)6HC3!A<B?_s|X=Lb^P`eETwH!rwM4-6J&bt=#@<ma)rF--TTQVh(bTR&$&?P|ca{
zQEJX|2dg>T9iZkM_eeG8x`Wi5Xa7NtTG>rtnf(mxU_S*rvm067<|A;B{TDdS?FUX^
z=cBw?IXKH!fV0`VEd25@IG4SY`T4FA_g40Eu*_}+2iPs(Ap0dalijwG+IDb`tm(pc
zP3RT-&^CskCyX+uo3mN*xWr6jjo=zqd~Rk1=3dr49%e;CC9r#}zD+B4sG4Oi;~z?8
zfcsrF2e~JyInF&n&6(~nHD|fQ)tv1fujU;0I5p?8|3c!=vpdO6D;t7k_A79J-2o1A
z8ShXcL%<0xD|4xtF0&A+S*{Pxc3H_y%|S)sO<WJ0$J|!Cq^C#v4WUmNf&7y{(m4+a
zcnSLSbhi#6Te)??GPfbv!EFF`wxT!mbPK=%ZVDXaeg_=qHUcNQrQmsPWAFmE2%PB_
zg0tKbaJDOb>m0WpIM*!(^GI-aAKY8H&A>8Odf)+W6L65*5}fI_0B5=Tf^*#FApL{%
z%5H1y1Kd{Npjy3MTSB&S+ks`Wql~xf1a_9yWZtd}9N@MA2e}7=<J_*`ME0!6+jRpk
zaNC13-TlE?Xz%iN2Y_>2bV%N=12}Jw`Q~J;=T`10HOt(QY7XFhK-8*EQ*)d<M$MV-
zXf<cKjJe^D+3pY2oWp(}xu5HvqUJoeC%I|m_5#b;`y=nx9USBy3XXF}fD_z4;7s=*
zaF*K_oXrkDd7s|kT=x(#Pi>(UkQzD#si9Gj0{R3gpiPhhx&$epNst11ME(@s!CiVm
zN#R{kdO%6xJy3c-Nnr&jJzxG5*5EEuR8m+EiUgGuHh>~MC4~<_k(`o3y-0hm+5(Vi
zQcC?nk!Mm$hk+u?q?87NBFChB27@BQq<oG9MSkrn<zw*`X&@;d1BxV&lurUh3P{Ss
zK#>5F^6{Xweo6U6u;x6UjIZ#Eq&yN7UXhef1BFi{<<X$<h@|`jQ20YqJ_VGOe5dgP
zjIdhEI1B17E=`VsWPUku!PaC-L~$5#VZ<qv<uV2rD4os;+_Uzb<uVwT9yu<3aoIoZ
zVw-d^?PNcLe;0qm^=tng|2O`<vZuknU-mTki`difdv-KDB>NfsKeC_U5&u!{?vULN
zgnJDChyBNKd(3~_*v1v+Qv7QA{hC<Wzu%BX_1}G@oB#J1Pmw3){@8Cp9%}kMPVOXs
z`F?-$^Z)+r=l}hWpZCXmTW2AANuKeZ^_F_idCz+<c+0%MdM|n}c`tjfc&~b|d9QnK
zcyD@dd2f4v^Oo}`Xe+$Gdn>(ny;a_O-fHiCZ;khXx7J(dt@l3kHh3R-8@+#co4k*`
za_<vwv-eNgqvCz${ma|pZS^X>&%JH@2m5yKOK%7N#J<xDed9a6^<CfdeLwJ1et}=d
zuggb13Vr^so4qY1egnUu{~f>7Z{#=joA^!ref(yAbH9bZuiw&d<+t|R_+@@uzn#CI
zzrTL~`(Qfw9sL9SPJU;<i{I7n=6Cmd_&xnzesBLE|6sq5e~91LKh*E%AI9Ig9pU%)
zkMxi72lxa1LH=O>Xn%<RUH=&WSbwO09Dnw9y#IZFw10wsB0FnN@<;gJ^GEt8v%lsC
z{we+#{tE6i|8)Nh|4jcZf2=>wAMa1_&t`0Pu793?zCX#ofIT=r<nQ7x@~8Me@-Oy(
z>|erP$6e<C#GmT_)W6)n!k;GlbNs9P>HgLJ4FBi;On;U?+n?jl_2>E5_}BXL{a^4`
zbHDT#_}BY4_&54D`M>gS_HSW7&ux3m{ndH@>+pMiPQR}TkN++YkJpZ)t8;R79)7}q
z(tnCwN=syqlK(7wl%8XU(hL4F|F8aw{!9ML{ww~g>{fc+f5U&%f6IT{|C_(uf5%_p
z|J`5dzw58^-}6`d@B3@~5B#<MI{!m|ga47g(f^0P$^Y0d_doGB`~UPS{7?PQ{D1jd
z{H=Z^-;vzrf8lTEE0R0>ul${U$aI|(*uV|Ezz>2TWt@gPofnP$jy0u0LGYcRG-%}g
zG-whu4fY9|1<ivN!M;JupjFU1XcLqLZG(0J+Calf^WJ}5OU%~}lU7)@9d@TBejDxZ
zRBeg>nRY0x@D}6|8e)T~W~l$4=Et3IWHo;DpCorpO;K<{aAGh#I4Kwrd@mRooE(e_
zz8{PUP6<W_^!Fu|gg7b~5DermEe8ij2SbAI2FC=)2E&5mgQ3B3#wppveolJ*l1<Q-
zbWfbPY|nDBB|Az!Bh<#Un=Pp@`vyM=rUpL^E)T8<rt!C#R|Z!F(}Syn8NttknZc}J
zHh-i!H<%Y(6Y&32!7qaAf?oy;f}4X|0%mMWo)6GgN=_h``v(UE?Sl?M$Kb%AQ_wl+
z5_AoE1U-Xp0s3mmLgNK@26qK_2fya7HQ{>&y@P{-gM&W7Awl2Z(4b#%SkON>GB`Xy
zmn)fWO1)#fq26)cFz<Np1n)#|xOb8_!aKt|(>u!>>y7iqdlS5~y@}pAgdR`mlf6;i
z_r1~H54<tnDc-5xY2N91LyJ1&lng|ZbV?3qKG~M^H$B`5-Vyw%=#k!0-T-f)H^>{z
zAB+ykn}erPty67N`={EcI;Og&dZc=#4odY&^-c9l9l_s>o}4--b$;rHsf$uSO8q!>
zY3e7bpQf%z{Va7=>S`YA@U*_1ap`RjvIp}wr-#_S_E6i;9v0kT**{s*hnZz?Cj&l*
zkzYwK_PaMi9cW^k+I?&@+uXL`e^Xo9R<<?!c*`tbU$Xnz{p|s^z3pH-+5>~rg4;-;
zDOxfcS4p9iy^)=4XWPYgwcXh7+r##>y#i+LOE^bL7>_XQM_`|Dfvscf+Ip;S)VD>p
z*p}D^>>Fl$SiFN13@HR>ed82wr`+<-Ia&8y_8MFFa>XkYrzuA6SE~Ig#p#MyE6z~-
zIp`F#5&-@lEP$sAm@#h5x{J%|SXWDVm^Ri28P65Zw~PLlXgmM!Yc;p+N>|*io><%7
z=$q66|I@wCKGn3qU5|jO>45f9dzt;o*Bbfc(*$!zI^U`m=uY^L_q%!ZKyvk;)J^kf
zrv8&bfp<*xe$5+Mz5k;R&8NA>`l|Po-%fgf;P&8-xQFUirH5iob=SR=^h1R$%(YHC
zrz30b2RZ$mqnsg}S&?=3Go7=YNvynI=1g;Du=akPbCYvBtM3mu4>^yr{{D>fqVu}5
zoE7-B&PJ!gsdRQ)k6xuA{Z~u+s*dzQ2hrahWrx^dc7z>mPq*Xkd3LhB#9nTv+u3%$
zy}{mU@3sr=@9kpyXS>8cZ(p`=+7))SU2iwp3R`J+@Q2_9ZjoE+Hgj9M`@5ao9&R62
z;0C(KxF@(H-7)T&?%A9onc`mNPIG6tb2%q+lY6^+4}T#3ko&0ng!_!U%w5HKj~!m2
z*TU=M^`oT6c;|Ujyvw|4-VAT9cb#{Wce{6w_W*w~zSw(;@%O8YwO2Bh{*19QbGhEr
z!5QE)!I|K*!CBzaU@Z7tFb;e^7!SS>OaPY!?6C3v8cdX)&U-OHWAR=J&IMl%&I4Zw
z&Iex&CV{U77l5w^7lLmDKLp<lCWCJU7lCgFQ^3CkKLVEr7lZEvKL%F>mw<l{E(KQx
zm+`cxgP(BPNAfond^Y$gxHPyNd@i^Gd_I^)s275tS>{g3;g#GiA&*ya_hK*|d?~mZ
zx0iz%oDPya{v3QYm<hfX%mQBzW`l18bHF!)x!_yDJn-${8t`wywczq#KKM@X3vfkn
z9r*X)m*C1^fw6u|%S^Q2$}(H+x3*|vej8g4EVG4RTl5X<%XgxzzaL-Cu)ds`wEh9M
z0odL)1Ura+VoUv7N%LJ!9$IgeZ34b$n}Vx3BWS(%E%VXd8rvNFz_tL_+I_)wwk5dU
zwgNx2%t3n_(4?*Rku3u^+P2_7Y&&q1WhCf*Y?&|i$~n(%y-zGN$lhklOtJS*+Yzj=
z2ZCX6Gr2OsEnoxN8Ej~~fZws`EPg59;;?=rSwr?4+a6#O+Y@YRdx2f}YMb@Da*o>i
z-EAMR8{ZwWeh=Fh?8&!8tl!J_1AE)UK+(Ugf1mIaNI8I%nAcB67XDY%TAiQ{ql=@^
z%zL59o{Wt7u1N)T8E*_gSMLqakK(=_qmO}T?gyc3f1mq8#v+5z;}1sj9?gAyMka&N
z>ieLF|A6}<#wkam;~#=nK8E{ZMlD0o`1_)xpTd0!W0>!v{~wCRek%737||TVXrLeZ
z`)S-aWPEchV}rxc=1+&i&OpvF?}>@tj}&AM7Y+YNaIAL}IL;dYj`s$F6TCs-*&cJa
zX#Pio=XgU<Vvl8XF@`ZwkDx!cQy3fd3`l_y{as+o;BK%LBM+a^{b<Hb-Galhw+Vg_
z92az#@di5=-~jeWQ0u8Ksjg_Cm#7vhI|z6tI|6L#8q+N`-x=gC_KN)Vc}Hc8$Yf-;
zw<CnqFGT-keMeAs<9O_=DC0bp>;htiL-Xah>$t0H#&AOBc5|20(rM$I<&1a#=%Jsp
zLt>1%9k;WvbAC%*P9szsM|KuDDNcK#qeo#K-U>HIQukB)k$%r;&kcIFtjrYf6f|)3
z{Z^(m>&)%gm)8;PyBjit{jZ!D9KcDzqd6gXJSPK3+S54!IG&S#lQ{8r5hwj#wtus$
z-G1&6S*2jKVcDT(*rD<)drh7*pPPlGaGH77{+!wV9h~mF#u?-O!d>8;<=*K2(V5^r
z;{M5*j<jCt%yM6FmpRwDFS#!{3*1-T<<9l)-`x+K+r6j#vz_~x*}KgikGAx<y^{WY
zoxRonFi5eY>X;T<g8Q)#r33HRoj2^w>9s@H`*L_{L~0}_)6Pp>$Z51GoI<;V(`QpT
zbvBLDX45t9-j4JrRjm!j{Uhl(zSNkduPKr{mmNa5t*1QX<m4sB*r|2~E4h|I-$%^;
z<G{*(Qd*yLo?6Ojm6p?2T27~EIgQnFI$O)>YAvVPT28;za=Kp2=>{#QJ0xvJxI;8;
z-#gr6UZ1}1DqLrKvrRpEym_Y3yV1Lqy+BsSc)ba`%{iFU^oKZu&1iIhW6jylan5Px
zJm(DO8gqp+-}xW&JLgH~N%MDSnX}BSbY68{HSf}oEMX6eHFY>+$y|f`vAfx%+)pWy
zdS0>j9n;=x?6owVy*6H%Imp}3+t2jz+IyV*@_KlDVUn0`lvnRZ-o>Uaxw?scQ&Oh4
z;pZUJzE9pLQTUm@hPHiFaJ(_W6TwrOdkJxhzNv!`C!Zy3YCf%tl;LLH%xU55%bQ8A
z=@B$7;Z53)_hU*#N`rLcT%3%YqIXK)AM1_ao;2}47PE&tzP7Uu-jiR0ANe{K<v+|h
z-Z{ZJ(HZWX<ctVrq^>6ij%9s^@}W;b0<_>Kb%#6%P7O{qO_<@~OOhJy3_`fH<uYEj
z3;UrQW_*6ejtog-g1jSdR+re9vWEaSM*c_J2W967ygJ&BhBbe~&Jyvl-glAPVrzr%
ziL`4tnNxvV%>df==Vq}}<TN*rAd5PiXVD`MHg72>{Y^P(o%207=_BQ&&xDhl*1}2b
z?}Ue(<KXzg&M>sZ)0~m^410z%$xg5noD1v}JH@$>mhgM$hxQM4gYzqQygS}`O<Tq5
z+A7}BR`IU3if!5|zLHkKR4~%R7D%hGb!Zi9Z9{jxyV14~{<Lj`Kka_PpY|x>PkXfR
zr#(UV(+(H@v?qBzy?*uw(t7MT-u}CGJbmc*>;!tPbL<b{oFCiEq*d9Uc)#*)wO4yj
zdQaL}(jM$=sR=trYQoNyGPm=XVVhyELGJEnuSGr`VCT!(Tl))UmAcyN<kYSGrJTC8
z3*^+Ty<Se;+8gB5t-VoB-P)Vv)UEv${liiA=G4H{Kzj=^ZG^oQxi-??CZ}%g?Z~(D
z>>bFs3+<h9>ek*Rr*7@ta_ZLpT29^Cd*sxu{f(TuwfD-YTYI0Jy0r_DgIC)7Q=GcB
z52UV7T`&8B=nv$Se8eHW=%p%6f916!wN0I@T=jkUbc8uW+t)-m=xB3}a?!c&I(o13
zY3Du6ByC+6pqU(NE~WjPVJ_45ezi)ZpKBYOscnBYZKjo(OHWv4<{`y9vvb2?R|h?p
z^kn|JymP3`pUOPy-nKU+i^u~xFT9?W-R!f)o%C$+a6MZ*miETQ`Cu`lv&F~;JvYo8
zoVq9HhNHXWL~tfva@IFF#oJ9!@gA<Hc!%mK-qCW3mz^t73dt$n=q@>-8{H*mZ=<{9
zRBd#ZoR^L6l9RCQ&mA{;lKD(=o8nGE$5X7USfbciv4vupV*B&Yn0&6&MRB0wXvGT^
zXDHsP_^{$K#np;i&Oi73b8TJ462-=fEfmWX+beca?4{UOvHwLAFB@kED;}dbOmVp4
zNX5~Lrz)PQI9~A_>Phscy~R2jQ>3WJF5Q3`+X7tv-*9!}_lVwRPjDe+a1V4RbSrcd
zv;dk9&4p${(;?Zv(V88LRrh2`YjD`Vq^1||6i;=F?o-Fa=A)5WFZQp8wlDGO&5q5@
zEc$U@I0hL-oz(BwZuEX*_PcohZikmnXg_256C=%7+@s4`cF$jBZ+RiR;<^#(#s6x$
zir%)=Y38(c_U9WUJvb|IIJ=WeF^@r8Xa<d}Hh(jQICBYq9lvJG<TT?avpJ=NegHF>
z(^*E3{I;{wS%d!u`Q8XKK$D!$NLhX-@Ou=WZ8F#6?2MkmoKJ~utTRP3Yzy4R*fQrC
z+aBs-dy$uwwy$%Y?eCP^!FH(aZ-+ZYc9gR}-xC>Y&mpxL_Cn}lG~+AnOzxYJ))c3i
zy~ZxEH`_byy>^j(*gkHbvP<oY_I115uCi;{X-M_6V&FLY2%5R<L2?{fL*Q(O+KbeE
z9lMDfN4_8Gm|5a(X0rpzG4lkS$25E|#daE|Qn6g|KK4F4&c5oKQoLHxQIzkYI?gSE
zq$&0X6iXe(bL3y#=c-E=#g>Ym;(>~RgfyYpjr^;C!$u6TZ&bWfT{@}#dA0vW?Jp=k
zqAq<Dn<zF{_m31`mK7XFzI^F8oz+G5XgN+d4Oyya6{o20mx}*Vm!B$jP&`1ft>RQc
z^OoB0R&1dz+nCdEoHE7wibnBZL35+p4^%u^v5#VJ#ZH2}yWmIa(%7yhwZ`l&cbqno
z{_`WBzX{($c6)QO(K+EiMrUX3EZ4o|j^)f!c3a#(-5L+q)-uwpkTzl}2+3@!Sx*Zb
z$S-?V^*X}bM2Ki^b^j_Yaevy+NMcEgl=k>p)b^q_#|mK?tAVsK))pJnvS?qlw&8XZ
zZEF;^vCe0N>`Mq~c|)1Y-9U@`j4`{mHcHj7_uO%sD|S*mS@CeiHi{Q0o*+nVN_g3^
z?l?!N%gt*4sp2rjk&68k4^nKa*jRC>Vw6q`wFinV1zGugl$1|ZdjoYJqc~ad2<5kH
zl}`%Q{=B-kSNwzGNcOcm&Pj^<s>{)ey%Zl-Oewyv*jLbG^Keh*<s7HIJ|*JkBDMEd
z%;xID)J1vQ+@kgxINV_+mNbh6BW`!Ps>=jLZ7(tZKcg-UnStcniux7@i{0ri$aw~E
z>FA}WW0&(q)FAqe=s1Zqd`HS<>A<B!HH2vJhO;<A^%)7auX281xEXE+vsYTup<y|v
zDx%F|*AviAL$Py4Meq}K@2U2kin<HIX(RS$E0@Z+vyjsnoFR9neQPwI6M|iwUQS=9
zzcZLo<Zx${b1LTq&v7nvF6N}*mCj7(8qNxib#8X<bnfN6;KR=2d}Zri&J0Ft7EkG_
zMSs>UHgk4xfwSEjXO#_D4{zu^o~&Px(pXu;AnXF$&w0uoMH)|$#-j9!M&O)dPq*WV
z(-42wHssq}y1sF_y_^(vl|xd50{n-_iU;m@+tFawx`#8^vhv}KvaEfO{(3@ea;{_r
z<ayRn8b<3Nq(Cdsds#1eo;!&lYb8<Wj)eHLeV#qv)Fxk1r(G)^s(7m6A&LhGnmg2f
zj^YXGa--Ud6o)F7DPEyCN^zthUuu{1k5+7|$bTK+@*TxrDK=CrP;91{Qru6mk79j6
zzWpxvMc5pit@h)?M%ZU*n8y^`s{56pw1wXbnvLr6vHEsZyjsyw_jO@0VYaHvIK`V3
zJ1Op~$p280S|dU8mEulyX&ZLL{YZ6rUU7%IFIM|^)!tgMiDFB|LdCym4tuG6ilEu1
zcK*kKG<zzxS1eXMO7UPpvsUegDW0r&kYaa1Q>pd|ih*Jq!KWWyG92G((!gxvd2Ixr
zzTs*1@1#RCW*j3ky%}i$zc>|yUT?2N>a^ipmg8KcE)VkGERORhX9xHZt1FIkqqsjk
z=IJxDQf!H?&pF3<r*=n9sT>ubR!HQ^{URZpc`7shsP<zNUr;<#k)1H4`IXvbOd+`k
zpDua2an`fSs>rea$giPDwdgEV^1Syo{%k>WmD)!t4po<j)h=TezR;&AvmB12-<EJx
zzCAH{$y54N9WiiP&-@pYtEWCoc^}o7!L@3C-8g?)qvNS-k*R%=m^mxHc8IqjSe&XX
z=wC3n&g=C?*E_x5<a*QU&8|1U-VOE2>+LKoC~Q_Zq;OK<^un79mlSTO@6|7=-?V<q
z`UC5qQ-6N_N9(UDvPJESh83M&G`VPc(G5ili~h_B=@*M$FIrx-s%ULddC_M@+lp;*
zVR6Iaro}Cb+ZA^#?p55kxPS5B;-SSC7f&s|vUq0kb;Y+9KT!No@iWECia#qUDd|`;
zq-1=_f|3VHo+x><WKDyhLAwS=H5l9A@&=0<Jl|kd!;TFvX?S_V=?!N$e5m1@4OcW=
z-Ee*Bu+q~@CzoDQdQIt_r4N@bD_vc>zI10JuTkAbEgJP`)Thy~Mq?YD(`as^2O2%m
z=$S?<8f|J^+PGumfsKbXp4Rx8#*~qB7~d5=+_ZL%fco=&hq}(8rqt=DKArFxh|fTL
zIypz0?>I;4T9W4s=Jc{<X1m1WJGji+J{Zz^c8Q%$qj0@x5^gX}!)>M+_TJ%Y^Bm^$
z&<oHq=&#U=&|1Q*gVsYILK|@V2-*n!1KI?A43$HlgzKHf;cDj*=uzk~=yB)^XnVNY
zn;Ne2eim-<u7YNVmEIg^E;J9C5Ap9A-d*9_-a^7X0R1*xm8uhNNYy2;_mS&za=lq|
z+=B0uwq&lP71SCk<Gv$iCx{hMBXie1!!LQOa^9+(w<_nY%6Y4D-l}|eZ-GRuq_?Ov
z+o3O^9ne?MPAKGmU-&+%<3JX2ArJDQ07^jxP#vf)R1YeI>O)0PF;oJ5hi?a$LXDut
zP!p&rv=7t_Y7Vu4_Jw#?hj(>&SEmhB2DOFSLGsPx{h<S(_D~0ivTzQBC=X`L3!E-I
zuPf9I>JIgQdP2RR-jIC9_)Lgz8#`kmPJ%n*p$X90&_w7Q=v?SL=zM4rbOCfB^h0Pe
zbP+TK`Vn+7^ke7}=u+r1Xd&n1?}r|MnE!R2!R=XSDfB$_D)bukI<y}85ZYi0*nLpI
zihKd<@dd2L7qAvzKwnY7I(z}E@CB^F7q9|f!1{ZErHoj6FJR@pfOYo*R^1C&b1y)z
zEnvO9fYtT_*4hhLX)j=%y@2({0#?@xY!|32)D7wm^?-Upy-Wezx*Bd>4Y#g_TUW!a
ztKrtw-gV(-?{VhsE;9Ats!}M^wkqLN{=X#LYTCew!l7N^-tOUc(*x>BJ7vYhTuq!O
zp{Jm~Kue&fp=Y3Hp_<!eCGE13c3DZgtc0Ui(JoifE?3bmSJ5t4(JoifE?3bmSHaO+
z;pnY!^j0`}D;&KQj@}AKZ-t|`!qHpd=&f+{RycYq9K98e-U>%=g`>B^(Oco@t#I^K
zIC?7_y%mn$3P*2+qqoA*TX)N4v-$U=InZ2a9&`<KEi@lm$QQfshaP}_3oWL%d<2rw
z+GEh;(5Hm^0uznFTK;LwhXUyE@Jr-MC32<Gn-PBM&4gwn73V;*mxT2<Z$8AD9W}Pi
zyMvm$i+`MYoN#|azR*&UF_ozW;g_lFsjCyH%@wh{5eZpgnj`sIP#gPE(!G&%SL0u^
zY^k6oDyWGHYNCRgsGue)sEG<{qQYz@t$#ul(5KL6&^FTk0@@CJ3GINsf_6e-SWfMf
zQ#<9<PC2zxPVJOaJLS|)Iki(x?UYkH<<w3&wNp;*lv6w9)J{3IQ%>!aJ40yai;>We
zK#xL?L61XE;Qk8q0rXF(0{Q~??csXwN8wWMV(3z6I&?KOJFK8BRL~YGXbTmzg$mk2
zg?C$6PFra1{fYj*VV1OByNi-qOG)v40_Y#mCg@|R9Qq_&OC5d2n&Q5c!I{*^W7I+=
zwXjax(taWTLBV}@=FNNXM5GwC@))ICN$FNnx|Nh}C8b+Q>8_)6*HOCbDBX3G?m9|$
z9i_XD(p^XCuA_9<QM&6W-F1}iI!bpPrMr&OT}SDzqjc9%y6Y(2b(HQpN_QQlyN=Rb
zN9nHHE$<HrcRE*6vhb)g9l9Et0sS1B39+Xg$><>&JtU(?O;u7;mDE%vHC0JXRZ>$s
zsi~dR)J})@q_%caTRW+(N@}Z;+FD3$Eu^*<decl(+C+tSCFWI_({Z~Rnn5kigl1E_
zbD+7<JZL`j3+OujjqNtt#vQC)KW<v5_%}-0M+NPpA|><f|9?&VZ>b4s8JnpkX?J&p
zi=ws{{tx>d?h2P6+g?Jpy@bSz+9W3w2+s^H->7QJzXhDlKX6{bzcH4Fo9$+Z{=w2e
zSo#M`|KO&=3bz2_`wDK|aFtukzXFy(4NM!iMY!2*2^|FugeHaWdk==M@m1|Q{EtU5
z|36X!HISV@f}9#J5kK70e#pFfJo9~?`99BlpJ%?G^}H_$`7cuWR~)~MsZ%X<9n+q(
z<0(#*rwG-ZryvV7zr{RFo+x>3$c_SWEhNP+N%6~cj%t@;?Lws}ukGZ2J5M54=@Mvz
zR_;>=p!Yjuf3~LnyYT&5zE$n=@P8qcr!ozBmdGUdU!>f(;o{gIF^^&4>}5V05~C`q
zF&SIEm$r*bc8JKYzL}Win(ZH@keyB@wW_?4Jg-P*VZEE^<LY{so0NA2G>zR)Kf}Bd
z^D2`<O4m!(!K@3_W3I$;H<0%jHQ(0TH~h#uh<2B;xe_XC>?ry2yrJ|Y$D!8_W0W==
zUB|(tf@dF#J9BpUZNab7J3d_Doq);zfD&${HzF(#ev5=j#VJ%0YO{tIjyWQ%#FsTy
ze9K8gd@Ez$a(vm<h0m(kCyBRSe27<}z8m6vCBCch-Jq$~BX{eGzl9Lxq+Cw!ZYT9k
z<Zdmw+v1&s8Rc*pZE+}}<@vlHuIn`odGjP^oAu3o@62$AcNXEs@&@D49M49Rc5$u1
zMefQ?9q$bM&m{FI+!k*f_v3lu+2I4;Ir`S`k^3_#%}h$0B_(`6(I<=V`gHs#?pl1e
z;Jby<#~C~;^90F>#9v7WDVq(HX(oQQZzbGu1}UG(d!5De$3o-K0mkDtfn1V*Z(_J6
z&gH6{bmSc*#CmxOB^IS2C6V~7<-Y?@<`mT^{;%cx{5R5Q%rTg!m{NNh=4||~H!0@&
zn%mnjZ^yh3b0Ov*`F_u0!aPCPrP!aNPx@w4bNm<Jnry7Yd`cT;S-LWp(v`WCuFR!$
zWiF*Fb0}S%A<(t7oC0@lxWc`W|HFM0VpQdRN==o7tNbNU)ifPxJ!UkT*PUoyccOXS
ziKcZYn%14()0FJ9aNrBji{VY)YnX39Z=qeSWaRNK{;Qz(pw-a(&>H9iXf3o3S`U2)
zZGb+4HbVb^HbEal<<KY4X6T<#1;i|__c_F@u=fSDJ>29sfS4`!nLYPQA!elc-`!38
z|L!KgDYOsNF}%rVM%rh-*dG85ga$!_A?D%zArLdu{xQ(85VF8O4jKj>57FBE6QSYI
zNze%Bd(cRTxn_S9^nGYFbY{5GKMNWQjf2KR6QHx9iO_=ZQ~!GC2IxlUrtnj=m*vLu
zmxn9;)zC(0E7GRAi%4j`jwk&sp?45^C!u!|dPknn5`Sk_n4LAm%%5KLtU#o*cQbS=
z^gHN5=nqKj$UnmBIjtd0e;ZQTubQu5pYWp^^5z7LzD+@Zjvg@E6cmP^2lc~$1;xmh
z67Cy>Uj+@rPuMSC7Z>KD@clF>!YoFDlptpsAZI*$CGKWiE5#L!v99Dq-Rp(h;uzc1
zPeMz`FS*-H>XoK$PzRf&Q4dqnsUN;WoR0~mPmoa5;s#CelQ^gHq^%l1Aa2GL9SWb1
z@uA1k6ibL%=w<qd3hxBu@bK^hB=~!=1QZ$f9+K-lB-cVD*GJ5YM*S8&19dVCI-d4?
z0_KU~XT&b2XV^jtl}O4hq_P&t_!+S`AsM%bWJGo+z10Zha3bX+>A1xddqYh_(r!uG
zElInav|Ez)wpeOcdS{u&9y|NIahxk2k2wLqiS(zEw!MEnTw)d#EgFXGsmH2Xd05GB
zbGSi&|6o-h&lUbNkE1xrx@z_7f3vGyNUNj-+AorG06rzKnKCGc`|QGv>eFS>F}OFt
zXB*l`L(`CwsR-ACYw4MCF5)I3Hs=qK6Fj~N9|_+^VkCFll2mzu)I@pOr;;3esriVX
zTSExDkXd`)>5|_SvJ?L@;ujL~pW#E{yWx}J-@~Qyp8xkQN^=Qiu;~BZn=4nZ4_CrX
z%fiRPP4M?hwXF?T2+xL};<6rE7QRO*tpeAB<?_#P|J@fdn~PQC_{y?Xs*mjN&@1u@
zw^JV4>X;+{Uwf%+$&x+cUEfqz!$lc+^G&7s-;fTx{<i5KK50B8<dX1H)+V>ey|#?E
z;fPQ1S@PfTCVP^{@a3e(4*wj-i~DMPjI^D!`<^8GwZkHP=nv6P4E<@&C2o;Vj<dLF
z51RCyiEqr!h4^m{-(g<ARu|8gzV{t)1$O%ST1ETD0>OL#&tLM6QEldbRjEl@->21m
z^VNo?rlm$buh4%RT}AvSgu;bM8gh>dK58zcj?u0N4`P0(y`c1itCRz_fMQ=onp@}_
zSB7hFiQLvmjQ{jimD|7V{AkZ8{iC+RZ~JMrOP|{99NtOo-5FjP$KYQ7)0TQyGjY#K
zFuV^f*sxlmm;P&PY)@Pge`Z^`1jComi+;=RC1PWXLgqyej-f|UEYIlndBbKo(g)Ra
zq0jGGZ8Q7CXik#L9$lo9C%wJ7YR*Hrkv5{wV|3xk_~Ywd;YRW<QsV76-Q6ZgnQu2f
z;YD}z^e!uoq_;O$&C)o2=enfYlpTkSYn{5p$a|&VS@vPn>e6scRX3??8dr_=Exhw;
zt!H_I#xfeNRVF1+&F{QAuIF0op8A%JbtG4p@pzSzVmH}dT{YKp)#Uy&T2a+p{Cn^J
zPrmbC{=H@V-}5w?hpP3J%7j$SA?rTllWWWEGjs1GWX47MIqoaMFVW1{b;EDH-iwZs
z3Lj#RCP+^#`<iOF*r!nCipLq!hvw0B;#mb9fiuU;%wU!1dwpAT|GKwHQYKnLwT)lX
zyU2Scm+BVZ+&k}4{*pZG%B<;~MW_3AFSt*+EGfl3EBh#K;lE-tPYFxvN!oEJ9rp^y
zLvVi8EBswmmv8z$YH^u-WphexpB24Re(skRSmm9w#_@SagZ~xvEM<dS%2Ug@*I3UQ
zi|_5szeaTITkpNAojH~hB9fBKTChgJD0RawMiRBHlCKpmGjkj+BO$)M#4L))X4%mm
z@Si!QXpyTJ->=wPZLPN1qg);nzQSA;K9`>TZ^&t(QcAFeq?6TdSd}Die5n}RiX7Qy
z3MkX<*cOq_itz66@%%Mb+x#Tq5?<H5vEoYE$g_mkg|cRMlNkBUJ?e?Gl8{y#{)^{I
z*~pI9y5Z+|7iR0}ReH>{22WX5vZf^KQS9A|5{>2FC%EM0=&VOqvyu|~0CVc0dYE*H
zNcmK~a!Mh{_SN@Xo#Zmxr}lPuRm!G@D@uEpA+j_NxUf8$Q>Y=iEN8-Qp^Uesdl9~3
z5!VTAKf1!l6I*=$u9#9UQ8`65tZqBtYVnhrk7mA@*^+y4-QA_JWL9()ZJ{#%xH41o
zw4E#sk@mxgTze=PnVWDmEnnwUDGQNwl7qU@TwnOb?sAgrpFA@$Yw+FeJLZ-`!uh$b
zxoJmtS+XN?U<X2NMv|G558tY}4tD?iDtYS2fAe)Tof(@qt>UA%tZk%uF|oxZryPY{
z;x*+Qb!+yu56PrKjj}El-N$)v%N)y&Oo(0E;KzF<gzyErIQ0?ADMk7JNe@b2>1QaX
zq@BN(MV|%_vY%fs<oK<b1odt1NuEo-R*D~Q`=O2`Rtu-X_4KZBoIrL;;C2}y*5WR0
zNVxbDSv85S@O9SNE0PjUT*YJ`OnlKxFHGz;o7sF#jHCuOgntSbldEbYmzq=BJD-RH
zMV{0yer<Sv_bIWP`)gj++T|Xl7p)QS)^Ac{yO}r4)Tlf{<aPY0L`ElO?3^h{wRI6a
zF49Bd0J}A!z6O3yo}>~qlkRR4*y{k&PbW`h#XOq*tBcm)Wy|}l<V&;c^2MaAi@t4Z
z)@=>e<Y_f{e^bu2*b%dPS@-X#fxUWRnU9z6d&xf$RKIfhGxx4~=sj>rOUzovk@8E*
z5Lp+?+x+86<a3()Yngm*utIL5a^Vl6a=r52eS_svJ^jplR^*qgQC1K6?Yo4W2G^gI
z4_AIkn%*Ciw_K{ePwjHes+#s^$e1<sZD~y<9h-b*N+zFfl-86b-|T8i$CUnjJ!^NY
z{gQe`_))&tnb6g3=%oe3tPDSoCA^GbNk5~VXFt1od~wMw$?V+a51+WQ;z-ZWvt{Su
z>y&M&tTl;NjqB#9CUl&gL=X+@L%G2h{e^I%!>lH*tYfZEWObAS(tKGpq^*ROljnLR
zW^|Xqn%pxXvTeD2W44dlJ5_Uu9pt?dzl<$$$(Vb`XPNl_rM8@Ybl2|?UW<PrwXVBA
zF_&t1B%ZXj@Xjc9Bx{p>z2V;@*KEwRyEw+0Y~Pyg=*Tm}KQQz109>{p9HDu6ohM66
zd_GQVekQ*50r=tjE_~0PMYX>~+$p@n{BWAw<GUW(7JkNRFZx+7SEglC6f_IreHnR3
zJ1XCuUY8ZE25aqGa19AW&IM8?dw#|JpL~O|lyB42aK)i=^{^Vk*6bW>_3e00jZdmM
z_AY$BX1;cja^jVqwMrZ!GowA!tk=OOa?0MY_ec7pJTnv7e3#65MA9|tB}hT$Z+6fZ
zF>fLqo12R`FY%0jwqO2`ad`4XTAO6gD!qd2HDOe#ElP6xQNA&lj2U*{LutC?Gw1Sh
z?(`;ZM^QdD(!bCe;bPG)y}UWsG}7%-_QxcnX`)23Mfd7xiuwp~Pv?ZOLVETg@y%~i
zQ=Fa>Ka~(`FmH}R=H@HA<|6+L*31!^F!^oK3`3H3xICPR&TVv@6qUf#OuS^~I|(g5
zl#7&Pbd^L#IGJ~U1&Q@B`%R)ZOP5mkD!=qy60xe8cWyEjF3j*r^3=GDQfZAirSm}^
zGDa`Ha3CC~tE_Qe(i~0h(tUQ-98|e4VCI>fJ#uj_A<;NQH_2J8Onjn{xwtF8+>ll8
zC}Y}NJlj~w`MH3*?W*g>v)`Gtb9qKn^2lTQos*d>_>(U^(9$cJ5z^HuLZwS1D|}97
zXtz;+R8E_fuNr;RR}HeSc8}p*s&G~;)4t4ppG;X*Pc_}%BQI?M)k9Txp;RJ1rvz1+
z6_FQqb|GQX^9)s<Tbz?hQTAPu3+g?ok!aq+B=dpUp?7W1ry1=!Mz*hLtGln|@B>2W
z9AtJ}vCHg>n%k;sV{u52c9pKP#FkxBNvqTFP2*T<P{Oi8mbA*aq_QPpb~@QHBRhP5
zQ*4tnWbE6GbxYwv<-_=d#V%&kIANK-=rPwsH|bhS`-vrdBXe6V*DoS>>!5kkLn4)A
zU+>&#@2|#OLTg<Lk1f@i_l<<u1eay>!P02%Je+~++sv3RhL-Wf<(Sl<rtyT<Wjeo{
z6wvV&e$Ao~VAI{t>QSa`)8VC@k``N6zbbx+>7V6W-P(*f`ux{E`JJn}#yW5xBfnZ*
zxm=Jf338%$%DJn4!<UYCb)|VX&CQg5S{vXyYo*!wt${;!Ay1>06ie#Qc9oNVw;ye1
zP3|-EON@l)bHjf9JE_s6JdyVs(;TUDWI0+JA;mX~2c&O|d-F_A(4KLt?k*t+A4{A}
z_{2sXNxVqnRZA70rAbKaS$vXl&9XI*wel5&l~mJfs#3a9-gsUfJv=Low3Rw~F?|#5
zQI@=j-0-7az;TLsa-GDBLL_&4XeLs^(>HmMCkHx))X^03>Z>HZc=x*M&g7aO>#Q<X
zNOIQG^wk<)f}fmw{X`J|wP>5ML_>a32kI&{o^!?e3uTy<W>$#o-ACzXX898<?rCtW
z7xgyDDV+>o>FiaU<BV%gGI?%9x+j;UtopXhoXPjWxbkYnNrZ3Cq>gyja_UIdNeX#B
zBZBPyU0Z;R5;9j|#)@qp{l0bF<LR47J#tZJ@hGb1QlW-6YK^N#5q_MLvfj`J)2$~-
zH#Zc|NzUQaOV1rDFEGAMk65Bqvg$K8k$5zdI4aj|=N;l_CvOm^f{$D^xBkeV5Lx5M
zOlpa5%_cd|ytPOz_5;EDGN<}!A_tP*o^)mIHQBQuc4-mR0XCI*)M3>2_(q^S6W4fe
zMV8hnql_9Zo=kaW^>9_f?M~M5luX-f9?#pah!WA1quSyts&Ng|9%^^-=8K{@^2SnT
zx^6G$9g=pW<yd3A^O)QoED4#IHRpp-Z!8@sPuVxHigkOwF{nJ)kh@jP2cnrpSGZV1
zY!3g*yrF2b>#0k)K1l=V+);Py-inmlg!cDWB&CdJ<t%h8&%-w)wCZ-Twvmn<pCV4T
zgygYVW>QY1kfT#%>LzWIT@P88@R!_XQpob$y_K&}W&*`hbYsSabfY@jl<k&lPo!?-
zn#_&vK0itMBqrl&y@(m`CF{t(G&0EtXM}|0o_F3NvQK+pOublD5fhoU7T>LmXVA~N
z&neF+D6Scv7bko6;ZmwoPrbsLL(I|Q&oe6FopgVg#QYDNb>U3Dxyd`esO2PUNy~WO
zf6I=@=-uP8iQ1QzIpy^j<<~;|nfF|ulo5HYkp7F3lo6urgIvT8n%uHa0`H|s%CfUS
z`J#FfHH>z%0+Pc-qsempCalqWs#J(~XhwF*D3(q6pOW1o^M|OdYxHJ{iQbnbQ7N}{
zsl|0dD9xitvh+@A>N~SDrM8dG8;&RP)$MG(JuNMenOV6>G`7k_+Y#-9T2?8fv(+2m
zd8v8PXZXI3a+t{N^c&^PKwihFZ)F9UxCw7c8<W79em7s8<!TUB6W^1(#QB$Rlo!VH
zi=tD<qY8L5?vXW5Z}H}dMgjL`^RKSb#{Ez9Hli75iAC$ZeX8a%-@TTse92}nFOd)u
zHUIvLy-YM6joOAcled<BIQL5GFxT~)yOR=!)3T&S_*9ZQU*uVp*vaF2dX9X(*2;6a
zIn7@-*?L^I=9Wn_*Ty^(^WNe6`M5JTWd6IPW$Ub)w0hkeBP9qAB&{%(*Gbs?DOGpP
zZcpNy)JtN@)AGd1<CX~}Ek1L%Yg_mhwWPmfCZcAJ&aSm2)$B5rry_CUXH!bqZG%2g
zd4g5(-Cdb?&keaJvLZL;-rb2rfot-XCEwEA?Uiofaahue*ElmAoImwlCyj2M>31Rt
zd~L42EAiugpd!-vq7*YbXsbRU^2se>o+Dp3&wHU;eaMfm6Q<96#Npt+(L6mZi;+aH
zh*!8K4xk1pUys|vl*#h&ez;}@bG$kp;clJms$e$w4O;h5SrN~~g<m%${b43OX?1W{
zG;+x}i>-v7FH73wdM0-X7w2-G+~v9?;dgEFPVeb2tL);P#Ja;OUw)7zYa~^b2k{D6
z_&4s+6QerN+{g&?x45jzNXFXdF#Lkp($k3y<K5s4X_eZeXX-g)ll(+iMq5o>vdvts
zA;phs&J(pK<4Q)5XuPq8hg-7C>h;WclXT?EAndflU-o6am*FY=7|&&Ls%1l|>34N>
zov?QMC`egq>a9#l>Gu-8S(M~3?OMf>#MAYQG`GaLN#vmR7!tAOQi+n~E#Lp&C~uON
zj`l;uc~!ZS`24%fq`c!i#Qc-Z3E4T>UG2rG<kTB!)i{fkopxf+u2br7jkxFLG6{+M
zH&kX-`;6>7Bv0dHwqA^Tvt}xEMNWHVT2?vxW@10(SayfXe*BuQn%;`{TA5!y@Pu?P
z8PC6@?`wL>-nj32gi&*f;qBx-t)oyPX?u1Y<@zU77BRBoonpP39;`BwNVqNML{Fi_
zN@ROdNBPqv+?uG&BAyVwN%qlTgClFcqWPzq{d0XHj*Q%*JZ0)C(>~HG!v)L)F~>t5
zre>#;6(>g<Ql0%Nc<dD&d!|RNdMEQr(zm>tq?9ec^%*O)<~l|pkj0<y%bjn2E{aP@
zXZ7Kk^5MyAbobX6)K4OBvrf_{PyTvlR8GnV@lG&(FL^iig4NtEcK6iWn3=aCU455W
zUQi!dHI<f5)JdMbU~&0LoLJf<Z5$WIScz-Cyd@=A-7n#yn46W;tB2YH7xWIUJxwQy
zwFi&+rh;bIO`N8-lIrQx2juLrsvcr@E>R67{0`^G(xB$r*<Ff>KXbib==xS(IVYiZ
zHT#~VQq|1xW>uf)J|nMaqcYNbIa>}SoF)94J(drjQ8~L@Bo972B&{qd6s=wBSX0VJ
zMx7ZxSFQH5>T}w=;{E)2udS;*oBkkaaXJH6+qiolZg(ZW_bKPZ4D?R;J^%S8@vfmY
zXw0t-B6T8tC6iSA?(E3IFE00tFK#(|xRTjINhb-VEkSg1dKUO6?ap1E^dwe>lcO{k
z1E)j6f0;d5(T*(UiRFsM;gLPTbbp&Tq)km_O?GZbLH^gZhKn9Zc42LyAAB(mC8yZq
zU0K+kNFvgTICsF9UQg7fT|bep+lEh3zHhT$C+RF^L@w)kiy3(>!Cc1Jd_}Y$C~Mwf
zIWgG55KE<0{O!jYB}?+W-I;OE$6nR1f58JX3%S>MN@C{L#y5~JdUtvW=HsROgoom@
z+F7f<xTSe3^Tdn<%(!K2)JPT=Yud3+Bz6fG*Ou5;sz%F<OVZP@^1GR@y+y0OU*?R%
zwUtQP8I2`;GyDtp?=fE8#7eKMS^QP`#HhI#zsKOn&CK7()8al1n|u*Flgmc&KEnpg
z)hBx(BtrI;s?}Ogp+;%S6Et<nsS>BrqQo+JNGD#eHX2A$W{H`Oown5MlMYhNl2r!P
z{Hi)oy7H?*1|+LL5^LA|fq#Y{q}P<zk<qJ5t3EgHeFJ7o-a=kv;$?#IkBzlBF`uca
zm8|2)|0YJWIgBDBp4Xb{C&{KuY4<fnFBPsyvXV&ZES*5T^0uk;Txt?K+eDJ4%PiYH
zpPl@(;tqeWiFUomVd7PK^0zb-i}tgFu<?%L$URfT_(;FDMteS~seiHmU383Sye|JX
zEqzvWmrgX1SL$GgJTATRnM=nn=l`@P6JGZc(Z1JUdpjNJ|2a#v*F@!4UFHKz;HDDR
z*kuKjJr6SHDSZOv@Nf7!(zj8#B0u$8N%8lVl-p#UyEI3dd0Dcch_`(R{}TNlZ~psF
z?DUT8JkZjpfFC?ch?0?6S$g}1><!sW>)edaS4udM*)4Q$f_|gv+jy_sG*tt69j?vO
z3+9H5?nIU)He#)ZxR=pzB==Ry?6Rd-O_dbCp%wkADJS>Zy4R4yD(yJ&ufeP$r{(?P
zcf?kktD5A9HPzb0-McX83AzHEoJb|d^3Ct1(MV7=@NY!p%j7Owe~Da?dbQ-GOe(dp
z(L=l*-WvV|>5taKo1r^L7yPp&cRnlavp&}NaG)e~y+>ybm><Rbh?BVa`qw0SZ1SzN
zSdJ$vE~@d0d=M>;|BEKAJ@`I$mE^N-X$x|eYCUPz`W#i#9<!49Hm%<{4`<0w(Uj1@
zqU=Xf0Zk{Twf&pk*4wkyiRuMT9Y!<Qa*CC6UvUUezc(lUPpwzlojcxL*Kfrm_nnQN
z3WLj%R5b4HAd^NEPjo!WG->}0^*Nal!tRo*(Lbs&Qr0~>QA=cGyIS6nJ9%n6GRRIM
zDS>Ra+S;qfrTyjWa|%fjB5!$eP@AVo86qQOR1o(a+LvsRxQUjTD*>atAsKXbT;pRW
z2kBk>jPq+z>e*{XNlivA1)W63+kX))Hj#nxQ&qmz=DlhT6RsgunQw@`8pau9NxSAX
zlRe|fnx7l_P>(C}htXN2J>vhW>15_9WmZVqnzpxw@!968D>3@@b^6mMlQ*OneUf@b
z<4LaSe3<y;Gc%#%+L|mplI#?rcaw6~H<Wc6&aHrZa*?+z=~;8k4EGVfYKbzEsnsk%
z4arM-N&M<<4w;a{`KmqcWy_2*pedv|25CbX)_hexDU+L<n&Z{vQ?2v}h?GwEV3~Mn
zshe@C(MIc*?`0-$RVOW9s2kEx>lxW!%w)DF>&-*-c?}zV74=;>LnT(^x~G`Mmoc}H
zKk6~NCG2UMwF#g7Z9|@>+Mce1%Cm)*#%9!Jg!8h>pvEVZs81_Gug=5&>1fEmoY8`u
zx>9b-;ox-eU07%b(yAo4k29n5IHTh)!&AB20m)Zw@?KT@v&@`D-r%{8rMb6qS1mn}
zHZMm6(h94FsGdeX7d?{|&nPl({ZMzCvEz*NhALLwrM5`-M%*9X#r)+G=E7eIZ^ADB
zLn*z^8dCTo`%HAcXJ)zaraG_wu0HDx_@g8of}6~w>q)clTAf>8uKr7T;{8c%onOnT
z<HRS|WUXAzo~eG3@7$TDEajKxKKM$wq)n7gA`b}>bE>XA5To`NrIQYyD|NJWYOj=N
z2|Pze<C3E!4*xA%+h?i9vRy}tq!L}ooH%~;j#YKz+#K=TT0bp$Lav!VKDo%`Xj^WK
z+TF>>H0pE6abY4?nV;Iu+zbDZ6{V7vyrPl6nUxnW(&6N7Nr^r0l3s0|j8>yHpBq+E
zjyOS6B&ArcYU$}|m8AZ1Bktmk9La9*U3}X(ik!tOTk|ES+@m`ns@8SB(1~00B^dgz
zoZ6{UM*4l^DsD*vduT?_(b7wE98b^b>vHo_{Q>!Erh2HFU8=^9?%}39HC}Tn)qRvt
zlhb0H70iU7hO5m;i?4jSB?_gSrQEEtR$Ym;Bk|9qRXZDTlbqDp>*q~-ci)h1%=3ks
z*N~5<NgIv)sacWtN&ObZ_QE(7qu&LWyWL&=^vf7>vaXW8S@kNSlve#0C@JYEsoinW
z?jDGL`#2?1B-KLGiCL`n(np{fbiyz9%P+M^a5q8PRr8mpRJ)W{r1iAdcTCEnTDV;}
z^pn`+zgX6;H9dOONPA*7ocDrXAIgr;y~tnrVu`NG5@Lneqwl(NS83WLC7&Iyn!Qi*
zWs+DkgFEy(0^Kos+fKBcPNW^n_Q+Lqmgu6LmM3;KTjbo;>L%$g($A<>tpBP&UMSyE
z<&tu)dQn?kQ9lvctA?okebx9$+15UV-Gx-$2yV#i>)&+@I8?L_X{YpR8C?#$_RhlZ
zdv>vsPs~W7$V^Tqw(ugocTS3FU2ZRTTShG`t|L8Ntu2f1Pt~f0Wit2wwf7z1QB-Z)
zXJ*dqq>)Y%(i2L0GMgSchTeM#3R#i>fsjBFO6UX#AcA5+DN3^dN)?sfn-m2>M4Et7
zM5<I3<-gCfyJ3Uqi|_w_*Y$qa|L<IxoINvh=FFMrxu5&F&+P7hutXS9(eM6o>w=Fz
z&RCwv)oxke+uAEeR>Y4gWXUebr##IJokm!E7s8$LNbpR(vAs{_Oq-6R`+JJ)M!YwB
z&OhgJ;Jf(z@^R!uPyNnD(X_4g;9WVF6LxC7cC=z)WMskR99kUz^cOwpONeQ<(x>nB
zpRG0Hu+=6>%M#C936G#}P^QvTzY)^hkBWET-{~7h$r>drhyUX?pBg>IJ%a6#y(1D4
ztG1j#vEHMn_gAnknmY#8AZD7sYtn2@q`+8@LfcN}vc=DFkIm<^)Sj|h0O|={EOYnb
z(?L(XEG<|$R{2)+!-D-ll<Ron=n4O&EPE~D>DKZ?{zakON5wt1v_{DAl{k>R@`-ai
ztwDTt4ctP^dZJ%8X!_?Xd)m?eP8~GiHR8AmbF9}N?Y1x;q1{>MSZtcNMGKqiXDXV{
zXS*x<P$5d#ZnKvE9p6O`aTR*ZUijQ$(T??=Q(4SR{>d(A+{M0jR5II>0r$f4JT>mg
z(Wf0HTC{!PK5jC<xAq%H!s5`*9Vj*8)AYDv>nw`ZUTj-<)-ttYwYT!T=2?&a|NH$X
zM&KVK>pwZEfxh+isaX6s&HU5-|E8(`<R<u|u=^(>lg$~Pcrx4U88kO2;*R(`j=u_i
z`wzUw5yzf2w_`r1Ev}k-_C(v)!5&19|0O=zT!T#!N-%y`4BEW;8!+BNOAqlk-*R5@
z^g)Fu5Uf$e+QdK7$*l*K{|Dw^R@L@J*MjfxeEcN2?FiWJ`DD4GiY-RTnmr(TUKVJF
z`9#5S@ExBh<GVev-e_$FO7&U1|3rK?8~Aqyzr*w{6m$B1PkOfeGRFBSamIT5pZ|-`
zk6UJ?FVM_m8J$&NtgsOCcY~T|t&h_)>XyD>F8`SIJM^B?ss**h78)zG^_MR^6Ifvz
zev=UIEy@UO@ilKZ#{g?2sBp|v-#mdQ&7QiGCFi1T75njoO+Ec++gjL(=()J!YWOGq
z@Ivi9C`&$6qV4AT|HS%P$3pC9+4rwhwSU<i#9ZhiRu9J5K6#B#-bYvP(~G!|)$rsa
zo{+>S1e?c%dLuCC8JL{tR{2$eP2km%*5aAV3NITEG~dU^+r_h&wy%osga=X$u23)v
zJW=zkJ+p1}e^(huYJMj06YKcmZan~ooE6uBF*x-!94WsOmWzGzy`}o8|0;gBjM(L`
zK5cJ%_&+&=^*G$c%lP~ZzM0j+$txh@(={IC!`rRL+y1v;BR-#FTl-gKjNh8S+*Y1r
zmumojwd*s~i*fl^R%(3~$=sZIZ!0E>|MX}3-HQJ(K8xoO(TbVf<0OxDIrCksc<*3c
z52@Gxu4W~ktUQ5M@T)19XPaw2FYfbSd~(H#RMx?)*c)r@v;M~!pYkjj#Wulf%(G(u
z7P?a#SD^<vp&juVO+;AB=eb4*#KpV$_<L+U;u*s0u(X|+hdczk{Q=LSZA1-yzd6R|
z4)#9r4A)i8m?*O&W`;JdW7cyr&S1{7_M>!M@JzIiSrJjTxy$%90NY&fY3DR=r<{#)
z$EWS{v^uL*iT}2D(sI|I!TKw<`hR!#E4KCb@65fmGDeJ}=&Sf%I6F(<pSYsGZ|&dP
zYCZdtM_ak(ll9N`9-o5|^T<MDHUFkEEY0#V|Gu*2jV&(W2$4-2tUHP_>clfhus@8;
z&$f5hX0Hmx$NO0A0>={Wm}hNl&nQ~0aPYtNraV3#dVDzf0%oyr2JuOw3Q@(p*JCez
zeAKg+D$Z((qs%_|r{e_+GBcq+ZF<%UT*)SQ{eE*)v-M$Yv8a+2+rm8)5zzL$Hf8j5
z=d+ADp5xhRZrAFMIMRF{#rGsWFpr=0Zazzk6?<9!PWCt;6!ui-)P?w6&R0+`*r_KX
zUR$)z#UGW*5BPt+Abu4&9HW3yv%FBkz45`Ut6;>4Ox6wmPyQF96OPzg4WnY#vqeda
zPdL7(`5ykd!oK#yt3JcuPJGY88q{8Sv<><BTpV!<*|Ye3*WO3(*wn8_jqP6W4?0q4
z9Vc+q`bXm*6+9Y?eXb+co<}QRVIhzC@45@<q4*5G;4tD^&747S7t{()Y~{sxFKPw*
z#DA=>VEbPDFK5_heqpUQU*+R>Hb?%=C=e?Wj7U8FOy9eLwfU1dBFhokjhIIhd(bCf
z|GUQWKieDYv*iETR{tkkqx%C3fmN7e1HMPv`W@!NQt&4@6)|GEtH<fRh)?1evt5b1
zjZeE<>gXM9eSD;t0sTv+fNf@t)$%L|S*^K7{B8)n%zNOB;u~&-rHOB!5uYa$XA^6D
z0{^eiU~c1|tj(XR1`6O?JjK<UGZJJ~VxEh#dC?l_c8~q*GE~aF<TX2O&xH(G)LX}g
z-qF#Ij}+JQ7vqCIh`a+^afQOm%p*fJ=Cgnw(XYo-HewmC$LGiXmS1~A3s=z-`g^?n
ze^cpcJn+A-{}}Hhh%Ewp7vU)n^Di<i64ruR@mzrTvsj4PgTRu??~%A3Si@yY3pVwr
zv3X~?ZchKrYfDwde`dQPtNg*dMU?3rmhT)xSy&g<(iZXEb#Yjj<rywfNiXt!;nfci
zGj{<o{IJG%>zR8dEDg_k3BD_~3T5ctqX~F-4e|K;qY34$oGl-p*Q|Q<qt~EX9->ik
zweBbWm;3)Y+gj|4_hOs)|M*q$-Q)UyU9ue?^WL}zh?S3DmQg$YxW-y~oTXc9(67Uf
zR=`@LAFX&?XDwkw#MV1t=%*j`72|{b#T|Hv1+yQ7Dl5g_k3XG2-xIr6s1p@m<>T{&
zGDFWbi}9&YU-4bVmj3FUB`zR3SkGnN6ZiHp4vMXR!x5g=Hn^Mckn%Pv?qjZpEselF
z;$A}+vAiUvYe8Cw7OGX#s%v3dgcha6XtA16OVE<E6fI4wrPbByYtL!vT0^ao)<MhG
za<p8nzm})vYX#astxzl0hG@gI;o3-Tv^G{N)h1|V+GK5t_M$dbdr6zdBsLyTHU_Xj
z7Q}+_lu{^uU9B3cj^ED-12>Iekt_<n5yN8PB|0<W*V7VMB1@7gNzPKV)JSR~6-q@?
zu{2y-AT5;EOB<w((q?Ikv|ZXI?UwdPd!^5%ebRpEfOJs$Li$oVEFF=KOJ}6-q_fgF
z>Adv4^n-Lkx+Gneew40A*QHz1&(dw_j&xVLC*7AGNWVzGO25gK<q$baj+T?;OgUTb
zE%%l4<$-dMJXA3$S;~3kf^tc@tXx&DD|eJ%l!waiT;dAnT;&ejmq+p_o~F)I=c|j<
zch&dQ57fo#QuRZ1nYuz<rLNYTH6JYyBN3zpYgM%xTDTUeMQd@IuElGKTC$d^)zoTh
z^|S_BZ>^s;KpUhLX@j+)T8TD78>NlW#%bfViP|Kz(3i>hMOThlVFP~W(hjq24#*Up
z@T(rqcskXUx#78A4<JEhJd5lNmR|+GedotoVD_OO?!z*+oULG=u#@Z*yUXrLhosZe
zRaukWmC4FfWtuWwc~yB`nXSxI7AlLB50oX!QsqNst8z#=tbE6}@$GyE-^q9J-Fy$<
z%RlG)_<nwXALL)~FZm&Un198O@T2@|evE&^kMnQ&34W8`QeD(=wY}O^9jJ~|OVzpR
z8g+}hP2H~URClXi;+iC_DXql_$y!IP6aH7iHHxbU6n25LqFo%nN?n6-l$okE)|xP;
zHP_nXh^|@>=BQ<AS<GGQqxHd+%djUIW5F;MNf?zCSQ2o}r(juku_VE^oLMq#s|ibi
zZ56Xr*w#Xp2K!piYQny@vRcwkX)mh_+d9C~g<Y}6u&kr38LaC#Yk`sbj<tkkU0`is
zT~}CJ>8f;<b%bp_V4X0g8tV?Ls?45;WreU8U|Z3w2ka|}^@NROGGS-g%miEO&3eg0
z<)JJKBYcQuV-!!YVvJaOHVW4~kd4Num9jCyzSvk;*n6y0SQwiqY>Z8Ul`UgaU}-DZ
zi^AI2RE+Q%HVtFEjZN1AF=8*%`1YiAGpsd?i5EOi$9?;nEK|}tquvpoDrUQ|1!J=r
z9=2DmY}wug+bdyI4X`*IEghFN^miAm0BxYJ5>tR7Kn|2%#u>a>0!DVQG(;LI4U<aH
zn($cRou|ckVYJFUP;MYMl$*+J<#uv=xue`kenIXb=g0%(!SXP9y}Uu*C~uNC%Uk5F
z@;1dmaa5d?N{X}Mu4KY$Um|OLPg$XCQno4El^x0#$`R$Pa!$FZ{02{b#GSbx_ve8;
zl!ue2M)Mfng16+Ycx&E<x8?14d)|R}<R;#WXYp*F!+Y~Syf4q?{dgIl%-`g*_#FN=
z|A;T=EBRsElTGSo*zi_$hk983O8r{>PQ9VtRBx%b)qCm#^;h*bgT2AQ;An6%R5Cal
zTnw%TH-oz&!0^7|1H)p&QZdr7qN_@OWwbIz8LNy_N|o`-1Z5(&NW3=Is`7?1Q@Nqs
zR3GA96^xl>wB!PK<59Yf_UPjXK8nAJzRgn~;4JP2FN3$Ciow?qfIAh8zd-mvFc3F@
z)sUcxNd8hy$y3<9lpr;eT1$yiTd4!;I!SA#x`eI^=}x^%=(+^xx>x!T*m^+vh_H1T
z?%y$KCGho}w1%*Ct#lFhb3N|pPeA5tK-kT|*jv(8VC)@f8{zAA882z4tjdYfE;&U`
zk?z8F_Dc8oKGk3PLyc5p<#wvB&XPN;bJTa_t=b#f8}d$JZE`(1A3q~BQ0c{VC0ogs
zsw(+PzElm~utBPB_|b4hdJg;f0Kuj+rp!=YXPWY+@-cH%K2g@OaAl*ilf@`|l)Wrj
z*{|$psj!bPS(@^da)i}VzE+O0I?A`oWmZr5Nx9D2D7UyH>%d*P2g~PPJdhRg5FW}#
z@anue8wCrBV5507k7Hwb0<Xm;s2kPq;cFMv`|J~O=h<HMcZ0_Ep-+x{Fdq(SY9t@Y
z416@7#x(v4pTWFgQE##;u&P<i7nU`L`SB0<N6a7gwVZ{*##XYbnw{ndPn4Mh;fe%X
z>Cfz8FQZ`_W0WyWhTV*14zQhZ%ntTbit8S)jAtBnG=UkEiLfRG$5#WAip35Khv&Lt
z?T&@RHiEH72o?!ZITZUwVo?x{qp=pORYg2D!sFwyXu!@yw9$@r!m)X*80)!+C0z25
zVwfVuN=ZzXOww?aUzA>9s<c@8kZG`+kC`2Oe<$j9OS`fDLOO)?VIZm<V)I3mVJ}P-
zHo_#>hyiO&_FxXc&qSukb>+J7if{S1%wBy-eT~^`uWN6h&oXRVW?b$i_hPb~C+A_`
zLb(t%gXO`rox_J_G6{ZkgDJ{Q1)pA3AHt(#EHx0-&ogJ`d*yrVaZy1(5aTal<Zdaq
zFp77SJ1E~*?qmHxd4SRVMfn9I{j2gTYJOLKXR;Vp+*5@s%oR*PWe(iHHQZ|l?trx;
zEXf6ygc0Z7+?(0)D!dA_2Vd~TRzL2?RI)0KN5HBK!lzLa!x6h+TZzn>C-EfIr}8wc
zYr@*>)GyR8n3H-$J;EH-W9l)K&!}gxzN}ux`kH!;RZ{P&cTxTgw&;lK^Z|0*1zz8i
z?lEsLp8KeIfEdN)0=WS8b4WP^TRN&7#TZBONahJH6U8b66WcR4AWUCe+Xy}aJs8DD
z!KPp3ui_fs=5I3(K9A31DiH4hQ-D6M%pC~i&g_6fUd#zd<jq`wMpalPAd)Y01_B1a
zj%2AG-GS#Ze4Gs+%N&5dI<g|N&jDng0}%f`*$dzRm02xBD=&N_nKzcYU^PChKA24v
z))VZ;mpuoD<Hs@)yZpg&gjMH}Rre>WPK5_l!*`ig$5N9lJdZ3qk1TvJIH%5rke$~d
zJFf?(kidG7wKo8JNMa={84T)q)&@%o+5Z664ND4n!2mW4OB$PqrHDLY0NccNpy#`Q
z0=3wFb`Cv1&n}?P7uhxR_B#6+y}gYkh1f_jdmy>8e&k1a<VUGeEvYdpl$uIS!A68n
z<&jSfmS#vFup#7G^~kdt0EO4G5+LtJ?72zWgrhb~o3W4ZxIFT>JTT*f*ed)kkNmCy
zQ2Yq?0ZYdEoOBLbg(v1oH>8^=3x6Ce@Ecpfk68)%W`FX{{^XT;<dyw_&h=Oa`8oMH
z))_IpAvjNCxiQO?o5{^k-%@VLGUQfrE7Y`=+p=zm@a<R<qI`Rnj7Z-RObH9?DtD2)
zutA9WJy4%1XMz_AukI!Hll!qQ<l9+b<oPUH9wZOKTKIX6Tr3x(EWEuV7}PM7N5~_v
z9x0DR3*+Q*C{K_lU_D8G1?|s}Uq!FLB5;-i@&S|&%12RuNxscYinkKTvK6CJ3+viS
z6V!B6dZKJndSN|Tnao;(ZM?)h!IP)6c8E1IfFf@yz;bZr*{rYfw(>UC?<nuE1hA5M
zEKr%R%x7N80%ZXr%OYhFb5q_|-pAG@$`Ty=q4FWCsw`KQqh_VD634DmR<TxyT%WLk
z%BRYwXnC!&7F#zdo6y=8WeaNyKE4%uZd0}~qp}mxtsSD<9<(N+TY~Z>qFY}?x36%<
zBZzTs$}z;ac8GD`qW@=<@30l@2(1bH>rMFQto)!{V7`Qc?u3GUknLP%VTg%8v1%gk
z!B&Bb-pbF)ZIlH%_EGLCcTpA?*@rOFpD;3!FtQKW*Ke#f7}!JXBk<Bi`9pbxh$m3f
zANiAvvI6X^j68~?ED$t=5VQ}s=k}-(INFCh@k*?KyKom4PiX4R-MAaJdLTyoB1U^*
zE$}sw`*0tW1<D2y%Jw0Y)xrM!Q6GqC9)@Th!m5D_hN4EqbbrM3aFhiG_aO|{5#OU(
zYeHfd9*0;TMtIzt@VF08;VIZ(pmHBV<wV5!A;82EUV^oV_6~^lV^}3VmX8Huj^pE)
z6EEeZD39mkQJ%mjV$U*O#)k1pd=iTQ%bbkz6g~yz7r_*U5>pt;7xTqvZ7Kf{>#ck%
z*vK}%4M@F%??9B;!}nmlkMCo#VBue)e3&1``UpS56l7xfhCXCtUn8m<<HvyD-|%k`
zua0x%FBDJhkfEJGesz-HM4R{cuS{0m)GAm<s*x;KZJ=hL+)K@6irQZti0C;;odm?6
ztWISb#bP`4b@eS42R1g3wMXvzE^Ds7ufEUn)g|f@)QH?9A6dyN)>K`su4c_BH)*1-
zRo9}tPF;t6HmVz0BsldJ<_Au_m3dI+;)e`zI|~QL-odJiToGIMsC$@?x>x-i<$dZt
z7On1A51@QdJ&3Z1jRESH$SGsgL+T+G1$KUzH3UQd3j2td>8c)8zeZU^&H(ir^*GAk
zs^6mh6Y2?+PpT(bsCr60jk1WV0busup?p?7i}uf{=UBRW9(>OaeD4BltX@<vqCc0^
zOQ;bMI6(bTy@K*j>QCsyRrM;$A|?l`*VXH2;f8vHHA1Fv6ZJo<KjZ3dtG99XJL(<O
zh`1eq3<6r9dLMi;8hr9s^j}1BSMZkKQU8bf2abBAK4Osu$sjR5gJMvy<_48T8w_Bc
zG2p~Mvd-X-cF2nDHT=S{<_Iq7NUW(pli3#hiABL8oRK3Yt60E6usGnI#wt-%_JF=%
zkI3tQ#fKuaFSG_HWD}LJgp%gqMKL=9*|r;$9KkFjkac^oSc>09ir+~TziZjV?*<gV
z8&dpkLh-vfS`C0E6o^Gd3=c*R1UGf0DDH+FMl3b3_+hUwY!~WLRYdeCyc3)?4OxE-
z{>New>@^N?TtxRYite>-qWg0c-5XJKZ%WZ!hC<RBSJ{TO#drvgtFg|A@ewS8^+&zn
zyB=&X8;UCt@!k`xU;@TOM15aY#wMfhQ?P`x7qJAfshGVFWi!|u>^~Q}O9Ygc<!EOG
zTZ1e31WN?_lx;*$1y?Y#omgCnF(iR8oCI$;1>TTKyrBW{h9<-tniFq`V0W;@3k?VD
z+{fYrMZ*<*+D&q2VPF#8;NL#T_yUpf#h_lWb2lkjs>!O7>XC-*uO;)7T1l-~F!I3G
z*b|u`%AKT4>|>G&(N2+6gky`P5>^fR+i=v3kjAlSsZ^TG;-o3k6y{94Bmul+0o0R)
zU?<5o?4%K~lcuDqgh9F6fR+V2v4eiM4XtgLwxgfBq+KYB+#pTln<yjS#QIAKc^WjT
zL)b@T3yp}iq)A7muhGsi=@_;O29qX~KGb|KeUI`F(hoTHBG^nA^3qGFL1v0RUz4t(
zd|kSZo(q1HK>Q|*_)SydH;%+_5-9iZmOW+sE;(_XG?B5gKnwD2=i7m;0)GwA!gjK7
zXdt_Q=DYcBAiF?hcW7gK5!D1PSAjydA2H?tKY-W<r401~sl%a{9b%D$*WplnzG5+i
z+B%_jBB6FoLhU+)+Vu&w(+Ra36KXfJp!O|(8)v`6@1j=%!43R34vgTBR9ECn0?pl3
zU)7&gCQPrQMyWB(UyW5`SqL)jB&?Iw`q<h)Z3|>+r?$gU?bR+orLI8#aJ9Q?0+xvw
zpsW4Ve$0g;K_Vi-I93zN)FhUoig-|86}eesiU-ZqS?VktJ4c<1_1o$@tg^`H;j=RP
zjIgH`;f^1nj2|IOG~tLJA&4JgM+{+yOxO`f*rCAVd~l@T{#6M(RKku};{LF9oIxkl
zs6wa_N8G<5asL#;i#n76=)jC9R)<hSC)B7zsNqkj0aYAJBB4eQp++#}1fhf))d)3`
z2sLUEYCK1H;YS$ZM~Dy&pZ^3s6TTfoUM*7|5J>*a$)8p7=UC$YKJZ&NR-ZBeoqRP8
znoLd9h&-Snd2AiZ22!M!@Y_1@(w<n0%s?lftV2HOPu?g|mXJt(7))70HS)tG^1wQj
zE2L1a(2%?_5#G23t%;05CqLAotM5UL$Qx29Z_vpDtC0sLlJC`lCUqM72oFqz2cAXw
z9Q-gvXznPBd_srsT|rqWqjkvl{3*joArF+u0~0Aftw;H3Bza>Jd1Dpw#wz5EwaE{4
z$~meiIZ6&|M4Zc=59Py<r3&Wd&WA&7Nh?=d#;_X1zp4}e(zxJX)ro&;#J}8$f5j93
zN+$jlPy8#H_?MCRmyxnv5B?T^i>30}d^Xl|`CP0;{#%ps-!Q&_FF<bp0sjDJ7ktgY
zm+&Ph3)W`f%lI<vzk;v8dKF)V^;*6b{<)5?1J~OMPS=o-#UASVc9u@a;tOQijj})!
zUqX{~LK6p|$rq>>2;xf!l1>QXO9+xq2ogXD;z$VML<mxe5F~^U#F-Gpg%HG*5X7Df
z1ZlwU0zuLVL41KAzoRS=B%Kh%mk=bK5X1opl8AbN8tKFkeF-Dd2_pgs9UO@#IuR~}
z5H7e7F1V_*)!8^|E)XHzP}xwKd6G&XG|MWiGN}Y!q!L6Kf($_{!4P5yVRebiR3|Q@
z5tpe>Tn0Rq4WtZImg~#)p&&Jo8!&guMjhpJIh{FEPMRt=k{huo%1o=uP2?shH<g<L
z-9?rv%gyB$s1dnp66LB@<<@d*)U=V?uwcqt!zpi#rMxv>?jUzy{*=AiQT7@rca}Rd
zU&>)+xvSh2=j|qUM+?u(&$FsR&1Ug(PZ?^3Y?4h-sYGt;Drd=A%${ZeoS=5+ASV@b
z0WNYMxetrO3{+p{A?M1u%#*TUZ@ItRA2mYf@_{x!fF)2y9D;eOfh>gb;u@3}M`PZq
zi0PCahfsEGkcY@aP$Om;LZGP+W7Xvnxdc5KE)U1KMAjT4kCI0*Cwa6y8hscekHxt}
z1|1@o%HwgY$fHB#iSk6$m&s+QnS^XwmS2-+<9g@FD{;N6<h8iob@Dol+j?Z#@$z<g
zKd$<Kd=W?8k$*$`4;2G4K~3>u9>};cBdCNZz+1|@LzJdU2W%C2cL>z|Oyt@o#e{M%
zr5B43`Y*Ck=)cGjM8+Xu#%(^bk_GAl=B6%G7cvLTk1T=)CNhx}%*4Hi%tGWNp_noG
z0OiH%V#GR;n@BW!5~+Tqe#8<fPYG3*tIM&Em`MpzSE?&n7-cRol(`tykJXRCz{T8(
zrhcM+0<Qk4iVR)-O#KW;iHydGjAjFvxnSUqhAW0Eh*2_om25PT?6MkJWDT-KU$VbM
zvb^WW@_fnK8j!U)lC}BC!rHva+Puixe8}4BlC?D?#l%m}lrveFENm;>qJ|3FiXhvH
zB-=_Q+lnIFQpvWW$+n`%wyKkD)v;)(!nRV#wqi*mG+S6GSy(Jt7$*yhBMXZq3zNvg
z;z)&wg>4OoHwvqYB`qe5Y%7v%D+;zXhDFO`VPQ#RVX<Ukab#h!WMN5UVR59|G$hp~
zkyIN$Qf(4RwP`4yk<YNYq}_y(ZAFr8MZvc0ShQlV*s~<e7CE5o2y06seJ554g3X1J
z&Bc+;#gf(&MwS;vmKRHw7e%^HtdgZ<VTM3hUK&N77_z@;ia#zCf1D})xKR8tQvC6!
z{6CQ5PXNUqSBgIY6n|VP{<zr0p9GuulR)uDr}(2&{BfiBQ=8&XZHhm&DgHE~_!CU=
zCy3&Yk>Za(#UCTZAAgEJwJHA8rub8v;!iU9j{*L(fYl?<sY#wwk36Rmc}_j@oGLWe
zSdV<hKt5BCe5OA6OcnUd3bY`+C7ry*fxN|uyv5GOTkOeOYLU0pBX4n{{NJFiSJ$J3
z4e*>=6cgMjCRC=F;6X9LlVU<uiUy6zyQ-0QnIl60MFv-j3}W7E8EJL0GDUe2_iU;%
z6-Xm=I~_CJ)1asc^)7_eyEM#qzs4dl=lwcr-c)9xER?)z${b}5%5#;utP-huuB7V4
zkgAtVs-7dMdR~|*Ux=0$Deq$c_muZg77AY&X3v2)%3@_P%9uw-n?mi2R6bIcp$|gy
zGhohg1^OnGKUY%z?3LA+xr!wHFA)0QXE@fZ|E<GZRtV;@pp=jnn5=A8Hlr*Q!CIsU
zRwG5wU(A4_O`!{hkS>^}?8V$y2&sc1nEUzyJro+DD`|vYq!H?v2m2bW38gTEltNiK
zp`1iNPbsI+^V7;{Y!%vJHPQ}~Ni|fU8veji@NC2dsElF;C6=^9Z_*BfNIOh{c6bf5
zaMz(A20=l*jk3@VLrFUfSMDkIP!<ZJGbxBsHVR@WDTtn=AjU#LL{_6bf`S;!kph6r
zNn8StlA$A37tdl~=1eGv;iMpXb32atF47U*NJn(0`4|lfq8s*i=kCl%3Stl`h~YL0
zVmK*?)k#4NB?ZwJ3St0wrce-rNI^^?1u=*e#2``-V@W}DChgFZw8L1A1!oZoVh~T{
zNtpRd=E>-%P!PjOK@2r3h@^o@D(010DrT0qAZObOB`l7VFdtIFf=LNWg%Y-lMc~Pa
z-B6YGKnaT=C9Eoxu>B|>P!C}4N9bWLq=!Y59+pIUm;>oyl}QhagC2Gi`+u!|jk5?n
ztOoS3Z%}g_s#p!EVkcNt(!(N15Az{COeH<co%Apl(!=aX4~rl@EC71gB^)c1uy`n8
zKca_Mpoc|}9+pIUSOn=|HAxSvN_v=|m^sJw3Oy{C^srRuVRum$N?05zVJ@VERVF1Y
zPW>H9SOh6y!K8#qkgX)<V~`Cpt4exU1nFT_Ne>gVlH!>WndQQ4I5Ipj6B<W3XMf5$
z<0$8hqii#tvdu)wHd83itce)ziy0g-$7G&YilMA>Amxf;e$<GJP|S_iqMR_7vcWjY
z2ID9j>`&QX9OZ%Wlm{kK23VUiz&y(F22$o`q-?Dg<z@pZ<EllOl94i^7|MuZC?o1e
zxljy6q+Wz~U4eH~SpgwkAR%1=Azd3ny4K>!9&8n}71fltfOG|fbP+(hxhRX7iwMFv
zg)puqVO%I-Tn)mw0-C?@SKbB26%fWLz_`UIi@A)}cv5I7$^zqB5ylk|#wmnx1%z=C
zgmIk+;|d7lTF@LvHRUrPT>&ATq6nlbAfziGq-#k?S3pP?MMxJxNGAd5wqs9$bZrRf
zS`*S05Yj1xbOnTT5j4lyj_|Gq;hjI`JHN)U0`J-o-gO1uonZOONuXW<;avgYT?FA>
zOPVY3CDdz1b0wLCcL9WV8H9HYl^>NKStCNdXqqv}q#2W{G-HxUsFy*gmr1DClTa^%
zP){b*i==sz3_`u?gnF4YZ{kPuCYgkKGR>Q0(!5Cs&6{Kr>ZKFvWf1B$C)CR%)XN~$
z3!*ucJ~W5YnC4Kb(i}=A;b3#Z!A!!zOv1rPnn}qd9OQ(98H9sjG?S9a1AvA-2n`z&
z8b%WuW)d38goc@fh8Z-U5=NL<oiNdl(6AxRr})x*N(N!#^Mr|+gozo1iIK#xJcwbr
z6T|W#hLuGOOC^R?j~G^6Vps-ZSapeE8Hizd5X0&~8Gc)0SRE+CZ%YiTJu$5I#IPz8
z!|Fl|s|zu#F2u096T_-c3`--1l|>9oC5Dwn3`-@3)rA;V7h+glh+#FL4F5UG@CQ<c
zpUs787)x1wES{VCoDHI^K8N!8SjyyMZB)SCl*1=b4xdapd@AMeX_UR!q3k`IGWJ-?
z(qq*?HG&PIEIo%Z^H_^+C+2Q?Q%;^hIe98&<8>(N*dgj{VJ3<<4is-p6mL3HylF}^
zFD9CKaiW<Q6UCcwnt3r%qzR`;<4TdH2}K%5iZqod(wJ!G#hzwfOcZHcY39X5GcQeP
z=EX#jrW-{X6Ga+ViZmvQG~pC!f+^CNDAKsl%!?DvyqGB7xYEpvi6TuCiZmvQG;S1W
z!YR@?)69#BB28zCG)-yd#Y8hNt`u)f6mP=mnFddaI+ZBu*wg%riK0$tiaK^;vV;ww
zSr`*V9TP>JaEdxjh{=klvAh|y4X7L5#AJPl$#x`l;|1cgeM#M@OB~if9JVg08{!E@
zAMyd2d_W=}kjV!)`G7_~;6OfLM?PRrK43>aU{5|ElMkrm0|xQ|m3+WJKA?~fC}i0j
zmc0bCgG>2R@TL!;U1`)aJL;J|^~?^jv=PP9@f1HDNvF+tO5_weZB2@w&r|$#qxks(
z>9nP!(?Wm7GJ$m3iKNgvkU~416xvwmvr%k1DYUWBP-9RQ^Ezb|b;WbSBI=6gl2S>V
z?QV&{;(3jiDGrY(ZFU?*U`JA7Gb%)2@kB;Vio<RchhHEiwv?1uS5jhQNr|0EN~|ks
zu+vF{bs!CPI%%-eNrR0g4R$(duw@j<by8nbE%97DqwzASuhU6=bs)ucIw`KPq`1bC
z;yRraR|isDV=eJt%yUd9t#vx7tkX$lbs&{>I;pI&q_R#Ym32C)tYxIKIuLizNnh<j
z%IeF+BPI}!m_V9pEb)j5q)-ecg`yKF6x~Rh7)shiS5hUqkSY;Hs)P%v64gnS5YKCN
zVl_yW=uE1_5NKc-tT(A&*-*b;U}H$9a3KvWi`0s$q*e?gwIY+0uo6-$Mvz)DmQ)E7
z=@Gq1i3lSlVt_2PuF<4Kgpm>vK^jCDX%HPqeF!7nA&hi~s-!!NAeAAE^o20e6o!zd
zFcjL=O!RY({0`Rd$&0aGC9lELB0|CH4Fzi>dM=(8ae<Dti)E4eFqG7XA@VW#8|))A
zh|cnN@>y&ZPmxq5C1M0=4Pm4;j3$*Kj8ulIq%VY#vJghBt(f?lLQKt`m|9!nXwJmN
zf{2T0#KpXci?tvY=0*G~h?rMf;#{qXZ3Pj-YD(P7K-|iiSXB@)DUCQ(D6uDB;!XC%
zo7xg%3L=)&pIA~0Vo6@akL-yb6%#+2O!?px;zSy8q9S5L(})d8#D@Hc4Yea4)P{J_
zG~z*(hzCt09^^+nXc{pfKVm=u#DIc{0r?RFYEBGj8ZjVGVnEY~0R<2Pnnnz$88M(~
z#DH261M(vV<U|Z;8ZjV0VnBn5`>4cyDiQaYM%>4VxX(1=KGTT%1QYj}M%>4axDTGx
z!?Sum#C@g__nAuEryX&hHpG3V5%&oo?lX<Jj~{U#AL2gEiTijG_i0Dmr--<ZAF-Zk
z#CrUQ^#tR&<d)Fh#nX3<@jP-b_8dKf*9gxd_k&6=o-~<6kzf)%mG>e&mG_bj8>&N*
zpe{v%Iur@&QY4r}EXJLfNDMKNIAS7k#6boT2Z<vN5=R^)m*x?Sf8ro%#6b#a9-%fd
zk$%KPVu*>v5fh0c4l;;1NE~sHT$&d!+HjCGnir@|Or#&FQPoI?8cqsSU(%k!Np-45
zdQ%_Lo5D$H$|0pGl9Z-sQkq7Q(ln4XrjevBMU%QzjdZ1v#B@A}<H*Er+7pZMC;sA3
z{3Ve1OH1M}ocK#VF_+53Sptcb1QH+dCqB}Xm`DM!k3ixbEs1f25aaMC#!-d1MtkBH
zfy6BQiCN?kv&biAQJFYJd*T!x#31~MLA1mZ<PNMMo*=Kp>f;%57uJN7uTG?VnV;{d
zL$SFo#pXK18YVD_nZNIV<LL}JH#?`GuwXzw;|&|P?8tnxN(%FsZ=b@P{>(SeRGg34
z3=)Hvgs5(ZCp)A^;&TAzmxPii<FAVN?`f{~`9&}FxofbGENfbJzmlZM^Gkg$qUyXX
zNk&KA-k?S~E3&W3bd$j$$^ez7G)0#9{0@3MJ=&(me_`NQe<apoX~TN4B36K;IR_6~
z<gmJ8(L-z+<DRel;N7=Z{IIS^_uM$%=z#I3Ro}mHaek@Ca=lc!j=wJR6<LyH*U_*2
z^xMeYt-D=mF?;Ay!^2v7rSh&yDmpc8Ds@un#0?&DMgwDI-NS%4b{<Y$a*B#`3iE^0
zO#^d`p1QlJ);t^=4le9v${&)OmzQI7L2IaW@Gx}jYZ_XdV+_#o1WqUJ=;3Lu2u{x_
zEY9tnn`J7_Eyy<p=>cN1;^Af4+%b0m&SDxcFgL$XaC!qh(7Tc`-WVTm)ajMsT`68S
z#wY0U2}x;5X&HJCo6dIXU_G6Khi8Y90jB)ooUGvVg2I6Xh33=gdaU_$Vda~}34=RW
z&)6ZSa7b=eP7zKW9249mUN4nGZ3jqFnNljbFw{H9rIN%}ee`j&jxFBwcXv2my<|pc
zm&k%sYisOGFY3R2OKjVW-#oVunVv3HPhYd(e4{&;KO3>5_(144YhGva{Z`kutof{A
zwf+ZtHmY^F;TP%dMc$=TbJs-epB4B~p<j(wgMwBWPyg1=BzJg!>D^}0>aa%d#ZCF*
z(yU8=ymY=xy*j&JJ=Ofdh=d<X9Dchwcyfcek9H~TW-a|DZ{BOUlX4=)Pu!mAxpVL5
zwLDL39d|RRQt_ErLqFVi|F`0iVHfW=_Z#!Uj(1{~zj)>Si%Y}2Mw#xvHOOt_`L+vM
zTzKKv3(g-z&s&-keB}7d%X>$@*ScxLM^(-@)LwP`rtgHYFZ3Ih-RNLu<Ix?rd5qju
za_jSLgJcChuxQ+``ndaaD+8PnDm;76zMKF2fdj>}kDeZNqu$A@Eyu>5*5eI!uy$3|
zB#GD1tLdTE_qtT()wj5KV9mI=f~=x}vBhLMu~`KJ$i@OZB<T^i(+&71<Jp6HxP<{h
zJXKHD6X(az*UMrp2WJ)L*&G{ZwkTVJN^cO0eaM~zs&gmZ!P*1GPInfqx`;Dz_=!Oe
z7w_G8h#vGVY}i;u_cmLOt7wqyB_>`^OpP(xng{$x88?n8_H$k?xiO}jzVt@lPk#O0
zK43$eQo{==J>PFX&uiKh|5xoB=HDIgQ`eFD<zI5ARV{LKFKDu4d79gU$W?Pz`tF$i
zQ@5FH*%wZ&Rv$9HZ})uU@Q3Gz2Xtw<ILGJ5lKQ=>&&=PmC#B!`5WDFOuAKh1OTB=h
z%_c>98G5{*+Aq|7QM)SRM}Ml9@<s6YsTPlS{_;-h-aob^<@4kH-tzNp`$Uib$9>4`
z!@4oGf)B^1S$(+IKl0&37!pB7)W7oK4!M2ua|(qYC;m%6UYO;W)^P2Hsvk6Lw!!()
zf}19X4zI0z>*TU%m*%_jAC=Ya(8;Cp7rb87?@MOR{C2ac#IgJ5Ez5>nIGf%g^o{G=
zqtds{JKlHA^!jbCPfT6swyWyT*<Ei|jxT84Wx?{v@5<jq1|Dp2?sV4I-c#bcuk0}^
zWAWSJZJoWZ&pc_W)u>&-m+qY%Uv2X6!{zsS*J<+6z`{$fUg~+!b=}VK*{@gGRDJBZ
z%U^}QcWAvle8JGyy65b;?p?gGL0RM}yOuA#`qGS;cZN0$>U(T)@z9gb-Q%Zro|>@f
z+pN9K-mbZ8*OdgvuWl{!yEAq3w;y+zTI&q|V0h^2YRhBy4BWN3_4pcgzd3GN(q@+3
zIoI&Qr3cM^Tq<?JNOjPigz=Nx$(VZf67Q-D*Z3Qk(Z=dUR(FDf_tA6oNb7qzc%a2c
zi;H5&$A=ch7FiIQ96hCcU%4#m@xG>9Q|uGF#uXP8#blXc`oza(<rM0*MdyNelAfR&
z=f};Du{~M<!rvSXD0o&ckGBE0#=CPDIXCwV{JQ0d_F3NbdL(bGbWsly-Kffabg!{b
zN56_u7C}T}!)mRW5y@KKe7TpNGHlU=Fs;C6^_l9Y<{y1sSz6Y*`n=io75~#;d|$FZ
zq_5$`r}1kBY`GI%BP-#DX4wNOUEI;f`M&yYQr^fZUb}x>{oU#xPY3TF<Z|$h;!~eK
ze`ZrkQ2MZo!#+6}&Vv^%z13pp<cJy0V-LGMJpKHT{5CzD8#Qi_Uuor))Y+?Qp0FR}
z`p~~*&Daqi<=**y?x#*(QMbl)x34p&`+2W@9^(eE*wjjkBVLX^xB5=T5@|){xzTaW
z{7!~$*zw1(*W2wVTU9#wg`0KOv|CV;5EVOO-Kk)Ek3m26tJ3|;%kSx3qNg;gx9-a^
zpKqxf+Bd7i>`l4FAMFaLJ?7Q3J2v_s=Y#c9wI86Wy#=Q7y4_fEj-7M<-mw1Vvk}$1
zJqc6e_Ep3QZ@n@G9bCh?b53EdaQ5inX8BpMR#M^U;bq+r+_7+QQE_nVoZ_Jch5d~+
z^;B`BqlYm(D<U{v*OP;-dzza7W;8A+3^ole?psipJ3J>lcyLipa6x`viLsHME{;_^
zYFiHpPR}zH6$K{*w;kLoFE=Z=ZDH;JQ(;L(rW4%2+*Wakz@sEHuR#P$d5nqic$;j+
z#BncGyjTm5`YU2%;ZeBc$Dml@lI!TT%-v2b-@)4LM#GA8^0RS`olSYU*+i5;nzF%)
zFr*e5_OEEr)bte#b}nvp@X+-=$y?{YSW*;zeCUO(9rq;N-*C-u-jyx`k96`2tFmPO
zSqbyuKQFsv2smt5ylm1sp9yh+0rtI)oUU}&dyQVuqx}%CmpYHw^-9gsQJ*a9dXZi7
zQIoIf!3%C)-O=mLELY#x@7?Uu_w&N!O(S1f?Bx~wUNfm({QQ}>U({1SEL%`{(a-+D
zUD~!-oBh?Qyo*27{?smHXN&qXy+7XH=VV!fZ@d5TRzSmQH81Bb@U7PW<EEas?>LX&
z)ynwWrWMOWYWMo-%8BD|e{*$4;Kw@}26hZ6opY_5$8~++_j#|Mi`I_3{L&TE=g)uG
z;;qO@>rT{78SkL4|D@qtzu(xjbZpY9=a=2L!e<%avs6#Cf*F7?TnE>&z6TKc*fO0V
zFx(=H@?UbD9Ne^kVBSN2Ue7Ra6q(*$uVHOYmb`o|%?%wolmHc0CK`*&8dwByvk)#>
z*8P3|YR|%fCUlrUG)9loBj$(AuU=Nw(yTyG+fK#}%rYg!^hqKfC8#@il$Y*lJ&_`p
zmy|y-sz|ZB8?UN|ybE(R`sr0r0Y`GTI#R2)Et<u|$HW^GZP0en^e?MCSI2nn!;mQx
z2JHW~WZ~-785PiW%#oZAwx7Pb;ihhXJ3Z}Jc}0RT;R)y<wC#60U}Mi#XOv%>H49i)
zXNdpI^?vCW@07{U4IZ|~Y5Rq@cP6%RUh-q}HJckum~`dNq%|#1x;CqI|GUbste^1U
zvnD@v&uM#mQS(8rUL*X^-92_~OWV!`4`zM5q}`{Dm+yY_?4>zQmFsQ@A7Na?ZpTiY
z)YN@S=?(jy&759&XYak4i$=^I?6J4W&ARmp9NR|ZMGb4IKl~xn$)o<U)WJ)%lI-92
z)&Ai|)7Ko&Iy8Nx^{*w5KivE4b?4r?<2)~SXKbffY38WW6P(5l8JxWT_r|6>xd(jT
z&W>8o^M7<}f5Ls%f{c~pcW!Jl_WiI{Y<RL#d$Z}Sto`%U>tiQgKmEq5_pi4-nsw^s
zcdM0b0osBTaw{q9*?QI554$gKx+*KQBy7QZ#ZL^G{$B<_f<q?hNiYp-9%xL_lk}8w
zyu4%d(A^A<mVCOlEGZr`5<<b-Z7O9?yM{S=rlF?7^3>GD!xM--#8jLU+@`RPDL;3(
zIahQg1LmrS7N3%sYK%{-2*~1WFkd?-hjhSZ?}EboT$9mFcM+AElU)Z>esJ@Gq8ua4
zT~s+Z`8LQd=mk(MK@vTnNJJ`2Vw#g}bk|+QPL59Y9ZLr0Aok=JTMtw`|K`AdNo#-l
z@p8KxX=P4MkB(&foGo};X?SkV%RS1@l$@Ixuz8%v{q)eLTFB2Y&YIZ6(Djzx(ye!R
zOj(|TA76as+OeH6SC4A@zS*@p(Q*2Otu7CJ2W~tUSYyd9mk~!#D{EiuRd-ZapWbs*
zCcpE-$)mF$&6(r8_(I;x>(?BA<#yfPdr~iZ#@|o=CE?qRKOdiV^t-LCzwp03bo`Xa
z=JxEXaqj&F{c>XBxg#H+n03IRr17xOrek*BnAoA}5A_~3nfCtidTTuO?@mvhdr5Cm
z=c}KbJ05bo@?f6Fy$z#gZ@P76%(~I9#n$e4u5R?zoXGxx&z<?6uRe13Xo-IB`_Ixh
zxHg{>pZiH!k4DP<zBlW5<XUn04UE(bO8$XBVS4rXRjoi}r_2YDaPsKXA;xMMF_s$+
zbp?p!!378IEsDXsr~ZQ8-Qbv6)>JBc&`8p}4SGwxye;6dw*bx}WU|=;j<b4|gK>51
z2?54coSwRyK;ox!?I*w#T$`|$a&6=7lkLBo866yV%g(U3<%QhqDZxYZDAC;@jwD+T
zo*y{hzs!pMMOile!W)qfcd>R2;i`q+4Crc!8wgh(mOx-RE}J4%c>vPoziGI*0!%*@
z$Dcxq?INeVlj_~#TJi^ld!~5xbUQ!$noq{Nle-iRckVmYW%R83_kKS%F=Wk~i6y_>
zZIPD~w75~=p;~u){o3c$=u0~XEVRFM+UJe@=o4G7)!cG^<k3%eA8YfwVY>anM@JjQ
z^OkG$jR%v@_lW<<@vPgsIk`1EZQS#r_q|Eq#I9`}<n{ff?Bf{`i?$65dc8|#yCus<
zM9y@dZ`a_<jB!41e1H1U`$Ox7E%5H}*{R0el3qDABw_ZdExn?OKX-Mwa&xW{IQ>{&
z?JM4&mEGDqx5tX@ixwVjFy_*nl_9zmalYH-DeG@|zfkJ-anmko9@%y0#lNz9Ox2~1
zMfK*cm_Bx*&+t3*PMsa|QsdRP7bf&=YAogJ0MnnylBADY@LvYQvg@D1#$!2i{<t#;
z=~mg(UNJh^h?!jXw|VDibViQ(Sp2LEA1XhP8=)W#JvZPzQ`2>C58TvfT$)>pbElrG
z`LjOS<`5_2Ks|qc-q?Pu19Z{B_yBtrbkShEGqHSVrNQ{1S|PRsv)-r~fQOs%@R77&
zd_XN13Tj`JnqYelmi{P<W3ur-9s3m0zIj+@p{70B7+`MGHbg=Q<fRhJKE*drZq=-D
z(C9JmU79ib*2NDl1s+Y?m$vV<51XxA=C-Rw%MLZp)C=t=EqQ6*tfl*nFQ57D^W-Dl
z@_h#<ciXY%*Nk8K{$_V3t*W-6B(qMycPHXrs2OqICu5lD`>)k^L-t*q_4Sm^->qBO
zd_z_5u!OT`+TE?@Kk)F62@58Dc{HW8ce~cvV`p3+JnGULm7Se_?o_%rpv_C`n%vG?
zeJ6Fu%=qWuKX~;>%@2ORv3|{$Z^;FdcN}WIpx5-1Mf2^--nAc-@XOst-TU_+`hL%4
zkJRST8D+B~y~gd&`=jK=O@F+W{nf~xFLf|=ZMG`;)72)!=4<Q1N<#JfmxouMyUY2=
zo6k3FK7ZHYVHt*AsS8SFN4-?m9^XBKu~d2hw7nw?xbS~kTasP>ByQOl<O{mb<Blmt
z$MQFt1amAmIMwJv>>|yWXiPDtBpEaQWR6XPP8=Q7E%_zy87%bVsVk`k`>K8Q6mytf
z|J(G3v&PpO`%0c$`uT?oll984ciWeBvg@^9-#ht5mCs-Kfvxg8@awv1?zgursL?>4
zvB=@OO{12lzMppXH>VSKe+rrM&g!^tV&<*uGud@ho!y@<eSP9LyMDeqeMW-cgD(3f
z9;q^NTCJ`}4El?1okI2Wy4wPaUcKetv2l&Awci}II?XTb_80lzo{0~?6lPpFb(Zhh
z2Xixa{5<W5dLc8X<%ybgmrv=v|95Riv-Yn<ENOhM^~9*ft4H+8yLe_^kEVBX4&CS(
z^IF##_XBs04887oz2)B42|v#{^YOyaU#I6DO1W`#&$!glKgHe*Z*il>)J^Ziu3HsS
c)H`VVYsW)#iXT?4+%Tf)yMJ^UfC-TQ1JKV!x&QzG

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..5d65c93242fc3776b379ab98bb5e6e33af4b25df
GIT binary patch
literal 291424
zcmdSCdw^B*{{R1aueDlxs;Q>y%yij%&#jqinx<yD-=>;wRHlnebeSlMB7~tZ2<arz
zNEAW{VGu^bAcPP?2$Pb~Ax8+A{d>IjdrvwJKF;^^`~LCmoJY_1TI+qkzTWS(cEpHC
zQ~vTKci@1rgQo{4Jtf`*Zpx6tvBQUYb9%4jdYDLZ($K=eLoWI9iVMU|S}fu|H?-)O
zu}{p~UL|hpA~7;<=-6WiUiR}f9mH$BMx@X2$BgaNWlE#>D@05s@s*r3d+MCUefD(~
z3C|JfHu<D;=Z4MVhCM}!SMj|4$#YJb?N3<MU1a=L!km4|)U)SABI1(X0-nd6GVA=4
zZ+^dTXOZ*L#W||=jOkOS)qU@yrugl{^KLV^QSagg$8tTF>+~73=aw#+yyc*XlOz%>
zo^{4aQ{zUg+(vqvxt=(CYU!N1k2+`Je+B--r%#<d{p{8IeirB10+INEbIv$>?(IJg
zJ4>9`NdIV=bJp}ZU4Fc!72yl<Kb|rZb)8_hhgaM*rBR>nrLMb|JMvb&r0=ZGn_kns
z=7qS~?zi}@D^4^7$x(aTYrdgKD|p^LZg%Xx28#X(EY~~yy;S05w$zC|uSas!3pHZI
zb+Vm}JP~J+Q%s<vt(wWw#kAvY{ebIwuH$$m;{51D)3k99C>(f<ge4q_IA2G6&53Co
z7IUjUHT#`%BuwlNOOa4ZPT$DS&LkP>43QjX9-0pEa1qzH%Sh7^ew760WbXO!Gu#O4
zcs?$s)6r~6gJhl!cd{ctxgDjU(_QL24I&4fHj?f%lJ-tt8DQSV-B&V+E8QF`Nlpt%
zb$WBZnRGQRBCnDD027n}?gSa&^nngh{{u9PS;Dg?rMbCS8aq9tk5gab-8kZKNUN^I
zn=R5dS{^Oa|IfH1Bmb(!nJX<1*O}Jak!T&(QjR~Z&;O3JKlHEd@jpR(X`4maEXk&0
z<O|yGD0Cleg`E)L-T-?~`rsZ6?YaK$a64;T*S5E|`M={vuj3<MMEipFhuS`&{o>Ei
z{_?*k%RMC;PbcE~BXS(=i+_ggquNjZlV_zU+JChV{~qnr|6A@Ojz2)h$&p0Ii;kH;
zL&wtZ(SA0Qa^E3&&Q0j?pyTbof-&<q{JTx0Q!P&K$gj0yTF3Q~(0?+c<6OsjY`p83
z|NBI~|3kkzU;GulBOmL0@*9y~O|!_W%rDF_k+)$ByaPYjYsrnyJ<X&Y3XBo;8=H%C
zKB`6MCDR{X0Ch)+e2-?DPLZ#4&Z;Fkcj^4~C%EHeXmoDV`R#8JIrL}#+-`pzM|9p?
z!hEnq3S#b_C{PDFpZ*C>DP?4?{ZAtQIy?vKJp6wFo!5^<=l8!t=l<X0<k~ey+aTJW
z?WHSyr<eBGSieoA&n6!3r`kWYuO{$Z-OtmfUzZ%SLsFb>=zz#hXQ*UHsl#*DAEzg4
zV;}0Ew$BZbL1qAJ(LW^L%!s^Z&Zmy)Cr%l8sEGED{`3)rz7hE(+CMtu);{nqd`g;2
zn4=FvxcNM%PeP+;ThTW)FVQxbNgi^fjgxi6dZ=sRTakm&`uH(gFLg{+<Y)6U^ZX8}
z3ysZD;xo_XI@eOqcfy0LqZQ~rNivJc`(pZw)z+v$W9W3mJ@r#dT6Es89qa#{HaT4X
ze-*B_-v2_Q<5tIRKhQDSjIuP79*pVlqjZRT#oC;7*ygFrJXywkqU*EHsk(NuMzJ2+
z^$$Dd@Y>d!zN72c4Lno3Cj(nU*9o1c4^oe6>+F|&=Oy~b>5*TYm5~E(QsjVH1FXAl
z-N*r_3h?iyMgHlGCB0%PaGGPMr8DomN4viz?VK*sjkt4ljdoH=GfNscV{q4}PrQTO
z(~fZSqzV15FZGsg_A&Q2lMdQ%oQ4ud9<rS;CCfa`brJDrNSEj{($h3FevO+vy%UW~
z!zvo4BlefNuc6!*lh@ND-)dRhZjm3|u9PPm?ZExJBYUIN+E_0|eso^q{>sRg(Q==P
zznS<iL8qXFXkoNIzSKH#Kj(T6`Z2l#EsN|`%+|<{pmp}8)|+!S@t%dwL}#G!qzh47
z1v|#=P53Orw}^bH_3LiudN=wy`WpU!gb$&Ld{OuA5?BB&i6^$cy2s*o5cfI|2kqki
z%=J%P??=BuXOlPOq{z?iqu8}~Mh<urBR_g4pkvU{_<4=z%4QkqoyNV>A_wX;jQm)q
z0qUVHe(#FxRos6{wl@zy)K8rho`ujvv;}_3@dMGmq5b2(AliSl5B&+zex-fuZ$SUh
z{@0Frel^xtHsgK?RNsWJW2im(18jlUVtf+qSK3ei4DGv0ZQuJpRr;*<+rPzsQJ2wr
z{~Pu6Z*}>1^HJ+h$2Rq2zJ!Mu-$~5N*~~rJ(l^E!v@7dEwVX#E?jXm*$J!p~#u$&H
ztDqXj!PuBiLNAC>j82GgnyiWZD7Qrp5a*W~uNlIa8ywTV-2Wu9SBcJ%#msZMH`ICZ
z7Um)5Nq3q!?zG4ucP4wteC+5oJX21OaSD2E<cH|I8JkZJ&zZVU(mAt(80V05jLw-i
z<NsXg<1QiYTX26M$?mbJraeSjxR0T_#_1fbJVkiTkBuvh`e2W$`x@3f_Nnd)aaqqs
zI<MnT^Q8GvG>@9D&fjx*rgM2e<~fZkRa&}NQLa10gZj~Ot>nJuNBJlI_r`dLYfZb>
zKA(jD%UOHRwR`1g{mhKj5A&n$8Ke1D+g$UY=_;BRMQ!fRfX$)yfisNw)b{v^_4y~t
z{gVV(uUlht42Y77*3uV0<y;Q|wI5jbSQDaq?C83H9pKi-p3(jBSe~_&TsI9HMD3q5
zST}Z|UetecY^?!KSQ;I+x%*%@lb@(fulAwt&(&`3KtIL)aO1^y)h5wBKy7|hHJ_yG
z3`C1bL-W;~wxN%km$5I>2$x2_(qiQrfxlXo;=h&>?5MX1t2UOBP8s^M&Z?btWZkH3
zMIE~AOAhB<^H6J3YhIL8$#h?$&#j~#6C?wMKoD9$Q%Hn%kPX@%si6KcoI=We6ZO~-
zJ5c@SM(-yw{(Dh>*{reoxVxyoD1R^hmQIRvjK=FrI2vz?v_ccP-#Hp@8gZr^&d2|l
z-`KoSJBQ@BZ^{TWPDV$0gZcao?7wUo!CW%}?G8h6cZZ=d_fV5AouQklMyt^g(jiK<
zba2Dcq0SEJ5VrywA;De~uCJMZ?QnoL29cWXrdWnSE*u9r5Q^$pX<*`IycsL4qxv$o
zX^mtn#FydBXCJjm#<O=E&HU2N`C3LpJMximL|it`M~VB<Xxz1FL>2!X73}t~bFX;N
z1d^OL=zCX6XSW}9OWQ{K^N;L#QyG(SjK@O8?{~0+>jJK4+wpAP#lG)=`#tX850haA
z&oj}J$#-X-9h5Zl75!?83^!jfr@ST&nTzV1x3R%@GQX3~{|%ham|JS;#n`DWi<aj|
zD4Uiq%0y`yEvJ_Ce`aXRPr@Jhjn<Ra)n7q9YF$Pt|35gBiq*fiL2Wx|Tl@~sUUMd;
zZB&c4)nB3Q_`jj%Z-%FjXg~QQqJ2mE&mZ9KVSSx1McTLi2<>nGYtAH&KY~82{kWEB
zU)KKoXJ|kF9S(hsd2u9~7d?~Gb1B+G$Ab1%vz_Z+j79B-gpKwQ+C$g$Xj|`PZ>4Ri
zZD^QVwXJk5XY83h%pF=U<j2{>T*G){oaZ~|GoPqEz<oD^^_O+rUBf+1Gep?hbSE+w
zk*-rC4)a#p;eOJcd!w*lG~L;7M4CFLqG^84x_u{ejHY=aehRQ(2<HyQeKGb+eKZUn
z_RDCrGjn5XtYOO}N6YOJm$o@&J#4?w*WJdEAKb1s9_%AqUz*+txVtjPX#M;Y`AOq2
z-(t6PjOBkC&u{1Xd{pxpYbPg-JRXC6QlRPZOv|fv!MqVIzqXCmua;BeCM|_MZZh^l
zSF@Bk`BUbMZ&>&0Q|DhZmj+lDwn~bLu;v=phu_wiJl2?e)`WjsV;Gy=VQ6$6xt+D6
zk}!X^MwF6PDeF_Iw2F}y({!{8w1qU*kN%J*TcsU@xcC1?xKpH!xrDr)!`Z}TkzdRW
zl<5iyn)}c*;Y4_l>rK){Ud3IEy>$yZ30uHHpN7|Xz9Oov%xd&pX+ilDOcmqc0@^l1
z;>@MkSJPN`W=W#4X|^{#NmJ84UXo-lXGt@8RwnIbBlY-n<P+XJwU_6xeFk7Ba6g*I
zOHd7iO~iYrM#iNtUre7kiL-|Kq&bnara}+;^>M80*|aUlQ<1Bq_eo3BgXYnA7D|xx
z+DF^%7yM45KjfjaqvvkTSey0yEf?ZrG)Mb@+G^cEpSc#!QLvk1*KJYtt9}MULr}X)
zait`3Y%QF<we)r}cG_{4Jqo%oW(T9ArOja-Ev?-7k`}ve6;<n}75-XbLx=R9cbVjH
z-I6raUQ{%HsZL{g@Q8c0&uX<x>{%OBNp*9ufApMZ0Bv{$Z7>2`u#9;0JgEiozsNf9
zuGGT@%V7>_0hy4c>duyqkPM-iyA!JDeWmtV{Up1Ya+Km+DFNoGWNd34vtyiOiS9Yo
z4N?10Dx@XEGanxZ+hK|#%jgUF;>$kiA^Rea>oxavuQ?Sih1qZ&Tn{h6T~I~&(nTTz
zU@Tk#&%t_l1%|_T7zn*!7R)?CkHb9<Cc!9p5blGcW88%*^I-{G4CjN5w_W5j+|8ga
zXj~f4M&Rvegtwv5u=k)hgX#~UdAt61Xu6uFrgIJ47E^WK3wOf{PzIW|rln}Pv`nhc
zf<9Mx-yB&9wdH<E?P#uf*BveIpg(ZeKC9K4_&J4epQA3st`BQ%d4I3d@Ou)>h3QaR
z=R<M#1%2Kx#x%yQ&|gLV5#vIXKhbm5vzb>!-&r%>gkGgz9Z13lVsMFMN8fAfeOGwX
z&3&I0P^7N>81um~bJXYm^q282@GkbA@$d4V@%niec{g|~yxaV3-nrf)?;P)DufJE|
z4e$nfgS<j-us6gT>J9VG^Gf{>{P+D2z4_i#yk>XFTOImuK;p<jJz<Y24Wywok_2fi
zO{A$bljhPw5-C$MW1y9Hqj#%!lmCfV9*CFL(uR2~Bw=BH#_X9coCiy$WJx>bwholF
zqvS{@$(7E`<9U)VUA>jwE#4}BCxz=JePy(qAUDWrc|(4ZgYvT+l3yfZnwmDIwF#QA
z>0^4EzNWu9!JKHOnv=|QGtFFQt~JZd_1^9N8vj23Zf}jZ%)8TE<yCr*c~1ly1X}pj
zGD7b6cl#gvJN%FQwf<-R9{($UpL2%)xj)%2amJg5<}B|*Z=S!)-|MgQKlQ)x7J65C
z=LeQZH|Z(2$^+(XZ?Si^cd2)oSLR*fzZY;>kG}9X`uBQQcvl9>1J`?Zc-MIgyvzM6
z#{NX<E|cYWxj^R0g>t^!EVod?RkB51lUL2qK*K=uKw=;%&?=A|XdP%7XcK58Uc<*|
z>S`K0Al1}Tft1Ka@{GJGpUAi7B2#9rp`5pw3iF)VVRo6%%~$4o^OO12Y2|cx205dh
zVrQZ=!#UMC-8t8p=Un70aISN%cW!iUc5ZcUcPgAmoF|-(&NI%l&KBoQ=VND=8}Bx9
zo4R4Qy_@ZJcJtl7?m&02JJmhMy}-T5UF0rym%6vP_qi4BbMEWzo9;XAd+z)0hwex2
zPA}ladyTvnUQ4f&*UjtY9p_E-rg$gO*Ot+$cX;=Ck9d!JPkPUJZ+h>0ySy*FZ@ll?
z3~DpH&B!)IZN{`IZgWDLRc%(cc`_IXHVP&NQ-T@64#D2R;lZ)NlY(aiFArW5ydii?
z@TZUo)eSWcH4i0++JsU<?LwVHJwpRRgG0kZBSWJ@$Au<@P6$m3O%2TqT^PC~bY<w;
z&<&y6LU)JOhc<=Y4t*H<B=k+_K&U1h2)78g3<txh;kM!2a9+4;xL3G;xG+3Cd}jFk
z@WtV)!b`&C;oHJ%!gq)739k!35PmrPXm~^Tsg$NEi7DZf)ReX<IVodOj!&7Ka#hN*
zR43I>ZIs$1wRvjG)L?3d)M2S5sngR!8LKlM$#^{Dsf=ecUd(tUV@un{ZBNZ?nmH!(
z^PG&F-oJP?5x(ycMoF#=kg4?cDtU_*|5vnyuQRL7gS7B#=2NrBd}$7tgXWNv6m8)m
zXN)t!nM@1Ma?Wr{oeP~ZXQ5N>tZ-J*!ne`F4?B-LPdZQ2!Y?{oo$XFFpAj{38@rq^
z(ZV^jaL-r^&yBY50$O;9d#!tiyUu;cecs*rZ!IidoY%lh@DjaNUar^O>+KbLle`nX
zv%IC=a&NVFulE3BY=c+jz2R;1KK1r^Uwi+eg@@9@$I!y#54W%%j1RU5hJ)$B_Q5W}
ze!(%p;^3@cS#U}4I$C&jNJ37iUZ_bZDbz9)4yA_Lhq{D%g$9O(g^mgpg~r5McuMHR
z(5a!a(50b;q3c2`Lbr$3h8_#O7<xDKQK&lfuh0*)aFcLSxOF&83wH{4p@n;f`_RHe
z!*jxO!xx6j!dJ&y_%2%bK3e#p@cM9Nw1rz7ZsDSou_-6e!b@W<+?W<lKHS37(puBP
z4`)1<u`#2H7Jiu)PKdSeo}AR2UcX4Jg=yp?|3t2hoE*Dm<@onMk;`j1C5p_BoWb9x
z^S?7-c4Ss$W@Lu?jP#34a^F&yH_{v7Zu5q@FX|Q7oghc?I(i+vOfSt#^#YLtk?$g`
zc{Qv|H4j*yxbCUBD{@t2VdTol6_Lv#>mv6@9*mSmE{M#JJRDgcc`WjH<cV6pf2Lpb
z5cwh>Sc$*rx_9T^>b>v(nP0vCX<Lz9<b=QX?3%ah!d*Mmt$%jCziZ~M({{bN>+M}r
zcb&LvYV7V)yPo0Mlkm8`^V{E_FRXR%#!lMv)}A+ak3>uL?q|%NpRNDwp*?YX;`h|s
zQ+H1sPwMY+_AsG-R`b~h#COxK8$R3gSryl3es<PpM}0PB_wL=hc7G(Ydo8@Ud*kk#
zc9-og-MMt<*qwuS4%*p&XWyOF?9MUO-&C*o<m*q??0DtfrSFc5=D{#i*Em6D+~v+T
z=La_ddznA1tHZpb(4)K=-l^U!?{set;{_{%d*?>~j=I%V`^PKwF0gLa>S$SFS7)(`
zFCg4au&UPgk?Jky$!fUWdzf)}xMq*^^Lw}Vy0_JP*W1Bp-N$%6=>6;+sv~v0It}Y2
z)M-&C2~$OBX|bX8ew|>QaGlgT>2=!H=}~7?ouWD?*O^u4+&bj9PML_G>mTmZexX0c
zFY!<ReaikUe~y2V-t|{Q1yuRl{R6CqNvwjs0>ls)5f~RJ4ot)~S$(3%t2=Naf5VY~
z0>$<!5N#3rx84biI?@-{g_eK6TYD9th5!9eARNfz&i~W)RA33#4Azi;r@xk&dQG5(
z_n1G~Tj=ld{^3;y60wy&_OtwUfd>9(-ksicf!2PeU*cWmKkGl|Kkr?L-P0XArf1YD
z8-ZPRJeJu+Y?||9HqCd~X{(}k&8@Q9e^>5jU#`~88}hjvFjrx{{e=DY3l>}i>#8aC
zTbrl_*Bcv7Ex0GJ;ih86orDE9-G9%Vg%x+5+HvN7vjN+xxBM!7q(+W54cK=zld-0`
z9BUF~oN2*Xd6G;ptz?QxkrI<CQ%#zj%HC{}3CV2JNlrJpa)#+Fb4(XG$8?iY(@W-?
zesYm1kOgLlTxJU8Vlz~JG*8LpW|&-IhI0yYl^H4jFh#P+jFQFX7+J~*PB|wHE7;91
zH^-Y2(eHw8GbhV^W{%v>`2kj;JZ9#}6MT#ExVccC;(Xz0bD30`%jFrfKwji~mlw<;
zd4=<$*G;)>HOu8q&NkjME97l+qkL#?lilWC*=rt<FXU^pUiO>E<Qwy-zfR`LgJ!Pm
zFt<xTCa^LyK<+RzWE*cr-Z3lXU9(EwGdIh2PC-U-3UQ{%lSj=3GRx%1^}Kl)X&TA1
z?3iCNi_O#KMY9Ea;&t<e*=pW2Z<)8vHuH{o&oSmD^R9W{U*IqHul1J&0x^rU4c2K(
ze}#Xee}#Xwe_bFHNDX8JG6U@b9ReK#odbD+u7U1>o`K$hg22E)Vc?iRQDAgn3?p|u
zV|RjksyoX$&OI4>bb@odGs&6aT<#QMpN?_HI^&#Uo$<~ISTXalUoLVkcCK(roT<)<
z&PmQRXS#E;a|$->Ol+LfuyST&%bwxP!PYs`Im<cQnd_W`ZF?Se&t=Xf&ZW)*_ZctQ
zt@2vB&w8!g=e*YL^IjWwlNWSf@>1N*UaI@5m*KwdWw~#7?cA+id-qMRgZq}3?Y`}G
zWEIW9-gy`MwTt_{m*;-q<+~qxUELjCH}@m2yZf=%!~MkT=~jEauy=d=^Zkqbi~Y;}
zEB!_O68{>`9-8pJC0UA1OF7MSl(X3TpKH3yd7LR-$+tuc&CznT87)i97`cY`JJ<4U
z?{#LpEaOb*M$UL{;=ARQW{RxijH}XIBpWzGdeW51M$UwuGgr#<W}$30SIf(0iF|6-
z$}V${e8!pBm%M}g);x~ISZR8gYdG^We8cAOF42{N#^W7f9Vs+E->?Q`h>7Eju`chP
z>hT_?KHt5@%ZVmkPBIxX&9s&2CR0u}S#k>JSTjs}naR7%OUyvI)C`g}oQ2(KPL;dN
zX>vDbW@|Z*y2qR@_nI@Lf^)EkIAeR*oF|WP&bHp1FYog`^#^9Pd}Qw6o%|a4#M~*>
z<}TT3?v_1foqWan&VA-#`KNir`O4Yn{L}f``NrArT!|I?4`;D+wX?*z##!ndaK6WG
zHLl~je9c|QSsAr&S7YJc?%d(5aRY9gTc5p41Ggd8ZGv;BbC+|EbFXusv(CBSdB9C{
zlbmPR&vbFSy4~FFZV#;9Ue0sQ^H{|%Ih&oAomZS!oiCg(oges0yvB*Rb=`VyvfC0X
zIo-{3^PSh6*PS=8px<=fa^7~fxx?L~oOhk~u&Cd6K5#yCb~qoo$GYR4Pn>FJr}L?^
z%h~OG=In94b^hh{cl)>n&Ufxm=UVn(SMi1V7WWMIbaxIG_l54!?l5<R>$_vwnJs5$
zc8l|lJJ&teEyYT2;x==evma~WJcuoSx3iXg*m>^xSneIM-8;D<c4{5mT&D{A{z-On
zPq_2k`R-Znaqc*`*zN63VTZTg+2p+7eC(d>o{5#Nd)8~cyFB)+>`is|dO5bj9p19Q
zb$*q1H+!_}vE<ic$=~C*^)F);@9Z!1ANKF{H~5eHm0n-(aes^drvDcE<#$-C_xj%l
z_`F{CyN>I4fn}Tz@FxQ+MgO=V{tCxn+Tt7_O4Pnd#SPxYXqv^t($kYK#lH*9u=si(
zyHWAfuE?}_YCY)M+>ZM<pzST*ZD<FJzYWc{L@ln4xWQY5>RJ!pIVg6s;@ynq0>8-c
z`lG#|H}3P$J{JE2w6DciYgh9G{)ecB0dGE9VBsu9*xL!KCPzMSg2lTL#kNtrThU1t
zweVP5qxheoQ!HLNT4LdRMc6G0>#uOqBAhHl@m8XmHh8z77h0kg<3+f^--)iaaHb)m
z^#z{Bal6I8552?U-;J)Z_;;c)eC%Y=b^>oTs{X)JzxoUUEzo-`9yYn$Yw@*wng)0a
z(RCJo7ka<N`v>}f#j8Xgv;-1S>_x@bv>vkfAEOV$BizqI*INP&&_^x)XQ<`_JS~Ur
zD!{uA)ifZW_4$Ow*S@yF;+LRLTD+^!jqo&SJ&QhL!B!Hff=$p3UWm~beKE!e^raZ1
z(arD*X#aRMhStv(cpc7%H)3e~TVv=iY~GA<1Ns)c3#;Hg3$~cZ_83~P+Fw5eO=m|8
zjr*e*pQBoj$^p>+2iR~T)vy~5g4UxFfjt(}5Y_NtnxcE*OWazYUs+5T-3MQDzc>1g
z#q>w_Ta4EIw-$2(`Y-qa|5MQ)Exwjd^8w~8^e6ZQ_qFIDi@6^C)nc^lH5Q}osrd$M
zOEEYV9p|i_Q8XNDXcQgytff&j4&zzmXtYiY`WS0$6d8jCVl+eJEW$38wb#-dt!I&A
z(fTnG(RhoDLp5Hd1yH}yIv$TUijjmSSY!g)I7Tb9iACoRZI37^sOAZDF2Rnrq@tPz
z=)8h$ZAn8l4UkjO<QUm#ON-81*x!~AN_$7!d^Xx9Mkh3Ak<(H2r{qG|B4?nQKczEh
zo<QcHnh&K5q+8@1G$Tegw5>%-(aadVQ04+f=S1upOFy)|Mdw8997_SJWdm7&c8oCu
z&9TU3sFp`51T6!|#i-_6848+L&_0VrZg~pLx5(va*BHZ4Ed$6EX!jVy(H=2Ipgk?Z
zcw`@A8HsA&1%2mWw7)7v(AOf1P%X1E3i?}QF<KDg7<7O|mZAe=Xg?fek#bbatQ5mw
zi>yGkj+BX@<p)`gYT1<ILCd3*z)_ay*w(S6JPBG(&^3u&nB`<t^9{OYup_g~LA9Kq
zYZvyl<rH*`Mb{AQZOhrHmIrhVzy`O>L&sZm?#Cv#XrIw?g02(nrYsktS{@K>(-UG`
zifZ{m*9Po*i}snx7O6s~#LzxaV$n53=eQ`^_fE9vy1~0-i?;7Hi>@tZdJJt}ts~I2
zg#D;R+i`|P*Ai@ai?-vb7F|!U=`Gq`vn;x{VB=eEKu@>mI)lw`(RQC>k+;z^W88?I
zWzqG9y|G2xbgo6$67~(2d(m?(x^A$KuxQ(rTG$l}`-&*h_2UBE%6icD16@Pde_OPD
zwVgoM8TM3`N71qvjnQi?@;!Q;g*~^JWfpedVpdz!24SCW(ffK0x|XsJvuHnj&f@Th
zZxN!XjmS557QO$5MaocZ17!ecy@T3c{NBN$ZK(ANvJI`}Cfx5>MD^VmE7A8XY7?04
zF;=1PThvA{AH=vB)pi247mSuixdlG8$S8DIj0AL#MYPR7kCBIdX;GWYd=*36>3~JF
ze`#GSIdIS-*P}nhn1CL#h|U4O#%P2Ion(<`(PRs!8{)LIsBPu6vhe#G;TxeSW+OVt
zBFCUb7QPn|XSBt<h>n3`(qlY2<inYWdowy2bX;vgX%9u~*kK$gTE`A$b56%iy*g)r
z_UVt&QkaLEI&<ic&PBMXCx^Co7U158E(Gm=-=gK9^+6ptD`FV*MvKuhuCi#GJG7so
zZR^}>F(0AyRla!=z8@8*!s1_wK5X$x+j+#|Yh68V@vlWIE&ej}2}>Y=J_*!iAP#*R
zsHZ?ZRNDi5^3Asx;!sb4hA92od6WCgQLQ5gB%zvD2xwbreL)}@{m>F<gYK{dnxk4C
z2xvQNor1ptt+x0#qB|}A6)62y@vlbdw~9~wx^!_R5JHV5kcv8%Kn98jC6I}FmOwkS
zjwR3m^(}#pDD|QQI-}H!5@0O2buEFeD0QR+=#OrFOQ0tjZwd59>EDW;e!Gn=fdaIN
zB`^?eYSEKymwI%=_#c9%L0jDPZN6QJqUYdlmL)JA)iSilPcfQp(KB_vtr3^J2Tnlq
zErBVh=C3dJOHfT40@KmKmcS|KR7+q6Iv36Xbzcx;HhNJE4NISkaw>Xxj9DmcrZ~r;
zSH?IQT?mV~uX$c<(J|>Ru{e{^Yb=iDd8vip9Ef`@+(y{`=pAqmZpOWPuf@^w-e=MA
z?XH6d@iQM~yeN+5>mhg+x7NdR79G>>^YAkF&qQCbIA!Ro7Uwc_3%rJ(OVHOXI_BN2
z@Fw@qN8hpN9N{vjMA5X~k1-YfFvf`};~>gO=*}3^*vAUc549X#9K_>(6m0<XE0=NW
zB|r<@)T@^Wj3=!puN8E{eFK^c-Ee=3c86ZLze0P%ak#%lX%CNf(0D!Cz@zRpUXT1K
z?lUO)i;|3<WpS&}vty99z7JEhe)TLSisoghMeEzs{3)%0F|26ad(2Hy+MvrV?j}^r
zpafxs#eE6AF-8h{lf~VPu8fh2uC{0!>RD2h4D@!3wxM@Nj4YJCq_}UO^ra|_Gw%V5
zwzKzOjP_`SMcdwcC`JeLVT-=m^&W|ljXq{^-$oyg!JOl5u(;dMCu8KGTEEn#_9;*6
zPN7{r&7aZ*G*6)Y%hP-)d7yED`vI!qm3(;DqJ7YNFGg2%yT#psYFtV;_|&3()Y}!K
zJG#f>evEz|qX)Xz;(mgD5u+#iwZ*MQzlqTc{g*}izV}^>-Xd)VS^RnEP>Vkw9R|ah
z|Cxu{jI{WdpvPEz=885&7XM0gjK#kS9dGd$p~nIJ-d}>AVDXott1SM7DE&wA%g`q+
zez{1{w+QJ30~Xz*2N|P^5O<Jqs^~sD*w7-R7i?tFJ$JB$MNUH#ExJz)hAnaynqtwt
zW-#3%=c4puMfaCM`l2G|q4YmR_m{yg7NH)3^a(}xYC(+)WFbo1E4pV3(%y<(jcUB0
z`><dSi%?fVjTdxJ7Nq?Yxdx@p6y2W%`&r~#w7*67XTbuCT!#*@=w2;2(870>5~SS~
z-M0k`Epj6|*rNNe;1G-4gwi(@-IE3B8;Yz%=_88n&w`p)(6h;)<`2x7sI~{_Sz&O3
zMfVoL<1Kn#7(BtkI~@L%9g94PYCgb}p_(@6Ibu-L14Ew-mRR`CSb|e6M%&^<i#(5>
zWZ|8V1ZP?F95FcC!h0eKo^Fws(K9SY+d|U@`4rXkfcHrfywoDQ(90~mW0K$ki=Oud
zFSqdCNrD;|=ow#7+Y)pS6x4PC`4-i-0p3qZP{#o1d0y~(i~g%f!Q~dy1HHjwG`?Fb
zdX^eoZPBy!;B6K?s|((4kplD%i=NvB*H~l#dZ$It@Pc<)WFUICMbGnsT7Hm0sFoS@
zY%h4PMG8?ZGw3;AQ2PYPVDx^Ap7{kIu!#1x2Q7O37u0$Iq0a>$vglc0@L`J#Lm#o2
zdgywK3`ZZe=ow+~F^lMU)H(${FAQouf}DsxVbOE4p!P+OlTht{pl4=5?Q<a0(5EbV
zeinS%BGb`lEP9p}tg^_-=(83*Qwu(4kyFs;EqcZl++>j%=nED-ZwtO?k(uaA7Cn0l
zZnnrJ=*t#8e+s^0kxS86Ek@gDi$&i{1Yfi0*+%eni@u`>zG2aGj^I{{zN-knY0)!}
z;9C}bZxMXkqURsMZ5Dlp5q!s@XCc9NE&5I)_?|`2MS|Nc`hFw$zD3VSf*)A)T}ALi
zi=KG|cUbh@Merkwo__>Cw&;6|;3pP63kg<R^xZ~qr^S?_pIY=?M{t+LoR99d=y`we
zGmE(u-D45W*XI_q8r^FV&C3@S-rGv>ON+h_2!3VZU9JT8S@hjN@Shgm?@I7%i)eno
zvGC4Ug8MC^dDnRXcn>T=oeMzUAq2m(@NQUw2Q2#DAo#t7_r((Y!J_XFf<Ib#hb+N^
z7SX)?WHHoLh^Rvb8=JC*90=eh&QKiG#eF4O4;tbA2butlag%<i2{gw|+@T~$#=Q(}
z32kuSfQBIj_aQVDGO?XB%`9lg{gr5Y=!Bd459LB<{E&}O7wC?=KH39%;)gm6^@9Gm
z>0_Y+7=WKdbRZ1I-3lEB!|_9%gpPudxF1D}U^ITnQ)mnvhdTqEU~x8}Cs>@P&`B2E
z$A_j^bUz;|fvJQgub~s+6x?0W88DNyo<mOs`nc}(Lv!Fv++Uz)!P&TJtI%9H2X_rh
z{|=o;Jay4hI3G848oB`H;Z8&6!-cr>&@#9LcVF~Upsif$BD4^$A<oy(rEo3xsf*Bc
za071YBD4aiZ|7ZfHQdJiW6|5;ZroZQYvDose1cZML%6?1AGWytQSC$E_CXnAimPq%
zn8o=Heca*>MJwS6;vr8Vt?MUoUxjY8=$S}J>m6L`E~NDiE^|mo>m6LJ%PNbjb@Qyn
zrCvf>@8BMdK5ucgFKn{7BT#J*(DRAVOBQ!5x*1+3Ki8wLz^k}#Mm101yn||;g6`u(
z%%zH}?e>Pn)ppwoZ*spe`WC#6yBVr=4SGHide7pvK)1vD#7|v^K7bE#(*~iBEP7rL
z`q<*qKSJ6b;GU0G!!F#}D05oqGu$C`kHzhPer|Dd(Y^2m@oW8k318u+4MO`YdX5$P
zCooUB^U!ZBuJ+k~S={4LZC7x|p$9B(G5UkW?T!9uai^dM;V0611pOI)!L4m_$f9Re
zp<gZT*=UW$JyRqcumr9_n^<)38*U2JtG5_!ZqYq(m^xLwyU-*^#$ATCw0H~9*3gFg
zjGJ)K;$4o0A%**lgK(-v_s`+B7LPg)cd`VoL#b26uR^;(9_K$E+SL-EkA-_eFXFrc
zWt=D;?HlfE(fx3^AN1$`^=P5R--r&ic#Op`{aDexbeQq1c=w=lEWYMZ>kItL(78Z<
z{r2dEa1n0J@5L5>AzB7kaX%lu8kXSJyp&t~Rp@ON|9*6h#eV?33n+(AzYS|Xz<&tU
z@__#^y3XQjo;3{kPoV0L=l&z;dUzB!gexun22}l_{^RIV7N5SFLc1$I{WOJkRy^u5
zCDEd104ZUMo&luLj*3ToDb$hT)Av(yEdJMMk;UJFj)pP#c@rHA$K&3Fo&b|^zlKt0
zivKpc6qey;tfV>?e-G+g{4dZ(7N2pJ+SuYV_EMWz{CCji7N4@FCR_aNXiJN~7Y$nc
z-Dn4k|2ay(Q2bBP5{qArPJ`*(-@#`@t%140qfIhaTm0`(+9Bf+{4icK9s}yn{|Tl4
zWsn!2v6@i@&*J_SebM3{Kwq}_-=nWs0xn8DDgpA_HUTKJA3;yG1gNLXrj~#~sc*&q
z0j2ITDU+T9<<M?9tj~J(lhX@&<6a^{mZCVs^9$jBK?C&JUr75GkGTb{Aw4Cqj8_Jy
z!fAwkGP*6zKDtus78O5a%#sO}CUSYD6t;On>WVvMa>q(uZimBzXBJkN5-yx<ZnRIq
z<z|P6RJa*K#uTSb2rmjR8a{1Ncu080)M*u7MpSt)ebIzY;R+dBJd?l26{l1bOlWo3
zIeo%}Uc}>RJOsh}q6x%sYAgmcdaKi~c&d|qbhyH8TU0!{xT37ERYgJJgjOjj;lUME
zMa30Wg{@L1Ou(0aIH%<J!kJ02JO{|L-=61jHkPr)6$Py-WWu6F8t2&Jw3LdnMT=T3
zq8zd7N~!wY4I{t5Q4qU9O%Mk)F}Tu{6%iSdmeNXZq@|>#kk1K)q+K`r=&{9v$!W@j
zj+ply`1sLrI+%y~BCdmZ+-)09ZW=Ff9Uk}6V=lf5&S@J=O3<55R%+{J`dA*W6Bp=E
zA+~rlTgjN>3ZsRo(7n1ele6U_PB?DF9UsZ#m&JSdrKu17;3DAP$8|PKJkRZ)%?RjQ
zVkZ}Ht5py^70srHFtX|t!wPyMUiA%%UrjGsBNA5#jL5nrBJ~Jck5N^>l7xvpem*cF
z8sN7fVH!1q1tJMEL>dnR{5IJn(zJ|BheevBEn353k;HV^D3XLG6E1nZNK3-BB0sI;
zpqx`O;tApou4ZLSg5AuB3z&KElR|najFyzmPz?te^$Cy#1yBrgU?C7bwGy_%US<S=
zF!X>Tm;q&gzjQQX1WW_U*LEVz1@hc>4Up%y+h89f)`QlN4~2l=O#EizHxs{^_|3#`
zCVsQ<n}y#j{AP`SX)qtkVI6D{X@|QV?sl7C2OJP-9}nr!2gboHkq(6IK-doW?|}bo
z@}Et<vsXX`Y=&w$DAF+jvY-Hpfp|L-Zw~S15N{6g<`8cV@#ZXmRj?kmz&_!p+OQB-
zLnTm$o%Y%fB6E|_To?u=Pzp<7EmXmF*e}vK4#Lm_ieLtm!3wB=%}_1UMIZ@sMe^{Q
zw_hZ`3bq68uEf(d3_R=B46>mRCc<1;4C`PMP|j`#M7qaAI#AB;<6xFZ58OR)_fYo&
zSOx1vdgj9jm<IEq9M%Ex_1pmm`1ms(h_4rM^cn}m(Tg~G5l64}BE9E|^htm$D1c&^
z0}Ej_RKix+8~b213C)FJPy(f}6xKo&Y=`}POd1DaARqnlSC9Za8$ezM%!hIyuLH>I
z0Q?L%ATp4=4kWJw`@lFLuLH^Jz*Vpww!l6PxIAbL`7i?TS6I$L)*+E0%^;gYsvb}T
zGoTDsKm}}uYB(q|j64k|p5eqZoOp&$gZV&Q!`Hzk*Z~Jbj*5qL=mX<m7A$}@B1f-=
zO4tf}MTkm9Btb3=gAyo(rLY#NV7tgj!i^-{NWzUI+$h40BHSp#jUwDA!i^%_F<C%<
zjv+rq9+2lE@?1nhMbm(=qX|2ju%ih(ny{k@JGu;3h>XGS82paG?-<HArW}ZG4DpSj
zd}9uXjE#qMpnPM;!7Nw+t6)8Bf!%OOWLz`IhC-MKb73*8flaUj4(LCv&I^IoupRb`
z6vsgrdO(rL1oAq8yiOpm6G~wztcA@`4F~z4Gy$@p0E%G_EaU@Z(mR3lPS^<BU>_eL
zdq8><cf%o(N#t`9`J7Y;6M=kABHSdxO(NVR!c8LFWWr4*+~j;10n_+knJ^`BKz>Vl
zKoQJ<GFSl>uo=i_$w59iB%f2WfP79RpHs=_)P=AbDq$<^jUH~wiAfx0;{PPVP2<`0
zu*k{ruwUeqEh00Bb0*<WohEV`I%|Q*>>eVglgHDufq2f?Ei$J<<jhi$vxWiJb3KuB
z;()T9yNZ`0P)dHzPv9eK?q5J$^YAkdoj;2YtNTDXA5?RF5&5_n|7D9sF5%v#<3uiN
z2J85Uutel?(!YYVufX4xg>ZnED62)TBJQi!h%6$me~{Kcwu>z0{?%C`OGs<UHeQmH
z!fuhJ#C2^kY!SI`hR8DfFWV<lPWt7<cRlGZ=ic&-A~%$atXKgRuvz5BO}yL~0qcSA
zD~WIAAwCpt2H8*u6JahahBYELbA2<{x8wuQZ{hkDz2^BXJilclY=eCww|dYT@O$eB
zm<IEq9M-`W*bRq7RyTuez~60@?Y4zLnQyCvt*|%xA)nlygyzC9z|ZaYxg9^Z<L7q#
z+#wK#9<UawfM<79^RYVN)~o>TuOZBu&3v?83JZbzcX>cQ?n;MMKpyW-0OGqFKX>Ej
zZo;me1(f5SEFkaq66Rj=es3X6gt@R7*1$&C#>a_!d0~X#`w9QRYLN$*@}YV$AE}e(
zL!0?Py$>I#Cjt3g&$CB~`!V8rY(F0u5=Z46K0YUnCo1{yob;b0EpE%kYCbe1%+n=&
zY>xk`0+DA4`>ZPQKTEi07s6^F?6X^8ujor8d5-j+%Y|W30;RAN)<P9*hy5bY$3Yl+
zKoQJ<GFSl>uo<f1ARo9VKo%50G0cI5uo^01E9{MZ0H1{B!Z0X-QdkOWp$fLcem;<o
zgD~`fBA5YXumUPzGgQMtKA=y4EGU3tm;(!8HB`b@*lRzo-<*Wz!Z0X-QdkOWp$e)+
zUy{koVJLtSD1+5d1>4~uA6632D?OkXN?`?5!gkotNA(FnI<FSN99Rk!uod?6L4O>C
zp$8Pf3?Q8?#Ipr|TQ);A929vi0kWU~ieU~cgw;?9TVb#LfxzoYXf6zc5-5eGuokLd
zJM8C21aT0C9#8}`pbS<(1#E_DILMC-5+Dl-pcv-BLRbxzuod=-yeW_bxiAb$pcIzE
zTBw5Uu%90&#6cK(KoQJ<GFSl>uo<f1pvc<^kOc)$40B*1tcFV13VWj;L&~-=iob0o
zPzI}^3aUlk5eP#8lt3x00OELOI~?Rk6G_kmilG!%KqYL4{rs3B0dk=T=D<>@fUU5f
z4<-{J7mE0SMGx2~^1&)N$d4`N0Qvrq>klhnhscfuNQZGS1Li|D91!^^4q8Jl6hbjD
z4}4Sx<**hu!dBP~r15b)P_~cP18IMJNaT|RBGn$K;%6uRKPBv^mHhUdbazdIx%{9b
z3wrQljuE_sS;vnzngMy)I|~T=MLz83B`^8;atrK$eLxyt#Y1bzhCV<V`^sUB$Ulka
zpG!r)_5l4R3{@ig3xM$7l8=8C!yH&B@?8<k5IK+p<mmu;I>5aHd*PtS_oVv+@%)$$
zq;)V32!D|92N%Ktk)L?}b0O^Jl!SDC+02hY4sl8{mmhniixCgDiZS!yfEZ_;7<Vl{
z=x7aSonn|F#!rB1F@aLRUmW4$@Kd)+OubpK0Lp>z^)|vb*awHi)Ncma&__%>VdA%o
zX+YWyHUa(`LP9Q-i)lO&4v1+I4;B1CV-}E)W<A6-kApc-2E@^PFB}xpVgwK_k^Cj@
z7n4*1JH#Y&KN){5r-^ALFkeh-(rr!rZ5G06s1y?<o#1AEd_mlyGFS?0#e@rCoEY}o
zCS@yB1L>t!iAjqG;!5iS>%^oNKoRWYWisvz;%!SFvWT-?YuL|`(t3VSF$^|}$>x5?
ziLiwaehHUDo;sC@$;|@N=)4$K0b%mULmv0?;~)&VKs@=yKs@;iVFgscW`01im5*8a
zi0Q$-p5&z`_j?ubV~A`Zy*~KwOWJ+$+i#ng{%ge)ED$qbhM0i~FiXs!cxVlT8AM#{
zi_D-(Ak3icVhYLEVB%+QWQME~GZa6=2s4a(!%1^E=?y2|;e<J=6c)m6K8_)sqsw6p
z5XaG*#Ec-F5yUfsI7Z-S<TyAWX4F<O$IRk~4C!!?4``<GvCJGkj2Q-tVH@n@hYKFy
zXB_o6u9_b&EZ~O=SwKAF2|pfx$AzH>kgwy2=Q#WxR{{7xj<|~xARh{WFvaDt5q682
z5D(;WLN3gQHL#r@I;6ui;QII-{NSM(Y~hCv3!oCXH;H&B6$0^1;(Br)KBOTpQ}8oo
z6L4?J0Wl?{QIZZ^PmP0oD1pVWTg-`sJ8=dO&xuvAPs~Y#n}+}C+r*r_P|PWmXU2Rn
zGYiC=%JpgFah9@I%<M8Trx!xCm@_5<Vdmrmai3WNtHqoZ2djX4XRi}8cLd=7oN4?J
zfwG^wRm^#7;Gme&SwPz7<NtygfP3CBAg+0(uoTup6_AH{`^C&B{`q0(0YyN#`DL&I
zDqt(@6?36L666B@E<!KbFXm#xUrhKiv`m$F%6MKzJY~dFMm%K|uo<d>Fqh!>68v6*
z-%Id&34SlZ?<M%X1izQy_Y(YGa!|~r36KQ^Pz<GFF6#s1fbw3p04VQe>tPE}PnR7M
zv!I!n%LS4k7lr}xT|s<T5Z@KVcLniXF$WgHYN&**uvg5L#C;`kUrF3o68DwFeI;>U
zN!$yGdto*d!bF%4<zlW%hdwY42!9pfuUZ9!zl!iz5&o(}Vipm85#bjRe$hmj3yWb5
zY=mvFPs~3&Xbt%=0;a)ySS4n0g_x@+idjNDONeKQx`}5A@hl;pYw&kXIjn<CumcW=
zSsD-NK$xY3SxT6tgjq_Mr5j-z>=SdX2d&`{KQ?Iw*+7`<2y-1_uH*hP?l0s1GVU+q
z{xa?_Bd%q{wQM771L7(tuJYE94<le2%olTgF5u^S{4B@Ma{MgE&vN`M$Io*7EH8(3
zunBg+0WmkkLpt<<aWD%Oz$#b|TVS`C6-&k3*bKIbxv5;tO57`H-<8#{U(71PuUZ4^
zVH4o*<}x7M&Gd&`NavQ;kPUiW!GC-$4(L<2(r0d60c*vqo&lv|ZX^ENi2JsKVs1}>
zjbiR76tjl#Ye;Ji@vk9YYYvFHlXUM~FXpZ)J}@D!wZyqL7q*MJXD%#&a=_m`_`7El
zY=hlm*w2~!3ZMuGzmB-qtrK&957;c`0rK;}J~0oj=0mqxVjdzd4`l&i9y%oE;bwrp
zhe_+<y`mqWm`7H?T7IOoSj?j%pc)Q}d5o}+5%#gAd>oex_^(_DJb$7@%m(uL<TNoG
z@w1V8Pm$i!tsxt>h<Rp}n5ulJfGQx(s{LY~6-WZYu{SjA4b8JNpbS=sVV`H7N1sPG
zk=_gB=>^LEBKKaR{4ebg!+yxTTq)+2bSM|Yp2o0;F|Ts})q`TT#6c2pf6Fi^2IAkc
z7Krz?9xw;Eew}CRJIov8{SExTQ3!gE^04<XZxH_*_<Lg`Yz6Yd{=;mIhcHmat;1j<
z5a-qfumaXW6>NjOa7fIX2|%9T>;c607U{l48gCQF+v~+_qpaKZiFt?k-pvNWzSkP2
z0r71YXa-r(2a14a+e=|FtOnxQz8QAFetvM{K@t!K+uyuT-0xTN1E6t$zYlYPJbbu`
zA5`&d$5P-qcD})`Hy^DM^Km{9_b0^j$$T-@VJH`~vk<u6xkb#U-1`*WRRSBu?2d<Z
zVm_M)+r;ddBj$7NeO@MJZ-tmI5&*wn>=5&10W1*nRTiuevyW%{$iqL$<3EY(>sfF>
z%r|p^JntvY{rkjxyAZaE`Bx7p2mF5547Q0mz_aiB0PY`%`^RxGA9jd2C_q{Vi-7ok
znk(k#QZc_2i#gO9){FU-Jl0GU6Nwi`O2jcU#Bmmj;}(m<uK}Do!^H86#0l`<xs1z&
zgW}X(FHXHOaq8#8YH{Lc!5ZLx{3h5dPQw+j5vs*$<UtmUfH_bOyz*?cL!1Nw;!Yr)
z1ma0p3dEDJ9S(`pBo4BHa7~D_3HO_lkEVq%5lFu&X*44*%@)D|ahi{Vz2dZ(2J>O9
zIEna6tPm$@fjG(WPz*Dm6gI&@aawK_rxku%?G~qX510#^VZS(STEh-;g6U8Mi-B;V
zIKXd+ctXS<BAzhM!~4WZ83BYzB|oWUumY-JE0E{Z{o<r~kObLK0QgNKUujEW4Xg*!
zN!tc{;gC4#36KswfHcxeU@j~ar!D?6$x~)7j05gvRsi?2xR-^$EaGWLn05=G5;ntj
zaoY2|{e0lMLu(*>hsAI}oa~9P7WRwNu?Q-Fcyh9UICItmW$Hw}I?aG8UVFv^esfm=
z&vFUdISk~vGii6;B2JfPFbqhy3t_tKhJ)hd5jGFMd9#2#vJY|ci(#!eT?Mj$>#jWS
zS_b8y&o;tVak?eJI9M!BcjD<@0&@Vr-M5L;gL^&5S5N%)#7{5c??s+^9TcbcW^wuq
z1C%|B)0cerD})uWPn`Y*Ksp7vutl5!Ghn+o1Gzu2LYzUwIS4J}x{$Dg2{)uQsN!!Z
z&xg)}DshID0r!Rz*Kp$gGmi3v|IVz`ks=ZPU8Ztz`HrBGG?C`Qzf;6}qvA?7bFH3W
zXWh8pgxC$y8@yxgH{l8Km@76&9G9kXlb#!-e#}L%geRmy^eKZe_O!`iSJT6;W-(W8
z=e))#jWhB(nY2Lny#6LF(e0jT8V8D;CN+1i$!zDfYv;8OuLxZ*Wr`U&*(v{Z)(Im|
zJn@Gqy?fW(^2COktIgRP#EJY&IR-J))Ro3EuC@gAHN*9fC_!Vr(O63mD^f$f(NJ$}
z5dG(G>r<FYN$8{n*8&D&_i{To4di9!n9Q_>#%-F{G%YhNuqWXkjT*LW;Ke8Zyyc-S
ztFm6oGDr34)A{tg{Mj{^JBxpvyK*H(q-IBww?5=8QNohN??L|O`rROzWI&>s$?UX&
z`plGMuAY!2vSsTyEDkQAwo`CvE#`FzI?bCkbOOzTu4<Z_*QHz6{I(qokD@yAlf2^w
zWW=`!HA`+EZjw28V%I5yyLIl8KV<Crefo}d7B_0!uTzWcw!whsC%4T@=`yTSqPent
zTHA0<adC$XT2pfPFEZsiD<mjAYs*nj>#*JtwftK@sg!!;ukqoWCP#BxCpE|En%~dK
z>(U}IkYmzP8<Oo7<h6UEZzlCSeQa)*adZ0hpO!KzxqDhl?+(f1hh_Co8Z{=q!?+8_
zjJ~)yCogq!Vw*PIMs=QkMq0~>B~)*;jz>_(@sccEYjgIOJ-A^sSK3<{KmS&LX_<Ll
z`jJEaTSaDM<<X_%b8^O=Gpu9l_Jz5vTICkDZ|y8@d&~vn#?2p{bzY0kMZJ3+(}~V(
zG!Nz*^1y!u;cw)?wj$#&I*w{vJC3gBN84CimjAMHG-oNzQ<~>BPvh^AW<|{}AAf8b
zIg96CHV>0OmhRqY-yih9PB%IlW2ucaD{BsZ`Y9>hF#p$B+ZWRIX}^{4zij&r^qYFI
zejTKwVM?0Y`Oo`9*R-yAjT;&>d(b)KJ9jy5?tq~uhesy&Xy3MfPVxy8o3)Lf^>yl;
z!`&i3Wpaz4?H2Xw%_*(frr*lh`r%)s({>sDH|l2tIjn7sdgM`CNZX39o3`qB<NKto
z(b3jCkIbd<zmdy!mY45z7XR|guX9a8&Hh-L{I|&#Gx{_BMw-$1h(~7)oimIi@Lwi-
zgz$~|1SvLO{Kste+c<lIiAsA)VrtvW?m?r&zHwe-rhre6o}N0bNp5mhyJg9F$He#Q
zb5u&W^8j;q&B#vU`lZL}W)|th^V^U=o0sb70I%~W13bD^)KwpK?KG<Y4R4*fbn>ht
zb)&9&F_$f8Uei3cX_^~oK607&-0d%Xaoeqo+?wxA{hC8HrKah$2W`F#J&$mQ%m0_7
z*^P}9))J!So2|va?#FJ8&I|VwPl`<X)AIdRkDBKO(kzyH{#|rjw(aZ3+P>k|4a^s`
zP}EPWSXraxY8o_&dHqcHrt}J(-nyqXGHI-8LAQ+=dE3l-P3n2|8rM5z^%b7)yI$8x
zqbKEiuJ3!4{o^)$gTcOSOzN+5ze(!VyJynMpMF}I)U$W5q;Fzn(7COtobab*h_%2U
zE!MGSjn_7cw{27hhi#cg|5k#;yd3`JPV(<&rUm)eJV)MeZ-G~*!D1_9bmP+evR-@W
z=7X1Xo8Rkm?W<07O}L18p(#JiI6U|M#mw-8V5KppbZuxEZMWZM0K0-^M%S&hRG)Rh
zj2}3AREG|uW)G~@L8C?ug7{9w7Znv<cx=ax<1aj>=%V6I7oUC7iKm}_;z?)6)`MK?
ztf91!zcVZ98e2Q+8!+nGOU2gN7PUPqwz_sO%?~f9)!il!Y1eMZ#Qf32N(=fFI*Xfk
z9^Jd=xNa>!GGk`swU5@#QO;`WroLp$(Y3ADN}Hn95d-QsyF?8vt(#WVjURP2X2xl|
zLz_<T>s1=_PsWio#Cn>U<Ju)vE6@)_=YZ~sOr7InwPjl77Z2^$IRDr_;o7>KGbM3U
z`{o%9TQ=!EYwk>~x|wrpK5o@%K->D=$DcX4wrUsL+bXS%U+1*C4Py0*p@6NJB$I2)
z^B*I#kruGg5q8#*olh&eQFLHwMK`9Rb;@mgc(DC`LG}Y`ZfT`kV`k)6`6m=+_3v7K
z=Y^w3^y=HU7h|JYr%}CzO-ii!<*TnuN$1?$wmOHVVXM@m?mPcB@3+*9wLGHce;fOD
z4&6Yu`HV4|y_U3r+EyE+9bt4%)3xgG42ylx$<$VR%#xwQ2AvT93a;8;rdh$oUB;yy
z+b*YLgXFa4$0m2mXp!3Q*u0)+v_CprklD6lqgLt7$MqSU(tl!nr%uy@ZByGcYSFk+
z-Sm3l4n5PehIS2Rx1W^UD%84BbMB@ljT_u<c=r??a|SDijVkRBki6PfaJ6jiAC`@e
zUnz@;_8>pHdZl$uX`a@2%OmFJN1TND^MBpX)8W+DF~r&Uw>UkG)BD3Xt#!hO!Su)m
z#7WIW7acX^q7L7Ty7-FnUfsL*S#nwY@-=31&9agaBTCHdn%mbbrwoywC_^6UHIRbZ
zGW<tR`in(xgBnV)X32B&ew%*Xr(ak#s!?JiuVGTdk;^wRZEfu~y&L~Gxh$`SIYHbo
z>88lJe?Q&kS`*FxuqI*?Y?As&vJ-4=&U9DNT#}-TMH?DU_ZKV{N9Oj3e5bi~hY@hE
zJpYD{ena1@*R<Y{3y1Kx$A9Ib<JEJYD2QuN$MYM+^`%sA<eieAe@dR|T=PbkQ@VCN
z85c8iR@;&3=_A|LY>)O6_GL~sWljEV?Qk@o&JiVv4bHz<I}$WVf-M@BMr?g=#;tf;
zpr&qKqFw&_8(rLETct*({-gJ<=~=%;L$7}GdigisvwqEh_(U#R)bDGKF@5JH=7mCe
ziSueU)>K~JGA|g+Ysp&(?HdQlcXRUH=(oP{-{e~ta+^(RyX(JYuK80h+|sLIazn3S
ztA@RAdSS0wvpi#P+qQ!<me)+&8?Cc+GH{5r>+(C`Slj-`IQY%tvGWF20v3Ylq~k$r
zSLbS<JANn4fJtGvnUv<~CS3E2*-%q$(k7V4=TE2^J|DmBvGul@L#zlHzwN%8Xq7jS
zx`(%_zs*#-?`B6$&0~v_ViQuVAKNojN+PKyvS&=9EKQ<*bSJ_2963tD6^gpzaD{QH
z&8WMvZrybw<_9wSVLi5J-k2G;q3O<+tZPH&vKCLLc5mB!!7?YUUATXG*W8)COQx6B
z^TI>olGB@w>Jy4jY}YM3s<=@~W>WL1ZPI6-U9&r{b=p}injKfaeVe32$~b_zr3JrD
zY{96zpte>UXc-$EQO1DY2uRaEEVM^~tU;!RcpZvZkHEGXw1|n(f;Bi?ST!$#(R<n?
zT5LOgrv=g)=QR&#L65LD(o)$r8#6d%P#Z7)>}6h?L1`U_<+V!dee_XnyN%Co*DNbO
zCEV3{YTbyIZPEu!>RB*taC+(BkymtlwMj$flyutgDcZ30f9#9@s0FR<V{Hu0dW%@*
zj@TEswboB`SIjb=oIhb;+x9~z=j9A-Jvc4gtzZA#q>jycWsHwc8#uLJzo`S$f{9bw
zj2JLrMDs=^;Z{_YBbnssP_)j|eyj7CUG`h9Vr%su*Lj1(+qM6XxHk`Q?5OUARaa`M
z7qwby?NV#srB-ihbx-fxboZ>D@$6&Ij6GiPZU)Bo7<;^77TeftZ4AT#0%UU_EFplI
zf#ikV0TP2TB;YT`Bp)F_z`(GCc+~HAs_Jg7?g{UEe|&jwX!&<bS5>E~&N+3q>ITib
zL31+Tv}?;s(A<k5L^SF{DaKM$sjn_DaojJ^kx5%xe92*T{i1JsJ(d~UUMP=5>?>GU
zktHQm==PO;nUQ{HcH#1=smm9#J)s>>oL?A>WN!C`LG*>?ZJW^-jFV{p0^dJr1pUe#
z+cZw&{_$$V@?!s}Gw`H^1`^Y{FZPF7H?=!bq+5|{Wvva<B(X&O$mV=;ZeO*&s~)i_
zjc>Ov4%J5n^G6^5SiYL6J2MNHPfs3S$Yy5`)_mEvky`3-B+kam!+lsc*rn_i1@{9Z
zG+6fBN1MQB*cEap`V8rk=1GeWT^6%I49MpO1HxaTJ}oagm}Kgsnze;G9AhvgcrKZr
z_x3IgC2F2%PcRxke3;#JQ%kh4G#q!@Z){KH<0l*ULz_siRuu<mI}AR&3$;UJAA{7#
zprMbFx(+g=A#TVL<V&O%3f?lhK^zNr?gBew$>Mur(`NCs&YyPSZ<c=}hyg?}fC!$6
zg%re4CitAtJk9Yz37$1t?_<Qd_#awdK@3c&UYT@(^Q{R6W(HNvYEYNGQjdftN9T)Q
z^ll$ZF8d<MP^6R|+g9vNeSDXrEnZ(P#S-nUsq*e4#|v9tR*w}5G5jkH%@%UCNYWXd
ze5NZtkeV#oI*W<upvTs|&|6)o2Anr^q<xi{lCQnh-RbR~SSZZ(N7+-Qa-mc#mP?J5
zOeE;GT0`L;=mU%@SwL8P2J?MLrLAOw`VN&!kv{*%rECMg6y$V*Yz{f^LJWC1v0xY!
z+>Y3~hp$<OXKuyOv#oaV)|FVYrx*fTI~=ZDf2{FUmKrIBgN=_;w_q5zJg<BMtAOT5
z&b;i5-aEZB;-pN=&xT#qF03RTEA+zQ5fUms``pU5+`vFC-`~$(Y`B%NN;+LGrzs^6
zzqk6e)k(_>_&pEy;Dq{nQUPrGJ*+em6~t;fux12%f`r4bHd#TuhAw0irLIVOcSkI^
z;wf#eQ+M$1^R4z9t+srb{k-8VZ5c@_=e4ehIf`SB3^o#J6485gfjN?d(=~=Opr}w>
z%{CIo&*Zda@&86^bnJ2X=iX#{*B^c8?0ZhkD4%KE{DrSJp8LDyJBVKB7x-Q``em>Y
z*=b+e*A<{bN0988tV4m?I3qsx<@|8Mwc=@OaoD?^IcKOcl~*$7za8vWZfe2W;^T)2
z<0VM$2h~}*z$(y3C)R_5mL(U~V$5_}z(3A+)xECIABk_0hJuBK_$OM_LXgubCaErJ
zGPaNjS=Cth(ssxtjuj3$l2{t7&v{c@hjwqrLeCB0fAW3o#o0u)QcMrta8#`KfyPH^
z+2fC-D=mJE*Qe{u|HtFSq+?ammULpI`nIGIXxmbbz_=|*tJ<OMOZMVSylUQ-Lf&zn
zyq>*9Uy=I0Bx#~jl*BZtL8_)<(14`I!2<n<7K+7%L;d{+>F>e*YF}TquUgeK4OQbf
zMd}9qL!ahWw<rP7jP$#^)m75O$#gr1+!VUlAR=MGfM5)Z#fq)%;o`!F<?Z02!2{9>
zNk`-q3N4XSEDe%_LdOewYJ#w0Y#H$Rpr12+q2tlQh;1!Yw+xYXS4>VuT6RIjtCW4k
zCzU^kevzGrdUxewHX7db7M4|YJkqDOu$TB4GnSjwF-rAGr@Leg+@++zeo3Z|Gtk#z
z4&lS-!Z7_9rXTB~MH`ZWPeO$vZC*&eE_|ZFVZQ34E~w|~qy>Ut4<5)g5`98XWY^il
z^J!I&Dov9T`)`^K_2k=kgc7PA6-y4DKg6;|C5rEH+&%ab`nlFdu8&M#QS0yVCoL|-
zK+u$sQHS#}b&qm4k6moa=#IQU+7WVv+&xo1_Ts_XKugO#He0dQ_@3B*e(<&Tpf3Y@
zU&6%K!p-^y_eGKv5Oy2#kv(Y%qX)z#$cqL$2{4mPfZay3mPxY>S#5&CY4*(EHTn7U
zbTSq9#IoLCUp^EaTB?j4NX|!xBb(gOj5pL@2t|f>IP-}kkx0Pj^twA++d`TCM0&g!
zEQAjE0tKhX)#+#prU%pM@d~;CFDk}#vvLdiv&(WCBC9`S77Oc98QI7fiSP!sVbu`d
zwBxS}e@Pb-e1!J$6wB0c@a8@u=}E(x!O}NZ@^0SYx#QHSOw1W>5Bf%&JwwZtr*5*p
z<~1k3RL<FLH`twm=9B2(Z`q6B6noW`Ezi8`^^9ykL|+eVLqhqW&51Y_@NHoa68x_V
zJ?+8?7!p~t4UIzf@FT#tpnb%XJ^8@O?H$(SR_FD{*l^?dkzypqwlv&}d1wU;?}RY`
z{c5%m>HXSBMc`XdwZvdKn#=$n`?E)9$*$7oZJ&GOeeA^_<#rYdJ99s3aIZD#<;sir
z-PG?X1MDCp`2>W_Q@sTtjGwd<KfDHRywi^sXXu1sN%2)_>XN~LqT5d%J^j`Jd%GRx
zpSIC^Hnq80ZH_ia{{yE!SZ#GWY>o~`FMII^xh?tpw#*Os-z~WxG~8dzEES7OnJ<dD
zg}n=ROumS<r|oTNOVMel@9ifMDI+8oNia8h?!YX#dC&de^kP5Nyaj{B#}U+f?0UzW
z-rd{o@36IYx2E6m=6Ak(z!`Mf+I(#Vru=lbzv9RL-@W?tJ^o&N3hbddUY%y=(Z3#?
z738jvCaI?WX<DC%I3Vj2twO94d_u3$<A6y6oWU{8Kv<Xc_F%Fr;^=P8726$u`{;59
zyfUqxw#i36*j=d2eYU0LgksCaBJ5wEO)up#%b8~z9sSGwSPkfB9{=;#=x4KCNbjev
z<*C}K*)BvoM7Ilh$qZ|)`SVYIik*1++q+ob$%`6aKZ(mjc|3#lZY56?w>TV03jbdR
z&zSH9t$p5v@6+(23E!gO!zR36!^<Xow}$tdaJ`?KOt}8LlPbQNpg0ZfJ%cRz(hsz8
z-KOCqYJ2R%1?xQ;e(MJKDHHxSt^KP^_~$hIP8FyASXH_e9Gq^Tx4B>ckM_O0)bH_r
z>G(Y+{2#RT_nGjoX!!jq&VOH}Yr(<ks{TI3wXCLa!`j2p1B$ruL+%b4wW1qrjqVj%
ztJaFx3vJlFbicEU?~V>=93)5FPZL*CWn^AHC#?`CHS${`xFv%i7Z;*PL|6udi5C9C
zUL2Trhhokm0$v_N;EO*M><qd)e64BUMB_OvCg%CUYOs_FJ05?WoZ5;f67TYQ+gi4D
z`IM53k^u=<e}T@1F+Mvq$J6TgT1ncs8Z6XOkpx4R6!20DuP{ja&{SxMJ{S!|+>TAd
z$k5r&oj6^<yqpkSXh$JR!r(*UDFcHTpa&+;HdtvhGS(th&p23r`7WEU(D*PLVgLTS
zXP#lU#&sXv%&t1h0t3eyuaHp~Z+jc<O+FUun=!{b_@2!uAxpQ0&uMs>aHzQODdDa>
z5f@a|XSd1SE{!c**Gcnk_hJT#uk>OzEBH%i?g~B^@i&Y)?*gwc@}ZK3Db(T`f+-+-
zxy{o~w$7#yA>m%5!C$p)+xI9^Xn1^SOJVV7{n+9Nj_^x+Cg*0S_S}8<hv)3<F?VjV
zx3mpr^j(X?+XqAJkxD+BY%Grq5BJY56R)!DTwSENCyd+5=}}_iFZ~L5->QdVh=7wx
z*WuXDj`8+9wutjQfoG`hD{qgOBfduko;TsdV+1~F!VhZrki;ntYloHExA5PcWYe;r
z2?ahx4IgA<#FKdcjd%$-^`GYLYP7doekr~Wx$raIZ_)yYS0~rSGbWsPj%c4Z;nY8Y
zPnvMz)dC+j;l!&2UN+&xQv}{`!ig>dA5!tv1jQ|B_#i8Y@$+#JPZsS*)b<?L`&ra+
zCB=EQXn(83GrT?VaDksPw2xVdR}1`AIu3dguNL^7Do*|6>ws|L)k*v%UXA`@<L?Bo
zL^K8BleAcmrYHnmK9e3MI3*cN$-7RPL_4>^z|RgAf!GMJ2-3m5+@C|d(<eQh#3xgT
zHBsZTGA3sE_`pI}u&1-}Ej3!J#ghoRBJOsmM7{}Pjm1>BRWc9e4kz8dZq6GG>*i<L
z_+L-sl>1;aUuP6|>2PG&%MCcKCxPcpIIRPL_nUB92Ld0`aF2rcE)Cy9wN$m=rTG@^
zC$;wHl+9LJe*!O?aJ_wzaLf<w@7Gv|ESvNg$fo(x_0Y3$oHFQyHpnuXA!tIF4LbMq
z@wuvLHvAgqitNZnyG9^5%!Qd2V@RgnHPMDm(PgfPlX-I^=|rI`(&}st_H;Wpjy6-2
z7Dr30RtU7V++?+dgT7eTWu8z|_!;pL@QeL?-L~<0%QHmX5)RpqxHQmD;Dc<p<U1h~
zUIqRf^gtXWacd;S0R>S%N=m{e&!lc+IfK(2eD_=q_#pd(h$3m>Yg&PvpmSO){<h$6
z8~&2zo$OT<VL~TOGN=d-6+Q7{-Fx9kz!{VN!GR$DUl3v?yafSpOG}Twu(I;P3+xAT
z_RH{p%Z&)d!m%Ih-;c4b{s%_>eZF=P|3^HM?vMfvwqao`81Rh1SAPP0meWkM&rAGi
z;72$Q7kE+PF965Ao1mq@hb6uWyvo<8z{>(BySwGbR@wssACm3G@6y^8_@rz<iT1y?
z5-$|^h{P9H6PADHb13jZ%VV4ul~+@&1#=bBE$2;Z-N=jJ&*fSh@ffE#!3bRpr)BQR
zkdDB2fwKf69fg%*I?~nQb)>w+PC~_02<+tiEuQ{}<RqXuq!Syn(*75H>z92-Y@y=e
zv_*6P<|5Cok?YZe`*>+R;yeX>4}%^f*QpU7WIHtZXv9lwJC~1G?@Y{fCx1_dYO{-d
zfS5kgnFT(@Zd?5>f4_%f{WN?JOKa_aspGa=na%QB(H~R$L6+wIu|ht4pU*YDzu+j-
z?_wP4bLb<c@0IYqU%|Y9waNYibJc0twc)NZYS^8ikB#pt3Sfe%7<`Fb(w&$)+EGsI
z91*!YS|Dr3XwU&Uk*Y_BZdiHu(9=w5-0+b@lQ43;bnwtC{^0aCByE(x<of`pb@Vwy
zDWrmCz-gTdd`QK?I}q2X;e+fRRc1rSq4OBUG0}T48}dCyJZZvdy^Hpf8{kD1hwdhH
zBGG=2Nw=bY3VcXwuj*C;A7lr$wPSow3AoS=&nb8F{*xVsbg2Wp|0Fw%c*ca2>=W(t
zCY;74@S+JPJ|Xa76Hc;B;AIp3Dh(eu;rjb0H9UbEuStfA_YATFe7vIn#6JW+qP3@S
zk!~dLTQ|T@nQ+pXMEh5naMGCsey4_`KYXtfPC66l$@he@U&JHC_xiQ(QNKtB5%}x*
z_pFxU>bI3gQIk4sNn6U6yVU(6BRTXFsV>Knok9DZ?-#NxwLC}X6BQwAcsH!ZB!y!5
zOaC3mU-APbHHn|$pStm^h-dVc(sLy33yuQfR)lvuh;1egHC9M^FL^V#(Z65~u!F~z
zr*|yIQWW|4vaRzw5W|6w&p7PQWrr6oddtE^ZQo8i2X>AhsJxPgJ=XV394lQnw;MsF
zY=6&?pLx<ZH@<xG%4)Xps~*q~F|T0PL*N-cSP1v4RA}PxIu%rZ7U?ifoX|+ql$KLX
z(<I#n7B;jXX`52b{rZ74ha)OamWV6t)}>R2hK3H`xs`q3H%~v!SYux>SXr+1^wgG%
z7oXm@?~Yx0o*;0Fy&J)i6B8E?`l;Xj*hlZQ_JOvBc+~%~-vzF5h0*5%pT{s}fOG}w
zvB*BrJxcJ$A=iY$&_y6B9Wzbwya&}d-ksC%u-k8Pc8`yh`)O*{2KFXelSyB?qt{c5
zkIZ!S-m{M;M33?%z9z;){O-eiU8{UyEw1trfzv(|?bUrKaN5rTFR~@hclyC+K`#yG
z`<dn+XAO#Z&ZFd^W>uA8a{4Zi?pSV!PNIKgmmv#2ML5_&JEAM>G5A!)CuxB}D3&3X
z7wJ4k`ELwlU?&C^ioxltmhx&uZ_miifqW|B?(pE8F^;9p1ErxL6efMP+QB=vt1-Qc
z*X<q;c>4WPSzvp#&}k_v_HrIf!9FBIhBX<om+M{vpETjb`vpFv;*b@H71r=QY*D-i
zG&SObY*ESt;9P#wdmz8*J)Bpm&lgSKE8%-2GkBaY@2^kx7bi{)C)ptIJTu}n*8-o^
za1X@`YxsT^lJ7C&do&#J#auRv_Y7(8NtoU<$U<Bv+>O2W2Us&Don!Qn9jnJ+>C!od
zh%2PHbZ{KL>w2(Gy7`JB%X|Q9C;(S!5-rHS$5)S<{V|;HXFQ^h`<7*@m2hyef1Eqo
zvoll;B=ej1w%^n_T)OYk)Z+D9uec|8BTPD>Xl;kHx95_Ox0sCAx(?hG%>H5HPWH~x
zqnis?@43T?(BxcksTKo$={(})>jA6<^EAl<oL*tfyO+<qz*Rb~#rJ6K6Q=fqEWp=8
z81^IMdrH8euZiCU?{(`tugPMl)A1~wd9Y*Y9H|-ug}k9t4#^T1xGfKpA`_Y9ww|xv
zb}U5E(YM{kVsrKno<9A-<;K5am>4&YljiFU<Hfj>QcqrsXG}P)L(x8O!f71}ylBEn
zM-lk22`3#z;AIm|GF;&OCY*Sqz&Dw2(rE-fZo>8cOq%e&)Y`wog#TQ_uQ%cUs^KS1
zxZeII4Np+qxz=7iUkG{<uNM6rq4t=|t>C>Br(SIG7wMc=E(p$fahl+qmu6q&B9fno
zeDJOK+k@FxE#J^3ps#bIH~+AP`Le4A=DYlU$H`M7tld|h?Im`rn{^6tzuocnKQP9+
zFJ7@c=<^KtR11%Yvwzk)kDWWJY7R}Oczykv<LpUG68$xFbQ<zPleiwA9(cdh6%Ten
z#CCX>XUsA9%-+=#l(KbtuA}i!fBcxXwx8u|`#HY0jceG58`u1^{9G*B^Er}x<XO%e
z1g@{`go3eSP6e*cHBL9yB>!FTT)wA7f7ap|X2fYviS~IDPJ2h-!vYua<ox}x-tzau
zhKMurZ^6U-20X)zIK5xA&zo?1zrcr0ILSbP52-k09pczEe2}#gZ<D`EYg@D*QQPzW
z&>j?cQQ(N0L_`wrC&l)XOvZE2S>V)O;FBht`Xlfm6~`GFvF#c@$ikf0W^pz);w9j}
z0@uW^kgXfMHf1@iuGXeZ6FuLD<PqWpxx7lk=48PxOJd)NsB`jJP*jVMViYNYJa*_k
zuq;W>gbO*ho}iw8OQxpC4lN1yf34_QxOd&fs`D)@q~_wX>L=7}-1ou(A##GpdEY~N
zRJM%d(m92`)6Noiz}duBIg2qUSV6W5k7Dtwk>bexs;jBgE0@-fE*2^I>(V{9PfhGm
z9=_5~$-sL@B6q%cZLNf9!aHh^`L{ymM{!=#^3Y^#|N4Ds1&2#=X(i(NRja3<l+d$B
zQ-)}LEre?np~-Cb{B_%kR`!9`i?;MHMHcd}*fD#<j&gbDjq_vMI~qT-FFPyy@7fcL
z9NL=;U7hKx?7w^O-h1}<-oE|fJ=^fhJJH`8(chHixH{YaW6l)xS<GY?X7UWh_R8!j
zirekxwh_`+e3*H%K}PUdL_Zny6-u_I^BM*3)%<E;zMcJHaJVbk>g()^`kd3Fi7nxk
zH|7u32KG#*uXeVz-(zd>R4<-6ajaZyj42N<70cOO_gwnnKj(Dcxw=hpVeYLsQEi-E
zB-gDz5prciY@CJT6iS1-1Ux}K@ryXGOWC<{I#F^*k=7XxKH6PE^56MeKGAB2EjV9R
z?mqvz($<kAx`I8*^E<5L*mFGq9F7Eoe!C8yHsZ<;we~p^PI6Ver(nXrtl>2iPI6nc
zFPZRv*YK(lx7sv()QBs;)$j=oPf*^9h7U4@^Aa)Mu!h&Q_UDwMwWQ&<2pm3c<i8m3
z+YIdy<)*bqZm@xFOB#NMhNC|k-3ks)H_+SMuUoY5oz}ibzpvwWn{d*T1pV$c;fosn
zY7M8~SLs@CaJs6$kHu78?PLFexVC<9Bh7M>pc6pC5ZNY8DO__QCPHUMvMgq>gEH7b
zt*{=n;Tx0+a|Wwhe8R56vjp~Bi0?VFpA7I%<iD!%PkwwF#wT6hp-c=BR=76*XU&;Y
zrU9}0d#Ahnp*AN{f6C1%K?8-byWQ(Z_{KjV@`Aq6R}JLi0eihCgAAd>E>nh(Yar<B
zcC^fQb+b)crVz%<&-DMv<NqeXGvBZBq5sbrQ58_k4_;K^Qi-fcAs{JGN+2ncQ=rWt
zr&1QrVBO(Kdrw;WB+bOxVU)K>0h{KZD7I^kTk9z_(@aAimrT6bE>cEN-GYdnM`A)9
zk()T6aT<?`ERxTrNAmtxzg0<<<Fnb}fvZRQmIBG8>fpA)Fj7js-#TCI8Hx_&kM?fb
zo2(y-^!qxjZ0mI5XMdJ0Wd<qzDzWQuS5l;36*JjFZthUcmuedx^0_aI#LJm7Wn(2W
zex8r@chyaU;6G&Z_)p?X3|bb}X_`IG_ZP=uT~_fD;fU2ZkM@+q6-Q3~o77p6!FTH=
zCy3a$c6gmcoW38HKl0R56dX}pjf5iGn22h0;BOb`PjzU-nV058=nk}cbDZiV7g2`_
zmJ>?sD&domC6w4j$u1%ea&3Ya7chntug#lRo_NBX=2b$-ieDyr_0F|y-?qGcM>w9E
z+&eUOWF~$4^mJ{LKlpgJ3$&ZV*%Y(@4<IkH!%<>6Zi~pSdMFPJc%0+=G`$NsN?ZmA
zJk5lUgL0Stne!}x=S(>9T!Bv*@XsjEXgGWue9n;TrQC<R?(?7)^=C?%k~rym)K7sA
zvQ3;v7r4Hs<0UrA^*wse?Ake&(KhSPu@`gJjX4(H@^;LzA!!WHNZONCmtrAl&cpZ{
zhTVenQazDO%rRxXiwGCuUl~5f!uLyaEV6#oL^6~H;WG`Tf!G-BDJ>e>lu-7zx2<g6
zd}o_2GOxu$JJZt#N9qTs(y`$7t;^fC&9$6=rZ=2GV%g&!*VyR9B&QwEE8}yP<TOpt
zKEd3t#nVQd&!uReGvPFs0-rG9B)0`#GvOq+1zs}YBwqwxHQ}@-1U{(Y3CfEz;!@YA
zwMg<=w6AOJfh(k62)v-<s3k;lTi~|{eDzmYyDu2<+YIfUTyBf@x9d3CliU{g9U6{)
zYIGyHE%?zO>xA8m^85ODe%}Dj%i0-4uF3TxFVDa;L2~m9<hEDFbM%16lOz=Dj4WwG
ze05RApBg(rc}k`@djt0d^EO1osi}Y0S0{4bw$7IIGXPWNP+PdW-P0QPj(?r!0zw|<
zHhC15X-)|YX5x`9DG#A4AUV*m)^65l_Bu&3o|nhhCRsO#cSG~W+T=K=rNDD0oYs!O
zt0tV*j=%>^_%AhluL-BMEZR?)a9XnhFPU&!QvxpteDz=GaAZ9R95z|>KW}-!GQjyN
zE_CJmO5lSm%hxRNTO(cqPPX5<)sP9V0)GxZ-ShN*&d0QRW-_jBeJ)1+CyJu8!5c#%
zgd|%?*AnsEZTRbfTyo-ssLCZ_fu*>2k+(r!U&<YownR+|p$Hcx-l->?IWBh`u4KM9
ztfk*cVRK1m$cHfa#!EjRDIf{&`>+#y1=RT_m(e)Vf=&s`Lwug+U=P@8z|#U>eFpd(
z%|8?Ea}xh5@GZ2rC0>yDv%qH*@F0oTB>rpQajpZ1_moWU$NbCo69R{>N%0imDH5+s
zypH$?<Pc(>VW~j>2Q3frJzZMuv-}phej(s<sxBe@Q0wn$bA*J@8N%=eCSVW4;cVS#
z31jZzN_DE!7i=r76q6B8o2M=Aoj^ty&;FBYYAYorcJ-@TskOt91IYV}*ze|ej^C%Z
z8~1RXUaj97tc4daCp9`>NE%m(##pUb3zl!9Z_Tx)^uFl_TW--n{wEC<U&MQncgYs`
zn)x)JqnzbovBqG>N8TgmF3<5jtRV4(30LC<X^$G)mk^gn_ImVBiKBl`J-6ilAfHaH
zx<#?f&?9BtBDF@Bw9jbSk}K9f_@lr0<a<s`uou7lWh6^}X3MRz&*#{<_2U=|#(;I0
zu{>fK<^1CuJH+)Sflo2`awPr*@DJJEcB|!EJoaP``dx(6M6};yIjhoyaxt~{4_eL=
z--3)xu$c8ei5DCt<WPQ-?*slEIc1A%m*IOQe2-#Mehk@4dYB<+L++0C_}5vS2pOU!
z$;Tlgh=iZ93w(<-Xpt#I`qLDH%N#})ib>HjK)*p5pw-&tD+5DUnDRjHh+I0thJF;i
zbo9$=Iw;Ww!ZpTaPm$9y%|0P$KseV;1wN?as|m^<1r1dElY*yn89;UsI_HuM8&=-~
z*`VVIBhKv*qWy#kCmAE~f{J7PQY8-+-@}CekJh7w_fxbV)Y?P#7}^iAj4pc&cnLVk
zo@I<TfV+na7I>yG0=w-#-hb$aii7u`^boT5;538wYw@%Z=Q3Ng&zW!<m%s}qob*P4
z*GxFcV1bv6xV2Nm$Ba0qr)WQ+;R(tw)!Gj-Kc|D}Kk1F4eO+sRPAPLeP~f)+eDx(x
z2htk_ew(4am+OZDzuka4xPB<`J2V{q(da|^A?Qha$k;D#cM;#KYTu)IAl*seujAjd
zVjlh-@9TivrWlsjs?w*a8i{ThrV3DM@sSerf*5#_0wl(5FfDWj<e%bNTuU6SifH8q
zLXr4XIHM@bmx$OF(lKan(kX||uf|xGfH9aQI7&y?AXP0WI07uNZL%`jA4yP#Zf0|=
zSA0IW;&@vi-8XVob;R*l&{?dP$CC#~s4j@lJ5m`>iO<YgjGpms|L5&9rRW(jI-<on
zYd35yMOcO=ELv7;lO)z@AtW#5g;6|+(1ya&f<k9;@~DZE9$BpD^w!T&%E}z!pZY<Y
zG46FEtBE+zX-3~BV~H_#BqvL5bPVj9$>wMG_t$sD;(K5v86qpm3&KiL%OC5l?n@+g
z4VU`*N~PXj)+($dYTj~Rsa!SNN2=vYua?dHX;?=vx4f>1Qdj;0tE3O71&oQR;_8Gr
zi{UdY3>yv_QT){pv+9(p!!w4&z@;dnl#JujbFPQ_;`ufQ9CqGRC7fP2{o2=BEPG-d
z{av-5_&_e=NMFwDzi9o}cuk$_hqv&(V&pYO+{l~iTz?bojeEP!^+tggEa&9=6GR*6
zA_C`ok<+Y?=cdzo(&A#8EO+aBXT{1PFRfTdWapu^quVQg-@uqsb*jVdZ7c5_ORI_O
z!OCPd7w5iO9LFj$ryaVMH`U{BZ7I%QGDf?F*2vI~$*RZG7f`K}Q)-^OkbUeEoVQm6
zT`j-i^gwI_<xhjx2z-y!e`lefeTef|fltWxkU{KCTm}hz&;pGc?;nG{V0;hPmsOnf
zasGbNBk;RikAOZ6J>%EVBaGjJzRqP7<x>9z?=KxFA!98+=D$Pu`#4V(c+P~=`A*;y
z8t$Q-Yz^OM`H6gw8Q)|1q4xgw@bQWF3~KL5nBFsJ`5}*uq54oql`kPT;5v1uWyms~
z*`St%9qWSZ;E?E?ySn8k*vPSJgbkdmO)>DG7_3c1<qU5*EI$dG;V3UxH{53<MkLN?
zTF8uWtRXkt#;f`LNp&e(8|;h3B89#}BoGax5`BGdiH%<}S=(8QgyJEN2m2SDA^%m`
zsNWk6hEvs4teh`JV}*tBMw$IP`L25UCzIL1Ldxq21|qq7K0Vnhe7Te({t8?)oyV%D
zxte0=HRj%fwT0Yq4c}*Zab0|mq_GEU$k-mV=knWwHFA&PJtg4KV^)8G-@Tdp>c#KY
zEPsX*fS$9S!knDOVOYyqmtk%C=|UE?<Zd&lP_V6&CQ1=*sB{8}KrwIam<cQXQf{<}
zx_Q!)!he&FN_Ic0Q86$$3j3{|%MRzSo`Oh@iYeyVEHc{loc1iGxj#SGa)_t3A6zcU
z#CA$`uMqusZad!tbV?<C4Dxy%JZ;4J-Vp6`CY<y!ffr0T>0<(~nQ+>(0xvQ6k<{Pi
z`ij7-#`fI*Ch$=mSK7G#Ch##GXTRmVMc@-g+&ZTH?g<nAN)5lxgkPuOuQcI$`x`Yp
zLA3(3_JgdSuP;Go(ho&{>eL>qVRE%kapL?}v|OX^ZJDH^uOOq>i!4Q|*GqW2)Z(C|
zIf?2pWXlWlwMF?V6i+E)c_2ejZ$ORb5&kW6?E#}_i~U)3%H<EWccT6P6<rbK2!`?y
z6J7@l1mY;}cP!^o9LZRnK(`X`@tspHQ~nwpNV85h)lQHpyZV52JwhrL(h-O~MB0<6
zumG<JMn@4pWZ_UFesF%9HbwlH%PI7^VhH+axzX7@Rc@}Vz#P6zOsWr4TU?DP6j~5#
zQn`%l3-9B5B+X!NSqD#;aI*J^_H`r9^#y?!G(15x(%P$by$}?w7x~^Cl6w;cAo06v
z@ibjerQ&>ViuO4ZPJ2+`HHq`u0{s2N_i67#XT^Kg;%Ot!-!IzdOgOz?;58FY_EUim
zYIs5E;(J8J|K_EiYQIZ+MBsI;J!&9u+q=LE5{Ko5{Wb4@UCfK+SG@lm=X+n^6DFMc
zBk(~LhfF~20wd1%Y#uVfh?gwC;(j3V;Ww0j!<rt_Gm`@(kpt^WWLQJ7QoEm4{Xmps
zP8^@St>p0`50E$)d<qsnk_mJ&sB)gK$BqYrd2tM)I9B}(M5^*6Lrqax>&DZ+cQ%(E
z+ggZi@<%4#n7_qW4bNtlQg6!NKCvS;b!ezuXTgC;@8}d9J%>j}_KhdJ!JV6y=f-hg
z!{P37c+1?><oi!dzHD3h)YglffsSzZ_~gVi>HNHo5$rBh$LJoFTS;q`Zh2`cY$SIx
z%2UYQY|O%=5^d&UM$Ltc$dkEFAtPg%O7b0>3mL80BD3lK?ZZ7($0$1*v1xUTthat}
zDHu@;8HIw|-l7*W!a9OYj_m0;_ZgzPnriGwwVg|K=v(+6Np(8MQSv<b)WfpEDEVeZ
zt{`Owcro8z!G#M#zf!BtA-qScc|`@1cToh5*BcM=Ds)u&kr%&0VYag<$Yw`9wvZ@C
zrxwEcXAxDyc&)f+AyW*s&o(Lpqty)ITvUya7C}7bYH(|-z`<Kxhi&v%vIbrX>-F+A
zYvKY7U1kIDH9^-0kb8l)1cm#{ij6>{K*-gQ#@`|jL`G#NGH1(@dET{gM*y^kdOf`d
z)-7vCHeS8T-g)cBRqkl*k7LjOzgQDt?0U^>@;_Pvgx7>@v%;TCHV@S<;Ffj)vOkJ}
z3ttKC{Upbzl$Uy3CJCo54`U5;E6*sQ_%P<b{uQ@(*kTtA%`U&@QEO!&Ihh@<zU-b|
zlRbfO#qT_Mk_Dzx#hnwouXZQ%VIOMIGJi*JEEtF)SY7OI#4uotw7+jv=kkJ<A1l5m
z%Ffy`MRtscqH)x!c5Rx)hh(;xR?<>Lc{0*c#IB}TNAf+2QwJ|WYb;X6jR9&2+T=nU
z)w@hp%BTh{6)1C}co%!oP@_yMLCbj;#b-PPdiKMc25p<DPc{n~!KbfPna!v(G+i4J
zAsV6px;kKTZP64`cpr``I7Z>czyu?w;6HI-r;xv1KCLudmAU5&G+b%t5rx3Im}>8l
zxj{6!hS-e2z(t#=GO07_%;#;2xfZX8(MTqT*}2Nji8RWUwzO1+7Q*q&%%!7rhQEDo
z>s|ifSzebnh&BBY%y$g(P*S6*zN$WWHByCgpNYqrIEDyO<OPz&$?#0+Kz0nGXJBTs
zFP!dPitVWn9GoxY7cOx|lb3h-$!yT+zAP9|&mW(mj$w|1tDj_lkN&h_jx=pp%2j=S
zDkNwtRNmxMSbh8ig$N7UCsau_!{e6DAS1NG&$J|a#fqb-CiQ7mKGp9Ea0IBlvz9Q2
zba*l>`h7vcYH(o?RZV62NUYnJFZbN>%Fd|U7nDVZXEV96&DO=OGh2ea)5ZCbwyvu}
z9%rB)_{*W>cqFm2p9UBY9*XT+?Cu&{no4deg(AKR?K${3lw(+zX^dH`@zUhKmql&$
zHL0gZpC!jC2tk%MJ4i=WT+WapBAxrR&4@VS$eHJ#h$IF6iCp|;e4?!fi=4^B9|%%K
zVhZ@D=qzT8AyM4rsiK!fW;1G4JzkyI8*+6;T-nA?v|y66;nHY)mtJ2Fb&5ZJek7NI
z0BdChW0^fp3py(ZTF@Tl`?D#&<^oLD7+ymo6Nez9se=N2%(h4o7%1pM%t_FNn6RLW
zDX>P}sC;ew55<~UcWJ&ql<bUjw8cVTSR2%B-jki}?`dhd(VEGf|Haw@&Z2(v_pv7^
zMtWnLp>db0)*qZvI5TR4*Isa3vKf+Okvo^HI}|J}%*<ljT5-t<*8PvG$MXXt<F%Rg
z#<vw)Y;146dhv8NH-G8fAG7ymt9{OR<Z!As(w6nr4$fw?3&$s?FJH*8@qxZ!F^^g;
z$XBWJ_<K$pMZ1xHETkhv7EryB|J%~qR1%UO1bNkVRafSbP}zy?g*-0_xzQX!tTf!F
znZa3Q4y@;=I5XI-|Ar-Ho+qu&c9U&apC_`<=`%!U0kuXT2@hRDs`EwWaz0xSga$SX
z**Kc<1^%nPyB@VEtkgQuKUyCw9qS+5KTS@6!ECMdV+CiHA|A7C^`X>d(O?!e!>Q)>
ziE6EagOIT0e;aG87w0bR79FXf>3rAN_YmZ@6`25t3YDH!QrzHYmG&$zVh;u}lR5mQ
z@u=bs)g^PB`m&Zjjxll6sg>cMc&gj~;fzJZzHMyJNRO4JT(xX$I5Jp1Qr>b+?C25;
z1f9Otcvn8yolQnt>xwlwv1g=M`&etgGe5JpdS@)^abu{{sF=8^Xm43+?`lP`ZP1l)
z4<FfFxOsWZvolHQAyjvToyFKI`n_FE_7{ERg4xD7vu%U+LOw343ZiN^G**hkl<d@0
ze_Kd*zYm^7E?M~YBgWcUzIZx6-d8T9Hf=5L-!>AiMiZIE&HD<u;ZkroI$qu5^ySC$
zwXqIc=R_POSUlCsT&`%a_joW8iMu>UV}2|_j3tG!e8@Z&X?$F77SGbD1d^Q2E!1xj
zhf3B)KSn^c$UAvu!!>fg!bFw_X(a^+N8%e=$*g}GJTNdG9S)Xjxx(Is#Z)rd7aqCj
z(!ydrQ7HF~XD4?${jsASS3D949`6lCU9QWjp7cmAKGA9G7^`8Fxc!LN!tr4o5!l(a
z+u|-bD`48Nppgh{!(WkyO=A+ZVrhO->(7eddIoosHapB!k<*ggw53$LY-^>o<+72H
zvC-j3W-8I2NmbX*N^<UsIsE_RiKUA!T2iM6^RoH^&Pf9}kA?NoG*!lxYYYdXvy>SE
z@ok<LiX<iLFxd<!H?vbz4wWZ1s&T5u_TucgNjvat+qSa2j3c9Zdi&m-{qO&N`8g`%
zO>0K6^sY`TS1FHRhmPwyzf?DxRt@hR(VA@7XE8f;UyQMzR8h|*uXKsRP9<yWf&L<X
zoK}~JEu`BvwAey9iWx+G8w>fW{!gKbA$QMQ)wiW|b!8y4B|h3`vxR54Cc>F{Jp#!)
zK$5rB84KNiJe2d{wuIcs;Af*f$9<k^W;z(n&K({ZJ35DZ6VmZ<lD{|Ea+yZ$_{-R$
zKk`@IuKAhid5t~{YcYk<o>FDm1?iJsmnwo5<P24*62eTzF_UqeM5yARh~Fj(31x&R
zL`Mg4DuT@id~z*?NUr_9WSQ!*b=-DgYD5!#4gXpii2FOf3mT;L8ZZ}-=E8bKRgMK;
zAtj9JiHURXUF32K>E}Jw4Q#GIMShN&AG|R+c<EBPvV3H4`l94~u#gUvlfIc+!ng11
zi7T9m+2ivwSHLeBK7<-!*|EaX4%hxG&h_N5uAQq@UK_UuG}LNCO09XlbxkLRHt8>;
zXgqNPTq{s<_X0%@dEwXhgD;8<KH@JTrct%1o2sc&Lb+Wq7P7R%Rm0kr_O*8TUGFj!
z*L}Oo-_^Qzsmts3w76Z}&+MA_rnAKmd*{>1;dFX9`E=vjP$`@C&hI)B^!W#p$w8kF
z!K@11fvA))Cv=|G>=7Gr6`Yksm2Ke<EF&IWe6oYrl(`I}%tIl+$r?#<=``XfMjVGC
ztlyPG$6CH3NgW|ku1az`w8~Qx7vk#J#n5AyUO!yzF8gDivS&J0+Lz7jE5)ZgC2x<v
z++D5Ta7iqlibPWh=h4HxN6G=O>xRzGT)CX<?7YF{4U~`c9zJ>s9_q1hcq|gfPJ!QK
z3;S>IRG;ODx+|MzSFbiM&k{P5r4SV{-IVT5*WA)_r9$Ik;nLu{DGWm#iA??l54%?0
z4*{1*DX{Y7+mFRH7f3kHwwymiyj8^ZS-8#NWojRr?jUG7-s;MRII#(HqKC@;@rk0-
z4B5r#3?~A%NxXsSU|MQTmIN7KtJ)an%*KNjQ>3lQWN@(zw|$Ozc)aarX*@j6_$hd>
zu2sj=bTBQ_>AYx2*;?OFT1214$TDDvVtJ8sS{O>ztC%F~BTcEU4x!mvBF4Cm$#ng}
z8VsndVrc6Q{6A!lBF4Rd4Ttzw$hH}E+!u(^JPXSxEiRIaWZG0?G)*_7)-(QvmG`Wy
zyobH`v5z&}pZN^!X(txV0PLw9FePdCA<E!Xoo7kb%Pr5i*$UsIUm~wDnWQM|itKOX
zO?E>2?uLJi{Kg{hCsQ|CNS)hPmX=nw%3DXC=c>W;&$COk&|bV99v60yk6nvImfK42
zk-lWLieH#YE8kMo7wQ|o@q{ioq9PKAu^isAg=MyEImy~jo^1U3B=(DS^=pk)_FjxX
z3?4h6TY#E0Ke>sx?ONDO6Bwxr*)>*d6Vf@z&g!z*`KN$}#Uw@=yEvOvKplpA<y5@`
z`fQMl-*ic25Z6fZ=rXWwBh}b|EA9y`^<~G3{#{!F(G|ur(~-t!13_EN-|hFkiPLjn
zps|`Bk3<r|;z(k0Yb$$yqo=j2HFI?0j-HUu>*@+AkLYw(5TkOAT@T+%5}KG+X-!VG
zZuXJJO3u%n;Nog6V__i23IH9*<S1;)#L1IjVp{Kmm;f0zAg(tNVFQI4-RCS0B@gag
z8moH39atG^v}>3mU;_bLN4LxEim>ctZ+TOz<6jydT7I(#e5G4a9$Hpf{oS4JP8ae}
z1+QSZ5e)MXSNDw0`zU{yp&6x+bNh<)-jbc^hXb<(_lh^vNtUFu@%myx`PBJ&VKL(G
zom7ZUS<B1S_cm!`8@b}Rw}Bg#<b{Qxqki@gSyyx&p@_L4_9SkFgFbH3!eqKaVU)@|
z*8C~IgM>X?Hm_U0Dl;FR%vVN-dwl`Vz&oB^Sz-6Qtu)&k%uVn8{6Ol`Kw`939cXbZ
zf4OnL@|mw)^m%JyXrVB=e;k%@Zc}&+d#(9iUwyCXGEM9-5wTwL&#inG4vqV<k(gx$
zaf>~8kHJgV<a0OfS(5u_AWUph#89TJxHFHOFI3Bl#35N?Nci+XCkTO8^>9iNs}`$`
z>V{Azdk_AK`aAsOsCwq%m>0H0{N<(?a@o1qcX0bmJeliXi6?Lc4P5exWxAFoxy^aQ
zQ4v%yz;@Bi2lU5Hm(w7plaFzW9HV9_Y|?(D(@V^<AwH3>1KJ!xbe9-r3x)*qGrxp{
zjL2Q`u6t6;#q}^0cqf7@=oT?@){?Fu+!s^=G-1#cI5*KW2IIJu2Oa78Djy!*x}%T#
z$+sWP<Y;8ggXYQvm%S7xj#J2e>bg&os7)F~t#ndy$p9-L-(aG`1fA%`xiN{(=Fxrf
zMN-yI2B!^C1(n1v<tb8TSkfYH3!z*v;kTjhiMz*|gtC6EknX}%FCN0KP;QClU6C$#
zq+7dXh@6>*>xVprIfF}6zj4TT8If>qveoCCeX~uLDt&jK1@Bks;Km5Z#n=vOBJOOE
znYLuN5@up@<dEIXU>!C1+~n0sD8qmuReQ1+kt^iII1D!uxeK#=9H|`px%qCQkHZ2&
zxvD~kx`Ll4wRjlWU44(sco;s9=#iX9@*|6#>cJ^QoUBRp6E}<aF}f~{j&2m;rhHvr
z()@;+Eno2wlQsL5rR|<`ToyBXmcJs|FZCaTpu0bUx;6R&x{%O-$ZkQLgYE}+fU^h*
z4X(lY4d-Am18VncBbGtjus!$s+d6tWthUw%Uw^72+F@&f6881LWT1L9_fW(A^}s~1
z@6!B3AdiUEmiIo9ZBnxu{g3BV+TQx<ln$rril_4(tqe&|Zu*x-^0cFtCtCzA)I+KJ
zL-WPr{GkE3xA6Diz@F|ebzfYrwSJ{_*qNF?K8r(YO8v_oKYqON%t*aHLi!%%415}E
zA%ZjN+N#|8YS1~gI9VsrCv~o=im~cXrUL&Ysf0ummM@hL8>2|nl8F#pE>;*C^}w0o
zf)NjO6Eg!xwp1!xjts;GbFAlUANtU@8{f&)0=^*5p2dXMn<(PUeZ@SCT&Whv4F`{3
zbzQ6N7CY;<yVE0u(rC)1&cznxZy=-XQ1J`8)ubtgLTWR*dLucw&amZ9kPKVZDJjar
z#z#u~S&f?{jz)}`7<(S<codZ`Q69Jj)t@}m%vu-m(WD6rY3=ZzovzoX*^N^p_38f_
zzI<D6@3zZ_U#EWf?cz2o%UZWB;&0<Q>$b+*K4Q(x9i5y!I+wA2;S2ibk6_RYk)r3=
zMc5bJy5_!7%ms$0)~|!0kusOg-*gp&*eT5xJ`y8bY>wl8sBmY<9h>q&T-u^LoVX#%
z+ES{qM8l2yqSU^C{>^>SNv*Fcy)WVlW}@K#bzgpRenIWaBKt7tV%U>S{LXlyfj$p<
z3TI}!<k94e6Sc`GY8Dn^xhG-uB*k65bX=3PWK_SRGM?!Ib?7=Rm0aE+cTb*;_D`j+
z<2P$bx^)@&n}`)hf48V|Rt5xMN1nx2RoOAAJ9aELJH$yV9o@J(B%%Rm8imF{U6mT{
z+Uvel$0}ENAxKPDe;M^(_7lT3V9%>vmAv>a@DDF+Kv*}V;WR}b>+_6<pdM+pYYhe1
z{hqnt(9V(ECU4Lm4s=F?U2LGdZBw$<ey82m5h=$TFM?lz_bV-!%P!;j^a9*p_b`a-
zi0PgrvA#*CWPC0~Z&Wt|u1Zobv#+qZuU627YUa-OAFdY)g^LR8MR#GQueRCuckg>2
zYstkY(I;54*fVSU)MN?L8OvFcm)IG!!sw=Gx+O{Ix3uSI<&z0QtuQ+>ikqBJO2LC8
z5<ed?M`in{?9<8_^s3;=&-9~9|LeW)ZMbi|Hy@iK9>^?ytRuRoZCbDAUm$(0V9?i$
zb7MmcgL+T3>VcsMVd2XtpkJ`ILsHf823l&gtO}|NNgU&ZiI|RZ7rMeNp0Evdcse3o
zrDWe!&i(sc=Vo8DS+BFVCP%iG3P-|$-|J#G9*4%Z!~T`f<4dHj*2IVSSzdUc)DSSK
zhjF_%tUt0&Cz%}Wep15p@U-sU<q^`zT02`aJqBloqL2+o#&w-PFP$F3A472l1-;g&
zjC)zHUsSa%#ZTJ0mn?<NPg)IW#e!FhI{`@Q8v8B$GN!)s8;0q$Xmrw;MzGdl^IgLz
zzNh<cC<kGYav7kdY*P2XzVgq~v5d1)THfnlm8YtTT2g^1@5sYF*0~_>EM*O_+j%NM
z<018mJhHW)Qx0Pf20^Ji)t)rjtz;kvq#uP!A&J#swIUf#mLfG5f{s)q%ZbM1`4Tjy
z+SpckO%a86h)fpRvx4qx?qHAs?o$lufp93mj01z$V=!#+z;A@Ke;xPhJr-xqIs3ct
zf6I+?2=~7J*zU(8v8$#=C><9BjA3kUjIE@{uU|l}({Ykyr+V5FH@S-aOxhdSW1wTw
zKkoIB2S;Abn)=9{9;AwiB7b=V;2_IG<ixSy*x{*UZ*<SMdU`s7=};&g?C9xv_Tp%7
za_X=%H@TxYc}diI^0Lg1v1nh~>rMAX$97~cJ86wxGFjX)nG@qd9)e;8Uy556)tPFN
z$40(H=L!+UDD+C<BcQVgofY|6P(9((6-lZ;Kq$)0bH&M(e5O<hN88)ou0$|9(-%oh
zUg|vgN)~MVc%pvkuE{a$O)b_?ZP)11EB8<$5@=3#P;sweP3_|aqzv_s{JxCeI{?{+
z+qv``_nhy0;?EzQ!wq{jTxd886Ny{B%uxJR2r^CFWq9!S`Yo!CMQ2K3Ct{!utx@vj
z(dmY^oH*U^pe)X((I0-gnP#|!($F)#k0IPx=;(CV>>aI@C)7I)U2P-!ordg1_140M
zd+m*eI?c|5r}gOir*3bP%7JlSRb7Cpts^^Ilg#Af3Sopo#?-viWL+0`!`Qo+q5IB{
z)1`pD`i+6^zg=1Gz@?FNW1!;fTOJ6>3j+rmG4;Yg-dC#c$-cv7wpQcy0(UObnNgAI
z6<Lz$29R3a<ZJW)(VstFp=%X80v)Ay{@G*fk{c4E$>eC_hQ^;hCg_7$ex7F&(&^K*
zkM*0>jLegwaA~cJiYK(c#UAJ+lMhe3f>mAKRjBH8>~H#Kik_eIn+w0Dova6^Q=Re}
z!&@{p4r9x&eu(Q;G1y|X%91)Km$Ro^{)7X_0$VS+uEhCYsG@?^3pq;bl5VvlMV0)_
z8R-pZp*Tmi%Q$v(#~lfz3f%9AkE#z-Xa`Fy*&HpO!w6pXbXUyPvs@k6<f|<7Wm?(}
zCSvifv}aG3C+(KQQ5c)wIXW7v7lPfTKMi}LDfkI3Er@&gB<4A(+X^;{FV*Bfh4A_0
zY*VDEIMGsI9@(LcvQ@Xj!lfWBu+OYDz<!0@vA+5Bq|x*WcJn)|$q!@yM0H(yBVC0b
zPt|xQ(xs;<;fRQ42+VSL?yF4X+(VW8ba+eV+HKW6Q`ul?EX}5(eZ7@Xbs!%(njelJ
zJF>JeF&u6D4)iLc56_$XAlGP<Uc&o8Yf;#yYaTWGSKX`p)?UvS(qp9{<$^C>nb{f`
z%M6UVa}yP2j}A{PlqfTEIDa&fAE<^Zy?xQf=g<c@McG%;2g96658irx5cR{sc_GUw
zf=y_!R4<5R9C61u->ryF!G+}OP>ICbn_s(Q`;Muha(*VXH7h99ovegj{lrr@+eZ(U
z4W#NB>aY55c?w-5uEm}~KjZq^x<KGI)vQ%LWop2-upE$0leh|1x~3B6h=0_=PK2%r
zGeRwhZk~DKzJbjqT2AfQvE#K*-BLNS$w12T!BP9o=pug4zG`Rl%1>df8$~4)>VY4W
zI!h*HoHB@Js@_9Vmg*^yahdil*(!<8L8IXp-s9&%DY{k)K;6D0fBE(Jzsp~_BhR*>
z%<s|0`<L%pZrsc6owMIX{LYGcQRk46{1hZo0TnK_>bgxHC0!;^JdeVosK9VAm%{K(
zXKyldH(S99LzEOuej{N$8a3ozut079WI8>$zo!1}PDeeSXu7*Q6LsUF=<Y~9AHhFo
z_0k89T>8Kzy}g$_aOsf;F0GyljvZTGJTevvjU8EBJ~kHoWG)iP(Lce*Ly*@W!MOS?
zuU6%?Oqka#X3}b;FIegQ;G2euF4Nh(g|l=jy6nP#2?IH$Nz#I##6nWks7NzSO&*`~
z_#DCK3O>`q?#1+^XhwKh#kDHFwuXo=aFyS~9(!VCe%@bQt|dnhy&v&KQcrk$mxd^o
zzb6=tA3n_PYTVE6x~V0Y-#irSaNN{lPi2CU!qRXYas2J6eEekNewpWIJpn&yUV&VM
zbj&Jm5&3`c`@A2tQSk!dSZg8ZeDC2jyMuC-gIca~lUL{h%Y!m;K82T&Af!bhJoV%t
zqF@n9V-r*n6tn;rR8vEJ$n`tAmMo*fElpxmivh)%$#cp4ypc5THD1%rQ<~pNbcz~C
zW4N@NU*io*sbjZ(7h~USc}86?@?Hsjc{Gh$rkm<5nhrBfI&+>5_qeQ1OL8j{P&NRY
z2-rk<3r||gAmB77<qQZnkADk9K>SniPuRPN(Byxi&<??)dhx7^f17|(JRQj%BT+fO
z!eaY<sZ5I(l-_tru0!{gCoZ@`o2P*mHI@y<5gbCz=?=@3IuBBz(F;uLyhuGm5k*MH
z5gLt+^Jp5g9z&4by7e@B^z`Y*ji>n@Kq?bzR^eU;g>tUwF1;^uoPPhL0nbPrS?BBo
z-2o-r=Os>y=V8kGmv~X)BzNwlyYwVJEOAr^U`OeG7KxW7&c{vnph$d3;^KGp_fMMI
z-=?)6QE}v`f_@r4X!#Pa4Ka+n^oXv8o0cT|)9ETzNvu5K<EE20nFPc+mDr!~b@RMb
zH^sRLix}PKsa20N#BPXiHo0ZLN|)}1+iyZV2j=2vq=%Og5m)c=n>^L&@%N#4oVdsn
z@$(tb>pHrBPtv8I#))-8waIb!8CLyXb)86^Q6G<PNjOU@1K%TADk5Zs{wS_87Oq;d
zHuUhM4}Myev8MHmRXCa8v-GO2Cn&+}-CFFd<1c1yEu9a)UHs`TEr<%{g(zEm<H+f8
z+-%tR^qYt89shx`o;hm7QtpFdXJXy)|K_>lG(O6)M%oX?zZOp$amul#@1uRrgrmNK
z#0w@Ixz`e}nQ+uska)?2Q=L5V{;CnD`U(;sHR6;@E%6BrN9|myc_Q&aR^>U<VqBE_
zF5X|)+MiQqsScLJZ;^O6(aV6}W@ulcI#{y(?K+P3sFN!3J2aeX`KolII#{4H=x6R1
z>V(Meoz}ibzpvwWoA6g@?e8_=sBbRc^J)#J-&g5M_00{x551~@Iu9P$UCPh}A5>Si
zyu4Z$8pcWw6oqQ8^w4Pu;+%d4PKcn)x+FW9YE2^LMU5w>^HPP&4cg~qIVR;rtu{re
zh(la{sFAC}RHnz`Qe3gI7KAzQ`UAbwR2agEl%_1@f9WYSgL$pUxt0Q^)`_S^GFfDv
zOkKW^<ry`4nFuy*NCd;)pqO;TTw@RYBi}3hzxf`*e`8M5tXIeRoC`c>!f7r9UNzy!
z|Cjin3IC;r?=|7H_QiW9OgQZ=ftO4;?NNaj2nT<f!~cF0{<!8Elua52cr;1%8fs7~
zpE-}fL*f<qzNpWrh`I$@eMaECKBL67`i#JNeMW(6^%+B}9?K7@o}z5O2P=`@zX^3n
zzhl4$Ef3OO*6TC!_Qv{*>hnbwGkg#A8%2Fa{65uZG{j3v1xg>U)VVO;v)COBZPh5o
z7D%5CtYwOq<adNpJw|9MaZ!VD<#%e?#l{~qAMZb%2_~T9<sk*JK9oAUhHyI5D+`dB
zcKia3b0_|r?p(KHCeTItZ}vmTnil=cFYS!FtT9?$$YW*Y-p3l<ZtdC09&h{>7ge8s
z5wF8<r13w;`1?9^kB78ut@lRN^9sK&4?Ut2D2$i>T&<sF9O*B9<cp0fURvB_8$GPl
z&VTLj>E}N8IdvTTPI5ch=`b#E3hWjd7wU$~anjw%lnzQ~L4Lm`?k%x`Z)EhdV3VGp
zACttKSoxfg+8^ScY0?zpeEeS6rLEj*O>UW{B$~jv&tIWlWT^g?_w6zFefKr~t^d&7
zyVdLVb~oKyh<UMmkM|$34RSnmm#*Cc%P?#;{{=eNK<7@JY^8CmY2I{Qa;<$hL-t`S
z#hAF5!|M3_N5Alg7j*?)wyuzCC*4!R21c$P!T)bOt^PLMC5yOHtuJ&ptDQWLpeQBK
zInWm?G?5OSwo>KNXI*XpzTU}x?2zYwI#Q9lnD{g<RUw@o+AYJs9RAhWHyW>GTN`(=
zzd3!Hb>Des<22M<>X)2T^utXw;cI&v`r)u_e4~rr2T3*E;7O-9Iur8_c*MDOCp*9L
zZK8<c#tN77Fu=zSEf~L<$Jnj-%?|wrA-RO~aZ3Xh#w`wz*ozpgu%e35jutS`RM3&~
z=l}jo>~9<Y^}au0xx+91=<w;!eO=S(`CWH*9MjPcaX%FA2NLc<`GM6Rp-S`nWW33u
z1vw@zI^#xgWT&Hi7ksO<Z^Z#VjQ>J}Hva2E(IZ|{^axuodSr28Vv)U?{<qPXymBd@
zU%GPg)#?Yfb!K-PtG4Z&nc3Oac&2T4<9i2N3Jb?3CXUSITMis($<G~`m^ijjXgSE|
z6LBC)FCP;XW8mi{<t%6$)%{L#wshL+mBlEc&0&dhD?Zt`#G0ZTBgk_`7GR1E>%?Eu
z?dhN%A@c=BHN|Rhj0GWarWyZ?8jOBcn>;q3dGpxFLnE8soS8p1@m*VX{>p{-zGL53
z2b*ks-m!JxJKno+<$TumUFs{OobovMOI7!EOGQTStG*xA-jRtQ`ZUE@(Oi(XkLu8q
z=91-zYEI}yL>pZ2at2gx<A6adh3FmK0u>1QdvA8b%v8SUrUl|U-O;rB=EkpTL%w`H
zjU+?gVC|I6JutCc+I-^TYW3n1n@h_R18&=?>jzHkEN`jBVzn*hohJsar#1H97}G7v
zyRpWVLHI|kH_&ks_&MM&<GB44#{sMOS2^Cc7H0=J-fqHQ0O8iVll>fQHQ(Xw-AC5G
z|I5G&(EdJ#pG1%Jy}<8wr@i2CsCTaYC;IstdXI8Iya!AZ5RW<A1wAwa-l^5_k-}Kl
zL-pCByeKuojQp3z+-#w33O_7WS1_j5i}DwA8%&AMCdm#;s2A1^Duh92OOwXwLJ&0!
zLF9d=pq>meh^CbpCd1PLKdx@A_hhGbRm#gDoBJ*80dHs2k5nvIC0?I$S%>QGWZ2Cd
ziE&RV?5;X9^UyV~SjbjK4pxpI-P;rP*>7~T=c;>d_rwZ;0|(uidTt9TSc+wKbr<S&
zQk=pla;d;QESiO^$%m%L*q*`Ku**2vJRc{;XLJEAaV@<EE1N!vsz6CTcJjJW)lOmA
z5&4fn5!*mQl=5hKBsq;At{E?RW28@28qcAX$JuPp*ulxtMN<eF?itGYGh@ry(*C@)
z#d>pbystmd-96sh7w_#=6l-kuqsslmmn`H1)y@62tr43&-Zz;U-8~$R7AH@lSl&>r
zu*rTy>vXwP*fG2Hja&0US|=3Gwo9>Lo%C3Cn<>(?R+`*sdi4rQ!vJIB<RG?2$8t<N
z`AZO_G8(rAYa^pImz5I6J_WZlOAId+A9H6jNtbO~`&&Dr<=KJOmXCJz#B-7U```5N
zret{A;j8QK_^X+lUvbCw{;T0Iq4_IGTX!$aYubI&8%1<L5}m=?hvvxVriL|5a)5kI
z6h%N0(H4u3KO-x6m9JDaep0)A*yLsrb0%~BM82B`MR;?e@@U+ji+PClBd;7z)i2M7
zP*h{6Ck1AdoH{sM9O_Ng#>bqAiG3r5*;=8qD_a_fg{moE&~sCFpv&1Aji-H~fsxr_
z{lIkk)aZ0&I^voi8yQ0%MPBCTFh~8Ct5rRyDOX0{$!96L8KV<f(is`Qujj5)+<pR-
zNPr7x@L4s06BSAZD)6ghOeRLZk8DAH)m<VDL(Dm_e<oY2=5v{eo#pD`+{n;Gro80N
zdi=e<Lbg^5O~l3q4m!R0@qBI6X>(5T-1cbbSPIG0igKNzP=32Ra5O^&#L@Q>;$8j@
z=ZcDD*}Nv@rqoXty2VTEK9Qk7X>(DGj&!ZO7!f>nhJdM2EJY|I8RA571zvk>N%q>4
z{&1T=-;<dePGn{d*4?#<@gO^4A3U^BaQ0Nw+h=>u=3{wZdzZ5Vc|#+6r+Y8E>`0L@
z=tj5P5<hhOcrIRvdmUY4<B`LB93!i{*sn2fQLI)Ix4D2l0A_pi8uuS!g?hE~KSjX^
zpBq^MJQ$yc;=eVAB#uo8f7JuP*>S~YRU)ZKCA4C5+>hw>ZNt0fKRSNj=@XTaVm8}&
ziXDpWDIF+py5VR8hY8_F`W1Mi7n*-b*KZ{k&?#<QXJO1$j_bE%$rgSjT19G&Czb1q
zbAuKBBS)>zY6Z7PM75Q9Yx^crsfm5H+Fts*x908%bSZzTbOn0c`o|{Ek#fvk**-C`
zz2a_!J=Gl(6FaJ;rlK#XpUZOaL;JCEq~?2pI7v0KMTTuksl?qA|4<rDc0S5LLM)8#
zR*$>j3{|G{Y=7@%NB1Q{-B#;O4mxt-H|wjvQVN*kl%Ad2R7p#(^elUoA{RkQxCnSS
zr%qL&z0o~UAq1R~--jYlL|qi|sRyUD6lbt4`GVcyVlg;UX!hgygrb-vSK%fPvR999
zR$8LLhit8HZL!&UrWSYhI`f-L-2=6eP{-B>tSzzaV==6QeTC3W=4fT-RMGxmTP~B`
zy<-_m0%PmM*s@p?KD}Cq9Gku#<bjOq{Y^vRfSwpCv_71Qu(rXMxorz#qTod)faX>Y
z1aWH1eDFQbTH6Mb!MG<Gs`VbYHu;fvAGdXMuwS_Hh1S+n?HyO$)M#ZF;U#?DcPTqD
z?|Ec^oA#OPoUZT0iSThzQ%dv$vcMAOQh+k@MZ^bbq$De-e!aM<OS?S+`m=Cic_7XV
zY7Dd(lI6rr=2l|KaM8z?PsrEh!Rkp~8?xm#cPE{Y)YgwG?`=F^FQF<M7zkfZcC4no
z7qz*12C97#lF1m<@35x)7OldJG*9RwX-a~+z)GiT4LHT}HG>T(1Tum{NFsltBR{Yy
z{+O?jj<nixS;t#D;+2Wg;%i=YQ#F~s^!V|@{tq9Rzx}p57eObALnM3C95hN3oh4cI
zRiPg^&yq|*mM2N0Zu}LRQXI4nVIAmJO^U2iB~b~V$p_X89zKB2<O{3fGezi(8~Ax%
z#=p{?XOyNcxjL2eqR2Was)W}%NW$CB9yl2Y7dPcM*J6R(P)~1vFz5<L6F&AAx0Z&S
z!GzDB^ab<2aBtGvl^jeJYq5?PXZnaKY>igu`jg}RnKqkexf&UAOU~b4f+E^wwV!OU
zbw%^RNHXBExBBDd7^HyE!&@+yUSo7@lWwK&f0d6CN5xuL*B>vGMT|1QeElLDrC-fT
z>917!`zjTv#m9L?eD$wh86Q#6ID1^h_shn)NqQtTcoyhy0sSc&P{ip_>;mOqxbWA7
zCuGMXo<-b0Y3g-718tY2FC3U8aTOomHJr^V?d46GE~c=P?)H`L?i;r$tw$kDg8_%P
z!{h3AhN{zrj=|~0#Nnr|Y`f|UdvCVilG-{u*cS0B%8hnnz=~xG`YYMnefZs7=2h9W
zBcvgWYla?~Bdmr5kj75*hGfMj5eXqR_5cM<88vn8>W{Oj?CgQsO?PC*wiS}|QEQ8`
zJ6AtY9u8JN%HF+n&3y7Tx6fX=m<=Y!ZbT95#htI)Hgin~MjWvwP{9!AhJqf|a)C7=
z&QiiZEMz}Ljo=?BPZVFXPE!6ps~Swol~pz8mvs#sn9Y?I4)(LCFOy1nbH()J-hpDZ
zBarYH`}&-zxnt9_m(L_#McRYSzkh6G|77yi{8VhX5S-aEw}hP>fsFkI`X18#yG;>n
z`f3(B7;##x5xG7@B$FCZ#}@@v%}}*TG84Jpx{clZ7^JVq74~>TV|*n%f0O;>+^K5B
zYi+sNfukz3RL~c?OE#tFfk~gg&L^8rEf=ViB-Vl&0YkftgeusE=pOwyV(*EK*f#B|
zg={v*8(VDlQlePy>VBigf2%XG>7xG3)+{uu$W$hI-B7W(v}54L&56moX6|_l$tt>Q
zWEXO#Zjm;uqqJgS!$P!1R6C0{<xlB*@&Dh<s6Tu{&xSgETL1h6=Aw0VLFvI<bRu2{
zV`BXw{BOH9rl!D(rjQgVGWg7q02WN=3~ZH10pltVnZBr|AE`wxJfVZaft}o>PFqAQ
zu?{MjRPaI#f^*C2brdpx^p4Mb<}D{}hu-;tFTUkY+h?5Y02@ty>+c(%YMe>Jd;+@`
z=H#=OlM>EXn29j&yKWmulhTkjM0hl9RjJSEt4`O7R5?dy5*ikjw{79}IBj*&`hvXT
zra66$k#%nQ@`(r*nH?wQ4upTdZhXSk{l;$J>+b*PpRn@6;h`JEO6w|?3a(IZ+NX4$
z|E03yXy0YiiP2X~Jo1?GCtN=&g5Q4@b2H5MNgHtu${}isr_%SW8VO71MDjNl@t5p)
zeTW(!!s$fl5^Br<6i&WF_z6qZi?DtA=<HAXg`0U?>_?Ye>-6<_9?BKs$vMSpvp$Z0
zN<7|^ws(cQU!N`?KT^HOXY(yPU;paF!oo~+c=G1y`s`5;ipB&2sd&s&FD@^}hX-r%
z!I9f9y6+9;;bGXCu&0)IJv6$n!=#t!r{uGAD3Qi^^(c&q;KxE$jnL}ah(jUQ7mnWI
z?+GU|n@3W`g-eF|wndjxnW53nNG_D=k9Ee+<YQ%DDAwUjkL{nHJUW|>2QQ0lnM{=9
zzBXq#RY^pSV9(Ej{#D%T5rbuHOt+n0Am;N7;(mldh3e}GnMyiy(lW?(RkEv#+kc7w
zS73P)Tx*JH>8qNJ$!d3~=R~ixGvOIl9Ge-qbW3k^bl(`6m<H=ShIH=Wdlfb~lj$tR
zD&^}+V*?}J{)#_YboNXgUwnS}lKGs!7Z#=+L0e0re=0MwYdFlF&8M9`$(+BO-`2Rk
zzppsa=?WD_QcyV+%Mf@pohzMk_3@S0PdlpLP($7552s2;qSi2Fs*CWweteSI7WgEj
zvll~vodyRWq(IQMC1BP<CCB;FE-o{nYbSm7Pq}iNN37k^j4z!%JhFWtpg10~+89eG
zyL)_2W#+QQYNR7x-&(%o{u2rdR1#hGk*yUEV*}@(i4HB6GDAVTFBIvh<=uUI7aY!b
z@6eFHxICQr)L)+cYc9`;r`y0I`cS3Fv;v!IRy4^YBdZX~6|o6Yg{cG_#nw^j1z|`f
z#z7VtI^to+1*LU{^b<!Qh&l=4k|pRTaBf|(wbIp-3*M2>jn2d{isL7Gw_aXjE$wV%
zIvoqgKKg``UAST<wYV@7+24P-Hnp?mT?>~@_S|#p%$19I>;8T0%e{xI_NAR$riZ~s
za4MlZ=3R6@l5#l!ha<}ntSNBzIgVc?aa5Q9&g~x@f0@K_F9C3VPUrZw0vGoLtv-vj
z!tdc!1TOF4<iFd(+utnT1LGy$!{tB6sjdw52gZ99r~5n=f!8F?`5<o(6FqN#E44=*
z^>b|5nnHW=yEn*ti^Tg07w@@2yodWG--eh=_zd=th5l|jrc0l}YXv?}_&tCL|2Z~-
z(Z_JF^f7GYd-x3$g-PxMP%LE5w_9JWzTY|_@!xX%evVW7A&LKt<FC=$4@&%}9Dgmx
ze~AA4rSdN7|Mm3t*WnrUb1nXQiF5xt#c*M*6WyRb^7aBpES$v45=VcOw}K7@XgTl4
zH$Wk^KWlJM2*3Lyv^V-%?v=m0kq?H(Tj%4lvnBq1oj$`7U*xz>pNhmMIj+;EEb$4B
z3;Iz1f6M#d*3^G9uJ_;Q6S^1gQrCkKhbM>Q)c?o%@3uAd{|_X-w*POD_}c!zS>ne2
zV;-%;m|x_eTAs&G@);KMy9UP$14n<@{d~ObYsb3=*T!q|b=@n+h50h!hVfz#kx#3A
z?Rb@(#Mg{h>5=%F@hVY?uNg1<TRz_Qwc}lbi}C&v{T$=#8OI1(&lV&Pfex#{s}$Qw
zo-p8LiT?)i)=v063vhG15l^)B41V}K;CYMtG@+mlf6tGA{}BBI&iB{765q(@NALe6
zAD5ev#b4X+z&|1JO&pi&8Tfl7p5nM%&%oa;@g&E^dZvB!44+?*oL@1Ig#RnYBbI;Q
z?X~#@_cZz-@8#p7_GTP246*^YJ|^0;`}liAKM8+W;-?J#q4k;O^A%y892fHfo~HQu
zya*p>KeO}q3!LUf;AM%^J}S|?C<n~*0z63bq8u>K3vdhi1N>^DGDgMUzpf8e><jBZ
zQva0$Y?${`=QIBx@fyc<KJx{MmpQKUna@kS#Bnh%M29(|1N#4`90w=H?>6ItKEK2K
zUV&Hv$!~G1=QwZwU%>ww^9UUBD9_~)-TC=2-pS_&&)+Ye&(m{Sr}X?z`5f!db_w+l
ze4OM>p5zU+uyT35igl|!C%KciV!Vdu^!?rP`y_wzR*aiJFRH(<JtsMow_^N;=RZXM
zz5+U+|JW~iE{~{x??)?6k2TLh4f?kF9I?dbtY74GA)63Ac{l$a_3K)`z6Bo#WyEvq
ztky5{b4eNb9N%wo@^J}1t<&Y-)bF>n%jb)Dvrd=qtH0l($mhhzbh>;;`#!Bl@M%W;
zOsC5~@#mn6?T`6B5qw;uj1|k8)=ATINg44R=h}1DAB%l}w-a4Hr}oQshhg97biwkW
z{mkj6?jLQv5LMLgx5TO6a$o3l`L+6e?K$laoi5@z(bXrvPy0lt%TKiLtIuh_=yVa!
zY20r$>>HgfSU!?2=I1J1_;abpW+0O;$J-r_I`r6faDSoSdNh1N*KeWs;x1;{KCuCw
zHsQLS{O|_&gB##)*Z_aPgi}nt=>H=d;13ybidmNJt0o-rtr9PpaKyJtyrAPIJ-^Ou
zL~o)SaH88)oSq9NoaiR-#0GfUgcIFF`-eBcAKU<c!v^>R5?^~BsWZ;s<T-`<|1#Ns
zBToGnc*4|P$I~X9`Y+l)yaE2;2KXB`z#lN-H1Fd5k8FTHWW?z{HQBx(ampFYS!w-W
zE7m{GJGA~Oz9PrxQQ!;mT=o@?(|84*kmn;h$8F{NLf~oH{>!{Q(Lvx3OZ-b~@COa;
zD~9vn8zla9v@aX*2PFPe;CY@?BHsVV2KYk~e*x`leEo~|Rf$tA&K%t*EBlH2Vmbf#
zD)23wZlZlb;%m=|H*bK;^CN25onv+DviAO$i}vz7OZ2~4(4Pf0{?o$gFYpE6a(^i;
zoX!GIY=EatIMH9Ue|Q7@!42>?Y=A!?aqe^B>*s{*e}(s7;IxkfzQ8KH|Kc1?;}z%V
zI)fn>>rLR)Uf>JBX}kib^(OGd26)<p(|ASuhd00<+yH;W2KWOeoc5h~|05gV4;gX3
zenk6%2`4@*@Tv)?btv$X5$ARZf#19VF6|PMZnWM+`<Ki1MVv=I%jb)<aFTboa{3FL
z=r8aE;6#6c6a59A*Z@zPaH79x|L_L*gB##)*Z_aPgcJS6`ybf=f5?b)`iu4jiDy@f
z3SuJhp36BMu3<H~zkqZ45MFR_+@u%KbE1>^xvn43bE22|xvnRy|6JD>=sD5P{C!<-
zSpT`MKdk>;*CW<{uIm%@T-7J^@#}iU`p<R!0?#?U&HY#PhLP1G#X(_wLT+6n`5?zR
z-3iC<63*#9#Mh^IPINavU(n<m-plE3ey+>u^`GnVnw}Hg&EMDM_WI9t`Mv&gU5>B+
zT$ktcT$Shg_;tCy{&QWv<2k3hx&Nx1FJisJ?}PD)eQ*r}U*P*2xW*4?z6HO~`2syx
z`GWpj=MVH;<q!IEolmU)T;~_`T;&(~_jSIp{&Sswtp8l+BkMoc`3XH&`HBAfI$v4;
zxz1nkT;nhL_c@<|o2kCKna6~c;ZHPq17hU&h#5SIdPD+cuOJ!*CjV~y?MCdE0}%>T
zFrV^TyJfYZl>9_F7Q#7@r#L{kv2aJjg@VCcR`w?!%q>S_)2R((!aUh@;?o_)1LgcR
z^A`*bi;NDHVXA>1vkUcXUV^78i-<vt)T#M<FA(AQDeQ5I2cS4d5g9=F3Mu$SQHULG
z9C$C_+feIxYIy(%lSZ_Qh;9j>zEl)7Sb5Y-q&k&VY|2%;7Uy>Cm|NV{`0<C^duR3z
z(OrBL{W7#?rqWS8P{q%3U*RHq8u1G`(PQ1qt4A|GDcqyR*iwqW6s035%7x-eWvvWz
zTq!OU%BMyDWxUbdCxfAuu4u5ZeLP!QzHIbQv-{GU7RDFgtLlg&vZ&~8bGbU~?fIz#
zV<PfmW=n0RyCaw^M&Uc8n8sb~?dWgETHmG~+a`)1i$o)ly2gX<k-C-%qM8W&M04!G
zKPXRr!e&G4*~#}D-|?osoEB}X+m&|Z(}+*?Tj(l5n4=J-WyjwD)}87eMVV_yftDBl
zix7wair?GWuiw<xW*xqEZ1N?$yM5+Wn<xK!`4yLa@M9ex_Y7T9O(jG1<eewN{lT88
z+?_AKddH2Y8t;8(=t{gA{HJeq8ucZ9t`v~5XknWzcH3<npJJOVKLhTNIJKQ(&s%<`
zyhCC?=KbEoUSs*K@*xBUbfDji_j_P4%4%I~k9Q^5&tAjI_j~{_?M3|WcUT#1LuyQ@
z?&e0h1zZeJL%l9*J<xx-_nr?lzJ=fX9!ey=#Tter$}*w~-UChkNy{U!Sy<tPl?z19
z0CHaj1`%%HaQ56a$)0+)`<vA7OO#ReO=}A8xPb-f6~O)la`2(mr+{4}Fh0NMSdsk^
zW`OGF)6J@Dq9`vAruy~LXxjBCLJF0T-|o@FR9iAzmuJE<OclTTX=M{T#m7?@<JkcF
zINF`CdeFZGt=%7j7CZQNQySJpAG~j$Qe_|H?H<<J?FIG$jy<Sh)b5iUdxM4@1@;M!
zJ)mKCC^hz1*4^mKBkN!fY1koUihWc0SF|f=*kREA8BY6~*THVkup5*K_IK80eD~!7
z!#w|neaP|=*bKX1YnF2%<0LT8qCf@8^~ksZ9^K&j-^9HMd|OwQKd$#ATV7;YvUbU`
z_SLd%NtXA0i5+ioY$r~erD;o=(54INlD0{Ay3lE9sY542X`#>pEh#YV0BusB(;xc)
z0~9EK;LlE5hAk|e;l~j9|2_A<MY5c<Y@dI@dGhhod-tAu?%D4-Vx-pW2{)T}PTQk7
z;X^%@Hb;X~J0*6fe5odsPXX<GNb|($pGirlcqWB*Sy~)Lc5m=zqxR{Y=H^JFS@@9F
z)P!esi&I)>gTsamDy;q&=<yatkIFdJ6R5;uDJ8%X>vTl>u4@#Y{zk($84b#GEV6S&
z8WHpTsIb7EV^K4@)F(+OkV-DGV_sAcpB~R87M(()%yj-TIiW&A%&T~J;RS=y>Wi3X
zCT+oHHV|u1m9?S4qnpxpw|U}C4fHgO>!ZSEX&l`$=3nPHXbimGElpTog2+E$2rt>1
zgSN>TbHryg@)777n&O_eZtaxL)6ih8lJKx3y<h2)tM2eJJjiDYi{{^nYPzL_aol@d
z|L=;YPuxLUK7DEai_-g*?DaFgUz#z!wPeQ6;H4ido-upr+8GnhUlCR`{{ug&1JY3G
z=`CeysVDlRj0F`S?T30g((MNeLqiFa<)B(iynG(@J?4i2<lYMoC@E-QO|o1{^P@_(
z5R`gHF~TaH`b4<FW4G4S8ni?FvkjlcaJA8d<^l`D<Kl)~xTdbA)?D2lsxj2mnjUWz
ztE#FEVy`yfi$p<6Me{OhqUyY)G<0<uQdM#lAn7b@UO0e(;3>_E)D#l-yzp6weWJv0
zUiFCfEh{9(Q!;2e>&)`Lw(<H<cfuHL^!?jurYNjbL?iW1b2U!58>;In-n?d>kRPSz
z+@XKXVzTXsdzg?(s#L-+qZz5Z9m~*{PqrV&Hw4!8k)NC4dKlHZYha9noqM;*x>qQM
zRfA^MEX)d@D17Ve-1f0J8a(HAZR+jm>zTvJ_**P3lO0`~GL8eyZRse<IvSgD2A}^<
zXYj>JahTQ!XA8!}w_)tmgM6BFM^Vuor2(r8BlUT~4CGx$*>t2QQ$;r_OGP91@{!v@
zD5i>25cq!pO<VM#ycUWJiU}FD58hJORO@g$Ypd!EbydPG^L4kpTIYAXbbSR#=-Kb>
z(0SSydz&|mPqm&px#N4!qU72IQQ?TUwWSq9mgevqc6OI^B&su~K|Jm#@|A9pIaV>F
zTqDR&P|Go#Gows+s%zK6GP#I<&~a>jdY9||l!MIYMJIac>}-(T(SqL+$iRz2Ti|*0
zl#@r9@|0DWD?LWx6Iew#;Gwjzr<Rp6(~8e_nuGR=`YKng*Vwrjoani$XM;JKY-=<&
z);g=|D;xoH*C!r&%jjLBZxOZ~3ONPstrfcL*!_ZLRdYXT&Z14jty;kuI$U^6uoZqm
zKO~p_jF{6t;AC2JtBjKbSv?7jx}F^b=qLgdYh(;-QsN#~`~+1nflf+Wu@bYTa~YJt
z$14>i@QLFli@(u1fgrB^xYBuoamuv>qd}Dg9FPj>jao`XglwX!yMsc>sS^cVyuBSe
zkWw!==w2q2wJ~Qr95ip<_?C_H=3qGCaQGOSYRz@Vs?qj(567k7);8rIoPNv9pns~(
z#&2<W>f1-nPJ4x^%313-RJ)o3PZ7eN3N*W_85S#y4)f8Q18#=n+$hKKXpa5O9k}_Z
zgngnpEokln>>C^C{RCJPRYoV=Q0E@9Ac^H#7&V}BDvndzSQac!)DQ-=+UK8n^!D6J
z_KruNdHy}O4zG;dDqJ8$PvO79cM9(i8VbLrA9_y+K0^!Ev8Z3JWWB2Es4kmY0Um-9
zYocfL>cuBJJ{9+vMI{=(0-T|s$E;-Y(IEkzu7|_1$ZkW4Cd<&__PNNWRBo`RZ+W!0
zEtiN6`KMAB_r2+=L^3lR8{cI}WcCD`(r6%faV!)KdYtFQ61z6HO<8otO}$yvy=428
zc+oO&W>K^4%ebUE7hd<5pBkl9ylP;T_L%`Y&qN8w%r?U2f)%9Cby}!S85FmWUORiA
zu|hZW!FRr`jxOR|FZJBmevdGI>WY_p4tKn@a6;yb%i3u%s=W_m)9c%Wt#sOt@ypAA
zZ?~EsDy12(k8i3n>0&ESiO*C&O@QsdE6NeZZJ-q1+lR*PAc{bOac(_!FuO9j#S%%T
z8;xF&w5h`GvyOk`fhQ)#yRg#(EsX|gr(a!ol<#t)55(NXi!t7)dR9={wCj%-+KRM`
z)!oZai^#dFe3!B@o@Nh<Nk<|UvFx5+S=qQ0MINVL9`A-N)+Ps-S<(JtqaSIP#(wBs
zMSF<oVISzh0IiXC@v8wQ8HUvDGP~0G-bcUr{r5aPj?x&)_8@wq9&RF_u$z@$c~Xl0
zdUKa|1FeJ1->H_l1v`Vz#w#4D6J8uvkpuF|s2y<!O>TW%mBDVc)mnpQ;qZ}z2B*Ok
zY3noSD&H)M)q(!}_NULGvK`|$4lnE<bjkF!wvLHXBL*_8q@IW*r%_J?a(PacaiUWD
zL%P2W_BS{%`@0LcvoINGV|xqM4c!lVn~?c^nZl^<EshI1Jzw5~gw7C|L8l5v1_f;n
zY?-WcqwtV7Zgf{$t!Z=h|NG9FPF-&N$QPQ<G3YCA)K)ZEgdczMo$vf)p=x>y*rTQe
zWBO0fCiSK9sdY6ZH9}pZV(*(BZ@01D3?z%SUsWrL@NO-{Td71S`G1JVQoUONImalc
z5uv&o$U>G*p@HYJq<6hd9N#!NxUq0xa&U0+_8acI?}i(0yzjmng^gpQ6@{NxY#1Nk
zP$4u{j28B8)8BCLszX&<w^m(y@apTTwgK<8z;kh(kXcDzGJxiwE!8U8(iu3JtSu22
zqiRd!Go)%uj1v$yAnj;&<tr=mb#DfdpQQRP(0karB40&Juys{xcbD-asW>K+()Ex;
zI)xvR1PTBrykP}Z9w9M`R|;>pr~EzJhk|eG>i5R#j|f#dt*iU&kp~|f%j>j4{i!QB
zFGOAx)tgahs%(}LkujZ+*L;y@Dc9Pq!i=dxadq*GF@)KBAG!Oz_sa9doUh>gY)nh~
zs0n8-OMJFv_K;+hvNv<hO@1SP8=X_+M^Q*78}asvJTy`De>S~VI5opYF<<xWvqd8T
z_JMZrb&dE@HWsJKUCYLy>h<IRq_%dX2axf_tHKm(^HfQ5jW*vbeEU<v;)eEJ6Uq4a
zj{NjUPye9-(RBFNj?7HHcXQ5uWpi#TNCEo^{8C$m@fab^-Di-Y>VD!}m8u}qKB6MB
zw5zB_54GZ>m2&b`DIb+UOSCfFxoa#MA3vvKAm1~5C@;KyMZD|R_RLI&JhB3-SVZIF
zb`aHxqVXxdgEERa^XMe*FV(n`EFKs<D@%MNyE+y&_6!|@P%Ie+-Y;nE;5Sb28=s1s
zGG0^61F>3=&@~t>*D`9*(Ti7ir)Iy{NlY$CY7$DgqgFN9%93qKs?l$5+BWANYaX1f
z`N@wAvjdUd#<}pt!vp&_wX|;DZ`i%V9h%y5Xya(3b5}5z+;Zdc^7RWb30Kh1@4#5?
z(3_QN5@i*K%F6l_mq#nJYj83HR6=V_5*<B1u+~)Hhg)Q%@saikRg@dYGyz^jgS*Pb
zeFs;Jm#wTEFyD9i$c591#Po$DBNG!NBO5jt-hO-Gq<Gi=-f&0D*6TKvRuE%-bde`~
z7cl0~EXmSGT4t5YtEcBACyum}7~3L~jLMqRIWrh#%p@a%<z{doAJT^;1HV@=YvtxZ
zcWnHp54^u?LwtOD`!9YlJ>A>)i(jBY+^(6PxmGI*i|zh+wC!9jTZP|HEn4hP()Ij;
zUzV|ePb%<sg5&ir(9!*vPh72udImZ=0eY96FNAlZDz2$g?I#PgL82xbgVJuR2+F1p
z53*3LJyv1YMkXS!(I9*~;c-;eR@FKh4BZ`Wzxl|!MDafjR=eArUK)xu<~A5=F4KzD
zHoqg6(P;}m1H(9cqo@@HXZu1=$6UrC+sUucyhXD0_4<%N#3wM_1G)tEiQ=s&lPT&x
zDb{A~l#$IA$Bw<iBQZ2*H`^;@<0*wo_+CNWLo(eeg`I<!F0^JAFB=?sLtxI;8S2|&
z{NYb(7RKU(&bb9cY~lLl<r}vobHQB>@94%uTc$$p9lO~&kquPCbRVm{ZpHQLR)2&^
zmDP5_PA~u-&`v^rIiMpdb&#cVohoG(*YzR_p(>!<(%`l(H6~Yj`oh}C6;)o>f=y0&
zLLrYQ7`z@op2lGC$rbV0cvDln_~+CZ<O?JmtqXd|3r{iK4cZ0xrWU;5a?l%{n^R7L
zpFxu)4~B?)<(<y0JQ}fFo0RlgsvJm>Ogf>qo`$Qi{AK}88B%p4%m{22HbLd}RMu4+
zY&NUG8bJT`4p|I*?tFvYV2ZZ&3!hK+4joFCsK5$Gh9-Q|5NX0UNwSN{2JMZQqaEW?
z=2#{hRH{2c<A?o9ECF;TQJoD`2a5~ylC=z)wdJea4<X48GPb3CL{l@%)0$m*@rXK+
z7ln(G5NSzpwf|KHE|>}@WqC_>ord|wTx##0GU;DDVj3q|FkJeJ4F9C>(HKdimMUr6
zIQvDp5SalyO}pEXbaZU%58j*YZHSoJe%9$+9ZS8(k9TBgi*wo`o9Qy`ZLnL906=?s
z8Fnl1i#>8NGPa{Q+o*IO_=j79sA1uFUDn|L9r@s#>~T4bMJPTyb=Ns;KQOxxbD^%W
zXRr(@$e>z>Z^Rq0#S{xs{0M&>=l|j|!x^{r{bcI{&TJ;CMXr4p!)2Smd&ZKEPqiIu
zxsI=%o-U);V(pjLIF#v<tSCL#t(e9M0R|QS#g&iL$}0X9&pwNFBO03)AtS(zM`YPq
zOjJ~?m4rI);mv*gr09}bO>S527Ew0<)D+qP)WM=uiGths-h&5^y!c`~zjGXZ;~n{y
zaCcAFpkMgOmAiLed5$GHp6Q*>*bc;U%@N>3tz&8de-Efsbp}~+0-RQsg}fFKmxWa8
zOZG2t2_e@as?-P40+l-spttMR;fv=|skw`X<szm%GqpmncDlEJrl#<nnps0?`G&>C
z>z10Em#$w}ykR*dHcwAYO&8|2EH1+01iNQv0?&nPE84SVnuv;Ct_yRoO|id;R1cEa
z*t6Q4g?i;uH!0>AlX^4hwVy;CQ=_w9XRy>o?3*UtP4(_dQ<cMAbu9{&f0frXy?e)E
zC42<Bkhg$TW{i(?c;R>2E^xLyopINl-hNbTw-C20Di(_4^i&JiV!ghG%HbX>e47=-
zMNJ6Mk^s7`Q}vcIex*_@9opAQjkl}8SE<$&-UPBD4;I-kT$3T|iFz-gHwsnZCDH;@
zb<a>S-s`Sg5j<#!l05vOiNeq5*dfhPTpiP1hc#%|yuH+hE7PJRQer9~s%Kyf#68KA
zR*7*?Zw5N`u7$_17PG73ng>Qkx;g1pY8^{z6+)-v2^PVXd;=+buMKnbvF}m5G|Q<F
z#pr1c`1ker>XE#m7k?RNF8GIDkGuYwb6`%&&iFGs?Y~QwCgDuCI)t-ZM^QWF?J^fg
zk$XN><eu*)Kz9*9;zvNAq*6;o_!vI(cq$K_@fDP7?h)ovz(s`NFb_Pn0bdbZhj8`a
zI*IEH{eTW;ah;{yraY_%cvk*)A3m_DtuY!a>@n-#=*1WM>!16$wo<H3$NmaOe&q$<
z0)}cC-tPi+oh{?N469{Emzt79jmx0GNkX4kKGYEtxf}SVB_oWGrxILIIDiOCTQk7?
z{|~DXfg3KWf9^Rs2B5|T{)>$_1ldIKfHZ1>mH0=b+E1!ht4@PQ1$cadI0^Ix&;Zqb
zqTw9}CDcnXNRnPH*y|3g^y>`|)C=Fv?1-NsKHy3ZMQfk^x2kyb^f7|?a3)Yi9utzi
zZ^it4n!Tm-D~m=-WrY~6BXvXadQohO_y%=!qQ%gIhRFlNXX>FHp>PAqE|wODdAv)4
zbhJJ~A@RiI$~vC;J1&$qd6|3u2lAetT^$nd#$1}AflC`ya@Ap#co>qai&W65QKA$o
zl&$PDHl}sG@Whiem9>@C_N46$j(DNd^xV_P%F`KAQS6cRR4={{_*n0PWwF+CqjDE@
zADn=mE0aA@l(B@&d9aJIO-;|k<15UA|F#1rPSspVBWfnTNBYl6;K;3J2uLyu@qY<v
zk{3h;s2T{*xpOK?H+Q*_>cQ1-B51ixBU8UA^iqOQs&Z%k(o@33<Wh7~mmG9$vTpe1
z10R}z8jjeD61}*l@IEQN%6tUB!nhM^2iCG-s)-Dx>{;ETswTqsD37m_&xUG~bB=9b
zpGcpS>uHk39pV^QqN-3Y;oMv^H#KZ3J}!rB1WfgHL~Rh~D4uyq+=kZd73dlDWwfF$
zkwhyji36IkWET;w;LBi%7V?BrVIa;K^)6vTj`OStKzorQZzk6e@r6h5PLpO$4bL*4
znaUT46C4L$&`bR`b<lEn^%B`LOge!=yQC42cMP3(Xm?o`f3&jlqa&LPkmWE7$xbA<
zJjRm7Sjc}8SX&phEaIZ_V0fbOE^=pa!9X4p`a~s0NI>v{B1(#Y5fv|aDK2yYMMK>!
z1L5q_WdnoUa}wxnc5R&`ze&%0?Xw@RZC|)-!{!^drJ3)<3-`~SOW`~jwGy(CukuHr
z+{XM3EDkIGuCc52B+Kf^t1*S+B;KUX@LF(Fie6Cf)oNhQ#&{{2Becm#XSDMa9n7f{
zt@BE{hLTMZ%D3%w9DAt8=rZbz9%Ju2j$Lv0%8SF5C^Hrrk4DEM_ZRM)c=1Jy8+fh-
zp69XVO`12B%7QYDUP||1tcup0a<(ZxOx=kr((04fo4U!OpS@Je(+v%mR~{xhkQuPr
zCpKg$89x&TpY9trpm_lrpY}iW(Z?U@uC?PATTT0ek6pG8lya*(*VL4A-zsbp`VTpB
zK3~ppsPOEUNFoTDKFsH8%*VZ!ZpyM%RJ!559?lmi3x%?5Xcsy8{?CWji|&xz`sH$I
zgon}b+9(gFXR^1uF)r$xC~+!j04k?a>48T%%#7tyB#!lm#f~ZSYRs-kBe=I~z#BD*
zcm0aTn4W%`VoU|_e{P!>`|_|h8tr+^CVwkvfa3B`;wtid7VRkVS$1mvSsvxzn9;I;
zx6NQ4e_L+L)0zcfVH@pYg&Y5EIW7X8Lly5RR);cPf47vE!ojxDq*XX9x;!42cv!S1
zM`WMOUy%hPe#RCCu?K@7_%MRdqz@n`25V%~#E^?c^{++n1H$j=@?)qjJ9349yBzJc
zvOJl!m{65uIc>&NHYHVKRx@eDXG+E@=kO7o5yde&gYO6M-(e0e#w%xJ`b3O??&Gn8
zHo?!}Ir!VIWIpLv<@?}c>Vz+e`<RlFkBP<kS&RWCC-I(kz=`ga_`mi!_B;1Qp|*zP
zi%JUKBKS25yhnm3;Y0og&J<Mw%Y=LUE>?-((fEtILP!~+YCYIueS<tTF}90&$|zX^
zR_MvxzfU?wfbnvw)Q;+IWX6!+8&$86A3?Q^jaoh5^Cf{Klr*yo{)0E97cU=g$vGOW
zgMs#mw6nrJm57b!n?eIy+7r#`m^<(2Fg*4zm))~9QC(@My|Lb0p*J>lW}1B7?ycS3
zyGFwYCkID5J%Prp3*?JJ1Vi{W&R<wC--sHwkoc5Z@vpd79r<I!m?3!&!jh~a-br=m
z$xM?^k3iltR~eORV;N5&m;pR53V-1rhF?fdcKD(#t(}3c>EwJ*#P5srPQ(MD*aqQb
zoi7{l_ZW1w9l2;{&?KZ?4u`w&b)U-)qQcn`{Bu9XUf%ae9k;4mbN)_VZt@sY=fz=R
z%k#oXYDOwTCN7D6cvb^6=Qa77lJ=oKQ?2++83;6Iiu#giN{&O4*rby<`J1GC%|QWb
zWKp)}(Ho4uYLl_9(jgq!WW4^%6?WshFFf|C-4&L^Nd7a0TXuiym{60MY7`I{BD$s;
z1V3VQ=?8#vjWpu#aW<)0?S4@<&SI(rr9rRcxtaBvB-1Zwlsv*uS}<jP(AdetW5t!q
zvhi3)5|9Wad=L~OcNE|?6T^(d$ccs>P_vNGLT*x~Fc-I5Clw{6uY9Pn&eu>;UEwf0
zI;I+%Q@5m=8>c$(8(<B-y2ghddSm*Q^cw|Xz=tBZcj!}n+duyC?R_cz9inLQ4HQ;C
zi~nf;2JFjUVg4I6cgs>sovtKo)htU1pc1hJm?Y27B-P74L4F%p$HZ0J7=FoPR-BQ^
z<Gxg{xf$3YzfK3PK3w~7b>KRt$|^Qn%Ey$feKi{sNNN%lEMY?^Sdy)ZO7S!9R5V!M
zow+5`T_235+#EmVMpN2tl+ou&MFaKCEw{8Z*9W30kBma2J8fz-GYlK59dZAKpZ)BG
z{<x!>5NK^$>hU)aTB{uiA0gJ4;D2fG_bfG8=`Vy^`~%veI`glUgGnX%*>dOfmQakZ
zvHtM~-+zJYHs=NJfAE9v+aI_sxL+{-_$mDN<HGNr!+#)OyrU8Hd>reSRC$h+u&(Yi
zbwN*ncCqG+s}cw0eN?FvAaz8bUKa)pTBuM{4msZp?4?=A=d!#Fypmg>@S^YKcD8l<
zhTO6I%%%++ru|*sj>Os7_*8c=l4xm<4$K>zp`A8MlRI;6TiR&Z<#w6Td#9<dPG{)M
zMZ2R2nbJJKgTzYU%Aw{)l<`h=9>u<JvQc==V6OM$3?%a!6L;ddm*g9lvoDQ8y)gV%
z=$VFK?M=76wW>mA2pDb>PTm>WnRfKrzg{ri8Qqa~^x3|SVS!(;afv^Kd_zqc$j7u0
zSH|lB-d(CMTeAAs$2+)~<c5>;Fv$r(`7R{Yv`pj2X2M+T#0xNTo`b1SHKU8+m0WYZ
zKbG>?8)&CnnvCxEKYXBFI9W`By@fyXy*-S*U5ham<zA{Nly+{Ic5ayOT#DL~tKtN#
z5;+T#sKn28d9FQz-^+YSZhBIj|15mN77O|6`#RxO$vZ}x?T%_kMUBDWstI-1*z0P*
zvZ`H%Dtn~qO`pZEFKr8Jb=Xoy+svK@l)b-02PI9W2M_4sG`W|2n+&fcFMZ@a#~22r
zeL>%?#GW|CXi15wOTLfw)}}b`(gY4f-VLOCK)R`WfK&=4<x&_nHyWLl2EEl=QBz+n
zT(Yv4@-G(*l@&<03?!!Rn=Y7y>pCy(T-v70Wf9|vz&4Q3{u;E6Sun}6mbR@DZBx(B
zTIsAW6|5zlh*1rAACCnwdWSBA$a%fMO~xjzR~Y`lK#jRdSKUzE^ZuK)6&0ec)?M2(
z-&>13eX*iKC!Bn|snhN5Y<j$4y20Aj*KG?-`QP;}|FqxM-PdKMx>xF6E$ZiZhWV8G
z;&_H3(Ycgi$ov_QX|~~&cde|vOE~$|Qw7r}J|W3!QO{&GjuG?svUSyK*7o^ZZ(ZRD
zz-p2{MYUm>uEIPh!@{#G&~|8vs3|z@@zqJu&fe3k=m?)+zw>x2yb`RIdC_|%AK?1$
z<+*jF&s4Cz%==RxyH9v}MY!&A=t+2|0cTr5qtK7rF*hyx!A^=lMbCsdejn2OhfF7B
zU5li&i?SE%6>p@fsqq5X#LuaxLcLS~oAeTDYEM~+VQ3=`&{CM)69pr1GrFT5+vvxD
z8Ib3JcaCkqCn_&XnvLAGDuHL@@vK%{dvK*gQ2p#4>VP%C@LrMc<O!Z~>J84_*oriB
z$aaTKo2BLqJkKjYDlH|lLE9Aubk<f^YD3l&$d8AcQVqI$D(rbra<tVQ=-3d=#4Dcj
z+3T8&zEnbR22<1ZjrGRHr*D`xG=!zzvh{|^BS&WH8p0zxyQ$8;XYvLiZ2wJd)#$|3
z7^>}88-8P`!V+Ljj9BMCur)!w5282dvJ;F4t)EL<wg}LFWKEWKF6CCNn@c;qa^K3F
z@p=&9EkuOSQQ7<2@Y0{*eMNqbGMQ5B=O9_WCYLtPQO&#fk$nzlp|D^L`%=>#O)H63
zlgqgBScTS>-q?Q6J<*s}`>g`meSA;<1n(~DS$T#%z5XmYO|8wN9e&$2cVBa#JXg#Y
zFJ!pYQg4IP<<Y9REzYB@WVA*8JUwtLYn8IMlqBoAd9>oAr{2j%F=sq>tY{>_Jk$=*
zKXM${SR85=LD>#3&7(y&C)1+Tz0UJ!Ij32hM@u@?hu<#5^DVR8fk5|cOFq46QyR?R
zA#;2v-8P&sU)I-+bzpX+_#TV}zDwv98)ZIlhP60>Zwa_t&bGoyV(d|_Nf7@dt4h)+
ziV`kpL>0*V7+wjt%+Z+UTEgB<o4i8rig2=cR3J!3BES=LA>oJ8*w#j2)b%ROpB13p
z(8zdpFUJn_hczP^Ug?xa(V3Z>17Q>of#}5snf?*zGJbW1%4$cb$_>|Gc<@TqbBQ|<
zc1k4sdTFyKQrm(Z4LNsau=?2JH9ak^gk{jZ*hYQxA|q!TJpQdlOI!E3(8Y{PZl8bn
z+>zmPhXYtY;0QX`Pccp>c&U;%E5&0~9F=kL;$(`lyjet8Aj9PK#feOb2Sf5>F67lC
zlY!K-b^IN0cZgzYx-VXZ<1jM~*KTcH7zl+17P^`fiDqi%;c1_0eO5U6Z`=2j_kf{O
zV|>jicUGZBX^GYONbY&?zvHAku?$7xd>Y7?3W6}H!V_j`%q(FRwIWC)$O*ILmznK+
z!+YNx$@sfwn!oXUYwLXcJ@0wWI@X>ZjF}*>D{km(ihxfu8=mUQfEq|A_X*(KGMwsp
zOYj`Qk#louwNJD|wx%^#$@@u4sZ>2rQtAiu&=)TN<f?2YQR;#Fd)Q9+iQxzcDT!pv
z$5<H*I#MW~XQpHiYKBS1tdAM9%HbXAc0jU?RFOQmvyGw-D7?>(wBamU+7mIlYs@v)
zkf+|@Ks$qoV`Xe?<*~=~b-qx-xqX+vZ|kS4D)(!3_Rd|C9b=I?r=##AF*RH<JvA|X
zR-Mygc<Y@Py=|HBG>pkVNqEvyavu7mYkp7oVEBW611u?-cx7^?crTHkigP=DZjAGn
zvVJmI*&fhiPTV^TH=N+gpEVLmOzdn=Pc{x(;?9=d+Q&XvJ(Tfe8uF2?=p}RRFzucu
z$JzC!mdv@GS%>j#zlYY7_WZk;9+qb7o5$#XAbuS>Q<#2V{U#>E>c9&VY<{c`Jh&mM
zy9z<^vyf$!SF4=8D(jab72RiR?!r=Ou&|Z*A>L`g@{xRbt=!s4PdM!HL?Sn`YdHL`
zD`IcF$s3P*DZiFqPklz>p&0X*SNk+SVsoGzHiXE*FJ1vp4MN{i@=niSt#AuIp>P8=
zw^ok6lKq0tj^Gj0sf_xrmhd~WWEB1@r`8I{K_!VmmW`{zP-XO2)m7_+H^gOmbz-ri
z##p~uI6tsyQ-B*fO{uZ_HY;pexNh*!;P~`mCdRm|5Km%WcKALv$-C~1QVjWQSUa*l
zy`VR_ObyqfXhnDyEzO2m$Fy}MDFXjQ2u;%Y3|8)5QAd5Z;HLqTQK5|V6Q5wR7He^e
z76AR~D}^3LU)V3AhwYbNGkOXNl#kANdabsnG<Q|qARriOlTvI+%l0#mj*(4GRP~ox
z(v-XUx~%D^C*N`Y87*pYa`I#6N^64oojz}sTh)}es#?}N@pQr;^E!!r^d#DwgsV!1
zEAAKZkzWLGX4jCvgxNLZFCoV(*QG_!!|8HXRav4UcD-EcH94!X;gttg?l)auA!&7{
zW28!BuB6koi&rrEdyTwRBDY$$M5I`j=dE&*TR(4=Hq8S!-L&$74`k)7l5O6!sabgJ
zisj`imW#AI;D+i3GkaF}DZ_~YV@!Y#m*;}6hYix9pwE33KdAb}`p+v;RmlZa?0?b(
z6n?CI>itKCYAiK6y|Kn>pBh6hsH@UgZTD1d6;A$FWHuI?jZALaT3K<JrGkEj)(eaF
zu=q~w!`9R8-eRSt*v_WB2}A{6uw7mAe}t3A3O^z{8_#s&pAUlu>QqglOv_dy<tMO;
z=q)KN47cKWWPp~4YJriZfhayQHIPh<pHSX8f>6Z4gDd|&qWk&fS5Ex<zq9vNt}bbv
zz;oN$d{4=kQn4+GK}duXSd}y9d%C22PfCvB`JNPQmboy=6H);P7Q~gT?l`oe6nGr(
zBT1HZnrm=*+2^a~d!9B1z|xlP?qcr!hh8fTu)H4z54rkJ7YKMOSwOTl1_?)VnrGIm
zx2h7U*_#r}D^r?OJy5!%IN619Nj1Os1fBbU+#`;k!wAZAL3s{J4wy>=gK=EDaSh@+
zh$|^s6SxxPO-p!W$!SsKfc`CU14^#ByFy=Ki2MJx(1CW)c<g<mC|25s{<83aiB<(N
zkgdr{@UnkU?k90J<bFy42N0hchTvp2#NrN*s*#BEE&)MN^g)hAJirKu;t)$L4$-pq
zTx?k%JxK{*dkof?w8Lo?d4@M>Exarc*{&(<aR&lpu}-E@62Cn|Frr>~Z$)4zaQb+J
zEt>V3k3CZ1cAhpS(U=aq^^X(&$^SD9zR`4=Tu+s6sANvL1hQA=bh)0q)`goWo^f!V
z-BYv}<=%gm+w-x$1MMs25rCbSu}!`v2=F#eL-HJ=h{;iWCkoq)a{2f<;1kdV1ZG<j
zA+YS}Gy3-_apz<HPUjii``RhvvG-IYGV8kciLhn7o`eCl){CI>8r6$g>OZD@xV4zd
z>5I@q5rOkBWmL-47Dk}_?7>^GmLAmyUnYB0&Eo|5jIr-XZ&N)yq#lr6U_hQ8Wy(=4
z#0tq{N*XFZtIT{qtbRsm?1ub5>ql>{yL_GS4ZR=w!ZjFkTyv?+lO^$}Ql7+uRe(AP
zi3LX~!V~2Y9!dtMS#c{u&f1c*4oO3$DmmPzz_=(o`FV!4%@H};gUP*iyay9qKj0&;
z5Ba^;(u6uSi6#J0t8sAtkKKw<OF5fT2-WNs;&OP1{O*zpD_qCq-6;0<5_A#M+HSCt
zQlq}LbZ^Vm3*@~m`yOczE0hUyq$pEU`1~S8Hdbcpjvf2NCs=@k9FJs&F9~Fad)MaM
zmHCTQo(Zi7Z{h{ih-bn!howiHvQgrcvYTBmRY)Z-FzoPp;f0FnbCMIga_Nc2@sPh`
zV6e^EV(qcDInBo&x8Jab>Y!3v!kOXW8C(5si&Os?#%Nfb6jp(!dd<8{gOWp5#Zd9+
z*7!~+)e#9y5}V`OhXzY-T1UPlebM%*r;ZF(+iG<98NB<6r=J#1em6Q9#s9xsz&DD<
zVn_G9QvE_5i$wlvI7D?HlPO85Hc0tk<Dn&_fFA`yEVxqAiIt5Do|*F0&`-T}Huf(?
zBRq1+?N2|A%+SY_Q7%tlR2ZibwB-WMPL~&|j#kxn@p=qF&H=^ACZ(VI+DuW3{Z(o#
z>qrjLeptAV1i2Cj<jnD{U2O)3L04_9jvYOE&qJviTdl6Dp(=Rv-gy$~3$~Qa)@)x8
z#9z<bn(@&#zj{3r?U+v+=7ShB-aAfsM~*F9<uYERqM9EbkogP6w0R`SDf902;uIuY
z9$PMrRcyl8*2F8YcO?6h+3t{OWOrgw#ox0y{VP}lvO5psinIUVp}!J;2#aG`^8uM^
zHWN$StWmSU%b4b0mhvJex~R!7YH)&g5v646GpD>ft=Ww2JjD?thuV?q^VcT72uR>i
zax{g%Qz}g1;pIi~favu5owzLiRhcp3<XO|nR4O@r7OfA<k-_@du#R2w`bZVTSaSa9
zQ!{zlFk<{DX{TzgN&*dz#1~<pJe}riC3BG#TAo}Z_Q``JT7w_5f&4^p^%AYI+(zc(
zpxj2HH4B5c60MQHvcw-vz7W53pX#UnF}v^c?0d|YLj6Ug9Fqk3o$wy!FJS&`iht|%
zIRR;`GMs%Megyo^eJ=RE<a0@o&qao7>lAo5^TmjWHUB|aMJ{F<5!x*>&dVar>Yg}`
zylbTCFpkp+CP}sRDC?5WCq1p{#HSdOLZm;mDg?|@G5N6pDzeBkGI`5fmc$rCaXlO`
zN4aR$WVX6>u|MQW^@VJ4pQWjLKHJ<Kbs8ESqrq&Szs3@5Z5*8q4xXL0Mm(l;C^u~K
zgbcp!#awbU7pkofM&gcG&R4G$D=MohZmctj+KS3*eRaLXWl3GQxqW#cc+l9C_BHpo
zjpJSJM57UrQ`CP#KfT+Lkvfd*sm+?(Wn7dUj8SoM0{ViWnPWQCBtCU99g$`(WiSFi
z<e#V_E{V^6eD=d%QwJJwFbq-@iZVQ@+8qMV47Le(rV&yYVc0|7NvnV$xEcEw8E$DU
z+VygO07{;lLrhJlWDZo<2BYBeo}X7PE|;Q*U*tTqv9{J>emF4~_2??9Dzse#Wf1XA
zfxZ@xr=>3t=u3M%>Arx|<8k6=zffh+iU*)a{p^A-?A_2ZJ(zdx9vWq!f~OcHxa`S+
zM0~K>Zf_opCkB%Cv%`r*B$7ykU!I!-?V`pU_QqRqCZz@X-I(Ss8PjFeR#i+(QYKEk
zI!@~AaS&WH%$MVuK|GR5-op_9G-tj?MREpN%VQFb@~1HF_OiPub)i!s(H@5UKIyOI
z9Op=s;!#p0Mh^iBUwICR#Q20g4nozUg4Y0oR-{>3vb@$g!dAb_Z|-cg1e%=|n=3t>
znA+-yWn7J;VOP{}TSGqT>vn|_OUdM(O|><lHoL=xvXF`BnAhse8=7*X(O_pPTpt?u
zg$7zZ^JD&eOVsS|cl+nkeHZ6UHr>Ihpwkx;{?rh++R_0>W2}If<5<`nbwm&rAs!mR
ze*OjM*n)ki)FhT%S?kF-*}kS|j#Qt%jE-n;QlyFw`k)1LRc@&_5a?aX$ybZtSy$)u
zTN?aMqtWR%G%p?Ay!qP2L}KyU&6^J|H6O5KmxhNITN@f$7l((JvdAygY=Cm~9dr{k
zsBtH?MzFNp>iW|WInr$@`<pU&WN$F3X*E#O=p0liPfG-IdBdFt+b4tj4;~aQ-ComZ
zJ@w~<cpoJ<{}g!fsWBiah_7PBN95%r@*;jl@1xup?q%gCGhxq@h{+G2?lvuaaeXDE
zv7nZJq<_!GL|Zb{;hb+hZ>)8;t0~yMG3M-b+_=<z{_=FNH4}4h%I3WJsdRjCaWSr~
zAl-!3gA#s#@wKWsgwk--@fG8PvNfqDo=@T$^{_*EwBH9Dk#2Py6u{5Q7RP+pO6EDc
zEt!Cl#QFQV{h=}Mc%rqdK04Cg+#RZqgDjh-Qs?$&Hh23wbDa~>p{<5YVrOGG7PbW)
zb^8nspCu4!a-SV-cC-v7v*UK1X?7qr-s)mB35h8D5o=uo$)UuxBm-`}*_{AB<jhn$
zM?@K&TKd5Tr{62_nGA<&sPHDx1My9YBM0&*tVzya<V#a^O>9>oTKLr~|F&^s;kUQZ
z!BV&J=pNzv!rhl06{`07HaEFDz<o6i?3o{8d|@?jR+510jgE(aiHpl}unyxQ8OYC*
zQOu2adMVaHEoitMv%o)Hl<)LEbNizs-qA#+r?bUqw>gX>4Z^;k*ER&KiH%+U=+G8J
zF1phl$!6NJ+A2eJQW!pbuuAW2o66-Ex<S$+>%aC(&`lWi0@g-w*Bku_8XMRhc{55Q
zxDhtyvbsnZwOZ>*ktzBnt>8*8kH(uPc4h~6G|iej8r|uTT{QTE!TQ8_t})m>n+~+L
zhFv*ph1Kmdgl7&eoptk4qQ$qZ!DDTm=`^{_)tE^(JJ;pCB-4>gc!SZbkD_HM(926$
z52Jd<OR~h*n-TJVB(6Xdfge-=pkmIT2OExkyh~?`^|us$A{_4=jhJ+sZoTG;fx~By
zUU}U;J4qIi{`Ly+7r<M4H0R2)NYeS&d*5;JRkO6~@_2KQ?X@ag^Poc#I(bcyi5gP(
zRc)xH2*1e1;t3CH4s&Sf00*`u1c`+*-;mA0y0#1Yw#~hP!Inr{Q^$0wc{1CW4Wx(s
zy^FQ6MA)0`Gep`f;Y^dQvB!WD?6ICHr>=1#7avYLT`j}0^n_jKnj4G`wR(i>TiPNm
z;Yci1_+~6_YjWA^tnJ<;6|08-9k_T2xTr;RM4_b^F-33^C8toeQ%^9?<z=)K!(4er
z7FDOF408Bj;BAl-`A7k0Zd>G`k{MH~tNhuOv($73{cUY^gFBn%OdXA$bjT(XQ`QS&
zY6i6>KyAWSZ*aPs=%w&bx{1-!beBv^nN3|@nb0setZ%VA%&D~@{{o4492y67Xttsh
zcSxiChq_B-U8__^b{19LDwmhmkh{L#9kR+-e>CdHPr2N*=N1PB7BW_AW?^7pF=xLg
z5eg-fp%67VEty*ra{d+CJ;U7io+pnw<$Cg29j92FriRUrbXUqGqEr?RBR?_!R6c7h
z1fYXaDHX+$mG?6Bz!t81ua@R(3mYF51bix+De5vc{;DZFv^8fd47!_sX$&+BE$4AM
z1bvbIAl8E>|AG2UumcuBaA3J3zm2Zj^40+9GXbk~HMDF!G&gtcQgdqY+PS$yTU!p&
zdJN8!J~KZ^>jRzzD^19NXH}_MR~gTe6ddN*CZ2^{J!mqJb)-|s`pZKHa~lH}3okL%
z<yPQc0B_O=-vti-(Yi}Z-+2?U=47bLIp22vSnEvQ8|avbIQ#6E7U?dzY^m-7+Y+@b
zNp}$|btBByjDVTc02h_I(FU?TCHacKkFme^;QmvXPo-`gjFj{HZ~wjc{o8fcXkV)E
zTj5y8NVvX~-(xK8c=zwvyC-UBY+3yN-|Y8E<f3Xz=<WX}eo;n`_K4ePbVuy=FkQoT
ze?0ETPdQ!MvkSd_^KDjZ+k9W|Le_p~DZfznlJD=xFZ_&O$XtRf*)#GBvYFB%V;B%~
zFel2U>qr>?O%%=Es2!g^s>O%0nTkoL_jjg<Rbm*v-v{Cnzu^3S4*bHW?nH?r)+sWq
zSd-@QMbd>()d@SXoVTk&S*Xe`k!`$`m9H($%`Nyb#An_#x$&}@czouvjgxPhi66LN
z%a*-+w`{op^v!LZk#%gH^+)tq**YD>Fba9q)|p#}U#Rc<yVyE?Z<vgwqoGb_>!guY
z?#YfNT)p-ymf9AlMtsTExQlF^_Km5~$mn=XwRPSHelZ7IXM?P7NyEYTPQVQ)fQ0B+
z<!hNYrgaXe!BG7>m^WvWc@s%TY$2C%pV1Yx1meuRai)ip*%_EOn+H=9StJ&b-eg&Q
z686mqvv0=a8A<jHn-K+85eSCLU2M*r-jqS{=htD%%ssqExU+E6We*GH%VEoSdblm~
zKG-rNklKCnNF-Zk4Q^HQg-jP5u!gxyrVHN$>TxHgkSeANJ84O0s83_L;GiEjT+Yr%
zx4WaA?U@cO(g&M`sY5pzUD=sj=a!x(;=9y08g>h0!Z>gU82}u<gmD|8c}V8JBtJ23
zIpIfE?;WRA@8{<K>Bd8Yht3{5bj$s_=sl8tkM~TlwQ{e%5B`xkSZ{5xn4~vJIxfQy
zFo8i(Sd@mvYZ#JpO9=^*N(=RsY3NX5Rh<?GR@jMiIT7&>-cEak%^PY6wzbx{Q?aNu
z?`-q=b5Xn2GwVNVPq1e;)w6RX6dd0xRQf_KJt1R9M_;z^?#eo=agW(zZJqA&hcDfm
z-Q3-jUb<#_)6F~EF(3FTh2LZRmAYj(3}wAzq*(8ef|QtzG`(WIqY_g&liu+J(>p%N
zChx}!UckG`^$zvfugyouQ^9;DlCumx6J$7Zy_x$=TCTZ05f5dZn;b2f&LH@R*OeYg
zz-Myq((Zc)7#DFxU3H~=1h}wcEx|{ywr4ZF!n67$ayUnTo9$Ix?_hfYf8W9Wo&oOu
z!1WG>JEFO7{}nWMug)It=PJf%)U2CZ_@^7L83N5+d-MIfWu4+A*D=^Qf*2=Xv)y>F
z?4vunu1>2~F<D<m{k?p2sVz4yEnUBuOfFrwv~=T^)B$Vz^4RFsjKz}KIy$!8PC6}@
zTh#MHu?8hlT7Q(J$(H-*$Wv2$dLP}5+iN_wQ@>E<7S&Tz^0dn;sl7J6y$&DU;02Sh
z5+7ZlYhxUG?hQ-b7i`}gZp*}&-0GN4H*edvWsQ%HdN(b~oI@JU`uHgG(P8hc_0h#&
z!$$|JN_8^6ULRdYdy$VW5wnM!b^FMm2}K3LOI|u>%Sdx>BgEMJV9SP#3pB}nbaycs
zro@4y6u$Ll$Fqf0p;qjl)58lxt6s(YbGpCCKljK5!p(&{E_+0<?r(xj>p=FpWIx;m
z%~CmaBFVJ%Mpo{h`-l4GIy%}R;uPPUD>s|(+|moTEceY(-L>_6bL)-#ALE<z&2itH
z1MZX%^UZl7d$@0|-J-L4e1^#8>&_zIT-vwI0^i&$_ow7$+jH<TUeXTdWMd%N6QnbS
z+&4#k6O{T(lAK;|Mz86cv&Q<<<eTdnjnwNF?!4~c(BbW4SKoAGx9Xew=hOJ+)_dRj
zzPW0}H|P3?`Q`@F(N@(r*E*>9=6dVkn+s)|>>lo$8<>Z0Zl<04=7!>JQx2Vbag_Py
zZg1&|q{5Lzrtqa$+!6FR>a0Ef65rfW=q*Kl-m;of#pmr*^@Tc~@q9{NE4W;dIg@Yh
zf8FrlT0DL;ymQ9EokUJvSBvWEE%wgs5SG2cWLL=8-rbolJgE5R>RqO4XKp4>^c2~2
z-SXMDY-K(yLDRqb2hDFZPr&E6Zm-=+INP9$!ky1Tah3N+bGayf4Eb0*pO43I42Wvn
zp*Jv|!7Fg18X;l=)SHPqE5?{wCVhLRsjEk*3Uzcuv+X;cpR*1{o8!^+#*xK?Og~^_
zDd{nMC4--?_wWp2#z*kpsP0M}jYDT*0eXlAoruLpaTPV2p>Jr>pOa3#HOdl0O(BCd
zKnIL4!%l51r`PI>=6S8H;z)(9O`7e?LiW~M3t#!YGHH7Df}lmdSjn@CvvBC}5_Kwe
zpxc<mp)Gp$?h4y(Tg8<0><`^4WD8%pRroDolU{(KOT6n*@o~h#67UsBilkJx6%MT8
zilEflGAz#|I-n~Hjp-c4Q+r26ePhUPi!?PhTQ`T!?TwG;y!JrE*PtDaX0x=oF9*BY
z;*pTW=XYDD5?O0<IOWSEW69Pg6$3QJ<mv|DeJp3LXpGX)8{}2-0^ejwVtg256UJy@
z^u(Ocx>yeN@Zf3B@uaw76up871{;(`dm|ri)Jww+pOco*b{wN>p;0ATn@Wc(oKi6<
zXl8`-P&4jBSSRW`jr2DJtzkyAQse1MyjWzfaNg%`z4ddXH{xF5OSm_xyB_!H@$WBj
z6*Qf~g63!92SG(jmsiQ7QI<Uh02NYXRV&$&vmT=o`M<rjb;G2;rA4dvx1@xH@qvl`
zp&>_aix5LW9K2^j*sb|*kq$FbC3`w)N?BVNE%s5qvUnryrKeQ-TbhIEHhfEY$k^b-
ze!L!Y!I*`wVa!q8jR5HJFXjR`?iPNGcSLnJG5Ad~e07`Vzcv4gp51_-`Xj%0b(`>G
z&A(!2aTxvWm-IJ{pvfTH;@84+7$M<R3mD<GGnPj)U&qI9yRGxmOS|sfcW>(GQTz$_
zci{ftEB8Yuk?!xr0VmtVxV!VVF5H~DcOU+QapL*H<G4SnyA1$6{(Y9g@f@66A^7bK
zemlYO{ASG;gn*F2NC<ai?i1nBnUtKZ`M<xgZy%m1-2;2%PU$;eK?h?x1+w-#0b8?h
z=T~;^!fou?UlCtD-F@O0i|?!W*VElsaa-|yRTnGw(HlsQLvJ!$AYXOy|9nzN(VJ;b
zUqKCm(~a*qe;%6`8z1I%H^WiC=BMb%{vhwat~tr(5Z4?MGQ!)SXVQ8h^1$)GCJuD0
zu`O)1hT9q&Gjz=yLXJL4_C;(s(%00KjoR3=469cNudIHq3~vrZ{0zeP?pj>LZ5Y2n
z%p<mU2kuk)T}$byh-T3?VS<o<NzBu?ghJ=4OZdX-x1~J*TLQNcZfq=m1;Z8bE2J-7
z^YgvY%>IinY;C>p;{BQE-k-nRKRD`%+G}d;QP1dLKYRb=>Z}kKe}L7cIadNkH0q$p
zpVGAZOM~O%gF8C2+0Li-e*evH{{G(RdEdI|qHmo?<8Q<FP0IISI`Z$+ZbYsWqG{;w
za@UToY_@9$p7NCR%_w^geSdj%pO6$k4TqWoG)Y<Pbdr*vrJ~c77z>5V@w5EGo;^pk
zJLXOe&Ec*zz9%T(lWCbhfoe?Pdo14~XHH*m!3#&{#OLPz{0P41lirsD<($9{5^$D>
z-bXq-MG1NLAv(oHF||5Yvj)#1KE=alF_u_C+_?j(6x_=~9W!}zJg{m&e=#zk)oH5{
zn}I=7jgJE(gBG7%7mh~5I=jzuw12ZF8H+jV+_pMlt59ci*EwUcq-S&goHvn}Nq6U}
zb=A4<^h_e*rF0}|zTKEFAGbPRas~04kcf>VZJx$$z%_zc8N&gqw?~V~qPgTIW+zhY
z<RD|&Z3sZq6>|usiw8MaK8d624DYm4;p47b-7R$BY%?lG$r4(kZ+@1YWSu3at^306
zFT7iO!JpqjbKSaHsri`rYkY@jlBk=}B&t7b-Tf!+D}P4j2+r^97B;-bbJ1$zr7!OO
zqV!y`=(&37$vXCA3!bcHPv5;;=n_6wm^$?p;j@Jv8cS5zDZE$wJZuT8Jbp<#!uUz-
z5OeO#If$j}V@LXX_dBkro2|Rtxxcr6Uf7x1mzi{4b<j1L*_T58DESaSB77ast5u&T
zd12Y}92R{ZiGlh~Tg>w5>W3e$zKZ^t7b~l-s(#{$>Z__w{fXmMevVCjjwEmSb2{lc
z>>u_p2R+fjo~S&PJsHn5Tz|cRKVAAndP`*W7<`aVVh0RkA4s~Dnq_<fua$j}F?^!t
zNx%l^hzDC^l`NP}dJ94+P`4<`j(?Ryo*+5sHI>L!BSL)GpY8Vs{h5AmXjA7KgIh9v
zK5wjNyeHNiG1l+g(zD$+>gaNJ#QP@t;?1#IgR5;)*z62=T=ljnF3x&Kp)1imopV|&
zjqawFq1NcA!<2B3ZAmzHSQ}#v9*@6es3kS*G({c3o}`m-NO`3nVSU!L(8?q7998Zs
zO<J;7z>X1jAxe?t0qQ^qZ&~?$e%FRXe0*nnYF_-_sjy)4_AYl1ZpqsV-RvEpW#JM=
z%X(zB$kdESL)p`PmHQy5>Jqpd``^~x+c=FAokMOxKS!<Uhak(Z#q;#KYlQ|Tzu=qJ
z4np^h>L@o$uRAPY>qz&1n!)+~hXt7Vfa8Ag!J_-GrTc*c>Yep5z$rT4BjZ4IV4c9h
zA%5CeRt%{?2ENEb@s!3DVTxQQltn6%^cs5gv4+~KDjWQHl;m&RoZR1?-qam%$5LUt
zwoBHlAKyPZ;m*fmsm9P$KJ94kk0tusVv&fwSg(fMz-CH{Phl{mmmnGiZb2l-lB>*+
z72;EKryjsa8F6YLE986OS;qbRUL2A(AGzQKanIZ-6m6z^msdZJ=N^)tOZQ548m*3P
z`I0?d;!~#{Af`+*=<|54e6P%t8P~<#=?gCIniKc12a8P3-Ol7yE#mMe$kxR(iX|O+
zC3*D#I=4j`gAP`$G-rz;@V+dx?cDj@Y*vzhkZ1Th=0S3BSJ89jQK*to_H*&tPVBi%
zG6u}_-1N?!Lfh?lE|-wfbAboJ&gAl1{DN0P8Uw%h`-kQV?`C+wXOhMIUKPI<<O?wT
z;_tiX3aC3P$$Np$q0zdngWsdVhYIhO@e3KR+$+zl2){??gx&O5Jf~&#f5hj+dzim^
z92vXP=2ack)BsIxCq^kGJfs?jy+yWR7Rk)r%rzXx-v*i1RUTwrn?NHc2+0T6RYOfU
zICAy&e17}YBO_OzozI_r^+@OL4T;2t-JQ~PG&zy;`tuv2=>cb_$!~4TWRtG2rOi83
zonEF?jx8-MTMo_69a>KJ$0pw}(Eo;sXmsKY{R0SRPB-Q@wji|U2|4@C=KhvkpQV1x
z;RPNjM_k222lC~W2wO2GP_!S|AmT&GGZ@eGsSBUl@rhUy$Ig0T=28sAq(Z+&v01RO
zW3EsxUUTZ3-xeNBdm38@LNVV=EaH3Z2`>v58=JD>NJrSb{ry8;oCwtTg-+oK@jtNM
zAw<c#S$FX^<Tyt0LkCx^SWwU#eEm`U=EiTBG;)U0xI4<2R~p%<Sq5vyHO*l3&6cmy
zcb*}HP%v$c_Ah4_a^(r7;j+-A^bR_cjL%%XdO5MN!{_VRm`I?+v9Dt?F*rXz=x>kN
zY_aytS)p_&(bwd))#E>#(Am^6l}b%@G|AV@;)V^2_IOt))D^dPea0V*m}mR?-e9h+
zh5rV8OSn*65g&n;%uj}TFkdHrC<B-Z{#fA8t_N0l1tZG1<$3<(>n5K!HPflVm2!KK
z#|Zq;sXQtT#4G<&XqBqsW9E5Q2haw-hopX9krdtFF;j<a`?65CeDnU8UFV2iyscK(
zJ=UeG6)ybA^72oFp7TdW&M$m+_vMd1diidwfv9N!hguOo48GUPx_k6uyb1jDVk{br
zMT1fDygaJU$9st%2Z!WI^UqLa1FT#lL=k1U(dmv}O@gggC%(yR{LwdC@ho~~7S~qH
z3LTp;7xFC9)~2=Op->2^R-sfKp;)O;;K~U4IhRfNuF=knIcf7+&CTxcP?x{c-eL-y
zO?8%rq%UX=q>rq{#jZ@B$!0Scsw{@)Xrk9)?yoi1RoB#3H5ignYs70dtVI+~&;d_R
z0#6puXfL=U>KKAe(dHz(hzER$iA5Mpk59bX1fA)m^`{yWCR(|5CZIC2walv0Nn^Li
zF5Xt7>%uzL2;U0yrre%Xk3W<*wc<ENV<PTtaMiUXg$qjuZLlT#6Y-%Ihs)AkTi23q
zOBsz_8LS($ebDI_L8rXF_#$RQWlI{@%m&%Wh&&L}p}O@%3)F9n=0aDZS2|@#f1|Lv
zO0%b%C2DQceyo)G9D^H`O>X$gx#g`>Zc88>4p`PsNa&f`w0V9ak!eLg7)=KC47Q37
zBF4C=IUh3^!f3h7p1>y$n@b3vX4xlVsvT@Dv=6P=hg8ie#3(ijF6ChqJAuEYFc&&i
zLx<-$uaW9Otl>5AX3+sj=F}PxNp(i05`87v_bf$TI_x0(2D2T50!!hxS%qWMZ+YXu
z<e^7)Y`$ejHaW66);v@t+Qxi+lfI6rW>>UMG;UAZM(xc(YtzWSjYHS&?rGip#@^Uw
zzdyZuz~r+y>wS)ptL|8O*WJ6{_`z#O+RwRVZhY@}Fdp_sHjk&bjVB$R<oC9^T1OKd
z=S`>b=e}iW>XON@-8}Dd2whg!?cT;@);`Mie`fXjIMwwDhR2Ia@F?T#1hQUbjLzay
zs0fe1CC($A370AG62j+31)qf3a`E+-;&Tv8f}bcswWzCib`4#6WNGT^E$Lv-bRyYa
zC0fV)*`dblSj-tQh^DjC4Ow&8Yw`5#80p@>luK?ntJOE=4kkCJ-64BbgQ>x5tqn%z
z4{zQ1&lh#K%wIM#c<xBBIn)%H?n`YRi~^s}&)X9HiI#<daLdwF8%KBbdW^<tt64B7
zFE!S=qAeD3d{Ye)^gI;r1a<i|@0K+kDZ-_CTg%GAmlg3-RRZiiDhVZ>BV)dEhz<OY
zwkB;mFd&dBm5C?ztOF6#31ku~yn)Ko8kYob#I*r%Dkej<<Z{&LoBibUM7~fT*-r?v
z#DYI;wNGs^ZrW~JvhKsrrtNi0=Qy_5_d0@mjr&gQx@6a*_z#y8Cr${iOE7)dGK2-C
zu9`+%{S)v}5KX90VOINPOVh7aGE7wCRhq3-wG6W*+oo3Pk}ZPR$UQ(kv*q%Oo%&pi
zA6C{PPyq?3|7y+N+8Rr(uG;d$$3OhRcQiiOxQa7UXT{>%3f~n?r%vwQ4<1N;V9<LB
zXGNR9vzO(Sk}OPhWNM96%1lJ<NX99`kZqLmME)EHt9Z+0H9z%3Reb!6$|0ZSOqKQ8
zEl>rL+0UhBdjd6%ptHL-)HmNU-jNJOqaD3xoz*LvaHcC}4*8swIzw+qq9<w=`h709
zz3|z7NKM!ml#AL3N>l0_NPY%&{Ka%sdR~Jhckw=yWDhA%a!5ny>Nt0@xn<`3&iu9}
z(0`-5HE12}3S=7Q!@CW^(F?{$_f19;-ffl!TdXHMyUE$GH5O(2fbeSveht8|a*nJF
zyXsj0Uh#lqk<@=?Ef!Vw<l5Wpqk|XCrJ85<_BDD2$2SakL{sCy`ID1-hP?+S7Uqei
z0WWyB@JYP87M~<~Dtoh9JBYs%)(%#a<aRAvVLeuuZ!GG_AmxOR&Bv-k<!rOU-fw*D
zW8W7|2X<Vv=Yaa&k26|V)}!pbQaJ{;jiFaDkE%KXnzj6nS>eJLpLs?!U47vt&++F|
zAC*e1w_mM-_ZO@;r&ka8&M`yuQ}nbt`8l<9sDN~?9O@{8KiE)raYN4qGpUx@y*+)~
znl{-|f!>+%jehHvZ}~1zsGzxV*<x9kn_M(5UhuzOB=NF!5Cd!-HlKDKBnO*HuoABX
zf~2KWSBffi@Y+t?m%vZ$g>17cPaHY&glKyH`BNwV^FNifK-|oPoxaw4q`pcj+JaZH
z=b2|$h&}M{lkep&e7`7WR>rl|y~T4zVExLcROrC18P2mWk8by!XN=jr{uM{tq#>7^
zba{dqVN>A)@re$clwf=)gZCKJ3a@1}Q--7BguLSN35;Fp$bW$q=G07mWGP<4VG`cJ
z>cJ`XK%DO0cfJ2J4<7C!<bAvF`4@&(_?UzzF{TP=xu@Gd(wOi@o)5?|h<&m0b<tGV
zceT9!yYU>aT63msZqjnAi=u82>DAH!eraxq1h5&AMA5TPbQ-jpeIkE5{gsVHF%zhZ
zPY8AEQG<pKI?vv}=+_12-~MJ@Wu;b^oo<`X=(LrUI??pvS!ca?>f{k?duO}#@JBy-
zn0+`Rtr5DEgOhDPEk4SKLzQ6CJc=a=d02?g@CvsiQ{*wz0d2T`Xs`kXd*r$vjIKg=
z`@J`J>niF*(@WRe@?Bl7x1Boq@^$IUvu`7vgZM%Z_`-TQ>ndW4sg*leUT4mFzIXSA
zXmrEw-k#mmwr+P%uD3Ur@9i~2C-#ku?AZ_wZ@6H1WZy*enx(0Yn>KBnTEdu!|7(FW
zBjn@hxnXg>2{PNT3rMLUtC!9~GMp%NIc-XRqS<e?EcAyX1DjK$11+gk%YbMyC&sdw
z4K23!3x;?o5}-XS!k@ndJ@pzP2a>4jCM|<hxmCrBs(Z*@2^Zd9$?6f9p)7^rpFjdO
zsaW_e0JSN?d<jKKyrpOH)N-{s2~$7MZW?GYZQCm&@%*KR!Ds^-ZkY3LSe_@G%`X>z
z>r4$qZ2xqrjM0nlv<Gb!75l1dX)c7%M&Pp^v6>}$E@it(U1Mpss(|Gg7d&`YL*Ypf
z9Y-|@1{Kvfl0^;^71>`SWapBH9youXBi)*9X%|hV_(-;6#{Q)be^{`@0%5XyL*SR+
z61~W6RC4U3lDI0S)zQg0c1Em|lMRGA8}XB4Q94h?c0>_3WnKXsn&ze!PSA7g!!3XS
znNchZUY^(xnM?S+;l?gcHtJ~VoM|226`J%820cw7Z>JY|)84LmLn3f~qu*t<xzNYZ
z9clGN2AZ8o_b#i)W^b_9T5DXPOej2%c4J(uUn}B4Cdg=|M}#CY)|(Tr?#0hul=Ny?
z5uRBQj$VCrVIQ8k5qp*NB8&P=DQ30aGpRQ!QC=k|uO5`gJOw0KSn!5ER0^4{<=&?I
zaEc^x_W^@<;Jh)xQ~2IQSJ#9PF8u5*SMxsc&=V=UNy)h@qa2l8QKT8(3yD0W+}o1s
zN)JAAw6E4$i*E3>Ju8obCnYzxq!yAd$+8oxDt=0=hn}M3xt6`pPsc+2bXFdw4eW7>
zF_-o!v9at=2h+I8!-NXVj4Dd1DXFE2w4oTY$m@m6_uLz-sHxCZnX9_4>Of&49exYm
zw)<Z*27IipN{jUvaWc7(c<H4$GMI5a_1muv_IU?=Ut{Zz4Tmf)6MS1rtu(0|k-A3G
z#!>;21;-}DWU|C)nB1bMh6|%7&l&1_vQI{Q;(a@95)7NLv<oMMv|NX&_UJwDiB$pV
zH4XZ}JMTIAo|alNaT=<cQH@JjY)HA?sfNYE|1JE_c3ZQ{)ok02sbKB@h=0C=xzwv`
zUp5zY=<4|3-2u(9ewS-XYrXpe?@Us~C$t4k9)15uh3yylI{p4m-$jK-Kg!+-J4qva
z3h%7uHJ-?Nl`?@<bg5#V^8&D<ui^*Z0v$L3-$iszzmiU4=Pl&!)aGpAm%l39^zwf#
z3&U407d~}0>Mk?;Qfn5Yx_`&Z^?JYNkE<)|z(d7w@mtFM(GvK}3Orr{|E>aWFM&U=
zz>_8LpD6IwVtCOwyNcnW`rbYnzUm{pS$R%I^T$8Gq|B>Yfp^IF1Lp;8g95+uH1LBZ
z@VIjSH6`$^3jB}^XXBCa7Sl7l0pF$Lx=i`rb@KPvxK#KJCGc~V`)?|N?^58m$Z+<4
z8Lu%t!>jy$@-wUk&@0{qYd)?yN0yJ0dZALCDh~OnWi7M~Iz~m6AZnni(0+su9#mKj
zC>3-g9mx+Kd>nZj{O`ntd2dK^HiY1Gpd=01WY#L~2;qZmqb8Tv5QPKc?Qlfc0**Sn
z$zZJtSbASoTogaZv^Ww0mwx|#vOPpI$|+kc)fH3qR^j`S*8+4cQm;<&BbZ+$G^5Mq
z`AK$wIzP3DF1byrSTh02ZsVW$*$VjeAW_JN%i|GMQvEmT#KWTw)Gd-n9jFo^RRu(D
zmp+$=zf+(B6p{%{jTeMk|8AYhTln^>@X^md{`l7m58Rs(T;pGhP82>b*~S-L1iug;
zKcoNOvV9s7{+;bpJ}=rw9G)aNMhpoox-nlDvbS4MGgZ=O%1ohRF58TF1C{jgfCgw~
zQ<x)hm1bP|`2y0n@mIFW)R%}>7Va^8g0GmAAQ-#|F|6;iL4kV~MM69cj<P+|)1ObF
z0}FX>ddPE=9?K_#Gx?sD)LA{dcD*@MA#5#o-}FShJ%vYN{?TLy&;Wng?CLoAp)mjF
z8D0`X^PgV@JiTfr-wxpahrzc9Id(tu`7k_kcu2?*9wlE8?N1JmmcWU>aClz{{J#`<
zR)TZC4c-4~_TD}r&YnNJ>La~HfoFs`@gp|=Vt4{@8b7UH8uwRL{0pBa_`oOGxIe?5
z>lf<ybJxH_#c;-_`TfxnIE|0P`-<Sti^QinyuAqiNs;J_!;>X&;wK#5S^_7$aClaR
zga5#%q`)(Rk<XuvpZGDqzeBoz0`M0YU+3_+{2buL$oMpeUn#+HcpUg4{>|YBi|(({
z5})SqYg9PyCqB*Lhh#V#C(!}H!KVpMe3Hfsy>50jz;xP>TD!K)hos78Dw9PSUYrk-
z6+{(tYM8wZ{s<o#)hQ)z$!m6SzDb2I6&|Vhv#@818KrPx+i1O`vF`tJM_Ps1=QO%a
zH4Vfbi7Cbdt}2Ox2qu@`WNlzvk?k3VtDBX%-!9Fa`NtTIeU8ysNEnj$2K;7(6Aq7-
zz=;MpytM>QG{E6m1#Tw)n*v`DM&vySIMF1(zfZZJ{B=Zo9G)zJtM|tVj<uoj_lxg_
zWuR0!Dq9=XhB^ToLar-JQVQN_tOO+pB-uK(sh++z^7N$vE%o%3nNw1c;nVp3s_Ls6
zf*F`t^=^HY-r_V>pT-p^2vx3h&{kEkR}@WFqpND!Xe#y$N^1z;Ag#&g*;++~4u#La
zXQ;q4LWjg>oa9SX;4OfEkF;v+r^ApF7T6Dplqj>()b7A!rP09#UImIiQzVn@D~i06
z&TGNnsKzK&jiO+Q5m$=LQ`Q2VzN6?nYqkT|DCOHwzrm0hJy%1nNjM@WCXPI@vhu_e
z!Y#uU6ZmgK;kp-J6mIFKlwQcepX2glMx$R~^Y&}*XY-x{O^+7ALma+}tao9E;fdcL
zmEd0md<UaB4v$Ol9|1ni_#lV3OYl{|TNo{Jc#^}BL8#IELL^$}@T_z{e=pG}hxbYM
z_u>Bk))K$t@D2$+zUtGw%+`m)Gn)Guze$4MRA7CaY80T1ri=Lv@(38eA^nT24~ML4
z!PsS`jHHO_gWw)^cWrDX9(32&TJ)T2IO72)xW=iI=2o}FFo5&lWA5D|?Q=f1R%y)S
z<9(Uo_KR#SqC&q!gJuyvS=|30489;>@tCahmB2GXzaj&R?@s_uGLYgBPqH=r5_?Wa
z^8kN7!O>AYs^jo};r!Lh+4IfhcU9mE0`e@R=e(%GbysR$(fpc^r{w;OP{qchgA90*
ztu;MArccs)nGE26ht5&*y#&7ZDs07{V_XP0KnqlQi<a#q)f-QK0zK2W1iXdxF3MBa
zGTn-@9Vk11u2jLY0zVW-A>ETsSwP3KAuAXACy@7KFIu@V`y^Dy%NP2D`u`Z)ynFZ6
zM`Rwco8j-v9Dl-A8Gqt#Mzb8AmEq7);BN;0I6Nb4m1VSuBx1n7B0Z-|c}_9hFBHMq
z-s1Q7odzD4;j3m5{$b_$3j(5`eBA)2y~UrCRqpqd+@BHh3LO<cCjmIu1>xUi<EP*T
zY+NDF#?Sn|MetBDoY6JEKUxB(J<Z|q5;*Bj9Nu06C;7$U$zr(Hpul^I;S6v5{yqin
zBmcB=zs%G5_=%VB`#Y5TX}+Wjarl*|fgdb^la9pizorDfRe>K;;4~hRJ#;_mNWdrC
zACNV$J<_W$<L?RRupvZ1-Xhx`W!9uBi}?v6BlGLfISu}ayx%-4%A$N~QvT|bU{tC5
z8CW^8^d>oe9EpGOQ<Bmrrc=fAF_x@Neo)G5=UGuyOSF^fzB$M<9n;%|e9I<(wzJdI
zL@wv;Lz&JFj~A}{Co3vG=56jCyt;F+`eRK7yQ3#L7~0iCF6UHtav-?9oBa5K!xlAv
z-Lv$Ev*r>_UvI?w5o5qVUjT2gLL*epcb9Q;6(d|@bh23)m?w|N9gDR_(p7lPc?&pw
zK+dpHEzAfaA*@t}usB3<-`RbA!j)hC@P}V4+-$WDZP?H_@P-K%`=uD{0U^agz&swZ
zM?|e$*n^7S{|sY2PFjRi!HjzCP+tZb8($OBtzwLCsd-wwa;tQNMp^_p`;bDXf)X<s
z&Uzy?l^54qhI65HgD3V%f5_Za+iJ=-b`2UsdqzqlDa1!;pX{N1Ua^32>h;C@yck~0
z7xs{hmhLa!S9@rGO7OVQDDe@W2z)7Uwm)gj;ZvcwQW!aJidSE%sG#~B)B~x<;eFxK
zoAfCsut?QHaP|dyDRneO&K%P~={Rm@TJq+z(=Ga9(T>_qJXM_#IoCE4cXV#+56H2T
zvlpTPW+w!#y>fg7_Cl=Bs!L9sHy}q(F1ayiZna4|fH0#(reu8fFnxgYi&lj%5Z@uY
zg2Qi@;E>~DBjdAQm+;@L$d5+G-#I)h6vK(na(JH%hnzqRM}aR0ZHit|49^H{l05L?
ze&WCM9LRBc4&zhu-^WXym%#T(Ua(jU8}AF!cuj1)JVrx&kHe!vF`UNB;e86+Ofek=
zzC{Bql0Cl^z97^~aEbwuyyMTwD$ntiJSQX6v-x2>+D{{9B;BujLHISsD`@6H?@OS&
zl&XhFL12~YR8AwulIqA-RkRNyw0J7&jw2GxDxxR@B~ej5LiywvY*e0fO7zw$NVO)>
zO_PP0a9jpeN-4S|Jkm4o++d9vZJzGFnzQPXfwtBo-u|7#sg2#S>Sa$RY_q3E3{l&H
zxz^=yhpHxbH8^{_3tto_sgawrxi`G6+7)c^1-hGEz#q5`Y;eN&H`x00X<lXP<AToz
z@g@bnMe_%S*R}8k&8rgJS8{(w^D4uu3;JF0a}t0<zmwi;f)%51@G=jgidQ-h1O1a>
zl#<Cvhokz*$dLg?$y%aj7j?MOU#STP^PbT^G6z3))h;JRzplFK%fpp#zWVAnPkfo^
zhsD4ceSVY8-!HVX`LBhCis4LN^ZTPEaKa;p$4lU(&v1Bq37qy5hbK$mWFK&NYcafN
zoLxomDARxV{XIo+J6l%{?<<CDhm_~PsRaIJ1%6=({3->0c?n#-|6&C$`{ww2GeRq)
z1CCG9uQ<Ge?#HTb1Yf5ZWE`2yl3%qfoTa9i$i86mlT$(=orIzOFtUdS!S9lYBx-#X
zb8}%MEH#_G^85>VjM5zJ2umDX^7O=-Y?b<hHx-91yXJf1CNl~VN=_dhH+?{S9<oS@
zVZQFTDWdi`%D6UmDzyw?$6zsLWF{AdQpf7O&Uz-dZ8%N5Hm+J}ZgiNvOlJGi0edBd
zStYuDfas;-W{K~rbX^QDruPS!oaXnl^^u>$<TQt?bnO#?1LgVhIz!78KgH<uMQK0n
zW&3F@JR}ss*?!{pM@!(eZ#cZ2!+8vmJ^%mV&)2+6&o6_Ais9_}{QhVOoSx6&?Im!M
z8yudM;jm*7yHwyA%_~IL(tC-n`TZU8{ot$LVf&B6;~dW8k!<|mk=8}S@WbPj#6LK^
zPbh}dcsM*O!!aJjH5GV9^Jlit!r-^X@C4wmLVuEc;NZ7jHN&(l5~}9FP?TH8YzOQx
z#GokWp7QId4<yAg<et|&MoPLh)dzqtO39JQJLGdN<eG9%E9sISUg7zY=bZD4;mYsJ
zIg`J*hBW5=6BsM$IFzqLo|@C=>lF8`r^AQ*+ymuZ@pIkCceSabQH~wWu8g*99^e@}
z{mU)Me$g~<ijQV9<0;#Y&(224$&4}NAop7!_dUp>Rx$=9*WG%O|2QJd4U&Ya2EM2@
z1J9Qr?H#AaA*aYQ?Pr+c+IvT5fD9$ICYDiz;@*jDD<R#rV<aMo!W-)Mhx+Uzp*_Q$
zJ4U0?(Oq5f?wW5@bQ>bbbE>u0UDaqgw<#Q%*gHJDcOr5i*VU1y@sn@;4`Lg}?^A0j
zpD_mpc@`KUWxkLXojSnD*)Vp%%q#<m&Z1H}w*~Wa;<FW>t%!*;-338MI&Q!w1hpk+
z>)^<*6y9WQt!pxw4OUZiI_c=JuDo@4Au-Y3w8KzceQ~8BIFMb~&=e`WTQuc|n}+vI
z-Ej}m!0NJS1Py3m<tbdYEOSH6nxt-eeC3OD0LTId=~YUGicy?hIqXZAJQhon<48kd
zjQn$tRaIPE8BGeW7K}KE<(KidOnwn)XiDCQh0;V&^Fhf5RXw>USe^=<`QU!q8d#Zi
zxR*EcAdjsV5C`@iWe2Jl>&VO5b-)<11bN0Csd<-r!$wy_ox>`!WV_py<U4b8;4!`K
z!U}IAPr55g!~0VR79M!gpFjW<udk#$1n_X$PZZayWN|%~=P5jmxm6%TN|L!{m{oHs
z37=|SCDbYNtZ>n{Mbou~3$ac?Jln~hRjYbc%d$Gur^y;}4c<<<CoH2PXF*L2q#5di
zk9_#Oh4($1P3fAKg=Y#A%hw!v$2;UXu$WgR#gZ^5DX#-_0$-HoNIv;W=EEny3G64(
zzZO^zsWtz~{3a3$L}rY7I#}gtoX;VrjBz)dT$cR;5|=BsvtNE-c5QNEXMcZZcYptj
z7hUv|$i%);<fw;2;}?vM?wg2QwmiRSVPVt!G9NqT2V?B;2}^S!A8sY{`SQG(-vY;V
zYMxfvdZ{^66kjH8#Pg=wGL#jd=I&HI`r$|arLVTZpffbo_7M61B)Qn!yqNq6=w5m^
z`7JBSZz=swe!xoRH$+Wo(AJkR7A<t|S{1L7+g#ln#XFO7xOm@lwdW-9LgJ6K{sCJ=
z`pFAN3lF2u#bd(l2Mz#jpF3~>W02MoV<20Y=P4uG9?#63mVS#<w<+FEG)y`4c%L}{
z{zO##l_T#b1PJ$olI6KV?%+L$Xy83KJs>=X_ta`wf4FsXhg2Ul&&<c0=xyMTlsm+^
zDv$TmOi|MZ8_0o!Ez$SASGe<AH{S7!<&Qr(|E9OTi{|OV`^Z+RBwI|@E!gj*LufT^
ztG^bHh(SEH4ql)MoR9(rSuGD<m!yXApIUGmdSeZ)R5>7uD_Nj)t;g>q#pw_ZUER<{
zEpXVOZCwS*u-FC!eV#i*D5}IQPQC3!S32D#%+bHEbe=UB3=W?4|Izjy@Nr#L{`kE2
zrl^dj_uiW{qtT2;qb^HUu_arUWm|UK6W7E}?DROj0s#_-I6X_2&=!b+KpH6|^xsnQ
z3GferADdn3vXlS;mKNff|M%Sc-pt6dP1yhbm5kq;JMZ0l?z!ilcF#Sxd}Gg9Bhl!{
zSv^8acTw|QO`*HHfJ^b`W9m@PY@xWiC#W77Q3r8fSX~aO$Iw4HmJR*;9>Z@pc*kYH
zuea_QTM~jTAG6EmC*|zpXP43$$%JPkuH+%p;Y!vY^WC8bh+Brk2AN&ZBX&<pwP5L<
z?+f0RNxm(axh>c?-~CZ_puDd4rmL3qX#f0YZO^i+Zt7iE4yZp$W8VSTR)c?}>+7HL
z6syyC-9CL9Z;<>Xypojk;7Z;*+T=vq6D1>#uqVhqO`$Z!V#$g!wiP{vRw3x@pPJ9f
zY46yi_c{%Ui5>kE@@#N=^_za1Neq>`hZ5<F)%s|*<nP%s7K@E->G7AcQN8-&eaUsD
z(bcO*OY4&R7#;lx9Xi!I++R@seYQTwbyTJUt0a;iBG!1oL(K4rZc$xLBHtxTiY3A2
zvNMy#7Si@8e)@ulUK0fxz>6ra6?vignx+Y~NasOXV7D#ZFom6&=B1mageQ)jyl+bQ
zaAh;s6{Xc|jv67U0cl$e(j`2yK3)`ICCJ)Z3nB-wmjk1xcot{`X{Cro9Fi8v@*qU*
z1RLMqA$%X(Gx!z{84l2kw2{#ZMF;_o_8J`j0Ns#w{rBjG@88ZaAIDpu9|HPJG$efN
z*xx53)=5T7i*yT)f8lSyKk4eH-{Dl()d|a7n;?BiP?;EA(5_6*E6F!Yelo_VDZERT
zw6s$fvjTh6gm?aVS;v~eSae{veY^)6e2-{4ve^(B%w>m@<^#ham%__yIuDm)r1KyK
z=wa|4QPqaCKi2|o8#Lq@)iuPj6$)SCe~=YFP&h$OX9LnaCtgYvLmM6GoEX{>k2T^b
z_WI-SF3Rc+($T>IWkuRsEFKu7`>!?lEh($6rL{#TY+qxzuJWCoEnds<E!h5{J^qE=
zP4j1kx{JNB%6YrLa9r@@=R!ij8t}0k<Iv&i`Va6Xq7!d|-Wt|~<j~nVe>z#Wu`>BU
zn=)0Hl^W=$JUt6V+u=A$^o#f@`Bm(gy`;60-<-;bkI^c46jzE%NaOtkcq5OOr}>fs
zJyH-J4qImd@wz1Re{7Y<+_5h@XW1yw#z?!+UpV-{Lzz~uUDu{{*@MN^o`KY@sR7Sy
z(co)#Y1?qVROX=v4;Eg2S+H-i+eGokrgYC`U;XN3J!!T2Mo~;}s{HC@@>%kD|CfP_
zOq~LKq^l!NyQZtx=RQ9pn(yu)+l>1VeYm6bAM(lSPmzkBCBu@}0=U6O`^R}UFN65|
zo&&k@(28h0w_){AI+_f4`ur2A9mW0oqLEZjWN4i}lHBPIh5XC5`u%R7!?QgUnH!G{
znAEMyvYC+#SzBDMfvyEOYWl_*xGi7RCTUO6=~}$SW4SFd4@R6M;z6*wK^u-him)nl
zNY5ae-`=KC_up{G+tnIuI_kTYRG{}1F3w$pkcs!WdwWavYkvlC_?&?a^sn&o@c6sD
zP_Eu0!&wBrU3E{w8GN@qdyA9N9{KAO{fPXxh(8C$DPD%J)e|LAP6=kamxl$~%g#4g
z$YitnSbj1%T{L)FTpHv|@U)dbb>F-4qUrx!R!V8qH{hrZ`=-jzIbBr$1RDT60QyBO
z2ltXWQl|@|1eyZ`1J5l%w6C21#Oz4gO@kd=nBGi<#Jo00gU+zQt!>q|Sj^@Yv)>?W
zylX?VrP&ziDC^aln?zCP?o3VIF$F#IzRu0<6I;tQ{&cdQU9(?+`$amhJQmP-!M{FH
z8=IQ0%AaR3np%pj#P>zIB*siYe93PaznfBY<}<89lCDf6(=5krJwxlmvScTzPI(oa
z$dW;Z^@t$Jc`zh{aJ1m{n!E<LuIaN6b`{jw?42L=ZP2$K(ITaVaQ&sX-g;@}qOn!r
zqR9O(9sv!JE*q`uSaQ&CecskRQWy<HJ<;A+9x-gkH!ioy|4-3V6eVTHRpD9@K)FP_
zrR-vj%I#yNY_=pUqksS7z%|z#xVp4Jr=l#BgqE%j&6m{KuCA>5OPY@VT&dfA&aPd$
zi3!P9obKwHF8ZXEe4d=F*RF<a*#KPYL3fZWtu@JV28~4NnWBSGf13DAfB>iY08z5~
z*s)`444AQ%^T=p{lwf=VaZt#~Pkf{1DOobM^&Nkl|B;W3YiL|&rt}dxk?YMA)&!MD
z*lCV>3OI%AJ;_d|xAoXJB()<y+k4%0g_I<|%r@9?p7l$#-CzqY>1Csh#K*6(mpY7^
z2EA==>@9k{`d!!JKc%n2J=7rDL#~ZJv}b}>4!Bj-aJwWrNCtyRZL<70jnrG?Rs+!t
zNj6$D!ciq0*9ykP<0l?wP|$JRbw~*Fq(fkiiCY*f?z$zs1dh7y!@Wc<hWWZB+^F%;
za#f?oLjtE=c=EkMzL=jMh{T5Gb6uHCv9mKR+;in)*3?+8IG(m#9EwE)m>J~fL0mBI
zEZ}*yRq`cq>WzLY$}h%kDvB>8FE5P+@o4g3^4;%*6;fuFLMFB!J8|?_1_$~v*peZ@
zmJ5+Y5ltt7C+muD0=~Dt4-@m7WvwKOL5X;5^y}91x2!%ktUxi)O;BKK;K>jW{m}Vd
zuYm7F>iCgGK%M8*EgHVw#J!>1u5rLxa4~99{JP*VijJzR;nFVOQc>1}hJ{y3+a^;T
zGv}0hwglHWbAH4VJ2anuw6!lA>bB0rc8I>n_@3pf4=fM1BYlCb#gz^o$alHSn`7{D
z5#F#iodnDdK)pxd-b*ayC1yt5>4t$N=S5xCac?PQ!b2%AOWQ8Fl}cG7xPOu&NipUm
zgq4E<>#-1G``#Ok>yI7VV7_5@@3ygcd~92PS8s0@KKhH!eF?_V?(<@kd$1LEMdHZ(
z>X}umW>(KrU-TG+pMnM!?Hye*0`<8ogI@0o-#bd6(?&f>&c;EV;AR6UJy1iH$Rvt|
z<zYKNJytyQf!lL^(V?}uCS*CyXNgWf`N^-?*Yp?0Ql=B{48+3;S?@XR{(vQM{h%p#
z^^f9m^r^vDyo3ifaskS4)WmR4wh$0Pya_XoH~}9C6Xsw9B@uWDtmHC+AA=8rHmVSr
zqKsmg+`{u8vxFRp>HgT388c$3G|g(Ww>@cdwH~A0o@YyHYkDlVc9p2PKos4cP*f7X
zE8M5_^#w_Sjz@M8#q(I0jtBjN<?{&Db?PNDrA|*IN$PV&iLRo#!egpvc({F3k6ThS
zJIeAxiWN&EEcBMoUXkgT*<J3TEFbOu_R+Rae!69(5axM4Ld*9}P3)hFvOFL8t^?(w
zlI8<CkG$^}{w2hGaGj~quUb8&9|R;sG#SRZ@z~V~zB#1KuqC^*>%J(`w|R6CX^Z56
z(&9=U4Wu)Lg2A&(6&vm)@X%>*H0t$6BG=;M^+h6|J|@nl0)bTH=LCXonP>(4a^45@
z=WE0Vm_GX&=qv%h{YC}KGibDYs&v+7d0oHt17bgHJkoE;yUk@`67Zj_=hm1$b{x?m
z#0Dv@EbA@Ne3yq67X0Z^Sp^nua}qOlE>eYSe7U9(U&kaE<8?qQ*+351<+T|4C9|nc
zdCw4q$(|fL=<U?{g${kCk+ObM;ohVt27!ej`QeDqk)0|tI@o$qEJ(;%`c@x%=vbIZ
z-{JY(rydfzT$w_y(@FlHT1Q@biOXOX*TQ&#yKciRfnHvSV?IrizuYcg%nN9Jjdoc#
z&VIiDdyXxz)#rSERgdqEc&1^d+d8JYZ@Q@qIvP!Jc^-&GHpjmr&+*>sEqs0;7MbQg
zx9^ZEk(F~>f$TmWdzM$7;C3JMS{j>H#A-nIYN_d7OL|xzAMPWecpbujqee?90#_e<
z?_KwruGMng>cs2Eq0n-@$}EmC8d#ywdE<6MQVS%cyTc|RkS_@_a%yPcSfnedc%)!b
zDmYraBymlH43SKOe3Da%t5{d;*m3N!$CCNAgOM19Ip%N282g2z=d4|O&T?~dxFbKB
zG9U0oqO_u<tSwog0sbTWk+dm_OH}w{0QAcF{i*mP7rIhJ2StL8n51RlS}3QI{$jiB
z$1Q!?>_GERn+NnKuQ3UqIj>Zzd}g4xcL3uqRR0R(x}ZmR>$EA0rMm9ZIC3O~xV29F
zPMKv~O3|qdjl19J9JCrom)^^F<!hSEEzTBiycqF#4W6dfCaXhpj%fO6YGZq8ReF8<
zK-{d>+#m^ld*z={Kl!*mFFpyeULp^wbb9(~T-|A0*+Jqk2`fAQX}hW!E0iCu{17WU
zq~EG=egmza)mHMCXz6tug{)p=6lZ=(TFGw$St&jX(%QM7l5B=H%ukAWP(sY2CC@4>
zjb3xjv2TxQ{(R*%Q{SdoN%-nuvxI>6yz1`7Hj8YO)v;gKJf8(^DOv(q+*%N`h!1&C
zXnn60zf(RPvUs^4h1<U5L8e@v<VB{`YQ*PAlOQi1dF`+(RTYqZ@wI(eCGyBIwdwDB
z@0_qi#k-0J3%9-n2i~UhU^u;uztj2f9wbYOa1^bs7s!X#j(CMdcHNR_OPSd)yAIqF
zGs=K<b)K)mfEk5VBFHm}x1_u+<j*t8s}IB!$ZzhXOa|-#Z%qC(Irg+h;TcV0CVYC=
z-l`GP@ek?3zSBDQM&?W(qyCXkfYt~6kZOziw`4`S9>e@BC{c-NApL^IpH@zY!I4Dc
zCm@lZ#*HV{wNb^{nWV$>Q6<@Sk|&LZQ22WOUHM~6ylJ~HY@-2N>`;4%4HB1a|Aanx
zkmZutzpR@tnM+G7kw&J%ERi}hUuqMR56+BHB8ClX_$1hw^Oy|cx*xDjXLEBuAdKRr
zjzEt4Lzw?2)rQ5mUt&YmaZlKO2L2_TO3U!724&HXA+9Nr*MRn;Q>+ZbG!zDAEx~O<
z$o<Iz?Yp~c7S#U|8AD&-E(45a4s=d=@*-HjT|@^<JiT=~=lhj-^e}Ndo_m+5nKA%@
zn&t5IQ)JCE3O~~%NAuoO=FRhr#7xJJx3-UN>{*&S&lhd_@RBv?dJYc<a4C=fk|?se
zuZi}esO3C`B${b8uo+n6nG4CsMX4g`>HwEzD}p7k@M1$M6_VG{Qf`~(zJ^pE_wK#y
z*wIm~&|k~<@s+8gM`@n5VxCbvX+U-EV*D<dXZ8FGe5|#Ai|1URIpzYSSRY|496XkX
z=-?UPUMuG)pz)`;E<V$g+$hn-SyR|lyS2ZTAmyJHr%sta018o(q%2OJa+D^Wpc+Jf
z#?T+n$@H>hm8woJT<@pzj%Z~HG5|Oxy5Wit_yU&umw5Y#Y@b|M?C~SF*J7_<jgHCJ
zggj-9KF1}}tiEo>v*j5XM6|9%+2yUWO}j{|{h>MLCYR$K$vn9nMbk5C$quLEop*Mn
z)#A_4;8ME|qeN?A--5nM!bGRb3)fX|uf;*3oZ_IU9Qiw_{P%bs`72;oA<qM^4>6Ok
z;5oj3JumO!mSX_nbH@PzioPs9UelK|vcAmqL3*F-%d}?=?I?O8-v14IpX=51K7TGl
zdNrP-^8Xeqweo(ZZ%gni{I@vDWMU6I$;XuWcE%{goE(Mt3^Ka&yx6qXol_0U)H}#B
zm_LL4L_AuNcGZWO{lxcqh1qjatnE?uI_?GRW_*uy)H3d#K};r2Qp2xgE%Ma%inoQ5
zDr1=`AULr`Qq<}gN5Zk6k_`picCi-lFp3bL@xA<tPM66Sw<CvCW*|N`XA8GGoIQS9
zpylS^aG@g{n@&W}ny~qkHpJ`s{E+~TD>7yDo{n<B+aB@i{bjemJLQ@jaHk`IHb=(d
z9*At6b2MF~4cI&Z;T~_q6!BQ>{>n2ZXP2i9D--N2OPn1K9_+{bPS#`A&fwip4gnw^
z2ag4-dodK(7{xx~xNbSsvS5Y57!D82=kxQlnlPU?`H<w>?lZ|(ePYG_vC%z~al~;h
zBPZEKrsPPzb2w%&#D+WbBT33YmjnYyfaII%aZXF(%<Hl7+y^0HRfJ+uxcsD1FyDPa
zetGDiaKn~nmlduBt`9#3x(d{N9ZS3j_2coB=v74rCZ7T6U1)(Fadc7yD-QR-$wrCp
zO(U_%P{BUiaZX=5jvxqh4Fw%#`_^@t)#HQS$&h7rHtp^hiAToAhP;w=gm@kKW}gRK
z>AKJ9jO)0BBhFKZHcwv1jo>$mE@<#+K;2_Us^eONn$q&i`EY+UaxgUJ8OuaE^x=Wr
zOy4qpw|7N)OZT?JI||F9Lvu*yx5XLoxs6CSush^0IGvlqvDuX~DakNgO!TL0;6xNN
zM*htf_|9vQqe~=YUC*a1S891>tqB?xVY$Aug*;27?VIFh*c!WXoO-gzR(Ii)5qy98
z`eVzM{pkWpR2wX9m+cWsm2aMR*$;=k<6ch?%M^mjRsEyz9N-GqaeD?nqC{!7$y|cM
zYU(Qj+*8b@NzGqGb~HmOW#!Sq1IA~@PbPLnM?E9)bhb0%jd(_k!kX`DgMs++qCYyY
zrnNn^#TJQ2!-+OiN-$rsrqz}j&U8%X0kf#;0X_UX)0OgdsLwD@xy?k!R4n#KDl3;n
zB|NuIeg4*TCeW<{b1kY9d#(gW206D=V+);w3;r2n(c?@8Y@%~K6dB5SLOm-|o>V62
z=rC$5F7TsedsnPDI2lcO77Pw!xHskTS<}Pq?aMn|2cpqv*zWelY}m(y@c_@oxfHY(
zQj1|+qK!7H&GqEkY@H0@C8Ql2B;B=YbGVdxU3hn4Ak?NFId|u_;uU9=w(YtU5*pf9
zCvf;J;4liG;XvJMxFnXj-qy2-t>qc&Npi$gJxn5ak+VL=Bm!k*%G4x6o^gVj9AJls
z(S~3e{aSd0q%eO9%42RdE&xt+tSSeM-k3ew;VVp}G80{%Y_PpQSe`YQ%(0LsQm};D
z2g+uDQ4fw1bSFcu7PS)r7QHwlBi<d%^jRg_Xer#Ab_f&3gxME#`#iDVd4hq6wJqie
zMt}m)Q9HwdANGH)PDgQy5Q#TLh}2h_pJgLNdHX-3ip$(iv9?J5xiD({+%zlvGC7Ga
zFu?OG8<l0QUh$MBd>Z`8-f7TSo!&NQCfzc)$+yZ_@OKPr9Hai&NT-+1{>aRYBtd3E
z+~p!72`7?)%1bHl27`0iT922=C^MdOgThv>JTOHaQ_f_iIBqlYQpwu*lGy7;o2GV1
zD~@3@iVg1Rlg?=U!oGc9Xgo&=ZGm1T&=IxOrL?s~2dyvDaLrRWxRs6t2?|m}gNqMt
z-S>qr>=Sm?&l+X>FN6ohJS^Kds7>yhhsMl9i5mIANSygoFlY$o13P^-QQL%oqXm@-
zz4**lU9>YD^mwzLWzo&OiP5~Ty^vJb&T9?kQgMgPX}8S>6Q)oxk}f6_-o?1+uKrLU
zJJ<^eU4tz`utkWTp5-oSMm`b1<^yakbbg(zEG5ryR%>F6z)7jE*BCq@zfA`7takaN
z){rSwh%$)m5x>XnF#=Hgx?n=MsfIh~ldFUf);$hFzr9xVJpYcfSPx=vE573lFr39&
zrSh_1!da~6;<@YDb5lY<^(XOie7}Kx$M4`B=i)v5j`wixDSHpk2|pGuM>(EDIZiTV
z<?X8P<J{0Oy#G#637xt51L1OE2wdn?XM(Q!LH$h7ABeY|?m6+C+H)(a*WnDx8&KQH
zXY8><*PQIA7IsK1*i8K}${RL5d+6{p8xw0E-MsnHwSX&+dQ6M!k<}<(4=4x1Ox{sn
zKa}zYxrW5XXAU2tb5S=|AHdmHd!c!}l`|>#ir<($@y%Jhm&1EP?LBB~Dt=lBq7)$K
zPd<}!@2r@gJpmmYXHxR^x`5ed!O!XBSUU9u{s7P--H}7Q6?YV!*UGF}ru`5nq8^px
z6G5Oi{GBr?<6Wmdk#cYEjMa}2A6H7;sJA%vCa>3TTiG}3jQYC+rF@gRDUYi^>QwsK
zhkkN+>-~h!8@@S$H;%ji!C91)2flt5WysDC%(REB^|L6u;_Nuhy#!e)(9Iyjl_2X|
zX`?RaofiE@G3BBzSZ8`MA3VYVVF&g=>a=6vc9%1oZ51fkBA!6m@>-b}WwY$L@rJSk
z!dg}~Q7en$xx?(;$y%8gZOpT>sajbKW$W3yD{5s0yt|1#hae*vmIR*TZA{n7qP2Ht
zYGosWU-b)V6JTCdD~qD+MOH>$cHXzNa7gtp!s~c$wpJFze(q1PvNg3bPjx`pq58iZ
zFIB)zJf%8?69!-8c#+GzD4S)^0WY<(0bwmG1775^D4sja-UVJ7o||W7R6lPchIZGp
zcYznVtblhnvFCsnxh#R_cpJcrTo$dp3%tl>Bb8sPegO``@S;42vKLty@FJI`t0Ss^
zseX>*MJ@|gzO4EbD+6Ar4D#0ly<&%OC+x@|^rQxlXkD42R9&Qu@~sw%1W@EsP0@s2
z^jvhX-Q{W@jN*!%xr0%6H0s7j@9SCJ)wQbR^OaV0b*=94&G$}D_Vi3n_5uc+$&G(3
z!rP#!g#ZDqSDX~;!NZ#b$RBd3LT@aZKXeuZi&MWKxW}ZXmbT`~m8c4JdGXII`s2hZ
z0oV9hUG>vm;7USo6hn{_D(R@++J*%l^vfen?b(@~0k17$9vVDrbdA{`w_nyjyd&-p
zxgEW86C*ApOLuOT+XWuiqTLibh0eXS4|T?d?x9suD`<hk@+vtp^lY(4HuESV5!PKv
z$=gxiT&bKP`b=@&GaAi1!`ou*9;Y>E7z&N$yj=-Lz#B-r(`9`+QOvuX#bKx0=5UyM
zq9LO%?GCn^^qo;}HVC%~jeQijI?V8H!ud>Cd|V1O9mqoKlw1`emoWu-NO+K(a<rhs
zS1D-$L&ID!gi9p-<cpLr?{M_ZE05jww*LM{=d|k7#-6|aVshhq)6ncOR>0Xj+K*sW
z35YmV>upe;sCB}a4j7{VFB{WC6h&1r+0bIN!Tx!+wAM3fO?cd)sLSj%<jk+#t8H^P
zd2&&kgX72TjJo{(R(<FTTY4nP9PSMG3o$$4B?h?GV=TSk?F1Rwv?oy{jhT%>MvGZS
zKt>SyIAn|S0FoWaTuN-FL?iGleQj>R)w#SQ(`(KcLbmpdCf3<Eiq-mv)mIGoG%@|*
zZMoIG0grKctFgB$GS(L;#O?ELU&)styQY9~+XTEBKy7>#<s|61gP+!tY5lmF!UO8Y
z)}@ls6Zd>VNQ5)4Rw=t`Y9hJ0KQlYKp^I#-giOa_%%3tlThe^0-bY~aQHru=3|^5L
zS8kL<m~lmE{gX0AvJ4~SV3QAJUSd}zWuv=pR#C#A=fdTbBkT2q?D2xnkKRX}{<I_2
zV|KeNW@os`5lH(Ze!V4-az?t1YD;^-o$?xu-jv(dVNjd8<IZ%z@`lS}wcAW~=W{-r
z(_wH%?6ff&bT5x@3-Cwd8&rDOxPa=!qeOW@^oB4=LFyLtrcAy+ZY}XM$XVDAg)}wV
zN>4^znwZ1t^R}03W1PnrCyIVJ2ORF)_$&TQ6qcU%$BReV-?J*$xvCe5e+1P?^~2!x
zKZ56^@r-t-yt&Oucyd1Ah&c6nXT-5)JQCR)UN*ieo1Gb777kr`)A-fHG|y>W^23l1
zN<BK(F|Zn@B0@uCIaw~Ai$uof?7Xtgq2a5?Z@Mys>SnUpRpZNeJ?ZLSRR5wn0%&UI
zx7VcvKjJ}F)#Tuz{oYv2i%(O`=S?KMJ_-c{Ji+R<s!yRFS`m<ER(+d?vZa#1OERp=
zm6aTcl%RH_o=AMzjb(kz7xcrr?(CZ*S?*E2A?y(E<MLh5LcWm=p@rV_ZZ6;DGB3(z
z*>j}#@aMdEcP%R;y@!`Y@!Vnd?qscuo||W7ke%{#F_f)m?~>lb-!0(XP3$?+dw5x*
z)&}W4avQaGN$=rhBdX)7Um)iK*L#%bjze3ZGSYi^Sz1+r-g6zwNbligLDkLBd#H@`
z9$w}b4k6#=S4FM%DuxpezHegR-^;$c@O>-$ek;aCto{u;+dHKsCN@8*hgL|*Z`O)T
zKSqo^k07O$cmaZo_RmrYRzhldx^dDOEpY1I+p?vl$<iz~Sw42_HMbse-{cY3CK90)
z;mFh*!lRYBJ$s1XkdAmG+OuE;!z}ijcHLRfS_m_h?>!HpH5*zZ{lLap4DH`>V^Weh
zAf{`Tb4<fq!&q$;ksRPFEW<Qi3in3_I^5C3c5iMtI@}Qrj%G`%SC`QCqli=u_{*)L
zWnH){XcE+3XM5$heMKNp6##CINS#<A^MX#<S}|ZFMaV3(Hz&0%o5c0l5zI?8Uv_GL
zky+UriuA3{WR}}|&0$A&u-xfMnR<JLL%!bmo}Tps!LVzY(KI!(Y|3sP8bgl>AGZM?
zbPgJ|sz-~25fZnw1D1O3Xy~y)l;ekUIG46?O>w?I80?$Ndo86=bFjl}rY^dRYs-D>
zdOYg}Rwau8J)48n&Mew#g%*IZL<=h5oM)iqLS2&kNM^saA?t8KaD3vfyB?>C7v>hW
zFYq}{^-VLnA*fZTPgqi4V?71I_2@nKuu66;e2CXU_<kqw9bzz19WAJXu+K9lza_jY
zXKej3J3A1L46e!Mmb(W`5r5b4z@Xna`9aSt@)Go}1M>R=A;*}(JUKGDLO;3wYql_r
zIrZZh!wdC;@WQkrT$=z3Mb$`j_&blbgEAVm7xuqr|Ni$-Pd@m;%G_g*)$pNu0QDdW
zN3KVrI9PMhT-Z;~R_6F~&FFIq&zUj1XqIu@kxE+k#mQ%1-CG=YPPK;2Zts3`v@9G-
zrMsQ>V25C<{3O(yfwx(K|AVMc&plkIkMwEY4_e6<<aIKvG{~nswa|Nf4zoB5`7Eo#
ze(CCqZ~mtX_jeJvk38~7<!?_cyR_EE1lrIrm^tkrY>iVT>L~1ggmv-54YctsJn!fE
zkpK_PC3=r=s=?|3@erN~o1d>`lVRffD=B9d!`<o5pemfd(j&PiE<lX1MwH@XsnNJ7
zs?`!f@!a(EbCtP!P03W;xa;AEcNycUr0L#TKWMJe8XAX(;NoLIaB<#7e2-&Ifgwlx
zv1?~a6%HP3mo&PwaS_!zYVxI>(S_vE%G|fN$JQl|p()I3qU}$Dw#m+NqBVt^G@4d*
zPNJ;H)petvWmlH`{?f{9cABo!*^WY?qob=!I20UMS1PUR^9TCoaUBSrH9ayiIXN-{
zIV1BE;;*z{L7`}x>9n(lW)-RLi}?vZ-kMqlL-}A7u3cY#I5OCsN~99q)ICF}Cz<Sx
zS?>5zEEMvf4KGeE{|fp>r@hk&XGUO=GQ&mWHb`2iz)hUElG#Jw>9|aIp1Jl;iVQr@
zOOJgbN7zq0ip37>V0vN2+0Lo;)OA9^^oXJ4^*Jp1wD9HWG3xNx^p{48#*4QqxL7!B
zbr_pww9Pd<(7ZMR4{5+i+=X~6aVZ?$1YD4OsUPFC7%TE2P9=H&ZsFnRaL${Ko^#3C
z?yl9z1e+plK_tB!GJpL3`+qqUpm05v17p5Z$^$2a6$e_QR&|hMv=hz2BpIC>;YUdf
z-XxjMYd&}&ho9ZN^pqyJjtt_n9ShMx=b$g(iuihy1!ra;8eiovIXb)^SHjzuO*t~d
z!l6)T(&loStQNh?T<Y|8#%zAysM%sQTdjJRwJYQAPSVy*z-z+j?gx%^pi&Mi8G4l4
zo6cXdvRJ05`PL)Crpxi<=7ojIhuM31^z#n9XJ(YGmiyU^_b6V5A`HRHYTL5djrPY|
zHtvtdV~O1h!l6Bfe){@IK0osMPY*#S5UOvW_Ulj|8Gn3UDsxha;6#m!0&K3k<xsKN
z)FQSRn~Ue(L`3?f=<;}cdGt#PpKTH@7yYO+#MX;B&uWYarFlT+EybCTDMzt06d6Lh
zgXshem299dYPTW8r*>M>S!)mYG))>w*V2^Tl*7hgNv+fPcdfc9-HO{LO@g5Na%3D?
zRKj2Wa%hrWD|62m^Uk9Cd4^A7B3A-dH{+Ki{Ye9(Sw%CK?VDy$=|IhNt`yOea)%wX
z3LTY`4KYY`3Yik$qr38=OQKqHv(#kJgbrVL`6bCF6ZAAw6JYznw^kb?4oAee`jzi5
zm?JhgKfuNLn4AZgjNsy2BOzE2jn7)+dI{wku%2|f5k@B7Vr~%;OCLXok-1-RZg+Qj
zJe}_Cm0#SC?xH_V^mhSuH#0s=^g}X>%zed8Lv*C%n5PqrthE!2oS%I}=y?7G;qno|
zyD(h&=>i~<bza~v!eb*)n+ecr5iLMGk79y}I%%Ah@%CU2lF8=*J{i4|#ai3_1l<lH
zK6F5J8Hyc3kL<P^J9{?m5}htv&J_=@OfH*R*P^!Mv_@xJAt4+ZNSFGX?M`#sxXm>^
z^Vx{SwZ@<?Yy9Q_;LBjX?2{(pKnTM3#b+9e?xzh-a^RtrPU@8a5I;DKK-GQ|A9SMy
z6N9IbWF0_9$cyEbRR)BlQ}`Y&9M!!JSk;DR{O``3Mcp*FUv14g2Pd7$u5M?<>-Biu
z!XdjOD!g=I!EE0;)4n|Gn$H%pDc>ztK0ah4bckQY$dd$7B-dNlgAKy7(ZLRvH#Y<$
zxh>!7Fa%SHkloXoF+&q}W|yT?qa7|s+gNi;A)PK5nwJ|~B)gccBI9X5#uNEsXf}}B
zg~p6*Q657~$e<I3I8vUWReu(vCyyrQp-60CmdCMNqP2dAo)3&nyOIUBCuP*^-_RtQ
zJ0!2e4et;{_Vx|Qp$@0jR60=U3Yner{+sRXnPLvG5l+T|6UwbdYl$2y6mJK83N%FN
zMmQ`K6-e=7eq0G>AvRDv=15s%W}Amd*d>cB0^##9tjv4b`$F-ah*^}rq|JpAk*Igs
z-b-8oXGA#U>R6UeF3Y+-9sNOrsWl$34Oy)(x)PKx81W?Vjh~R#V~v;e8iLG)j}0Fu
zV4yi=0~~5x2_6%{LoU0T+luhwNA{VheK4DC3*@7=sNQOX!07K6E`MW{x|KYQTFtb^
z?KRH5K{P@cs(vkO13rqX5!I|}lRR3DzE?)kQ&{9BQQHlHM^_!bPsuC{WejnoCQ$Mj
zy7mKL3J0e_T?RnQ%-F)tH@*d0(HIb-2o#b`q^)HvFl#^{`qwrlKjzE!?E)U5aevrf
zNZ4}*6HH34Gg0&goJWdk4f0cZo2+_`*5NIUEZe=t>T+4}@rF_^SGd*LYEJ&T*%or7
zo$4m9%^b$LZ5{qVHfU^~(K%ZEX<wU2XX5EwlG*O%Lf-9Rf9~HoOokRgG8irLoXUXb
zZDzDhbBbm^jgMmO>Cjy^F14xL5Mh|vuQMZFAiv+>F?ul8n7Bih;PlYfpAQ7h#($&n
zfR76_aKE$>^TWubIY|!#KBR|fIjaDNV?07j`?|J!!eI|Sv-`zg2b|6TeJbx1rYldf
z`l>%ry{>u?^_js1g7WARv@|fpsmVUI;Ob(7RCCUvW(*3%f2}dE)6;6vv^Ck<_UnC}
zQMuXIHOPP?I(@?G%2U3sxI;Lh00DX?Tpa?gxJ^T?l6)Y$j1DlTy>C2g1W6-)0$__=
z2FeBmbQC+ppU$4yuRi<m71tl026lv(DsNu*?&q&=M^pf7<B;k(v_X;-bAx(@Pm_!(
z>PE3&pc#5=PkO&u(rEO}U;!iD!tTm_esM-k>z;s9^kNQ#*iPyY-luV;7;MTk7GlIr
zBTM<)n*kx6U<iJI658!gyo-J%K0)~-0684^VB-io<no6p%Q{376OTY|);Ec^Tx8T|
zD@4l0{bpn!*=KP&0_fXxyDix3h;W(+z6!z!zDncBak&{V+E}!OLU+`z0w?#d5QiXr
zsDTnWG$aVQ)(!~PHH$VziftYfBSmVsff6~Ngn#LOZ1+49>d$(;+5V7n_4|B&EPayP
z7)hs>WnC`FkMu~^Ip3Ae6bhL%+}NOljOzEoKGx5mitWF`NH7hGWUL&e1dgPr7<`C~
zj1yTv0(2BIH&ke~h>$??6~}DINKjaf(+-6|9uG%moeopU!$hmsk+x_HvV8r$@KVI=
z=AzYN9^3wsB3>z{>F>!O$M8ckj$|A6IM9i6IM<kg1no|xVIYyHH)C9AhdbGh^qn%G
zVGj>Q?8r`NCrI9m^@f^^dtGDfaE#2jQbkW^Qf!{P-{91{JdRl4_Xm1RwykSZKxBKg
z()F!Y<4yKVHs7w$iV3h;uns~<BflI+hC(acKS$^>&`hbJM^1Pm(`c95XwzAA))p&R
zGl;W464FR#iE2;yIYyI4$Wk}jNwT#wns-cY$njlll!(n}nYai4WQZV<N(w*-RajAi
z=E-n^=MBTbwi6I{tDnH+BtN(IXn4Yt&83nlk16OjP4=hy963wWY__D`#*o`IB^+{F
zN5dY-RIS+=wC4sqreVFQt<{L+#YShyksHPw(hG-FZ%7Wvyg`{0GI$%QN-a|jshNZx
zno6X^>T#vMm^ot^!dyaF5!=uwI}HuO$A^2e1^vd=tDTl6LzBf27Y?oLzjn2H!-ln2
z`&@#0T0<^;z>x&rHj1AI?F=`<A^Xy6cvB29rELRXFo1EIPzi0gVVG0QGfJAl6r?+P
zyY?BqUf=$8t)jUbAPm0vxqv_TYURm{CB)l@O(kqW`^~CEWBYOtKa=;g%aM<lj#yeP
z%gSXJ>`VDXPkPt+L=gAw-FqJsG~5RL8|t*HCf`b(m;f?HO<<~|8B@3{sbQ#!_f2V&
zJCCF&a&#JnbLRK?jglp?E@hQW{vESN{3g-lBUtX*z56cuRGz$U^XBUqo~fVf0h3uZ
z*9emwrB=f;;g{UAO@KrL_Rd{dNDss?K!zI}W(+zy8k43oFajfu0|p7jAZyxx_93rN
zZF3wvd+!DQklO7ME`Q{oy9<TxNB+6k-CaaAO{zDAvjC58G5yJrY&Ceu(SQINxplLA
z$3?XRqfxFo8YulugDq>2))}3xmZlbs)2G$kus_?>qEl=1+W4-+dS4{>rX;PF1gFIy
zjNIyO_qcMdTPsh6azP`}q#L+OGMXUW^R3x(lxV_^E%feNulVb&w+WZ`ets?f=QKuR
zGA^x#El2TJw3iHV#N>gkMQPUOctCX8Z_f3*JNiQT<<6oZ;S9uDT}i)i`SHlgo=A7Z
z9C43YTmiq)=L=fCg$58;37`exmrO#JXmm+F$RU8ur^viTk?FL%i%z>#;|@!!<)Twc
z7Ip2r4ZAPe{mSm=pNByTLmshXf)90nA9eHCF%SZW9Zw&{lY);uSG`U3W7W5WuQ2}!
z&xc9R(atT!>p(-LD`BaQtt%LW8=}M3>z~sZO_r86Yg53O{BgRseD2!z-f){%Gtq*P
zpuROhC*Lf74t7ASW@nznsc3y4+e#Q!hM=U-TqQ$UFRLqN(6SXgmTxK|&gCXy!}PiG
zBBCMnTg!t%l2KBxAMfh7S@-YDX!SZt+onzL+HJM<<(u1D^pZ{g>r&R;jx#IYh80Jw
z%f7Ah$57UtEsYrUhJYjO)}sd!x3Q#$a2EuJp)A^@!K%T!sCQ&OI53g;o<Z`i5rg%B
z;gU~{f+=YaRE!vHvh0*<t28{S_hgIflh;fhjGocz5?{Mu{JP5AnM|)U!c3$8zYFu{
zN(U#e{yQ)iuN$w}&j_=qvO|uHLH^PT9NDsL#UEI10!4D>O;$H8>$d`{L<C-3$pQ~B
zF~*noi=>od(Y7HlsElBX55{|<*r5L<{ct=I^Ns{!0~se~XxJ52Ukt~CC)*c-v>hV@
z)}39JB&&8!Anb`_gypqL5MW?2=anNJnS^Ntm>fuw1f)I@fQ>S)?j9h8iNGcrW;O{q
z1(>dMDxUy!rCdVYJhxt_hEKp}C!au2IJ9kja-_qV34`aEo$GweBamej8NhtoBK|9=
zwS6(Xa`X{{Hw5jHoKOTMacCs!V+XO*23RMP58U!q(yo#foaA#(4$U4CmZ*Ac=8;v*
zJQ|<$P9R3G(-w_LmXw2eH#~)?)HJ_&#Ng8FeQnP0udSBldVR{H4I9myCgVfx&SbFi
z*~#f&>CFdPo0BP8XeN6`bth~hzJ^79NM#KxLu*(sRY=vwII$Q!@dXGQC&r4{2d8uk
zI>%Pa8qB|B!@Uw7Kp_J35e_MF0xu~ys0n;j^r*fip2OfEtyo@zgV1RIu;^Jq3-5Tw
zFBHUW_-%2VF6EwR7j&Y3*)q8<zu0`*=l(-}PK0iCyRbt11o}hkHP6Ccf+EA>J+Xrp
zGlj{ZMLdNizUP(^xZhKOQqti_mIAmsopg=I1O7xpxZR%Y4h2gH{!f;Iq3)!8G93=3
z)1h!0^^0g{o$#hO0*cSD=pM$e>oMxj0vrK?pKpughe3fKC(C4D<Kl$UOXrx8>qF<%
zLEnxd#a+WX%eIw65wmG<<wU-xyD)(-7SqtmNoTjGoZAyC6k_<Sn;y=MhRTlN=}EVH
za(XzsEL?UDPfzLfu31VkM<0gEWc5z$cmD+}$(t0(Des>|46-ar>pMF6jw@10knMzt
z89MQR@1mt0{`@>4*uJ<Ydzf+pptIPkfULvpIojRF--X$Rr#kQy?Fr2?IqU@a%QFO9
zq|}5DPzbj1@#Kq$wN(>R?BDG;JGv|}5z8c#1LFh9wNq#3SNNyBg-|TP3T9_7*sV#1
zcKQ90s3#T<=Z3S>XB+nI(RBpZyWN3^D;x;rM)NE7nfC*(Jc#di;@c4|RXZhJwp;2r
zXbh5RXWD~6kb}e0N{g%>qd&x5X=e&zp`l?=z)={_k@-Mb0Ob(HBn8(gey_Uj<4{~+
z=waBN&khN~?s2WIIn+1X*}E<>XHK|Mom$OZHwc2=B}iLrYkG8Tx&@6bW$Rp3@@JBB
zc6%;wiCMPj+L~hBUiH-&V)PH{0rtpV1+UKmWsK!K>8I)+^+?Ou8}0R{P(iX34ba<o
zFDc`M6{XZCIun+jqH(9))8z6a_1Vk%N{LSJS)^i+N0L6z-+%x8S01~!sCOCEZLYS$
zUB|9`;DHB@O_nEx_$}eF5dOcV@^AQhY;hm#sx?X<WDW1seL#L(CaEdEKZl#FZ6n|#
zI4Q3t!AUs>PYvVq_rK%e2I$^@>jSS(3!^p2UYJG}K*FsZdt-H=oi5dd3S2hYfnigf
z8ZP}wxFw$(L1hEYcp1&`l~u0dhwuyGH-Rg`oy3)PkJV0%BT7nimj(ss-^le_x0WfJ
zmE9+Bijp->VeR%?ox?qX&@-&hPb?I&3!!;y8ZK)6D?bpPJZ|XA_}gu3V_WqXAD&R_
z^g1kjjca;04#Lw97wT}|w7toon<@AEJgc&u!0%x7yErTMD0)OE5IqYY1K&5mGp+K>
zVies&>ocU+krSADL1K|acof)|^J2mjV95iN>7GcMv1b&nI-ULN@n|fzqH9fWFw{TW
zxi&fCSRU}&W5xmhctj{>M~!comQ^m_p-qi$>M1RZq?^v(ruI8GyQIqNYO8*m+ppOH
zxB}Jp3BM8V14r%xq}V+Ri9nJ66hpyf0__xOV@#Q}q$pq{zf24;(z-U%bU25l5!m`=
zq=INbw2_?bNJn*vKi6t&b+lUCmR5~<X1YzI_2s7u)^4M(*<p-C)w+EbJ2j5>@tsY&
z^EHwn=tDj2cka=)m)8`Wt-1@OruJz0z-P0w{bACZd#ZP0&i(?k&IsH-sL)oBXe-!2
zTk>|FI<Y0_iA2K_W-2h#W+j=O%k)_<=%FWi_!ALO7w8%sTaTA07?iROD0iK;yS#jd
z?7kU6CpnzfoS?Hgkz?A5CAVZP@f|!PI-*LrZ;6d3k`l|WW)y_=nifr$(OJ+mA9bff
z;kEi!Yjaz{IJrJNxS^;o=v$lGn)C&OCvRJ8Xv=59^HCIwcA>JTRU>>%5MJ4cvjE&@
zR}8ywNY8m!MeezD;_$js%l>n~H7{(9x#o=e%K6QiRq3317oV#NpD!S8QO1Rw0Hlt-
zI-e&g*CeZXPlIa6V&puZQ!lxPh`&?dFr{~*jD_6Y7z6FlFL7Ln&NH|Y{kJo21G?ty
zpGg7P*;f++%9N#vOVkfJknC&PJ?)Tm>iK?2S|kgEhi;cN;>|ZmHXFo&d9-6fqj%{i
zv~9))c>pxepmf@kb})gU0d=WFJ>&s-w4*HE<6#9KGO^V0QQy~1bU?ZwS#D-|y^dxG
z<<Td+(5#`EPCX7W_laFLK#9kZ11o}Gb@-6nCka9t0@XnHAr42`%<0*7T#3^WpCBpY
zCqCgUCauL}l(I%pco-N3QYy-6w7}}1{M)U`D3%DK&imTDvG1wdyp_LB;_n@EgXc})
z57$qtI}PU;;%d=w?X{I1*S+>yw>ICc{T2TD^Zl>A_L`8$;}89Vb_yKnfFnD&au_*0
zWO_M+%;EYaSL?{Lz_b2@q3H1_kuY>`!c!Q(@oZaad?VAKm6ejg18IZ^4fGBBRv86I
zh~zQbp({i&i;#P3ba?o9W@aFz8|c@i2WQgZ%bPnBZg(Qzbh&W#2F-`e$&u`q_K}S3
zWihxS5&2Cjs!~^fjlM+KcsHXj$$AEd`u1<RdvcN^wy}}iZ=5rtC!iEkSIH`;K2TO8
zxCKG)G(H4B{h}CebWi?my3&}^GsOGpO1bW6E)XpckEOCW`i<1|7+>&Lr$zz>q@tC4
zGWb`*M3CseB>Pp+HanWnQ)@+^y7J4&^1;ZBrkLxHCvLhtSRM-A<@LLV)U9f-D7<$2
z?Uk#JWioFFv65N{RDSZuKMMZJPx>pb3bD$o`|t}J=TYEBBfblxl!gw<e1qgY$`DJ;
z5KAPoM=D!%J_ArYK*lP7O=L?)Gf)@;kurTJWr!?7TKu6&KyC}>Wl@%`mBep4?ww`6
zec9Y|=wRdgczUBhHy8-F+tqj6ab)Gn-OZA%N3;dZCcnko5j!Rvz2uy&nXyin)wbM-
z)X(GE$^|jI`)rf#kU`&`$aj2a8UbVK8tsPQ^Uq;5_bP>Y&!F{ThGI;^Y)q+R8hnU8
z1$?M8G+rirNQ<KRO5;o8*p4fWG0o{BuA~9deJ79*1OhlcH`27j2EByT6NA8sI}vpb
zB23&~?CA!PGa3h#$H#j!`sKZX(7W7u*>rfntGr9N>MG%CciDZeu(?~4>(<<02y{jJ
zp#mdTr+;D;Bp-_%X=>AEHBE=ppxFd$o8Ll)#_QQ?<=p{w{wD9Xt{2pe9eGZ~h!kRc
zv#%FgPn_uuZMd_uyAWCm;*Rp~ELLKau|=my4>m)s7eu6{42AmE7S2gd`PVwLp^>qP
z5x-^PUx#Kd*xOWCdw6Q%(0WL*J-SqI&f&gr&;EmLS6)$hxoq4EdS&{i@JHyI<+{Ep
zPuhAH8f6%*Q4;Zz)=pze{FTO0$xFsbm}VmVLXwM~OyjDIH0hgscRf4Zk_j(ahAG?W
zYX=eVVa2~;@*bk!PJ<*w&pTf|Fl}x1819(<gwYZX`tzR2$imQ;^P0vE8-k{fSN>#)
zB}S%(Y=!Qke$NJ%c|vP&w~lMu{AORs?Ov1U+`8cROrvbZ>GsD4c3Azk7T}-jNI!)B
z8Lel5lCw$Fu~C;`N>)zFD9yQ7qjpNthO|@4Ny;gnYo}(YG)o3HX{Ok4o&9U=nN0hJ
z;=)igGPKaWHo3yLw#{db1?GnrgpqaUT7?H}`zz|*y8POUS598IuGGAJ3+&Q02Aig`
zSs!1u5~C_03nJwOyb6+LpE6VB2%>r~>RZl<*(hiFQBFY8Lny9_G!7bBf}QLenw=z%
zDL)ih7L+dlah}lVz?L9kWGw`F=a49anV!%$AU`KYci0}EKDV_mH!8gQ=6u`KWYci|
zkq;gH>ZMcT+Mw&w>BzF_;W_({zsl&*Q2iZpzF&nApj>Rs({TnaLyIclPoPJFj(7`E
z8TEo>2;CcSrQgUVB0fSrAqqqeEcof2C3w);r)V$Rb?h@N!TcfpoYr$UufpH4JMl*m
z2;vd7R6h4U{m;{D(`9_Va_#E1tIPQOi)4><cr}JrpV8Mee(pqs^(BOH_$~V4tlP;;
z_(kK~TGSWxq1G3`3l9^dBS}OW59$s5s*DSX4C);%;S_6qqD&gmTECt@gujP`mmZ?)
zjYIQ;J%ek9o;Yye5H7eK{8zv%suY-;FwbjeRLXL_PCa#~dAtxUa}jsf;v*_r2O2jM
zF+Bg!jBxWqm6wE<gvTeeGnG|h7s(a!*<r|l9}h;mMyY2UZM*C>xEiELSu{yRGHHP;
zX$J&@9arK^bR{i;qz}m=I;V<T=S<&|cZV3TMS?jH@SVpuLnRs>{%Gg=5%7@p*}xaS
z=+2c&Irq_VO<`Okr0m(ruCB=rd)M?)VSTx?rxR#HEaV34A8Ua<h!qNjZX1zA`&4y8
zQFuhyxuNntz4*ZsTk#rlcFFHyFAmndmwu<cxY9Dzn`C>pwYWYfT!UA!mm9mc=ubz_
zsQ(XZo6ZC*Bhq9eX3u>J9I^y5*9<mUM%4=%A!SppE~Df*I8H)qoC_@%SPX6Fe-_Gs
zfMsS<<S1n$Pq-YzT`wcn90p(($nV8<6RyL!ZU=EVfrrIQFN@uz!Wmqs^#nId!{NWp
zaC_i1`;CRap6-W-PxAvCB|&@Ieae-Ooc5>r)BZwx(2%=E3bQd?Uj2!{$8<Lv(@Eh|
zG^Fw~(UYFpz@8Zwz9T<_JZe&!Ju^|Q$n{*wo|zQL>Q?FroK(*m_RNIvqWp{>^<>yH
z<2X>0!*hfD%>R|2A((@wtY>ObJ?*EgXG&1&!Tw%}KSNTAw{-<;tNsj~S--&QnXEnY
z0sf3g>z_)$oF~C^7JFue@J0C<YK!BL@6DsR!`oURywp%n{G@s~epc4{MSVXRhrF%n
z+B4J^$KlESnqJg*{>;hn)Sn5W9tVSGW%buGet-qc_i5qF4KSZf8yub)-Y-Z+<nB|S
zhk7J<THUZj`c&H$eju+LoSK`n>0eh4o+Z<gEwA(RN!@I=)3IO(Zi7Jb;0|1XL@CW`
zWhXuzR)F2bbWCkyQ0wA({s}f;uU0ngUnJlB_Zg?7rM|hp@<#ps^w|VxA82iC#%lD$
z>0pA74Z0XnZHGUv2R<4<{CO0j0wyQx6*@34lCG4YifP`mpWxe%K6>!cN4I}w|7Y+&
z)gd^9-w4+N=S$a{BEmNW$Nv2oL0TU;Ec{T6qAl9POB78jVpyrcS`F4|utalY<?Xkx
zJbIM<dwBZj9n*K<|D)4)5CKSlbtPb(!JQGBn2MIObPY>rQo}u({aG}Zi#B`+j2GJ@
zk#_nB`;|N3>65D0gtLVYA@j|ps*6;AVe>4a`T+X$doiK?j_MMX7XRMH`Vdj=2Ml@0
zV>|i)Nsc~{ryp0Q5oU!_+-?-?K|%OUrCa#Mqi=uvqx(O#_ftpuJJp^2c#QD1s1Ein
z>L7ej@B!g^L@0F%C5=5ouM6MU&)+`sDY9MI8ND(LZO|b;!?ne_4?@{B+yDwN#lboL
zu6G?LupYSm%G;0RBI-!4@@tIFTduPX8fiEYs!sR@tB}`r<n}8o-($mFtCMKU2+=6R
zDbGUY8aW-gkrDMYh>7M`BjMpdA3G<$%1?!FJoJwJANk1scRYmVXs@D0_z&?Rj7zuD
z(jxf}wNe5(GgBOOYoP|yunBBYBj4o}uu+%A92FkC?7<_stU8-Rjqk2pa{b%iemxtr
z6mWhJ`g1K$t{mf5kBpI(Tomw`WMMOjY$MXpTWidNv_;Zr>pFVAi#*~*m=a+)c*zkC
z(@)nub=I+!uL|}R+gH#{<yR|GSMIxU-<9kiz~ooGF8o3GAXrs9Xi*Q=L>2+*$K+LD
zkqZslH2D=NT|^wL2}|Qjc!IK~u`QT`@4yx_t%}bi*u6bU_piHru7Gc#FQ;5Vf|xUY
z)itnJT$mp}V)NriwfO;l0$zY<%?5sgR!d==#w6TWd7tnNaE{6kF?Zss3y~#<{DQ=%
zYd#~{cgiwv(e?uFJaeJLoC}kF6+s6hNa2hiC~)I$>KaNYY}^bqr<jow$8rNsX{5}!
zJmQ+it8xV@4lkhMSHQg-#TyXB<s;iW)oqb<-WMCrdCuL?H|JF+whyKziUFi`s~ip%
zZH{sv8chlB%;dYX;W2-3_`=>{bJ%0@cP)#ZbFdsQ^an~S+j}<j2X2W4!kL8MpOs3{
zY$27&3=r-{t82v7$jPG>53u>1$J&<}GK=s~J9AS$RN_?1DnIQf1?nQFT1wuBPG`Mi
z?FHx{JCAGqbuom)bLD)Fi=$E$9Q=1`swWugThkdG^K=dRi_VeMS*8As{r=3%xt)no
zlcV6xlsoml;>v7s!(bS>%r<OvI=4iVsp<2UZ@Ob|`SPJvAy2Wd13_fO<1*EAgaeXO
zl>l`%t`1S`0FM}uSA&@Op$JR3@A*a)K1jPPK}3C;TazxmL2pb?512zuM!geX+wgVe
zLmKHkQ5>G?JAC+(;nL=@gho7|Zum-Yc&m?!>!faI14NHaGC9G=B<Yf6E0$7<J!LpY
z1^YeIo=@!3wrJGa=J%fSy*c5*;KWqr`?id&Jt@Bb&8unLVBLz_k;_0ULZ0G#2fjau
zd<R+)+rp?{)pv+(u<P1bpId9Bi?jE@aCjats{|evwmWG>!t>IXgl|@U{E<%zLsx7R
zB0_ZI)#^9?N{b7EY7TW>hPreNZV@%WN`|y_veT}^<~cEOtg5;~{KJVh@!}ICn?zL$
zY_Wes>{1M>N$s>S*^k2`A;~3MH+sm6z;g<d5km|yA%BO34I1iT446z0#7+>uP`1U8
zhd{?1Q*04RLgr^qT|!r6q!?>zb+whfd8e;1o}S+1D$Mp|L;g-nDZKtbN4wo@4d^ZL
za$IL<+H49KUK!as;6H0FH@|8o=_+J=rnCHc;g8p57D~YY4wR;T<!~O;AH=(1qj#yM
z6z(p|yHm{%ijv^2W^yA_U^MLo;@KKnP?7-`Y&59+LO9|Vu<tg2fUTZ#(I5!n!jRCN
zWRpXO{XaJ0J<~Vr?Csro!}LmAPkdgjk<y1pCoau&cimZeQFvO@oVj3R^ny%tYiY}s
zlap6&DbclA{S+uFR~jr1P6?YepJ{FFD3-FV`o{_HlppuE$OqjFCPuVL`#EWK0I&%q
zEb)O%oI*$Cmx5#B9$|0gfqTqCt6FGXbMqxP<H=<8XX2P>#=8*(BXX=WKYaq7rbM)~
zWKTq+OF~W6CCzW#yoPGg&)wt^_TDogI4ZxKxTo>};aO0n0MEJ_JhY2L<nScRVBX2H
zU>Ala@2NZ}?73%BaF_{_HI+Y--tv~<!4#0;(O^j$+epezK`2!IxaQ_dZ<?$8w?}YH
z-XrX(Jb2G!<(I6^Z1qd<0elydg7ig*YNjvJ49H5>LCN|i7G$VxclA+ez4$BnIT9G8
zS8AF?;i<|w!b8G)=jflxE|eqR$`jJ8_%q1yq-uc8)5XzDbo|U>>L6lI%8B-re9(OB
z6|F~bMkPG8aQ6ixBNyDguyFVJBO~YEy)b&=`h0%<g`=Yv(e<Ly&UwlNHs6`!*O|eC
z_iWjG&%r@lH*djpQ*Og$D^^^#K9^fh*A2N%(cy(c*9JP2eM47q!*G=PD&m|?juQ<=
zo;WMp1q_($u>v&QIL}lU51Yf;b>in%p149heBzEl@oOtjEL%4w9%eY}L_Nd68SU(+
zI5HWxC6I}|Q+S(NxMdL81K#{M;ym?dn`)FwLK!Ww=i_0CzjER|!b|@pzqeEP1C33#
z`W1}LchF8P$D^#5fg=&9Xivzprurpg<tjBxUPk>?-fKG3o8_$h@^<0Rm1d=e_x=38
zsO?VB#W3iH_mQwibb<DwLP;8CZQ)$>H~&qFQ~#--%JaORR0rqV{2fi$s=Rin()DxY
z-JO*-yw2$GE1=g!eU+Il>nn^yOl&;CTKvwNzhh`dyKeNAzt_;$rEluml$W<xnuR}$
zN)7M(ub)%<qH4POC-L9K51_xz^?12DyRVZ7R}nxuWWUykWqL+jF?!<XBC_eUhzCbc
zJT%jfU_)N7l$NrHO9|HNZ9EKs7B(qOCD!mDHn`p%=MiY6bAcMe@c!#GXbRsb8pW&=
zR`|wp+ap~zwST@)*)FO|TOyS!W`wVKd;OcO3G3*=Ro9OXl@ImpetO-Bp9w#m|Jv1W
z160Y0z#2=+dE)UIj&oi0HSrzdqp-%v9y6kl?6DSHX?p>>my=k`2_^l)B8u)qrf{Oe
zyFEGNR(q$`?<j6Ao^#gffGx9n#Z-J~_?nT;AA8{D?%Dj6_dj(Ibr5g)DRi?Z(Qle<
zv|2)xPkI-ZC}^Q(>N`Nq0f}#}A#q9B$&+TA_Evi;X!GQTW44fPR^4KBS)+M>Tfo}Y
zq(v$^&jDYHJ>>M}V|JZJR5!O7%x$jDd?}Eb^VpmjucIR#Xs+CQ&K|TVs=BLxg68-T
z#@JZTbuaI}IF&5qrVd}dfJQ<CE+HuqTLotJj`NlGzyFH&zkgWWlg;+fKP|}jw!U(_
za{Q_zJ9i$z2ki=~dEsW&Ul0STUc`&Ng3~C>TaP(Ag_{w-a_u8bFT%6Jf8yDMj@h*M
zml(C6Dxr?=*Xp3(Xg-qNRsR0YPRE_X&5v9wK(CV961DU`zL$l0<h6Z-<+Y{nQ^HQ<
zwSAi9wWaSK_!K@Q{skvO>{Oj4K><aX9%c8kvT4;Oxoo32h`gNrcrGZgG!J<0dno%3
zD}xsU5Yf9k#4h1Q@#lCh-cUA*GHPRhm!UsK<P5$A&nbQnP8;YE_B7bFmtk%F8{eS%
zwBnqQ6F-i3(<&xvQPzugOK4ZCi(H0hs!xf7s>j*)AbnRED}PYkQvDo$-!x6%H{mSb
zm&Ko;j${p{v&BB)>xi+|>58?o8`0Lscw4oy^U>A|;(y_}Y_050v0HdR!g)Bla;@xc
zu_TI88_N1>WnV@c`^5hTWnHzh4_D2?WuOF|ZoNQx0tmj(Rdd2o(5Ftfz@LLX8ms<6
z3<z(6V#q&F`O2q|Lw^TWg)T>w>`~Ph6wPIjyzGPA%Z^m!P+&=*QOemB?5+oQd3Hyk
zar~%viXxy00u`)4;$)vu<x%oZl)MuqP?1nVfiYA{2WJIf8xDdyjj>;1C|!?Is%0~-
z^wdsVcjBoY-0#Ib{dN%7gD9im!HaNDi@R6gN=E&)<Q8l2IW>lJH<mZ<_-*u2{eLNM
ztiQ3{b4@On$?9_E%`TVO>UK5B-}}vOx7qA*S>@}3TyB%E3%uNEldl72kH>6wJDV(S
zw*`p?v-0<yPMgh1pYxGX+kp@S=lL$1!)|xjT$Pud_>NMiaIFKs;a5jxU#;vhmyKS)
zbNg#$*EmrDDsoo7v$S6P=0NB+BQT*liuo~&`LT4Jsg2fmM5y#&^v;$ic0C{tzV~eG
z)E27i#E+;}N#vJo)NyDBOv_WVkBA?+e8;;%yh8PDV!NtGLUK*WO{}ot3~F9k$L!It
z*#3&^RXp<rwEx1H+h-N8cwm<}xZ=sPsouxY{>SC^soDlG#~zs#KQjI99jyJYq5Z4s
z?c<z0v=4`9Pvqztap+aoE2wLw*rj@kcoNpRP*=mwUDkhAAR7RzKnDV)taQw(V3H7S
zX?R$px~C4_bFlXs^)=$2n{Mjfx)pUVfM0w}T8_FYp9$@472r3b8q|nCTUx`%HotH4
zvi<7);>(8)CD*TKeHasmRL_GyIiOcB^+nN6du3IZ{7_a57iD-_<cA`~V9XT{V#kwN
z+A1#VXZL<BZp9&+%jWTGW~Xs2<HFkP7avzaO9XeJHfft-qyOvVHp%z3q)leOPI*%y
zkKSODcBm&y4fo>X7Kg>*)vX%m*O>`43w#|E=TvtAXM8V6ZCqj4--XP>bKADznRCT&
zsqRG{sHODEEOAD!c;Q|MhHtUF>5u_(y^wp@|A6mu9r&JM?LvO3J_<fgxrJ!gJjqWv
zA_e%R+(Kru)v<)noqAIHaK?`K&=meO>jisyL>zRr_k|6i&d!h_+}G~n{aKHCkBdKq
zPDAx_e>5L|%6r$!>P;Y9o?;zuTqj;6x<VlrF6+d>vt}|K9hn(gi4m&X#HUpskmgQN
z7sXf5IZ@`?R!bW2nYFq(T_zIA;IdYHdUClT7>x!E%O_FSEb96+=<@IMw+5J$U!JiE
zSBq}1*DYQx+A?F})Am>~5Qszqfg<Iz6{?>U`&4To&-faImf?`W#9f5g6%os3WB7=D
z$_fGN*CXO*RU0JAAwj(4RPV*}`8Yn}XB*xVt21ct3CL)E7P0asW-w-f{+nE|&^c+1
zf}z+TRL&2jQlU^X`3ycG+>3qbU?80i1k=iu#*o^1PW6Pe;(y%Ep<pr@#ODS1Dn8eE
ziZR_&J3{rtVz26K@G8m^#t&`aJ`0KIyA<EeQmD4;t)5s%bJuvrigY4kZ@(J*Gwsr5
z!5ZxFc;ap({i3=aQ|**4gC={rx>zg<ugkn`l>;?B*00tZ3}y-ZFvaT;t5=KNs+*z9
zD0{B3PlH(jT39TkVS?gnqsw<?vaMl`G5L>V96n<AU`NLweac>k!%H9Pvsk?yba)Z?
z_&-{Iab%=OA0|^#|I^T}X~$4c8M2V1D4Ty`^*XVndJTFP#Ss%G$mZtuHAGqvF*(le
z)f;zB;v<%#Pjno|hrx9OcFCWmBkVoOqemIah;vgE2t{DgHgl3ABk(4@eb2TlFW$5L
zO7VLScOQ-51N^TPM<G-Gf>zm{^#<plEK_NL3!p%JP^DZb7E$306Ck|@#Zi(V-8Z4G
z1@U>vkoBmG@|1C&c)Hi;nDkh-S$zJ2)cW<Q3y2o}Q;ey`CHR{d280F-6tSA7-GQZs
z*ndpi&-!fxzHX55MHypwYkW@80*{EkYdN?Kd)J-6YvW#g#M1GOC!+XZOq+qbx68PD
zD|K9R<@P-nU%73M_~g;<ha>m^W>g4%{6of{I207aPFel<>?VZK76-&2>zFHX17pJN
z4QyE~F+R+>G7FhTz1slW2c*@&1dS^7j&?&4|D<~9%w?Kw^*t)<z&dAYj8uFQ+>`id
z1Zx1*=fr7MNeW<&5#J)am}Z0&!Gxf|JIV_Io+pmwi;iBcsIiBF;`DrG+?KT`1+U8s
z$Ei^LXUzG{l3AYfwC9hEeMnO!`!Y*1<ZSm96HaSpysNn*=CO*sqQM>axKn<!I4{{P
zCL@eFq57}lq-s?1$ndm6YBP9}J!LJ+*a3h5PlSNc+JiyISYDh|U;$iAF3LOza*^%5
ztA4anRqd*NO`bh<zoiu^N$HH}U9$%d&Q_{pQ)B2pV0bT{-&lKI*|`GC7~$`<#J%z0
z?Cil8#=Z_yq54sAShY)h8F1ECT4gm0a{OtKDfv)%Lulq1ad^!XYvWJCBdW)-ro-{B
z_%5wAF3C8X&>D!hXwPr8`nyJjM+UT^s5#KuX)5?)#VE^54;`}d7v#Qv5wt+NNy+O#
z{tcd+77c5OvpMYv3KK1ltQ;F#8OQF*%HO1ce7;}m5qu7ZA2V2}-d**o4zNDk!C{m>
zb16@eYfgqKd-1?4<Fn)cIYn!#)w_YG1JzI9>Ba956{^`gz!%;-fLC6*@7!}qX7hKx
z1`45gf>zK9aWYQ1G&d=_lIAAEwbCZu$Nw*kVT1_hcUMQz?mNJIh#OKw0_TQ049<a9
zUYMGKZuH4&P_?%Dv<SOYrF!#cj4o!XN!1h8Cs9^J*>70c)zuc&&DHOttc<c(*w`Gc
znpHch-(d5L^c}uCg=@@!6nY}}-mu+DpvJwe108{gZ*FMcZwDl+*<g`+bg6g|4GYzW
zF*hz0{~*`J$A=<IfmzH~E$N&*KNoZzvW;@6Wjm`+>}8cm1CqspDp41M3mlO0auQrE
z7;8R4#MKwUMZ17x$bz~2f-jLE*lc#AU3<=Gb0h@d{`c$qST(0Q0+P2eUP5_0Y3^bj
zkFurVcu4e5UQM=Thm3Yt3-T<RS}eMtt^eD(tRoS0>M~iIMW-1vg1Uw3zf{Aj8&RK=
z)n~5N$5#Vs9j0ER+m#MlOb$=$W^a%xZHm|iexP?novw7mt#fobZI))uv=Pa2h3c2#
zI~joQM4_LWG=&8;pgm7p`NNAZ(sS2WW2)<`p9ZFh&dAQ8*cbGuM2sM8FJG`yP`x@e
zb^GlA4K%m18d5z~{Vr%}0JQW2R<^O~Qhl`gMU-Vx_NrXgg0d%2whU#6TEn|z)d0?5
z`Vz{LDEkpBJ6N4i-Bo=*%AoJR`A7bo>eH&{kp+o8SGg1o3)Rnq2dt{`0M1Kjc}K^2
zXUWln)i+(KhdB8N&42KL%HPVO-{J5HJyL%@4|rLBGw3fUs?N(~@34+|8AuSkj3yav
z2)cgd1uI{<9i7LkkeAn2oAK`Rc!>7tD$zT%azJ}r>9w#OCtO6Y7gSGOaKWFSc%p~f
zXyesZ)pOOyu`gsq#<7h#a+K^P+<p<k8Elv{6cs^f3rx7D_*N?8oBz>5f+QZx0_HFZ
zY%#l*e#`!>aDg|~tZq(w`bxr#&1yGKnjKc_um0JCq>i&|TRMY5m&4%-20MX=2XR*D
z9;^YivT;Y|67-P99oiOjEgp$fEEH@1i~cU<OIMM`lH0nFKNw4Vm+eq|CnZ^^{-0_}
zb#e8pke4-?(THcBDh1O9d4{w$B5|Hgt!KFFJkf4aYjuWJ|Mw>PBdrddtxa5`0cBRo
zqD%NH)-t%>O@TAC#}ca<HBA744hFHZEwS$xM~?hrU!v>a`R8?Zo_GF1(Y1VJXlP`)
zH{ob$aU@hyb%QvddPKSiV@YvTQKlDAG&!xYQ9c21ci^33;9GE|*lM0Nq^?CbS}3~S
z+1c-TqfswDFUVK%tFc?UD<`5JPb}u~M3pPrUJpCvxb!>VUTK@#QY71qtZkAm)Hb=?
zsO?6}h%{NoZ)CmYkT-&?ozbX&$JVR&v9==-@j0c*55A}Gx@(j#XnVO>R()0q%l-D&
z`n|Njq%}9X)f)R-jP08~<_w3Ou5kGG__%N{PP}UWjydS@1OgsUP`QFXo&ndGRj0%?
zxv?6<+8W!|?Vg=|NXBs;*OzwR@@WOd%9YwyaJ_V#Dfjs)#~DEpjreYCyF7CB)+rg^
zUzBkz?Mz<RSNXbvW98a_Yd+3|Yd+3g6FA-YI%)njSZlY)c;2ycUvyr<^$G>Q=I_{F
zm6R_vTu;FV6+r~V6x#Gdwh&!Q;91mPN|Z)%@sz`bP7vS@WNt0Bpq%o9(oVuC?)|u?
ziT+5{4q&O5+!Yi|1mn?&yqPtVvJpw|(-ab}n9pVKH8110?luEbJf1ve-|g)+m<&l>
zxephM{cdI0lq>j%LOXr(Tp=Hqf<u}cboOH#^#S*%!)Fp)xsjI6m*E%_Qc3w%98lVP
zdSc>f<({?A>F4ABi|s4(b-9pB$s|;tuE!@Pj@Kxt-v4u%#0g^kfU+lWUCn?#lbyx<
zl(>>+N&7=62#kL7(6}L)jZ+s*T2C`ndv~jM=eJ(6HGR_9Nav1@c5K~RsVKNmt_?WB
zIt(akDNN*ZB%c|<r9Bl)pl?8RTJk|G%y#wmfvul7d7droO|D#--1~rnALR;|MED7N
z1iO?5Os#;4JcF%_>L~|kqXtPjJGcvT0~06R-?{CQZJm47SFV}eBleIbKU%!5cm=C-
zpZIY>kgluM*}^bSTIuQQB<Z<*VDq(`2ezso=-AyQemuE*cXEYTSQw-_EB}Q!<9i$6
zYz3q=JI_>S5*$f^^RnJ^XB9X*E~nriu`0n2dw&C*Z?#SZ&ht9<<YhREU8_k?V)#^5
zqypgLp5>+Rf!Z*_v=^H!e#%a(;I+Ki!c#zhcZ<Q~O&I1!t-*}kg|>pa)nG75!%`;d
z3OmSYg|>lr<SV`#ZQGew`yXkWpJJp~ElLmH)oQSK6K(UO%jJIRI;GY&G(0F~!yQSv
zzxPU$Xp>H*IMsM?p9*Dfrd{f^yNEmzq@_`wTQ9Eu1{^SzWHHCA(b}EbT*4l3+gqJY
z%j>s5$@=x(z32Azw3*rxI)16)<9_Lj|G&bfVCr5epRtEL_EwK}lHWR7JX&CF>(=DR
z{=OdK*v;&cV6ZWNymSeqi=Amv(8$<)BkPYi0qrKFd!iFF<{oKLy2T#)=4IP9Uc>xB
zGujUPX=j+5{@IS(M*qy5Lb2}d7<bi+vTyz0(Vm&L2QLh3k8Em%>(D(}o<^GMoYT}7
z1cdUAtrwf&DO%B#i^p?KD|Bn6^|$t2cM$HPXcED)aJz#Z{?UGMjb+iwL-QpYx0O%P
zuPa7xd*mPL7jaUy3enInD}`<@T16<YxOi*oq<(cmGkLY4V@kh{K+g=bh-tSRB}hjP
z(s(J-gyuGtQMy~onNas_Gp`K=eAIC&MVk#4f6}mSxi!?$y0ptr7ezR%P166%-kZQz
zSzP_&&oa;RWFr9#h=3SW5D~+@H#dQ}lI;SDfUJsEy(A$-LV{U9s8#D;L`CaX>w?x+
z+^V&1wN_CP_kAf<L<B^t5z#`5iafvXIWy04Ljq`R-?#twfAg6$`<XLm&YW4F$#^q<
zNU!~SWS!ft`rx-bGkFzs?aOrSt>~heNPD^{Y%kD7F9YpF7k7QN1kcOL-m5P(&WP^&
z4NgmC%|N99jx-PL-*dknnGGQ>QTtcnJm^NV0#bGmP8&NqX_9XW())q~UYC684Z7$b
zBM*R0Pqei=iRwrt95j4Dt})6QFlf*KYm|{YVE8k3Y%uGFp6SPW&b`x&Bf94e+B+*Z
zFE2N1??HLpe{~osi2=TnFx*P)J>O)$gcSsR1xWe}vj??vB2Ta+ZKS{YgI@ZNRXssx
zFY?1afawi0uOo7g9b=EQ2M!)Q5Z0LW9jl5bjx5OPiCxRAf+KJC^hF`54b~UUIHy=-
zmV&;0xSc!F?X-7I@<%k%?2cZ)_Q#e~!8;*7p?N}liZJ@;@7G-vrRCv2ilr5a?)&8%
z@%|^C*#F2=@UPf&yY1Dd&tBbf59~vCqYSqi<IAtXD;i%8*@dnr8fa|eceqk$2=nQb
z;Zx6^I{ai|9CIwVGT`8Y2f#X3YRpkTIXsq?+pk}4R*Z&Kl+EXxW<B&5jjX{p%ycp=
z^(EJJZ~DxmZ*=hyJ3hy8>I+BI9`iPiRFPkvhkmg~`S*+d`iLEC^?b9mbk^~&&<U&I
zjx-L{mf-A)UV-;coYLjWpLVkOEEvo2{cuIi8PW5Q1A2^|;NX8VWFN8ryphJyX3jnX
z`W#whOfb6Vbj>!8She>%z<DHaUb81Sq5F>s;XE%fum4Us$Go%mD&VX#3ef+?gU$i`
zzexFTKX~Wy&mbTF$dI>Ddcj3kR%!a{eGNg29C|*YHx@Jf;HEA*fc{a4d?}5VF{mX?
z7TT|CoC6{iIR_LU++|>&uG!BAT`=4m3#@?ya(dza%N%ZIrl+MD=j=RY9|fM=+Kwmf
zPYI<a1*3nNmE9w6pfh1?j{^?5c>lQx<LJZ8?5;W8!RMkw`wZA8$0A0v{1D!2_XsbT
z9me}iVqV@(czY1D8L!808pY{<zcRo3(Ve7z8g}{Ry~(|p-)Z1Co>>LI>442!GSZTR
zo(Sl{9G6cRL6kdSaOxE8#tvDWpH6edE)z;CjE_>7d&f{CEiFA0JI4F>8$eSK+`H-p
z!A=-&;smch0vzo?y+(%Pn-Y5S-3vcRpG=iS{KKe%{K=cZ<i=e#ZH@}3Gq`h<+XP2&
zy2r@{_I-b++?IA2`mYS9Q`RlY?P#azw2w-^G`v|lL%H#KhJLPcXX0JtMatbpUySeW
zWcqBaw^=CN2*@(WDYvd=m?tT>p=FxY%8lC>rlMIFTDnQ^FzJGBMXWI|P;PV%QKj5?
z16Z7=+@_Wg3zb`FgT(8~ZE4M7n{wkdHmgp#9c`JlSh>@*xIJFE)3si<S5~GLvu{-4
zUCccDRprjs;^~{D8};gyvA=TbT5bm2X9CT-q4mrdtK25sie}WSd&YvYhB@;aYinjU
z=fxt?$Pj`thVi_Ts)p&+c@yV1HCNAW${Sr@+0Zzrp)uK9U6nUzW^?nL!-fu>H*a2k
zl9J_DHq0J+@Q}QDwaqj0CR8_7H_k<}L_>XZ-q_^q>b$onHncQWR=<-k?YxP}`lh_`
zjSZy@byczaNGx)ANqOnG!(}W*BJNO%MEJPUigvm3C}v7^V^eKIeV)udej+)r89lS1
zxw4^tZeBD$l0UrY@Y%^()eX%v^6P4+$MOsFiwfeAqMb`o_-mW;l6lRI$*Stv$;MfE
z4KsGdgWCGM=9$%blk01VBNLm!7-X-n8rsm9*MOMDyvl}_`sT*k>Zbh8Svfx0QkPer
zpEn9gJ7j9}{5jQ=W`Z(i=EQ~>&GV9t)p-c0tF5fAZ$jBE^;Ia1h?zKgOy0OT)%7y*
z7@1&5p2w<ael$Oik*U0dCOJ1*TbG<(S1lVanU^RzJ}=pPSe_!Msj{(lPIFU!Q*B*-
zLu1X*afvYs$xaki)i$BN(_4rkXqjYv-rFS;^F~j6C$F?*;^>J(@}`cSG-}-BNqJLC
zCQK+9J85*q#Jq76^2)}IEgwB;^tiF`CGtwfo|t#+=&|KP@~R<Bs95!xa~i9gn)1Nc
z+SzmJYOAaA^CnhTcV6MV8AwX(Xqr=9Sv#Y)GOsRKU(=GTsUDIyr@C==Z4(I&Hx`&U
zyB1By{+fol)s6MF^)-3(A+32WP1Pg<%{wtazjMw^tV=e{MC}(;H#SU!ByrEGE2(P+
zVhBiHGH}*RtZuBGfwZIXwnPIo<b16WZ<y6+Gx5!19{%@q1YaaY@ST+Bj)mNDgqCPk
z$TuDDCgtJg>wK*V`Kq<qu=BLhTD?|@*hb(bnB=%B#0+Bm%?LjXyIw<aTbBOvk;224
z&pBr!?qDu)9;j+Yt~_l5@HfFUYI6YzTLReYnclI$FdLz`xdmz(H2T`PQmf9}2e?Ci
z<e7++^-Se>q-nsV*#@l+*kVW-;d&pAx|Jh*9Ci%CdA*!6-=Tg^nSLDn6)EX=E-TN^
zGllEXgt}1;h{r+c<AKEsiGZfVQTqnek~mtAy3@B}lsX?@9v2~YHfl5r_$bW`gw_G;
zbjDZ+UlCsSiX(MV3T>U$C0yS;;Gxz`!ZdR$R-qIstr6wrp}ZM@KTHm4xz^OKBtMhk
zqgIx!IuR}@F|zb}w9ZhJ*2rbbJme;Rv>+$ZR*Sq%sO=A-W;{x30oU@->iK}96jtg9
zdnT#PkpDTLU=r#hc@{_}adZao%wxV$ZDk5-B}gdfCz&Q`rn(S^scs%;CZaEmfqxw1
zCrJq~k4eEmJ+-}5k(`jp3sII@u18H0a+L(WI>70GL}$?RNCI%TMLQlgwaj6#Q@PWG
zx=<_3K`gZcNp>A<YPA})-Z<nR(~gp$CY|x93Rp<55a#LNk0&9r&rm<6{$9fUWwbUC
zy`6d(`Qc;jF%_;!Xwh+yu}O%Xir5MGE5Q}~Nr<B!OWd6RSO$A6WPoyvX19z>Adb?X
z2>V#XP#WTPHK+=tv06J5wQodd6aJ`oP&?M5zsvzANIt8${uALM?tcFk&Vw9DtX|$G
zmWoPXp8-<|tkiz>;CKt{8k9qHl4Lf54&tS!ae|&jd5B7?3$?A(NEBa#(n!-b0weX;
z8idV980l7$R+3v!3lK%Sll=T2Br_AaPEE)wd&vT(r~&OJby6^9)uEN@5GpB_8ieGv
zqtF`Ur*y<QiFY(+*K}HrpZgHBX9qv$S_GQ-gku2K9tUA8I~eaj9s(X8ik2M;9UDbH
z(zb=rw!@&Ei_udK$JZZ6LSib=14cp;M`Im!Ec(K6kfU*U8Q^%x-b6^;Wc1#t_>X!g
zYSXlnw3D@;X!mL_XwPZC*QV=+Zfcdf&@KGOc}Gvv)AbBJQ_s@7=-GOX-c|3WEyjxu
zd*NH&9+0x{^q!il@2&UJ_tAUneYBTQ!{_zB+Kc+WdOv+XJx}jXUu5eC>I3wF`a$|2
z{a}3HbcnW1AEF<s=j%iDh#u8r_*^os7izC*FKe&pMcS+SF#I3;;d-%tn0~l^1pYVj
zQToyP2)#rv)ywp9y+TjuBek{qD1EekjDD;>Mn6uQp^w$a>Erd|wYRj_wKwn@NsT^1
zpNOxpChJr5srm`}iTX7CB>iOlC)$<T{rV~TsrqSnuVlJjsaNUM`V75BpQ+dCr|Yxy
zI(@dbUa!ahu$ZHtp*QMHdb8f5&&59|I8%F9ds}-)pO3dk7U+2YQU95KwtkL&uKsiV
zJpFupv2~$-k$$m$iT(?Hp?;~pNWToP{$HUl);`m()c&krrT<dDTE9lWR@<Oor(duC
zO8Yzh!@~{wuk{<X(;*?V&^zk%oAjHtdi@rCiGHhooBkX9cKx^d@ANzLrTU$CYWQyb
z9&L$!ul{@eKK*|5ksbOUaOLI!{g3*C`a`;oml&ZNus&_lAJHGx|D->r|5<-r|BL>F
z{-nN4e@cH^e@0)9*MPp(SLn~_&+9MfFX}JheVJGESMmN2X}-Do>)Jg14gF31E&Xl%
z9sOPXui9VrmHOZG_w@JmRr&||YW+ifjsB6oR$r&B)7R@C>l^e>^o{!8wKMfk_0RNH
z{d0Yjwg7$jr`pf7v-B_Y&H9)6S9oV*i@sHF)BmY&)4$fg(QeiLpnt1x*T2(u=q@ho
z>IOcY!b{T@UITE9H2hzM41BYeiT8oK7}?q{j2xpYz9Z~z>}BK{J+Qt$TRYe2sr}s8
z8y8#mF?!>F<@Gi8HToI*8F@y3V}IiS<3MA8G0-^37-Sr53^ooih8Txxtwz4~m@(9d
z7*Qi;6lk9qaeT8?q<yMwGKS&CWwCLXakz1WainpSakMc4Uze8}Wk$JCfjxqe#wcU7
zag1@SF~&H~7;B6(#v8|Dmt~?c$(U?RF{T<P7$+LjjFXI$ji2D1gHw&ujHEH$s5GjK
zYGVd=6J{E<#_7f^qt2LZ)Ef=P9ODdp0nlVL8!dRNV4iWNG2d8V{1jL3e`cI*oMW78
z{M<OtIN!LyxX`%BxESAQ{=!&jT#6SIE;BASt}qrGR~lCtzcj8kt}(7PuER?TzcOyX
ziwZXyHyJk@w-`%|TaDX{-x#+Wzcqem++i#=?lkVgcYya8_Zq)9?lbN;{$M;{{Ly&O
zc*uCzc*J-V-vmBp{MmTi_>1v`@uacLc*=O%c*a<6JZr2lo->{|UNBxXUNT-bUNK%Z
zUNc@d-Z0)Y-ZI`c-Z9?A*Ssr@zZvft?;ES|742%{Lt~Bck+IfTXRJ3qHZ~Za7#oeh
z8=q>wHa;_2jn9ou#uvtB<4fZ!yiKsh*lM&H|1`E4UmM>T-x}ME?~ENdoYYL+G)&VJ
zre)fuW2TwuW`>z*W|>{gY%|B~YIZZbn|qnLW)HKcxwqNN+{f%~_A&dK`<ngC{meYG
zzqvo&>^;yNU=B17G6&&1+`;A{<`DBxGv6F)M$D)gGYibPS!foS!_47kv3VHwhmJ6h
z#JS?p<_NRIEH%r_a<jrrm?O<m=4kU6^H_5X{%h4(a~uvOjyETm6U|BHWOIr+)jYvG
z(VS+UWS(sP#5~13)jZ8in$yinv&yVCXP7nSOtaQJ-JE6CnX}D$v%#EWo?$kcO=h#%
zV$L<^nP-~w%?0L9&9ls(nP;2lnCF^5H_tQAH!m<RG%qqQHZL)MVJ<W;H5ZwenU|Ya
zn2XIT&8y5`npd0GnAe)unb(`YGH)<{ZQf|!WZrDvVlFXnHE%P2W8QB5*8H7$hq=_e
z)4a>P+q}oT*ZjSCpLxIe2lD~*kLH8sL*~QgBj%&#pUlV1Kbw!6e=(mhpEQ@5Pnl1f
z&zQ^2XU!GnbLR8r3+9XFOXkbwE9R@_Yv$|b8|ItlTjty5JLbFQU(J=~-^};S_sv!2
z2j*(?LvxM!k-64fXRbFtHaD1`m>bQ%o1dDWnXTsM<|gwCbF=xS`IY$(bBnpvY%~99
zZZp3&zcIfxx0~OYJ4_d^1?s{OrVs+}iU>!fiFA>Hca^h57m+P;L|4&GbQgPxT+u`H
z6nl$aVjt04^bvi<zM`MlPvnXIVt;XfI8Y1_1I0mNkT_Tj7Kex-;!u$<hKh)YikK)6
zaZxCW#4s^j6pO>e;o=B!q&P|(Ek=kEQ7Xzrxu_5cF;a{Yqs1}eSTRN%C&r3#V!SwB
zOb`>rBr#b`5mUtp;zTh`oFq;bKM|*hQ^jc_DW;1`Q6;Ly3{fLyidu2Hm?i4OY*8;7
z#2j&kXcSGNS+t0`VxBlt%ohv9PsLf{XX0#ejyPBRT%0G)7Z->N#YN&`af$eaSST(P
zi^OH(a&d)NEUpw+iC>DV#Wmtuah<qc{7T#)el2bkH;J3YEn<ndRoo_iBW@SJ6~7aA
zh^69AahJGT+#~K4zZdt3`^6u`1LBY3LGh4ySUe(d){4#XT%2vte<bXMbC%w?;nr9D
zNjxV0EFKqs5l@IG#WL}fcv?IomWyY_3h|tHUc4Y)6fcRF#Vg`f@tSyDydmBcZ;7|X
zJK|mOSFuw3O}r=G7puevVzu~CtPvlHwPKxEj}tOFv+JkbjXl%f;MUP?xU*|%4{MKT
z4{8r-%e7~<C$uNEJGHyCuHs|d?EItHAU+Wr#ox7Ow2QS;@u~O>cQvx`nB)k&Q+FD6
zQcuM_$&EOjI1gXPUZh<jTE*vLllVex7GH|5#6QFqu~oE*e~NA5Yw?ZvR=ZSe*A{Av
z#CKwcaJ2(0O|vcCGAz>)mSx$NgEyVi@pOHrm1T9YvaKAetJTfwZtZ2|T0N|u*4|bx
zYagq()yL{<?Q8Y3_OtS={?`810oH-m0BfLikTu9U*cxmdVhynlweqc@R>X>0F{{9e
zTZLAUHOv}r6<dc{hg(NjM_NZ&M_VJT606iIv&yXsD`AbaMp>ir?~#wS##qN$W36%4
zc<Xp;f;G{aWKFiFSW~SNtP`zi)=AdM)=#WctW&MitfV#Fs<f)CYHNm7W6iW`t<$Yp
zR-HB5s<#@fIo26gqt#?JTP@aHYo2wcHQ!ob{nR?k`k8gMb&hqe^>gby>wN11>q6@y
z>tgE?>lfBS>r!ixb(wX!b%nLqy3)GJ`lWTXb&Ykcb)9v+^(*TJ>(|ze)=k#U)-Bc&
z>sISF>o?Zz)^DxfS$9}Vtvju|th=pytb48BTlZP_TYs<~u>NR0Xgy>-Y&~K<YW>N2
z%=)wSxb+w73F}E~ne~+QwDpX&+<MkpVLfL(Z@pl>XuV{;Y`tQ=YQ1K?ZoOf>X}x8=
zZM|c?YyH()Y5mQ5&wAflWqn|+wm!7hSRYwyt##IV>tkz!^@+97`n&b1^_kUbeQs^C
zzOXi1Us_*T|FE`LTdg+hpVl_(YwH{9TWh=ZowdVqZOzv4?SyFy+p=xjvD55yJHyVj
zv+$4Svh5tZtKH4+ZtrF1+CA)^_TF|cdmp>E-N){0?`!w7_p|ft{`UU%0rr9R0DGW)
zkUhvg*dA;jVh^zowe#(vcEpa_F}uKy+l6+KJ<J|%7u$!~hucTkN7_f(N82Op61&tc
zv&-!YJAvcCQTAy282eazjD4Iv)*fe%w~x0c*c0tZ_GEjCJ=H$JKGB|LpJbnG|HMAU
zKGi<WPTJG$O1sLgwrAKi_Ds7LceZEQb@pt#-fpnx*k{;{c9Y#~x8NK5dG?w1e0zcY
zQ~NCYXZG3lIrh2s&+YT<^X&`l3+;>Si|tG7U)T%nOYKGWW%lLv74~BLO8YANm-f~6
zHTJdkb@ui4uk0J_U)wj@H`zC9H`%vnH``0>TkYHI-`Ka?zqNm7-(fGc@3il-@3!x;
z@3nt#-)G-%|G|F1{-gb%{gC~z{fPaj{U`e|`_J~{_FwEL>?iGI_EYxL_A~Z!`&oO1
z{ha;0{eu0X{gVB%{fhmn{hIx{{f7Of{g(Z<{f_;v{a1UX{WtqP`+a+r{eivO{?J}y
ze`K%4$;)4GqI02kt-a1(uU%k&Y;UkXu{YX(w?DN%vs>-Y?M?O<_GbG_`z!k&_7?4N
zd#l}sbC(s`R-DMR+5fb+*<ah=*x%aQ?eFXzw(Dq)?ih~g2*+}49Atfg|788Bga5~j
zdt?2ztF>$JKMhLoWqwk-L%UtO%1Og(x;JXSb<&*-?N{0jPNtKEXX3M+9H%Ru@aXRB
z<>Wd&oSt~Pv6r)t)7$Ce^mX=i`Z@bKdD@?x{?7i+0nUNW0B4|c5bj2o;f=VJ+DFd8
z&S2*dX9#Z0|4qAGdrx~``#}3pTcxem);RgjP$%L<otRVL#GOK?$QkAgcZ!|EoWq?X
zoFkp1oTHr)PKi_MlsV;2g_CebI-{J?&N0rh&KT!7XRI@hz9e-fI1`;o&SYnbGu1i4
zInkNsoaCJB{KPrMIn_DMNjlS=N~g-Hc4jy=&P=D)Io+A%)H$=AdZ)pe<DB6%I!#Wq
z)8fo^<~e6N^PL6GPo1-zpE+kc=Q!s&KX=Y^&UY?wE_5z(E_N<)e&H;1E_D_;mpPX^
zS2&BEE1j#HUpiMi*ErWY*E!cazjAJHe(l`o+~nNs+~O>8Zgp;RexohZo^ncNCo3Bp
z>g|&0jn#9jotFCANVKe+>}W+vMA<QA$CX{A?BU8TQFfWKE2Lej@|UXor7C}EkyFx8
z(@<YMi_%4+3C<UZR&crqUXPdgBSo2Im9>qPEwg9TRiBwrR@Km)ti*vvvt3@91koy$
zDm7Ap;Kqhzvt1!$D^%4gxM~>{es)EjqP|p7U#jqwD(cG=^<|3sGDUq^ky8;+AFYTo
zH&Bas=ExAWBU6gQky*?h8KOEC$)vhR;=>{Z5w33}T3nDhD!?GAjHyy%C1TX{WTQR0
zxwfvV+8HhDMrqJq37NJ`)u^n*868lFqRTRmNyUrzxK$e#sM;08?J>zp9Lv~ad@7Nu
zRE$AABzixKDyBd&u0Sy?t{4`N*<%@%q%JYs9vea#FO=Bgs$y|PNPM_6PFAYRxS1{W
zHOa=7*>%YlE;|w}kE$xFMk-Tfma8($RW-^L)^dfloN0|j<0^e&%o;bdp;3uWxvD|A
z!dk9URVb`VAkh=-36ePz{F+273Ki}`RaT+GR;aKQR@f6cSLVd_+%M#UBC)7qWsxed
zNL8b_!k*-p6p6}UBv&OAsS=7LnrKmxJz2`dWF_;HS>~<DjX0|6GPwhODv>Ma)&PHp
z$;K)#R(7f6cZK3-MUgXEij*}u;9rFzze3Sfq3Ehmd`v{_sWpwsxz+Ym$%v@|Bhsf<
z)mG!suC~cOk<(<J7(~j#hkIxg5eda;NYpgOmoY7+lSM0vJ^pcyNOU;&3^YFz2zib<
zNyVXLSmCLHN|cn9C<RoaWVM9312JIkz*gKT@f4-%fTb#bsmfof@|O;ClHm@S;CxVc
zsuhN-=8p`^tPGftQR&ytuJWZJS`ksDMiO?l48~bBEAeWn>8kyFl8>c|>{3N`sX|cd
z=?$-QDYDBH*=56=>VRx$Iwd5D!pxcwnKdcJLERMCH6e0iQK{*QSkq<B401~9Vyd)a
z)w;1#F_Sc1t(53mSvN`xF;$EzQ#C3pb!sJr>B`Qpk||^5nWv|ggw|KhSfJ`zP?$BV
zrm?!Z9%sK*wUu_A?BjJzyr@I9B(4G_)_#6fdV%6+f#PFa@iAUt*E1@aJyC4e`}}|`
zs(Sj0P*D{x&a6+)X~6M#!yNqEm<CzzE)5-YUM1z;IPK|wPf3=m`pM26t&p7?Hq#9X
z6upH7RzuL4%T;a4m2{M=R28aLp0HMw+Kr*w6%Ml-{n|w<3Kee(6}Cc!tuSFXajwj!
z_RUhr1wp&1tVOE8q5`|w#|$ONwL&t5xkzCyQgjw8>BN`ZEmCw^RJUl6%CLo%VM_=6
zRN6ug8jv!j*yZp5zo*ueq*kCLr3_mF{#7XQD-?YdioOa(Um|MHlge<OWW>CH5$W@M
zWjJ3d!}&oZNl~;ys<LQBLJ^TrVgu<~!1yv2r1V25LnQ{qoCD3yghgUfjL{twLkqc6
zMPh|4R<ONr$(C55%pa5E9O5OTV`}`16>@t;V#QLtVp0T<PAc7)6b1O1jj-jY74zC%
z4t|lCY<Jj-4zI!S@1&^n<B?=#a|eQ7(NV1M7RhFd6{&KIxdD*Qi}(Dh{9+|{Qh*|{
zVTupKRDFgiI`ASkmp@F=fqz^h{fdrZs@!3!{=-!H!xX=Vsd9&@a;3J9#D=SKhO2Uh
zt8#{`a)v9s!xi4)3h!`*cetw8aD`tEm%yv)Rjle$?6r?7r&!@vauJiGUL;l`<D+uI
zi}oCD&Ny|31#@aG!#enz+0|^0&QGR|W>F;v3t)b-%jiIADVV!qell~kC*AqUbTxC$
zPiBqw<rTriQA}i|D_T)D+;^2wCfVJ*bg?qe6-TU@L|I9XmZV2ZGKCi0-@&{Yv?N2c
zsJQ@TXBCm3bdsbbJnUr^(uEN}>bnYjSE273=DUi0SE=tR_g#MdN_~8#KE6^PUn${J
zGX~Vprze3FT|z@I2(M9uX9c6MERDutif0Y#5fDSMU5M2YIT{0b9TLfbj~ptsO@p6@
zr$BKV(-ps-1%5pXP|viwCc4y=pA<8I&MK*!GczeltDBS7$mHzVN$xHM5W9*wxFOb1
zFQy^NtU&annQ)2GSl3y{Cg;paVhu8TdR5XmuEiMJVw_NmB|$CCY>e@>=7gCI*2LPH
z*-3L!vc;J!QJLds)|zE7<C|(_F(t(rTz+#yeM3{0Dv>>DD3KiyC*{f_mnRTesxX;T
z6~LYx<?&KxjGJ9uBXL<tuIzNw!>XamT2<9`%}J+PRdoR(Op3&1GgP&fsyd6STE|tD
zM3<Hs^)1GkwHWoezGfpT+r*V^MrB)6W#^!xl`!yH4Mc*>tvYOhoE=39<U9a&VFptt
zE2Jo5Pa0@p2c}IPE6C+lFiX)PbE@LmlcPLd$_%E1qq>DLa7b>u#2iR8M-vfNZm{L3
znNX|ngqou!BCPBXFGtfvgq0oqtn6URDSIL!N7qED!l&lC3AM6Hs7Xaat&J0E=9o}R
zsf3zMB%%s`RN;>)d@)5I*3?WlW}Ixtlt1SARsNWlU(pv+^c5(41qz>9dM4DYE1?$C
z2{oros5xh%K;cu1?1Y+YCgdC?nviokY(6ObafLsj{0ZfkD<Gs(^u`svafM$k-4bg4
zmQYK&gqqDH)O;?X=5q--ct;az37Al`pM)HQqlqGq4#lU0DpwB9i1+-84mF!g$R#b}
zy>?acaxjc0<X{L};gy3S{9Za$AGLN&sA*H8OvM)~zR1Z+G*PVZ6f1h<WCGy|PqAu8
zIa!F}VI$f8B?^yP5++I%9<?+~lz8bBo)U$pMAa)IS278_E5Y(4Cm+#-oP0pOc`$~}
zlLFX0Xv5~o2W+{DNJQi`FroI^5^4#Wz#bdpjjD2@UO5V{oYX`UQRR=Sa-yo7s46F>
z^2faVDqc>4qKTNwA5;0&epN!P>Jl+UM@-R)-7}`EK;bR$@T%}(DxKPwN~pD3qCl04
z|FS3Zdw5iOwK7boHBdrr043DMP(rPV5^61!P@7c=wPs7mNgVj^^%qqywHKLC+f@m*
zYD=h%kwk@}M^2)n2{{=C9wiTQ5{PhxPfo7kSM`yTYxq@t<m4LtO8M1RR6?!75^_rl
z@rvKH79oAAc90Tk@st>*<WEjM5wFUZlWO=?`EpVXzba2osv+mfueLH0YKtNvC#}(h
z+S5&_J>7(y#G)T6y5uAle#M{R3g2)=FSbOO?lP5LPFB(Hlsu?i*M!=2O{krngj&=j
z<Rlj96@ImQkdUiDY$+@J358$nWhc}YPa>iCkx+b)liz4UZT%!lyl{oTMA5Idf)aB1
zg)x@Pfz5IQoAn56?)Q-b*=~`7VHN4g`iAD}y6W0w7vGg%nVds>Ks=WRyU^lMGMypC
zckzZ=fAmBuC0%N-I-z!S5^6^$kx<%3tvwTR!wFnb+DNVO6KWeZp*B7fY9}F~*8T~#
z2cA%C*@W8IOO)}R4y2%*D5U)zNK8fGu1Ey#L?}&J$Xy<CW1{WjDG#}^APB<Q&D@Gh
ztrm$(tp=N06E?RtY{|{I)MD@#@d5+3n$(hOy22$}FfL~dNGn@19xYLMXaPcPgb+WE
zY~{F|H6TW|c09^_ho7~4BrdflY?f-+icYC5;a7A@Z3#b18Ei$9oQ1%zXp*xI_*MBa
z?&a{S@?)xeIqQhT<tPJNl`lsX_!Xbzr~*GrIc!yaWSFdR1QUMAB{^S13Pp*WpTVyv
ziIk}v-qI`{Df74`=WIx;sFQQHNL(%S<7%NDSA8I^7OrvG=OgiA)q2H#>%pa3PmbqE
zqgt!jZ!Ne~nv#g5tt8^LBwSvcY7sepN8)mvj>P473R}g?@f3dUd6Bs68L*=gcbQty
zQHY0I&Bx>NP$Cjn`%7`PzZ6%;3vsFIBXK#Gg01)@byOrS$4c0$73J6nziLG}Ho~u3
zu|V;wz~>iSs=jLTCobos$fMe`K=H4@=O0{No>D0Ta!!goO4{U{6n-V`a!ifH<(LXv
z@lKAR@GEJTV<`Me+Tu#u<s25_iYB#dA6FY!aXDv2yeeNF>cFqcR~uPzwILN(8(ML-
zp%s^7ZX~WYwBl+*D_*Fiz0j9-wY3#jTUl|nl@(W8S@A+8?S;Oy!=<<-XUHf;wW8YQ
zimUCcxY|yNt8JvX+MbEakqwfps3}&9Z3^*lt1Y&8ajBHLVztSDG^Jje5+#w|mIY+m
zmq<CfAw;#PoQ*=Nm1N1$9)8s#ay15-jwvaRc|E8s=9MSM3`n=ap^lW|YGjP7kuk3J
zkK=O20x4ImEXSxwJW;^s1d#IlrbgyvEE+Ac=`*SPh$F40bhhWzx6Dq%`Efown&&mJ
zBcpjHHuKq;J_BE8DOc@Wm9DAwOqs3;C*AeZSxsMG$%Oc-OD0rh%}JAG&QXOndxf%t
z3MGdsl$^3q>7qh89Tm#yWTEVog>phJlwDj{gI5MSs0?zbGRP^*kS;2N(@`0mPL{z=
zSq3NMGB_cZfdSPa-jPiuz)qK(gDZ_0#|}bIX$U)|k;us<aZ@5jO^IlHjL74#ScP26
z!Y<92QCri}SY3t9AxeTTM_EP1FfWpRsX7qOssQ0Upv7=3F5{&tfS;FJi07^!E06;(
zY|k(8707`%HcYBi*b+~L9C%|Da^Qu{stC5ECn}G&V$oQ{Zo#6cs6<+&PO=%5Z>qLx
z^P3xIiIV)LN>NInj6gYo3IYiNBMFQmFq*(I1db&zhQM(I#u6AuU_6222}~d`k-#JZ
zlL<^AFqOaw1WqI{4IsTl?sJk$Zge(PW|xF^Iw?YKbv9LIm3UJ}<jhbvJs64HG;FF&
zE8*=<#8Ly|;s+&!6C0k9z!?ji@xWOWIEM#L;*i2XEK*M5k#v>@cuNDkr2*bj#;fj!
zAe&X<Wu}WF3J={C@tn9W;$x3cW?UMnuBxr8OTwLA=5r}@m4qYYR%cUXm*8Frh0CiY
za7lVGi}9UA2;%9E3Arl#rl{}>sYq=Kc@qVRvns+(p>C!y60a$`1ou-Au9y`twlrXD
zX+Tn`#~bXJ2aJVo_ArzMj4flvs;eu00?dPDTDrgjXLjfg3%uzgefok6Eq;y|6_hTo
zwWvTe3=xve3PE0O@sk%*LuH4qxCD6uGGkOxhwi$-PFF_^<nnnOK4hQ>U)+OZ22{yA
zXFvmo4jR0=VqxL4C}46KGub<A@Y3S60c3}6(5S39LGzf0t?_{81yq@Id7Fk^o}^Ku
zA`|HkhpyEqJjfiv6HtQ*7~zpy>mIcQL5s(O7LRj7$XhoGE83G#rH}PWPao?sO41Q8
z^vjP2?2iYe#5w;sU&_b%Eif)s%Ex(#v&My`TwUiuDP2=;^!NmpW29G-UKYqS)`DJW
zc~HahfWPGdwdDb|<&s*DTh=&2lg5{Q0(?OyDh~?8g3~LoA}BCWFi?gn0nSi^w1v!b
zc`wLEP{>rsTS9)O!hp&`4^^}RGe)o2Lc*FZFAKqy9l9^X5ndC@hU3)i#Qh;3M^Qj}
z5mDBq2A{FxUc>Y{e3!4dT+HRjn?)*+E*E)D+%NKz76sH5d38ows!94}UnC~`A~88t
zB;<7@B+i-~772AdiII4UC5<mBA*gH0JtYLl>Xv)z9S8BA$ig`+NKhO&sc%uXXhlUJ
zB^Atnb$<y7()bEfkTPJR-_pn*FrdO?08ZbD%jxn`6T5r{gswIrBFn$sM5*KjCwBSi
zL${qM{fS{VaRr8lN)76g2xLk2Z+R1na8L8Zq)Tuu3gMC+#a=7pUI1aUE1GA*N}EI%
z7*r~{FXcONvg)+}>o%U8<02J8lWBay2A4yJe6Z8_oX^XEqdsz~vo}gc2Y#?oD5vIQ
zKMEg>Gbh+-eE0_kv?iVZ!DSuSLU1g@6Kdhcp&Or#QSf*QuyG;?D~%5Y$&YhESQ(S$
zX&Hs!bdW3@5VEg{@sJiSC?TQAq4GnF@2;|jf^xX3bh6ddG96jEpbCL6hYtb+KT9lj
zr;t!NJr##NA+H7C^hFvwRY6)`x@mXH$KVS(cBq0-U*>67%1`TwKZ@|g7fx?h2d5`f
zaQaP+T`C^~4v0NuJh;nR;3U}(4d{&p^u_{uV*$OffZkX@FAwkvZ$K{(vMMy7Hx|$v
z3+Rmm^hN@DBLROS0lkrc-bg?%&l6>7*y6&Jkz^vy&ZG(sXpaQ6M*?0)0^0pKB2Wah
zM*`X-0qudd#kQBv)nNgZ#X;r#K8xjjz~JJ5GHh{q?c&eZvA7TLmV^=n<oI)N+TQXp
z$cZ;I!k=u?K9`>W8(Us!{=kf7e?YoF8Y46yG8jm)(dA>P2qg$8OAt9($=P^<r3qsf
zJaRFPK1@qiShQkApO*_(MDu!;Y+9}&o>r@fmy1<6<XRO8c&Q2vQ+;M7PTrBGi*!{r
z%p?7mc}7ch6TR^QcaG;)aoK0IVCTLG7enf(3?zjY11sEF?5?Yx(F{))_V80l5{pcx
zV!L|Tyaeep=i{Ou6_{RKPfKKW%~r0gIe5dT-owluFJty}T)>-E-K-*Wl-G;SB0mlq
zBu(t`qU82T6OQG1`-C0LQG}>n1`3nA4ARAXr3}njN~d^BPQ_iyBKZqfc8G9zbHb#<
zpNY1uZ9vn)oq;EzW+&O{Q8wM93=T=z^nkMIK4s*Rlp&p@4Cy?|;Pfa%LPgp1RLZ8e
zqilMJGUWFtLw?>hsj6>~TTbjC%E+O3Mo!5y=_1NF9Z|;VBxUTBlyO3)j9ej}kvGgU
z@_RfZx1x-kk}~WHHF9gRgD4}1qKur9GU+19I2}>O=_F<Bl$3Eori@%6%E%k0jQk#D
z<W`iCvr9u`)r{)dwTvcdLkpp`ZD>rgFfx$^O-U9yKUvU_WMK=1ENr5XHCkHONFg7#
zQpmz)3R&1rA#1F(u%$x2@zOe8S`(x-QCgFvHCb9yq%~DqCrIl=X<?&<kV(O`r%PX@
zw4~tL&;yiYhO}y=g$_)Cm}HQ3y0m6V3(A55p?JtbrzZ=ljI24*Izw8G(rS_x^a>?u
zk=9&k&65^19mUO;)&jP8CoWbd_hMt}1R|#PW@GZ4FA}SWWLB$5JTPQdt63@BSu_CP
z3a7-$EJ)g1zogA|NTQi>hl}GgJq^Z4ln!IJ(qeGi^P%F(#)^uT#s(%XS{&=bC}u;Y
zHzynCi@MrIK4pqUN{Z|`co`1&r$7e0#iFXAzD9cF9(61tPh?=rExd@lWDh^@C&T6w
z8e~>mjPhm>!sS+BELxZ$7l|{VCaL4#^{&RMbaWhcG;wKBc}9T5a$_<o&*kBl8<A0Y
zG626UEm{~!2P*DCGqZSflJ2HV(o@Qv#hp!gR5{#Iz{6)HSkTE@sLRk1uXZtcGKURH
zMNhOKoyM!#^wyrlgj2I*V`Ia-7T%2of>=8HX%OQSh4Ks>_i!bSLU|V|HVkFsO}1o>
z%2_B+0dQ|urNe0e$5$ylij#$9e1`-0WF3m+sVwgCO8+o<8XGH;cYd&WE9)4M=T`8`
z^QxF^xkyZ%HpJwYSn$gel$bo#j>P00F4*$qASUl*!7ooUV)Bj;=#i(Q1rhm;6>Q$X
zCdno@%M)Dky9C&w*r*>H<2hjgW|iLlHontRVFjVExC)Dh!U|PbVJJ+V$rWJcDQBDP
zO3vZ_#_ph)VJiEuQ1;;}Y<MWFScMgb!b((FNhqvTg_VZF%2Zexh4JA|0j9Cs@4%Xb
ziVcq33!;i$QDzqjRHPs(kA+}+Y=c<Jm;yh9I}FmwMk|mP@8Fk>rgrk-=k5txHoDr$
zhs>~$!Ip=e1?tGWKpmOmwP{%*mLQ7ynBpH+B0f)Jiho#=1YwFIb*NqtQ(~hI(F@ce
zdVxBAEl|g=1?sr9KpmYH$m0%3wW^UiCM{6Mqy=#$O4y|H%T`CA1x20^4kv-kks``&
zO3PPu3nJ2AquPXgkx)t&?odhycqpYOvXm<x%EjUuN>>(&W0_EK=%qeg>?XQGaULZU
z$CQNPiWN?ZV;K#_6@=orJE^#$P<iYQl}CQBJa)H>^U9;RaCzkS%42sZAJJA6q6OX4
zuOF^S_;qJ@5Ql>z#7UajtyB%W70;t6)lWliFAce+G)I(5jzorKG|j=RJ)Z`ptorGJ
zhgEk(%3`7-fd}&OAD&#if~CVH|7pWE_|Af%*K3c(t5rH)L^>UiUJ^6#75DjY--~yh
zbi4`i5a9dx)>+3l+HIOnuTuf`(tBwJUX~gHcTA7LU5Hnu47?as4p^aAAbccVj?(c~
z)L4Wx>dkO3&=&wM)E6S;R{b`(AJZQPd_rFa__Y2s;Bx&9z_;|b0axlP0YA_`2K+?-
z6tGoq1>A%ek953p^sT1j6(c-mM6VbD;!|;ibT{x%*Nq-{wMfUyMEwB|F+e9?Ac`VQ
zp@CZCt)ZheftQBL04t0Nz>&sCz~hYL0LK~Q04Ep|0H+vJ08cVbLf%u1QvgphP6LK2
zqY7|_F#~X>f&V^;7l!Hq=NNe77jFzT0nRh#0iJ7|i(Ka$=L24Bo~jvmqb8~8c%`Ni
zupaM=3%pA+2XL;5|5A?^Y32i7VqSvSOU+9GFEcL(yvn=^@M`mFz#GgP0B<pG0ldxp
z4d5N-9e{V5cLOdn!B2WC2Jl1kL%_A>TELG@aFSky0c<tFNxTUIPU1BfyoZdJV7><2
zZhnUse(?ur3JWkp;6G^Mm6zUtc*_N_SQG<3CEf$XJ0F^kS2}V42U&vvCs-2zPq0n^
zoMV9-^u7h)jn<8Tc&`HRH`Z?f@m2*O-l_n+*SZ(*J_}Mu?^OUkXgvt{r1c~qUZ?<E
zZY>8~VXXjs&3aAK@nwHDU@r&HisLK(et`QqM`$L#x~~DObuPopZidz$q5B~Y-}eLJ
z`+mTK@W0S>eA$06;2{ob<s9nd14i-x8FhTiUjSH$|JSMGd;Vd7#SZF>Z~6}hJjyu=
za0LEao{sPOD*z`t69MskK47g=3y81t0qY&q-)VFj0h^s>z`4#`z%!jQ0T(#v5BN&|
zEWop!vjNX_&ILTr0l)CI{sn*+ITrz5f|^kOC6l48HzAqji7}J3-j(wk>$D;GC~=lH
zp)T1>Z%yLgmhy|*WM|-QnSOx!#0jN&^!7G1fdH0Fyg0L;@)^(yJ+-`0KKeg|d*gkD
z{WYs(T1B1~DVs1UPdjSt#N+a`F%yrSn5RvfG~rl!EmGnWc$uLWQcItOH)i(1JKWM|
z<9|c+#_M|0=imjJK6q(Q`qJ=zOkcdZCw=r1&c5^l-z+?At9`|A8^aw0b-^%$VONGd
z8TMtkKf^)v$g-Z#u$<vEhI1HR#PCLj4={Y5;cA9kX3v^E%gA8Zm0?eYeHrf0a1g_M
zhH-|6F&xoUyP(=gFg%9gScVfAPGLBW;VBHKGn~QjbhH!R4FAE9UJ%zI<tAFt!hhUy
z@S=vs|84!hKU7!skahe%a4C3jJIoT88)2@8xf*6M%p#aeU@m~kgyhl-#u2>iI07#@
zj>l__r$Mp>;&i+v$+j3MZ6~7aW0d`{v@=zF<_P6qsO(L6+y;2EPDcBnO}ZR$;IsiJ
z512bJa#U{3po`vpd<y!j_tT%h{e?7?nWeo7YBc@D|7vqSUa`!@OO<*0K+F?jcw_P?
z%nov4AA`3ed&5k@3z5_D5@bEzd|aTPi`N`aMxI4Te--|E<ITq2_`4ZzGUg)nU9j)h
zAIAHNPva%USMgfnd-@v0Z=g8=Fx2DC!(;ewJW@Z5m~HwFL*TVTF2%^edxkx^q>GHc
z2s_!>Uw_&d1cU!R0$ScP4%4qPM(C}0d2kF~BAlRS8z<-kG3HkprvuwX#vGWrcq{Nc
z;}ZCL16Q-&8}9;MjW+<7;Jv?l@V4Khc*k!!-t2oF@AIv~TYMO4@c^lf*~&fywM7QT
zOuZ+ET+i-o4qs<{jPM+G|ANA`h4>!{x^@{s{Si(dXLul|X=B*R@DAfDq}i8a9flV&
z)EQ<n{53(~BuegLn5)xlt~ZA-;*flX{TK>{hcL7$rRI`b+sYv{+tRg-43}`o5O%L%
z_ix$#9K(k=WH`gU8TR4uPZ+*zbO8-nI%XgGp&YW1c@p82xeN`4%^dqJ!+&td&ln!e
z@F0c<Fg%N(_7=NuW7wBNwi$7hvOmKv3^j(s2x`}{`w)gx84hPy$Z!Zj)SVz+umql-
z#%hKy1NJBUE2gZt9<f<?+YIBXKK_5q%*2aDtF`rbVRJM7+O+L>XErURFAns3<5Aof
zr)Vpwk7%2b61@@cu@0npJogpqm5Zo9BF*(kLA~)V#HaSef#^R|5K29g`r}u!@5w%g
zcS85ao1o}rc<Zw#dKUT@dfNoN-gydo*n38m{uNRlh7{EE#y}TrK#%(hGimN^;HqZa
z20r&;IE3L;hDR~%&#-~vc!Fq6N?*h9Xb!o7-9KYEmf;kJM=&g6cmTtm4975(c>1#2
zX4sD)-ama9_)lSXHx56UVI#w%S>CQ-Imu%83JxE{@DB{97<U1~M27ov$Vi59h7T}w
z7=Fm`FoIfGh6@bLO7ZW8NE)R)XR~_*!?08z$ssJ;cng%$cOv0>0mtSLl+vyb<&YYN
z++URZKg}WCje+3CNnDFz<kq7Ewe19#Pg{N(+*z38p#^CU%0_C#zY<@TmoFc~DSGng
zh<PC9f?Y6=9E6vb<9KCxghua+)63oy;KF)>he~iBHrAjFdosko=SJ*ChM#i?{-ZiV
zb}-z+A^izH)3zLI1yFT5X1JPu?!V0}#tY2(cx(AEyr!JMyU7#qF7hdO|M+ygbUYWY
z8J~xji!a9u#Z`EdcnRJdz6b9LKZ=#`@2~=XQGXpT0Y8EFf7c@SMyz+YAmuj({^1*5
z>&-H{>yP3U-hOy-cQ7zj;dR|2q`lfWLVv<2MZPD1;~u=8I~FhHPBU!%bgWrtAWwJ1
z*BOnpe#YCkXVV`rUVt}l7ZXMp8}Xy?w(X4wzs;BixD+qfK8ROpml-Sc1YV+j6aVXb
zrLh|L*CWNJ`gwR$b_L%1?T+_kx0}$`cwzT8_EWwU@KKJ{e(J$U@tCo~q?wN9eu{SN
z!|-s1r!XvLco0GD7IvS`a6E@x$L?%~V;Jtw@EnFGFq}eAyOrG|8TMk>li^+rf5osn
z!!(Ay89EFHFdWXX3qkF6hF`mV;9kh?aW3{4v|n(VM;IQ!;pe&37k*Dr+sGlGaqLir
z7c$g2e4UGRv$mB(su^C-a0tVF86L{82SM#ShC4Xq0CzA-DdCV647YRmgX|v7?mUKj
zGwjDOi{X<@VVvE~1hsAKK7?Tb!$Ayl7?v^|Mo?SJ?jspaWmv>8N>FQKcMU_EVSj>8
zJ+N#7Vt3L8+BVdoKf$N2eG2;neu|!0$MnSNFwh2&7kx8QuQ$$v*6D9t3wINT+=utA
zb-cg59q<#QH{f*?{?y4&O%Gx0hq-<~tV9Q6c3lK`1pceQD7@D`32Er3>vuA|jG*>M
zb|1s=Ifm02ngq4)*iCB+q8{+6u21zuxL3dZ+vzc>$?~DcPQbgVUU?sK{)Ggw=SH}u
zFdV}n53rloEZ9Y3SjccFL)LGPH!gdEOXU@Vh84qqu`#iWkc&TXheu7#Sj+C$HT}so
zyq>xOI`uGU%wWZUxrs4KY_K16+R{d(CDLEdoR)c7W@F~LnF}))XI`7xnz<t@Evt9d
zsI2;|3$kv=T9&n;i|CTwrB|1JUCO(h-eqx@hr6uGHnIn0kIg<UyD|HM>}#`^W<Qp_
zEc?am*R$WvUX{HzyEXf(>}@$lPF7C$oL)Koat_QHoD<JEEN4VcB4<p_+?=y=&da$Z
z=c=3=bMDHyKj-P3=X1X5+O_N8uA{on=z4Y6yShH!_06tpy4l?h>{i;Xs@vJ!?&-Fo
z+p6w^yPw(p?CuwIU)cTr?r(Nq*?o2Q^|@nnPs?r0Ju~<6+$FgW<UXIfI(L2Ujvk^%
zMvuNdVm*fU7~7+&$LT#5^|-6Y<2|14v9iafJ#%{w?pfY*Y|nFhKHU>M(vQ?~^rN&q
z{b-mG*oVo`57%<_BRFOVV#*Oyj+h~OiME$sig4_G>IwX}14GQko4;pbw?-HDx#&H+
zgokQ9-1XYt?gp)wyG`p2ccHsldlvQznCD=ghj{_!MVPfnvkqoG%*QYr5cUboMwq|D
zd<yd!Oe@Ui?t1+}ceVZy%)>B`z&r}`HOx2eYH^mkO8ng2AkK$b=(dSVVHUw$2D2FE
zN|;;Sx5ZMVy9?%Sca@XwZg4U{>m8uF6;y9xiu<~4&<AOlucv8wF#E$l81@ht>=fg_
zJ{Veo`z>nKidwazR;{R2D{9q>TD9)37SO0|+Sf4Oz<dj{9p*cj9Wbujh9y;-uEQ8G
zCX9fwU~Cu%CJiPXCIcoDCJUwuOg2moOjnq_v@|^zrUy(<n7v_o!R!Om8>SCTUzmMi
zP*)vw)lpZyKg|9x2f!Q%GXQ2F%t0`NU=D@>FZ4rTzz_XUn0%Bs6ea=_g^9rwz{Ft+
zVUkEQ9i|ed3Z@!n222giOqg1j(_v=8)WOV#sfTHRnFDhMOe0JaOfyUi%v_jxFlWNd
zhgkr#6sHGw!rTROH_X!rdj@7X%nF!SVP1oI9cDeu$1oeTG@J*d;XfFp8Q_rt9vR>f
z#)>opJTkx|13WUoBLh4#z$2U-q#59m0UjCPkpUiIUYllsM+SIgfJX*+WPnFFUr57$
zJ4nNSJ4iEz!bD)AFfo_{m^l8I-$F?5r7(+NE`wPNb0y4G?k0i%zK*k(Oh{EOOwhO5
zAgQagzV247KO~VPbSR`Z>VBieU<%Mru|ut0h&+FRc>?B1m}M|e!8{G~3{2<!vJL&R
z4gInW{jv=by$bzu75e2W^vhM~m#fe(SD|07Lcd%EiQWo{-U^A{3W?qdiQWo{-U^A{
z3W?qdiQWo{-U^A{3W?qdiQWo{-U^A{3W?qdiQWo{-U^A{3W?qdiQWo{-U^A{3W?qd
ziQc+fDO>1n(l3Qs1ale8<uF&kEQVR?exu(Ba~I6rFb`tnd<ceCYmdM@3iBn>;hckJ
z42I!;YgjNg%u(*Q&?{}wD{bN;_e*gJ49=;<r7(+NE`wPNb0y4G?ly4?TJBbNqj(hQ
z{sjGko(dh)=3MQ5>s*7j8jsdosq_tL$jw?GXuiH^jRD|vAvE2Ei0@ptY(`6LMoVl)
zOKe6<Y(`6LMoVl)OKjFQ0oNBWn_<3$`3hzmaDNT+4a~PN+hM+g*#YCat!SNAv`#Bp
zrxmT!iq>gG>$IYETG2YKXq{HHPAgic6|K{X)@eoSw4!xd(K@YYomPDm`uT&<&=0{p
z4D$%gqcD#n{1upwV7`Fa4D&U@zj4=#7I(Rr3o{?)0+<V77P_0!7dE3WY(`($jJ~iL
zePOe>$!$en=p+7w@xFUVTd&;(r`Cc~Yr(0t;M7`hYAram7MxlOPOU{7eWmI4zTm-h
zw8$f9g*LRpI_^sY+#MRU8nnFyZ7<L&ZD^H8z}+@*w+-BF19#iN-8OJ{9k{y=++7Fm
zt^;@1fxGL#-F4vZI&gO#xVsMAT?g*219#VfyX(N+b>QwgaCaTJyAIr42kx!|ch`Zt
z>%iT0;O;tbcinDff0VmJKM$ORjOrJ_TnKX!%*8O5z%0dBekaUbFnHk~E!BpWYC}u4
zp{3f;Qf+9d9cZZ?XsI1K>WS9cf!5lA)@nm*wV}0^qP3QywU&x=wO;5Go5gvs&xd^h
z!Y+il2(5Gp%tEy8r7(+NE`wPNb0y4G?iRG<MsbTK(3*L8mAe=E$7b}8%?|Ci|NkxV
zzojLpXKX?%QNO#@y+`&v7ym#QzGcvDFG07x1dS*AWG43{+MPZGt=Pku>3(RO<F*>D
z?j~as48{io<AZ_m!NB-nI__pO4JKX7H8b2*W{&$$vnxzDt-smV-DLKIDTOJAsdqmV
z_qng(<U3vKij>=savM^1#d$fP*&Qy#A<U11&dWrZAEL|;QRasz^TSYi-y-EdfaM=5
ze}64~r_|}%ATvjE%&suqv?xk}E?|0dP#Tp;w06f?D1~ML<F~;0txwUOVcfG+c;?>y
z2K0Y}l0cQuf&Q44TWAA7aW8a#c&2`@`{5qeYR_o+zmQ6>PJ=%4bQ0vBwA{ZVL^oQn
zk6}QvpSLhW!m5f|jMi2k_-+abr;u@7wAxT;I9_51;|Z{}mkqDHY}$nt*JF&!5NB(S
zI0xojEmQm)_Ia?+*Bof+OeY<7223XQN_2ArXjhQwHpIT}C!z@bE^wKYDztVax`Y^m
zk>ohcYsX@hHUV=T9U+@h_OS@Zo*m-0Ag)b}b61M-u#bm-g8QDB<hI&(yYB&`#L$LR
zn>fV;*pu8g#Ntd9v8}*Cv27~06|tK*-zpX3<y%iN$hVneHz>Ni*j0$#z*sXu-Fjf&
zf)uU5+zRS$2KG-u-C9t$MNEV(DSRG%aST#Z`KTX4*E0^PxkuS1uDK<qyW2%2(p8}b
zGca?UiJ7#C(9H-TU#pfbl8B!U>@wXJQ4RkLlsMD9OPtQN{s7cZ2R8#un+OwPKj)Gu
zcD<ip=3R@}Er{KM)khL#1tkzAl>a@XAl_^MPlNp7*fvN<5}2o>UX>`n3Z@!!fEfs@
z0hOR%)VgaFm8(+lP#q}6dMX7RlQ@VIUd&o;FJr3K-#9_*W1Oh<GN!>k8TL=KT;o*O
z3lVpX=3uX{k8u<1n_=GpdnxQc;$GH+Nb@+-E{FSBj7dK(Hr;v-QWJ*h*iY$?U6!HP
zOBss2l%d#58H&A>q1Zzis*i%X0zD_qT;#4auX9_?hhea)GQUJib#+%+%V65$)T#Gq
z(=hW|f|=J6%)FLhrnLk!ttH|qaP}EU;Bzo9y4Q=>V7~$L7G_uPVde2Y;#a|Z0J9qA
zLzp!%AHl4JSqHNo=3|%*FrUC|g!wznr!b$vw8DH2vkB%4n9VTQ#TEaA!LG3Q8s;1K
zQ>z;ccFQg7o?E#v*pardpKf7y+3E$e56ocqdJ8+!7WRv+GMI9h3YY{8_TjBjFxZ*4
zj)6HA2D-pH4rVOOI2iOc>v)(6FcV=W!Aypk0)xF~>jan+VWz=McQ;y<FjX+sFf(9k
zU}nP9!d&fsX<Y+zEzET=*SlY0w)3tgtash_tkp0ZVYWis>>NTGdZiq1k$O8)??CDu
zNWHy-)RccmD9w&ea`O1S6Fym%P1;%90COYEy)gH|`~ezU#!I*}rJdlkwn0l<?dh`j
zaX;yVHr>YRTT8PsN4K%tWM{emw7a<fuydeay29Vh{m$<0ey%x4@i}7K5c{Q_4Lb)K
zq$~7HH|QCGSjxKzp=}h38Dj=f!r__jHkD%=$5CoZ`7L~#fW1x2u+!lp9GS2QPZ#&E
z$nzOeaS4<Pt+;_Pey%8`lD2Yw8+n6J%%KqT8DcPEF~+XQnI*=cH_FjtvltIOJi+}4
z8vFyL0ZGSw0L}FQG}lsSu1~NpD#tC13}}<FFynw>JnZA$uaLVHBf}P8XoIHQ0xWBx
z8NWjAPoWvNkY<GL_C~8o(8HdVm)dcQmLtY!-GRFwaQ6f5R^aXj+}o7aZWEPSPl20#
zqFT!pGho*st`_4d;WqAE4=K^^$-ZYSbWbKu)mq&){B3eK@ZaBYD$v2t{i1_F3Ziq>
zoqzwELye{AmEgdjdxl_bVu1sjz=KvupRsf!$K>C048pr1W*cTB-L>xE%w~5j;987K
zDL>@(Qf%rtMM`qzaUXKuhQ{!G+dQl&fm))~k7)x1-!dJl+)h#$OR;N@I-PlM7H(56
zK>jSG{KCE8ec%0y`!{zv)${+}58PY^9^CVPujVY(>)rPtP0zcJxSvA4-(%NWcO}WJ
z`z1ow!#wYP04}WpTo2gl(y8Eo^$$85Kb#_~U&z(QF?7F!e=^4X2K?Y&hduKDwLjJ^
zA>HHN`eTvm-V^AX9}DMy10Klw+u8{CFPeacT;_g>v&k*w=brI4B;rfNEc<V$$@ihr
zec2na-N#fuHC7`=qrT&Ze;>5}a$0B~jE9(?Xc$jZeiSBSQi3UrM^JC<^kS7XXCZ!*
z`&aDi@6iwC)7bl0z?E=gtly(-KUyNl-v8%+R7csG9aoiF620%sont#{4aUY?Lp!f@
zKSthFFpraQmwGtJFJstViZ;gV3h4o1f6SvGjf1OL0=58>dlhhQ!Pxkoy9OaLYz^i3
zpZ>L%_J21$JTlVw$i492UD}@EN9!KyE<x)panDmZ;HQ}jwL9BhcnG0;2WG(<PAmB5
z-VwOH5HB9Pt@sgiU&6fTZv4H3+;GX19YO(#!HB}JHJICXm^KuMF{ra2=JVgLwXyqz
z)f}M<uP%J_!1qIbozviML?7Yuu(}Ym{`gma?ncl~TH<Ymcee<^^KUc@>1pmJ*cZw}
z_<qQ*b8W2ZoB^!8aO1G&9%H8*9sc|}(>;tm`f<8mJU7YEdbZE?Z>aNXZfB}NPg)J{
z5s{Rr^E$6q?YzfxPp)N8Udd%(J>HH}xJ~whex0{-dvyOZv!eD?{Ad0DC+qy=f0oDp
zJ*Ck;)E@twASKTnLjE8o)s;GCruryl5JKY|{F~ixF*C!h8~m+jKh04b_kP^b1jI;8
z_nJES;hsXfpIT?o7}~*HN9`)`3LJa9*coh>{RewHA76hcO7Mg^w5Rzys|(fB`|;f3
z$E)-AqR*pYS9WK0ra9fe_Xp`?Df77a{dg~FbN`|24meEMJ=`i4uX{=2VIcYKf9}2Q
zLw;<(>~R5IVM*E3vSgh)mVWAi?dlv_$9K3I{I6(d;tljt2d#|oPTQGtt=Ejjm(v{k
z#^2p~Al_j~Feciyz!?QrsT+2&lGxKG`IpiKJIC(xK$M|%#V!izX1dXC)3+L!MXtj7
ze&r9Ht?em!;P4|PSFl&P&-%On-SNFmE;!hi@PzseP9;HG8+}jWZiOD%rlo<W-@tVb
z@T_!ib06)v#rBjQFP$grOdC#I!5b=zWSvZCch}3&vHiV9;t&ezweCMqF7bwLyk@xn
zM08eop5AW6^k?wkWgE_v=sXH{_asuK_dZ8RhY}qsdM76^;T~X0JM5gs=Lqqq{V#<J
zb~u*nx!R*L9JA+c$SU!slb^)B%M_uR2c)o7?kRMFE)<NkTfpOO{wRW1EL5AI@5`V2
zsOM7t_sOPqk$jRZ%wgLh)f7i9FL%DMvqgRi-QACK(XQw!^o6#L*Ofubqwj=fi0D69
zk@E;eD|5|Vjh@eYs^A4_I-(#$?)AA}?~anxc&|*)?j&}%bxh@gC;6$Nsko&tq&s8)
zZXoQ*N;2TQ`&Q>|u>11c(KJ{)3SS}}inV#Kb}{V5*@iERo=b6#B?@lJ*9+fK=iy%a
zr~n6A6z5{nuV_C2do0_76uWjo9)CwENG>oJM|-&Rl_KWo(88e=fnNqo3a9v&0hb0D
z#C?ALL66@UAm!TJ?v)F=-lI6w_G4a2tR_i?)MIp2d2G5Vfv^Qgu@>Rfhe(P)r&AO8
zb6>|f`(}^BUMShP2cv!%rI&i{&h4;VBZt=l8{9v+4}z+lRxX`m`e89r0!g3jS^hnd
z{oP~2ZSH^Zw^P6TUij$r0ByC&eG_mu`-VY_avr)pC4Zid_G}d#aFSj5G>?<>5S3uJ
zmK<v!&t6HaK?A(IMeu_Y&^YatiW76W`<H=Pg9z*U5c=GZn_f%`{V=v|4S73pdZl#|
z{bL31!Ht;R>$?9$3;du8(|$a?@0F&R9pq1y&s1Lr$@e_S*O+^lh4|<35V}t3+m6?h
z(9gc~?;-lsWLfY^zF2#7AL>WsODZAc3-+^QoYX%%r~6NYxcC~J|A;^Mb*xGK`!OBz
zrG0(&jBcE&@puLuvj$_EKU48@gRX!x9nFpWnKIFhTTOmW8qe3`><)Sz*f+bMbd)<t
zy|WAR(lq33bN@**a>Uab7WjkNdARJI^HWGFC&ScroZbt?i6cgSlub7eUk7h<>8y!n
z)d<}rTY}fwUIv<B;S8MXiunuD(Hv$q^3plxdQVqN3V`!vo*``oF8cDEf1WLU0qiV1
zND+3Wj*a0Mb`RMpL<La2ytu&Sg#`8wld~ZIf2k{F9Nl#t+$#{Dg;wX=pRkv6dW?6}
z*W4vCx74-Xy<YckGBgZ>ey4J*3CDKs#vJ()_Yc^4xeHQuwL6Jvc^xHFPh6pJEe`VY
z7$9d~??di!XOZIIy4r0<9TvOi%CtN;-{yXW(_YNaQl-+@O)_Z+LiTCpLH($8ck{YX
zwoaUT-h(?qAcND0C*S|4#y@(4GM8RS?f9osrOv}TPP&UwHLE`m<#bxoF0ywX^)J%Z
zIbuJ?-?j2X*b&SgI-l1;PUtIp4R?QNJnCR)A}n{_o`=+~a+ClD+P~S3u?YJnz|`TK
z#oO@@Q`m7znL_F9PwCDoMg_WSf>kB=D5Cb0j@DqbX4w4*Mfi70)xij_`VmS)`i&T0
z*29s-vrEw-<&4AcmvleITTK%N+23D;i!l;b`UR9=t>EuI$hgiRS_)rJac<Crxs2xC
zAk(JO6>hoqxH^}J_9@%@<qm^~+kMx)1aoeU*GZBCX9YRDoo_ES#egrwN%`w4Ew>SM
ze+3%rGjLkg%;%E(D*k+*m$ALw;ohX<E)C?wD^>Bx@n^&i?*|F!82;gf1ClsCWmUBJ
z5)JD7F}pnl?fhxjdB)8i`r*3-Z^l7$la$j+FGi+Jg}aJNP1)WD9^-^f?KZaI`#BrF
zZ+Nb&cE1DMsWQWu1Zec@?Co4ZKJn56&7QC$#HUk8<#QvHK7|<cTR9%JqR-N+MnCqi
z6WzCG#h@<jBunYEZ^QKoc(pTDzrV{U?g2Ze+BpPVk#Y_WvNp>GEx6eQ4dd@Kv@16!
z1xt3==TU)n_gX~mTWH>XU^w-z-5t%0cAX;}OS9G8x3c>YQt=*SI4`+r_l50k?Pp^u
zr9i*(+st!?Ipy^_PTx!AVhbFm6Ed$?Do%wpVHi(1r*uQ^uU9Vmh79+1)!dR~kmXQ)
zVX=$dG<;#{|1e^%ksiO*{5W#BZv@_*sD2T8HytxijF8Yubgy@jy!*>Jm!Y>Vhm0-f
zo%fAM@hPM%m=EU4y>s^>guaa(^9Ny`M~UykMhh~I$GI(idhw+IueT7_Tc!Z)wfkK?
z@bmybJ@Luwu^IfTc(FDj6uYytH}>c|{_WFoaQjd-2Oh4`-yZ!^r68;cQnC+8@$Kxv
zOUJwV`LgRvGx(4Blll$8j5kDYClay?eJXpB($rshX#Y3Z=sRmt>F8Kvcru@w_Fwl=
zi+cQozTfCeB=3->%-WEWVnZ@OW1||)14=M^M%d2blmh9M#tG7UF0>KllNxU)tcY3e
zrGz^qCqZb))kn?BS0XK8_0Lp^yOK7Pr*7Va@^$D$8@(7rPz{(C(i@h%1*|Z3K(&`o
zrto~<)AqCkMpV?~Mf3)n*O0k{2m0ze51+cd&U0r_jX#{T(ptfztUx=ATYMSf=)2d?
z2_k+iW}8Z*L4TqRIFwpE<)`K^+|zuVp%mfUM;*ljuNrBPDN~L%-d8$-T=DLeqBsZ*
z71N=Uw7d5s%sk(woilnL48IO%#a@OV&qf=etas5ybWTG5F9j=t@c7O>fK~~?FDr1u
zwGaKD6Xf9$k848hNFmq}Bpa@sT1JK=W<AC?YH^-XxSx69fsH=s_Z|;#5KAtU<9&yd
z>F*tKiCEwID;9|*)SjtG)M~~HWU2cGxK-I+4HOo{(695}FXNFSw2ln0d9j__pggEG
zX)W9bg6z|t>X)7#@J4&!rM*}0&H}lqN1zShVvUD3lzk6x1X7s@Rd*{wvrbxNbn-*V
z;Ad!rYnN_!x(=lT63|EO+pm;J7_)3GyrQaF82w?-eyI69G7r_5c*f`U^u2@EkC>00
zwmXVR9l^Ymp4~YeSoJFH0DjWFfmJxS#~XtzgWcg<h5bOx%;e8~kW*}OU%+l5&1To5
zEg|(D4ru4Wd|UTMXt_@@`+EVJlGd~IEws|-?i-Yv=XPqg;pbLg5&J#CD>h_%d;*4)
zIYrPmzKd=>gnlGn<P9){B6sh^E0jSZrA0ReA;2r!=+kgms@v1LGSu4}-90@Xe>@xO
zY5pOnjhC#Yd%3hh2fh&^Lw?kG3y+-`Jy-`)Aid&Dad?vvv0Jg8!TcQl6n;_)`uW_H
zUSsA_#MQG-Imgh7wUHE$GTI<J{&*-8{*S{9NG9IgL>*sbKG9jy^QiBC<VK{dz2c4R
zU(9px>k;s;FU4cu6RjeDpmj5iU*III5a}M|J-9&==o>HLzhDD1-7H|a*cnYHtKCpS
zQ0UEQLZLr~Q`VEUg1Vt8-QbbZO&ymK?vWj**wav1Glt&0FQieyH=k>&O^}LdBu(bu
zltz2YbIUy~w$pSd5wC9hJr?PFZ2_GbqQ;xCwRy80nth;^Sqt%Q^#;g1wLHyd@V*X9
z80l@lMx7F|Q-mB_ae|Dzo@`PdqlCe@+fkdP&LG+&{ywxQ`st1GEVaK#b85A!fQ+gU
znQ3|pHTPx|klwKT@+qwve`IZFX22Yi=e@(*Q`wQ9IZH3u{J<Y+2+G>={fi%n)X#?2
zhHQGZrg1p+=e1#K=#S?kjziKyTEl(9!;TkuR(WpF_yK=MzMfm<*;Gn9=1q7W7oNEV
zI8$BNXTrX>`(a1YnVPa=pVzZ_*Nu8T-;E&-LI%8EsPwg$wqr~?hlcwT#d_`H*;HBw
zxjG07Qc;f&e7knJZ=sd=&)bRUT%yCR=3x!<luCuhQDuWm;l6<}kYxg=;=B6=bx%$C
zeRM@?&L8F@jRL9Zke7H%bGJXghpV)}r_MM73GNvCu2Exd9gI6t17DFk-=+L&9M~*p
zd=g`DgSLGMGA5P7D2HA*@9>AY)yMe5>xBL{A1WQBZyHMXbul#2D-`9fQ3==r=4%l4
z0C@7Qdncr3CH8oEJp$i4x>bSQ;5X2_$Iyv*kQeg0!5a?)eAMe8U2^3T1e2>PM!t}?
zNsaV;o)o7_9{Ey3y!5-aQKt|1FT^`_lbCN<bwm#|$r{4S`aqq4x$nSFvv<bB)X)m^
zZiK7~G~=FA=zfjdG}4g{L*3+RKx&|%odXxqBY(kc)e8yRsZs;npL9+WT94M1SV3aO
zt7doz^KMza9;`RHmh@fe$B3tUSsw&4g*dF|0!o=T;2OWH!{>y1c8>y>siocuF!}W&
zxw*%q&<}0r@bdBbg)c3N8cz@Mh(Q@U=ZZv&T7LMyQQvr#miHkPtv_H6>EZd|w#RQp
zgOZ=HB!qGAuJsg_ly(EIPIr;QxIK5cP0@a9C_I%)FD1f%B%ZY&Gr}}@rQyqL{$br4
z+Nt0ZIUbdH_PX7RV~NG>P`Z!b*{`!&p<eHGtRJ9{{ZUfwzxe*nO8Ft-yIx^*j?ujt
zwEJ@uaKv|q^RU!E4xPm-E7VENt1*JLNsWZCckx9}7UlAEyVph?<3zeOl4nvTNN&7)
zG;l#8JO9c3r_SS3W28jNFiBI;Rzd&pPlnU56NEh;&~R25Pbg2yY>4OVPe8_A;kBo~
zYGohoD?#GjS3OK&{mo^p<dz#OQ$QDgj=$9X=4WMIa5^-G2mC?FYxwrp*JvM4--f=V
z_e%cPY{@5<19cOO>qT|LU9isk#qLT?%^B1Rc)2c0U!XlgE#+$`v`Ghd!4&@}kJ2_?
zA4dq*SYBvHw0RudInI+JCCx19JE!^{Ay^II_kHomT;HRZA1i6NZ4^%KB|GEC7?5(u
zYUdQY3z044$vY%pX@kyNXLlIAc<l9l&F5Pk>N!fatKD}GOM5$z&Gs?UALuLeQCexf
z9M%J#WRbjv*YfVutY_aP&4ZZjge#<l<k>Z^HHkm8>I~$ZRy?>bw$q;Wu4KPs+V?b+
z%Eox$^|)P}1MDfrJxRAa&hH71JxF778j|;pzi*=GPI?39{Feb~9XVeKP^r4(Mi$}}
z--B3$rQG52b_)rQmx_A=&CM~gKz{si_&UHxxdKU+IIsrxQ$qfNJ6ZBZmfB60>u|4B
zmGj+Hf8b**Yr@o^T>8JRo%}EY(Jibk7zbZespu<qbt?<5$Gwc`MfmOjYkK~o)(`!h
zUbl6h0Ds@cc^%<-5G(Tk$KIR3RaN}`<8x-tf`EuC2q=pvpez@}eHU=gJuNd65my95
z+|ArFH>_;4vQpd3HY?k+%q=S`vodojEi<z+E3>|3`G3#*-U}DR!k)g*_j!KLpZnr{
z=FFLyGiT0cKHDrukLzuO<+T~dov_XKx#t7<_#O5l2WBvMxRT@9`|*OD#e2WMI(j4@
z=BobJ|3CxU3;DO}<jq<3ZTtiEf^>(JfInWhpQa(tT5X?EU&NKrR_Pr}IbdmAX$Wt`
zhl*J?^$4B9)2^lG`>D~w<KmSx82LSk-QL`zzQ2{R!`Vx8*`*rGxjpAz#rYxFt0yqh
ztH&(fAe{&vH{#lJpvaT(-{`x0WEetvN9@vC*7nRZtPWqjcMgQk;QQxPYOE)aSwe9K
zmac2cf2>Ax7gkz_lEMQjqk(uR+)L>tnM(uS6s0kL9r9^|zf6qQ)xQhy0PpCJF6Pha
z1J_I6zm}T1ca-YYwf?dqIze@KOWp^+D9u-z4PR`m#ESXSH?<$*IQqMZZf_2(NH@*%
zO|{j<mbB7ezbQzmbBDcE@p5V(oq(4r>{BJaRBvwIBRFYEoB7696h{3q;tu*g?4I@R
zN#hx%NBy>y=0g8Di?p5@$L{#jH;gM<t{tZ2({JiW=rdZ!aNF|wYtve0xz9=p_3|r5
z$ZpSTsXSuasJ-}}b|KPpE)n|oVT3*?$@KqRz&+Q5{L3Hyz+g~QFvi&R2q@+}XrHH+
z322A^hTW0=9gVB`C-+M7?6*W}(|+z+Ww@E?!wZ7&v>R|enBVcnxBqk)(h)Nc*czum
z4<=d&Eu+1%koGk&H{>LG=Sk>%wUAEp><G?H;2ur?j^`>{CN+@VpxO$gVA+)JGtJAq
zA>=xWf1GP;*v<FJW&X6MmoF71{zD`B<xBRSvv(gx4a@ao@AV5D%kgRbe4b}Ss4{=&
zaSo5BTA93mFAekrjzD`?q@u=p&+lz+OOP7)KcexK*3MUdamRw|Rg#uUOQ}o<5@Pqc
zRp(v>_lMSlCxh<n{saA-F6+-KxpLH_@gV{&!SNn?4&Wcf@k^}4tw_FlvwM!%E6u~l
zy(2Evcr|~}S{%L?jj}Fcf9!I_`<$XL=(SWwQD&vrQF;5LPci?_;6F~oKKxT_O3=XE
z)pv6RXgXzj+key3nin@Zaejm29lAZ(dKD|yeR)!t+;2{QpPGLq@i@b?bNp6cDErKU
ztHMBK-cp$Nub{LHcRsD-p-sL0zXtD9Y9ahpaTmPqeq$(^b9CH25ti*I`WbPi@9MD(
ze2eh5fNxx7!{_Hk|Eoym1foRzqiz+{pfY#UZ3rHrtpbnipe#A9^Ln++vK-J|H*f}e
z$C)2t)SzS*KkWQUv^um_?;T5|qr0a-C(-uyt6Gco@<7jB$=@pTTo+Dr?l4N#{s#B1
zVOWE#%f9fK$;Hv+h41UWg7>(u;xzOkT@?M7FQ?Q`sYhXSUt@o(;aS^Uek6vwuS1@0
z@;)J?=q9{ZXguD(^XbrgrJ`eLYR}s$)HLFqDFW%H+nG<O$7!%`1$Z%ksGAS>yl~D^
z>O=bSEecDfQeJ=y6tBzk=0CsBfhUxqd}@z>vuC<1z!FL*2HXa1c;UbDD`m>o=EC_d
zbmhF(Lqc%r5(!qCuY~KCMqMz3-mUk`^gdOU68?gBgYrxC4Bs6y;qCEx@^jGVnby54
z>H$y&IhH&2V$p{#J=B8w;XV5Hgo`b+GU<KyHpJbi?QtAb-&_B0^BmoMMpK?o8(i=X
z!MqZQ)Spy9|0UVL|H@bkdes%FtqcX1B>$5D`ho6My0*{5qw_qh<KNB=!`WH<>s@Us
z{3|cdN_`d;CNCRVtL&*hJFh&=ZFaf;f#`+hQ=DH$MKN5H<?$%OZvBF@%`oE(<@F+#
zpQZLF=SDnyZVmjGo8b$8``k)|^>-+>)H#e2{^h$Sx}tmf#NkQlS3kgey$AXTKGzL#
z+LO+eX6J68Z+$PXZ^IoQ_U5L4t;{?2UMYLTSh-$%M*X6qb!RMDw_geMfvz-_M7zuJ
z@<XKXP%6hBkfZW{Xq}SuWw{P}C#8~)zNf8mT_bNEd|S4%_oBw~D=kHo;{F5A@#J?u
zV|m@UY>jZ=O5e?UhqA|t^P?7}HTtD&j>?^B%hWA%P~$)^Uxk0_SNLA=g)Da|C7f4l
z<a>PTV!CxW{j?|vbKZ4%mANyt8ov3mX?4kNN??g7$-`IKdR(pIeSc*${>d3?q-TTw
z$==59%s#a8Q$@v*dN>23{JX9wwKvYa6Aa{6nYUA}jkrH@xj1hD7kPBwhpksaakzUK
zSy#3$=ii{BH*<cf3&)ht?>+}LRq)0yT*~=ZNT=SBb*vREO@TLjo<~|=)jPMiQ<1Vr
z&E&O=MXs~n>!oE?E`+?^np{xoS6KF6?IB$U_t*d77pO<5w~xB7<IQS*?|r{Po^YV2
z6v2JL_1RzjwdKwjdS%@i$Y$zQ$Wp8PSD<uDyNmiOD*CG%;(ENNB$S9!14SadSn*m$
zKr=|hwX!?ERHDGYND_PAb$yrf{zxmj_r&uVy=`$`x<83%t8=6N)%4gk%Y#&PYftco
z<GDbu8+`NQT=QSOV+luPkz$_?yZ3d+*%=Y-ZF%2(=Y?B(cP8;@W}puKb%5^Ze%eIz
zoJ5rE;qC5Nt+TlQ&`-bdhIx!Ab5^Mnue>O^N2PN8uS#T|(|f7nPq%aVKfEpcx#fgA
zTs}qR&&%icwr%B0_^Xs0sQ@*U&g=j49H3CGb?ANysaC4XAx!D4>HXsVFp`g)ZjPco
zIi<NZEkb&iDUtQn>Hp?zOLq_Ryd$ozX3xU@Q<dsrrIq^!L*x-<``tyCuJ!R!i=~{c
z_PzJqmtN7bT7J|eC0BzzRm-iRvxW6u2&YRVL8WTr`<_ZPZRX_rJxIFI=kA_EYN=Gg
zo<!hHdf&!<u!$<%vr#AWr5>D>=yIA)z0ZzPJQ^7(xI~A(a9udlmmJegr58^5&s}lz
zVJ}V6m!;=h=^nuylo_gUM@V-a%D#cWQ!liVS4w!YUv!xjN>BZcKzpQjNFr+0o*O9d
zJF2+8TI=H2F?bDRrhBhRH#N}%<IRP#1KnXyKgT<E-_H|!&`SY`CwK9T-Rsps<^DV+
zcy+9jtEh*E_k*LH#EheI{g+nu^Pt(yC0YI=P|`>BJNA@D&ag*kWUnlDkBSP!+O-Wx
z?cUGPhnt@NWEJK9J8|#{Z`Aq9jIo|Px5K0HXy2W8jK!yTUvA+OU8$h^e!fXjhcZ&a
z_nJ5Scls`Dh;QJJ*@-^)o-W7x&KcGtljqR|(wt#hKZe}&WFyWqpBj|+K}ET|we%kG
z9yhte-g+Y^C=TVEhNniarpFU|M^U`=;>~?AN0#HIw-USNVoLb`)Baam;G#L}#oW;5
zuCEpH;y)?oV$=UgQUBy6^hZti<s_5O9m>tjcJ~a94Qjcg|M%g)OuxN|-V=blhu!74
z@9E1|-8Cy$_DN_Dy2gLWpM0LdCkRh4zAFabyn6?Xl_=>f{#SeMt7jjSnStPyBHkh{
z%1`diRB{B*!KkY5AD;z#c$Tc(Vw?J=xKOyP7hAWI*Lr~TJg&JN#uK%UgFQYG#@?R5
zm%XLIQ+*ic&*-(;;D4XsJ52Y(W6u3OIk)^c+PMNb<IR8mQLi8Oj7opOk;jF+tLCwq
zLfm_Ux<{?|agMsDE*Q(->)k`If>J$PTVG*Yp{xu3VNPI~YxpK1&OM$HUI}wwcgp~;
zBq)=o!jp3Rq<e*lJT@1vm90lPnyNUrZ>(3J!V||LUjO3{v1i~}3S~$?*+2MK*|yN>
zJZUfFRr||YLFU3Q;_bm`+w#v?{yhdmKRt%`7>k*Ym?4Q)h;p|HYomEkB{Vr*t&*pN
zHi5rhL_O!S%%2Yra=*vY>w4~`?_b$7-2)keC)64RX4F)+X1;~~?+SyHy5|Hw<85EO
ztzW=H4(sPY8yu{NkCeO#&%>5K_e58CD7&|ePI95u_P*IK<__L`c#Freeg-?UdUWzK
z9I;}b3GCr5-u%8t4{yZ!9N*Xrh0%T+FL<rQ#xC&zTqtQJ;&r?H6_tADBDsrmr}pwh
zedNFI-ij9~pY?o1l;YOzag$QNocpbneRrU)v#j;s^;zkemHSZ&zM6t@wpH%?;yqtr
z<%*Y6c^k8AZM?CSJ>rfP%q632(|V12RP1kYcb4%D{6T>zN3YR@g!QcFnyEQ1&Q{~U
zlzQ|W!jqu1Z5W5#4Z1ywxo9sVhWneNeNH3w{z^PoiN-|Bj+z<DIEhiuMYx08&Uy=>
zeOk{%`4|<^VV}2*uL1blf)(A<eVsNNZO4kzR21i>Dt+{Qlb*L;3F<Ff>VNI+mo4kh
z&)l{3YK&+{U01z(fuE=D<(}xzOZ$6Qy>~C4+pBAqkFVT0*1_m;WbI>he^VKh=J|7f
zU)giw%a@QtThq2Tp$;QX&p`tHp<RCPeY-xX$^=W(c<BOp$#>kNHokY%rIyM3w@ymr
z<L=Vz><bvh!X5NVqcT#(ovO5#mgcH#sO+ew&gJfd=jGR0kXsWv?^0zW@Fbhi>)&!q
zHQzprD;}?8*|PA?v;_3MuTK~?-By`a$2^{G?sC2T5joxOQSX!Zi@W{2Z?iHbmaS#U
znXI`>d)QkBwOotua^8q|t)13_#OsUFP5sYMNrwOP0sU3vc(ejq&GUy4-c2Y*UA0CG
z$>hE8fAXkXCmymj7Omp;XX}t|pLp!kd<OrQfxg~CuX+yu+py2VM#P>t_ZsZ;RmgD=
z*0WyUwe#FPKJhOi#y1uE2Xks)$A08`@!b4#1?T1<%}L1G&rr%9{McjuXT1f~P_Mz)
zI*fi+x6Yt-7sP6v*sB-gT*qqd6Gz|)T;GXfiH7agFTC;Yrz}15$@wR(K&?n?M0)l!
z_gw+HSLSFdM_V^~98IU-3fTWyZTZjE#ygk%pDp#@SsLFDC<IjDmJQfP+PjCjrWE{Z
zor)SU-|9Y|Yx$(}xams2ZLD_p#PN(*OLOWG&<kn`xaRh;dgg+VYTYsVyCM8@r@$Tc
z4!4@p^zJiyJ(<3nMy$ZU@EzP`TnxI`Rf7v)7f=24Zi@s~l^*A!HLpvf->$TO9fy~4
zCwt8{-+RGA*74r<;Tdz6=G4z~f%ZWiwB3QLctYLF+%3Zx_g$bL@$2!lMm+6RdVi$%
zeC-V-e1n?szx4Y5rcgzC;Qze(qrKmUY|*^;KFsoPf05xnO)ZGk^8)n0heF&v2wGCf
zJJQbsYB=sG!6zOuK4+fiHhFZTC#vkhO;@DKqwXs@%zJqD979-B7h`!v?_HOIpYY7#
z(vkdQ-`BnR7s$-*;27aRtdnxrOj8=>dTD)EU)7$WGv^lI>|4m=ljjzclybPFeQx&p
zqtD$8ujOvGO0YMbK9=<VBfhani*tQVA4~tro|VS`b;!4U+^O*nAS+A%Jgv5`G{ze$
zwbH#YsMmYvo&dEbo_nG+&Kp9D=&Prpp&vRoMz;^r>o;%~Ka75mt8CDzOIIgwpV*z+
zJ5lzpq<zYHW;m}|w@;b)vS(#Wy3m<NE<ieX@8wR3cU#H__0>Po5h^Mhx|{AHC1sRN
z<BkU{%|sgguHhH){29XKL^{z<j1%iLbmE)@r-_r~Bs-~2Q>U5J!fEBSaoRf_oz6~%
zlj&qR1Duggt~1sd@8mi8PJuJgDRhdQDb6%!hBM2V?aXoJISZVH&LU^Av&32IEOUy5
zA?9OdV?9w{M2aZPQi{RX)nY|Md_N}+x@m%FESjKiB#C775|>ED*VCGcbkWSHY6KaH
zMwZdlC^RM+MaB$cjj`5v(Rj&t*?7fx)!1TeH+C4W8#|3Rj5m$9j9tdt#yiHl#(T#5
z#y;Z{<5T0Xam4t{_}n;Zd|`ZP95=o)P8cVR?~NafAC1$-PsSPJXX6*+U&gP-Z?d+G
zmQ7@$Y$k`xk#dwABlG1%IY~}c*(yhUroK>Ls^jV#byA&H|59hw@1|iY(=;v9-wZPw
zn@!AC*1gth>pts#>jCQ_Yn`>;dc=Cndcu0rdddlMLY?|(iAX2PY2Y++;+@7$qLbpd
zoHQrhY3{UiT03o>4o)X$lrzqm;9TuYawa=do$1a@=Nji)XRb5fxz4#BC5#agUvxDw
zDs1CBmwp&+^M|Dvh_8ACVRmY;sE&ERHNgpLV=i(CwEVjG_FcH>iP48~cn^<>$Hf!k
z8F4@y6hDbG#%|+~@r`t34Yf!uRmEz#TA^-HcdC2UT6Ld#NIk69t4GvkwOhTXJ~dx6
zx0qYaZRU1!hxxj>(|p5x(|pU^Wxj2`W4>$dHs3S%nD3h(m>-&Z&5z7|=EvrK^OX6$
zRn3aG`dgP-6Ro+{JZqJ;(R$T-&DvsZvvyeT;+YJm8&S8AbOt(?;#d{WsGp*~rVHE^
z<s$!+)<(3W6qeJ)=_-WN!|9J4mpQ{kfHU055jC9A&S*Tj1U*T#g+N<0L#sT2UsF8u
zK~UCD_%#D<1&QXMt*)X4XsbxH1Z}Mqtw3Kdiq@d7&7zI5&Dbg0gSK{w3{6*}3n=RY
z(H+#aPxM5~eJXl^vc3>~KwT$9U*j9&8!-^H^^3R^ZR&_CKvlKHP*7I1xDvFLD29Q)
znu)7GW5b1}vymbjv^GkNkW=MUk%JcAEk>dh_lqL5SbuR1o_V5}jaHi{uGRD<=77Q;
z5c4#JiR(0tiR(dSkBP;gv?s(8O>JT+T6m)<MjO8-mOJ&)VmGjTuOfB_I%tzR=y@)@
zw+~5~hBFB90qCiEv<p|zHm{(E?Uc1W*9YTzRkW%NibHN=pL9^)?Vtjbfw~$(fro%|
zAan!n5F(nQWhWa`jH$*nV>(LHJy!S5L%O}tS|vSDc9NO0o9rw5$^LSnyi{H(hsj(y
zK~9#_<csnp`Lf(3Uy-lM&GI$nuL4w{s;Yui4K*B8yNuNOfO<l0Qm?5kYO8ujy{`_d
zBkGv?4L$Xo8Dxf=5oUce#*AlAO*E6to@Oue60^72$LwqNGy9tZ%z<XMIl{~_N1D0j
zD08$q#vE&oGZ&hR%-hX7%)89H%}340%?;*zcqf~zS3tv?t*zF3)*kCa>r?AH>y-7q
z^`mvh`o;Ry`pvFl``ZC_pk37tva8v_c6GakUC(~de#l;Duh%UND*8r^SF_c%YL1$#
z=BfE=fw~S?46`lJQn#wx)OYHXbrxrJ(Pp03k_G6EAMiQ)qmDDpYs?j>+r8E=xJwPY
zjvZpxwZrUscvDgMua7<u1&&)!G&0~5F(QoCMlDVEMpL7^(c4Hj`Wgcecd7Bb(VpCO
zE#K7r<gO2cyY4g|0dL)9JWAgB7~bDrV*~i>5o05H>+{Ajyw4Z$M!yDU{uUhe74X>a
zjm_Y(r;XRhU$;p78QY{K(~a%2g=}H`1lrkYoH5_DB8)$*##XZIXSu99<RI%V>mIq;
zxz)K<Zqw8zJIH(?<U}<>xYS5B(rBRaRlX66-tdyq(EiFkVRS~iP;jv2La3Y6Ey7W^
ztEWYPdPcn<;?>J)n@CcxtDT~`dP}_}T7o{_6|K}B^}cAMK2&=}JN2<TE;^{M)k)Du
zeQySc0cNmSQ{<a<%=)6xj5cG$OtYccP+S8FN)WTnL^DOqF`Jrg!~*MO>vQzAFRY)%
zGy2Voo!0NRBi=-v0?f(g47jFdnX`m#&NhpMW8P@qBtk$@w~M-<syjp&DC;f}Za!o_
zDk4B%kBb=4*ap$S@pA&u6Q%GcUok){<3$zF%WTlbwdz_SK{s=RKWJyJ@B{tK!*kD9
z^MwgIS|Dt79jHkme=Inu{`ui&qUQz!Yv5;sHlmOs8b1S4IR<GP<EJ2v6M<T5wIGjE
z(c{zbbHF>(QAR&;De~rtBH${>64R(@Bnf3C8_k3?vW*!CFEMTuma)!wL^z<Er-dK-
z{x-z#Fm?dnF?Ivr14s3PY(9oC=tWqXMuY(xv4M`PDg41d(}j}lWqb6BkIj!o6>FJw
zv#8?S;@pZlOVG9yrW_$h2r2Vq9?}-dLc~m#lX=}lAG%E#=ttiPrA{fVUbW7mM@jq|
zL8^Zyg4E~gbEG(?P!GuXFVS+}tMAc@r`2hMe^x&Oe^I}nb^oRQg_izR{fe01)$c;;
zX2m;IrV_!>1T5ii+NOhd?Qi-613*dDKuKtEGsFxLer8>>uBZZiAq-c;&2V9nsvI)`
zRAuWvjhG}8vJ148E`rQvW;4XMG+O~%gWCM8cdU0rp!L4>z6h}PT6+=x#QFqy+&T{Y
z*7{adwSKaGLijh(VgQ~q6rAHH@ar?i84&`F=V!$H0vTn>0$Bk1*{ybimOfA)pp6@w
zjYTc!GEGEn@WlS2IylT2JljljCTehvc@1cKg}DOHaJPB4sA=A7-YYC{ykCR@_X!p?
zz=3KAKX9QsA`qM?L{tMesw=93BZY||aKL(?BWZNt8yJe_GsOf_<^<F=KujWiP9S|w
zfc&o|u7nOyTeN|+s)HTLLhx%3ttM1-gl1D$Tm|hWOmv2Z6E22Bc11wT(NvvBsvb|O
zZiyZci@nSm;@6rKo<|DLBZW_f&gl|UNayWH=N+IaG!?^0?VX@KG!xTBb7)XQMIZcH
zkp3r#%kgW$UNAvS!>^UN4!=q45fj8Fu@yDn4ld9}yd{pH=AVf#Q0HUfTh#WX_yM*3
z5x*AHMvBBQMz9#iew4?4)Y52UbP<I{H=`T05#6Wq*rz5NHyIC!DePGt*t0r;3qLQW
zgY&+Ol$(rA$n}cx3exBvm&YEL2hI3xT-E(9kNvI_xcK`>11%YN#5jVhx+mrt-x;S6
z*8Op^=HIvq{a8$A-yF}rIi9^TkG*m{xN`?FKz5d$#URM=Oz1paWEU}3c9-1|-%Iuq
zL*ym$62$bCeZ}RF@cl$HNcsMvIVAl+XiE5r%j94=SX>RMKMe81<#6alx>t{o<K#Fo
zn0-438hO4LDX*4S19d;ol|`}$VcpvYLW7!y@Ju-qI7`k#33KIKgcryK!0Y9WDE}t8
z0=0q`fxGOIyAXa`et`Hd<&Pp;g{b;sq)Jt7fNfP*#0*qdA)Kv702ir6q8GG{Wug}J
z<mI9tWX(<BBDX8>a_G!=iZSYLbvN)Hb&qHYt>j)&U#(WFMIE(9t$}2@Pu(Y~s|VGC
zxcabq7<nI2kBA29arHQ2HmD8A`=okOTms4UjF_mNRnMa2=hgGLx=C$9X|JkRMPKOS
zo00N0^_oak+aTTgLAt$;(zJAIs@{ck8w2UK2X}lQGOoJX3mMlBGVWv4{}c5ou0lIP
zX`26yBL53gN7WZ1j9jn=x!`D6JI6&FWa8H%R@*(es`+Aw`a%7Ou;z}V)lcdtgf)*G
zO&%FR9+^%aIU3s6Z=yFeu(L>``DHcrhdKv|r@3YX>?et^0`II1JIX{@bI@pV(9vcU
zvkGD~A02H5npH)CS<S2_(#TCi%<5)!T&)Qi9R?X)2dMdLx*2MQBCNS=B)RNpa#<I&
zzX-(Fhcu6aG>;as&;?@<qh)#oWO_Wpng@?24|YMmCyL(W#MR6c$oe?)<5A?tqs<m(
z3#8Xvc{I6lI^_Hm@WkonbfA{@{*d<9imK)ua}GG>Tyw4nH0PP~5T0+&M|gpG9a1hd
z7m8`-_2%^=0b1rFgcqBO5ncjKVJbC+spdL!9ZFkoJ_6iqZiY7Un)w<y^;UB$q{Qpy
z>%ce7H$^hE@OKe@&wLN~zWKgTu*9%KAFQztAyxL8d%?j!GCzX6+GoOkp*;12g|;8|
z)dBMq$~<HKDx_82stasvH5SQMCu<18BdoDPS>vsVke*jt*Ms9PvX%;mve?hM#aby+
zppD%t`os3UU-YmZv>p`s*2C7rh|#u5KCF@_MK|jy>nYKlwn<m(dFy$EU$9<4nwPDY
zMPumHuZnQ!)SE?3S}x(R5VweU=-69DLv1VK>g(3)BGlSxy@BwX)|(>Hddu2{@Y~kg
z2y59`&w3X&Ws<eq+AW$uJAY4PLPOt!G+Jf`TOU{-BCI86J?kTDAHpA7AEW&J)_#N!
zSO-Lmb<jG5u$HU!pxJ+l@L}sP%0FTq5gFEJ(D%Zj?|mV<SjVhmsLz+ymx$34xSsWu
zbpqk9t*=psZ>(<+)-pNDI%%Cm3Ex@Yi7Z$Orx5>x^#h*nN9#x2{j_x&F<Nfdg9QO!
zp!GBK$wcUrzoPzHk_SU?`5p0pSbrebIqRHgY#X*A!fj<MplMqo(YB#^CP63uN(_Sj
z=m)E~ii0m4I|0xo1E@8P7gD^6fBjSV>CR|ECR_MH2f@!DXO5^!sazBOg({G|{`iGb
zLWjZE5D06cDt<BaIn<%dPJp#t9iAMmSth{ht|^i!zf&o{n^AtZ@sZ!1D8Dl)zq?X?
z_du!j;1jBkp9L8ng&JtxG=NgPI&2vIYlL4oQpMrA_8v8WL~nvKt+Td*)t`i8GJaZn
zO@SQO(!CX>ds`pr-kH)pi_*OtrMrZOq&J?jkLZi`&^oRo20_Lrh#_J;;<dh8Q%n|9
z@g!Q_*Me5C0BxeBewbJ&7NPEo@rw~l@QV~nF?t^(ZW4DP{VMof65x4x9OXPAHsT4M
z!7o8PD_%xTwXTpVw&52{jiDJdh6B(W4nl8eNxh*H^@gt08+uT0ND!y-OVd6al=Cxw
zq3~z~L!Yj0)DUsdBtoEnhr;5k4~s7e@mf2tZZtPqiw5+1w1V~5ON1Mj7?+4B*nz!~
z5|$vsmm0&7Cfg`PIg^Y@$XjGg7qRfa%|OgdW3EUv<{67bim}*OEP|+)G=*NW2Humk
z&`z5BXeU|JPP);n5(m%SODI`uCw}nXy@t}Z7+X-!?Z$S5wQbN!+nWf(-UPmDz)pjY
zYB$noYaxqTODp38<3p6Q*Vv1zT7zk&J$;Dz-1r>fqsCF>JqB$i4tD96h=FB_I)7_?
zi||R~Bx<hpo2Jxn;;7$rqka=W{iZ2xj}Tc);=AP3by{hQRn+%z-Yw=9@K()#ZTP~r
ziFo)xwu77RFn55nYmQt4zOkK<YML+Cg@^1d$e3N`F32``$`G$Pbv*oKyG3L2>v(v4
z_J|~MZ5O$AI=Oaha_x5H+8xQYGsv~OkZX7MaP9BSA9457=1-`V=HRyZn+YCap0k2s
zFKKRG!wRz^L~Zi)x>ge_Nkmx5R<ekO#oY|p-0Fy{ovgm#Ed8v0$kpE(46bw;xPQEL
zg_R9nre%Q38fT3Y)hG$lAqnP+*6>VSFIrey9(1&{ZPtbIpu2U4bqDg^Wvv3<ZQUbk
zYl|LzR*L7yd)koigp<pJld~j}kA#zhgp+q9k#|V)j{4*s3Oz0qIkoQJfV{&Z??|TZ
z4{FC9T;v*c$u&}_`)5-3Z$W<1juwCmJfn$dN3P)_*Jwws5kam2uQ-0`<QkFW8d0<f
zV#qaO$u*jhYqTNP=uCbQP970Xj*y5x{|suT`*sq0wWJ+TpZ(cnf4114ld1cMqTf~*
z9ccl$*jH2FlWC0@Z3kqs$F`$2(8B12e%lVc^eUjX3|#D!?bs(H*c%O63F+*IQM3|b
z*$<ns2ezZF(1Nx?CVOK#dgH4oO<N2u_Cpu^>aQb4+YK#fH@MgXW7z}K+4tJPCv^yE
zbPr5N4?K+U5%j|r+UJh2wkKTZdnXXqp3!#fdl9rSTCfKi?1AaDPdm^)ZOq=-jJ>fg
zdt+Vp#<uK-F4`P*Rj$evS=6~|m{ZMZuu`?=Rl}SCZ%eBZZ_Bl!5%sTz)V~~4>t7A2
ze>v2@YEb`5qyE*L`d1qDujbUhQmKEX(%P+Qt~6JQmgb%2oxoM*DxkK1ThsoHGuN1F
zVB0@rK7_k#ea$u>HXlY<Yi+jqnE4peKVd!reA0Xp_`LZ%`sWMg3()m8L#N9mXQ=}3
z`WBHv&JqUBvIAkwO~S}cGRRH*!A;&lyyhTb<RBU3AYtSn8RQ`K$Uy?gK?2D^s*;05
zlY<12gH$622_^@rVrmZ3$@~c%B!e6z3>@Tlgf$1rAO{H}2gx7@@dpP<N4(}58PpKN
z$RjeyBkGYm1W->5BwvUoU#LdD5NzFP-HBYQz!5U++IDSGi(Uflv#cv>(@Ri?UV<ie
zq#Y@m+R=8jXir_HA$1vtx=cgrGSE}SL|ULyc9b3ALFyzsi5j#<17wEG5J9v_Tgoh%
zC7RGOZ6LeKt_XLN-N4<ol`3Tq*%L9^R&7RGwSnv{dn2Zg>?5LRx5m?MO{U$NCI`p?
zB7)YdAFbE=a*!M(!f3-vd6~Qn_q|+Rff9zwp`wBIW{Wg=m4vrKX3K1NskChyEOTUz
zsKQZzKzO@zVUy~yfNFBI94%5X0yRd|lw;*sQHxe^h#W7+BS!nVLg5>qAez!5j>b6E
zL=jE9xDoB*M2uTa5-wWD(X@_jIYmxEj2>l(hEIK(Xeg)4>8QyJIRp37R&%txMqVQV
z<!m_{b+}f}!M(Hv9WCd{`N*s7=xBMJybkdT<wC?<4{KV=o8_H&-n--mJnxh8c|7k6
z@&&Zpi?FiO<QDlBo_d!&hFquRZz%t)vSA52s*b1$iyI??Dq4Zx((aB{-P8bF)pmC@
zy!*ppYiFx$gh!|mB0>9qVU5E73mZXO90o?*R>LY;W33U@t+m!#;g9i=```o9mPiYX
z#61AZLfa!T7%_PW;dRzJ$U1GC7#uxmY&~i{D$;4E#8{78k0Xs9Nr|*JSQ|tfEte!(
zE~(bj*3;0y_1KDIJ!3rsUHw@L7P|GE^&E0(izXEo%}dbCwFVwwpRi9rMoF=PG@4Gj
zj3q@jA}xlI{?bW#ok@9Nq_$3^wg6IFxYX1ZLTal+Y6~T`wI{V@(qj@Xhs)t2PHNhU
z_jp4!Z6%Pl8k4qKlD3+Vwk*<CB5A7$X{#Y=tDVP(s%fhQX)BpNLN|rQkiwElVJ0ao
zg%p-d3NuJyDfGf5gSKX%H)^U%rY|OrwAGlj)daM4tw@w}Kw-^DVacSh6jE3+DXbYO
zEQMa1OnPn7>9q-`*Cw4_n@stM{6w^;?<S74)tI!^1hnNR5>*vdMKr@`kw3x#ptff8
z?<A{8&|C~@E`>CgOkYnNDX$4BFPW6rgnpl7m7{VnLZB(H6(vs+=`WG;ryAu?5amxb
z%AZuqp9tFj^(lYqQT_x|{?w!V38wt1<|BWa`pBQAls_)Y9~b3Mb;_T%ls|1Lf7(+1
zWKsS^QT{|y{-jd=L{R>uQvO6x{<Nk1X-oOjmhz`L`;U$Ovqp4a&uPt`(}6vwDtk@`
z_MEyLYwW;2W3$h6V4vy8K2sNc<_VObdrJm;i$8lyAbX3SPj9Kh-qMD>r2~6QAnkwK
zdeM3jCA@^5(}psk24zBR%7mJf3AHE_8c-T^Veg7%?{Z6qdXx;olni>@>oNN3q*|<&
z;GHd1OTlTh-_C^*?qYb<wD&HW-n&*9@4i_y#+dglh`C+efw1=E#j3m1T?nsIt3*|L
z^@8cuOQKh=IlX!T^y<~YNcmcne4n}>=^s!JAgn!naTq-ZzftSdI)pKfjxx2kud#Ym
zJ%&1HpP!8}%O_Ab?fDC)=dX%-3L{sI>Hn(_|KD@S>-PV>fU&G-jAg-7LSJBW^@@50
zVeJuYLyurAJ%SN>1QcazzhE@|g00j}jD1DZI~a|zuXj*G?IR4PkFXAXgf5JOeTdSu
zr!bnHLaFwv1E}Xgbr3Z_qz>V#_8rF3ci5a>Lj|wlQPBc(Bffx_QIDV`({~s`-(e(u
zhb`bc{1&5dC*eViga`3QgthN5hQ7mibw-^*SbGqI=s|4a<3Ws}2eB4Ch{^CE!m3f{
z;6Y3_VFEyxGfV?|l!PC#p`MF@ku&W<jHd@N#Pl;U-bFuRb@~y5I3DA`gIFEuYnU}e
zDm{pi^dQFjco5_1L2O75VhlZqVelZ<gPy59h>`Rlwx9<wk{-lJdJvQ8K@6hruoiuX
z$tHfdi}oN!n(1aUjQlk>o1>oEgBVW_VvO5^NFSJCVO&|X#K`iiu-P`l6P7|xSSUSV
zQS^khgePpfNWjdA9q=l>4o_GDJz)*t3406SUDhs){b+w!HTuI6=?`m0f0#f0VYTTG
zOMyS^1El}Z`Ve=~{;)>yhkb;YeejAkf>&(6Xh45h0{vm3^oLpWht;4ztQ!4ce)NYW
z&>vP0{;)5RS9`+J;0gN*H9P@-SOWcF&FBwHpg*iN{b3F04-3~L=XhT24~wEdtR?(m
zKOw9=VJY;4Rih`YHa%e}*6;9yCD0QVMNgOkx0NA6ZD~u<fc~%q`okK~AErko^_&qY
z#)522Sa^CQG=(<jc-ovPv^i5~ZKl!MOsBQkf_7$W$nY?X;OH?X_qb9Lt;&hC74`UN
zDl9@hHrj?Z;aFOODYOPtXbq01HJCy>FpYL#IxWDqv;gyH<4vUHmP%`_4Q;cDw7A;P
zQc9&olthati5Af~+CoW`NF&JaE(5<?DhkNy>XXwIkkj=cr|Yd}_TZ`>t%y}C!RZRf
z=@P){Rw1lME)vM&6nR`P^0*lCxJKl01suPKQ1^q!6_Cd%@VIpd>#>a9m?^X#Va?+%
zA&)B{k5lAv1>|uF<Z+jh#}$yr_2d{wta=Wdu7I3QDb48$$mt5m>3WgV6_C?4A*V|q
zr!&CmwjibEbbZL_dXv)?kkcu0x&m^#1deg`Bfo1zeiwo9&JU4S^SeIecb9?R?HBp#
z0JvTO`CS3|T>|-CFOHRjk?VEmSjlkmyL#kzL&)zk)mQ2(kwvbT$Pts_95HFY5tHHM
zdPB(dhLh`EMXoo5Tu+kgHRia<5OTeS<a)z7ZW7LMli}oglH(@BIc^foag*WXdKu(;
zL&)`dkn0U6*Be5v7s)Y{(HukR!ZDNv977pSKG=hNa5(wkaPq;%97!2YK4_8;4j~_m
z<4DSIvmUtNFml68a>GP&!{OwHlH71Ox#19wr^JybHY86BCpXOGcuE+@Q-+Wy4kb?<
zPM$b~Jh3q~teVuYYEZ+fNewH98kR*3s{=Kx_SCR!YFO>5VcFEMYEr`*KnuSwHLL-&
z@cUB3>Q4=;KQ*k{)UXCq!x~HtYcMseE2v?0q=w~C!^)wCWl_V*p@wBq!x~HtYcMse
z!PKxi(ZcUc3x6Ul{E?>i8Ya`KPsY5dH^kMn>T_w&C)1Ko_VEIaq7C1aHhgp1@GWV>
zx1#mlj@J7~TI|WR(vz+FR)V;iR(dWi^JI_TPLJJ;qD|hEHhD{0<LxMQ{2+B+71@+G
z{**V_lsAJYZ@O{hC7UBJfgE|sro4&g$V)aQO*|z{FeOb_N}2#lnyQpE*&KPP!jYG3
zN}6Dfykv9ar5i_HvMFgUr=-cIqzR^^$)==<r=*FZq{*hFsm76)K#sg*Q{Dt~<RzPu
zrYj{)HYH7UN}6~|njnt6WK+@%qNM4@k(X?ayaZF;WK-V6b527oN}Z~dI#oFSl1-^I
zh*HN-50;1t9EHiI)XApQiKo=*N=;VJ#tISeZNR$`LQOW5n(RP&H?E{UJBHqk_S9i*
z>agwU-Ow`_L)ix;`+&hdAlU~@_5p`|z@L4<kA0vD`+y(&Ko#}@$v$AQ57_Jj7W;tB
zKA_kK6e-&TWj~D3!S&{P=uMBncjd5Veymv)*31vGG>fuyKILZs{j@_Wkeu32+nVxo
zDCK8$%Fiq5r=3SXE&R{;Euf$FI(lgR>7iXt4{b91vrWWudT5j3Lrp?hkLxU?)YbEZ
zwba$~l3LO?dxb{=>-ictP!7+hZ+0#vZ~#5AL&`{CJtLzv<#2V%;VbEhokve>Fg>x!
z^u%6APi!!Ku*>O#^`{SZIeoCp>4QzC4|X|yunQ^4UG%=T^vH8PN8<*1UzgMS>Q9gB
za(Y~o>2Xb_$8|Y9uKx76CVS++9_Lt2U+Z#uS(nqx>Q680a(Y>l>1AC`FY9u8Sr^jF
z>QCLlMgQtBdRA|s9<hLW!~*(Mlc`56pod~AJrtMHLvcBM6I1D%xQt$j!SqTrp;w|B
zy%G)SmC*AwFBOgGl^8^?#1#0zhKN!0evO3p>q>Dg{S?*c1IwYeq5-`X)99@jPEXi$
zdMjqqTQP@TiER2KM$i)xM^D5AseN6u>4}J=CnAA9h&cKn2GIKuN54ZH{SFQ2cbG{p
zLmd4Jar7xnp-*8dd{?)jo_EQ6fDg!Zz$fKK%ofoetWoe_y^Nac*&@~8$J#D(=zW+<
z@52<iSAK*v+6OU6eku>+s-8vCfS!n%^fkoM*D#x2hB$f|8qmKGN6$hWwYDPaYl@m$
z6>4gIsiOr^7mK7W=1><4p)S^wT38+GUy;<j`cmiWO>HZZ8df*zRyK93AZk^S)TA8h
zP%+e=!l*Y@q2AP&8dD^-r18{}dQwZOL;a`<^`j!{M~i3=E~ZZ8P$!y1ZK#;qkU?!I
zoZ3)7>Op;|2NhEfs!Bbmn0in+^`K&EK;hJY>QMuVq6QRB4X6h-pkiu3wWt9VQv<3;
z4XBtJP<LuT#ngZ<p#~IA4JeQrP%$;2aB4u4sry*eeX3ITDW>idNZqHHx=%56pD5}+
z#ngTLsQX~19_H$WQuisQ?z5D-Pe1BDeW?2sQ}?My-KUtkPdIg-Q0hKCsQc8S?$eLD
z&m`(T;naGHsr7_Y>xsg=<X-T->)Cf*Fdun@=*&5IS(uAF4qkda)8u+eg6laeZwY7R
zE%VWa+EEg;rzB`cNzk5>;CgB?HK>UsQ4>j_CXzxO<Z9|5DbztysDq5<I6~@qI!G((
zAcY)9XiH6G95s<7Y9cArL{g}OTumJ$g*wPsjtivv=pd~)F3^^m$T)hVV(EvPK@Zdz
z`kvzHb&93GX*B&!@$@w1($mzKo~A^4ny#UzX(D}0v*=w)q<1Nnex+H|bZSz^k<@Pb
zQ;Uh9{t`j`r9SnSUesSq>M!}!TxwHisZXt>KJ}3Z>LXWC6DgqfQJ;E8FKQgo)Houj
zanz-*(VzN7eQFjF)GYF-S>#i*s7;-sKXr<l)F2|LLG;25a(|JD8RS((N6aCwCc4t|
zbtyex?)e?<D4W|;Hn*eJus|3BJAlcd)$k?P%r3nKim;sNg?Xay=)&CbVoP3jQNH+9
zyHBtV=p1Zay<1o<$m4iO(zciZahVta%XNyFgINr>h<n63@f2n$>=3)fexx)8^zR%c
z+B0tm?i2vYA1M+bf!m2Lm^*Q~$iaNhsbVhXKin$r6%UK2A$eaH?_oxRzF!D*hd|sl
z3Nk(&<#fetiy>m9$j6L|d19HkO{^B{F+<`Nu~Y293<z&MLxjS7lMv_&O(5Sph;Fd4
zuMoMS0JAXWi(+xRSR)?6i0iB34e`D>1f9a_G$boZ49w_1FiI@yJ>Zfk@$!J41ER#K
zf&F_%8L^(HH!*`H6sZ%TF?1CDF~@V1m?&mID_Jg9inZcV%+c5^-V`5*PdxRvL^X~*
zCt>bpCxJPRnCCfKTrFlo&$vO{A@0LmkLSc|u<}0?So_Ckw&7(6gU=utx=Lr!Lkz_1
z(lMBkIt$v&jp9ymKW2tJFSdwXVy`&t$>U%)O*pio6wF@9!0gjYG1qmhm?W+d*K=0M
z1DHwj0!EkL79U}ri2FW%@MA<^c8LpmO(wLTL6~Ja4)a!KV|L04_#hq>8^nv4XY!8N
zhjD0ko+_BtqG#Qt!h4Y=E)j!8Hs-rb7T01f%gy3$@sM~@yac`JUGcH_TpZ2L&MUHp
z5JwQl5etbki1Ua`h%1P964&OWP0F#>6E_lHA?_sZAs!?iBc3Aus?j!cvM1%*LBv|b
zFk%$35iyaNMr=uJPt458nK04rK^#iVC(a?RAl^@WmbjC+pZLwl{DKMg9~vE#=uZqL
z)*(g^V~Fv@WMcZL!t5NUH8GRen|K*<1Tl{|g*b<}gm_Ed*wNX}J;eKo>xmnP&k|oI
zZXxa@zC-*VuOKJS*-t!7JWf1GJWc#nqn{w!`I9FU`UMhe5JQReiLu1SL>I9+u`RK4
z0S<oMh`osei9?9PiKB>l#6sdU;_QOLk@<cLh)ak!5^p1}BCaK_BR)>tNPKakzVBw@
z4&pB29^yXYC&Z(~6U0-*Gm}8WerGjSsY7%Tdk{wwXA@TvpCaxe9-A~af0Vx<+QdL&
z4Pq#<J~5WqnCK!lpEMz7qJLXr58`FSQN$wRJmQVSdx(z`Uz{|_mFmBfxQBR<c#L?8
z_^ZYMlNdw{CB^{L0uqVo#J0ptVlU!A;!xs9Vji&w*fd}kaRG4|@fPAL;{C)&i5rP8
z6So1=19lPj5)Ttk5Kj~T&=}}PtU-(*HUc&abP<~q+Y&nyyAgX62NH)6hZ9Flnml4s
zU>>oMIE^@)xPZ8Xcq8#P;ws|WNs}i|3S39rNZd@^MchX`N<2k8tFfvdvDS>-!h)(%
z#74wKVj8g}u{|-9*n`-YI0$lB;$O?|f9j|pLG)TsEQ<QKg$&HX(zX6OSbp^?R?@&P
z@4KG$e_o6M9YjCx-$4bvN3X}#@8jPUGN3Q$`u#n$kXK^vE!<itL+f6KhZ@~9sTku%
zcZ}8_4Qi1Wk5SC~_b`lk{~ks%@87`yyg9vcz5Kd$0X_Kt$`u2)f_~?J2es~uHDa(g
zYNL$*;92-W&--c=KC2{DSP~jj5*k(#8dwtQQ4;D{5^7!&(kmyqyFqww^c_%2co)yH
zz3156b4>Oe8+nd;j8do9tJn20$aAzk$BsB+w}kMPo}<fijQ1R)JjYPaG1zm2&zAXg
z-$wqhUp(ivP*d)_5bj?R(!7arVP{H0-;{(tD+%o@3B6Mi+Ex;J(Hp9JKPV--?mfhn
z#1+J4#D&B;#2LgQV!p<|O=WJ{#CjswPkP@80Z#Vc7dBu`>i%)@m<HQ3AC~uQScS`B
z3Eu;IP21kvU>9op^A!Bk!tgVKF|R+$h&NnDOQRz^(F2X4#z-R%v-D>f3yfvPEygP2
ze)yd?!qdDBGwDAt4#G?P4d&XO#e!9>VHkDy;tk;#ndm+@utrv&8@G6l`Yq{m{m%69
zHqeawx|R(JzUR}D!ylOc7bv6LvO>nYkE*ffc#4ul22Bi_$B-SgBxqI8<3XE)_5>Yu
zm+U=OYwSJ`4s#!Cj`18vd5)T5P=nf;p5uPc@wEF`Cx~}Ybpq?uujBH>we%b(dXAc|
zP)40ap5t=Qah>P*j_3G`=Xl0*^xPw4i2FRmQ%*=;xpPhDC_iMi=lGQ8xY2Xm<!;50
z-R|?yM(%bBjddSm*1F?k9u-Cde{+>aJ#(Rfzc8^!ODy(a$wHhTQsD}GEgJnn+flIj
z6FCyn9(I2Z_*AfN-f2io00uK0?C5Y5!%+-3X1FoK{@Axc8eM^;jF?@*h}p;bIDZ<m
z!zYc5xh!T2^0}Ya<;jP$7<Y@LBD4;CKN$Xrk)ZB<2nRwQ=z06G&J^tA5$O~GW1Jbl
zIA;Mc$(aUhRwm_a#6&u?fHBTIV4O2Yr(rl3I;5vW_?TSq>$G+9m_8pE?TiJ+I9LUR
z_ACI#ITL{iP9d-jV{$=BL6A|Nc6AoxN+dDbS%h#5G1ggva2&CGj%CcDG1^(m92#St
zVqhFGR~XTcq8+@x8ehMguct<9VLg#c@6BO~aV4Qix+KQUFNu4mBy_+VGO%BVJFfw$
z;Iz>>j6}wPLPVf}xiL<hkp>*dYni;JQ$c!p((8A@`y2X+-DRxt#>rHKkT+Vd(nvEh
zjfHZN{6VFw_G*#21nWf}wP!iD)6E&;9QE7iccx0qDl@8l;Gc{)-X0#q-tbWktAOu4
zE}n%Ca2q^tyWtZ%2yfMKjM1GIzk>8_BTz!>sC*|wzRhEn+{5D{iG2kSzgT|2;}ZEE
zk4xpdJT8-16^ZM`IzM)bVSXH$A4lfLk@<0CejJ$}N9M<|Snk4#`Fu&rkh)c3^h{_c
zLEZ#RlA1~~<n_QTozfXCmjf3`O%aRbjld;R)521z>0+6@0a$!K-O5`LABhnvUH&b=
z40$s!3-hgYX)A$?<sHDK@^;`dNW0ebFZPE|bp)uT5T49=@Z+w4k8v&hs!zfDw;8_N
zUGS~$gG4zhPC%-h5oa-y<!(>N1+-6=Jiy~3`7w`+<slxI$o)Jnm5~2Pw@e=7u~_Fv
zyJSe@$C3GQWPTi(A4lfLk@<0CejJPChiuQg@f495i__1$3Ya190%qx}Xv4L@MRGN8
zvAiF+L~1HrD(?j@llK9O;UkWK<c)`?H63ly5fs)7Ufs(;V<Y9`xW{z)5Yk0rq)*>t
z129280Zfut0GrAOff@1vV3vFoxJa%CE|!k~m&%8M%j9Fgir&`Kh>yhRp)UC;V1|4W
zn1vbfx}0Z$izU`Rp`2%cTArC0WkfpIyd~Vm%f;nOxDtu+M_t-$zy!G&m?Vb*o5~k~
z8S)k2BDo2;SYk~lc+uadfWv%~8S+yev*b}87fI-R>`}*fTp~Z`aj87Q<1+aLkHr}O
zbW;HG<Bc*uj?9naV$A>7@yw4S^W(_;I2L0RRrjbZz=?7vaEjc9CyK<Vt8M|Tb;k1|
z4d~zv;3A22&nWdR;1an5xJ<qY#Oz+Y`L^_a4}>>=Bxm8xf<J#5dcjKQRQIDFYyfw8
z8UFU2@PvOL_Nxx8Tcqm9V~lFgV}@$SW0va5W3I~NagplG<6_l?$0aI*$EB(hkIPgR
zkHzvU)F@J(0LI84fC=(@V3Irz%#dFKvoK;Tom|xxI9i?rE|T8>7t2$?CGuO~Qu#G-
znfwk|5#60Ze5Cvt7$biIX2{dPEUdNArTq)ISpEuJDt`ekgYUwHafpr>L+Oj2F<gwn
zh{rTB2V(@wG2(M4MqnPqxW`i%kst?FJ^3_|suzzj3ic1)ScdA(V;0tH=<{6Fm&Zk_
zH;;=|e;${pK0Gc}m+-hu_2aQv{(;&=%5%UNiM>=%@3X)x1$zgjbpwu83b;tY3*jtQ
z7I2BeJWgjRR1`dkGJ(bLZE?RUE$PAix<RH41pgZjsgef{I1T#r0#yYmBb7feM%4f&
zsOrEZsr81Y$`6>K9AK8J3CvZsfn!xIU>;TuNT)yr0T-!2;9?aFT%xpWU8(|r%TzUB
z1@A^-g%a)?28>Z!0%s_UfZ;Cnfs0fGaIwOSb(9khgnZCaSw$h7p(24<m3q1cNExYO
zfiWrxn4l7YNm#X`pDqTNp`w9VstGVxr2xmOWMCdv-sq=`2QE^LfQzBM>!*tYE>+MW
z@pK8m;)|x6!F<n=>M|Z<)F2)+)TKOTVTF&IZie!>NDbj}v4YJFdRn5c;Bl$CoX2JA
zN*;?<Q`9C>r2}JB8Zbkp0<*Adhkmw!z|pEDaFJ>bT&!9Hm#7xNrK%ZlnQ8^B;B7%G
zKxxn^P#QD}lmLAKB|w`%3D6}_0yGJf06n7O5<Wt_mV&y313)bSbqR-nTKee{_5roz
ztGI;2h}T?Lmv9uQIjAn-7*KOhUBVHd=A62O0Jrw+)pfl+06a~%Qb(ZXXS$Wz0W~kv
zt&|DWd`!1b7og^0x_vqUHUIjvl6&H+<_5at9ze|rbjbsNnhWTXdjmBG&?WZ)>fWzQ
z?gzYZod@HprWalEAfTodUGi1HTs0J^sYI7N45%qYmwY);Q->~D!MellY9UeD4#R({
zjtS|3{~(_jTnj03|9jHt7+9S8-zR1$V(?#5PG6j3?As@%3u4mB#I#0CqmmdIk}UL2
zWvj75Z7tT<=)EBy)az+5uR-q*`6%WzVEqi{G(3s93{PVY!!ww{umL&lL&}G+R^~Cp
zKaaTQtmlQSb4pCtGbJwYyHBs+@%dr(TLnL?gS)^F>)3cl?AhV-!)iD^&*B0<ta@Yp
zuoCXPA9nYs@Q3w275=aSsG=X9TN>*yZ{^~5pFCh5G!L1dn4g-5%_HV#=I7>7^9%Es
z`K5W>{K`CGer<kZerujIztj6vnm?F7>UH#($MUoJi}^3}SFD3QYyNKjft9e>g20lN
z!U7Y^vMtB*v#MDBR)7^~Rkeb!!(}k$z0|O3TD7d&RvjzE3bpED&1|?8Vb#N|+(;|R
zind~`23D-q&}wAGVMoja%#mqgC0a>Xi=Tp(_^DQ!)znJ2nqg&a3#+Bo%4%)3vD#Yg
ztoBw1t0U&pbha|AOe@RkVs*8;S>3H3R!^&!b&1v6>SJAQ4YB%S^?rYAfHly%)EZ<B
z#`^s$tShad)-dZTYq*t-c{n-NNGsPGWsSDRz&0Ci<yjM~e5(LE8eVM`T9d3IYqB-P
znrcn6rdu<tnbs`p8f&(7tu==`ch0vKSl3w#t?My|c(Jv_T8bGw#ny7`2J1%aCToRt
zGv@N#YTahtZmq=n|2y^Sf2{q#Sn5BY_WvvNej!@-rEncSpT^Ip=VvRR=JP4}d>VdP
zuj}D{k*{Iy(N?{J2kUoU*R!cH3kf^eU>4Fln0>SxvyS%Ybvam-vscfN)~j$ZGaCER
zVD{0cn0s_Y&w;kS(Cch4?+AO%VBXO;n00g#vyJrrlRscqGuF;vCiBmjXY?=3GWt!=
zTgD8db9#*oR>&wl!-(^Xj2eF!ZwgscVhy&RUDK{**EX-geC1HgRt~en?Fh_Nu8(=j
zQJAG1V>hs4ZD<2E&WJ<*>w02E{m|PB%lE@n^u&KhKODxM_@C*Ax)<IBegqA%`Yh24
zbK(B8^!NuT@;rL9HlcQ**dws7-OuiC53mQ?m)e8u!S-eL<@QkfN_&V6c^`ZRDLUI3
zcBY+Wcd@(L-R$mm54)$`+wNocvM&)v@Cg~MrGD@U{Od10mB??#{OS`UgU<&4fK+;)
ze|IVwd`i@_XWFyuYwX$fwe}o)u07A5Z!fT~vlrUe+l%bQ_7Z!kz05AQm)kekH`+JZ
zE9{%?TkJdSyKH!DgLl}_R)YJYmW}K<JKj#P8{19nL_5h&wo~jhyQ%H6p|1w76Q;e|
zUSqGd@55OX(x=<a?B;e0yQSUAZf&=*+uH5yj&>)zy$xM1cmeihtmK}xNIeRv2b-6f
zmzzV(E6kzhmF6(>Dsy;6JKXZojo?gZl16ZQ_>*ODN0FvRn;p!KW+$_=nPFy{S!Nfr
ztJ$r>8oc7Or*%rX{j4u_248qTYuwqu-CBzP?26nRd+fB7tz>K2Mz)ph?0Y5l{0wf1
zIRU^wVDK5R{DRX(UCdgqBSU1UtSiH0xQvkXWPKSaqhz#<kqu<5Y$zMaI2kV!WMkRH
zzRJEECFs=%!cZuo7Uo7K$|RXAQ>06#$~4(jrrYq`2M6o95{8L1*i9R2?EGXE=`RB?
zzEM>M$!aoKR+lv-?89njv2OzQCzVx&QSDc>Tg5&nsm4p#lxjBdTH+j{JANL+^N9<H
z*AW*IuLl~{FcJWK9Ows{_JhZ`4#r*do~<bo?IEJ21%y3U?MC@1X5s!%(02ac*J|$m
zGhOj7^~B0bqkmEh{7*}ty60(ue{KPtrvvI8CFINt*gZOR*<WStp8rNIP>ueN%iRj~
zK-B6#shd`ynOd7{KeI;#d$A8Xf6sQv(26uykG^WYV#R6+VBcfk>$tzVQ2vVx7*lor
zR7z<%6c~ZkTd_uCjJY>A+8Uj)3amHB-A5Q>jC_o|&oJf~3o-V-!dPkCgVFc(*dhH{
zjK6Qe*8_HAx2%I0F+Xmc!X8(DV7mf;$dOP;tyoAX7bIU>th?$adt)`#5IJ0q!m6i2
z?9nqD>y?(s8|7_sm0T;=$;ahJtVr4{cVHFL9=Q)IkB-U{@{~M-T~DO)!+!X+RG5lV
zjZ~saQ!Oz9m#KQFzG{#fsz#_W*tMic%}{gHLaaDiffeBQU?ul@tjm5DYpu6n<@7<U
z)j5lG!Vy@p(iSZ})XX!Bu-b4ARuC@3D%q9hJ?8yb9k{{VXug6ysouf*ko~Zwe}JtF
zU#|I@oekV#j{t79bAa3Ik-+VCE^voE3i!G`8o1NO3>)(ed#sjp=9~67;9K^1;4V84
z__jR(_>P?qeAg}j?zSfa-?Og<?y(Dj@7t4rAJ|2}5ADgoz4jE~NA^_UK6@JQV|zMq
zzdZwYd(ECH;nhX`W&yX_*8sQKvw_>~Yk@oLIY{-oJy*haiW<(t*=E#nKF;2>7XaU~
zuS47}d!d9E5p}#C_>R2@_^!PexZ7R=e9vAA++!~TzHb);Kd_erKeTTE?zL|Oeq`SS
z+-I)<er(?i+;86^q*Y(S6KzFGc&n`_2~Et3mI1&R83=3ueM4HYG6>jERs%MY!N53K
z9T+cb028!+B5PTzQ04(y2Y67101wGf;3u*!@KXtYw0T&D1CPiE;AgTP@N-!ocvMCL
zzmV`jo5!F@OY=(^13WGp0Kby4z!MUdp!v0gzu5dn#sR;T@F1HfB|OFEcd{|?lxzY#
zXWxlh3HvT!b(sXLA(MeMC3F_6mUIDY>oH`jj!XlF$fm$hnGQ^r&4DS{c~M%avL(<Z
zTLIH#YhY8^2AD3}0-MQpK&^jE>mf~3K(qr8EoQdWmWA~@-dYuWm7y=JhemcfG}*!6
zG2MlORW|)#PsG{HK=YU3JOI{5CN%fv_&&ttI1hv^k_A1!1-=$B1m{&@nRJ0x-xA-B
zxB}-vuv5B1$8Uu%Nesn#HCQd(pz*iHcO|aGc`$64?$H0+U`^LBoL7fM(*xE(TYPik
zDxBAVebW=RK|6ebVmK%)+Z<%V?};PyesDqfaPd`&PQa07XJD?G0UTv!0!N!!z%eF#
zxcFK{SKv6a8<g0dur7weCQ7qAB6KBeqoy`WfJMIsSl?a?jD+Q3!MYy;yUAs@M>yKP
z!oI{#)%FHvE`S0sX8~^=-vdg420D#esGb{udtyd_be7}mK{py%YNHus9j(wRgGHt-
zv%hO0I5%ni7vnn`^=upyGcjWDH6lF=2qPS<m!Uq#nZFo{6*BjTHAa0S+Q>0Rsi#fo
z=a@AyRNRBO9E1%gi7{6pRkWdJ78y<qP<qn3zky;Hx^xTQGD*T$kT~ZCdbb{#@xxu9
zfkWSq6xc%w^@@Yv9bYX1&%pdwtf9@oPIFzclUE<Ck{u+6V@0damxRE#Ka`(f9cVW_
zN&#y_VuqT)xYbt7HQA0mT-Tw5tHc4UP(3EjVs+?pV<=XH-eTlnMd;JUXsqgd!C0Wb
zXJIVHy3L)&3cYUAxCJ|1>@{x1D$OItJ?3lH7~>&$_U@K_pe;Qw=Rv-IE>~G!*bYWi
z4H3Z>bbsq9soZy-20DZAZKu47zv{%iQI7ZPMHgr3p{4mY4D~e1F)aPYBxFsHK2w+>
zgt((<4~aILCIr^*F2qQ#gwgjUy#I*6$iBC=e#U-sx}6TPoqlIKUCDMD$#xpUcDj!3
zw1n++Gu!D_w$p8Fr+anTuyDJvY|CtK!mkfmHy^P}%q7^Tdzo2`-CS=sS79y?zT|;-
z-VAAfF|hNu(aPu|hCm1CDaK&`+^eu_ezvh(Tx;BDyd)mu-Yp+<AKU#{$Ni2tz#SkC
zqLeCFF$-S<R>q#h*Cf72iv(a*YEA3}q`xzggw>=mqB+-*w!}J8to$<5%(hr%Cczb0
zSFZl_N3B+3-jr_ByY+K`r(KS^p+!N@kTvMro$WsOVD-!PE3CavaV4MBz?Givw9bv_
zT`1Z8WY{IR9-d6^z6*)KvNUa?|6uQdC2S3p>#4<H@F_^AlJlPCK%DD0+5w!$fcIcj
zWxWsPrvCyx24IKZOQ4DM!Oq3~jQ;qJ%|LshqrVJdNR02GeIQf70V43z?+*OH9%c{2
zP7E{cneYhcblGf!81!br)&2%NK65c6Lth)MpAk={zc{aVdqx~A|E}^0J#z%KIz$cu
zX+D6NCHjgqyMu4*P&BUgL%#+kV^tt_)kNR^S!~1(&Eeu1@S-HK6?$X~@jfZ(LsHV`
z+)dz1Qqm8al8h)#NtoXW8Zs^c#dk4!Lrc8M7^GLu8~J)CKchgeem5qfCp>OkjkW8?
zj62jQHOhFGy<#_e#YgNF2iPlqVXydI_X@az!9Ap(?iEt6@%{{70XwRW%Lq-MGFsE8
zY^do|cGmPMyK4HBeKmc`{+d4J0IXzgE3eSKN9N+`yUS6Kp_j_hkXqy9)u5cI5___m
z^W{u@>t>a_&fH{fl8beJkW2KNkW2NOkjr$N%VK!g7Ru$|yA9<Hm?sw}Z^XPj%&Ee6
z(o*CK@TydKGdOZnc?;(HHIujE`*bbjZTLoAD|tKS?zNFC@vXY{@(##{&hk!tuP#&G
zg|CSXl&iqk2Fbg@+s4X!z~A!Zz2I>Z<!XGru28PQ7wn4UT71QBio6eBvYRIF$Jgv;
z$OrI6yIJx<eARBYd<b8*n<Ljb^PG9|VP}D}K(6N(iXOq6hL%O%peZCBQtAxmR%lx5
z#6C5cRCPJ%bfCy){~8Ml>MF*OipFzCp$X{cY53ZZ?&Af}OnQpx=s($F2K)PU<Ve@E
z59)7GtrSbpXClQiNWvIV3@N4e#?X5fLvm?JW_@0v4;B7X?MMB){SBN&^8@#{)b+Yq
zId)`jL1Dp!{4(o|!??~kjO&c?l^dkjxg=yKIMz8mkI?<6`-u+Yzpg&kaz}^$%QY|b
zC%a1Hh20kZT-9*o>Up8Z5cQcfjMM;E729eOq-2;ST-mmN6B|3g&1)eIbM*jMKUbnp
zOvKvyb0RPyMF0AT5m-1|Ao8$axCsC4_0JXUQ<zz+LHDiKHr$tS^_9yu{4y%y>-#tD
z?%sCwyqb@@=BbnTAG}&gL(1UUH-G)xtR1~CKhg8fsUO&9+qkNhRMoIhskuv8Np-1d
z*OWs#rPg-Uv~l8BGjMS3q@vuy{HToViMgq@Ts3sGQ!^lQa^Z;V{3&De@^VwFp)|z$
z*R%(Y$(~x2n_AC>-Tf~$18UZCM?_`h78Z>iH8v-^Xly}#YNV^4zN~82@mwA_b^`8_
zJz?V5{LxVvom}-ps-~u;rlqC2_%|e^YMLuGt*I-mX|q<%S`Bdx^Qr8m1H8BMuUTur
z^a<JdMY%aq83lzC3ku!0bGee;w~H&etZx`Kz<b95xrI~4=HyPot)r5nx~94288N;M
zWLQGYGpY&1`^$NTA)b8n>Fxu2-X2lIe_zAtH^mHYTyXIDM%ywbjo<QWa^E4p)!H&;
zd4|z2W8<37vQ8g=ZsyjaT`?bRgrW5FCEvcf@wv>{@o!(1)#km-cQR^B3YoWb?8YW<
z-BJJ1!th3yTpjsj>Y?BIWy=8%uK%ffqBSk+ft1DXe0j&0e=PfKaEEp~Rvhf{%gm-n
zr~ChQYVx8^tIlm#{q9)*QQo~bkG(!OVg7YnhS%D*^NlvO_HUkhDza+PCo5tedGqJr
zie|+f`?*K>wGVB*C+YDeCmuYuKCaF+**~wmy86qX^<C5Riz|QqBIu#Sd)Mbiy}$3a
z<2z?P(7Rjaxw@ZaIx7M`8na-|mE)$3%zArxm)Qeft2t}?^zYwz?P{se2kx8ut84Dh
ze3kWrz-Vh-b>~m{LwD^ey7PlW*L>IEz&E|-Bp-66*?ypQ%W@3EY~+e{#dyzM#=<&d
zii#$-PDv@qnKUuEh@_L8Q!s%vR<EXEoHPAgHVzUzq61!Gy-2gAtGO$Eb=qpz!eme8
zoWeYxyeV#q@+GK@PRU3^dal>d40QQ>YoPpGLAumx`c5YLiS3Hl=he+<SLFSm;ncdW
z5I5xn>jFtHNolV1mPx6;<bnR9=FSzW%3U{1|L)q$UF*La^USZGSE=_>pLzC`Ev|a7
z|GjmJPeiP!l9~V0gs(4~<vRYavBeE01=J|$`takes{hjX$-6d$ZC(EL<+q8)-U+<q
zsokj$`VDP7<LqZM>J9F-E;sb6=^aNjye<Fr*ISI6AMLli(}_bL5AINJYWM3K*Rh8^
z*m7J<jr;o5oj?0o*F5t+^!TNo9v}4X>6SbHc(qx+xo_Oc@UXt+YW#2SL+(E8N^M!D
z52v;A_Tdp1)rZqTNMspJ{;CfT7&|&Yw@~-v^uO%KYjXlxWj_B>gNHJ^zZ7(C&8ckv
z0XJ`0dEl|cYCX2+pIg{=z@^n{zhic2^83TL-S+V-+0z5Ac%#?CDPJ7U=oxeC$t_JX
zUb}bSn2pOj_BnZ7%NMF|Z}7v&%TCo!E9gCV&Et#immf8*|8~zKhjKm)S)6vohGBOM
zS$B7Q-=L6_w;jlClhv=@yEO&{tmu07k;l)BYS;DAiG^RT`0}c^gJ0M-f8;H7H#MAd
z<oKSL2X?<GXRMie^A)*UPlgn|+-YIsgMPi1typ$b(mhi%BggDrS2XoN&=qM*2Q6*7
z>EoQ8-S2L_efx=~0eil`FZ}e<S3Z7v@X|J)m=Dc}c`Ekt<ku%|f2H^QMt;8qY<jrQ
z9eziG;|tfn?e53(jKOHB0j@wz{OopcZ@B8{vxd5B{7IK_=C~$#yAwM2XjiVQvG*Ju
zyuPQ87EMZGAD=oYd6I`iv!k~tNh=pNDNUO_Haodo(v+e}lag|>lSZc{=j0Z;+Um+h
zn$28IU8$>6Rww!9)(qiKa)T9AwwI^*Ft;u{#@-jyqgMS7d+qO^6VhQ=^Ovh0b4BWE
zG%!P5b>>ve{mM#N2oZQA+HAb3vFLT`h7qn7)9zak=M;oK^-05nt3S9!tzX!?;k|cu
zR1t^X`F#3Y(PQlW&!%mh@apNrMmbH7b{{#R>ane(gMPN|Z<aS}ah)AsJ@x5RUmc3t
zadow~Z!J3b?9fj(wTR4^c5K=+Z^xTa_pSfF=e9)&HwDdkulm_TL#O2T85We)rBi;@
z4JTUO`DE+;Rjv*`8!>(3oSBb~J^lNtX9Mdr`Tp7~s<gZ7iqGo2S#$0Lk=(NCx`Z1N
zk34mH$iv1HwO1vkbPqoe^U~HorrpwS>%u4JExPhlyN&(UOmEsGdFBfTqpH-r`s;CZ
zuXy+P1Fpe|i@SGt;oWQBc(r}Zn4AH3ZW>$k==OSTuU&C?>&p@Q%*n2K);O@L{vI}!
zclmb@9}!1_KDS@I;c!C3%geK=xo?)`6CtkJXmscrL4$G&$Lh|W7}Y&LC)ul11k|kK
zy%069aPp+0sNT6nQws{mr?z&r)HwrcrpD(aM5Vc0&7-_2-9><BbSWr|%AQ;_rl4@_
zjNFk?lPBdy73AklPt9^==)9_CTW^-AjJ)hglcJhN^_@H-Z){Ff-@>sIvJ0n|)pVjd
zxyve=uK7_jw_XDY)}oXrrs1@?mnY6$R`y{%dens!8;>4^M=oWGWgfYmtBt$b=_Lug
z)y|q$l$$>i&p0SMZ|q1aN>G|cLMuX(depGLQiGOeJh5imx=Y^Pee(6@n^!NHJ}G|R
z)Gsy<e7)JvFMS(+?}@<^-@i0GuI|Hc9X2pm@Q25~wClZRuY2tJ7eW`L)UQ`%#QTS;
z{uHv&RWPjolsd}>&D?%t>v`8a^Vns_#FwE~^KV^IYfgQ$b;RjAg2Qe(b87IIHwv3?
znswv4I(4ER=x+2&TYcM)OI$4<S-7V5eLqA*4es0X`H_2`%sY0p?X!N-+j@4qE#&F9
zMju$%>EkQ@SXnPKw)OF`Yr<m3Ki#d?kEes?Z@(n<w@ptx9^H1t*C+PxyZfVWZmR$E
z*39|?>&?6C+skX7bWQv`@0KHp&igkkJCXgy&_{Z%Y<&F-``fpe@9%o?naq{Hf46D<
zoMulBee7p1`&<b2InR~uWoBT6@h<2(-g7X*P+v`F3J7-+TKR&yPA*<ry(n{-Yp838
zZ6YXK{auZ`#Yv-1n5Vd@Q>T)lg35GZDLE4-fw_4UE-76RVHZkSI58U)CKF9^HF5oa
z&6{~Vl-nQ2&5{{ru5Gd;Wcig#xX)vk?PeWIC88P^4KtQ7%9cslVoHm2h3sSbC2dM>
z2^V!GB`umLMFvGhWX4jFdqzfDUibIc@AbN`dA;U2=gc|hIj`sWp7;0j{m%2KF;$r>
z87lMB@(8+kk-zNlA?s-R>CNdVo^%H~N(urGUwu|~DC9y3^_`+p=XDoHt3XO6z+B<w
z&@#{fHj)H?Bdv3Cu+!Am)P{8z(Y83{-ZBeQn0-bmIWf593B9PIg7g(_V;@pWuXhdA
zj6y;jOQR3SavfOb8+6Rkb~{JD)@xli>b;$v{5jJ|xs2-NmM^&sq(wy3P5kv2d5yXo
zM9N;-SJtgf-2a-pztZukn4R(DbIH`|#HlN`Z``R)oMQW(Vp7p^?D6*DdMCG#sjN$7
z8!y|OZ_4Z$$iYjR)%+X{7YlH-4(%sOBqxjrdD-Dp^P49!ileh52+g*mX67L{C$*r}
zQI61b|290~*LK5*G7OzEbK9hUgqViw5hl)J0*#UT9{4`G%09srDF|rPa@9g)?2Spp
z$3;fyx6Ig(xdC@%^C+vU(X?0M&Ycojg`^An8f$IiPO7dG*sYH;sUx58X(?FpHZJLH
zSNiXhZ=F~^&yJS-hh7h83q&EBFABZZU#vRgex7*IN13i#_}}nvE*bPM0}xL`>Op$I
zH285KYyjy&1`E98!URZM5H}xBn;;P=0uls-Jl(#i5xEp=MGYeFB8M)7rlN$UfY_1b
zaH`^lP(Ly)VE5-(QEbkD(Mt#zZ3A6HSlj4pAoI=!%omFnwglMp4GE<MkYRC1l-G#C
zV_nEJMf;F2Dh$k>*CdRWT}uh^22iDgAUZgV=c(ocQz`|PfW&y6aCo6j^c_^-duZYO
zfvBbbFz|oM+BdHTH;x!F@c7w>6q%loJd_nX=cp&6o6gRVuZt&4S}GGUN@EAJk~{^s
zyu+Su;G#7dLBh+?r(O@YH);;CFt<ByROsST5*tLPWp~uF6;_qq5RGPap{fpgo9$Kg
z^UXClkni!7l|7r2BXa6R(9!D3$Eh4M-<yVmOSLEU-|IZ79eaF)^}J#IT{+IKeaY(f
zLIQ2^65Dsa?@VGpywsU>N0@FCrA&-%8cA|d={KLXJ#zA~dF4{*dDo%b0m#9$?TyH$
z`{J*s3J4Q5d$a$1*ByH`CQZv^6WdH<h^ii_VA0)&u6Q`kqC*pXS1fD9?31+v{$O}o
zqbB`FO$h;fE~kSlb!;y92Lw`uRx(xipu(b<KuF*Tt}dE<%g~&^;UK#Lh($p2G_WtP
zsEGE0JRo;L+%^Ug!I-i}V59{hM`&R#z+-71IKx0BOX1<z$9n<BEBPk`FkXiLVK*L$
zf2_5?fho}1bL^dqwPDUv=jRz3iod+W3N|~w2zYCt7zwTBEq4VP1lf=xQ-LYR;L|_M
zXVJPqg%=NR<}VGnD+kC9&~+Z?z+DmM9l`uK%ABWKa6l09A0`g}3e!L2_zy%eRy{f2
zP}*Twzcln_vXqy2Z}zYZspP=su-zj5heTttCMRavlawkmb?NWN9fGJUPFXA5Hy-!?
z;P)(MpfR{e=v|jgI!&XqVR%h_?;h6WruGdpf+<3+vn*?Ev|}Yy+p6E|seKmLBVIxc
zSmRoI^NjSw{tm6G^(&<M1}Kk7YQ@*0Rvh2FZDZN_X!Q&UCU)&TQoKxhU)Su(U1q9<
z(k@q?*=*HIeHN*ceX-tqb@(kY;n$<ND20^vAd}b9R~YY_b3Mzi7Z<VC#t!6MP=XL@
zy;}#9t4E|g62vbNHyaTsW(C@*O|dGcabf1U<tcGVGP}72&w64H+f;Chbo_~M0{SYz
z^dCqB0*WvEmthzw_MO}KlFnqtcLSHsPkRcXVEm$FCK{4kRKvj{AjbTX{FDTHXkj24
z1{ox`V<xRtW@-BD8ZFs`I`Jl!`bYy5vuFq&-T~2=L2=s!TtHql0=y>Y1M;GZphgy;
zfn2GgfD>p70Y_iZ5-bn^a;J1q+XYJD;Dtd&0bB4p6?_6gnKy<4j+UTL=v?0*@a+Ry
zoWUHypXXfcB0(Y$oq!O~Y*WtccV4w!Vukt3<!<A|SKN*iz4SV%&a~#fJ1u)8OWi$$
ztb7lDLet__DbR|8G}cljuobPccJ|d4m`6iHrVcH2oqP0W3Uo`0FqsLh$y8_Mn(5L4
zEqkn$8}s*$$RSajug=AS+Nb`BmFpO6;iA;{Q>^PgwC8yZO_m?_tbFMonlRksOFCIs
zd8=Ept7CwqJ}4h^Kw`bsDHUUG+nYg(YN572K3`s5%iekH<E;ZZ-c>i3DW!L|4q`<%
zDfUL!>9&3Fy}NCe_~}d{SHakCxqGuAJ#EYMU)J${)SovO)-)T`v32k&NrCAaYD1QB
zkjCB^P3OcZa}CF9$MgylkT?iD1^VUg3Bn18DL`8;&wxY!-?=5E*mudTMF!~s$$VKD
z3dSu|FbH6d3kJ6Y7M)WUMzAhyz{^sRzB9-1O&YQdffg=u?t#-0Y($J|>V20Vn8WcB
zwW;1!2Lmw`l9!D8s!Oj*{q&+l*qZp)*n?R^{cBV9R!;D~V}*M6rfXcAo(8l{v`00P
z4L?399jPZh+Th;OJ?&G3u#L*Byjz|r>z4PYh27X${n~mr<r~r*G;x>ni!A;1pWKu`
z!l%ng6PF`;`+s|o-tVb)g|+6EoT1uC{^|2FN6z2#s1n>th~8qjPqO43LbXuoaLWb1
zBh^dVT}<K36ER$y+lhVW{9P;4a>@Ho{E9O4Dpiq{+MU0uqhV)~LDV(}=aIAO*%H0F
z59z68dDEkbo{wFNMnCpPGjk8wa*jv!Z=En&M{2?5>LhRQ+rueW3O+uQ%RGn*wjH|<
H{s8$K@VVub

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff
new file mode 100644
index 0000000000000000000000000000000000000000..d1d40f840f8671981fa6930ddfa8510b3cf148c3
GIT binary patch
literal 117872
zcmZU319W6T)957GaAO-A+tzNJjcwbuv9axJoQ-XJW80kAn&@S}@BQz+bKX5ueXDCq
zw{J~XcTc&=iHQNg0002kxIF;v^ZvzA9{>(O|HS^kOX!D^C;+VeA6@Jpm=Nl8iYQ5n
zf6^oX02B%U00;YvJ#VJCi0G$IwFUqHToV9*=nFUr@f4SrQv!f#A_D*tSfBQkTfLTh
z#FbQp0ATr4008y^0Klgi1d64VQ(|QKlq3Gsuki``dPplZMm7fa002VPr+zH}fI~Nm
z?~L8Z)%lZ$O8%3F<{yAXA#$7Ao7n&W6i=TI1Mvw?P#RgBW(H37pT1Ol^1%Fqj}HKZ
znYD*00Kl0B0DPDMz<=UrukbUQn-~~>%9MWcaQp+<r42OmPvR$S`?F8{31o172rA|_
z&hDT7c>@4n2><{>^%&jpCu=*SPd=(o8WP?oO&dl!bKb_l{nKagPqF{V62mrvJK7r9
zm;k^yKS_|p006v@)9*8oy`7UY0F3Xmj~5OANCEO6B^>P?O+IBQUq2ZYKS7n{F$eE+
z%s$mY5^~g~W#}RC-2-4DfS(k=EFAXjfA3x<@0{<0Fg6g^pS-Z2rvFI*+`)|WjrH}r
zt}po^Acmv-4nM}Z9Rt2m`TO7k3TB~>{&7L40OA1f02=`0e`Nr0|2zkC0zd%3{>hup
z8m#vBjP~@*52E+>^lT&K;p|~YVY3J1ub+*N(~V0@)4{?^Z>9UA!pm<1clW1$_x!&4
z5S(lOu!e^p=fsA@z{Wlb+Q$}Tk^xhMgC7S-9U+|k$G3$v7w0U_`p~0fe9qQQGTH6{
zbdEJE-k5&v(DZa}hxE@&z?6!W)u?5B-Tp5^(}EA1_-6g^&e&t@(W^+c7;d!w(mJit
zfeFgo@HtbxaS{$4#vvOUk)b`sbN5JTDZX!tbA4K!@-kR=$l9M=Y-bcr3XeFM4JM_-
zrZq<k!#2qbi?gQm#RR*IpMQ=?7iMt(ibn!z1vAJrD1;ql7)LXuQmOjsS)U8nBpS0R
z7K%9se7utE@@fBgNo$IjNwUuAcxJMNuY}wg)GSCC&YUWi-agy)#5is(8N{S!1y7v>
zA)#r@@xFTa@1Hki-7iyCs0F5y^U}DTs(0@I#nfSQ0}CovQ}a3vkdqQV@@%uw3NJ9r
zah*=R>Bye$H)pt>r<ANyOI?>Ca3j5fu{TJkM%3B7nvv%|ENs{KeRIhQUQFz2QcnsT
zRQq4wX|l)drjL7kd6~kTob{H2ii8P@Q(szb<(5L9sPhqt&mJNA-&)ojCnGz1(*$mg
zB*BNU+1;ugx|9p7wq4xOngAYuf*It&w*?lOcIbXmSVFvQ|B6#xk2P1A@3pxy!wjys
zx?B!t5t(Xw8+vOf;aPLJ+yXhF)$PQ^U4Z!`amhUfbEh|DHMZ||$z}C^$UHgm<M?%5
zLh`?y8qwTO_HG&QOBH=(o>dz2=bE@98!olvxfgiD@6uwxn1P<%bQUe&C@~F7qDCl{
z>vu(xEcw_BcgLfH$hRDFN_UP)X)~FjeriEDFf+QejgIyO8#)kJbO&Nzv^H<EcI!_5
z@V}HT>1v%-UJ7Y_ss-ZCGljre*hC~=2w%o7*k*zZ%0c-*?i$um&f^phXJIl#`^l5*
zD`&NX{5}xft~WM-Vt*qTQYYgG8Zcnkf)FK5%mexO_ZDKI$9rEE5OXiTZZzj~T?H1`
z|K{}qiIZP&*fW}uZ}LTNTmQX(EYB(ML+LEZzp?+gj*(oq=?o({8J8)f6au>*-1u#F
z!|`Xnd9rzSrDH%n#+i4*PN#Chv2kY0-)o7(vGLI2cjtst=J=O0nPg$<uSYd{sGSpS
z)hVb-<T}Ugvs*J1Seb*f%TbisVsssUJyWkXES@St@0fj_Obhmru^fmvi^JKB;Z00C
z(Z%Hwh@?Is6^mS!Z#ld_cHaGzUUs#9*->c~AD5>+YE-3octi8rs5LLR8VHz}XWjU<
zHNyES>pE)XrEpg-c@X_<$8~1lfhGt;RQ9U~)qG)puAYvaMw+hQ(3ESKwSl~>zn8a)
zDcCZa!F8s_?WcHZhT~d`yo`Jn2=c|tyNvq)*NI^$cvE%Pd+Q>!JWsY4*q@ebkvk__
zMf^=COH>iL@xzz**>1*ensi;$1kA1n+I{JLW1)E5Sxd?E_uh;{gN9h=kqJ(+W7-;A
zBSJ<?B?4{%b!pML;JRk)2AK(U$xLxb+rxaLDC-RTs<s^7^fK3X^|j8t)2?o0qGb8N
zSiP^cH!L0K&KTB+-f&vmF6x+1>U)-U$n9{o54nM98+wS#B~Ls4JwpM%z3}uzPIm|&
z+%S(E)0MyH_P7HLcW=V8_AO_Quj2KP?yh?vu6UomQ1k`=uHT;TQBK3;l72sI8qL+A
z_o)h9HD~g&m7f+!@;h7fbk>tgRtR^xL7H98O?1t}Zl8WLwi?Ko%zE)Fm~=AMht=L|
z0=7P5NeHk)CmxO)<HtWsj^2;I@*hw-Zs|#G`4PY67_UhJm2Gkjh(ucVI&2PLyX=yH
zv~qsAmiRx%KYVLBBOCone7Vn^`2xDZTwUnIm5zoNmTZ=~9La}u`#RofsN;%nL6ws@
z`e^4%P#3UG+`LH|4c*^8S)qqeUX{>Z(R?{GUavSlw636m>fg5(2uO79eDp(pW_0m4
zNzn{!6JMOFuG=mAv_<tXcjD*a>L3Cwc3Smy_VD%;OUAzo<b2o3Q(oo!)6~E$uJFN~
zk$<kW98$O@snmFWJkkDqF^y%1=tKJA=9I;C@Md6?V3`@&Rh>9oXf#lD94niQPoVZS
z{24n|H=gdSL<rtl*R)WXvPIJobvzktd66?EVG184S=3dV;4>HE{iKtC{Svp0G+hfY
zqOD_;<UY-auKude)DQswgkdZMoAiTvUnqbjuJr>-kR$$KwQDwYt}CM181DRQA?q>C
zmh4LRyOXpR^^&hrQMR3USCL()>%8x6VTAL=dkkk59)^ph+TRiL{3s<=3D_h>frNTf
zvQ>nTxC<y@wsUqp9-$>5+8vs6;Q)W(UQ_k}o;UGz2&WXjSB9F_oICIQ&vDWlsb=#s
z_+LNMz%iy(T>{x+3|Vk&ia>C7b9#m21x|cA5&1_ZEOylnO(Cr|DGu_1=XY&gs2~6c
zpjn;uaFAopEzqf=xUE0JLL1f@Sy*r$X?LAGbgMeqqWxej+=Vyt{styM><9BqDv{c+
zm0-IITua&lt2dy&7X=y)ZN#_PWC`Pim2<Put@fnXNoUw&7KvK92l>%FZ%+C_A4)y?
z1m+|prb+pvX$7Vy6x^;0hJ2CP(&+?Q=xq;wSt5G!Q*?PpszGcghm>!gtX2qIdGU97
zmAfAEZ6XzW@E@AYsnL@p^fIi7t=#y1{g8W@#{V6jvY@tuGwc@hq|T~>>y$n2JRh`m
z`k-@%_?(kael6k^jq-|-9NMUR+C;v{oWRf}dwKKiq$@$_9-?XDR`K`|@1>)jTXdAI
zn5r3ay?cG{!7j-o)8?6D*+e?JQ)hA7-u8gpFdr|<RcrnNC9VecjJ)x=QRMJav5Mp9
zQ~+r6Jc;<tC&hS;t%0CWB7~si6kqBr9rv&5OG;PMf>$^4X;b=|VSCs^fsui<r5)5U
zLqg^I%0<(QK>j7!a7ySkW8pjFd@kV-&f?%c^APiFCbJ>sIA<0?l=u>b2cx?dA!~dW
z95-q8q4awc>mJ@kHk)@>di@>o#joU90mt>$_<_WWG}-CacY^-SGbrIZ!sp0=iGE<t
zMOY#^w3yJ?cin04(m)~lNJ+tw#AHQqn~yE;W)V&CqpNe+1dQw>S250+2O$fzjSxbJ
z+Z~3RDXHWRF;AMyO2Oatg`?PalImh_6S}pJly@S3dsIE|*xvb)8|mXhW?DO<F&*Xb
z8Pa=AE#`&m<{zB@CN$2nmE~PnQzsAOY$aao0l8+Ue*XDWOn<;5)-`80JA>L)J8-Nq
zFaU00K3l_$rgi(9*MVPDvv$)VmT#wO+R++P(_9cs3hykrOwe`K74v!;mS5<@%?eSM
zmITurtTPY68Nmg!$401JxQnUb94_cLY{OUe^izrjgAz&E(UP-l)MI^dVGJ)<WFA?~
zCF+KT5~-X+$?}kfS@Bhn_o#>B4*_Vr)_|W2rjDs67k}VZdE%^S3%`FH{V_#gG)55n
zDfMPI`jMOT<AZTjeKORq{(QNFJpoKq{%nDe<RA{gMz~G*cZaTk7Inf7p;J8m0C%#@
zjmuOF=SqGzcW?QHPOFw9@sI}}<YoXjVQY*!knT^NLfe?wW875eR>tkNHWzr+FT8EY
zCuqKj*Beo7c4_~wI~pxSy1xvVa6rOxT=<p=&T!Jf8cetsfou9A+e86#J3qO;%1Yj8
z?RJS|3KvW-(YfQl!!U;0*#&GtZ=epj3iDsUJ;;WZZ%>s0n)?KIAh~##b5Mauq0l~1
zlZf!aTND#7<R39&l)WO@HJQ#MlnqcRR~t*Ezv7T^58Lr{V7_j<t0(QBl1x+1KSC0B
zDh9h_w9?r_g@wIWduAEG@lp@Xi2i4N95n(_gKdiJ-+Os=QEju<WW(F^uU$Lja=pP`
ztJq*}--BcUKy)J6x6phA+h&G;evFoSe~ZiYk9<bi5$yXQ*__UNuEWL~dquE2dF$wo
z4Wrjx;`JmT+O-2|y*G95U4p#cyZp9^K;pVnr{b!{VojV6<WwPvKjK=#B3px{TBF8V
z18G|$%3DLMT4PRI1MphIGh2UY`S>H<2Gq`Zm5jASueAp8wnnzMhI+NezIgaUdxV90
z1dDq_4SNJqdPJ0XgqV569Qni{-S^hwx&K;v&JemY;yQg!&wcu}^^`1lpxLTpo5;J*
z;31=%ymTN#O-5c6oRq+#sOk9=>6qNd+c+vll6g|xi;;+wz`JYe9`g9cS@>+1wRoUw
zBr<Cx`npySabSk4cwtu`J$e@uq)o!!8O|Be=|Dv>oWpf?-WkLxq2m#diZi7A=ODW?
zviVMRb6soT!I&kwzm|)_Q_C*ZvqV5()XUS#4sFaMystw-0d6)<j4cmL7#j}W6v0Y^
zo~W31_WpRtS*eYEBg<B*xo~YR`3b}6hbt_Z>ou93LRK-I5h*V>y-ZQ7bD}PbQ1RH$
zzww=p@-d?x&l<i<TKA$pYTb*kn(AX#qLpPXjqw}{i>pd6Kmb90zjLANl1AHitWy@9
zJS*pd!(-j{@u~)^a|W*g!upbPZm*5a+Q-V^h1!tCc^*x(Q(IE&1exaKrb&)f)ivAn
z6r0wjwZsom4t^%}Dv=-f-N#wA6VBPj9BzyMjh6qk-HkT)xYb>KmwKD~;(6$jl2q(P
zB`nJEW%39Mt1v}8L73BUn!<SIyaWYKcSIXS!*}Z=2K%gVIHJ+JVj2a3%rj}0)^WD8
zav_pRt1JQI#J7J@>q4x*dHp4EjLM?h5(<I_M-GI+W<o*w8;7_O_w`vGW>6mLKprev
z9^rl(c4Hd4p9yM?37WPRjnW=W?FyUmDtv=0iBzL*P*!%7nhT@kh%PJf)`8V_Sf_;u
z=`fxz+Uy2DXZWiJGvkp;M-FHD57V^2#U?xx1Evo39U3cVW-&Fv2bRwo0jgmb7Lv39
z$xCIH3lRbQ3%Ul?wVW$!XB!W`FTYuPGz2-Qn%vLM2V8gIFOTPrrgBvfDtzN66l4~<
z796z01z#xmv@^@-75YLOPFLyAa~_1e3Ve`vwt^!gcJs4JD}wPNDDo?TWNi^$hK1O)
z6f`>)Kiyl^NjbtMe!4ev(M(2^w+X{S19v>5P-QEE=iZQQpJiG~PzfuL=FEU!?@d66
zZ$Q01L`O=Zn-Zpo{KBLV7I}>_k%d3p2t_k&$%k`>_qF#8$uZNCZL-Zk6n>>Xk0g5(
za&1s*P5E6)UV;fejvhs7x`~5^Do2vefj+l3tlTdM@EjNsu5Z0H$V7kR30LB=o)yps
z{b1C7xXg>IIg9JT535TLYgY`}W(|>R53+VB_66Wi&W!)$f~8dJJLW1to$QxsC3oAc
z;sb_WS(A5shh^ML?s&+w2Qu#Do5I!yq7s6HxxT}SzoJ&*pj8H^u9crhKd6#-$icpR
zAa^A%|IB*t+{?WBc=)yI2uLA?0XP3>&siZVLH;*I{m;jVwf%*$De?5q#;0A|L#>+I
zWiVSO<A;sUSU!oX(fSOxYo0BB`%N|8+Akg@XiK}xNJX?G8T}eKRoBg-o5_0ppq1qc
zLgufgea>lcO8H`XK-OnKOLe_gFV-W}qh`kUJq!HkB87(ZrfH57IS31;^TLgW)Q1_c
zF#pu&m33<Yj#w!-em8!9d-r(E@6Uh&I(7*Jh1g!K`|mFD+4Bf4QjPNTDqpvbQCy<-
zNL-1&^qcWL8P0>(*lKb{(PX_q7+sjSW%AP5(Y9eML>PM9Qe+&|bhuw|5P_Hevdr;V
z<(u?DsxQ%)u{OmHVaWktpRUvo85rd;uLG;)maL9V?i4+lJHv7?zE?lLzTG}gZSrfq
zJ?(BByIBQ6Gj{#ih$-~mn{-)s^>!L^J^TVSX6R8d()z7wIA$5A-O%kUyfdJ;tH+)I
z{wx;4r@U)faJqvMad0LJt1glR-JYR6ODCN7nphx2!e8y0XLE4ad<V}vRPYMx9feqa
z0KHaJ8-=KcBd?M%r&WR`Au{P(qXg|uWLbWjIW13QSH7TKD8$HF9o5q}sj-Z@)-$-?
zxNH+Q?)j>e`n8q4o37VByZ)zFOuEu*LG$FsRZX8tW;K~!F)QGo#uWUO9`k!2r*nUE
zHI<-jS{pnl%|+zIeNE8Eo7d0Gh#)>aVaI6g*fEDjOsvPzVlG{ptl*bMcgM!pVMBf@
zI75i<=-HWtk~S6p4VH=Ke<7o@*0f=IjTCfSHMP$gO8H7@o1ICJ@Ep~ZoOveqJog@j
zR|QT}Dn#QgXR@HIB{Q!)F)tKEly*o-KRxSJrIDBXu3|Hn?A6wqH+9FFSg`p%ovUEy
zC*IBf*NKeunZFmKXqms4AfLL@LRf2cX0uz2$dow~$kpVKMnF^Mr!4(ZMk7~>I91NT
zSSrByhmf%hEPOt#&{EQ}@msWJqN>hF@nNB|n`0St>wMz+i74THi9eKrNIz8`O42MB
zjXB)`TS5dV+6Y&UT;?~+0$ch?h7diuys*-rKk4&x+PD@Z6KuH@4YSqwGc-KrUppHz
zVj^hfeM3%=`<?xFc!sbE%qnDAbSbe*Zl!0qQJvG%+a|R)jJs@Wzc*`?^3u&}Rm=`s
zFCJMhVS!RQK{;=r7$4tqkOlPH9Y?texCMGqV~DJ0`k?18a?j)<&uA0R?1Qr2xf2=P
zbEB}fc;Q>~iW9yfCFyC%V#lmo?E~DU)?OJ~hfLm%aoP^kZSd-w5Tc_JkcO`;43bC&
z-w9i|9uVsp);A-UKrw`k#AgJXCA5OXYlPq?<TX#93O^!5F;AKb%Q8eW&$SdSbB)-w
zx%S+!Jw2pJ_|DvDZh(!Ge&WeIbyb1UMTTE#i;YR9z%WF#JBo>P;>+A<1BZ>Y*4$(R
zCxP^^`SRopmrj9WoA}rRTW7wDXQn`L^|2X9d<`+`0>?@$li4(je+P9fks+M_AYpZm
zA)S9OVXdCwSLe3kS|mes=kDy<DMMoC4$E35LuBVc-Rc@cX6IhrTB=SAFk7ua?{=9}
zTlb}S%xuf?`FyR)-)9)3;j&HWfnRO8>oP(F0pq^^6-ID2_7Tk|F!#c&6mzPKBzz%^
z?Bu8GJxMN<ygUSTMY!?|S(znnBYQSa#t)r|{4UeE?@s2WqHIfsn&z<djmeulBQOM}
zg)vM&#c?X<q~~!cj=#-0haZFDqCsIYpkR7XLN+J>LLmy8dH_E8OLAW+o2rRD&6qGv
zsG3J0%~cJ}O&HB}Da~zK*;UJGoUDyxwX3nb7fTsL`h5KOi3p|(MY))gm=RTZqw^w9
zn>oKuV}R|dgqux%D94-<?{T#b{Io5UB~nmBYOiMyhG$~3XDGX8YNKbYi)ZdV$R7ce
zR0)dE0p;#_$~S?-0jNM1n<Y;5HfyfYH&jS3LDukf|NS*aE4)WGZc=cRbVyn6AlP{f
zdkI{{qeL0Q8{rJQQ!vF>d$SG(m-Z@;KVPo>qBCTcQn#F)FJ|q;88@e3t&cjWFl4t<
zALCif99ze)iBPFDkg?KO<5@gl66czPm354m%i6)Hex5|~y<TH0W{>rtH+3l2$acy)
z0>^3{FsZU%IBeSH;cWR!Z|fA=zFwbw?$IMmc%4SccYrhXJYa^Wu{GpfOP!cDP9^5F
z$l%&k{zhOdmANu%j#tc_?J<6o!GCU}SD&_UcF2^;z0xD5S~IKrP@8*DsV_>aG18Y(
z&jQUoK=@EM28P(sPGD^%e!3D)Z+$>D++v5+{ww@riieu+!)=l2?n5{9*Pwx9T0#~+
zQV52DOd4i!XtIHeI)>B`Nv&fAs`$`^gUdRB+d%dX(%3zKoEukM;kEoH2hM*o;Cc4J
z+46r=q2}6R_U*gRWc8($8~I?}`}_7!d)5{VZ;bVWTF~uw>U5;oR>x+vr-ESC#2${F
z#xO8`PHL(ho+2=67b!n|fJl}#(l5(2UY}rsrq>}u=GBp{{i)v^ao>2Vq;)_~(n-ob
z^bn<+XoB{gEJN<Ki>>=f$^tCOIJKlmK4T*{C4L))p0-z5Q#Nq8q2o!|9P&DLHp2WD
zm1bmjToZ~Pw+-$4w^iA|qlV5WCv#}nz3CY2U^Z;JcS9bLR}<&bCn+EktnMrZs%!!6
zAd$41WKDWiiax&%X|JYbAcAxD6D`p5dTAN~m7)M|a7&z1ayrHq(+_;(Td!4{%Ija}
z%qM7|D{SH%0cu4aFS)yzn*k>;^aiPccAHwD98lnTY4&Y*Dj%9mS{UhPTsC3CZwP+6
zcM;Do!&zTtXZLoIiYV=&2JIJ<2Dz1>k7R_kd&nF5Oy&^P>=7UwHsA*lZqaNro?Cu-
zsRzEGt`{JUtMUyPX%C?}5y(xLxtsb9IfY9XGF~zJ4pSZqdeg+a-?4_173c0rx#EJ7
zMOdb*uj$*_-ekWW96zFROZde}Sb<1=P238*CGB(H8RBDsL{E|YiSP9Bt#?G>)<qvb
z_mSV^zOC&HBp1U2&GL6g<u4IlJoL0}Kq=vo-?d3`Gswb7s+glK627Ih6tgu+#&GRs
zOt(<r?1o#3?Pa1%5Lc1Qm@AUTw>+@b{tYAB<(V#|KuZWel}OASmmsO4l(D!WPHt&p
zYm|&-+uba%knt@<dlZndgCh=VK{6LpLQWs>kzmaf8u?bmIAIw<lGy^r)=vEke>Y@0
zs~F!g98b(C6K;gm7JkC2j3l>ZhOPTgAoy;`TwpN|T=+{gCWp9!$hx}b{QP%jhdpx#
zB{Xtrf+Td#_!Jfw1<iG1%^|k$8V-r(+)79XgEDy-(mu-QoI$EAGV&Vh_?m+a-&GvG
znzPSAEeuW+uuId<vk}NktyecRaYym&s?N3*<DG=BNuOpS&3s>{S)FzkCv{l+%m;Wf
z1Lp-Y6Z&juZgCu(!qY<QzN@qFqO=a;7FMiqHUk6&HWTIzXl{W`oJKQ0)*V)7qJB_1
z9GRQ3;^+)y7wJrpIitCSyK=Hl3$L?-n$m-Ec5SEK#`!vEFDQJb#)n^aZD)|i!M&+2
zIL=KlcS#*$E$r%1eFl7_UovEXlow8`Th{#m2fgWl-L9gbaYA^^M}7js2ZPd<OCVD{
z7OAw5G}hzSZ1P@A9xZL6HlcObw%NO0R|h#DVm(|5*$Gg^;Q+|KXRosk<Jqq~AmdPe
zOg{(FJh+iZQ3vBT*m=xfkNr5f@fm)oeCTeu0xVM3>gy1o0lI!#hkKw^A|N;7R8)}l
z*L6`#=N&C8j9{c!>bv31j+=wiF;Ox3JEmIdyU{K$mJG=SnGAKj16y*-EnA~V@$@b#
zw-9Y)xg4IvKDG^2yi)^;W=-r|ig|z6_q9CU7r1kh_?Lzf5yEM=>#i7!JBT|Y!2$>-
z^<i2b^nT~4d{U;6H}-6QjWZ%3{`kT{ECUk?UDAk0o5;6Epkg>*;TZW%Qq=&>L$`D2
zmjWOI?9lWEs&w89d731W1XCtq5>sKQLoh)QVZVbbou^`8>m7d8)wBB@REq%gEf4}$
zX*v|OxHy(fT9QaAEkz)niQ0$8fCeNT2zmGG%hzKm*r6FUROzB>^6e*2*}glrZw3^&
z$xO8OWaF|vuuikhWaBaru(z}FeSvHt!M`k|VIybNQ87zu$>}8bB-As8Qfu&Ks0<)8
zB>H}`)ds7W!x`(V6{N>U>*SiI*1%4X7_erbwJy_}6T)iEcvFqo%0x;m=cI^exI$}6
z_Ej~M1#ei0!+K2%03!*pjW_$5<}i$;<)YXx4YNct=dO$KDD)F-6F1SroATz!R#RkC
z&AoVp^No(BD?TUB@>+#v54%JWt+@$Q8}Vj+UN4vpk{JhQO4&NzX(d#G?{a(J+Oayx
zW>D_xM8xN4TSf^bt0kS`I|DM$0`96rpyytSAqX>K+^u<b{v1c87DqaD373xT4EJQ7
zF6!c9U9X6ngOklU+$WMI$0X+BKCj$bfT0_8=MO4GykXEsAD$7Je{J~T-5}~kCQNx9
zGdD>=E`WOZ<=jRwFV>yXLN5`Qb%0mYEQ2kLeA9wwt#FX<dUE=if&eqjEr)>(r&gll
zt8?w&V2oXzVp<v13e-zn9UDjeME9j*(?qnjf%YHGncB-Fn=);4`$G)Zwlf<PNDtv|
znHQWM4iX)_cQt=Q(YXGcCi;!;54$MAa1MA$*k$y!kZzKCE}{4GUlV>l9~EKPW3T|*
z;MLELlDkIg7`Z_&F+o=Ht5)}^W2|DbE{sdax5=cw*xk-TL7b}0k3?)Fra(e{?BK1-
zE4%-@Ra|qeZu01AtVZPhOXk7CdIYkREx{}24zdlDd9DYhSWXscmAA&(791M3WoJko
z%UUuN@ET#g)3mi`SOEzvCkr1-xkJ0E4nvHq#8yI@N{b7WsCeh7RqAK|B<TR>%T|EW
zqdU%~3klAI2V6YWmXK}!j;K2FjVwCS-02Ken#l|$+R~|NHezb>40*I=93`~WYO~2I
zYqKgz<-oGCbD-tug0suQgEResW?Pe`cw3AkfsR@unvPs+PF3}4y6x}vpPb6)lAMaR
z1$gBT`I%JBb22JkbLUBvz=txUV}?;$XSD?lXU+rmw)PY2w$K}%4J8-E4JnVHi%Oo<
zi-HdEM-?6EN2Se@mvV+YaVnxYQWdq?f+RWMOj$XQdz8zw>IB6zhb1Sc+A~S_cf;&g
zmDsuRBnHpM6CBTM7Kv)LPH8)Nidj6B>gi17^65+!wYl~rlsiHb8_()8pwB4Jo$mrN
z$iI%kN1i=Nps+%mNEM+Vmg;m)T&4fmXcX$sK}9%Mo}*B%OcSUyDt2eFKz4^?Vg#zN
zR0L(!!TRX3<M{koN$M)i$m%Mz7SmIe`Jt!qP*7cl`Ma9>Wo}93>nvvy1TeGg7f@?7
z;Lc{D?~dSr7*u760?Kh@^3iLgBFMuR5|pPG6I4blBKm__LPUEsE2n%qBbR&&G%LG5
zJ{pC%`?`>KCw1@xlzhSjYP>;y6LaBuQ}symE#V3Dt>zQ*lP8e$Qzk4D{1cNeNE<t&
zrz}3Fmuv>KD?>ZJ9IbaQJR#%x=@Ap7nk_v{H8odTrUc|VfaKA2p~?RJDx{_2Hpg+G
zwp!H|>PkgwQF7wDS`?MPQ3h=u%aZX>Mp)=GioIIx8HPw@bo~3ofJeciz^^ptw;#>M
z9pgg%on2Ardx2-nd->h$hw>Dq6Ld1XMTziqpBv>zsxcCi;TJIUkhSc;);72D|K|wg
zAF{aBL8kYfI&qfcY27CeGeP*XpZJ>>S#<EonH(Ejetq|hde}sc#2&GL7Y)L9;ukCg
z@LXDoFESzf+PRWS#PnVaGNE@_*A`I5CZR<uaoMbq7Kr;Mj3v);xvb2e6Nc$<(V%=5
z>!}57lBr$sfqV{YKm&ML9opQ<?)h)_!8IAH$mY;R3_HfkP|$j24##&TSJPGa32rC<
zrtex0D65F)D^nKG&c=Ru+0*H7p{`&bDKh4(2pcQ47D#u-&~v)LiAjl<JV9Pg0{^_T
zS7+>@oAEhk{2`}Ku5AB5XS2?@hmMDE*`d$c)zVn{)a^VvA&ptBQcDK>FZ>(C6pR~G
z6j&Q%6hs@}HpSaiq!ro_)>;K}E_!4i?AxR|l$@K>nw(?PIGn4~T%B{%2%WprHt+n?
z67GJd8Q#UEDc*%)i^oR%k%-;-xGYONhRrgbDlQplmzIk>7MTh=7MhAU7Mt4P<7Mge
zk32KKi%2WID@((^!>zh~ZM=iBtxKI<Gvt}$HEf%0H*A~pavzZuCE8);CGq)2LGD9C
zLEsZ|#OFuk6OekAeV6RMc5KzL<1GhLm4*iWkX8XHNRxvkrP)EE(y|~GX&n&4mdCpo
z2tsfr6v%jeF}-ETGb?ELlm&Y=NF-GdMj&4B4c7}jn!%MXn#2`0`q%QAFI&v=4>rQx
zdg$pdhR}0>FLhYc#I<M^sI?mwn%9)m&btpY@FOEGQmm1e=C1qOn<Q+h%SCL>%gJm=
zH+7VALc6Xr`G%=8hK6d>yN0QAuDc1-54%vavcO5%A6^AWyaea8w%F&PJ7?0)Y(q7-
z(~`TUGtaxKbE3P8)8y)-x>Bi;T5@U;Yv0wvwSFvxt;sGKL3ojF1W#Chu|{hSvW0fh
zI<|Fq)k27(xnPeb;oyv>cBMr?ZV!SA-;hlV^ZGFt<|RB9&MP`r0RF;P8HRf%+(2<s
zBR99R%P{MZHgb4NHiGsT%;PX+A>vSNZtTElf$orM;q1_EVePPFj_)vK4(<?Z{?kFu
zg4qGdoZsQmoRrP<wqDtuk8J;~XPESw&w=O|%G%hkNUJ9KE&HO+_Cc-<>1Cz+7{wtM
z=-`lh410~hPcBexl^_u|p5EQ?>!~9)K@3BXtdjWRt50AF2v0tPn9S7fH+Nj(ME6WC
z$-u3-guEXrdyRI9-+P2${0ED9K+1aiEzvkRHS}j)l#aZprZ6+IY$rdM;+QvA!{zyk
zzQ^DOOUoLLeTi#|0hTL2HiwHxf?jtT$~R^!5pzkuHf;~Ks%|V&<vXe1U^72Pi(p!k
zBBwtiE<JtO`bNlU9;hs$IXUwY7eeVN$H$2c(tjiS(QY1+;)3SbRucxwy7nDpAfgRh
z#N<#yJqYa_2<<F#*lys}l5wzCc42*6_NB&u-rO-9o5(!UNEg8M17`F35{d)iAig!f
zHfFPIYB#Ap;7i!EjgYD5n5fK|r+q1&Gg*Li&Xo<F(@|d#L)U~)HD?#24M7nNwd-T9
zdLfU&ZX?!aYy16`3BJ_*T;9-Cg_j22|F0j}iPiq+7_9aDo~Q|r50}hzKw}MCpR6b*
zrXKI_$?MD(g&Z|po-8e)pd<mH8qdlnpn!d~H9XK?+U)tgt(i%^v)dU&LPBK-QE&$p
zGJ+8018@{UUitjf3LW4C@C76S(m!$d4^{v?*dYKO9O@GUKEd}BK5NauM?UM#KJCK~
zL6i~$06o*$|IaGmbGAHuJkYvd1^AaMw!|O{RKLQoyP$kKoEHz9SC%4S(JX65HX#+M
zEG<E<q!*bgPetCN8i@K64;P|tNAjQ;mMD)#VyhOWrou?_E-Jx<iCX+igu~(IL@*hS
z3u?luF{}%6g4!>1ZW0q^`e0=p5*OvlUu=^1D6_J`&fJa4UM?zj_eitDDyqpUO7{!O
zl?w_R3u+_&vt^|xW#vPb^u`V8mSqKELWe21rRl4siJqmoapd`mWxr|4il8iuIZg@*
zPbiI}OOt3yGfqn5HA}PGU{^3LOBhay0!h52O_U|smE}fe6i6H8c}dLFq8Aj;7gRbI
z1V=E`G*nb&?iG9Ec#B!e3USLyC@hN*Pl|noa>6po8hOgvL2w=liU%qxjSKP<3#!=*
zN^ieD;HO!QAQb??Gv|i&k^g%f@pP<RnMa*HMq>Y}Wi2d>^Na`)U4)5qgKA@>yn{Mo
zz@2+@WH0n9Z&^jQS41&E`r|5Si!fpw8O+g29eYT3&Pu_|9r5s<ZC<1}3)n*(z_Xnw
zbMykdF|I-0_a5Jz2&NFu1chh=>mdG)k)297rzcW^d+cEW!fS~4yjXzFGAaJE`7j^i
zH9QLNg7&LVTz{;`dzn7nZ|n{AA?nR*=sGBxKI}~iG4_z!XsuUP=_xovD1*;}%>R8@
z(zG)8@6^PJV{<o7nt9=5&Q~;+*QA&&`Z(Grdt-^59i|OaEW4e(L~u@H>WA%3y!*JO
z8}mJtjFBg6`oh@(ja|5yHNTTm`Xan3N9MJiXZAjcphC$e*x(;Ix1sv1Z0&t=%b6oG
zq~~xaABYI0+>5B;R^Nrz2zQX#KPwZ)Sp>-PSs-UKzSH=}o}oKamhzP`l}*&>SEz$x
zmP(v)YYwNRc5iYVc0%p6RcBMS$dyrz&#!qyBP`S{`k2xB>y>g2ffHf>RE(|s6%{~@
zC5#@Ib6I80dQO{A(Bd9bdN*Vc`?U5q%t_k7axQ&_&Xm^7W7H4o*r0Zj7#_mjvc26=
z?ZR?xePPkUdT+pW7TXPZ57E$!r~zx%?E3ZHtjnWYW5ADS$tkX$PgFMd_11$`ymdqh
z{EJ0lrb3FsQR)W%5k+-)ahPmKx@c}!$ZxqV*S+q`%{Qjusq+zFY8J%M>-mSgOE7on
zsc<mvHzY^gJrNC~23*5^%opUx>&5sQ94o2$X0n8ZM8m5232a&${>fudrUQl-2`jFP
z@v{I`uJx4TS-|?+GNlJ7(e6EP?y2gE0i<PYGuR$)7GC?)E`P}+Cv_~}ke{VWTFggf
zsLVH-eQ~7jf#Rk*a>)Ju@WTo1p0hNsHr{rB-B_=YuP9gYJ#V=3g?mD06HN}s($XvT
z<pX|>HAq_l8!(Mk@)_Z0|A})tqqPT9n>EwsR}!xXR@Tdjh0qrRihr-+;yRkF%swRc
z9A`vYwLZ0+Z;wc{L4Qh)KRwJLm(ej&Za^Uf<P8fPQ%-UEPls6#B7`MXuke%XmpMx7
zixP_O-919z@iCK=6SYq;`BYCU+&V}*{^o-2@Jbk2|8e|R1hYQ5eti#5a%5P~?8VGF
z?D->`d%hE1srl-GOFURp{9(|e;1$c}JgpMArEWFw$Lv)ki?{bZ{NX1YvRWNCHHdoQ
ziLFtVXv~|#F+t1wTMSDUIq7dkC5=g0hMTZYUqatld0CTMD~^acJw&lR*tRcBTukUH
z;V0AkgFb6^r?2{%;6n|tLx@6lnBYJ0e*3iZE;;zelC$3at#}3b85XAN-gjo=ZzLs!
z#YV>cQEziZ%+w!r7C;S$oya$*k-(_Hh?IbEqz6VY6j*L@b^=m7XI%(GmY=v#9OKI!
zqJ`-5chcieen`*Ee0GRULIwcwe`c8AISKz`?-Re$$2Prfb1U`;eWR|||LgnKr6WJX
zT<fU+p(iaSDLU3OK1zzE`GMvL{;B;d9`ySoZoHy>L7v&}<Yf4}*8k-Ji3`d8{`Asd
z@B0V;x1wz^;i-Y_Y_zx7w5WtnC)1O~8SVuCj~b933Qj;sz%K$jA93R^xSpmQvJJk9
zKP~?u<8M|ef*~g)HBDr20DU*>wWjl^&xEoT{W+afPSt+4I+1Xi&}!8PHHfgX2dX*4
zucwgk`tQ-OU5GmqUmYH_U}Fx1YzH6T&cQX8{dKtF9<K@gD1&gJ)B|LegM_&gtu*>>
zy`!)%4{H$IZrC>kFP|?ubNk}eZv*a$bR*jYR{aUC-a#!8+<tXpFu9&czN&%R0$UJX
z-Pk{(^$@Sv>~7f&y_1Cz_{WKdmdtj2o@8J_cQ$aoeoOvVH*YM<A3=P+>%m_@w{twe
z!6^)9rd}TJm{&iPN42BZ#X$9Lvl>{~7}3jjrjH{y;F#Xnl{<{z*sY$+`x2_5#LhGF
zUcf89;cPSsg&v;aPXyl*+dc-8VvH-_u;Uj)9Wl5?<4q#NMMC_)>FXn?x`$Tph|KN5
zgr-8{e|GMXowVGsPj9HOd*1u#?R^yxn?uw)pl_(sVQSfezI^Uib8o%EOsw?vo?pC)
z3<o(n2n-K!)zun>!xq5U7aO);SB+YeAW0TCM)yb-DY=rAQ0fgJIbdpQLytU&t~2J>
zvxL90mbRMUEdH3N9NS*!;CAM!uZQw**}yS;qyfssUT@O7^9*#k#3^+zLlA^9yMMzn
zoVtR-#{2s_08G^Y4HbW^bv=Sd?0|=%8rCRrOyB!w)G^^eX05O5*NW`97mr4UJrMmV
z52KoY4rA`WF|L97>W<H^^Fx=G$FGQRzqO9Nd|%&s!9+dOs@AO0hdU)!So=+4a{uSM
zSy~RxAxu92F!Y&vE(|lxtc)^0)2IO!9?{G4D|NbI3?tz=>3B~E1H1v;;<#RjCtcjI
zP%Yg_&@0yI9_lkg_8_xB-safJbSMOH#?h?;yN3n5LTe=mmhRgG*u^!HS+!*^b}@>5
zj9QqP3tAgfApiPzgvC3O34}YId8m5?q8%LH$Oe7fqbq)zVRfV!`3c5-Tst8mZ#g!7
zc!wC0kbU%<tO9(Gk~1l-+;}}zAE%qYk=4K7MYp63;bHhFtq$64ac^{phH?;$>>q}>
za(>Amw1jMNWFFJs*7%m=H%EULY})$X>H4L`tK`1@=BdLA)4|m~f;Z_F;kLU3j6bdC
z+YSCU>Z5z8`s3nn2+|tcEtq#!`6+nAF9v|`M*rE+*6Uc?U}@p4o$Y4LWKUdV?T7AT
z*qO0Ebp?QqGV|Vlncf-Uo-R*8=G-P)TPhqGvVxeSUCxfcr=BG_8pDnic|(|EZNm0$
z=r|nGXgerUyx(`c+YL9X7Yp$A)I%Ps8jY}Tmxml|uX02pP%iKLwRhNS_ivGGwtxdv
zm?-v8R@;ZfrnTY!L%+9kF+`7qfeC+-ra4fTYQ~$1l&mo1G@CXhlXIKz<c$#h5-ehV
zw24D_o9s+e%W>Iki2Oh7z?UDSo(3IAyv+Z&+&@au3e-iuOAMGPQXdKSJHx7Kp#K7M
zUf-aX#UoljZn+DTD%_Fn-`Lqr(3Pv+nYBOWuj`{3o_c>jujumfCjG1<yY71L#y6bk
z;qO9`<oPu}JxpT|a~;}i=1m#zO=DpYg`8P>AJ>7@-A_O|iQ_ZOa5S=`{tb+zPn~n~
zJJt=;b(Gz!F&ulY_W&giwveDq^0(BvOD^$AQ{6nMdP}rdvUuUD>(Exf<K*ceq#3>M
zE+feCPXs0i1_tF2`6YFtx-cR7tvtMRMw8CdtTPD@>Li_c@^htqWz+Z>(W>oUtqU;^
z*j`UahP=a1hDK5+?@<E%PN1tBUjE8tr|ix7>I14J=H`&-f%M@jPAIA$^fHG_uW6$5
zGj%BiK*>{$tgV#Lz4Lc9o_!p)@@a)vOiaeQ#Kbh=d1*teKcqu^o?AHjwBoIkN}Gux
z+HF~LI)RUb*PcWL4+7oyCHh#qy9n;4&`9}e!e%&TD6L40CbVX)Q%bW`{XXJV3I3M_
zG12rUlxD3HN&<;uU?#!XM_7hY)y9lity5B{Bl*EJhSIl4Z@KDYKdN?p6Qxj$PQID)
zzhU2II&`ljwz%3-RzFWM>GTca41obmFRHG0mqOaTgz*@zaWB}`j|Dx8%{;+E+S_fU
zy!xDcFZJ|}=tZxR{gopu3bPds)64=?=G$JAa=(x%hHbtv3}32#J08xd#AFG-T+&4y
z!e26Sco>pfpO`=f)g?=D9(EG+-OAEiuK7e}J<=!)cWvT#h*k*mI^4x;?t5f~cV&M8
zZXAp6+pEUZPxiO)Voi)Z*P;5f;ST8PP_jgBZF-A#Xl-p2?cR6R6OA5=bqJz-LEr1>
zo_s3_{lLjL>tXs$4Cr4fw^`$8Uj4Ti#;{{<TDI=^To{+13wlqrdD*;ry<o@nBW^yW
zdcEJHBrD}-GlZXT&P;}iw6CL`w@EgvG0a>jiFna{uQ!+DoYAco@nQ`4Wu9wQ6M!eA
zK({&t?>mBdz6HrzgV3!1g|RRa5m~yILc5=_g#_n3Kgd%b(Y6;p3Q5=Bg$wGd{cs%l
zQ?Tbu-b)W&NOnIfR~TZme<Co<EuZvd8<}ATMd*iiLB6OsFR`BUINZ80S()f?4A><B
zCuI8-!WrHc1nm`!>~<DxyF3Gr1Ku*L1(9wq{Esj(4lXxGtf(IRiar7DKE~x9guF0u
z=8?ZiU}=FEPkLDV{^ppXU;tg-Dx1?vn>F0wTFRISF0n<TVN-llr!>yB7Zcn2&Qq@`
z?n{1VW0DW0hwM#}9yc0b&uh9r-MSM;2r5*Xkj@n3zP|T6VC&Bh8AcIgp>Zt1xd1PQ
zY?4UAedp&d4kN6~LuRY$Ju9^0?sBkB<%`-Iy;hEC`jG4$P0^%eBtxf}Ptn-66}#}=
zlKK8TLQ%iFI3KSFuD5uE;4RR9V>ZVUSMhq)99>ZSyn5h&-tvon`0-`e_bH3wbxAz-
zdU6lI%@;2GmLnjhlXL##<&}A|%l_g3ETiUffiNNN@)Uf$6ZYxF&u+<Kn~3*bcI9(#
zT&M}@z9zAn6K_Hrl4gTrm_)AxA8u{d@6ZxgxSrIiV~N$)@ykeCHq|57=+Me*+&k6C
z^l;tJdxPq6LS1!NW<zjlvp$)fkUQtm=cwShLn3mKWZ=wfk{Dr@^lKd{RvTirsJStS
zuFvCxJ2<}5E|Vo-<crX1m(3A!<ki+>0fl>{&BNsFNNLpeRK<}ztB<8h?&?CkFadY6
zLY_>WsI>!iEM%4N$uM~Jv4lQeb4=}6wU5lV!D2;go>zHb6TjEhfbHS<>jE#u!{x_t
z&V}vgUhC+9_xk!aOyddZ3fu4kfXUJDXQ)R4fS1Zt6Az0wTZU%JVnBiRr3wLu8q$g|
zObHG@y?~e?D`{jWSbqpNbRQWN{E_ywoZeKA)#~Q`DDv`k*XZvQ+4V_IPLq-1b?K|(
zVazigp$|G$U>%x&C3MX-RaAocDcl`@Eb7%41*Y&<k9qjZ&Z`Uj8$d<bkikF?OfMBU
zX@34Zp|Q3sYkzAXt|JzkqF1XjIx9Be%*#M*QDt(=Ujj$ZIRh_4V>62>iPp+auD0vN
zoXzNQ0?b;*OIwT}{PNof#X=vxslC(^NM<@YIkR0DrUT6PA@sCRd1RMGcWfBze$meg
zh8{Decu#6Y8@A!32%o6=i^EoY%zRV-bEpb}4#dk7-lp2=uH)6N_n>%5yHMogN%!U`
z$`}4bJn3{9O3n&F{_Mp3_UG@v`Bq$kxV_Czj3ZL)x?gcK^`mDa=$50fMJ1=4?$A&b
zy@-g%nSU>@us2)(J>b~j%CV6|!g_u0vv2#=DxB43Ggpjun#kF{w&>y}bI_Z{-0S}V
zj~!)h2nkbWRUby;TX^A$mX?EPAj;SoNVgl&LY4}sMtdT8?u+#erXMGu)b)OWptL-F
z4_SSm{%Et^uta-Oc-9kq!Kt|04)-v*3^llfWV_~jeCJz^{-ME~M#&MyXn{nYN47GK
zO+?V<Af@%Ph(}`-+K;w5Hf!iN*=|&##HRCB0&FbPKqqbA=q=O0hF{wJ=0}<!93e1n
z+QwL}y6*+0f&rm#jKRwt*-#%0YtAlJIY<u11@@kq_I#YqDrj=iVsG#cWu1JK#6BaZ
zFM|+KtuF)ex#B0YB#u~VyW)Jcee%K^Ws5L%SsYi8+9@#1Ck+c<>wgTO{;;0N1OD*p
z&6J*SFQQgbn>vwbsSMO(l-uXLA4IpQD)x0MC6T31pXOLL=E<W(1C@E=it?lKHA={d
zLzyTaP;-+-3s2iuh2uQzO?jU*%L&5f(0&l$9he<x)$DDrVPry$1$B>AjAXL26E%r$
zTQNiYoXnPg>cr@x40NqDzvK>Ul!fesWv9hK7*KoI<nto*n8!aX(Z<k?AwDb;Sl<DZ
z6CbXVsMi2A=u2U@!%M1}mJup?O}TF7$JDcB`%_#iw^WSTc?iC)`=J97pu8Zsc>MZv
z`E@q3bHqR1F2(t?H*|6YNh^jppjT)7gW4ccmr2pmnN&0^<0V&cqzE8%M|X7LpV(nZ
z!oVJa>~QrPC)||n0Cz!;=z7!lv`n}0?W2@!zB1Oyc@8`11CY>gd9!fe`nmUmH_C>f
z^?bzSzu5;K(vy@0arrmH6K0PaQ^X=JUI-^93frgO%#|!w^0snkZa6wxZu~iZJ>G+U
zAmVNM=y4z?LjTUn>R3%hBNU_3*@e@wS$3%L=u{^R)jsbGO1!z4QMPn8b9j5Ahv4rY
zC#Y(=-^k7!?IPMmNR_fEo3K2jo*oL*oXNmN6x3Msn`!&9EpPK$Qx_9st?#mnq<=c^
z20oDcr1<N5r-*Dl)$f?Eh8eOG*mer@eO<eE>MN@2>u6OL9_NI<EawrKJ`We=b}fMt
zZi5Inv9He&=4Z=}8xk_BsU3eAzc{a!-%UhR$y51nxKCe%v}uk67X@6S<k6Q+b7-0c
z<WWsF@sXTzDcYjUjHxX6>8&$ooiS#6od3PIYWMVN@8QgP{#$je)8W1I*gfpE1_v2G
zAP;sn3s`NYAMzpU-DwwrCnpSuixs+#UyYb7ij%uWt;98u^obkhmeDy3JcnT+!5<h<
ztZ~|QexWdMqDi%RfUBC=^j;@8U!!x;P1HprlnB#^6g*s=XGJ~UvKT!=f*dsO*=^Fe
zV;1I`!;y+f4y-)Z(e*1G+znhQHJg*LR1q)CAnK?=LR^MMlw`NX6%w5z{$lR`wHULo
zU`2{bR6FoI@^a|IgVTuL!O#~mrwY8Y*nCo<JCR(kmt$H=t~<7|Pi#`r#C+CasV){#
zF2{Ezy(%Uqr(M_DbDQ10nXlgMe6{nb^mW{d5P<mg0}2tfVkrs=S96v;Vbh~f3tl&a
zd`IneM~<JvVu!wB#VE&pI}y3bbS!lA3JHt2)6iH<0<D;Pr#QL#^cz~06r?&*`qexs
zX$c(G&9nl5#8^AV71s8L62F0cM(P$wU)5}}7An->Zl9{7PMbBg^ESi@LS{l!b!mP6
zYem;L0&2`yi58jnpD*!>$4pVgER=)c>efO@-NNSsFu2X&YL|u=`Y^I$Ciy%^<fR&a
zgBw#waDHW=6-%oKAx00VdE6N#tS1*FK;mt^6fZgBZkR3tS<s36_PlhJn6IyfY|aLi
zS{_|>;eL_5yFLfqtfYbp_2q9mlU5)5x&h6RL+JrWL0Z2gdy-FjS_SU@P_~WhvRXZ4
zwi7+i+g*KTyV$T@iB~X>BfC;lW_OR2#W_-h*Y6X}mg@kt402PES1@^+94NIMKo5#N
zC%(g=y?U4b)R<szAIIxE+S<Mf<#xSA>3vr~uBb1%9-q(JUvSsLZmL!aW3^M)C#ni_
z<w<xm6v3}*U7AJ9$7aZUc6n3$OmH&_iH)j0w``9oyyj24s6N<%>0=ae=cmNvEjYpv
z&-M+%&Yi{~D2hAp>VND-A2)@Yv6rvR6FCpF&S2A@l)3r1ZNka;s(b>LXZCIw3o&;*
zo1My;39hbsYQbv<C%j==drxi49jqymGE(jLN4|vOW06mME8K@Ur_=sE1MrJdj^HC-
ztVm$*p^^}<5NgNmf|T{&%|7jSSqMQs(Ebr6{!JKc(b+o$0Umb6;V+|ewFZ4kb3<{K
zq!O97p}<{AW7qeJx^k!OZHcp#`0!MdZhcO)%mDsZ<THb@I;YyMot2TYoZI!WsUJUW
ztBV}$9M*oP5w6i63~7o5+qYJCZ~x_K-_?@t+wSV>@(B`(+d@;<`cvVe@euOXz#s)E
zHv4l3-d2f1L$1a--J!u>wPF@7ql(8Ba%6ttA1|k}rB@=r&Xla0Pe#v7Pj1xq!Ps1k
zj?A+}Hfxe=3k5&MIqHt;YPL$9bX&YUy}7yBDO`&=waPh()c72%m8JW?_;{!AOoOgV
zxI4Dfv2EM7I<{>)>DX4swr$(CZ9U-=PQU;Ae={d@&2=B&2fJ$3TDx}by^wq@Y@Qga
z1<IcVioa0BF4gn+;}tEr022shq9D{C9gF2!T4IvV6y6017C%Epin9le8XBmyGpK<Y
z;$JO>McpcPsP24kc1$$MvIBEFJvqK2^=o}<<5-Jn#bfOHNbbc^T)`1(2RMIc`+a5L
z+mn8{R*b1q$3~f8zczKidZc!NTIcGr)>>8EmNi!VNF{u-C%|=Sifsua&Fl?%fo!!M
zq=>WnjF>l?E9%@pLJk@|#vp-@q&LArXrdFw%@Jm(H9Ud_@oVqERcb|t;8kr!hv{M}
zR$hx7u~-Qw(wpapP>^{n2ftzB9tHimOREFSAi5VU)_zK!KuIEo085D4p%lUoSCwHP
z%E)u9#A)pu_nuC4TF+lfK!Pc|Z>~9qi{tV&jAKB**2%Vs>2i-;gp@HZ7aW^Ild9cp
zXJGPcLz5&0aVXw^L~$I)U<Z2l*g^jy=96mS!UD9eYrHF3yHQ@U>zYP$vwTvO=8tb&
z)wv^*QF{t}=}>1&k|mud^OC%JREi(ow}463lp}#c5V#gts$hVr+AbdyDXAQxamf+l
zNIdJtcp?mgNH!@Cbi`Ejty8n;Oj=ofR-_BIk(~$BwM=KWJGFj@;Zjj_cYVl%RDxN5
z`~_k!%zc)FE)rH44u7oi{xxWpF<KNATO)1gP*zXZ#A84^FyfCpHKAEdj}Tuxw_p|d
z^w^hy<vS~_%YpZ)>+HF7RFVNrp;Rqw{*}|mX2!4p?noPe1Y1nYAGD3RXKquzj}id7
zN|EWJZmq!-^G(e2`|y~NrB=A|MkyW`zd@p;O-!>{i2fpZw}3AdCK}6^Rq4d>{;F*M
z-j}rc%tDYD=X((aK;&n4!>LY?lpl8MYc7%~B8fVqhXGYl@s*%j>ST;C&P9(RdWe>*
zJ$7+Z-Z~n8jErXdw%wV*U3Q9$u>wH?B|b}`sS6ZyQ}x~p*E~scTh1`wCw5eSa&`Uw
z_vl-Rye1-%l`+O<r2-M+5rNI7Z@!V`RV#=O9n+FR9XnR>>}uUNcL?r*?CfDjm^@8d
zXsdo*vEeP`SL!4p`6RV>Daw<>p+6DZQAAbSQ9RJ6G@Ca=C#Bk~_9Vl*N-(w3UYvL<
zDcfVwE4G`r8@TKT`}O@sck}V6$jrr>J!?<)QVq1BPn$Mvv?^BW+?Abxcbb2*%W?!I
z|Gk@Sg*m>&Kk8&oPP`mxK};29GeI;M%1K=#H|>(8b!e%w=up9iUkg>~fJ%scM?Y#5
zBf*MLC2cagDdn05_ww4LtaxC$Fmt4N0<Wk)1d-px!-(?WU3xRjR6J7nw8ZI`>V!6@
zq@vG%p1Vm`ochl@L)daniYIuX?uXnet&Znwm2`xX3}vU5u;vnqwDtv~v7r<m_<nzh
zrk3zNjmu8IMRlz7Qv&fbh84W)bANM=Vs$J`@a9RWqbyy46?@z*gq>T{g@2vr17d}?
zQDv*c2CmZeX0MtHFb2PIbYtOi$XUBMP|Z8TG%4{Tsp7kxu!av>113tN%f!+i^ztMb
z8-$2K>`1i$42V80qqK4yT(Ci>oRClhum3rJb!jUx)Ni5BiP8jaguqYX^>JO8K0~)J
z<UjA8zRbYM3k)7r*Re(s;qm2fT|BB|=Q!sR=104h20+g?EoL*WPfcg##I=YO>S8hM
zn}EuX{>Aw*i^eU~kWorc$2wN(RSB?0imq@}mhhfi)*8!yb7J@<{i#vVyFr_SrC5{b
z1XtU<?e;J&+;_xwH`7pF>`VL5Uf7Y=b@Xb!;E3m)GNZEG1$p-gI~&kxTP5(oKBuGb
z)ZFh}#9az)*i4`j<NvEo8=&Ib%&}ys9Q$K8kP-u~HT))BJ38ZzdNHNbQR&N(>l}8^
zah;pk42u3w7{-rP06y}bl?pNI8S--T&z;XV7SN*F0(VSmcmAMLKa5;SQu2e|q-rSD
zOD8jgm6$3<$TNdKX`fnq0i6kNJeFXd@iLZRhG?1)mQ-!SU*qYhFX%21cuoF~c%=-B
znVA~$v&Z_5584fK<gv%mIy5=&sy;es>ae{9FZZvtCYPll^CnIzuP(0k(@^XXZ65O#
zZ+g<8mBz_aVwf7{mA%0lR8Ff#%EJj7Ab$@rkTVH7-Xqk4Cdb&<GYb&6AMQ}WQSFVM
z<b6R{{IyOe+V*xkLV9f+ng_<Z1Fr6c334EP=q%utTivkLeV4xv`$U!2<IB}RK#kmW
z!Pnw0-L|XRLlCunvbw2qSRDwsSj?Jm*2pt^PG?%zP=6mEYF#(O;lRG$&Gus9#lRX5
zaF`nV(cb2BN8SPO``Wu0itOhw1}5Kx+iDn&2yHcDj!?{JKhu&Qepr)8J@~0|5Hf-g
zC4-ltD_R7Qk`fsT8W_WI#`0<4^Ln!19-U>epH6wOpW>4Hp7(6J0PP+cCQnQYZ#5M<
zGUcWKSBFCC_O9o}lXly-f7iasRVr#KYVKCPcOPqtZ*L3Ny=yhTSGt=s^34@zDWMDc
zY&Qp*!jNF`lU`W?!9$f}$|$=5J{kvHN0t${5;@k2In(fdt-nv%;9aoC9-2-MY8gL~
zk4&j@8^;hi_9V#s5P*&m->8736M#WCS^f^~#1rbrj^&iXi8<L9{1HRSt9nAO&fDkb
z>pR!OEoz7_zEX`@{TPx|0!~DgmZKJat)RXtWVCs{Ep!el&-sypgm*0Rmu#bT776Ns
zGd?cM3>}f^2*_e~g(b5P5cczFu7%z|mv0!10g-V(isIn%&b7HyyYS}z34LkkgEsg6
zJmJsv_HC$$?JyP`mrhN~i7rBG0c;A~70_=I2FKuKRk-U&<?~Bx-%acO%YkS;x(~b$
z{D)e2wNc2K__jPMGn9)RGlCnYv*U@uIXC0p;ZdpF6-4&c%?2e82C`O^B$ZiV`{Oye
zyVIwkRtd&eTbFF+ioKr;kMGyh5|7K^+qQ6s;|*>TSue&DT@~F6=4{CU#r9Zfd}#nG
z`b=_i#T>Y)=%w`NwNqV49F>yZRX>@r4wgwZSDndKJLH;c<flL#SSvOm6^TmZ<bhEH
zc;KC6Omz@L3RDDa8}RgY<H=bO20m{3Msh|+zr(O(>Up;DA*H+;^}&3Gmv>p1;4D%d
z;z^e_y2swk!+l3#moxqhv352kEX-N^G|xV%yBVu^AlEfzw^e?WzJ@ucnoCGz$OH8h
z@*JL*Z}nHXdHm>EV1xpRf@D`@7x6v#5qLk4i(6rrc0nQ1$;zQ8mRCVye?1H!qhpRc
zfq4B4GNL_pdjVW1^=#K3(!gsuV){Qn<Bf%p<%r~@zWN<;MKBODEP2X-ZleHr<pw^Z
z9wp+_aFSV?`%}WbegO^pjpKKQ;xZOq%1`47(g5ESM-<b?LtZifuR#FH1b-Z*tX#j}
z?VC6?7!}MSg}C$@#wHMHKNzp6KF3rfSfr}Uut;eLd#k&NNnTvGqv|iKMvu3}#{T8C
z#<!ks_43uyM|OYBKQ|-kfw{ktU|Pd_LY*M{^zIx4IC3xFtUKS8!=KKd=(h^h1p?ca
z2a98<D7$gI6#ohTNPf<pD7UmVV?jMZy~xLDY;o-Pk!mm4=?kV=kUc3xK!^;$bwHH-
zm`FY^46TxA>Zy&+6snKrXaWQ?<#aqB|M)JWzl7T;r_qbGl9H%f-nqEEZsAbNq>^r|
zZm<3O*uuVB!w&9q!#^4$|4jy9xjKdPd~b?)UXMFOSS%)*UHmlKx|iV{e1%bZP5&O$
zfjlC4(aM!IiWZZNxr_LVz0TVJ@&FUZ-j~&%V#6rX#~t8Ht@bHj@9%6p1;g)H?{{ki
z39a)4;k#q`ac#UPZ2*bdH$AiS9W^|x{}K3QRdFo-yt?Iu)a3A}4v9Fh^~y<fl-6}?
z$2=kl_)#0A8$4%;8i&>OjCQEKY<UFTpN82hUrnq4{RKPXUda=W2&-qzTX+&*3XgD)
z04VDC(?$4chwdp>REs2>qZCKT0L!nuI0k+UKlX6+lmAz-HS)&P#)N{j|ANL6-ADnu
z1$a*ovNaQh%Y01!akq`hJ;Y{GRJq06{7r+H4rA7<GO|BSRby6r9;Vb<cinnKY{h%M
z4VRKx37tw-m))kAzfZzhoctUJvmM6lH-0}`#OXPH7QwVmX(vNX<o%?@CBl5kEpgFI
zN-kk;o`jVEyI<Np2VrihlI(XU{Eo|C_5`*<-rsM$F#teW-*VQT)XK{3z^s^O@$GqZ
zEeecp690@V<vTXNYQvv#`3%Lrp%<4A$qo@-B{!9uSW==5rh~@&WfO({mEjlk)UpP@
zOOh~Z+A&AR{kiR1?x*WF%zMJxMtP=|Tyh+rpPu<M*4Ss*38&}lZ&}q>`#?@n{%DQ6
zx_`t=1Mg8WV=b?NN|c+nq6Rw#`&Tb%;q)Bj8INTZOCQ~N6iaW0UTLNhs($Z(ju<c5
z{r^5<jz`AufLg*;LD&dhh1$S(^z(m9F9XaH^K1JlKz;8#7ANzO8=uRX26;&V{ba0E
z^ZDAHmAtz+rVpQ0MymSW<J1fAm--_rm64U2f(u{72{XZprl?d~_X&*xNwQ5dLc7#z
z^ug6Mz?_VWz~r|K&y$5tg5e8p_FhEC6&Tig#l*tSMxA-C>yXhO^d+?{gJJhKbBkpW
z<LB`qth?RjAS>>b)A~xof&j1Yuy$#!#k=1Uf0O%FMSyqPRXwYKUy$DeTDbIi|4v{S
zccFWg|M||T>D#KhH~cgWkyStpmK_Qa<hKbMFBFcU4~JTYsGcQ&=jjfOaZ~)lIz0y7
zvg?dBm4PS(KZnn&OtJ0lNdE0yfR;|FL+=R)aT3|xJ>0&OQd+T$`i|n`>Y3aV7eO*Q
zT07;Px5c$mbF0!w8tt_tP`oA8a{yDvDurwq)+zWB(F6d<H9+j|bBKg{tpgW?bw@kh
z6SM1Dx9o25apX>`g1fb>Ij>?{5V@oB0l!A~)+>qtA%4_1kRu^sjyiP*h7klpdZ`}h
zo{=*!HA23Qv9s{2PvUJSTtYCIs_4vIRT8|h#|lCkQ+IR+OO0YnH1F7*6X9C24pgaD
z{8^3Zr~b=2N$&7+r9MfsxpGVB-QCCCA`y~xmD}UbSjK||{Oce@nvNXk81h#&)?Vgz
zI|3)JC%i`Wf~WPrhc*2EtY*tBoincQsUD&Kmw%_BwG59QT*MvZ4m`OBM~M6X0p8{-
z)Te0Hyy!o8XP$BG>FTmm+QB3mD@~vv)f3Ybx&iBE1OzSFkDmq@^Zy5zapc9b$^!bR
zH|FQN!*9_&Oh%8wkmsNFPh)sR>d|Q3Rk<!vOvndYSG%~6l?V%->Fityg*x-2v#G=E
zW1M>hyICDQ?zIAk@DwcsYcAfSbzckbBrL60J~x`XwzNfuw^TRvh|hY5?!^Q71&0-j
zJzp<Xxkb0Q?S9?>@CS-3*$iBT>0j?wY$8EZm-8eS^D<C(8K_O;ef9X&ue>Fzq&cN}
zD?5GWq%|x(Rtx;@3EA+(p#c5{tmN6cxFG|=O#2~viTzVcVRCRHW~L49UbiC%fwICl
z+<aeUx?C>T3l`_gQ)mW;RjG%s6LjNAe3}18c7!4j>r*A<NsZ!<1l&gXh6iYq`r!k+
z;TLvebwIbdPTP9>{v&lneEHE5gnUv7Tt;-@BMAKxJ7t)j+VgQ{r{+$AYs#jPXC~#O
zhP^I##SEAmCwCq;FZgUG*Ef$V{h~v-D^j7nbS<s_%HpoMo;Nx>*SJnm`D$lZy_I$(
zhRgu-%PYeam-H3C-)z%uX8WI2BuCD5R4v<Vtzs*Ci@zjl6{f0_l&>!Zen|C{J=_BL
z8v}jUBE!i1z&te%RF9~Ru(vw*)>cBvb5CzEfQ<l+yT3#K+58?*U|l~vAJ;4eCBVM^
z{}*;2NPyx0XgMAafY&zUf2c+!p%l)}V!@NkTa+t^{2y`>UO@oD*{iH`EhMvxKWGr|
zup%!1QL5NbhhbGrd?gO2oFW*>3RgwlORx}l^UzmZg)@xTkE~&p`1?8<d`)IxWfuSA
zE?_Zy51)1a>+>KK_T|wsV|_*T)0KgK`lGi4=OxJ5RpFmKMrUsH7c_p|Z2y@cu1(1+
zuF`r+t}b*bMe4M2g?I0-S~^{UB#?*I=7&-8k<%0o-dRuq|2$k?;3Wozt4OAf$!x#j
zF`iB)FP-&!^<*DkyW#Vs@M@fQp57w2H!1PbTVl8`DN2FMcT1*wvC7-|3XR*5S<qrc
z=Zj6Zs{(iTON(t`=jLjzMS3G5E-&9LEIv2VOD|z69;e4iUqB-yWZZR+lOM*=oTjI}
z@o`N2>Bo2u)gaaJUL`s~N2$-;%$c+U0~XU5VMVS(_W+Le*{)!^esAfoH~if?lC6sy
zhsU<-B$AETzJpAZut<@Ilrz{X+sqkuHXasryY|aa7b{;C&p{jN?cUp~W<>wMyB71F
zPWhYOCsrp6!(OpJe3=}gJha#sx_zGMWiGb|RC2c$hAlJkw_kR?Ji)tP`qq=zge0mn
zyzkV$=3F*a7;U{Gc*-b6X#(2Vu9|?dbecG#fAYZ#C>rVw?xMVhOt?hp{liO=QVI<W
zPxgZcayr5L(2PB(1k{Tjp$h74j7dn9a|7Pt^xjE|IPOVG9%YY1KmMxBXdY2a9rt_5
z2zP5HU-EzKP<`Y~%}Rc70@5UXAb^uayS;yUbD6&RUw|g(hmXYL3G*>y5fFUxBH+-W
zzh5;fqEcia-F+MUoskSbXf2I*&lu6T4kqSMt;*6vUdNGg^wEJSVY={*l`&5US*N44
zp8^XxsJ4QS$3aO5alO+sRRZUebV4HIf~(|da?WwS8+YKoJel_+B0H(S?W4JZn|u>R
z%ACheZ(7*?nT;+^pP><p9(&(^@4fZHq>~eTRpKdu$|x#qoAfa@Fdmqb3V#HO21An0
z_Ri1p2L<5>eAB|ZhQ^j7`=J}ECzbK$YBc~9p>>(H#6?vDF`JW8*9cI!CMsQq91=c^
zo3ie@u56`A@isODcpn3u+*WXMrjOi@L8pELCRc3JcZ3y)96$F?K=&8&4Q94$7P6Bz
z771=wjXim4w<_@r3!Rkfzf62C6zB0Qap>DR?chQe>RH?BoBoEa0t8IhPp#Psa|}Q7
zvyDDHIfz_qc*Aud<&!rW2L{oJL64>z_;<BlXD-bbrFEf?HJM~}@C^wnX!13%^R1d3
zrwOw{J!D7d;l1r~(Hp2(xy};nVW;Rr5q`6KL_m+2+;8;w-Y4ZI+v;&ARe1!@TRT*E
zzSOjDdxPXl9t#>icF@fmCnXI}<L`EM^6Y<<v4gtilS<~66>`RjJ+5Z$fg1A;d7`iC
zP8Al#62&c00tl%8gD@X>U|WR0kfwMJ2JiUBNpXcRis+$_a5@t1inpS?T+uF^G0`Cl
z%IY~()r$wec72R#bBrrarw5q&5TmBGObHXyCQtA$lnve=*eP4)KyK%xt&y!K{Na0=
z(2A$vkOW#aW_e=U(2S;~IYqadt%K)lip`9`O?F<>`SB1ZOGDy~)6H&YyVaWV6Z14k
zP;8de?#*>BZf3pqqUiynotvg3B^Gsj5&X1QY=C2gKeVUP0V44#ncq)O@q@{+hcULh
z;dHL1Zc6_jo>CL1ynrJJb)$;d5B{K4HKOha0;b~DO7Nr6BCkv_zX2Wjs#emaOiFvm
zsm!Yf+Lssj1Z1ZtGT(-204v+{>GW)(o}}T>jNp6dCmgXQINF~S_LHH8qQ*2hf66;X
z&2PK$=uur;yy+E$KFN*UUuQc<Ht_8uJ;U99Z1|(?-KduaP|l)40uh)9sKKTJO1L{g
zFRxS!X4)9yUi!<<f_mU<ctd&V?_tMSQ1r!f(q3=l3F801umr+&(q27}q=HucV4_@}
z^hS&ie7@OC!s9BjU-#orEd?$c|0}H%?fM5;BkEAqd^A3;L{6<$mDY@rY=zF#@kn-O
zBxQ3FoN4^9$mGHf&j1jy-Oy}riFv1p#(0=ZD)9>h0{+`I?!k!u9~-wrCeCtUySC<T
zxlz4T6zQ9%X;nEr(op-}VBF@>LPxHypCJFPWJ*D+saUzc|E)g8hjsL=;tYub%$M#+
zE2X}$9@+=ih{#0Hm@Cyc+tFbGuZWHUvY;MHm&#(F$k;}y{uznhXs%^<Dw*}v<*B((
zMSfU$z3_kr3)q@vUdw_8o#8V+y%{<8Ru8)`6FLI-W|l3{s)t6~_YiY4x@<(Oj<0G(
zOD6B1uCB+`UtX~-z0$LWO4OGNP%$z}?SEXe0=OY=5gw7>tfSoJnl)`~Vy>^2h)rfk
zG4FI2EO*TL8Q!LFqWRUFsfoU9$V9vNsoFwupWL%%C3Vbwns0JVjvJFe{d-!Wb~~0w
zvZ2tn6UDKSbA?)u3f^iEeJ<>G{8u?YpVE4UrV{nn95s@GFD|m5y;U|+`BI)FSjZnp
zRheM9d3Lhj3^pG~UFVEIe9glxsUU|q;!j?nPPe>8YsBgJsYjN5%02&6aUg{)_k*I}
z=qv83;k)eaA{M0FMAFsEIyW32P9ppkvDK0|r6rNv+F`V_c-X%#O2^W8cvdR>xuQJK
z$IZPT(`fcuxYWGrfPfq*J?)YZ3a=VGU}9ZRWWB`op|gVY6yLXf5Y4~C;HtOSCt!8p
zZ~TaXS?I~%F=qZ33AQG^y&=>`=ioGf;<D=mjDP~*iOo{{4}YVN*d-huaPQ6O|1tz-
zeu?l4)jc%zuq4`rg~#7I-<ZzMTFJY{<ArAbMeV~_63RCUpkRnVv___PGr&hhx;NAZ
zw;kf^_mSsCfEN-FEIv&ZSfq*v^o6L^4Spo|8%o|O{uNJ<G{F`15!}wJAs|(jJ2_db
z(|2oH^l>BjMZG6#`T-)dD<7yc2$0qsTriMbxIZT0rc_<iC}La~9W5|hpxD|XT51j!
ztOTiH5dVEJT}qV`G}n@MKr&K8zue$4ZS-pwstVUfXVS>{c}q7XAVEhFG|bM%dpFOq
zyUv2=G{$Ulb~f1-@%5_ww-;@fB1BrvrYb&W6z1wu&IPc_`UTP5e%_n^lKtY~#fqbQ
zY=T{OWc=EHqf;iBf%eaP*Prmbvyls}=ryK$;z(S@n+e*7O5ArF7b&$%c7)Ww%_NTX
zH+BRScIOH<e1B=KFJY$}DW!fEkoGbbkPZ*Q2c=h(T;r@XYU&c;7FF{~2Yww_<;;xT
zC&+pkAZ<_On*STj)=W!QNT3`~1gXb#F+^Ed&x6g>#N%jOD@slLD=)@c)qL6!4^OsX
zbJaJ4js+!3cfESEqO!5Rn&XV-Eh2KCN9UDvH8Rqpe{ebY?od^KkTC>0CSz8UC6Png
zi=h+LA%rknuvSUMKA-ERC4PgQJA=(vivF(Ddd7oU`;ipF<YiXSJ-M8^!-HLov+fI;
z^5p?FV`a$0PDq_n-K>+Kr(o@DwaHfKYVU2RKz8V2*8OyLB-(8@-0}W>&%{fzvh81H
zjngL(<D*yQ-`enqNM$`XD&}?5s+O8?I?j?6x57FFxjOkz4WV?ZNWKidx}Ifi#ouyf
zIH#2Mioehp?A4NAq=dn~;{lj}wxQMdI1=|j3LMWAUeoc@apS+U?<uB7o>LNoj}ZQF
zO-vu3imNo=;_OM8m)+zL*`#LeJ4`zBNRV;+)+^C8&uq~FsQkYh{hf1<n^6v_!hq-(
zrd^?AUC`XAXM%+3{dy2qo#Zu{Knt^$-oLXD?}6hs%xBm4;!QTs)xO57Dv{n%LjGg3
z?F<~oFWx!3yN8ZXuOJEk%sH~>yx$TRjV~>|e$Lc*Ij1=I^J6)3`R*8WC5Nj)ct*#2
z58bMvt8sAE|C)xn0lVb{Py?IEaw!yGYKSmgXWyXiu)J1=Tu0RVb0KzInj^a;`Q>*E
z096tinOT8hD-7cscb+2{S^y!XpYAMGqU{56Y`C>ZkY;rGF!oKv2i?f^;vsFhnF8k|
zHmA{gZtJu7hm-23ZiDkZ`<AzmneVeD8HkSB?*m!%(bop91b^Q4cHF+;;3Al6<23I7
zZ|P*y>JS6rtmLt!Fn>dT3VSmsuq^repU6_>Djm5?ec&H)$b6U`y|7C9<2b?Zp#R}j
zaGvWGeft4GDWXWeuQDp_C8q)q6KASaDRdWjT&N0MJ7uWJ>+vqb+|iWgmkt37Io!{I
zsUJ5#rRE;)r$kFfd&@=OZ)p!Mp<p5iagF!Ywv01n;3VxS7_TRxkFT8z0sfNFI=0ua
z5|cH@fzsSiXn%O1_HMY_>E9YSD90iRfUYp>GyLRlmOaxud<i`t(=baXu}=}lgF~@1
zPZ8-uf6k0K0IvOELydEC;oz&J_=0-O&d0m}QYZKesP^zntXs{!Sp%V?Z)ss#kEN-U
z(fCoaFR~-CeqblK2mc`Pw_GZ()yahM*x`SfE-m37X`(}ZHb?m1ANU{KLd2&P`TR!&
zXLh;zCN)tWUM?WiSK|LAQCOZm|B6gqoqbc9pP;!3Z8NVG9u&tNfLl^=7@Qds1{Wp!
zAgGG8-Vm8AP{%l~=-2Iop;4k7`Lp#;kD8?Rspd4s7NNOjAU;&u1bW7h`!=UDWXnil
zAy1NTCSU(O2ic9YIf%A#V*&?7Y|L$hEG~7C%n}D0E^fL3B%k^>hU527LJ7yKxWmQ9
z{b#!u_R}oqoz3k@B@7oO?hs{hkYE#1LGeF7q(o8W_@@?GAaFL<5aHxG4FW-Dxr~g1
zdfEMr1#E%_ACek(y;m;uw-+~CoxKOg_uoGabKRa<8d;XvwwISx|9ul9cDdv1i(LFm
z@ZO89*h#Sw`8_)?xEFl(%$_FKRU;K{n4R9<Z(Kxi$dk&RY!oS5GFfYqS)*m17&%>3
z=}OMTB*2M?Xj(e^<S`4S8(g@P67DU|IHk6W<VIfc1{ngJMy|_<=&P3TP*HJFa^*~j
zs0*u^`oSeP=E@{iY7;g0x;Ok^GeRuUT5Ebjkn1#1{_WzQ6MX~TsZM%^DOLy)bAM&^
zaF~J^R+99Ej9N;Gh%%WoMBRvPRr!!tzL5*8kjBwp_*@c?`FWCL9cfHLQO$$2bHEXH
zbg*m+{foHnK<4z_WwaT|5>Hy{hCEy(&omb(qC3virU-pT)Fso+6Q#{4W=h>3A}z0n
zG@s?iiyF7~dv@WCzs%<-a2YRleaupSoUr}eq<uOKq@TG0dD}|-RI+Gurs^ce`AO6=
zV!SPqJgBo0SM~y?IphCuY}Ibw!pZrS>TO!y)yuJ!z;%1kuGhMp&|rZ;AimNg=u=|8
zt=BDZ!6?EA)=;*HpSgVe0}#yHM60k~Y;FQfSf&%8)ynTCs?@#2Dao@%H?2V}%?l}!
zF3Nj~^C03EN-nlZM6iJ;y%nZNb4sp9YpSySQ2&$5bys4T*~=MN>k70JKj-a~R|;Z#
zL>KlTkPF_S9Lu)pw+kv{wYC#q(wWz@!LzdJpkyD+$h{s)mtv!rW2HVFZubbmgzxPI
z{Ul;rL=AQ+h7qgaJh%&mXi>k%{sQDTkJ7c2O6lq0Jf0&CzCSydj(=1Xc!-k+ZKlaY
z$DTFBPnM!&4(c*K9YK0E#^yOrvFOh*z>OA=Y_igS+hv1i!fia6uXpwD^MU?ljD_^#
zkLZDUY#QL%pvY0jp_Dcx6ubNhMMD{02Q@ESK}0V$lKzVxIw8%lm=B>KV{ILduTzC4
zZ#c5tTwFZWWG%E9dNL!jKt66BSFWSBt8KfOW7A?`zhAM)I>yH3x-Xb+n}DFE>0+iC
zhjpdl>As+M^E`7Lnk&53<3v2Bqo$tU-+bVPwKSM_sPKdSEKSJbfeHGXPsYkxt3Ugh
z^)!DGk#qxOOcdL~bmmj-7i~dNKQV}m(bRCRN#qDX)~miDPc`XS&=?N7R^fSAZj1{P
z#gu}5y_vg|UFV$*mfUkAq0H;_swb3pm_R@^0?YtJIe)D|XPBvqKv{2#7E7PxSI2Lz
zbg4;Pxe|ok-v;o9QE~Uh+4sdU_hM)oBo{c9q}JjiLk=@H_U;whd~WAm(+~UoS=#xW
zl(1s*pYq9l>Bsh8h#9?_8)j{RPhrC!%_kQqt84MASylv`8XfaClr#w?AJmN$8MQ8H
z5F1tu_f86{p-yJL{+!HRpA{6z>kj0V_uQ=z(kUx-?M;lB2ys{E*SmZu!rMTbuseKB
z`Z1ce-t%UqcTZopp#<=|7sS#PdQ~!I>oD&UBc()?-xqlOO}`hTcHo+oz93d0q}LTP
zcNX7RJQNN%z|tCU1F|ea(N6Oz@~<aJHbu-X{nJ)cbe-_YRQTGh+T+(!XlyP<<^Kq`
z6?qYtKpRK-wKeO&WgR!{yY2tT6iNSGA!~W653;dX*Rw&tQ%fb(i3gDg=LUlI*Iad0
z?O3|%SolilCqK#Ec*F{GeK;jTla=+IMc;a{m>fZ%G3jkaZJQ}&9$g3@-i)x5gp*OO
z`6*_@2CG?$Iz}_rpkG?W)Z_=>LyE^aw5mKR-da4@g(KGE+>)Qhs{2SvWIcN}Of))s
zwZd+_vE0?bJ^f&`fb2s}UTOX{m7Vy&*MQbcaCI8grrPUccv5X*i@1ii7_e3I-`E>z
z<l<^8#p;VhXXCg=p0lmbqRDWABT%@|ntg;A4_Z5{l82?1Nusl$n7+BIdlZ&R11`O>
zNh^)6d-TM`t2s0qKdR0ST2Px`a+8>uU%E*QvDY%J1<Iwhj#30RfzXh%)P4dHTaL&u
z4bn3r#gwYCM}IBr*3ES-u~^b(aLl6bc7mI_anrcaRG&8e8sTNef;J}`qI&hb=~`-2
zN9$S>OQa6v{<&##S(nVBIDJKyS%fD`=Xq)erW^{h)SgWK#n4%neD4KS<4cY7_eVo(
zP!rXg)<-sK#Db=^azsQUbxMs@7|YV>WC+MV1P%+hJR^PV`diqzxmA66-FaP6)X7gI
z;U=*praP{C!D$6uo0XW}4vSU~iu>|OxEy+)i_liUw3a5(d5}|JjE>@{*$d$R_Is*4
zWJm(XP0&7H{QPMDxMmdYOrKF$hKIf|S_=JSO$#BRD^4=a0UMIP^k2Vhf71A9iyHp5
zfnyA-$uC|1Mx-`uaGS$fSxa2ck%B1aQK{L!#e`%u&~+7@&Jky>moj49>lepo1QCH>
zj+W!x{_+<-U9oo>9e+dXe1i+@!G3Nt=5!bKC_%Bh>6Dk%%F%DB3=jW|!0bb4=vVx4
zY!<SAAdOSVo$wGk&&<gk@5eD1f*594L9__8B|^RDwe0%BX=){dx3OKD&w7R_7NW&x
zECC2&;MNw_>MbLq=NTdH-5k~z=gQ!fO*e(oc6?E8g9S1Gqa}_^`H%<Zv+>JNo7O_^
zZ5os;*YmK|*WB7C$U78r2BNpf81@JX)_r)Sq&aiuD~M;{-hgE)eyh!nzTd`0#X7ZY
zDldcuw|by&UXmI;&#*##5R=rKY#=Lk93yTFlxCtNk|UW0ydMP?8b?%Xl)b{`*EJ~o
zxa+r=^?W&d^tr58kZ>(q4<m;SOz5H8W9{raPhda7_e1mNvnZzpcFv|Di#EW|zu%@s
zsF&0;66LJcgzx=ixd<kvV{!hOY&`*Gj&zz$_|!f%2&Z)oobGwxN&MgR)-WiGZ7>*B
zU4A5m<BD7UdCv8zyGgWE)Mz~Gqc;l9V15j=eJ+uqlXl{WEU=F~j$_XS+$SSjdyywm
zE$La%+nY2!x~Y|5E~9E3@4T8P?oU|9<o=nH7s*g9W58G1k;x7b&`q=DK1GisPM<>t
zw46-tRCCmp3_?3qN9T%6=-tv6%7KcsDoWvNlAggifV0cuU@0|J2RL-%kfQ<*($STI
zDJg9x&*~s;rrlR7rZEUyd;C?@-#keN-C#=fI6MLxLb;%3!mOb%Xsa&{fnxuT+Z=W9
zeAND#wKTvQ8}M2Yy1;3z3FT*JGGp0YhPF6iwot+@oi3|xRW<gf0wtrxXwYBig%V_(
z<PKkTZgpv^@8XxdMM;(my+w(O>5|hJbHnS*@UVM9k^-;NqQE;XZ{X3xOc0;y^m-fB
zz2CvVeRIJfpWNwN#1pZy@=xk7Ju&Ti2m2V2<$y}Tp)1NLAFi(-ZeEgpgHeLl^8~lm
zX7(Yzauk9sx)wRmxJTcdVfJIXb%TAfNQ$H|)zU_6n`2@M5Jp7}Q`+1gY!<*9(VJe}
zEz1^16ne)aGzBDnDYAzfV6LwE^IMeva$6nyvGSXzGF3T|gl3QzEl7KzSqi2tsDX0C
z?JXb&0W=F!!xkCyn$@Bt!J4x63H!=;-9deenZwYPju`F2eI=)H;|M=$-l!+(jwQD?
z8^Mhyn_s)@;8M3z__n-Vm0Q)qd^W|dbG>MJ9k`kHIwcZ4K`;mWXe8ad&JtCjVNpZz
ztl4*=O{+H`98G2HKe8}N+(Ps*U)r2#0}a)1pn=B;Pr37R$}eu6igq=HLtuN1_G+pG
zmFUx|c4}6tT;*13<H){JY5pjC?!WI0?o-Ew_rBz;ZNS`oy4F(O4hx)^!{<A-P4%5~
zEGIP}Q~#TN{`6rWi<nyEW+Uabp^YDNpUcfgs}Vis>+LyJ%IKaD%uaqCX|1VOrzrHJ
zq_}-;MjXT7S{4l}of1Wxr;@0Fg2$lTJg(jGV{5LikRzkQt!P?J<ZI|5D(dW_l?-CB
zMe;jz_7rrpy2pwtNxdoBzuk@R`-;O%fZ+jM!f07;TTjdUfZwH|z2-L3IfHS)LJSw`
z#t#7(dzE0Mi{MY27{~am|I@BwZQtkx`s*5k5?3m*3I?Mh*9p0*A6u68oROye;#~HX
zU8=vtQF?8If>k6kF{Xc=9Zbo*q}}{w)RAL7=q@L{%wg^l?i$rpnJ26I_uSzDD^j)O
z2B*-bM`Q5wV3r=u^!LDCol-zKAyFl}yif{1Ua1)@2FvE26`6$DMb&Zo`v63Et&lq5
zg2}MkLu(UQ7)z1o@Q7OwOg#%)Kb^H5D<!H6ZvwZ7=FNte_h%cM--_Nzkq-Ov+j*p(
z2FF{#8l?~S7|!sbeKJekxw?c`AkNJN;onS6_Kzz31drdpQqW-{U=Zgu(|d=|m$_ZN
zN)uGEw9wKBn1@3D$~4v=D2gx<Uu=n%>T3d~r8O(o&VD@zDI8X9IBB?DoXczTv7lOq
zZ_AnB(bcMiLS-a7hUJTCbxP?ZND|<XUPFn_*$+2I@FV;}VtAm-r7Ouz+(bhZIdf-u
zqw`YJ1glx0ucS3HL>D`&umW#oPO9(1g4L|o$Fg~mJs^%-Yy4oN_A8GbXcn+BSAi{U
z=l6guEorPTcT9t!&C>9_*7yaD-V$clA$zShc~qfo$6er7ehi~H&|`buZ006zSAE`V
zdtGnZDq(*txy4=iE^3p+V%{as7Nu6|;kaQj>0G6OEd9%dO6<M>r%ZI^BX!@y$3up{
z_m2Pu;9-OTYn4K#qPCoyHDI4Fs7?}oNnrld`*}&PEO|1eWBUoq=v3N)XExmE1gGQ{
zyMP??_yl*7N|;Vx79nb7oizgE1Ki<<=Q5J1C#nb#54C)0D7LE<N$AGj=Prn0*$;_Y
zbDCYld&HMKi2=d-rZKF43|+AaS7XijCQ}6<lRQ?o^v_IRlr68iHwyY|kx_!i5Fy4<
zg4BreFS~Ifb<DIl2>Kf1VZDVX7jDEMIi3pRWq2@X^{P!XR+HpUYef-(#FUU%iz;Z?
zM%Sq0^Dn1%0=%or<oEAR;};WdzV^<;k+*(*aSBsP+DzP#*^SAD@r_M>T3Gn&tLtqp
zv_#*1Sea1*ayCzepf7gV!+|lm>R--86{XcRr*9_ft8M6XJ~kUyp>K+@Zk;=e=Aq{(
zFyfYZ!pX7;ltlV+h))F<O+UUfEt#r+Z)$(e796jZieEHE7a-;**~l_`Qq&hXvU9R*
zmPOkcw~r^A3<0VdP}N98O_=PD*UN9><ta;tC0W<OkWVL`z;{(981Cg(33r1v9P``@
z+IMD9JpVMH!D|>Bh`DJ9`v@8DX)5)XIO!9IxO<-0ihp8!cI3mY(YXFDr{$M7(UY$-
zt~HWJ!hsn(<A7U_WJ!@M9XE5-*wkgmo1mcJ`J_HpD%QD{^|Gem%2{JUyQ6ot@tr98
zrpAX@OOot{mTCS*O6iFizOt1WzEZY0yQCr{LgjwTsXo@AWycYrc&ZPuv5Wya-}-U<
z7VYXLB|#6<Ghmg{4E$^GGlNwyDPgWCPyxOqLKSJTexdH?1yy*8jmJ8S3~2+uFkN{$
zb+P4rIp&9XIKt7NqFMe&MLGYwjIz>Ny;9rcCCf|wiBp0>(IL{Em=Dv`ln_q?UR()Z
zET+B&FdAnjwPrf<*f0J@6g$1#t}^z2Rz$%9n;7%Cnp_;mWjfE~#S{9Pnc>$C8nb0}
zI1wTu${*^IWa9NTW{EW#6T*E%$d(6A;0JfC#$H{4Y|N^i)JJv>Zg;$D*ym}=rDcmE
zccXipL71&lxGxPTx}?_Hf081)n0|7fzNY&GYtL!6t}~DnYzL`1EQD*-Z5cj@tiZfZ
z_;8pY4p3HSuC8xA<etdNs!63xR8~gXC<pAr!yfU)xWng7j;jT3RJ&08tZ)7f*p+q>
z7I0S?up^_FF$vNi$F5Ri?zb9#7G68kiS@KG;vI2Lj!vawuFt0B9&uNKhiDnQ5@G*6
z3lfcEaMytdheLXYqq1W!BKYd7SA_MO|HpUC>K9|A$olH`?PJ!adIT)*v*70ATnkw1
z6Wocb;rN>PnNf<)`dekpn(;+H<*QbQLs3I0H{YE_vFEPQkKi(U^!1LGXW(KD5M$e}
zna-jW($=c=-TPA4(tlS?uE?Exr*oQ&$4AYgV=@IkL$?3lD-yTMieb97w!KdW$AA?U
zfH_`9&rXGxK&EMQpa2tx<d)8*`ril{G+0z2YW)7yVAQ-K@v%d5^LaDBwg=(m<CEPg
zZV%?VRqq9reeUITqHbRNx{UL3ebgxnE=7&C26rJ_Xx3GbU{;peE=_tW^^N7u=UDGH
z4;cFM(VjEb5L51xQRr5KRw%4FfHo0NCc>Yh!rY>?5(m?1YGq7~qlBzgk;GI+!mUhW
zZDEI4y+XBI;(`snxjLmdBlOIq+saU`x2s?uWmY~w*4bGZr3XT46+}>)oh38eRbt%Y
zHjQm#0|)EfQ3s8&TZKvSJAK%(S*i?k%(~&wlZOsdqs;RH92B~mGmhfzXL@6$xuP?2
zEfz2o7l>^n^$WN`d;8Y<uH05tuu&oZaru5LvWf6o;pe~Xp7-4IKE~omE3j^EoVGHn
zNyb)xXOr)nZNf`**qIV*UlP)w6(alj;bKQ<_exi;^9tY6K>rB2VTm;;^A~&cUT_mK
zLhpFLU@M2^-V7NMNrD=5?nwYv!q(I|8Cw}PJoGJHWC<s)&oS0Du{&JLN)ki?mp}|u
zKEYmgr{LAyqTh4&l2_}+gM8OgKE^~Oas@nhv=SEk#5FW8hdoTf!lOj%DcP9a_`nw-
zhz1Gbi^?G9leB4awmK!2!L~wo9pUsmGSzh4Mqi4;Ky8h=v9G6Y>&H8r%kjj?>R?QX
zI>J77@R<mspN@{amb#&D;xG^Lb+i5o?)QdK8~ZZqJcjbT->9g?w~1K~gN=*}xKb`n
zru;e!u*})KX%M=T1eJsjuV&+WuY*%?kS02mWt<T5BcGLa@ikfWn8k-^Ev0V1d#~^`
zctxvI7+Ar-kR&XvE-@<!ayxYue&ZtkfaOh{?YjJhC&QPwe<>K$OSLganl6A#XKGTs
zLtq#yQgk|h;l-$;zK4>tbJJnyWz|s&Ra|ssJqS`7{gwRLA<^TM-_Q|nW02DMcT$5M
z2s7_nw}a^7g_Z4+O)gX#?KyGrb2D&dzvzpKqZl<>ak{u(nw{{WT%u;W7Wuxx-plJP
zv{ol^V}8AF;z(H4lPEr%<WQbwp79%J2E<7|uTS{EY|5c%w285MRQQ1^{oJRZ)CqwV
zyT6N|A}s|ZuPQ6{hM(YT)A!y5O%8!(Zf3)KBra~XMraj|Dh`(YFK=u=*w^1S%&7tr
z^JEG#Slr0QG4w{xoQ8IK?r9O7R(w?)Uz3%Ek{yFOcjfXgOSld=2=zG&xc0}o21f2e
zC5jJA=1u#Z`p*;F^T(FV*4s8u@00Lq>($q@So+Rx>(R5<8v0EN5_xm5Z@TGKf>1Zp
z_RAsQb>>xRRl?MJKH-mT@md3^v}Rc$<#~ks;z(@y1)F?`2THlQ%mO@~n92BfW__CS
zSGe#MRX@;<+l1kLLm9KKquM_T8<uVm_)Nv4k!vE?E$v;}tp$h8m-F|qXf0<M1rpm%
z0m4{N>sj^n2n??!n;=TJ`x{R#0=ZX6uTq7)<!KWkz)r5fpxslx4|PoZLC!G7nck$k
zE9oxv_0&cV&k(g+`~h~_A?}bIu5jA5*O4}2hj?QhV={Izp8}imRJDx}TxJ^_d^?kA
zkvbS;d&@8NDGGH^YwSq3B<7vIa<5HOf#8<feLW2|^#Rg(tCsELp9RCw!85qSf=xdq
zjR@C&xESRr8<-}VO5yz=hacR9s@9qi*u@k$Hsd1joY;c<a0Ssakk##ekaEQOw$D^a
zOWu1wAo<Owa=^AHFLwyla@X1qH&3BDscMpBV?3zb&x#F%VFKH4wvH1bx-)JL8V%M#
zedXfB;N2CrKKDgFJOYN{+#wBb{~<_>VdRx|M7Y~D!NI~WZTopw*Z>{suE-1dDz6#4
zFZHY=I}0)xRd7nb-K*~MX$n`nbic?yB@l|y#<0JI^aql0hMJD)o<d1xcG#(Q*|Um_
z=4T5-O4ZNQ3(tlv8+ac?HapaBZu*W>i%vlg44!PeL~&9BqZHoD+R?=3d1l0?j#B%?
zYUAs1A)cSa?c=5Sd_s1E%-QpGfn@uZH6iEc!ojrj1m!V(vfaz<dv2QmYDS{;J(EC)
z^s>u{Atb)BDQ3DjgbDQP*3YOrL)mC3tSMu9RxgQT4GtCdDn4iRQMPRX`zdqz7ydix
z$Km2zlekxmbNtJtNRK+?Q+;y}(cs>RyT4H1%!4w-AC93EqOaC)v*Bk6EM3$cUkq@!
zhHZ$gN&Dc*z{}ZnUtBl_hV3wdWHL-Y=;4^7H?oh0&`Z<?;z0(Cd9IN=8k}=OpD5%W
zwnbOy_id(U9wxsOsNTT+)$lu|P<;xoFY7B{`p9V#ACu<J54SYZv%pq|f`et0bo>Fi
zbo>o2oO(LWeU9s<*uF$Iso{f&kf+~~*F@tD)!|$%==GEdms!K;9Ohi+$Rh-jFNZ@&
z*lYBtzwGm=L^TtgTjEM`C<>0?BHWf}iz5U-ZOq~K$zs|=nI5bE1zqJ66`S&iGSfSA
z7Y^kgvyX-R1u_Ur{P6;}OE~a7aEFil#W{#d{Gl2;`oo-y5@@bICS>Uqgq!@)SSrq$
ziWqTZel&UT5p7bl#}(Q55&b9WBO1*dh;>~GzjgW1c*Xy)MR)WjKPK`P1ku&EO*}IT
z#W^`k$t@7c3*Q^`AnYd|O9I5w>>{<+OPU#OI4ILZD+Jl3v*<Eu&WS^2MX!wya=iDy
zu*9&w6*EiSEr7i2*7>p6pEl2*?*_6*QuK>!)~fy~@s`=JCcs}WtX;hSxTwM)yox^D
zBhRzIU1<9EAY4c9GX|xK??sWpDD;3p=h)|xj;77J)_LsI!v@4DdSG`o+=z@!QL;#W
z>K=x`$MD9wKi+k+dMlt<d3Vk0>e&DLr5Jmy2oL_re#{-i`ji~dol*rZ)h+!6hP&Q|
z#6g@-QFr{qn}Qi2e^kXzvVzvtL@qZ@j9LpR#<lr%2W-3yfeTSk>qR=R?QVHi)*6aW
z-b7ucD|&PmAb)JFf5s)<WgGH)-M#Au^Ra6|#F^>i#~pY!Og9*@Noe-@BGLC4t(qxG
zxxCuI(kTTyrtzk^``&n{8lm-UNu6hw>$!xopS<e^w@64BOGU1Ks%iItiITF)zx0=7
zQ#fwYI@8WGC3=nO)5r2Hbz{=f=85I^y~1S1=hNbGlZ}Ud%m%@G^U^<|2#Ec49!Vb^
zY8FIsy#=$;9^!fp$KCvjaspKwhA+RFLt)DS#jg5FPr~h+CR$Bz)@KAONoGk`U$C&E
zW;{3dr<%+l!tY7ujHUV8?`4p(;pvE>761Lko+UenBjHpl^+GV=R^ICJmCQo$w&b3?
zaLaM4^_sIsRAb^&@7D+&At?iMNxVLp*AQtWz7UOAT=er}biw6aZ?o1dm+}1B8dvw~
zGUD7ufNM47A~y>o<D!;#zN_x_C~V}~SWQk2o`}-$$#mq|Tx?E`E(ueJB8djPt#lGQ
z7bmv+v;cgUYrwA5M+=->`oAj=W0oT{5mc2zv*K)e=tyX@@-{v)3*=vhJk`8sEeB<p
zIccZp%uwm>&QK9|S5>=emmPHMo#h7+PmkBEgfMv<oy|Zm>s))y&if$|l2f>_V}YTj
zl7N+Wp&paA5SB7enesv$EJ9+ap7|>k6=!JU;B?dlu7(R5hDrPI!!$y#FwML?<kZIy
zFGdzJa|X=*-=k+R7YtRO^(w3qlR|4I7WB!nV^6@G`=JbxOP2Jfuocn~Z-5st;o%|7
zED@C~u9P()iz``x;HCaMgk5()Ae`nBgHxW0=T90HX9L9D15^#Ku!9}+H+R2w+Mz|j
zo-MIX1^GLHfzJ0Io!Z^{k1u@)UI^bW=-4dJ!3^tf=-1qP-`D8@->=MnU4*A&J^3i^
zPgvK}E7I4~B^%^9c#>}5^9a|Bl@Lh=&Ju}OaSJrpb0uP67wd8&(l&;;f=X{*{wbQ;
zZei~yzsDUrb^P5kmzQoD`qXG`C$w)CCn8O|ck?CadhA5{@<*|RgjRXINwdmni=MBx
z_T2uaKx%IgrvoS9bN;$M1oErI%0?sQz~$r|PLj&!Pjq9+AliAd3oODgwJ7ZK3m%#j
zwq*yyator0%D6itIDz#VDtSwn1a+=|No3~d=YXWpw|(lFurTFPv*ZM+-G~L<)P(E|
z*$@Q7bw(k}lv(p;t)Zn*nP7}`HgZ+YuVv48En4QJc|r&b=<n9sl3Gnyji;<|A4}V}
zaH#06?mG;7Bf1kQ)T3Rh;43~+pw^%FH@jEGY;a=FvX4&Y=eD)GCX@X36}u8gHLdO2
zWL$Eo#QJ4TPUP^fe<@I<LNC2qrT-Ss9`hZIL1b)|=~u4;0RpfYFy7+5RC8pYSNs}2
za~;F!yt?bDUAoKE?rIMll7OW5c}P)i@0Q9}peU>6nRczgpBLKEi2(kUCO!BgW*-kP
zg==p1sgV^@*-?-w=3!p&X$K)WfKyLVsV6gJ+}BmBvxQ7~8@o~6qA`#6!|>=<`z#z|
zG2pj*+Q@2SJqix(@P_NY=#KF$*cAI9xOk=f;tc>|`q{^nQEz99fcN*c!V^#Ppl%9%
z3&X>%)O1yM<#nQ2{SZ-y4EIob+O@8Gk_Fgn&^(?IghOhlNAdO|tqhDFxmJT@SFLW+
zE-MnfX+eVGtSoaQ+i$Ap;6&rMy8cA=(ShQ`?$N~*{kgvd+w;FwNmd^dbeHJgYyM0^
z_`b;T#&IZKR`ZCc#Wr#Lyo{Oc?;swIS>&g}PNpf52uPaR4eBnTzaWW$p(6&30+&_I
zr!m4wQxo5zSsw|v<Fs*X(ki%_Qw(EZty5e{^XjlYi*KkiB`t9@4^$4iDJ{$?YnLlk
z8tloR2>p80G`|if0qdA2OY>;GT1UMv=_>i9tKRBNV<~a`i2H^*j$R+pY|Q5Ur_M?}
z0pH5#(jWDqeO;pl&H~+8GO_Gw?e`DPjloINE|xvnb&O-WRgtq7lhLg^iH=%6H%irr
zu)*fqJi45JwRsbY;H}OJzajw?fy6YKtbBs;pSIBkpQ&ORi`?QU^Gj=pe^bUI*QU-=
zh?Fgj6$s}V>s2=X7h`W3Tesf@4K@uo^iLYbh8Y@WW^S0%Ff-!~Gcz+Y-7qsV-!L=X
zFm9iHrTw&8?FU<yWgX4WwvMdv%p5-fj--3r$`}AqZDad`OsHHAsc$Mj+tLC{^85;Z
z$fUEvjPtPIlYuZE$xdjqeK|{5B6{Zsopob<(-g-~Rlr-9B*Q?%dKvSHks^GaKm>d7
z%zE3L8OOLWR#VfD8M@q0QX*1^PrH=yq9JBJmS2AU-yjDo(_FPE$8$(umQESGe)2dD
z@Z$ehl{JT*L&YoU{-(znP?XjRLI2Bf&SlfeJ$S;kQpY7$n8EESdb)^hjt$<ZTcy5o
zWs6SPy`-IY7KMHI0y00lJiWX1E@fGgs?*kULu`E+*#<!*m&pk<WMlN<PtUJr9Wh!h
z3sRfWHY&jx^85O&ESp3NrDl^qvh~8JY1L;3#(jTO@&x;Sg%WL$s#nfkH_fF<yA;X!
zTtTy8WK{P&arwe*c_r~g#;}yb5i!Da{-cO=?6)Q!1K?4K!lp6w)XF1OV>Q+Z>C}t_
zBm11VQYb{~qy|wr60eLn&Jkz5-rp|oMsW-EAz6SIr0*g?^>KIw?1zP`qM)rNgJ#w9
zX|o1-UP_U|PuSO_U~R^FEafJ6%cYzcFxtskJilf-6Y&!%GbuorV9L$&nq?$FKA9KI
zwoT$v?tx5v+i?gQ2Vnn}!&fgyw9f1OVj>}7flt!Rf#jgB%pbXCsr9>`0-|R!acvYX
z7hVg;PyFF`Wl5I-h4i92lzr9;LU*04eAw)%ZQSu6n(5&13gKez?CLd@;={FrYEcfN
zX70W0IX3cGHYMj$C-%(c-MjR;!c>X~+{_v4+f183jii?xr|-dnod<us!e&F$gp+Am
zlE7}q!qtug?!%gk%44}Qek2u%)F`wE-0F)*_u4?|<e|)a&K4y;9U;RODd&p{PxnHB
ztu-=<Ovj^4r+(Wc9UpaRhU9S*W$F~FT<-|xeNyYl;~DaOF-N-u_sC&znlLf$?5JUk
zGb;d?BF?#PVXE8{cIG%L3&W0#)W^bLr-#<)t=+&<B*M#GWv9)Giz0tlk=?752^=b7
zH+RDIDiJ7QxQ~5p_C3s6cIv6y6+R^Q2L=YKm4+Xq&}fItuey20tb(R)HrkS%UooDv
zg;?=7NfE0}aXS)i8lTuLFP0B8xNn<1|LD8hJDmp5is&Z(4l7Ebes+n!J2DQX2czEa
ztaclGX)}zB!P|V+1gakRqX#EKzFoY&u2%`(4Gy*f%{qy~o<mPJ7)6(@b`q_wC?RCj
zFdOJhqD{Pf;~9E9m=gRPe~g+SLw_%k<X!C`CYmX$=9l5kT!IR5eL%S)ywUXs!nT<x
ztD7j-evR7amXey{rD5al|92e3^~gikU86t}AScR&AXU;aV2)yl>QbZ}*6_!OCH^r-
z%6Zp^=?%9DIdE)C%(I^siwXsWV2o3ac_^6PM&qi~FGWAD%}x9QoT>$^N}vwEhaQ$H
zI7|(*rHX4wvcVnWIhJ;9>pVmb)=9q^O61-rfSD-9)jzgoXktgqNN!|204Sr9aFv2#
zSDrm%QFMIVd}bE$FVfqC*6UoA@RonerfN*+I?#OrI#|vKV(BhJxLvJJpHYz=Di%mP
z@wUWx+z4!cj{mcu^4p~TsQODxO<Vj^{Iz|yFW4k6pGh(NG?GI75Mn8=P)!hH(wsO*
z7%f>?ZKwn$y__7=b0yp?x9hFWd!om8C(?~5S)fuV^Uu=Pp1M_T1>fP9g5gSl+Z}#q
zB2-mvjKL>J%#kdN8i8GGhRN^LshZYY?7?GN?9#yjUrzeMp~@{i_$4CkDCHHqc{=*~
z%0ZY?dHg>mk>{uAO+KxC0&#Hk3gEyX34cwC_t!nEE-&iB`hpP4w(r@~`~CEV=12Eg
zrk8C`EFkSf!Xb`hrmy4l*M1QjrJ78!i;+Qg8Hox)N*<lYYGju5zwr-~e$mK(8~P0+
zSU<%<!jrsO_Y*d6Y^E){%aW7lM0+NVYacfwUR}0uT&~!5KPa9qMkg~4j~u4tR$j!#
zVRQ((upU!k-Ee<dL@nXocp@G?KbN%>D&Aqzq|WHQEgMTnBvi$YNb<AlC<JzK-O{{R
zOpip}I#biBkq(~glrUa&4(_==3tQ3nKaVyWy3Vs<!eLZiPKWU&ft$Q?BRmsKJ0z;%
zU2V>;H@UFy*Qf7f?_U%2oGOP=C10|5@>Wp3f3Ya83=ELBG1%@R8uI7v{jeVS>pxwt
z5YJW9%U(6I=1IF$r(Cl(Os3qtxDrl*DHoX;26G3ZoUb_>X0SG-Ns>Z5o$VLlr9li@
z-_KFGlMAo$9!iqYe0PZMu$wudB>;txrm$+HmDo52Gp=A&OuBH+J{1T>gNW+M3KM}~
zr!{wlj%C71C};N?+Ig4akVpRcS$tdb7@*Dt3W@_)`x#RGP1nY}Edo1FW*+?CQh(?;
zcr6AvtNe4JRFxk?vO!cs3KpbRG|Yvx#>gQpY9)7S-G^%F`1yI;C+t?w{*B@+^1zl(
zc8|k{P<Law7w7Tu^(2V=_i`+qp*hhqbLEUnc^B%68Cz_NIroL30&@PX-M7Vk1whn(
zxom18t`yH8pJG;HK-Yb;7_@55f2zUJtj*KYh~*mgbkUqCoYA9>m2yYo&FvrmWoet$
z%AIbYf|BPXU3wv_SDmQ3T;1TQ*A<HeP8{6%@8F0Cxx9WcaWn61B!RTfGXL;0IjYsZ
zoyovX<3x|M+lcDR+f7l8m{Pp*aH_#tAdh(8bc7>uN0GSTfAI9p6t`yW41NmTfT{G1
zU7$&!wi$OGxU>932;@Ujp>$^R#~!fe-&Wz|j{pHgCGHbw(}46{@`#^Yk~IRtwLL0j
zA8;$N6W{-(2JEz5@IwjE?ezPE>EGGBZ?2j##oAn{-^w(<;X!$0@2fj~{{)%vhgfOB
zF`Rn&Rfsp}?LqEvxnpLv)%XH5QHH*RZ_d{q#3H`1`nLOP7!}_+pnCjwYJch<Lq4}1
z8{Lb?XruPP|2@(V#b)RY#%4IM>~%s^P{Kdiy@uc)<Rn+Ap~N?QN8MNd`JOuAO}}EF
zz>mGW#cYv^7EQme06Qd+dP^yGyJhk&rPLXEE0Oob7&N_1@ruJxlKT=gc+b)q{`ofM
zq@8&J;2BC?0C4<ohc)z1#EkWP^DQ5Y5wK0=zpc_E(4Ny&DYvmjkp)ygIByqUhaG;#
zA$M-3w__yAe{OiZvyEW1V!ST+cUUkJ=L!r5(GF{R0Z`mitqH(mhh+*^tUEaWqqQQw
za10~a-r-wgb2<v+1%4@f!roAo3M_MO0pOp{1MIH7hlwn5iQ2v>r8@4*D&qzG00Dd1
z(eDuN+2|;&cd$3G)K_NjsLzkzJz_&%y^NnLq1+s|(Yv+}`A4mayc4U4wkUT_wEX2m
zw#9ErCtl6s0De1{_gzdxlpc)oG-gRi?*Buv?-1X69lTBF%jgIC2Af;<-1Ti5zI(o_
zNmYqo#r4Y$0{KaTU}E@`gIZ6EUA{-~_MpMx)gyv3<<<ZW3~>S=I&YEV+@JaCedEJ3
zgf8n0uE^Q!_l9~NS@lK_ehJG8rsY~@+!{D4rrL$&2RN61jkT~%a{Mu;Y!g<i`pU`v
zLf``UeDJ<~aI=5yfbH^+_b;9vz&*srcK>Aq2u|K`Gu;Z(5Q6wmDrs|iq`Y%7{lWTV
z-WJ7XgvQR7W_KC(A^dJ}bL9L0HXa2)?JN`5=4fi}GN9Jn=&n7U@vF~whNbP_DWbY<
zCs|*PyTi8!*NN?k0~bg$;}Npy?M3$-8AyF!@+iphRDhXxTS9cEc=sgZZE!RZs=7u;
zr?n32-JwF2?gN+{RsVC)*UogmD4wy$w5K*#A?*3iYWd1*_1XMj;sx#4PK$fye)Ycv
zqY0{h;O~vz8`NH|5I2?$N`F|f*1+8ssht+d9lPXSJIvj4Y~KzjUn|n-p5dD)I6&4e
zJnARSfDxLfFU}aAJ>-Cds5{4i51M=2?%vxrh5t5*e~;?-9!*0&CGjDc|5ZlanzGM@
zA~bG&{``NhJAQ*b1UCM_Fg(v@cB4K0f)BvM<`-Tu(I@?1W$e=PRv?mloZi==$$1Be
z>a*D7nI37S6!)e@=^f-piFcDp{fXCG*x-WLqx-!lc~1bMbMPNl#G$XC(_JDn_kcZp
zSnmKp^6u{dj@qA$NxdkF?-;!k4GtmtWLh&JtDenK);f3tNQgubSw{b7Es8-r*uI%i
zzL8L$YVhx-5kGSg^1uEAz0D2(Z^7Tp&dvX&nRxPHJL1^>eTLh?ALzijO6(0J+333g
zk=<yM-Ly#Wa75nxA4I@^ys3%1Y|#I6|3V@!QLv<UU`3xf2N==T_=G2~{=jrd{C`3~
z?T*=Pk=bcs-+Qk_jQzvw%^hPzvewy*lAK~+f-(p<egEBc>({@B3hCP2aoTB@3>KR6
zkXU#Dsc``&XpXnr$6qqVj#t>Sdwi0?E$lgz@21CMo+5|N_#;B~9_B=&LLn2v=&=S_
zQxi59okGqzQ!^LdZVMjUG{=Dj;FuC{OSR)?it2QaOEQ=va=O-v8}LSRY-htebL8fl
zGX-{VXWV%**#Aq!J$Xa!@gFH?BEtV&W(@ZKCmwIJ<Mb?4!~W&Cv^ugD^$Vn%zuG-!
zLt#+FZwaAEq<#WQGD<RNNBch2;u$tng0VZ6&9^zGo?`_ZKVTNdX9r@%hIMm3{fuSP
zi1F|F3S;c##h;LR4D8bywPYO^ul<d*7j@F``skOkgn~#bkIanXAvpKwzxmEdiWo;)
zzwm!!Y#?TdwyhWTrB>%V8%jS#06TtewEe-~VdhqUTMAvDhs29`I7!`m7nIIk%i1-k
zyQK0Y+`}T-2s_!VGyms%myx4$3HtC*n`_{zX@b=(5c2mu6X-mvo2r>@v#u|{vNwFM
zI(zHK3(O|nB)th()C;4FIM)Vh0UPMoTiRs8I<eEJkg%870UL)K#DmTG0Ai1qMzngH
zf@pE$b6g}n|Ir`XV`$&CLS~Qb?i7558A4YZ2d+0*e2!uIBbOJHz45*fj{};8KD~R5
z$%rUNH1lJZw6PXQlwvfV2XPXkTTKA%jX>4q`ku<CT4^6pFNT%pm)rZ48Q){j>wd^y
zvuv*&<6A7D<AL>6_vl>Yqx?U@!|Nn?kL!U??jua3=g`Ozo6#JpG)Z6lhJSJF18avK
z9ji{g^=nT-@j^Z5%HtmMit!zmi>nl-9W|dv-#$M9c`6grhU*?Psq+<*mH+4G2ZVG#
z(A75h2AvR%JlWo|yn(F+<op0@$=J^Vm@J*$WQM){Pm{}$XtpZnz!o+$D2j#Sx?>#c
zZywNmW5jDtz1!@ap~MSMUu-)WI?UCy(6xfdzq9+{UOkKqCTgf^c&>vJVJx?H@`K)>
zVq0D%aNWxzJ*q`JDWsT5Rm}YI*)K4pyx%EzmuC)jKBr-p5dLD{k01f(8=k=`j~~{;
zLHoBM(RYJYasEI;(p4Ko(6?1sIM>LNb_KMHYD5tHDkYpN%RtS6%*nrgBTB<z)WU3y
zupQbx(epzi%0S!yiSfTJ{nqcUeg?3Adwu2EW7td{bH1YZM}5+I@Y1eyQrw2?RD{>i
zt-=;(?@)n#81gu-@|uO@_kFg-L#9m=6fZSRjF(IM-H=b-I{#E2{e1Os<%@hB>Ru6l
z&KKoHX!h9iP{!}|TGg=xs2lNYFv&~6sk212lpk|zosbxA1Ua*sKrye_j=98bHs9E$
zwyju?zPDZxFM*h&F&|kSeQ@?5bt+u%c`yipB}F_;wiHD<3<oUX?s^Fwy?hagT|!CM
zhfX}WQO%4O&G1rGMSC6L6&(~K@QvV{nm`wTM-UX^DlQTk77zG_=4&ejP5*NtBy6S%
zgDMWM%R#+chMn3CC)yO_a6tU^-EjfV&X<2vdv*1*LN0Xh5-{%6dF_TYML93Dyy3n6
ziFE%`&f@9&Hm@v3|B23f4;f8Qfug%?csIE+NAhG=m$?3yeS?0hZ?mZ}5u)n)>}GNw
z_Rib*=uiE<2Xiw{o}O1<3M4$WF{G8GT;RT<bu^;#x;C0Y;e@5FvXyaQe?4@}i+!cq
zb%f<{sQ630QfqaWoQ?S<9MEEY@m0d9Q+lal*UK0}pKLsQz4)+TmcaqL-9S^#5r!!{
zxJhP+SZjS`_)Gv>lU&m-@Xlnspg0au+j>ZCE0Jg^xE*c14D|FnoT5NXjJ2Q<PwRzH
zZ(+U0eWJmY{nF{!y+NS`@}1CA&7rP*rtaQ#FZ)s<z6;N@*-CDV`3^Vru}fQH?n9%C
z>;TcT`Ejp#{*ldr>PBasZDnB-#D~DMU&~=aL6hwS4H_!<W^eaK;s1!y8`*v#7WU#f
z8FhoaY=wD2U$%bE(v__<@W{r3#&aRdn3iN|*EHwyh!t!jN2fI!!ulj)N}{9BZ$Ly(
zO&~5x=Ck+dP`7CWEmgS6b^Ornsrh&nXnwO1=#hrdJxNb>8`UMi^Hee_Ol(u8bnARa
zEYjg&jJSF@VCJgv5a1tU8Sxjmf=b=5InIDq0sG=WzEg;h?4shEtup8Z|B_0(LLs(n
z(#36eW0$NM?QIzZy9*Qq%hbu{oO;fA-?IN8BEdPVnE2^6F3C@Y^Ci3VUlWZpP3U@I
zwJltX+x9Y_X&43Awp!ap{S>{~FCV-HYlqWjbAZ`&Xg(Ta%t3W9#P&pd#p<Td6gk1V
z@k``!wtk&-ROt=la{xTA-*+73BcZ&3<dQ?ign)*`TmCn%fh2Lz-z&&UOwFq~hi$c&
z8H4QJWefe3-~X5Q<D6`DA*+)aay)yBxd~l3@0NW#bB7{nhqcVZlhLC)r@2PYV+!yb
zvCqEW6pYGVj&!NDBpEtQelu@3rtk_|Vw+BQqi{suPtKlNV>I};h31~7W4+eGrRclD
z-w-}jNiHpTEDWv8-9Z-!%3TKw(Vbh#@GK{o8XlpxnRp$ftP5Uj4$PBlh5fFFte6sC
z3h-~#wtv%AjmZkzpe6bmS{S^plu@=-wCJ|pZ%T8#o{&T$2RQP;iudU6>Tg1qm!leQ
zNS^~U@cu|sP}lKGX(pBG1L=!t<ky2D%KIG4X{xMCX&4yEE$ry&VkLb>1dZ`+&K7wc
zZU#k^`qHAXABm?3p4;A<B%0U}(O2_iKfD6B=+OV`{Dm0-qx;xs6s~&?PNZmatto{Y
z!_}M)g5F6F*Y<+(APeg3!Jl{oNgL_2G2PvB?zHMnKqYEbWC%9xtZ^)oWVT6E#-aG`
z5V*DMqkJ~!y6G=CP~!5rj9G1t(6}w;)JzOPub~qqZ;DvMcr>Le|G`Cp=*iybZy<nx
z8RJbwZhw*=%?)v^3ixin@m-xWEvil^HVz$@CGuycY`pPu^@AW_iMEO#eByQu@DAuf
z@-+ChzdRf7>v3sdkn}T0_^Z`#usbU3sYrSjG%fxcudCk{mD3Wx*p3zErHCFiGR;+i
zo}p$FJD5`*kiAteXId+lZ-uWP^ty{I{Wj;;@SE($Q{WyJNs(OT)(UbQE_Br%qDEyK
zeDmacfAz14fKozWZFwH?Zv7k?Y|S<0XabElkp$Dcu^iJg&FA1K;`26D6XHc81yzuE
z0zJ)SI;4%*v=@)^AP731!iH<+B<{L!+wSOjw{cHs?ErUlS<OcG8Tl`PkjUk{6m$|%
zoVjp30#ZkZnl;o<uwDELHK`oOC*Sl)ymLki9pt4AcpGuaEE^hu{-ltSYInp9+$#mJ
zd=Ax(OV-o4T3>+cw3>05!YAJ$uapuok7(Ilw*0T>d!DV^(+o??pUAgk-{iLU6yo?W
z`E6+_)kqO(wYIC=hsl9BO!N)Msmu{g^}v|mE64dc?-t2b4OG--&9oB+*0?rSzg!|+
z9;Uix*W1C~-a$F_ZKs(fb$zE9zLh+nl{h*umu6U8Vg!A(8oT@wH1GHjKM_;GZl|W}
zad5X^K~H-CpPv7k0Q0)xFlqE=nGj_mQ^j4JrCM6_HLyN6xyOOE0_=h2ev#5sxF;kA
z@bU@>ZCR-b6NaDLo!T$!QpC!VSy=Kxnv6B5C_UILH}!bE{k^%G=2wt)V^kV5iK(#}
zK;f+`p-Uy+ESCworN$$9F&!p9U^_Q<RzS2Oul((&{bM`)-ISi<E3@sqtEK0dVO{Ut
z4gRne5v)E_jRjg8JST3ZB3Gcu!1E&U!Np&wrmB9}Lpc2A!Mxv&n4LkPQe_1=!V!nx
z<*&<*s*nAtb+Hk4&>nUAF!*iMiTzIraXmW`4TlAo`u<}k56Ot2V>t14j^MC-_o}<_
zqw{ms&N}$iappDQVP3_8Wvx+kEA+?7T>puK^mM*8Z~b~1rf_@;Sv+~0(23)J@eZO}
z(k!ZQ|K@b(pVhF<J)dYMe>y(R&M|v}NB|(as^C-U>;~L1jlp^s#qjx+2R9{3p{dC|
zasLF}<QL#(paf+~ywGq2#z8c}L3He0$QW+;pYo!$-l_+0+BQ#DH(EW>1&@5a%dmqA
zy%dGFo|;YObDc!oGz+f>%8c|+$yhIT?>@z^zBXCg522|mg6Y|Vl0qwqjYr)+CC3Fe
z1O)Y|5vp22fgT)lprep&t?@8%%CZ>{Z6YYsMuX9$JvX}Z+_jlx05?}ruyGLg*ZSc2
zwLn7|UsJ1l{cg^{z_9{3n({FUN^I=EE!twsRr!((0Q%DNadLwBowE?fxeJn%%ZpA}
zn_j(YOIC8mG1qeHoI#xX9<If1|NT%=CXC_6D^5s_5!o5M-tq~0;~Cj21o8Mjj4!Gv
zT-W*r$GNOHKUq&Bh7Y*{m@~GO^%?hcnzEEe|3nr#;_&y~AV(SbAivJ}%;s>m7(Dnw
z4O*q&1{>kDaAv%XCH?eF49;_HK&zm|rLzc%J6)P*Gz#YJ&b41tu}oe!U36B>@*U{9
zK6tUSm{cnz?r>l_Vu-d_M;?1ti`-VD88rds`uB3WA~EjAcNukeFl*P<1Nq1LctqE+
zgn!TTSIDrgTx!?*M6XvRA5t_Nl~IOVc^|4*Fw_pd9F?!bd9}hYWXxc&<KtrUaxk5j
zg?MsU0NyP@?-|d2KCXH{GkYuzb~EJ0l<ZTdSQ;KrO2*=xMr`kLZg9(@Pxz0Hyj_&q
zvN>_e=TPJ1;$Ej2Y7}&^6i8}Ql}5jhSC~>;7~Bm<3>JqN;e?GzsZ$*|LI?gcwNDTr
z`Z~u0D6Src@xJ7%^BvJnRsxf6;e~rLM!(~X1`LqdvQOCP>L!v81czD;RsKt1qrhn5
zV$^;cQeU)BkCP*=I1?|c%Z5x|DYmv-(x5Yq=KA)qLi=E`BXewCh3mum?;APm0*5yP
zy}VbJB#^@U^4D@uE%e;v5zHFf;PgQ-drb`sU-ap*R+wa6ol71$W$RK}iqJ@UU4p?w
zx0oD@=qmo*e3uN82Rwmfe^Lrm`D0I%eNk<8)l5s+<X2u~?{V4S1!F<l?Aov?fDoKJ
zXZ{OJM{q3q?x|SD@GWPs5R}rS+I$avP4kFN3d5Xp=qO=gG^4Db8sQ%1WUXs2=}KCq
zeO+wi>96e2S%)0-45CVX2ehIk`DcGcsRe%Vz5B1Jss+8XB(`J^-G_b5Vj`6S3X_Rl
zndz#Lx1kiwb%^hXFl|ScUpX3p-9)ty5R_IFYj8W)MeN@g7j6yc#VzX^Hy0|+dq@a!
zmxA@@-9<!)02a3cXYCPyF_sxc0;dRAk00~y8W%VilrX`#Th<xzb9WfLERl3bev0Xs
z2U>mB-YfB>Pu=%Qot;kT7sEW`>GtYw$9_azo~KuvsW~RnF_@mq7<5=8(&b@PvE}dw
zUVeC7q+VfizY-2f_B4G|e1~*I$5RATig=LSQP+8$`>eV7y!sUR!Y!VfaG{r!`Fs{^
zfJ9AG=JN>ZcB}T@Ml`_NiWekx#-f+S#e)MC8`p&pq)g6~O6Px}S<#v$;gXX!TBbmY
zI*vIsjG+96gmS%SNfia9M~hLT3gGzxuCmu4H^=V%S(bFy_>qb(eE4`SmSe_Nw^1M(
zR1xn%IR;k><da*2e4MpO=ZG%DW(!$ju<+MNo4wpo<+?rh#)#!MCA<UbaZod9LaEDu
zr5+jc3eb_c{nc&?zO5#OPJ{X1>yPFtY=eFgofrHkYk?Ez`gT8Zl&wl|%!mlT_5-mk
zi2bfEga`RLFVHK~9ciSAs$9B=rrA+-?@G?CYod3rGz3f|OS>?2JEue_LpfCvQV$12
zD%y4PFfWXKkD=6Tm13k@xva})sb2#9Egt>imY2Oj$q8@!jA;DJrO7eeQ$P0^S~pL|
zo0v<Ov<b_b37PZfsOY!TJkrKlzaZ8(G^tz-H2(e>W~c0Uj#0-egX!X3D&d%Mdj^za
zk{d3#T!!Z?zZr{nSnq8AnRNUkoGQZJhPznM&24*!T&1dp(Gg%aBKFle_oGO5tg^Ab
zXCSVY_gX9qHuL6#{X`eU317p`*sdXoMy)gK#QevB_@~@x;0cNB#xCv##CO`)@Q<&2
z^4Q)b*nbtQH(~1zu%5~DIh;L_ZefkvE@=;aEwAt=Y4eQyrD*Psx{^9eTj8=6Sa`f(
zK%YBux#eDhq5oW`r~t?>KT;lSRRQpCRbHA)(l8W^?-dGjZBNJz>}wM1l!wvA7QvEl
zlFb%Jnf;C;3i{$Q$T6BSy6&P(7CRQ+TxgI)OK7nQbTxm|dtUyTf-)z;wX?sGY;X?j
zD7!PC8{XwZUNc&vlQZ0u4gGGdv$}4n_PC0*)-2_;wgex9RX@yf4-PwZ5@V#x^q7#b
zt6L!c=vKx;8d~|;&UhxNO-e0yc+|Y*&xsWjZu->goh-fEG;y#HypcV&u!`}Yq-YCa
z_p-)$PG<Y0k5xyPZ-*6I6rHt%<xf7`Jy6a*4-TK`nCV7%O&M)>d<E|3g>W!mM6AEv
z;MIcQK7XFb+e>g!Gi&||)ZmrzxJu*Sl6Oi(K+_(mx_j`>z|YG!(egyF$ZVQ8nrlyp
z$tyS80YV6bCT)jwvSf|uuPmxNPrUv3CJUhS2@V!bhKy#I!-U1HwYrOhTiwbV#rrQA
z;hMZz;}5bz2}Ly-Rvnr9kDM*xbDMD|RxkKQL~yjvir|}V`f7*=I3$;j;qzdN3klJQ
zuip2Aksa~p+Ze8)0DN6%85$uLdyvM1;5v2qP*5?p0lb(fdB24_ai_R3t?d~K76;)O
z(SLN5{y9lTV5sIy=UQa}u$0Tldw%_cy4@HWC>(ZDz>D$w{#Y1J+GbV{!Q8bweYY-i
z?0bU3E;aA8g^9Z+GD9&?U7O2>pg2%g{C$#46xOUOVBVvkBHvvOjpo>GozSaJ`+RmB
z$Y3)ABI-DJ97+vIiZi8S#*K~<zpC71`J9&tcvpeUU4h8fyOK+qQNrazdir~fZ`f>M
zSm8P?y4{_k(c$n&m}7e5>?ob#k!JT_FA|249LejL^Ucc^akN|{Lhd8q^R2`-sJOWw
zOGbMHG8TUwh3^o?Z0ww#%TCa#?7FP_0Gw<sVKw7T(2n$YDCosN*$#8gL2{S*iq!Z(
zr3vqiph|a9wNkUQ*%$QbDRi(){Lwl#A@a(iN#qvpEt}+b^x4~q55w&Mp}H72YrK@E
zS%ki^w00eS_5%7;c7IJ&*ehMp(-}*l9K4HTdm(U^`~35K5bTb*2FEdUdGL9di~dik
ztB@Ju`YuvWf5U~6tNj`Nn}I3}>;|t-Jo}uBd8fpaKqQqh_j_yCk?Yy0lZ)#eMYQim
zzb+`h5jJpkcL38}LRc2DlN14K-|=sY1EeW*jr7O}oMv5Mf&;Umd=)x-p`GQtbUf>O
zsc2I}78fa*8FJ&tw@)7Pz`*;FQ*t7RHhHO9@Xt;t@K^C5#m5K?o^tY9TEgP6s5R9f
zdvz&)$dut%&qX8ti1i;X(@1F&1xR1$fez{%D7-s2hbf9_B+l3#FwG}yR<26$e-dFC
zWb|zH#c_WMh%zA#H5eYhg_a>FpsUt?Kd+C*j?z}MCj;(4rGApCn{nV1P9<5}f(7%8
zc&*eq{|Uq98aNhv%1PtLhqFwy#lWLIgzZjF1*+wL^b1+2w3@ao`_946HdklsY-s$<
zznOGgpf@s)ca!6AWqO1txqdcr%%hvEB_Zan84U~uR2}s@*9fy-^XiPb#wH;O)2=2^
zkX15zBR&M?V<r5=&}U7ogyAktIBzHQ)h{yRC4?Iqo*i@5|Gjs;Ji3&u)P%cOST$hk
zwA{V#q|wzxh|!K>Zdc>ANTd4{rW8W^4LM(KCO@$in;OMwPrMuJ%H#l_PEVPpcui^8
zETcHV-3NFxvVfy42mWFhvO@ml&~y}D3G7zuYSy(7!J4tCeGTca@L73@^)YSfPr_yZ
z<hy=c&G3e-|46i59Cl31&yDky^0shayy*$;lA>1o2$*X#td*TlK2ttm8Ed#eMG=^=
zv&usoj4EaVyO4!n9#h9HqpJN898Jf@95PW0L!{^r8QmFnJl7C|2T~C^x4cC~s0B~`
zt(0w7K0RNcelmvchA_Pcb`W{r$gQ0>+6k9!o9(@1YR`9p1YX82yG~OwJ+=<cYqLK|
z-X+ck_g%g>0q7V1)3%YfJR3wz>+KEd&4;`HP8479a-<pg;sf?8D$_0fp3DDy5v+jc
zU1Q*cVL_i>d149p#>O-@!NSnzXP!}(^p2HvYOc7V+S)x^j3B-s?=Jw;!hgQFyml-t
z0okr{^eQWj6;`6_f@ztp*##10m}^?!`vmtq4}m`%v}sNA);j7zc7xV7KyvT2`tBh6
z;gjpF6SjSpv=;gzyKLS->`ClQZLL)vTaSDHr`+S#Ip3`}qUYW>WEfjSLecdv_wS!?
zvFq3T2w(8rWq7Y(Wn+|GM9Lo;sV6<$@6)NgPE}}m;mhr__S`4wd+ld~-AY$~e*{Qk
zcIm9AU*92d8y%ju)z?!4N=p+~)uI$!p-IDKC7J-)!-VS=zdf>p`Ch7)n<h?~1TP8f
z>^gLm>BTw<Ol$Oh#;Sj>wU%=rt*#u_o6qV~x#n=xlBbX88a(?Q-A(2Ro+ZdLvkW-1
zvg;Hnj<fonVKq0VP0G{QOnB~Q`Kn#W)6lFp;igf|r#JS6ebl0#_(C7K7o~@Fv)O0!
z-x~qhvu&v@8fK_eBt@bo()4ONZylOX@`L5vDv=glvGb?Kx(VB!t>v9%_BG&S581h)
z9^rBElP2nt7#n1naP2JWXdU|dKhq4}->R&yTN%8zMSJIXCn4LwL1BJfJB%tC6OjG5
zr4^8RomG*Ub8*Sk#x4+I>1?(v@B2Y!51g@n63WDZAaI$vYo*NJpET70>79=n!)r}=
zExz-l>)JQU-Y*7$WWhi-i^Qi~p<p>cWuur-eW+k51#iTU>HrN1XG5z)X~FQ3YTdc|
zq<_eV^V3nUP{ps7D=w|mtfE9>q!LS&!`8rNP4F?{ig%zJsYk2cF4JMV#7cy1^ZdM!
z)c+=g4ptLzeH@I;NQcwKjDq{x^2r`3y=7^A>HFov92}5ZnSFNU!e`0!0{#(<pY6S<
z?ZRETC1LeiIhEa|o6=kKm3@7$@ItTKm3>qxW|X|-lw=*dib?qxQE4uKMZ>wD`tm<_
z{vMX*KX1M@U#%oUdS&9nal+GjfAaKBo9M9847w$i5l2vtCX@|qPr>>FtH2bL9r=vZ
zZ-QOTyG`vU?fmQ6;|Oa%w3+1k{*wsu+V<Ugui3=NlV^k3#2uWBg^yPHn<(VHi6{sp
zf#3{yhv$Dk1mp@VQ4u=KJ?$rcWZ+8q$sKT|L~v((!<*rj#|_4&Sc=QmNz?fWEwn?n
zLS-IJ)OQzW2+Ej0kQ}K{+x>xP(yETk-?6&@WA-|lPE~ClWAjbb;rAN$q%%?m*W@L8
zWL2w*0=uBo@jedB!^9L9Y|<|`=<z}WyLGA_Wdr(-1X3=uJZ4P#L5$o7O;DGXKDYlx
z-+j__^+J1Yr>C@0)k?~e1;tgDTl*$9;nrF(_~Kvknz+F^pj@@Jlg=1qxAdMWPCn{M
z4-1v(rc~f%%W=1VQe;eLQz=SEuSK8YYJQtDq<N`&LPi}L<Dzoc$@>mwDPU9~KSp=>
zcLAY{ww|qxe_!y?l!3ly#h$M0!9DWj9_f#C@{Z>HX`aI0=@&y8Ink%;V`+rDpE+vM
zBXh``K0}x48zP{HuluAH<}#aKI1-?CLwx$lSGt%Ki{weIbqWlL2?6gjf}jY^OQYD|
z(s0N5YlDn@V&?Vr%Pibvd*-P1_;vNud**Wy4ow=Nud^V<&aCv)A5iV4%!d~nI+#Iy
zfg#U-*#(lA@Xs#yPPh{Q9J2+%sTUf$ScYD_bk@zwkVq<tzwTl$&&&%Xh0cD2vNWcZ
ztjVsja2yNqMV=Uws?HKiVePt;006QU=Lto!_yUofERnfGN!7ArvxY!<F(4C<_J4`J
zyN~{|pG+srzK<aqS8!t|`OPMtHPLf|rmm-TYo!a?0T@POn%L$(7jw;5QKSaA_O_$@
z?H=*FHn^#P#^t2zb;$NK*TRKkqIDMDCNnBQ_aK*=-0#`0am8NbwEAJit(<8EZS=Ss
zADY_uvM`KGGv9SjqQ9HH+^g8>K<l+y>?dbBfj{yUzr4+8;w5(t32S1;Hdsy$Mw+i}
zY9JtKF<+-$WLeB=Tic`|tJ4A`g9@_H&3Yjk{aB$U3p{(RRq>e+f(p{l+O9ohigvEE
z<b9snbZm9sH?KddJme%?f0cy3XgRplawzE!?05do$~{V)W2nA-VPxqHa;Q_x=H8sp
zHn5#?Om*0clU4?A%^i6pyAq*!?s((0qrMO6VJ3-oro}p_&3FC+&0G`>G1-uvh``yH
z{swC1Krg9TkfD=pm7cEsS;m;-1|ixU#mSV`3vmU8**HvP3`r1LSUd%zJzjRacV!CH
zDiJ1)RWIrOOlFIB?WlhI$<J4mmVuwUzHZB5an<_JyNQ6R_4HPlrqGZ(*Xh+`=JGw)
z#K__S7#S?p!Crya=*c|)2WTy{LuE%0LpJQ@YD~ESS<=e4Q0RLASse(i-lq{`y$tpD
zWM^(4XtQw263n+$AlET<9q=SI{LT|jm_mNtf(X^s4}k3s4d%VUr#$eN*q8Cxsh@=5
z9R<V>FCjZ9Jt&#a`)FbOC+J>3p8D0ix(=_-dEqEVva+M_{5DFm{qxCl&mopW?~C^V
znnc6`xmWLsvIq&4gfWQ|mNlyOSL#l4O|zCkqi+FMbBc#P2*PCnIWpDN(4)oCoIXO4
z3y~HtRJd^dRrRvk(b=|>U!Si_Xs%?bTH+Y$=;(XD@JObf(~KuY$=t1fA!MQQh-b&D
zPG4@2t0or;hnsj~TJXNbul&&Ba*LP(F<SAt{=59GfFTf8YFRhI%kMt-KYdg_kD6&p
zqaB>V@WGxB(u-5euMEt3z9L}7p)^_biFVD4vkF>^W?xgQGZuZRNJI4*bGDCzLC}oH
z00x`D@7r)be0{rI(G41H)&16`;^YVURvv9#aM!c^Bm>F0sVgc`bL8R*+p1o_i=vkl
z-a@g5vl4z|yL7I3OtEc*W;7E0R*!q`Ck^z{*?p{mYQ~u}!8>`;m()mg!&QlIV5=$_
zL5p<z#>a|Y$Ftp+T9sS7p`|TDFkzdq!EQn@40(wIU!<?JdjSOQ&%qE@8m>m^kpN5e
z2xwq6KEmtZ+ckkT3vf)k$;R{_uMr0ALItc=OSNR-ewi4RrDOk@zS^K!&M7V|)FZgE
zj&ggwqgCYdeF`-%Np)2W=KKPSF16)@hx<k2lF~g}uKzFRJ@E<T<%SkKeP&z68m%Rk
z9%AK9|AP9WydLW9USgU{pNAb0jQU_aX=E;5%Gcga@qX@G*5Cb5U<ko;mf39%+R}yS
zZBC5p9v=bg)<XXtA3c)Ns*vipDCqKP4&)vg5v#7r(%fR&gZ3$orgjv+e;H|8Qj>2e
zHAgTSoNx$))@P}XP#ga0f<=r<gj0^WduoweNopBsgsb=$^XS`etXofg&}0A6v5f>Y
zU?-vd(iGggSrh95LCzpZFLMHKWF5?@Iq6?fUXkDeG3bBDZG6SHAsa)kk8F*AJLkEd
zTiQ_WpR0TECAY@LzO3qVr?TzFkcjOK;+_cz_3lKoe2AT?E_}+~NUlbT&;$m>_d-YO
z9=w$a_`+Lf9*bKQN`PtU8w&g83hr)ZM^Ur+|KfE5AuIqv<XZRGgkH7%7OD4At&Ij|
z6NL|4R&eVF$zc!HA6|xhnl%WeRLcvS&&-3%0L-(O@U2K5%uK#-JSg!(-IMV49H$~x
zNPnhB`~k51Ce%ATo3K$UDPdLg!E=onYQkkV>X&wTaibK#*e>mOs;aUm!4Xr|?Dq~M
zuAwZFuH^dA6Z&HvQBP`aDITg#FMEXY`YtCIJO*B6Az#vlo8CWNITTe!r@kW4$HqB$
zJdKYv2OWKnxyfA|BPg{y-Kdu4ck17!9IgsXJOZ^+BX^F(nSMq1Q~iW1QZ>ftD`@^Z
zZe-P-ry){Y9ghgYuQ@NBZB_l?n^lAlMez|BY+eLvAqt;M|IQ2>vR>9LgQ1LAN!GA-
zE2W|1me1k%?qg3{|1wpLUQ5l@>~Xt_DQ4M_13wWTA}M!&h_u>R&$;=zYBa+i$wSW0
zo8a;+-hlj6=gtG~6>sj|)Bt7KdWcCuy{V!UA%osP7RP-bV0cz_@LZ$hy1|Egr~V3i
z_ZZa%N@&3&^jh?M(6fH&Gl8$)9Vr0WG_>#v-v_`uXRHF2!y7N96k8@;14IZsD$4Gh
zpMP1F0F%XbBU5I09j*l{i{+33kSzkA2Z<*KD1|@&Jb$5B-9*A@Rc*v9oi(?xX2wD&
z{x>8ib=p^}s1UtOQSp!oubZDNEF$1EB732aN7eb%pPA#0Mj}FFpu!L(AoZGp`I-WG
zk`#eplN^Si8v&u(fUTIwsgyJnoFU3Ga@RV$igv5Qxiy!*vdVg==45p-7|uf^+oHMX
znEVHW*I|X5w|GW-9#dwVJN9|Is<CKiw&Cht)n$_j<?{5GC!A*KL6I@42^)y12OYz*
zm~>FD)P-CCngSdTU0-X6Z2t3&_GXp%T%q0dSlD<|YR^3^_tT~Qigy@-Y_R1<AOvIN
z`;*;+UL)bp_8hUmuR>x*y4hgpo_7LbMnMc6E_lS(W2m0Izs}Ums2_>K29_xF);o+x
zm%cp&{Os?#@xR{(m&=X0v$NJCwiP08wm1<wN8}w~e!u%}QL!$F473%0H<u+rW({5N
z)?UPPut(a~rc797{GHH^sU2ZM#*WN!X+;rm9Hc>`N8KQ?fBt^oPW~=1>Y{HO_S++C
zO$m)^`1cn_y%}XWAE@8nRN^mt>PY$&x&L~Ky(Z5<2NUu|R3BJDgw8bO{Fq(JBSQ=o
zUUgbF*fiPIie)nw3J!lL?KAG@T2N&ZvPDmnxbY8iCyOzM1Ot*1F>KN5HY6WniFOX-
z@Hg458kZpz^~D+oka)n59w3uC%_(*g3bq+z3N@7<j|S;fmpHoCN`#tA=|{OspX3H6
z?Ta(BUcL%-jl~L>Ik*8>tZL?%Hh)}ut#N`vIOo~et<s{*vwkYu3S^2kljQ5lY(?z!
z$BBdGa6rQ|63y7f4{g<CUZvbAOI&}{fFcDdlsWp%f3N<;PucRF7UwiCM9tv@Wk)!=
zAlEwd6*K9yEFb+><?_$^Vi1=|G8@46jlx+3uJV*DZJ<ijP7&M#-IU*mqy=0zb*K7`
z=Q4&t6I|8U1HZeCe=^molfEUG$8qjx;sxoNI)My;jh80fXN2K9GduP%+14<%%)40S
z;}p)zs6-V;wrUVSC6d&vF86mY5U|+9lqVyJ7bSULzo2U#OZ<>*xuNu1(cQqkVlTI@
zoJ!z~@o$|);?s#JA|&#ojS6yr>^<tAh$Dlo3t-}EC}h&P^d}{D&L3|#=P>YP<cnOB
z<Dp&1J_|p1LygC`UlhK}n3z=SJ!4C#go2d+s_E=LV~199O&p3Rke0P=9{Pd&B)N*Z
zv|&ys;iDU)XlTUT<|e<1Ij(IJ^NWeHeb}fum2GQYl2t=4)FuCqewo0rR?D#dv?$Ui
ze<^?+<Rv6!7f<vD`m+1KS0bYg>oFMXD-9&?7_0t}GWrAz>ugl)nVtY&>i`E0OfP4(
zi-Cs+7m$+g>)}V3M@17aPIkroaE@S}nbE&|ggX!jbm^NoXSZT`=__ZsU;l7kyAda8
z-Rk)9YJ{hZl^KB-8p3`MHM|j$pC2vuGqm-0jEKNatRt?iC_V&(5V=B`${&#aChp`<
z_#{R+2a#tC|05>X^Z1zXojy{DSuqf3<4766_kCudZ%P2V`}wbTr23W24A`KTl6Qub
z^E#(gO|4za4x=QEnLdWz5nTjZ2Bkst^|40oATd9}NB8Q2tu0;NuFlG4a?7a0)M$kZ
zLAg(d_$Z4uh4*mG+It`b$sv7DgO3Q^6Z&Lg4qI3}21-Cna%9PYpN7r3t-WPC)P>fO
z9p?B!4mInBVj`ebcg^<hZ7ndLEoV-&Mj4CXO43EB-2EhFYwSKJr~j1!08}A}MYdf=
zN8{Pt)mTMq0$#7IdY1?eo^N2vtuY6V?Ukw4<en<T9^n@$WaRk+{M|N()6?}M8Ft7H
zXbj`aaobB0c6+jJbfvJ6tI0Y_0>nF^$Nd}Nd%ohJlg+)&5F(a8!4I+3y4r7-(e6g&
z%3g+y?G>(X`9CFrGc8-^RjoTx>^mQ^{{LbFNpm2!<DM?939Vt<C#?lEd6G{JYako*
zBL`*w=Gun2y@D_LPU_6a{+!g9HmOC*@mPz#0rJ^lCc}Z*pC>yMa@6e$IMkSTV(HQg
z8KNR1F=bj8FJnp`-4h6%<PR&pNFNlF7^z<N<nEE$Sz3L8c$#a0kvz>+9>+oIA^2;-
z@$Q!1W)6Qt-G&t%cp8amYj0r#+Xv0Z2re?lU>w`(3XRp$viarQUq^?lS8QaBy|tql
zoNU`G+_1Is$%po=OON}7i<54k3dM*XQ;NBeKk&CgQz|1GqovGG=~ZapVlvb^eK5@&
zL%2|yeL9tG!yim6YYR#%NKw1IuR>@UP6e864(9jWt`0bH=C<`<KcRQZH#c%j*36x0
zEd@=c1-HF%w525N6#LB5<+)85B&Tsj*A+u<Q;ofgenz=pjHQ%VCo-u8YeEALR-T|>
znBzNJn3Lt@&^Lz!U1zr&g$QJV_{Q|)$n1V#bz-`;z_`|pv{PO>KDkr#CjohwMd~kF
zRj<+r!jO-2PAX*i6W}EbPuHIe9U@l@Y&hK96S$b=1A8NLAsH8Se9IY!><5Grst%Hg
z6aG=#N>L_IE4}gIO&A&9z$7;EBI1;tQK&P&0WL|hHcNQ|xpqXWr`b#D8#UIWO4qVt
zD9$D5_svlE>`iMwv(EZIiXZ<j%e>C3m~}B?9C7nK#E9Sh7jZOz#_{Pk8K&UikRnAV
z@7%a_JZdRoEC}|tK<0AcHXGIXx|b;QeYVQss4hnO_y9vUwlQsQ_v9OQv7r7SPs~?T
z26gHrfSh1#3e#;RE3KPU6&zeS*M?n{UPjk`4fV>)#;Q$+8Ig9OQx4^idpSAL?>;__
z+VjvGTn@nX{ZW>ADVqAo-MZO1N+@REx&PF{V?t&~vYDlv$fG^`ygp;;`%wiK@PUwg
zhxy)CY>oWahvIKZZpP$MVPm7Zt!y!e4i}G?v(pirFA?N<9e<<kw;rMfo@f#1I8B-w
zI^xE(fC1x_D0Aj8#j*QT*x00H7zRNB%8Cgj<9~vvT%u2bSzYEXv)B=(F~w3J-Ontx
zw$lbmMV#1GuWBr|6Ncgf4L5%v`I4@Cv3HtxtUdlVOsC?wMAS1+w*Kxru46ae$N`w6
z@8u7q#No%&m*(B4jiXZ&hwdA_XB9L4a`+)1ZwF+~2hZKbE&F>H-1e7fx59~mZ2jls
zS9YiQRqS$@a;1xS)iTp3qV~saE751hTQQJxd!d8Dj{SJ$;c*hHx+UUpND1WqCF-$D
zX(l487qqRRcTY;elthanpe_9NJBP!)K#lXY6%jc@Yn<{jXZw`Yl!nQ>2W7Cn^Y3}C
z=Eg9E$6WU~$mq9q!nt`7jqRY-e)Q0*8AbAVZ!QJ@$5A*iv}FJGRK$vMi<hA1xl=Cl
z@e<T@%G<n*qi0aP@HwM>u2R=qmYllG-AFqc`3ShuDt+1r*I>u3NC3)X(gADsGJ*<6
zJjaILL&gmBnX%k<fbt{j&gSmMtj$f!9z_3Zr4VL=2TexB1;I(j38iZKTYlf(dzw1e
zLQ*;6tq0K@&7Z6Ygp_~Dr*J%8C^m2+O=Lbmp57KD{#@oL75H(UY0%KENvgLUhlx5u
zW2rSQ$!LOZ)|8a)W6szPbiK?EjoW3aGSS&IribkO_&tlZ=Q(7Re%NU;fz{w#Utb&v
zMoMK!R#ju@gVSxbrj=;nDO`#X7K7Ohq-OQF*Qze$)UB{Rdo*m5S)u2hguqXS^a~Y$
zZ3pW73x)aHo*L<uS>!3uaaFy7Pr%u3Gc|X94N`5H>6Xu7VHga60MvP#!xFT#%8uC7
z+Oe$|CK3`)j3j9<B}mg&RyJwooHnh7qS~P20d7>Pe?(FmBOW=~OgqzAGJwGR0BXzR
zHq&?QCzuYi`Awcsk-j+}$x{TAc9C`I;ua0B)P~KfO)Dk?;4)FSxxRx>Do4j{M0wk}
ztE-?F^K8yG<cIW2K!lO!2-6(Tpl{tH#sl&pjpxX|==C$JMJLgx$1YI{DZL9<z-n3&
z{Q^%-D>W(##-&rUY(6d&*PerM=+D3Zv`h|9x*wtuoCPti_4p8aid^5XUGZM7xIg~n
z?1%bufK;D(2oUUjVY&3bZG8yM@~AxUKYjER&TNvm48K8P7?D}V%}n<^oYBJM&**w=
z`gELg4@n7){Bnl!N8Zi8RHI)zk*_LS!2KjzJDJa{S!=zmKpHz3-pAw6Yozw6Z!<EO
z8a)aaQ(5J0FwGyBJgNp|9Mi+o%te4P*IKCf>~tHurcAgVDvLeN2Y-A_-OOaSz)WX`
zg<CuOPXirhoocsMUA7({cD;$kkE+L2*nuV!B_{0cKWSG_5Y0>r7dR9Q9i;FGoWkEP
z6E%tp`@~bjG({dCKiq|WMvxp3FKC!@s%jxDthW14YV`ff>1~PUvQAVfAzyAUk&-jc
zwaQP-h>*3s>lx#J+5*qI05eg#u+mXH4dg3Z(|xYk872+IG+i558fHH9fm5n91j#U<
ztU^}h8r!qmB^#$WHybff*6vrj%`^w?>XG$dd3aP%7Uim(jS~Sy+uGrR=rYlEgdBzD
zHs;S&Wm70GX^WCVD79e(9zTdH!3Lf(qvke{nnoqgCm|?{YdLi&(d}4Llrp#H;W@s~
z2(+T(d)d{IYVGtzVvxy_Rc}+1ymo~DwPNk`v1V>N#-57zx4A9HwQednLa$P$Zt9^H
z613qQ`Zp6V>X_2T@i+w4FtdYt0Y@s7G+g-dyuOwGqyd=O@j(LGfUn7ZAWu=2F3=lF
zcumMVLx@JfqGqlH9eu9AW9lSM*nK<Ca{WtrB~K_pVXQmG-2zGP9xyf?*IZbcQO(zT
z;lv$E_`2YX^He&zaT{#2Vkd7O)Ze`T*!hg~%2KY?u~L6w#;LG&@YZiqiRjNQ!H-Ox
zxYfYf4qSveA}r;>S;SW;#C9+l(kR<qS=gGkE&8EKGiNvwb8I>lIH$s!q07^`3pa-X
zM_+(DklJl<xodHQvyCtlJ<hn~fS)Cn7izEQk_JfYY<#$xHhvE@UdhbVCjOxXX7-!y
zub@-2j0dtRdKQa0)b=NoR{J1f*tO<APHi`e?|aRV;=EQqZ_)h-wU;kbu@1B}qR6b;
z-Ri(d*~A<o>w1E<6C7ISuoLVV;uuERX>GsoOaml=1^+L~-m<H%CTQ0U5Fo)VxCD0y
z5ZpbuySuwD+}+*X-QC^Y-QAr9i_P=yG4?*^%NgVRfoXkrRdv_w>;4qC-|MJ^krR=X
zUuD#^5o^%d`g=KM6)EN3E^v(SN{d|0X{1fCHjfJJYX~poA+jplph_|c?|if$8#8+B
zl17dy>|jrENljufnvrbha}<j$cnyIsi!H2Sqh3lUqs-~EhxDGzFq|5#f=|uQ(@~hy
zB7)wTl_QjDxcuWlgga&9Mon$3so19su81o3K5SIDIEgK^#mw=m<OcpO{_RxkrtY$q
z&>vV#|Ij1xlvCgB*blGM_wlnzSSQ#b|E}DY*U#HqYUtmuNeAA2-fuKAVpp>ofJYh&
z(uQDV*TPDG1|2KQ?zEvHEl3i3GWsc+01kc)z(@fl$9I!q*N_fGMXXDVAcmhj6qUfB
z#(|#W@xUnLjfXM5zoB-HXNK5^9^GP*WO`$n!A;Z=T(gI_hTXAcenSK)_~=O7Se(C{
z(r#q8MBiZUN`Dka<$mt)^bJyoR0YXQ#Dg!7en5F9eX#|{D0Iqe8PV<=J@1Ba$}zMS
z+?GM@bL7%L?2EvcKeM#xO_uvVEt6n(&dwq;ZSCHwJ_5WvydNku2@<zMP6NEN30)y?
z5Ru=>{I&z^7%jXZA!U8zk+%rfZg+kng(kest2|u?Z_ioia@$jXOtR+s*#H8!ztd1U
zp0m1K?wu{)dMC6+eVXq(g+>3<DsHL0<yeHg;E4Ebk5~77tPB?PZk7;4P3g%SUvN#i
z>or3sPS9}f%pYaX3(5ZGBkP@sde=GJnqT5`btD<^Y2^f>Pq)B#IR5Hqvt2u5+?ecA
z44epJcZ3Y0_$IgxmIPkOw0`gOdXtcHT=k)Y2fQ}H<DBrIcfq~&PgZO-Qan?`qM>^Y
zB;QucRsz<1yX@b9j&Kci?iwSwKgW_}o1VjTF2d0fv~9iUTtJY}u(O`su9Y^r1HT%Z
z8rAZvVtsk;-b3e^D5kpm8sk~0&C;#Z7G&LC&mr>jAvnth^&dk$c>&`ZUJdksr*LS5
z4%a3m3wHm9i)X4gce~g9b!SKP@J!AfI++<Akx|c^YYgdYQ8CbcPWoyNElgW{oRv%e
zbKe=;J8ege%k|IIs8t33dPAPgXe6LkW_KUnLBhNtY6hYEmK%LW${{Z&aQRu^%Acot
zpm4_pl281=#rljCtqidd^<Dv&r_pg!@PbSzmnfViFQAuEN>(}rDyaM0Tlub6s^$_*
z7nbTwL!aK~jnAk_VsQR!&Bhs1=849&_>lgSb8#V_mB=N!Njo>XMBCEyBmgD!)KaBX
zX-oZVOqv`8A2&*9eSPr6_>y!!I5Ehch)(=usmDYpC!Gx21e;ibS6V;lpJTdkh&{xf
z;Hn4_bQ+GGKI9!qI?>Fg7l5_wMrQykf8Zls<Z8EdN-?g{+vr(ki<I-a+Ge<W)kA&M
z)9(|WoY)g)5txu`xY7aiHmv?!L`cE8;%pl8G$Ng!?rsB?KXiHYdup6y9`;E>yClW7
zUvEWn%#xeO7k7nrsh%JG5uKHOzz2=bP*3Pz{@{i75)W`_H0&qpBz3mYndV<7y=1x!
zzJzvvTguHm{RsRCG!n%{4g5H*^y5D6KjF0HWi~<A&<g~vO41tPP^c?OOgy|U1>>7{
z!hP09ef_>_;rV{MG_F|ud)9d0lO{urYkLl;c<WhqVa#%e*h<_^-O99~;IOEK?cw4~
zvf_;o0h|`q`wrL3rb@V4p1S(mpv4^~{?C<6U!9;Bnsd1>Wz0TEw2eRmT_8DrU+?SZ
zO#C|xAQ!)P?lfvzc^73%>CE~4K$~d0L1~C`vxCC3^L9w(yjtjU)bo%6L*r0vHsARr
zShAo=XkW0FNx2i5yaH+a=z%kU$-ng^L@L|1YBize`cJ!oNb-0#)<i+@#ajvON@jz@
z->QfHf~mBKd52izQ)=z%Z{N!4Hxy1hX8hq!k_NYvT_Q>M@;N!@&R>#c0%Hf~>t~p2
zN-Zm$>>8$XVa>7~YPaB;(f#~Swe@mclK&BG5IxwvL*JvF9CtuI+?TwIGbZbVM&LF|
zjYGYNg7J#n82o5s>jd3@?~dE+dV73_fM3=Ltv+^@=R8OCF}U_<UePD%Fd^QwlKdt3
zqPRm42U!-K)afI}82m4;K<VLZIO1$PLByLKovMAA9MRe6xD9+tmBTX8Y3cDy6fr7-
zbG%k{4KIzx#HzGQHIJSkT&N-vz&wF-BNOKh?oQt_w3;Vm44XpzLT)UxDPu(b?!VH=
z$ma^6%_6wszJ~O=z9_|tLOsf-@Ar&m(JU{S7H~yqv$Y}r94G~v1OodSL$s;0_IK4&
zT<A_R4xi(2?hUirLnl<sG5-h<dP)DCkL_%$m@~mSMFnHLAM}}lOxSL{4<01S1k>Xo
z_Dq?8ZC~+JN&9*3Om|}Q2uuoG_;~4B&E%8=73s%L#oW*zLe%ZK)rEE!ad_{(Lz`G!
z6M6U;q=cuxSd`skOkHPHPS$_<_Z7angL~FIRjIKY6B;HSU5BbQ;A|%?41F+ts)3~S
ztMLo*tBSx)X$BG2>#)4lRB_M=Q(7hXb~bvjuxiTn6_QP#Q8*YqUZ3pUfQSA4$u`u<
z&00K~o7_qNA}*`urehCWNB8NYh3h|_%C>B#Fv7${R}!A#nv5}Oh}{&(>Q7H5E@lHQ
zbu9NbKwS>Q`LnkUz_;E^_CvbLNgs>pUv<w|aGt61)nd&<N4*=!x4C_f4xJf7dJ^=f
zBp<d3zeO``7YO&J&TvDplH}D@M_86k%^!=ZyE(aHoLU_|a#L(L&~GcZb|4*nmo(r+
zsr34vo)G~VGt#_edBd;O{G5WCS?5ITY4_|M?y@T_`d(_XSzv@_wz|e7&P_C$c%*&Q
zuvcqDz4AAyq^eoQB*Uva9FU6|ee=>-zfI+7SvrFAHK(oK)%C3gkIO5hNXTxEh4ghd
z+rYd<C-g&|(3*nka)qjw4Q6}2(G?$+$>vW-!<s>AD}Pv;da<wJ0y*}Vrs!Y%k^3cW
zu3MoR)rWWO0;i5KUZ3Mu4avzbHk<ni@*0CAb*GoWRFE9R>L*Mr1sh}h;Y=(EO;Ua>
zBZx}d8xlU23J4T|LsTk9qJG;&Lnll(0)m_Cv|Q;<P&EtFujD1URGuc3&%RdE(R75h
zO=IEn6h94q(IvfJZmfy&BTO-7-U&})xeMAvWf0OKcjFB;`?TuulaqBD2lQz9{g1?;
zC|xD2r~VmmmVKQ^H`Dp$m1^8Q!A-wW|0A2-R3bIYH&<$#R68cdI!#a#Pfu_;_`6X-
zn}EL!PANLvm!E~@KlXnAOi&qfJ|fP;C7Hn-#^3LC&veIwRRYyp`m?5rWKvXVC$(5_
zzdJoF($$R?Nb-+DhI7=WD6;AyvUy-U82Je<!9tVsR!8`fn2cayYk#nR;Rw<6WXSW_
z$sS%ND`&n17SzbEF<dUKKx(WVWb(P=02pTCo!jO%L9%Mu3hQuJLK_B-4ae~(9t^YC
z5_R;*1QRQ`MRZQ?Wa%;%jhT={(U&ta-DBO!M;O~ZKg}dI#?=i9u?7P>9&syKgHB9f
zC-r=%8^hiz6saMg_@`B=W|tRQawSYKSY$Y)d~Mlu)wg~xaI-giZMx>g!1e+u_;~y$
z-yt?IXS@*_bYmtf_iYb|L<!}u!J<NBD|=%9AWV`d6o$jjN+uFc2?H+JG9>0F;^S%V
z4;I4q&{ep8Ftc4&vUKQ3s;QF&o;UG#>_&-`J*+Iy+MH#xy=~#0S8vNnB2-5gLMe3^
zMOM4?siaD>=UsL<yDu^7OF>R<?S5E5S8r@)YJ3)DtpK`t+uL=nnO2>6G)87Ys?N)o
z?b{E&)WMunZC=if+opf;pM;j8jhiFLtf~&i)A3qkg$^%D9o?pBameX2erUj-<FYK6
zId2@;k%uoKM-h9x$5v!|C*9nB+b7;%WsI8Ykt^|yzDagB&@OTS=Ury>k_IWfu=|`9
z8vNE+IOODnrf+lEKR8UU>%A%!suLVcUw#SqzuHSn;m+HAT(29-BfMZ}ZF7Nh!P`(3
zkFuJ4U1IYeeN;0UDPuf~#Ah1Fs^DyLJMP9k8LQy@%T;5-mIC8Otk8M-2qCv~>~KyK
z+9hP%#hbC}y1Evt#Z6b~JZ8xkbRfLuEc({~#d3^a^FF5g7u(+c)}YuWgo)X%io{@<
zs<Liqp#TY4v&eG_Sh#W7zqFIRK>=PoG?#q~Q${QT=TgBTfjj65GVdg$SJ>VZ=HAfB
zrBSK1*2|>GqmLWb=1$LjwI-=0&!!!oOHi?kR?E5G3nEXJ*PGcvON_--`Ot04)AzDl
zK-I6K+Q^KSSMyTZIvNWsDX#J&r8>70OWFqw?hpOOLLpY_aY@n+o%+MqCeJgLc=avw
zx7&Pzx1RM)#1<KHl-bJKm!vgByI!C_bl}?^7kC>@28Q8IU)`@Fz~CC69>VMx%x(tK
z-S;Ql7r1(JSbV*pBDu&O-J*a>Rcl|xvk!Sd5$B9C>{>fOp!1wDKhf|HcIAWR=34)`
zo{Y)_(%ovJy_5{;EFN<XPj<gqrDtt5?D-A}`XW4crA2Bcf2Te#3NQdqo@W<Is<pn(
zgeWnUr&xV!FA#L?eB^f&JH^-ALf4^zipy@}X!t2avb(C!sII@co66p9=Rh-dwx;ge
zjjgM#7S}G}4yKDW{TH9<P|HDXIW-s>VWLQ39tha1@|~^q!l-t6&Sqk$bs2HEeR*$-
zEo{rr4l*g<{kJ#T02^i@yE7GNnmCiB>8V?qtS<m3bWG&UWV-FbdmBn{`xfqkyW)O3
z=kV3p1SAhQ3{pBJEaZ(*AaNT&Wq!^T^9-KT^M3YC+gBvDqHHy1rvulwSud;Uumjz3
z%Zr^)Y7a_Lu>Uo})%AjZ=vDwbP92SnbzH8|uQN#TPEzr;&RJ~$vo84Okd)7Uqknlh
zYx&!EJ3b!+D0yGLxgnmDzVyOb!sXP-6OG4b966(y0JGFQ-nZNdjvuGFUCs`gy9T!)
zUnU=1ll>3slf&-ff&9qiH25Rep_hj&+S4A!M5Uz2OhjQYzCixvkD(Fg?bWrE!F`>E
zL-N0ca{>LoXmVQDx(A1;dB*a=vB=%0Gel{ASG(crZ6}0P{0Z2qAQH7gLp3_K02>;;
z1{?#sZ+dE_CpxZ|yWabDh%Sc-4(-^?%$d_vjk(jr5UpSFv~||K-9A39gMh9r;Uri6
z+Rx$;LLI)@P4IU3b3|NY>Lal~pMTmL=9~DU7kST3JaVAr;bfXzt?wj5FLhqh+84@`
z(Mul|!`P?FQyxFkTW!A0mBv4(ahBm784!HFFxcDDTLt@0{90FuCx_EzS_xzNsVZf9
z<q46hfH`UC?>x#EBFuNuIo$5c5%^xzUUeQvz2^2YU0s*J$%*HZ&GEW+d$GH>$%h>a
zyV>DBnBw%vi(jvOwaSei8FhJex)nLTba_Sh_>eHh&7F4g0@~f}G}ygaaTDwZ4(F>_
zW@vJ<HapuBCw?;Sq$bsiNeIeygl1i?3Q3G&Vn<>^vA}kuq+Y{{zAYDvzA>FT7G*Ev
zpjd<j)<ztD{6j?)2KW1*^#q`HBfR7t#cd?8Ih=>JiEdKu>OSVcll%okq!sFh<g*Hs
zy{h@GZPzg^-?oNwxIiD~@PYM_<mp6~RX@vy#4IpICiuD$=#*k|j&9!FSPUdiYSvaf
zK7njj_eT%Z_bzYa$!_z_=9rqYN;n{QAEvfyV)}EehJ)M8R5(aR2PX_i20sB}F?ObO
zdjL7SQLkz;%=ex@-tOuft-U=Wdj3e&_x+>&9K@&HHR9faYx=gA&~nBaQaf*tTdAyX
z!a1CGgHuJB$B-siVOcOj^Si$@pT(Aq0X<dfg<H?1xE!<5t$e;US1b4DG~di2yjvN5
zNcxjw)jSFKamxon{UDeVTxM(r{akh(d1m_rUHGD@Qu;b>t^mbGw$sviBT<Yo^@6#q
z#FF_=x&<>$o(ydsYO;>@I^we?tii8yVX`WcCpEDfF{!Iy)SeSlQewt>)pLailwTYe
zfR5)Ly10Q$3=6IglWP8|wekJT%zX+?;3{o0tkWL9Ou$J|QChInUf5zk;imuKRu~f|
z_ste+r+GbgS#Nne1_4xRf@ZeZG`Y9*vGlw0>+}uB)U;KMM-~Bum#+<r{NP+ug>)#S
zEO!n%5&11eQ*Ufal1Q0AZAnbs$<0=~Ul>cErje|ZwzBVlko^mKhuyO%3^tpkl93yp
zY=-0%xfkgE1?tZ2ta%&%<Pq+rOX@_$flXZk@%od<E~|`eG7-!Y5*i-mCw8BlzLQIg
zbIA^N7OvUuKfx#(H2<d1a@(||yFaBe8?RR>FezKcmOnf8r%<n_N^VhxOT>G{8hTTl
zIp&Ap8$YW)+}cSGZ3}4DTLB*m4-iDGWpP$&M47Y0@|Ivy<MI}r=i6Jc16bKPG^Te0
zK;Eb(f*Yj|P}w!#<!&_WH39Y4)(YUJgbk&|EzP7(ml8^2N+cEq$p}F~w@*+Eij!Z*
z9bXH$MvpNwa|qiwtx31QBE+2P8$HG=dN=pd+MS`T35LkL_Z|)x9d@&fiI1_%Yv>yM
z!~2UH^&hXu0p-C_oU6GxD*Fkn%EZ+dIIiP8^+n*l2|EFa1nE%u5+Lt>0f7knSef2U
ziMb<e7<_G{9P#wKIj643hpN$c-7&o?e{2uloC{BTCvx*Hzj#Ci--B&^_naCZY^_f+
z;#00JAzv?TRuOELX`H<<RdoUnAak@Z;6%%Rc$c^OXKDGvcb1>pA_Uy<=*NTad&t)A
ztWfW_Tb4gUs^Cq|<=O_ykdoZqhGbzXFjyKyJErWeNY&h~5CsY>sp`MtIhfv%8`Y6G
z$F6s>5e0z>IaqkwP3Z!g8A8b^Qi>UgBN$lRegrk|5z0r=va|0t9LBxOwNAv-d!BL<
zr4cwr>gwS8eX##7w`rH%&9`|Yc|eDv1Rv6upmvxMhPTTT*UNE7E03LTD}mqN#6CYO
z|KQIa-?$fE0=~Xq#C`~MPo@wQbPHT_bi67|Xn|#z1S)w;cz8T(dePGv+PaR<qZQlu
z8Om#F7e-z?PmeaOQ9W2Z{Ko*?3Mcd9;e#Yb?S`YlxRkRLJ5~mri^-fuyUQg&g5Q^g
zHQlC-IO}T7-2fD87>H_KnuULejCDLc>!DHF4T>Fr!>O@?zVRl1AyXt;Moo{N=($0n
z0wbWD>K?f%`H#%rN%Wo!M=zhTVm0!ZUA#OD`QCtN%iRx4fv}%7L*Iw$1MzY2VFac^
z1xj2@`uLj*g!Ri1xqNWb=UNE4r)T7%>eDfBwSfTPehLP;gjD?>z5MUXew{69$=Zc1
z7`!ZgXlCpXs3stH-%dJ-px?}19*cnMPS^w3XOq7F>wmPWW9zR*y0v2Jk7k)0eL+Wk
zQ7%qiNJ2!)WEr?j(4?$uO)VHDl8+nVhmZ9K;Ic}J#PEn#I+H|~gyR1UrB98ptVs>T
zh9u?S<;|;aUH{bhQ$PvF)4o({!=!&35~$C$BP;jQ?*XBE%aTOiu9RMDc+CsdinBI4
zw(Eg(Eg34=79<=bD*RFoHywJT!`Lxm3$bGzG@Y*(Ww883p3<K6%rbC|+ub|g$1Hy8
z<N;}EhOPsk%3q4VESN`~fdQ$7^kQ2IUZZo#!%1D1@r5?8_U6CVv&D-Up<rtU=GZk9
zY028Vl={#@V#Z?O)fK}$xvE($@X8=7yLuT%%>O};aK18nlK&zz=`kL;0WXtfH^A7%
z>d_feXWlr*RFhe4@r)~PC_L*C_>TC=I7^pa=6!o(22dMeC@Y#mp?#c4*Qsj9l`L36
zpxxC)VtiQBJ+qbcA+-OhK87(c2)uE%cndItKZneRbpSuLwwK8lEMFl#-l0$Pb#mX%
zJPS7Caf3y$Z(@A1LCib;|Ahhhcefswn`#Cw>D%mYJcFMxyLf24@UB7s4e{Fs;mZ>>
z=u0_aS?!LW+5k^_4`6&n;_k1o=&UEZ>RZ5<V*@axL(H#3t_N7_aL5$LDnezWetOnF
zbntI9M_6KSA1nr6xtOB~6OqHoTp|27^Tn-?R^Ts6!6`9FsD{JmnIt-pl88psT!d9e
zHS(5M;!`ir8Z^9zZ^NO5W5)Ar>l%3<Y)SN_Z=@@@Ef+KjCzV^VPVx1FR}1gps|40o
z@D#hJsw>?NAZVKSS30MTK3i0ncP22BFZ$#STpk&4@ZCFVuQrLqi;h#~<ktrs*b4!B
z0FdkrtqJw-A+t@LgFGic>})d<Jdb5CDkEV&)}-mCcJ*QKFzO=rXw}aeG(kl=IU=n=
zi11}JUYN4|-B;}b;9A;ayNiyOjh4s-**g#_@i^Vr8|~P8^oD5Am%!&7OPeqK+~Kdy
z@8?&tP8o8|?Fb-_9f&#TS$xMXtlu3%bNa?j@rcd&gC0xUa2Y7Hj3Jx)m@mTh^=zje
zvr;GT=!Nxg&t^k{k!+tt{rN=i%t6D#FNj!MgniituJR9>@cr$iSKH&Z1Yg=kP5u80
z(7X)3yiRRwSQ*~%Q{=kV@OG3}=%tGVrrRYE`=;<(q?~<AHc_~#E3wI$kD+B(-&Zd1
z$m(7Ew2})%1x}ljFePZi_Sa6A<Wt(pSAJXdpU11hu3RuVfb<*B?)2mDpLzuv_wIa7
zLHRI)<XojyzT@Q(mDxAu6-`$Me5NX_EbPVYaUZ>xS}Re}mPsYMoK=zDD;()JUc<Bl
zb$z@#V5_=ETpLA9Pdsa4<$tGP)rp%WEe=l3;+AkKEyyHb3<?Z$ctYU)SFSnhyD_xh
zA`v}L3fG*B?{`*G+CMk!_JD)xdxI2_T0IK{b;-~;#K}iRQ$ETo%j1kF?56r|QJtt8
zQ7ep_qf0G;P}+VC(}pD{p$(MuvR{1u++UgG%7wg!H)RfQdF>8-IBT3VcLjew?CJ53
z!`x=sbfSR5uGIb1UxR?%zdtfL1aT9-Ylw@)0~Mk}3D<V8W`y-?fqLOD65wkgP1B6p
z3F9}TCOnUJsGnfT9>e@5iCyfhMoesS-*2bkB%zaY#ktBt03YKdFtZ`}LG5}J{g`$*
zdRq@X--?H={)ugmUIvkKO6KK!U(MJWgE|`iMHECG480B<S-qA86(`yL&ounX*;^XJ
zGC1FsnLO|hQ?<XqJD*%h(P&>H{}a6r44H}!^Gg1PJB=}bA$a2HJ69fjtdQXyyDNtb
z!tQs+vi`Qwe<Ou!8mphtBsgq$!P9N%8oN16-qz*g7~s{S{p7aQFQ*9te}k_jsP=!Z
zL4MOpTc@1b0|j*zII~SNTnYl~Viq<>s8-f&4GC0z1T2qJ1TJ*)TFKxEAudyz(0khh
zw$?kRc#NaWXsfEWnkp|x`FLEai*1f&0ahv%PQ6M$G%8N@q!t)$WH~LTV$AiEXSe2+
zfK+Kcfg2a4SvN__qJQ>b9Sd=1toKxi-a&MWm7o7!4%n=|ea#xF4FWc6NRKQa@t`MB
zN6!cHOW3U(a@M!^Xm}6}ceB`-A4ObP$RS#_%A`W=TeDTeiZCa2AAhCE4I*{k(~431
z#R|}A)o2@2zU%OAe47yjFUflA8w+~nrfRmI0U7^4lbvS3f1!}*ojr*Bf6|56%>1g4
zs1bIMi^R-4b=&ms{%xAR?Y^6P;TIz~UK+a(NI3E)_8<&dgl7nV=a+6?0DJy$NCbu%
z=g8OZIt&8=Ykr}b8v^A^tvEDXY9vqp%-v%DidyIu8rM=yv+LZ*2{={Q{+%&B4Rxa(
zOCnxoX`|&_b{c*R>PQ{4Ib-e2_C`3$JKMfsg{=M<pX^cyp)qn`YkCaREVXdNZ;zT-
zM_-ZZ*r+c1+hPTUm|E|->Z268S&^{)9RK>lA@`~E|B^G@vmU-|MyE;dw)oqr!~+Pp
z^Y(w=-h1Q*0Sv<<<bdZhc#TF|1Nr|{j0B7wf&rg#yMr8FYta9t{41vo?Y9l(AQho!
zx5!;PFpT%ufGGl59$Sh3W{tb>%U6i2*e~|{FDUMS!cM_F6a&b=eG*sVq><h&_0#?X
z2qf$4)+B34ACY0|v9n3-pKJXUOiY?Iu`knrWv0e4UtTj^fwGfhD^_he2u2Td9j%{w
zTa39AeM}kE(eh<J^52KQ<<KpSjab$jBUtw+F#={B(ooq1T8T1+6Q@3Y2n<MX3y`f2
zpD&;86A$*8uGQ^_Gs#6GRV(;;W&65q4??y+?v){+Fey@Ry7*cB6EK5f)=+CnHCm$|
zn?hC1TA&W1Zgxi=bH2ii`i-Ai&WU-}h!FgQpyU!Eluz8wv9D#dt>kD%l%rBMd70cQ
z<=(M7^3s)?>$x8rE|HnY7|H(q?VbeRWg2U+hhlXKpLSNaf(CmCCdF6DfJG115TVMD
z;aSn8R-RBK+$WjlSD8#cYr4awb|=5VQnPV<Q<&RrRPO75Yp_djQR5?cA=!#f2Eo0E
z`Ssr8A>s85Xf*x$z%|F)cR4Oaj7dd{**wlt8THa&VGhv7;>*H9FhPTVPx?R?KWfpw
zoTBP~=@4ClhCz`p_As1=&Z7T%{;u)c&Y2LKwNIRsS;JoKokldvn&e4CemM;N{twt5
zA&`qpvpnaLq3mqdi4fgRbVLZltxr9;cGLJstY%Y+=4A@$(z`&|tE+Dx-R}y!?*>Hv
zoto=t7}`7e-C^R%f8_aC)$%5uq=?Z4iXl-7xi<*QaR=A|8e4nq!-v?CzA8K#i<85<
zu$C0G_OJdsRRCvgp{fl*tnPRHG2?E2?Ov3URE$1TY`zbxvH^T*rhmQohto6NcR&OJ
z`9tCGc#yNWVTB7OfGrDdgam8`g!0Lq9+0L&@#?z4)Mj=b!t0~zw0j%7+3Gh|SFbHD
zKhOC>RErEfNBc++p<#2|7#e=M9?bN$wZ6W#I>CZpZbbjQ)X}q|jJeh^uw&{bZJL?G
z8j$?y<e_1<q1g3J4h+7Qvn-hR;imhkEE2nQsN`yB^K<baNYPyIPAQ7poz?A$b;SkZ
z6(mJ?%{X%huPx(19AQgT-#Rc-P<xn{7GJ5zv-eC;BXpvJm07|akk=?WBZZ*@X9=7e
z#HeSk!!dnP?)<!?lcUKnq@h0yZi#aEc7S>{xZUymkpgzowf0(3$vC%kJnE2lGi@R^
z(IRvaGXfR4P9KGrC!hERw38@j=)kY-9ZEU@Zuwh#-lnB{H{Og!SGnKgU3a8Z4(`0V
zRt`A+c>nlB+B%l`4C+os-18{WjKCRw?fsERLjQBUp`r*G%IdEJUqTh%ZE@7p9>UwH
z2Nt=(x9fCtO1{sAhx{Z)S}VxTO={GJ*<#N6Rq4OspPrp<PQNj6SJXSJ>YRR~VXvt3
zTj7xoN`&c)iX!ufS0j#pB(Cb4745|%!i{*^YG#za9rn-gV2?vxzVhtaK;HlvcdB7&
z4CDz{8YbvYMLCWP9Oq17@ET(pXBG)+HxonA8h4BnbA%5tSs}1EkJ>$&$qiVC;+lbN
zN1XVv?&UZf)w~?4a-i4gv9X=mb52&p&O1?4d>1dM15xnz>^;Jwq$v#XmodGrzG8oC
zd;8-6%}D;HZWaX7jE7*9LzeKno-&kiy6|*eF`L;I%e9jewN2GBQ!Bd3q)%}X;256g
z?0{Y?Spuay)p~IM?(XF;8FtjU5yb0oD+<KP3AjYofhW6+00L=w=p#c{(2h<Xu)sFs
zm4WMdwa{<8lp)?K+B|<fKLEdEP>BF+v5t-BW85e1qn+9+1*YfkW``M!r-$8Z7v)3O
z8VkQl!ek6X**=S|_`1W>B5~a9yMIa3($Eu6J>Y#op}<YMqZwkJ?Bbe_SGB_CHpj8R
zHwto2=eNL*`Pi}5&nK^a4u3D=3l~WqZ{v?(qz@6#AKYy%09K;NgO<a#z#i|1Zbg-B
zH6;~{OIxD0wyeb{1;+J?TDxcDbr+@O?b%9ie97s@AVKc>Qs!SXJJcPZFsn6P8<u$j
zCft+f^>j!4GF~n*eII-x$7aFH>BoWK9f(s0+<D97I$oN^k%5H!2hY=z#?cV>G5NY%
z*$TMX(iTSDZz`bg5D8-8>NyZ*MxTJhC4-1`^|b{nTGQo>r?a(Z=jPUkXsh5$g0bN&
zP8H_v#cjDWxaBF{=hopErtYce4zlX?^@7hBOzo&o>T5C{Lc5cS25W=7Hu#Jnxl*5N
zuJ9%c(#tuy_ApZD$|7e6yvyjy8>~FLpFdwb(caoJ7ek^@N2#?=vj?4L%4SR2U2iTC
z$rkA(B--b!Zxf9(xNkM~xTjX*mNv~*ngkKn5B#4AXuO`=N9qRkk6zCeL&uDCUdN0Q
z12nzxrpcQYydJeu$jv%FU3@V{3-M2eq+BEh%1&0U5TaI*HWxnqt?JT>6yF=T+zT13
zA{z;_&#tMU>nz?;bN@NdOX?7z-E*{a<=@te1D^x^ZpCYC{K+uaFK>X{{+wL+!Ru!m
zhlo`gs8_S&i~gwxd~;)Vd7a$(8)tJ#u8pIXHiV2z0tT&mp5hkDzdQCz1Xysf0@!Q*
z`ndK>UBb9MH@a++sPq)&SC!YWb+)^*x#J3uT{$~CC(){WWLV66<VY6_gcOhGpPk}R
zWRmVQXKJv0IdR8y4h}Ic%YKBc*f<rewfvkKQ<bShDy6<+u2^}Q(D#~PRh#2jzknG@
z-Lb6pIvCKn?*K_8C+@?%Hgeh2SeACuJ%rDDgLfh$f9U_Sj|j1PHcTA1m*_dH0L51l
zR@1=Q<O#%$Wp_6DEafUvuSY-$ruXIx!#-P^GdG?2otBAIwPYP@;I_W3Xzk~iWQ|x!
zL|&Dw6+T!tc_E*7Ty%twR3oySmeHWcYa%ivj5~>OjrY8M65Uz9M>rc%j-;CzImtIn
zP_K&Ai>~<fp*VjVJ%M6PMc-6&Y<-}s%ol#V_z2A7if=teekO~2gCQ+w;9J%NjMFAB
z(cx#2xw+;*ab1(OS%#dd{xx+K4oB;N4*|s0hUme1#4`cAE4mc&`OP7-ZI-OXIHE-k
zpF-`)6h!=Awh8dqyxx0i?~FC!jU2EVf6awWk23`dh=AOL-%KntrnrF_4(cMJMptu&
zxqsB`$CtnrlxHkVbgfr~p5zdAQ-wXruz!yK*^XHk6BYsgAjlFoM#spt{~NKg_Ikp@
zC=qk~*vH#VZl6zeYrPu9OZIv2S2_A@f_kx1q#d5n1i36`6K{M~^K7ts{9x(b@_11N
zW1kV!UM$U+`Y4g-9a&LFAXk=1yWl>*wxV8P*7->FLSRMxz6*`AHP#l=RhzZ+J2?zN
ze{o&y72<Y2$$X<3g*!2U>Z|37drZLjh?EPSd~Te8H0AJj%Z4*|5Uese&;N|alGGBT
zGGGuJ(OHH0`tRoe1clDn^z-+A&-+yYMzyg+l#?#%>_3CS^@Yqo_w~Hl4hr4A^GGcn
ziNv^B6z(kuJ5&GCP{1-X{soyhE7AnSbASXX=S0ZRX0<smr0USmpx;ASsqwCI=U~LE
zEdTm^W4-K8n6F6m!xNEdZ9pMq3jc7T0&x8Kg(rnp(*{lNxA9XRRKvf*HO%OZsw$ZJ
zP=9omL>RSL!n#;$mO}hnmpQzo>PFw~Se1+0$+@v^lhtG#@H=az?ByhQQ47mE*o?{p
z{TiWam6OpycOcpC0rH5&z0c*hP7O{|V834!eAg-Fj3s2*vv^g)Dr5fY30dr##E|1}
zWyavk-snC3{gn9+Q&IzrY>sP=&7r|TsUVB#%Z)GRZ@B9VI!9;p9T|t)^e)Koe1~bo
z=*z&$7SvhlBa@<{;^MDLY7-!j;eUyj=n7$Z5w_m<6ooQ(E5eO6In-Or|6LqWS@1ko
z3<*{upVg~Pwe5u4#jst#^SqvF#6E3$$LlQ@(Q}q@SqnGnTxRnu@_QZ%5TaoJt(G46
zK=6ueOs&1CvFpo3)zqG1z(U0BjtXFO@70n1cZO3}Q-@U%znCcJDuwWHDjMl!;aJDn
z;W_rLRxwPuwKp*=_0qg<-62}iS{%+~S>`?r)@^I|A=vO;;^ey(^-I2C&OW!$hnz^o
zeys<-m-Ue(am9)%Sf+2}FIXIE>Cg)Vw(;>fmcyyDtWZP1*@ii!$?HEidBID9H`8^#
z*rV5*=nEWzO<sH=H=esdh(&qsN$Bv`n;UW5e!`}5@pXPStkZa~5}azXRsS~<7Zdu`
zyfdtr-S3Tjl%>M`3o(Or3$_vWL(**mgvr#H9WWrxE8Uy?@OR6N^GH@u<{QN%kk7!+
zhWKGWMK|lDzB|YZ{m_1+&m5Z;hl-tLEY%Bk>&Hv~8*QUCtb^Xgt1)+TZ=lGpt$$hv
zEM{HAzHL81CrC=ZvzIJ15mrP>DWgV3$U0Jx4Z7347Qd;FA->3Rs`fM!aR#Gerx>)Y
zZO>uiHhJW4I}!B5mR#^skOne_W?ywD1E29W==DMrUkK8@E@g7H<|CN-Kx3OoAp&XH
z&j`#TN?djt*Ul2eT=^UJVnCf5{{tV*9Q*$DGz?hvuTHNZeSRNrSw|-%o^WajhLmxr
z`^z86Mweljv8n4mpQ?9M-M0c5uu{+E0yF+SZy7tJYT4hZx`}D_i|ET7D-y0yJ4wT1
zd)<9fEq@2#?{~kbZPPZ|2^J$rQEg(>EoC*N%(aY8#$raJhs~y~K*-$bXka=FvyNBg
z_iTBus7KFsB}&rSme6)siT884;CIRD^!ivO4pQ~z;6-D_wS^YEg4&J?b;xM-Fl;36
zl;i=39g+Qf9XXS1@*yJ3x85y!z-XWNoLx#BeP{qRG>X=53<qR!b!%2}ug<To_S^Ms
zxo=5(tmVriClIAQS~eowMMW|)O8Al>UweI-TK{`^tMUjOn=!U<5EkbzmN-`|RU#|j
zv()~ae-S9-%3Mh~3&lJLvoIPlDDCurBjp|T20u{5(vUS`2cB)=)tW%pjgIux-!t9M
zD&NR<RX^>oy$W?7&NPR9T7F<%l9~>hq>$@8-o;G{3|%Bt4(#*k<Ew_Km0V;%EuVZr
z^0u**-(Sb}_qSi8bj$sj!wFupj<-aXY4(Iy#nX=GGyKhdS~au~$q;ANc+0>aEBP(t
zJEO7Xp&Mezp5>G-(kRBy$d%(&`Ro)nxi%q|<Myp>rK(+9x@tMvoa){tG5y)GVkbbC
z-u|d+fWP)q6_dl+64CFMuyYsU%9~9>Ip_E_xv`u3irv7z1F0*}QJA=P@3;W;DcRhB
zisT~h$5+kFk{2olpDXG-1^X~SZ2rCxH`M9t^d@@F0(L=gV+$O(G{8SS!Za>f?NL4x
zZwnV5H~y;*7P?}FYg?Gnsid;6VbxR+s}j<c<Za<qJDTQvmA-xpi;A;=KR_QkWp(Yt
z!bUhwdQ~oEVCEDo8vn;e8#P{&mBwT=Oqs9aw{~7f=imj>g-;EIHRE^rEgc~PDd7$i
zixT541M7Yv2$RHs>O0)c%Bc#dl=(G|;_-xeBYjrBYU?53)m3KT)+cQTCP4ZR7E&jG
zc(&YsgRM}Q#D`>w&m7$<@J6!NF~esj-6&4&-tpu(Y(;jfQGbi;m{0Zd%N2fMMxc=0
zC5y8Fki7y;JGQH*rL87IB$Ep_rTQH~-bR<YxG)3`31V@sf?gq7x0OozhUmxAh4f%(
zkRrjS{gzR<3j(Da>-h8S;4SAh$*cU1mWJ3>AZzF=b)vU#rv>SFYYr)kkY(~wXs}?&
zp<Em>xu%Ie@uZgbCruX-$yAy^&>HO~4gVPDK&iqJA|GNYxfn9JOe?Aj=D?$Xdr&U7
zw4Arz0qZkH(KEFgw;*h!cTN3Pn_nX$>RaffemDV(duXLs1%bh)oU~Pxd_C5Ex|~E*
zl&oRi>Y)_1StBn?0A7kuyS|&`w`y;3y852|>(=6!n0wyiN9v0668ekvoN6A?4>XnR
zF8^1m?#VlsgVt`OjH7Cw?aw3wi=Cj454X0hVg?^whwkoPf;)yHdh*b&iKmv(r;5#9
z+jsXBiJphEXogOX&`0yIPv2^W4xIfz_P94dLPm1sp12NI5xEexq>na?-^A?Z5Dh9P
zoj%5+az0wez6SO}Pi~MSazCQDZAnzYI8&n3Ntw(sjtSiw)m|C0E+Ohs@;M&7HF1<y
z1xVy2!wro!HYu&Blz)Ebz6QRAW@ueUss2XbSVhIsHbE$;XbKy?uyPNt?oL4nAkWXO
z%r};qumtBVAwPkPEs`<MI4xUFglYSmRn|X`+#LPLhQe>t&TQuR@ZF`NzKl*8Fey#n
zHvMY>I#VRP_$gsa*|y2w#BZUF26a8iWH7Dq%v*X=UBL@~xh!+~__&r;kEhz@%Q!Av
zLxz`mHuR%k(0!N)X_!4E(h%d^0OD2CTeTei`S=ckfx9voH;}G6Zftr{5fRJqbX;mN
zX4_fMYrq>xtG#p4n!_pXtY7BF+EgOD;Fn%0SJv;t6a-02sIs882I{23NM}o|AJMPj
zNvjX5T9g$0JG2k46-wh#@S~~BomC9oc4YCk1<*vj%>ABpsTW~wR!{RJL3<PLEh(ZL
zV!YO}ZP>IPEavV`^j9)a2yele{iC|-s3)V+PVfK@P1Mj!JWj++C0w}2%J~7obt~;=
zLFiMcsYmxPmh~jQFP{QM&7w<s;r4yw6Ad}@?SV!U))13_p($81x20BU!uR*(suo}S
z?Q30G+JYVzk7M<<g=6(syq=e#y}i6z6#Iwj20$Zsxz?xm*W{0u?Z%<Q2lhWUm&KnU
zSzvA88xvR~$W76qgMXWkQ$&5#!!D^8vy|wnD?w)`?74);d?c}>kXro5J_wVY1rKh-
z#9xPwO{6pLY*?X*bNL#y2t<R%j~9+yy&1WahReuQd_gy##BK6kk4h{WOr$4irK`@<
zVCZpGJmJa}JQh*{Q<pC{N1E5h(+O1v4TBxVTTMd*7vmfsiJ>h_Sr2OS9D%b4ccwQT
zp`rc;xh)R$OJ%T*Lz&hJdAy0(qpOGk0=Yhey9nt@h9I~e-e^>ve`0fa^h)l^C7d`Y
zXH(jwtl!6O<4>COqr0_uZi+TJC6aAuuepxruuzy%An?6#Trv0TH4&SCM;RsU=%*NK
z1gAnoQ5%Zbf}s@6PQ)zwPyTRYQ%{2~7@K4fAwfQZLG3Aha9k{Q2&BzzXlKKgi9*l7
z(kWY4$y_{x*Xw3d{rjfCt>j-^02aFEF!27w(h9Gvm&p)LI=3s~oN9QKYoEiUC!F6_
z(tGL9lDWIh;klJl%6;(w8K??E+x3M8I5?LQ2;2G-qj-@=8K(x1r=3miS!$`vvr6UN
zSq7rbV8|eO*Bvy##7{0-OOUMrnp=vUgk{=v^ziNipzY~2fyAxWzo9nagfE;o#K31$
znx86LEaI0~TDDI6HYr-k&VBHkoG*QEbp@rAxl7a2VnaHUDCWW}obTqC)w9=|ui5Q9
z=N@sPr|siSehqLol4wd}f5`7D<KpcI&IM{bb3bqJI3koYQ(biPJ>R=w&c+r3N~As9
zkK=X~hyD0JB$zc`kK|AH(kf|lHT#YojWYamtukkGJ2;ghM%6l%by)Cg)2z_%JLt=v
zll?;FY0gmY^Y$O2XE{UgXq$vIkmk`37E)MX*Wr)`dKLII*5xaeL6PQ-BEbyocCXAZ
zmGjpO3XIJ~6xr_pZw4WXy6@c5!3xj;>MSpLCx9VNdG|%cw_E-ho9aCtT907$3g}h}
z5Z!`4cjPVAoFMHIYp>IC%=u6(hItXb@Ab0%16M>ktDT&Oc8NP6O&i)tCi<HfZEtm<
zYZwp=CPz;mb%D>^y2~#rhbJ^GeZHDz@x~*tTkDJiWa+#)a9S>x(Vb*rQ&tNtyj&12
zr`>+@ARL^f9#Zvr(_}@UEn_aH9r^IUqt6U;MXZ%@rw#}{=~D=%1EejK064|(jx+V7
z#_nILr?UWA3k3n&giq~@=JHvr<Hsg4PCe`dp4z?(&J$qrzq=jk(lD`=188BgvF)VB
zOd}R{dGpf}V*AE^QBI#{FuMI77{))w_$!hwa&7N6VbN}EMJN;8oS`zR<o5CqVEO3m
z%mDZdZKSZHD=Ab@@CxV48r+r*uR|gn$PT8YcIW(IbQ4N>u5K|THM0_t2FYVREcHjq
zX^+e9<Qs>?(pWP^FgwCer-tHOXq;CCpU6KGkSjE;)>078-zv#hDEb9#Hwo|78D^dC
zzvGywV%9_+G^4^%_t`YZoG&rbjAb#5)*t~d(fXlcf`NgSu)6bbuwYN{ev^M_eChVK
zqNTxE#{Upp9D{!J9$_AFZTf$;rJ{S1=l2`5U)UJ!w|hMFQebP;>^IY(Dxm-W-O&7V
z^aFhGr_PF#kEg#b6P!c_{?3;7TYU;W-2Gx#k7t0c19;H0Vjr#(dRy=T2ckl_Y5bn?
z&|J24V@+r8Q?7|XCuKYLB95O-Fa!@?ZVUwI@70)O?jJ4Z_VM|^KFLAuZFUyr(uhbW
zl+=*z8syC%X=wx$rdqz>du4p|^N_i4=mCf}fuVy%s}Z>Uj7l2r7MJ2t=3KaGfln(f
ze}kDpMdtKuCsDND#mxQDJ#+|nGFssS{wYWpn>Q~TAz;4&nh_?kxRA$<Ha|>+xx9iK
z9X3zC40{UKn`V!}36}dE_6uM#^IPF1{NQEFl-YLXUl=hNYrq8{@ybcWmt6IkeGWz3
z%Kl#C!W>%pX6`1;8{e4$-}}{62+becI(~}gm5B*SxN&0MSR&LfnwJE;bGY>FN}Mvc
z#!&Aw!EhM;_`xgmQguwmUh(=D$KcN*O(k_o#Hq;dGHeEVQfFO?5ytYYrXGQ07umO?
zL2~Qv+IC?7dBWX`z+tyHL(>i4-W=9gy_+Mk8V(q-G62ANtV;+(yV4<!GF;hU=uaMm
zy~Hb%yv!LaDOcQ2P=}+rR<XPMnP=%zlCc`IN_8`=2fNCR-#GNS@f0R${Ntb_OMk`h
z6$Pq|rLW!54p|`8oOBHQ&+V8gTg{b`uRt^3YTZf<z&q@xg|lm*j#l$(7LFJ>C%jnY
zc7`}rUuzX1YzwB;Rorsr4-16Li77`wW*c&2RXq~!)g3x<l3Q^5h4h}2RP6o?`c8V1
zV!4%B5dz<t#1LqIDZ{kZsZ{bff{iyM&$mE}c3d(#dZ@{X+{A?S*Nr;0IMD9fkWAu2
z(%*`Ox8Ev6lw<0*$ZDGG-+uPR#w_uQu*d14<P+6ag(-nP8#|$0H3u8NaWT1+H*HzD
zxZ9|kxsX;Wmv2?*S6Zqy8LeV!uv9U!G?fkwImQQY`TfMZ7XUDyCJe*+K1?Bw!jgFJ
zEziLs&7p#qe@<+ymMbxJJa=x}GCxmEWw1LOO{6lJ7*Ek;DKm(nP!?*bWwTyLHoQQ{
z0#ndRTng8PqSwj9ku#}P2|}PEnsn8}n$#7Wf^x_&>s39>qPu4+>YB(3-f}LLnwPH}
zRWs+}y@C%ICFD%_j@-ApoG2#OSQB)N!IbvW4Fodcpq5nlbMu>ctDGmMlTMO~)JtDf
zCn}@bFT8XF#mx4}O!o~5zYT#Ule0bu{6_Up&AKLs)nK1#B1_hp$1h+kw7C-eeg27~
zhOseAciV4;LcEHlqR5C{SYoj$`?rmGj<<m<9gpBFIzVQF%dsxGS^_-71dVMC@;ONm
z@_X3LVf^gLOo0Ma6Z3|<{mBuk-Z$2)$ttX~<lTk-vC-gJJD)w_ar|yFM{F&oUn!4+
z`#i3WcHQ);53l=-88aJBC-dKi!#ct%B*MynVs$E3K&j3qN*W|W?+BrOuqH;>c~g9=
zKld0W!P%ZIcZF`vKIg`+dN!?z+#rj-=9+@GL#5fA@xVRMn%)aaY{4wx9J`C6`Pb|_
z7)fPk7m}{;rb2B;8{+~i!CEvxn#eeIZ$#lXoY=zi@aK*Bm2}zNl_SJGXs}Xg?@SKz
zA?y6`Hgh;|hVsD-y;(XGc89oyfGg7M?{bX|y@!q7_O<@D^~=^!myHpy9t6g*z8;9i
z$-3P02!_f9wZf|>Cq1OLVhh(%kTG9FUA)uqj`rm*PFFF%`XFQiT&Y~%0t`6RCs)Xj
z^_LUR&Z^uNQ^mVK6OsJEyCtKThN8vPJO4vMza5Gt5|GV}$drr7{cR6-42ug9520nI
zF+5Dsj`rz~lz$R*o>pX*s{K&%dE_I@kO0K$-ddwD1yG?zff<tmE5yp6fZcGADtkfp
zRZG<O&J4-aL34zdL*gh6nHQPD{+4XEPNmE0ZaKB~$+p43imZNYl}<!+^-6v#y{V~r
zpBVH6Z)K&Rl^fE&t&ewkPT&;A?H}?7&;fCxCxk-1n37DXe?YElHmTJy1k3X6@Q334
zT3^tVY>7eLs0lSfNUliszw#5x3VJ6?%X{k!^?0i9kqwA-_GCG@5Mlh3DT|TrIR{(N
z-?fK1)YT)GchN821~y%I1;Auvq^Bi`A+=L)BN0a(`y_T2`^<W;WH#ODA?gg?{C_B&
zemLj2VA}3AKw<KE`rI0yR=uo#I5_7~qg-kyPgdSJs^$A0ZB<?Q7#%=t{q!K2=|T?K
z#)4~yn%w)h-DAE#ve1khYtDV8?|5t1R^rxves@=e?G@f-pI2w}lv!VYUBLX>15Fj5
z{ZS!+=m@p*W29&Ihg*`2Won@rb-X<X_X0cosgR+sBb0Vh(xT1mrpoiLpaMBT)rS}3
zLDioGV$03qQ?kU)ieA{()2>JByAToHY3%Tiujbq*;w(q!hU$k&#T;oeSN+T`YW$4>
z@yXe5#}X##lx-%{S(Wemvmok3#-Lm{=6)=P3?;@d@ZSg^N$FOQx#L#r9|511c)I|P
zv;y-S0~QhR??Npr^spF@PAHo*^%no4{b-8H4IDvGroTB63Di8qPXR?LU;SId)^|gr
zJ01(F%$f_YYj+n7l+%Pq9vGcd3+IHr$8R03II<mZxb)*hxb`hi(xpj)!Pws$pNM{h
zh)aZfIGb2<IJGgpcBZ}z9cW1|8+Uw&5l$be#SuxNOIKbTr>cJtaVo=o4>MS`Obt4;
zG?0)mFmPbvK{;DfrLn&F@tu=}Z{=58&c-q;<J_`J(IM5{;>4j?W3fhT?DNFnT>;qi
z_SMFnFJ_AKhg9e6)siD)re)zGQ}DWc=~K&P)Mr$1zcxjGFarpCVbVw5a-!zIXxdgz
z8w!thhCO6|9{&w5ul$(#F(2k*&LX>n@WLcAP=Gi?7XWw^o;yKP%#6+1Frj;Ur%SKJ
z_ip6+N6n=Q64&Xqe{G_oEs9>#Lf>o=nLhpfYymryo8^!jD?y2z8YAl-Ige6inxIi_
zRM)|}lzzWB?5tJW)#zqLHQE+J`Ca-NFc8gq(_;hh({4ilVb!HzDgYlrMOSDuPClzy
zL4uKh=99u^ujFQ#i@`0Oa7bqZ(%g5f&^UX7-jwrpFB2Yf97M4I7gouiK9_#us54V3
z!XWq=EQ)JAYTk^ssn2jdK8y$U>0??S?%Y0WWi$0%U4hO^lt9q{-Lyd1S(=cL9{8j@
zzqI#EzX`y#VTYn@mX=ZB8MtHS=f2KijIe78TUMBEu1h<>I~)^%f699u4NNyd4Ry7j
z{>xMMJTk3)YGHonerO{41m4lA0`~U!4Ux<{!vKElrQl%zQbVz-`|uyXO(n4ty60}s
zWCL>-ibmqUiZIVYDify{%%9&T{+#Xp`Q;jJE#{~5vW3;gG%%?Wg_NDMzJ1bE0J}u+
zQ0`>TuTea1J=)tPz+b2Y?Ofg3y7jI4Ye}#Fym*3iVH@f3SiXylu1uCq^;ZmXS^-Xl
zN=W)!6+RjL&*dH(T$6|pqJG+ufvt(Lbkta?K=INqP0qc8@GnEht3u3#I&+xH`$g%w
zorT3sAh{>YAT~hv?H06h$<*d*z`p3B!4ilFg84<3)|AKWZ-b%xd549Q+t!9Uj_t?|
zl6le<#5Ku0c0bgQz-T62@3d{Um=s<gA?(-xeREGcMWCGG1uV&!|1ZA2F*vg*$~NhA
z)M0mQ+qP}nw(X>2n_p}@Uu@g9ZF_oV-m99adiAPK)j7ZJkA2Tx`_{U9uk{&6&#P=p
zUr)t`E|J3*iIwAtiFe-Lb-Fb+UHrT3tb@OsoYGMiSic0%=waM6wh><0(V6~{T;i>p
z?z&MznXPAtu!CNt8-B%{pRx|Pv(a)z8oeB8MT)Oe{yrJvOr|NR6E997=ABc~yI9~N
znPon(PaWpNYieCik0x>9hyCG;(PP(5-#2wxv-@Ik55tDL){10I8wVny>p@v84MkBm
z<y4O{KCBXwmV$ZS1be(D@RNDpFV&GX+163jWLk2QNU^+CCF0FnHwO~Wq0R7RRZ2_v
z7<e0^qVXJJEya4-Jvg-%I{6zjAUoi@2-kWjC(?zj&8HO?zoKk(hcR?+w07QVBrF$N
zYW3^wfxlqg1ao1zX<@lJ?XhCQHYki+ZP&Tn5}tDl%eiCnL|eH8vHwjwnY{kkt7I+%
zyAGM$rUOSxg!iGNyXHc+$-ToO($h6DCM^2z^daauBJ3&?K#?apVN;V^-2y&xE~JOT
zOsF_cC}`Fg%3RQ=f`v*s;L~+%%AG6PU?1u^dr<7{CLvz8AX){oT{!?QOfRZ`tfM)P
zDAPPLLii<u6irstsO!r|ttC(q8P9?3X}RRB0oTsRY{Z&{_-_nu`zMAQ<H*|hkGA9U
zK4ixN<lzapSTNl1X9~#YivB49CGXNvSqtt60T3mcPA&ioIKVI_ZPqpbw4ebA&&wrx
zjGrbN(?#R*R)bV8m@qxGJoUykR}Azq54th9S+(ji+2MhFtUeEjGN@4+e62v+habZ=
zr$1$;z5)&P?q2YubPhv=%|x=OnMBN=vQ2}0cz&m&&fB0|VPszgkuWp;4567YmAU#$
zNirvi`sMH3?O#c_FA5*dc7-a3*9f0aucg&ZTQ2S{`?bp$bmG7?Pl;=&_A`>?sbfT<
z+Vlnn#EB5<H;1Zm#L{N~R43B3dg>Ukx=#j|?)~_+bKJ7J|L>~dz7M64nEcRsqnw4u
zyRw<rnq@n=POE9CfvGB0pKn01M#J)6Ffb%$-3TVxtLsylo><d&!lu0k3;_y|E{DOj
zJUVfMPboriAadMh+7TaymL0BfrzoHB_o1u<CzUFe!QJUQTvq_$2lsDqdGXntBe(`p
zC>z8!4I-M1)&<m~#106+TA@>#Y4n$O6xw@)rn*$v!LSuo>^lI7_QMkeTDF3y4=QIK
z{q-f+wDAW4^leaVXwWu@`tbfsRN+7fpCrekh*(Y6t~rNjnX1R-+j=(VYHfD&@b3rW
zBv2xYX!wHtr2Iv4XTvoiJDZ9e6!50CQpn#k%Ms7YR|s(q$(lonFS!Uos}g7Qsb|i5
z)gUdwpm?n&(TD|*usjhi{hyiC?Ty;9>^VkhQWpp1jsBpGQ<iDzbHBxCId|L|g{6Wu
zW-nncn<c98v%=Zf1uv^hCy?@-F67|0L1W;PR9<9hQ};({sNt&-9ApnxsE-DsJ@@o0
z&F?fjQFZO%$P&tZPW^bUUzhF8mX60=Ln;h<t`UBE^K#lg{A-*t+q6aJJA1F63;AbL
zASG4Ym4537@d<iu_IPky(*mK=E(J}js4^H=VY@peMlC)*seSiSez<QXK_IBIAU-ws
z@shDx8eDx~B2+Q0VmIG-bNh(!vRZl)AF2vqXTPV$(>+Cpbhq7oINhUCwd74fEIiW8
z3T_)z@^*;)2;wTr3!kr5Hs*4D;U@zfkK`9MiSiP$v2cEjZl4FY;}v;GL`WkkSU-<|
z{I;*1JX-<s!Ub7}sbq9p)oxr&7y~fNI}E`$tjT*l27zH}*1zNcXg5%5AndWMUexea
zGFCMWB@;<voCO9=_Mi$LL~?hxXHZZ4925(aTIH^OXpMiC{Z{PlYT#?ML7~8)-aiIL
z2aC-w*ag=6+S5w2w468@FD8%X${Lq3@6^RO=W(htX-Ff0p0OksbuoKHxbOS}Fh=E~
zNrF?_smp6tjTx}0QaGiq25Qx4H!OcE-Bs)f!uQ)@)ymkHPdvoi6C_)I1yIU*D<V@p
z8F*AlE2Qvlt*6*9*y^^c)}Kyr0yqL<qg-^GRhum4-x7V<RFfAqTj@&tZ2_Zb0mPlZ
za3g54=A-xJwSX9cOiZBot~;i^50%O)aaZPcTXwgv9}QS=!q(u(Z8@)k^oX2l9@IuK
zR8ExM1W7ew61u*Zq`q8yha>A!QX(09CWqzy@AJNURogz$CSmW-m+jqmX^fDckUh@%
z@oZp;vUC;YIh7b%$x;)iS~BS!#+Jak9UZJENb0{dtqeA3l>s<N!(gh0k4oBCTMfsy
zZ_2pszUNEl$)2*HvV<82?2A{5N+;F_F-6W349W3;dg?J}IHAg51Ub{fYS}q<LrsYx
zX*RFf-#L1R_Bd_k+q?YghYtHjX4{)<b90_go54#<KL#N?L+C)fKQg~juZ)#$X6wHU
z4~il`WN^!MrWfJoecXEsC#kI)#UTLIvNW$OXIN$pZJbq-HVeeAcr0%Pt;;_Rs{Ba+
z7|)w$7B_89S6WoDp-u!aTzcS*lAyNViLKh<n$}I=CC5t@-@fNuH+4^R)uG=exCJ(h
z#FZkrz#2(807@CAd38}pJbrv;iDOpwP>lUNWtqOLWN%Av)~_8S1hL_@{3->8GmP5S
zK+wo-ym}wCEj8$1{SPeC$%x2~=o7UYSFtbRZP&5{xww>H32~I>SWjus+Q8#r9yuOx
zq`8unZ2Akx6+XqMpx;5p8w8IQ;^Cjvn;Tp+ax-qX%cY+|@BM|R{<E!%0=ASkb;!sq
zVJ!?xR^7W2RfCol|0co(q|V45FN?s=vDS!4qdi-u2+#dFXGWV7=<wMh3RuP^DS=(F
zFN5C(VS*oHI7Dh{!mdH&QBh;a<Ne6otUS6s%+~M8+>RxN$~(Ms8>h9?SJUQEngT|1
z3)fplZqCf7GA^RM2Hs_9kIX@Jr!-Tg#3EUCWgi@wkH(Qcs0AD+<<IDO5P!Lc|KR>@
zMwHBlC$_4kMAVVzV)d~nVB%vs*~>iSfxPx+DoWpEl{?i*2x3cf@VQ%y7pl9TY8#0R
z4Xv(`&bB*q(anVZXMx7<m*;MNaDcU=-Qrui$4xi&lLPcv0Nt;XypP#B{v3~UN4)Uj
z4DFPD==hx%$^{Vu<+7?u86+vC1=OvDH_kjV{O=8lksTrC^CS4a4hFQR`2dcB4txlt
z9gql?98NKcd-V%h#7T#KPiExauNn)y^+2a(KK`~QK(Cx2_Gj@&0z>r>_s)*F7y24Y
z+gv>>=uEPsM6$1=WW^7F|F(q94+3xFcjfXLg)w3NqwqOVz6K~`6D+=mW|&d7+(WFH
z14*VG`uc?n^MEhN?LXTB1OzZSpj1~(t6rA9h2@ZR3Xkg3R4A?3ABA@8h>3SG>dLi6
zIumWXHsR21a9ZyZwgt0x350a3HWg7rjcQ1BVOpYpc;FN%m0v%^Uz<g5a|LoFYYyM=
z+LX|Dt<(!m;i#C#N#!RQziWBi4=lvNU4&J-36<kn1zYT^(>2?8_&sjo&v*mOD(LRE
zH1|ZdN!rnI8}V*g*wL9Wd4)SF)W$7-wEUCssQ+G?dOEd~$nD0vbr$Y6Z2R6hg_7J|
zzqP!B_SpJCfipHW&3R>W_Hmyw95|RXo=gcrkVK40`lpwlG2G6rShGLRaP0J-TFdTI
zl2ak?pXwR}u``WU_{QJeqHq4GjO3lpv2VxnVek<j>cpEL({vz(%EA1WiPsE9T81Px
z5sZ@M%7M#Ib=jrnm$+EAmR2?xAqapbGizbX#}r4eeHt1Ech(dyC$Qawie~P;+o&Y3
zhR^tf1ua|_%uS?)L2Mu6Pp2zc_UkXJBoQ_`PCg5cX$d#5kC<0sn0uv0*+X7}!FQZ{
zXvDpeTznk9&EY#oFCQX4q>N;?Y-B6hfn#MAG!J)O9{D=BAAIH=<V!i&F=mQo)p^wm
zZ?lmZs*qz{DfZl>grubK*9s+l?O*}s6Iijrj-9J_B1fNIP0@K2v1I5jVt;ox_~*|)
z_o#K=^?mQRA~0uTM2;1y$1M@y{LeoMl`5po8nxTjk{f0rTv;{0NZvB*MHocbmT4Nu
z2W0dcLw=hn0U`H!gfOdkHyGmWw$ZbY6R(_g3%cG#qq1zNwNKQSi&-p67GoNTx{J|A
z3Q4o3v=eD;+vTn12DN<36YIZBjLnQ|1VEkb<8vMk&%~?>6>O=IN(Co?5N94VkBC;s
zE{+bdLVx&pE)UNdVz<2qvPp(ZPwyAN5V-C4s^5Q!HfxwT0yM9>&IkSxidUEv(K`b)
z@xAmPeo}|SHy+D<ob0o0BA8ouE{H9z3d7CJV+}Si!}CM8jZWODJ5Vp3mz^vto!3iD
zHA%Pre^=)Z)r>nb?O9b}I_9HjtM(3a&Dm9Z##_RGqA|&V?@~Kd6(6beC3Xq>S$`21
zH!z3UDONQvhDh8scHV<j`(lg0WviB^Hz*&01{+IO)|lD0qq3oFE9U~Y^j$YOFLj}l
zIO+U>Mn2wv+q;5($|?mI7(Jo0r^!wIQ%EFBJF(R=CaYnoEZ^%4YuuA{o@cNRDMw6;
z6*yu0cW6E~d@s#Kimi`K@4butrW>bkf;x}xG}kNswzbVfiaIo<%%&+jGQ-=Kvm=+w
zJo{r|U!U^nCdw11AsU^4JaSrNNa`BRcdB7m^EoiBwTOA2$F@jd#g94FW_b@06E@rD
zp9@?dfSnDmoACqRB!NkP3q(WWkTO*aBw=?ZhD?zVfOTs4^m~4SXE3j{*VPX}E&9zy
zOVnzpgP!@QasB%hSWAZvYelOMnF5+8)kwYTdSN5V%dc^grV0b|5?QZs&7Ku>TdNkQ
zn&Q01Y7s_r1emrE_0yf>2BfUt<$=J-P3Vs=t2MCzAcCp~m9Pdy;Z2I;h8ZuR1W^LZ
zZ^CFqif5Xg>5MQ|%vn+~;nrueu`<F4#~QH3=8n6if$fY82M8<hRO4xbDxrEIr8%d?
zh<z?js^Wnk_f;F!Kb|22N)}wsOd}WamvWv8`{N%)19j{y>!PGZ+SpK{XhZ|23Ymau
zoiZ_xrb<er^#l;J1L0I&aF!noQF<#IF=X6mDiiJD{Ip%9p4Z9!Vr;1ArfvZX9SewV
za+*=eQV;1Yj~t7(rHav+b^^m_9!{FYHI7ZnJ0+d~E90(-PRg#lg&%p5UerN!Lriyc
z&{M}4Q{QmjKgmb;_(TFlu%eS`rM@#5upkw2+IUP-b5(3kkb}UDKz&bK1!QD5$=R{#
zvBSWk`~P)uvsW@`SPp^V-?I;-bUxCu;+MwzBQhjdt$1?`J$ZGY(HNtSGak25;Gw5W
zi^K_*s54e=(Bdy`1f!ZBA(7?yW43})y<xjW42mJLag)mC5Od?YM@7lj7v8H?ohr+U
z2PbvLMU<UVqIv!L<5n<;+t$>d9U*}z`3&&B#VeQY8rv4z*<L4Yr^5~LL-Z9*X1iu2
zQy%c%bV<fp?tU?>C@xdE*LqoAU3lG#q}ww_`Y6btD~L~tX5&Q`fZQ5L>wl1{UMfSW
z;ro4X-2P8hUD-wWwz_l=#ux&#Vgm(vzgdj|9uc!v$ypICTa$9Y2&}Uc!EC5~Zmn9@
z#^>4H=OB$Y=fOQerp@T(fb<b^P+9M(FQhAK|DCvz6T^oCN2t6tHJ4UlY0I;REci-L
zD$9MDlS9#V?l@t#Xalgfm)-JX!cp-&7{Yfqk?mFIzyWtFgcmo&T`x=!ecu7Plx=D5
z3H+6^3_RCgzE%kU`%zR-$Nw!=r&lL>J*QVWhuB?y2RJFeI+0oWH-E}zz=KNp7<Ban
z&doy^I3{)z*}SdWdQ>faq=HRXZeM#h&-aZ1Ny&Fvnc06k*7|t^V|5Ig8=diilwc>F
zR;frT1RY;i-<cd90IQ;QdeD0G$BxR(1W7FfQSW2c0g1oNb+zs6MTSaF#j3=MmS#f7
zS8)q_#08QFPIeK;4I2+@y#Ni{X5cq+6)2#F!559!XRz8Py|-iiO5Fr>d0HrAY`5i~
zP}-uyfVH(aD+{k4txzOI2bL&wk`TD_Bw*%kN9@p5&zFnihU^)vXMJ39-@^|DB^|<M
z;@ufkkj`%!?6=@?`G@xSJS`*?2Mv-PqZ65tBAcuLo2?Z%sTnuCb~d`@G`d=o(MFeK
zTRC>RORDR>Rdp{J56LuWN0UmHmCCj`JnJy00C-3zXI4L0&)w~dLzYCM%6ZJvJdzK6
z^D9o&Kcc`b9?xrhZ+<ByS*L5rLRk9>iC0+u?;|u)2gj-wx?<>xwqmFFKhdx}m7h(x
zNcJ)q@NSiMtI3#fm8tc+UA?<q{x&aIJV>F>r<zN6I5@nF-~}tXHk{0-ciL@kPjROM
zi^<oi)bHhQq+d)?1|-#Xlv%F94ARraz{;kIR_~@e+zUnTj-eMihpXT=->#z9Q_sT`
zLss`kLtN@RHBvUJkLVjuDO1p4+AiTm6(Cl}5!YBw?FwNYf1(>P=cd!{U|Vm&QQYHx
za`(#KXxA*Rn3Pp-i(8@=_EH*82thOj{#!rpbepm7x^s_KNQ=WLQkdIiEhM%}m_5#E
zcO1mvOtHuoaSBE+a?Lg?Z6~T_iEnilL^<|!lafQ3>o22bC`;JJ<7Q08^bncg(`@xd
zvo;qW%O=0hQM#c(EYA{$?IAE%?;!>)h09sis%~%VgSlvt&xv4qIvq3DQYx+Ja2BJP
za&$PRZvSNvw@W?eVT1+4(Rim9h1PjFH`yg2sAZ8#Y&Wc$#Kd>Vdj~(zpRZ|CqFzMH
zf|&H1zfbnwAfj^m!MLzvlMv839l>6JN;1W>zjf^9R}r$mj*<(6GUDFH92>hgxK2Mt
z*)aGrj(ualp<0G#uGm<bm6cuxa7+xROgJNW{Mei(lC@;mA=g@cK&VeHDA=WBX}mna
z)4r5zs5jdnzBXORJ_@)HM;wynIqkb|)gI5!rEa`0+nUaoQ+8f!ccNI|7EA-T_m<&s
z&|~V`f_A5`b7}u@w&ZuH*U=tZo*7oXnKRu!)!wYBtPf6E9p@8uDUt!%l**Qs{sEWJ
z%W9~(yV7*X74YhjCl;66{pSz&%i`zp-{59AjQKGl`)`iw<5W+gw3{Y&G1`(syM!ho
zCAgTwCAj6>|4hPSVXcO!ti+k3s3uGyWgtvE@|vEz%a&XnD|#g?RUGHv?q>g5K~i2}
zC{7CD6`^r^`felgg^A~6bWTd|B2~NtR_$+RKa}xC;>xUV#`T^KA_g;$AL80f#G~h@
zF2tSg#S0o*y)osI?`%9+(bCp`IyS~^$W?usL+{;jsL;^vG`JrZk9kEMfYsO~UgPY&
zhKb%EIBq{sSI;2WE8Ss`LgfrB3#ziu2Yq7+x))d|>zSEI@sIw|3}zL&ZuN`L(RH{*
zC!r;|onwd)gPjc{@R)I=n!m&Dc<fvMaQPdDvbDCV1&^u!BWxRf7Zu8jATw`XFE`L0
zmx+RR+V1TB<B3OfJ&-DsZOBjWH1xUp2F!}2QsXw$@sNn>tI=Rk&m3@+Cqq;zqc-`O
z)O?D&R7~_TkEl97fLgRVFbBJP?170;SY~Dsa!koR2@QW7j>+CDV!u?!-2Z}+O$uVc
zNIi*2$UPa&J^8H#M%GB3ISX!&nG(!Y-g8S~5rX2|<*AT?UYKrbA)3T|ojQ-G0>?W?
z=uN9{p}J2uojPd2&Z&ngcW(`sIZ*$Ix&OGwtPQMWlp{(_)&T07=+>+;7f=;L3t*y2
zF|j`Xkz?wc_jWPa+Ifi@e-yMlE0A+xNQ5>$5YUJ_WQtUUPf0$K`kWQ__Rw+7Sr}8p
zD3=9vY^>5=FD@p&w7fa;PJ`s=e?A&N&U~4C9LgPE#sFXYKa<stx7D6VdrZtt<6%47
zQo8dD6_~-EI#`YQL5aOw2ILn9W17o~nXYZ$y>i|b^5lFhkMvBx!M{rAYhk*hYP4K&
zC?dK8bs8ErY@Lz6(ZUJ9wAvMK8=8xdbt)(%oWqY^RxX=kvv?=JaA|V73cMjd{Mx)B
z^DRJ^8G2l>x2PYGe}L<qLy4Dqgc|z&9zQf>K@izb4>4~H;B^PSK{&q=d;Zo7;tOjm
zr<yf6v5Q*HKlzj|;fpIg@^A*9>)Cd*_niCzFC!kCDGwR27?49`ifMp~h9nE)8ba^e
zIv3G>U)J39sML_N^?bUY<)PArL=(_^e}@CFS*`N)&!!G-af*C0rkjcCnD@&ft$oDp
z;qHU<K*ut0rzFHm0aSAIg!@D8`+**Adc$|`X}`6UGNYn{nd`mSU@2GBK$L?00|!F>
zpEK_hQZn9;9?I;@W@>t7T8H^I#`aO3$pNWMGj11#zVw<qrjM-9E!Ow=*om%70`iz_
zy@uY1Lm_{^^ZNa74v%#H!Lhh$GqBTSB4%Fg+HtQKP27&N-u>1}N&r|`vr2W#Zk1hU
zK$8aMnIqKdY_Z7K=0l`U%z1@M14W9LG);QM&CE@eW<(79X9a=~OPSVR#Q@o_op5t4
zF}fD33vAcwYz-Mb%5I%3-n#GNPqGy}e?0!09lkvTd}tOBJW!c*)T$#@BA`>AC;+v!
zJ?v*#F{T*iB1`mT9`*`6w!?YGfO|qGm(jx~O7k|(gPY4iIRW1NOcTAHgV6Vj-4frI
z)+rv7G-_#lnP@hD*`PQB;U0kUx_29NRN<A5IQM6p@(dDQ1U&~&>xk=^s=HH|{eHSu
zd>_XlWAYhFXVuu@VI0;-X2?<zO3`p!5c)!@oquKP2Px=c^%}~b`!7%ijYYOZwe<W)
znJ;&{DKCAc;X=9O%u`tew7)w`RgTQc_AQdV>eSKO*%p?Qq7YztTT<&@gJH{<|BMZ;
zIh7?FogpHP;A{Y#fz1Pf@zRWlBfkdKfh1X@&I)UA6IDc3w^YJH@b$iPKdtl#TXSX&
zF7wwn2T|<aB^rDbNTCj$PHe9Tek)RHb}Ku<o0MTSDZ{~iCE?n@1amDN8U=10UGWQ?
zN$JU7Y;0hRMB$B)K~`3y>J=xky}=l*_7z`=v+t}lY9!D`70n$+s@b#}>7A-iXVf;&
z%&zo2t4?3`L4re*#0Ocbg<^XT_ZZS;H$l>Z;9>M`0ue9Xkl`qrXRR9-Qrib=rwo&J
z=6~iGA(RD2LZ9MXvU@&6Z0#-e7G_{8FM5x4ne&RU{;C?8cu^?1;8KEFQy!IFhFp`>
z#~z&W8sCz;SXwAk!TfA@{j~qXhmMI`^)V9fz+5=;uFFLc3mrBQx1PHRp@C-}bPai$
z87$qv>GiLRUz)y#>9*5KWl5zU5b_S%0E6F8C@TTu*D>u2&ZqV|D#jb`RlOBezz%#Z
zJX`FpkX2Mq1UaYlFEVjQ0)D3p<TmT{Gf5=4P3BdM;_0!){}W4s+%Mov6Z%Adf*Q<Q
zkD{sHUrEjJaLVbU4>$P1FxqXhE?cmt#bh#+<RIB38(_t~#Zdu4y@7p6HQ)l#Ty|iU
z@IfQ=ct~@V5)QOxk84IDQi8<7%FO36ZzPd~uF_~;#ANQCX|AHO?=`mV&$vx$C)sb-
zMKtg8>!M}Sfd$t(bRdR&X84TX2<$8M7_|xAtAC7eRC0P`*0S%l2~Br`;rW8FC&ui7
zPbIFoL7hMs)AY2b>gEyv>)v%svD;YP>bf7gLl3I)Qz$|`i-m{POSiD;YPf^-6|9=Z
zzQSV9oW+Vj%SOlGa4?7u@m$>RQD`-E%kx6EQ~8eUolz$@g&PuE__(Uyjt9**GrIby
zI`hY(HI#s{Cfpqw`{xPtqT5m9c%=IqOL?XCY5}EW#WztePJmEw>!e=SVwyp$(c3vu
z*ya~nF7%+9TvdU5R3e+#ZI@SQUBw+>*Ne*RfENJa%}V)FN)R&gQYeYvp+s^qz(e$`
ziaX$SjnhjTZ&+V_XGVT7xm%!cqp+Vqj5?4I<REqU??<+d$G!2PobCl?E82AxxBIpD
zAseiz>lKwg*bC_Pc@Tl@4i7%nN;~+w72T-2*AXv?bo}<6b5M!WIkay_Jq%yaHjBi!
zva1mH1QRX_=?L8l$8)ubD--zcW%Q>&D(V+JxXiXwOU?BS&;0ze_S~}DD9=1tsw@kO
zj1DKgJq8>d)`(qh#Ak@NEc|dg!lu{mk{5!DP|KqrRPzC=PLt=Oic;$aG923>aKN)f
zD}!xTYL$%zjrDOzT~FRTA3{<p(@OqQ7gRJ)QFwur(2%%2-rL~fv0`*~`TB%(8`G=P
zZy%py%sd5>y_28m@kfS)h(3}TZnsFV-6^TyUK1XYu;tuYoJE&3i4P&+h=#5oneS67
z_qObZSSwsNgv~woflDsQ`!Yp&9G;m*ifpf9tLR{6YJ7%w+x;Q6iN_Jf$8tp1uU($*
zw<7IfInXV>9haY_l`(NtA(4V~QWC!Wy6<&y_!nv<JT+u{y3Z9J3%|Ws*5f7bYsx*`
zRHZW!K#zTOmxBev4WdN+0|>y!A3v<R&6tG>Npr5eIhu+skJ2M>zf}Tmvh}_skD~83
z^hUZ9pP9DA>6(TXZOH^a_5hlu6tRhmU^U+nxxdPZLLqeh%sUd@IkfY1M+mWgIkZI5
zg4t7SZCpfbWyiVYDr8ms>=8j1Sdd5FjwZCcwfxq%C0)Ca2WM?mHie?pMX%E4iRnJH
zLa=Tky95he+Mr)h;+(5H4v((+{_$<y-z?h&UMmR)xx6|zcODxx&b&O;DZVAj8=PrP
zYqIN9#tHSBHO&!FK)~Po_bG5myndD~@$9zLyFiKSmljMrtvZ&o@lrLe%)^83dh?@^
znQW6RbC&zgtx$)IpQ!L1x@5za>hQ4hO#4e%z5MVW7=ZwsY6DNyWORzzyw=5Zc#e+N
ztrnunEcr!^jVE=b9^^*0bLO3hDX$s5V_2!K;ufU}Qp(Oz>WmE!d)xH%2hPH%>BTgt
zGpgsywQ--tFL37J(6sLOJwm+R@#x??Wij1O`VpX?CkvkzxamF4Y4CIB_1SZ0joM<$
zByg6`#r>C@3T`#G_vCFBS8RX(NiArOpkE+QZaH}UN+=1;mVUR?*uD~bU=7#!1EF}N
zAG}4PCTmG>Hys1Ii2p4Sct}Kl?tS%Ktm~1E+n$nHO@CZYst7YP-@R5l=*L>NiLcG+
zGx-*@uT75rzhiUizzpQ*c5Y$T$&b8%K@5T`UQ{(vE%y!6x#*H0*)SLbv}TG=#Jy}Y
z2L%#aNQ<HAI6VRFd{SGGJ@O7()Zr=1-+XQ0b2M(ny=ASELLb|&@RJn;iR@y$@E+&0
z81OYXV>E)Tm^KfTFWFw1&IMvCZehMeQiri8DXnxp&nb+bTY{eYey4JvqLRI*gmVGi
zGF_k!;3QY1<mX0?8j>3%@=Nmvsfej6dsoC&FHyOFTN3`bAyE7wOvA4h3V)|es>}Jn
z8epMvz{^0oRS7%F>iZM>-lq+pBl>f%n8PQEocCGm&p^#==gfxQEBRWOYi{5PdK*TT
zs9yQMK?sv&Ta6TB|2PNMT$!GA%cms>JDH2gV(rK5-R1Rs@5f&?q+uTKPB;7$6sY^Y
zvN3Ri=o3O5GtdwwRy+f;JY+(vV@j9a@VMfO5ZCW7cA@y(NvUiIx<hDgH6b$)yDkgV
zz&_WjwHNT=$nV%aHOgoI#Y^DYreflWYou$e)^InMNURugr!5ykiAP6Z=)7ac!Hz-d
z$zw#m*xV{NF5tw$?Dbi8bT{tADg5VK_xNrStpk^~Y{~d;wYT11yRhUN7uuIea6iiT
z<d*3+9A>aWfXZHVG6)Dr0_8MaFidx=_6?w8iW%gyK<z}^G;8#yVk`#<qyXI_Pun}}
zsqeB#>?}9dsMrkVZkvc_UKXjB_a61@NF7cy!-^dNT&c`Wtq%_wg?2M+rNf?c5Oc>4
zFQi4+&qF?+t~-vMMKjmLtHoFy;a%Pzhklu<a*4~i9PX}vy$ik9;Z?tyb3d$(#?jPY
z^$~3%vvtKhr&{&=nT-lDcw|lfP}0=%)!kX4*rMhg>YnCW*;f#z6_MCb7W;h6bcU|g
zsOU&NZFxJL18qROFb@WYgH%AMdZvMfzRF6E8;*#)z(*dfcQciSgLko*!s23e90&;n
z&tC_LFhwbA`6(-T7fITYm-5OC=+0z<xCJ7}!1yoOC)}AHs#Av+oGpLPd{_hMAF8Hg
z9zO$8!iZIiF)^mKij6GNy}vlmq(VDI8-!N!Fe#Qg62+`(0ple)OvIu4{fu<Dgo!7%
zxvTlE!Qr2q>@uXycA?CWBW|-kg1!{pwdpMhyS(V=U0h84#^xxrQC^Q1fPVjLSSqw3
zx(9_jDOc8*D{+B)F2$+Qu3+I(JhpOqo02@X{Q;#j<_{$~12Z4IQ&%=;;fY;uUh5cV
z=9a@ZY0!;OgYVGr-bKe2&8z3Bo*hypa1+-K52DtnmVN`apI8#l;QQ%ALlZCHuuHCY
zKRvtYThURsk2Qu3D9HD2AJ-&oNHHh*YqPl->c_An1_h5)h(N4<==+GOKZ-u8AR=X`
znqa>W-@bU`Iwr6)1|C40bs)lu7WC>9Tou0fBsk|j9&Ep028E3OtP>3yYFK6GE-Yvh
z>^XBu@y50J!<s{;mtRH!ity?!!^_A9f5;=*)q72-`<iWF5bPB~2VFA1Yft%Da}%_i
z<-8F3_wlh;-iJlFBa>{lpzrM4g+olROc^S>#6vt=+dHvtf(noD@`Nx>g|N9q#Rm27
zp0S=j04B=Su0vs)JE=};^oPZ@a__5jNiE8{P_(XHpHYf|59%dywO|U0!LEn;-V+P0
z|HG<m@~kx~cwDFj27Ee~gyt-TKv8BZ<DG^-#A-^T;-%mQ{<qjLySuoRn~@Qlk0fvE
zxENkKuo(<bmsI<iFGTO;oN6XCx(wtyob`1;UTc&l*3}l{>#;CQ7g<`owC;&OHe3;^
z-+i{t_5SL&yEwy>`F{URt@p5j?w#5$`?%Pr1eCVp^mY<;ERm1;T$juB6H@AR7KecE
z%huAog8NDuqd#s5CygX6U-9TL-%B0BFIagBkRAtC|3*AQFz25Zo$1j8a=qw`;I-V^
zq}7=|3DLNpTBAy#^GZsm{YhxPvU}#@_~K3CsUhJJ;9M+RVSs^eqZd$BJII-HQCYei
zMa&>?GFSun{G&3rPm*@F>%dTCJX>#O2!x&)u*)q<Y`=N>Y95A$=R2hJ=Y(O|<}S8h
z2#LcYal_vthe)CN2Dm2WoiPse{E(Pkp$<q$eQ+#>>B#BWDMgM-NPCPA3~_l@@e%=6
zAZe8FYQsBAZ7C~I`A*uu3lA9LvXx^*3qZ~#6h%b{!l+?BNMRIQ8$=iJ*w7mRzp7o~
z6u9~c6u06q9F4OmE}Y)~BImdX<!n=ibxbecj`Btod$Zwn=N0toiAz3B$TxH`Ts0-S
z8a@$sWIOW{WBn|dv{X<~-^M30=f4?y=_yFLl~CCf1rzj_OCl_A2obFAC1q3`1ivxd
zCrlNfr$xo+<kd_UYCrA@Zj8K0c}nYWZSmTh$qOIb*g46S-gXmso0Rmt>|mif3VN98
zI}$=d3eCp-c)|~s@tn22^YK3uk@A+Dkzo5mq6<U4uPJofB&XV^d!hCW+L%5MN7-}=
zFzyf0&zE%y@5MF8?J;X--c3ViKB%JkawjlNbnq#>V_RT*hGk?JHBuywRShZ0BTmee
zptP0rF$xScf@aszcnzIdTv(uJH0T~j!AG9rapHB3TU^ypIxdGqD&^8M;d$ws8JL+C
zGc&Wu9>YF(9oXaUh_&|==n9NG41PzzMpwA=j=UzLr=IAab}~=u=#U;k_~zq*qG2Af
z#{ogN)2h$mhY3gMx_LMuzv&@67Bv6dK>B%91l9QjGlaJ9MDcL4VT7pW-;%1aG1|)M
zY<VSysP?x74P8cVI^2AC!wnfnq~wG=O^>Tk$KGUuS4ho>{w(KW^}C(6mo~#j5Wt#6
z&a9+<4X)df^q~+kxL)F!{NtInX$KR4&7W>?BhCdz=nTz@<zKl6o@uh{zE~BdCQzY|
zI>sXNo+uFk=(ljNbcH)9FyO!X#@!k|ay((@N|o|hoAAisdZk0L^xoj8=RqxLhyS3~
zI=5bnE4cS+t)#+8XiTr{FIGX&v`%ux%Z|(ifMgHsg#YTmjt9-S<ra=@=QVC<>j<gp
zLIf|5<ZSzzKZ%jJdMgz>ACrOy=;{F3$v0~LUKUzi!9-p%T7S(IwW=$<?lVo#II~R*
z&cZq62xtzLN4Kf~7|jMWIJrY+TW4q2?NT4_>sskOy{{m9q;z_uzDM_1r(0*mj=NwT
zG{U%s_s{UJ6vEC!TaGn0cC-<%^xu9B6yaZWoA~(IqHpp%^M+M~w(yOg&X~<8xkqMJ
zJCf`#)BS~2FBk!tF!7HW2gy6hrwj$Ih?02VU4G+3Qht-i`;Q+E+X$K|DWN5t0|MTD
zKvLgo)KuA?rEqD0W@8P($9CFtDQBOO$EhKB<QVRg3<?g`;a^~rPNL?qX%E=;oZR+@
ze!ra**xX^;m{0j<XL|j7RlqB$12eC5r`vtw-t~PcC)2C^7>E?&_&^{bPA2hA1!uyM
za_Bz%z~;S>I#+q~v=jRs%XJ~^And$)+3nN3e0(okSu-9gXq!5Y^Xm|_1X2RzGMEJ)
zY`Y-$Mr=~HP*6(XHRoqW1>PjMIT7zN34N@w&Cqe)O_r(4*PAw`4)3!JF|Cx@6{U!w
zZwNEIzQdJFRaNt=;a+1ovt|RqP5<sxX>XBB+6X6$e3c@h?T3sy05RDIg*1dol^HaE
zR#pW__Wb?!a;tYO$BNf>u;=}?Ck6lexx6boyGy03u%db@S-5Y5bS`-6SL&^gGD9(1
zsk)URF*#RV)dpGqImc>a-Q0x0IxoYmkRJ6>;IRd6g58jvMO6pxz309|4Vx-l-UUTk
z2{-izE{6N+J?<ZA6*I&RYdE@gpmzDFWK#pG9<$^)%*BeUBOeV`*J$D*A>YkZ%y~_f
zFaK(VIJA#$*p27AduQrGs?}r}%9&Q!HQhFe2w?)(pI0z$TX(Yl<IL$uf*LmT2T!3z
z#H`dMsQANiS%F=uS<mT#0U;@KACq&M91X!UOiel(Eq?b`*QH`fswSth>jR*I>@}T}
zCJdL-vYT>O6>>+=Qb*Qn)C1hQTK;Fv(L1W_F^<u@5mtGlu1-<SOUHet{HMG*PlPsk
zgrhm~7%YDH^77Oe@P6O4jk{gIA1m%~RS~BMtV8MpTMnepGeWP*hmsU4j@liZuv2U^
z!Fl-8wn1;3uG>@E6tLFVGU+?BWedzuT2qAl$$HEq1&}L~gDf$S%*&JJB5DfA<l^H|
ziUf-5_Ko8WoGPOvS6imb!6NV}Xz?EB#C~rl*E}q%u&3(I>EPkw`nJ63Dt&`l4?yQ}
zFLJb0o0`(zv}FCkMX^!pf{yw+Dsr!FHKjJu%PV`jRJgQQa~%Y}iP#WfqobQ|0IL)=
zs%6+^eA}pHy#WNnQVp=O-Vhyx?>)L{7>m-&Kso9wv-x*LBcn1OGt_71e=>adHY*eh
z4OrrW6N;ug?TVv6qU8qZ<Dy%X6Q+)u_3C)K<y;Im2XyB|&F;X0&tcS<(%wgh8BnX$
z^p^-WvHA)Nj-{8E&VjBrN?8^g^U}Q8YYk*g8I96zN@>Y@39Qa~aM=)renM#!apEf6
zHI{tz3WE)|>QwzoAY2z<zq0LcO;M&Jv7T8SxM3!(+RGn=QS!hoT1`ACs8`D?Lx+FF
zK5Emzp-$YCmu{<?0pAji;J}{bL)3Z~@)^@6RrAzF1~z`D{#H4S(M7v5aH{^cScRc$
zt6aLtfi(rtS*+35{%h$6puv)ow*ZWZqA7H@--CXeeqU?mN%wWKX|*C5g83Z#+WK77
z+QRvyN=gSWUo9LYOyv$+#5q?S=>-rgDOFuUa;{0MDk)MyX5u#bbbowP*{Voxk};cP
z8r011EJlsgRCCrqlmczE%I$y!(UR6YFzB}RJi0AEphreU)n-PLR`K>qpk+QLx<;DF
zF9l&byZqjdtkQYRwdbL}nfE88zgvggU_X*Eg7>Pb99EU(T5LYI^SI-a&2|nkD(@AC
zd(5&?H6rVFz?YupVr)_)^(i!~#!3EgY+7D=8k{Y~oFfFZlBY-x_Sipkm!;N9cUG@-
zbT<CmaNUPj+4ShPh6HUoTT%@5)N2+~?WE|+)o_^;o$gVT&RnoH<by8Lo^Evh;_A}z
zX4HNi?q1n~P1DqgNx@WL&I4=$l05b)y;^2#8^`33!{S}<CGwhjaa=I%)RldTzP=H5
zQ1sm;u<0x)bg8G{^Xxb}EG7Q1W?cHlv3~;PMVsT8C1^oBgRBQo95G`SSowAuAWt5q
z`{)}*e<i2rc*K9+d+bW|v?q4mN5&&<h^*%)mmaq1l=JN3S1g7*bLQ#FV23}^S!ps#
z<F`EQe<Y8E*lMxUVBqZ5_LCR&10gxfoW;on|4v*&tlzf>*%2Xefwye@N{Ir%WJ7gC
zZVcxFe1*`tn%z|_Ih===%|%&8rAeWCGjeF?D6`Kf&~@~im{C1(%f})K;m~zz@T*Q(
z4dPZuuvC*wyayAk)TY*MT?k~F8*N(*h0YrzgdGV0<uYipr2TEI$uvnsRq-&iVGk4P
z-VUMW&#xExL{|;;*iV1CeGtvT_s6mJ^f`t<?P+@QQe>Gf0X6FzT{0qL`~1nmK0ZJG
zI%pVHZ*46aI{yrWH<CibT0eM{*`?R3N#lF2P(6sCmO5cT@Vm#^Ois1W@NRhLe|@hl
zjDXTZ_}m1H;aU3Dw%;LTB0)eRRQs8lh8*FMXguKd3U&5SQOSCG9OWP#**Fux?p1Ct
zB09-h&ye=ZI=MZpke?z^X9v-(i?SjD1}#zBrX{AqCUE^drU3!a?#WjATg;Bs^*@g?
zj*FZszfp3(WqwTjq%0Wp#ch>}PjjRsgtAj!tjrFnb%He1O`G`H`kpDAjYW7o`8a;-
zUTLxN=e(4S#7Fg>?WkSf#*Vr)5jt{RQ>^W0pl%7#G96BXR{-htAv4GI7;aP3h6yuQ
zzr<w-v{~hD)og{RxL%1qP}7<}5m-sLTUSbvhtl%=&nS-nLbF8=mjhMz$Ff9tv^-qr
zsd>o^m-s1;@Y7kB1Q#+fnng%+u#zZ~+wYx1<YU^Xlq_~jv~u(B4(f0x&xT}5>%jhl
zZZyQ_evkb5Q#gHw7ziW@k8Knje$kO<`9C5n=_l-4bi@7We{No@2TD#T*1i#>7M-?0
z+(D^_NaR@z&>?1yH=o-p+^+YobRABGgcz^DQ~z2C_~s&@cnTo-gy4DRL;hNuIW7dt
zm8QjiVFJ7P3&qp{9_XU05Mi^04`=2LOVhGzQ@9iCMvu>WO(-_xj^MDm17<u9iZ@o5
zc?W%9{<#evW(7%i(*$TnJRz^y&e?_I)(P<)2D>Tc>d5Vhx<S=$7^Kpi#I=(*!F@qT
zoq)6}pl0pmYKg|Vr#-un-4aUa?1wC^lY5bmy!iJ1;j%Tq4L))w<t~u1-KRBjv+nWv
z1!WhvN9W_Bio<EU&+p8;|Ch6L8GG&g;it?xB0)$KLsp3Fc%zIkA$S6?;dSc3@9I*x
zS=NqT9KNK>L+CO)=!&uJk@Vi(nHiJ*sqUh=RXrrw#3#Mp1}U`*z7A&Axc#7;mBS4o
zwExq$W+E9-F2wcW)#H`Q#@#SFgtIXfIL*ycb?C-vZDg}e#Sy>wGJwW_9cs#<T5x-!
z;NYpv^QPa)*ynmb2Ib@8{iK1cr;)v$rhW54@FB<)G<z~jdcgUDgI5;c=J%{%rMn)d
zR_+j4*H&<~)%K6KF-hj_ma=9SYiO(rui>cd8V<P6WJ}5M2*o;wCF%QgL??t)CtNl-
zcXDPevny$(Uk{N(;R`uelbB4+%Chs99$7F*ekT33FtoTtwy^b96#YXq6{(u@d@!91
z4;x}b30yV?S*o5_m2(SYIZeb!BgE{b!+ngD?*Lb}yx`nXag>E};IWo7hy05(zewuD
ztxiNQ%5mtvUC^m)``#f>if0Gy@WbKJdWtS$wK8pLoN00~O0N9Wf`hJt!uD8OTJJW|
z(UVjEJV^AtIFgkFqNe&1(=0WjscG9bO^qOe#Rcd}rRHSx;c2y$o8M69avA}Lff{Cx
zBTDw{va))TrFT!V1!flyEr;(nTmHt%)W%>Dc(uKT&a9i@tsygOOgz-GiapQ-oUPi?
znu7*EJ4qnq(3}rpWQev97E=%WHo1U&Wi9-h5~dXwT=_eTT*%geG5Me@ghi38{rCEx
zlx||bkS_wb+x2m|_|~an;`-oAyRsHC$Zxnpj7n&#x$0?GcsV-vl93s~@efD~^Je7u
z;X63RP_Nj<IJ6`*WCM;N%Qzd@>G+3dsLm`wJ%KlNVC==dt*%%EpGr&4XD+JVFn22N
zAC6OhzA|5dH%+ELlMuS;mbaU|uEeY&&!@DNH02$nRJ>H?SjIZyA2^lm&M^0wyC3Pg
zyo1+2+k3~5O+;18MHY<Qt9{>b*iSK?l3UDLTCD&f#MwSB2$%AE80`aL+AykgE1B*U
z+k#G@7LivNO3EvE&l-MTMW)JUx#>g@nLc-nO*cuuVYc8a$C7&Lr3Kzn%B4;(d!iuD
zpr<77-sKqOct`2+zxGsivqlUBo|@W1F|KQ|D??CMF3I$=<J-V_P&fjAe??^lWv2bO
z(m0AEPW_X;T&otA1C^k+Yfe!zfmRCq>`>o3Fd2E)jY~PT><YM7ziNRdqQjqLn2pHZ
z9l%+_@CBD~pgW8-Q8!zWvzI+pCX|dfKsuoQs<Gz{0Ow6uPvGhhy|61qdXT7voaMAE
zLz)WEep`;au#-u%AkjdmlQ6XWC#9Qc;)@$)=TQBwHVfUS+H$cyv^$=FPPRndz_YR(
z=lbV-R6@0Q{OcOb2u+%i1OF|&tbE&(Nz+rZ@zm^F6%qV|N!IBl2fX_S)pJ<1c+@?W
z=79OEe=D!uD_&b(*tR>U^|(?G`cDvup6elND+6Gb*}BD(@5Bf&nr0nnMzwrlz2EB9
zoiyV2<w@&u&o{P}R%kp{B1l=RNLeCTUaVPOB5GNzYFRSHSEGAYB7j+}fLS7uQLK@1
zywWH>-Y9wAD6!rs_3kV_>@0cgEV1k?_52_{{UCY$AhG=*^$j~h;X&=h#1(6n`$y6=
zPEnGopfc;i8m)b8^6II!r1K)H;?hX(eU&fpJ{0UO6%6M<Ka`#Mo{88AJH-RuEyyv(
zIjI1rpyL;1d0{<ed3j2Xikgs2(}Jp)&f~%|eq;ka49f&z^j*bJhIx7VQH)FGe%6jK
z8HWZ8P178wRnx30*QLu0gOJOd2AWO-w^Ti|oN=0M+j(AzuIG6{jqe-QPLg&aS=JeI
z30FUVAS~;Ed_OE(pLjtOE9rSOi)?_PNJKPSuW+LDRC(oyq!QzX^1L)#fBKXo&?)nr
z`?$R)nAWjQO8bm4wY@L7+R+8rN?Oyh<WlVxh}AGFW9upfG!E6;JbH?n2#Xp^i*gO+
zVp`HM%{a7uZdvxZdiICpIWUNIXJ+C#a*%Up+`lU+8JN$$tvnVt_@#L8itN=Jse4zi
z)^WyC<JAw?x&yj(oOgcg`7}&2EOXz})Xoq_G7;=E%_d0KFEEZ*)y`2?G^|1LKE%iR
z>?!5EZlEoxTj?xm*ab$ju3Afxu3G{wU0)cLm`LUsiROI{t+rp5+`66v@jegCx?flt
z?vl1Yt`Pj*0Ql}8u>1e$_?Pz8N}F}yzlF6}R<!_3U;Fm~-Ej4V^a6$VK2XAY-%96w
zTCo#Q<Fl`|4Icl09~JgH2s}@qB~2hm-7u1<+I>$7KTr6N6k(Zhf)qiKvZ54GmGj&<
zB6li7Sc-(HhH)~DJ8?U<BZORFs^dS>vg2;F#{cgxipsG32#V^U1WAgjsQNLAn!gd0
zWt9=-<z>|&8J1;LF>PmMH31=*7M0<}85Y&SDVi2l(ZDr}n!p&&)5^%|w$tj+Y|qoG
z*sixzI^k0KT|!v;8T>#vh6Vcg5G;d21yL-cN{1nUe!c`Lz_8q+IFhknx?zHKSo?mW
zxkoUP8aSXhPTkxmSy2fb(mbzh?iB@C0|!-SfvdKmS+1)#v7Jw=*ZzU<92a2)F&tMx
ziLxA*Q4LcZ*MB2vTQ4Fis#~u@0Jg1{G3{5a*8!op9v9&y0!e1sUb{tVx?cNLZd>m=
zYTd7!cwY~x-Jkn<-$*|ZK=}WK-T&)9L;gS4c@D^rUqL;8p(xXK1feLBX8NG0GH(dO
z$P-5L!~R)f8irA%tn7tRWxxCpCyyUU5T{H(P!y*~UYHZ7%6ecNAy1sBAE5+XIF3-H
zZrqJf<$U}iFOBPqATLkblO!)onj0gp$h@O0Eln6JFD=hFvn(x3SvxDO$bQ2#FOC22
z?9wzZOI}(tugH4hJSk0_YC9<hTzQ_9rEa~QROEa?pqt0_hM-%f?TVsXB+U+?TV>vo
zrkN*<7N=QeoSLRtq^usLS!KVXs+-3Trl?z{AF8TbBrpEEpjnTsE9Qxlz?J{Johufp
zn@=lNIiK+CCvp8T>}P5Fvh1fx^Hc2SnfJ6UCkf-#EoT|$wk@YA>sKx3+3&dSC-KAC
z?q})8y6&gR%UkZ}S<k#LCyCQtFK2*j-<Q+W?XMR(L~f7}L4HsW?<Rl^*E(*)Wr+3q
z<OEP>TNG&Hv})S|5Klu+sjK`+ESW$pQqFwJXgrocBUa7*`U{y-u~N8<@sLuvT(L^D
zit{n0p#!DToP<hiuw1pFjiu6p#!73rZK<IP&f1&^Yki=Ybv{=i(UeBh#ui3vZEOix
zS9NJ^2g$WII^|kdv3X&O;I%fs^;B2$d2tP5v*vQ*oEwOJff&j;u^VGwSb%+rKFm3F
zD{G&hn0bL*!Z~?5WnbKod5L|@IsHmIQ=}EE>+=SO&TPCArhwKqGDz!CHm-g3ORa5e
zvD%^PT>Bb=t!;GD)}dm3;|kubZG7{}q2_(#8WbVJv<<^F!vx52lwsBd9*_B|fEcWR
zJgD%eNCEXw!5~irRm-p}l>6d$tmnjj_Dx|4_a(-(=hVIKO@3;}1xk(Q<oVW3adXEd
z&b8<CJMT?itoH>{&fCOsSJ=i#%vfo}yU+%%i-T67h~Y%!D+Afl5YnwNH!{L-r-R<X
z3!~|vwchJmn%&+ldYJ0=8|@qs5oQ6$S^?8tK2e4tHDdu6ZsZsGLnq$H2^rt}V2$s6
zJKx7Co!|R#_gCca?_v8WOg00?GbEyfKP6CqAwlr}<q3bq|ICqp=c-@iaXo+WOZET4
z5ERM_!Vp#3_eJ98ixWl?mYe5C5)}Xc@Cd&^nsJ=4!n%H(phVkooT$e8jw&}-@E28n
zsbK_FUg3XLFUPTp+<ZyOiu`iR@`}7-P0NacYR@yP+&ocCtNb$446D2%RZXjcD%Z91
z+yYt7^ZbhcRc`ci1t72tOAY>?_yaH~)-VMaReKz1>HqiZFiFueC{j_?GOBV}TGua-
zVO=+@umP?cl<2sw8`bzcaqZ*^!E^1E8pUw!7Anbd?N>TYweRFh(YEiETUEF37HiqI
z?^k<WdF|wh;d<?r{cr3kkmG&dtFY^O-!0Me{U(FL1?kiL7u7E3M;ovILLY#^zpc_^
z5@_S2<@Wnq_yg-Uhd)f-picx}F=@Hu3eL`Re0}S-`nls84DW4ZnD@49+WQJd?`>?k
z>$d8eI9{1?v?xxIvaBdxmGjgjPJuMtBwmGe^)OC}w)HSxjrSErUY;NrMM0TiFj-!a
zq9|EGmE%xFUV$W8ML~sSaZz50rfE?@jpvbNMxH2|WmcJKvS~(<s_Op~b_KF5msu6I
z&Bqxfy3WV{VC=1fB59g_(Oq;|Y=K1=hsE8U#ht<3-Q9h0cXxMpcV}>CaCdh-JkR@n
z=fsJ)_r~q&Kc?$flU0$OU7cN-l{u}<`v(8d3@;RhL^<(80G@I68&L$q3Wk0J<2nS2
z6vOgQc`3#<IL2`XP`XZIOAq${_dE}>XzG)`LO!hp;kuvIZG46P&9Pfe6v?sQj3Ujk
zSI;=XanKG+)4E$rS=qYZ`pc?yuaWZ{ik^@E2WCH{{Hi@~@Ljh+6xV&f{3O>yuSAu{
z1vKyT$RuC8_A8bkWJnKf&t%X4CFU<#_%46qz`lTgc^*o#1fCj!Gz>tg7NC7MkuVKy
z<>DyEuyB+)BsYM`e<aP&A-L;`b{z#WCcIZvgv2b5je-dEVq0p?1og=zyh+U*#Zk8E
z|3wldL@9z1zyHgw&lh4fS;X}tw)cNjpGaC+B<&sb*I?}{Zm&UW{cz?97ZgdR5d(Qi
z=5Yr`Ak&zIJy0=UB}DH32mjjgPaB7{UQV66`GT;W`elc(oqNTK(wzoX57M1`gpxFz
z1{4=HocpAjR-J}4A66g!Wtm`#9V&%liBg`Dny`|zR)!lq7WW;{p0@pV^yCpE>(#i9
zD;@<pmQF(mqaxzr+P*nn!0>lFyFGgZAJiI{-Pe`dTh<wm*u8plZ|>C0%=5x0g7uNT
zoRzT0XBiL5a5wE#rBvqn>m`2{ha5x!jJ}`ysUa|yhx{ACWsVKBoyRZxB}P_F^_n6t
zDeqL8i9v=PZOdr96SInrv15icydf6kiZd<+bm%D*LYab<&i3MCpqYuAcQ#djx<GQ`
zm$`rFTJIWcR8nVAtS-;vgUa4HIxIokX3-6n6F;S9;U$M0>Lqr8TB}0clL1$|0}Wik
zNkw*T6yZs&ELv6UDFJjWS_m)ZMRm##JE@6%=7&pDsMfo+JgD37pMKCIyAh?}=y-v2
zflNT=9P0IkoI?q+b$I?(TrHYgU6b}jA#U%kk_U6wVrO;L*$!ZC{ZBh%BmQ5lQ$Ykx
z+ZW5T4{68M#;k$l{gkXZ<2r-eaaI#WjmUaPpc~a8x`39))yz~+uO&}fYg6_58CC*A
z!Inpc!xZZs+?~YUbWd%nTMeq@Cn3(8*@2wZsw~>f!y<5QjP7qF4&4ErHB&^)nyYuT
zh`Mm{qId^|k7LjHU8vi%tw`Q2=KagsN`|&%k$bYQ6?Z9bXIrO1ni%NMbU(eVcQQWS
zdfYi`bIQiP9i&>7mlSHw5U~H`q6wuw{DTNZ=L-Ye)L^X1{_F|kI&;%7wM8J61Q`vO
z2o9sV4zq4X=7O0X#?MPrTrwrD%%#x!jfBoG!%Ai9FD_j8cIFIZ{>Au$AJZaY!UWPu
z&Wx(s(W}ytQJTp2A<LLajuZ>50?IqVB!Pl44yi~Ty?Bm3Mwb@C5R3aRkyLbi6@*)w
z&Pqg~nvK!7QjO3GuPAHKE~&aA+JW3FI7Sb|jL4#I<Pstz9r8=gmuDAOI-h9^TI;f%
zBbha;?|J-iWu)uvEc3?EFO0ApQ+{8=hrf7FrYM2aOX@&fjZz=d)rYXbmEM5aVub2J
zpd|OSu$jTL@gVoH9}miI_(rn93r+P<>vH<-VnRMb<}T#P-!v9CU@TN%EC6n219;$c
z;W$-qvRh&3%c1o?M`INIx}W%1IdIu#)&KAp!|P(;vIwm&E2_U5cBkiy@OBbfpElya
z)L)bKwEB7+ti36j$xngJhUGr&`w}=c6Hd5*qo3UUbKj=&C~eC3zle{!`~pF^Yi5nK
zE|mR!+l#IaKkUlXUz*$O&j+Xn<CEE|zf%9x`ajnJm_UL%L6Z7xcui598c0hXc+M^x
zkDIKtlIJ(T^7~rpT}gxVPEykK@|cstuRP2@hFspRtPRIC@0D)k#<Xomo$<yV_8sx)
zv@foTQBQ<rRGp*uN~_rXt5<ci6L$0GDy3}(NnxjUF%NbznlyINVZ`VSYoh)uECxi#
zo;<EeLKb(4v+7#bkR7OZN;B%J)^~Tmm8{u2_U@EW08Y$NFCP1urRJVhmCPa9<#>*>
zPN{E7d~My01z>PI5sH@;b~AV$5r3PODoc4H<D7;vvYT?(#Z&EvD!8m@_I8B>(gs1G
zh;-rsG3lyZD^ifH-Q3b%(~w;mkJ?9N<6z6md#&uku3-Ui@%mmVl-16;BQ~$;?ogBa
z+1#{!BVnA9=~*U{*Ru5Jz^)^1hqjgljbrYyuMoTF_@S?6Zn1yb)%~MnMR^F;$^w1z
zI?l_jkj6k;_3e*_P0G3|ob-F5(1Gi_*JoNZ{}PL^4y#a2)&XhdfqUWzUpa5)0+zI*
z#<^PZJ9G8pM)HJp;v*C7D6e?o0(lHPg_@zpr8tVl!X<UZL%Fxoy?Qxv8;%BMMijLv
z&LrmwvcL+mR;74P%28d)QeDd9&l9?$_*v=I3nRz#x(IsW!?<L<24Cba{uix~u4u8p
z%^wj?MvZ-;Nn+%n(~q%_k9ez85AQ*}Lv+8iAiSyzlCwQASHP$%eY0toWa~y)jy9YX
zu2(znNq$Ei#`D1D{+5Wl@r+hl{6+pMnqS&IZ%fy;-l1R6;!FO;V7>>sKo`a;*Q*I{
z`{YPcSkHK0lvCq_^Yxyd&CO+A#)+p?r^Y|@>f?}aCP`(b0}>)K{3a(wfw!3`cL3da
zbS0MOjM!w)#ihIdLez`>7S@;3pMVoWD{n}OUqHgSdhUzy^}lW3s$|bYmM8QMVJUxc
zLgTghg`|AqBDrnGH~*<R(_~+r>@TOac<vn?oZx%uIeV7^KKB;VmRp=+*SEQ@RsA2Z
z?Ez8I@h>AQoWHJ$Olq$pRh@nf`Gd_U(B(;PUF`_*#RGGeinLQ7#i)D<5X3Geu%FhH
zh1=!!>cOKT#+`nF@ql5KsSWhD{s`xNya2_iwznR4M{=&o;(b(NS})bWSJu#X>Cc|d
z+RCs#usr~R9@yeuA66ya7>YFQx)z2Cyo{b(<{s`$T=S;0g@SOwh54A3IWQ!ebq5KX
z7vdWV_4*>gALPsa3rc?0`=b7G!XAE7%i{|};D!oMhM3Q<{iil9JCzbA+!0&UImQZ^
zq;&*~`aiTl)!#~6knKa!6y!zCfqHyy<)4Uw)~pG{yhcbzn{X7;k*i90GXeK$IA;VD
zHODOm-S^U#nI4s1ct*6IhQe~@e>!Z=a{Di+_fLKKQuWTC2}CS-HHSlboqpnCl7xS2
zKWQH6l<)j$4ReU0n-*d@q=WgF)*wakzBrIvSVoGVf<6fKr~=C&Iofsn-;OZc9sItc
z%-q-{(-ECGJ4Y$EJU?z-tS=<HoDA(CS|@aRUdz5epN}7C3(f~1_|U;YOtD>OG~@i$
zzkE=kUQpEbu#YTAga(wvpEjzQ3Hj;IDrY%ZUC^e0P84Xb%U>Gv;AlE<70kz(DZ~X#
z$-oQp9O45RWT3<a_U?Ysfg9n&HGgH*f$IH(K_>vkyYnH)yB)^$(f;`NBEkD%@2c8V
z%QCWz4ui+i{WGWsVh@5X4UF!y^o26Wo%ZA7kuiMzk?TO%4W8deCpP?dOHxGpSRora
z>IOrs`HPa1E%})}N}1NG*UkIc1zwf*9c@q`$v;_Zc1st{+>0km4xN<l+K(&mlgLxW
zN}rF}l{H_-?TT9;N7j|s6xNiuE6^>K>YW$80ShDqXbsI*8o%D2o>yK-ySzMJNqL^0
zuCoFJV^zcrLYPAwL*PTCLa0M5LvTWhklT>mkzbIZk%N#$kcW^-k&BRxkq?m3k&`-_
zQODe+W3*O6&PCS0A>g>pmqfNruRFebxV9;|4d?!Jzja_db}Vu;-wLW;@bba6==tKL
z^ZDL`M@P8TfrZkoKs>rig;&Z6*1hjlqtWxrfO-%js?zTGxIJoVOr;Vx#V)wLb`2Ti
zJ{F(T5|_A4?k<0q(<dBt`ngOpvLkk#P}k;qN5&u$Qx&<5dq>`%3r>{$2P_Tyum=sU
zSFKgABJPiap}V(dyPu;v9waqO?@NyXHvPq}Q9<(n@SykQmt=P`+MKX;@q$pNc_^O&
zy_OV1abM-jzF9ac_27djlg;d6umrTQt`tl4SiWjg^1NHBj=(R(Mm439Ld@XD_*5)Q
z8AImqZ#vL}y0@2R8G{x}98+WU3Trl*Yf~yl=;SgEP4a<FI$wgW+?~MwId@Q&>QI){
zx&Lx={tYTa<;L!{<KO+{NYcL?sV={#P+Pp;-QSlv^^<}?8TMcPn>m>(I#r#4Ku_z)
z$K)ii^VnbX_x)4nF`tVWcrd}<$gAO0MZZO{lCa5Mtnhw$9y;i(+!`p#TA;_<XUA=W
z#dSu)g8?o<v9r}s+UiO0VA4MISN4w_C$Me#UG#VQNgq2;^~HU3{f1|QG~UG4u<@eC
z@Ne)kO}2HQw1XC=`@3v2ZhBTwY>E%ty-fDSxuR7}34K7z;2vH71@`nrVQsXW8lzhp
zmo`i!#xqYAZD876X1(%2`{HM)K0p1O1ZLxO_4E>FJx>?A!O|^#A#v6!*(7PRro3lw
zs(ajW0g$OAo`ibRGeyr-<{DsQKKv0<$^Ay%!a02NaIHLRZ?>e|cgI6i+#?_-GwG=%
z<3!4GamT|+mJoVu@88&8EOGParV8Ty%KO@b0kg3bxG=dv`xE2^%f&527=5tamceEN
z=2rbx-R3)#4V2R+cK9Zk<R&t3Gd0I~6XI3}ym9j<+$P*<H#<fTWODcKWWI$HY__l5
zOFq<Wkl<{ydr(=6`v_tG2gPmQ0{T^Kt$wPTI?%#>pDL>`-7lI?nft;(#U8Cfi?ihW
z^%SlS8hq)Kb5f1YS>EsW&qI^%Z4!7$AIQ3BqTl=f{G{%?6QxAQOj-%qw0SAeE)r8+
zkLu)y;*hHwO=5jiN<Hzr;DRiJldlrzT*vGR2VfSdpk^y2z<3$>DZZ2!&2*R+&G`pO
zuBKa^?QuYD`PpKDvaGgNw1hVR6_USM=7}pW=bV(6V{D{JaV^xaxYZhA%C=C07Kru=
z1Oqj4EvY6enlfM-ZL~ASo~t?vdjvvR+7n)F2|Xg`lyA^zR~f!shkie#1}|=c`%y)C
z<6>x-+1ZF+MKeqdUjGq{f~cC&9%7v~b@<G|rtE8^l%g7dnQeq`6rG~@d4U=HS>nfo
zm%}ZLs#E`(Ej(`0f%i-P8UF*s|11!(|GR;tJ%isooC2e_y)p0$J&FwD55{kw<*xyh
z-e)mn)MJ@V2kJ0`J8!KzRQy^lO!vM)oAj=KdLt#r4abN2TtKCMC_a;K`S_-27tHf~
zT+{^?5c-o+wp6m^dqSx~nQWPK2UJ9Ay~%u`W>97289%!f#<y;p7DtB^_qfPzHVf=?
zPX82kfVS$(##*GnhM6))%Gp$j4M{pIdT)WvZw*-1-U=JiRanH{yh~y(SlZsQOOke2
zyk2AecZVwHZJp^YvdD$>OG&JuWRy$-{q}7D+dK)|qa%q1>9$p5lqiEtr4I5KbGS;S
zUad=wz{kbV<F(6BSIgtuEi&s>wkMCv>!Ypbl?y)ay7`#)11W%BqVCDo!`YoAVj^b<
z8`h%Q@KUsGkl;wOhIE5CbC7Z;%N28i7B{NSWji0=vS+EJ8=11arU%UuO`9Tv@1X2y
zmB@?XhFzpxob(s`Ap5P}T6Mfwn<}TZDnb;E!43EEKK{BK@$AwDbX1hHHSI&aXX46@
z6qRA<La1j5gEHztBx{r(qcEE0C*2afjTu}F>*?PT#<D93uroBvL_PX{-oG@MSNGwH
zr1y6YLaCotC+#6wRxjv0*W8it<Q>D6mV%TzdRoM3Fcex=vqw>(6f1$37cm5>Wo4G_
zCu*1qedc}?i=W^^_Ne10$Vx^D@c84%(EMvFoiE`A(~2bx7SoE6nPo{Yh#P@zo7gSv
zt36dU(5CLTlc8B%PWzWa%V)Q?{bF!vIQvUFVL10}!7Z%KX`HnEGnV(}uMXy@lb#Qb
zFOqll=BQ<vGYi~)p*Lq_2+E2lixf)CU79r8LQ;wTF0$qe6k2n>rI3o0Db~Me&48p=
zxq}|a|NhWZ9c>6zq&8L!zN=;9ZBn#Q{EX@0$x@?OgFT)oQQI)TKI`cr17IzfKijG#
zaAZd-vQ2#lpAbG{{9IQ1JidN>d;xR$3O@-xhoSuA&sI;T^nVsG*ESl@{01Ax2iXzK
zL5(2J$IQfB!rF=-_if1vQ$;n-5gK8DIEtryG42uu#ljs8xjkyvU*0j=LXMnkxDRvO
z1Gg&NiBBVL3^%j4OzjG^17o)g_f=Drmu?-I8C=vlT7`y7g_ft`bFx76BV-S;q#be1
zkTORitA(U1M^BuMX}~4p8*<k|)s^}in)g(fV8o9)19csh>bknK@U~?umuMXSp`{v^
z*bHK$qGeMcZ8a=$ox~|}JCLT2^7MQAL}lNvQ>gZ3t3lA2Q~S{Q*80ntm&X+D&jyh*
zS&voRA<{E3kM+zU?6Dq?u^~OmL9DW^O1H8hBkw;zyz3yrHzaR}tcQc&H`tRsgtWbK
zv;%0?TlH(8n%TDM$rqb$Xq#xn-Yp(%ktY-Eiyhlsz~EjdHtVCX$K*yI;+w#0KX1?E
ztNrUr*P!*A`s=dyAnz;UE9e7hT=bS|Yhihz*}0JwHv`Ad*wA<@^i=AV=Y@~yEZV7?
zXg0>hz7_LA(pgV>v}Z*jNMPm%cBb&=ArsnA5eyr-)L@Azg*0H+)+jZ=eg<13F>x!j
z9$C3)zL}+B;Lfze!~zerlUYN0j`y<j)wa?l9S^W6KTS?U0$t<&#Ta^^$HfFYP^2Hp
zMFBftsGr_N13QXzK+Huv-M47K)I~V`uknDYi*&l*!O)Y7u0}BWkfDpjs&CYw{-Xj{
zz+`{jqsOj})~+t!PaWBxx?=G<s`0u)3Ob4kpE<B~H0N{$m~`ZsbYZ=7Kfqh26IQ-_
z`opX)LfZUNMTXk!0!0FW3?rd=WI&+g_xMve1s>&O9Eyr4c5GV4&x7OOI}Rf)qdbPg
z+dBg;<5}6e765P}rK9#s;7k7Yygwasku>6bZ`*5F&D~)eM`P{RtviWdta^~hU-5Ad
zGDAHSlI2h`PX%nvHKPN;6dJY2XJo%=7ft@g2Nx>##aknpm%7p2jJK&k+&P#B-VrD;
z77Yfqu3Tc{E%>}OGMrg>pD3~#<Up*cS8)voqR&?-iw*OUyVYy`CPFv-R<BinkGOXj
zqSH6JB<vv>H8U$MmS4h@hBm`+T+{<Ep$|WkC0*d?z_`X&m5Vs_cI*0l6c`8(pDJEw
zN<f|Gg_ZwyB*T#^&82^qq;%}Skv5U1i<RT(fTSs`Jni@eqQtw29QYIFweA5QX5@oa
zQTOfQiscKds)n&`!hj(fx@x+yZQ=k;m?fGiSs)@GT)(Jfza-V4pAyx9v-rV(-Sxh#
z#z8fn*Qq~<baPWrwE`^G($pRvwva%xCpll_7zULV?}{(3TDrThp33|<z3vqtD5vhT
zPP>l&FhCqV;zEJhU3zmgiWlyNDSIGCcQU95kGiB#JT*=xLT)z%i*``OG1tms?MYn2
zFY7L**d^X+>x@w*sk-c8wTN9;ydZ!s;zV}Imx*5X+^<od65353w3D1InODg1#w;o!
z8*ytmMfU1RMoqWmnH1|9q5&&8hDv41U8kQPdfqq`NKXloiLeg2?Pasf`6$d(DOd?U
zG&88J((U&p<7ip4RflM61KO&2)K!^z=trn-8SA;uN8r!NJbBb^GTzy|vm1wF&m<5s
zh=StjY!cpvt^|}x^pgf}sGj53RQqk3I8x6<Hx@-)qwhKOsoX(FZMRAt-N$?FX@X7i
zIi|PbPAv3Ye*0s(vt!Sy<+nwsOfmO4xQiidoQO3u5l?Bi97@j&8)L6V`!9!m<>C24
z_3?MCht5oW6i3%3%TWm=?<sHw#ypBE!)>I8q~#t7_qp7r&d;d#ugOpF_2CJ59CLQO
z<Js9n>CN%3c&*Wq`F$qZ_t?4C)pEs?vlq#V=dT?x9Z9xMX)-Xwz8@;(J+zlxS_7cR
zsRiBip9#AYbtcms5olIwgpUDfNFHRzg-BIuLkjAa@~(+#A}1|ycy?G9(SH`j>Q90N
zCDTMFc7}SF<tNe;OSJv0Mjh%kr5tVyXVDglX=aKIDR=cxuq)o!T?yQePg*C;(h_C|
zVOo1S*z0LEMTcf7T0>}Tw&nKAjv$mOb>0;}bAukLaHKmG1uzNH78uS6P^PQpMyYfL
zyCR(2F$t4idU7URh;iI>ltUlAG37cZGuNjlU^<X_`jAYcADYyiaB>NXTuOFMGQ~;1
z`Zc*>pY@F<c%Q>35iphQSSEdSU=}KR@J1Y;|02kn=X@EGIEGIu&7pp*mS{t0CxwsN
z`^EVBU?Q=En!xEN|5peM%uAx+cZ|^K<lv)k1VCmS*-Y?Ys@#G4=zWeW63?gv0w7=(
zpju+*bz&nypVfjO<m0iUjdma=^E@VlNsVII>Q781t4d61kYSNHIihS3b{cEHOIW5s
zusA|(m&Ao1HNu$KFwFP#_Z4`(F+6sE#JcDCG{+G|xyyPy?J%A&RIfr=ujURCqjbnd
zXj%_*DCf$H+rw1<{PV<|t6G`kag1ZDpz^Y@-PyZa#Iozf3Hq(M)p7`^UTo5yRL$k|
zU9v;4s`eRP&3L`=;ZWe&pQp&(u+>Y%n^^WOfXDiv%M8bQ4DC(k!OVJmzR!(;?+hXh
zObc{yDjlBX(%I40<aS!$0W<Og|GhEIoFkAXH_rq>T4~rBNu#qTx1Yi!_;!23Bu;eN
zp7{i)CJAeb+mXIMV{lv`Ru7FM#+cq5f*Y2UDg`_kf(5Rfy2d*hdrENWJaJ36kBoA*
zbNW~n^*&QxQQiEYq&zaLr=>1>Gx_=gn4YbeJhqh9Go<Anc@_W~(?3iTs`1Sp)xDx3
z7_JY$=K)`)2$)3c4h=YbGiVv{M9^op9DZEj8g-_+nIzOb{XOXQJ_UUdVNWr-`8}@e
zcuXc3E2LUv4gPgkAh^9$9bc^=NyQ6_@?q5W#+Kc*Ge_%2PT9KBT5I8`|9ifwLLMuW
zUNbvd96id74CuYXj*}Y{0-Z8h_;SdQ+TB)^tSwxYKE6C2kde9f(Q!fV6}PO2AxmZE
zy$)MH5>f#qV(K3S2h!%=9MW<4AlUMtx}T>+W?|TT&UwhuAs*_l-VmNC?_aJ@!(LsF
zHDE?fR0)1@et-nMMZPh2ui}7Tos8Lo+8WJ2>MTL`deq6ETGF^pqa{?GWm?Ze=OWd<
zR}o&XIhq&F+OHR!Ds=1E=26h~y$3$tr1ABW2l>aaJRyx;uu*PRGL=$j+;#(;MEtS=
z?y~58{LP-%(+>d^IFODzc5s|6xmACk3o`AFVtWMQ6}wme#bXjb@vscbs6aq5gkmn1
zLR6{@C6;)eDWOzRKz%C9tTcxd`ca!)slQoaYw3Vl9Y<+pSrJDm>=9IJ9d23E@y&A%
zxo%)ujZtlisZ;97ex<90)(T5w2aZV)sKu#c&60Ly=)ORzrCOp@qtdr*f2Db%vMBA0
zr7iEgzU^cknuQFB>H7-Aj^FIx52P~q{^LJ9N{aw)e9_ue9n}hNG4d=XJ;%4Xn|2-p
zUHJBmB>)N;WX`3G%+^-6Pk^(5*V`lwJk8B-gK-b|Wrh!agh@(co<Mt3r&CN|-5cDO
z%Zqe&{dM=nMrJelB1!Fm#<Pa`fbmv!P-BPl_}2CZ(EE1m7bkh&wr8ilCq}Rc+bDgc
zz3)q;YqtRI)lwrV*B<7iD<8`ERSt|3=`s+lu{MG$<4XGe%!TrW&m;XU*p)tM-1sZ3
zYOkCZCas}4c2nftm6ENghla+!s<Qhr31ICyjT9HzexFYaW8#~zY8J6{4oiMc<nz*A
zMQSfnq+R$<`X*i{Bu-^gQ5;R{QBD$uy%;`0floMpC|RMu+$dR*uXt&3VW2a=*i2C8
zZ5}T;#xOn<qkj&ZJ{u9n2$?WrU`@C_7fSLlF$rTpiKKnk5imQE<JdGi29a&w&m$P|
z28m~M=#edJGtMIvaD&M+cJRohy&2{aLVJVSIlB1Bv9Xy}4r5xI=vaQ>V+qaPk2GPE
zXwS8a6eS?GlH_%3`~@7dUnh_*UKh?7f(UcKWRNb=HryBtC8gh>kS@Vg(io~?P8J|Q
zHnLx`{zRoiAfYl^yA*2)E3_q%qoH`W71fa-U(%#-oJJ@2yL5_9^KM~qLPn%R+5%22
z`6zwuRG0Q;Y4R(=^}`DTI__n(2$xgU|7N^{OC(o@!?YA)NB<)U3~~O?XjxIDfp{5l
z%smAeG1U3F%gIs;Eeo;zI-dY4J$eZh6wbJYa((VJ{#XkmSoLM$ww-G|W6>EVr-Fc=
zSD8zOmAkcg^puUp_Q~io7Cf*j!^nxXR89uGNiEugMawKhmaN(iX117=ddgSgEpAyB
zS}$wu^aO@x)olIGD%!2ni&>^08(GwrTQC6EL3^z!K}PDzdGTLo?fHGKt{g|XX}E47
zHRS(~Bh|uOGT^uVXH<hUAb@?8(#kMs9TU$;J0z&K>Kfh)D7in-_}?*I&o1SoLm7hv
z(AMAMOg%p?yvbiOFXN554j`qNhF<J$8Hj}haGv-umnmS`Rb77E#!B7>n(A4SF`d<A
zclJsS)dyG9Pftj2q{sb_T;UP_^^XT*_)eaij4V!`m;RliBsUf7UF_`Txnl%z0PjlQ
zh#_nls4F!b`!5GAK>y0SW~FVad%cP^Dri{!Je+-5EzUE+`tptL51`(V_op}U`%+^H
zFt&gl7`OI6H~&$MB+G~wF~uU1j0Oh$Rz%$v^L^vpIxghHnBVxY3P>--Vc2KwPJ0gb
zxp^eTlC&ZN?&!j;_LX&L<C|FW>1yZE&`#UYgP#1#PxTozj_oui0IBAcR8Q3sJ?th+
zByBkFkrJsq;j*rD;3yopp^<&^hyn&h)90Q83dDqzl$4e?&i&HRykYbfSsHYYw{bPu
zpHeAesT-Xg51toiq4!*oW`pE^<uH%pO@mNo@1(IQ3{x3pxs4gHVMO{cS1he&lKM9z
zci?QG*mjVeFfu5NOm?qRq2zE8minNUzNOW->2yf3EppgmlxC3>3|OUea?*!z*cQio
z+FZfc-_g?>M66LZu&8hKA7TZqM)If*0rvIK<|CwGveDYXXMruqG1a<EtR{t*w2qZ+
zynDD_HkdCG+sgH4NteHk__ykaDReuR0U`>EdptEi7BimM^>c`d;Nup2Eo6god7i8W
zHX>fxG)gf(D1}FXQNPW+z<3kvZWy;GKkZXw#saSO@hVVzz1C}Dwa%RTZGf4C{Xg*E
zjUxTD>PzWK%dDkkCl$<R=FIu|4H(KjW1oR?CaO#ubBCb9M3o{{kF!GA*>lGgX%W!Z
z(j#B+d4W4wZd=(|0SdShQ-#R|$Di}R;l4X!mXXMIfHi<Ko3<s^wLwHuMKVP)wS5L<
z4_&+40;WQ3Pa$L_ew%=(w4@}qK$Nd$oXp--&rKVbV;CD|GSyM57r?H?WY92G6Cc;R
z8@b){P_0W}%2%B;mrC=T&p;lCSzU)Y^ylz7R%MQ<!Ye%!7|%5-@J9v1_7u81W8=aW
zv$ek)D5c$-BaxXc7Mmk(Yr_)hW!kYK*eK<0(RBKG|Ci)MG~4YyLlm9dlYx*+zA(Ue
z#Q)L)^H-)ox=1=LQ6Fqbm&i+!VBZIcH~AIAwqk!-NK**RM&yB4dlaKL|DadT8h=a?
zQ(d3R=!bmaRablme^9Tk4IB2?q28-Ybn+zRgQ(}m8$2maXMQ=(biOk>+p}OUxB+f~
zK<y~tmX~(``>zQ<?cS<Qr1j+?Cc{i$<GZf?-`kXzsrPA4I82mNoY^R?*}vSf(VsVQ
zM7!If{S&4T%kUw~2;jjtd$5LmCb3QkeBi5P<zvK)eUa#pg?mge!1Z;pPfI@{u=%)<
zBYpF>Fxb!{{dTq>*pQ@s<F<Yl2VxZma1;kYnfM=l8e@8?lHu)jLheNpdl^&^q^97g
zr@nv8^$d4yZd~F$Rw1;;-Ad8Nur_edK)zK=gLv`#QcA56*Q}>m@+^fwp^Z;|C)17Y
zjb1i;(8l)WErGMk8W2g{@HQx`gd|0vEAWN)=**Zu;2}RR#&C)#dCPkvPB_SITg+Sb
zj@wXM*KrEX*OC#kAFT>LJ@g#@<g!7@c+T-Tv(XpgehN%EhJx8hf3U%C!N80qj~1ww
z&@bby74|5~xNDx|_7W+ov@ty8*J#XTwl!dz+wzhtk>CQHkoQ(6YrPg$8S`X+{Vj*s
z5>O!@g2PJ!+|KqOE`S*t>9)YM>;U`92xqFyHfvksANr*^fd~!#9G;Ww?pRY;S5zc+
zqp3#M)T!GBz!gTORQ1Ur)Su}yJeB4Bz!5p2i;+SsvqNQx@;+05rG|uIz3QObm|?yt
zAxoTf0t1NCLyA9q_^z+2D$y=8*YwWSEwz49@%k^K=1q?)=1av`VAZ<C#@~#p4NZPz
zBw4^LR~^}#((=tS%7}6<L~1le$xOacJs@rqwS!h`eG8S7=QYRq@Z{O)onlEzprh)P
zr0UTmjc2`Q0<n>k_aX2*Cg}l@!lp(Z>&bV|KOa?55`vvUh<A6o>wYI)NmXmJ{*8=0
z70#yOv%nP7tWL`WJ_Z;UHO~1(gh2>>wXC;=uJe2xc{n+yo3rFK+3ASm62zm2Wlq>l
zwpzxoT`S=PwcBJo8Rkd$Kw!GBzL60X2MwE1AswTiJV8PGS7S$V_JV}dbjzc3RpWfc
zeYFa5%M-;Y?w6TFhr5jDhcxB4)mfznpM{fC-g(9g$4M?P-Y)MYg+=ObR?{i3ZGlSH
z^n`ct-vp^jm2LRv*?O2P9T_v2XgT$f1k~q~JGb0COC`{s$^oS8zuiU7FSvimbkz#L
zypm$PWP<zq?vvRO<L&r<?c%R<cq0g``XNV}E!I5rc2WEb_i&gC?Jtnnas`r&TRT;Q
zVbW14Avfn|7J!z=q>I?qm9QI{Uhrs?Aoi64>F-oeV7X7E6zh~j@*WuF`P1kf-~2<m
z-;4>IuqJCa^t`-lkz9LRmn@iRCcA6yuKf8+H*~UW=%k}PO@{kK?5^{Aig8HPY5V@u
zpH#U483B|U6T=X<qfRQcBo)WTkhY~sF?26i0WI75LluiQz=R__T>WXM7S&kXx5dUN
zp{+Hu*qgCm6f91jxG1fz4hM>8gHC5R4o^Hq4UE(UxCyH!FYTw#9!v?2K~o2YpacDc
zXODP&xnrbU57)ec)?U=L$4i~8i&M`JJ{^gKAaLA|^Sv-1H`|FW0gt^5YA`*xz(3b=
zD0s>niJf`N6oWLt19lt{0jV4%zOk27IpRfH5fRDqQ2||Tm9a$jIi4Z+d1Iq{AA!hK
zvioIL8q`UM>G_8e<9%Wo_RT!^se|s58#O#b;(;=}xD)%?jWEPvSF}G8Fnb58K7ZD3
zM?XYePn$YFG^1oUiaKY_Tm+E8l)kAdJW$dd$kp{0NKN(YEcF+^9jU@|Fqz03yY8l5
z?3g@R*vy!IL>1dImzW(pab{|=h0Dez-*Uk`AjK8?5nCYJhwsd}vN}h@A<d4F!oUb0
zGdOjeY{_rGR_-B(%;8Nd=zC}~8S1Z7oR0M5(VJll_zD|$jX|a6XRQ&ReH)b#2GZnJ
z^Da*A^&C>*batwbg?4R45y2BCiZ6h&1^BnC#{@K0r91Z#_P%O2Fy_;Da>rOYE=2?r
z#9lk5(spR^!@+OWsx9v0G}CetS=5@6&lM&RfD(g3gDqeOO~x|D=E;LzsJzUaF0y#_
ze|sls*XbuS#1dQWs*+U})fS$K9UF2k%Fj<{qFDo~{_IA`ju%>^Sq`GiHI*5cTqq$l
zBl_L1yqhTMw}Ih$c{>-?{$@LmQ{pH-({OEXW|uVcG=#UC-al!duZnrd)qMBWyeNaH
zRT5Yx|C-ZB8?^h&yO%-=48rgGIp^LeTi;rL2QdPR2F0%5{G%;@y@Y2VITkP~bM|OE
zuA^S_a>EZ44fX8UcmKS4&cVd;`eetbWS@nb-7z=2`*c=H#irI*ST=G6mj^|N?P;uu
zQ{&OoT#9;05T|t>-6hvtwfc<59e)+9+Xf-s#gk)1q>rP3c=R+k2@n6R?4}<R4qZzk
zvmdURVQ{TEzluShjXyhci1z`#I@jzvmIqx|P9)1*=&b~Sir)I_{5yQE)=9E3z4h+c
zR(*)adqUJy^o;&OshyIB67)1iXQYlxjINM4sgt8}uGk*8Win}etAO5w%tpye@tz6O
z%Jp1bCs%(d&WIsD3rs*9JCPI6hZ<lM#vXu#0Ek<%#Y7gNsIS4ulnaOPpip(%@bK#<
zP{eu!oO}?jXGya*UW6{BIde#6T%GKl6GjgAAs6^4zJ~y8ViD~_7q53_5*ZhGcO=Ap
zl--!R7Y3A54!~B<eHO1pJkph~l}FEhBh%E1Qj&I9qFww6pGr&)Uf5iX#)88BsWw+M
zp`a%tT{?7nT``j5Ld-3!)#uv-V)j`}F>vmTjE?i&F%H1hr1^~ZJ<-<*n}9FLyId%h
zw`A5^K;co<2RbQN&q@!5UuM4cXXfZIgxc;rrEkdfGyqNO$&-PaZIT)?sjHs2z*Ff+
zEyu+|xYhZg{b+_dE};m+2p}Y`_O*yYF@0ufA!v-o_PIWYYfPe=ksj;Xv%m%)W}Q-C
z+%FL6(n<EU)C76fx5hZDiv8P@gTOtaBPUau={cfjpwn7aSKiO=pRVdVuD=Jr$`%CB
zgk3cgJHn3J<~8h6IUDW|-&VN-9)4M>kNU6BQr7L)Z^$`q(Uc<@pX1t`+z<vr2*efc
zmEKyprxdqEspv=O+%{LWMo?CPbi(p?u`TaO`C1wZs989}#kkwjGYPaW`Z`v(JSe#`
zuY*AqsDIm_6Rw@I3_D3UhQZFlGJ=HvZfyO|H9x98`k4{Zn{C>xd1L`)=!`A3eyC<@
z!ntk-)C#>@<C<Z+5VNLS-2PxM!`@Zn9^x$ts!f#>RVzonvi9J~1HYgX=!S#!ZBQ$(
zOWcActqO<x=*9|@WE^0s^BphBXn4DstNT<J%2-^@jXa!Zk3-PbKvnuQ3Bst}Ic@<I
z5G5z7kN_*$g6{h#$ZHBn3_K!*xKnHob@qwW;R7g*qqyb!TuM`)HR;@=>TXAH45iQ)
z`e#Nk;uO#L&*;Q*Y+(E!X-D$NQ7rq_5Ov9fr+gZ#h=fJ+=TGKF6ry@fHG6c`SM@A>
zO%8-K37L89-XzI2F8Wy<$19xQ-v^3Ln2$zQrN>|9U6fPxLO<*qs2pwGldR?SEey=O
z8{LpXHU$L)`vV(>Sz3}5NqbJxMM7zzAp-1gr+aY^9?l6G>(;r6Rk;}oOSyd@v+|5p
zg%6ASq3t!UhI5R_LHSE!Gr{xFp3l-E4qrO0R)+SX?0*8>e2*$=d)I^me9(TaVYM_J
z;D%Rvc77KCjZZ5z3iGG;Z@V<E(@ld<TI`ok#ZF#Zw4LWw12W8#j~v6r-u?y)7Om{d
zO^nU`m?3d6T?WXBQ)S__J*=3h=iXKP$&)xNAViMpRqS)@#9Ov3O|;|=NvrUIkeBKm
zuz}l|iD>|BoZiQzJ<PaSYc8k_nm(+lyh35MD@GuVU~%#LK~?o1b)>{vo1E)u4RY(m
z!KS!bDFKkJ*P3d3I2cz4;)m<dlMO4!6mzK)g5Q)l-WxQbie9)NL$YeM5Z}pyz-0p7
zEHo=RvgalA9jM<s7F&=cU3po&v%<1A`YN?L9D--Y?puiJ8Ha5c<DBpsOlG!tXr^=b
zB0kq4U1zPksBq>#w`g>=n+Dmx)8s@z2~gc$y7|(xhy|N49J~@3KMWJebw@-@nCY^g
za}ffz@2S%I$=~>i1+V<Lgfk3=wNho>P~G)^`t@xJKyNU%oa7wYbm4Yt8{u-LawQHG
z3kqtf@2Q)(GuO4IZ2>WnP9PlIbi$Tqr8r6n+Jp9ZrplcU;-e8#MITdO`2E#F?~Ab5
zRz~F#0l%+WLe}kt*{FU+S$d0R51Kj~580yB9Q1YgIAIH&W|TCf%0$VBo&|?=G^LlH
z6E4H~5Tt*6y23^q8AV`kn0Mg`2AxGbqcb46Vl6L6+wcAbj*3+kK<W!<oKb<9_xG>*
zox2yt(pYcPB_!-tC8m|?eQnD6{$@$9SfEZQ=}I2?#kGVUa3dQlo&BaX-Lv((DqpOP
zWFMN12(_dGqK9l%9$$GwUN>lCXS8iq3O=_;C$Ny0<keW~WwN!xbS6x626h#NunTt~
z1om#ath~18`=>+cg)#Rs&91|G-d{(pq*0Fk^aBBhVtcR{5huHkG4IfcT`I=omwEl#
zF2ldkN>w<aNF%>#(E(Fr<A$VOC3bgpR*Ac)?#B2TL5dfi{h@u(3t)pED(Boz6)>WY
z!Na=d^YrXVV!>_3daW})7l!ld;v~iVeX5jJC^^FkH+BfaPlOz_WsE?hEBI7ur3&qZ
zSdooBE_l+d_=p*!(a&u}qg>QK9yC~oruHnJfUWb}YJOMkPZGfRsp1pF4HpbZd+*Kd
zb#s)nwToHprL3k>QX;Mu91u5lRHB!zQ&Ez~sw%Wv=R{)Uj#iUt3vxeay!~4`(LNa8
zS3J8YT1ZhZLD|DnaO+7sP7{uRviBRNso2m~59Sk$<HoFmd6YSqM3G*Nv^2ed?h2R#
zk)6qd&2>he`GLn~?2I}%yj{KZxWTu<ge@^SZJoqfLU)c5MLTK<^-hh$0L`QncjRk$
zewL-ngV?ypB#Yg}wmWQ4;kY3d1}P&P=9CqV3V@Dq&!Z<e$bZ~U3$M8@xWi!;qQj%-
z+nP0@w!4kcAmQ<l(O_s(>QK;b5}VhWD`R4ksF{#`YA4j}$D>O>uRi;?sci<(V*KUG
z+gYUDV`!jgYEkh+FF-I8bwAA4coJne?krttVkDJVS+1T-^@b4rLE0<-_btBN&mG}V
zK+{Hrvva3u6yU<4^;Nv`f|=$nQ+XpOtTC>_!AO(C+J(c!IwL-}oym6N)}uCES!vpA
z^R>YVpVFi&a~pLa)kW7)MK{vXIdsj<P)t&Ik@6fZh3E3QwWrNL&>Sr#)~=9^)~SPB
zDFqEny{J-aQ@w^Q%4lA<09=&YAuvBe8!H#Skg>b<*9cGFw~TM}nd6J9o@*546hY?o
z+K7e2H$Jev)0x6;o(zFbN*mMwgd|Ph``uytRdR+t?s9wdnD(L*!I6V_Ic#Huiq4Iq
ztho*)uev)%4~R4V75nV?3ggwt><nr>chhZtEU#iXXy4@oPKLaJHNk5&+SpF<%Bb{%
zhSNx4q4Q%Ts_JfZx8u3{ngNf1l-BIQ5QD^Crh}*UuKozQmXwu?D`Ze4&Bf@~snq~u
z2GrM5P6xp_QmqR#+=bb(U2Kp;um&QxIG@Pj%6A-2`J`sivActod(H~;N2>MPHRpVV
zCuL)=o7V}IcfQ4>;J`3#2R|_T(E*|D_*DGm78ZJBq7tIcFM|(|E;?VasB2;^+JCEB
znjNIx-iwZhwa#tsa88o$dbcC~C^98Jj|~?F=9cQt<!hw2a`bwdFh?pu&l9Kl)>#h?
zn8*=9Z~d8wKUk($<&x6j6)2hy>&Vcm?Dsd=^*9sXBdd*DoY7A7;o8TLCxS|3qsh`9
zH3KE*oO_@q25RhB)QD``{6#Z%p>#&3+nd!#=J1D%-;PU(`QeVJmzOxn%p;vAIPP41
zsIDPe9wq1pWzG~FQjAE7i}#f;!CnD_Sr6k3i{$bJ5YJoCaL`dv!){U~=yx{Z$^PVt
z-Dfn(C>1zMld%g3m@b}k-l*#lI<$ZJ7_KI!F&Gs6frn#2YL{t9IC2CgVax=)Iqqk2
zx9hfx`GIH?y1OGNSa0_+MYp5>XTv?6`Ndr<ZnOO{g_`kLH4RD3smMm7dNQM&6Z?=*
z2TocfK)SLpY3iPJX_>k{MJMnKMve*BZ((4dTq$@~nZ{9Yg5`jkek?IFvzv`J0>#AF
zYmqJ{Ya3BTenQ?qF$|w95&K+fqwEVu826Y^cK_~Om<4>X?J~t@F6}GIjL89?dOx=X
z%C^xb+gq8lJ}{<hdzpw6!W_P#yW<?78>tQ9@l$ZhT%DucU_$=y_uxWCjK;eLH71St
zStKy)adT~z(MO0$7aqLAU9a@ROpw8{_6JY3_?UK^Q^OHYc@#5fg;QmzCDr083@z`?
zxWyh0)e<M}_h=Zz!?2>J*$olVbmNhJd1%w}3Gu@lcgI|04SuKb#Wqc$>MoP@t|k*q
zz;Su?sNsat5&4DPwBBTGKFOoiGU6RmRwUi5Cg&GM$(x+;AP`su12=KDP~GOLDj>>M
z^><YJsNZ^p!iwS*E`hDBzcLfwdAe?Ti9VQS$j-80`$~uWV2ixvfXff=@9w{lwsf@S
z{RPjpQ3q2TNpD&AfEsy2rY-g<jdLnC$->gp2?-7boxa{sCp_c*^b6<p;;SNv@PF|@
zE=}Kt0#01(N|Vq&bK9%^@Jzd}rs^ktO3op6c)bW$avQuIMS<6_ir!Kgx+MDIWOBD{
z%?%h1#EZl1V=3I=F>*P`?q`dSAn=^iYC`4eT8^tYJyKBK)=k4rlG~LQ(@shfH3+|m
zRa#USpN=JJ@p2Ay3f+Opd}XW5?46tF5czI=`7`D!2sVlweXLhEoizIPNc$4`Xsyp#
zi?(`?9rimO;6*4X>g9&)u}Ns`?L&}Ts;tk7n!EPr&@-5$yHS(L&_jEA)5<zefXRW`
zw2l6zkUj9~xak4!CO)uLHfK=W7EUod52bIY@J{xzdWP(%<4~Guj7Q32Ik}lvE6Cly
zm4mw$K<-%;14rAm&?US)KAl*nwXhUB`2soRXa9w1uXb}*V5R<gF7(gg5Or-V-o&%?
zbBvWgJVA!p65?4EB(I3yR2-=6#xADcvfQ2iSJ*??&{)mhvz0z8$2t#HfxE?Qb=MLR
z{x$bsx@~Jz%`-@@R__hM9D1FUhFo?#Ty*NFEU#}pR#*}&NMex)sZ$k&P@Q;d%|T&(
ztKJQ4nb;XMYm@rlt6i<qmmN+<vQx$~gi_JogyX#u!J9;gS~O1Bk}d@3Z4#r}Tq0qN
zZk-4dlSh|Tn6-2F-cO87n|bmj?@at~2Y3-|VuD#2B>d{wUol~z#=i=8y3^$W*0Tz+
z1Jv{7&2Ry`(vMI|E2@8p9AY4wjGzj69<+h=(0^U>z2;t?qYccCTOkM?YAm+gjb4!K
z=<Z8j9@}Tm*$t?Dd9?1{6yIu@L5J^GI8ua(Dvd~V>n3-*7yXa#>#h^l7{*|tDi;L>
z`T;kJ<Y83<g>g0E<J00bIHdkVPepTaTn9ot)I0B{6AXP|W2@utEwCXM<ehuejb%^Q
zHszE;)u~?Bh;n5O+4SS(?po-0jv%xN`^@=XIe?44B7V)2Yz#Iwv27|6?Q!vr@=G7-
zMjfS4IySIuz;;gUmWneeZr^I%wdJ7C&u-7v_{jR#Fzm?DYe?0(z7;NMFw8uPQzs(<
zdtT?;=!00gVWk=^;^@l*djBfpJC{)=pw;0*+e)*=uZE|U5NBg)(*un6>|Rl_7mhMf
z+wyi-IqtnhEb?K>H96+8EEP>2s7D3pR3I#s8b%NMz{Jv=FiyiP40V+BGP}$G)T^7f
zYwX(Odh-(<DdXx&kp*7e+65%1`dh|+bx^_@heW2yHoZ~G*D5qY_w-JtPcoUMT8OJ#
zwuYC!E-tZk7rwdC44uqU<1KS`D<j3{XY7MJU=tAS9(wX%?PL#W*Dl_!Bah8+!txh;
z4;da+y%C%<T~d)~V9H3@Ba!lD@Jff^IgmeFMO^8+Q2L-F-@BYF<IL<H4B!mDa%1Ax
z@%(A~((F%=ee^EBeD!$!F^Ujur_}qV#RVYZ5k($}3Ol4wQw-12Bcg4~4id$ibdgie
zNX+Med``D1=D87@TyvDE{Oc2p0%Vxf19(c$#l5KC9^cLMvd5<kDH_>5V;lb>C1{Vu
zb-}fME|f1hefRC7b!p<r*D@^#7t_1zBd?UA75g;n?P|wlMNhkkiW4V^d>2{8m)RJ;
z^uHAn+0F^!QI{jZVbuy*Zt+r+Vwj{FN-+$Sm(*1`=xPpYLY~$^B8suu$ZYvgWj^vW
zM|~<d<e>R+rTU(@u~$WBlG6x3VT+Jg$=R)A0*i<;UCkvx`~b4Ubseqa;+SMxFl9{J
zt1dCVfNf5H*{igjh4Ckv!5}^l-JSikbcwPe<?IsaISPOm&4I%icx}T)WcAS<T#Zc_
zk=Lmuz2@%lta|3)(;TRC!iY@`yb>a<Jo$>2+)MM1J@^nOzL^GxOxulc+8^rLxml=J
zx@$e_P_J3ob5Ux_KRAhnp&EsFnog}Prf67sBjv%~)ztRI*S1mdzi54TFe!B9=#W-H
zo+h+ALfv)CHj|qJ|6)?p9bUfuP%R`FTPRq@87B^DH}3N4F10`Wm7ZFif1igj_9n+@
z1GYO18Og<qk)E`}6W1LHBdhaf)U`aufi{snM7GH`*3#5`EOXlJI}+(`Nnya&1zQhP
zn92J@Lhbh80ke{Kav=#DQ69tetneGNc3JYi>C=N|C4<Y(&N<!5f%}sH>N@Axkcu2&
zOTUBZ{<^-8LgLklgU1P~aoI?7G_E-C+`(6hevA{=^6?CJ+EMM@a|Heeb7rD9uOD=T
zMuN|d;F0^Zd|1`Hf)TU1_lvjh=2xX}bZ~u#5AREHMW>aPMEXi~wU(gN3JX>vP^Unn
zWhT*B9{iaoeu#mb7-^h^-EdK~o;Z0??7c%iqvoMFtJ_T0S2$gaKFoid1QM?#4H)E8
zCM1m*lb)yyJ`Lrg42gBU1~=se4YdmkgDYyB64indwFVM33KDe=W7U#lwH9MF8e?@H
zl-2x{wR-c);D#k>ZYJe}rtO7h4GSh&_a{CGN7a!>`O-)A6Nlv!N9{C+xim+$mB+1S
z4$2P>+K9I@QMW39Tgk~ge%d=Fyj$6<TUG5_#f@7{-dp)D4Wh*f!&WNgQ@6HvtL$H=
z!mZO*>1n$!k6!ON-rHGE2k#BuC%i9s?@b>lKRvz?1ajoK4u4C@;i?QT+g@p=sf_xy
zQ`r35Dgv}K(ad?C^Hs{!vX-U(cg)Y3Vf-+SYqIQM<k8~nPy`1(d;!cJj6wRpVv@R8
zjL8Go`!zlvTq)oVB+DoR7iFc38M|R;4ITRB&gC}aHJ0|D?l(B3`q1W}RGp58Tf7bK
zqWz4b%Bp8&=h&36EjlEyfF7bh!EF6RU+IYnVMavxC}yG~;S302mxuXiuA`&C;QDMN
z_uXBP0b8c+!OmB>E7My}tq*I?$l|S9xk;b7oD;N)SPw1Tn%0XRPWqmUc?zS<E6(RM
zpL6C_JD64Sn3vr^I=?LAEE}mC=Np%uK)RfkNoS2l<~2&@b*yL9?x6LWtW)Dp?eO04
z9gcUl>bmR==N(de=ftDK`u5~Am`JmY&Cf8*-{s#Zx1u4!I)&(mA+tu^UEftdz?@+`
z*yyk!`~~_LGTDf@5Nj@dZQy45V74F(1cu|P(R8TYswn{SYnQn5IA;oowF%*w2IfE9
zVk%k=r5eu#@UHK$o@1-jZtWwih$2bV)onwGlrcnW)#&^kIs$adSA#I5Yk7vqX71p{
zSDnu}6{0I>6lx0zCP)-j*@6tt{Om^-w%DRP?z*20PQjuXF~eX-R$RgpA#1<rt88Up
zj8Sy@wUn!1CSGw)_S-30GAp@U2P6=m@|E8c!<}$p_6_8pifM??WDXi;)^FJ<Jwj@X
zU@dNyRwtvjag<&>$zu0n)RHWpw&y*qtF@f7d1L9r1x$Z9*#<O}7zJ6zmw!}d;dY?%
z{n>U|>G(}>V@U|v?$^RW#_d1xb?6`<zv>qy=j6CE>?(iLu%Zag*tx-;3a!$~2M!tO
zNC|_Ac)r4DK0n2t20LJIgeip-c8}RrbN$n-mxxu8z#%o2Okx&GV&1Ct$E+&Y#8W0~
zfuds8&2s8&r5x{Q=zr1l4$!&u-rI0(+je_u+qP}nwr$%ub$e>}u5IJgwod)^`TgH-
zCfPgL$zZKnnM^V}*Yy_mH6Z^vnq1otQ@i%u5>g`1w-w)D#J(lICW&iCu5N9nZjbI>
z6xYhczB01znPZ4*mn_#BbBXfflisp<CGRts-(+Enxhs`cPXTE8L2$qC@~i%y`#uf0
z7kD@Di@3S(dlv})M?@S69wnrlh*t_$C8V85fCi2TjtH3mmJpOiA+~#lrdLPnT2{BP
z+$p|#&RxfOF?;$X-Xj&TRPa&YIA${arSmImz}_~hR|4Bb*Ld=h``EqhW?y9?<dTST
z4E8>R1Zuam5bJNjdl3|5r|#tejGjTp8HCdI781vTn+JJau1nfAx`*#!-HVvRdC-_1
zp&M@1=(hTK)R<1e;k%8??3{ssI|HXT?X2Ix%PY?AX`Acu%{C(MH;dZEv!Yv4-wLci
zol>`}hungUcZYjZ^Ss-dxxwkzbHp2I*%INEL)zlU)fasgyaSv=s(2zhmryw<vx>xl
zC4RNZwm-LCMc3y#e0>*aaD9lw);QAP!ayC!qjnE)(N4`QX*t7rHK*q8oH$+)t}Chc
zImUMI&Y=n9+o`>sxPaX<J6?sug$Ack-!dVibU-WC#II#$#_gtBtY$mHO-z|fAReGe
z$vI+8`QZ3L=?nAEhLyfO0ke9)Yo5E}lbliUZw(}47BHq9ix^-XYZ>G<=Pr~YJ(E?E
z2+{3WUS&7hd#RNxs)mRwXtd<|iUtO3ABgubC!^RrD#=LS;iNR`NJ@suz40j+s1B_t
zu%>1hr$Y-iVdg&&;_)jab8e+l#N7arVWn`@i9~tqXsK{x!U-b-X-BFu&Rk_YF)ut3
zaL#m?`MhWmY8s===#E&Azhaq_juL{~Np+AzdZ!pJzFA!mJAC^D5|Z}$5_nP8p~;m`
zv76iSR9YKhoc9mlqle)7|AI(Kfla8eB?|-GBPQ;gd2@U097uNz_Ua{kJw-f8@xTK6
zP5;D(kEv$Cq^&dKitlD(*5dk{QgA-cCn$bO1q8netSbrQR~DR7O0Fn8sc?FOKg=;a
z$$-5zf59#Cbw(V>UzuJm(1*U|e2qwd*Y&v^Gkn4tGZL|~iT(C^kZkA|21_@Dj%7+t
z6;9T4nry@y(#k&~-nsu(Pz|mQM5u(mL0n41_{_@Na|Q*qejaanVZ_I|yZOfWOm64o
z-?bYrx_g;}{9xA`cYyc-8Ef!bkJb0GOFG{6?jHY56vNcOa*B5~R_^0U6oIfXo<+Y3
zo`TIB@^QJ8hh#U8!D;SD#eBthoFwK!ErNq@PNICqEQ2&>l};?))`4*6n#+@9<gvMZ
z>)K6EwM~hB1{}uOsmP9UCdwsQgnL9B6`z`5%58`&9LWPLoCjJ`9%RZqQprVBfR~~$
zB73fDs`QyC_auSf#_L>#nk12z;CpV0rifXXn2o2z$5!kuE$ZfQsW3ePtZI<xSeNW5
zjuP+1nVn7O<gYvQ3VkY`hdJ+$;;k4nhYHBNqWY~d^v#+p^#sxtco3#aSW|Kwh(C};
z!^-$TVQYS@bIZi?4OYN%!f?yi{0ZF0xM@(OZ&`6%JXvP!yd<Gg!he4C))AC>1<^Hd
ziu<&*R9SJ{VY3a$By?MWR<g(w#q<Y{Iqi0Ev`DMoud>#d=DXy~Hy&lOciC*8=sn2v
z8&#RE%kufB!hA4#ZBo~S+VNKM9%b@OS|Ij)O!J8wQ@oRl@^qY9Nm~Kam3)AD2$niI
z?#wKoqH?5~`wP^Jh+-TGd+>FS8P8%I3VR?6g?b=MnWpTN*i1P*Uzr%a5)H;;?97?l
zeB8^K;N*1?nLf7D`;Tn;I49rv6%(^wxk=4bvR3S+OKeI9bB2jK4~=OM-Jxd`oslk$
zj2D1LYxquEYtpk(7w}%6c9Dr55dBxBbwWM9O$zp;FV(=Q=-85J<eX_Ep|KBPUp6d%
z_AZP&`wpcC4DbZg1CsUAPlqY@sMnXpY}GtE_sBT_M0-?jOuJ=nggJV2Zp0gRN?wR`
zZkBzRq;FQ=lgbg#M0EXB36IuCpPVi$6wXv~y~GRl)-9g2V&^cQ#HN-q9?5q;qI(CI
zX=?ZF*tA1XYL~UIYZkfjO5!%gWZ6$4c1HTP+g&2A|DM}#PgAnnuoV0(WZHUY?VbJ*
zm_zKCD2P|Yd)@sv_MQC1@`?AF1Y0ga|MRw5sCP{CuiiBdIJ)7}En^^&2$(nED(7)l
z==z!rWdo8*2Osd=R;z8i>bSaYw6NQR$^G9#tmo|?fV<5uY`4qU%CSnXZ#l-h=M)vv
z@v5XTwm4hHINpM@3#vDkAbgS5Gqd2A&=)d%L=f*hR79?p6m0-uM|ANR+M_SDbRzCK
zl~>Ksp0iXU*iu%uxnwfgT|IU3U>5yZ?ve(pWVvawikXrjjZbftE&QSZ{mZNC1LJl#
zRGG4@!YupKbXkSOSk(Zp0{rnSOqF1O%05_C`D%n*!Ym6Pzd?2x_ImlmNe&Ii+)2HN
zqJ1hZ*V!}F{FQ@5?iR6!BGXMO4>GOCxZa`1<o4mqSP!pP!BzzBp??RVQu!3*7-1^p
zIH9p}yM87br$8d2=cdFx(+S}{WSz178)|%<B^|G=5h_>37@8_m*eqGWuV${330=?i
zp<|)7kz<kdF^v9E^;RT*c9v(%heaUV4HVT$<#ljM$U`XJ>{6{<GwpDitJ0G3*#+3W
z<(PF*(fXzLqPIYPxIQl@!Gd{A#c9@OZiwdh-jJQQ{N9MkN0HA&TzAy_pV#5zQvI5o
zw-(1)k-#b9p}=_p??cR2FthpjZW2KD6H+;KI?OjVUMLjXhfZF_UCf^1T-5ZOEKinS
ztfEl3;+*yVj5{xPCz3a>ibbia*%f0VYsR947WED9Fw=tKoHtKF{^W2xtTWQLk^cBo
z#ufTiSufgHuY7X+teUr3StGfAL9IKWrA{1Euf(Q9tNvnMkK+`=^jv&<3?4u8gyRC^
zzP1xRty8WoX)#5qlE)R&VXca1K2FXE^To#%k;E3x=XLkxjNkrrvwJU)fJmSc((5ad
zKuE*oUi3KqV5?vb_2axWUo>m>70=mMzaT@!HyWlOVZ1px%abLXMF3(gI^+w<_>;-M
zv%0K2W^dr;7OOiH>q9XZI}~a_VJM5Xf=IHIRMa$E#DX+^OaxEK)&b${cwLDM`KZt(
zr2<Lqc(>(vH|}`X?(1YXZ>p~=JK%-!`#O%7B-U40NfK;o*ko!rMbX$&=#WSjZR0{I
zs)sOadS0g}xl#~a$*z*a!@=x&=Q-edXML+Dr^83V#RKuJSU}kIUl7uRr$G4PK?zn|
z3^H?tf{}JR!P)UkRXg$v(W0&Z?#mwV;hs=279ujZCze8@Kvag;7rO6+4?n5!KfK*S
z@Luxbe+Yer6HUUuMv$Y@v2d8sW#%C!8*qO8;&5%+ngckCI84GTU6P*nbKu>Fh?d7#
zghREHWyCV3h(auxb;=$#->H!pR*{Ueb*xY|Y9y%J2KXf%ymk0fnIc}!rq~7_0=BTJ
zjE>u*Uv#hP!~=hQiKpIwUQyWFyL%K5ZXXc{w)o8PMS4z>KTVN4+|RUS%4dIN$aiXS
zpIOz@7`aatC>fuT^}lopbYLHh2(Gh^rm$4qLOjbkKg-Qz*;8;dXKF7g%W%m2s@>w{
zD0rcBgdNK=<a}Kioz`wk_s!FZVB|T2nE4q2aM+et8nSH5_X4g2TaI$PCpnBJIrx6<
z4r%sQwOuFeNj;U4Y&Xf%BI45Cf2;2>F+=Dt8WhB)I7N<mVkZ>JCPGKDiOHu+F+*FG
zPip<F_FOP2A7}N(HJE6xP=2V^Vum#n?x83kby2kXt!MIk+wk}HhH6({mAiz>6@B@}
zwp@$PXYEFp8AEWB!ZW}I<~pTBI4&`zf|EI-Uvq&9rl41^&E#ib;Ha-T9z$?m#rz-A
z+p5VA+~ll3(+1osOU_*ZgXPP0e*KI`fP*SJtHbkJ*D}Onm+uzk@|6mI*^o*BVjFC)
zlwI$-2dwG(wueUA&EC89+RFpzAT8wEUiKkQ;v2MoFitzl)a#jl$I2VJe=SA_f$hF`
z1N>^p)hB!3FW(o0K9;SWBadpk;nQ`=ZV;c9fjs6^YLRqkPUUbSvo$7Y9ys^M!FZC(
zNW)R0OUE@Pv6q|D_X@=lSZmqE&y2ILm|GG6kaAqaE}V6#B54TDwqgko+i{^d;nHaY
z4yd9Dl=YNIoSUKvY&R7kl36sfA9TXhCs`GjU`{5V^#1bDEBbmD+j+B84ogs4y#m%o
zM4e*~c#@1A0D%F^6SieeToyqCfKz79N*cFc(CkM!9y1c)!Xt@zAY%leV>pGGEpTEk
z{EKIfB_@xsTB{ByhI7yy!c|7$6a_gM)5maE-lZW8av=^9paPI#Xt-Zb+(xmQ-f)=N
zGBP)<#u?Ei_k%#^0u(s*D@;nA@>$)JM(7vX^YO|#B{c3%_vbgVXO{8uaPulCvNc>>
zg<OMH=K7=`>yh7989%Fozu08Ie-{R@E%uq88Nfc)YrU<4eA<M6v4vc<infWjSyTTY
zZu4#JU~gBEe|Y@*;=$R*+{VmaBAqAI7BQd|OAt%2g0HPb<3r~wD?80P&2oI#ebjCD
zWAkP^d}ujkt1VvqC6Z1vmMoIanRsM!G)ERr!NppI!1}7q1r|jti6CSQl`N7-0Hq8n
zWKArI4<<z<$p>Z?NEC-u3KMJ_{{;m$PArKBb)Vq;Up=hgL!{D;Q9pUEr7^2Wrr0qf
zQAF3uBFdG)Ffe-7{xI>rZ3m5O4+xUOvR36B?R6B_269UinYo#C!|o-G^Tl&zW$8ab
z^enO&RfUsqi)Njs-0+}mo2EI3t?TU7*toTgTh7Y|r82E8cC}7Zu5&*caByYI(_&I(
z&a)PeGpcstv@Ena><(RjY2Edk&|w?KA#YH}!cJjRWqZwr{CUIXeT_fbNwfLWR$zJa
z%e`>qiik%tgm%+*dZWm_(wJupK?AwX?homeq?!|qqK(Any!KzZ!h!e}6E?fibtmh_
zgDcM#;{km4;=D=>-S$QK)|3_;Qu#|(9yw@z-e63HwJi5?<x9?icp3NjypmLv@S&OJ
z2UgpY%~zTYaQC3{#^WLS))+OLj5TuW2AM177Q?wHJtGa8;S$uYjXH#S1Cv!MczM5`
zDf@;^H3yHiW}LQ@OEvfno9FDet0%+t=I36&BF^?_1?$G$D~9Eb-C<?MfoS6{?O>-D
zT55`6RqCBQv^Lu7Du`|#=*>^S63*rO?d`wFzkjRMpZjpM*S~**A5i`4@vkT8o4rv<
z*}ZwG-XOe%RE>zDdlUIe9Jx&b4j3YYP9S`eSPsuY<K)ABp!}4Y-lGQn`Xf-wB(MDT
zp%tKBk~v9s%=|+%1xs_lfc}--S4t4D9#Zs9`xQOHn2jAUy*q~m-(CKwbH*{utT!7w
z!;~Q+dkEEx^@H^wyMsZ&V7|f5V#g+{lVx>bxUrGdDqn5~y4d<5pkkhsFNqd7!13wm
z;SoXct6k)gB$tF+OB^xD&)j@=E3Em@uf=$|UES~L4q%*Y!DIzchiqkCJ0Da>Y&CBv
z1Eiz2zWpe5)Yg>-aw8iU9SB_F&?uZxY^38rM$|z#sCRH93fkDBwN6y|O6E1=jfUlr
zUwVyCI(+ZVKV7>KL}(V0x!@Yspsacht$Ge}wOszP`H;0s8GcL2TEq4qqiRT<PUA_^
zw*}fBV>-Wu3i)?*JCkR8k#uwywoDeI8N&-Jk$eO%h{Ll>{_w5I9!-&*-22=CgMzQn
zGlj?>ksucU^H?Do5dBCg{C{GQ@)JA%(LyqS?#*Prfa+6gz5x9{Ve_U^Bw+StvRDA}
z*?6W9^i^{@8~vXE3(%b?U}zl91wXcBqKxFynHs-0IKZ&b<!m0#!k;lsWBDG!(4lV}
zj`#&^dzZVmKb%h9YTHQOe-n`L@Rzqz=8M)Pot0P|HJO!I9u<YPNFLt4p*lz}RS1n*
zB$OE~%^_gzob{DvcSyH)(gWF|t@*Ix!)SuQ_Yr203Zc)(Vx{$kWp!nDtx#QY(_N9a
z5`Edd<b0~Wn|C#`pt+xWz6;Eoqq^5834Pg%p*57uA<Q|k`;X3%I(5B!buGrSjo=f6
zQV+FiJ<hU?%1ir-xT(*D+ZRNe5Eqnz{M9SP)%qnnZMDQIUzy)V^Y&T2k-ynForf07
z{c7NcT4#@SUGzVLf{&ZTBmehZWH&8nH?3q8I>(7TSIV>ys2S2=E71l@*20xoSPI7h
zEsvc%jdTQSuVuX!<k$vaQd<C&#8Sw11Br5`APlL;>h_|~j>n7J3FLJUdLw|<oihxF
zyK0X#$34L;B5rLD$$c#zf209mwZ3OF*~Nh}lnHiM;@ki*Z4fzPxQ=l~8sY|P{1y<B
zC5ik6wVw!f*ERD^EQBYF#DX$}GWk9xF(DtEDT?#}W!zPNi+=1hB#ze@&tI+^yjJ;;
z<C_vk63GO{^j$!7j64MQU&Su6$exu*q7kGaD=?<;|1>dJBLa`@0768!IIb9yiNCP>
z+I7W8Dmn6yFOsMk7&0g=bWhWCYJPGk8?g~UQWFvdLt@aJ%*dif(OaDWBO^ku0R$yI
zIaE)%mkzOd0C0ZS0L*KPf>=EW(7tOh@>+At3lJe-kBu-pGHUyC;(lg##B<+(Mxfpg
z;J$58=B<H7tR4l>+%|v^tk5F*SZk5l%A!2$I{Xv<uL{N8kDWatqU^TedM;N7l>lQD
zV18&+kQNdOPipiescDnQ`144iX^D)S$ZATb$c*sKl(bB#d20gyJ7!M$S<7@@A^viM
zDg+1$aLc3vetqBdZr0vKAsPC$+ae?#9L5Qsr~-<t>ZsT7F!OwS+5G@+!D<nIJT;$-
z`9H0cBWB$!YqxSbMUjWSkd^VrEc|z@<uHgw5u6U|9yVKM353hiU+^Cd8slo11p-Ii
zFN4ESyaltQ9m5_&RfkcgS{TWUrW8)XT@l9YTZ-Df*=&;`FS#1wD%`17s?&(eAzy<|
z>VC2SeTMRUIs$!wf@Oi#7V0E|#S!jg+;`e&!6A=j@qFAF^~+?Kf1A^2i}|M#+(D=l
zbnNEHPnHCCG}5obRhV0Zn>a7g9{McQmAX`hNH0R>1t026J;@&Y#}fW?H89*0?wz<j
zy@bzpkHIdr?oF2)|B%+t4(~ypJw1?{^fl>DMTh*_L#P|?yKA7Ea=O-k1*Bb6ic~;_
zKx5KTVi+FEf06bsy5<FdnaPit^H87MN61D@t!0IKg1w9MWq#!D(xzg4;ZCmi9R;5Q
z%DJCUif2kA2lNxd5^beNg?^=mqQj{o0m9LxVmSgiUbhP)9vmdcPYmGFbab>*zUT3@
zS)03+1mMGq032|_!^0G`n4M;Z2;dX=%Pv%4DAZ-)Pz_8sTKxUQ&>-gaI!DkW#yW%`
zJUqC0^FK17?mY&!C#58$!WNa4iy45(d0`^LM7m?HeRuWW>)s1Ilfv2RjN+^`4{%oM
z!qrwA>=zsCmm6?!R%&t7MF2Rf4FvNI1WW(FTxlR!X`o=ML5H^y18C1Tu(Q@|velG_
zw^SP~v(@OqSJxTUT58hbtVD;qMZkZ{<9<Qoe&uiTZ=9RFwpS4jO6h#|`tffZ9tfb_
zLi2p6x&O1dx?SDeb7<(<HTKzUZj{jRt|`zlfT6TIduM;pJaKowr@TDWSRb!%i`yk}
z)23&T+HpOUOXiroKlabaIJ{qQ@sheX|9hWIHZ8aiE1CUHCa1CRNG|8>W!2S9CdIOU
zpRB8Y?cpVrY%aI(lP9rCF2$D2ejt}iW(CkQ@MUC>If(1(Czp08{8vn41(9q%c0?|f
zZ6@W?H!0)ng`LD9wFAdnZX|sESSG*uNiLOVR<%f@LK#|8$0&79R>hLY{bJRml6_f2
z!BaavW7(9j5ckXPnHv9D9lx~*up`Yu|9RDjYhGv!F~bOo&Z5WyD#tR%1p13*j{X0{
zkBtKq{{IO!P_=;dmV1Wx<~h3WasdW`ui}qM`?m@0-lo?28a4AXzNSaJ*Y%@67vBo<
z@;)UWTd4&l_bxGuy~9=|bbb+wy)u?Oq3oy|l9nt*asMS=O0SQE&YRXR)-S~q`%Rw(
z5&EXhcT@ZIP`bWm!6+IzCiaxLy2XrlNg7GX*pt^hq%NUCrr}xvhAcmdoq27_a5v>J
zV{!E&VAkc$ThM^T?+R&ER+rQ%Zio$a6~QU4??k|6x`s_<MOKR^^+!o+v6xM#KJiU#
z%;VFaRBxI-2_|?-BzQ(tiSzB_3*Ye;dB!T%G)A4Q57DG)7NKCOL>bXE3X&6)p~R>f
zXG!yF;H-Ij2K!&7y|tk0pP&KYY%|oS=A$t!hY$Yji)r66*LsFXlMytEkieigrHXco
z|LDdcA{dA}C_k!pkpcYUcEDt6(O+0_70-BTUW1M0_r0ivI)18Mf7Mr3UL}~745I`?
zz8|fz=XTAg%e}&3l)=xdK$u_sq4`S9J3y39E1=;I-9=^`FWNnY1G93AV@5><z%!s4
z6TY*_dM+%LKngc<O_ueqjWfEGwPR{s*>Serq#i!CL69fzjDC4sBy8b3Zec53A#33h
zzc6hK9zLgIA2LosV;?gB_xfR)fU`pnbqlYxwq2G|1D9IHw&vrDb5=>oIgYF<EY(S6
zm68haT{<io^?e-oxn)6J&N@Yg2glJC6M=@GcA2At1V=dkTi7oI4G9h+4Mjy-m>h@#
zl1)@7DEJA6_FrC5@Zcw5nf+t7ru@l41M?Xbv|KI@@CW&AtW!297#1Y^fxNS>Q5qE(
zJwsnUr1>4MTcrP(OfOOY&zNOc;QyRuQ6O=dqNq@qAL>2fNs}KP-_^^5ZV<~LKDzZc
zFV<m%qom~dZwdLoQ<|HY>TZVs%hN(~PE%+E?O>7gzof&D$z${=Rg$H~iI8y0Op?Py
z99X880wI@Xi4kAO2#I5IDC=S*=uxV0_klt*5FG<VCIMKc^#MVkWX>va8<iqGs)cnn
z3OZ^Pao&q;Jyz8Vu3}ajb*xva**jEnFKp$j=L_;~RwZ?h*{*L`7Hr#ein0?7)P08^
z%)<;!eOu%iz~<vsWG6|f5;I9-d~ahNCefTL$P&_cq&1EGm|R+=rcOC@*U7^`Ds+ru
zghHiYOlmgE+VfG`61Ak<$``-g#46J2&5mq_*$MwlN7z0HS$n>KE)w2^{Ku0u3!112
zi3RqzzV%AQ4wCO@ywBrK-)gt=GyKP|KB#(q9(6o|%JnoIwo2gQCZ;aw4|^){!*|Yp
z$Jy+eQ{tIB(vScc1aM(ea&MN^ImdLFQY%#e60tF~?W#WsZc{b7PhcszNdy?^MVA7$
z9`N?aPTHrI?a`^FT9u!;;d88#*jl;%3Mu$3zxTp%N^q}t2<slOD<vOMEf!8jYGLTu
zbcGPy$FBPRrIkRvjdz|95Ljxl$NVK$=N#7=mu(m2=FWL&H0!+`(Tj1Mxz;p<1b*iQ
zPCU|d&mzK`R*+A)e-hmNm`F+z{4Bw<{5q(6g1~gIYPn#N%$2U~Pyryg%jNJr%pn?O
zl6MJmT<ub+QGKOhyI@<_owRM3+$MPH=J31R40Nek)T0`NABjpS7fi$OE6=p(h;#26
zHPOFKSMbGjjCTo-(Y+Qw7?#nf)UNhdnQj}T@Y%X>V({Lq=tbll<yjoAb4-CoF{M&2
znGUoXsrj?6|Kc?$vvZe42r>gb;~Yi1ZCfmw6}@cDVc7|;zHVIb&Ua>Z^R|`X|GV}I
zi?jUlXG#wk${r|k@K&t@?*|ObZqq!ux_G?E9kS(rQ`D`~hX%epz9qx-YoNa_V?><D
z<cG4_6=_h?QEG;!+c6Uk#Jb}Y?)bi3(e`EX0MST8rkM~dMhH_8Vhw2O{np8)S;F|X
z5!?tPQSDf5`%c|a^=8|1p?&e!|4xTRGeH)OFs8!58#Kqx={hD2*=z%A8(@E90R}ix
zD66--+}&q~hucwB57f8fAn!QyhbMm%S6%0L5*GXb#>Wcai($fet2T=YPz<PM0yi5G
z(1nsW;HfiRlCBIwto?v)P{I{OV?2)pg_B?GJK{whIMK|Egtg<X?wfB}aYMh~QRR=s
zc;eseoA^fE+}W&siQl!AP=aF&a#I}$=EmdRvGT)vtcvJk!kmthWx}u+vQLGCHHd1a
z$U1P<gw!&IBI89LIMLUQ<n1{Y4elIxB0C(Y_$CP8``s}`Rx!rdAsg`1g&#HGtN_f{
z5X@AWjCGb)2_p_Hb7PyGnCeER+i?*$F&^?psyzt}_ANdxPBEFF%K><;!=GUdVCeuF
zO;}t*7Tb_KMznZ$=y$b04IBtVdz>hv2dcSoumB~NON00vCxQHtAC&st1BcPT$niIt
zbmXy6E=EF(0cB0#Y9oBx&|kXr8oE9QAC#kbg=Cz;j2{}aTaV7py7?<UxIYh^cj&(<
zxu5WWwCV2s+lIR}1@Q8zr^jaV74$q8qW}0=6{Yw-z4YVh@;}dxTLUHH!vGe(Lq)+m
z1-Ve@0LU&NDnOtHzlvW-zKQPmCqn!eLb^Ysgg?vTt)c|zuRl!T2qVLuScIq__3luB
zzO;{>4&0v8(f-{onj4agdaa#_GI(9>=`wU(?Wr;^-R$u)YF(V!GVsFUi+bJ&Pl!9T
zedr;%y9Q25gyA4hiUTIs36&^Hl(ylL{or<;TqHo}V^Yog-uh-st~0a~jo;q|8+yKj
z1rz%1g9SNyJ>-ggDI(SAQAR`)g8r?T4p<kSV~nY|%nQ+vycae?@>HhCqCQU4-+f6b
zhUhgRat-kA1N@v|qkqx9F8xri_h$<n_DDg<D|292rR}mK%Zsxt`L$!yOVTWVZA7*f
z=UFmvN5&VYoYHkh))nWR(tAhd7oVK6c_;9z@IwKi69!>=neuj(iwr?VAtDhTKc`(n
z0`Yo>@2CJ<lrdYQ@dGK_+0>KzPr8R*gz-4S4Dt<@47v<n3_=c`Tqc<$EH+-#YrWJ`
z=!<n{JoVe|Qx4r|oe2BPIA?7++LKhtk?SjT$9r<z@$WAVy+jJ21Q7Ypa`(l0;@@fS
zY7vt1%liiXBe~O4ynMgxoC}?;)6q}>YMcdGR{l~#w!-?I9$Zh`S!c1_oTCkbc4cT~
z4nrPW9CgPCT|Nkx3IAY7Oa<0CfX8xqyfy8W`apGp@Uy4pqeUOHKK|p~GW#L~1)dYo
z>NvthSJV6L9a6PE$%DM=sn)VOHbjvZPVZ`hQxmFkn>mjCSR81y^hBZPE$U#ZxvYcL
z`Y0cMa4`)>`K^A!zSV*5aowM{DaMzpAx?5F0*Pt_BU`b$|K$cp>+P1Wz1UE<dbIuo
zH~I(>zUXXb1_m`xXi)F%k<ZS$*md`4&)Wm3aB~NW>T@@w&)Z0;fR!E9<3+MRQ8=M>
z>b|?|`{2{&;IATb%fyhXAH0Y|Z-<2+wHROL-YBCm64gYHUOYK!#al-WHa2%S?_`Mr
z81{5vU+oLL*d1Jcc5FE~$j)AyQAcym3^gy&Te3gLcVKpaaNr0?sAKD#foWX`%9mj%
zDUi`k{YS*5<{Wb<QU%Qzi_Hj$(T}3J2bupeGeF)B!Lf(16(MnpmOmil33{_ft31Ud
z+e8*wJfCIqviASl;QzHmyI~%KI<~I&12a`MkK8ez2Mhu0$In+VCW+yV@-LSx(k0$w
zvX(wBd3-~8707JVC81+1w+1dT{Qal*dWk;ux0Z$aH2>O1n=%91Pwf_ig7MZWV(bwY
z@^b96va#4(6dP8;iEB#n@d&qCi|}ZrP72|5z%Z4TN}=v_m~zA!_hCW@o5|mVFaexn
zs!Y_PxCnOO8O{XKBy!R|hV;~EWtGJRWo~H&?8>NYDi*V%nk8Agj2>rA`3bKMnzo}N
z-i)^U^;{SKd^dl6XMcT1e|;x^eOLc{4}X1k|NI|&*+N1AX656-i5ShN_Sxtx%Resg
z9+i0>?4Fc49|%N?VsGx>76*H9e-r=!El(^}zDVjj@~TpGh9;Xqm}=Z3Hj|cV<-GZU
zDU%UjbGnnMbSLvPS2?p|W;X;COcn>?2Mi`F;FR=_VXNBUZk&5*PTIdU5zQDg+?+PN
z2($U{JKs`*(4X%bPR-C8=9WBbC+^Q$X@2&hedzZXW1GAZUlJg7U0}K{(Ct?!j*H}f
z>ty<WWd!2V1AFNHub{+QK<&M1Lt)wf_p{0wC9sB6zr0>f&Sz&UTbGj|BEqHcjheF~
z(DJ*YUnJh;kuHKWJ@Vrr%fp3-RTW)JS>vDdnFSq)YRCh#-&5+C>66;)bUbE#cxj8y
z^X4Xq^S18RvN>vV#?4ULw*1!kIXZKuE-=})`a&tw<d#ibU~=pUi;qCyh)TD~EWQKS
zI}+1;3wP47$t)$8)Dr|Hms}J1i5U{7KF^pPK9i{)vR<ICY=;VS{DSXLCwv{S6@F*r
zU56R_%KE=${H*A&%DNsiikP)snDve)jO8Z0_t4icoUhT`uhCqu(HyT+f6^Y;Xl~c3
zKUtS+G^guS$7^4+-QBep%;!(7*!zz?N&i`78$S4z(M7}0Xr=7CRL!3tz`6e(gPE+N
zhQ6FqU)gznzTT#4rdQSme>&Y1)UCx{>VdM7k#c&?mtza$(D^j`s3?nAVgrh+y*k2P
zQ#WnP=#CPa7ivf;v@T`nj`A@(J0fmqFM1qqA<bDX8is+bjmDY8iMx|#=laEx{Zb%M
zN{^vp%t8)*j#5&Gd2TEmGq5FEDHGmVS}7CX`R|gF{#`1v)AN!B;T)y#diS_IcT&zP
zBd3X;!%WxycgL2hdq>r&v&!;OdGe$jct#G*5-~fvwMq#)`G#`gFVqd`l$^&?shIrO
zQ>lo2*3<D@%-PbC(p#w6{1jfF_=iibX_q^&*&-8OOodPIJ-pCnBzmECpgow-7^E4I
z_7BX^3#2-scKAJt&@Lo<p?2UsgwX!SZ(>q*Tza$7vYPf(@QnLCW&4luC;_iKO3bgr
z{sP_r8G5h|#>3!5SV4O54$i~kL>Xavhz_Vjl%EpF4&KA2#7V(Ahz{n%=)`K_I<O9q
zLz=|ef1!F*{CmYQ?GAYAH|R^WYxM-kJ-gW#s|iadZ%?FY9sYZ0tF#vmV_r|vuQ?LT
z=jbmd60+^3DDOPmE=Hk@XyAfKAgdrf3$k0i!+dh{!0gf8>oDnoiIJJ1sj<1iC}AUp
zPO3|+e_S8oVr5yu$V}0uIJq$>%+o_WI`HejiVtO;HHfo!w=&+UP=7fr8dMviUViiK
z?lk%$fgy?`{Xo+OB3$(?{`b{E1uR5tgsjBm1T95vg{{Tq1ujNzhOWlu1~2!^4quPY
z4^)KI1XYE_1y+XE23Lp22U3F40#k#-15ts&fzY5&K<GAc?LV+v+X>tM&R2Q$_1!BP
zCav~+xlsK-A|E!Zm14CYxEF4>vy~E!0)J2lcx-m#rA#MO3b`zHla*XASd3p<t;WmQ
zZn*4r>#ZiM`F@ZH_+0M$OIa?M^m-lc2P=6#hy;9I&-=?cg^3=7{C=;`2df2v4V96Z
z?V+Wqe`0HLyMvSO1*#qs(f+%Y+dq9j99CTgrkm^(oA%rmSGekdf<nPzQ0Nr8p^{3)
z!;$Ee`oW@7$z_sh6nf#ZT1`h|X_N;4u|K9!sg>*g@9rzrD)d7}3~mAfz6Ev#y1x8h
zH`fJlKU0R~vRnQKBrUJk`E<Hmu^T8P5*~-eX1*0FrBXhf$!4(=EGCm)tJz|{9WJNS
zdbQSKu^S{J5ueBDcDxlPqfxir?sl>hBB79P(B6FVPdc9t=I?UFHBTB`NfsGktu>|b
zzfR~sC)}Sf-Q3f6WP0^k(pO(Ckaqo`Sm0wpa|g>U4#pP;ojf3BC6KVhQUNeyj5?e8
zOT;rGYtED-!kG%-%q8Va=9)4ic+lz>j`(xamGD_#JEXt5=U083@1~hk`I=D!IJ%Sm
zn5_}16|Nn=6b%wNSK@dQ`11Ma@K1XAAV6hM>7?TbWZ{Zw=8ACPN_gl9gzbow>4=S~
z@-Dddo5q@E!kcu$n}yCDlggc<&Yi)|ov@;per0yf^YC82+up68zDpzg-a#+@U_ILG
zd>-D_7n$JLb|lzSA~<l$|0|WhZ<W8Nm4D!+|5r?Z-%Ni`P5;1c=daw(zTM8A9)Bj{
zo`_rhs!P~4vkG;L=F|^PS?p1bA$hgtH1|q#c%SzSYTjLvFB;+WsAX!&E4-~KYR>wg
zdTV1I{-r6RL}Sc$w$qB)8d{F^qHX7NLl*m_`6gbDO|@-HZDUL8%*rOjre%(8vw8jM
zC3x!`#=5bNv5Z~TuQv47rqy+N=Lx=*r!>8~gs;xg<yZI>J3jUa@l7mTn*-Z!xrV47
z3Qw;w=+`2u)X*kH{BvOuOPF6pzg$DF85!uHasaIjw3pEDgF%i|c+jJRQI0gZ&?k>;
zk_t91e)EwOtR>*JmLfddbK??)GG5xcj`t_}E=3*i^td66SXpDj?BRw~;YOU|hGah^
zH@t@>Kw(tEOwx+c%&9KmgylS@9dz3R7YNvOh%|~(G^!;KEtMjCIR6}{rJT;PO|nb2
z{lUnHvHj*SKj#QR8Ih<Z#c&qzA-<Npz)DN{Vj#XW3v_P2Pr&-Xg$NS(kbRWDj^EDK
zSQ;%%W{2|=dWcGbHlPy~GNfiMB%MNp@{T&K`v;Clh^y1iDDvM77Op<NJ=hT6T?%##
z-VVPutRDl^{F-jgK)y!^kRlwhB);zCZv|Gt-{8OV{0fynDOsM<Pt9bT#$VKFasnKl
z_DFrMbZ;&+u8yKWeuLcZ`40J^|2|HjNqtuR_Du^uSL`#o7FR_|6Jt|SSwfDBrx0H}
z@OxRFAF=Fm-$9h1EP2@Q>BHw^^lo?GEx_Yr@$P-zHNfxT^0s*VIxX2?`Zj)?K7F5`
zH98GpH8lc*Q4GgnEdniJLSAITjA=x<XhiRFLK=0#$Z$e^85Oy+<V98(b-6R{MyVgw
zxwH30A{@22GxJ5=9aZ4-O(y)y@_|%v5aSzG|M07KGT|xZQ&wP?;i>xb=MVPHQ^b#}
z=Z?Ws+b8HJ;M3$Y<&)*};Zx?b`V;q4;#1>Op|$|N8RlY+vS+DvL!ZZ%@~T^}W%F6k
zr=4#l-*)!T$;RYW-1*b44WYW*YwPEn|FvQLKFzCjU3&c<&Z~A^TKxg{t9M<7!(WJ3
zaeLRDogq0WoSv+lBb|1!-ZY(~&33uoyv-w?c9Gr`o};dInckePBcFDO-VC3k_jZNe
zg7+gxPeK1g$fF2PN&n1<JdI9LEVL6IoD&|56CQ#S9^@0Av+nymVX@rXKjQVOBP>pX
z%}#?ZGqihNtRvVAL)Z*Iau}Oo6uW*1yM6?_ei*xc6x(44+hGLTVHn$C6#Hff`-YoL
zoJcBOv}sC+Fe|2)8S&GU|7{WkE-?&?DkhO6CW%HSkwPZvIxu!f1pks0i%uX~_La$W
zJb_flA4KGkl1bGc25?xxr0WksdT7C<?2o{8|1g$jAejF_a(|SeNYocA{ECh?USF)~
z4^Mu7L6x>EnDs$1am4V?u*}&vQdX=?RwPYUqGd`j4lh)j3(Jie^@$l4z6nOI31_+q
z<5v?zZ4-iB6TwvzFn$wqp7Lj#FNm<McMU(&g=DwviGWCnj5)J~Gi%J6p^9ygT&om)
z1EPf!T+F(qie1r&A6Jfv)*wZWc?|3IC>P$SGW({hPK{H*%#mk$<FNS}N*tsk0cAsO
zE&F1+HE-erR}#8yvsSC@0UG^ZGWDiy^G)YCm5#&|tzm>56IxdJ0}^>7HXggWTGt)*
zb>Ezm!d3f@4evu7T=LZo%Z{0mu_tzQ`vxcHlDLc<+u$u*R6SFbTqo*^=6F7Coe}Js
zitGM8-&DK-iOD42SQ*BM7_Kz7%LOm`3`ZQBs*~`oL{eDc-Wr%?dS^&Cva<%sS-1x`
zT@SWBbJiJwRR}Wv&5OQ?a_4O2sefiw$3V3*$zXe9mE8gV%@1z2##LKv?ri_B``K*e
z)8b-({<Dq$<QK>N>ClI??~i12?)hy3#j2jrVqCul2{KaduaBZ1Scp_^$Q?i8q%3DW
zVLOh1X{iLYbWCXXU@k(`ST&nvZ?l|gTc839;@?*{<W$9Ab)(f-ch%SO?Lx{po7h;*
zkh;^a1iq{U+H%=_UV@xm0-htN7{9%q<F{TQ!j)UX8PCEQu|9PqOn=N=x1Z-5sSrVL
zB!~q%2qk6)bma(2vq#|@tYU|_cn9Y3({!=jBYMoF*BJ1qngPUnAmh-OVUwml?aW(L
zK7+sZ)Yk>JkgpR#0o!{<TvWUm`6(q&oi(~#!#ij3`;I;govAukuU{YuQ{L35UZh}Z
zyaSz${<fB@s|$4vcD95(BQuRUc&MYp-JAmS@iGVZ?aX!YHV1F*O!o0Q2kyJi2I-_=
z`_MA&L{H7iQA#nEOa&fAvp&dRznYhUR$VA*f{}Vr%0Y>uzcN=SD-XH&&ba)Jxa6L4
zk3Ho(@)r?i&jj)pf%6xI@)rm47nz7eyK-oOlFGLK;1=4r;fj8jd<z+U7F>ssct;XM
z85af|w1D4M{gEI)qxxi&f*3PAoKVb)e`QvA9-&y*sO#5qPSXt=Jyh>NPng_x=E$G3
zdD7;EE;jV!?}iEG7~G89<C7_Ez*t?dEIj&ylWi?m8|JR9aZwz?K6iXtS^EceN(W3p
z;}k|OO4waJqBzpR8x5+_XG0VSM0iRn_;}xu$i?i~8tvUbt_ldMkvwGYV#IHno}|BC
z_P3;(>V0z^h;XlhPGP6?_kk7C#~0nm1svMj`lBJf$>RQE2(cx4)3^Oqi2hT+ttQsf
zuWut}UGXtVZ1NH_S#t|sD3Cqp*$Q+hF?1W{b?l%lt1K%j2R7ad#evnFGwh`%hy~dV
z;hGT(SeUmayt!=Q6(E}id}BGrzS+HwnR7CE5KolZXY!>W?v+vNU@WUrobk1wggM*-
zO_w6Hl!<o9-%=`DL|3t;kh!H1xuuw<HA#=rDUbdnQr2Y2rjo{z;W&4nrdW`Uov{b9
zGpS)yM)7p}&h#0>=7Z}^p(l4{Ty&-pwjHCj?W?t(L$#iRwf~lC|Iug-$TkIoC!^C@
zs`Jh&?+xG5RFm;*vD}S!Mkzc?`!)sar;wr);HCXLw6v?$<K$Wgbhtl(X4Q(g(z(>+
zK6DI?X$`lG)6^{j9wo2msvl{trTA|Js>uHBs-k=tOyv4#!Eef6+tDo@@sEi3UE9d6
z38*!C+0J~%#ijH1|FfJ1jZ13f9pki`4T(#O=N<Aq`*DlQvgf6Hj_&dFyhMG!g)*^(
zOJI#3xuY_nPLRM=c<_p4YRMeM(U9@VZEVRM#WkSy3TA4}ro^$Z@k(xN&8Nh5!1an|
zYRjs?@zC+o-Xdswc=S}{jkE})f-Jsz3H>uLy7K6_;@zookoP-k<P2-dweLQ*@N3K?
z`Zx@85LVMLzim*s%_?b~70YI-AWQS2_vV&of!@Qht?Qf6rJVcAVrOYk-&{`R5?%;4
z@=;2msRq-(4Pp6QL51(U@9Ed|=Py`5=;41~_P{?8>L-E$Apn6`nVLB`JJ{I+fr*OC
zssiDdcsbhw;aE7E*#P0#8oAm7;Q;+`!~AT(Kp;Oy!Ts=YsQ>Q_KmSLjGr<K_3?4^!
zgSW;8EU~s9dXtj(1v_PghM6E_N5eNGp;169*0!03uKUTZ`Z07=2SJ#SF8}q}4LYp!
z*~DJ$_{_w4?7sM3uZIvpk$;AeeM2NW;7h(Od_#r4fkx9H6eG?1u%)7C(=7!Av$_>3
zQDH%<qM_q0Gg*p&L(QS7;iD^Qrp|%J4Mrab(K#mDFzGvJo5Q_Ieis+HMnXCfVGITS
z8|y1LM9iFo4_|JC<5RNs%i;Fgy5u8dj`Lw>)rEdShK245M0!AZRlqQrqhi%=HdUHE
z*<VyL=>%wC{Gsu`gRmBn5u+xGp(!BOBcnjBmK3Z2>+cLCs-i-@9fu<*7%)qz{G$s|
z1Nw)2S{h8(kbom^WX7UN6HXJfQc7D5IvRTY4+uXfJFs{%1fGz@ieNEwyRSJ#iu?f!
zm+cx{rsNbB$Xx_iP*%v4@Z`8zQ?uj}km2tN2o*yZaEJws=zJXTel$!$Cnwx%c3$w<
z3>{nJkH4<J!SXzX5aOmS=A={+I5Gffa*#k;?0Hv-TFk`M{*EJ_5F7<k7PpC2QZuE7
zFi6F8ha6C4Kt`cd@K9D7Vz5e7mN)UAMbLYbu`Oy2I<Od;WIT@7gsogsM{?XdqVZC%
zH7>jX^yp@CwYAq!=K=1Or(oZ~!?hd3NN;|o4k}kgg4I%(i^1LX5c<W|509bEnJw|Z
zXk|Sd<7`PNbFRWR`9~M#?s8h;L%FHZAnfqe-OkRUD|XF2$ll-c^*seHMUrGP1fL!*
zy0L+)`w9k!>ek$2TI`WsxB<P!8+Xv$l(YE{D;=A<UmLP<--boQ&kr{O4>5KH-H0qS
z+rGxN4|Q4FIr+BD<nm=b2K-vpy`<&bA9w8v3CkQjwVNYEdVM{Q>+Ab*O2k3C@Z2D2
z82k2S8tHL4nwiM1PJ@-np(dgGD#08l@p9rOiCC4?-(VBFG7e=?-06|aQaW7y1U`Ep
z0cJLvOB!D<`l6{xn?Pbp>q^K;nJ6$}Ex_vi#tjIHB*yFo1s80#SP?Um<PT-aM2lQp
z%5hmpij_B-W`&WyMM_Aw8Go{j_=0#G(N%^7MZe~=X3WN)@F`SMy9+CUO@}0YTcFy|
z5mX}70hPclk;maAXEjLXQi1SD>A~6{OtBLc2g3*E%W`EW1DAO_l>=!gSp3WQH;|ek
zf|aKB09G$O8faJFgy?&&%2XADK@<NVxrx>m&snkQStL#5LsVhm%H;W+#5I~6v3LyT
zu+64>5dzpz^MO;Cy25To+wg)W?6`sHmh!3rq%z>E$R?AvGCmf-ikIpzm=$mxFf|V9
zdf5wlZ04B;qy*2MA&3s&<?vE!Tdoe_sHWn93ERS>+%@})cE26@&o=L7Z>_CuqGsS?
zk9;)kf8Svx4>Jbx1w<Q7+zw#Le<M!cz)&^4;(yn^9%O0RLTEHWtOl^euP!<PKoM89
z>=EE<RlfB<v&(V%ENAb1c=A{W<s18AeD_h=Tp5f$@%!xcIv?dp<pO2+Fo`DuJ|c1K
z8xN11B+eV%+L~=n;v@aJrXM0#s3&`4=j+|5b1M(e^;p;o9k?>};T#-FcIT>#ORur}
zNX#a2y0F}OGGuP%yF-lS=xr$XFdzcfdoT3L9d6@wuNT7<7U``CxU`ZQ*9r$ZYd+W6
zV&XL7iz`$y>7>naJ*!6R5s|pIG~zRR9G^i>TEK(M*E!m5VXvzyl+DSfovqqM1aLb?
zE|#k7F}GSc*u+1Zac(XZ@{c}&y1b%?`K$E~Svo3kN@#3T1rBgp#p@OASN|N?cTvTd
z5Yu3<CwT@E!tk&L0x97zNM0GhVwW-Zr@-FQ^#dU|1KYomiofz&SjA%Aj&&2ZDd3zE
zi1b<}9SHQYQe0_hlxCgCR&ZG;jk!W#{u{IW3!w`{M?m48eiH}w-nW3;_|;XCO9I)Z
zRFTDYZp2;AL2^AZ|MW51wOY*wY>v`Qu1<(F`6bzBKutWaTjX&C0!g+1)b09LNmIqD
zdT4(4rT?wB-HpjShibxmdjc8jpj9R>7~{cqxC@fHg-h;Jp4~O0ZY~zDg_5#qX_wa4
z(F9!sSwUd;#c}t6ec@~z2Q%aLh7j+)Z~zdi{jc=4UyO&Y%6v2DHihL9vob?(`E7xn
zy#Sw2pU+YiNXJg0?PQ`y-$RYU#-9meDINXF@Hs%w4@tq*S0(%Reiuzkh-bcHK4=o(
za_icxi}mhmK@)n5jz`O4gJOvfh8txsI(<AJ@dj-!({+o3oo!41aFVX;A-_}@V~0ht
z(D{)Cu27STTIF}rWZ6mf2VK+I9W8F=2Y!XDuQVn<w~~V|ZVqH93@Wnf@Mk}o%~W;m
zm1387#s0ik!e#B~M|x)NcNVI*pvDOF6B$GXHMBdWGF6T|fh>(9*nVM9YX9`Xos<%s
zKX3#O^fO34Gvr#ly+Se2U->sLs8H+@PF<8Aq>|}9<_bn;NiSZAD1bTiUn0RYsUZtX
zN1B+CgCt!^Ca*I(iaa!c+3{R^Z~+Uxa-c0;uizjl2R3RD&+Wg6sN~=8M5vP%-x7sX
z9^)d%1q|z$o|EZU+=q<qmxaRoA$dW%CMa>kQ;D_d6XS-GuhcStFFD_t;_Ev84)Xi`
zv<!=_oM9Gl-mXpXgdEhF_MZ9+Htp5CTpzyqu@ys`Nz&9o`mo+S1$4PO8vAvw&q)6x
zMitbw#|t}aQ16yN7Jm8yPM)gMC0~ZUB~Ts-fuQ_z+V&R^<);fw%7u3gOB{Ot7jCY1
zyw#o}&o2y;q(4k(=rYI*emtn2_LyoHE05SI$tHt{7P_00-U~-Ait8Vy|02u0-*uX<
zqd=}p{dMe7ERUXIwd^d}tO6ouHvONXRg!K`!neDo{1$vVZ+7%uE`~uCKPf@vP-R1_
zy+@JsgSX^Y_T4GVE*{K17H8tN33|7T-jcff3DAH4Jq_wVGB9AXrFGflaX<N?UWiV_
zM+VX0LfQZ(TTKEj>h&#8Nsx?;xV$%T!T*8r3dKhp2}Tp6Qw|lxYrw`sh$F%I!m2AQ
z6rA7^HB+9Nck$}CA47zXh5tStpDqK|z!uF5B5lCjjII?+ccxDJAc;6yu%e&QvRC%Z
z9=oR^nZxErn-d|Qa==atiET;m_XQ=<ScAeEL#yJ$l1yUSE1E&GfVrfR*v#(8fERxo
zyxN?urg71}hFZDV%(zFjlc{H6Cv@;pdcmpeE<^YZ-MIqk`iN>p-OXOA5aaLng@b2X
zKg)6Geyl`(lInxvW3Io2`}%jlMyXe_+{TYsZ3kDGyR$9O!@i$yUitDK(fN>|?$3#~
zl`;|OrGv_@m7;07#qZeMMokg*U^M(y+XyLf#oco`zo_P^*T>yO(hlJ*lh4K{+9mx@
zn*0}<K)}_yhm1|M`Z4khMBnqn$zS73t@tqHzcQ;}yhcNEv)#4Q!Ljuxex3SZbc1}#
z@UL~O<G6ZGY!4$z&qtr<7nzjfQKm}^Rpe>^nm%}6((6ksKc`^BZJ6;AjMryd_OGq$
zE9KW!oSOLCZBy*XScmZs7A1A$9keQLn`}2GTghQ}`(mxib_?1Dq~}8CS|N(A43#r6
zT3&9Sm-L8z&M-hW&*MG}tlq!j1X1)mfjQRPA~PBw9YG01x-TQ31!a(54py5Hal(@5
zak=J?aOb%vg5WS}14r=RtbPm42}R~99I!~vZ_(l8aEZB#Wh(=lphHQcA!;aOGJl+W
z3Yw>=rr!NlHC@iaqtB5FX$cH3Rf4X^Q!q&x<m82j9n<S{@B{?H$#Xl)fe;iV0aEZ-
z1X>f4fNenK&aU^=P{2Ci4lj)!AbE^kztZBrDKdQW1!DZzbVEl2`tpmuBby;m*LtmY
zJm*1$-j!2EoCke=i$x}T?M|UDj?l*Ymvq;55MIz3SK%17xxVc1o_!Rnoqg1*yz4r-
z(B`o9VjZuv<!spUl_@Q4gmdw-Y&-n6Q$My&z_uCPw$Xd_Tc&yXm7w(yzp|76y~6Mi
zd%}W0;q#I}?{WTaKWpW;hUYf^&rV1zO(YY>wN}?>|1iO$qQzi0z+)I(ZJ<&(CUIf0
zzI<56{WSnFzxk{+pccV%jos!+1?k$SR)TLYTKy%$E!4wJMT5QDOVPX36nUMpXnXby
z9AK1uHU^ou=C=x|4gOc}gxEUIToXOaOOTZx>Vf~gg&~OR$3=52o({+qJIFSuWz88$
zbpneiS@JJ*)ZI+TgyWYJASgO@Yypo`1!A9-5uuc3pCVFNu^3T^ikwdj37GE4vxXA*
z{|ku(cKas}A!mjJvh?&J7+cH1*Z}`WH-yB0$+a=R=Gt<Agx}tad$`nzH0+JC;@ODD
z%$FXdeBdYpx)rbhB(bU3STsm~9$juiq$1&XvfObM4nl#M+;K(txnG8)AFz>2*8e^*
zUmnwc=J+2lt?W>>)>ALM*L^ehOcgOrt7B!ae#(X!$-F7**|RiCR=j`r_2xA5+GVbS
zj|1T>hS`=N(<|Ns>7TOhmpnb0vtH#*oBk5E)7|D?ucnUT)`O>SMt@bDt8(#sYY+t+
zQ48uXx_6AH?7%(J+Q49XCDxzWuJ>;GE%M<gGh*k{jN2*pHOC6g7AH@L-MXvDVX3xQ
zIpA_ix&D&Qw(pw?{A{cB;t$;)HO6iJ{d|{|dz;c7`R6oMyI-%yn9jY)^6Az)Bzkjp
z_4wV#Yu2|0ls;Xx#~h&SJH|Y#I{Hd)oKS0jNb+z(hTl5M{L`hD+i*Pp)w}1GP1B#!
zzwZ8{(%GZ-y<P8;9RdrnM-WUOK%-Egy!!tchJQac<eor^%O3!Pp&P1#f${Q>H-WKS
z4F{_Od8;n4{HG%pMpT`&z~|y&zeVotb!0<fqt@wGhgZ#@M6L@S&IN2St85|^4{@M8
zhzrpn21G(?G>8rHkWviN#zDR_k(L~Y39%pnQY%18d?*_!1tWF_@;3=7OZsFW-&Dkh
zEA?d|pLC=p4jCgyHs&v+#R^f7^EHcQU2!%OwaxsW7$psaJnz3X*KJ87@$RCtofle)
zbvLJuQwhwR{SC`5voU4Yu$%%I+RFPb8is})9jSEV#S7o?md3lq?qAorZeFjnOn9-1
z5ob~NW%D|6m~vo}c;T)57aF)sm%Z!i?`2okMvB^1*U$g>q4hYO{cuh5Y3iq9>nGV<
zVeg~NlueDb=N{;`-Flkh@XVxShIUlo7EAB`Ydz00Y^y2R__Zb`<gmED&*x^WN<VzY
zz<kNwi_etR6G$CJjjq=|WnP-_J>=W=%6?PtETh!3o`OZAznlmv&tljmSJ$2OXl!@E
zTTYv_#L4~zwG22-Epd*k{NV2tacqHGwGfR1LbTF9cTW)(qCOzB?Ux9c`#=3`>Gy|Q
z@`4-(^yT%48>%Rwfbl;T1z1CxT?~g^VGr07fRx|lIFR6E*gR=uym9KJFL~{#65IJ#
z;{PCr#T)EDblA+Cq_j_Wzjx=+%}0o8k2k0Wg`DWS`rXt0*oUyd7`S3VwcF({b&03%
zF|WP5S$LA>`T5S~S4}B5qElNQe4(#L1s5)>y|jCoVbYq0k)eG%-0Pc?EKcdY#fB8b
zJzn7+^)1QbGrVng%DaPk9bIFuF6kO?f2h^#oUy0<tF_y9>Cf49dE8;eF@&Pgo)x+q
zcA{*n&1bjl$(nOi;by!qyli<%|ETkoojbD=YZtAiO<z6&<C(VE(vUc1t<A0G$<sUv
zCxpkn+TpNLyTkRmVE)!MUtU*^zn!@L_2;f4@#<N@Zx<JKjd?dbGNna%wM$iWR`J{2
a<~fVMt`^V4<OKI!fgtE#0L9>+NB{s$c%y*;

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.eot b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.eot
new file mode 100644
index 0000000000000000000000000000000000000000..ba7f8d95152f3640ec58f2755a75bedcdecf18c8
GIT binary patch
literal 113255
zcmaf)RZtvHxb}BhY!`QTTYPc%#cgqSf<u7dA;I0<-8Fd71a}B-Ap{E!K?6aOlmEH+
zs?OEdGu86EzkX)sVy3I!nzru-0(iQB0Hl8hG5`QT!axCmkU>aD$Us0c@SgxsL);?)
zEdO<p{u}*Qihuyx|5}lHL%ILj|68a5I)K*zZ-6Jj2Jq@1r~|M9xB=e$>mmMWum8c=
z0PTMf`+tnfznJGg#S5VSPx1UmIsPNu{;|9OE&%Lb4Fib%o2T>t6xjbN4*w{xfByfm
zKL27o|4VZLgaLy8c-Mcf&j0-WW9<G#T>iOQ|F5IKzmXt-55WJ=MeyHs|Nr+20Lbbn
zBL43a0stV8gCQ_n1{f|6tmGh^IgX$3Gq#^}wDI<e^kcT^F6DpCugP`vB?*r7ts8E~
zU(Lc$S)CgH`+|U_PFR>leZ0_i%qIJ0g)16vPAyjFmBwVqs6b;woCf+#%z6Tz6#i;R
z{tcuuGFW~w`{cKF-hbfwMo9RR^QXQ(%pb2pHDswgK09+-VT3l5_(h}O;CB3=;YlVS
zlL<(r=Bu$~X6VbLH5TAF8G=L#P`#g;z;Sg@+0po!tci0IOY*bDH`5K`nSH(J{+)}-
ztEtV0qw<ecJaV!?IHSuJ5+ven@ku39%imd=_A?hR@RwdPJx4{<$k=(`cuR<>cn2kv
z*p8kUBFwCwbnq=0iUbHDkw;afjoUt`bw}a)^Ha2$^H=O;&v6Msy;H9lVUorxy1x}s
zyU&3sU+;6fg5x|S>2WdVF<78#uf=i)f@vM6yNYOMtob~<aH{03r6*F}ylOME)sO=j
z${pfUrH+qITNPZkG($uTg*P?2(M^HWTZ?(I7^pJa-hhV~PAU*t_C)xI#Z{qya!7<9
zDXer>avXg>6&aVUIVuPpl)F=mmTvJ4@=gr}Eo_yT@^BSpc}E(@K$(Jmfn`EVZlCE4
zOziVZF_iBRz-uH(!=>1%&fvzb3z~y3wP?uR{rCp19<61g6jE3n#kDB5RB7U?sX_10
z!{1#Eeh-Hw=`wD7e;&3W(jVp@Z$HR*)K%E*uL}8d^;fPUl3>95Tl~=zOmN=T8i#{p
z%Oq**BAoA6yvmG}=Jm;~!Q|k(%!-lRGMsMBKv?bL!&tN1<#&c-L($(K=+e96rF0`2
ziYgQ|L<`)BR2(?Gss3nS`G3VpcVbTUTxDN1zO^L%Gwp6@9_4z>A&+7yc*(>#Kdle(
zg7&=eUk?vMX`~+{V|L0Y<&CdCnA?kbr4cJ;XBVSl6dh%2Yo^t0##1`Op~?QqcrF)-
zh1Js^4TQ{DN@Rwd%B6Dufw3q4UcOW2_`v3?#}7-7d_|Ve(BZXH2f2K`PewY97aK<(
zMsv9x&1*&@L_hIr=x}Ur3rpkCs7&9fy4PnKO*m0vB|=(+w(i!uyo1z`cvIgV<IN)<
zZkh`AUZm}p2U|zw3XX}b*YTeC@Yj$fFx9)!gL~W0Wl>{4$*z(VQDXIg*s4WD6N<U{
zt%rFFl}p5iZiY4CvgID&O*<r+C<M}Wu`}AZF{Air$!ZE<^V!(fLc$L6Y|SL8E(oF0
z^EB!w8^>fr?cEw`fw*rtvmc%!@S&Ta2nQRh3A6N$b;2c1DV#?lY6&N69){T=l33}G
zEO7`N|Frx4*m+_CVKs~(a0RzP8Wv!NEqCy8vkuJ5XljdM#teK}XdW7rLoUzh(84)X
zxBrmQ(_KtE^?isf-bS)(Yc7<E+0Bxlq|HoVs=+(7_ah?>F1#~+_tHYrPWlR|s@$FN
z><)RmSc{k%r8-?9DvW!(5gcelBW^&m{Q>)Qq2#*Lfs!0Z8;MrgDIe8v%U}9=5ubQ^
zq@sqV<l=^6C#13F8w$~(<n4_|H}kCH66@#DJ<GJ#3v!Ua$&i@+?q-;r%|k|rrA)PR
z=L;fsIbB22nbG1CeX)X0bAg*)>Ef#e3^VIWj4rS1pDj!EMH|`eCz0vWD>At|C}HYe
zb~|ANUly;c7Z8}u{G9FenP5G8vXXYNR6j!jIv9PG^R>2d6;%<Q7r6Lh16FW!t|Z-i
z2ztN{#|SGiWoKB)O%bW}G1()MISF;wh!+p#(S7yC+9kSR<^!2|NbwcLxAz0v*!TuK
zDN=uysc??NZ&_TphlDrfzA(KH^2<S9;Z%5~lT86IECVC`coxbmZu`WNC{MfY47!DF
z^NUFXlb6h$qk^)>7z8lyt^DvQTzFFXM=U-ugf#Dk>;YNOY?P1?uS|3OXz6J!atVEv
zu@CXQDEfFZHLuaMc~WD2y5|xKn?4jGLb@j@=D6kB%k3iKammiq0;y@YO>LV9hY@=n
zE>;l%oJx0zP&ebQ^Fqn@>p>V42XgFMp{#ZCIp6luJJYOpYpFHej4oIL8NFJ@WL)U|
zSPmFgUWR`U@v3><v1lerxAJc$7omx#bn49grtVo9_L}+1i5G%5sgI0);o|jOR4LxF
zkk{Sev_i8c&hq;CCtN~N;9K&f@wB2~)DAe@q3%=`L_0S<5Qgc+DdDgJu?pb9NF<!d
z)+X~Ib{Xw!Fnm9M;U7*jLT&-fA&QGlL#>ixA-sKm_JfQ;37fj>3zBm;NP4zR)#1$s
zTLE7{DQyGtZtDjc1x6V%3HKy24=JprwS7NUtb&md%c36WGBf$5J;_H;W2-d=CoX3s
zbV6(CliEv{H3b10DjKW3%8(e?67#Pg!4VWOF2powWT%`EqMQ41q%wC5KZ!S(PJ5WL
z6GmUzMN9YNV;veqI49o!4e;+|I(H;>eyY_tXyG-WbT5rHeOlK4aFlP@KD%%9(;uV9
zvC45`e~4XXZ=$Hw?K~58lv~E`KCpAqe#p1OYXXHkt5sgKai!PPfzO;yjKflb^J)tt
z;FBSf%H#n^u;ojTp&Dyo+T@nhbULryORj&4){)_92=j(ps4^5q@@{cp4hYaEJw2mF
z!rP|Ajq=D_R`5=`_YmnOCbk?b2IY{lRv1U%{~&|^)XT&V==9m9DpFk1<=&k`yJ}h?
z$Tjav+-Ecn$FHC_n<rp5IoKI;K>I0(pXj<B0n(RKh-{oo(}SstJ>5s6+GbhfCd<e)
zJyQ%temCRaPj;m);m&>S=Td$V?vtICQ&BxQiBzgvK*&R>`~@)fqSap&<ZQw;GG{Bs
zzJRlTtA9f>hdA@?2n~o?(Tjem)pN;M*cu>UwGlZN(q4axGMi^H?-CPL_HMGaX}y8I
zW~B`xBTz+t`PReiP_+d6unSS-GTchRvCg4$z595;2z*@P7be;zleG9DPSc!dHG{?e
z27SznJ0>(Vvrf&O&E*5(?^A6_azVK@szbCC1r<z`#N>MBbhz!pel=?<h1M&76(hWL
zRMBLFU~aEprp9@UBIBR=A8DT64e2<Sx_xjLrd0OZaY`0Uh<PWw&&ehpvz)axW&{d7
z{6{7wX|gLJ+SS;A=*>sj1lh(s;8oJ(Odfb@-ulUN*1O3-g0}ZrJ=MiF5qJDbmP|n{
zqIAM!P%utY_iJ#6x<gwGn+3hJJ9r(@2N`CNpvsS)ZhHVvvwj%H)~cmghGAB@<zPjE
z;t(J2Wk<>0(c!X>l?fT`gn@!JDfjKwv3av@XWc4YMBLBdhv2FJpM7~v8|PZ9K}#4V
zS$5-}O_;#XY??^Q*^ro*ENGpgbW1X;qm4GJarkvsZdZUZNI;e6-6SeAiq=HOiXkfc
z*U(Nuf!#@GXIkrP?o-YnJ7n|RdpCl}4=s8FL{HKod-<`%5FJvN-x0mdx2Y^zWGH+;
zR-8Ak37Rn|-87J9h7qay12f%uc(-ki-PO!h%`(<<6vnnBq<Bi8b)Ge{=3?bVE#aKV
z!-%K3z(L~!F{gP{Q9IJU`psE&w=_4K{YlF@NK-7{f!TBNn{Cq5E8J6*?ym8BJOg0v
zXN;KOW~<h<42;aARCF|Kus7~1rBc7xq17HO`b-Gj1H#)!!MCVO9$oHtG={Tg-&S5e
zq<x4Nrg{Dsz$a5V0w;aw68%lmo-tah2z(sV?}zk%@GEmr{u-|Bh!AlI2dtOKooyHp
z_Tze~NLJL&+Q#wxS*WJ?Qz$IOUn95}9kqm5%rPU30x{q~z!WSUa#31;6j4OZOF*ox
zoz2q9dfU@4J*221ZbWaW^fc@~rUc<XtgcnPJ6L=botJKGFsRo;L8%17+t&ubIdln#
zQrRFEj*KQ^k7SECkO|JqbMZ7bCved|^VgmMl4@qHcn;a3h|DoDMm|qZ3elGiir$M|
z=D?Rd6s`XC3_&9sF0X+umKXRm7(@r>AQtpJRxdJzeW&7YqHO794R09M)VpN9PnOkC
zYm2O038a-(YzyBF`a%T&7laaKM%q4J1hA9BH$qhTpz`slM|@Orzo)u+T_!GVlgE7a
zMp6Y23eFPEl2%w{-{-#gd4fH?KPtG#;cQ>lHz+9Ky5`wC`^!8SBGcffcZ&U`L9{XC
zzd4ZybeB+Xl~>yn$7Wl6s5yQU%}Dn$(TsM3;lkx#{8Nrh+;0K1_N_6@h$u7DSnpR{
z?f~*mfS>~={-`|N5DC892^YII57U#^Rk!K41mkUvv->IeJKYcwKZTeAx!KQSI!(E4
z$^6<!bP2yY)>T4wq8A-ndTd&f*yzG`Fs4pl|A`6*-o)oBI8IzVvYT7m3VO}wf2gyz
zkP|B*DMOay-lmeY-^Gfz<e^_x3b=C`pN>}M%(P30=V3{E`bxWli5LBf;m*aeqE49`
zA7Mey`HOX&+07BhWvhTc#;1vs$7v&72Ev$4?tjcFe!m}oOxJbBiS^><fjn)KZiQaJ
zyGo^lOTf^Ad%!SBfKA1u61?sHm1Qc;!yv(cSLX|O-8^O0uAK6<{;l*wiWX;Zc$Za~
zPj>H|@w1^uj3E+-2f4rfA|Qy$lOsh6{SvSj?CJOzZMjBJJx<;o)KY6MrM4V=+)r89
zif97V{Zg2<FiL4d)?`IKZT*v=E3tccNgVE2Ccjx>u00YkGSo)v!<NLAI=*NmlkyTg
zqVw8@ff0)AZcL8v?oTI>jyoPxvir88{lSZPtEI_Ab}FZp4Vll54;|0&dguFC&}LYF
zoT*;cP>K(2c{;uXv@tFWqjd6?H}jJ3SE;<-u!Mur6_oauCNz)UR{K?PhnAsm7U{`k
zWb~9k_}}<`CCZGdN;7hY7_XrbMqr8JfPJ-L^_jTt2`@Rv*=1b=bf1Fw02mgZQmo^C
zbu>OfCu}gmVVW7o({Go;lj+8k+e&6n(kXJ@{=Nfkf8hP>pajdtJGWi7{Fw!05{wBB
z+v7vb^lv@^<%Of^*6s$U?SeKFUNO$nUwd@y)%*Gqf*HgjbdurkAyFTZaBEBlWxDXh
z?8!a>cLK5+M`&g}KW)Y%f`Vdi2jAomhAY}3s&3m=IPC9Hac7k;$&lu#G-XpT7~`>i
z-jRqA!`~yX;hwX7PSiN!mQ&}%L2HJq$m0LP?d$K#GPDj-S|HHwCuf3Ttz?U1tSpwD
z&6-(S0}hjXYmdm9wv}Xf1QuFlTUczdGAj|{V@s|I{7p%BH`%yVLe@!Lw+GcN;F!bo
zgs?gF*=j;7G7>diX|fd4pQ>kH#`_&DWHp!Ocw)kNDbJT*xGK%&9}Q!^GpF!bY-v`N
zwU(PuU(t?QnFE_}=XPbq=YJ+iqPmvI5%S|E*V(huiztReLKv8C=_4TJy~Q|Tp^8Xn
zT9h)wr6Qyq0~lJmU3+D=r@|@(q^GgLkn$Zae#-Gf!V8<g?}ZbEm6yTi1L<CMB^xRX
zso?B@5xKO8b_@FSWQ*%8%$;w|^_@<JpddjhO0KZ3jZk_6wEnMHgHAmeM{zuP#OhIi
zc(8i~-70pB_v@FeoPN)Ak4!^XF3~z%Z?fp(4biad+pby^EVy!Ir+A{)X1BzWt<mwK
zVRE8Zy?$lV6q<0V>3rQCD&4_X5c0sO2=NbfxN%DUMx;m^+i%vyD8)6cg-Xq=UvgZT
z_Y*F`g2VDM;rTywIzKnxYK=wKW`RM;Kq_G#DS$4eYXw1cNl&5jv;c~93?6-Nb4M~h
z7_wUOrkAt=Ga6B3@g{`B7JpzrX%7Vu7UUVO8ru5REg07(R}h7#9sebzpwF`)GSfEq
z9QxWWB)7Iw8>vy%pnBO_jdheDHQXVoTg5!R0)fvfvqJ5c);0=4kg9#m?I=n7=7&{{
z`G6F$U>uMYtMGepoXz?B=F1Fjg77xO8EVEKqt`{B4Ty>dqmFEyB`yyS42HXd!pJe%
z1b)&QJe!|?52k3|w|;DD%6KGVvhmr@G7u(Xs1eDV_Kq_4m@Bcf%bqG=`PHKA#E^$J
z-OmDRm0kEn8M%hK(;{_GGc8PYu;4o{sLdezy}$X#EZ8qJ4exQ4Gfq{&2AwlqI+Qdr
zQ3zXpYR`fvRTTyQfO*Q~ulus<%GNByGWsNm)s%1lG4oF4pm5-Am%8aGQ8go`U1O}=
zQc~@ub#66`gP<M{Et<^?E<{@(mx)*{+*WMvEgA`RZ$gC=$c3SiOqUx+)NwQ(F-ozL
z8x3YNVFm<jq2a${%5`!3MWhdL2=}A<Wi`5Ix6MqY@{X!C(xPR)jH<L5p9?F%@~Xv%
zgw)&vodNPo(5}97S8+CFQdWUaPmxsMb%LmCI?ssX_B5V;@GQk&WC_a_IJF*dyVGTM
zj4fBmZm-ngfr}i|ivjIwuE7s9mfnV&db~L%>pvQqC^|JDlc&1bzYs7Dq3hQ=%Xe5u
zqo}710au!YF7fLF2_>7*>wW`7iy*Y3R<y=G93foM*Qn9<8s7mE0+*PzTR2)Jb9Z<-
z*bB<R=Q?Xx2%g|{0Z2)ybS*AiQ4b5ZPkM%$mXv)Q6<r<BXCcm|&JunceHq9DxXh6}
z#?r7~&qPU*QY+3ehw@8vF(cH<C(-pwLkWWz$;B>{Lof&Oi{Ze5Ry0ZqcIz-jMubCc
zn1X3}1j+;{vi0yRl*8ron{s{YP(@N{c%BThvfP2KN<C(bKZsVfe;oJzs=^K_Z{}|k
zYR=yd*yvkQOW$}tnoN!o-#9_3ADOno%wNlAwrCrKqFEBGCcmm#vsUt??>da2RPqe$
zT~;t8OUJSl$k1TZhce|isrGQ-GjAv3XJvx7rvSsge-|yX7EGs(iL6%nBbIL`|DAfb
znZB+q{&TOj`^5P14Dd&Porf$E=s5|?@{)DRwFT03OOpEcWhT@+wC2rM=gp7j&0nW=
z@l32?GM-7;o)Ky4lfJ81qmVGfIZseTt3{^nci=o@3zJ($L92;YWK9@jz0}Z|<3tR*
zB9?PYD%<7o1>{(qB6TH?R7->cU61Dorz0TQTuLQ&prpS1eveHl2V&@DZdkSd7=F`p
zE~>-82du-r@ZbFx$S3NRd-#>oT0`T4`R~b&DSmMl=k>)Yvwd4?`Ia7Z!e{CC7oXUW
znvwORp)Ev2M<1QXD|28bOEuM7;k$cGqL)~HbaE8c5ze%qDZc&ZpZda&PQ|m$9+1=8
zF`%xBdH>Zz=;qay0K4YO^-%aMriaEO(+VlD!cthaQD$&valNeeTD*|UQ$x>DfUv9<
zfzT3UAyGi^W1Yw3YC*bT_1;eT=?%YL08K`0X|;rJ#M2=c_&LRVOx{)S(RTOp1?0Y9
z4k;r05!S|`FWT!-`c|vp#EWC(V}1xhqi7elM8ftFGCE<ES}1iFG-+Aav7<8LW8-kr
zlKc+2D4s0ABtatnBazYNU6WPQ+$I`Um%@)yH-6vFa9a)SEbVY3hmP2`-*O^Go#=SM
z4k4G#<@3)BfJioSEJxi-bv!`gN=#Kf4%jk7T-B+FqHy=4p_Z%`o-H@9mToDb{<ri>
ziQC|_r=p#~UZQ$K@D;6HyqNjX%DB7-9S}wfs;jw}3OU)X_brxDT+B=6_Tc_jkETS0
zo=|ZVrFPTU$(kcPUZ@2oCJ}GcpbxiJZ)tDE6=_+JIdAD#EojYir^OR@=Uxg5n@qyp
zLxFWHCFHW6Hl-U~Q{<LmQ?0x|?6~JoSs8CTef$GdUPgKf$&uY$qx_n;tqDE|HQ}?*
z!sKeU{P-io_^f#9VLJ5~$#_4sln9L+wvI<YMFR^(Y<}k}nW(U24-+<WwsMN3TdVF5
z!#g!-B=V?B&J_bo>sg}8{LskyY>D$3k?12*yB%Lbyl(3de6;4Ukbyl#Cx9-M{aJaT
zSUoBSu$t<{>DNR;`tEKJSvhsn>)FO-FZ&~Gds-M@LewLSkPoK(n^LJPYR!1qTFas&
zH?huASt3g|`ey#>)Jv+|NEbk)66z4o7%F?x&y5{nK4|R_D@%%kG9J(rc7w+4a+J6L
zK|{fEo#jJLokOf{$f>xq3@6=YpI@mgWC`F5>u<O)CcuTN!<^Z7lr6A-R_`?rnu^RL
z-+iA0Qu7{mR#=~dEP+u6b^c-x_mNKz_+67XE6Q432C)+@(a`f&SkeY#rZfwkNqAHU
z2C^-kcPs*pN?GJbXO)j~)P#O@Nd^wIaCgQX@glavB|sBVmdR&FWcW7uTq#Swl$e%v
zNR?j39~UDAH5@)&Wz<GVI}zMNN{ZEDIY2Wcg7_oP&3ijOU6NoJR!^JBFW(RpXYJk2
znMwG|^fvykt1{cQdK3;;MmM1|QVL(Y@I9-dO-pX>Swxr!@Z@j|G4oUE=}4Gpz2PuY
z%65X)#zMrm>pRNN<vZ7WH)f41NTs1p*KBi%Lf7`Cu!U}(d5=c2n*Gu3;q3A|CpAQ!
zk>sT!!l1=XLpS+L<9*pr8Pg0jCg!)Cn*Z`F6_y+z`W0K`xX2uLuZ$AER9xloWAqPx
z6k(CnE+-D{Z*Z_=x0L0>pjW;*Z|P=brmDGY;?I8CejzS?;)0T^v3XYL4PJJBAY0F1
zuAmRJwM!i6`+7zYS*WJI)jeRW!pkH=_k(A&72PYmTbi0EN^Kar1&=Z50=9smokzcD
zu%|H$)^6Il`CQ1rn*5yk&Zz0ATD)=TI<%V!=>+)-o;nMZ=01G4RK|AxH3=&E%Elwe
z#SH8N_0&N~5z>Ed^{wPk9@zqy?B&_8fAf)}Dpux5vQSYDP7s?A&atC_EerWJMJ(x3
zCO&cnhjZ;+CuvCc(OKLSbLZs)H61i?hOi&LGD94y9bUI!qaEMfB9HMLVZxiNNC7TC
z8TEI+RzVd%Cl@KgNbS46mSs_R?Um}gZxR|1T2S}Coj*`~?w@1@hyz1LY?<8CyQpGL
zY3#(6xZ9~R2j_{_@ZsQQb*snK-$a*t1T$U{+A3|T8mj4;&wu128Q(`6O_0*yegt6)
z&^^;3$bOR5A`jz}hR7)anL{`)4QQ*A2GB3b{|2mqOhM*IuRg1dVR3!>9-DPS*BbSD
z<6-h5!TT0NvYI^E%Y3K?{|g`WuREJitL+MRB`hgLk@Zz`fqbinqA&2*s5nWd%xXTh
zRCtI7*Ju+Plag#l`eQRy@nK3cZf?coHEsvFBWZubd!>s4b2sX}0iT(bx5Zz31-*>k
z2*)Q`85!#PkY5{#yda%y^+u=G?{(0%7~W9RB+>))9k(5g<X$)bOcjiuaW4X3pSql>
z-}s#AjVV*D2*tY(1($n$@&F=5|NV1=Q6lpPC1311g#@U0OF$Y94h^YBV_&N*u5Zr8
zP#a!M=IbyJG*H)wtP@-fGOIBHF(AXfjkBHwr&uJ}kmQrU{Z3sA$|);E)-aK&D=je{
z6bwx%B`8J7E%vJ7Et<R@GCj=I0v5lOSxRbAUlQ)dO8$+JXX6mz>WdC?H(jU%_Be@6
zi|Ja;Ls57TzS0a$cG+&2-2$8~%VlwZ?fLJzV4!^@I#e6U1>8bwS-<O$h%~s#9RiBo
z<{xlIhC>ORZ{Zx5XGp|^mPAVCR`-wN65m7fx{zqelb^#8gu!~2-;q?1(Xm=+QKX68
zh5REFx%P=hqhNY-#qB79mLEqgV^E+R(mcOD;67T+nqxgw{q#F5^AogW`(Oh|?Lzxb
zNq?HfbZSkIb!rV)7cQHWV0|5b=I}Q_Vr@p(dB{0$vA6&_vp=uzp#O9d=EkpFI{i5C
zhpp6eN{=9OfMCl}Va-0o&#J!>iO(#0)2DmakJfouPauRcW9P%@MdYak9m9OtKy6N`
z4gY@WV*m1Tfh@%{9;G{+Z-6v^86L){P%V>_P1b}$HfqQ=vJ|})(|g)?C|8bQSM#$Z
zBU*11aU*jerw$Mcwp&)DsSJ{xL|ah2mP>tmZFVI~9_ky*7Ml=@y=sQ*386vL2IpcF
zoaieozgB+yDdE{il|P%Gn;*9zi2R)Q8{3tt>G!0Rt->T4)R);gT~$ZmL&E84$bI;m
zcDeB{N4NtWY>Fkf8um{3Im_E=cxqCF9u=L<elhrwY$VOZ<IOfNnkGrjDAlhkzy2U=
zCg%Y(EH<b%h(m)n`e+RqYLImAm+}bvbj#CoZ5^j#N-Js$RUBFOw2dpR*h?w)Vbv<Q
zS#&lf$a0tAwBawK+=$${7`hBGE^klo>=Vlwa56Y+kyVFrR324Nt<p?oFG+v53EG+S
zhb@pD(_p%R$GGCcPiBReoz8+uF*Y=IE(Is$-d)^QeLO$q8QutYkPnRM!Yd(SC1~N?
zmmU3xrAMxo048_i=Wup+xt#0#hF4qm8Z{)7ALUidCVnKrm`@t=Ulg(kB-u2iPoeQh
znMlc}#Ux~-p`$1XkTysM5izkXw;xF|w4X^@VOtweCY>sM1|)kFx&<Dmt$vV}oO!Et
z`lT$%<`!-KuXN$ec(R&PC^%6bd@OfDk~)?C!zp+Bl)t)=6w|``$6S+gx(PV}VKU*e
zEIFRa@wT${vqn?d^9#ft6w^;sVjEjXL`n0Yb@g#?EaVV7n2{r65Pw%qYCuz3L<A&-
zw1tjM+(`mcwhS3CRDx;^^+cs1{lOB)_9HDnoC+%nGnL#?#eTv*%W7_!?4jo1Zh9PX
z4ap2Lq-dU(d4*z(!H!J~)@46(oAW5f=&8qTu)K8;)bhhC?wO?GhY*S!>6ro9%J5KU
za=g0SIMKX_wg;LANI{e`AB|Ppq-1`YPI@h)LZs439q^Bo<EGveOwjhXg6xvzUjb(1
z`^oCbTIg+MpUJ&zQO*V}M;WX62V4|3jMyXA07pnsjH^OUOBBr{Y>m|%2&4HZ8K<xY
zv>Idvfc}1UiagyUd?XpAyg@l8xrF{gCOt$+^m6NTd{DE+BK1O!m8sY^bQjG5QY;?A
z2XLWDMy4f0o7lWKyvBu@{^^`^4{_GZixQ%{(C7qzWJ&Q|X~|;x>|r)_Na#ko`*l;L
z#rBYwi(nHe-!xWN=g%(68RC3*nSQ2GhqM$$A#*onFfM{2YnE`6ztbrV8(o9zdX9=c
z7+CQe*RhG{P7n`*v^EivfUHvu;lV}=j0401L9#$!efE?_ntXvK*Fv>QqI#o$FK>k<
ze?OZ>dY32%w@n#Ic9Ug$i~^-$v(;5-B{r!vjCAxA&_SIZfVwR+AU^46{Uhuxj*G7$
zCePO@z@`qF9Db(Gj{*hWoL8hLSbXWWP!|L>b%x<IdA3eiXYWFj<`_GkORc3{%Mk<j
z_d-2xw#Au<J1Q?>Bo(47MYIvrS_?u7)-1$Rk?{1m8lO%6<v^Mhd6DW=uHLH|`tcUs
zsmp8=Hip!_o-bOj-URPXUpM95WM3*++p1jn_3Hm1`6O7{NkA%&9iR86$B&9H?aT(+
z_>@Z`y2RC~;r33hH1(nHHK$zLT7@8-LNllQfWJ=R%nSP3MnW`=)lsebFT$yWSHVSh
z<(!O$P+7DhBb83dOisSpZGZX;0f%a8Yw#zo_%JXX^A4j?fikj%2A--Qit$Eh%@dUU
zj}r0oWD|adPde*JIz5qW&gBFq`yx-DaJQ=rrZMK6|Ao2#aS!PdI4~JYp{nFD$y(cu
zISEC+j@vJf-}E<DCn4kub}ZKd;0h6p=UWquy=m!B4EA$x-w3I<q~%6BH^5A1^c1e&
z1o3}F!$YvDPnBZ32<&{^JTgsBu(z|Bb@`eBZjYNUjmtA8ef=Szbt%BpLx9)GN(}_B
zOw@xCp*80*^{+QMB|$LfFtZTUE;b?KDMGozszUmmgy&1dD+;N<)=w8Rd3BlRek;0o
zO&nt%&GAO^7es3y82ph}uu@A6VQqsIqSh}X!x%h7xr|p~+2bV(cs?D@`<KdMl5!=c
zcU7Z%yV2436!p=Yb}*u)l#X$NZic3#7aU4O{)h|7Yx6$@v|NvV%bbPtYqg0BX`y!x
zA6g#$`iSfnE{HI5s=-q5ZNOpYdaRQvv9mE7Cg1Tl=G?b!lgY!uGfJ4g1?+9*M^WX!
z`=|v6&~%z&6mb@7y6!Uykg)}~eRN5eD`kpayX&sb4Bv3pxL8{^{~=$Ace>d<SlK+H
zlDgNtrdvy;Kw-HeuUrj$35`4z<qxm%4Y>}YbqKRpSd|%8&ckY!1x_lQG0;6M?Ic7m
zNYD`pEO|IhlEH-d;h@0G4=8%<Nq2yY)8_!0tuUup%2-}P(Q02^h<pJFf3=Me(mb9l
ziTZqejgW2~+uK_Ffke4}fspxXYzV4tU<6s3^I#5LL`O^?%_0$UiJC5`+qzgqi%<ZH
zB9M+>Bb8^jcAMz(F4Pu@AbeT}^4j}%dV3Ws<S!zVw-wzg7xYIWg|68t26|ah8otaI
zf{Vmaq(8wXEuHfYP}73Ye9_!1n(nD)m#z-b@mCQ|^2TBFtlmY07hkE4;MaOo<FLjT
z*GOweEDPe=6^{nv9t{p4P2wn#Fi}k@fpL9h1yBM|qiyJdLsKv`Is@F{5he8@Ojx=+
zxLUMe>A)x^%q70$PFgFO$IuAyBt^7wakI3ZtXD7*>IUVoc=GU>VjYx^Ry>3Z#ETov
zN85f1`eX}6=Z-dh#o#JovYaJY$JrP@n?~-LVz(-Mdl~P|Fpt~YO%i^6jnK)AwbUkw
z70Ry!cQ*0Ikj;PFyD6xYoGvA0A#+WyupcA{X9=~n)d-d3cTFS$vW~PS-dAWc9ml#n
z)H65v<<kWla^+(9VebDVWqOi|z-H~l!ewYP60Ku-QNA-k!D6<IFjb-ll08s`zJqDT
zq8E8jC-uzVN1;hr=SPF`m_Z$9{A@X6`;_^}x0KGBPzL(IJzC^ZE}YF-_QD;L5&mL_
z9Ca%vaI%ELO_=x~`TjB=<6wN5jP9lHUSB_@4z6*l>0MNn=$rgRuz<oJ2VSlsH-{kF
zqjBbg=mgo>4liox&bP(E&%&o`3#)Ns0{hM*#+O%c3gnrwGF`1$JC)DN(FvogWNu7`
z%D#AmuRql!Zroab?U<a(w$sR|(^N-zk|B%H!$V#fCl+%yis%NsEh)fu5~^#V6Q{I$
zZK#?!Am*WGEtiVV5)1pJ)O*U-h#~1^P7j+c;n6F@1}a8|Zs{uXL`Pw&qYtg}LgTgF
z-=3$7R>3}J`whuhh(X$!Ol0EXWAHyRFCa_L;RP6eM|!0qC=xdyqTX)WELrY6Z(S(t
z!O@OR*ASvU_3kJ@Xqk@NV#BtScOSKJy-lNJ-`<{c0+U0G__^vY+b*y5q!RW>WV+df
zA{Ld9qJ9{03o^9pK=`f2S_xpXMqH%ohg=U<OXa9T%odH~(O=vzhqWc1tWSz})ME=|
zc_j$hnFA9BYmne?G~gM1a+(3l02keII$eV*3fC}NI13Kh7_dN=(q4x^UVVVmU(qFc
z09s#DWrUeknM4s|y;m*BC`CSb8Z(*VpBd4C|84C8XH=2IZj=uZrd;^>BjGazOI4l2
zDx|@VH^(N7nb{kCDoxQl(YjUIhUk~kt+G(okl_Y^8JCxj?8sd%VVvNiP3v@l=dDMl
zywAJ)BVr~myP?YWUg=Dhz2d8P^m=q8+H+YenO|^~W=lpz4*#I%m*IIYop`lX)XC<z
zeaplsr%a+N&)i!oadlLnZHS-bGa+$9SNb@domlBUZf;qTiKk8l&BF?LRfHSKj;xDE
z7^7|*yu?oUExhFDOenlA-on;(h$EdtSy#qmzTc|}6fcT({JvWgp|WF%LKETm)Ciw1
z>neu%D~obc%DeCnj6H%*>7rtzgh}s8QFAf=sNq7YfeEB8cH7*yLAB19;HelUCi45y
zJn(!Wj^2IyMdt%XA8MhM+6pN;_>n=d3UNQhD@XJ_yK<=;0)X({J<hh7VZa+C>|SN_
zmz7ivw`pk9w`LhSeSd!hK~`C!jr;!A=C@;m8S<Zb@~^jA(=db9j&}omL-=C5Joim+
z-DxqlZJ8*N<;OBo_n=oC3u_*|;R265NN|U&xzIj@bRNjsEH*ypv)0QOD7N*-q`L4m
z>@eet=n;A%dQ>kyL9$vwS?0ss4|qnTNP}~oPvqPJ?}j;VMwuqV{e*_dW0AKib2A6J
z57zo7tQ+QH&y$dTy{|Y#H7qam%VN{iPO;NWYwP0#aYjE_qH7sdtD>DAv3jI%zF!T<
zI1?3v#I&<+00n~RP?1GYS$gUgUP;!PJ9MS7>yY=Jr**@Vw3|m%X>HU=g)<1(QShq;
z)Mn?GgKHD@bH{fQ-^Rxdv_^cKPS-O>bq-nO>uH7`+*<R+iQz!!u!SKnyh6<*H1yg|
zC=$u@qT7oas9|N+RQackgtD~tJD>p}iBDkz*+~;sc#`D<CRhBh^t{h<R$D%9UEjk{
zh4g`MwR*93NSR@w@3=xTzW3zAX(X!8ylvjDX)o}l$+8mo(hGf17_moxNPF<*xGry(
z;ADsW47;g{QP`6`6(zS~xltBq3u_PGl&T-EZ=a!*&t0OLV}$f=D{kZb0-us2A7OUL
zGd4RuC!jzo@aC6Iiy$am=8Scy!nM@*#4F6dUww*S2ua;GsE(?cAQn__VO05+qNwXv
zpz{iz$YG<PP;Z1dAz_B=zDiIYOLjmixis&R<9rvM$mEAd=IBZon_3k3=P~8E+|n1F
zAqP#+jD=Iab}Qu$gnAb&%T=CN98~O}3Jy3=uRHTEs1T<POqAJ4EzQVDN10SWpqvFW
z^ISUeKt9@)bPt(Z{v23!Yr#WA(3u^pb}{GdXCamAtiDZ^F0F;xj*Nvk_x&crP9dnp
zBoh!*ww38K3w!}S#cP-~s2mjJl2+{0;9ti|_g(VFNq|q3Uml{vuu?m^e_Um9!V~9d
z;oZ+psPoEbKN2GM%6oi50ITzAu58gVq!HBZRU4;h*Ocf-4-ZI6Jr$!CI0rWGotjQ<
z6meL3H)pz3Py_;#)TgtGRjf&?>K43tciZxY=@JH80mmek1O?;@GMl&2NmSjO%Hb>J
zq1mHmogq;_>#oVh$P@YVC{infRY>^Bq0)~W5s*P=J#dWHltWt3Ae}yGZ<{N7YW-xt
zhRBa&cYI+C7P@Vj<`3Ny7P1q1SU<oRxBwH{(eT3}C7pX)H%?!JLFqDKe}NZU4$M>{
zO5;Efj=YDT@)Tdp+VlI(S6@nF;=H6~InE$*E8ym{*&x%}?l~6z;n|2~OQ=B{ar$d9
zd5)dF`{o^<RteFgdH^f6{hKaslBIAlP8(R!Gc;>gKTVQen_MhInCTh@vgU>UN-U>W
z9PHPZ*H)hOoTi={*gGCJwH*v^Gv)mE9qV5qOvhH3M6wtrvQ%?kuEvc75Zu{*H=Q$3
z>K$1aQI0f<NF}Yo9W2>&QShRn^T|nIOm~%8c^Im!D-DFHz?8>^ZNtb({mba4)fR4U
z?LNums4}1=S``aX0nz-Vo)&CS+9;(Rv_gpVX&8w5k>)bTklD}<?hQvS4sZC@mQDL#
zq6c|*dP}s9pF?pUqJ#6%CRp{z9)sP#4+Nu}fTmBiDEYHOI<BM_m{pq`d^>wN4;aGX
z_p$K4ik)7`=&b5YAGd(ylm%?}g^rmc|B8M04{hu>QTv5zt%StjWQ!9Z=50Pdwb~`@
zC#~G@x%lYr9kP!aE1cq5hnm*_dbZ9Xt1j2SWwqMNB{mz@yi0|O_|W87NObVT$Fixl
z6QB_C`HnRYQyo6nSmvdL$|$ggmf`g_b^+cz7_*6Lquo*6SxfkBtwO0hw~Qzhe@7b;
zV|5BEc_W+PvV=3Xgc3&33lua9de0#Zm!@RI&yVylS;xgpej9DjslaH#rOn#wtI8H^
zkb`2&Fp!#YO_*pX`_=C#8JTr#r%2x=tmjB)fUv>7+<+Rd$uxv>I(6dJ+&fF4oYzUV
zqwYm$6IpilPuKZNMLORd^8LD~kxWHy!VC_=bOGGzCg8z_R<CNdnm|iMF`W`TIOOu&
z7Ks_Wh)$;@p1m{b^EMP?z`axVDRYHAxl$%)X(-N4!sPcY7OBlsdIG<0orf4R^fLr6
zzuSP;=nvg1Ls|u(A9hxiWr|m&^BRr}9qaw0&9^TZXT2J)<%=FCFt&W(GAuRCUusEv
z9jl4$;44|Rj`AzvZ-hn7$*<1>9xT5&-dN~S0SDo4(vwdOy{mU;)mF(7N;<M>-!F3E
zdfR0%IPNZG$zFP!bMs8je))=^yY#^5bMz%+yIcj|1Mt}UyD%w!sKs(a=#A6qSB=)K
zX~QhVrr^bnnqa3CL($hl726++=SE6#b^YL%tGtK;OK^%o!>3>uVq#jdP+vH{$;pK;
z$6?`dQA|7f@lnWc)t)a-r$=$zU!bpHOfutD6PKNdfnDz8mZw9Tl+M)|tsL1g5b<Fx
zr;E%|d4{cErINy0iXMk6e1u1`)v3*IR?(YL|M)A>)jBg?dL)-@e{8=>8I}YsW&MR;
zJGdQCFUA*Y6VT^sEcSoPtjgin<4=rE&(BWuJ~}?o+MWx{StaW#j>9QT-5XjzOg|c3
zAX9JYREm`#U4nfee!1{Bf76<JG5acjyinrn9DqXk=$hB0VxHW$-{~;}Tn>@r@zpf4
zuhO8>Fa@=_(5ZefnSN-rxhs1RMB(Sg+vkGC#ABN8v0d}bgr}{r!{IE`)d@#YAGVr!
zQuz9jTtZAe-gg~O%a7D}AyKzhcbWsi&?R<`*EtMV?LC}d2fBas8H|1aXF8rCv(*S{
zXiKqCV#PPJeuAMIV-CDD$xl{l)`))^xhk%ywQVLps2<XNnZwCc`<G6f*&x|4nLAYx
zu^fjO+i~2K(nY?f&b1*y)yg#F8{EYrFDyUtO<GWk9yVZHR^vTv!?Muq6UZuOe#h8P
znrDaBkUKHfS&2MYYxs<s`jV!RBxLg{p%Uabk!`>9%O@cGO5r``w6qW{!`uM1l&R+M
z0Vu%6T)2Jfz`+OrHMI2TZNL0=`HMQ(UykC}5mkbdw2I132m-0P85hlp))4o~T`L%G
zWOKRGIxPI~vm)NlKV4~mo99d%I^=?532&g#xmMii{w#k5;lvc9UrJdulx;gEq29#_
zZ6B{mU`L6|9ofii8N-vR{U65z(7j&uYPG@X6Nhir2_9oTlUX@6J5YbSFO^$?S-1Ib
zCN|E?PcZDxX0Px2m7=LX_M=t?Z$YSFF!2`(0MR=~$w)!+#rH=^m-&{@bYmZf*iou%
z?0&RQ8sm>W@|`k}6XRuQ%<UaCfA_%F=Fn9ii?0d5^?e4@I$KfCkk@6y1^XGEXe=4c
zqD2v2DQdV$pl>as60+g<)NjdWNxGV*hA^nk7@`hl^>7X_ViKV-F*0xsAH_efF-?*s
zrkfeEkL5z3c!_izOvw0epWixu@hY|JC7Y0r+b-smp~4po@-^OI@`9GGJP*=4MQ~VY
zN&F-WJ$#|#6(M=z&En;mTa?%)%y#${&$u~M>X%x=3oE@XPRUeWm~^{fe=--OlEFkW
zT;P2E9rk;skn+zi#m=EhPD*4Xg{A{?zw4#XUUOzyd*LO)TnToj`-dL`HI77W=j-q8
zaDR|0y!%+4hrZMwb~H{;2vcUYOxy)|wb`$K<(i`=K?^MRe^NSBpI0*(2`=+gFuA2i
zyvh{r@!8(+ys}d7V)T}rVP;o#0#^_ykrjJZBm5t-vB@5Ij4?APq2VB|8U@L4h?fwk
zhzYoUv=gDg(M<GsAl-)<a|G!61UxJq+8-mOZnz*WZZEjK^>wI^VQCKI`_)baK7?QB
zTgAI6FibFz0K}dM9ld_TyC4+djqy!WXWx|)*(bAWM5P}^!(WybKlo+N>_yKB*vKuY
zWvD<^Itx+Zu9x=IM;V!^!8He>MFQrzj5J5$i8+**u|qpDu)(g?yeFNJK$L?8RF4c&
z82*q;`mf@B$Yp;xm+Z_MT8Qw`R~LRW(Gg}<m*P*Z)DXZ0akv)-$)_@08rV-kkNzrf
z+rD{aDyihd8}#6D3E&4}UDKv_C2-^%#`I?y0knh5Wz<L3wCQP+2-bxQ{@+N}OfR;4
zp19&3tqlcPo@2sE93?;5Y_Ky#;@)1uT6(4<eM*h7v{3^$w+`Me$+xYqPmMSk>y1u|
zWD__>NF9)sO!GFgET-BT^A1YIGRwu9@xK|)C&Qf*iq4+i8+WuQ-V=8hl^khlPltUn
zD|x9ZeN>>wqqX9HGOWYNjAr(vJo5U=2CEMp4%QgSSyT>5%i+{F>B!mWAQyzc_KY+<
z!OJ;>i6`X5b|BXo(D&DgOTG=wgn&yp{OE9cRb$SzzO)GN{;tlTcr}78?9VJZb_T@b
z_`F9|iS0pW?GpP*K4qGdrBQzSF)nKQP|LE1dlTWPl`YgUg`=2gMbF@jR|2_LvQ_&v
zI?9tW7Mjc9%S2?8(`sp<o&eB|vt@Kw<9J8yksxM0E?VuO8>%K9c&;ztGd8}7hNRS&
zsf5n#6x@#$GMC-|r9NGH%|wI~{st}ivtA!+E(fN@36{<7_BfheHZGa7k{B+}jz!5?
z{{+IQ&ZVg{ZhgapQZtyC<<v+PX8yW$CFgru{P4i_jw2+s3`bUr%q09t?&FJEd6Pm!
zL|@a7>}H|2@c{>fsP(tg=xIx?HG^tpe4VoxXQWqaT7jXaWp$=!;iz=@1B(tXVZgA+
zDiXT}RxFQp=P^@x<QRjRDw8&3{JpVYeYAlBTB;rJkuWYvRfjA}!?-Xd4+_fFt%VHx
z=a3<Fkw57fh{@z-jo??Z>wdHcH-kSrKZKSE5gXZyX<mzn*62bnN4oOko6QcYayYkR
zDW-!t%f}Pk)fxY)B=EhHNKGc7L07<%bDJGqV~&sXSA$2|jyVhiOp*sHAjTP}M-3Dn
z`f7hulbO*K-E5C6-Kv6SMI+^4mhW}IDStDo6+pyM#e>r7YB1nz<ZL}9hpUwUK=E5;
zCp#Vj`68>vbBH-UmH5K3?A8gFHJYldnR<6xei`MP+(s;Y2DVe&WaY(Ae7a@&6tP~O
zJ^}n}YU-5q!7!v6Z$~eEWr7``nmka4vTbY?a!N~vgtz!9fb4Lo|1xyWD*_;y?(|L#
z=whTr$bj2X`K#ba`5IIMe3H`p&N!C0zKD8%UZL37(4?34pw&E_01RLCG!UN(Pl0H|
z4r?5yJ}AmT?@-)B?xr^mm#YcjTQH3caTjjdricR7T%qzilYjr2$e>f(cV8mCsWT2!
z2JrcKUySY7|1#p!3LOcLS(4j&_Q(17S$pb4{B{O6)rCmb_(zCz)lgFP11HYmNq?@w
zWsQzO4GNEIoooh@muaIqedGZvz9o?^JdpnZsW|AjC&3uTfrb;MzEto6GrXX{N3p5n
zy3!WUwYyXQ@Z$n+If$pmSJb|y++PwrNk5qcRWO<xd7-5$AwjiozfYmc-_3oy_meNg
zQa<(O=!mYNgP7eEw<5j=O2&7>OGwp_rxbq$jYh>N;_TxKs|)4z?#07}4V|m7S*<Qn
zUPS(o!d+ms)U)>uzjISa9@UnP`auWjZ(QQjpz<SH0uNd)RQ%h{wbDw3@xsQGaZ>gJ
z4;r&mjKJPk?n7s)FV<J8kaAy~WogM_6j#S{o1ckO@;e{&$Go`@l*QyhS0uww2$H3X
zFi^uYb)rq{uobv;??JsDFKAlKchkonPw<$Ban_4<9WDiDdB+sioF^x$#%U^`xhhyQ
zF+JlE-wLC+n1kf+GAHhH%j>mb2D1k{FGE74CeX=5Fq+yHhgs?pC8=G1L`&GwMU8h5
zd9%GoeT6WaKH}T9h!q!|X)x(-?+oN=v(7SK!n>w+D3Nf|@lQ&6TB=!<+ZpF;w60F?
zu{}rwuQkmekAwDX-YPA$wYHYpxHzsU#LSmMZzpf-(ysuX50>pPlbR%c>hqAgxGs)L
z-E)IYGMVXKaUfaxh&7|^XRY+<FNm+zl?G5?6W}DG)J5Vw^J?q@#mKrZst?kxm2jim
zhDE-PZywpF4SK!5*-SdVMvk~O3LxKgxZd@oV)ab!8dHRXg6a!d%Hk7Y^4$oeYdR=Y
zU>>hHNF+{A*8d71LY_{F_b*SwFdwyEt%CvVk`3Ogw@$$Xjs0bBGg9ebCB4dta$f~_
zIZ{FY9#?0G{t!}y0?M>|DQ!D+x!v)&R(VJGDr8vACW1W|lSd4YR>{F0)6#+QxkckO
zY>y!AH1wGk-A+$c(%Ax<TKNH6-iRYf9ZKp2c;{G5N3Cva8nz=*$qJ@+@vFn;LrCgR
z46+Bz`0P}Fn;a%VPtxq9lR(h37sXfn-Jj_=*&(pf2SzIjNGA$O5d^f;LmH+`SyC^+
z1fXW+A<wjZJU#$B9&vB6)z-v^lxb^ir_>C_M%sE1k+Q_zo;;s_$e$m_0T9!ALXRf$
z=h4W;?IwnI0=^S%W8~umQ4Tn^+@Hm4$K%@wXjoej%>)IvCLe!B>PHrP-(YSD^QoOU
z=yh8AGlsc0LigcxMrVI881U}P-tEI{(~kkEK=3uKq3OrIelH!r=2{0qmSQ^h-@BMq
zJ!#&R_lQl{+zIliGV9VBOV8gSAWoay1RwV1WpK_+8j+8qh6_}T>P*|4Ah`I|-LUU_
z=CDksq^XrDwzoO4rd@lADVPz5pJr6-#MKP?F)GI_Bza*uu%4ogesh*{(3L8WI`&(=
zrPuW!^iF?;@)qQ$rxc37vNzg=!P%zWb*$s1@nR`?buGYk8PJTO7}pzM)8V9><G?zm
znEMG63#@;=fe&F{#5>ZNQLR+qa#{s1v0dXGv(ZS-9>7s!UbvLLQ(lKq2*(|e8NCj9
zmM^tU;ErvP!LHKN8;`eqh>l%p-cE0k<eBQM!w8I$q$#jfi=`!<*D+k(hlMrSjPPal
z(%Q5!s~mM1dd8sR$@17#&Sj#JWkwL7V1d|11^jm6Vq-EAE0YO-B2IS#bo6}1!zn~B
zL&braNuMb`ya9+@hGRnX9_OE$^alsOztZrfAV03h40fjXOlFq^exo5>_LJYl(bg3u
zoTYgaNjExYuZ|D?@L^s4#-9Cq+=K7p{A+$iOyy4)#*wHrKljA-g7K9VnzhJeaEnON
zmZ0dD1I+x^&_*<2CFHbCpCXiTK=^Hw6dr9+X+R1BlsYWk^!+`7aM;kh7LG{R=ds(4
z*?>z)Ogy>qo+YgpensBMI3N=INAfF>It?1i3_H{~{}XVfku4%n8A)`mts!Tca5mDO
zP&qF{&AmlxRy)eG-?*wAz|Ff>j-(hW-!?9LVH)`x!948V6>CZt%9b2Hcs=jZlV@Gq
zijIjCSUcms4*OEC0?_vG_i=xrDN~EkWLjv^{JX%Ak(0MH+*H9JvON{Ncki=>y^F54
zXv?fr0+`kq4Y1CW$Z70(zoXJ>8uC)yf~D7dPjfEMh|qtsy73get^0D>i6eb#Q{$w)
zWATfPPM743s})ve9*bGTByqW6*Um3#mCh%(aJO-KyS&`9%=}!5^I+;<*QcP@=MIGh
zRHs}-piz;d&hpm;L(Fj3HR4=UHuFNxPU;e4^L&W{S%cWb#I&baX}0I)XF&axNcxUr
zmKxI13<?7Rmnq^J$70sMk%eQY4*ov?Xh4_0`j^B#O2iL3);OF$qZ7YIf5}|0OwD6y
z8op$#sIaDd1(|3rTMXKe!kcN+3U}CD94l0lc<Nj$f?5e}W+N^@EHW4p3G2Eeg4cdq
z;n0l$1fhfIK{o2@W!lpr1wFql6FC5R7QhJIiy@n8A{ZgDTE)Cd^5Rqs+X4_KIfFrX
zrp5-~yV3Au8`_ou0!G3wz3(&+!LN9=czIS1Hj%K3k+8R7g;P@W%>#h}mr#&~4AtoX
zrdn!q>+&1H<2hjGJA+^Vd4`myKx4$Gl0qF82#iY8IIL1A#{()J*Q}W0w%I*RNdzIw
zF)ETZLs;~RRU;)(ifxP<iL`+Yw><HaGbGzHJ9Co_wlixECz6g1Di&~f^b*u3K9bI4
z1i-wAQ*bQy2vwNb1%_re!bP$O@d@c_Kw3=i%p9oCVl9ZY!8c<p+8|?x5<Tb#nf8%8
zJ4Ue*hekVqG29a$m6HUXV(Kdm8WLz^XPqJ&I24|2YHBnh<QU+LS+)U&*@Zw*z=F2X
zb{z)VX^MyoJk%cSWsuVb%3`L3@RBxQA!^F}?xIo=%n@rMMw=oW)Q~YjR>oDHxl$=j
zE2Qn|;|MV^^BC45YR+aXF&PjII&xg9A7iYi5*cgZHpY@_6I65sLwc2t0~Zj$QUj(Y
zpbQo%u99i=K>5VP<w2MTJ~zxQT$8TOlS+27Ghjl9JxClv8nX2PH>MHh%eW4Vj?*Q}
z!-#a)AbvWmI5+?(Cg-PcPB=5HjWi5zPpwhV8*j2&$2xGll9gnR-0D)Kk;0ax;!{WA
zxqWKv5LJ#4L8#CMoTCCmvatXXR<Z^8`d=8)9XSW1Lro6LfM5{sQy_|foe+Q_b`(g|
zHvA?+N=-HdNQ(j!sE7eJ!<fP5rXVLOjpbU6S||#8GNDg#-btivw3@x%kT4xWRO<*F
zA%@7<Qf&c5RV_0B(OZBazIqTSbIcRslp+6GGM0^{f)4>BGP)S~B#ff~NUQUV<IfU|
z^oi(Hqec<VysFBBWaRIyHk;ffqzAg}$v^vT*gHF}S|iZ9BA~j2s{B;)u)cQbdPW3%
zIDHr#XGKf&;f_MGfe#`Mqw%hu127M`_W|g0Pw*b@D?YtA{j<UN*-2jm=!)S!2k<}A
zheD?L@d|*rl?a!^L155aJVYS!N5CLYhW?Zls4G4Jht5FjwW7Zm=u6t|zq%kPF(v05
zh_%v561icCk^pB577`>Jz`CjPQtrARR_{`6(6wn;qX?j?RWU)T9rK97=tcKE$^n1_
zq+P*7lkm!ZM8OJSNPQ%S%mG!Xp~EjRfU8C!`RMelcOB)?VUmX#N&UMa7$FsM?i|82
zl{HMkMukYwDiEe16T?5AXbp#Xrz;^<;{mZrQjL(%GckElrcMSX@<x@A=%?xec$|!(
z)_{Q;U+r4hSY5Xi<9E#zz)05j!o6&QMI1Cjb0;<+z$T+uVX*gOfnMb~sO||!do)q;
zfXfPPw3VaTv^x}BHcY!@sHo@sa3c4|!#7)xc0Vd$i(IY=)yWJxqzw=n@+*BQVnVDZ
zkvN)-&mf-&#KWh0K1otGWUwR<ri{*_Ns0;QsGACd1%|+SPdPao1;%tQh4X~_dpUu$
z$N&M)^zxm7^XQ0hKw};sRNCI*e(F+`Br^%}7=T%A9U*~!7lQzFFieEpB`oXUKvdab
z9(h2*CP3^4u`*BsK|taG3I?)%iCPEv>X*pKlJR<|aW9K2o5BU7R>cFfdyT@MQ|sk8
z@Lv+Jp`7ii!m_ZoXF*h00+MZV^l@Y}wQP!H9>Ahifa%0`{06`>=0PJXn1)7tm>GHG
zJkut1onP4?<i$kNZN|lhec7rBYbY5#1`;W~6eM2wpW<e%0|^r6Q#(n~A(|D021vl7
zw9rNq)aZaBD3SNu2!sMf(h{dEp9uNKR32n`LGj1l9g1=Z(#9v5zH9NZCJ0Sh?Wlx|
z&c~QS7|KxyS7MopY;mm29dO9-booF6@XIF_m|AIM1z(k@RdH1%B9?|(sX(GV<gJjW
zBh-jeVTh(l;sD9L8hmsE4~@Jzk<iAPDzJ?r!Vy$Q;x>!SK*1G>swC)+gc}fb=O88`
z>V<(P5g?-U6reysUkI`waI+z`0^SthrUsp)G6-x|;_wmBMgva)P+dkB02jlu454UL
zH$OC?m{Z|H14!dWlrcu_C~zQXRbu|ql%G`spAV$w^^g!bAghAN3V<sN1{7<K7N~Gx
zpo9tzC<90<fP8}z1%N!D2EZ?a7y)Pnz&Jq6gBl5FF(7}hst~7KAyQ=AmoIO;%K3mV
zfmHC_%W8KGc=~!b=wBNGefAiuH~GWSs#C$A>iggNIZIM9{;$)$zw`c*-t9<Ffq>!9
zEc!>lo@a8Cl)O3VcT4-}&M#8<Xy+dpymQvR+4ftZ&ewOps(Q2RwxVeOPWruD>pMez
z9!ZTL5!&XR_3*v4j*fzLB(OA$NCJ9%keXxsdqRR|7Iy4Xo>0e`C^skE${<xEOhOOu
zc}WOTfimqWVb$Q211-6-p(woG)=QFU021Pkl01X}+7h@aPS;tR@|D?}@@Uze`4>W6
z)%Mkyu?iamyQ^lwF6z?sCGM>O&&I~#xgJ_ITW1M%l2nq+uvIQcmc-de#MqkBuuK67
zk)bRNN&^EeiG|;)*qCI3T}7j)vTcab!ur_ZpRKkyO+c>d3cUHT)#g&zUCg37g1z+E
zT}(CG2(LYt0ksFcl(`wcR&!Amb6qtb=h!FdypC1G(>YkwWgg{R%-)c#Mpr1>)MdVy
z8jQEBYhivM`KZcgS4Gmsz|F31N%i#DrcWECBOFj#VBV8D627PDV-h+LQxFUcu!=Bg
z9jyY~1|BkRjh4GO_5cfjfutw(ZKhhk1tRH5qE#bBL5U#3Fo3^+7*@$>uminVZR2Jd
zGogQ{L&WsrPZ~1~)GY^%e{UM<dE6_Rh+$mle+u-gHEW?}%J+w^R@e58w5@aOpF%-4
zu&z4G2OqHeAB?RZhDJ*;yA`%dFh0uGbulrFcpd#Q4G_hU<SIdt@HvYSHZZ9U9vDIp
z&dU&)zn=L~j?ALq8vyxO!#*%^yTr>S+~;ADf$jx3Wtigk$#2}3wn#9;jcn~_t>Ib)
zm~7Kzc7w5%h3nTCLrGm)X?**iTWEbm{-uqGnisje^{($TW4n~vX7JikU~YOo5eJ^=
zw^?UgBci`w*6OlXid*TtrPf;RXegU$y@fMP>uj55Xk*Nd7Qz!axxQ;sOmzyvK=!C7
zxAdS3q%_eiLRUA@wyln5Z%cVz=Ga$)v*@vLY%RPG^7vTj#0{_I`UmCcB|-eY2@u~)
zy{}8!?fv~O2#YIfmx7&Rm=N8{5#01WqV`c=U6gQ1!P!RyzTV5#7x53KSInI|U=>~x
z7Jx+r9eargl#?^eSdq?>qO?yj43}1L4<m_u?13KEY-xZY-dR?N;WqO|fCNDUVAn+b
z07sh6TXBRl<J4NkjCYOK?ARoZ6ly!OB!v_7OHF^lErhZ)f(f)BFQb4;jEiM>2qqAu
zp)iaAA3z91SE*p&3``KotAJ44js;!9u;eI|ycA9!a<jqz2PX*F0yz(lS%9*~(4rVE
zJ$xffzYhm>fM1+_QbW(Qy;5SHsYh|pGwLrQJ4A0b_B7(`7$JZcVlnaLEZx6hk+2R0
zDm%x>+OP|P5pz^eaL6tmmA(lcSk}saEVZ|HmuqcUy_z0&NO^FrL;X?fT*DAzp}Ly$
zrf=gZ*HXP}VbrKsQv6^9S(g$pqRe=Zb*MXu090Am*ae_>6oRxI7U{)kkl}nm_R1Ey
zmFj#RCKv*x0H+)A3yB3lFg50K(Dg{~Hi&OF)bIV~h8FWcL<qPT1i`%J0D&|j(>6FI
zdIZm+-o9p;R7WbNDcC;I4&l@UWzkjioFK7^jpn(uj^0^(?NH_#RG<YonM5SzP0JqL
z=j?+n(zKSIl!US^(6mmJ>9viMF7uUCNr<;#3uwxD09irc+h`wvDV{o3cI9TDK!H8W
zpcl+izsPFt{DwdV`5*9|G`fgEx%m<BQ?HQsEeZ74^&3?I299e0qz@3-GI)l<@8XC|
z34S4r1HK_uwc?z+;)ePMiW(q4@d}0SrI(TooFNeomN*&`TE&+w2ss}L^y+vWDF$Yg
zf%`yWFGzSG$!?Y~cLs>k7x&#O?EtJ$h6l8>9@{4cK#{_IfZ3$g%cB?gLdy=KBEO!N
z{qeyc3gIBp?iJ5NNBBanUkbH;6!wl4*P{tILa05aE7SPY9*3=5LDaXaPWp*7Dh0i8
zaBm4t7LgoI;bm3{!hVW-;alF!c5LU&dp0HW5oX9PVm4peR`9G5<~Gat-`@(x;lFz*
z;xjX5FuX)8#Q}-dVbH|yF!W+Ym~U|-W*fXo8G%C*OE79;2?XI^sb>NCm-__GPwQqi
zwY?1iYhb}w3?8<u4%o)xOS1o84cT!oyRx@jf7xp;J{uz>48oBl0I3yeA%7=jtOW20
zpq>Fn1>ioe)!7j5Qw^7&Q;3WAakc7k6?N(k%Yp^!z<_##*RZb3EBnyZ*i!aSdCOR7
z2dY3_m(esbB2hm&7RW`iDk8=<Um4=xHbOm-ls|b(-PmBSv?cY(2`9H<hHT!u4Plt;
zvi&lw?75Rf;`s(i=8}O{7}&4cq_5hpfx8mQfP6FSMM0CJU<WQn!%z%)&yEfE?eJIj
z{z8z{BYD$GJ0XZV^g*8b(FQFVbTi`9x9qe*{8|`G7KRb@y%0jijqf;Ug7~J;zcNlj
zTxrOQ!2qCN7zMn~`96~P6VCdn<V2{RK`05Lc*H2>qIj2%3o#rOzDePLuzZkGrm`<m
zX-zT#2@Q@#*48)>ONGD#OoHfRg$aoj43xGHi=oLk$@bHu)x9DoTf`t{RWeOg{6nCg
z=AA4aF3XX=iWY7N0LX;2P%-&LsDv;j401Q|@F4(ka3HEL1AB`)7harF8M`MEUBtDY
z0t)En1`N6BFAq}>97zOvh@4Zuzk5G0Q0+-}3gFAvvT!XUB1!VoY-w992hrLR)2<sr
z5D@HX)5fBFFgKF;7MZ+_IslFnd4X$~MV1B|)s01%(1<leAJ9}m2M<wXU?A~P1ptbo
z04P00lwKSQEa~C`RTmfmHAD|=R9s#6QD;rW(*Z?LEZJX#KWKR(6g-)6czGZYI$`9A
zA>_-A2=n}c6df`CLH&P_OOP()ih%c#7UJ|_42}5+RN&*&nz%E_LI{r`2xwk;^7up_
zbrtuNPXYttLg3sr87ly<gh&L9Dj+N25CE|u5u-eWRSgmdm>v>Tmj1lN*#KBDPHu<P
zkQ@B#s31p|oh$3=>Ife-=UYElQjm-Ml)T_^lrQ_`f2f{w)hdU(LR2H<s0#yiP`~>W
zEBR<wxs;*kGt~#`)><R>veEc0C8JgJN1w_$ei2JQ2+F#*(Tx2DI72bIkI&W6#6N2I
zVsV{;a<6}=Z>$`8gY(uyk|MGkpCm7!`qx9>D#&=59fi$~f#j+U>2NV=b_VYi&kbck
zaSHHgE`%9YgXO10e5TpK`qN}ZQPYnUMKv3%dFuTlJzfilZGd<~c$N|(>hIaCUiyfp
zHf^BGa*Prp+-k6Z-%fz0Yi&24sagYkVgi_(Owg9-PznOw+RO#I(N+S@HFg4=OU}pP
zhGY`Mr9x>ob%}J52SQgkWb=9I0+FOVEY^CZc@(539ZCX`>>=@oB@+u7l*Nz(Ye+nT
zN14yiASzQ7BWxpqC^eV_At*Ru7;qFm0>!|3gANdNOh^h5fU*!2BYqq!^9T%p^-MSq
zNx{HQ3>j__bGPib2|Ham;$2lN1mHE6(360~;3j?a)5PN_L%GxSW6u+~Apr82b#X5q
zs(gr`J4t{7L<m%P8gpej$-j0}wt7lTgtEeo&*Q4Thr$seS$L*f!PmIAhZGrj8v_V=
zDNZW-PYDvdIH9Y7_og=itN?e`LN3i@BFT&ZTAUBY;+z~sdA}{`N$ZLNa6bVxaB)#*
zksuGlgMvEF10w4%J3N(1p#S9NgWro98$}i%4^^7k+QOGz<Sx4|!Kks5DP@DL+`V>&
z&jGXy2*^s>126#+Xl5lf!!+wK6%z<5rP(ljRaR6aO)R{aCIzQEQ{+Np8msX`*?<mE
zWE_Jz#TulgFqIT&>tmyBxjttHL@Ev19fL$j(=VBp2MU5>&`OQXG;BFR6W^-6*sMl?
zL<Ut<y{+zyOkQFSKX`&+?+|y+9LKNsh(3<72hY|ZvCgw-e$|L<1weITzFk;cZ&ntz
zQSF>k%neuJqN8DIsA?e<eL3u555X0T<tq$US;fA05)Ddj>F?Y)=&#M^7vmgaTw{m`
z6bj!Pxp9cnNK1R%{zpY)P!4DcCEhp2_{q-RgT1ElISC|rJG+H9h=4{;lGSnx=3qH1
z%I0kk3V@<2G{S0V9b4)Gfrsk?frVf?0YXgb<_MIVLG91hY;DS#Ag9wHmIG8W<OW4_
zkR1S*DvuICJYRAFXuA*#*4Thl1hD|k3MybPyX`qdhM4zYB!soJk^|u8jWi7Fq?U_Q
zO-if-2I(;zd#OtkfUhdE_cG!&3`BKEfC>o9xJP>c!FL*P+A=I5CYA1y`sDY|%IHy>
z0^)+;if8eloH9G29Y-{`5{0}IE@BsDfLh+gHO7*j=4puPl7!LSB{lP*OkYD#xbG4v
zSZN%wLJr_6E+1VLTLE}g#K5|fDM(u;D23G`i=5$sbVL>f$tF-i*hrv-(VIu5d^!69
z>XO3e`ia}3MqpiNj0=kNg5tuoFfZsBTM*lt!prioRv3~jqfC)yEJ+f|J9I3W{R<^W
zp}@s~Lo5pL(Bg(9Mhr&Fvna(9!4l#^7(zePpvobh)mS17S&IZg=?HL?KdBJPKS)F2
z+x07D9%=BfDeNawGPJ0NZI2C>1saG$Ic1tG3Lt3=#;x$oO;^J)_*V?YqOKW_a=2zJ
z%FLR~t{IHZ1{u=ylNU!6$pLvW@IZ*d4X3E95Cu+>422&C0z@E097^?922+q*2pp7W
z2%4}&$Z5epIoxmU^QhhmnFItZEPHw{<xam-8#%Hi{CA>iKL9#)U>B0C0-2G34)m`d
z>OOcBA=88D=)u@jVDdmu1%-uvW3`wE1c6?G;yfCJ&?1P7qM|2@$Hb;%;|=^eAXZdB
z5zKS}3PUJ~+M^%{JSd_xRAmu69TfmVPel>6G*KI)6GTqVAbtj?A4^k@y))4p=$eSo
z&S)1;1P@BY>5(N(kmd}sq5<|$@D36)Ks44U28*G9X!ZyO=wE<u<?$s<KLFS(@C~^?
z0MUi`7ZJQA<v9Vbu;vV^herxdBM>(X6|&+kD%vkh+Ani%h|mHPJ0)CO8xZp&W5@aj
z*{UIo8Q5hzONLAl3V}YTDy<xtxuC<fwF$<m88`$ZDXFUl1R_Qg4(hsLq}EI~=w^x3
z@TL^N6$~xdCYp#4o6ThgCrC7!VXTyE3ZjDn>OzA7>WDUpox!wDwxOce#4ITiU%J?;
zoYvM*^+8oRv#I^ZO~_DY;Zag*3NOfU%o9Y$&?ebJK$~HB6KtTM22%yo8EDZo(Q&4l
zB=8Bq%mQ#WsivWXjU13E=%6XQkx}IW+is*q(~*Zom#7Yri@^#Z*(-377z=G8FchE!
zXi-i^v{R9-E&PoF+9Y5y-^kFSoQ-I{k)W6KjST%9ONtV3peP*+prGG~px@CX_^Amr
z$`f%wa<d0i45Ru+AVd}oK}9(jjTBu_M%3X!xvrqx2v8Ml2-Hv#+(?J*$j9u_kFC&;
zun!)sVyBE^r;K90#siV#5nd{Ig^Z_&SgGO`DtLv8`4B3!A{fyKhq#18V?rVDArSD8
zh-+hF8Zg+0WMo5+1U@`Mr;Lbc^TaO_3*<nFG9jgVh!hvNfjJ%_OE6Qw7jw|OJn#r$
zy}%=<GKEFPP_9XkH#Eo^u`&js!pEo}en9XgB#RuNC(v>MY5;NpXt;6#X?Su0X;2Xr
zKuJ^;%7J2#s2sFch8EP$OHK>PX^_s{HyANOL9Qr2RxyPECX)tBNt&G(UodB`veTm)
z@nZ?DrPHH?6~3T65>7IV1vVz759DEyPl1L|C(NLNA=-eD*<%D&WsDIi7BEC03VlF!
ze*=N|7C2D;0%j8dmOF%^Qw*ai*Vand2!#p;7ybNRd4iyMJxUMPCxOVXffc9;vKWv`
zB>C|fIL?St46=d8qzQ3crf7K}j}ipL79`OqBSJyw<|PQn^OdrGTbP#?M%2wIzG6fO
zQpB-nS*C5aa}pze<|IZ$3dJDwen~NUHFSY6z)EQbAPhMm!&8X}zEmY3ya57I3&46Z
z<6Wu7yX8d9wc?y?UbzH=rBb9EiUx78LID=@a9_3Vkqv&+5`Qapn5hMb=#p`?K)|k~
zC|f-Sm)9OFkiBQ9;>0Hqnxy#)z&O$VObZ1dc~8Vl0m{*pTfE|6xk!|O#+~X&IZ){W
zbD{SH$@<u)WKI!go@wh$IXTT^qz<@^i379Y$pfj5CldU6)A>1q;&MUHsZiz1oj@Px
z;&U^=>Qy&+$bdJ*$1dVXgaeTZrFa?w93TyCxSSFcmT-O$EmQ%Gd`}3T0G5C=od!?_
z?4ara$C&wCNlP*Cy9=fqSPB#Yu1G|VrL!Kw**e*5XndvskgriD%X*ogZc{d+a@m0?
zYZOw|FjCa|O4L9~*Z7sGbd{}qCV>oTAjYH=LRJd)1%<aR0+JR9JcWauAz-+OSRjHH
z2(8P5QMGVY5U^gvED@p>4rGOc!Zm<zXoc(I)y=5dx!91sQChjR5v-%wxwRazmvW4{
zZhea*SN#Kp93fzn2Usj)F3QO6GcGI2*EW)6#iE&UYMF6trd(Q&$_6J<7=exC7=evR
zcOYVHUr;d?N(?|OL3xl6C)n!*kUGI!8Fr;1u7LH#cVq(<{L6L7!~};R>m(>%AYs;~
z3JTQ0i1DB%P5RW$f|*QMiIl~Q%w;y}wJ|wcqp8v;eLHM*98`TDD19BStrB9>qD0~J
zaG-r1SU!#$8%MsQM3|=0tW#*#TSkdP#?kw9Xp<D$HH#jJ7h};a<IyEB+C45k65QH1
zc=SoOHjhmgM;(i!lSR?MShPusZ5qWkjb*0MyPHDq4uN$=NHS9-6x72NBfS_BGh)Dz
zo>U1Lv0zBf)sC73#WF^+(<Eya1dK*U(lK9=hDzZWsa29HRdf+5iiAqNF;t7N5h{dF
zC1UL=S6Mjdh{8}qlnT&|kR!PXiU&b4Li{EuV2O$mf?|RAOjT4PcCaIK)*dp2!@^s)
zu!bE=7>6mI1P^L^o+KtBA^@==yiowN+Bx&u-@H)+QQD}1uf~}f<{pj+g#ubJyr|1s
zwHY};wa5joJpg7f<sRLPQRu8<k6^<TI|MC5yj`aoEHEHa*Dl^Q0=1@4vW#s&Ohss6
z5G!7gy2Bon3>JaCBBKym6#yb$lg7&vVb~)rg|J1c2ZhshISXKj3A$jY2(V5}5i&QX
z{*>Xr%Kj073DgcH0JV2ua||tkxq)mABfBP2D#wNaE49IZKm!6>KrMJ_KI57Jd3MGH
zD*-GE=80fl&kZOty8JK?SuE@WfWUENAyleWKq^k(Kri!R6>7@F3A7z57|u)q8825z
ziiJ`JVgP;_jsoz^aPu&+#IPA>9g|L2IT2k_DGXSJPljWF)q##BD>^cjF^d|5F;<jO
zjwMQ%#gL&GsP`5q-m9U+Y*ZacV#g&D*#cYuWMwGM3{W&kV#Pe^iv!?qBVeVu%Ndfv
z7`>n(Mk;m;P?J|qXvN(GV!MNeEK!Jy9aOk6LWwwH!H7mGI^qnU7j?mk6=_ozXNp*{
zOLG)(CSt*;HY(5sju52GaVhB1x<ckCQ6~$S>Kz4|jI$e<p=SG7p-Kgc{-vqm6Wfbj
zM?D0bzfwZy^&}I&Qb1INNhJU&mmR7`wGou|)rw8Q{G^HvYE6`?hKy$Pg-T4CYLW>)
zsYS=tDBitNimtY>SCh~c87e;1W9>>%N?$^Zm0T)Pf*v@fB3?G7Av?t=-FT%Ew~A56
z@k%?RYEmSTl_?I@DM67>MO2aiQl!~h4z5N>0;*CG1JtBShp9=l@k%eP)T3$(ePYaM
zQh_#wDM+fNN&<3JB}pYF>PW@iNf&^XB$EB&GR$dGYDoc7Nb-fA0&9+hBNpV@N;a?s
zDH6X_r1+d76$#U%;W~EP-810#Ovk6XW|cQj+V<5roxFl4Z&L}{;e_o+hr47;QAUDx
zbx@yL0@+bn8!H^Xs-TW1&$9Q^aChm3p+0|?&Qpo<jzs$btUs_*hJ31{S5^BA&irep
zVAAs)I+b+DkIXYBiySgfgN8}xgEHJy7>!j21q1^@Xo_3tI0}WFfQ>5T1beXHDmD6#
zu`l$LGj0OB8UpT+;3{x51@LK8KuT4}3k`<=>%edh)eZsS&Olim^pJ3%75vZ=*KPvH
zE-D%T8Cs+u7buf)C|2Mt_HF{mQ$R`yGz6hrfU#US2PIp8vL4(8nYtt>YXkF6L(Ktn
zT4)QQO#yxlz(%UK0U8yk2-_jRRG<_EPYnTiM6Ezav<d>D>rfG)?7&7g%miptKwTF4
zOdN-W1rG3_pg}@o|Ec;|Ek9X;knpfuCW}H26OSoiw}D`^{bmYC_K)4D0|B+{(jx{4
zFj1!l3M{}uLx3Q0IMwhF8Z+FHcye~V8xOT2@ak9$9JydHb!G#I^AH?6*nr?L5E|NI
z1BY_(97L}H!|kan`V%yZVn_%L2GEuK>y^{NW<;;&Rp2>E0t0KnKyS%t4jxj#VD4H2
ziVV`I(B_pxlQgO?*%GNAC57qjEH6%_h3^HSVrwl65!Gl|h=7HJcnDZ1uq9+Xs1)Nv
zZ^Bmx;V8XWOg~kGz%^ko>R3oQiV~qYg<(vE{3n=|gu|G?l^QX5;+e@-6vC>ora$F{
z6TL`NF)i=tAOG=gKlrsz{3vhzg(Xv9XHx7j*4eP)Z}t>iQ($IN>@k&1fwI4_r~hGf
zf3T#V_7wl@DgW418~Y0B{=%_;VMpKCTO~FIbuPmlOR&btb{m0q8-kky8~w1XpKL0d
z+X{I0(<r^PQa~zs+LyM7X&sU?i?`en+xzch+b6txA9s&zPVwvlZywss<IlHv@=e}5
zQ2WM8NIx|ruYKbrFpfB8ayaL{-Zx*jjmOR7a09GsztBze%`1ntgF~7jq-8`jx7rO0
zE!3_fI_g&z)s(IyDj}szu9d`PC`%bp2^yb4D^$=*jPw$%NQ8{ptd+%MQ7eebP?j-i
z61tgXC2=S+lDLehgpMCXBxO?su}LsX6;TNr??Ed5h)Bxh0!L$-R}F}%Tt#t%X>E-w
zsZ{`x%1{XzRREEb^b)SU1g;b$t|H2SNcP$ZRAK^G5nTd%`h@_}DwsBw*b{=2odnjM
z1ljkAABD++V7WjiIUXce9TL?e`<o#&?1a}ILTleNdLhjohO<Yc+)?Vk6nf@p@EyAp
zAo+_n2eD?vs8RV<+rWY+asn(PU_2vb6cYTZf?ttg8!urSIbj=aVH-^zm*rC>(y5Z^
za&lkJ;Tsa1m*rC>(y7UQF?4Kw(J29uHu;7+C33Ft$eC-jmbyto=Ox-Os?oT=Y;Fq$
zcT77Tw*+^tz>brw2<|^d9d*_PfPr9GBWw!|n?@a0*|6#&u)jC6Vb_7141<<wXcxCq
zNJRoR8B(i1B(!5o07VV{W>`~i*i%Osu*Fm2!xaaxy5(?TiZ$3D8O#`B^lUD$7qHOr
zI9z17!t6@AVWpk0J`l49#Fu*w3v1YDyt#&eRm?PR9Wc@(o3Qz<_OShJZo}q9iHG-y
zSbq?-EI){?n0(nb8{9Lp?3A#`z0Aw7(AkIi31-9nt(z&478X;a%q*vTLdtZGg_P+4
zeU#}OVYMb-Ww?^Q%U=(&knsB{0uuWv0xQg<3745j5ng2>;hQN%!zNOMB;xzvnUnxN
zR#`-Q6T?=-@S<MJI1u7_5mznqe=FdwWRHTt3#ZH@mp%?w#`zr7Pmx{3`5effBHD@a
zHxuMhQ9eacW8{t(l)C3as{)Lb-cg010KoV|8U-5;pnR)t2g>Fke5maE<x(%cRIPpT
zuE*aa!u#SEFQ_Hl^XIW=pFIv%N2EtAQF~!y=j2q+pRdxr(2DwmcuO9WMdc1D61^x#
zKJ;G+9?so$>$fkg$bif$*iuvDXRXHsqMi)HUs<sfOs^Xd@<*mvFDUi`#60ud2w@}L
z8ewawt|n4GepQ5oq0oRLikkW51dI<wf%@yxz`7`+5m7}EXo@I=SE7Ny?Ftkvq@y#@
z(zDUq7h;93d81i8(78O&A)aW#%#XXLWVrx(D~W81+;&qVj?a$SZ-Hcr%+zsN2`Ss3
zTbA_}NQ)t<ZY*@S7e;pDlO>T96s5dwQr<hI?vV*EbceAb0%aZ00K|#QQ6h3mBud;w
ziBjT3u&9wJjT6}g&&BY78;j<lxV{lidjb-3*bz=cVku-Xnj%9{5o9rq#gN8i7DE{F
zQ4DgCA**2$8ktHVjA~H~Z~};98k9pCBN7_IqC-+KL@|z6qNv<a3}n<u9<_-B+C>oD
zU>|;rvG?fI+xLN6{ue8M#-(rmoDXdff$fe*;-)!DA-IhV{RZK`pgBA99!x_lK$wO`
zrXi7-F$|2sJET^_bV?JyF_<KV=)y>DGEKk3$+!4wPW-{oLzSZ!FnR+?p6obH7@to-
zay49s1)~)Bk<wk@KdK|J84v>W20%i9{(w*)(M|*VyCi;NQxEXe!~8o*A>r-?Jr>;r
z<AFO*K%z;5%n92L1nixGJ2UR2<XZG!vrsAS!Ua7O*#zT(J4)6Pb5JL2I1{pOxSVdq
z?j{92*gCOsE-d15;<}$(RPxm7rw1w3X>Cp`NNz5v7%8<%pBq%GQMF30EyW69wMG<+
zsvzZcPzRS)lx`<bThP_Okkw;wA<~QrV1x=_6@g3~Fe!m_3ScXFL$kth2rvv%4+bdF
z+DSx_7vXbcf^;5DfWyfc4!0nhV<e0RTfYd!NF)&QVrCvlCK}oJAXNMjEg+f3NTkoa
z^7@osUsn5YsMcp@V5BV0Ov^}j+d~5U(ijtS;^JGu&8ZX^<55eTAmf%rM?gSU;1nR~
zo#@0)&iEm-lfDJ?Uo*YiA7K)A$eb{%XD};@cP>C#IS7e{IXFR4NWExlgyiywWfaxJ
zf@XJ^#n?O&Xm_aD-@9nS>=9E1$?sj7D7gzRT*93Ps?DRyw$-2*T*PVG;AgY$W5#s}
z@WA_ga&Q}2fy!5*J9E&j=pUeJgu2qVITqZ~I<-uXyU>KRp41~}XNz-e?o%_KK!Xfu
zGMKE+Xunc(Q$0m%Zf!_uC;+YHMHVrgg-98R*;$;7?5_GYc2-3jJ1kALbdA%2orPG2
z+p>Cz7^N1&Z8V*`>c>m<9(0PcIoC>J<}nl}<(_w@bSRj_2t+A}LgNsFS5QR>=Gvh3
zFLftkd}tp>nTa3-QT!`Ui8G?$5sFYou@Pua#H~+kVND<mL7^3IWqx8jU@Bm8q0W*?
z5Uo9&&XlP}A~<sxgH$DD2aXELBB4rp)KKi|#c|GJ5CHO2n1gFwZ<*4=0gC31Vj7i-
z%A1N+&>$+YgbI~o5d_I0Bm$9bD`xz}HLZ1!XK6R)BEgj>)Z(XwN6U#x<0%mofh3HF
z@{moCqvmyT&&w)!oIA;qrL(%FjZ<``71GD)RaCtiQhtYNLRgbP2$6C)`WJl;zBLUS
zkc~{n;KtELuyPRawH>rU2sp&j#Dn5NktpbvBuD}kI{Q?8q@XRNr%)wcK$noy%k|`0
zc~+i9H<WA70oEw47Gcp41Mv}rwbkL*1=m^Bmf|jHOf-QSPjzu#h@lK~EPa#@WhNO_
z%&A6JlPlqOjJiyt%XvJ+55?6%cI>h%EQRYkC6}VgDP*Emz96{{BGB9@it0KFB()S;
zir&38(uyZx0d6WPK$e<{O*^KAlWNJQRNP6eG}-cKva0ezDv|{xf@v>gl6@vxl6pxE
zB;*o%Xavf@#2(2zlu%g|7)9BllxVp$RGAg-iWMi+nDR)k<P`Y^?t5^0C_UPqy^dr~
zV^St!5sQ~ey_1}0BJs&k=agEl7Vt|_lH0^e;AsoWWVH0OW?F<TI~IhCW#y-G+$Aj}
zUm+CIGeVJQq+cnFl$Huq<sczR)>4v`goq=sV4#j2u#TrkY{q0pRdPu*ax&U7U>O&9
z<w0;Vj2V;+#s*r$AQ;bhWO_1a86S96AR3Cg1VTX(z(+tLlnA2&E|A>VX_LXd157t4
z8X<<e15x3<_|zS22Acy%!KtqXL@orc0%Kt!I7{d!juXrYZ-kCOufzmpIkf{QC{z~y
z3%Uhr0_VYbAfPBN7!-41C74)1R;Vr%6wdQ+=R@W@tQ-1i>2;Nn1Oh4)0$o!5Rh@Zy
zr@G5Jzj}r}XWdH&LIM#6XTbPL{46jjj4?&v3tzt;C*j@3Rd-~aZx5fVgf}Q`3OQ=e
z3S;wb9Znpo>C9I%!bj!d^pwEl+FX=o1o%G|Ka+%3im52dmcITI?r^@6aOqkdnbwtr
zL6=yn|Eg|Xv(!;!Z^GO6Pqo7004Y8C$Ijtj#j`7!ug^Yj3b+mQx8@%&g;r$C!z&CL
z6(db$)6^LGRl?NbWcI~LlKZpd@Y~8&E$~ks%gM4CsfWm;(wzAo2@6-y0+E1*P-FcD
zDM&F4AV-4!Av5^Qp2b@BDyK2v9jg8d&7|Zqw(KQaGvTOFZ9*Gr9TtIaToYx%nF79Q
z%}%Zj#lci72t`;+O2dGxIjTaHQo#HuKv{FD#fryuQxuwm1JY^Z3Z5eL(Y8$y%`{8N
zWB5vA1ra;dhJkg}Q|c#m{Pkk>d-ala9(DJ4K>e?@%0w`&;(YYH`O653Sm3lNUo?77
z8Hsq$oco_s+T-s6rhH!)2Q##-cPyWIO3o-{(FRP;ZCx)m7uJ;3a+9?vT@iMb&7tKO
zmm2I7(%!ukDpi$mdBz&(Okvh8B_9@;j475!D+;g}FslkYAe6>lV?Ad7UZoJRN1lu#
zN-&8Cf}RMI2M7T~1twVz2+-4B;LyRvdHRk<6rVQ2V_C4n2thNXsae`HCN`&Zja8nf
zHIDgV8$Tq_ZI&UUOyx)#3%tmA1{pVam=2)8P$b!)$@3v-3+Odh1O}#vg(O5iL_<3u
z6!d^>!@@0(3>bK1#|PkwFJ+Do!RVaAh6uPYBKW}Y#f5|@BQMSTN@oaILqK|!gc*pY
z4aOl1gHkQAhU~I)fCRJ6+DV|+C}*WAlsTD&jp=YK%D&ap8^Y%orspOINvitiTCYW&
zB^tew3Dx8QJ=~9XH*!73F64Wil`oKrh)@9+$}SVY*hT8Zg^aN{EU4ebg55pKA5mqX
z;9{VEQcCz5etD5Pt9VEUKo$j2QR@+*-Pn5ytp$}K1|R?kY7PM?rT75?t-uCd7%o!b
zUyZV>3uRmjLj1v3UR|<60cV=%I_Vn49)JuwGgvf=0D@AQ!Q>zVn!dm^6WS0u{KYDb
z<_)keg-abcuWD?j(~HKh3Eeod2~Cn_pB1GE2zq>6N{}IocNEj=Dsl<(_ci8MX<J6s
z<}^tAcrHk;TZp)!L8P3z5fKR>xQs%~Pt_L@fHnV>M>)xf!U~fOyjg>-B1U~2tjU?8
zA-fR}v=lr=oIFIlIZ0s>yp8*)5k2eFmyVa;<&}_NhpAmeO(*JyofVLMOD8o4rd3{V
zSQQm=cBh?Q96}H8V+ym~rBz`e=J|lB#H!P}_r|{!Se?77&*;{*m5ESurK%CRtqA|1
zCJZ~)VE@C;249)S1S83bvH4bBD=?$pVjBV%jdsR!w|ilFGvZW-)@A^+Fa?=_EPMfD
zU<(@nShxbMoY3!x`w^4nM91<FB!*8to_qoTKt1dL^*wC>WfI8Jw>dEYa-D+!_$b#_
zlw{)`@Q~^Nyc{QhD#ED3K6X%Q2ZS*IEec$(0#|SXRZKpr;Cgtlz$^$3+1FTsA5oSo
zbUuKRj2|l$X7oByi6WAWvhdKcyeQ0}+Ki#jQy=wFp?+&E{|chN!mB&*t2*>m%lazW
z`YNov6;DqETOWd`nb4}i^eWA|6>z-@wp|LU-MXQF%7YW-K&#%O!Q4>*_Y@Qd??isU
z(K~Q7-`ram&pqcR8p~^bqT6);%=en)Gw0a(%HTHYNWPNJIC0F4KE{kR;yb3yCvwaH
zxjF#8o19)v5bm^J?lgNXrG8eDr<UWK*~Ff!`8{;Do)z0K0v(5eK6}8CJ>c`4buldy
zuxBzdO@N<<XSQLQt`1_U)Rt>BmSBQpAQH*zo|4DcC68#ulK#E$t-r8W@9Zu6djY22
z!v}9*_Se{1boK*XJ%FK~uvg{mEqQwZmR`dLA7Jpu*jRD)16+N8+D&WR0Q72X0lt`r
zP5Rqho}nzBr6mne);&b(EkXY$@dJ~4?UQ=DdIR+`2AGu*kTrS(<B*~=XD^pe<U}S*
z<-o@9E33ssl0{?{n(96MlNVGyA?OT`LV6klg1-X+Nw}=C35~Ki8KYw#2XJYp!3!2)
z@OOo$ToX}M<``)87q#aXw@NBn5fv@bATRna3>*XaQVk$VPlu5!3nE$&m;V<9I|Kke
z^i?KW3QuvmO7XiX$-623-CahiuNu5VVx|R|C}Kgy<p~IHD3>JuQ7v|{M6S)6X#=@5
z(vFO}h+Oc>Xf7E{65*8AyfT^_hErPZ%50U{O*OkIg)6d|L%S)1yS+e37gYThR7i>u
zE&#L+E^1ADfNM?;0An1g0lGUt0sL_Q8?+N-1LKcclUJHj@s2Z|m7f5W{RYqc0&IOS
z6CbP%Qy;6%OHh>77PpI4uv1tYic*ML%Qrr3+}gknWzT>V3(){t7S76gC}lmhVLjJj
zJ-1;!(703P61!lS4zElN7o>{UB#PH6T3o87Yr|SIx**~a@hq-X0b!&h%Ta1eQDR8l
zU<%1t4n<f9Wm>AmAT8LfS!zH-DnN0m0a+!8JEe#&B>{gVk%ylFY99gBd*8bCYlXj7
zxODMrnQs=kcJXVyy{&UIwXXVhwaT|kT@UoN*k?iF5WhYukUlHydb=d`b@b4i3m2G3
znFwQ(2+ETP@)HO)69^A@6i|whXG1upnao2`)*-EWA*?zfuFfH^kVy0sa`m6d)Hai<
z@grHRjcJlKq=%}gNc08}wN^XUgy&Ifop4*~)o-lDwxd?s)3+0xXweWylwfI5fdxhd
zD7YUMg_9I0u@oy_C{_$mvuL4J!fI<ziq*jtuke#C5R)uClPwg3E+Bg>oO>v6J(VjS
z${dKPu84CevN@D_9LmKGWmtx?`o=P`hBEtxGNr>AWFd^TfVNNs9z}idNdpu_+fLyp
zyem}qgMkC~Po9-h$@5b3SU+dhb`~F|Eo%k#m6sd@&>}A|qH}s6udM|+zzxd!OuQBM
zdL6GcNlZ6{!doT-LUs8}1ZGMhDv9Sp7J8|wIA(Eh=zxSv4oN=e%@WKwU)MZ#$!$F5
z7MyYQijeL@UnQf;fC=MY40yJ$@HZ$9hBf_VNFcR!0n!b7>Efi&??F(92sQ2+qah9k
zHSPzY4yLW+HM#Pt5kG?7*n6PutkFhbYK#Kfs^u0vwOxSMDY31zu5)91z_1GTta!H_
zt7>Au^mC#T3e77%q=*KoBN6u6q?M~n#73@~pmKl|MI|wzwo<oGN?7(9NpJkusq(c8
zd2eM9mEefkN0dCEB{}OiN<^82ilQA#Yuc8`)y(-o8c@*&hdOiDy0G-ir#%r>wx*V`
zG$d0=>f~c-lRzyssf0!+wsM@+oklyRof=d!P!UbN12jI7jzzIv+O{alM8Ee?Y`^gW
z|GMo%w*?gy(!;xsh+Be)1!@tjR#B`r6vuLF^*3QW1vDM{0X?Us;na|ldW1Xj5>G+o
zBy}EMsy6_s33>rIktT%H(4VG+_%JtPBz04lBZQ!+Z6d>Hz$}BEqQn#B28Lju*q3>0
z9hg;Qr3A1fg1VAx0M#v62(b@{nG#XMm&$+ja>}3Ru$o5xQ6N!qaonf;MrN6+lHFph
zB^=pOeHCQ^+!meOw^0_|^U|N&h-n#ejZdETDp55*AEe0C-ZJlSOaPs(_s``^91JVA
zqHy(cJSP5iaRy!eoR@bnDI;5NHgT3fWzQ3m<*o`tiAUMQO$X2gDFs02!Oq>QrjK*C
znXIG7bV*3=n<;3DK~|cV3c=7HOzIk`cUVed*VdWzx6>xFROYOmO6ZKDHiT;XQ)@tl
z2<j0lElzb?omNm{lIz6f(dsk|xQUpT6&b5I<5&tuMH=dVLM2+zfD$c10hbZkX>n})
zpg`j<NeFMTXoL?#jPwGzhsS7w5(Ghn#d{`dYxD{5N*3`la#vsmJc<q<DtCl!+;?pQ
zGRBRfWu~%xjI<<KC9bqxi5OS^7-<@Wh!(T*vQd(Tp&QTx*MaJ!AYxyKMjCxVM(Dae
z#fOPPfFElzEK6~N4Kqu|qmo5JoRo8tMD2JFf?>}x!ChuZvB?%gYlT|fb<@<ZyoRZL
z|4D6&;TI1-uPkpOSr>k8K3AQ5-B|rqK!ts9ESfdu6rmW&L}3V}mtkAhZW(%s)}*jA
zU?C@)rRUHEY5;`Z37|$WOW#C_UvPt{P?iG)7-q7-M6ulVmXw(+^gC`ANb|i?MhDDZ
zQ3zDyvJLK_H1-5z#p4_KxdxfIcKm^)k$bRq5$xGheO{aiGi^ep75gFpDbL-=PRCk;
zJpnlkjbsRVwy4-csjT{wP?|s=++)tB1y)0b@fJgrPk9Qbix8O#{N^D05FSY~Q$!m*
zi;#;Cd6I9U<e67eO!6)$-8@W??QcHG42Cai$qo)Rd*Zy1(sI&6VFE_zIU)E;e3Bn;
z%#!O@l-X8tDWB;xO6GedKtpcKspHIgMS0rGI#hG{B&mFnbF&126F@Qs{RRjJmh3q$
z0C?oGxCaJVR*n;*pnECf0O5wk9i_6eQj$pEn^*&adr=zS@mU~5mE#HxAf=Z$^y{c1
zoojJUtCpBG8JSB}3cCUtrn7<o6G*`d14$tlV*tSsGa7*vqb^|!BL<Ba!5qYT0B&jk
zm1u$yqX>|JNU~@^B3yJJ3@_j#j#}&>gDpT29xf^fvK9vj<P@X`$P`5g6pA83EX6!R
z31Yqh7X@9y7h;(~7Sfzfv?%2Y+AhPO83E7*P;>&&Isx$=0AC!1V3A8g<XjbObY7i=
z+C{-u;-I{P#2qDjnLs8CqX~mD1VOR_AkEPbY=DR~WE>c$2L>s@L4m+fZLlaaCJGJm
z1qR^3L4oKNc<(LXM%bO8kJ4ho76jsi3JDwpIFe1UCW$S95%P3G4TRW)M9Ex)FNsG4
zIFKj^%PiYVtUx@Q;R<p=p%EfTK?O2cVG3eI!2qER;E0(8aDkx<V1}s!FpAL{KmutW
zU>Hfa=nzamkOO>%&;c?#L;<`!bOBg7d;+j%xByN>`!FLw&9DOa#*hk;p5O`s+@qmY
zqccDYT!l~saKdl^n9Pt1A+`WqOS$}A;dy`qqO*Vp#9wm)6AH`#V3B>=1)?e-15l&5
z2Qasg23WYz1qiQj1Zbqt0&Ua)n>}X$3Hj!9E70>{m?S!8G|OS*2|s~iR0*|nNr^Vq
z#Q08=ZD%H(Pbop8vKxStaAl^M=3--42@M$};;s{Sza+%-B@N<9$(u>K1HxqV@<Uq^
zaH!&&i4)T#7qmAyCk#hZb=Ne=OV)PSq{nS3yIeYCyO?&Xl408PpF?>vYKR@CRG1e4
zli?pzYLjVEyORM`McRlMXaLNbm;pL%AOyJ+Km#((0BB1L0^ciu1r)VF6cRD`&P(|e
zd3-^jT@Ym+8L57A&}0@Aqhsvr7lE9JzA$Gr_Br+eigP2nrNV_&$$=>Z=ca8UBHP#D
zl`TI4DKB{saHX9uI`>mc&+(d3kYvX?u8>0|A+r{%Z>}BFf(N?EVUwc~2%T0+|56B#
z7(_voC4hy-Ja||CWVPCJoI7nE?hsCEivuZC$tqdF8?g4hMaYyAL`eu)S3Z<X<!Xl|
zl<}f37|3N@#|jjzF1%lka12x&$b%GZ$h7VUr+ZkA5)pN!jDR4svR5GWVmLU|PHMs_
z%ny!PFtHr6GC(nJn&85dhiQ`&!#X-iNMV1^VyQxhHiKT31(<_Z)Jipdb@ORP#t5Lu
z!oqNcsVZnLuU#r=E-3h^pt!cOrh?+F3YrUxiz;X?FF2VZ@k7Ch6}5|Pj7atJFBHup
zyikZo9JESY0{O^-Mu@Z~Y(6EN(t&d@gyN)L3|hEMwj!AAGS_INUl_|=TI?Z~hV<|N
zb2E<6=FmeEv*O{U;`zf?$F5|&bbZonx<=cCg~be68Ip#pUI@lU!3o4-BQ&qpj9GQ`
zh?Sv;fO;5+HQ|VXEGZC5g(4duq(QtCh-o1Rg@go%bpVkA3gnJ_262IAxG``;!yF3R
zkppfVV{#vZSMWF()6Ix!I^Ch+jL5A)NNRu6L*Z&+VI040f+R(v`dSNh??jS9bq&Z1
zT0v5Zv<1p40xhD{wvj-G?cGtj@t`3`(H_<FiRNJrIpB3GlpwCF=gudJPn=IN9~Jc?
z7_ZB)>+8Z9jx~t~fb(G+^#;bfATUFkI>~1w&=F4rTIb#(g*tI^@O0E?S8=*o#L?!C
z#b%?I&&uQ3h$L*d1GE88l>jAM%$dgo&O;C1U{cSej@yH+C8yadjJfXE!^l<@zqF~$
zt>m~zXomgT17V1c_8f_wbga0c(n8l+ovCvX<DRp0rB%4$iQQ>=!59hdb=bR!9vxD{
ztaxxLlp^KqY)riIVoYsG0}j#Qj<qB`Edh^#duh<=V-=I2CvdQdIP*C3k<l($G3hVe
z%XG%cD(E#tfCpo`TN)1O!#g_6dXbf4hIV}I6;C{hP!uvfeE|jHRec$%zO-I0parV?
zq?+>z79{KNMcSQvC5fUIh_};TK%^9CC0D^fWQ%8t#3C@nB9O^^UWok!G{Y1}%mIHM
zCl;who1#%HXq0(0N-&xw5dAcyHMGo>0%9hVf)EFa69F^fh0gGWwActm0&D~%H8uha
zUrm657!zP1p-C_o>M1Z6>j47_*!g;rT6|jI!hX0gy-)vHa}~$^zBA8HpD8v^4IvmB
z)qS5lQjhidB$D$v@O=B9be}%J8x;Rb(3XuoA58V0jK+Isw=+H=Nn&W$d%iQnJ<ZJV
zXQFYQO!f*h%FlPEeP^~gpKSEJGtHhi<{Vk(d?Uk&;~r(~@}gz-ct06dd8RV9cvqQY
zJSGgX&mpEz&ju4Hv%FE1nAyx_D;vEGwT-prTVrF{l-S*v%62v%EFd#x?~fTnMq?<v
zfKHt+0Xks_Pt<6os?=++R9LfSVO$>jXwVc7SnZ3V^qP2ybxh7H0U0|W)-a6JKu7$y
z*yr1#j-we#8jR7qHR$8am*_Ov^l7~aWbvlpfg~b`N!2iikOQ5oKI2@?|GasgXv}Fh
zyCOiwvUtZP9@5z%W+?u^G3|80g=(spN>^?gaA)M9(91YH+LGW^6kI8MRLWb3lWF?L
z&O(C6$7YA>5-uO$08aQlD;ofzrm0d8>?7`M<h@r(fEhB(-`&7mp(ags4AACKdBmw>
z*jh^%%y)tVpPey}GY?*nm60nh%bz52l_@`cm@sSvUnzDju|m}w-`|A_l_Q`}Ql>_w
zTw{vX2Ze0Ip}>2C|2xlUqEuHVa4p~Vg&+)RT>g7@07XE$zp_6fL*RL}aIwNa*1Rx`
zrjE@y=D&<6AfPLPpxO<>Vk8RvHyd5+cov*K$0FG|!2=Wx#yqwhSV*^@SF~w`shgTO
z3B|u$N~La31;|pxOU82ov|&QtEp4t(>X|wUOG2Tf*m2_R!pSo(I$%|TY!x0L#_<hv
zJS*>AXe1z}MOYv`{-~nbZO)BEWh)=!r`1kMm`|^T&j^VDp?%)VmGwr$_<qGjgQPup
z9f)gVpvzUrscbfsk7Xxqy&HNAN}~20Lu_8(rkYmtGa%ao$X-TLH088jb9f0ktYhdh
zp>kD#l<aXJe@01F#n|fTTz?Br0<t3Ov!uG6V)E{*PFj=o0GAQy`V@>|w}l|Ja*@G*
zDIBssP%?(3T3Bu&rh$?Na_U&ijT4j(>3Di|5iX^y1=Onpho>2ED=wi?7f|W)Pyp=!
zY%MoL2^L*lWriVjb=!6A1WT$L#g(*;-&#wSS7>%d{UtbHF0sof!w)u8WqY!qH)4Wu
zE?b;FIdx&&B!1&6f<h?Ww#I{}LsvR!AsZGIyD}^gWyGc^us%T}5=bN>h0*K_5(dzu
ziF8n76%@ClIStmYfN)*tSINJYROR+vRQH!;I?2=y-+cEL-dgJSqB(-&6WQI8ask;V
z-E||Z4kx*)?32WA4RJNtuCIQB=3P?g2U$Pw&4KrvaO0;FIsyDUHP8=nf3vP$TI}n!
z->mj0ARpZDhcz5Za7DpaC7(X)1Co#XK#1IC{q81ntB)Rr?3dj=HRw=%w;_BtQaz!@
zt~z;J!yI>UBUcqFAYTe`{rv8MJt4%m8qI2_y-LB)E`GT3DA<i$7^;Wwh|debNV~XH
zQH0TdAK5_w^1$+pI5bBF7=h67aP_)MyIY`B>GlVX2QDqRF52Ce<)`14dVTps)eR3u
z^D(KX--dR5!G_H+<E`4|Aj47Em(%L|G-*$Q%62ld!VECx3@|gZfk^VYlat46Qzfb#
zjMo+a<fSAT$z{N2LqO)O9yzNp%Qf_N$vQXUkjmCjT^{Dm$DM>+oXSC!q>%-`-PT@4
zk+Oqv?YN-B4sc<C*YLp3(*%Wx4ZPfJ_hb8bv{9nWIWfhaEH5@O{4fQ4JhirzWg8h-
zRNQO?W7~7JrGO@cx0#~t4%@&F?DuO6JK4a`Cc`l{z>8Vf6={QEnq=H2;%mq7$Hpfy
zrMKV1E*p{jFaXbI@WN9on9|1!IoQ<Oz(DWeyzk+lMsl$p4-37t!H2Zfhd1!nZM*`J
z{4<Mbf@yadpTlEV3~hs7-@_BH;jeY@7(vhzSe3(;o&)KI6&l3LlbwdmVlVz;0EG3H
z0sy*t7@6A}nL^4Kz(Lt#0>m!NxbT|ia>59NsKb)l+CgIL=RPquim@Xun}PW=oL>$i
z;Qk^cDDR<0-Tj&JK24eM#)~_e)ZU!pHp0znXg+Z#aBRMBiwNwoe|S`gN(D`Y_=P<A
z#oKDj8HzHIjdY7$(#v-VgjP0LI$(uno-zH2)|Iy*x0(A$V|OutAc$Nj9Wy%X9VZN!
zOsOyM%^8i6A*ooC8M(n%Z28^mu=S)Hj)tkUShwz==o)(R++#qdRg+xQ*IkEA%3<a!
z31x#!UQuHU5Nvy5S$fuJospx=vuAUASbAry$U$@`Rw0w8<}#Ba9m;;%12DIi8Ei&a
zD?iHzySBgrz-~ZhuyTtB3^f9u_H&jcfef%JR+;2Y9vL%%4O7YSJ?JwCCY=kE)OLQ(
zP}|5@#-M7Q@`C$9fo*jve&Fya37pOpe9Vu?vZqD?Q?@;s=V~)Mlf1NReU^iAn$-V5
zOr7QqQ?RogM&44<eq}7=PFgz$%VehPyDQfyFDWH`Dr3J2kb<!Jh5{eEk|Sd$Fv&77
z{2@tjwRYQN<hYrPrPkGKjMTJDCA8o>VqwdJnF{uO1S9f=Uj)u>c;m^(Xk%DcXdkGN
zmEc>ZJ1p-F`*cb`xF-~X3PgsQ+Im=JiG{tyctl!sTxcec-LVd|Bq<e5#vQy_^gx_-
zC$)7v%ZF$OLwT|WyFyqC!4=M84%6bc2Wk)G(bB^}QVM1uom`}4V-_I*tlV-c#t3i`
zyATfvv<#2Ii|k~idqGM^g-J;DhbbP=kaV}yxFe<C11BXd-Qt$u%2GXr1Vn~4A(OI!
zl9u-x7z4pdhVsCkH*0>zC_}{u>KW(7kE<S>;LGunKV0xn0mc?m<k3v@A>g_H<u_MG
zH%)Y&lpm5lY<leALEcVT9m$Fs@f<vyT`j@H_Z;W})4XnUIZLF~%c*_RxyNoD-W`s)
z$=6h-T=c@`T=uN!InKL@$%`Bboi{0ox(5CYAI*~+#x>1zCyYD1y@6e5y)#lq{7tMU
ze1__c1WiVb+#B#T;x~qCjLkWfb1DX4Oz)E5CKOJDo;Ack1d3=z%K}Li><P9gOU_P8
zz@2!cyd>)EBWw_y;XTBPM2)P5^4OfhG(;cBN(nkv&(-Eaq(j>lbKJMNZba;j0SO{D
z1Yk?7t}zutA%l~Hio@`aup2>b?aoNgQtPp;=-{EAF_saDA+!cK#&rvmvPYdIw3iO?
zvICaJhXiY1`x0z7V?wq!GxkQUAH+t}>tl4Zpe=}7mcRsK<6Ao=(DB6BFR9l>zC)?a
zj=;F8<Nr$MNOc(_1fQ|T9tc+*K^?{s+Z)NO!c=+w8p=bB8A@v^vGa41%vxu1E@QJ8
z23FNt!D#9<v~W(8feA@yRgIXCl~~{C@~moat}58Q7~HmL?JlIanRE%)J97&@3?Lb@
z9Ar2^W+1;IEy7!bNec!N1ShCp!6act!5aa01FZ%y2p9@D7?2S_Enqr8+JJN@yaP<&
zTb9jue13rQ0?q<l4JZgNp}y+;tNnkSevPI+Xc6r%t7W3x6(U#}iEmM)O4nJKkxFV-
zqf3j|H@W@?_?M%`1J5Ptmc1HgAPDip?T4I{Tk)yjrk9Sq=-O5()K94&Yn=l76ZX5;
zE2qC}MaZsI7M169%IPcE_d~w;dlU6#-5n0d!8&Tu^$rfbI8N}*qsu0KRA~C3UkwyH
z7Nf&Zr`!M*`-jR3RSPI~1qy~OaTgrG+y$vVEc50)3{pubbrmXx18G4X=WNcyWM{5B
z!M$e5TY5~dDq`GUXI-8)8r*wp&AYc!++u5tBDRR!J7Z+=L@&1T*)y~*q8&@L;plVF
zQ=^WldXMYfpr*3=OK8&2>8EE=Jm7LSXF|+^YxslBoB+~n;o|0FonB6PB{H$g`<;eY
z+{PuGTSENHxi0KqO85(tH^Q+vn@Na<M6wo5#fYNO#+jjvI<R2C<dgFxT77}B#}ZeM
zlb{ytv<>WRGY7Qek9BHC9ITcWTU*H3M)0=*l-3Mok%7nl3Ngp+N=KOVuNC(elojT9
zu@=CKAj~>RG=_<GMiG%SgNIdc;V7pZGCSENEY%I0fLdEaWSn;axC$}H24?bxTU>NC
zQMK%XXzEmP#4~vVXrma}M<n5<hQ@7tfpUBD&AS7N<AB)B=Ej&w>xOV-oQ=RFi*3f6
zR-|*S4p!zv%4at)rgLu?f-N<Pv~p;04M+|F@tbg&ef@#fnUv4a@n7?@I1xn-2Jh7X
zGn{gqYfo@Mb#=-!TD-G><t@cSVxAe4sm0|<28Uv&g{DD`51;CkF`@G47Btd?QuVnj
z`j=KApve6XJzg^1^nAB{&Xax=X@TH8%Ua6Z)Hh!mhX;Y`*oGB^t!TKd9SRP<%Qj1s
z%aa&V0>*d)<lv=k@fKOcRRp?<ailnuQ77>tazFq&Gqri5uM`Jr_61*JM316ku+!IS
zwpLXN7B=PTD;hd>tbA3}CM4B*1yP3X)qe`U4PCk0io4AnxrPd!h~2916$X(zR67-M
zje8V475FE@#q5gKMAw+1Fsw*t;bT!13WME>ZwkFa{Y#@2QJ~K(m24}3j-~7h)I_@k
z-V!u>^-8u1%>4S4AQd<KdX~H^uIliyPKt#5-BS4lLIEODh=RRhVj@i<e*B$TT}5=e
z-AlR+GWR-`BpVsm@G*r3?Daekpy+G%|EoTb-%aOHJOJAL&r<z^L@SP^c*AS>QRuj7
z?_JfMSZ~sUsZzJ7GyNx&H-k0RF3dLNHPxLsZtgd$E0Eo!Z&ay()W$2ST-azo71W|g
zYvl>xVl@pK;X18_H?EJpN^}jXg{Ty+VAa#-Rleb=d)HK^K-}Zcfs80Wr0vqRK+yr$
zrqeiS+U3(~%XpCE(x8BA>b=vL@NVob=`xsMyjAX*NU+(^RbW?mUMlYvzOkj=27U(Q
zufT~wUEqFV*M#?0{re(V5hM%r4%Jil<^C#gHy|*T4h7f)Rs&T75dt%#_#jlNbRhow
z6Icz~y%hL^`q;(K_#N02q4xr%0;&QAVifJp0f>Q)fg_%9DDXGuokYzY@&ycH3-AW0
zr7!}o&U#mb7cdGHD_8|U9Q3an?%}^moPTp>-6|~o1pAnk@B7|1@EVKVbH2-bwgOLA
z6shO-@YAJTkD~F9O02Wq40=>0>xTMThJIczt2l`d%$L)<DJM$9{)LcpzE6jGR<ZYF
zZ~6uFbZ@6GkE$a--cLYd9XW^n0gC@^9?}YQ%8z~L6aI}o9SL;Ho9Sd8&CAn7A4Um&
z@CbiS9_<Kp%83131OH~8ssXxX5XYJan~O-En4hJJkDLyl2s+VyEM*-y8$Nh*qWaUX
zu3&HLuhB?1Os5|!VAktLF0gL8XZ3go{c!qA0_l`ecO(mgoSvSa0+*HuHVg;njrLWQ
z88{a{?)DM|(<rC){sH}V`hD-yENkp*xAvFolebK^pRrD#*QcmHoifC}zB&JEJmOzT
z*pVTgcz<Jlh`031JLL=(9OC1e`zojx3=4;a-Z)p)nMkzV@4dfOJGy0^{Y38m#`xyG
z%B5}00^9wr`l-kLoB9Fc>CAJ4Llgia{i9;(&9m$m2lgZAM{lNAR|uvk7~%WNx6>?F
zgi{m@4PMXfbjwxx5?cP_y?EK_lnCJz#Dg7gTy}aT9Ct_^kD0Fc&$F;pIG8vA*P<94
zIc49MW1~3VX!U=uUYIA<gq`*W3IK9x!+ltD?}>O>LZ?g<>cVbYMfckeuWFqVhJRqy
zKd#*{zN|m#DFr|13+OFFqElDxPKWl_jtTW)?@2xAen+fuytlikb1(Ac#~I~e$3HkF
zer4S0r1VQJ>I=#I%kazIN*?Y3r2MaWeMsn*E!5Q?^K9iIAEIAZQKWy%rwoPUp-_VW
zgKCc|$h{JW9a9m1Kkj9*dL;!qj<Ekf?oLp8C4Tjh!Thh>iy(AMPwJ(C`4{l+yv~Um
zny~-!t#Ubk(JikIn*YFgIlkzY8Pqm?`LS~id(kK}sABi>4|5oM(J1NG0Pmqv{bNr5
zE4(w$J0A+}8Jmg2GI`iWgggAE{M1-jFJVw0JLt^2Z5v%nskb+w*G5izc+R>N?8BPf
zj`VyrSXZA8?!KTlu+4R{@WX-E(|T<P9DQ3}OOK|y+6OrL&~<+==$5;-h`-yOzP0@l
z^ER*Ry?0T4cSNenn6K)&>K!ZSl|YaMU)C9^3a_G6;3|5rsK2d!S4636(n>zO+)2s$
zCGq84C;0ede4nCKYcGj6#rcgTH$<s+R~m0_WT;bgN^;98OYsk5BTLaMi<DlMjan_@
zPKignp}J3xv{ol0{SuKGU8nj2^vW(h(Jgl@sP{y$?7zdk3*yT4JJFF#EHv*%d|5-o
zy$cV@_{C=*_2oZtS;;;!-LYA-hq+bfJ*^XTr02DwZaCs7wW;h+VzMVYWsGD0wJR@-
zSi&tx9rgArI{o~vELL1s{J#uW`%$IgOy|WT6>R55YdK*?y^gZzs%zNkE{dkQ7B`ju
zip)y!lw~o>fVpzg$@D9SEksYDVR?Uqx)k}!4Uy<qTPcB#DoR;i++wPt1k1O_(uJqG
zK#}Om<8~WpP>E%(fHsyYKk>Q&BhiyJ(g2S_$u80ebStv%0Ea@juB8ZcE@JFxheC-i
znaFsUg*SHN`V~668XwTFE2bg+3Pjyk4(M2@s}|sQPt9FF8_=QaxkmIXF6e;Xg^t}z
z8PKt-z9Tvn{d9z9LY{7?jOb8h&>+r*eO&^H=v5`!aXkz2x&af=pbgRpj&-74_7Tpn
z8>_(_>wvng56+<N(eQ3{c3m>t`gM<8d|H$`gx6z%xz{yy))$>X%dwkNXJ3uifKGLI
z-4R*}I)nFBp*hqIx&T@i9YTwsuugRv-F5`$T9wcsPIXt^Guji{lzea>wnJ<LAEha~
zgde6$OrRg6sY|pMk1furFbmS_rNK+J44Pt4FkK9qb`PW)a+5Veuw3c`)v<x+Sv6Eb
zm6HF-R_#yW2<l>2Ks@RYRrG=7R|p~LrOP_qYK&lc)zwwPrDOsKs=`2WJCnBa-9kL-
zomC5fax;^$t!X;SDua}j2U0euL<5kWOgrmK<m&^fFaYOJ0;q9M{1l{c|KHJVwEy6A
z!|DH_DTq`5F?iTB#M5s_iC}70QPN7GI#yBk)qJS}UfB}IbcgRqqEu3sY1MwJB}>Ta
zO{?yf>~(U@u}g9?=jQk2rQWh|j+6ntWaI<>Z11L(rT@95A%D%9l-HO1LVFgCr4c|t
z^L)3noloz3Y)2$z`<W%HckgMMD~&IG#V^mkSzI$$IeX?wLEd>~txZa0=cr}7^UEvN
zYUeK;H7<L8An-t|@l_py$_j7qPee<cyZ1!5P5EWv&E!k3gGvx<?{P#o9$k83Q1efF
zjL_F9bnnS)dUDH7n_Nq$cgvmAmS3FT{JL~pq0W4=@TR?z%ZhmQDp9<2tTuz^?{uBk
zOP>bI`p=EjLr2WHcf7m|xpPmN9?OqY%Ur{Z*FzAZTsneKE*!F@ri_?zJI-{IhZ8Uv
zf|m|GUhCn@DXMQGTsq=Vz8tczrj8Qf{}QM0<(GjqL5B@9pF@}Mx(-`iHQ&sc!1<O^
zFWk|F?p4CgqRWsfzh;h?a;X6{D7%$t6JeHesT(!(Un<e2fz|S>vTb%=X;f623DwH9
zxv+Y<R8*UytCd&tT8g<;<20N_EUyZhn=Gqi1WF=R%PnGPPOe#4(`#zwmxVX(o>@cl
zKs55oKusOf%PJ~p2A)|+GgLJ4%A=bMr<PcR*bO|kb0#I|<*-SZ+oP7xjKF0awh@yW
z)N<MQn4qJU#r(wO9JXO*G-KtkjG4oamcaI6t}a^z37kl|Y-~)!May7KGNBhOk%^6H
zxojk6b0X!jEt!Rjmdf<X^jx+969FiBY+WWb;pDQLF_{k~h?K@;JeCjBDG>5mhnOY9
z$!2n8DjrJ|S(u1<EdESr!O3SbWL6GK6N#F5IV=mNB2aQz+?d#dlEA8969*-Lq{@sO
zmN1hCs5vZN%*DaUX98!U4od~8fJ7XYLgoV-<gi?s1aFeS{$Y8(OBd4%?ebXHnN4q!
z!FFJ+zDo;PiZ=Ny45lkv<gl|aPj8aSoW^5(mMJDwTjaCTF@WDChB=Ye`7Gj03L50I
z5ilKVlEA)YU9L+sGZfajEcVRywaH*|Vvg4(fb>ptT#BWLrnAVPY)>ORk}zUondDw9
zNlQGLNQefr$z`G?fu2m}h&?mOn#4&3o;w5LB&>1R2E+@P<FL9VL5@2caXhSX+36C(
z#~qCrnzlIXDv8Epj>eQmQI0zkq618E**}QNF~?voAVS9-ft*DxemeqjEK70ONQq-D
z$7Qrea@=-Wq9RLi*a?ZFTaM2hPcqzg6QTjjaoHn?TC2xo&LBRo9fi1y0=#xfVrrG+
zu|X5suN{dvn`L<H7sS}B$7JdyHC{U#F$tx3>}SN2E5~KJAZV{0lBkS@c<fq4_N&KY
zJ|xLrI~EZvYVp}2h}~C?z}6vHryYPCK+R4&8j%x4IIL>K2UOy)c!*mm#bUl7Jf{_n
z>`fw^R#YN+RN}D}i6c{r!a^lcJ}Vb{{E6{cUx}qpipmr~)jlgIF)WF3S-OZ1rNv<8
zAQ>(zD{%*exU5vft)<0aDH7C|6@jEga$Hs}_svq`vS|>?mlc)BjD)zX3}R`L;<CDl
zGe?Ta>_W;sRx_e1k>avb5`>Qxfy_e!JXQ}8Hqhd-trK*I6_}`jq&TdY#3T^nvb7S{
zhZTkxjU#xh4kCFQ#bW{?Zf_Nhj73?zR%GHUP2#Z6hy^!_$(&4SyjBEJ17`7AwG&Qn
z6`I(KQ+TXtM6H{}Vw)4h&MP`11O{<gSBYISio(Vq_|7X1#nB4?FNn)y6GSRPR$M?t
zAt5N>^4;FyF16=Vtl=un;{n}RmbUQP>iUkQJQ+H^qp6Poj;qAGZw5}UyeN3jc2F#-
zuM%#y#G%u{=U3did%$z0UHr={-Oq@Y4dtEPV3%O>y6sFvlU{e7XNhP}Cl1$yN>=lB
z=^zz1o=aU8f=adHP1VjmNbue>gpgI|e9jf^JQ<APU31ORoGYt%06Gp1MGqV9+XAZB
zix*V^%$4O4)ks!g@s{dV6&>CaU6O@*ULoBQg1Z-!Cr*W55?I;evXHAu<pti*R#5WP
z=-?G@yji*<g+-^02Up!HgT=F}o}93GQ*^NoYp*M=rXf-J;FRq$O;!h%*JUBfQt$$F
z848<^Cr++<b(_Ey+G6O&Jfj)HPHp92XA0CFGK}F`<IH)SIm$fV8N*<d&;(?m4TQr$
zDV2CDR%xI!g+XSWLpWqqG|rjAqehwII90~dpkE5m8V#lJsKnAnUkcjV2}SU%(W8vK
z6}B{%mx84&E9Ky<$)nws{h3~9Br?CChIW9Fcq$~cCCkC;6`(F&3d@>k3&B~dP3tlc
ztFfhVo`6(H(!5>@m>L5GV5lLWC6tcyElnt_*g~LNNoiO;2ih5m!BH)u%&ZlYw865b
z3dmYdSu+K24K_-_Sp!VjSSmcwRLR?%)JB#jTtQU5rukSZM6@DVT-&;>6@_4_381X3
z6{9rB6@t4ai!!iREYqZ%6|Xc0iNRf~N;@a1sFpg@X=c0%xEgMgf~Ho3*%&>NG|!QO
zr;9%m*=0NU(ZI_q@%Q0nkr-BH(?UiHj;%k)!Bb(Ot(E*4WYAnj3c1=E*>izj4Gg4U
zEcK`3EAjWmpuCI)N7^U|z*#Ft$r`H4TS3NIEu6Ftvik*wtrSFHDQisgHjs7p(uPI?
z{hA6yU@m>6k(@9UN@(&URM#TVLL&pSW|HzS7P!)sMgr&>Ey%!;HqhZC0c))dtjIv8
z#)6wNa47>o_<RLhv{^Gv0;^gOjEA6E6Hkcv3pr^i9|2qjf@t^(Av7^r<AGGRnX&K`
z;Axs40ccG$W8f`ipnN_8knIizKp{KC(a6cb1!t4yJ_3S`2DVxg?V4@J-l%L;r1AHu
zB+wc@s$@xMP9J*wiVi{dulSf3jlD+(hq1Tz!qA2`^;tBRjlDruf_pDNSL;cGGCx(L
zKuw(AsU*^rHuc=Jrm}PTpmi2!8+z<CCL4N=Ede8MUG|Pqx2uJs)NSe_w9E~?bnP8u
zZ&1TQaNE>W(7rbHoHT!py>G20qi<64Ku~S#a#+h$pX!2(Ei|f&f@@K-NoE&+Zfhrs
zx?Z88%+k7VQbNnBx*u0fWX)0A)OcAc7kac-5@POJ>cJ3Q`kF$s+Aig)#Pk4F$K7(Q
zr3<>u|Foi5yOo7w%w5Fztk_ihhsX(}5rVQ#S-Q(2wT@IYnytd@1Jf+;0a%;rSVF0<
zShD`*7j=g2633^?l3mlAj^0D>VHq?r_9cY)$}&;+!w^X>-e3^m7z5e_0W<;twE*0A
zLtOr|{0t@6;~|BBH!?k7IOkL~c{#+)3*teeye6nxoc{Flcd^}oqF2A0o$JY+4y(s#
zETMvfuh1QL=}CRBB>tqb{wQ$Z5wQIxk7UPFC%?-FrmnT)FS;<4Yf3t4D+Em)?4)tv
zW3JS^&W7US-3odae>i9GvvO|%zlwt$)_LQDhe=(aO^l-<&qbQx0Rnt)Hfg(VGYP8x
z%e>AS0(?N5IZ0S0CC%CPM5k8_aZ?dwyGtd_r%kOdA7jnr&2*H(U}H))VHFJ->nRy+
zXQ>X#$!N^>)LYKf#~tpu8(0!;)X#qsrh7j>s--uL%ASlHwdn#T{WQDdE||<`m<~n`
zJ`EES4FDnqj*MkPpm-R&($$1hP$=cEf$PK^U002REKMog!o2^J7_i{d(=Z_*>QQFz
z*y%nRXq(jleGmkz!bU^WluRM_WI}rQt#nU!W!Kj4;St{Mrx=DnESf>@p&Jptgj_ZF
z3!P}NJ#YJx3vCPt1&<Y8G))nO!Jw(uh(ply-Z|=-paS9omV#}ePn8jlg$nJpkyFya
z>4K1z*57mrkO9#MK+Y)y=!7d^f&?K_U3|h{BqWRpuCy$emTnHA<d9S)9HOi60}1x6
zSjj63d^#$LowT|nzH<t|`Kcx?AFjsiopm6WhcGMwnvvJkJFVzV0zB^Ln|`F@4S|m@
z;51%}o``uGOZ0zJ%~B(!Q-a#HNKvfL0x&t=3>Eyk<++su;bFvguQvt97@*Oj!#10n
zX3Cy40eDp*`H}`w=^}-=<y`PVfm5MGYH$U&2Du5Oyf2<0I-oob>RvCBfNxULDHL$5
zln_dsa1Ik{bQD)9XyHu9Xa-Iw|C!YU@ZRkNkp|{s@5+PO-~)%ts<`VqqXyH!fqi(?
z9Jtqu@Ztdm9x5SrEXF;ZDi;3{21PnH(Na|=H;gUd4phVDkSoe+)qMc)Zscc;y{g|i
z2O_|gSAtNf<qjnZ=FVK6i<Eyk$hV4B_RcTmjysIi{m?pch028gW<!mpA3ELsjqP+1
zTF7rhyW%+>uvoE1Q1-iQpS9=p#^jjOY}%%?d98bbwg2P7-O%fANRP;U3gWdb#`owW
z`bK@R6eFF(S$gV|UOt`Jg4uxxE%kF553CeGI@&F2o#|vP?vl2uDsLJbm0@%FR#PFc
z2K*%=*E+|gYGLWlPV?Vw;hR7ZAv1`X?&;6yreugKxr4qE#p<&Xs(gy?<z3)D=mdEw
zJeq>7g9MJqC1}z3c_4h63ao`>XAA^j!I^O$r$>UU<Gm`l@gv?tj&8XiD#-0N4GQn^
zfxgA4?}NjQ*)j&Ag5=&Sl5m_=A$(q(Iad^L1)@<XD*KKITq_2J(9_4zC<hEeroC$2
zHE~euuwoif^UIHqH1xN{jYZVy)q+IobVOo_!BkfJLOI0D#E_^2UC|qXapJJ)wjtE-
z4_wCm1G*K9n1D$ZDp0frm_Dm$bh|>SKXko{FQ0av{sxl37!7UtUezjU0<R;7dk9Rd
ziN#^?^QyuQPoY5y<Xf)UJX7Gr>=kBCz|1fJnI1jNZ#kwqP{QZ9%kR#62EyP*JmX7=
zN=H~ryTU;G3Ri8MbP5hvJ82Ll4Ak+Mcq!BmvtnSy(Ny_A0o38R9u2FVbA$Y)2Wde`
zS7QSB8t+LcHArzw^&Q3e6tff<;()0`3+^X{#~!W^L$99;hGQ%w5IhkmbpyKyJ36n}
z<b7&}8eSh~OF5wS;NPiV+aqjWa3XOvY}Q=(OVtSFDJ&lGlFBeEC}3}W0wZk%X)-r=
z$j!G1)7tevFCnrRy99P25L)?uB@)6d*~Ji8=drcg@;9JMTakKj?c-grl#2^bS|o$O
z%j2%sAmOHk29f~7VWl6;VWnG}K`V3*X*nD9weJq)Y>9;SM;Ks?Ml#TdT+kyW5(12u
z-hO7k7?4o}BlfRL*5PM%hY&-ed4`b!Z50~EVUBl}{8w@X2U8i@sst)ANpLPa5Oz;0
zIY8`gkkQ@B?Wz6nVn1{EGPa9|^$*Brv%n=)XT?lcICj@X=%AyZJ~Rc$fITlGm1-A0
z&V)dZ87-!IC|6kJA?bFwuJ$!T;~G%f^^48aMu9-hZtXbhMW>`gjZtkInth2WIJ7Hn
zS`K2(l)Y}dWvYPYja=@eq^QtBeABrPul7hNXDh$t^FMxh-+v7r#DXbSU#fhUxuE3B
zL%)z4r5Vk?>9s5mB9dB~Tf4LI`3$<1pO9W-VcXi8UyCP-mQ%aaOBXeGPC*uK4~RQ$
z%m(+sdJ>V7&!CZ!{GUl>=*>(zsouj7N?jWYYO|M5r%`jh0qb&tsW^&3;>NwUmmmYu
znB^fdzx&TwlqtvL>I#HBIKDP1mqCN4*T3NUH4zCxWJiaMsEO;7^e6qkgf64SOY(0>
z-$qbeL&TAS`t?GF9Dd-Q@lf(<2vLd#ZN+B@!TPxm2B_}i9gF`4g;PO6j8-u}=rA%P
zG!CKM_}<kWmZXlsts)c|q=lbYg?D+shA5HuxL)KRVS;xVPdxk2q~cwn>C>l({j6oj
z;VS2m0Ne&Vixo>Lj?`6wQf&p{H3tD93RPkb_b9>zt%T83rBS+RH`hE>8b}^c$|7ol
z@yz)=BLvV3V${BI=cz?;kC@3RkT_^nnISh2y|vijFNV;iEex!jA$gKX!xj%zDa%1R
zQ)(k)k*Rmshg)1II6^CpNu<Up0Wdk710q98onp0MqXgp;<1BB6t5&iQ;yv$&i`g)P
zg)rT*2W+~ISn3g<RPd!$I-w}imDPl`SmO0YNM1&1moN(_HuaM|E02ys%^>VNbl)l^
zXN#tq7FOE3o4%~U625Y@ptb$O;{c3&0>R6JN&>MFJiX<OJUp@Ke)QZ0HYpF8H|#0r
zYucz3N>Sd`HARBW<%eUbuID3gO_LMxC2bP)cN8d@s(xsI&D%~(jkVw#1&D7Vn(K=%
zSrrWqVoMo)9Yvys%o){VbS&RTNbe(Lj`w{*pNmpyR#yPsF=I)%snZvC3-VmCU}dh`
zH*BytBgJYdWUk&0-<plSn=O&dXS1&W<-ZJcLL4Pa0nXa2k(--|nQxa$Wb?wln3<LJ
z%s`-R4=pew=8=Gf=}7S@60X8p!i5i+7=`XeCX7)@kXMpJ0v2H7do9FCm`%__5F7%o
z@eX2T(LWjTh|XX%au!+;iwi@_d?paVe=iiI3oq2UJ5kdTsOmu|xt24?R`W)O0!$*f
z9~wUcV<%}(L)s?sr70S`_R;13-bPR22%~^PRDV1nn|<@Jh&a!*@1wa4^id8~B93L)
z1SKm3Xu=aW_dAMj{790_A%(U}bp&STYy(BrJJ6_-ssL~ath0g%e5K`KYJ^Auvg93v
z_syb=0wh_G?9QRZw&b(kf`fgR#ty2$Q!U9c2u#(PI|$ZFgES%?yw98&p%6bvg-Q>?
z9DJnlU|G$UBC~|J=E|GgKo<6)FKG=%l0+*Wb*5g^I({v0V~$e-!B5M`yIerIs9+2#
zlU>eNP~MiGh!ZR!qrT#?Cs@?euyM4Vw?~qYIC8}f>8Sy3+9M~_iZ0c3s0Cdu;PwyL
zL3Bj*bxNkn7asY4so!*Amm9klP9v|BDd79c5z<Q<N6W;y{k)=>9LLcy-k^dg@5_tA
zQ<CsKM_6|kL>JlQi!ZuKs#qToz)7tAif55g^AU(~0ugqJ5hV@&S3}V`_SL*ZJR@KN
zkUd3~W{bNi{AURHQ)#Y5yh8Ocs%JAVCVCVo!po)P&|$k=O0;@}NYfcTwz29SqA=4I
zDo)xaf%YE!a}l18H=!kNU_DqW2#>ZW5*|%f*pmcZ2YfW16&eL=*$&{8p{~gWSq!;x
zn{=#MQv1Vy2Nk;_g5eKw<K1awO*+-L5`%p4{G4P)d<D)%z-x2MbXWp0Az_o`U1g9A
zKrj}1FfT1}nxJ|`(yB=h6b5^p)y+q{cZfD3_wYEfUQU3|jg~yXIUEb?WI#zMKx+Hd
z2m&0{m`3pf=SFQOLaWyt<7_QbIlbt;c)2t{;ss*`PUL7Hl!fTA^)WIk7d??3g2vaB
z+kqk}F`8s}zft(u6{7l<7KCla<o1g^ibb-}(jhcAfojx$5P%R;u}1W%swD}G+JpnZ
zp#aSgQn>&iuW8FjR+D?Q@C6h5a;7sxr0i%bv7^c8j|AC-iLGUq<K!+0Dp<!HNZu2C
z4>I7UlU9w=lS4*=hcd9tZmn3pjein`_NU8qr~}?L<zk5O;9=t=P->Z*31S73k$E67
zU|#(_VttNdwjU4(XF7nd%|KMKg?BHooo3Dkr<je(KS_CB^k{)qeA;z*BErS``c?@+
z#6o5vF4{b<n23lrk6R@o2JNHLDA<9MX#aE^L}8qH)a?-5XC9F{L}Qu9$eA0yp4^W+
zlPK^Rbua-W#(tk+9<Vn~CyXP-=|iH)jv(T~K3rmm#;%XorJIYGQ^R>k>5^UBt7Q5l
zxZqn;8p-h()v@{FOhN><K6sTA9GP?@mRrewQBULh4ZgBGn4^Tg|G~{VS3BEs<vhwN
z!rU9_u(EU~oUn~r&s@3axMq&_$f$l|-v{PKH2S2!Ztah;fyWCbM@-GnKlTRK7r#x(
zCZg9u5hOwx!^Na$q<=*?=%tUF2_hu-6d9Y6X{B}igsCMlFaShj`mp>Ve^+Q$6s>&s
zA=*w5E9#q_#pE+vAAq($#WPE6WcKliR|E{-+3v&(AX!<7cD4%qLJ+t$#K-)!6SVO@
z1Q*zkxEe(taIu;^5eu`40ypOQB+<3eP{e)3J)PUJ(Nv1_%$Ow(H<-dwHf9t~bY99S
zRSp4%aA}}Y-_6`4#6};D7_2}5L)igz^i~6VqU6HvKe`#k^v7e?HlWvxp=5eBWO*!)
z5ra=386!j`Q^)rw>V>!T?dlHn+*S#jZT&f$q!Tv%kq|(qjot`lDIjcH-b>TLga*SM
zig3Bwkt9vi1}K|^CQAqo<N}efgw3RZkx0-&X4tU0AXt_>+$)F~C6Db4#57XJoPlK{
zMM75Iw1(gl<@C)C5;px2Gr32;U|6J&Pk+uL2_x2jdl}d+az3D{F0k(qeJO&Tzl~Au
z9TRMoGBjQf$K_KE1<Wbf#z@B!mn}B<biwG>f!JkrFg;i4JoOn&aK;41>=~@clYA<=
zPvkh}>`sq&!$M9RIpp)@o=*|^pTvF`HYrsewIiA740!u{e6}Kw$C10D7^maST@eX$
z(ftRb$ooCBGCdxV*i(64ceAnX?YY2w?0-g_Lxk*l#265O-H_**GF>s%Ep~__Ph|Jr
zj{Et!M~w_$jw2L6IGQC9Z_(B=Z>KQJ%a)IBV_v7Xrc}l5@h7Ivij#||)^p}s{Po<9
zy7fMzEaj-{a(A!EJv0kBjI&|`Lb0i}Nd%mz=3L3Xu)1aH^@oDCQdS33EiQX#C*^Bi
z^n|6!hQ61q=CwrpNJYU!$F9g3#p676O#Pq9sm!=v+oM+vUi+J{@O8FG#bDooo-x+Z
z$<DX|SZOm08*NUT>dO_4A`^+W(?PzVu&ntqa~o~d<4s@*7FS%Ry6Ppy3o)qoA+9%p
zBK|^kGTNLm*DL~P4Pg(-hTmW$PNi$+e(F~HmP`B~l4KBAo7+ou1+(qbw%fA-q{m~G
zi_+Mj5>gi@)m`*?Hq#t#1|Bp7hzjws$&%5}jLeCx3GsKb++{c$K(z70gVB`{;xzt2
z*>*%j;F=j0P^bVNQJLqT9O3$a)%x9zVwE>w25pSCrwVjdTMEaX)dFWL3zU!8`M*N}
zqwU?oBweJ?)fFKcD+?Wpic0&A_wE#;>n03=<|{F)h3RuWVlGfS5M%>|*KTqq6PD!s
z`2>G8{~11#75G#jk}N0GM?hFznti%SG5lQxVi2T$c}}g0x&q9_8+k?!hq`)Y29|L5
z<8t*WKfozoUc^qyN41Y^E$)V~IP}@l!{mLPK(!N(K5Pyp>&*sEKQ#GFrMV*4C5OTG
zTSPoXVL*A+nN8(y9vbwSLEglyq7ODP2jX$#iRgx*IP~1~Ks20rdTt;*PCtffAmmCu
zX)zHtB_7Wu9+}x&#H@UNi9Ir+4{$b`2lY)$PA9|T{IdstQn3cn@zPmXi#X`)vRS;f
zg>tm10jM{cv~-xVmmV1-qlQmL0TixoKBe@+1tMDN9mfphv4TILMA^kanr%uuP3(c`
zzFH_fhAAihJ;6wRQrZrA<C+KH8j@&GDXAVvYvVrNUvRQOvXH778}=e#f4JblK_nAW
zhKdLfcC2TkCQo&VT1oG7Zh72IKc7>`qqUxpV{&Z`1;+(Q+H4_C9rMnV+ZYS>IjIOb
zbi(DvNDqwb@g%V3r9eH&JBI6e-d+u2^p}j@w@F0}{E|%>;_o$>#F%(D;YmE(<g#d<
zJ*5+cD?-U@<w{_StRhwKIByb@17hsS)!Byf0@K9*LRjgqWa1P9qmgoP3h~j%(p8rV
z#89kEj*cOy9g{Ppf-d_LtiejkufP(n*Gs~(B|YjGGEQdEgrax%MGVUubXzS{Zt7n6
z(xedM1j%>0&|`gM+96euNDm!87DWtyw_73_sOwp;3lf2KN#|uUMP#saa|%Ww0y;Y|
zX}w{d*ouT}X{Uo;4xu8Eh|wmdakt@E<F)ld?j2ax*V#cq@<7@Zj$1B*z@4yK!PBo}
zuvNp=1TfL9qnC1#QNYI50LbD&Eix}OV{F}6*|P(N0fzFg2how(;bzE}d4_o`HwFqR
zXn>T3xA7DFUlPz_+vlydr=y8Tt*lhI&TMuok7p>EYnM%1SS^MOs70QC82Vo)(wUcj
zJi5jqr3qaO$Z0>H)<ZP*Z#|Sv5=SUN$4lD^n%ca2D%b#NuUUzRH<sM$tZkpdfOmel
zrqoj2Tey4pP~H``RIIr=XmGl$xP!$9_gIXgN@_FctRlLUHHBit6R08xgPP6iHYZeN
zO<?inGAc(@z(ydF#1-oVN{&QZFCRFe^IPq4j+m$zSfh@u#Rs6J!#2`|U{d5eVL%uu
zadE7mY!JIal%YrvxT?rd?+9F=VkkI-E|)NrN<fz@SPCxy3ybCghL8g3Qn5q$0dwR4
z;m?3BJ`htVXaL)gJx#_a4k-W2k$r%1j{w?7m9vI`S+17p)3@`cC--hd&C@MTza12&
z6gsk20Y*xl#hPhPLF?@;A#{6`hVwUZOo_xtP}U%~51N(LWz6kQ=mF^Ub3J4uig}5j
z>1e4GXWZ+dwr8f1PPOxP#IGj12YD)G2rAPRi0{jhDrE|P%Z-=pZxxkK%e9iLuXAKd
zAO|(j)0hyj=NS}=4d0gr)CvG!mlnTmash+qg&qKUsH(=3%?=n8B1I5CZ4D<xiXeX4
zR!t~3d|iq3y>5p*CNBB66cQtg=iE_$7a<c43V%zG9=59@!iV=tTo_vA(8@l^H>Ju%
zXpu^f8*w|A*ID2xQQK}Pa(yo`3c=DbLmXCQIeTZcyfTzoHHy4~b=0k*OQkB{R8Eq#
zXZkR+{K(dkGtr`*@Tud?zOC88cTW3fE8@yKAxc@BpI?C!&!K_K>3LS|nVfo?cys1d
zp<a;9W+@F4GZMOy02@KHgBhIf5<$fL{tV8MyoWKz6QMJ;QH|rX0DfJwkp2aavp|$X
zaR&awW|uUr@ANKW7dn6Dm4c`)K)_hvPfNx3iY1}fg9I+O{+v#|T}q4?D1yMMJeh3w
zH|jKiW>s$d^av?)=i^S+14IN;fJd$Eq?!@(?yD(!47DEYvu6)YcvW@^3NKrv!TBl`
zF$nwWTBqyYpRfec2RnqiF~T$g?W(P(Bi14^Sa&L^aG%#8(%0`pQ4SrbqVNcLHKn6g
zNdwZPNfbDK1?pnF5PqhLR1>;rb9E9W!-{@O(8!w%&PZPQFIb`y2S<g*v_gsxh09a|
zjQ4@S1F(j_Vbi0KjQ3&Ep2LkJwCw5Fb|6F3oH2zaBe3Hczov){uh4QUuD)dpgH<_!
zu2Vt>k<fJcNE8L01Exw+^3)W{?NU08mHjLTxQF&CA>heP;9?NH+&J7`5x2N>jVvZL
zlJz#Mw^;5LVxTnS3SGPx0NJ#5i^Pa59yZR+&EpRxf>b$rZRc0eu4q+wkZ`)Y#`FJ5
zyQnaO4D=OlPZ2r-ZkLlKogAayzU^<2o`n<2b9nkVu|9#pKk>|wRaN|Y=|KK{#P6PX
zc3?ea<{fEOe~@*pDGgiIlWP{Q>Y)VevqSs`uB{o^%wROzR|vKX6Zo`*Zeo~7#&5YV
z`Bhg8oyyYO`Cq8gPhr)xg@WwFn*GE?>`?&#Mb0Bad0Sc(paBn^L&dzhh?6m^2;k&u
zxao5RYiY!RhW;L-VNqXZ^7j!>eyeqjE6zb(FVI@0o)U5c2|;wEfoUk>L<Nu8IwkrE
z5@9B-1=*1<rbl50qdm9nsAWLOLmf-p>-bvG^>zl?E}A_%ql`M2!cLkVIga19A=s`U
zvcjt-b`u1_`GBS2XdMwl437puDOflAL2*$*pR_avskrES_0b?m&$LmTbUpf@3<5Ko
zhdhin7#S)1hhlHksaaU9=)agCIIB3V84`Q-E{2#TDG!tiKzoTMD*>h93t-Qu2PD3^
ztG11ES8g<>B^0vR>f@wN7d5|3UIhH4T;XHypO~>k0Hq`o!aLciYQ%Eb8QyI{fDp;x
zGHq3DxaCf!nr1Y~Bh<?v2Yxlj{sKhW6OAiCdckpUMnQB)krmyv@K_O#*g4i%5Ls*-
zS|$jd>>RWv2*d0h^hpvWB{-ZRsBvqXwLB4Q2$Z+v4pFAPOyna8PNB)d4VL8^Yt<F6
zR_PMpWll~p>49>UnsuKh0)V-obip!ETLPIcvPVeR5gfL{a17+O{+Gg4af^C%%08$x
zL~XTqZ-i(EfKrT*eCar~1ltBMCAhnI2me#Y?Y)IY1p)vLS|)RTxLW@8*j!5Ogh}tW
zaruQp7z!!(;|<>9iJTs&A_vj5=r9pc&^ydPB8#AQAZS73Fywe>MlUet&`3nzFy(+i
zL-#P`hE1~fN2~!40oYp|hpYdaoN}+wmB>QY&Q0U$iJX4LR={YIoOWuxPzVMH>j_P9
zFStp0eG{OwR#qVUqJ<XQ31Mps_K9>DMN)6g@rIxhZ{b0M7^+*jWI~aX4_CMVm5Wsa
zS!F?VV=XO~vvQ#Qt}1zMHTti_aWgi6S#C#qsggMMHlMj}75AvDaklC0mgOR5vb~UF
zTwAo*YLvFbvfO9cw7QoR=+V~}AhMdaP8!zG-q0fLFHMIieIFumEOKp;w!~?Um|)lC
zvo&)|0YC{~_c&PAgRUTl9@4=7g+@o7$mFULWfnaIF>|!B>e3A`CHx=L+oBCJjJbNz
zTV;h4P+4v05^%)Xk4P*JoL;^sZyR|4P=&q!1_u}@LTq+u)7!Vfp5`liagZ|efdc^Y
z?L4}B%XUF;6yD?-jUG?Iv;)k5sl&<qbD=-ZPaLs&54PC*cdG;Xc#HAsFK2OMFXR;k
zh*X?Oki=oN1v+BNB@6-9Swk-ZY{D0&QIQUy>{t7n9=wpm<Qz0mHkzPJ1F`_vV-xhJ
z3FIfDk*fO&l?@KKwi?+*j)gTA8HY!6pUJafARgT4u`n%YqMcZ_&lq0KyJ2`(Ce4NU
zF+m;ZYU}aqRgAruGho%%;2l=ggiR-ar-Yun*XFy?ZE4Gqt5|bF-(ObH3?gdqE9!Z!
zUyePK6qv2FLM$1T@tf8iT~wW`&H&{YU-N?bzwA_YG*#2wM24pUB%6m~#irCFMsf#&
zXsd=^z0ZvD10VEBpuVoAKd~V~iknS;0tpI(g+Br!wFe{q1S0AVrTK{oh^e))NN|go
zWjfLwRu8;$6A<Lg(i~*->7r;$>FSH8r~pWV!khUl3^FMWjQ9v9QXL6PmzJQeGl?J)
z!u-&*Q=8C`9u)M4J-e6z1VeJBKtQ>Fh%3uLX+#AawOL!Gbm)a_0@4|I_o<7-4gZ&t
z^#Uxs`7$N{WlmTSwWKloEI-?2H44h}(OGLqy`Tf3dNsW31o5>#xOA0%$8snCO$vm!
zgOh~=`Gg$Brr6;riq#S)4?oK>X-ZJR#Q0kmkQL9h=vrd}SZkBSYwZA>+E&oIt92$+
z-Z7jPFUAkq7y}a73^|}(_G$WWl&)n5V;89<BR%vOhzL>Bq+?V7ghY*~-qJCOKTdQV
z3ZAyp;FIAF7dx}yI7>Td8zm#^Fser8sE?o_p1NCHry_|P%<|BRf~0=S;1f!8)&@Q5
zK;Ttda?fa*xwpV&f&m1`(jT}%u*An>06w0k9>EWKLyVxZLbYh@JZTOscn04wX&ag4
z6MWrSfNNrVLK~d_-(5=+dX`5voC0Eb3Qt$CvF!eSvwH|&*MrmF?T49^CFhY~QbPfC
zI3`USXuTp`ecjbAr!Sm4KUxBB_AN&`5LdzwanKqlGy!gXEbEF{!@Ym8L}}|ro=(9?
z#W^^+(FZM$=R+0mIv5I=yrnLgDTMh*LlOX8Cz0D$)C1Ur_33ZucMdc$7t_?kz#_Rw
za>kJ0i3Kp|6gHFq5wh8^7$HQwJH$eO>S_kTZW9pfb#}V|)dSuJNV&BG{Qw_s2uu`t
zcu0Zik|u!@q)7z`g%yoA9Tkt|E;3+CqURJ~a5<{+O4^E);sIi*gNL*h*al0!YJWr3
zkxBIOtuFz9PqRz0=wzuSg)onkl>;95{IrOL7C>^XJLw5EK`Fy+FN(#|$xKpT{RO^p
z*bW_rx&w&1rUt-ZM`MUk+8EvuOe5gj7(?dmh*5ZKKn4?TP60(|4heP)Gsm|(1{<>$
z%6#%a7RrAJAhghfT7nyxH|(uHk9mbS23sk-tpd|Xx1gIv&Z+ydKSB0NMG4p$#y*5<
z{m~-dS{q86f*$k-821DM^alg>ghgl$KCD^vp|-IYcJ|SOmN4k1-ItaD4If$#phCGA
za+N3qB%=;?X$W=39GKD&r;Iq$8R0la91iXfP&{GOfYssgeVW_EVa71BZ9%+C%y$RA
z)87SB{g<bxWz-$UBnEQ;5E)bn>Fa?ix_Syl6{?<)1T)a~H5X-(K;0p%1u8RJxGy)G
zq2!y#P^nK<6uXvoI{&7DX+!0Ee3x;U02&qmttz{p9-A>fv11o;!#2H;TS%6GgDv=z
z7Xcqr1@MQwVa0fZfTOVph&qTAs2E5F$_g-Bez(^`kq9vY*0q<SOf<Y*NSA^DID>$3
zb^Q>c31bfMLe)i2HNu&4vgAlQ1TCZ+Q6T6Lw*OfOg2Ej^WTacmL(~k33?HzKt+0m`
zY>XZdhZUjfo*CE99^gmUr0FZEu$S<4QCBGjsDZXV1AAMaIBJLkl=Bem3D*cXj?SrE
zEOfS=<%ueFA?$nG=dy^79SMAtNMC(`)DYYvy3h$Fx&At5ils;&TN3+Sw0oH&;q%!q
z@nAg#L?Pddo*~IcB)%TIWi=7(k&N!pzQpsUfQBGx==U5>@j2>XgWVK;tnr6W^+a&*
zDva;sx$TFPHCNm@L1|IJVW8P|V5x&*$<bWdm*WjnFbxR>f1%N@0&y~qqB(yJDjGU6
zLBs>9fEqcN8pl`ffLgRGvaRostH?~j;laIp**~0G7+?YT?KJLH)S);_peLe_qR=|d
zf1<HwB9B=>T4SQJiUNCbuSlg=;+jPV*F;i~#1#msv{8?^6A(UE?;q{1bpwuxM>>FN
zC#S3)u?2@}-LW%hg&QDQ%8!L|5@7hcayiK~gybXMkb5{>9RV7NP@oSh3GKtoDvKV+
zF`%4c6|G(!u`hr3tRHMbY~Tj~uTUpAEE&`7np_T!+T(;H-bdE}tIo<2bP|=vC)dCu
z!0-#`8{Tzb738=9CpFAJ#=*CUWC%kx3-bsOl{gT}fl9cbN}!|^gb0H|ppLiliqCN9
zYuHabP~;$$kYGJ={{(iaK?9yYNEgy;>w(czRcVox6SO-yP~QL;@2CbwzfcUA2G^n7
ztB{zcG=2a@K)S!7YmDJs+M&{f_t2DYuSl7-p4eFwY`aW@K&U690N_XZK29_SpR@$-
zM=A=b^f&J_S-yx1GyT9X=(V?#4qgGF$m0-MC<%fzB9bXqpq61w+^xAdJ2*<HwU@)E
z3KLxDwyzgVpn!-p!Olv(B@NkZqC!QL@KC9x^vHUov>CiZBXa1sV=wN$ymv<kq)^}#
z2mm#RrP?{o1|S!OqWY`_K4F1FhQv^^MCX9-Wnd||5$`~WC6A!fW4R~3YF3a?^*H8Y
zs(l_G*@jEF3+-LdtRk3hm$E8=TFvy5mYt0Z7^?slcn*|%MlQ|HHy`HQ51<5i%c^&Z
znIN$*exoXsv}ygAk9wS-1o0m2F}7t-^<?H<tCu^&pTGs*U4N0wv$z}8S=BBE!ef#>
z23Q@Ok@Sf(i1pT!Nbzeb=Tm(k!Zrg!RGVt<=sHo?(Qs8rlz?Cdnl_<IJyo|EaAD@q
zeK7?#mW=y6n)>@my$B1XxEi-(EIMt}UE<ADu%}W6nge-_b%XI-9Ecq{Rfi$RKhMHQ
z2^fHUJciFl<1>fs0q_oY@FWg2okgHmIY#QD*%ksc+aRAnpvH$UUFNz7;|_!tg0>~?
z?@(*?W&&_{JeBZDnYC>JKuB@fV%K681nw8{OsLq_E)M&sGjcWX@vjM^?ix+@vyTl-
z0d9$dpZy(b`Z(~002Yr{IFcW8r6dB$#jogOa|S@*X9(0nboDPAiUX6WvDgLXI*e8>
zm4Q-XIuYQ-BBPt@|6Lda4XuP_1>R4>@K6uaPZVp!>mlWK!K#v&nFfNes}&D{XPVA8
z>&Bw>843D4QG0>o$>88RpL_?1J8>j&Q{B6=_e#1n`i@79hvKZ1RwKxDoBn5V^p?R1
zM`=r%!|4L%{!krD6JWH-nC@!$AKx*itaw&3-JP_n18tmgyHl;8T!{uc3yT2?B*h;K
zQHZtDqm6r9<Btb%l&ks)>yL)^E%^GS+(dEwVqw><J3rzfWEMMxuuEPGun5&kK1fr^
zpEA&=0b9vu7Z_W~<4nRqzy#s9)@*^>nkK&()G(FIT?CF}jt66R2E&hcgi&=Cd+T?j
z(NvVEbe&?Mz<&1t4O@K2$Y%mhQ}1x5%c7x%2RoaaVs<~xHWX+bfaAi#Hvn+3n%;QT
zMc6<SFQE7ubEsSbKBp;(!GhG_5ub=KoNnB24gQZKZLo9C|0xwiUVt~~K5!6~!03xa
za%|q*Y{5RnHekY;U<nLWY9pWFh7;0I)^d789}i`lRx%3r$b+*Ez9Jlo*rq-D3a-V#
ztuvs*b0H;VP$_y{L<KEb%9r_QFWQ?JDec`5PavT_&>SVHXqOz<hU!{;K*<)(_@HAt
zK-n{p4R5)Swp1S2LN6Ji8<Nva1X)cz&yP|a9(+dZ!oa!<Ht&E5h?K_Q((_OV#0mOc
z&?Ha_LRb)gntKP{(}}RKZ2(9tb_q)hdG0U!3%(2Gh7JZ2t)91SX`m=mSSy*a%3NgR
zN34sFv1h!coo!~5M7~6>1josXDZ+3Ve+m-nzb(#3>^n4g5Kd3Ik>YkOSp|MTSRj{E
zjLao+#SpME!NYAiXuw-cn+$a*068rNgEq${uJJY+eE`QpiIBmmyM3USoFoaaFvrk@
zq-x25D?#Z5iqj-;7p&IFG6=^B3D-?t3zg9~jly<eE?zJR883XpJWiBk(n(?ybes&P
zByxpLZeZ?Gk-Y7UAD1|4G>oOMv;^TJEZyv&P*Q2=$o$TC<ZwrDx-V?&Z(_2SiB#ow
zK*B(73_&>Tq~MRQ;&ZMk0nL5t7TiqZ1Sl+L&{u*wNAqAn@ne3g=vm^ij1xzxn@m92
zU&gp){vMA%x-uI{3+UZSKnKQ^#MgSD-?z8~z%g?Fhz|LR62bz>cr4rV5Mde#hz@k-
z>ZPT4O>o)O@{RwINsj?}vU1EE))O6oej?Nb*);NPKexYr{0CzPoStao&7_{iBIUy!
z{av`re(*ByumID&VuF&d$<j#v(w)9|m`@WXA<d7hIMwt6+&1{(3unhEG=@Fc!h(_m
z7pXW%&iKda2oC`e2KD}WdV^B~rVRy9iR``+-+$%N?idsDknx;a;^L$O$lZU>pPihV
zjjfal{_%(gegj;PNZMWQEzZquAr{iWT^$2TJL$Jmn%foAV_j_M;6OG$MP9ECkLMu3
zK%BQHTDZ7itR7d3u$nzG00tUwHzzS+gh2FpV74X=!EYR-SUUl!fcP2SM2LDEZQ?VC
zAe(2+LCf!MLgN1*%zly-5sc{dtVuTh8AszmAjHxen){h_NTgPZ?Mys2F3Ip#AH$OU
zxN#ds$@_ScL*awr0hBndJPg%@zfC)?0hx_E4~i&4tR>rrQj+O|dvWgeTa7#^#QT%>
zxn$g`0_ch$mvNwpZ6HseJwai74iL>q0C*7vC@$hNwnR@LnV;LWk%hn{wd1ZC1e8Kv
zzZyXfa54^PK(-Ro&`gx~K3)ShLFb^EHCh{bRvxjOq+c_E%+^2MNFf{86_y+&_^FPV
zhyjM|f%frvlc}}FO+jEi76vr!4+w1HcN+H*^8yLAwVw60KyKIu(pqVxEpcI$vq~af
zKsksSy?$Ge*l6~t!2n%n%8{ln(y_Mm7f~<_(Ox}_C@(`(V*42ig{s5VL32}MAgkE8
zQvg5|H171|^InG64@e96-aUr^2;ThlmRM3dft7($VTv-%OAy9oKoz7cJtMZK!|ncY
z`w1>Uw~gB#j>Ul<0c8V3q~n^8(lOXT0{$E71U4~^0A6@33TECWyMP~}W~xC`nX!ZW
zr{DOTkwXkZKLQSB9#2SEwSo%4x>*thYlP7kA_U;+SV7Oe{#TF20lZ4_8j&^=Un`mA
zc`(u0!ziMKm8jHVXBpYwy}5qi537NxE1@uEUw%(%e2$d490_~7gqI^(Ra9CD$m0h|
zwjxWMNhkqwW;L;82`s!u4rrVND6HwlHy*;Y2prcf5<=!r0lv}ha)hfS9!WYWC^Gs+
z;~DKHguWD7cto)POwNpyz*H<53yr+{v;%DBF3l=1il|lx?G@6;irf;0#>gPBwMt_Q
zqlgDnN=05NR^Uwr9`Bj|BolfT3;DrYB9+n%Trfb%m0E)+s)vT!4Qq)kmpf^%QzTmO
z!D`)?#tbFSM<Zw`V6bw<J!DsO8(_{~X^}ycpIl&1_3FDmbT|PB>n2dq-YV3QH_s|Z
zBxKE|Ff6LxOO#JYTE;*a1FxjPx6rawHrN3ZK-Z!Q?>Sb1F??H+i&NhSk7cbCPBSG)
zK2s%7BNAjM8rRNddc<9<WX#urON#K?YJ7Y^^^?-n$cjWe1&?-4sZBtVumcg0-@(=1
zVL?DL`6dLGG$z@U3`NCd)VQn(c2l6LcN8;WIw~6iSU94jy?Jf<yq;dZm_H>fw+jrg
zbIdBjUPtgX-`a1}%t9S!8IUv$3f`=^#8E#vz;wpQ!f41*g|btm|CJm`e!3z8Z)kA5
zE+(k4S$PY4q3q0BFoDoQ8X(7hKo(r%F$9uO=0r^2u{%^*At7jSi`a<2tDOk~h^V;`
zpl1q`Jm$NlUOSHc^-IH=1W`ia{Hzo!%?J`DF2do4-^xsE2!Hs4i8Lng3V_#F496g9
z2M_6t5U9}eWl|&YRL6>OJWi@WP9HATukWNvaE!cDide}K!pVx_@JMP2PWcU50#ybS
z{#I35gaC^ZK?#Z3<V;S_Mj%s`%kfSNfI6;N!pd^Mf^J13Q<1Q#gi!3k(abYf)@LWE
zA`KE_7cxO^N?#~XhD=H1B%G6>tVR%UNPQ8N|BoAlLW#ntupJj9O5CtHK6wyKR^snx
zbehieZEE}UTW<`PfFao#&qR#|jyfiHsM4RrFfrmM-<FVV0;yQ5?~#(8c~sULB8_~e
z!g#@N>EQ5Qf_{@YtCOJS0`BAy_UFOk%mFzyb9XF2)QLGzJ_wF{K(ilY^mx<w*l4p5
zlVekAm_+<=OV~ao67yDD_{DASQ4h6>hbF8?o`OJ8&{M#H6max{5VL`lOIVN(ua7;U
z0@@DGQ%V?#f+u3Q>#0M)L-mNbXp<V8v$s}baKb0dr8}hS?fgmn^We}?kKwumpnr-K
z1Kz_Cv!FFV|Ha0^SP3?i^L^yt9EP6O8VcTkIF*Cqh(qW+wu%r;L?<n`xb#YmL*fyr
z%p|jFB_~9P(9(7O5&|42GNx-bGk{(Uhq*G1WL3d6u6$VvmKgA<PtOo1Kp~L4C_$19
zkcG;rAI@cQq3%jduu;GtfkK3h5hP@*IH|dKd~t}d#}&=&WKF{q$|_|U$E;bpe+|7f
zXo=k)F9Zq_{7Fs_QY-f`A>Mr@8ly>&D<NM=9JKM=Li*&xyVKc@P#OVxKWWeF_N{WC
ziOX=5_MsB?krbc_NMaH|+*VBo%y~_Ygw?ZqBZ*MWh_kSoQyWZz_+E15X8ABesUh(y
zg1~T<t3{A|)Pd0X!=XI0p7op!S>dX})s<0sH9#RKBp;pvPe|7LGDI~=BVqCKimu@d
zBS^#w0ng%B4GV|@yED`zqH?01juJNbN1U_+<zh?LGgYJvA=|1M;}LOR{6ml(Q<G?&
zw+qMd<ZzLMF}X}SQ=JA!0E`2shsPG7b5JJm%={)4=O5mD8gkDvnh!QdK51p%OGh_>
zd9A+-62<J42ARqcG|o{%;54cn1ksmANv&y67e2&-p9z4KICFKpTXMms)Rgjq4=-j-
zx$<$tJfZ}l&6AC6jGEdWTG~L9Wa1=~tx4q!qzU^c5nP;Vk1bL{dt~DRv9^d(4Awq1
zO2MIR7;+~dAh3)$MH!#YxeucbY<yzKC=t5uGD*RYs^p|6FrHIM2m~hPjRKsgs<l@j
zebauSszNW+U?hS(PD&_&%edKu2(kT=DOnOB`A690)h)6x-o=1rx{=|1NeDtH#gm2-
zQL+fyl@cSdkY|WI6-ob2+?<a-Xv@XL(Crl$OzbcNz9N!1Q4#S7VhC`?93{jN@{Buc
z07O<W;H7Yh>|xT?!W^-OEh_{|qYgvH9ke_Uh|Y~ns~21hLBdMTIl&Y`M~jMzE;-}N
zipp}OUA5APDfqa|lz~y75Oj4!&RPPvN1{g+<~;~e;?2(}2a2k3DuD?ILygqJ9pMgw
zr-a6xh@iJ7>E8n_!J+{AJL<eCvdL906a=j%@Mu%1;V~_WhO35ZAcLeS*C_CyJ5y67
zCjG8K^#le%Ln9cR{C-R+1~D_V#WVe)raZC2$PWb>QQJI(I$D5377*zA0SeediIajQ
z(1#*t1V-Tw2~7xaLL4G&!bZ{sy!(G3l<*;7dD%fJXM~r%DQPbgqhy&CDQ*=MmQpx*
zR9=*{hmQCAwuKUT+@Dej^b(50?Sd*F{1LfJa7GZ;q)%2VK%|VdK|7SU3V=+4x`#xh
zb`dwO;o0Ui&MCNkP}Qi6rE9P#I;{|ti^*_GU}ey76Tqg80%0IZ_}(9g#<&B@B)344
zz0?AbOgmHIC><j&2nn_tE+*MH-L1_BrlJ9Cjqm`w{(KG&d{ND7S@YJ0afvA)EDkos
z&r3rooTYjPzwrE`K?nj+R?woBAVZy{h*yFFRaGlqBa~?}(y+q8SjZRWFo`RDE8v(k
zxlg#8A3b)^NUnlWUdz(@OpDz|bq7@oq=jr!q51v;*!IvUo>;ELMODFSH>-g9rEl}C
z4u8rLb5;?KP$2-p;1Ia7Bk0mMYaTqJ4|aG`Q5y9|q+|c#^MNH5*w$3R1r;qyN8nY^
zl(jm%;t1Sb#epTqF)kd%Vsea)@|by&m3l!ga1&2~nbP%)f5=`@Uieft>ER#Iz{;L6
z0dU}|o<c=~1R<IA0xt%$qe35d+D%ray}5Xt2V{{N885c3hM|no)hsKTq7ep;48YBJ
zDFSeBiLB2MClKjlO&Tp>Y7ro->F0=*St>#3d1RfY&PqH<)HOpIsV{~~77(Fn6OGLp
z>PnNJJ<Pp|rc`BDs1{ARH@=EbNBL?;R&wCWVvrszD*=&2CUxN?%D>k${UW>UIIj?<
z0MP<ox0z52hTic{!zR*<c?tTt5NPkE7Y;C0fK<>Kf4tSmO}Rk5C{QdCL4v6(CrJ~;
zMnQ<EC^{Q5Btrpg1Wkp=7Yttu3Q~dz9SCG@&I%+hDiq?4V-@3YU?d1+Fx0~k_^47B
z35MJ)&xDomJp)nJ;OXs$N5$?1{EASpLsV$+dxXU>G7}PEDUku98zR^7AklH1p$z0y
z@-X+7*n!jtDOjpaAQ<9iXDJ(;7%wP24#t&)kfCvqj5y$hAeFI-HTES-99Gj&IYW!W
zK$Z{7pMH~ulFHGd&%(3Nr^8+R5rRQ%?kZ8L)H$#+W9GFWDuodf1@<LYu1A*(rc;<H
z^6*1`S;{8JscohGaI{?kai@j(2GdZT83hH9D%=cd9>~O`+cB2;4Jrdoqd-8~>AD9}
zE|P6vF7PHOdeRql5y}%z{%0}iHXxxTIj(|vOaBtcjHATz1!0)c-$67tn}Hby1cK<g
z$9S07H%_oz#SF?I5S@50^`JB1cp|HCgm+a>vBVQ9Ad=tepd<=0vJ|_M2rQ%u7PC!a
zGWT?U?awsSV1B2tS-+y<p_)|`)pR4V7jBsK5?$xF+b0C|KtI<>1^Ez8qL5)Qj)+Lb
zu|QrmdrvPL5iZ7SS9mk5PwYxFfikOyKaj5cIU8EYi5VvUiC{ce)`-XeU`WGV&_IIJ
z!9WBF@{0;Uz<98huiO8z1{S0a<GG9w`Rv6U`+Q&?%?xrN3MeT$kbpE47~y<~2za7s
z(IzI-s@wpfWxzn#fNmR1sqx?@Qc^2eC&a)uW;sHOhC`s>GKqN+5)M+SOz7<zB`T#R
zo&Fs~#;GMv%DA$&l^9(;0T(H1XJatHbpDz46Yq-Zmzf}2qs%@&M>U30V?hE+O70|a
zZUp8eGqkeoN#<f8yhN>nn*vvy<ijo|Wz0I#Nl?Wl2F;sN@iQQ_#9TmCcIRnA)Th#7
zG1WJbw`#?8_@udp9<WqBIZWk=BGN=wxdP%5T%xOW@)}^n!MzVubs%JC0&)67L9m27
z=OdAHs!FmUxRbMWRIq9c82G>>YvCY*8l4J^C?B3OPZS91nv$6{%2H4Fi&#Jvglss@
z7%XonjIuF@Zig8!6x=N}+(u}D9;l>&P9q5j1E`7&LZuLh0ft~Qf?}8m(r8<X2F6G`
zfI!HB0R(tNf?l|g&QQ*y?SV|fWQXeItYRlo#qW(&O^iurib}7<(Z*`XUmY2k!lUst
zCQiaM)zWna)PSQ^$;s8zufWqZ(?&stYLpE)x8F^Ml%VT9elJ`!j9?QM8%GIfEc3v_
zJ47YGj)2ynDuIkr=Y*moajWvlV1$FLKv%P*&yDr)BV^nspD#7$FW(_9RqJ9SC3+Me
z@`wtL?7{K;Di9OwfQMx-URm0e3YZolu=N477G?)8!w&+3!)dXhwOvHDVk8HnE5<`Y
zSSDweg@bs+#RNgpT78jAV&g|$0?E*iUIw2TVI2I?Dgz5C1Y0igquh8V24OX&MPsE1
zyTc$YEL<E=wcdd6^Nl^3cs;D!t}ERgpYD$wQ~P%@jZA3WOmgit_^mI5mvkW!Xmk=)
z*hhD}J5Bqb2-*&c@UY!n5n<hXfO;VosAxDH+1Hv=1%kj&6URACGP>*iSHnWFZ7>Mu
z+N1|UM6xxe)<HWBKM@<lD`7LfyeJr#r>bV9nCKDG?Fzy+9LaiEzbpn;*7DD#0x>?G
zCvNwKB$yMas=Eo5Jj=$lvePPX(G~~hSTY2PODufdhCOVRXSd=$&=ib-C(HrU*-?%&
zRvf5B1=V=0Lg@qCg@y;^Z6FH2kt?s^qMy%6io06Sl^b!$kSA<Md0YmTrT1;Jl%f<v
z7f#}|l-8pV5C+#7l-5@Yu6t=VSb48UvdU%B;$SBqN5gLhA>M|_LlM|69H@t5vSGsE
zVAzw4l?cQ}hTgo*>_FUk0HAQ$ebwM&{M<01Uv5kkgZWGuxHJPDdEhHqv?<f>FxkOP
za#Zuw>YA?s3P*H9b+lK&Mlir^$)j|Qa?k+4fyIgF)&h<|&#>e(!kr>pB=TR`xo|{?
zou#hBOWrzr9pUX&37V^=VwLqqh+4fusH^z^2CUy3xmJozft@Wn)<U!{&Hz@P6#+Q_
zzi?9*R5=ugMF>5u>$PRnwEq-~F+GJ&cImSnf`Vsh<Q_oKxY@0777Awzy>f{Vzy-+^
z4R#Y1IE&$65IcaF@jw~?u;DIB189s@v<Wo>xWu6HzPav?2z^9tF&-T_&nlBaW-Fu^
zWw!E^HFN<Nfx`m$ltB>ONE||Qnw5YVM}Z?bjtDaaTq|_ED=y@QSZ<T!%;QCtnHnpV
z&n#?+yv3o&;@^qOyt<edtSiufNDK}U1kn&}nvIokN-bDD{RukQ8jkQod|q{!bz!$A
z^~(MfpNEG?0EOUq0#AbMLk&d+hDxa_O{DW|%j!*}`Y~gKN4)nK7uhdfHKfJp3|`P~
z)=n421|S0lQ3neG5xN*wHINFK30uJj*P=bp8G(brT1Grf@&@(uyCcopky)0Z@JsUi
zqZkaKJR@2Wl3KXLF@TmD%(EGn_YiP3uAZv~YH}2jR8S1m2MP5d4vHEo)U4O)M{(U#
zOQVK-ex5hHatrR$RBH?#sKKKsk+UNjHXb4Ly)UlmX;!BzAsc7H3h#8VnC?iDy^Jju
z0X)2yOH9dvvHTM9;6WI{sch!vaP3KyOA`EFj_#C(o3ZeqRsx*6gl-z8Pu=9u{3pK^
z*kA_W$V!_&DsjVJyiqtYwTpfI#Ac1&Wtwd8`x$wjC1;263IwUi{AO)Pxdi(m88bNM
zFoZNqyi6?WueAaZrUX0#5b-?HA-*WX-_b!yIuQC~*7{n8Bs;t%3df@=sd<w<*WL({
z+`}G)Ut|trYId(|Bt(eTpQ97`3&ZBxt@R>%PyCHOHY{3V&|P|ZGYJ?njEH6BqLURi
z+N+2*V;Im$dJfHv4S*o+y#xIdiFwaLCH7FVg<vUw7tRcF*2pusPMG5zv6%U7S5?re
z(kw1neG1bs%zzMGRExqI)mk>#hmTr?&(@OCr>Jz9wB#&q!P1LG{ll3-UOFKOWA_22
zDO&~j;hYV-?27GZ|8^&nOzW|D$MDS%vqnl<wJsJ&#6fbnGm4$cc9Rr>cagfOiOh!7
zfGxOJ!xK3?vdm=>-iOo#W6Tdakup6T8JEkiwRA6BEeI5IzyBxM-2-ckqS0y^4iqjp
z6yVNvMV+Ug(%N}IsMjbWiSxN;?a_b=$Qv<H@f3YSj1@%7Ps%zI8%Yahe7k-vtTQV>
zj>g2LK!UGUh78yg5)5Q^=C9kM0F?S6dn)7z3TzShjusVZ|My>*k)%!QAL>xr%R&~=
zMl{irOus4t@FJvSwm#p+h2)6z!4HBVCsrWXIxXpRAjlD@ZD9`5g|_PPz)^3~ZoRYm
zSV-7j%ZWW|0`?xJS<qAw4|dm;buw>cWVw@#wlgSznmOKYR|s8zV4Gz>DR>)4y5B*R
zCOt3X$4mX11usa70~M1T|5HbJnu~HlRWKuDXUuF!ZW`b2StcrGA2@bNgBYMvnkJ%?
z>5YB4AG_?niy*Bh5mX`xd2)3#HLJ!8T;t=H2!h%E1=3|$0(NkZ%xg(P;{hto2ZE-j
zxw%R%g-Oq|NsOV+$rHL0waW<;kvkQf_2xp($vkN$17wi-2nQ1TFI$oEpRcm^S05AE
zcbB4sd{^s9GwlrmP*G~@m9L>|maIA<YnHW!f?=1ibdx}>YGwVuBjT^+dXQt{tL1!1
z56Biopy8hv!z&&X><a^Q%G8cSDnHATA+1Ve30yBg46=0q!gfZaL|8F|LK;+r5AgPn
ziT?raEl0%jfcAbz#N&YTU7P|*l;ePs`jG?;Pe^cTdPnbp6o8{<1y2E7PvvZym?hD(
zj+L@%Yjt3~NGz$7O+kAG47`R!LN5KWnx~UfE<}7^3S^Q@uh{shR7oV6Rx$BjC}h@9
zl<<y1u|YHcBS1_7Up#v+0?B2nW#XjcRJ<C>)8a+8NWi@1>wpnvq{qfhqOKJ*R@owY
zxZbnjg8G>Q_CuWbkJeKle#FSt7ZzY;AlpxtGCnsNV7kQ4cio<eti6Eql8}H$6H>h9
zJhlU9+&~>+HDM~o++!HHz8Gt8&5MYT!drvtE-F)U4nT5de;_4Q!yys+o@Ij!;XNBA
z(biZvE$G<}13G2vIzrbO44uP?$=g$%A(h5hpJ13yl`H*KN4lAnv#wh41HT1Saj98T
zodA5q4}WV2D=}dWVh5&bh<>4Eo^S%+$}yx?(b5>W%#Y3$EKn4ds$})6L$nNt5(H6k
zJ@O(RXAHPtO^F;1aw63-8x=%TkwucDDUJbs?PX%m3N93xaNrlfj6`>cj);4}FQP=t
zfMH37jKO{Ed|dKTDI@k=GX$U#MLLo-OfO$8d2(6D2tS{@Z^#lOhctm5<h-&3fiUKg
z5%TbdIDn3k>Wxm)VZ$UuS7!oT&hl8?K=Od`NvCNu=J-6NI1+|+lF4xbkF$X;XIU(Z
z^Qiw*m4Yfp7KKi<zGnbr_;x|TXEfW~_;7c;>lHwQb%)aLIvIAIv-F*xQwR?}97uDW
zJyR(aOe_3oX#_<d4$Gnt!hAS3dDBR%x}0gmCUK`6@DL*pvR%+A5Fj694RW1gpb<&%
z?uQA`qde`8EbQd-K4d~+7t6-6Pg5Z<eUk2RNQA-WK-M|dDWMde4$NMi{$8D}UY(gu
zDG$Ir$VOhBJsXga{lm<Gm$;eN$&n!{(<sm&#gKmM%=ZW#>FJ!ebD^PB3?n}ZF<jjY
zIg1EstLWQXe$5(j(nk0?2oNSns%DSHH84w&DZdxi4FU1s2U*BV*b}ZroqAV_?CKlw
zFcV(LAgiqT*W*%6a)*!(vxTasGBc*OyMY?7#=e@VU@9FczYbx`zu}TvTr-cNw#jO3
z$=lQqs@ot==F1GQgGGmJxwFT&vrV_NC2os?3fz<aOO-N5A27QB>4R*RXA&wZ^2JN?
z7y!oEp6v~?SsmKF1#@hH8(S<A!VH!jvewQn&dmnK%yv*fQLy2z#>v)ENtVKHh)PgJ
z0kG-$ArThCuuMY&BVo%*`y(8Xiblhqhc$Y4$M1^9*_?I3wo3);;5O>?wjJwVWqv?G
zio>y2*}&J?o7UNl$SDrEG{`ko*)_;14!AVQ?A0B@)znwY$U1ESZHE}dT!7gYZ#$43
zfvi>?qgv3I&=}6%8pL38wSHIQhz-HG?Jm}}W$LHQ!l%q)ID^E24i>6>nPbwLCH{{~
zw$u`6a6QaHw8UKj*2h3-G|>}RQvq~aM%%4~ye%e#rO2k+J)k;H@~6RGjv{KBmjL{0
z0@~?tWmI@EDB?P!Ea57T1hW{(Rt8a_DM%gnnB7UkXak0_w{Kk%YKcPMhUf^ZmBy-$
zmmO$KP&*y0FvW21DgP_6ga&}zbk8eVvdKT@M?dBL7(t>WhX)hBNs(zv8TN}xgi-i#
z7r4IXQ4`K(a<iTjz)08&jYD~~{2(F<UIb`yp<{fhp*$z{N_{Jik!cwksHW;L+^Ga@
z02UTDe~X;Qz7!ZAMaLxF1*RVe%jtQ9tUH1wu$5CM2!v!2eLN?GC`4=n9HDm$LMF`r
z$`ZAdw0!9qwc8w(gNj*m`TzbcRr?$KQMqrGj291^)awtoSP&r)_wLW30O(7>0Stg?
z3oWW7nT_oNR=mfs;N;9$F8mPIAxTn`8K>OaD`Vr_sS(RSd%8vbeJ-JK4uK$Dh!t_W
z^vD`7T~y=Y;OsDmCCLNJU8}JGO4w=5uECya2Q5XpjPZ1$JFCjLox(;T5e6cvcmnuP
zYB3mq#A3=a4hR;6umk1OV&?e$7c=Hwk(PhLWWN-$v%On>`=s?2v-5PI$;xGHX_1bf
zo<sRhlPXp~Z~!P;_7575ISKVtXVErb3ifJ<M9XBy;VBZLGuR2@wL}iXY2@o!@1{K%
z0aH((cp}hIsJ@<l$_Z>Tre8fIy*`c3xlY6efsodD8s*OyG2&#E5aLU!@B8y~=|gjj
z4Y57Mutg?8&}i9c92=Z|dSW08q31+}p}Ff)#)b9MvG+;@Z3GD8d|l0%3{0UB(AZL4
znFU%{mqKU>F~aS(w9JjNUAnf~^e7^Qw#XTg^h>KYn(}5u9(`6S_RIE~Kwb$UnF|^J
zcxnbPZp{k9tL%t`uxS#n7J@FbB4;$`fw{7gE^}zo!lGry%f%*|pic8oC&gOKVeaRw
z!V9tk{bl>WEdhWBr(^P2<=dpFx<D9`nP<Ml^m5jJz&LE#Iq-5F{|f{2fnq*klLMT?
z(;SOAFdt$i8P(-7JwHr0;6XhvfmcAupm0bb+sEfb>@az^814*4gEhtSSBcuT=Z)5D
z2NMRFP%PcjO3th~DY)2d5<K2Vh{>}jP$(4IsH<?_hVK^Xm3FNbOA$>YurTqdE;U${
zpLoOt%Ck_KY()izFO^jd-8EXnw3@QL*{rDPlIf1Mzk64~2?%IZ2bjxtxn1Ejftlza
zBG5~1g}mRW3qYN5M2osHUL}_mYuR<#5aQu&Z1OINCOn;1Brjd&E~mcqGL;9{)F~NG
z5s9pcLYsC?%>G9(pJ9b~2EhgH18K6_6K!TNyq1CtbL9dFwD;R$+7k$>W}7pYgFR46
zHYq(Y7uhzNL!~L%^A{w9<bfhiFs}gt8JV(`la0EupKPxL6=aN+);g>naW@_<&5289
zR$pPTQXm$|xCO~CIkw5;OyYJH5;BJ)Cxg0Uv0s2N*Z{1N0SV59brke|0%|PY6~X#g
z3{%if+izGfFz~I11JT}`8dGSLWUz4AZs4+#$|XtIgh8+==`3{cR1(`kS7e}-&0u6j
z@>ifK$-paydY}_f2p%T_yG3#q#5M2`r!#%Kw)w2Up7hLcErb*ajHeq4Ef=JP<pKf$
zy?}-?t%<M}s=QZ|fP(2wdJ+l@5p%^=EHDI%WpGe|dVu1AT!C0s1-8#8BvL`GL^|Lm
zsd=9J?OqXQNHO@}G0Sjkv!;&%8^dZvid!f1v2|zz3kKB3736}JqBlTRl4@gE_IMz2
zzK1+*`IQ5JhecZVD<#$cVHDtdAzYy}9$|Igu6PT>Xzd^xdd@{v%G!O}Hxc`FMYKIW
zY&g&*6<0FP5n?zUStm8ZdQyu#C6=x-tbEvf87{G!5vjmw6!l=UCIZ{iO(|v35?V%q
z_c5U|(z1^;1fiIrh9?%10<)_Ww@};`O(_$NjSVe8MPu!8utDGun}_)L1pIboRge-}
zM-gk!2Pp!UrbrwMS%U02+^HTwfDjT<IMI3lsTi|5+=V;TF7zwmsfVWk5X-C)SXDb1
z#G^o<anJ8U{Jm{(;6=qQURtDB;s{o{z*vkjs>c(O&TG&KCzHbE7l03fqPmmSuB*Wn
z$YH)3gKjj#U~&zjU|2<qQ`|<NsHX)(o|}vlFz`8S?G1n_pANaZ2vmhOV>rL|IhE;f
z=Ae+d4f|O5P6*uGeWEUDX-qOJJ(sawLN_8nkc0_gYPfK14=bCfI9@Z@%vzJU*a-H!
zAVl;S{x;0Au;h+8vkV7*yh^OHCJ6c4mm}s`*OJ_cyGZ~VRy?8ejAnD<5o+NEIkWkY
zmI+S6*zC=zIQo`nAodoAcnn4vRsT2bZMpAlml(G8_Cyno<q!(w#+M-0Lq0>GnE>!u
z5@o6jQH`q;eRx_N7{(Z9frB)?%#UH2cA$;aaPA6Y7ck70s*CPWDRBtK8Kgp+fp>1A
zz`VBIF5;F>A2ePQgx7EN)}X+_f3WC!7j3fPEoUgig)E9yl;0Qqu4?-z!*hpFHX$=0
z#<3t*kj(K3Jt|!N0f2<}rEp15gD(x23%Ba|Ks4<Vtx#uRyxmMwPaFflw8IKH<{I_(
zZCeSl7%K{4Jo#RNxDo}K3(5px48R?7C2#6d5GcHi_)Rj&%&j}*#lD+U^?X8atC*JP
zfb=p+k-~T>l~V5AkYl7D%bgh}Fk+lJLgW0V5%wQJT?1=>1)CHfT?C-;c(VhPFf5;G
zEt-HZW#sSdNTF(;IE7iIib4SAP7z^98B6)GEaKp~G{}ZU4-;F&wKj_oO2~b-0N&X;
z(v~TQ{4$oT7N>Eg#E>RM8yNVKa?o0ILcvX_2+5Et(A@?)N;0!?0EVta#m$IDoJZDu
zgZN{$6b7tKF?0gPC##x-jtLHZt*&C@iwtR$R=w45)rL2QM0}|-=P?~A_ThZD%tl2`
z4kNW*lhz=iD}xl~bsiNN{=OAa>kc4LXJzgOd;oBC#>bq@v$$Cl_BRY{;>E-E;S)>7
zo<_wu=+`TmT%j{38M%)m-j)f`j1Iht0EGT=Vc(%7#p(e<WQPj%Q9xxvT_PfKKX+(2
zJs@mL>}H7$7Y4&hZO6UrIhH2<hG{5D14jhnXZ4Ta|Jgo6^dn}Z6AM_k3mDNRLBT;g
zR&c+uBS$aCFv*ja1)IOumq3qM;KyeYwx|lCimeM8E}w!yG4A&|%^hJ`8Gua2oN_3~
z8v-PEz!pc>z}+82-G*1kjTqQ5h_PLU5aLd>%**Ez7q(0%=iDBacq|_yAa|>=$hDz2
z-=q*s0P$^SU8Sd(50_R)#g^&xG0@^b1L{L^DaWKYE&?TQWgt_EQNj5Znnm#xD*TXG
zod!iZJjg8wX`Isrdh}twL>bqgn+I{s<3YOM!g1;gxP{YeHHDJHKO_<-!W-n0iB}B>
zu@Vd_UjY6h*iUR0zd}Va4>IN@CaCB>Y=RDO2@LNM@CPsu@s~8v-NbO@8)NL5+DD{B
z&DhOwn;w-<<PKy?A{fluMg*n5@)ohD&JGOHmG-b0pM)I8|JG$LZAQvm<1hC{Zh|q0
zW=rHb30i44>g`A6H7%)A&?2@!_`;hp74tl-QB)^RXU<XbPbM%}=an-)0RKa;?CWIB
zUQ_MQ$FR<TU!^h2f;BsgJ1M=aZf1_PR3r$?tEH*qN@vh#H2aVijyb2@J@5xK8<3y*
zILPg{i(r$&0mbghOi}^L+}izWOv4l(DZ5OmTOo@oP^^Sn8naa|WV$vO0aAzJQw4;(
zG%)y$crtMla}GTH&So;=Fqbr+cROH%qUVvYh3=XaY2iRz9)lz2RX=nwkm>hU+#8;Q
zTK?gaIx{qJJ?=1_;1)v(0n}L&0FPY|9z+Nb92B3ZI|6>^@s~L{%`!I}0q$v#Z+@5e
zxrga8v$u!5UEfo5$7n@({8?JChLrD7f@v28m8*MfGgxPxGdgsc5qJ@_+*zQTPs%L3
z&(;Bo6EGr>_zt6{qo&<Mb0&s3Qgw}>WX%f@S3L_WuLlWzAR+%OeJ&yPzfL|GK!p4N
zZNhP+4^hw=d6A1lr9W#fhHn5MOnx3CE1<xv4-f=Jp7~>a$6RfKKnpetXAXspEuf4{
zZI|zIj%*a<@UMj|cZVx>19~O1D|$2xgHl<&_LFE0>@9r`K{Nw=Go34)QqVKzUf~{H
zwK;_<*v@Wlm5V!w@zJNj2UqZHskGPY4Ac9=uofx41-LToz5o<#b=9T3rj|hi;>COm
z*iL-fRiEZ{)5_+|;_EIsB0F1TuGFz^JaPI=V;iJ*{H}|79@%*m_p{cmhjek}U|EXu
z6txF7i^GO08pH=ZGQUTPS&Fap^6XjFf}UKN)mhsw)X}rsU*D39=?#GzApLtCi=@#)
zD}t#~GP@rQU448}MLpmfi6j*am}>;6s^#QHSEx-R^xdP#|HTRW91Z8<nx3vi(LX_7
z7gZFegY$5`&@P_c2{3z@ZLnZS^MRm0cFKDRnys=3G^SYu>s7bg#TqMAAJ5{nSWpqG
zMo$U?2240u_}N1H0&@Ogo2Kg1{k`bND%3j3Hv*5Sz<jN3lK2ucK(N6CWp3GUv8gE_
zmFD#MV~K5t%t&IL6@l7Uo4mRN8G4TM0%?g`{#-o*{CR+Mm3mui;oIS04a&b6hs}&t
z^NlUH%`sI{-u;#n*6B80_T0h@g!Z~(1bM5ZnQJx~!r<KBU6KdNKs4vJ29&ZM#ktdB
zUY7qtk@obCKL9}-ieoi;=Cnu-Xh9GUN{F`V3g&Ye;r_G^5^6C)lHf*yllitDe66m)
z9R@e&`;d#fD8x((pT`sFnFgh0A_Z`9Zs;V3{3m%lYRq2)<A+Uhk{96k10%~^E3ga7
zT(+SvLna=VPpl`rk8&4c@j-5J5Jqw*+Y|;j&?Az<m@-h}XSX5pN+ljoe+UFAYr%7~
z_`QpZGq(y7D07;_gyNSnQIK?Z1C!1NA)KN=IuU|Oqw}FpRWW9@B=4o5kmj-YwU>Dq
zQoCr(YAtDKSrBn2bLf-3DwI^f4(|KV#z>*G-Gm$EYGy(A0;&JhNxJ}9u>FUQP6#Wc
z@Xztj0st)-{XiJ#SZA7JhlzM2bw$woJGfMx2BGpwof-5r4fOPzwqckNK1WMdK;qRF
z`}q1T6Q!c5;yY~ez>b{HcIQ>0deGV!uYA|JS>sj=fCMV({IMgYSBuNpQBYuwSGyHN
zh~|evFgQRMU*2D}l@f5xGz~dw#26UCpIb{zWbX2XvX*wS*`3BPNRMPKOYHsC@U|hx
zZqLCYc2#z0UjBRAI)_wDt7HDKDu5I}5MPjI*oNpbBxdM6shLGCVT~WjDJ4Ny1%j3S
zQG-;JgRceQs(8Z>E%fD&@YQ7ddWALo&dLf$$kQ)7wmWKd-Vv5t#DN^8tW^5+*%f8X
zG;k{{f7aS-*<{QLkZ2f)A~{N8sS#R3uPI%2o|3d;igd}Ik&q)v)8Sgprvb`$`X_5T
zm-yIlE2(kQ_Gtp*a7a$VNjG8n07|z<u%fo;$4tT-WMNeK*`n>MKF3YUrb?%$`PG25
z5zkg%kM?{zqN5pA*VI)5Cm=z;t9V9omUHzd+OqqzNUaNbGMmJEC#pQ$ne3-O4A@#n
zw_#<R8gQ^TAY>J%wIJ_fMsQ|C{D9;Y(3&HZsGlhC=Y4Xie5)pi<tYYo>1+ta8vh)@
zU}0`)UB@PhPX!StzeGU&M?mj(O`;|r?a}rk=#MkXTBJzpVLM#J1-0MXo%qNcv>C%h
zHesHI1jMs)6Txf}6pbPkNs=V^B`*J<(W#3t5mmS0`P*g<n<N<l{2)h$Xd|q7Z|yOj
z9AEq0E|0}XU|5*I_VgW6Ymmt`xp#MlWD4C3;*_NCPm{)cvBcIvm59v&xgOcWD*)4O
zN0SsrXZ7-lZWx=T0Neq~XwZ^)Qg1v&pRoV3@=9CfE&G|~yXmQ=VBTsO27cxW42YsN
zXiw?WLsi?FUgopUjhl-AFFYw;Z?bru8L@_&XLf_y;#vC|9;5Pi)wa9;T&MO$S%!Gq
zBN^Q#P+cty<w=QYK-Wtu<@8dxLmA*z2k$0=E}m#O5=Q`9jka<BwUtQ6S0DzZssUn0
zb|rlCdALSKNejs#Qy`gg)M|)8@4kO?un|n}PVCwMicy^C!2JB4R+JQIH6C5#OYwf;
zqutM16HWncOcYYnXy%J~8Mz>4Dwsgc4+-m>l%*#Z#rLgrWDx>eOl6(i#$6Mp+<qRo
z(P-sOEH9z~)@m~YsE%>CvT4Y&p35np3(6p}6`VAS3yBr2JlP^J&{F9dH6jNXuyQ^g
zT|iEA18Q`!;2Km(Th`}`19psDZu-GcuMS5bJrIbV5PJFcs^a4-N24r!z4zZP3h4s4
zhz0>IQ~f)v_-vnQw^K0|pP@B%-Pj5h&*I4Oet!%!j4esv_Gbt&A^|Bc(Pz<~&JBpf
zW!f>@P;j70-a&P+4vxV(i70aLdnXA4s8pbo#Q^L~M-^b;#`%K^3%f|%Ttn)>Ogw3}
z*8f{qOzw0-AUks1=rc&m5jZdEj8%QU6f3qN>~ZcDL+*Re;G#zgJ|$reSyAk9(4lIa
zcs-*w6c7m~OflO4&V-~XkG>pB6sb&$2VxNxz%5Bmo*W~TClD#j73VzAx)rCh<JjD0
z0ZExi=Lrsn4KN1m<OJ>i{UV0ct(}^#Qm6leTtr@C!<W#kZe=b#jZ5xrR%Y&+1o+0R
z1C;aS<|WW)TevjEaq;(C3#>^jmNDAoz!KxK9Tb6xjiKiN05G$&#OS<HXmlb5ql&Nv
zi=jXM$famFKUApgi8YC_y4w$^y&wfMiRD*ILq?CMO_5tjKN-k$@O+!_fvoe%{q;^q
z8*wqj=#8Kceg0~ElT2N|G`);nzv=4C$ZIhx84n7>34v81b$m(Vrg4WrJ8_R##~<c?
z;-4QcrfZj~)#aNU3J3;wf3?f)-Q4bhh~hX_h|{k_?r7;m2v&D+lLQ)ncAL|{?;@Z8
zMYhE{p0Pa_X{qLt^2uV6!`dv`Y)@JrB4XNQAAu7QGS63JZ$SHw;lBFi-Oa%Q{WdAT
zKQnSU(7@4B#wGZ~2m#oEDL)75JcI<H9xZIEE|vWmeOAU{H(tY&%3NaDijGBbm<C?J
z?3u+2NBMLq97oouiwtDk)ezIIP&$AV3%Btk{~KuHK}-@ocVULGECul~@voBjKIn<5
z&TqR4i!&D`9_1w-zU<r0EhV&8Tt%_daxLpVvTsGCMk1U<A}QE`u@=0-$ZfFRF$s+d
z7gAp-A~}ntOgXNpLjc-GrC4M~9?GqM>mKF7#cmn-hFOxQx;ch;u>b|6Z6H>zX@&t8
z`H3WdccfimIK0+-uSv8DATY%SqEbbQgu>jobXnVn#7Jj+^eLjUOpM`OBf&)p9VJ1T
zCeniu5=o%wyf+E(A&He@*4AM&Au=q<IRT7dDFMJuuz|sRQ9_S4=nvmwkzXCz5X&t7
z8o(Au?DJy~2-uG-^`R>a_SFSZmrb#fD-X__(6KVf<ckmxC?RnsfvVgkAq`T=7hZpK
z-h5~Ho&6ZD)Y5>vhjJ=D4MP?<j03e9uoe@OyFrF4Gk}ob4Y`)kQB@-xu~QhrnF97w
z&6xW4fX0ws(clA1-|7H+tLm8#fl7CUWX~y7V3Wd_*_#`7=+?XL=Xx$j-_6qP$^!?L
zEn7Do&DA3nKnwCzhUeWs#`208ixePBV#OMfjLRD_$TkYDSf-IfWr#y9G=ArWBsjfO
zO%zxu{8KWppcs^NW<E{krp2Y?Q$DZ^&*eyPK^CX?0E?MaQN&4jlr#?HV;U*^o??P~
z(Q1EcwEA*9%S{n}w1Dr_Hoi)?zccrVeu^P(xtX9gC|C5z8YK#j91@z?4{4D}sSEXP
z$%<&OquKC5@GEj6Y-@6WJQJo<Wb`CzDKu)rqr_Dy;=tt2*_6S)gc1RQ4FQdkdlU{|
zgPfG}s{qz05(|vB&7tWMMo4|eJJ_v^6IzU-!Pe`AC3u*U86|}Ekp_bHNC`5N;cYlr
z?cah+iI+TOK7S)3;Ugj9;ntI}h&~{G+C^OPXFr27qZu}rIFH`KnS=D4$vnugD-dL4
z#@md2eMK2~p;ec>KWFT1BJ<`ngCI6XCxYtF{V}bDX<f|mqj&=KsL8(iDnF(^Y9J%B
z_<eFzKgp6;^oZ&8#t6Yn(mFtcaAjxpYzD9&2!l|EtAJ<y{|(}=Y$;`FfS_IGlt_V8
zF7?}3X38^xD!a+1Rbso+J^4~gZmm51vch<1=d;Z-W4`stWkXw~F4g+Pk@}FD6e&lB
zWm4<tvYT8@5-H+t#c7mm2<KR}4y0t(=`Sl3SGM6Zj9)KSK_>`DbZhRng8`xSUyXJC
zszARfl&?q?FZVz+|D!-Uk;>9IF_MVm1Wb<%cUKKuYR3g5IiZ2^l!?8@0TwGfY*M5e
z@cWQKFAt_iz$!qw-;otRq=S>GLM@2OT(O-b8YD?KXKAv8VU#!oM`(;J1-91QLKcD$
z#)rbUnb$;Xdx$=b&ax*`E|n~T#DTJJq;i88Knv;5F6VGqsbW&K1K}jgot6Z0q3+=S
zrGXrx(L$LMR1i-^R=Jb54F}{-%osQZ$z@tO*aO@iQQlY%cIM-cHKG_zj71+NPqjY=
zn^7ueRlWFL+FaO6&@y*3Ijg`8V$WutCq}PCA{Z*4myQAIF2Amr@6Na@0u@+&GGYNH
zc)V?GI&Eo--)sPja6gz@T*@$WcPd>rk1QV`%@=K)%O}|jSQfRW488F)7PlTk_vt=g
zVqb>}Y?+{ZwQK-uT)bw>r8=3M^Y}H|No$+E05|fi?4reaq6T8YZ>$%x2>4~R0JO{l
z!xVyr+;atk4<z;vh%8XK>!>(C26uzOA~Yn;UEv>msa@2=Hl;Yx9nq9LR`@sO4F8Rs
z&ED_o7E(o0mDT6H_lLmbd-c?ZO5by4rJghNff>BihI4lqoyN_WAsh^EDIjGA{}+J}
z#h5@sWf~yKEkci|paBDh2R-aUHJPf3pjZiqcp#qZcj7}h6Mn#Jv6+D6At-UsjT2X%
zQS1da)lYUnezFV$*`Zq7NSN@az7WoP1x$2$ptJ@cKXU|51(|IiqaO>&9XJjp00FzK
z_iEg2IGOCFgoRB$=r0_Md(ae+3K=k`)8q5tS<<joV1TRp3mh?yNS}{`&6lL#&(03<
zQ}oB(K};rDzc`tAH1mt%@ydw0emWEy`fNGwGCd7;v~ODJa0fGul{D-_L_yz-9ZS;T
zcGO1~6jm-kSl>j9-fGWu>bvpUrW-TAf;8-abJ<zVd{|73=mOFw5hlhq%fIrv?bFap
zdioye#|wcT<jCPyHcocR1-Q^*;hMuzy$*0mH5@Y#!I>;elWdd-V9;O@>bwcfCnWkd
z;=tjy2NOS0Ydz<6?;nH08>xjn&_<3r?E;Dn*?+t~1TtUL+#SwB1@}}DP+3`;?Z%x@
z-A?MUFK#XkZfp?iI-q>hm8Xc34UVD+2$yk3${u8&?E>A%UbATQIu|z|q2hs{bq3DO
zpF@$KA}%)~+(0eOC6D#gP4Y76fNd=w!(ot+VgDNg#H~@HwT>*OP-lJ5&(@PLTWxZ3
zY9g1U&qC)kjdx{m9nyzDIz~>n{ZET>k9K)sFWM&v=1G1#8e_J!S7+=f^e#<<-}=BL
zdfDdrD+M{P18O7^m9P4o25ia9*VuMGI}Y{=p`z4?OlcE!^W&vWZa!GqXLGp^B0#)@
z%dQU)-nUu~l4LrS1TFu_sR`v4^~NLlZ@IDafJvdIUguj2jB>5>vq=HS%px}RQpw2o
zdau>Gg18PRZjWU!D3iiKha)io-Z~H%0jMY#(0rb064;Q54JMpEwSul7CI6$b%UgqR
zAZlc*l#jbd8JGk)BNl^Y{uhE0UK)TmcNkQMb1gaj>LDXA^=wW*e4QC250TU{SGj0(
ztO|<`LDGi1WD*p?Hr#-TMnT*e*5;Rx){yO_O&1*soRpjZZi22>rcVS^+}5r7<ZD}F
z83NpqzN7Q#a6!eTtr=g^2Cx7@Y@1B6zy!-|!_DKrHedh*Qug+o_<v&t^wzHhpt|t}
z@bJuoZ7K&eNk#D(bV?5LV|;ckreemiXp9Hp%V@QsfnzrmZch&FO)jqi>Y;dC(YzH@
zGNxnhO*4r8^e+eVw}{(4JweQ1>@MYszm!vs9Rh}%&9jNI()u(9kzcG-;EZM^h@wS)
zQ^5Z^hf3d#&@VPlPhOiNuNf+iBGG5ZJ*Qqw;-2Xt-OZSAE+JRBtz$e@Im(pFxj8w&
z>K;D0_9rI~z7gKf&ot*6<vGTLoZ}QULV1+>+DrAz)`6~XHO_Iar#Q`I40>~ow!s-7
zF7G`V?&xWffAFeXH8y%UYeoUl&o0K*`a$Lj7w%1h0A@g$ztisluEw`0l-MqGg_7_h
zOx}ZKIDeljy_yL^zYFV5C*<9-WG2**Gc-N$WqWiwF6%b*1Ntp~kDKp!5h!O7`_Wtz
z2ApHCke0Emv7WK+V?YcG!mh5ug~KHrXVVzsa8_-`z@f5R8IQ4xc%bu@_^GID^l20q
z>&HW{arBOw1Sp9eHnVf(1Olh$9&96Hw6LHs*^Q<j21HsI%yxm*qgI&Jd4p)LPkR~#
z%R$@%?LIV9Jb*w_I73q{X3pW!X$=ZP)B`l}(N4nLr(SEqRf0BDqCx1SQ`S%jC>J^U
z;-dK2OT}_Ow}D=d+ksHy>dbLyQyc?=67Hsu;e(js;>?KfW4Gowp_xzj;321KV~a>A
zPB&`IaelxG(mSPEyx|s}S;IW`x3Xi45E%wun2yw40)MJ{ODS_MW-{Ulk{hYuH6+Iq
z3fVQhA+8g3go2d?!+V2(7Xr4&2LTs&59G(wi(N6n3nqxcB~x5W{G4tgdqW_OazJj6
zNdR3(Ocpo^VVneNY4IV3;)g>@!7-R&vjx`t-Z_2p3zBNV2tGyI*q;R9g(x!y&IMGR
z0Jlge?Jf~P#UN){R0*c+po^1~7~n_*vpIE8A-aeaqYrwbXF~z#4ttf|)_M6npXw)b
z1+owb)XS3H1WerhySSp>Lgfu<x9Kx;XappZCMG~7oX8;Jhdjx7%BYp*VF8r$2$Oyw
zE*ozTl{ex7P57xc6zfl0$PCq#c57j`C|)Cjfrl`PPsH*OPI^N*@oR82@Jew4C$xKQ
z6c5DoBvRgn3Ki{5g0wdPb>iQzD9@k2a-+jIx6~Wl@H>NmhJ2NzXAVY!=~_nw%maPd
zuPTNgga9O{HW9!uBT_iFxy2Ucw-0f;#9eA*&{FF7@Fi`zi^+d0qTpEGb^uo%-&~ap
ze2Nl=;`{S+c1D;V2^^;yi;*P#42#p`1mdtiEwt0mBL$<;)Y1r<86no{W<e;y@IVzX
zQ3O~!W;nlvq5f$WYOyBmRv+R%Qm5sdoKN&D)9oKE*$)P;?g`=+Q%}3*wG6s@kb0z0
z1~r6#-Fi!TsQPI)VERbWBEmxoW=2dUakiC{AU+8V)#|W?86b!KcG^^8I@LxJw_VBu
ze`>nTQ%}f7-ehFv96Dff@xn6q@b&A!5C;qe3Jha;Ey&BkQ;|MENMxN$PLE_rZ~|r9
zt6vXw#7CG2GQoHW7l0dR?1h47sFJUk2r4GRgQIcG%`gyYY3c`hl^A>gD5|MSB?wSD
zqs$Bf<O{OrKD=37v1V($X+op|bVz<cR-oH#nLsDW!w?ey5ZXXk--U(%{lA=dy2)qo
zX;J|q3PwtpcWf9y7S;bMP8QPgIIINO2qaJpK{hvLT$+*JXU!nEfFpn>H}&<@3zMuC
zuQH=ZTMm4rd;FAS9Crhq5b{|L0Pr!fbdM$S9I<u@x6q|*;VVL5A@c-Y=S2kQa2sA&
zfp)lt;`z*0km_PqO{$MnFevFu8Uwkg34%ooNU$j!4|a?Qzmm)kB(cD0HP>s<f(q`s
zxramOQNlP4C_j8~E{epx&*=bv0u@`VqWy@s#4#rah=r)A6L`VX9GmbI`~g-28T^pD
zVAuGH)qvdE09_UtVi6DF;uj82rzlzA8bn%3`3IHWS(jjim9Nv$6vMg~)GItxQx#E8
z{1vaLUj{U<g~#LpE<jmp1gmIv;YjsCIlqXUYt^{D;g$iBI~%V=E0IfQKpx1&P1*TL
z*@jd+ZwY0U!(HQC-WKV22)BXztE{)Q4X;1Lhh162ys}T6ZW5%2w}haQ6{6RScMF=v
z*PrP}$k1vgQA~i{27WK$&7}urwdZsS$;SlXeQdKwLgvGt3Q55b%hG%)U{4!xoy}Mh
zf&nUFFly@d)LVP;SIz+)s5$q)Jxd0wgh+QOs3tExjf5;Gs81=f6Xu)3m2G53aDyr-
ze~$%%l2ud}!2PZ?Ul@#K`{1%~f{JKG*S#fD4xNC&jwMilHM?Zvn2)Nf-Z%3UQUa!o
ztpa|j(za<e7HYUdOJtt*oT!@)V}PGQl8nJc2Z8}1F!WUD+8m)I3LCHX$QlR~AV5cQ
zs6~3{B3*K*Sw<Q=&h^#r>^~)M#8qUcUB{bgY=7f8H#=lC@ZBT}5eo7FvIPWa?;k1`
zw+!`5G=3Q=tCS{BC{_kb<7LK-U4a}u3rJM(wIE-R3P%Z&VQLC!jRY?R(wKtaMTr2Z
zm>l#Yol&#vAtVblA#ukl3v3H|7;F<Dgl^>iU{UEC*sM2C4$LG&2I-($VT6ca`&k7<
ziowSk!q;J&*k(-{Ek6nv_l0^c6b4yhi5*c)l=89la`?F5)kU&Mur_d_kh8h<D8qM4
zES1}MTjGxsqAO`U0{B^UdGFvKO2JnprpUBdcp4DVKM)C%xt2YGMSqtj;dXM&%V;ua
zO&3R*f|>BA8i2i)iw?~O2Hj4>Z~^J=&z)8pS&Z~Ek6@e<Oe>5@?kSO|_37-Z0Jr|u
zav=<cVEN!3#>b`A9^1)F84!3WQW8N4*2wneKAufJoPCqUGY4BB`v71QhO&qp>v9A@
z_jG~Y-}1<JM}f43-nBZ)p5Lo&rDtym5CM4*(5VV+F6NqdU#iwn{kRYT**?4i03v<Q
ztg|lT<bKzmOwGtk4X5v{`DD)Q!T=kPO{UOXM&Ce&F<2~+?B}8F69Of*Vxq)t-cJW<
zLBLGT1Ou)<dTht+`B(&5bAFDETWF!(N}7uhll6Za+&yslmXDs9xurg7P0+5_s1mm8
zmd=W4K>S_qgG@*^kT+wTMH0eI$05{(M^HVAN2P*1fwlz7y1;^7b5$VFk~u(gAxD@)
zIFT9yjt-)0y)1x=%}bw(`@neM3QNdLqAYi>Dg9o`a)z98DVZjP%J$+{#jT_qPfmD{
zr15{UyH{I|pUwie>jjiJHw!&bH&F$|5RrdI1i^s|9xt-qK&8H5#mfcrYwYK`Z$sdu
z3oi7_M}?kGdms2<)=7x8C}FyXK|y`gf1vA7D~TDpBq((#sErL+CFYde_$fS|1m7}R
zmIO9duU7oR7^2o}N6W%(c*AR{wU_39KU;*{Met*HcXgiO%ZBy{78;E`7TcXg&Aq!!
z=#hv%3$@;*dzu>3W*NBh_d7|ro?-{qh_KN}$vT%jVU$zq>xcuHB#;gP93xX2atK^W
zAbb8$R{}U~(S<WkaccH?_#eZd33<aud$@p4AQC5lM%i&vC`Bh>Jvv1R!f|A{zo!;M
z`pB}9K-q4b;g=MroGrJ*$FW!q?Iyzj4IhdNF-6ewpK>2*2L+RWS(V9$OGiJvIRtbe
z^u}SK&}SByU@{2|f5zELA%(n3!U?VnweENZM{lg%7&5+)0oN!d(mkv4ED)XAKFyet
zj1Y+sHoA;Ty*eW6d$Lui(G>n>t&~OmK1f7~Aw5)2xO=ixM0x!eye$*^Q>Ku}b~qZ1
zAlM#sH;u-QAav<2Ys5gK(VLWJYS`05t|G%|fbK;)66c*8`l#4#3=OTADk(v~edi~D
zf_TR=g-F0G<=$}k0cS+X6-aOOx{bgz|7J!-*~AP!qwsxT#)+W8*#=VhqQ#IiwGh9<
zqs8`j{L^k5YteQ)@0$5}KO`;&5PCjC_2wgE5(s}n=U`y3o=@wvZe8uEOy_6973PhA
zViueMBc0JmRJ2%gG7J5U3g$BPLk9xbbm9i+am;BofAs(oZDCX#?e(wP?oFRpfj;#x
zdM!cS29(Cnz{Zb&N+y`weP(mICkLJkx@y5U1aZ6$V%n`#e@mPRTk7&*svzn-?SHz@
z?ukFiAP<Q?dORKAeDatDMu_w~u6YVW;cfqbaMV8a@W3k$A^<gDrWw-0xu)ZhbK}vO
z_&jRUM;qj0rn`%U=iPRzvN!La5tvnV6y4>BW_ci}x4aZVB>A_2(`+Xp6N-<eVPwQ(
z;z#f|$?zEt2stoO<_U*X#0gkGgyW2DlPQVE0N|{S_RAxOma(4Y08sYDb@3IwEXX-Q
zz2;5|Vdu~=AkbNrZMAehwX0tM{vA`<hKGI+Km~&~fV66Vu#zd;;)O<?h1SBO`i&?!
z&t1EL$%6X?u*H|YxbJ;3Uc-v|yWFJxw!x0-=xl<!Z!D|fzDGgT)e<gZ+v~7SGw~7&
z(-Z^6AA<OxLQDb&CBT%`0UaF$U<t;PSY3XY+-j+2E4Qrib)ZTqr=*=qL&2`3R@!oD
z+VtMtRR!M{g~F3JU?R6Z#iwEYOkD^BNE|3J+RZTLYzUrP!!7~fp|RYQ-YP1+LMTFl
zq_nUS-8sizJd1?_mq(O7N$<ogV~}RQhtU|rdOkQrxTS<mBG#Kp2AB>qz9qfriZ0yu
z>4YwnQa!mBJ8;U6D|>cmosVA5)LVcl)o}=IanQDpcWn4}E(Hi%Fr(GxvnuXWtP_)#
zxfe`ukC@|8e#enwRn3_oZ?lN^3kvz_Kp^fQMqXj~&gbUcf}XHJz|J9nJa13)p;1|N
zdw`Cv1(n(Bqe37tbGNiMKB;~(eTYYB`O{o*9Zvk^@QQ|96n&slo}Wvk)4}i{venbz
z#89JyRFF>|Nb7YRP-qmQ#;|Z=zL11J-|R|`{u7sqrZ#t-76po@Rb24AB$WH_4a1~$
zVAIiG!WTM<sWt7OA^FQV|5h!Nxkn{Tu2)pt38H!7o)zdQ<K+QbU-V`GCEz4QQhfcx
z^DS}&YN=a=b)DhsD9Li;%LlVTiOu3`J-983D8ovYw;0$YyA<`4E)N<Tp94l#3`m%f
zcAm3ziHSL@z!OaIs}oA%M`ME}1ZPOtGxFDPachF=ILv==bs><Pi4!j?20y!=ByEg_
zB&ot1$itNi2MX0BH7HOw$I}<xd0CQ82O{(t#G<^iwosW`78CQsN`e)Tz>uI|bSfZG
zK>gKm{-%?Xra$+rWD`&OhwETz>Em=|=!h#YLUV=ju_;x6a9Y}GHBm*62q1b?^jIo$
z1F!f_g0_OH=J%;J6A%?-C1r#1%Qo;boyNouZ%1C*bZ=)pie?zamO$B}iNFc+somM)
zB!pmUUW?4v6}mJCfoz2Yr$GRzqRq2jP9~uD!@>`DS?O;za1Yr6dRs6mC{W-OPwcpW
zXuD2;h%Gz}GC2DJ844c8%+u}U<?hTq$mQRO#4myp;si^<g7Yh29w9{9xJg_Spe^1`
zx3`CGu?TEEVrygEJ82OIRP-#0Nq9O=8s>=F@k}x$A<*4d@koje<iuzGj7A~Unhh60
z!XU6%<|pKOdCykK_z)<e0V8g5uADLFWlQP;z5xIdb<iOVhLU%v4%w5|m)0OS2vDR`
zZ0YQDDG+Xn?a4^EiCo{JX>py4aL8hN`{XGfM2Lcg2hG=<p-s>x;CJGtO=YZcwmi(A
zM-XJO?c1eY>fuT_c1k9Mt&Lr5DJGv+$ki%Rfn{s!AZK^1)oR3i>;i&bPS06=cT^}3
z<qFH@cpt7jJi4FKPN3pwHyD0d=RYKoW%(sH;6c6QLyOAX?{j8*K<<Fy2_F7E?4_l=
zgI5wKn|q8#a3BU{PmBeq9>B{A1*y=mkfuX)4gEgRA@1p4gZR$$E7XZVR1yPUi(%BA
zmliJ*IbCwLR*$NOv8Rv}OzZlW04!s;0~dj`NYJjw0<uuRV2UFPL2$|n&&h$vxq$86
zmyp&!h0?|V1@Otg5CGV~O2aYZnxMW><$Jg~Ka>U_gbJ306jHrP0H_<wt^mzvN>Ru3
zyQ0lXQZF82ApxGdmBdF+&kA;{vLsGuG$^C<pGCZ<s1R~O!5!JPLStzUCBoM~76kT%
zncwCL*Te2khkP?v<VQ8PlE4B0V9`q^h@s?`p6VejH5l~H33d=I16a5^!YD2Gn7Ycm
zpp0>V<nN|bFBsG_F!g418&hU&EC?cv)&^ukeq4o=4O?FKg6kn01bbNg7}AGcZC4&5
z>nJY4n9)1iuscXzw`auS9d4#5Dj+bQ%8;`2LPIJ3A(;ueG6z;6j&y$tTIGyLb0*j(
zV`i2O0L>5&_8^2`Ae(Wn=7G6_aXazOt|)gt?CR_w>)Rdgc^5bh{y*W#6^1xw4!puZ
zGlKjpvV8EJLU7{og7_RFi&W5%94|5?3h`H%1+eqpotx$4yZ8Z+9rCjIg{u8YH24r4
z9emhN882!3MfegiN_GQ47x6!^QyimD{eqe~7t~kU{uazaSHo0{FxYloiFah~)rX-h
z0{%rN-a!j8rK++>@!$?V0+B-W=@tO8w0Z(Z2?L%pgsx-`q|Ot^kUM)YNy{K|Hei`-
zf!H}hM@a*OIYMKy2MA*`{}tEZrp6raeh!vFk~UEuFzx(@2g$+XGk_plAyz<`c*B`k
z!bA~=WRisB5drXkkQkOR`<~+$1j#|?5{R>iCW<iXo*<D7Vc7J5i3Du$hU_4VzIVz9
zMM@}<5d-qY1S)7$hzlB|Mr0%qu=5vvRX@&&$@t>>X}vZ(0{Q2FFOWj)5qYrw7iMmc
z1BiH))`BzeLvnZ>DCOvcK0}!T^Xrl9L|X(mOB9aK#Lo21MOo1h$_t=iY_GUgeq&@s
zKfnq?f&qnj4tcr4dvOVJgf;lSv~LDM@CMyvf<S%g6R^u<R8+2c{2#D=uW|4_5S#Jn
zhEI^vwuMt9P>xkpnc<ch_Ep|N03X0;51S}W?ib&SL=3JY+baq%>C5m<pMAosQyU|$
z5SW}{!TcdJD1)jZqGZ_9pVco&s_R6_-WqY6fMR5J&0TSlAV&yHvt_MFAOarQNDduL
z6G(T#yQoj=6#T;=MZXA4)&hZ|n3)}L6b%%_$Q`~D#)vz5`9Rh-CPYi2GMIy~u9OUf
zF)~y_XYA_qFmZ*E+cO0!K>!xYBElWF4Ob@18&)1*WSB^qMzv?=22VT`amB9-lR}G-
zSxU2$10xL_logzq88L{$5(t3!fJh7kW$NGf{RAq&Bwx5wP(TQ+gjCX*H>DCbf11pl
zHFUl~0LE>ERHzW>`UE;0U}pp?H$28i3<k(;SDG+D9OqmnLjZOKP?<yF)enbAwo&Wh
z&{>@X$U@m-uZITej7|5$kt$7bm=Z6tOdp_FA}3YNs|K=#FoFQf&H0XUp#ja9KjfA>
zV0@cwkniip4+W`5nLd1(!fZ|&0|o!v;H6a6W&98&|2vCiOnf=h3=u1CW1<rp*=4~5
zC6b4P&|KUY3qrX9gs^YN07QWaU5mmE>AHgiLYO0kBf>)`Ap(L0FgFGwQaj^SRu7Os
z%5!EPWCYY0361mYjxW(3pn--fpJbJKh`a)rQ6=g+uTc~sbtp4D$cg-mu+*}JyLYJ5
zBL<k0!NI4hk5E9!QRV78f0?)&a2UZr!1E)P7(YHpCmReI9m0YPRe=7yFFulSY`lcZ
zrXdKGF1-2?2^_aE=+NX!!-X1vj>ys|IADS%m$SlT+blBr5$?O1t5%uyan1>ymdh=8
zIW?62?Y;b?8!BVL&?Qv8d9l#o8`LTx?e!LM0B6hKVh=u{EFGf}*v*?5N0(CvN@p4p
zZIoz&23dfln$-db6A2Q=(`g4%+-N!Okp{yI;!t8eCnq(6X~fiv9A^<kq*ce_TG?cd
zhfh01W`c|y-s>YhxFSrWYa?Dm52v_45SDOCeBhWXp~0D<D<?yx9W$sBJJGe_Vp$R1
zsggP!Jm?KSFabuilEQvETb!DVV`eyCs0f00vchJigo~~RI!g&yxE(DhCsN>cjG&T{
zz~o6mFUJFp5&~bX2L@UWpLC<9gQF@J>eW#ppzV1F1SIIyA1E%!Q5+^Ipym{Ckt;#i
zbWu6_0;*0(A!Q!qwYwOGV?W}=0~x|F5J*?-s0iWl0)j&`et8PoaI?G~R>1UoaJM)Y
zEKW>LTy?SyFrK#I3EPDp+wydZ;lTRx=tqOTVgC-5Q}Tm>&s9Z?*Vb*cHml4EHi13J
z&LCJBO?=|1`1@Ifz#oVVSgOQdg`Nn&&ZG<I`;zD;%t1f8z<#{}(s3bu#ZfP342;&)
z25d&~uScq*lix~-!}jBElFb}cAK^ukKPIr2!2aPD()5sr)tyvi2*0sq4ICvtI7oER
zcBF8XJ3-Q;3-%L<E|v7qcgV)CKI{Wz7y`%c3Jka4K(@b>8EhTlu{B<vq|sAPsZCLi
z%IrSrL4XpeScDa3O07z_^kBYO9F>LzpyPn$p$OuxE0g*I7Nbp&G#xb<CGya4S*kZY
z$4Z#cbM{(65%R_fYPALHAeD5Z8#HePf_H>b3w%LLi=}SJC0YZeBFKb}_5sd6Ay++R
zk+Km$Y^9b!vmw&1lyb;)3G8N5>}Two8DtvsAY?jWk+k$7i%w00W-hl~hSVBXXs!vj
z4de<!J?y~JZ!}=moU467Qv-5AAd0}brH&_s0gG@!^8uuSqc5lDq><<#IiMnSf@EX;
z8b#Mp4z;>q@WS2@6IyGB-MpS;Q957maA#0w=&K}q37fGPqN!QU8b_r5jT5|VziYy0
zC~cjVNDhj~2|h-A14b;ePQnRkwFR{xkYNPKx>14&0Lj0E5=kIues0%#wCwCs$kmy&
zA=)r~0uANNl8xWI#4Q~(FBH?hS(qUrdm+tGLR74WNx=!uvK^lUBx7Vb5(rGGfa>@G
zBZA?=SMx)-ixudVUyNSMhXtP$3+KIhD6`<0CBvYvLQ3n0K3CYZCBvq?txQ}wqRbYw
zf<bhly5ZU=niRWgf=IT@U}r)M*5%RE5=M2VP)Kw*Y}d6QG?ddg4mjuAAjZ}gAdqiT
z06gBCZJ$FH!p6#gdwTdefDlO~v@sKkp=yt$Yz`h=EM-z>N$PoHEV4ja$R=UZvrm_6
zPnqaSd(e>4aP0@7DkZ~&2aTF^p?cxpRpP`MAULZGko_g2`AOVgF7PBsTsf)WPHAB5
z^_c~L;uMjuD7b`W0JIwcmUvJalCvXI!hqD3nKRpj!<G)0SkHKSKUK_JOxMeLo<TD@
zP`P02_Tv=-!P09o3J_(T0kapkv;;eEHR!N#Rk=WHO3ae$8N|ue$%_XuATlYW6Ek3#
z=Sxij!1P(z^29jln}ibMgJ><TdRVo&xc)yk$_AtGk=o(_;I%>!ONwYo6dDO~U?zlP
zW(wnbfP^ID^96@80~fY}0(c7x@wQ>4-%Ftk)XR+o`lV1AQ;G?Zj7t@E&?|GGpp?S}
zmGbyh6#`+Qr0JR`hfSeZ4ugR=JjObR2s%~UmGcirN7uo@Ss%D$dh}hW%F+ge8t~8x
zBzwf?AFV^ny@W7=dQEzX5;~r6psDL*q_<QgQ^2MPoDO=DXMGBOq9R%z2uePjsR|@X
z2-?jviBBI~Avt`W&e)km)_f=@<z1mRk~N&MrwC6R?CkF?PKrlCK?!uq34liy5xF!}
zLlP5Tm=u<$+QcI{8G@Oq!h&vyP=n((5ZcZdQY}LTr1QsO=mz4_k0!Px()3CR?+=M4
z&z4T{Y6Z=yJ+%Qt{WCmJz#xUCVkm@xBFENA9~x_9$%F@TG5pVCN=A60g{hRJ)#4^l
z{}S5!NPj&fliT&{X5J+9<<bLMW)mo97Rh=8tlh1;sU;5cOo#?~r$&y`Gqv~L)Zf3T
zpm%hdhN@JK@me*sI{R}?^qBSe2|QOJB?LX1g#R`IkhI_uLeK`ZY$^_Tu8(nCAT0>Q
zY4n(fDh_zAQTSMis~)a|xs%h35VfdXRXI=d#d4xblBlYEUM%{=^w5aEugEEWDIArN
ztW^m_JU<{3zNQ{5E3F$=9I|&}7DrK`l3)4w6}>!F0C>C__n?KPr4d9wbj1_^x;c2f
zSjdu(7B6R|;-Ep1m2|zBkV`L+t9xFQ{SJ=3HktnMju%0a4vhv?%LOsBLNT%J*3+{F
z4V^Q~2mHT-oh6EnXjFI!M1~qF=xb$FVI5L|bFt_J<HT1{8R-Xlm?y<OWObzPgwB|-
zP{CO&?rf;)u%@pqQsokgJF%cDC=`WYPy@N|nar9yaYhDBHg}}5CegFZ|7zZicWzVW
zC7<>3_8FuWV<T0WmF_y@c6EQTYGk+=HBJ2_44*pKH1wLPD@^>C^;Bv^kQ6B(9e9xd
zFh--KDmwJ1=inr52uKQ_he3b;#fWaiZVd<SB|(f+oJoPa2@}Dwo)QI_2E3+1N_hUF
zkwcC<=l=Pq<bE=MsliVw!IBp_EDR3pzh%7CauCgj9TS{6;WP-T!tG<)%dS2dZxP4!
zr3i&2bjOL4@KDv5Qa6M^BW3?MTd^Fm?cpZ#k``Y0v>>4Bihpg}!D4Z^EMTZ%oF6?m
z$6yD`%$nUZxYcB}T&Mi$avoq|>4=%3vEvCx!zghaY^uA`htPn2${IXaA5lTuuFe3d
zEqFQEg2)cAP%_dI4}+7@h5{n3i~>a7X*#AVI`d`fb|?NByPSOjkcoe;(BOq*O1A$H
zc*2~hBg>GAnNj#a$kbq5C%}QE0D9!mY$9Lga1i#g5~nQ^Y|G1F=>#WVi<6+y@1gdc
z{JEgTGHdNUoI-^UgAV|LURH6aH9zfq3K+-d;P-zFwXGR$BY)Y*6*&i`1;B&|O*pQ^
zHU@=n?wU_ZX+N~RoF%dK5I+)3$Hu;%(6c0EK!F6bqSSeuK5gjBvmR}^fqxya&Rvb+
ze0V1igu6geU(ARGohWBxI?SQ)j6)XE&p>SwE)qwOzI~Hpg^(y*!9jXdXb7-x{5w~M
z&pu)Hkbrbn|DbQqp_50H_@a~V4H)-euEp+sM}~{01L1e9Y5<6g|5(%sSBn8v<8+}O
z5MWF`Y+n?G{Ze*ddGKoFgk$<0Fsk9@9K!L?mmxwx?bhx&&<E1a`trfqHw$jt{;rIE
zCfl?Funil)l1C!%*pvXOcu^gw4ncs(3grp3yE;|%=&{5h8~<3;;gQrBd7+TaMu%d!
zteC6V%w$P}p+{r70YwbIjv;_Y6RV=ERj~>|9EJ_h%TdHb!_}A5z(kKsfa5A2s8oBC
z#QYbm5jSG%K-ZRvx2wLkk~I`{8bbj=h*253CB<fS8Hod6!Ik(U(U}lJYaFDHM-4?C
zMNVNm+%RB}05!d%oy$$4uL^NGP*|G!uo4p|*0^3L%QIazlNNzsK!|Ffno3*&Cur*o
zivDGA1P-$@dIoZL_qmH);I$hHA}fWjEBAvrHy>>?SA+#d3zb0on8`%-J{qB(h@pwo
zR8m@QG71T4-Ng&Lh`FO^H9xyO4=H1;Oxnc%L?tAF!yM)kooyK4;7<uaWSAw1y4?g(
z97e>VSrGw(MpQXIFI=G=E*st^aBQ0nQNxi>Y_{!?B9k#wkvyX?*b0Sa{rJbz(lYs*
zM^sr9c*2Dkj$?3AFq7+pP{D!3YACxt2S`|&9;iWBw3I<mZux-?%O`oZHwO@A%beiu
zS%!4-HWXMiN+e2=Mh?d0fR6*{-Z$pLg-_EBM4Lp94L8MH8(`n_zTBCg7lS{LYtW!_
zlUhc4&7jVC0F~woC%dwTz%(Yp3*PFrWJsi@HNExRmIA?~QQ`$iEmfEdo0m@!9HYg$
zso{X(tR$&!&KqZ{`r1Q7gir}C?s!xro=vEk;y^?%!yQn1G)|yz#!!<+LXWNmTr@Ee
zRwhtlL<2jc2a9QA1Y5bBTZ<vyuS~Is7+u7QBMA{jOvBIsHZoO+BDJ7BMTP)lfN;!F
z;2;zO_h)VROGpNsMN-~hgtP^P)kJVEL!wEmm>MQv)M6K14G@zlh9OZwgFzY)Lk$^L
z66HewF}-LCn5Ro#iWGTDw!*F2MrNs-QLVHk+xy7aIJy^0z7YM_j3V8x57nuRE9wHN
z$O1$q%7kUW`9S{-%SDWYo|}}EYVo|m43!iqzHT^n7s{z*_-xjh*472(Q@EspsJl_c
z1u@AbASsp?VMUZ+!dN>YVbB$3uZ_|gA*v~znbel)8wHiTLjpxG<huYsNW)Fl1te*q
z+09`=OTeH}j8KnhpcI=lwwx3`jzdtsdn%KRSp_EKC+VLQ%FT?84^fnYoB@%BDi;XN
zBYT~nj9E7Y=|R0n4imI{3H4rbQ=Pg;GF~6^fi?^dqND(OL5QRhaA4P&B}2;shl8Ks
zZutqK7zQXB0ThLC;6_+TB9NpXVPnt*O$-~DfdWz>B%ym9TcH>gPZ)~>E<iDdjPT%!
zV-_<F@Q54)3b9?XrEX(f$c+iP0m*<!5-mLaR0W_A-){g;^b!3hhy)Vh<>N}dUr881
z9-#q(43>sISS0w;Ef92=U0Q>4goteQuWH1U*hE;?z>U2>Z0`?%dY%`6g{xeZjrOjs
zS9jv>dWLr(+OPSbM0_rHzyw%%cZmfh6+)+6)Pj;go}l067z-6H<dG3DGa1i?L+8Zk
z;zdK}%8WLVlfqr+wiq>p0yX7B4H-?Ns*@T`&QT;iPXP~9j5^WwGIdI-8A*prlqd{3
z?n=Svihw~O!2~8di#7NP94JCR00^G&L^tQi&`(ED@o<3^MOV&*$_RM`o+pTq4h8Zc
zy6aA23Iv6BvqVZ8ZSiyXjxd1jBaje^Fmfhr$fFCQ7%;ccg;H;P;xC6aEGFjYJa4bn
zV_q`g*moId0K+0@VWVJk38vxLP8Mtqp+-asJ;XVtASxG(R)D>+VF+&=1~I#+#^Mst
z0n<`M3xHwv&_wpg!H-503L;1hw(S8D0vc1qvcx3FP=#0!uo^tGxD;F&j~lKLW}p&g
z<U+%CDtgCYB%X~F#z?BRDcrWUy{KLg)+KDT)ur{AyUwBaW=PnVZMx`G0NF{oFYdWl
z$|aI!8k!vVP_-f<B|T4Q$l!4~l3DDbd(#|7_r_TlsL5Hms@<kGWO6mDi4Z6Yn4ut7
zWI%-m(of0n8b<>nsA~cL$q^056xmH3x+;e$v9X3pzeL9~KM?YMzJ|sDfKa0W_6cBx
zj@ngTd6mibP-YFN2(W!ZL1s4T)DU<ci1aWVo*bNpVo~w81(K*GsZrRXdj2YMZZUVy
z@g7S5!c_@)30;Q4z36PA-d1LTqVN|-2{#rTf+YeQLLtaZ@T!M`%}CMg!C1^)Ha!R-
zLNnPD+{2{QUGg1K{=jw-K26JkBt&}3&^~u$gjm=GPPNSW(yP$~nyj@xLUa{tAxt@6
zM8qY;DI@T-E2r^1B22&`$&BDblN}k920b^9i8LBSC@?9GAgv7eRt&$|!eojFT@jQA
zAn_E0vTW9D(h}&B9K>E=nh8yj7rZ@@olpHe6Dir_P0cb-f8{XfLr>(9WWal(h>cI)
zK8yG8Gy34)T|LO#D>Nu7BfWIV@BmgEwKzKj4sYgl3enhpZ6X}R4kJgmFI_0fyeW5T
zMmTSU6o(p`IRykc`blkr9uXi8sM<<i>B1YC*Sgk0l~ox^tgPU>+<v4%ANEDjc_HYe
zD`RmG<w8Os%8feZK)c(QP-t`&?LBZ=V>M>6D*mSizMpaWr^#S6aCI_UsniL;Xofw`
zEGv2eNCWuPd%zCRSPclI0TIC><%kc;gj9$d#j;%lvdiY=1Ee+ELxg4obRm00CkG)g
zKZDJCE_!GnlJFws`Bry?QF}#(H1+AkI+ysXKIg%WEL>$uh?3JJ%XvMi*V@V<-cmrM
z903nC5ow7bOlU&ztPmzD{D54&Aqf==1C83(SC6f({dQWEgv)iwI*np(_n*}_NlCR8
zm`-wI>lx;82O_Woejneo@ja-R-;)+9@He#?USFYPFN#VD<UeI&Q6r(Hs-=hNj7ZRz
zO`KeKo<U}*5D?Npd-|@U9ZzKkcDu{{Uow8%BKh3O80&$s9M46*j~b32t{C@kCD9zE
z=<5`^+~K<MEn&01qTD^a`_<3WzDiFJ|JA}Me>gfZPofP}gMc1~asToJCY>o9#6?06
z*6<AeNA=;dr7Q_ux`7Y=%*r;^_KRxx!!s<R!BE1$L-dRVhw7#x2k(iYpawzNZJzly
zAxu61iJ~+p21$w?0ioE63EEO=BeV|!ZekVzK|4z`BzA$~8<?W}T6T`2)QdPYWfvTD
zi-vFo=K$Cx3Q<6gLj^irF8np^X{m~%92QCpTjG%#Bam1oBoWA9rm+x}V<2m0s0?jd
z6$jQ9Z9(zK-=QhUfs^bB&gMky=HAkVI&|4Q6P^5!hcaYY$ckY(pcE!2G<1SV$oc@3
z<Y73E-gR0V>$X|-q>e=GJ+t;^e37ob;b$V^-`fWXNOAIWx8J2!^f*p_352IM#)(dC
z1B4TrS>e;0WG%ll8C21@Lg`Y-gGdb9^f_Vl0C`T>cB;Vr`x8^dG;L<bdr2dkz$Eur
zPW;ZB5+8eyUzroNS~smalfX6mK8xM72IUEBqP+r{Igl$fi<a61mD<RWb8|9X+5*1#
zIn9+10*kyh5t$~@1a071m(g3hwzY{cv2@3Aci59Z5iBHepG5+oH|$A*V_tS7xLg5B
zx1>cE1sEhE<u7K07?ZJe`6~KUc)2LVmdj>Q>~(1n35Fu&qOBM>UU!I$#ku~}RfSWK
zBbZQkXf!?bIl*-ff{Hn|EqNx;1iXckc@?*dYZsFl2S{-jeR(tR61qo0<WMRDc)XaU
zwdq<*f;hq2x!ejwR!G6hPA&dgPNF-g*U{OKBbHESxYtqYaBrtRkVFXqbHxv98Sx3@
zq+KmdCS*rM^mvn#tJLX4iBSqJzqb!cgn);`VCGnX0gg{=xSM@HF)gkjKuLP&cqs^c
zV@N_P#9;`Flk)5xUz;$li+YMkESEU0{CtR~KiRj(QY<ik6KkZIQ%NI9h!7HVHugrK
zJ|T~gF4JIH$UH1Am?_N&3NjKRXI9pd6aPurWLse5JVR&X)pknlG$~3-g@s=vCK5Ye
zNw!pc-x%lP=NNpuc#E)muLPF=!O9+{1moN7X@ch&Skp;P)DuhVsV9>=B}usM9@G^i
z(<ZhM*_VCUh5*X~VoD)65;qHQ0=OB>;v-t(TguHuHUZAy?9I<yCU#_}TRQ8XPOfE?
zc`^^|Fd>}LtTy-a57oxzR2!)iWZR{J2!aqsj1n+B)Dk>IRK#G~1k+%g08?CS;TM29
z2-zh<lQ>MT6LzU5njMC^eV(l;4c^;kM<U=g46}pIUKg@D#m4X1n>8ep3Q6i+9C0il
z7LsAUs`al??+CsQd;~KvoDgdu4{5%t`ZrW~GYxQ9xmNe5wP23dW=cUtAz?TYTa^1h
z{LFEZfB4GCuoOLUC1LYc9Oi(MQ3Y;`5r{U|sTe-9n6A1zay-_vGHreC916R15!!NP
z&;Q%0>e-dK|8i!?O^nR0gxy!Y%8(rfR}s|t!}tzmVJ22}Q$Q1sa0X<uf^ZG;yodqE
z3w7D$nnGwwBF>dV2R}seG-u9*N;b(TFeJ%ZW*ZuJJHlEo@GTlhI8=7FX#j)3fu*|&
z0DwU_b2{3xltA#Pw$EGsh=gr8Y}%ldks2Fvqvj>s9G_z|{T_=J-7Y~FNX4lQ1oy0a
zT(gsn``xW#gH~{75Fmg}Q&pa0z%mnlRwT<M+$$d~`K|oCat^``kVXWfrbQ5f@xr=f
z@lpQ=E{`7j5JQ6MSVnfSjI$Qall;>3#hFiRW>fA-Tn^FfN`EH0X^_5hIkj~TLWj7v
z1$icM1W&|RH}P6{wwZY_k#rXUcGr_R5j+l>Qm>Lp4K$_T*ah|KUQ2OoC8=QM3?-Rl
zj9iQ0-_@k$-Gfq@<}j9R?O!kVQkmu?mTm2k1Y6;q@LGN}#5MCvj9V?aIqj*Di%`20
z!Xnu4kjTP<7dRnq_|lS&1-UiP^c*~`HR>-d>O%AgVm6m>w;Wm5Avrf45HLb?fGjxy
z5nKjpc}T2In$V#&5#t6XS#4o%leK51M|I`AOiojyjn&Y~j8EjgzSQC~tZ#%oEARF~
z!pJ<rBJ6!4Y#t68(=hlhg2**zpCG8kxMmy-i@ERUEezi67z+IvHD7!FR0$3VFKH4R
z0z(kpXJftzyFpi|h~OaVEuDm?G9{C;w25{s_N3M{9leH^R)V!v8s-eGQ5>)F0+qkK
zETLl*E#0N3u3(e)1WS_D;9@3mK@Qy!t7;|!2r%CkZ9q-bk2zd?x$LsK+TlW^-@i(h
z58o&|coQh^T|8(3Ec#F~T)bxdaVaj8lVC9ZZ~AdeL@s`84n4ZXNx)QGQ8P|>lYJE-
zW^2F;-WOF6NLfIL+%{Z@uS@Z`>?R((2GU6%H3j4~O+8N=!hjtUlYo;H9PBEJ*M)pe
zr$8Fi3}a*9Q0$=RHMKwyVB+2+avH{|@KEA-lOXM&SF}WK5drcTfw*-VAzE|KG!KPq
ziBSNVo&0{p&W>ObKUT~yR-*;XO3j@hh{<&beDne@d<Zo;M1*b|9A&?Wuw#t&eeIf&
zL<u`}WYXo_=+5|!CDLjEyCMMt1j`w^|6aoxH$tlKePl?(omu8aPibV-LQ=`dt5M|0
zS&a%lH6%C-1!Yn-4-!I=0<(Z({vt3%Mof&p)|hGrr6(_OL>1YfZwo3n@eR%MKM>15
zRLtBB3)n7ps+q++d(eV*QWJq|cyM_H*wEpyMW7o=4BqwzodL9$Yys-a_MuM5C|-A)
zbq0U>)8oy8t*YIcs30Imj3{gFx(|XpK`^6&*J}>JMV<CeRiU%Q-bhjCH@=udZm9FO
z>WFNw`dmy#L_lz=_&)hDrShC8U<j{PP!O2D4nx@U*J&|Ih-=$uO-o$sKj6@`V?dm-
z<SVl)NjXs1{8i!x8wF;`&-!a<Q(nk9VEE24CoJ4w98P{7j`L=x3=nt`!m1TG*qat3
zTClVRO!<JyIE1DR+f?nVa4ojI4ysi<>@-U>MU?f3tA0$YSHm!OUr)B;u&hIRiMBEm
z*HwJiAwTXjPe}-6m^UM2QI_mwS^Q&|<+M%CZid0aQ^x(U*nze#nq&e(1Q-GHA(#f}
zZTQLZa(5;@u%v5QhO@Y5SWmO42m-jN*A4e|#|H*Qc1We<H^lYd_VRzZw+(hTmuQQ~
z{x4!9%>ndm0da!7F|l?4@-LKtDs&M#72frGUI(jaGQmjCh_GQ=wqof8*bQ$4EtHD2
zSxw1c?wKy~^v;-chgum4!nM`DOAF1GMmMt?^mx1QGgVtfVk4{or=f7BoU4<i2bOTI
zvw2uMzq4~PLE;Ju5TBT<XJiGCRMb>CX0P_mv;bgL3G7%iob9cNwH0)C*8GZq?hIYG
zzu3sGP49G$EO)}+fbbZOPLq7GtGFRCjKHW0mLjA;iN<C9AR&b*XT>5jsrqoXu?`{^
zpLB4&_Ev!PK|zKtBfOMOi`Y-+)i_f8FA~w#`DXmKvx%bL?YG|)z{9RbLt$d`wA%3&
zc9d`!5VTo^uapGeN`ARZN>gzhVb+S)Pvu-E8ELR6xP7FzGFa+0PXW_yT4{2>K?&X<
z_Ioq8_`$KB>TffV5gR~ykK(yKea;*wt8W%6drB{&_#ge@c6Cjidd0t8wT|_duE|W5
z5xs$r_S^TMuLR2AJXX-@g2lFMDP&n^{vk#iS_~hr-2sdqaI`-5hNrj(;UXy$8IO$b
zVzS4mmn&Si*nDVj`EzZKx$j+tR|8hQiZ?VhteG+n+qX!|u~{H`uoz~PCP?XhulE#2
zB>QT9;1s_BTvb7s`X*K5bNnOo#&GyFO<qVj%E$>+)G(rR$2J@Ixn!(`5+{0-NQysD
zi`7{}@ZBEf!z0KosqKXyHK@E84?vY?ECo>~(QAlMP&E1B&H*5UgU8PBr606FsJ$rN
zAD1QfgH7C&p7pv5?*`igo}~0Mm^D7UAFE0r;vOnR3HH*>X=sPBAJTb+B?v`MqXfC%
z6HYdWdg2ND!TC%z3e6~@5y4T7KIu;Au!=~#a1&pOvJFp$k8cA(s@=+^vou|<AlxCm
z@e3fKbXI>bFA}<gk<T!ZhZWG~uRfb?4W|eJZF?BVXwWis6B;eelAJn?Jm7M^r(?Ii
zmtZlG#H%uu<=iv69id1wY};t33mQElajAKXf)5)cf=^qK$p0P16y`JDzVa6Ens}80
z5=R1`RYX37G*gb(@%602?5XXel8!$yg*^RyVTgvHE87@Vbe%_d760iL$<T+2YtqX8
zh77)ab4J1q77;r35(|m?0CWZD5NGTr6hBz1APXAt%fpKOT>u!hKf>3hj36Kcc!LNL
z4;nB4;uBQ0=z#8SPN4X!QBYJ3-1VLTbQX0WNNjAbahMcbt*mI@CNdT6HCdxFH6yuz
zvtrm-qkLLI(%}yx*+gK{hy~HFtyP~u406dE^Mx`n9Lz1sIE_UU@NRe`oEwYA&8|eF
zZsPD6Ir7^)c;o<O6tgQDH#@}L3mrj7Ixo==*d2#sshdMTFVZU}1X*gfK}XT53Ep41
zNpz{fmqeyL7xsBSgVG@p*pn9<5eNXuickUFkJs3U0Av9_ZrV*Bwp^GGsqN+Uj&M2m
z%w;R=IpoN?E<i99j91k#bwSvkJJK*1{6WRgKx4H!gKWd`W%=(!!rrK-VG#j0c6XGJ
z0Am5DhC9+#3YqG;`9LWIiQB<>c)Bl|ue&yM*Lt<CqEtyP)E=&0?GW!~52n7sjA*9(
z@6k;Q7^3f2-A{9wch~+L#<aW3M!K!3nhBx|L*2;=0tz4o^B7C;^7TJhO=@@Ztn)J+
zFdPahCz1wZv$g~DdClXal7;XkS#!O7E^w4JNA)hAIQkbl@I1Xiw#l#%^A@V%Q9_j4
z7QpGUgumOAo>nI&I=6o`yBtUN;PWeDC^Bz#7X~6CbeLTv1jZsGo3QZYC^>BuC$d6=
zD)l&af9L!Op-J%mq8qNDEM}J=mH&2r_qb4vBf?$d&p+n`g{7iOilFkgK3K96KUqql
z@7-o~$5LlI{eu8j#~s3wz_ij>7g9E;087?AyYrmr#D~PVc>Xc-!$e3@Q<Vh(bi3&e
z{QM#t-Iu6W=Ok<q@{9Q}H<A28MTqS4tWedAoIA~~DH~&BAoK-0P|uD+@<em+p%HrT
zfFA(gi*kUm{6BJKayQrLu=sp5E!o!&4$#}Uh2p_iGY5oTlS{bGWTDx_=qCPR4l*>r
z{yxL7PYRI3f}omguTB6&ChoIf4-2pC5p12ucX9CJm*$=3?q%q~nR3H`$#o!RY_h;-
z{Ikzlcco3S*r-?(_JP8wgeF6TV7er-pj&2puwn)<aU1FJ8jPFJSbrVgLIPboMaF}~
zL^6nKC9<xsm3_VkQegjV61T!Ga0@Gv1@i*Cdh1{@A2}5n4GB}S(ZJ&^C*J08{;pR#
zX#G#<z{ZAjgxg4NJy}k|V)jT#T$QE4!qgbTXpSRHb_#kXElDMiNFI>^Lg%M*7{qP5
zDvHzRo*#qBbJJ*D@R>=H_hn9gqe7!<Bv6Eo+v7Q_1VDfaG5x)2t%&|Eb&i)wqocX9
zBx7P=NP11DUJ8NzMQKw}znoVxdjHS}k-nssL>n(bY1Dr&cre<DNZC<v0>7^qNwUo}
zkf)Y5DWgDwjd{3W6NoGQmn%q-0}eahv#NM#%5|?s^_Q(uMM6=Xcg4kf^6Wj~S@4Bh
z%0XmPSz(|v&PT2mlt#TKlo!ql71<9<gNJo9D^nq4i6~+HmLpG`k-5{n9LF4%YoH^N
zi_+T3GKdY0aKzic$_|_K{aQCMsE}+z1yOEnu?rfKn*z-OUDaQB%QKjWW0KFsdw9zh
zL6@fDMKV{JC80Bih5-gtZy5-}5(!#U__Nv|m)N91F5NJdzaNt;v33ADWT<_;WZA%F
z?5T`{Dyso+4TK6$?5<=x(Z*MX`+1M>siPG5I|n}Ib}O8nI%w;dRDJ>VAsNHbWB}qS
zI$}mq_(v4zG~tHhxHSX0ZJ+vOyj}gMhzYDgdLh?C<s9@i4oQ=kJ58sJo|!K~{Fq6e
zS%>x%y#dFB9-+Vz_R~|g`@87Tl^^<G2(y?Qq&2vCe}8=q@8K_4yv!!A6nP*zZ?}Mf
zZw)H%f$|_%RTZEFSFK5W#pVetvStv+^tJ?C7u^;0`B%W_wLrjep0M2nM02S`xbT_g
zKsz!<vOAzvgo?x7fUd9zk)dv<ysD9ky`o(Vw+g?7L2h6ov8NVBZXwe>`jl`v1CBZ(
zhm{(k)3MrNozYEI<Km-{t$E6E1V8%Ip1vyJP}LT&0L5@Z=a!O)2%9SiOqPTMco!3*
z`YF{N1y_?!S+FxmoC`K^^jE$RNRDPq!C?e)=23FO#8#YMII#PN>~F>$FO2Opxt#O|
z4i8}pROYPlW!GHR?UH3kDyVpRVG?8<VTb8;H6u`q>S4&AVORplt_icskV3pcaW#<1
zbnKIr-sHT9Wp043AH@uKUwV>kJIc0WgirIt33PVHlR~iaXX8jgVa#MgSA2i&!6NtJ
znR4>`_h>G@I<(rYTZmkMXqbFB>)yGAT!be6{&<yK4?L<8(b03>m=0!SEr1b16UW$|
z!TA&j_vU>y(=e<yf;NS$X~!9HOEMTYAnU$D_(5r1?I$qh9h?(-_nDBG3D5{qGD2L~
z>Ss$_SAzMmF0K|YCpa0^GPErC|I1~l8Bq3Yth2OA*{E{x-fNNK(?s%@3-SZ}vEds<
zTdV|PQ+@I<G`JQ)6NIqMmbNTnxMZ}jAM7;x|8t35VPQ6US_6V5e~uM_|KONIg-N(T
zE|w|?iNmH*%$xTgdt~I2TTle>{q>C~ROlO+OPHc;;5*tNPcUHSR<bc~h1EQ|71n&W
zwrjH&`gZ$nhWZ}q_U`nAe3B_winYQWgxW;L?lt+Lsa_W2v?y%KS+g6cX<7Ntel)ZM
zY<~vF%#@V5qLJib{qI2mDYTXb8R&hO1DMEOyaTCL%fjn<51-fM_MFlhdL=&09XFb@
zKQR@H;%z%q1SGR(7r<0FoFn8wIfR7b;CIpu;kfRA0p8+25k}A`T)TBi&-r$CCM0gc
ziMbz;9m@)Zyxx#CExlFnZi}Vp4CX-8IWt4ZX*m<td`FYN7fRo!x>j@Q`}#(8R9SYt
z2_!vbk{{M1Q0b0bR=#4b8u1+1t~&ZUH|Ue55zl9QL}&waQ>Av`3NRpS*FxON9Mm(A
zpvPwA1<#j=;t+!M;(0xfshNr}#d*JuVL1DP4Df}ThnwLB-nD(VD$STz&XS5>lChN9
z2H8#L3Vs6m3WWf$T+=L+L~Xe%DH6a~1UO7}wwk~?1M0kgACIa5Tw3sY-Ogk47F|MP
zU;&;#c{?SRc-HUOo}d&==gfO-U<rmu&FluJ@~@$O)*r`~{^^JaMTYmudX`5Qs;?z6
zIRTWm0JI4*8peyD!FDTpED3KY3}*)%u0I^il>+us9{57R@8aPLD=xoE*p0!0g|=M(
zXB$Q5twOmo4=4k(f_xhJ!h8Fw#P+#9pl=qb$R$_Eji68>d-f+GKw{VkZHb5uM6MwL
zxZzVoheHc=2X%u!W`Hs~XEByTB1C0qX@In_kG}GRHF;v;dzmq0PL7>z54&s`@oe3w
znfgFL39VN1VRz=nv>{Y|tq>o|KVw)~NOOgX^|horhI4ia1)AzlQ)9U|^(mCjxgL|$
zsiBcP=VqkL;gqx|vm{}BXsue$p>(9-+><#F4gvjCJUe)(Ra62%iEdEQlcO<K!akFC
z3763#m7Q<kVm3jrNh2Vb`7%RoG24s%B6?^`8|`%>LY}xL7{=a<k$2AkpCSkh%=i@$
zzCT5;>eNJk;qn=GH|{w_DfUe(_5oiu<|7HX?WYFp1i|<~)P+;<f8B^%J+l%)cIGzI
zl%N9cih0Nz=o&oBwTItzQ%uwi><t!k>>4G$KpV0cS;XMfF305lP#q41;9}4#5giSn
z8Uq$3VIj5!kGn@&l7YHFi2C+3oF2kbSdoFc4;E0OHNnEeXq^-QU_hV0opv!bbf&#^
zb4^$m#m6_C@99LkXD=`C0O~T}06K3HbCD!heAB1zZ)<VHwQnbJd`JURh(Jxk^?b{g
z8jE5cNcOVGEL?A*v3;>+_351vt&w=J8GQQf{O9ie$+83BL~0tN@Uy}$q~)E&=_9(*
zc+_l~i}v)<p@t_RSemsYLM4U?(@g_lrMyF=Ca<j^S$PEoM5#P@G65b8>Vq)IumGTB
zNaAy_coRA?qhOgq)&fAW1bxXURD!EIKZ8W>a-<l&7jmJ=_>AoSp^NZpxe5X%20#NE
z%fYPSumq&-scqjAAJEnx2D1>M8-}Mffwb}NYPvcdiBh`~6S?E`a2?T7tclzKA5**R
zS2#?`p*UGwq}4fRxv=hKDIAIPhTVx)MCU89wj>yMaR(=8>}*2~PpQ|?VA9)AXfvsx
zurb)?;y|hos4+8ooC}?_F%AYz5Ipl|Cm~#kEIAX(2fHgk$0hL=7wkMB53$O16*x^N
zjFeDkVk(i!PT&<gaRh!w43~-rcDb?+-Qshih&y%H)|`K?4kntoXfsRN^p7$t$Py`)
zyhQL-l4$Ty+u1d&X}7C3B@Kz<bOcs>znQM-fuWx_C+f^G<$-*?w^)7@`DI<6PF$5<
z)dbr}Yp2s@LK^5}w`g(cJg^46RhBH#X7-H$0S!ov&XDlk{ItNTsqzy?cQpwo$P>xr
z<T50=!_(PzmY?%rwPAUEh3NWw6nQ?sWjHEmQsJ+(6ZwE-mD>{7!Pfea#qr8oBLxF4
z`t}P(%6)^g*x#-AKEF#kp;-`7KLD{W<e^YDRAd3<RR<uSxG@{y<!^vMIY4UvmyDCa
zYQO}GLnKu=iZ$a`j1yxEw0kF-Rt*7nD_VyU>P5wXC9zEnH29-KM=2iG4;Je-GCjyG
zpQ9Hkzqf!{u8V6VWr)DdlnHa<Wb!i&L<&<ZkR&1x;oy72Xm;oUvdgVy;|AHOrKD?t
zljasO2tgZ#K0+bN*_{A1zNC@$vo0^I8_#x(1hN6zUWCWdzzmr$3xDM-<R(WeEGI_)
z*;%P*;)@Lpj}SoxncXQam)igYjtB&k00uAiS-`0p@z~1FA21e{f{u*hFaN4Eh-yyq
z%rWoFg&@tM;#`tn27h~bN7lJaz&CtJDU&Wq3j*pfN6m3$#LN)h_B3n|W7<Uht*v}*
zmBY+(2-4JEk@UveI()PYBxjrtv|1Hpd0@j@Fr?q==%#B(sN;9kWL|)OxX;V{`r412
z983~|FIKVHbURsc3AGq6`2m2}M?j+0!ZG4PTt2Y?DNo?Sb_zDkMF3k!D=lJObP!)F
zN{V=}ORkWxgjq&P-|M?Tw#<@=5w~GybIBg0;<VX`G=4z4&9EdpacfrGscf_{OtLt|
z1Ue`vw*w{Xy=->-J>&eNVf@Mct+4yj+ML=If-z91HZ8o2COhAIXR<4Ukx($%{uqXh
zgzw-D$h12_#8As>$PqEf>@@*vvnLx>_vxEI&(We{1D31gL+f!af@700yC)-1@>9Sm
z?M^BHJeXyK2Sc(6Nehg&<4H^43L3%r50QSbMcj+uLWYZV5De@PMW+%oKk}5*q{7wS
zR!NWrj=bq%zCzw4!~~6d>-UYjPohP#K>P*zf?4?f0o!NPc&Iy~cbGq52H^u>o=aPy
z1zUP|!B^RSf}+GYCC-7v=a0~{3gp&iAoG~RLyK^<Ay!6+rjlB5QPNog*P%=w)($Od
ztcV0vV9mzz(<4?}cccLN*un$;8Z<=hs>c*GBhlfe%sS)p0}4osBDHFhAXCr>xB4Y@
zt>;98Ov3HSKx0aD2{s@s4NO!bm6x<P$_x|+$%B!w58DA1;c)PY%Zai)MLM2os*D$L
zXwM!)t%<yM6u16R-<ifpx$56kN05_qKepM{_UUp$Hq1dC<K_R#5%BoFx<lX#26*`P
zgZbS?us?{39xay%a#tbm1Co|DAn`c;yHCTfD#i>@1jjcs55)WnrGY}0I{ACd0Dg^R
zLKF|VLS&oOr$&~Ses|&rly@aQk_q;RDDd`2XJ<g_HE1aLK~j<72EqNJ_CS8g%6J0c
zr6m#cx*+j;BO7fWx=8tI+ykQ9u}^N!=;HmOXU_1k*yzt>)Irr2Dzr{kb~-0nVlJ%v
z&Xx4Dubk<2kIoR7FC`0rFbG_eNV0aI%|d_mC}r4xZpYbUxcQ4SBCtmp70&a#^E~nH
znTxkzRPtu1(T|96b|?f5<Kl=Y#kri3u0a;V-e*mUrDiS%Hvx+i6A`tSzhOM9w%oF@
zqlXYBa{^)-LOjVX!Dh@Z1m8><Lh2AIPIgH5_AF}{1jJeyLp;cJ8z`n10%#K&m<vD&
z9?jj`ub4nAH(L7c<0U3=AT5Usskq<pk8#KBMf<4ZxXMEQM=(A~!0==S)Z1rs0R1UJ
zF}*ZN;WC;7VJPyO%RSIi7bN_o>Tn^njtRNXSr;yAi<4unH*pkSN14|&KJp{*6$qjT
z3R?zH3YKBIZhFb%X5xAvh?i<`@}WC(_i?(`xMWSn_1BZD(qo3WPx4@eKMM^c*<{Kc
zaq!#jBToc^+5LaQ(7LqZ6A2_l0Jjyu(Gmr><8I;Rjg4Tj@+_Z>adCkFm5m|_XzS9m
zjesxOHFpZYo!^`SDe}wL+?rt9SLm-5%K_`GyId#CSx#-F1n_0c`d7N0{vuQ4?1f!&
z|4`cfI=LVEF4>AlCOF3Ig42?BQ$G42kHFd+us&#mhc{5p5&|XBc!(8hj-^)BO_GsL
z?QcW#0?VwsULZoMYfQ)oki%e}O2I)PWJ6$(BGDNXM$)=Ntm^QI#<YkwiCzhjo{JUe
zOFLT5*LiLFB)=^x<0<BI3Onetp>YL#+20Q>K6*<x5I7={MSD5L?O&|#O`Iq=tO8PS
zNCI-0I{q)trHqIeM%lZOij4~E74dMR0ZAP&CR6yc>)>%Mw#}<}O!3_a`rQ*r6STrT
zX5#^i<FMhtW)D2sWO1vGzyKlyf%yhd?@5Z_5#~Xo2_a+x^qFJHvdZ53X9^yZhy+@{
zMt^4kUXoYdzskak<ZWACP<(}2;qXRyWlnNjSOR#YjHXSGhR7B-2Q7nO;B+!oI9ODV
zvq}R}Awyz18Japn20^(qFr@~=*sL!IG3dzlWs!daB`9)Ig(WZRvH2++oz)HCTHTqF
z6bLbpog^Vx5>H8?VL&H!kr^?7867dRBO72(2*>*@DC{qz4&2tm-oPA4%^3X__|&Wv
zsV^JjC1xUPVZ9jdP)N-Cl29aJG=}1&TcRHaXBj_yFRxP^_TDGAzX3XA1b!N|WskB(
z2c=LVP#@hR2{gtQxTe}s&A3o71o73c=_H6Z2ObtZ$$-=-6hn$Oz1hafUJfQmz_tc{
zHejOt+JqvaxO3A<D54HdwmV5iH&Pq09^!zN%(96$P%LoGjnv5pESwPN6ehrhd?*lU
zWp^4n2CzDAldOH9p?`c{$`i~9;WJ-=%>|jYh=eprsz!FN&>m(tpP)ihLdv+{j9Og4
zCZVqN%1afXt$Q)R*e!!2AOVYG5N(!1ithH<)F>ldvhj3I5)U%$F@UQ_ppm@SdHMn6
zoNLjUECN^PBN6MUHH~^Q>4SA8c*Ap6gV(p{^HFD0p9`DN@rY*h9wBT4FI+KV4Ms~6
z70tp8I8QW$#c$c+g#<Zzvi6JI?XuwSLG_|1F59F|d>N^L`oRYhyZUx1^D*!(Elxsh
zB_N98)X@VUGFc1x%vcpn$4*rlOeVH};x$=Ywvn3AqhNJ@iQoSt%6pf<YR+-_E~4iu
z>Ogbv{DEM=q({<S-ICKoK`T;-sD(_QlSog!cm&m`HJf-nHVM_r`*bXI6e?i6y51-)
z8sTF0Wz0{Y9$8GL<miN>((hQOoG`E_Wv-ZorkFy2V2Tf9XI>{sw;K}&@(sfI2!)l+
zu-cY21<$YmDV`Dg`2&%pi-5AS^4h{^8ocr}_!mH$Z(0h8DC`LuheGr##6QuvKwt;X
z&gCQsV%*5tOzx*wX4KhX;-#hWSSQJcKzA&R!;n})NUma29wwNvAdp(zO0rsmREPG{
zK7`33NklmC1Ay}g49{Op2h1D8h{DPv{4B{D%0#3r)!aSW*SL}BsX~v2M_pXScsSo5
z{J_eMKL9o!5YKP}Nitq+EDA?LL>+h;kv5jshc!c5`N0nv^hv*R*Z>E30nC-O&`oU2
z55R%rDDiVsx87ljNyV`bS%T;xAs!~#w3VbQg!a1N^Fz$|c=vL*NVGVZig~ib1f~yw
zd{{hik7cM8=)mIpY_IQ3Ddu#f(2!eBm~ZGBYkHJM?+_x9CmO+!*MaO2Owmij!zY%V
znXQFS%G}?AWn*=tDuK@ok%@By4xb@QfX5_f@yi$>=EBw)v!ZDB6yVJ#N_6fGxe+i+
zJwb+<q~_|lvP4c(5C$^04N`P<rWtJvh&frq%Bg2iEi^zWB6AF5w+<P3es-J<uiB9r
z*gpj@IyX)Oa^)}zY@wr=%_JDyl@?5?eL~+*rC@%$$)uFaOG)$zO<6B*F|?3#DJ0>T
ziR*3Dyu6`KjTYz~cC^E=+ncIeBj5D={O8*$FBOo7czR@O!U2t-Jb>n>plHK`0a|yv
zN5g=9XR!lALs#bzLqSmk?B}aFsb@JuBrAvn?VKC4p}?i4F+5OnFoCIQh(p*(Cjj9w
zim;&uZJfgr>76kn8vr33u?O7#hZQ6ivk4i4cm@;)lA+`rfDi=4&b5*5Xma!@t_EbG
z%gow_PysEqFL>PwIG7JVaD(x1w$ZonzR?WaW)`~$EW4Mf1f;kYw%W~H=R>zWdquY5
z^6RFCXUGWJezzm;Ghu^l8+jhtNDso+=LN3Am(w{m^xu(?T}V17;vzq{M9=pW^1k}v
z%vs6@U<hoOHwAwX0>AyN;%U?&GN{RH=zBY9&8c>Gs?Jrjw03tP&0##qwruEHxQ3v<
zoel$XkFu_1tF(nM?_hg?fgk(K?H4!@zZ)3}Mx(%@AR$&Hg8P!Aei+^&TrH!5{X`-H
zQI*3wI*#HVl;IYulkUYOEr;_$?#qr*vM9D{IuTR~8hB|oJ|B{>svC2<pY1EyFiIyi
z0NdwBSvLw-4fg45%&ilDgCnD@gCG;9Mvwd$fZ}fflMyM2QPXdOBYQP8#=h&^)yPVJ
zzJw4t*FLn^7|0kxz74%*@Y_|bG&X>cehp5)N4gjeUEx;z(&dybBq(_`J7}+hNQ|tK
zlIXH)SPjL6>mwdyR-BJM_?({P(vXCrSs#i?MeZuam{PhP%LnYVm{QR|YQT~cc;es^
zSQYf@6ylTpZ_2KRy2hw`0Hfdqeq=T!*$fiK82rW{Fi@`1*N;*2n}EjMS%Sz?Uc_qE
z8o=K?P6ucG7uhi3o1iqN(@0aw(P&J-yJh9&r56Z>OG<P>$)Y*H6Vb$w?Nm4n9yl&y
zA*T0VfZ;GoPb@jG#E|L$ns1OucB=L&oHHS^KVBNN#j72aIv8R2HIz2CP;sJQ2Npt}
zXh_=Pv+0415Fx_x^l{>K+Y?q~zCEa{Eq}eoyL(Qk95H_!k(>IProQ?AAd}6_ZS32*
z!-SHE8Jspj&a+A@_N590%~Sn7hG;k*1l7fB@UP{Rj#=W1CbNf`9|VR@J>R5$WeD_m
zaFgl+O<=6~T}Z=UGJ~wPoH$I<Tspj(bRoly6*r_9sZ@b?mDg8rqbe9AL|;egeFw<)
z(<Wk7XiO!*CXjc`pzEr+>me3uBn!kvD8iJ~pa}?pZUjk?$zc1Yk)Typ>fk73x}QwU
zGn>3j(mI?ta2+G7Ge$y9k}k~mL$o^yJmAZw{|b=m2a-rd_=Yi2kT<VOkaA!Q4<S2Q
zUz<RB(SLZQ)ewuBPg+V-6AAh^Og`Wz2!oRdjd}!bov5a>XMfZlw_}`0dps9~Al)(4
zqU3D&P75Ou|8<jqWY!_!61kb55SAgRI_j+Lv~K$-1l4v3sd1bR%O($ek3CvJFA0;$
zg-^m5_==ZTK?@j++mkrWKOrRbXA0upA@ep_Z3g(1@#K;?<>ZiAF5Ey*xJ<1#XAdog
zhm{ZtbkUC<Q6wRJO`19lo+K(kK^XDr7SLC5wn<spImCcJnMz0dd~~W0eknZ|H~*s^
z(p<W!4Gl*wCF35@Tezj;i6H|fkz`?1JS@)4AQELUnMfd%AG66?o)n@49XmQyZ%5k2
z%0M_VqiT>r+EZ>1#Jk6WQLOLxK%V%{m51#S#FSwNL`N2KE3CBGbuY+4XSm;m@PwLQ
z@)LIK4x)Jw&xG6|1`b{K#50{5>aDc@frI5MZ37@mOe^6Lyg$Wc3Q16;N}{456e7gA
z5l{L78c|)~VEYR5zJ1#y$Ef@e1?;<h@RUOMR{7|S(Pt9|SlvPAo1jbmAz`xmz;Foi
zZa&Q}qClZ1SoVIp4Yu0#dKat(R1h=l2tkD#5#4nZ6fonemI2GH5qO<Q4J0H36olpa
z66gU08yhX?aV3xlVfiw+I;Hc;5mf81TCTG4gcV_fMSEsueUVS57fcPjB_jO<h=M(@
zRoaehq7+k<*SG?X)H{Z(;$nd=Txen`f3;18-pKoaT1JGga49y92eE}6fBHZ*(yx>c
z^EOqPfc3ZfoR5g2MC<VyGU9#Z`AlkM;LvA^hE57JDgl06&$gopcTdg<p#8EXjUZkS
zFw&TvbW_VkiP8lO<#*5}7VU%x6l*jJf)|{Vau}S!AfSj8s20tB5nn1YKh@Y7StWCQ
z&!rdEFi>&;N(nLu5Kwd?gTTFjb2t>-#2P0^VkE~?^PM4}d%ysJqz5hhffNP%S(QLk
zRhuz##U^8gf;@nQ9goCU(U4Qm6;xypiVp6UWl5n)^#ywx+#E3q8KqDdn=ed2dHV;f
zB%j!;I6)FJ@0h<3&!iP!aic8Xqu}RnF*xU!jH9?!zp<xqMj9bG%wFF3uc(;z6MVhB
zLB@>|B1&X1_^ysyvnJ_vsb>3Zv1>#WrLU+ip)D)bX<WB$V{S<#2D>Pc8ePK$EwV_7
zVFc<UNtXUJvGI1%Z)gS`@Cmi7L9-x?N(%JSRM;o3h$03e(!PS7YdefdFq`NTj2PP}
zY|DtC><xmKWEU!0`CZ9vQ%PN<+&txl`oIq)Bs1hEFaQZw5}u973<?Ca!Eqt@apZuW
zL>a|eh@^KN?{Ws8kdRt8ksc6+0~e9KvWmDG(-p)=;Kz`R*N}+=0+GCg`{?kH)NfL5
zh?n4rpfX*LAM3Z}zO}rir7fdz5{PLCy9*0utkRGn!NzcwsHJI)BzXJjE`~0aQ{noT
zzBi<r_Kf3aum{HaMsc&%BgR3Id4CSi@W2X;;^*zAHhmisEjwJ&z~eZy>2d<2!5c9d
z#iUy_rg5B9^$_t;Wl1tdaaqyL2mlP?r_hA~d{FedV{gLvnd(gn0Q=Qf`XoedtF@hX
zdfP?uGt%S4hH>f%ei1SxL4059R8&rK0{D^Q_-GW<P>At-oa@E$BhsV9Mnu8`kVc5U
zIHW>SW?nCw^XQ5K_=Jj1BnEVQ6IVo4zm=tG)5Np2LzLZ@6|l`}CrQ9x3qP_-fr75e
z<5QrPuFHfq*_;SY?#L@j(tLvv3q2-2!1cMJ6UFee(8J7$n1m(xUm*puI09XXi(o?P
zp0#gEHi=Ld!q3jl)k{~h)L#masgvLd(%==sk1Wp$20_7RW|UV4J~@dM!H+AC?AaB;
zj}`8#qbV8Vl0sQW?NhEi0ZSQE8wBVRjCnPNwy7*@6rBB&viyWF;^aM))pn{$=ebJg
ziua06u|!VtBzyp-{1Pim@;)7SB6L)&ZTwKGj;M^(5`b?Mqj&<1^M4BCCy|3S<9cOD
zB!i7w*Rb9W!30-OY&5V)t|h`DJi+)3Qx{+#QS6WzQ86rs6A~TgW6=;lIA9Zn8lVvu
z8D*Fw61T|`(9xZqL`()t1B5QMQORAQcNpXmpi|bigG{@T`++W{EjOsJP$<H>WOE#D
zxGrSyP@W4Z89~TOiVAs8Dhz0eay(u586rl@e6?JX;G#POFg+_y0U=2sZM#ZxF2KfV
zJ(Xi2k4xGBkBpszXR8TBz{W*BGLy8j*R4!Oa)Zx`3$l*JbOF2w>H|l71@^oRDIwM~
zqqTBed0W#)*5g^Zwo+99aUb#~eR9eoI=C@fzCcl0Kx(x>zR7h}RRGMA3eC_TZ&vql
zV%>p**fQ(G6_&$qkd#5O0>>E^<2GD$w{$ilc#>TYirLf(2m)wE+`8B)oq<(B+=_jb
z0LmOPkTA@E8PE!mckPXZv`FO{H-{9Sf;a&Cgu(bK3pS7TXh^%9T`O`>R+1r8r?jp^
zBmo!vV2NSbxEnMJT|0u@=LKnS02}jKGvRt!x;sjO=|sCshiq541oB3?3lIP=yub<G
z)ukO<JY8xo`6>$7LI&U;Kp^hW=>TOH02KjE!qxq5tM#%))&*rMEz+&cslVLdw^b?D
z{J(lhHE?$R^rEa---thqxH?tIcjusr?b&rd=uuqLm-XegGa#o}=_*uu>I<%g(<Mz0
z!$)q6xm(DztT)KJ`&|T8T8g*L$cOkX&aYt^x8C@}SmtV9BCFw5wySYaRM7Lo@KefJ
z1suZsL-13|Nrhn#!A~g9#LpKYg)=;RMg>&WP}xjy7De?qVE!peB{=FIx{&|P3l0y#
z4<lw44pK@{07J;b!2y_AaDE7Q<v5(SgMb#mAoMsjfu|{<$HLrv%5gk(XJ(3zgXT4I
zA}J5ql&x^(+&CPHxHlC#>Ji;kXHp;BRKHZ~)W1~Cz~mEB^->?B)U%X_`eX5pH;vEC
zeCkD`LCrJTv^XM_S0?oX_+1KYFbNpI2-)Po@M7L=H5tg*b()YSCM5i|eKjhP-TkRV
zQ=ufl6q72FpiqM+QEC>=>o-lq)`$b%H7tRt*MJ`-c-29s<ZnNPR#wv6zU5gCLunX6
z{DIREKPyGggF;{v4==ZaHMmy&4W-tyPmrN#rX#%yenyy|E-G2(c&ma`CcoI$4ht$V
zraW<`x>J`hv1^ivNPnQMpwf`sJ_?@*8b3n(dN1HI$H9OwR18Q70Z2QFUJ2zAmv$bB
zQuF0A;DJ!Ga074$_9|Bhmz37t4B90(4Su*V1B{(Yr{j>_VFw+^=Y#;=0DO5xN1$Ro
zJ~M|v80ESDh0OIUrw+7NRS(pd{h9|>yUx_h+s;-txCx`%YhsUpd;AGLrl2>O=wK?Y
zTjK)oDv3R_G}l<h(;7^9cyLh=hpMf7gFSEpdkEZZWoc~M{yj3eEUJV|lGPPT!nUod
zRuV?S`imZgG&jrodMx&8TUvv__uxbz&J^+R$-*#1Bmqa%h(~8)5v8~US6}}~B^Kc;
zkaDJtN?MUZoh2r5(y^&)1F5?@q0tL2e>6Yc?X9*W4M0`V*aoE^Ls^AT>Y4%22VlVf
zUMo!#E9g-y(7Oyv66)Oo>@El@$x-VpX2BKH5iJI*SmtqQK+m}LG%aC#)xh6(sv46z
zlwzuCs3}M)st8gE14T|g#;cO(-rA|Eq0dr=;p>vwYjd+q+!kw#wDw3nzL}q)U0=8q
zq9PWJ>C$_u+(AkfODvTEVG4+Q*Fq*#+cjhk@I~u*)h~-*c1p3+$vK0w%DHN~*toVS
zP<91$nkS%4xh9*1s0`TWcmk4*%5HRJumWx#w=|OA2&U6^;A2g)Zg|xmbfHa&Q)j_>
zEx4@$X*QP+xRuVWW*(^<9Py2W(EM|Ma8iKkYBIAD6?r+>2}$;#;BOC9LC|p|tG&Go
zH>+o(`7`BjXi(e$@u2VkWB@s^i`+_;SzZxZgpZ-W^THDVH&$Upt(=Yt5WmkEX8S5X
z=1wsv7XTr@<Hke6SE0J2o@fbHkQnl@AuEvFBt7>^TvPP)w!X7=4QExTG;a<5o-H0*
zavS_SQ=fp%HsE&HRsnX@H~4+pXMW+ov+hUQc{e)@^v<V-{%6i-S^>Y4#RL3<J=nMx
z^**0FPeT5u!IXvl4-cjUfeZPbmSw+r24Xk{=7)%^gtf$RZOvlY&w~YJZDt6HFb&4V
zVhe4m65Xcw+oh>UvWZ6QnZm%I9M~pz1a8}I$kY;O#<J~W+7QVl++(saQLJWl@Wgcp
zC6O=tm)Vo}lGg~r+40lR>~u&;6eScU)3&s;a4oVqFznfUMT2lMdkL;z5TI379Kpa7
zMOC%cpqj4LSB;b$P^E6VwJM?aip1wAL1s<iiE(>PMIiS33=InlG_X-#=@5tz5jvi`
zFuSIXAnB0ZEB~RR5Nrq!7jg)}F<b5f1Su?O8qPGdPhwO_55f)Qnq@SNZ+azH8ZgkG
zMA|ax{UJ16aXOZ~krnp$sQOas4t+Y7qjH#Llyf;HhwGw(YHY=S?YW@cG-yfb#EC+F
z+)+x?&ZPXM^(*%&hB%|5YHDtDO0c&VLr|Z{08g$i&^^p1&h(MFJvDb-fp1+}|C2^3
za1#D#*Y`o2)fEd*m)M%Xl@^xpmk&d2ij1&?hX%x>q^odKLWhm<a9;G%*ET(4R`o2Z
z-4Mt%qdsf*NTCODhJ!Sv)k3IItT7_r&Jtal<5d?}n?>g86{?sd1hcNx&!t^GNjGRf
zxx4fFh;LWUq@tro8Z0_!87cv|#>5*b*2}<NaG9Iltqnr-)hJ)ESsd;VpuBF8L12S}
zPidD=Yr<#(06QtAo=YN?pfBMi1ftFi?JyEm=H`zzu~*=Zk!{2!zWT0(=|rLQWD7#@
zzR-81e6IH3lTuc++O;p}waKzN10C{}%!PeH?_|cAxQAq}Xj;*^Rm}qqkmafZRI>&_
zHNtA{;>h@SAHTY5hPBlLK_zX1?tOHv4`{0U$Vy3J{8A|}%2=<OEUF5dji92$2uWg^
zQgpDPLeN0uB3$&Vd#ex^?nb;rvCT<Sa02j?pTkquQpb>vTddnv+%e4&u13LmJdIwG
z<LfG5O7<IPf!A7wIHC;pkRnHDXo<ejqg;jir5p`(TKZdRQwc0lD7mQDQj)|bQo2(A
z5~7lZsd#Bh$ydpK5|9$!QrmYPl%kY^m4ubu950$VOo>-1LinOyI$UaA@J(>AFcId0
z61#+6J%o&@Z%J_x*?Of#?UE5F2o8E~)4|BA@Nx}lE8lAs;1W8}MJZAaEhvLq3m9&j
zWTlNWvDwK=t+BU|TiE3_XblE&+M;_Re2hkNz(_!s`77+Up#oe>YCu8e?T5!=Op5{z
zww9?4C51AuMvKk6Nmhwcl_+5J2Pctbg#S;iQcg@Xh0y=9LIh8##H;i*!no4c1lDTU
zkDVVK9=MzqW6>)0EQJXm-U{`h5E$fkS1riCS}0Pk%7j}Soio+O?ZjdkswyIZyD~r8
z&v!Yh1*sO%nzhwFNbY5=vJ~u-<wY}Q%Dzgp3-(4CDj`1WJ~-=QidM&5!Z=Beg2^1;
zlxTfj&yE@r_0X>qY@*wsOB5*~?zdQ*n&Mvbvbw?HYB9<Cm@u{!?7r+)7K%?gja`MU
zd2~_^27w*iN&+_gHWkaz{P&w`dC#$G^gPQY*Q#D?LZrQ)b+&qvU3|LUs;jqKm!V?V
zt#b_jaw}boQzIC?)XjMFp<|-9V7$B@j3$>hV>J+u0}g<M=&~%XH2~bKQvq{nS@?BE
zVxR#UFcMr>0?Z1<#!qYB<xoK?zaj0=yVwN2e3uK<*C!QXZ5QAL6Pz)dnZ@A(-hjR+
zk<khedx<R%AU`n2l++H;g%X_=c)!psGiw*^YysPd83N_!2pl<lE|`Dj%5Eo9!mr#)
zM&x7<eHkuhXffZxvx7m_SNe7WB+_Y26=~O%*;JswB-T3ltxN3;URtq+%=BPVN?=$M
zD;a{%dQ8|er#!G<AlQthe~1dvf97p|R<Qn8c}u~L166HT`Ao#U)R?eq<2O>OK@?#m
zs)()48<dpJj-0Z|ytIPi_u_|*9x|e)iVPfzCS<4?02SBP`B7!@BTE}`hv{YVp;;6G
z!$aMch@}?6PBk>XXwHHOg8ftU@^(N5%@9mVq2!=$Ckv;YAGbL+qw(OdZ!Hg2lL{|+
zxV`VgU)mO|$xw&Umx4kQv?z_Os72!(MixW{%;igFmz9}Jc7lnMDrE#zXbTC9>}V5M
zC9i~l5#(nz#@;I8%D|GlmBx|>?*&}r?ty_Bij?%cY-3@G<6t$$02HddR7{L%td0Tf
zXEMnZY`NdLVZV#x7VtarO72^OVn8KD09!hHab+Fqq~YS}B$t3-LH{zB$%bCw;sZD4
zZ)tvktWqHzOT!0^K&07Rt+$%Wl?^HaL9<FV2>dxkgVu*HXwed#1uz0uC8;xPf=s58
z$;d|^&}uPJQ9^|=VT7&*G33@L-<=*H7cu@9I+i{hrXNyf;7US?a_Up+n&$u->0PLB
zHTsG*PK{8lg`AiAEdXYrEHtKFOdt+lBSBH+r6t;J7z4+W%wg>pcuSqa()b38x?PIW
zhNEdNsxp?DmpK;jPF6$sfFt0p?lvbeBc6<uUP91OHQ7XwXc>jX*N6nQa6N{2@WrY5
zG`TP;GQ@Hpf@v=n;i2tM<Bo8sBSw5g(sAN)I&h*lVLWlhNiFb1vy3xMZ4Wx+L*=1h
zZ-P|;VWfHl&*BF)ILG)!a0HHu;2GSo>OM_gnpE*{?x$}G4M!bk4IcbSKtREu^_rD_
z7`6+h1HP`!!P1M9xH`<`Y3$HkgI6eotuw1WVOY*(F-rx*wa~R`<vaXZk_)X;R8R74
zIMU4v1Gp+$nqzH(dE<U1o{}v;Ezy<jrABhyM?i#V(zXZHDsV1EnKm{!xCE+LAJe)>
z`9*2vcCs8&lvZQ+0OBT64p;8SaprA2l^#t1FHQcoD<){wLtEHc_f}zp!Mef<#vHfR
z9K6D$us&K{1nvX{zGyV*S{J?vno5IJ6O6ac8tFkY;FGW0V1Y?4&9}Nmv&_kCNn1@V
z>HW7DL0O`p$WoA#NToCfIi?9#Vc;YS0~I6%+~Q?|MbgqSWs^D)ICs@6j&&=VH!Dia
z4kFE`fKxm~LU7DkoTQw=3LwUpc|7UOP3U6z_nc+>q7VeEmIur`Y~vT9ys$J|v>EFW
zrdj8cg(%RQNVL~MIWRJ%V}=v{RH)!onCQ$Cw&D6S%%!kS8+!UIm^=fi8aSCO@^X~w
z36%H+5~Le~nTxftyMW*;8)1FgKr5NTp?rJzZ=p@l`A>LAqbhpBiZG9yM}>UCJS8~%
ziY9)BrQi`pXdudx<S3Z#SYP!hYb3dfCIiUBxxGVE6wutX1}K-jgoU9+69L~f?oiu_
z2igLNw~?r_3MiQ!_Lv$do86AZguo#kLv#eF!J_nqQA8-BZ*(t_fc6wa^f*ZQZy1I+
zSkWz@_=nmu2t5eC5v<dKA}DU4upz+9aS8{HTv^C4A?73T%xn-4fRDmIsCWn>pk+m=
z55WY!`q9WnX$8_bi18eHAdCO(<LSjSkmvX~_l+-&#)FGw!6C(C`kT>)h6nA4^GRxP
zU#|K8hvK!qbfj_GcZjN(@fr3&8{R%t7!1K!N5>omKPdPEyHAEY!0JH*;aH#JKYaG_
zB6fs`CX=;0QQwCIPYF1Ep*EHj&Ru6!S)hsJ=c<q3PXZDFK|C{nKwIjE{~i(|Rl<+O
z1n`hTBYUV4oAth8hATKk&yH=p<}u^PAkW1(HF2PojUZ4<2oxSh^2Ba;`~(j<cX|WP
znnMdb0$YLmd7X>__@I=7MO69TtfRF~UmpT?NbqrUg`(a!NvRf(6<dp=HG@}pj~k^8
zu~eX9<YOzWM4WKLY?@DH9}w`m2W0@nodjkek#brbV$^KAmdF0k@h3cFOH52(<*@JB
z{O94HCHznz`4l@PSfEb(D05I#gdZgj@JxPr!bA2wiUz(#4+2Gs1UI2Tn|?c%H%bK0
zLWes#AVuB<ICyk;`M{9^DXAb*3`lvD2))G)j5?GJ9zq2r13BI%ER+f-3=9~Q3P&UI
z`N{x2lk*CafZSM~;&Sxj20ZwbFTnVhy%~fI{M9*m&QP!)@IghvK<*w=G|q9M$0r+|
z26a)(hee&_d|A-PfAY9S!?eyp9L9B7(5Jy3;D34kCug4D-cT6+ObG@9&yYEIet#jr
zI(7p!ykLX@AW!i*dBAWD=L32HfEXs(I!q_%=ba|!$Q%hjT=_H6`N0FuFyI;bIp;|L
zV*&+B=kuSadl~Ph%Vr%B13yd|<s23Pq-LTU3~XVS<_Js#n;2&R#ssSVFlKL#Q9hnx
z(7~C86LJhMWP?5)a6lpfm@~;baRW0A3N?_&4mrRCO~o)9jC9}}pqFg9zj&ukd6Are
z--$kN@w)g&0npxD5N15Y&FRzdH(0^(o#rMC2OAb)n}`!GEv}Ank2oNsJ3w3*&Ar8$
z2xp;?27H;OVgSc8D$IqrInr90YYfd0fHMSdiN4jRbLQD?6IxqFdJVL!GVl$9D-qGG
zy9QU_{KO4O$lhrAj`IPTrK8P3ibNteG~Y9EO^`4OZjrJkqUIKjID>!9&^5}8?q5Q3
zCK$eN0lH?b8s==FpT+|W^)O&);ebO(^61plf+Hoad0DV##hG$oJisxrhHDE%DG34z
z8&1Yqj5$Oj4l98W41?k_r_9i^07iP4Co|Z=iGVX=jf*qX-}&svzKjJ5(s0ob3-M}a
z`C@SIlwuB#5js%Vi~@{IH4!=<XqOj0%~+NXXM%uIaOlBYJ*If*z!`QYV;5BX#AUVT
z1Po)s3I-=kqC>z0kOq(i<phuj7xZZau{(eVcf<(dGKW6|4r7~)qZ&NTb9osEVWEd6
z8<`4a8H=Vw8Rl#$kVbkK>}SE5#vDv>GNi~eVhw0Ftlq;jO=&J}NI?uL8`xlvB*y{A
zAuuvT<ptK~ME=6b2s#@KZ^&8(>TxD_nHpmGy2j}mrfX@k#(S6s67)nSG$u&Tz)dSP
z+}JZM%m<tHYr&d@P{R0Uv4VqpjqWly#ZiKz3ntl^STGQ5xq^&yI^e9wBR$N_G$7S;
z943$$gT^xnAz8cz4~#*ZG9d8`1c-w+$lkRdxrSc+*rs6;HyfKG4GIzlVZc#fz7pn3
zZ7CvKX-)$5R~F}oWp{{L?_ootu|d$FNE8k(D5DWvLbJ+b7Y<fqf(A=OL@To*JC24%
zL+gL(M03azQAkaQ#4#Jq@-2+FvdE#ur}c}uFV6_#dJGqK)!`W~i;`j*MnOC`{ReW>
z%0Y#I$RI0c2}L5q%0QG2FI>A)g=G^0*yzbfmB3#Tp$as>2#2Urqsnb6Ag>$1h&ALE
zf*{eXrxL14gDvQ_;`+<%D+smn-plVVz^@{Ng*leISIK`x>=$HQp$k@x2!L`51RbME
zHwhzzJL3#^LU+gw6RJQ!o3eaKv?e^C(sPNFB>;et7OL$Ma(qK|c8tz1gR+7e6T!7$
zkXJLJAq9PPTtF|hp`hVcyemV2aj&SJ`k~!b+p0@cevQlQZeL<@`o{_z;T}Vv+V&1?
zlHMh;Y2F0~$_WUo5HW#QMrebG%FyIOq6WUk1;NX)1=ueU2VWEw{OsZki8*G<l5iNn
z>0&{qDE5$PfX-;aVq}O2gI$C6RSwF7UcQ20<%A0g_hDu0t~3eYgc~-H&@Ts>aCqjX
z0gh@2NWt`vP>pJ3F6Ut5Xnd3upB_R*8WfKQ#>H<E44rjD&y0g%sx|5f2#6dFAa6lN
z2qbGH36O$HRnXWGYBmG1us&NrQ#i*0M_A`N%O;8(=wKY`Gj4(q*@1k{9N_yDY(l{O
zWkaT*oqU<yHFHHc8hC<2A=T|=SIA35ogqa*E2G1(1CUX5=;YYGbaL_a_PQ68@JJ3<
zAQZq>qM%mQbGj<yK|rgOz^j#l;8y6G%DDNC4K7oN7U5MxprBRCkf$+$R}YxYCCIIy
zV41a%9pwP5vY2qHgF#iODG_%!iVwKWHjJT|!?xA{E#ZQ9K|m+)qWqz;p;&0nfCVP`
zT3V76w&<**7s$#!bJ-$uJlMPuvKwyzbTxvOvNF_DEkaV&-~w>~)nv4OU>K`>*H~Z?
zV++bu2}-LeKsU07NUG?wk1a%C<^B#;*kiCETyTEuMv14gA`17M3@fOqpcjPgA0=$0
zs96vIVM`zakvq_XY?a?>%NSNu_ilJTO0Ofo`ULi*!WZ^b@s3KtNLe`wD3GBE3hx<I
z<0$#MIzr{r7cKC)ZeNF4NWuZAPS#)Buuu1HawrBDDAVpN9w7`kQDF=E+;b?1FoKA;
z^t4!Dxsa4r69MrRx*EXf+&!Fo3^j#@vQQK}{3=l}nm&0MIUr<P0|+AJ>?S{=BGgz&
zt&8CRvW^g-rMYp2Kd4}L?wPH#IbOIxPeSCNcSm6&J#b}D(v?QV#D1(GhzjyG`EaR%
zyX7VjKRfsL_zM-yc}1K>B9pP~M01XUv_sgn#7{;h`Od@WMoemyEnz$S)qeS^`}2Dh
z^LrHZh;~L{8Vp?2W)Y*<YZC!}S409qR)|RoW)-*gR#}$t`Ue*9|07`Z#(eINX54!K
z)jv{IKU9@3RFTW2f`zP0$BStif#X~S^<1S2a~G=N%L1`ApPQGH3>bN1QJ4w|fWEKL
zey`9{XUeTYf~ut^90J5nY+Hp8s`YHCc0N6$FyzCGz&%)LeOPGyU?6eRCZi4?RRvEQ
zNgW|QAXNkE1aKeUy$xXCEgS_1zf;%hIfdS}SNN?RK;th)pn2;zU1@y2u&aKsvI}S5
z5kwEZ9zoBs8iD6bae={=sNhyqh{J*tv<ubo$n8n0m{Q4Ah_LGF^+!`12F}2?MxQH8
zJ~faBFBFd!6Fd{O(~4~iwb6=bMcS;ppbP^Fu8%!*y{MtG5+<y=UfeAQYnl$%qmn>-
zI<p-!vfVSXy)&}CGoT)pGQBZmx>0|WAyyK6CH*dcdM@siG1EF2<ti89oeOZzg*azI
zTr;6A8PJakC_jYc8^Yun!)grGMFeW1gf&n?8mJ)cR1j{e2scFp6QaZmqQnKF#08?q
z|3<I&ieJpieraF4(!Wa%7c{TVYEjeT*m(+5$YT~1;UWI6qQ|85N<*Ur>qef~UoKm{
z@C*=*EDvj4QZ}~Zf>dn`X!!00v>c`i)&YlB30nTE5v75t0Bui;>~!&N6S2^vX`sS_
z)TZ3X8Iy3FwI*h8CT4IV;C3cva3bS6Oxf(nMjc(yWUg>?6Xl%DdD_EpyEoU?`UG#k
z4fUD6qqf}hGd6qkHhc3fTk{|dIGGbd=3M$NXIdhcGL%M48PtAf;j2e1!tlu+85S(+
z^TLf0=aj>o!Xc757aXBOA8ef=_IAmkt0z|5mQHbE9O|kwB*5;{i{(SO?Bv!dtyTd+
z<!Z|7H{1S3tZ~|iEVYD(vu2<FGwv+Rf+0;iO<Q_z2<tQ%er#u3=%K<G0@BO}2VTRT
z$IgXsviRiZZN#M0?%_F~n~Qfu)0RQ8Wj@;+6jq+5lw!5HNGD$GrW{WzNg|J<C8txx
zytgk6stuFIoHV`sSttxN1{_V?4UvR|WLtQk`3-}&K)JmX2sJ$c&3qY#j!PK~8p$9O
z$-%NSDcHFIIkaZ`iE;vPE<kdn%c@sTQaisBj?NNY!(|RliUP*<nTtP@B!IE`HVabC
z4z_nQ_z}ZoY;X+#9-6S#Ul_C(An0Xqor4(=<l&Yc8&?V0oVHHU6>@fJjyQP5#}5Zt
z2#%(*qVdp9j1`JJ`f9$-Xd1)%YU~VPRPqHwI|ofiYO75YkU7OwcNJ1VsUKBE^;BOc
z;-w}kQeveh3Rb7uwLEuus)Nm1o>iIR_nfmlcfo~Z!G&<aRl@~U2b`!p<-z4!-Y>mX
zvh`NW)mm>=N4-@Z^;jpBf_Ye%m5F$tdX@U+E9J^pJCv(WD*EeHr&_8y)%B_FwS2jq
zOu0c!brwO@WG*xNSFtX+ig8${3++*2tysj`=)_ob?j`xLWAS3g;>GW!i{AGLdl$Xd
zFMBFpq&Sz-rSGLn-ujolwJ&<yA?jZAQoZA)dlKSPs#m8}uTH66ol?CzaEGOObxQQ+
zmFeNzRZeR_8;XD&RPBYLwX|1uiulc88K`3Z#ICsIb;m1?B_oVUNkh`H08X(Zijl(k
z)DljhuejxT!@G%pTqn5YdABRgrCn^FJ36^D0Z46Dxt1+67IxVEwt~|##g=7@B+C{F
zmMilY_S&P&s*f_NJ84m-UZYICMs2IJZC$1=^ErOTt$S#$&7!)@xpkRxnA)jrs_!zZ
zyv2FTHC%0s%C7S&yEf(7v%JYyX;P_8s+B6mCRK_|tJIlSsV%jGZ3X^P?vl+$t(~-2
z=FwkeT)xV=e3feXDy%C?t~A%GRWC@@PnA_VRqsPe@icE}&mxyzMO{IwFJ`GNHQ|v<
z!6KC+HB^Y#x~(gu(Y>QQYF!xAx$%~G$^E9MF{w@?Qo=^70UGq(l}*_<vS*D-Z5ou$
zGS1ZO+Otr$uvJr8sxt}}5h}k)AZ+8)5bzf`klDKrU}PAxIf}|xRto9V6C(>mW<ug9
zNLxxqqySP_Dl-Kd$VHYZESIvC9fG2=Udxn4>W<4)1?q-1Q5IUHGDDhvoT?-V2(;ZI
z&ghU#i*cnxovHpZhBQ<8(xKvYK52^8bqT{ds&e&NUaYIsi&e#Hz5!M!N|!XK7Fm8)
zE|SH~PNqz@nJ{Q8FlZ*HR3z$rol+C4`f4nlrd5Q>vYA;@sS>M-Rd-6Uv8yq$s}V7w
zAV;dixlW04n-b+VCCX$=l0>;AOOiynBrB3axg;x+Lb)f%6)M2yFsDf>=A~04s-Bfl
zSZNxF!mSCW5cMjgC0JQAye#|GDe$xG!?dcy9JnFfRsz6Qfo02qk;sA@)mX`c5T*xu
z+N#0bS%U%vG{OX_Yz#F%1=Tr(sm|$DgcKGMpsavWtObCr0?K;AX^m4AS9LEcS0soQ
zR5jS4E@yppf?X>k>(&*Ns=1woD!ipya7wR1Vyng=tn(VR;+0-<tvuygdJPp<>3ado
zDXCQfD!k=SdCH#imC5AQ#bF}6%($l{SDaS|6pHc+-18dT^BUOm8rE2mUR<=ixo3HD
z&hq7%<;#o9miLz}?yg&1T(&y7YISnd>gA{&o7G0C0cX%ixakzJBBrEM_1Z=hg;sT>
zvmT^Wgeoye3#+$+6Wv{~opZ1kV|eWzsxeQB!xVtJ#kovfg)wqLSYnn8n3AD|imbVS
z>Y7yQdQ{^jOmTHgT`FgC6<q}VGy;W2DI%=mwE1^a)!k2AOix#JJaLw!II^Iw#Q}3V
z?qHLFMaeo5JaH_{nz*?1f@r`+{OTPHr@xvUaNsH;^iah0-d;hh^idHxjR)~4ArDk3
zF;y2qPZ+%GK@-9!r1plPb4F0BR-|EZSmK3hj1a4fMC{>h4@)D`Uz$VW$n**68Lok3
zdCh)lXf92}b7(ZBlZfFl4@##I%_Kf?O=(J}YXi~_pe`w)^NMRx%_mR+RO-#|D0YMh
zkyZS1NmdvYNe@b<4R75iNySsy(yZEQRe~)diP4Rqsio(66;j&LjB6J-g$BYeGfF2?
z3nHjH6;*v%i@M66AfP&Ss@kAj^^&(Hr>-9$Rg2J&D{{`m_jC%}_<jsDN~(GVWk9Xb
zi;Igv7YKBR6X2a4iciWsHed*aTm?FdPv;|T<5^FufnKz5>Hu``I)WX24$Fsf12$ou
zFvvtQC=7)|Ct%3zGBgaELob1yu*xuHz%x7<XbSiRMnPZoPqLFNAX(EYBh|9XOYHB_
z0Lv)FZK9IvDEcw1y*>k=(=6lFg(U`9Y@s!}Dd-1?5H&vDYbo<tWtdB}esiPJQ5}=$
zq>%>^*X0y-`9&RmQAaAmUXLvw(!L;SJSq+#u11=VrEg=Qo<xrr6B`zehWyGe(gS!J
zeCvSo(<~q=)}{EUi|ssFi)CT#I!U0DF-{66?c?G5dO-ctGat5Jc2Ad$*!gxIpEgIE
zQ?=6K+8(ae$jdcyD$NxUX0AO^tB(`v<HXvy?5%)!*|Ak|8zZr(&1+Sbbii3w`81=D
z$<0L1po@wC1mG0+CP~mU#LTV(XcuJUCTs;;Qz&Y1{T~c!CiUN{w)#y|eI_+QD7I0B
zAT=q5pHkmRu%B#cdDH4-1x%?Y5;HT&m_aauUC}yjE&!U1>b|Nem9av!ub6$dRe3pH
zG#H6T!WxZ-6@DjFdsRGtK1?RT!zCKmvLf2{5~INQ*=cRdo1S*ma`R*XRx1N7_-M_|
zU`2|sXT)~bayx6e9H(hKaMyA-O;TXluH+dOW4&u~dPG{{GfNH-qIv2RPdyo>hobbb
z@!9_^Quc@d^bHSIMJ6M!zZgFKlqn2yg;hO5s*B?{A$kre-hwfew>}{oeIzS7_}Z`o
z5*1j)g*&jH&g?QqUAB8R+ZM8Hu~+k?1c@irUl&vQ3hP_hR*DemaFdx)rsR6O_9aj$
zj7jc#vadg+2Q!D{lI#+<ndIOsy^aj>#|0e%w~H@ha%zgUi_4=>vRqij#nckUEO*YH
z{FVod_B-am-6)6F=)Nj+R^rAim4e1J()BqNwygLXJXXh?A6l2%-fxRrIo+k4?$CXa
z4Tgi{(C`{7h8e4d87MG8dD#L=qUN2gCsFbAR=xrpXZWKNzeN&P_Bo%LwD)v?79yLS
zYm7vRhbVq(K%j$)L+CjqGXmX^%nz7tHF^-!a6iu`8-S{6oKZEvyxKHk2k}@P(V6OH
zxK4cqZNZ%b4co~8Qw`X!Z3basVfC}#Sp&s|ffQG0Y%pplsP_r-WgilWMMujbhi7g?
z6&^@Za)L!ig3k;et>W}WEy8Hg-0p5DwBm#Wu|TN!QYJzn4z4ux8Atl#X+~id662K?
z?5DRSIi)0G%9;)eBwI)IFeg2MHA)#CP|7NPPE)dWlapkezM$fP@=8=uvY?EW1U!)s
zDrjkPLeEM5a?kTnev#wMqMjt+=_h8nHZ9BA4iNOWDkZ5)EXsjqNLQ62q`4I*bW)j6
zS1ne2tF~vy@;pA2QS_UR<m_`M!-;u8!5p9hsSq2<%}}2?j5F5hrp_xg+dPP>Y(c^6
zb)(knN35_;E7VIcL`yJ4Ls=>viqmy)BB_Fdhjt_mjVLM2i*u7I5-6MfA6l5ss|3Q6
zybEvG%Xf+r(v9JnqX5``<GW^;EG*i*aG*UYp$Rmlc1#OHYtqUaCbbJddlN!3VDBp6
zpP4aTM=w~QfNs;@ivog=@Su;Tf@INl&=6IZ5vn32ZAS3GCr?#^(GD91i>li-l^y(t
zvCQ+sD^Aj+<ynC0m#RzK>!e6<41^y54de(hdD?+GjxhlHkqnkh&s2+ojS?G%;14>g
z!PZrJrfo3#4DmUh&e+XfBezUF1+WyYShzCQ(fzE}cGRVWJ84TQ#le=!7c*1yQD&wu
zUzakC5Y;6z>NFRuQZr0wrJ#Tqe-9AJi!6m2$&xHcNmeZKD5iN7OFW7lgCs&R$kFU_
zC`JsCc$bYovM7ZbOG(d!w4Cz8A(sS2NJ&D{5>T~<LKhH{pida8RMy610zyjESY$Y;
zkdlQGT2F<9jCKUDWSB7_B~s9aS#U<AhETMIP_>3a6A;RR0vT_C>n89P84FP%l}geX
zLJ1`&yuvm*;#e|En2^fUYFcM;nm8WqB9MH?Mj#)mjEI6wkV(1;CqFL-=1~0OpPBRX
zq<%t&q*{7IC#3*-Mu((odQYdN@bv8+l!KDWa%xUXNy+XtBI7gmW^oKj@SKbZ$i$q3
zNy<2!qY23%oRLY)ES%X%$>5y1$;ud<v<b_AoRGw%^h!!fPb8%>0R=ev$5Uh_JK|I0
zB`$I^S!)cXa#6CW8XeGZE~s8&MusQgfWcLbu@?e`RyvELaFuDYRPTg5lCU~8oLn*m
zC~#=1OjNcNNvmAuBa~My2$~=^7{5(w@$TxgX;l`mxj57g*XFk_!%-l{X{aej<F06}
z;Q(;sffJ^73|j$45waqw6-gqjgjHCI%n?!5Q4<wa$RejLN=mA;fCpBixi2<3!UYf$
z0Kc=2ouCg5Xc0(?xshGME095D$SCOrKi=tlg{gETo+Keh0#`c+w?anVJr!J(da)VQ
zFxZ(6P(z9P1i?r@VVx-TOHkgd!0pqamn$G6gKM(^IZwNOw-r?*deUnrwwk19%$3tO
zG3vyC?eyn|>2!=$5~OWDWpz{$5b3l?xrOT$;Z0a8*rpdGyGdPEX3|p=<BN+3r9mKa
z*@blFE29vIE}@Q7G0I{&PEwW`;0{$<nGX(CQB16f>NQJ6LYz#bS4}1i96=DHGE$7m
zHYgNT3>0-4k<IQCAnGkGg;^9@$yHTl7OPcNwS~)T_`ncxlqW!TYQXF$nX6F{zEN%6
zMP*c5D^XG97LQI<4MnJPl`v6hfhtBA92#=G@S8Kl>hzWny(J=YsQaUpgImTx9I5MW
zIb{Z@@YO>aq~lcNYMBjIEpl0n!K&#-t02`@8mv|o)(jCxVhtBbVN`Y?(ROmIF(~XY
zD5T?6g~b(x#Vv)z#*NDB3yM;1Qj>C&!cvmL^(BO*ll^^N6|Ys;VCKO}>uR+pP;{ZI
z>W4%S^OKLKCm$+FCzG>EIaPVBGBU}mN#?O8n8g&8jc1i97CF{=Dq9~hjCxeGvly0J
z7Q$5u)X0#QQh6?rkf0UQ87`2JpcT?tbcC7(5sN_^I=d~3xf?pJxSS~{g1N^p$Ae{A
zwxkwRV*GeAU-Z1(MFj{pn}SiN$|7VkeB@E=V-({*nZ#J;yW&L(SsTNTAF6wJBm+G>
zT|s+wbPr|$8s5gG&;i2=#{jt3hNFrNahT0PJE7=bTk3ZSBT%H>(h&LGgTpXM62JqK
zr=S1;0001IuZ;T8e(@G&#*9Yp#UUoA7{UQ4$~`q4>m8oM8L13U+PKh|{HZ->MS;5q
z0FOK}w<zL1C7m(2yD1~Lqzu~<&rA{*HbN{^5=oK1PMfzmxHYFC$?fzaQ%0vmWC&=4
zK)e&@w~M(2I06Q=^usp!4Sq23V9m_e6UI$vZ=j(F3=zhd%_b%(9!ZCwU0D4Cp@9Z1
z#@&SYiG)%Qg`orp_OrUO3{vGD`>Qi{JhF-muya{IV+Ej|W8_JeJRnBv6~S-gIk`IN
zr_n<9k|G|Yd*DoUVw0DO=i&+TI{4ZJ!OPot?1dWf+UDj4@^zJ`Wa+%WdVsl;KozjS
z03drO*e$`-f_3&>lpyAfL-&C(qUr?%jHbX-0<i7tluq5EfvQ=(fp2_Wd`qUmIfr2>
zFT<#cL2z>EiQ%uqt?>JF_)|h(d~zZNt_Gv4K<X@EJhsGTHv|DepW;Oa$QiqjxM~{{
zL^Y_`Y?`EBMaY>8@#Rbo26AsQ<0%EA4jF<(f2ORznoN!|0w&!su^W})?W%ZD5DY<R
zp}Fj7NtQRde<X9;^|Aeh?=dzTk?_!c>u3+=#onmVR8YrUh+VMkG>I)4u&TMoxAsNo
z);3ZwwNEUJfN@VHRh$GGTo8+LXo%l}&4N@B5t*Tsc<zQOjo}<toO%ulQF#ok{G&-o
zmio?;b>q|Jb|laWW9F9b!?)1{ME4xL`P|cFrib&W*7MLZ%SVPd;0}_2i*T;a_(eGP
zx5_OQ1Gy?)kjhyZ6+giMhiUnW(YP`RXJ%sjpyV3BMu8wJn-^N-H(@ci+T)7qd9NgT
zmnPO&Ncnt(GeHJm0}*Hxy7mnyV$$(Qb~pa1qBN|8^3YLlO0(rIYH1uzM6FXW#LiyP
z_@tyDSgoNDrR2;6?8o+PUHc29%oz5qL5G>mi~+k3J=w0Y`BMy~3vr%j*QTCUR_U-C
zSZ!x(bxk-U7ll{WvL$;OwEX5o#$x;e&qUrnonh9TODgI?qaB_ilNN2FP`%EPC=-=t
zxGAvaZio}zw5pG3i!NL+S))_ox}p1u+#-&wC-OfVoIG-N48u~jZfWk)QI5dSi(1f2
zy|JbjQTlzQnk@)2N=+l*?o5yCxPO7=4x#wY)(n&sDek~sGN|@<FfD?pI`gX6QD6<8
zB5v5H_Cy@1o!frvT$(}r)`5FM)RWy8YQyjb^fou5(1GFF&sBgD?DYU{5VCh$V&TvI
z(b=So;{oq(M_U&ZO$a!m4bUeX^F?0|aP)314KG+~src<r(x7+5@4Z+<5N|fvlw5bk
zTUy=y;VIEH=pyC@w|~IrWdvlr90&U2DekpzQ6bQ-1o~be%B8nrSm1iVh*j8n%!BMd
z4QBo+tKSs5fM`VxmZJtQCe2`G$0A?rZ|kIFsC`}Ps}wcpc|#GOJo?=(RA>>m1N$Gs
zM}(U@han~e@y|EBHz5+>lLW7#5)XPfUY``O+7cD9EO?cn7M|Tu1<fRVh$<mk19e&N
z-pM1;&~LrRM*4{B1pr*KQ)m>;vEoiN9W(1?xW{(lLJ`EQWHHz!OE@eY#LhDq;Ddu`
zDm@JDjw%QlNMx{crCXrmpdH`}FdqX|ifeh9Gf~@&eEg#mS0;#9DhzxeGR(SgLfZUs
zwbP>W4-t0Gt@<gf?#}8<j=~(QN;{Idp2@GD3XK+(IBF{Qja|#@EI85tR7PBg2>|E(
zVA7nW17#Uj*&;<2+{p<Pv>E}u0jsQHdQ-?0nS66KWgs!uMEh`qA{5mC?Lu&rj1O4`
zBxF_#r0dx_CT3LFTR3TiJ76=!aT|btU$e`Uue0KlizbC;a$s4`3Z2vWM#+uyOb~Sl
zVm9t}Gp0Nc-?UA9JPoiqK;roIRF}DhoHpbaBn8$gAQ0?W&;vM-98=2)Tl1BHgE*TH
zxqt%wfXbo+!T2A3%@}YBDx?EUh{4aR{qc1r=D(xIl1d3A8qQg1%Tu`fAvnEQcn(Et
z9RshNvQ`0P;$|Y&H*XNaP{8~;f!%gYj5`h|VdN(>j1WsTl*r<P(s9FhNt*1rr<b&1
z--~Q<OZH8>tq~}K-K;@3MG=&SfaS`)1ZD%~2J<%W%vXNwcu=&I8C3-sn;*Ad09A@9
zyOFUg#araU!%k6;WD!Y?t69*)CxWUwa_xN(mUvIs8&F_uR-qi=c5KlEqY*qq$%)to
ziiY^mP9`+1Z6R5(g>KA85kABN8{2Ti(nV2Ftr92T4r6qL5L$)d8{tKeYb8cFWp&Nr
z0#p-1BFw-##@Ll=Upz^(!~t!AjTyvsV)%~9HX`%paE4_$;lC=}h>nQ)Ff$|tTA^yw
zwr~pq#1iS9jx)x|cEkvsy0F6C>Y25xgq5!pr5i&b$PdSW#`yduY;F9R2_efRyo}6H
z=2s!;V7(5_&;@m{*do@z6>jNpM|C?#1^jKGw(e-UW+IJxAvztMYZkfUko_CPc;m<)
zXirRWa-&LcQ5ws903p^|C|d!E#Tzw@#2Fu$gKx}Qa$z44q!az^*SsiZvuqr9swu>%
zL4=i&3|>G~R741wDCT@hrR_0F(nT2PO=ienevIa~PtzS;hgJhjsN50i?czC@DO*Sy
zCaiBtEY(>4FPioXuObqV44<Z~0j^RQ+++HfVm2F&no~J2d5j3&H8A^nZ;&YHd!Ml>
z0OPwjCAQ!>`DyBVBJ3bJ0JR|*s5hi;#8E?XNg=!DIyFRbjv`e4|Ii53BpPw1**755
zy$FW^SoAnoH~z@p*kUmTe`Ol8RApg1;6^aFr|j{*8n+7|fvlxUdB*WF3reY)ssV-I
zL#)6W3^Hf4a^SQM!W?&-Wj&rZ#e=ruqhKka^3iH6APNi$2kGsz2s2P_!&`EQx4sow
zv-C`F#VElod2WTO?Vy6;{9{+>G`l9sbSgc<1*F914_7(3W>?XUqTxbu-BTm9mDxY{
zXvV3|;(o(z6tf|(sa>n9;(0}5=ALX%D%cPzrIUeDXNaTy;v)I$_=N`^hcj_07|k!D
zo8f7F%RmLbP<<fBLM()T4oGBxpq9iJe7e8L=T-Rz<SV+@jmr3?5>=*Fb^X_8`e=|_
zjBSX8PbX5afQ})6{AZ3sKq$v5qHMT84deuJhYCWFo~PRJYlJgL_}&@!kMwK%&1R~O
zHHCIKamV}VYJ*^$+gBgw@J$R)jq-9O@U<fgu2>TRdtWBHB(@A9Zsi4L`y*S^I4Wk;
z?8Z=m;B(kxfIXp!g~!PHB@9bpwr4)rHDju7g`nnUA<gzm)K6+o(5d;5fnHlY!rs0;
zu@-F_J2net=k=G2Uq(A_@AKWho*nU;G*OL3jYd_UkB%`I*Wd>hPyi5lf`OU{(10#P
zKP>ifCcq;BT?6n|2Q>?fWiikpgYYqj>U$BtVICpwBc;Y5ZTcuN9NLClPzifcDr=C5
zq5+`FT7<<yS1?&2u=4~$wrG+G29~9zO5K2$Zt+44WyZa}J!~6ZyqI=lTy7ZWRXTx=
zyhJ$on_|&D^k6E)En(bFSo;KjI&-kG5E*+0kGtsFbfuag!=m&Skjq`MWfdQf)edtO
zOcw_2OMN-uby2XrUW%^by+MTst1fz0Ku4XXxVPbR<p3NB5JTNt;=$mj5|l=4qR6~T
z+N0(HX2K_psr$mF-R7Hg4(8?qCb{@;N@i>8d`VV=w#g=f2{^Hx3U_#DU|`H&CqgC1
zq9J&wRon+lcZcnP5toCZ<VjU-J<{}uTFOzdkdQTTfMpC`YV=i2e@+Q)EL$Al-5NPX
ztdnaq)V9+yl)6ELAb{nXvxtz(VyPjDA6BN8@#|PI@*woKhZ3-b1|%x-tft97^)C$F
zNhRab;XH93m<xM@#EUVZqdRPYBa%rVM>nWLSxCN7uz)>3T3$&)@dJ6EtmVl!Xnm0^
z;oQ5{UgsmjYh7j=alYvn5knCK(+M2;K;ZTyG*p@Gd))5ku98DGT)L)#q4gp;((yC^
z3aiOL3r{xyE(uUXNoWTg(T)R2Sjx;IrZu2KosP5-?(@GE>$s2sHX|p;Wq;%MxD#|W
zln*RZzNeAh3e9a4HuY+DVUbW-bOBj>bq7$?eIxb)y)x|reKLtK@5cg~Cc$5jfdvz7
z!u5~HYn4R5Al^@pSD|Q9&OyCY>i4HY*qwk$w*dtP@E9Q6#fr64P*9Qc@E4cZKrMw(
z3!|i4yNVnBNCzy34#@}{g9o*Ak0`N~-?$b?&cp-Xi$gh)8HQLIW5<spI>dn2lIyXo
zgdD3J=DCEmq&?-pLWT|EZW+j*oL=-PA{lowMUdGrMS)bl2Hy!Quo@j>)Tzi(p@0F3
z4x#LA&YLo#PbAMWwPuabh}k&BHKIx6?rQ2(hlAe#&A6tjz`Zf$Pm8F~Jk9@U5h{)q
z%@#nj$^fW#VXlHd!^Sb?Q^%_-aR%!%QSw0ToIpQ=aTEOj-C=sOY$JKwJaQC~l%eMB
zJG)g{eq8l|r{iNT%fnAF#7F`6$XMCFE4v7cg8r?|Ns4`+zLy?H0=Ozkj)=UONoDTw
zXGW&$6yF9IATzoE4zGr@vE3t~JhJM>n{W=qJe>6Mv_etwg4ECfp9v3d>w+R6%E6X_
zfND;`Z2TXQlSp4#@p`}}^vrLA2$#VmDfK(@&IKGHn^DMMtm$`HN^qnejZsOU*d-7b
zE)WAj9G>?8CtV;=@VP5e<=}6Rkiz1TP|FJ?q7YZ_(>*0j7Sj_<LsAmM5OQ{~rlbJv
zsv@p{;FNQ{IS@l7O~C&1|8my73~K;>qX+pV4_g!dtc~>*A*PY#D})B9La+ozNdS1f
zsxA1E!=#RmV46e!P!h@vQptZH=8&fqEqZ;4fB~ft>&^-dM_F_mjwc=2v#|m*wIj5u
z2=u%%k3&>-PANt78yJXK)3h%J$0kA6{RaGpHL;no3UxHcPCSiYYi&n5<RK3tw5<iD
zNJs@}dI?Oq5EV9{5}OETLxJoc+sfC!-uFa!)#u{I@QNOQIGuK@6T2Q#W=pIFq(r=(
zYTO|+ImBIDIGJp=6#!7P;7=_vaEuLc<24bM$bmVulP6J4@rxqr9YYnx$ErUWu0f%C
zoESgK-q2<WNC@512~JUsC}cn;ivR&;F(DKCXRl5=p<!*|3$K2SmLO!z8wU>O`y4NJ
zMOMnnLrfvsGWiywSyf;P&pk}jHH`lyWyKvfwi?@97Lg^mY_y1KleaFl4N2l#WleyF
zt>+(>a?d^5R#}FkXxQ16Y(>%L5aVk4GMkyzHqB{xwyhLiGHUx|AZ0^lS!2i~vX;r0
z1t}*}AJWorV-Fh)1;rZ0Bn7+%)UL(w0Exa>v;b%!n~hlowhBlx*e@WN+tMLLKc24v
z#@=ci;nesIfbA&)Mp<{BCkF6$gTq8#i@JCt9D0};>?MWGQ5gnfhDgwlOk;uxS8`;H
zqyWzuu2li7jOzEwr-D4uG^$N%(77T9V&m~lx^g4TNf}ofER}#p<A_;ZHAdY3LxHPy
zJ|h@6`9=vM*+OlJd<!0L6hmlQNKxIHV25Zli4G;0GoPd93M(e+H;`fq@LPQ)X3({e
zESXw>F*&cXfXEsLHL9sxrOjgZdTq7G+-;W82Szt#VU`j=$vtS=T8iA7vSl&51~4XR
zVy$VdlF#<rU&wF-w{&|_=f4C`MGtFE@R-m)<5Cx?U|!8=YJnCbG1iF?br7GV>PBU@
z`4UFcrW62u4qTvV^F%Y0KrQU^1k%@5mJb8@MY3GFLq@7~aTi;JudKZ5E0ovJSkn~V
zkw=K1{1%qKp;C3xqV(R`E}4WPfL$~oA{o$qjwdz(C{oFRM7siM&ngP7er+SdhAYuT
zQH=ArCdLZQs8`foQ#KhlAq~^h*vUiZ1z~&pcr0mMq@Ka<i>^gXQrBHvSvi8!P|tMq
zZKG~emm6umF3yUSDGeABL5lL9k>cnaj$ia)K4n`#uzUDOmf9OquO#DGNoaCmo7em9
ztpLj15MbKzUbq$JSRY5W)mGK*rncRoE%rDxGznuawFOy@KPZElyo!pnmNNGs4ge<B
z?-}*(HPe_UT=(tzpU@i>H!<WMaSy^4TyVD6(1Ny<y{8FdTrx4m-mpN;%ss}@AmWRS
zI<dmvu^9n%lCh+FErPJm?Dy@$REE`(Hrg_6;l?*dGg)I;)ltVz5rDGn!6Zcvc3Zk;
zJn>~N0iZQYPlQTy@+c08ztC|Biq#ri`eMT*ZVxOU90wbbzk4M2kDGw^-zYa2Cg*jM
zSwU^v{JnpcGDGrr-RJnw(_<l(U##`K(L0!@l_(Yy0K1z`6)(~ig0kY$?5QiMIe@jl
zw+c;)mn(t~nZjDt9+_vnX!aHcL=ZrN5l`uT#EYq7I}aK~q+b2YGUTA3v(X+JPD<+C
zoB4}-j$;j&7%;;`2PnAW7#bF&m*BL(`slHsn+E*qXf;5F*x+~WdzVgW@&JW7i%1dZ
z7Uaq?CL7KSZw-V4b$E;sEcuYsQ~DXOyzo#43YzdU%U)T)Lv(Qp$Z~+Gheo7H2O)gh
z#T&)wxpy`3wK+K|#%rq(Fw(zDfE`5R`|xnwJ%F|_5J;xVdd1rxuQ{QXC4syF@d5-^
z`^(|7iOB(HY*J+BdZkg@q(Rh5q&N&yrbwEpMRCoFaPteoMSg<+y7zs&mC+ans{_1M
zYm+lxf}FFR18huCQSooB6Ym6(U&6!@RCM*n`gutNk=r7#gkvSV@j`by)(_fk?oNNo
zGcLB!C5K`!DmU>5ychyzD)nP7CxRpi=pjjtYI`1BJqhu*8_~^q0}R8jfxk=AK)$GI
z37^ZE8v>^9(d0^l!6+&->qSEto))0=+1|^Q<<!FvI_#qeF$4=jwPG3yX=(`65{rG*
z*BN=&f+>YK)i%Q<v9UBZQg~x=IbkUxUwDqaJ5(B=KKwJ2>@vR4xs*h&lBjF}S#ZF~
zP{Zhc5lq+69ChgB+x3xbwS1L@%t9`KEtzrv9H#ZbDaLdJG36vzb0(wxoR$k#Cy6<G
zT2~nfg1Bc=Bf=MXv?{o}EpU(weM@R~JSHbZM+i>vjY^!p3>L}5u$E%9ZQ6Pe9zb{f
zVnhv1eJ{HkNTSc1Nr!(mG9vU1WxO$k@&va7@2qjTZK!KkdGQu!TH~yVh$(jTD+H|t
zuweED+(?Q3pkHHmcbMOZP>MGau%PK_xsBKs!jwySqPXOBF1aiL8rARAsa;6LFh+>0
z(E@ZvUV*@)V9jaWFDFadoJU(hG?dDDM*vEgVa(WD!gUl|+%Wxd#cfKa=*z&>{)kzh
zgds^`(`9GW6cWP(rmTYSE0{862YWTf6nfh|GU1CD6JSRaS+I_ICj_A4%}f{0?=XpO
z0N^mF{#bi}5_h*a;Kdxy@;H0R1rIi3mI4~*j=G^h$H<>)(&?DMmnRSox4K)(L!+s2
z0*EG9pg&U1fIz4GOC;}^fAPfl*Km3%vL5_Nzqny7ZE*Z8lJx<62eNEdkcLWdWke)z
za30;FQF@Xkncw}T5E;;{mao#_g~4NKR}l|F93<4ZmmIKCZU*4P8IlB|Pr`MYjDRPF
z<e-x>Yu<+n9o&4#?J(AjK%8TwsL2_y;xjXp5)0G{r%{g)Eht^$#l%2^Gs9R0?bw6z
zp8ZiPfk)?08^e6jnS`bV?B99|rSH9;QZ2JUf`M=hj}qBIWIM=-H>IqI-T+OlFCP#g
zU0l?{QK)0OybQtkAuEp&FcFA*0a>5dhH`~<A6ga=xqS>5@@>1!(kySRv5F@UZ0u*;
zDg$R^<BU`|XLx#2gMNuH<;J~0A=SN(1O~NUBd%2*$T~xGA?dj?qC0MV?s5&u7%450
z?ekOTRESgi&k-soJ?D>@v*&-A{rTFrR_czj4I0=yZOj9VVCwZqNxOM*94dH#%>c*<
z2m!<E%V~+T7^<Ru;S7ySta$H4#Ui?hFs%xxkNdEtR1YJ`G##gBL%>@?!fZB-2g87l
zTKjMTob8zBiet3!I4q<*>_p=cyKQ~^9FAI&#=)Pmk>vn}?ev7UG^AdjYatb3ODvi8
zC#QB8egScCv#`xlHXX{GQt`4yhFXD;P`?dv2T4!Yt||{EBN115>gUEldNf@!ESJe^
zc|i-vYQ8P+4N$283(Tv@5UTz|xpe~Rq!pSekIj<n>D2zOFg-L`n}_AiM4G9jk{4>Z
zoKlyX{gb)|)ClbeWg%cJuDWa`hag6R7~Lo_|CR%wl8KG9An0W6C;`a;E|BZx!!=_B
zoTz|X)i_eq07GJCBG3`9fHYkYsnFwE{vumR(M*D*PK1mxk=33uVyc+bTP$fyYY0Fa
zQOuLXS1f{XeQc<QVPK^v`(1zn-q3@d4<4#_HFbWDW@_<-M~U`$=57jjwsPEANsKnZ
z^b@RvuuAiXE5K-ciyc@WWSd74w74spA|zFTPl-$l=g!V){Fb0|N=U>NtW<-0vMF51
zHpDE3v>|`PWSBQqZL*QVj|O`YnjGE8HazV>Qg^C0WZDJZZr()xNZp6j&n~O83nDCP
z+w&sKK#;91keRteS3y;msFny>s6<Dbs6gF3nR=@n1xU_uN5VaFG266K)o;7qDl4&!
z8e)ZoOFm*rW*+hh`%Lc5dgKKAT32Ert!Y%Ti<$OOSe&;&(lI++E+ga$RCbP(O+e0l
zOQ@8QB-*=Zbwz^&ra}l^IY5|=tfY@(>!J8ZNXUX#GIRvF!kE<W)Wd0tB@8LwL5Ej{
z$YN>M*q_w||9?HBG#OcvAiw<v)(M+e@IBrDl^8)sL&Jf2p*4e&m(Crnh6Pjn>wN&I
zZ+K|Mx1}KwphszvQ0`D*FpO~kp24A-%$WOIj6!2D#MS0!hVq>yd2vM={J?L(@ir21
z;AzbU0YB^D2+*+1aXsbIb=qk8I2!*!BT66PfkasnXn<xgW8&>Zj{(JXVJo#&leq8D
z+b-mMLcke<nYz@HLV7zf5;@=VB@~*Ixq(qVkf+146$FhG8X&m_l5Yq`)d7O%R+^Kn
zk}%vA{{cX;t}Apu3Cx-WbZ%2tVoaEdy2+w2YK<K!GIVMhBd<7k;v8ryi=a+>3>Y5)
ze3L#3_qHP@$TaYr_8oCRCFI^I``|gmT2um%Jxjs;#><GZ%uN9h!X_^`DMQ%^9|RK1
zH4EVUp+on^+KGROO*s6qD+8dDArN0`+BSFy#PWDp)RFC|;DayWHlpbIP^4S4jZtpJ
zwF2H$9q&Y&kp_!JfBE9-l2L-CZVsOIo@IQ~hk51J{$^YHI3;R%gpNCMPb96WADxkR
zM)YA{2O?A8j0i15cNKnr@~SSP;-3ZuSJe!#v%Q`OX?xaJw_)&)xC;CHF_MB?(?VdH
zvDq2>(}P3mQ)Q{d1ywMG5>P;YeWWh~j~XgQ*s139JhI&uS#eAu$Iq0(#<Iwff)g3I
zGt2PasDYM*3Cx{v9L4wfiJn^w0m=vPVlx=Y9O+nr3Z^iP8Y)KTAWCp;@&*2-krjet
zvN3CkW)#PFwNYa5RJdKbvdGuG2=iF<jvWBI-%iLq<%h3tIqqb`>VaigOym+@+sgua
z@Z?vt+*`b_MXvPD#Bh0m86(2ghldPx9VLgRz6~Nu!%`DIq6(*SC{8Cp{kSGG!F@Qa
zO5+&XE1(sG!T9^2iT&dWI#i>^8`drKSDS9(#O2n>*@<}mkv{j7E2MDwjVtZXH0nH#
z5CaWOYE_GUg9g|Zs1H~Go|M8o44MQw>BR_+7!8+~UMftrXP93bHk!y93uTwV8F}Jd
ziyk0twJh`&Mp9wXbY3ErP2Um3Wh+H7@gorz{R|lH-s(k2aF0-(-68=>F>Z%LWVXRf
zDVlcCGJ=`Yq3SywSX(1@3J}QreRfdRS70o@ITph%tae<}+nJ{n?~A!hF2^`cI|CwO
z3>nkHGF38cO354+#0cQd!aHDdMBu+Y*`iY+QrJwq+=tzt$4f(q1O-1(99~zH_u80y
zM%kut32fE8CB**n+0iNLu^0u-2+0d6sDp8B02uMog5ARM$Si4qppgYG@o(kAo^Tk*
zO0QroE7$@C6dcF3(lIDxYaIdD66P|^6M!o&W4F`n0NR<h(srG<feQmB6UG$H1qF&U
z4vCUujgb&`67D=N#X*orFm(ZHJ%P7K11L(Y>FJspQO<}0Pe$(}h9`-xa~%0XJVrcF
zoWWrY_})d4(v4c|A&Q&$`+@OA+@oC}6G9J$QCcp5p|U}ft;{kdjm3y5+AV@y`j~&n
z%mB3l;n0<Z@`(ouFBAEm3qbNjZQw6YIdE<avrP~_hzb&^^a&=$h`xj#H-W0MLn&Uu
zoasdz5&}tIuE_3_rk4VLm;8w|_u&KFVYGh$W=%81WK+Etiouj4{Z@I?HgYAC7YF6k
ziSNr%fERfzs34k$_=0LgDVr!L*`_*aIxkooAsDs1@iQ4`Bm=pU7o(n>fIlXd$!fM8
zx~OL7mJ9%tLdj4OX+oRMpa4qnawItxM(rpE(Se>xOSUaE_O|8xkZE|DR3d_I<O?r!
zQ<?C0dnRKTPq$vQXaR%z<Wm_|o>rhVtR2e&COwT#>L&v+cBTcqXw!B<SJMK*U>G6*
z40NWnj44|~AFjAOop*2N8y6c>xU&?*Xy7Jz2S6YyB%r>SM%4`ihro|p1;B@=@4Z=S
zz^;eD2A2FK!&mnh2y4s8N&E(e1#UB${X_KJuxL`wm@Q$gAvGAOY(NXFE|h|W@J>GH
z6Zs{OU!?F(Vypq2Y8b>T<M2jtk@z3nbyRDq2?z-Bs6*p15(a;lgBW0*5x9ckO?)gU
zg2ERFy<qglv77O{0n7%1#$WDMMf-&FRnKmrcj_1jGIW-<i07l+sklK`DX`U+6nQ|W
ztNPzVVl);`D{0NtshJ+r>BUBgYa-wC3`Sgm^xlF`F=<3Z*%_f3WLBWch(SQfw>lCU
zA*pJka7$EH*hOuA;cegg?e4z!vW&yF*WgvGpysjor_?k(ftjL#ytf3vVwF-wa3KOL
z<e=#vVnkBO##4M_aQ@e0e1|H!5}<?_XJk#WnD<SpNe~n%YS{Nd+$PYI1^6Ih@x!f)
zNnb}73<USR&wB(;g?<jomAM5xQO1%$Zl3tTcZRht@jA{y)0H2o@LnbL@Y|4Uw7^kD
zG?x43tbzq62FcXfsE8AdSs`l`T%!hxt}p=ku@kSJL$;CV^VY%+ZLiTg(=Fw`%lQqP
zVGHzayfcvyT2G<ia!THJze@4IJv??)gGQS@yj%q`?6<QwA?mOYDbi@{Q(e`5buc30
zulF%m>cfjFR}QI~pV%!~7K^szko+7I{d}1#gG!`j$%q9<al;}=gb&<cxH7xnvpA(&
zh5PDXa^Z&R5J|dZTEcjwG@BV`_$AkQK}@0K7Wr=rMS6HX^YN|bqUJ%ZrhKkZ&_+{*
zWc;la*nyfqjAnZdI;BUXNLK_)gRoLaTeB1DKWLM76{sLm97zFzcSBLIK}St-qcmwy
zD0?FSOr2In!nIJa6#ZZsWTFf_G_A22;!SRg<3ECGj_al)LKe|522MOk+Q7961kd<1
z5oGK()PP*u2$m#BL+&TMn<J+!1m!W~Cyzv14oV%zoLf!JMHa9^46qZ|{fzm4(I!E$
z`e3>l`n71G+8XIVgB19^;vw|d08dzRM924mW3W#%-m|WVstC9;gz~Qj#6lz)FQ$oN
zAV7!ibw!2*ROfPji1MjHi5zl5*lXEM{aRLpnNFDH0&EQ(mF7<H0HXt0ghj}&1Vv0g
zCcqAk4L{QDp}@wl3rUpDA;0i+l_jZ<i~vdQ5iPnqF_$qe2YV?`Vtj?^AeRV08)+Ci
z8-gj|?|x3)e+Zy2eDFl^?W%#Klst{((JM|ZXPKLU2){Be`W$a-Wlq8vt)~m)srE7{
z^q;s^umwZ|0Ru{_2!)?6Z!CJ3sEtGp5k_o<Y@aSg;BN?w#rda*6QfX%G$JkAIIjST
z2f|cGD<Jt0iDWk!Runh*uYHiR1=vGV@|<}Bgrn|IfH--A2SWvMj=M7#Zd^h)E4(%m
zT2#NZ&=th$a%t{1O;vJ0*I4I3!R;VO5;nzwEFpix6uvRUsYCEJ3DcaWQ@zVk3SRqN
zJ{KC0AAp>@g6SHayW5gw`~@5w1l$g@0wf400?rY})ntb<(f=91HbsyRa3wLtI~D3H
zR$pj*as+(fHnI3+3i=IRqa%~?>pM@n@GtHR4O)9mvDlMs3Mbea&8=YY#pTara@n&L
zDM?6AW}w2zR)9f)prHIn8m5S(hj4C{rYHO0F)LwIP@2Bqq-Y44Kw4v=ma6ekY9cO|
zIs)La6E^!QV12SAD!0fsE5?yV5@Za-9sFL<eEI^!nq<_XI6blk3`@*i=!_rY*yGk;
z(V-MrldT#i2Q;LcysCP$z%oA)>OegTXhKVN4F^a$XZ%r#4Q%kyMM8cNNB8v<WQ~x|
z=;4tm^ZZ=}fXN<F!$sbc7CEi@)D$IZ3-$R$GPVFLaS615W18MBBl(O{5?9Q<95NOR
zKbhq)qyRcBGC&hjp>^PCQpG(LjVlO5lPRf?kQDM<a#GZ`3B>3Hk)YAZ-B!-OK08@m
z8FNd8{p<)HNuUiFJkSP;oF|JtIR%e?N_x963)6N+a6}M;E+tId4pc^18MZ|WL{N&+
zB#$oj1a_Bbhd;7X{xMe`^7|D(rj904v@wz}$Hk&L%L_yieHgGuanNuhFZaA9ma#aA
zEz8M_Ic8&`%b55}^8jm7X7?gU2|m3rhNcK+gk6r{?${M-VXIh;#FmkohQ^CyDblET
z=VM1iATVzW+)Ek^2q|tH1VZY~#~Z%DII%a&J$_zHOz*tM%NUFePLVniiMF=vYhgj|
zB%;n((V3H?3^^qUcCnc~&xm5U&>%YW^?h(nbQH;oJhWx5<PYJo(NY^8yeT`aJ}vIm
z@t?Jmbbg380Lc=*ZA(89*GG|7L|k!I<T|^<v<%~lucZa;Idg!M9+z%JBeLO$g?AjL
zyz*NlJpm)uReWA`L-M@rrf98s6ApOkKN(Pj2+4e_4OWpETZ-F+jZW4J6`BGjUGtm&
zZ43`4Bm%%Lymh)xZ`-KfMq{6?V1r9S3!P{=oTL%BO2hx!pkz{|>#_~OcMhxFrmJ04
zPYUJ5jc$*R@Gpp07H~ExXmG_+MAh3XC_T3}1gaqENgp!Q%`oo{h~Rm`?Z(US?a>()
z{>e?NXGbF6T~<^zh?Pf@FeW4#KQ9|&a8Vi|L5_$*3=U(>xmsMOy=SMh3%r*I7dD2l
zwm*rK85y@owEPXX4dj^zamoRhd|MmMwvd8&j$8vVnRgD`RAx~TS4SD;QH^UH@03R(
zm#Xpj<d3WnAz|x&4h#S!FsXwPTW=C(hlRw&V_B}$T4V+Ure-6Ns{cR6<Rt>P=C^)x
zHu1^DOo_vuOCyn`-o#nM!~@HS=p43q4NJ}22LQSV;n`ZpGK61Xdc9(7p&T|y+6-ha
zLJet@ER5p4SYx~}%%QX(ZloW9l)T`a30M%m6+09=ks&VzC|?Wb*x~%jSmgXZ$gmHV
zEB3+R1XF5G5JWXhfRuR#ET;e3WC!5_tUXB18`&C(5E=_9A}p9*U5yKa=11imO#tTq
zxTmOKAP=&<tB%t9>KWo{@?&*{RW#$;8d>Rw9rf2V^*TU@qm<6p5zJI_aS=hmo{;Vy
zvxd`iH8H)Y^CP#4U=H8{qZ8}3$OXlw3Jz`9OS*f11o$_^lpRcM47uwqhqt77dFsEG
zJ{T7@QNu4hNew+(&a(hDhVlDU9<EXZrPs76vcf<ih{HIRJ|*&*jF=Kb#~BY4x}c2O
zs_T<^GAYG!{|%p->by&Ka)XV4#!RR@#;0$Dbli{he|(A(YjBAyfLw<!tH3;uP7E;L
z07J$ixYWhEWQb*~;6u)(eLEgY3`^x|Eu2<vK1`T7?FIQDd&K*JeX3wzQ^nO*_emU}
zdr&!S+r`RoUjS=lb|S~c*@hd(6w8(v#MlRMh??WCpA*p5IaJJZs}MMeg_<pd9n{bW
zs!j!r;f2YbfZwa-ZqUPms2}(w&QRuYKifqzLvrvC^Gx&ME!f=DlhQb(LHb0}1`el4
z(3Aqf2=FwzCf5UpXrde7_PcE#jI3M=R(Jn#qS`pOJFeb_sa!*hX{(MsZ%{tlZwW_4
zsf^j4#^(?Or{u?;&XXpy?!iCeDs~DfimH)*yw_7p$D>r(*V}3E7h-7|(&G{=4<5v1
zZ$a!5%p0jE@HajuR7r3*AWRf^JsM$Og5Xdx(Dw0#-#~^}NdlmJDGfA{&$@D4GX|G&
zvxA&+gy)7*?DzU|Wd?0{{ZOTB3$%}HO`es8hCA*JGBejq9PPQ=D5YI;O~KJg`JYq@
z%@6!U3mG~et>_G5-o9x9lRg6fb#1d$oiE>Wxl-VB&YYfcHl7$7@(SjEKf43wG+HPu
zkJUY_@hXggv@CxwM1;_VL2Ih`n-*RkmR|yHUpnV2$T*W|hGc>|L4-?i>H_$Y<Hh`q
zMwhD&1;~o5Tv|zQaSWxZ%NSbX=sQngIG5I`T?+H74bFGDWx2DHnPj`WEbT%-LU3lw
z4$151t~at|hxBfxspGk0APdWXCTMy|3JXB%w@E@7Ifh@W%}T$x_&f0)v$EH9l0<^~
zf9dd`={VY3+^$6s^URoL80vkRuEMS$nN_ADv1oA}V-e+9&1vyE!O*WjS{itb(lZ)?
zp=r8>dP0a4wB7z*%>waT>9qJv*nLa5CUBD{Q~@Rm!C~<_l+z+7_d_I`+#hhPTT#q|
zL^K)eHVDKx-1p+V09S49vR17gc^CgVpplqlfW;uOjU%wS2}@SYc0>qrDvx#fUZ~Y&
z3Ls69VbzNnLOxfg28z8k@oF)<PSjr59jm3D0{s({Wx_3|e`O6;R5_M;udaYeFa;q>
zYZYEq;Ghc|kgzP-Pqc_Fo6JM~18?hf!e;y+Zti!m&q9u_XMB%iOM!fB(a+Cobye^h
zw=*OsvLfrJ=?buKz5@n)9C}2`Waa<rozPCw1##wonwC*OfnrpkoyNPCIf|+niVbbB
zZc|PYBa5^hU#AT!N_<y;5Edx`;JGoh_$FLXrCUjtfkL8vtd0pbLT_Zqy0ZXc!z1x3
zr7qGONLXCrx)ZQz_*zHIPYvEbiKmHL;urWKtVdUn<LRe?#r;o@9#SHBozw)apSn24
zvu=TU3jsBCcgb!;I(Kn#qN3DagG*up>UtBAag{r_VGRrV=de490}A6`Bg<69LM&d=
z_D6VZP{L)JML3C37RIXdOiBi4Sh7)JDYm-f4&o+){pSEzLfaOF^8%a|AVK%>JIrp2
z2uyTRT}hUvK(X~_M1go@v~9c`bXv~T9^0(6Ir74$<tjMlEHIthmsvG+GFe-V{Nf1M
zOLa7o<thwn#f9tpGCEt5y92+pmt<bk*h8c_`F;hWXvC^8_pHx2KdJ5y%#q9hPT2|I
zIdy=O_ea*OUGFJ!NS4A_P$tlU+TbQ~Y+clAin33^v04EZ!KqqQfQ-9nNQNZ=M;aU+
z8PyzAmo3uJU=`rRjxq2k@&)n1LI4S?BGeBJ8213frn=3I_<CK4KRxYBH6d8Af_!_u
zirS`eE?+-5vxssRw<r+nHXu_#xF`slkZ<u_t!H084Ln7Ik~Z(~AZm--r=^0Ko{7Yu
zOgMhfNiv}mS_G~4wSXfkZhr48CA}Hw8OoJarWnqYl1Kr_mjc)G2T_O)2tq>$0(2Ix
zqr&H^;l*s?R2u+_>uP%7i@}V^qCP_^6mgayV9oKR!SiB?5v!zd8V^FaF@R>F2sGn6
z7OlDr6&L3v`wx+Uh$Q7!)s#UJz?vvxLn9?vtI&(mz7|}55f0Hzf`PI<f8Hjrc0hVn
zDMcf2h&F{>>Ej>wwciXk+w*V&f;65P4F`v8rLBgG9Ys7Fe=8*zt=_wehp7T6jAxME
z!AuuZlnLMqm;=zePf#lb(h!6fb_Fe#0;@~MdmbE?Afk*Ez~CPvc0su#<+mZB3&{37
zq{%}h(tifqKPSm(^|KHyWWdSjm@{q!L_`(3XF`*Ux@MrmX3*zOYF1PEprIa!17r~>
zme@KR$igJhucXu{RNrZB_m5XWcIc-pVSvb}gWHkOU$EY*`}#`-`ndD3qppxYXyy!`
zM-RY2E=XMslh8W=#9J%&VrXAqz9%DGR$~yiSVt`U=6cZC3j(Mgxi=_}MBGaq&KD*1
z%&3y4Xv$0xd6Hu4LaP{t+8TQvoIxP$qrHh;{Ig&-8W9}qWl;GvOrJGofYGnn9B+VA
zt%pAFExy9lD20uaOBy*XxP%2Drqf8kLr3EcI|B8YuVzJEvalKGM2885GiqHR?i4zH
zKu{$=pp8ukNZ`obM=`U|ieukno4iPZRvd{lb;F>%?VyGJnB<GZYDC(Oq{R+Zima=$
z#H(|Hc(81Ui<V|ICVIdP0ltQjASE<d4~HY59!D-1N1M#BdW5UiU4B(PSzlpki-?Z4
zqP!ZWbYfHEBH1W|SkXO`Fe?R^Kj3k6E)<6`ALLXPJ4XkP45w}ZfX;)r1r1==?4v2|
zET9*p1!+Kz!*WT#g=5RjqY-Aqn3K$qIq&I_k$GX<GT7EKRB=L~iGtO9W}-ZH0BsN;
zGVqP+mW;$BdtlKai%3)zvz?~~<Rl81hDxP@zpOh&V!k65YFQ&dy^0d?Vj_2TGAGu}
z8uvg`Or&JF3|+<XE0}U13D)JETr%2$PZV5rD9=Yp93K8u6aWyrGy<bSLm87s`sfU(
zucA0MC5y{utyKG&L}o+};9l`}Q4?y;(ZG6~yaX-Mn!v}qqo|&sFvDL3%Ons8KHTZy
zD0R#EPovE&afRMN68S*)V?=&-_i8AxW<_jD!RA?H2EIo(7K#UQ_=s?7*hyG~kAYya
zfhaVn*>dJU!)jSa8r~EQvj<qr3D|?WS_Q;|{yfUWKI5w*NKqU_1c&KOc%sX^xFALi
z>XT?pbmDvirVhm15TRUFM=b{u-jiMBPdwusQnsHLUdRAxGT4WIZbV=d%+!QpREg$y
zgr_2)ILms^2jvtOD&?B?(P_W7Eg(ess}yPsuNhST<o${^!&B?)CRSP&(bfZ8Fk*TR
z2)7CCc%8Z?O3z#4A<s9!KNKsS5K|;5k3{n4@ws}*m)8C*%3|V{OM(_D-vep8t4Lac
z%3=`CpzD?J2OU&e31!&<c7`aS8{nn(Ac`txsiNW6BTdb8P}5;nn-z=b>YaTvB?haV
zT+k*NJcN<vF=aEB*xQLH-7teOx_Yc+i<?Iqf@EnyH~IM*j}XQNs8{wF2q?vXW;VkL
zg@JBKb?$2{gZejMjOJNlQ6Q9%#HCH_yBEU~_7&%0Q5DQO*YU2Gm2L<$vef!pGtA%s
z=gqa*S;orJ0Q9V6tTdksYKWNJ$&x6j-+ZZ+@$n!h01||Pfi{|W$fT-b5}l<nV=ir%
zq4<=A0NIT!5q^~xll+ja-)S~GaRj=8+=0(USGaFl*d9DUfN4E{R#4$D0_>S`8TrFv
zGP#tOL=WuHUsn)WrVL>s7Ro~O2yk^!st6uZ1Ou9b_)DP2(*IV6mp8#8%rH8eKrJkk
zLi&p(Sbp9J@(PZk;lta33<5g<$=eS<kV9GA4Yx2I+X-J9!z2w-9jtFr<F%`1GoZI^
zkxSO`Ecgo6IG^BOV+uRjDrpn?73a}@B7HV^IvO}wq~9Lcj}hwVR9EFT$hjQkRvn+W
z?(XCIRJKN(K{~YE_rg9^a*+Dh<WH$X+Yoh)7?u2>pWU!@m$XFzBOv`~d3t~-9f##j
zqujT$StH%?qd;E$5dA!cSVR7?dn>U~fPo!t)Vnw;N3t!CtvYB$%O`(v9O*)X=ociR
l-HVn8)x1(Wa#?ebw+)v2w=@kHK$2TD0>`J10F%YY;~>$5L0bR-

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.otf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.otf
new file mode 100644
index 0000000000000000000000000000000000000000..bdcfb27a4fd5374021f41a0af62ea7a9e8a5e3b5
GIT binary patch
literal 229588
zcmdSCcVHFO);_$aWKMeTWzL+05YkRgOF}@!v;!y-By<ZLLV!q`DKs1Qu86&3?-dml
z3!-8}1$!5y=@rYhdsX<Jwbz`Jc;9>9@B97!`_N~eHGB5#z4lsrcAYtCnKrFOB#Ko+
z6Z0DCTbtX>W1be;q5&a9urV04&O9RiA|aY431!n&O|28h|8>u^BXIpGA#$?EH#G-O
z{l{4=g<5=&5Zb2kQ(9Vot{8ELP}`3dikdmTb$Y|;|GKzbsHI5mpgAqARlZ|Beg9S=
zlqm?9*VYy4z2KmI)j}j}5u)bU#qFU5G4HNihHLwPn#Bl+JtJWj;*Y@jh{at4%dcIM
zI9sU3E+NcWU7_W@jw>iBWdaUHcc`m9-&m80^9O~9&+F~!A2{&1@In6yT(^XRqZ(yS
zyzsPjbCVAGS!mjq2oZ0^W`7;#{bTlj9NnY6jB`z>6pDYiPy1m1cS1y8h3jLYdt^#{
zO&%Rr2r)&_QD|zcvRXtTqw`c~E)Hi_juk$o2%&LNnx<>2s?QVZugHLOlK<+P8d}7m
z!a8t3{q}%CIVveo`9`{^>`^ZRS<ne~P#%li)k_xvIwpx;TULcboMOwG7%9%OWqnwj
zC^1^xYlj;mL+r9;hnOdRx8-P&tIW3L7!j}Z+j5-9QNrmbD65sL?C?a9tBqnAO2ump
zwycO)ZL%$^B2JrS%Npc1Th>L4){XKhdJIalU0Y_$iZJz=wycUoebAOQF-bq&mi1wA
zqC~I$rX6mGvZ!&k><}BHI&3*w1dLK!juF|$F}55hd`39^1kEz;u)`BYAm$~OQLgNm
zKWteM>9J|HtcuLo5?j_FA8gCINR4f6?CD+6*Rg2vfaUXeJr#8H$z#B(U(hqZ-D+LY
zKhWOQZ%yoO>*?$5=?e|CFR(@}9vJ8yQ&qKW*)n&CqPg38x~fVmtYsYoi>;~c{q22A
z5iQu$Jzz~n-M8Lp?HTNAYk$|xY_*2E`>iQ`JyY8k4R(h5d~T1=GnVSvSdKu~ak<jI
zj!P{K%`@8j`a62MEsi~<m4va2dj{Hix|dpBx5quYW^7kzNqf)0LU(7!e4o48UE>dU
zYW`!Awjv$<R>&IY3oU5x3iU0qdKUg~#qQ{~1{Swl)4My!2(1IK1#a(NP}S3C_25dM
z)z&lEJ<!+D-tYeJ)|(O<?6jKP)&xZTk9Hhb(c3<4F*K9*YwcM$uq@QqZXuwvqpiKW
zA9)XUFF<ajOzXr+R!eVtH%Fet5h|>(t-Nlp+mead_fj&UrJ;__(EQGJ_E*RX)*oqw
z2F6&nI{j^Z9lZnn?*5KWcTeA<s+Qm+JCXmP(SnYClz09h83e8gbzAS$w^|ch-?h+Y
zPi(EQW=@<op=J6sYi9k_sr8emO>AzpTBcf!Et8ujPMg>=8D~MOe)4SV@QIU~Dy(+Y
z9~7*8d2e5Pf4>F0c69Z2cC;^WTdnQw|GmK0LPRBV^!K*6bu8>?vpPfFiv~lB+AFNy
z_P(x;eyTarSukQ(2V5u57xgS{@9Xa9USzF61+@nI+o=i+{14;1|GQ;cJ45}8QTmnb
zeLbzHN%CRptnVB^!l)otXh>Yt+TPc(5OF7pM$v;tafRp;9b%DKEC$eo`h-V#fr^Oi
z8zu)3S}zvhzWJgZax3oc$9?Uh3v7vrqFc1#Y9G?2V@O_GfGeY9`U40bBdYM<GWnky
zF~X_2<(*x)Rw{E`2CW8gmnEhm{eGZNEX9#h3nKMysqbW@(1lRT%7!*QVi2*~M7xzE
z+{4dtPb*?}OD(4$PLE7=5#o0uybtAeqtsOTu_$4aXb>%shNT#}pYN{xxBL077Tnh?
zW=LK8p+9L!HXTZP3epLOj78~sPzthGH_B$g@)XmJ&Zh>scR{lyNQ>euL}({coG(+W
z##xQ<ivVKR{2ypJygU|CBcFwU0a$=ML4G7_EJ0Wg^8CN`c84rCd5>zzbexed*>|mw
zxL$DX-N?5Jx%J6B`5uzVDucL_bnC#q{V4PQP2HP<+{nuoyz0hrf}JYW_y2G8aR9Zv
z7aB}MdDvz{^^YvN5a}$FcB9gA4DuD~A@rx3OLdmYLKdd7g)P&HCuS1PTV(oFSB6ra
z^tTk~dHnZ!MYV-s4b$xJ`G&O#p>~Ck9@X{vIFg=2&llBzAZ&Xim^?EE{CDg0qb%fw
zUR)(VP~GkXlh+o(do8$s(!XgkRFeN@qXkHXS`SKjKI{{&A^g<P(@IZuy?kOOidH<+
z7M?FU$C+#+W<r_<kG7zWO~cihxH=X8)r-kEpNMCXp0*Z*SZM895ZWZ~m?&kw7Q{7*
zKO1~Fu2LMbc005hs*UYpIZEG$(0=?!PY3z21J6q@EJ5{ifh>P3B(m=RxrZ&(BThAZ
zZ@;V+ZAg6~(1ujWf8DV7Ab1h-Aw8*P_CXJ_Ww^~5da~#q(vr$TzU4NFt}jAv)SmVs
zMS5NrA#4T0s0F3kO7%9}3Xn$sZ#Ccje^qB%WtsYMFFz$KrA9sQ8@EYAJyR#V)QM2m
zm|GC4um34@5$>mWWI0ZEBFzFY@4&cIs5D>Fg-HI0N7pbTM%FT16R|SfP<}(481bte
zBRr2l;Q#th(O2rH=+7Fr8_(*8=qKw}>R0JE8Sm&z_4D*W{d#?zeyCorH|ULelisWc
z_3`=yeVM-8_{jLs_*g$te;TtY4Z1}M1GAK9Xb>ynM7&7AEHp_ZixiP6(nLCDB$*;h
zWQ!b;EAsTK^&9nTjL-GU9PuJw6bMr|;X0Qn6h&f$D8?M81RZdxC==x<Yb7db6*>+t
zx)SO_s`YF28}#dp9VpotaWI;Jqr{bBt#}hNo!`X2#Gm31aX?8^3Y2`sR4nBnWvp_r
zGEO;4nXiPDHl<xzpsZ0YQ7%<3*Kam%HSRI)&~Mc*)o)YI)gRX%)1Po8I5LgxXdv!0
zb{U@;pBSGScN)8mJ;v9@KDEc#YaDCLQ)eiNN}qm`euA;n_|mx7_`>)~KSw`TU*Wh2
zU0j{GQQWWe>lf%3>Zj?a>#OurjrSdz@__itc*?k2KTAK`ahc<C{T6+VeujRgu@PP9
z(V|uyE9Qum;skLLs`mBb29)qRu|>QtUQ@<95*-<iEJwB@&ynNEcjP(>97#e?d<?GM
zj>_N=+hL_cG2c5`JS(<|&&5BLla*D<#VF@Z%7e-#<r8J6vRC<9`C0j0`Af}HYt=^e
zNOhKaw7OV5PVH8gswb!?t7oWd)XUYY)$7$8)tl7^)phC<>Qm~o>T~KAb({K`x>JkS
zlC(6<(#o_7&8r2pgS7^&Sqo`{+Dh$Y?L6%QZMAljc8~U;wn=+K+orv%y{~<!eXM<|
z?a&>1yq=_I>bZKAUZaoEXX;1mbM-dVwM*gETl9PMb^3aJgT6`MrhlmK)W6cd(|;^z
zESOkuM8TATsRgqNjw-mWU~Rz$(_to=S*FV@Hp|Vi=0vmAY%_bzGtG<5E6p3s-<^sx
z#+l;GaOOA*oGxdn)9b8r);pV>6P-smk95v-&UPN<JjNMvb~sORp6Wc?d5QB%=S|K#
zoR2tPaK7#Q*!j8hJLgZ%{g%VZv~n%eDzrvg9?Nf4TVt$oR+BZ+I^J4gonoD9U1VKm
z-DKTr-C^Bj-D}-%J#0N{J!w7dN^@noELWjxq|5D^>YC#^)^)Dy(n7V+C`>9$EzBs)
zEi?<u3nvuLD{L=v7OyQ{SG>OX>Eh>#Hy6KJyk%s{$m2@VN~V_Vbr-wG{-N(baNq!H
zgN5gy9*xLau~EDQkN+S&yhd58JOB^Bu6&{FQU0O)r2MA*sb)(LPf@3;v(;na;ZC(j
zU9O&_u2RoYFH^5luY-qgf`=bg*Q*=UXW-$@>Q?mwb-O0u;S?=fD}smJ@Nk{&;Q{I4
zGvMKiv`e&Gw0pIOwCA<0fAg@=qxA$mS<lk*bdO%EkJV@C$LRC*K7F-*g}zq5TfZOA
z*pvE3{Z0KH{R@4M{;mE4JUkvAZh?nqL_BPm@n)uJnIp_H(`O!HPBmwlo#ra@B6AHq
zyw)k4sx#J^>dbcLIxT0Rv&`vpj&U|PCpZstPH|4PJv`Sr-+7#KmGd;`InFiCtDHAG
z?{q%q-0XbM`Kfce^9ScI@NlY?ZRJ}QJX~e@;Nd#!Ab5DZ)oTq{Ct0hk3vCbI4iDc0
z4?ko*Vm&TBoEh=(6j!V3D0q0a?co%7I49!a1x5Mr@WaKA6+czH5gvX89!|DByvJSW
z9`lE=Jq#xg|99Y$0}Ji*LxzWweBjLe@i=xJ=)tiY|MdV}2RaXQ99S%`A9COr?Jbh@
zBlJnyJNg7|Go9hQ3UCwjO1)e!(Tns#-ErWj13w<vE5!b-!2KK((p~#+KXC4Wa}Jz+
z;H(3uAGr6xeFq*mu>8Qv11BDM_`o9v9y_r9z!TxP|Bb&IEyPy=pcbh9a>tk3zx?pO
z#ij5sMhdYLn&7x+=LtJc+W85|^l#^fJ3DqR*|}}!+dD%$=kE;Jp-=C87S}ca>p5iT
zxc8i}ysK4+J#X#Vw(AJ+athsz)^qnGyC2#Uy(fN8?4FoC(YO+~N8N)4b@%?=A0fSK
zc3!#rh20x*e*Esf-G}X-yKC33ox462V%MF(=3P(ix@Om^UCVc@-qE_Fc}L@paXSv)
z0n6@~y8XNDSAG8N=eK_H>U*o-n<jNo&{FSLO|-aIsPCx1XvrE@GvS3Gdey_ghv|#;
z<Md9wTkpm5LaVkyUn-AMCMo<+U#_oY8GW@Zi+$FIUi=K)cMWh|IQDSXufUbHz|H!@
zcn%|$9UkZ3W&I6(tNxz;37*z{cwT?g|E2#KC8G4G#Hi$`%&2S(RS3BZzMI0M%qT0W
zFlt29$f(g#lcT0YEsW}nS{em?qgG*w*JDKLw9#ZtHRc)J|DLnaY4jQ=Q>d{Pz)G;O
z(fGjl3B6%9dciRcq~Mt3nC6(}I2zKi6cap$WXF6Qf#Lrgv-r#*J;Fx{aZDZ_3+GLY
zzlVm;9Psep|2ZtjD1`j~dOYR02%{N{hK$>cJJC|#>d4d|Gmh2IF?Q<b>yJCKFjo4^
z7-f_?5{%vYZTcEVzENV#)6X@YGd3B|>nCB{Q;Ts-og9@-!nkY>MrKE2OtZos)BK2W
z+I4bVbE8;myeIAxugTHPn_{o{NjVpzx8E^-`vW7m0~lSUVf<DgM{r{?hNBVO6BxsV
zFp6u#2(I0DU+KdrZVip&l>3w?F}4~j{t^d?{o-&XK}=QBMXQn_rYl)unvyAIDA{7R
zk|*XWE-_Cj6d|QZ9H&%>V-%<8QmRC^;t@THSM(}AF{spt<;oawqH>5hSvgdkp#;V0
zN|QK6883cSo)%{+6U14{L}ijVS2;qQuS^l=DU-zoN{d*nOcR$Wv&2=((c%hajxtaD
zqHGX1DGS9tO0T$CSwy2k@tAUgctSZ*tXEDFPb;U1XOz>$M&(TLta66fteh`iRL&Ex
zV&CBn<ub8Vxk7AHt`u)6SBbZktHsC4O=6dFxA;=IUwkFLRUQ%FV+Y|o<x%5aOg0`+
z2E-@I&EgO=V5^jRaf`B8yrWzr-c_y@?<v=b_m%6#2g(g%vXU&0SN!5pWu@p;+~RU&
zwm3pb63;1TiI<cMlxLL9$`*_#-ca6Dwkq3{x0JV)ca(RP_f<uCNqJBC&^W`mz_`S?
z)Zws4qy-qA<{DQSR~u&;7aD6EPDi1m*iqsrb(A|Q9bSjuQSGR8)H%jF4s|p*nj9^T
zDUKr@Q}N`^z_UABJ5K9VXKD*E9-XbuQIApQs%NTGFg~5CwyM+A>FNyiD2!rG#Q5c8
z^%V6ib)Fhh=c{e%0<~RTs4l`7wgY3FB^c#&VJzFD_F}AayxOPss{`sF#<t5a?m1mO
zRXt5TLwi=w(KhP2+H-oIwn@*|p4SVs7j#p5Nq1>4>xJ5Dda?F~K1zF2FV(i{W!g5q
zTzgBe(B9T7(Tln<-gyt>SD*Hw?$<uj1KP)Wwf2c#qkXE^YM<$&wa@iBZM!}O<K3~w
ziN?vsDaM(`*~WRsMaIQqijpd3Dmh}7k}H-dm7-4xh^0!cSf<p8vz5cdIm+SULgh$t
zkup_Wth9<tl<8uPGDBRd%oJBE$B1jN_jIi?SKO-{FCJG;7EfaDW`nXyJf)l}HYsO|
z=aqBB%gTk~73CuFg>t9ZsoW)YEBA<hU>EJ5%6g0#A6G^z7mIO<A`VqlQLkvCLD5B{
z5+#}xLo_Q65mchZcqK+mP-4YIB~Bcs#EbdL2+^h#iv`L^(XNz;g~}+gNGTPIl`_$x
zl#5f92639wC~j3c#BIuP;&x?;xI^g_cPd@tE~Q)Ct@MZol|k{4vQ#{*EEDUL<>C=#
zh4>JAVjn4M#iz<G;xpw|@wsxF*sk0zb|`m<J<7e}Yvm!aPkC5;qpVZER`;pjsNbsJ
zso$$-V-$P7dVzYOdXajux?257{Tbs{MN>7}k&9BVmE+sB7~$Tm-lE>BIkadk4s(|T
zEfJ&JWc4=ncJ(gxZuK7ZUiCipel1JOR-eUu#-~+lHCnAU8l&DZ>L&GhjEY}UUshjH
zUsYdIzf%99{(_yp{ptZNMvK*Qv|NmmM`(U6puVoYp}vU`^fvV^^=<VXZK8IV`kwke
zM${jwAE_U!pQxW|)3q7u=jwKKhx&!OQ{AQRR`;m?RDaOMX$NVCsy}Mu)k`q{Iv2Z)
zTeKdnTkFM$`y}mfZGtvQGqhIB%&x%9><0B+Z9rS9EypN5RZG`0FdxfQAHZ1t4)spV
z!<K0)FmkWN*u6?~Vy0HEdDM*<-*3Q7?g{M#?L@6lo2gCHW@%%!xtQTSqQ0QMsD7sP
zYsX`hPIJ~v^xJjJSur=I+3T4YE8L=A>R4lJ)bGF??Q)Fd@5D&{E@Px|I(l)hagOn@
zakufLvEF!GKUiOHY%#VOZ(+XtF8b;(jh`LZBBlARs;Ro;QmhZ)Uol20^iOl*VA(*k
zg>?W4Ild``4CtqTix@gadRQfpFm4AIGYksHxRIdKxT1ui)98WvW^7yQSAxqJ`c2?+
zhVc%Vc9j7+;;MuU=;wi{uLrPKDKNv9(60x3fI5Va1CIg5LS6<wh+%vLKA2(9XqR*X
zjE})|51^k2K9qsA6oI*&K(C3V9pEU2el-|l8-ji#_!tI_@X)tP7@vdZGW5&9^B7oP
z5tuCs^uGctEdnbG68g1Z${Wyc0H4H=BgT^<1I7;US_alMgdlqXI;C+l!?*{03&Xer
zd@IAa4Q#`}I9ZUN0DUc(;sH9vrE7pA6MPp#$CzB)%`m8Zln0=n1HPAG>;&J((9Z|o
z&(I$SKfrKgfiYer7?jsT4C6EK!@xR(j{-l!a3p{qWf;4`qz9l=IcQb^=xe}~2jC!k
zKEW`ku06>x=7Bdb^mD;a0nZ?>=fKZ0Fjf*`Bk%%H1H5SCVDM%elfW<8I1>Ca@G3y{
z<24&(pDn-}zzX0^8<hT58$W`#*|-w?7VsW$9q>K_V=*B<ut9dE`uZ_I`Fvu7(*D%O
zUNG5_@Do7w55O1>yZyi};5UHmNH_rOVJL}Ux*t%|z+VFYfK2xMnxR<WeZaQ}9}E7D
zp^O86&rrzr|70jffqwvgLHrQ-SB635BRv465Bxju2jok@e=?NI!GAFnD*JwhLjEMZ
z0gNq$0+B$^Ir>fsx(|J*1U>iYOC=}`^r;e9q!;L08K`6EV<oW2FVNRA(!tRTECmbn
zy^IWSECX8x0(~(f3mnhD#(}_imyrpEeWi_OfRk)wgOeH9I1oyTjXZEFgW3=BhlC4E
zIsw#{U>waT1XCUWwJR7~Gm5~J2Oy3E=h&zK=Q60>!uXrv1jFCb=Uw0e8&zPFfhB%{
zu{py7wisCQ7YgY|@B*Y0fQ<!#F+IZv9>KuYfWWwgQ3D>yzy^uHIEFC>jJAM4Z6d}s
zj6=X>3~CcG&S4x1rm_Lz3~;55AlS_ir-P|HgeHK>0N`C7)|+%650I_^)me<l8Bc=)
z3~?s7+QtMhl>xweKmy}N#zgRF8<W6w41wnn^BBevV5+--I3G;)l`sW3m?6#sQ<({q
zfpH9R0r*fGE#P{FSPgElLG`eaAua<`nF+IiW`?*5Og17M4N&<3aRr#lMwkOoc?k1>
z!x-|}re}$;0ibdM)F)vU##jg@y#eYoFe791f~lMU^<5ZWGZulTGN=#1c$?7=rt$#P
z2Ve}&H~~C^L2W<A<P54aR8D~U3CyM#CxNLvfFPe9W#cq3l^>wK0pofG)tO@%Vk3C2
z4XOk47}SSQ8z(_^Z$5+i4W-Qn`F8<>`WB_#2Kkq41W;ds`6z?@xR^nG3C8dY^5by~
z>Q6AHXOO=-8PvC6jL*0d+|8hV24j8(`MsAR-Uc6U<7#jpgZdlHjTz+A0S5IYm^U!)
z1}|k$zkzuKgM7D~fmyM@yh1|uA1fgf9s$UI0QDi5e>2Fx<R^go8O*5|kAhd(NC98W
z5I=+0Ffiv9%B2j<zJ;=uL1Pfi(-{;_=K%Gk^fsde)x%8;6_=FP88k*z$Oi-pf0H3r
zfyoDidVuT>(D+LsTNB8KWM4qM0}kUF$nP=)@q0F|1;5XrF@f@djqAW4GH8sTd}QN#
zF!>3f@q$9-A>06b!N7*JP<Gl#2Jc}A^7&pHe(*mSH0Dyiwn2XSi6N+dk*x`C;5UZ2
z9Q?bD+2B7Jg4%$;Y$Ra_oy`!>fpZvG-4JRngT_{B9z(eRT+2|N0yi?S?Jm?Q4CNW{
zkql)scq%Xp`Qdp~p@(`j<d?z60`y#M0mB~zvayQih(I=0Q8u+3GVH4M092<x11|?o
zfDD_dsE_K&kYOhkzE{tHybpX1K=tpR;L8BA2W+5TWdoH)y_%s=8LwlI&sF%3K)zLP
zWGJ74Zvv=3?gu}}FirzM%rKC*x{hIxt=2P)OTdpaj7z~!FdPo>1^~8nM1!9JU?)c`
znEU}4&|4)t!cLAvFzU6s4dGXS$wq)98%(+a4)PV*3vlFsKV~=zz@IQ28DJ_8;2=Mf
zO#$O7@OFlAHFyWZI17w=OE4}3quvq>*jGapCpes7h2ba!s|-gm7!e4L60pv2l!Bue
zj&iWUa8!a}7lOkJhFu5_JPTS3!%+=}jR+3ZM=g%wr~}6{9Am+#-vnCy)>0UbL&2#G
zM*}#GK`YrB?5J6Y9|RWxBO#-1Yos?o>)_fbhGPbp%20;zS>Or=t*L8x4mIfRI0_tK
zIOc*$zk?Az4@`Ljj&^V}!?6e)VmKCq2Y^9<<drtMz$e?Fdr{{kjsu@*qZ16D5!9LB
zvu!K{p97qSaMJk#20fG7MGW;A@Wl+3bY9I+DeX&un{e+q@GZbykn!AWcQaHf?>!89
zzO{RS2N35(FrF8JN_ss6JO`QVu!%v>wDvsk3c`;EzsgWofnQ^&r-QcuuOrT>;5Qib
z%xhbLZ3tfhewRUQgoZXng7W&%MhN_|jrm|a2NG@I9X1wV9xDI`&QT6M8i<GdC^!K?
zz0&a9>d8PRWY|^D0`NSMo%B4Q3i6d;4^RX73vewk2J+Y7vA|5o{{+JyI{ZNC>hOUM
z+f%wa^do4`f}x*84!Dn@Z3Oq*K;E<;Mj-prT8sqgvYJ8m)=57?K7ePKK(^P>Hc1qK
zuV82|fT;`w6S#_@y#&76h6{WRLwgx~t&KwPS_b)$){-QO!8bF=hx#oxMuAb62-=%q
z)FlZ#XZrmN^0WScjWY0q4D!AHkd1Qi!wlNl)z{gm06)gi-UhF?fi_2flA*l=-eAKG
zCi}vcRHt;Z9RYsTNk4)QAe{iJUpnbQ@B@?<pnU|U`w0QyJqFc5{e2tN;13wuCtym8
zPy>9ypgOAWv{4J*!_Ynh@3k=+{3S#C9Q>7yI`Fp)Z9Dio8)LvfFsSb9KiU{8L_s6N
zH~~DKVVnq_08B*tk9Mfw2!?SgxP@V$ttgnnFwO=~Wf<pzXE2QOz%v2Vd*dSTQ4C`>
z_&SDh5*YP|V5|afU>KJPVHym9d`t&}=IAD#Q375X6egZi0?o6{M20|qW)g$u+-4?2
zECFXRXr5|X4ABR6F=(!7j$q&=J7J<86KH;EqAn8f0;Vug{|Gd{G<^&KJD8{w1e&Xv
zlolY)0mJtMnzNbkH$hworgQ<Chnb@p0=6<KU4Z6fCj3Vb7lYw50?p6NLm1)`@Hhs|
z&&)#^Vhy;SL31^;fgvsh!|w!|x0y{0aW%M^LGv&($Pm|nQ8x%QCo@qu2;y2W>Ii}6
zXC~<i(AuO)`T@%EVDbk*YlY@)2F)$ZISg7aG>>9n4@a0sGsFfk=>aIKz?3&Y>xd@h
z2PmkM<~)YLb8Che3i)C_Lp%>|V_;86n4Jt-M>M+_*e4QZH$%Jv?qMk83(6Z1Uw|n;
z0Q*V8JdGiCf=_2)k4czkFlfEcJd=TaCt*@r0Il(v<V%3&KPLGJ5dQ>|ZvgC136q`y
zK>Pr{oS~2nuV5&n!B;XAO78{+t)-f48ML-;-o&7_I`d|RI23#fgVycLTN$Drd>ez-
z@XXs8q5*sdgVys*DnEdibA?G|254>1yqkenafL}`256nnq&fkJX7GIsTJtmSX9%im
z4=`x`&m_A50(H)Oh(T+C=EDpz0lbc(#DX7Th>74w8MH=dKE@FAJd#ZTS}!!oj)0gC
zeu6>kWG2-`K(v9W{sFXRW>TF4!~*cs3|c=kpJCu-Rbf8MptUq}BSS0%KgXaoHFFa~
zECN5zpfxu01%_A*evv`zZRTc%=m5XOptU#iWrjEv{0f8CpUhVo;xzDU4268Og+cog
z=Iabv+c4i?&>n^PCWF>F%&iRCt1!1QXwAcXi$VJq=GzQf|1jTS&>n{QE`!!W%=Z|y
zr(wR&pmh=R0|xDHm>)7|jl}$jL3<VE#|&EYFh60?-i7%ogVsOH&lt3iVSdh_wGeYV
zgZ4Je9SmhT_zMQ@b(lLD$_nr<2Ces-yBW%j;5`gMdhKN>Yr$VK1nKe>1N*kZ{0D>f
z1I(`(*vl2>J_hX#nBOq4zbnjd8G`ivj)6U2VSdjLq&u|>0QP}}No@f@dkE%_4D1aH
z^Ct%F8<;;cuwN|9Ul_E9VE)R$9<nfhV+hjacZLF6Igzwe!5AB5b*g{^GSYNL12K@#
z2FC(Pkk1Dv11XS^zcUrcfQ+=A*+35DOToE70pu&e7T|*XC%6zO!PtrN90imj{914s
zPz4$GcX|LX;y@3l52%G42ObU7Ar5Tl90QDlj5_8#6sSj>EN}zR3^@-x0how5u!-|9
z;0VZ%f~NpSA`WzNP6cK{E(XtLs852AVyI7pk73X}-Z_^+^LghyAcT9Nt8+fE2y!)e
zG0=g$Hi3@=P{(Pm@9YJRhx`?|59o&sUpWVWLCE{TsNc?INGAro99RJvHg&E9PJmnl
zJ`p$xvLCz(I2H22;L`y3N`oz&=KvQY&DX)JflCk$TR7JMS3-s@oL2#`xB4D<EpQXU
zr-N?>?to18xD$8)aXtq>2s{M&pWufX+Bh)PAwW9_jAx9Xkxw3Ds6T?&GqmyG$AKr1
z4s>#otv5hE7yJ~1)<m3ScR+*foMd-ELmT2Gy8{~8aw9_{+dRk6U>7IZ9ncO3KhMyp
zF1*0dCV|Nx0Ig3rUt(yj;Fp0{pwH#tSAo|cUk@go0QFrk*%Y98yc2CHK_kDt$<WAe
zTY+r|PXWILybU=WOtuDSeZu)ZL(2qz0DOq_VQc3{z{il`1Lvm<S}$;Z#?Vkdoa7Hc
zTLIn<?1WqaMw{l`4cQ6a!_dmXdl{Ms{3Y-e(kJ`<1Na&;eBj*2pmi+gHvrlx?F8_5
z42|mS4-9Q4nEVQ8)4)G5v{~R^7}{9yuMBN2_&4Bp<h2g`FW?Wz<dZ)cv{vQ(i=p*{
z_cOHPg|Hk9$Hm}O2F-n~GyrzhF92sSXbx<_rUd<Va5j(wc@;R9p`QWH2MQ35=f*M_
z`k7!0a3LJefmO($`Li{Wp~L1@6~nOx44V>+jbI<($NG;Bu4Xt;$E-SF4AMLcjOT=)
z!@t(S44MyHhXCUcemS^_VLSyM&(QHKTByeanoC=Fo(cM0;9iD7I+DEr<8<%<0DX-z
z@JYbQkV)TD7{)o^RlvCj4}dQOE`m(DT*ff21K-3j?gQV-FzyH64xk(c>a9h30LDXL
zDi2^h48E6Pkj``uU_1e)c(`t?13v;h3K_5-XBba{DIVBZ4}O|qpsu>$cY=X>>VlsM
zI&A66V$d3Z%VN+PfD3*k=t$268xaiDeV3bId<&k!Ft&h?1g0X+HgGF22l5Nxqkv-}
zzYd1Y2*%ss)xf2Y@vIc83}X-2U>IM4lNbh`v%(aHfoHEUm0`RK&R`fQYhez<_yC;C
zFunwv3}Y9#oMG$*qh1h<FTnE{#&+-mpdI0#;5DLr0BwT~pA@fU7(asHhvIdJgXgvQ
zF#z^6eg~ue6+;&T&uZ~T;5o>Dfj2XZpTMs$jGw`;G8`Hhb|g5U@5p2TWi}3gk7GDs
zr;;>=Ljl9y1mhPlY*&IZ(K?VDesiOLrnMjU7+@^qi-dqm5-QU91NZ*{cA(DwfxQ3F
z(YAp1BR_)UQfwI<2Q0z88*n48(Z2(a3Li^<KPp1US7wTm`5%7@fUcD1M^}sd=o%$I
zx)vXDMUU40ob$&M`O!W9Iyx%9<CmoT&J$B!FA&N#=cF1Bt3nacB2i?Bd{HFIgjbBl
zEG>v#n`z=G%tz>B&1K?b>~>#(8T|F)7QElH4s+z^uut<k_Od?0KH%4w6aKCU#euhj
zGw^nBky563@osQ~GD&GwW-IfQC3q+JB;^d{e0=wGxpJLyJKhX_MA?9EV_w1gs~_Y0
zn6H%Y@CDSLs!$zjqMD)Rt3_&=>cO`%2dho$;qq&ld3c9(0AE9$hBxt6t5@QEyW8-V
z;5zkjd<V4|@A<uhxB0$Mzr>q}KdXP@eZyG1hnJ-lYNeV7Zw?-Uub~dtrfRdbdD<ep
z!#998?oQRt(k|7m!FN%2Y7c0SX-{h}Xs_YRnfJBNwB6c1?MLl*?SLMur|CKR2z-&@
z)9di%T~MEbFQksu+wo06KfcskrJt=|gtzam!`paw>kr{;wP*Fs`s?_P=3{(G^OgR+
z{;R$pZ{;UNWkflnilZu`{84pL<D!C5lcHus9TT-6YDrXI)QYH8QD;Y86m@yjby2rO
z-5>Qx)H6{pM!gpGR@A3aUq*cw^-I)WhGIC3L?gq<H;Rlh!*7f+nvF?Dt1-t|h&S^4
zjHSj&cmw!+V-4Q-U5huy?=v33+kej)FB@+f?-@Jjoj>DGhvtZNq~QHvr(-1E0S?G_
zf5$r}JEl91cC<N;bM!ivIZkq%;W*#1#&NadM#tTbha8VPo^@<?Y;nBp_{g!t@ulNC
z$1jdQqqXRm=)~x}=)&mIXis!)^dZsB(UYQEqi03Wjb0et6+IArLiDN8XGgDzzBc-%
z=zF8rML!w+T=dJ)Z$y6({dx4B=x?HbivA-;jfsg#j>(EKV~S%cV*D{<V(Mci#I(fB
zh&d)^LClhvzL*s;t76WMxhUrHnCoJ0iMc!Gp_s>Go{iZY^LorXF(1c#5%X2d_c6c5
z?2nC#jgL)>&5d=%j*6{{t%*H2wkh`T*r~CzW9P*#itUaaj6E^-^w{%aFNwV>_Qu%T
zWABT7Bz8mWrr1|vx5mC7`%&!YvAbgT#_o&#F80^h199<j>2c1uQE`E|gX4m6EpfBr
zLUG5%b;S+FofLOo+?u%S<8F_;Kkm`EXX0Lp+Zy*_+!t|Q$Nd!dSG*CQ6rUaMiZ6@z
z$JfM<i=PxfEq-2nNBr^eE91|OKQDew{5A1w<L`=pIDSL?3-Mdxx5mF4|6%-R@w?;q
z#eX0FWBhONe<mmij)a(mxP*j+^n}cWoCGt$l`txyJi(pdO&FcfkT5x6M#9{LB?-$C
zPES~qa9zSp3AZKOo$x@yV+l_tJe{y9VROQ33EL7rNcbq>lZ2fKyA!@l_$J}|gkKZ>
zmGD=hNQ_F1PfSb9O>`xeC)Os8OPr86Epc9AXW|KoXC_{ecz5DMiH|2fo47gg^~84)
zKTiB2@vFq|6Ms$IpA?l8pOluAo8(Fwl~k2flXP%WQ_|r{Q<G*V%}ZL8)SWb#bYjx!
zN#`Y9l5|zljY+pB-Iw%8(uSl>Nv|YrO?p4+v!vZg`;vZ4`d6}&9G#q$oS9sZJR-R~
z*_T|Gd}#9c<jKj?laEerOFl07_~hlurzD@1d|~os$=4>|oP1aEgURcYpGkf(c}w!!
z$sZ-}Nd7YUyX0Sz|4PwQ;!;vma#F06k`#AJb;?00jVXtv9GNmJWp2vCl&+M4loL`;
zOF1`Xb;^|~H>BK_a&OAIlqXZ3OL;lv&6M|2K26z`@^#7&DZi(RR7YxJYDQ{)YEf!g
zsyB6X>bTTk>Jh2aQjbcVpW2byo4PFZ<kT}$FG#&K^_tY1QtwQCAoa1-r&C`@eJ%B^
z)DKg)r|wPtHudM!Khw0d*tC?i>@;WE$h69|K-$=}hO~)kQ_^Op9h=sk)|u9ywleM1
zv~$ufPP-!Q`m|fq?n!$%?TNIFX)mR{k@jxdCuuv={*m_2wBOPWq#Nl8>FMct>4oW~
z>7Ml3^h45{(<i03rq4+ar7uqJNne_NQu-O`=clhpzdC(w`W@-_r$3thRQmJjThc#F
z-=4lVeP8;|8EQsMMsh}0hM7^EQIX-#7?V+-F(IQRV@Ad?84EI&Wb|dM$T%b8;*4uD
zZp(NuV?)N~jBOd8WbDoOHsj}vKQpz=*vyp7>`Yf?S*AC0bmq9sU}j6^tjxKY3p2Yi
z2Qp8{JT3Fw%+;A!X5Nr_Tjsr)>oT9rd@l3l%r`UN%ltHRSLWB5KV<%%C9)h@iCGz0
z`B_C-6<PkQF<JFl6S7*eW@Ux47H9QjEzLS9>x``Pv({u?owYXWuB?Z%p2*sm^-9)T
zSs!M7k@a=f4_Uuwi)=@BVs=J$es)oIS++m>pzOx%!?KUeo|Qc}dtr80_CWRt*{5Zn
zo4q>w%Iq7mZ_B<n`_b%YvR};JlKpn}N7*~G_htW>{jVG)Cpsr7Co`uYXGBhUjxVP!
z=g^$-Ig@jy=Nz5WmUCRr@j1(LPRThd=fa%Ja<0v}Ip?mN2XofvY|MEn=Z&0qb3V!0
znX@nF=bS%twcOa;l-%rGXYR<{%G^Ni!MVZQBXXzZ9+SH;w<~vP?kTxv<zAS3S?;yD
zH|O4!`(W<++>N=f<ZjJ<KliiT-MRa6f6V<?o{|@xmz0;A=gKR|bLZ9OjmsOKcVyn2
zytce0d4qYU<eiguao&}AYxC~Rdob_Gyyx?_<h_&kS>Bg<|IGVWzM3DKpPpZkKQiB)
zKRUl5|M2|Q{5kod{NwWb@>k}cntxvYrTN$9-<*F}{)74J^PkCoF@H<`+xZ{m@5ui$
z|GWHO^8YH(3*rh=3vvpqf|3GvL3P1F@@w7}`JLz7g0_N11xpHg3i=C{6`W9TO2O#`
zXBV7baB;z<1y>eaTX18+Ed_TJ+*9yC!McL=1se*UEqK0QOToJZI}7#|{AQ|VoS9}8
zm?fqcUjR3oE#_=|1KedUGfy?oH!nADG;cNUHy<}QnOn^F&F$v5=C4lOnc&RA_rPUN
zzw;n`C)(<qi!XrtoToU?bzbVc9^d~y<lNwV(fOwHL+4KCH_ksS-Ab|YtPz&mI>-uI
z)2w5y#a55C+&a~|*t!Z|{oZeFuwJy@v_7<UTHjcIxT0K1t{hjPtK3!XI>;4tO~IGH
zZLTiYGS{iD^IVs?u6Nz;deHTx>jl>vuJ>KrUEjKXEz}AV3JVHL3cZD63!4jD3TGF#
z6?PRaEj*#{^uh}ZuPnT&@Seg)3!g1~rSR>-PYU-GepmQ=kyeyYlvQLExr=Ix>WdC9
znqD-wsIzEk(J4je7F}9&ebF674;4LG^nB5_qK}I96n$Ux`v_%3%80xX#UrXl)QxBy
zam0w3BSIrOM)Z$3X~fwhE*Wv{h+9Y8H)6wxmqu(I@!^QQBYqt5SFxiwr8uv6L~&*D
znBu15$;H!(k1k$V+*`b|_{`!9i!Up_uK4!i2jy4GFBWepey8};;xCH#7Vj(mrTCAL
z%E*|JNh5PcI!6|dEFW1tvT5Xuk?kY<MxHwI{E?TBym91RBiD_5dgMzZw~hRG<nEE*
zjr_etD@iEHDsh#RmsFRGE16i*T5?RuqLSlFPAECE<l>U6OKvH-uVj76b0x2pyj${l
z$yX&mmi#r!F)C$L{-}|oJfp^pY8o|p)T~kSM|F-`I%?IZ^G01Z>V{Ewj(T|1Q=>MI
z+B)i^QM*QcJL<PmwKTpov(zdrD-Dz$QaYh@YU$CX3rl-TSC*btdSU6MrB|2URC;IW
z1Er6aK3)1^>6X%WOTQ@nru5IU*s_c=SDCx);IbpiW|Yk>TU<6!c52zhWjB=FUADe#
zW7*4PTgyHw+gY}+?5DE*<<aFS<<4?<d0ly9`K0n`<wut<Ebl2_UcRdQyz<M+uP?u+
z{K@hc%ik>jpnQAzm*qc{|52e=#8+fiSQVuewH3jNBP))oSWwYfF;H=G#n~0BE3T@z
zx#Hf6M=PGMc&p;mioF#-Rs5?`R2r4>m8q54m1gCL%CbsNWliNll?{~>DkoP?tDI9g
zuX15!XJudI^2(Dd&!{}Fa&_eumDg3?TzO~Z{gsbYK3Tc3a&zUD%C{;%sQj#QSLHt{
zzpwnI@=v$wj&>)y)7`ml%RSOv;r6@7xa-{$+%4`o?soU_?q%+i+^4%QbYJDZ#eKi~
z5%=TnXWh@cUv+PFzwiFo{e}B0_xJ8!-TSMes^Y8Cs&cDbRpnK_s=BH}tHxJNu9{wT
zbX8l`aaG4xEw4JY>cXnatJYTCS@l5GlU19lUa8tz^?ud%s=Za;R{dJF-xKAD_hfkT
zJw=`}{LI>D&p1!ebA)G_=P1v7Plu=1v&?g{=S<H9o=ZK~cy99C>3P8OnCEHF3!c|J
zZ+SlSZ1?Q-eCzqyE4(q@WN)5#gty#V<2~3r!Q0}U;|+N`z5U)3y=Qwb^<Lw>&3mtR
zz4saKE8eZ%kG)@bzw!R$J>ZM>CHZoFE?<Su?>orX=$qtg_092xe2aZOzNNmCd}sL1
z_pR|=?OW@+!}p+Xy>FB672i9)k9}YGzVdzV`_;GKALWntr}=aJF8?ThmA}Sc@1Njr
z@z3#h_?P-m^{@6{@4wT(&cDh3y8jdZUjHuvC6FA*3zP+_15JUJz_Edj!1BQ9fi;2a
z1NR2j2Q~+`1-1vi4*XKBRL56mRToy5R(q<)R0pe%sGe3mvwD3^Nli_CSE#M8r@MZB
zU;EPb!R`)^x3LN2ZLaq)`IrJsHB6(K>X{munk6;xeGPnH1K-zBQ{S_wr@MU#qIkSP
zy20aZrYIg?z%TFf)HH_L@Dpc^Z5@4WgIx<d+m|=Cg`isFf}Vj;8-9~*ph=!{Y|hiu
z+yw1I1I_YEGnb`VmZdpzo4lccRc>IF8~FAHR=JT?Ze*1kS>?u>=7`GPW-k>Sng_-Y
zsW)EcGk$nJ_+dZa_#rKQl(5GWsP*_gR7#Jx&Oc!&0jZdev-8zYm>=q!IMC6#pnW2j
zW8&XaZVbx!ja-n%`iT+skZa>%e@oWm^|Pn^Tqb{Dk~Hq5ux^OZFbV0)B*SqzWj~w9
z&$bD$Z34c@G67kL;ONOi=>)1}8UZdwfU^yZZs9VtEFSD$6zUu7>I@B1W*%>oSH^E-
z4>WQvO`J;;Yum(WHE~)^q?X4U;F#6Emc>1N-7<|P*0hO}YT^jZoD^3sRO6{q@2O#h
zz0K8}UNxs)&1qC~8r99MGJ5O3S+knb_V~PPp&HJjhPAD0o)%8r<CS5E$f?$Fsx|U%
zZ%xf~>E7vVn(4CoOz*=F<4ymcR^sZ?M8<{9YMJVo8bIFWX0}pu&2+8^(<63iW;L5x
ziDp)!navaQ%v{tLTG~ESmUHG%IcF~DXvgmXcJ$Ad*Jlr1k-3ewZ|6*dY`oy;IWn0!
z!)vOyxz08W#r1ecQ@w@%NE=i;Ux<qz8rI@)+VxyB>bX6r=XzC7MTZ-y=pZh7z1>9d
z6Vbr;HSm26d|yLtXxQ@+q#MxUuvJI1|2(yAQv0@{qP9s-wnd7wAnaLhvxoEa1Q*B_
zr(Isb4_Z>|*)Ge{9=T2G+Q2F|u*wa5dxQND+YbS&+{h|7*0x7fMvKEf4^}T4Qg4yW
zXVLI{@a+2+4Qc74ggu@b+2Sl7x>IW8<9zDadA^3lXmL7ZmF(bhNF&+LVk4{H*wDdB
z+2mdzBl((+`&;60EIZ22Me<iKS=86w-i=>~T+q?hDec@T)$D}!G6_G|%kX`iou94c
zXEO!ZOaXtlOhDcitm_UJ7nO>O5^jT7g+N_*h<^OHucvo$dk>ea=YKw7TuJTT&Td@o
z#;J)5A)h{PvwZqMq#?3o)vEnHk>{<6m2P4eH*th!*4?gh%?*7+MX0Xr3l{;+5f{9g
z)2QY&s)PM9djG!}xth{O^TPMka27TGfpBtYfMgZ-c{#ZnPOgSks^cnEQ#&Y~K4?3g
zA4F=02LGp(_!*W>G1?(+I%T_yGrM8oTGd=TXxH9|U7A_VX4a*db!lc@g5G7aomnQ!
zxooJM%fju@3VD6S&=nNj+bmlXZ*!0{4YJ3Bbt`2uD~CTBXouL1brctlBQ-oeS>I4y
z*-q8e6nK2qR2e{ape(enTHfcA9R;pQ<N3Jv@Kwv_%vUGtgirbqQDhV6ldi-WnFk~r
zf1m9+*>!k)(sLlr*7jKqXIsPB)=<?(6wbDe6RVL9@YQfeb!1UQv9H-@oL?Q+6zO@7
zua=8h%UaiRwzXW^TF$nXv#sT9YdND@E?+I@SIZWx<&0`MBiWdGe4{z((VX;XPI@#a
zJ(?36&54cX#71*sqgnaUoTlt$kQggp$6D9fw&tYkI8An{PxcueU%kBMl_NNhuWt0h
zxeM|C+zvW)E}T0+JTTE6nkefOSXLMCQ0>Brd@8`<8VHde5ef?rLfs)Uy0<YX1#ffX
z=&(?aX#5D+aeR%o5WuAn{<m`v*|~>?=Z+uC#n2CthH|%iN`%Qr6ig4Pon~XRoo~H2
zEcnAhby%nk3w2?kAuKe7g>XR{!s#@G(`g8&(|~mB?$jL$D-guhVSN)$Y%PcSCz%EH
zP!yBK@^+p+&MMqbxkH`!-!=;O5;%v&?fd;~M|9ue^7zB$@uNJQ{q*a=?$AP{Qs3FT
zIMmQS5E>uq>XM%F*9Dq;@gvJU-E$D!JP?|;7(5Z~JUrCf8=4gAn!g})#Ngz?Ssg81
z9n_mo>6p5>r?q2IS7=&ja5~>RWpPL2;*Kf(9prp}eVxo_pr^a1-%gxm{Nyo(QR)#P
z>`yy&8E&UKTpo(nzKCxQQCa3g*+o>A1?`;!p?210B?9q3ev5e^)PcN~P)RyvNu+)a
zjopLGJ9@Y{y&Zjvd-|z31EIk|PM~*jN892K$UR-iP2R)Lj$iiv9>44eLDf<Tsi&Pc
z%XaxFa~VKFxCC~-GThE@xI7dsT+rb+|EHK7hSopmp_T+BJC-0%=7K!J3VNtr!8O_2
z1U=NQ;EdW8kQ`wKJ+ki!@?0>;1GFFy>Vw>;26=iF<k3%%$MHe#O@m%e)5~f4SQj7b
z(#W|ta_&Ap^Vw&7pU=LJb@8z-eon>Dsql;@$ODQX&%}Z}CJOR+Dd^`^czPD(fl^R*
z%-*0JqF|EBX$CmWAfE;KOb){lg*6MXW&uu<X9__ckpy}A5aixF$m5eBk57WKH}eL0
zq7meNJ}5gUZ?MMBmQ4`kjAW06YxWsu%cGN^oF3tt?Hs-)`wVYT_8A~fO!gT#v!k%q
zJTnRMz#z!;%3vKATK3Q0U>)CH$GOYC6oGtu9lJyJm)@XUn(zke`F5Ul1nc>Bo_qxB
zId`6e1nc?sdRE>eXBI&Z^;q7Z>~%qW=Ak|cRgt<z5Orf9>UBYK92@k=;Y^U1P=Y+K
z2{!OGFDLD_ljg)^7w!#u`OM2ndpT(@CoR_?yg@lJfG&JZcJ>J5`+R&KuS5iSmJsxD
zwmw#=k<a|Bgx^+z18X@7FEs>t0uc0bMt)X;R~Ujk)(`RwBglj8AW!pyJogXs&^yRu
z?jWx|1bH41l!FqK!LG@yJTD&wdHo^CGl3w_jf2gcyBy?sgL2G<+u56PFoQr&MUMP%
z##+mfAI`XZa^#1~&S$*75ai)~P%bmz8e0%!VDcuf4+MF59<1g1B1cWQ#`(!1AI>;G
zIpo6`=OBlCsET~X)7l`<S%Y$z<qh)cT98-Qf^yJ>$AXoRgD#wL*++9KqwShydy`|z
z@f98f_9icX1$p@^$aDB0521r{(1n<sCQl%Payo&<JWeynY4WmRkmvHjAeT1C#gwBo
zJY056JCM_?XFYkkAC%*IbU&0dh#U^0#}`D;t;a7N;PKZshq`+P+B@4jLJ`5;7V4F8
zcxdadt(HBAJkYgp4;1cKkP6ocUJnfNTs_Eh^<a>naGtjW<w^ny&5Z|7`GUNP7338t
z{NWsAj>edY7Z-y(`w8+YOt6tn-q2*L3U4<@#O7c`3=TzT91@#`M2rHtu*h#n#Nad%
z8WueP*@A#5ZxFc#M9u(_GeG1F5IKX02Vf-3=Md?Tfb24HUHT;;J4u{jkjs(k!?C5q
z0<zo0b?LW&m&}PXvW_RfE2IHlwg|}f2!X7VY>#lpI?473XRLwjd~wDa$nF+roS%;#
zIGk~QKF&{ex1NA(ph0W{*(BqP^OH?7&Nx5WB;$<p^YF+M=hQQRIAb~Hz!_&O#~e7b
zhy5h5+2kk$7g!ZJ3h@MZ@)zLASb(c)fTuhG`Sf`L@<AiAEenAYl-(OHP_-orUk_Ve
zK82n@y~n-)fp6rAQb6`-xXud6{>BrKjS7gJF9%nifULeCHdv!QaL2iwAdeTZ{~$Ht
zb%Fq|69jk-HXs{LPe2Y9K%A#+89V{mp@2Af*@fVY{UN&$oUuP-7lN~}Eg*1_ctRhL
z11Vf*$H<`*&cc>~V8?Edips$hu5%rcgDISGos^x9Cm=f=5I-lfo52~EQ+6{rV^amV
zj>usb0$BrI?+oy&LqHC+aE<emYuPyC{CEu_z)K1NUWy3tQUrE(q`JHm5#XhW053&=
zZ13`#M1WTz0=x<l;8lnKuR?&ral>^|j^sQ6UY-c>@<f1FA_BZJ5a1<&0MEYzvMWGk
z<HFX3Gl#&I<+YH29AqIHPc)^#*LkWQu&1l2eBml2`vaV_XXHo<wUBFs?EP@YnaYtq
zDkHn3(Px(l0%svxUQd80F9BXW4{#?E;7%mK>u~|uQ=>AnuVmZq3CJ!C)xhiS@1q2L
zUT+Qk#TmDUkNuK*y9c|l<m)CLSk}Y57>k`!T8KY!!$QYW4(ab$E(7|p!PYIMcKY)*
zQo>)w;Ygf8uT7lMfSnOBWh7Z<M3T%%3X~BEl#yha5lNg8Niri6WDY$Ls0hTAvSgVu
zNit<AP|74w%93TuByq|l$&^WuDWlt=gh7-pkxUkXOqG}t1yh<tGD!%WA_SQrm@2+U
zj<S8t@^J=H6~SN6q87o2ApjFSMF^y45rNeB`>^H4ME=DYHQKmFPoK{(`y-HjCR6dt
z{>WD=+bWQ}y;=50zGm4Uf#_KT$=tniectCq2Zr%CrZ;qK2o0c2{p}s@fxad6?*6t0
zpb=;Snt>oN9+&`31P%iZ2POeW0F!|hU<z;~FcoM8rUBD|8Nf_n7BCx_1Jv`X5(HjB
zfiP@c31_^p1R*@`p_}Z5El9j-13@k>^|zsrv<ZwzkZ2z`BKaaxAR^U7q|p(HO3wFE
z*;%5}OQ|7}UPC0khDdr1l%Bm;Op<*Y?HO|dv~6rl*g0kin=^D<V_W-zj?T^yiD6R=
z+f9}+<RTQV4=v}xIlMGw>xWJ|EK%mXzYL){Z06>0+RcA6GjBmt#9?N(ccdvaZ04bT
zX@s&xB9?22Sgs+WMMK1LjS<VC!L#pej99LbOki(Whp%GXCgah@HKbvC*K`)vXlMsJ
z9NS0f^FB5Q!RU78;oa<T)H?FPus!Wa{D@*cDim#QgY5NJ2w@`*Ux7t%xULSZ!6GnH
zSBI^_+U3GXH*ATB6&oqT@Jg&54@<Fl+WzJ+*dE&ewuP{^7_q6JROkJ25{A_d#HS~k
zHqJrPdBYNjD1gBRBJrwZI9kMufru9alp}Aeb82uCr7=02<K(b4q^f~xj^%9*L~I*~
zs2`v^Tf%j;C2Zc7zZJP9oM6kaI%@CK)9u5ze>gMRuMcP27^#z(b=c)<ij<})V!x({
zdQB1anxuMRleEzNavwjEPNe2HMRLJ}#?GZVl1t>_N5jNdv9S}0S4}$bhJX0hYRZ^*
z|HJXCBU)8Qa>e+_&a0YI<F^1v_?!J&!=8~2kugcadja9QYa*J~kS>exXYsHDI={0&
z9HEYq=NASzh~62nCA>Bej#d-Vr^YTF;*s9d!!Dj4cJcJTsmQMwP{d&_w%<6Q(C|Yq
z-#egy|LAkOVTJeYN(ZSHv1PfN>LL<74G5!`5h9Y*(%uK5^zpVv<XXf|VejG2NJ*O`
zehiWo`8@>^!X+K{wgLqYD<HqKfWX<|xWnFGpx|L~rM{zw@``94jMNMH81kzPxOq<4
z>qD<OAXFw(7pe4hluYx$VjQOp6`9_C;JB!!kqR4bYV0uHv_Lf4w*bkl3;QnYUO=+<
z7$DIe1_j8Y+{wV%L@d68<bDR2w=^IeF^I!tI?U?8!QOy?G=)yF$$_KX=Ky1?14nyb
z0unYnaKxSm$^CRB-(%+k66H6{p!Q9}LgelUt?Ks=&PRM`J9N@QI}Ssqlqyyx?DVlX
z5s|`A1(qlxVYaVuN4Q?n+63zs@P=zB)+Zui;kru86XAGvtwkz!-GgM0cOZqIH!M+v
z?}&7MSg44EMfAh=mYuRMqMt9KpD&`HFQT6>qMt9KpX?^3HGC2MWUs|x5&e7-{d^Jq
zJQ4eOBKmnE`gtPyc_R9GBKpaplgtBa9CkUR#EUteh^n55s-B1`JrPyI!zQe9L{#-e
zRP{tujWl*x_y}iL8&Rt+QjqYIg$ZQDfOQdFu;O8>8Xlfv{uoKGe&}jMgYdAEmN~-r
z%E6{AdU)VP>mA{%SmLnr2zPRrSw=JscWnrZXcg(4u;dZGw|VGlM3*3G5bDC;OzlVK
z09j6*`tc`r+i^k@CmiLxslQE5n?N*c>Tjb-6OMAu)ZfNarv5fLW5VfjylB&f>ntqj
zSw;=-@q_LC^mkZ?iIFQ<IPJ%dawjEy{2<QIQ-#IO_JspsS^n|j@Co7!zlPKB<;5%T
z!VP8A-o1c!WFd6fLNETfZnu4#l*9MT$9pkL+6U}Q_Sx`@SlX3}&?Wq3SDHD84TjA{
zX)>@h8Zny<5*v;LX*vkfc*JZzNVWkXu?ZmzQ#5>LXG*6~pa%|vh`+_$6_OG=Z*ab?
z%Y0iGu&vAdur3f-m-)6XU|W~@5nbkob(#M+UF@^4E;tSAGC!ird|o$L(A^_v_rzou
z$x;`Rq+O&yx{yG2kt}r~iS0s?v<nGCc8Q#^F7lLhA(8DulC%rf1?c@aH!<lVS?WTP
z)I|!U3kjr)WT^{DtP4p}7ZQeaiJY-6@|1NUk#!-dr*FZ+_O1?@LI|w`9Eg?+M|1!<
zqQ$}y&nJ#(sc^(39Y;*lahxcRn5sj@WF1FL*Kx#z9mmP?h)Fx-De`!vJWiFzR(YHz
zkJIIGhCI%c$64|?TOKi$M+#h}=1aLv9=W>V3B}cg^0-JI@pvHw9W#!{$>S1v!~={F
zGy^!|S;P^|368z;c)UFJ$z#7f;&H;&L3vy%kIUo{4GqFq$m2?Rq?Xdh3&B2K_Vw{f
zn@?_hczn&Cc6)S+JKOD%7$r_OR-^lXEDMNtNFd{_4?4E>;N1*)E!=+4-F6E?qTPl-
zT!Gf5adPuuAN~S3CU14V&W=9nrhK0InqK@tbiCjoPwE!*;AJ)v<uW3ORt!OM1;-;_
z5ycrV4#|aXq`<35^4$PjlZ!(>Z#7R@7Sh{$NWm)?VnK4T$txFPaVD3SymI{&XS65}
zqODR8tz&|u0$#bD?Zf+fo%qY!?Z*#>I`Nhy{(yC#lxZW2!tgdnU(a$Wc62X9tsPi_
zL_E+NHGiN3uf}vNMDPGvyAyv_y`wGENxAsso(0yVYWfG!I#H{Sgcc084M-ile(DJj
z-o8Md*LgyHeLc$tX{8M+`Q#b(4Rl^Dw-E3Wn=EOyd>_JBTkXRiA`dO%TdL*aEM9lx
zC=Ipp+5*0v4OlI=50HwqLXF&k!pm>+tX6J4`S1xsXV1#^?nUjCtw(MFfM^Q<B-j3Z
z(o-HEFaP@F%lkMZhk@iGx=+5hf$Aw2bbaz|44lz=A*hiOtCoZ}@yRhnwEP$rskR_Y
zE;@sTE_vPdC2}BQ_=YaYT?)L|KNKPt>-`vIMN*df`!U*zgpje2PK}!f)Fgz}fEbbG
zg0~+7u}FyAc=BUB773AM^<!KX38AWo#OsGbqy_vKr$yqBF%YM5SO~A9`*~vu6uHEE
zg?^06!?*Lcq2KGX?ZW$qevHxCPP{ef=dD3MZw>n8`!gP1cm>h31(N>bg;%(pz2ak|
z^46c9xBmRR^#`)`<UK&YZ^$^j9q7lnI;<z}4ElLz(C_0y^Io8z_X7RA_vGijCqM5t
z`Fa1y&-+Jyx!{b-$hY%uk)L;jK#|ONJIK#(b;3n3uU(U*7>UPM!ZnJn*>zEhe~;!F
z9?h<56wR(<QvCZJwqxnaFz4bS3M(VUp?m1m&R>duzhYM|x-zVS(W$MB6o>Aq8OleB
zf4^eqLsy19cXVp!BgMbpW9LIxhCO4Ht^Ev1ap)fG<AzHr#mE&b(uc1|k(H4m=ix;T
z_N`L1BT%S};Niy5<Eh1%tgYQm-9a~v$ZQ$)+2@h9D%gy79^4-O2@I>F-wIg+Xrb|)
zK;IIpXQ5TUpl5!&)w-g8puMZ#n%Lde)7RV6M@_QT(QV;{K5IIfdz`i6#kzLf-o2oz
zr_bual|HKt-5%Q5_I`I`Pwxsj<gu{v;i;gbPaXsRTMnZZ4-E8<sj6DGY?(VminuXC
zsw%CpmURp)wx*&3?OTehgFW2?*5puEyH&#FC~@26X$^JvTT}XalsD+tIgY_ETkcSF
z{GvvkGFLeVfBWrM{5r-#_zP>R@HeL(R)5Fes5(;X)K1f`#@~J2qpSG63a4IyzYTp6
z{-*0@{re~dzdaEj<&CP3nucGRxHoEB)Xt~__}z$3{Qcwyji(*D<8=Ja!v@FR=*;L`
z{CdN&(JQ0Rj6Mgy)9^uzGiF@O%$WHx%VJK6`3%3WkQ!SSduZ&W*w)x%W9P>X#GZ}c
zQn)&HUF?q7J@~DJk#YTTC*v0pHpIPy-$U3H_X~avL5(ks_ry2H9~XaZ{Koi?;y+8U
z62>G<#4i}kO*jv~S#ZDn&4M2ieoxdB6B2V0S0!Gaczxog#MhEylQNT*CcTsNb<(fN
zYH~($Ve+`-tCOEdemVL5<j+$^r;JNE3t#l#o$_eP6RFXuN8>B~`_n{PVp?iiC~bAx
zwzQAacBU7kk4$e&KRo@Y^hN0pr$3YaGQN)An!Y=IAHIqAWE`0>ka1bYl^J(uJf87v
z#^;#@nMY-wn0b2U8u>l@-I)($zMlD3=4Y8Zvof<rWR1>hz<2A*v(C<X3}2^zlC?MM
zo2);x)$AC2nQmp5W>;kgvP0Py;_LJKvme9P=Wk|zFTXiY$f?L_$eD_7%opY?$r;Ew
zH|Jt}Uw#$7FuwucnBSgrZ_b-JZ{@t7^Lx&L+?d>~+`Qbex#Mz=%so1{J+~KMlV6y7
zxBQ0usoeK+Kgr#Z`)6KMUTj`*UUgn`-Vu4Nc}K}_#{2SC<gLm(GjDa?J$X;%y_dH;
zZ-0JVerCQ4Ux^=*KOz6f{F(W4^B3iJ<)4A?!>`T1Gynel=kwpn-<!WL|7Uy+o>WkT
zZ@~iv^#zCHFaFLbIHq7h!EyNZ`vQFTeGR_(URUr~!KQ*&3bqw|Snzql?t*_5d|&WO
z!5?O#nQs=EHTYZ4Q_Z8yd1i;%i*LP8z+VJjgD<@wGdIicyuUENF@MJ21~#1W`1{Y9
z&OB#{b2Ps7uE*a5p6Bd!p6I;5d4=-^=dJiV!1p=V;cM^bov%8#IX}Q(eBOgEzJIh-
zeDQ5r#a5X$+B(=e+?s7IwEC<QtTU_&tt+e>t=p`7tcR@i*3;JW*2~uG)?3!+);{Z3
zm+ne&<>AZkQkTb7>pH~M>^jUf!!_U4?ON(O&2^FMYS(S9hg^@io^U<wdeQZ|>s{BU
zt{twgT>o_a>iP@cfJfsi@a)2(!qP$yz5@>y9#J@>@aV!&;ljctzxJMzv1!BYFW>6C
z*qD6Fv%Q=0zJL9bUu%DjTKxY1L)mwLMUia({+gj@uv<rD9MqW|#)vuRoYR^yAW9Me
zQ4tX&2$B>9MM1@gN=6Vc0|Fu-K?Nj;Ie<zq>#D2Pu#LN~26ylO-gm$EzV|-&Tc)ck
zo;r0>ozrL8L-k}wwqSJZ!d?nN&vwaD3!9|ZmqIV>%QG4*-e($Ww^}jSX1)2+)kU8^
zCs!3bF`AUhE}v*SxVu6aerN1^BVJBM6Ft(AtRZ%S9%(O(rvD^@Ot2T$5Q)%{j8@;(
z6<SUBMn;j54?hw5`ICpn!boA%gf2oWHBVCf<mGv>r_$9<*VxT#Y`0n{2h1)1vO`Ut
ziuWGbbMl0OsHZmw`huu)A7Q94^h-ZtXe9I}+46UXN(w5K4=yk3t>)!1hr{+ARd35-
zgMEWSb}GGn4#q@;MDIPJo?{_i5VtPhhz~SpcZn}rt&Sp-RL0(%`ec=S#ERQ==Ax4O
zk1n0}u}@PA2PBrOZQU%De4U6q_v@nK<w;S|iAf$&P8;1loHj<gCz4^R#AsUN9<|ZQ
zgBC@(C#j_e7O|BiS4`TNJr?-!GuJv<8l{-92^Vq`3YAZy7R*x%t2Yl?)<wZL3U=}j
zSMR<%qb74SvFup!Fd@d*+Q-bts#B17Yo^!Lt?9i;Ove#oV%qHOzlL4l;b65y>9;j3
zG(heBE4$-(WKfKfCwu+mMEb0ejDE58`Nn7Jv7YSdA%`YTRtN^Bi>5C!ORY1yvA?E3
z!4or$F*{5=Qkdtla<j$e6?71{9FHvbD<jCfjzh%6tl605<p(dY&Ide?B`6Z&j^%_J
z1?95igO_hys#uugdd1&}Cz*As=fz}#niPx^3MB%+%x>B=(+h+*B88)b0*Nr8ZV};(
z_~OIY;)@m6O;ZQ$HQKq9Eet-j)k(3*)pz}NBdPq#;hebZifhXg$I}6pvpK<WKARMq
zJbau3DgK<>M08%WVPc{);9Npi!m`7~Jo)4&ufLOWIbBVXg!MCsT9_zt-DJ7dTq$%O
z|2xIFk<UMqj^*ha*QTnouCbTw7NiYQ3R5WB$%Qq-I?`4!Ad@L}-SCs&FO5HQK~3C+
zh4YE7Ad_ryUmIYj6eRN=5`7}8x=)aw>gk+Finx@u%Tp&Rg+79)hcH2y{Jjt9MN#X8
z_$y)8BnUbK*&wl?^J>i|RyyhWqIzPaAYJc#C-i$WcRLGR1*3&SCoMGM4K*FBg<`Ue
z?5!5|5*u>mcC%E>YYc>$@>-3znCRP;_n*4lZjzZ%u$VWoaBwkG&T+o@QcbRo5^hQa
z{jAwvDA1#{Tm0KAGJ=fi`AU!qZF&wAMhPQ+8%WxyD|LsP-6Oh$y?Xz}i`+>9E9fqt
zJY3BeAIhgYkh}cUuu!9IE7`(brzntJT>aK>Gm<iSFG$5;j=ykvRk1QB=6voxwRsr3
zap!g)4<$XpgGv8I1wt2LEGum^Bn{=lelnTZlnOSa4+$z49*g-$qDI5}<cGL;$D^QP
zqcCxv(3|KBuh{~+BJw(q^rjmav?y@=B8BkdQB!wgx)R}wx23PSH`$@`&fJ>qok_Rk
zOUIt#7K~dT?s_yqk#s7eFw|&gE;}gL)X_w-=$dPB0L7NG>j_8EfMNtEuxC>QG3m^X
zrZ^GiC$GF3k$GM1P{6LSSnX@B9JM0#TK=V^CvmYMyOPvpl3gxdyFHbB!&x#SfwVUo
zBX$=g^w{&mIVlsWu@iOWczHr(RD1$Cs`BvI<PznPKs>mFC|cqXwP}+lEsFF=P)lbx
zEgB!JE(m6`Lyx7LrVx5vMW^$6#+ifxjqFtMfWa(ZBPMiS4k-eiqZTpfj2+gqQW1IS
zCx2dc_C}uCB9FCLWxjE)QqUjQg0eNAiGE>*i~U)3<~26MZr+8lN?|O8(@&I@QuvHg
z^OqtMld}}%CKqQdUF~AK*689|_Ebz_RFX0y(ZznX?S@%u8wsDW`&=Mdp*pa9kCok`
zAd^K3KJ$3ind^$1<|)(m8f`OYGlOG1)+#o7dbs)+@rTmFFCM(87bXt34YxgH^F+w#
z_+Cs{O$0kZyhMogU$Sj+z+y@qd<uOEeG8_N*p5@hlZ9B{#akEqE$I|2_Al@+3@BVe
z%jqu2t1ewAdZH+HO|^A&b9Y!Dza=qrZ^)idBNG<~vvo$ih@A417Z=1{ysTbRz&dZx
z($gXH?-LQxEqhRZ@$?p#M0NT#HhHa8!W^a0PGAO5W-$EY03xSnjYJj+kz(y$ofQ!)
zjY!^^ZrDoa)U52&scAW9Z71wkuivoAe}i(fU@d=l?>6a4+Ah2|V9H{XNs})xe{??e
z*r`Ny&mHFGi<HjphmU%yoh@1K*hHU9rIg*ZBY1b9a`TqMg&WkrlGbVONh%jl#&Qu4
z+0g9)d;OKBb|jmdOw6YU=99%M3E1cMc9Et^fB#*<f$C!u*uDG1LJlb7qqdpEtJC`Y
zDzs)7Z}9YYQw9d@*}FsSGoB3&KeX$x^6L4hXBp~BB4Zy28}E{h55yIMjCVce8I`Cw
z6BCt54`((zb(h8Z`3k<jc(zAO@~LCTPeiEwV@~aeQ+|AW>-RLT^P6MTzm*E(Dbhz5
z2&2Wd&r5FJSJaqZ9>2`o(Q<>)1qU`ICMiBunU&<YeBqq=LK}gh)GktTGvZq61I6ip
zQ)H-WpT`!(QacyZAR|YiQ2bwno0re$_!5;t!3#~ty6N|1pDuH<*Q+?$r+@gi(f^Ha
z%hS_@E@bSYC9JggSbk!)qIh}ouol##bjQO{vBqVKqn{C9q>_D_t&+W7tCGs6sJydO
z23gNZ>T|0*vQH$gPWA0I8Q!?Q$}B@Idu^{Bdib{il(SUojxuS%n4$-@&k83Bx`Jr&
zq>*ZVft~rpAa!97n-LZn8&5f*g`d3ScFOf~^~&@4)=!n?SG9t~h9W9RICxR&FsI^E
zkeXC#1&QM)sUR`CQQ&7UUOm^&sMN#!(p2TtS(I0+`Io{-`IUp2(P@e_>ywm21=>;$
z6&2vA@ZA#Nx`R^VJt~97ha~Kw%$)S&WR4Ch*$H1x%r|u(DI`)_pE!z7iEy~0yc`vq
zy-&SrKkKr~Z-=*%cPHi*<X$CzI;5P0l##XN2932OyvC|V_LWjuJ2C0`xs=Eom*kC$
zATL!VQD=&8DTriXrqIbqFcsGdDRQ#*ljL)r)5KX8HiE9Yk5DEjAw(>ZeI=4I`!Pdj
z+X$>$dh<la#WF=oK%8$JN#Q*Ad%G*FoHs5BFp6-r54Tkc-Fg}e<JA0-Q>0ZG>9&`2
zP><pZ151LgQ8Io*5RoOqb+%R$F+m6t^A9pzEiI`T(PnMTIajhqbvkc-sgk#IN?)j4
z;by;lr<&iWA~uFjDtV!p{Mj^)T`cB9+*N!+WaOy?&&W-iJUll!M|n~bDo==_MIN-s
zlNLqNBHpl;l#pVf<QacgMQ%!nKEGL5D7SD-J)07lcs5#{?{>v+rNZ7}gSC;A%u@Y&
z%b@rvS^JRez9Xx(QprB1YK5w+3Hiz=ky@e3a`QkcRLN@nIq4qNHWg2P@srnPUwxXY
zChIk4*b!pN88a;eIi=2KL@r24CQF5$&CR=g99a7;uHM#4PruMGe>GoCxwXEEx2)ut
z2#tp*!mwWamP|jMaw0YIQl~I+^y-uAPON_?Oz-$gEG#DVWG1=C4yCf&IPVR<&Rgs#
z<@C7VbIR-V5HhagKrxvi+-9W%RHUng{Axh?4UV+-liy2AuR5(JGc_YACmSl*+6ti4
zvLfh5Y^jJw7Bw6Bxv(z2?!N1lTmAQHXGO%Ep9ddH{N&~lc2SoUDT%RX&Lz36-Q>H;
z$<2tTycxVaJBUr(7k(^C$<Nq7Ic&C3ka!yTMF`LgVu$l&{B_dz7C$sPMa4H#*xOQ?
zPdbt1!W;IrnAYh-R*_J)zgS2RYS>^>GfK=ejkTh2Dqb^Pcd>b9b#+#HQBl^aY17Ot
z7pwV#^mEq=R-Ie2*k;X=rD<yl)#r4bHb<U46C0IuD$ZlAgR7^rTB_M@IDzaE7ak}H
zyGAFoKoAL9^ctm!cu3J}ap3GAQ!Um}ZeT*Lv(LpX6B{jVd`pH1N7)9kU`DE`=wZ$d
z6bnwmZaS^qbXu8)n&s8PXEFJxNo8}IM@%Ob65&I0DwSTha6F~#J9lqWdTiaFvPC_H
z^t?u-Y-+^GLvhN(dqQ^YSGN%OZF{|xD;zu)IIHIi9oc@wd~~x{4cYik{8Z@6XGL5+
z|5T9_kmwsjPmuS14^PEx`_1NB;WUMmtJbe~abNF9+N=0cA<-N!S?ITBrI%M&n4gi?
zJkpD!Yal(vWbDUAGLcN^RVPeT3*E%E&1P~<hY|^Cdwn`3&+Qk^6xz~F4NaD3AI^%*
zS7ckojo)h&Xv600it^p0aQE_e2{e*M+p74(PQ-MgKg;`V;`r6k?qvB5vb>z`3~_lX
zY9!}XZ^T4emq+)q)$mKSPhmPG6%lf>{DtJzWtZtQSFIbUmR_Y@9H!t&-@(T3J+l9}
zlAlj}DuoVV5`O*Gvn!QW9<CPjFwgg^B*CS`xx#=9CB0Lg&99}T#h=QatzK6Vwtjx$
zgp-sqRV8HSJXCxcdtDGsTDaC?h0$eG_QHkCQ~AoublZ8eEKP-9)N{2&sbAjmiPM%?
zOqgVL?vkB))l$|x<CgVjr8F(ptW0?==2Bj$+HxQ36cpg)N@c35q~eF6YQDzsDQPc$
z`HgfHeAz~^FppfOnyD!}NGz-t4zj@-_c3CAuV7I?6lYYt-xCr<&U0Es)m-wEM;_f9
zc8I)EZ4cPBL%DIwk!oADphH$1<;dw#Kf2eFG9sZ^FIclZ3(k1vEBOeO>{91NoGdB-
zv+6g$Dzc@F?5$#opKIDa6Oku$;S&f$1zIQK)Qz+jCJvdl-qKv1X2M>$Sa7ObN!nEo
z6^8FuH`|JLZ`-{sP$Ag-CUhX<jjD9JOnpXr>`-gkiiO_(Q^pD+rBqm}>5xMLa+&it
ziBXA&{G#a~PfLxCJ4Kc71NQ7yvRwSkA!n@VN;i*nMzPlHiBlI(oK<EYb6mAYEg1RC
zcbKj)xnzIc=wyz3t=sW4=g*${a#%e=;_S4^*I6koQ<3et25C1uAIj2taWYR~qUOZ_
zs<B?%ubLs4%8y)Nd4gf?noNQa4=TWxYX#WZRDiA13b4ai{@cFmiN%UE=SYjgMtqYc
zp=`SP87I5A(j#ZOa{0#9ron1iYLQ?tO=T8xos7CpdR#ZCc}iA2nNRswjUh1=6Wu2n
z?{1r)S#nezDv@cfMkJrTrl_BCwu_OlfSxOBIqC61azDk{(sKRAG3tSWtDKDbjp9j7
z`i2!tZ5_u_CUHIHT+VgH6_5CJE^b>kZjAAX{V7b^yE?DlY9u|<+*&?#S!!NlMAF%K
zHSglJalMVgE^<@cR-+&Z<*&viB&dS-lYe<pOZBi0Q_BS%QxnG(tJSji#4_xDRfF=<
zMNh{Bwd`qDE-QO~am|XP8A_@o>h%&1(n4X?+a9Ey(JkFED=LV7fcpBSy!bTb<BO)F
zMy^~uS1qm5=v7e~977Lb8AUo$&&h6SDQOwe6%$LLjD0B<+{qVK)=)<Vveg$)9!XU0
zKeRhITrInG>=7*{<5a|&lij7*DB<M=Pm`YzRzY+fA1`@oWbVf1j*l8SR58S3)bg=L
z(xrZnC=cte(p(tbd||JOkM>gWKGE))4tI#|m6fE6K}`*DtC2meF{~lw;+&i_@nkw@
zH%KiUt|2kRkF&S3Fbe&ReNBFq$lhNO=>MO-9!-A^kWAjm%AQ)^lSq^OD#+YYGQ5Jx
zdq(cmipUj;@m)XtMk(%O<9Aet?bfreFj<)VTTjwWt=Xvi;-*QrBWj^q{QHp`MRm&N
ze!2tamlG~fP3}^KCve{EK}zW!!LghStRxyOq@ILSlKt7lxsoBewWRokD3#okKNjwh
zabmK9fbNkUp{$Rz5-inJpG^~w3u4I#AxBR3lit}>rF15{RK!C*(!Q{<KKDlXi`;2~
zDqKB()iM_grHfE5C&s@~lT9#LHiGJgox2PfCKw2vDkc%G@cQYi)Pl1-aN6tvO6xVp
zPp?-yEMnJWWVn|pr8}ZycSS0niA&FJrQ)97cS=V78)g0-VW=_SKXBzIqNx9mh*B%7
zG2vuaZ*sC4VZ`HsL~8VZH7^|xxkct=lfmWGLS9RPwP4yKe<<wvZ#E*hiYHJI4HMku
zWDYUNraIzavWvSWBCR!(NGBC9w6B^&^r$#cvYSYVA2BevMR@a@vgf3gYEkoXxvc8x
znX45q6gM`Vw_dl=ZH@gYkCf0bt-iKr*;*?T7d`16Y8cl<P%cYma|Sg}$c`s6^BThk
zVls~;vogm5PIjVE#oy*m2$7ByL6;cTYL=2wRm}ru5ZXxopfvMN-s)7V!)iWTq|x)2
zlPRP(F(lT+iteY3+GM5(z3Gv&60AvY!H`T*r|SxRg?7{sIF(jyM`zua{%c2VhEs&8
zR3U67^rd|ApoV8J3(tv^;}5EO3pOnTO_ap(-)dDqtr*!+7pN7(I*fJNx!spqF~||l
z;kk+z%W5A=)^mcDME0>nQkHo3N?cUXwrHahCG26>bqCffjm_p7tLKo3Dk}FWv{sAR
zJEqT22=8i|x(}5IJDP`3!ueW7WDf~X){%7+s1Z{pw4Xrdw@z61P~b^>HC1wB=*j8y
zl(Z%G#C{Cng-$}JG1L^WMzDV>v?ZPB3Wg9LF4n_<3?S<{*;6vWStXXew^2!mze@J>
z1O39YRQ^S4RroR^=}gahcBZ)JP?q;5ZRMFe*`%;TC*qX6Ej`^=Yk2v|3#>($%aH^{
zVtmB2eMZ~U*e*L3Zd|0WJndFT4JM*PhOemnK}y(0p@hoVFU4exP{LAabtP#cOGzHv
zPfU%niR>t<stAdr#ljepNXy7FA&)Lrx~)_rEoG=;Ht_+O_*_IfkYG8HJgj;XX4EW|
z^bear&7=y=2tz?{;`Dw&MjEN)Q_$@hf<z&N@bW9+nNhilZ0lI6IBj1=6{qL`D$RIo
zql#0iU?}Iy*STw^RPyqx;^Sm&=qoBXhYqBI$tCeIGH_23yHG48Q#m4|dVaxvdM=4d
z#j_9gCS{f>PecW6KdFu^We>VJ9&l0$;w2LWk(zhcczN(24BS5)tvy0=xmtRb39tR1
z{*zCX$gCLqiJDZ}jWrfl2rHf#lXmKI-EkIm#F!Xoy?Fd6Yq(%67+VY*Pnl0LmF*mV
z%61)9UK^aOwrtP~5{H$9-O5uC%dryvy5C)5Uq!<2^1`iXid&QAkI1;X@?n}GR6I>+
z9?vczmn4EYB}=`D+sTxZXO5>(ePP$yVAHh<ihxpLLAT)zm9^<Mj8O50kH|D_>&`8$
z`>{*^r?u0`<dccVlYh2eLR-(1NV7?GjzQ)PtLsE|!~6ziCcpBb+k8U(l%|fJlPuKZ
zg$`76;7NhX+atxpz%`wZ_alK6jz!|b8tL9Q>?rZx{&agI<x5rkbd@Z<b1o;-jOF-T
zqD~_na}7vf>B=(MYch)`gH<Fjo6>JX;&W5XS8BLQe!mu{CXh1rtx)!ul)a@7KN;Ri
z@}-J$ySry%4<#x0AKV>$P|c4PzKYE(SG(9N=WYDkmibj;X4O*Q)KW0I#khH8_HWe4
zqoU1ABm({8uz`~CLG;|vL&u)AwvQ(BIG(Ag5fKH)lWu;Mn)x35G(kairLgk-_o@`+
z)o2OtVUTfaOD(k^s7a$Liez!#%FV73$<&6B7I!8s#faCENAgZf9w~kKY^wUHz?ys5
zo9?96`m1cH*ft|~GpSNp9XoHWCgGBdtPB#TBCj~QlyxgM*eE^yL-%>9y{EE)$0LHH
zl@w+}v%lpsnK#L>8zQotr`Ax7xSEWk;LZrBBxbXZv6P(H+~x`Y*I%*zsN@%~dNxjJ
zZLw+28g<q>HX}CvWRj8(sn#61&Bwc?P!eLp@!eF?bWTbY3#r^zyKXX(<3|Zu;vLRw
zf>tQIEILbc)MUtLVTeQ+(zuxP$~zafpDwT3Ty<BIe3u_7c!+npIS1P*hg+ViQ4@pF
zf`LRZd}v7w(ocu(i#Ot5sR;dkvUY)2(&z%|&e~m!%3O8VCR2+qxA${=#;(hO3Di&;
zZoS9UP9c1I7%$mVb|^RLVnlRARK!VMKAbM`j`-udb*FkxqTA5({yJxhR0bhW$y35m
z$&y^-!pTDR8r@g<YuhVAo9-;%Vm6W1kt-^aS4#>xO)bf5uB~nA-fSn9%5%e0@^2|`
zr7T+>uFef-@9ngDNWYM5HDNN{9I{*Gkj=~ApDX>S=1WPRa-PI-@5va_XV!bcVChmP
zTPyY6dX_AsXpsG!9ImB8V96a`epa%~BmVsPsQ7&KS;@H2RkrgL^V4k~hZ;$JV~pl(
zU=MopYHGLO*)ifl!bzW%UMqd5U7B9GT=BUwh@7NXE<Ev~gtD(#u%v`?AW7suTq?}n
zuQm^7*X`WkFi**AHp&b952|=C6_v#J3excj$)jhwMl<qDMRz_dz-O<Yav^VUpXzBf
zywwJ0TN?#0nZ1*pSI#e03L^f5ikRecS<jDT^I2(EZ+}pb9(})4V$`E=XQ4;$tJAY=
zjDjV+x2AwNFw`K?UPQKO%5QO!>&MO)9y_u#=#bIzQue@BkNumJ-E8O5n+a-pf1XXH
zA&kfn^wm6*+jK^hyFlJ_X0N!}sHu!@R<rs?8OuwExY&NwfQ7b{dP<20l>x^UkbaaT
zrw6ggVJ9MDDeqjZdd{=e5~179ePkFrUA#{iCUo1!PLq&s6!&itSCxp&)hb_owF~Dj
z`VneWa3`m!`dGnhI^+_+T!t4FY1DFlUbaQ~Zwi9zPd|LTK1M)Ki`jF{sfJ-Er>8~e
zNy0dyP-#YzO%>EC$?x?$^FMIWeAd>X@~tEB6&!0cUZVvw!Izkg7E7C4ix@#cqD6wD
z$<>7;I|(gFYqAlg5m$MWP0<e<vGk15STRraA_``&Y<}m%-5I;z>Dk4mY`dt;&pusp
zR=rouzZ|II>8)gtpg%+yq7a4>{lTPTkdd^ZkrEuqqilk2<Ff<_1t%4@MUM?hbEVLc
z7g)c$R_>Ze4?dI2;z=UaKkxIxgd(DF=M^Ry8|eL_+Ik&p#fvhR%J+(!$~0;=O!A{l
zW2C)(_^P6EfbR_wPbC39L?xBH%5t7FYo*grwbUcd!$50wA@81wG)ILc^4sFW)FM>C
z&*!9BWadqVI2VhEGf%QqUdp9>m1e02t<8r9`tJ=;F5`0<Qb3KkB#$fMPmtSm33sc6
z0Dk%Wl>?0Un}=>1@QIqGa?-PT=`#{6-WL-WdS1y(WS^qM>zy2IO^CfpN;w-jLG{MC
zlP6+gx14Zw-Qu;`?W9+nnhz=0sH+SvQ#o$QGkTF_-R~K-cwUUUy8WsFugRdIYl-Lu
zFHElC_!@>xDie`OlsAtfZXB<9<-yd|@|&}$QH@&1c=?8nZw9iJ;y150B=(&`5tApn
zw`@m_nr<;-;?kJnMQU>sK7rn}CVE6u3!?i*daX*$h4&?-|HFY)a2Ye9kI-K&^{aHC
z))6`B(qNY(D0{K|sgO@&-8I8MQ7TkII+G5)uL<4NeDYS+3-SvU6d7VvK%@n9lCf#Z
zSLb*?tvW}U2Zf(|Q+E$uL^Ua%a*#;18!1xx?&KxU@;2lzbzn*KXrW9pY#C2%IjJYT
z7vhCU)#7k+fuo?CrWyJ7BPDwDdAeo^uXuPh=S69{gI%)G<!kI^+P%34Me-(ddS5cS
zxkhl-)QtK0XEepDv6Q`yr9)TSJy%h3!3%TALKS~NMWOm4f>P^!s;QlMzskjxnz*|>
zBXoWF`K5?|%VfM1HSkokr}wpdHuI)L^oDmY|DrMc#Fxy!M`k_aZ)?V#qoD9B*9<7<
zS9p2v3-dMdp3Uw!5x;{EGIDU*WMic;NvF8##9Le07+qe<UP#S6Td91aHOwyOUlQ?4
zzE<{{D!5v8K=vt(XGtm5Fy^|GrCQLDbsh|zzA2r)sjy03Lsn6KMgpl~?B|g{(O6R;
zFFI^XEJkc)rJ2@QWLcJVCa<P?u$DH`g|x{ceX>M6RcUK)YmqqrWUjeKajpSREjEcN
zo@(^62Hwx(6zxg~7y4!Mn%l&d;VHuk$fO%Qxs=ajxA{>Vi}0Y<tR*F+UkP(YGg(Aw
z=BsB6(W@ohYejssSaX`nL|XpV<lAzf4z(PpqU}-iI@HN!>qxCdKTt(h=hC|fo?glh
z86}p+$0Vn?L{n^7+H{8DD{bAItm#=-`c%o+^YzU8Y*7xcIWR-Qr<d2t;wO=0!&)&V
zBZf2CWfEdo$?_o;WWfz$-EuhnR0gCwJq%4ta~Q!mo2<wd@o}+RkGgwq^`&wOudPI8
zY55{g)#ZH^B&MYqy(E}kMrL|Y@rPf2TSZQD$-G|?C7I5C6&h6V*BN0TDHZWT=pS2|
zSH*NEiXMqb5r2jvPPL|{r4PYDo^a-91g{RG_84C6^N8I=brtF_K>5|z3Tn-akD)Ta
zd=KK0YmobxCo@NjYnn&N$#kAxef6iulBL>rE>EmSQTwH-oGjpvQW1DhHCca`;Wh2Z
zSQV{fOcqr&kCI6HrY>wWlAhX>s+Kk_rQ|=`z_*O2*_CLjtWKEH2{cDp3Zu<PdIn4o
zgL7bZwZU#MM?^FoDRW!`nyBm|qfP&r1}44}XkM`lhRM|?JZAFR(KJrXZI&i*VjhS<
z3$HN91FnL3!ecMPylRVlFoe@)?Y+im^H&wpY*mIRh7Qg1bsaiNU7Gkwr?ZYW4f9FR
zBuyv-ZZb3%6iT6E%-|MudbPnm=!_7d0y<+Ps0Jz-ohiU==uGW|`@kJW#{#$q9ZNAy
z7p-H*)6`Nrn^-)6j)yLu01p|^lwgmcvz13UqZ8bgW;WG1D#9V?oDgfXkk&Ffbb-&I
z6K_ZpA!~C4)<Y*pmnNgqxu&B{2OCQh`28g+`b)QH8zexxR_x5aplQz907?d1XbvvG
znr3YSyrE5VD}pxJupVf_E1K^LZVc8lpy|LoL6c*#uE0iM7ud}VGX|_X-~wz0CV}-}
z(2Bu0U;<zcSOPSm7+u|XAR6ESXGWWL*A?uRwlu#iOVhF?fF`$Qck7@F*u6CC7ue9h
z#Gxk<0!cq@UTsPLDTskKDKFcS64(|J+Q}+NT)^~$#I+602P_F-AO^gE$d=UCabTt~
zlI>z<l1M^(ZVhd&+$10h5;}wt&0|he7D5ur-~?!bFUdZ@3X=W65l9a7#8w@e7hIC9
z3qN2x;Ljis*a>ao-W{N+#3gxd*uY2*Q!p{Wik21HwB#S&0Qk@bEt8;dr^uHNiXwEg
zwOMLkLz@Hk6Bu34#JS9N&=l6p32nk^<{_9jVBUcdXwEO_bb`)E=uCjlX6X3S&DJJg
zrTI>EazL}2(!`rO6dQhnNKc!fQY43HJw#5RNgzc#AUX+A8ASIWdH_)!M6?=#=r8E<
z&>aBXY0$NT?q<-;Y`RCGn+DxVZ6<r&X0Qsd6Tq(0?h1PWYz^2Zh*h9@;KlwB2SNM{
zl7$p5&@+TyH_*Ildefk13cU@`3xZxO^x~nH0=<jS%Y$AS^y;AZ4Xs+C)h}o@1g&PG
zl?Pgdq17q0x{6i}-~etGxYgiX!3BfM0e2hR2XKFZ?*M)r_-yc%;NPLO6s;}M+7Ye2
z(0UJAUqb65w7!eh4QTxpZKP<^4{au(%~G_nMH_Fl*^f4fXmbf|iqPgE+I)qS=5^}}
z=`2XyAPs^v3es#yuR(ef(wAu432i5$trgmCL)!$jJ&U%N(Y6?E-=ggg=<7qj6ZE@7
ze-!lRLEjeoUeG@Z{e0-xLjN;8P-qu|c8}2RDcaSe-CGz8fWbBx+=Q$LWFsM)1KBFb
zwm^0evJ%K%LiP>qTcN!I?f0O4EZV1|{Y}V+LOv7njgaqxJQnhF$QvO43PW8Oc7ovq
z7%qdM6AX94FcOAmVVDoYMs(oNp*uQ^Lx+Xvum&CS(4ib1o}t5MbmY)+3ObshqZ2xA
zN5>QBn2wGm=vae}-_WTYI`v1VIp}1MPJ7WQ5}hufQ!zR{MW^rRq=8~G6jPzt3q=ML
zx1gwl;s=!7pqvV&4U{2Jra@T=<!Ah2fL})87c2bYk6$wI%L}NaP>qGk0jgZ6zQAY;
zjJ&mZ%4xc2n(db+)unk@X$n=E&6Fk(rMW^oFGc6|=<JWqAJO?QbkRqb9_TU_U6!DW
zBf5m3ODwu%qswh{5zzG)be({%E73I=U6atQ6S|E=w+ZMLjc%XOeFD1gM)&*Z(G@-R
zX%i*(sD-f}j2FV#1jc4CwubRW7$1f4IT+`_xD>|E(Nm0`GtkouJ@=#MA@oc|&m#1!
zK~D{ObwRJ8=(Pa7)}vP-dPSnw4fLu<Z$tDRh~6gX?T+5z=zSi&@1c(befpx$BJ}Y@
zpGfq%fj;-qrxASw^zDJZ6VTTbeeKbAEBfw3-$eAiiN0^qPlA5K&~Fj?Z9u;e^fy5N
z81#=v{}lAUi2ltOumS_(Ft9xaDlyO+0|PKH2?Ot7kRb+*!Js)9v<ibfFz7V~>te7H
zgNI}A2@F1qA#E|FCx%SH5GxGv#E>)$slt%=7}^R$hhnHHhI(OW0*2nk&<_~a8pB3l
zm_3Fa#<1%c_6EbH8197On=srH!~HNk1;bxpL|cqdVMJeyn1B%rF~S-noH1fMMjXb7
zRE)TR5l=A^7-@i!y)kkUMlQohXN-J@QA04w9;4haDjK78FnS6`AHnE{7_$IlPGPJF
zV;5qqHOAUttS!biV%!vrOTc&u#`nPZc#OY{33`~Y9usOYu{|bEz{E|M=#PnMm{^TT
z6ENvGCgosKEhc@z<c^p;4wKJf@(WCnV#*>+S&S+9m~sbGo@2@fOzncHc9^;wQ%f+7
z!?X}gOTe^ZOxMM9J50~PjMkVj8Z(Yz#tY1BhnZtAGX^uSVCFl_>V#R#G3yX!m11@;
z%-)RIWtjaPzjns2v+?UP{OW*Tz3^)oe!YZWZ{gQx__YahT4Rne=1j$$0L(dxIgc^t
zJ?83QZb!@=in$J$yBBlMV(xv+>y3HSF>ej#?ZmuP%)5hmUogK9=9^*uPRzfA`L$Ru
z3=15v;29Qt!NOKp*aHjaVWBe?9>KyiEWD3Jt+7ZSi#lM@NGvkNB6lo0h(-BWREb6J
zVA2*Q?O|dF69r6ufr%O>ePJ>hCKfPpfQbuCVqkI(CKq8+3zK@7yoAXgSlk1Phhp(m
zEWU)r=~(;&OB7f#0!!v%$$TtXh$XAA#2-tdu_Ome8nL7qOLt)DeJq=SWwWs?9?LRe
zY5-F;Oc%iP7)-0MT#n_3usj-OtzagH**ch=hFLDmZexWUE4;BH1S_6mr4?3I!+a{t
zEn#j4b6=Q;!8{S>88EMe`6pQD!omm^Q(<8Z3qM#KgvEJSRKwyMEIYz-A}k$Y841fv
zu&jXPYgl!HRbN<5hSe%qZG%-TtggfA1FU&icY$>`SdWMGa#*{=`Y5a`v5E>F##l86
zt8B2!7OQq*)oHA%z$yZpZm?Md8wc2U!sZBUa$s`@Heaw>hShVhdOKDZV)X~u_JHkJ
z*sg@FFKkm_*AaGuVK)zUKCn9ryL+(v6ZQjP?*aQFtm%L?URZM%Yd*q34u{EbSPzFI
za43Mo7p(1rwd=5UH`eB1?Qd9Th;@^(&I#*cv91B@yJP)atPjTen{aFkM_V`+VMBLp
z*pCewIC;Y9D4Z_AsRB+Pu~CJM<FRoKHXgvnTx@&;XCBUz;p_<KLvTI;=Quc*g9@da
z24a&9HU(l+EH-6hQ#CeyhKm|56X3E2F5z&=gUeUAa&T3{br4)9!*wBCH^X&1Tw~x`
z3D+iUZja5qv3VXg+hMaGHs@jUeQbV@%>vvwxOIWsWVkJdn=9OQ!7UPQSK(Fzx9@Oo
z3wI;9&w=|2xNn2|1-LiDqa!>f!DAIX0^xBQ9^c?;0MCK&oCZ%bcy5GeC_LlgnG4Ss
z*doQ2G1#&UTee|KDz@ChmiO@L0Ivn`@`6_?yz1bsg10HWUEv)D?<{yfhPQyN-LZ8V
zwr;@IU~J9BRt<cH!)Gph+~5-dpLF<C!RH%%yTNxBd^f>25x$M^>j=M@@H+*+&+z{R
z{;u$MgMT3W_rpIK{sr(ahW}mozkxqNfCvFH1aw2d5Clv?z;pyGMt~Cnwj$sF0?r}e
z4gx+Qpb6VpY*S%de{7qAZ6?^Z3fp|K?EtnVVp}e@J-{}CZOzy|9@{5k`&4W{gzZPM
z{RslwB2bCIg$P`XzyJgWA}|<%M-ccLf#0!17du*EM{Dfpj2*qPV<dLW!;YKSQHmXJ
zuv3JcYV4eko%^w~6gxj6Xaa(g5cC#7pAoEwU|R$`A~*-ZHxOKn;Ck#5VHby8o3X0^
zyPC0Egx#&NTaDeu*gYM)*JF1Ec4s1_9YO{p#2g`&*rSg<tFh-a_GqwoF!nCS-g5{Q
zA+#q#tq_`v&`N~K5ax`qlL)(qu;<vP#y%_T^TfU|>^p#cN!XW+ebw04h<&fHzZLcy
zVgDfPkHG#D*dLAkFR}j%4h+PB1vs!02f}dR01o8iKp_siz=2N)pN8-#gkM5<F2Wxm
z{1L*RBfJR*b#d?@4j#tA%Q$!&2jAgPdmNgELk>6;fJ3D?+!u$PaX0{nBXFcOj<m-S
z3mjR8BaS$-9Y;>%ND7X2z)^b~b->Y$IC=m_6L2&YN3Y@N7aZ%3W5zh<gJZEcR*r}f
zh;T+kF^<b{d?k+i;&?hv=;Fi%oCv~+e4OlzlOu3)IZj@}$)`9eAaVpEZ4l{=$X$p`
zLF5@k-b7?6BEKMtM^qa`^+42cM4d)-AY!^AW)@=X5R-tIM8u>c<}zZgBjycaG>C1D
z*tv+^i`YwuEkIl=#PNtzAx@3B0f<|QI9tSdA}$kgO^D|Z-xKkch_^=kdc<!)ydUCY
z5Pu%=MTozL_y!~xA)zx81|nfF5~d<yEfPGDum=fMNcezLeQ@e9PE{hY3lam7n2Mw>
zND4$!7?Q3c=`ND)BdH0e`{MLsoc71*Qk<^E=}$QQ2a-7?|AOTHNFImexkxrgvLljr
zAo(Pcqmdkk<jY9TMshWhKWNPbDY{5$hm@g6nTeE@NI8I%TSyflRgTnwNDW6S!5Mv=
z>5MaDaK;2@cHm3|&Q#&-YMc$l*<_r(i?amhy5QU_oJ+yEESxLHxu-by8_sva`Dr-6
z1n1Y`yf@D8!}&+JpumM)xNrj(XX0WKF8;u!Ye@4$T0PPlk@gm8?~z83PVE&O(v6Wm
z1nE<eJ_G3sk-h@ytC79|>CQ-ZL%IjjYmxpA=|7OcBclT{W+B5287q;o1{rS1@Il57
zWb8-AIb`G^;~p{^k?{vE>*BH!m;2%JR9rU0<qfzTg3G6IxeS*-AXAFW?#P^m%xGlB
zAu}0SI>_39tUJi=gY41Bo`-BpWV;|c7}+t%&OvrAvWt;@3)v5mU61T0T;Xv=jVpt3
zWhSnyz?I#&5`!z3aittren(DQ<ot>pTjXp;&MxG{ASVMk_mJ}nIe+15cU+Cd)ofh7
zgWNXAwLtD_<gP{T7UV`E_Y87#kXwe_N67shc@pGxLf$~+O-9~w<T)WP5PAEM7lXV@
z$g4zNJ@O^UH%9(q<gY@$JM#A;{~+>@BR>oIA8@S`u8qbu8(a&)wS%~J64z32tqRv(
zqW~yqg@X1d=z)UKC|HaFM-*&FK`IJvpl}Wf_n|Nxg%K!>LE(E8%|g)u6g8lz8O5DY
z+y})IQEY<Z4JZyq@l_N*M)4<H=W)Fot{=noEL^{X>z{C=4Q_14jbPk3j~k`9QI8wn
zakB?*4#&;uxVZv1{c!UDZl>U7E^a=;%{RCypu`v@b5Y`mlHDkYLCIy5awr{u(q$<1
zMQJKZn^4vhW#dq`2xaR~wjE{RD2qecWt3H->=kZN!;}KI#^csP+_J+hZ`?Y7TdBBp
z7Pr3O)>o9zM7cZ43s6q;nwOxw9OZwaf<Z-FRCGp#3o6`D;fIQIsK`P^4l3TD;v*_P
zqvCf|c1Gm@RE|OANmNFm@-?bjqe_XYp{SaHs#T~8MO8Ses!&yps{6Rz6Sw=|_8i>y
z!|gq|oq*d(xLuFiA8`9mREtn8MztQQWvK3g>M^KJMfF)!SE2eX?uc<`Fz#63&NkdR
zhCA<YcRubO#@&;+dkJ^{#62<Ynd07B+;hY|Z`@1Ay*%9Sj{9D?pM?A8a6cdSU*JJ|
zJXnqgEAZeP9+cyO1`mJ5!$WxZ0+0IQkrf{0;ZYeLx5wiRczhg>@8R)7JZXg|3OrHa
z$q+mlh9`6J#1>EN@gxLKlJImop6<ZYcsy-H&0N%kq2>i@C!uyDYTx7896Z~DXK8rW
zgy$3Sd@-Ke;kh%O`{Q{yp2y>P7M@q&c|Bez@nRuf*x<!hym)}Rp{SdPx;dy@jyfCE
zd7>^5bz!JGfx1(uyMVeJ)ZIYcUDQ28-8<9~)a#;Niu!J-ABg%fsGo`YMW|nidVADw
zLcK5QccDHU^^vGgLj8Hv7oxr#_4iT#0`+fD|2yiN(ZHfX9}NmL^h3iaG)zImTr}9A
zVKW;1(69#$htUv&hEz0MMne%AD$#Ho4R_FR4~-qs=!V8DG=9d*4tO~NFL&Z)5?*HG
z<!ij^fLHzS${nxH<JD`t{spgH@j4A}<ajd}Z*1}A5Z-*p+ZlN4hqp<1n~b+F@XiSD
z9Pw@o-d)7|^>`nQ_owjwIX>|CFd82M@gW8u;_%@SK6b;$rTBOrA3xx?p7?DcemjQW
z?&4E-d|HA}d+;d*pK|f(Gd?fDXD58#h0jm$xdvZm<BJ)-IN{57d^w6Qsrb@}-%as*
zDZX~YR~vi{#8&~|%<-)n-w%VxK*B-ZLE{U}do<ah=|282#UD2ybb+uPLKcK)XzqdL
zo@nlk=Duj2i)L>$pF#6o{OE`u)A7RzKlb6r2mIL`f9}Jdm+{v?{Iv*wousBl1`8R)
zFx13M!=IUT3=_gIM;NA@(UCAZ3Pz_7qqBt331D>2GCH-4s1+j`!id%|q98_;&xjr{
zx~7coUPkwKhF!?8I~g{ZVG|hk8N>cy#CDAMEh8~tB;y##8b%VvNa7huKBG5+(Obpn
ztz-0j8NFae?<AvliqX5m=oK@1PncF>rj;|(DwSy^Fx&)&o6K+)4Cl#k-VC>c;SMoe
zBEw}fTnWQHWVkmB_XoqbWBAStKY-!KGyEKecVPG}48M!vPta=^hA(9Jdkp^@!~bB~
zbY|N0XWEQo+RSF!EM?lPX4-6G+W0VS_A+gvnKoHWn<A#o4W>;s)8-!2rjcp$jgjgy
zQW+!d!brz4(m9ND1tVR<NH;T5Uq%|nNKZ1-6h@lCNQ)Th9Y#u+wo0aLZ>H@crmY{-
zHiT)L!L%)8+CFC5eq!`lM!zqkKbFy7!06jD`db<OFh>74qo2&^r!o5ZjD7{9-^l1U
zGwmcyyB<ut!A!eZOuNNQyVXp)O-#E$rd=4*E|zI`k!e@Lw0p%E3}Xz;7z0PfU<YHc
zk1@E;7}PKZe=#xxM%J5=O<-gT7@0jIb7f?Q7+De{%VT7Z8QE8+y*|^vH`9I$(|!)q
z-jQh^%(Oquv_H$V&tcl%W!isa<ZT%F3`U;H$iFa#qZq?kjG;MW=*$@IVhmFl!^@0e
zA!GQAF|1<@8yLe^jNx0x@B?G`k?HUY(_#ACkYdfn8%)D3^1edUV5o6!>ecKlCTRXB
zzehS=`$FBv^19!p4()=R)X2@=%qH~C&QCmB;8*l#sW;texyD99o$$7@WP{)(r{05J
z#DLKIIpGiK9&VvZYNt9{tD?byvsBWekV?&oO6}bg_1g^Qq^_KF4t0FZzD-<6R~5-7
zp|^!l`nx5dQTkHbiZnbB4N^(pP)|3ekzQ_#8dq~t;Yua-C~WFZZ`H<=-dqkRji!MW
z)L%P5C7l{V8dOB8l9KV!<g|+3qHB!CtE85kv_v(GlZMmrj#iRm71~)u)ruNJIq5fH
z^zFJ^nzMK5cr;Ln2IdyYTf&LQ{YN<QxR!8Y>Tu;Ezj*dQc$C_^jNQ4#EyzhZZ9!7;
z1~pN~y{1cFr1-BW<)!Zg8R_O>H26a8Y|=(4JxnfZr%PgLMdK+HD0uEYBl`w&Qn#Ns
zm&E;<sF0J^`H{^Wx%ouYkCR%5Jl9luFd>>FB4TeyW9w|2y3_cRuEO`t<Gts(PM~+-
zE)TbsxIXGizSF>4DKX{@Vw*f<=gDYJRyCKCdZ>sU$B^aJ34J+XxjrhXCy}X`OwDpp
zkV<-9MaFZo%;nU}yQfN)*`Jf{B(*Af9jkQ-KKxvkLk6m3TYs3BOXyEtCGA1Bar0Hu
zU_WBXQ5P9m4)smlN_|sv{vUi(r589R>j^n}N7R-221IJTH6~Ut?`lNv=;hx-@p_JI
zqU+_PKG8HjMSCOM;*~6_8N;nu^V0!Y>zgBu;qth-)MbwBrZt|5j?=yh{VM6LySBcZ
z?tdKV$&s}+#DRJ=uc1>TgE*<bwv4(sKcu~xt+BA65wfyO?F(<ZAR09$GUlWwxZsux
zX;QCh@&A#%*C^;^bgfwSv}xvS>h8SVg1TH>u(FL>Or36edUJ)jr!QPo2MuKf{f7T@
z#JBV=^~0LaF?o;4^v9wh^x>I`c~>i1N>}PfqEytUN0zygZopHz0m28#2$ggY$>*3O
zngt@V!0?@zOwxE!=c0i^lFv%-6+RYp%eQ8E=lEP1NRp^`k(9V_OkC5DX`J*5N80{u
z*o#7?QwVvZVv;qwH&rbsvLwxn)1J)4w4wAb`6X+isykUhBb>N=;;DK~j&ib(e@8~j
z{v@sQsl$xyqoqprXDO|I{R6!bCE?sZv6G9g8>{wkkBbawJY{ol5-rpG)AZ|*$1b!%
zPQEtU;myAqWLD9_jB^C%88SKZOV&RfWoF0&X-`+P7pnGN9isBl1|JdLR>e?H9eRiL
zGg342#}|1Q&gW;)8yR<nAs47q$j^62)8(UR2Sk_lV3sjMMM5vgKfiFe*k=Gsm-esX
z3zhN_ZyoF#hqBUt`q9nKNoO=8sTa)8p0uqUwV+|hDUP(uB<7hi@~?OCsyix~a7-m5
zkGX%%l0xx6CaMK!#-B-avJ?V26ap=G^ndqpfJ~F8IejP0vU9A75F~fvNC!Ie|EgC@
z>-8gg%hr4s7&f%`&w77PI)|cjx`DP|o$E>2vgW_Ljv?J2(w%bRXo<GZyv)X{Ay*Bk
zk7A}u_I=XdwKDTk{%7hf8+0|Ds-IW?0YK&h?$2(z6wrdhbuxwSfu{2<k;eaTS4c0V
zt6M~JI*pi(R0}SY4AJ;5mml3}s8uPAsv_IPC4xB{DPFtTX5~`q{v)Jo9?0YFM&F5g
zK;wg>Cq_?=o08nKqhKbMZsq8I#589pM@~>bkJc5rG)QiCd0ml#rpL1-6q&x03{7jf
z?BluWb9c^G>xBu=g-K#zlW<sGFaAgtv&2SNtkJ6$(x^Av)@os^n6|JX$+w#aN@U+2
z)wyt)A*Do|{i%SgD>3+9OAbA;ek%LpyCJa`6XVZiq~oi_`F$g_t_;l&qt0I|qk$6x
zvsz*!o2O~L;;kP_YKfJctfMiK*EUR@vQq2d)?2tOr-9l1vW0%1h(sd$gNSe04j(Yf
zipEb$Pm_h*|Ab=hAdx$@!I(||doZSU$Upvn!ZE-7TR5iBTJT?>Ix4tdB2({BFHJ3*
z+(^&CLF&Svpo+a#6@D!>Gq2PCS8(_$`r!h7(mz0LKY@+q{^8gzO=d&24@5t!g@X%&
zn%oAeq_pHhc1ywXCYvEz{+{(+I|(Hb&r)q~S~rFJ$?30V|BKh3Xfhb0D%z_0@V5l;
zNPD`qLO_vlik^}p3O4N<>N&NWL|%F!`x?y2-cJ;^EuddoaplMwO0(#n>6BzSZcx$F
zwvEfu(k%LLHJeiIzLaFp-`79T4s1RUe2~2!%gMgKq|}KPQ}WbUyO~6PQOUmEpj3$#
z<>b>M2TGS{*>|$6N?TU^olf@}5sSuhWLfbP&XG>nok|e3Rg?nJGMg6aLn~@24`ts5
zW!lmaTDn6EwZyZL@^?x;-_x;wkeC+A`Sxc-vF!c7Vv1!yN?R78ODF#Ee<M`d&i^U@
zH%j%hm{KV^>d|64s<xeDOD|d))mXc>g-Cse_D#Hs-Y!!b^@l$tQs40S?{#QN)IUqn
z!mgl&JUMEQc>k7Fk{<Ms57GMfoIM&5NqwHTDqX41bAHy9to`cH|N7#@kM5*UZ0~Ak
zv4kFS?MAdf*+mOw8gwy{^rFBXAsD)F|0c)zY4Pdh-{|yHv=h3vpwvs%`Fw-C7q{t-
zY<eL3F-Wz)X_Z{|=j+Vtx5L$D;jH;~M|%^ciR1a~?P{~_ECp`|)yu!pZYU9#YNf>e
zTFkrtjm!GmrCy7Yo6D|fUkwx1$p_JqThR9B!1h|yeW|J_qQlmZXrBkNKL)8}%|iPo
zKkb~;=yvA4xL8PbJeX7{`vC1b|EFZJO7<HlGi>%RrIo5GXk(IpXUzlI+yA%kiKu1G
z<>~G&^phe5tXp!x$<vC{k#T2^9o!joSnGVd-`n$mvvQ`T<s6^AzG1%V@J$=`IsEIZ
zBWl^(e?B~7)FKj-L3B_5mWu1N=iyBRN1c^PqSjT59)pk1wDL0XYeC#Mf_DKi(>mfO
zk^`zB@|6pIMk&*3dQOPnpVSwgiX?LKk|UyQb27?+=xC!#-lu5%<&T>E|B0*C_}|H%
zN+luEY9y6}Xe3QB4FV&rMzuUh#_wdwaG}4P2HzG7BFVoA>c#W`|Bu)nN6)eLiO&D0
z9N$?xd2PvE3U-UaC$*0YWp}BYpjO7G)6;7?N>3@=zn8W&eEdSy@~U|rJ>lARAB%o=
zG=Ls&?enAWKcCa+Io3Yk&i?tlixLXqO4F??^!PiM$@2dm<6yd67Cnl-iJ)qQhXJKd
zeSi8Xwv6&Ay#;{66;eT86Nz?givC_LBUj}!Tdx+>Ub{-Y?X<PisyMAuLYJ1q`L*D7
z^f&G?3D*)5GPaEBD5UqFVv3E?Eo0HrPn5jS(rqn+L=!vOJ>8&4@;euxl4(Bws92!-
zN2@tS0r&Iw&>X7dkYJ(f6V=pjT(MT^k(X(UL@k|9rTlaW)kdOPTmie&KqLC<QnN}<
zoK#aOU8D7HYNO>;WJSxc+A^(+-^U_4p`ULCKbDi|A|YB#(*E?KG<qtf(X<Mk+7>#s
zf1(p)uWxB5ID^I=PzS-cwW2s;F0a1C3W3C(l1vHZ$2uGGg=zg*QZ`EXBr&F+bNCO{
zj2xtE`dOkS!1qZP%3RgsRV0CK9T^|NwRoUvUl`K~ccw2ATV_lZ4`<qv{y9K#i&&{{
zXB#v=CMAz$mZU!?b8_Hhk-jP#fkbzlzSSaD<6}=so;N*~Et{mRVn0b+XOgzkt$ex6
z(w_>tOD9nzi=0%-HBg|&(T_4bCX>tVJeD2y*S3i8r!8LjYg_bf0W<CR(RW(u6A{08
zEVIzo*+8pAX=?<~`8QCow)FCq;N4@{8Eu7hTA@-~;pc`oP_VXCNg$CY{;f(mts*=3
zRSR6L=6a$@-;C4#@M_W@N`Fw6Jd6{1HT9$Xxa4nYb%L($M4jwW%a^5O!u_USw6c2*
zU6D{qn`D2W6fvC&@98~M-J7}^(|#+8XweN4eWQnpdcBWuX&IqMQ{OQ9<3jc@&bq17
z5Y;!bnyM`?sQ)vCKdl%=MMFA)L07beb~OIEhiZLOJNYQu-*2={zb1qKl)nG1_}_S%
zwlpVQOF!Qg`_@tVsr?*QOIum9Bklh^Wo&sba<q&sr%v|K|DX3Q@;A})wvYagIqlqj
zN+<uCUJFcq3g0D^tI$bap<Lxk4^>k~-6{XM<}FPJD4%NKQs4aUn!0O#zx(rJB~&S_
z|DAj5`e;?Lx~jqA?7T5-n)!kl8rl2zm&epH&%SZv(*74^-vJlZvHcGryO{eDVz^lo
zcXM~K#l&9XQ)9#41r?$wDi&<mMX<B>9<ev<SWrMLR0R<WA_&qH!CkP#-jZm}U5DiT
zzjJp{Fy_7A|MT&q?wvDd+L<$F&Ya?|@7zcw#>J0GH>-xnr}|&hv7hLP#;P|+ikUe!
zT+dFGexeG92|5qy@+Y=WGtg)EF+T&Hlm*qE;afa=YOQg~5RW2yRaVykiO)#1S)41Y
zs>to%iMCd`wy7Fkjsn>3DCP^lCMOzf5YKGN(y%5iaC@d7&G)H^;dE(;+G(JKKY^T9
z21?tkw1XAH=x9Vb2|OB0DWb8wK{S@q|4THMv9<-~$70Iu^&qr^9LG&NASo~c%T2rg
z3mTExWmu^)pP!-(j~9FedAB4`R}GHSA1J2*qyPU2Vd-+V8_el7mt(4zNyA^J(?IBP
z{!A1i_D7%FZ=kPI^Pf}KziVcOzh+gb4Ml?6SXDkBiXc}}UlT;HnhIQlW0h_d9gZ*k
z*+k;s6cO?gsd2AwBdn8E9fZxC`MW91zgBuG|J=Pa3*3LR^@3|HDj>UJUbLt5G{*9-
zND--K(jMl@0U&fhN%O|YG_uyln#DhjR7c^?n-yOXpu@qof_4R)#Ww(c#Xc_G;wDXh
zt72NfB{2Ntd&a7CV%3yG3f~|cSwD^8qS5qs_X~X0q+f#DW*_SfBUweCZO$uvqJ8Qf
z*DhS&;G}B6-hTV9XfK_K%Da4ey6;InqEDUn?h@Wc$Nu$0``UGLywj!{9*t0?O-=~t
zrtLY<r&-tT;b*+{UVYDc=8Q2dsjA#MrbBdtb0+TunrkRDQ-n5j47ZE?;&f8yHx$-$
z8E-mgNcqJ$rpyh6)$AwC8QBMAj}DNZTywr(O#itp#>rjaujzQb@b|~=S<G<AKzgdD
zdN`)@WyDQj|E^z;HNqAyZB{IQ>qxpQX|J<lMi1SqXA-L)?5U#qQ%?@;trg?CkMQn1
zXw=SVU;SWD)zDK{CKTvwN;<5*RZX{oK5Zh+;FC3yyB#>=>x6W84hB>aAMT<rg)MMR
z8<bt@-<bxfoo0X<%Ag>A#GMz0{fVRJRU=`>cKEQNwjbHmDHb1|N2sEhKf^Jy84w6i
zVr#AOpUd4Os0rz60tHw<qNQTGN}ngdD>$I6DHbqR-E_HX7=7+oUXK`J@$wSN=@n;l
za(Kms6?oHFRgE}P_#N++B8uHHPsdiDQ6%0(RH8T6x%hk2cA?3qxu{wA%=wOaHO`cu
zi^Sgm^R%YL?_22=<S~5TMSJ!XiLdav6sHTs>Q}<GWPD!_e!S5N|J*VhO!<{?MbQY|
zF`tJ@=pxs6S_Xf-SSr`kS{DDcsGptiwxd3rO3{P+De?4J5G`ot541j6nn2%Td&G0e
zWdYnXCMiH1q^yIJr3}()qNYMj<vN&nw$26=e%gj<jO78<g0y**P4O#V{kY{<nv7A_
zV0M1e9qtC?FFYr^m%PX9C!C9Sg7PeDPxC&uPQSsw`dJ3yWV~Z#PqauX&Y-464)h!D
zSqI@q@$Q}#elYrMsNr#3#(C<jl{KwOzk*9<SFazMbxWisdikpsr5Z;z^if-qmg}b>
zY@2fJdTCP;$K*M56r3vjn#Gs4!j~O<@n62}V5{_kBBkDVrHd~iv~nToj(HlEJOD-F
zO=CySZ}OF8H<qot@!d`K4Q@d%t+RmJ#;;a%E3F&yJq5J<6_?W9`$(_3?Ds9FKSf&|
zN6=Om^b+s}fcpRnKwh*2)CKJ=N^YTKHw6CoG})JAH=wSl-42!AfZ11}>~c!)YO)__
z8{dKW_OmU;Tc9Yg>BGg+KJst{HzYdhPU`Ql4a>@2M$0}OgqGIZ0rerf@5>j)mil0$
zw&b@8w8gI#wtAancjaDz2Km%pK3`bOFE(XZ|DaFg!CXYM-E7Kf<Y}@+*Hqviz-X*W
zdh)c?Y$EYbIAzEmdWvNd87=iX2s0JoeGAw@Ag&VpE8B<;%~S;TE!obf&t5`iUxqMg
zzq2V^rxFSlQYQ;fAzi5pP7De&i%)snkvb%(sphkEI6l{?lgMfrn80s)AGL5am-f(z
zPiZUJIg;x9g!=V8MliL(X}44mR49k$@!L(oZ3nqdkmir<#}rH}>fB{jx^x-&legj4
zj|h|_FLAtZGW*n7-P4R-@VOi{)Xg(s?%MV941uny1v?{_9?&`Yv6k296L`+iP33w=
zWB*LkJUI?WT}y3TxDXX-G(|{Zy1zeHT#|QqNq>99I3n+8#lQBv#9ueg;B{jzUN_Fv
z7uZK~OgsMSQ5YwjEgGIe!_5Oy#4uMtjB^D@m@AjlU9dd6cLBk@7tUvk=01P)+}$k3
z17;RL;sFseP!4M#L`lCvhfst=cZgX`K=Eu8C!qLLQ#sZR)$>xG1Oi}M5_y<=B#DW3
zfSG3pphP=BB^cx6ZT#{bC7q9=&!YgjCz;gA{&-a}0&=bqkY|j5JZl#xFV`$agEubS
z3gkmdLiv0YC)F3$$|0Jrk|#FfO^A?1sbrUE77J0Hfbv4rHXmYJK@^^F-upC*Mx6r?
zeVef!;g|*rwWa#PR(ZQdl<V{Ps(J3c`ErxD4iezFuZf(Do6evJ6<>i5Lq(=*YSSl!
z#~>uq$0|geQCh2c?%XM$3`iAAt&J%N#W!ntYrkR%mc&qZbGsPv5MP2Zd<hQmB{=B{
zz#K_Dm`o0W80K<C`LAFbCf4=sNKL4hh-#*?#TAS9|J4QK#q=k=P^SMh4KVjU{oeGS
zw5VtmUxZjD{q(<p69K%B13zI?f3nSFUJ`XmL^r0Lrq5Eh@dhkdUp}GYAI6=QN+m)h
ztF2&8c<>w}ou4o)fsYmch_No{b)XBn9qR)4m~Nm1+#Mt_W>4>lk>N`XVvLVBlwC31
z2Ch5V|CtUysgoeaSN;(oKI0`P>vF%PuL!>ApfEF^#Uwt9W<HCiJyr^v{pU_j0Bl4G
z85AO+`j^+5#ar^HPlZK6^Ow$16#E7-;lz>H^LzD_<oG}14U2_8TpoDq^0}kO<MltQ
z*LxxgkngnNLp-(pPfkkGi-oKSZPg6+-ItPf{v`c-w}I&#hkN__d+VI0ONhT`Ulx7O
zVVLy6(0fLK9j4Q*I4m|9psUd?_LCB?kNsm6@y}8N-EfoU1zj5xAZxF^3vPs$%t(0q
z->3TYO}G2p+kc`jy#4Q3LmI^>A&nw=NTV2QNTW$U`K4KS^Njp^L<c{|SVVLPmbx{p
z?%oA)rj|nfetAK#KAFyk0A3=R_@il}@@Q(pqbX+NYZmAx)lvlO%pn1C?=1L-Qp0qd
zZoL)BTD-OI-09%>y;0#+|L>7azb|P-j`OXGd+WRGLfO<xsuj-}A7ZZbkyssB2D`%-
z&N!4$V`MYf1-{%RJA8OVc73E^`7!8YJ05-$sl}>5sxG9Q5s%?zck*RHJobNh*%f0c
zL=GyFmUEE+ikV6<q&zK&#mCqVAYRUA2%nG9u3`9U{+>_9@(OE&CdC+9jp(jPVNp?r
zpVeZ(IuBL0oTbhUR>gG0LOg_~F{S})Hkg|I+i`7k9?@g3@(kO6)nMNh{y<LFu-h5G
zK1s_i3%c!R3%XtY<ryKOV!fntPtoififx4t%B0zzr&$=~VB(Go)_E)Y+MMDrdB+8u
z3-LvZa4t;G6(3cHxX32a#RkH00kj%l6imB}x#Amqf5kRXt{W;SJ2k#&7Id%Ua&etQ
z8MDJJKAQ9Y<ASmlMa5*7#oxy9{Q{<~Hzso`e=#?c-8JR==cRM;9X%a&jz6T=&xlq&
zH=r0zeKb;tPzyz4Q^=Sy5Z!V?8?Rlx=rrQe{qBmmbPx9+Qp;=CB#xk_f<SqRXMuF;
zJs$rdfQsy0fjD;xgT-_H&{Xj+^jg6q{<)S<<*!0~(drm-kC~e*KHxq1-G!Hfqu<}d
zIr<}4aCH1vkgTJ$&b^83vXv1jvwuQi<GmHGrOX3WPraDyKyNtH3Ifxb#$O}%pSY9u
z{}JDP$BxzOLiAJp$N6|^`=0=-VsquW<>S3$H7YJ5Yb3X#RanbztcIK9BP_GbY$XMA
zYN4tEjl3RIBo<ZPEQp0Z9+G%{56+ZApCgi3<U(!ncV%iT;OinuJY6{qoFEv_v8O9j
zpu}ofHXs_cN-V@I{5>MIQ?NoaXkua#^|?MUi8r$l%@loyW^QytGezI=W|k|>Eac7H
z=*F8_h-Qj9@MadG8L{ZgO_l&oWx<@vfG?Nq4)RXltORTY?!cB83~UANz;+Ye#ov`U
zw!C0qi?0N11<Qdgz7oe)7`4f=1T+{d6deEM6tJC6f2<(e2xK=~09pP(AiLRuBipJV
z+sKjS59G);0@+Ouj%=gSwSi|Wv-2^Rid6G<GMDpFHsYgn=c8=IM;WY)5@W?E-T5e&
z^HFx=qg<|_a-U$Cg{>Kk#Y3+a)2;!^!tgN`@-bfLV=Uxj<V%9Tl`&rDV?52rSjfkC
z+B!xT_PJ%F8*o8LjLY>b>U_;Rg$7^uO__vQb20Lf3U+*`&USpPutLYMs@o}}bulW#
zb++T<busb*S2pqyqkzxfIy;kPE_P&LUps8cn`%4kNqkHa%8Xv9di;m&UaF<w0y7WF
zf_6Dp+n6k}J7ap^I);4ys)O~J$8`q^AnbUIv}>YCeDj_ijrc0(FE!3e>*J7Oa0A$}
zN#tw#G3js6H0-aA8u9fXu?6|ThJhPY0~h)I)I-<9FF9$E0T1D~kQsvvQpz1K{?EZX
ztt5m8^1FlxL5Q%f1}DW&hd9A2rNC5>B4*nm29x;6NUHmoieHSFiCjJrkBmtI06%--
z?Eie7Y29;N!vOcn<7ET>S$6^G8j_<M$Bhs$f%tj%<E|3Ru>5omU7wnP>z7v8cpEpb
z`uK{enjJ`=zIM(eH9`^F)isH~aeQ+03%;HI49BgVWpMW53S%O`9lt!DRCP?SWYK`d
z%nw>RS79**R7*p(-RjAc$BZhIa9%C3gx^Cew)&_%+XUs$do>^Onh1$ft|q49748N0
zeo0qM8A&`ERdk8+1ZRNBPCA>IX{j8Dsk1km95RJomW!CYUQiyD**lR_I!vB^{i`ih
ziM^~tRP3P6;R3irqQ1)V_u|Ws!LNiF*R5%^OO$tD#OL{XE0$AQiM~+(!o#A@;bBpG
zA}ne%Ygp6~Y%>DmZbnp`3Px4kENk#^cPa?cE95g=M!<YSMhF>!kkx193q=weh;XkX
z@$PgZ5ae5gXD1C-j1KW<Cw89e_p*3wqYdd|_z2;9==Vf(BY~ag@`6&}Ms{KWu$?k0
zN`$f!s&WCfc;T%P0_$eEZVTfsCQzHdvO(zVydqoxM<@hDUz3;zByp@JYvLv$Y9F@>
zyN#eC?SnLXxBVQv`JS+1Ay48FWZZPXK#{ar3j688F%_HV*eP^W8dUKgupOftAZOZt
z0yIK)=nW0ww8X8;ieO!q2qQB3<psJz`)!)tmJ*F3yP68f6M&dF$kRW&0p_2~(4e($
zCH-UJbZjdl+UG>iJ21l}n#<X-C2{<1?t=YsAZ#;}X=n=hnfj!NX|CnqaIXbmB;Rwn
zF4%LI5vbP4wbbaaCjF>Mj4lWKg2R6Fr#HxqW3>)FpX_2xVqrNjrR~vt_{O)RPb0e&
zllZtCl$j$NWSs%57irPtEZXH?5vmYS;=S}gYhvjpqD}F&GY_-lU>z`BcxSoCTV<0x
zdQ0WZ_qNH~yrg&5eDmaOt$0v)t0-)>@M8_-Q`k=UT1Y*l@mx|GUn1tXek+KNjk)qp
zOw4`GjIv$9j2?p-0g{V)B}*XcEde9|pVpNRHQ)tYN+?-RyVjS8ukigLt13skmFvJj
zdE+q-XOq0GJs5$zc2`&~LaZx+iGB&UJ6w$j%hfofBG%zrkdewi`^j4&)$z|<SmTlH
z@v*wR`8`?fLjV<JH7f)c);N-OxQg5G@M}0Pgs@ifGZ)r=E)g^NWZZW}JCN0`x^h`9
z$9P5gufY3lozAkZTPHMH5!8UmD&>~Ufs{L^M6>|YAM%!uo5RTR{plKKk+@9tP?4$T
z1YI2(AiG}$SBbwxr*4ViW%2tBVn}Yl#qlxva~TL1I_9ufA659MK_LV2x=^hFYu;&3
zzi=OeXAhMa9yRGqs><)gnb}D?R+Bbs=%dRw%uz?@P2I0YY|SmIxnYZr$7!i1)WT!@
zwuMeJ&^X$v+A(2+?@%rK$j!Am_I?CdSSudB4AJ4^iz&2#e$ItOWJr*v=<=ze;|ABL
zt3z(+tQm!rL;$|Chv-^#R}ul_zD)$s^%wSOr(Q$ajn)^A?H1Es$AntwDr@$#0exav
zlcj0ZUr9f3{zg$zS^9xiyf@Rp5+83opPH%5kM*c+a2g`vk3z*mBr9zz6rx-lK_N(U
zP+B%kwloKCMst1pe@%1nmZ<m!7|b`oERHG1^*vNMF2I%J`rnaZi(L4?rU8|plM0Cd
z^{e+V{|3ab{s-Pt+m_&Gt4k&#MuPtHFH<c%M4d*s)&mh+w(l|ooKo>K+N!%aejqw-
zkKu7ldKT%l)V$h5_Ae`mum;aC?@RRlGslmB#D8*9qJBDU*L*Ms1PpZ%{k)aL#&D*%
zke^qR(!~=S1@YjHT$OktOc0OII$<!FqIldI;#&MIZsOh_HtEG*XZfn)mxTsR)lN~u
zKsiwh;kA`ri<!W%i(|+HhDcy|%y~5cAo%kGWd)A648VkNm<+&#14g_;TFzDx_Ej;6
z<^6%gSKlPw0q7MDdIz969Q58vg|(IgrK%UK(5-R!|6+$4SM7L}U+hpP-%hDy{Fxlf
zj??>gQGdR&wx+OWW$@xX)XU)2?x9v5D%Dqbb2(e)<y_$a<7Unl%Iuq2O-1Q|uL|oc
z`#e!mJTL=Sf^<lioztDq7QRZ~PzVaqK?fq19+38@sKi%yx1GLpP5YqD;m!y29(#TY
ziPuIQ3cnl^Icr+D{=`{T*yx`^`{=6oc5Bn}#`tT~49S5PXLxCc`;F__*JppkaQz4m
zl~@`x=JJ&EWux1Dy-#2U2p_iQUZ<}w6cd^V9k~2aiX*9ya`Qf02&c{nZkoMWQG_r9
z#1dWwLpn}&M|jCLMJ(AFls+NAQX`We!ge<|-8ytrOpw0{(mcPMQEWi4X|EYiuiX!S
zp%v#B_RXx$zUb7FeW5SiVv?6T{uX^UC*{y+FMac-6B}#A1ZE(weXNpp_#|Hs-|^cH
zkJXRwtD1N!Zf1&(8;Gan!$kc085oK0QN*h$%Cuz;50KksIzKU=<*K79m^K?3-m=D8
z-*@)ln!_9RZ>TyaO|@jsjK#Bc{bxp`8fYJVm5E^T-*j<Yz`kjRxRJSRFAVxyhPvg>
z(T{2c!%sE^)5K$eq1n^vXqMS4kFabC=7N7mqccILFFkS81z2UYDO~hY%8DR+{S3P)
z6ux8)71^s;q6IIUS3F;7-U2xu1+SQ!WqJcNgdmZfPGetl8~FV+N0a-bn#KyepC<b1
zG`fj!d++zw#j)d3*lmB<Ts}=Uc|qs*K~wq&PM`+_eivy2Z92^C=fceXjACZ*qR=S{
zAu?SzyQffqsUv?30MIyBK!v#~VEjGcQ~CBTjs{ng>t;Vl1CTW10XGX^@m8pq!Sa&^
z0$_9(05gMjK}t&i$ZUWlSV8bEU~vN)F8>2&IL^tzCaCy%uZ+A~Ml0NDyVG(JzY`n~
z?kX<>*UfAB%fO0%0=|OBfq$5Q<#NF>-Yez8gegcuWAo8glG4<AWmBTq>3&WEx-=O9
z0mpr~mBI4UI~<YI{daH`r{EMUH=n#36ah;asIEO(wN8A>obI3cZ<xI-4{0f`-gfm_
zR~!64;ZFhn$o(zJanLy6U(BX;lIHOX#BK>@d&eM`VrU5%TA_6o%~usNofnj2(VYWM
z(qtSmi4O-02nx-^e?C+HTiPMtQr<pb&kx-=r=UicgMmr@{wW^kth#Z3e;)rg;l!b+
zONaHS=%_ScO|RBtYQ^+wj|6DLH+1AN@hA9>^wf%liay-QSHPb`oECkB^Hy>#>(%EO
z5vF~4qHOKgV6|Af62^Z4O7}LQd-eGwDiqoyh31;tq{Qcy(I_7XDulVCMwqL$3a3^z
zr&in4K;09~@hg*Kt55{^LL0a_Rhgx?J|y%Tzr&Y#l+bm4_d!h50hg>UCj5OAA~Zg|
zd|^-Hu@gE8v=|rkcaA62%CZkA-a4X?!LkoXKIfZIaccQaT471#Nbu>i7xqtq#Nj*X
zf+b49!mk?k)EC#;?<A^kIfhfI5%bN$)2mz%=uG#)grZ<#JcUx$+lnlA&)L)F3=aR9
zWiKX-BgTwnbNNQh1@IG^VL1rt{sDyhT*&rMl7#Z!G1N;wfMZ|rm$}Oo<wv;B3^kSy
z;+(dAe!)A{k?in!kbHullvTMgCH!k(^US|`v7eQ%czVTGXJB9#@bY>X>@uB=ca!Er
zxGYMioq_hrH|bEJHOhOH+i*4cftvIu`&PFMq`5l%6sz9B=a~25!3V1P4mdR<YI?-f
zs!Z&$e*{&_OY%DIwzFl`xN(E_KmxARxC#4))%vXoskm6#uIJSk50b9ki;JD>9&1=V
zd-cqjTK37%9~<kPmeVN-2iE2i2a^(8vxR!4Sv4*;CNM!q4$q$=<6+&dPuZ704VW~}
z$FSP0L_nq?f7a0W`D}|CW*`?OdbN|0^~{8^R!fQBKcCWls0}dHCUSf0P<4y$;L-Rg
zy>g^{fo0PGp-iD+)n+*L;OY&3MI-Z_2~W<d?{Q)0I+=T1CqoVXj6Du@<3mgAJ!uF6
zbbor){<?`K-EyFPL7Kdbh{G`kzYD6VqrInk>gr6ra%rW3M(%r%N*`%W9&zn@^zj?)
ztzV&DoTci@V$|%53oS^mXDS|XzOrL-V*I{1T}(v4z#bmMS@Qq`re&SPRc)9TB@i^G
z0fC^u=;t{BPeaSqi!Z3Umd?&puS-BoZ{PUS0f^~cVLq%c7(ZU49~F5(ahBUJJVq|k
z@47vC`@}@5VmQ#1MsNqZ^`|+in4}qR!-KD~JtlRk&OUMPh}WcAv`C<v=ur<?F^Mmc
z!;D(iyw56i7(8{t7(=wD>fqt99SOQyX*@ThLoe5+!$$2rIKeR1Lp3TU#s8AdsaDX{
zXP0PNhCQxQi!&W4>YQf6<c%TI4RKMY4j$7T+u=WB;#mK|2G)#yuGw^SYuNUKl>#E8
zjj_5%7tdY2JUqH%|9%ray$myt7*F8Bq`q44%ZZ~%tfxPjR57t$yZwER`xs_UoIQ4~
zZzZSYAdcUaNUi~a_S8snkT=sr!5E%muq<xD20N~8K@JjLk|;+w6L$QhVP!4VzmE?v
z>yemZ@qclhTh5&kn`JKGZ&G3;UZeun_fuub>FV>_kHv1;w0!wSy%@>O=jYB^>#u7v
zqHhDkY8dt@O(9jrf6c_oABCdwXfxD9Q!&|JKYffuMNJ!W+xE(>nlQucHM7<P8K_8I
zb7{Zs^>p6Dx9=NcnB=LN5`EtPDjWcjC-zx#@{PRH9(6bJO$KV>1MerS7ivmQhong1
zm!J&loJ@5x?B!2x^286H7b3Nie(#Ds%Xb@6_p3T=i}639JG6J}mK}x}F{(ui<}IG1
zn>=UxjU|R*AwP~+-5cLAslKlJfSD798p8UiLZgm_B<a!<$93LkU^lpDu4+?uUHV$L
zB16+<Ky=Q018sh#S{<}{{ygn>gIl%HJ28RwN{Ocard8A$%1H!ky?T24$@4tP<piHm
z^M~o$4?vR3xWk18@m2OE54HHP&DbNci7^Mx#e~oGKV}F|QH2fn-q}}IuO&T)Y}bG8
zfYF_`jqmlRkMtnby%O>{v|0uH$RIEpb7+6({4d!9qWUYIRS%PQ9*&LE-fJ7(&~4zX
ziNo~a9;$uEqPEBA&YhU*HEisJHfYt;{hC_5R}?$xC(i-n+Yj^IdSn<U=8+c?=U&x0
z1-<S5H{?_TJ?s`VqWj}EwWhYr;WpF4F`{-W-nHLsUAx~O31e4Z)wJ=#z+w&;7{ouK
zFHKR4k6p(p13UjTjVH?ze`8K=-Rok8PJt!KU!10qfiw%xIW5^p$7V}aKDXJ4HSn5z
zn}8-g(>}47wwN431$m*PmHJjJ+o-s1D74pjg!>PM)gx4q!$<G&(6Nuct;_1M`Zq!E
ziHDCx8CEt#>f7O7O>{%NwjLd9nAle}F6qk5RNY332Kiqj``^>@l~>DX16$}gbhs~4
zTRKHcbOaiwP@dxh>X@hB3r>B4uG06Hs2%pVnO5dGP<W6gH}zn|F{lt&cXzU5|8kra
z=od6bSFcwNw6LG%T)TJn$c*WS49fl;a@bYJs#dGZny?>#Ym9V#PK}uV1$+7;r!dC>
z)<gc9?2`%C5@y7X%{I`Fa%aWubj!S9bH>i|;cllfb0X)(Hl!^)k8qpPE~;@|W(@Pz
zb~)*tqrdR+l==I@!neimi$@Zw{X@3-jL}Y<?>|-V<PDw%m9RSwy^UDEk1t>OJ#Ro>
zk2FJcWK`&J-Oe3L7j88iNL6hM9KT_L&eLPuPeTmJ-X0O2x(VZvMAmS?O|@}LNbpWw
z)bVM<BMseq5A4uETjO#sQX!jT&xvv8FP=(GK4UmLDB7*Bw*Q2oz4T7Tpd5QheE!Jf
z<;-1pEnQncpz7;AX8PY#;%1(SJe#0jS`GILcwsk(cPCGS^sIauq!<&OD@%h!&c%3#
z0lSlr0<`QHyk5SzGy?S<%cW7ef}?OPO~}JBNb^k&W*Q)|Q!vDuqtG3m9tvS~hE22q
z*P+{Nj)~@&Pq$ErQ4M0mgT$AJlRsW!6BUnMs$z18uR?1wThJ?WCR@|3n7wKah5bP`
zG2_l9`QB^i=9%;vsd2czqNVJhCOvFi#^~fxC#tU9y=Koot-P*f=@!TBlP7POqH8;B
zgu7e9z=Dg>`%WA*gpLm#89JmA8%9o=@&0=b?AsX<x&MF>5!3yQGyF&D&=V)TCZZ=B
zA<pbb$cwjMl3WZ1`WfYFHnFK{u0>ZA?RsOHs=TT_(45eMp0{MH9JkD$y<xg;(716!
zy-tq4V_1-&85X#6&#q0|_n+A8JISyF&O_%hyEvI0XgKSsIk0!#`fY~U<RVyRw)}IZ
zBmFMzViU9E3=Tr+$TaneJcZIvD4^w^-pH6h2k2h{tG!CWfLvndGuc$RIUY3V7(Bp(
zG?$W&rz9Hs?LIjsUw1JnDlP`0``35Ip)#B7C1?SU36=(2OtN&vZv|Ly1x`skniOwX
zRugV4``?N}RyXtKmXFcXN0BgCBNLKO4!&C3-OJZwp#Eau$jJ7(z5~Y$84i&`G%Etq
za|lR@ai>C$>Cy<kjr_+6?1RgPc}|{eN4EuIhRi{Pb)$YxFV*55`<EPoMj%o+g%*AZ
zzx2c)S9a`LCUPy!R&_4jto8^R?>jFjc<lnE%GP~LLX|4=M$`%2w{HDb!yL>X-Fqji
zp(FH4&Be5vd`9Q4`h!CMus7YL={FI({w57opIw%=><SVphD_W$bmt^$#}0j6AkS{Y
zhN=gw?Y*`aGBC~xn-M!JjJ2UdU$;>^`3qDnDAVH#{cwq@UFo0Y9Df@ZYUsO=N>2<3
z4_mY8gn?qNutgAfJuWd1SoF-g!ot<!q)j6ytr@R_jf{O$*2*A8vQ}i@l)lynXKI>s
zN(JpZ=Ul$GJ9O#dJqGr><C1`BO9FLHH>6Te%?%h-P7r8fJ2sJqO4LQU*JY^bQ(P{(
z2#Aqi8mat%W(?v<zCHB>QC+f4ij}D3%`I7mBWk21o=A%@tYM<M(NWK0oD95<9EF?%
z(DsOz-=jr(=x7Q*6Lw0sd-L+8I}GAht|q$-HQC|C$hU+gL5<%f<}bI+MYMiORNsz|
zIdfp!iiLai+pnoM222hfqpQ}dGdHB{MINctHl0(m2ePz~2XZWZ!aR5axUXoaDs@+U
zY=QQV)=|~<@PRh5`A8&q!!a*rTEBii6FQ(e(!aJ(wZCAd{utbnDm+?1OV$@D4l7Y#
z<hrD<;Faw*bI7nZT9-oKSNd(~nvOmPE?kHS&o$g&?ZGz;tmoBNii+$|z84Qt0Jh-^
zM(udzYN4WsL(04VFHM|YeAU-y*OB3d5uU0pj^9Q0x*xWG-TDyyoXe_Z^XDu>w#=ZY
zRKp?1`QcHEqmax{dG$=p<d=k_6eq}kQ75VNKRAEOPG`AtCO@5{@SPnmcRsTztXHNS
zuBehIi1pIYXu$y8*Wx)dme_P(a-Y9xlS+F#)`{%#yWS}zD91N|wx1qM{?3nhZWS?n
z1C+zJo2!*v>B?nZoPbL+Z8x26sTM=16K?<EtP`8&$bY~j2|sv$Xe(Q(QF5*4(KPm%
zqg6ZLG#gy<Kbg*F%;a|GXKpyWAJbax7VI!o&xc+ce$ue!Stjy4u--pG^hzEY)uXPq
zp?B*>4ZRB=Jc-IU7pG5VeY!nc;W&KcurA+enW_lJOV#yGla;$s5Z58mf)cTSwgYXA
z>m<VawpPE)#?xo7STftNwWn(Brj2Vh>du9F)MS;t>$h<8jzQKRxHyHiU{Q`@0qmx_
zlbznFk=){{ax>pj<(B$B9o~L=$C+&jNEo%<d&i({gCDTNUzey^M?|5h3pV=0suC*B
z=IQ{4{Z(!vQ&Gg`_>Hlf;sC#8=%!&?hTLEgUl*ybQ^c0I&2h^2O+z;h+cYE>-;32u
zr{L+zw$2~2V90_&5G#VtEQmA4ccyJ$f2($CWT~0;wllYB@79=YiQ8g<e8<ooUfYMi
zV0$@|0rH%^8LHIXk+CVdE!&qZ-(=X4!JTN=&d`1D)uHY<gA=Q<3M_pW^z1x;*>&Wz
z>dy4DeP@rIH4076JTWVB_VMnd|GKG~TC?j2TT_)Y^-9W>KGozPcf|cA2=|xAY`x<p
zX&4<I<JdIP{T>*D{i^@iwKv-R$Ii!Smq;Ts?d67Nkx}PI&APC42iNbfl%#%r=G@gw
z<HGy(9qd_uv|;>ezt!X6Dk1;t>sVHVv~$C#v*Y3!OQtWKRtZWct!DP@RdaM%hr*A9
z=?-t1?LTqSq@U3Ls<u;(Zs3gb#u>*Rb%RYj4!3H2is)O@Z4`V9S>>eq+0~p3Qfo<U
zoWWG}`_M5deo))y13XxzZouTo;g6X4L%27<3&0vO2c#6!4rx^1m?n6ks@DT~=+rqq
zo^=QGC$uS(O3*+P(_I9OX@VM?s7EHNsV+EwA+yBRNIf?+5;v%A`$0Wix*3|NxmKC#
z;_xo3e%O51*4`#$(@?hyMuudUOs|Z5G&`~%Z}wmH(d@r3bSvm@U^Tl@cd(*;)GPrG
zE%x;3MTd1%jBpF=^U><IOI5>3UE1)X-0-)An)EsTk}LHstu)#Zp&FdVW0P%sL_cTQ
zU%Gko@l7PI*n#a(86p+>y|6Vx6d`9@YYcE9+f)d1lrIcfA9wO7qUq$5@-Qbmr2+F{
z(>+>sHqge8L-+1EaA?M^X;Wv+oIG_e<Q^v_Oii=Qez=1=KQR$vI^3sUVNX<+2=IRS
zM1W!@QUQwhH&;vsSlXP6B|K-_PPuvJi`PSGx1jhLnBW%*TszBfMU=<&_oRYlc<4xJ
zbEHTS1u--F1%xp=sIVER3V?T@NqjDUVM`sAA(hpU?MplM5S)$$WsZZ4n~A_Xd^8<Q
z;@l@3mO8M#YCI`83T1J4C|^kpVnqtL=T^93R)icJz!?%2+>eJ7qAF&G$?)VZ_k(I!
z)bRZ-|Ha;-h8YR}qQp&6>ddfIhhdZQkw;QkdcM$H1Xl?-+x$U8EY9V;Bor7#df5GJ
zi+Sra@iIV4_gTJ%A2`QYh--|3aFL}RT*3LLi}2?_hN|z(3hYaAwtNMra9+ZlxD;Ts
z<#YIjD?MrrCypxSsp;ai$-*OxqegrPzi>aBhlMllQg(IB;#f5L5+oJIm3@9n3<aKd
z&DoSbhi8rJoG2XMfBXdW#bfW}w2-%$5!b47ap@MMylLL)ceUTtF+)9hQm3<EBfL?>
zU^$R@&YY5n$wT*?yrp|^g|K`LZKLAS>>#&cEj5phr@eqDL~HiIalZ6t%|d#jzP2QL
z=~YN)IZQ_jOB<_#)qRb=@R2yIbJ`?uWl1=cCEn}tFLV)q`*K9y>LvZ{>(BDmR{Sg8
zN^IJep+FE>Q(}7gB=of?f>t%5WJU_jFyo~pbPw9_*aMi*JvAlqNbo&51WMMhU}#xG
zeV}GN5}YKU5*|$wN`j%~9c327ji}>oM4fOW>KwIeEgx*af$(aQP_mPDO*M-V02u;^
z2mnN~O7bZ;^h$X%Nhn#0H<LkTG13(<LtOzB=?bU_V+iz3cre*ydoW2TImI7LmYc<6
z9C8?kJO;=Rd5K0mX3UI<zHr_rx?4A&;r$I9BxZP~9^a!r_M5i<cvR^AqenxhkM^B5
z-Os>Bt-PIJO1Me%FpjCFG#v)}T@`!hC;=UZ6VzF=n2+)Zl;@*MH+EWWpP?4wJ{Jfm
z^<&0C_*_`kLv!UVc!8|XXS>t6_h!4Pyy-m~kAH-!Xz0OJP%svO$3=Bv1k60FO)2QO
zsRyvMr!xp`wT;_)Of-x8gVEpq!RYY*VDvaF7@$xy?7zmXK0^1v>I453Y=Z<<ydCFt
zzKD^05wBwrt<)jjFk0<EuvFad0!ww8{LC#+0}#+dIdmkTw^%;neisq0ir>Zm0NxAW
zeH>WvyWr!qdR-{UKTD0^=$V~$oC_?f67G7TcwGQ5_qs?ZS<k&L-0|0Fvv_ndIx=`M
zI&yR|#(VTIh(__cINHhPb#XM5dtDqoZ1cJ}8p^#c!h?SVa45VkxOscjTS`ni3$KeL
z5aW%?z<aDR@ZP8lyw^*t#JF1Vx>&BfEGa}np4{u=y8J^$uZxJXm!)owV*X-pgcv(9
zY~*fomA;)LTsV6)>Nw2d*Z-svuMbzAl&lUG`K%7@_%Djn52%j*{wY{q-b%t}Y<TFI
zo<q-M=6a^*-wP1Z_G8CKE2fIhiN!0DXf)0MBL^`mFvjl%@tJYAyp(S{;NS*giN$y(
zNivDQ04$$F{Q{sDyX8$_mH@Gb$uMAUq|?7l2&Mp_8w#!m9M=ouC3$5&?~StC(4Q9o
zDCSsRd@lsZE3n;A2sV*eyoYv8Hi^$rZsO(7Q2jYm$)Ro>0xT-AcxDPsH+4x7@9hCl
z-X0EhZx6s82S1QkgGW8$JnA0jQIEl+Xb$d+bELgdIGp041B!cR;TQ*95YM#+Asbnx
zxt$}_Hap7OIc`*PvC%YKN4c$I26yyDjy7Bxxu37C`ViP_a%W#|mC6edSg0P}BFm7!
zJoOj1+O?H(qem+Ma-l1&H>8isEHz}RYBhY!uo}{ZNDaAJCp))?x5|wj;Wwk<HjTw5
z86o;4mD39AfsaUgG`>QxJvze$2|m2Ch>i5A;Pe0imny^vtQdn4@e*itE{*5Wr%dE;
zg1h|`O4E>kF7rp)_EM=DPIClav4&kK7ogDxGkdLAiDbCy;}Z2NqJ0HBuIw*>Xdl{k
zN3VTtUo-mpu9}TTWHElvX!Bke$7vHK=QDCwR!YakmuITTU2{si;@Whb7Ha5t4m+;y
zK_fJB)9liwYHP?xsv~_U>SG|zUHe#hh(l}@c}NcXT}?g|!iLaV73E}?wi=|y4elTd
zV8>MNg=Kut)6|KY<z&d34Exi!$n!dRBFo|(h^*{m*LFx?u9r2ANN0Y%BXiJ}4zEHE
z*K<i&ujjtJ!g|*m^s$ya*=x=9hiYoMf$X19BP}&#_77Og4f+SJ4INp_Ma;e-Yp7+7
z$i6PMT%_lb9IGMR<rNdPETk5Y{jXFhq!nsvupX1pT1(AZu*Qze*~5d`FVWM}*6gVx
zvk&fno}9JRxFu`m$XY*erG|^4<oa|KEyV_idkyRVrg(DOjDPFm1N%ztv>{mfIna5X
zd=4}}Lw0~1<RY*oCb$SZ6T&C*GHL)@4{GoO{7q5!nQ%?|Ly5IhAvh1!H%kixouBi_
znqq<cIf8tYR+pO~(JA6)JQJd`lnmB+#fVgyhq#pDwK@`eKvR|SsAt@T_n%#LTOyw5
z{yboRFb*bA4={==7)1s~aRs9|fl)9=`dDyU6NFffFnipXAr{nzU2uDJ7wl?1(ltKK
zbT0glojbqAnT>Wu{@9I$tSf>&t~9MISZ=E1k$7e1W!<v}`SjJVZh7^#^1y8`FCULQ
zpR1)$nx3!6zUlcL)9Nt~^GdsD2KL*L>TRG(t4Y0vKGBoo>bSJ)I`QSXgwd`&M|G(g
zVA$GAwRT6ynh>4%@P3?o+a~=6bT&A(hmrPC%;%6I(T4`2`4aW{71@g}>cu@^r~?wn
z=>WB;)Ix1!I#2d>FXn_C(xT5~s@IWPx)rww`1%>sJY_3bGp*-J|7FAUPE(*6cnQm@
zqA53N$}Mz`=Mw*>@F9XAeA4ksi^~SFp!LOWCz7=X_wPHOkZPQ0*6+TmI?$@?);@T%
z7&NeNyY!#3y$s^R>V7TTuurtGo@z-B`qf#Qj@?rqKT6B|b)VtV(9;8d)Yci=qp9Ah
zGemx^rD|sHH0RSL<eQIY`BJE1PNwWQ6Q;fDv%mgMed8VdqsUQ<WtONm4WP<*^ucOz
zN+vURb6ksvB&$<&%&7sA)%Ip}kTkVq;Ilye{h7Oi=r>_D58CNpAQm)3WK6hz6tobW
z#^A1V=o0P1ZSNK>#nbRMjPQ#B>t(MkB=axW7j3PVy#nR3XKD2D)x@@}Z?J(aRa4*K
z#Dc53(x)GH^U9{-%M7$s&4w@Y>f8+q(=CGBA<*7b;P4&7({2qoTq0p@Ot-|Xa-BsQ
zap3(89g14fXM>(prJjN~mTE|q#H|TUu6%#iy^;bSV5y$%yhHXAqkdbYp{8;}gwVx=
zXiICW?x<NWd9#WPK7(@V>V{2Qw7}o6yQ^x$&Yc?$>QchJn;bN(3t(ePm#Cc924!`>
zCbv@zy(bljGffIrk~gNH$NB@4Qgq}cY`Z5cGcH)MNEa}741xvCr13&?#EGrNiD{ke
zfw}gCCP%#XoLp0=)&Xh*8VX`xd9iQZS!GT`QIqMb-qfYr@1P+wtDMC;9%Ef9IU!o@
zvx~HpFXx$((dM1hF7UdTBReQd8p4;<cYj^Jq}>lZ(LOSznDt`bft{<C957@%E}c4m
z<y4(`#l6Sb?1GCi=>}3~mVVt$Ego5W`QYkg-BAB2Lp`*eqrEOo=jk|eT21fLzOI&i
zd3)$@f%<#1_s+wD`}1I|2TB~8<NY)!Yh=KI0Quip&ZH}#Rs~{+JS#|ZXm9Yk5QFiG
zYT2y$82^O1+aeOyP~&ybYdy^>9jETRRE2jTN3k{gYCfwogGqYP+q_h@jlS7Vb?F-|
zxvE!ITgK{nX~mG%hkXk4P75Jb+TVl@ZJFQ{gzaN@6{82w*jWVr7jj2>c$exzXLf%~
zmRp1#OrRiTW$f~lWtFnoE=T6*(uTEV&0aJi!GKNDwqG`VOrKr6RA5f{p$@b6=+e&M
z^u2OBhe=C;1Dy)e967Xp-7Z5AMlfg2vbnk`^R`7iTTOO9lf8jjWU~8w2)(H}OLJ@;
z>XWZ`+9f!r-=x`QG46YCuO1+SB#CRkTS5EXmTSMoc38HdQd=u8*(gsJeIBs>Ja7C-
z5Fjv}EZW0-=&lM(r9I_C5r#do8kurMAEZp)+A@Ipu}tR49^+x-D_r_Jaw^Iyq{ao*
zx)?fv3m`x&fSQ`FefWYpXp84%PQ0aWHB)t@*~Weyv`pWpyUQ}YoZhxH-O*)0#xui_
zHQDF1;;opK$ClC{Y2Cop!;t;EiX+qK)}t0HaQdhu`y?13^USgiE|3<S<qq7$mt6B5
z=o;&$IhC^eT!c1ra%igq`u3qcBcR!OeLnlv@q^qBA^M!^$oSz0dcXqa+or4$Yx>yh
z{shB?+1mpBw3B8{9SbhFCMZ|FpXGeBh$a=mR^=gG1dkAKNIJjjS-|WzDZKppv8aoj
zmp4AwkX7wf2fUo^bc7jyXZpO)?|N1n;qS<CP3$Gk#*<^mwQJ?ko3-!*YdpF-G6o5@
zk=xXxVI<Wsgs$4VSG)J-@pXH2&!fA$w)7Z)MdxfPJcV{<IbSX8S3nbQL8o3zKCZcT
zDn3PjYxTL#>sbFvtlw1cJH=X9%&1EfHT3zd$8?kywx!DKJ3NioYuldL)yigH)5>rI
zo3-4le>a`@)YB*IVe;yzMSBfx)EmaGn$%azKDz=38BD9w!YlH>uGz;IQ~Nw>4;zy6
zSh+&=%JVBOth`W(bZhA|Sf^;IZik2Lqh`H(GFZnfb*vrS;R>XY`$tnRUek9wt?JWp
z$Pcx(>_>8HNxEhFJi4s8cjVN`i?LnUN9@xMoxWeH#}R3|rTvG~b+x=PL+C7wmTzW!
zh=H@p7Gs7`p4T?#kVvf!HNlMM!38iEJ@p;TCb0srr+mi|CdivIgb!^7UtWI~0s+0i
zMi~Y*!z=`Az+SnDy%L`Uhxu<gqW6gIsjX2>vGW9TSV5GTH`+)x(dUvl--Dz3q!{Ra
z;)#E!RKPdX3KZiZ><yND6Pydu!6z1%$w_mOMOiEuBspylmgpglESg(Z)Cie~#eyj?
z2&1L~ge?1?<qHmqga!HPC%Pg0SILVS?V%Bfmz4@x>XR~*ycW(n-lVrc^%RKt970tF
z;mJJqq1FD9`0y$MtJLKnkeh%e!wPf{jW339mqCafoChqmZ6LstA=`62Z$VNaB?40h
zFs1ByBA732iWbw26v~0JjV^+C(a3T<H%Vf8@<<6kw!qTP=p!k>8&l2E;+148@U>(B
zKTc-t*~9^;mCR~Ub5y&cR7>8%!&QGUd^EyheK_3oor!!Ya?<k<&4fn%AhBM2Qf^@#
zcnQIRvauP8Ta-{DZs-%XOxt-(d*tBm^K0~C=E4Nk4=V;v=&J=pQ!e7#L%?<5@-2ee
zV_7~d^wNll(%1ydB#q^b7TKV!%W(@6IZP>^pQ?mdp#om6EXFNN;ZwdCLpgx57zEAO
zeY%0(RfAHOuf%mA7-TC4icnsjYb(bxTnCO!j$<s3+qr;a!Qgq^&gV303Pb|)2+7ep
z3C}SJG<FZo=C^yL>^aK#G?+n)&oN?Z!h`Hn160STM+(+aUy}$I?U}q*k?osxY|qiP
zqCGT+mlW_4WmM16BQx(2iXfC{(GA{>8@wruDT|Nk0V>`=sf3@o6-qIp2dJOL>qqht
z)q5s!>blBDl+%cgaOew-fJ{tl#8Nnk<xByIr8NSH{T2lhds~guS%qr%qFxHTmX*Zb
zR&!#VaUcE5Hgjfd)KN&hEyf{|r)}c+F17;M=qJt!Qoup@{KaAZ3NU|c4sK;ulCcIZ
zwNBt4LSLG~cPuB6I4UYv_IA(q;Sg35iKButh_`z-4inNFAp7`^<wO!fH+V0@l`ddj
zL-@RAcnjUFKvqf#q1=i<nBELbZwRotV9;U8<WjCAE_daK#PzP$ISu9eZ@nw#^cPpm
zsSOr0%3;$KSk_qCvZ!I5&$m^SJO2klqH<M0`53J<%q)5Ft-4LQ7-q=r`Ni;ixu!-u
z!zr~dis=ujSSh_FH$^GSMk!L$i)S$5w>ZHzMOeF6O3DUV!vQREZ4>JL_Zue_nk8>#
z!#1}ePqEbnpFTq$33N*Vz$6CR0FpR>EY}7LJu`jV%-x5y5qo#X{j3*nfoF7FF~qNr
zmXqvtUeCIb>nk-g<v7$Vt!BIK?&7PI8Mh-o;*$2V_t8#ZI+47+oS;1U2%UiegRR!7
z3bn9okri6yoXXm&xQn;z3|*9x(*h?A7#z}C@a_Mzz+$PYGGS#q{0=8|PQ{tUI2`Pi
zG!SezjpRTTcwyW-UdSmMmvno|!y_QSq2qoY2Q479g8%F4KE_JbvRg62@y&l*)pihZ
zqK2!mLe=wA<sQXcvgaCraI|pWrU3{kN3-+;C)yLc<A$bBidztPAkcYwG~eb3xF_y&
zk$dpE!7g<q@y;F?9rwnGvciXxrzU!dDs;`3bvur3AA4FSF7}Dty)PlyAnx-SzD_l5
zMbMHtI&p=I-`vQ-_}6Dx;PfF&4Ln2`sQ5wRx#Dw)Wf?P~<pJJ2_84N@{f?N7oyvy*
zYbeivdAy&ZkWlD)J-A;QRey~Gu&E?of==QhbP{P?Cn3m^MvUfEKEw(SLN5ULP5Khx
z`2fET@O*&B1AHQ&u|88k?gF(|DmXs|^u5ObeqU?TU3TF+;Qy)^p~nh7>vm|MbYbs%
zUAT!Zbd_DOH=;SM-Y=_w?J-HIu=BkNywBZamwi$Nn$3Slv+;c4f3e}QZkO+YDZ@x1
zKy}54@u%By9gYz*5MtyrrjqMIA;h=O6=Q|{bHvCyb(<sO8)&>0&$fTUqgL>Mrj8gZ
z^zMrBUH3waynkC(Q8nf4nF^G_!PEyRgWb`!U>|fX*d1M49n8BnT0XK#68BbCh|5M<
z>nek?@XbbCtKF@{wK~{JTw;zpKdO`_I06526FIzz9<n27d9}NZ)&7sBAT`l)S}8eO
zK8Du7mhb`lZ^569Y6%p95=B^*Lkh%6R(Ul5qMstKMh=oJ(@Hl0>>$9vOyn0FNReDQ
zkRrKG0`m=^ukeav(U(rFCCE*vo`hq`f~)x?t4PXW--)D=J*78xrJDiSfJ4qtwanp=
zifGCqt)l6q{*oAQm19jPonnJkXv5OHKpbO*o(^a(qmJQ(aI~jnDOJ$c0a}0paUcg(
zWYxEzSZhC^9s|^eEHNB4Wd>!9wMwmWK!NC6*(!^UtqfUoM6gwG^=*U`a6~Xpz-TO$
zWn$^fxApjf{jJ^%cbg0g1l9xb9fkvyEy<;CQ2!O$Ridv4I`f$A)V4sJ&!ev=S^W9h
z$S`0~%FBsy9463c71t&k-^y~a#zE4XW_+crm1Zl*Cffi5IUpBICL6I<sE)-tX0+T<
zR_hLLWF|816rlJ$i7wWNrHWGK)Xc%=l%ahm-US*lnUk?Yfbq?EWu;6UbesY@CfO?P
z`6b)rJ$%4YolFMaqYB<a1z6(aLYX4{l>^3NO;6^lmCTnb`HipAKoqajSSl|J^7`Yx
zvC4xZzTxuVs1U2{GOjgNZd3?XF5cTmdgI1dPA-RmFCUi+%VU`4{ZilvtSk2pL)bTO
z_VJaIKMTt04@EiY3&iPMSMJwT5+{NU_<;*d#|{;bT28kD+(Zhs3N>K<^i6>{Dp@%I
zMkE7%q$?_nNJfoO$((N}hrsq^EMyC1A$@pV>p?(LfjA*qISj`0s(!rccwW_;SABON
zU}29WTMCqgeM-*+2!~+eyk%79jQqXo6L@tiGvA)P&|4L^d~e`5?c|w()92~mBq$5?
z2xzRV-G+v<_xI2!z4$weAD{e=iF)%DJd*szUs=J27+aZS1Xj<-HyV#E!0hXT@%iq-
z_<VgZzCJ#DYTj{sU!Mxxev{AposLmDeGlvN?gZc+2YP-8d=UNHL%`E#dU;{a*XLdT
z`}m;$2YlX4QTiXk*Z=KtK!yUbTQB8A=vEKi@Ad<_->n|H-=!DtzV$?KUtRu0=(d`l
z2=1$GCqkEc))S#iFWZR_Ru9D5N+DKTW443gpBo#;8?&AbUFz9r_kT2sU9r60o1ZyN
zuL+7khNN>`!`V7xUk2pqd9cq-x{?%rmB(G{dVIpg!@Jk7+otCl$_4Y68Ff=<><qsb
zN&h}TUmAW?2f(>=1@4y*CijkX)3J}gt;210Z?UE~e!xRP$Tf}Yunai4e3^MQJ1%j0
zwS$I5jZ`g{^zPDAw?^i^c}n|>lhA%%1_>FW8SgSlc$YEP5U$GG+M@hJPd2By!ODk=
zc5|y01?wV?H9M7@D`0IVhs?B&S}9+cO2ae6LbRHIRtsz3sy#stsf)PSvovQm`O*;A
zc`9hOFiHQ6u3U4gQ)$3^=mI#p)J2-a1(~S=c}g!+4<`6#h^dv)=Ap`HG_^8XO$~Oj
z)FFxgXFTGuxWjGGQ#zRX@&ll`?w92?{W&CkVTD&Zs940rmn=`BQ5n6GM3WuxC)xqO
z$qx7njS*Ip7-cMYHjgjajW|#h`+Dm;Zd{{4z~f8`Orfb6UOZ|HP=&byRhlbM<-5FA
z40~)rWAJF6?*a$PkJc-eE%BzlCi*BteB+8Zcs&s|xc}UtV>)Xam3Yvn`Z0<Fs}&Th
z1JLdN0C`9@x0N~zo49jqXJHn1l~t;Zv{u`a`r!sxW%>3@YhP@T-BLvvU3rDB$mP2t
z{?<jl{oXqNpIfNVmwx})f;(@aZ0U>O7|Y{QQS}VST!qcx297tZ!WII;i{U-VTwmf4
zNq|VmAjoWHKqLXe+(K}-ENLr!;PtDmWwF<XzE`&_ZpE>IWKE{nRQj|6Ha5nxe5O!V
zJT{dESLlv-9oe0hzc({w&>u$jwykNYc-AOCHX!?!BP*K(@(?)v4=VuGV|<4yV}PlZ
zTL|K%U^e$n6}|y3z1;vF0^b0Chs|~GX_<u$a7oz!9Nr22gQ17XGz5W;3i@-B1@<sk
zU{7-e_I#I_mgTVXs7SI<GK2G(3Ia34xbK7(@_miyUthvktU_$YlmbQZJaZ<e#PSO2
z(VQmBf9S!f6V7h~`fCz5jiMp#!7{AnSOI(A)Kvb22*b7a$qiMi4*_4eN?z@^m9H{6
zHIY}TR-SxluynRyGUiS^WCS)3O2wn&9+)DHG5Su5cGuzapc$hFB3A4)S1^ykU>;)&
zE+vQuU7<anW}GhPV8+I{vewjio+OU-;Wb?`bJmV>=D|ad6=Wx&;epn01GX{fE?6Hy
z@nnf`1(+Vp^q`a*1?Cj-RPuMi9>PU_S~3i1#u>p2P9-OC?R^DBx;US;kbj^3x9{&1
z?5N>%|4^b&U|OQ{r05CvHx}%;KOtI-Mdz81WjuA4#F_5JkYZg22cGGyL&3nwBL^%u
zhyf)Rm~$sAnM9M6xJdOgQuu@6M0p?g{Kn@|Nq9@Tm_c>;=LmUwTj|{+!VVrJ>fO&E
z9wds_8OiHFifY2^Kt$UKNjY7bp32SZ^O{3n+e_YAx8fP`;c619&4U8TR_!NVt!yvw
zmqy-cJT}(Ph+QU3RSrbuEBbu10DU$r6OQv!5bqBQ&+&J^PclxM#U#9DnDLsClq8J?
z(bnh1Gm}ufH-l;*^fZbKQJjFsj--Q}dO!3`vXN8qhYDtLYF+^s|8mrf1_F5lZmIm`
zv3vtDo&QGGs9T<_%j$Zi5?)R!)OD*s;QbZWFy9QWfDxot#t;rw#uyF;vu`=Ihq-`e
z4|48sk{^%#74GnN@RRO)6<S9%E3Ln+hqu$`aYFjdPCO96P%{vsoirD;6Xt?;qFpmN
zDW7x&DIeYgQjT^_!pqM?9-SlorY9^-C-YF;sB_DRI%kZibJ}jHb+2HQpI-pj1Z4WF
zILcEnh{V1Dz&|}9i7_BCY>)o}^6r%hKp&Oul=Pbeu~&Y@PMKyFV=JL&H!7iLv6axX
znB}aAb>qZW#>R<Ru529Ju8Hxn?iv-cO`UUA9$y18=$m5kjf?b*^T9u`cTfnbLZM5B
zKYyDQ|8PMvIr_K44=cXeQcZ;?zW1>brzENoL??y0?+|R_Cp4WBE~cj2UVJnDMnWH~
zB%xAP>N#7b>lJ8ch;TlC5}4!lVlgY&1)=jmFS${mmn=>%4>-LH0liGfzsNx{-7%8;
z!HDR<nPQf^jZku?@CxpnDXJt;N>X7$N>RQkC8k)+EkTVZB{Y;%$b%A4NNx!z<Vi`A
z5F&Bm`SY}#4DmVSBs0XM=QV^|Y%^7nLds<8&(mge>H4{mLl`-TQGux;wYKcnz;d!a
zhqcMUb2+YO9Mr@?pOt~4(p<}qwt)PH7Hdf3E!(~RTX`SL_Ex+lNCsRsUi{B3u~wE{
zGch<T=)%<8e*%4CWFK30y~hp9>izE~-u7m7YT7?HQH!@w#yF|Hl%6)tDn{Q8#WdxH
zVw&!T+GbR|dyl!(MQBD3V?FQQ0|7kR2m)x2Bhf!CjZ4&bH}YB=d996QwH}2ATGoOb
z?&jIZ;oeqWJrCr7(OBi-yXYYV;(Jl3o)?Ac_oB+GKRz64*|i-_9R_jSn*!o^d^kzi
zAyBYDOA5rtkVgt3jy#4ma-U6^0pdW}&*yk?(~OXG0Z*g&Ttj*adZ^FK7AK)BT@eMJ
z8ByD0MD=Gz)VD!WGfoWu*g_3#Jx&e(4Zx9;0{|BBwk|7z;)mPX$cdp0a27<y4MO_g
z7QL+ee<6C?;v$HP8-)A{YumU?K)kycgU(%yLEl}BLEr79OpkcCW{|SB%lYEeEL+>g
zWuoGHwH|pWwWyJGX=|1(ZCPz6^jQ%cTc=I3iH`Sz(QaNa+PxQyb{}`MVi;mw-Q|3B
z8}ZfcmLwbzID70)M{w0qcw=kU7YlntIjwm~TAzFyUp1n<)CkwIzBQ!Ie9K#~<pEg6
zVW)E>77q2s1_kgXe1SjINDXN^U)m2B4d9DPH5g=JEm-fI4`IgHfCWYSIM$O2FQ#7M
zK!5V)|FSh-^KZ-he?iHIq@c`7P5v9o2IUtTfL)ToV!>lEOE%v9peB0o;DU9USXaK#
zk9uLDA6&pf|Nf;r@3F1c!BjugQ`q@~FL|w+)>`84os7z2KiFtn>_^{l3>&eJkMQ%K
zbM-=0Rrva&I8=QN%O<`q5y}$(9)~4<6o(~#U63U7M3}PnJg+$Y#oRO};?L&9X4~xk
zVD<;2zxbwC>YR1=?Ki0R0MANJ{^<0)-f6=F_6Ep3;PYJa+<d=8bfewpG|jy7VU?&#
zyng$35|7rR9@xH_L0mhU&EqM>4J)%(o>-Aq>DOI1?@|pdwW$4oIkC@bH)JjJVnbG|
zsLAiM^-c|8|Hdt&hQTuGcUa*?CGAcQ(_Wq!)?lB$(cWJ1ueJ19`lT1=&aPT<LZ8j*
zIx?vmw@9n^u;=TkhJu+}0;g!F&kr2q1An7hRO1p&gj;+e;s9|=*A?{1il=0!r4g6d
z2>hC;qM4cOqT0!gb+uURWqpx@><!4R8NpXFwG_rQ$TU2cs_6&zdEWQtkLT-EWk=W-
z5nWy+7N2}@s_IVPZ6i00V4=+E>xeG*<8MY4AFsN8#LvThw0)NLncq|IbXH<%^eZ{r
zXVAYK=o7rIr^zR1mw<Rm+;Tom_M|2Drr#V)vZv;pI)c96{s8eO00m=Z`}E%&(qYrM
zmzJtL)#F$lT%S5hr3>XzG{S!7D~FlX0)buS2gUZ}#BFvQXn~v!V;&D-4)%pTEl+cx
ze5%Y1kND+=ItA4d<{)mgJ)OvKphfaE@Zb;pPO_)|C_gXfw3X(_DKyrex>02ZT1BxE
z+Mh$OC2~)7pt^GYOl&;-vd6Cxa{hbAV+BBKwSNI{0tYNR<>t_QiK-;<>oUv*s#r$i
z+I9<+95-Ha2X3X1-;WU<GD*IKgX@fq-ZKDn2Gl-B&QIN+>impLyI;{0Ie)tZ%H}82
z%OrtPC2Ar+z>5L?GpB5B<PwOMD-)ebu*sF;2@(!Ur9EL8VV{%kuwNdo!Fy$CZ~l9J
zy2CU4E_;)-P5z8m4u|AXczk?sF<8FEKEXZ(qZ}fS(xhyjL<8CxRf^?<x4;T`;d~Sh
zl1J^6`b&6vdsm^ZJlXo{2f$lpfVGv6sa9CJth~{Qant4Jn=nn#{l{&Q_~Y7Ti7QYs
zN1w?(@p^W~rXbA##2Lk~$X#;UyXq?aoK7RMdG4YplLL};k3;gK2Wc=-{_5LAW-!2l
zV+38#F8y9@F1@3npGggS@{41eH|{@zC;Rq=zl-2h1V;kr115S=ypV_fwnN@G`A6C&
zuoAUDbD7_II;-NxI`|EoVyraLOTCf#s`B78DbLXCCWnpLyXoUf)U$L8Hr(M;`?8T1
zp^_6EFK87W_0uUz2;vXj^q)e6*0F>A#<rUX!$~y}Un`HoTC=bwj%}$GKD`(`Vz0X{
zC`Z`0phJY=8f%D+u_~yDmH~x5{pY5G1qRYPx2;*bkse5k7Oq&Ln>1%j&S*n3@(d6X
z1Xb;%@R{de{Ja9`gYAi#uS-tL;NcORPLuMS<?5!v+<x*1>?gl^l}paQ^uN$f3GVZf
zKH-LJ%Oq9TtJfz#);V1ioSyw6<i$JxV%kWrh1Di_`TbJmu9}v}O%S`+cop_1Mp8@S
zFgseBtZ6SqVjXr$@UKnFU5DJozp5WeE!0lAK}B8x`;|<2GO{XdJs+egjEScqQHH%#
zX%{)dF1`}MsJKO`899R4El0u=&Q{iN!qkAVx&@2YtX*Ib2hMJ*61Ohi8M0yz23En1
zq@pVe&#LP54_+c$VPbOjb~ovLACS|6bFjQljGBQEbhBMmFtz5d#vOvFNzZiIKD{S3
zc1|dwq4_klNZbXF{9+BMa<5R8wfa(fM^<HR$1GB5<!M!zs$*AH1$MLcj#On?ZZD?N
zvcv3&CLaMY9ywCyb+7JG11;6Bew%d;){DCyws#aKHE?8ImexR`Wi4y)dlTxiL=UHs
zVxEB)$$9CdnbYAfoDAJThAm1>)LL*l33`gUM&|?VGfi|D0dd-JGb7SrucTUY_x@sn
zuK-Qq`@qs3MLQ*U-&|A5u$tB~V18v;&)hY6)I)F-<ql|aCwx)W_>5(vf3M1-;7l5f
zRAdVgIvJkd3#%aSA=P@EhIpQuYUi1Y0l^FQvV_hwT3uYaT|>c7;hTGTWUB^!N3oA!
zc(IrYB?MYPZb!Z$`>3h*BU&RN%2W$%!V<v$0{DxgTQqRz@WhWWSTCua_VRiW$}S$R
zrf(mk68r33EkxKuu-%uE+!b~#%RtCKz{&p;cz;hr2rq%P{IP?t&u~M$r|S6er2Q9>
z$v&$cGi))igPrJ*nzdZgp#^i)bscypewbm%0F_%x=Gc3ns^5b0M)J4G@p(af>c1_P
z9d3)UvKjcBp~bIh4EZv9`VwK*zWdgNb(>>g->JpPbO`CpcuMVW9mQBSXv6PF-Pll<
z_c2p-evQC!&9h(P?L?jZEdoZj=v<9Q2icG0qCB_<(v8aX`O2~3YNo9_n0-?{&HeTa
z#O`1xR8Q0}1rI}VPBr@|OH->~bjj@tM}9TXM{KzoOohfE1s@W%!*}`@^9cB=BKch_
z_)6aADfKi#*L(x^1yIQ~>Wws%BZ_IKS==QL4bnWgn+%)z?`mIWRfqa6TY}uR*9Ea{
zskxZ0JFYtvwf2PW|55fHa8VxH-#7&KS+coq44XA(HxFy?8e{Jo6)Ru`1VK~;DT*Kp
ziYSOZ_O7Vd5fzoHQ~?2%ZUqDZjV&5u)FhsV47vG#=UFVd_xF3>_y76aT$icmIWu$S
zoS8Y_^ZLq+4hBtRy9r*?mIrUy5^kxP9x_^?iChzLV$D%->0bZ_=7IiRiJ91upM+}f
z7oNMCX>iF@xXg5(Z>?udhSX5M)dq^b$xb5p^S+95GS^>DUf^-gfJmYj+{eWY)I**5
z7ee1IU;!AePide*9q>M?>BpXC{H57HJdhCX+m&vq>Rh$74tI}D@&B5`?32G-8zv5q
z)}4;U`%7rms8Yv3D(CapLK<H~TdFmY`CRfOlS`c8Fqb^$vgGM0Xr|ZK&~T-3o^`{7
zz9v8fv2T4AKmdh70EHVggSh~TGzuWibZK@KCT}HXp`^qrS$)g4gpTk@lUB<+s^QW1
z@+l3v(Fi_$v0e<COY~KTY}VQm9rVFv8#~F;Fm;sDEGz_M%B_(lR<=B9rhL?PVa?4#
zK+rN_+sTA2=k#wb&F)}e4%OrUVtZX>E!}5f3@tH+YDB%Ao7_Vcc~E5GbuRev4;f58
z$jgJKl<cUYG}ZMKi$5UHHR+IeAzb36L*fBwb0%c?j~ft9oCHL%mDj8zn{Zp$K@$`-
z9xJoHnq^AWSfDxBZrA41H-MDrUrXVjvwu?>h;MzI2ifpN`!v?dFo?dP<)v&nebEQr
z36`VC5<<d8OKVG%^l7$tzi;j4a3OI}<qJQT4OO8*M}rRSwAdi!X?BuF)7N+%O6}la
zlO7RqJX*hd$GUaf4VsMyDioUB?Mp*91?jE4W_I*9jAKEI1}(D*91H}I1r<y47v443
z9B)Z)0ZpMEPif-cCJ(|)?jW8!Lbs*~JE3ci5JK2c1<MxH9^m%XR0@HFYgA(vLszwx
z3@;<EQioL5fkG(lM!lL{76z`v2Ao6}L~PxZ0knv^pa!XFtz<pu%ys%!ar^AiUD5h&
zJAYWW)1WEgJNpxPXD|DBXMgfvJ3Dh`Zxm1YQZH0IXN8qi_#A(*Ld6*f;8aZFn~<UK
zG?vWnQg)Rlg!08j8<lH+P|OyVY+rh4eirupW`P*VRMn{o$L1Yh`t|xP${lNWtlP2P
z91U!^N#Rfd{;r`c#3{`eM{s)M$&NA=ogoO>Nkw1GL3XmA0Ox>{NJCWXOwd%vX&ONJ
zipMM;Ga2Yb{aL=^f}mcDQ<+U8ZZ_x=I25Vk+C(a?<_r-u!8>S_f<D<-jW}&OS+U^m
zH6dKF2!>*jJE73`?&`1AH^57%X}?x$N~8k~th7?H(R2oE`w`r{8GmrkN&U86KdjsF
zo|^+jnt_{L0NrqLTS$$RG#!kJ5!5BPN!c&+iROv^GJD*>o+XETv)Cu()NHTneI+HV
zH#Q@=-|6}BtG-s3$oxU2@0Dy4_|jW6it^V2x!`*fFb3VZ>V_~VH%3*hhVB+v3yqD(
z=tcj6+&^NiETT6G&Fu%A?t}w--p>MAzq?HXMbCxp?F`?t0RVRdFd~eubBG@d=#buA
zr!%%~K|%1ptQ#1rjoiCw%Py|ht$<!Pf61Pkvkm+s6q<^?P!xZ9S9{||MSU%2gAx%u
z*$hRy%V!s7K|J@yx~G|#&_OlO;cK+mup5fzzg9jI**QV|#`x7IjZc@j79eH(Lks8w
z*_8KwTgzkl&<M%|^<LxHI|WLwZu7wAz2Lt^nZ|)1$Om5IT(s-bnF|>%na$qq1p|Kr
z6m6gC*VH8E!uuV-CT@V94FH6T7JyuifNiAKiw)|28|qq{eiYsnzA9@0=`pp|ESJ`5
z;i|p178<Z2l{FS<l=KOFp87DGplJ(T7IM6yMd?8)foZ+TrdfAn*MFk$<{^{StBmT9
zG!dS>6G7@Ns5+yRtP>reQSh7UA@pPem(E-6x5OQ71jQ|j3O?1H1~vo4)<|}PO=eFO
z4~6Gswg1e4n8*ZpH6M06=zYNFXJ*wbUQnllkzQO4vyj!WRS1tPtw$#}Kj>3>k)<j%
zzn2TL&i3>=Z4BZDN^~^@5>*RZqt0(l)4$F0gdk-0)nu=v?%(CG4pZl>Sp&JgyDzX<
zKKNb3MCDdQY>Fvuxs^~EkHBdrB18=YjZw-7+<y2k8Ka=7M3C&XzQKmz4Q#%Zcoz-)
zKUos>=JL)U+Y?kFSB|ZTyHzIAWO{{$;n{)2#@JEJ8r~?TrXx8-rG|o%4)dYL4S8>H
zz()2w<B$lm0<l&eSD&E62dgzMAB>85uqh78CI$AN1*&{8^%tn@Nr)Pp)JAMw*Rrj6
zkZ)jkwF`~CzBwJ%Bx4U-%=fTl>|vV3B|J2>Yv^55<eM!Lk%8oWJl=Gy$OEA!PgQ9a
zw}WZfMFs5nQhHrrnpH_>;8}GJdY<a%U+7zEIp981+S<;ypJ9j~=hA)D?P%h*m>nk$
zEG=s`Z&~mfyOrk5W<L9u1G}eVQ){7fwgGBo`>EB`!mxM4-aWeF^volv`r6cS?bs)F
zLx&oG97|I~wLgb?w1}(%KJCg%&8wHt>ghi16S2kkGoQumyG1^JAzueLz^)vxxGB_1
zL$s09R{<aL-&vq=^xVPR-9MXih+8>CAEF8ZZX4ohKJ^zV_ck{w@$z;bHpoYtSA}g_
zp|_v4u)mkVg_$UZaud^e7;_$~bRiQIs8L}{`<!gx7n6J2tj-Xs-L-qu<{gHRyOTsk
zpNp|U8IUDSXf8I7obo#=4na(1;)W_)AX;*0-QS)96?Xdh22@zm^N?N>O1N~}sZu!S
zUJWVHtFuAh7}eV}i|Q(`QW{x0y9)MWb<=WzZ0Iz%A20JK!H-4FG!t_DQR}KoP+`Xg
zNq~uz97DDH_ioy}-LUNLdQmavY|OG`J#s-1a)D;30>FV^Xw}rf;~e|Q0)V{K3BDBB
zfKI)DxLNxQyC3a-vg?sKbrLiK>-*G5!7Ni5+A_4|@|NbBox{Ty&GpiUuiCU}wLvpw
z=@5nHz?yw~)*aNV%MJ&oJfk0eHLbowx69De9r6_}tS(!Z0c4(i?gwV=oAZn<YIa$8
zN{jZLKajXD4pL#Q<LaR^bj-I*3htup$`&toTRJ<0Ly|3v4~Y*+=uC^7br#fHFjjMK
zlOz0*WynydaX2;#R~f?qsn^gJoMRy{5&#2%-n59LG6mOvEvOHujFCXq9e4?v2xV)c
z4Di&aq`vcL>VsYCb5#QhyP8G-863zoj^*TtNnHil%PQ(7tiPpLbS7r`Y5lJcWN>in
z7fhJr9<pezVbdK2Sq)%T%1y%+hkWNoxa&Lg>HsX+-nYLcv$&Z3hoTJYhbadAq5Xcw
z4Om%b>1Bl{qr(HD3@lga?-vm63$UW5i{`?O*+6;96Q@qX`?)e^cysnI=V7A^>NM3_
z%HnW~<SS45YHrG^FzNf%_hG&=h^GtqVqHR^L8e!#$qirk3SSpYmQdp-qb}#kkV+bQ
z4}&4`i~}ls@wA3k<s7W0-|O1ZW^Tof0PhZ{>VvUoNp}Qw928Y6Y}O^F<OKN&Ey#&h
zt7sJ4J{o?*)qrattJ}(Z34XS=Zu9%YWHqNMk;dEu0xEz;I{`>S97!+4tF%c)@nd9&
zF7;?$WCo{)hVcU5qCgD_sOe`F)dCWC97IXe7q!sphPAC`jfXq=&Gk0KJ1UNyJR6y&
zugG<53uDx40{P&5<m&O0yX&X9MMljtcsVL&C*~~7$I=^(cd~)xb(>n30u!*h`u7Uj
zcOS-RAX+wm#v#P}boq&y!{>7l(=9c$;C3jWF@vkg>vwL3w%q-&FA4g!rP_h^a%`fk
z^2)08A*>NIa~cXva#!%&2vK>x28=-rd(Lx!Q8Lqh9?b`*&&Xd4>z27HfMubhDT<B4
zV`0cu?GTsKxw$FF%YiaE7`*);iQYwE{a>P}t^gu44GEOKx<!rBrcnz%9}t=9B}}Aw
zTC%wNBd~a<jeEq*$2xhrPB(0MVGQE?Ru1C(k_Yj9YYgK1k_Yjvrcz~k+Ie8VS0&o9
zA#9`FIIEClTegH5mf9#*?K>hvrA`s4)58HGh9m_e5`{3dmygC@G<at!{O8SD<f893
z0kH>RrY^n$+4^$tmCP!AQq1B7(FO#hIqfz5#5g^(Xx@hnWrJVz;h@S0Eb~4bj{3;|
z7SoVrOZR`VIPi2)b>LIY^#TcJ9P4lZ2|HEP9BvLvk7K;4GgV{--M-i<kbv~r2;!^t
zEy5JCs?r?7=~!__+Uo;`{m-|)*aiUxH#yh(KGaT$nKlj+H(6N2K3Ux|q@B6u(D$K!
zzVr0qt2b?0WzY->fgC%uX766eF^#L#<SwT6WhzvWGuA-I+b)GPN=6_6zOB_gM4M|`
zO>==TJ(t=FWPUf5Okkt_F(`$ZTcR7l<J2IsyB9h3Q%a5D7_GTPRyll<Cx{7vx&v$f
zkFuIgl4^L7j|H||D;t5}9?G#K{zx-@!1o1XP>3Vg05%wx``;!uVJ78&n^=dL$g8ls
zuo(v14H$3O&AS2$6`~_p799tTtGgLi_ekUF9?4gCGn!BWW!1bNRtO|yXQ8_OQ!wKe
zn6XgRe?tkqt>D(C#U3eGvzNv<eZ`?&P3e^)eSgHUX#K7o>(|28+`In{@L#tr4c#21
zA3fK#lb>N4Yrkw-s8gs5M0-d|aQd<|b4~QO6s_ouD~*;7^1J8XCL_a4Xr~B46bPDE
zDn<)Sxxu*{g>+bVUa8ar@TS#fr^riN%rG2Y^mQsA?t74b34oFVg)s<>15C~m>TKNF
zX>BEpP7???7;p-j827Ux=jf4LCkQ7#C49qwLJP!?H~X@WH~S|wD%OSVR6G($P4fXb
zI{!A!ufiW}z9JE#v?m)%D@T`7rxI#bWdVJFcbAUtvJt~(2gRwpl|O8mB%W|O>UVtE
z*XuVcx4*M5If)%)6@gY)n#lwXQ?e$oFTbTgMHc~nq)v*7<TQjiO~fCtV!8;>W&)x7
z@8y!E8O>D`vAN|m7XZJ_*j&X$LEQ$_1dc0&w!xbHZ8DaFx%2~=3lxtevSmZHrGjSB
zPU@q0u(vexu1?lLxQ!Xeb&w^p4zdV3NQ!$}@TE0hs~0se5%MOg64vHe8l@VlgvBut
zOiTQkVpRWRqC5QpkF5q#I{#-S;#ke+cJHFFyVRNUhwnyFm1c57v%r`2;;D(zOXAiU
zy8<&l%11|>7vF&w-wLcLc+s7lWFb8lr+a#QFIvvQjF`_`9$2y+2BuRrG&LtI&G|S8
z;GF|9xF79+%9i*7)E?(UUKAngcq?Tc&x2D8<xbwvl<FKPPy-=Q&`yO^+@M6koLs%;
zhj4vR$hI>}4E?E{Li1BLsTDC12X`IQ@7}m!{Wb&I+`KY;6M%d@gU0(AY!Qo~Gl$4B
zHVkEiz>a&Y(>q-(2TL0;ynI_VJ0bPa($M-ocU5e=px(o01=n*dWN7pi+${3J$lat;
zzCl}I<wCM7hh*XV)m&Q6=3=wHWgPm&uJ5m1U&+G{8*{mF*qt%#7k4BcI(PbO&4K^t
zkm?5DhP15c{&q1iaoJ2DfG3GC?x05WLLABZV1>HdhE$|c%T)G-K)s}KJfmOzIE8~S
zh+~wtSE`3_u_S$Y*G&2nl-$5^Sey#;TuCE=ezRK9OPJ6+#6M*IGCzog;Haf1Lr#o+
z%gxYsaK-AuwksY8#iZDOYJc>BlTa29&ObQsfbUJFXokh-4qkoAbsq~^_u+~R?wdxv
zQ)DdRd<F9ndd#xJB**iWHN^i45zKXYc@o`8GbQWN%-dO|unkoZ4gU}fMyVih695JP
z4X5i6x={0N#E<IzkH!Eiz^iY$EJi(6?&MPWrP4bpXd*?(_(x<}bu8KgV3B_*ji~8g
zs!4^-6%3mzwF?{%lMyb{RTY4U;wY0+wV3Y!p0_l0EqTawHNu{|s?K45f#(at#8$1K
z$dD?H%Ll7r9*l;Auo;}7j3PAW{}#*>$mIwageUTQr19(*1noh@pq~!aT^cX)z(Wnn
z^6R>T=T$zTr534o7u}<|m743c8~T<0!Oyrf{B-Qq?ga)-?Dv_Y51rGcTv|&l4p=5`
zjoooFBAA<jOV$inWzO0x=^ox*H~IREQfEueb!I+iuoe4U$G-lRLo6YLkJZ?#kDnKo
z{C2`{%_YTUfUcv%NI)#nLpY)Q(jAv#)FY$(GP(cKB|G@~TAC{Y&}41dgVI^F&8<Y!
zRmAan_R*Lk1NBfo|KZLGvVaki!@g8#tPkcf!xi?;RVJE0m12c6dv+eR)QB#t5LDA<
z(B>6uH-_o$0=&l<Sa)UTP2cZg765mjL|TPrvp9(?C(t*xB$|I)A1nBTtyqYfgSI2&
zW><0juFXH}(c{m$&nZz`d;QAmHzV`<^s$=Qy3LIVwT8=$9J~^WOU@=_W}bB$J;uw;
z!JrZQ;{te$mbPWEZG!qzXt9)e#o|oWwwu(d1O{$MsJ0^iRC0zP%Oi6^%JL(n&F1Wy
zd1U(O%<HjLCmxs&7J`QQjCHfK$+Rt+QDS~OtL*XvUB$Gl{+61GZnmR(PTTJgWe0?o
z(JnSqdgxl*8$zEUX9ivdXP-$-zj)BgeWHWgcsI+%38C@lb(!@ufNeH>QrhiH=i^gi
z4Jjk?M-@&s*Hn1B&kREJ4TRc|qKZu~R?()a60x|^P{%47PvbMn%kE?hVdL3&#{u6P
z)V6Rz_5PJ+ic*QS;2Ah`>BJT0_GDh~&DtuFc~ja6vG)_zs+bKuP~kqMJCp~+<<OC0
zSQ%6Goiux*y=AJi;zDf7*)09N1cza*nF&*}DQvPqy;rn_#2-;i*B;W3;&btW%9d8B
zOw;btHozPoPUYEB;Z3ShHN7wFrcI}*4SKMnUsY`QG}bwctun`FT$5t2StJrX5jT%i
z+2R~yN<N(|GEJzU?RW_hnu4@qnu!h84qsbdN{vg)`S%X7ucdKhomE+0mNgJq665Uq
z3^mZqMln&xl9K$6d3*T<%$yk&a27lWEs$agP?vV0ru1{8vaA8j)@kjm)t&}6pNbUO
zN6#Nm($~kxZQ7=9N!)hMK=WCVV$woS|CxGq5O9}{TsOU3LlHHlVrip+4)@5KtTW3i
zD>H|nYio!8xb|Ta@wMlE1*UhM1szmPddJ)<vkOh74mX*V;O(|<otJ^ygUKchOdbIy
z_n$P!cCuv}n0!7JOs<XvlUsntlZ`x{{f@_`bO&s`!};vZ`FzdD=d-EeXqnHZGyrDu
z03)xX!Rrp-^$YOYrGeMpMqUGROGO7psyH&Wk=L0<UT;WI;Zw;Kyq<*5t-M3(JC*!{
z``O>e!;&#smDSbY^%yqVzIQ(Zxi*S930}`X=IuQnygnHaV*smUUSBS!=<-s|>wCH2
zwd2~EE9V%nPnIYyACEhp%z52^QZ3nLY)RUI*f7gksbX?~yPu13TDzARr?nYvdMNT4
z+)<vvoBuI`JHDI2lQ4sy@EJUU&*0Xi`~4|@HDosI4m0mNiH@jJVzTv>@l&n3GLueh
z66<bI?@`%4E2i=%n6*ENQSz*XJ(14&36HZQF`})6^UxaA_dvYcO<PVwdF@2@eBO?j
z#(IRYHUB+tdtIlo`IK5@dg?Cihn2SEqUeSdiciVpE7Xj3Jrv~`;>%}<bQ3d#FF#KF
z!z#11rc(2ptWU!SyfA*i$UE%Qe)jl)M0`NiIeb9J_w>8T^qW!<W<(MH1~<$Id_!)-
zH=K$QN8%eysUN09KmHxNXxkaghz`KG!<?|1#=3>Eb>`~X#yOGB=fv)jD!2FF5oi34
z6&FP=X_6Zx4G$C5qzVtmmQc_DT;Kw`d;ox#g4mKO8P1N&p&GDiQpP>Vq5fdEy<^`7
zIkfC0mqYjEQ4E<FX6^tvwCvp|M!l0mW8N*3F4X1?4ECk~!5UV<MUgy|TnO30`0vcV
zVlx>|Ww^xHRzSf}6njvIGqturF{Uu=eV_hxlguC6<_(UdC*qCcDVbHe-v?Y}W*aSs
z{xHGY$>pL$v$)vgsH~0Vr9ULOjni38pTfSew1$pCoiiN<4VmIRc&Ov~1b4$sJB9Ow
zq8YC-IcZE0-F}Q|gBT=Zek|%Kb%i#3qQ0NPjuMp2xroD>1sptcFlPT5s7LF)*4caO
zm@_0Th|Dd(1-hy939g!#gFLg}sxetxcQ0b5vwc?t&odmLNebF<gWZA?<JF6PisNxn
zdoSv%v!`_FjBv6;r=5#)H@Mj;TrU>Lq#$@#N<K{~HI=8W9E0xlg9muhVL9SDGjo_U
z*U8O5)3=n}c&v|42%2}Ca#eA2oT5kSvBjBpV7u77=Q!!GF#J%Y?eBP-^x=l937N+e
zu~H^??>=pUH8?BP+;}Iucb&u<=t_>}8TH><(M=`pJ4Q`s-NV=><5I|aC&KY%O{&YD
zKekVwc$OZk5>D}OxvxgvVrH!ejczwG(J9S~E{WrP#@qJPwSDwGobWUi$x<Wj;L}!T
z@9GLKCSAFa=rGP{p{uK#B_MFwRqdb&mu}|AW@g41e)6dD?x`Cy)#ZCjnWJ{sD7En2
zMzNd<w1Z~nK75pZHNQ4vIMeSi*v@kFpRNyJWuS?K*Az+aUEVN@HobbYFWEOYt;qCp
z?&<V+19M&dy;UFmOt(X)=kr$-?y;AAZzAwVekh**;e+_=zaL0xO5!!M5;j<S?`%fN
z1Km~s*csmQ7tQgA3OciS%Z81cEjQYGxlURDoI+HzApH04DIxo-5gN%9B^^(E2H8K?
z_}`a))HT#Wq=!vyRro*N(-9PD8EA2zz7RFA`^o87Q8Oa}$1P`~PMkMr4#)YO@bUKZ
zcem8cm=on6gO`&>By+OZ5Y$lR4c=km@#M2GNv)V9gw?A7td}6odWevaa?5oBAPWuj
zS$q{>7<!UZs0#3bXw=)=pEtUA&I!5Eui4b=(ptIQw5oXe40jSfY^wHl&iT{}hG`cR
zbLP$tbk&dbxsde-^~haB-3-Ho1FSjgWzW9SwJ)}Pg>l^@6`|XF#H!e1`nSo%Fq8Xc
zFQws?cv;yDX-O*n8!)p2cuKxB^bgbA4EfjNKTOH;ve^S^xQ$$v=Va6886sIVC9Mjz
zAJZ0*=aREKFOq+tp$2Os*EoP|{<9%Fp;$6EP0lu>F~wwomwfWyG&I}nQ89gj>RMy|
zZ|_P_D*IM0C}*G`a^#|9H=kFasVe+$5C!C#CQ2>M5-C6{wal$=i312n@y}s$`ZtOn
z<P7|q`^}$$g8Cc5+n8ZK((D`a`4pr5hEgYeV?I)VSdm-mX>6%yZhcR=B|N#<g9%7`
z<Qce~TH*a^0xdMdN^GUQnwfU%mP7jZ@eWSIhi6W^YEVyP7MEcS_?hit7Fx;ga=o9R
zo+uSHq)A2Z(%7;*(|V^ro13v^jc5>cO0FTDAs|t~VM)7tu{L_vhIKz%!8C?|S-4XN
zAm4Nvgw?Qvjrg;<X*H}dZ#F`E>6ij=rta7mJL{-(9CfN7jpfv1ioQ(e#9FfvIyNGm
zwXOkf;k%mDrPS;ZYNESzNWKv|8sS8((ShaE00p{>V~9zoW1ZbuCy)ZmB1^2>PSGOk
zOxIQTwOeIOsYZ&HM%KMzBb~|oukFkn+{zNEE|cm~EzUk(ejBR#Vw6cv^%LxtohUL~
z+m>0XD-4dAu?NR17xo-DQ&hS-^O~+`--&F?sMP7gK=*mA4a0WYkJ4#gxi4`a^@F7Y
zpcYGiIOslmbh!O6UF*1cl`=gIebB#dEq|<ebsBwK6slrRy)oPl&nnSreu|HbE7@q7
z2`Jvt8yCmLmF~>Ct$X8fYJjDy^9dn)pZ{2c?HY$sy0QCxE`$PQbVle>?{TBHI@s#Q
zF7vmu^v9vvY}T{xPt#pgWwwj;)Ls?nP~D%3@yNJA4@9%4h~k>}XUN3&1@{qDjk73u
zMPR(-g!d)sqBc)*ohbY}q*0zUo7ZSA^`&I2!-O!CJTtPC`f6`JxY;W{dh)Xu2_Y%1
z1H#`boP=;-Ivx*kdEqvxi$dM%Z_}T`Op3`_C6!XEH8f7#$`kpKW)b~bgmegyR%;a4
z4qC0+N>*#gidwBgvF&T{Dv(*RR@)ULl++5fY{wPWnG{+i-&#^mZOemi;dbp)T(~A4
zJsx-1vSu26w)i`pYv97!ODy}Qvwt0YsH4y7yTSf>R+3kFHtfXWBL>awOVMXz3&@(C
zLZolq*`v`p7taOxpRr8HQk-_TKVhwJ=U_Y1bC3U_K-gH0^XJT%2%9GQI1_a4K6CBu
zJr14mwsf41(<j%&Ykm;#o9bEznI=+PcCDGzWPrA|ZebsxXZ<j3j5N$uV3w^X15B*b
z+cDGzs{KH4|4H5l{!@p4hct{tIHam9djB?w!dWS#c65W(zDCo4-A*15;Ia6rrd=p1
zt;0JbS^Q!dLkOF38SD)d7V_{$k;cX%4Gor|K`y9oH?;VIw|L~AC5?^!!aM%Gp{;9j
zpAzqrS?~ro6v-n0+pE<TnyHAw<fP3Lf)Tmw`wZ%!dorS!nGCn}v2(FZouRmRKIu@J
z{zjbh#G&>xy=)Cz>1#!im2zueoU_H&&(y|X7kal_@T~&O*-_UN%d}}e{@JaP|2n0j
zcKF*$UZI$JI~-8JfiL5)Y>a<aiw=AZkF@#gE53f&Xx2HkZhNZfvrEaTX3zKn-<HZg
z!K(ix6{h&5zp}M;+mrv=jyDAFN>Yo|i<xG84bnEqf^E+931q=10)5xCZu>>K=#IJ$
z=$B4w^CgXuv<}2clT(JhCk_IpLCQ!PnLH#k2pMUZO+C~l2pHS2q-U4u)a73jP193f
z7fWB}i94QYuf`oe6Kj~4q*&lPckxX9aOcYp@22P6K6gCCKgw_}UUA09<M?EK#~#CQ
zdf(*U_pfmGViT4`{u$Kn5;fvY(RW4Et%ywXME2Pq+9Fck7OIOcJiIsdd|v~z6pEOW
zmfGbjubc~-HpMGoJlL(LTe0-jnUb@)=S`0$lqX)lSdw6d2c5UHzum9Gs`|8dRjby$
z2Ov)Dr}qcEF~m0NGp^|Qv%-?v+M>~2I*%RO$1wbwHt|NHaL!7RBDmBjj_imydQ6u#
z=fF(MAwptXZOKXHsol$i7A+0+GpH-2?xkc=YL{*C`YN^0q4AeB>93_vv{z~8ui0#m
z-AjRHvz^);ez$XP)$f4xjZxtd9wf73n4qqtx2b@DvnX{-wYYHkdCoPtfm*z)d#f!;
zx|o_0aBTJggUeBc|DL7059to=KY04+@nuU7TSmt#4lndP;GwsfF~`CARKTeaL+V0B
z^s;@c{dECLLgsq=MH~&V^!8B9I~Bj=qMiotF_JL9frJnJr|;(d&rG*C$@?z4rtv)q
z@;SZ#D5|NEwn9-%I(snsgu(l)B5?7Nu=%*mOf0{Xl#qIS|BB!PhBL8>!;8HSy6O9k
zv2N44z_!|;elC5Ix{-GPtTMTS@~iauHO={d^r4v_qcRetIV7oAf%cj3bM}>&FYGRN
zFnlXqMI;uQdrFyq+GCW}+*!7mBT4Mr%hVxfS`O{arCygUE?p(dVj7uFQ}Z;nVNyHx
zt@e7s{&RVTMd=Fv>5~@&9eptS5>9~*w48=wPaa8QpW{(#FV=L#VCyN1<0=ms;>lSt
zMF?{PJW9-x`4L`v_UTae1s-!|hIPwyEWMZ<9Uo)4NkIFK+mrmW^-sw33651Aao3?^
z)7e4*Vhv}9*)r<JzM!eR+7ddfb(?phuq^F)Wz@m2xse86)<ZGNYu=Lixb|HbkVT*I
zPYBDQud*yIT_II5_06FE@+X)DX!A1nL}wTlrYIJAIEOjw0kQsR4V>3z!_3f8AL@O-
z1N4Z`$Bl7tUVgUfpdo=qDkck|GX24R5k7jR7|A|u!wDIbKJ`lKg;VjTjPy_2cGmZj
z{^^s4IM5x=J|lBBlDT0w`i`w;9@M%O4ds=VQ<&Dv|3von<R5QFMXZ>6(BQ{Jg_{>Z
znqlbS%w<L{wa=q*L8j-V5qR>QEgYvA3Th?<;E7t6{KwPW-oim@ulO;qzi^DkDeRFq
zPQktwj>>;5#2?>Iye}+a?G-&IRSDN}wY)T%;3>Fx4HJip>UpXuq4W(dWbfOk)ay1B
zNnaK7XI1MSm~9r-3!$AVK}$d(^(loPLIAlHGB<E%T`8*))K7RdI$Cb_ov1#KVxhNa
zj{GQV<35!-3w8e$dQ)-@%2ugeAE?l(*&3uZ-a!81J(c>=VVW({jWH_qOi`V$>L;pq
zh^JYX(((eS;|<eG52)k;f=Fj;JK0uZt7vkq?C0kQ>)nKXX*001fd(-*?YYz2b{^yb
z4c9DPyf#2@Gwtx@1=!jm@BK=hbTqK-E7p>=YS)$xWSy$o(Z3d3_KCR(END!QnVcFN
zQ=1J{sryijXnL!L9E}g)JF3*(aGYg#-IS)(nB|D-m!j#9HMF79tTTu=+fXHq4MLQT
z$#9ZtimRvLQiP(9(3c%vJbt-j(0E*1EWWxdWAWAAbhsH;quYuWN9(@82HYPp9IQok
zkczbeFQ|WwS#OoP?}qEr7p11jQZutPDm5REf&xc*T%rql;9u&VG8}LGT}0%SA^cY^
z?FA?;VlDlf8kh0dUoWS_MX>-S@BLz0ji+5^Emf25wH3p}R~!r2y}l8ibxA1ydyiKO
zQ0iuu=|g(POQp~^C{=WxOk!bICcjDHX+_#qNW7IgT-<!CyV!%x;^%~C@UUq#nehC-
zJQ0QkR87LI#il}}AX;W$)F2(II2DbAdv~1n^#jlNj$IX?_<eF*skZlXPmjkv8dB4f
zOeIYo>hn5td5d3Bl<HA3IVWonoyn=_xOhv{uzjKiF@)cf0cO0TgtO$rzkABm+)Oup
zm`YBmXl@5Ii$veIWNLq2F^R3!`l{$FkoQrET9oKa=Js>mGE>Fo4j)QTw<HTR^U0Oy
zRL#Fzs*Y0s3Q_YnP}=@2H*qKVamI!Wi$|1<yOp6}#ho)B2;*GMNFtM@49=vR)LQ)O
ze4`e~_q;;GIQz<r%y5IfOAOWrEQ&at6qAw~X<)XPIk?xgsgF?93Tf0<L5@NiYpXaY
zcrBbY&5k@owo(e$M&?FjAIvkyW!I#LDUp+oecz0A!yOi$+^MJwCJA-jP+XROp1O+G
z1sHUy0R-pHTFoD{m6G8}ADtPU8=Y;wnQg^x&ZaU~?E|5lS}15JYe9F4*$RN(Pby%O
z1k~tALB)*WfyjAGmgO5RS0vodr2dyJ$h4MbRybAx?ZC7tSqs$UVcMIU&hg*x<52PS
z*Y@L1LieoyS*EnaKJZc)vQ{ytTv<!~wABBevN~zu<S8CL-x&t6H9*R@NMIJXA1gI~
zKFyeCV>NkxFN4~LCaCghOb&gQj|YxH6gi7`RtGniaqs&YCinH{)%Se~=u4<!^R@IH
z?_-g@{T$zJ=wpSJ#-RDSry27njGF8ZpVHrPKo~M!oWcSVX!v!h?F}xph7_8S8w=E)
z5RYbE+nRPF;lkH0846Et_aFy-8|!kMpEM~cf1Mn&#5dZIdP#B4)9&;bJvIc>)@%^#
z^`tX>vE1M>SaI|t=@}$F?qU3s+NQ|zly#~zMf5&dz+O$2lU$^i-9<T}^eqxzkzk`*
zC%qk}GK$_?sqcmFR_RE09$oC029b=Xc-34er?6v~_v^qjo&km}pvcV+G{0}gwOmgY
zI$lf{7vha1<Ou%hjv2C%i;-|Kii?qrSl!_wHN*1W2$_M}<Bbk412L~}L2_*5lH+mB
zOgj7qQX>%)VI!mlQtTi%kn|RN@;4||^%jJlBf)GSJUy$1srrJ@!(6H+KvW>jN|qJq
z8nWVX&D%nr){0Aujj|wnm}6H%UOAfQ=$FxES(d#R@9sQgEn?Q^tW{jt5_$BvUc(AF
z^*WGT^&isZqvVgIi<}DS0^z<o4_)$Fb9ob7zC5n6mnF<w6P|G#4$UTzGJl3a%=}?e
z+3*Ei$h`Xq&aq@!%Jh{(8Oq=H3=`+y8LF(5w3Kaz&BbgR7SOB$h{}$%wwP7cN6;3*
zBf!IDif&TUyevy_`~ySre!-4#efoQE)^vgDqup~UpE>~cmgkLeLuKvcx${JICCei7
z{&8^Mxm;8C9mM@c=@)15iAtV7I0+Y$`2M?*&!O-?R4MSFxJKh|pbm{KJXWsB_)hH3
zytSIYyP*Sl5*pi|$tU6y)uUXLjHSb#<(faycs={N?lVqW0d||r`>S)vuiP$2^NR`3
z3o9pkfP9!>&#4b9K%wxUazxX)PpfXuD%U)wtD)Mmg5zi73>3&F*is{=Q7#GeTH&r|
zN}CECfoiUo@t09Avtoh+PvSf{_;C24Bf4Yz51ibyecig9miw<DMs4uc1$tXIH+zGo
zEPP}5W;jhf-WIfQ^8!8V$jsV6zI^|-Beget&^Kr#A2EW;afQ$D^AW1|ddLkjxv@`0
zZt`3_&z4>$_%U%M1^z`o0I>0?(bOH|`6~eN^7dlIovntcI}}q_`q+=f(PGx6l?F{6
z-4ky?wOLtImEuA=3;G0I)oAXWk-pU4t^cxyR?<ecvPSw6o{29~;DvbaAt1wF^k5s`
z|5W1f1NCB!fw*5q8wV(%8RcPhW{JnJIB&s&KV_Rris&me=j7i~JqPDqa;j=75#|%l
zPdo>!&Rkw1_rUtM1*r7ufhcFx+hEP2jmEjgHo9WL-ctSg)&kD;9VlMJ%Dkm|nrh5k
zk5!Md9%)$4h`t72NV)Z$g~ni>X%QeJ$O7(4ol#Tf8T_hBkVs128>V(J>OaXc4avA%
zlbyjGfk0d$<Uxa?hfm2?dCK$F6@lI;Pvj%hybyXHss9Smc2l{^eIWG~!~{~^<!)Tb
z9UWj$R^fTU8pyHozeXTvTZ5)}3T!g|CNce<3Z9APh&0#u4^<u%$ybH<R5fzbC~}>;
zL2wU{RZt~;hO)a^ihO$67~%<~W5@)FgN@(D)2>T)L0}#TlCyfg($e8vb{Mg7|1Chu
z!c%gB3S~f=3rNF`6evn|7?7W08z|%rm_DyDJ4Sl#&3FYHh7#0LNh6-kOJ{8dDQHb!
zc1GEDvf_ijOLOr-(0)&<xDYMF7VsKxG?rng9vL+*=*7R0$?rT-rgWxA_Nan?7GvJf
zM)7H?#p4RvQlXhnomCoNPf-)OT!lc*7+>V_3G}#PMh=Bn49n5jhw(BVVZ2ZnFBM;=
zMQl*$j&@;~O_5m0QDEh(0fADlR~z8SQbBDC6Du^k<$4jk-cz}raRAXiX4m5igp|5k
zp>g4D&qI+zyyZFggeWleqqgpnNl^vj_@Y=6ik0$W#xaiqXFn?V14S<Ts9-S)YEH}3
zfSU#fq(hD>{v%jA)B`^tDEo=5y_AOCHQy+!9t1%*4tk)u+ZrH?Wzre09p5qTC=`M!
z*MEVd%~q($TOVj{qRfldQe0axUlxE5j?&?y*g}z9&va5Ayd}_A8!2@Qeq2rMC(e+f
z!P?E-=lKnpy!lSW4nV;J9V63_L_-Vjey8%04r6;mni@O3Y`v_+lY$TW@IP}t+O*`1
z^d#;FbS2O6f#&&2kTI9H{uy?y%m;h;uC?cZ=0#X*RcGl4Hm;Xp*tq`S8`sOQN^}Ab
zTPPgwNR!!O)Q(Swmbe5;^Ghr;tLY98vyg`Cq?WIKqd{ds`JTy!t2aENCy!N}on;>h
z8(y}R44TD54q2abu^ev&N09TrIYkQ3#B2n6W4-7E9vByt|8gNVWPTKa<FIpz;F$2l
zbRDGIEbR=B{U`kpF^tYB_WSH~o2FwL>wz6{Zf&&z8z(+45I2wan$n-eY$f*0DFtvf
z>qtwA+3x}y()K$%J|6t4Ck;2OFV?az$KQYx%$HY70je5T|COM2QQ?2`;Jc_ACIfiS
zSq9!eu)D3P|L|$geD2t%7&L!+@a=5SudS$+<&8$2Z12(+A6b!K*bM4ycsFG7X7^w&
zCQvwU>#oUvHC7RZ*6y18pPSSCX;RoQ@%SG3r%3@H8xYCo3~zYhf3>>+%`W`Ev|2Au
zw$oe%X=zknA3Q0f9<YupGE`@eC1oEoyiK`UP0jyl^Y(kv8b^(AW<3fM`hWO%EF7*{
zJlGA@V)p~h8%+LxOD7u*`>!>zq^<>5TIyw`g+4N!w^A|ekD0O<tH~rGgWJ<bsAd>X
zG-|T4i5*B~-9=BnAskm>>miH66P22bp(>mDa9J<$Y!G|Lx&D|(CUQH+>wO`BKV->T
z)B+ecHoSl)By1>N!kMr}^jm|-23`+|vefo8#{QH$3#3TjO3j}r{5vzLA3I+BFLQr2
z*S&ZuUqm0D129qE$#@p@rjK)cxbD<PwkL|DuEiF&YTgu{s>S*Dcd#fl_1vaVXnuda
zEB{)h?nk@mA<>p&PAKdT`$Q({Qeva7T)G%I@0{g@Y(<Rw#8X4`Er(9(HT25tn|_8O
ze??kQY_Oxw+1+Q9?UWM<u9mKo6q@>rZdZM8t??M#?5L^_RJ>wipQI{`sD;BQy!Jb)
zMsOYP-`(U7fo6ECCW(Z^cPARVxpLSC;dyyY<Ykaa{JXsU%pQD}n!G;+`Sqit5NUQ(
zoQD|0qPvw?JgKFN_W_#UEL8g{zvN!U)O2Qc!~mash2pNS_2rIw)}nuZriKV%Rkc*C
z{52z^Hs{=Y&qzxKfS+wH+_S84aEynOZrWTgJ9n?Wr+qAEI4Zo(X8RTE8;)HtZ;S^o
zKTwPAcwz{n&5a+&SRmC0N()Va+sgs^QneS`a^LIq-;N|WQFr5UWgANIz_K~w^uPMZ
zF=e|!<KVS%gaNOnpK<{AlJr+Ad~!Fgbi6<2=~n+Y9yCJHTb4?LjAuXSsfLzOlT<uC
z9`vp&Hpo-xzE0svO_U#>3>}ajJE}f9DGKJ3>ZQna(|3nQti3#)UdsFPk2O;uZ5%2!
zcRNE+lySZKZiD%A2iw(4@zpODKi15{cIEf0s<nh;BsA7I7ipn%I2=z~QSB$hmV~bU
zQhbty^Z+d5z+Y9;FId4Z#rynV2dT$#vU9RhQ-|VzOHUiELe_hN+SHkBLG7oh?^9;*
zd5ylGTuwn<e~J?q8tc9V3G+p`H(;%$aP?>fo1*oVi@qx;lQ~~3BAqtYA4kFb3?_wb
zYbX_y_O6`V;GDVuY6DgF4D<8(M=O<@H=V_}x@Ckw@-JF36Cd$7rY)^ffyPoYxyeuA
zm_7Dhu)`yb6D}6QDW$XM1DM9X;_(I{IU@*Jmy1Y)>&ZJfcv-4n7!YwfCMqfOxS{NP
zW(u{?(dB_GN69|3cONmrAr4O=DW@;HtYrPGC(^&xSuR*G+iMEWU~uyyf^?k!CEbQ^
zfAWvw{X80M(A>j_rL)05P9zn!xc_?@c|!a@l#?eC%5g2d;p@<G=7)}J(Q#%&$HtFF
zX|D3Un^Gtqll7r|Q5Gu1WHr=)*p(++Ojg5eJDv5x+RhkSpo-`0KEpp*W;YtE{m|C0
zXsWiMC3zJ7^LUdUaRv21&OGTdlvgBTG0113$^0y|!dk>dAPgR4V6M|7Om*-VIroq=
z7go(j=cHF8t>ee%rpF~MOah#v^7UmrN^K#12VIb-p|zY}_SEbJibroKQnpe%V_Q&L
zaWf&bhY&#et0bxIFtlN`d8iAFo`#IX`nHe`a_blawC)e7(;Lv+O^s#}y5Q_Sol{v;
z1rrTzy`@j37F^$KFwg#Rs!J23=pHI#5@eh4s28ZAaot5@B8&i>3J5p=rkPTT@gzk)
z6^3ITY$O%#w|0P_zOp6qMX3c^V8z@{0>V%ko6paCyf@Hr>jD@F*3^M-umF}l0OL;3
z%%w&^%W3@Z5@htJJ>wyoy9k;C5Be%=fTctB_mz*67g|}(nES0keO9$A^oB>EG~<R0
z*|PV6CWihB)xNlP56|iB`rcumOqk+5bCyBlT+qKhqDHBSkt~!cXL8RZ>F-{0WbIf_
zkLfdlLpN^?H3W@Sgdd1r3y2dR*7?SpK$v!SWpkB0|LU&&Ij-QPLE754ev@)S=p3iu
zrCYWvw_G}w5LPydbuN}RyfT%I8#C!&xLmz|_R3>}bZ{_Rt6Z+CkElRI=bTmfYqRls
z8*k}o3cI4%EZD8^nZ0cJmd#<7AvTKD5r@}A>E*+8TyBs#E+34i?5Ct@W~Z7;)6xYt
zTJqwk4WsM56b}z+@nAiN`k|d1*6$u%N%*zLKgRIGVFR~kanhiMVol(9FFdcT!OP21
z?4~maVQt42u(84uR>HOHH*i`U)b>~T5~3YW4F~_)8u2ho8g;NiL?ik#|IRNj^1sJR
zurF-}bu{qnl8-J)6u5#ITZMauNoE@w)d=_D+<j$l=AkQi)fYKopTofk_u1iQ2%F2V
zA36#jY)gKZ(i8f&MLI6}3TcxZ3S3oO&+!fl=zA?~Dqx!gDBfDGhyRIC;QZo+I;wVv
zJvS6fUlk$r_t!l1_t(WNQNXr0jbY*`D59v|bh?1Y5AJx{?E_Dbe_WA#v{cnEvfx->
zXqr|<z00UKF!GMkUTsh7sqNQTQmpdjngXYuy82d4e=JCUxz&=zD%)?hzVxGxdb88o
zvYP_6-~OzOzR;0Hm)orUHp`ns;ilDob(dkxLdU*%Hk8^UK6j9+1RM4ELOK*=T2Mt_
zRnS*>#}L)Dg2oH<^|rfLc_dpcP!W`!rqAq!eh&?1hm^gxPEYz-M@<GW1R4M4?s)nd
z_)upFFmjJBHYL|9+^>5Qf<aE88O6;vEAiJbWHkrq);~{M{x=yz!w=)EU&^h)C4gj(
z!;&JAGXHTYRzsursiY^ytPJ!FBtFfPhR(})=aug|FXNp*X)e@Rj6pl{McwQT@)>!@
z>wFF_y2nwVYy@gtlZqGfCf(05m7zWCsUz26Pu0{r;}ra%@^NZ_?bzva@#5IH5VmZ%
zAvGzrI8jOGYoSEE`W-$vG!$=*=ue6Oyn?W}`HJy@9sF@RIWr*4+|N$f!7%uPq;A^%
zRXZ{ws?4cveG|484)l?i_g4Ym5p(CP%7O~+;z3O_xKr&d!vhyG01lR_fed;Q{>8(w
zR3_vgc&`OLxo6L#ZgZF^;qjGMrOwILd*o=dq~dUCyHpB?+`@&GdUezWDFV;QX^Yuv
zQ5_`}rdUwBTMo2k)-BE9)grt@969(wyh^<x^sXb1gKS@FA!z}KMr(n#&GFCdakRw}
zm4VDOsP#hlsqdwD6`;=mZm@UFzJu%Gp8nzf@xQJvKP-xm?neJP<!P1(+=OwO*d-k4
zYy^<b*6fR1cU-To4y6`0`E(Gn_#1e`P|usxvl56=dnrQOXQE4+b(VBc`FdU6^gg<J
zebd^!<ky>dXx%oOC#KZu;6NCqy$Ou7N+osJ`nZHX*U{(Sm9P#R<LvebV4T5Os>7P@
zqq%3y=Z{7c!p&ki9LBg#!5I}WRrs*V7-wH%MElg^(nFd8{WusCab7W;qd3f&FJ2s(
zHLZnMw#4{(^U63ftD+HAaGS-vk{%-~g1d(M%Xt>>^0?wz*PGfQun>IDrl3rH1a}U<
zC#VbIeFZpl9pF-?*N`^=LZ>%{_^=Xt(G0fB3f|o{^<QXdd^!1uKvucKy}lm-wCker
z46@#ZW1jUu`62YHh)6^TONufJ<!L?&$(@k=0Lha>Z_t<m>ds#>L+E-*QQ8sq0j@5F
ziw=s@XX7F->3__b*bYA73#=&sp`2ISPVTC=pLrz4TYgy^ch$2@Pli7pku42w`+|Lg
z*A8p>zQ>P+yBN1VWer{9Xk|w+O`E^OSqTkl|0|xBHtp7rwE$9?Irk8sgX7Q|ys=es
z7xAvUe(Fkk{SP;^UB=^vi!83*e)iKf$Sh`IJGd*t9fSMsSID~9G`ott!Tk~N++w2z
zrtIs%gaK)ex8Ne)nfWT732>Kk2YiuxEe=KSzM<EwnEc|4M{5lan6-fACg1D)&o?*m
zD~jE@8`Rb-WC?p`crCeCYX;L2@m{iz6=29lPG8_2zHIa6m4G2z4iBZswR;b*JEXsN
zCy4+e)jgG&xzAs>1{dgWL~NSW2gqcT-ZMKByuJiLh@2DY$%gkAWgTn_>C;sP3MgO;
zgg1NhFF)3&o&D&>Y&5?ygVV!sX7zg)AbR`{ckS5r{!_lDNiTp)CcV&}h&&V>O?$<~
zLB76`K_?6VDf`bPj#yUzLMxwRfArjd+(Pe;DVZ8bd$1QkG?><q!#w~FLOQ59MwvZz
zRMO`UQt__Mq}K)ZxnVSB>0vy4Z;%#|Tv`m~(jw9*Er3(jvJ%rbSNSx>Z`^1n-yWDa
zn=$7H-m<@ntsiS|c`ffl#w!bjM@cAk#N{RLg5#CRy;!0b8Lw;(Tv6r#udGcy!th?=
ztv*S8*J>8#iadm-d<b2EC$L1UO!Vt#V6CdDm6DnazsS_`NLgZ};#Fjgfr{EtH}9Ri
zWTOFR2k``CvT_-j3=%4YOQ>|CgnBELLv|i*SoJmc{x%uMJ%cBNnbh(<rMIvJ9@f{5
z9^yTv2rffb$TDQ<h5{OQ?OC2FwWuXK5Z0n8b>QEaLW)0nC4q}$o{@bXvwzvAJ%g{Z
zLa1d=v@|Y9`6Ok5_2_By!LvlM&4x<p)4QQT$F~EYYzdsjhc|sA(7z;0#rfTPjvUwT
z+`3^ckgE0`z)o^)>#{JQlZ~72-6H@V<2{2XEO!ka{q-9D#v*fZ9z4c-(-EK-sR8Sh
zp`t-m{7Pa9RKy){6(1!mWrGxKtDx=ymM%@D!H`WdHrY~OlP#^m(?}VcY%s0A!S1nD
zMr<;h4L4{&3AMjVnIg6|+RWX>vHOUCI{Jd#E|XG`aqQ5pDE+qW8`g6~ExzMD;X7U#
z-|?QDRIwFzX+;^}`q&D^d2D}h!VVf+)UXBqZBiop<M#<O;d@~!lzZ+5s|n_Q*iZMC
z<~-ENyP^^63%g=4cEz+AnF0C0`r659E2VaK>7j~}xDWO$5C+%i=Hvz<ZgAR8N5Bnv
z$M*GbL)Mf;lq2~C_rms)#np<3O6m);V(~H#JXwKPwKui}aUfNMe|Q9mT|+B?Ny>{n
z65#cJ>Rpq^_1kx>U%wTPV0n{8Xz~%@4!BrXsxN@5e#SdB+>FU?x2ud>#0X3qz*22|
zFDy5*P$T};6fh-t<aO6TX^wnTiTQ^~2>;{_V8?Yq1OMb+SGJ`ckN^L1E6=@?J63k3
zMvL&|`=d8DtQ9_WL@K2P$)@6E8Ug1QHlhabE{fFl0!+U&_#Ka7;u81ZIZHUy%;NYZ
z=Y!+Mkl3sTvRRrUT<Eb@p&o5qGE!6ctT)9M0%i?Ssi1T10Ql8trVd>gx-euecU(Rl
zdUW|wD^fS>CQwJV1@GVv0sQI?eYr1c--!tBnsdM>!hfG%Is391kkP`x!FGIe=HOSp
zwc*^$+ZK=kJE3`J%Q!4kuv4=|a1AOmZsmK6iEr68G#|_Gdu%51@NN~h9zC%+UjHDO
zi;GUx)Cu6JgOizNrti8n{+8UtfVNfyWy<MR!rg>hn#U$wX)8A2a~QudiSL;3S^P8%
zid#HAfSd>uGgBZvfk%a>EtyEb%M-i^;7C*xI1-ioBH$*{&#I!NXLx_o7e}-QX^X6<
zWwF{yewUK*-*+#OZN)?pQc8xO8pjYgR+9`twU`U4WTT+cB>G8zAbRZoqG@fFo^MeF
zz~8TbuEm-1wZ-&l0d&Y2q1uw{W9O3$Df2D{C9XJJ+-%;CIT0R5E@q#;cBIsNsIYXh
zzoYl8sd0{J9_i-!2?ZC5b%iriN5EZVfc*q3kA1U_!p8k+lBdH=D_y_RvA-e1OZrZm
z7<D?~{62qQ*IDx%eJz)sS`i(kyTIPyNMM4?x$M}eQ?XHoIQxvLSu^1x3q+(4Prcfn
zpQ&E1MvNFU+6rZ&afPf*4E~ihW{rn%lW<T)EBcqAxY6io#nggYrd=y3O|^x=*ur@X
zT+5g<tgJylnNl~5ayOvLL|6-6OFWj_g`3;|p;WiTe6%b!rMybBgr-uX8?2o$$7B6E
zfCp(v^~>{LbWca;H@BMPJJrcDWxC?bnZ&4c{q?gR6Z?1Simuxk)a~KeYJHUk76LSd
znjfmM=B{gAAk^eR&a<0#$s;2Su!E#)N0Jh*>K=Tb(PosL-|Xp@NmCUu=aLSk=&zig
zH*M;y+3YjCu^F$VZ!Wq|w0HI#XEpug8Bc?ogTgJo!0Vx2J$M7Tz*Y{sXF(|ycnO!%
zv_jDMA!=m7V7dX!-qoxU{%gCG?E3=TFHyh9le_mHi28c7@PqIA>Avs)SE{>$(s_As
zy*0gmi-v<6zM<OJ&kFJS!K{B~M{mCsp$iOqsFi{ON&)J!gzZRLpg0_Jd{3gjG<DXP
zQ4TXlkDd{I%FEzxukc97@qD6JTZI<T?5ote#5BKx0^#Tz8LIucs^m49jLmNEXun|g
z90Ps3r8uinA9sFfz%fH|hT@Eu%W**2eAc2bo5hAc?2ny&V}W+W^psy#7?RJWMxNK-
zI6u?I#&xD0hE9W_v&U2WmKgh%IEvX#(~sj2Mo(SM)7jsn=%|vJu@-LZvlVQTxq4*i
z6=~oVi|n##cWBa0yE2H^4ctg7zjp7&wDa~S`8ZU>9=nj7qpKR1*Q(1fyS{dDvoHF=
zmCeq7%Jh-C{?+5*C9kQ7qf1(=qvNA;b!l;@vhrg+oIDqKy8FVF&6BOvj&z96PK!Ht
z@tC33w<N$u=P=!Sw556|47Ao)$i2Wcy@D3Np>qlC){gRwFDks4n0fQUw2r$BE*{gD
zc<L9hqkv5M1ISV|wEI1#>@sk48)i~$_e=VvWAWz<tn1n__Jj5AbM_w%Ft|D@=AKDg
zPz1*vqeqz()!-rK$(;$bx!}mEO;w7%!Y1H!`z6%dH#nHZesD1Jd*@&VUbg?>Vix@d
z{9IoZMyt4k8C#{$Tu-2i_YP*#YNNM7bd|=FJ0xgt2_ZjI$L+ACDs0j_k93&tKFcy;
znj+?G?EXZ3UbN5buB_eCLwJe2n7YDC&8J9G%AMs^MZ@nbmVA7)*E3JXB^un)6y9DQ
zOK0gP`ksmZiQ4TCdJC_!{he6HRj|hf=Q}-@oz6ycr!#u_k<%Hyl%39ymZajp-#eYr
z&u}dxa~xdeOIsU!$mk{aA?qz?!RrjU4Q^+>rLFKQ<Jk><WgBQ^0X#^8;kSjOr{Dq>
z3{9vtt%X|{)gW=LmTGcY4eU4|#d2S<*K(rtI=B8ccY|OSb?X`&sw`xOs^8qP{+i&7
zB#yqQ_}%DE)yN6bs*R4dO=pd3n3?QO#p@Z}sVv}5WtNV++O|4s<3x@7QX|=&s%0E-
zYMba-6L)4YxD~I|CRM6~pF<mXVc-XM)R0rE#Wvg#!$J0jsIQZK9qy{$c~P}#aH2Yr
zWw@~Ie2VT`@EM~M)$RkQ3zAo#zo^UFclezXm47#b!_GNQaH5*C#ADPuA1V)zY2hAI
zb=~6pxewJ{)jQ{@HnQ*3i6@3j;jwA(or;Z&edjy1IQG0Dedqa1-4l-!0~&m%0__d1
zYvxSXS?`~FA<XDI<zwrzb<PZ({jx<y->J#)@~{>q%@DY~Os<<uD@4h#4nsLvGSFz1
zWYF5le`tO~nQ0=D*WykE$$7u!rA(w%!v*TDLMj?jNt%AV5&Uk9!sC%#=S$0Z8$TG+
ze@60XW9h~!sdl2s?$C7#Q_=N9D*0!qNY~Gc^<PMM`6fzVX|Jf%_`{NJh;#<tCX*4F
z#TpLbGOc(Ww?brAGOf%Cv@$Crt!(0ND8p$T22zpwPf~dsDmGCj6~7y!EGHH40?T<5
zGO29h&q(H^@)D{DPAS_7O4&|MDSn2EY$vA_7rRj+voTW2MuJk7!YK^}p`k`PuYt~{
zOE?EMfXb#aKSO^LLpg=Nfx@Q$qz^S!p)z%$ATCs<?ICDuDpMBvvlz<hLY|7IaJmM9
ztbv@Wfgoxir)ecfT4|){2TqVVCy2IRqM}Qt=kn?M0<+ihc-#bG6e%+hUcRGMulPvQ
z_TNO>E|0VT;wbVz*vH!$dZ8-El=c*w-QexecF;-NIib=oAQV+(Qfd3oNan=y5-Mpr
zrxs`%81M1&c#j9cG@esTyFoJKw>;i-kdJrAXz{R^sH#vg2Prb0W?nM=LHfju#Ja}X
zh_rnv`_j!f3HzM)O^cWoY152Z2<$U>Nftu?(<taWA)aXzB?4<FjZh4S(C9B2(x_W9
zd?+p8P~Q8R$2HCGxtN#KT6l3i@j>34v*UIfHbHB+wC{LalCHu!y1OOQ2?cDNmUM;6
zqL{_gr~57#VX$E?TIzNiD(&rr0LMwQ77WLxIZFB}o1R`aJ%gYki!f<(FCIxaYw(Oy
z`1;QccGC}-TJ-yy?Bc4kQ6USDardTZ|Cz^WsMxC~Gq4sl{Rt4*Ak>gSwU<mmom~-4
z6bU%R&F<WV%a7&v<xFp2jf8@F3oX^AC|_hu0hoxX(}Yf_=O!64seLACvUpY0i^yct
zfR)iV6DQyrvddyS@%f9Tdzoa}Pz1%OUnVf6EXh8L?Lu}t{sB!dQIBkV1I^7fLzH-|
zz4Rj|PZ`LDwVnE?xiVy_@5*`lZjMENyt!O_|3XyoqQi#s35pYbv!W*GnW|?m{xSFa
zkrG5Tk)CFAavV5C1>{T)%(*}sVGWNG2O5bJp?V9+AdN6m%rij43eaFmt_5b)9DP5E
z%`Z35Wowq99Jg@6^mzgMVisGv&Q(l55x*c8oAZ#5>XTl$RZA8?%DOJF@8}Rf$NMR)
z1U8I$DAtn)Z+scJ)WDxDz$=!TAaS@fx{8+FHO<YVomW6-9xW2$)?}@VgFDRmPStE4
zfTi!zymLR}hGm`m8hdvgTXaPlF-$ptEt=O$u}+x#pf4@r?pjPE87g@@E_rf0K0@-k
zv~?HJPHK1R#P%zSq!AODr{KJ0>gE}i>jam_fFItk7=xNh&iS8Ywr|4h@yDlAqq`3<
z?AKJR`Q2V*X2@<d)T!k6H|a%X<>_Nvw{#jk1RVZex{^VC<>_LTFEe>Sx$wO7!cWh~
zob6~}2FzR^EiV6+x6Ut~Fu~Jr80sh~{*p8y+w^o1@xJ_|aoV9yrGLC@xrNiHAqM(}
zb<v(Ywsq@XLui^}ZRoOfL3-!e`(uL)PY+(J=I6Sg%c7{y^JSLfkLS*)!B7m6Ze&mw
znUo<$Qbv{w@G=H|EzUP=6}kK45{q?D#+<>5Y5}@tXmMhxEIt=xZ|CVh26Rp5Jb0F6
znu6Cs82&Nf!L!`Ux37AgoO0A)eNy4Q&m$sU7aM&vHSzS)fRmOn+(B^Kk*WHA;~mFX
zr_8&s*iZl*yWmsHXX<9p^PA#2Ju=3}(qpE=Eg?JL8YrAz7m;O3?GY@fJ(hgF^f@)n
zV&(RP2U-|9OuL+XazfOadFc6RNd}<$Y4dotP1$ya&*Vun&%CmvZ8mH(&MS%>e}+!r
zDH-xj*V7yB4Qzm#hJQvV#=(?c9O4*0Yw6Ul*9l86tw;>X7zxx@46=`8D5UfEP4`Oc
z%zi_Sa^V_n+8(q0%=VbCHwoLlxB2Yw#`RXSGT|{A8ZWrACE+fsoL9Phy<P}Q2~Q16
znLtaLO%^7wC1K9tF5xcdU}efm<jg?&SbPL1!fM(9?P&+vFBYy+quodL9Nu#R*2q5p
zJ%PIyU1g1$VRdN853ln)fk$Z9VntB+l2CuNwfw}2gDVbA{-fDQ0kIg|6>1hPw?|rx
zh87JLP(J~i?IFcj!Jes>`z)Im;*EMCG0RUaJ2Qn;_()*)9YRHCE{&?POrt2zEDAL#
zFOvlc0JMFsh-2sNX_gYuf6o=_!y+9PGxMnrUZuN$>vxI^>64c(g?&7{gBHv)Y|c}V
zg-yL@nsVD2xJLR%on3ZHAAX5?sn}MUAf5tU)~J;cbMVkngMWe|WN~1qmwu94+VvYr
zX_uq-uUvY_a4JD@Ajs#Sv%c>zo94}nY#-s|^RO5Lk1))G!KfV@9eL~of}?NuRAfk=
zHtaKD^JK*lzxn$-^}|Qmv}I<Q*7ptjE@>yszgSrse=+sgiSUKMyzQ;@^INzK&Tec0
zloSA>*-Bq+Qn9+aZ`1L@%d{}xtnmM%?MuL-IJUND7<-0Hn^Bnz%ZxJ(;*!L;#0?cu
zjQcKv3W6Xipok#5in1t*xZ{SX$f_(N3M%`epaO!RxNC4pG@7_1#-(O%;q`xe(8POh
z@_qMz{^yS=x~ICTy1MGrsj5@wyayj%N79?h#ubb6fF`*=p4SrJTg>cOxpHf;YOK$k
z@tnKFHI{KHf?@6wvbo@CW%VgyT<TS1ly!REd16)_RwI8M37N!Z#jE<tnrhEf8&3X8
zFh%UXdQbAcoqP7|<ks##5W7#+Sas@hT2yNIUaqbbM!a#W!hlpc&Tif)k7S>em0XNu
zMZ}7b0A)b@$^-oB4+aBESA+%nDN(xpnWc9$(2CzePAL}pWfT@=q~{;Y@^^Dv>gR=x
zapX?AQ88oj!JNcB`;!v5n1lnH_NY#aPo%C{=Ci=p4#U=g%#a>ZmG2>&rOPU8=XnJ9
zEz@jmWJsqe5?O0!-ND;Nr|ylclb^n)J4jXm`*caG9L;hKroydeWNU@i|F%&fpWsp|
z*{WzfRB(kOuclBUS-3XDCp>z~wzZn@In4Tf@f%W9^7|LG=_o`-{jn$=D6Aww>hHzX
zjZa_@2&(4QFxn9lW~><KHUpR#Qp3OG3$00ouo9j989MvGZum;#)|4=@>tZ&=sG`=z
z9ptoKr?hes#{)}CVeX*oe;SENXWm;B&MQ`kbFxztQdPx!eH?+yUPo3)_=q$_;Cp>5
zM$KE~w`8g2#44X8H<jDcK;LCtjCg$!<Al*@hlV+<D*M<lo`Jr8fL>cy1e^fbP3a$m
zUrBZ=>RyRsE--<IbHg)Le~f{Ji$VhZxeemz<H$kGX*THoPtx7XXVbbli`Ok-V#J36
zmV#ct8#mda%jwDYb945mrEweVm=TviwnbO3o+vC%I~)~sh@(R!0seszJlQtu`kWP3
zULciFKz0*Xq#Q}iQ0>{f0aD@kYG&Ko)my?;i+qCJ1Na(L>pv(%Yf?(ql?rpu>m8wW
zMSET?K6&oE<H5NHIM02Hc4sM*5|fT)B}J`B(`27u4lY}KV6JM+e0L{@@}Q!X-0{`N
z!j~!oLP9;geD<aIYL?Dt0*(|dFGXc;YfZ|@3jMGl15j>iT3lQr7hcS)i-?E~S1n$Z
za)Kk)KbH6ZX|`l-U#D2cxs+N<#;3bBgAq^Hnw%Dv*O6}M<X*^Ja6B#ZFh8PQnKBR>
zT_N`NS%#tN6q!}Qk=aw|Jjuum$Lq)$rRB=NF9GP#5rg$A&~M=iV5-=Tj`rz^R`q#m
zM@BOsqS0Ee0_W<&{m{X9jg;5K1;i@(F|$RS+^2wAG1tXEAmeoLJUT9<FER%I<ODAW
z_F_2L3+8_>|H%!%CxIxofpD+kl?5MI^vO#(RbXwo4h3VGCUF-s@HrWP6@ll3WsZCW
zD&}9rNx%yVI0?FzB$Oj(wWxt4D4KFh8`EGdN}iy;v#Cv#Pt?*iOCY_C%8AU5%A8DW
zOkwF}La#)JFdh+s%ND8DVl1uU!kw6y_`R|F(dNngQq#ZOD4A@dVI)L;9}x<&tsL0T
zz(2GmQOr>q;sn@BSfH-K`*-Q;DugL@<+UQBM9NyYRkJDb&OM_nJ(68@G9x%3Nps``
z7PSj9r>U$bxec-{cE9Kb1_2L$8Z0$C3jvoPD(4Sf#u5z^DJFL9$oIUgA?3p}d`*f1
zQLR16%1YtaBw6%|tW;#C#K-UFf(w|nQ4!HARm(zCUasb7_i4;z$(sUZbYgD6DSS*c
z*?dyia=NmTM}*j{D9=1nlD#S;uo!NV$Z<@jc64ZzZ)DIKUrbnQG9y#hWKJhT`6g;d
zk1;_mtNeVFE}2WpG$-4wT$_-Tyeng0HYjMn&#q;`%Fs2dSAbXoAU5auye<x=yWI%u
zx_}|=T33VVf0zMA;0YLzf!m3$lx50Wd$m0(dv@}-GGTfZ8H$$UiMyqt;rF-G>-x-F
zv?_Edm%4!2pO(J+h^i)g{<N(eT`JxXwsGBR<@g+{mzs@biW$L$r#UiIJTYeRk~u2b
zNhzH`wp6^VB)*lxqxEDk3LQzdD1ND`xW|$Eb0q7QVojRv@4Hve4|;radeZ&ejKs7|
zF4m0+mpJ-(&G1>g>)=vN&^#t6w;()U6;Is3B?>NH%r7WO%UHv6iEff*e)`F+wKJ9g
zi}Z{Zb0fGZcI3Yh<Bywi65I|uHF{m!Pz<3>U(re6<dD9_yoo3E)Ha?(<UvG2pXlI8
zdJw?(`Z#T{K295avNae9L$xD|$zT*vPQEUO`ylN|MdP{ho44)C$B(yj8aDi#QzKX0
z&duj&Nm=&M!ouvub6k8DgRrI&Wi3gr6`r|4qHc&T|E_4d!~|sLho1yu*WUDOu4!yx
z(ZmKOH9H}{SXsRKL{PS-;i6m7xG_wc&w{-RRr42y2l{a1F1xwbPhf(4!WYa{&fU8(
z)kiaFA|$aTiitDN+_`h+Ohf&dnby`bXHLQ!v5*})zEPXfG>%wz4^4r!(f9Q=*S?p>
zM8d2Gs19QJg2>+_zwE8K_zUo!jw~SEl;`sEYR_bccpcXimU-p5XHVK;Cby4#F-;<$
z6xm%eAlz<JKWv7M<kCUPDW3C3PIb&WK2PH@<J7|XCG|Ko1Iiuot|rl!jLs10)bE#E
zlmB+cSZmo#k8XpHg%c-J3N9;?ViPwcYDo8LXi3rj;)qib`KO4j)IDMTUUzPVczg^4
zK%R%cinp!Ux?;J~)??f_PauG8BJ-U~8%oGkoS!Xdfok&t;}$W5i2aCFDYa@KRwWdM
zK!eFuGC)eK=v4+{eKKew9psEdRy6+ZQj#nsyZO{OMjb&O@acxr2MqmEpMsp1eh>7#
zD-nvTRk`O1xjBW*+{KFm=BS3uf|tCN99djSeZ?E&H|^c4+`Vb{=3Ve|QU=suA~|s8
z@{fRE4_uVNm6b4si)J33rlKZ&deLu#xJm07xAT&XQJW$ol@XgFHb-ct$1wBiCA4qq
z!@i_Fum>(Tk!MXpY*JY80!zS}{a9Rg^?-){D6u`@R`(FlI8Yv}{9RnRtqfvcuS(Np
zfr~=jHyDy<lHAzLu)~2TDouSd-4EGqHT-?H1yHub`VXcWCADa=BJ653+}Dj-7Q6Gt
z6==A{?*-Fv@^|wmXrzfw+$FLE?hqI!F}nas#EuI<eQDa6R#&4+Kd^RP0w=$j$Vcs3
zzI2zb%6#r<YPO17XU_zP$Hp+ze~<)X>)I_cXyz2vim<Ia!Z>IH%5SdOe`sAc59|n2
z7`UN*d@(u{c;&VCN&CDddGZ;Nq#1a;dv?Xf?&hYnCWmZYv14VtS&eoxvw7F9&AU~A
ztp`3vr{fQsj%sGMx-i})E1DlEN&D7Oiac@r^QLW;xu?#U$zuf0g+BAW1Krmn@79E<
zgw^q@%*u*G4*R7o*=LqO#EgeHq8lUcFW4G^Mps3z-Lx^9i+_P=c~3z^7lz7whXXQW
ztdd%mTHbWh$h${|Q4=Olyq7SE(FfNj#kSG%;Ii{&#O{*OX)>CQ`asdI|D@=bdWzn%
zY0DNRu_zPEwY0l<L(=-Bbq5W}0Q~-)jufv;i%EstL>jO?a7O^QMm!ZHaZj=%bo=t{
zp@wqp67g6>NaQcyiZ^bGjs26}uaThzHK)kf>%s>OWHxrbDs7Eoo45*FR2Nu((Rzg=
z84BR>J#;8TGe-hVCi*dS0HT?DB>GChsG2LMMv=IQG;V;nABkhE0IXxXp7FdsO@fQZ
zb%64pRfH8YSNz3W7Q>4zwaim&OkvJ$6emw-;39#?#Ml5~c{LH772f6jOk0TV8s8=x
zPGQyYsG58h&(&2!Bd&dT|04RC3R3GK;_ucoj#nkO$za71@eh?tZFX~Xf|%O2!!l)p
zWW<_T3kHBNpjWr9fY@Cyg7aQ#p-rYH!~`daE47A-12~o6Cf-K}ZCl37!_hU?1IHDs
zNat0rnJRHqmq^-~p$De`-SPyfM$AcCjf3+%+&2_V7au1@aFFIpi?H2WM7BeGwuo+L
zCX0O$KOAzk;)yYgN3-MsU8jg7ougg@)niqca1@CumDQdnTWSDY&~%l|z6@y?F;JA`
zrDkPfPK}$#oYRgJ-`dU;+BA+CPrJ_{-4{!?4Q4XEmmQd+vKlrP2Jf=k@lUyg^NJ~6
zWi5@x71hU6BYbl>+DGEK#3u~kD+8#Fg3vNbKQ`=*ljl!fAXrwTJzusIJUYZ(J~>6a
zdFQ5GyOi-8_iWs)xo~o{_y<4hobG(vwikaF!+2huE<qD}@l8ArP25zn!Zn4XHexbq
zq+-p+H5=Dz=!ElRf_QV(=Ew*ooH1G|ZjccYrx0iVF=%;yHUK8x{7WRRVImo9RB{hC
zUl*^-3rT$2WDxqR<V;*ydfo{`l1fL9{f*j4LRWaL^iXx1_8U0sz?zptSd<g!mBp16
zFFxs<W53-@?#E9Jq21w4G<XOqI#o#>9?<s0C=BBN^U}L_$Y3a^rNK2sBj!TR^9<v)
zaPCqE)fkVw%Hs){N$GI6SW1J%87W!Ghtmv+d09{K!Nc)K@|91<)$|xSck#T1nu57Z
z?$PX&GF8=4FK72apCx`A9j6~PWU|CRbXiD<zoEN$+<Io-ElFfRw4b-K`}Jvr0qfh%
zv!F+f8$Pfgvr73?(w$sW08Q%YgJezXLCK&4&M(N9N@4~EQ~9g7c4tXWez|j@sjr7m
z;KFD_xu-Tway%v@IBiK;iK+L=IXU**4CQ-%nf;Z7nuQLcGCEC3Xa5MpRpW5H4`T*?
zN2O)=n&y-lk?I!tvnyn~;wJBtYdf^fpyRRkK~l}xxL?gKmW>myDPDHmBgv3-DQoQj
zY9H4u`LQ}^Y63?Gw0&Hd#Cn~bM^Dvg5KY7_?Imbb0On!V6%mo(w9+MpeEmJKQ67jr
zus&5YW(Bi-`KItlWfu$k{!n_1#8mhLQz@Z?2QpW1|A0BIzbE~ysI#Qc989r~OPNuU
zKF-W6{*JG^wz;04B3FxvqKQwg7|Ul>T>5Yi3b3tjwVg!1qi*D?dK7{_mv3of8S-g;
ziESx#oX5n#TnBoS-w}yIYg^W8%TK;TOKVFZD+j#~C9b8^we}=5nVz17VzyDQN@~Qx
zsb&*T;%--`@+3ZwC-H9;WX}=F(<<*i103c;X8enk|A&*~3bLf47=K8h8aj;CYMcrj
zq?divH{K1y!G*5lza;n;3E)IgEg~)vKI&FkYd<(Ca;BH@*U%BkN#G_ZjaY;b!(uY7
zmP~FjB45^Phn$m#LmG`Uh9j+aePFly)4RSvQA4CLj0`tb%?%-~XUIdT*7E|)DD(;C
ztK#)Z%Y2a(XC-9K9|gavNUJ?_l9*N);Rw;Wp4>er4>=7tZadDZ<)O9{)cCbnolg(q
zMSD&+eR$Jp{#6_CEgYYdf0qaH0u)65wmAM>zr7oV5?WEfKNjPK`}K)Ss<JA`qBBNh
z%>`{|KF9Ox(nfv4e<I;?KH<g)k_k<=76=#XwaX#P`m@Ma?}p(BM_-g}L44KTY7*2|
zRG)fz?se(qcf%C7Ypd>X@_*j5D;X0M61{f0X3sAS8Bk3ZLla<nb`X=8oRW|Y%|!26
zPK&+fy85IX3*hE?GxA)w?9wHd00+d^)3#t!MP~JfMu|o>wd#6#c_i5{mEVm-J<B5(
ztCRFC(h_;CtxhNTT8HwzWJHz$?XX@B(~D1!d7`A-TWx*RNUpEr9~A@!!hc!CyC18_
zw|oDRH>jt+k;vX!G60fReLL;voBr9mVbi4gFX>;h3)FZWCrd^+St3LDlmMKnQr|>9
zu2rAC&dJ|LUURFk@$_Ep@27dOqqyXp>Tq&o_(ASa5wkzoFTqvSbL1Fkh#(j3aDL=t
z&Bh9a^P>El@bL9M@<`U9J(;SqL*8@w=Pth9?qIAN$&XbZ`j2QEKkdItP!A5V(8VRB
zxeQc8Qfu7K6M2nG4IpR!tiN3Mgm0$vWfw~PvRzYoweYv=q;j1{u$RXi<@7427LELE
zm|Ct2P~$60h+jo%*{L=X=6j2b`=iu<B=eotn#@yS^2bi2=2!o{_<x*6`PBT=7yRQi
z-aySidBq>iIO>n`-`Q3Hg~Rqg%6k`y^8RW2X?gD=QQkjoQC>{j=Q{&UN7P78|54Z*
zn9A{|eEBpRgH8AQzgO~a+W-Xd2HtP}Ac)lSWFU63e>Ui&)@62TZ8qp8rDdUhxEj^}
z2EHS&B!k-+PxlRK?TprDob}1?X_d1j%R>Dl+}0Yp-<Oa^dR6hT<~lJ$9}|;l*ZX}t
z-IkhYVEtuw-u98EqTTF8r(faOtK5ppid;uaJh5Cf%Mp~&Hs*8n{1EJ=N=jP!G5^oV
zm(u+_Pi)qY{PzO%&Ob4vz=|vDgz#D;B0jIMVw?>ab2^dCo=9iYiBkxK^7;fvwIj(@
zDejH5J%#033(?O6XLx-es_0Dz6czz5w?BUMb1R~~;U@&Y++5)uryuPDL^#>hr*EIu
z{Q@(qSumBjD#gY!QIVCFawI!2WvNeKu+NgT;B1bxw)>AbnLV7L8VSjC!ivadf_;Fm
znw(c3)nc=<P)ak~k$Ck~VxsLXJPM`m1;j)FC{nLmR9Vh!lMrP&@wx?Y($<l57&8GN
z-1?N-4);VykrE#?jJb%1xB#To%Z4Z+S&~qt6ZNv;mw<I23hl)g>Uou_3i(1+g~an}
zTcN!e_*y-$uLBadmD`Iiw-<AbFSi$8uIG0|<;It*a-*K#F*N8ydb0jws}nhzeN0=k
z&zK0rbbYhaiS(?3|2*xZo5C9H=b{>N97i+_WOO+YIk$<+s96IY&0G=FZ?wkz*&W)Y
zwgDUX8~m~H!8+)o{6xNC2v^rtA2m%p0td-hER&VuzVsW0a#Mci`*wF-N}bU$t&ItJ
z2ze}lHQhX7q?X^WK4o<qD@5`&o;Q6+gT3`btw5j1kx#T-pGba_dbi^<>f>&H%m}K|
zT3i%qEnX=ulHIK%r;zukWDvAxr(Yn`Zadc-ov7DdZjc|)Hj*BS7gw(XhGW##F9%Jr
zo9qG+wA`oEYu4GJs@`KJS`26!efMtFg%i0PL<R?JYtFjdSIK=^B`u0s?x(7&^K;Hr
z6hPp>IWBgc@1R17hB1mMb5CBg=Ps3%=bcquIps3mZlTk7PPQ$gX~HGF2R|snweUXL
zc}+MM0JKho*S{(iagruHl*U9x#jaI_tnvb;<uc+eT?+K}V-3WyNqFKGIR#Uv0Iat9
zy@lrLax!o5FH|vQW`Mgpm*>bF$<9warFw8?0=16V6uB{yD_m%Qc&3V~hV-GPlzs5s
zQ*LLIV%qHT+dr0Ed{I~uYG24vlhDZ{20{WDLi;u7&O;gS^Baq=%P;*(`#}RO?KwQQ
z$?uad=ffPaoAUSF=c^LpV`Fz|cGtnl(Q=%UP)XpIRKdY0=gU*@cidfR8D&3Xb;M>E
z8bnQDVs<5NNLI-<e)9<WM+X2F{Egy*m@NHA4~P`$*mqlELSlkrLLhcspS(ULI++@h
z7pBx~`a##`BaG}Zv~@NS7&<;IdIQf){b8N82iKm6pg41!N!vGTTbqqiUiJQ6em{k_
zS7-y9TiI=55<t#DD~v9}PHY=_)Z99GmV|^t%}{=yuE9k{B-*;G!iRSW1S}7c@2+kn
z`TpI=`?`&-(GaM86>(Yn>jmN4?@6a-y=LIK!Xw#7IqwQ4C~#TGeAS!<xlg!U36Z_N
zMx;cpeBp3r#Nf$OXdewtlPnAI4P6?VGut#VJ~944ydh=cF5BHz*=VyB&$3S)%SjIy
z-`l0X%`ouF^$|&=Hj$i95*8C<?JV+zNZS=%D}Gsd=OQ;-JkEZI+qbHLHhFb3xtO?^
zxSdLDFSg)6jkbBG7%sf}VWH@VfBk@sG?h*zxDrPVT}ECgVq>>#gW8c~=eC{O;xskY
zH}W2+T5fpRRdaFcwyj;Oq?08vv9U24SuOEx5+2e*ZdkcWajKZkCDRz~q^4Ftui@6c
zm>!~u;2*Nu0BxC&WB`6UBS6ul#p7voZpkTnkfcM-P7`T*u{%^!<}z(1=4;C!x>}_m
z=_C<+i{dhGE?hxRV_GMU(@qpq{`QkXYXTrifbPs8ms7AXoXcn@j%%GLp(t>!JNoO<
zG+nW<NLMT>nx@bd>x$nMV=zCm);$oW>mG=-4%Q0oP_1?AQ0>rG{N*#)R_hj333D#!
z9P02Kc5Xp9-0Da6lAUx0tPO)`Fj(CnD8cO|@X0}fx$1Usr7{e@M^-`sau_j#i<K$F
znwrrSbS1p3nbIlTvvxStYX3Xzm-^B6Z>XATXnPB^{y@^+l4x))`e<6AZp1BNQIT%=
zEqzs^#MKuWUFf?|$pm|*=-o_(ZiH_5yAkkMjV}VED%QS_rk%s}S+#<k*2zibJ2`6K
zs4l|OMR<z4^SC+xZn8rARHFNWR`MTbji)2AsCuLubq+UQ+bbwCQWT)ioQ}t{@VHT}
zJ8~X(({+;-txqNIz96UZd|gz5w)UFvT7fp}y69SzLi>yObS<M3wEiHO>c|wd-cx96
zwOOsTs3ejCj??C2V)F8p;sL~#wl_)dN5sgiHLEoXX_ra{P{nuj>v^=hVT^d$J@*H5
zZrXd8o*h*3?Xhl#@PIA;@D443SJT58htp@3n|gYB&R;awuywl_FO{8Hbpgh%ts>Gh
z6mPgeQsF)(6y4RsY-TxtQ+q=vI(9UT0-x}CIQNOeT@-(zZ)vX+)WA^Y5J+YU$)+mO
z>5PaN2Pz)lISWl7ZBNOafTAgrm0lYHqn2oL!<l{A2TCiIHv+4_t=Bjmi`o@+*wCr<
zs5ov-K%Bp-_eA@tP9^?lINAKDOWOQP!fNeTP$P*_z>;GKc>*P$Cvg1>KkrW%P;r`K
zGBKM-Gz|n=IZ8~2byV3v)f1^^3N=F$_koju_rf!P&yEHxXO5@^gWF1q6-hKMyt3y^
zVCmOG@qy9KR4gW6t@`Qv%_$I+>2v<AD*~J)6z7tTxx(K|MOoTn@}2aLn0=)pf~TY(
z+~A&3V;AczB6-@&PHjJz@IQBJFI%g_bT;ROkbdFd-%$H(gjyD+ZT=XsQroN;r*56D
z%_5G%^m_O_&%zEfjyOUGNJfuppPv=R;WQ#n`yAL@5Ad2Q6#I-XRsT!>l1}_PTc?97
z%;t+oAqCPf?X{Y;8l&e`B(lncJk?&?r?!*ImyH1sM+F|<`&CFfz4-Zs2vDl`dLsg_
z!Ex6?UMU1G3ez@KLCOHIHVAEa7<ehFTydOq0Bq^N(?oolkFHQeBVz+k2BQdCVwtw#
z7$WWxfsibP5j~RJg$aEaz(j<k5ZlWcdgRB<MnLAe^#zDy7@d!|xMTfXN`%tG5m)D4
z-E}SZ>hY_)uDV<^DsG;4dFSP0__y=&yk@z1BoRDQq$DJyq^(K_SrN86FnIs!L{8pG
z;75dtlzj=QX<_k*j|dFX#~VgwKzfJtX=$t4;sf>Zqit`|Gm7MWd(%_H;zO6OiU<nW
zhdr29-Y$7xLP~mDTtM)?)dxBG8uK@;z4^4{rkYPPo=<~&{@Lh`Z(4hy{I+uN-k^Z}
z;fb8qs9j3JzLd1Ey`d|@!coUnsH3^zZF*XfvR7aC(B*A)M;RU49Y)<zW@_5X_~oIi
zQ1^YSlQ_Ad;WEDNd-tZLuG)+A;X#4>@qQV4pIV~(6ZrntO(DaDzy-Gx9nej2l4`5S
zB4J<BQ4~lD)ktWMbgOwX(Wje<WGi)3`nM(X#+>J^z1Set*^v8c+DA{5x}0Jm{gRZ4
z0GYBFs1Dj|q^I;>=|<-S2nOh??v<Kc*E#Xn3(J7G^xFmCpOE`d;^s+*II92c7f6Zr
z<w;4~)DGiNd#O}Nzt#Iq)n01nCe_V6Eu`InqaxDH1d57oCaTesH+{j+ky1T5%>*@R
z?*e~B=lWJS1E>u;*LFwJv6To&S+XPmTM1&S=1H1%=SjLJPtiKJ=RzR51Dm(2&aJyz
zH|vaWUxR3g_L8EPTGvo2+*dDJqMHiv5^V)R{VUo<OLf!qxV&HUu)MlyKyA^}c2AJD
zBTw1TEgmWCMruXfbc?o0;mhg1dcJ<_>SmR+HQYSitbXd&<Juzh#IiC`fVSvPTNzMk
zEEV;@A!Bj!0Ag$B$B?abh@vQYAhDh9$H??01C6Ox)Lmz<C`j%@zOi4zkVI<n#}Aoq
z0N;ugqAsXZPqi+SZ?keyPo0CJWM}sAv#PV%o-RAN@}11(wXWxTt9rXmAG4N|X>0EZ
zXPpwoYHJlKiTg4Sg(QS-h~2bt1GgpXKx$s%iX)~o`~%%wl&*<^@F}C4RUx!)5FODr
z4_E7Y-4pIUDO##MuQ+=st*As<v?6Uu@bXnl{gcC!wr=Ge-^4Cm5#+ht5ZOLyTRNsh
zm|HHoPq!$Dz0)Wvav`Eo&=W%RpmNa-C@90^^@<a<FTWy@>H4%K)?S7vmJUSHUJ{vh
zEb$Otzbe|O9jmyvyWzxb<&mhg@HBEnx;!o{MCt11XTJu=+I#doc|xhEitYgerd}n&
zfO64O>ZK?d{l>{+H2g17%MWpuc&UR+vqd@Vcles<6QU-guQ-hw?b1AouL~dFlQ@Wa
zqKd=;>BX{DY9UW~bUrALy8c04)D;E`aiAI+2da4^6(-b+27tBom1?i#Jvu40sTbvI
zuUu2}eDA}fL+U@d-rq%o7fz@JqM=X<I33}HdQoP%G%x)`!4Ynn*gIgMi@mZ9+EmZw
zm(+_Efy+}x2`N!u$IFXJS3tvcEq(?ASQ!oCiIWClVgdZ-htWsF_|ZqrKF|>`h<mDO
zAjUWi{B&-h!}UX%4#!ZQj;Cb$zdUVg_QX<=1DYLBF2Q^SAn*@XkoClJF03-1&P4^H
zPu$CIdl1b(u%he5#k7Os9{Jh|O}+Y;ZD)+=u+pda2h^%zbh)B*9dqYkQr3}uzK$9>
zlxrmN<p(7d`!ch$4~AN6O5>PU-i1>a`-ZtkX=25vqI~x+R!#MGvjmA(5*wiv8HPbx
zsi>%^aLmbZ#KrrlqoZSm_u>j%nExwYM(0)uz3W7Uq@z^#)d#0Jt>0-&fTAoX{f?4u
zDy)+FEruT)F6|W4LY1^<5w%glxT~k@5UNCt?*Bv%siSo>6;EH!IXZ+&n3>dKv|8u(
z6VE2{)I3M}OUNee<9kBd=PvLmL<_W+Ne8uqw5_ZiC@VJ&%E@yUGto5Q)3Wk(kAT{w
z$87o}J7u(wSMr%N$~Tr9(O#!~etP+n&nbC6?FGAp`#&|8poTrQ_kRGN1nktO_4*IE
zDI`D1C;v+KJz1~rMaSu1p93bY{}?ab9e_&dA*FQ2XM_N9WWb~v=imULR*~xmoXt5$
z!Qys-M=Ho`(KotjWB&!PT%T!^wo_ZC+<HY1@|m+2VQ9M#xxC1ewp^cpHzL!SlS1-U
zO<S&QYLpKEV)E6wwxm8%o&0oS#hMBusxBbY3*<$pQnQ+f0D*Kt4W$98S{DbHN7_w~
zO<aUp>A}x$0^G6awv^nFuGd+UP0~WDo+TwW)E>I4{|Rx9RNIj%Rr-|r>r>?+)qlX8
zYnv({y}=kPC7;*imWr0?hToUw(jK!g@s;uT=d}9=0QBF2bSH1B<yyd>{|5MTZBxnP
z^0nx_t|e|IWIFx;{HLj%JfB#pr!39QS<lIHT-Gv<aVPAbtH@};fD8rXl($-@b8Lf6
zr`>qm^n9ITJ9*BNg7WGe+}xdvSG2G9RMk}9oMUjfo<DajW51)o>4^$yEfq!UnXGNQ
z52UH&%_mcx>Q!e_PE>5=T(>j6F;Oc6Rr37#LFJQFGlLh*-oVLp?Ta#sjL@fhOumAq
z%+oro$DdBgPW$FAG{3%q<CuA{e-bI~9xE!`!FlXveAfmB*sJUV(=*p{9#M?jj$^J+
zzt-(4%q&JHk;5kF1I3d|DCNo6oI`znz`<>w0emT65JSa}1%>5teD#+``}^Ce?EDX9
zMRTaUQ(S=?Y#sFrj>Wo}WRrS4wVbBb!Lt@sLJ@0)t_dKDZ4ioY;6bWJ<e<IQQ(d!G
zQ6AM;BPEC%R3n<m$B~XJ6lJ?T$Xwgi*bs!PsYS`*n%~gohqdSJ0g{DH>bF3x;TyRO
zjf|{=YeclY_S$mwC->5}oWIo^E|C{e3*7=_`5sw{yw%gCR4bb*Yqi$@KSm~tg}?P*
z-z;i0dfEahkNC?L`R%8~T76TzL`wXnq^#9S(L&@vWIOdM@m5DhG%X6zS~ZdpjS-=I
z7RMHO$S3LLxmscCsEJZp1f0UhC&d@WSH{QTub3{4m;76tA>uyMB+qwi|JkPYY@_rZ
z+qkEF`+IxZf3B@kT$Bqh8VH1feuB}0m4a-+J)wbcpm2^bR9I_ZY+z;JZV+yeZlDt>
zL`spTC{Pq8+9Nt6x-ELq?#p(4+YM+pzFkDSxOS!Oeq%Z?9OJ<hGB?B{#8brq;(YOC
z@f*o^l5oj($xX>y!*+(948JvWG2CjHVOV2$)$pF-?}n|0??1Es%<;3(&k8^L;j<^7
zy^wa24v;!ZH%e3CR=EQ9G+Ne<^=4PIJK1<Pi9N(>+Y8$dZ@;PizV_Me@3sH=bF0sz
zKi~8Dh0ou~Ol6#`hitNJfo!#`O7^mYyhEQ3-*p(<VQq)p4re=D@6giWrw*?>N;<ah
zsO}iuF|}hx$D<t!I!QbEbPDbi-|1kdQ=N)CHFf&F(~m~OjeLz(7;P}xW%OJwlY7d`
z<=5o5<#)fZ_+sW4SzjDi7${^4V}+MuhvJ^`XU3dyH{+4UV~zccHyQ6YPBlJl+-!W)
z_-Er^jo+AvO*)#Gn5a#<m~=Dw#$=euNRv4xdreYJGEDB8{L@rwDl;`RH8&k@YHzyC
zG}tu5w8*sF^o(h}X{%XBGh?$JW<$-!nN2jaGjlRqVCHS+XSUKT!fc&cnpwTs8zrNZ
zD^*GhWq0KWrJZu6GF4ftyrukE`ASJu0+pdkt?HucuNtHpsT!~HQ3a{OR0maQsw1k4
zs{5)Js#hwls<pGUv!b(k=Wd;QcJAAGTxW;Q&YkCX4)469^WM&fI%jsy>0I0Sht9uu
z{->HzcTk(DE!1DC`=|%0t<|&C{_2hDZR&&SG(e-BRX3?`s~@O!ns%DcH42SdW2xz<
z8Kar5an=NAVl|1Hd`+RIRC7jiL-V8NnMTKnx%ONq&XnUgOYSSKH#d@-%DHo%+)8dM
zw}(sRvbkeiAy>+s=FW2s+-2^2?iWsLE;8?EZenh3-p#zXxs|z%`AGAz=8op>=7HwX
z=DW=In;$mMGcPkgYktA}lKFM>JLdPzUs@Pgd}blDkXx8r^tG_E7-uol!p&l_MWDrM
zix`V-7V#DbEYd8pE%GdiEGjL|S=3wHw)ojXYw@m&L6?qQOuA^geA8uc7n?4lx=iZg
z&}D8H&n|vlg1dxuiRu#5WpkIfE_=G{?~>W&XqS>MHC?WDx!2{VF3-EX?(z>yp{3Z8
zwKTCbx9n+YWjV}pyrqNXJWC(T5X*4O^_E*L_gEgZJZyQ?@)Y!tPFtS0thc;mdE4@y
z<u8^mEnB-vx*Byg?P}4rd)J;_`=(t@zLInUzA2JNB#%n_F1v>*brNIwkpztxSSvAP
zEd(PjJeEX&t}C2fu-U2DDg~wb_yh&{EJ?+wiwwA&xqt2Bg7%^d760NH<45rary1;H
zzbUy;X=~U0Ye?q$-xvVvo&%Q@wr&kDvHqg*;^m_9K#RlN+P=(?byLPpQn7#H?*5Bg
z7(F;J_c!3ctRmyU_8p&y<KquM-AV*o-*SWLIq|5&^BW<-P5VLp<_Y}#SXn%Q*&J)p
zn_AI<Z+a7!Yic)m#&sO-wL5#`?!9VwjHM!bTPuzwt0NQ_DsnC!hbGUsJfCx!Nju^a
zG!Yk=n5giWNR@wZVh$3Gf*9CIx({ao5o==Cs6xWM)U68fsPy?w8aCP$K9r8nUy$UW
zq6XdJw2=0?MVh7Mna7TE8~ZRe8{D1xspdNEJ>twQwPO}nTv%SC+6Ci;L31t<;j6l9
zw@w^i?Rko$Yb37j9>K0?9rjwo13gYH_y2-Z>sEHj=dOx9TV4ATF@>m_iijET`iDas
z$qb@Z)0)0#?O{8?k{kFq<!^ut;j{|tRuc*BH_mCm!13jzpGIpkxE1hhUN1+%FC#mk
z*718y+C_!4M`~4F^$9X4iK8lsyNgGViwfP7oRX0dlH%tZ671)f9Gpo)rI~F}zJ6^{
z8Jr9Xl<9b#=KkGR&!!iR$l-dQU}mSxNV}jsUv~UzZE2v#2~E)%rqpF@4pz?WfRR0V
zHoMgMb3e~#>ikMV#w#Z|&Ko#xLQa{B#>tMEe)fBh$13*C_VXF%ltoKZ2JF_X@L-B#
z(j)wp%K}ze0a5OOsH>DE9(bqZ!o}N<Z8FCk;vAA^9Vk{F&&a7Q$XyYTqsgyivOH&{
zPgQk+XWbz;ye|cCr$f&LJ1O0lES_XHFYTziX1)XCQGC(&6223T`Xnw@kbr){$bh4*
zHSMNmpA?<Hypwa<$+)cb@tmQW;d8uXE$6hBIfZu*CCAlbsGnc|pI}X_>2-$vOP2?Z
z!BV!R>iFT)s<SBz`%?2*Iwpqp=h%N!Vffz_7>JizuV29$w~*K3aZ>it05w~aSA26D
zXTOb^w|+%XfQx^#t%?OyCCMTz?4M~Cuasm>@|i~|=jvW6N#~xWaN$Ya;pwGbK{gNr
z$;-1o0|(7;@5Zswzd<4!=eXGo28C~0;1rl`JF@=syjp))&9xm?e>|z?kEuERD;GY6
zUJ+f$vnLJlWv(QZRNR8!d8<6$kIgu|ajSw%ejvG95;$S%Jnw-Rm7-$}joY|UVwc#E
zg;+s`<d?+a*Z6J6CK3_UNPbcOiyY_^IwvnB4f`r`ZYs0ZWUNlnO!Q-Rg~bJjD(x4A
zIz(%{fpGq}V?adu!_QO`*}J!Rck!MwV8_JI+2tBP_cBc|{Z))(qm_(}cr-m4HFu30
z@sdUsMHWUBk03`)t;M$VXoPE&D`M9attpHw9)(ydF$=A`6m@ZnU5orTTc8L}!Xn>(
zm8;hnW#9V_@Q2KTba@xb4`vq4$bk#x{H(IGjmj5en|T+?6TTXM%B94+&4u!e!GF3?
zCasF$S!0geP}UWmgbQV-$u5EO=E0vYTqsxST_~T+E2%ijJ@)*5>5vaDl*`JF9x7MW
zXZWk<UhFm=^z~8q122Up#lue(DQ-fK;$eXLIuNR^lU?GHb(dpG009a`&lfa~IU#;Q
z;)=*;ShB}BuOI88q`R(b_w|<apa(p<;&jUM_ip3>(_73!O1gFXo`=%dH8Gpkt0E$I
zAL4X^A+7(Aj80!zr(tcpvkS|M57iXquky>|U{{jkIy1>m)nlN0Ki5O96)Ru|#_p+z
zFWFszId8Y)ZkKq+7p)xM4V^K+S&PR~UHF)Y(GjC@P7&4|b|vgmU!pS|fdg;dsxe`s
zSMl)?&8sg*G>=96Kryrm{u5N~fAu~z^7YriQe%04%pb8bc%Tf7P+qy`55*qt?-hIW
zN<G{kN<DvS^zhm|n3G}st0>)7oN`im!tJ2V7ESa*rYtroa)oj=`AY4ujhVY)wYRT}
z|Gm+eJ2pos&Q=~do`>m-RqV`R0^?TfPEaN$?I}aPe8wi$ZTSM_{Nmu!H5wNB&EpiQ
zi3iftR~!fmT(L4BAaNyZa6*jJ+TsF(+Tv1ChX|0Nr<C{Zwk|9fW-Io~kJfNF7cyyt
zes1Tnk|^4F#Cm4R6`CUHnLFW?hE=q2Gv}SmtmwrK<5lAqSDlXLoG+{SS_Q<d+`U(M
zFll$$R(-8DxUHCvT7~enBC{eCwP%jx73)9Y_$k_jeBt82$P~X{0YUvfD)VTM$Jj~s
z=)<riC_?eGlutK_cRT^~e0Zswc@?|lQdC#(SmA^BfhPd=hq~&o|AY4dmbj^n9^EE&
zx8*LRmsIYvNGd-Nt`@WK%z6FRHg24FMr?@l1l5F)(zCJnWwY(1EorBcZI===IIX!J
zaYugJd=KOZrybPtYqp#CyKG>H+LGb;Yfgp(&dGMIT3%wF1$1$9?7&ORNvN8=c;IAS
zqcSThBV5mkcIr9NT>k)vNKKN5+a6~XPPrs-#_S1>XA?0|$}UsSN3F6`l8@&2CobEt
zffw6Wr{`AWXae(@u?sxytd(}DOHOFm)e$5~O#)g{ugZ&@rBK%x1<gjWylf-3ogwtO
zc#xW{+FzA_TbUV^LHeuXLYFHYe0=fVgr!S%c=OOYSU=&d4bt+Wlj+A)btDj;X(i=F
z`RRG8+Dw17^Ti(1oje>IHRnPX<c?I?IeN`?hj|@)Y2D@Z7r_sjaSE}f^;_nFuIn)R
z7%jP)`aK{!$?7j3uo2RK@f*w5r5q_vJQ%Y!Q3IQTUBSLPma4vXo$@6&oFyAF6{R~1
zlPZ+O?rAn#HEZ0N@(syR{>qThH3697m$V_V>b;e<IYxU8;5?j&fAEX;T>|+@{a<@3
zd;N!}GFjWK?y{4avv$eC>8j~V^2^q8kgTx9#$;>rU~T-}%XI6Qd#&-{;y&>KiN}=L
zhm)$eXkd;xAlA{xPRU-3P-DTMcVQ#*S*l(mWy2yG$nf*zn|fjK9a02zAE-W)&tLt3
z1%i#`50ICBZV6p*YW->e`JB_vXm_jHz9--_3&l_4tE+FST06BHVt3)~I*t^JsbHPm
zl))<5T4v<-!r^aKFya`<T*^vK$W+Dc+PGmCS*BhP+{2X{PpuhCl4V1)x{AjWYvxzi
z1t|`yux4q>>ap3}1v+2=oyD+S;0AG@)>^dB`0t?69*c3ZzMuT>0Bek_x0=khSCsEw
zNal`&)TAEjY~nxF+1S5eItEJ=1-s{yxf511WIWD5{*wiLg_He3xBCzoOAf$@sC{Dv
z>8PG?(Ma2kclA)9ZLg3&JJx*cN^Y~^HhLdMf7GAuQT&Lx$etnd0pVfTOiz+EWK}a=
z#oG?dC)t-<`(XY1iN`)8@(W*>-dEqV|K3;MYcz`9S08J?W5TxCu!;rz6VO4<Ggd6L
zw88*;fWuJ}<%<cm-M^c$$l0BDt$Zx|L`tEmKF4jA1?@j0h4$t0sHfhcGQZGn(WGLb
z?TLl<`4gmf5*HxZ?772ZPk^Dbo82;36>%p)ieGkB)ikQEopk8Iv2-vdUT-oMI9A1q
z+UMop^OG-}Dvpt`0HzaJOIf|Qnz3rOvEbC%>UpOC!R2m0qrklpE`gT>q~#q?PdjoX
zJ<!u5AaDsMJDix4U8KC=aAM5(ne(U2PxC(-%<mP7jJ2kh=m{}7rtQkWT45a7BcaDy
zyD{v2(Jj6H)W!#~7dHH0IJ>BPWu@xn^Jh4%?>+Ko+L=mw4y866@u2n!_j!A&TsgRG
zAhOz;=0|y>%xQbO??!2`3?#$EWDeY1%7_QB7zN}r>dMi<0IR*P&>nzIO0S!Jzz&BF
z|C;vV*n?6MT47Xw>tGFmFNu<`z-A|ct5&Gx6||G~L2rC3peH-0Jo|-wZg`9yav*a7
zav@yOcP&*JvO87;ZeOPQ(rUbgUAD^+e||BsdOL<|Vcx!^Y%cHw6Bgtb<)fOmApc?v
zN0y4W?%TX$ud;s0y&glyPJ~?j^0Xf{Uy<30^E;0oEmfU6I0q(tSUK+{0x{|Oya9*i
zUB4`Y)-Iifwd?l^k^ty;$vK~IdONsNF;)i!A+L#r{Sl@Ku<9T0p+gmPmh^907(#ki
z5$_AmHGJ;@Mw8t!gK5&P94}_;rSe}Q>9Sx;wfyHuwgrp%260PHS=LEa(w+_L_jBxq
zh~wCGY{VfC>G{j8N8iuLr3}YT9e9ast|vi&eeO@bI&yC+4=xuuP(eO>a)mGtr=A<0
z2rhXky`=J{@^|Z6Dzcrvc<vkxV0`oPim>@;IyHaFc-NUg=$!<R81hZ!EZb2I&ckh;
za!+`0?lT#ef`)l7Rk9yQU#2-fF+M{Tw|nD;onS$WgT8d&`hW#dhJ{})DZ5Hd*bsIl
zPE&~WN;SKIP7Wb6$&c!m7P9BQ{8<ZihjeqWIQBlXsHiBUNJT_1cq-~S{u%8wW2TR%
z8)g{zmafJcfXr<jsaP^E;kX+oe@4vJ@B={}!vVybh|46diTJ^_<UOqhkZ<?FWQRb{
zq9gGmOQF=(9z?{?sx0-TenbL~B11Us+jc~FZ5TD*%e8ifefr*Ow~0{Idb}N#jCe$>
zq9IihQ>*9^-%^Q6<{Z(a{Vw!KD61$+VI1#--hHV2G3j2#EsbjmGh?XFFxpN@nQZH`
zLp3s}2EiLB`xvT9Z;TrC;@l@h$-6w@rMKjQTE=g<BH*_!g2&DMfY6D_GM@Tir+n)Q
zAPF&*H+$Sy>wB@_0<mruz8B1n6kK~RXowWx`@+$YqF1*8TBzw)PlXG8Bg2+*2godj
zY-*-g0HoVc=*Jw&JG{40)pBN5zi+45+1NVg9{1p30bL6(xS{7J5o6|t$HJsps_^jG
z4QsgsTV~6S9h-Kj4kbl7rE%48Sw4(rVs}P37zEy6vw?BgNDqk5tJxi4tG0%y9Gn(T
z_2y@PV#)WdvPnA?%>%z!e|^O8*7ont82(}Vmxl~*Z9hF_xQaQeM0^#WxJ?`lb3Jtx
zxiCsHmm2!nV29y%i%o-;=1>?rH3`q%C1)XbC;$zZ|N0set#z;8X_w(se7zQMCmfiJ
zoT9W!)r;!!aEZgU8jCkZZH$IO-oVG^#9RZ#gz0s!Fx{RNTSQEohS_!sun)gIPple*
z$FGt-Eh4f8<w}2khG8|J&(Bmg&SANaE0;NgNzcnaP^S8^a>Cc!IeJGN8xgx=g_3r=
z)sJ-0z^T^oIhC(D5-;wtX3h*-l}zy~88SU%Ah3RkV~FAf8Df_)06%1Br4ga*lpShz
zA#8_$5UWR<l{fGt^RL*j0DAuj5Bmq=Yy%Gu`|ufbG=VrPVW*)8KQa^}P2RvW4nOR;
zRj|=~1Vt*c3n@=NB{@=JC-orD`8+N|BrF9WNhJxd5a#?l!pJu9_C-tuxdy}rA2fOT
zGT(&7Kx~)-r>uH}kxJeO`#%sy!u<jExU*>b6BRoZJ(LfulxARu^E8Zh6ur6yzNzU~
z$J20>o`&uIpy3+OaC+Y11fGUx_wP4l22aCzpy8Q}Tj2$s`;Z@B!S~|ACzH-`ER>wq
z5Fa%QgV|vVEAQSbtFHULYy$1LhnqIvF~D856z<(|Zfp30>>}>HUQ(lO0|&!g%cOY%
zF*toTyW#{#=WQ4<=3CW*g-O}|dbIM~3g0G`Y_wNcgs*Ddnk`$_a;rdWyAuFke<tVP
zuNB-+a0&jB*54xaFU61PJeIagzONQ0Xa|WBj30<E5@vta{>%dz5E>-<B`!VS+e{f#
zh&%d`ShxmT2l>!+^Hu(<{8lf+#&qT3u#8oQCcZW8Cni1UD#)5h-8~UmgjV|E^kc$s
z+67jv&XOLB7L0N6OsVwMOmk<(=GAyX<VP1N4j<jS?;saM&Z;BUhp7Ss_hqxihpd{R
zR$Nb)HtITt^2`Wk%U`v~pEQCOJ<%0DROctXkg`IOgxAc#Yuc6Fc*2o)R=_S9;p=Db
z;d3xQP-8crnQ^qz=c<Z5keOMOn1!8p%;cDfv*8r}j&|j62_%bI*qDU?&;Bl%bGbEW
z44H!sfmeuj<R$j`BRCwxgw-N<d4y#qS*PvC$bBxVfix^uvxg2I%*b4R(0|$T<-UFg
zmmkK?!)as!Bjcw&oy%a%quT}(k(y((c@ODq$)VBLRkEA#!#5B|X_44oJ&PPHWff;5
zn~Bq)eT-~+@#3N|4SR$x%~P|<WT%=fb5WB?WXBLGyE--|ic7Fzw(i`$IZl<y($WW*
zGzUwe3@)$TC6({pe+78gSyFi>iIcLTy~a-f1w?$92I_MI))71|kPq{OmyPX(p+gAo
zIogQM0m}BA5p<3n58W~canLXfVc65ZsezW&1X?VEFKU*~)I<G{F;IM)$fGA*u6siS
zV`_&C9y^r^EG|vC3lW*a;?hgaM@y=za$H7_^>%jPWG%!;KU{tI;mW`ETfDZ9m>T1?
z{m2}4eo&eI2-Xotuq*S`EDs*u<{guz6BJdE4Ez1!`Khy1QIR}%-#47u61SD-?#WU1
zsa$?fwlrzZWmQGSiOQ{<`!>cWX633N2s_JnmZzLio_0Pw6ygIX=1go#IKS_T@LQ)r
zlb*wJ2@vq<hkyzn8tNaA1XOqrGDty^N@$XptfU@_LrHiXn&j`l9M5^wco`2Yns;p3
zp(WnS{JlKLYc&^H$FQ5y)a;sw58iUwtWC|@9oL0f+H~GUOnSMP`e=V=dg9XhJM$=6
z@sgarL_ERzFHz5z6k4<`YV43_D~k3PA3d+EbvZJ6i-v71%{^Vjw)#Zqh6$-P1|hWY
zebllL;?hVC=I?KsR1{Sd6KWKAiiNwx^rP_@Fd-)yc9&XKJ~#ASxe=@PekFg#&R0vI
z^tyC5C}c9(F+$49wZqiBT#jE-m=Z7c2lADah5F8;JeGzvNny`Udfx?9X>Z=?&m~>g
z!4eV)qk`wsy~db7WyFuUL;bE2zdQH={tFh+i|opK%2cPO>^?-WR_7~}%U3A)B(pX$
zoFBsQRGy!H97;cSQ2Oz3ovE}x;ajeet#M(BHl&0uR{AXu4TLp6WU`8a7$$T3&b>)0
zR@)Ojze~*;-y=K3Y>0M5Gf=Xmp>3iY(?)7aI*;Q;Hw+yMIV3DR9Y_~757`a~b}@S)
zHMjbb^7Wt#w1f4?C39UgMfS|`6Q|Q^RadLL#*TDeNG06NN!P^e>BP)}Gs?T8s;I$)
zN&cShngR!45*H<wsLmJq%(3_I`<9zy-ymis6v{z4uFUS#__z$!gHop<-%g)Cdi1<3
z02I#$K=G+_9?w)VOjF<;sK;GWdbw35X4@>Qg!yeIRU_H)WVwXyYGoO=FZF2BNkUnu
z$s4QrgLt9_2RN1iB=CMP1?cOQg`GzqW{QN>t{fs}#q;`;6Y8A{m_v{TWz;k5LaFQn
z+NT6)pQBIvom&k7)CJ=|A>+|E)+FoSapqa0qAN4+jJc#=f6Jw8c~aKN66M1or@k38
zGsN3PlRJ~i$UnZXT6O+Zz#Qj=zBU|t8J^Br9QxOp4^^{6Xoz^7U+@NBRlkK<S2$ue
z1hC5V^JZt#p&)VVj-wiO>)P-w;i}mSLPvOTlc_N<pjiG)Dq{U=l}AKQ6*hdfEmGEq
z^u-Xg0$~nQ&kye542SF1On>&;yc@*3+5WctAxoBT`awIFwA&Pl@j67!GSMU$v`cnK
z*(@HUe?7muK##9)b-?Pg^&7E_*AAv5_3FV_up{GLJmGSiJQcGaH>jMv=%esPBVX=y
z$R9d_wC)cL>)$^pSj(a>W0B78my#K$r7bPP>b91!QP6`ok;)h=u?-y&>bBf1*aeea
zNXhcT&_WwBf|tT7f_!(S_yZ41l97?I?~tlGecsq%o^H;Ztf2VNg=5^@qs+XZfEB)A
zPiHnBC136PY3OE#rC!No4W|1+#xKOrv>fIj4ubkyq<~>nJGO2D06$AlXj=x0S)<B3
z#P=?1)#3s-b8HL2_)uQTFTGNf9qf~?DJ@|N7R@;_T7@mpXzW>p6}qD$-F@9^#k-@i
zVlDTs9&AUe(Sdptw>O;1uT|E%=MUSUStL1~6yWI@8Ze8K?HIu{vD5;ZGbQW!p_qW7
z$cxrd$%t!0GO0yW7NMvr&#ybm0VuB@pBQcjNRyPUBE>+9jJhDIWOr<OZ55(5dWD{Y
z_XiKAoULi7I(g>6+FPcU{s7994yR^@G2|O8xHF}C&{8sqwMVskKvKd|E}~v*RL{ag
zg<hP```~0)p1H^y5^iFxM*`IB2XL@%ZOC9pjvU&@@2SV0me$`|Si;`<&~K|tSh`g4
z_Qh?8F{IXasbVz;1;99_kQM2E(uFEw#qa7{H84ui)wgnhkYXj%BD|beuH3#YLK8Nb
ziQZ3mG}TSS?;|?0-$!)h!#L4pFZEHgCtB~%R<rK~iIIX(Y;CF{1u#H_70G4sdX_M7
zRd-riar<@&dsa%kLyb!Avt_SOJ}DDs)DY_`5&Ov&Q_L<(hFep1p?XmXcA5`}TFq)l
z*0qilvqR9lSvk9Q9cClRIyK8nsUgwU{3+39U#r2nt7^zXvIH#nzQo#f!74Y^WdFhk
z94Q|nk=-Td?y;Eqw~>yINPi{H$3A~ZRofs)pQK1niQAFDh3U_Y*N3YXVj7`+!NyrA
zezCK>APy2TY;uTBSc3ID8KH*UX#o5T+`G?aURASK$yzmgEdmHUtQJz!6D$XBm#7b4
zn?-zWgg>{43P_QZ<likF%#v@_B#Io8g5Tj8l7-jc#16NAIuHEE1u20C`;1T)n)D_x
z0XAXDH0c~xTOe%UVZ~U;Av5ZT{Uw&Hl@{M;i`7D~sCl8RF|h)G$ITKVcr(118gfI~
zCT-ePqoT#&auJH=yaF=lD3^F|--81`7-GqmobkaWjNieKLmXQNKQ8CTK#cjt^l|V&
zA`3$wyakK;jWDxM^rsye_5<#mo8&qxX~|zUb?QRDAz101k?tgUQnU~>nOLmChSjmr
zKl0q;s`hax`<w`#v$u<uIm~qMo-oHb{<tf*XcqghV(H|m4vWW4c1bR9=G^UB@>vN^
z3T3n`qKU00>#JEh{VJI#mB@elPTRs-!*vSWB=Hxx!mwtc>i`3Lc4(^=wbfb;!)1il
zY6v@7yePyyY<iU8Eb<v_Zj6Ktyt!#7wsD4DA<L}=OXLOE_W@pr^_V_OQ!<w+IL<2a
zGy9W{vloExpqU`EU_*F7`^gvCJn{sK)x#Cgw`4=ge<LZ+S>C+;PBmL1Bt7axtWo(r
z65qmVCM{)lvdr1^q+Q@${BDo;dlC_PIFyZ~lNz-rnuQRN1h<G-$c&qXH(SV}yJQi5
zHW80I=v<}}2Ri=2D}7aK*YSH3mH?$#UBeRi7_GPsaRLUGU8Lat<NK%_J&3Wjj?8B4
z#Ij^E4Xe_nq?el2?-;_@v&#p0!oiDxVcjBbxrFGthq6~)O4fve&iEd3xD25b3x|%6
zj9F17pwrk*jan<r!nSah#pc4OnO}Y0Wx3)ChW*Dkt0A|*rg;Jn12N^Ikk$DihNx}s
z^GX;tR#d}cVRIr=gDJXorG(WRlTZV_F$qZI1W057NJPf(SYM0T=)}YgnfxB-Jozq!
z=Zv5l1sPXDKV#F^WvN&Qh|jXmjS?TNxVz$!{L%#$=Dn4?eK5-(aFQ|7g?-U9v&o9f
ztr24&FJ-Aii<;F#*i5>`BiOJ!6goLtNpebz*ehgc<Hu%)!lqtZ)2CF#?h#)iST%hG
zvo~)W>WyNAWDJB1W7s>q_lLgCD3O}MY=#wkFWj(U5st?(7q+f!VIx8h!95WR-~b*-
zg5?eCZ(?fx7G2PO`ghi>2f=tLCl2K-oPKVHR`8BHY_}a4orV>y7Nf~o2&-6<u69A?
za15I1c3OW7iidqh<IJ5Ju>rJe5H(pw)rKtOL1k)osd8EPibeCF9&=Fs8)(n70-x3I
z3Tv=M;3TLO2n@^xB7@0-IR@5(0R~>Ub`Z=FzQA=ces9LT1mV7bGZ=;IPl&&P5QDH6
z&j)?D4#Cw}@U?-dptHd`!E6JOKp-*_m>38J9faS%e{Y}?^b%^3{wu)@VXdIIK~F&+
z;ctT8!ma`h;(MVEGX!r1qXgvrP2sP&e=nFJvJuQMutd=4)6dZ7aYp_$L1*C%fhqD#
z5?&FsH)s@?3M&LM{$7}cdh*}%{~?G52@F35180Hek2d4m?bE=w;l~gzu;APC|1wPY
z%k+GI{BHsM#rK&$921xeCGT6&e^YS%6`>j7DZ)F%O>B!3jKKX=gr4~Q@?$^qef^=o
zr}KUOZ$Y5{{qy^O=xKqchmSPD)5YHfo?ianLqE|peK}Sr>#xE91D+QDF7Pz^cVWN4
zSx>(_4gY)KY5M;)>_i!V5%_WPY2e4p{}lMK^dEtzvvK(D9fF|-VYtfBXBcn)m!ac-
zlU~$GF!W=<I5Ye>rulLGX)v%6^x?<s$DkkY{FwjmL#Mw?3x0um{%tTYfByvan(;|6
z6uf=^OwV85zQ2$AMueXc-Xh?)z^d(;pgXPz`nVY%c@fW#J_himkwO`Md+T}B2%b*~
z-oJl?tC>*z{yopLJ_bGS;`!I#1d&8ALeJZH{`TJm)4xk68uve!A>{d{vp|V3;=}!D
zToK;C*7H-Ir~XASuth%b+W!pi|H;RpjVJwo3*hTKZ~qwd{GI3Ve;2^}dH(-tFt88|
z1pVpzK;NIw1)~fEs52jj0D3k1I3MwJ3VQ3NzqaBTf4@P{O;{x8hcw*`y5K5%|D!=4
zK|ekSUxJqTy1W;3L?83*&_;9p1oog2L*Yz3@BBVT*!%rIcsel{i8A-=>0=6Lgb%3K
z`)7Lk;Be2=Kq*2d@;QS?{}GUHDnc6_n)Cgn{}$9m-v=Ww2Gyva(I@jEU#}$a5xzan
z=-WgjOhKQO;=WiQL68g01!9BG1=gsSMr4Ixi#cruu6~%4XQK|Y@$GF_Q{n9Q6!%{s
zbpJC>pN3Dz2c@3xe=^?rcKk0x*Z(Trhj#zi{(p7F_|>l?grA|k_%ZqxZS__#=EGQj
zD->ca@(sT8!<t9<J9y<}{O0Fqp0DzAC*~;3hx+-CU&s70w<!eQ^3O02%+arVl!9;g
zc|yOwX%h71*E;CG5eA1*&LFhywD->q8s0w_jzhq_YfyvVj=1O7Ls#DaY|s~dJy0-B
z_z-F3c;{)fV<yT`gO;QMYoQq5@Io*Fp`$@R+}{?6g~u>AnIPXpfw4h1!Bo&>Z(#$*
z^*;r}^mOw;@R>oLz{a3l&|i2Q>G~p#RPY`DjDH{h4!(SS+2Z%V@MZCN_4)Zc;`a~q
z_oFel+q{2;?-1#~<-+^d2Iukn9Ij_@^#G6M!^d^jI>fI-{4|uwe|IZ>>+oBP>+AQg
zL<a9)BfLU;{KB`1Xa#-;BR&{ce_Y4Ef5HdhYVf1g?_Z(Ke$ltvYy5tR-@oDd4A*L;
z;RC-`!8!)-cx~_$<z7U&XkSqf$_qhx%W(BUd=3I%FGoB_+lz#_e}~YBGCs_+A_ip;
z#9c=pp<hJN$Q${8*gF$AJErvSpE|YNtlcfLi!7Z*ge)Q<!bD^th%F*aCW8<WM3`8{
zHkb&q5(Z<8of*6FH?fSt5J4<si7kjAJ6c4eNhZ|$eV(eiw{G|CEtvJK`+0un)Ty(d
z=RD^*OVuTg^DxiG+=09al^WOGE8OS~#_dI(Ey7%cxe#*_&xI~AV?8hY68geB2lEWf
zUt*q$xlg!O$i2<<^fH9oh}%Uxy8v?<=DC<V;RjOQ5dNqKDgOu$RYS^G!drD9_+tRH
zJ^b(~<}l0;pm$<(CFW-_iTl^k%g~20txz5nKCO;~ccFy$HrEtBuQS!7F16n4P)~Vv
zS)aT}U!!kp|65F(T}S^eH(QturZ==lOrtOdGcK$%gXvT4%~{Zw(swami0N;b^PzRn
zDbR_r`Af`cF&%|@YD}ja_|ee!i1TBK*L=$T$J~p#8uQU`t&sNZVaU3X=#nBQ&qc-~
zC*7_laJz;TZfDcT_CTMW$1@@EE3^l6dMr0%d771(GEWlS+8W<3Wqc5sISv0~%ushc
zaUYNU71Pdbk128OYC5_S$DYW$WFCbK)ci<X=<*_~MZRJ-llhB#G5NcRFb|VXk{`*F
z<WbTU`8|<mBFnchM&oK|Ix(*Z+|l&!(WXetbt?XT5z~wKCtpfe;zrtu{IJ_lh9l4`
z#z;Qm`sp0k5AspwjGA}R%_R?#u8`yfa=yXd(e!sj=RiNO%^925(|7JLO(DnLX_~73
z(Vu4!`OOmJMk9MB?u-w#Z!gis8B2AJt>XfEfL(@O!~B>sjY9X?)qaZk6*QXmycxfr
zsQ=b>Ic}CYBWY{;UC?334{7&OokQm5=*^A;pE6Ik?-MuUEqQN{mnX@iq}z*UgGqyY
zIq#v5+=%<_jI}ROu9qkmrk1NU{t}vq|AYpjM@ibE%Lpx}3=PP?=vh)XcSdz1x|P(S
z%t_+Bca?h5`jE8a@XU#NyT2m*c*^)Wvh8!m-p@@Js4cVw)CTGU$+K;t?y-G)+t%#t
z`~sctD|90K+l(p2Y=i#v6Y6h!%$=cr;!pinAO8+<oDzR~8^A{rZ<JnJ?j;XxFn4i2
zBHj!-M}W>%xA?lpawCx;z1{idaHo?wMClIVxx@6q&w<XJ=0MC{pxv?W0_`5#cXx`J
zTNRs~oO>|u!Q7d;5c<Gu>vlBT`b*8W4X)Pu(R;$};q;-dzNC#HW4;^c^rlUElU{Gq
z?~TscoB9&-aMQ?qZpL92sd+PP_6%tVeU9GLhj=eC;}{zbaS3m4GlxLk&}Ftt#TCVQ
z7IB}YaVKf0Y1dL`Ys?PLZLB~23jO6*W-F*2>s{^W<2$-V$llLQXY|6M&YL`!x$@Vv
z-FBGoLVu-?cIAFl)SsOPSyQsuAHe-$Xm4mgo(F2~XdCnF9pun!q_LMd)cG5-?{3q|
zd78B^(ZS!P9!clNAiD_Jl29ks0OGPpdD0|h%hDjzNy{l^t(^{w{p?i8uhx^)RZT=a
zN?j_QUgtF_)~w<+skr{74dQk<SlXfzxzRm(tF%!<(pEK*wBzPeZ)9NI!owrNCxu9P
zNBE}zxpy+Yjxs+J-YP`GZ{M2^A&x=>4+|eBq`WNrTpbCYS0W3qAs1!*9%u((!k^L}
z*?#u~_m=r)#D_hVM`#ZjN42dVqc6pM&UuS|Ep3H9B7Kkh?X^zGkG&MRO@Cv&-rXLE
zyXXVr{vPA+PZ^UB#ZCIU#4CM7((Q}fCtdp&=2ffBc3D0VKfU5~g>TboO23k}c#N_8
ze8yEtQ`SniMt|{0N7{Ib>Iq{RtHwGN=r5gcYh+p`{fD}4C+Rbm^wTycy{!Hsy#B2*
zZg;{QO+1npsV_-yIQI6qN&T>HuW`Id{jQ1gzcbH8&QV_N`$;=}LLNJ#pKLAZ;77_U
zb%ET_@=M!DACYoO+@z)HwWP0ZVBDL?`1CaL`vqj$hm4o6B6HW8LCi%vF-Gm=tU%W0
z#+W{gF#{PB^2eAtj4^W<Yh)a`-fV0CgjwAfagyomoP-=bi7_Rz_lV7&n0+BJw=tih
zCx43he`Y(VQ|#y8Kip5zAx<a1C&Kq9(4S^dH)m7VzsEcR+6VeQ_xCeC--mq<^x6wB
zheNBOKS6)x`LEUN;9Q6~0bZVf4)Z7GZDYgl;PIx;SlV|m>qrwBJEJuFIeke}(ms%N
zk>}7e59NM}>1Y0EdYC)H)y_fK?}ZO~!w0{BB#)<K62`2@+{$ce)|wJ$D($cb@vp(Y
zBPMH5PN`|(^fE1J`@TxQ4R3G;;Z9mHwb8WCG^M21Pur~wJ{Si-^u^p4igdAlnEjzv
zDf$WaW{{ZjtTEJxwSmtuhedY!V-!aGjEL=>FohbKG2u@WatD~s-kqki+tln%U)$Yn
zXG+~JnElal60<+g_cuM_`_5`c&pP9;GyS@~xOu}gTxZe{olr>hxl;Q6qbaxKSz_)M
zKNI~^s1&`VyXx^J@cl^IpeOYrYg4Qzq2IQ&H<_P0zcVe+!Ft&f&_PdNY&gMeBc^+v
z=?S%gI>q)KF@?lkD7hCuZQKrKA0aydIr6pH+WKYyZ8i!$Q0JUthg3hLt=dDy$e#0|
zw;-KMnyJXN7A7zsvVQ&{Yv$bZOy-)uf@VQ7AH50s6ZAIpAoO=+4bnCI1#~9#2MB2v
zJ`cSQ9Rp2<4u%eZ&W6rPndCS;8kzzf2T8bR<NHaNkH&O4<_*w|&^1sLZ?kX(_FbU9
zki;eNya3$?y$VVA`Osal`8DR_ki?TFNms&3IyXW0$EMiDztDTo#gL>eX$eWWq)cKy
z2g!4x!=SsNq}<fScLTYf3Q2uP9BKQpsr$tJEZok68bUpx<o=h~PlA&2RyI$LpG#Qr
zo7B0~=i$&PP?G;s3?+wOjUm@czry6wb=A)Bio*@F09?K?)|><N$8BFT5<H%tV@}~`
z%?11%bC3BG_y9l0yla+%UzrNyI89kYcbwKvYh#`5o$ayrMS966XZnM~oMGT_WTNBj
z<?IFS@9dAuROeLeXE85uoLSB+TyAo1#{P)&DEPSZ1h~Li04`)4bDY<l*TE&u67W4|
z6}ZOv7%X$jz;&$AIL_zJKbUE98Ebts4{I}w%Z_bkn}K}e1?<F5gJZX&4jj9K-2p%S
znS(lZce}gs>`-(B&kkn<_v~KiYo6VYk=C;Z*aN^(Xg!`C!}@_|f5y(TwTIio!6WUF
z#4v$A>ez|QiXA)2P6DT(VL0|=dop;6Jq7%w{Uvxl8i}<R*bBgm-6M>3$GhW=;~woE
z4Nh^V7|%V~JsCXRJsmvLJrkVa&fw{6cQ!be^-IUS+`SyU!o32##=Qo-!My>z*}Vn4
z&Ako0!@Uc9!lgdlS6ph+ecyc_T<$IhSGm-ryT)A$mbuiVyUwL1-7noQ!42*PaFhG3
zaXfyY>-k_KuMybRYYX=9wgY$Zb^)LC-T~KppBsly2Ni?e{qEo>e-wC_e;9bOPi^?W
z_NRf@`qzRt_&0*L_<sOz^KS?5^vSb-kADyNCm*i!|Ifc4obS&E|K|S<eA0(E{DuBP
z@EQLZ@MZsH<7A35MPTbpYp{I=9?x{h>}K4|pv<x0ahbWsg`+#++JR@CGNoXbOjmH5
z%r@Y*nQg)CGL$OQGt&#)A+rOxV`fLNe+FL3?3~#d+$BSqGrMMX1qWpYfrB%H!6BL9
z;K7-L!3mjTz~eH<fhS}pgHtk;KQlEm6+AU_DtLP4bnuMK8Q@tN`a|ZN%sJq>nRCJO
zGv|ZTGSpXQdS*I!QRX6W1|^aHE7Zu2D}LB`!}c7>O3~40PMvHHJa+0aCzu73$DcaI
zY&0Hz*!*O~$FFHl&+pF2znj_L9A=I(lg;Vod^5{jVXil~oBPe9<{9&fc?X})!J~$B
zG=ns3D^hA~T9^)ITeGA2iP_T}z^Rm@&57oh=GSJnxzgNV?l6BgkC|u9tH=jQuN5`j
zgj74Cv-BgLy;#c_YbKZ}<_t5<%rRG)8~HrdeDgS`TNWcxl6<zJjhYg=li3c5w7VH$
z4l+M8$C#7MnMk6!=C|f1a~E>xZ)irZnfK6A{5{4F?`TF39W}b6nX&)D`*k#r9=z|t
z9nJdDqxS9Sbcsvvv6j&q-`ks=4Ev>KoSA4&<`Y@d%_Zh)bF;bIJZPRkYQAok#rgM5
zv1!8!L{CP}J<Q(bVDocxtoemG+gxZaHNP{rAQc}nPns9Z8-{T}%N&>z)7Erh>>OZ*
zn0?G>bGVtrn0t=7$jmd>m|M}?9ySZii{?%9K^!K-O5IkbtLe>1J`@Rjh&jR>hwS|o
za{Ds#d-Dfm?_bPQ=I`b$M)4?}2BsOhVK>%^2AW~W>@ns@WcI1%Tr<O5ZmvZWxX(Od
z7MhpL60<xG(-5t2Yc%m4%&zRU?Pm@(<IM@?G;^MrX?|m_Gq<7Z{nb2eUN&!=6=vo5
z@sm&W$0{DBc)TKC&By&L#c7JO6fal2M)BsO`<`;Nf2ZPn#m5yFDK1uAs<>Klz2Zi}
zz&m>UDaQmwip>?<Dt1)trntRgU&R56gA|7yee{VZ2m2_FQ=FoBzT)MIw<<oUxJdCG
z#j*)gPC7C8PB7ysHc~86Y^m5zu~f0UVlTyh6Q_<pIx|plnBxA5hbbPVI9c&@#q$+s
zDPA%8xMRm>u2;NO@lM726dzQ4RB?ggBE^>!U!Q!^(UUXpD1M;0R&kx;mx>z&8yLl4
z%4sJ~ZO}xqnPO|j_KIB;dnoo%+(~ga#UUqQG#H_{zv5`cv5H43PE?$%I92fs#dA-Z
zI$=tK>58)y=P6#Lc&*~iinlA?t2kfrk&`9eClsGid{J?+;u6JWiYpaAR$Q-GaSFWJ
zV3T0OmWq88_fednc&_5riuWtNsJQx+<EBh(WE2C%CW_4zTPwC#?4sC1v5(?Tr<{27
z$&GeX+(+>+#fgfiDo#_Jr+B^M-HMN#a!Q{a8ZA;>thiKhwc>ikje?Cm#UjPlilt!R
z#@j3QQ`}8)nBqvq(Td{~Cn!!<JQdur@i~gq73U~kp?Iz0t%`Rm&R2X?aUs~R@r#OY
zDt@5&vErAC-w8Hppx8{Yonkkzf0I6nJ1Op_I7D%T;{J-G6~`(bsW|bJ(~df&34cce
zPE|ZZkuP`SGF@?&;ylHx6t7jh`IOU6KBdX+it`npP<&BwiQ-Dd^@^JWn>J8veinZ?
z-n64)H^uE0`zj7l9Hcl*aUaD46~{0RTS&(4AIfwYL7E}mS(5tEYz`x#<a%>3V;Y!-
z=oF372%0hu8}sk);-G^_c{c}L^q$t}4$>Y!md!z5ko;{P`h;aylXU@!Lv$}E=EjI8
zU3G~tauNN}Q7y9m*ipl79=6r6n};1V?B-x&TCNK^**0j)+oHj4hu+vzRz%?8|CJ{W
za|LPh%|X$fOOQ#;nKc;r>|b`b)kSf8b=&HktZi!6HYsa6JZl@Bwe6F&4bIwj%G$Qi
z+E~*NPT6YD*c=p_JH=+N*z6XY?PIfLY!<~Ps}>s1U`)7fs{yguCpNpsX2;lM)kXc4
z#Abuol)g>)wz9G#@iZr=%E4PT%GyLWsaxBMtgS3-Tb{Ko$=Y7Z+7@PQk0iD>x56o%
z+FY-AwIb^ixXe*x){6anMP|9!nf-!O1UH+@BHr|vac#wHXlvs6XWAWRlhQxxkA0bY
zPGRPKF0;Z*m<eCcd`;%w3z-+n{Byneh6R@fP6;b(9i8q@A7_9w*cs`JcE&jqoXO6q
z&N<F>XO44)bFFi$bGI|!d6bp17oFFgrOrxL#lCblS&y8NyEg10iP?cQFEO2~V)KgF
zlvWaVX|w3L%6sPu9UEL{x$`BfX);b&+r)N^#tPd#GTk1rxjynybaK%&wFO19imolX
zx9EwY#YHQlm=m+OM|5Ap3X-I_<)qkT?M&~5V{mUVEH+tJ()%wXvt?0~vzAR-wr|-d
zb{i0ztgndQmcmzJ&WO!RVv`jnb$=-~zllxOGSxj!qt)2xzEvDgD^_phdG=oTT<&j-
zO;)J%etvAeNY9h!uSEB)yG8ZXx=Uo1-W<7?-ff)DjXYMuIyZ8V3Y{Ank9DaonW3_d
z)VTq^c*0tXU?cdvBXj=kS-%;;ipnt77Y-zyfE6skZNU<?m#Dp?+B>SfhuV9ny%DQf
z*4YbG&M1A+IHgN8Kbaa`SZAY5ksn)nSSf38rBQkN#NoIrjcSBdv(np<`z5STOn|$W
zU~j^B(3;Vt3u|7MHMmp3Qr5gIt8df6o~(jd*4WZM&&8z!D`Mhv8n{j7eDS09W6&z&
z7#X4au&%Qkt8C(b3fPHtHwkqD*d=okxDBgsmNmYq;I8U&44hQN7!}uRW+qQMD0a%s
zz+S4@CBq6ep#>|4n4=*CJ7s2rrHWlxpOX-RtO0hqn|esrYSQa&>6IGM!uG}g7;4!w
z$7gM<!OPktZmbx`PanwI-c4*y)2xkALDnUW$9lYkfHyev!+LyX8;7;|%xHba%6t@?
ztjNdyr7bjlS(A_5Zc5x_y<Ea}vS@*QS=+zJ&amZfKX;Hj!<*$F@82DqlL;~-GGj9<
z8_aJ|(QrV+vl_nMs243hh!w;AS))3<fZV&+Jjfd0LRQ{hVNGl)t5s_`N%^JO2<r!q
zyf@~$Q!+#C-_;y$7ppnLzM|$#`?{L5?5k?dwlAwW$G)cKTnV2!HVTia;W0HlriRDV
z@R%ANQ^RA<wJ)+lKgB9%SgDm#dpWqRy$tNhn+KM-F9wH;&&;v*5^x45)Gcw(17~rf
z$r7({#~e;TSh%7J-`Xp2?_jS2OYIflQ2QHjxV;9PVXp>f+TVe*?Qg+3jCKQceUXz7
ztl}Qe3gcO<s?K8V?;6%J?_@N2gw@Pv7*7_{_m-KJ=3_>c3bToG@=<*<E>N$-?YnBu
zuy3n5)5=+lDdhScHD_DKf9~hlrE1QV@YKstOL$BTkE!7?H9V$<$JFqc8Xj}5eM9T>
zI!e*OUJsVqYr&!R_uz1ON*&$|&agLvGwrS5EOu3;>^FdO>@DD2=8^0Mqn-C+b$Or}
z42O+mRrfG>Y=XU)G|uEinxt_%SZePB<vfG58GARG9oesyRQ~`D=j@E6cPBX0-UZI)
z<f5c>4_K(R{)~GEJ0C2y_k%<2|AE6f%PR3a2+p(*fwS!cpp0jp{R_6C%!0GhCXwRy
zuRQ5s9|cS8li;@Y39zR<9Nf`90uHs0gEKfoEiwNMob^38-~(;Rp`40}IAEokGdNi)
z_cQHkHD}osYR<MFsyWB5Qgf~)JT0l=F^5~iV`_Lz4UeheF*Q7<hR2+1mnjD<08i$0
zi*--83n@_t`!rZ;p8|)9ANb%oaE5&roM~SGXW3`KIre#QF7xYt>|@C4_h?r0C$N`s
zD(mdi%^Z5c)#y~W(hu%Kx;)By`yy7tUpMc#yK7!MxP#R!bq7Udaet!baCa{?k8y{o
zIl~>I=1g}_HD|d))tv3_q2?TSxSDhAN93r3{TM8@<>0pVbFe3;9HlgCz~S}_@ECVD
z@L0PJoMFqrnRY!mi}Sw1FQ0&O>}OyhzN^5!gZ&yT<!rFT{3STt{sWw0H-IzkMsT+5
z>B4ud7!?Q5H%6c*9A=I*li2Y%!<^3^!6oeYT*D5`AKCY~pB)L6!0x_Unhx$rHA`LQ
zKeX6TcW*U^y9cXzjC-J(Gu-{voav5Ia~9_|#s6$~KQ-sL2dO#Nen)OP*bpq`+?3>d
z6FA&uzC(?S0FQOqnaj*@S%t{VbbWA^%T6wF8E}s4fpb~g>XMA~NWT$`DWj2pM>48R
zMgpFJK0V!Sh|dmgBe2wM25#$a0rs?_H|*#(0EhBUpQOGec#PWuJkD(nPIg;@C%Hx7
z47Uk5(=7pKxiYrSb{m6p++wgm+qi9T@8GrtOI;a(hq~;5kxF}T1}9e}wynY0?p7e<
zgN({<N9;p6<AKjQm98^BJGfoIQnx3#t-C$gQ+AUnT`4$}6EBkPcHl8?Z}2#`7dYAN
z1D?b=8p%&La3<Qjlx`bvHt!2a>9z&u)|+n*)pqXS9;RlgJ4Vf+?jdRpXO~;};uv?F
znls$7YR+_-bK^eC{h6AxIRhy7bKIY+IoI8h+;njJfu(L=aHzWjINaS8JjNXj9?Kaa
zDbG&eOm`qS%iS5A&DkF*&n{qr)<P>FHgpPNL!%%D^a)}>n;-^s31UE#AO`e^!ZEys
zyNrSo!@Ho2fD*%dpp1SJ!xB(NzQQqlfV)UhiD4xu5>#SX4T|)X7(N6=a!L%1Bkj3z
z4?w0#Ee!@mo=GkJ1Qb~&wKNPAIVSb9Cnz#Z>Sqs7<X25G@5@t>1`_i=phyCV`Cw3_
zfW*8%C=x(oJ^+;7FEJkkR-flXc`E!OF^>U-S0v^mK;aXKc`PVAA~F9A6#kHye-6q{
zzSHtfW>_6%o(1h7F0J-~WPLet!Pe^3h+;qD!i-ZW<uVQzC>zg#+_U$ca@iA?zIiSK
zap{(Iv8{TUE^?m1zsbLu6AicefAIe(XBzxF<V=HqH)k5|<wV1Ma-PBeGv^r|@E_#v
z208tJzlV5!zyC095BU!p+j6}*lV{caZXs0q_Xpyr`n!#I3;!M>6-hDw$9W6#P~Gog
zawqvK^!tln`1gok`1e=8;E!@!=XTDLEbyN47J5&6&v?&zi@fK&=e-xa7rnoGFL^I}
zuXwL|i@n#p*S$BqH@&yKCEnZKJKnqAQtv%)nfJc;f%l=e+*{$T^j3MRy*1ui?<4PH
z?-Q@g`_x<KeI{pAymIdg?@RA1kI%_^-*_9mjov@JP2RWOcV6gou-3P}>wCWM2Y$wH
z;5YOe`HlT1epA1Qvn?h57Jf5-OTW3_!f)xf@>~0D{I>p9emj3_zde7N)zR<dm-?Ok
zE`C?Po4*a`V7B#p_}ls0`#t?$es8~zzk}b`-_h^q_xE@5clHPPyZ8hBUH#qspZJ6P
z-TlG-9{v!2s6Wgf?(gaE<&W_9_V@Ak^+)>q`TP3^_&@c>`Um<4akA!Mf3$yyKgK_l
z^EE&7f9{X-5BHDokMzg;NBKwl6ZreCiT<(vB<5x(_>=t;{VD!QoWc2pKh;0QKh;0Y
zKi&VOe};dif0lo?e~$kv|6Kn(|9m;0<6q!U_b>D>@-Oyh_%r=k{%n7aKi9v+zto@S
zU*=!#|Hi+<ztX?T|E+(u|2zL0|M#5dxvt*aUzPX255E`Y^xG=&_&o)9ylxy_m6NOT
z@T2}?{^OiddP2@9`A>01>1j?VJ?k&>pYxyhU+`b_|L(uUX{A^ESN+BQYyRv08~&UA
zTmBONZT}trU4N<np1;h0-~Yh>&|mJa@K^b({Wbnt|0Dln{}aE=|I}aSf99|EKljW1
zFZ?h4ulx$1Kg9Mo_#63l^CtgW|2scqxy}h};09jc2SJcAPP6Zv=Z)Rcn&v@+V9TI+
z(8Bvw&?;yhv<cb<TLtZct%LSKhoEE7DJTs(2VDZRfo2uvz5lqLSg0Q+y|8jW+<~6>
zWAwwrwI}{-`l0l~-y@IE5VttTjP(E2{P-OlS%n|{$H-l4QxqH+92ATS4h}{KhXiAS
zLxaPDp9bTCp9f<D#`}^Ad<+SO2E&5k!Jffh!H8h*V4q-L{*3T|U}UhLaY{bsJSU@m
z$;Z%_*^xML*_d*%C7Vjh@wGPVW=qzat%I|JbAn$5=LY8m=Lf$IrUe%S(}N3xi-L=T
z8Ntk8Rxmr56U+@R3HXk3a9MD9@SEU@;F{p~0V}p8&je^IB?pqrZoxJ|_h8$gN3dP6
zeb6)L74#1J20I3Q0`%3A+l?387~B-x9NfZPNBs8-`Ug7&I|l=TU4ntZuEB1>PlCb0
z9>JghU9M!hY3}Xojr8{O_V*6(4)hN4MtKK&qrLIoQQpzs1n(GcqIaw}$ve(F9^Vu3
zeW-Vs_fv1I_cL#t_jB)X?+EY6g1$waaY}}vNjfEiSWmVkgH2!eSZ{Z4u(yXd#2e}j
z^M-qSdVBFVkcD#ac&1~fbEaFSd!|RGccyQqUuLJwfXu+mZkgRPhhz@T9G^Kc^NY+W
znbR`A%$%7yJM*i|d6{2lF34O+vJR;YG>tiNyAyvyIl%5>2ijfjZuTd^4VLqhB?DMl
z2ESv%=P>gt>Bsw(El>wq+19p=ZELr(?d;aJz2(bMoZ~IEooyG})poPn*zR^)+rw@b
z91&bc46V_UIk-v;%{d#nz3pjx+1|Df=Y9Ly9c{mWmHUzsIV<6K_~ASP=Y$*BhPIJy
z%>G7GTV#uEiQR&8!^{thH_6*b2+pR)Dc(rE6<%|)?g^YVw(hx#=P91A7`abV`vr>A
z6)#l0NbzFODP|`CyccW$Pd8x2xF!28F1usBE%jkKar)n~+i#2K*}MNuw4MKct>(I#
zbj4cr#JY|~Kcp7;uO5BcRM7%!o&i<S0qvRgEPM9%n)wvc1oLM)KdKh!9{VpJcMIx)
z<mz9kn-<Va{l|g^-ab{wHE&GS@sBaIkmefetKQ>&7a0M9>w_EO5vot65sE$4nnx)a
zhnloAmpWaX9_+dA<m~1QaYpdYitM`|<xFy>u=9SFbG~yCd+(P!S3B3U`+lc$pYtI5
z?+cvgomZSU*@0i~taa8q70!3oV^nFz_|=}Vst04xPK<X$><GKR9c{<jBke>x*-o`*
z@R!Wf?JPUbUS+SfH{09oy>`BR#6Dr4u`k-ic8OhPSK5#5dRt*Pxz=sq7P-y&`{s^r
zH+OrtuRDMpxMA)-?t$(Ycbt2aJBhbQPIb?6&v!3!=kT7$)$aA~t?r%feeQ$qqwWHC
zk-L=lJvMnwymsF9-fq<NIB&9ds&|%mzITx~$GhCS+PmJn)w|QX&ztW(&iwl&=GyNt
zmo8_n%v!GZWH26F5F7<Q6&wvN3?_h22giWV1QWq$gJZ!(0Viy{=Yr#8r1PE+&{(_|
zf)l_OgUR6EgA>7*f+^t3!AamN!O7sO!7sqY!Bp_I;1uxn;8gI9;56{f;B@e<;FsW%
z;0*BX;7stH;4D&mGB}&JeI$S9fKLU#0v877f=>tMfzJfz<LlYr*Os+YayX5<C&=Rk
z+&v#m2VV#-#O=l4BHj*?JYEdG6wCl$4rYR{1hc?bgW2HXU=H|NFc*A1xCDG7xD<Rd
zm<PTUTm~))E(hNZegnP}Tw$!=-m((ycd)Eh`yDNsnBU1Z21{)durvCG^}E<2u&XTw
zyV(+O8@mPA-8KWa75&6E_pc?+cWp~>Dc`BF-g~w+xXiWz-?ywsdmr%4EbDz}+kwmN
z*5C@;9$aZVfU7KP(B5h^Y3r@ArQllLL$=;WwhQ>NWhUr-Vp%Wt%J_zg^**(%Abaa9
zE5+Vtwg<T0ZU=_JHRQ?!zX!LlJ;7$S7q}&Fsan6e?E|)uJ!HS7?F+WDJA$okKd={H
zud;q`yEC|h9RT*>+mP1pYX^cm@*NlJ_p`f!{rO&@^+o@-{%yijAoT!JW8Q8uv+%#A
z)fxs3nOzJ)Gw+8cdnhtyZ<7fcG2a-9uHGM>KaBgv%sz&px$lIo{ZsCnFc%q)9=|i1
z_gL<mGBeo|t$qM{_|Ld6VxF=WI{q$b<>R<7X4WzSjej6I`p>y9VGgr5`v0zI?1yu|
z1v8p`m<{ZP{(c1a&6wZp%iQ26X!A$HVdIf=tb1aj_ag;a!$rg21DxOu0gv&9f)jan
z)uQna2Pb)~;iCEP1s?B>K#AR#*~K{KM16z7*nZC3XvcsUn9<(^whwLwJ23O`nca_N
z-qa@;guPSnvtYkq2bphhasdwDj0CNo>6Ph?26~2Sp>l$NG&vDqGnbe?nR(7|cfMET
zuPit#V@4)3v(23$WG)l^m;D_<IgR6S5~Gy&spJ$8I~<xX$6di)BQuUSWUe<iIqjWJ
z&e6_9_s<^sIVU8>nd@;o8awZAsml@g>g34DA}7P!Ug+qNUx!lR=1A;*rYrI97@fI6
z@0OjJ2Bd-pj=tZ)bY!2o3+M8Bpndm2W^n$MHwK6Drr=(@A$S0929B{u@&@2U-u#=w
z8-J(prr(S94gM}?H+O{WQZU=FoKQ2IP<e{8CQqBM&F#c+gn8Fq%xeE8-tN1^8RuT+
zUf~?={?`4obFBM-`xj?A(t4pY(|y)m<XrB);J)Bo;lAX)>0If)?SAN7?>*^Ha&BW~
z?>c(`+S0>z8sqy4d#%4J$grd8n08u&T{(xcE#=#R687iqwOu&-GAJ`TGln<QCTC9O
zZM0K)3+)WvK0AlE&d%p;v*{Xkb7y+gs<wvX{+W0jUs}vE))dK|%LyUeR#G4G=Hwa1
z*mLYf?BrS|eQQ|#$AO*wq_)21{b{MErCLwlYCZj2>uG}4(<H5@3$>nRX+8Z$>*-3Z
zr>nG{ZjiW{;f~O_eQ%J*x;|sw1-Q=gW|_u}cymn?@3-EyoCUHv$Lo*ZZ=9WZTYnd4
zPrk=6!r9kMa`tnMFq56}&L!qNXP)y{bC2_w^O$+tS>!A-?>H|xFPV24N1osei!}{-
z$C9-M_Y-%W$+(|WBaOXcZ%fnNYw5M;%W|E(QnQoS)$3{oc-=kT{POyGyYZHpMJi}s
zz0<tYO(Sx3HRq<JPOsycgG~D=d80<*XT}=(_K<-0uY*Sez8w|&__>zU;mN*{-^@IE
z7cs-ll+0=8Y)#1|*Ng}nm+&V2$NMEUBDF!haV`!;PBA)V@Avgab1yBrJCes?^<ZLM
zS0B8`z6U=xHrr7D`#T3X2Ra8iqnv}C(ZNNTE6IUl+25gl7*mh{?f6OCArFGXgTqZL
zR(Q^4ML_(G$A?Q_E~T)&I1lBp;`3`xWXQ8)rHquU5uwlI3;}M;{P(hdl9MCw>R3A#
z*8Bq}OXP|5_C{`ttrJfVqF=+wycPJB;oI2!<~v1vgW&;WQBU&}dgRXLHRYr?l#^CC
zhrmf|l#|MZlbnviNu2M5hn)T3_&uHd(Grhv#@O+8yfeifYmaqKvZvZpos;Pa_d36@
z|7TY_zjG(L6P=f}SG=OV;w|kJ?`p63MtjA#(koaBMtax=(kpC3dc|_v%w6fOwe5sI
zZ71PR+g13}4iWyedkKHq1BE~BDB(|gu(zYPoBf&e9(xR>-`h@P3_Zji%cym{{RN!!
zOM8~|Dtor~JMUV1q4${gn4Ky8!OoJFu(PEl>>R0cJC_x<i|i%H-LCdh<kL2Gp1gZ&
zFJo1yx4m56y0yQNw{Gnf^46`rQr^0?SIJwq_P6rZt-V^_y0yP!d>CS{$qdU3v%g2C
zjkeb!*T&fE<gHtKJ@Rd`y#X0_vb|B>y0tgSTetRRdF$5RB5&Q=Tji}=`v-aJ*8Wl6
zy0y2-TetRh<lr=WM~1g<?VXt`Ggr#FAjSiEOFrU|evDETX0Y<w9@?i4Rj&Fed^*~U
z*Zy@J9JH4?Ub*N5cLk%@iS+ZnW{UQ%lh91|HD}U)#+$RWzh9^l>0<4JGqmr|qR(_N
za~KIr&0M5-Pfl()oa$iYl99|`QE&~F^;20#-Q50$WD$8F?+dSFXE*(B@%H*|@hE+_
zcmn;6i}zl|jNUCqHt2i9tih>!^4@TCm%I_23zxj>o4m!_N8jQdq;K(#)VFxY%3Hjg
zT!~^x-r|k!k~egtyX4*5=q`DyHo8mRmyPa{H(|S<aLm*xrd;tG#qR_iPqC3=iDFB|
zc8aBn-A^1p^#rGv;xNUriYF^xq<F33{fdhemnnXE;t407U>hlxD7I8=r&y}kU9p#9
zKgEHHgHJi`tYhq+iu)+;uQ*C^jN(|u!xfKGoTzv_?Iils<|1FLAiPLXk5jq<E4B@A
z`R{Ob;&Mc#sSn;x9o!1t2we+Z4P61vgXTappy`mD-{{DR#mZ;0q&GO6UsBVph)lj=
zp!b=+v3Y%DHZF?I_ym6AI9%g5+4LixCd?IxuVK?JUH0iZvg^cd9e3Y;(wj4;Kkk_c
zxJQ@s{HW(2B+VwAit9t5=l`SW0!G{BPFts=(~WPC^yOWNL7Yx*?(BoEFou<zG1;}7
zwyD*dBGzxZv4V3wK5m7^v63^6P-EitoCjIsS%4IOiMJ}=aXxTX^Ik<czq3f`8)BB<
z7=GV5<8+;;#5Rgoh$PJ-O=*s8$vV;Hww<%UmO|ah+XD6@`Z?Fzfvg$5V+XSfvZqsI
zdpX_gNT=M6BJ3RU`;I+~?~6<zhi!4;ODUvsJadcF(U+%j?)nmYg}uh!X#a@o-S&R_
zu=6PGX&k=R!8chzb1r9)9Nr)imzipBpziN-*2r<J+RqkubG8*;_?6;W>hl&2)mgDv
zv8DQ7qWG@jrJOl)%qRMElDfRF_=Vysb-zyS=cxT*#io33iL}(-T(PTSTS4;=eOj*e
zwTfRVz9;Bp)ILM)?bUvl+P74^NnM^&oUZt?;$LNV#cASv1$I!EuLYe_#m0(1Q}+#O
zKSZ&G;?LFnMYYdT`^T(WI8JlLhJt3J+P78v1#0i8I8?Ex;x>xy1<fmJFXnWa;}qKk
z##z*F(doE1;q*3dDmn-L%V<*mNpX0jL8YFxecZRAo^>FcsjH%9Jw9b+^i<YH_tDkS
zqU`$Ut!9aHCqAN8((Uv5)JybN>3Q47z3ZEJ&9sDlzjo~Lb(g+E4;gItv?J*otD{~K
z^#tzD!GBAh4b&%xk=t@R4Y#;|P^*S>-VXgsu!G{>iv1L~R+MjdInH>+;ezG@wU1NW
zSzRtv`w5DBDUMX^t+<V1OU1^DLlhmwnSy-zSyE}OSRzQt=y%QmYHzOY`zj7q9HZDz
zx$f7>GmhHtQuk8DOBF|Qa@}!;2y(t(QW>n+Rq=O<zT#toCe6d!*xm8JmBz39>@-q)
zKgBdx_f{9>Z8KBt)o?hHO!`P$LGzv3yQqD++Q+DUm7?~AxCcf3qKH*WhkaowQ4g^@
z9R<xY!Dl)?(+#`4M?}k_$A~VINWHhEcAjbUj69R?&d4Yzr}Mh8o>28Yfl+3Z*^@KT
z5)U1YFYF0!p(tO)f@cKfyDs3{>Jpvxi_RIWQkSlRPe1zfGEMV%&dnO<{2z_x@g`s|
zr=K&>8SL!IY;lxxm~%Mq10L_3?3~UUfzzBB&LzAPc#U(T^GDtayx(~ke4J1V*_)V_
z+MQU(8-g31wM=XSXDPeh$sR?MXqUpdM)oP#$yiI=kK^-AaG`U!9YI|8vwP7b-oI#X
zTRU&siKOx+Zwbm?20y|{+-K;nN3^ps!nwlEBc-bdt2-Qo(mf8!G0;BY9G2bbc+oC%
zrs;0S?a6+JoleTj*cDlCZztR%+)0QR*%yg?-_GvIz4j5#cGH@CEuFSg?4@|9;tq;E
z1kJ^2AE!86T`o}kR$WFYc2Yc1k$*WL&XIy<rrLK>+(NO5;t)lvI7iTIQe3YtZ57)o
z_Eh9w9q_X;Y)j1T)qb|(u3;Noiq(FWpmT>}OLaLdg#Vp81<m{F^141PRr@DupQQFh
zp{%#9RF{1f$12{UxRoHOOZ=@An}waR_fhw|)a5?4cT;<7wST7gvf@4J{;=k!v$~w4
zE<aQI$7+wlwo!Xy#clQJt7_j)(Ni3%xQ*i0imqZ8LB3ij`5dG6Pu1R4@ToHv$huAy
zX~4T<j?-1}sc}yomGaS&`HHOQ=A?nhj@9^ngEdHpvme)BpR6vwch+OS&G`a+nOzsh
z`JK2wRr*x-RE+J>>3N?qK9Svnw^4?e=&giAu3WEj;zB{47a*I}<!;4;)Lp*P=kRtG
z=*(19xw7ER1xr(Dl~$5tgOOh&dHX4P=P5~Vv4)?nF-}(dNW~%QBC`_5Ia_gr;x>w1
z6ji=GK48IgO;u+Gyp?DEgUQvmJDXD;)r`>wq(%+zW;sv(QRh*YBGCpSL-Tfa?Fesm
za9^gP!QcjaHhiV=*v3aTp4#~Q#<LpFYkXDXvc}&vY0#u?lMzj(G@0JynkG*)S>4oY
zTGX_4)Amh=H9fxRyrvH}U0P&|x)<$VbY#)gqUl9f72RI+2ya3^U-U}Rn?*~DmKT*3
zl^1<eY>S%|H!E&k+`hO=agXAD#RH267w=g-viS7kbBd=G&nUjU_}bz-i|;F5P`s$P
zyriV0N6Cnii6vK*+*$Hy$>Nd^wg|T9vc-@sCTwx;7I$y)%oa<V^=NiRvvZqGZ#Jvh
zea#j(TheS<vz5*FZ+>L+sm;%5eo6Bio8RAjQS)WZS2q8yh1a4{i*_ygwiwW2{}vNk
zOlfgNi~CzFZ1H@H4_cJBY}c}H%aJX|w4BlM`Ic+h0s4vA+8M;RPj`m~o2~hp>#qF6
z&~ALW_9uMdb&wg%lfgXc@9e?Xv4`M39NLq0GV7ggGTs?-uFLyVxS<y8X<G1)7Oled
zrggZ<w8h?^f4z7b^BL$_Xc6=r^gOg2KP#Y>&?;y(Zfl^m&_~e6&?itC^eO)$GoOD*
zc>sD4dI)+L+5l|~Kjj}_R(Zb;*YgiA>%CcFg*O|T1I>lzL6<={h0lAp<L^%Bu5eYR
zVYoiih`ioLuFJ@Ex#qYX|5er=4&&>BrXy6!eGg38GunamlD-h%;iXh%l&XwUl~JlP
zN>xUw%4#cx`G)v5KpUZdK%1a%q3@tDtZ)qEKo)W#5AvY^%0LaEhEOA@G1LTV3Kc=c
zPzkgp5`rG%w18SdeEZKq&N?zK$!N6|gf7M&0wWhhSslvibb?AD8ArN6T_MIPXB!Ba
z>F{Mmhq`e1wxUCQurluOpIa49Z>SHn1JoDV5$Xr^hsNUv2`)Q&&IITfXd-khGzsF%
ziq7%S3D9KdL}&_h5_B^33ur2I3Un%T8pK@7`6YA)bS88bbh`<hJD@wEyPyTQJq0a<
zo`GJ1WWM$av=UkcF&c2nz+vazVc*?h*WF>y-C@VwVZYr`J(fCRr`=(n-C>uV?~g*%
z5&P>7yXy{n>kd2X4*Tj3yXp>m>JB^Ve4!Mgj@U(a*h6>NL3h|c=bNQaUkJ^beRBtH
zErVOj;MOv@wG3`8gImkI%foW-Vcs;IY8t~;&7oZ1s(@2hn|5$)r|>)F(B9a0Fh1Pr
zn;q$={gI3p66P`Jap-T*6VQ{;0_Z8I`hHnKzpS8NR?sgi;ON!#%hmMD)%45N^vl)s
z%hmMD)%45NaCA8wT@FW=!_nn%bU7Sd4o8>6(dBS-IUHRMN0-CV<#2R499<4am&4KJ
zaCA8wT@FW=!_nn%bU7Sd4o8>6(dBS-d97SF3qP}=InZ3_66jKB9>g~c;0zzm@Zk*K
znU6$#0D2I52;$3|eBHX-*?`HnHm&8W-aZsSgTn8SD;3C<3jRSV^kzV_OyJFi=0J0y
zdC+Ch<>4mp23qc>aGCd)@H6B~1@fgLb4B=F=1SV>AX;)sENetMZZKOR_1e)A{KpTH
zaxE>kqz1XNfmYZ+D{P<@HqZ(iXoU^5!UkGlgIPyhpF!)P&!KYY8{*yoZG`>-ZGygq
zzJtQBjFu^*Wy)xoGFqmLmMNoU%4nG~TBeMaDWhe|Xqhrvri_*;qh-oynKD|YjFu^L
zM$pISBb^_B9)uo(9)=#p{qN9+&}YzkXanvW`QNS6!uPz>p);ZB(1p;fa0C5d1N~qF
z{a^$AU<3VNgLj?Q=r{C*p59;3pPHql_3|2OYdN*WcL<=5ppT(Xpfc#wa5-(Xmc7HR
zsfVLzmFH*){=Y6<qkX9>|00M~qd#p)e`-q0RM0ZdQNtC~a0NA7K@C?>!xhx<8fthA
zHN1uzUPBG9p@!E`!)vJFHPrALYIqGbyoMTHLk+K?hSyNTYpCHh)bJW=cnvkYh8kW&
z4X>ew*HFW2sNpr#@S0kAe?+*^nMUoxqt0~bLg*ssVrT|*J7YQj;sgITh5wt<S{1Zb
z1+7&<YgN!%6|~kyT5BV%wb7xRwAe;kY$GjJL5o$;V$afI&(dPgdgq%``osor8s-I<
z({Z~Hx`>vV0nMU?XG3$KxzIf5GU#%~=IiJiH<+fh=AcXiQ%WD%Kp)wVX^cky|6AhU
zr6r_ilyjCK>U+0DeJ|u|5%imfyoc$nf8mSkHtv&*e)wO8ezYBX=`HM}@N;_}|F&5c
zK55rM--Pe*?}6{wjnF^Bcic?4!EFHX9R;^hxQe&2oAHizGj|J9?6wP^blXEipkdII
z@N@4^%oII*XWZg&lUo99fj(*l-DcQ$hFkU-a<4IIeomU7lji57`FSe6Pf5=wJwFa#
z%>Ou6_TA8Q$5$JCwZT_QQfY~Q$#1b~ifdC`i*c2h8k!PZ8{*n9o1?nLST|o8-gI|a
z7ja36TxDyZ7_FQ$NrK)z$p5saeoy#$9ZOZWJp3>C@>HfF&k~sg|BICSF<cybnw*z{
zvtRYY@Ex>3X)&2$eUi0{OWH^Dtf}Fxs%*HNEr}r=PcF8~ypi}WVs7nlI;knAl+HD6
zJpQi&>E6xzHRd$T3rriNbhk`H%tlaSR$?7@HF=Lw^KHGY!>{-+%}wMivAN<aHFuPJ
zdEQ7ylKs$Y_h%#+B_l8{8%TR!+((A1dA6Qs72W~i67N9FgVf(LZ**7|+=Yb6#4%Lh
zt6Y7I!W<n|@U$EaY$T)4euR@a4kS;bxF5|E3AZYKl7w3;PYAa`pMDnSD|xz_r|UJ=
z#^i1-;n(A%jF`*F-Oa?ln%pfXh4tRSm{AU2H9kJqYWkE9*R>jllsw5<xt84bj^aN^
zk0zfJD8WQD$4O|?F0LDJk-IX}&>PS5qli87x6V6;GEEHE@$~QB@mlIn$o)~|As17*
z#KhCjHD!6aHXA+)yPT)%c)HFsAcak-6eK4Sei=TbZulZxDt!8B1!v*L6Z27&>uA!S
z038!PL-@7cvE-Wkd&lult5Ggj=fzWjFY&QfQlZA8IHV?$C(F&2_E7!@<uLxI?x&^`
z=eBy<ahN|h&FvAGvv_tT@0MMK`*oPtW8Q{&JLaEx8*Dy)9>woM>`yZ${jjk){<CmR
z8XK~nQp{S)9;~J8!CJ~5tflP1TFM@*q3q#|fG(xyG;rsHOWfavW$uH}YDT`#;mVS5
zmHz}(IZj7<5C3s{T6hPV*BxkHcc5wAfu?nb_hh)#dx}<m7J5Fs)O#88Rp_<weea!c
zh4(JcmqPDB%b@q651<dB<<JUfCA11!4XuIJLLWgNL!Urp(5KKk=rd?NR6!bFL*GCf
zppD^be+#G?v?bIWY5}!`T0yO$Hc*f7QhyK3A<$507&IK(6WR+J0qqU#1MLeT3;g|{
z{h<ROdYgX`GzvNx8Vwx+je!n@4ugIQjfIX1-}jG(CP2qP6QN_FNzif772yj1O6V%+
zx6sw$3bdES#`E6{m-)+}wa`~co2o7%q4^4)jJNpy0^b|)y%FDE6!0zKH>Uh-tR`gP
z_@cA|k<Q*V(6!J#(4V0HLt;nIBdnU!YU1?2K}!3T^A)rSzp5s0HfR)X3`!^;r}43&
zs|Tz)1x+xUhMxq*;b%PkD%c|YI%pPtW;maZ3u{t5T@e&vGK0s*dVH+sY<na8F~7&P
zLR`@t8%d79uZVY39Ac9`6W`+V8}7=9y}~pi59PR4;I~}kX&Sykn2+$KDTpsx^D~Wc
zU7S-%=?e`X5cadIE4ma<KH>=@m&RB^$R=KHtk~ckh&&!euNobG5=+9*kW-%^!9GEP
zJ%a@M%9MD~_$4F6SIGXayaU2N6Y?uYh>r+e#t5;V7%GsM>xgAJ5^^n}S0W+TiG)Ok
zC!^MA<Z&YHBPqGg6ni7d)qbYEw?A|M@g0bH5I!U6UEv*V+IkaAk#`L55l_TCmS@K?
zu1ehYuA60*{GONYEn=smF}rJJVFkbP@H74WgWZ7w7a<E@oeDbtJG<IDAJH0Edruj2
z6rUO>rw+>CK6|I`Al$R=-bT2ya~y6$D?uxwW;TS&!R3rlc^6?5ALWI8<av*8!l%L)
zkQ~XKtdQwN3epl~*(Vk7BIohQN6kL$9r~{@_YSysF>fQtZV<dnT=$Wuh2gv5LU}v-
zfAOLY9-<a*`Clx%ayFwE9QA7WT(}w@U#7O@;S%9n?uA|rKcSXZfos9C@ZJB0x<Ybu
zp+m=4&Zh3NGpkqZ&N_6|^N@3H^6cNyR2h?!LE)c%s9c7(<mAo|73Y6OJn;MrW^ev?
zuxWS~(qe__#9WB`aD_a9FIMp6q5q7s)F+qW2h4@^3SW!ECHEiDcjzNo_xSNY%Rmw_
zI#ToO4&<j9=^@o=BgrV4go!!2gt$cFy}@dKoi5Us(en*(33f*QItBXyJxT5V?_KP)
z{105(v#QglDZg+rvS&r*swl*T8dvnCe$iu>NRO2<Eqp>Kd?txQ?xQDaJ_C27W#V6T
z&G0oO9p@}SPF=wD>tp*W;#`l0uq=Eh`}`e=;a`1K?&&{%eyFi>e$17A{Iu$x0xi62
zcn2+cM|fKtihGrww7r^%dn(d!f&N48n~_tv0H3ivaY>%D0?j2DzK4eRI=}Y_jV<z7
z4YFUaV`nt8%FcAE@m;%fQ_?S&e+#br#hM&*Tk)TsYh}X|<K|p7@m=^neWi@^K!({?
zQ-0s`(tl;vzD)_TbHbV<#h+`oq^4Z*!QOnnHY+i1&Q;TB6qj1wK<mWZv+d@@pAHk3
zn)uMg>R##qt?ePo%s*-nO4=ZM{V1h=L)%(P-BwlzvWab`C47VOt|#}V?s~Y^PFtPZ
zHe!vUQe8=mn{!dFI*-EPBb$@Le|nhz(Nh2YKfT?4#Qe*<rFFg9<UFb_k-E=4$+zX!
z3dKGDF5e~mQ13r94bj&)YsHTll-R`Gv<dIypEW?nF-~%+TLF;KKmUrt>zG<a|B2UH
zbX9`&Z&oYw!+xK;n#SABjhD4tbc4EIh07x)O)jmMAF|Z-%3qR;n$7A;UA3)ij;H=l
z;X&oJq#o;6`%!vHZ6|T0b0M);c2D|<woIip1PL3ym5$-Zutz;Fm$Re<^+_u#RpCA$
zJ+exvQ|lWAXNy((b$xPE7r#G5TT41<`vv<`O>M2=)*5@6{xjQk``on1>}&SYxYnZ8
zu$L2liTQk8%JF0R37<@24`0RB$YfaOT29Te-ep|yTh4hmC#S1e1z57VdR&r5%_jBy
zobVUs>Tpqbv-)lh7V)jDV)D_HFC1{C*5O)_+Y0hm!8;P1r$er6qOCm4Z^FljZ3&~x
zi-lWHW3MCRxL)%IH;|6(hw%mkcA?Zdc&(AvXM~O;BQ<vOqrEp~v&#*8-?DQ^&B&L;
z_(W6WvC23qvjV-SRcTdr@1j`5F_wkv>y>*6hZNPCC?L%=u^4jkN*(20@}G|laLLV%
zq^0AF_&<qKNL=b?Qo?WG*=XdVwhPZ9a=EK6_FQf1Zj`P+ROdHw$0z6A`6c6KMxJD2
zD$e?QF|j44tg=yZUD?4VEtS+-qnPuB3uJ^@U3=c6Scy;M4X0!16BV2sspiV{kt#9s
zhZR~DcBkdi^rIau*{PNsW_e6K)DcoC7L=}114&fbdPp3qm}wuH!=&b__{=$^<VfVm
z=?&_<9;@Aws%W|C)N}Dy@1FLPviIWs&R%9$X7Qyd*F0<ZQkIi)JeAaxtW0f+_fh06
z)Ip3nBa`65O-b9TZ3pJ*b(UI$z75~fTN~;+4sVc<+JhQ<8zgg^B%L3_)cW;Q-f8s6
z^=tE6Pf8L#oGTBj#JYD(N#!&Jbww|b_2l*0eV69?{=NxM=h<2fPtTGo@)7=(9uvDn
z?g{2NgxD4(uC<vtZYBkhxYVWQ>=j0;)&C65S8_-@*1gT^(Gv=nK76>adwpH=+qyoX
zqdj#>y_B+7yW$vrlf;>8+sH*Ex!SUFJAZvGRhwP0%i3F?B(A!c;kVhb$<1+y_N_X%
zQ(e+2<OjabYPR9ZY`Gf8E5-%16wP5xr*|6gzWl$>wPi}XD3B{o4%Tv|TDKOT|MbVK
zsPmJx{Z@Q)pg>!Zqa4rvfY~cFm#aN`smY`^+0%>kht#S?E(RoacHGao*4b8~K9joH
zk{Zfsn01cihx3@s{nIgqtI~J>M0<b~lrJJiKj9!5gR1KAb*QmI<*K<PX!JVc55HpO
zyE@v-s}h2o<xWSXwW=)dBwBSGG&e%SH|y9DTuq6-!d}T=m6WPFFq=XiYRFjX%gh%I
zAf?Nj+T%^vXD)YDlS{j>Z}l0qQh{Eufl@5dfAN)8a5?+Q`^c1DPl9n4JbP*F=(?#q
zSN%ry9P+y^uH9HFgkR$(XGTS1lX+_`Ba8U2-^Cj=*(>}qYt32u=d6`&QEqC=Q~i0Z
zavJ}k_cA}O^A+BNSEL{98=thrzEFcRVoTqXz4_>>U54k&DAAs3zu>_c;e1wZ=7%4I
z_lJ{oUBbxjJab}^|M6;9cxx&yPCN2MdM#($!lls+RkgMInQ`0~-Wtj`Zn(ma;oUF8
z=c}K?M*eb$RxcbceTvhjIrr~lt80(0Aq_98ml}Lj`zSjyHsrLt{L^<e7yeSKDb;wY
z)j8IMx8mFKTh;2ht{#4XeAOu_*?li~MRi!cyg?E_%a>tHxLC)jH3cKdoAFnUOGXc3
z(U}91d4;UK5MNrW$&RpD?O&70^HU|^i1)OwNPqd7^+1vP=u*;Kb)@>L^86)<qz>a&
z<q@;snGxwzq^t8{`jpFPC#O3~;KyRjrd3Oz<5Zp|O0Ff($=o`KM*ON$KFTwrSuNvL
zwv0=|nbb-guZ+VgN3M#VSIt=xuBuu4%%Ex*Qd3Pz%gbZ<X9k9>(MBgSv_8Xmsk!DG
z;Y(3GNf<)OI~*pwKXT`5KYE2zsP*O4{rlO{MJ@0^HF{JWJT{u;-)8UH!0G4=(G{(M
zh&`^UHt5cBwIO$%Fq^WTq!-_t5NRE+MT%1tq8>7quXzwYmo~A*am(qhdhCfN;iAxW
zML0^nFRd3bWZ319mFP$}7H(GAk&8R(%Snhh9D5B?57Aw+{w3Us?+SLg+5ZyGt*z%#
z6VW(ThTi&B_;MWI4{KB-3+s}Iwsg{02@pxFxJLN8L0#fdKk0WF3d)wMF;O!SpG!T8
zY-^?U&8afls1+R9Flv)3`<Yu;jVtRC=Yw`4R<6xFFC`}xzwae7FOnM7#S}hMU9W;~
zH2<^&qd_%S5xkvkyPT}Za;>gFroyJyooRR3hg(Muqk0l=Sw70ekP4l$BCRgXt+#1!
zm)(s>18qdB#WB^8_c*rPoJaJ-yxgSI`&;UU8BlbW<UD*5&Gc#d=4+Hle(&ok<Ez3a
zl2DxQTf*~&aNN_9B0iRdZ<Fu$6Rj1EN^2*ahWkU|;}AQh+JX;AEOO>GmDjsc?<?^3
zUVJr-_HmNi>P)TO7OAJvKZiv1zdipGw1e3@^)zjjwECtUvi5rMdE9orNvn4@hFUCX
zo+v06YM2GaQ8%b12_C2TImg*)-K9S*mCbX)0qJ;alCe>*igy5XJWq%GaqaoKV3bzc
zjUKr)H)bYzsabv`zJ3@}N4!`XAa~x^ek?n=vXZ3QLOOr=kP)7qp5q3__GH9NWr<V$
zSq&iNtb1$e`?Q^wl64KuO%?ecdra@D;Qy<1_?$hPqn^<^YNUyh`<Sc9n{q;q^KxMe
z+X(SwHdgf_HKDWd=IByeCNsBuKZW9|-AAENxFwRBk(QFkDUar8Igw_gbFlDlx%yyk
zO+BL5S1{+1(;r{+V@(JAG>*T&*-2ZUuX3@H_j&lKj3zoy(ixJ<Li%IU(s_KlR$D5n
z!|K`~bq0zQ3TPF1J-J&{zPO)eeG`(I1-Z!X=ft_M)}YK!r}Ii!b_MjDi_EW^CfY&1
zpF+{q?xRqsl$+>8fsP>jvotLwzqT@eNNWIb|MIG)mUY=C9;g0B*`zGmvy}g|=T&`|
zC&>e2-}~C?x>gc?l(^@cvYL{(B;1*pk$c`<w`6ZZx#zQZeiO%#*QQCNhHr~hx|AQ#
z+bBye?YPy|MRfQ0swU3lF=l%8D;HnNLjfzRNV$|nhLteN@GU~pmHDqp<`cPDEPh<A
zbvRPmK=yp4X4EZ`f(=YO#%u4}5U-L+PmE=3rHsTg7I8(IQT{|iRq_|#=1ae-e#lR@
z=kT;A+|HFqKWvhM%w?jUTWg+@6bNxkRMyCad+JWl3dma-xjvPx(IjMLGd;Fx9Tm<)
zUa)XwQhU@+L(*NvS%LRBFU41jluL?mSrh&trK>%ram)K<Z=v;x-piZnghc<1qwd64
z7m-}Vv>qMtEwsPqxZ{L@o|-e^W7tHOPezPXKI7F5wBMSplq^p5JLQ*z&vR`h=Plw(
zWp;KRow(N3WcOLVlFCIqylD|h49rS9<vHH3F6KxQM^7cR<h-^^Yn^nH_R95pE%&$K
zKjQeJRcvmkeb%0$z8HQ)OReVzcZwOO#-5GXkYs!xgOQ4_=EP6(j6BYlCw3D5Z)(gr
zQ_pK@cF~iXn`o1OS!Y_e%!}h+bkhjA!q-wMA38>SKJ!&-;Gb|pGbyo11!-e#xp+mF
z9+8~SlrL$=7hL60iyP=|oYJI4_&$@K%)FWTR*s_+@0(>3tH>9{suASxWK?~gxD?h*
zlc$?!MkQ1}7oCRFqLE#4TZb5tUf=gh`XOeb5z2}~Jd(ggDH$B+cBA;DHbwfA%UsW<
z)i*_QV)JuFigFe)%OAua%NprtdAZ3-5JF`8uxKUZEs|NfkIqWFjI44JF{5_jGX0`R
zJ#wkqgPb`f_N=_s+@v%MiLY?Gr8SB|siw<S=()x$`Ia-E>(MRr($<OBDdA4Wm-vcu
z`=Pdu>bv9%jUs7l@fEH0q-7UAL{iF5fvkM>PIw@RG~dLJ)P<g%%YRazyGTwDPc>S9
zed0>{rJZGUHRcc*i>qEqJ63)2{aqww>O0NF&nB_*rhBFH9q`o?_+J~h$)f!H7OESK
zKQ-=zPbINeHD!dNp829|)n|2gA%>JRR?doNVZtrhn$Go&l<(?ON%tr5m86lFQOG3r
z{CEnx=KN@n&)pWZu?jCdFaO#QOTVn1P}qN^mWw>)_jzp_`OY?%@IWfYNb?X~pWXKA
zul&*{{^}wl62Cu$3CD=WDqjn)a@C!evOPS@eZ(ufDOp`u?FG`Pl4$IJeofzwuBc8p
z*^t$DlP6*(+Bs4#)<M*DQQA+wJvyzMU(=+g`?G1E=vJ?xUA-2*S@~;SaNT*NoR!6d
zmT%SFuPHC($>Ll*oK?60mj@#$9R8MZY6)NR!7uiuyqCg>4OWr=W`;5bvcsM`Wf4A|
ziv@QXcV!-y8mr^y8OFSVJev+5*%K~~xG%d}z{C2T_o011Avd4ob`yvp;&(m0m9$Fb
z9EhBY&Iakqk?x-160IJ|E<-HuScMmP_Bt-BbF#5;pUF>yP@+SK&LYxDX97}Zk$cW>
zl2Xn^Y-wqp|0KGrT>Hq~Dl$;D@J(pq@1yOK54qru<n-3M9CyU>L(au;hD&4!rRLmL
zj<Y1BhEI<JGRkj?#y(Q7<x~bKM=kZCW+V;5H_Xw~PSx3y+KOkolsPFkIgZvb2wHWF
zs2m@DWkvDdPTnN>6uwPlVdb_?{QTHvQrD7Bu65F``C41fPt7@tS}cvZ^|G2mCM~V`
z*$~O6yxdd?{KM2-(hiz#m0m{O+!rOxzCmiG0uED7k49uT@?Cn?7l{uk3;p3eRs>Rd
zTebl4j3|3wtA)68V_wu#v-h<I-V6`b%`wt-m5x^4pUmkdoJJA3n5>edxJ$w)@1wV>
z9Fl$@s|&Ioq<tciNwjQtyz1N}8FQ*ldude15jUhy;Sgtm_Dttn^TWDzeXeBW6n!iS
zM|q`9p{&&Pcp9y7&cpSatk0Knp>VIrp1x5JvRlYGnO7ORKNEk6#utSV?#k!+v;-%D
zUf}~04PoJt2sK)9i{}iaNImDSbPY+~*^`k|Wc<%jQs238F&9d0QsR1Ekqpt6j?a=w
zd6e`tS<U^u_QdkTCuO6|kv2nnq@-B1mM;4sv{d3Zmj<D<r{Pj8c}!|PwLZWsE8&J*
zxVqWmQv=H3bqi6WuSh4Ye{3mTw#N8>@P}3FyRzObBR=(>(nvNh6H&V*QiK?jxn@1)
z3F(woR=rOTk^Qdq=_i%#)$e{)_L+a5;!z&twCCJOL8RwebhEYTHv)5<2(M;Wv7?yT
zLy$F$#e~rQ7R8j4MCwX?pi^qC=<J~)8O`EV?vJY5rOVI#4|AuojxYC0Z21!Fhl#&x
zEcvxw_4yCr(n{lyQK7oGsG>xWH$Tp$W9}D7_(&dVB5}Dny+uu@+|xOb-kNTONP5Ms
zqndrhrNqoWipuxAleAUh&8`nesh|O5Q>K5eAdWlY^i$`z#3h}J*oU|>a#eR}Y)kW7
zm-O;RK?%!AtJUahoI+zZu21zmT6}to=T9UlFgnZIj0<p+GhF4_Q(F?toAPC1#_(wW
z^>KRAQuZKZWPKdlYw|r^8Q)Fs=*(7X{UItto9KInHA|KxC$*b#f3DNl1geh>StHUR
zb&9rnztulU%9P(0)%&mgiRNkpnog8Ecqo2LJa6w;;>qz>I@X*7OuOdnw4!o%;zA8X
z@-emk4bQBCBg)wePF6?wzXslS*PUNx+*#g~xS|+&Cic`?5c7w><HBhdNsC=y`6B6C
zqThk?ebdLWJ;yHa&?rZ_@iW!|N6Nl1S7-cHH)gg;&PS-vnjz99I*F%91B_zTm6bUD
zTpqGfbxZaWvMwo0RCmOub(ngPXRY~Zp4Ysas9y4%s@zbkvYVNeHTfQLnqA~x8+VAW
zbZ+4ewB{@q)TUc?X2tk3D7%`U%FUMWO^xfiDZlBKTE_n$$Uk99&V(<MGtHa$KX1LV
zwN!0O$%<;COC)>rxTNO3QB1fMtjC;0OZ?@V?3UNq{^FZ_%Xf?9%LUPSd5t33qvv^6
zzfo;$BfaMfe2Y|0X=FJWuj8JaA&bv6ir&tizMQ*|-9GvZwvEJ4pp?drctm#Vk6JSE
zV`_0KK4lM3{xjg;;;TwpH9rbO-)qvfxJGE2^0lT-XbF6&3Hx&DRNh&Ya}oc<(*QqY
zK}8npcbnobK*9AH)pZ4<UKJ(RG$je-+fS=l6Kam%R=lqw`vDp1h3`OVZEWBhwEPdX
z*kxT7>0HD*WI6q^T)!*Dzy4xto%>?c4_Tr@aVeL}3U|TYS}=r+rkr<`i}sa%BQDH_
zBZ)8arM6xkg-(!I^7i}^_aDmC{=Jl373#k=Cz6xWtY=91;xb~Z%T-xsAdf2Pwsnc6
z?tYM5x&xi3bIP~M7e;!3j6UhzlDfxSz0YVhKL0r*SDpDOKV<cHj0~@H>h15yR@G(F
z<FSqgaA2Ve{|`p)^sVSkDcLQM9e@q&oZOckkqZTm-FT1qg*Xn~YoU+A3Gi(>y?qt2
ztRk+mSl6l{p4uJ}WAw%OdcJ=pJ@5y;YFfSffjL;DXD<I*12ON!QlUO?cKvXb(6ny*
z64fOL*U7i>((j5zUYjE8<veau#=P?=lzwI8Es`_Y*tZrNTvo4kPRAi3W3EkRd-@iR
zxP8Bia#9xBDme|gUdMvP{7;Cui<ZWzyYH7q<<Lp(rQPX))OV#z#%YM$ZB`Cc;@>AF
zOva8#gN!lOGxH@Nej^RLJbYVHhOm)??A|9c{5sTndcP>wlG<CIBen`8A?pxGLG7zi
zjpY1Qs)st?if+$31mim>J#(g%9`mXsitnFB5>sK5cFdk>Nc)K1AV|B^&z{rLbiL(%
z39b7pMZ6u22G89*D7P0AzY`t4%t;CDcZ{O^gKjP!e8;_5Lf3w!eQTXg(fRVCC?w;X
z)N|a!ksrESQ+uq54{|1>M;&sM<35!Naf)#~vi{fribjB%#(^Z^JX7;8;q|KA>&Rb<
z^P|%jiQmmJl|#Q#erZVE$(*nb<<F&*&P~p>KDMO2a$%6tRa&7wIv1so?{+4AAd`|V
zy7Eix@w4#7T&k2l{?{6DOa6z1xTtS-?DA&5=}>jElV;Qd67JNmex`du-QuaAukhNm
z|3u%@T~J+llX<?DFPpbIwLUA^TmuRF20bR9`%?)b|5Eb>{U-{MhbjI|d9J}qACR3z
z$?JUP#ZL>eelwPP*(18ChM;+ma_bd&&V_Gs^On@}{P9tx4YDUbiB@RzOogq^D*up^
z>|}9{=e6(xUBl+I8SWz$E1y%l1v$#8GEScThA&&b!1sAB#U}qF`WmjX3ciMuXm!0P
zY4{uHIoYAW{2TImcg!WyOC+A~Ce6`eefm)N+azLI;^}k?C+?L^=I8P@n(7wS?{SHw
z%W<D@m2!&qSe2(5E&L{D86tkImqtSEr2MD3R@+fWrDSAQ{Y&zbgvivLYc&p6=ZU!;
zZc3KKpk=Id61{Sb#bvMRTo0Edy>t+A5zq0GlBS>5ZkN$PM+`YDR-$q>8Q)x1W6F}5
zU?N|&rCe4IlRn=xKGh?wyB?DB{&gB}&}p>IE9WtaIeMz?7_IzkdblR-7X?f5S~-%`
zJ^7Jyz%m<6y{VA$khSJ&Fk8CpGqGsezB)yi_q4j3s5TgN^43Qx)sfC0E4ft{VU6xl
zDsgX0+DNs4bg=xqq@P6g!YxzPU-d5eF~s?aN6hL&)%-;H^rP61yfK&>d1%|hYtcsD
zL`&k0xH<PtXhMCFdz$#Ft4ZiMH-$(2f-%citm!A!UTt|I)U#S2ol@Elo-{U*_))B_
zVp~ZZk73O<J{MMPjM0PL^gBXF5x#=aIr|={uJ0y6>2JCG*TzLjplZ$T(UU0WV2SC^
zI#zc*J+#pD=c&%|s|{cO2Zhe$N;;J;>HjJNx>H8c{_A_~MgS?@*7B_jjV+qVsP+_{
zkAz?EOGhiUK+TshuIhddtL978Chf<?GybbSve$^cldqU)e<_EPV$BELF)C|+`c8l1
zX5~{aT$51*TV+kXb&aW2^Dr4NvT0P~??1{p8f{$7vwTf$X~Y|~_5PF`sKa<wwMJ6m
z^<h%CRef%ri|R)3Lbc}>t3)d~QjS5FqlYxed5Fg6!sBPoS0!6ZV&UIGz~rP^YOGW_
zuU~*qLTP@*_g9Ha{Y+9(4JEEuX34}QJ&P|^)v1ToFS$DURw+>@&8fNwMIX=2XDaLQ
z%y?D$;Ad?*26Q9YmuyVww`M-oT%<34&?>1Xw7L4pzx<X@YiruRtCVXb0h#~h>vG~+
z%f<Wf^8LppHGTV0@|}*RQjX%4UgC*0G8x6Pxk?ADWM{pAZ$*k@E#uy1_3=uH>21uV
zS(#4`zUI7yp7E0v6>=g}?N=pvR__|Fnh#lfNxRlF&Vr+-%8%rv1>dRE_!GI>82&6+
zhe^BYTgKA=H!z0k*D7P4)tN$)SL&uDvPa>RqjUX>?^-4tAilKs=^7I6Ams5+Hoo|)
zWyw9Jd|y*9dWxJl%EcbJK196p8Ba0mer0=Ub{y8cy(=+PDnqrAGULAw-_Jp^k6gow
zPPI|g>j8VL(f;G}q!`aSs1eTjMWumT*VkvguP%wlr?>LFl8@}1C+|UgQ%lb+6h!6^
zWvs@$N*P!=p?tJ?jzf5se#bNw1GO&xSw)Ze?^|hyC<nC33w0T3Xve#vDC2N4?sAG5
zT+cZuIa4E=YP^e5ng3Fmsl}?X#N3<kbS*)Cw8zo8*dHzWf8&VjDOu}Ul1P@e(l5Xj
zl*Tngq`E*2&;KQl=ySsLIu=)xfl6ny6WOCDn^hX>N@#Xum00T0d%EF!DO6CdMtMuV
zaj7wv^L-=9agDO6nvzJ)IP1*{?)$9Gzbv^7FNI{C{Ek=-RXXuqHKrQts;c)YF36m`
z+Sby@_uv;tUUTxWO3*xq{55PnE&gd7!;_TnE?on^OLd$X`m{{;Si>ihNc20PQuDVV
z8K0&;7KAslULJi3R8E$^&w9?wiSN3Y@&>u=Nz275``h6(%xFba*2<%=i0X4B_T$k>
zbKDp6V`aYZmB?&)sx_s0MPa|V#@|HBK9><g=0DxDE?Y#lWbDYg*J4S@lSl^aTqr;k
zt3Ju!A*tt?7I;K*EhUatS>m-8+~o_^oQqC;6w1Zsxux=6V+7(a_S>^YkJUb;ucMD8
zJ(!xUTE@!lC~t>w(w=tQihY<2wa_IBrMao#1V|-)vAV>wrGzuMGG=HYpQ%15?HKLo
ziAOninZEMxWOrX(C}DI)H=Z4*gZ#JIvu6UI%5f!awTWFgqzi6xf-N}{R72sjEmMP^
z<Wc^2Wg^$Y@7pIKvOJq}sDq7Ge4n$j^3B#rC$ChF>Q+sd5%b1G<ty?{oG(;<Qs|!g
z(=-b{V?`ml>N49-{1!H~2i4kp^4|wYdRrtF1(ou?vY7Pm!l_nvW#+9bP)X0rt;<Dx
zk>(C~EBa>F=B`=EY-*XrAxPe@jZ&??zN_R`rE_K1`rPN%mXc7K6VYmzyQfQ=Jg?o<
z7|K`;Vy;e~Tg&&EUdQ%?gbe43%*DI|%5l$HnQ2oK3;DeZ*RJKf>J!{Y@5giA1>f?H
zLTy)eeABsIIdYPVSjzbtxxDovv#j^9Es^yPT-g=jX?83}E8{;OYEC42t}(?rM$P`y
zPqSQwT+X@2tuEtPt^A)0h41g(`svuJw?}!+X^YgO<W;^2C*RkLcly&Msy?po^CXvp
zyjXOtH_xTcH|)pAKC-N_M*r|EvxjIz=6lZRS!;gF5b7hse48Z1S3PA-hB<-O%SUyo
zi=3Z?D<n3tN2>@?ib)=FzLPZTYi7qs>5I9ZCw(E>!ICd~RvK68n?_~-`Ma9Y)2J6#
z@+ozm)O)2zb-Shg?xN4X7maE8eVAwQx@6_JXf+uFb1CO+qS-F2ORY1*SQy2d>yLz$
zc9btK^1np#G~u7R#2Cd^3GJ3INj?XZ4tS7t{dqhU-LyI5-GRj2R7h==g8dKQc0x;+
z`Btt?vC%G_*mIRP6j#@8R{397lTtg~ku{u5fKz2XTWnH4-T4o=3g~qB>pgnabK0{O
zF+cx`T3gKQ{5nFcV)pzMK3)xPPPspVOWIc%F-XXdnb|KR)Fa{D;nmFWWo9Cy?J8Cr
zmP&8=ce}`;yn`<~jFdIf7({cCf6YUyPBd%o%c7J2(U<$Fp%o(cC|{&s2a$e}xJTv8
z-KoZ^D<(D7g6c$~56S6g`QnPmG|?aB43wOtmD9NLt#>iega4ba@Pq%f(rNo>t3+*#
zj$0A^Te_4)#st-<qLD&cRln4n%+I2+LtC3S?4z<rcN$uBu_&bMf2Q=x$Y+8)i`H1<
zJt&Dac9H)T(JQ*gUCz}Br^y>+@-~^|Nsu#w)u)i8RChD}0?Trl)kztm*$C@>vdaZU
zm#*tldy#g+OqexF?KSbZ8~cjfllsv+d7?g5uhH^UQ$I)|nRW1#5=t+N>MC_cfwSuJ
ze{ki|_b{R~|6g_A0aeA-c70~%%pH0cka_`;4s+?Ks04fO1shjDL=h0MU>6lNw!|bR
zmPCyv_LgYuv6n=R8hec;_8x0ujQ>6lV(=~B`+sZw-&)`AEQWK>v~%Y^&))mlXXO69
z#{QMQDGnpND}Mgo{{K_!|FsJIpLy@N-+Q3YL=>;XGalvN&ae)zPD780ngBm<m09^G
zVf*)IB*uh@{^iXX-hOuCn0NQ0(U;G$l&`7dA6MmBL9zCxek?~}Tw{O5z7$<=v6=qH
zMG8y7*0_p2%6}6Uh^+n-oVg!}5rH-Ss$TiXM5N(KFQIqER^bdid%Xg$PJ)krdp)$`
zT!_Dl`?IpV4#pW*!m~V1cjX<&@NNF@tvH%~Yp?NIY!ko#{`c;yzx)4ltMdIR-y8P_
zT>1CEH+SuAMP6ykzv|nDZ)-b@yYbHW%8$Vv5nCTZpC5ibOxz#550T%Gv0TS*obSz3
zd-E%vO`yLId-UyJ-FbWQxA*7j+b(L*+>^LJ@ASX>>fIy$-K#geAgYEpSX{m*KHI->
zP;C8gDkW$)ks)u-@$U7@`w>f1u#fnx|9&b&V!Gz5`Dy-IH7!sJ(n7Q_EkcXbOj?W<
zrzL1fT1~CCR#$sZOV#RW^|iKIrk17UXnnO@El<nW3baD4SR1Gf)`n=qv=Q1UtyCMU
zm1z^SiQ4<xByF-bg-L7-{sxpczH`%;8KFD<@i!={u|QUx1wosJuuvAp!ttzQB%Zj`
z@eORzEQZChILTJBlftF?QbVawDw2w&A<}&5OKFp|S=u6fFKv@{N_(We(mrXw^n>)H
zbU->N9g=>M4ogR+W728qqV$V&NxCduk*-R=O4p<t(oN}>bX&SFJ(7Nt9!pQ8r_wX&
zx%5K%UHU_MDOZvG<S;p0j+4{nOu3ibTh5aU<RW>HVpcMgE6O$HhH_K6tK3(fD8DOz
zDzCW270$WJt+)pd<zYNYovY4M7pM!>uhd2AVs)vyOkJU_QrD>8Xm*;r=7T%os~NQb
zt-2Phg=*nil%{LZTC5hYC2BRaT3Q_~MeC*Y(fVoqwIXeRHb^VchHAsLk=kf&j5bai
zk2CaUGCVs@-;1N+`8`Xx5!TEGb)g-erEy@6%n9?wF8Br<S3E!Lj_=R(z}!Vs){OPR
z=dgmUWUJUZc8;BAPuVl+h;%`^D{HcoGC`T7Oi`vP)0K~vS;}1HOJ#wwNLivRRhB8+
zl_Sbg<rlt#@8rAqZoY@_<@@-4{saG!AK(Z1A^sCT%#ZM+{AYfQALl3dNq&l-=4bd>
z{*XUX?bTqljoL{qP)Dn!>Kt{gx=r1o?o@ZHd)32uPm<P%*5VGyT05;he%s<big)27
z;sRI2d2#$2buI3r%v7y`)(}%AO|&*RqLbF0S!?N926NJ~wQRg|8Sy0JUNGE?INX(0
zSYq&=&m*#)Vu?d+*|B)URzsG6*eYg;h^;SK65?wUtAY61&T2}#rTwfnV(TDF6>-HH
zAhM3L#)z)dtSRo?FRU3N>l$l`=(^2XNq42YtQ}(O1#6Fcs<AGJsw%82BFm3;Lu`e!
z?uf5A)&nt?&P1GLGBaYW7wahxk_WL2+~FfE6L;|}E5;pb!-nHM7qAhyYo%<Yh%Yt@
z5%v`;6%oe9i5O$!5oIgbL`2#u_P&TVHVJolEt`USyn{{Ed~nC6(f#c~>&94XxF@d2
zJRP6g35rZf>wtc1WU3L_i7mJ{-y_5J%T?ZN?}+WTxU1qjCULZMTGlY$J%|FF17nq#
z0t^9ipfwFwaAPsJvje1o(jaNDRD!dKj1}2=LEJCgt+yE{r^xl>Msh2;wcJK-C%2co
z$=&5Fxt}~h9xQK?H_Kb(t@8KsHhH_eL$Ok<6&uA?u~VFsbVTiBiq@}`RmxUnhq6=I
zrTnBEQ!Xi&mFvn&Wa?{f$33|h_u>9Lm@+k-NARY+8E?*8@Rqz4Z_V5Aw!9rT^PW6|
zXYwrGi)ZuRJcsw;Wqbnvl+Wa|`R9B&U&&YVqxej=s^24qx2wC<qw3G<3H2BCf%;H=
zq&`-ksV~$&)RzWJgO$PBU}LZ~*ct2%4hBbqlfm2YwPBHAv0<sW(}<$GN?&D!GEy0(
zj8;mOG0IqF9JWZj7S^iri84cZpgdIn#48Wnvp083&PO&Lr}xnYV;std^XVAdT=fO6
z=zy!Z8r%$34ITz>d{##M_#g|6z+7)uU2<oBl9yCNauJa)#Yl~%7E-L#N@|O~_R<Ea
zHsR}+^jR$=d|d*3-7hTzx*n946S}UzCwNj?4TQZcttE8bAYI2Nx(T1@9bof4VC?rm
z*+<fLpzITA2O;cE8ULi+vMR?)d*lQ;L3)bl*)KigKdN5RUuvitDYsU2b*9`wovnT$
zZ`VH2K9P5ec$4eMdH5os0;MO@l}sg53Q+QtJgFM;VY3uyxMjF4y@&nWfnifIq4A;e
zG1HV!m2a7~vQF8^f|V`GZWf{JQ}(lX<$!X4B_cu&vn1tb<ru4}oKQ}(WaW%<lhsk~
zDEC=Q<q@}LZMg$?W_jF|`>;ap$Nkw*9>@dPaKumu8^ObQ6dT23cuh7|-J)Jawp~-7
zvvuOLXZzJx295oQF<J8gd<e{`VSE@f@DY3p)A$GcL*|B<`jk~gT+L)2h^^VolP}`S
znHM5#CG$s=t!4q5g=URhl$jMFi-c(D%PbKwBM==Um61$F<cwlgh@R2R0ufY-_dP}#
z!#E;oEHfzM5Kjt@uLdj?iv<>r+;za(2@6MT7_o<#<Cnn8{@6DZivm6l$69<xsR~9m
zA?Ks9Xh6?coTD{sk7ILLG1hayCR}osBA6mYN^wk<%+e6F-<LjMs<c>I#x%sux6A_B
zzZ?B~rM+1HBpt!}C@|Fm?0g+<#0yhJj4%l?V!&FHotYI7G?poHZMin`;tW5-EY->C
zN6b?DSo;KHmJ!=B<8n{ACzIt|IT!mD%7y3|AP=DJ99cAjNywxJOi>;x4;fegL{7<A
zs)N_BFgxX{aus`AS1=B+{0-c>N6I7I#V5)Ww4W=_v3{XowjIp>JMQ!!${*-?rMzOY
zxUKk16|OJ`XaSX3aRb-zSzB>D+rzC9N%n{&+;Q&4-IxWh%JG-!pcp)`)suTNm7+@H
zA&4r2$ZGUNaIhC*E0)>uI39=oM4p6o4MdxT`jh$-vr&(!$C$NxQay?GMfD=qH`SY1
z-&5}~TlJ~>6z!LYMQgmzs=$t?%nf?y8FPo`d5)eJU@0!=%lXKXBgzrP(sAWD?r|s&
zWmTYN!k8;iu?=$q#`I>6z?q>K!EipD*#K{*<9&Y4KW8p{E}zR(VBQO+0Dr8QB{0Z=
zIRl5Bm<6!NmDvK1+?WF}sVcJrE_pC}AfY#+NtWu;=g<{5k+XgjpZzdmYebfa(tZ@B
z{h$L}ST|^aDy$}0%N2i_%neIzs2g`y7Ye5;>j9PH!QO+?@nq@XFfXVb5!<;G+kGjv
z6OjkiSP_(GApXC!i1S>E^IVGafzX~h8${8bOwnEkiXnz|r<hNHiil%FSUi+eSJo0s
z0%buz))`9z<w8F;7)ufxhozYEq95DJc46dufCV+#0d^T9zrwCz%-7jHjP^eJ4WoUG
zC4p4Q0QN$1V0|c?aw(e<rJ7O$RwOl&8bOta%*v(A8Yq1zEn<Txzv@tar2vaJupz+T
zE!cCbv=v8vFMW@FMBe36-sM6eAHr6VeYuo<DZuh$*avDE>&wz*Y!&&KD?N}NqAjv=
zpg?hKg-&KeC`0>FhW4f0%%$Ay3yiMA+RE?A@39Wx@_Nud4dezaM{X=PMt?K88B3F!
z%gxc#N^ZqEgXvqdIIw*i77xa62gQVib&@;E9a$mRzdQQV<#gyHk=s4xK5`${kup33
z$~=!{%Khd3Sc`1Wl8fbHv_;OhgOVDI_E32!*2CmsIKyapG}>e3u~?6nKfw7vl&51<
zP!qVyLHQushvehvzac+nX2nhMVVR0asfl$hr6GFSDLv3OD?PEEpiE%RpgJZq7wF}w
ztTh<tLly|e0ir`Y&tkom&y~-y{zCbJ#Xz0RW!}m>Wgc@?<}35TFAJ0f%u)GT`5If7
zC`)kcGG!U_S5_)3(X(1vjbqm+Yglve*E-f;`A+!`XWpP}z}BtGR-A2{vW>NZF5iwl
zcPKlUN!bmKYYmRuhqDQei%|}P<9dVRe#RA#f$1ETlVG~mV7fCH|3&2&Y=ug~*#rvq
zA{4Y!epRk955htx!oqA+JvV`rca%FUK-53jD$vnQ`AvC@w!p}2<*D)%ZGn{8gp^){
zl(B@A*-&9GSqmt!Ke3NMO?%}p<u!OuV5b-AC>d=92wDa86h~X&sF83qn_F^A^awP~
z<~H1x6>xiQ&!P!a-MAxn#8zi8wFj8m6>EXAvD}@zqb;!3hp;xAuvUi(^g_Q6IK4VJ
z-H!!86Z)e^FuNC+Js53)#My+zI#@oOwIDpU=TTt%>V(R@2$i#W0#CsH0-Li5n`6QD
z1A*=(yaa2(`Bvckk<6Bl;-jDiM)T1?&r)8B_82|}?Xi3u_AKLNtb~u}<5@7&<^;4S
z@`-4_54|v$^ul1im@mfJmhxp-Z|B=t5!BNT;Po!P3tX{}@5A~>{v(To8b6HoQGOKb
zWBeFXP>~%6|D50_z%3{FN#OV?ehRF0nxl>(R<%H-b{2KkIsOpme8&G^vg)W-#X3|C
zWsz!%nuc~yHHRr`AGHt5SNp03VAB5Tc%c6TbrREvmo3zf)z4TIl-XR?29@wa)<peU
z{hH;eOVlOk5tT|FYLqpsk@}7L4Qou5N<(#nx&iHt>PGCdMcu+eps=?wPblo|%$e#K
zPt=P$Sr8QWE>=xcj@Y_S-N)S3{pt^B|ET`R!qfxmL9`F4htL*08Ll2ig&Cn9QID`t
zX!WD49`yRp*hlcEgL+&&fwo}LaP^dW8tpUc8Jz#DdKT?->N)18o>woREjTtDIv?LC
zq+U`l;ry4?%PdvB0`2Ds?RSkeP_L`kF`gUh4fF^$4p(ofx6!_%-oY5|s&~;A{OqgV
zSMTEt57Y;&KI(>t=>JXq4e#!;`WRP#qCP>7;P7zN6VK3o4s96*ZTSbrFIe3H8s-)H
z|5E?LQLok4EW{ugB<5*Q3<}oVpt3N70V*^C`uG;>04-^O8rf2_Vm6vJbfq;ZsJ={Q
z+wdb6@r}D8B{`T`#R5Ho#R{)9W=q_RztoDw6@6A<Ucu8Ia2{+>S=eInCkMinm^%cu
zw<CNVCoCbT!JSzovABs?JdRkrW+fI+Ar`MkEZ&e<ya~?g4Ts1F3(x?I1#!7Gak(Sv
z8L?Ey;)%V2uw8gb0bunoyb}5~2_8TMen(;vN;V2?E;v4kIKEaTj(?9hzCLk$BjR`&
zen|_w%a*Ja?uXF38tVY24`FGnFZzY{b!G#g7hH+;U04Yli+dut--DI02^jlCEdK0$
zEWT_K=JNg7hio?Xp92>r1U}44oM#nVi+8XNO9=apZNW%|Vlc7YSR6<<#6dTlgL*g*
z^^i#FA%)aKLsAb-NIitGCs?9|ql5E2$Knou!vWgbQF3BI&=YRZ;_j&ad{F&GpkF9;
zM=4&a!2-wwNkS#qjCo4UrRL0tny>}-L{*4(dnq0Jn59CTr${QovBgpes|Gi22zrJ}
zqgl9ADotQf(nM(@vm<p919dVVUdoryDDjmvN`2BOjmTpOf{(WuXBHa80&d<8oNcGH
z6XV<??Lk}A2}z>%L>sjy)`un3Y;dfOU>{LA)F<tdBpsJd;5;X#lh`VBOp@^Z&~sI~
ziuSM4uQ>KPG))j{)EnqQm5MRnlkTB?U%HQx3zZW?Dkq3kP9st|)}(S`s19+HU1S&L
zN{S~*RIlKba{S%NcLHGr3LD^z?FMS^;d_ATd--1AyTD~9IA#06Z33OE!Y?}jra8zD
zGC$#)p<m#2Fx)dB6rpx7{GXp$1Yx&M*d0sQU4yVYnXtPqVRtHFcLT!i#&59u5r2%U
zKjBX?DuLq${*wQN^S@RdP&)}scTzo6FII(+y{a0fMldfmQjG-C>1rI-@oHUcO;KC1
zV70Z{8b`HJJF-CdcWLP9qMCtaf(dkD0()YDSTMn8Rs%lOc$PqXP*)XoS_9&P#_CLU
zCXSu0&cXU~^$S)-RQJePnQb8K@g&^wA(ZhUWQigi@gW59A?(lzJ7mHRKf(?L8Rw28
zMFkK@*r5`31W^UxK@~tWp@tWshKVYGdQ<@<5MCrx9S{x72xG~F8qtIr$%Godgc|V3
zu^0(8{0TJzs4}QVs8O9zBau+UlThP5!V4e52p>X(DCGP)j7H?PPFXEeHQ-12%qgE$
z%I6@e06dVlj;t=#0nwDJCipWo&?BmWdX%xrR1+jf&5*ar$kHBIi~1m%ax$56(wDMP
zqFTX7c^E*oLUqc+M9RQqsu&WeVyH*iXhb${!`VdL5KVa)4VQf%dPMb*K-EJuWngv6
zKqKW|GP$A+;8R_|o+1y8$iqu$Uq&`22p=A8QCmbK18<`(+|p#qKwqjh5-1NP%0nYn
ztaYejji8)Nq@47kob;lctVP)vP4$PDlBHy^`lP>H_#i%*Ig<)=;X~lR)OhQ^jAS9C
z#ezwTX<TTrVA5h5X)zblVzH#f;z^6ek`{|6EfzysEQadeD*QA48B5}`_$;jF@HtqE
zinu0K#G!mXpO0#P5nqI>3+-m$OZXDBg@QBi6?_HuU&U8py@s#BdIR6U!uUqMk%g1K
zt4H`^3CDdWOC@~q2EOb?TVRSeVM;1tiWM;BC-e&(@g^KeB^>c497!b{u_hd`Asn$K
z9I+!Du_qjHARKWd9C0EXvE%|rQutHgNGjooH*n+?+5$&X2}isMM^Xt#tbil2=oi?L
zN@~%YkRp|k!kRF`hSZ`hp@Ti4gCn7XlR8VCg`?&G7g7yX44Anf#{hl-90NCU4BW{v
zh&1>bd|8~q&)~;ulcEVGMWd0T2_{A31w1LBYE+i%%5~u>rN}AFi7HcTIaN+&c2u7x
z%Jt>?ER3qu0J)*u5bZ{CBVfF!SY^41+!Q^cZjGb5H9&45w?I!zxg|4F4I4}~Y$VmN
z(Q;e4E%TyE)`BWoAGw3vfq76pE6bhaPPlGoxeLzFRqo0Hgu~6E<sLGe3)w82;aiD1
z*FnyZGnggK4A{T{&q94F<_GNMY&n}nVOFX)bCz@D9Ogn5v76ji?u#Dbe7VCf@5f@O
zI`+fdRRQy(8o4^v$l;jFDq=cS%6?QS8{~m9To0Og@Pp4jm<7ruatTH<L>_``i3-|J
z9xlW2kw?fQFou!xC|pZa(|&TPJO;;#n%YkuCyzsanOugR@u;k2`6GE2-tTOAHQw(U
zc>~_>MtLLd+a^@p(eh6D0N(XM`8tkzBEQ7>|5Oa93N^)*Iivc<ETQ730ClMb_fr}v
zZLw9<;C^uY(@}Su6*JmBm7Xj_IKr%&aD-7Qh`K|<EZjWQCiB(#%u)SP{gPQ>&SU{x
zF;R~sV0P{+)B>U^@y9I6BD5E)i@|uJLXl`jB~)FmE@!b+t@x`e)s@&s%&z#VtJT%e
z+oFDnp!&t6eye^99WLfuG<BW2j(Mx!si@Y~_3C;YCF&Xz>YB|glytbY;kMy6m`Y~T
zDMno>E`ul{eJB>aDE?e2@<J){yeQg2DB7$k+Pq~EZB;4S+$h>SDB9d9+Uk*e;w`7k
z>A3qMw!+`|qawB<D7GRgwrWvqMNw=;Q*0>|TTv8S!4z956kD8Pt0u*kiCn{KvWT!i
ziZByJm`V{ALlI`82$LwnV#tv(A-2Fy6jdhjWx^=7A}O|_5L+V=d7}_vi4<Wbim(`p
zFcU>sB1KpXIXLym!Eq%A$D14+S8{Ob$rt5|$OPfzgi&loQfx&bwk+W8S}K-s|E&}&
zw5<_siRAT|6ko(#AjMn^#hi(JpD>END2hB2MP3wnKqe(a$zUlIdC9~)I>nzt{9{l2
zV@LdBPy7={{NqbrfFJRXk@&}f_{T{6<3RjlPy7>4{F6ZZ6Hok;K>QO+{1Z$3<4F8d
zm-weH@lRdipZdf<0mMK4#6NMwKfc62al}8q#6NY3f9ewd)Fu9@LHT1q{y@D`=G3Ol
zNutcLrOZj9%<-i8$0W)b1LaH-<;;7OGoHv9FdJn{DrJimWs41Ei$$euv7~INL)nr<
z*<wR3fI;1)Zo(NhBXjByCpZx&R3T1qCQfi6PN+_7(15Zlh_cI_n88TQ;6ThEbmj{3
z?PO)5@;+vMCMlDEG{VEvG3z}A?wWA&{K&~m!W{TVEEMzLAEW0}WhUCf)vKn=R%W9;
zN14NH$>DP#hcAL0zIbx@tjXbX#q9Z)IP(H!A@=`D`3h~}_61=^9eATGRu-d;xpkaV
zIDetaa%Ba^ApAcA<}p`cY{CU}AQ#Y5`37@Yq2vYnzzbZDW6Qn3jhNl?!|c`;Y!$v>
zyz;&BJ=($@tV!-*HF5{N#H=XJDLg_y@(7cZ{g@5&Bd5?0vtd7Bgu*X$AivO+{6ZZw
zV<&Jn;TrmpYbYycm2(*9dF4DtenGi_t-?pFMm}OZIfx1z#9vtgo|m`=$5G6wM3Rr_
zMn0l1`G^Vd5$|DM?mpZ^U$}{n(H1_UKlzBk$}{B|+QLn=BR4UulAGvHZlVjhiIH#<
zQQIi5;U-23<AMdkO_ZSMWO#~!@Dw@b(uA8BOm3nZx8RroBTvzhJViU2q0!(bI%0n(
z?!-*wCi;?_7+lFs3??@*klaLnauYq^CVFFLM7W8*<R&JNo9Ih!qA$6Lk>n=Yk&oy?
zK4K)tf~yEO(U-^aILrmc^LUI?xQW5!Ci<7ViR6SyVy>AbVzzl3D!1+M!=lI!b0<H{
zNPbu%{IEUn%=W?+Gr|@70d3)j1;7tGfc8Q4AZCMvD`sEG6^kQR%!*vGD&&eq!4*4>
z{ZFVTa24T-Rfj8f3O%Rcja7#?b{6Lpu2=}UV(#RMspN_|kt=3Tu9yY6Vj<*;dBYXE
zfn$Xq77ah_7Djj*u2=}UVsYe(g^(*&gIuuya>YEwY&zbraK((|iY3Aody2O3!=lI!
zvnM~S3i)AC>MQtRA>@Y{$q$oYUP;W|ARA;BK(1H_xncq2iivqj@f?ZFau7BgRhb1A
zohr}1RC(%Dd6w6lF;sKnlfsfn)n-j_xCbgmG2c`^#}rAmWdT);(NrtOQ+-&AD#IMA
z33aLob*c&bQcYN14aQJ47)NzrGSz{(ROuB^{T59%TP>>43aIX?MU_%CRYZ|g5k*o(
z)Q4)JNMfX(gm+%RyGbmckj_X*mrqF7ijc0Qc-jYB#mq&Z@)?jWpO7vTNH+&<F^dsO
z7^e`%H7AS<AdCwljLWCF3?F47FfN}kP65U(MqA8lw8YaxOVJh>*McxEpD<1#jLRpC
z3nh%}Kp2-#7}t#EI|7yUK)QTFIz<skmrqESPe|9CkS?E)E}W1ql#osW((S~a0_j>2
z(zPU{%O|8$2<h?(=|XANvkl>05aFE<W<XEiSb=w~2=BarcV}6iat^4MPk5J4co#}|
z*PP}}JPGxh(!5DJ;hitxT^iwCedU&Ni!~tBi=f$)becV>MzbgBgnDU&dg+9EJqY#E
z2=!z_y)c?XNh8#&PN<hob12?4hmuaHC(|5CI?bW@(;P}Vp<X>gy);6-hJ<?QgnDU&
zdVVyYl1=j|jc7il8qKGq6Am^c984!1OeY)+qgj=7!a+_rm_|4lOtUKK+#6`vozSp8
zp<x7}VLG9qOlX)+XqZNGE5U?`)d>^52@UJh+=?g7t)vkqb|p+qCrnHuObq)s6@CUO
zER_^iT~b(eNMRXBVbvjpWvEo)w<CqsniN($Qdq4?VYMZN)s_^ND=Dl_q_8@X!s<i{
zs|zWt6jE3kDXa`qSSl&33{qGsDXdPUusV^#>O>0bJ*x0islqRy3O|zz?=Xt0`Y1e0
z^#kiqRecuK^HEgEM^O!Lq8h#z)$p-Y!zWM;pF}l$4XWO2Q}v!n6?+s_=~1eW8p8Th
zm7YbFc@)*;CaTGMQB598HF*+M<F$!(ENK44OnhTSd}AiQ=}3Ijgyvt&H2-2t^Dk!N
zn-H3RF%#2-5Ysr){7YkE8XIC7J7O9$&A(XE{EL~G#*yY<%ryVfgyvt&#5A3WY0Shl
zj>I%(Vww<Q8f#)2Gck<=&A-^v{EM0R#*yY<%)~T}iD}HlG)}}cA;dKHH2-2Irs+sb
z(}d<<%ryVvNPJ@^z6qhH9I6oO*b(bk(kzUbSf?Ygj)j;qVf|<>#!ReZCe{fd)@e*i
z7EeRqc?b_uvhJj0tCEs!PwqxH(zCru!`2}UYak6<hun=wFqS*zfJ{|}L{)}NRR*UV
z&?pD2C<iPk2P`QEEGP#oDF<Y#GE~X|1Lc59Ibfh1P$&l!ifoR^UcxlQ^it@iW$>;v
z8kq%+%#ucC0WPgiTsnsM)0*7cG;(XBi8*75ITPU3y5q?U;nsE~{&Xb%>_%>FDY><9
zp|Ol5w{{%)v{vNPP9>i<5-x2Rn@T=yB>A*c$)_zN))mhVo8ZQZCzTS(q3uEpT$3Ey
zX~e^0$e|rg3~Wt)Y#RBo(Zs;9<j2+^9(E)i?nZuWDfzJu<i|#mA3KixSO;=qr;-zE
zMNaHga$={F6B|iR>{N1M%ZSN!@?aB*&ufwgJB>WpspP?0k?%T{eAh_wT_eeNol3r|
z75T1_#Q!zPah*zD>r`@Cr;^KRMK0@9a#<tEWt~bc>r`@C%gAN5BJH4)zuKLg)oG+7
z#*&U0OP*>Z>4>r9Pz)l6qCGhjoynURMBYRvawR&FD-lMnggv<uf#gbvXE@ul>f}mv
zAXj1_Jg_v@i`=hFxL@7aNb)J{$pgzEw<3VtioxVoq>~d?LT<%Saw|rWD`6%-q9-{K
zLF7dABPU`6IT1nRM1+tB5kwwDTXG+Q$ae@L-ywi}hoR&$1d+cGM4rMx@)QQayPAP<
z&X&Kx`YU-c)@$UocydHISiRt2ZNbRJlOy)<vG%YGavuhf`!G;GDWAeV!h`4_{~}+)
zR^dbhkP|VKyoMn18b*-I5JWCR0Qn0+<SYb{YAYtarjSyzB&F7hG@2c0F<;VR8fh^%
z(qc_Xg}IXc@+IZf>W$_S6{RmJtVX1*45Y2>NLBfglF~>+`ICC`Al+n1x~UZ@CSOuX
zeMu!XC6(k#`pA;>Q8DSG2~-bGBu%7|CMqH|G=<cVL~6*B)KF{EK`luKO(7j*OFC!@
z=^#(iK~qQpd6EM1CIw_91>{Kzs0k^cDWrg0NC8bD1>{W%XbLHy#-xCzkOFE>3doZb
zkPRuIDWrfrNdXNY?W2<Ru_f&@g|v?iX`d;ieWsB1F_QL~LfXfIv=5%$!_#~2q<yB4
z_L)T5r!{GxmZW{AkoNH=?K6e6k0)s#chWvhNc*^u_GwMpr--zVC#jw(q<TC_^%(K2
zax-}E;(5FVct*J=dyk&VtB>cC`@p3aPo0b>CKyl8>Ag?S=}jgks6$MUOiWOlm>`*$
zpf)kVcv3M=q(ma#Q6gftvj0D6kQ~w=Cek1=q(R~<X^=viN2o<gqz@^Ph<B8Tc$TDp
zB@L288pK2zB<76<5wnK1NQv|zH>w)>P(#Rp>P_BLFu6|E$ZyIfzbTlUrYv%rLdj_g
zC#PvRIZXxRF%2VkDV*G;YUC>oBc<a^8b>B|(}q-x7wH!-(l0)wUz(AA;iO;kNV!xY
z&Ei9<#E0~V7wM56q(t&befW^>Xhw>|j}(U&DUPb7HQJEA@F8X4Mam+VltmsXiz=ik
z+K{GjCI#U|3ZfZ3V_6SRmD{qqc&^-@H6-V&Jvm?HPkAI0H`gX^PA1hbmN6#b#{xeb
zPie?GnOXUT`Tg=3uh*biJLZv5Qkcs;vJ12NGLKwyaUR$iG6w%7@VW(_@Q_}M{~b{N
zPeMzy@l#d&roX<znEUT~sryrdWoTKWvgfvvCeJH%zmBdevLu<TbxVU9W~ay=D$~sd
zt1tt6n$iSW;`7?-t@ZFqJzih>jPk;Rl45Deda@#xkFq%n4_sui+G5fDDxHkGxTn{O
zEm>vQRsYk@))ALFesTA{++<#<^Gdx`xsRWY^AuT<Wrq<T-FZ1|Z;Q^io6Z_^-0){j
z-S+KJB^84jJ&6XXwC4tAIW5IhMRzvfg@v<C$E>2_tin8Fs<|M`<f1!?Zq3=c-hjfM
z=DdM9xw%;;dz=luR?dcYz0HG)vrOJPp2TU-t({%UJB+DWg~d6&ax%=tIr(`eU)@`5
zR-9emY;Kp+4_7hwE6B;qHm0WNK5n+AXj62wNvD5lZnn|7DLO`vj)_Z(OG?wbR~l^l
zwiTDNa&~E3($Ab%oRwir%`Ys-FD$>Du1A(%F6ixMaY19-iYvCwDjb-TkyV6C8zYPj
zqxDkBzw!-|RHl?l_6+@2a;YS-HOs$k+^*@TUQSl014};i?--hYena)$sYQKvZi{S{
z_R?kNz^SQHVCvfWSL#2xxqj%b;)DLD)_%<7=gseJTf4qqwZ4aX)USE8-cPAcMQ){&
za@K|&nCY{;(6f5;{=REW7hbkD%Wc12`m}MlI=KE<Q4@c<G4sY>ldp8Fle~BO`6e%h
z#{61h_446>2`O`4?@?OMTzV>Z?ngP}vqHv<+nMgNd;bqLUCwSF{m|F8_~LZ`Wj{WD
zSv)N0`tv59BNy%ZB4XwHx4*u=G{|+h`T1x49k*O*HNWY#Zhu^}TNFNbX_oQW=@~co
z5BsV`qk6BaUa6-|w?5T-?5J*i24~hkl-^)OyB*HM_LMyOVMl*iK@Kb!{f9pKIenDg
zb|4Fv9<!e2bv<~nc-HX?!ynW+cemN7$P0S3!2;2)s+uJ6>UuTZzv8tnmAUpVE-t7M
z6_uY+R1jHAp%a;r-;ZL<+gXxca|_*oUoxISsDqEt+m|Qm@p|mM=y`fs<eP&t3UezR
z8&w`rl>;g@B@+8kJbMRn8{Mj61d4@jC(ddwuEdci20d83cI1A#??S||sjBW)9yt!;
zgcL6k(RyrRgsF0PAb*t6qnTnkds@kZk)8FW4|=cr<Eo|i=9Z;~ZV5fUZZp?)%5AUd
zmi6+U_Pf(*n11v3oGAfC)=v2im#j>3d=a{4_G*t^Q}1-1!B+fa)BKwwrmro!h7S4j
z$`J34%@$|5-zurwGjK-UzI_RO#`sxGO}TyHOvgIjgBp(ybv1PVI<b$x(}LDj$Bg(+
zFXao6@sr+Uyxrj^iTnTB7MI6Q_xa4zqt!o*_<uZy%5zvZCBBox(Mc6K-1EPc!?6e?
zf{d{Ll*4Uvvh%VEMIOig$2|Tr!#b(nhRp$s>NVbM_j>+AvsK%VR)2PGMYw&FJ$bLo
zYPD@|U*#uWC+yXd88gm&Z!WR!@<X$-f!8jjHueAH{?4$}9dl3jUOTmJ%lqRJH#+VK
z_${;3!z$7FEjrF$IborED%9st)5{k!PPk2s?y|c3%(TUy2e-0wyFcTcxn}*=-iMt!
zSWj>G=dzX0dL=hpUQl>r`i&lk95(JAllgJgt%0L1-~8GCt0SA_A@c`))Fo@zeYfH*
zDP^JOEt*Z9KKa9lF9y}~?R|1_@t|{dU7{y-m=v@1Ove7kpV!#4=XQ+s&yN;(KAH6W
znQuEzs(Fzw8sh&=wUv?k3if>8VoY_5m)2XCw47;i*&(=a>7nvGE|ogsPPNr-MDSDE
z$(Ve06|VwCYWx=|qm9ywD$)rFo~>u;p%t%@;6871w74jOa(qxxWYHUhrbJJ8yRTdp
z_V>Q#9CPG9>>5>ER1}e6j>wLV%*ZO#Yl*@6@;E(4H_eNh7g70W0SN!a(SU;g+boZ+
z1a1xX<}9#l;^K3n+1WN3ZgslHZ?V0u`-))%aChBx)W1f*cUcxBBC)|W*M1nvnmwG>
zQ%@MYU~G_<@BYoj!1MEtf2=GmYY{kiR$ayG!cSLA4*2ypoc%6(ZNF_#!mDS*{MtCP
zpY8Qs*>=y>g>kvVCc5su_02Ee+`3@g+u#1sC&lN#>w0l(f^X{J>x0)F3g*TIOCL4e
zJt5>nyHQ6S|Gdz3U|!4acJ&*i<k_yioj7YvjkA{h9scwxSvzXz@|-8H=6q-48un;p
z7t7??U9PzP=sda~i%hg#95OBZ@;6V?mPo6r%n6Tb?0L?A^RB-Jf82Uk*_zS`-5w^d
zZ9TsvCM<I3#`8u?=l*y4RPA#3=2v>h@QID<Y&<;jhi$d}duOzrwKb=B`5y0DBd1^5
zwZ-c+AE1}2eE?N$-oR9D=LbtJv&(i@4V$K23JL7|k1#d*$9HkUO|OER4y|F=A*(P)
zBzw5Aab8Abg{ZK0cCFZ8Y*#p-sMy#dt9Vd;VP8`XJy9HK?Q9Cp2r)+Mdc3h>&+=0M
zGaBR<8qEWWd*>JC49Utg4k*ep=I7;>nCk1P;#kGGR>dL4)Le5>kuk>DYCzB2oD5^D
z!km8Q!jgBDjxnYDT*V~<kK)R84HzupZ%mBF%lHaR96kBnH~U6M{X1dvMn~Z-{|$=o
zyyaxQX8EvV-|kQ`?D~U?v+^?W9y^$Gb23RNK{RDT72%e?kzxNy22Dy`HGlWw=7)~l
z-xt4q-uop*!KVjZ+um+p-1E)%Jm=o-Sa7VpXHeB82QEpN5&vz)4TJYl!{Qa=H@c6F
z^6|FpdF+DiQ@6Exe)l#5T_<-Ky61x$rNh^)=yaXka988+>BjjF@9ygPWTu11$Il*i
z?EOPw{MKO~EOvD@e$`lN9X)Tx<M;K%Wo7fLEcngK*s)d94Vgc$$-Vw-t?w-Sb~mj%
z!|mGx+2_hq&UE?fGw*uUYTV43?@_Jqw~bsLKd~FLr@86n)>SM0YW2Kx`|Rn@Pu=~{
z=i6QNeA;=J&c4^#`MzFoHTUDo;o7ljlW&`U=(?=wXQAUao~@lQ#!BC`uHI*_9&BAY
zDsD~J70)Z+vkdTAs>fD<8GtZYht{ch4Ip%{taJt<aEox4|E<=^!iVN<<lXhIdYXZw
z$@DgQ^@`KUlB>s?(+wIlhyWE)CQcTWQBVYMdn34HS@-hzcY78Vm@!}i(Fi?E51AJ<
zFR(1&&1nUKRvu(jL54XdB0G+Bl#uSwQLeg6#f234ZA<wlMHMP`cjN)O-$I0|$y2Y2
z4kVIOMItqC)wFR$bVRf%wi4Pdn0mPCd&#ED%lsye?RVfz$(P@JllBhUjy#sNXy=8y
zn;+_yk5iNWkXOZ+V*UX-2yOd3_TJK?`9<aT#*MvKBoFkOvB@*_`jayGy#a&w+3dXb
z`R>@3c1vzGS^Is;*zvcYj9=UAoI~T9&wr`%!KSe<);GM<C9Bor1x@-pxDNHY{Pg6#
zZLK=wznJ;$lGfifSh@GpOE+fQRH?l=c&KRsdmK4wd?Tlcr4KB7G`9KRi~Y}LEEqa#
zfb;%_4{O)Sw{8`Z8#cI^{^zghHqLcVCJtDlm1Ms9vDU8-8hvDa$*R$7t#3_v%+X#a
zHeUYhiQU|s-I47hr5VFVjI|jxa6tTlR}IWhat?ZYo*A}@=iPE_bJl6*{Iu0$c5i7o
z>g%B9Y)HIP>wEKO83*R7_eYJpf8mqq&+oT7o^gKK!fGYkfVL2Yyh0TAXt8F)vMwtd
zt;z5&37Y>^@ju)${eKw%2@M&i$00N->OfP19;YX~#mgrqXWh|Y{idF-B}<C4jDk?;
z_DY?yi$%SxT=O7v;oH*G-q{6+J<wd7Wo%iPZO+RXQeG=MPyln)S&L4HO*BO(y$i_V
zY6xEo8>>{nX0QChyd1O1QMVVJnvF$UbDptDeo>YQ;V!zYY&=pj^LqkROHf4jD-ulg
zrZCOQG&$)GVkc`G%XTFNS>T?$;)(+mm;d6x|0rwk+`8HNK~kBG&Ff>C?w9gESL$7!
zJ*|7$#gfZ2yuTmq{5;jak>>Z?`!mONH*|Vrv2^<r9#NKS<;fS{zISqW#NFfCkEiy0
z6Kg$n>~{M<Jqos5_Nl&PkNwc&7nBX}_pCiUD7)93gb81CJ9m86>)EsI7GKMqwrTC@
z4<6U<wJ-6eOZ4;j-(${f`R(+S<G*Zg@sro%L1QL{HnC(sk9O+Q|M#=wE+6~$?978!
zB@G7qHyXM3!ML^ozt(x(aLU)G>#TLrf4MMe&JDe3^3Qkd+8uGc{bH{3v(3Y2ZGCic
z<i-&nMb>I}xpw&7tkAwb?_Ipgzd82wc!~b(>iX2p4oxOT=d3I1USE0M`(d(kP6aN1
zf;;sg75_k>AU$wiKm|})DDxmBY@FM-ji`u>h&LZN+!Y{}GZz}TmuMP!551e-#bBLY
z)<`OQQD4&B40<#D?YV%*ZUQ)qP|0QrIL_$#7K{TcE(kELYV$956G;58we~-NDYQ0W
zFV)(n$LHGoG9%m=^~l1ozuC2%`w7N@dYBllFGrEB8|V4V^D3)A|Duda<H8G34|l8>
z8tAI2-WcfmhBrW0&Toj|&2gE;RBs7Lm;Z|s7rz73{}RXlg($WNo%ltfThn{-iwgHm
zbnW4IW!63Sw1pEo77elMJ;{E=%;(QuogC-4_S4vs-=8+k&GKDb-{(lpr#=73K0o5d
z?tWidKDyxkNnZHb?e}VIyE5$fcY9B^d}WwwdFb`=`q8}ET7Ao*_$%F`ms?+QT$q(p
zqy3hB%iNxgKNY#5g|F+?8=0rmLKf^8?E7)Y^wvvO4h@~*G|wXCaN211Pp)2g{q>;Q
zLG#_(u0P+PbKD2#2gb}=v#n=X@edAGw;#??e5Rhvt##XNec7Y^bGonEx!}v=DI;&p
zUhSt#Ay+!zoVe+MTenijZyR+?a?Y$hH~NFUBLkLN7uA`wYU-$Q?n9o;J%4HB<Obh7
z{xYU_BU35g2$)_cOOif%{{J!<mL2|yHvYCV=Z(GyO0TdzEfteZB{P%jUX@;1o9s|y
z{%w9%K@Pn=kelEjSsMNr-0S>%(`MZoebVoyyQTGh>8w7Y(jhjc0zGeD?x;SjEqu`d
ztdM2E7d7IQndQMNHR3<46=I8#^+HcSJl>Rx|C(mRe^kqXgW4OdhS;8kr7zmzm`wam
z#Xg0!Z!Xpu=xKv<^eaDSWr~Cm$V(-5IAnUGDN~DlKWS6N+ikn=mIdo)O>lm_c<$_#
z)BpVGM%p5GKD=A^k==*=wQ1}0myb8cBuvSzy{xR~M9+O2e|I;3+HB@R$LL*suH5+j
zUh}AygQqy0+H-v8&XdJ%55~;1ZLt3JjbDPyFRYJtn%wH?Eyw0BlaCBr+nYcCZfe7g
zGcxuZSf299gS*N7KVC6Q*%GindD(<ECDWqM-@EhGj#VwIT=bl$3{A86qsz>TJJM?0
z+b1o%?`{#e)H>wXj~3Nl|N4(E<D=RRUw`aw`rK*eGvm4k{@HSJ#KATbV*JN_cwtT>
z%MJUx58Cuyjm)*5A6cK%WWj=#TR%Cu|De~cHIF^&uROhD^7=;+-=5o_J-<}8)=OpW
z?@!NQDwSRUZJ&q$F8rVNmSl&2GPf!PWH;UY?|~^M>$fj73E}uQ;8c@6sf#32tSP~i
z6b)PXAH(rd|A1lo-Iw33?s|3FiHAA0&V99F+`kBi4_<ZNw8nbai%pZ;|K2rAD-C-8
zy<11eXC839w(aH*Yx19edM_?u(!%8dOXl4(FYEOrJMVgC%^}jPjO4@@v-5}T-;yWa
z(Va4u4sW~s_ks5(2Y;|yU9xrMzEe$h?CZFETyE>gVP!2&{`|qIxZRIyA9*r!OXs;~
zCU(et^<`1P7JZ__4^z$@%}(|0*8R879CtQJ7<cOnePO>$|J#{OKU@AX$|<-{iL`Lt
z?F*d>)?1IWKD8p?^LgjD)m&5ONlDJG!odaFh|dxNYe*JO6JOT+b<mtfGpnwx_qG4y
z$9pnzd{-yNy}Vsx#={Z!>i-yBEucZO-4AvJ|1$RYkU3u*Z}a04_urPBQk{n-n#N%g
G<o^JrS;n9M

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..44486cdc6702b42d1ed03b02779d6f47520a0e4e
GIT binary patch
literal 293956
zcmdSC4Sd#P|Ns9!KA%sYbJePKv$k$_p6Bjr)oN?4w(eK0TIpsg+A6guLI@#LhLD61
zhOh`B3}NmrL&znB5W-RtLI@$-@A*EDbIEmaUB18X<M(*{|2;f=9p~{mZr;cJ&G|Va
zMnqckmnYdnhfEwkJ9yO7;vKyc-w}lqM~%Gs`au=q9g`{2E^%bx@Db;Kaq&6ghS!O>
z&y6e|Kk<jmw7bMjn<vI;J96R?LofX0%5LIyS}HPN%J_*{IY)i??ivwOO?qX=oHTRZ
z@&S8#i-hNi^qGFlne)RYrP)74N>=f_>#_5WJIOCyl_zrKX5yTF+|1MG)z^zlexxBW
z$IU(a*vAHB<2)-(oC(wB%$_-`@dqC^C+q+``^>?k$&zLze4fwev^giuUvSg0&8LYt
zi6X(0xu+a6Gv>I$H1gZX=V>R+TrjWkBhER5uONK*<e4YUj!n$DQ=FH}MPifZopSp8
z+kPrKO`NyM|1g<%+U$8Z9`oBJ#4jZLk)n0yGztzYS=V<)ivd4KV|O<`@@A97U#y;c
zVqL$wZ84{~<R^{AiNqi~YHw@ZHx#LY=lx<%iTZ1#$e+M<>cihxO01kIjiS$+kRA0x
zjTmvACT0as#98K0VmZvJnJzgd72l?fT-S3Q$14-(Cnu7pO?yb;(D70r;re>#>v~@;
zF)hPlZq=t|m$MQHlltXSDp>8PdyGtR`b(~J9NI#rn6J^}`Mex=0BR-V3`2L}|1Mkt
z6+G_~)xKz3=}IefbS{#~j!UksB*8J#!feBi4$|H1Cwv!~U^Yq*r<-J%z0$*^Nf7_;
z*f2qUlwtBy{Z{i0?s}Qv4wMN_Dg-0pCq&{*CI0Qw(M*s;;v8n)l33?8Ni_eE=IS<g
zW2ctq{{e0viD|%@D#3$wruB9xT89lRmSnBZ{~@FPG`zOQe}neYHjD6pgiWCS0PQyx
z{RZBIFX1=*Mq57_jC&k(<MX!-?W}DbZSP`j^M8R}gx}}&zeM_i_J@W(q5a~o(Ejqj
zC&wKhNhgoA{)}8l`{G}ree|!mNv1~nulC`8Mf>#smTO4kPtb94C^}yL6FQdu4ee(m
zDfiXV&p8)uPWv$4{)e>qJK^1y(ysx=Sxm#2)^U9(&Opi1G21|7yz7|%`?UJgu*?_O
z`Ik81`rX(y;Sgfv$ND{y`Q^v@THLR}=kO!&S@P^N>4ZYWZ$iUdr1Mb&%u7Q|b3UIC
znWF~jJSFw@KcI=mudmlRtAWVerSsQc;09!HWNy>>?eCHJSK-`||2Yk#^X61(4}+ra
zVJOt^i_E7wr~U~}0r8k?|DF0e^`njt`+o-Wy3XwlMCNy$<Npfgex3gh#YvXl^uI_O
zMB4K!8OBO^Si}#1`fIy}^+@|E{VhGB2Y9CLrIOChCWkQTP72z*eutAKIg0s~zO1&?
zOB`*i^<ev4j!dMF#F!&^-m!k2=~4fS_7i6aY2Fm+A7kkw3U<}+iS&;UZtVk4!dl`@
zWsW`w@y3Dehhc4}NLjEY(guSWgGt!e>X7wN?YfnDMC;?(NS(N5HEs4J?#CqntxZ^b
zr<wG}uArL-1*~Zk&{J5GCu758%5F8$Os@YGcN^&RyI&-XhEv){=KVv)yVm31B=v8F
zi`IKX{r{OVesv!))HJ5Pbd3H;UHvG-qhtL?W7vyiQqJg}$9%_JIfl==M(ez)YbR?I
z>tSU5(|ydrwJlzH>ND1XDUp3od&$&wBC@}EU9xqrL;DSO?j)T))b05CubfTwUzw4>
zy6e2e=MvnyA9}0)3n!bl?k(fZPQtb(&l>7+E$JlDmzqd_<5PyOWfa6YIk?{!-#ozD
zlt8@E($-0rarDU^W)tJOP6kB!&30+*JSYR5r=^#vB3w3Mn#fRnruk_entmj09~($Z
z<3{3Z9KU{h#9heRKCu3K%Hc-J^3VEx&Wn700eu#o%^a&V?6WSy|04XylctvY0H1&6
z^L}(+{r9d@zYo5rKEBX8anI)S8Tg-po{ARL?^etr=A%XR-&1E_MCxrHpTFhvUUU!o
zJYf{wtFVtDkA2RUr28uAQorte(mRv%=Am=(Uk7Se3D2o}*WmsQUL%d@I_owfji2y)
zhc=>J+$F><Cyn#abJ3pIrlg4Lj;#O1Ex>OR&o-hP(GBPvo-0?#6wj;Q2j6=O(FN#P
z=zMf^{cgp*OS*dj;{Af(#XP$Zy#QT|_8|;J`iAz8{{fNyqkZTvi1aJ%TYm%kM?PfI
zAHG5h(OP&vsyoqdqNx8*@H%XdvLn(*wV(bK+IOL$@BQDZ_Vd5Z|DY}-_5L^N=?``J
zKe0u}8e=;${@$d`Zf1OcCoSb?$$}wKCZGkZ3tvkCV=5@;z&;(j=qpj4LD$3Aa5|h6
z)w9qGq8yFRk8-BaABC|;nqO$T@)e)I;Iry3^r`yYN@Q#oGS`h^FRAn7V&-_}NjF`5
zH@*HxH&vQAUD;2s;F+Rfl_79ubl!~4rw8XuJtyhj+L1=iHr5B7GcO?gkuuDkN!lmi
z-Ygy6AgXEgm$0j8j9|WNI7cxDM(okF*vso&t@A6|O3yFuCD^x`IMw9SV2|3QHfp{)
ze;>;;oy%KtBG$4smSoNqzB`HWJxQ8J$~7PVQ=@DmJa$F67C-WCm_MA(lwk(@iX+vI
zX#J!{>xcPK&x{e<b#JaVXugWt0%kw%u=F;%=U{)}v|(-D%h<VFnt^fdk!F$oM{k}1
z_8x?Fqlt4i{;UtQZx7vzvzA8A*pYRCeSq^3`x?&2lxYHcpZ?BQ=npW7_PmX-Uq-?w
zI-lU@aAqX$Nd9T;VX%k1dqnmedOm00Yz+OBbGq{}X|vv9d(0nfQX4hj9y}``59~4@
zvLC6$e=Te6Yn1CX%7sSCl}NY-jwO5p{n$ro-ny4jKA{XT*suF6t($vn-RRy*>rl@m
zQQOnCo+9<3c}L@OCdzUb5q~CS{Fb@xTh`uhB@Nm`OK1n#pwGHMM%10@w3j?{Dto>k
z*b@=n2}lasj{Va>>Ms+`gIo<43H#US_l%~g=?5L3ex&Kz{Mz$bZD@z~HJ_7ifIWxL
zp6l<Wml2&e8s?BJcfCwE$#O)5yGiG6$tFxOT8#FE!MOXv;HZ1BX~Eg5h4eA^q4%MA
z)P+(jUEHvAX|zqc#8gD;C-RwiLrgYxwU0Iek-B~+i#Ew3zbx|4V$YdHeW^~DCi1OJ
zLz_qRHrnh(@=(5I-;_<d7t1u(h9g|!J9o(u(22cFheOh`X`Vyc=S0$O$Rnc8ZtCna
z>1pob{%H~WmqpS6I&$CDkul!OZO+{Lt)#Lq9A@6(xt^7OqV2k&AHb80(R4mfu;bZ0
z%AJyf`w{#vfl)A)=YB+cIZb)?KJ(C9<S|kvn`fB&)=7eSfx9o=gMUChlF$DOoQ=#a
z4J3015G{+A=TNk42N@*Ek#cHT|2vbTVS4{r*hoETUHvDhN3F{UXa4OwDekPIcT&;%
z*EWc@!$fV1f5Ek%*|%yNHK1+vpU`&vzbA`1@bAT^k7z&nGa`LQ`_G@?-oyGjL8fZo
z`ZKh@{jWKKH2w_wu=e8yB7Ir=^IxI;{9kbBYs`zfe)n_oQTnI0$H8$|!)J%{rtOE_
zBYlMS&~-G@)=x8*qGQgy%edCIVn3o|kI$KrI>8?2O6G0G8|(F8rx<_T52*i#tiPqK
z$&>NZv99Ur7}0!lnD@!od7N|AF6nl#pJ<pK(R{Vv9-60)D{YIXS-Z<wS2a()D@|hm
z;*pQG@yU^W!W7o3DdtD^FUj~dk+u!vhq~^l`LmYfM%tYG4(?yHum2|EW)SBX(otKq
zzBIq#xP$m<{cvv|N#h;r_p_+|c|6y7j`BvvenUHbiH)i3Pm(kr!f1K5E|@nW<=3{+
zF{0(vw8<-yUt7lN&#ZgLvOc}Q{QU}Z+IH5<H<)vGbC2`@^T_AS+dG(Re_vy=Sxfq{
zCj4=YS<V`>oV7;Rkz1sT^8or+Ys4v%YEEGuJ%u&Jy1PcTJDLNko#iX`$zP!lN;gQ3
zhWY<~yi)cMXJYS3^!pPTPfMwrbE)f_&>1iqZsPMptj|@rhp?}`5FHM?-~o7&=jTT>
zWG+Hy(U)hjhk1Z=+m!k``gk)lh4wAr9_d)tPMc@0$ste8yO?{Cm)U1d=JUytD|bp)
zxx0RsIUM)>^n)z=!Kt7&o{17i_M#o6wd|HSa~kb1g!Dhd-3#Ro%A`oV=^<@t`<w{Z
z*WYRe;ZI&s+C}m{TT;j`H_~o<=m*p24>{;zVE1CVXm3b3gn_tQfvP@h3Qf2h_!cd+
zZpNdHqhX4o?qpPHB1hJjHsIz<s&|j1y3M43u~y)A#GQurW{=aLz403-U8A4vbNein
zaH)*zkUsMYWw3rG58V?gx}Qs7>_2sgU&FHo9T0t{`%fi>eMv@SA0J1*A43~-r(X1K
ziu)w?w{4x(Qfh9Hc=ljDoD<oDp2*s8qI6bu&y()Z4w9qpUZ|q}O2cOj)6NaaXvLYu
zJo1wyIgKQrHk)AX;m(XRr@A4sKcuaK(1N+A9NvY<SyE18PKy^`wsU{JojY?r^Gwg0
zi(nb(d2}^A0Pn%0@G5f+vupjSa5mfl%x3j`M_m6g%!auz5yr#0!1uQY6^rYSfs^5Q
z(0DIJKhHs*igGo|H=gyCa3k1sTh;Ht-4}8|)6#Tafhu?dH2!+HH>y9O{{T(rP&8kS
ztNE;khoY)(4X=C%mw@K2c_~^hEtBfYpwE>O;5+w&<)$v``tkWR(E89c4s{=Q$ma(C
zbMQM48bfzz_<R=bQ=p-||Elw%&o!=wZK!jt&*^YFG}wQ-P;&aK2v$c}gz_hHubN6<
z5&h0uTzt|{PbBVrF}OrB@x_I|%Xn0OpPsGXoBtFILDG?s|Lrg1o#UP7J>%c$KjRJZ
z7JJuw72axpi+85C%sa!o*&FN?ctgCQ-Y~Dw8}5zpMtViwS>6Kweg8fG18<@CG+(p3
z*w%>t8;}?*Xd+EHyENlm(n8`m;kII?Ya{W@X9<!h?WDbQ@NV#K^=|Y(_ErXBnLm>#
zYe>S(j47NZ(j;9vu^MGa7v|D#l(jqkJd5*IPv*m3%y+%Lo4i}RRsMDg*G~q@;WAaO
zmr8k^k+xrckpuFp)SK2O$#gV96E*`(e>2bwHdD>fW~MpD%r>*k)#fU5jk(sl&0pi+
z>)++A@viaiFqeAO-lN{*fo6fWeyxm=`~02$NB%bdLw~LRslUtr(%<8p;(z8(_sg6k
zO>=Xax5zu!-{J4}*ZH6LpL<KaOTDuLS4ba5{H=1oIo(_CUG81rUFem2=lkylT-KG(
z{ipnUyo<d{0xJX8dbfL5drQ2F{2JzsX^j8rGDXgjb7hg7EjP<8lyH@7l2_#wGcwRT
z5FbbgBnCPJ+66iW+6R&XEyQd7C{0~UV+W*`S}Kq-SuD@U8}hMyYZjYwb0y_mZK}+3
zW}DezJ~LmMAI#6@H>ZP>=L~ZWcS@XT&K&0i=Va$h=Uiv8v&6aDxz@SCx!JkZxy`9^
z9(Epgo^qaXo^>`kZ#W-0JKR{eh1=Q<yItK(x2K!y4s?gQ!`+$g8SXjmVt1Ll++E?W
zcJFno+~?fa+&A2}-FMyh+z;Fj-R)k$i}hM~ZN2thme<GY=S}vec{99Y=xf)|s<(Uh
zdJlV#c~5%Jd2e{{c{{w%y>GnllZGXYN*bF~oHQY+Bx!2Ws-()KCxd}ti(o=9IhY>o
z7VIA!6`UA6CU{ElqTrRm>w~uhe-4>Y<50^`e5hS0DU=-Q66zW18yXTC9vT%I8#+8R
zIaC^&8agU8Gjx1tQRw{8C84WA*N0Yz?h36BZ3w*;`XKai=$p{KP+d3>ZX0eN4u(_0
zox<7SUg6&1e&NC4!tki@so}H3=Y=l~UlCpzUL9T&zAJopcwPAZ@I&E8!cT;sPHvr?
zkQ`1<N$!-~BY8sdl;r8jmnL76;-vT~EmB&g#HX}R38r*QDM~3znVlL+uS|b9{jv0?
z)1OU$G5w$En>w}ZbVBFWohNkutVeo}{=a&4^}OFBjFN12YcuKXHS#7c{#~SnuQrwD
z0b2M~^NHDIzA*dDesjP{jI?mEGr=i!rqjZ6ol~3z&LXGWS?a8GDx6ic@M>E4A?GpY
zN#`H5@Qco7XRA}oYeX&FmTsb(N(=X(h5JTZcz&dXm(apjxL3KiyX)Ks-RIrSe`sOx
zV!UQvoR{Er@Up!;ufJE~9pxSEo#w6ZuJbCrd%XJ@V^4TB-s|2L?-OsA_qF#OEj*GI
z9#0D&d9a23U~I5$FdR$^b`9nP2L&etOM-KQ<-se0SJT3kA-4FTCZSfL#8CTCIFu6V
z8p;Xv3k?kwg+_;pLldGcJR@{;=!8&t=z`GF(AA-e&~2f$p+`e6hTaK%7^)3@7y6MF
zZWT@pcMOMV;jC~DE!;OefEFGZo)?}UUKB15Umk7YJ89v2Y2gRM>%-NN7H)g6g^QCX
zCQqe>S43O5B`w_UU<=Pm?MMqhl>TV?Q|UFd@XNGtT(pIE^+@T_?^lVoFpYfZpZcrn
zkBxpFbf~|&>o2O~mZ<)u$eMI={mJ#Gz)AIU>yNKz#o@`I`lH-8)#Z)##<*L&BKJl8
z#OEwv_u%#Lx_jNc&R(jQqTi*|e_#I@>*Z#+--g6>cio-!m)0+>zoh=+`U~sV)!$eD
zK>dRHbLtn?KUBZI{?Yo!>K|_i`&asTzR2gfkO#eYZ{J<J`@O#ktNx#K64`+z{Jm?(
zxjPo^*rsm%v*W!T$L~0C#~VA|+A(v-(K}{FeV^X(49}i~$E?rqe}A^L!M&5c!mc-W
zy|HsFx<GwDW%m4Z{ihG^irE#rtI4j$yJC3KbeFS>3H8&uPv0lK8+Tm)>4r~h_<ZW8
zr+qs5(-}K=?%c7H9m&qM@Z!#=cHX$NeCLAgE4EMEK79MI?Sr=u+)mAIpHTZvZN<l5
zf4pYfKi^sL&ZLM9hMBs~2{Pke=WKC)bmQC{^=Dlz@<yYhy*b_q-dyiwZyw`ie&iY7
z0PrN@R#(FxZ-K|IME|f>N6HfYbQ-Jp5`1rjRo3s1e|y*Qq!MoP9%39Gtl2+?`r{|>
zHE*-`j<=1`x`*+)-}}Wo&`272jhZ)#Yt*(;B3l)uy~V~=|3<+^;YKNq(i(MYl;3Dv
zqvA%#Hk#Y$%tqMTs9eO)_7C=HztErHm-*}j|M<tB>(BEStDj#9>@NKpf2+Tb)i9A&
zuwQ@_0%HP`0wsZIxTb4Jbc(tINAouv`X^9gKLsK!V*gg3z_>$0@ww3QN8g4|0b2Nv
ze*)n^20s74-cJRtU^l~V$iKs1%S^o{(AIm@pYAR7cX*e1)qw=|N+0<dewRQq|5NV{
z@9IEDzq4QFUFtvUKj%O1En?r3$3CWSWLGwZec2RtX4BZyoE_cMe9t~@Rb*dtt5o{$
z$bIrkWOwtre8%^2m$G~Nnf=?Z?BMFzUA1QamK52+^=A*KJGjT$!_8zDcMLnY+5Wrc
zG<I=U>psrhXP#hh)n9&-0aC~J^36Ddwc&e@c<$^IWRhtsN18;=eH~<mNtQCs*fUM4
zoM1BLC=-&CxI;OayZ2K}PnpNr{tVMc7MOmrkaPE9Qy@#s2)WP{%6Vp_{KTEkMW#qD
zHlsLQUTVh5Wt_^FnQ^k*jF%N=lB_f(Qo(8bIy1$T$&cJItmf|EUNcW_Gso$!P#)!;
z;&HQ39y5#NX>)=6gL{b@?jN2pOXNj!nY>_@$v=5#^)<6nHk<3@4RgJ`X)5F`&aEGq
z)v}ZG<!*Dod@f&`^|F_n^>550{yLd25AZ(kHgg-dN+RXlEZlD9$QE;>yv<F>J7$%<
z%QvK3xj7nV;^b6r93J83e=fHT*K)HlmTxPbH5bcEX1V!?dC_cQKk=G*-E1~*m^aN^
zW{Y{-yz3bAl6l9x=P&V>`&aqb1Om|=X%f5B_I`zbgMYDqxqo#a6i5lA2RaA31iA&f
z2YLp21$qba0(}Gh0|kMhfx^J}Kyl#kzywC_k&N9^_XKyYGub_s{b;E(#W~8E;aubt
zvp=2SOmrqWM>t11Q`yBVWdE|*InTM+DRX8zM?1$jvz*z^vCeVqVUK5zb0WK(li16i
z;>=^ObE<QibGkF%IfK3JS?qf*bk27!aF)2wc<tO8uf6-M*TH?x>*zl3CAk~Cp!<@S
z>~8c@+*iDG_cbrWeckKgZuYvmZ+P9@H@!^vEw4MPXb<)~@34Q(ao_WLx$k?q?gw6P
zcbnJ8{m{#EKl1Y3kG;Nbt=EtJZhwEFzt}&|zsSGDU*=!oU&(!5EAHglNr`DMCz|eZ
zn#q+jxz9Vx^p#7vvs%ji&E?!5U1283m1d$`WsZ=m&5?2qcT6{!qvS@u^SO!pt##Zh
zRhz}~ggH;1H09ipoG;IrOXPX(!8V%9<z;h)d}7wh4(<^@HTTLFeE0LMd5j%nwaGVE
za))T7z&L#8<jPRv@f}VheLq2ln}CckF*1^Oe~L^K-kWL4JFc;Ev`Ld=OuEc6on*G@
zEXSG*InH#EIi{-|Z@S6(W~f|XhRGUpyxhS%LwA}J<t{T<)^hiCH+N(AaIaWp&X5PW
zyL!l+B@degvfi96@9{qM`=(Mp<h#+2%o_RF+#$8*PT9`)PP@!H`O-Wnd$_~<$~^3R
z>Fja7a=v!HarQcwu#3ISS?*l!T;W{ltZ?=@Kd^5#uH(AA&E3ekDYCz<WQTj3bGx&~
z4Y)CGQ_e2U+~(|V<D5I3JDt0odz^cnb<Tax{ceJr=sd%DCdcjV_Hpyve0IJ4oadb9
z*%iO!Y;<0B{^`8peC~YV{K#A4bxyt8*lpsrbKA2^PIG&?xz4N3YtHNJpx<!bbl!5d
zxTD<B&O6S#?5N*!-giE5wmBcVN4Q5iA3L?qcIOjkhqKf9)Y;{H>wM=9b_cix&iC#}
z=PJ%$m-2@CCifKgWOp7r?nUllZjn32_1%e_%&y~Pc8l}2JKsIiUBE8AmD|RR=RDTd
zd4RqAUCvt0VQ0B#vvcpx-aX3=aZ>B%W;-?P@1Nu(_qcnmyU;z&o$O9>OWgkM3{H6K
zoej<l&PVR)?y2n3^~`#ecc;ghm9wdyUN2&=aJzR+;A+3dyNfg0wd~~AvXj5t@8n;|
zD&Esy>ObV)<3Hg)=2v?Iy~q4b{u}<AoR{Bbt={eb5a9KCJ?}cM;{~qaet<ve>{9d(
z_h%yEC`?=214M}IZ&GlB$Bhbi0}(uSdfXC3@b5&^Ex!7*Z&W<pS9G>`x_i*IxeNZ+
zqg^fDYP6fh--2dZJl%0|>!WzfP+jZ6I|F6ktavx0*}x5$HyG^){c)d#4zT#|qXR9z
z?snBC@IOE`4tNXE0t<I3!r4w(HM!b>sTS`Bl)a7O-HIM%(H$OZYXtvebcV%SiI!Qo
zUlC4=!ul)Rv<No~5xkpF%^SR1&_$NWj&U(=@VBFt7Vb1ew7$U8G;Xu_-0sQk7XL1E
zjm5tMjpDOU=H4@cSBYvk@HDJGgFsvKZj1LQdXL4|@@XF6Ek)N^{2l0h7Vk3jev4O)
zK41wXpzIeFU-Np<;(vrb1P|k%fv&d%nxT(a{7+G}13WE<o+`k*8r3`?p!NB<#n-;}
zgvBpIpR{<FqEEp;$m?1384G(Qks8<lec**C1JM_wj6q+DayYsX{t4PYUWuahvk6{<
zv*Gn9n*Qb}-=o~fMz|h*6W)PU@UDfun8?;BTCdt)KLE{VTNF+E!ziDjT93*;(EbPP
z;Y4a-C+r8UN2MNiSxj?O<AZ69?uIXLYkhucF=2EMe2ss9^c#yAjPAAY?yd0dLj*Gw
z{SJO4{7m#Gi?8KVJAm(6g#D$kzZ7#7dcb0?MSrvKo(2bAi_!K}yMeu>7@UfZbJorX
z8jm$Jf{uIE(g>OcYia~J3~dyJKE@gwfo}$cwbs%Gjj;%)RMuWgJlez}N1#okB%rYt
znS^S(N?V|QBXxWv+9FCK8fW3xN@7|@>43Jf==`DW5g{2>n?UCh_R*FURPz9xSJ+!y
zQc=wV<OH-`luWd}MdvN{-<A+cdq>**Bs3{X78<n3$*6`?vLS4dQ&6=}=?Q8R$UIc-
zP;wy6B4?oKQTm{rEV2OY9Hk%1T%hQj$iBuh2<>XoIgx#ir2y5kfh<A0M;U?ku*ij|
zmPaWBEd$7TsM@WJ1ho~k&$1)8JdNgB<RY|plp<8i0CF*!7iAQhA7u>M*CLEZ&M}s;
zsP<iu%TVpFN-+$y$TC#Rtc-)f7FmuKL>Z3`vB(N^XcX;-!z{8A)iNt3Fx(;)sMe7(
z4Yd3q*P&WAWeR9{lrk7?iHvO>OUjd=<pf=mIE7h`Mb&Q5HG>nGWge>K1YNt>Ut5kt
zCs=e1VZUuT9o6!Ht^w@9E$5;~T6FGbPj1mZqvZr$Cpb-67NJ@m5N*?`Q7%BW{Ge+C
z`+AG^ndug(L1#qKK2T=SHALsQ2-^3Kw&=QHj)|h}JIkVLi<uoo+gIxdBHur0`4w%)
zITl?@*uz`29Z#_6dcvOGqU|-;qU#EKe9QId$rfE_*z;So-RD{4E%ekVH=w6kbiLth
zY|%EIZ_%}cbA#m`^h}Gc8=NC7+I9;poQj2WMTE%uaSm=}J!t!Zt|6SiE!w`?PN3@y
zXDZ7hXnB;D=#>`v0lnJ7nOn>?7Ea${DlNJP;hb(!fBg))mU0fWXg_?;;_%44YSBHS
z(Kb-j|8<L$quK__5YT!D-G3RaYem~o>lb7T+Q5yt-?oVAJ5g>z-?iwTz-*1O3VqL_
zdj#`-l$%j)C(!+Z(efy_z$X?Nhwg|Hhwie7w)tmKdZAxfbkD`RpB8PWeHPLFrFE_J
zfc+M^7X3L&DSE&nItTm~r3G8)M2kF&wzF`%Ax?XX?yZ~-7T&25C(mM@LWfyoJX&nw
z-CuDIxA2~&I1`|R{1}f8b~w{;Z$zhqj;T#3?V)HLJB%Ym>)4@e&dIo`SLYPaKK&88
z0M5ltojLSJXEAQ-$)W9?CAjyXOF{eJx9CdH`k)S+iYRm%=LU<>GOn^{n>)0hqHXKk
zYB3+8t3mr?9a?4aFF+r%_~h+8Z1J_O9<%sYq16`u8uW2XAb>sz)MX$B{RdD_fhMT7
z2l&|SXgyL-f#xXv+Ia*2>rkyD2qdCvD+IKyw7wwF4*kFqNJ6(+0`aJp2Ljs8TBqPw
zptTnN26Vf{zZj+8D*ojt{Z{d*UzaYf1VX5>1X57P5=ci0paeRjo+Z!)ZDa{_Lw!r2
zJ4(GMfu1P!q68QVZevTJH%c8T0s5oc)Dq~6###dXQTn%{x8H6{OP~O4WeE&LTU+!d
z+oc}eFyTj_sn7{GecM&LLGQuc3`^ihRLjs6{}MFQqIc>p<Iu(Sz*IEX5}1LieFO0?
zLp5&*%tnV>0>_~<ErB`cd^iKteNL2<(8W<SE`2V-3Ft*p=AyKj;!H*_iE=Eu6qezy
zHZQm6m~^kOI7gvZS{$``g@xZSh<g>RChlPLcDNfi<KDf;;%IsAwdnYE*TDmXS%@-T
z6i4lP5T3=Y_3)fU$F%!Ayo~>;=szt^Ir@slxe(n1uM*~b^fil)d3Q6sf&ba)+ZLT8
zT;`Mrn%8?#W}+WNIT~dgL^uZB9%UBiSb+eaDTfyWvA7>Wn*sgGW!!pk&=xoK>Lmc<
zN$bh$09m-NN3)?1?oZG>=!g4Dv_DM7{Vhs+c(jA2>(K@tb+74q*r&M9px76o9eSF@
ztwB$ZLf-lvn4<NocQFyvmK7GQZ%^%0Is#)@(Yp7Tn<6Bk*IC>RsFpzqLWRYB3B4go
zGJ2!M-H6^4B?YatXdCKXQiOE$HjB2QcYBl!l)j|6ucP#(2#hoDev7uV_dt}cXq83V
z-g_`gH}oNkezWU693>Nd)Z)H{J{E;J$9ux!Zb6@n(gW4{r7pEkd0KZ0?dqw0N)D(^
zp#95JJCt6aX@UDbs_~Uvc*mlB(0eyZZ*;50-G*vfN+0;dqJ7lc5hV}ZWpO`3KZ}x&
z?zXreqn}6Vi+*i!Yte6_^h3Y1Xy5m~kJ4WxX_&=77aeKw7otTlius>;C~2(4KOY@$
z@tG@<iY@*n=md*@DSD*EUxrQw`n`VzI@RK@Kv!A(MJWA8@ypRCE&fW8pl=cK2?i{B
zMh`MZ6(Q{)<5baecCfic$S>H!qG#@4TZ^2CCRp^G8Vp<HG&I?wXU$-mMb1R&$BLdW
zgY-p3&O+&bik>fnIToQFg7gVR&uT$U3uGxu+beoz3)0?-T#jnGpy#k)zD203pr#9Y
zCJWMjid>1(W{RHAf`cq_6*}0W=d)meMXpANSoEwG9BPqkP}*J5b6c>`A~&GJEqV?M
zj<Cp$D1AfGGg*+np~y`reMHgoSx{{Sy_*cGePB*SwLL)Z3WKE<JzE5)SoFRyIMu>;
zIQ%O+7I_j?JHV8qnm6b@Vo>t~L!S(mS%h&LoM|!I7Drp;dGr_y-w8=@u0`(=gC|+|
zo=AcxTX>IIf~Q!FwuR;m@(HT>0pBM{@B)kMKrgiL9g_r?SoFRxc#(zgog}Dff!^^2
zwJkx<KtXLMkZ)0K8{qpX3F;UC`3}9-!oM9L!Rst0AHCjUG`(9adY2lkwCLS>aJ5D6
z>VmgfqyW9$qW5;eH5M6y-eJ)@yx^S{8H(Oz(fhohmLK>9p9Hncpm%%0dn{6jYMDXr
z`GVRfK!&6DS@g~?c)vxouRUPV`@f*p3kZEK_@G7a0)r1(qzHZ3Vw#}qEiwvy#G-eE
z!AC8k<5BAr^u92t^$2n_`nW~!$%5J!L5@MS|AF3_1+~wC%tD{G=>1vn9~PO7K4a0l
zv|x=zjzyof=$%^dIg1>JK5x-Gw%`Vf%t2qU=zUx8MT;DdzGTt6x8O#LoR7Y2(fg<1
zKP_?r`ijM98*Q@a_Y%QZEqb>Re9fZYQ3PMN=sibpvqitJ2)<#_JCER-7X98L_?AWQ
zKZ08<`W;5_ZHwN81mCgfcN)QWEqX5!+-lM9H-hh3^o}I>zD2bCKd|VXM{t`(zq<&2
zXwmzR;71ny9wYd%Mejm_wHEzuBe>mS7NDP4^t+DW4vRS(-D%PL{@|w;b1S;bB5K!X
z7E_7twusvDxrOg-CHRF!zYhq0Y2mwE3GT7zcLTw%EPTH!!LKc%_I_jGJ6{RzweT*y
z1a)2jz6X||&IO>~Aq2m-@ZGQk_gVCNgWwMqzAu*Gj~4w7A^4Mp?~o<9-@@-*B>1z%
zP*)+64jJ~?lr`i)05@rdVxTeZOVB3J0{3NT9JItu{-IV7kDIhZiO>%BHE4TC!hJm&
zhGg6a&=ly*-bwS!fG+sogm#52+|++48+sB3J3={-hr2174}A$k9ftbBVBGYvPyq}f
zOaeL-hU4yl7QraOP$!|$Fc$YCXfYg47;FknfXTSi(Nc@^1Ul8?JdGY@(Q|xghDFcw
zp)#0BTx<;;4aec`jn0AN$?G}v1fY-WSwA!nPR0E>dK#RLo3;wghcj^3q4e+2S)|h#
zT>xj}rcOiWz`3|n(S@)GcQ3RY&c{6vy#Qz{m%0cog)2$(RdfYhg+Fx>x*D#>O<ja4
zfckdcK`UW3{zss<!CknuKGwnmg!ve)f(LPbi#}v=2cz1Dz#V`x#uQiE<WY<BJ^Gl%
z9f?-M<D`R4A+75tabJo)Wzjp4kk&i6)LlsH9bD#+kk&i6T9-8zSL^0ki%Y$PwBErz
z41M0>YG2r3amS$A9-#LVp_eS~M06v(j6K()|Abd?-;AnF;Jl4$or0d@L(HX$tL^r>
z#npD(3~%7y5`7ci!rcbdx(2<U2)%1@+oD_HJ<_MHL+`@}xM_pXhZemr2z_L6=^r6&
z4{*;$YhefOOq4k-^eOHTy368rLqD^)+30Tgob<K+zJM=r(*~hE7QM#`eFe-@?z!kU
z7FYZ1cNTXts_hEyBy^v}EkS>@xc$+eEba_+Km1Hy52L@pueh~M4p{WAD)gJhJsqvH
zxTlJQ1D3#*Xe*1JeZ#GRdi9p0@fJM;hpAJ=yAw@>cDT#Y_7-mm+7XiQXWWE?7Vjc7
z49WO24#FuGJwJy#Sv=}IoMj1IjZ&wIUxVgAFYbRlw6`Td9}D+|ex!LZ$~aLx+BZDV
zqUYi8AQ+7QwP>Nme+nIG@feF?`mv&C=`iD2@$N?FS$wro>kIq~(fNSAephr6EXJ+&
zo@eowqUCTY{<-Moa0PC)Wu?Vmg|4>v_n~Vn{{85kKskK+ZCLF9|3OsC1O7wkI*YG1
zYaH+&M>QPJ{fE)@@Ca@QS6loiPz{IrkD*UneEMoK?XLLr(`4FN@u<t>1dHAQB!?|}
z2arrVDjw-2Q%8zV-%svg@xMlkE&e9-aF{@tH_(YN1@{JYDon@yDoULx{#)n@xCS?4
zCB?D$yHMZae~z}W_>8lZmKL9}m(t4Ozm3LQe9D^A&f;%H+gtqIXwc&CM7vr1&rte>
z;(vmcS^Qdb7R<(f8?O*`1m*^hHc79v_}`<nL;AynVZ5e43e=zfGfMwU#}=QlnqC9X
z;{FYN(c<qzU$*!^p#QW4T$FlL0@&Lr4k)u<kDg!&P*0s(TLK29z7_vRl)CFone-m0
z2kq8_^;z$Jdh~<-xUUewqzDe_{7U>^(Exq+SMvVVV{Sp~$WIAe!&e3;z=_0tGIA`<
zJgiz87neL}%oU~8rv9R8DNK4?8jCw)diQF++zy9_A75By%J|@9;?Xr3mzx<LQRSwO
zm{5{h8eSG&Hfq+g@QCo7nX{_A^oa6c_OjBfaFt9fIi9~Kl_Xacly*4ioLySlk90gu
zhbRPJR!RydL{mT`URl2ps8Qx&;VQRNamnE&Rpo^pstO8AJ0vHEhga1UmsHghc1SKQ
zC6s^AQY>C{d}7q*05<zwc^+d^nOIU)(4k67mo3vYCzhlpSCubY)?pdth<>h?nt$;y
z@~<8RQ4eZ@G^mN;)uz0d#E{hF4(gGboSKZCrG@0(IP<WHCBv~axwJdm`)<7a=s4ZX
zL%b2!%{=B7_UW43Mq;`><`qO;ycJwlG@w&k^>m5`WTvT09%>X5=vF1Rcr;ttgpw+w
zg{jiBy0qa$I!-1<-T{lP@5R3$vWtH?#)m<$7*@bWi6yN4L$A~~hs+#$Nj7X|6)OaK
zyO#mGc}KqtD(Q_epo(8$tw>A}?B(Z%3q_hRvYN&LpJRz1yHTWBfk^XA*eTMY3`jeU
z8LcI8TM@T)Htfgf6(Vh80sn+VSSON58i{;vS0U0qA8JK9Y!T^L!wng6gJHlODgn|B
zS2F7qz-~r3ekt={Dd3+{4TMSIS*k!HWCQ7>mcas80c)WKYGJ=fS{!6R0T3=dpV8_8
zGe@UfMr9kIe4Vki^E8+b%V7;rf1R<n^By=Ll0n!E!e$UQgRmKd%^++BVKWGuLD&q!
zcJZJi<iZ%31xrM_76S3Q60a-qx~>7@btPU`;&t<Yc$wIoiOreVoLM5$JrO8tcgotG
zGIU=6l(jo$?Op?0VJ|aD43JNcRj?j5!A>|JlGO$>p%A74He{`Yb-esY+S#O?P1@O{
zolV-=q@7LL*`%FK+C53TXBhIK80J7ZR6rGMgj(1yk`o6RPyi(`50=7OsDZ5_z4nUa
zVrOsC=uH~EtAI3mlSXgS=(AfSPaqMpp$N)=@OgyKBYYm=^9Y|u`20A?fC7=exclPn
ztL_q*2TOUeGX}zt55+JC%7OIyRl!E61=8zJ8vQeXH2RZ9f70l`RAj&;UIe9`26lv8
z7z49lA*=-IbKnNp2K#tPG#1ie01$W3Tv!6DU_EStop3;8a2u!*DJT@Z#F8OA8;YGn
zv2$oSVCPWm9EzPoYXLilVdpUH9996>ISf08Vdt<)sD`buSEMio!jKPy8(uClVt3?n
zN=7D%6lDVW7EOcsupHLFQ?Ld0h>Y??Mw8!Y@*7Qlqe*8p`Hfx*<Ttt+HUsG%CP2D}
zWkV5^!2+ld8AI4HgdIcJF@zmU*s+8iOW3i59ZT4;gdMvA)<O+z6&XjJjib)SQ7_|m
z0(CZ?IvbDe<FS1_wvWg5;xJSKc@*y#IXn(Bpa4o>8|)LA5DRHA044!(CoC74h~Gr~
zCgL}7E-ZmnupTzSPB<VksSRX8Axs0}Pa^)LHSiQ{fjuHec+e4YVGPWIg|HIV!zS3t
zKdpX1q$EwGl<=j5FC}~_;Y$f$O86=BU@1_xDU@x>X4uWk#W6scr{+U3%z<*KfGXI?
z3&%<=>=!vI4l<wsN_gp*xYLO{ow(D9JDs@Gi94OR(}_2oc+-hDgLpHDH-mUHh&N*%
zEQLyuGVGgK1ZA)QR=`@QfvvEYi^>=XLp~J494LnhsDh193;VgejDrj)fD$e(%S2|Q
z$0h=K9Y>waA&uknMNU9Zpq@|MD>8S#$jRh$a*fC-Yk>NlH(%sb;+#gf)6?L9$o!Qe
zXYlOIr}#32=L>jtwz7{GtciQ>I$j=Z18aGq8eL49i?@iJmnl+?4dvK#exb+(xgr-1
z0P<Z@EpicQTpSC#`G){t>3q=__vBL2TQ&*E?=tkVJtE8Z@dZk`$Q1>!kuOKEcf~@H
ztFZB^6(U!ch+N~r0+E$%V5i8nt9ZdK41~RY43KZde32VS<HlUT@5Whtu|eEbTSRWg
zwwouxTv!6czj-}u0@AzrfXFRvAQNhV^ls((ts7t)>=UVsg)|_o%1J<4m84ZkT9t&Y
zB&|x)swAz|ZGf~^kAYdR5LUuEAlz;HL~i$>Bjf_%ZYSLBgu9(^w-fI64ZM6#m^Fl1
zLzp#$SwomLgjur+*7HJo8VmrQ-7yV_cV`>G|4!oES;&j&wAo#WkO3=U4G?#2CJ=XR
zB~<aUdPl(TZv5`?fOPJ8ikA*6famwpHuq9D_fj|O;(+wlQQzxIU>+~8FXyH8wIUBp
z;stehkh~uv+(V@C@O;?Hi|IAIkUobO5Q+CFpQ{sL9WR{||A~A!z>DTf_+p6XPm})B
zyLp*#BQKe+7pa*h@+>?zK;-#sD1tIr04rcE)Bx!|zn2%$V;~HqyP+87Ksi)E6>NlB
z*w4%AagYH8Py+K{DO5r=Y=+&@7ugfhY$$><SO6<vE!4nP*vpIVF%X7)D26#u4i!)Z
z8=)5V^CEm4WIzFwz&uzAl~4_vVYlcPTJmxtWJ3{@!2(zTYoP|V!d_m6jDaxZLov*O
za;ShR*a*8tULo8o8BhdsU@5GHjZhoeQp+aN*;D{!P!5$)1GTVU<kdtVpI1v@0aQRW
zY=!;2%pV6CPyi(`50(Pyyhga!HpA}d%l?UIHWWb_EPxfT7HVKC?B&M*F%X7)D26#u
z4i!)Z8=)5Vi@XsB8BhQvFb|eOB~-&^*lmAE@Ma>K4Mk7}3t$DTg&Nojdqv)gfiUDl
zG0cH-sDLWi2(_@E7Z>9o0}7x7=D|{^glgCfyG7m>NQ7)Cf-+bDD_||uz*gAH4<2G5
z0|@ud99Rl#VI%D3hY&H40Yxwe%ApcS<K5cG%Z{=&j21u{ltU%dKrQU&M-$lcUOtq-
z0;qs$*b4ha-cN*lDB;HyjQ0=l+s1hQki0)+9Dle9s$c``;l~wW$c0(30G7i}Al}EZ
z!1IrJ{xLRx%vk?;9+1w*6+pTlW824DU^g5Psf`2Ds;vgnuf=csT-e5!ykp=ge(%1N
zA8(Yvoam1?i1R7=d`dc>lJ{pZBD;zIc^d5JOI^Z$QOOTCCh>!fd{`jz6>+{I&R5w`
z0L4%S^PpVh>qH>Wud(5qX;3S&m-u_pZ|C#HFVDYQCGtHs?IX>7`0v{<@&oDquod?5
zLytAE9yS1J{j>nEW&d1}pL1a&5bu{Q+=O83uLEEb5dJ_JKlo?^)!dArb>vmQO^n$j
zhBvN^%m1UtD-hEt2Kekx5)&wa&0=E8#57KX4B&H<N-<3d+q4Gw+;q2?W?RKHCtmYa
zunsoB7T6=Eg$HdQ6AFQ}<A~o<U<?qy<$f`(pv_7^<2Q+EI|~+yNk{|y5_5q(+pPdT
zx5w7@WiSuQVGHc!2NnxpDG(-UKHwK5OmLqVz7;XyIH(qrjIAm8Pz-a#q)r3Er*#Bu
zO&b7{U~lxt6kEk~;(4bfK-|vc*%>=KlRoEOlQ9?2F0rr{aC3$=-B$8r3DW5yK-jFO
z#AGiQ)059V*Ne#^Y_CLEB_<bJa%=hV1NQeJ4(B`5XFo5cU~@ip^sNBG_pO1=!1KO5
z@5l3g8ITXfFoz#K%oj6&v<4NyRxyLo!Q@}CQOppY56ysmVuqFRqXo(|ocu<3utm&B
z{6=DDQ3(*XXaOvR3Nf5-%&0by2BbfFJukcD!Ww>@P{5B85&`$PNiYjYhqH(ozXVnS
z<tSbOl~4sWu$dQQu;=i6D1xoL5Q9!2{fQg-Q3B~45r#ed7@>rhSr+ocgE2rlB|G7O
zn9??Y9i{k{?&Svv=+tbO2J?Y@ro}=U41i*o3#(ugkj^yHIf{IaBHmHtb5uF3h0U;^
zmtta|Bg}ynPz}VHF#s0Ade|eTY?YXqlVCYi!EP}}cLee~dW)E27KoWO4X|mpKq8Rm
z>>?=R#|nf!7Wc8(eQYIQ-*I8!^KpDWPCsMM9LjQhrkE3me<E>C#LklhYQ>zqPRuEU
zIki~KX{2>p3G5Sd`cq=&Pl63%&KLlz_<;do&LqvVVqu<`1u=l%*`#?k;m^T+&K5D}
zt`W1aP|PCy7ZGj|=`EfmhW)-d4|n+-*a~~aoKG6(WApj>K>YK0c78cjKox8R>^y(J
zm<!?{0}7xF7QhNv3pGHv3#-K}!G8(<OYpx4y-1bk7j1>TVlIw>Fyuoq%mLzDOxTMF
zdof`zChWz8y@arr5cU$nUP9PQ2zyC6R6rGMgjz97v1Vxv5N|2*E+yWjVIbb6#JiMu
zmzD$ZmMw&pK;18+elMF3%Yk~kjC#Cm3+xfI+ym-xc`l3r>Tr22>=$!+9ArQNl)yY#
z3YAa|n_;h*E3o4V^1Px7HUjalApVtcK>RC-e<ks+oCn0elK58=|H{p<+x`G%MIxFF
zMNkF{U<Is&8rTYZ`SD;JKLAOCjr{n7@?AsuuGs+FV4s+kv9J>kh`F{6WI`cKgZZ!=
zh;uD*t|iX3#JP?**QLP#m;`fSiJ0rL<9h749y_kbj_a}GdhDpczXJaX{44OUz`sKM
zvG0Z$2tz&;!yG7w3aEmOP%GxfN-;N$fmyH+Rswe2gk3jb*G<^93cFTe*DCB<g<Y$#
zYZZ2_S_SK26YPWoVs35&nNSGR?2kfjA?&S1Vk#41r5Mh5W;M@Nlg{dDF}GpoZP`!&
z*m@i3+#U-ZVJTqq?Q6wwt}|;$dkyKWA)Py7fHd#OfIUFGJ6G_s$Shb0gyFnq)@~4U
z_j*9@nFi#056|x<t$TUCu29T<u|PieQ8)J!=KlR+9w7Y(NdE!Se;^-<pakXs&#Rt-
zO=2D-jR&j6JVdyM$me0wdw3^5HX__3iGcgjC9n#3{@6mmwrbL=CcSFHRhNr-oUo6R
z#uM1`1nE9m1`B{PJ-JrQQ*nTOPtO(e55oLo7Laz02fM{Q%d_W5=XstzPd?9Y5VL_W
zFXRI0y;ua~_u@QQ3Kc+{7i(ZE>=pBpKq6#|*|<W?%N=39n199rdA)+|oASlHN*=G`
z|Jo8UuTKKf*i4+w<nzWHSOCO-qY|oMBh<oPF`O67n*~q~HLzdITf}{9o0u)6x1|Es
z0nfH<f!%OG%-eC02Kg`s$^aYQrYvu-0`hr#18jvoqCa*q@3eso7y!jE3l_j~sD$-m
z-X+a<=K}e#pEvJ?p_(7&l)+PCK3K~SoQS(^1#A}cVIq{nO5oXtg!xeYcfx)#AH@P`
zux~dX6~Q!^2TPy=i1QKYf3#7|$N5kzrnUsu!2vPb3xH>z!~xGgSqgi^?C1!D*_j9{
z0KZQw#O#WN8rU!9GxGYZO3dyu*eB-mVyG1J1!;b<SIn1`e@_gM&R3-O^%z(S#QkO-
zY!R~;|GgW;e47nC`)(4D*7xYXI9MTueYp97w0<DokJ$GUaekT$8^!ET1oGRzT+Gj;
z|4R&z-mlnnfM*Bxh+*$-ewz;!Py@Tg)bYGNLmbHz$Hc%UahzG=xO2tvI>H8Vd^7+t
zW5j8UHYpINX`(o>Y2q}C6{k7zo9`E=#Z%(MEfuHb09Y$dtNE}F@NcyV_KMSnwA&D-
z4gPI5!#;81Nh_W>@nx_Ch|AvFi6?y9Hjod~pd8k~MsX50z;1C8Ghq^}6sKJrqycHQ
zBW$}GaoQ8V{T$dLPKS;_xQ>MDm;sZ-Nty-o#R-l9><NV-8w#KjYQ+g-Yw}Vc&lGG;
zAzsQ_AbiRJaZ;ZWC(Q%mrOkyk;-tp_cBe0Z_2P6QZ}#m@=U5<q=WXI-pc&;*0i?}$
zQclKB*e6aG;&&lV7t-uf2qi$;T~-2lcd3Sruod=*(^a4iWWWF@hFP!xmh&|-X?G{h
z?mX*`fA<R51mx9&^m~wQ7Wrl2&)LAq+AB^rX=cX(X=GCmJqutBY!fFZ3`^mFIK3vp
zI&pGiVJ=hx@p}&d!t|~J^666qYsJYUTpn@q$SaSu^7e?6p9t8IzYuD~=}VZt#jpf6
z0%7_Iw1Etm4}|NFef`T|oj3z{K7eNfNPEB>Aguu_0GkI?!zOVC5`SO;@N7^=Ae}+v
zF=!=h6K8N3D#a<thAMG}WCC%A=EDJTh7qsOgH_@TF96~V-zUz9BEW``<UbNE;&T!H
zqvpXLaYkd$=$+ymMqXpmV5>M|mx?nk7D!{<7IDURgyld!oJ*X;+W=uEWc~*Vc{WWN
zNvTlD&Ps84kD!ILl6c|YDH0i8Qq5tn!{fsL^<+?K)I-!mq|u<#$HilAc|v0NXj-=F
z`-C)&x`-C{xHOAA<@_Ig+UlUI^+8vgs4Kf?ua?Oz)04AIY9O!IV3V5Q=5;nL1EpqL
z-3nty<$8Vkcs+-HIrQxF&NC&8ot3}M?YHE(<6fA4)>(Cz@7i6LV_w@$Qp`mze<e99
zC`n71)KH41YIM^>O3_k1T52hx#cHk|&DG-x(SHKBDFv#QxGXKa7BUd^%kJ4a(5rI~
z(>b-daa;Flo!U7y@Ji@~P^)m9*CPD>N7Fwl9rVp$bIPn)c_;Pldr}?$>z&``ZQQ7~
zxiSUY(y*<ybd+>{6Y}5d_z6kF0ErlrmZdeECh>fFT$qpd*?OksaS1h^giC9(S5DB0
zZ{r8zgC@RBb0^j9mD8tpZl`XBC)P3L`J9RUlY3?j7@anBTHfNBlSYpnJNvXFrcaxE
znzN!+r-9vij&I>L9aorLl$~hK?w8Xy`?r0AhYswk<uH=V|23?Gvr3YsZ$lZHX#F)g
zq=tX*C)Lsf+gcv9vO~nmMk)Ls;Bp5!y>i+n1bUd%l;)Tm<YS+_gyzOf7&K>Wx6E-T
z3?48wseAjOU9-mYNlMB+EGxSx+@tf+u{|cAS3G`kNmkErpN=W%!;c;~=$H|mI;ZA#
z&(S`h^_)vRH=(9`H(2-|dom*_TAQs7)?wR7-E}@#Wos&K$ryLq=pzn0oj->;E7smT
z?%X4~7cN`0XbE*fp5`O+Y|7W1|Giyp%X#Fb<ENp8W9V*vq+PW&`9CU0S~EF5IlfnX
zDt}Kg=hVIT^UtQIvtq<+BflQ0ZK3&YiS+kj|Lc4sqtNEoGLqLXzmU^MBkJD&z1=&}
z?wx-x<9}`U){&ZR=$%hU3aw)Ma|)%UcT>jS`$Ew9*Ur#8wRf+Ubcks~P8yflz4(+N
zDSfljoA+opG$*GxKa`Yrc<<D~Z7zE^Jm+AaXr7SNqEGv@hF%fh>fYgXdy>1^x^i+N
zZ8Yj{)YTJM+R!phuvKR}Z8zR<+N|S^ca%0qMjJC%ua>F&J!PWlIcZYe>&}Y0uT1OT
z=9%7guSDBO?jv89QUBljhD~$IM4dToy@&We0A5P`I9^4H#{UoXu6;;*PC`oOyr9wU
zi+M}~Th8q_plyC?@7zi8-G;{=-?ek<ki*PNbv?TtmLInH=(rh7KC%2p<ge^(qyxRt
zUkvoflF?X0G`3S|<lj7xtPKGoHIBHNL|wL=y-cq_>r^)oKV_n8T26oUtD`oYO8q@%
zM*UKEf;r-%&Cx!-3A-BoUjF|$n%(HgVND@f6QU*`8yRi?MWmA?NBw2_exJ8=(r+fM
zqSo{8qvNve-!$6(%{M<GZK*oD`n8MpmPol;2Tek+K_;)Y_Ke&<d8q;Z&AHC0Ovo*#
z%vv0q5bMRp$1a>bF2?n87v?R@_1plZzAa^V3jdku^qu1~PsqHsZk?HQEsnbDqy5O~
zj{U7=>R;L)t^Ge+u%k^HtL+nO+our@+bS*oV0}Wb9!9&(L7R{KY9uC(Kl1C5o~M@1
zTAFiWu9=9PH(!!-TyEXnI`8VbFq`?IH8aG)dG|l|RCXzhDP13ekv2PYCeZ1(bIu@E
zi5^bF@?gdcI&O5AE~AedH0Zd)x^y}0xIvjCdv)yCYh-3rW3x-o8$W*0<Q`d*7mXW#
zUTOBIP9u*QH1O!c^z=eqB}R6Nt`AMA$L5m2J9vN9(+}+l>}8^}Rx@S-JyY2kJfWed
zMONJAydKytGU9Zxo$_Sf)Pl6sg3>;7k3MqZ<Rhm$E827)-6wZUPP@7TrfA5Bk$I6i
zo65g;sdd(emuaH5q-qnT9x}+<sYg3)vnPe!C9A*Jty<bqZ`3=sq~dB4akXP!>dw5B
z{x3C`z<S%chijKy-5xY|0+HDvvfPgOmumc>``CfqoA)UhoYGL&$peqfO_<cDZF2Lt
z7CC)870n*pP^p7w7j^n5p=;liK%bJciW=&E<QbFm8fSKE<Q4dhwQuO$5~j{uNTN(@
zDCfV8;uc!Y7Fy0f>8vejgcgxO*pjUfn~ms@Y`)DlM&chD!`Epg^^oRxHRp(dDaD0%
zO~2)=lgCb&F!p3;MeEEFy~a*!S@(&Fulv%J4lWpytK+OI^X)gZNiR9LPPA9U+8@#)
zzxNLQpTcDP1ZIo0kC@k<)<}-{bs>(fcDlxOYM74c&snCSDWba{UpGG?6Lhs<Ox*A@
zyXB<L=ryFMWl~1M^n~nAiJ`p1y7!-z+C4a`N8Yg3;ZALi>X?%jAL=(DHn)4f^zQw$
z+oiT^)3i&Ijv0Ar=>=KsyQlR@O77J?F}Ypqn2gv^m%Oyjg}svOJl~N*9-u7(lrUP)
zu9naJ)AI4sEafqg-sMMDywu*w@u@98dC}Cq=!_mQ;<rb6I+?NGgEZUyo~Ey9`hS|H
zo({C%`t;V;q!}6ax=iT~kRfkZEHf-;^5C?IiCyx;$@yIqi_-=l8Jje0?s#*4-J<@*
z+41q&#r@5Nb?1$rJB*SsLg`~JHt>J8X(-pf^{{_C3jE%XPw3_=+FZTdUcXP_?wfCx
z9^a}%Yp+$umd78lnd$GA{<He^o7LYO%@S>xMZ{sJM4O-a_w$X{+KK<u+KIMFqJ~Jc
z6Lo`SdOC@hM7q=yEMvUG8|hqsu=WtUQ(b#f3AndicI5EJZ5n$`6Pr#QGc`6b)@$6V
z$?)Q(vyN%pBF2kp88eeo-PC7JpFYR;HnZz)%00olnBXt#G^!K-)ty0h3_$++F4E2i
z*C0pjbPg#=bcOj3Yfzj<iL*sx^h7HC31+o8iM0i4?e<ErOXy(J%jKA53(~^0c;=yL
zrOgsrc+KNuCzm|@%(Sv*9pb#^?PF({iDuy1gl<Vm-4fQ;JyZAKgNeO@!Cr|EYPaD3
zea&AVVt0$*`^NvoZru!6Gg;ny|G~KU4KI`)5f^OfwM=O-Y4Qto=IY1OMx>{YNPE2Q
z<hn?mbtms{$-A)(Z|EPMR)BX%o&CORvhxX38oLaW#Y^{$J|{Z*7%^FDfJtTun&kNI
zrnK%wb6ee==BOMeaYWDGc8?@1>#%vyd?y`PhYz0QTWOB1r18P2^^YB&(>XP-=~qiD
za%>tshg3@fb|f(2CQ=sN4beM!&ix_dHxXAT;_`8Yap}IZQ*U-WkyYCdbRNWl*fzc;
z2j%9bGpD=W&6(rcJ~#02D^@jb+d0^EbW%9w=>Da}h3t@u+oldm9XPR9LQZVa(BdOn
zCS<0>huidR+vTLGb?@{`>M}Grd`V2(VCRIcX}YFNpq#%t8`*<(l5-krwwac**&*c&
zs7F9r|7pQJ3S~ETx~XpzSy!4xt3r#J5Gh<UT*(oaZdFnvE^U^E;|oX6Kx)fg@c}KY
zU0i?Px#%(6bV(T%b^}8vILYI>WEJ&nm(p)cey~@1eDhGxl>Q^bgJYAEa-5CNl_aq%
zpPE1D=)%<D9eNgZ&lsB3erSD1CK$Sq^q{;C(60Y}?*6k@Z8&#pJ84lmL|W(f9oC<o
zyIW;X8kpLt;E1g3!uDO`vyzhYGZNZ%&QDJ1n~;`V9Gfy^#(;q{hNh$>^l6>gA!m5k
zu7y22B(=#)O4jzs!oK%tk2X}%!S;yJ>gWG5bg=rP4fN;j(NwRKBAqOb_K2fBT2l0w
zgWWDZQui$>PGZE>6c-zBiuiw+d++#2k1Acb>usr9p%q%4q)zIj&MkFNE9X3;(FAF7
z#%Y`|W^LmL#@K*uOt^5DWdoTdXR}~tb{CdSCVF9E4J>e3mIVyPB*U`cX?@SBsyC^n
z!S{Fn`S>yJ*3;E*SDmUl=hR8ngm<(k<pLCzg%l2t`pQ$y4Bp?Kd~SSfPc}OhY1qKJ
z3$6CVCc?d=;ZP;%U2@!a$M~7KMA*M^;o`_>FtZqq)q=i2X(4;`GMWd4&%@_14`jtT
zpsqWq=j!7$?l0U`EQjU7{-W9N@=m+(F3jK2!lET+J`Ix<C#tDw*63i8G-2i|9hy$`
zP43P1?<)D3QhTKF$WnYf5Q^;mJZqR9^$#R_9P!!H6BB3V;*p7igKa&{drx?rL+&t3
z?p|}JMra%izl?wi<*N`Vht*L?!<aq_Ieq$UNx8*UG@1u#h{9|+JHf2*N;A>UhXUeP
zhrtZEkq2E5F&HwOXXoY?clk2Tu0U|%+&T94sm8U{!_D?-$LY2C+9_xuh0O?i67(HL
zO@(8qRRW5UEmF!uy>F7jb~4%xU_>MqAF&KTL*I{|KM#I8VA&7sJorPmq<<2hj_^-A
z@tWk{=tjqb=y(vHh47i+Ycu>E&D9Ft(Xt|o6&M(fM(T@LWf+vSv_Z*hht179&cO4a
z$yvD;j*)Zy&L#fJF}2xm3cIVJWVEX%=ITy`%JY5hc>8;<aQcG9*}kr%v#l#pK7Hs=
zZ05wMr!Ukwk;_eVhWeuM(X_W*JlG!X^mng**BL8DdPjT>t*KCNe_MllKA)Z`blV%J
zorArp>0EbnQ)|HO3lC4mCi?^IBc0(~U}$`ND3A+x*6w!(60Vrv+UUx9QV8$Cnpnqw
z9_M@bs7iOqKy|uHrAl8D#--i>UMqI610=PBeB!u7{L;k<2?M3zlq43Mw4`lz=lZ%e
zzNfObyq+&6$NInuuZRwuJze_(%PdYN`)Y5YeK(ID{+04EtdI`<d?`Dl_fGE&<R@m9
zmSh8VU5m8VSh;*6q2#u$ucy1C(Qf=>KdAYY-C<vMDAeu4#=!4wetk2=f3E|)b6ll{
zR3Phq537*G46UA4{HkDIk666;RY*it_b0{H<}&mk;!CtSo4eZ*-Rl!>>WeQL{YF#c
zl(n&3P(l~~bN5keT<?{bpC4d;3^p2RlF@r~iTRORN!K>cgPKC=B^5`v(J*cokTx0@
z*=SOB&-wxDV<+DJ$>Xm&p*&g(Gt1xCzWw8CUkqBIUz<-`zK(u%=r$Uu<7~G~$UvmB
zY9fiZGREj2`ksOGdV6z&-QL>db&L!tS6%$y?oMT@fy6W)yYdSz{~l0h;}Wy4k4&rs
zJ1s{p;Kg_!v9tkc<NWv$iy!a(r2F8t3$G;d1&=1qEQAd$X2GrLL=;gMGZ}h_!>O7M
zU($BDw6U@wVIr&fk?D@)T48n9dL9S3_58r_Jo~{?e4v!iR@8OAT6+sEcf4S@>R!Zn
z-F5aJeXjM@zWsPH;hm3IXe&A}Dt$ZB2(;}eM_}BJq>im=`;m85?WWj{QV#wc{oBso
zvt18WVIk~2^|EdodrwE<z*Jw~)PaKf+B?|icJ~eT%2!<@nL9H%ab`BQK!Q5ESPrP#
z3HrIdSz*6NKfTb0U!<;_I<8jd6Vk;C5e|z8L}XY%R%{d}7b|XPCw4AEND>NNkw`3b
zMIte2h>uv@c-JQuyt5*REwscqID^k4<N{f_xX*?bOmtsvV5LZEVm3A(Q*Kpt#op;e
zbn1)B!y~~o6vff0=Pbm-{zLCzHdR}UMMzyFU97^s!Pib)A9I~<ELn$cZ_&qm9uH~c
zx-p$O+boTIoNb_k3v?hgrV*nO`j~=uVvBU*ozTZ<0||Ysu{zui2M<mKQd|yKoK`vs
zX!;m?Swm<wE0waDsM0j|m_Z@?;s>A>3#BX+>c6<gY$lCN@Wj&?t5dhv{9p40?0A@w
zXv#=jalR)eN;o7)LSb5Zma`#Wr^DURJKw{8aI}A@Wu>8^JXIqHAF~9Z|K5v!l=OZ`
z!`=3~fux178})GFl0A>O%6Ur~L=<)-gY3YGO0(b@%|<?9HTv@4>3AkGpDz~Oy=k|9
zFyr^-rc(WD!Bo#sq(9dcPI>&*Y`|BTcO*l@{zyLJ3VJ%5ntjoHZwN<`h;Pu<oeesB
zTpdj<-e@rv9!%50gIT&Uu0`br^l6{vE{L~*ZnGHKZgj|^#%P2$s~L-icr96b+VM&{
zmEb*Gr-G7*Lq7SqNDv4I;7?N3X#2{Zmc@JTjb_`zj!yT0qdPm1U~N;4_uoHX`(>d7
zA!+9xXUi)3_a$Uc<Mt?ZcT3r`UC)H<p@Rjaine(jpgWzlMNf%mcA%#nIBnB;R>&xH
z4R82);=6m7H*(Na;<PGatB$j$*<kJQ#mQ6-CvyLuG~yo^WHbV^(64%Xl-{qM)Cp|K
zo$XN<K6L10tFN`8)!TaV!26-PJegRD$5#@}UGvj?L3#N&emD9o<%W%BnNx!FCDpsp
zjq#Hv<AIl>6VD{SGZ~$jC5m_0Ax0C~wnnEnzx?1zQ@g#Psk3=?|DI+i3{CA#%X?pP
z#Zq%eGtia=bp3~M94F^vtVg_?i{qW2HO67FUyRqDAv(6>KOe?;dh~rIZ8tg{bvcNL
z3-p>K9?fDWdT+-}bn@PNz|_RPstl(L7ACt-w=lK8`E|!;Tf5tcy5omm_oidZZT|L#
zwr<B<?MK(SGj9C<x?lYI`QE(8lk+{F`sdgj;PV{Bc}4CFX#%V3pQa^>XbG}*(MrTh
z!8`OCJvM8M)67U_T!eJo8FX|uxtp`qj@G|Fba`tJmVvwF$o@~XMe-wGZfu-Y8pjI>
z_QTq*BFnMpN`$pt{AFUQK<lCxoqaXvSZ{~Y`>AV&sy1u3L(wj=fws~PMW$fbp-_nH
z`)to9axL=g*7<zxfq4roZafyldbvVA7mLMik1$vdx548kd`WAcG~v56JZ-`Y8a`;k
zyEQy(!gp)<fC;}*!$(Z`nubrP_-2J-Of<a2I-Yq#8`squKBTtCehgV})9_n%z;89-
z4{GgiH{tKo@H<tU`eRk;ma=oYf!^kReN6k_3)S!Oe(Ct#Cj1et{XHi9LmGasiu2!B
z>6)^0x~jjAxwmfSl?m8C15kp_s5?YP+~`JPqhFG|s#bWoXg@S#2h;u3?R<x{Lh&GZ
zLgy<o{?K{-JnT*4bM9v$J!2SL+8#%M4nK}p%G}GPMeeXC(<AL(f13-jI)@Om6E6h2
zd@f%{p{B?3d^MkQCnNsmM;|3eeEU?d&(~gPbt>~Rv<KsYsS3B2kzd+lxl0|F)GPII
zNjHeDV@XRa=kP8tCmSD_3&sZ#YeXk#fsrmrVIb$h0`1cH+KzTYSdp2w6Q34K%nq?+
zYsN-YLq($1xSho&-``NJeV83(e_s3XkAB1=wTHfRIlJuzY|nKytY02O@~KaO)L6TG
zEY|BVw|n?rjVpteCJm2hc$RSNY#fmhGxi!Ny%9@6pVhkX03VtEd}QhWBw{~^d*m^5
z#8dK^#T;Jge4fMmG+ui!*B#*VX-*PSFv+@17H=4mo<&>}DG}GLt?}rlk+GHiiMbQQ
zcVBjJb>G^RHyt{C>hMi(c*93>4eY~R$%$-n6(LUh7t6a!-R!Q>;i2NipUyAMPFx8~
z62^Ue^9aRiVcg(iSj!ofe+Jk6!nPi!*eBq0CbioSQC(V&BPNRTI)TTjuC9jD-V}J!
zgcENO_=E|sYIs@V<Ubv>Qu{{!yA!M;`&pq_Ck-#LBIiZae<Pj&PW_MKIlIx`X8D!)
zK4ijoc)v*tARZ0xAll*gOnBUc(|APtqzR|~34FqY7c_j(gcFYz?XxDFc!|IVOgPa+
z;AIuZIR|l98eT#w8}VY%f8xcW{gB$8kBel9z|#i&_nb!y{1%Dt;_Zod3;b3?`=3~e
zM+^LR1O6Q=@o0hHsp8a6&Z7w@9t}Ek9*O>9;~(G5v!}41B6@6!G`;GaM6wpnI0E=K
zaY!<@lINfHO_Mx~c7R1t^rblOi^w}Vz;<y@EBDSs5gMcNia7VkNFMp7^vFQ4_GLBF
z%<7E#JHuTbm#@7a95FlFCHaQp3iY`KOEj#PN40Ukoa$N2^`GSH3mgXHjkD(%a9T$K
zPnvL=e}NB}aGHOCmo+@BASO-2*V#$K^JzVb_7htBr<Ek`ja2ch38!@-+NTM}yzrP7
zYXY`tEnf2y5iJ+sVPoK56rCYlMdanC^G<=!QCaf?lrcwxoVOW0GBh{bSWZV{*o^CZ
zG<D%{{({>!RdM5l)YQ@H4|F&$6&h!^xje<mrp9Tj4dN{78+HZi!sNu>QObO+B6I_D
zmSjs}jv?m}KL;8Kyu_9yukoAk0`UI>`4|DOc@@^Q3j*LKRX)~vK6Sebd4S;)<-Few
zIq&-xg__YiRv;VbY}SO=M!YuT)rVKo^2zN$r%N)j2vakCLQw@SI3FsWDE`sek|Olt
zP9Hp{k-ZeCx3Ypzy$!spJ;t8QHr|5&4b<Eev&Wu%-t(|_H*xr|e3GwScyEX|(*0nd
z&l(m+ivf=deDi0(eVlHheNy6I0X}G@wI%Sh#D4-jU?tut@Ii@R1m4WosKB!Vr^?Wl
zzqZmI5O`U(7r#quUEmY4{WRKt#Y#L-;6oDMi)v%%`8*1|WVw&?pxkEO^6!{0k8WMR
zBoCt4ZsI}2TgbXDJ-_gTB4QJZSFn^<q(^ey?v379*y$x53v47e;U%T2dr&G>p!F{>
zW)E&(Rr@+1`%1BoKj$>1vp%gwvA>T)4kK0(?QwPjzRni4HEP65Y*~|sMm)n7xjfvD
z-~9rgOSpaUoH*UlCgsN$a1(42oRsiMc5d_k5WX2^h(*-!brvzS*Kpi)@eFhE_7zk6
z5{vNuSRfC+z~`8rpR#A^ckw&w=aAo~?`8148sZp!hyH#UbJV8C;MVOZqbA)3`ZVwz
zMV4*_HZF2>lNpcpk^_52#2F8#$hI-;vqLOItKH!%H$EKx66>wK>e1>jJ6Zeend%K+
zTK+k@C}^X+kkbq&bD|m5;nr|kp8_wdIQRzQE;YQwu2*HWQsB?QxsX2xA<gnRMm)ld
zIIVNheu7E91U^&X`%B<y6~`JuyrkBCovj$2PyH0_%Ub)2seOs9Xluv#oD6WG3nJc;
z_n&qG=}yp{(SIQ`=-eytxCtkjC-9^RC;lMtv<WBvAn-vGPBKj3SrdM}hL4$WqMK+x
zq2U#Z*VOP5+r!5z`cHgAv>(#i(|Ac268J4U;J2D^(vd{_+f6v>NCLl8!_gnU*9j*b
zNt{K@{URPAzBizKkNQQrhrnOXzh||SH@}D5#XksnoUja7UZ_eSX$9ByD&2NOMsMs#
zzF)|S)c7sZt5l=|NEhuOyoT^fe~0l(rtS#jyO8vK{9PA5E8sJFO8>X$T$-|{hRJnI
zMsOcCns6C2$an@9XuBf4!zt!v`>tM|>0j#Q!IxLBO!Y5DVu*F!gs5YY3Xj$N3<YdD
zJ8S<@cFb-hP84q8ftS+<;>Yqgtx()6J5t<;uv>-@_FDTZih(WekJKI<0bLOv1hyRp
z59z{*{E$kOI!>=sMQE8`KCTviLW7RPX{2kK!lp|!a6%G9g|ED#E17*bp>mCeJ%9C<
z_1wGvl)YJ=Nlz7vx889_;n1CX-}r8RBwbLN?t9^j9za*o*I~pJUT^IKeFydU*h^?&
zLhs6PZL0@zFUR{yQL(}zNX{8LGV59w{B}r=AqOo*TZmcFqjyAF3frf~9WRe(Q%$zn
zmbTGyarjaJ$h}Rect@`z=uG=6V{Q2dPHZ2IO#DKOk@&@jFlOSXf{$#)RsJGy+MlAm
zx<3U@d_>@BDHDgme?dbH=lhA)0qimqubs4v>6TR)ny2p$-F|VNG&(Nv$&ybVQ;PaZ
z@pVCtpOU03KVhf=t}@nGDg->cM?^&!qPnk156At}SFI$~XyZV2Pbt$E?sB-AaquW@
ziB5(F5gqrk^061Lso}=+*RD@`yGHyzpWO~C4Rh9oeM`9#;ryC1(1^|$kA@R}6!?S*
zCpjVTvWi2lAeLFf*V%x04(M#eOKd>O58zzZ({mu}={fj){qrNH?`7~kk}o_CnfKSt
z+s7IFF&a*CMBqsiPU8^xgocMHo>{{WQRy1~95cSI;fR0cdZu_zS$j^!^qdlNa=q~c
z_UMgRM`@j#gvjg@GQ>CP+(g7T5?@6CE8m?VtR0aFKo<KRtg9ZlS)*t{R(o#KQ{yLi
z>@?UY@e=Z|i_?;1r5_zT*;@=v^i{{4`PI?J2b{B&{l^Zz?2d!i1|GcTRG_@%$i{{u
z!Ra#M2ZJp`e;O;ExvF*pd+Q5cdT{9tp37EJ^Q9osB?uks8E$LwaJo-0=$?c__e0z?
z=qT_*$a>xmUuTdQynV&gzQo%2dI&<dGd?E+9J-zOUGU{jeK%f$D_@|q5q2@1HB~Es
zkWF+NBDvEJPRv8F$b5#7ZGH^;-knF||AffxJMUzpdF%I<mcBPo`)3Rj{XIf4+<d)}
z{gw2Yxoz>d38!@^+9ypo@gaeyO*rW@0v|Ntq|XREYr;w13w*$Y->BguCY<yi(SFQ?
z)4mY+gb9CzhCknglRhEZUu(iYqv1E1aJ~I=HM~MG@ml*5o8$8@=uG@uJb#GVV=j+?
zA5#o{LH8roS;^&s;5MK%zNOlL;Ms!gZO5z!F#An-jbZkYb-=CRV8+ny&C&IC!x@d8
zPLH&?e9aZ4Na*qQzU+7+mDa64o@mh5%p&vG?%5iFKX+m}<8+Pms0JaC5AZhYD0srK
zs$o3qd;sLLaE%G^cBWn%1U0f(D5q^phCno1Y_iX`I=Xsu-P<P%G$yiAD2KA)E?e#G
zJa<5@{kQS8|1G}ujceS98~4Q9_}N;t=X0n%ht|Hp^|fD7Ko1R9*8(`Y@;m;!-Ez-C
z@xgPp;&EogY0ruFNfS<cOW=b7$CD8E&Yur^9PMe#Q}p~gJZ{42`J#Q&gwyi{K4`*8
zMhd*F;yB+T-d@8?mY>twm%mGEU$h@m+w*=B-2|Q%IQ9Z!=Xw9h;z=?a<HJ(~PJ3G5
z6DFMcBk;0{qd$nj*YFbS;d`+FUTnlOz-!>DQOpbM<T%L&5QF-Nh(N8&l95LVz8n4U
z6o^oAiX*dN7g8RO2!<hl2b~hgT_d7QNSo#sDtI+`s3@|teQK^TG3w|(nQ;8>4UuvD
z$A8Rb;k$^4ykj<dkus0JHGsYzM_)Z$ZuICG*)jq~*W+{vd;uP31=6)4cL9A?xV@4`
zym-{;^&In5)y^E>c)`%|={O~_z2N%88wU?vue|04cmJ-T!L@St>%Td(ygY<wj6rss
zh7RBd<+PY+7ij^mZM6W3&V@F_<$p8iMUl`V3!6?7lp`)8NQD1KXzN46Q7-w_qyjJi
z$|yj9G+Um&VzG}g_AiZBoGu>-W#ZS&-}Bnku5&X7&o$Lv+IYER;OGn28r$r*zc>*Z
zjpaV@m+N;Q>0i9%#^>G!zIz;fUq;_ky8aTTo`<*XxzJy5@<Tt#wtk+kv@jn@0GK!@
zg~5S^CS%ZF^khZ~53G3fbOH8ycfQ@->g#kT0-e6xM8ciVr8_nb#4j5xZA`{`24)@h
zrqxDU&(yiSyRVq=clZ;YT8HwQ1L<mf-`ywA+_#>@_Mo+}d4hcmYrzWY?wkcB^X&A+
zAy+mQ@&!u$fEl(S$CrfD5P(F?*miv59)zrRw)oomx;LiCjQ5xJ#yP940t?B-=dK>X
z-sJfw);8=lXj0g-z0Ah<>{dKx#Fg)B?fVS)!^)R6JY~Q?qL3e2JilVXU#sC66aGyN
zFPQM3Y51@S|FMRTYj}n7YBaoL`3>hGd|b+JHN2{|e;T~Yso^(EyaP7Pj~MV57}`H>
z^=a*IGvFVw#x?v74M%@8x~1%#ZlJfRU)CAzdv|Hyqu<x@7n$(=TKgB9@R)|bM8oO#
zRl26^oUZEcV=WGDmf1fc9&P~9)3>WUw3l{PZ+$)p=b;&_7t(0RJ{bqkjDs^Y!Q#-2
zZxC-ik5w(+J!0v_UK2rw#952nPe3te75<L+iRxbwIuIow@hHT)+$8haR83K0w<W8n
zCD2ZJN&R){N?C*qINZ&i_QFThoTV@2vhKb}pm`{isn1?=j)!nIwPjj6S%Wc)3FGCw
z^CvuRa0Z&+pR1I5mKj^-Y^^+~<$+}<&-oEqp}K)YKq-L`cP(=Y^#RAZRn3|JUgbEQ
z=|}my2;R-{cN7P<s9X3=xm`T&nNIo0RG~^E6lwuFBN2j_GxGLC#@BF#NBVzu>cFes
z(Bw;o(<`B9?Cj9cQb*`Oxv)6UZLR$y>q!sw#zz9-$e!}#da!(DcWi&OsfCRlsQ601
z_|5o8W!IL(u;F5HI5Kf)FxZux%6I#mqwer<qR>B=O1P@Q9+@ll-PQdYq%)9=`U&wR
zChXHO_7|Klaa;l4ka&i0tluW=Q_3$3Tl#SWuG9f!z}|LI?IK>T1y(;h{&`?KB;P*8
z&EdPCpop6y3zdk2B)>@qW`Qd12uVn@Bl77yc$eX{r};(o3dloBp~&N%kSLULM(H)&
zyY+`t&vx%#|M<tZOFx@flIdsTxyDncil>f*Qql2)mC+N^(Z!y^Y$`UM?Vf*}=b(Xx
z>(G}#6Yv5`Kc%>c0Jl~2<7|xFG~kpxVYeS-u*IT1&spQLK;SWHOCbECoOcPl&x8~2
z75KOT|B&)=4KGO?IcLf)<+qk3=tjRgspR<Y^7v=oPl1<MKj+m0=s$AQ@En0>Sb^(%
z^qeT>ItW_7TAgd@n%sV_$?w<+52f(5H(|C7$!qwG!la3hdGSiKujWxAve%H%Ci0Ec
z$X^lDB*Mq(OfM1)xnE69XhS^|KIPCLw3JHHipWrDOl*7WTQ^o#mTcDGZoeUx+HvQN
zLq{fKz5auTil<KH8ZZ9ia4>}oH_UHOeloFkT%EJe@i~idn)b40Z7z*?%!u>36z%&=
zIL)QN$4xlNZ-G}#ILU8;XG}QB8G#o}IIRhRmo&V>ke_G3?R@TO&3%r`Y0<u_wI`hP
z41uQ%_|sfY3;bq@chPeU_zMi}zscpdXn&gl{~VX!0>4AU(NB$TB)>stlAp{5yBg&g
zmT4T2XcPJwMCRY=5u1`Baruc;5#;B2>>ZCRVHJi1r8qgUrbuTMT%P#Lh{{X2jexi|
zWw_BoBX({BKc`|A;OCUFD>=KCgLqYPu(iw6g1Fcnk`bd>e@oB>3oc~j@71(K$VgW#
z+}+%$Y?q(tOT~ISRWbP^k*O$o$mgu9+Wfps(vRl}@^u>Hbc;zl9mhFc1>R@EX&ni?
zV8Uq~3A|*&f283XCY;u_Xg_YkY5fX3W5Q{D2|Ok6%^%@x`?&Q+;BoZdW>4Og<@=2C
zRgi-xaas>yzJ7`K8u1KpvJ<aw`b~I&g%E$iD3XQe@&zr=Q#qQ9&)c4(kzb3V@hDr4
zPONIg1x1BZ#0AMJ2hNSEtU}BMp;$>m4<m1~$TH?uN26pirTTGEWJ>pwqUVZe5lKeB
zV#?w~UmvWJFc&-t$~??vHhjRK5nU%sJZc_eYcb$4fp2~nxR>Uhe8y<sC-E-<PtzWk
zcuL|=0B@tSgv2Wn{|#^p*9pXPGN$Ka?q&ONfm??0Yo90HBJrxk=MigxoJGuK0xd{4
zzl-nf<Yw9O7;+iCSQE4A>`3FDzPF7LU*y}=qb-Du&j&pt1X~%G5U4VQ6PihxH6$9|
zldR@E?)7jy=xTMfU{CgRi)=$|$@GK=k@$Y^kgB6vyNx-AyswBG_twRQJe!{G*t@zO
zZPyc81K-75bkjLQ(zb9HNP+1=uBzo7=vRGRExlj*!B!k+*Vk#J_#&Q*{7$)6{u+R`
zR<NJK3^|sVGdfgLYzfvp-)9vQuEtl>zBIPaARe6T`RE_}0s80A^HTmV@{-glV-)|4
zOd+j$7UTO*jHaSxX0BVmbmFa_IR2{R7+#Gj$jtoVwJ$`UXOWj#v;GOjlHy~G-#RGA
z@-%aEy@_z>O%|+pKE|inb<l%EdpqJ-9_Dc@Q=4JSPdH6P`*q73Rhm%Vr+hxG?>7>!
z+Wa-v{igMK5>MGPs0i?FzW({=$SFF)VutT!@I8ue*+hSz!SDNY8@SvR+wm--OoM4x
z=ovg@ogrNrdt;Kp_l~^*ue+XW`hkJ;X!ywbQ23xB<MfF{waSKTPoqp)?FU-wDbWQ7
zf?sf1LsoaYJ;vTH#!oocO9ft1argp}tBUcf_<IEp$C`MYKZnk`^c?U7@q82B%ODd}
zTp?K_+K(ICbDc%tDHX@seVqTUz}KaoOl$FR-cNy-wDyoShW5~_by;J;Gr&pKOk=!%
zg?pD%=+Ad(MK#>R`$@Xh&-u6@!!WL1xo5WGF(b}pv}oUF!bw&NJY~X3XB2qFgp<q_
zIQE|2ALV~EeAI*!Jw^L*4X-fdvTAsVb#glJ{&SsCw6ALIpJu<~I-tOBmN@0g{oH`R
zz|j8ZTsIW$Z!_U!+Y$I38jk*G^da34<D&gz>KExU;(G<{d-VIHD+&B%{CigDl22fK
z7h#`G;57SERpQiTgz8q}^JHU}7VQEwfDrhQ0wl!kFpbiCOS)#8)CkDtN%jXy7bR;0
zS!?q02_i;@PO)^x70IyXm>91f6k~P!Ts$Vm$15hJtX|f!Z=%#U)Dxmy;N(iEoDlE-
z#`kZ1BfZt6_cguMl&AY^DMx7{G#fcIL{&<9dM5Gy$PncPGiAP?S<`{i;uFXa&dd+g
zo&h5xx;$--LdQ-+$DX%bqtfLP)jY)co$|`MDXvnU?$y(J2pSQc_7Zrd2w-82qB=QK
z{0v{gXS3Whr|Q}waeNyCifwBYiZr1h$!gz3JTb99KXTe1JT_EVD)v}wf5&<<!@cn_
z7*F<=M^6VwZwr?bZg-*_mao71-PA~Bx0WzHH8DE7#d0z;dV5{^^moX1!p|a4D-Pv<
zL0cKpYv%m{DpAxkW#<Gyr-DW&DxX6Z40Zg*_#0l7Zrj3tS|WJ4kj*#QXIk1^y(v#J
zPwQc)oN!N5A=@5ugq>+`I3M-cB3CVJpCS&vhIODgxITF^-)9CsWx@@74fG&=Pqa7i
z1>mG-3OogIO?<o`@&NSHaK4Y_8IN-4Y5i%{=ISheMz1fOA%xdgR4pMpfo>_H^=9(>
zYUer7)}$Nqtz`(pN#Q`}bT#Mqj>pu5dtY`e5$l7YlPiq*Ep(={Tr}jhD}6I3$9PpB
z<ltA<#&eyWBdQ`viRtEid@0ke=CXn~3}m3?8=OXd$S&k@gLe^bv#;MSXg3Afbu*WN
zqW!pRPcrQ^muUhoS-#Gn1D)IO9MVZ{=e(Tb3dss;PdW*Hmw2l9eDi7OB>L~ewgsGI
z9?$FM{q5)NW0rsCzr%6PqXph)!b!#md|boBlpn6)2T6kR=bQ0$4M#pXAD?(mNqbJk
z^qdl|3Zonn)ZkF!%2#j}(fC-5tnIOFi(iTSPAa5`6~(!=Q@%s&0M?Z7ToNw}gO`O7
zk(0;hW4vWWzBBl?P*}RZfvg7zrZYt6i105|H*DaQ4e!k^^hW)aP&OONSMs4iG?>W_
zjjvyIIyIT~1mi)Ddb8sWzi-UzDMmucU{9nFj}`O%kz{FYZ_S}tPe0$6u7;D<e8%4$
z>G3Cq(vhLG4|EiH>g0zR;PW&ob5Odmu8_a3;Roe9*@~~z^>q9>6;u0?<=^=FA)WQO
z;W-)0*Jyog)*$m2t;5>$E0)(-?#FzndGk@rIm(-F((>kIB!qrS3D7hJL_Iw6J=6Xs
zJ3MN$Kw?s~T?^*Giq}@WirAh<EK&STS?c6<q%us!(lG47S~fj-k#)lj8FwaG_liiW
z*VF2KlxhFNT;oGLvHqdry3DMnZ2JQsBj~~N>-qXGa=P|P+wN98X2kiv5bgU+IO%o*
zPnmGi?F3#i;j~``jyNg3Kiuym@PeuR&$RZ#2K;fZ3ySum2K-B$uLykHh+9M2b8a-@
zdo=tS6TYJ1e`Lb-_Sb88h3XY(?Mp1i*B7TJ*EL0ds?;9qXcczA|HL^miFE|+f@)z&
z2d=(?j8?!1zC|mDyf!v|dhC$aK(Yjif?bqaDhifR6f@=et1+E^)I8vELqo%=%Zwbq
z+yJ=6zQF!CSuI7HPynHVdI;GP)k7#`Lr&osgM7$L`c~4g=@^S6=vD?XHmV!?=g<hX
zD2uw<4KfHyAFQsVN^(SL|3qp3koF}iJcwwhUTGaM3}FgYaAmwNg%O$SIe5ClzP2VC
z^b2Po?yN8FV0Cz7J*rYsh`4RFQC{sq?i0k%k$>rJe4oS^^h2?KOn9#m=Q@OFUp3*R
zLkK*j;S^8y=NevOLBW@xpnaV0&ockrUUs$MV_Wc;5$F3;wC^+Fv=0SdkvOk!z@HD>
z0iEqEzvR!~ipPvNf4*qnXTs_E0<V~GvcC$vWW@PCkvMz#Gd~4A`S0?5BJirQJwFo*
zJSA~>df2OZ|EpqNEZ^t-=Q!X00v|Ww)E|MDR2+H*>L(a+PXAuW1tXrZe4qQ2s*nr+
zrF;|C-4Q*j(@RU$yRAfquLygQ{6?Ly>pAgCT;BzZB1t;&N>%D;eT%X}biNqaqD^~!
z@VLU-!56rGq7p}mB+962rL^0!dnXc+;njR{$=^Pld}a6DgA>WbQsh<L_e|{R9o;t&
zE61FSMdxDC!Gz13Dmx;RM}{gJ<B>>g>SS_PW;Puebms%RGINvfzIEdA<<vrGa96%P
z*p?4>=f`1n$#sL=&~bVFCD?SR{?gql2a}dC-KtYpkV)=xl+2L3+?XjyN%H0*Oe#Oq
z3oxlAI=2*HGWtr%QC(kvX`Mx|sdtrm{iXO^lx?ZMWc}mMZ20@s0!%^wMqL3WjGOea
zU1VE<S4rb-vW~RQ%4CQX54<5OpM}TsQsfwwP^9|uev6BroxH%vqD66K!t(AGoLY^I
zR!ix@3al0Ma@*LtFX8Cq73O$pJt|nkD|=0Rf+vDj3T#r8*i(yqePZ`fnm5Ml-~A=z
zj-jU8PUUK}x+dJ-ruB#dhKv>N%$4mhR?9qWu<w&K{dz4q%h@gKL#I?7)0deFe0`9M
zf?OB0VJH<rh&Dng9F~lN5xgdOKs2gP8SLUNtN_D32{!yKl5kDs0bjCBnLaWk>m>u9
z`Sy-g`)Ci4Y=0DMA%wHqbJa2KR3(PXF$X#=A_ge_#lkBiQ>=i)U~>?|qzHj9Um4_q
zN%D6T2}7qsdD7OG1pInD4w%Pjq_`}Ex^8FfgS!X33w9-btTej&)qmj#789ApU?g(-
z-IE6^-a;g{m~@1P)&^K?A(5Y*+BoI(=40LnRp))Wsk=ARos1>O)XDcd;wCUw5BhS;
zvly$eD^V>Rk)7BG|C4d_O{Ou6s(duk2p=h(e?>`NDnq80<W2F4yvAB<x;2GYS!0=n
zWvgu-yFstDrj_L7W!4<y1MCN*A+6AwR*_e&u_o#de-)>uBJ_Re=jb=r&g!au$%)pP
zoxYewkccP%CZ=1YWg?NBZ-0afaKaGV7sI4r0TB>FEP+fcBBZomPIr=zouB)WKTe0S
z4yH#MN=Xop8S4^zveP+l&glvSiv?wCkjVHV4-x4N6_uXsLODRCT4zR|k5a|cCx)la
z&czq~rKSA7=gj{%4-!HCJJ$N2Vg94Kzi6l0tyt-5oguQ3X%>62CDnLISw>o%B|l!+
zABp?MqS4`u*PE<{<0Wr4usWREKaogGZlI9zusg(!4ojtg&pqUep=j|G*?suh?BBe=
zK8n7zK-bW;X<4L1=QSk~(j`%~1e}o0V2Jdf{X}~)V=3`da0i;8j4f8J4}GT{NR?*Q
zPb>0Mx{HBsU7}s)rO;I^3(%0=uU3ylNNYTnvaw)dpeGO*5BA+O*XnN%MP*6mw5Jq`
zjb?qF?a7Vo(1a&78egdThQdB)Fd6gT84Oi?krSh$LUYB{9V{>9Vq?BcZnVEA7j;F*
zB#iwzu(=Dl(_cjdOut^YrtU=HCK|X6ii+-xyg<eQJgNbq1|*2-Rt92C9kKugiD0og
zNd${kOH4|rE#xpxscUshZ9pp6ti>9DZiXU(iZVUM!n<;Y+RdI&OIK58Yj5q>h7gxe
z?3%estrv(Q&i{O|Guv;oPB%9F+*CG@)8T1lUimjp2im{Jla;<z>zuO2y{m`((5M7!
zB9n<ICwiU-sOr_L1x<n)P3Sl#XhKX((1g2kWw4K_7{sOHec1H8GuYZ`?`V$t!P9mq
zY5mfr1C5Q-N<%q&@v~b?TPv16?Ay;^Zv-)Ank`Z)DEi*ehp$_Z)JSf+CrLy!QT!#v
zoEY^13g6b_OHdtIgmZtpydDV!rsFFI8fu?Zlu&hbAirl6O6I}0FsprGcyz@Pb`Lo{
zC-ye?v<)7dh{Wg4OiY}fjkDy+zBMtATCGbh&h%MM8)eE+O~Q8K-FPpm{{26e9j~Cm
z<qpwV<9o6hRJgR0;MsnXLIXAbmbt;1XB}+lYdCw@tT?-1%*MIe8gIYdTx}n3Pn?Ye
zi<mRg8Pqu=>%2MMUT|L?aPRg$)xWzMR1~({usYW_5emgND*by$qtVg5{iBQa+QkKa
zSZMEQ-gVsP8ubNYbD|pg-1_Riy|VwxUtq2EBllF(j-^JoegAE+Yf@|zWf+ikgVelc
ztT17@aN)!>jQLC9l}04aMf}#AK05TMHxb}SWQbBlMNL!2Z!*;wX8%)Ot%e)eymJKw
z9)sc7zVh<9o&$NM+0ohRaHBAB)YB32dm1McE3Tv~h6bWICe>;!D~{Ocp6q?q3Lo*V
z`KU7#ciWq7x#rGhUtgfRqt`ijVj(>nEY0?{x|**U8V3_CW6!-EbQsX<Ib34LU7-1a
zzCnz)6|Yo@QRGgbzMq^+q4kMs<tT*4%asd$!tdFmsxsru1B&Rj!T-tZ8tSD2q3LX>
zIFraPN1}mhBr`HJKD;zBvosQ&jKs5h9q!~%%%2InYz^(>v1mEc+2b2_dXmX#c08NT
z^m}~6VQ4Fiug%w+$0YMXx0~4u@E0<83@MM1W)7zyjD&JRiJg)}ZIgMRV2!G(P8Tf6
z3>9r|X@Qbz$M4YjN_l@S9-WAeEX_<T4vh~DW+J13XmqU*o9Yi_)1FkgtGBxB=m`(|
zJpGw8Mi5OVJ%|wK>5P=4vGMi>n=730$A*$_zTaq`e$9Df=~>QH7Ng3^naWwRe5Ulh
zM*NWkqtwr#t?4tR?KEjhH%u6_=GR6dVydu?lI3IbspRa@^2))(yRxH$qk-($)MEWa
zMP|;<OrM#F%$+@X>N0J@Fjt%ZiSw5gXFQ)isya<Ta(o=LM13RImboGe1=*!3+MIGv
z+eFn=b*}U%Wt;|c+Cl2@;q{G;3H3zC!nwxB9xK+q#}A(h_C;D*RBizU$MiGAPFf`I
z8GOo+<doBd7-^iIjq8baOS`-_Cjh^#tR*P<gs`BC3<A<ZH6NNB!89|*MtXfI{YC?1
zA-io`iWyrACz9dBuK4_{!h*YU{ksQ)@v*f`b|S*27f49Aqo~%6XJRm<$SWtl9`KKK
zdltt}29mMq6QiRiXHeBSGq)eI+E&iix=vilqS4q>L7%@kn_53h{1fzH|Bm$-#o6Ol
zRd=~0eNcUG8>$FekdIcS3f+bvJU$|FlzjDqLgHje6jD!?>VDixArgSknl975ihc19
z(IXTr)Ra0ph&xd}4LZb8n;86qY~z2>D=n-jv=_<8MG*|bkN-k)b9D>VRo|CdJuV($
zO<}N9gv*0FDZ5LDaSg}pk@Dz@Kkca?Y(Cd>cqP!^as6KfjyR&TXQ#$b&&B(Em9Ah<
zX{m7hiq7_1$G_%BV2=VDW`x&_^+WB`YGPi(1V)jUcIl_1lMIy|rvkwa?vWEUn4GZn
zyC4-r79x#LL}PN5a%k98NS3%H0u1P2LRNmrf+vSY!~XXe3Jbrp&C}5|T6MeJT@6mR
z`@1uP@m+)LqqU3CQLNl3v)1<c^T~ME;LK>)2mLKR+e0@eD3(s}%AfH$8PM+^+KH>+
z1SpOU!Uvg^@uf7jF3B}XwHA_|d=(yW7^(moz-Ysktl>@~_3SU|PeAC)L_txRUmS(G
zxK{_x$IUE<j?I_-Bf+4{-_h^O?2pIyWqkb|es=(6vP%m`4;A}|Q|Y08$FaS`*A7JD
z?Gvr71L^cYYwJXNJTh?Y@ZMt!<JtV-zP`ixEXnj$*onUkp6b?bx|3yfb@}%PDzC%f
z!vzMFz$8N;IsH`g9}S+D@>9=F2H%F0y{Hk^JyD%{BEIp(4_=$n{4dEoJ9cpmiwAuq
zee!Xf0V9^H)O{nplKRQ#5{d{ZU7`*th5I1APl`9;N+RJVE{Gx}O_uO<)>|Y@QNbn~
zgef}MV0CyAj}ZP>7UL1Z?~-F7J1fSLw_L4`MOt9=u_Wm<i^6r9F?oB#YZCnxhSxZl
zgD||tfeDsDmKQZ4Rb_ou-R!#U0JpKgZZlHd7&|0JW;C^kLH{izBSR#qh5ZNCRx2X$
zB)_{vOz8z2&lT()l7(apRbxu!&9xq+l0Z7gJsaykUSIz)`@ui{W6l5duhSlG!tYpN
zmu-b+pxsL;gK2dlN><CQ*OWFYs!@=CnoL>bf3)M3{MHWW<z4W_k%wAjEXAuvQ)?4x
z1M69eNyb0;qoEA^@Q3VjV;nM~AXtizU5l8O+eq(`@pP*2jYC_=%HL66sBiox7(Q~U
z3s~{=A3XR!8yoZN?EHM~E%UUdtefwzJ;lmAK068%n`SAhJE6!9aQnBg#s)FcHe>_o
z*C$W~DY`y^>Km$8D)=QP{5mmwCk^VjC~Z!pVW6^!k2bd5>mxe|kEw8bjU@YJvd=x8
z5A{c!(_`t}x@~N*_UmxGDV^{KdS53AS$k@^7>ag<)4sy6PqEglvGCaCCwsdiKBqgN
zd{3t?=6v&a;M-~VX~NLDwn|fdCrK9u=i8JGKxZ+s)(QhVS;|D_yNlDD*T{m|UF*0H
zgqMK{;?5ViU?y3rBCdI*L&@!Pll^^N{uV3<H8R&ZkaoKpTU{MpoxN<jl#CTxoBzA^
z&Vm0FA-W?&-yX2FcDvf#?VTu`fMvpcFRd6$2Sy|JiS#RDBo|1Wpc&;jlW^1+C{h={
zxG=o#3AH+#oUOf|*jQ1%e=#WSNAkHT_+TGJyq1<z5hT_UG_V#)A)REp0xi3u-{%Sd
z>yxD0d9W6XCCC{m<+cizL&hRH2MK*dH;Zy}V#-A&Em7jqV;>TS26i?vUQBjo{7coq
zK-{x9>*;YuKVAD7!rpKB>*C%aSPxgf(dG?y40b0yso~hvQd3g_H;A259{pbaVq<rC
zcfNXHgi`y6hWO7t*l+dsF6;YEmt$g=$+&dS`uexwA325H#4KxwOL`K|iR#|JIv>Ar
z->TGTkYa_X0qz1JNRAw;<3%En{G(*C3Gzrxhol^7r()&Nnxy=cAYLg4&uhNRf#Si*
z(nzn|RwHs&|ATJm85o}1$PElFz*nY3_K2%{v@0G~*;%^jfnNMev0^!w#d!f^tjIBL
zwIu4a(qlB_GBB<S+9;GFNKCU4LsGza1=DE4BBpyjg*q<6H^^Qntc`B8C$})^2f_(N
z<xhJl#8m1BoTX@s+&FIK&l=*pv--_M+PJ^?fpf_MjZ6*Q&<D*G2)@7gT}%bbJ?j3F
zK^XdYbxv`CPW4z*B!{9}*U9b{MQ2lZC7)&&hMj;uEN+=hpdHn7r8_60@@8GK3W!`I
z`X0IV0^9gN^}CmJSE$ed>9nTY=!v6RuFnzoXjd_jQ`B%r)40(!s^7|Fys$|)N!jL;
z^*&zdrq<~oUH)83>U5y|Q93oZBC@UxyWPvDm@X0$wj7F>CcB)`f(lNhxpuXy)7-X<
zE7H;lh86NGH5#vN8W!W|&ngP8nljwqbl=Jb?Qi%2CZVSr{L^(RpI%G!0`*JIAt`ud
zr=codF7BBWd0;Jkmy$g|wF6Kjk**=>z1NKVie+Kg?3m`<x3eVz?#mX<uIUf!teE-_
z=JG}G6`yXczJx9$G$5ilaSgh=-A+~kE|<YEIIrQ{i{E9^&n6id1HV8w%tCB^?|a(A
z?G4t(y=(7l54YhB*xOHiW4_|?)aP(viOW0A-^!SB$|V40$X2<g?vFosE~TwaQb3I=
z?}as8takk@r^ihThHr&s6J~TWK~No(j>7s>A~CgIP+!OPHnVv1-tp;ujkSMo+~<hQ
zoSB|JI~$42o}DI(5c}KxD=YhJ_Z~ZN;27zB6bJn-^xY2~;MBA3xv1=~+RokD2;3L}
zIWmQmqtmF)i}jIseX=+iA{L{fY=F}csM1?LGM7xw9Vzz=gjx50efrZst9>U_ba%u%
zJL4U6=I+UjJEAnMGc(bKrs-FXzh%0qVcy=z&NSM614{$N<$h=d6zgA6?ttuW!ORqN
zt4Uo&iU<kxh{5w^yz`Qq7^H8EhaONSZ6hBU$tfFuN1TnaDTyMzc#YxJgV#LR@-W=*
zK4-hN5hriwl+{`ll@duU7N$$P=iWd+j?>e)ukmeX_9S4i{O|I~<y>z0WO+~J<Z?E*
ze5&+xez6#2><-0WT+AK0%vyUH3l<k^*Zl*F&z_tZKRFXqzVQtuHgj@(;v_sJ|A4Ks
zc@g?uGxm#9*XS>?CTT3<>Iro{wqtx$Em-UzlEV%zQ>B?qlcXiwkp)!@cVv+O^)EZb
zEm>@&=07$t#B~eN7tBR{U+UB*@J+oh7E24~lmCx>QT!K241L+fZUkLI`d+<61pWo^
z8^H(3`Pn3;6$#{aP8)K0Qe7a@*r3_+sv`ypX^fARr>h_iT_`4rCDqQzC-yAfJs__Z
zV<Q)9I@9Akn_|?_*OmI+sdo*B94t4Ah-rX$v1uEULdHZ9DmuTrcsGRxEaZxI+nLr)
z=)(|>#*5F4+OeYFf%bmAo02#0M?X8^*^t`KC3HU0?C2f?l6Dnd)lqZ=CO7B$vHgS5
z4rh<MEAH=PV}~zmU$i%LMoN*|<KR~$10KWNb%0Z9=hRC`0jhl^ybToj4!O%$6G;SG
z&kVhwQyiBAG7BD8L&f!KSnKakEtG<jg?mrja$?W$<mB)k_JfYtaC&T^{d1rG^fQHA
zj`AaU?R)mdt^KOA0!gD7*9>r}3wR}YcCe<TOeH;+Bq>?INEbrC5XMcOIow`Fhj*Nt
zgeT`0vRfx_KC%9$J$r^GCp+T9>G6g3NB`z;YW|rI4CHc%&Y?T%cJVvvruF*_QpE03
zhVzTAi(epq1}dqxbh_?OTs)uRbW5RM6n1hRSwR>#Fw$01x@U<W?qqn?AG*J8q|)8j
z=4<I}i~APFp5;w;?qFfC(K^}KbaeOPkT3A8@3iB&zrFDN2lN;f8D?C^fB4y6c%_Kz
z5Dm;anb}QmjCh;f>khY)W|j?Vo(|=@)gv<U?&9moro(+OS@b2Y*B_JoXS=?T)w7qM
zx=AY#{URAdnhj;(3C)YVF~YuW?knA+W9~26K+Jv_L$9}ZXjn+=d+qzuSwndaP}CH<
zA8<t7>-tK+04}4djXPZlNL|FTewG&jK0@`;*eAtBfJ@p%fV^Ihf(&i!;E3f;wI_8p
zE8XyS9xZV@70x88#fmIdWF=BFF6bylhbyA3uGNy(i~4GO2aqN#bTrzd!rm_Koe*VO
zP@_ji(N8iT_Z?t!G#%df&iXnXI(X##2N5^_ogA~}8b6Hx6>Gmk@afsp2S1<6-M(va
zlFLi(Q~fQ*R?xlWm&o13DnM_<HBmw<6B?MXP|?YlG?HHWhq#9}{2iqOBj+vTi4+bF
zWbL392nAs!5toBx5}}{4j_Sr}sH3~L^Rn}qa#w6H9vh5xmD8WRth2YLBRsn9=$qP~
z?VBFVbSU%H*cB`Bss3QFe=5FmMXWlnbYupn`?C9|`Y<rEl|RkC3po+BEUGhB7bC0l
zBXLe7+oFxfYpB(CC|*|VOFjlV+G|}WHvo)jyvQQ6Wfsc84QDXr>n%l{$xK^En=ihw
zFF1U_(No<&!h*G*WXAfO(eZr)d-vOBn$A6U=DGV3Vn-2(++WiM@1T@tmyj|fdMV-p
zh4eU2M4rA&oF&?s-RgM%S@i-(U+W19BV}&*3*);IHI%#1?{AFgJo=Kq<->0gpZ4(;
z$uOI=UTN*pDTlV7IOV`3uby(ypD-hlKdkl4hPYsU+@UUZzvRj#T-(^t)X}nVmacJZ
zYij7|qFWpZ#4V2K_3y<UjjRFv@4+pO3-h%f@;9-$c<qPyElxAo<%7CpuJbV%=ay8G
zHZDz2pITmlMv~cuQFLR3LcUa7Qz$d0UVz%cjD-CRU4q!B-;n72`-4}sc01^X#KTIC
zu0fO+B+k})Sev*YvGyy_91%7a_7*O$wR*LexMPyejtcLO;2jR^o=VkfxKYyTdDpv-
z&b0;F8`^u?=8nAU9c=Ew&`=2ff3Wtq?+|;s7qXb_Vg?Jl&Nt0U6W0((a}hQa(w4;T
zroBLHRmg!>zKfxCMyrfp%~;VzG5gT`XzfXPQDe<3L+3tmU@jr=Y&@eYaEhgO^Fv&(
z3c_ik#pl$;R7sVNYv{s4M;-=>-z9xmoQ24sl?0ju8i#GziGO6r^P{i66pEIJu3E7k
z#SPksfy}|<KCDGeK2>aL`3QA<d9$b36I{;cimv2Xy3*KuIGuHQeFL5YEvbkc1&V+!
zuMHF^-mxovd&1}R6)T{d6>$!)2dxvjt>6;ga@8X1#JUr%EwU>LgBw|BRKF_Xhq!XX
zc_a@+aS_>7YwV-j8DoFJ4qd_$J8!bWvdtRS<twp=0=gb8eGqlJ0cJr&MbTOy4VKqS
z7U412F~VM8cfR(>fw_swQcu1kRUD6JcMnH;3R8V-p?qq3Y#|>S>Wp-EbQf2OxrOm^
zPwhWIJIa&!pt%pyl(~H$)GRaVgE-vMugjwa7NpPlXx~(!Cpxw_A06pWbmV<=1GCEq
zj<DXI^7ujyzl|P5I){RVg|X>V<=S7P5Ac1nccKpweg5hKRCQh=YNLbuLblVrP;zZz
z)lq&vamX<3Sc*&m50t^V2!>ZHUy)Aqra#$p?7-@*N~*C0k!sJ_Yd+4{RAc4x5fiay
zuFB5WHqlQ+LZYsnsh^h!{-*l7s@IGn+DV29f0;1p>iw+fp_2weR($B_qkr|9u|3hT
zwL)~H&?kwx=fJT&Z(wXbd)17IoFkW48mG`v{Et~|n>N;?JcVB!wuqj1K(PyyA&Aok
z(N5Ke$aX>Z1(C6tWDDgY5zm9B18)xZ=Mc$wLBdMaw$?Xx4*whbqqRP^ikihY*B%<U
zbD(x5`}1rg)kVUn$07H>0y=d->mAT53P=vK-MYE}U%!I=tDZ&ZJS6xG*-KUJMV0h=
zv_FMygcZ&Igs=x@A6Tu1Za97FhS1=iet&<=<%;$D1L8H{4hG$>V9=32@zB|iee%Lb
z&pvb_zYtlu>ENClcgN$qZ`^b6rj-b@1l%6K-{S@+fIe<fPGT%+%S%+<ppH}4Edrf&
zg42Vf#4v>!iArzLVi1Ni3Q#4#04Z(4;7zJMDQx%$mP%s25ASJFQ+^A1g!nwDSILp5
zD8%4jBhv672>gY~VlVvs`rO>=p6-DzXE>fne|~Y757F#_;KI3c?CrHv?Cn#HGkcD<
zG)=Wtic@Q=hbiv=^xAyw6y-G1n16#YCl$y+?9PNT%X8|&sHf3mz*B@1jbK+?1fD}3
zpu4b;v|Q*qtH33efG`s<ZQ?~_1PPNaP=K5~M1>4qiDINWh$6D;P4s-jn+Y+z<>GPf
zd<6l|&dq7`_-M<*efP!WHRL>B`h!FqjU>hk$;Bn*pph7}^)ifk%JQ%3x{#R$`ueUL
zZJqP5?f_F~n~Df~rS5P@5RfpO=*t9@MSd*#RYo`oM?s_s{F}r-T67Bj2|E_;EXrvR
zalv#tA_<<tzcSDq-)~!qS-;43qAe{@(099~w+*S+Kfl9D+>Y$DaQS+pSb;R^V7FQ(
zRoY8erC#(}mlwkJB&a~~0z#W=AQ@qf6ZqZ6#<F5vTDo{~89#%4fKv=hQ+;{`5(>Go
z5zG5IPQPC<;BkpVpI|d|$CYfK6!_-vfuEu~%p{(c?Gb&-7U+&Zi4RH~mC0C{?v#;u
zR^oizba#uy%MusAyQbk2ruJ8B_>hVth6(i3@RH>Nyv9U7?kOd@_Ug6@$=Y<f>WL!f
zVG{tiha{ntkS4zBh_wlMOjdGYZ%(}0@k&8WGFA--PzYyYQ}|~rTk?_ANWS~(g9kAY
zM?x|6h9KMsl$mj>Gvgbk@*{K)keDNsdt*~{x1glS0F4p*6SdM6R4s>2v7xRJsZ;1<
z(X9nWAEt<SCBGdKWcaB|xM9hn5abqWZvB;J-)h{NisOzNEc=SfN0J;e6JqE+URg-p
z*Z9<OLxX+a;h!!ySnc~JMMd?&JbUBI%jX7b?@?Y;yW;-xb%Sh!Dy;MMg?hD=^Pt$+
zKk0u{jx+s@b=WIwU+{JYJZ8ixM_ab<GvSnbE}oMz;mF;Vc*TUjR>LzUoND%o=M+ph
zYBWfE*o32Iip0k?yu!z+;%d%29~aM^7tgP1?VnZ}ss5IH&dm~!6TJ-h3-tEvCsdb9
zw!h7Qe}ihaO8gEDM}IWBQC%)^Uxle(R9jts?=J0o^!qygA`_09>$3feO?XVhU!vjk
z`zl?j=DOkcp&t#PR>V`Vr%>+t1L~@-^Xlr62>P8~bWRi1B3k*Hrrcwf3_PIqPC4j3
zP&mjoCeoXr3t}&)_^zh?jfi*14N6KR2_f<l$U4mT0ykQ7X9zFHPPzz12^;tJmN@FS
zB&)>;Wyw&=mzFnE$f||c-(yJn6166(!OVSkjGviHgei$eFEqjI=F~6nZ5cm}{qq>#
zKm2dLPw+SPPmDpsQQPtP7I+`SX-LCq9t2)6;UCxVk_rEjhHsc~TKD2P<0hQ;mB2G5
zoc5={Q-p(;!4G122mEREwJ>#ELuwK@C(_xc;#^->9=$k%FJe4%^kPMwNQG)1*zED!
zP(uMY`B!+INRAuoL;}AazbD#Loyd>zI+3^|%ko*O>nNYIPWnEcvxs_-AJK5CxpXJh
zPT2en<cx*tMDq4jlj%-bCsO_V2o6Z<^Qb1%ouW=89!qs14RMfic=~va(TRu!L|ZyL
zkTyeB3R>?J2kFvEL&lvUQ4n$+MeDUPkPos|^dGB%eUtQBSSqnTlq!QG6Sx(6a0qe|
zzEb}8ar{m9#@px<k}>$tS0Q5>_4B*5<>@j;kD($3mg1<$dsv|>x}C@ACT`rheevUX
z9DalJZn`6?5u>T9`&(M7wtFJ!GUUa@9pOBjh%_3Q{5*Y8$RvCC>u0}S+s%$&wb-y&
zR!(1hTX~t~zw#A~i~3FXs@ur!hQCoUi{F!DgC&Cgrg73;&^A~(={(2p48<KPR!G2{
zex9qlze+#$TtJU7^?Xjqp4E+h!eWVcF+P45#J^Qqq*d$1)>GZLzI&s3G2_&^)yy{c
zF|z8)O6^m{V|VXUuL|7x9!8AG@&P_3c)aBp>CRw^vZuMk{}d}|UvC4}DX;64TW!E4
z&C*H+)-Rv^%F%0`L03ap(0L8rqQWj8yK)Twuf0+GZMrkp2CuT(7rKMih7&W<yMzvX
zAAPZ6ep_{VOZ%bTAAQdYUmohE@^k$sF&_1fomNio3Jh0F{wuMEYj0qo+S}NhmzP-;
z|2#`eydQF&(GO9Zh}J<4{jghhzHLVD0}f@Bp`j~?V!=0x4)6=QX~}<iqxLnTiL(3R
z$K^b<^0AXb$EXe&`!#;ERln^>E-QW9x`Y#lMv7$+@=Dxyj9p;GV52^3)RX_-ci6jX
zpZV+;*qJg5u&&b5?`yx6`h5_;MR)btU?sskpf|Wri~sHC^HALUvGQi+ozQKaSogCQ
z<dAgH*)}|I0W+oG1Vt7VL<T^X66Gn(&kF8CH?@&_K7?0_oFxgH1vg?MDx^;Yi7?kT
z(ILv-tB>VZ%7I!XP+rL&yZY~@u3Sl_R<4{{Ro}4HgI6}z?zV<2i`ndAC2VE)G+tR-
zJ!MVKpBf)KIooGFdD7Z9dva|2)O^y)&+}MS&?ae|q_H#0H0Jd#(6~pp{??tJ^e9&1
zFO3#a#DGE!#M+_=7_t^oC<1vUiQ|&4Plxnwj5UhfL_}F}iy&Dm`FoUP^01+s?_J+m
z-?zTL5t}(N_Up!5U-Z^Do;ljUj@I7Yc;w6*-#UGAve)`+>L>V;ay$4=N%xgp;(lMX
zXJi@({0sR<X;qM|EeOqqd}c|GP!Eehi->Q*2~bXg%7yG697?KFC?lnpPxN^T_j<BX
zPa1bl&79kv_C#}@d!GoF5*|!afB#C^?@pA03k{y(rH%69&4&gC4&A(1-dGy;G%QSd
zN0tr^R!__)lk+F4gNK$zypy!&!FiR6@+Rt&7c$v;9Ze0E;7@^vIc}TbIA9h3BaSz3
z#VtSOc#8@D2?)5|{qsMCt>%C8_MHP;pMQ+wepKK_f8_7-J;Cp>r#)e}t9Qfw82x-V
zwO0;{=Uk*Oh#0dNbkqdwj#@pSOGF}_$No`ckZ3J+VrDuqUo?xthberp=OH=N_#pC)
zi_A5uWeCfmlr2Itr8P?Ve$w$Q6E~obwi~WGK<q*_&Wo^4vwo|*VdDv^fDs>G%N7oL
z6!;xHU5=o;sjJD+8usP~ts{H8`xD(tQ%f)sclygo-;^UVePUwzviZc=;!VYCt~wFz
z@i$U6f@0<J#cot=J&`VlT6>DSiicphP%Qg4*OX@H86n)6^nBtb7R^#t=R1?eB<ORL
zC2N!ZKT2WAU~J^2Ml}kYPAO;Fx1~}A>G5iHTJoNb3TlWX9dZ@$A}Lg}k>aA^n;904
zV4hSZSH6u3iiX*~?(%9SF;@wf`&Tw1)rG$P<FE>{*Zce9?u7+^cUx*G*3lX4bB|6l
zg~it&R^C)TJQerkX7fWEp@x<#*GhY;fk<}hmZ>LQi7MOzw&|uww%8ra2HTGxIr_e%
z1)<~GHrLp{VBLf)`^}W8TRW2b>lQJ2t_MK*O0C?fLu9d7+}uIyn^Fd8JLAM|<!(`|
z1WFbA2ZnMe!%KY|-eNx9+Ay%IX`>}nm?_vA9_|bTdfgMRecj87p2+cQZyr7Ik5^9J
z@ccV><u4;UHQfpJeQxg@*DWQN@K~HjJrdY@xGiB2>$(MNoIDp~+ZOAZI!bF^zXOOO
zf#9uIT`Zbk0KOLCspt897!)0{!V05`UwxtSV#;6Y^SV+KnPa!Pr%%SSNvfyWJCf@O
z4eu|{%{xOW@7fVxvh08_e=xsmG~;lka;1<LIn${*Usu@ejwkxOzT)U&e(=y_bm7>p
za3$O4be>&KjHbb<h%Zy!?Du1?ik2%?EwwH#TGy2>K(9sKI3y%_&HF6kHa+sRbz}S@
zu0=I?_klVTy%6IZK%6?&ea!2Hh!PX3gIGF1J;_)+raMD_UsxRuk7u#6EAz?xzF0Ig
z9xF@^j<*M0-bB}Ji_>ugVCL6(CUteRwV{22C%gxHhCN=&pJvL8vYzSp28Ls_h?u2_
z7?`)<JVJN3ns#knCYn^yxVMfH%HW^J2vyTQ`ErwdFE*l73}2FBeuuO0iQ1vE#ED1A
zDYmhz=ltI0o?NVNt{g7yJ=5=*oSW@tyBi12?k!Wketa<2>3<{;Nw`~`ZEbdYc<{i)
z$Q?Ib5yuXlpO0Q~(`}X9c+zXLJG<jOzC}KkRqV4bWA5m7c+*(w>g4G6UkZCMd3-72
zz$bH1DLO{j`p8W|vfoMZ`qJgbt1luroMPF8>lf*ZR%;^Xj>qDjb)|9DZcQE-TAqCP
zw%=X5IN9pY^wvJZo)el&UO75~X!agxzvM@H4EwADJEc$8gX_%d#<d178%}Ygjghrm
z_>s0oSgU>{D=t>DSNg4VXZdg(npES!>R|Bt)2FWw4z3RLWFv0nmx?=*MG$htrTmh)
zBRT0g`sByRbEN!5c;?FG<tt~x7vCM6y=HCgnpsjQ5qtl%1qpZPcTU|Ob)FEt&uVO>
z2-T$RjKmcrD}AVv-B220j;_|$pksW9-E;XDj;3r=jbw{vmR*~_Ww?U?ba}q|8+Ch7
zkMEbdc^|n7`eZ3hQr7ieVD>PJLR&fyeNSX7k<C+m7lHM&k2BQ9ek<4x1cV(nT$*AE
zqOVL@sn>S!SX_9S&8E9reXU+6TeI2@G&VGZ7FPGBnlc-Ot|BTKG<ip77o+W=&d^%1
z2eZBsaZg6xP(Hc4(z3U0vXt1jZx;^3G|o<p^M_aiZp#UEoN{66wg7qP=DUucL5#!V
zfOM<y7NiM^wM^9?D4!Y}CgtMg6SYbr2t0|OJMynKcQxw{wY#0!=*q#!BS&7=(A30!
z;hA4-u`M*UTyxFE8hf4S=Q?D&4|ASI#<yu-)kXJ2ghvN`QTsu$I}t7cC?iblDbi9Y
zYBhpaVVx7)1brm~vzKDG5R@%VZ0fyy!UmTj7P7vcDRxF85hoUryVK!pZ4J1ynMTFG
zm<|=45PizS%AeLApPjXP`oe4v7MI&atE*5ND0GDqxO^`}^oO3x?|Jm-H^0iWf-ZpT
z(!ZrPqqoo}gsL^*Ji@7tt!I+Sf7hNYj`VKy6f=?5hQfUFMoVvgtZ)9_J8l^8q^^42
zjiuB7a{2UaFSvaM{R)C7zZ*Px5n85+-jclf>d<-e1#oZ%Sxl11jaN~(J_4GHtQ<9F
z&JUWaQmBCU;<WIHg=BZ>U+@poiFo<cw!EAdWf{_0I={V*BG!h6J$mK?m*O_|Jh1o{
z#IvLp2E*N%p>Sa&8FNQ^<34uZA9d$rZf_#*b@#a4VR!HNK+u;RjU_6Pj(}wP?QJ%D
zAU|JBOqUbQ4PCpc*%>G2{hi@L$X|$dDGf`F%$*#GCyKZcTbBb|PiIenf6$$qnysl$
z*V5-rtu0L2wb3U})n`QXi6}TAB9>We;lM;ZK5?MXFJAj+S5{_cmzN!}+0&DgXJ=!v
z*|U?Ar)OgeR~|Za?%bh6S7K(oIGdEPhvNFVw9dM1luG1Uw_q+v5(!S<45SUSL_5d9
zXGyq@Ndiy;owQaXq$ds~n1nE*M5NfomZELM{%fp=-SPge)(vOZ^OxAyo&&oO^Z6Ws
z*0!i)YQnXA_+<LrH_kPl`}*b6jSHDG$CkVNUfXmdb_#UEy^ycJ0bRY&)AyNIX5Frk
z1~hO2s!7$(qvF)^mZZU>9uTw#(v-*!Pdi^6W;D&+>Jgf|II4zNnC*=r@aEigv5}Qz
zYBw&%V9JXE0||FWZ!s1qCOom3huQn4PfzvUck|S97UJPlbaZ4a@?@a2Qb^AY_<e<i
z{<|_biHdWa7juELg&vi2iS<F20J82;kJYGDbry*Fr0Ws&g<e~UVk@L@zA)bhfec}&
zviu4Rgqh}8OLi$+s6<EC^1)Kf?TnUs$JTJvc0{L7Pt2T}3@=$5ScCtv#nGcvk%gZA
zxlCfd5<Ye!J72^Yn8gqM;iDLXSN9X|RE2{}2J&+>@Db2DqF&Rg5^ILSiD;ovH4S-P
z9*d0R-oC`v-=W}0g-Aq4dj{)+Ri_%~*WbL`@8w59>c<57@y}dVYx!dG4r-l4)&&P%
zqN<Xb#~}Qv6u}D#Oq3+@p>u>Fbd8YzIr<!=v+ZxRg5NvCDQ|Vr>D%w|hKKez&O9f7
zC=Y$hKOFIts)OEWA=Gy4%*f62uIamHr_RihEu8YI){s|q1J3A_S9OY3G~zoD<q_4+
zu5~$9dP<cV_VWLO?5UT&SI?fh`))mZ>b*jKH*e0eA7PH#5a)w2vVm^=w?!MHG;`|n
zRj1GyR~89x!JJ5y!jgix6GdJq!AX=4ppvL`AaZciy)dMaL9Lb2u2L>5f_H~2Ru=+y
zPj39(->$!|;e|&&@P++vZ}^mh9cE*m+B3hceX8~m4|fq^jZI>nZpS=ja3;g-_;~+y
z`+~eHLhpawR*sTd5;eq?=vtK;9Z7l!4J{4(UL)*glVs53OV8%!6~~~N$a4)}elRnz
z;?%LxpwhU%L1Ap~fwcoi8k##C`+c7KZhQD$EIxU7@Fijix(nHaWA`y-_~K`+S6&^c
zRE8t2$?K=@eU0^9m>_1UKsG#x`5EPTTy(2ESM2Iyv5XQ+WZ9D>r$~exUdgIdLB#Pe
zY`Q`R5w+Cxi!gb#XNv1paxV$P0gNVOECB=f7KIuQCRaTXZ)-Kv73pqoXgJ=`(B2(!
zW(J#GA<u4i#MgFWPj<Ph!8Pv)Pn?+8`?Aq!cywYexo5pC)E^5^rc#sP_(0IHakOu8
zWVp9CG&Z}Ez4P{Le?L_g>)+hNUWc(}kbh&+ZFCL)0<l^c=INlL9;GoU{8))f;4tEl
zU^WyX)ee;tbN)au7n>i9#wYgXOLIM0Pc9U$B;4L)If$xgt>KUPqj_(4q|Ff>IxsPI
zVmcD@4Y|5|`e)O*(Ns@!i#w3$@vnk6?8Tfk;7*bNdOD`tXfF{zN_v-Spef6DBJPMv
zuLv8y@HrFrC7-jD8Qa*dtXOkor==J;7co7Of>?4SLQ1Ivv)S(A?s9Cd(mOnQ-~?pI
zr`Y7dLGNgKbn4ZkyF266zRs!faG~Pp896b>n#+eK<DTqHe&|r3q3N1^I0y#VlaZlr
zM?7B*k5-S=8ds)*m6Wg5xj3|#h6W26IVaDj4uoH6oIOYTC}&78)isv$*k3t$dZtWy
z5fYfgJIam|Hfk!Z1HUB(0oxCa42DW|m(hZR)^C$CRHQxpFHiO4vf}M4hqFU}bl|vR
z+iPPT{)C&(tnB0+E8)PvRN}_xhlW;_P-G(SYFW8_DlmQV?Z;2#s($BiIzA9`^vv9F
z*wH(+o=ndd10Vm`HLpIJ6gmKSKl=?%j1^QnGOfhA`06_OWn>?st^u(Q+Kd!VLvef*
zc3l!v%#HAJ6Jn+EFg~GG!cgb4BCJ@QX*N(fwVa*opZ7+64uAi2a$`2LQ1oY)PgbDq
z*cj`Z>i3W3!<mQQ%c9e#rdD4vRP>hz$70#p{vPF*=Pr*;A0M4MJKx80hqCNDlXpxh
z!SZrp<1CyaWS6HL=@_JCQaKC2Zci{A=>^W-&+#h+ZuxJHb9)NMuafOyr$&2j1K{}8
zz-{&ftm<UP|1s7~JKagD2)rV2Zc}@Lx4%I?2YyLBhwBa;ze(Vhr*)h^N8lBSb3V!2
z-zuMTn*Z*9;CFpioA$fc$=?;vCtN(|I`N#%-(dmFDSt}-353DftS=(<7XAMf@G*ho
zd}y=Y4Vd~#zH*~K<Hf?Cv7?^@qfq`C{(}_u5s6@%^(ET#|6bzn<oLZDr}k$2KCS(y
zWc#=A_All5kI?=y<t@~I7`|-Qm*F$&|5p6v0_Xh?Q5+fiL-Rhsu*c=NLKKT9@vOjM
z;jt(OIUQ^-;PjEtC;Aw1NuN#fml*vzFP80h^7qj5KhMWyv!IQMK95Qq&jha1N6^z|
zd4l6QeFWWXmjB|opbtI&-Ms(Jb^SNu#{L`qPcO!^h@RAcBd+?5@O*18?`QMY{#%0*
z-_n0;K;m2aj|eVWC(Wk*(>y+f`6c|X`M5B{a(>M?W*9j7!{U6rEnCNH!VTj!`PB^L
zHQ|QwvOnYfY}q<q_9qhGGG6w2iEkM%d#%Kc^M&!UYxsCuwvKlTF2?%{wD<7!+yd%g
zJzK;&ft!vs^Ytw7ti+!N-}@){T9cN}=a|+r@J9r`LAXXA;51&eM^KT?s?i7dcK$^?
z-@44l)oJ-2pD(%JfzM0)I~<qm8Th2czs_;Fo`H`_{Hq)n>zVf5J$!zhe16q_68<va
zDOfGu!`tH%tOv}6V)S>u7@w)@*@&z2i|1Ia{CE8<$)6+oNzboIoK8$OtLP7{&&T+D
z`RS$_;9_1jLH}>_c@h590n1bTcLh#-M&MbA(?0zs(O)@io)_R>5cr01UVZ}nedrI`
zm-)OfF)kW!oxfJ>3oDH`r5v_=m-kc73&wj$;@{%9#%HVtCI0Um*Z7R}fW*aoX>@?p
z!9K<FU&-5R`*aJ=>4RLZr>)J1O_2Q7dV>N(F#3u5W!8Q^za)>6Tpro+={%lEpZ^M<
zC&lNGOG&;?>GN^<Ijui9CpCGKBza?@7LRJ*|B(Fro%ke4e3gIx5Bzib{s&E;W8D1n
zzt_J1Uitak`1dh>{`sf)=Rd;t_ks>W9woUvqF=upt*HN7KL<7Vx8>)EXMWmx3#Uu7
z{NzEcUq9jFCO!_jh)=C}(fVcl9IKz6t9_1fHC)E~E%>xX7c2A!LDz=U@^h>qoi5g!
z)Zf=WCq9<6O1j9;F)t0r<@f)Ke=g}_eIEZl#@$e&^&$DVMj7kU4xdZPh|etr(B)NP
zABd4DZ&&+eeM;LmI$ij{<$C$9wtw{Xg1{5?`wh>fe#?EK(?#Q34cExeX@6+zg=PTH
zC%RrOKc{`7)8&QybE3-?@^jiRN#YxPW^U)76J3Ht7rAeAx*$4Ctd}jHt90R?*XglU
z=&>!(XSjZ={2Kb+S^7QuysqCu??sHc#CvzZV<ueJlONgve_#jv6+7VfoA8v@pI7dH
zKWM}$c3SqoV8Rh=EAfm8N35;HQ##JxPqF996`Vd*spoT_H>aDx=Z!e0o4|W_z+)zy
z=qB1fv;+RY4)`l}!0(qhKacSKUnTm_Vzge6ix0mq@4vw3jX3YWz<YPVV<w#XFWNt}
z1OC7c_$zk6?>FHz@8bEd+yQ^kh||4rvVBV8BjkfMoWH7fwQxG*3FmaU8uYQ*=fyc_
z6LC>!PwQXcy#lu^;M~+|z+<xgchUZ5hUY&d@o#SV-3JWqpE0z5g~Y#)_P;UU_e=a|
z_}ykJ(Lwa*l{?@M>d$B0eEo~|1&RMRp2HMc{{qiQ{4wAePB($4B);{Wc*733JU^no
z$<xp?liKs2C)(GYXRFMi@*nmDr@uJo&I70QN&D*wPG^Dl?tsTkIITm`{-GW42X??;
zu>*d;#JL}b&&!Q+A0>GIInMhp@OhTt{oi^{ui_j{{FdXqJ>(_vTjTkik5}NmJK!-B
zPU98rAKC$bU<dpaJK*=5a9VHT`LEmof6$2Y^&{G+OgQmjffr0TtwVuljJQ>|Kiseb
zF6|Q19zyF)Jm-0`{Z_k2m7V7F=QyXou!qb8r}ZY<(|#9t?+$p(gcJQm`-gVGAJ_qZ
z#SZxWCY<Omp8v`n@CS`Jr@v^Ql6e2-u!8tYJm)N5Z|BHC!1ot$zMctB**T8&sOtsz
zoYTqtxvn43_f`Es|Gus#Z2!5gFKqw&y56w;=equ|{pY$KvHj<|K0%)oea++3^@{C3
z*Yyj0&gpIbzN$B@ZVppi6`oIW%Vs|ZZCuD*;GFJ+Cpk`3k5SYs=7oQc)7|(vm(Kd<
zobJZYxs<-d=UiGFK3C<n`ukjJU*dBvy)W@Om*SWBoJ(`V=R|j7|G8AZ#OGYP>z{MF
z8^6z`Jpa6c^$x!fo-g*nId)XXIo%1T^$MJ?ca<;Tdm3NRKiByKKIe2de_!Vl+kdX}
z3;JB;7y9#czOnu1I{(=IbDfWD|GCaj=yR2y=)bS?mF+**`3pYR_>2C1&S&6y+O@gJ
z<Ii&NH<~;HGX6&QG)kux_pnn|1VuD?@ajSF!e+!hc(^0fj~onf=W9Z~qudVRD9BJ;
zA-`Pj(s5@9-njN`YB@yFXU<DRpG9|FXv!SRc}Hg!{y+>`^>Ua^pqs4mSeaH!5>bd4
ztwZw*Um|MqlUQ%$)uCK_Q7wleQ>Ye~c4r`B34B}g4-nnUT4l6MFg0Hes!=q-;#?91
zaM;jQhbdy_@KsN|*Os0>I;2L^3>}_M+kNR&4hAIhA+E4T5c@!JlcxEpi>T4#qeLW)
zs8d3>hEt4FL^x>7@v69Eib8IAxQ34c4Q%YpT)=B{#Y5?p;Yi=yvC5x>Rx_)|eCg5H
zQZ<BdrM|9~uFej7OMG-=l!tC8$4;cjGJz&%rQf#;q(Yw&Lx=i>bpOE?zo+yiVNDqm
zokThvxyyV=r;GcLxB+^uv(opKFMWxJx6OZJ{J@|7f6ToJVB=+(Kc4rSv}vbl+9plX
z+*flqN!zqZ?@sSy+RjWnGo9%i3@|X9gUI1>Gc1DO`2$20MEQB(;;4WJGQ%pMA|far
z=&tCxg0hIZuD9+w>HqV*@ApWW&Va7_`|m)T^vO5h@B2RQ^FH_cJhbnbt_k=4p7bE{
z%WXP3{R;OMvcRhGO0}7l&?%)g#v)XxA1}yILB=>u?#V41YBmgCHW6Zt4ep8SH-(rz
zdGV&)@{POOYd*Q5eNSer-`g9WxO}+BKNOv~YWmW)!R}i={-v{Wr*K}BUEQI3f;}(A
zaFP;UTwS#R!U4R0grN#A;B>;0;2Z{j7yPXPCM5-4*kihfF?Itma};x-u_H!U$ThG<
z`__gKd+b+x-U;|dd~z?mjRs`fd{)HAwQx8NN1_QqZkXka8yiA-`<~l>P0#yxDZ>uw
zC2+=8ifrH?Tm1!lR<{Gb2|c2<@_pnLz!|Le4&-?nt=_p#_WT#>zCic59F_U**H_~n
z=Q11J0<hmg9$v8eIA8|_jIZx+bw6XbBddn$_8XKKzBWdY{D}3W!qTO=jrZqLS{frI
z!**=Fds^fx;#psn2G}XmA31mDb2tI)^U@Gol75Hl#>8B4-KQ}Bc0T{03ah{guDeLe
zvg`PDZ&9y1AFwMp>?RdP*S(#?-mJpj0N70&_9hi}oz%(h(#J5Cx2^-bS%sY@jj%_g
zZ{WI^3cDEizK`Sk&^oYlRoJD{9Q%kqitk<^U|8GVvS)NR!e2-^)$-cPITTo1Q5=Jg
z&GIa6C5fn|))7o3Ye%Oo{y2LkTI+K=JW^Ilx4EM(<XEi!2KOW%`w8wzCI4|xN=o33
ziHYl-W{>+V)1$S?M9{&WscLdX-EC>y)8laa;NWDduYd-ZI1Q?_Ty_$c8fwG}4o~Nt
zmpv=!P@!8%oL-VJ*Jp89jp*2-Wn!1zg>s<fbOk<rio=T=^W?xT1p{BfV_r5{oMW~5
zjg8JAe_~y<&S&d3WTkAz9(JSLF7WUy&Mm*%^R$v0q9UIBJQ+QdN8@-RH|PC$Q_$JC
zF<(38w1~%5Tis!M29Gmz+kAD9OY6^1+o|&Mt}{Pu;4oieWq$9%cK%Gs{Ag#dncj)!
zSMj`c=10#fo!_l^+?6HsqsOhC9-j9ydr0?f_&^<yV#{l&wLxw6BP$&BBpj&XRx?kE
zq3Tv5ol2YpXb`d(Qq2Lr6M$qB&3^Qvd$OF;M-_r7iNsO50jgUJfuO}{vzkneQnKWI
zM~$T=5Ha=-^-3$@a9w?!$yzPHzBgE9-e7K&Vv^VI50=cO0iJGkE^-!yHWzs-^0`oL
zM^O=rPBPFY5+_NO(<GEWA+ly-m{klqQu!9c6eu-!&CD*dgj|io{l-YZVSRVWTuSG~
z9@3kd(9+V2;WuI$RoAVV9rz*q=-SzM=twL0+l}~y8LOq{!c@?PmhnoNWa2bDoiPwq
zEK7AIIx9}atmU)vHj!mq9gd0o#uQs&?<{`q>aLv|TdzIux{J3jZQuTS9HswSb84dF
z;QrC!@!=jWhiF{tnSG2Kf76+LsahI=ppuXyIxZc+xb4Wz*+iO>r0RBZTDx}cSnKsb
zd7^ackk-P2AF4Y*IxW?S^@vg1!l<i?GZFYdh(b3;ltP47feKz`{dqIBz72Lqi>bDu
z-dxM(W@=}O&oqYZtmC1Yx;oP%-{>^B^2;L~i(9sLAAhLx8;`KawsZZGJ~=f$NwSsZ
zpq}3c?x4l!eTZdrBbF;~`iispnvgvP4G8&kJPV%TeGdAMIGaz^1jOlO(Njg#wWq8<
zI??QZRyjeN!(Uls(Y4`>ZI*wV^6ENqT?X214o4{{b4fI4^GSZj%g6x{B?)P~v?niS
zrmuc-qTb%zTvt_JZLYD_+M}%@%lxj*I~OdW)~LPKT4Oevs_L4X?e!C1-hJOGn@_oq
z?Yq+*v{Xsbf?mJD-5$A@*@{2AH`4Cjpht{Ns<H&#cj9<^q4*X0A%%pY76ru*@4_jD
zuP8W*QKnW*r>$>-0ErSn9|8JG00RUVC;@0_l@VWR?eGjmt;mpk#TL597CMA;3}+B%
z^(cvtDzDJFKuYFA<zlQu0`J279i2PK;<GSbH{zAfTg_1pCb(6WaV#3mKsj-9$`Bi7
z$_n75Q~3fYrPmu64j^#WP_3_O4h4eNJ!dYQx!W2HgqqzA4b{N7#nNnE9yT>MTlvy7
zIBl(=K-1X4g|o(*0-@GsSA$p>tF3N$huLPa)K!_P&1O@rD-(U1Q2%r^<EpL3f>c`q
z?#JKn3RsL-vg+~`qtA_&fa{*e+yP59ea_d5yd%i_cn9dyi~5D&e$XxmPgFIXtVlX*
zZ{^g6)`y(HtjLxP>jh11c=GX6K8zkyA3Ei+FYo#A?xmG`*%>TV`~|b}pXZ8qvhLzn
z=?Ao-OCo1M0&SG^>6LSuHQLY?TJ%X3qoFKCv1=&9nW|hI)x|MV>T*NtBR7)cNu?)l
zYRfaVnSJ{8o!QjR-at>%xo7)qetB-DkXi7h!{-cS<_o^g_TEjAjXO-~TyI-zQ?T7X
zJg~91r>i^Y=?SMCso_}H<|aek(s*_@hw~YnALoHTtCqcA!Hu;!i5kP=ges-!iTrmu
zM?ptwk)+J$Lukgai5yasQSJ)LT-c~zSv2YmQ@`3NUZi&vKh||_=MC&`6unsPI@ozb
z@ieTb;8{|hYM|+F0l;W%XLI18Vw|JEy+@OZa%%GWxF-qk=9ECE#i_C#gFL6R2h^8=
zWQktqR(X<>C<LR<t;>B@mM+|53x!)blc}x;$y@CW%P;JH>UEe$2}2?Jl^F{05{ku3
zGZ=Fcz7Kg*%e!0~vz!C30W@UGUy->D=L4vWEb{?6%OWZl5N$;;r_z0{%w(NyEcu&5
z!I163i<bDTf??XA>ZA@e*sa*0V6hF#236;%Y|*=(P`991mp;&s2^sO!X^>$@QcE?C
zO=YXCEbVz}|4YBv_mwkoGumA8#=_M);K+mTyHGbnp72Rz5_w37=aC!{CrO1wvhexC
z9E=sji8mCr=0z|eO3nJ7Mwhv%p}yYXu$h`$t!#SfQ;psxvp<?K8LH;1>mrkV2cJBj
zN{#G3vUAh^f=#BwwY68&S~vK-3*$Zm_BXGAB43XhD9{%cR617cmB`n-`Sk|=xd#NI
z))WCAsyJ^U{bEYNgQg(Mh|x$xspv!XS7^_Pn!i-T1$z;=k*ny%IHS)GGw?oC+QM>}
z*_-TMb5l*TIS@0O|8>{porcVX+rR7FWU8v#q&GM{VfOpt_YWUtt;hdua1wh2HP)n$
zfrhKGzJBezm8{}uWUFaxqTi&bB1_dzl<Gc0ZYlaURg)#(5%FiL!)t{(gF;}UAr52m
z;W(84;cg?N?V7VrJMAp?FZ8?k^BZov?S@(U#Wrm}RnN}X@7cb6kG^=T{?uY|U)8l2
zUv!mW?_R@I7hQa9)jr@Jwmv++T3wSB=yGRqn&q`x>QqhcB%Dvt<cRB0<tXww${jRO
zvIf*nn%fF0dM!aqL*1H(q#3S~5g!;6YYm>G))lYdU0NLn>P~_lnkw(I0XspUhHMUA
z9YyHscqaRYmfl#;&cWcKEjbvE6q=V<w5rOUTkOC4?nF<>Tvf#)$0_`XF+dm88!_iP
zjlL>oD_elzG(zJRr#NV~v}#7YQvF}5=u)fjOPV?UTUq@6*6%MW)5g^CRN{Z*`Ym{7
zBebb9-=cg<Mx!3t*yc~BLO|LR#nVJ>NV3yNuAA}ns&0;T`T4-UR6M?ik7B0wkw;2K
z0=<~@ckDOmgM2Jb?Sy#6IOMY0oY#WWKvI(~p$CT*)oiGht>86Oni3<B&opZ0#=n1)
zMbGP68ATKCUHR9awX}WLj#H)C$>MM9>B;u)xsI0cp~-;(S`$5&y<fzb$QE*+ME<Vb
zTXsGw#qtqaH|-^&O;wUrjEvDbEuER)wK0sb6%OuQ+OcED3j5*`c=B&->B$axbi=*H
zN2%}<jZxTZE%F$970y&aIVT^XEDb6~w6b)WGMdXT*oM)ZUojMnf$0L^K}PVPlDgmW
zcF`!Pk~dP<TA``bp#vH96cBc!uok(jAT=00)4I_-t;7(a^KiczJ2ROHZq6;ASp|V*
zsXcv1+bp`Q9vmDxb2^@wJ;T(Q?h41QxN7R`LqTso(9yQznx$>mY)4fp!WnFcofxkR
z{%KY6%kFb+#IgmT0ZJ=ktvQ~4j4J)p5iw9B$$K~7BV+?;l0QZ&EjFW4!Q3pZt&}Fs
z_U)fY=x<qCx~)1jzNcs4z*H<YbzmSh-tKg^kEfF2)s$X(!))=ZB&x^GosDIeuUa@k
zy)?`f9&+|`&<FKi+NRJ)g#_1n9Lb_gD+eZ;F;SUzIs*p>JQrs~++w3ajO)WzQTe=|
zHR+XRN9^5~-M9atk)_b!_ReP>J9KCs?M-3cF<;Zl=G<hP6^iAq-*$~`9LACe`ON->
zYVksnkzN^)^SHQ;%<C2jco)Gj3=e4TYRoI9)rCC?%~72%ssXO7kI?l=OQG(g&Con4
zx?|_7Mmw}z<0sm~+ELeluuXVlhz8kHO|5keM*9X!)Ze^q-kY~=dyxI?CoR39&h5it
zUv9)yZ5Y#6nf<xw>{wM*@pIralV7Mp1J^Bu-i3B}*yVYDo8~Q%AH!%2Gvs+;tfap{
zAHkkdy)YFrN!wGUnzNm3F1|>1>?;ukBARqzc0va&J5+|&gf?^~<TfM%Z;Qic&m~jy
z=WHC<<4wE9k~`0<gFg84s&n_XPX{uw(@bsKui3VA&5pK?K;9ENboSI$SH!|y=}wvp
z>@W69u0u5|b1SXYw~CzR%34<7vlh(wcltDBAMsgL&y=gOXdBQ?7PniJy>Mdfbl-=)
zjUQS^I-^XsH)&Q@I%@@!8SP}Mb0zQf*nY#!P8`E`Ixmr5uUnG7>ap3~ZoAE+ydLkC
z`77q+$DD5Bx(Qsh*iY5q9lJqy5%3PR=SIbT(pKgedB1S2LV22gtW-3kt>opDM^z(Y
ze3jN}%8DFIG5DQGWsYFIaGos1hDdj&4mox^*PXj|D=hmH?{D-rngh`cdvGf;@6Dyk
zv?fuYRDX<=>gFv&lf%7yj--oFj<OvZrP@`yLZ)bQJjy*$g63?XIoNjK<%%Yz=q5&r
z6Jdp{&k74$c%?+G1|fmC#vn@}%rw}f&Jv1SY@0f>`-}g~t`Kt~CJ6de<s-QQAi-%O
z;1O6bnuk;CTU4P@XtNOhG_sC_Mj`PvA?-?7Gc?9h7T`tq7Jg{a*z`5N@B6&n+xz{C
za|^B>o4nN>oePC8d|`H&c0W)n_PaEyKM4EzHUMb9kCP8l*rNJ_utiH`(*OU~C_<->
z*KCm%{}6dw_BEKL(pQq#7HG~`pFYglggtT+>y+X{nuU5jo*}QgY^6&7NVk)5o9DO{
zzKH<&CIIKQn|=Z~e;>zrJA+*d`XD<4HX-;9w==X;;uW-Bs(A~Ku|nNcFVQG#+eE)%
zVP>S3j@2k;#_Jw=1dqdfi5~l;NBF)PRb+7~0V>5-k6}pE(nXM>Q0vJxE!;U``v`KB
z8<@#%b+e=?x*xvz=54RMvOwG*IJjKcHoLTSY3CUGukov{8h?{DF`Dh()NUW`pBU=K
z*tFWPq95*<GP;w<9MQ;943hjd&3wNo+E1yZ5hp<PkfJ4BaOc(*g<U*r1AEhkvlf@n
zsVZJvb&e^seC^`mRXf_+c3i!6@!I8#blQdIoO9vvA76LH71t3yX$^H!2V|sM+uyQ*
zpvepky`m$E@HCbB$;f6PPc0A%Gn{wa(hoBd^GbO#qyC%U+;uh;f~~1Hn`<^U_jWhf
zOifkwHFj6stsus``ww9Acjdh=&WyriAsHf(<3%w>(qDd{AAonUo6hqaPHfATs+SZ~
zQ46jXatJr9uyn&zEtMHQ@@r9NnCfHc*ejsldQAta;BOk`QkITht`%MjE-fnkE1oy9
zp@eKA3$C7|D7p|rHK010P=11&smSp=-?_wcZF-iOd^uZuhULT@t6@iWV;%Z*?<}_?
z<+zx(8ZtR?`;Dr})o>Cg4`B7Ph`!*5PWbELt*nE#R>QRzijR>`kPaG)I;;Um66&HD
z#`OeC;FYRgwc~qv%rVTrN6prI__|i1xWDixhhJk%gY4B813XBv=e375-Zu=>mdW9Y
z*A(3NDU4r+Gf^A$eZb!mGb;NoNvck=BtX$dfVL9AAOQwT0K)_rE&<3~49JEEqX@ZN
z+E4>%fiU?BP3@NfrDd=AJv4ec25$)iO%an4G($(ig`SBn%6J#$t5(3uP)sR`*D<_O
zRi=5o&SMo9@VbE4EqL96*R6QnN?BsvDA52P(|;o>g3fsb(5_K>#bh#ABaZ)GT*T%!
z#|-ujk3OWYmQ3yGza}mc4_7f(cosM_^Ytd5>WZ@76>C+2crCq4bn6suJ4Lyo(!^#U
zj~It&j$2CfrJ)s$k`#}n?9rkt@0;52=%Y$3WlfCb1q>ShD84ez<13x0;a27^3J~c9
z)+Id=WohD6LW8T}G!ei%@{S*+FrD0;nIvil_zp7ZC}E37z_^OrEp**74}e<vw1NGq
z|J2m0#9O?%sYJ~q4_39MPabngj(7O0KFQ}wy1@$eWDpu~*<33mj9d<i^E8TY3C|$e
zBE-+A3zreEr2Q(AhPv}&->6*5U&f{2BB+RR(4y4@pL(5$39OBDd}>nWI}k+`;SORk
z7}d(^Mrk|dlhpiJ6@64Rr}0r_EI=#ZRk4-wB--9?#hhYTDXJYKcBnGu(s+it0Sygq
zx3}p;0S&mj;|5pVqo2{6-AO+-mO2S7o}p|Vbsp~k)vWb)X>3i~JI7!PEA{J%`luNd
zja$eAjG7`Kgj_@XD`zh8D9Gn#>%>mLI7BE!rGL`jo&pYiy4NZDwnE-k1O+Ox4@xx>
z&Qj%WQk;OQF<g(V_bE<I9v&6$%nHJwiM;Rxb6vOx^*AGHl-<&7Z`kpp6$HTG+N>Z6
z9#W?V!N>4T%qNY0UoyYfNI(Wuh;X?KiYC)5<|B(LJ|7g`f?7c$f?AG<00<erq$b7%
z*{i{CXwJ}}`4mg(NDgmHA5r3BsAGuv+Cr}(G`5K;)7OYe4UX}BPHXxF=uiz6^rX#D
zrY8Wj2%2EE*jb<_D~(%;rG=Y}9_CWwX-kY&pd_RwZPILyEAZULwe?$NHBfuH#$Sk|
zP(OR4+;`OgElyONF=9uO_nmYe>Tu6#oR{iHhYE5!g2WS>ieFz^VjbJa0Z*)65I99a
zut;6tcjRwsMf{<R-^l`B8&9dIqTVv(1{Bz!j2U6~hh^?i=4mo3b<L<eUjt*Q{O*xR
z+rl}+1H0jB8ck;B(0dgHTglNBSm*%5Hg@fJ!|dj(cV@Y>DKc@|;Lz!l&<whwnHpl#
zI6u3JCD3a9iypD~8#b0&XSAa4fL7P+D6~Zb&s>Mr2@XwBBkIRn3oKGTJ9z>`B$M=G
z(OZ-}Oa=5*EbAl-B^l-Bdv^vuxodl)ugTC9YS^~?$;;ln?KjYt4?WyE8Hr4`K3u#d
z`<vfj+`xAO@NLF8eY&&D@m=9dk~s=zZ?yhKj7=0Bt4CHqH6JDA^|atK*kHOAK&WhX
zH7}bjXhP&Nf$yO@D%HMfU}0<7_=yR!e~j&~cQ+c$F4HMHKmXvKUG<IzgV|<U-ucOQ
zje}+$Xvz6}xt0gm5*z%8Bjxp`93MgLvOjYA8N+-gFdxra`l(=u8vT$W1CJVK4-^%p
zhJeJSWlv>yc-^QPjr4bOYa?r%s4JsuJi5f?ANIKw<12~r$pg_SyEMi}(IwFhg0ggY
z?_lgB;r!*EACX{)h)qjxv}YHO@eRdW3(eS7MME_O`5u3qf_&A6;zPnWQR)lDtdZ-*
zeG+d2Jy0IS|G}#y@|*M%h{&CxbtL>>km0l&G`onE`rnc3#2_@NVjZueg);De<J_m>
zg~=W?-<)QxNt@SN%ciBqaF62H`l}P7q-X4rc4s(ecK9vM_6VI_kjPiBcVNA3(1c^i
z&_E_A_zdCsFU^%&i<5P7r&8-oYmKt6CR9m}m5&xQ%yUJFW-)F-vyI%RS%W!LaUc1d
z;^RathprPbn|3*t(+7QHACC|GPPq=bL>@JlC@K5vc<u&|`QZN88(n~te^1Tn&_Bxm
z7Jfa{T9N&FN!_1I;OD9EJ{gYhvj>oAP)(jV%%K~9|A+KFl;G>oq{T_Ak~^_FDbBAb
zmseye+2tC9P;nqZNU;fX|2HW-C7sn!@C_-XR9V}sHwr#NK_n3aq}q3=cxPv>^Zzcj
z<-&<(kHcEm*xcdo-`*Rj4lHL<(>X7dg!N>@*74!+Tx65!eYah4`*NgCUsYXGwW+?o
zs<t`1V^cig@88zlw{J8&?(P`J$(?9t^qfnua*JSs&*4mt4H74&#gt?osGaiCWTWu!
zMKN3Q#zfW5^-9N48|D|_`VaIA?zJbQ4Cid%g(RJg+iv(oyjeU(g=te!Tg21o%}pj>
zzh|(kv-h;K2l|JG4zQQZ-fS?@g~?bvaaU_sxRJSHp-{B=j<!Suhi7>2G<F!{uk6vK
zja}3Gg&d(c1i48Owrg5s*&nc%s4*`1`sy}T#Jw!ALD%F8%i4~1Pp#s(Qd5?s6q(xO
zkfj_a(t%pUljL0CVFsOx@=fUc5nRHjPt~?;ur@XtT`V(IGxf(Bchd`Z9y!)kZEKtD
z|88+_*Rdn3(<?5vA2d$q=bz#<8UT$l`1W+tU8o_M(z>uzj8W6TssFObu%z=v4Z0-P
z4rqiTYlFPil!-v&rpz9Sev*I9$2GSkAQ5O0Aw;*7P8L)p^s~BF=sc7U%)&{WsG`ss
zvVoEO18p5V7!8Z*6dC0L$4Ctd8|&X4YYH}3RaZ6CH^zrtnN2gBGOnR`qsa_dbEql$
z?p>E}nb~qV)9p{TNb^;x!SkMc^1Q(me5WnR{j0j?@ek9-9B|S_`UvJfr{(*$lDDC>
zb8eIX(UOv<1p*XG0KEk0EdgjKlkJ>W&-dL#_t+%zeNpaE)?3KVSMq&D{Fr*X1UNoB
z@L3zM7r-m^@3rG~iZo+k@^DOvd|xERAq$MMeP#UeY+r$3>?MI<vqagxz&B3cR7-ER
z1_S=avALPK@kSg?ur?wEy{5_U7)jJx8ZEU|#wxR^$r|>1%<Z!?v+ZV&Kh)e<-vIpc
z&l4l|KoegeQ>`N&xaRriuL;B*wN(pxXY%h(wYkhySQh$(7KVQ^FIAacwp0Hu>15JE
zl|q~E<viupa(k(J1fNaLsL{y1cka8oZ?5m^eRtlw_xh2!k?Wb^g(vXuh2o$83ID|U
zN3b96!TML`^lE!lTg=LwUW!DDoL=gBq2=_d`6aI<r}qcBl~g!16>+u&ts4i%3jKXO
z>Exg{9A4^f-PrC;Mw9)4{FKQZ?)KPB_F!`|-k)fVMC`V_)7u#642Js}40XNTp?nm9
zaly-81l}B)FQ$SIYjY}%RgjO2>^zD{lAU6KEl`I&PFxN>x{%Y0#7fHQr6XDtDb_Ed
zX0*W^ssHS}{N`cy(o?a$Sx27(=@>4&ZFltBi?5J;B^mLe^c~2}p9A?uV}_x(v^?IQ
zU=7?_oI!TvufGPAw=CR~<k_bP1I33ZuZK=->UA#8m1qvsVT?wuSpCFDh|D>WEH3T?
z*&>l$u#FAKJgH55XywNJ?4>f2<otr;6|_RN@LRR49(h}9<J6iA$s1oov<wK-J`an1
zuI2NJ;=E+vl7y%IU9ykG46rj1F_Kv!->BH9>`P5Px3hlh{>8;p2AlJd`iAO;s;U}`
zr!K$M+|p22Yc`pxEq>>_p2w`NPlxr=ykv1+ert<ak4+|M<tLz(b@F$CHF-NNF7CQ+
z&wKCXsFC*%;bQ~v@ff~aQa4@p-e~yHrmtkc)4EXiF6ys=Q-PSLx>xdG_iEm5b>0je
zrD}uG6)<kF)UwplyJ{M1Y$k(YPLewEo8P;+=wcrjyK(IQ$}}&<FqQ~vkIRUD6`IGl
zIGwDe`DU5s$;PeInQ_fgt~FEs0jDOQo_f{bge>g?=v~6#<)*Js?`4apoKk16Gt@aY
z?A^CXLN!3Vt=m)Bhu;Q<KiNw^_Vs(c{k|U;UEga=rPEe#zxzi&a`$_!>2#{`dt5Hj
zUinwdr=+*(N#;X-NF~#j=A&d4$Qi0OFh`6P{d5*z!T;=~FMX-#0tb}!f&bw80MsCv
z9=?m`8gcUH)$s_A23C@6YN}C8*x^~%(1zZ)_#^fbEfDo$r@fCJum8oLlj47q9`XtP
zw~s&9g@;oO{*vd)zR&e&Nn}ufcVNF%@jcEnCz}581MH3ufGD7c;hCn@Eb8gM1bw^<
z&!Al994g^H3H>yWi0)UF`N=An)(PZ9L~K+eU798+inLRA7&-w_FBfUA#~P3xMA@q$
z@KGByxDdZ40_}%9DD)Y*C}{@dRTDkw$b;X;VYEB4{9PRPDBxaMybj})^x{$eNd)i4
z@Q%E31xgTByDH;InXSYKz$Y<>jan-=QKlm~%Ira{6n2x3u_>v!!@KQ(FE<+TX6@1z
z$x(2pM$-;oZam`XXp!!=N1K~dww8pyX^=&88|&RkUvtu7Pd#(jOoL5yTyAcde&B)G
zrsnX-?p|seVQHGai&Zx?vvx}ZtcB#x)6U#YTDrNp`1NKeo<tXBto!|ZjVRa)ezdxc
z_s21boQaCu?DeQY(VP{^Coh|ln+@(Sbmhgx?=3<(22t)MqJ&P&pNG1S?Bk$28}vDu
z-YaBJsm(%pe!`<fvWHyf!EVyAqN0f<DNopIY)`$-*3!85jK#q*d#i2nalKy87Iwe!
zjrn#%)eA)sJD)3b?>qS(SMwoGvd7n-rJ%93`Phq#AKiRpt1?&2m$nzj?F)F`iSn^E
z+?M8JBV+&?RRV#EKB{<x2@C7zW8ZrG^L!LjHAjw=j0Bj+w82|-QW9e^!KbLszGBB~
zzDZHgL3qqWJ~oZYgdHGaF2vs;=Xp*ZC8==h@QEYEt;^?}v%GcYvVp-F@P$v#Y~DIM
zx(n6wi64N+N?R}nGbEVnHR(#?<gm!UCOIv-$&f@7zQq!aqa@pzkEIHPxVSixn#y@R
zxvA8|z-9et0<yBmUizdZ(i>0oMJ+V2-w@XXeu)2*Y^AZSjYMhdRGxQDr!*-PA~M4T
zKPH@r{1_E0i;H`dQS4d5D3;a?fzxIS`15<9>jbpbk=>Wt(>2+C44hA#{1N(#k<$$2
zyo$~!B@!OXRFQ4{P<E?7<mhi5TdMl*bG4iMTDxsA=casm>tHxExMT`?JDXkGw)f9%
za#}haVgK-{BO6Z{4q%+X6YRH7VVo}T&9%AK+DI$Zw9;glb#krIC!1rE*4WMGLi!o`
zU4&LfW+*9TYjdsPXAw~d_Cjj5r`2%w;^H~gk)G*9YQ8s!-U3-)d(bj5;A;<Ct>Jc)
zuWws7oF-3pZq9o{qo)iGoPtJ2#3{F(<?ck=-ti7M%@H#t9tm8MKSAbF70tBdFa!^a
zS+E)+rJ4eMbjnb~9!T$^v&YnLkT_S08N&rNw>qZgR_|M3H|)JFyAht0#F4w_=6Xj)
z9)0wy=CQtbA=FTG{rSFFDwS5{_)}E>h(-yW-p^2$LDnmtqPp`kJV$VhrDiq8eghfY
zrn^*`iJW$;$=`~!5t+~+e?{d99H_>Yb0Ia?fuG3tg(4{&3sj~BLKl-1-2^Bd#D{5<
zo88Zi<C4RcvXh;1ufeu$6lLLJ6Pdlpzm8e`b<jBLT$!M?!Jqbp`db%gXBR*78AE8U
zW9J@E_uN0%R1N8?Jd>C0-MFLM9*z{hB=x7N_U>)pdulL!^X(VDb613PA58oPy%~1T
zPdJXK#wV?htOJ$qu?pE!y2t1|w%|SD93yc+qEOgFGF_I%!(gr1!m>S&%xg=>w!u(j
z<MwR(gezw63=Ax8c;UxYixc5~M=-brEox8MxbakK;?ZSw&TZ=7zRlCz<qgtWB94oC
zJLK2Q@U_KxCf%o{PvLJ~({S~tm|s1uHJidGc<dE;0e@}6@BffK4jp#AylZWD$}wOb
zf%@z7u3fI?W|!*%{Lt$)i_)COMmg8o&+$)j=1Ox|{ioHKJckHIDM45Kt@LT^u@F35
zYTosU6hXenNE1k^TtdtESL!a121i{wh*-&=L~B&S2g%Y=d9#vt&5)7IrA3dqc|!wi
zA4jCN4pu|!MulVFdQ;T~Q~e~HEnGe@R1n5cwrA6OmsBYNG55CV`I!Zha$Jr`&tP5_
zP|0Rx$DKsW5U0<`x;{p91$~?(ilSMOq-%IqY%STcR;4b^Er)H&_!k$STim#O?zzji
zJjY@^5HdYvba3(ePyfUPFz5<?efC}HNvWFkak`>?@)N#K{vB&#G=@+S2<NVd$D`(_
z890n<JidaZ|G&1p(UZ{e8m#Z{B;VS1VhdcFP25}Ha!ky9{aj_u5~o~c%^E))_hv82
z7P&OUZzc1a7dak<pT$pp7QneZBs~Y7O!g4`FQ@^9$C6&iz7HBXQJ%84Q#Ee1HVdC9
zL&;MnojZ)mF^h{YExxCAQZH+Nt|O#!V?9atvrC6KO}<K=GLc{%CqYs`>G)x3o-%QG
zB17mDGWTAi06uuf9gB}VB6PrMY?x{G(AdQnk6mA)1_Cd{hq(>Re$4S<0#berouWm{
z`;`@~^)NyDmheI`RH~~ci-wCJ(!wZb83R=Ee&I79e>Qn>C?KOh_KEF#>RRdywU)Z}
z=0YcuejDq|c9-dVVC?6u)8X)R>uuBHhN{`>)=2S#Vy!T?w@bHRUuI9Zn@g3OQrn#T
zIfzue(l}NNGvLTC$uy_+hXu~wj`gqCbl{U};*>^SFE5I){Kc}+@{r|A)(A2f_;DtY
zxZoQ_c;t<5TzoEB^}^Wuvd=xopIZ-G?-=mhzBaE{Hn=ow%VLr9U5b&NEU(uo=k=1E
zjPu9fzjW4E;mRamNF5+p2(J{Sh{Hl}gS-+Qr^y<Z<7&uf5b*}e>wT5j1j@=8rSlRz
z?6B+A!V?#gQA9zA^#c_DNH!8Q1Q|bDbw5(pT8`9fn31akXaKnui3X5sk!S#UZMnGR
zy07NVkabHr0;FA`X=EZkU!Ijqkw~lxFn!`$B!u@_;9JSa-Hi8}5zkxzd@G7{m1N}p
zcj6X&5$ZRf!bkIeJ9NQ<HAg;xeB8QZ<Sz_g7{vMs`hE%g?teB9S0hp_3?j&}jmJIq
zYLSpDXFzxq{ZL{dkI_&;YZ1r*ii32nJ*yoccXgm7v?VJKd@oY%sYY2tP%{1lDm9SS
zz%y>iHToB1+#WSV!TU}g4{1sE1Zt1`UxV9w@|cLXqqU{#1A@<yZ>b7%3~088%qq3b
zA*bJJ0NFdJ0krwcyG7eRrRkvL$`b)QV!;r=q@oLkvQ9vPmWzERbtByP>jWh(-&9NN
zVr^W4vk9z#GOq}_ugPPon1+1RYrScd9xhf=h=o&^5{CtwloReKVP06iJTO}kj^MNK
zrX42^N3cZgk$a?I+dA<GzH5jU#e81+@8;ktMmnTk33@4#aV6msdw^6Yz5&n!7COl;
z(1urwA5_RdP5U`U{_e6wTH=1BqL{$fOvsz0ti_|yAgXj8t__fW<dQwrFf`>XR3#qe
zAVC9f6|Mc6IO>OX-*^gC`m%`BsjCQI^S-sxUW_@ayINUy*<q$Fv&^|QKm{Ravyy2i
zLOY&!e;3D^l>|B^8PtU-y5v-p5La;2fU|JItxp@(Qm+!KI#PVKSQRE*5v<~TN~{z4
z#ZK%MlQ$&he4>0>S^*_g+~g`M(XB-wTGpnS%rln2GbpaqxVB4k1?SN6XeqZ!so<gH
z=_~$HkwGgn0~k!)jRcP|?VRsUQ*>r=QYKCWX~<bheu8ZjD}n!M{oGk?aZ7oV$eks+
zBnBibQR2uUP@!Y})}JEu-@slm#Nm31lCNOgm9%BO!JfFo9_tB)dL6CZW3@*<XpF<*
zF?h;oi1++doK@cDLe@lxW3V-H6nlXNwnd>$*{Qt#XiJ@N@bgd_Dw4qX)*+3bwiOMY
zT+NPdRiCDkHnuN3w0$>e(TK0@-umD(uy%`oXq^g$rdnBT(e;er{mOXk8jqA0OdF59
z6SOdo<_3qG9ZF&y)O#@|T2^wVQGmyaR~ln89~(SLn!ZotBMtZqw=HyisAQD)T=lkR
zo=H}*he}2|lYItwGh?m42E3gpZ&w?w<{QW3F$A(gC`XqvOGS>Z6}zN7lUL;JT4l5f
zst{sH&D$*?mqHD23dVVDVyfO{Hq^J6Mt8jL)?FiYE%gROIQw_pdJ(A;7uwrwwv^+-
z;>+hYCz|p9xxadl(``TI@;l7MCG03-8FWmnf=6j+7R4Zhc260*R9}#GOp78u*NL^z
z&iU|cdAwx`TWC$pg|?Dx8*`rnb`$;0^Pk8j*1rrwp`3*6c!h;Sc|p>1$O}46%ai?I
zkQuZSG%^p3>ln2}#afehMv2LgkNW>*j*y%YiUcAA!I35Vx62tS9!(-1!p2#xE$DOx
zZMAG%YKr##b*V(sv@2Ec+G3ujCQr=fEuiqZ#Mk}3SYI0=uap-X1U6qiFLu2=BWsA~
z3aePC*R*Xp@91aiPDatdMK+Q&P%%j16GPvhe<B|lMoIL_b4<AphjL7bUcr(8r`*?{
zk&l+a|A4=Fo*%z1AYUi^@|5rNIKS>maepxD7o}U(oE++VMZO~L6XE`Qij^6SIfg1)
z3Y>o*z7qT`d`h>dKBWZtlvMbiRCq7<HAz%YjJ<%I*o<x?PNv8lp&|mW=_E%X=PfeR
z?FC05AA<#SE-K*k;$4JWp5zCoc)5trP<j#-5-v@OrH0QaW~n8`V%f|nsfaevQgW^@
ze9p3~Bia%eT+aJqZd+ZGE${E1$uv7+IZv=R;qdou?Fe?YS{uDF$HIy|+F|k)wsh_}
z<hF#u$U1Fv)}z27rOMXT8>)?UmZo}pi`UxH-ZS2o+c6XxceV|-`q~q%P0jnKLxmV<
zP1lcF9~VeB<9yTz_ViZWjS4>GNSjvgSHs6K=pjtEz&XG)-t}+}K(j~fJ;-_ra}bVd
zxPqpfXFdvg56Bs|6qTcx7M;O^2bRl%&G=RZVHC<M;9lx1LwZ0HGT@Pi$s4$foJ^GR
zZwm8cvy|w9iua&>5pxhR#u(4Wg>MT921dB#cGuR_7@L~*WOk-{4F-drMG`f&fLQjV
zceeEaBC%F!5tS@k$e#0ySAQ&<jp1kKaTAk9EG?4f;L~Rv&Mr)hwBFs>AxR@mEysU+
z@aeO!<)HU<bg+OuF%XRnBy6_CKrA|tuorqdb3Hw|&Yn+qc7lB2+o2j#i~KBFKfGLT
zQ7|o2o_0n<!?aABangq4l&(d`DpR~2z$k7hf@-5cbI13OBK>Am*8x<LfK}eL;%YBP
zFA;1nUmjYh0gn7(`BOr-K%yLo<1S3IL=CMGBS3X~dWU@uVl8cOZAGR52NDIpoSy0S
z+FG;DW`{lA6B>lp*6j`~XMNd*`R1NjXvl33&&8vA&uB8+6Ml;~7-{PY4SCylg~QqA
zaMt8*ABzX`nOIX|zBPzdnC=VYvx(;1zF1;^@5rTHjzG=$hKMJWkj(BrUxPmwv3pbb
zVx7mCJU#CjjJneS3ig1nqHh}e5@@;($m&+GENfcp(euObcoW@L12J^|iBq3iU8lT)
zmHkhro_F4<`_DUXzb75ESb}MfCxdXR>Bv3zeB>kd+;e2qKXS(8<bh$IZ}`CETdu))
z7<P+}JtSR?r>I#5at8kTqk-hdXej%hGMW@GH>r0U$a>>>RJ1Hm*f-yDaodP%`1*17
zo$eY(<MAiP@jOJt*cUN>FZQ%dL9#8bJ<m%d<t36*qRYH`8+I+#C?yk|s(91Wly2st
zMlz2|B0h<>8u97Z&BX@><Kv!ed}VmonX!pedR;xvhdZV(K7A=xm`n$<ZQTdAr+1%v
zcE4nxupGwb!rFWeW6NoImO&ayP^XPeqkl1qqp-q*GM8xLb}iv2h%r*sQ9EBP$XIxJ
zkdcqTYB#h3#InfI9V4$daR@bo|L4)+u0&(fJKx(kYinQV%}t~%{kiy<w=J@(H#wQ}
zZ0z!OMs2~~Ia7l(V9EP3!+B3OWEr*u+ML;ZtG6qh#-@+;%{Cj1?nFMA9M3w5{y>K8
zIjr{v_}<kxo@@}VH%qdwV6AX2N*X6+zv}4+D?xu(<2@N3wa}~^K@-F;DRLg{rgGI#
z?ISrQ7nZdbf5e*hEH4*dc@jx~CYSmCJiDWK@#y`(e%LkTa<ozXawpc{F^n&&osp1D
z^z}xktpQH+a8}ZUago23G-9esp}3ZaiIn)*IM%H=m{5`h_DXa(muQT8=6k%ksC{-Q
znDw^V*zg~k92sw7I`3~Cm^U@F_?z+oNAtna*=DPU<);48WNzu$)YY}6fGSeDc8vck
zprHUHxVocc_xyS@I7XgfoIN5vwLEGKjZ2l*LnuElS3?2k<1rFVPID4Mikd0Ar9TuO
zUvBT(<jyn~e8GW?hxxX|mQMF|jmKKzzNWqb|Fo}W$`qZyXny~V+hZ|r&f)fKJUACg
zopyR=Q{Fey9LWWSr(@}Tr(#rXpp`FUEzDZ(mu%IqHxtCSfNkOmqEJpP>PS%GcF=;&
ztT#SjXi1G_i;uHAd#93C!^-V9UOhUMo4)?0cO%N8*Cl|rCxN#ZxZ;HFRE0Ol-k9~C
zcT_ioJPonxLwGXf3X-6S>xQ_X@!|70rwOVBOc4w48@$VNysAQlS5hVX3JI+op+P?b
zu{lY6ATyA*tgH_GXL`O6umw|&a2~ycV#(30v&rdiu*LmWUw)1S!hPN8zLrF{xo5)D
zJ{*eXY>`frE4wl3?@k3x2Io{RGLUL<riUZWOgvC$F!^Jhf!3jni=E}&7;Ycw$$Aq3
zXYr|_PJdg_ZFWtxx!Z#9m+9ib(WAgoeJO3p-Y5-2r8!T;)x4axC>K&>s!`mHs?y=y
zG#8O_z9WjZDf^=|S5jc*XMrhy&Geun0UGk<=3PWyAwgd8rPF-5iD-6fe-O0C^6~V(
z{mqds|L}D2b5U=X!{Zq_Yd+d0=u06y;<x$|S?J)t8(AK_Mrnu~9_~R@Tn<!;#)n7=
zatKP~Bb|N{`c|O?t_sSY>FJ){>FHiqIP7wU!<wkP?xvfsy6Wbe4?hzM1VZ$)X1qa-
zMo%(cA-73_ABCq!jFk8!vOqXx5<L>9Itq<bz>e~>ar9~VO!N>FR-(xaQDZ?*nz<(L
z16@teS5;X<Sx+EG@21s>NXyYg@k!TEWb(j>|M<)C6zjnsZ@G?SK>_siBIv0BPgix3
zlS+S)&qvZ<=py9URFG}PSvn2dtiE$|kN5Ql4!qvmv$?Z>db%G!ru6nJH^1+`kKVoc
z%I)d#Yi_>z^2=|&S?D38hW-h>rbZh{1+S5Z#=~yJYv_F0!=P}k3&6F?^^SWlNki$7
zTwLYAH1RnySopsAAJ#ci(}(6_y+iQ{cYAX8;I0GFiG2m=91oP}9GP61&H+16);XkV
z1C(a`9l}^&0v=GhvWfnd<sm*F=bsN^&Ax**t2Ru)H6wWR!?^x$!lUmsIFcjT;<N0n
zJ(CGbIgiFzh+f3Ar_3}qvbCS)W0^)ufWC~LVp<*Lzks5M`W2hYgZ&($$ma=ZtaL}0
z)7#L@?BLMM%#gFS)rp^Sx;y-)H(hz<o8ENztLoM+8+!|Qkt%;qGIpT_(~dX_IV46+
z6##T{e4X|-MSaDNrdnELAc;@c&Wi7D+B|%3^L}vU6ABfqubAcs!v)JLCdlZr31N#T
zi%;Zd-+aySmlH|WpP!vPb2NbcEo_Zh*cuLPSIOK8t#M>_TdL7&wgz$6at>6wyZ^NB
zf(!QTJ9KDY|Hw%Hz{rT{_IJMXcKR8;;?SYXFF$k$8E%SgF|>|tvHsKlD%;|A+UUh<
z&9<0c$F|U(_qVVurY@L^_YEY3ZL#x=$k^^Y_WAuC{iiO?guBPv0-1Ez8QT(bTb4UZ
zY>WF~Tg<|?m{fEd*|y+Kis-Pp4ubmC%?S&y0Q^5@PV5loM0%9W3F}5{5avXWFej3O
zvA%h$!RSdAg2{<?M4CWjO{<@QJuw8m%c>h!W+vMcd}bgi{733-srhhX(*cFc*O(5~
z#x<6M(>?o<0{e&JX`>%`<*Tl7S7$qhf`>R)?}P0y1lwUi8HsE=RNz=K7qrxjzqP4A
zh-~WewAo_$(AXwxvxoIeJr4V!bFQm<vByjNvjhC|DRc(~FURVGmjjny#`w*U0`lgR
zWgy1CR<(AVP_>@j{qCC&L${u};VpOVqvy!FHJ(F;uB7t;PmhBZ>)~1JRGuXJ?m4EA
zH-<rw6P<=7>LIm)osj~G)TIiw5yxlYNh~>GBece!gl7ZQvm?%w-_jRtpA3XMhQb4B
zkKVtO+_m4|Jr(cT*5_{>S$Q#@Ie4}`mJg0E6u<0q_hsCJ2WF$m^A2P;_xMv=FPhnN
z<E}PY-aLbGR~weWZW+c-I>S(@&QQVKN_7VEp`1i#VBh09!{dC?2|VBtX&NWn*7_-c
zA$f7+<~H0<K?w{L!G<+VKPUB5$d(3oRJ2c>H{DtoNDRYKv16!h0tG5i7$5B9110RF
zt=ru`p41o$aN)ulf}dbbSGZo_1nv9)xTrSlt`T|z-wXJB5C6OuwDwJ*H^9*?Xzk&@
zg4RA{aJ0!P!c@{?nBD!Jn`BzM^Av@qpXJY);^T;7oKNvJ+mAI<WYS&h`oGrmGQL*-
z7nhk_EbYDEg1w6Wt7pOz%$PoU<f9+H_r4<^9Sw|~Ju`K1)PMMGGiQ$l_&N*!7xiaR
zt#z4X)*lUNo0a}A@_^Kx*#Gs@F7khUN|RAkGgYOlii$&8ooyv=jN*I>U6K7p=SR5z
zOEyv~{a^37rNsLc8ROosPj}q#^tRp^E}zcX*>U=rXXi`g6ZyX0yN>T`eLRo{u1r{A
zRHQSM`o2&<Q|{oTd0)68t@yrRP}9f@f1&SdxO<K7YqZzf9<mN2(&TFIVXW2D6>ejW
z<WOv20rJY5EQGMJWO)VRe-3qs$p59rSLCB1>&;Xo|7ZfN)c0kiRl&;FaNn2VFY|qU
zI?p~-JagpJzkkv>;cDq<!JZVl{yQMQW)!Y0%dhoDR_XitpZ9y&<Grm@3s$R}<t9H@
zZ+7N3=kwe8P`yHyWmGS}((kq2=>LX(FEe}(s^81n<CPr~v2Em-(EMJ;X;WhB<y*<`
z6%~H3v*7nScvkyDkAK7#D+I?D;^{NbA>IfY`7&sv(xzH(Ca>!Ea-_!E$?w%i40G>Y
zZ@F%4vUB#vx8J>A^LxDqey=X*PpaJ^`@PnC-ceMYRs3Fq*mc71RfpF>*~S<w@q4BD
zo+MkOoAZoU^?Ru%{0ZG&t=)>-tI_3epa!($_8KekdS!>hu};P76)dE~CWC9XD>Bs9
z;>rw1UD-si&QKpnbceXt>ve<E?c;sz-nO8#_}EZqFw^QWJ5lX}oL=~+_`U90*YBla
z=zqfR^-5^UUp+I-{a)exyeDJp4fy-g9?82Uxv2TQMt87$B6B8mm_l%Lv*!0A`a0OY
zx!{j2T(WTBEj!~hAEp~Y%=)vs*Fy%XJ$W@F3@)QJPOPiom~ytjITd!J<b~Ib#0-Ww
zF?wO+9!=UkWZj3mM@)1Nu+~^LKlMz}NkkXMnp5peZ)^#-Is=i(``WF;apv{7{axvi
z{m?1+xXSu#U&3{V6ZPHRhxqJ87(>)>2@G3w<!0w$e(1t2k>V)nwqu@8qmOSDM(I&F
zTKOoUNnxY~eJp3x8%rE?7uQKk62fO<=1;K8_w6g*@J$r~bnj{1)5!TMyLV~k3^k^p
zPTdaV7+D?ql6xPN>U!&>gnaMM?n7bi8}><Ugjsq3t&yaQLSMQ}x({+XhEq(k!snrA
zkVllJKxqaD5wdH9qe7lZbjTn)j+#g|I7(;s{^}-QEad2D5B58<f$fF4-7Vo*&|(NV
zLm?-|^h9j9JCn}1<Gp@&sx`ZPQ!wA2?d%O}ljq}WUmc(`XXWDy(fC4?i!7QckVOe6
z3Ph9#*w~=Z)sP{UvzrZYAo7GZ#7#@E^IblmfW<IV)kp(HFsIMa9@w6e@%2S@M0}uG
zSG>pPPKDd0o)QEy-4^x<-AAMcu|CvmUBZ}ouk|cLv-Q&(^*i;A>=XCy*>f-HjJTHV
z#I;ew)ws@x-}mE{>3Z1_-7yJK9PE6O!*mzwohSN>P%ST;OxS<t3+B68qEUTyGkU2U
z$+QjZ^u?ULN#=68$mhaz!x+zFpiAvulpBP5VUu*1ZIT_1XhdIS3-}z~P=S3S>g-K1
zSBuM+Z5vp|tuS7Ui=B&cMGe;iV8m~X7jQg-U5IBy4Tm}WumWFwo$fK+mFPte`0>ZY
zwX3gV7wWFWt`RW$?0))8$6%F>>i(I12IdywP7fI2t`O@+|7XXi-}I)|OD`S0bLdXr
zU3cRnT%X7FFR0f;50S4g;4qYJSNPIP!#9n3?!L=+=MX-^IB|dW23#LC+yH<Pzi}hL
zaUXUqhu_HIHxeB8Pw1XU#Yz`OLhC^0yjTZ15}J7F`Qc%FSH1@J#?A6~e#jnTE$e(I
zXiKoS{jir>o$!1AQ2N7(u9Lo2dR^5gPjp??&864XT%cY@Paxf`y@T0;-8C2d;V5gN
zC)1pM$iAXpS2`ye-}}Y=_`LY|Ft4|A9E~u&?z8ML))Ksta(-~HxbE$&hFuG(OzX7)
zFuq=L+JX{Uy2AlUiO%m1$}q6_6K`({w7K1BdY^W?+X9pzKzX6pv6olLPA$i^15q>+
z`~KAhoQC7qNj>ak>4J*uPz#r?lY01ttk}2eU{9<*io4PMU^n2~gb$k%?%}QEul>;(
zE&G3T{`o)J-*U!}emXLo=<Dw8OAL>QXDzO7VYSltaR-_oq8NOB4muaDHlqK|(B$M$
zuCKSZ@BRb-a{cu`!2O=T=%VNM(^#XcTXa8AzYjA|e4ln+7Y{l?H0|Qw&EYQh%inA{
z;|JGY|1b3YeXD1&Ch3b9y#sSVgb{Zj=LGzPm_N<NL7`^+?EB;;m)xP>lRYjW*9pCY
z&eDBD{hqSMqEdqVJ)W<SYw}-w@q>3{rDFEaAH?@U^7A^7f^v+qrsU_*VLLZ}GHNOS
z8|1Ew;+1OPkVB4_7b%VH13$<`5aA~g+(*=ga(@8*aep6*Ues8@^h4H~+P?m@JK?VO
z1OlFFyt$)i-rbSOI2+t{bC=oXG3Ry`=6kZqj?A`PN3PaT+tr@imgz`l2|t)8&KG|X
zwi}ICn<v>6qR%8w<|Ffh#%sbW^=H6%<+|>)h@zb&R)aU!CI1AC(qWTN>+_m|epkX>
z<qib!E8%MMwRz38t)0$ba}B0p_O|)%5Tk4F!sswYKDv5eE>_r?^JZC>+3s#|W-=Xa
z)D1=Cg2ugJbwArGJ%Ke;^&mMxTby+#dBt*U1FIV-{_g$yGynV^@x48()w<iIf5-QT
z9%*%Gzkvpt_VoRy{^dW@yv?}xwv*qx3ioEt;_v!dopN(Yr`_8q-`&9PZpGcHf7PD8
zzCIRaUoCbYe~~>~gy)gz`q&5ASva$AhD|AJ3bK}id60-9MqJ1_h<zJlH^+NVZ8)>G
zqxN9KsXehN_CfEyc*c3&xh<LaKJN~?Uw-v|_72>y4jfs&pX^b^{X~fkVUQ|CN2s{H
zNWwtq9btEe)!2=^JY&HYvp!n&_P19}(yuL2f7Mjg``?dW$G=qi9Gh;Z@*Fu+q3k)w
z;9yfyX=|WMh$9>n+N6AQ{NU*{5-Ms)=@&E-%K5g^ND4F({)-RCL1S|8F{$I?W5cM7
z4?JKL<CEW!9+qBx6!}6&5Tl&pyPtAI=tR{qSZSjBIuJ~miy}4(kAfP=CRYQLF-ij~
zKlhK2K9rwo<c$$wUlJdj@_YU90sIcUA-~h#>FkTg(}}_9!9;tsp~)KSiMG#s<1I*{
zi6n-mh7#GRxv?eH&-MgU0k6dz4Tjo+9!q1qI1vq|TRd^EC+hPi2QzIOZH;l4E8A)d
zIl7x&5tqBw=SvM{+WYNIF_*8i)kgFz!9ROHdlvSl9y5z5D<SWM3i}2CM30CXW%+`p
zf9%R_AI<L_i?)vJ>}uO0{p;}n>vVQ6_V#bh*^7((8K7&H;(Nvj9;WOXP!|@<fW@Lk
zqe@Y<i|D^SeY?e8qWuIp2wfgyyc;^h<+z{Ga5;mX0XXzzX%%{M)Nmz-U&)|Ti0h>{
zaJabsN?lRCezD~G%jtUHz>WJK20VauRlWCegaj7NF>Ed6P;C%HjX|HK_H%TcRziMZ
z6$RcnTPr}tM3D+4w^H0+ORX}OtKlErfK5^Fb6E=At;6nYcqJbn%eb7;RH)hDS5)!;
zS{iwyBc8~3+6Mi>R3hz2_Jtw?xooyOpsC}KPuNUN(gPR-$yiM)@dT(Q$Rz23?D4BH
zO-#X$-``NLH2@;?6Mjg$>DG%Ml&;Gjhf|WS-M9KQ?t8U-UwEzom8BiYx}i(Dqz8{*
z1rdNx{HssnzRI<V48VHQ*%`>Up{}g-_s17-t;FT&ZY~$=VBLuAT`p0{!%6fYHa2DU
zDH1k@f$lqg=+IN?v@B>LHgQjqL7tL(DkBi`TJ+=~8l&7>sz1f=DNA3vr~lBQ<NMp%
zWFbuV#Qd3^%l)-@wQ^|>yyEkZXN!mV{F$B0dU36WS1TR4BD~_-YqGQ%WPJkHi)+`x
z>mBUl#ls3-p+l(GDzhrV>m6Bk4c}vW_`rTAJtVyqdSDDWOlmYtv+a-J*otB`l1oNZ
zV2Oi{shv_M5{!GfyC#m$hPk^&1i!WPr1FGMpHxtlOgTM_<hE?pv5QA8-PzT(^U{%#
zOLld2?Yd;7_rRvMwoM0m<=2tuXs5@Y8*5GWw}hJ$uEN+zKG1IWd4}q;%U8_LUA`le
z*>U;Y{1waDWODx8(UEiK5{bEUM@G+`PwsQ)X0oZtPFJuc)@<9<KRWNUCR>6;p=Ef;
zV<PH)F2w{j2BC(a$7rTJ0q&Tt2k*K7BetXz(Reis#MCCkDQ1&ZniPB0xewj!&&M5(
zc-}uVl<w$AzlJHF!_GB((!O9vu<@b~MUt%nnyUjf3*I4pg|B%xJafz7-`x;`N&IwU
zQJb--pgH)(llaSrzo=uxQRr&ja&_PwvPKIW){fU4n3(t`^=wK44U`T|Ht*U@a>^d1
z`aGhb5-Qqp7mtx2mBb%hnfq33oO%X~$6^!oIuY|1Xwn6LARlu$V)^)7Ak*BG$%GTG
zl*Qp;!``mxwzlam^nnns5l6DWHQb+SfxHX1_9q>KU-h<H{MAd7lV^q+Wd9sGEJ*vM
z4?;h8^V6Yj%)Nya0nC635n16MZvciwJ;?^l7yA<!A%0-QHPk$5170bo2X(UeC!%B#
z?gJQQ(xM^(xDf4TswNGdhQxbOVX{D_G{O$snWr=Tf!k)X9)l+{T`(GEvNHxFI|Owq
zzp7*Tix(CyE<SbB*^fVd_Dv*j*l8H^M?rXlx+}0|gBWiLKZ6*H4r9?_l(3fY+!P?9
zORcc&s4}y1Lck}B9Xf?Es7vv+>%})kwjq791NWkPcHy-HbD@={dp@k|$2(eAIqi=8
zu35%yDmB-WHnX1zHKnl5l;0BUbp$O5r^98lXC0Bgtf#Zd+t}LVXt6hEyrBkf{Qs=Q
z$7xPSq{(KpG&kTlU_2b_us6m`7Dq#awboG|3tIxN2Gbg3ahc%(zODwotT<P-2{Hrq
z7%_L+zQocZ{2f_l6gC#@Oo>+!Yok>rC6&(MX{+4GSF~~^wJl%C)I4h^^hJMn%uf5*
z*KQ8fyR6}SSF6ou4mNjU?aNl(WJd-=bTH*`G)C&peLcMcjg29@6Vrp{<pB-f02;Q!
zzZXF@`eVo<5uxv6l<UT=C*kTN>Yz%}G(UQ!xzW75crVmpB~(w2!CHLs>N7^Ya<wua
z5kiVp%yVeZ?83ry$e+n%vc9!bWBJW9o0hVD-MKtyJGXiUs`}pm8MIAzI%cvF;}`OM
z67PfsOBSIxCr6Ap&sUB1YBTmKRih#sk*wRW&dsTM5}&nUE_6C(hSM<B*`DPztgV-b
zY{TVDO-{JyS!6ELY2s>15-4R^TufCX<7pUVFK3~$TW7C5r7(8UySB|;wmlQ+n+hd*
zt0d>fU~a<QIo0Nho29x!%(ty28*2$qo;5yp^=bX-E$45{EQajcudt<EUbC;+mkl<>
z@67DJVfnxZFCK1RzI=A{^s!Jh>WxiL#FxgB4rlzyOFZ549RmkvlZ69s+d1?4g@m)Y
zBgaf0|N9))K<9v`osM;JT)r%QU%DT2Ue=upT#l)@B)s)<x(60ytZu<O+6#j3DO`i_
z8R7Vh<5PjpS>Q7Zd}gsL2&Z!#rzH62PmWVX4A{|M4@iZuUk9sZ7V9j<>IEaOU+x?_
z`^^hu=P#uEU8A9BdlgKkus!B$a%RVqEwOsZ)Dt(`!q#Na9vIp)IQaTq-HECFh48q?
z5nbqwcOVhD*`4w=hFW3^mu_CU^{n3H+_|FzdxwLGR&U%AYWGGLhT}l(g9G`N_Nfdt
zK5bvQdSU$Zkw8;Z#%}$2-%SpSH&bvWV!$f}F}{U70XH<_I~AKp?y;xkGRp<VG=Qc-
zfJM_`+0vddiq<DIT2Y~p^jJExK(7sWr31-isFDs!Mk>i5oBZm;E5WHj7G389f65i0
zKk}cPkq{0)6aNWA>{#)^igU}dW&0jSx8sd1-7Q<`y|cUJdS~Ez%k@w9-q!aJ{`K9~
z`}EUKv#Q%*7mb0c)Y@>s1H8NJ+c>>g3(vILA6~96Q>SK{R8+^85d+JJoa=RRS9l2p
zmdI^EJ>r$pl2&7m%8Ot>qSG4H^)`O0<*pWUi`igq`TWECj_z##Qaf|a&Zd@9ZHvWY
zQuXowyyX_6eLeLDW<SB$1WzQ*hNE1zOtsO;!Ad@uR_p+Ae!3NMkn+q)YT9(IoQu#&
zdpD<a%E^c1pe%-x?iJi1U#EM;%6+M+E^j(r81eTmWDYD$^bHMdT^X65nOKpk&AyIs
zbkJm|>(9efx3E+)9uF5UP36*j5A$B`sH0{9M^|ei$bJrO4yA-uehvd32aHnVag{QO
zCA(KfBeAi)`OeL*tUVW+-?MW**6+-Owwqcf4vY++F%^lsa(3rA`%XF6>*|a|3BSDm
zGW!GYTZ6S%^RFwgt7R}L1ttiKqHZYRjskmByHv=HmA4;$>szkgIJ9@yuDwH2_2Fv|
zUq5pCsk;wgDfxQdhv(I4XKN~+R$AJKo&)O$D@cB0s&h|LT#;^6KY_A9Xa%8@+32uO
z&bGoPfAh7k9ha&{Zy)~HD9uwm_a08;D*h{;TiRX|X=ZpLaZzOirO#MlQ@{QC*QM(5
z4{ZFQxIg6~zlik>Y8Cwc!u6#bUHI)WL-bzrWLp&4JmIQ$gDcojG&0w-cRU)K+~3o?
z;L6y#<6HNyEPLA<U-yW2g)jZaGbSU6mRz&zoc;UGHJh&)e8ELFlEBFy`C4o};l7fc
zej1U=*?>I4%eSJoTB4E%)t%xyO08(Vvh>HLB|PX`-#Y%EKl_=w9_WQtjkR6tZPFg4
z6~W^7L!T|;4C4EK;QJJOzX4jH%oF70)4s3mCqXZ;m_xAwnWi{4+XT1U=g#fwYwb;@
zwpn9?rk#ntY%e>#_^$9^hE75V{1ovFlUC8Nf@Ui4qiq#=SXvDT>e~l5CRSKbv&hHZ
zAj4#w@tP-kqitnL|GhmQ`_itv!Cij;`zMjSVL0VOD(={OFs>?X?k5@-mPza%fkEtz
zrC&(Z#o-Bgeo`9u@#-#6a9D94dAT*DYMVr!pO(!`^TSymKEFonOPnFbOsW1<Eq_OT
zQ~H#T#R}blx>Pjr>ilR%hq6UJy{&0w@0k%p^uXRtl7s_#>C@w<rwz=YmoVx-9z4iu
zj{hf$<t9@p%O%H;Ut&qNB`vGUTKy7pv1(nMD&|r_AR6h)b19V~6g3v(Zos%no+#ta
zFccDR3hQI2-0Ed3+de;F(AUf_JxVVa=GQKW?M?m$<Lta3u`BsIS~H3Ft#W}sSfOjE
zeD)+9LUGKH93b1Xl=}+}w=@@?#h~i6wr<>&@7^`i+B&kUdwTo!Y5bU?lV=VOADD<l
zCJqb_pE((wJb&N5v(MhQ?|hl}e;+tAL)$(vS1iqG0msK~P`IKvf1}7wvjpb{WPvOL
z9>~lW{QjP~%)XryBV!Xgr0T}VKwEM+-uy*m&E~pQ-S(gq243pmb5-jmJ1K|2sndu~
zE~E@<Mr2zZ164`J+QXK0;vG0P-chYUDufj&IR}KOm|9Cm;0|tguK9y|MrBO>YU?@9
z^lX<`L87;NCT*R_TD+!4b6ft<sf4xt7kqu|u(54oZ?A&V-n|oT#$>3<Fl3~dqL8Qm
z2Annkr>ZVhL5Uh?s$deLyow0yZJ<;E5S|c1<>;;!UKSvn+iEMHOwDxrM)EiBI=p}R
z@Ypc$-O$>X?BCSzy=R|grhT1q-cJ&I^HacghnC+b_ny_Tt&L9jAH-=f(Xqt^Ob3B!
z>Z9Y5-Q9#=UOEm-pON4|;8h*gdJuS3hu;jJ5orr<&EyL8=zuo@r?<_G^NYPZyeZdc
zG@VPwM?EOK4Li$}4EFk3+rn0twV}qf!4+)t1iB-(s59^IM8p12qpQvlOa}v~dPMsl
zl{RpOyc#lF?TI0akM-t7KIMn8T0}9Wy(u33AiMK}?6HZ7A~^(?fvf+(J)PP;<(S%f
z_f-5w6q2Hz16*#CoblmcC+s63a#(BIrh<P72jdZU4_Y_-@|#SK{PISYDSjh8(AwD8
zI*?}B;x{)g=lQ&dz(0>M)Wd5d(@F(3l`7(-w<shd=L45jV!HqS<?W<+H#p2o+dctq
z_1pB8H2!BMlB^6=tCMcS^Mcy>^NQyM#esCL0yto+Q%t<PPm7IbqdIv1R622l(?5cL
zmX5_LN*Gc7rLbO@2S)vyFJ3I5g^a$|wqbU9dP8%ap~hTOn7{DUEj6ZUgV9v8fHD6%
zxs=5J%&ffwyAAoNV~fAY<Mj=g%xC!8sj^KjVWh2{ESWWc#%5$x%Zvy!rD&C;b7B@p
zA+J%hl)p3Mov7YqlVOk%*0SnMFn7e<8d$?Ux9^_ZU`1gjYwg(1+wa*kS7*l`wz^qX
z_g|McMI3O8UA|iU)3wcsmX<{GwU`2|H643D=Fy<7f5kksVQXW9KL~WldzPXUmsTxG
zZ~O4QJ4fr?Fuk1S(H-}Gk&WKuEqL+&O~ucB5!8lxrt#|mJhK+w8yOLDcCv;lO$|_d
zl!~v-pzbU>mtRdMu)7%@z-B>Pnz@TbcCh#p=I>ztXS}2Mx(Uos*q{F)MGcSP`9@<v
z_sZ&9*MW!2;NMcOkCwr|qr&55@S`fcs|@}j6`m}Ee^-TP%izaVcuyJpdn$ZDfup_}
z>}nO>p?l@eKUL@TI~AT+t_R+~jV_uB9xgcn{0(JrhkE^GW$+#qeuV<(<5BPyGjhBE
z-(};{kEq|fO8Fiimj=J442~Y3^12-^gAb_izgOV=`3hcRMvhnI`Pg0h)iz$i9-b=Q
zDGKGu>W4;orTR4WPu0UlqoZ6@{b2)i8QPEV<-?~{3n&$UBOQv)#vFymM|@7)nP<ur
z$QcoaQ-Ysm&UI2kANn=QTb6ww-h*1t^%nRiw!u#kPJ1j4tKFO~9#{Pr-)>7aM+2_f
zTW%ra#60A8ILzs~Cid^LI|K8AW+1%_`>7gU+>4ZX$##M^FFDPg^BVdNHA$e%JMoUZ
zM~dxD9$yj9sFD2~qzQ?r1^G0nV;Ajz^^Cm{O(V>#78_78k%MT^_~-VU_4ZWp_i*kX
zeDQOi`$h5dN9I`Tu0JQ1il3Hk=eNF<;^<=hv_F5v_h*<r%lD^%)BX|gB*8IaSeNWi
zn6E<@053VH%(%i-()?yeVacGnGjfBR&?{&~+b~DsC=|aC=N%}1gHQSDQeP%NpC$P%
zLwHAA24($TgCB>S1n1Aq-Iqd$DV^z&y*cCPK`MK5uD<&ERs&mE>(WW2lgUW&taNua
zJp*M5cv)FpCf^k1|2W4>g8Bbk1iWk2N4_4wzrf+!8JsN~{#(Eaj{+WMQI1FQ9eh`!
zeJSA4GC1)S0Us!XKd!<%WjOiD{vgry#K?`t0p{lSU%|eEk4J@fuoljTX#Az{1mHA&
zte;ee>#M8YE#`^)-p9v{lpW&FtVY~-4Ln>1r}>EMqh)X!pMVdP!H=r&t}-~$m$*Jz
z1}8ou;Mp=b;YGkZ6*%S(pOXsjU>n5z`S^(si|h09^~-=iOg#`~cwD&;;Qz+?v$*~e
z8Qx9zDS^MC<ofUGi9d_$FDrrHrzid_;8!ScK28O1;Lijn{z&76TwVcxJc@l4)au_>
za1qTtBkDQOUQ#&6QE<N+Zk1EQlya(#B13{>7_rx=vpwgH=p9+&QVW}*zN<m~bK-@J
z=f8xPP2UuBHTo<j#O}-)FvH}CMP?q7)f;JcIE+THLyeB~+tqpBD9>B?&S+nJnbTL8
zb*cN}MZPZtJX!{)^%rnt_LW>u>o4G)D%?lDITgOhI@JC6BHu6K`T_NN^5qfT33##u
z{u53Y0v;zg)&=92TBO6UsnlvlC$a2>f!D&VXp&51O+m}TyBOXbMch{P0%phyh#a#r
z>)#=l7NL4$JgrlG!`G+6D;V_|3K^^0)Mzx-+8ihJ5Z0O+;@#C%s6^$k_yf5{dx^J@
zcpYf`k9;kj<ZBdV36;0NwFg`Ycn3?!yv2p<HFz5EA3_!ez*}IO!VlumBtwOzCYOBU
z76zsDNk~s2ZBj`#BpZvO^`zrk@fn>>qzH=ze^dOEqWP5dAUxDo(Kra+Qp(V!9*f~7
z^r8(17T}nio#o!iKeB5RRXg!7Q@r+<zhu{L*@9`J2hE@H@-XLpU*Yo(=>DG1dmi}M
zPy!DN`06hKcW^w3>!ULKn}Bz5+7a-$42L_Exh3L#0^TLVj{{!IX;8qE0*+{>PWOmJ
zG%nzs^7Z1m#9IY?K)!w$*MCzY9w*>=89u+7!@OvH1iVA{_ngP1R@-#XV|{Fzm+GWE
zrV;li9z(o?=Tq@x9N-<frV^Fv&GDX8OY@RH<ZH599Sv#liPV6d6sDFgSz!XMp+zv8
zMEhEdDJzeae7#@bIDLw*L6l`>+Ve5^XL0>kIed|czLg~JO5q(WrOLZfcmi;ecT0Hg
zd-z&D&F>S|-6ZbM;RkVl0Uu;rS1+Kw0QnC8s|sI~^AKr|l)#al|F61V@auD>aPV^j
zACDg6d=Fn^x_``=q~~&eFFq&vTyj5S0^dVU+A109@536^YjU7s2WhTN%9b~B-HPEU
zq+?MIy`Jk)JarNKg<dHuj<W42rh>RKcn(sAk>!SrVeFe=cZ=_grCWUW|DyQljX2=y
z`1L}^zPC+$oa;f@(`k;sX9WJ(n1VmRiB<)?Q-Pz$C;ZMTyn~IY^7xnhK3|jX)27^q
zmBIt86izfRt{*6all&I&xB|zz!AGpZReAwFf62!wuJ2T@&y`(YN=K#lQRs-|fQyg+
z>wNqHO<ya6m*{<fle`z#m*{<f)A$8EUUnbi6$0K>1}AwX;K?#L>buJDzA`xBO<b?(
zl{q|@<fMRiuozz#F)!jF0-i6u57&DH{E`#E-%ti8eMnq?Ss9%4ApyTah0}Nx{E$8b
zeVOkMj0<)~cJ-%{U-H2ZNgcs%QtS-b9i~}Unm<#V0u!BJtFT5|Pgsh(QLLh#`!q$B
z9Pz17hKX*-0aaQfdxd*JmAfS5`;q<>Gsa3XzOjQu{*=DiVWo^<D><iQdOM5l9qwrz
zaB-(|X2IVRq4y)ZzT^6JVsv)-o|$Fmual<yh<7q9T+VJ6-iLPgk|&=v&2%zX>fGYD
z4(*@pEWXr+=OfO5Umpi=pgx4^+47TkEh&Xwi8as}auc|PsAoqV5{M57-9%`J4bTpQ
zoWtidTQY)J2(Ko~rmug;+Yht-KY8@gUl#9(Mo-<nn_|B_3OmaFUW9;YjMyh>=>xFf
zQku{IBpMU-Xwd04aE?V4)+qU(^d+$tq(dPlP_83U5Q2QtT8jPp;gbIL#hU7k8|wQq
z@$`CO6Gy{Xqs#2GL|fYX>%-?wm4{Hk+r?a<yH+8s7qnTrw>eLg;ibGFP4ZZVm+qxB
z?Rgm<mu<H$&MQBl!ug)$IBcW6ikz@^oqAGVu41ZDzIM>{C^8*{q$b^oYMIiyNBH_u
zHB;(stZM#>1D}E=)kay4^J7-L3L%j&tN}J2FN9r%okKw-X0p5`5m8Km4mqv@Q6KCF
zrB9tcqy$aQJ{+?2xMa(KnbnAtY$Ib{qyq?EkX3mBcq_LZ1pG!BPBQo3IM0QK#qsY_
zWyZg8o-W|nDkX5@eF8q9z#$tDw^8AX3}-fF*<A|nU|w05$l-e8xpW`MZn_WWP0HuX
zW%o<qd!%cK_zT%O-xA~175TUXoOqppN6X+eUI8Ca;XaDvsPOH&-}3P$F^^LCBF+lZ
zJjDG;7K{6Is`ts2UEjg<e15oIe?90+zTWUH_AJKBbi1*4V}K_$-9s)xqfwp4Z<Y8_
z1NOS$Dioh<gvRa%&56`=I{iUePfjEbh2i6A#6IVgSQb+PJ0+?U@nRlY5-gQn-?`vQ
zwdA~sHZuzQR9|S$Cx@rD`Fa<-XZG1I+_vCI4w%BOPKPbiY6-ZTt23{6MK*0Jewj^W
zHg$Vv`!8&o>GS0i4&X?{kO<e`=4&&c`zc==4{(auk_z9h`!UDqTKJ;wr!qWOc72EL
zryQpq=yRp_NdOLgPK{kPY8<;l=hkpakqCI+I5(usG1A${!WWssWED}~SUq0pQ)<S+
zJ!AAs;n|N~xhqVOt}CznX`B8ZCMNzN`%|J35$__}e2&jQz`}g~YvJKCIMJ-QK3WDR
z{YAjzW$>daysHdOdr4fMEQ1p-5O8D&l#GY`@B-db0{@jn`i_9(kX*_2w5|d^Pzu+#
zsPGHR;N+(e*Pl}c->kwfDuZj+pRdAm6hBn2?_gn02Lhj@Pl@~I>3Xc{GW<IfZ%iXE
z8xoFE3oE?eGGV|n7T#T4f>ox@d6Zp9ePa~QHkf!t^ikpE+|4}_@2R&sYSXiMuNIHA
z2D6?R%JkaF%?;jd3wj*2%-OwTXl;bDd!{o~Z|!jke>d?4%u705`WXBeYOL}knup@C
z7V*-OI*VnarXzJikfZ1@<?O5pp!#DuGvv3`pLDDrO4Y{_UZ<}q=I|zbmg?f~DX=PN
z9b+ZAeVyRL>YC9UG<eA#0G#BuxSp?>dLNS80<O_|j&PyEm9-b~RoY|UmG{^VPNQq#
zVO9#KJtnS?mceN+33!))V?-1$r2GG~xWA73>MP*kGC18|Tpuli)BOd!s|-$ZM8G>0
zIBZ$ODOGrf?(0PB@^gvS#r1jRdOl9#5dt0;a5?r!<Nuym7u|ny{G@UH1Kd|9-~(lF
z8jpZ?DsYSkF-#TSp*zm^UK%{O6rKQ_&W_1GZ|J{HWLe9*uOjLxE2%t20}q~}lOoon
z!ww|fl=qm&d(ujALL1sM#Y0Kb!JZ~R6wj5!5od>zDML=F;5<*6ymd+BOkREUA5(@O
zlJ5M+he&IFZx*-^xh0gZL%RKm^L1n;5Mw+>)vz!MIw8@5cXR>{(f~HSQV*c?xYGZ}
z+Is*<R#kc9bzh~9Rb9Edx^m9Bx;j_q?&+TC3Eh(!X2?ShA{Yl`7DO=Zhy*c!f}jqH
zC@e6nBA74-*j-&$7j<=A6K3&as{g-p?|W6%)5FO3|8}7JRo#B?zI)F-_uP}up5@cC
z8wcRBvng}>_L<44>Fttk2iy_T$+3jxvQOkIl{m&gHB8Jn|J^vN8(xF5+tkT8fX87)
zw#cVdJK#k2DWqeRr3#U;t{rWp1tr==uI2sJ06*<p0w*c2Zxv}ZSg^8vG{6|UPP=t6
zHrX5Z?j5S^91DhPyUVrZ_WHN9Tf3rjXN~AO+ji{t*{Xd}BprqW)Le9W$CjmC03+bA
z2XoM44v}WABRQ+e$!4IOtZs~wq#&|UspN`r<ab2%W3m2Nd(uMMF-MBIAUtru_6=$*
z_!z}QUZ)2SQ?e=9_Ce6jH^sWG?UwEykG-3G*!_#n<*mNWnFQR8?TO(ooqj^2vE(+7
zR2OsBRH%NPq^tQ;p7C?%HyoTo`9I9(Ab2?PrL;6D?>euIrZ?p==zjz@2p)l?I$(v#
zp^R1dN9y)0zsV8q?&)xJN1V%Jq^-NXO*^617BlR{x@K{wfaO8bkw6w(R(6eC<hcpU
zrdM4v`-9NYc0%H$h;`wuZ3W!iXmJ9&NZM<GUVlY#w*&CtIw)N5P~7A-R)43l&C=<y
zs=5E&CfOUWdb>_LCTTMX*$c1fm-m<Ht)NQain(oGN49HxCpm&_c{*;(6TY7x#Jse~
zy&zMAbr6*enp{hLf|syq51ap!q?@geV|^fbaUXW_C~Wxtt@Gk&_NH*n9e6wWnGgpD
z6SXZ800*S^etQ3>>;K4XTL;tw1@>G$Rhap=d+$}|Kz1%2*_ALSK{M$)Xrnww(#h+%
zu3pV$SCS#s(8Y&TjogFlcn+Bia*Cov77Mxtssh}nY=FX#p0cs%*F_1EFfK&KuRXH&
zL`TI9J9cbX*s<fcwc7uQ%$+l?$cW?cSD(80j5E$Z|BN#(7Go!WVT>KRVR<g3%hhq+
zFXJ2gGgz<grmxnz^=kS_kxiK>lkk<w7YY=X(C|U}_!*yolavEaQg#D~AY6;Ogp*WV
z$XLJ?uD{fgUQ-?m=>v6K--sAotoMC<KT;q>1Fq}bPg{2+`E3b*bMj0>j4$9ybP+oh
zbg=~1Jp$N9a4oQ_>d(B01li|KP6BGrO-|AngpLlTH!e2|{6(cH^x5!-TL+J(tx(w5
z35O9sNAEKQK&3*!;@g+e3n1_$Fj<)^&LF%;$b-;2abKZM)yw+|HFeR#TOU*h)RFR&
z(%FcaW3Ix+Pcuc1p@1#m&<AYkV~?_n>wmlFBg|j;*KcPgp7_!vAA^w7Xbh0k8axJl
zCtgC0`WL^E_DfFm+znoI4iQu2mmKBipc|hk?+U$J*pSGkM7E<St_Db^bfqXAqT(c%
z($$4DAPgEM(-?~&Ckad&mWoi45XQr88H}mkCK-1wF7B*fPQO1mu)7uv)^-mpR`<|{
zJyoWeoYT~Qs@X6(xk1C+nz{P@b82s8A(vaIc%->G$s;~{)pJ-+Bj5`EHO%SXFel`W
z0?rk&o{px*>=gbK$1rnID^0`)61+*ruSkb9UlZx_kaPvU%uwbawjPt?pHTpYna{p-
z%jCqSiODUOo_$Pn;M_O8VSY-(I_rPZOwGUHP3IoaP>vU@y%Yic$fz22&r|4L6|5$h
z(rM|!l`2kCq>~%C&<$Kb<PLCw<W`FFOLO0`k_>5uXCZ3@<=JnB@gYe}`a)Bv&qQf!
ztGjC<Q(wq*;n(t`_V{olGL*25<|fs~WVsfh1Qk)l$V6)8q)|ON96E0?K3nv7inH;>
z^FqVGrI)kE3BLLSei)d9b3{6fb)ncPn`*o24LI0xPWi-;5x;p7w(^e@G9`4H2GAmk
zh@l)l!f%J{mO`>4d;I$FDa2};P7*@(z2$XLRP6orGciOu-;g7N-eSZ_jZt<tM!AkI
zwCWlt!cgcMI-n26K9bjmv<|e2WHsVmhQw9!TnZr@jZVaTuvLU?h_DYn5aiy)IF56i
zDZu`VapW4~_`kp%l6U_e?uhuuEb%s#SA;_}?7xRc>{H9H43+qFv5(jA8DbsSkFX9s
z;Bq#-EN9W=;b}K05l|FALE15JmJPZ|x?7PapCX_F4bGmTv4mqdJ5c|_S?P^cKjh=g
zxqEMzncgMoW^OeEtMSBe)I4?|8<Wql2LB^}2mb>fpu0hTB;<Ntk-QkUUF8P_LWB})
ztlK(%!AAbUHc>l^Vz<Ozr-(<|*%XmV90SGRAtEP)tN}<PPMO4kLV75vsyaO^3I_H0
zb8UU?W{ahxt*f(3&!V$!bM^O}=?wnih_1c8{pb_@8hdiG5E&bth}XyapE&x$Rb}=D
zZz*3=&Z!131h~PfA$<yXmulLHWVhMo?mUstu{6#J6?Ui=+%<7y6k|Z=7;*ii&7{ap
z8<%W^UY**Arjhqy5Lfb1NZ|P>;{2)RtJpVjPJPMu5Wa??Byte<Lo`G}0h}kOJdN-K
zhn^}=>x_&7CT*;L<ITJ8A29o^+D@&Z+ZG@7jL$61)I4J`TX(mvLu(C~tM~1`dGXi3
zX4WgCc4<)?8@%pc{^h#Cn08UJM_*O{<*$DYIHX`p|198;Y+~OjWS?W?L4mV`&P%em
z2puCyLKKWZ`r2+;U)v%($Qir@*VjlvNoB=&XyqS9&PXN03;ELghN+3d^vF<VLx0M@
zr?`ApGM*pvR~Nd%u>rrokj-ZX;Bl8KRo$V*T4KbYX`d)XhZE%UDfk<bJ1kAU;}p~u
ztALg0#7dCgBt0ekw|it7jME){ArL%6dNoOBuzDamiT!p{n_4sS<TAg2yFC84KP7i3
zF0Fq<()}U1FLo&_Hh7}nN>4!7BmD02EV+8M7^5Ts)~=>T;S^RbkyNXf!@2__Rd^)Q
zB$$A0k7G;q%65CAybhvlM0I(cawQ^EMwdOyJC{seuOD)y-l*-+nLUo#CwAY1o&Vfn
zcf{7Fkv2+_BO<VZ;Hd&$Pz-QOPVja6qj@e6CMZ&`8IUyt|7lks){FMEB1ckbPlkOB
zRuWmZ4eFwyx6`ES&~;iY<_?puhxwP^-t91SqiA85T7!tMc6Wbz^Lw{}-+XHF+S=&m
zoLSz>>-g=490OXlhWC|e7r0i?u8%j?r@^y|`?-Inj{GX|eGNYeSZD!@Cpd1+DHM7g
z@7@XvNNHG|HqZn*DapS=#UsZA4It@SjytR|wVY`}ZD6kn+f6;TthMW(ckWMXV!O6|
z$}!p1Hm8gBvYWnj(M8`vVew&fgcAhySdod=47}}z9i_o*$qvI!`Xv)$E{~Fruniti
zBtHo5n)Jj*Irj^=U#yx9Eo2EKibZke>o{ESSjfu<2AA7WZIWhr)28M6Yw7o0mmNBE
z+1zE<Tyq)I)uyESU!>_;ZCZlQ(p3Eun>A<d+jpjB!v=BP3>crt&+fr_k^qdmR1<WX
zbT&?tQ*a~V92BPr@gKyww~1YVqnq{uj*mUdKVHE}0eOF%gch6&oL)=;$)CpiY)uWx
zy1m#uw~k@FiiU*tBE|CrDh8OKvXbDJDSQm<4!hKn_2)L0-P<N7JPFgv^BRpgF;zHp
zXe_7E{DcRqa#|&Q4DW7{1=r28RYnqLrefQnS?V!cvg)+A&K5J?v*p1ppWLF%l|3n9
zcnG$?!~1%mp#yAH4cM;p5|W1jj8P)0*S<~ob&<3{ry1FjP#Q(RT7kIq!Q+qeQOu&u
zcylBKdEy(ex1?!4mfof$ylxy#en(`+baE=#l!RNk95Q1mvOqKD{3{=4Y)5v}fY&>)
zDZ687a&~5BBYSf8Yo_o}JUtpWPi0DZ6o%z|@KqR(8eCIf({jE}mTGz+icAhJJ|glj
zBuy`^1<_|J8Y^_W1QlXn){jgIEg%2s@<wHB8>eY(lXRF!x)X*c^M^mg_+EKTCdsx`
z6<css!sC&j3vxBVCXDthA5cbdU>A)7j+iHofX)Kc;bl*O-uRpFk;z??)-)v<MJsB>
zJ`?hc6_Nt+2ZCo1(W@3^G|Jh4v$g^?9ylCg5uPjUtc4?!d&+}5J=xw`e0IC`M?Y-e
zG8r9qr9)dKb9nl!@!9jHgK1B>*Squd+TwDbqZ|kkeI)(oAGu6nR|T7q+Uo+B*NGQR
zg&PJ+#<nI+KSrJ}z!8P-0q2d`kc3JaYoV7UFH)>`Q<2;1VImpMy|(RD%ga}GU2|r6
z*LWy2zN<33vNAijyxev8%3ne#y5QA~klc&*?>~5O|Ne_;F5qt1gINDH@uTaY-`uzI
z(3^7+?!`283d~c>SviP#6Ji1}I$%2$_ayRzC2tP);L85DoPK-%q_?~w)xL8_ZGtfL
z+u#1aVR0li6f*wp(O7Z6e73%PEC9*J!l#}4@B@bK)jvy7%qP~=53i$rt$Pi20Gy-*
zcanPm4Egk;oz~00(H@Lq??s^<piIM|7F~Ks!7kFalg?3(MRK!y{@If9BscW?T&V%C
z(bLhbGwTgrr*UG`9W|{`yyp?n?f6(aH4-st5CNs>u!mihf<}Wvuo#3q?+=pwNqaXM
z$j`^Xc|7nQ#7khWG^Dw8=SmZ=gk4Bj5$v*`H`xpnTP`iriP7E)XGbYtnqkX4-A8o#
zwEhyM`>2GccXs^nN7|hWa>|d;G_-@~%!GK#k1b2JUHg=rADD~q1u;Xn1YZy_w^rTi
z$#o!{VyaYsk{-u7M%jc$72arFw05(04Ds6FV7T-k{I+yhJ+9LbUS!-FR%-dI1|6+g
zdwZ?;d9{4KZduyZXSesY{v5xb@KdafoC^Z;A^%_rbNZu1ylfP@`-Uy=6x^)XGP%ZX
zZ}PSt;F(9}ZArr|&chha!4rAh2H{U(gK=gzq8RwralKtrJT|_%DSPYdWcHW6YG`t9
zW@c~=8{DAH4Q_ZdKgBrB!!Oe3*ufDtBCOW!tS07>^uT0Ijt%&Bavp>7qmgW3`Ib_>
zn0Q1Vpx`529ML<HPi0yTD<;)eRwDkF|7S&>*i!b^|6yZdMx_5~Oyrlp6z4Gad6E1W
ze{WNMTQ_<q=@Fcw)B&ac74rC6x<EEp;;>sOfrmksJ7M={=ZmgwBO|T*JvNbj$2*8m
z<C|RU1ITN%$G<4=@zCnk^4|X~Zx`~NpX58V3ps)0KH-y=SN&MXeXA?%H<()|{5ZgW
zbu{>|bu(<PPm`+^S~U)B&SOz(L1gV%xvPCfBlxT1e>)1Mmh)EZk5ZQ7z`U{>Tf+#6
zHBiI&3xg{RG(=QM>8*v5o36xE5|i1Et5UXyUW;>?7MWrNl|#Fc+UISTU%v9xQ<DOJ
zm$DOsle5z^1MDA%&N^%8^q%lQJUJRQ*V3gtqWBcK4D05CefO2qN8+d+2VRRf7{WaT
z8;L#&y-_nOj>zbs2CawHm}*y&nRs13jLDUDHrBp<VrGZ7{-kzCS7i2_iHWmkLLuZv
zLPh!r`}gIgrRDm;{kwPXCmsm@V6!u~;^#U&SL^DLbR{HqqIt?rBR!W5(jmawh<vXx
zVi_7#UHu6%HaQL2Zd-TWT+ACS5Ru#U7F*kEu-bn}Z_N}prtg}pLOxbAUtj$yJ~VEx
z{HXK^9Pt&>qN-mW$6BpCtri~2BnAu5OFh$VuvC8JxAk$FcL2X01@3k?t^4b^^`@*s
zHZ){F=UOeY?zaK86ukv;@4~i2vO_oaDEU7qE@<H5H^W5w?sqT$Jgt6V_M^F<|C~Us
z(m{6lI^dpHy?d?fA`53H<3L3nC&4w4w59_>lfH*MqR7tIiB+UrJ0$Tw2F{8!7ev=c
zi%fY!Nt5iwXKD-LO7d_V&mkgJ<>k*&EG^~JB>9K5ah!$v`<gokBvR>6_~yl>SD?Im
z<1_@QU*q4&^>^PSd5ZLRD_nn<f$zc^*-lQw(}a&qY`AO(>WLj?B<_{Zhw`5a8-oWk
zBkq=Tc|9s4|0@xNG@Wr22CXFa5NY{ePN`>P-%{r`hhJW=hup2f_M;!vhW#(A+Y9u^
zd$k|J97%rl00-z~TQkQ~_%|N|CMps;@ffuJJ-8B)qf?C}NC(%`^x;lTV^w8-UaTse
zZzpKeXbIUjBKPcCK8Z%{t&4ogPE@M#rNU@P_Pql0@Tjg-sPoIEoM<lFy4}`FWw@Bq
zOiCeyWlE+=$`HlCCKPgll0#HhCWHggAj#@Ml9pQ(gdH92Jw4_wt|5fb+)xo}wA~I%
zQ%6YaQUh%uKh-tsvQE}&`km8CP+lm#Ty0zf%o9-sdaMp<7HDsgrxf2?JT{MW8CVNF
zdts3>hb_+m%)ca|>AOO$0N9qX4~Xyf!M?j@EbFwu&3!-`V5LGJQ9>u)Dvm(XegWIp
z=dB?%j{`dRzi5)PCHG0v>kaR0KYDLlYHIJmi5d1L+V5Uxn{MXwumgs&?6%I!tf_~h
z_<s%0q9TrLvJ|!hS~iZqq^lvT3SI4>yu??7#^R`H$@f9$I0EB$wcpW__T!GTE?<5y
zrD3r~?vL-~9(<7KixF`BHrCjyI)5!(*PVXNJPcxuNoOH)FVI=&#7LoK=N1prh+6pi
zKMqa++V{rpgEd~JsY;F%*h5-IujkwEx_Bc|%C5C3RIVbWlael_HHpgSh+5Korhu~@
zn2+m3JXyCBn|LDR0jkX;GE0cuoC042mYzftNa*_b;#zIsT>H_ZYc+xm{DnQ1eIMg$
z(MPU3;adHsh?O()5m9U_MOs>9xpxh>`+zm$&o5TEIx=a3@%76>A$i+v#OS_+7p|B0
zNJfKg?6crwp90ME`aC;r^>w&U*e=mdK2p?<JRZ~z?{ms$0eK4%o1#C&*MFxW`{(7j
zZrN85diXmV_x)CS2i_z2=%ma?3;q3lcwX?)6xT-YY3TK}zv0gdew&^b_a%wn#(kpw
zCyn+Y&WEc>kH!7`(n#t)t$LTT-(+<|ljJrj?Bn1&%(50A9v8fFC}kDNt7^bm!rq!H
z&p!nk_j!nC;%!Mh5#XP~u&+_3JE0-$=X8d6*Fk)G9NE-8JnuS5ks_6@qKzSO7@j0Z
zj0C$$31TEZ>7ytpqK1bCFI5Dch6OYU+l7bad@VMfahknxo5^Yk6}<h!_E5&*o{#oM
zyB1BkfV=Fljm`MCY&Ud8D~>*IB;_hO;`1JNc%;h_uRtFX@^<@1+%Dwds^xnVVZSjl
z<MAydOM4S0yKd5$=?k#;SyK*sK41?d>W8f+|3ciFbtm%J+f`XlXarB*@M}9o<buL;
zP_%+bW+vuOmQR{@s{-w%%!ZQtg1vh$be9$~rSb7nablb&v%BW)Z@-43uqMyB;KBoE
zTyViT06O*tEO9E5x!RikPV0Qno4)fD{RFxRYY2H-iKCJrZhG$pi6K{weWaqd7@%H2
z9VT>sJ3nU{`i^y6$od-03J*+N2lx_tLuCx73l~bE?o<RTJ+HqUubnj=DwQLn&TM2y
zB|edHhDNsK?UlZF<*R#_ro8D=$eD>I?TNu)WW&a-X-PfH=j;IdZ^PJfP1))cu{gq(
zD`*JeqOj#s91fj>l+R6xy=mw+!0jQse}!jvUOV)LHTSv6{hqjMu9B~rlQX5vXv9>^
zgvMOS;I>k9BIg>+mgl^cxvsRg><s7Q_E4{3#NZ5A!bx{;$rCY$O8(4<N!>Zw9~y|k
zlNKI8DxU9*YU4IMO4pr`P3<$;-4s9UHt=}_`DQds7rv1MfNDLmM=26f!Iu)uMaUK_
zaf>f@8H?0cf46VbroTNPF?F}qa8o~<tv_A6>6z>8!*;8eG$*8EdOz?h+=TTyKi4K5
zQ9L+}n1%43F=A|18ShELP~_MKtQ#6j)bB)o=O&JPe|on!>Y6I`rv2vek}uVpG_&xJ
zx-5y_@I=8K=m&7!6-O9}_Fct6Q%~>e^gG(St?|)hYBJ*lo=B=OjQw%o3DvcEB~rMM
zr(*oH5!PqI53;)p{XSt&tG~9$ug=p^fOv7~cFlGM6=NOgg{m(ywl$NVb!E&YkGGuY
zWqk|L#og}wcqlPgsq{^_+Qz$lWBVsIT{7zrIE!Yxt*~Xt6WY2pT1z`?gSp(GH@HBk
zkM$rq^{rSBLvz2c<3gM30T}>eCf`QchSn@x|8|WvGL)?Uo?Td~g-x2dt1mpeGF=!t
zc=78tlI^u0uzMJ=i{L#IO>N>SJl;iy$`L@1PL8N*gr5j~p!!jMB9I3><@6v;+hd5=
zCF;;P2Y3-Q4o~4yC|nEG3h77HC`nKHwyY%R|6h``Wsk)dvjz&T%xGw7kI~^aSi^2p
zUvXCJ@s)G&k}aHTFO53m1HM3Erpp#BdtIquUx&szobZ*xmZcF})aPnfcRKwEm$w|X
zv!uP`iWHJzTcFqS*KEuYblE!1m2jd=xKsc<J_>krz>}tdOLEQ6=84+W5Kt9XhI5m6
zsbFIb6h55t{CBE?fD8B;9BV{m;EZT#s`0DDYVlNE3eEg4SIup_I5t>z73Q63ppvH?
zcS^4L$if~sivFgMUNJJdl}Vn^Kcd%a{r3S!(F9c5Jmd)qRPv1-7+<=0)=%>h^<l}+
z+XO#GnIm84o82nUbb-_61!Jj>sMMmmKA~Rh3tP6l(5%qJ-vwBF4X~qk6_j_a<3pRK
z9Kn4mMP#Yeh;L1q)U`!qx4iJe7IsUs0ICE(*gvvMr6`~u1wSIst*M+BMlLF3CS2tL
z%EXlVu?^py6Y5sor8T<4K6@%XR*d^Lm*=<J0}-#OSv|Hd?sxk_4o|X>_e7?LeCeRu
z8*;9N#n9@1qP8vh#<YwrAQDRgk6LTT25?mOVQeR@9ZQjH>Xt?LR~k(iquH=#ka4+k
ztiLgwHG^cIZom!v<QBFUbz@Hle|t!ERD4Hm*wYaUi|?pAhT5>J)IP{|p*HN<xbIqi
zUk%TFPC5_Y-^9P;@2JswHlD-Z@!YlYbGQ#RTF*l}?n67OuJZm8s^6l<X%^4lL{??^
zi~WJUijfv-Z5>Y1q9xeEADZ<`{~+D)a`#F58ux8OUC(yuD)e@W8k)74nHsNyd1&R)
zOD=wNyL0oyr=R}F67AyX>UF50sXPxU0Lo>On>lq7L3&CJP4sfex%9~Cr$4;ex&6_L
zF9GsV&8zpImexLS9<QW^=DE_-x#M?=8k+AxT`lD~aBO%p#Wazgl?<I2gIvXnYG|ID
zlg`N<AI0B-^80e2RmZTqmFK|kKqE*!kYc<OpB~4#-pQp`qQ#V8sg?7=*He|yY=5}|
zn&%d#qhn!%%VsEdTV008Xl%NW3&sOO!F-`j(_YMmhWznR4znTt;ytLJxeufK->IKT
z8Tsk7pbYV#sQ4CITRd}Qu)WP1=q-lZ2S?7$h2s99P`22vX)EM|LxFfOSD22CMo@2~
zyUeog@K|(O<je}OYuF~WN7CyiG3=YUT(%R}U#U%KBQG1#7H2oJaem))qm7=e@wS;p
zTN3we;m_h=m!GBkrg+<2qb-BBS^n&NqpgT%#eEwZZFHY_??R(3)@WO7v`w%P)fd&L
zW6U__<@d(Wc9gemYP6-;Vbu-n$GDHSfS6l=IaKfDZJQfyq19=&Nk#VoE~qt2a`8@F
zf2H~t0T;O~jyksE{64@%Zlh;wybW-X+mg6%3x5`HX}NETw*fA4TL#b0@@D}Txvhw2
z#eINF%YEX#fQ#G~!?U6daFN?4R+;LHEF|F4xR0rh@;1OlZcCx|`3<Z03Ao5@f%*?r
z@8oTO3$@{V4dD#h#ExKhIk3kdcYzN+!Px@G9H=`t3@g>ag+!=p6$l@l-nw;qYTLG{
zXg(i}<?~$^oqg7Y7oK(YMWxM4OPe+=E#aNmM+iz&{R;IQ+raG#&F{Lmk>ZizO=Rif
zLf_HtfwZ;E%1NEYSbrTlKtFN(8ppU@;MJf#Rz@x7%H}S1PK>%K=z+1MK2H$yggjre
zl{2$hXFSxKG({a#@!>gptm3;jl9=ev*`w)zGZajYkGad00e=<mCYaUm?j(3dVWBu-
z4#!Ag3NlV7H<=6d7zr<&gesJj;*=8Ca6;D9-b0ELy8D)LluGr{Pv;jLDRa^1&yEk4
zsxiMkj?$o`iQY`m8ubQB_Gqaq6$teC!ogrD5%;=-eb%5SWax|ahH{3sLaZ<4>!G!V
z{)24+>^mTDEnwtY1!_%3oD$5CO;WHnr2Z9wKQgO>@4_NUVS!pMIuT5vzZ3>Zh-`4t
z{lP=`%nuEH<Wh~McrbAMh3vswXD{9=!)*%h4?<r9&CAK&-VMU9xFZnM$eF|{u&xDG
z<dcLqwn}0DRNml7S@OY9CL4BydVJ>R?&>u7O;DUz?GYJ1`Di?AHaMOb*sp6h1q(iJ
zF$D3C>c{?(&0;<K-~~e?BRTbi6@46ow(^njB0(4#t*cwv4=oawPQOlF0{QCmGuvF*
zv2ZYLa-r;4dQ6+D4%e)qoW~!FM(lBiHs5t{Uv*o*%iNXeFw8B+X9nE)u(gy4h0+%1
z&=ALY=ujBJ&j9Q{#oi(NG1-i%$}hR@lS7_Ctv{^pai_e`FjF|=?pBv}Y}u5khBGVM
zcb7<xA{fwq3gCnr;&myhOz%mc&<`k(k~^sC=Ymr&3WJe=097|2LUk$$GFc885iGn;
zX5wz<f-4d7ghLjYNVa&yR}5P-9+%$|NcUFeJI%I^V9XXN>h0EOpDSGK@@Gx%u(dzg
zW%9=Dk*Y~!O86YnK4Ud+ay!j>jj0fFCcLI!nj%)0*XQ&GzZ7$uon}Luzu+Pbprne)
zbEV3rwBCMYrcIT(NNGfv=*Mh`#qYw^f>~9$c26F+A_w(Xbqy(qlavP>w5AbXJk}k|
znEG1QJecpBC0uxtmX((GYkbM)7ZYO11sd@6o>=`PX#ICj$q(L<%4AZRXdn>XJbLZ+
zm1{=r!*86NdgBPu$QYhK+Iart{NRopJ)28p(wprgZ=9NZ<FI}7nw9O>((|d+zp8Ek
z#qI=^U55)~JSM}rV8^(IP`BIaa*<<D8)^-@Ty~oa(?CCg)winNiGEDro#cL+p&W8U
zQ-Y)TbKWswhybg6+!T7eLABQ8c3XPg#VaG7aW}KsY`u|ihR*6$kk&feB)wOh@vMWl
z?Zow0(mTZ&FSo@}E_|HdN4$@?kDjgZHsXCmTN3we;m;E9)4Xqrw-N6n+A?@{mOo3p
zk7z66S#clnKF#~YdlwpQF+3~Ui1!iqO@JHzqVyl)jF;P}2JcbcM!b)>FU2JAK4*wC
zUTzDhZUyf{ZN&SC`y%WxOOnTx?)4ld0eqk2-`~f-d+~jVe}4<sOIlq8-*&Nj7@J(I
z80G5j#!n|Q02zS|Ld!%}c!mRwVrZ!a8iGb*Zl#RaTP%kx$e%BD+TQ)H`FBml-WQWz
zJ2n=c4@G9{zhMv7w_I}#XwM+tcPZW{YKT#85(#g!;B8^-R=H9b-e$wwI?yJpYZSLb
zVkg;Kyx5qQb-AS*UNMcTCxbTx1`_sYG+*vbkA}C7^=Au(@eTdML)8r!!-Ji!xW`}W
zl-f#Zf8K9=5eKTb{>fM>8s>QH2b>P7r(hlE!x#xFD*TW~gGnZP4jM-zzFP4i0afF6
zN&|bIat3%S^U1`hHDpe>Mi%Bqyg6&gh4gEb5~;j0<oDZSCfnYn&3m2psMk;Qis17)
zz^4u8Hock7CxQ?iMICrELBc3QfJ+i$;wd(G*|`^9aCSLAzu{e3n%^Y{FSx9@V;kA<
zsm~hv?8L6YI`X-YXAEVc6o<T8o)d}nmX=h*gG}|gd+zxX^;fy3d<(QrKs4Up5XTuB
zA;E=V{nqx^+Rq?kPu+Vj@8qWPKZ`yHzE=Rg0X`-UTlC?9ou0<@is1})grutfPHpJ-
z`l^fR%$POYlk$&moS$*TyLKOO%o4DdE9K>3U%(nS+4nAO+1u55Vd*g&a*D}wA$WIk
zXcKHWr$i9Pc*vuM<Z9qsBcgJ!_H?cGG|lFrhw59t{N)BrRIfol@W7E_tR|mWc#RF#
z=-xW9;CP=I^X|ZXChRWSWdeSBj!TWoEqDqhn75{et!YEpfrw>;FV7B#gT7vSBF_@_
z?|6z4QUS~3KaBpmgcb|^k?)U~2U)BkXY->Q76!S366gf?JdtO`Yh1<jw!xb8@!1>S
zH*;v7hWnlG+*|+CzpuQx@s2Xyq2*&1_yZfbz(PP~u=WI>;y<+D$H#GhugIN*@zDOE
z=Ln`+;5N|^Vk=Q^i+_ThkB_P88OcY75IiW_AR16Km|T_$Rh|YnEc?{nEgOb)k~*|C
zuq`Y}IvT+9J9a!@-}1a?&U4^<-#dWI^XOKF(N!1^)!`Q7pz#RU(|80;BYG#G#oygX
zY@sB(7@WK<tCqAw6Sw6gNy8`n;vWA(=-K)frr#Zy4I=rEq$0e&6L?Lvr5t#hLOHD1
zVT9Ebz22l6!e6dcwEB<aOwsKw&Loqwbe&BOPEQXGPEE1HzG0y8wn3k7aJf_gI`{9}
zytHS}(&l}bqo5n-aXhd#Fj)m?6O5HzPAm;kPR_N6bTd3Gb@1j5dz|Uv@Wz>o`uk^S
zW<ztKQn2T~@9oG0&^MJFz87=qR3-VTPWBVZ5Elm4QQvers4zeB-6Hmhz6Z!Eu827x
ziey_+d^$ubL$6Zy=?C%@KUZ6}P)TWJ_A4{SfsoPO-qjIg|8)8mn(UU-?-<Hx!$V6s
z1rqzNG`M>;>byorYc1e#8Q?%Z`w76GC`%W9h(e)&6UIyDO0$#`d20x$h*7O6mp%Bl
zz+lo*PF*s0&c@kuO2t`%O}8f(ERJ?P{?J1|-4YKFez~yb8v!5E7s1;CZ=<*Bae^5z
zCJ|>!zOg>E#9`s19Z6Ww*zdg3^E!tYuOw<c>mJT-_C}oJfn+M~tM&MMdtf;5MQ5A=
zTizE+bX$A7YRTLdb~xxw_Vz_QK6kfUZ|Ms;dy_u1*BLY0{cfYp*rj!w3YjWc6dJP$
zQ&|C=^uSaxUNy!{xxJ|dlLdPYmM_yShuPG1xbyXuO8t8N+yLfEbgq|UH`gHGxo$j1
zN&||`BJAdISx|VvTFE~er0<1?Q;spCD`K;S`-~&b<S;vI&CFN+c05}0b$9zp(c^!s
z%x55@vDG@>cpBb80;1Tj%3dWcqYS+@jx{&Eb#kWD+@<a^bxw`nM62}E=wuZC|5Ty7
z-Rx%A6Nho$knLE|uvYI-5_L%gCjSx=YRG4%2Oc4`dQ=Tk#XT!AyVm!%xb`$F3mx1$
zk<xeR)OthP@W61J5oPE)_34p4i#0?BONbaArSbh&i2Pkc|D{~(TVCwV_u~H-#rm}2
zrfnR~lz)ym0OHDM=h3dF`bP>~H_DlFss543k_#_a1xnSm9z4xawq0}8%s`v5L)~s@
z>z}&%nwgO{bEmr9+&02){?WHDFnX+3kMV+Me{h+}Z?*bOm(jW$$C#!tCh}brW1_LZ
zL!ZA*@FtXhz;Z&BBcz?Jc3L~towkn3#9?;xy{z*pXSTOD>%6M|r+dYG`_T7B^xe*B
zv<CB}bBxpiidu)<q?O$BRLRIvu@I7~OSZlre}nZs{}Xm|gzczA>mMy+L^2-?3<?T=
z2=vy2(Ncv)qFLmR*pA+5t(7%*VShR>9ICEHcucxyk?T^nzQDbQ3g^a(Rm2~HsNI<9
z-+z#~ka*SV=$(m;REv6zwb&g?Z5joiT}oA|o&JQaJ7w&ft$jXX?kmK%x5eBpC&pLC
zKH9F{4@H9?wVuTe<R1SN{3M4*S*X+%9Dn$-ilOShg^h-3bYOE30>~4<M7lANK7P2M
z*fyMr;RChK`b%No&p7f{jV?c?b`;#TDMzdr2^V6?Sjw8fhP3+GvxkN(u3d|XiHxIE
z8!3;Z?lzHvi{yr&^eoO6g)1c**Qy|~iI-PULlQ^K+Cm603_Uuvvo|&93l)rBquZXW
z_NQDygUeK6hj(s`*WlIC9q;OzsFWvqI^#xK1>}LlJ104e0u4@r_+i=!^kz5Ks}p-u
z_!HAgQiUPDqWBB(6eK;!D=9{W1P3O04G}ZSL*B5CA06M|h?V+WX{&mys8@sQvWBhJ
z7(619?C_qI=t$CGF%4W@PlwFC2uS~+$v9dXA)h4p{bP*%fD2WLCp)4z@5$c|d=_6I
z3r0(0BCkLpzX(ns#Nj1;j)Xl`r*8%o#Y*Jv5!5{%7)tg!6IE{nWKxp8ryj^Sk|w8P
z@bG<YW{*7#zR;c;OT=m^r#oGCb{IN~RYO<YXnndT=rZLoM#O4BSN;R_1@Iam{)Zq)
znbAlmXOs6Asop3GnV@Rm=ONU5z<$bnz=7mJVw#X?Jd??n{myQ^xyx>!p2n8#$w|r5
zL`PQA1U%V7{RO-ae%h+PvW<XA2_9NYs$DX6bN!O+SI04X4#y=O$7O6$x>5<%Ie?7x
zl4#?=Q^KO@I)uS032VkN$SQ46T148W4aF0@6ahuD*i!%+-=@P%usp2^leroSe$=>!
zG*S1AEM&WT>;{v|8p^obj!VXn$1;%V?d<JpgEf9^c)*b!i}b}}eV%AElI{<9D{YQW
zU;eM@WYVo^b6G6jc1?HM)0gt}wC6kgW>?Z<)aZ1k&Yqq~(h>KWSs)e&M8d&9?9UO0
zwTG$guHHU?3+qz`ASZz57QVNL3J}f^*FtokROCH;O_VLIcp2(#<uSE&z(0^3b3`LK
z^z!T*r)>V&fv-LlP3Qg#eM1k7wLhfZjeTO|Cq11Y2K*4ersEh$R8FXLDBf$u>~xy(
zQyf!w*i9yf!(_78-^3>BpQW)%t3OlyO?55$BR?~rys|V>!f>M2q&lOV!o*c!ffPk9
zNi;e^QN_C)CR=B>uB*e*GnVX<-}yI<rl3~)JShBocmJr=qr6{%(MG^X$T{>zIv+?@
zqax>Ow2LefbQ*~&fE{uh_CMZE5f<R>2xOYWGnXBj**8G&s(<~i!=JfjYOA~shgEmr
z9Y*|z{Xny#_sCG9DcDOxjI7+R4tvJh+SEF2yS|4VPDR<x^~(&MQcewOE!J}t_#fm^
z)<N_^Yf8S?YMhn=v1wJi(9(`kifW!gv=Dj|4Wqw$0Yw|<#Yzqy*$Ssaz)o3w3a3;e
ztI9>K#+naIIUE&#e{RefGDjTvjVgwOSsA-;#2KC$B&@La{+IZzjB^6xw19IJV<fzz
zcPnER`WT{G#2d9>q8L$QFaT>or?FKzDn_D&iuBqBCL-@1=p^(`c-Q|wx#$sJHR*IF
zQN~ujCbQXOGM8hA9jUQ+yq31x)3tbfEafOol>5iW`^ys?|I3WA?RYPpvpg;fGvr(p
zowKr+5~z{FW{4%C&<i?1jB<e{5@?825&-xaYm%3QOHxE<95(2R`Et-1TQ1-bDS7zu
z>b4iGnx)1W%h*@J2#E95Vy+#0xN*kPdB;ds$6-WVADweT8$q=av@&-GE>ET9#F37C
z@;Rpnc#<#aJI{_*Y4y}WZRe7SSQh29Lj`AZ-Zj49#F1Byf)}_c8kG+_cG-~GzI!vG
zZyj-ez4CD6UQ^FlwMs{wz-!g-Fuop~b;O1MSMehvJP2@zM&RS3mM%fD9Hr(N0wlrV
z8m+jxx^(6?Tbe|WiGgw5fTZ?Czsk?4!%UC<Q{2`@d+&rZLm@Nd#BP(1S2`Jp5g@f)
z<G5GI4${Pt&`I>I!H{?*2YGVo-Wi^7dJ&=L_Ga9sV4rEI5-MAL=76KGuL~XmrjXk-
z&JOol5+<w5;&628dhA|XwBK%s8w|b1&YrFgoz7_U+0#{m4ak7%d36lKB0FJY?5!B4
zkuiwaPQoPGQpD7fV<cx@1fdy4#3ZyHJm}9VsvzD~N#%=e<z2f9ww`W7kR2W?-j|p5
z?k(Oo)|S=k>HS6QubT8V;Q3hV`(@ob$8dTFy_?=iDaq+OCD${8fSLe33dG^e(weLq
zoLjnMAcrHynsAH}W>?wanSrl89Zi9n)IW=Tj`x$iGKlxL!-uG4{<0%KKkvzHUa&-Z
zB5RHGD{r`RY{;ka4UJw&2=U;70}t}UhG2R#;!3^-n9jbEKAW@Z0bwN$nb1)bJ*Q7C
z?-Yt9HPtycvh#P3r!5+LZlGw_*iyqg7gILLmZGtIYVY1p(NF!eA3E){5Ai)f^Gsq)
zCe@bKG09$P4LH-9lB$-<cxXZ5g_;ZDZX5z6z(JYDM@MBcX**+d5Z1)Na8mJ+wOw@9
zbi$|Ui%gz*{&Xs&2_)Ff_unyDDox&X_e`}q!{M%FRgA~E7Vl)I+{Spc*dgsQOG=6^
zg*hdal$8tZv8o-4Ys!k#BGnq$gu~q3-RTOq>krpz5N0(HYs;fon}?WISJZ_)HdgzH
zJ=^QdIzCcAS{mmtvH?at92bb+d}Xp6WuUMjtloD2EkC~RD7!iEn_}?S<VcP=+R<NF
zeGsx4`Cd_M89B-UU=60Pxx0~n@P^_TO#0r;sMT*w`I4FPFuVC!V1B@#5A=lXaf>?@
zP7DVr-8+_pUhyUNO@1<yrS$|W=rOF51czl|-6t1y9za?xIn=R|zBto4vt{PpGdJDD
z=5D-^kG06U(cin#pYRjIf{U@@_N#F#>!uso>IYOmQ+<rx%5_pA2e7!0cqV<N>Q&2D
zgoFNq;esRDZlk%Q+uUaF3j8eDpQ?>S3w<5!x>UQ7=FkRyyPxAgxFJjOc{HgH@ze+#
z;TY!w6C#ucl=8=iHabRVpZMgUA)*Yuf`KF6dJRhO{6k!0Nun@V=er^ao9VLJu->Rw
z>y2$gBbS(MiKwBwSKZm&_1ARBkq@!H58ESl{Qu$lPeVCJD4nnv{dq^C$B1;)YRFL6
zv3~Wt@W~II9c9xd4pjrPM6)B&z>ZBK;si-@Ap+(CA)~xX<S0ooPB9{$v8qGeu*e8~
z-bo~?%QEMN{+?7N9ls=gb^YAGBU<sXL;gGI*lFeex5xgm(0S=I{{Gl~SI6tlzc+SN
z(8ifj!g)&(;Uv3qNfl5>C0m(LldMSGANRAxm27Y%BXS!Yhjf3nnK*`X_B?c?3Qvr?
zqGdlxtWqum9VD@)Gusg7;*aFi9}cs_?sR`I5F|6erPW<qV`C|2Azz3O0&G}y*=~vR
zEU=c+%7G*NL;+ou2Wt41EY@Ift!G+OH9-8EP#OSHNOBYk0b-6$st_RV2nqqPM<p=V
zYc&GfVxvii)#9sv77Br~RaOX$(YS-E7hwy27F#L3cHDA-T|RC<C@?9ZXrGaqxC`H@
zC_AMycgTUi4*X3?$4Z|G!J7irC|k$kS;<AK$>lxZ8ADm0f+LlY>}i?XE5_Bj!qSK}
zY_rBmx$&aKlrk6!(eAX_xpO{(NkzT&PuJ$ZZnOTQ$v9jr4r492Jfpe-a*?oYkxZ)C
zw#s85&Ck};V$HaJp7b<iO$RWDbZue>m@z?aMdKPZA^*i%J}a&SR@tS19aek_o>xBb
zaU`Sx)fc35`8bFpmThx5I1=xb2C`WiYeE_VPM?Lpt@YEToD>OEi5yBK<i3Uwi}-T)
zJulxUsS@k~c-uX|i6eQ+k}t6Ec%`gF<V#QJ)T+f<8$0#k-b}~}okFj24J4BR{ICbi
zft<&i3!2TroY#{Jn6ueXB%6(dFb&Mjr8*D1PX^du;T}Moo;TAb9Rs4lQI(%dlnRN0
z7=Rz5(pf*Q4$kw+)y{N!haResP%u{I@k69pGN7K6SDH<an=BU7czQZt^9(tr(-S7E
z)ijZwb_{vObC)_(ev8GQayrv=O`n&Ua14b)!;Z<!Y{X)o%}hFmL!lwZL}tcfi8?Id
zg4bIJTa+uuoz)|V+4vPC%)`p*D(irZBz5s=HKRQr!-l5#mQL_|6dg}O7?XVfh|w3B
z{2`3tGiA%890F8(nq0QTeUIY=5zj)T!(D0IMe)TM;b#Jlp&=V&HC%B-DfODdfrj!;
z+J2bd<B$3`We2K>u?=I1&66YfsXm1EB(nXyVR`<Nv$QGCpgT5@i&tX7bgeM8yW^a*
zv`J5)&s$E1v!Ot4rhoplj&m@s3IOp1=_V}FUIhkn%t{jmO}9Lem!CYLi9m>IV2XH3
z)L3LCg7|>h1u#1jC8*X6+#R6_gYp*+dZZIOK@F?u#W1^ot-n;&sL!54;>W(ibh3ZZ
zm4`cB|Ddt`14ksa-^+T7?)`&?K0{gKAN41v^RARX=kQLH{loqNL!YrS>(js`hSnFF
zTExyCf>!-PWo~kQ#*@vBtOdyThMAF!NbZKDX)u7N6M_L{r?8-v=0p`7=q_4wimIj@
z)x=Ww@wrlB6#T4VO(>9ze!ls^4}S1%AKI~G^z>*<9^=x=J#YWehd%WF{6vn8e=IN+
z3QYw*R(~=#k$?Z%IoMR2l{v_PA19xKnrIKVBWmSwlLSu34vmvS{%M?K3nSb0x-pu*
z`N3O0+A_M2z57Fq<=Ljj&_0!~uX5PJckP$Jn~LgkWn6MbnUjx;DoPV<>6p`E6vP*i
zet;6nP;Lc$Lkr;y{UwMi-I>Id#-GBK@C{!6ASIO3g-|J4u8c4+=St=Ru0#Nz9?)5B
zZYGdQW>r}&vuPyJK0eIY@OXQ&wp_?8xeB(Te{xHAy<TVR`_FZ68jDn2g}_QzV0`az
zO4Dv`Z|iAGYlrtu1T%r0D{$t{0tAc>OM8C%fp93DE)XpoUHuXJqVzUkP6QbvMI{wt
z$wih{k!yrB*ks2c-jI$>S_#S+MKcVOfOC>m@qF7;9(hvf>22>A8?26Bok0e8U;jd~
zoE~??tr?fUYz=$nW2}E_S2x?-y{mrSL2YDY1*Z6si0*>(q@cZQwoCQ<r9N}n6;z*x
zJz-w`0Q-jYUTE737;P`L@X>PXCI3Vgl@7kcX(jv^CkbL?Gk1{AR7hg9k&&~tp}U}r
z5kPO`Zr$sMb{QRgxkQ_D=S;7zbJG@k(qQg{n!<1ER_hO4@6y_%Lua(<$2vA|`uAbY
zz}W{o^)+p~J)G;U)qb5_>_-_4HQ;)L{SdUd9r9FF^#KLP<m@F)9P?8s5O|gb!46Ra
z>cce}BGeFRX=tXAlWBZE-O*3^qaIa-fMvjM;3H*{15`l2yYa^mr}&1(r>y)5iOB&O
z22WtM-C;puA*`hZY5%Jbl|=G9$gL%Pe-Y*isCh-4HsbVXS&fX1wRP)9dVOPUhEKbC
z`%C?=>2iCzqdh}Y7oOG??b3E>tvy{)gEP^CF#ZvL$&vSOE_F%sjMdxB8mUW?>Mu^8
zA7Wp2U3>fwXQ?|cKODX7q8mP9KmRPIIroarkTvTx)^(bYFP$i;&!l~;(EGCLQU#`R
z`m83zn)Lp0;E7YFBQfw+v=8aj(%~lstkB~c!<AGvbdBO_z>gEKqq9%!+7jQjbOw<A
zh)#f09RzmTxcsE!XTgOteodQpWwc$ZUvnO4wGZ6Yp*iw4<wVe?wMLIIt+j+LEr)_7
zWG?vJ1)Y2<kUxzIHQNsX!}P$C1SrbA3LH#?2Jn4qU`{g*oN$2nM3VYUvQ3Xz8<87F
z!i;Gz(_SGeX5)$#zswtS;XaD(7SxR(M-<qKD{%>=7tP=r#}8@P$womCCP)&kpi{;}
zG{RAeSxT^;l9N0CftnZGrE;!7PO#BE$k}M4-*4{9RsUVnnf{MO{9D<*b7CI<R#r~C
zS<^4gzkZW#P%6Pi%<<tDUWjT(BHH8lmmEpG@WKl$VF<eH(P3gG0VOD7*iQj38*C~8
z<ob}e%qh+w!H2pz1<_*eA_I5;R!BP+=L5hahM5KMH<2$>gKs28kkT=LE3ZX}(+P=l
zkywn-!JvjqkjX~k99KSsmN#s8ZF+GitQ{MJ%gx4A^5M3{Nxy$`qyAxbcS(D%IabRI
zq$g6gKT0zf4HxSFJ<Me{4X+)39P=Sep!L5)nbEq{Z*{`%!TKwfd0IK*3`lim;xnQ(
z^P`2T8;KTL)fn!h^Q;|zu>))T{9amnT6e+|T5s~bp>-zi!h<`*xRY!|SaE#`iZ%<p
z%t8)i8?QjsVSz;Gz;E~!gw*t3jQ{m#>XgQ)xm45HQ8oT0J~t8D<f(<`Lld64$nZpT
zccL1PX}XP-4tAxh?}PQ&jpv{LMV5<d5Y7IBmtJDw`VUg|Z?jze+hh0(tvPuk|5UmI
zE0)6k;JQSzNTg|hq=`(@cIe>%Nn_YqNUthPfhOICE4eQaqeS0{QBvXRktN))qPbB_
z-oz^r7Ngpga9@zcL=pk)dI(0(&u{O`4nZ>S)f_o8yR<Z<Q`-k^uAH+s?zTnTJ*CUp
zd6%4VT4FNS>$EQi3sX~RZGAcA@DBI7@3dRY{#5VS%ts0ZitLwh*$XIVpj~^tvi7Io
z3Tb5&T1Jy2-i7d$Fj(31MDd7AN#IJH7M=6Nxe#|qe0~vET66kL!14eH#C^&882W##
zCv;bCM!7o;tbyweVwov*tRA{{!g*l*#>;GTH5g;YX04ZRN`AyNQ@V|@haYC_pZpj4
zKgM1g)(%HBuc=NX+Irgc-MYl|1hzme=y^+fPusAr`$mMZ0Sw3$euRAu=W9ZBu>u7-
z7`sXTnzE1J=*g3cID48eMP@^m0aYUjhB!EqbC5-xV|ftSo5J#61#P3bCopeqYdsuU
zw&80{j2dyxsF{PhGV0vYfX`c9DvTs&T?I!en5d=f+c$X%hI1bD%q1>4TUT7Ua(?!T
zl}g(=XKB*DY+oQUedfsP-)=X4WTyUmZ&-V_m?!1F_#XJw;U=HzB|P@F(D~N$j#Trs
z(~0LHT1`kye5$uWt!U@c-lo40)uua%f)l0A;!1pK1#>4p6{;M{UtGl!$`{!zikJe$
zuYxZ*ajjfqsqm}D?dNs0ElnqTqSi-eKIQc1l97@t<yjbrjAfiA!-2P2)3)d9zcN~?
zmE?>k5;(nU`^Mg+C8dR8Ijyzj{o%aNmGx)r@qv)1U@e&aro1KXj+J74{ecX@hIm)v
zv3|jM*G85pnLBD?LGu(;vVjt31cM3Zk^Y}K+aojM6Vulhwha1xgIkK_<XmsToN{~e
z_Pl34%O)<nxm)V!x$*eV&(aoFuG%pBs+DrvnfujgU(V@MAOD>;<Vi<!I$CT78!F{)
zCwZ@t=~T`})trr7#DepBlywndW|#+=o+w<2e7K03(~1*CCR$HBn|3ng9}{@)0_-Sj
z50n}>p~M1bv1>uCu#Ne7#q_AgF+VrIto`}SU7cGe=h*At?uqKBC$-xqo;dxXm!^hB
z(%LM7WsQ|kVR5Ii{?bbdzWyG0wGLq~ou%x{Q&1;5g)|&riRKVZqR~=z#ZLJ%?N$04
z(Iwi0BmokJBIgzb&6uFiuh37)R<-H*&lrr7#OITn%BxPpzm<FNFEBF@W|~=j<@9U2
zm?>Y$&*#g9FTH<9Wyk!E^3Go|dtx-!W;2-my|vTF$bB8_5x}pnV=j)S{JoCGwC=q%
zbD<T%c==o~UXcrq_{=u6(roCjG#i>79XB*PJ2<5hpAXH6`-wK@_08+>@8j&~(Kq4W
z=cX&u^Z5Dd`1n0Dm6`dO%JeTVW?tWukGTz)LE3(<1d=UQO)P4TTI~NW8V7zjcSmC&
z>P}9ogcINV_$)j3=&FhxW#3P0^7W{+3C9uMMd#6dfR78DNCRU}x!N{a8}SBgJIdrq
z$18CWwDM$epfQmCiB2iH@_N7cOlKIhP*`yuBuV_E9HnBAaN2+b*&4Aa{Fr%7ZtHL$
zIJ`BR_{vxO^P4x%`#+r0j;1wi*qWNo<!3YY(fo(m)YRn60AK6X-K&38{U6AcYRC&R
z)LMZ=akP3?V)wBN2I{wVN%tS$h3Am>PJRwCK}f{5{yW9Es_i7N@;LGiT%TZ<<59#<
zvuEhl#K*7xQF9}IH+lZVxNp~@>UL!u@-b#=@b&U?HXB+;$``zqO7Mm<of&13Vi-(6
zx4H>EXO=U%l>SDfvZtaqaZXf%Sb!k_KaT4-u321XfgBFNp*0mntBXB+zJyBv1fbS-
zag@mF=@!@ZFLQX#pAhrResf~OohLN#6<{6fVx#L%uWKr;YoQpoapX+<HD8yh)n6dK
zi`Hc?Uzb_-K3W#}o)=HJ2N7&oyJ<#JHr<1@lV0NY%wRW&ey-*B%(A2MJ@l?Wp3u)Y
zzh{O$EZ>s=o@n?z(<)>U;^VnOzUK?_J=D)%PukDints|&+Rq$Q`XQVY_cX_RDSub<
z9^_6}2Y5dsW{==Q5i5G#9Q$F*cz$=ncoz6Q^Xy~tJ@hWd?}1WNo|kynJUiCX&&lVt
zp)oI-`=3twu7$=u^e!#G=frs}teLyG=fv?e??DbM)D@vUyJ7X$@|Z{YycXCeTgFWE
zBBpENkC^+Sm={jA8um58kUZ#YI88FD3zR+m_qT8}zx6Q)G8Cv!N;yh3NrjGyY*V5q
zO7TnklN{T~VTja`f>82Z3NjAP4dq*u4^V-fbbsC>_Mu1+aEM?2cG4|pSJDU6|Ezpk
zpP@kP3mKm$PgwUEu@;z8P<4=fQ%ZyD_CS|ME-WBSm>QjkdQ6B;M5+YC`D!j@g>3)!
z$RiVvJaX{qv8VAr^#Q)+o9ukRc)d+32>ViM45mZeS5zHBzBL=(MLA(KXd|l`j5#pp
zz>)(S&gtnp?@ZtM9{T;BLzxe}Kl6bPWZwUQ%w4qLYK-*&##+KBqR|12w*yNdG^KWY
zBCiRm6-jCb;Xe^Th1e#rTL~t{^)C*;-{J829P*XM`Bkse;q^M4UUpFVgw6oVCy=?V
z#I8pMomZ<~&tN}BTTt~m%==j>s(TLHi4MPS#mxlM!x$%>vo_3=9NbCkqo*t9_%f^#
zu^E}o$JjUP%j|*g-f+Wr58pp||J+hhQ$*^I^?mSX(FehdoE&I9YOIoD6|F5ukFy63
zi>K%A$65mxL3AR<&<);TEe`_5RVnt`914o<*u-$Y^X4~yhlX{>9Se8NZAfd<8~&3P
z@D=yj92#*hLF$e@z&jMZ&E2t3{{}~iMxTU#Mr6*E$JtbyygW)0ll>SFj@t!E=#!C?
z<b8ple_;<?^U1N#d}i#E*U;OTYJ|CAt9w7zr2&!Vxvs>3_c4^`<=#mnw{N(8exjf$
zPT;xg>W3b@{`v>ywV42Hmq7?fTTgpN=)b9MfFKNJ>>A>y47d^>Mf@gl(}Ii67od-+
zlpxIopw0#3M3S3+bmMt9@BJC;*f_#J)c?G3;+nDB$FAYO_<O?;*}u--1ztD>yy^n!
zAt{r1Sduk(j)NACmt;&zH^E@(fTO(#@$e#c0a=C(jBWAe5>cByYRdLa`ddCT=JLBd
z{y;v-ufcqR<9b+i8{S<9u0PLl{rLv2gMMJ|!+W!Ze&h?N9*pWu>}~aTvj;#aVDM3c
ze7;Ni8C&Jt)dVsw9s@TdVP>>zQSkyEUJ7|7hUgfvKv*lvn54nq+ky9#%0T#TJPsH*
z`F?s_RYTtt$Aq`Sx&TEVmCh0dLQ?&WLET5rG6pGvxhr0x+GeInFO!DG_hmHQ!BiRk
zw+Ux&Y9!<>B?AT&*veP^ky^&(%GT-!lant0WHeE(viJ7J`wS!fsg053;=3jWjbWb+
z(H{Z$={haGh}oG6T3xyEXll05x2->#D(8~P0gcHUvzKbs@&LIVfPQRS-6T2K&yd~r
zLNrLKIP?rZ$5}-=MH>0;<Q!@zV>CrlwFHL{!evx_fC2b*Yzv`PAsH>iH;9t+k8Cad
zWl_zxnQ@I5yqDqPm3|nWETXd2mQrG~hgrjA|9C#?-<&(+RngfqOB1_|ftkR<yxAA;
z>MP7;3d_TRXrRs1UfVU`Dwh1ABX{h0>)F-mi_S_0cTJM{A8S}%J(HExHW*OW=HjBi
zQEn`<3JIeSjqF6ru2{OW{XHF>j+C>zr@PbFpEA019ePt|!r5)??)3J*Uq7bVwp2ZI
z-8BRGmC=w!8k3~$oBHv+TEKU_C$W0BR8W^eWe88(WW0lZMUC_;7LvGeNJA^idT*Vx
zTz{puO`}ok)DMk(Z$CTg&kWZ;+~e=T|I&*uUCh_civ`OfcY;m=y~SEW9U{FJc@uQf
z4y*)x`c`jbe}Y`r4J?+an(V6z39#u9M<hX*hya9&MGfK=uvygjW&h1j*rWANJo`g-
z^=m3f=`veEMdxqVzsU{LOtpLUMri~3*RP{x=wEOpB$`t_#DHlxdtrP1(bq_SKHecc
zaD16?%?4aM0zV$VDyiC_j8M)tE4(V#R;d!_7`d4W`#fptpakF;N110yT;bX(_+b!c
zRZYS`&y6sRoB?VZx8Z{vv5wkaZ8s9gI8s)7tlu}daPYKp#FsJ$T$8UGo(%N%#k+QF
zhyAo{^!700(6)+mY4N}(Hiu@1`rw@&m+a4tTsK=vOkyrs@QS~eZoyoN$h^JwtUKAh
zp|K0qGpUs+Dh{hDXM!M2T#|H*EhNOl0zqsAI~+%edLmac3lv9LnX0LRuo@7uZDsFV
zc+-Ju^}w4JHoWP;!11RvT6N;GiRr77<>Hb0H`t@Pj^rg{6PG5{+OEpp*UiqpZf}LI
zZJI}Q?b=)g@mBL}kM7Z~j&!k-(RS)S&EtLHfwTHMX-d+A4iesyg_SC|V|=Uv%_p$M
z!BX|#GE?#y_D}T<&lp*|hP7vpO%orKT>ZH;AsO*(P=U&t?6#OVCA1~i1axT9$H3v}
zV<u)fmZfewa>shvKRuIVJ@pro&(t??ypCZ!n;YXnmQ%o=j|Zt_D}h**!C^M_Onrep
z@=S{L7-=Ng`d^4|c}3$vB6MXuFmECxrRrd;RR0V0ldJ!^mrwMO`oc5G`fquknbps$
zw?Y3%zFXvWEO<&n{ERv>qK>@u?`T4M@9Kl<bEV_*eRS#&@2PE<P`Gh7R0<#7Lci*J
z(2g804<j?%UvbjJpz~et6-DK3)?x@9F0m6_kE$&gM1N;buH1IT<m45%t*qQi*IQR+
zu03OD=!|P;X0ADNXz0vqX3G2KlF7M!<<jZ12#-H~aqyx$&phy+i-w0Ude4C~@4RSm
zAiwX;J9gZ#uTa=`!;T$q-j_ckI&<d8@R>7FT!%-`oQcp}DF>8*i54qQqi@>f$+Ls}
z35YbHR;oS{Fa<J`(oY7Ck4qmtzGFoC^}un@WLhH0k*P}PXCq)nb}sTqlVMu{n%GM0
zW(~V(L{e8@dPc(En)kLfFja8j4t{?mfT!q@<MYza`g8JwL((;PPiFNiSeu{VJ;X1I
zH59xqSpsORcp=O1clE1#>sM*&uNL!Eo}*0M>z@=Jdcx0&IB4++E|vU~(r>k0?s`zV
z_V~3*|7Wl?OK})H2pIfAh5@~m@CL&Pv5I;lAByw~>7{4XRe}$}LAhVRf#68l{gr35
z0j50m=<$!RwDR!K@i)=9fTv#pJ}a=G7Lpx^#}wNXQY3ahZsD)|$xA=yK*ghYck@{R
zj}xCJc!+*T8c{wG*V@{*zFp~l@c6aTwUY9VGwRRPpXKjaK%Kqkqz?cl?akAzssAFk
z6@g|T#m&>Lfp80>(o*I4bCT`&FFT~GO2=;*O-abCA*s->I->3aH|=fq+gg}_ggoIm
zMs8w)_m2pVH-3Hto5}Q}#j9`vIdpoHp6%<KO$|gwts4LNll7Qno4zz$zipJg<f_8m
zEmk?W>BjNs(4pET-#_E{*CgBipIr9_j43qgE=DuQ-$xn;Kxg$=(n0Acah{IG+tlEq
z)%x4K8}b9mDTk(S>A)q!{lk}?xy@}|e#cC-_U5VG58ZoYs93%Ep2yCi^<gT{>VLE6
zrAH7!LU>MiNNWpk0`3g}d?Z;_7&T2LuUdrh&|yl-bjp}=U1G$M912+j`l6=I=(GgW
zt`1vgs7*UDf^@{rXw;DmSoB({x5H?(bUU*-lo6S6bUPD$`DIJ}{6sBjBRCJN{u%n|
z_hbExurkT#r5xdLvhz|fD8hOH>m2F)DJc@S9CJy@@gMizyLj)tG0oV-#F(ZwG10+R
z*h>9q{pif~H@)SC8{TpgpZ_)#IDAZc2-w_8t1VTBk!`bYH3r#JFR;Du#;wE~v(K>$
zaBo!4WnTOytq)U;qmTO<ebBz3{b<qWSoOaCpm8gEioJU;mQ3!0-Y4m(5A-<*ZQwBp
z6{j@U^6xeF3FOc{#&hV>-@Q^ubsP4&UVlKfT^-~17}0hkZ(C4pmD{dG(uX;9H}3N>
z1Ss(P{uOQS=WW48+m+G)@>l;9_eEOT#?baZXd4!7n1LO-g43k$op6SsIEmh^o7G9S
z&wpOLLnrM<+{qC<n^4^>zqcxls_J;JP9MA!b6EXPe7}!>_tAHiz5Zv_X{%U4{jNd!
zex@{mdeh%VAF;-m-Y6}yyQ#jHzSL;D3Gcc^ysOdnDruN~O!_|V%QV{VmXhp^(r?jL
zZM1y?^Zpm<MYIhz+P)_(uo>XKUSDXmJ+kU$<e{wBuP`7chvU~*i|i`iwnN+pIhXi5
zH~T%X#sPUIhckH&(&K)}p;yD}_U)>t6&zk74f~R+y`iNap@tEma!&&D!=S{+;B|$3
z)%+9EzTvghb`w7R1OH^kr!IVYRP_(w1<B@q6RuRV%M0b+2nY{&PN@8r@M)fZ3gho9
z_<Iu9J-Fs^J%H;0+~1GS=i)PQnit_p7TzmxB@5wea3xK_A=0n4=&4$L$6MQ5<BMB$
zS^qEXt^K#W_acMUYUr_AGW=?@cFNyJ>1woDd*tgL(JsFCSgriK(PlA;zgxx(Hk-j{
zHFp@TR-?ggO^NSkAn?{|HJdCKTTN#CGg&XO($#FX*1rpXZM0Y{>>7*7Vm9Mf{agz*
zn9LUTX?lvDuAkSq?+`jcm3Nc1{_OgG#gpKS*y`oj8w1!I>+MV3gfSA>ehRTMyl?1j
z(&!!4`{<e1N^t8_6PBK6lj2g6@{H;B+}owcURAx8p1Buw5(8@T-|wb+dAuez-Ka+A
z&Z+G&Df<QEGq~@|7|%OSJsx_*kbK*aG@7`N;xJdgg7Lih)Z?LNOp&+eq{oui@@Ia8
z@$Bd0q1;`R2Zu~)IKcFQ)b=@P@EPM5unXAgIfy^Fljs#>LitpXBdj=l7?ewTpsR+v
zDM1k7%$XYQM0)s?-Fd~fD?(Rku99}W^{xKPVP0da7fHudx2R`N(jSN2sr$R-{2k|q
zFVS2gJ$L!#u6_Hczh!9xwPU{x-7jUj<Tf>#>)_+Fkn#&#inbbev%%GXHZtf^2!l|9
zab=KDf~n{GqJEFbVVA0`+Zl1uH?v*-CQU&9l@6&r#juTk(s&ACqEc*iv-AbkC)FEZ
ztUGZWd|s45@5FIXfRU0sXpJ(Cba9LBc)(+}xYPsc{tW*dZ^K9F3-&&H(61Ss#C1|L
zG(qovy|i0(J?OHCRiQXsj#<zfT#x9F-AL2UR$nLmNOgl6+Od=4EMI&)a0Ba-e#G;-
z<J^$@#aYSqeM%qrp5${rTN+lq7qs7|qFl%8VBd-PQEIFnz}f^@BM1S29+QYkiVsCB
zQb~>6NKOFRs4hvC=%6(0O7*+jED^8S?2TC3+{l+g^E*o#QN2%k?iIfWd=h_8$)HXS
zMa^uQwWF3qZ@|{hrX^E!NE&gasvcX+Z8EuIHcyq_Lhrdm`kd;BdVzfEPM8m0LvrTe
znNpkc;j%xb6Do(T>Y^@}O67D#H56ph=WL;zt1VP0gxaXM5%2$e^naUr20Y^_`zJR=
z4zCjF7631r#{g{p^DLaSc`WU0Ug`-ANT0Ju^1Y#w!QnIa=H=XYpal!6ew?Yoo<a%(
z;)P5tCkeN1_<Yg=j2SR=I7!dJR=*^DMK!3d;JK61G)kM%+KDp|aN<Y$O4A}D0e*|B
zBj6cCeP$tPkv5t(Ul%qZopV$puJxQMwT$e5-R-v9-0qLz$A-_+qQ_?QwEkeI$j5O|
z`l{-7b%wvEp-Gc>JzptWrC0jW^Z3j9`W~hF&iE{S74H@w<tvBJ6TrbO(qEy=KXL6E
zbdcUkNe$JUJExEv67l`*PXDrYX2If%OCxdQT}i=HHirOm2NI>R)hAHTdb9fAN&0Qj
z!&CIzK1o_v>G7!EYKf`yQX-0eq4t$lk4Q<?CE&r7xHJldCCNeuN$Nz5XmtoE4G)*-
zM_J(HKq@&fkc7At@VEm3w<jRh-~*uJXQ(gxzwSR-ttRQm>hoFcUaxelkVqB^$wVRS
zcDda2Bl^D!=gybFFOolXtEK@5nGfMij#6gFa4EZUNE)ymb>E90%=taiXI0-&U&NoG
zT<@GB$@MH7&?G9X1|m{CJ{@;8sLakiZQ%S@<41b-cK_RK_@Ob-**Au>4}7_Z?{86l
z%De$7K*20>g(szuqf@qoJ`?=Z3tb_N(Xr=$EBd-fdJ5;>rjzu=M<zk<cJjVb{KN~N
zFFkd+>$KBcm!q$rNMXn&e?38Fg6L&ry_#WWkiyRn-U)aN0)_`<81@l7_{ku)26^;I
z0E12po5S?%vxat_fA;VWY2aS>Q5$~HM-ebRSBB|H_Zqpj(Ox@Qhv%F>aN4W!BYpO5
z{@ZQ%5pX>l<9e_3ub}6YEs{n>$76HT@-4*AWW=b!aAT0p$N3N$ipK||t*3@Gz>kR5
zLxZo|CDN0i;~PN78(7dv9gHvkGSb~1-~>F>LeixtISp4RI)BGkp`OS}zk$w}u#@C<
z+EwZxIc8F14TT~?&n=arDYM5VskKIzLn_aN#;krr(7~)$J0&w^s}BOlrlmh&|5HD0
z(4KJFm1ppPwgS$|4&=l4Sr%rr%YLUcrs=k$@=aDMX;N03&<C%6TPmtb(yt-8i?NUm
zkYK1}?Z#Lz6tAgYt=1V`PE#=|75(lsvsfMWnGh14;H;PF8_xC$AJ?Z>^{7qsMc^yx
zn43CX2TBi<U3Gi$(o2gk&gbSahmYajjg5P`774NvGy+ul6HeG0FD(`?{p9>->E2I+
zzuk_rM%%PeH1l;lhTTM}1SGk`gLuW=(&*_qKAyj@hg7#nhh;c11>P}AK%<aa*0$27
z8}I0L#H;L~ME6XO%iuLfo!*QOS{l6jGxe8HGw><Qh%}&36`_^nyru@-q9e}$hmBW(
zDpf~DM@Qm;K)ha;D%orW+@jkZ#6#%ouGNg{0H1S1k1pewo@^~N587OU&H!lK6n)^y
zx#HY+a~E8o^r1%|cLByWj7Nc+vYll3;n4$l>dALpZ~>y!@Lqc6i&$y$&4A{G&p~-c
z_)*iI=CD^@i|6tGC+D$Tv<7#rZblyzt3qqr^o`JCu?{@>$y^Tj@RijPYL9(Df^4o*
zz4Qx?BbTgJRYz9uL|X}Mzv692RyC?iR-Zu|#EO@`&tY@-s#mpyF%q0ft0*G$NK7F1
zo@!Sq3M_s`>UOr(vf+?<qP+dbajnB@wWy<Qp<p^iaDGUtsrF0%E%$|^4Y)0Qq$%?j
z&*mkPp<&a}W{IJfExbRerbj)3ls2Jp*w7{V;^V@sDNibmOJs>X>9{DO3VVh|7EGlp
zo=}vJ&2F{p_D;3=eHh&Tet(}?Ey7<@jT4&ov6w4Xl5<F8VZ!`GZX9Q{ob4U*huvno
z*>1>wBb7{yTbxyo!_l4S?BQ$hnboxFV)R9xHI)2B&?nv(=O{&IoK|__)oz=sYs4S+
zn!7CR4ny|YbjlVD^tC$&(IqrHohIJre?V^(g5GGYU4?|bkZwp<|MSyN<2JzM%~=1}
zu6`U4R_s&cKZKc71VLE5HT(M?pK-=J-w8ZBXEmU@bM@=M9~i)2`U%IWvsYcJ_pUyM
zwhY>SB)3`7_9?WDqwNR0ZFx1QdH@&#y%pM?=WVZF-Kn~M^_^&g%<@uQ+^70y)dR?!
z&+n_hfsgSS(1OVZEl~CVS%DR6np&<{Qt2l`UL`sJdQh)(A`s#PfzQ>~GFM<3dZ)S4
zUZOq!+U%{_=ihPQz&mi3zIn9=_kIfS6BVeq2A@+PkPA>D<vCOt3BC6BpTG6i7e4f%
z_zF72dv>kbRrjwxh+RL&X$7pcxL<hVsz7Gw6eUa+ULT5Ivl@RPe_ir#rp#J&2gMY-
zkV{lAQbfVVO-GfU*9L7QTC?4s&$?o5Qd`WG&FA|Z4oBYMbhv)HH0$#FU9(HNk$5tS
z`1fRdM2zpKlv1t0cH9YzK1M^lQj@OB4RQ?xFg%=90<#2O35tSJpw#$ZO5sb8{~ss;
zKV<nH=MvYwDsncy$2nYn1e&x5>qvQyoAi+H8l-eWz;46NoQ_AvC3Bait)soe@=QLH
z?e=uSG9VQ+INj<)QWWvF-$XC8Uq~BGXDH+G6iTL@`Znh|&tH4(^XE7ZJb&@U&r8uH
z>9&(Y6*@9i>eVZxjjFe+H)4H-zc8%|C1nzx^u#0)vqb(r<QCY0E2$xfX>9dKYn6!f
zp>2i7<O~r<QFwx~MM$4>zAE@bmxY=wF6Bz^zX)>CE$T00?DYP!vJOq&hlolu3x~pR
z(O^h4<AZ4t$A~i)#7FQl=g9-e?5|vUP#%=@RbCL||6}hv;Oi)^y?1tJch%)0_a=8^
zuzYoOC0lj^R=e2P*v7K4G4<M#ZDCn5DlR|>y%S0Z2?R(e2`!WmS_r*E2p!^33>aJh
zVT`~6o3h{koSD75vLzQDdEd+TzI%Uj=IoR+XU?4Iv$Npq%$38I)%p)g9@RLP_gf3^
zz9;2jh2%klaOw|sk_W^QT6J{7@)$Lyw7iLKPVCyd_scL{ftx>lHtWgUUfsL*3Y(qF
zV<^g1mBsyFkM`_#PMencIxUN1@@Jj9Q(4puX}rKM1K$pph01%fEP^^g<9+odA`$?7
z=3qxbbjK-_&X^f7yuL6`m&g5@DeI8F%Z7dD7lCg>FZ^;)dO`P7WuP3?+JIVhrX?}b
z&(2h#7uD5}Y8<D_;K)g(`%Ll6q0*Os?vq*1;%#MBAV_~P>c!>O2=uzNQa=vmFp$n^
zLH+}gCcV){Lvnf}gWijw?=sN2IJ$t4-jAU-8R>0yyxdG@w)9ywI?hFlW?=;lYs%&3
z=n;K~4eSq1u||jR>>W$+xsiq0-Lrf3lG;ArFGb%D*X;qiZjD49eECt;p`|=}i)~jj
z9Es(%aB&`^Ihi2Rhx=7~nxE*kW5-_W<J`8Wx_zEbzr!^~s?R@!5x-s+h>Ss+r=VJ2
zl9zW$Qk9Zz++_4%bahrC<lx`HK<65{Nx@W>dO?S$#nc1QNk=MK3elHJk|)VSM|M_r
z3yzV;3_Pm*sN5aO%9=c7O8+B{c+VG%ZwK}5G0hj>2S|NTaC4Gc_oXXfcbsc?z#!Be
z^Z4xWTN7dB8n$q7m8=@P@Vp&s;DN{Vn>w}MF(>*G^KH^06YHlFj8Ckt;4vMtqs!^2
zm!XlUYK{Dns8qcIuc1>TTr;4mylTK=Sv@zu+MF=th$Dtf?zL(Ny@g<UKgT-EyVfeE
zNneT!ufp=m0u7V>IXbO<P&K1Zo}k;|1gL5sJ><yAM-Dkso-i;m)cjlD`Sbf$*ttid
z!!^BB@O);7=X9Q-?waS3Xt;cy6GM-SXrB8HT0V?<9s{0F(L8sk$vg5))rwYM(?fhy
zB0k@T4V>@u-DluD?CU65zijn_TzcWePDlJIQ4m>bedxB~KqP8=U9aHzSy_>ayC#Oa
z6A$Rpcd*WqJJjxm9WiqsbJ)<F{@rPjO_#}w*11T#M@PLdhG9r>$1>S1BaWZj=Jf7;
z2aiad_|x&atg?pM*<EtFnxnzRh@pyyl_<A!tfAmx5VyEH>lj#oSbK5a)w|-fU{7zn
z^@97LkPh-7Xs4Ff7t2|4@X($^2K39y&XW6vaENH$ydf1+M@DfzGpDB<QNT9jQ;+h$
z*t&&zE8i2H{jV|V%k4sQ*gn074CtHPt*bRAghPsR=k_hF96=pH@1FL^!Y<vq^yY8P
zm>%zOSd-9M_d)MPGbuHiquxn1CaR~R;-j03)o8B$W`{j;UhEj&@rYR2{YLcZgRi+^
zv6gl`ZWwUlsCRe)D`(_DT&O)VNAG%&9;y9^yO4GdydSUYb})iaT@H1ZG>oFxhG`T*
zyDeDPMBBwo_&XFMjxJoPwkgIs5nO5RjHPV~Yf{s&Wea#=Yj{DyaDS@;Y42^m)yQdw
zd{@Wj?bk`Zj~jL3Isc`6Q=TdB;e6AGiH<eXf{@<M8?n#Q!eU;_YoG4{%Z7c?dA?_&
zoQLy?`hNOUD1F|N%A1m<>PyWixzQDSbcc;v^iM8DX)cocUHwve^c%X5`_poK+b^YK
zk=#5?wIxw=)To>RIT;Ndh{x9n=p5d4NscPRXLS33p&c2ekJQjr{QWy+)E8H;v~GO|
z4^Nr6f0sT(?48Ay8)|8~_v@a%qw1L6a_k9SWDUW5Y#%;<mx|_yMtbztGrb8-Gtt4Y
z=`PC=z)5~|XVGBz?*sPqMxoD7$4$@h*wAj~SeZ9=Y@Qrzb{iVIQw|;Ow?Sh=xH+-=
zpb_0u`s}-JpOo$+26ex11T{uIdPrsKI$m!+f%fQj=6NjDGt88!KJ$R;$KZEp!O-qj
zo}GuEoo96)T5wmW`Dxb_J<)aGh#o2ZMvsQVj2PJULfsbGBe+e%#bc^}nSlOt7~0Q1
ztfQT^?WCi$vQ8sY-8ONTPp42rRb;`SqsxyTbc{3yjTzL%8sUr@J$jTg!s;?;j5(oq
zWo7UEr)2jX)HSUqzTB49bx>bgOESHcXv5Ee%&3n`zM~V&G<WXfs0}BEsI#R}DsKep
zF$ks>0YBpC!ADF!V(^jDEG@P3?9uz}HyT!{YNactj31HGYw+M+DI>-+AG}9xO+_0?
zJ$>-rI=um-+GpJ+WAr^F_pA|Hup|EH$c6cj@+LQp6KG%j8IGUa*$cO^q_jH{>NaTg
z$gLv7nmA%{<gY}C_9Vv|$KyOj7FO@5t={qLue@VK(=1Xfk^>#`;Xy}esecd-D7xdi
z4ei%8K2c8Tn^UmwL1ku%%<7rjbDz;z@*kPg)6T<e7wH{^^lC%tCGU6FWw29v)M0g{
zK~B5$&|a1V=`~K8I%3E4#$z&v^cu0pZ~@M`Wujg5>j>!;wS`nq=pq(sVurk=bdKI0
zAAlr>qfX=cD!nbjE3_TX<N6Jofa`RJ=l1S)N2va`tIJV$$e@7(%#mhxR(h6wV*9F$
z@Bg6B8jJ5V?4}H;0Vjru@njja+p(opsa0t?{ieu?@vi-bHjF-~)GQfc_skh73(V2`
zpfIvBs1R8HD9y%DnjMxyIL%}^v`-TS5lZuh0}dLwW12mwAUI9GEPCm(ps#OHvp)zX
z7pC*sG>X4N>Gxu0bnoR{&`AlDrF84f1K<hfi#tgF^1(I=B^!k^VBnx3bZ!!hmY-lf
za0L1(yq{<c6GgNZYYfCYCf|nKM+%w~81TP`XN`m}hoKoH!E8J!+yoUm8BRY7bkEed
z427}rZQnm>cLy!g290CS#P~+zDfo8T;Tp%6C`7Zy({VTODH_id7l|u0o@Mm4Mk^eN
zXISML$8C1jOpW6RvNd1hSRJ?M22A{fG*Yogj)fjc{os4nYK`ODLh>+;Lto`eja$Yv
zd4|UEep@n(Z8XW3wYy`CwktI58jslZ8c#7|&RC778oeDlpGN7X8&T&3jb~c9&aE2H
zGGeL!P&k<Forc9I3NM6_lh#M$rqMHPjK(eCWg3@8x3t5`>X)x>s9C(EDK{F)kL*V<
z$}pB&QdPg8I=6ClV^j6A#@s1&3+o$}*Eb}Zs;hEGEoo|6K4I+Gl`B`~B`8?l!un-n
z_t`IZWlhtP+*#F))eS2UEM8yNlsi4KtUC9#%KGMph1IX;DLc0^QP-F|v!Q-g_2TB*
zL_;($5{*nODKDKdQ3W7>c#qNk@S0ItacFfzV@-Wst_nS~l8{Jb;*$ENh4pnSa`W>d
zdE<*FE=w$}u5VhDS6j0nnpc=tR1k|4bx2gRQq!25$Zcv!R8=oaG%U@nU$m=?*VN@U
zEve3(Q&&S`sBD5X5WTKyY<)v+J$xE+7uGk|H8s>!H|BLNznO{V+T8NI+{p;qp(LAD
zFRz}x1e~!1E9)0EtxPmj=fa`3W?^+*BhqfJt3qnTOy!hmxigkm*QvnMRDk_*eQD+A
z<>%!xF&&r4BvvG9Y7+};t5u05a^oe3<R+RX<Z5;r7dF%^Z)(hItf|ebZ&*BbMtqtk
zvJ*#DHI2ycf@Ts33MWyQ`&vn5?v%>cb4yDqr&R8jJ9o<L$us86&YfE_YgWnh*;6Vi
zb7#!TEt@gDe9G)8Gp6Gyo?9~gu-vIrrkC%RTMZ3D#;R8>Z>Vl;%!OQQmMyQXsjkY)
zt*ox@Jj1z*5R}BxxV(B{&7zuxxwVP9#m$Mu)%)cxuWndY(@46*g#{rlt3lE6^Wypy
z)eUtub&GRXLq&6&8>>kLnsyR?UgwgjtW7j7LGF*QZm6$>CUJGDEvan+VJJv$B0v{c
zRyWivLf9$z#7;e$#nnawF3wwQEHRo4dd)3@t2ZMUeE4`Ygva1oVpJjC0;3vuC1N)s
zUNtre8}U5FsKdoT^`N+%VS@dt;4_NpH^F@ZI{vXZUQPczBax(*$1#_|Zy!!^CAexr
ztXyLj=r_VN7%KpYS{&5tnBVE3unexbxxK+nz0r(N3ytdBKA;_XMx087tYa=`B1}C~
zU5xOxaBo1q^N?%G{Y2!j90##y01H#_<Ez+Xc8ITH%|N^g<51?c5&RREB*%dEOwjaQ
zBAnV1glgiv*CBtokUoXZ!*I9=94rHOOF@sqEP`t-s4ifNg?K8$<S2&FMSH<%I8V8t
zM&*`(X@V4}G^i{|B1_>`k2HU1iPv!6sRT(==HQ9SQ<YyOFr^zR^*W?G7O6FGnko+A
zq)W|+Nxan{ZX@#iL-cPZQlpa2Makv?PS#XO=l4t}o1p2-!NF|gN69SEL6Ybq&{@fH
zqui<xR94VM@K4%HdP{jB2~*yD$yB1&OvCdGrce43P@dL~0@cYKb&IrxOm2v?_UZcE
zB%oah&?9|c07!fWb&ND14%r?8n@VN^?Do=WL|&*Amcy6If%Ll;HkI09l->-)pSA-h
zK~6f8Q5C3A3qq6^Kt8^PsG37HmTES=(od~RCF*r9>KHxaiQ9>}z-FUFXF$hh!*?!x
zXW?Ih*EMFtuY%*wfJ-h~ycuvU=NMBMC%VKrY58>HFxXS!OJPXb)!-`7#%f~~a^C>g
zM*OLEP&wA1zAT3%NI$DM|CPW<x_e*3xzHm;)sNfATCot+7r`t9RVu$aNW2;LVx&WS
zl4dr550a(d?gTZ9;t-dV7b;uTE|LFYq(*IO11M5`T@1I?aHCd~w3YPMZv}{>-D!T_
z57L=R&Ql}es#<b9b5xIVQ*BbvJJq6;YT>FlRxJqWYe%k&5ud`5<P_a0G?=Eha`5x+
zMkCt6&%F$e7Eb&P$J}5fx~+Zi#=^c3@)#8DSTwcyh)0cXAsXFrXrzl#RVLy^pr1lz
zDxgRQLKUYN2SJUd;iiS@P_CJ%RI|X$Y$)iVP|tZ#v-!Bs{s`kp<5uHY<7wkIV}ZaY
zb`4yMENtQ6KA04dD$+!{$Pk%=Zes2tx*8XWZlXJ02k!wj`%d&UJkd+^7JWot(a-oh
zviOYXZ#;(=#s`W)B3BF+L+~Q$Ffm+=5F^DXv5y!n_Qlt3_7h`7o*0W;)AL0XFV4n9
zq4A>eyzvjrtX>e~jO}8)C>9gMMDY{chrGWyKui)PqEwXO{Cfp13pmhNhZE#e#6e=J
zm?jQ37K!O%hL|Z1F<v!ZGF~=r$JZBTiAubsH%A;Q=8AdZFfm^oE{+gK8W$UPh@-^O
z;uw(-3&cWEC91_Du~;k-HR4#YRMd)P#)qO#)QjcfIME;)MU!Y2E5u5%%6P+g&3Ij`
z#+^dPixb3&;%DL{@pEyqI0aw8IZd1{&Jbscv&7lr96=v3K3`lQejzRt7a5<3i;cgD
zOT;h5rQ%okYS0GpYw;U#x$%+lsklP?R$Pf&n`+S6Ei-DxRpM%+PW(>%UR)!t71xRD
z#UI2U@$&YK;wEvkxCQU{{T_D?-6n1qcc7AdFaC@JKX;11h`R(XIK>T~XdE#AY!vs3
z`@~<x{o-%p0r8-CNIWba!8?bKiO0ngxE*PmcuG7io)OQA=fvN|^SJxu1$;$`n!Xj{
zC1a&{S-c`%6|afc#T(+E#y`ax@h|bFcuTx3-VtlXyW&0ZzE~$dFg_3;iuGcH*eEuM
zkBn8~WATY-5ub|9#__1cCm267P86SsE#h<0D!ve3imjqed?mgX+r)O`8spF68}Y69
zPJAysyksp*)3i)!+PG!HHB-z~GtF3UrsE3lOf$<k$ILdnm|e|oW_L5k?1B07Nyf=$
zPvaD`m)YCwWA-)snf=WHCO*4u=9+`eA?8qXm^s`Wfr<Pm>}riR_cix3#~3YUo^ii9
z){L0>X4EV&HkvWB&@3`OHa45%%<*QiIl-K0{>1z#F4;K1oP-+&N^wI$xmjVx%>&KJ
zxRv4{bE-MbJlLF$n*wH<hnTa>N^`b3$2`=WYtAzdGv}L!n@5;Onn#&Oo5z?5bAh?g
ztTL<3Mdo6>XIo<)Yc4fw&1GhtS#K^kk24$0MzhImHdmM{%~iN%<9PD~^F;G!=1Jzy
z@qY3t=Begs=IQ1c=9%VM=Go>s=DFs1=K1CY<}b_(aYM(&<|XDY%}dQ+nU|TrHh*JY
zZeC&j7B_WVWnOLm&iuW3jd`tkoq4_a2lJ2S4d#vJP3Fz!E#{xhTg}_d+s!-7KjRJ3
zznFKKcboT^_u}o*znb^sozVx(2hE4fhs{UKN6p8~$IU0qC(WnKr_E=~XU*r#znjmS
z|1e)LUo>AbUp8McUo~ID8`E!?|1{U&gF$baZ<%kK@0e@Ncg^?A_sw<Y2j++7dUJ!h
z(cFX=!av4I^iRwd+>N){{LI{fd(c|VFK~O^R<q6g3b)T~Gq;=H;KsY}%<oOlGAv=4
zmSsuH#*HPem13n@X;!+GVP#rbR<_l}>S}efx?4F`538ru%j#|QvHDv5tp3&jYoImA
z%C!btL#(0JFuZ#`!WwCfvi7k?Tl-r3S!1w%IM#|-`Bu~_uwquBRb-9BOG?Go1Z$%8
z6YHne{?-B3B&)<KwaTn=tHO#~2U?S@Db_*ORBM`bur=M9Va>D-v1VD7)@*Bzb*MGh
znr9tm&9@G>j<Aljj<Sxnj<FKf0&AgFWmQ{?ti{$6tHwIkT58o=%d9%9-db)QXEj)j
zR+H6it*};FtE|=5@zx2}iPq1oldPXxCtIgjr&_03r(0)OXIf`jXItl3=UV4k=UW$8
zzpyT}F0wARF0p=TU26Txy3G2u^&9JQ>k8|))|J*(*45VUtlwMLSl3$DS=U>Cu>NS>
zVBKilWZi7tV*Saw)w<2P-MYj2vvsHS7wazTZtEWFUh6*Vuh#w6->e6$2d#&!hpk7f
zN3F-K$E_!<C#|Qfr>$qKXRYU~zgy2+|FB-LUbJ4aUbbGbUbSAcUbo(`{%NhT{$;&s
zy=A>^y<@Gl-nHJd-nZ6SA6Oq+>#YseMr)Jxk@d0liPd6#YHhYYv$j~DTdmd?)|b{+
ztIhh#`r6uNZMVL$zO}xyzPE5BR|;uLOG;@=N4hdarph##E;D4N%)*`C_(q8ACcDcV
z*+ce}y<~6MNA{KdWPdq84wQprt{g0f$f0tW94<%5k#dyWM~=qs?tXHN#FmSUNL+y>
z3uH_d$|5;Vj+e!9f}ALSB7Z9JvbUThOJu1mljX8P#^r%>vYa9hl2he0d9a)=XULiI
z5IIX$%Gq*`JXFq=^W<T2zC2tWA&-<t$)n{lG9eepg|bRk%SCdrTq0}av2v-bmCIxu
zZX{nWkCP3uQ8vkDxk9d#tK@2VygWgkD1RnTl0TOx%Twg3@-%t6JVTx-&yr`$bL6@5
zJbAvnK>k8rC@+#1%S+@h<)!jh@-q2r`5Sq;yh8p~UMa7VSIghY-^**{wemW7z5Ijx
zqr5@hC~uNC%Uk51<gM~HdAqzr{#o8B|03^_cguU^y%Nj%I1iJ96~~^~h3JianZ7uI
z*I)is-Y@?qACM2qhvdWZ5&5WmOg=83kWb2|<kRvQ`K)|S{#`yV{~=$HFUptX%kmZZ
zs(ekpF5i&<lxyU_<eTy>`L=vVu9fe~_vHI>o%}$4h@C3>9{oV$7VJh}hnrlk#mP3?
zxW~BHxXZZPc*1znc*uCzxXHNL=pxq}cN%|@8{|g0Nq&U)qR%o)<;U_9tP5rs`x}#t
zqp&vG4R1~#V9+V+Q;o;4vU;{`k)O)V@-w+belA<(7xGKFRkq2m<kxbW+%CT{&XeEb
z{pj=Mck+9Q+cs^S_pya-+LkSC+jeZ%PO($%G&>#Nn#i=X>}<P>-PP`9ceiuw9(GT=
zm)+a$WB0ZD+5PPS_CR}(oof%ahuA~yVfJu)ggw$8W$$B;w)e&N7sg=!XRIBu^X;fz
zV8`r2yT~4AkGG5M3HC($C-zV6{p|znNp^`{YM0sNc7+|c540!SQ|yE6srEGcV0*ef
z!=7m$V$ZTG?b-Gm`%rtXJ<mSOo^Ky+A7LM9A7vkHA7dx%1@=O_%C5E-*^BKZc8z_k
zz0|I?m)Ui8y}jH%&Tg<9?Iyd~USY4aSJ|uW<Lwjd6YZbbC)q!@Pqt67Pqk08Pq)vo
z&$Q37&$iF8&$Z99&$lnIe_>x}Uu0iwUt<5#zSRDeeVP4h`#1LG_7(PT?JMo8?5pkH
z*}u21v9GnSv#+=RVE@s+!M@SH$-ddX#r~6ht9_e&yM2fKXZue3FZNyb-S$29z4m?f
zU+w$tzu6Di584me58IE}kJ^vfkK0e!Pufq}PutJf&)Uz~f485v|6#vizi7W?zihu^
zziPi`ziz)_|I=P$|I2>Ue#?H_e#c&GziYo|zi+RzKd?Wv*V`NHjrJz{Bl~0f6T8L!
z)ZT1=W^b`Sw_EKm>@V%DcANc`{k6T#-fn+me`|kde{Xw^;RwfcEJr%F<2bI9;-orh
zPP&ufWI9<+w$sJw>U49uJ2_4dr>E1)>FxA!`a1ob{>}hrpfkwHbp|^_oT1JzXSg%M
z8R?92_Hjl#`#SqMW1Ku^tP^qa@%7CDC*~A7Mb0>9yi<%*=M$ZuI6rmvcMfnSIVDc1
zQ|6RA6}TbcKxeWu#W~2C>P&MEcBVTsoSDuc&Mc?WneEJR4t3@_^PIz+`Oe|a5zdj$
zQO?oMF;2o+;4E~ioN8y0v)EbU)HugFOPyM0nN#P~JIkHpoCc@SX>yvK70ya$m9yG8
z-Z{ZJ(fOHklJj%tWakv;ROdA3bmt7`Oy?};Z08*3T<1LJeCGn^7tV#wMb5>}CC)FM
zOPyaimpQ+7e&by3T;crIxzf4Hx!SnO`JHjK^LytS=UV4F=X&Q4&L5o{oEx2+oSU6n
zoIg3YI=4BuJ9jvLcJ6fkf}5c3cJ6WRb?$Ti>fG=A&3V9i(0Ryt*m=Zx)OpN#+<C%z
z(s{~x+Ihx#)_KnPyYsyB59bBvMdu~wW#<*=Rp&M5b>|J|pUxWRU(TD(Th80gJI-3?
zUFSXLeP<o+Pk0b}EoT^)IUhJ58mBw!oej=LXOr`h^Re@Z)8c&UY<50#wm6?Vt<D$D
zm&OCmR;LXo=btjR8ebZ1&R5RY&NgSe^NsVZ^PTg(<GF?_Toa$ll&<YM*dzVS*kau0
zx|pI4G6ox$8ox4riK*a)m=NAzTyI?Brr?(4D~&(6scss+q;Z9t?q;}|ZWcbb*#-Bv
zbaT7AIc^WPCk~JIcKf(}-F|L=cYr(49pvU3e{~1DL)@Y6Fn72+!X1fo;$_AK#v0>&
zcOQ4OyRW++-YWPPZisl(c*}Ulc-MH_SZloJ=DB0th@0<5-2yk}7P>|5ICs2T>`rhe
zx<7G$>hA9z;7)Q&+)}s9Eq5#2xO<>G*`4AZ<W6;`xd*$`-5Kso_YilMTj|br=eUQu
zbKQCFVeWkQaQ6uJNcSlBX!jU5;Vy6&x>atqyU1PaE^%wzW8I~0t-H*vbL-vZ?s0B|
z+vqmA&F%_!rMt>q?H=!*;GXFI%st8dxqGsEihHVintQr?hI^)amV35)j(e_qo_oG~
zf%^;hLiZx~V)qjFm+qzRuiVSrU%S6?FL$qSf9qc9Ugcix{?7fqdyRXod!6x!@u*v}
zEU~bmzRoFG&``ai+HJ0@iR71+lbv5t647>4+c9kyX?wi3OSE04?Fwa=>iDHPeyNUM
zTI810FRrhvUP|F2`EiaH$*<sWk!Y+y#g7!Fmo2PmSlGO5QEm0Aw6d!Dro=+*T{Jo6
z3lm^khtjD=D&X8upJ;L_ly8O3S_Nk<ts)s+bEmm4)!dhAI;EQXGR=LN=DtjGUsmK+
z1l;FW<g+x8i&*-BA#M+BmmIdlqRxRKuA`B3%6lX>E>aNT{6_MN3(_YC6cm?Hoocj1
zPF|2`aHcfX)K*oyQ&iq449Y96!j|bAm6f<t0uGUMS^7ck>EfPtU4{iZcLgzLT4Et~
zV4P`5E)l9!PD4Hv`D7HGOo0|$ffiUy3oI6OrZXwUU3|PVJw!5AsHnws#$uY0*m!q_
z%2eizCCzn<6AjJFY7@<zb|k+%UuRJlQkhP(T&G#Cvr(?8mTRiz%xfe+ro$IT?HNnz
z8?@?_>l~D8s^vOVg{G<%5;eh@rGzspnUnmALQT6+r&Xw_6>4gQ6;36`O0V2e`h}cO
zB$}^9S)>yz(%C4kaAqe{isUP21lK7P=@g0-nf#(6XO7Z~Ia=rEu+H0a8n7#sIi~}8
zYLzSJ(tv!&slqBR)^@3qcZHT`MUgv4sgyk@kY9ynze4j>q4}!Na*Riuxr-YTE2^Ej
zN)U4cL8Q*Ds;S2QTuq~M7>7weEbvr`kN3%FCgNJq(5U%LFKvFiN|s+y?8}d1MDoXT
z%|P)pgV5)wo6r(Ugd04aP>I&E65RlmXk9H~=|BxwI<U2LO8kaWSHMyozf{LB)$vQm
zxruOvjB`9Rc)AqE>*9}$OJ5iWA#GtYcTQDO8}ch6I@L(rsaDR|cIHOBTD5f5$#_bR
zrJC(h&336KQ0liEe&y0^mua@k#<|r2+i2;ulEe$s7l+tf+%7pZHwDh(5WCTQ)zTGl
zOP9VRh^e@X>ePyL=|)TC5^Cvclt$O6yir)FsTNe3&QV#ZTcbEk)plN$3K=a=Kel~J
zD1BXw1v;Mvg&9j1H&j>GVVk$AW}#E7>Ub?PFKdx4MXNxobuzwAy+F&eK+7?v<rph)
z>X?*@9xrz4lJbBq>U<^}Ld{jIIK3{hydFE@^~;x3yY(vHne`o1UajSRKkc{wej{0~
z^QS6zeub*su$gagp!qE<u<L`$T&{CduC=3FhpN!I@|Crs)M*Iiu5g^wkj!0vMWL2W
zp{7=-sTIbZMvj%<xMQ&tazbd`bkri9U{Qh7l%$MCkaLA#nsSk*T%`Fd*4l};-J6x_
zH0x^7tQx~+ZVa0{kf&}fRHp$g(+#`o9`NipYg$t)kdkf;n*;e(X!a{Ke-)a)3e8_U
z-&v^|!<9-9D+58Ku1q$Dt5svTI`AYd%CAsOS$;)aGZEKn1MNDV>7^att{$Q>)M`-7
zF;MKxSR|^{7}Y@ww2&)RBwEO71>1L5Vu=>2_)*o*!CwhFs{6laA(vMqTCCJ7s#E~s
zRHGYJs(@z}BW%@cMg4MDonIuX${n`m!!Ph6%}0^uqlhaI!f8H=HQgdrY|$c}ZZQ`C
z!ukIGvrfNQ>zz`dNOYW*!#JIvahea@!%mG)be!e`A2d?WnvZch-Elhq<8=Dtw7kdZ
zbjRs*RcjxKj@Rjo*XfMc>5SLujMsF>Yr5k#-SL|4c%85Dn!f5TL09LiSm&qMFCU#w
zv8J!}BC2}5NVG)x=c@rP%5%K6=;%c@%+WOrYw_H~Sd%p+FOf2ZRh1A{z`R7}lt63A
znX6%5B7KUl-Fb;rJ#x)UWK2owE1bD`FN-TIzoKk>5-Xuds=E2%qGdi7gRhl9S_z+*
zgwIQ&9WOYlgK;x>NrZUOV*!fJO+;S8O;97@Q!lGf7<&BtBvz2b3X|BlBvzcnN|RW5
z5=-W<G)b>CNv||XuaxNN5d-p<<R^|0nW3&1j4#%VX9T^lN{#wq^5+)RXCR7XGfC7D
z)f<C&Edr^Ij}RT&q0Y~zQ=p}d;Yu=}1<8CCAfG9<jdXq~FCiC!oLy48d`Uu<RyQT=
z0~5=ZCAhj2K<z4)<1ko#otzIZs{-D$mjIJfFt4+xCYCQxU=FfuK~=&$xY?ZEY|g8}
zl%R%2Hs;J4Yu1u_yRv5SvV=7|(d^Dqq^y}sYOFGtnT<6nnUdl(PQR(XuD&rtr^pW}
zNRbh!lg2U#^A#dPC#GWR1o$CaKlmZjW-O~-tZ3N@&g=r@!(L38wX3RYn-Xrd&g${-
zu*ehV%8=C>%IZ?iYAt6~F<n|_)-{`}YS8O*eys*%wvjX2gv>VU%q~Yp7sBAtt|t~$
zY+Yds)aWQupvD2P3)7f8l_AX$Kcs*cMlfvhMM0RK!3@oZim8+5hiv`ehfHHW*sE)p
z0=wkw5SSf_=lpnt8#mah*Np2~cwCQB;}LG`;IDeqc!V1}Jac0QTMgOc5!JiKOEo<`
z){X0#Ra_4$;(Bfz*CWTco=U~_Xd<4k>E~<uQB5zZ`NN!=`NoKo?Wlf^`p-Ik)Q_+E
zi)#J~G`#{%PftDLdejxylj*n~Q^xg}GhU$S=}C56k2T|JjFKN$V>&E8X!<ctKdztS
z`dQ6@5Ki+O)BMIXeLZ!H>+xG$PwC=%G!xh3xwszB#Z~8>AJ<dBxE}q)RVSPuFY@`&
za*FG8Rp$(U|5@{)M{{vCrG>v=uG(L9hWT;T8N$|dRcDB2Kb+2wo;$|%uqj@q{fo6+
z)L<n)UaaX9Ykt&V0`8hlu`Wk7Sjdm7wW|DhiKe5cgz*whM^6poB|1GlMU0ndIwd+^
z5jB&E<NgiSCpGxUkE_84^qV_l*gPnJ&7C%E9(=%7vxs;^4FltPtu3ynpmD6RG2MKf
zPQIUxrmF@u`SE=HoUhZ#*XiWzbfP+b)Q_+I)gUN89@X)qI=)`7itAZjJgWJKYCf@g
z#(WiMx&=O6?LJP2)9X@kJy(kt=ydV*MHSztqr>Z&VO-CF;(7rnt`~;ldQKGAbD_9i
ztcvS7TU-s|Ab-EU=zQt5$hcmvitAZhTrZ5oD>Of95S<@agJICo`k)4ZaM$$I;2O_5
zKWcD|XPqB4xJJFw&w42;u4iF!wIl_9EpM8OP<yIZkm7ps6d$McPYpiduhUn9YCP-o
z)u0;BIz2V0hMwzZy_6BxOB8W6Xw8r7HQl&g(~YY^Eb5`=OATW2tmQLa(;Kh(#gYi~
zU8cjU!7A#V)(5@n8rQ3?alNt=*OQvK8pI;Jrmt5I;%XL%C1p)NuIcNw?6_XyiO01(
z;#v-B@QZrwhxgqz{SwW;UJ8n<=@<G~P6syY4Qy^lU~~HsDNyAWDHvCgny9O9s;;fB
zNn|FmyoHJ7BnS9&daw&^?j=(hl7FV()h2sSgwooj*Q(=sMJKLTbmDQ{+UU7wTrD_3
zD!NtEbNskoMvd!*&$wPmi0iq3T(5!0^;|Zt7xv<1yru&!C?^hSeFqv-5#SZ^0FQ^l
zl!fr}5RQR%l1_OD$AlnoXPl)KQ>_}l5X;&En@bZmmmX{-&6sM%@La?b4A^>5OV|QU
zOO;?ujTjJCm1HcxM8}~C2$d0Bl5tci$JD3+KB}~1`7C!lb1NT-sn!#==2Nwnc-DNX
z))LRGWw2SxU~8V#C<M=%CpGH8vra$CwH(hn{ise~jXEMR)yu%v>8oA^&pLh8tKeCu
zuX+_ck5f60V8E}Wq{eIT(VVF98J;yKkun{_pPI!YWxll3m<?eycWTTQiRp=cOi#39
zx(>wj#5Jbsd?Z$^ORqRtdcbt)ss0>cbZHeQOAD9|QxZ|Ul|=lK1m^o`%~Ab#B&Pc5
zNKEyou(iMHPw~t(FA`HV19rZmU8W~=<l@uT<MEi<l!(Oi`ch1<FU9osLQJ*wk(e4w
z!Pat8ZB!(t`byZk6jk4dXI+Y_Z^W}M#R4s_f~35F>HO-&pO_ktB91Q40xiFSr2K&S
zaY~gAs4*$xXl+wtQao#ISAA+ErutOaT6U@r#j~!Jst?7p*7lgzb~T2DyXHx++Q;<5
zRZNXp;jhzIn>u*b>Fb58m|l>I=>@HrUeLm~%~U@0f>ul~XvGS(wihO~T`z6L^ioz#
zFJ;B_QdX=`YkOf*+kt6msS$D{rkA;5dYKEitf|!Xa#Bn$BgORcOicA`&}7X`v7T&`
zi%(lGvBio@mDUyOMFxZ^^~02Cjr5l+pwmf>RJ|Kqbcw3bD70E@mg?>CtV=}A#-P(t
zt>sa_29-tq^i-b#?bbB(mQqajj4|Ca#`OAeOpREe<+_wr9~Ftk3wWOZTAtU~z_N_y
z=NCEjMpRzJRaRpv+so^km!)9;IFFI0mGz9IH7&tnKBK9N@FJGRYF6lQjWw%OxJK-B
z*D17`UbIpH@dB3$sMA`WqS9Qh6K(PnWrPwXL?=q9N>pK#D2Jm&Ih;zAQI#kM<U|?c
z#OnPt7@;%>(P<E>(oh(s!Qm(k4yV#!RHeZIISmfTX`n-ONp@sY3b0d^<bb8H;20tD
z6o#l%7)6{gMVkUKX$nOBV?@n$q7`Z`3%fLJQO)A!hUzLT4p9)i8Olvm6yqZGteOtE
zb5j6!?$Dyx7FYhNDZn#Nx8ToJKU$zVUfBM#qF10g-sm{hq{3EoDpbcCtxz2=Y;Fo*
zD}M6T)>bq>8gZI2DJm*aR;in4LgpK*?V7x%hNZG3uW_L)B~V77oInMEIDrEROeQde
zz(EA25|~EdU;@(#%pfq6z##-?5vU|Eo4_0bhZ2}eU><?P2+RjaEm7;7gsFwj#)VlW
zp_NYZP)nVS3o}amp(A3Z>60EzL@gRNE=(!m<xcog0pj2X1q6x(&q#nq12h((MFBcK
zKuJQH0*OeYBqN2E26RgUx}^c#Ql_iVhaj3=;zy=~BAO1J74cCV7fDi&P-Gk$sjjN2
ztxW(=ElWx%bd-cW)KX{T!pz`Y3AwAICBPKF7{w$}Vg&wl#)PnnWKmQk6RBul6zU`j
z0%uf&i$b4FVIqD}WCrI`;I4%g2(~m3Y-zw!sV^I>m<NJI+w4;)3j|xng4IV?k^wLd
zR$=J?3(&0485TUI9+>1WIM9-e5v7Du)v*@sh=L(TvbaG|hg*`ti>aWpLPuPJI02hc
z%BV|cU0|o`Ee67pG7fJtkVjJ8gKY+6$=_!{0f#mk{JdgfkrYuN<T4hrzuDl2#cl)G
z4xOOUQL%&O3lB@<fy@giGpXt{4P(BhQK2FdwI41WtI>22IYcMm1_Lmnqn6fvZVQ4E
zj|C+j<APA9ZZuVtCy`2>?x&tQ-4~SNBUYG9KNg5T7O)cI_%o7PJ|kHIGumtU44-hu
zjIfsL<2*>EOS=<2Ne0W&(`!vH3v?QDLEp7J$YFUP-|~Rl@_^fN#jP(bdj^q7;ln-w
zy`U162MJ=r=_gnbBp5U>Xbg1#?4br>3t8ssTu_ogA#<Tl2_+*H23!{Ur1C2;V)T<O
zB&w<Eun@4U(0L*D@QY9t9EWBU=ZBIsiUQV)h_lSacw-&s8Wz;z6?`q_Vopb$EYgm2
zxX4Fwz9<>ADB!Nh&ojbOPEzM2Rboz3CFZnO33VI^fivcWRYD(6Vj_OSlER0S;MAqv
zIVCu#?3Vk@J2v8dl?6I32v8iLRJSNvenmx~B^4}xeSQf6Quqi{5Hb*AvZN6|5I}`5
z0PMb#lvCBACdQHi2pw&LM@I5=6NOR-oES@n51n?R@P~!P#2FYLN;Sw!JkTXoztu@7
zqCMYNlg!{)6x@|Kiv3c?xd5W(R5UGtl`@+SFz8TpUMh)VXVotOZrgZpj)PQiO{DM+
z8!(qP`CzB;KA#@}TYZG;y*CO*8-B2nD2L{4KXRXfJtx>Hy!i(NttRdN0kaQoCODnp
zyc*!xbmP4-a-K;J4t4}#rSPU8J!4-GR@xl3TShL}9V81Ig#6UVbf^_BC?TcEru0LC
z@1~=MoU%Eqw6oRNyZ})$k%izXn>PZ3XVzG(P9dO1{U#1;LVgJVO{z3js)Ddd?WWbK
zB!#4+V}&YkP3k<YN+rYk>W?IR^#$sW>VWz>1vFXISfxr*zy`5Tj5~Lg3+yB(T?2lj
z0l(3J-)O*ZG~hQH@XH;%rW^3fovd~Z_>BhqMgx8$0l$%e-$)?eNWgC-;5QQR%i~0q
z8kV>)WF(!ysu$3Nb`E%t1iVKASw{lilVe1X2zZYKyhj4wgVq+yUP-Br3%D!}GMB8g
znBE5hE)F=u5|>{t$?-ZS_W|9KP=J7)<QSZmw~`dpz?%h;9Bk4$S26$=w*1tR9W$o=
z0qe=$7_I@6K}U*(t|WzuP=J85II)wFSccnH8qs&*K~2U{hiS?Ri)O5-^J>BhZ=SD`
zP19BQ(`*&~YO)GM%~cVAr>baSs#h(<&O5?nDy*u0CAEL)$2C_s(seGtvwd9qWgXXy
zmHS2<45_6w5EPH-Sb=9SUR%AW2@je4z*iwDDk_-v?czuC1Eellje~xaU}|+8O_3Q}
zrm>9WxUQ$pr_2w2#H<B4fVZ@|Nqc7NN8dYxp0UxOc;W}&OD&%?Vq2b<PZ(i|!bPt#
zkega%P#DXVBCupBoR%%2TDlZP$ro5wh;ck-hgrvSI?A@D9z_d04Oc!bOEBtlw!r5M
zh~jKPz}bQ%XM`!v5KeK1a6V^1ea;Y2bGD#8XA5@VY(a=K#P>Nvd|oxFs;gH^PK*#|
zglL%&s$`}x;*7%)XB<v(#;D?q12SiXg=9vLVVTjhFEhe5XM`%wuqxERrO60!Mu_H&
zP{o<Th%*jHoN+kC8Ka6b4#=Dl7UGN^!<^Bx&l%yGGeR@#8>$vnFRNiP2?wnZO4~t;
zNfvr0vd~hJh00GBT1c|6ghCb;QOKI2EG(qZ6P8lQ!eR<pSWY2py0WmOLQgZ5b%?TN
zDXUUhvz0YRS%)fXuCnGS>o8?up@oPk#dH>^r-jN=itC^qpdgEswOCoGz~qQQ23f}{
zYpJr(Sdb$c9<osB$wE^`)^cSXr>q8LH7X133I%Ca)(T~<R2Et~@>{K}<JsbsxM-PL
zi;e0Xh^SthjjDaVNVFo7Uabf5ppagzN2S0sr~|+ePDPVNkZ?GE35WBLKr!PC7yGCC
zEf^EgZ5ZRa6$9?9MiW;yT~;(V)H8GW#nDVAu?$UmQ=(zDtgUI_U8ZQHq{vy0o8NGL
z3T)u9SXR~7EmjX|jXD}pJ2J4<5?(|dvd1&8C&T6)8bsDhjOt_%+|^QHG`}!SO%fNO
znWTz?i@F-BQc-ajY2?)M)gA!?tA)vYwJ(onwGf%Fb_VdQQp+!lq=FRJpd}gHJ1M*|
zo!TjlXK-cH4>}z#DbV4)5=`h+F7#pOh@ZQt+L^-wrRFEUAeH*7WptOGqJ&+uL_<UU
z%4S}T1%YTPKT{{hAqv$VIL_fJ8indCRCFBD#`SB7#X4r8+6BP5T^$a)0qkF;>1at7
zmhl-5&{KIRQoFJ^$E%*lsomIUkvj8(#aorfh}yTpv)ZqUs*;OD^=?B{y@`cqwGS3m
zyV{YcI>QB9?HokanJhf3-HfO@;{$%wu4q9-y<-KN7qCgQ31@u*rrt|{9rDdj`bK$7
zSb$NbzrKz4w6t46$StPbVj;Ie?N%6aQ+sj+7<sDECS!@^T;CWEk{PF?j|)W~uieIn
z+={hZamcMiyOo68O0`>Q$gNDfm6027?i64c%k>VTiEH0r%e^39iz}bSMG6%u$XDA!
zuzj&XEtO9}(uFGw!m2_mPzUeutO`x9<l~vECu~*ddL<t^!%7BQZJ!nBE%O4sWsd8;
zRf?E`Xzrt0ewc|QWg6A;!;~a&(;Vqd^@6BY8@-8Mpf}MA^!96k-hM66+pPt9>$E^^
zcR;Ikj`TKZf!-!9h-p>AB3&|Vy#-oO<SXHLQpjwjqKs2mKB`*~QO}EYnb1=t6q1!Y
z6cP#^3hApX#fpVuvATxBm4*CRC$t}GX_7C-iLa2K&k6Z4Cn3LLO_TgsM?-!EAwRB8
z+OH^-9^;|(=-E$?@g4m9^vExq9zFZ%F&>IXycLCbLG?`L562{ud1pNE!$uMO6wi$7
zriO7X^L(V53`4jdhH$0L5#1z5BID8;mt)kPN1ake-GbnOo9>9x#dt+Lj@zvS?$4z!
zh2a)jx&X`k8c!#}6vAyPZmkly5$RY!x=PH%TimAszZLg73ET;BH{e@%*ID2l?KVTu
z?NorhMQ_8z%~JaTkBTVpLfk54;>M_QzzR_T_XBZrl)zn4)8Wz}nt&fKjt4wfoC}w0
z#I?Zh7Y_hFBpv~LOgskogm@Y7Rq-0&8nFiO9kCv8qxcxGMYI5J#*Ie;w;bVSUfg1Y
z%Z%t2BS5?=4wr6bH^3gawMgJ*qQQXsn&1;R5alCGp^04MuAu`AiJOMX04vN2zyr+#
z0S`702ApBe0Gwsc0zA|_6!38KaKt^zJPPm_^B7R5GOGX=nTr6Im`ecb%sRm3Chi@^
z9Yc+PE6tUFCz~fD)@k?#rD>jJ9c`Gnqb6Yp+)}d;u+FM8B<`hI4!FWv0k|5s{Yu<C
zb2fa>v(5v&!1@K?CDtW?ms*zsUSZ*uVca+KJHTtL>i}=CZUDRqU&j!*MF#SuyJ7&}
zwcZ6>XRQNVZ$XlDD-2+Z1xeyg7)TPg!F&n0&DsX|t@Ryl^Ti*~qA#4`{+BeszOpYM
z?s5Svmc@XN$~OUV&xav!OGh@~D0>v(EPEE<JbNDCavRd1`z-*kw66rjeHDP$*?$1U
zT@`@1s{-&=`&Pi)ZD<|cR{?mJeHY-v_QQa<p#ty;`w76O?56-<v|ls?-t5l;?Ctgj
z9Ow=N9OVAQu<+JBzK4jn<S)R@Zl*C9u7lu*_xl0yem~$yd>2mO&HjA=_jQpgcZ{0{
zn2+yP3cSl-09c4`nhLznKMt_iMV|3a|3tw3-TeV4xsw1(-3q`;w-ONV=L6QbHGp_K
zAF$3v{@n(*0kFw!0$ky)09@s+0zBSDeZX7#Cjy@2o&<QZdotjuF64!`^-l*p(>)XL
zY~+OMFPSvsLkpT&9-lVb=(})rL#?qNUP@eQ%&JW^(PfhoVd%zeveR(4%s@a<Ijb}m
z_sb}EfjeA!;06WtWTI8*Y2=3D(f2)j;eLf7hFvnhBG-tN&6=HS>_5Ho;9O%`<<!bt
zWB%+}Q|Y=$MM2_bhTaIRo^0GPL*G16PY%9=(HFPtsV5gV(DcJid+I3#_s8_dt$XT;
zZo(NrH}EaR9kxa*!><{BPf$pPX$-qC?8&e{!yybu(S6Dyk6}5(`3#pcJd@#-4DV$4
z48yeyzg)I-*-|r&VHbuy8TMy5gyATLc?@F=Cor7USaW=}8E1G9!|4oXF+7yve1=Cc
zT)=P<L;9#I?ganAkZuSU&~ghUXyfZ*E^gE?aIet+3$8-vL*-^~;El-t^)SDOxf13#
zFqgty1am&j*)XTW(0A+Uvf>DCcASKp9B1OT#$%w_5`F@gNwRIVDI4t!Kf6(FU#;x)
zENzd{wvLzn1}?V&oecDfpqH9CY}i4=rwv~;BKLs(mb`KH=?_WNSN|uToAn&sWuIZZ
z0B#KN+<&w=4Yye4;HJu4F#_X+DDIftAESdD+#)#>w?rNRvjDe1*5SU#z8DvrjJq7q
z$DNH?xT$f3xElW>a2Mkd_}>hZgV1+~dvLenJqYy}Zc=;!w<W$Q-osspEx7Bj6%_j7
zp2L~^KNO+A7f0Z3!!+Dsn5I*qG_yFR^Ua<}=@PTQc+4CEGYY&tX6BhOakV)CX}pPh
z2q&0vd=5QNj4-E(R&y5Oo)3QC#EpYTnN{GhFI+I1K`O_h$6tXP1W(0nfxp1bfLGua
zz(2zEPq^vtJ{sMi6w#w%+yrQxWTMZ+-Jaxf4&y28{+9V6TujDKAa~;glXT%{43FoK
z*Kw?&46_;b<nU`4zQyoDj4}jnz$E%h*yUY@Uoc$H?pHB>BIEZl%oG^e89!q@hv9IB
zeF+-hux~5ln;3q{@EwA<xs<}3&G<mZZ(+PU!)w^(afYWee39YbXrzX_PPYOMVwbN7
ziXjZs86M8=+Zdn2um{5<+5LIO&t?2$+$<?X4#QM}#&*W{Vf-}4a~YN~9K&!VLwueL
z;a_4r8{csiBHP4R<C)kq=%-N^&!v7+%>2J*mf!}WwZ@0IF>?#X-`_$<Qg*0W`{}x+
zYSv6>Cf6)u3qm$QN1IT)4&wTi1-<_b>elt*dSi{a86i}y+OJ)mdI9y7YTkajc6}|r
z*LA5U?))5r`#n)tP(vo+j?QVQ8yi%uP&ENhCn9`L_)TD+dEmCyJQZ%ben6^*`A5h(
zi{T)KQy9h=4q!NtVS-@=LE|*Wk6<{CUCv;9DZ>L9PGdNh;Yfx(8KyHVWhfY)LlC!+
z5+}VGb|HwIq27rZjOVcXREA{?4`mo*tviKvMlgO0yANS_A;W3r&7f0C(D;^JCNUh&
z@N$MW!v_f(VI3Zc*@+PSm_F;XNMk(4Fs#*M*@bl*ceYY3=tRTOl96v;g2wlZ4`X~C
z<A*Z7o*~x-U4vA;$TIswG7~vRqX`$e1dX)>pUQn|1n>-u<xsLT)?}kvy?>E(o=SU)
z{AiR(y&%SWFqs%Hj=~MgG2Es+i7yhTE4*g`!@PmJL?PzF7PtqQAkAE%GX!z>7Quh9
z3sDoeJ&fRbcERY<5Klhv<XX67U|x%lUx}0dZRR4}w48@Kl_!WvxGQ-YZbF`i8;`4S
zyYX_|V|*g+Dn1+c5?_j&hkuWoh5v-xgYN@;2(g~PZNR6BmvHCr+qm6#6K1tvitS<(
zrn8QC8~5;b!%e#bajR|yZqtpJMdAwFlUs_gn?U;^gnR?=32~G;8MN-i{kR#p7k55p
zrvuI2;tg{VQu$JRiMwwb=#O|rdlgeW2{+uHi+Gos7a^s~5cf*+TJuK4x(#>J-j94t
zFdq@~a0l)4xNmk1;97AiZk7EQH`;E&y|Ld~rg=J2UdzuE?|wW{jOUY~Z$uimnfF^M
zC<Vj&n97b}9>ci|^BImNXq?6P5ezHX<ur!hvCCwJgBdPkcp$@R1dVeTFJjo0VFtre
zh9<-F2^!xr+`=w>8TMy5hM_~y*p9Er3o(%K6BthP`oJZd@#6`Kn;7<Fmu3(8FK#Ai
zyvr`HvF{MZKVf_c<Ii}Qtr{P)%T$K*8D7V*A3>x}^m{Sv<_!fNVfS0u<qpP2Fy5Q-
z&ltYQ@K$!ekNFwOE+?|f;f#OGxQg3{@pOj!u<y%^@5@j!EMqv5;Q)pf!(jxC_ZdHw
z@lP2aPVn(nk6|vpb8CPaD#UPtk00^)f>4N_n6LE2EHG#dpf6$rLceaFiB>1myaISF
zyZlyc0e*w{0`Nt%E8yki{`io`vF?yeb0Eg_12N+qjZt(F;7{=RfXTR*eKx|-PvFjP
zf@cuqd4Uj<*yT?Q4`KJu8E#>ha~N{F^4J@Xy&Xzx$PVq8YRU4@j?KgUsD65{aQxGm
zVlCs-7?!dN%}Rtgf#GC^_<$~4hB4&!?V<6HozAK9%)r3R;6K<{SS`rGpURoWj`*T2
z!+Q<!=pT9hbRk-_31~xUc95JKn3LrO=MJ|mWl~B!^`-Rr>Bpouq@SFAZu&*(m!-F)
zf1i<((KlmqMqS3~8CPUHlCdFEW@csf&K#Ioo_TEMMVa?xzMW-ejmnyybxc-6*6CT7
zW!;!{f7T;e&t<)o^+wj)S?jV|vRbpg&Nj0%vb$yX&K{UOEPHfzEPF!sr0jV1wCokx
zCuX0TeRlRG*;i)YoP9_3W7*GSw|42$WptOxT^4n@w9Cz19_aE)m-o6lU59lo?ON6K
zq^^JJ`c&7qyN&L)s@qB3PVaVZw>!GM(rrz*wcS3<nVxe@PD9SBoL}VpKIhJyXL8o&
ze3<in57{HFNB<tt9^-pV?@`sGuE(W4?(FeIkLP;4*Q2#(|DMsF(|R7-^X#6__1uI@
znty5x5c?a$!~rmquxgSfCK@^7Cq^cG3gI&eK9k^6C`ydcq7?2GFmbH-nsSBV%2lX!
zLf-CS#c!8zjM2l}Wc2d37`?r3jlRGOy-$rNVLt`)G|V$F&%!(hvkqZCfcX$+J<JBU
zZG_nb^AXI)FrUD*z<la$5_fr@io0R%fw>pvKA3GV+r3ZaiQam7inm3c26L|0CeMR8
zALas>i(oE>xyE}=-iUBF!`$MncT>GBZW?&K0bI9$>sIEtzt@KLKwum%j9i!@cpeQK
zYr^=pgM+U-IQYIp3UbwgT(uxqEyz_1a@B%dwd^hz#@C>?4Q4ycH!$DAd<XMAjOVop
z14h7@Fcyr2v0)q-7bXQJ6($WP9VP=N6DA8L8>S0PceDqnG58XMz;__fKfs`!71S?L
zZ`BV5V=*xR26+|8t3Y1GV3;8=)Q=2<84iPfN?`3%pv@Fm{S=Ue!1||vJj587Jft@k
zCIXWW6NM>&iNO@YVC`C<1s4lps$i;N7QrlrSptLAPjM{FQW&g(;tLN#)WOulU^P@6
z2ZQxc(FoH7(+q>TmcUxMz^W*|_<)@Pm>Ug8+yrwo%q=jF!R>LFCt#j}c>#vzYcIik
z2(umry#cTLLq;ZKWI{$JWMo1{CS=6pSjfnPj7-SLgp7EH05UQmBNH+*AtMtqG9e=q
zGBP0}6EZR(Bi=`VjPO+hVUC4~z+k=DjKW}KZN^Za&h=WLtu4^j7HDe=w6z7=+9EIU
zT5;cZ4%U>?p;b9BLEUPDrfx9$Lt_Vf-?N5}1)gu%&`#SZKs_x)%XkLjJP7j;%)>B`
zz&r}`7|i1^o!84Y)XO&1%Qn=@HfZz))XNR1mm5$oH=tf_K)u|6dbt7hasxEF6&l?N
zjc$cTw?d;^q0z0-=vHWSD>S+l8r=$wZiPm-LZe%u(XG(vR%mo9G`bZU-3pCvg+{kR
zqg$cTt<dOJXml$yx^=f&b}qu42Xj8m1u(yWxe(?em>UfnnqfmTY-olp?m~-rH_SaS
z_rlx<^Etw8gS{QQH>UT!X~Q@$`+MJ`U1>wR(k9RJJb5<ExrQUpgE=4O0+@?nE{3_p
z`&RxAC3lUtR{qud4DCxB+Lt!>Qtx~BS16}LP?BqOTSKkmHlrU}z5XbP;gE76TDdde
z-+8;T4W+ORrLYa9unncK4W+ORrLYa9u+7*ETA#sef%zP!73OQu-UhQB<{OxAVZMX;
z9>()pP%<qjnHH2x3reO1CDVeEX+g=fpk!K5GA$^X7L-g2N~Q%R(}I#|LCLhBWLi)%
zEn+h2_+4n7?}oVt=3bclU><<`KVaU6`3z<Y%r>}h_cqC9?;W`UW;M*|FlWG=>up0l
z*oJzr4fS9f>cKYDgKhFEmgv{03uEM8F@EY6YOUApLR#w}t#y#rI!J3Bq_qyxS_f&Z
zgS6J6j5Zm<82~vfK&d>7l4wIoY~;E$+}m!TRYQI1j{1~|l4(Q9JPQf8LBeg2a2q7t
z1_`%8!W$vsjgat0NO&V8yb%)K2nlb5gf~LM8zJG1knl!Gcq1gd5fa`A32%giH$uW2
zA>oaX@J2{@BP6^L65a?2Z-j(5Lc$w&tNW9^?c!8O7dk3VhdBf0OqjD^&W5=Wefdo=
zH^bZla~It1hPemkUYPq}9srGhz`PHGe4@m*qr|qO#M)3|Z78v)QDRS{#GaNX8$(bh
zw#idrp9cGMxSauWCQ9mTm~&CW=fRv0a{<gnFc-sIg1-4G)Q#U6nJCTuar^cV)RAqd
zBir0`jOhP=N&HVK391>bhSYWMI#u_)Hw+8)24A5-ZT+kF4#tM6PNMfi__Y`x?TcN&
z9_AA7bMxn3i`n8mYHo)4+I!R72D2UJ8}Cia^|o0lFsVk4mFBItvW;$57Z`kP!s_om
zY7K-bg(-)r^FEiiW2Pt(+O@L1Z>=scT`?Xt30mEN!4GapKeT)4Nb_@~`8m@39BF<Y
zO7ByoXCpmZ$ImuWcM6?qj6$eB2-OFndLosc2v7WG8<}v;gljfjiBhW31+J-ZO-*vN
zXB77=6t1&3EUb%INC{jeC6J9#d3Tfnpu83Be|V&RtM~aH=4#J)_}>spa+`+s%x{yR
z|J2I;J6wd>j6H7?n*Flvd2eDANF_#dt51?Rxr9R~zf61=E^rMnpF)^UKy63e@Iz-|
zZY|_*(8s08lZ-y{=P)N5BjhQtPlbJ&(Fd*c2sagW8caG?VuiH<ylcpOn{t4+RTiP%
z1(-#lLUTvrOUh~JNe;%ib~<{3S=0l=WgF6-3ioN=2Ka4(Uz?oat&uZfAHw0*%Gq9v
za|>D+S5s(1s8$X!3-)ZU4Zf`yflWj2b1>o&jhWzS7M^FrhvKc*K7PDS<b!zI*!MHd
zm+!j)zFU}TI=I_}_*)R71(aLB-L;^;0o<)a3R`3)Y{lWrhK-P$IDO;~uA7(!<=p42
zm2+;(1>P5OA^5C94i;hLxCA3<3$EMXLQgG5s!YIt0jR5Rn`Jffw8+~G-+#zsIoF?n
z`vu@3pwvo~;QKkJOun0v@m1V)@ZAjG%|;4R_%@URaYFIeA_U213uGF^5Bs(m>4>`t
zzAd1>1w3y7cTXYyCb<|~gMV4$eW|(J(2h<ULQ#lKlnNxKXpkg)pLIrebFPtX&NIfC
zhZ%#-`LK_GeWa0N9u50k`2EW0V_pXLt6*OZ`v%xI!v2eqY2Jk}4<PIlz@J2)^y5+!
z_S4XsFigdIN;cL~O0bqvg0++qtfiD-Eu{o&C?#St%!Q~qDc1Sk8td0yi**mo2K0QN
zLo2&@>+MHicBCn&_89Xq^12BlubVLPx(Oq#n=sP4Nj~bmEgwfIKMnJoccFX{_RBD@
zdhg0Ny$|GD@P8ZT9hkK+@4~zX^FGWvm=9n+gjo->0cIo2CYX<4K8E=OrUm9xn9VSs
z!EAwPLmFSfd=0Y=X1lk+?h4ZlraMdyOb?izFuh=U!}Ng}?OkY>z%GR;gDHopfQiE#
z2s0UG3d}(;Q(@2+*ayQ*hnWF`+GZaDGYh5?W;V<mm_uRa!pws?3}!ye0`FaWAxsra
zHOwNI#V|`?YG5w)KCpiUa~aI9VSeL%fYHk<hP2=C*4k@fHo<H~YqPTpwa{yzvFL9R
z`U`~Kj?mi?`il-iQ~d3rFxxwc*)ctpmP4(xyaMJ*m|J0Phxs#FY~`=u&YX5a)BYN*
zw7nx=P9JY;C%l<Xnz!BQg8ZdAslYH+cd+W@WWdh!K5??W&)~b&>FRyubn`wlT!i=x
zzHRXRz{!G*89YL4L5MAegzs1IZG~$axnks)MjQcd1>J9TjBnYGLQ}}E@ze_HZAKb+
zXoYJV!nQJ<Oz(BX`3Rvn1qy}I{ER7X)|^sGUvPW}aX(ACVk`xpkKluziz#+N%nTXy
z72D)Yw8yhht7dzj=$7y^v{Rp;1^Wao*i&f1w&L4os{f)MVk_GIt#XF<7sT9(9^xa!
zZb1*R1r*xQVr~YNb!Z_sA@+x8AvaSCi8kEtwPvF|_FH?^N^Ul?<uq`0urW|hhnWF-
zGhrWskgD}=lM9W$vdYMk)kcn71bZ?3YS6C|ZS$6EX_fre7jDbKPDeU+*IK+b{9C=x
z`2P)d2Ris6X2-w59XkI{b~SIlpCz#A))vfBY)GILGH8MJnK$ze!mXQcqwm^b=h*ue
zqY{jYAen96I>2@4q1ycr*ALO!afo)o^@I1g_jj}${u8Z`@ee6bNwg$=+MtU#j|V<>
z9m2c`D^-SZ+xXjF!FfsA4TA21)*ayK3GXfM3Cs=tSN<S_dm)AE{#Rz6G#kAa;LF~#
z-UjISTE^CSYuE=nDR6t)`vg*254Z`i#e3`j1zDlx#t&m?{R=R5r=3~;X?LtctD1*)
z&hq{KC)(V`gxVnQ_8*H&@4BGf`LSsJXV8Jp|J|74VJ+0V1+B#g#$e2a@a%m+KG2H~
z;B)VPMqc)YOYc3*h4|;as^j_3@1gFXjwIc+_kWj#mI%EgB#+&J_GzkdNN1xFznApm
zXpQayTGZmbj@AA>`XPPlJzoc00~|g79!2{R1CjLq_x-Tb^1tB6HLJ7nH1bbcjJD^4
z9YxWR7BVfY%TQQo_!_FQ)Teomknx`KY0$IsVf!g)H%6HV&tpyRRkU<CX90*)7ts1G
z8eb2ZTQEXc>%E!uf0HQu-~R1b)BpYaKw_=<W3Ke?PixOpKnYLuZbC`k<lUfS;h9@c
zls((Ndx)s_81`!n?BMXvdn~|x7vCQ%(D)Jb-oXg*HT>T}Y+x#6ClLGf+;^&(RdS}&
zN$A}>XCnPp^wN9r!<roCwiF>e*Gduq#UJw9mEL*pqOP=XUF?n(nID)!z?FxS%BbI{
z+sHw3P8j%igdv<|bcduY#KYcv`_U{>{2{+x^+r0^^ak2s%su=55c=UbI@h3wvDlvH
z+QF#pUgS9qCn;1JB#Hi8a{W4&HRZZ5tq>#=`+<n}I+r!&dXLB9ES<hQw@t$u#SXF}
zia+FseC=^B?A`xEQut4g^S?CL|M*WYw|^u5^ls^%{`v#~c`Oln4t&~U!CE1?w|{Ey
z;=Rw$?;EKYui>l}{+K}#M(#!*?+&~%1BiYMC%M?I13<lh`=5%>ed<o*AHCMXs}flM
z#%g8zxc`->UG=v=lrGkCF*exqU&r~OocceO%a57sz2eX3V%K(Ox!$>~cTH#SeW8P_
zX}%oyPWmc6U)ny6Fc(C9M|Z!DaLMejhCp$>e}*aiJ8)I=0?zy#>`huKR~^>@s*yY8
zI<&sg;cRiIdc8N?>`B-kqpT?%jP^UMPrE8>j<?A$FCIaAAy*xA%`>>4=0K*k38Nb9
z<#=Dher`|l@$U@dJ?c~UUIvzCxLD^}2gzZ*%dh~yqc>c@>3XaJtofniI6sYD+mQ3K
zq+hT%c+Ys(a_AhuEZn@24L&k)!vTJwb+}&OwhjEX;T;K_r$f8)Ey_y5{@QyG)YhPP
zdA{S)W9oYd0<CBMpbbce_QUW71aLB;b@1I1-J2d-6GLj)%~yMGn9Z&;u=h=x1<9nr
z7(CO1wNpPzvjYA>s#L1jy;D@kQMZL#_KJIohgOs&(Lrm*iD?kfB^kB*Ip8=2E|^j3
zAC<KJf&M2d1>a@wY~=83=&b6wAnlH45dn9dQ4gfayHULU&{<gD9U*bv9e=;ybjc@4
zDLWbNc^~s_T4h7dd1VI}m6R{FG_Coh1=PcA*gfxxD(F#rgVQmn6Kyy-(#bEVBRf&H
z4V&|V-D&!9`f5jucB+ZPq>gcbJp`c?J8WG^0zRpv9DIkJ>~IL?(3jj!Ap?g{JE9zM
zdIK`wi`8yQl}5SY)C2mRyNAPs@I1WVnP*JIEPhDHwH@lckkq6=r+i7#%G9@dABEmR
z-JkD7)A320{IX>%AM^A*ZnY5m285>Cn#$`qc!LC~-NVHDpk?mUj?EwWf#oZ?y<^H~
z*RO0}dXy9Iz92tXCFZ?j<djZRKvt*)w4S^rx$lz0@9!Jl3ixf}_&hR1SRT1}e?yJY
zF72}uXb7l1)84Q1r$C#L0=2lbmPVYtgq~`{f5*s|ctbhvd71A;P3Sn^-hCar@2zY5
zvfi86YEK=xej9o3bj8v8+NT+mt#YB3oUvrP-F|&7B+cQ#Y3(iI)7lf;`!3lxS%HRd
z-P+@F+LLrT3In}Qj%>XTlle-=`5am??qHO{9PaA$P72;#|DW^g9vWSAz!gpo?&cRN
z-Q9%zZ}-NEI{s8ry>RD12W1700-gO4+3RR7w|nv=Nne`S(^KPz(5gj10WEg2-w#~(
z80*3zec5z}gn|*~9uxWT0{V0RFhy^D`02k9chCybjfm<`8bp22&SUsJkXT3g+I3Da
zqURaEw-qzr4QelMrx@TYI2{!pRV8)DA64t9K@SbR*^C{*4am_};5&rdDW#nqFq=Yq
z$T4-RPcvT{Z3km{WA}8!@(j4!Ik~V4_N_jHRN62u*oIuJ!Cbd5>#c>epLib`x#yE$
zI18Tqv2=Ldl>B*oL!$}ece9qRZWX+*;6`UgX~ahJ*4^|h6n^i1c!MVS^S(@?0a6&C
zJ7S8PUGcQ{y0&8)|Dn$`Ki=b?cMXD~^+WmUleWO0;OOYFsqWF<y!!3F4R7B@(dcRS
zKj`4u-d$L^xyyUcyVG03>k<a-&SOqY?Y~~_@~#ij!f8kNP_4z;Ht%gUL*>!hotSal
z;a%_19XI%SA47M)^q%W{4y(ci5Tkn1c&bx4Z5p`$SFk;;(Yr`PD!J?;M5kWKo-q}t
z<*AM6<cDyf)s#*G?bcb3h5O;2+kU$Zyr%(v1itntDcXJS@TX+hd3%GF_-Wh>V|cG{
zKee$#BJF1UJJO=w15|kCfR_0KT6+P#@Tex)!zM@noJ_kgJ0+}ikLwE6m#?rMNbNqx
zQdC>H<=?vF{KY4-2mRKLJ!XezMyO69U7i=CPFd*f=yXRH=wmkQ%$;+<{ZzY=D7Yq`
znFjcCRFA)NE3bG)Z?>EMDw)T(y>lQHO_%y%ZbvRt{yTH#$J^Q7{mfwJI7p30Qk-9S
zLx0YOMQgO`L<Y;#yC^i*eBFCN(edLT7QMq^cy}sy-1fsiuMSdQ2id=y%$+KMyE_?2
z>FC<(*8Va1)CZc5F@yT4H4wtJr26RhH2Q$M!EnyRdJ_L|-vqVRdM%QiRE)i7V{w}Y
z;s<Ginx;*syY^yF)Q_iP?<s^v(f!i=0|ghm9JCUx#>S-0+;#-CRbBRD=y=#`AUUWf
zfBlQJ6`|X(%Z*he(%jwEJV-+IQ!N;`ZuMT&^nP5cleTbA65*2e>nb9s7E4P6w;SvU
z4Gt52m!ZS9WoJr|jM8(GBeiY4Sl&2QhBE2}jZ9T#veSO%fSqY2T{IskCs4)j2cDOr
zlZyY<AGLX^)#!|p_f%)K3VOr*qa@H9bn?rBZYRqwXe*Lh%PWwfxS@4tlsoOiZ3c%*
zP82MuM*)RU>=269>cU{XjcYsYZm1Dx8cI!5+6C{LS}^CK@nJh|!s$I6dcX`wJ^7q_
zk78u{B<kj?$PxYD<x|F&d5`$9aK3L1{GWivJxM7d#9HrP;QL*F)QS-mOUFAE?)Q2R
z!C=RfOYm-@LT6q>yxtOeUjc9L>0hea$MGLKvst=5LcVEQUL>{sjIp@?XG+L7j8a<B
zutO5xD?Qg`Hx_A)O;Xqm64r?h+l5`s0yXKB-6R3;kUj^R9Ui+BqNI{M`x+3YyQ?-<
z)hfLM!2NkR=D!zjKNeJJh22mi-wygrpO;;?AAYDG$L1bSw+3i;-sO5sJGr!y#OuOg
z{t$wCc<5}P4d~nb9y7!ePW2~803m1ITMIvjag-FTYcMxEwf{O`cvl7Cw}#^fc#@+r
zY8_RLM8Un*D)7dd5NKWyw_^-39!*l^AS4N%jptx2)!m=DwGYz~t=)&{C>GrOmKr@R
zazdv(axltKBO9KBc@GEjz}y;g#JIi<a~?YV@fH49(*gWc(=RlNxb$%=7gq8<_dccG
zgy%^-L*lj&_0ccsc6z&sOG?SGvoZ*sfkFx$j4ImI<Pj==x}GLOBPM1R;3B!7qq*<Y
zLY|)t^NP6G72tC&G{4UDM+fc0bVP3VAv%f`a-%Vk!#zk2a@U3beQEv>9s%h3C3j9O
z=`vFHQx79=lozg9tbbhdc7B(~=K+1+yIktLR^ol+ySKM#HN|)FwbQqid%LF*{@w&@
z&u4mmqbam2Q=h1TyG3^Ru|8njhP(u6>r!VI8oTRXCp3L;*x}W$fL<s-2PjsNf|RKZ
z>w;becM&38n*SR9d?J{|B8<gShelEv(4H?zhTT*vn1XK?@sDfYHoZzlHBq;*J20YW
zEaZyT4Egt4s2#%T$M&t?&SAh$vgW{d4743Tzx4w~DbQR-)!g0k<fnib*QvZJ7d%6D
zd{%(o$_VOIQlfs$9qn-6#xm-dhj!7t4}IxDI;lu^J<bZegY#0jwTQJO3oaYIKZM3=
z4>E0fzwDnF_0hN&Z>l3E#=n~MVBEThmJ5`&V2t=rjQ*a*6HXZLsX4=Y5EzZ+{T?I4
zr(WH_=yzAYP+J_TcdReIo(E+`=PmS)+w9~#+IQVk8@tbRODcY#gEuWyivfFwo$^5U
zJEN>xV&zM*iSyn4Sn5dEFR!59bH2axzR~p5DmES<eXKpHy6Am`lG=hlw3BR|8r{cD
zA^#6~-vM7mv9>=u+d={%)CAH)FG)^9?<IsTT|h)7bPxyv(nLf+qy-hbVgVaAM8&R%
z2#SiRh=__^5D^tov7!8*_u11D5(r%HcklQ8&-tBq=giK`&d$Dl-kJRra_k5s6?V<>
zpDA=Gg!yttk8Ll!cFvT`s;U-@)I5e~;=t+**DVXR@gMpV3BH2eQgMIKG5qnF?_dP}
z2O=~BcPv~%o-v=C-=hnP2*hW~PTKwtu*$+H{tjwGlqQ}C_Ge;b<{H>rA&d?bKcgdB
z75+kaVgrR|GEO`n$SGbk4V*o*qj!hIbJ1xKE$XGEx20$i-0NTc1n3aQfJP`D2fri%
z7KQO(e{cVgk{C_l{^(_hvhmc9d3@r`dxa}XEMgEp(7vD72%Qz`O^}12Mv#U@D?#5p
zp2c}|c-lp>N+hDov|yQV@US~OWq+wXNX#i(5As{K5T;p3E5$#zaE+q4Yn7%iqz;Ms
zJPh4}A3hzwpAy&!`Qrb0z5Sd|hx#u11&t!`tfiFa>j~#wC?T9uW(vgfl^MW+K%<3^
zC?jLR*tx=IPUoM;C(up_TL0;^6<!w4S-h)$3=vs;;wSJNPdxLl=g5^Y-r-pMYM@oD
zbT1O$0leCT@(29SWLx3>7B@C*KTPf%e>u?liARx87-#G#d*Zp$=Ll_wN)xmER+wN*
zaHK=D5mq`>uV^Zqp5$EM8iAu%KG1sM+QsLF%8=qie~V4Q3oke?Z*A~%zo4E_eEA|z
z&MQ=y=J{-7pKW{u2f|wPG!N1BG2349r|{he%9Vyk1j_ysM_`O-tg>7937^vAQjo%f
z*oSsyHYKPFGhNIzPPnK)1Nt>++xvK9g2;xTz8g3r$AESYF6Y-ln7b{!OyRT_ty_4c
zaXrq@hL?nH^)9rlcaQHbx?2~p?lN3C$cs^1_Nse~SKf;=J45XtR$&2hp7glz@f#th
z_FyL;ltp?k)}<g~17748RSskzX4pef7RR@ST0y?ZU9rPXlxQwwUa>eEUf)Xxu-L=C
zptk@gPcPmF&-YvO=G)M00$T9!ozYu?r&6>B!soo$AbO5Cdxjj(dnB_AetripyzsMK
z$k`v_jm6VU;cK9l=n$f_2zR0-AY<m`hsp-76v~lQI5#hR#`{-v^uc#e;DOY_k3kdv
z6xuHOAs=8zAbRWj5O(<ahs4DohD&$|?iz7hA<UARtRF51M9LrYWFM}6il_`+*?Ur-
zvm@a^@CG(|cvea2z-aj`UEFivzR_dPkAbQu%7~)vp{#fm|Lgcopr3-b0bW@2SqIAe
zyN`jfmg|I`PIzu%tu0jM<URAASU3#%%T87^@TA$F-#z|Rs5d86{%1xm@EmyE6Q~Sh
zv);Qf<_*F;6~HiJx+jr=kspDwehQS3djUOs439vV-WI$8zeN=Mf64^f4#_-^QiK0b
zS@{eKlw@Osk5zcHvVJn8n;;rR_+r3I5{6w;hqw>Dm3&C(K)eg$4<b!?JPA*>E{f7N
z3CNrhuf5kBV-Fj`qj1n>G0!u+-|P?k)~E9cNKVnm0`+je@=Wmya$O5&Js;=Q$o(x?
za!05Z@{b0iZ&*NP3lS&t4rKQaQZAtJd36N43gdh@2S)=L$Dfd9P!~AjK{hLSewzVT
z#5jjO;Ugq{$DE8rk>Nc@f$<K>#ZWD#<c?4C<M9waX@4x4+z)?@CObL3pZa2j>j&-)
z_v~picphO~%=4woJP4jtpls+Gs6|RcPI>8LVC2L61F*6J*bu5$x|Ba^fEZr78YeB~
z>7=LMT9__-()R!HlP8XMQN3FvKE^#vBRR89c+V}sMbKiv);tY6A^ghZRiA=FWWMWg
z_?e>Vl4rk)mMr`~3`cPyq&<fs1;ITJKsP%Oz9KM$iNMvM7u#zYa|q(Y*ohjXH?O4-
zCt@zf13D!~h1SE-fHd=axxXoCmacH`|CxW}b=bLAS}V-4{+aeqY^Ct1pLqTs$cbee
zA{9znMde)t{N~^Dq0IdW9Ny!Hyomq45xs?x4$BYkflzDsQ}DQ#|LIV(_plT#V;+V4
zy-+0W3GD{`!`@Y(0R*oM`uq}Y-0#1BSp1gcg!jT<LUJLwO8T(1y@j7Hu2)D3N?k-+
z?T5aGC^T5(Jj-}AfAkj4Zwg!i(pgqBZbqKOa2*LoZAmM;WoKf@aBu!~BPeMv<{(6}
zZba%`*-uyGyUO%pw!-`m-aS<F_A@*=X9@J=)JH!(mufeGl3N3>5$+HcMO$*&lFtP0
zsqnKXx%{cmuvfoB)A4!-9P+OcFEsZn?S$|vywwl~49^Xv@f3;OfgFs0#~;J|-@uuD
zz=$K53l4Zk@V*ADcjwG6Ebbs~N?TrwI49{aUl8nvH<5#A7r7Q@ePu_|_eH-0l>JRN
zBJ~<(fpfebh2*DS2ka^H!uZrcxsqgNwLp9XOP(Bfx<slJ@-#rNReDzZ?T7jhY^ru(
zJ|UPBmhi?7?QsmlP83R>{A{73h5mTsQYh<$KNwY+%?$FI!UaN_otJ+q?2uC7y#;na
zYYt+;sdTFv@EHGqU(lN$)|*Peo0Ix=!^(y~sZa3!19=ms^i1$F5Yv1N@AKv-I7%fx
zDe<TVbcw(mJ#xZqU#}(P6+4b0jut3a_=wr^lRkebjeg6%MY3~&7cb8y0(0~@AJlKC
zjr{@Y`3a?kD~D-hAs$b;CoyFHm`2gtF{dwa7c$!innCIhv{1}lD&6&2nXMnbXY@gg
z;uMsWIY4=5z<<TAN*tPh3-I=9qAxBInx^d5bPQSoc4|WU3yi6(S(Uhm|G{X0fAU6!
z7jxex{|->VdY8JcK#!`t%ase`1hV(jKKO(xqiig86qNY@7vq9`pg0=8V-H%qhg#C&
zmj!o@h9B|>=<*2nmBL$pk%|lL81+xyQE_b%%f-W8EVUL}L!>F<UFC!4D|90{u!cR3
zFZ|_HRPNOdK(tb5&M%PvPaR3$d(o@n==bCo32|xoGvxmK_lQ(!K1F#3_)!tvwluAj
zz6>}QXP^t|oU&K>7Eccl=@UL%Qu>xlF6nvW3!jJNDm6Y8u37RwNQPaAdV3SRmAXv0
zJf<`N1{U{0`6s=6(3ZDSN@fdW2H<zhoU9K@<l-v(^RSNi4SyS)YXOY{6M(lzK<)d`
z%09Gp$ggXiq@7cpLW|yx^QXD~N+|Fj{hZ8u_YY&RaL-WxIRbv%@pFaKS=sf^4MMrn
z%}bPYL13NijTgRF%qv<Byk6pQ1NT@c9tC&*l~>H;Gr`sqB?T-yt>+xxhSc<9ZNS>&
zDjdoC*FLyU+zXynAR6*8Wx-CoCq(i^OGDJ%zjlqHwF9FUo(~Gdco+GIoW>8mJEI<u
z<FA)H49E^ogY-kco>`a!qO7N3A36SkTp2&4(1YOICoKF@jC%NdQRqpMT3$nIN5Ki<
zhX5BOt$HI8DpzD2O8r-Kd-x$B-vNa(m&o1YctfCxfBhPPmWn^(IR;}I!b^B72*Ptt
zFCEg-=x=#UYIA-i8mptB!Q<c6_=V<T{A;3*zlBH%(jBBI-k=+52c`W~EVWPl2`|kt
zokV+in^zO^O~%<z;ou*ftvPk8ffDGMNRLwVD1?3F3jQnl+Y$d`1b&_bIGG#>T)5DY
z{g?Xu6s0=!FAVd&=!-zvGdU7Ne<Qw>!PtpSSc>}(T`9abq1@9+1)f)^4!HCQPvLZQ
zF5HFe+Zmt%H;lW`^NZH~=Z<d=T@`ole`}581>Qq~wlLn9u`6WxhSw@x8rSqFAb_3R
z^)s9jO4rWml{&sEynI04<18pWZ(`^3{(^lg)zgP38=sb_`yME!F!qOC5d1I9Uf`Q3
zgdc|CZ&=}zBtZi*vnYMt0K0grK=^Nl;J?fftv*TBLZ?FhibC1N{|VVGVdo3WM{*nR
z9)BcSanduaZb?abTTWmm3voQ}9$!EoHlodt-;=OtoZ4OBqlhX)<k_{@+42qS&vO-0
z@*dH5kt<&CuMvq>+7IsZ__g@GCNmT`z6gHZ4#z!0CDP9E)$Gwuo_*^0je&;oB({b>
z;Xr=TBkXfojYi#~<T)<kbRp~$tRkk6V#!b0EbvWY89aPFEsX@D6IMPPYxx{0l>(BP
z`j_-4P{S=f*0K$gc4BCT8+R6Hf%jM>620h%`S1P2?9<2zTra!|df~V60(TmI_S9*S
z4wM)YD;7h(8jx=$yfKFYmSBLt@=2NS9tLQ>oIk2Zp6+4%B;LPN@&-B$pLx+fdM$fr
z`5ZmZKd*<}!1ME}1^QaFk+A>hkHi6sH5#^3A*?_!85+Uh-38A{g4ed0<-tN{OZwxD
z2Bc0Q|45NBqWxGTucQV~n(tl3PfdYmL@gk^TH(HgpYhVgKbaHDm7G(!1%H4160_u5
zCqF|x{l;HLRt$zo9z5IPebGu*q6OOZusO6RG-~}6IvXfe+9PWFdsDpBFScdb#Ts-{
z;-@;!$S=Lb5~*R@4+^n0;rL#wvHnzyza0git3NKR#1_31t+|iTaMV8v=^R`KO8;)4
zD(EfL|5IU6pi+s)y51SD=YTP)3H(@f89lT`HNjch_$Agq{S(E-<jQr5e1!hV1M1=)
zMf*S9Pis_=yGxY4F4&r9$xwUp;v<2t>%*IsQNYN@K(2DW2VV0%Ov&@Z2j}pvdM|xa
zm>Jl`g!FO*nB>=dpgVf^+61)I1Z~6f$q#Y^QUs}@ntI$xuU5jzfV>D^ql9w*tFk?5
zW3tb(o7!FvH%>+UVSJzz^6JD939HYOfw4WY<eBAAHv%q{7`J#rv(h7C40JhANJOZB
zC!dR#pP^DkQdQ9k-VOp7h%^h6mE`l>0X|TR{gu+c1aeOAh^tUT@sBI4WV9ueg&nI(
zMPa9Rxl)!UmnfCyR8oVYkB97;qIx_mUUDClIS}3gbR(IUjKbX~!k(%u+!tk_Rbrf=
z&7B_qEBxfcwKYE9eZ(5MfY^V9bvemB#Ru!*W&g)LC)@i``W@a(kskRyy=cd;k%<%w
z_A0z$ku>}T*eg;pPa*fth{lUtjDP)D8sz!t!LNvyV2q!5RL~RomAI=U&YkuMpV$xa
zy@cnUW}C%IPx6mIqy_e=WcvZW8U_3;b_@g0m8*<}{(pxI<!+UJoTa4@=qtu1#!Gwk
zh|wYX!oHRP43JW!KKhWb2B8rC1l#lPS{C?^qwKHA4=6<<jzX<_xlf_p4Unfemi`l@
z(x4n>-#(HSirhnqjl$wzkJ7K<C-cZB@#vJ;#A%(t9IH3~_&ToWw>mH)i1YLA2H1M|
zbo_m#xwt=it58w&BWUv!I^q9w3d$|6ir5c_;Ej0)_W;ic?hnsAgdsQ=zQ#1H1&q3s
zhZo(Ce}Bny@Opq}@<wSS4W8qJUX%WMB6ktR40srEP!dxknyP;mr6~S|b><XFw&KU$
z08XEx%D?Tj7Z>|)YyQ8u;nU=-rM(l6m&S4jxMI2SNgARqaFX-?kyD^K!FtN#5;{;M
zHaoz37}-p2NKa@`vPvtbK|QrmdM|#(@>Q>IfjutS@)7KBBt1SUZz|zVq-Tirh6ndk
z_~ze|ULL;+Kk<{_@8?5BBEC;->7-+IV(}Alz;g<XHt$CEgWu^D4e`Shsus#9?89cX
z_;>ymUc&u7NFVrv)NvN`>>-(BJ-#W>2=@V%k-ra|aVy4S^YJ_3FZXr=mB{i>;m>(1
zP`WfnSwSvy((-|q{e$E4ar8W*;w$%d5#@Ps?2TTeIr4Yn3(tJ<p8(I6vm7bv6~&iD
zu76LY;CYc4V*k_)=2Y-f0of7EKSd&ppLjf=S#cG-R(YoI49RK6v;aq>*K)_6m&NaE
zLB8xzjkxGQiQ;;3W_e+KKWPI}&R;hDqy<Yn30j9f7NB5^?1}eS^f}7v5JcMJImTli
z#>FVq^lGs;M-c&1L|-iF;=#KFX5izhoZ?D`(V#p>Z$?iFO5A1mr|>_S-DeK&(2LRa
zTgTy5{;#EjF@Z0KuoBPe7-r$XU63acY=M}dliYmp$(*E2;8fv#WxU+t*V_kb1aUT$
zQHm6v;-`p}l|5TMoxI3>l;kymMT`{_ML%9?wE0HSGsXSK`0<*>o`Xlh`;^Ao4wNna
zND4Y7^%PzY5TG`XD+=VV&@PJs`Y!&eMRQ?!(*qTtypUhc!;5h20B(7EcAcruO020*
zqz!@S`zr6MC6D(By(M=pntM9`L%yXzE%rpT8rbgPcN;i=>LXh?1aA;*b<o@a?9a3d
zsZCPzc!BU-9Ph_3ggpnu(#A+^!S^Fz?E%EAZo+?WeLUh_P+Ha~oaz&lZ?x@>fKTFs
zR*qmda#{5vR@TQz?GgV6axp7{vq4!7tqkvcIQd1q^K8klW1PHv_}L&<fiH*h{ZC!w
z*(vcqR12m5<)<IsTFGgzuOV#_<0yTVJ>g`3J^xI9_#Ktp*1vKl)Pq8;(AQfir__Hi
zA0zX~;$!vR@GRDYCy}wAbGX%7_{pHwH>mSh;6m8dQ+zV82{<m_lx8eKWdc|stx4MR
zB6wE}^dVF_aLv;_2IZsBVu<pD7Q7iO+1ay*Tshrq6fIwPR?|D{QDKpiGUkDCFLJ7M
zfARbt1kHc!$+W^WjB|d!WYM<p)I<h`t{h5<X1k>{qYevWi`Q<59#L1GqwKth_Y%q3
z0REJwMX$9YP*>U^{cN7r{7Lxruf|!?O)Ep*^+DU^<i}KzYX2YqO@)>&_EzYbB8BIY
ziaA$Vp}7C_tjhm$BPpX(7rX|M3BXkGXG==Pr!L+BcND+rz^{)%Rj-k<w!uFC1*5hT
z*7<Fyu@BbsFDUWO@ik%j&mt$h)FHGWH4nnF{{*$3J^s+~n_%IKWg^mcA3P3wg<AgG
zKIoyW!51Ay?$y&6M01h1=0U3tXx8|D$cy~<cJ9XreJOko_vh)?j;CJ)^1b^E{iDW8
zkIBhKfjW`sLlXTgJFW;%6a7(Qpd^x3qH$%fcR4~2{=fV={@MSwyW{iWQ}LcLbljuf
z+tTGuL?%$9@+5^kRqoUru+Kc%!KaNC_TIgF|5#geF|Ve~e}?ImUdaH&InT%HpM#QC
z{W<bp5q`Y?$d|Y}!8BPxCacM$PXZAmSn?GDS1SF{zXQt`V%5n#c-9E~eKO01pZB3(
z7o+ECC$NO!qa@Y%<*vV!mme4({*yB-Nxg>mQ^NRw6N%M<v$#W{GH<NHViXXoF7Jao
z;_ZjwT{8qxKI~0#=;0yxh0gzPO8wJX;J@eIG2UCDp$Qg0ffx_(?F>)g-yY~=ViVvO
z)XcmmQ7-h1q)));PyH<fpPkexT#CK-=2$$)jH1A!3gVjIe)PC7uCXmpme>{K&D`Un
zgX(~@O#&snBYA;P^)blIZQvN`fY?>f>zQC0BE3Z4m9yd*I(qzJ{M!wAeB}5gfwq8u
zf$>@A*}-UW9ekF%I4XrahC%v&B~Y73_c;E`IXQ+th5v=}Pn`-MAFnjV2eLBs@sC>2
zA`d%LT;7X#TiaV0jY9qN>R?3V>|yBVZylc_<AeJU`u+*u{WzjMf7IUUKx_i{hkYlw
z>rU|E!SVSrn8gI=o@9Iq<rn@}xJF6;{Bl9820t(MO5)ju_@JCUO-%{9n@~uwjl$RW
z@_|bQC?n506cu79pPTHax@m4rx0YMSt>-py)7=a=%WdQ~ahtg<+*WQ|x4qlZ&2c-q
zxo&@Vq&vzT=U(Vea3{I>?qqk0JI$T$&U9zHbKJS^Ja@jk&|Ty%c9*zI-DU1_w?G+c
z0rr4O#5*^WRSNXZH0(i9Q`J(nRUPQ2^;CV;0PkK)R~d-7^x+L`*{YFhteP0*jA)~w
zk!y4@rWjL=X~t}0wXw!{)_Bf%-q>ioXlypN8m}0y8rzK5jMt4fjP1so#t!2x;~nE&
zV~_EP@u~5d@wxGZ@ul&VvCsJ0IADBZ95lW+el(64KN&w8zZgf2Uya|4-;F<vKXnzI
zsvGErx``g9N9xgfte&JN>#2H%nP-kLzcBZiUz-QaL+1D9&*tyuG4n6WuuRLcY%9{L
zZq>IMSS{>3>^tqd?7QuI?ECDs_5=2V_QUog_M`S=ZnPWcCSfF!-4wTmTidPc)^{7a
znXb>xb{o4*-R5pfx3$~O?ck1f$Ga2Vi`=R1#qJDumV1eNse74wxx2u<!o3nLj8z&w
zJB#ndaS^{)2HuD$RTg$(G-7FDR0UNL^Tn0%2AryhACANOGpl3nqKE3K#^X6Wtk$VV
z)D!9>wO9S3jv8+p9~+0Xt1Fs|&1GhRxx!p&UT5B7-eImW?=tT*?>8SXA2c_aZ=3I!
zpIR?jo2{3vE!I}+73)=NoAsLYy7h*&-Fnm7VZCL&ZM|ddwBEILS?^i9t@o`x)(6&y
z)?w>MyS!c3?q?6SC)=0X^X*mk2Kz<(C3~~I#eT(p3-@HWT?u7`v^&5(8^?0EN4bk6
z!3$g!?V|pp_6CfjR<_&O?SiS2?ruNS80?;}qTFHb2vyM?<Bq|dYv7Z{SSXA|6O76u
z_%^~l?*(T4f^QSxR<vpg-0Gs50k@{9=D@8rss-@tS=AEwwMn%ywiw$~Tj17ql_Pki
zIs>zIscyioJ*o#r?o-thn6*#!26i1(eT+lKAvFNF^_w~yW9q7NfmK!1P+(T7IuE$j
zP@NC_YN9Rxjtx_SXCqY}aBZ|2u4m{OY6M33Z8Z|3_@SDH5$mTe#XV0}b1`c3)n$TT
zY927`9yMPuOkE*3rmh5*J*<`h(;iVv1>4jzjPM3kfH8hat#FetVpnl|FCgp&=weK&
zg7SQLZtoE@4R;{&qd=)CpiZ2@*lYxaZPQi!=Lg|@IgF~jV-mHEJ=#Tow*m{$2Ks6!
z6FdZ*1F5TUg;>=HBYUwi-I!s_G-jbSp;)2Lk7c|tT0sib9dsw%Rrk?-bw52opRLc+
z=j%~=qP|$q)X(bY^z-@!y-~lYH|dwmNHfYTYnC&k&5GtQVC`~Z>pkWp<_qRa=4SI{
zbBFn^`I-5-x!?Q~lzQBXw&JY>E6GZ;>XK3$TIp5~tEY9A)ywK_^|AU|{jC1h04vWL
zZjG=;TBEGd));H7HO?AuEwUC{H(EDaw_3MZ4_WK1_0~IhCNJ0<fy0~Zm+g1#o%Vb7
zr}hu_Vf#n>C;O=VoBfCVr&Gp>bfTQHPB|yqDeuHM6`YDrqI0ivpR?9^Kt>u^bjZBW
zoNHcY&NDAJ=bH=6h2|AFV_2;LZS#8b2J;8=uzd{ws$<Ojqowmfjk|as{m{ottV^wx
z=-VCkZ@6L%u2R*Bb*eelokTpV6#SAv1u5XUiK?~{r&5gsqoq+<FyClobTfJxjg3A=
zf8?EQJZ-cke_g|8bvOCz{ot?Lj0eG8w;K<UyFQF3xZ79{4*R*Wf!y_JV?Ungvv{W8
zf;WE$9=j1-_D5qAxa`lyOXRSdH9p1`ZR^IyR^3cDGkyW~Y%`8puiFX6-*$aFL-)0P
z_RV^reXD)D-sE2IUaz+ZzUg*)5?&-U*&MEX=16m-QNx^MPBLnO9-cF5Io~)3jgBZ6
z2OhQp6B^f;*D2S$(R^G*nNOI{sJiC!<`$K1zG`k$P0csVH&k<A$Xlv~xzl`CwKCr`
zcdIt$2j&6Q&ivN=UiCJAw4zjhE5@p%CRtUjBsIlKwbIljRxPWRx)eB6PtCO&TA6B|
z)yQh47TV9-UxM29*}tkM<k_oj_Fs;xUPqsztc$JLa8Av!<|xOSYZWNhy4t!%#R8{p
zRMmi2H>>Kvty@*Rb)WT+N&tqfQ)$4m^{R#&;YNWLwTdKXF@P->sxrWsxxkLg%*&Jp
z=FC%(z@E!h1Tbhm?t6i`Kv}?~g~~Cn06v+hUlY7kz7hCZpxqe2iuhW<jTDrSIer6j
zISpm&<7+}5Hw2V-l-iKUS)loBd|hzQ#%QCjIvaH-sA+(!AWbZzl98@VBg1H-w2^1b
zMtZ4nwX%)1#)HZQ-aM`%K>b^g|BCSn;11($z<0n?BOsmkBMp2}w%~{|fFll|t1GEU
zaL~re)NOTJ(8UMV2da#{+`d+oaj$c)N1rutTPsTs*Ta?86Z8a>oua28=VE;^&s(6P
z8<YV``azlIVe_!E>|>xQjc;wp^)FPk`K9?KO6)h$4@mj1F>*heKVlSrHh)I?SMyiE
z-%QN5L-PNQk^aN{137=0e<>})if3wCriy_sV5>;Wv0OasNDHw&RunL)JTM6(ZpB)$
zD#EH}VP`sM4ApTq-ilW?vC6gT0jnILYUHF_kY2#8#wyxsVl_d2bE^elOJG}sy~Ez2
z%G&SR@2V(!x4j$bPwY<s57-9)zq7wn<?LVVUy%M2xEO`|tOnlki;9K5b5zAa=lK;m
zzd=e_I$!65O5Qf#1}^O~cVUd{TlG~HXfq8|RdB_Asv>yISXBXh<`VSaQtMJx7W`%<
z?(;V5HdWcW!@5J+;Ca6(6Z|Jql>rZmQI)`lDyj(ZqN=JK_))Bi0Z*!?qQRG{tMcH4
ziNGdpwC8geib1s0MB?W}^f(HbC0II<SUM4UKxK6vbb%_W6{J>G>`WGmZ(C?LajHEu
zoNDR<XgSqYM`$|nY8Yf#0<;~$?Fq!~3yIs!K?gO}RA`>HuwGj5d;;-&0`Yu0bWfj}
zL2PeBY;OmRp^-YDINt$UL=!bzHH9WMRQ1NU8L42RItSloq=kuUCcZ7y75GjgT})Ij
zsF%_6t>6W%)Enw^^!y984}IRRzC&-nS4Ys>pYUx)t>j|$n-QbNlbR-wnwlG}jLvGR
z(beb*twbnm0x4^{agA}GnnC(%NBZgjUi`G04gUK)O1@ycfLa@kjVL2@H-U6F0UGj~
zI4jgQfz;Oly!>61fwm0zx$!y93O!CRelQLrEmS#OxH!&2Pgb)@p%;=uFC=YFAZ=a<
z9^Fp$*By07H4w7A6Lg=>y0aRmyXkJo@2PvLA^I$R7IOONKI$Au`o5|Oq<uft6cT>`
zG$wr2U_D3=Qd1!P&qw|+Jq-Gh(DraWUXNFUNZ})(nNLz9^+oz3K%w?gdYYbww9xzj
zXi_tgzC>RFI7iPx3zzH5kzS}50$!=FM*G+3mFN|;30!5n-j4K}dKdD))<3B{GuBK}
zBh4(c6<}+#3vvdS7a*Ny4hLLpE>=CEbu3qvp)apceIaqKQMDj(z|o;Q-=fBvx0$yA
z-frHm8bLd`LnWGbns=(I=4x{_<jY;=U8;h4uX!)d-f!NIx(}KUsx)(*xeht&&Go4J
zsQIWm3-ap;b&>g``6OC?+I$*kUoc-lYcHBFsy@)mH=*Q9=1VHe+yWWb7c%Zuv?emH
zk@*&6+*ruCow(w=kaQKy-H>#BA?ZFq|35K5#aU=cXid1_XmY`5^DA?os!m>5k-TsW
zteykll;4`)sv2Vd;H+@RSo4Va6Vk#X$C$sEzaTA~att|T0y$-4a>_B#!v0jfpotwr
z8R44c&A-j#kbA;A6JSSaq)l+pDzK+4q=k>BkdKbB%2;KPBiwY1Rn{t}CR^pL@+zA=
zHP)(NRlwOwkkr*7sjC7Cmu+mtS#d}UuT3Ja9YbF0gBF;8{3OWq+K}m~ss?nzG~|e6
zPk>~vi?nd!G33NPNco1U7x{5{D-#mGHo5X>a^*2rGpiZO3vV7n-rN|{emc1OENd2^
z$oxpi{L551Yo0X^y1?bu<=~$4t@%hVuofV_(7FO87g>wcEbB_^N>vxy=3=CmSWA#z
z3VmTF^@W+%T5By@d%$`SaFex3O@;RK68QDY*2|C;uUfAHzHYs)GN6sWh4eetJAm(6
z?<x}(*)GVR_pJ9ITXtK!!N=dX-iOrMW5JH0RE>b8_95)7kF3LJ^QiTQ(sl*A8eo09
zzRIvW*h7#WZjV!@J>DL#^6d-l$&jQM*;j)5FSeH{mvTA6zRtc$WkNH%L-m6te7EXu
z-)rBiCfWDf_ajFvl}WHs9#viK$Lz;cH(DxP?5FLgk$%R024$YNpI7yuVZW&2p<!=Q
zm1xJr!(QC1>OkXuS=AKF5oceuUsZATHv2WCU$<XZ4eU4U?MT0AzlpTS$%gh@urSl@
zx9zu8edy}%s7}z=ccP5Q&lr1`{T|XHMH|}h+k24y!2SU3e`tS*^hfqbD%IX=e~h%q
z*oM&a@kSy0Gy5~N|GE9S%CWzI?iUZ;Z=dRH@3;4(KVRElBS)lhL;D;1AkyF3-=YtP
z>_bS4d``B%x4%aVKiEI0T-XhVk$=QKg1h_4{s~wA+5Q<hBEuWPo;Zs1uh1<UK)3t@
z{THbo10Cis<o|8|jatX;<EoxxIEIRMOvePY99uPT9B85G(2u`S1EEVsz(y|PMyj%I
z6!gj{YETy{tzN`WzVgOhAxR68*~S<82)>c{=c;m)&Dg0G->S%qgya=DT^*i>val@5
z;hRPeL{&=eda%7Kz^_vg-+HjYE2#`h@hnR5CY0i>!lZZyO7TvV;$0}kyQ9@ac!-kl
z1vkJqg0eh{vb+N98Tr=6Hy)+x;Jo;fYCx(tz(3JnTfhg9j$;PCqRD1Lnv0BYK^fmV
zOvZPljL)Tv?@Af3;V<chyX>v{U_3<Mb=5#f`g&@Jx)AxI`&LpHLtm&$sb5*mQVTIA
zBKxbWMQSnnz69SiwG`iEwG4ClY3dqvE6T5e7p5NkFze9HBWeTg;0b)|sVCL*=&5K7
zS!xTuG1MEHKyUa6+QVLG56!7PbfEUoh1x@RY7h0)&-iAGM+fcvif<hJ8!^zWD;O13
z9q1FW(8c3m{UyQrOGmzF>J^NpMoU$LK9Cl$1beD@<1FJWl>(cv7fQk^MEY!F7|P@s
zQ_#*-V=C%SGiIrp@W#zX&Lzg>s-ZF8SgbOQCB_mJP3@!+w3F5FrL2LD(lks*$)%3c
zl|Gg_@Z&v)mPJR2fH&_Yw6@vUjDBu4wjwQdLJP4yk%sLF_?7{i4IZnvQAR9>T<R_@
zj9tciXlJ*v8)rq2X(4_;<a}v-iS$>-SE#!mI!ztes9z%oRx0}Zo$(#g-y7ef=c45_
zqLx#KT25DLIZ@Pd8qp4k)s=N+Rh1e~3$b1yS3Lf^+1d;aD_q!tXKV|&_Eu{vc={{W
zE8y?Kmn*_kwhgjPxN|l5%ie&b*=}uDsp2<7zVPe1@ScG~k!#n5|7WL4C-3%=cQ+>Q
zZb{zVhP=Byd3O$ZcW3hMZhqeVqxBQ6{<HN9dL?|^vHrCFM*GL@7}!q2(<|E5?F3bY
zoV}Xez)n{Qc7~k+PUo|m05-MT<7@}JkE(0;wfmx0KYNg>1^?X;<eY2gftQIS@KF+!
zrzB_$NpQJp2|v}9su|@$dt2<Z&Xfn;?3?YIQTJAR72s|5?W&4c_n=v=o+j^!C*MgT
zmq{XL$s`|1A_qw#@9>d#X!4F!@(vRe7l)c+0n{Szu*o~>&;qDV3m}_ZBY|8aixxm9
zS^&++FWS%!$Og}7pxTgYWRq*OA=gMI*MN^4-xP9<G;)m^v<zyJYt$y!XilyXPp;9C
z{33}wB8eO!6Eyz>dLy*$BUNi!1F58Ei}Y-hp6k#8s1CZVpxV<8$R@33!9UXyIbscT
zBE`0$P0-Bf3A$|qD!l+u?1OC5WE;|CGO5v^t&l=GtU+6$HtDcADX<MKhGw)FI*}Sv
zK#eb=HL)AANr&0+vcHNPu^yVyddMaP)+Pm}koMZpE7}=;s*h1p=r9Fz_!-ilgBqKO
zA0BD3EwVv@2ay(UX&X{tGOdkfq(g&rm_m!S9WB;$(qwbeWCCe2fi&5g)R;~CBf%VH
zj#9bQzbacZteL73wXn+8Z1`VV2K_IWse07K>QWbTEz!m5QWtZni&dsB)|k3jQ|e-k
zsf#tGF4l;;SR>lMRjiw=n^X(y7V8$kRn{s%v4~sIBCc<(wpPR1zt6f4R~OyQvF^9-
zM_M#E$9mX$808<a9szvRdKB<!>uJ@%dd7N2HKcymiTtGuJnoxS4*5$W_{%Fu3r|TT
zPst%qi3CsCfqda3iR2?W<RgjXBRS+FQRE|K$w$hOk3^G?lqVmFAs?wgK2ni<q>Lqe
zq=WSf_(%@<NFw;iUq}ld$sr#}Bp=BkABhAXX^ec~9XZq%6UixZ$SI=8Bg#@+EJyB8
zp4_1VxkE+!7W)>|S_Qt4<5Y1lb3u;*`~~nB#L{CBM~^{<lk6m`CQho8s@hVcsY{K<
zrAAYi8chQD$z)oiTDRBj;Zy3MJE)4ZOrvy;&QZ~{Pn+vpovRwqO0A*0=q^Zi)m_2k
z#bVXEyY7J;v0IzaZmpqv>0Zd`t$V8!+OTzL!)DNi&DQ;Of0aN>HiDLHk{+lBs_L|7
zwH~Yo<GSbQbJ4<3Jyg{Y54XzJ7if4cbe_(G-%9M<7(GIdP-QqXP!=BWQLs;CexSS_
zqsORB%u0<_mGn40PF1Ew9IG$X7a~VIUvco4PgIR)9j9XMYO+eDja-{Hazo5zO;tWx
z%Bi%J9X(yc>%p0aRQTCvs#<!Mo`s&w*0XUfv7l4+r5YX|Jy*{~A1>4La4oT>Q}ukk
z0CmNtPSscFE0DiPFG9|hu&lMdR^NjAy;ZNr{XVLn#{E8{pTW323yV8jZ`N<%uD9#`
zsP(h{6YU=}9ax2~Syfen^^I9VGt~swr462Hb~XFstk~eG@c0jd-JNIVAwAq2uIh<L
zSk)AdFf0YJI}FUi-3i-dwY^$Zu-DjYR3zq1?t)iL?2%@eox2CNfLJAIm_@k{>9zJ+
zNIbDn49=+3w;!?}QjKY?q}l82btogVE6MhHdp-1Rv0u_@zhv2u+mAyJm-!age!_l2
zCE8Egu-5IT?59vm?3ygtHP5N~)Wf5kgU&%nDy>!$N2?Mq>kuQ8h>HotzpBK%`oz2h
zVp~08TNJS^Q46+JBeum7+o}`W;)rdX=sii)!}KtWzTj3vzkgJ4E1kHNLELIh+{z?w
zWfQkd;#MYct1fY?198hDZnYwAWzlO`QwxUGB8FuV!)#($BVt$<G0Y%_HKIo*3%CX8
zM6Al9U#0<ZD}%U|3Ea92m^Tj?)|?oYMGR|149g;hH7ABOq6eoFJvdeA!AYbCrz$--
zo%ARA6HtQqaT*Y}GKgE5z^w>)cgvV%;Qfy@Baw~*wl$}(C(BF*&ebB$H6qSs(eKlM
zn3qY+%Od7w(g&1fjxa~44#d1RlsrD-pGo;sp7JM}@~1rIPZP?YWcmV9DSuKZe_|+q
zQYe37D1XXR{xqfhX-4_el=7z;<xgYEpT?9w6)1n&Q~tE4{Ao}5lS}zigYqYh@}~*q
zPcr3C6Uv`t%AfX>KkX@h+Ef0tB>gy`A87BSoVKK#7NneVq?{I{oOsSZwjj+oq?s0^
znU18Hc+d<a8>uCS)DlT*DNAaJ2&0xVq?UH1mKLOzvh)Ht_Otf0XyG|fPCLqkij)ae
zC=)7CCRC<Os7-0mnbcK>)D=g`kV452L&+d|=EL;cX>*CW6f-}|%w^y-;=}V{*1G`S
zHSy%7(v#N$bKuvi`j`j54mmfPHzO@xy_)8&=B-GtGFPc`^zg;d!<SAEUsHPcqUhnP
zirMouX!$PlZj`^rya#FV_SM0RI{1yb)?AA;=GM`sc>d~}519|6590rGFpv2N`X*k$
z7<vKAn2%vDt3G{!N$>?eg}R<E@EOc*rDAsLd7Kr$U{iCWxe;mc4z{9quqM5O2{J2+
zHpNGnN*`eha~o#EQt2s7#cbFP^iceTG4vN!rN7XJnX&iKns^OU={3~mhvrA<=U#I!
zdj7HbG0ut~u_pb9P3b{2;X(XLHAB3_K6o5uP9=kW#8~<flj%on20!9=n3ww=-o#{h
z6MsTl{D^7vBi1#Knn#fqZ(=mPi4DTMiD~pER;D*G1Kvc~Hs*176Enndp=!aKXh5UW
z@F~`UPtn3$ns^iI(wi7-MOc^tqffB{eTvbXp>g3&tbp<rt%@p(-o#{j6YGX~6YJ8O
zSc~4oG<p-O!<(3hnGx|OCexePjNZg#dJ~iBP0XM-F`9nF%Jd^<Soq>9;!RAp8e2^;
z7ueKlihhbWu`a!dX`VNco-jk^npJbmHopkVZ4>-qne>On(I1vVe^_()!?wa__6odW
zDe#KDhP3#@YQP`%2GZN@?U)S`uUPpouUHd$#Ukkyt3t0>CcI+1Q2sspJzPb+VzuEF
zdmlM_;2WzA-`Iy}Q@mpJ=oO2jSInkYtRlT)<>?iRpjWIOy<&;*ihYf`;t$J)KkOUy
z@F2Wm_2?CALa$godc|7OD^`PEv3QwH$Nh>|EQMaN=J1OBg0%R<GU*R1Pk&ey`ol8q
zzu*t6M}Jrf{b2^2SB8pnw4+rGdd2F|D^`PEF`1{7I1;VK0c|W;WfA!LXn9^p%hN~8
z)3Z4n(dNXH!nZlC%~p`%)nPHpe3LiFltJ5aGA+hz+KNqSAGW4tIF2@<k2ax?HsOV|
z2|a7D5v{={v;*7F4xB(sZ!+z-Y}#zCX`xM~-PM|wQZ_B33|d4Pw1~#j7RsPR8cu$f
z0DiYj<&)E;kkjRp)Ab>z>n+hfI4d(3walBq>GH|x>Vwm*LRw}q>XXNr<Z)+_$JHQ@
zt3w`_&$)~w^KS6CeDXLGJZ>%0GOy7a(L)a)Ej+Fld0akuoJk&+PaapFJZ>O)Tt0bR
zPtJGLGM@sc%O|HZP2qI;<aGJubZ3#%<&)DjB&VxSPG^AAZAMAqbbZL_dXv-Tlhc{x
zbou0T^*QU=kNmC<`CSrbK;J`M;dgz=?-Ic8K2(#;kHGcv$?x*X@9LA^oyB>RcyhfS
zoHrRpewR#sH-!8y*Zju(Ms+6FOXuv#FwUOT<m|~Xa=jtsdc(-|E+E$%LawLD^%`&v
zWeB-mZF0R~oI^?E9Lg|qJ<U0kVVpxr;~dH`a=lLEdPB(dx{&J)Bi9>3u9wRBlrfx7
z>B{+(nw(D=Mn2eud~g`~;4t#R2AowHMm}hf4-O$8tjk%IVOAoz;rZl-x#WiF<c7n@
z4K=ypFml5ooLi|&o>-eaF_GLbmvbxeoLd<}o;Z{|aTs~x5c0$ZC0O_)sA1XEu-a3@
zYDW#rp@!9t8kQ4g;SZpO)t4I90BTr$sbTe}hSi@MR#j?PgQ;N+riL|`8rHegusTq~
za;agBpoV2r!x}*i%ch1km>Sk#YFLA*VRfX1pF<0OGA;a(miP`cY1L;Umg+Ti5v}@B
zwC6Kv$!F4r&!P=Knl^l6+VIV2!?&Of-;&mQTUzfUX|ZS0O3$>D?0V`VTIr)`nP<`_
z&!SB}nl^c3+T<;0jkl%LiQxQ89_39W<xL*t%^=E~?wo(g<NQlG&cEbQ-qhp#OCBXn
zJxZDioPX&?NmG`RCYq8akMl2OIRBDINmGIIFL|7Q>CX9=JW85#C~5L2X(~|C<WbVp
zqoj$Vq{*YCiQ)W9InKZ2QQlPG{7W7sO*cxKJW861lr;4yY07i{C6AJ35G74_&cEbw
z{-pxtO&;Y<Jw`cHq11_{)G5PRm^@0IL6kZXGG(GBaxNy1QYVj6ryiwFH)^tohCn<-
zb!xJ4)MTqslRcZ>jq|9_j-?LUjykME9kw048yS#TaijrFE5o3bp=o7Uqyd*S5J?({
zAPtlu4MdOz%8&*$tqhwq;E)Dv(ttx6Fi8U@G1~%W->+QY^aIeF9)$18WzQnmvoh>i
z1Y~J0W$6OS&nS9phtOM_P087qlCv3nwQ-2N5O3{J%FhavpXbqAJD=WKc%kuKNN?>G
z^wUPtPrHJC+6;JU8>kiZ(`L|5yMlh&MU=V{JDde?tVAj`r-$}jO5j%X&|XD3ynr6s
z%PE1Q=#L#je{41-aAW#oTT%{Jpd3Dr{@D5S$Hvefn?Zl<74*l(&=b3Yp4dowVpq@;
zyMmtB40>W$&=b3elH5lhY;(%<R`kJMMIY=6`d}mJcU?ihYX<$U8T7lZpx-r;e%B1j
z|5o(4uAr}V1-+~*=w*$hmvsfbtQqvOuArB71--0`=w*$h?%<<;^?Z6(uc98Ykb1;I
z`cyNhM=Yd=Vg@}FXVXJ*4t*0d=$jZ!uf!mFB^uBxQJ!9jTJ%at4CmRZHoX!9>6Mrc
zAJ`Bzn%=LG@P3`AE~B5KJbhpz=&h(hZ^cY{D~8b%HjCbhOX#hbN3TR4{Sm|IiKs(Q
z#6)@`=F$^Uhn|Rf^g-02528Q44|V8ws6)R)4f-7}p_ic!{R?&IQ<zSl!VLJXZa_b8
z)wcuQqt^mHsy85VL_Aod;lX+yJ(tLl^6+DARU_zqm_hHubiG@@k22ze7^pwhpW&={
zB5KeRaS445b?9rDOD{tmdKqfazfgysg*w#Qrcqxrsi~Errq+i#S~PXBWa?rrb+K6L
zVm+vZRi*xwOwFs0U*{5wGMO4ySL#*{b*pG<Rms$(T<TD1)SjwSZz@B*sSh=#WNJwl
zQcLPVEvYK?qcYTwrcpmyOnYz%bt0EK(Nt<f1=NNNYD4kVhWb(u>P<bUfO=3l>Olq6
zgW{<N6;K0;rv{Wr4Jd^gP&_rD?$m$^r~y@`22?-|D3Kaa0X3j*)PM@80i8t+D4rTn
zS!zH9)PUlt0bNYp$ENO6j=E0)b)T}-eF~`i6j1j`q3%;a-6w*&4`TNay%$H_r+~W8
zGU`5ksr&S%?o&YBCy}~O0d=2v>OOJQeY#WksZ8CcFLj@()P3Tq^%PL+iKo_+f>`CA
z@V!esUT4H84_6%-m6wb7<ni#*OVr7glmu5YPH!pW^p;Z+w4)?wLrKt<lAsMGL0d|K
zE2+g)q$ZMHNE4CS%8O3WLB>%B$)XO@h&o8qFdbwH=Mh>{6B$oUB)yO(BC#YFh3O#U
zsDort2WjNjL1fmjH8qj(^hVXBA8Ix|P-E$Ps!Oj^P5PV0(BD*-o~BXsG}Wi4sUba0
zm(tTTnLegD^e#1|cc~`*N^_{`RHBZfsonIW7L!2zC4u@&67`p!)L$&>FO#UbRH4q2
zM6D!=`bYxxkqfAa<Wu`dqTbPy8b>NMjs$8P)u?OqqkfS@%_4!C#RO^=lc-r#p-$0{
zIz=UF5DC;EdNRhc6Qat?srHB~FR!}L^K~{oUtW|)8_MRkl+A6ZH7rz08Tdu&q2-@e
zR;SKA2dL^JW=)x(`iz+}>O!@7Lf*7V>JM?CV0F-O$ZV8_6i<Te%|^^(FEv;VhwVCD
z%|kT9b?SDtRy~Gjg;&(u>O+(?`uFRYqS~@<EUpv<*`JI^ghsHCJ0phT95n*5oHNwr
zh=aIZ-J$MRk3;sps@_3lgIq5b+Cy1fH3d?>G1}>ZsEZ+Lq?&}-iur1}x<TEk9zdkT
zMzu}tL?lF@pRvkB+(|4nh6a%F?NnD-+2^WJDj(4p3six+QLR=FV&?Tl^_qHDeGIL_
z?l2@bMGeU5Hy}kV?$!US6!m=n9{p3);Q{@6q!=~*cW)t*B@U$<LT6~N`axS6ttPA4
z&`VaRo75Wh5Mnhpsn^vmh23h{e_NG@R#O8yNi(eVL&PJZKF6qw)Fsd~u2MIvyAbp7
zlzItT#(N4YzgWkCpP@Ru1{u&+I;!q!0AfwY;+?y55I=IYx<%cM2$84NX0=`IR-gIn
zxQMEWhhCJ4D3%<=qMnV&*Kum9x>Q}s=#qO7QSuCCncr0JBVNS2P6Rv|35YWBLHFte
z{bwLzPRApDWiFyrR>BK$uUfC3MZC!lwFml-SEmf3TO|4>3y~+e>MS)#<st6nVs#l}
zTCP>Msr%HU>N#jmZ>bN|m+Gs$yb06nA%w#T#}iH=oJ}~Na4F$R!dnQ}jL4ok!hV2o
z1K~!(ZG<}s_Y&?WJWTk9K*t)9H+7T~O<0+*I$;W7ZNi3x*@Vpr+Y)vfF=FCmr#s<L
z!bybl2v-u`P530?Ho^}H4~?9ZKhgPHplcCE62=f#B}^bpBdkl9LD+col)MpcOTtcs
zy$A;r4kw&IIGu1F;ZnluCX5@C=iW|uH{k<>>j|GEe4cPK;Wok@gu5o>kC@<oNcb7y
z0mAPIe<u7xV1y!cCS5#nN<>-0iiB~5NrW{C>l6A2n-aDr?3j;3L|4LIgaZhN5Dp_8
zO*nyY3gJw`x%pE@PKsDaxRmf}!W#%z5w0OzOSq131L3oi<+_^)Um@I1xRY=X;U|P&
z5gsHwOn7uEa5&<az%o?{eT3Z!M-t8@yovBJ!tI3nr;eL6I#Lljgk=dU62=iG5!NKE
zPv|3TI(6cR$&sxIyAuv398EZla6aMHgtrquMELB~slKepZG<}s_Y&?WJWTk9z$l9_
znlO$q4KO>ZAz@>})`Xo1dlC*H97;Hna01~pz(!GX2p1AAC%leu72(~44-sx4e4cO%
zVB@Imgu4kpBRoj>GvVI?%SI4ZBupTz4cMftkFY6WYr>9%T?u;;4j>#tIE--g)Qg8t
zEjxj53gJw`xr7S|ml9r0cmv@o!ZlMbo;<beTEY#4n+UfP?jih&@G#*qf#o6yE6*M^
zCBIw>VQs>OgxQ463EL8OBJ57shj1X|u*Oeh_dj(sAwgt?sDkYLcclzSLh1FHz@lqf
zWk1Zqt6cy4at!Doa=&K+P3S$cN>`r8zbj=xUy%Nt8MIMXBL)|aEwmxJm*K}o4<}9L
zc+krc{n4NndHOJgb<Yf9XCqwq%wRI>o(YV?lauxAMOU*c=)wQLoH1Z4$k?9=6x}%n
zJV{o2E8y9G>|gvM|MRLHKPQ-)5=@N^rp^zh1_V>xgQ@nxRMTKeR#S4%gZN&c9big)
zXaBLS|Jc-j6c4YQukAm|ET#OHHSKbY_8%Spu|1C1Lm|Go|LF4{>-vu={$rf~7~?;}
zYs-2<+o)gtH~;_2=qdMOh)0Z!KP9}0dDZc*Z-44gF!e<+wI`U`5ln3frk)L?s@)At
zNv(D};Z1}q36~QtBAiD!n{XQ8B!Op)Wgc!~brI|**^NShll{-74Oo*xAEytqVS7%3
z<vkZx;R;y7x5Hi&+j|S_La{#&!$Yl%2qOmZ{V7IW!)G)%+QSz;z!++bG$tTge~z)x
zSZ-WrtTOI~=XnEs&07#rzsuMQKk*?%+aALrR?#qwYP<1-a7=FK{Wq{~R{k5;`H%9H
z<i9*KIo<%A@y?5EFyVdvS#tse5rAcNiYF^{UGHet_a6^alIZBk(es&dqL)Umie4AJ
zDSBu0S6<73WBK~t|Cs9DvC>%oakT#^7=s>E>Eu6t=s*7K9jiw33TD-^Rg<dv{CUm&
z$I1Sq;1$}ay4ZhQ;XkhRA9whVzxj_x{YU>bVuyJDWBu*KPAKwU@Eq;O-swL+=09%m
zAGdp>82h&OKd!bnPH{E8W7--oKkXr9)QGfJ36$7{8j;Gv&Mh^uGfOV=B2Wrv;A;^W
z3EWPB&EJr7A#GvzcZW{}Yw6uug!KSpn2vEJox*eq)AgCI&vYbqbI?W?Kw?JPc4egP
zVSn6{=DZSCMyCx<+l+eN{rdd%@Gs39ku0Rvg73$`KQR*6y$9*CkOx?;qH4O+vA;*M
zI}I?+oefyWT?m-&&ID{ysN`JaB)f9})7<%hb=-MUhUrnzA^k1F$K-=wr?oqQ<tG8A
zy5j)TT&#w|c;*AvaVG=TbEg2dV$LXFQZ!_ge_Y)qIFn46>Mlk)jj*P>6zMvIMQbc)
z4S}idGS(1S(=7n3LpVwqsSjZs0=}AXzgxJcMzpXVs3kjgSZaJQHC0+--hyD>6T#F+
zfs}z=JiNLFq=MT@Y8VZf2MkeV4MfMdb&PDl0X)}<=cE**m%qF`3tr!lJNDXG9mvyJ
zNTF`3tk%djIvI=fVtvGHY_>HQTT8KS<RNE{>$qLrA?{ZZ8zPRDX<lY_nO%_?c;ap0
zG3*5&)%nHny>;qI_yD)S^Y%7;Vte7OI)GWapVc2gea9%PA$812ZjOGF$6URW$Hf|Z
z4IqDs-o@im{SJ@I^jkbG*H|No^952L`^T_8j;xO(>*L7!II=#DtdAq><5-}#V-@`*
zP0Y|TDrpi6?bg%R0H$lfk{o>{V6K#O$LJM+i?v|H5`8t`QZ2Z!ObcEt*H-}+oQSvj
zdgLc#j!N3U4lqYw3z&<DYiaE!z$N--z-9VIz~zv3E$LtE2cPP2V9OMEGUvmOyAnRe
zHSnuG2Jhb{_;R<yx4H)s<tud%Qst;RhPf<nJRuh_KDqiM9vABmcwC}C=5eY1kjG^j
z@*m}v>%BY{NPUb;jz)bPSszE%$C34MWPKc2A4k^5u|U7a@w^Rpk&M|mx!+ZQIr>(>
zTsey|Tm!gR-wC)x-wn7_3l=WZcK|NecL5f_M=a}q>cZ377-P{M7}gVB-NC@Ik$N4j
zF-zZva><zMlWVL8tfwCVOxNcEHq!S3=IDC>bM-@ji}eG5OZ0<)%k=$#%k{&6#XYUZ
zk)MqDLuvUjz#RQ3U@l_frJW}Mm*}Sem+2<}MV?uhXGA%yv<z~a02kNK;Y>1SAf>gJ
z0PE>Zfa&^tz()F6z#P31aIt;?aEZp+PVk~L$AHiHBy;qqJm%`JcwDTZ^O2(V^SD%h
z$>TEpIgiWrJ{}7&1L|P_>f?#BK8~!9;}Wa@kbKt1k@az8eH;rgk17<k8E~@R1~^@B
z!5t-I-c?2bE1z+{C<8or4REo>DrmI&2H;Zt3gB}6Iw0bE@#I_6`#k{O{E>{qn*)FT
za!|od(5dbQ9jpg;c^>}uZSaKeQXiV_*tcY}J&$Q-TOM=FHazB<U3eU2cH(id*^$R3
zW@jFknmIf!Gdu9O+|1>%K!1ZCCF_HLY5E9YJ^dqKx;_AyqrV2s#hkHrN13ew$LQ|?
z7wbcSOY~vDrTRO-W%^sd<@yJ};_&V$@{{$ifNA;{z#RQEU@lf$NNc|XF42DgF4MmO
zE{E^Jhk1zhm_z9U${41`V#Z^pnuj@p6`1k41v4=BV&3C1%t(*}n>~0p$!1R;(@fYu
zcw#wbHy(4bVnhCqGW+nj*zCpQ60;wVOU>RqE;G;Kak<%-#{&H~dXub=1Ey*0uY!Ib
z1I#sH@1V7=fMZM(aIpz5guBGF0hgMH<aC!oMZukz7GME<TinG;Bt5uaSICqB;D5s)
zRVIJ~&V)X_&@6+J$z~*AnpqLBo>>7fU5nn($czBYF<ro1vl8GavkKrivohcWtR2v9
zz8MX;*enaU#Eb!4YKm-KW<~)nH_HPS^K8s&$WJz_1E!fGfpbjEfZ-}hfQ!upz$IoP
z;4(8F5b{B!vYCQ(j+qRYTdKROfs)B)O~5oW9k8C+5HKC<cI58T0CUV#z+AHd;3zW_
zaGaR|I00*K<nHPME;efeE`jzgcUK2+nF$>dcUKRv;I#2(5TA3hIhe;Zb0Cj7=Gi>v
zVvUc7H$!<`Y!2aZi3yt<__WkKm&ax1IXo^m&*QPcY=qt<n~ed}%xu6MGYc>mdw9sb
z4FDWtHV0g6HU(T_wgg;iHUnH{HUV62wg4>VX+bMMYtSjs8Z-*D0DS^2K$}1d&?V3U
zGzqi-J)-y)-bcPjL22P5K#_pb!pDFj{iKCGfFk*dZ{aiK3m29az5)~uDlO~>6z(Z4
zd=4m_Q(B1fwC8}X8=wI2G#RD#fWpsYl-d9aFOyN~1Sot=#-}r&@Gu#l4uHbHPS$b{
zoE2^$Eq4bLP9QD!2NW(KE%yQx4j?V}1{CU-miq#h+~+|!EBGQU4+Iokk(Mt29Ayp#
z6fBXJ&j%C?k(SQ^6zq_eO;~r>b1gPS>@fVYBqz2ze$in$I2Sw3`}xaA4lGXjh2;!I
z4t~LQ`rtq2zQb}lBPY91PD|v}4(8}sM2jQ3;ZCekTZ0ugvSZ}EvZ4l&4YF(GLx^g?
z3K~Q;Jc?+B#}UQw1Y#K0qsCn*c^_8GJdFIOk@uASw9-`%t635&QNs5wS;G_d#rn5m
zzE}xY!WS#qctz~p5%$G;IEl0<;fr-|>>t*`o$$pjAH{yL;-}az)&Ldv#eHjIEh1M=
ze^1Jfti9I9)+g4d)@Rn|))&^7)>qa(Yrplib-?<@I%s`s9kRZ&zPEmm-7Bpl)=#pY
z9+51+TEAJpTYq3B>@n*v>u;=u#a0BiwoNQCv2Dk8?FhS!9cf3|W$kiyH1@rWK@4t1
zyOLemu3}fUW9>M*8dlB5+X;3e;&PMi6g$;UvuoHj?OJwiyAJlrtcOV526jU`9c%J4
zu_8aq&bAxbjqN5_TieWTZnv;o+O6!?b{o5`-Og^0Xqt|8j@`-5wL9Bg?5=h<ySv@P
z?rEQ8_p*E2=h#E+K3K)y&+cyzu+O#!+Jmr;|6Kb#d#HWBeStm9&O<ct2z#VG${uZx
zvB$zTyU?CsPqZi5`Pk?1B72HG)t+WwY)`jm*fZ@}_H6qSdyajnJ=ea>p2z(>7uXB!
zE9^z~m5AV3VlTCqVQp`Ly~4iAzS_RVUTI&8XrAls8|)kHo3IbSEwT#$_5e6t>^~9r
z{}p^M3D?6hT+%1v_=))ZWHH!$A|{`R!_Ujg9<1xxg!t;sh^xjL9<1PbRpO};hlHJM
z5Qnq_@kehX?r5j1%)z>x-4Z1&>u?YojeThlfAlG$k3N?uXnUWmv_a$%_MAcF(ILbg
zeUEq}*_HAL;+nB~2C>Y)BGTx0#2Ni5k;{lNIxeeZutvs|7$Zg)85RFFURS!3R+XIy
zr;=0IsbXD<h~+rMD_3{oodm=xCm~Wf1#!x0P7SA~18tz<QT6fvI!Y{#4g*wJln%2%
ziT@5dJfD>KpP@sc!dt<QpdnV6qk1A5?mvr<e*+^=z(@N9^eztj2KI6KI{lpf&H(3Z
zXP`648SI?n40X<PhB%P-F-K9Nqm$!wa&n!{P8X-E)6MDb^l*APy`7%US;~kxs8dDi
z#~j4(=b$7G<opqqqhpT696>4B;oXz+I_9uSbS`n`IF~weoy(kg&gIU0XMwZOxx!iG
zT<I)!mN-kDWzKS^z**s3<y`Gt<E(V9b*^)6ac*_sv5k4ffwmIU2feKA)N$%M^_==n
z1E-;r?qoQbPPWs?@j1{}W7aCmxzkzgta0wbzZ8^j>@;zjI?bHsP79}{)5>Y>v~k)y
z9h|lfbh(&?*nzQ>JK3W2Xp|mg4Ytm)hFIrXL#^|y^Q{Z4Va4rx%Ud^MIzf{(V%ox=
ztYg}%Y;%m&&T4OUusT{fRwpah>TGqfx)$4mjbS@oXBOGz`fPVl$-7+R$_B31Qbl2}
z<fhnbr@3ySTk2N2wQl3wp|KBWOmoBp0R9bw&w%9@(->>vt3Vxy)p5F-uCC*Cf=<*)
zI$5XaRGp@4=$g8guC43ny1JgOuNycQIJcn%S&yI$6D?FmY-B^7t}}F|_USC0tsCja
z4m|fU*vk@SER?|>+gN26q08t<9fkRgaynX<*D<<+uBc%jmOqB|>)5kYms3XhKQL~^
z`<%3Sp@vOq&LzBza2}zTKcDFZgbN9;AY4RvC7@9rGXa3>0I{YWKkUYgc^BEoHB)0e
zRI0WCVb7JnT0ew1-2Vn`=l{M|bKA*u#Z&5urIkkiq!##}mOj-^&;n0x0iB=&%AOMX
zk`nA5DP8zmTD#|ePzyB2{Kw^Pv3ekS^`F#Di_uK&7n}&Idoeq-4?J-vcgWD<G*`dA
zYHhS@iUe?OckXb#cQF)w4+G{@-IGcwkwaw@)Kx}Jqdw-`n;NZ+j#vlQi}UWojj_fg
z%)HMw<{67H_rB7&$+#V}?+;+t^d~X@z8UWncpGcD_F~5TfN>bRT>Xs=3nC#$;vltZ
zLPGf<`C4P;Rae~$>#2t5VR|&yJx#$bJ#(>QX{o+i-=J6NHF~XHr#E0t(kA^1)*<cG
zd$9KCD}7KO)<?1Li8dp!OMYdux|w3uHXEARW^>HIbuzn~eawO8P;<CB7W<Y=GiRIg
z%tcspv=VE;Z^v5h2e2~xNvyWsjJ4Byv0CRCRthIz%}Q&G^iXSpH4W<x=V1-ua;%fR
z$-3RT8|wqtTN|v6*p+GrR)~BETlxrWW%zQfmz+Gn&CYPZmz@!STbz-ATb)sWuQ;Ot
zUv<U+ZgUV}W4-2#6G>;i?u-X~!?_S}yE6gsO=lwD4rdbJTTVXU+s<Ubcbtm=cREu5
z-*u(}?sBF9zUN#FxZ9Zy_`Wj(aE~(+@B?QS;D-)&DM#-v(eUb`e{%p|b}j|n;>-oy
z>Rbl+iZc(TUUe?l@SUQE^YL#J`nUl9UUwD(zTsSfyzR~+4KE`4cqQNtXEESg&Jw`4
zouz>9ILiQcI?DmybqWA?IV%9)bFKp1?OYA`zH<%W9%m)s2hO#CA3E15Z6|4XqU~f2
zZ?&DGp^4e4ItnmNmj$c=eM8$dbu?ftT^_KujsdKrD*)Ej6#?ssexfVetI+00x+>sa
z9SiuejsyHeR|EW1!yj#ZrsDxW*9m}M=tRITbrRrLIvH@Eh7a1>4^3KIU+Xl$1G)y_
zH@YU^K@CgL`c}hVY#q{d0Ke1lAY0#Sc#5qbbbY|Xx&h#E=N9xzIky5<(CL5`bp~K1
z4V}fVtbKr0WDeP`s<Q!ObtAwy-54-KHwDbZ4vgB)(#-*Vx&>giZVA{(w*qXeTLU)H
zZ2(38*7kjZQ-Bx;K#Z8xS}Y6uFFds}cvnLoSP!+G#?WL3fyZ=HF4o!fg*{QnX#$)d
zjQ>%vJ~}~jZ;H1@oP+;mVT<HKk8g%|NDRUMa<EJ~L#uC&H%gp~|Ix5hx<JQof%i)c
z#sBiKTDn5xZ;7`}oQMB0uwlAE|8Ip=UFYL}1z0rQVGXp#n<y^8|BA40dcZblgZEMl
z1BT^U11<PHafIFvE(jkk-c`{7aHQ1{aFmq;INIt2IL68a9BaXci+5Ob0UU32g%aBX
z*2PfRMA=Szq|SqF)W|^#u;^C<COK;WlVN$-u<nPzZt^*8kxq5ab<T3K#NI&U0x$qE
z3wY{yOHd{>(3#XiB{l%pL_~mgSKysOR~xzJ1}obBs#vQG7MWOPXKEq1*NFa$`5l20
zjbkAaBMt8;k|-d|aIjy7`6d2Es-ajRbGuq?BpIp32xGMQxCQ+jQ4>Se?Z_K}wBe>R
z=K_>UH6*ggaMJ*_zpVFW6vL3#ZM@+m9q&eB%nkHznVE^eRiJ@G-%nO4m}jnuIKBGN
zzJ1^sh=0W@+8pdP*9Cid^~O5cfqEF$w1&N32z>iJ{Rvirc9mHQSQ{D<Y6|mKFC*4u
zEB10-ixw_WA7PE^esv7%Lsu9>u_p97V+7WOK5mS`y3S{eh4PLIV+mGnZZlTO%1z@s
z>~*o*xE|{?KR0f-Ub4p;_rbGwo9+#5>1jP5^8HJ_%HHR=m{B!U0!Pq$15|pEw?7SV
z2jY!S6N-P=6YHk9fp;36o~4J8=F>3D$I*^q%M;U(HPQ0VM1&CXzQTBDjM+@3uzGh9
zW^y%*zOUi^M+Rp01EcjTc9fHG+RJhJi{o@2$7v+TX)MR-3XaoKj?=Xqr|UURH*lQp
zkhWprc4gbP)z*SvAF^%%a+g|5v1|8os{p&Y-e|2tED+xAfoCpnb^Fc0KHx?Rqq7<U
z9iWFAi+yx2z#jT}#tL<rakcTBdYHSne8Bx|Kg3Gz9qJ?Q0kIdYl);)=_!_V__Itcx
z;zx`~6xO9y!d^h~?vZq?CrwjLxstRwR+3`nmz8a`#ws%nuE4%>{bwY4bra&IWK3_9
z`v6Zn2Ythc0-qskK-(Ri-by*oI~&=1DRCa})WDe@URn2QP#0SE?hLyHC*saz7hXsN
zwk5a;`oZo4OF0^7*WZgl;8T!J!T&w10r)RZv>iB)0q?=+(t01P7ybo&jKWU8XF(I|
zjU9~p8vXEYn*q)uSKbz4Xw2_md>~W60TS?)X9s@ZobQ~EohC1FE`dit%H?qk(m>6M
z>-`OQd@e^shMXHC_lP@_x6sS3&&Y%2-$g$nkt4v>A$kZ<^BzQ&$Qf;Q1K*ZZD$e!=
zT?3P`DiHf>g0_EE8?aMzym|t>C|$h_J+hg4mzeY(G3iV0C-5~f>4;#Gks_Fc_)g%E
zaTYMXv(XD$;swS)Svzk`lD+(ld|Cf)Oa>*aGcLmF_5H@p=4f-Y@fNA#ZBoViq>7J7
z6~B=x{t~KyD;V5EM+jADS>^o&-VOGZc|a!!e(F@gPhCs!Q+E{n)LjHWbsxb`-B0jS
z_s3f1*7{tb9z6<o-%XE(3_V+qfz%qWF9PPw(AbsLTA(k%`)^k1E36l+7xWUL2fb9D
zgkC03LNAvw*9GvfEz&E%cWddZ5GPkhUyZmt#8lz!X_<N@cvY6Z796>ez7DZ|P4xA6
zYh5#a1KwQMLf?qky;k}ryuq%mz8UhNqrL@ivFoI7#XH6Z=vClr1NCj-ZR7Oq;BOQ3
z9pG`3^__U9-4wkV@3otz*WlfD)Ae0=zuioIH{NkKTi=8C+|AMV;$3%h^?i8X-8{Y4
zo$t=q_qz+-h57-$wdg@SX=qvG4T2$!A*GHYwnA{N18HgyvFaS)=>U~S`Wgoe>Y~OI
zi!S7zLK8vf*?0qy(0D#HlOA|4z#uD6%_hBHL5_4KX;9u!b(2~Onn_m6Aqmq|0i;wq
zA~$63Vn{BLWcHWE`cUCN6+h~k(i=F7@B;-Y2v#Y4W!%V7`BU;IPAas{xH{JvSLZro
zy!i%YrIto5aIE7JN9cWoP9%+AH91!Hvg3aD&5!%VDN}z@*G0dUGhBV={J8zd`a&B<
zR+O)dV>gI4b#+_$@|?&94)%bX-%K0Uo&9}%eGS8M64oTmOF%$~e0!_mSU8)nCSbwv
zH2m7i*OwaBm{qw_|2GHU5>@H(A76Oqp>7Xk6to_c@b{hbE3Na*H^0Yk(4D3>w2qm3
z?YDo<d8OAm2YcKyW0!NRm9Jc|tA>qEUA~N+G|#r2N_t3#tSY`r4*o<`Dm!S@)M=xp
zOiIbgn>;G3vah0KyOp9kT|8xY-lXZ{CQKNWRUWM&H?op5U~JxuX``|dec0vyY%8i#
zWiKNoXVjEw<3^7gkvDBz{-msAU!t5gD^>NM9x!equ97!#^0-N3QgS-@l48qcWoKn)
zXZiRU5?e0YmzCYfm))pIizY3G_|6aO?AiSTmy4`ax&N$*d6TA%8j+HdKV@?M6z_6A
zUxs(NI>FO&!Ib`iEA}5XW%{@gqo(50Dd{O)vVHT7wD18kY-P?j$}8kY>iLGD9)0NX
zZUcJUm{2itPpw(kqz$T{zxV0dTXLpexcSA5K12Sjym|VH9HUmwhSgu>{(Ru6OJ1I~
zJ?;GsFqD2h>$?{>Jk_b@g>PPv+v=T8J8~*cjh(-2+=d2k+?@2#l=#|bU6lN2*2jPL
z&C~twec+dF4egn^_hc^F@%7DL|GoT+LG9YSvT|?t-!5tN)vU-r4_~~v!>Z$3&AvB3
z@cx85t{r#fsCo;o*gUNAmTj-Ks{G-m%MT})oA$}dv<F}R_0MT@>g@lud;Dehy?lH6
zx}^v2-Ty$Hs+Z>ddecP}p8ulH>K^;f`(t19eGTt;U{uPxdu}+eZO%Qtx^_BV?Tb$C
z%Bc6pE}VDX_?aVf-yGI??tqsn&DlEZ$JbuENSmO6yDtC3clob;l!?(`w3RQo<(ElA
zw{M?z%dU?v{h{4QhkDM-_}G{2L;%}u+cgZUwy&lyE%4uGEUG$o+O)|nGc)r?Or4xD
zji{3`B7Y)rEU}Vd9JeBT4h|YTq8%P#VzSlT*VNbe&g?sVi!%I`M@*RzRyWhbsBnbJ
z>5zdk#OK6XR#{(Upa*7zFIrkHFITcaCyuYK{I6i8`jYPk4rf*K#d??%BMlN?(zAVy
zo2O@mqX+26y!>)ymbvw+SwCEMj_-jV#y;`Kmt_*4>pkB&uh|9n_Pe8M!NG);Wjamz
zW#YGk=lBl%KCYm~)ToO2UG87kqQY<WAH8*b^_N$Cd(I8&;T>hqdhG42dn1O{pMC6$
z*@=UCt{oNk&8+srYuzyE)mNL1UyvHHqQk+DKN!?5aYnZ*>sNKozqk4Lw2F82t+rt9
zlfL=ZU7+}7eu|HN>*wa%{(iB^Bx}$3o8qhYDbnMAI}Ld>?8|Cih=#LU1Za5pY0+?F
zAQD+dgHzFP|8Zj`jhZ5K-1wAqyk<mHi%w5JSL41;-JXj+zWQ)pWdCc|-}KSL4a;}m
zI_dbL*8R^eUuB2YuEAgT-*CeR8}nvGo%>qPMbr0vmeV8c`tLV4$a(3GJ!3blXy5z$
zE1Ex3VQY;eBL^R@lAYgc(CT%I@7C|vPkOV*=O2%FFLp`xx$DordC1z^>h_6_{r-lJ
z@>=EgO?<23z^Ij7jy<^U=;$_G9-2Jm>y=+$@Mg?2TNaGGuG$N==6!x(XWBh)KdWc2
zo^kEDqh9_#cG~kD7S-Py(R2CA<=3R&KBH6e*xhTV&G;z#-0Woomo<9fgAv=h-PUsJ
z)`N|rcK&!*{Ljlae(?C9WvxE3?wg(VSj}}AuTI{&vDbpy5r0O#aDVTcBR-F*JLQ2l
zJvyFm48lnD_mvgoC)vTh;j1eDY6)qagk;=#zNrCn0)db5jq=qG{0D(2`Dt|8)O6DL
zjHww@{T!Nv-Yi&FFKQ4fn>Q{mqe#)rX;Y`BkH||OlbtbQ)D&N9>0Gka#Mj7|b!X<C
z>EX47A)KT(SV3v2JUfiJb$(^sUD4euC%xD6!+s-T+nwL^`EvVx$<mD)R-CWuyyCfE
zVJQnC0&hgC4cF9HJr7?s+}CX8|7+gN<DuOCIBu3~GmT|3BsAJ2+cRUWP!iEZT4hO%
znTe?}qnWV`S!1HQQMXifX`xb)79xsJa#a+`P81Ot<o;6kjEuD0d;j{qUianoGUuE*
z=R4<lp6~Pie!ky%COtw!f~Azxys$B~_Bi4q-+p0A{7QsM(;pqYN_9{1hMUA(uOfl=
zB8q;eE!AsgSBVE^bjDdj#=dA=+1s3!oVQK*vb{1@C%BC_U7HJy=UV!A`QNBojKrs3
z93+)SX&%LdK9&2_<m$^@?}o9mwqVY@)?*T%y{tiMuk0rkUT$dMWx8NI@g^FlH5lR|
zWtQO5j(da+^AgiFnVF#(qurJxaL$BXRY=s<vz_y5-kp-q{>L|z@Uz3Cwhx%)Zb;+l
zYv~5&HR7ePdwX}!cBy`I4sz6vwq21|9rCcqe4Zy|Q+y$vd-;K?X~?nGk^+@_qz@E6
zV>dw6#z{;uoZe@)iM3%m#PefXH5WSlh^eqg-*Z9{QUE6%XbsF(8k;V>*|qVuOp2~Z
zRG_dp(Hr>9Y#$C6Z%^a;vDkYE%ODfsN)(o`n4*a%LXZ(&H1n$ozzk~^8&CG(da~H`
z02&qV!=d3>Oa_l&1z8H$BCw{SC3s5)nZv>B;~jk58FUKXflc=!vw7bu9lXU?TU?%y
zM}}W@4TxaI-<U`QT_X__!w!Fcu#-CK?}W{yjsl1L4T|3#vKh4e>$VN1CWy9e<<F%t
zso)s5k{NXBgir#ai3(H^IHi*^?B8V2A<L_2r5ScrPx{M^ic=5rIE(B3UKejJHypjw
zHz%dX(Yt2L9F5tTm8~%Ftl)>NZgJJ8;u%>7@{}U<)KsP1Yno;bE9OEhw~fBI!&?I%
z#4ZaDx{<Z5ORQUIhEX4cPaAkw;x0HXt9*Q9z|r#|+o*6~Yz7X8KW7WuKunDrItZCu
z;-@L3e^9|YI*@KtpJg+;I!$j%s+W>h#wlK}^mxU$c<J)_l<MjQ%ihq_lo#x|ZZm60
zfZ6}Rj_|+2t5?)b-Ftf)>XYi;9aXztvRZAkYIs7Q6Sg1n?qD2m)0U`-Iov~j=z58C
zYRQ4T26N;6(op`5)u+ba7hViC%y!Kh72%T)@EHynh+qalxEKOjN7M%(RGO}Ie1YR~
zz*+uVtwRGBO%;!HgIpnJaU^JpK^vh(B6DyUPI=OtpP%0ZP=S{Tjp<RmIRI{xf(s6Z
zRFwa2Cfl0~Har1Q9Y_n(Ow~wT$e%xHR!Gq4o7D5Bko9#u3@3DyP`U#hg@eGuS6`JK
z0zTD3{G_Os2&c;-=R@jefx8msK(oOBxRK;VH<FzL$ySG`LnIhXqiy<;>e;Kz2yK_t
zqa(a3U-Hi6<T!sv+mIUCh5JqK?hHUuLzYYbgkRMs=>LF@3EJ)+QZ3kF*NhmmwN=eB
z^Hqt<pJUl2;KNt>_?M&azfLMOSdYnkyEgZ(MZ|#~!GYX$uVihPkG3ep=0|+IwWimF
z<}j4LcCRchP^E47MPHG_R@TSU*E2WVw7ybyvb8$_tzdp<aUdaGY)JRe0UP<~@b^+X
zY|*jF6(e!!f$=`riZuh~D_AH8O@@~LI_Oj9PBeDq3lpDA2_AL)k!k09o8M8b(l%ct
z_AH0*f4b{=UfU@FCWT(AyG0ik7Ze<U4)yghsvNf_3+RuPlc-wxNakC)jScdr)10sE
zFD+OTdS1g$EWik1dY62PQkgQNKQywx>BO<oeur90W6aqFydpqbAPSKpQMkiC`}QT5
zD>m7bc|47@bKD<J8T20mkWfP!LWaOKM0p^=7&3&6r+6tKU?Dki)MP$w3Wp)EaF7rR
zb^EkI_$<lQGzQs^%$`b3Ww5gVv3<#08h$<7gUqA{e9aYQCma|#11mu^HZUO&mwpdq
z;im!jl|)Nh0&MPLv6*x-K@O4;4oaXUH<6k6wJZ*e0Nh<TB#l<Kpt9TnRCyqY_TmU5
z)nsByqY~sHS>YrUT52=Tn+9SJlPg+?nDq|}|5euZzJ0Ud{Zc*}{iTMg)XGXitZqw)
zapO1h+Tv92hG9o7=h;Z8e>iwL(oKBZpyb730aAz0ke-9g=;?b=s`IW^;!)j$90Sym
zh+>&f%H9QSYKt--$OP6lA#NXZHxJVA*p+A;mAw5`ZTy#n1Wd+jMofNgee96=u5yz%
zvxuWcWBM-(KGgqK+fr=*hsu!O{^%uZrNo|v$?x7f))3iNbG_m8V`-kX|2&(JviFgj
z=6A06vgWt*^(%5`K`l*(61yRi*|T2E<|lGJA5*X+cY@*z2b)9kf`8XF-P~rb{f@R|
zkJ_r{4rETva4ioS>9}QiM|N#Ak$!{kW`!8_95BPuMO;1s&eYL~<R1`716r6mUj!;i
zL@E#xXzZ3vIwH@|nY`ejx&nxWMG7_WE@2ao+yQNeT*Og3`8F{AM=O|wqByh;nz99W
ztSAI02V}BTA&x2TQ!rjA`al5V+2~(R6O#DXTKfl>0<As4-ichBF!X9;OPn@dZ%|Ua
zV%=+czcJny(h_cWE)pc!5I$8cRfR92KZi1HU!Wt*haE**1L2AU*#f#w;v9r4>|`LA
zTt}UVR8s*6g8zeI?su5}CC7guiY1psCz~je`iw5H%cF5S<l5u=l$_5-IdTFpo`+<D
zPmhj_zlc=NJ!!xj8zwPmb2F^eo-7}B|I?!}xVzNrjMQM0(g~(^Lvi1-qV|2YH_KkE
z9~VC&RrRITiilj73l&ruwYw27qgv(8(&)>!6qH|5963;@d)t04uA`e;@2r`A&wuW5
z$DJE8uLLfMlTVejsCEuhI?>Ve<-DJ{Mw;TLTaDIEhOv#l`tjLC?poZ3veG>Ri3qhL
zFBqmhinsWK6^U+F@28)swFv1>xTX%lG~1otMCZR(+#W7>-Ntb#mTI0tj4cb9e-Xu5
zk$Ck;XrxkrAf>T2<gj(l&>4MC8$viT4`BKR90r5J(*9!@hRgmGHolcJQ^T4;NEeko
zr4R)4v|=U_Qkm965ilUf{8s!_0Qb<;LL>oHkOm~1@3!99(-4+O@p+Q8zC%%&cNhwu
zwggS^hM1|0(A{F2KwZ=a{7jAl>Y{kiBa1OXtrRcj0LED0br%@%5~G9KDG&7gK#L20
zFo+jh1Ky{BzdfKWTtfw~mS7HhVlD&xr+|@-z=qdXo6|!iC<G$IVPZPf7W0%>dLfd?
z(&KuU`+NOd%OjCJ*)oTqs~!f#jQD$kTn_3Hdq>y(fE$7fUe#7y#lF!E=}uiCyWLPa
zg>#<e6_HvqPEuX##mz@9<jd*b)9(xtd^B_FibRaLR3=~gf+0Y!mkUPDuX`0`N7!9x
z$Muu;PTJPhdGBPh*};Nf?`xx<&3z-RwPRKc>k@`Z7t~9vdKbl+yt`Wg%j&Q2EUrG0
z<<9XRNKsx^_c>$H<CbCXF)^p3;<K_Us*XKxer*2&w^Y0C0o3xe##8tCX6nvn33hoc
zH)6+<_`ssDQuq6x#%^^`F0H1;R_0{eu@=f=>a0Bl<K+?YUhZB;aB1Oi6a=0E{dV=l
z3E{AhfVKjm1GE3%wI#UhPsOci4!Ipt`nE9y0X5Z;fB|=$a<~};nF)2Vlwd$GCM?xA
za{kF3byjW*c-LKZtfMtRvy1kG_>^^8{uk~LKTNYF5fK5T7~Ex-w=E%g_fbU6a_^**
zO!>1KGX1L->rwlZqJvg(%Bv1H#3y_TYV0VfNUrDh-EKVD5pa+g-KkjDlbxbhM2kA1
z_v~Sv6w}u+<%~&n1BqE*z4J{n&e!W){y@5NMOtBdNcy}Y5+(R@?cFu{^#{j_alN6T
zVP})i43=!OIu#NdmDhouX|K75qo5e?+P*1iOH?X9R4<2KSzelEm4vm<z5j5a?qz?u
z$F=9ZL9f&I)hYDfHYvO4JpY+Z-7Xq&x#1x#*J{ZCYkRtdvYA_)d=jQJ@*IO1OvR{w
hE@Et4V4hp1))v$faI!bIy&;%81}iNH9s^&1`~@J@{DlAj

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff
new file mode 100644
index 0000000000000000000000000000000000000000..460ab12a638f6e6aa81b0a6d0e6066f318515e66
GIT binary patch
literal 119064
zcmZU)1yo#3%rLw_i@Up9ad#{3Qi{8~Ebd<1iWG<9TBNwUI}0stMHVlx*kV6@pZEOd
z`_4D#=FCnu$>i>4CX?J;Z#7w201N;CfSD%*;Jo$k0;B=30Nl4v|4)<rs3`-0>8*MD
zLiQh6ksEbOYbwaS;UEA278L+MM3|Q$mMJGK^Cr`v4FG`E2LRv(LXRW;<kZzP0WijI
za^?E~FtGSHEVSivnp%<on6gCxfN%)_5YZ2ZCNZmNvU9!hQNGF7djnIWjo&2}PG+tE
z09whLd;<W0&p2M>l-I(`<Bf(<_l<_>AHYzfO<23yH~|0*Z$lWkH*km7%jLH*b9a5y
zrTz_x_zzxR0dO{szSaN$f9@NZ69D#;VXFuSz}Cvl@{OnBjfU?ZAgyhn+rA;+aNBQV
z$~T}zjzH73b@K3e(=Px3Kw$&`$aQn9(G4A4EZ*oCBLDylf;XHYqK!1IlbO$(&aiK6
z|HDg()C}wAZ02MIfDuLo0N&#P0H{=`gj{8=F76%x7ztVcfFuS0Py!U)$-B9_S-tTx
zzI)@<d;{%li|45S`Hx`VlS}E=2%2Ds+yIc^!2g6VAQM9W>-`;GgkIJWUEs#v#z=2d
z!~Dbhz*v}Cnws`pUWmfMjm8ISzt#v`g;Fzy1QG*E0^l$HQ6YQ-BmqzXUV!)i@c@wj
zX%6EKfCIq%<G0>5&+Y4*=<8b?#_jLx+eRxS`a>8`m>ycRUNbetGNr7{f`qEPl@)@G
zs=f{0-J9L+`~LS;9Mt*hh>AMJPxu~>knk{kkFbDK1?Cen>J)%e2Ce#kbX&@FPs{5h
z9x2#6`QB0n+W5GEE>z)LHkwa7+TyhK@0vEhS#0C&eN>|Nuj?-B=?Q-Nh0~+3*)^Wg
zeP%^mjzO1GK6d{7(kq1N6voyff!}>Te9S~q2<7E7g25Nn;wOYQfOAQY_gs)IvuCSQ
zn!_xJkVHX)ySYU+VY&|JxK=sFQf$Ppm4l(>=wC53rPFX!@orycs!(6)b7|>ik~R5}
z?$SJ^)|#Yz+ik@Ocj(I<<L}SaXn`&KTNR<thE7u__InElR0rdJFJ#i)>3Kt{>eTy<
ztJ{OP<;+_T?%XS0dHbiMvSz)XL<&Vx@#@T9y`&HOe{-N{Yql7vWJUI=&V@gP?TIm%
z^?JjUAB~;F`+SM}f=l2SjmhvTVl_Ww{8)oP5qI*1(1^X&HY{$-Q&RaAWZ3AuE~qe?
zmw~o3^T{b7*J&DBs~zl*yej`^!*@-Y*hR6kq7urmV`#}R>)~`tnZ8UO>bl9FYJI|T
z*t3ku$DV(Fp33vHnKu9IoB*PBPiozVO<5<V{yvYautvz2ptM+bP?=@{;Spjg@n_hU
zB$a6Nd`8h6g<pAS#oc?&dd@n~bN&~}`N_G;SZF_$(R)mGx4R=~y_DUgQ77MJ_8!@j
zOSr!%nRl-X=K0I&a)1`pMb2z_R<P>l0G}25ZWAkR`LHcRU3G=~5z5kdR|VHK)e&ry
zhRE=@iYYVvisdAdYNXp%wPAxSSxlN0Yuuam%i=Nt<HF1<v*oVg(UC-$1H9SW%Q>om
zL*r0{jiBLbIEmi8Pn?;Dx5IT`+V4dP2Z$VJpR!8>F*MxeNd3jT_5-o9I+q)D<a<k4
zY@M&t>`3eZ*NW1CrWM#N#G;Z&+_J-SA8bju>5XGrLS`ztcoImxM-jxG*}mi~q8GTJ
zdOMq;X#OtH$e8)U`mBdwvAcZxnfl>?GZ^H<v(sC5PTt*gAZ+z>jw!livGqr(U%QY$
z`O#)_asK(*_Qf9i=i^PG(=AN@-q?!SCgD-{)ACEwM&7?0%@oNLN~_JU^!av5D<_I)
zj%5oif)+h76cj_M{^phW@R`cLICRz|aSUXkHdfgT0;xZaTJ!W*R9DCG=MFVzZivw!
zKyC%kGfiSk6U}zt6tB{z%5ql2Jd)Xjom2m{tSK0S+PcA;LdO&}jKeiCM&mId>fUcj
ze`Ib0uPzE*3Ll3-qWAOe#$AZ`KM%5kHmb+i8G2ETaM|M>-%z_rSsV;PF;BoWiYW3g
z&Nyn`nV?;nddz}pNRWYa5X{2^*bzduD&SMyXFsBAX=8TBeY(2^);%Rl>ZX~O`Vfpe
z6W*}+=W#6A7_Gp9CP1wi)sdz2)c-a*FlMIoB5PRyPW1iR@H*-H*rFeQ@aEMg#7fVl
zAW{$`h{Q2jhC@J}&?U95?%`*MG~^vb*Q3*?gT_xn#`7n*HSFhgr7(ghi745b3W=+K
zb5?yT$;jDbnPdRuOa9OxsfPfR;fd6PY05p~>C-(d{rj@EwpGfZ+QH#f@$k466>Imv
zSPDLrk!8~LmD|G$hc=a^bs3drLplx?bu=j_Nq1hJ{P29#xb+noailJo*$zHeR8oA%
zI|1Q(eo_(v<Dp^!|K(gHcb=#x<tx?l!nzR<*^42@@B2kj-wwBRQ6kSz){7sEvGJ<%
z&uY(a6^}^=;Rd(wU0sZkkGu~63+JLv>1M%NF}>WgWdTi9Mcws*97pWwBy?dvU?$>n
z6MigCB%JM_TZ(Od^Kb3!T-~U%<-U8Q>j-(+ka>=qK)Vj*kQ=#iUnvmcuPaMw)zW#G
zpMj8!Kaf|-1{sZh3i`aQxf)E=R%?B_=--9nuq>rj6YBf!6&L<BVk@Bq=#yhY^aK;c
zw!OL7RLxUuzlqTDCA-tRHc%d|e>rMtu2-C?67C>pfX^mAb?)ciAn><<-w_vK{uocS
z*w-BfIGzgtVFV*onw8m3JK@Pz7YhbW>-57BujRxEzSegJU4jFTzLA{v$D0(l7>?|f
zz9!|f<J0p=2FiYn798x?Bo|+WKLo2IZ8D(sOH6mH&aw6N?3IA)u!0;Ned!w`9S>$n
zCLa%Wh_@I=obQdW4-)Ib#3@&{_&zCk5I^6UC!j3icts{A!>JUqrbTu*&n=brA5<g>
zDq2}L2({nxDZQ`lcB=SzU&pYDz+@;q3V(X1*jP}XRpsg>B^K4?0Kz}Bu{Pyb>X!H3
zl=e3o?AAzG1nZqSU-3>{Cksh^*zf$_`Tf}x@hFI+gdQzH>s|M>1=zxt!cq9;b1S3T
z23L?)>nX{zkJ!ZsSLwYyRuH_MO0Z^;Js7o93W4!&N9VC!D1A{v*XDG7_bg#ZH?=|R
z#x?J}*Fr_~%PmYo*i4tzYN;dLjU~jgNxMBSarR|^9iyUIR0XRk+|WPEP4LgY22DD*
zc43^&bvN~^f$s<Z-*C_Gjd$X`s7+LaQ1VC1WC~C&`kc(<j=8(Ptw9%`r$ixW7LGqS
z575TNs(u}a@_M<rI^wqjU&xj*((|ZI9>$v&M}Dvlo9=gdI#XMOY1dY7KG+p+kK&HH
zTm^qxjCw5zdrhs!py{&{!uo!R+$#5>Wdrf_kNC%!XA7J)Y?_n7;TdQ&xwiKcU;ps0
z4%f?DHEw%R%)z5J-A&3NUnj$wmB^RJjjdZ55||*hyiWe-e0oU{yaw%F272bx8;4JB
z6w?^T`^QhOwOL|YpvTaLGdw2G!vvQb%uba3p)~ea6%C$5mn*`F^~`0J1cNeCib3`d
zAZ5*@&&rk`frPEZpDZF9hcl;`2lFej#jWu?&$RHC%t%|yqdL7|vsE7HCgQFXerr}Q
zW)aB*kMPGe+_?X^i;KHi`m~tt^=Qh#T(gnTN_X_mYDSzwadYJE{;rPWRcx`--`OzJ
z#?8c<b5v4`Q*H$51kF3D0K-2u2!CA{eJ!@J!!U5_g~=lC{Q-`-X^K#GU7JI>L%px$
zgEjo!E$)rt<4Bt1YjY20Mim9><<{4=rD?Iy+6xk31hN^b2inp3$GGn-wgl7j9N?nz
zMYyY17ifYegS&_yAut&6(VePC@V&`a*g4EvKkHt>h__k_xvXJsxHA%H8_DMjv@v(L
z?s_gT9Zse4#9?IAA^I}XTI5lf$9Vds8O1_7lZ)<Yxsy?cqOzSx>cv$H9OU_1>XN6C
z`DipI9Q%$9hF=c)vFD)pY|#+3G(<WLjWl~@U)Tp@GO8<S)@Yx4XB|e~qjP7vjUYGO
zSQM1Nj#U4B$y6a#rX`=4I}2?^`z%4%q-uf5<4$~hEG61VX&i#?ZO5qK(5WJSh;VG@
zA;PAxsPn~>T-$6>U8=Y?S*e3YztUOZ%YZF|Cx)*{fuiu$Qvd!5>Tk>poA@w^tlxBg
zOGkc$giRLTDeX&YU&yv1d{#q689(vAZY@5)1fOZ&vL$fyS6Zc&oBKz*eHZos66Y0C
z+oC*B8IdzqrMsLQeLo}hGKuLd>Yi3Nx$_5!7+&Y#<U$)Kjp@EOsDPF4VG=#Tw&zXX
zCKhRL=1cC?GBA31)xzU;2-{HdLkhNi@8dhmbYqjkQn$tKF~uUqO~nOpW&37ak#lp)
z9tXr+1xRtBftXha1J$9`JLqjV&Z;X;_-Y>?KN6jiKm%db26PH98vn}AmHzdsPo<9c
z_aQuF^I5gqzUgyu{YdD))rTlR2bQZ9<G?3ZF}R~RCrcnFdulNG0f8A0$j(Q#kuYLZ
zoGbvymHcRJAtySPT1%_Lh}hW4oWqxIblcVHpmZgczk034XS($6&PN9Mz{HQi)e~A{
zhV)<jJ+J$BFc$vrczht>bw#*Vv%%T<=RFqyt{cO(jR^&2n-lfnE<x$#Ik_Mt?g48@
zeBhO8b1vuMCn3q?6PnBMb60OtG^_D%VLvj8T^FdqOH1#c3#k7~Pw+McRL*$zL{8gM
zwuS$ejxjRzV{%(`TziC4d;Da37;}4Ub$g^kd*VrZC`o%vPWu;wzz~e<&<2oy`D9zd
zT6?%~dt7IGlz)5Dqi+a;Z*-Jzgq&~usBaj9Z)~}5q>XRlVPG=GO@9N4&zIj1*^&?o
zfs==<g8MI9_vzyM`t3%}slt0~zADD)zxP!>(9)Ggq@{3u()UxuIHC&-u#8Vs;GB{3
zXQ!Yc3+S1>d4F`}A$7XTT{hG+7MDAgaM>V^J~S^-wzO-Co3INFH>Be2j^U5(1~Sr*
z<_nyjb%*oI8~KK25RH7U+|TQdYlUcUt{V*9T5=@}HVDxB8MtKlm5Yf@`1?7y;7t0)
z40OqBATK1#@)W{I5h9~nqdDlYQj{?-+#HQ~Xm;>!<T@+0maKu&@A2F}dLhwzUDCQ}
z<d(5m&<G2%s+6{Sq#AQcmQ5;-f9-ZtPn__5&<px)a3d3_)BEd5Uw6_$=0}xh^H;v5
zU#psrU;tUspht=7Z@mr)f)g&ILI;oHgCpb4soExoGdBMr^2YKrLH~`-hPxjTOAV2~
z7KQX}PMm2RQ&d{hTW0uHwbz`pzB#qGtfjun@QHHh)=GaQ?LEqEnD)rC<n#XZzroZ$
z%js=)x*@LX8MrXn+><NBRZw8$EiLEz{IyCQZD|#;R45#O4q0D{#8#NB*d0Q#Q924)
zA2ZwIMkbO;*p<~Q4&$89w0BH)UQmlv&|KvToua%R$Nm}VNbNsP<rbgIvLzXg0E-!h
zNXUVOF`kURl8o}8jyS9izpoCHu8wvyhqN(=FvtN9;y_?-z+rHO(fLcr{x@brAdN=v
z=dh~k#0LSq@<W!~)N3HO^Qci91;)Wwkp!D7()>{rUrzQzt*(6jtdG{2<7HMt(?iz4
z#xA{;Q=7#4h<*D9y-@9FJUa#E(DdI`_Div$qD#hRbq)M0Yo{BxL66_L`}D;57+ZW!
z&xX8qQ7?`_hqDD*Xf;8}(;6yEJxf5t81YAX5yPA+R*iwErju3Hv;130|KdQ*ovnzt
z*xjPsikb+LSo)$LVA_t@9`h1HW_qR_J4K&%T^hdVX+@t_0j8PQ>JBL+1n`buJhp00
z1n3#l`9Y<v9Gkob17rh6xv_$xKZ8vM(A^j)uF5%Li%QZWxzzQlq?alM(Msoe(hor9
zHw`yU>4|d+9jdKhEK$t?-!xY&IzwnieKq7;VTu(gkqLc9mK9J>n=j31-&D{LN$m?9
zY(Ap20Cj&oCdK$y@|CXy4;r|`!H7B^Js0J4JmgGJM|G7)4Qoc6b4Tb5hq=2x4TO@;
z%ugu_ATj6+90?R-&kU-x(|PaKih!g3I?{DXAhG{R@4C%#1+(uIStB)uVUt6p1SF8;
zp0I0)aDGH&tW}>S+-lQxsUbbSV)mpjE9Sm*|H=9Ldi!P74e*Ty5!Uv#Gk=Am9P@u7
z`2XT~CwK17NA{M~6Npn_r=hP-ouKD%o>BHkr@+Y~Dld!mc|os2XVT8AI+C?7LYfHn
zE*Ej1a1K>W>yfp+Hb<^z8coAjmTSm4QLG0%GLbclWKF=_4}iA1MuUEWJNP^OY>7X1
zqzR=OO<65-e8*~Vb{uCV8%-Iv^DxmN84oM#j$(XCO5UR0q9Lw6U-2a#0L3i4@@N`K
z{RB4>p6YpvXr4;V>a1EQTSr))@qehiDBca)h}@em!qz+M^T#vgKEhd?TY2XQv$!yK
z;4Q_P`(D#$@7H(vobyq@R(!F~_gxj43B+hD*PC~=CXD3D2N0gDG>({A6mqVE>(qWb
z99cm=`Ehnf=i^D#Jv=>MKg@258a&_cZX9_#gd?!`RBj}e1pJxtT=xoaAMrYP2R~`<
zTQk;9-7=cEOw?)aeHzmp+TYXXN``ux1Q%G{vn)Q>#ehCMpG)vFjtbY6tuxmsM);Ca
zEK)v1=Tc~Mc+_@>Bp^!sFTo2IrTP$VgNz{-MIT?`5BB_ad8U-OH0ow~=Bv1>q7GYT
zp}3wRahE8#vD2T7_tZ+0*+1J)k^7VLth@ymYri$Ft^B#_c^YsTynn)HskjukO>bV+
z5B$NYqtY+y0IqEQM!M2xdlTq>7GkTT6`sfJL;|n>3o~_3ANu<2ub2}XE@C3(mSC7P
z32eqExSM#3;+b+I9-DpKnx96^MH!LJ;UsYLa!M4OYW}m7>DGU{mC;(uhV>;z_;u~<
z9(NSO6N7VJ4q3`Wd{27LsoDeRC7z@fmZ?ILDL~C?>9c{#;^*l_$#9Cy0|wT)1^-&T
z!t@s{Cs4Y7M|<Hcggdo(^JT6;!zEa*S9IK+mgYgUAFp&-w4bc#!w)+tgVp)XURerj
z&K$5n3ow(6sVexh@@o~7S_S%SH5+?{7<(l-dlgK~VrGfGf_*b}f_|#D(OB6*$!Bl3
zDunjM)b(Q-@|*Gycn#@6#zL&L1py{omVKU-SZIO;u^OGqcdjL#tmAA+RyuVl&C1HG
zMUWw}9n~~X0e#a#9qBxikS$7gQ+8r3(_&EMG3KC0$d1qmA(>5$Dwi<>VfnT4ydbtm
zR#wN1;f7_8bAv>yUWG8rf<eu~sN=6g$KM3dZ{5)RXJ}$zP&L#J;TghLtp#g`TiP6{
z>X$X__l3?cz0@zk$}exfsvmT$Vti&1-SJiG+P3Ccq*POR?tPhC?zQ1Q@$dG26=z_M
zaMu)bm-RMm-Bl#TVL4PUNEH!7I$PwJC&mO!@PHJQT|o9Jl7}jAjF2m;hRT18>?-o9
z(3FuhHu6)UG9!U~q<*1S1y0TyrB`dinR#bcWQ!EU)&exd!_PW>Z=12I!S1Ods=39(
zp;BxfDbpLzK{NdhG||N8q-+41Y2qhS9<^PbnHMlBcI%LvyyfXG^7P9QE2}%Qfy%9+
z$Db29$mVcb=ZfxNucflZi0-GXg4nV||D>!nvVG~^{<Idyme9Ssuy(?h+P%ZImctg;
zz5jD{jV-79&(F0CqeO6?PO-`LGQXkmW7(w5mfOSGT5U++C|=V=hvcoO&T`L1tTY<l
z&EONF_(IYhPGDHUxlINBY!y|^QZ((cqSp;o0ld08+=rT&&-1iZ_QcJ+c|zGAji!rw
ztU(g)wiPlwzs>b+kyxA4H-*L!$*fBfITYoHet?u0iRh20K^`$j(BuSYv<ftW6`GO<
z4TaN)NBA&=n*J_*pn^x+%9UwSiYZFRH;n0TJ=0Y*(`5zIb!OGyw$)@+CxtpMOLc#)
zD!8o0uT#g;_@4CDvYN6MjMdE^zl1t$MU9$6omb_(or<FPK$^lwbw;Rj&hYja;Y}I+
ze&Kk2sp)=EynY$Yeo3Bw1vk(TG-%onXsi*m;E$hr3oJ5#5qiE^?%wFM=9O^8i18Ti
zi2C!t)tI3164$&*&sW~1<hX<8;ydau_V+7Ryd|my(WnnS$Je?5?%{}v{?Ahn7i(Ww
z%sG{G?H3lyxVwp_Z0Wfh<M(UKc^z~og?{Bsu9McsYW*-%anM^6`nAs?CoqGg>J|&i
z-NCDSn866TT;nO@P4Z>623G6kx#u3j60{Fl)w(Vnv}_CUw~ezpyGM1dH|CxB_DPXn
zW-^HE6U{yh*^uaMjRZ7&NX?vLly(2b=G9XDOlGN+voc{zQpTC*J9U^Xdgf%(n7MR%
zz>y=k(kH83zhHdZP_X~QREAk^Y~WiX7lPmr`R&h181$x2GDiowla&}&$9=}pHW!S}
zFEOvPLLXROy?=2)UX7!^44WxrrsR@hMB<sLWa5`arJH%`;wg<#HMrGa%Z*F}J=e*+
zhw^qXCT{?Ag2ZwfPt}TiME~Oi&)%}Y%m1Ci^w)mnUB3j*)Ll4u(+&T8dD&KU<!-|Z
zz+2yMfL?EB%*DxWb!{g2X^7`e{~>bG8wGy_Db04G(uc+GViaW!QK)jq1?O6SH6@#7
z>IY`4Jh}07-VfTM?^({4w-1>pxGT9v9bolROf$dGW~)8*@bum**}<e)W|WtzXKxgI
z`?`(A%G@uduNpSm)O9aq`~EU%A=dT_qkdd(atl_lpcC^8^{Q&vVN>_LyDb9JpSeWB
z2p&R~7jq%$Co7MNdnGUjlJNo_wrVl+Fom*?LVZ^4H&am~ntpxzFf@<6duFiT<?lH(
zZ2Dr7;Vn6Sg}Fp${9xD(>VAg~t*3F1oO=YY7g8#S47;XKn9fJm+l*frVS~oZutO(I
z4J>x~d*OL^wg`b%SqeijIgdQ$JDe!Xi?rXn(OeYOg+IF(r3|j{!>+&5h6Obd4ppQK
z`{<emtU%~Gu4r(;4b)+@YaHk7hqf>Nx?zvl>%|yT+9E?1h9fxcWNOnkKGs1a?lH<G
z?0-3fMi~yo1DL-0K)7RQ%L@J|c@aa?rMc$nE?GNyo>i&$kM6Jq<%5&u9iTKpR^BDO
z3a$k&Y+sYW6!&qWsV}Tw+aVM&j-{`PdzjB^)N4CK>1C*3o1)zb^$WB|UlT(o=(m_S
z2}2s<Y}#n5TFwN!6zXqnWjrkki2}RXb8YlQyD<*3e{yi;DQoFeY(LR_ZM)@Z7>}mi
z6`Cud$4QAfkx$K;lBcR=P_etBOmA!9X;w($+1)I*Qwb`;xf4@yL8c6E!?2ar#LOBB
zl;_To9HXvfpSF*s%4vh)>HP48bT@J?w~W*+hD6pq2YHOf8FkvBimIS(o~O4m40bmX
z6jmmL9P^lf&nKrLy{@ajxG2F1{9_B$#Gz9rOT*>=`i;v|Lx0^;e}qRu5148zsEM&Z
ztWt=l9QYZRKU|wjMO|;5RDZZhLJNpu%L{^E8lEoZRc2n~AyZdcuWM=%j2GI~Ug#(z
zIgVLVKFPtDmsn?7o%4{R0j|CI0}_>?vtpHLQyv`eWIleWImz{))df@;W}uv%12?kM
z5LvO)v~3fPcUTL*#r(&0;Ocz*M+V@btqnJk(NJEg(KM|Gj(3a~Klhx}Ixn;(D?ESK
zdCq%Eq>K5SK5%ww^l{gD9%BkNfbpE~%nE;(2AE{$(uf^66sY`|tpa8^cVFFd90UMO
z=0bOSO2enfQSt9Y$;@xfD%vi<9E}7t%96?icPM#u{rEx#h7=u=>s}oTkbW<q8W_D1
zxt#VGtOeW$^Zs!)T1WI7{5+%rtUh7|!L<%=6w?1h^d9a$5^W^B8{T*`KWq_P?*cI{
zrAys)IOq_|AT#g=?2rm5h&_=J=l*h8+SUzW=0+5c^UruOzuNHzx*t)L(Y@g7WV~4H
z3KOVMoztp(_zL7nZ@cDcmM)vy#TJxgj;mH9k>4Y9V*Kjfgr#4f1o~z>*dwu4DEx?g
zM)mcvsa%?T&ik?_(GCI!u@EnY<Io*t7Q!9$h%chyh<xVF3(-5J0FzEF?I*EuV6mi)
z`F2QC-+@2Hh?GpyU8U6yG2QlhM7=8pvmuSlZD1=GKGJ0>V90aikf(8!L;)kn!pR4L
zUMzl}!rCFEwSOOcAn<Ks2-jdZB+a=f?6R^XT4e<arOa<)UpYPmGMO<!mBZdczPv*@
zQbHP;*TGgUt)tt%_fs8!@KBr46Q^@9-_TB}1|qpHw9-zgz#&~Ps1JnkL`HnEQ$~tg
z(8b0tZ=hpQ_#>~IJ(5vRs={dYK3jf3k*6U-%NE(vRHr!WYl2aMbw)kXG?f{5HctC8
zt1UT_!F&MYn6pZp{Br&`X+19leT9MArmBbyJ2@o(IWce?Iicm|AO{G~LRl@I_rg3^
zItO%FMnZ3z;+(pP8`Dw<qFw!_nqliNBvoW_q+Ij1c~&=QwEDWFN*jQtv7O{vO@;jt
zH>l=;9t^5Kh37P}$t2YNP<Ik^)6Qc-eoD)MnA;}E73vf`P`g8OPD3HJ(g>i(GC1<=
zL?1_?oyw#5jIucQ9;u4SozcFWlV8Tf1eYsvwy?Ay;7uw`dSYq;@x#is9Sp8TZ_%(u
z>@yx~!oewpElShJfF>D#S}BIhM9>U9of!7TyECUxg-JdPb|$IB+(W`LHrYIxbencU
zYbC=Xmosw@^kn$a-uY}iL=Ey?C>{;t5qP^sWy~ttHP{!#Mow;~sXo7ttW$B;hB`mC
z<`^zhZK`yD_D0w)o#!{`F>YhLbI$pFf%09#koxf`9D&M{)ZmG|QBO@o{vm&Pm+XNy
znoSzN-?;svm*j8v$4DN17a_(o{8zE79Mb$DQEk{?R-BveZ@bUz5kVPk58lQ5=b5yD
zq}}ckaiZFs*Hl6bjxcgl!icSlzb^k9C;oGnUUe<LJ<WCK!sE2QT-=9Hd)0E1YQb>l
zFqMZ!@HhLJQiJODWar`o^Nzf1r6W~)wqjumf)}Qa&TI!Tnf*-3U4>v&PwhdZWv%Q=
zWJ^U^u_mK1=z~_{LS>o}c(G~)tUR&fVZD^%LB1~_RA>LbBg75cNWGcMNLet8tyVvs
zt=v#KL&r&0N1d&Zxr(ox`Gd|vy4Ko)R$4W<s_G1EKe6QDxpeEny072SVlUT`=tgFw
z(~M)J)}CKmx0>breO;0N^O*wwC+A|4>f53m##WGumOtn$jRAaHWpTtd!R(>4r02oE
z&-?bAz_BChN@zpV6MaL;H~jpEP{w(2m)xC}k@B79X8B_^TcI2y1&BsVXQ4Pv4Ln~}
z4Hldb@T)z>^2_JS&#&`KGydMRfTEQIs!n6`Yd$9O%j1%-)9F@rQKw%Z(W;xv`CL7h
zqoo7tOv8eZTRHjFRe=L1gdjmnn9z`)Y=P>$X<{WcaunKV#Yv1OAUUnUBZ~=m2vAF^
zK%K8dtx6xPIUx(NTcU*!Sy@19>_0(se<B4M^AZJqTuJMx$j<F4ag;UDR{3b6aa&wh
zh5x<o!z1Xo7RmyD8XP#M>I>LlA{64ZGyoynr-atpV?p!XI08+Y8OaJsCB@ZQWyL?E
zmr_*Xms2nwE~tGznO94{2HRBK934);K~R<oAxirnq3OpQ(B>=5XIW2yXKmlipmL$G
zpgIxBV0AKu;Lqfx;+2U-;>=0&CZFX%Ch0a{mnxj2i-|^$l4DvSMc>3k?L6gC##vB9
zl_pqV|Gkj0CsW?{CrJY>ZxG+U&T4H(loun7UHNg)YH57YMiqi>5?A(Z6?sYE1mS9(
zUo<+S#nJa;Ga(JT;^2z>@4-wP5cZ`;h)ZeIOR-<#OEqNS_46!)J3>0DUAffUfH%Wy
zh9w4v`8ycg$hEw2N2hD`|1%4+_G_z)*5oB)`ZV9qaX=k$np|;^lG>j(A!6)QjR(1?
zv3FiKdOBbJ52ctt6Pg6&BLNz00W<wOmB>BA0tHP<R)02?C`j(59lWJgROw1`9(SA_
z`kobg`9pF6H|N`iVLe(pte(q#VuzGw?NYX{p3fcH1Y7kJ2Xwr9_MLZlO~oOuHR>0h
z3;T~K=z2~*pM<8D^(yMLpnFJ*guyM=D*D;VtQ~@fWpH8MT-I}x7tHH7728#`jg<yF
z42UHH$QV35BmY<^F3e9BQh560K{#?X1@a&raqkw$3#mL^@E|^LJ3!8hdN8b0CNTZb
zDP$DcoZGJS+f4LPbc2$feS?vnV1t&PVuN~9u0u;%qXTWNT`d2+PxaQdL#a#CqcyX|
zBPo;5qb}3Sqac&qqc?LC5|Wt$`JQPGNzVKPi6)dwimjAS+IhXGN<Bi#wVW+0AL>+A
zi#w8@jXsi`jXjc`-4PMy>JEuJwS~lHRzRvU2_eL_*H6t5c;}xP3v1>=AYt>4g--Jh
zkiXBEstm;rr!Z9@H9cJ*6FpgA<e^9~MPO*gX&xlqXYI(LYbQVrs;!Iw{iv)3)ljB`
zDk$?pWt3H+TFORHv@PEkSty+NN)(v=@_cT~Txdbu{5}`y?=Xc@aWt7+F*UJ2ZUUQ^
zNCK4?Qo@(z(;%M2<&Qk%yNw8Q@5~WEfOkI$<|rF*?64a)?DQ`g<~(+9=TXPTJe9cP
zE^NK_wl}GGGL}nuT9?y#Fs^<wfFyUl=8McT=FQD@=6209Kwi5kbGN(j3##B5)sOzg
z7{X*{%+7>oQ9Gx~9y}xU*K-QH*7Fa$+8~+TUvqT26UIszaRzESv1<}KF$N!hN3W^=
zwt(}e*@&2SeCLSM8t#nXX>jBWd@?|bXFBIipyK0C_~6BihS?boAG4vF8twlP6zwlH
z86zw+Sq%Fq@*|q~RH}*oxLyskv&*&s%p5zorX9n%ix2|N+DQZJY%PK8cDTR{I}c!|
zog?tKEh%u;78aOfs|ZxH;{;;ZiURL!X?U!!8$Y{>(C$6=jnZ6-04a{(9W8@P4eHaM
z^UepHZ`C?59#?vguz&?%Ah6&F=@LzpPOQ!$MLv2etGDUPeOFS7ES@;+56W|tz_4;C
ziF!6At+mT{!Q|BG-uVKmp=(=t^<Zq?dc*SImss(yuUxjF-_|>?DW>Q?AiUK_8L7+Y
zOL1bVc8kJ%nhX$Vx;R@g^&Q^eYFi_6E%*9nM&Kn%$mi*sV$z$5Ma}6TZL1L6Vd%?K
z+e<+68KM*sVH3=57r{(b>RvhK**B19YJr*Qi_ImIpT8J;E}8Z1=qR;Gc|2|q=jt{s
zIUK~Znle<?vj<dxOE7PfRl|z%C3gXmyV&LPT%qcu6A`ZLA_cYWDNQL}LD-J0RPLCR
zi;)Kb3xxwIWnsv0)U8j=d0d-@EjqWP@~%8%w7U6LS|HoZcV!@}rS~2Ms!<>#-6dIE
zebfwFURmZyESV^m0nXY-x<tYbN<*HG?<gFo6+UO`=3ZLDOsFB_!L-K?dvCwNTHp8S
z`k1dV3OPU=?&$TIQ}eP?#(}=V?z~}`3G?Nd%x$w`dU$NhtNM8jn4cjXx`NBi{2YvJ
zzpNG8d@fAo5o4G87`sEM+~6!I0E2GW-hj6XLMebM;4{GFt<Vegl^cKxa{xevg?|IF
zHwb!z<Tn_5t2=v}A9a#Dgb)!^V!pTK4DGiy5zB5#+%((2c-d3io3B&zlx>84(+3c8
zQ4)fLsash<S)ouM;aYeu@s?!?n{y>gX{^`8+*DDcG$)r%46X24k>fvNjy`(VP}%_l
zq=DcJ1p|=EDH}*=wT_8sUBVV^1=W;(3(C8s1dgzcIWCGP-;h`a!w7Cr@|*nfg@fSi
zQH1g3c_6H!&(Z!^pbGq6uvbf_s8iZu7h!Fes(OU-Tx>HZX8h%t_Ckn9a@5qS8Xq}D
ztBM|Np63UMGq7k2B2o99L$B0+0aFDeL<VAjs%+xFXEta)F6GpRA66kQvePfOfJ*m{
z_okRW=n&UQzEx8&D*c}mlrpH3*IKQXJ3v+WA;?VsE8PhsSW)wtKVgo=Y2ia)VK3xe
z)j)ck><#E0>jIn6f(}$}_PfxVUL`QuC0atI>=1&*E{kMxi4oL60HEhBz4KoRBCe6h
zhC8v>iKg>gb2VFl4~w;n=dIw3it%+uz!2DB_8Io(XvXK8du~qG0sF&!Pq61I&0)xK
zla0XjO5zjTBq;Yq*+z7<eca(CCCMke3Y5PyWg~2knol;6yuee&pQ<-)R(q9OV0q0R
zQJ8KwZED?^1zO)1oyWD18??6&8$7d>?(6&t(whZ3UuF0170+la+0D8hH0E84>~SAu
z-hi)o%Efy~Xf}1Z$q6|AT;>r?n|rxul?N~o-3fl&!m0jm#zWsRn_VpLPv6Bhh-Tex
zi=)Od9+X9T^05D&1;Za@eMF^1gtK*IFmn9g`{wHapPoDBi0>I+RxM4natC8JE)RVm
zzl<Y<G;EW>&}w{{!fz?00O>}p5_s<7P>tCFQT#Y#v~YJ^zVQ^2{LvlZgmgFk>&0p>
z69Fj|18bA3b4hkJe+cjHW#8$IIr);Ua>n~Q{vn-3q(t(rbv<NqsjHO|j^s>oTJAl-
zY`vF8v>S7Af)nD5l{wwTuDcKS)gzE2y3*YWGgg))C;9*JQlwS_tqt$HGl!VafhaeQ
zpSBM49CvY(?qyJYGy7T5z(b7q4RK0cyBNT<ogY6~|7!CNdnBlHV#=D~-l3n((aja2
z$Y+slpP&C--!K`K6vQ=2X?UE>J9U(*G3xN&e00Y=kx)aoBb^tz75jCF!>O7lN)g&d
z&^x!K)MF^<?zA<H40+JLxTx8<KI(@SH<t&m$JyAJJdM_Ast@MeJtE#e^k2*hjvdBb
zY>7biqS~<XrR|33`!WQun^Hx;XCPA<3q=HQn_DdvtVOO~U$Krgw!uC#SGI}(o@<o*
z$tpXdn%^%QU{E?s#nUJJVuA&$tgR#lbh<rSWabl{gbV;e%HFJ%uVuAm;|Jf}s#gwA
zQ1qE)QXWMLckZFL_@<h0`<R6o_V;*v$gX>E87Sns=iOK_ykOATo9Q;D#)%xzz)aZo
z>uo`~^Ad9R_}CwkwgSC3lWtLM#7G3kos6$28iHH?ne>=~^EDP{aDt5>iD2~W^ZBgL
zfdyZ%5O?Ny*B-;mqqorHLu~gWf9}ye%TLi~&hm=ZAq{Cbzw6$AhHktbYU?dFl0S5;
zLV9V=02v{Q$!K_m5q?W57cTh}@DK_zJO)pgL)f&`Kmi3}M4hQr&Se3Oiy113Pi{7i
z---<nKLn2#!Fp5HaTn`NY0tP7{1eYSczw)BL>L0p#g)<czc1j0!-e}nE;kKS^A<_1
z|L`t|;QX4Gy7YUQg{9eHB<mKeIhP`_AHBAiYtgGHEme7um8tcgZOPYY`41IGgnG;E
zg|9S}^u;BGHs<?q3{Y_?Y&Rx-cxyiNr)wQ~MTN<+iO|4aIBaBMcziKev)6*m-0b|U
zJe-SH*%I7Ek9d~T_4<7i31wLYso9|k1l9Em{FG$Pc`lAdpljhP_SaA9AkLrl?ozMh
zn5h~IbKDJAp*YXKlOu9tzlCNcgrhvSMyG{kCw~2sM*_Wo;UuC%6UAYs5SR~+C`oI2
zvhm4>9YQXmM81u1SZnz&d-`wRa(Y|Dsn;4w1fn$cunc`Q4*1a$NKJhJmOhx|lMc)f
zSlbX7-4M7o47aVn66lK(7*l=dh6t}Nev}CJ!PSWOUj7Llqp(sO2qdoW>PkCd<Uis-
z`Upkf1MeI$LvYh1$UOQmr}~IV`>aGpU5<L-vP}_;!(A{|w_70fsJHS-vhqm|-@ibl
zT_pf);TyAK(A*aSD$3DGEM3a(D(dbT7`Gmv1OQtdfHwyq<B;$>30<Qc>=bHa@2-PA
zr|6KU5ap1AN|((Fx>B4%cSBBm*aMBiSOs9M15aRn1{{ire{zL|Jk#FQVeWmzQ-952
z2{!B#eCY@=dUc-6<mSqX9J4&9Of3yj)<*f8|07oUmRNw@VqRio0S;?>!#*_L6Na?U
zS0tmMo6Um%oqIjJoGVeC)oEkjdrn4JYvH*I#<YI-fDB;RB(AGBU4{V;<SP&ZW=rH#
zpXw~q_QoVE+8hj=D^ZeFfS>8Ripw+Do(Io98=_!8IMRA4`sA9Ag6c4=mSHC$P)v#;
zN{p)QZsm$TqQMSRL@*jf2)9rC78jONpXdTSbDulz&3x{MZ-PMB=1YG|?2$2AWCP2T
z3YA*`w<gnek22E(sA^kKKu##jJ(=bZ^~olg4TcFZoC9D^mJz8mxbfCX8H85n5|v7d
zzslE%oQQTIxd+{yoj=z-{gr!nN0P!=n8*nMF?No(>O<B29Vo8Wf-KC}HZB<Zm4&A3
zmDDz_{IEGjH+dIV_(#bfbE$j9LwS(@KEsHjYF`rK2=Dcx+wAyQ#<GfWl+R1m&W|n&
zwsu{H8;>Ye6l2_|LUtZgkMpkbj!0|DiFl{=3EZV}ar$ZwK^42CL@2j$RxD=t8j(l(
zg+Ja3<!xI!96c|zH(~=N_|}bzeOzs1_-n?-A}1-fxqcQ>3=pZN*xVV7v)<;Xym_w#
z)ZM4UOyQvq&r>GIgqB(EkoHrm3ncDww)_uj#ThDlx>VLy=*2bWs#+H@#l1^VJ<YIO
zd$>0*{1MV~F8UFhg{pVX2Ac&KA247ab6+PbO5vX*asmf72p4tqP-_%22*Wkq{BiJg
ztUs}(l<M~_>d>iAtkF?Gw7by-FxVUZ>YVepvGDp`KK;-Me@<w@TcPv;>@$Vmm`%zU
z<rF2T=I1P)8)?wE=pbay)&}(*py|I8LyJ?+@4It*cb!g*PMhCn7)N@!0m@w53UA)d
z>XfE0P;9q1)jrUk0;WrxY+H<Cd^Fc)Vm>}d*@Em5(X}9H@6T4_zOAfySwo@)t&b|x
zfv8S=(q8e_gBwrro4Xz5gmk(_BPMBV#dWp~Ic=sSJOe9n6Tri?+LtKJZH5V6s21dF
z0;8VBDTxBLX*B)rpB}!v=v2=qnoU`d9Jb9UEi_QT4OhtVk2J&wzH6J6yW-TD%PiE+
zWFXz)G<k^hO!~Y_F(cW8pGP=M?FEb(4cI4v4l&Kgew;GLDSzRXpWViiHp7i%&{`gD
zSs8x2+dxOJ1}9;o8qZ#qR%Mez=FQ8g=UHD_4&5J87zeJA7#ySeWPTh`+yN5r4-ELj
zPzI8t_~K2`ypuzM_`s&zC@O?~*tLJ*$TA%!QOTnvu{t<HSw%j=h>mqQg#u_pYlLBa
zyfVb@9Q*F>8r8qB&Ao=ANMc5b{LPc%7BGc(pxpWj2g?D|<L>y5<bE5Y%UhD5T!j!Y
zn=2E_a;Rn+tnr1-^_2^--fRBLfx9Nu*}1AO*xlicmJ-#DQHrE3_zw2xmRu+)hL~yI
zDDB)RNF444P=o-02Y5_0It{PH|Ib-42iW4>;zY9YtNVE4Vm9yM**@v8clMgJ;8iej
z^+omViFiX!@EO*hV2dF%-DxxD;@7@|3U>MD{sg_G<-!ElUNbQi0)`?^@p+e$3u!c&
zF7P;uHGhWhl#b;1@W#+$vFI%pvx}k4x<i2bo}#*cksdAY$m2LvF)N9%67DO56L(bm
zv_lWJ(g(MaRvYSaq+u3r_}xve+3U=th!h1@ubida&3H?p>Xlim{OfdiHz3B!jjc-X
z2v^Px>48ukXL;_Xqg=k>#lGjL*tL$u=zD7uft<B_6OF}u(E1^3XvwD-<5&_<UZJwJ
zV5i`$#pV?O_Xnbw_B6Hw8YoLn^z6h5VVOe>d>99y&&t(X;2qumZJS4%hfj)BiE<Xr
z9-)7R08qy#V7Qf!ySKYli8NV4JWKR+-1+NJYp&0OpyVFgx+(fF!c%7{Hw1!XdTaHp
zQ-)d2WPBFQGxMvL<6?yTV0nF1{{*>V^*oPm@0{&2%w6>6=FUfIBb*g>%7^jA7Ws0-
zKHIVIe2aIt1d;QxH#l;i=mi-NQuH^Fe=W$mmbLTJX~oN6o$I#Es?}<(<(a?HGxEZ_
zj9WW2nANH|9Zm~qbSvFHpxkbbdAL8(gj{94Z{OtS(k`pnZvClNOS5(Zduv~4biadn
z-*2NqvsRqMA4vN9(%4x5i@AZI^-|Ay5qE<VU#S7-A95Wtj}sfE0WV{p{!oLG-zhFs
zmzBRdj<&;sN_BFY#GL7Tk~K`172%|a?p_jy(*WHDXpks9kJa6PRksf|7Hq*j-1pH$
z9a3E%aS;R>s%lHiO$})aYT@N^QatW^U^eb6tDp|Kx6?VbW1axX@4kl5x>Z*p7STX0
z7_H5Dy>>a+{%|Vp{gRYw8hY&kQ*nL+L=XCizr7FS;21ghc9efxp$Tx71m}Y^dmIm{
zfAM?mRCShm_v(v~EOfDgtpA=V6O7GAzy*Zq>-qiNI7KAgCbBG`=|ixfj56ePmbmcc
z)CF803V)P+PYxb<e;-^(iqiJpGj{5`_g92mfj$DT2`Q{-S>GltdA&J&-8NZe2%y9i
zv5VpQBUuGIK{71ED#sVJ^=<O0YQzv?5lvZBMDAsn?h12>*JIMTR(iN69cK8(<NJaa
ze$|KqcwVnQM_F!ge;RC}HFulII)Wd&9b6}CskR>MvVq{rXCG69(^2eDJoQmUj26J(
zMA1LukP0X~AKB-Fx45`O?|s1AizYq%5^yr%?-^kvlksD589x`E^WCTl=cUgC2Nrbx
zYmYe_haEkE=jZ1y^w%@pNOoC7x3d@BGs<plSqDLf!hRTIAzql~ep!b!WL#9jZqyhZ
z7*Gz$)HMoOf!{!Uvmq_-#rM+qm|UN|XQ)L7f_spNc4!WApZTd8nfmJlXQ-J2kLU7*
zc*jc>oV6zIa0S1{#R;-Bq?@BDb=9T}k#>gnvWk=ZSxM<J{B;-qY=26X<cGT%M0@?@
z{u@K&rK(!2^YuHz`0V}B>^^MI$suA8VM%ygp9l%h&YYhS3O9_CSlN3yd;!Zjd`HWE
zS$srG^sGwaL{dhzCDU|Xz_EGUIE$(xUyVDS(Wg)5E*Qalr||-i+cEy$&ex5+;|u$H
zV+4eB66m8#vKrT{nD>Q&Gu5&OnAS87hK~TbNMO}I^iPgDYCa`0{WrMCokj$)JQ?SZ
z(!ZqAsPc%kFth`f4VdO4=X}3#2FP0zzIqHxwzsCqThy}UK6#iqsh^IcO%IRUG9`5d
z1UdsRrvmwJ?^@0$Mb@$iRqt5VZVpOgo|HGED7e(YvjvatPL6E_;82aDr-Cf>gME4F
zXHT+Kq`h0EV*myWNqOPvcSf{%7LY*|*Kk;dO`~q?D!?roCIoLY^3wk1c-Z4^p}D!x
zhzf^LX&-+gOg(#c--dc+5AWOQuVU?Q6zzE@F=^rR_j`DQOU&ii3YBRe0K;jA*nij2
zmG4^i#_@+L9EEt%yVE*LWLHj1o+f5WA7`AVwlIPYvTS-E@RTst#*{^Fu#$X41}xQ{
zjFv(1_y)@wD@sX(*y7n=61JV45UWM9KGPP-L2yN}4b^s|CbsTJ#a%J3Pb)jif`t<n
z1ACR91D}F7?(UsQH%<y(Bl3EL>4LAv&XMZ<u~}Ojy?+BQB8-YFj5c_YJHx#B?<J$#
z=ZO4DH>nZO8~FVOKY3g48yC;N7_NW2Ny0;B4m2xtE7GZIFSu<UTgp~j_USi9A38SP
z0roh3dTGwoZZk(-lx<`kHtrlz7dBn0#=0}J6rd%Bafw>g6u^2>a20Kj^#ApHzcb5b
zvbVq1{cfcD>Z~eZPT16hEVi|tJ&>U*&Jz90-QNfCKjnQF!s;FGH~YUWy5HOW#2y$5
z-0|F=FbP`jOKw#=X8qy6kowKxlY*TGd9d-h!t|XCrX-U%@A7Ea49~C~B}ybcd^rmJ
zPt#9?i<PJ;@9ZV$nVPFpifph5^fF2;L>Yd2WUlpI^OuXcQ*2*I`P>#<HT(QQimFQ5
zf@wo#-1x+EvN%SyiOPormr9YXedGVGOHQI(|EG9d%~)koD<!jh?DKThvr`m5Rh{<a
zQ&p{pjSk}VFjH+?v`yLsUd)n0N69;+EMecj@+dCz1|r|03iP;+A*E3|<i-mpx^vLx
z`Ekal;m2*^-ySAw&#(_?KF{wd$JndZ7^F@{ow=Ww9`7tEQ1t2<iHRlDYs_6FW(gWI
z+Y%yuulYd$pzn1n$WQd6-`~9fPr5F60h7y;0WG=*RzSi*6n8R(A!Cf6!PRGeUBz)6
zs$^nr7=_+(Njx!|EI-*kl%?u}j*f%cD($-Li{tFxs#Q@VRQNd1#_>kVmha-#6-~>}
z_8)RAtm5_z;yIZ;KZOE@rA5R(UiEuO{=l%_o{#k5*-T;3ZB{n@qP#t4&tB)JPv%1W
z*r3hfTzi^0RPr_N>PE-0*2(Fdd)CY5V50O(n8^!&K2ctFt@?~t)}zMEgl$iv47GvM
zX#M?oSb=Ff(LNSj*Ab{584=S;9kw!0G3f6k>R##n`>D%5N3LpNRW_1=8@EnZn1tYQ
z7IYiO{WJZhnP!15z1`oF#`6dD1W+7q8+*@B4mQ?r9#r#LqowQldzR202xGY_vjYVG
zET2<poJ!NzPWCWotT}UL*}plYCm8WHk2rMlE6+eBmEB{DIjV`pqtrsI#}uhIK3`-p
zGmgt@@P4?np`npc*H_<`YX7RXw$X9%A@T<upK?AfeQMyhuz*M5dWFjh)pv-A5;*ME
zc2<ppqk#9g01j%S6G<4}D%AOi?8F!?H-TygaL{UW!hk>tO=N%KI6@i9!qF}mmBHic
zF+gkwMdyG!9N`l^PtK3{PHLpPN>i!>B#at;#jH>tYmSSICuesZ|N2JkxTHPUEL}a!
zIHCfuH<2*wPOTz~payQ52t~x(dctR6`gH@s^7K$yh(w3<FLtil4yXFbfH8ya1)rX0
zIo&li55*AGS}AWE|Ej*u3$KkauV%YiYi%NI9t(Z`Lw<$E3e}Q%M?QjL(7c>oSItg+
zTN=RJuv#WV*c(J7E*mtot+@GTybg7DbUaDFC&-Y}@2lw?3_LTj-GSM$#&?CxRx-Me
z8x6R%kGllkwLq^n$PA_T^axc+uMRpnDk>@JF7tP3i=n}uxeuY!6wA;a@}Jx7<<e&~
zC_S>4dmg(V#h9=hve_m5Nn1-aRheqeo7L8GdD>O{8fUvY>m4rjAoMnmdlRV`wLB{c
zel#{+q)mQ$565l~*~S5~L3&5}GGXstn}!@=UnVfV_gF+tQdH(O6AxkLqVBSxuKKG_
zf5a!fVVbO{YBw7%V%%H6^OZ>=W;-@a@!R`p@i@BG*=n(W=9e@2v-!Cv>B7kR%oXee
zGilcq8MQT4{+?>OSMR0mDgW+1worZkj{NxgaCUHCnCCVAiNB3E^PQm!oWQJ&SZCu7
zBG8Y`-ee0}6JOxZ$A_1sHas)IKatjmYWO1I4;hDU`dwK+4|^I+GHgpm4JB;%3IR%q
z18FM|0W6Y;=JToj!dHiX9rpQmHQ$f$FS(x|f)vR{F8YI|$ryb-QoK{pa>o{jF7xaI
z9m2`->WlS6qXGyoqyA!G*J4nuqJ7v1NEW*b#Vz|pB99eex0MC{k{I<XpN~&(c#m;d
zVJJXhVQ!6b)K{E0U^k1M-#4{zF&8t&n6s^s3x;eVR;NmF&_SlhG>gb!W&8fTf?@ak
z&TFHdIoMMIOpHUL#^ooaAcjZ7YlR1SB5+5!DthN<Yox}kG3lqQ_Kl@}%u`|b2C-5r
zg69TaU#AAq&i?ANAhQZs*GY?(DO9iN4+^QMUJSF}GE+~RJJqP`I$mA^c)3AK*6?^@
z8ggF@hZ0z5zHWhXCyh`}!yCtln`t1{%qpSNv!>H+E}4A_&Kmbf+=sO|4DU*5ZTx=G
z*;h+Y(5Z6gdOot+PV)MC=xh@dsH+(7xOasUn#RBo9hld}zrrB<_>kFV9+Q|)PAn#h
zpKxWBQCG~7rKke&Ks=A7#P;6<Z1MMzJJXV_49WwDP7rzFcpIXKh_r6WqG(l;tNuT#
z-ZH9=py?J)kYK^x-7UC7aF^ij?(P!Y-QC@SI|O%kCvXmK=ivVFyw7{TyY8$t|7K?O
zn%=c{RdrW&e8R7$@bId^KtOR4E`?BP%n&UHj4FrRJyyJzzMkII?t^{8H!S5!Yq7p>
z{?t=1#iE6d0a7$n-70CLLax`hnhY44T~E3O0e@_iV<v=qi!I1n{Gb_GmXO;12`$jh
zL}D>~MQ6TPI-8)4@}#xImLi>Q7?MD!w2P@|vEpq=A;B~3wJ64lMrJN;Y!di7HAc*7
zD=!^PC}MizUQ>Su;|$j)j<-#W$16Z39=0N@-e+aCI+(gmnv<d9O8tTn0N-Ca;)^S_
zEruA(B9AcbTZeFlRUv*}fLMeyP8|^?I*i7tsiqwYPXT#q`$g}sX|v<{+8TgicbJDS
z2wg)j)IfuSVa6eAEz2yxNmnq`mBvLdC;;(QeU5!YSWyJ=?%Fs^Yrqi+ir9=BhVU7l
za3j;uEmS=X3S9Y0y=Rrrni=8~RQL47^BU#7pG|nuhFlvkRbelFF0w7vMXUc!rZSmx
z42m<MJ6IE!_{0)Rs^TqI_9<oL?&E%SO1C}%CHK8zG93f{z^TpDXY%VP%uTVAMNkv3
zN$6W_?D3d=A2kzq*un{EI0|;@yMhC0pFKL^*WK5L4og9_%Y(ba5|kP3yGzjJOkzwt
z$5Oj8x0dXSoP<mGXETAY;=y&KS0YK8?O#L$3?3z-NKfOsl2e$7$KUHxs546i8{pIH
z=W%u<V&PPQdN%f1=BnzY8xSdtKl4Q=)0vj(m*k`;ASBm~I+oRPo0W8P^e<+pzwIZ$
zBM)tvy?_bZZJfDL(+%YJ?FsH5zufp=qr8N=^ibiVR5Ml13WroK;t|#=y7sQNc5a-Y
zixa;N3Z+6$=|()j1;r!Ja|?ak-AH%l6FMIm9xyy5>BBNqN=wTd{HcCOpei{i&fr{S
zfkG8D2g(WBOttX>s5Cu)y@t&zE#t!DN^n0Eci82Y6e?fbsQiiNES{HOtz9d>!$lMn
zEOtu7l~1~>$(!5mdFgDT&hMDqA`AcV-29qrp#Nfd%B2)Nzxp+uuoT}XM|R-%bc?Dy
z4G0V7$GD@zxLe(ZoOc=reotC2>rKE>-j(|gwVvL~>?vZ)&ng0h6`=(=5M)}r$>pQ!
zEIj>6&H@nXC(`fpkS_E~bw<fHo8hqK#ukM$_uquQQn{H9j#lbj^&+8>Qyve?=aIux
zujkfW1bgaTE~!qhi?p<>i@9_wZ@&8eE#9J%4Y1Fh^OphD^;Nmhrm_kMl4_6|!QW#4
zNo_QUGZN7*jX0{F?OlB(&V6WBf;k&5(gQYxdc_O46ye2dD4L!=IMQCakIEX|`7b5L
z<Ps6_3gG3Egz|D|9anfzH!Cvi2Ygjv-t#qGtSR%Oc6BmD-#<m<Da;hl@izR2f{>&P
z=QS-Y7Q2s=x<xXK8Llx-^;`uV{Ls!`d*Z<v;^V}Vn?0V)$%083&x&025cN-6u4ZSv
zyPkOsF4j2U4h%<&vF0gYU+ob+58E8wj7`7qptPI#^T@oXA&d8WIz#1m{)Q?G1$tH*
zQc>h{8GMtuXBG(r)bN#ftrq{OIh_WhIaT^}OsN6HHyr;W{S3uQ`Spk~oY70cm4xjl
zB+Ka3GC7pSBP^#)P@G(Bvfo^)Xw!#ij%HtN#?(9xW{K>I$be8TnrHa19di5&NU^O6
zc#qrDtCZ^S>yQowIUbTg;CHc;qlGmq*TCu4nBx3nY7K-<?pQq$=Tlh6FR-!+xqc>|
zUtu$|oA^lAjh9FJA|Z_%^rI_Brrvj|H=q>f#dk`9z#UbXeB3sQ5E+sMLMLbeq~b{I
zu0e=)jS%Jz-%64rkM-CKeHLQGR9>&DbmZGCQ+p`6$>V<|5YKoMQpp=O&K0}nfhB+q
zPF^+*Z@SfAiqP`Lh}b7>3ikCIr|)#@^c&__8`Q)P+$?5@S_GFl!|8ZYMmEdW0P6V3
zfT`P`iKf#SyZn1y2p<@}ezgtv?EkjKcn<e?7J^ob*lFpMp*;AuE_iAsXy>@^_(5-_
zCoSxz5|N(bt~<`_f=uHE*#rt@pg01}<0*7qtae`_M?L;{2wnM&$h5;>Tzxhsvs2l3
z=Jj4zLz{(ePj0pnN#@3Dj4%;BD8_=YFHwvuv79K^;=A^bNT~`VE>dW}k-e4*(It$d
zMawk=to%kSP3|PZt^CdUhx!Y~&2#j<&-+ux?Sq!@;eNlfSuw!VBE4W*$wAQmMnwCb
zPEGl=8zPCXyMy@rIB$D!UKV-8Vm&O{jI7ez<D_((S4^rv>17)+2$n>r+N{oNW3#^3
zg6j&-p7jCFG;<g(>iDIxJRPlebZuQfbPBx!1$XS@si$|tH=casHh3c52gkMkwk77+
z`I>W?r$EzBVl^>nrL82LYr5~Zvrr<fNfXY1LgScoQZhd;T){BsTxXSZ6~_rrKyq)U
zhh)8n@zdVf)sgvC{k)~S`*rToIviPe(uzJMo^_--O=@T<hV0?JjYbT9#VtT**)Q$#
z@ZMWTlx%h7Howck_SAIx?+SO{!6IWX;BRSG)~`}?8qA_T+P7&g)N93O%gMn2#Mlzg
zu4^<AgQ<xQUZmwe5(H6oQKG+ikTBWzmGoum=4#DE&XR9$H5+fYSd^LYwZGp<P>Nvq
zpScNcNK}CehDH-5DFj3LsX!QD|46<>Y6`(vent>qBC?e4H?M|)N#4~AlG(XdAf;RY
zl$ZX*(RXmN&GjN$01>zeEkFo-a|kx<5ii_PPd`I{?1|3EpUP(d&5{IE4GG1(o-AA`
z9$b}A_swQ#E6|B!eVmgSIcJPT;mfuZ6LG7l`NX`>{rUSM!)6sqw2)#B_1uE`>Lh9a
zA2s_Fg|>nV%`^qq=mdAa?u`|sQ?XUp7mwJ?tIMcfw!A*g&eyN%5pKS`p<If|IO~xl
z&>Atjd|k>63VvKctuJdS%VL<wNVrD{4X;|l<4$i)MgVuBT_MB^Tcbos)xdsVPShs<
z5u#n}Hg@_Q7uKXU#_fxZeDpZ{K=Xy;;qc`YT8&)+y)tS5lcpr(AhBjTy<f;>VLh|n
z+l51A{cVuLmeg!ckxqR2mWU|0{zGODcc7<YG!=H;`c}F$e~J8oRMAmEb^q)1nrwuG
zFGZ-LTMPfsgP&|8$zL$|It*iIrSCC(uwvf4kh|g<0{E~Wy(^N3ViIa1m~Ilopp%G#
z>mqmGK$*BoT!=OKTc{h&eb)edce`~#mm7gDWJ2G4fqJiLNuQPZcvrEg$X-Ud{bmyv
zce;ZT>~9E9z2P4}I0d!4c@Xa!>iO$K3gW9Bcb&3ynOJrV?j0}C56*sHmE9x|vHv=a
z9Se5d_%8;6yJ<iK;F`SxtDsvBvL2?1N|#!6@b?QHeF#Bj5cfg%E58!ov?t?}4yC~}
zI*msyPH|T?_<sTPpO^n101<#~L(|>rx<v8{=l>6OEa1JShKQACNrY%0F%%v4%jHi3
z$_0_1v}ivb$b}r3s8@6_P7x<%X<qoHKgOPu;|Ws8kJi#1Edv9KWn&WV_5t}1+1?Gf
zb|#`?2=)?;VuAETn<xh+y?b2a6G6476F5(0Yd<@?Tq}#%RT%v>y2=Obm$iM?BQkI<
zP!7V3-NNlg5-dBfnE&|+Wq1A&kSrivj&^tLiHs+Ym-5B)(%$C*XaR`oq(uc~kuw%%
zNtk7xxc_4jq5LB}g?}B?MN57j5(gInZ%Trd7T`|5bJL03>A>gx!kYcsc#eBl&zp$q
zB)ql7L!^duB(rWU>6#s03%8l2t7n%cnKZJztbO4(c*lXiq|KT8)DqNUlPaeW!=dHL
ziMYQWbD%kR>oUgXsvE<>6j_e*LHjEr9(Y4GM{fln@*37si=Kp}J4de|#?L-#5f@DV
z`8#kHy`bHs38DsWt=u@(0o8{Sf25VYknYbRJWsBC=$|$Kyuf|=lZ*c@C(}}Pj;V4F
zkGtA4)tg_@A;pV9r|ChK!1D{=rQw5)K2?Y>)`opC3ujWfsK6A82);bO<uy1TXLZR5
zfZE?T?Agcr$q<iMI9JLlV=vGF8K7^=k^DxEtn#o=L0O`Css0|{yndDJ{)Bx>^ZsOs
zYdf=CUj;8X@OQ6oF~R~siYHVbefK0EITNKWoZ!c`h4$aneZsBMoQz$0#Q4Wf8;9Lr
z<A?iKHEnTDXn7xtCf1p;)Xs_CMPOU17d6Y8X{yslaS9c(#dP>dHj2V+FmWBQ-u#>P
zI)~U?A&x}Z;uoiX5MS<Xh<K(k?rRB7j)l7bU&g{uYJvH9eUp!}3A4(?Wn3UP>T%YV
zC?{f`lu;NUX->65fAKl45P}dkFtr!kqFc=JNm%5Va;|-9Ou#xe)fJ&jlRCwwhL{l#
zW}C5ynWK279R=7B8>9{sEm?ka*b(p9E8J6x?MJIo03%}{nA7!!j~+nPj@1F{wn8^@
zYeJPLnpb<>IOCQ+#&#=a7N@S9pqM>o5tKl;MGe9Qi1XU-tBjd&>wC59qdhU?vX{=1
z&Ki5`$>bL%uene0&v-^UW#AX&TomQ#z*P<eqY+CIB|c(+Glo9rfbvo-FX0gma7HN@
z+#R8N<Sh@t?R4{kTO=0FO9%4=zXI@Hn}_nlUu%YT<6rrmw^fCHRpc)Nvqr8;OJ93K
zUe|NbQ%xuPl;Y@#$#N;g763&A&<3K1#RadT|75PjTkAv?Mx;iISRgyFV?XX0@CxmT
zXKsz!PxpAI#L3fl#04iM&x%4PG8;yCvl=1`ZR5%vtC$tSi<gAkh%?vL_%5MAz{K&y
zo$1~$i=Aofs*--ZmK-0!ANi#{w>P#o$GVmQrxdWvT<6~}<#*V|-RfO?9cCmI4>LuY
zZl&u2FE;<t3po7#t&ongJUEhov>@(2N$$6-&7z)(BwF2NSi?TfK`$Sq9e|Jx_d250
z(c3uo{S3=QT=Z(g*}3&dpuW@r%V#0j&#!zoSN1}%?;`dpuoQ@%@@%2&yWj$s((*U&
z0**t@w`NI)sOhW#MqMYDK|UT;Yczs{hOJaBopXQ)K4kN8XF;?&Pt>mdIF33DZT@*<
zek85m*5F?v)Y#6m<)7)zExSmo=jSwl%Y%j*x#&x%PY7s#kXv8%Krr$@6Y)7)INJ>E
zGiNB=_tbNdl*09dq-Wz8i6vfY2iW=Kf-DECQRpgl&rxXN1h1xRn3q55=JD_mAPP-7
zTHWJE;DuMibg0NNTbwlPZK#OuUD<W;*G9-)<O!QFLjuNxn|zpOQ~@I<qvqj+gpf?~
z)zu~l@YY&t^Tt~b!hYJ~0xx6m`NH}so=9G;1CyUS@FWCf7lY2wX6M*rbpEPQJ7%0|
z34)Jq79RFv(s5u2SyNW2CaO_`d<ne7_Swdw#{_g|V|=+<RDn%nUV@+8I3=0BU{L|R
z68oan)s@^*yf$IEe;7ORM&oVOh9kbED?u@$NCasdaGtR|tK6)ytbiS}jjA&}Xb%^@
z5ML{_cj1CP*m0KzNbAo!(w4X*^zjfl+p06so8|NVL(jL90}Jrm#&47pTHDSDuq(K_
zW-Q%2(NPp|S$(uQ=aQ2cW!-)i6edQzv&6nz6Z@Smpvx8O%T-%HVPO^hA1-J%^MZTq
z9y*9gm+L%tXT8Ib0M6d@p#B=;Rl)djNVSGY>$pNiq3Ml8vH1t_dH6{{xNb`@AP<RZ
z*&rtVgG}$)00Ib&$koghj^n_o1{D6UF2H-q?b8C@&^*W#|0@z6WW@i!>Cu3W$opjX
z4MhCq_CEq&^EeiE!*q|bJU^|`>c7@_bOL9_KfaiZk*P^86Nd;Pagag#%{07xcOuVw
z6@q%opzRMD;+2|4_1W1}AxN|#5UYBnfGv6`YDZu8duUNZ>T&$`ZY_t>?pj0bD%~~L
z#V$&lCJe9mPpQYRJ7q|XtXM>C#J``ku&TWv9E-wmOQS^p<{wwr<J(zZUf*+9XG2?y
zz_HMFq36YIENu4kk>rhU7Q`|e<JXV)p$P@?GlOUWECAkmWIz!k&d%4dU0SdOLOvZo
z4d|2mBg+#W@VDlAL<N~p2Omw;h*BQ8!4dyMK>tf_clTp#fZ0jejCWXYcgpN1J@q4A
z@TWA%E(I?RStMXn{_k@fk7I1j$?4%BugFncX4FzNYU<jUE4@L=U>&&QSf(O)TAtNJ
z)H-TWmhV6xdnet&M$~Gn2qm?g5rL(m%y^d9&Cq|30xn?(kE!(~#pmY(7LRc!$Aep5
z-5FRrbbM3zxu(}FkL!Z7CIcn0(**fP`qB{^c#Tt-#MuJjBb6O0Pk#78TVw90L+D5D
z7lMV|0C$}$)!qQAGv8%kEIPVZ+Nk%+C2|AD@90Mj_IdU9<P{EgZNwqE!;i4$!Vvp3
z{{5JPC&k#gooAoQan&yfZr=n_6l~kATr!k9m0T7J&lNoQJzdW$nWGi9JDpZ*?@BFJ
zw$^fXT%5|vN-xh<L@xV(&cf{Sya1kdrm3&GFTM}$eALPPuE$+vCel}$C9g5iL_^i#
zG6oT~Co^qPdpS}zHTttK`gHIswbjG+A6MIstLr4M*dw^L*a!?KFs`H9WN+ej7Yea)
z5gg0KbFMBsR90RPbhvHa%8P4c)0;B4&@!*%PC~Z{J^lS>F(m=}HDAw5=ncv<w$}8Z
z`0*UYa58LUekiG~njLPkWq;YvMbRv2`Cg)y@;nFspHa8R%CfDp%^gNpuid0?hwY={
z5*DRM3>y-2EoBKjaz=+UwAb2@P@S#_QR+efP6rbxoitwdl@**a^byic0;(PhPdMAs
z2<8`k@8}LWxsuFd1KwaS2fga|Z+d#83z^A$_^FBdOH{RyfL+GiRQ@N5NR{1=*zNkg
zoBWha(F^&cLP7NNo&Ds2`7?@`>O+2+WOySk3ztnMb#7h2>gg`^k``TNVP{fj=NH5U
zoc(5xR{=K+(3eE0I}Njn%##vpy})9UhsDjna~t$?pa?x8tKU&c`=~V2%(ErxRv+2}
zdrNlI+)JU7zq4=Ro!3^ztMkk59!swc^wx!S^Yw1@nBqD&^;p?;SLW8Sb!EW*GCF@H
zJpRU&1P6W|Jy}cI)|OV+alhAEc#J`%CKuet2>G+5B}J&8po<=JG&jxxt0Cy#0*85#
zja}u_)jUBnl0#QjA^t<;_eoj0MC>WUF$v>4cx(o{r%XTE(>U2aV6W5Hzk9leEqf!!
zy{h!1EVrSXi+c_TvYSTwTqkmH|K|R9hJW&$+nM$>DHQ(gw$diXD73dXsJ^|cuZx^D
z$<;bdIJ+E0=FUDUtfu2q;n$?lW}``5n?{9&;QO39%X@bqiH3d{{|wKn2W&uQ_-zvQ
z#Pi4LzIR2r1lC=(Nx;4MpuRcwo&LOh1BM8U77X3sY(Kt7L?Zl~tGhd<WTqstHce6z
zFlN(c&-HA+)?#t7DgRlO<3-C!cWpMz+Zu`JoR9k|?m683B>08vk;|h@qByWH#O3^D
z8!xaki*fdb_ZQg^<7pLwF=me$@<SQR<=5WmR#ETkno7noNLA5y79c$M&rm%XF)Ij}
zK3^mcm47;KJH=Tj5{3ENs8rH1*JmDMFQM1tzg*7_eI}3>pD%D`ufEEhwyk8tZ-byg
z%Ba4de;1wPC4X+B{d1Q3g@%t(6n~W&4#<qR@oH&_P|Mj2?ZV3s?v!L{?YXOUNlrd!
zv3_Wtw6*68u<-Zi-gCRy*!H+KRGc3C&^wM}4afKC%^m+YH`Obn7XY1?sW`QZSc3Oo
z8_?X>NJN%?9UOCu?ECJeyPuv|PVr6)zy<I=9A$cLgVD<Rh`kghj?lmrkso?3Bz+p!
zNO?O$ikS-r>Kp)z5^n@Dp>SQUWu27OY#Il~sr()w!{c{1Wegvb+ud4ql);*Wpr;#`
zq0i<}nCf}#t+Wm1)Bhe>Nv7j{m+CJ0F`iM@gFR(S`YH!^##|e0GEm>(G)&rB)+dg}
z!s%MYI3=|qi7Z58m8bJ7#36U?C)l5K1}h`(+Mv&_w2I#UQo~-bkZhPN!fVu#Aph5V
zg+lqsLAzx6$&YFPQM3SDaQhH5X*^!{tIp+BAh&t~Xrps1Gz7=Q?Xv$sH)XV`8_HLI
z-)ThluO6D>FRn!cC1vJr-)#VrR({(^gu03I<geuYAoyYE{OYVHT$&k6P6a2zl^7<I
zw~b6`Fjl`R#roUOl1p-5d}hqMMC$agWBYAicbvZ>>=XCYI=YhN&dmrv`v?aP710mR
zCyN-q6#B8jpnzadhBKU(>NVwvP6{&lD)a~Sftc6lSW`YeNBxZ&T4YQk^(FBLikSXv
zOSD2vN~$K7`R8t2N)sS^O6Qp5D{E(&hPQl6XavYA`jx^t6%4^wJ#P89Bvm(RpM3|_
zRV%+Du|mxkx|!fMt~o#R79Zzp7F)$TohM2||HeUYbNTUWfkU?Kv*D49a-~bTGwvCu
z+t)WI0AY=8^=|dDl9`E(t%Ze!*ZZ|?d!I^kDzl*u%X5DCJKnR3*wD=;)M{dJFYbTc
z6*_%+^<Hz<heto@$FzoTjz5%=*^*VA%x9{0*FIJhuYBeO-F+ylepnnj#Oaxu;hXhN
zB|TfKx6*8xT)XzQr}wGg*JKxsbVk0SKRE$qa}Wq8M}<dOmG2XFK|UBK7UTHzZX*7M
z`?z3<h?}=yP@{MF-h3xFkEDM$n8&G+7a`*_{>eGhnW*WWJb&Pb2`q;8i(PfDN%n^3
z^(5gXS63Wtt|N2M0%iICAjH3&nmrWgl8aj`RbrAvDD8uBc`G$2zH8Ry>@NSYIy9tv
zbB|f)3-49-nLK)^%6fd+>+N5Jdm0iKBo(Q0WJauW1k!;?UA%#4V9U^Sfi1Qu-!$v8
z+fP&PzvV6CY7ev9nELeLzRPEVrGYmT6OW3X(b^BHx(Bbg6Zt4Whw2GP^EzE&qO?a!
zz^};vt2|!;!DxL^zOWrLJvE=shTo_EwHwcGF>xgPKcbV%-xHaibSnHQIs3wZqlB}v
z=SY#a8m3jVSACfY2L!N%lY;6<`r4a-oGyi!_c+_CbBK%|eJHb}w9_yGemI82)(@m*
zls3m$A0^@gR8Y9PL=u^HG6qlc9#VJ#uKLOlx4IZhm3-3xol0=6t*YBx>&37f_wLCd
z(cV}IA3kecUxgnt|K7AX0W;{Z$o<HpcsjGlXQ_>ER-ivOcktX>aMrJ175A*vx`w{V
zD-u`oz~p4Xd8s13uiC$LBrcH*mt2x~(?>0&ek#&hKd8&C4W~sEAq-7?^g%l2Z|aO7
zzFvY_pAD3fb-h|)1PXkuqCN9B(P6^zK+(F(o~I>GgL3U>j}2UA&)_qyYf~NfYo&)h
zTt!aPrqD(r(A6#x0q$J+{0{+T0)ieY=SHXNbGnyXMa^?D&z@9sU@65<u<1EVpC1);
zSQ=9rRp=dtX-((5M0d(%V(i|!Dw&o+TSLR}Y3v61xFk4a^GqdD-J@v~&BZgx->3E}
zjas!WB7Jh?t=}80Pf%XvRG&%zKt3z|iUy{k3_9z6PiXRw@#z+dzUOLD2PpF1A?{Vy
zgI1EfX_ZT4eL6?U2O=90bB8w)wm2~=a4uVho|Q<ZAaeik%j&Dl`Z6DR@SUbyk3gQ$
z6Z!g?SCseoeF@HOSygY%h>rW4lfZhK^@?&jrgra0+_u-^)?@*9jhgnZ52Pz2Mmy<$
zsQpB1*lR)K;fU{df2<L?y@^R~Y?~zFEFtEP9)4y&<{9q%o4>1wzza;^8!9R0f6@0z
zGh+f<#BsjZPtt0FlRSqvpR7M6IePo;gZ9{QZ9^W8ZkH@H)rsLRzQS)!;{JdgDF|bV
zwg~!r4*m`b-GlbO@0tKQX;`?QGK6*NRxT^RXW_w!Q-XQ0C#25kN2#JBfB%`s$)(sp
z?o#q4Q-BA5B5_s^P|20s=nBal(v2c4OK-zFyl3_(&eh{tx&Nm@<0|&}lr236{b^xW
zv*rx?IOPFTdHo{h#HjC62G!xt^bd{lQ1eZ3SV!c8Hu7C@f2Gvfq$~J3S$@&paGMoB
zDkAD#;6<_SeqS|K!Wn=Pz(cj$oxdf+bgginl7dq9zCA3gAs%>&jmOvP6d2L1xmh)k
zTO0A%V9>tQHDr^K5tV(>IWIr^@uyGJ(ISJF8d2pfs#gC%;br%BsryUJ9rJNE=8X4c
z>#o(U(Dkb5%N4qbp^qBT510SZ{7;dQ`ClF7S(MIvGy~AmzU3!i%e}r#K#swb-hK*g
zX2+?7fB8@wnGhXF8sJf%_zvZq+gJa^E9_fZ`XByJNP%ucSo2EzOkc)eZ6p`I+Aq_P
zRI&eKFT!$<w<E(_3t>L58pKX(hN}-??1hHm$Z<5K>UsaU)4!-8;f!n0gSS@H^gv3%
z`sxQ;8L|lhW8%w4OuRy6;<qq~D(B<V&gJQFd?uZ7UVAAmiK?1v_6<S^#{cWz#h;;g
z6J716h)CpB6y!;}M}}9|mW+2Twthw@@Y?EqTf%nkP`vcfQ7N<PI(ViIK7aj-ZU?mg
z*%b+~s{{4fG%h9clK(?!pP?8%0CxlN;@i%{m$x7EU?CAH%>VO;gkp5D33eR5Jl*0y
zCHJWVzq0*Twg2OM1i*WZOlb)TE9CdQ!pME5=5tbJKfl-iuLnkHCWq!I^%J(@f)pS{
z(pgnct)nZ&A2&eCy&JT6wwc)!=Nh38nGU%iQ^VoqlRf$61_`JY(wW!|?2fn{oV(BL
zxHHv?k5~=@F8%o}9kLNKu#3)ekDjlp;s<t3JDioQu?`D>-d0*-M6Wh<3?WzXl37CJ
zpck7bUwiA6a4QeV6cS73EgRzfJz*Jjn)4;>=;nDVVHO*Q2PN}a=&%>EyP<d^;IL|~
z(QN#*=YdH!4Z!qZf3>lrSKmgxxqv{Mpf6qCJxA&)Lc&1V{4)tg+Om)uFfVe9;w=k%
z(XjE6*-@NWXFDAB@V@(ylzO#%rN8ZSD97hAlj&ki{>!0_<s>6A7OD4W7&5$^?4a&4
zvt(pF(N!n;t-wthMT4E?9W8nhS9rC+TzDemo0H#I45A18#45CrHt}!iUZ*cqDwF14
zGtwHcdGF-nMhxI%o*hMBDc5a?^cupezGmdyr@DR3(3ES&{Y*DTuar2Ic#(EQV>ope
zY72_Jd0jAskVS?VN`B*Y&-P+h<Xh~<XG43ct};Mgg1%*?12s}sT$Z37R@CK6-s83B
z+e1y4Ul-skR^tKA-q*KN{P8|6?O(sgpR}ePd&JIvK6+V_cu`P8k}P@sqA4eY+<m0v
zB5##UGQh|`M|}1p*Vmf7BA6Ds$ML%Z3dGzT19v_J|K8o%;4MeU_t&F`Y>5j|sREZ5
zlQ}G1ny{H|2AS`S#aTYze}5pvV-`zVTX|}?Ub?s-$YuBp3|X5%I-m{JX+%HZk-CuD
zacC|IWV6J#!3MU}?W}8TmAab;H^7yz`s@h=^MMajR)tX2yP^?r&xw(#B*WD2&!(jN
zGI@<&JC;u)wFch}F-VEhu_vq{w3*gLw8VRoI+?!LH{aGKv1WTo_iQN;?HP>))l4l3
zh@japl3f6}IRz<I;-rmh@1#0AI)#GsPuxI1ZO|8(W+vc3DsMChV8I3s_Q>a9_+55m
zDugd1@C;ZAvz>jl>aOZ?_#UvNq9ReFS+cUaqE$u%QWw@v<oE;1M<^=YIX|dfzlF19
zqv7R>JyTaiM~tRo+JZni!6DX!mpyZsa48RIVMwvxsLu70$L-2v-%^o$an^q`JCr!#
zA!HBPo1H1ukuOS1CTNF>TSGs3T6b|7p4>diur%@LI>K~LIgRSlHu#a?5a@nYOiP*<
zPen@BLyB&&1O@Y2MjZQTP7T0-!UJ15m!?atuu4keI+-9`BbP{>5bvAU@(Y*;8lr(y
z$097+JXkA`qzepvSr!`7OkreaX6DK$WuO!>L-Tp^VOrXvp&7%GL&sY_QS8{(O%5hv
zgmD56w~p5yC)skUZZu}346>d;P*CY{>v4`z-y3{6y#wg-0+XEm2vOa_p7q~V(-2yZ
zmCk_0^$0530sAa0#brHA)>Nvz28IL#&Z^>^YgJ=IrA$sli>>8C;};CZZkGwK>gAj9
z44fEpUHM@XNbv7zUoX_8$5vR8j?ZcuG`EIq`8rNN8;h=Tuy1bk<Qv=Is4gne&=UeR
z-+@(WO^xMSF@-J3%@ZzqulSRrEF`gKLr0}cvgfk4Ap7z_q~Pxy4h!NLbm}8%z9VV+
zgUF?INwn|#p>KYUUUEmaSGMz2zW0ZuwFbN$B}ysKUQGVr=-9$qXpA8L7n)cb!k=u2
zf?HMCOC-3bV2Y0RPZizBu6%Lt5mct?bO{h@J9p!m2t1+m0wxFT(M_2p-Sm){UV7rE
zwZwe3%U!lN`DL-uRnh3?dWCcSO#&I|I{^;d-t}!ObOVuB&E(`<pSoSGTzb*?lK9(8
zei-3wdR7?WRet<vn4id`=Aw+V8QpzYr%~sO!vLNrZE%Z}s2-!8zJ~nk1<UO8u<18_
zi?i2@r`xX;^RF+rw*9oQo-%@5czBK-uk=s1#`UwST^X0TmX$dK<<Zcw@*GX0#>Xw(
zuf;`ev&Z1AR&j|wN9?(L2|r8u&WGm8QJctT&h<?Hn&jG>^*T~bmef5QFKvcjVd>;(
z`=KbYavbCc9UFgsDz}4nU0k5s2;xu5g!SD!-!`39M(t#!g-b7OHSqi8&e^Q=+>?!e
zCJ4)P*3cg;8tGOx%U8ek+<@>AKG(!DS@LHvf3#Mlz^Ro_pgC){5a~VafQ}=YY$%rO
zm2$PtC2@cSM7z>{CD^S>(a1^9!v4J1t>i+nLo_R;xvOR|={f9@MCILrRdPa{k<>A$
z0rArq0u(<j*)J!MV3Jkz^NaUl?=W6ulOYF_1$u=YNO~(c!=n9trtFj^INtmXW;U&w
zQe4X%*RZeRB~7f7O98E<Ay%8djP%K-LYB#_ZUYXy1#&6=REX_sj__=Bx@WrB2pl<o
zZNsBV0@3E<Bt+jN?0v}g@UQRWkdWmtUZS^I9O?&;bflib7vemZFr3Z=LTOv3^%^r4
z8fa4fVk2e$75%$%GX2@w6t81pFK+#9_)p?Jm$KsQ;`>U=a8^`u1YJ!T8qLlg$jY)g
z1eCQe5Syx?Y^0f{dkl(FgTA22(ZP=nk#s*Q^El6nd~ko@-S-nkKck=E^R;aEbzI}~
zw%mPR^a@Sn*ikfkqYUQAgJxt;g?hw`ALe3ZUrG%;DZR^G&e%xmta=LS2h;UqD|fjw
z*4JEPlDbo47<_oQf|J*`V|ITTiL^s;uZA<N%SDx>gj$BkHkQ-ES>VCNmLRb+*u_C=
zRX0GbbCX)nHR-|wIoXMVlV2oc4$ZWAl*+;kM;e!Q{_t_5<KUzIaiL1gyKw*ZjAab^
zno%-3PEkAmbdF7M8%!38__ph`_EJ+8`R*6@r?0!M&12W`uU&kseRzj<X0*nwPrPyd
z?1xYJa2{bK1F`XI|86m>J64aU>?_D&408ejPNQaPpWK;dhzH}4Ad2G%CI3s?RC=SN
zW#(E8F_T3V89O)-DCULpi1KsuJvN7ia{`*H>A*l7-VU0j)~gJ|g#$KSI=G?52HUeY
zuIA9YT$pt>c++>F)n+4cCGUo1v}%LP*|Or}uO*4;_*rgi-S|=-d2SZ=L%<>t$z8c1
zu$0B*f+h&5Xj;v1=%z7r{p1y@$U^4ln;d`&PjuhupCqAgjnk3^AQ38wvbaQ<z?kf7
z)#8U;!>V0?gP!3(508xI+8*fQ{)+Uom=R(`4;b@KP&hrcUyqWCAValn6ZPO%zX!+q
zO$e}#;b#};<VLro$FI!_tj7a~#qjl*ovwyv(Kl?A1x`%b)$O$dP<ATfn0zIN`~1|X
z1~1X2lpN}tg#$12nU`MuRvj!G9h_-R58S!mx;X73?U12bhZ(GDw~rlD&-D(vJj@qM
zrJ6I;>lxE#COjdt0`KqT*t4u0i07cXGn-_hZ4TZ*fI1~h4OS!<-j*wV;e%gSqDg-`
zb>h40L?XifE;$0j;v%gWQVa^4cld+r)qlGyHk*HkQty2ZY$DrwM^o5uNk(w%fHp)t
z79TBnX<DDKNIsEgSFF+^!z`6zM8>z<gDc{-A?07Sp(xSsM<Waw;%iqpbL6-~@ke{9
z48Q(dGLo5060?vxs9Q~?l>2>M7Pb0Aqx;*~tW_mM&JCw}7L~Pz)z@qrLws4fUn5w<
zNwv(k<%Z@%meBC8CYCxE72O?W7*SN^vC?^KKU`{Q4M_4fzAjFH>(kQ%V)LK2j_B^M
zd|@IR>>A`AX}U*)4ohD0pRym7Cfj1+Z{;Btw_64qLf31T6_eMb4GRzb{{@QlRJEi^
zK~6fA*}p+!e)9(*__psLXTma|YTqZ8btqb!)k{>XJM!@siW>@!8;=Jf?TL7g#`V?L
z#QYOAF-dKUofq&bS5WnjcUcnJ3|Bt(Y{G;m|9#q*$+;p;CL*AhFDN{@K>fQm$izJ?
z(w$J~l?r}~C4}6TjMBFuA#U5a6-59R9qLT$-j>^xfm+Y1zHSR!o`L?QlYX`fvUa{;
z`=1x4i7D_wMJrwLDo$IOGMc1%?DevD@P%K!UfjYJRw(hX>j@@i^H=9C<2-jZIB!TE
z2i{3x0n9yJ6qIW@A@&j)7{6w}$3?vb5ktK^`{oEaB*c|uktO(-8J|!t{Pv#H5=CuR
zSC7h?oo)kB+pioZy=&lIwd=G#)x*M{uJiaFqc8tgs}3TeguF%WMQQF~u~Yr5<PC{(
z0}(R^61sCQuf8^C$A(*Nr~B+1{o=r^0&nJfga8*=$-j>IjXZd2uR8QfJRVa^<MI8$
z<R$&LFWZTS03RJUT`ki?Fsw#&qgi~v<U`_%9HV$^{HxL*A^gjjb!vn-xxefz#*HVw
z$QtiosA^@2CYZ2<eYhXCk(yLC?GUrcC_m;*ZEWBXQr`wlgrxISHC>v<2bANhIVE*J
zt3~oXyav7G&dsKn2?-YZkna=UOaMFxe^x#irzIVy`x5f|Ay-k4B=}}$3(Rl&;$qDd
zP9rPLbDF?u<>u<F)SJN;X@|}<Ao9iK2p{zTIo4ZKnPU1#IVS>Jvmg(Bx$VK8FNfEK
zr~QH_vxjIPenykLR8Sh@qh*Z)c5|`jT0vz&T`Lx+WwZTW@BBndtb{ohRy*n#L_|3i
z@f@kyfir?b3XJ(d%amC6mVw^~$T2F#)~`_bx8Ym#p|MQiS;7)raRV{CLW7`$_jEWd
zxZQGbNwguDW`LrTB>G6kS>aLBTn~Ho?^A}=ENM$1CqN&*W^%?<6&^bS0)=t42r0vp
zt}Ki|{*7bN(odZ#?@uJYG^lcS#kO1C`PeBr0Fv0%c6lq0^cSz&*py4++EbnTs(1A1
zv#z{^+0>rhS;*H(vn<u6ayz<6pwuX|a8}>R$O)!;cyP?UIT>-2?yrrD9Ct_qVe5bP
z9G}gm+68}~e3ja^wahp?sQo=6t31d~=*PF&{o{EbuF~pR)Rv|$R?(oeGrAV=rj_5-
z1KrZJTyLazdCyKX<dvH-ITWks=>_V+Ym;D7VPNW3Jh=Rgj<e%$anfY^Al9qeU=rMs
zpGQVf4ID1&oCsyCmyNaEvZ;>q!L_`Q2YWaZ^8Q#!A7RCU5zp2pg8vqtrm}3ZTLcfI
z8vO>ei~20&+g#fD7Yqa!qSku=lrk+tuFG2$6&>og{<JnXtKZ%9!dSKyLv8elPiUD2
z)bVkF(Qpc(yrtnDH5s%Fn)XbuL6I^pdb!0>)NQ<YNbz-twzyoa@2~&DKa`#V>1~$2
z@$x}xHy*Z9J}(Q>V5f{yJ23XueAofipERQ(h*g_4S(7u*RX501WcAy1J!3ZLm5+zz
z$(23f_Uw{w8h1D)VC+?>qm|{4Xeo);F{ZNi3LDz@1Uva4C=6+m#mf_E4Zl|5Cym1w
zC38j$%ek!^clIZS0bO}6{$6o&6GMdp4P0Kz&>}1SI-Xv8D?N>^16K2s(Y2^Y(h=^@
z#f<M<wSZLTQwpjx?+i#W=lI9FT<6%mFM9n#-Sq*6yHZ~Q(qh!83-ziB`i|$e(i&T6
zhnLX1IXM`#9sLw|Sa}=zBWFwWm}IFVj1$PC<qGa;TQVpS9#qe5GRZ`8uqvYOnsM|K
zutGN8xhzr7seMi@GyAc>80cCWArL(xlgZ|Sn$&V?H5XI@Gx^<?r80suWU$;+mvg9H
zfDkAc^{8V*3RiD8=&PntYGt`KQovc<th1@mvei|iSoWV!=K4yd*L1cA!WAhDhV<xB
zc#XNzfPY~_7IzB`N|S-^#@lP%gvaM%nT%t;WUCt)uTm>;y1+6W{mq?=#Zy}ezrQ<?
zFYdW@nU;wj-d)|P4&;HoM`uft<57pL&15SqHo+OEnG)GYcCc*ucm+Wg_zge#s>BDi
z1yOOYoRP}x*L=ozo)-2Dt%!t*@6wC>4zid9Uay5zBE_IcS?&e=*~+Uku_7WPQkXdA
zO3Ph^v(b)J^LXTSCS^w%ToSuO8H|j!DVVa}hsHKMKs&&;sab3on3h20<^bKBwSaev
zVZqmTIWkmCm!;`B0ym(xU@$Bx*+PhpOr+h&5P&6wETtFL&?*Y^SBOPTbcDBZZ~Lb4
zduLuZ$C8oN**UD{$V+R+_{_1K8@*|8)XH`fx_Gq7B+te1jsf!8J7L8fip~5Se-k~S
zo7|ZxYh<SWK8Ul?(zOkJoZ+(OsW(@kZDMFLxjuJ$+V+Q20p)LZnbCYiD^hJm<Roc^
zA4F8^?HvH<c*Exlx7Lhr-m9Btrxo^p<_xjRd%$ewHKZ>DWm^7!^X?emgiZHMl$%n1
ze`u5aRZMuad`vbb`zzh57dU)|3RWe$Euzmlt!dv!=9cbmH+93K&#Y+J=VM~9brSc~
zNw$t$qBofkhBQdD?1(W(anmizi)LnmX$ajwDsXAO)PCv*v!Z%d9=*c+y?TX#tC6D-
zg!(X}|Hz;gyy5F5kk;j7V~J2&E_>#p(SfhEGrB5k_f}e!HoJQdvZhM(9HS<es01xv
zNY~(TTP~oQW5baA1)$e3*4%bBt1BLzAP+fv2YCG5y;wae%IEJ{G+FHQNnb83yZ|Y6
z@RebXz`v6(1{O9iW)i{65reQtpzLb82%;Q_;XzxmLPhR1aFy}4$<FH?1|*EA(Y+=X
zZ_0QaDL$RzQB!U3^d<*9M^Q7l4W6C8osKo4n?`Uk4lZeFORWR<MCUcHR4dpEPtR>;
zSZ(y-I`R2@zL)nY6zL}ZvNni3vD#sYy1HsO;4p1{vAal7hCp)Pdo(U(Tc|EgLn_TD
z#;VEPWASPo?{uIOi&}|z(%}4nI?uO|b-Gb49pDlxr}IP#V<TSV%2~XE$cBVhb*tSg
ziuA$SJl*Q4G?wI-&%5BcZ<ruf6X|x7#N*&m6Nr5amBg*?{|ktF49vBx%ZwGaRyMq&
z_1>j<nzAjxBcd$#lTyd;Yi`eLh)<%3DAW!UyRmR5uxhK44ja-F2`Ujbg+r61<J=;p
zlB(f{F<p2pb|}7avqIpZ8sGR;F^OJKhG(XwCn24AlJ{^<bm3?Tz|$E$J{7ncC~oVB
zVtVw@0jgY~y)?rd8W*uOvL~ao&ka#v3nol>U8yVE;mq>Cb0_oqF>sjl+BeO>jC#}e
znMLB!n;-Ied@NWd0B!j-(f6PVE`n9-oQr;F+nlPX6~|c}w}05v6Q6GKiT60-%zas3
z{X)!R=+1gBNx~2zRW%iBBbWeJ(@%N14SKP)+4Kv!u2gBQndV8AGe!K@YpGwjff<WG
zl@?=F$+&M;`WHu$(NuY8_ZM*wgXO$dqnHqNFwcF9QXWaxdQeMu8u`kE_4-7MdS{lN
z8+j~4N~nzq@un2+3w8GmG<$;y8Y6?CTA&bfupr<kZY5%oH1VmaU7*w-(TuLqu}31q
z?c8eFV#p_H9cBFSdzk$u%6di)jDdrWH()QQq<Zb7#kzL=#MZc5$fEi+1Bm$crQE2A
z##2sy+_K{0XPvBdsSg8tO5@WrR&sBit5SAzjJZTvntH=%+8MFp->yIi2aEYkyes;v
zSv4Y&jI~}+S7lGqDzS%>9Tq;}Vz063hDlmm@GzV6&D!x<M~N-z&ApC3S6?eTm$I3f
zLBb#F-m6sNQBSEvp)GQwmFtF2%wXKb3O^3!%#_XS<|yE{WmR_M7sgb(+PEGrdO}JZ
zGX6X^A@(ub?XGtq1)fQV;;<d1uN)f0gEU{){)FTTgx^GwlBC25O{mD&qWdE|Fp?&s
zq2J}R3}{j3ECWc<qoK@9U1X{8Z+<Qmp88|y2$Fou)?f;GjvEZ{W7dZK*AYTspxZ(2
zB3|Z<(MMa?E)wIlj(qdZ^;=Q<l=4TbRt@&yFUkTEgJ@T0@%G%=*D20c;V*&SgShtN
zQ<%C(glhqL)jooDiZ6)Y0yZvD;*p9Mt=PG9PXRl8NPf4;$o`LWgg(g!J15cZQwBfq
zVW;$e^c@sgF-ss7kK1$M62dO(X1o+I{BreMOibbm8YxVMu*L5Sf{w1c_+n_32Rned
zQ&gOaJmZJ!l!e?NA%EZY=vqSr@1`%qlvDq5I#AMht!AK4M3|f1W`4`-L4xxJ9*Ti}
zUH+^fI2Z--(Z7KB!Z8MKx;C}LdBN+2p&fcdIDUpkHI2mg1M{pO&=Uk$mQ0!$7!oMM
zq<LYrNbx8HMnMSZzp3Yd$1)2Zwermn-Eiz`=!W_rJbR1<^ir||k#na+lL(kZGp0`C
z@O0Lqr9V5c5eTT;h4a5=;*r~8cRh>y{QGWUU|qOnPtlX2r6=fLv@*@gMKi<ak`eh3
zzfa53a}dd3{g`%Dku%VO41$7P`N{(Uph2kAD-CC@!_Hv)k}sT=sOH(7SBrI7P4fqr
zA0nTi0B&ZAD%KW#=NnBxseC<8b$VZSFD0iLpH+LsDLqOk_u7T!A1!<BNdJad4*}@(
zGQimz)O$lCE9Dp!wPIcl+QVzun2(gNcVX!8s*tb~_}!O~$gmyr+Gw3(bdb#dwD0RK
zbM`;alx+tnU){8QPp-ki-$$nEaidQ@a01YAM-*3jdyl^X?`+)qHT&h@kN|=!kt=Ez
zsxOMlz20*QC$B3Mk_EA&LBZxT9`-FRj9&CjfX3Gnesx{KO~^Z)nXBkqidu`gC{4E~
ztuT_L95PPZnw6MRfU(!_A>Kw&+;G#TZU$Us3A_it`h+4L4Gla~_-!hCk)l!hhE3c|
zqQ7Gd^H=~eyVyh)2v%b;GODibz>Kt^+_1+Ub1bRtqQ|!s-JM3e)vGc<W13yCvDn=u
zh5yZT$H8{$1AKiA!RG-+?p*q$s4G^PYk4rjkwOM93J)0pc^6;X93o!Moc>u5AWL6U
za}y=*5d%E+gLcP38BhUH2efeSFmdS=kM%q|vmkz2>cRCq5C4x{Zv6@YNu@DYg1(G@
zU!4O8{jIir0?3;jUn$Xgp}GCN1O##%P$$~lT*t$nuId1N$@?0z*B1nR>On6&{yl&<
zMbJa}>8|3#0O0ycIA7$xXqT?#)SgFMjL&Y-^rkS7hX}`$Gx(VswWx&nUsv6MuZnTd
zOZ$y{B!6CrYqp%<uKhK(zfOC?U6LMa<g*`Jr6<Srv(FjlY(xVU{0z>nm<q8aM4MEb
z|5xJ75BA&q`qkb=f3Vw%;ueSQBkri^no79PFenA;gL|}#;*puBm#jZv8srb>Pd#da
z_6ip#`Q@nLN9ZVLM5vW#pk~H^3AK-ye@qf&Bswj|5O*T;$stRcWscNetsJSie8?-v
zoZ-k<8qSD@m^tjw(MOjwExGAP6)#uf(Q#jA=-7^1Y|B|Gcfo!wxib2>2g+3qmZ}%M
z@7GZk^@UDk9mEvOc}AjFVqcAxW_r*u#mXmNNf7zjO@AJtL5eUPNHKl~*m)|Xcz{&I
z>cj;_!j=AtYct`B1VtaJV0+HAle{sZAK^US82lKeQ7V(>M5<)|QMMBWky`Idm2Zzc
zK7`2Ars$vZeEh3}Pd<M&4qjP)Swa!8zOoS^R8%2E|9j$dk7a+((*FBQ;gza6D9;2P
z9GT;|2jFv7;eLvBP`&Y5bf&TKay#~bVYZ0#*O<Q}nC_?Dg0{dqelw8=YkYQ{U5$)6
zYpRhl#KIDqj7{bmFWEslQ+HGRIEF~eNGwC#A|WPcl2g<WoK9k0Pz{{E`5}@y_hOZ~
z;fXtW+m*FMS^EWdx+mK~JAK;ibIT9mHF|h&!wW<1BFQSBn?(`>-J|2~yx^mTmkVP$
zlV4j{fa3g>G5;tN$+5-H=$N=w6XiFf<RK=RB1xk&?}DtOH7o2*{CVs~MeKJe;N6;<
z7mWWI#vc^HGHDh`rfQ3V;--z>P^h{21^&(N<%Pd~0uc54@%Xj6lBhn0WPsTr)C1?^
z@lB0wi;ZW;e96~GUUZueoa2F07Tmp-A@Ae&c2$~Ih^#afvt&1!NkUIwd&|Mc*nL6B
zhkqc?x~M+7z+6<jO*y{T_9~2um~ZywcL@S_Hveh|x}@U-Eg#5_=^6!_l42>4Mdabe
z#5w5jDE{cF3{5La+-I}ibVqy5B;j%*6{BMHh=>#=!*bg05t1?FHKgUt@X&cl+Vgg}
zkC2N>mXjx*6pOknqw}{NR1`VKPUVJY_@H~WeK#oQ*3R5yMu@+-y4vJIOS;&kMu<H>
zJKGh)N}IpqZ>D=?U`&s_&KU9PLG!c~wUJ*{<X~23?WNH~3Fh2s#gNlk8ey=wkXspb
zY(`TP5A@dh6-#1Cf5O8^%B1f*2%Z490)dzx*E_vOn9RM;7Y>5$I&mHvJH?s;kB4pP
z4~X8Tv*^4kKab3QT)Gx6GXfrJmBT7nLs5`-E9#~*QSHo)qEO(Qew(woLTg$^6icPG
zgpz8#Ntv>g+W#2#E29DA;0X%ib3CDy;rj#6;j;>o7EVrbwsFp#<0j=x$5Xe4hWXes
zbFmcx>Qu5+Pmcv17S0wPMpv5L{H<+sJuZ!-{8Fc4aAuPT4y5dvsLB&Ft&vXE0Wj^^
z`x8b{#dz;zQPp@(w|r4;(%0rsM*%Q?ugkaZGjazvt2Fj~jbU7~hz~aH9|8b>qx8p|
zWLP!7saKNXZ@=L5nxGX+c!?>nd@u!<-bZaSrWE7OV~pR0`6p^{CV$Kvr9s8#qyTwe
zdA*vMmcOQ|LbAi!;Fg=o(Y;}=r=cDjM3lQ{K>gv%xV0{CP}{At_sCA(Zp;(6;kCrn
z-ptwgJ(Gu^6SlMi-U$SsnDqBXMmJgzZJsr)V-8IuO%vz+5gA(Pna`=-PRkv?+*0&x
zx>yP-fZ!PneVz|BWf#V^VcW!2q56d+tYdiJ=V-y99EvrEvuS6TC{bmI^wY~;;KFP^
z(UYxQSh<QcNs6X2i=$-&oJvtpf$z|CcnI#F@8(O-(+6RVh@J=-ePzvBU;KLT*uK4i
zO8eZBJCo4R76VP7`5tkdwpCa7o0cVsp{^ZZCyCv8h=Anadz@6bix&j_1A%6;cE@w&
zG=`7ENB#4FbB~F^+hv4Dr_-0_T&FVWO{3zEXG1JHygZ^hk`b(sn4-mrggJS5XnJ>C
zj%X2C5}jeeXy|^8tnalMP2)ei_}Laa7Y=0*%TvJduDk?92Y++xJ85mempo_tJ3aY)
zyskT;8dDUC;VTj@=5H~ld@u7e(~MX@)wx(3Id`VJkz>T#rZ-y>+s-IfJ!FHr>pUtW
zf7Ih69-{V%)NP3k?O?LvlR-ALq~lD!K!AQkmY<wRuj!Uvbj-8l(i`h*wuHD?{{ebX
zTX>sTi&D%3StYlg$123HIPoC+6V{V1a;4m_2ySERr`vBp2?`#TbZht=<f_~0UJ$2r
z(Q%wN(P_u`+e4#)-a?g15oU|k!#a+uwB4dpKK--&U-pwCpwC*nn%-^UUm)MLci*p;
zbjP=e!_#t!5vbdq{ObGztpEIf0GB{$zq?=KG?;_>mrRrc;DDK2raP$%z3p<%0NqFJ
zw3SR|vVR&2!@_bbZFZFWc3R#n_`tkPc#P(5Wo@&`PBbQ>DF|TWyA_yfpUPulv3?^%
zxXx#)6vrSpk~F>=8Lwg`K4a8wR@oB%&}h!xwRkXX8XO(5;#o!J&|;1dAL#aX+CSm&
z2952yj*gZVclXjj&*c{#2?zon8}l8x=q33?f7lEjf7XD_GQoT@7Vs1JS(+W5m!&q~
zY?!+ZE;5TR@i?%sJ*Wn*>$9-AUq?KDMUxv#g9rjo%`F^XEt3Tk#(+OyS{4*@Ewb=Z
zacb}*FZst=6NBycn5Xh6KFu{6KHA#@-rzQ7NBTOoBiT`Ci*_Uvl+nlYCU<V+Va@GG
zGD2lOEhFKQO97Ci6q&hh=Q#%soa5}C%h=*xqwuU?^v1yn*=rD<#YS&}S&lyWQDQj~
z?s5+wotip2>^}J(=g6503ulfvkr=BN{hG&C+k8(<8^YXGlXPb>Z|?{5@fAVtSL@r`
zo$CG~zV7f>c1M&$iWXXrGpGKB$sUamy0BRv<o^8}2oWFzK$DzTOj?2n@NBmd=sfwE
z7dcT#)PAOA5ooXQ&m>kcaiWLNn}q5X7-J#fWjr3$g9D6NhZkhZC52q>8lPK?w8mCa
z`Yc2;Xf^kaO!zdePS--#2DLuzH4b`TpW8Q^Z(Hmb><Vt%Hscn@nocO^FQ5$=(O#(x
z$m^dkO4b*v(X2v&4&IiHECxRDRWL*(kwjoM7dXE9q|#W38(kWsF7BJ&;r+zwP4d=O
z{3p}cM4NKFwe8F^Pgd}&s(aEF1Pj!86dh#!N<!Rviw@Aj=%BtkUfQReyiZ}~wd&>C
zIdL=rTA8CUv{~9*$T<^fs#~4N5VE`+%XWIbUL7<dW2aiz-tI8QV+z4O5p`vCSP+Dd
z2ydu-dt{`=6msKvXk11EX<ezVOiJ$xLh?NqotF`!c^*w@sp-B<>1HS{%`}bAqpf=T
zq-Byh`4LSx+v8cWWn<oUd1_3x(&kC_g~o2U{Je}Qa_syIx(+;kxcrh!FB_)5uG9EE
zFeXo+YZ$*J?A>roeh?9FuWmXM8BsTjTkmBvam{DWUN;M+_-a9%ySw1Li;d+&8;<34
zmMYeUbhe0~6BSc{)`s}=VTf-7f0oF2x7!*kx>G%2ztQUnSn!Q6vL^jTb1-Q(+KfiG
z(bJ!CTH?L_VBV{But8tbp=@y^$Fjk4E~t|0XA1FQ9Uc2S-6@wn<<krDNd-2Bdji3%
zThHeKCa2?H(S0l)RM^sv0V9{LYc~02F->rLYH1)47+6ZB#bbJ8dU|AJY6{}_9~c}w
zGy;L!4h;?-fPno+ckVoXeCN)i2qQDB9lD?o1)A<z;+>zH)=>s-;v>BZkPg0Q0KW4a
zeWGN{qvsa_M%vd4VCNL4U7jxe=Y3f$2q*OID?0s!llYsb2{Hj&ENVx4hfh5;V3^vq
zFM9mD#}&uFbGWP+j~!f_(%a3-vO-Dux(M^@Ux2S>6hqrKlJVEaKBm1w2PaA~(kYkV
zecUH0QZK=qx#TW0mFkpcF6_pOesH`wezw17IvknxV*v|SJ2F9V?a%rh*`Uck{1N=V
z@_`}GjTe)shwg~4x2Mnh+iLJbOKLoQWz1Gx$C;`BS`5wnTYH6gEl}=TrESIsT_IwU
z=7V7Jt(XD>+)NX=Ej}4f<$b*iNoSYesPlDs`W9fRt@f1<3=HodbWh6USZ+UkqIdU@
zcifg9jRnW@?zO$~u`G>MWGDG1X>O~*=219!2}C=GoVBBx9}3&&#u`d}glun5;+>Ot
z`CS6EfAB<9YhutoaA8O>w*1yvyO}Np2^|AK#~0{ay&%m&&FPRj2W}QsiMA0Q`=dZ-
zV4#bSGj$=b|GxV)xlFNLArk~a=Z=^Q6FSRwli6LIS06krxibm!mc8UPbrrhJzLcwD
z?O@NvV}|lIBSQyAd@Q%j0_>|gkL|14kFKKr9aj=@-P&xARc%Yv|DoMeFTJ<6d+M5N
zYP+ZI73Xi&sS*53sG|;aJt-s3Sg#`O-P+7iqfwxfv@G1o1}7>?L6f2alo~F#(K7*1
zH9b=Ss^H2Gamy$bM`R@fs4Qd#aNOOu^2n!_UnRe4_5EMj{!aO))p!@~Ggbcix5}q0
z_nELqq<;|V=`yIN7&=OPa4bMSAA5MN2ufX(uFQA%u9vE+-jOz@-;2@>$Z6Rit~NcT
zk*>w4rjISPF;z3*?9f`TQ&4P|3m7jhEiA3dRa*6Si|NLfeB>S+7~Iu;z1Reesd!L5
zyC#%Qeo=Px3`ag+@)`!uDc|r)**&y;c^HpwgZk;EeMptrJQ84am%X2PA|#mGP#!e*
zB^D!)uPu2ZOwl7A<SN#eSZT;)%>=BciK}sUc+TWCw-;i1uT>+L?~%(jR<ADBtunYw
zvqrC_WAA)?N-sBzsoev62NrMY^|^ZoM#J;V9j>(BJs61$x&s-fdS!QLu&3nlxcWw>
z<5yf3Pp9K_eLas~1!aw)v}6Y15<Uz0#1#H)Da}QZuw*Arqr@>VYIisj{;_UfU|=!X
zHEN5S5-xW>Xf%g&PIt`S?*6FVmo!_w9co{3X`pX!+3U9y4OUxvB%0`r*i>ysN6==U
zLo&1obs~qHBo3go53O#&e-z{{uAs@WGw?g&nUT58nXmrYoUwuKN(ODN8sgXh6~)w6
zbPDN;ERDpi+1Z?bH18?(F71Um<kNU?N4L2*+B@`$-r3GTA=Ek4?@r~_ww}GCSe4s3
z7%;_$lf|75dFz?mU?J$hzx5Wa>OivK?k%iV6w^b_e8keOn<!31wREl@W$RNll!cG%
z2~yYuGHjRw-G>rv_3Yy=feF61x`W4?G?0u?L@!B0R<mBlwmp=TT&qdg@E@kazA3>R
z%DLmk7cK1(l#5ENwFix4&5HM3KJ9j7hJqJd=qk<$F7H6n&^CQ|$WcD|&OLh*1-q^k
z4P;zu+wgh2)SjW`aC9u|`1nW9e8uiCDIXpC@n28~<<UOg5+(lC&F3#Zd~nebv*F&z
z{P>95br)O_2NT{2p{2q(*T=iDMMgsCvYN)3{Qjx<V0z5#v#9Oqa(HDVHlDS|r}pKs
zfRz}BhSK)Fq&xPJd$F&)e`xOdV%DDP?(@e-(l+7Q<A?p_J-tJR#zHu;Gmd{Sc=?dv
z%uS_M4wVtl@#KfuGAtaT`tBfhR&jiS;zvXr{gvWWpF;6t?0!GRsSbeRXHZ*t@Jb}=
z&EYv3;e#B{i?}F{)BDe3&rwsH$_^C2h`smEHJm($;dzGBagyHuV)mQ^^u0fZ`z<mh
zfA87kz5Mw~{+zSL=bZWnLc*x<24bHG5&izvN|FBO0PhoV7s0PV6i2cKd&adkiZ``$
zz*~eb03JaCx)+fv*YoFphT-p~_znDiDSjir|I-YA2gP4n&A%(0F1(GrcY>fdA+#ZW
za~=II@FN3U^drOCI^4?fIKde`J18HNms0*9&L56*{*Zcau<Klln%aB#^S?~Xr9{7L
z;Ll?W|8)a@zQFKbHSp&%4F9>vAAbLPD4nWx^mANFKes<g>F0PO{W1@Iud0!LnUmoS
z^vfI!Z=hdhVffD*>i74;+bI4J#cyhY-&}n@4$yM7HI|p-((+2}YS%WmxAEt{k<!`L
zSYG@(hBuTKzn0+*<;8b0yrI1KOj@osX?dkMFYliKH_2wX{V&7pe<uM~$*dfYBSsI5
z8=n{MB6h*kB>VyV6C%DM;Sb<YUV;}mf121A+4E&nv|OF&C-wXRe2n2gsOJyhgAD&p
zJ%0f2W%z%I{Ne5PI$DpqT0JuSCcq=ej^2yd6+(Z5z4O}Uc2M39W%Rvv9A<PfT&OVI
z*U&z{PV2>vo@MpI?Wwe0?5tjXUx!;c9%ne|r%w_73%jKC0{B-%Tv9K;0sMWUT{cI{
zg;6tmE$?@vyb)m+`cXqa-O2E$8~W)EhJUZ2pDr={J5oNt?D95>zl^urMx65p$)J8!
z;G4k4TiJPnTbz#oPxJXGOy?tVb*$D-Wnn%qg(*MC_5Ql{_YpqdkUOqtcRa>_|3N;#
zkn1<F>!0Pn|A6HBjqLho`0wxK^ANfIQg;2*VtL{EBA<7{vYXh|!w7A7{buQPv<I$V
zLiwU%S8n5U{f3X%z!&kV3~|0luV2HjbH2z=uN$X1Ut}+?{$75dZoKAvkzK@oU%UP*
z#us*-|9(&1_|5quJHJ|Pc~{+d%{e2RY;yhP`s*kK<$Jl<4;WwG$@%ho-fwDrk=60#
zN4)>k+RO8Gd^wl*i+a9X&&zct?;rJixtjm}4Bk)b`EnKi{Sn?@>iKdRFSnETk9xjz
zHMxE>zrK+iTfpGEUd4syIX(t>?fwpqdz#>Wj!U0^M-%+kCiv}5@LME!gyS!3g5Oq;
z3r}%8CBg6Hcuayn!SP7FoG<*1%lQQ&=X3mdj*r#jvJQ@Wn&5s3E^z#gCityQ@Y|c<
zx74pkDE-G+z5DC%=Q%!BkIOnZ?rDPiCAh%xJDT9PHo<Rig5M&+BOHHO6Z|$wxt`#7
zgyB66>#xF<Z4^%uTzH=2V^?yy1@7<QxJSg%IPkf>4)?SBe+2jcq3-#2F#M^8_ug7}
z|3B;S+Zp~d!2eQ*-@@=ekQhp`2*+R61i!8Jd~6k-;&_VTe+3*1cXB+&@UH_N6Q1CB
zgyD_r#PgcqXEXe#fSY7tj-TITJzKzP)K<lX=Q%zGc<ufUj(eKmevV6@e@7Gi)+YGv
zP4HV7PVG1pzktyn1o|0H=x6vC;2W*e3$TuEtK#H-hK~VWyT60uo+h}T<I?Bf(FDJ>
z34VJM{1yow;rPp%;J4M|!V?^iNbsjPo|52qay-Uyss7=-CivMBJk0U)o9I0X_yB6F
z;==PB9|OF0e+S1sO>jTQrO&^k34Uu6{PrgJEfPG!@s~BhZ>z_JCpaEqc=}X{_+RpQ
z?Kt*uyf)89C@z%?N=z=`*SUO9`+di{>z+-nb9tf3`|sG~`mLK>zkQSIw@9u>)?I(u
zCf9GPzs}_aex1t=bEitguZqn>%9i7oB97PQxiG=mtlY-0vw4|cXR~wN?>ic<dp5c5
zXV;s(|Bg+r-@3{5+c&v>OT+a@!}XVKa{V^xb;5UkozL>DAC!n)i1&lzcy|rw{VYOp
z>9|m0;{w0V$A{YQJJwzIY;v8C7fs%O$0pZr-Q@c1n_Ry|ay_!{`pY)Cep~%@%6ER9
zk29kG*#z}JOQ540`roKF$m}Zaitw^L4<?%XQin{;UDw2Nz6RMD+|3LHv5aWiDsAF-
zros5ELy;*L@jlbNfcKei=E2t3TEg5rJidt!TH!FWgHT_Yb`(Zqq_pbIy(W2fLGC+Q
zi^UbH^OUhP?mqx49d2jdGS0|Y&RO-Mab`!u82&3B+eJKPb{+fGy~=2Lcd_bCQ`}XK
zwpgN(gkAK}oyMQQ&k(;!RzFQVY9v0Z1|Fxx%3=?BH}Y}n$KZ0y-I0l<7atsTn3aZr
zD>_~BhDO)&uXD}C=GH9HUjJml1@1~AeVe{h+tL>3UFoH+8^YS&XkX0Hs>`P>Gu(#`
z-#~K!q?`HB)iye@?R3mB23#{Nc~b!Rxs1DhCVcH{)V*!&yZuXV*iE0UgJ(Y_d>FZ)
zd}Q}4qWQ*@2+`Qg)e@5C6$ypKLmD%~FMe!$TWeeSvI#%#)H)_^obzLI{NlO%>dkwz
ztsiO2?n{sLyLtl?mzR4yL*a?5rY}tn7ViAO=g!C<Wczw|q0ht4&WQXHqOC<r`K1&e
z!4QQP@D_$sOmHL6w~Ck$7x{u8L7xQL<)|HK$CP%k5ti~=ylh_5`tc)w+V>j3hvCXS
z=vlbWiZ*a>5g-XczKruN!&-mQyzjNolK1^yNaOQl0<{!rkr*@ecldF%3v?4QWL&@R
zE87MAt;OJ)&*ATVru{SI8J7!r{2`f=NNL!_#^pc5xPAVqN9l-6G3FQh8~j?-N#pj*
zGaH!f+qq+l#JBN7`9#f)kvPM4Exl!0^jCy;eOVa52Zg`U(Vdo|3HE7W2(Jjw12)F7
zk3#vgwERAXNqEAsi-Zimo?>@!>|DUEpxCXF`(8n@+d1}Pz;313EgZXE$l<$W5jrBT
z$8O`;>B0zpNO%IU2*)l4e&0*^eclGx*&Mr6n8)vtg^85R>-Nw1tLSFo4b-Pv>O-Nc
zrFk~c&cL0BtSXBy7FUf<>pfBY)v(I#usDT`kV-njb{#zPIe6wx&7Y|fpUF(Tv{o&r
zo1-56^r$Kx^I7m$6*_y^kxaoeofd~%Md<uBw80hH2CW<JgngQB?zK2`^Dg|j*bb}h
zRuHxJ0+jV}jOa7;D6#%2Qg;O%_r#_TZlNrwa^Q>bnqR8*wlP(4xYOpNZ)^{@yG;do
zM#!Yi0fzzJ_Z+<cpUvO5E~EyTDERvrd+40-`TV@=13I6rbGWD)v+2dxDGiQ*ISsFq
z7fkN<rsb>k)aK=b*99cydmVJ=kJrjadv-(dc=?*VuSxm%`|8X0DtO(Mwer!|H5L!v
z_e*>~`Y+INT2KhBHnc2lqd#>=HR6_$?Sf_QR4iVdR-B6gu>j)b$$n&Fc0s-^Omrf#
z)OP@-RqplaZ6<?S-6_QD&bwOmR&S`Kf2dd369}|-w5ttDc6_r>p=r}}3K7BO@%ZY>
zqD2u_7VbsC%fbuS!9uIDh*+&WN0y;3P?VK>%|rl+WE#6zWW$nOruW-B%l$1Ouf_0&
zCgsBS%hWnZY3Ty;JE0hg>l;efxHldNbRVw+>=PQEZE$_t;2y7%-SDu-fJL#amz6Zs
z`;zaKH!<g*K%^S1c@KU~<x^L8?;Z|bd(QP2?_Alr^F^?g{%gj>MAz{{qvi2(&$>PP
z>^uH1@?99AblXpj3rB!%k_%{#NF74PDs^kuZIJ7Mxc&)jXOEsmb2G76&Q6hPQy@|x
zvMK!Y>GGzQK!G@f`*h%Ie9nx@-Db8})hca=Muq2RR5O*Yb_UG2>;BgEcJ)I~<mC3^
z>PXk}_ML^3_vfB?2#0o@?Ga@0sqsnFuz#QV=*!$-%P625n(obS+#{2xUho*s^E~Ey
z3oVm|=Tw0*vE2s*^E_VNL7Rtf8StV@A{)x^NS-;kFHNE<89+*`OWf(fG>jZDqRt_W
zhW4b<qGZa)COXVUW4oe5scAK+%;BJ4zp%D#_oCh(44YMkR!xgq(QY)FJ0`xc_uhls
z4&I9oyvgCyD+FOtCTnwKL-$})<u~_)vW_+x*w6%p-sgA|Y;P}BzDPdey!RJsKfDVq
zp)X2fW7qL0Mu1oy&_{s2I$(eR0~@h*{c1-lZ`XkB1lTUtL^rKHd4fkJrp|m8%H<fG
z1?X8f;Wu0hz;T#Gf1PJBeKVMHu|*?ek?84`)@ltD8!Mp3|7xmSrA%S;dwqs|#}<$6
zHTb-KqeH7z0>|}wqh__NHX04IYP2>}(C^ia9bY_SOy~6njdrbAF$Pn6d6&kd*S9Ow
zN{vRXvZupeA*}yOIBi!cp+b~;ujA3T*}eJ}s4}Ir#>n*+z1RNsM;u<gl3W*M#Ww2q
z@k(f)E+nRO(y}nq;wn-LM+0qbvb=$m5B|z{n`(RP(Sz@X98-56eB=xJ-o1Ba&pr4k
zPE>w}4fONP%A0VZ@@4WN?}~#iO%U$lIc>R5bCdp~=hPtHYdkE<#RDh`*YwgTQA0x0
zq_*6h5u2x9l*=S`_j-HcwtYKii>vc9rSzgZ6*y}ky-;%Jvb}Sm;a%!fzBd`v`Ldq!
zz;JI*cfsfE2_!6ua-@5kPTsyUo|(<tS?q=)@Xvr|wh+%kj4_OOjA0e?l~qG8?<7vj
z)%+<sAUF@M$-re2$*V=SXSqctpZe2o@c_ZB-rs$8?k4;e2zs&FeLQzlg~jBd^pF^6
zvOB3BA&cjcoY6T7ymzA2hFu1_rZF`gJP87RoD_>?{$z8B3_19iWP=vceDv9~a^XIc
zKM<sYjIsloyuqwp{mI@hT>$0a1B%#w*?_`gi~U)c0h;5W`;hi>U84_t(~*LYHndb7
zd>k-zvd9JEE_XPq>*p`jjRlX<@AI23yl91%$`>FVlo#qet=XU#`*F2{@-kMt=v|-Z
zT~Mr-K4?E`pzT3gQ*AV*8t-Z%1NVLD&@;a~@Wo^Bu)2;#+7j@{3BR|akuA(g)fgU#
z?<5sxBt4)k#=W@X4U|AM2qsYj$$C2N8lASI!(uV1jX?vRUioOJOQ-RK(`vb5LD?Rf
z>^uJ0xg^xc-V?j$4wXzzVz2O6H_{j={Ca}Q3yTOz<CXCH9rS+r`j{fb|CNj_RKA#M
z8dHz+fk*U#ce5-Joh*h6{ESD@t7YbevCl%fqfCQuF}pOnR-?un(P)0Oc6m;ozHsNa
zZF6dcVooNvIRp4Fm8Y+}4hK*EVsH}4Xe_n&LmO5?{d&+El8QKu5*yDq$)d<=k-($-
z(0Pl?+a{JKl;;K{0YEfZ+|q$D+Z<QOo7e_{YtA_R^fT}e$luCuZ+i8sZ<-~4@Z8SR
zWcXa!zMVVw$ttgsomQzFP+WWQMOVr9@0VY7(Z$y)4r~zDWDm%4XV5lFW3{wrtecH|
zT$1A%H08AnnmQkRsN}Y11$$ONN`tsH_X{&rBqQ$|6YCmTP^rn-#TA4s#<zgveC#sO
zfUcrsPNSo^g=(JH_gZ@+J-Y{ekWF+j8Y&rAa9E)*=a>86@|IYSU!zdq(8&u>HAauD
zg~rR7+H3{L^7z%2md5~YWxH}zV#)dcdzPPGdU}}^n|v-{e3os8cXpyBsh*DQl3{P=
zi(j@A2;R)z$lnI%tlg+svIs@N$KOu5FH}zMqg2eO9(ssT!YYBt?@svhE=r3H>Z2JQ
zEUY$*lq4W)L!_imKGwj@Mkrv~*xGXA_us(bbGrA8LelEB;)~8$*}1msG+}nK@|-y}
znJvtBS;vPa2L@>TV>(8BmaT;x&F9~BealR!;wv9GV|@wN&1CB-!=#>8juqF213+8p
z`2Lk$yLRotpIw15`8iW+vWrny?yWpb0xu!HUb8Y9d;d)en^Cl9<+3U@m!H1_s5y5X
zDYWf+VGL>!?&9&Zd3Sliv9TRln55F4spg2VaEfZ9W64+W)%J8VBA**O7Ek-O<yVg>
zV8YU?4)03Ny3*d`gG0xrqp{he>RhTj5V_*2sWZ>>xr*Md<gRO0c3iVFDe?@~5W9h1
zJ4&OYO`>w~6~OwCsf}ggnSm5smUPg1*GXpn2%GqaWX&R_3A25NCStNXS5{uFOpNdA
z88|W(iA)_CNQ`G~w(NK!E*{mXl^4%ezD%a-v9o6*FAy({)-=Mu6<$em9PMZ}gYz6m
z8-^s)u`umq4;*GDo!X=h)3_{PNMq5Spp#XT9pN`zcJHD4M^^lUJ9A%s<h=71mY2z5
z0lRg3w&f?21`sUQ{@gt>Tt<kmg-I-4q!eTHVrLzm;&?aUG)EG&xvQaE5wx;}Hb-VU
zjNA>fK4RHNjTy1!nJH>}Tq^PN#E1d13*1y|gZN9jV7s=(+@=qEj5`)wMbnNC<KO(;
z+Uw8lEC<~A5w%i2CR1oU`S9$RLQ(k?j5Cv;Q9$Z|?WNwutf{8QAmtWDX!!!vB8r(j
zLi*Ig7Ub!A$=S@~Fqt#V3Pj6n=Pgkhe5D1{GHzVm3%guCb3UF}IBR%dpDSe_i|;<C
z9pu5^D$YKTo%W_9r>m1Yui3G3&8}pZx9IercjnYpS40BcsT?UwoaB_JGL*3~R$ud2
zR#Xd#(DSks9T6O8M4BJGuDlKcII2-ui1L_bGUl1VluWX!k0YP2JC{NCD;sS#BYZAl
z$Lm*wFFQ?Uhr?`gR*xqOY<z_>c%V$T(lSt8CQ`!Ku@~B12&K{5mb5gT#PY~n9+!`K
zL^BPI;VrN{!jX+6Wj;11FcX<W)iHXA$j&4~j@e9Q=kC4LA^U@G>vVN$yx}zd@Ddrk
zx77>NwP75D>h}|&+PIyL=WI@)KFVg~LC3eW>NN3Hrzt~?c^k+kEtzVjm}(qJ6ORqX
z<+Qqz!q-r3Cc=>&yksA$d>3CKmWi!bcxlM0g-uMD$`qs=HZ;*xqG;5owQ-3;AT;u9
z>^d@UONIa!4phg6uhD+r=PK;%_bksZ+Ivi_t6Or5rO$k3woH0|ZT&ndI}YpTSF`>;
zPG@Ag7L^@Gag_eQv>L@=(%ABfwDQ-`%QIV8mI_~tUt40bOCOY3jXGawbxO=CwH4}(
z@DAxJRrpWxIIf#G&UF)BqMHDmuH9r4fWMXLEHGbZB&f_ig7_}+O(bv0I)mrWueINR
zxXehbJlI-YW?b+Pad>AkZlCZF?N_5x%dRxos+g$X!wn#<qH3ClGq7?ImnASWtry<j
zecNq2e*No3(r0{wtEC;YD@!Z8$MAoTUv<^^Er!@=rZAT^kM>Ut73yQdvV6E>ThifJ
z7?CV9E)d0~pUt!2&Nl{yT|T1?-_mx*^6FWN%EgMa)ali0mzS^Fl}zrsdTIIE)wFQ>
zg=d|0;mMy}f5jEoBOdFu3utzr32EM)CLN@cYnqszjIYcsB12^?<Cd(9hj85tDf`AZ
z*3Kk>U|Tyhn$}@sZ$WEP>l7WWW_$aqpfSFs{|I#c?xO3bGovub3i43sWQDKmU_a0R
zYC#3EpI_dzjWrLrTFSSOfU7C(l!}BIKJly=XBZ<N{P{JFb-U7Je3M2IS0NdT6|Ty#
zNdH{(CS!9GOZzA0jUg5rmNdq<jRZM<&1+V0J}JZL$zNtFU&Z-qj+${<0qUU-y=KGR
z#k$651w5KuD_=z`d2S05dzGvX+^Cgjb<$DFtSk<z7wC1f#35GZTco4$eMpW=849qR
zUnGYHZHa}dJ~^;On+930{?tp26#KSr)_7|fmbO)M#g>d4zk<athCNZkvOeJ73T~;^
zW1KK5UdOp40g`pVAOQyJfHDEf9N;Z%T}EUMa6?%0D8M{O_4@YoASw}G9<I&r;L#9C
zT_t&())KQRh2c2HvdAyMaRF*^5sr&++z!X>a9o1pQijx6I1&II)4y*OA^o^yBK7!d
zwOVcnS^j5s5tBm`k(=8dzF(#k)Y;U(V;6}A6d0EtCpJ=A-$bXnM=D)4XS_80m4VF@
zHQ~xY)h;|auC&ohOe>Tn32IB(SF^6Xb*k;*hpV=f1{=#yfM_JzSH`J*C5QHI=qtFc
z>2WKIjyrm_(l+5`^2h_kOo#N`UeQJLqEPQ!H@9f<pZZTrY+`S5<)>n;4}DmXOuewp
zB|hHeQGA5U2792aK6IRwwb=~A!a>op(n#Xm4oJqcPA>iOnTBTPg?__FDUW27YBnCV
z`o46*%7&JXk5002XPvo&4KcJl!@^E#>zHYpN2R7TCf=I}$w*Xe?xt7k+d(K(gvE|&
zE<y4RDAzh1E?qP65!BsLxxM}2kIOWUxMyR*k#!wj4(K~N)Vqbg^B`*DT?MnONu1O5
zJwhJ+;;|JfV}5G3UF-=!hqV1u`Rz-<LpQph>3qwL0#emVbCI2Alj7muoefG&Lv`uV
z#QgP>&tv<A`-}m9h)+j)qglJ_$9up4HapqG0>*SG-+=O@(B)0-2J5Eq=8?OlQx#kM
z@+F9w8$g^)ij6ibLt0o7o7lzPQ(c8%DDM_cV{>@2xp9ow>1U{Ztar2A4*>8r3Tsb@
z<r4PQo2^@%*j`<&tYD}C$zo-$w)VJ!>boWJTe%px(fC3}6q3)rh2>q9XIR7;u6-A1
z8)u^l4b{)BA3|)d^7WM!+_i%!;A;(>D&UE}X`Jetf|A&{e8O)cR<tuUpvVm;Ul|41
z=&&w)5%*)#Vw@=M9SJ2D&nge>1y$2%JTqT(xgcOGQ8alMyI{a>>E89?*=<+v&QN7j
zXoBc9CqXjk4yRi`f;NctkE`FI4exE5cc2#6>;W=1P|tPJmEl&Fk5`2>Rg_sWWjwbi
z(J+-Dg`y;rELnpE3cb61A6eVk>DI}0e(jFck6d>9j^{vHKJSyk$xvuA_{qwhndhDp
z+npBptpPgS=uF1%X1XLcqVW1}K^hixtOFTXOQ048xMn0a5$1;vS~xz#IIC?UBIdTx
z;($RyKN$q^e?|^<I6CDTyZYenPk(sdT8Bj|*O=6+yFc=}acDF5S@Ujp-g+Ni!GrIy
zBwVh9<vkF)>~FOFj6r!Opgc}V`{Cp_kqrz;V8er&rBK9lmSNOxXjLPWK0n`RS)+}5
zopp^iZk_|fz-)XHLYmn4lsp@Rg=iPq3csfLVNt5UVq@(M_pDJ$hN8ie5qecct|VkU
z`Y0hoDX-kWUKc9*dQqLk%b8B%Kj0{c{!Ow8v;<n9C;tz5IPInRi{y#_8@^7M*i-W2
zFG<MR|7G8&%7yWsfDTXNVBF*~sPMGV8R+>RJ46XzHHWgcKwe|<=xy1Mnbf!F9|iSo
zg6fQ*2Z<*rwa)$PzEX`m*}!)yu|ct#IaCRcNU7y9lqPr#r7RYGD_Wrp3fi{kYc?Bt
zpOW3@q<A058waR;;Q2aVA}80^#hJd2>Y}Kfpp)5r=A}LzvWF4kdOa)G>&4MO>+o|p
z-p6qGJ-(0R6GKkQ`vQFbqwo~+qb{^}OHs*f2%`k^<*nIUTDiSN6l?-K$6C5RR&9yx
zaDoWQH6v1_W?~{nGyAzONo>Dx!sxUZ+B=P1p8lP^UZr<6otVzMNJv;`CSVvZ2j)X_
z>bJi7ir21&+GPr5t75LBL!mNecFjd&p8g$$z5}Cyamb_wJ9oml@L8828O;UuP5cbB
zGdGGfdiJi5`N{QrVQTnmha<~e&ohpi_^zV7uC^$XQ7xpbs)f{5PnI7ffoT(AQ^?ur
z%1_2$v~RFG*L(Vz1N}ooNANQmSH>6XhQjEbQG2jE(24C4zdu}gWil3uv)pO;I-q}j
zjxJU699@h$A84?aapwE@8Il+m#`RM>a0Q;FM>g&&ER}W|6S*?YFZVsyFomp+YJgeT
zM(!(I#>`Wg>^}m@{qU5^+GgnNY_a3?RO{5=S{=Hdyy?V)-AYq(w*T9e{oN0qI5oY;
zjt{YY>|dg7)Jx~B4upie=>EKGP%|1O`Ip(K@c=!>Mf*C_Cc+u>M9{I(#K^+;x#`t7
zO;b!VS%i?0``$(2o*?rF#(_AdBedCrsp=WbQ)GY+`&pX*2oZw<Egf%&=zK<nQlahW
zj1Jk;b2D>k`%tt~tpUvF*M;A(cKP<1?U!S8C~g%N6p6ue9((MZ!35||t?@&r(D&d!
zao)zzm)`^Bp9g>6W|?!t1PIpwB?6S{fL;Rha^T;Z4d)0jCvv%K{T#^c$6?Yh=vfzB
zOR}AkgK#v%af;7@lv8XDB%z4K8IbYUEpP_QL<aL^HCqnd4)dI+b8LQQe!LU5CKx)w
z1-(`0v5dr2`cAz{(W20(b%ub)smadH%w{!CkKfqYp#}ca>#-5DS4S&It+GVD*L?4L
z*Lb5Am10q5i@)SFlU<{LY9Uuh#n3AYf<j|Ao%WKr4GW8kYTJA>er5~4y^*{{EKR<p
z)<*7m(}An|=KHQb@TPnA-#9WqawC@i<n!>~Pb&ZX4*Vz9e+c@++wrp-`1Go_<kO3}
zPcN4E^jiKEpWg51_ap-TsgNz{GYk)mmHPX7Qt?4oAh1#h4rg8QaJ=7JoKiai1*b`E
z_8H^R{#Y;+GMkDvSEo1U3-oE_?Y#wmF>I`kWk01cxo4V;Wlep0**Xugb&4KoP<z#<
zmk<o%JoV}&&UrM4-7>_CmTN*CpIBfgpTy66DY8Ff>9c^SVu#bLrQclnHJKkNUBb6u
z-ux|{H`CaKFr)Y9G}p+A)GpMd4(v?l!hL(GeW;VomNI1LV~dr_)$5x%Z6wRf2cX%4
zFeeThZ8{w^+q?JNd<Z`yX_9ojpnPSq@Pp0s+3+Mo%}0U&0RoK{R2|QLh*<xw>&Lq4
zNN8q5A?v6_QvICH?XYz$9a>&KIA|<}I<!iyLeZ*swilN)R&BdVqgE^R9^31_2c^0(
z6_5!Fg5GxdtE?K?qJs1OnT`B+d3OR%tzEzG&G%5&u>OO{oxqPrSlo1}_GY8vbFUbd
zy{m&tI9Te7Rp+;>ENVbTQM9$#y)A8e6_`9<*V@@?Qp@G@g3wjm_U3IBJAUWb&13Ii
zZC;4bea!o}*yiC^8@72PYx87{+m1B!%)@#J<x6c@s|!%MOI+~MrLSA&!pjE_wwv4K
z?UuIv2j&EsOn}q&eWe5NSB~K;e&%QHewVA?{j-Ywsm??yWpMR7e*9xczsrzHB|4u%
z)js?qy2rV^S$UWqQs8>XnpZ(9YyV;fb5fDNhJW~(&wZ|9hdN~Pz#pkR5a;jxHoUh5
z<+t!&Iu0{yBIfBEi8S=m<sai`NCj2)vpBbT{NMCF2_8@9gY>(bzSj<aKFr=L)qQUG
zUZ%dp)PsV1PU!ygo%r?dghl~!7`#J$Dg*KKpMiIDBSd|f^AHL5F%&^XG=aX1q#_uX
z$eT9emJK99F-Us{Z6)Akz=E`QFgZv;Lm3nQ6)W=7dqT)hH7H_^`6w-cz;n`dvdms$
z@5s=zC_JMC&&t5D{J1C=kJ2k4I2&Uc=aM9=as(zrz6cPLKv+yNqTk@Dm3_5P*g7}H
zQ-ZO}wd068KN@mn%))lTQgS3lQx<oAJY)ecp0}98Mq|Qcjd^r~IGi8uaKzolxW%0K
z>RmHhlbCVYsGYv=zFD0yFtWFoq>a$)rtiW^tr2JSS~2hPvAsk}*BC2bH+G2rDjJ0F
zhiDz;+1~FRG(S!=-)vPA-)!8(H#=YT&0b!9Y8ixMXq5Z$JE=@e-`5X+K0sxR2H)%^
zYZfgZvD=vR;VTdsD-22`mhu7m8s67oGFdzKA6*_CGY3t}kIG~+ytwzJFD+)}il0=V
zu~)~eH_<*mhW?#WHuuL~UVh)U6HBbD<YTY$_9yt6rvBKf4gIl|2y=gIE{}4Ja9dM<
z>{p%qG^Jvy^~4EA3FAE7PYHkGw4RNP{@Cj>Q*qM;)0oxzzM9!wn6rur+CJO-NrkS@
zpQtRYo^{sh(#&N8gEKHLd}L<Z((LG3nv8Wa%Kz;^g9e$AeRElf?<+Dh`H$xf<GMvI
zad3wjPK$z8%S1v<Nt~D%xU7F@0Pk7G&wNB5>W#+w!g@m3b7a&+0v(4RVYKx&rA+E~
zjp?onKpACCC|O?KSEXX#3Q)1qKmu)>Rv4e(2(peBjY<7qoA9NBNe)~t=HAu~Gdxt&
zI&bUyGfN)7r9U{fqWJbVRonW41yjT}S4=Gp2K<97YM(1-wC~v2KR;*F=PUtF`LvPY
zgJrUQ6^KkGd=%)kqhzD6_4?Q{s;&B33-!L%JiAVS=NX7Fp{&u@I$X6v;GZOBdxG*a
zmzU2{hI*!BiG^Mt<QB-dvp)UAfIAy77y?<fyKhI~n;@6vwiR9e(Sw5n2O-fB87X(1
z;mA$I!CdShW%P<;B<iI4geJ+fBw4lf+@%_N4YPmCncSsi`3A|zmB1~568Ei+aNp_!
zd+<&BU!55SO-k&<Tju9`M@Alg_{*BHzG%s>t=Rv0ZzPdO@p=49B)$>yvbaa88ZLa0
z<9UJ;kDOBx{2a`|NpvZay4@O@yN%T5-)hrxKw<1pLlc8f=xI@q6cr0*T3CN4%O*hG
zLEKD1>}hnpP7B=ky2L!)VA^CE6L7@fX$Oh3-JbRtw4RjP-yd9_on8L;$L0R{uHE~b
zh57HcDu!eV=j3Jkhj$gsfl%dhLVrTBe}8uWX};8Luf6a!YazDoxk;vhb<fXvj8BX(
zlYw|2+jQMyVq*{U#;)_c#v6NHLwRbR*ZQs<gZ|L)&P;Z~9x>;<1Iukc`I%yQBG7N~
z`L;uf+JnQxr;#Kc-3HtIT>s7;PGh&rNB61$oi|WfElul|#8Up4@KN|4q&Bi&LHRmJ
zUE?V+SHTr@e+$jj{YT*gP5iD^jW*!_q2IOLZiLVI?0C(xFz+;(ob{iRAEkpUrTIIj
zBCHG{I*zDe9QhdZF+Yl<war#DToQ<{^Z4g+7kHKq_y%XejaE9QM!#zuVq<iV#@MEX
zwT~sFYKK)raJV{Rzv@;+o4R8X&z3G97%GX2p-j)*n^*V{4%6Jrrx#`x$w)5HIqs`e
z7imY^wlu@(*h)fNXSb|dQ)nM2U5n2yeAZ21SYU+s9P`cP;nlOxUcK|1IMM@?Ob=Of
z(CPO(-yxF>)9d4JLzV(1?xXFBu0?4-`8|t~Mq0ceuDfL#;9>Ot(8^l|Zo^wxeSa(d
zvcBdkaA7ufPl>cYR(9^I++-zAe3fgf@x$<Jz9JWf$fLNPMW*3;77x+0RM$hoH(^Zf
zrg$1XTa~%-)A$+gr@S?pTk3_6>im@RqMvePdHI>;H>xIOO!~8*AR;%D{mjC7v`sem
zQ|3*uy_ugfZ-(4YxlsW8@atc{{Ln+93^)xPW*Xl=cJakyH`c^J$r>2{jPgTG_KU)}
zY(*2&9T-g-mqz0Et3ilwVKPenelhp^rHVk=gCE?vuie@%SLxfc#!?QPemmPWX1n@a
z;Mi}2(}BQr@YU1fa>cAN7^=LBug_m0+=*J&+bNoR`Z6|=Rs?JFUw4kFU>R`Y53n?+
z&vcV#Lj8B3naw0|UOgRRrSR-T0;`@5T0PW*f$n7x9T(iAU><qtOP9YHSNvq`t(k9r
zQ?xz6dgMWxADa91N)}wI4gGp;oA~wGm|w4nM)P6&K=`O^W8wh8{7i=&r7=omEaS9L
zv#S-Vy5zv-wh0Sa^PCf-W{0)S%o7)qMG-MVY;2(TPqIeB2s8dHp&vI`>Q#-FdR3#P
zUe#!+SN&T~xKfFX$0Ct><(jFtC4M3MJmvfB<28@mZE)O{fpfr@p00W1{txXIv=Tbn
zz-n#$ADb?)ul2+`WlEtv9{Lx}7jmdS-oBst|L%v&8)=;xMC3%0+CBEyEFo9UK*J-}
zkE$)?5ke}pgY2MokQ`dtBu*zU0wb`q&i58`-&=CVJ#Hian#b(}^6+$E6MKj?-s4rB
zc!%8KdSRQ0t1D<#yc2QVl7h<Hmo~}s$=z=o4YVBCvO8!eH`p<gcCD^9Fi4Q<!XHoE
zd}u?X#N~4;GF&v;C19A4lq-bxp=QNk=En8K;G2s%)fP^*ho1Q#=MHyx6QPKf!j-Z#
z7l?37b>i)UFS&s<M0-uGJkR`3eQ-Ie^DUgcqU>}f;V1NgXQ~|lQ<-E9c<4g=H`hPI
zI~5I%v`k0Fa@mSriw}@R4RUg8l$~j+H>iF>ENH6^tRIZ--h1;w5b33(%qcKP(Y&?7
zexNywu5O4KqG}wun>GYqs`c65rRq*KOFu}80Uzdy;%^X_1BK=Sv(Q@=mQPeRu~k8V
z*Bh%4uP3S(>)p&xL)FxuR$?mF*(+6fdKuo!q-o5?j1_2$5vqIHwxJ)bs)?VzAobIi
zc+m0|T3{`-AbK5sdzx5hmM2-`1S1V7OR1h<2h|e<n)uGDUch%2bKhB>T9J;(&3$K~
z#(pi2g6b(ubOqz~xGCfE^+YY^NRQ9oYY7&{R43lm5(S0F;K5Np&G}hXR=JF&jQX9T
z41Fq3Y%kD&wo4;iHlemb&qLf$1tv%ftXpBGYPJ-(JWWE{m_Bp=&b=T-6D!-^r4N4<
zR=btI2B-Y~sUTKW>|aF^ddz%`Y?^((WxX0400k8;m5e4*t({EyZeXhtBc%;ANqGr<
zL<0WIs~5ZPuA}npSH1kJUyUp9{dJViWWGxG?(D!{13H`e?W&si?bdvBmE1?yAob+s
ze!GS`zg^tuw_A$T44iD>yf!w~Vb{nztm@HSZ++F;NV~N|4i?V-U9Y-`h!Yo@lO|Kb
za$)6{XB%Ti_;>c7K1|zfKa}NpD*w=RRHoS&#o5e)L9}v@T{G)3R^DUQ+gb>P@1B*~
zTc)53No_8)E77$v(>b63UHei0C$c7%{gU}4>_h;GenG-F(L6dGJ^6pgGiW!$XaV^1
zf5AtHd4$TU9-;qxK0}oU;zW}*j#Va~&E_+y@VKB0_x*dWM8dQ^QF56gPMyvfF}X?!
zI}$|SBB);zN>IO8AJeV=>wZRt1}?1kJNnIrg^_wA2?Ohh<oRL0L)&Yl=3`2AI8N4H
zmE8CBH&lnAsp;S8eO`8-isB)_AEoy_R?`&;uOhl4p7#n@bs|)MA7}b|?Rs4a*D2k}
zbxJYxY#si0j`tEA2_&8v{t5WRrqM9k*~|hj@zm%=dN%0xG981SN5JWYvk=#VXX^Ce
z#Zp=(b&BP=t!sgCB4YY(EX3#g0%xt-yTVrQ;A+twahTe5rlO}XlQvo+d8e;8X7Thb
zb@{r3hE7++vbe__?ozu;+jINQbLjm6@H$P}Iv}zkag}ZFkSkl-^|}tT)n%||d&ZOb
zT|@qHTXHby&c=c|<DqGPDFST`^@A_|`NC}|g+`!HFQJ<oEN$8iCC_aLqea?Mr{S!J
zX`s3HDC1FU22j4AnaluQWZ|)M9n@SB<etUb;LbFdQAVp;>I{YznlA6gFa*#9?xNlU
ztV6m0Sp`r>7o!q4?7@%JWh`icj<Q$P+S;Pi?Mv@Y^vdOO84kr-Re<RCrFJKK01<Fd
zScaXIR<fS+h(}K(lZn7*_enJtM)X#}dHgG9T$fp#7zw^5*ChxeI_t@w9skOi*HY-M
zU0v8~jtzt(12K~+HV_F9#LT6hT)w9#pX>QpE=O$<G=|hN-HX<bX3!ndmiI#27@`D-
zicQgl5;PsaC_>DrHVSO+dinv>23VIk!Sb^p-0gxhvBCE8W;#HbUuIW<-HeIM5C@E|
zCbS;HFrZ*^2K^TrtC--Lr!t2huonEw)J(x;3TA9Zi#gik9|Wnb;P9?y+!^hHu_xjm
za+m}2(eVDGI*mEz(Yt)1WVe6Fm0b%2GR8ng?Z}QreZ_P{7h4GWpcbb4yv0n+m_HDS
z9qJvqwA<os9d8Rc{V_q~=yPj5zL43KC|25?w)o+qb1>{kd3B<0HwpdwbI_*SfmwwH
zNlUw-9$8Hpqoi{eYkl0ZBaL8X{`+a?oO9ZtbIv*BO!@SBU&`rBgE>`w;_YvL&wJkf
z_7kI?k)xB7N6Kz@`N-rQ*HF1{8~nLnxEkIvCiTE?LXAMFX=QrNs+L=zGi<g?^rM1m
zA!5h2J1<U-*vmJL<8KvOEuAMnKTacYBm7w?zYC2>*Wz{Wa}mHLzR$t3Xw)Jlbh0Sk
z<ZYy~xtfHviy_>PP0{HK=A#3H(Q#)cx~IH$EHZJh*WP3MWY_e?hgTw{$&@#fEF9mN
z+I!lW{epaot(~B5J_WSpYkrnKLW-{mFI2Rl>X46(61q%vMd4#sN4~$BHDhMnqE%L)
zb;qffdhq`?T<(r_#$5}&eY2+QVsCyTq3_Q}$6U$KT5o(Z?;P%S<-#Uk@4Q-T^XiN4
zbh+rv`1NJIH)+chgRbsC3OaqHZ`LSpam0$g_;|)f+MkZ>LxB2jLq=}LV++D2<0&Sq
z11@orHJXfkGU9h7TX?8wgj)sk0`wJp1x(riv3ON|VR5$dW31b^x?1`5V=_Umwrf6A
z#ILVhJo=$$KWU$`TaskIgN^u10)1h$Al(zYNgbGZ9l#HmL=4}!YKe2dj_U?cz}I<!
z{W@IE$2z0Vg&tQvY@QwRWn4)UF8@_$NxNdxMNe>GL9MlVbVY!}Mc?SG(cr}SssB`K
ztX*^6-P=np;BOY_|01*@FG{boT5Fr`X^CxMwf1dnwWci`zBO!Kabv8`Z149+$5*r6
zbB?sJ<n|4uo!GrSvU1qnJsz<}-MYR3&$PRBN*!LfXyMS!J0lTS-r{f$AD<5;PCuNU
zE4oLFp}e;|9Z4NH4X8>YgueiFp+P07K5)a5z(qDHhz2MXi7G{+wu7Amw%pt&w<g9i
zl}GWLdZ*$B`JUI_eD&y5e)`5+->{#|KQZ9jW5BlvDxe8;T0;aT?S_)i5Hhe@A7Z|O
zFwwwqh)yqVxE`ff4a8!>`C5dtx=96;c9Oh7tOLqu;sTbN2RsAo#G!wr7D`@|FJTE3
zA(v1jKAN%VY#yyC>M^*B^Vl2cE2R3Yv4W;&!kI1m!+BFEr?zK?!=6IIr<U8M@}Yr*
z)s`xUZ0V@CU9R>-a^B!j+K$g~4F|F#JsDTbYpZ-|DCbG~92)yX(vkG(k$|GWqlbY<
z9ksT_wNcuQe4gm2=AvyYB*_S1qC60%NH%vEYJMNwSCVt(H{K~v>-3-{25rclU$B$r
z<rkY*bmeq+ej=P%>i0q0!^LRoz#(I(+f$ydd@Ahfwm6+5XDo!1V*9E#JSub4&4m`K
zyZP5<Lp`l;D_1#KiRJ2P>HJtPZ<XqBK2i2ePxtgrPxsmb0lO^_s7;mE-+J3sSKW5o
zbzk*+y?*j(px1{^+XB5JrD{s4mQhNh60?27i0_PWP>fu4vNLH(Nc1Lym^_O3sme6C
ze!lm1>%ON@82lNhH&4!{c|nBLaIEr}eJC_}WW;mwmr-z?fG>AkPv(LWl;@{V9xc4R
zu%+3*lh6KUJ~}ZH8>Cy@k=xeedeM<1FLL#4%k@uB_rph>+Ii)+x8D1{w`{v|XKMVK
z+itu3^4o3`<q#r<{vF1eR#a#*)^O7JSR<nn2&R;9x#ONoQXq5)b}DjQFWPS4&%^)!
zWsb!3dGnFpq3DDo8{a#)b|gG;pae3<eRVQNIxmqqU>(S04nZj&rQiKP>odRy2wkZo
z-`RW!*T?DgLHPbH;WoHF(Sg_){mK8WG5Q|4B|eg=JdR)1Ga1uM$7pzWiNAYFQ(bF+
zg?^t_BP5fwrwE$*H(C_5e!k{%5?$=m&D)r?M@!q=(9G=M(9Fz`Ef}=HN80YLyXBTE
zue{}!>%PppwuE*o3ZT=rK)XnFC#BlJs3yB35NhRp+a{KYVX#1AXN{$zy_*z__H8=n
zNDJgI8Gfx^7z~v3zgEK>Eh!Lm@p$F)#o61hIr+<29QPMzCy$MK`C4O^j#rIqjgBph
zuFc2NzaKdN`~wHhJMTdM$VmUd$cXy2uX)XD$!GM6^Uk~c^7GESqPDge+F)(b@xQmW
zcrEGZ6=iL0F}*=Q@AzL`TTGolAMG26iEE49M?+(Ki_p(M)YX65%1odzp7f?u-A8xC
z=C`lr>ed$bLO-8Hc{JIuw&<t^E<!L-Z@QcSMEC!5Ik8JzPNYW3a>6id@WFDTM_f+C
z2P1t826>A!Uh>5!vUWt*6Q@27>xm(dy9{W&VLj1NwVmR1%ZKJm2gSOjgR*huU~|mA
zr-a{IIeqj!zy7j)+@8ydJhlOk9|2mzXh6DlXyh?pE^yb3|NW%`VWh6xnKVU;{;@fO
z(TRJe9)<NoZoa#)+~XqSXBX8$lCggR)3F?Q`30a~gZ$F5oY3DmY+IU&*0X!xaNBh-
zZqM9w$6W{DJxsPH@0p@?<_11J3T?3irBJRxcTYKGB!(8MLPOk)8)O0`xGt>|8_gR_
zjXw{}dX=*ywuDFD7tT(416@Obfs|9`S&6S5@)V|`-8=d`!I3>bji!&EX^s?q<BOFq
zxE+0I$Ka9KaQvJjnQc9u#L`7G`)*!Kviat#K(|u9+FFwthEQwM(M>8dC|_7+z)w+`
z;Za)X82ot%#u87{v4n4grDKVUn|?PROWZ<jFv(7xGaW1q#L6(3>>5f=WNm@+8W~RB
zSvQ;{3y$n~oDV3ZPT6<@b-IUsw?W(azAyy5+1pCKv%Ub=_tERUz`JjVa)YYc);{@f
zw6(kCmLwAqrs8^NYj3=jwY4`LthVXLbe-dOonQE;8#PVRpiLUvPGhTSY}>YTf)l&3
zZQHhO^TbY0Y)roMn>B0R%<~8A_3V4^8(W`C7|VC|$5*b-zo%z%meL>2OF_>J8(kG2
z2B$1sbm#mZuW!n4s#5`*Nh)37{+CV9sSb)w_7gmAN0XDs;=|UYsdUbRiaGBNhd11X
z0POZ2+<|*BwyZp_1!?R>(I;GC!$P*HLxr$9ZM^jH2A2V*@EVuEv<Z3J_BxrDU)Xu8
zRZ-3xw+VP1%uZfhmVl*gLsN7dCtcf3fro;%)Qd95H=|!5sR!YkKFFr`fss-zvuV$W
z`_@`7AuL+ydn@EYK~n%>DBV@ga5wR|YNhK)meI|x&)<nX>2hHUlN*p+<?t1E)}^z8
zv@AePe$}1x^ehhnSK{J4E$iafNiSDut5m+Ylfmbu47%EB&U(ImEP15lb@Y@7`}g?X
z#ATgKFJG_y8^H6lA+2sXt3<rhY5nMOXOK22DSTkMZB8~IuJxxRw{WjYG<UW-z9!4{
z`WEJ1#Vi1Jehoh}h%)U*qk0-d&nq!BweMJ>VOLW;e#h%bB4bP>i*qEv`uzZM9=bD(
zYgtLty-E~f?O4K*hjz}p66sKlGXwi;fmw&|bk6N?jV!}^xH?q--859QcBtAbHmFw1
zDSJ4t@@mBTBo=oJp4984I1t8`S#$sklmzISrd)!9VpTj^aT`qyI$hj?*;OtTE0$pV
z=T@#d%W015l<~1fpJoM%2HBEwBp3pkH&6ekXI1W1x-UgMqbW=a9x(q9ChJR<PLCxy
zVV3S69i+jmtq2%~$A*M`@xZ*b=FPCis@)Z9GFhXm*Z~s2S>!*%^WhSHAu64KRrX1S
z3M)ASZJ2*lX}{tXA%ba8>^{}OuvjqIc!Y+sh~Sip$)|jBSaZM6^O}z*4;!e5v7*$w
z3B^5_AnsGTaN=cN%zq2@6grOGTk70{xv?Sm@^U6DAf)CMia^x-d3whrFlfCksA0>!
z?WXI?(*&PA+rpS&@O3AaHr6(#VP4+dzO9<Lo?Cr{KZ=3hF56*_odasPu4qQ}vhH;y
zB9qz4KVG2u3!li>u=0zQp}_l17ox$;w@@e)wU<JuKe0T??E+Sg`eu$va1RR7BJIyW
z3b)QU?wycGM=ALpiJ$nf>@p(`lAa@*h4U>WUXrSdOSU7ffW(6b4X7VkIu}h(Z)`a6
ztP1q`isqvAOS@vw%-n~-0W0z)oUK5N<FQO^LXXM(+b1|rubG;ueid$?SR)JpUCjn<
z#1Rs=IuWFZtaHz@!^tKpL7fhu$c*^6K)8yj*t-j<-(H@HihtoImh*URM2Vw+xu0N$
z%(%P?-r^58RA#p<23l0!eV??v+Ll?dQKxv{;(fW_fI1IZ4+Hdd=szvwzjcF<XH0K*
zP>%#5Oqh?JoR+BQP}UAb;Mf^+b$9N6wN-3aOPSxcT!lJ0=rwU0oJJV7O<d$oQA6=Y
z3AF7^<#r0v3OD7)oz(^iF$IpCHa5SKz4laBu=}2?v~kDbsugf?|H0tHIf5UnBD?Jc
zA<N@#`ZA#5L%(wU(^Vai)%L*`RE38Yq#!6Uc>Lo;_V0K2CZgycOZbRf@J<v7*?va&
zRV5mgz`N<#kWCAj>*ubIEw+2yOJ!5YuK16O54bMfNpSE7U139aLDE+nJm=1R`iHb2
z%D26z#{oNUH80d0)c4N79pUb(g2xH8u9PjO#CQBf1MXP)P5l6M-e|g<8q-cy`aatg
z-s;Wfh_{2_M=z_5Ep|S|?_ICK9UaB)S(i&D4{*9=U9wj(CJ$6LWnEQwKraHp-yO(l
zz`(_ukLNFqy&2)13~U8p>z$iyt#CfdrLm)jAGH3A*IYS)k%1b|L6q(=HUmq<Q2XAR
z2_J}^1XWGlQY8;Qd1m3bhE>yUaY&;7(u;5-^Hqmle^(84@!X9#JE{B7vwA(BD1<&)
z!t*{R^*)_mFo!(A@!pDP9djG^WbxnqKFNM)xO|baT1AERvGfMcyB`f5X1?qSE#~pR
zFNkq2s#4w#jFKpO-<+$F@kDT$J;j#;6Im+9V&5uqMn-agy0*5U;K<jlL7Xn+sm~*N
z3{No1ljq~S%dO}8i^{!+xy>c(^BND&zR(VXZ!8$(x{EvvMo#B~It`eDyhEq-_e=1#
z^(UDk-eChG0rz4hbr{x?IH`=bQV-{`j^N(8$GwZn-y+MGwsu<{caXdINR*g9fEZdg
zbq~%t(697;-liCig|)@&cuEOqL3xEH6<9w{me{)q)WSlk6+8X?fe^Q*Z=Osk<qKc@
zJ3-T>C#SNU21o^Sr_R*ddw0ADk(ExXh0e*W8`yD*aUgAtqmll$S?+6Xw*;+)j0vz9
zV1QYSmg3@z`wb-#Rnaf~L{laKmCSe@R$M6J4yz=%2@>(s*mK?=s)qRr(n@~~wtw*4
zCkt&~x^K&lXF5@6V=MnQy}{DV!NgXbeRGd#wPKfpWl=ccT7MEV2W%$vY+%<3SxOeQ
z;cg);_c)+taRnp=ObKbL6?C4A&qa)@azw4!y$I|-HH}2R-9+qw?=uu~m*BfZnN~CH
z8hDSdTRlBLqTjBw^4GCl?;|n18X+?ytP>7j>^<(b|7_H0F3;`njKjz#&9L9zZGU-p
zD6qROdc2ZIoSq8?1x}&h`>W{3OK|RKUn+8;BweF30h|8XgxzNr@)n*b;4Nh?qNenM
z9q>X5tq;?!rA3jOU1qLc=Yub4w%yK)m$T(rt5I;A<l+ildNZ7#v4tdiAc>Vn&=`5j
zT?c5;;`XLoa&#FBT-VmNrbea~x`qN=Bvq|uA9zAET4=0kK)n#gMjjO`SQ2ou9APO_
zO}=sp#PRVQoaoQNv;D`p^$^N*4;xE=j&@D+`4o!qzj}_q<qIp;V`wf%mcq)%8tcM-
zMV%TT8egRT%2x|PSd<y5)(R#_txtCnwdY?To9Us78bihN>Dt7=0C+ewcAByL!b!&u
zH}2EOAeu#;q;JkuvCD-U2r3LRNU1KIOFbHT0m4;DR>8fzif1W;uqvbiJgLf<PaJ|a
zDj)T@IIT{?SI<+jM{KDu&xzVdj$A0d&aHUW(Hj5`{mA7L!vuMGkWQts;%V#Ek;K1b
zAIB~ZA0&B|_o-gE>e_#(ad6bOakpqc&WJNiuE39Vyh*w_8n>)g+WR$F!h%^Z&1Qm=
z&K1!;<TD#@It+A)36dXN6goCF1=yO?N53W+rWPd)kMvS)>vUJ;KPEhq{{ut64xn{u
z^~(o>y2im2Q!Syhhdzh8u+11J&e?)c!u!@FAf;0%1rnuA^rks@*|_l#kwPyj<KM3B
z?9^IIq1#|f|G}m0##6~ay_FcaGb)jxSr<)?ZT3-KW%<`GRS_MF(81Zsz3ic+kOJB(
zK5sL^tP!+!EnJElRJa84bx~UUVlS1^Id!-L((TUik+OlBF(~h>t%uPTAn~M7RqJD4
z?_EmV8p_YZj;e0QDwBuN<>twgVJE$#SexxWimFjUd!$Ero}>+$7@TV^rY=Nh(*PV9
zdIg=hCntssjI|P5K$(-sK3;}#6v-kxU!RE2G!(@YH(0U+EzL}S^)F<GfBI|6U0t-_
z;U0>!@q*S+!%7m*oa3e&1u|Kj)z6@={MTiv!)=jH>{4LhDZ#K(W#0af3D*+)^@7|!
z&ANwlVeR-noR!Vw($X%nQY8t{m<gJV{qXdZ`4M|{$S51iL#J8S6^rQ$Ecx`K2=~KA
z!*2l|NXc7s#temv<5CPOw8{iBi)s@pNy$^c)Oi)>$DJ5S0002)bTZnDZMe8-kQ8x`
z8viWLMBP{HNqJHo-LDM=m+7&851tj&#N@JDx^M@tGMA~+j_Y>PWNbP=z4rbpOK}Bm
zpUuS79U9g=)rpEs>4Xs2?U^!#j-+pxMqo-izU3jX39X-ytjApDe1pMS4nei1B|7rY
z&!-fba^EV~?9G_qL@AL}H!~oXHn^!p-Z-EVp-VKIVP=j$Igzl=88+RnW1Wm&TiQQu
zKe~|PIU+M|*kT&b(akre%N9)a?20CW%ij`X<K>l>2v>K~Wd~a3J-6~uS08n|{k}=0
zObj&4G=NF0qncdL$-%Q7{7T7{z<8`O0vQIrG%`xx`;Hm)mwecsc!w(HPZH0jLBByL
zTHeiOy?l}ktigT2=1#w{>Vp##=f-&{zEGm8_wVVf>RuqmxBDSFe_a=tJN*68y*<XR
z#N$K4K0iA#SBwnxdlJS-A660#T3jVe!cEz)=&}lFCBhcFX^raR^%nRB<E*_ZCekQ3
zKpZt(p(79cbPN)yL@~+;p8=<{--&o`cT$5?fWjh4y6cqj@OGH2VEGzX`0bs6urLhO
zPN&n9C_eXt3Zu@RBB%+l5Myy2jn9E#HhYXO$+VvjdVEQcg2W|lgOjx=39~BTTk}f2
zkc<BJ+<;~TD6f=*t}}Nnpb0x}TQ)7(6@2<#oqL5i&Gz>~hvs}{k7~-ocs9ywyiT1k
zS%NzCGjhklpC@A+j$Epya;7z@5#~v{r~lqXN%&=&)c<hBiQCTiinN&#&Kh5Y7k|pK
zEN0g_{e?vNty`AJ6t*t|?WK+Q%9Ksd0!yL~sZZI)Lxf~b#5Zec_TYRILU5aoP~w-L
z$ZZ}`$&k1M^Oe=q(3kI&>hE|yL0cWRZSV#Pr3<XIO~h1k-=R1{E;;`9?Vf;vS*(-k
z+q+vNCzt05wi%2WIO|7pv%ar;0kda;KU<TJUj&WF%P1;OgshS<O@`3X_4@_}^i2@6
z0cDL!23e7?Ci+mztqw@%Y1&%p_a3vyPJ<h2EL!Vq%uTV!G<#uU0#Ayf#xmRF$^I_c
zeR8q-d>FFVzpQ+~aU@XoF^Q9cn$J)y*vdYQC%@MZvn$+V&*Mni3{6l>JdR9og3a({
zm<dCh#MuI<+{741Y&5V|l!qFw9+m5s@M$BoZ(H$hlFp@qp9^1WbOQBo?)NEhTT1eI
zOMk3N{&+yLBsV~m%4FnoxjTL<IX^@yN_soUP)$~FNgA|vG6l9CrOkTSYVclHhK;Q(
zjG2leM?LlFs~Wizw=$tOE$2pQ@6ggZA>w95Bt^CZAI8Jb4cQD;@yjwYn>4;}uKO@c
zHag4eyeqhBJfg(A{mMXW$0cds1D+O`)}@!Nsq5;s8|8i7HVwIE{`V(5tB&?vG-$sw
z^APo;7vVa-C%xnVv8A*pMvGT<iok8g!scjv4P$6hTgtUn^liHwGEoY`vA?3ucyM=7
zEI9ij)IthEXx;Q4=^O_aIHN(t=3I=13DD>b>zJXp`^(1l^FpSJwbu2xk++H~kDbr^
z{;2!CmI2*K`0l-&rd=%((vqJ?uHK|*mh{TpWojX8H(0ctOMBJo(Hc~N-a(^XJ4D>A
zYS8bh(2U5jD`;yGB3W!5!m`%?W}`ic*<#dFy5(TS9p;^9j1%iD^_8{SIVu#-`a7WZ
zWxYRF7LsXJwlmO63gQ_~V2QOmkhk%?>^b9w7G_Mc0_OB5XVb58_SJUw6Wdn_aM{a6
z@W->x#>=M?Eews$1`1B(WCrO62T+j+Z*?YGKf7ZEUu_Z-U9Ty_I1nSdrlHz)VLCP_
zk!P))mU(Zaa6B<e16*rSj@>f&d@PIast34tRJY2?kS-^U9ZP_P*&p#<cPru`zaV04
zf+oX3RmD*$JU?aMn{9VaKF>m`Jv;nu*~=)#IKC^4y*1uJ?*U^I+hH)(5n5uSO0A52
zbxU6uMJscQh)8#irJkI!OhU<eQ7PamM`sIW=vB~;LcKC$k!xXzksXj{P2xT?UnIde
zv7UCUw_UEzzc)hwM@hq+yXsGwQ8G1lC9j!GCEvUUdbVK@zcto-7jbde8|4F?sL>h@
zCmQRJaCz2@rviJ6Qx9=Iem$<i+tRS?+f4YEVCz9H?IcyEvER4vv?guX-(60>H#EF$
zy*X|)ENyT&Jl1!JmbTb|3sUAWQrjcgdBu^CXN!N2X|45|Hr=Os$3+U)`c2{UJgqNv
zx+us+b~e7g&uAcRHqEhZuI+WqR`W@qt41jjx((s;+#ObVYs*D;IX(tAJik%RS0P)!
zu%BW8ozxfK%R&;SKCkxPXfQ+z;LF`SWxnlh5AWq<ZVG#>DuvMFt=654y69X+TOwCH
zZ|BA3B(vJqXE`5ruV7EG`t#SkaLB%koEntC$u`ecb(kxuh_k72hH;Zcn01=&+tScn
z=2B$wJVk+CgO*_3`P(&v{z!wg5&VR+VBH#rhr69HyTSgK9&{37q8Ery+7VSI`W{CJ
zmn=v7SzK*x49hsOXTSe`U1&4(Owj>0U$=Jat@b=A`T~k)W-4xi0SR}Egdy7H36%n7
zmL~7Z*5Avbh$$^03P&<mAKs@vNn0XGU9bC$cAL=z?QM&Rpl?o8at6$;u4n@2cgXlJ
z+=A*<vek#*s9YlvGC+Hr?X63ISP@$j6~1sSEALSFhG}LfbJW}M-bw|H?}<DU3ORW*
zPYoOb?6hf49`~Ps#6HpcDL6l==prOh<f1(_del#n6CQu0rtCWui6>9Yw64ST9@(=i
zQzgIh{s_SlPYodMeZweQojpvTfT^`%2iSWovnxo<IYtb@?y}9x&Bsfa)IeX(BZVYz
zurwKU7R3+ibTAoJF_2ZXOFN-yjB$HuhfHmyA5ctfvYKCGn0B^1_yfh+uV=f#K;N1a
z6IY!^3cSvVNZ{;xt=0lGB1TK)P@pGB`!1X5vDKYoiqBz3kMoj+F2?d#@<v{MXKr@n
zLEqp4A*D*yYu;q+h489!XpT9HuiC@F$jTro`|LX+>F$2<RUPL3H4Ob4J_clWl1uzw
zN5mP^H5}Ap1?=ARuXJJP(EMBYY#NDfOiDv|KWA9!;#{#8{#*oM6}{IxCDO63otHAr
zC?|_!ku$j`wJOHZW&*IcS95N<I+bk1WzN7Awe^6HzqMo+s>8t=8c)Dy1TK2@=|~fv
z{kwMkBN06IGv76AY0c`)4XrUq&|fcaQbt9)C^TEmwu|W#XG7yp>7GxXU)CJo-Q%vB
zC*jbm*UoPnFSN&vfwvd6ixu*U=p%w78^*+%fywsWVXodtl&L&L$MSK#!PBpZkk04s
zl|YvGTe^aq0;FLoc1Q`^I4Il}cR<U}`x!gxtbdVQbr4YHb@TSRRouznG0(nQmvu~B
zNOE-qMpIeQXryoZ41vsTn;sST82<9+BJIovtF#E({JSq~p$c$rp~CmV@S1D8Btb>}
zm5ZWPaK#!w{qsg4ZFR8S;M9^V;Y8g#kTIz;I0%|;e@oAya!(y%NUyr><@?(D0B1u%
zGgtUr0)+xp&*bEm0K6$R2vdh{)*(jXg=Ko$S3+7NP6;Jgr#tog18m}7uIK4s6~NCP
zP0N|`vq!>k6>k}9*&hCKa%LKlONH%)OFjY(^JhMrpAg-D>S8pouj`Y)oI}s|w?nL%
zYavk4-6_Es?ObOIySxmHk%<wJD5k8M6cw$7pI@s;Tbgh8&NVibCS0RCpAt{MS^>$B
zKB@~{zV=msgqRv#spoa70{IDwoB>`!R%Q1=GELjRN$^4_O&MPoMaJgfAHLm6L77^(
zn;2k*2`Gk58Wj&%&vw2wcu=f;M@b&Z#$J0{Z33s+viD&qzR=oyfXAGP5Q+!r`IVnu
z8U~XWu$gr<CyZa%xH98Y6Z1saiXwvdi1AlrX{!nWpgNEGJ_t#MG!v&K-mHPVrdEkh
zD2V00VwUju1MK!oaXAmsos15D(lujlp=I1nW&!ly6e2XeosfT?g=j8H)Q_(Fhs$$;
zABOE^4n5HEa$4T+^54b?a_r68kCuvb8X@qbw`3i7XnVQ_u8N_(eRel~zS=|%kv%qX
zX2xt$aBh<HWbHf({Nhi5)f%~?zdiMS{|EZu84A0bilO505=VU<__^MDHAd=+JXBR&
z6nsNRd|eSkzw+&4L;2NB;T0Q>ujlHN^zqA(ZFKv`+Ur}&^8*P)C51V($Fx$8KO#5k
zDtmm<#JFF%iDvVv8Vf7221GApcLSsBEv%f6cGdna>1fE8aA9mIRb?g8tyTEfNi*br
z_ls$NF9X;kDoCoLO@rT-3JGyq-dDOK0gPu2Wf$#nv@$G0_+i3v7E9Y8X6LW*VOCsj
zc=3{Ow>tCHeR-b#j~&R<pycCbVnfqQDE#%A@$=8+@>I_Lsy39aDm<(1ZXysuBCofB
ztQOhN;EmZMZ9KjB6{hX#D$DCcv8xRD+|Pql`NrI+@Pw(!-F0TH$6$IJ=k-WYL$EU>
z?#c9@1>um;UQl|ygReEBF$$*b=dDWm?@Z)&pe1IjdD+kkSW}Hw&!Iu!FZ*PwZaU=1
zQ@T5*-0}iR9WcB|+ubcUHxK09_3;u9zpW=-`Iio~JU^)-oSSpSv!Mk$S91H|N<?v~
zq5oPeWh-{F=HA~Z!^ZZXOam`|IHGDJZ)N2?%HWbeFyl=VaN>9C_lgGbk6cy%hdzM%
z`6?fIh$-XDdHX(9`+`U8MUC7XyQ{qn|CTY!&|~O>`keC~;L@G&kNr}s^Fg7NpCWRq
zIiW-LA1vu(94@ltr=S)eVGqHUYZG)=+O9p^yLF@~>0=)56eI5F|8A){B0g*5zX@{o
zuH2gSrimNHls<aT1T(~-@9N7_gye0%@dip%=kQYJ&8WqX)RmW|IMn>Rr<tG=u<ibn
zU%<HTO<FW2)m<d~kWg}71c|t+epZ>Y0i{OUnhw}+rq9WPmTT*nEmMF#J$&L6VJa+X
ze&`*h!Im;<3U)eO&}*B^*Z&<Jb+ocYgsDZ8H!wR3*+=xJeVyB_#nxoMu$6f=va@?t
z9)S1$3CZ~Rx`sO?b}7o4x!a6m$2*i{kMZaA{l6}{O>W>uE!iD`K|8MTTe%mq)$mI>
z^!1G^qnQks<-nzwC`$;E`p8*UI=xggh&aSDZ^`B!p0-ex-)D(QvtNT->x3(q)Ke|K
zDO*_AXDi(zID~EPP5@F*>jTR#KFf+7MimUkO%uU}p(}b^L&Gp_zoIW6Imr~_%ffdo
z=uYj&5*3N|So8`H)YQ_IV|L`xDVOH0>@k(xx8v{TdOFDCuL7vBHMgi-jJZ`Xg$Q6`
zN^(=v5|?XR6hY-0oOemp%C|m(%Z9b4Fix{~xM11Y#wTI&v`vAr4j&YovOcI!JP5Ln
zW&i~zzR4r|7chF~z!hbmH&nBb>t_h~&JWit(fm2Q_nYdE_tBS>LyoZzd;?byF5Xz3
zo<g5uaRbzEMb~olWJ7J!h)&_+=@PkM!M9{NeMv(p3LHa?(s!kW8j`9q)DoMhd(!g3
zUs0e6W*pj8v~bi=2<9Kj<r`9ZeoQ`SzS6x-oYGh#G&6TzLD#pE<>$s~YmU3{bbU$c
zT{6{foD4l}c79WUJJ;`*@LM!WSrRALH0AWRzp`Ync5w;%C5t{s9p;T@D5)kr%9b_V
z_3-1{TjWfiok)~cd=r%ydmjm%{k4uu#thBVCz}Gk9B$;#TZIzEG$yQPhDF>lv_`R2
z;16Qa6DWpV&fhSpKLYltNZ&#x(48K>nuYfmCc}rTJj^6;ZxB3d?{BBo@h)GV87%oG
z$pU>6G{xlKJrg28h5_E+z2kQ|gP{1os5-PGL|r{SBHwcA8cvDV9*Wsl{U5jc&k=A>
z5benN)IGKz_(!jByZEQTwpOC7=}jbsyJSvY88ajMtZ@Iocnsp)r1&ose;K;*Ipy38
zB*||-dq3pVDff<)>ba6k-C{`GLXXrX@A2U968=P$@c)S6S8g?{T-Jrd?}<2LAz7}N
z4cEh&>~O-s9D^<+H07b7%{Be%b+Dtl@g21;(Cx_z52YddwG)$@#L+pQOyTfKyY@G`
zZOV*+p1mN##*Y*%(fcG1KPZ<{Cm9BJ_dk0;qjSxBQ^UNvGTSWm23{Oh3{kB(2>Jc9
z>b@3lTZWlE!wo5<HB?j8OdjyGQRTIiLOpYL7V<ZV)L^?q^!h}*7;fKK-aQNaF{zA_
zO7<T~C=H}ZrAIwlafm{0cy)iIK#!xUTEWO~|C=r7=E(tE-R$VUmkjKY2SPDIIBJSX
zxKdnaL#M9!_5UR<Cz>B5DKAmCpkio>4!|+aH?USkzU*vi$>(odFU7SvJ(3hv#7U8+
zU9FL68>~Rqtb4=rbu7#$M_Y6`UM^Bgyge6Lr|HQ$bd~q>4%?MK+w%P4I$*bWPlX&e
zpNaNYon;OMFW=K22s{0$qEKPv7L~w5??^FbJx=!FZWvlC?0@QFzUXMrqXEAx*%k~`
zP8&J7S1WEsJ2EH_DA`;>#?9j5QDRL^cgxTP8Jf~Sm2aQ@1(rXt5g;(dG8#|}*?vv0
z8aY~iMjZ6^z<d96xu368k;qC{iZ<N|xVnS%^pf+RaawrrZxCq0F1c;Qk#tFwtSbyc
z2O@n{m$E~aNj>k+=G5h<M<;H{+5>%dZMyGpL80&A(P*ao(M0`OH=k|3a=MMYX{(7G
z2frAz|9LTJeieV^SU>~^x`%whH?4(57QFGhC!y04l~RN`KR18;LEwyX<6dhV;w2Nt
zwSr0AK$XzXinJWIl0DkW+R4~tCaZQ+sipws>lu$>@$c$-9ti+;&_D2b>ctC7eDvYc
zn^KoL&fYxzO+Cj@8+>p;t=p}5+~Q~1`0-~$Dyt2%P9UWOG4%Sm3$w~w*lmwz|LbR!
zkr6VetQ*Xbr_0Fm>HpJJK1I;F30sWaG|r7>GWCkoj_g>7jA6GbV`odFH&2a>T{TFV
z;r`}>TgbBa_m>Hl5C+Gs*Q2^*#^8)(SK9+s0romTOyiR@n+c5B6V8<nw0G>TKHNK9
zq$t@V6fQV%3*g8@-_td56%PHGCo{QTWqbegww8}i`_Jz((F`%fZ*g;aB|?J+ufkH-
zz3GQ;`n`rf<2K>B&&<tds@wCju$78^F@L=wU$qUTNE8pJ>R~!;_~&NWY{E^aY3pfK
zqUsp+*MsXjy0S&%QRxZ^VrMw>PqHzVx**y)DZV1%K<hwlp$PQRUa3it{!vZn7(3~z
zWME(Ki#&9~yRnBk-DGaOMQuT(%wE7V;`icAF&(IzrXJKLD=UcvVFUU!O^ljm1DlT8
zYYYRm0_QLFvrkX%;%PSh9X~%sLoq(9IS%}N*UU@5?e>cl&xG3o+qy$=?gRS{1l<3m
zL5N5|7)KpO>>)7em<At&f-Lqw6A9U_UDNL~SZV#=0?=7O$K~S&mq8-)=F@<}=_~kf
z8M2IAAM*dfhd!J8oMg(cO89pFr3Ufr;H|QsJYQX5;FL4i6-aP2tPSq={!qt>?<=RU
zkht$@mT?}WOo$7uHKk8D8FWf#1}`btMqSd$C5@<7gz&|w>b^AvyaxYud0%_`YvJV>
z^zyk>HF`05=hFJN$2rIfBxp?cIIynQHlG^xy#*pSpV5B4t4znl!vRrI0t5*p27?WP
z5crbm&~nAHIi+rYe{joxp%W*8VNIz};!%jECRr_-2P$vpnwAEINDjo>YCk`TA<3~1
zzV}WF5)3}N56o&A&7(Vm&uPk$p8WS4F0TKTUN;+v<7IO3WLw#8I8Pf=bM~S*VUj+T
zTs~Hwhqa}A;Kt{`jH3K0V*RUZPT$u}XZ7o^l~RatcwNnFjUE43fYGNaVL6@}(}Y6G
zp>#v+HnVdKQr_tF%rO%Hg}?=z?rc0#NB0W~VCYz`TVaJ2GlrOA4OP$*&iJEPi-B@%
zGr;n3`F0%35Pz0lkAdjwAQ7TSQuDG9h|(Z=FJz%Evz1DKjOU-=p;B1~&CRt&i$`=i
ziZZj<(W%TxthlG}2>$i7UOGI+Tnx%cdI_s0ox*uGS<2=ABH<|<BHcS&o-87e?xPk;
zVU>rb=G=r}hr#oQ*ei5qt<svczAc>T#Jj1x{Ys)rl{yGon0m1N(!$Hl8&7wK&9&No
zgkYO1J8KRc<v=h7kRuoyM+ed_xxt;@Z<)Iu8W|_|x1wc9^TH!YcW^w;HP3&Cl3pmv
z|3Yq|I1Kw!F6<=_mS5uu*-GOi=FVx`R^_KQDyZef#zr^C_{$4C0nW%nkt^1RNT*^(
zd-x0KsM*;~4LK7m!B;Z#EQtM>O_uej%%c@eoo?AH8UoPTQ87oI<<j_BrM5R^(g!z-
zvr}`c2<}(!yBbGX?*I4@+~-;`F1KD1FBop>)VD85@(Z#jib@ozAiu2m<Y2YH-*d}O
z5FVC%VgwxL{#&HR5EN8(CKTrPYII!U%J1RLopGHnWvp*RZ||)3$n?N2QMuYjL__Jf
zIJc<1_X8ePG6IaX6zerpcnDh|yR+UTmCi>%h?kp{6I%2A#LUcUt2#0ZFrx`%n!>+M
z-q{gOFv~N~hgl#-<MlRL7Y~K38sw&)RcQQc$zS|{W`1*ARV+6w=(_6Wm%`70l}B-L
z$sd&YQ?onFWCX9!d`;I;fDR0gw$4vK*~?)FC+=S|5BRDkYOn4G{Gi|WzMlsN`uqKg
zSws<3v|?~cp7fv8crj)p#kx^P=##%;!95P4jND;!srR?~CzzLy(@S(ov0z@E)9s-8
z>zdX=J4}4Ka&n?Vg`U(KG*hQ?|1xID>sY|MXCw<ZCR((YkTqf|B5Jy~OqEsIZYps=
zKW@TQ2b1)hm8`knvB?TvqW^U%TMG2UP?U&tuUK|q-Q*pO2hf=k9|uM~)7w|BzCH<|
zuM&V&K&4W|hZmjdaf3XKO7HS?GSWA4dU+DXk0;=A*+`f(bXeDM)8S+D+;<*A8X-VC
z)%n)*81u(cbGoBeMcQ?gsiK#2?RalIWOacM6qg3gBEBZnIla{;2~Cde9Dj&gn;dI;
z3W<aVr>Uty1M3v&b8%K>1UoVFE?3N8f;}EST7Pxn5CUENtq(utlXhB}5OEJ1IVDWt
zNUv(c#0B7)2KD1FDdCGSF-3i2ukKJJSL@OhFXT4Am?FO>34fFFnx77jJ{RkA<a4=B
z$auesXq0`*Ze&~jbGMP;+*W+4NnOOeBF`cGQi5KALe0&zIMER|f*X)>yGXvmT%p&n
z3@>`OJNt$oz-2!L%h#Z=aW4q>!z_(cd`$|2OXg_UsQkly&E6{KJmiI7F3Pq6QNEVl
zQuL98M$=NFzFC3Of9#S!pQ-&9ofUnbq>I2zGcyl=dhDsqoz}&r{RkgQ30KgrP{JV+
z#i68*8bMLyd55_Huqiv;wPH~B-{5oKbB@rlSl(-2XP5u;myV2C>tNhA8(-IIH+|^V
zf74dh<P6E*^b9;?U8OAW=ESfFFvz~b7OegZK@-bYcswLA|05`_tk5XHJv%&^ZsA;f
z`&CG@tW|r%uP?4bF@ZhP=8hjwq)?!c;aW_|J|x=qN64RKX4LK~2i3d19!K|h()8xk
zhzOhO8ytbJOVStan0f2QmUP3d8)!fLQXeqnL!+X6iSC$-P3rJy(D6b;xpwK+ktrWM
z<D)0$Ky<=kO62TJ5_y2^t_7Pcv+MyJF~ih^RGr$+&g;1)_;|)6;-5=kVILZv6QV4w
zOuV+x4@J@7T50{;W66i|4ZepqkpAv~e%<e)kXxOP3R`Uuj{G>>!KH8l==B0H-}zzs
zYF^r<y=-;f2LL)<+F@Fe^)nkoZ)uqB;(rmpcg6RMZQJ8zx6>fTPoFp_G946Y9fW;W
zU>*nn$lC1N@ucEiCz>quh(#@}B}^8&ckj~2FmOUS?l1d@RAP?=zZja3Zh)D6*|4nL
z?l)Wx*u}lbevj#LYntn6`#jUt4?}Ws!S-H|z6J-XqyV?Jf4M)RVaa7hRSis50j1^m
zFhB&H1cxVkUBLoNB+oO(_OJ6{EAP}0uGXSuX__r+)igLa2s=za*Qmsp64JIx!<z^Z
z@SN38R1c8))5bCr7KAg_&I6r|!&GJp=i6xGkSjV6+~3)4?SiB#9Q1WiXo*&-|2|=@
z!h|dGkaK_uCKmgF3uP2u>{vCbnEia(7?UpFl8PzC=R6Kr8eKAKrB`fzAFVlM%A9Gt
zxdjW)L5L$PFg>Lc7N-yFHMS)RZUUWdSFg7k!#h*jCzco$R+4nR6C<?=)F|p4_@&%G
zOc%%EjF#B6yh9o*N-ECj@*C#hmwt@xeX94)yUMA@g1Ko8vBKI2=eCldCt76`SBu}L
z7W~ECj2^B<Y4c7Nsf?F{Y&~An9r1&$hTnGZkG{v-3QsG#E&4C!+qbZ<myk(#78d33
z+Z}5Nnd#T)_Pc5pw*DA<dvu3O`U;r?NniM;8eK(8TdqV;;tg`?Sy0ve?cBq<q~(*a
z&zN(qs^6}Kk5MgwSq8LAd%b;okxiN!4;iw?8Lsot;|rDdT>F+Hz1l<^aVhrTY@efH
z&Y<@ZcWgK{D(liM1#$YO|N1)v<LG5@Ys$1(SFuD~ckc#Wwv^$}b4EbalJVA;w1)Ll
z9RJ?rpe<u8kEAl$W+-ak!PBbz^rS49$>B+MBoUhpsXb~`$1v^O%|>AqoxG{+L{c)p
z{G4Fb3*@4r^4N`lW&82hIGijot34$Ng~T5mZ4K0<qv-s%5{m{yOuk^R<vKJXD@RRE
zG{KP<V4pc?<;%Y-Wy-nOuNgYV4J5Nls0<)ekjW;DaaazxDL~e1r|Fp9b$Ou82hc^z
z$ViRv22*t9BHRnd`OCklQD;eqTtNp&9<ORe;hGg5Ym^@NQi?cKEB?Esz5nMIG38#l
zMyBOE^)(*OHzAH+Go@;ljbFwLhb%5M+lnx1B$)p(>E3AcNkUd}Ev}1*%tHl9xrC!W
zO|Hfg52n7uUHsh~)3!aFza7<vqe-P9SL7m3e>~(GVto`)g<U#t$LR}Qzh$xcS@4hb
zOdn-lY$~g+szl0MD7{|7mY(NrdwDQblOFl+1_x6_MZLsT+N62heFEeL^pEdrIOemb
z3M}E7uk-R|&7Mx{`K9LpI00V`-61>qb+wF}OTB)Q)^TiKqil-JkeNkluer~Rjt-ny
z%78a{ald^B(@R|}GjcZ6=5}uHfVy*!$|WBY*Bz1Yd3MA7VW)_U8A$^8`yZm%cKN_f
zp8~WG1|nQ5$rOh2oG4%c!XuQLxE6{St>buu*Bm@pTi(m(o#HkR@*Ir~WqcyK+fa(k
z*>ObDXUJ7=AaN}BvJ-;<DuI{58s8lTkrZ<t`-Uv#u_d3u#sPQukF1Vc9`T>Y{`vyF
zSd6oFKF70U6=8=aJ`xT)fVU!|?SE5fy!U^jG*2x~<xVtNY|31Wrm+^!314`@0ruQn
z@lxLdoE%m{2yK~R&jaaOaAWneSKULFv(Ri!?>P};u3WW{88jY~cKD(@B&`?Hv1ldW
zPCr$O`J$s4Y-r&ge&B;t$K&h>0=FJ5){wo5)iR8U_#t<*@p!m?WE1f>G9&`Pri}c}
z4BryGyPNXln^vV@|A<NjWMU9bK}C?WEIT#1&;g`a6_~a3yfjBkW%B5eOgb;p`<v+g
zA4$Xwq`DRP56&libOgUASOU^p#ScB-;abQT<337%74|q2x1^EFO`SMv?Wn%skw%+N
zQR3@IcdVw#{K0??Ip<|<io4RGqs_<JKhF(G%vTt?^Xy!#j59Pp{GXP`3%0GTqAQOb
z$A_WZ<15S@q_pA;M_J++HPl4h`*x+8WR3qKYh4*NM;28UXP?0>m?Y_f^<Xrmy6%@;
z#b|%bd|djy9<cAQ_?KvH6}&i7q$=2w`82S>;;><2lq>ZnMnco$sx7_D&2he5cMEuW
zM}_C>Uj57Ye!6FsK{U<x?skECxs#g3s0(tlPv3FM5LoiemDNChgC2yY_TC05x>aQj
z>so8ZSd(e6hAK(+)(Or>;@K)n55p8t?q_iH7}30%5=pOhJN1?N1n)+Z_1_BGRF2E>
z(BW&kUT`Ni1|z6hmGyrm?jNIXw;Rffic~3c%Lh0)0CQnKL_ynqp0Hg0yfcq_YPvE9
zbu(Nqu@EaUU|mdt2q)m}<<(3a#Lna6ks1M_zj4)VK}~o{=+ZzR=0;AhP-zAUY8zTY
z@UOP{oRK^d5>awUh~;-ktYe`^51OzrngnK~$_l*vQ~grpxtsfuz)Er_%g28i;cn$c
zH9&^mtW!W|(iKW2&Vn()E8#{=)zNQfqq~;!#V`JWr2~2vo^bQ`jw1z1HhfQwGe5t7
zXF9W2qA$p=dAj%it@0}bT{*GF#%4c8!&NLFtNQY_&awR$Z36fWit$pf6>x((AK6%6
z&;dj35UBZ}nN@jAXQU-slKXBp|KZz~?TglhD3$;Da%7Ytww7OJGwo^M^S}$QT)Pt<
zIF-9p-4JGE->3t*@0PCdWFbA0OVl{qk!RFdTLUa6&lZ;y1)$Cm$8qGawZ8vi<kv(N
z-3EwLrlp<k%^9@OK!@x#u})+JmPb`0ZSplW!|ZP;?^gRfZ-7&e!JSB_RHa>Of_DHa
zC+yuQ((kfy4cas}y-o`|Sxh+oVWL^^Uvl?#0>znz1R<J==jV2Yj8m+84%~S|HcnJO
z-?9@QS(mQe{K{h+;9hxNAUir99~^5A^=8gr+@o<JTU(e_XD@S}b%19XYk(hdt7tv3
zR4$d?RSxMwcVD_lKxDB1jL%S8DwWQZ8aS?pnT<Dv&5#pOd|BqP2vyqL2{R6Msu@Rf
zuqx4_kxRzpN_LMfPdxoMw^(>`HeXf}gn~ZN&f*{(JkaeFP_8pNE}O6*8P}jvp(7?8
z9a<b{jFVKS4Wm^jU@6#V;d?P*m`K|D$UpgmW_A><`iZ@ZC^n#2CEMWvi5lQB9Up+s
z#=)vi({S_MH`#+hZ}r98GRYcO8#%Q{cc1ha^mY60Syh?h!bUp$b7v~NnmyP3g=@`;
zE;G1=@dgy+PFee*8!1J6So}38ycs*FIso?8EGR~mA+p9zydBxTn(kbsBZvNM2nR{G
z`8p>6SJd?^3T(o6ON7l1^Y{!seJEne)M@iG*mtQWc1UMhu7h|*nuL&ME(BZ6#EpBV
z^JeqV=uRgr=4Z5sY|aMwnG!j^RulWrzCx~3X^><Ia_;pvb8;mxtaT&es9{n)s?7Vd
zOYahtM5gV`Er%@waRZJyBwP;ixOjuFVks&`KDOYj*VF48+MK9FX-6n1K7AhXA<cs1
zCs<_m;w6I0)}>MaF66ZP@j3bNd8s3^{XNUi!T%1wF2WOgZ&@_u%>Yy~)^dJ5#}g@v
z{)TOb{^0xmF6(>+(b==~u3m_$*XfrX?5&uQvG+?WG7^<D^%M+_IkRj_-`#uY5)Bz!
ztJ=DDNgrOr{h%6p`Gz#_k&>nR^Df)|mYP(aokg9@I40BlYV6DLu{ut+am^iMYJn-A
zR~Ew4G8UZqL7u4~2cRdVxQWtXr6Fmu9%@*4w{pq&&tBSqniCVk2&lAYuRJiHGQn4-
zGu2F43hx`Ceeu8VMdj{*`Fv(<NbL)QF3#v$j-tNCYIm8WE6z5$!W_8I`@z`G&3g9D
zLU10NKQml7{h=%*>%Tll`?U2jZ`GSZ7CJ1VBe*x@z$KZoWrA?#QWEl3<NJa^R#Ix?
z>RBroW$SwLZl-yI^~{OFkkpL4L?aC#V3XaA)QjAEq1)X@O6myr)N0#<m8ln70s;Qy
zp-9kiWx1u!`?Y1rqSft@x+wwId3jwVvC>4J)S^~}w4pQWfqszv&9Sq3GMI~I(Uf8L
z0bS!eiUNG)^Y(UC(apHtE`3=cXY$9w>)6co_LV><H;b8cu*<Jp5-LkQJx)t{4xI$L
zb8TEliW>+^YFzdq_qUvsr-FRKw0z^nFCV(F^~TeXv9Yu3iDlN+`|iWdgDy-KIMyu_
zb*+v);IuqgZTS}^BF)7iitCb|X!<1h?<>3S`#@JxL$EYJwgo})B)@G9dt77!BF#j=
z@D9t*zK9MCe+=bjYau{kNkI42omhl4n=lL@;;>t3HG<rh@S@*T>-qs?|GvO6qGqzr
zmWj1QXfhZv&$Jsv{dudwTYsAXj8R?QSKLw&LP3*71-c(dN`09SX$l>{@kEG7ZYR8R
z+%N*g{U9Q@??YB=3$|tb2zJIE6BAFxeki$O1uXL=Hj#BaZ?{wEhn?DA23rV?qvIYs
zJpb#~GVS>}|A%$Y-8rLCakom&88grSs^4r>!dX~I-~~!aG-Vz5YjR2PM`PyBvqU8b
z<PfxOKqqLU>Cm_bhe%gY8+RYi2X+7qSuHc-WNJE^1Vhzq{^?;fu*FmH2ttaaO=my8
zQ+IT)E3x#*qN%P&qo=6Y-;^p`I?p2eB)2Gnvt43=s1e>bug$UR%?wF6LY`Nnb&qF2
z&f+-Pj>j{Sz^lqm=E)9V=CV#$cUzRa?iCNVU|E`5`^~omC|VywOvGud9tg2y(|+k|
zteiG+5v@8>q6?Ht<9_Rsu@K95OJMDq@#Wv}PI?cE-_^~cmi89mf<==tX-dsJ8!2X+
zXye7#{)=W&LrbhVY=LbX_W__8a`yWno~LYm`);)RW#w9zGIkRHAb5hqW^zqP`zm|n
zlbb|`SMzvY=;BF)c`8CXblu^HFOevKfXK<e#vTqA-h4Mcb>cI!Jzi9T_hddrI)_cS
zOa5f%ZNtFba46#5cCJ0QNXkN{3Ye!}E)uHq5Ss<{<JQ;pkkK|neh4ZsDrerQJ8+pv
ztUYUa)lj(wAt5qkavxXh2P@CwR+f-=u1NnJjOEGwa|5jLUhjO1YWOaFtNpE~?e<n%
zdqO4PXI*@2UE<%wW<*!J8`9dfkH?|&$At#yV#v`y+8GQ1zAyS{q6+&w><-S?N)Vlc
zuQk$hL)7(?*+c1KNc*{&)*Ex&6P?kTs$=-4A?_KOJ_EnNqpg2-Ju~w`$4F`g?MK{q
zB*WHaNwb5Hl8ra(H9Sj+dFmI-&LxI$tb*AlB7cnH8ArxOVo*Z)N1sF-doBXoYhVRB
zJFqiQx^_2uA<)P{1MAgA-!{Vld9Z;bcA$paPNvt3AKM(jE~J{%N2~2`@NuUGk&B9F
ze83z#+{;r+FT6g(BV@I(ITr7d7;;i~B;9~G>1+Q<KGiYy=X5*8x|e{r*G}W%(~_U`
zp4+&o`=Oys6aH>@k+SK43knyFCeO2O-zbKEoGewrxT#4tWWnS-`xd7=L&&&~%WS8U
zvgsb16#eO{w*6fCALx!|_^5nwoKNJ8!3Q`*Rg3R*2h%)>KO#+JkbbU2bT9}xDio4(
zQdx^lqV1kL<s<dVYmeoqzhWqum8OzS^DMIB<HK8=kxK)DXDZ<kMF!iL-ixcIvd%3M
z${dabve>cpI6Hk7k+NCuy5jj!zZKNMgu;-;Zbb7qW~(k(+^#qXDucUgqzF&W5%L|W
z-7HlXL5E?_%-Xv#J<)?UXGeqPrgoG(^n>H@Tb7r8<7D-eqP}NqRE_XMpiw8E2z%Op
zwnKflo%WG2phPORo*Itzri^zN1qTr3Kp{sWq*d&@OR6C!kh{&c@SX4TNI6oNgKenh
z2agXQ1NWC@;5lEnjGUFPAsi5@748GNS~&8l8m1%GV9kOh3wsD5L@)2svuzlI;~m{I
z>@v_$e%O#(3XF4z`DC49fQlQ|=ec%lOF{M!A#e51kgA*f*tUo>(I52hVPYOMw8=eI
z^KIyWgUtb6DD&>iK0+6AH7c6smKvl(7Rc!YzZWC&iCQ*KRlzDPBnFq}H!R&2cgX}t
z$gmXkujJ+U(eHhT>W8No0a=*38rTGyI`{~tb=zWWWqgOj+jUcXz`gX>#({yrz<~kl
zdV-2x5NIb&&*_@jWJ-$xzL#nHxK$Vwn$ekGg98{!_-eiH(0@%u!t>o}P5x&LSr&^5
zn`dMK4)<T>x|3t)F&^^4ed&#ok$P6_>H%l{F|~T{QCuq53#0*&e^`zj$8}#{ueOOy
z0XajOf0D1uzk?&^%AF(cjJHO-Q}jFb%@fZK%^Ca6huo9a1t5@Sg>jK1u4m55$#SOL
z+K;z4fmA!JqRu~F^u`mfar$g@H*qJ+Q2Da@P;XzLYKqs60hn)<K7&7MV3<-DD?>=O
zk4c^JM8Da>ZZ_q}upq?KEGo);Wf&J~^m|USe$~%KY7&dJ_Jwc#EPfb%*O1{fAMw3y
ze=MzPei^pMMd;h$l?04&jEzeHJOCa|LxhO~W+Rj%<5udSnM5wQFL9iM$*5!BA%dmE
zje-rm!GKIi_`@9C<)`wFuGS)eO_UKohq;Z(vwLaTe_v}^8A0aB>C4#)ys#VK=*Z(~
zqe(X14Yz2GGM+$0m~x|5?%4h0&zcA;Lf)#ChCNL=(-`~<&^a`@2E8vvi;r4F3Sx{K
z*$h#TSt@-Qmr*9mfG4F1v!CJNOwKvEufV4Zx2ERC5TXjsOcq(<_c#lJKDr1SetAr*
zxdf&=+4#YuuM>lwZU<lIV217AKJ~galv-n)QK<?(voJJZ&tIMcv45kvHV^l!sWwf*
zNvAAQ^pcSeu3_?;WEi1F6_cHvi@5N4SrBAV3xN3GeMPSnqF*uJOWyoO(yj=456mXZ
zFsN}<s>Bv@TbxhXRZ)IYBC2`A=ir_g9x9|_6#ijHkY5zcO5Wb{i~r5j1M8$7sYvdv
zmdTT9%6#R@&&(Dlv`3EW=|v?Mx$3|Nn8qG$Z7r-v_b}zqk4jiT(p=w-OmyyPU%_c`
zE^;>Up8Zjl^6NlJAlxIoA$R4pzWCRHLVwD2+Q$HHUCSFp5&!E%z|u}VCQDB&_k@v-
z-;(m!8n>Dnp;Jv9_aJo3KiMacM1w6`+t5{}eWId0O~}%<cub=?ZM4);A7@=r#YCU*
z6!d;z)tpJe#EbRfp5mB-LY$;k_o|2MvwHL$KUX22t15ZY*xpW#9B`q#^X{|~+it!J
z7ptQ-%PY$VjNJP$Gz-g)cGMK8MBg?#<Gp`0oZvjvt$ex&j$35<2&xps*|ucY(1RC-
z8FQ{1@}FR9O5=hyUv~*!JFjkg((1mYn3?!86wYLJp%VFoj$8lb%Ymze(f*d?r`6<A
zJ9Ns%G&>0krQK^bYybnfEsW-`!qV-2>wV5yGUnmIFI}-|1&o<RWcC#J22X>oski5Z
zk~m3ov(dJ!FD?cuo$`rnR7LxQ)_$JcWJL+~6jM$4yaWt@lJvyrxx^9kzHEIj|JQ(1
zJ|2R6JR@_Oz54Iu*)QpY5m!8P0XCxSb@j>)8sEV~<|p<Aty-f{V3M;po%@U6hlH~X
z{5`S4B0*bj#ZN5qrU8pe6Fxm%#1$?0A9Jlfb~>ip=%1G@KK%{LKx3lZ29V3xJY8O>
z2kPFe2npA(P-&JAJpMT?&jn>MfeyLNl|LC-L@Gk_-9?HVN~aVRalOf1JQ+2i*9)w@
z6EZa1%)cbEFf_Rs85*6ytT~zSB=`&}+AF?C_7NAr5|;Y>woO${NDiJnX9~}re~D()
zD|(D(K!UGI-Zv|M$?+3jZG2_g0_FFF@MV4}Me|^fYn_FnMH!|;x&#b<zXV7ZC_*)c
zknLaSa;<<FmWge?b%_WOD=*!__(uk;bUN>sR>+91%N`0~deTEZn?=L9JwE=0pOu?;
zQ_BsAQOrKiXDGhlEXwp+9a-3!kJY@c_cA@_J5Rq3VyzCE(nErjqWkyd@AyeCiTrgj
z6l9emMc_KRMKea8>Zgum8k)|M@`7fW05(!p)KxgFxKq!~Rzu(Mz~h1_zP><Zl^4v&
zEidvB4rDrqHAE1y8&!Cej48hU10aQL<6Xd7oo%UFSUP2E`ntrPv1AP>ke=PIv!<-A
zi5y@hUT1hZx}fR2I!B{h|FYMrHE6cGT`zy#xQIp?h3&Q4)t*-ixNPX@Su(TE^r&ok
z)&#|x`_V&iK+ZaF{PFcPy}-+NODih?q89@w_LxaX_U5i@=j$WuNcb>^DVUu#7g2uc
z57iRM^}pn8`;5g<?<m~_cRGwS&Y{0RWFjSS;BmuOxKIDG9AE02zaEjzxaBTE9y8S<
zo0p@zp6_>lhy-Wk9=%@%N3ndo%AQsxj1~XEk_cix;GiL;XHngnW2mEk7sB!8`CkBF
zK%c(_`CX_kw=I0fX{rR??&K$Sbn<hzEF7m9&&b*5qE@@*W2vwY_byo*5d5o`)Kx@?
z92Z&>B}7FLII>~Gk>=_nzDeKCci-I!w<9z7T*PEfg5wYPaN1LRv>YE}d)f2Omg*h3
zBQFqT-|!s;LKLjR?{5h%jlA7ljn$h&6JZGcLl|G*EsV0WrNlPLVLJ@ZeD}Kb7*QF1
zk{&O6z2)(AdV=03(!FD2y}hHOcz>V{Y`ms75a?Z7=>m4{-o9$(mMtq+ZAUG+v5WD6
z4SD2NVl<X}rB#+2a<~~uQr@s+i!)n~E+0RmyL+70tZy<>37Z~!cS9}&u<4P*k3gNY
zD2*~mT0e0yiLC?J(&&H=LmF3~=zEB+iXY?LC)LccPltIGUm09$rAJD)YQJvW*b^~2
zI&__3{Q2Wo)5@+s{;s~9GTOJY(4xfl3k+VDLMSR!NT$O%LY?{Sr#ScNxP&qzJrd>|
z<pkau@^~`uxa{5=L%nISnmKFol;snrRLT>SHhNznTprMU>AB~AwK^GMGwRUh%Yi;Q
zMjfZzrz!Oja>}tX1CWwLPR?U<PI{j2@Zu+w@PO2d`Bnayb10O~Bm;w{pvwdc2Z8vw
zGh{CYA}PJir5j8aR^$C)f7<1V`2t?OS8eq~oUU}h;&&!2j-c0QH|msLb17F_BJ~L~
zRAn8|NsX+WN<u-3?X7G(SNqoec=Y3t^YX5)=GE-G9;hpob1uf+DqdIp;hD3RtlS%e
z#|>kT2J&vSo)H^Hcg${&dW`+fbRF-v<)*s+el%VQ==Fh0{OI4irgApwm(zq2w?P?T
zAaYLD%43$?LuWbGT>r_Dajius=*-&Dq3dZY{VF~ZhyTB7$z46Zfnb0cLIWJ83~$b9
zN$?l$Gh;$_?la>B7~1*ewqY>iHM4u`a7L|D32K9;-c#2YHAJOVXZyD-8wBS<0#1hm
z6u)0b#v}0m*R6YV_4}@(3;w?^;j4j6Yh)QpxK?K5cw<Clxo+e!Zw>O39g!B5YO_6f
zX0X&;b<uc_#@H!z7&P6Z7hg5rud!%_4vVHA-|({^oM!adY(C>@Zy!F#9JJYj=5uJf
z9A$HSv~T$+P8=6CFKy<OBkP<~jv(x8O>5H%T6<^L@P2&5BUpQpGw*WcofkF#%+FEu
z0PN*dr(iN#!N)Om+q90NE%v;sKufVwCKW1n&o91<Jx6|tZ;0UyUGe7Us))4oV4z<Z
zb#V?iu@?7HnZ+lGSX;|&?uPy;^3&D$t_W`b@d+d!j!^0)%C#<LkzJST-mx3IBkr0_
zbd4waYh|^<R@NsnD+WN%u4KAu+F;7A&lo)ugRjRdo>FqXCgF8E0lzBXw_ezRY$%A9
zbNtkW+1sP6%;}7WGG-|9%7X~wfslCx4oe|LJY0>4sOiN0{MBEoEguq#HifF#5X6#q
za8yi`W6@F~oygcyct5l>etU19)xBw1YB(oW2K%f1na`LF2s67O4D|HKS}7{bo*=PH
zg)gQKe_?c^E7Kc@l#G6(*O9JuXWU_f+g!o>Hy)Q9%!m$sQl}g4st%j9Nh56qBH1pC
zMj@_ANG0oe$zEtLE%I`IV#H4vl5k-<1+yMzVU++Sj<+G5tl%hqZfJ>^sCe92o6sn$
z1<<-|QJXCR9uaB0f6Kafe_FJfdoFHfBNi7(vj@$_flB`%KL>w5?gqM0Yo;WR_uy|Q
zd(2x4JR(`ke&L!xWS%CVQqOEEN>ro>WnT*QrCrWc%^w3XNyxiGPfkpmonr6)$21n7
zBMN$<BhyGF1~X1?w(9IOXv;N&E@`yAW(vE_Mb@{hpqm~RPD2iq;BDuC%TkaS2lKNU
z6x>VOa9EQ6HD-(RcJyJo7&Mg26{|s~UTx7i9Ajh9WlaT=t_*kPi6Z37mzwXfJ<@*k
zH@qBZQbB`gCECPWuHCPWarPw2u;I9h!tAbu_emzebTkc~<ZaRH-gkH==*SSAouSQ2
z8*$delgPGawKkx!Zd%7uHxSzO5pE?y9{T!l|I)nP<S>}swn)zH70+rw9LrG7rFH2v
zuo~Z}_lVg>%#%oXeDQcJ+a2<EX+&+H__u62?Nw;pR;#~5q0jm}8K0@6*cr6A(>|j@
zr7~+xrdV1`1}r#~2!&$Na47MYm}oO$!Qpm!_<6-Z$YJ1fEAsHUJ}cK+2wZ9wrB~9{
z)h#i^yK}W6*m{CJ`Gy#e6#&ZHSB~0)6FqOe8qXGf&G<77ZNFF8%wo-0x$b6w3sFf*
zq0ZUwwa(&nTHq=-gieRqEQ)5cqxmsB-2571^98>_e@FWOo{^o@F6&qFB(9EOD`{1=
zIWg?o%M#6YtzM<;6itn^j+gm&g`y+~0Uti8`I+tkVrrG&qS10;2e)%*i5=WlBh=1;
zbi&6&!cPJ0<Z0YWsj=aYl1#CG{G7ex+j}Uzn%{X~|5tAvJ&w1-esmX<VMIng1|eDw
zrxLA#qtb_I@4PVTYiKlrO4*?{;r*F7zM*-JK}!mP(86^Z_&>~cS%<k~C*P-dsySn;
z*;q*}OdUVXGt6ULncz}$IbmnISVd$zTSd9?xr?d%P%SGJwqj^h6uW}mg@!X?iHY#r
z91|&L<s5;2XLP)ma)rb7Yw5SlcYvoA<z&8-%I3IA^D#U+pv;LJqdA;dQYq{;#)`3c
zffp-tB5BP#{kQF+mjbo4)0wUXTK9B5pH3GFc)yrwB$I<#ha)?fOg1uNWw_csG}K)k
zmg3uEjMqcCbex^y{Aw)B_EG|A)KW8~Y8$yxYUBqr8TlAX3E-JUfR>yQ?X|WswpxNg
zq~c@4tJhJoDOSp3EXHqvA|Q>gR?Fb-7v(XQj&~T3a2nN-G|nmcctVhpYj;K(Hcvh=
z#LRcVQ#$H79dTE?r;Z4$Z%&kFMmww!EJgRwQYQ>~)i~$^*T>_0u*2u{Ssa^J!R}iz
z8EkgF7<<HQYSe0jvYbNy3HX^%jO+d;xKuK~sCYyqnxbowiH{+iPt`)a%dOL?EE;>(
zOu3|INYz7xK>RH>PVL8PfS*DA3y&EsF+<mm?5z!yToH)!;eL)`#f;AG*=ChUJ-Jjj
zM~9t$N5SLu=e*{y$K2NysoDaTkm&K~Y;J=&;x!N9{Vr?DY;#*hQL8dJ{PuXa!;mx>
zTt=-)*Qrt&?Ey!&Mri|L038t$$j)(JfWs7=gF5J)cPWK@gaYqc;rIabsX;8QvDqZ2
zng_Zv#j>WlX;aB=(i_5ff1~_Zk!;;seypL%E7feh2xvD*z72fd;N`c?y>r^}vT2!m
zUZxT5MrIl#q-asE&6l2QOLz4YV2H7$#0KT;8s0zN^X=E-8IU8*uR%ZO_DV05-+|)1
z{B}ovE8hXh+e}TxnjC)RiVGTj0Y#v1-~!4J&+Od!3>$2Krttoc0Mm{pJ_<~^Rv<zp
z4cR0gdQP9(%H$=}2_+-mvw0|MRX7SgWrxC^sc&4Cu@ifS;`02~t<Te|`L&0(ZF@+z
z%hG_88Lj3xwR@?_bk^};QyLbmO2?<UjI!B=A=Su-DFafrj5Us!T9h!;oN>}vDxmPh
zMo!!_mWe1rDSX4@ca2mkBM*FLyjB}$_$YA=@Nv%OJMK{`<D)!Ghnh}ax{*IgqSr=S
zgCE8}h-aB@20ScU^m?s3+M(V*I0(k90?gX#z{Qq6tW=d%QJ)<Te%6t9IrHLYn+GdH
zj7D~<7y?fJ6<e-GCvstN-v0Qlzj*8*z9IDQ<?z3iCAs4Ocu`?D5}8j`2X~aCU*+*U
zb3?RWQ*OYLzCSl$3mP+lbgo**H@qC0>IoJ@rl=!n^=6`}diWh_zK9m_P5eD3_LFFV
z)qN#oQpk?lSlU2ZtB69PqArhX$5)TvHh%r}c=EdIkkk+L0Pi;0|BE0b;R@L=hOAgm
zGvev{(QnWb_;zGw`Lx`}NYa_qT{XYJ?SS3ElHs%iO1;t2skdkxy3lXZ-I>Auc*)b*
zp~`d^X&p46Z+9~uh@#~SOCPFJBQ~1R&Ae*P2P#MnNb9+5i%<aRWK+u3(y+U0vsl89
zTh1Vf2-B_~h^6f2a|Y{bqgqfKHGTbOS?sB}LGKc@dfnf$5wRG-o<|)q2mF7u`Kw4l
zjAT<*W3VWuOhzlU7rgl6xLdddo`NWadXc1|DnKkj?U-rcKnA`~(80OKO?6D}C~1Iu
z;xMIgO%y)dqB<vcYUIPLDsuF!<i*WXk8N5>xbI&CcY@IWI_^(Ic4bfaaNGkIC!5X>
z!<`@(;9i08){R0;tG04oLnB8C*YH?+%+Hpu!D(7+aD2&M4jj`q+fa)DU&O0HiXSQD
zU=EV1rsHd1pGz=S5FU-<{oZW13m7EV!_eAvT%wV2mWrihFPgFancf!Sl6Ka{5zf=_
zfOyzWO8EI>nx<`zgijjGo~EeO7MT!mN)rO09#xczIWq!l5(8<`W(_pI1``5R8=nwp
zP`tzFeLM<y2T+#dJv$&Q!#jwKZJsYs4|o^3hlR*D{)%!)P3bu?%b*&-^He;WYE~7V
z^fla~SQ0Zi;>dDsubdQArIr1*sNI&NRe9fP&KL}(xISxfZk&oirQ-hP3xiYNvD^NS
z*;p@^>$2W=p0I<jZIQOMt!jfAQCZezl7Aj~4RS#}WiJM*NbBG}+ty4h;7VZQcf7yl
zQ*fm9Ao<pk9`pt|mEl4A7hju$fg^Pf>B;A%Jbl2^C(ZM}wK6~5PSTf3A)b$PE}HKM
z&qq)SKZzscNy%=3oHp4Tw3GYNAKPwu)Rl|aU{1l+x`)!~5M204OQ_)U7s3`xxZw8{
zLY90!63gdfkvuEcjdp?VlLPMWLdp3NeP2dlC_VtiOQDdmtwRFYYzW-NZuzt`wydE}
zP<~0&<k<HHLRI03?2y@NH4kOSii5sBaV$G*w%N?X*)g%tH&i&=nF(60!Hm<HrT6Tv
z+_2aeiPXiB+(gW3naGWZ^+=>o9L|kft#Q#BE&2VWsI_&M_68roFOq*nIkbPy-b&*!
zcE@Ys@0c55nEL?O<w*W*(?b00X>eBJ`QYp~{w?1-&-aVwBtMg`wq5jjg&b0E#yC(g
zr-Gjrw*=$C75Sc8s<EVzS~b#N9QDA~o>ab@C9It~>m+5y*XvF66p~$uaCWdXy1Da|
zlay&+$>XnPqxndvFy1}2t@9Lw*_p&|kn5q5w$9nJVq9>~idyo7<|;>K)-E<Hk4hv(
z&<t^_Jj^2NO1?hSL2n_wh|h~b?LzkMN=+f0JPILjJf*R8_cC`8-08Y|jUD$NAVScO
zU1jf%UW3O_RRjlu>9L|a6D)}S;cBoR>@j$ZT@wMtq@<gPZ13z|<U^;=iO;xD-RS&`
zN<R5a_`YO08Xz~4V>DWMog6$uk;r#dySYm3;io9kYyS3XdVTM~2Oqrgp$#jIK9j=i
zGp=0s@TVSn=%M?H!v#F_L})Y;84W$r{CZ)yc;D<g*wLyvG3XYqgTS?tPVN>dS>Q&F
zr-kEbrFfbbz|s7@2XFmc8+K3J_7KKJyh29p`C@arwWsi3fN#3cxpN}QER2@{X=JxW
zC66*`hPy*P-NVdz#=v++%9-Xf2pN8oUqRkYMp-Fd?dr!hcxVW-!e50{HoF&#v*KV4
z=2rBlI)>^P*M~aNgKJB<mF|+g92{A#Z#J74|M(sKibkyFE``?VLPJ~Y8AXSsLu1lp
zmG$kz;asTT4xPBM1O`T@wWGLxXEc({mZ&TonEo052DuTbn8y%1NrkE8Qj}JW91YOU
z4QelM2_LUvlo~kmLdElLPor#7?A7+08ojlli*pbGKG3~1UCj=ONn6extlFZ!sRZsG
z-K58>^qZQyb}M83>tHFqKc+fu7YRG676)lQPCS;XJ1p!1j4adl<L{DtPy&?zTNh1{
z_edc2WPqnmc#>Ko_<hL`3-MT1+!CW5xhBV_ks?M=M_7ZfRgCM5qNkA3I5&>FRN57*
z9chC_>$ZwPyIxT5z1ppG#QRRrs2iQDR{T?4(R1={t$I+|;fNMogM<H;U)JrXy6XVQ
z=AVLW?m#A>>-}g}^pZ9n3(|yOTS9~;MA{N!G$95F^TWvTgl?M9EhR+cs8JRkmxfO0
zbfXAg$80_2`4a>t2g+a?pvNIv^H{LK4cf96Pw?P*-PCCAE`ugitMGl=g4C==j2jxg
zy5ALOXbdm7UEP)LOLShJK5pt8J$;)lu2briHj^%HaHdQptGz#15sSf96&;zvxT&!y
zh>nov`(t||_*?FMNB?+|pgnhg{EjoO`K)8lNmy~}dD@6A?=&`5ibx=vDhVf|HhEt~
zXQSESvli~R3FPE*BvFw1VHPeGTp1oUB>{ImzsKQjfXm6pKB?DMT05KZ0G398V+{oC
z*UVUO`gl;GQLY>4P^xE*2TJ9W4|FOH+}Iislv$<GXUr<CQES_vV2xNx0dGmgM+NFn
zgYYlOUS?BAPzn{$BP}|ZX|>JBxWGPe$^$wkSAiH@ao6)GnmmRO?<;1w+u6iQkn09I
zQ|mN~5T_jB(aoLww1phplW@7<(s8|jQqs#u86TAqVkKd%!0IV=a%WdX<l(p2MO{N^
z9tb#Or@yb&6>9&a&}M(K41U&a-Z(r3KkL?QyFt-SrY>J$?<Ey*5fdMM@4dLPKc+ki
zKk5F=d+)u6Q--kH5wBy(hU^4-{fdo09uz`*KEfCz>7iaGL6mX?@DQXp7(GIK_jO2)
zm#Kg^kxx2?T4xcmRX(b<Qg$#18EiM(sX50cA0lg)EV(qhtS_o;G{EI%c_#g$X4yzE
zII>**BK}N8`G_SknCr<7XY79><7d=M&EM6T?WSO7haZLd04K2aziYwPpX-EeLV9Us
zp0^y~Q)g!0!nEzFO%dcNdKUdpYVi*Eivu7BWj_Qb=M&oA&bBD<KFAq`oVu15YXL{B
z6%e+fS^#PY6)T<Gf!}nb7U;hO`|EFnjKZimTcPc&8ULD`98Rq84MwIS!@kK_eK@{3
zRZAumdSh27zQFByu$j1S&z^7KLR^7k&BGsjfTPXBndT30q4|Rb{Drpp7;E#ppv5w%
zfL6CCl%)j8wz`9f5hTle>>-1EIJiV4D}Q(JSx+CgaHD+YMqcu61(8$FvUK@b3u-WU
zj!doh<om!fcPS1Wm{_^8PbD~d?e2opmGs(UUQ^{<yz8tJwxvc2E~jH{xHLMNRW{dV
zM1S4oz1v~61T(J2_-9Kcq>y>p4^+;fGP?XDXoc`cF3aST&l$hswmxs*T1pD;M*4TI
zxrlt5N}2a{%!%bY+~RME$6NZZ7pp0+W0}`Qsxm|9SV%83o(Ha9evW-|5M$h!u${Xi
z{aN#P<qnKrd=cZ%2Tu<^fiI0J>oLV8wc(V;)S=d^Qe(r=1qQ>uPjr|xb(Q|Q<&s`m
zfbsR)FutbHnRDXe8yAU)#5}3k-M~+Ox62WdeB92_a_c5sXg_Bo$?KkidMoEDIlQf9
zk6ANScd$@c*%R>BR+jqH6Yi2&38w}#j`b^iCBrGt_$E_lovbRayI^YKymeigQ%+K3
z19?v<Hg;nF<)3mGKRe$1gFmV~8OgCP-i7h5KBK4lX|?=|jCY;9r}Ox5@;a7ZmR4ro
zxAnYcG-r-W>O9v|yV_4lrej?L^V|HrRjkRW*4lo4GB&Q?)u~xImNvz0Ul@Ph87!n@
z6?ewBv?tccIn9QhpR{G|N1Fd?wAQ-P<Gxtvc-{KtuCz6yv;|=hv=@WXV!)jb<{ZhM
zh_7TTS%T)GHS0}O5}xi*j?Ia19qac@cU?ax>Wy*1lSBnsGg9!U|FLF!V0>tJ?CR3$
z-e912b-9|Jbd@X_udnDR`lj-D_?#Q`q|<cW(chk=EUmj}$;A2Vs+tpb2-!fv84!;C
zr!wNp#tW*GSzAxB*zMHb+chT^Bd?8ohy{<u$j=y*mY$Sw5x8``#XGpHS8_X#$b9Yw
z+WDA_roC5c;5^P?>Xr!AlN!_-NlZ;ntyTVZ`~mH8Ba`^@Px<2Nu@U8(;V&Qm+y|q5
z{aIxmHp?2jBBf;;jm-}}Xz}YG@DHF4VRX_*vRReT5&{p{i8;0!+E4kjfwzv4_dyHi
zP^&cOU{-?!qF2RUv#Z(F5ZJC9HeGuDHuzchF#LqZd!kq|q3$|<pAMUgUB#(lwe-#V
zHgs*6+ECs2uh@|qNNDT^OVBlVe8V>rd*eG$7ZIJlkc>HYT@JU^#ng%gr{}z7<h8T#
z+F5z+9L)aab>asZx9au1kHgPX_~5~h!OtsWU1L*ly)`uS@Oanw)Ogp}?`fZqan=B5
z^v;QavheuO$(Pg=E$yzQy+Gk+$`jvvY672na2nx*_{UjAu^A^TO3Zeo<I!VKmK#OT
zu8-8(c0L<%1)ZsKLVdZ`h?yllb6SIv-T8UHaM3X=%(ZYn?wDty^D+fe-kZXPnM(@C
z)kER>arxAnZw9AUt(poxno$m96}WE8j1`I#ImbZpQ9L?2GTy`5dU`X&$M}C>R|?39
z<{>WaqgCSyehi=1)4W|r9zVK?#bj=MM^vgWFZ53LY6=c&uS$EV;QnQNE_@1mtMDPX
z!xPP;xQ>?1Jbx0*w`&=?b56Wq^W3OF=J_O^FC}<Fl_peqcqG}x55rSl4u9j254}mk
zljJnhM^$^c55YYT_X%o71094#b}!>a(v^#(e~Zy`YR;Z#{O@xU?w*stS^#&>+Z)|{
zZC+AkUJ7lOA&8mwZ>(KLr+?4eWh-l!34AZyTY27}lV^hE8N-y`ynV?BEYG;yzWX?w
zgKcpBGzZQQ%QKE&<atuSCkmEl3}K$<Jf7!`HaLG<5YFT*IGP3FOv-Q~JWo5$XV1x#
zhCCsbXF|?%Ezk4QHhlhb4n9j+o+<o9TUnUpnVeJB6n^<b>$QZ}OUm=-1<P8>^GIbW
z=hlnod1GFl$wl)7<a#Zc{x_ayfaiI(4WIwFAU?~adLbnmgnkV)WFB;Owj=m7^bxyo
zdwgr@Fvle8u{6}ALGH0i7UDO_opVhE_=*ck-b-6M|8eVKv8V$NOZ`v^5U`is{=Q(B
zbF{(-H2>0injfKn(^)Y`?w#Gv&n)KLZu~uxMOx(JXIEmV+T5VsR7;r&)&2jy^wRK4
zFYSJ<@f!T6FmMKc5ARuUttpJ3#F<8e@A=*f@z(4}%htCPd=GCeL6>uCB3;8dK704w
z*}FeYe}8&!?*997_urqp@BZ8ah~@=ccLJ^zE~7(;u2B&#Mjh~Ef~UFVx5pA{7np$8
z{}qElQ49n`ey4c8<#&pHzv%Si-K{5y*S?JD&~r6XD=tKrV=GGwqgSBbZ<Dy{9nelx
z@cVX7)BS)a9cS%OPl2xzs_C6+d^y||vm3EJfbsX5Yw?pmy5^c6?SFja@yV5CMR_Hf
z2ZMi`k!YsoTH_$@D&Q`qJxo8xPwtn#o_u@+N$a$Tf3HVwG%u7LKkT&)6(tZ$Lg$Cq
zUi(9Ozw550cTFzIDzZy{-e`PenC+-x$^aA`ev$&@&?fI%+Wans$YFB+Gol_eZ`x#W
zmXs#N^t{9w<^+46Gw5IOlUF_4`07_1&t64K!>Av7VXf{yz~4P@T$lHNdvL`nc_;PX
zx#Z5N;gX^}4Bvgcx%Zi?uYQKN%`o7+mYsmj5ajdU8icuEuy9S<!1X9i%N>rNATWpl
zVH(V!R-v{VTp{(q@?AG<{SEG1-p?MIe_1|!RpZXaRqPilH;OU-4!#A6C<8nJ^kJH=
zlGz$O#zC9LYv$o5a5zue%*B>*xY}Px#qEx`Iqw+>wmoC)4!V88P%+K!;bMyMdKBFO
zWjBG>k1$?8BJ=ug*7uc2-zGnbr5MCM44Ltb&D-#kASs$O!fO)ULVkm%nRYdd)<XU&
zB7DWbPuoWpuX*;AgtQKLqI~b?yE~omcf_7D@GS7?sRG-_1f|l=AqFARwqOklQ$kBk
zjkU!)P|id_^kdRDv^}TLhci|1zfCz^nf{2sk`5UZmQ=A8j1A`8?)+eLcY4Gf9Eqo@
zHGGdN=`r+oXO_p(%WfI&HAVw=*!>X#KV7Fa5VJTlVVk=!6wgeQJZrk+nQ9@O?opWi
z2}fnHR_&=vGG)#53L@g)5EVI{^@SwNGyIm^!(xi8m=i<Iyy(e6DMleZBzf4piO1A_
z!b?ONh}!lScUPqa@;M$YviImuqa$TFw`p}HwaSNW(Q0t07!R&0oN#`8;>61EW@BhP
zv~<c6Na{SL$y{k|JroaV%pHT9dfeqoFmm9o4WB%@Hg?8I>F}lzy8O@9$WNr(q)=>5
zEG`R=jm6Kb<1s+zZxf^_o*XoFYQ>CGZ_;Z6-5H}>)u}dXQ%=26ul0A|r*0_LtgP+*
z_*Ff{bpsIvX%Mo0MK`?HO7KppH2oP;5~|3^_*5hNttka{qQ*~4s97rlcHKT{z4`*B
zMxhW?!gKxa?!X6wxq9<aQ_uwe$@?FiDa9E;h~&x5&~_uO^Uukp)aD=?B%i+N>+qk+
zUMMX&Cr$)dWit+O^0Cxx@!l%X<EZUc0e(6D{g?O)&8Oe~DZcoUE<AxJy5L0TA2h$G
zm}KxbPhUrt0DSd4S!U$N1X76fXl=MQ<M-A#zi<ip%h68q<k7X1*X+P+2gutfh|*}u
zoM^MwMOK9ob2EkYd1<DOze|y4lk!<r2244tW~R-^<Mzu_Qi8oTdxbj(w<`5+LrBcn
z9Et8g@6z4ds<A-E5^|4RRv!tuJW1V#^{{?gHTq51*te$3xpLXgr&mQL`aI@}m?VyO
z`aeEVNsUlx0eavc$gNP9GMfAd+8yA|r=DB8;`}_`sAP$!56?dH!-qp*=n4)|S_-Zh
zFb<Uma5W(<78@}95#PM@V>@fLogZ7e<YPN~j=ri;3aN93$1X}&%Lkg@#a~c$rq5~&
zpPd$zx~{F4O-x+2wTs?0iZ7@-l!Y#EubRSJRA10_X3JeUrB?NVO40+|)Bj0EiJFbM
zGbgtLez*(MbIU^_&NTl6o70Ez=bK9o8F7aKcjR9lqk2$!`nP157~$LSg3)acvw*gI
zE2Yw`PT&f(of%tS&Qma*g_m9U^M}&d)O;^}sJVpUlK^~HaeSn{OeA~~G{|Y9hV6JT
zbEvr#zjP>rO-71IzWG-u<fGxEn!yLx=sDpv5#vhpuM|$9`4<<f=u6F|htkdeU@&vj
zuM2C)@43$u<~k*1{G1T$7h)g$lSD_?^fSV#<S5Tacs^wZf#U-=!<53KtLd-i7Dz{-
z=@%g~+uzuJ`uYN1QGTh$bG@SGxE|GJ{~ZcicgJ}nBj??*Zr$zle*3!deJAwwov?3w
z{HhcC`cAxRyt;idou1rYtsFlA8^n)a)_ca?C+__88TI-ZpWb=m-DmXn6t`cyVZ$}s
zOQr4CY}jz^_TmZg@e}*&CyvMAULQDdJjQe?nI=l0w20c*<pubwhDSfFh0N+$$Q;Uz
zkYDy39U`AQx}l%^ThCG7NR~XoXjTC@%YkOfSu_*7fKBWbe1igC-%o_v2ZsnEZFx0F
zKU1chKNiB$Cr78q#^yWx!#;8qYr{98ZGH*g+IbstU6;pk5X}Gp=h!FRf~$FvqIn^!
zr~I7;RTlUX*hzj;%TJm)aBCeLbT8R=bYBbp2{?;0j0Vp@y?)PW0Hrb-z-JNMB`jxI
z$?wSrhlCnof93gQIv^h1zx9nWgj=6|;pk^^w)Jt}(T{OHeG}S_(}Je(8e!fouo-}0
z$ilw*<p;lIM3vf|f6M7H|7)O!{G^tjG;?69J6hm-kM1M;<T6fZzSDf0m9rGi*?WiF
zPx)&>pK_VaAeE19?F_ecfUN8~`VO%l{g+O1QRV2Z0~u1~aD|xQK^ElaaOWIM;6Q{s
zj#*{hKSn*?`1lRL>C%r9ih?&$r8cYacF#nnCpKVH1ow<I6U07tcC>lN0RF&T19!JX
z*X|Y94aNKR4xaVn6OMkH*mwN$<5vJqkpXWxo;!N)06(wzU&(HA5U@a^T$%vmnV`PI
zzogic9u*ayl{?R>ch}E3agEou_NMXp;I*ThpL^s$U%7U}!(Zfa<9*Y=!$-(VD9+ke
z!?{(<-FRn(Uo%(yg0ziC%|l$#h$$aW^^57gh%KZpD>O!@HJo*K+O-jla=0JD5j*2?
zF&(n1mBiI)G+On}e4*k^jEj0_%2QlxZSF}8rtOr@J=1@I`RV&uypyguaflZhFQq1A
zs~6nF6KPN+wsOoYCGjVZJhJSOM-qz0@Nh#hI6T~m*Wq=|gUy5ES6}~$Yp(gk^-@e&
z{0jOac@8ON$!cp&G~zXm<BVba>U((WZCp3Tui(=lZ(Pl6UikeigE0g!9^)`1&So&w
z1zdZqJ8V1-zlv|$ia89aJffm7Sd83*=w<Q+8bg=858|iME97N(|CprHkqEkj{2of%
ziPj4VmS%*s>sZ=SbR19HM+Weupog>oHuAZse}uIASXx+4yMXjS{OVspTC6Rt0crmX
zX?2#ybVXuE+sM1^V;J92;Z;qji2e1~rEgVaGd7U}@NEj+z~R-%0BS<HDs}j5c%S|`
zyg$a?1N0p^ntwstroRa9n|kT{iDVdmnfw4?BxIbfB+Kw;$kUKkk<+e+vTl{ilGDy7
zb^HYRF{I_>w9k+<zLNY0q}AlKr=i~em%I;Yy>i;SWGNmeFF{&KPJ3zEkHJG3($--+
zPy5bv8DGTGHgNjrn11KQe_(#s5mZ2RGzr$@4zNQnM*GpH&}%IoUP)PYCF+oQxSuBU
zOTr_~BL34+up6F=>`5itpV!0FKX9vrARQAj|G@n$uIFcV`3nFM`oIXA@>>Z{Q|u`U
ze_scGPs4o++>3DE3HP0lzZ;%U<qiyI@D<+kxR1^yd}sPzI={Av?|6Iqti8<tOX-W0
zdxpVgGnj1F9J||XTK+yj??$`L#P3_Aba<EUTcmWWnco`*yWL>4Svrk2o6+E~Wu*5L
ztY(YNW-(jOw3#jNW44`Tv#=jq^G8<rBmBvVud<r077P4po@#{zNVeh^Z0rg0?UM8D
z1t3<)VQaoUAFlLejIJ-83w@(U&@ZsQq^BH1_%;>8y?r;5fxBvt(Qhs#;MOOcw7@sk
z_HWF07CuG3cz$gk{pJypM<Ic*`Oqt9ey5aCfQ-)3^$C)H!*~eteGBlp=@|I%PYmfB
z`^Z4*u^NT_Cg5}JG4SEvm}8$RkT0h9v2T6``0QZ#Xps~L2h(gdupct(CrR%i;~R+P
zJB9S1yQ#cF={e^dFnloI*QsD`N|;YX3bhJM+(y)QpSR|`$VG~a$fi$zGI;K}6y6!+
zWpt}Bu>d^lhr_#d&xSqGvlM5Mcg{W6y?r}{x0Vc}CqZ_3P;nu8Sr4}#YRQ+b4@(QW
zR(TRkn3)6<rabYW&n!Af4eOmTH+{1>_!}99`LAq5@Rg%>_N4HYqIO27Rpbrytgr+*
zP;sF)FfV|I?l2D?G<Px%(7?;Q$&k-tbqhU0caA+LHSkE@aCjWyprUsK?jwr6VOsX(
zWHY*&9N=w<3cSf--r#E7NjCTPLY~XW&(Jl3b1@#l{DW(-j{FQhpmMhb7skpId*?9V
zJ<aNTGO43`K=#{Fa3R`j4@;r3Oi)KNb**MQ{2GK(IoTJpl8Rt-$DBZ9qfjB%crU5D
zGu>W|HRiWi{4uM>3-MBDIVX{RbT4`5BbQU*<x~tpx-V|QW4OZ}a=AkG4m?K8@jlY;
z&eVMNgx75LChWc%ErphI7I_675SCJ(x`k-e!OPLj)CY5>iBzLDp{y!oG6hvxfC)14
ziak<rYa*pmL_-fZV(|9>{5ynkWIZ-~!%RJ}T#ufJ8BgJ8+U~P<;3;B?^pIB^v7#$d
zF^B<+tH@*Hfh<^xx?xP!&WfpOZj<PAbptN4)bFH^PCxtZo8(Q@D|8|4g8Tt^%?9EO
zg`9AaH)mEv2+(gCIzXQ0=QA&U_Oh_Z*~>c}Ua!OM^*#ZY9iGWDpWW_jzod8^yUAPV
zP9ew2NiK}-M=x|2E6n5h0$j9k@)o>GkNnQ)^JU<{)nNY{7Un_B+fGgU5!244__GEQ
z>~IFxD#w>v14+`Kgt^O%qMH<Qj(}*8;C>0M5_T^D*ZL9Qc8t(jSMsH}+Gb4%MUsjG
zTs@`H0g^^%k^hkQrRlh3p+XkU5eqLkR_gT%y;=>N?#ZNkdeUGng?!#n$m<J9ZE!!x
z@e_n|{>$*wwOX29wm`t<@cYTjrBu39N~cOuuiNdVmjwR-7<ax&-ltk$`%D8J$O0G!
zvr2A5y^`P9M|$iBy^p{J-+Y>U4SiQQgMAa7b9yYNX8Uo|(r`D3MfIuMdiGoh7kT^6
z;Ei^;5Fh&*=x(Z)qxiyOv9v9QZ-=4qC}IFJ#YVlzd89#yz2GO=xc4fIdn*=zWj!{m
z3>)#Hd&sNjy0>j}p9`>lNutP4{x-*E0@KTgU5Yw3km%dJcLP0ofrdLd4L$P60C(=u
zLzpk(3{6iysc+++lj|Eu&m-Q0cDMjW8EAScr|E)y?N|U$+0(P_Lb%A+ZVcXOhYRs>
zqX))~e?)d9a;(gU+dC});A1jO_zQIIY!8eNvA$%oH{L#KkRCQfv=16wj(;8G_!4AB
z(S<NJE>aj@UD(M4c%)6Fldm%w-je97jJHS?<;lMz6Kex)s|~_DbhVnZKB>er7N464
zN~2pO)$vHf7BqxKY_mBW49+vaV`Jpc$iQP*cSv?#USNRO-i4qe8L%!LSFQ~@NkgG`
z1RR+>sVFiwyGo+x4@enR$iE>Y$3@Bcp}QuBmj+b)=59ey8Qo5EIZnz!Zx&l^qGLQV
z$i{Xq-(YO-VlZErR>Rpu-$3d)bGl+gT320PKKtzQ`%{G}$omB3T`uQkvq(Iz9rD^M
z%g-*C&wh65Yf}_1=(p?1n*h;`=EduP$p$u+U}c3s5uYIg#}^nrf5p$CTgiT8n8Wi_
zvb01Z)~wU0hC20PvWA~a>BmiOgWnQ&`f~v*gYnho2dFmvD$=tVP(8=9eFojCqT~|o
zk|?b84-E7tL!o4|NxJg+F3{4v-mpaT2c~mqC#!RK4v(o@^`L!0k~1P-ir)G4$@1in
z3a6dcf}sW&4*(2%8{JyniPH~0-3ecP{if4SE6Cq`gZpM^=X@jiQLE%{d9m<4{C{=|
znrn)|SOqZl&hyPsL*|`df3{Enet2`bg1SM<gKdt`2ft@La@KSW9hklw(khVluPp7r
zv;v(qeF)NOkoIF%ug^^T(MrIP(ivtI`3^mH>;*sKNj)n@`$o-RJ{qwMSJ(d{sT6HC
zs}R>j!r2Uk^&A;QJIL=iEIrpK^i+ViqIu1V7oPwqs~J2psEz^<WlAC10b~m=>M6qU
z>RcSJidx1joXK|iB5{VB!{$(J9n}N_fZYE+ysu7|(Jp{zL0Y-4d<KxMFv$l_Ipfv5
zt1lS!S{xRKA^+V>IyGc<)_kI<PiajEF<4o2Ccv^YSjKi(RHJP73HK#ydb?ZKAB_4f
zI%|h$$iJP<*yABjhqD(z!px4=%wYZm=8YoLUz{^1MUAtFs!!GY%WJPme0?p@<<jY=
zkXoMg$9&db5(vv~&;Q{UC!BEe&A>mWOo!0j)87I9sRRG~lJV5Z({6On^cNv52Wda!
zX*NiE9@2&&?J!GQI~_((0*Ao76{H=JY?kSb=<4a4AuR=IO(`Gx3VIT+kn%OJU^pHE
zSunz7LHl_}8d(+yUHssZZZ;=E<p9WoW|Ikl2ongbu7S3?3bXoB1+Gi;x95-Cv~%Z8
zh(KNw<b56q{3I#GtP`kI@^=YvroHqJuit+Adk;O7Tqn_V)3gIUKK%^xp-Cny2s@QY
z^2SBq=dm<puaA~rv%vjz^>Eko9Bz1a7oa4jp0#3nshNT%2U@c~Ud+1_8lp+K^Tnb^
z6vd+G6y3jCIpGcl-4iQS{mFFPYK^Cp{Stl$Nd~PWZv$t<=F0WCXCOcVP`Ay)s}icn
z|49aJVfas9pzXMQPry88ZOQFycu%r&e+DvX3$)|hm@*;@>7=sFuz5Ba8zL5+LetsN
zX+2cT<@G+T*?>t&p+vaZN8+&G_IpUr=a9A1nogo^FRH4!#(Bz-efy4_;@o-U%rlRW
zc$&^_r~A6Pm@nG&d1N{Il(1a(7nUN6bRvap1rZ*K%Eb3~IJlyxUc@+2N7j_S$Rk7?
z<k2F?E6(%7KXqGaven(X)AG+CZ-I{aEu>}TSLf?KRHzs^GF%7Z$f#P#v=vS@W3k;*
z;t1q+be+AMBSqe7MX|W%;^>)Yv|c27oI)z-Zb8*X521}70+*BX=mF$NEJBZDZe;8N
z8adJIbp8M?Gdz=lLxwkkqSY$4U-R1|f?8#_*6ik&Z9P_7>@2OheqLMb37>!CG1`Kc
zU7g=2SfF|tiOvNGVFfRg#gK`|&hE-{B)-Iv5{`4989mx+g4VsQ9kg;g=n6B|xsFeX
z9g7u2+E?4&&*g2feP|@Lq}2{<TeJ_pVL0Syy+HZ9pdIcK;(VsQhNy3ala=k~JKCs9
zu7S%2&jR0NV&wZ{oP5uZFw0jh!Y9qdMF?~kNypt$zZb9+(rwSixh?o+qRVJCilTzw
zFPq<*GrZ)JX*fea6`#t}e+Uf|b39LXa!mTLHr7IBd8^O|3xx+|1ZMc@23~$~;aQLW
z79w)Lu3%kYUbjAw&mU+#&(L9t#ZV8RE;JK?!O#*Zhb7%W#Y|a&dpg><=cAh<!wlO<
zVzIV6ai?OZ|M;=vgLB$Sm|C*LyKURg7w>Pca=aR7UgRXs<cH_m+Vc_Qwzm;4f?)Kd
z(8-FELnqxZw+Bw{^ekKE*?GmhPRQmoE+c*DUj#Fo(Fh<KoKDNVfXOV)QNd7<=Dev8
z-s3xY>}20A#VH$0r;xtzwr$}l@sjX)4CYlZ5A!qO5(YE75Lc)Vw`_D?SALRds{q=y
zcZ9c3Z4Yl(T<$+1LSA-n+2S5o2Dc|D{0_kRnl_xZsN+L%PJrNQ;e0~m+#<)>9XKb-
zaLxhFALBR|KLXBj6i4mh*@d+5-t6Df!rSHF6l>A?2ZG2ntpr*CUrq`N)(DrWoh0qn
ziGj4La#06}wwSs;XmW>mmDCZX1y;aFibNweuT_WSHu;`#J+teoA6~zYh={6H+Y7Z;
zcPQRbAL!wAHbj(0lg&)hfJHna;czk3{}Vz4a0sB<BK0TmEV3e{U6xw7Tlt>(Kzn;G
zD0y3CxmFR1IKn=U!Dvuq+Ma<#n>K~VmnF*JpJ{U_;uUrW+|CC2{2$>7hTGVO)8~JR
zXp3$)k!Z>p_PLD~vyf|h1}bjc=pI=crvre~p-gm{EGDOe(NS9C5QdO|Tug&7BE`)4
z9~@01XHUDV&COoyP$o82cd`|aqG0sIU9PytC=}U>$78-Ll0RV+Shj@UYV{{<eANTW
z=IaqJFe@&*kXB74y#N>Hfp9zdDu_U3*X$LF_>QjArDckOst6&?RRucBB@A5<J@Z61
zu@$RSVtlFMzf*7PLiIkSx+%Lzz0XZv@rnOYy)m!5TyL&1iF4|mI=!oRfqMJSjQ(-)
zdas81#+XOFhkJ#3SiSiICD&FwJj7mzl6<zz5a*D>qp^D;DfPgZ*&Ed?Op?z<C0SA?
z$)wF^)15b;JTh&7_9%p^3;F1}4$nu_#Y6FX7eiDgm)L1>hhmy~!{iDp=aVhiCTXl5
zt9CBykm+-Pem4tYWJW3GZ`Q%Jqz-;?Beg_BaCgHMhi6JZACJ$Gn!m8NaF32vBNkFn
z<O_woqChN>>T`-ntR;5}ZO^1`4aBV)S0>}qSmOcfO>ruW>~@88=Y9Na@;b<)ry0%#
zJ|itJ_Wf_*8>vLBLSC7NA7x&!Mk+5XCW>A+`{Q<vC!Gd{iTlkraap8{v%A<DU;1GD
zj3PDk&CH^*o$vVI3ZcDCOx9-Od}3h7*p9$X1qtK=CLyj$rqfAPTrdT4q|do_t+TPj
z=nj}W9l@ZZ(;RRc`S|iOj4w~KF|Ow$$#9O4k!z`zSqQ~v@WDGm+oraKwkycUh%&EC
zXR~RzjYv{@d`VASBZfkvCf>vFU~AOEGCrp=v)5ZG%PB6C>9(Wbwek0GCwV1tQt1`8
z$W8c~_P5yg!G&av^6-2>mcXTnKVzLxkMAme5dg6@$pX4epql_KD7(Pvulkk-+QIvz
z#l*+@wyFLA2KY5g#ABYQE0(xzmCVvnGORE-f{s+0R1^uDLzxF_7s@*x$~&X2JmWFT
z<HFiJuRN&G@JxB<4=sz&Ew2ZRIVkUZQbsol38Y6c-bW<9QuBV|W9J`85!TH7&<Y<E
z8T<a+8QO)rh$q?y;dEm`r{$T&`f^zv4)}c}L5v2iL3zdOu54$ryMXo`yA9e`RCycB
zTUn*EQkQhvJWCYy39~11UV7;W8ICI*wuGWW(kUR0K}Q<_AztSB$8LxAGI=}9FB2M~
zt<1*;mnP<x>7WgPP+MDwye*ssN$dyU3LZX|HNBV>JzLSdagi1n)mWTN0q!H;n?wD(
zLP}^9BQ%cB9|%i(VIYp*+bE7gY%hHjcT4`1u*c+sw)6y!BJ}?Q@KkBf0001Z0Zhsz
zSVVCU1n}9n|GQ@=xVyV2B9hREI~8~LOr}SuWcr8pLZWBf2HEu6nE_BB=Ma3~3_uH_
zn4vA$*rpXlIHJwJO#qEJrGrSs18rjjPqc$H>8D+UWRdofD!X)8j^%`oAWh4@EkH<H
zXo08Qv;|-LX#MacZQ$w*^aCz{dtIdkS*Dk^5HZWNqTL+Q=HDiO1#?FSQ5I;WZCnJV
zX$K9#YT89gaGds07hI>qniD*uBWQ51zAZqCC$u2JOQkI&d6l$&xS2MH^LpPqs}3Ev
zaUeRMaX}r_YYwe-dV;nU5wfs0rqj@AnU;x2q(IVkHs6{2&pk}EXE;59L2@|d@lDb0
zY3Q$`Yu1@3#ZfV0>=W7V^6@e(EbHr(ZI`(8b%=e4Cfg<dwa&SJJRa|MJ7wTzRUNwV
z-y`0+yylrrHg4f|5q##U=`4THVH0cnQOOBZ;}c)SFtg33HF2VfN%7?P?4)|~$pQ8R
z^X<V7Q+0Cw(#GV1=TF{OnjsX$lXb{-@LN7og?f1ZNoU^LkXNd8i;23Y?%%mv-2W=*
zK*c3CoTFLV&cwGIR^Ln9dCqIgFTBHzb%qk*emM@211yp2u<<!Mo7A^quFR(8GsREg
z`qfJ2>)y`SU?vsRVU>3#3f0!t)+fBZ@k<+pj4m&^>aAySzWn4c;-Ok7%aLLM8)7Bn
zt#Pecw3ek~hA)nvv&oNnpp)w8`kYj9tqQRjR~MIxzs_js67pSakQd`Q<N3p}=2Cy;
zlVe@#5x*+uPpcPmesw&X9Z%=wx#nudr`7bVoR`%Uw+lX=zTs!(^lZe|Ng3_CKH8KR
zb#-0eI=fV?t^Ibwyb4jQskgOTxtd$!n~iBuir&V~rG#oovrvf6p>=X^!q!Ibe8bn6
z2i^b)BapvHReifMx;1Hy?BClMG$u(tr}ntb07kpn?8Qdg=vMG8>68NXbWM>QHMFKo
zOcN^T2y1jBW8cenAsy2aaSO7LHKG$`$Q@3ml04P0M(SlZVq3!Um*8jUAJZ7Wo%|F$
zZqSrOcCh^|FYd^}e+_8{Yr=}O9ndb|>4onU2pzP{e~^ZDLlHQZZ;{&H2d;*^u)KmU
z2x<d+O9uA|{0qtQ2{JsR6RPOR0m2YJMBhG)AEGM6ozqL<n#c)DKES>L&W)xJ%^F@=
za`(uOQDxY$9@2eSJD|TMD?Te|Tc9o^{vIiK+(AzYoIlU>uqsX}Vz9FGYbm{iA6{j6
zu711YPI5;FCGG`o?thzxB%Z_T9@??QGj@p)xfZToxH<7wzs2T?jO5Sgk;49TK>hid
z%y_AXW{w!t>|h49)F~qtb=y}}dW9-WFC=eybt$>+E2F{s5@#j&{s8&%0AU2p;cUsY
z$YNpkwRiVD-eNhKf(3Sa@QoRH_n4lGoKX=ztPU`0=|WFg`j7-mNu3+mE5u(8On$yb
zOF5;#V6_?g#S$lzAz$_}Y3Z)!TR2bTj+<2E6{I;jTG0!fxWhWb@0g~zmvk<%6*Nqz
zIHz<b5v9nm33C?zH#ncc0w2M)<o45u{T=nfJ_+|AT1OqUElx0({52%|TODRv3F<yJ
zNlXo|m3XrB&&&60u*+14Poz$2In2iX%NiyE*5Rw$+Z#w*iS^_JmFar;`@q<RlXMP@
zexj@Dw`N95PKnk-@81if0DZ=3_WzyWcZ`(>#zrK@`4uf<v}jPd0k`}QHl%=p0001Z
z0c^`tz!(Go2EgyeY-?e*ooCx=_I}LBwv8>@wr4BX>}=z?d%u*(fBt$db@M;U-k79h
z%BMmqrcx@WN~)$>s;5S3rdDdF&OfhS>Zd^(rcoNFNt&ivn&;TGNXxWJ>$FMRv`hPR
zNXK+a=X6QebW8X2NYC_2@AOIE^h^H?$SHX&b2B@SXP^>FW{^@!E2FHP>}(gi+Rg6v
zu&2H3ovZC*U;EiVgY$<2@|Oc0<Y0$5H1jhga~zg=4tIodj&zix9izMoDypQiDypiM
zpH){wO|{fkM_u*Q*C30tAPY6jB8~E^#+qoVndXjloa3F~L?<~}3oW(MI%~DjRy*x=
z&@n@G(peW>vph?(G*4uhZo2ECr(SyNqpyDY8{m{&lP8_(G^abmK!Xf6#8ATwH^NAx
zj5a3gjWtezLPd&=H^D@cOwOvT$VyW(+*H#{H^Z6Ea<+4v>pbVXz=bYyu}fU)GMBr;
zm9BDiwz(#+xYl*9cY_<V(M@i4OSWW(TixdNjLe9P%9xCHhdVRYU1pl)Zuhv?eeU;w
z2R-Crk9agQJ?3#wcrxSir>Dfzp7E^bNMQ<6<oOhP!HZt<vRAz7HLrWao8I!acf9Mp
z{NjDH%`w+J^DVH@B8xL2<1^8cOtRE6%dN1|Dyy^F2R`(XkA31(pZVMu)>vy@)>&_Z
zjW*eAOD5ZDo9%Y^GE*}p(=sE|edTN4_||v6_k$n(<Y&M5HM8=R-~8?mfBKsscmNFJ
z0002^yV<O5+qP}nwj0%{t<<)e+O}<5v+n*A_y`~S#HT*<xi5U_tKfmJedAl-1(Ck@
zgCG6mXTOLMgax5NxR^nNSYnGKu6W{0AfZGOOCqUcl1m|_R8mVLt#s1M5ImPLh?Yra
zS!9(hcqF?Vat2R>mvYH1kG%59uYiIIDXfU1iYcyyl1eG9jIzopuY!sysjP~ss;RDq
znrf-7j=JipuYradX{?E+nrW_umRf18jkelpuY-;{>8y*cy6LWmo_gu6kG}fpFGQ#?
z;UWw$&>({iG1M@Th8tm|QAQhMtZ~MhV4_JTn_{YIri(JeOtZ{3$6WKwx4=S+EVjf_
z%PhCTN~^54##-yFx4}l6Y_`Q#(YD!chn;rWZI8Y7+3$dZ4ms?IqmDW5gp*D=?ToX|
zIq!mtF1hTAtFF23hMR7=?T)+dx$l989(nAEr$Llwo_pb?S6+MLt#{u0;8(x--5>t+
zm%shvU;h&X4*);_004mgwr$(CZQHhO+qP}nwr$(C>z@Du3WUId2r8K1LI^38(835S
zobV!uD3Zvch$@=sVu&f0*y4yQp7;_-D3QdHNGh4+Qb;M4)Y3>Ro%AxuD3i>x$SRxc
za>yx{-15jPpZp3asF1>nD5{v^N+_w6(#j~SoboEDsFKR6sH&RkYN)A}+UlsQp86V$
zy#;V2yV5Q=GalPxdu)%HnVFfHnVFfHnVA{K%*@Q#W@cu_HhX=}y|Hiqh<z_!sUoUM
zpITC6r!o~%D$}$i?mweT-Ly1man-au>yiDqBw@1cxGdw+{kSw`^X0fa=K~DYG`2Sw
z)jV}a7}YFsW(d_H^M*LpG=8)w)ja*gIMpn9<uKJE`x#l)G;T0i)jaJ$S=B6Q;fq1D
z9+;O+6DFFL|KZMMvy_d;Ws9757}n$1{%F?I)IDj|lf=16*0anz>Xzg9@v4^7^fT+0
zljOC_mb2_vY}ezs;cVB_v?FcTlcc3h*Rw1j_tSC0RM*pK#+CQeNy^s8lguB^Z^8V$
z-@kb_W>|5oVb@;-Tdqw2nzXiro2(pGtXncfQxTJED}EA+$5RTGF`m#Hj>S`nRB=8-
zB9hBj2$s?xkSmtSR|;3MKP1<8AXS(WQD_X7Dc83#RhUs(XbiV4)^|Z$ni62F4HPlY
z<;o=(Q>j~7LusszEjHCwURc_IbF7X|I@gwOoLj?std4I!)>gltUwyM$bvky;4ZuAA
z6T%MIiMB1s$GkutW}m!~w#`e(JVz{MpE#McEvnDFz&v7~`dVTw)QHjcdVxk|G+Yjq
zLunfsq_!&^*Sv&OX&YOpva3APyaHos8=bJWD_>i`gmGyb-?+4^eqF!%4x4V=hGv{@
z)Wmj}ZqfxBhyE=0CrA!)P!7IO4*5V%@2?QDhJI-X=Q&)AJ76#Sx}ccz0&U8D@=p6Y
zFQwxgsoH(wZ1cLPx#I%s%6;mU`}%K;=Q%>o3*e|LbbTaxtR(zZU>)1ZPNP6b9}w|O
zM{+oXaAU}c2s_+qr?dY=Z#-zJ^SqjBvwMRYs=W0=Jxf4<p3k<L&v2VZkgiWjpU;6E
z@qv2ZiSu?$!t**<?S0qI^L9ex^E%x95drr(Y#WKrqDOy<KoAdK{L3Hw8}8RQ;Vu9F
zj*+kTN=VY!9)H{tU4JON0$F}2f(qNd2;4kT{0RIq)4T}0qW_aT!p)bYAIC4ZtQ*HG
z*0didsP??2$j#-4q{u7L52yHB@UQl=A1lwz6DKdvD>E-E|68PPUY=j&erl2XR~X$Q
zuhcl*;%}j{x<!7a^Xge{zBKz;Uitq}H@dleU>N!(djG%jCqu7D%{arL%I#1?_dkD!
zQL=_!p^~zOL8a5;nr^-n^O}CSRnwYYv6l0iLABQ-$9Ap&499MXK{Ursfr2#0UWLPC
z`*xlLb^C6aMOFJwk%o2qUX{nC$M#<lY>(a2|0#R&Ww>8=%Wb+|cZzkqKS_RJf9q5K
zqH34pgO$g>(kDaj>rvr0(PZVN;R5$5_=a(l!y78A*C&K4pSaX<32oy(zP5Q&1?;#2
z!Fd@O=DsPN^1Ou7c^O;kx~aS(j8mi^EsT{XFD;ByW<N2Cl_O3wic?}<IfzxDZas)o
z;eJMvmBkA}l2fD`Op=u+D@>A8W;;-ll_UB(@u|eLupp~I)wm$1!u7y3ElUu^G^5Bc
z(KsznQTboRE=Q8(G^50_@i47G)A=x?!t)OOkAxSBfTNiFBLK~?{)-@reihXqied97
zf)xD<qJk8|#&3oR`n62mrq*7}|FfK5vuy5{zJWilTf_FasNebyPQ<=nLlDh=*n%L<
ze$c=$$$r!UMcuYvM^V*w*oI-<cF@Fe2}Z}q{|9XVRAJqLC-k95AcpgCKw*j#*e6l#
zc?Hh%GCIZAq4S0=2pZN)(>vAsKiK>=2iKK1;m0?SZ!g0sR)BNkHBG~{bj!6vcaaE9
z9hH(8r-(>|c{q0&)BkXqkz;804b3J3Xk28Us0gunJ}Wr^($%iiyeZPNX=Jmy1%i`Y
z_5X$wB}B<XVIlt|*Ox-9A&t6y!u0vi)F+xo4o+uJ<1JL@hRb`%#vqbu(iK6Hanw*j
zl4-(`0l+wJ=>SkFPz{s+zo1`x!FkiL_UpMz4_^qT^MKqirc0k#ai;T-+EJ!UuTYAn
z^Ptj_rc1w6^Sbk}7H}Q-FUbVc?2*WoN|p1K)rFO%wX@uz(YYP~4m2J2V`opOId3NQ
zoQVkF@wA#ksFhK`TZfiJ0VARgHV3vSKCq1+_TN|U?^$L&;}04ve7MrHvoDLD@is>f
z{;ozmy~uh}M7rywE2lFx+%5+)JN|_gK<!67Ob>&wI_BRBEq7|9={kKqEH$=nZqO2W
zP5YqKN)9pVY+pg<nVeH{iXS(s<q5MSQ<`-xq(w<17s?i_a&ZtJUz?r0`(RZIqzxt`
ze4YQNUYmWxttzS<^7WMk+_mx#_D-v{UGvyRt4TzuIcUjY#|DXgfcCmj&s5OO{$L|#
zXiBktJ9%VE8?$ybTiVx_q&Cc}MRC0fa4$W%-{N?A8p&qAjvHwgTCGWYbU&&L1O+FU
zHkc8>^p|S0@$az&=_WLP8@4v}y`E{uk`R|qcPY@qt;9t`ZLSlL*MMkmV$6@xHXVZ3
zynD4W2h2FFF<}WN8=zqMJE1$Yn_xXz+yt)=w|1vCOdHhtw4R;r<-P1hV`HY#Fw25x
zB-r{yf1GBshrO5Fm+7TLd9O*C`Ygn8H#hiqy*h^``?wf{3$^DLv13nASM4+blh*nJ
z4Xoa81yP)%qNni}+-{^@nl?C}R*QiZ9c3ds(&z)Zx5|gK_luqL5G_=c7g|Igo4u^h
z_g)Y7y1(V)zmC$aD@u#BX7Sh%IjO^`j(K6hX#F7o+nNluxnC`z-ezwbrMC*C6T>3|
zl0hKUHX%06NnO!0Blvl!OG>B3RX7#fei73KWLc|D`(gi%+|8Z^Ex4Lk3}9S>O`3!|
z`#Y<qe)6V#Vw@oYIcya-#hzw~UP$pEm?BU(&Mp<LtDnf;&*0jMA7=U3Es~Ccs|s^Z
z-BkrERJ%3yUZxpd=^bOUwojs=gnT6b27=oAb5>-@KYAG!lotN=@3$9MH(K8rOB$Q<
zy%X6DYsh^5-{mBm9n1?Rv9AnJ?9&0?BS*gZOr<G<&`Iio-HcHk(>8>${w}-wVTT&7
z{}Um#x0Tf#nw1;ApY3!=Zp%NK6<TPzmr9Q#U>^<i2{dmpU*WE)q!D$o5_M7LelCdn
zx883KwY%Il2)YVz{jc5_$G#mVKUEE0w_6VY{ZPHH2Cs{e`*UIjYM}OdzX|WAAouIQ
z4o>@-c4Ra(V4)vO%T9eUY%UbnasRjA>Dfs9MJ$8V9>hc2s*{Xq|NkPs9tw+ik#5<w
z(t2PHkL|B|y8KY9(|*+VxnBdQ7xjzS>lo?(DgB@CAT$8pgCKE3F0_^?RxPL%H#A4L
zt>;}%M(NAD%*w|`*+Xfg^j=EJ?aH{bB1S$MuMww@8%yJ9?MIb6nF&q%NmrtYr$c8V
z3eBsVQp_`cIc3+_qw+c?|N2e++@$@&rD|EbVM@fgeH_p}PK(+;Hi8hPaYHn4mD!L0
z-izBUMac3Yc}_#y2DB6DL3vg~&F0~ONZE$1^WZ@lLB^RW=GF5syUfC?x{4`Grvk@m
z&N=;EnXkR4sqn{d?kJ_}O8Z$H&nUm<<*G97=mh8CtlZ|jP4RSx;Yv<x>VtjZpp2ol
zwWv(OK{4s-eQT06JNx<Nud@R7<=pC@RZT;!s~>f8i~B}}fTi0<<!}~zm(KY7=7(b~
zt``flj;*8#3dR@NXdbJwlOy}iggu%%W@PsHr~V?$;!|LM?flZfjGM=2>8i>wl(i+w
z)NO*ddl9vvj@mn~rfu4$+HdKPWT7Ls4{wzUr@&Inh)(NpEtWxPmBB~CD1Uh$rb6b7
z;->jJvIh%|(<ZW{O~MmXofz*#;X(ye9L3t<rsV|krlMsHrDOT`vV#VBGF$dWCI$rc
zX^s?^O48s;(l+HpFN!feiZVTl)2|!6vgAei%^UTv*KINQ<flpLW-YFWAMQ8pu<lqf
zzn0G^XXB>+@Dwq!we!#M&(B2bbWfil{bQ7Xj1ZjaE8>d-F*lhpH@X(HZppT-h`&0&
zt+Bm3c+Lts>rr0@w-0wjJWOV_GZL=~){z4;9(h{3Z}pD@LY7_&u7(OcQ3SeC*E!!z
zc{-*>QzCjN`eU4%fG)QO`nGr1`B`UPQeB$=)Yp&ze>X)UCmoa&l@%~GB?`FDMtG3X
zTR>4}e#weY^;%kf_%B4YG+=3SJ@W-P!?f{)r3C~fU25dLn%w?d_Ptu}GHhj1{}_q_
zg999=Js>RY3m3_2H@W*y)`b?^`qV%Ljpa+<*w7^3YwyK}6yT+=h^E5w9J8U_ZKL{s
zf$cz8B_}@ymfwMTUoH##lql;BYRQ1MV*uA@`Azi`*jG=qIZBc)0|euWWtk8*DS^X`
z<{a#9_cu>&RWYv2D^wt=b+!(`$L2GV=jm!KL9L_hv?rQlLk{P&3e9G@7P_jIuG?Vl
ze9lgm1;`4N2?4SuyaCrG-sy|A?7J6-3%!kBTIYcerf&H&xk4e>Ai{i1D(t8dEqX)v
zEsKebMf&~GAV7uk|ALZV`Tj^4&X^<5>iK*TFkE1fsXrGA>i)^i$W5ofigdyhb&0cv
zCvF=>r}|G_Yc;>hTHzhSkrfq0Edcs_?iF8%q4u2V&jrn}&UWD#xDz+k$QC@V^GJ>;
zFe>(YR9eWg*4bXwK4=Ey-o~N|rhgi2$#MTLsQ*uX#d6Ia?<6cbw7TOlo$df(331ZD
zxnFgj=vM6UwnaF`(as1lAJanoTh|bI$)PxaOjuS5uaYhV>7)|fF*Vk0;@^f)JsbnR
zBh22}rqU9exwyorw7xv;Tx~9<x}FX1!P+EsdELr=yj)Hk=?E?a!T8et{yEKho7IBl
zXK)QvrCL<d@pOnTOa_-JO+0T>Hx~*pm{ZAdw7#NATRT&vxvh9@%KuH>iLGcc!9*@D
zU`7g3nD3YvOfL&2E^zRGK?`Dx`@7{ki!N9nFDk777|-6PAkS_D=V!;0-&K+i@ZhG#
zOxr5DoEDYa%3}+s4z?G@jv7MmMfyr*&4cFi^NAsH^NI7z0W>tfuWo!KQEN(6$9NGd
z3epyRyv3`svmM!m146m>y7%43#T8Dq&I3(IFfmIS^2UDIlDS98ROzv^@<YdI)nf`-
zx>(uEDVvJc+k|~d+tcW#%7)^GGFK&vm2!j2l8?+HF&=Vb%Z(<+`}51{D@nJv=Nk$4
z^Yd*^kYK#3xM3Jmm{S;Zm{b^5m{k~7STTG%ya)U%JUDy^ya@a-JPCX;yb1gfJPLeD
zXA9D}hjg6wYS^X7<}Vm5_l45v_L)tm4^OvtW%rRhM2~w%hEu0vcZ;2nnniD4Y|Gwn
z&bnWE4;lsLUKa{XuM+m;CLLP&Z>Zj5pE|XEKo%HKh@e`h^Yi|swJDua+zhku{?;vQ
zi0f2*URzw^I<=?bL*4*?%o%Zocyv$fHmSbd?SYhDB(6Go7yE&1AP<BfmG?&m=5a6b
z?>_Z5{mKMhM<Wj(uZ{pG4IEG^=DycnLrl7>edEHGLBLVpD~4oGD)PLrP06BAmqj?A
zA)U4qeMx`S>!Eoh3)K)%l+ku>DO3VnSWk+%X1qYHId#E3T~`1Dwn<&Nv<NNqDKQ=0
zO4f)e@|Q07kly{ZdDf8SGW+y+gW`s5_QtfTF$$TiW3xhVv+lQ$8xQ9n|J-{B%k>D$
z8eD!{9DX6?NL-kG_Wb)_6iNA)A~h9{<myY0`-g|J=K)eb5k>-6{IaLgMW<`BVCZO^
z_!yl9_MQfc{XV|tJQnkDgFsWvt^8UJHI#b<YYE%jrAnXIm*JzXs-3~&oJBgELpJPo
zC~Oxv90<TN7#nLXg`K_xHyX|JK-IwLX%g#Bz|}xkfb^-$bbrEUHxV=|sL3{_rmZ&>
zYG9+cS*o2Qg*~`1t>236gxN)5i5V_b&kE@`m&!IVWt2f}!$%Z@SE%zd#f`BFD%2in
zY?=s>IIny;<iQya+0CjWoh!s}1Ae-B3ACn}nwe#e2JUV)!{vLrBEp<?(kYS_Ed{T>
zbdQ9ULI7iFA~DsJSDL<=?5&Kg#mHw^71ujeE62zk@K$Bc!F*Yz|ACvJq*p**cFIdz
z)|rI)>VcbsG%5VlA+TwnMB<M3uKMT4jnAzoJz7&4U~y`T264?BijzwgKlW(1J&V=$
zhkMO;4O>VsTQKKs%*gE@lH2fr?exDc+duDhL7KJ^e{cUj?_opj1x@WCO66NT!({!=
zwd_m93JStHcL0{NbO;mizfkOs9Y8?k&idDMQx{yg|7*%BOp8JN#dF{2DcNFGX|R_4
zzn}lE2M1aHqMTHdOODUS<IC{WN4o?L+$X#qvMA&LFCta{gD3?GTFPqJw(V=7PO+HU
zW=t197`uG^SPILNa{5`o6(?x<Z-r`cj!m@gNEx(ZRis?yBnWTA0HxQ8;@M8K;`zW3
z$@NU@ivxDBod7%ZwH)i6Rc+xdnMz3_<^{s4>v?CDl{i~z5^PI#bT0KKi1HnzkVS%n
zLcw6oJS)nn%H}MHCR?4X@t5k(qF#Y;=8mK{JABXRd6he4nsxebx8ab-R3IhIzyDNI
z+_@SVWp_2<R#T5qfi!%EBEYI;b%fbuOdr3nv#R(TE2pUiq2(Im8poz7eSM&Xex<~T
z(3MC_<C=6o^TnraT95%r-U(g+?pOL5|Nj<{bf6Dd_^rs`<6r{#Mu#BF@Q2~oSMoCi
z)Bj3F4EoG-nE+iT5SN{G$4ZQqqD-GV<f$(QNADzL*pawkUkj*Iz>*7v*3Vx`_MzM_
zr^Verg2E9g<jN#lA(P4!%jL?YJHevT8%!69v_h(?F8JB3QGfN=wmLbcc_c*luv%hX
zas;Na$>^xPZf!&hY?-UDr(H~!+7f3%q4X8n5@|xQ^i|rDtV6-}<zEwWLecb<UlVsg
z;q;mCe>hgV?CQ?!kVY?NUQ416ry^wI8FcK*ur3g@J~<I<lI&VX$B5F)R_VfzGexRa
z>DRf|3VdD-Ki#?xceg&h-@~)q<a%+tzCGD_-MHfNY+8)#07+!%B<i2-JY779qbC0j
zV?tTh7+s6D58<6?)sk!xW)D&9<+!0u(qPBbyY3d?TJ<iM_P|qA)b=7<A?uK5@g0>v
zuM>FF-?52wh?8JI53$|rZ`34;wX1R1sKLZg8{To99^!7w6V5GffyczS*w6qQypmV%
zq$rKT7sI{6=v9!8qFG`B7=)3vzUnQ-*_y>hwV5H3Fp*nLf|{jXA?P*W{rJ{sQPYnt
zk~z>d1g3FblX3uORkNu3Qu{#6oqzhftZYrWv$s{88db4%J$DQVOsNWReHDk7US4k1
zai)%@*l!U)zVrny=8idifh?pHGM>Cn^eq@WnS4oiXx7XbP-xZ+Ow7yrAzU!5yM*o$
z-yJAx0JimCVE|e*<aIC<TfdsM8xZ@AjCHuI8-ex68rsUzlEFbUFl+T_@#biOH01?!
zdX;==us|x$o?YY$2*0}^g;7yDTOwCx>eiy(6_QF0bd|GMB-ftzF9TJgNVCD9F$a*`
z<PCYk|NEk^Hr5!fL}j8D`cTKp)2w8vgc%Cr#aydYi#d@jQP;SzIp^gmE5lN_aIsT`
z=fs9wY?uB4GAVq)@U^V=b$$Q*{Px53JM<LDJgUkc-kshq>HjQXZfrGO1PnDz46(sj
ztTnB1JY^^6;n!9Ed2CNroGz|)iPDUaNg#hN5aTMPS1Q`mls}+y!|;jI5pv?#zy{89
z4c@DAB|ne4)8EbAGj=G_436K^KUPmuT)TH>XK_;LY8M$T7g?Q0&dUK%PT)PoQuf5P
z!pfZptQS*moV>8MW@N4z-r>6!t8X;kk$tAS1*87d8*1pP*3{QuM7FP3yT)P#4lmcb
z#%B>47q6HBXlkGc>m|<NI{?)E6z7l~lU4l~=U^Qx)<bI-&K<*-JDaZ;-k#Igh>ao_
za-Qqh!z34Co}1ajnB%>k<HPzCL+Ir@Rqo}(#y-3NoZAq=cQ~J)Ilv>LJItwGe40La
znn7fnoraCI+PU_csaM+`aNAhez8!8%k!MrPt3A6snW2L&OqM5M&#A3`*mr@q0iNEe
zH;1>??jf6Zjkgt_A)Ytbx3y2W3DJAXoyC>K7MCU#>@2JR6C;zI@N=m*?pHp>i&*C#
zg1NXaLt?ZmNf&+TvEEh15P{i0nAyVH$Bf9s#SpAyQbVO?<kB*8cE;&J4zrk=$;mt6
z4e%<(3oXo*gAZn%rj|Hsd)c)lmpHF`-|ebgGjU|L6=uk&iNR|<zL|gz_PUy428#^9
zxhi4?4G++{YGTHa42rpmXZjZpnz;&R`k4%>xk_gS91TCa>S>0e3>&#htoz3d89XU+
z22BmrKY8x!YVYguA?nH@>WL-lswL_PDe5XI>PgM(YR&5jFzPBW>OuMBeS);kB(45q
z2eZBe8jIkD40a9NbS>Z*CB}<179d7gFPzq`cZe16Up!ymrWVp0+_4U-zr4JpR+Xwe
z({*62xPrL^bbgQzw!Y3he7UweTf!=R>kmu~wR9vT;w#+<-+L$X7@#SZE&wwqicaSZ
z3+peEDT+%J7gSUT=#1(}thVnKOu+?>_af$aF2Qvp+{fhs^*L)pw3nx9OXg2pY;Ev}
zO?Q;Khm{}Je)q;MaP7{1_g7rynPCt$fVgWzL(G-EC5@6SlX8j|IoZ#%gd~ZfACY2H
zOywLSgguZabW0RklEp@nbL=ZAO*r|<30|#gPu{?Xa^J6s>OUjaUnIRPT!TRwq_A!8
z3hoJ`+~ajUUjUIn917i*i*wlbC$dkt2GkPDU~Xsvn`p2G{2Ua)7MC*Uz?KygdKdvN
z;o^!JN{kfr%8T7d_V80GW#-evQxFJix{>b`vPh-QVrn(5p5G|{Wf_+B1F?YgEA9(o
zKK!XbfEj7jpt)|k_;PV3-Z{gMQLp;_59+>6YeL}6S2%Hd9kG)N4-po4{4x9BelEzp
zpnQT}Y3L#4D$N&V@+d;_k3As#Ri~gN%u8sxYRKnYV<7aSJu^64A9M>^^G@`-6bDxe
zEbKmg<ql^u$(>_X+60svTlJ2V<uw(%Pl~nCo3An&Ptn1`iOCa@w}1t-%?{+(A@pr7
zPv4jupeKLxO6J5-3v82Lo7N7!7*a;dz>q5<XOW+XI)S%WfmHms24Mlx0kb)QS+9$j
zhF2sPd_t2vAeeDCbl^FV@P3tvQ*-KfvOU@;+~ne<<;Iv{hh$tDy$bTUxEcw|h?RW|
zXTb)^KAT(67B2Db_`rEX!E>ERJye#`NZRpL5<xnsTlBdfP3hgXrQ~Kz`6(~L3tczV
zWzd;X*bCNVw2%o8Cqzu156P|OzDjPwlxj@Sc~B57Mgof6<ImfrYs5DsWBOPX{38OM
zXiw-4l&nfyvNzN&YP5m#?K$)B>?U+L{?4vkFGq3Uyf|;5FF3f>!XL`%7LR?D5^cVk
zC~gq;f1HD$_22-*0Fsd+&)>~|R2oWB!x~%CAwyfHd@6=!saHirjy1}P7#zcb7<_Du
zm_)0nDkv-IhsN^Evoa^^8<Fi{D`)~(Zm2v_czR%`sl6l163WYZZK}yOSbD}RVl}mn
zp2Y2`o{3cW;Tspj8<J8HB{bnZC2PokQt-tbo_6R=H4dirT3$n_RdnvZ;1b7&gs%94
zUYpc_0s@|GQO~W#Bx1*PEgX~aWPF!;SuKA@<l?OAp^Vrj5xs|E`cg}n=~c2`Mx6_F
zlbl0>_aQ&cQ}vky$Ki<Z{9Nj9;S3g0Jb`DYQ~hNVWOgm};KI`{G%Gg2H|fv3ybH^{
z5T*AgOUdUFVG=GiYLsF`Z(m>pBrc{;#@hlEuO6>;U>2sjBs+=CRP2?~<)@2ajXdXQ
zw=|lNYEC<q%d)d8?G6cE-mft+yl{B}b3Q9F;X%aWpH2Gck*|N~VEwI+eS?WELfU7-
zaC7`cX2=@WKZYK?Tmd(V5uqp_<K`eDt#HlTO_+Q7(GLFL4s0>|H=IExx0>1j3OB5+
zp5_~_w?AKU`-b9F!+n9-TV~3;FG+JS<jLYAPUZ&mLtS*XRUC6S&UarzRe{S4zw(LM
zj7H1x(V`Qm!LC+ny=PChL&`(a=~&gBI40Xk+>=DFj&p#R6CXyuu-XC%%nst1Oew5W
zuWsjKJ|@^GSlYw`juN;pDBSvY3=OU;Z|?Ng34B?08>Y0ypp3&kD`Ur*vk|1o3nrfu
zT=my#7cV95g~L`!^WaN7SXUPs!XqqrN&vtte}eZG)npS@@=^zE%&7gK$yfMM9h9)`
zL>rx^G*X$1!LEx!Y70$F(`)Wnr$=r1YtHVGU#jWQbDyn7OUg>0InKo3R_<8DL|97j
z&LFt~CyU0GIq(hZR&_rdU4YA9T1FM}DuiuRM5Pt^etupqBlnY)eF|437G#8{H)bc{
zxZD3o0X(bqSTp90%KqnKu(K+P36D?}tb(43>d!k}$lnGZxVOCfII&Pv&6BI}PX=3H
zj*t`z8|qC?Pc~9dWC9ex<}T>e&=|P8l)6mSO#6((u;cZ~h0}gd`FGXz(@JF@3sZ~x
z=F3zW=StdzeBya=D;celKzF&%@+}INUZZ43DEr^s-(T~5FqQM`A(7RsOV{NeG-8lm
zI<M$F6Hes(!4#eshF^bEHx`7A*e!!*VZ<Kwz^nf3r`3N}&Y+U;xf}Q0e9fssq#r5A
z_=u@VB!8m6X@}i$nRAb}*T4?zUaS6Kj*Xu;IGHlc9E~(WHu2J@X@qT*X{2eWZnCM_
zGW^{19*jE~aZY3<=169@cIen+J(P4ppY&zeTA5(mZ0&uHuOItEV17>@jIIz>I3zVh
zFk~^rG2}5sB3vkEgh}7UB8_?^NrzQ5{5$p8c)7x)iFPfWu6{W(gJGieP~V}jb+n`3
z6W}?tuCJU*qDig7r4nY*a0a$yP{pE|(+blvx1r~P0u%*$0ue5;F3DxMrYNU8r{t&1
zrx>!QINLd2IYl};I|MovI_o>mI)JV@cgn6nw;0#zCwVVsovP}z>Zs}zn*y7<E3hqx
zE~_q}C%7lcTkD7MM~hFcPvIxm=ThPr7HJHJd@6_8AZd){dUVHncBXq#VRo1uNoDHc
zWH)gGcAtgDm-*|bg~=dila;Zm!|HQMvvc)Tt<}WXXsuO-i*kD{!$?ABK)20>^Yx*|
zVn`M(!*j_+&UV6IcEed0e!Z9MDv4PIx>ui%NeBUbFI42U{_AB7VfCtLsvW<lSP{-c
z2$|<f1MlIh(!YyM?5AeAam49nVGpCv%ki4q_$e)t$(oj8DZ^j7-BM<$mdUwrZFv&L
zxjqDEsQ5&080$c_f{ZfyB8VvaA-351aX!n(eRrmIoKv)qb%<f+MbeHLil0w)Bu{p~
zGQD2_`zDoy^T4MIbfYSTNCdX?enuuzOAHrJ0GsR?QC1XgFi}<<?Lbjh3@O0>6B?~g
zHkd9GF47P&AFW??h%OsK(hxo&txvItE(;A{h+Lo6uL;Z;_C&6U6{0LkpJG2`;vPPF
z{-Luk;h9!_t<*KN^bEGOui=@o<QBl<7SZe$;^G!VM0sFKDjIE@Xt3URfemyUk<h;3
z?k)!F21~>HZG_s7)+;JZmrfUHgt?d2BS=h_MkZ;5K9|-jX-t>F1~9_DQ|sYJu4N@G
zYh>FPa(1rC;5v`WIx%v%ijplW1G@ump30Xtk~cC)hQ9lhO}izd1ipRskFMNduBMlb
zrDc@L+99NUeXkp6r1FH-T^y_qEX&UZLpRGyLvGvPkch^1KgrKQ<w)S=59XA=CCiP)
z4=4MZNIzDZ8&CeBlVs%tU~Z}p$U4_&2@&wN56s8h>j-o8i_qMq$BG^gZ;dskujNUQ
z`HmC$ekiWe79B-bl(B*iIcsHU0^YvTzqy>@t#j!8btqmt%qpm@p(gOXw)@(b(@U7x
z=PgCefPHM1)UM%ytjoTUrn~p!lUt?kZ?rqQX+fB=x~Wqo^Xf@%g7uNn=!^i3*FA!P
z1H9-+tcW-_D5AU|9Z{mZFdLGh{9v)y`(4o;D7AgqxMuS^X!qYJ=enjNeXkeiH=!38
z3DqgErXkC=sEc!57LTXPoG#O5?bHNqhy%TC9?7$<4`8*C4%P$Xv?#(v!@yRXzLzNE
z5bG_Inj1cX7QGzGeZ1wqzx$j_z`cT7NmEBJU8O$8h2ykXvqRnf@!u5gm#|uD2tvaV
z0-~HBkYstO@Zx0onULhAyPxx2zxU%Cci9)~{h}=O8A9HZadt?DS#8$-(^Z!!l(*nT
zQUiUCuh;^mhUaqs^c9QvG|aM1S(Buy*$M>1$ecmL$Q5I4rPunghNWrzkY?^G#D3*%
z8)umg>dW0KF=Vr|Nzh?Gt%E!!DXX!uF+FH_UnCF1zZdw2?@GAmqS&o=gUN~F!m~9c
z#TO{=#nJw*4QwdL!b%~KV@qR_4;{e6BkBH-=+N|rXs7q2J7@&1)HW8ogpDu2PQ=`Q
zufqOgLP=e$;gb@$kI5!R%yz-PyIx>MQrYcHPg@3L2PN&(>s*R5?fvr2Ox$LN<%m%@
zXytEg<`}b}(>~m9nF^J168c<pi4wrE%WOXS1%-t=>>oGT1`Ai@nTf#z*me<fe}y;|
zn0J8yj_7h!CT$W`D>07JTB7@$5UWO8i1$cxOu1&<*C<+<R|Oe`8I@0t&6GUdsmX;0
zobr9uAD|i2%hiygcTBsgf=;{VTe01OxjHWCor!A0hgABYP$Ae<M&x#FO+MEYI-B1j
zf?BYvG94<M6C2%E<dG^XWwnai)F(RS*qB8@hGE4z2PUHI6I&syljkO=BAe+qiA8QK
zS-Id1A_e$W&#dD&FKXrAStl}}8Wf!lv1crdnT$)pjMH9>TMq%|M&QKqx|c-gw#kCy
ze?g6dHVu^NtLnO_>y_trs?AXrEJ0PJkuXcR&3#WLP?@xpLFPHl(HENC0+`&$0{FFi
z%hVLR#ijBNEf;=n6x#0F7T6V>Tr#x8J1&JVm@Lvpf9c#C+alYjsn|LuNhOmmzTRdH
z*mN$zM|iV^c(bK~7C|V%mf3~@05x>zeUcYiz092}Lx~Sd)}sQf#7~jSIB{O0c{s(b
zveKJ3dutqXFeU;yW6~s(lF6&SoxKsUmQ0;;uy|aSpmgDhzlX<{u&nY$&@LP|FkU6=
zMs;m44eBD03(Z@CZNeuB5R+hLj?80jlf-PJD}a_Hy9`N3XWA~%i+B6PyYIU=CT~CY
zP|&&up0r9`x<ZajTz!V0uMP^1TGdBh^O3QgB5ytug+Eg0DHySgdn8jq@AU9G5|R*{
zwu*o)IP(p!Afk15QOCJvvwT-7vKkDAs$6wx?;qob;w@m-AspLF?%mH+-M2V9G%wP3
zGDAN7K8<VZ<?n~w_pdwOkH4mqe%i+Y-l)EOqJ06e{&>r<{jtFyv3`{MxVq5-w2+{r
z=Cc;T$f@5D^x!3f$!L+H{p%mHHYtZzXu%KrI8$Mvbnz(t2Wx&N_tC4uQ0Nj>_%GCe
zE%vdi!eZzWSo%-YXtZ~7)u24`Q8e&zIQG0YY<ci_e&hayGy8FE_ku&WskM6G#0Po1
z`oId8UFsg=8vKrYfvXNz8R~ouaT}qOy}S1nJhy>UW%=5X8OJZCcWEc%+NzZ1?D2`!
zfrn4ZMp0sS;Sq^j{7xozCvfjrDs!-pZgRP^4`R^~%b*h`1cNCe9hT+nuWf`ekv~BM
zdhTNg1}etFa9n>JLV)|P1rl`3F!9h|Satw~X2nU;ziQ1+(e?)lT(PWNPl6yFU6l&e
zF7XV35oq5~x{Vi=0g+CS_cnL^O&l1N0EWQ6NufmU(Teg_3P@w33S*_pg`HajN{dJP
zO~?z*EB5EZ^s!f!=!y<C7>fIL=TEgl0cTkCfF|TA>WSrItBj%%>}`m&+Ns%*r>dZG
z#fJtMTcd&*%EEFZ`+t5?(j0GxB>j3n)F=|o>`~Zzo)A`)R2$_QGGJwORGtGzaQoon
zna>B`AvA}6{m5jo6>?ywW61q+R-mFe|2!sh&Jz3LuFk(3R#I)Y$(Bf?N^}>+dSjdz
zUsS+{&R7n5F-Q5tv=yOa_tY3o;(cQCQ0*>rP{x=o;GOHJAoqhx?B0wulLjSdvfFNk
z<%2+E-07Fp;xpCDbJk{YcLKz1x~Ew#&%VafxyAk5>ljSWjo#xVLz@+aL=R99n_ND*
z$+?ozWbIyiYGu=drW?5R_+H-$-1M-SdzDO&DRxcYLu9MX7wd>W4@8sL4TVHw6%_o{
zv@HvgV^ipn&8rFe2O>T`%iif*7dU^9Me~*mTR$246Qy~nuu%8SL+W2K!7O5IC(p@I
zhi|4Qt#R`hhikfP4{-d5)uD!hRr<2%2t}tZW3j%#?eRPK>$K#nJ!LWn3K6wrl=?a~
z6Sq4I{NzG_oZIC0oUPqBK%rZaH^DznfxlrR6>glls@eaN!|tqiYR)4OOx(>XTs(VC
z^2ja}0*yhZS~0+lJ;JM@o&v$8rC@bHst4FJ%hdDcij3O5LOSGeMzyoRUZQ|j7PsI6
z5q2n)pVV^{)Oz}h|61_a9<bwmXP~@o-G80Z!it|jiX{|Cg2!(S_kBIUc#8dnvkQ_}
zqgI@^73zKJ1hqcy|0~9Fp&|2`OA2m=0g92W9}T(1rJj(3PtB;*jO$g=P?q%UG&}hR
zuSdiOht@d1+tXPz`S-5fT|P44GuT}R)w*$;%F1sY;eFgWjHCF(M&oQ&PwRbmuBzF7
zJT}Gx?U)GL2Ht9kTm5M3%;AIBMd$V<lLT#?)%i~&-tCGrr|)c<R~!Xx7cJ*Y>2CVn
zotIfqcVuo|Jy4zAqT0Tks0o`p#^n>Holvr))hiT~t#_!{5`u!R8BX{!E)J?)-glCu
z2G5ScL6)yHR#Zl7>ik^QVSjWs?6Iv@<-gUv_N%{y30yjPT)9v5VT(?7VGMV946A==
zZfBf<5jYxmM1HzC!n$9iX;+Ks;Z6>J&x_Pv`mM~(ais1in<Hyjg>=22?&BSFj^MTi
z>^>`a^Yx6W_Xi(v)g;{JYwhdd5;GGvYL;6pC9Bj<fy1XBFOY<nHA#asaaj?t4VUG?
z$lTv>x04rq91p}?CQUjZh6@m2sgov55L8z$l#--;HN9gTW)%wR_e^#*P1KPX$N-P)
zBC{{&Sx17gqD^(02L{VX4aw1DNRB)W;mM0H76jc$k2@(F^i2?Wv3%FF1I#A7a>Zy6
zB8$t%TRb>G5l`G@yaaRmr4~b&+C(v*4L-MGNj(TN6@uqZLekmsTM17jz=VQuQ>^(O
zL>q~`=H^%<+lVXs(eMY<^t3^Qnobkz)A<b8iyR2u;;+7x`sRqLadXEtRnexh3~613
zwgKlR)q$TQs-1i6FMM#Evd_vq4qY@qY+`M;SiAUOMkNTrT~T=!WH{uFs7kj4f%e|@
zZ@zE2y`R%b1RDwUIW^y`KEC};M9dLpo>~RQa8TuS*qvh^vzj{-gDbjHY&vTmB9OV)
zkF*BLgSIJypoc>>25xrnUp+xLvQTJANl<&HGk;7reFX}6BxprARy|F4;)$MFhB6zO
zFlce{#^I);#L2veVAQNWa;fXQ`SN?NluhfX@pyC{n}TraViW(P=OB<JO4VJY1-$D}
zu<qcdKxc_9;zo56otyO8w$d|Blgn22M2Xr~&lLT0Q$XzKIQOvmbrv)1w&zl?{+@!b
zcy~zsS-oUz;k`dF+sX2Nn#uOSSNv<6p>Xl{9X-AgP-T`NqA58XSk5sm=!R*bSrA7i
zan><2l6cZ*iM1(+Q)L?*+=X{4u(Wk#Sn!Cvpfa(vq<+h|D&(p(wV6OpMGX%(Z5$LX
zIfj=N1eeq$z@O9_s5U;eU|q(kb&%0B+C{-Q=T4k5zpLz^E;JuhcJe;xyP){2KLo9_
z5H$pktYb0d)}jpg?aF>eNUWgpmqIjbSz{FJgLFStlzx|p+ivv}DG5vTltW++Lg8Sh
zTox;0uUflnwWF?Jx0z{sN}7q?nHS~`2<BmDhZdr1d};*eh`!%QrKq6Yn2DV#eZp_Z
zSIii6K@;qRvqa(jEf%(hmTHZA8&%p?liL|rJC3FVY3yw>IO8N4E<CVXw}b^W)4!a7
zu}0{Yz|q9Id_ZV>H5dA2%Rt-gd$NAH_c%JA9gXxP)&Xax{zjvrobWYcn*o1S0tos6
zoJn+IoFIf*A#JH(zr5QTzOs9h)5P79W*-;I)J)vx2+rDWI-kp=%)WX3TateJ$j7AX
ztqhsg9VM)dj#S|4B|+88!R0B<AG!YgaGS-xVfQ*QZ?SA(3ivO128{H$HZ_>Gc6_(m
zrq2u^KLzp11!OZ@^I8}5P?<z`m&8c*`c#?35*e#~A$jp^+A*U+v7{&`rkFJo4!0UZ
zmEv6&L(Y>nb)_NoyrQd<aJQ#undgeyA+r@|)RZnhlhtOs+R@NRq@J?4T{xQ-B;jMz
zwJ5=tf&h9vma?e4#8NSDHJ~$Lat-%hVT%jvD&FQKT@vM?hRwPpBO&bLxT(pdsd~j|
zjZ5diQ0lDi;C1tj_DwYUrzq3HV(5Y353DQOqxB{V)vOSsLkF(uVJWLYd*jQUYSvyz
z2gdvAGP$A8-i=+~d_`3~$QT4bnQ+s{*CvD;ZJef~;}Zh*9;u66A{t8o&fFOetyL#e
zqs~r*LUwnCdy)AP#v7K*(5KU_uv@)n4l3=HyTqhA={M`k%@UtMGdt$y_cA?G&a{u1
zCbx0J*+alW-$|BLUKn^!`z{9zfC>MQs_W8;LN3g?TvF+#WuH<Eym<~mzcLC#Mw=tT
zo>m~y&C6^!t!+N+{uG^~=&f<Q&8st#D88irCG{As``c8<@MB1i*<L~h8_vG0UAJ)#
zrjD0C`T^aj5y^^VxIAFe^}3+y#R;F<{C=2-y0(mcNC86Gt8wx}?qQ<(7EuarAwf|<
ze`u&b)#>a+(v4$sK7WI<2P{Enhp=JQnTL+*Z0aQ1Ayd~Y<GlK2tV}1xsQY4y`Vxh_
zoSL!R20I1forCbTLQ`sc|L9>I*gbnwx>sSLgP(WLjg#yW+f-Iz-5GP|=B~ebXwG9b
zF)^<i?%a^+y?1r2gEle0A`%};-LH3@b-wALC{hj!W#wyQx*RAe4xuBg_=&VYVtH>t
zNbvK8ISb?mzaud`xohR#jkJudGQEo-@2G73@@=Q}e6@w<+F4;{k+()jzPHwz;WdzJ
zRRtlWxb_DPGwT6LU15m3BPh1aGvv_x<C8M7A?B74^?C6mLI({|ITpeED?heT+^>z&
zs=YbU$Gk4S{ID(Y9>f^?l+&K0#LE+eOu}XFL-c~U7$-Hjj?AgZa>pF8jv)X16~B83
z%|kNuOSUujE?t+>drk!=3J&;(f}k@Gh~_=6xTXuJD(0k3SpS$^{3E2|ADo@ogz_&1
zcO~<`%<4w;W$fmc-qxF~XIHmglXyD#x}*u13>FIp(5+hAbTx%TZ%XZC;B(mOQQ*>r
z>moD}<@9F`6ybB+>H?b43sv(bDkRB`xugUL7`CK>TutrrKNeekY|3Z%_55p@_VR=v
zpafkaM}2i!?_I;oh-dPini|;+_B1-aF9bz?1s@gs^pz3ppMEG?AxQJx!HF<CEpcQ^
zQ&ay*tua)R%;Z0-77e*lWQq>K%p5-$Jqudd+bO(ysk#SC!d{;+f@DSB)JO^EyeYY6
zF3T9DU13z1=w$Njo}cL6Lzbg!%l>!Ws)RQ}-P|f?%o}()Gz*ue^u{aS=D{)ex0GX>
zi-m;5%HwMpp)0NZ)j1xM@w9W|)R*C4Xk3<(%EgdP-@}DPbT8rEXKl@!QD^Xpx(7Zx
zx`Sk|bAVC)3LEs$b4-q;ZS{p&X;J6c05*lj10p)FCY>p~0(t0qVcvlz!u!!=P&Ygs
z3t=;9FT#>A(?A}6Bz&ZCYiA8u>a+Nb>98e)4SR=c%_NM6QGGMfxQt^r57{zsGT^QB
z7mi5Iqz}C8j&iiATlUl~bz?DR%2h6Tb3r~OtKP8cC;r=SDYpibXW|CUt}R!bRmL#0
zS;ll@_)Z}Lo&FvDvEkwi+r@mOX6=TG`}4?O(2L=+4*IL3Fj&P9gf|*mUOTRXuB;YQ
zmI>lJbWUaTD`C!(dCkhHji`KB8?UF9KPVVW3tBb7U}Hi{*-kwrSg22o&B+`#Iznnj
zK4gsLoxcO6M2wj^@evXQw7l+zWD)W@iwE5(5@;PdlV8GQh&R2H<N7?1R{?8_ztbX+
zt_kf}Z!i?4pi<a5vtu2eG;`BAMGR!s00Z~(IO%}0LB+}|^l9=#yzLF+;xWp<r6FsJ
zU1OC$tIib+Hj)U)t&MdWk#wXw$J>uMun`b~^6zNho-l^lq9iY!DU#$l-EcOQ5u;b`
zZffH838F25$hY4Z6iwO8=#Q_V%2vnUOcz+LYY7iGvYO9+3o_c*NUu!_Md5q+gUO}5
zuN8ja-zBImsnWkWGNN7J%`nb23#OB0G_vlx%l3^&6G;qR@#=Td#)-HxrlsiX=7SLj
zqo1(aJqU>+PfLucxnY>Xl7uI}ILF|~eP%n9arOpPp>N*O+WXXeNQw(##h}I{sM*au
zNrrvD%qwzSaY#;vQidFCZYwf}g;UD6$Uf>gM<cDYAe1YaiUPQ^5T9wf$Q|_gX-)LF
z_NrGWj5N%6hJ`Or{-7WOKys8P#?l;TF~>9WDENYyXK_g0Cx>l~=|BN4BZB}4t3a+h
zHcsIHA@mAc*eF2-#~BU$(x*yDZaiR_@FiRkgT?hP7jjtGFvP1LhipR?$wz5>CF1c&
zZUhdCDF-jM3^=w7On|JG3A|@r|6b*-Sh|T7YBM;rsp^M!@@-&Y$X8f!JHgRn5adz?
zy#1TN;Yb8)H*cdzwKJtf2dybGjXy`OqE5j|m0aO60V1WQYz2K<_?f$zp5TA`MJYf&
zaEI^j3OTL;8Bnfn#OtiY@VHhgi}EnAK0%WAyEv!x#qGk~H(@sprR(}PrYw1mX<%><
z*hb|kb%GH@*dyywoJ0IL42`4+PYnr9Cq!ytT{F@0ACh)#aYUIho9-v=yNZ<<CRg13
z)HZUw$GZneU%9R)T7<o9)PG2oVCq~!{px?Vr3$A59I}O2j%b{`pzGYpmOQIJtcPS2
zy${8ng`bg<qWL*bsmo^_kXwoq%EJ=UE6I}O(B!U6qImPa<6}TyTmInZpIF<c=cS{`
z4{yXU3BWSS01amkF_ITP5N=I-G=`Y?vOk?MRv#0jFBK6LdaM^GMF>n+G0(C0&0t5%
zH%#GEc}~-ZE5zd9f|GJ7Oj3PV4L<<&9dWyHR;XI2zyLArDQp;QU0PI6-@!+BhBM8>
z)*^5SMkiCAvDYHoko8NG^yudC%!*;?ND8@TZOX!-U@<+gkBA{5m?3uF^jCV<+_R<8
zrr;iPTwUUCY4pircUml&!xk2{!B4U4+Ww%(`+KD}5rS8(%ZZ`4M@ZXVZ*ldPk|5v#
zGDqFLTJ?4vB5L@d{=8U_Gn<UdC$0WW@Lhc-G+wDa=<_us-|Fw3P^O>&IWhgXnhI1Q
z<N1itn`E^%mBLF_jrUR>!HAyc+kgu~!K8v3B5hoa0QMZoS2Wo|n89<S`MD2#{Q#=s
z#79m+fl}R42K)en@Y_)~>XQ|OooXlV$|b|4e7?G216uYF6Hc^KwV6Bb5AjDdoyZl0
z2{UUVdpP7~_}zyygMnrvZ@)(A#9s@JO}w1k%BtE@rY3%xsqU&A?c>2KIW+Y4pE(Hx
zA=AQOv)HLFoRw!r0I}~M+UidA%7jiFP(oCe=#91U+dZTVi??fW3>D72g?Gx61wI0C
zM*RMK21aw8g?ufqukWrF$?rjPVOf@AH;hY7*f(~HQ##eC*ar%Thmj(m6&hB0INHN?
z7H1-*cKUae25+hPrdQ;Dkmz%dqF0^G2gJB2fs{WvXKxH|un(UU8udO)7ky|Mq%XK6
z?f40%K9Xb@Cg48o@)h$3GegyTbGBXMvTv)=-OBIA?4<9g!l9EURu6w!L>O;uo_?MS
zHreH&M8zs`md)Qf=cT3EQCN`;p}V8jW>+jZ_p<Ii!mt@9QNX$EGDNyKCf39PSot?x
zTav8TxUAcyRr)2#=g|eh@Op;VR+)w+!@HwK2)Ui&BC{Nh;+qoHP6sx=V*C2UVqpbl
z+1z9ubUQR^v7%`628wJLt5T;Lso{;*R~+fXM~{_1&%Qj><kin+yZ1Fv^=vk-wK2q1
z5@9-g>yePlu=Av7JXp?iB1w<JH7V`KY2}^w!Lh6CJ##}GZh!g-+q(A<4^Gq6mc(r}
z>s2<aDS_~U*_qdPc^!2M_Y7g>!gc_a+3-|!ffK!WS7!CH7wCyJ%v^;nyRu!bIE+KR
zKC7`A5xCnCt~w@<*){WUIldqDLRdU1dodsae_Wg<QrN3Bztzu<M75DxQ3S#zR$-Hv
zA^!wFcGheh+uYXWjr1`jSGbAxy?==ktIaGHP&R+i3PQvc(_)|IMh5hM7kq>e@-uZ|
zuqI|Z{jw$qO^&#WI8g5=h!|&QDG^+e7D^vXRv=!Ps-SFM>=t5Usxp9pCLd4r)`r8y
zRQ!=k>~8p)qgIqYSb059<Cc|pFm7s@2t#OqIfEa2`z_AZN~0)yI;~Ed>=$R@GY$na
z&;VtH08q!?@;g@S5b6YsTE!67vzk#cqACpX2p$^!X>HHf<!-4rv=sIlU{C#i&F)4H
zt<^bs;X9f2wd#Lj|1*%4y}&@9;Fvh_eue%?DUZ*R$omLZ6L&0%r-{~oX$7mIi5LV^
z={0z2CeJQ28P;NLGL75ud$a@V=ufn(4;r|+{pIACBw8ejYg{E3hTdtfiedUSIOnD4
z@b5=A&mzVp4xIfgM-=aXZ}^=)I&~k^2u@EJb3eHz_A1vN*!5Es48mle_2WaJd{8^U
zuYz=(yXkp7Pzo0@4szx9^lf>o_<KkI&F{v8#&e9_J4mgbynHzxd)hmm{%MX#Ru~kA
zV=dayuSsXuY*I<}naa_hF_Y3Cc=!l6Sx}5%N#D;AGQo|qSNI?EA~|z8llH$=+Ly2P
z*eIbLRo{Q9qkWOm;}IX<z07S&;H@<G1-+kisniR9EoNtjNZ>I1)sVqk7^##C#Xc#6
z#umebmM88?HOqMBzVEChg^Hp7L|9@Ex5$N#5kn$!RK2{rzFE(b<4#yYz(51xt>bY8
zrMq+7HBB-~J4Y~NC)d<@gtylxyTRD**5vWtqZ=ktR6~l&C{<fNM|?`y<`um{$~DxZ
zeU8Vai{p$tBYwTYoc)icqD`+({(XH%0#7%XfG~&-nnvrj0m(0G_XYL|y~^%4PSy%|
zXf18%Qu|0W{Ai=+6}9n)qK%}K=jhlI?D_!Avo3-3McV7GS8^k~i0(OO6RuxjuMab|
zhr%Rv&aIT<QjuL@jo<OBQ6R!trqa)7?bT)d=rDel9ITFt+&{ltU>l{`dN5uc0+5G~
zuCy{2LI9^X>(+H-MXVxFG5zaO$B)Cq?%I^`PC8EQvcy=2A#X@sb9KnqrLrz)jAQc(
z4x0JFOA7`Elbnk_)~x&<3ss+;sqee53zdqzq5^kkl~*g(B+S8C^)XHl1WWNct}vJ)
zi;V+qg^X*RfmvK^=HQ_aTG-upfkOFnvqt`t7;4Qfuzoz*wb^*&li3J=&cy(pnSOe&
z_o&~lTa(a`QzvVJU)@?E!cv)SHceL97Uno7>5OjZR>)4z%BE|FaBQ)w*`BVA&$=Fo
zbYAURr9VbbP!k#sL~aT@+)PhEMLkb%$=wznSCl#rzCq)oXC@ypbeP}8@WO<#dOYH>
za98hk3Stb~j1WQrY{lu$2#3}3dnt1ct)Ax7jHMWMx;UKP73j?_Z#R6nN7ayTo)MdG
zbUG43Wm~PX+z!L`%Run)la+#RN;$%Mm(Ir9V4tg^kxSz~ColN|jEv=Pox;Rl+CnP}
zKNwc&s3#TNNEM?O6w{GUlbCBynYpPdUmFhCpgpy-jdJhiq(|M4LRn4r4+acM>(yso
z8g9@|o%X^?RdtGAc=|of;Bshh_)Ziyl2{LN#PJ^-{~w;-0lJbW+8&N=JDGT5+qP}n
zc4lHH6Z6J4C$^p3m=oLfm*0Eu|J}ZQy84{zUbR-Q>OQNg_TI(K*664CmeZ(6s?&Qx
zN$uF##8s3&DXP|+YX{z*I*jUv8H=yU<OzDnK=wcPfi{8t-*oUM=@A1gxwFI6bt3Z4
z4ivWG#X7VfMSSr@Ga9l{eDJ?$sM6=v-<hY5acrf_m?%sgN(YnwY)y<2{G2U01thdj
zCoj<@Z*pV9BsCvuXF*UQ0{+TF4LhzsH_q8Srjbm$BuW{~NHbXJRyxElY3{gI2H>ku
z?0PsHpq9YC=sWlNu?ToZoc8J99mK?qTa^U92H2`^RH-&EH!l&l-qdTR*FRKQm2KFL
zwB-VC)wSt&H9k0u;(+g4htI9Jt-X+VaTNp}s}8cHHRO}m`FdX;E)p6!6<syWK}L@r
zY8UPb?&CffU<xO2&w)HsxXfT6a0PdjniSX(_Uj5r31ovFOD#w(r8=x-rTFTMU%5JO
zm3rKZ91SyUip1auER!&%a!f-AjdXQ`aJF`JLkw>OE`!We*{)-lo_yD%tc;zv(^T7B
z&U-_O2~5hn<kEjAMN_loP~9sfyG~VmpxDZOAlix*;sIMJ*~)*)+e$QM0z0vq$|&e<
zhj^-hB^QI!=bHlOzzq%Zc7nVIsTRg=<chPytrenmR%e!$fqIkm$CVaK6H}aT!jU5r
zKHmr5tFNy|9jfMvijFhhkM*~J7n$zV+ym?v^^ysM4Ej5>Zn}if1}UrwG;Nv*v$m=P
z^#%!!agWs>yyj`=sr(I^k7J<R)ZzPe1Zk=+I@6=tW2ppVDSR*T0cnCwA%IfN;}jk3
zTp;C|oURq`MP5#G2Yb_S%lhLgD6f^|MQcv;_POHQ#L(1cu%(Z7&qnR_=}z>u`7@;-
zemDF;|1}d!44i3yE7K3T7)a9-Ez}^_-L{(`FXv7+1ESiP<w4uMhkBJNw8|m8dW}x*
zExfEDje7fY9Nv+ddf#(g-;wV6Kmr`-k^CD-7#$&FCkXP0Q6T{{Qur5T5J+X1P-O^l
z<rrxtFbZY3Vr3|EWu&J)(578qoZxz#@SiI|)uR$|Rmt`)YK2(M*cX_-QwD$kUg*EA
zbl25h;Nx46*%ie$WVFm{tRm$eH2TNQJa`LiV?T=+?nnDaGCr7hZ)iTt7#>vm$JRc$
zcW-^KVBX%(`Y6hU3+*q?ckrTfg8?7NyS7dzun5sM_DIJ+497%~>ZGd1)Mj6bM<k&J
zQS1>HPk<Llc{+GN?>D<t3GveG#E*CyYVX{we@1B7b**QP8a}M&mJu0CYQQ#Pq$y+?
zR^~LKRfk<wGjC8wQ6F8}ER$(z&%;}N#akR(o+%UVwkRl>ObKm`w4)!o5UFv(9@B~T
zm0p(En3=xl1t+&9CZg02SJsUiS6-mf^|s1WCIgVGQ(R+=@gOTERny)eyi~+kj;*+o
zSgt`Jj_I(n&0nq&#;)$9SoJeFNML(ZF}&XLdI|}8*rU8c--d#cpYtNXkt2wL;|{<V
z*&!H^TJK%Ekl1^L5&~kDSN62M_%+N%wxr(P>~yZoW2s{j-L{(j9M4)AvI9fdqZRnm
zF8ASlS#ywd%P2lOKCNCgFkmD178{hwW_aT<u8H_6d((f&A;IKgOK&5d+i9LqZWf2%
zC!ds?o+x<4eIyosT?uumU(Nb9wJgoG>lor617Bk}7F*WTeUE2eqdzNvZtc^v89Wm#
z^b@zbptM%v7u+guHZo_P9MdJMbXoSUc5T)5IV}^9>%?xSf(Ek_-rlvxM{mXDs<ro(
z?*W0m#P{Lv#<dsjoi)pMuUoVD-lmSb@?9C6Pgq;?x-WO11%dyFU#LDa;vee;wlr^Y
z<lup0*ON?CRdAI9?R8|?FjNEIP?P<T&THRivavKXN^R-SA|Vx~pUD^sQRL!DaAQwn
zb!J{HXy<G{d2Fhyb07YKa?C=l8sVFW{y?c6!aL{p-Bwr`yQYFLUv2#IkX;AH+5)eX
z(=5*~{6Fjg7tskLR9J_qGL*%MEYhn*V98f1CnVR~@aetSvewyD2gP9+X&vSG`v%@p
zG}89vBW+N(g&WC-XUiuYuN+g$s0|5t6td-W*6ndS_<D?c8Fd|I4NUspn*rRtw8#^v
z7I)0t(`SmxtOs=LwDK#f<MES=c`0T9jm3&Yc^@p9I7Xy{gDWTRR-LmD+X2Z}sb_M(
z8rD7E8~z;l+Y(M&ULjsBGCf=Qsz^Pfi>e$wDZzJAY>M#20T+CX;tb<j@W<4yXe;6s
za<f&8H`uhbS`KW@RWRKMnwG)TJUm$K-={5WOL-;LjSsDJ9IL_`c9Q2@L@la-P#=Sp
z==_|t`>5mnqnDTC3+xy1W7#kUQ9%|rM5t#(19Z{;T4UtR7RG%OnSUK4{nwgk^*B*<
zSEpSdS9|^mUV?#$bKCcSm7?VQf3fVJk|k5<=H_K1-_21g_7Cs+sc;Zs55}a6Gt#gC
z%~0p(@m{3l1R+#_#4;{WBuV!OVo<PnAyQFL1Jd&-<Q&O-xXDk~YPiXTOb665+%$;@
z1K!F1{A8TD&07;$^h6=`Bq>?}QDtK0c}RG@b5QzPf<qXs7)g~zF3oCTGNLC#Hxsv%
zK?rHe5&ITsEK&=4IFXq%?RpvwH6|q%3ArBxN!Snv&>|9OOJzd|V-VF4z^r@92*+Fb
zQEUUmD-uIL&Ti=6U`nkV^Abw-h4w~k(!6~c1o}Yt(&(-5S!pUGk9mduf!zCK73_6~
z_1K`6kw>9)EWU8UI&i7;<eZ>&ZQcpznuCTzZK8q?i=KL5&-zvN%fx384?%>31NC_y
zI1B$x#2_nw5_>c`CaLs!Yuc^K=rxN0)Jtbons~n&O?ZL|<_C*P3YUItuUk8uObbnZ
zp626tcJ1M!wrxU7OdTJc<Yygam9T~u@sevNznvvN4pIXV{D=~XS-4%?7fH0XQnIm!
zSs}(98FX>RkGAZwB)-;`<;PJIKvl?^jxPKTEQ2Jh#RMkxm|uBx!DKoXb$|9rY=|}x
z`z3?Zkt`|W4mauz`x6q3l@WRPeN0TiLdh7z6bVxts<Dh5jwxOypNX{`0gfeYyZ|Ms
z4vbXI;kSxnUwI2jZk4tgc7jTr^iNyoQ|shBn*wrm_~NoGrOb9n^D;~2)ON&!vLhvc
zO-jQirFn<@xCgtQl>4x_8e)QLO`_|PZJ9%B>M3A8z*OdKs`a-IrTM3ZT8U3S+~tuq
zaY;o9gH`lMc|{&J*QK!fh*AaoG5oaL00F>{2<vWNwl11#JJz4?E`VUqI)0B$(KoCj
z%C3U;wunim*uf^Ly*zUvxnoxQ@{g|)nY%{Tg7)S<J#N@#d5?p_hdXWKv*f+W=jV71
z&<w9OlL6Qk-o2-OPk6?nJ*?gyZ`vNOS^bB7W595ts>2Lh^F*=+kdQ<GO!31~&90Pl
zzE=sD)j3hp@Ikjv-r9e*=)!%t=jcL=KPL2n1}t>kGc+yuJ{U|3<{|%s^;aU^m$R>q
z9chkR5;m`{bXOKXv-M|Ff{Q;Xe5K|&VSPn7dZC3yRCVN>*I0v#FF|swx@aQI{7wT#
zW&ReHd(1Hq0Po6bH=ChHx|%s{i7y6t5f*+EAkY1%Vm!|3{L+2pP#iKu_ZwHyAHQMI
zpLhZHfkLcKRu@C>n6_zHYUtor-3A=A=Chml&lwDYKUQ=_?LM}5#qoT<K|-U?!A%R+
zM;@7VRxBTJ&yF6s9qJg*;nnIGFJzOOYR_r;?6y}psZF-mpY#Zg$-FM8@k8(It6~o(
zz3^vjsa7EPtW@pbc-GXi#(BT21YO)S<@Yu%RuH~f@;H)sEm!IEEM4sx6dQW6t{vX-
zM{;QGAT>4DZ3LWSt9Q_s*L^Nm&9b~cFIs{t-%~>1tl>ChRqOIDn*FJ>ER5&a;Ir0+
zc}I)*OeCFt-+T$`ne!AR=d`dAu#&Y=tv7I6sJKiPiM_D>q{U52Wc^|>Mifdk7iKc_
zRJY{=F7tZC)VJ94I{goc)4Hc=js5zgg9ITj84ZigRv@}uXW>>M&J?)^LU~E1^A`G6
z(mg-Sv6lkhzM9f0Qs6#KlpS#Hj)Gd)p{!(o4lS6LTw!;1i>*19Tng+flUzC*HPT7N
zd`>x$A|qQTS`PS)6trDufh=*&l~!cTD?K8K&tOW!w_%z;ITznoGXa#M-T7rC8#kRe
zXRFQMz{{n~u&N6fwo73HN;#5Lv*!Ld1QG_h6mE=4&qzi90(njLk=lZ_|0%R3oqDHj
zhzI=LkPnF8m`HjW^KVtYOnXxvY<dBC3BDzH5uJqRgt-Gdg1!ZHe3KG5d>8%fU6fM{
z?61dF9~j`!m{}#4FEhf+l@`#oaGg$RyKeY16<n7x72c3R|118&?#H{G)j9KF1t>=|
zMOkujL$oJR0@<}yP>EBj6)a6tt^$>yEMtf!<9xJJo57?3sZa41@*?!T@$*y~_-jn}
zFB!_lWoCf<Ga<tA(>=dl3Gr$8MqPPAV7Z}5S-?;U%Vg#_%7<_u$(M5Aeum*aHU_Kl
zR~#GVxnM%kIrF}{PN)dwrOiHV78&P*PQ01@ti&y)y~ww8BD{BHOCpd;xrEi7a@;+2
zS_HQ7)egbTAUBxpZpJI8^lt2=fUivn`w!#NP-kEy!w<s>**}F7Zrt4bsg@e2GPmmO
zQBSo?i#U0<ZuFdI?)*?^P@BKZHp}qa^6~H9EjC5E)&Cag{XOAud1Y;I3%~q_$m>o8
zRnK|88xVgf{NruF;Pc79Js#hO%aJP&dKCFo7$8_6$uz6S55PU-dZN0A=;0}+Qa*PT
z2xrS(KKh1T6f7K>!qHm_Y{iUCCW3nG=Lv>b1t#Yb*}|ThcwO`IK{5V-5==HC`XO?S
z&U`o}4TFXn5@B|Cq9%rp8}Y;C0+Q5ZT0aJ&0OQ{Amb{=}uQR93i^}ze=*#sc;BXgw
zYA8HC8d(xbIYKVTMhIeZqHuBoJ;9QiWL`<iY+Y9c&_#)vS?ejvtsDkdFhASJ*PZ3<
zH}mD~7kKw9e0U=|wa1SWIR`U$G$Jy2@{ulA$~f$%7nAVfkM{BEBR2Uk(2Dv*vf3$#
z`LqLS_D`4;8yQvG3r8_QFfz^i6Vq?pSAb09nP58)WE*Yh8L20)A5D~Z0p%tYpC=zz
zb`E@^4o{z+|Gx2_X>fkPNfvo%MY0Ln&}|eMZHysRn)Dx<9w}S~)tZoggRBJQx*<1M
zDm|K><ual7Bh-AXyc7BS1~n(#>Ul_^cVcydUm`EKw;Yk?4WM#!5vC5f9pTqKyg4{E
zb*Yft*0BLz=7!u3jcR*R1P&a_>b#@3NS^+hpbn-hL}=zr6?vS@{bPws(YxF!*jDbM
zuGBKE<8p|()q5#DeL2ProZ7d*YK+$Lz}-*RZ_PM5yaPZwfO5McP;Gy-YM(77*1Dc4
zjRv&;b}d{VMbxDkUs3s+bmhdWWc{-=xHwxxmRpqmKuml5#E8Ermg*dq%p|fjEBpd8
zBk;^IMXk@4<~#|nJl|$nhCWDz$~}TZUm+RFy4Sj7`sX~|lv^g2wQ$_^W{mGCdru~X
z8g;%+(##)juAw0Pff08xWt^VMoVUTr`GRy~?`5JnyYvk1lO#&D&`nJfo5>aF6y6S3
z!*m<X;bFel0MyQI?l0~m1(PQP56ilakWH)(?7DU1r|6ZB@h^{U=BJ{y4Nhe8n7!ZL
zW`OYs?-F^H*c1A-LR4$XM+d@X>B!?`1!)yawzD2?{R9uj&vll9t7Bf3>Z?;pmNMeA
zQkH_;6Hb;fS*8Km*-_bqx!iljpC^VsVz-^p@SV_%w?v%<mF+ZS?KSwH9p$?70d<#c
z3g^a(jF*E-lwov0E;P{u9FIvONk|X!da@WoC|;;~(R$N#$k_ofseB0tb_;C~b1Weu
zMmk;+ioMU}0tq;FI-5advJgDjg=5j!fCU_(*dGhjc@m5^bUWe*WF`?zQ+N@7E^t-!
z`|zX^Ekyw-e8`O;K7I~a=D!IONGluj6K77rZ1dzy=(9+OeKwDlUXueTQvDN1lTzh|
zrA;HM6G*~8_MIXKu%z<LnfJ93%;(dutvjhxHxo$1e+HWO(4{^kSn?N1{X>D3OW>bS
zzZVZIZKq5np!7p>j51f>N4~r^S;hL9+pBBRX03&WV`;xXW*k94sa17Hw<OJ?O_GGl
zg8L&WT-r410~PiQ<x|)oFR(eoaI$t@2HuvnCu_S{3>*H~q|mJ%wOxxs-!6nfLmJz*
zFxvdsgu7iUj3Ko!y7<Jz`q8mNo0(RH&DLTnkaIE&Lwhh>YtYnU`TSMGeUcyvZIhmf
zY7+M6+&?ha;p{&J+?LZXSCFoKflrfwm@NNBM)dm*mTtAZ=z+Adr-MW;xk!_!fn+?#
zaZG0}v?0`RGGzj1E|q99cP^E9GDNQV2r_xD`4}>KE|pla=)>QhgF8|SytiTmaa;tE
zyAcC_@CcV<xXzuLhNxAzipqu}c-Bn#dDsd>S$Ud{GixG&h*v@IYr!5T|4e45hVqi4
zg|V@N%Sng^De%dIizer+B&^s{*fLS^<OeO!B$up)T;tC1>fxy2g0FMivRgZ-IFVz0
z=Xbu*xR;k$K4ngxo+o*s?sZ@^1k)_txM9q4!%kte+vb_yxD%Rn|FsD#iORl|Od~qe
z#a^!A@|7Vt^z<?)PusK(_CAb~vft%$>ecujb@(l-i0jjG78UapS*MBB7D%pYmw-_3
zNmY(J?J_8=da1~-P~8hU^YU@+X%|RO2L@X0ayCKmj4F%f_7CL!y3}SHW5P4FUZ17P
zS#iC7366?heZ6rDj>-Xdg4JOTan4&IP8TxX)pCtA7q_2Ojp6(@4|gc5BLav<f^V2y
zy`asld1T?-RdR7oV%!7=>2P|$Kj_(Nm03J4nLwJnc!6e@u*M))JtYoo?-D4$odWFE
zok6qTzrwYbLCci8&{~>*_=3q}GYM7M320I3*NWTCQ9r^on%nzKaj-3DMi7Yx8tUXi
zjlH#Ma5O?N@osxyD!;x+tH3-Z6ZIQyPc4@(+HcRpHkH~po3h4T;_p}NJF0y&rE@l$
zJ1YMAdMJuBB$Er$JUosPl>?hqEEUfqPd{oFR#<&YgfG)5pJcPTn$jwqhKg2feXD7F
zO~0BP951R*H`(nUw?0|Su}0h>l`%R4Bqt{)eV&gR(^DeA>eIdf9Tp{87{3ax)oMF)
z+;dNL`2*?pksNDyD|l}$;LcfM9{UdX#NzsPVcs8v4Pd;<W?NwFr)D|e?1N{QknKfh
zIY8_?7Lt@tr6F{g?I7z?dNts5E9+AFG>BRtbaCzIdzY~67JHZA?6@m-5JILz(u3=C
zU}%ND52h#@d81r2sejScxZC9*bbs2J1FH8*{)K#xD;Oj7!=W6Kd>0_$rWqhh<AYdb
z`c4Y}okNB9<s;5Ildi}Z)85&!r!SOAR8~mKQ?ggiR5THlI?J!nO=22N&-s&%PLRw9
z8%Th=@XY?U7v91<9P7)yR^<J(9uT~EE)5ABzL_Ea%;*&)e6|Gpa{HI-@vb^7i1~kJ
zP*D6G7#YZMGeh~gIw<J-Y>D?Jx08$Zi8~@l@y;6e|3@aimnB^t{h_bVc28{_bkWhC
zMw`Gr{Bn+*TBy&U;Aot(2>Y<;T-BODvb8p$r>`pB>1k$bNJU&~7}U`z195Neu?>7n
z6Aa+S=gNnty59|P$es;GKdkE$ILoxu2TwN!V|6nMgM~jQ++>*jnbSg%GlzRtvUA|3
zaAcQ|$SFOhJ8!OEucYa|Na-&6m#*k^>NxIFtE{8lwi=@w3C>VthgS7D^QWJ`Pt`~&
z5S_nSY36>?Wue=<YZe~<L50!Yp!R;vf;upN>of;({_FH!n7AqnZbcZ<Zo$&OJ^_oX
z<m%P<t^o2hEnv0i^Rzb9t?yQ_<XmJqk{Yh?+F|Cz-LrN*L9X<YQ4}GZs#DA<`XAQ7
zX5^2jtEk1UoYB$O7GAe-th``<H>Pl;%h-~FmMGK`=Kh+F!<v)&BBj5c8-&r<{S=)}
z;EXXF{+`=l3rw+i!<*<&Y7;M${6I!Q&l&n&R97w&cwslR!L%ih+Wm+LE|Ul{husKi
zf_i$%cQcA7?acIK%FjBqxb!|$*~`Cg_PA`$pz?eiC6V6+M0tebNE`eo!%UolNN;PC
zNg095J)iT=zX+LHBIukS$+;}?KN(D;;N`3+iz6pq-=hrcX)@Er&}B{kt8iy!0wurk
zhw^fr<v-`Tl?j@>TtVcI%+_CIH9Hac%c~VuCi9&85n0^_x~anGvQ{R;g^^NPc5JpS
z3cCe-c96)G|BQ9LwBV4>Mh6%sCTpaIR8;EEG=>KnZtJpq{A6i3!lUTp%C*ojvxJA1
zl<T9^&H(~}hBO+&LvSkf;XVh-yMKrTQ=`n4>se@8LZc{@>M_;qP%*PahQ`ZQy4B8O
zF|X?~`Ob4vue;Q$VxrjptG6UN)KIo^X_e_fTc!nvc_uX!pbht5OQOA2c!)Hl-&4X<
zZt5_Iu+R;L>}*K|Q2)}=Xh{5bjg^A8kT;-+k8GT^fKO2sfO;V9s*`hQH=j*t)2L{V
zR4#8Jhc%yyO+AcPy;6V-oxCHR$y5MKmU+!4FNLU+gJ(DYTa@P-q1f|xK;@hrINSx;
zCVO784TiE5YAD9sPaSHrc(?3}%`H@Y5Bo0&0thFzeHO?|v<$Gf4%>Sk9tR{HysAO%
zUjnR3p|A~*Ju_$8yE%S)@<}yPo>^|<?cnnlBkLA=Ke3T_{l9(7@rqNeCVIKfeXaV#
zo2DCN!zroGtleyTQO>B_Sq{av=OeWiddv>-&O@z6ddxL5t*pbCdmi_3&^H~@nnm#Q
zm?u$g9YwVBh|<ecn<-ku4XQ=FB%1=?Ug369eZvR7-A%Hs%^1O{j@?brtC|rSjhyA1
zzvY^pv|A6}e=D=}3b$Gu5<5GFI+(8jBRoqv*bDgORONsTO~phX(^HBEtOb14TG=kp
zhv5ZZsjdYj2P<mnu9~n!ym5U*it?wJ?@C=o1}ctnUA#WywEX6xify%}<j{sLOx)=N
z1WrucD|`RagX7gx&Nr>_rmdf|!^rR`5j)uA@Zy?NM&$fP2l3hbYO3{s8pCqgEX)~P
z7Q6ohu|L0iDPDCx^{*hNO9zUNYNutP6wMv63iQe`mPVTWTCJf;KcKl55aA49yvbaJ
z8|FSzXYq;oi9g_Dq2-8hmSNn*Ql%NzJWz*+P}%pNnX0ovuuU~~$6aC@IAy7_4qG(R
zLj2Dl!+k051pa&nv}~(B_^K9`&#fpeK0Ukx61RcZ(0BoPJMrxA8DTxM*J-C88eLBq
zZvdI?tgRddQ_++y%|qYJccCO?wwHR!9;Lm%WvoX%5RO>alwNm{oGD*uU*@ZUuv-{k
z6jG`Q7KGNPQjH;Ov{L9_=39ZV^Hpz*H-<FdF`!r`$rR5#gf-ke9jSc6cN(VsXc)wK
z_9>fC62~T-iCFYgs`0c3!dl=@$*tjTPt~6Mb;-Mv)v}BVq%(m;)=e9>CycZG2EDNA
zhOsl^viZ^gASMBZs!v44093>aqkY<^<+bw4&~hn|n@%<7r2_a!Ef;^Pr<|ivqX5Im
zj|D8`;jd`acAsuD(`+@<>@d@8H`8o0W1NfCy<DYoSV4DK3B!Mc*o<h?qP5R60e7|g
zHthITYeL50^!QfmLK9GH97^@S+Y#C9@*Kbs@yphP77ab<zsv&>rrtR}eg?jCf0=Xo
zo6{R=uWK%i)AJV>tG;T_ubqvz>2g2O9D(ZiY6&`?9+7@@irZ3I+b_&p>+lX(!z*NQ
z+3z<+0wul+7geX1YMcHck0kkB`Mr`b_L||PFc%?UX?&0EU{@Ody7(UJkQnE8boo3I
zM;P|&|BOsuuY{6w{8<Saq(sY-vLmmL9Gs?kQGoJQ`c|=9VF;E-X!%zY*&%U>*Jit0
z1L+z28W_?_xs*w5TTlgQE}zV<vLvRBZk|(I6}oOrW!NRJ(Qz4J?K#M%8vA_|nNy@@
zK#j7sE6A1CD@M~S8`Pkw|0PpZiiTZ22u0(ZA#-mI-a$k(R|~D(;}D8es@2<j35;rP
zGWn&kQH&YfWRk8CqZ&y><Qy+%M~=!UJ%|&zB1Ou<8WD@I3+BHvO32|7-n?O)&SJL@
zkDnnzta?1-@j$~j?(x9W<FEUYupLnS4ucG{R7j^KC>qX7HyZaqyHSe#ai3p%+i^?9
zXM&PO8%X>0nP!c=rX#LQAgTDktQ)>M+$%oZeC5<~fj6o(Lts%;`aJWoPRm^>R;5A;
zut7X)3d5!u;7Kt~>8?}I){?Y;^0LP(Z<e-CpR;Jx8Z(i{((O0#$7o6Kk-5eDbYNJc
zfj#5WWnZ!3P){LWG%HKFZ_3VE+hCKEqoB|)E)tN@nUu5_XdjWh>V)2ARZfb$oL8Ei
z#lVxXwh9Rj<D%xW!h(i`E+)W$NJdjq5W)m4hFFjl5*C7orG}xV$|K1m0)qp?Bgsqt
zWr3!Iq9h~qv|2hX(6~aiVoCW1@x7^?qn`s!a+Cd28x-qiBp-2&bALR-K8~$Ytx%cg
z7M}wr1mIUKL;Nor6lM5@`F}pBHGk>^x{UH~&8=muW$fowc9J#IHq(xQ`d%-gb-I^6
z_2q0)$=1!FxoHPE$j+L>w$u0NMrA0H>V77}1aExKkfh<7K?k3kBy<Jh?8gO$D4?~8
z{J-G9{{<^pBLaVa2MQ#rm+}GBN@-1{4;4V0u9JeTCIf4pS~h#NOb%N4nUoS;JRqyP
zbz^&zj;4<U4?K<~&1Q^>+%O|<561ia3?q9$n=nIkdU0N2kR%Hcw=^l|cP1GZu&X6Z
zfa^?W8mrt*JxWRzZENNnOozohM6F6k5)ni4x~WCvFljR>^T>I~c1S*wTnl?(JI~>{
zdg!peA&ywv4dUG}73l>^Hv^ua1&ssoueRkv)gGGvdsdp)gQ3NK>3b}buyU{b<#EL6
z04CeZY{)vEo9D;R!rst_LVrS+%s0ICu32T?*#k|<0mDFUY$~4h;u@FeZ-sW{(t!kA
zEFJsG52EX2&CVluDjrfnMh3Bkz>PbC9rB~r$wddupVBQV4?Kuj)_>Srxc><&`Yyh8
zBXCLbthR~h?Qtk49#8}GCL*-4bZt9=iEd+-{r=HPqF=|kj0*}bG&^9^i`Tfsw#R1L
zN4k4(?HkYdY=(DZ9j31|45C2ZctideZn$L?<x9y05bquZb>1hCkp?|V@-Dvg>m4C6
z->O;7n<jFn>Nu7T5Zz>R`t4_tj4&&>{&rgKP_0sXp<zE`U)7uV77E%Vdg$czKVSdl
zS_Ran?nfMsOezsd!SXLjw`_~`=om3IxK35{!*+^u4U5*hl-L`R)hyGg3{ai=+fV7c
zapuhEvtHVb%r(Lb9IA0jf<-f<Rw<nNWj$Qgv}*9=-7mX!lR*qN4Lj`;NxNxRAeIre
zXv1mM4ymzflKaMgVt)0y5g$-deSyPOa_)$90t({*648IH-bV0ET4uj)kyu$UmhS=G
z{J)%LQ~QQ~yncm43@hOD=h33h<O+istx7a#sc2P$Q?1zXd*Yq3iZ}e9ZWz0=IRjBB
zgJ$Vatj0)_;o@}|8of4&MHwQ5cHulo!;!5xe|McbBWuk!XG418E}xHw#L~fl##ob~
zkab$4r*v%-M(lRKs_Wn@a0dFg(5NamJ3KsQhK5?vmiII^Vxe!i07DZMKgut&yohtZ
ziS1(q3B|GDeAF7n1S$K}(m@-IiReNo>IgKL&&ihhp;i#qji?avqp%)_e}_?=?K%-e
z?m5#;4~MoAEbm%uSo6TX-B1IDqrC{Pc1`^vuWoEtJ|%Ac7E(cC_482g31!FO->?ZF
zdM=9^V8b1ckf+138gWbpht`Q{CCNE*R|Quyg`g5d?Kv~l4Cm}P<@ayxd7(P)srtnW
z68hgTN0c)~+oKu^(1jh;;VlhVtRR`IF`MWvEE9+CS!KsGIy2V{PqpGBuVdZi3|D#)
z8}3@ZpB-Z}!<GyXv<!WOegmKfXtdz*jaco1bC@vVJYe6{o9Z}`26wp7M)uUQW8nvs
zS<emQvYZ70!{2QB+k1{9zaqw7X;M)~L%5lUvHDcBKr4+2?Lz3kc~A6w_ui>S2=d6e
zf|%YlXEyF#T=W1-zWCn{oNw@d=NDS;P}V(sDr|XLk_MhW^!3?oKYu^Y1{>Uelt(JP
zO)W@~L}JX3l0;t{D*xCIWaZyi61q{84}lGY?f{`4_@ybJ>K_a+)f@Xjiu*)L4S<#m
zU<F<)NrKZiF^3@y4|(AbqrcaBzzp=Hyl=JPcO8%PZg<dJk*3vZZ;clt>gh}sW9sRA
zV`lX-$BKXI;ms67<`taP@`Zar-C*p(4$9xuaZw=+{q~~VV|E)?jif^RJ5;zE)T*0}
zGSGhir|NBIb-g*;1=g9y|KGeV1OMK<DZ}R8ygY+GYU!>tiCWYM6S65$??!YRyesb^
z)?{q@nb>>I6FV_QGIK<J4;Okx&z~eC%&K7dIz*2?0WOG<e;A+V{^*yxGr5jCWMC9!
zS#WGJ_L&hS1sPTXIx(q*DOU7r5iJEdR*XCmaRo`obnOu}1zE=oJ`sR|qhofTcmY)b
z7!XY2-`L(}d>tjCgV2%4D8z@4Dd*52d_G}Ys-Tv|EH)SdAS(8@wPXPk9wBF;yiRca
z{QZUfuKj2I(EUf}e@x?n^_L9VPt}wL;+<&^y>`1)gIC%|BEHiu85>Rxq~-Dy28x|=
zUYs`qyTHMx2tl+!l7JbWo)|B}8=Y-!Vln{*zu(WKH~LEFZ|Ci^Au~0)nu;LxGhmA<
zpUSA#I2EZuwY2RumWz#9I$#(VM%ET^6fp&nH%zc4{RruZcSb*`A=>*0SkDhPro5By
zsE?4ow`2fD)FIpbGv9{!Cowqate|$=0Y0X>euYnP`RW8O>av%5^YZ8*Wlk7_n<-vZ
zi0XCv818++FXM#=N+lmLM>DNOU7VJCg|NM|DFmu7jU$eYHcZdU-kf!D{%lPN(o0cj
zbYnQV(&gPxcLZ7=cYqGCu4egQ^#Nhz9x4pzVr~urGe>M#>*ERFU;}pC+&l1fK`UO}
zfTR1~3>xs&Qz_zPMs|6V?vCe;Yae@TFZ$j2{&fsc6}@I=Og0Dt;xX9c5Jm#yYCP&?
z6^A1m7%&SaMy&a2enO1S?$0?}p$!aqIdUxb{5sq2Uwm|G-rLK}T$$Fua7hobDAZqY
zI3;vsafEW@42-W~Z=Z&1ng0!tWh~5<)k}UR;Z}Ev-WM&0Ws1RNg2wvhOWJ`3JWcme
zv_f(2AZ>(8USk0IWWB(zc4$>5ndKVDBMRm+OrKW%uMht3JJ)`Q*RY1Y<89AeP2Dql
z)b|cc(B}T*1%g>}XszVaHG^z{?~uH?hg*TrNI?}k6MaGW5XZfaTbywB;jLD(N8`15
zzBVPG`rfwKkoH5T*)VskrTho(uq#Cg?n&`z%r%-V8}axhmBd)Md$na)lyW<z$m+ll
zwYF-W-c+bc_zBN`d>gyzzxYr=yhG}A^!(Ux4$x_?c(OkfWIc?j$x$k*z<CuO8AaT(
z$V_Th^Zcp>Is3FO7cGTx?>3sh2l;$ye{WZ_T>}8_0R}Ds22KG6&H)B)0RYbc1CIc}
zx4(EkJ{P;}e(y+}=0oRXWQO&b8?sAvju*EpY1S7C*|NZgr^0e?2cb!EVBmZHMvXt>
z=M6=9kp^RfZ9iNk{sFsb^OQ=?T;HVWu%89p(PXN#MT(oe`5}utk}5W<<BvNmW^2%-
z)b}Cl>Yz@%TNy6ee^ud)SkpXQwtPr40K}~?X(8B;H%;e8*fk3)-jySdN9`1Uhmao3
zTddJ_KFLo>u$m4CJy+P)3p6Jn#lITaUi!3O_za+)djAtBv=LN)D_>Jw45)ZiJ)r{C
zl<rl~&&v8}Z(;9nHbO=^7r9b*aROO<Q}T}>I6u%sa$!Kd-)Fr$^RzCfYc8&DN}Zn9
zg{p+!Gq0G`z)qdeS*7DO?;%J5y3ARaBG1`**vMt6&zdyC=-3I^5N7Glnz_Pd+8GEZ
zO;K1ia6`y*!~^d^Ad!`?6IuQGaJM9<_~&nAViH*k&wq{+6`pgC0}|3Ck9{Ap+k7XI
zJ>|T?U)c8*X9a}bV2=3P;7k2aC_47jc2x{2Wc{rfE{Z$u)ACt#Tv_xF$4%tNeReQc
zuv{)NJT5WZE-{=glfTQJml*Ds$=|20ml)2M$xfGk=G)sVPuPzi+A+89J5m8NsJ8rw
zOCvy|k0|BLn`Eu;zaZD{TQqi}sygOkQf*oL>FMfUHFN#qzlg_E4Zl0JIf^{dmeP`r
zFZr|VKpfj2X6}{bkPB_W@pYDmIjU-=?3g^zLUKZksDxLgjXcoaXJ&>aj2y%c!z^XE
zO2k63aCI=a{&3-MrP#ZDvSvQz3KlV7shY4-z@DNN)?lBSh(z~oh?U8PwHKAi#<f46
zQ!%_rN3?sL(;%Iq<y~$cmSj)Jd#7bJFmRgdIaIW5sCl%NAG@e79+V_b$U~-O(JcJn
zz_d{<<e*qn$)iVKlS#_DKbDRL#2ib91K5touCZr|3X85`W&lZizHxWw+*7VM5HtCv
zeAtQ~kUIn+jVKJltspyaA<-z)qOI@PA!jHx!mWrqlp!4`4#KUVJ4hkD_g_EAIPe+F
zM~bUjlOfY?cT^nS$07y2Z>X?8_j_~s0%aK>+L-o(65xdxAltb13ld~S7@*o<_R+p0
z&~1GC4G9xMHBfCV`%wv%A~g_gVEZ%))z2aN)B-yN(XEaI8dsPLv@5kls9oEcXUp*m
zN3RcLDQy8e7|XP0j-%cWGA~(@ET@=HN0M@_MQCrlo36$oOc;<tC}7KAUGs7q-9!BH
zbD$hiovU!EzY-$SLy}{%gU~{UjhxjM*qYq#5n|-nAjr)yCb@X9C@oThJ=+LtAPV+n
zA2okuZf~T$mZQ@<0u3vT(9gg4x3}v3P#};cP`)X2e<5A;0RPK2sX>K*7^5mPJHtx<
zw8quu_J$OvFvnD9cSn?`w<px+_XigxGeuWrb%mFuwZ+%v^@WzCvc%Tp^h8!<bR;(H
z5fr{oSox2X*KXYIzx$P4e13I{h03T`EaqwaCpg4zy;Pu{<w3~fezH`knHvBOg^0^x
zvXJhKPAQ+kVY-y<4Ua{y-D0ws>5k7~zuIED4Dg3WBINeiUC407X3%f**jvi+MJD3+
ze%xKm%1iJh7Vv+0+*{85RaX{~-WpPr+!Rxl-5Hd4D_DM?fbm~buA6$kwYEBP&DJ?6
z*By8)FYq;f2?+;<!eCPBg-9tE3`Jm483c(*Cl*VkQ0j-tX*V2<rcfFFr&5_htzM${
zKdmoQFEt1rHoOW9{1V(2?D!0LSzi^z|415=&uso5!fOTn_J`xe((PZuqG7Q(>=qj#
z(yAp>>FkzULE^Hh)mqIKn_=?0Ef*`zmfOEYCF63q+z&TGWi@LyTiuVgf+ZCJhOLd?
zw3h%nxPObKm%J$mg&E`nD=kU&|9ym9|1bM*?CLo%yZ9*VsjU=Dxx7=#^|hqAf#;Ec
z;E#n(>=U;Zj9*|a9WZB#JemAQ!aMvQeVQm&@&H#h8CT-}<53H5y6TAksI49}Sl;ok
zyau>yWtF|8RSg{6$h^-~iB^kL51ots7Clwwd=UKfeQyi+^Yl)H&Zyc>$N7tuJGzlO
z{F`<1uI(3mTZC*|Omw+V?ydh6&J;7jgfqbmZ1$*h_T<m(Y255_YX+GY7MC1PpT(Qa
z?b@lE6ymQf%%XR;gZ1{up=|@van4OAq8(+TJ!il_X~3>EU`HFU=WXy$++f$-U`O3x
z&wcBk{MN4h){eeFI`WRFd+oAo=p~El&uFblwA6-}gDNA6O0B7HX0fmypK0`*n?HUS
z#8V?y$%QY7c4p{VtNj`+^*My+X2_ED(VLmhOXe#WSvEks_NlrIjtPr(f-KugyXNZp
z=9cNDb*Oc#EW1XF+U0Y|mRYP-6I~No`waTOm@N&<s|+sV{7Vlh`Ze*N?IVjXh)eeT
z9ODw}IQX`EcAfHdkzJHt-lMQD`P9iF4N8QkBBEAs^!fB|A(u>ybTC;1Ep@c#uy6gp
zou~<5NBSe3XtH6C?pLG~ZC(B6A}HAkA*-!Kd3k2XB=cmwb@ZHWj|^P%+YlM>gPCwL
zMnyQnjHttmxg?Cpzr}d?_6tEmsYRG&l%iOYT_K4}c+J}AHv7(yaBGlhlp<-=3Za_I
zMEUWaou;InPclt23pWEG$baDa&tiYf5`#0L{FD;Mn<s?&T=0e{D(s1d`qawRz4|(W
z=z$a_iswi5Rrx%8Jy~I`w=|s@0>pQb6#ia=O;Ajeo<5Uu4i?TiXt(L@J0Sg0nQ}r2
zcr~2Ac>nTbM}Bk7-7<XL|6H@V4^;PWxH<v*8YV&scfyhUyivFoT!wr_{L1mqQ~97`
zeMmhvmunb%(xAx-bbQz$^S#i!I@7#3hy<$uyWa5|^vA3?jHgL{RQvKv2|88kF}{>g
zLrD>5S5{p>jg6y}0PgueEzS*Fb$DzcOHviyt@-v4@-z9gdTi$s@U!}KKW-Zmc5(Yy
z-hUn!t}%a^+)o|9&CM7e2eX+OL%=D8;j!g|7c!#)nX#km(a!2IJDgEQoUziJ(Vs>{
zZ>;!G6-QieOghnOM|5u-{7{HTEN{&H(6>hv`TY`!|FOQK<nBfLh1TBDcTdDWBz?#U
zZZkeqen|9eUOj|=NC$2iKK%Uv{}}i%{Yd&?{kZ#({iyuF|B(F9{7|gUMQnsSo2BYn
zXjwDhwWGS|)NfvY6!LB5Ujo?8G##x?T*RI}Y}*oRxWBY~%m!Q<)$Y=~*wm!f?%=)X
z)TGqz@x1udq&fbBdXaE&+u9nGhr#R0$U4w%74J^bJy>s*@6K62;B6J{PU1c2XqD~G
z>NxOimF!OQJ$P$X?9P2Vfc6p!NPs>F_mT=o56{tTC&R%w;>A1S#rlR|AMv6d@t$<v
z=7@-AUpGnAstvO`_cuECyH3;Yc(V=TG7jQ0e%m2j#u41wLEPG5+}a`B+7VpGL0rdS
zT*o0?#}VACLEI}IatRXYII)IFVd9MFZWiPZGlAC$Foc9q9O~!<(&#@lvI&&3e=dK;
z42lw-li|<_M#;S}n~lYj=>~v_?o%<V1;7pLmon=GK#}cRGOGk2ao^sJrWgtV-brr{
z(v(PgVnkjrF~({Ov;q(*ZqKMwwuLg@DaQ{OpN)!L{37JUi{(U9<RqIXg<=UpbhvTc
zS<oL?;1L_(<Qwp&8nEaapsE{?>>G$K8bApfP;*p1{`!H5*!ffmFrP_v${h)c7Rp+%
zSh}!9uNbM?{g!W$W~f89bVi6?wNkauANJ?YGS%*<%(94PyBy&r7*XL^chjwM4xB#l
zO06HVSV4=0b|Rvx%dX}CrrPi&+;RWGv}@FEk=w&y_(!hMuxYXG606#lkfc3?lx0fG
zrm#n<V9d^IUsLV2rLpRlb(FX4(6;8YkB3jOyk^xlJv{orq2W;H>{1w;mSq>TVTZ17
zrkd^iv$QdepGS8Xx2p8AcgHW8pigq*k6(-|Q+PCY3j6uIH$$2eo^AP2*hT^wyhwKy
z+#-Vuv^)7pozx7%ox7eV`;G<MwBRxnxxo5a&v=PTrpn~AdHEqowQM59&S+U@;D6(T
z>n*XBmg`%a|MU4-Z{gSG=6Gz{Bz*9X<@s>zLD>yJu|4(rGKFE&h;KHjU4aH0E(tI|
zGx(K<QewmtH|(q;Z!>N;hJ<aU46|@ZY=37VN>X1wli^^ym~5A;3J(_0Q#0sX&S-t5
zU0-w2)BNR1#x#>qU&)xf)vFA-s0`kG-g#Pxnpp^$C8QL$xtis_nk&kkUC0&3$`!sk
zc_6}Y$Wrq?=N6$D&R{Hr1KtlKZVqzc1WvO<=@+DGj|{wl@ciz&xE|qM<}xdc1k{ZK
zKX$;zV6j6d%zRr}HmH63>31|%1vgMH6Tk;HcZ|8I`LF;<g%9mjdfY=>Cvm$@zKre3
zx)(2>VDXbaKheF(Ak_K#+Uo=Ctd^JOYwGOnh<S&n>vajxM}|7N1R3IF_ikHRYT|77
zUR#+R;&k^swjT{s$sl%NWm`!e8dV~dqpg^8J@aRLQ6cCX7eSU?sc3>wy3tC&NuoZ}
zm#E72x%p4H{SUb1AF>a<6xsklq?r>z01y-a6b1nM06=CEv5qWSkUzznP561X?)YL~
zg<rzPAGw#Iq&^WuktTV8d(Dv7<xP?lC)6KI(omyD`{PO(aW5>YkHeI!nl-)JE-8AU
zBl{X{nDG;vE}Vc_+Xo#!*a9Ojfljy(&i?g?9e&xOI;`b+tGt6Iyi6PU>QE0I&9j1F
zj@iTGvg#)INnHp*&0{$IND&W>@PY_S9}Jj!-!(B1Fp){=pu=4!5?Av>8;rMr*m4k<
zdWztkvtj=!2GZVIxe6(DwcExTFp+LW-Mn_0uRUv&_fNXvGX#v+)q5jCQ{XNz_=go{
z!<WNFu)#y%wHD3;{g*L|p2VmWE=8faoP{MH4A_p#OerReIHs-2D(>$L>kMmZM|Qq5
zrM~5?6WoOcsCl_Hk*Z-!c(~UFg4s-wB@o*>LKAtWo|&Dt=~HqAFfX*3M~a2tJWC@s
zK{(b$cw;NS<7e@6wOsQtlEz!5Dx_66NG@WEptFm@vx~6Js{Y(ZCEW**O52bpnn{^R
zh2h<NnBhP>wa4tqO(%y=8pqM?x-g^-S@f?qgdE+NbJKk<o^KneZe6bS8m#u}uYO*r
zex}jxlWPcqOvI$K(%_p>*%`W~sU#QBX1y6}k5qh=@oNa&O(H|fB}jSRx3aI+=i*)+
zX!Cdg&!`r4qjRmwzH1vC)gEddqp1N7+)G`~R^HQGN()>ImXkkktD(Icj%WL7Bd#l4
z+S4r@2n>t*U)sv82&&h6+f9GO#-{T1K3h$J$Np*I8|AW|364#P;~VrknG}u9aNwhR
zjOz08I!AxIhB385h-Zr%zM(e#883;ic;_9%+?+mwrzz{5UEiENf^SIc9mL#{Nrh)=
z>z!EN0-(Zo#P^P3{+m&X=c((hvqALt?%qp@FT(N{HFUwnQ%F<a$kM&jl25zpUQR{i
z@CnYOThDDw-sh-i)L|%gKfIO^;BUXkU+X`sY&f=)xfxn#-B;JV^9-I&e>=X2T}yaA
zEw>i>4J_nU&k=>;BkrXY8>+Aa{vs`&Dys6I_B_yEe$c}YgzW#9*@J%XFyA`_2oeaG
zwVAo2i=({*2!xn~oEiw8ske(A2%e>jxh)8uow1t(2p-6{hRyd66a?)1Dui#{5RL!2
z!?(V}R63-Ps{YEzRS;@nIQ|q!63$VagEuq`8WaswfoT>KA-)4y7^qy%W^B=KBWRC#
zoOEiOCRmkP5|f)v`+nZDv-V0~z|jK#)7SfSBfKz*%xmI@2-LhGzm&)E6L@_9qr##L
z8p#Pz=x3qp;A<_4Dl1-S(2WpgsabWTFg}g&uQ=7l;ru%4`fvXfEO^qd*q|Y=TI&kt
z{U5&azY0h|2ZOm#;L%8l8BgHTY2CsW$wJiS6-Uq&JPq3d$*)n&yChq0{t__n;GmfD
zBq(|zLB)y`Hm5n*zje0qxk=b6`IxX@M)S_%WYWmMW~i;{tdcXU)^maRlpymVpcFx3
z2KjKwl9=7Jnc?xrL7su?muqMIdWt=goNI%%Lkfqq1w|}ZkNuT}CaQ?hV1#Z&&i)V9
z#|1oNco%;4ZUvz|VQR16qF3y67$stRQ+1_&l=^;!i-R*$?hdqs95EeEwVWw|kX0H_
z4Mg<<ba88Lan7AGLM{D#p{{Rd0mjF;K#NCn)Fi>0FMuGPkr)Xi%CA*9*kSe8eqA5x
zfYv(%M=*s@80C86i1Ke7^ZZsJY6=)K32Wg9eMEYR{JbPd1!x7>HS4NM4PKF^Rnm>9
zr}y_!l}sby8}{+RjNFGPbdGPOW2?}%sQ`Y*X?hyet(LN%8&LUgB5SpnfIGtOJe#=O
zH~(#3Hhoa(&QyIXf7`z&sNHj;385BLJMA+`$H#TwtmD5qWTXS2&o#EayWSrDx=-zF
z0S<Hl@n5Z@pP^D0uA1*OxiP<4CW|)1ZMar-S826PQ>&=~m6|%<1Nv7d4^0fLh{hjS
z(F2@s0`S=JK8u`N)CWe=sTcL^)!wy8v7`+7PZv66u5I2X4zm-hxdt{wO=ALsq=HqO
zHzh7Nzh^<VL4z#}59psW(+|oUkEobGDh^*6b5z8%^e9iem77pvg-whM*QgSfs5(+8
zGqp%H92I;RId>oJjeXoV6BVv3uYy#6y8nt&tsnk@rYezNN7m<L#H<BH4a+P+9pl>A
zxW^3PjFB$~hXKW?QNoN42FLzO9h7SyIyUIn-vx^>cTk1iAK{tc<jGgDxPEaWy1Z=#
z7?9$3`6TXUJ{-8e)uC;IS$oSs<ja+1dC;&T(Ft(q>CcR&ey;|Isnvm!jHMLPUnrGe
z>(V$m)rST~5zFb|g(z<}DlcTPfD@d?aNm`SFYeDnFgvu|Wp|FP4n9;5>#F&;b=BJg
zv4c53&L2|2IvE`G`j|Cy;x(wAvYF^sXE{uv-R|RjM$3Jj05T!!w`qrFN!S1UQa^R)
zR?1L$TQM=G@6s|V?XIn>ebFxM6LDJSqavawT{9f>I~)`H8j3A{<8&ZLJ~wZZ8QeL<
z%O3o-jnlKcc-NN*Ll4Zn`SL;-GsWp;5FBJ$bY}`H{1n~e1*!1!I}5aZXYyc68%mq*
z+u4rU>q6+Pyn2yMh4u$$v_{(Zm|N^`0jxZnm&GnUvt0ffB(tkns^isiJgbG|_26rh
z!QQdlgh?guv@3$tw!5NkDZw;f9>#FM;mtP<oq)_?ndr#?c7!Q==kK(QXk17xYh`Fa
zvM(|d{n1dh%!%0GXBBk47n4^RiL-R`?2)GQbT8fc8}sJ!yb|sW*ozyyF?96iFO_){
zIbk{E2&N@d$=c$p<8rzp<>BUZKBLo+hL-kPl{9(Kqwv~Hb<eVIMDw3AAv%Ib&$XT|
zsL5$r`W#1>FgGgE)z+@${}g@_C<HWX=4K-qo*BgRr`tK(JTuFP>#Z)%nv<yu?A2n(
ztyIq!@n;5>$q<d0sBtxr8VmVTpU;ATiD`F|6bI6qC9D1x`q5hm3a|AOqV?nn2NTZD
zoEbo!2h+VRpq<ByyeKYP^;Irw2@I@>N{4JgXt!re={LIh9i9yp*GtsP?ZMp=RsF~4
zOH+qzE6_7p74zSr;q+E1x53Q4@-=V_A<?r4XdbKCD|gy5cnWTE>Ui?RN>P+4>%zEU
z2MOtE9|JZm{gxW9a(I$kL43nk>VtonK<*~y@v0T$yqSYFM}LR20c>38U$N!qAj5rR
z1k0$$tCcBWe@lMkb-}8oOzq)cbUL*sZ1c<4SoGMrYeap}%$~B6u1%a)iycmUB0NQ+
z(Py`4v^e$8VRT1@-GKd*8Sp8f7mHraa6+{Ss9;$5G@+xB({~Hmykp<1;+bpbHBYTL
z0%%VSW`#6qMeG**5ws|j2bKdeAj|d!SnSThVgcHEG%u-5_9~J4MP7^N3^V=GZKS@o
z;|1_DV-+Ex_IHRDoBpmKA?sC0_uWpM2gB@)(Kr%Xub3^@QW=qw<Eg`m6T{6bUL+cs
z@p(44o^s9>Zdh!>@|pCl(fIfyG3ht5CN6i93JJYT+*E9(_0M+Jb?XV>Z3yE=D!-{v
zpb7VXzI**nAQ(rZynTi@;`~Qi3leV;^FtNXiS%m)vL7LkC|52Xd-(eK+zcy;fYIoW
zw_Y5~BRE@|7+)Aqsq--y=qiAZSs-e_B7y35wcf4!ctkGzoa{=LI`MW?d0OlrMD~|)
zLDMnY=wOrk7b-Q4-fiAnsq7=f{}+%6Z}#r;X*&#67@W3Wl90t^BG)*L&S5j<v!(Hv
zEEzxLY1qGs&$YDUxuy9bRrfk7oUZ4r5eY`uCceBrrNXiAQoB)hYk1tlsYas=3T`!`
zl#VI=ee^ZX<UTI{=*kQF%k4}}RHGi&Y4nl`0WWfL0&(56MP-}Z#7oW`o&E}Xt*_+N
z4#>G(?@FS2c554M`_L60bA#`6W$~tbB9VL`5H*RKv*Z05;Br`!J8a+I#^mscLFbtd
zPI6wo@HnetUK%uZ2kG>!=w}k2C$qloGVvYm_J*BnIDEnB0KNA;n#;;U;Llf%A2aue
zYHNL3n_2U2v+3y)U(+cj;yvv%2pu4<g|n^6M)~2!b*=Op5r>0zS*^VA)XRC98n}4I
zch}d>D~D1YPevT=8^ossSrIXCPypd*faE#~Ak<gPbP^B=36NF(W3I!J+Q`^Q5CLZ5
zu*fL{CWDcK-JwxL!|&ZCCML=_hp0@3IYyiSj2^0o2F8Yes>zR|0|z-oZGklylQSx3
zgv3%IrBa-vT^xgMZyW6>gQtl+k0JuSp-lljbcXpQqq35-))JWSN8}0{0Ry=rbq50}
zWMWXDE!CC^J1Ee0--f#ee|f@9hs{?nkG=IowD;7hnLp4r<ss`}aoxL1T|o6c&Gi%d
zxIJwDJKD~FZ*qA~NIj-MFwo?vXM*vLi$=6pJreX^@ktfx#V<2U9VTcNyd7V7)o1z2
z)}EDx!Oye<-TNAbZMwMp<GFEdvse?~?;F2Ro4ClhsrPaFwTaVsA9tTFm~__vSozMz
z*L&25d0iU42;K+1r>tEWpu1Y!sX8Z6eN$HDhaLMCrN<L0$8~vm^Y9bLaIBMp!Iu|v
z)d^!CyTlhLi<n<;dc5ci*otpd3m8yd;ErB)f8L`DO}lzDv)QGTsT9<XB}<p9rzXTZ
z-TLZJ?_u9I%w$?$#B$&2On$1nJ9p-ZWu=$LrRI$afs&mt9#`qR7`L*OI#O43)NS9=
z*D<l0@qFX{;i78@ZTBIx9ZU-6gq}Qqc-FCilMD;dsN4g>pK1I53_wy|Is!-7VThNo
zGjIgXL%i&P2|x#j|NigU1C7GSrj6|Aibk}aiZ6>pPo(pQ{+enL^blev(1k4W1b#G~
z%TAVGk+w|0SS5lo)!D%Xrn>&H9<tGpf{MBt4Vm>k9-qsm!#Y4qYE)KN38Qn#<9PxW
zjL2QKZt8|UOkNanO(KDi6)TW#GvAkw#e{W%wrus(Ri}vJSjgVP6%IDU=>01V|4lBp
zy?ryO(^aCbKJbvK-^k0v_%`j?7%8b2HSI9DnnviOSp+DX|Gj4Sib&k_Zk0pVd$6_=
zj+zlRzqS2wsqMRJ<(oBSryTGbmS5NUVi<S1$#i5vnbxA}I?VYsQC>?%MbFD{UX?Zb
zS#|oro;{lRFF6}87S?Wh?=`Q&<&7S-&#B-3$>qOm*H<@O54~gjK5^M<tMRJPgEZaw
z3;Un0XnJ`1>F(QVBL5_dfRysi6=9Yyya&du&#Uz=)B_E5YcpPhAkPPFnp5uSw0_Jc
ze7LkE{YrOz%7vv{DIQarylmdFtQMI5Ro{X=^{}^E1U|H!qg~P-znaQEBZ>6G^u=^}
z64--W-j1xuW<Ze>XcQQcV>t*a6-*A2NT?I0hS?4(!}j|P2dXk6%W~j(auCk}v%xGJ
zey$_{CHd%wQYPU*FtAkMF-Zze0YXlu6taw{AsCNPfU$x4Z>u3B{zI;f`8n5C03`hW
z+2n>DHe|bQ6<lTTOLm7dIRRM9fj%5q0CJ9Lj<IBr{sM-=fJi~g@o<IhDhLDuGllJn
z@MAlsv>h0!kgWf?W1%9Zf6wvXU|Pj$b(RY$sNLxxzhX6Uj!tuWyZ+4mtHK4znlWp&
zmhSHR@b&Qu^TM4DqW<0>4$Cax&-9*qZ`7yg=SyFg#_m<^uG8PnwRw8I-R)ZQ;_9>I
zk0*S^ZBVTmsP>~`gA2jsDyQa1>JfaS&VCl#ZR+KU!=w)@YbfVK&4?|pnYA;=>?=w#
z+ZH}|Qo*rBRy%ZaRDABvOw-@qQa6y7=rt;r6n5^p{|v`X&lBv^PhN|%7T(ZSYwgOw
zm~ME?@n|KTlXO>RL>@2Rx3}6S<@KHu<^VOOdB&U77duI_#X6@0!d(eWuWah3@)XNM
zc!77u@eQdf^pktCpEstg^FQ@|uYF7aEXH0yFntD%LV>j0|7RHfb=y#Q0-2Lm4-AHG
zs450lSA4t)j1@|FSQ99EhXKof8e(BY)m<v}R~yePc$${Mh`*OPp@n29S_hUYG*O4+
z05^w|Iv)yycu+jVhZqnGA|oX_#DxUN*+j&~Lw@HWmRN`laUc;=N<_|tPz-W54)L>)
z*8+$vYr{l-X-FNutS$%nW+0ZyNFTBCK7S%DR*Zsd@A_C6j*Z1+($&7&9qDLGjHp<F
zZ9S>A795XupysC+^%M&5H~Dj36(^tRIT(A_Pe^L-o3wAntCabXc-t#R4=!8_YRuos
zjHtzVeK>eg$G*t^#gd+no-<yp!1T|$m34SP69zBcdp_g^KU)<7&%Y8POjL`@oc`)X
z(atQ-HJ6vho#^}Km9X63W}|m61?~+xXkOyiHgbo{yQ`I`qaBqo*Y9pW8YM{T$~JVX
z`IbNOc0+GmKQv=APVZ=C)s{!~w?iKjU2SU0K*RlqF_cGBm~-ou`4!c|<#Vjk7hOv$
zjVk`qf3Agb*q62G)~S;ryb;=(HU2R@Un`cU$413&Am)nEcpyeA|8w_nuo(3bp>2;;
z!2JK|XG_06+)@<eY@n~GNBmGh83m00@hHJsvh2bYc7UB>S9_<KzsS*c?DXV!udBAS
zG$xOE#kxnm&)cp08#$!+vI2vsnB<_1#3QrbHl$oA##6^s#AWW}>h2$<)$!M8J7&B7
z>Lq^(Dyr5!P2cln$@7+y%B)&p`}yZPTawpMSHB?Dw4ThiyT)3z-R{AS8dYvWc=leG
zyHA6-wRh*f$s#7i9=O=G&#*H0N^{CSi)%rQrAMl-j<c^_(|?`VmYSNjKWlGy$#lP6
zDVtVZXi?V)9kW0%jFcYH9F{qCRgNUp?iBl0MQN^ICc(e3_(oUFla7k$6OY=Kyxh0A
zW?090m-0h1EguBb%wtjA9oJe%+*L{T4`urpdPeTh&D4Cc;sA%cl&NX{?HXtDaIeC0
h)21a2$vfK$o1ZQf_M=KKFYSjQ=wAR}P^|j^000u7%>4iW

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.eot b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.eot
new file mode 100644
index 0000000000000000000000000000000000000000..2f7a52c4543db833cabb85e75570767a452dba5b
GIT binary patch
literal 112905
zcmbSxRa6{J7ws?%FoO;n+}+(}7zTHDcL~9RXK;6ScL+}K;O-8A1PBgE@PvdUH{bto
z*SfE_YIRrDKKty`>%3HV^?~%D0Gi*S0D%8G2mk;8vCvUbL8w3=2nApS{09Kkw7vrY
zRw(~W|E>OOB`5&e|Hi)X2hsn=|F`i1bOEmbz5p+PEx`UCQ5Rqha0ht*n`!;SUi}ZT
z2fPG018n}S+yHj}+;IUq|G19-yxjh=z5XFS0E2&s*FQh!e=PTZUi<)V0Pnv$FF@j-
zlJ5USc>jku{bTw3i})Yc@1KqDe{61mC_wlh|K&eb*MEBdaUA|x-2NB+KSiN`moPv8
zAox#3_+Q-rpQi@^;JS)h|8Eum08~^*07`@`N`yR06_RNFJaO9J#Bs*i*4HQ6pV_vz
zT=12kCimH53Ie#-i*OLEWnrkUO;3FKO32b6D$1fhRctqDn>*L=0zuD%N7X8>oZd*l
zfY+9w{QW(tz#3tumvD<nFM3u&lJZ{B<4wZ{AY$j*-79!wAjpMk!QiMcO6Bv!%x`O)
z@DB40;Dai`np*G#Oky4FtCs&lmE)XZz^$y5FOPMU9Oclu?@>(GTGgt4-)DlspLQ%E
ze++J8hc%x_>YF~e=gwqfTG_0~tWRdGiCKXHC`87QWj1Fj({Xcu1r(1XC;*@Mh_LHB
z8Akp<@ZVuagH4Byuy05l0DhPjq3Ss`tjCazKN*Z#cI|f^luMb>6n}qDQV@Dl8Rz&a
zsWv6fMwf3>9P>kmnBEN1-!Oja^_hM{L==n)h4f-EBZS?%FNR~5#@=SAantAatLzWt
z6kwn-fl#O2@?$fjlp3RzTlPRnJEUV`kB3%)#lOzjWJ$H*NP;h)<i16J7A}2$ytEbo
z3;*E}&0D`I4lwwIcSdZ3;cX`3$cs;^FvWclCDp@C4lp;p)!<M?F#-l2=yy_SvCiuz
zbLrEzkwBMK!v2CI07`yhZ3<*`qEjxIn_Yq8z1GdnHqE)<34J6P*4p}9bOgCk^Tves
z&__(q<H&~UDDJZT3?0)bQAKNnQ>Kpo^am6A@ajP(RQAcIEk{L)3^<bEqfpkwr5X#|
zag?~R(-}`cb1qAJWw_S=V8Xkk%#PypBUX(;*`V#`#&w*FUD7uXbw5T5Pao}(K?%W=
zQTx0#L+LJ`<)>As5<jwpvVYj$mx`OYUxVQ;kUJLNiGy2<X1Ui<3CU6KygqqQ7r*0n
z;&era75zxpnku&*OY1Q28@b3wV0@rghhD0(=qoyu)p%rcA8eB<*XZmyZ{28oEnTAl
zb~GxI;Wo2>lJa+5mXmk3s5(a>42jl<SL2d5J<M+$|9IPvM})H87#Vy(qJo>CcLOgW
zt3gy)nJ(9FUq-T(2B3=JQ*OhmVb!k9NP$MbNE($)KIh?fZPzozbV{81D3&|zs~~)4
zyjo$9CGF*!owaRHf2C2@B!?X_px+}gnk`Vg&=rTshK7{q#T>Ww>i6wl7ly?53L4d~
z%ZUepuDN+lJ^R>Wp|ifKSp&lQI+MRWh>XAlwm2i$f0bm>aw`#viXZzR`W`a_r7cuf
z9{1Tg8$F-b*DD)oddecQh4aj@aIWAXHx7I_gcKa0*T0{`weiU`RREnhZR`_uA4`9*
zO4_W0=oKkazh*>W2+MF{(2fS67VL20i?C|x2qmy){jiD)F<Lmg{&IyPn(Of{&MB7n
zjb6Xg^<vFg^~(&o6J29>c?Cl~Fq)atvmO@N-6{r@PjuDi4Ax(E{=pZq&XO(Z;fdmK
zLS!r(cH+mAKo|l;rZ_C&8lc23!)Wm?FZdzfqw`_?vB5_eK%)}!@AHkAbEbaWyTjeV
zic1^PrS3Lzq4gxN?6Ulof@PY3Y>~>>b|(|H?JcnGkI~Nlx!LTYY1b>%->d|h?UOs#
z5ub709rsT8^whL`UYykE$gX>trm5#l<>R6=|MaU!Rln$4KU<f3NwlmfeZLJi3BJ7C
z<dL@DXrxrW@5@cCNP1nnzx2ENxi96O*s1C#2B=1a&VJtAw^Y>_$SyuQPLa9Uz-7Q4
z6T1g!6~IAjKIW~&OZ-Os11py<!p_X8D8D;NuA!A+*`eGAeamf&0z;e8!1i-jG;K3S
zTxb|M4h~xAj}>NAC^_rOUqCflA0T&aHJen3cuM>jpn2D;q+x$~?j#y9CEaGE!)!PH
z%M&s)LVl$E*Fu9x2Giy<r=TTC8-ICemPM?Ctkrw$AIPicgLI~yCHS=-?ujP?Lcex%
z-9+(A^%rhyE0oFiMLK`czO(R*2367klZU%RnTF>(;<GCz>30s$5l1%Jw;`tTll!#>
zg&igcC<RSv+LII!-)$Kmm0qgB8_;AP)^}Fn#UW;l{m*y%{L|R%sbf0jA2kvcDTwKo
z4l&X{y%c6mTvm~AFAeCe<y&-rUi6k9^ItwwtrTXm^XR7zod<YY8%)i;3ysfb4!!+!
z)`C1?kBzcq7LM6wb^w?K*uwn?Vm5|b>|_v|GSK-~5w}?Y=ycOHJg{RE1)5dsjPA49
zp9GK^8y0nNks6wevxl&eUx#H_FJ3&B(n_65qWM?2?Q6jN^t>!K?PEPvM7}O)w+SK-
zUsK)?tNI&}5@EN5j-0BVv~XA0ha<qwSFHUpHv50-&l+nEdOuJmt<w>FT-c0#;5(`h
zlTLc-=C5_!GwY@Vw%K4Gmw4QFu?k^TKPBC|OtJy^PFkQHE9wUm&XTnt`fO8WY>g^z
zI30BDh5S?MdxE4js#e33QMTG?ZLb{}?-xW?S=W}rdgfffo4-QFr&-M5jFf~eUw+#>
zuiX(H#A78N|Hil}d~NXE^wT`wE#vfDaGK&&Kl^hg*em3yQ6wviTXmwb)noFIN$;!g
zh$Vuw)z>(0qO{a^u<*~xfe(1;Q|NL|YG0h8^x?M6uhs6`!~AwxK}OklAy1;*j{pk6
zVIw`o4@aV<D481PAn#eX(ggaV_{P&KBH0<;n}h@b<!9@)$W>4|5Ya7pGm#7Tl7T8}
zgw=Ievm3u5bMH~Fo;Rx6S^K2`>dsrykl2H23=Deqi$o9J9Xg$wW2FkcCI@c-&WUxY
zuu)fcU#}eHFI_>1NWTrtk^14S@5P}fsu0}QzOE)~TT&nxD-8ZJL8L(fEj`bj*6$BR
zm)S{<5_xTQVBioDv}chT%$7cAjFYGc`_e(A_saXN;+`&+-CK%BaGI;GjPpwNVvFeU
z4gbST-iSn#3wbe3&pHGL@N+xX$Z^s7gMj7^UDSJC9e=+`!Po+#X{?k+n1IYcvm8s9
zg>}aIAKk+zXBRqAPOoL8S3=p#_^^gm3djdH1-Bc$tOZXhzc_PdgaFDU8cQ2HvEB9V
zlOTIicnzaAhW%G9O<W(u<wuQzfSE0lv4*(Qvxluf<QLH0751VYX`-zua0mQ3ZN_qN
z==Z?!K<~GlTLgVt$~I-37F@aCKfZeefpY6oDjNM)0}RoeS*VG0y#;>QH8X*>NFAt>
z5XW;nX8NfEnOfl{chxgGhv}HLm@Xc|=9xx<8{BEuy{OJLeoQXHHC1jt3-3^YAWStm
zwXt+fupK&YW;I1s)WsIlb81}3O*M=V?4$FbG-hc%yuh2+!GLYYWjfsXh8Yd-^jfZs
zinbF7JcJbW2uRXlVX3|N^A$?|^9pae@f0Rkj5*_yw?vk)V<J{MPGME(b#KU{l<p8^
z;n<JNooG-O%AW(QGkEAzD6GXP`?~%NY4VzN+zumZBKr_=&T!e8Dipd)<TT5dRD-=}
zDsAb_6~Y>@Ce09=<6d?@<g*)CA}}eda3RQ;%kSxD&q#XAi8oEA!U;Y~oC@S^b_lyf
zK2+|3vhS6}UbB)l?=K;v87BDW+b!M&bTE6GfwA{eegqWo<|?EgiRvdNHQ%;oa!dwq
ze5hUX;GF!z^C4~cY4*myg90C>7>oBS_CS`^X(+;=_4UtmjQ0%`JnXa**l%K&i?4^E
z=rg=hTIwYede68(Uza*FSyBj)L$Zw?RfL7*qgq5R(ZKzVT0Rf%jwl;Y-Rl0UR|SJN
zzJj9FT3{-UpC9hxPr~n%vgi!IGaGsmIpzkZ|5}Or@BUb;!0W&#a@GkD>|m#hipdpJ
z=ScX?s!>ge^JVp!HXP$Lt(#zEy{{o8+D8Wc>>BN7dg_y{3;@-j_D($_4D&FMWEn;D
znAr+DyAc+94@S2kAs5T<6+(M$6v35GG<Wk9VwQgG-lP-jH@3*LEKLnp-6cn+;}hA-
zS-mMv{p{mOE`?cO0A&QcsgMmGfcq#I@??v}4|01be$(V3h#b;@CSm;vlrzX-H$tE1
zR&=F7w@L6K+$BeAD24X(f1#^+mp}?_{X&Px=lfjpS)?>cq@cjBs(5AurK?ms1Cn||
z-vRpW5$cU4tCAxPjjwe-3Lb&)j&`Qa784A!sQ*Iy&OjBfunLI5w{eqMFK3^Oz-V_X
z(sUZZ0R`Q{n=#*f-X-^;qfT<Ns!-GYyp{%?S=MRZdr)_;jfqwk6Q&I{e;GA-XBkVs
zkras1x#=oRL9eYpqbxn`ZIsH`JQZM_M%t09dk~)E;+(iqFXR3s8JyY8VAz8#$@O~a
zr#-dw^&Un^MxXbD^N3-x6fJ8I(ac{7MFp!JISawVkDNbZ?)PWhI=|lx0n!fv(XFdB
zFUd5TA0&2nvwx<cmVPr=-v77Pe!hw{qq(Y{{mn)FZl=}&<@X-YoClv2lkw^EejKKt
zl?t3pZlqbSBl@o$Z?|>jN7w>t<UkY~qF@p7>Vq!Z8}+kGJ(sD-YZEjLjEW1j<-1qq
z*go&og~GlysUL{VMHhN<^lKf5d;}`HB0s3MJ@0c8=(1q%?_uUX?34uy8M268<mJ>-
zh+F{C^&ItRB_EQ$FYA9d&JcWgE%nebNz@~&klQ5LeutE)=q6G6jub=sj|+DEmiKJb
z(6htOldV!_p{a5i@)^RFw{I~5yj*3lza}2NdBdq5{&)haH-hT*{6X9L>9nlKW&*vj
z81eW*N*7<DUfw3SqhaR{qpW{<bz~O?NM^f(Df1#6+B|451%ns$ef}odeOP;}|6!ur
zRz2kBK4J&spjMOn;aafx1K%~V<tm_eizFYY$V83;GkVY6Ea%{jA@!2c*g|%l$r2ce
zhd7KYCsAkQXLKO*&bHaZ)6UMb8_Lzj8q+>Ao~Sih%;d=rs0IkTbgS#<*J_M{IM($&
zYbS|cvSA9RY54M5YlyP=@bw#$+d1~$$i|=SX~?K|li87vf)b<4%71;l+dVa7)!iRB
zwxvzk&mI2I_MU5MXmuh{8K2+pE0)xrh2mzfdT=Q@rYqBY5Hp^7?H7!MY3QBp-WIx^
zN0%3VX{YRt=HQxY2WyO#bma%`ivwM>;~p3MrL8+6mBnQK62D|0frXy<^E2jmO2<mo
z*N6C~3fPq<AQe{ap5Q3Avp*Rm^o<Q;d05o6`Fwijiev02)HafQI^DUBOUAFqmdgYb
z8LVg2hVbA^82CCw=)c(0d>xzk@R1sQt*ic+{v~I!yn^ZNh#VFh96dBGNyW97;&v_i
zi+8y=kT<rPy}^juIsCL!J@tsCmvh!3__1s7l(SNyo<XAHF9q1RjA4N(Ox?z$5_F#|
z%oo0Tu^(v=ypFAu$N7+P7IJm{9iyKF?_*9RYlLApGzB1uvRwPY38sL9(X9!?O{(;{
z)qD?0_oD3}UfD~<NLpYWmXuDWJJTwhE3k-)t>v8g)}cot7qBMvyRxKWUV7~}3eu&|
z+%}PKtAPX32emeck}y_^5b`1mS3*f$!w9HLc9_o?-=;dRO8hlOH3=XK-<e|xhoW<e
z3U1NU2~Vjq5<aUX!rDz2>k@}O!YT9@^K{8~DBlu^l3ofVoq{XZX)mE6UZg?jg*jO_
zBLl+WQq)tBb!B~_^AF{4&r174rvyf6$tI7#TDxi`zl*KbK)(+MYc0o$O9^!&?6H5F
zcm;qLd>FB>==?H<Cz&~P-TXaItOz|LmNAa)#;OlLR6a$v6*X<sZ$xc=(=n~RHf&DK
z-2%$RbabmNt?<@H@!cvV0fJnEfR9~a@55;FUTuQpH&)rKulQRuzi^ex2O2qx-9!GM
z8VuD5k65+|1Vz>G4$h_Sk3~H?Wqo6}Begk-3Y2o7oGIjzF{4HXs7Ea8l;X!3YzQjQ
z_W7EQ7_dwzU-)u2xAF0uU!%P-Po&{33N7sCCc2*E_%2oGYsLuK$Z4J}=0d9`6+1)6
zV0!cP(#b=d{h_~HjmSRBM-ew>yZuwfvee-MvL9(#zsD!mE96$ijmYjuuFO!v-d)ym
zbjL2~@E!CbkmR4-KQYVE`GULkHlp+JU8QXI<?zfl<_<T7mg<*VJnohN%1?_l(U`1@
zUg=Wv;i28#VE?HuK^kmK)l=k!NPeQznt%pnAXD#?e7#p_*(Y)xhWF&!z{Xjl1)z3#
z9{D2k6zpLoq^X*cYk$)20%g0UTZK4WJjElwGwvpe<-mS3i>@L(_6h&ngh60zN;ZnI
zzcJx)N4yJkN103XZw<3r<h)ELNd?(kj>>kKh;d_C8=7d|fN&)#h_L&~G=^qSt<&P`
zd%Jn(RDK#lwRDLq4MBCo4FRq66!pA%_gv50a6f=^+Gc9Bgk`A)g%m(*@6{1z%{R2w
z`zx4LH<zW5>r%JZU`&3TT!n3!mgVKPC?R~aDz(nmLqQ(GjD1U7ms+Yyn}=IrB&bMI
zfzLX~M-aP!l0ETdJ#3=))gN$`$tZ}H4G@n^1abKfvAg~9M;!8Yd{rD72T<eSF62l8
z)^&%_!~_BO`l$~tE!1?jDD^&#<mL3kj7|@7h+;j)*g|@;+BNu*UaU!bDM@)IaNOfM
zOM#l8QeXtIiw>&Qm4kNql38ip38+H!S0XstLE|7ckJ2a?R$65`IAMG^2-0_V7gG!K
z=tZDw7+Fm-L}TUV>=_EB4twGLuJVFm6AJx(Tw#HFDU4C3(MF^(@+72*0{AhOu)|VN
z$*qwBDt#Bc0>y**j()IJ;tA`S&%6zunQed%oHfrJxS^tQCvk5-lhzAQ&`Gtbv2f}L
zMYC-k<W?p{v%R<}rQe?MP@rgPNh~fKCT1p;heSizj|3sfqoCB5XLZVN{_!o(`a~fd
z@#6O3<kER6(s}XHMRU{6`E3+yn(B>BbxEH?a{$M~)p31neApl8o(9qiKh9zo&;8LC
zHdj7FR^IzFehoRg2so+_*{_$^)W>kFkEN<{K`pMuX<`olybiqmcqVA15fQXDfx#A4
z!}eEQ_j;!y+oYnIysW%aj?X2U#U<Kg>^EuT($R$b7a?aMXjob`mfx%x^3QiVUdok)
zH)Z~8k*j-slN%*(<^-bN{XOn~wksBrXpG_s_z_t_mg#xOb&9DF$SsxN3CXd^`=n5u
z`W{iV7t{#cFB#85zIfy^AlmKto&el5Rh6rrO^@v@ymTq}AXc?zg#Fa@Scl=Rz_{ir
zNU^Fh9Z60~0d2BK^dJVE*P|rGN-t8`^>+-soZR0|VJ@wS4mOXiCs}FHB6TZl9&-AQ
z!?2QTCw8b8IOUQrhJ%q!Z}rRzlI5=DDZ=Ks;E2gS?4QwZUdrGytD&M-^gc(_FEJ(`
zrZpstskwW_DR{X4z)krg@N+S+-YuhP=k3+&Bf3rM)Q{P}IxoAq5m#dUR0L%}#JPdo
zCKLW0OOp8gQt|rE&?a)gS{x3A`@p?NRHU!Og?e$sMJSQ`8w^|HUnb&wFG&b<#`O-n
zjDMdr{cd^ZKNuw&?rUNw=%oVciL8*5wP%6LvfD`F7373>2U2cEOZ~#Rd^DV4`Gi?I
z!e-ec8M})+Wx~QA)<`uV&OW}ErE^at{0E%a*U{+PokSk9=5UFePhKY5C_<^d&lu98
z-9LW(>Cmedm;Na@Hc_0zlOws?DY}xNR0Kj%6UK?qN>URZmUb~1*_QiEYLtPzHKWA@
zk<zUo%6F1kx=U9-?dzIQrpq<O!>rV7zl(WqH?VymCR1Bcf>nWk?CJeMD%j{=4b7I@
zIIc~V6Oca|sAyH0ip)-+3_ga$O<Ixkyi8kRT#<SFf^`_x!#t{I9_vsRp5kIz)H-F{
z#F2lOr5O)zNKa+gX5%c?NhIf)vaQhjdCEgcXX?G*TLkbaki_K_Xr)iWS%I(V?!Yrc
z2B~e_=!*YX$9L?LdgnB+R0x61r8C(KXeX<eD<}fA-xtJY?6WAmn*!VFH^2ACK;zV8
za<WoZrB=idj`uLj{Q|b704nsNaMKo1pom3bzFu~f93GL6(o=Gtie1wB6kih=OiOHm
zRForNUh)V?zwuXI5REQkhv>un!O+h?Rw=_Ok;6$5)j<Sr$1G2XcOF05NIwYQX{_vV
z3#u#b+z9Xyz9{Ef_7N+lh~kj1&?<IG7Lvc8^j`Do{yXo8xQ_CA>wLSvVvmq})K(mv
z$SX>F9tf$Cc>l6Q*{leFAY6EqA^X`u|F*qw>#E4>Bb!^3g(`|GqKi7)_sQaYw;qO{
zsT!1OeI@5S+_c1c=B~WL+9<oG%0(AbWuucLntwG3m))4?q;`pk)MGsw#>*T&8(D8D
z%4gcEo_kKE9tWNwN4*uHO0Q1HQCmr4JwbRXM+K+oY7dU)SL6@m|II#2|9K^P#2kGj
zyw%nTHm;QI5X+Br8&a_CWIJXP;>e=cJEb3}PJ=nq?WmLtDq96~$~nDFjUX1~!m7hW
zL`6nQSE(d9=E(7Bg%`ArZJYcEJgx1JYcK9BuAYZaJ66`em~H+hr|cpBlhS!%LIJFp
z+%p@4W|{HWr*YI!<)Z8qHQn1kw`x7+${B{5%F%TTe!C^-1OIv|;HAg{@byAOJVoY)
zVlWkPf4=)E<CTK8Xkf?uNO$^iM9Ur{ENhVGM9oM`79KV?yekUTT77HhYnEbDEp)+P
z&S-FBsGd$`N<4(`p@p_>BYqn)4YdPGlp8=O?`9B!rEnFvHK3K`8K<FE#3X$Or~+sX
zh*$6aepIP*oHNvkru}}DZCEZ!iW4GdFUG3pTvnubE#g@g^Ols+1szBj6(df0q%1om
z8a{__{5Q8ve%Oq5ik@CAw@&@v{}FY;bku%Y0}XxB`Xh<a2vN*w624drJ}4T-9~!Wr
zJj8HLu8oYb;zo~BS2BNA4Hm>;nHxziEJSq+EJKjbJ9yz68EewM;f~p5Kz@?Ng8qQ)
zON8m6s9|82O*iC<O`lGC0hWqLl+6$&A5}B9gYVDkGi<*(+=&bi*AG{Kh8ZuHczg-e
z(m-MKXeh%dg%jvq({>2;+%rkvtJmdzFp7A3`iesmit<=k-BLqKQfVC6k!(NQ7NQO5
zgLM9k`~K;n!$fd$lIGH)B9v27`$sQYq-~+O^4#^p53#tDpSMT_5vg|5pkK~De{)pf
zZ=j4%yvFlY`~wXho99Y2i_vwn%^}<al0Q{N_->XqonIsn0y$zh*JQe)8|Zbz^bV$b
z(<;3Zs#EhkiN_bt-LAAZ$@;px6kKXtp4Tnwbcq$~>&ffL>$wwuzi4{pnTh`rLqPsP
zKuHA{w=SQ-DVrY#(fKTJE+ZV}gff-Gl-VXU52==r9DDD1Aat0Dmxt-?E0;LAu7>Xh
z(2!GVXO9l+rWNx?etXz*#h(YKF`<lMhi}k8iO)_(XfV8<OB-uT^i-?!agzu~T3M&~
zbOY(n^^G!FH?6RSFl9x(YkV@&_RiA^C(;{_wbU&SS@7rNy<eI0R;R`vJt&LDFV*6`
zuqnr`tW=-DzX29i*GietH#0W8qWvW#gs)$u{>b!m0nBWr^QCOA9J8F4LN~r;B^=-O
zKwFTO$!*2c11Lo&D_}&UYW1B5H5NV8cb^6j+SV=gusYmb`V(*JjqJmFHdXXXj5dD~
z4Crs$U;RJ}k{A84JQJFQ0q@HtJLmr_U7sS&k5?A14`is{Eov1QQDJ4hHn@*a5TP)Y
z2NrBzITV}~hr4;B=Hd*a(+m6s`9~U4&p&5PnxXAS5F45go`gpg#o5LSwGAMfBUuRP
zV{9&YyDrg99ESWpcBRVDc?caDe~EiV_p;%!v#F_h;_dlQv_(@7Tvh5KvGV@aB(4i>
zWAWA{ks1-Vi|>krq)Zx43U_`3pxA#W_oyTP&XhB*^sVWzZIVONOl9a7kMyO|T8SSk
z{=L_;1@bjx`213I_C;EY4lS>noH<icEWRujwu*l6qvglSz>dY~CmVX<SOt~ElvN(i
zl%0=w4lj&Y?v|OXc5K|NeEHCS@AaS;G<WplRCwLimLcn{dc#fgP5pMmP5i~gz8P66
znLmUU91y=a*_>Q09L;^g&_!oTQNl+RDFQyXL7VF{%@{s5u>Zc0?buJBchx?pK*p(C
zoh^+PKb6!Zx)=R08ouOP+hBU^gvX}IVdd(PePvKiQkD%15GZaG$gVSJ$j;vw%-qd9
zR~pM<fN=Pfp4(R4sc>gabEF%saX9IvW|ryFsmnb_>0_c;&AfHgn<~q#5T7tQ@tsSU
z+shl}AkkCMbE^Z@rD<F1Y*WI;#`GiMb{b<QN<Y$E7-|te#_Eg`DrJ=_aHMfQk&{!b
z^4cooCdrWVGh(w`t3cDO>9l!<Sw|el@M8U;P7FG<9kR7y&;+f-FpMxXI$}5^95tLj
z+#~W3^c(yJOad?m{6aASGyx0&vjBL8XEMMI#EXr@Y9W)xlFYyDn|gybh~uwxJv$r|
zS;Fx=bHlO!CPD@~IK*Re!V>+NP&5en5?4^zIgdHmvsp7)OjIF>3fzkxh&hn^;Pkqc
z(687-N>u?M=XQH!o!Y$|^h9y%pi6_AUSU=@48*otC>x{x0yTl%+dC<pL6$yLpaPkV
zjv@4FMdgmNt^N@LaOy<nq8%c^$g|O<2_pozhthuUP*a2>IGd8d!+!ex@HonvLd8Nj
zIfavZIZ2cWp_6DC8(bY=LVRXqY+y(wf4^HcFGn6tg_0RjC-IOva>)>_i5(9i4LVG=
zdQjLDR@(KQlBH`)%xJ(Q&}h_d@-W$bMPHd7lEc6+uNS^8qlM`@8}tssV)E;mghmt@
z4?i-(IB0})>W5!)W%!j((QyKsj3zd+133s0+8*+;b3v{O=er&q!&|`>#!9XCF_}d=
zc>6xEawH`$suzTmcqx#U?yT$)XondK)Z#Do8P*p56I{?uK17VhBD_oG**USvOsV6E
zHp+tMPS^9}upm6ON2q*Pm3j9NdZ0g%k@}W-w=2I%#MC?CEs9xz=$rao&uQjvPr$zH
zf?U`!4zxRv)^iU3%%trG%Vv}QXI+v)jxE!0MubEWE)JzdcVq?-&6pV5{o~mMpz10`
zKyTpCrI=)_xUX@@>l&NpLHq<B@dbUa_Dw$zCDIe~)N{Bg{lzY|sJ#c^@HnP`=)bfN
zTmM2))3&)mK2qlf+0aF1;~4Q;jg3%HT`}`!w)^lYR$-}wgaMqQMg}%+Lj%Z`B%?Fi
z@uW*?68oYUS4sn{MuJD85MDLg#R(fGUNypc6pB#gsP|^M#zGs+c1;NI;h;Tp*q!3P
z%xb3}mB$hBZJ3)}(68~c0(DkOqg{RNrPUU}hGH|0+=-v7!SqB2Ah_Eq9TCR_UFWVM
zcj>3YLuT1<8)n<5?Z^$=Yt8*E<MDe_QWpO}Ks5|w;Z4oL_sP&jZ1Mz3zb>v=Vmz0y
z8FboODy<Sx{Chnov$eP|mneG33q18@Edo7snU&vceUs;F-gV(++OCU6cstTKhbvvp
zWj4(9Z+>c9mVX`_cj1o>fXqmfq_jXH!6_{Crt9PaA07A}QAU1EBvKYIzv0)=Jvg{>
z9_acMpEh4EHlvsr!u1|?s`?L0YXr*u*+qqGrBAG<f=AP*#e(r6C;g~UWYXinP=)>i
z9o#rls@^}E;J&rQg?H|id>^SQ``Bu~7HI+J>#6Jot2vTWH=Kw}4Beh}ts+>DdJTXf
zB`;a)g5F<G4Q8=jZANKvL!>6ITT5_@kg*86<0P%47-o}OQcz;AVvn<Xn$2p0v6rx#
zg7}y4C%hNHV${Cbv$B*KK&evEUVQ?KHoj_O6Rh-m>BDbQg+xEDlMv5V-q_kYNb4Cr
zQF5gU%eh#6^`(UDoOn1<KE3Eu--nRxo{_uq>o0iy!^ao{>q}DKV7q~(4k@SobKknm
zgAWz$(YmyEeY5)tSni{e#ZVUUzd)H^OG<uR5q@N0>o^kQL9G7rmPF6zrSw<ORdCky
ztn~sg2)d06D$EMG6rpR4>^Tt}Sd>*V3(VL;UYYDPT~q@ykJ8BdBbZ+J41--=Dt}>)
z>d3qJgUJ97x0Q&FT}GDMIC07%u0ml0iCsO<c<MK+J1a#p$#>cxvz80cgy{%0mUhmI
z-c9Y{<tZr{`lrxw&LYr+1?w#6`3yu1Fc-rqYO%xRboGSkjS+dK<ca1#+W~nYv(VB#
z`1(~l>&-L%Cz`m_b~xO><uBVtjC~tgV)*%DG+iF<_=(c!9ma$c4Zo5x>IuxH)WkF`
zbb^<S55*eE-IrQ{A}m=oLuBeu(E0&lto+O*>z>eE(JE&XXAg`=Bf@gOz}^R6zW<{O
zVwTR_Y~NG9&%$$Nq>T@qYs?4O7e!dqW|%x6DucCv<@RvawsUZOn1Or6QVfLjL5UC6
z;#qnfpU7P8Tv%qWp|e&tE=!(wVYf!YnxHGMB%WW77Vp4{t;HCAj$KKr#8WCn&npMx
zL@q=A9`-|dXs;t?$fqdFLZjf&NG3(Q<Pd~EEsC5N;1+NX0)wFBwAU~z<TBU=t&)lr
zJyoJCHj)6PgXD<07J?m@SH^!mjWQBZpSx?Vjg$i^@RBy#q`IXwE8r#WU|X(e?D!2w
zg+*~qlZHE_CC7A8pE$jzF3Cu)+@YrnvuU?#tVG#|d)7h5W{0bacjG#7$VPV=t{uo?
zbp;j765p+;-VJN<K`_|4$eo^mGoo7G&$hJ}e$dTEo~16m)W2!`NE@|^1#0fcN982l
z`q5G13}Ik6#K+9>W6`(!(O5E!@3Cs4q`$Qxtx(Qoz%XqWctD6ZGtDqS!e}IRc~}WM
z6639Gb}M~{!&drLR5V*hTQn|WN|xQDM^6d%)f9L4pi&jC;_EdOPah}(#lFingv96J
z66Ldq3lt%`;8U@?V{Xw`fh!i$MNB`+(JKg87v!C~Pomr0b9;!EG40;r@AYd3^<BjO
zW)RdUGj}?h>Js{B@`oEVZpF@euNBXmE7;QTo;s;cKa|Ok#Snk|mBVuKj-5@0LHios
z91`PoRb9dgEIb1~lsJ2{h2Qx)y+C3Q!Gp6VRRL?sZG3D|U6|-;i`_KafBz{5{Z!?!
zp=46^J4mRCACq-L@Cy?;gI5$TLX5y^pL!A>L7$Nbg7>)~@p8LwV$ud*B)RAeM#lG8
zFwb6~jLG71Cj=c+r7s>yNdAQXcsqu(ffn673|7GVkuD>;O%;oF^U+yWt2;<e<M)un
zJKc*|{;u{+4L%w}<Cjs2D2e%nLsze$fig>j42qS$3e=JTeHcbab89eP24C$-sRXVS
zv0eBh{=Ia7pDK&Qr)oui!?;60-P|gzZz?`fXxg7=cqR7u2G5Dg(A&Dc65^p41|XFk
z(`#h{lYTmFc;6C{Y^f|4z2IRO38!nD?rAIpe<RJ=D7ppCIwNR50Hd$hrh&zC%nsR1
z?FPM^oUnDJuy@QQgTn<O=lrRUZ=0h7d-Y1RJJZOQ2r2$@F68d<Ity9o3ym8i^h0Rl
z4PS1mp$;lVVT4mFz{^2f282#M7I|Hz;h6LyAVlS(m~qk<Sqx0sjcYcplH!V5?PvuB
zqs`((j8E^;j`-gZKHt<A82)B%Q8m<iX)aq8{o^?tK}vqcn23X)h|XqDf=XJi#}9?8
zt2Nd3n+c33wJ6Yr^Hwp3c@4ZoLKYh(y-6BVjBGyTTkKJ|*#?=?6q`hA(QZUmR`{7@
zuG;e+4!3wR_^BJ;<!Npyi8JSG5x>G7;ZU)fn2FEHanB)Ac5Kw;rleF6Yq86A{Z}(d
z9suST@HsFjC82mxE`(jbbFDU$6+J-mK+E{9C;qJaS?)u{?qA?z8hx;+6nQ!G{$E*Z
z=$5`%iIysL>;N~VFk=<xj-vu~V2nohyn%29yXcAKvV97oL8`Y?g#(j6Uf!egk`FG;
zp<Gn?R`(91=Th21DbD#0lkeqW;RSsuYX_EWZ0bUNq`GB19cwDfg!9%RXT8aN&$HNR
zL-^E}eVN26=dz5XVl&yX{jTxYm5C7`^XqBA;`N!kHoIBIi5H1c4-RUHdhym+z&#;e
z3kvJxN0e8=_}pC;!;7qCg~se`$32PGUJvCUNN*C+IEw6MY@{D(-N5LGd;XKoz+py4
z>lC@6S|6J2(_-YAATA~6rnBe%$ZHd6kgn>skBuJWkwIHJ8)akz8+%iUV-j%ASCF4h
zjF}Nk5G#;3OQkJvKVvlS>Q_EFoC;dhP)tYwvwy!L^+hcS!1UrK!M>)g71eRhkQ7>y
z`BPYT5a<UhwYVl-S56_@!!Kmea+rESi7Af3>-lSWfG<}y!(7iLDOstzP~oGz7qhe8
z>164ZkH^&VOws|khy@oPUC(}&H&6EJ-cqfVp1SWv#Rh-eYaorNvC%f_EEQT;$;87L
z!-cp!PgJ&V^#c7dWtN?jld}zjcQv<8gF>06K(!o8QHq{a-u5C|BN9{j@DzsQ*PAL)
z`bY;AADjO%R4UBM<jHXINg7~vuUh_#X>K%FfnyMtIE&es>RP+qs@>kepLnX+Gwu~j
zH-@HNYe$1yVmoo4Q+WS;NRx{xCf8wLx;&d*jml|ET)<S1)F(b+^ICb9wln1;5pyax
zaIAq!JQAZl0X(mPzY2P#gEVnzj6_pU5Srzm4)lzQl3PHSvu@0hv9f1mX!*aFpF8jo
ztVfIT;Kb+rscxO-Go1$U$A_$Bl$i6JI8Y;3g0Qt)RO*eg07=dnGiGbw3~f0&g5MK*
z7Q$b2B5ZSAdSbI|wCGAnA33AQWL=hq@DbU8T>Q^S(VXz-o7X03yha>J)|n3{T|tRV
z%S>Sz`Nwz(FTVVGwN{|R>cOEVL%9fPE}&D&A#ji@35~Y+TL`~o-#s$<c4zhz1i7bc
zb3;0q%iySa$gUFCa?AAO5Z#{ElJ}bE9D6-t%Ru<n$|X_ONz(LHW!7|4t=t#(NI5w0
zh)vrW3SXX98_T)mbMxc-WV*~%%#IFdw1jG>Wfbrgp^PL&NsQCESR83jVR%)?6jGK`
zo%nL$)6x2UYGuyNY4kEB%I%VF35^yr#I~K!T%RP$OjK^odO3t+NiaYF?WW>t2MP(K
zYo+jXa>-I-DFto8hrLiv#4DbD*x|@pCZrtSIi!(}<dw!BWzD|Cw2gwe*yGSQL`#T7
z$9iD)mD0aug$sfr%?;?L%(j!|MO{YnQR&Qu<>fIC2^GC|f+zL+Ev?_>Jqj@~#zO7?
zkbEqni0_I4GW!zvgl>_lzcWcP6tSu>;N`bhh>SSf441v~(ixqzW!7D9kHE(DwrYsk
z>V{sAr6OdNL|-w_#DTTRcw6%J^C?N9d4>3TMZ<N`byQSnsY6;+1a=dY>DjzbzJSl3
zb{(k+@ejjkBL>F=?yl4rS*4ec7X&axVe&wn(7!lq9=~V6Fety1zO6_DQ|xRCQPfV?
zp^a*Y2GTmN_mjn|$(w+ll~f1A1W~8ef=)#76&)XC9@f|s$|o)@qdgiDc&9hYsUo0u
zWb(TceN0(gp5&dYlumY_`$v(A%33W^9t3e}vtefa*HsSxie*vNXtrLuG;?Y;UXG%L
z=dcr<>h#4mk!1qz_hyLDu$9j#-{w`19vsUEexeEp<GWN&v&9DGtkq%S7qHtsOu>7a
z-^i|Nu&Z9pImX#F9=^TB7OezIAVwG_8!7V!ZJ?`^F>}jNl996|7@6o%=Bg1DbI!%&
zyy60jDx>ujMXA;I*0+f?GU?u3R69&&?qQ2@*E;#b>+<DFzM|m=tIpYN-U4Nt0R#=B
zwxMDr^7YM*urHaKlfFjAqmpm&{WJ2F92I>dwz1Rek$DP6;yQ)b&=vMlc@+Yb`y2Bb
z(c+O@yI`Q+L_aQ|+KR*<Rz9E>*&2!PN3t-LV5W8x4AtESP2nNBpR#*kHb{z&gtzYx
z5N#XavX(T2VGnAHl3z+sVhIs}{7zW7`_b6O#~0UAf(dm>@7zOW#YHYJ!!6gZ8$QKq
zWjj`lDU0tR%&Jl^hc2JHM<s*SwDIZbPM2kxx_IM!kuzH_TdN*II<S4t;>vyeOZGen
z-x0g)x{9+JNjh6{^D_stu&i;}6lY^R@hY$xJJOrII-1qKR2iC{AHph8sEYuL+Nxl}
zkCoe4K)diA=EL0&$jDO59$wy+<a>D3#yy=ivgfCw?eF&SvcsMRZ>X%m#xQ5Mg#qYh
zjQC;Py0>@}kKx9I@jP-jVAi{<bo`1Jg@EJ5g-mW@UPN;Itj@|&nZD4zJ7Gif)V%!}
zuK`25ptFZT;{6BX<I%N$d(udDq6Hd1Z;n5H^vst2jC{nt@>*uSK*r}tXjRyxlTRUy
z+yT@Vn$h-f21%VO$N2SeR1-Eg0i)NxQUkvaU#~R2MFRg^EWMgEHQ}ti$5l)kxVnN-
zTEp`FG*bCvLH84#PeD3@Xo(oidd`f2zE7#Yy3K!mDBCQ@RwkWOSXDR<Gay8<rX$lF
zeinoQ$4&zc)UO~+IlzP_<Y4qWOty=ve;))&sZXj?Q$=cqZB%da{{V^vtqAqd(G%Lf
z^4dk;M>Yl&I0+@cM{HiAw}rBNM=*1{eUUc9?n}{^(@7(e!@%y<!YuHdqyCgI)R{5K
zg0u>n@L4E9P-&**jv*XPUqiY;u;Z2GZ-PGvS`}`a5i@2~6(;gndC0XOFfbW-rTFNk
znY>UDXtI_}|6(TMg!U9vofnntwlQfV6_*(f<4FSB6ZV)0UODeYFvIvFZgQZ-47f+~
z0z8}3*gEE21axY0%bMPpoLkPC*RgVXuhEUm>xA-Efny6seXWKoynU6J8)F~UU;bo!
z%;A=wf9K<-LKY#iX+Qjn(l%{dl@+(EMF;PvT%~_yy4tQ&z|yaC5JX8zR^WAzs(%O>
ztE2ayM%IyZU7rL6N^yrLxE-H^lDIcVNg0G3NrWZI8u`?42L*zvFn>>_&3b0_RC_65
zg4(Ll-2Obh;~=r?C{jK{fS0EV59iUBd)nT*2Bl1UIK-kCtzghrCuh1Kk+~Qgx`CAP
zk>`hLIeWoVS9tDqLQ8iamCX+$N0u_@S+#1719rFeP5pjRleJMYq$pSRdC$KE*MbJi
z7OFK__|rhLJ<J^4%_dG_blyv8x%|32R$C=zfeTgNXn<gu+He9K)oDdnA_=826Wdo6
z{Rtyo_oKVKSUA}owxgq^H@`5?8ZVr*66;|7jlqbCDqQ?q?k8NsJe*Pfa;+4dS|=NP
zEZQ6=c6UZSU(bBqX`WsKUZGc_2%NBI?X6l0xY$Ylh?qPq{e+8EP*jQD>JT@!ds-ZH
z7X4f>_?o~3^?4jtTZ+x`L2OhN*xM!7{+C~>b-F!e?|A2{&v_=~jRzSpKP~-sspa7=
zT7jupEcHmFAHijx)C?W|V_fj32O=HT_nD0c;n`$L_neztA>!R+F@t!rp6kYTog$jH
z?JoDO3b~_)am!V@T!PgU0U_?uSHGp#KBbQRl(Ho38$lQ0`$)$6_ab|&?wc1;mu`S4
zcxVZB{K`e10&yc*0774?Byea<-6!XYxfgpO|8BccUfiTNx49bEI-&DbC=-hD?53vc
zh1JNnm8eiD24MH)K__>%OTOFw9ObzhBNNTr%wKaazKDqyrI?GP#t<*F?#s5FNHBOB
zS(PPpOyEzudRitDpwZV|X1;%oJEA5Pc^$Pju4=jd$%@J+1r(*Qft0LCQcDY*+>Gz;
z;?!3BSCuii=}5N$lqj=&bY|^Hj!oA4nf45{-lF_E;?jD98^+MCo_g?-)qv45I}5{P
z?A4zwLbM@+l??hkT-&yRlN$k`yhFT<O<!vV8i}9GFBWoIC)5HLi8eGmx~%<D9Af`~
zYp@JfDe$Ep0>^VxNOqbbZb80h9CtA~@_3Y(Pmq5u5vMukW;(Ty*~8304#Py5rABbq
zPoXby2;6b(IjvWCJ2vTUX%kIIYsc<Fk3<t<aAhN#vf{92!~T-}9-valhD}RQbiz1y
z8;UczE*y8I^2e|m#L9@$tB*fZ-kr?9Olu7I6D@}q`34%b0ZInSO}sbyh-cr<<AhVD
z(uU4`OgP62hH?~-u6B)t9oNRot4zMPRy~tIyPVr%Nc~C%^fQlku=C8GArKD43v!Q2
zUr=IpV{v-f7VjxOz9;Bma#xDh_Q%WH$@u(NY~{(KAi1OTa$Z?W6ed$L`{`3>*OvW{
zvAz4k`5*Z5<A0`o1KlY3UQi}O<m7@6+s8$$Ji7B*#WFK*?ADK~`5p?=Y~7_@C*Cu>
zZfz}2^K*Y;k=1xGvuD;=+oXfb!bI{HXG!bAv($}<nQNiHhv~6FB0p9aD)_|uXy4=O
zkV&l?y3A*+dSrgw6b_uP8+X3eYdvn_3pS*aqiw~SxF+<Yd`FdS{h(uu?Qu-O+-qeP
zq;dIHNiIk6gNAY%il8GAjuYpL0+faNxLEveu<^81w_(AT;mJ+W@$AO|ildyBvCSk$
z@`a_elB#pCSHBMnNJXRgAb47{pPc^=-mfuSM0~^3A}t<>&&1(_JX2s|gapE_o9pg}
zUZmbAusAY&KX<~yg8@w^pR(rz(POS(g_zlTNsiN;Y^W0|ogYJG7%_2!f!@0ijU)AY
zroSi<o;YDSGeYxqzcz6axsL-#41nr|4Zi>3PZrv&v;ap$`k-{b+IlxZ*#WWo80mq!
zce?q%Vmg#$($%RZfg>NXa+xo5;(2R2q;~l>HThL$9?U2xZ)JiwpQPU?%6Nn(R$``c
zd!<kC(5oGMpetqyjs`l7xEu+iwcTE0Uj{9SQ(Yda=U|F3Msrt4-REhW>4+Zjnv8jH
zFE_Hjuo#km3<2}mNo=)|#FQ%hc*{qqMybWh>*}po+2Z`$U0&=U^#Q9vYq6!>^)$C6
zRk(k)9f+d$3bBs1e3FhPt_PtOx%e(Tqzd2zX;gh?^<sRB8irJ3WoL044cp|8N6(an
zUe=Kohjo{*Yz7=$sC`ZSK-X-|D=xiu&N?%j512ISl<BV0ep0{PUH@%)Ow#;HuC-qk
z*KMf0RlQe+uM(9&+QN_<IpUIhK_$_aV-{~s`_9QlN1B+X6Nldm!f2-)i)rN?{u1Fv
z*ma?#6$Ww?riprpMAg!YpqQT^DmXHDouFQa!pNReQew6^fWmc?j<HZv3<X8}PR5gf
zYbSfFZSd0v1KZ$H+3RGbPBONXU-j41n~FfXjKHfMA28Q!9(xoVqaP{z%5|nQnyBTH
zw4AyU2k@@gXg>ixmHzVwVO!2ZYxih3pI+0WT!{WBmn<mw<Rg)!<1BF+%A+btRtr(^
zjpll<Ag&552DOv^<mf=ni>P~x#s!x0yH>&-d-tzR9uubCkrM2>dX(;4Sf&?)xF<c}
z=c)GhYR`^9-qKp7SRgjMifC$xw7O-P1u>UIPafX9wAY9Zbq2TZmeW>Rx}Nn>Cdv6b
z93BZqp2yRva3*`Sl2wR2DC!+`KtfUxtwDt}L6#&Wlo+a<UNu?T(<kZ4up!NsM}5s9
zD}G_kNG7YO3gt!W=LCLj{o&;Ek@6Mxxc$tan`#4i{fD=a8W|Nb4;a!?b&GA6UnKGc
zLIN0JkF@k=czh6M_zzyI8i=v&(?WFWHsFw)qU)4fAu$Fr`XY$le)}(`eEL54i?BNG
zq)lL1$iY_(&fzUq<d9ddSQoq)yVPlZKb&BVVbg;zzj%U>*2}dQ@RGvvRchS>@#c4m
ze#sQN(wskZHpFzsj5|OXs{J28y36pot$_a6=80|&xQ>;!I9QY#+$z~g>o+upm*xN{
zl8UK9Wk2jXSAMt5w89jBfBucZNI)&>2J2|F?_J<}9Y1BKykDt+z&m6eQ>}QW4Su@T
z2Q#PW@k;5OzS6eXvz+r-_^n2+0pn3G2*i%kGNE;tfPb<1_1m`kY$O_a?8fLsm7UXz
z*y`!8)lq~;&!35%D&;Nh6(Ro2Qvy_MP~J$jlIL;hC=jkqEFC)DKIfBFnnSDOMltO|
zzpjaTagqM3I^sR3GMK(W@*UV$!-AMVbN26dn&OReGl_0;3kg~%g_|CH%?CS=Bac<v
z*=-nor)GH>e?@*ORc?py8Q=)Sd1qHss=p2w2vx-e+(7B0$eYCpa%$uQ%bn<((R3Pu
z4Y2FsI?GdK?>8`1w*6aqG*ssW^uMJE)NSQ{SyFx;!E8@N%>TAei;icw=h6xtR=YhS
zc==je-L#{23fgvp>ipV+f!DiaPBQV{w<*uhijb&Jd_HKEN!Lw!uUeGfk`TXaEosD|
z&46!QM)7aledVk4-#KRY9>2ssqkgYi6%#cBA4)VmeZ95*J4wB)aHxa>4ROo(8kgB>
zAZRD>MPE|Ta}|y55jSc(n6w0SqR$BGndK1zjPxl_PC=Ksam35E+E|2Q4uDA{D6BxY
zV=tIcR$Auqe#{au5_GZNAFbUp9)6%vvu038ydLY2`H`MNg8ylVKj9aAn(mW*L??x{
zRcQBMiCnrSp&;|xx42sSJj)wFCkj4Qu(WWkHD|-b$Pl->{sXDZlBn$)TQ6QMUH_la
zro4S#G%jeU6spV1sCuu8OTbSQ3In1oDk}0g`?Wa~<6|%s2F#em(iT1_aI-EPMXqY~
z6f^P4GagUvz?_NFegA^ukE13z@8TDm^EKQuD68CDlFzNgIjyk-xj#~Y(z^R(IEU0I
zr=0e-8$?+V*+jSid(<;})b)Ezp*^3{r;{Mnj9U`j>RpSLX!L5oV@0h$k~7~E&QiqY
zwz}Hi?>226YCLYfc5)%)$U&tkDuG_xEb4MaRFR3Tz0;ak$gStT>5#u+?WX6dwCN%>
z_E(b1V`0XlZP^}-EvAAQ0Vs|>fs|C0N!j4Nw?zv}SBs?HF$QCZ*9WwtP_f|>2BPyF
zcq#7ak?Xmc9J)R$u35q2j*^^-2!r6ld6=VMjX`vEAK7$Ly}QtXqlF{fM*3~rw0muM
z2;rkbHRyFyu3>5y>HEX1c^E|pQaP9hIHAXmA~EQcf9`Z24<itUunj1uz_|CX&+sYM
z$9knmN7kc!?#Ipf5|zjUre$YpEluA2#Xw8-U_m8HwxeNe#_c32F5!ZOdyFshE*MQH
z`A>waeKTm6w{fZA^uHL&j11UWtfa;CY#cER;C#7UW-NFVC}11EFHKNM;@<5-Mq!@3
z$!}nzWcwGZ1)=60dyJn!W5k9>^{ULu9m8;#JUtL*_r9~Erm<t@%f@Mn5GP{4#D+Th
zv=VqmUb2Ww=NhH@i%%Q(my;*mCO3Q~7M(9OT#R-#>bauV?MJ}yD?+IZxa>aq(9;@5
z!$F<y`}kvMEoXGOenrGOU=H{9ct@f!uh%jWAT5~q0B$|GZ4(~Khq-i`k}TUX#Zx8_
z_FlOZ(N}+8kI}WiZ_VJO_}l__H0e0Rt*Ti1@NL&M!ro=qe(v>i?)+q0!*w*a<*ePX
zFKn<$AYAo)R4h%n2X=awHk)C5s4d+Phcm&BF}}*_nW^wbNuDYzz-f;umBnr>i>UGH
z;Ad+d`yKXDAx=Aa9I`7%+N+IjX);O8NPSVXM-6N}o*sQm%8%(P;4b?;%q8@U@tt%k
ziYShMJM9A99yYq}OQ<;)S}jks>56;1qUT$^{{w75lfRyd78y$MM5+dIjM$ZX`UV8z
zPsE)FAP4@ZFbFU<5nLv?ZFsQ0h4(~gWl4m)2#f`V{}{?VL{}dVD>Hz7KVifc%&dx<
zblh}S;MoRVjb}P^y2@g}!9V$jW7%VmVj5G#y=6n!Zm5)&M#-vRLI#FnSnZD|l=!=<
zkSY!uLJt^>m@IC2;ys(cipgF@Wt=J!9LJP}e}_V(LP02{=vo!>gM$L@w$WW5YJg!;
z`hox+G66PS;>091#v~YB^$5wA3`CE3wOB~|3#c^kZYVJ^PuNjA0`&X|KtN1kp0p>7
z_8ti%#=0$&+$8=`_eKu$fkIZsgoR)uOWm%5bAZJYY6vb$Y}Ug(MKlyp0AMz%w~8Y#
z@J(LS6x1-UVjD2DdiJV76hWRyRCyPVmI;n8D?<Slq*$wnZC4usr@~f<N~Wb~>Trjn
z`E984A|+K*$aNghBEp}CBTKwg{=jOA#63A#LUE+5Ggrx`n-0;jKBH!w&VWxmsB<jO
zjf(1xrb;d0(TO7x<t!kRmfbzAsVuWlua0XjSz%`4BSV=bc$E&C3CE703=R&ovEG4T
z`WtYSl9L2RBlT7rP4Z$(cv3jTND;EBdl4`|@GI;BUHM>vu@J!m*m1|FQWGw0=`awz
zoMq%<0n#;_cB~yP%K^sNSVcbo5b70ezrrmKhHiySyCE!0FZg3PL=`o`iU3Yu)QKTj
zdbTq)G(zc?Qx(T@CXwbAAtCILF-1_xh^!7FLS3krdL2G9(+8Y`zj*X7LGYB9m!uA{
zw7IFPG@6PMI-aH{V6l{C3Qzjh&mE%U87zuRLq>{>eR_6lG0-^=^kB|KGIyLJSghr{
zZGrIm?ipx}YGb8w1d7O#CmZ3jwwdiH!EHkj9$amJJ42zWX%uoyfI4mWaXO6ceZ{(u
zN1T^Y=n*-!=t&rL5>O*tjKmx13!coH6WAYD(WqIC8RfSXPt0w(2!xmR^uom%<@N!!
zLNwtZere$dcHNwSAGfnKezF83qqFKCC=6FeB7ulRtWJfZPTb*FWJU=(LFx+qL(GZa
z$D=m*n+F_Glb}c}CqbC|h7ph1v4<^4Vy>aYKr!Oz{}Bb`uB=|kqbL!xrQ=8hTj;c4
zACL`KMn`QfpCC%Ja4?(5P5?!@BebLSQLAdi0b231$!QB@4)6&mlQm9Pu;^-XtOk1{
z-D9FPQe)`_)bXrInXC2BB9_qU%Ge@Ju!6KTf;U@R984;kjXDtOtuPf-+&iJ-uX{-Q
z$itj0pLWa^!Une8QBYhw>qex?qEl<?qy1Dc!lHP82q=xEpHm2qhm)kif-U;cg2?|3
zTLq@<jBD$Y$`ItIF3@CpEo&&?F(c|@bC-bxqC-V&;Xqh6hK0uBb|&dnIDBS4iIb$P
zmK!Ua<tbn{<RvsqDEtHheJ+1=$)rK7O)l!M0DcPvDF}dmltB+5QPu4a=u(w%Y%mX>
zO!e4qkc0x>umb@kpHYI~iKv2_9Kji+L^KeH><+((pit^2aDqf78B7UU6EWYa6CskN
z>X4*}As(-sojWKlsw1%WBbONz^l`m|dFDDBZq;PiRwUBn8cPzX(Q@x<L^Cytif3y2
zB1#q#+MQCqlyV8zN-PS@D=5&E5Di+XFmLh(m@!%r94?_qqkd$jPswd%C`h29C`hIw
z8_H<mQ9?wmfwktFn7KCq-a_vSJFig*@BCiU+819Z5eN{wrBxUFy~V#Nw6@~gOIInN
zQ;|UhQ<M@`c|`Kzh$Ir>lhFw|#!g-k#8(_4S{5YCk`i)|K$P6hE8;6epAn%Uh;u=c
z12PUoGa&qf5e=>#z;P(}M{^!9WXPH^ETU=^*uBE77kH<IjTIoL!o!L%L}-@<7$30P
z1n3D6XQ5jOtSzCOgkUgUi?HB{{45KVg{}`EQz66-$Undo2PK+J8z7nl$e$WR1Pb7b
z0N^JBu+kEg%ZFu!<op6?CBo1Qt^{d7AY6fR22D^JP|ip+p@<Fu6GDZhEaF`TFI3V(
z0{(>%JeV3@tMX@sI9O4?f0;f@?T^3xSHUmI`RnSQ)%k0}ehq$a#Xe4WSoMd(UzdMJ
z&W|eMxeXAhJl@m_RJ<~!-(>h-<&xWKcFg%~wPVx1Q~Tw|rWNl5kMmTAs+{-fPZsP8
zQaQ(u1pM3M(~jzsQl;M7me&;fH`yHc;-`B!Evt^%wYlFtv+d_a%~WdfqHdmg1kkCc
zZGZKvPdy#zCV)Ze{Ze9=1^fXREg%!e{(9iHJhYCUY+*Q9X&AuEp=3g+kLWE52ozbD
zIK1WcBl?uQr}D}$Q^P$*AKn7E@TCbWfe(fv2B08h%2jF$&T~mMAp8ucgmNZj3u~>=
zSwjGt-ua=I1ANfPt-f?JeD!xEzhwr*0Kw|+J7V>B9pAXU$5!S2v9tz5PXf+*TwU&N
z`PQ&oO_ip^`tgp~pKRPrJ8b5BSQyW$KDHpdL^i}0?-yHG^`O&YAmMzQ5nL^sVlB7D
z++!oSwm<W%wiX)HM;Oaa+Y16j!LW!n_qZXLd~Zt}t?G8Q5&V{`QR#!YpNmk7>x#pB
zA*jFzUtHDpuBeiNxp35A4yd-H16^@!QTsWy7#;oSxQtdZwa=U0U-FXFqwAzDAVS4@
z8Q=NkKM|Pm*K{jy*ThB2Xge|Ma0Yu^zwJrc$KO=wJJ>=te_c9DU7Se05_FX##y&)z
zLNI`OZ*W-V>iYxhhdkD0*9BLv#OMi6XE(v4Xxy;Sd+%`@iw>^BxrXKyz_rk?W}Y>3
z<CV;v;{S$Ro3dYm4jl4z((EgZF=8vmAAAzZ>39|7fr!|V^KqB_Ei%VHFw-5pOhJ0W
z`5F}<sGJF6K7Vkj37y&@2w^RQ+uFZ7)3aT>@2353aba6s-~V%^u(rZlD|_3@S}BRe
znYW)DlKtvz@escBtK3~;!7Kq~Ev{2d3e$jw(Fkd1x*lk{q<uB-G*60JyBh~X<r<V-
zul)onWlJjPWJQ=TQGl3I3e;7Gfj_LqbN?3RGFQ6eiMR>QS>G5a`C3(9F`6!YGvd%-
z#UAwtOvcLyOyTbnu7oFEYKDA$$^g_O?n9V>Mz55!k<9BwQ_AJhDxLHe8aRDC>y|2C
zNL-kPlvKU~ZeE5)#^vzH*%dC2o0q3L!fsqX>*FN680n@UgvRiQS8(;KxkYVmQNto$
z<s344M9b0y*$*;B#)q8|(KV1GgCtWOy}+l|(86~D&Va}c=o{Nmg36i>kVqu-I~*kP
z8)1>o42wkA4PK@L04nI@vZMS%A}wp(xX4-Kv|5uBY$cIY#!NySZ(im}fDUJzH1a3H
zf4fsjE7Q_?>XAhrQ>@|=lm0XT8u2}I2!^q=mI4sXk>Gt0V?D=MG<_EIoO#r+zu}?U
ze-YI*1A5#*aMkJpi1jmOkAc8#=ti6fDVEd>f?3*9K)`~Ql%Ie?nR!a_f=crf>#L^T
zX-E)9{fGd8eU>ey=Yh1}BWrWPTTnj5;lm&a1qC(W0h&|BiO>msENk&6OD%kf((QfY
zD3qdS;5L^E_(!E4z02LaReqCR(jYD}l4&c?qCF)-beEB#k|tV6!cei&LC>!lNCI!p
zy+bc9Wk@HqVz-%AtB@7GmIX@ADSQ~$FqmP9q%w^0gf5$m;u#NPIb@2Bv71t{n`S?L
zGeeUZpcx_GIfhpGgoj%vO*VMok>k>Lo%Q<~1jF$LnLxsOL@=U_XzRU)8R$Zg@K1MP
zbdJ7#HQi9u9#UvUKAI7eo>!JEm(R_|Tcv4zGDAe_G}UOGlh?o(p$lgz1iuovffbRI
zvIx2l?dapb2x#08OK8f=K7}xN7y>|<L~uxYfPo><>4HkW?V4O-Ak{%4?i3aY7IR}J
z&5wcgen4pFv6a#Uhrq-V9}ie1h?oLEA&d*aA(a9FPRs#geyRauL<oQ(P!51Ddsb}m
z2<HG?2r{7to!~eJ6V};DU)f2%)TCGhQesGV^57_+Xo!fv)%kCdF<yj_TFTTc$Ra8a
zPnGO(kU`yqnjgqnSW&E>1!Wq+bC3CMut@3h-k6gY$W`(APfhZjq4M6AOXK7!wd}&^
z@9+n0D6z68(v35)yGvLV25WP-dnP<qN2re#l(3hI`{VBxtSZKFrv+mIG%Z#?8aOK)
zBK@!5i!~a=LNCUqo-Ec$9z0pz)_07OCpyL;`NTNH3ptH50!DHd7)s|M1Yn&x9xz*+
zh(-ztK_(@Z@fmF$(5#r&O`)BT>wUT#^_`fCvS({aJ`*>P>*Bo2miW2y+4z<rGYPNy
zL+^|KA^YOz$Z>i|Ua^<Bjd+m8yi{Q?5z1bNNMS0Q($M34#rZxJs(ol6M89)lU%RK&
z9+b#SkD7Rqhe(2FOoMf78_wxaV{<lywLKwK?i5we@Sb7&ZV;~YR9{QyZDcj1<O0tj
zM}TdR+}N2}E@KQ^AlbO}vJERZRxgZU9_|>%(@C<2L@3}gAx9#55puv_LVtwejdNUC
zN0=V4IfiQJgEevvl)>eA>C)Z=6&>LTYfpqAu4v*~=8s=PgeSSR5nS4ac&Wk+S5ex*
zTp<0;3_qGcm}=;E58V#;48x{X9K@L&cT*x5+f0Zh`0%b6kTP(tBwd-X;l;CTt^^T-
z*##~yWom&Q(-DCn^VwR<I|L%p(7mQ250_yA93ul|6O3eM_EUj{jWM<497SfsrUAJo
z*-wuSfnT88Ol|!l%h^|P2|Eb)(FC^;$@0+}7|@ht(N~+%1OOiBf>fT0vbr5My%}R;
zY@0-nu^bhm33rej3SWd21oYAnP+caZN4#z8zs4{m9&z{ubYqIyS}E?W7vg0m(UvCL
zw_rrCHtYt&FbTBpe#k|%Rg)SiMgVr5sa%B)iT-ikdM4>#hKcuR<i3a>3v@t&P2`{6
z59Y}NhRY-fCf-T%LA)CezN7ClRxlmeAbiTnSh&lAdEflgJN-0$hWK69`so|%6fWOT
zL<Uy+`M1_5Xa{Zd9AlUp=vSNQM9?p^dqMUHyvx#^h=9|onEdfIc>Ef43ZbV$YQz2>
zB-!8)^X`%2ApIC648!?A+zPS^fGn#70<sDKEa)kR0>N&QOccQP9trP?%ys}4L>?rE
z4q?@Q*#S<5)?;sg6(a<=kE;X%zk+k%774Nu!&o3aa6ti6;$-lsbe0M4P_ROlhGAfU
z@KW<b1HXd3^suXAe_()DvcvehmKXrKmLJh#7l0)vuP{h8<_tXSSb#C~8_P_Si3}Ij
zQl0&(l<(~(;GXY=loP<->X*-J42ayy85hM4s$aEG$UdxLk<ZnH%!+`bs+H@o$X!@z
zJoJoXHAz?+5LA^0qnel2e^UCR<7xXy)hBS{6SXHnC023uC#qjw`h=wbR|!GAA5xWf
z<PbNNYEBDPXt1vbYeH7sAfaEIp*a6lr^nRHp<WSCn?+I62u|L<p(k{+GEUC3nJ1qo
zGHYrV5L*&vgfc4_!hu;>w!u*#Om(ybSCZyTzXs^Sv+6#8qbEZ@W=tyvGg4?>Lb7l}
zrUh9L9kE;wp|lGBjUxhNoI)5;Bsvhdm?;4=TrMa@GV%#Hhm_BmEUXuyGFu1?<8dOp
zCSFh~W#LN_B}oaifKpe$n@Ay0O5>EerI`w+6x#w7WiA2Fz6Quu0tg(2ORJ8Ms!9<I
zfR|TAA?mEkL^utg7p4ewkgKarIKr58)0R3)%&b}vJroC3IUB+X1}6BV)P{GZ*$))1
zkf=Wp2O6F#dWQ-3NO-;y8Qz5CD2KvqB!HfhNC|{@f*HtXjq^x&f_e`vCgJ~zKakG_
zbdd2@X21ZLG9Ca?<R~u^W7y=r(i#61q%;0z@!|_JrjAL8*xH=aQAnt$u{;W^0TrYa
zsJXd97mm+&c%(f}BzTg+5Z&W`SjHu$n}UcZ&{0Ti9!sK$uz)2Cz}f4<JmYGph>WjC
zY8iy>uZI32A;q;QAomIh4Jm{jyM{~?F`$EpvvBhG09^os&M764{}5sT_DQx`6o{mI
z^i*!aQ@BndVNqAwfi_?r2b~XqS<sLfbFPRMbUFaDptb{@3aA|D22(R|is;PO4iE_v
zD6xUD>Ok1)6dXGi$Q(PUd$PZssL;}#lum8Z;4@T!3dPXxY9V6T;!GiKRZ9f?U@(|)
z0}1eeVKtZ7ObFs7FE(tmtZrwU+%}2^G-2SREG8pH{k|W_%#apt)R+;m9EGUqv8b@5
zbb?earht)-8Krsu?I1usHi4Q#!A=%UTTC{MxFls8YlLLNC}N3mPSjGbUN>-9l2q{t
zPdMgi$wxRtMb?5Ek<XPt=pmrW^oHIaq&Cp}A+#MhLr*}Nv|ilEoTOwdJhV_j7Bmos
zz+jE15(kh-r4!n3>qR1A%nNerQ$(aY%B)mU%6N`Jl{tk9s$3BXW{O`01mywI0n7u^
z<FJzGn)nVpjTW?Y2qFeZxe2MmgQNyH2T>pqo23!!h&D7)WA2B|&Qe)Z%vMvB`afki
zyU|U{bW>DjG-^5pY-qZMXr~uUDW5=T0?S3nR#?%}nK4SbWD*@I!6xysqofi|9Fkn2
z%t>;GGJtL!=P}F89I46xUSUJIKn7^^Sn-fe&Rej%j2!vGJCN6#2P;^?au^jfh3ZtY
znIx%Y65ShmZjHNllWtKFt%8qFCEH3W5TYc-SwSl>Pc8)^j8HJR1R|C&q&yx3OzacD
z=}2&lg_Mwk{*;HnT(Xp~e>5V&Kj2wQxs;?jNdn46!UF<O&Sge+3E&MS3<cLP%n7^0
zFr;k^!ED+YhMQ<+6@8C8Hrg45O;#DvWCiXan#B#tGEfAQ1bV<W;~7fTqnQ#)1QOte
zxDKH6)&!uSniz1P8W1eOKma&W+Ih}m)qmPV*zz{g!MW+U(jG~S=fqK{G=x{57LdeE
z*0_yG>4?%{@el;io)uWpe9-qyUZJKg`qLMuiAb<+3Re_d(zqy1bB_QS>M&QXkq679
zPYDl+OvgqV>}*7?rwH7}(4-R?LY3+=g&+p%7f8B=_E$pudgxxJx)*v^LjRS}zktdV
zt)jyi?z$IE)k5wHpxrzc94ixhJe5L4hs!D8pJfjO;#Qa@lhR_OdPBdBA>YkGijt@?
zR<#By`=G^olfg6}nhn8|LBQEywLTmPmQd(o4V4IiNkA|9L?2`5J!|MYsp<y&9W$_c
z3LbzDYsrv1Dv9h_0JH$pZzpMH@rdi;Dl8i<;Q)4K3x%yRak7O@3O(f1o#PTm?<PN0
zw8vkznC`Hx1F_*uXsjDCAWAlxjtrZ{r3hnBt+dBs0W2FJV-vO@F^StC5uj@jjRUo&
zXg2e!Fph$&8x~V0Hq!qvYNj={KYYo#G!WS;4D$x6RfRmkv<(If(khY-F(Png*-$`)
z%b?It9kiMamXkpM1voi?P7cwe*Lib8FQWn2C)n328DLKoTuc+DBOa^bV3{Kcv}p-u
zX7~a$K_$q<Eq^0Ms$w;&n2l?1<Y=~6BM=S0BSxxXHLCtbi7(PLbM!j^Vrv*D(8TI6
zbEL3y@GvgA!H3Qf{J}9<mJAn={38KO5GP>OOhy4!I+!)IuwdqKFmrgYOn^{nf_<?<
z4?`&*6Dc3FDIeOJJv&iN7|~4_(R_>%!$v)NDWW!#nj>hYh}tQlHjCUutyGBZ%0zb>
zksZNEj*C(w-qVQf3B-4jaU4LLN4^JDG)C7`h<d|BD4#{{AV;MT?w!O6i_}1d%@Cv6
zsh|s)s9t_(1T$V>5!t0et;tZUfhZb<N(QSV16(2R785>FSQ4I|;aDEy`T_Cs0qt*)
z5AF2;_W*tcf#Z<(3j?=^mf!j%w#Smwn(|s^qPIurj8HJ@%L6I`+tvpd5g9Fb5jtmE
z(HZJc3UtS=ATXP7{W>8gsWpLMl2MdqC@&r9e*+AfJPb0CJ*9+^29^hTATUJ!fWZ)g
z0|ZDxla>bq&>Smr1BDp<Cq!w8@!SkCfne%&SBb7dGcv)|`{Iv?@t5skB5qa&S6&Aq
zRSYb!I4SFh){`%g!CdNrU~&vP;=t{<nr0S&0}(6^aXd+;pv@%&k>E-f!G|ee+_!Nq
zYPwT3)LRJ<H@#fw<CQaDz1T>OU$BuHU}-f3ktmal5w@rfUxqkPI{<u22U?g&MiSgA
z2Ve;NpmG91%3a2#8t|0EHwX$*v4Zs!5R}TGdLs!&!2%2?&ZW-OPI~Tkn)2&&v<Of*
zM|cGrM0^>lS0^*X5}5PSVcgr$0!mRtCt)1}&<ZqiX@iEKET`-y0QE;f75-5$UZ`?_
zqfXqY9;Q_R++-^R%%dQQ)CDjh*wZ5dZMTA)*+PKjsB4mdtng_-RWa1!K^Zofa8rAs
z$qA%dZHKD`KwqPI%=ObYFZ69dUx`j#<b#R_qHaor<Ok1C9pgOU>qE{D!X28RE7tSE
zRfLSF3q;-$fW4M$P(1RVE6Mr7<XU~cm=zdRN(0%CjP_#WdnUv^jY6Kl5_Re%`EOG_
z#p-7CTO}eJJ!@h;YG*xayg6&|a@U~Mst42vTF0$GM<%Qp?Mnz7*8!QU1zu{w+#0Y!
zMyws<Rtk;FgVDKg=^C(XW~?3tEFOuA21l$6Y=$pZ#xG<Ny|yKKI3;@^mFbPko6+x;
zc0pH5&$(oJoRBy}l2!_+g@Okv>@<$1D&VUjdg|rP;FWNCm2iBeTpoeB69Yi{iG^eF
z6ALTt6AHoFCKPrUaYD%rC87dC!WIG`g@OE4*CK2I!%7lv1&yR$v?W`rdqfBw4`i4b
zR9lq9RzlEo+8}tA)iZcDshdkw&FgpCO+%>@=;SHUsEs>}AwxwYLue17u-TwbTQmq{
zK87eCL-HF#$c>@3*Pu^Q=vS$9E3L0Umjh^R3iJueT?*x=K$$e?7WC*5&}|Nx9)WIM
z3%q&-X&XZ%jiKKK(8mJkVtBL(%3TWOE`@ca(7TsH?-qem1xPg_q!hHn6(hR1k~3<=
zk(e$djM}jzXWHpBx<n}$w$h|)RuqgwC{i(Rfu&0E!BVX(RH_XXD#r?yXa!2Efl{k5
ziC2#bRyNY5c9KLyMk9r-NVNrlB14dvpt>d~ehG>S;W0qWCMW@r;>S?%U<lpe6B%$K
zV=FkA%XKJzfpVsJ2t!=_3#1qe$r40>ZlEH_vLDH1zA{h~x(bv8+x^K6&Hy&#i%<>o
zOf^Hw5-fr{5-eE4MD~v=9b4r?s4i4G(&a<3yr_4Cl4;p0%nOjsmV%^<6ds{wSdxI-
z7=uY7#Uh0j#v~LB7=hg`5&5VFj6FGQxil8R7`K}QP)I;n=EFnzFhm6dm@5CU5DNts
zm|e7sa|Aj?pZvjuxeC;gV*D_9pT&c!yjVI2@J|Ta5v&qfZyN-L3K0<^#TwlG`)L;C
z_}Da+@nGK%77g4DZUHSWF@k#u$zYrU2~8xsMNrB`qJG*%o-K&hE<+I|hA9=%MX*35
z|IZo-&{bl@e{5KeX~Br~E7l@R`bmrnZ3~i-Vg!L~Mx!udIV$!ekg|~?#k*q1E7+`R
z_9`^AV#Z5W#f_J-UtvsKr|49v5(ZwyR{2OMR6syU7AhE~E<dAU#vvZXh7g=mC-l9F
z3Oksf-D*bkVwk!emY5PE7{H2R$nC6E0c#Z##4%$OI~Q3mtXMa-ij#w}bTdfM%w2ZA
zv1h5xix#1nzV1v}<69MNt%&UPu^+G`jI@>wi>#3-HX})aD3UEP2F2P-2F2E`%vc_&
zNNJ053=`4WNIR2hQhY@!Pwh&R`!J~_zXHu@{DAQX&1eJQl$(L2N$UWVn=4T=M5RMu
zQjqCFlt?rwMY}?jNTX7V8Z{{30Vzy)yI=&0)k#W5I29?%(7{NpP~a+4rKu@Mv=Nk~
z@{LM2k*P$78k9}3sYSgNN=1@{r6Ldtl>e&*1xX>01t!Z=3Z#ns=}JZs!jy|sH7O$S
zsYWRZlwgKP5yqH+Qkv~BQjrt-l<MnJbtJ5?sX3YzCt<*(<IqM_i%fn}YRMx~NXO-Y
z0zb4MB#H2d6r*G#Qjuytr6BroAtVc$B7u8pudnC2x)<2NGg_1r4dVpFV(QC=9a(<R
zpw!|N8slOH%T}&-6c`3)RWCW!dZu+)$6Zy#5dgtnlm<J*0|xB~3>B;(EEqxp#nuoJ
zEI^<moy9OJWOW+3f|<~JKxdkeDbuP~%!u;EGHJ>4B=>m9F|&!2ngru-M4jKIoucva
zK_*r<^vKk&OpG29WqkuN2^HfhLp6Y0;>>~mB+Ao^G6=Givn5LO$WcU|7vU#>#7W=`
zy)qRNGM0(FAkecV_$2T{EXippMpEH({*X(RE7Ku2o|y`ivn529WT{=54177^h;n2q
z_a;N-buQ@8o<xd}EXWmUW<aGZ$TxCicLyd$rEX+#pypO29LkvzWD==cnHU@#%I2Gy
z8jx;eXl%@lN=c9=(NyvrpmVq$6z*yHKG&5#N!pNEohPX$Y@Rm^w<OPTGdf$6cBB?(
zO0?=kd4MUKeRU!{4hnY@g*&+6PW0f>B?;(2rfB3<A_$U1kVIZ$Nf1P-CVEH-Gt#Wg
z=N*}xN({{45HmDpyv`*B=5e09&Lr@(9KuedKp%jnZ}4=eic}RUBVPnch^1GV!5}G`
z(uFf?>&)V1B+p6<%;%e_S82MHc+;s@cDR*(>hOe-X(0_lk`Ue3gd{9p5Rw&WLS2G{
zI^q-|@&HL$5h<LIpD6|s&_RTwWuY+=tqGr&gv2Q!IuHJp#|{i67y!aRBn%~txQFGh
z$ax@@p+SzpgobfwP*8%<poxJi(0~PcJ6Nu0Rf^_t0IzRAE8MUJdOHADtBIA(3PQLc
zNLK_}nOw~P744BSxuHl`1S(~7dZt%B(<_?%0=+YnE1u*lhUt~g8UbGM{#Uf0E7MoX
z_UR(Ip-5K*DGK0wNLLNWR}IoDogd&Gr+fpYj{tOG;0PS407<+$p-MaO1WNt@eDpvB
z_q3QJ1)c){YWNHRW#BLb?|{G{UIPa$;4nqL1Gha8GMk9y?vx$iGD>Fw!$J+IgWxm-
z{R2U#&@>aB16*G;*QU~;t-RZn9kh_AZ7V06b!YUb5<lWp3D@x|1cf_k8$KmKkfhQC
zDjG(`%`1QAm4N1zW+9|#C(IdOTcT763QZt600gL0uSBR4ucA~4>V}bz$Y~kWnm}?%
zqz6-UjS0;wMsAUx&C)XqX;9kT5}-#wn`!L;l?rt?NbY9o8Pwe)PV-8jxusn)qd-q7
zx+h5UMyWERKu(4<XbTa$MCwhn_Tz=Zb>^DF=9(11iIhK+PdFy&$AW3{mBF-3fkrb<
zZf2Y=^G&L9<$5`CyKP*lcULRDtCin2m$YuK_9l|_YH2T3FeUKn0Uz0g0o&7n0cpSu
zj7UW4VWm7}z$r4|1$l4>EVuwH#Dq?yG_$FOlmg3uSLMJI%t(mpLrXfAX++Gp0$F)?
z5#S9@vBs>9s97EbCz&kolCC=-e|LVF)U(nIesT?R^A5+(k!4Ai9bY-bIO8~mm(C&L
z42)F{%MQAE=>zGO9YB^?W0kPO9kI6}0)PF6H0m^A5Rd4Gopg8-MfBqk%K~)v7=1#p
z!|Vx;g|x84?qiJ0zOcjSb&iFiRfg|3-%QnEyVDt#hQ?*qO0eAys}0$elU%iA)Bv)>
zMCe&zk+X`h%8u7zk)3~Gkazr@P9gFm=UV8G5*Wa&1!T`cV+Wlo$^n?mVUZkJY%(F)
zY^En)Sx%fESx)!sDbxRqr%(PeoiYT#DS`1G=9hL__q!<l?#elZ-IQ}K%%hkcSw}MJ
z%0F`1Mj_;~j4-kh?0~B;?$k%D!+}eB;8NBxk@LMQQWGpir2sV&oqJSDbt{6Sk&uF;
zAl9N%JJk}AiYSzc(L|(JDWxL01t}vDG^AG`r6g)<qDz4$%4>o-)o|$~5j3FZ1eX95
zB9yCX6s2>Br7D9Wl&TRFrBLKjm1d&7xhSO_0*d0?(UMkbisA>%2$Cj2`t+X9*BE7b
zxWoh4k|teOe%-{8X(GA@BbCTZhN(U6%1kDERG3eG1?X#f4Nqx4>?KoYw3d(V!*o~x
zW!=*S*kIKp#Cf9SW=_KfsUbgTq=Ls0pI1qVYK##m#0}^^Z)X)YG7FMAAr^K75l9YJ
zad>5A7mPMhcva3X_Qo#;h(*-|BIp?iyI?{tz2F<dunpnx4a~O&|AZp9V9-cQ`NcrC
znhY%=pr%v}E1HVsU@Kf~2ZKh)Sy;tN9^h3O+(Z)vz`6ps7iNZt(=eroj6^O4A05D>
zu27C96rmhORuTDifSkLqiV(IDK_y`oF03M_b`e*-gjZc*62PK_NKNZvlxmbBLS-R<
zW)y}2nMgPRl%c@Rb{r@Op}@`M4h993I2nZ~a5t+C6tb}4PGt@TWgKuk5aWTFM;r|m
zu;E^F94rvyftped0AvRo3_O_T7IPfIdN|-l@y7y!TNN^?2M4jo0st$DnN)GWn~#dt
z(eYcpt}11eVZenG;?F94S^d<-f>}y9F3l+5l}I=xJYm4L<^<prz@6y$v$>xZX(cgW
zlv0j)Ehy)aMjYp!aO7yCW}<W?GdOW*q7V|y$fZJBm_!xE$rDUr7Iv0rAQp7aB80?O
za{Uo6O%Vu?l}IAxv|-8`W-zKsV+z?0MfM6<sXN0AA}Z#J{iTYLnqq)$>H$xJ%uoa&
z$;ZJ=VOvDT6-7*8Ss23z`%4ui{9%MeRIyU2iUG9!6c`E7Nx)2DSy9UsW@^H~gH;MJ
zHB$qkMNSe_YSFbLR*4WssF-NjvkV&+V{=s-gqs&nW~+cAiCz+1mGT3MvXKFT;tH7f
z0L*=U%yL097#eaI7-mBQpGaVSq%bp#h8<mu1HySmPqK_@Efiupc?UtZD0UOd9s~qX
z^0|sFG72bpZzLRE;){s|D6k1Ag2PipH!{RGT?i~93Lvn75eRrDArF?D2DMF$0uGb2
zVE}^BMT!?-yXLzy1@a|))8tC-?Zh8U|G4A%Vqq)91sP`KL%_1uj_^G_)mSy*yx>9u
z2)2hZinel(Xvs*D;lkRNxIzn>q^g?q5@8Betxy_lH$e#?F1gPfX<KlT9pq7U7^)e3
z`~;$dm(SbcD5e71dTFeoj<J%8cpIml@U&&1qy!}-FkJ6zz83;QT;@Na<<P9DDh()Q
zt9@jygd=j)kEE)HAOsRMFaf$SmdHVMuG;TuTPa4kFHM`F8sBJXq(xQ=QVFk4x{#>!
zuYeN}nB1;}CPqn>36WaiLS$AB@R=eCqy`Usd?qF}Co81X+9#E56KOz)X$3yKboA1t
zbR+rXPDY;S$^)6v_)Iu{Cmprb(~C*OZ4|9g&`$9sRTm*`!J@pgqm#XPWGf5Xdhn17
z7@kxkwjzu*vY-qt!psMggl?zBA&r4IL?u@ySzpM=FKt!AMmVLB0f-ZXG!{xYGFdFv
ztCJ+yvwL;LZ`hnf51X`{BPGyqg#ICuiBlxw0m7+XB9XdGWk(s%A~?lWqynA9acBZ3
zXq;h^=a52b>684|Wci)M=0=dXFq85)hi|g;%A+Y<w*>s^T`JU$5<SbsP7W_ywkP`-
zRcZdG)l!hD`PBO;ceE{tY;=tYseYkG#Ny&mF(^bxz9s%8UKPuG7QQKbpg~87S2$C&
zFPsYU1Xlt&fk!~tAX6#>?q{VuudSo#>GgK&;B^NbK!;Q7t4-G^emQE{)G~E)GvkSy
zi*t_Ch#ACw;&5%mZ4tH4m%xPH?WsoG+h}USdtp(qs~A@7KK2|^RK-lUO#od4mv2kH
z)!)ME!F5WycUku=pA%$((P^?4L+c>*pM_VYS6p;?QL3(pf!aagI8{@+uIi|LRZ6N7
zRf?j?QKzVbY!2zGlyT}ebk`bb`kKm3KctzGb!j8QgYno|M}kj@CpeNFB-2q>#8zqu
zh=Pzo&Ygmo-AF9-5{e0OgSdiGK_8&zpsk?hBgn)kIlsU@k_=Pd3Fz$fNj>nKg6Aay
z*cArBCK<|jwQ#l+w60saS{E%=mV`=Tl(3YE{hSn~6zqyZVwJ&2%%vPdks(2dRRP?x
zh?sgx6Gusbk=V=Fs?e*Y%3OLCb`{zcBzPUBAr%pd#)MKrF~J*Hiuxih5kd%y{5w<s
z2DyVmK-=(bEH~;Jp@yOZR)He#0wl(vETEA9PDo4GNZ(A5Pa!0rkT6R3!#y}*E0CCg
zC`1ab1;7H+L0Mp^I4Z#)g#v|0=n6Fj$N-06EZ`kD4g>@@0gV8w?c}!hU<w!o&H^&)
zvD9nTXQ;L}8E*Yvcj1Ae)h<4(zM>wZ9;n{2{;0mWezAU{`Qe)pP-m_JSOU2^t1P{$
zDH6;|<pjw+uzp9C{e+jmshA}8GqGiqYD;<wg*^x!<a{&{7@(4{6$8}yRpR#50-8yb
zqtHl$*r()j^0q2S5K&K41m0CuB_8n(j$J|_rPXozME_^MNR|ol>LipbsC<yv6VuaE
z&@do)kgOB4(*y94G|tiy0&;p8D`f!9BSRU0X~T#}nL#*%(qZ!=nkresK|oB;L1627
z=VHYQ29U<-Gk`+_1kN?us|SFsoS;J@MGOfTuqU9vngarHOUa|JC1|)23gB*qYQciw
zjV#&<#vZE~hObsCv^=YGRO`x}U{SPBuo|%usdg$&Fr?nJo1%|g(d%kGQXyg^cwVnX
zRjU<%Vr&$#vkiGh!Ob)XtjIcMLE@MMR$v?v6F7XrwQvcUJ$8L|9YS8Jjw~)Z?jnvM
zm{jSND|<8sd*}j^A|!wlqTyl!{fMRBNO<p9QE79KsdYRP7ZeKVcPwEP&eAo+CN3#R
z&g-(G3Z<6HYnE&WT^VXEBqk?HA!vlKk}#7kJ>Yj`l^|@~<|{}uI+9R?)x8|10=g#V
zjp&ruCW&oE0R5}hle=UarXr_?g{(&kM{SID=!b5ESWFHr5@4oYkq%!$7(0OgVJm>t
z3z|{K4nKO}WNxktM@d2;bF`O@1wyDgrlkzhIS8|jBy9_gV@a5610xZ-ts9^a#xc?3
zHIye_#4{bVBPYj%kle!)wGbai!Som(Y+?0P4Xm)+x(&O5cOWi=(NavXx(`W3n8o@j
zgxpX~4Z-Rl7K*|&h}RPmvpG@`{$;B`u)wMbWFMLCj5BHzg!oem8M~%~kHZyNAD3GR
z;@Ex<G-+DBV~EO8;+QIGo&1g@U5?$OO2h^>rJCGeUK%-+=GNv@m@&+!F|>S))e*5?
zDmO<WKXdAm(};oJCfL~U0N6K`+2RcrK@$vg7zyv#{K>vf`=C)Jjb0*35WYmD8PJ&W
zsHcge*tms8egzYw@s5@+g+$=|HUl6iJ+I!Lzf>9hU-)cu2+&KDpN18M41@}ZeU^Zi
zi^P+1nymOr%Kr)B?}yBcJY{gSMS6^q@(9>eNl?p9Hd&^M^x}@3Xpc@K!{=}}Pi=-q
zK(#%m2zcdDcGVLjsu?0t*O?>#T(<oRMm2ep-9|<&+87{Czpwka;UI^M5Gu$M4q5;~
z$^C)d5n*zE;wR+e9Vpu|zC6Jw|HIRukov47KFtXPV1xoNA<NBC{_t)nDuwtYIFX-B
zfKa6BwlkO{$9vWx2^bsLI1p>{w3bwk8jaJC8#YcdQbxHkYoHLYuBpPaynFixq9iL$
z<6;_!aIredfKJhziy)7y+`W|;m*w~Xp)jrtg{OcBn-vbDcEl&FcVO;;<|}j6Iybul
zhZSREgT*S?AV7P;!EtjBw=nx(54EuSTMxBx`&SRCxXR+n;KeMIs!{w2U}}P?1sER*
zWgi|WshfT%-MrLsCZqUlr=;*iK-UL&(qor^%{lRsPLJ>~bb~qYfP+v1Fw_cQYVO1#
zcQh4Tuo|-H8bL>RpOia5k75KN_E@C~l>+D33nkwIM=bjus1LHr6cu98ahXJ}GKaC4
zTU_HoU~OX@9aT^VRbzqGLV#6PKq{_qDyaAkR|Er9U;wJ5U@EK-3aCTfRgv9SJG!Xr
zs;j06Q3!%m3?6DB9z_g?fkFU^l96);;dujmT)xxYe`d2!*lyAGW^)q@;;Rz~^%qdT
zaLZ6(6V?iBhID2oWN&_Bxw6K0N#GEa)%<C^&IHj?>qa8$LdA9TfS&r+bTQ4YPh~XE
zWe6wCtkWiE6A}Rg#DlXbAlOMdlKle@Kg*uLbI{E7HWF1|$X8sl%+9jSwvRZ)MnJ^b
zV=Y-?qY|<=Ws42EwgZ<|z;V^E7xio+y0!!c*1>_bunIP|13j&P(XFr=>ud$O+X$^K
zfbXTSTxo0qZ0&)<&1&cXewn}loU6=!I^85nf*K`4I##T;5}<B{Q7u`en=rPaj18{x
zJbEB{24XHFAY^#wohyjVoX5$<mLclL$a+s6;J0z_cg6N*62GR*S;D+qfIh73;ESn|
z91;g6AR4?xpmgA8C59QHG?`BXMJ6x7{5i$&OU`5&!L1#a?aMF6TQAGYFT$6BM|&?-
z&;a?P)zFvy)<&bOh4(^TO`I32U;tx)tKBBAX6;_}8nVAMWz@7(a%ijjM2B^h!OZWB
zd^|jH_XYEhE}d>aUDR>+Wns62zNX(DX>}v-=Xs|2-fO0Jn|qDsU}JfucwT9K7n$3I
z<_vJW%4QdvBYox~8F2J5;Zhj(j({H|E9`q#;1@K=KpDxNfDP#706oz(1KM8MA96n!
zcC!AwqLyJDt1dAr+C7n6VsFJWn*>FoYS<zz6I4#5wTLpT)hChnp!<m`A`y%nikLZS
zfDw;*03jcs0Lne-d@BC76>wV$vsS{mYavt>;+Yu!v0`9~u`#Hr>4j6#YL!GvRaYqu
zV<<VS4lRerzns&*pWYKKB@a%j9;lFjh>(Eg(13@JD<C`rIkMJpbO%V_45J_?BQXkt
zF#+;GGm=s+l0Yw#ATxGJFIG!j7UZ?U#w%RqVzu5ZR=IA)YngbhcCQ7lkZ@Y%`sJ>|
zxC4RLfe}%u0a5V^?(!AbG6H9{k}!E55Xv49`5q7)4hU+E2$$R_q1ajZ4Xpf(7Jg&)
zepGgkTzdwpU4v8jP}EM7^<PiamY=GvKVPivSCci=nW*Sc)C;BR9m~{TCs7=oV&rNt
z$klHnU!;w3$mz?ZXjmh($P*j->aw7R8~d3V`failAhH%&WGmvxTx}4p;W!%iXtkYD
zYgib|vlz<17|Sjc%P$nl?Gnln31visvg8F|YvB&c5r<_F12VONnS4Q+Rp6|wP^`Le
zjIj_#ReU2X`~Ok%9!4S%l%o_-+fw2@{0rA*frvyVxpoC3waauWHqRk7tegvX;4PB@
zAZvwrfkz4j+B(uWu%$`W2LpR6sYrgQQk0KUr7(oxX)Xuq*bQ5$4A_0d#>4*dr41r$
zw5Qi~BKVsRuap?wE1<}7{UL!eh&1a+zLN{m3`=NO98fY@vd2cswIH*VE*ij?C4tf^
zNGT;?b}J4|PC-dx%-LUa)dxd9kVyz&W~exS(yJt>I`Z*<H7sm9VrhRr0~kAJ?EbE5
zl_KnOemg!`Z(|!;Sf0g;8DEm*Xl<dLH1)er3fHXl1?VwVS;~*Jv8Ecav8v6h!iMU8
zY--XCCUiwMHFhE$W%g`&ei)pBU#U1%Gf{L(m*bR-){|ani0E@c+FMovh-Nbi%|v>i
zP+FL6RT;dYjV9=KLS;ATF|6$`D-T75YinSyH7xYSN~Uf`ne--7){Ca1dX9AMuPaeK
zgGw)Irky;o)1;k+sO5X4Gm=R;M!69U(jG)a(A#R-q1W{l@yUnp6%yanLExbkg=H1I
z&lo>dFVe7DMxhDgXeX%VgMh}k3fBOuK|6I#NZ}GnsZ!ww6Pr>dv&8A}nMOinvKy-s
zIDgoY%6Rx~j0V+!-&hUdjvJT_n_Y0%27YRtIxklR!}7gds>{gwFr2I?bAr)u`uGr4
zE!38XCn5ao*P1z%!I>_@H!ao%V2OqVw@9;jOIZF5Y|?<==AXT8+(oCn44G@k&p(s0
zWpCbJ1(PM7G>tVOnR$iaoL{>o2xl`LwpVQvU{#l{y&~!v*-u-MDdWsJFxI&0C}Nwk
z;-d~+M`}`2u7cZbdN0Hzjs_yMHuM_%d2P-k=_slq@j#8vEeEe!32DhqFFt8b<&h`^
zr{@PPX%D4wB)qmHWS3m<=AR)XlM?$*W>^``PH#2&*vly~c-3?yZzxIw4B&|DyRHPg
z!CFbj_Mzd7`H8to0V6t*<f})H%ec4_@AHCuY8jZg?0JhsRZzB70t8`{tes-H5HDfd
zan#>i9^PFGR(GSX^6Q|n%rf%j%TF`Sv=zE<w#`{t;`$+MI9cmqXmqc|!n~Mo3p-3&
zy2j%A=xP8UkgB_tQW5&<DS-{NnD~=LCu@f?QsMON0KJP{35J+h#$@%hv@XKng!N}?
zHwB_$yJhO?j@BFIjMJI77JNGRrT&k6uPuY>*19kbS5yb952&U^e_OX!Cs4Dh<Eaz?
zQh^RjBT_^@0CqAX7}~dCtO{6lxoIjmP7aQ60gp8UiO?6+{5wl`Ix&YwEI-V&@hS-q
zyFVyrHX3K+wKe)uy;G7V|EHd9%z1z}U#2`gIShi`!VT8=V>8`-);{ezbUw`h-eF0%
z)^oM8zVVrn=9_5|Wu&zb4fx7~SvwnW1W4fv(Tmm)@GQuYXH#0z^N_u7O|-=wOg45y
zjr4?^WAid`mSBO&E-nisr&?3=bUWnYourbR`DB)vfIRX}imasnP4JRSI{L0jS5c{C
zpE+hp&oVkm>60X!`7TM$NV;~aq@Ii;B>zkNmS@UVQZkYZmeXz6xix8iz;guRJbVa9
z`3w)E7>&=X6nobch&`}$fIM3)hg|Ux>jNbYmq%y>>NWQ!fJXwjb<2Ju;FANB$7o-j
z<o2R<$hfHe#}w}v`(V2mGi$Dp+SQ(IRGw|>b26cluxkJ@6Ip-}=?cIJX%E0RDF=WY
z$uB?#WU62b6i$s98l4j9<Fn9w!C(Nd5lesv$dUjA6l@?FR6>9YS`5Gk(d3{8{PxHI
zWjt~KP9CuUTpld|eU1<S8V5JPDboWm4Z|{E3xSMK23dGnS}`)mZ4Myt3>bI=&Kd#0
z4FD*@z!&P^Of0a_BnbsfDGq68Y+)d*K#*T@qCF`kq1F-%H2nr`{RR>~gF60$ZvKN(
zzJq@KgAsngoqu51F5t_TFl;w4Y&V!Sj(;GBmCypjQ1k<&q`(OgS|9^LqyQV|?X%^=
zpTHf(8GsW-HGpA?Wq>3~EC4=G@N{1d`sA;KX(Z=9Iw*hvyC-x3Bu-QV@=0_6bW3aj
zdPu+kT1yZBNhE#%FebnO(kF-lg!Y!7ABhxz3yE)lHpCUcHi&kBJjhJ|ZIOcj)Ef(C
zd^AJXz-~aN!$}x#9V{AILazv3d@=Gb{1yn?@H--@;p~eZ97Y_G5xO}i!60{^je~7#
zAGSMB#ZYle$7tp676!TaB#iCw@*6GSmNSdPkYabi?bpK~g2M1W0f*cO;Xv4F8St5b
z()3B@b1V^ZN<FK*JbS?=!p<X`YzXw~;yMit*4)#Zfqc}@GtC;S>uc$bE7aE&5{(ng
z^)<L-lTnRy1*1q+#8Y34bKSYF?TFXJeN#@xIANY^u5=nsz{+b`j1#*x+TTqj*@ZQV
zV-BMj$ql1PuLVsin83ZG83dd)s$CgI+cX}sF#N>(eil<q@F|?nf>eV(1XBF)vXbA5
zWW2l+W)I-&IqnsCWtxJXa~c5RWAPxx2eb53;dH{bF3z#=9>LYZl2cD*mtYx1K6b=7
zRIg}mpxuv@4ZQfa`EW8rXNII4rQzQ3VJ985l{SnT<cCVaR)z<Xo53G)1(uAV)5V%K
z)<Rx|8=m^pT-fLF@gam~pM{MIQ{D#pK?g1~GMqXho*p;yE9XO~dqA2KWWTqz;mBQz
zm)59>0esjDfoZGSin@)a(I1SYZ)@iUkaS`3dU^h<GtZ5ejkva*IP-?>TsRDib*9gP
zf$3zn6XNvnaRr2F^7TB~*O}ixW)ArzEjVAmHRT^8GQ&FZLMZQA80OzRDYQ~H3!)h(
z2M|3R8a09&D%*H5mT<6X!H34p1ZTlfvq2cab0&f@rbbN!Vz9~@2*nTz8VJR-l<4Ly
zT<(vVqP&M&s<0P@&cnAR3dS4gxS2vTej8Y*Vur|K%hKa5O$t&g#$A18=l6-uB>t9T
z9g~mgN}+fkJ?Eay7|i6fI<#{8k9f2Yd}J_c`8~(E?i0(~67z2Y(%Z}V7a*pdUmOcY
z!AY)RH&@cC7xL4q{zL2VfA#osdi)Z({1W;6ce(sJdHh?P{v6&v0tX+4D6Byn0hl~9
zT6J$wsf-0{DuK^JE|n%?SlkEF%`v1U%)0&$4Bk~ir-joZ2~>-z%*Zz)OY>B!DGgCq
zeCt5&DSnlZs@}be)`d7;fUKgc^?^y1`E5tCzKzN?sYx|h;w+Iz5t>rIpGp<M3bDjg
zI>!-ND}J=(SL>$bRjA~X1Xm`b#Tql3-R)hLL6a*-@#U3j)DcYtQ#GF2r804+lO~|z
z`;l+W!+D<IZD9a8{sm)-MdvMKGeD7>L{3$iF(eZWkl@F={ToZ~LU}oGZPrFzCvFj>
z^>ZS+=#|z<ZF--a`ZXayf{c?6E)2X@T+(l5WX#U>bq=w@bYvUtz%XL957DunGVHsS
zp%Yeu0)$Ko^8c-{*tM_h62og0G0j3G65ZfZg$6SNX#-CEa#AEhXA3A6i5Z!dVoap6
zW-ubsmiJ9;GGJF)fYuqGT9kLRN!G69?>-Mioo#7~@)|`#id-6{LGcePDOWQJR3}f8
zqUIE-@g*Z7ebXsoC&HOYgRIdEuu8G1ahVgKSMB(Lvb8S+X%rY}A?VL683@)8G|e!V
z*x~+U8pnsmTZhJ(!{SKc@dDxTKN5U~wwa#*Zpgks$%EX7q#fG}V0sw677iPw77iP&
z77h>qiw6qwiw6nhiw6o?g9iz~McihXOtKHqA!LIH2>M}3U_yM!y{iPwnIq5@;ReVM
z#zBF@+%Ae$w8$XY2fQZGf@EQFLlYwkUEiib1|%&S0T)b?z%F5uYy(j;Q6ftdMz95-
z$p!$Y%#g4JSjlz(YfP800B~fh0Cpxy*aGxqjesrF0u}(&j(S!AUreOH4??L}0hcPQ
z0jnyu09#72fHh@VU<y%GFag|E762hiy^et;Ut_l6R<YIet88_BDw`c@l}^V_vP=g~
zcQ~>6Gg~J6i`K?UKp6@r6e)%m>z*3zeikV4S?lAvIA{m;EOn{jNk^3ZZM3fT2R{0P
zSkWs{9cPuj(e1+yqj!lKNMXA;ZsW~5$Ta!<SDhSW>0V%;cq6g$grXim1C{{wyD6Vb
zFlXW{W-OS8TWDrXCHYQGL#4%vVc7NoQbw)~6(TIcPlpL%14^9~24DQ9+>M;zFZc`?
z3A!gK>T1FOA;TC0(!(l*diNdx0>YfEY(4r~`br(0CiYQ_QL^Ctxn^o~pi(#nFQfvr
zI>^Gy_@YOtF$`8X)rMqqrd1*^_ZbOU6eQL<PDwAK`1EN+d4uuqcui!&Cj+40xs#O~
zojp)QYMDlT7%@tzD=*3HLKwzwbP()DRK6A1FgsGf#()H9pUB)7FbWtRX?6g(0}X0R
zEQ)DZkdHKm=ES&<q$|YGZ1R4AG#81WQz(<+n)GiX_+gub=!cd-ityMl8~I<14f3rh
z;XyMCXp5oIJR#t#9uZ9Ed=WPfc;~v#NIN2QAD1>nlVec4n?vK@tQ8<Tf}}PA@VoB}
z@+1~Ww_2c4|29`5&&8;%gqV(;N3slwNu#2iYltCh`7%I!Ex@0nsWJd%K$^dzo7Cy<
zEK~*p^S!<a5Ze%d{;%;Lvjk3iCImXP)*vx0R3tcwSaeoR4_2ICAY%vUWkK}|>HFSA
zxWy*1@IZcvksCqKBzIUa#(VaMNtWQ4%QrF)WyIHJc{Mxm4D;)_J5h(&H^V_tAQPC{
zApC%SNzMtGIm+V>$<%fJ!wf`KaGpWZO@95x<R5mekk3C@1lQ+0n)~Do^Hb~>$*4-C
z)IVX$04^iR4}iOf3q;l0cxV$>P6DYRi6*FLl2*APQmA*yD}}JRrB$9DiL6eepJU)h
z7#N{)-O>zqUx#yqc`m8coeBJG5bs0o6Kq=`oBr5@-hpZxCNsJ;kaR=lAMhc<OAdJ0
z!_pD#P~!&}bHlzb(S3~+HsDVT$k@Y28w_9Ig{qiAHW(1-i_|Nk3i7A>dZXGNBKPMs
z-z@qEK%EbE$?}~B@k5!eK)Mk6TgROVbL*g->2V?cP9(i^m7K9Jy60ynxSi53ZQ^d$
zcw76N;Pz)?U7F@A{9J{3!^R(Y=Zl^$BR}E9mx>?c@k?yJ=C|Q-JER|R<L<?K%kf?S
z4_b4#H976z&U12G-yMkNgNmTDsCJF(cY)p$d6nZ%PPv^1uX&A#u<>^fHzALG3gD3b
z8G8|hJ+gjIQ4vH~DdB?A2LrQ#)}JQuB$#5bAW>%m&W&(KL`*>?VB_F%a$AAo7Y)*&
zs10O=c%lyqhOk$fJ@h20V@cvNVS^WJ0>rx~CK@pE@RF)o2;P~I)KAv!*)ZDDVW)dI
zbyD|ferHxa|EiuJ&uC%)D8`rb)NJTy@71eU^<^&prCWdQb)=kSoF^4DfBFD;_OJh3
z6A``R3<Ic7yJA%G4a5gR$%eeih6tp?YjzA1x0ij#-E;GmT(IzGiMU$lhiN#V^Vsm#
zNvZMfI+LECq0P^_;io9MN#PH=b`#d#D)7y$1>M-sA$Du9o&xiCwYj+P2j09{;4jB=
zTcKaJJTd9_++zCC;im34j}10<q<CwqpWMFfo3UIm-oPdC;gIO?(2JiQ@75P%aKVPO
z1&+Az(><&LPCPZQV8JuKg>m76cHXoFqLJaJnDEe>SP9Kw(?G&=&ej7Jh7gI=$PxE}
zD1jKkeq;jb&M*PJ3Wf#U=XOFdx}XpiQOcFaXeK-_p2hm4P8@Z~Eo~;MK)vCu)vOHm
z_DN(twTq}bPYhy=un#L@^fxz|B=6lb?Ss}*HHm_ThgtG#Q&^h(-0yCStY>EGq(t2@
z3*AI06L1i~3+SexVZ$URaL!O5`s)KEHvHoXEb%d5;SMDUWD_I|?6JhyOthpoIrL>5
z0vZCarB2~%;CX|0^(4{E%YeMG1xm-a8xREc&?MB8OtQ-qXl|QviAxiL6|&|fy2inH
zXm*FWtAiX`e%E10b+1jpi9_%V9iQ!vWiwh66Bd26b)#+0VY#BSDFhb=O=IN?n}$>v
zpYo=bbrjH${s_FmP`AtlSB=b93d0VKXCxL0*eaf841dgi7%}{hw7*tpXo+IL)d;DY
z#Y>w<Y4PPv$8gH^1-^lX?afet)D27tdb}Z~R@0>_lUD8*q+<T_Yo&VLU{}@-)~Rc)
z^84#Xu)SzEsjWhiXA}7wIrg8g(&}~kC@#M_2gjUYTz&NK$7PD;HXS2LUrpa}ULcBF
zaf6Ea$??fg++>*abI>8U7)pf}y{*epNcFYbCwLtb1*#B(UX3}BYxbnAKm_ZMvEeaE
z@Y+!!EsYrj?sF}KjK<=j!O&JPJ`Ka<5aF=+K>tF|D*PNjw@~}Z+|RAaypy%26D`UV
zx<Bf|HtbRj^q%9qva;v^{~e$$JLuDq)wreSF?P~G6G00D{|q$=1pX`|;a^-P&<~%m
z-0=Z+vy<nyH@HtZ;3!J_)}Mwc0MPmEN<MfNN6%TI^V<0We=KRz2^H!o3_pp&AH)a)
z=dlFtCFZ=TgfKEcit|G!rawbzQ@fM>y4>C?;V1f3DLoR0qQ>y~6DLP`9mh1)JI9l4
zNWsw;kqr#pUmV2nUqvNGbd9MQnj++GqQ^uj${dSP4Ury}^Wp9B2jUl`C#XF~q}CoU
zEM9Qqtv87WV|H=bhRO0fq1o~~+d>M1`(hVlsC-b748+r<J4jQI>!JTatF!4oJ2=)S
zrJ|!JpwB5!oTo}d?dO9hiRavpNzZ7{dX8qDdOC!3AlwnDF|QLKrgV(|=tKb@N7nPQ
zJK0u8ZAy%|j5TsQsi<V`U^9^$L8fd>G8fw|lTjE5LgLG_7yd3HKKSN~*QD~Wpk8Us
zM@h+YZN!wsp9yUfY#y?uM7K$VkqVHN5&A~Niw1tcC1gm4uE()fV-T(oZ;(<DX(B5j
zL@BG6o^F}aN?OKPq}lr9y*<9>(OW^+&a?4_a>!<4L?pR|t%YD8`D{Yub^vTUqBPn)
z4}Y3%i8||!+I6Qf{SVTZ5fu76$4!h=D59Nj<Ap`aP)-3M&)f^E%t1Qj6nqe~kIim*
zyPB5D@SMfLk}}2uPFTw^9R#9>$5H|D#gud_A1rvBXYVoB3~E`&-LV`oxh%8Xd@{;b
z$&yFn<SY<VP_W3bksE>ogeJshh>j4nA*3V-N3ejQB=I65ZG=?_hKY(j0vAL{0k#55
zf@%cB1zIskXB)$V9h!=OKLL<}y#)jakPHYCfG-d_KnVaQ07hdOO*#OQ1So%^*@*lN
z$Ktl)KG)&6|1qzD2tCT%|EKwn=$0}%a{2EWdLVqg{MX`7=f8O2X<#GyEK;ia!*8qq
zn4e7jDE5ob-?HA0yodU<Jc^RtZ@*6@{=xda?uU#|Lq1CO4|B20K8ZI<p>5Zve%+#O
zm&s?Z%cWH7?w<Mnh`J;U$;mkBU4Xd0uhq;wIle}?hmK<o_^%6n8SX{QQI76)0siI!
zCHaBjj^|~|H`f8L$=4?Ms=uY^vyko{$ACq=uk9VQ{^eVq-Eo4B(Ho@b^uFn--9>e_
z(i>6MqIya6fawy^zfXNqG-qgAtfrHi5i%rY@ys_qJd@d<^E0}U2kqEE8CPKjWu3-J
zT&44|&(kqxMfpgwoxX6>IrCywho1rrZtw+SdCw?dI{*wRU<U2q0b`(s;iGNeVI`hx
zrc+cgJn&#ZidfSnN(Yw?fr;iI8#j~)6w18>3AS1C9K{=EnIdiC!)x8PMtwm@vVl!h
zzJi!*QXdf`z5*#;D=(;~v1+GvP2=2qBd(xKph5J$2rMlE1*BO{HO(!jQ{Z>(j#W6~
z9a_a8K#0xK^N!aQ>hWLdl$TsY1PGzJTy;(<RdTgX8?0HCm(+6aTDi8*^RoEJo5_P+
zby8e~EKSth6gcg<mtEaa_|MkMBV1;40fRG}TCnixtTAP_fPe`M5CD$L&}mGKPt|!0
z%&5ArnB)jeEP((u0d$zoGH)3e7fS?nqp6v4_0A5ZX-knA;gIT)P%@}AIn@{)J{Zu*
zrBiK<42Pgt(@I$RR7zJB);xItt(*h>S#jK1tUHSkb!lNVq6GlW1=p@kcZ!LvKj8qk
z=oLUzgC6$7g9lS8i!QZGmtzaTx%>sL!OAjlwsZhhE1e2%AV^8jS9nmo-~k!%o~00L
zpzKdn05u{MDdBJ%2QL%V^4e+O{r!N3*ox%!rv|4&&R(>LX-JMwSg>sHj8Dr<G`=k-
z_6!=x6qA+m8>}TKC>k3&5fha!4b&E1<?05)g3#QeU~DV|QZZ@<iT~u~DZ^ktB<1~v
zxZhH)f7cV9vU0ZJxInEyxPqV^B<{nZy<OsRmBFY6**R&UwEc3CkDxZsrcUheG=mBi
z@^}|)4ipHe2xE*+>NpER#wRY26*j^rEHD<8Y*H~y0?KL1>&hsLQ<J(7f{V07?wmlO
zwE;O!5L`t0HDF*_!UA~A1tR6ix%)3~vgPyslS3R&odBWqaW}TWTSQ?uG{92ED4UjO
zF5V!UEsPcih$hRn1?WQ)R*nk!Lllfppucz`ZMYy*{s@|>U|nDtQL3B;LBA7if`Y`4
z#NOzEY!2lk7u*#QbSA857Kr3cv{VWzITLN9g6-Lfsw)D(>?GXi!C=5}ZR{utb0?E!
zNWoxWQQ%#mf2rl#m0~Gm2M`2bOCUOcE`TDpYC(xoOWS1p2T%p@1mH<8Y_g<c0-1q0
z(TEKa1Xcp*0}BHCqLh$7j}0N0m5Ce&+2r(+fLzRV2m}ZI1t@+%ZGeq+JSutIf)EjZ
zqOWm=CFo1pgA#9O(OLBT^Yq8)rK&0W8ZIWT*U*=u=B*RxK3q**=h<>{T8Cd{WTdq>
z{-?bLDRw^ENlHUkYnl`7abnj6kD=0(f%<ABB`R<A2_Ypb{r7@GN?l(xH__BK?ooYR
z-=6u978|q>5|$J6xLA={1r;SO^X{0bdj9nEP?gv(*MPF-+nMmPR$aYJK}F14mw=*F
zskcxdL2`QLfE<-9<JFKeHvg><H5+l&01jM(`HTi7N?dhtftN8ZQGg_=X`zh)jl;jb
zu|7u?4G0B=g+55UuNlI^00j2(MdhO1ZGZ*IkCP9wRHwI#U{>kRj<6=Woz-vXxtnrg
z^h%VBh4T;FAZaJ`pig+g0zrj-QM}r+p&<Z}u@{tv@>HRRST6GA*UEEoDp_Y*M$+aN
z%3o<JS|?e?qUGtyGf^s9M_JCI=5ypF=FRJKSY$3~{O;o=OE~ci2pog*n)6zy2@C{>
zt$tJ9S7qa-?s;1IJzgbCVCxIKT)TXxyw<+l7-Mj`+H#V%T;4gB+a-4+x*>u96MWBW
z60@G`39MYixfCiArF(9QV1bL5J8FcfW1FIwAYd!z@l2I0yQl$7xtMbnq)L``x+#GM
zGyKdblBKL{@L+!*9ig6WV6WnDfDSE?&x3_NXS7LO2X)`kE?)hi-d7TTgwx3-wGHKP
zNB*BrBv#PxD~Nn{i_bF-U^B^5`Fgr%7cd;)ysikjvS~EA26^#JB}y0d$V@J1dBeP{
z3-dy1Npg$j1?87MrWA7Jb(Ay8z=0VUam$(4G|1$sU_EKE%UXt4E2#l$1OrAcIJI%c
zB})$4IEq^5^+81?N)c@wMJ-;rTwO>N_+jwcN2)3*DqP;wR6^EysT|mZuwF}}uAy$H
zXoRUtowVp>tsSWn87ffsYHk^8QOdgOY9w%Id?MBt)YAl&FYhLt`ksqwX@W|WW3(xL
zTGn-jza>gt+9|&+e0r?s>P_I$y<ZZPU6$zhu|Z!Raab1r9nT7(e0{_KjYxP{#8}Dc
z^P>9~LD?&!c39pxlT&nQ^RiY<*<|jCO6*@vZy<;u{8kks5N*j~C*t+T7(ZTiIV?A(
zU8|DB6*)fOu+v#&>&qJUB=Yi9p_WkHd0if(lHydZ+^Y#cuVVJ6B}$*V)0QZHD^g-q
zpqGbJ7BI|4B&4Z-2X>__Q*3={2~z%kI!IXV@iQbPOI^!eNLa^PK#Y|t1#}liR>tiR
zqa{lbU5_IyqwZ=VRHnP4LL#@q(K-@Tsh!c?2?JZxS`t*F-P7>_T0jlz6Ff?mBD-2T
zN(##9h~X+xhU`$;Dp>u{sM#rDw__&BT?+2R%@Vt{ySp?=ScTW!ycDUAbY``8J==DZ
zYVDl)brNK<Xq;mO%O;7y*=Wlqr@dKf=!B@dCAa;P?A(6aKgs@SR@$(C3|(|uvhOFm
zEVWFn8fd1KD@$#Nijuk}-G!7Y-DWg|p;qZJj^znU#k&@@W<S?-5hz4JSJ!xB$tvc%
zArB<1cIo;&lA|5kK=MkfmqN>JeSEs~TQyg@JGi?`1gq`WtZ^qOb=YmEB=(~0lF~&_
zg4?0N#GHgKiGxWi61wXeNm{+%Aks>^ZjXkNRy%iEG?Jxys)2<w8y!*b!b-!HRpSXN
zx~f(fNl-?u*ij{BqOI`(B=0(^S|F05O1Q)lRu@%12q$|jP@x2spVj3MNn0IL!333F
zRdWzYQ9WBQ<du!pH3uZDN~>sMN`ke2!xC0$R?smeY;{jTi7L~ozYIxP{Z$BJO8V-Z
z0}@piR3T5AR_|4}O6e*KRkDR7tg@=8DJ6LIXB3oDx{9X2q?KjW=A=rMDJq=+l2+AL
zQAm1~532frl2oBqSOk)@ioQTe3YMx`qz0$aEO-*8*-W$vQ|XC>0I7^qYyec2=~w_M
zvg#^_;0l!`EE-zSw9_w)fG84a;H5^?;VEjc9}*VPR!Q+8ZIwlOVu)TPP}-4Exawv1
zZ;1*#)hT`^n}jX-Qo*5YwSNAR6<1Y)rF0G))oXf8mnWQ1hUK({HR_7KlL^V>*XmHS
zil+)qWGYox73nP9OtL>nzJ+d8XniCv+N!(hQWH`l`dCz6PlZcPod<<UN|k?wNjXOK
zHeSbq3I<uyx`Jz}x2au0K`O}8_j_avI?`CZ{sh74vY}(zzUgbBOErHq#SpRjv#NB6
zSv6e^KbzK0kCe}ESvt$`k<sF)|H7u<NwdO6Thm}%kOcHC8%hFzc_T_&*hfL+uWf-M
zS0yN-S`Q_AOu`gi3RXO!Hw1}Qb7Q^=Q-rnMNfL;YSxrh<q_{0f60;_xI+UV0Xxf+O
zf#p(#RCWU>pP^iyfMGs`Dym!7go#S|qwa+*DqjYLbG!ptbSX+Q{P8QCW&*TgQq^VQ
zVn~!Xn;l|Om*u@;NR)h<XJS&YW$@rgm8Uh9z@_q)y(<>1RsgjyE1f4wtO`<;vCIil
zqJ9=|DPuCTa3p1yH`jZ}<ttM1Pp+Sp3(8o8q5FvvkLHJW5@jQuDqKj`dG`fz15}$k
zi4v-2h8Gm7*-Q44B?acPmXx#^MfQ>9AI%Q!Br6E|z_5&{Ih}O25KNhg9hOu-#NADV
zb*s&8OXWJ#W{<WJ)d-vZu#UB9u}aA59ZhdmM_vrx9b|QBO~*@*I*M~eipc99n*ykg
zs0`XIM0Hk8TPh=|25F5BSzakMl37>AIg0|4Jh(}%x=8ZfCgM^@misjsNgh(1-|9&6
zqtj6Ik>y&=`J|62j%-enJf=yi`bhG{Ccr5p%lVp6q>m_-Hnl+>T1?W71bIQ}v6=|d
z+$NnUBTB@Z2B3{Ej%!|mG{5P;iU`u|=BlV8N+->ZP)3!tHYGtCRg!I9GBmA8t$4`N
zhm&@Zk)>27*W)8gNSlw0jV^X?;xaU;#M%^OX>U_g5s{@@X4K;&N-a&kMn;zVHz^q!
zTa?z!WNA>DyNJlr)+V&0BTM+2(};~JYc}@@8e62%Y7#WG`K;JT((UGo5Rs)VCjOx#
zO03NkVIxYbn{0%QEG}(M0yL%c&>{jftm(gy5v2rXu;3!fZ%rJ)M3sXy=>ZZ}oZHj{
zNq^HvP!T1)rmNs0N+8Wqz(ka#G^=chD_(02vLv^8wPwhYiZfWPktN(st~NxJT$&s<
zM3h%GTx^Lia%~l|C6w8Sn`BE1IhDr9mM!KYZ4oTDOafXWDu!e>(GgV%n}&#zD<)E!
zA})SpaiS+qrU@+(J6)IsG(^r>nf8d8#7u@6B3N56qhyI@?qTN163??6%#kdQ%n=wO
zS=%!7xe~-&!A)`{hqF2hku0f9h8H4O(KB|r63gVpMRFyVb2=-LEWgZG79rSqnVVRL
zV|HZ-u@1;NiB*VpY$i9$5bOlZzAQts)iAAChh_B2`oudJQvv0Ob}MFVRw39yn9A=e
zHS?BXYY^;7Okq|b*uj~PSchR!V7Rdk%Vfv`q&pUq7&S<CEoL>9A=zA*Rw_fXr!h*Y
z4#Zr*aZ(+GX^`beb}MEFsu1j{OlzsfVGT0iQ;yA~!9`9x7;`QKIP8i{JSoR!PGNkf
z9g3-#^!V&=<`4<-*+Pj$PmaPKAf}%kh?GEiK06tE$Yi+eE<|f3$75n6YL^|Bc#X8U
z><8i|DRJ0Bh#yOi%alNUE;|<S8tHM_w~4z)j=&ZnNgg{Hd-7=U*)fQ$M~=*-KoK50
z1PFyBc<h>@E>PpLzYw5@9f_Ei6gcdX#3-S~U^5eBe-(vXOSAZ_X~YIk;<AkpzJC>%
z*o;y9Rsc~4NAXyxiAO(*%uGR{{8j*w21EF)X(ABL;;@ep9y^M`<|X0WRxV;wPU5ir
zh`T$A%eRdo+*WN~Y#qgA9pL776^i4)>D*Qg9&JnFvmo$}UloC~!nD3C48^+&|1*fl
z26>&<p)D2V)2Hz$0P;=LfR~{1rPi>QVdAygXq1NV9P2ucd%P;T&ZEswKOLHhQV#~s
zv%DyHv38y;o-YWl+k~Yf&+fCicBh3$L%aEAR69ixE33(qxgjVh@~-XpM4(<}-KPm=
zj~g!KL`rn>!0AXOWnN8P+lZNq#>1=}e39VdUlBQHgAsg6xI7rk;#?cbd3;JcJOQ2W
z7DsOxPS!-Sr-?UG;>$VZ3DuC6TJd7(SS4K^9$l6RLoW|*fMQS)<h|1&Sj3fXwCspW
zY<ZS<xFwgovpRl-XfG8mj$u)a;{Db)O7`)R>j$Seo>AQu1DuP>6SDwRig{pm=_YpD
z$|JK-<yd$!x^aa@_l*}=JwM6jaoeKiq&&eF!cG<Ac3%q7UL{N6T8qokd^uho5{2;D
ze|cDR6b*s{%#*6XS8DQ5UkaceE5-20t$Bklg-8zv0{B&2@<3k-<lZj@aH;I^mRAbz
zUJ`|Ht6k!>t`*z7m6O7#PXt1ERl4!2>l)5`ycykNP)ftY;XEqRyediI$?4`yo)wn7
zABo{wqsi-|P*tq(8gzUL?!0`H!l^ciNjxe6XftIq^y;%mTRMQLRMQ4e4u1_41n{Vc
z(_T*szZwvkvV~9$3M}VBwKkT-@U2m&%$^ng(Ade_+|TBNwr0Up!JwRu6#^Oo?6__E
z=74b=DracBBZY5G7D6~y%+o-Q6}_|&5yG{GnesSRn9zF3>S}e5r}wfy1ypSi#Bi!<
zqC7_qWsN^1aH-<Yr<PfHOd2VfWz0AEM6;?DrZlIK!l6q*ksJy%v<@=ngQ(gS$lzDY
zLR&9TD*2&=js>l>>}AY15*iJN;8PK!%zg!aG_#NHterIe%P4Qwg*Im(upy+Veg#8m
zI%Z@HubNK>;8J;@jz0pB4J1tAK&CrH(EjGKMwij}GV*BiAAxL*FoW<YPSHd^1dgVK
zQ2Yy9Xk}&W1t+vB*{Feiv@wU^Rr^H)Ixs1%r=gIv3jb+aAAx2qCZq5yRMQAQ0_vI#
zERldz&7e#_0-&u1q4*Z~(?B-@*qUkv;9ql3QXmL!`m{u{yMbBYs*S+7W}Mbq8<DLM
z@pu&Nj4==|0)=e?0{f>#Mu>rU6cR#p#o$nB0Ury%ycUa*crrq1&MyL!nneWQQzK0i
zE?_v|(e}&)3Y%y-D`o<cYck?+DGahasayp($~w#^0@|!K6M<N@i19cSUa{mS0>zdw
zgy2_kWh_nwMOIn_;8A+Qu%Fb-u)rtvC@iQ6{dlV#f`3x7z&JnZN?62H!|HO24kfC4
z!V___2OAImQ^l91T;E)>%VMNYsa&!Gsjuootb3}^`k_l8q5oY4ktl!EhFC0z`(6#!
z83X>eShQ<ZbN)$dBZ2?3H*KW?AN506`w#gdWtNJtc--MPlv=C{*2=OTty|RXChK^A
zVEpSpKvq0fRvRi4_AKKPga2Vaw7K}=sITP}^RfL#<UV2mEGMvnfTSrU3$LWAFjC|l
z7%~V}41(VVK_!6femh=+)^s2ucH>zI2rV2cKoM%Sbw<5(`xivomt%WXwFLvKt4~fN
zGe{tZw;8L`CcoDjRoQ#Rnm~Yj+Mz=RoGZTq#OS=rG#Zn`1U}OrOtS?G>^e8M>*BtW
zQDHIlY^ep2W`RoJuNE0{;Bq15=l&H$FWM^N!C)eG1AEGY%bLoAh3v>}V?j0~njS4n
zfI8TF;mwmytvsk}+aBh&qaWlDa|%krK^`Q|vN@JKa$=qSOZ(nD+B_nr{KLTCu2;et
zG-QNhV3Tn1%&~EB!m4cfgqDihZN>Mx;`)gbY9<Z=O$+e;1GBTf>QexOwaK8RrHCS-
zTT4Q*g$`ubVd&Y%Li2rsco6{Nz)z7Dhcgplz!^7V5;~ALjlqSj)rj&@x&@#;f!J6A
z<0;M<0oE|qXzXxB4f2R7W@d`*DWmtgBL+kBoY8zLRUvT*@4;M5ZU-8ph()+-USk0e
z4j_zuQX*a7bJ}mT5e*`LfUWMh^1T4j*L7T4ge;Xr9J9q`NW`(yZGND^7TEPCe8WH?
zDl;09c$i(0_17ew&(7ySRx8lz73Eg5Dy>lq^gP1rp1Vv;ecr*Ng#dVkl+bWSQ4&y2
zK7xzCT}`4v2gsa<9g(-SxEj@f@7IHhVKE{`T-uDtqgaIaSDR)zErSY6Yi&&vfV1pk
z2vQ|e)tQM=uOSKGtw8KXbeswAMJ5tNO7p9TVz#n*7-fpay^F-BvdOeJL6{*k21j}A
zK&O@nRhK%Ae{yXH$Y3u=13YOPi1v1!>{rSFZ5}^F4$jKin_VZy&sR*LTV*|)9&Yu`
z>A}j~W`IMw05WA{1GLpJDLD#RV8f?oA2j7qW#EmB%pq<8PS&V3{0nnV3rEAaA7Pdb
z$v*`$iF!kfRmUHuwP}e%_5RJmDu7`fWG!*<6Kpu-r*)(A?IfH|FPXfXy$Gj@&@+)n
zrfX{_Bv8N*2ruE<ojdPlU-W~<$~F+VyaM<Iv%9io&XVn@&??fRLA%dDU4ouN0%dJ4
zFDSi}Rd5i)VgW_1a?-pt9E)T1A5s#%C&Q9ih7IyhI%Bt3C?D0<y{8wQ*28=ooHhsy
z6c}h|WE#=8BF=CV&LR>B*2OXIYOo31Toc;q#(R|RZYaZCG6q3xu3#c@XSf~Y)xt9s
z*(IzL7Z|ojEPIU~Jmp;%%OCMDe$j(OJUn9X{*Ff|(kASSm8+;!Bg>%oSXv#ZJFe8I
z>L08q`9n2@q5MN<u>+&CVS^G};uZT!Pi7qvF>2yCOSyxWEbxDvW_uN|gBlsQTb@*{
zDTQDZkUaTVF+FzTC+%#kUX~p?`v1A(NOS4-8w&N*4bRQ$F5j)xMPG%!pKjs)G|djh
zmtPkR9%t0EhInoSIJaZToq{{f(rW1BgN1Q~R66$(49rwG@_R8#hyQDTGQ5Ma+a^&6
zEz^aUr9V>VjYIgzkxi1rGrg5ApR>jE?F4Up(EA267;~9Tt``?jz-2G(DLNNw8?!}F
zkXD~dS%S*K)npn&I>8n!UkDjA>7=fIjr7!3;~T5+(7pF!SATK9f$$eN5mUMZNS&~u
z$>cB|2$vxGqZg9SYfY~AOx1SHn>X!vmU>PGJ=zs2%DRkxHyrBn#Y&#HN>2JAnRTW~
zIGxp3a|$aE+53ID2)to|4(UUxmq4D9#o){))h0D-zszG|<b?)Y8uy&ZKsJqJv1%(*
z%HeWP?@+SXNL@uR?hSuvTiUTL;mUb#7Z5xQ^RbH|SrLT~qjps}ZGASGslU`XK`xN~
zO{r<|MAcNK0zH1#>|fyBpV~N#NtDTces=?ZD!hxtkd8%&?VLLcK!;;mbr+`Q^{o$Z
zU_VX|pRmeu^<IFaO-5hj;sMt3vR*q>QKxW8<J*Yt0J|~AbL<mKh>_%6_fTbq=d-);
z$mgff&7bq(;rB6(K0Axk;B+eP_`4`YLdyPiI|vou+g(<K3K6p9AuL9D*hJlMaHgvl
zlXi&a-R|O#U$3f{{D%~^1}|Y_Nq(!hCM>!NqDp`nX;pJO3;qF?E1O_<T{E$YT&!x0
z@S!N5N{IG5p5sqJZZRt3Xo2W-TQrhzY9bZppNmM1wnOxSL6()gUN4y|aC4zevImeu
zuuV$g#<TqhC{&rmDF!v*Z-8PKq4h8r(#!O`i_lo;q6$e)WFmG;+`^DnS1M;PmIoJN
z`m}6WHx|aPDtaBScS}f_=TuI^oyMbOcI2Y^3PMrPItk-AzU@~GhS;X5rolF1DFP79
ztqB~9qU0%a)ph=tFW&=v3*JWsc(3Ef;-{A#x%(@!pf$awOKLM3HfLg4P**p~6J1^f
zO7CgFrlU~lqeHFbicCPEg`z3cA`d8;%hio}z&lpN<mLJj2sjRu+M`M5)8A_pdR&M~
zm}T=5BNGseUGm+>hlF}JX4)Vgy>2*o4ct6|{2tKzb=OC==mW-%H@c}!bgig(ir~B%
z0@#^Y{R)A=CG3M@s|Kn~$!?~FyVo8RZT7yu_w`xA3>g9uC;;7Jf^qb}OsTDFQNwTJ
z3e_W*TCjLpso@=)n<eno_+*w`KAN8b)9Ui;xO||&drx-Hd}V{^C15EV_ForssE6|S
zF^&r37Klek`lePSO`Ps-Fw=fVEPmy#d;#%7ufB<tg8Jwdmw7DC4|5RhjU7W^Rje^s
zI^y0kX!0g=r;?$gF38o9X8$ZqPsaKFDc0*Wh!M{)?96&Ugl?Fk=hcEyo013X!`jKh
zFoEd#RETiDJYcFh480fG2~T3))BBhjRpWxh9PcGJIb+vS$r83$&ml1}iOofkT!u9p
zv1uRQU8+yb1*Q``O+=2O4u<@4d<UJ2%|8NV5P==9oIA1*?1C#_Fv?EGbwxf20cOD8
zx0@sp1*x3IkBDc8YV_r5>2)QM42;r}x(<`e%HwQ$B8elSzRW2Jr(a9N8xtrsEjnFh
z%UFnYA7|s_Jrn(S*`8BlMhpPb)R0D<Gvm{o2+A)^Vp)J@Xe6x!h*lx-%%d*ssU3{0
z)!wzTA&$!l52Zwe&W;-Ouu;NT<!qqp?v1A#F|&<4Lb}ssC+`zLFYrLVrhudJPEz>`
z=Od^vg<p-Ho93pN$;&t<l3?j~+V@NG;mxM|Wr|E~;FVJ$DCk>;%_flQL8)QzL@EG{
z3p|DaG@`ooP592+(9uAbHBzQ(K%-JY1+%-8(wl@;4D`7Ouvv%`X47Lq4120(ja{j7
zgsaoUm_<#a!ba?L0>JX@@@Od+(E>jx`Nmq<FfBx@bY^lTigTXP02M4_7hi}G{Pd}D
z$TPF}yi#r&b1=ITN>oGT%W1u&W6;<OQxOEF6M`z9(SlI|-DYwKkPr{aBbPVZEIJHk
zvhJ&O74r$gZYGV{W7mvA^M+M$aMQIc){iCcIZGvR9P%wiLFA_nHLiqCB%BP2B?<l+
zZUCk%0J5l<(p;KPO9Nt9I1~e0c4lR-e{EEoLck~nyfKnD4Xk?Utuq3#7qP^$a4bNx
zzkfRMmM&2Q<I1W51W`0MTL>3pHJA#UeP5w?ml-5kQQn~{l$z~l(nYj>+^Z3C*|Fyx
zVg=fC6r3H^DV_z2tDDy<OcOW*QnQ|i)aC{WNf{NBZzSn5jTFp=ouVGau~7!~1;IF2
zq>(|mOqG`YRI-`l*vTZLF_jN0O4dLWih?r6{N%Ns2qF|nb=tBuU8OFgrYp&vO>E_T
zpf!q1C@9*M&WT7(s_L?m*0??(R7zXqZXB}2;!lo8;01H3AdHAQ63?7Fd0d*vVFX&5
zNXFd#TCbj~*5-*7iZXH{WEf8ww!>299l^*eaNEMov*NEUh?ZW91u-jOM9ylRA1YkD
z6{T-NWJTvIB-i^39r?`qPlQS2S*2MWyerdXqGX;yC{%J})tcN-74m7Nbu1AhdTWjX
z=92t!lRq1V-1BU8Yfg&kWUESiL`yJ9ow=ltL<Pt~H_QlJu~*Ju=eLfG$eA^x!B$l^
zykuA+W#kEQD6<|Yf*E6s;tPgSj(U}54o=NlFeVkZn0+|$P&qS|%E?Kv&FWVit-_7r
z@Z^z?kf+&Tkk#5Mb)<*_XYy!>V7dqd{H;KUY19aZAV!tZJxn5Cp4hbB?Iv}S-6pJk
z*Q#H-JLA?%F3m8!C$eRj8kE+zeo~R;XZ;d=)NGf@=!BDlYpb4<8?Ce49h`w9I$#Jn
z6(t8H_nm-k<f8S-eCGH!lWMbOl9)Q_1E}b=CsAhxXIU<Y7S=e5^>-j~-eLNt+A9pF
z7o><Gs4^}(G})B{Ph^E-BH0SVEv>f9uA4*jP0E1-IUwQms1ah44m(DH7Fht}JQxsf
zjt&$z0Rn7bbOnwG@J8-FFuD$KyQ46T^mgoEFAOf>B26{FiWk`l1G!+j_*feEav_ZJ
z*Buh}z0ftMK*ZC#kk)T5IZY_xBcQK-Vp;jTEq&oSri3Iq0p@+%6emEM%evOl(;OLm
zcZOTRcTq>I`XBQ`x^lRG6v~m}mX(OcQVju6EH&|V=zxnD#+Z~kKb8oCf#JUHmWFI8
z9gM}i;LSN1wDTKzsta&RlOYH_0~pdlbD-TG5$H*|upksPIdIVaYLxlj=v5Qx&k$B!
zTs`DK4T;tiwT-hE4Q*il$Mh~C|BaZh*jj?j^6=(}_ZRyl<~77#2~GL)d6#f8mvE!j
zms#9TXT`@*M1?K97<_&gJASwqcJ=z~xtCqjl8l=jsa8jFG6Jziasz)aBO2~QVqB&O
z3<>wS*xe&^lrI+e95IRov~!VZ8jX2JUJgS)cCX8eL*0&w#)n@`Py9nFsZr7Q*+9BU
za%hIY55~QRR|Fd}2~h88ab6`yI#sW-##K^HEAM68EoIy^J#-wHcQ;Qx3+5ffb`^RU
zjRwy+Sm~G<8P@JTkTj)JA4o85_7^q2rw7~)r71vc-`ql*-xtBLAEL%_H5TTMrV+}w
zm14gR5eDLr;D!yOGf_xrLk8BVXQIHrxYAYVG_URy5PAUB{ms$QNNG^Hw1BwZ^Fl2#
zqXo^rLaj~_sFVmLoycLv!f>-VxGz)CX@2%BtGQWLz##y!Pm(8!03W=fYOU6s&?BbK
z-ZPpDj8ij4k&ZPi(dMQmKv@(<S8j{<ex&8F7@Xi>$w|O<n3&5}?tBbM(S8@$S65#u
zTJY--udH39fXhG>I2-3hp83#6=(d8g(?N~Z*WS)u1eC_mrfm;2y%jOMX{u({ut20V
z)f;H-9&mTChHyx;m(2$~QEiQ=bD4lWfo%?OTk9fZhd8C<N`qU&QO72Y?_<Ogh<Eby
zR}Tu^8OsxNvw2-Dj#>sq`>5F)SQzEN&tFvr0T?eJ1zW+<=K{~rG$jn9^mg`!9~r+Q
zZxMD$Qp`cuo75G25vh||j4kPqHWiw6LH0?yjElaIn9#gsb2TCW*Gelclgo446C|{E
zL)d4NnqnEL8UjiGq>FSuNkK^ezaua(@LW%gUeS1YMP@7e3(jHj18VJxIB($1LH5w`
z`nxe$#2ElS+Cx8A5yOm5C)-O$s_=zj9K_;rv@N`v!V(7NKZA{<mYl$AIh?~eMW!Th
z%uc4;PloESKp%mzG2J%X&Wlattq8YCNhYjhFpWuMzb;-DP$@T(lr}@1Yx2o}_~3pn
z+^1Uw3RHO2!NmQ+#62><?yA(@cL^zJ4n`APw~s!%$Dhv2hgE&V9!=JmH1D&#CN$Zf
z9}I`e3^ObpkPE*f57sWx|1BbKOV`nhQ)c^^Vbs~D*-nbj8LZ{&AYDyj#<Q^MSxX+D
zziwPZody`nfX^yJ3|}fs%ghwFlTm$>i$LcUhI*v&68lh$&I4TZXftdmxanbGeXmEM
ztpv?t!pk9?tFp`fQa1GwP=AhUhg5@n!?F;m3dQk^;mLZgq>d=erQ3Oer-UkLXS9rX
zFzr2I7u#@@t+%oaMRS;Yxf23;!*T_f{g5e#jV9W%=mipcVDy1D(a8*)n%IXa{5_7l
zTOq_N45AILL5H|n?NUdPxY5W!Xk-J(=M1wlCB$=vnOPH3ImIlTf|(rPUM50Vj&qX(
zAi_sDekRd}O21r)XK|iW4j>JH)apUB>4C7Ekj~A>8RcALNr&e*ZL$Gj`P?>>d2Nd1
zka7SMuf~TvD_Sgh;bK2HU=1)!JtC?I9|vhV6LLZv2BHhhaafWYF(g(aCo>zrTCCJ%
zK#0|fG9=s)DH*dr24y5zqici=qKg^y*&}l)4KrkWOb$AO<tT=&*&`*yB*kK%OicYi
zgxHpb=$iu0=3UAC((JkP2#i7)RETIX6V(dCb}p1L&D$#!hGzDAJOa|jB-#T^1caEe
z^h$w4MW`PQ@kDl`;q3t0-k5~%L6w>A8;V>7-`QCA=kOkq9;h?0e+&|XCB{Xuid>2J
zZ%A|VqsnskA<oCcFqAJF;e(CH!j;7?MEg>`D5ZVH*6opW=>pwsJ6l_1A&2K2?Q$f;
z^MS0yC<7=23cz6e;J6sj@s`G&0AOg!1tb}cdekAVEQ$s~a=F{ICCjbL#8Am*bt&#I
zY*LakjUrAXINX05gNLyKMP3n>z(lHI4O-v|GGp2YnglB3RuPBiFl@3DL-T>-s=Hkq
z4%LIIp;?WM9*4F?E(5w_(DYV1>jEfUGnhVIn|YQx2C%GlZj3<n>>3-jlQ(L_(!!3b
z@;5joVUR`>oU9X_>DbTi0&|#x8M1=|@RN8~gs7b0P<^-5{=;<c8?aaXk{~mdZJuPz
zE{9#NVI&)7TYdS|tJTo<u|-*UE{%q`&bIAO<?)>`Jdr3bw{uLfp7?_Yxj7=VXe6BU
zj8?6uko6KWdht2w=V%h?CAB9Y=Yh@K>&ZUddZ5#Y(yM74m@5hr*aazJySx+(+}Z*o
z0^5mr9e08ogSMpE0?Q~Ucn^zxPvmZ$Q|24TXC`|gnmZOJX|h0p-ELv!2bc{WCOckg
z@hU)2@@Jt&wAR?>sKT|g>UpX+5Vf33!Z1|}%ageuA+v#VSr0(j-t$=#FuBC3jDjd!
z?`e#V7+mJGxl1RT0k)(ivJ(JvnooHO0FF+*#85y-63<Z?@DbBDn1Yx1<fr3?t^9Yd
zW`p|wj?_A)YaRP48~Ed{?i>}Fg2}<?a)n{BIF2LgQ~VAfEaXX4$$OA?MwaGM=G9Al
zsf;q;nERGA@gjJf1L?%kE~J|se5YqjkSxb~{b1Pg7H;N5?~!XU<i#qlNRZ%N+!jjI
zR2eE>ib~Ap&$Rf{ZTy?q)p{WVyrY~!BBGAOFVV&K2#2T9!s7ALI~kuxZe@(Y9VKu?
z01ny{AO%C1nBNiE^l%BfA^Y@kE9TZcikNXa5#W!qiU|f#Kuc^X1VH(;0@)Du`Z$!+
z5P|ME1=+oJ<0hR|@2;RMoSNI)Dg(IU>rBDL+;=}spz{vG=o^A>Y`R2c*edEdBFa(&
zQPXG(p?(#Gpfw#f>4#1^QxNRcu|zNqA+Fza?y8(QDOme<+^G)dsK$IO&1&TZHz8he
zGMJ;zkEMRJ-t(6HRwbsF*SwdjoO}L(kA?5zmRlH}d&xcKdiC$`UcD{r*Q*{}$6No6
zNPaZRZgzFMrr&9`EB+IY11ZSe;W)(NmOPq4#^`&N1mBIK&a_dy%Oi!ZoDE1~xRk`W
z+-D-WPE$S4K}weq^&;_ekQFKkDiEa1kR?fxA4KfR<SpN(n}s7kQ1l?dgwWZh<ABST
zwC>5<v;m!tx^=K1^v-QpW1Qh2f_H1NQ38~~>B?*@sT+>=%K)s91+tI9{^=i6Lu4}&
zVMTt#RtWb_aX5e)Ks6(M2JuXksBjo#QS5~sZdP@(fJzw#dRAApD$WNpKDAC824+X|
zJkqd_3QYJLnhOwc&FcWj{X?^>U6}#=lILRxOFs8e#a0-Jr%}g-2!~Hm$mKYSCsE8L
zD2b0z#1!a(Z&A+V*o?<f&VHk~jOpJ`nC&2wqgPFlXuFu^vSW|c$Im>+19|EK4uLUF
zcH6QQr6nF?sZFq;Y4aVKY8RH!rZVi2(8RwUIg?PDqryU+9UdVe%yDfNAdAd%wVEb2
z67ufMw_xw&Wvw6sb4%#VZ;!sk(4+{SM9U!X=HGDuMc36x2-_l{q!13Q()%b4_4m`2
zgosACDOZ)!B()hXJh=<QH8xVoNjl|!n`oTk)prsXXHg+;5AAIA_Uu~<TNOi<@iWK-
zA+jRm0=!cKov{~AW)Smqzg2fNYQ{Y7*52IMncAF7u)qEi%4m+<RX7x+2oa2Z>P!Bb
zC@!Yw`;kD9C)E)soAmGrV9uy(sDUI(X$fu4I$`QXn&glRi)mS>(EymKfxQy0hfu`8
z{*Yzi0qD4?5n<fS_7x1-Afzc!4q^|X<XO*D|NSe@Abc+}JIP4%#|g>M?pNGPpBv&A
znNb^Tn0v~iNnByiWp~}@y-+SHR60BO%stmRiKXYRkmPmIEBf=ox9iUi#w&T|J+CVN
zTnb;?b5wMbCszu&gOW%<A4jD&@a!Sj1`IBqcAWL&Ai`($DD%yeo}{!`jF&OZ^evU&
zPjT`u&Eu+%0%9i7-yd4k4x*2oL&sguABA6+$5F_0c-zNiaS9_Osg?z!M`B4UeA-qt
ztIy3KgPasxC0<dV^j|8juT9gP3hLKmGn6_aRKfsNyhB25UJ<5JGCwd|_(>{@A~&mj
zR25^@L44JDiUy}zJt850HpdM>WXe)4B%F4DCt)qaaF8-7!)XlOBNfDRRN5iU#BrF?
zB7wYeP|_j^x^RfdBo0ZvZZ_%LeuIzGGT6!rS+#W&Zk(<z7_wX)>q`aFdE8#4?fQdv
z>Qo8fvQ9Qx=#D)}+V!P0LV;DRb}gV#TOydRv`0Z$1gBb?sJlxlT1HpRS5tDnN&gjZ
zs^gKO<LFZV6_@~p1gMR`g>iOTg%wTme1VX@^{FEeH+{eCkWlut+zp^g2d)#}44x1x
zdFzx)=bowpl`um6n?%JC5FMk0M6n9Jld*{s5;~_RhY~Bgr!q$pC>kdug;FA#Cl0i&
zYFf|24F^iXfVw6fHX{6>ayF*(Fw?FmHuKNR)u2%!8cPR|syoEe0$y&vf#gYBk>ZP&
zh`=+x*5a;&ovToMX#wNAQk6a+L*YxbiHT7<!5b<x{qY`q%9BDm6u_R%%_~^R_`pBs
zl`T4n^y<(?FU}a-KBKJqj)bsQ@_e)EW6!TdmKn~crgf+$gwa>cIa#+<B19q{CE0aS
zW7N~+y`pd}OnxpW6*c5i{;hP9=`7(ffn-PITq|Psi%*SD%VZ@774<DITL3QU2(|L*
zWSOCD5D2tLH};jq_RS<w7WWk}W|Cbuh)ezEr?wsp;Dj`$0b=@~B!Mv*3XV1o009Dy
zaBap#K?{>!dxnFa+Y6ww(sc?K<Vd2t)|kELgo+RZv(Ip2L-Q_;x|I<gi_^g5P}DOX
zx9e~mL{h2C<wiBsy2{vHEAEpbl-buYvyQhd<gjw^Y2((8!hLo<R6ha-@ayP2G5<82
z^{fqw!8>6}Q}m<#yC7yU9hK&^&NAG@T2Dz7QZVWo-{$AhF>p6{%bC}J5h4^a3Ha3u
z`JOA5ORCbh1e~5qj_abQ&d!Tf3nWa|FDQZM;eZQusN+v{IW$q&Z!vGgRp(ay(REWv
zfQALoa`}aAb^`GAjVZh}_!mR=r0%#NUJaXXes<p1=CFc-PS&_}Q-qX5FfI|`FUEXk
z0+_<IZY~>4DOA`OVAdygwFrpGV3b*^0roNgUplv|DU1T15NZ`Ahv_b8)2kK(*4P_|
z#@)(R5)rNl5_BNz>LLUQ0Tg$Z^p?J@s>_T3g%P^TjcjFrqN3;E2*d^>xVNSgfRVNY
zK~-xmlvoE=vB2!AwKM(4<1viCQE*bOtpRX;Q;n^gz+$56H`0WqMcD;`d2CAHhRF&U
z74C{{S-;Aq<9AVX2rR(ZV~>g02{*TsaCbOYU|bYX?&Z#v)VNxLFx5&swZX#Xy!ze}
zKCZ@)L})FWH|wF-Eg>yrF<uO1BR4F??pi_)0?;*lor{J}@njY|LJ0@ks)EWXdw_%P
zy%SNrY&OGY*12sfOWIeTpd}7$6rksZ_@J@BCV*cuXH0rg9+u<Vn1Quv@`Uq6wOXMp
zZX{TKgVJZ=KJare{VtbJ(0wQd7z&|Rn5tF=1NFt_AE6&dg`jZp$cP>`s;H(QxGkkv
zeqUnrw3`Gh7s|wj*al-y%0~XaQG$qmzZ@+Rs*&)S>#xO_4?r^^5Qhe_D;<?RH&Lvz
z;zTWAEL!q~*G?{XnNqz6ev}pI6(pjHi;6WWTXYd>xP#m);>ylRe^nP8@Ifs=!EW~#
zK~ME@Z^{tyRRTuQKQJm_umr9$;QP!`lhhm>^Xo!A4aJh^ivCbA1D3Q6fYl0QoFH4c
zG~zUJ9KmeS6LvI0ot+ue<Q*^S@C>X4k^<_x7%JjD5jj3-1hl+$I4a_xsjv&jN!dWB
zjbh40IVGX6iGKQ$Tyvl;ERN2A*c={Jx87F=J5~B<G7?uHgYA`4+zg`=ZdZf_z%~aH
z;+`PyffZ^)leC9_c-wa_km2&en)q?i*K>#n0+ve3L$rI02`b3vqFBwFqvGG=Ei&nH
zmCH;R#pRSMj*39$L4sv1G1lkji{M>y+()Z#LGSH$VtIf-10%p+=b857nwwe+Ok3eB
z7-_gV{sAn{XjFlE5~_KrMS);&1F8C8k1RnLwNd}eq>_ewP^8=dE?(G8-=PIl7R@W=
zBG#kg`3Wv98YSy&ppyQQQI?S5+Pfp6$3~pxmQYD_dxTY)!?vCTmZA!v@3g*2Swr)I
zY)qA~Ej&lQB1@t07OZ#+i|jt--XD>Fy$_mUb~7$WEwKE^Oibkg(TBwz^`ZS^p$Or{
zKMDeGj%C3j)Y0?{I?!Kl*remfr-%=*L=KSP2T+E^A;XS=5sE{L-05B@;{l*M|DnZl
z+9+gt^xIZ&3#j7q=m=Bj4oRwjgarZ3{$URa1C<;?Bh&{UXq+kP1GIj6wxK|END%(T
ziKD1?faAbAmCQfIww?SlA##F?Tr;>^C7%q-)+4RJSf_4Y!P9r4nbnqU&C?Gn`1H$C
zJ@T*IwGponG7B~y-Us`D29WWZo2V0iE$JuqK)9q7W+LZL0N@dc*EcC1*~_VEa-@v{
z7thPFuHq1;;t&|1INQXe<kHc{`he{MO8lTYr_1Pa0hU)<UOkNd+e6MwN828@{0dGm
zg&aT|!WT3L3@GDfC>bh>o@JL04w#1kTW=`>K%tY{c}NljOoI)<3P^*hA`Y?vS{(Z#
z;sc~#2Kxr!ltIQ_V+a&M-jQ*%VyK=9U}W2bg!<InONgkUb(Da_M9EDNoq>3i1|kzV
zmb-BhT4tbu*(Lgy17p}hSg6QcxpocxM=&8U6Y<Ef$XZdSNO>k(7dKCeB>^c7tDJ2<
z_R6H0bZYbkHk`GmLPHxhqHmIlcUgc+v=h=Z#vNAu4cK|=9D!o!1-*87+9~P~$f8g>
zONq}gty9GSTudVQnrR_0Mcq+Omxcph-U+?j7L($s0V?YtqQsC@uo|(Y*q;QVQ#Kvt
zFuR}@{ArBf8bX+bC8fX{0DGV(y{sC=<zzGx!9LcA&|We4K>r0H$n4b(9O|e;Y(jiR
z;ap~$JbA%F1Wjv%M5oR<-c@RiO_2lMO*#@0qkw>~G6?F^z>w$goGKcD$Ip0<;Uc?x
zhDqwRs!Xm2P52WTkPaqH7LGQT(^FJ+JTa;Y?+2W!BsIM4F{w>P0ju|i^Rd@S`MluK
zp{-&9BVd24Zr)cRhr427O&t_ZCyV!P7r?xR94SJgcd3Lj)f`6083S>_seB4XV?Yr<
z%3v2ph6|iAq7}%P?_j`vi{J_y&Z%%j)pj7769CBR0`zO@)E^oKz;9Z4xohP>c0x!C
z56}c%atd<;zM$=<<C`~;39DUKZluT5l&>ul;jfSo{qWGe!hWls<43v;fF=mF;;C?t
zgXR9AFt`E$UYih(7)^Z#e)X}XVhsXbsaq)O)O`*NZLrxxu{*$K+%+_Cst`4=*2nOG
zvY<^N3*tIk--L>T8D>a|CklK<Q^*Q%P@emzJY9J8H%$?<>Qq$FWBcw{56{hbP8J7H
zXYd}flmN>xJsu5Hfdc@OEr1D3sJ$bsr9hd)y^!c?V1Y$~PNVm=mX@$Dv~e|t06IX$
zzpZTzE?b&)M8Dh!l;EKoz6b6*R^O226iVJ$K#1qtwE`1-*gMWhm8%dqtQ}F_3;<9`
z6hPk_Uj7_wsvt@m2jo5yz$#YSp{xWxMn4T8#F6O)Qn3X=0^{M<6<9}Z#v;A1jOwI+
zzhc(GegIU>@~tws8G>!~`eY}H#=Zv*3Ra`#(1bhDCxWtnd<j6nM48ob4H(+`Ej@ue
z%|g-{mdwr!_J9U3vxLEBc^()>hOGnQ>hLW5Ly+Jnke!-l{PTlyFSFn$wQr^rA80{r
zVRxI9;*>vppk4x-i@cjGSjUx|C_XFd^(7xqQV3eJJ+>`L6cQjO4%j{j|5@y&gw<%3
z0i4rs?t4{-JQ?)n>^s>~KUsQGg@@~owP~FUBLzdE^WwVOpH>|phH$6Fc+>#42Fw6H
z1UJR?btt(hAJb9zJ8Ms0i}-+b!9(OxFWyR<gfEN=&t&2gqNFjntV?DK6$BxUp=$d1
z5$LNt)Y}POcB4Y!9r8$w`|S~T+b=|00PfF<!<34gOH)1k%>Z$SAQoFAv#4F=OnU_3
z9yEIzD06SAI|iQ39=9k66?{To4OyZ|2{&U_cz?5@V7<Io09lyB9>q9_YF6h=lFv?n
z_=%VicKgxO0qzK2k@Mfx5#BMxW6%}q9G{5D9NQ%G4is_;O^;z?v1l*zKdtQCD@&D4
z!ir*iVb%r#m0f5ix0}p1n02un8h&T69Ao#JM8hEu)no<S2-_3jJ|rR}2N{rZYDT($
zo(G}GjvN^E3OG5=gR2L>c{ulCBn74|-p#x=SV9?n?4(IrB<cj*ag^O%LCt`NzNdOY
z$j8$1I0cE`Cys#o*z#y4+g-?`H8U}{M}DPDke((Y5e7)6!jC}kxmY#%th}yZ$)3!}
zPWU57v<ZMj#_Zb05yP1R!Qc&(Xp$kw`QI4Hu<@j`$m9-T0)_wsnrYO85kZ>)5rq2C
zA}_ZZW`xDE;x*YhoPhFkK)Z)Yxi{~S+o>sb@HFyIA*Ls1=Q-_^4RWzaDH)4h>$8Kj
zpUA?x4#g>oNw#~%VY9TeFg6?|U1w0EOXJQN(enk48B<4LoC<NpFpFRu>b7>X+dhPx
z9AHWAFT|5$KuMah(Gv3K{+21ghxqXDoenG`!H53rVd%DBdX9)7F+5Ht2SlF1HOQt1
z&Kfw1AB<CU{tCmH2Vl~E;te|4d<C<(G`MV4Echhq47hAn2Xu8x*?h;dB-kuEB`(Bb
zMJ`M^8u~+B@laU!>pz#o(ZVmb5CIzv%8*~*-0>vym`sHy$z3)xVoyoI2B6LVCD_Gi
z9pLu>0`z$UNizu{0pdlfGv#diQBe>I3<Vw(8*xRL$A7js2}oq*{oUL*h9@A7i$0+r
zfHe-i5e16m8EIx*6CGj8$Eo-T0&diaMFk8u2ROu+UsV7=1WYIO0HwePJ$v#UAS<7X
zL{gJa>p>KNILPS`Oo7@g<|h_GGtzLhpJc*VyoD;5L8lZTS+zk<Tubav4}^&oPye&R
z{0l|mR6Fddgq18n-h4Xm#f0)ikFGzIt<e~g@6y=x4pp0#)(R~gvK1cByxplT)I=<_
zd;(_?rDYH~U1)_&ev-3r_Af4pkj$s~Qz2;{gpc(eX$itp0&$pd${Qch@JHl}YOrL$
zU2a%F{lxc7!`pT%;SaVB>CbDz4Y6jwBnq4a25b`<|K-*S00d_aAcAC68W?l)#K7?2
zL1e`l_Q8ZHSU@B`0^TU=GL!x&d=bUCXut&!%m-OG0*g8j>IrsotYm5(8lYV$ZKk%Y
zDt8Opv^Y*M0SG-LLg0{T$fAL~O+R8$v*xuf0q#~<<XtBKe%(a)N*LgFD=!+_IwQ_N
z1gn6kxd>z|D)<Si{O#ol##(S1AHuj_mv`J~0tF=Ew^sqP66#zp_t=5#WJEydltf`p
zl1mH(_jz);B{}h(b-;@sM8BZNZeWbw7)pd45h20!5$n63q|3O3Q~d8GguY}EaJ3*r
z0$SeaNh%VyifQEI35eI?R{{umN8`bRHzE$-E~I<Jg@D9)gfUWByXvb3UcN~b=-FfM
z!Pu;74a<zbt)GMnNh9xPf#s4IO~l40uhK<{K!DZg#}SxNm^pd*Yh#FpC?U(h+ENd2
z*wm3Ii3spuwr4XF{D-YIG<a+(M!<LjY-k+5U|522QF71l$%RQ@h}#4FEj;&B2e&D(
z$z-wyFfxa`vm*RU_8vRcp*ACjEQ_-T#YJH-S2K(TU%>_q`*;ypOc6ds3)_0tM30<=
zORWeNYdE~afkJvN0f%&K;E_y0wm4bik<u+*_1qLDMCC;ed2&PrgA>$%Z&C7e1OTTc
z(bjKc`Y%k8EYi+Uw6#{xVopLnprh2h*BEe|g=ui{PiJu{0{4jFhmt6d7C*59P?d#t
zro<3HfJoVm*fbW1hN%tAmW)6LiFrtA_5HU2K!j-!gWwnQB1bBP2r5i!3=5=o%Ysj-
z!7T=6S-N823Mq$BC|)O_L?u4LF(OZ{(JJL(Z29<~w1<iV=!=0v+8BuZ-3yK}zk-72
z^1O03oF#<p43Ul!P!v%9T4peznjDF1Nf&FtsY;~_iv2P1Jh2ghCA3WukDRbe*jLW~
zZQy}i51#H*DUhfX25j+vcG+f;28%z23|e6lZP3*HFc;o*-~~s6lwTTo6sHHQhQ>-|
zWyjt&PzA%?gtrkuSY)L|1Kg6ISeCgfsRe|W2kR06QxGisdKyj+4oeKoEWfCy-zN*M
zBt(kER?o1MjACH655&x|rm-|d?TRXVd2;A4Pch0E!Vv**(FA1_9S5QR74LE&0>j}$
zk9qmakCC86xcX<Pt=Wa`&5(&Y(ZE2^qhvIIGA%8VNwhbBupV@Y>`3AC6sR!=j0+&h
zSnX6tqxQ@p8<k^8vN!pRT+R8;c&fKrky+bj{kE>8v>p)aS)rHqBt^_Ibe!-c=ZN&Q
z*r4XvH^4wNk0n0<+QavyFwtJPPp8+=VH583YzPp>fQ_3R6{y6Gz@7`^l*Bg+{g6Dc
zYZMUrQcRkZS#yFiJ;veJ@TWRA0)3%TH$|cDa4b;L(hFYGH7ys<#@QBM_A^mSk3Aq)
zIu%42%t;-|)&Xb?o2V;2y4wuq$FoPF<_ZiJR3xmD4-Bg)0^d|g2c{Q<L)TPQ0t=uB
z6Lr5tkpQ4-1~i5I(6!iK_Ns;cs+nW-BGM6i2{}p<&-V@H2nQP?rv&IVQotf|Tt1m0
zKr*$59b~g00E1`mV74beLjZ_~yt+xan;k@AhzL_4Ood73VAL@UL87V1nuP&e4Eyza
zzXAT?%A&#@42@InlHyY(4f*U@Gq@pu#yyx;czzWmk1Y?$R&dC5H&g}w;Nq+M#Z=su
z_^{x#B=@jpTPdM&6KA?YLtu+@Qc(nKP0hx(HBgG_8?8oRIj6WDWJzpk<oI6hhIoyG
zm=)Lb4-bzW^k0OQi{RKZ@C%s$CpZG5lAuYp*BEN_DoM$e?AfrylBfjf78RoSoQX*%
zFH%+V|7`JtyuMK(tw1Et?V#Qd=X&pePA)(M5X%X}4Uq*d3xAzoA4j-=Cl}I)p;sQq
z6u3maELDO7BU5XDM+1Z~Lv-lRbKvJ+@6;b;%`7D0D1-m7b~4c&=%pm$TjOSfqK4&Y
zbR^_%$f(L=(kzp<Av?-F^?knlbhDTS8G{0J9Qt-%A1KfRDS$`HrxgELsU(@<hDMnW
z$)&F;bHmJCK_@&mjuj#yt_VOF7Znx6F&S=H>sn^u{<m;kU>|8M+bv<2H^qSO+W2V#
zfDOX=(Jvsz4>$nGfGu((ig-u*dJ!G>A;_#z<SQ6azy9IuNh7HkgjR4YW+W+oDu`SZ
zjMRY_xgh9Ck_2E7ogf$tmt+6HHx#`^H|8nz^&>&y<AvdX>hOLH3&C^(=h>>f&4maJ
z4t>NsO5Vd0|1LV_<@Z%S+Ydpe*};+kqG8o-^qXEpSctC*fn_cGk|Z9ATgoisfB!Fz
zp`LjUcsLd)t1b|M_W}u+5&{obUbs+1X^t}@dBYFy<bD%4>%A8w>P&>fu;HnQKyr$G
z?vLRMOj08jt1KcA*hHLyV?Ft7d{=G~Ks5<sf`2$-f^B`{KOn$n8-l^C1qzXnQmJq(
zLGLN!_m#z-BOjx4m;-??HEUdEo$!*PbDMP$<TogJ!t(O7nR>Ax==VrU$kYI-G3l?|
zU~_brQXz6_{zo<Kx^-;3qzRP{3?m@~bNh&jLr7A4A<N#BLE{+Hr56S^2!@)2;o;&f
z(qd+iuw4QnkbO9qbWYLbCM*gJ#n^0>*i<8l@#wdjL+=f)2WKm>3dn9cmw7sPr1WwU
zVOw5zoeVAA2*x=1jb?C8MmAs4;#U!&;&+W2W>;<<#&`iEr!WP{il+gx%X^{mgDg3A
zSVz)Zt=|MN)Dk|@H7O(iL4k^|G+1N<zde5#oXTeJ+QZ4BNJNwcXTGN6h+zUVLR=(i
z0}@2+kxi;iBx#kf&C^Upr>Lzk7er|k)4e-$BANKZ))DER1?$?0`_heu8@V!G!V3$F
znGsRmE+M8CKyvJuOw7=y@b5`5>bd<S7hMx4U{X9FurV72n|j78&Z;GIM5n(~KoZdd
zqEzCb)JsPiRz*b)a1XMeiY22ZEm689N-7TGS|B-S=b});cF!fFn7uZEQ-o11A64Mc
z7?3!_<Pcm)9oHe87fG@x2a<^49lbd>z91xofFfOq1i_<80GYEu(}XnC)zk@WgGQF(
zD9tTm0Az$i(;!OpVH_k*0SVlISIbfcoKmu+tBfxvHhxZ&Z@8f#Tm#7Mdey(n=>>Mn
zWTR(?6wIA?3Egslzzl-t_~0;fFQ(klA%0PhLsJEHvB#!pXul;ap(9Ai(c~f<Aa-Yh
zmQakujDa1cET*SqWC?8uh)5lws36TCa^F!)C|HDSgXqJhg@O^8+`x5Dvq}+aXw{C0
zgG-Mm+F-7Zi2^z!!m2c>$+SgG69sg1Z7V>i5Jnx8STmO3uD{(QgcBZ=E2E9KD~F8g
zbBy5&n8S|Qf<NO9fvSYY^^PG^P?M*`o(w{!VvBv#46p>4v+=!vUw$e`3n1P~jmlL1
zD9)T3Qo5PoAH4o8AR`AqfJUJJ71FF>4lgjN3bBZ4s&hv&n4;1)O%%GuMja1`J4YBo
zav<j%AsrBL=J-U$AmQ!ci1b0hE5Q(mgRk(^gE^$w4d&iUDWs6dz5WzQDL<x8eEJ3(
zUj&LmRk`^|@lj)+#wLo5&>2Z$q70<B93?M-2Ea%hdRe?xNC%7^$d$?rq@+FRxI>pZ
z7Rt=EcEOaECO~8d(Q3-Dfmi!lt!f25DLlaVl9X)W@&qp*(u<fQ0;Ww0f+2{p&`BDe
zw4lc^o7dMR*b%<qMToHptUS#a&W+wY!rvyGE$RC^nnPvs&%oPc4jGK@f>9iRigH`e
zfW^1o;f&D^C7^euj2W9LWtR~$34h%n)(T)!ftKYI*#T-A63ZyKwM_Bp$2y`v#*h$r
z*<1`f!O<~cq#C>30m_-=0T|-$HbqP&D4})!8CS9aBwe~;dICo*kWc9f09>hZqNE9V
zn3F<+lbVqojTBslmjr~g=`3hrLv3e)jH16`<4nKZ1Mx2f942vDGGIn0ubL!JT`oY$
zp?H{WD#ZrbIBfm_+Fh(Ai4_GM8>Z6UDpTMf`QRcVA!qe5#1C@RYtw!rNd3xzr5U&o
z28MEqa#G!E6~K)Mnzx;XX4e>@1k=uf-cOgwZj(dKQt?m%W(`4x&VR`>!o|<4F%!%S
z>CteGP|gpya_|E+G0->wA%H{{8v}_tjVRMpqcl$78WcJe12V+vq7QLT33B0Wei;}t
zXm(Cyk;3O+#nzl9qxp-hsB7-IGw&S^$d(_tX?d8VLFP7L=v{(D9;2YQU;tT+0@X1a
z%6bkV_d?)5GVt&uEm=0}-{b{gwXVA@2CHwRo+mm3I?Wh6C=YPlvCNounH|WoJ$%;$
zoMP-7zAYgRIE>9UfSW_r1vV%~Gv*bjO6268lrxNELMWXGJy>L!W?>I-cI1pb6iFAw
ziW#^?fI^5C#Svei6hxScal$x-aclqm5k+?dgqsl+L=FL7#8sOP5tSm95N74MR67Ei
zO@YGFR9h&6J`z>ke_)WFxkUI+3=O>SZ>l4=U9zLiTh9rexizLhfvmIVGCwu|@QM+w
z@e=hX(0FFWPkZP6COzml$}3ZSML0?9I9c>XXwa&4GkfH<3WNpNG`>H!2lLjYBrGSw
z3&F75>OnPx8q;~{;T&`rwDE>o9^-xF<#wJkAu?tHt%+2)Hpmar3IQpIMj#$gnpwHz
zbQ|E|Ohp#V_`n&A82kJQdYE%dRX81H9beS4aubW~cp?`h{A#9B0~ROm(I^a`84C=?
zI80L8#zPpne{n&yFx2oHHHos9pemK|_VPFXB;yQ21|U!dX}y76sLXX5aE+MPm_ce2
zpT3iiQwkLu$i58%!?-mw$AB<2W{11@Uj*D?2w0I=V-U3K4uhh$o#G1yR;C;pP}-M?
zSUJ!?mc9`=WH55hd8FIJ+Gl1SfvDuO(ao@gdl*hOVd$I}$TZSJaBKzy6af!OP$c?=
zJZeu;Sk#`Njdi!^;6<1KSuu%krM_u-tP9U30J3jjM0|S${sbE&htdpLsip+<4xUvj
zL8P|EHrBSy6m6luIP@%&l;ACZbm2Y>1A30*=MkWlnA1`TQ=P*@tDR*yE__YYNt7Fz
zoeps)hT_Ggn4tAE%l!c`;JBwVn7y$%xir5eSZ@9*w0yv5NJWCcfN@~EE+g#h@rgR|
z1%iMUBRuKJZ*y*0s$Zed$tVPNJHgEqzY~th+QqU7v;TdzXpd!;(I81i5e&kC@ipvH
zxNSySnyGYSjs0*pzP!<oybC6StPv65Z8HP-`DP{gj}1J9=b$NC93T9=WWYF&z>@!u
z_=n5z5^Bg~B@BKuLIX(q<~;E-k`^wgOrir4RFst^is?iDXv1cKRy0btL<$*Di{=1K
zq%d0M4qJ*MCZ-Q2+KQKu<1&UOSuMg({QSiW+NW2nneb_A33=z9$=!*zB9c!8;W-FW
zbEgQho}?DE<tmwQ0d@z<IH-g{PsORx(^_UofIDG=3KpGAJO36;)|XrWse=R*DXB=_
z1&|g|2QdxhHZ4)^qIDwRaenCd0O9J5yIm8WsGz;9IKi1qOTrGCt4Ma5eIQAJf&8Kq
z2Mc!TfmhZeb)JJW5eIy*5jG9+5CBMq5GZh*?Z-%MaUACGGBoCB6tSW-6+pd!X)%0_
zrX2%AtX%L;o(?8r8u2a?WcjoVFx4NIIvly7Q4d2w0`PN5=v@9i0A`=#F&3C9RzT@r
z4A%0(BuhpWD2oskM}tzBVO3Q#M67^RfKHfI9Epy_NY;(PF)YYHrCkWvN#t{_z=R<}
zO_8s5hfz2*6A`%r38BG)L|@dr3CATZ0%|E0PCffbwj%bd%~(~~1bn_!sm8!)5O-4T
zvg8+o5nFJfy19oTBCJh8$zK%Tqvq8lR9%478F0E8*yEdq{Y5vTSDG6!9Aha1PpCA&
z@owGu+f+9`oqIWTHpk+#!{Q0iIR#kguF6x15n<va|DBm8`9Fq-$t?bO8_f~Q&Ola}
z%s8_uhhx+rImja~Vn+e~KmY<u6yG7!RbDy8EPz4sfNR!@f;1ll3`ggiqx#|WAWj5^
zhY%t+GFISW?-u=u<)m@IRL>y}DWgotP8nesA>6W083;j!Qb&r#Zqt#twF(spm$W1%
zb|%OZ4bDOJprD0@jTiIW0CK>7B<TglkO)#iDj$I1G3e{yn}_svUw#cZi5MSS5x|0C
zyOe=Y*@+xzFB*U%Mgp%3_3$RqV5_7km6<MgPoa-9Dtd(VK{8^?P0ZkTJUhmsy%P)%
z6DB&M@e-|eY{|YI5|yAnTF(>jiF;!TQ5xE%7PwHKc;$qVeQ+{3IcA&8#^SFgU^BTK
zmJXIE9jW6M0{dXt?Qlq_iz$gBcq7a$S|(DcY1p9_MXOr0;2s!;i42tlNVl@~9neMI
z6i<M!p~t6^p`B`LkC9A9J1z7E4fFt#F$OzJ!_ysP-K@aLR2V2k5Jjxk#bb(bLOHQ<
zFy1)c=M@sEz>zFY9eM+n2UN()g#iFA*^jg+^ksN7ASNT=vT^FDP_2l?4iTd0y0=ff
zq3$;aL7R3wQM?^Q?@RKQ9@yAdP#@IWbQ9y-A>k=Pf^CVv%Vnx5$+l<)J;glBGy|C$
zIrk(v-Us+JiVYv32M5+^z*k6^1HC+w1GOYYO-V@Ko5K&JnAN?s8VTt*)Bu9R05?w@
zRu^CrhhAK77;Dh61aOZK76S`s6!d{t9SA*kgWS^Bp-@0v7%q_?SC}OZZ&#^2OacJi
zH!~Aq2&Hb)ws^9=#)rEXLd+vq*-wysR2=SCD+Po`S8=LKLb}JKLc2q4<=5@50YHTB
zdX`}Xv4eBMCy3?YJW#6fbP}ZsPT&UZY(-HLq9jhb1@J1vNSErEf$*@{+c=<E)FXNx
zQF=T^g=<c30>n}n0D%oQrBHTph-VQ*BLK<-`31nSZi|sM+&nr|Mjg=sDXpN;iX&Cl
zZNv`MBTeEbEF{RNz?f_pgnX$D?NEA#0Vd%#FeubkB_o)g2-))hL*#}ww+|_hoy;T2
z#!|#Hm{FA*vLC2HtVseviR5!z5BdRy(1b5t&Kxl8{7M<LQS~V4qUEamx_am%#}@mF
z1AkQMP;PPol$4G%7`m4uiTV-Kil~8tG#$@MWy~|KSD{&+94xtjX>EI-F-M<o40v>*
zP0)EcGFK$cI|(FAHJQg7nMV=DvBE;mH#{QEvr5ikBCQ1>MQlO?72<r!Pf3{&MgoL-
z&Vh19&{D2}p6JKrVZq=Ze_~V^)Qb3~D6uZd%|h^lIj0`xh$6(sq)LCtdgsQ1Ix!l=
zbsaa1a85A@C>h}q>J7<_&I;#Jia!Bqp^-FNc*>CI2`cdM-04y`9cL`ek`pBNjJk2Q
zKXWaLFGB+(Tq&cMTo|v+WGC`c6^h6JRbWHOo#la#4~G)x%7AdF%Kg5h2KEIXVg(TL
z%uH)K0eg;fs9Z4YXg&CO5Nwwj%61HWuY>N7H4~~{&(gRPlCn2mXeCR8S<AB&t_b9{
zZ6mC-S;!hy0?JyakZHwBU^L2FJQA`HKm|&uP5_?R31PC*J(i^K3&2lMEXrgaC1l`|
zjD7Q3sXYOx3G4KNW4x<K;}bvwaH0ZD9)L{%_k~J1;im$Rfj$;pY0;%;t_=>7pf_g!
z1L8(;k_3$GfPu7g(~FKKQ)7-dxu=11=OJl77mAeI+>T`z1e9oGuy~b<w&MvU8Dy3U
zG=}?R)RazQNIqn6F;y%R#Xg50Njk5AAdd&4p3_f$Wi<BVr^L&~6yZPZ`yAap@J=%X
zcN9<yRL_yPvYJfi98h%}5X099z>_UQB^#2wN{5n&sIL;WWTH=7NisS*Ltx)!5h%<M
zw?j>x>8;S!soxmf<}lXpvU!w+n(|R4($QQwD3U2?t!$K5%s+mJp@v380{TkTk;0d^
zNqt^^BSV%4qyphf*aQs@FAW8BVnD`e0LJBk=>WNq@zESWUT`?*i{LAh);2+81?G6h
z$SNQg3Q>Tu-Klww>qrc3a+<9l!E}3Nn5{(RK>v-MI<su5u~W{*Jr*sJxOUR^QSf5|
zCoLd1>=TtN&N?+|=WeM|v9dZhCtE6(e;pP9GTC_$zJoJ~$%N04KphZ4gn(BPXEgd?
ze2Ikb7r`D~(6O=~Uz>ZOBoGNBqJdhm2|XPj^qBp%<3VPNzN1t=Rksm`R7S+{374Bp
z5TcXidIY9AbV7WU0zOLe)%(y2cNgD!Sk@bB$Sgdo4wk9EhZ`TooS(m_*or6Q{hmh0
zifT{Wi0KTtBV_%$%qdD%{Vsih<M^d3M3c5HF0r30_Yx}<AsQD1tWfFVh5pEjLA^jT
zQAb+E6{Sn?pbv@`4-y{CM9z~5Ko%%klt@}p1Kde~$f0P_A@lSTy@FsOC|^`aO+7;z
zg&c{YO+ZYdW}riXN1R4LuCXA~>@1P*3mUgVATnD+_TqF9fTHLGSm_z8MiBlFlG-17
z1b_yx1JWYO8uSSO^S}=X1(Z1Q2>=h^2fpQWF!BiiG<hPOC6QGPc?8yD$e#uT4LFP-
zh)+v_9QUr0IZ7udA~-xrNV+0O4Dcgxi78%$l7}D$1v05Fpv2C^0O=f6B&ZQE=71h$
z6iGz>CP<(Mr-bT3JxPr&0HF*_q^D^x*9OWf;H4#4ki?O(0q0p2m;;1g4lfZF6jZhk
zhYalO!r%zTd^@dYX9H(uX=hdqd?2j&ce1{z#_34fXkTMDa3VhVcb%Y!8{yRCjXTYz
zVIxztD0HVy+CgMt%0l&`kg@^FL6vP-O92?ohjgoI+p6l!s_MZ>6K5ANknrPw>&c6l
zH%MHrQWr38kYiU?4zNZWVc7b*wi=qUs(P>*#UWS*={*$nPBn@`w++%%Hpe-`uU!}`
zICpBxqY9zu1X~U)k&cRq4#8;9apG5*CSU5yVA^UpMMh%dnqxk&D_p9TovOA_(-;C}
zo~pID(-ZA7;EEJAN!g>SaA}MoGS;|^O);BkkBu^xTt+6C`LxICnO8;)F{NpW89YR*
zqpB^m#HUQ6aReJd$g)RC#at2OW^}woj_H&^pyIjUL8@i3WH?JlRtA_x10mMh8nucV
zvN{^ArdW%NHQK5wVF%%vqZKe4fK0)fLb7EdaUgDinHg$<4Nx@z%?#2L$lQO45Hm<3
zp{oN(Ab{DHY5KHT`m!0?t!hC9c0;-IbxZV$PCpYYXz2t<*$$kf5g%kbxa=@bvK)+?
zsw`0mL9!f+R9`m}a0qx#uu(Swm;~Gzq$NroA+pB3kl?)CR{9|p?1xw->d~d@#wF^s
zXcUCp8KmS()h|ye3Ai&!NXs762W=xw-;{(Zv{^OmhYuzGqh^qWE|9naRnXz&yu#pD
z*8_sGy<6vqEvbRkd0w-bUa-kNtoh;stt2}WC)Bk$lzA>%V=V&+afm_mW(cMZKr(oG
zBKnHJBAAd0m=u6?4l67Pgs4Hoh&hD-ubPJiB>J~Z5L!w@sj_`#@_k`4eOWUE1qn!Y
z5>KgSV<_S@(-~*jLo0rk$Re0HwUbVf$&zE4-XkIwKqp|B0dg?m#(9Lmtc`~RB>J|@
z5Lm;5sZxDr5<Okf{aG@^1h`mro<FH#TPV{RrLwOQ7dWyMc!{c+Cxawtv{1sWQgiZ!
z917?D<PptgIzEK(FIsw^K-^`m6`;;2@^NkX$rUnlfg|<?jWK2tSSc#a2bAX``3o&{
z{HR=6m8J)e0j*9`=)5i;4PS5dr*J^qfw+={&Rbvd!gNpn3}Ix1qng-uPMM*@PUtf&
zOCA2_$<5?%ZPSyg3y9Fu{1R1-?SP-X*QwK8jDR>v%p40ylv_-#X1V(tV6_ZKE4LYk
zI*VeZCJ!*&pWP>lc}_r#wljj#ybCbWJ#zj91xGdjO@^TE5Gpv^Jp*!@mP8wp19*W9
zkU5-%BNj-XIzYyiIS<g8hY-ZB(e}mq8C7EnX@kelrM#<!T+EL=Y|qrqqO6de2-QU(
z%FE6|c@@oKWhq*nXehR169;)Rk|Q;u8Px-1%OuSplXB!UhrS4tS_3e>QehaY$96{~
z8WaYm8idJo9LkVH(8G(L)kMS@2jvKjc=6JeuS|<*m5J3Rp;`Y4xW3tE$L}<&iMs}f
zc5>MbWQPe+yLl1X-hHKey%){4t|L<5jy&Z8_M=mv+66=WqPm{r%pO$*td)y$GbBl;
zOX#N$y_8-tL_2)jUj!(Tmy_5fV-1G|5miw`2u6hw2&vgnGi4;W*Iri?(j?LC`W_PH
zC`q!Jh(a*7xfxKTON$V;k8i$xTR!XB*FvA%B(_vGs<dvk4RS8tvn2|=iqixU1UJMY
zV=5?hNB2aKqsz9BrD|Crwg{n(H>+oCI`O;^r#@m5E->()R7ykL2H(0q^YqRte=!4N
z@=Dk06mx*W=2NxK0T1IM5Eb?Z;YT~rc%yFPQXr&9or|NP9Ecz|ROOUc!#4B9?rbvy
z0V3jvC|#@T1`u|KsqIKd2I0z=?@ULuTcfT*JJe?jwP36hLJ#y`%VS~Q>fqlzhanP$
zltYi1mY&^CeHA}l(2cDWys}cKQ=wS6L?f45+-f!ze^4TtEVR^a$jLwh)N=dOe?`qT
zU<*DiPz+J?7SnG`47gN{5`;W##kpz(#H1q`*Usw%x{1J0rI!ZBCN2=IS!vif9YG@u
zS|ZlIYm|KTOYK8l9#m6Op%xSp%2z(x+TbZr5c~J7D5=&mtDL_qZ;QkOgbt+ZvIPb&
z2MjUs4ioB+`GBsz5oxO@qL!5$Z?_8<`4PQh5hm5{x*DwBJ*KQL#^7uuk&L2L<q8(Q
z0*8pU^1WXO>(sBB69^fpF^$jF@Vh@NRLNyNeT9(8Fuvf<L|K?wLK(9e<nSc%lz?Vs
ztce96Ts+W!YY>p=WD}2IX1Mdoh(d!fi(qbjMT<^i2B2XmhdlTmgQVRocHF=JBo?>D
zzeURI!U9kWgEA|{3$8Z`YIHA{uht7uf>@(+CV)_BvO7*AnQsG1-W<Bn-4yZ#;82b3
z=WDVPi=Y^P%)#3rAO|uFH+(Zfj?)mVK3EpTiBdb4N8D()FPBlYh`~wm;_*rbkPu)c
zqJVCB_As1yPEO?!N+`h+SEvm=iY?)qjN3)8-hJAlfNFLaKGRqtBPMZ1mJtb8FMMNe
z1t*juuTWs4AbG#yjNuT9=hq8?5PoM5P3)THih>a3CQ>jsH!i(%FAXjOzj?N6Ae&k8
zEZt3Ec-{L82x9Wk2x-g$Su)%I6b__SV*6TB+!cH_c4P2d^Q{<^vI(iyi&X^Qy(;Oo
zWeX3fB9dY752-i>9;Ot=WcC4MJ!uTXdk7-L&O>Gk*iNZ%(w12m=As~kYFqrc6Ho}+
z=8jxt%@Oe2h0HAky;^Qu148`)5g|2f`RE}%){jEg9w2t*3S&TLmlRl0=|!=pMVGu0
z2;C$@Z!{UANG)MIu+k=<GjlF7I^mzmSb}P-o8Dzvd1O}V_1Z6r){ElTBK5-Tik0<5
zoS?p<UO6BX^F|b5mSe+rvoR+O_+A=Ep9U?Gx;D`0kkCZZ#nF6WM;bJ&BIN*sl<_lh
zi$O=G+8dr?t|J3?)|_eoh65a;P#u?|cEB8fk>eOfQ*mr}a(7}qYE9Mg{6=anMuzPs
zVQy`S(Qg%XO-2TQz927hJ(x|o9@&JbGvN@X){phH>x#J|HVoz?S}6M7)Sd!akdAiH
z#tolukWRypt%<-oK|{g8tZ2qT{yhX@=R!2IO=4qiwby0=lxre^URc4C%0KJHfCL`n
zu*zV-V(F_k^QL<KNP0&D#DBYlA|{JICM#`I_{r;IAP~sYEPmR;tr}duEz+%=K%Akt
zAI2HP`I)tDa-q|#p)0WO3lYXXVbeBR)re7GK?x=uB<-=M(CbX0LEL9bvEjCAk4L$}
zToZ`s6uEy?oFnoc<$20%{G@a04K@hIL@~|kDWdQ_YL}oL>;gn3W0MTil=`Pl*D)bX
zGi}4d#tVP&2w@Oh5|_zzgG{G}8C+sF5ks3@bdh?V`VF0?BE+y%$&TW9F66{*mF8rT
z2IN)2Ta)CC%Hi8s0%;l|PSGGt<M30Y&yN@)2moF*Km+C;w@LIh$df(@^#4wZ`3d11
ziO}NL|InWFo+SWm42gJeb(DE7i3R<=s9e04fsBdvXlfR3ConNY7Um(8p`8*H#x6jI
zS0M%yhQ6f23y+XsBO`nE55ihJ{X=N9jKjH#EX?8kSt{|x1-qcWUDFFink6S;hS`Fi
z3w5(uAP7W}6FF!qLQFi4FpEr=b2S5|Yy&;R3w?4r9S$@K0NjE}1iy@*&Lsh$Y+P)!
zq<fwH()c0?HOkqOfLZ{7BblH<5Cjy0hDizZSek%=gse`8MUoR}{2+KkP@zOG(x+h&
zE{ta~g9cK_OUT+dZT{MEXdvU&#mqY8s*aELj<_zOrJRx*x*B=8CB&3v+#lk2AbTe(
zwj;)<N|beBp`ES>n)vN$(bHKAMenLa8uiOE4xgd`@UY>m8e?$GAW~MtEcC<%=F;Bi
zw4Yiei~|h#zaAf{S7HWJh7q9DNxB75Fah}iX*9Ee_Z7zIOtp*_hGa73Ajd~a_*0VM
z_7lSd*ytZoKk5vAac?XIaDVJRV@<9(;ZZgo?E=njx_pn#x-3X(VBn#gr{nPy@RL_Y
zN++Szqh{%k7MF*y8Up9$dxtJe(xZ?)fpbd->x)?y4g9u&f_WZ%rytN}EbcH`B119<
zg}AnyBW6SMIux;k#9u53=r$n%;xSzbk>nE2gw}q3Wiel0QmR)+tnnBZ8o`Sg7)D`t
z4^zj)D)E2zXorZx@NyY$ab_?nH6$`hR;TbyuLvm}%~Vl1+}{Zsq=bd{%Rf}y8d1;2
z{-Jes>b=9>tQ76-+xcLc+(|T8AIyiY3>x$_a-i$-7Jv{vU28Pv(##DDRIrehCXz}|
z7?2lt?B-=KhHE^^Rwzn9f@onSBrBq2&NC3#XR{gUXfUH(z=J9f^WO4y6%j~GH!DMP
zP2(34=%|Vm0zJBf7&qs{@J=$YbVllv4TU@s`eha^W%g<Y?86UZ`nzHj@cxXhCwjr;
zciNmhQEQhsV1)`g&lQn`IxUe7*$V<ybo89e-8>uK1v<B@hM^$D*{7;o(Lc6}7!yUl
z4Ag)pb6~3|a<nmRo4Tb$n-KY}N)l|_blR#pB%DaNJ(GyzrArc}1%aQQjqj{DbR`@i
ziJwMg#Bu65Dr5mcI!FI$fXvOzSZ^**!10=adl;&P17O&Z^b~;{GYJAiEeJ&9)DIQf
z0El;fgH0F9x!MPU*nkp5Owl_e5C@al_zbw<4pn&s2MtDLFUG`2E2rojW{-CS#I{pB
zYb#$Osln3R^e7Ev^2zeih$99rK_e3KRUAhyvS>>84WdD7Ve!0XSrIW_+b5G9c$gs8
z%J%~_5>5Hu;g*}&m@4kV9(Gl1mq(3<B4Uxf#5g_CR)|HkQ+ub`UX><0Lp%_8TuiKn
zxDA<7{#NOpG=_kaG5|RIM;#0mc_I*9+K>ktIUo{XjUWy%Xvo2M1q_NE(oNumt6Cb%
zz?sbQ;K_1G(7sYt^$aBUUt`4VU;ss070_>G9O@}7(Lgy*IALkDCJRnITPQSuke1~@
zkXmKk!C?t7+p|R>aZ7Cxj;oy#M$%0Q6KK2Z0M`T1Xc@Z7fh=L{rv<YvL!o`YD3GZa
z)g{!Qg|cv2U6+nRY1Wqz1J2+D2z8*Ouuu#$A7eaZC>+a#k=li~biq>lL~43V%*doi
z5c+%r1h)2rsDLz8us7nO3H6*n7CpgkivpS=iotbg8(MVxlhI)yfwm--ggU4^5?lsl
z@P>ixT(5w*ko12NFcmiwL&-#5BlaH<be0}y#DN|o_@M)62s0xxC`5T6)!Z|o03LK9
z3Ug+pq#wdk=2-F0yL6s0k(UqPiE=Dj%}F?50=|KQK`QoHMDHN2e;)VbTm1#eUhu(u
zPWV}Al7?uU>f9U>xYZD(+0_E#!pRS)_>gKdL6%zY1nLK-<pnP!MjSPk@S|ZMF0l*&
z6_Ow?yitiHFQgq}=?4P~faJ^XvvJ2I^yj-Pe(X@r_RlqhFwxT|iJUK(TSPXahiEMZ
z!(O{<M^kFZ3|-3bjbftUiv&}3&iq^m+*o!C^7Kw}&lFQqZGlz*OLEDB_oOW=r2Ab~
zQ$e1;@L(IKX<ACc0ZyncEI!l)1_}+}{`)I-Wi*eb6`I9j<<+>bC^HG^QR$FsTpHyf
ziVP1x1o8lgo#6J5QG0Bb(w$VO*iW}Yc!k*z&3FS@U6lj1r11|nnod5nb|eAuT*ZbZ
z<IX1njp3r5o~;qg5W{Z=^@Yp{#%Mfx5ujYKdJ(hF+|*iPPG~s-l;*tHC*1R0U64Nb
zv!)ghO#$<!!d+*@0E8bwW4T&QBx6B6<0UX}L7;AN+okJ^3hMZ=%A;<lzIm#tL~ap7
zVtm6+5(GUWN~=s>0N&~Yj`Xx}uz4219T750OlJh$+!j0Wf?8Mz9fG|&K?V)c${1Y0
zLv#%2qy(lF;vkHvvq@2k7+f*BXdnRJh@K8Bsg(VU{ZY?SN?~JND++d|3Dhl#Y?z7T
z-AjywMNwmz;eEbkFz-!LWCH!ks)a*_69$y(p`(K0d+F7k<Rk#22x9J|K@t))Q~+Q_
zb*Qt;rM@ayF-{)rk=llA^pvbpB`z5Cudrkus|=JY(7)unOt)GzC_TFp?*O|89swqT
z2bwp17RYIDO$itoQfmF*mk{5OEd1UJ0vsw0S5Tjp_a-YtT2m1ocT5N%l<<wg7I4Q`
z9vRaJSSc>69(i)1)o(;Q>Su)VEfbUm;Ez(8udgf92M4S+Ue~lk<Y0k~guco$?K|qC
zq}jJ+$+O-cP|nkUmoh&aEnWF7njV{snM0F~P4;CfV}neF)S(8*xuONtTMk;G**8&C
z7U*unC9=5c8U~D*<gnR<sZ2u$O5tAA1S+3G*QUd(%Bw95fIJQ0E-pc(r$~uz$-Eus
zHDq)*Nnd+%tP$ZcTKE`{w>l=y`-5dzB4GL7GPwL9=L{!W0k(MQ0n==0uAmu7NdUn$
zD<(s((~v#dOw9}EXm*+}Pd6^k7^);=je;>Y0!_M9JSGiJHGOXMKd2C)FsNyXVt^hG
z?p5xFmER;W_>h7$$l*tV5=W}1a_$2bryW*(wJ|aUsz7Q?D%z!~=Ng)+qfjjaq)h-y
z?4%HD80@w49|)$}pDE$5BAY1EC*z*rEfGKgJqm-XC(&%BQ!=<?H-#~Vurjnd^V~K6
zoKTMdO7KUWmn*7C<(b8ZgglN!%-Efy5>YzJ<~-txtR^xFdhx`LU>vBOLxNVxzs14k
zI9-(V9|);{a`CgBea(2MgBhcAo>XpT<qR06SACC_<Hi#^oDq9EJ$Ykfr(qHUorC9u
zZq_NuTGU}<C8<Ie#1El(E72|xdsnSTVT7&>vT?pT)}mwt0U8>k7K&*E7!Z@-G+Q9O
zS}5p=pO8&2Wh0)UU*)k4m~)#^?+!t9&F1N;?8G@?f>%x=C8k_K=@(Dg#(~gzb@?`A
z!AL>%OEiSUCWL-7B(rZcE94#VkO5dZU;0Bsfn*;J??B&Y7<4<l$2n*%9ZlP97jOdB
zy+-IUcZmk;vJ{XrL?f2x&vT*B-{?p*Cb`jcHY<4v&Iwz4Rn(Mz2y=}Hc6`$(znWyp
z`arP?9iT_?`#WeGXFT;E?AQbpKe>T+h{&`a+FonN5B<BdfgrmErzPt7vvUM}g@?zt
z+zhh~TtQ@$<U-8H@u>PNCBnc^t~#U`d?r@{xKd<2@$R?mB65tOZkF8T;-%<afuYZk
zY`+gCds!#YEXW{cm}F2$5TpoYo{bnv?Fti<^F)Ink@?6pno>A;)L`r<D{;_p4Q;p=
z$s&}jH(0oxAKcI`Z(X;P<+<3zi|WLd0%EU0VacA#tPK%Lk0rRhRwO}z@;OT;dpBqj
z5;tIvIHl)F7No`oJg)J@=v1E?=J1$e2r4(Gg5g;dKDb1b@n-`0Ozim#X{dN?VI9|?
zVi98n?r|7IZ_ARVpuNpfAxek$8!=}q<9l9R5%)$d{Uw7N86IOhGqhr!lW}Kukmw&u
zK_tg{By?uE#d)$!(DpUkYP9zT1KS{KFg9O#$qBiG?z#2O?ZV>OD?Y<9YS<zT=tY@z
z*4<7XCfu+Poe;$(AJrg{oaV_ce7LsPW7Rj4S_!jUFiKAJrPg&Z@v24xBm5`h>akH#
zd^<JPcgF1%mpsP5joK>=&i1D(*77_H?gk`nAKltVZ@lYgApe4~wqW4k%o|ioI5b-8
zQXv8pr)e8cGu6CAwik2t!~uex*BsM>h_@TB$5e(4aE|Y5t`>!+=R*W(JBUBAu>Ck=
zl6@YoxE<3b%VjKNovns%;g~dxBP2Q+HC=8xp0ZA)yR8>WYwAi@{<FSQq7<PHGb6W9
z_YHMmfC6tDW`9nmwR1Z&v|^TwHvWC4?FZcY`Sm$@G*s>8E{+hSaiO2J+so@T^Hal;
zMf0z~xJ|Z1k;nHY)`@|Wl8lGrGo2tb=w8tu{UEDso(%0dj)6JPmkEO^7%Jn(sg3dM
zdU=iX(^O^5hBGrxr~)!tfl=mPS)&K~FngGTPz$Gm-sbK>g0-`SpNRFFLJ3T>q|$jy
z)U(VI4&0_JNhfAgqvzLT?1V?HUwsKF=CdaOf=}DjVIppxY4<p;5M=||4%BsYC9dl`
z(%er82&=ESmKA|bw+e$nExiP$aW*t2&~rD02HoMJ8TfLOhDAWUHN{e#1_&_zwt-I*
z1<3WZ^#rnb;-WC2B*adO(`1sOPUIG1qBW8@ys(`}>4*r%@b+w^LI!CB61b?19>cU6
z51Z1=o)Qw&2|VVX9o$qzU6KNgsg@Hb_sq&%N%9zhnMFFOCS<cXq-c6UhK|xvGD=WT
zJkU*KwvIK+Vhc(DX@{iBtH>^M0@l--VVY?8OfSxe)PssWhCZcu0#o@rR+-?@(D$hX
z%PDmjT`eAGsSA7D)yc;jP@g14_GeL5^+Jax2*EH)Sqw(1RzetT9@zkYn*zdY>bUjy
z0p`bQi8R<0cmwvlcu%cy59?fUT9mgN99J6@nxV-F*TIOwJsp~CTw+&=Lbr;BDDXs%
zrXA4yv^d$bnI>tLM_x;@p7woQU;N_6ZiOSp&3{k&PUwQ*c+5%yHE|JWvmJDrAe=s6
zkY+&>HG$jN=>cN|!E*Z=#$+t<>ZDdSI2@ch-aF`5>JV+|Hbyj86l@i7%IjbLDI|#w
zRoejA#j)-Bfym68cKRwt78)-UY`q;u6F7ZUq!j{ytZkK$Vp3*A?h-4^+5+`SsE&v-
zKY8RvvBbPVNx(}8kFA~pF3S`NP!Nd?+|+)84ImNFgFwYWIuYaDG%m6MfTPt+(~zV%
zwCPP*0KjB<xylc!O#`ScOi>4%9$+h)?-WGm@V?CnAVTC6gA_p3(XoTw_4G>5;0&?J
z1tX1B9~mu`qm@Vrl~4gwMFdp10HKY105to8iJEQ3u%Rl)o*$%^FQu=DwNiESGCR-{
zDMN~Zpp>Itljo%xW`^sY8cs{#B^$!90pz1dsewjNyXpZ9S_Kgp*+uFpy~otx@Yp64
z;9i};;Cjh{y^u~?lLIQ!dSJbp#?c&7N@J~c5JBb)3B^g)#HWD{0#nDu4A<509_4~^
z|95*G5^eAimipWqeImGrz}kpoAo0aa0C;r>dngIWJ{r>3BX5$@lOttB<A<8jEiu5n
z?nyk5k!K}jMZR}3N^;05`O^>fc#w5S+%8iHhzk%JA82Y<;4`d0+L*~1j&aoz4In%b
zBaCnnBaX}t>tV)nHEoHplcuytZ~*v5aRKtEoPOezq&8HLYE5v{NwFR^z&;ZpUPW;h
zHeV%<6ze^hKpgi4PK5;p0Em+io&xP!2h?P^0L&*TiHx3zR8NtynEc7I?2zZhC6_TA
zMAb`2sL8T94o~|#%O?j$u6M59C<tiYZDA0^nzk>;j=!WkQaX<j2jc)Go@7q&vPdil
z|BM63QYimL35VB`I}CE5320vtoBnhkFN-!1VX3E-=#k~L-9Y+o#nFT1ii9|g|7@={
z863oT0yY!C@kRKjBvJ|T_p+6#A}*+WD-f*BQrM%0r)KB?NK(xx4YCa~!Z}G6*b&n_
zG&am(2*l1syi+MjBZGgIZZr&x@OPDKVd6F<?9`}4Mogsx6Hwf7W<K#Z&e6J-Bu#t6
z(hR7Kk6aOLjUWdBCO^1=BE1uHYsam<%m{FI5|}?6ff0Cs7Wws+JVF?93OI)E^mO#J
z$eU8zU?GyH7D$&0BgzF1wUw0kiujxZC55S$t{#3{Jl;wpKz~lhnOdIME{G+CGD#`h
zYm^hq6tt*@(DCA@l<%MJW$6T)9&#S(c$aSM(-xKD(iW=s-cMG0^`}n18$eJTL=T4%
zKZr(cwAWpB+NMZP!bjd$3WVVNsF5)hMfPbrRG;0YfhO1)4zgKqO-i;R)et7o3NEAh
zk@0UGB52`9ebQwkcdE~Kd)n7O_Hg|kRiv`T>=pAMzGgq1Tn}4E6zSwPeaZWRpd!iv
zCDRG8Z`4UDoR_@o9f99@OyLsUWT)RTFFxNzw1mHD*q&Q!NUTy?TcEBReTW<hx-d#9
zc>0esq@pvp1BBHi+}pk)pcRew+*ZRn$OQ2Vl5U53&~e20IUKPidF#JMUWLhh@|r5>
zMeW&2C%pyo4oxl2Vtot~dN~nU<?d@bo4-`rUdc=WeF0(pVQr(M0F2y7HN@ryLttWs
zUYdS+Nl-4Z&SwXwxy*7>Bv=fkZQBe2>N@~(%MpW$Nrlvnb;SjNP^imPwmxIPY5e(q
zrarGn1VKJ#%2c>tJVU+H=-_0CU9<(A?iLA?B^^4c-+s?q8~J6P>)UJMDhXo?$+THY
z(K<)4Hd5-kCT{ttTJRtN4}4(3l{*CF_TDW`JeHAk<t*A-DCmKQe;SF6I^F5^5yK3?
zA>l1^qop(9Nz=ej)QgI$(~!@8jgkvx;&4rb3iGQwJSjMG@s9J};tlf<5Rtj+teKvE
zJrXrzk|-B(4;Qqv^s<hs^xM)v#T^+uxJ4X8V27^E5;p*xB}XJsu*O?cbB1l;Na8%s
zi(%)@0Kz`DTI1EU6XKKgrCv_{UjX9xK%urQNY=FU(coUE7XI~&XcxpAnax8p3fHF!
zf{e=jQPc%PcO|x)H`M8(fmGn626eIxkXCxI_qH&~8#&*g5A+61n0*EDf9!|7%Uyto
zq-D4%&{7x7NI;^P774ZF6!TrL#BC8ufCOo|Oo~T#tS;~7T*wB$L5{^@y+qp00@~CB
zW|E*D4VAae_DX<$renCu7|GnPe8Xkb^g)<@<T%^B5)(sV&PudQ36nr>jHShrLSkVK
zO>=tU)wilxSg6vJ%P;=Z4_@8}w5RP@I}Ac44h|wpoMQj3iKpN(0UtK&eVi4Ln>)mn
z2EK=WESd9s>=7;LguRAtz@z+t`H5Gi&9!I=EKLMf!)wd>!!DKzzA0FhDEX-Ao;<~@
zdp#{T>3_`pkJ&60!>U5CvAjMUAUHV#;lRkY&#Ww6*Gp;X#4(2Y)Z*NE=m#0-X-zNz
z`JL81`3U3J;*1k18SR_Cu^*{Pv78Md&-7rWGDdrCd<^3iO1sAy?V5)TnH$D?%hEPe
z88m6B*2u71$=PAAX<wbhzCWn2+@gX<%xZ(>78}Y`;!Fh4-Fl;%zrda+Iv9Jx2t7jC
zxjmXo5OPN|A=YI?P&<0e+CZj4P?{{$Eh06xU1S(bb^LLEJ#re}B9kX6{<LG9UQNxe
zajOaN;yI>m?D`OQmylq?)Td-x39)<&0}*m$U}*|@@C)0PSy`GA?zs@hy!U0$mrkRL
zJCI_2@?MN-`0^@&0Pfj)<4UT)q}Au0^%R_Mh3ivcMF{yq-<^tE&zT3(!|{a;;S)*@
z-d06n_QB&dpk2xT`n0pJ&J|iFBEI8AkwvcL=3oqaeiTriPZ2YOO6udugM9rX&2C-J
zZ=CX^c)Ti__nrl~oZRvpJLP&LdHG2?<`QR1MUlB83+ifcEMC$P#Hsj{`ZV*<97@vz
z{k6B}e18(bkvA6rQ9!Q0^xrFMVSxl>tGa6}I)BErO9U5BR#2ms!mHJam<iu7$1q{y
z!Td;qzO`u#3zG$qYAtqE$?@5VPdq<+O*@_ds;kL>&Bb;#vEmvB!>~HumtfRcMn*EK
zZY4Y|3=A>pQ9RfDis&bcGM9uCKbb65Z+GDE7+ZkQIGl|j4;CkqG6_{no)D(r*ZgJ~
zsC>X4@(;K~3|lqJ{8wk_8|`gB;+PF#rkg)+6lYcH$QQ$uy}z|BN9{{fcAdctp+=0S
zQqn89R@S%WV985c3|0*oFb{T!dYwsew>ku4EW2$o^Vj3ty#~4=Ys?>wh1l}p{u#wz
z2wfQSo=R()zY9@xx<WlPN4If?+(X6A!$GtL(1a%&-nL?5eH*c+Ei<Z+m|kn-UvdP$
zc6_so?mBs)rcr&xsJ`t$Rg}D6b{>X2@D2TpV7P&?is~_fgxrkTYA_{{ZsR(mf1c6*
z^V@YVFWM|L{!mCUJUklx<7ZEQzCdW2>Z)~3#|TjM0X)l?bPepSNcgH9NVg6l+Kds&
zWp_z5M-l3s$jHGAB)1TH1Ag2Tge*VT81K}miDiQLPbsh^s+d_|Xx6@q639S^T!#wn
zqNs13rKApx^@n6D=@5wq4+v(Sz~p!dm{Io$Ph|tkZ8TKm)=(Vz{-&*1U~bV2S?xea
zSE{McBrU0Wkw?Vz4*(oEjkREYKsh2IP^_7z;W&P;@bFjFu8+798W^MgL2Re{M_xdQ
zN^YfBW9=5~heIH{0$ZLr6kCT=C0<3iVd0|x(sW#IIuR>4i4>y>W-Z`6fa7v<JRW9(
zydKtr9~SL1Ew=!>X!(bKD?==ccH$4x0wLQ$h+{uu7|3InG?!KN;KiUrA(|Y=G#&m`
zD&pDJ-IP7fb8LZ)v)8zoFSpYM!>PPaPnj)$KAvYl0MGyh)phgQb*BJ6wBQ1~S<E3<
z7XYDH3}74p4K0uc0L!-khMS@T2xS+C!J*fZq0gQSXWZNdECL!2mH;HrlbDN&|Ly?d
zbx^Vx`YoB;jv<V_f(QiZF&1<Y3}%Rt%$Xi38c@sl1T-5k2xubk7(*%&4BbFd=)@|X
z)b~npH=@#*6Idt}PQDnjJvz*i((UlYhr}_0g?fbAzp8!>@B$Adx-(hoLYGn%;_qSR
z8gyll+lRzR$wL<@3W}74%8WIDzfS_FSUU2dyqd(Pk^x@`ogGg4@%X#5aH>;W=a&Es
zB6V|pb0KXy0`;Plw1)cNInfO}ueu<G7tad^?hc=)G?eRVQzP>ejXcmto$PRS`~xRK
z#Yto`B}lGn@M>fD7p-V(DJC0|ZJ_1}bR~xrw_<VF4ZPdW3qFUIfc|LSSsQ3sUJ%o1
zUxTs<Ba9YRjTL9}uOn+|t`LY7B(y6ko{BI-)$M;J3q69>312P=yJCcwNr}g70l-%Y
z*`N=bQ+oXzT;*I`a4$062#}~=s7NCy7<x_AEcw{YogRWghm(0T@zj<f;q;Jv089$o
z1;*%5uAQVA(w7ge*pNvg3Q~bp$*W3|7sd>O1}5+Rt-@KU0H{cs{BT1rI5Oqj0h`nU
z85f03cMafd!-!uN4*q7%f6S3cHtXPwlRJJ*J>f<MWD>$rt$>$4M@p{D2Ul3DRf9j#
zpgf>X-nlwMj#J+rjg)A4+ZT9$aXF!GB4mdbv3Nb*0YE3vqbt#oy;#H&&96@zE)b3y
z-ZP?vMb1|W;h7!-m{fX0z5S=(3P#tU5!_7IJqX;J<(zb;8;qW{kxAh?F4Plot(48!
z^K*{?OvA1VHRViIL9b#24aNeS@np;Y-ago#ZW-^3Xx+9{n2r#niWPyfglp4CnJ_rA
z&eDrKAc|mOu?P%na%C7iND36{L(+xGl{yJxNG4V;vJs&em=!=)^v<YtFw<sAC|jkw
z%N|63CGlV=E<^CB?w|Krf2P8zQ9!9O^ofW~i--2q$@N|i8o#_L;&=v;Lz^4W>!1=(
zaqg!SpNCWg{mYWc*tG9q=?ZM%`r>IZZ2L|^i+4d7m=p^+3TV)jm$qY2bJDMU8J~NG
zDG7W=B6j7~CS`e4wDmaV%&ID7B?{4D=*0Cy=_fcQ9YIbjvkmSUh{@}-2At?sr+x0?
z(P7ZkBP*wFsYIgDVci_t`E#IR5gk|Z!@xbH%f*ioN#USe3li^XXhw05%A-8n)>Klk
z$RoxE2gD3Tf|0}%a-954kd_uGFx)UgZ@q-8%7iXW8v!5?%ZJ^0Rv@IfP|ptX1pKC-
z>>)|be#$|~#ju|&GP4|?Q#*iZFrcb+x)Y!;kg-v&TdnN{cSZqrQIm{iY$Gg`JC+-!
z*HD%gz0$Jl0%BZOrWwl*BxE#%G?%<fhAz4dlpBXn_IAs=`N<{9-3?I8rbi?Yo2FDU
zvm1#fvg~u5C0NbZZUnvNK9+EXn|57(2cdP|o0G;T+fGyC6T{P`@riNiCJ_&=6OhVj
zdfEv(ye2j>%GW;zF$GR%S>V1{ovm_TXA&TTO<FYDpDh4Faw+U+G5tn(Dh1I8IFytF
zk^ltSa!<G-7_z@AiUX69XTy?!Dryc_1tMFF#IrD=<yTMgbSHNRMFhrU&{DWjjP%&-
z?W#eO>lTXuPgAc|u}+kv`I^_0>L%uF^n^_79f05_3(!_EowkXC_K0e?ST!4c$3XdB
zo53Csw*@1A)Beo(>)w6fm49jn+56%q4tDmhNue|w@nq095m#*L&!Ff#Q0r)O%?y``
zQ3}wBuO`6jfrk=mSvN0U{eV%#eOr1~5d*)RcYm&l_h_k!vbD25&`%kj%IazGd_KIM
zn_r?Z*LInwo1hL(kwA@s;W<@fP|lIw8T0A<d&l=}nxe#?@K!ciW(QGP7XE<#LN1?t
z5UWEixleyHVSM%%C%Jn8yWsqEZKDwfdH3_Cr>9{!cjD-n6AS4RHpqlDk<#-u_4w6d
zC^sNW^<Yw`TImvAt7-b#asqJH1WffUw%0gL5h`0KrQ>~?UbHTtV?hq|hp>#tnvK{I
zMp!KBzGyxXya}zsGc&A6l~2^&%=_g8f)0z0bK?zz$2|N$dxWQA7YFdX$gh__FQo^f
zbQRT>fzkkf$RbLyi$Mq|5ev2aQkx|Pcp}!L6zy>#GRRGePvD9R+7OnGfL|)HTwTCg
zjK%hexV&J63TcIhMr5wN0NHh$ZN@GiI$%_J3W<bfA68RUU^LcTAOK-$u|oifX3pYA
z(!`#A@jS9P9QLC<QYlH}UBu?jL~4<Y;CcSb+9aVBr@YEUkE;KPCaMKp4MNb3Zuh1=
zu>U4f639N_L<>;Qr&I|A7nf&**pF{^U3jn6@`j<Vz<s&g$-LZ*fDXG0mJJ5AXskQr
z+2uE()H_O13H;pidM>5L0s1OjyDv9EIEiIlPrgl@nwz6}QbWf&sbM}P8?3D;YVWdI
zjqDl}0GnQkDj|PV;Pf_#y;+_w4VOG)h>frnIKP!AN}kWqx7T0*T0!`HiF_|hMWy?h
zP2?XK`kP<h#bsBGlTqyhaLLQ7%sJ&$&2;A*g~AV)$^4wk@GA`&90)QN<qz)Yz9)uf
zh(7*$F<irDm~d>rK|Oqymd75s^5Rrf&`L@p&r!baVl~Xz&$c+6t%Habs;Eqc)yh>2
zA%vT512}`cCV29+^QJI8$!>wbYIka~N~n_n^C$m&1u$udv3sZf`m#Ik$71km;c79Z
z_hnt(K7Tc;yk0`7Y-0v~-V>7(w$`o_pFx?UAKWV4&s18qV%WwL+11@C{LJ8PlS3?m
z4j8<Qqw<`4MubOK0h;q*+*+X)338dLtCmFf*vJ>>xTEDB#D)#xm`-j7<4p534Be_K
zo)K7u%K-Y6w|7U!L>Z6o1Om}g{3keX+-4M@s&!9~*wyn*P{TaT=CvvcH$Zbj#WxxJ
z|B!Q*FlwGv2g<rK_-4<{l{R`@PHb=vRKqGcuDX>UWLm@Vf=7518-wHQDc}D2k`k5G
z$WCev%kC7c2OJOq;-7$u&mJllaw!%K8!U1a4gjihL1Qd)5FsX`fc5a)g3O2|TJ(t)
z7|UBoAdc*j`g?+CKp1Fw0pkGv*GHp?@L<O~zBpr8XW_kQ0s=(W(bzCVkKInm18N{z
zx()m?qO;~AbwFecKJaZ`%+YmZJw;7V>nnJkOlagd79wuEFa|vdlnx;OXP(ADE`|g;
zhDF9rKWC&l*&kHlvE5mlgR4Hhe^n6AcYAQ*>baiaDw^!LxwLT!-$6OFO>__qB`2K9
zQ9W_e#zqOYKeH~g%|<s`caIkNE9|~r*BEC5z&XmW&%DVw>md>lI;0GJc0>W5^#qvI
z6vr?!F6^Cw%E!m|dZAMk>6Y4K@BjomS=fNA^WSw~3)SL)9(r^Ee~MkbTG*WFMuP=2
zveMN3><v*~a@#g{-cQwZWbKc`5zu2j_!x|Xv6J|b$U~YijQ7!}q9IleK{o?UKn{^K
z=bU_|#~u^2*PX2}1rr=NomNCg^+DIPQ{dX8?%uNOrd&LZVcro}IViHDfK}V40CF*2
zo6&k8-Uz9J8_8=)W)=<S(*_yqC<ewH8R&m2EJ+^Aw`vd!|1)5+P-?pzgnjpBp5EaA
z*bt}?JkkB=L<4K29fL#v(uAJ=hyS#VKxP=g((<`@Q>JOOE31~wY1k2yil6u@au-hl
z?-eQZfs<UG-a{r+9O$0h_4fI>LC+Bj0|6C^w7hJ{ZWrl5Xbj;Ac^oEY^B8snUTjLR
z>DJlfcVHd#IIcI|)B^<=eQTBu5F>H);E+BFGu5eTx5kX#y7Xv+@Tw5E=69gvKj*Y~
za?)}^_sRjSKJA9@p*ge;LEq}-njO1cl7MSPk7?l3c$@fC0E_R=SxO8v;Q4}a`4h_H
zASjc~R|8dye9rIqJ?uy=4%e-Qv^t}Ay+w6&z<1F@=+2NKLE+Q9@187`LW@ArupHwX
zY}8?a;6oR9ZYnE)!D#|Y`ENiO%}A00)?ftYc+h4eC$pdo8B7Re4;Xbv5M=5$nlkJF
zVDgxweFXrwn&tq&^umOxyC&dFi0jU~?okP`3>A#uop&(67#(D>(Bbemo5mwmHWySS
zB&%J>1H#k-%uQKp+J%{~;%>ACUC#fbHd~}K|37bFhcmbRooC2NXmedwyTNK*+3MB=
zJ#V)EoM;Qe#{)nZiU$7;Kp+?t3;q+oTO~{oN{xXB3C)-fO@beI0~Pb(QnEi*{sb3C
zpg>vDJO%dlr+uhJ1OU`JQUZnOy#OdTvYGdEn;`5m=+0%o9moff<uVOE(GJKWI$Cl8
zq@9^)URwD;84m6{kx#Mo;D>kvn`qwZT;ETAlE!dCAMNODAl#0T1FB6RJkt>zZB*iU
z_OL`DX~+|B?))A1`JVPf80CEHhMB<We{2*csm5(6mkG$vnjnjLm3a^eGn8SJFYRN{
z0N@^ofE9j=2Z3YX&O%$R8wh|E=d3^ZB<>91*6V}v2TU=!;cjy032YfHUYq%9v)6<k
zJe+=@Dsmv5K;OizfSY1b!#uY%x2l*3$-!Q*5FDTQ=%4G(&~0rltZ&nf|FfNK6D5lH
zLy$WMvmN0*s?{(uiQCJ0Cn9sl^&l2_m1q{CfHCe01wK|B634|1bwVJ^X|1G0IxnPs
z*!|<p#1?KKG9I2XDxN>6VNGXn%CfR8cUCE3efC0wJ9gaY070h2?9Om{LR1>~8aIe{
z*)|zpdxr0jXlJs<@aIu-1#&<`+B*^%4=Qw&DVpF)JY*ecAQdVC#0Tw4|D`$yL!*(v
zAPAuq^{#>kJ&PpKN`#9l3P-_ixy2W7=9pZGmrjZnRr!Dfv+6+DC{MaNPja*fr^<@h
z_3m)NH)@*ug|RJyDhlkXrl>JkwRaGc4sk6CHbnu%hz8yF{qp7+!`V3!Li(YucBEE2
z-|@fZ0VB)+AZTrUeZxy3jcaVI6kb1gF`Lcxfc62$<ag?Nw+vjbBL#sRV$HmSe^HAu
zaS=eH7NO!I%7|H~c!--2u<0x=U}6>nZy49279qk{4>*RjKj9Wx(uT;vMY%ORBG*Y`
zM&c1_?+syJc#4!E&5gk~u!lsF#N+`1?7$!xN-^jqID9CgDp+~jA~)>`2tpl`*b;Gs
zJ8+T_APt?Eg@gb{S3DrR?u8_42q&%6DLArQl6S8WCc5zu%H0Jz&McBaAfT`W@yPEf
z#RV|{`MEuyrv*t2cR@}J>;Q2TCoO7}wnmT?l#uSHTFixV!z%kw_+IGR3VBF{L#DdL
zE#`B*KLg1*2o#LN8}LHKq+0;)f}L?iP*Otr9TD@C1(Xkq)(h$v0B}}4u3~a+;%N=m
ze^{w#(smSD5m1hbcw03(ri!QDQooPTz!-^2g2{|au#2U_jKZ#Uax6bKY9fz4hLTH6
z8Lu$0d8-8@R=}E+0mLmqDcA$LpkhxLu%h&*U}~uaA}mgq`~k|MNWN+bIwVz(C@ht3
zm85oopC-dtL+(&A9OvUo0JXkMjm%IUQw1YdQh@T9DF_)tPgldJauf&Rzev%LBuRWY
zZH%BiA%2so^E}cef;{5=BE~y7nu5sbRBwk|zSniq|Kx|qn6V_RtO+Oa<}~)$st*ov
zNQqcbsR-vWwk+h36y7!+3`r1>2n!tM3t#|cRKY=7lsR4(y+|rh5YmFhOdPMnTN*%-
zTo4}{1C_u7s}u0*BL2HZrYeK<Nk81-Mi~+Ct<p7NC=V5GkYRwJJXN|*X2YaiDlLZt
zpwbZJUYFih=?EAGD^|mrFRh}E5L={S6+q&}$UNnOTmnI1KAkuQ!3rWgD~1L3f`T%U
zK6a;(ogf-TFeMQv)L37tli$t~=88U`-LMxb6($#T_T&&aa<%;ej|D9n1$}beBF1<v
zbp=iEmxoH$2r9Hg!{FL(0IfJ$3C96?YaNEg9}Lh63k<X*8On{Kf17U$9EnZnD_=#2
zAXttb;O7C|1xEVVrs)$Z3enjH=^9&NcR^7|*;`_|+a0h2V>_*}mTiv06!D@#x<-H0
zQ>qGzM{3(16p+(LXgGe;Q=$rtXr-n%4KYh7D?nNfNIf9?<}#L61RtyHr}<G|^PP;?
zJL5r}FOkj1$mHiFC?VWWAhRnheqe&Td?g0R5es}JdZ0%1|A^Qa(ebnLKj4Cxwf|v4
z&~V2Vs)QN(MmkUygMq89k0SK1nhqx3Re?`393k%jD*5P*i3JyhXv-6d3hV${E*2&7
zdw9^RbgR;Wvw)O>x-ua-@XNH1Fo)pS1Z>bYKx359VhD5(hXrTYJI(Q_fiPNo$l*zx
zE{1HgNxsRPjJkjf%FQCacq@{Eu%jM#-!EiY8(t_WUMN1jW{`b!C;Z5A>n49U4gr;n
z(gR3trxr%ZwnMj>0hca-Ap$m$?u6C4Rl<U$sAR|e^8soI$aSEYt3?RbmKe6$3G^@=
zw`3&nU^-I3O3i@gl#tR2z;K$l#)QCd<$&e4OBTR#u4pS|1xuw+upMZU7;RV%rg7B~
z>x8K;9LKB^c(`;G5KewTuaJ9CNrU{7@B;G?m=uU7uza!zJfv`V%~%k5UnLKnI&GqP
zuYd<cIn%li^~c|w!QmV=I3PJ^0>B;j`QX5o8W2xlDmQIIR02J8DB6OGE`!c^4TdF8
zWOw1nG@$o{CW@yhJ=)JlTE1b+V%my{Bh0-Dve<p-%^#TKy18K?R!Qu)*~RSYi3?nk
zaGrzVP%lx^Q%nFvnuFnz<tSqJfW@_}9IQGclQSDB&U#5D1px%DIdqTe^oFM6BUChF
zTm&F8Wl{BlRI3ya+JfwCY6SL|4qC-~@euEqmbiD&nQ8*fN2(uh56+Yy)I@}qL8w1~
zoGU1_HPTYJZiQb`#P=G`^$R%&w?Oz!LH;+B$p<_l%DZ_;YLQ_2rn&}|=>$dC#_er8
zPezZBFtg-cs;^1CJSI}OaJh3i0YCcfs=Xi>{4g^}@tzW)C<$=1D^=Li45&wh;RzCO
zrm6C$R3AzPGE>p@l}KZVv@yl2v22_ZC|o#JxO7|Pl3Y1lfjb||8U)46y&%Vw(&5{S
zjg}^iNa>Jz^?<X?(03PN$YLQ4NU7Dq%;TKZcsvZ1X+G79jVue)#De%4Pw3zUc9aGL
z1nLdl2y#`b@&Jw`Yw{Vx-#pp|;zu7)0Nz!;@DAk1vK*$)rS@?Oo+YrzlEQ^7dGI9Z
zlh1sB`5GcnkR%UbnbX4zz$=F<kSBEfvA^S~+<3$*69QGUK}V=R8G$t~l!k-w;^9IM
z8d>6S#tbTjkcq0oH&#a_M#k^5BlPXiS61%mNR(<t!f)mAa|#0V%hEJV3F<B!u`DE?
zTslTrO385M$w4B5;ll(&IBNS!^q-QJ*~U_?#787!5nMP)AY%}?a6cd>60mY^C`sX9
z;X>M$46t&y$j}vok&^(8@rt2XI=F8`U}S_T2@U3Kg$(AenyzE)kY+V`3NS(V@VJ5b
zW%nH@Ec@0DfZ__^D`zM^!N6vPP^E~`>JOq3m>_o<T<$-!C;K{5z;U)9!{B7cF%Ek1
z7{`tURFBMo2EHXn7iN4NFur(!BkJ%QBbioXRS+kjuy8>7Dvy<-uy=<3BcuhJI>>MS
zDM!N;-;3lSlp|#Yn6bhMCDsm-T9aKmbmJaJ?<B;LZdeRdB7nq|sTkoD1*EM>BM2oj
zuy(@6dN|z-Zs4mGoX}B<4*`6s<wL4r40y_iDXU03LGfsdn9TfOAPgB8&_PxrNF@Pr
zD$;1GXZkhUrd5hAP6m$9eP9$SUnwjgJ8`=2YJ*Pz#JIw1bFs~0ENj9FLLiG;86Gfv
zFFv&#1t~^_6A3CDp!?J0B$!W>BmuxTrMT`dJh8?1ACQNwzgcQeR=`GoR3V6B-0HkY
zfsRi)ztBSrViG~&n*b*}+=n1Vqq0C;baBIs#o!)oj5-fV9TXAkknQtLfT7UoQ0guJ
z*)qU9nJqbfZ(CMd?$QyciVc1cI?@K8f;KZ^MoKy7z(IwK0qPDAlGw@swx3Z=A3$b7
zrrf~)^V_TdNYSVV{4$*2l+zFeuyR$7UuIk`I9)0LC_X@wgs;vtk~vhx3$Y1s`iB=C
zqzDU2D`Huyb|WV!C4aM4yrZYhVjfW;!>MxY<o!W4qq)enpi|+heM#l0NhoXB22hj;
z!|GkX2wRY3B03X{TK1e`)7JZ-33r$FLg_(2K(D$%C6qMJDkhClm7M}1b4|x(Dls*d
zTJ-|7p4Z(bs%qd(Uji$DX)~aRnv;A%?I!quC@p0d!7plm=9ou}g5xBhxOf79EAHa4
zZEdB9O6u3-i8XuLrlq}cn+#250XutABTO?j4M2ym`<^khnD9B68cdp^dY^JnB~Hzj
zN<1Wz7Yy&&-O_~ED@W1qIXo}9j_x(WOrjATpvrWj&jYyokO~>!#^Zyf;K8lq7lbdu
z4oY?}xo9Li=<6v2Qu~@nFWeXLa#2Lhm|sdq5+GX}Xy6~7aS1AK<G?=qn;(?}ehcBY
z5HSutC)e+@h7PACbP&SIjCAwDF~BOCMkMw3Gd~eFdmETd-{V8CwC!Y3B9CKF#g|3g
zcQ*~ZL+gTQz5{3|cSFm#hnXS9Xj7`VQmh4#Ej1V2Re=5z!E`#Yd!Z_%4M9seLD_;-
zldazl5rDK<{#)N32@>dLwO9e=Q6(byr!bd5;s2r>ih*4CA!-<QH;hgd0aCjX5}|~3
z^T#~D0P7X{A}TbYUtgV^A7A}W5dy4|EyInzpQFE#?i{5T;sXUeQz+>%Svd`Y%koBV
z`v<ie9L$`oA<@*q>Iwkv43rt=Udd+otp?1R4312p3R%SgB?_O_cz{e0X-F586=4P^
z<N<$}C-hIxAhF_t$To>9i;ssCjt8f%ErgB22x$qQVHc9oZ%)_`+uzz6sD>aewb^t&
zj5bnSC%{==^pfLK9^tSiVaT9!qz#*uWvCs;aM6)-Nz>CBCo_6&7(j#*(z3n%QaOsE
zS*pXekS-4(#o}A8APA7iH(q74>J>-ROc%i=nb1s7sM-=O<Z~IQK1KjA0f}O_);J0x
zXPn06nq3iUP(rW_#S*=8&WddqO$Z|#>e>Wj1P**U-i8BEb>xx!!=cntc#e2`%Li})
z?+=WhAwsx)Q`UW;^0m5s%MqRc9&-)ACOJ}Sx$`B;yvBgd2c>lHfx(mmCHL%fM{!zf
zg9Bl;%<1j_(fu;Kr#Jq0zJcm>z%pbNc{N(u3cWDxz^`_Oa_h`KRk^Hz`HV2jZX;C3
zsmvrsRu&-U#gm#s*<OWgg^6F+$D3h@8)FmGLd&iGNnUjNH>C7cyPZTGuvxc<$b7tj
zXBtfzZ(%*;*`p}6;xxeKA{HbV6%(;dD2JxNK1r4GQHsAuYAEeq?oLIFyUujR#ju9d
zM1Th%{ixuZIg4bj1IFw?lwuS53uV&kYB`CZwgI#-s`-Do3y%wlw<teejT6!pLbEoj
z#1^P<Ny3lo_cgMqe@0g>gX|hbtxy;f1T$WrVH|01x!2I#EU66$<4awJY19j(gu(y-
zGP=DV+Gq=3&y^JO{5YV3!_^XPSw$zzSEfbeRkbS&?0Cqif4HhR0RD!dZ_V;-1_Oz(
z4-O#6p{p8XAGayKQ5B>4`P9L5z(j#q$S!^TT8#|QG{5+ejUwL&7;&vLTumdU;1>i|
z##W#ZedAKR3=##9WH5Y0J~gYG6APj11wvn+7+&BIEBgv60)9_<j)+*1BaFh|455gT
zA_ynm>QQ;=cQS?v77#`vx!z86pTvwrbQbXAPeTGGS~v>wdIfy&ax3R@QKNl<@L6$v
zy;3vsZ5}qV@e8Cfd2Gn&JUUEU$SCuSv<a@jNCt)&irGLs%{4IM#heupY0wA%edRdh
z9BZ<gdMFKBDgf9HHoq2<w{ez)F$vJih&@lC5Qr2o1fnsuboZnKE3CV6XjHLPjCdO?
zOb|z?V=c5bz)|o-hW}zFM`V)d`boz>3ZKjX!C$?dx*jauTg1v34ns(U)EWVf@&KBo
zC5JyelorwsJ(VBQiYS~V2g2{}*7UzdM3iZJ1!RMR(A;vFb#WkoZJ|i@O`xC<5i5uj
zhHu$394S^Y1_DV7`imE`PK&;OEvsD&{FR*vwUUPpAa*y6TGBT-`Uo&Z0+`Z?3U5(>
zB3D0fz!W$=H^Joa-CRE!7LZx|!7vXqn0LD>y^8PeI<F)<v1~ZAHwVKZcQ9I>4l`K=
zHy!MgV=zB$^-BU&BF8a;C`;J5fl@cWg2O?~q;Dc=-c;TL9mIxf8b+v$_iRzxYpW=%
z?1pQRa!ROXic;r+D0!zHRfwrOJ<hSgiW#YdP?J~YIFnbD`2nC8VjxU-6z&KysG;B(
zNLL3`N!p=tjiHdbp>eq*zMNsufnY#_0!bkj4+)e6s$CTaX2EWBl;6a5S<{h#5I_it
zZ>hYPhS}y5uJgzxHVg?GgP>rDK!QCS@lv(zkQ7jr1$pAcZCDafnNLAO)N_Watrq9a
zqX0H;3u{9f%8|4QLu#a#?g$Yo0dcqh3?^71VnGss48pPrE)_wTL39IQn9tPgE+I)1
zGvx_LM?qTV%LtSdsa{D@xWSa%0zMHpfm3v*xPf+JHqu_<az#b;USC-O$(JhBsxr9j
zICnByHx;s<vFx;lKxr*V@_I#MkeWqJFq79mD=LpWz2V}k)OeJo9x@HhC51<cV0QKP
zZ?fUG((^v1LENNyJ21;^c^p`t;3mm!3JeAgJd$A@*}fGdf)R=u0yarVsAq1@uR{xb
zYJtI|3al=n_rd{uhi%q0Oq?naMi@B+cjXG&>o5z2M!XPeA&&M4Fl>imRjAOYd}uOP
zAbhpR(FgDZ)G^d206%CdYoVmq%9J3iVh@69gjMj=EfWHz#ZLzCNAd!q*$D-ZfxM=<
z4PC^4P&{8iW>!!Sass&OoVs8m%X)DLVAJWA&1$mB5fJE2f*3Cl!t^wwpv)wk0x!ba
zk*E?c6V9uPHl(L!CmE(M2x8$in*jk0klkVil7Xh~OaO=Ef@B0cJY%%ID@F)#jYQ{&
zP%uRkf&?ZfqEU7ZJ}9<hgL~Lo%%p6gegN4n5{s0cKfUuLi2lHUL=s5;l-e8N5%Vg0
zL}u)oEJm1NtCgr>SbvfnFc@KK0Vbn}cPMI*NK3#vH3-mhlFA*#o#h8n{Und-6Cj+t
z3XkAGz?cGYVeP{PgZf3|#x!XBs_7lb|5VU@^gV9@r0aO;3#Yi<;{tfnft)9>y2UH}
z;LHjZ*q}<72}KR085u=@NW!>?NLg%TnFsNVci`LcMq`9wtHdtS;|k2R_>M-8Sa-#P
zFrvr`hH@2#+7SvQJ!pBd;v95i7opH&72u4L!;0bC#lwS-K#(G@K(O+Mg`eR7i3#@f
zkP9IYc|Fe2`Uu^o`wL=7;A8q*HN+w>f(4Lh+-KSakOvlu+EtC3%mOL-^oinu+#i-9
zegOEL@$?X#3Nov!)DR(XcI$%*=h$|Y2I%88u1~L2x~Ro7kft{e)t)04^>@MyDMzn4
zW;F95C>g7&>kzl>QGDt?<B?`}UEQ@%;U~h$mG)%91d5y7OvzJ!Ns}kcW=5F}S<<DQ
z9UFm&QZty$WZVnWP@zTBVUWg<l#89CZkujpI7Ag*8WmLlY-V=yBVuyU3wD7NO0faw
z;t&QbD9kEa=JP2j!AXW*EvnOStZ0%TTIdcqk`IeN4Y-;5=?K$5_^j@+LAjuK%Kc0`
z`z=x#$=>^!+KQbpr^npW;b16NImb!7gsPYy8h_YO^J9*65LBah&`&;6(6Dl4LDO8J
z`GYNGk}7Hx!sWB;QCG+4oTa8F*%nw0UWg*DW2~L+09p?esKN>M1i^0+q1-=n`tTx!
z?9eQVWRS5O&O%XgAWxQT)gm_Gx)_F?&h*O0Mbm{}g@;}Ah)PC$)nYmYldu3}uOTB^
zBo;6n3_|pn1{(qwu}yMxQ-X0r*4C7FQ{`SGnD#_CFhM_G7zJLYnL?6{MW_lL&(^#O
z8hN5Qf$-fTLhfi0sccfRNuYFRf!u*7PN$H0%H)4Lw^Q|=^poB>&wo%hJMO!)LoaE0
zFr^1kUuRnx(am=41i~l4QOmbIYQV@VPuS7W$X2>RL7&FoB}g!m7IQSV+e!zO&jalW
zluoD@WjrM=F1zz=hCI}po1+jvpbZdcQG=20cqEVvDUiT{At@}xh*{xKN((#wB!=LO
z%7|Hg5{pD+mJgUsa=3nZRN&oo{w;xkkWk74Lpn3CmKHyCSnO~awXNEc&`>k>e2$=5
zK{$0oA1>amon?WIrDC3ETW&CIKPQK((;rZe{ckQ>=M@TOfn5rlgm7w)4HrPJgE*NY
zeXzRisge?g*};TJSEYBPlAsA0OlVfPTeeF?S0Pe+d0HaW8f#8-@#lh@SdNWJ$>zQI
zi$+>kx@CCIieg$F#{R)pat{Z3w9h1kp#Y2H*=jp!V7<Z|0O4|?1GX)LsuO56O-~v+
z6$5%fhR!)||HvXIYzrC({QUS#Uy+!oje}_p%NfzQ=P}DM+cbgQzbXPX>r8^*8Vw5~
zSuB6y9gS)M5mynK$za)2y3$LNu#q#qI0){+U<x1nSZ4^*84}Ftr$kQJE+H(81U*(K
zQaAhs;;SkSIM~-*MCSNX5Ca(B3)ufV<U}WJE3)qA9Hz6pm#)hU+rO_cQ??YYhin(*
zS=$tV-Um*2gzPt!atewW1D%*Io1*f9O}~t$Mv8W7heNVtH05|?f{J!(SfSYgh;Uts
z(4q2T4b!2(FdRuZjG+&Ei35V!B~D^JIh17_CjQDxB;1Y&r#_RS_<S4=M+Bi57_OX@
zV~%Ca#mJ*@(TXGDF~~%V7*l?l$bjUVPl*9HEZA~{pa3Xqmij&qh9ew@5N-z^(S;`o
z(Bz1)9$}<O$&~Vwmx^*9HWig8Sjpk2LHA_avEt&t4W=JzXKQ=nyA6sQmA=JizNxm8
zXtZSTQ{1y+Y>|#&EEGAKtL5;CIgm2YfO#lt7#v0*&L5=t80K=ctu<g}C=3k7+B+KM
zu=du@&K=<m-|MGiv1I!WGdqmBsMbJG#U;_nNH#zpRrtqk%H@}NJF&n|0cNbrK4S`J
zoC8q_ocg+(ISG9eY})ErqzafsU0CUL1Y1D5m5DfJAS>$Xb|fcsK<!o3tw<eE^R*XJ
z^hM-ok8<i;uw_nA2fY^#mn0(ZfO|%3jhM-!RS70p_g7M-gR*eY_LCP=Vwl)ak3x`9
z5l42#-EISzSPUdc;P%Zp0@2e%5GO0hSwu_7b7t34!yc)Fh0m6kI61TnsaT7K0iwJv
zr&=O*gAUDIO4NIn7<N+XUXX}zhW0L{v^NfulV*7!M=qNecS0H@Ty2h;G@3Fzj$V3*
zYfDM`4$@%J5rS(JF;mhZ`365(yryALo|39%!ASL(`Lv*~wT*z2VuON_?zon4(-Syb
z<+tm7h{KTUE5%Pr=!LTYW{}tObmY!03}2`zAj?~=mAUScl7OffUKA4#7CS`eNDI8u
zqR`_3m}^8Qzz+KVe2ur9*_)q-0zhx6+r4s}U*YtNY7b>^{?goSVV$s{wJes?4#~?{
zMKmx0$b|0ShJQ!MNZXDs;1rO{)V}F2jz#8%ZXB23nz7ZkjP4ZN$Qp$`Hu8g}kS_4!
zB>W;NveIN`i@YL@611E+BrwfxRSW`l<;Hl~6niv07}!A+-60y!<jv?SAsp8f*Po|s
z!o}I4$_#TK+W^PVAKyyU>eOo&sg}`79@XLR=&|@h6?H`o9XMr6Q{n*p5%E7=@+N{f
zkauYjGc3qWT^V5%jbMcq!fUhdwfg1R_qkvwgsAa-&_3WBXj99m#6YGK2?@2p4{b3u
z>Giim!jGO(DlII<U=~XqX-qJH#&fSMSol-0VsXN@hWV-K*WSXq64xw{cU63_<^^)V
z8ctr;ARtq2>ibeullVs>1;nt{mB=b1Lt*y_UP^HLsi5QeZl>c4KG8icDXjts_y<z+
z&tCdSQNg<`MnWBzV6~bd%L2M=0BeKnU^FOle3KuiJ3%Nj%<FTtYzkFAjkz#=lx@nn
z@mN!&xA@M}wnnPU(F&LFFbfW0L~FSX<$X;ehI?p~Y~}?7D%u5O;e3$+BBt0v4~<n)
z^b=Mj8<(K}S^%BNVk@K#@|Vc(1ubnOF|dXdC0TENyVitVH7k>P-V;n<@i82NWM_}}
zT4Pbg=+coXH`5vEk|oF_Z!X$gl>IxAh<s~8olz4-J;OHOP^Y&OZNN%-(8N-08EZ31
z<+-*#^rAK*Eo|dBA^V9C1F?^dJIyk3#2}=IS)B-YZh5f;kW7(Jhw>%xi^WJ$(xG1n
zOyk_<jtM#Wb~Dlv_zgLg*s#mVU{SUwCAbA_V(L{S;P@D?i>cL+ov;(I7gDb--vAwO
zx|fprANzUNQqE;rpZGVVne|>HCv$(aJ`kW8Igpg&gn9M;(Hnv>_5Gu;fVqrdo()l*
zL=o_f1x%VA_>z0tK$2>gq{j+0x3lO<kHuJo(Wt>B8fYzvd!@HF2eV&eeG1{^j=r9P
zZ_~O3o`>LEY<d7;Pk4R;4+(Iu&7v=8Fp4Z~m^V_5e=umh?bTGbdmHJgp!DyhgRoJY
zJkN!$9K8v;sUH(jgGof9NtY88B-Zf^@Nti4Y$3b``a^o6uMc)<^%Jl%Y(Dw`tK%Y$
z>=lg?uuvJE+7Cn&-JcqrT?H2K1Y9AWt^x7K@#9utP!XL;^D43+FryP#G9v`IP=mim
z>`@Xtt;@%N40tfcTxs%IE&5Dxn7TCgg%$5q>UkHxC6Xor6E^T_J~3R*M&)xk`W9E9
zOZK4a)pDHK8FX-MKFr#ZF11FTvt5s%po2O^lqf<BeS??L(q=TgpDw>~-$RG}0X9Ie
zsisZO&CJEtkQozvYayt4BLAt$HjX@l*au-?5cS%FYQ*~uChFdZK^*s^1oI?V(?&wR
zu!`aFxDqT42nr?1T8F<XOkq3LCkF2!mcDIzByXG9c1rlspq+#_gsD%HN5<eqg><>z
z+8clafEOE~sGYMLb0#6e&bOOV4<&T&itecaVvq|(^9o5(>0ZKFQX)ARXzeU}5e+($
za0EEyX!190W$BR{M*N&q$0LTtQBM`=ryuUQBqWW;QtDwQ)vNnKkM2cyH+qVPBECnz
zfn18xmmf?Y<pGYE!%83omK*wBML7r@zJxXr8qn_88urQxE%~TT!lF+v1?XC~bbA~^
z!V1VL!8dEpg$Iki+88uOHJHCdAWD)1wY`VKsR`~BKt2WJ5;7pNit>~NXK{z78pwr0
zh}mqfLVE#EG(`S3ag`*M6p<@8G@R2~sw>ZdM1^MnKJ9Q(Cqq=q!bS0@n6FzY1|^<k
z<&<<+M8M1j_d|Z0vqG^MWzko-ea#f1qCS;E1PXfhUTB8C8)+abwR0kw$PHA6e%O@c
zGKvin-0t@ifaqfHGE2NCxw3Q+MF_zCUsw>CM`vlF*b@;GomC%oM(`JCR*HPHprVZ*
zeQ1SzO8aEkZ8v$v_5=zas*-KN3<?e>3nzV4#FknU-Cv3%l~@*Ns{fi2$EMf(BjvV+
zawhlCqgQMUCg37i__G`48DgS9ecF&=*B5V_G%06SV2JW)n2kW=^XXK?{T(=1U<i&c
zeeD4w!~lW`Q51;3htl@U+!^ysathG3cXSKo^Cj9%Rw#j!Yiyu|#JnfP&gkIuR|Bva
z41tIMqiQP6zb!JG!2k@&?G-YB!$6*Hsz_k@fmm$4^t2Ov(#^#?J5Wx5ZNbF9$gJXH
zw<B3jrn`1$GrD?riNYv2<<p#5F>okC?q(bwRlII@_w(YZj4)$)NeF2ku}G*Gtr=w?
zx-#zu>T@kkv*xJVVVIVx^LD&tKsG2nJIgpP$30zQD3*6R&E)T^Oe971ynIk-VvH&{
zq2W}a(U2UoOLM*@<L2B<VQ~pC_Kz#FfN;*>=s5%thj5%N^jj|%ymEM2U``M)yE_#(
znTT!m7)}Ml(2D^~G=O<IgOm%G48#}2a2b^a@f^(;Vy|M&!6#r^oK^Rg%~XegF?grh
z>IPZ|W|1rn&CIV}zxdBk^PiP6L>?cm+*GXZ2$<tGL)xbVP{Q0SNb!)SxratQ$42Jj
zK%K7sE79-%Ah&x48-bZ?!?+ghDH4w}fw<L!sBI(W!M-XJqch<WEixCF+_-ng0auF#
zZE6)DRC|BaRTm)~a1}MM5~4mc&48x3=uQh+k!ZQ&>CTXz@SJ|`h*IT42LlQl+zXL$
zKL*PMKY<~ZhfL|pKH~#;FnJo;9ZUVc@{a&OudkSOc;Nk+P$rfwmx(n49LIXy$Z-O2
zl5s>&7r=)SUV=)gCWu30tO6zFd4&aYi+lluTu-T}(25O3A;Hu)FYcgpbgJVXOWG90
z_rR9BV$zD;#m5|k9(;4;qT<3A^ZBvQ@ABXb#U)y*3;0y7b?ay}HgMD}tSv%Hu0`u?
zY%R(T3mDd2z<Jjt4`EIxr9w&T9ol&SGy?y7!RHu`9VZh>q$|6k<mok*L25c}t0;c<
zr~qkE2(wanKMCN5rb!40&E5zegV;}t>Qvskb8}rcZx7D#_&=PA?ls(80$N#MM8?8;
z_X;PouGG!&Y^O13Rvj}(Ise)<-F=XcVe1FS%5FFPG8gM+BsYrr7~eZR4^|krbr0cT
zc5XiD3Jdob)F&iT9NUe{&!k!u`)F)1rPY9l2!0&1dyf#*7boD5twy0HE!<PpqG(to
zfF!Y4S>Mo)*nL^pnNaUV72(38p=6}^)#VeFf&=1IvZGYdBlv<qP9vESUlz@Z!CL))
z2p0d%5*I=ohzLwR)ZOTLB7^MyQ^WKssij-lN%Q_+Mv!Jh$DPYX*EPTgiXB?@btn$N
zP+Pk>%7zHCB7ST~syXtaLMOG0?kd3_<LLhZB^kUL$v;=bVleEcM3+!e6q#KuOoq^r
zMdQ%wOPoQE;Ry{iTofbV-9nAa_MjvBlp8s}-ILSu48Gg9MNhwVa$P#V1Cmyv5TM{S
zu%;nLOi!8Rc^|v3(~|HviKsWk|L_mya1h7LHS5UyvTgquO@AwZ6t+LI9}NS|8waL>
z#I_U!AH_1YJF0}cuC&_7S!?0wCT`cpBkZuoR&4M9;QUn-``lGRz};+He)<1{jH;;~
zU98*%u#0u83-F&9?}<oml4sJ$O%iA{0g~wrg{r`LR-xcOjz+(yv6$IUmXJc(BnUeW
z1Ukf}w*1~A6Gwvhw{mxdtHEuU5Q!_O`6=3w)eTf#`q7{<@wbAK1|=>c#1Y@5qP<!f
z`ttSqRlDb|0e}n%m`<a@5HKpD!fU>)^?a3muoAgGr(ESH=+1yCS)IW{^RQQ22lyh$
zC<gTy{%9)umS%OXaS-$tN~)xSh3Mk3{gL({WbVanod<5OsET)t01aBOyXH(tvt)eN
z0<GRR;)tTTU&NrP+0|`RyI9h4;2@ErSIGVGgU9eu%^fPVEItG<N<*8_<P+-37X3FY
z(iBuP>&}^3oV`_JnV<+I7Pl<K-2@{VUAO=yLQB^PG6NfqZyX|}aIBKQJkD&dY#&sp
zc7X|eUp!oB<V!JXeBB*~;OBt}&~CasrW3M?)L^U8=g+z5BfQ^9FJ5O1mz|lOfQ^ym
z+)7jK%}4kk+8Ocp*l?(IN@yjbkaO!o7o&h)M5I!=ig3|Znj$h6oP7lS)dwqrPrl*>
zsZX>^oYOR<IBtgZPPF!^&7<?>`-e^`T<^40eN0fkv{Q=<AFyE9RP2a%KYrX=)9R)p
zUuDea=eo`@ZZ}F_Iag-FlC5><_<&eo!3AYp5Cifahz}!9^*Gi&V_g;40ep6=Q%Kuz
z(ep|PF&H%Ne|zWhe&=X{Db0b3Fo7bFQuV*v%Yg3HYO;C-Qq=m#bNcaxhZL<a4?LM7
zr!irMBc`J3e?G`40T`j(B~g3_{QCs*T6r$cHl>E2TFhmUS$-P;?Ws^KpHo|Vy2YxM
zA_9%gg4*^{6#ywjYT^dl_Qa3T=gI7=U;Guqh?)7M<DNd_&?)a}2(7W5-0VmDtE@Xo
zsrPeoI*&`!?_?mn>JGM7+FaMBi>4HGs|z*kP}D=>ltyEME-<yMOKcBZStGKp?uKZO
z&AfwnZSHN|+alKrLUuER#0y?jiBvd{osgRh>J#_c)oT7=F~vl&V0^0#6qxZ~l*X_-
zf3c-&EQP?&MfUM;44mWQmvamEiah$yOLZqcHso;c!R5%3!5|WO<dnSq!9>8M!$E$R
zmN6lCFa{Po>b8MqK$8KP1I1sON@UGlLU~A6!<^H`12mJ08c-x&j#-dt4ble|$_5k8
zShsg!x<3XzDDTNc*n7#vV9u(N(K7y|rKhN{ESuB>g3eY!?mLEuI%~oJRpO#0hcyS8
zeKK}WD}X8&Kh5#6hUkdu+c81oZAJ^AsO^pG2o1rdr1@;o4ky?WRL!iEOP!iLWe_kT
z2Jn&3NWUp*)4??2-i1GVAZIVgV*D)as)h7hNsfKxj@}u}4YeDh2VC&&peP8PFKipF
zjU{8!VGkU3w!*}=c5US@Jfb)O7@&Xx;RoQ+gD;0<gIN#5-%5sy7IN1v6^3(~g<WNu
z&}Z8C1`T5yiXJxJOz_A1p&y5R=&UDYd=G;?2VOl0-H~I25~3*B?05QO)iy1;0u>h6
zJl6R}BgExfCMsfQ*&&o!TpsJiq)8RalIN`k`}*<W;4l|%7uURXBHVzi1I`nxW)r+^
zwRm#?O*Oqi2l%=;2WnyD^nVB*J%T$2Js)fb@aIp7Rp7ggr~Z#vZn_z<mIHvl6eN|-
z`U3#VSQzUV?=X15`_8r{v_|P+aKm>jdV?;1SO~JhR9x}u6--FS$7pY=-{C_t5-rPw
z*b2d<sTf;{5kKz3t%N*KNQXJM1iRA!CwP&EjMTIv*!eUQ?s6iQlVmdQy41!_N%(d<
zj-Y2pZ1OXN$P2@#6mwP5)~maU?nU4ev+YHtWLpUUR?KWgA<Ztn;0+&s7<?`+puPZM
z8T12fh4X<9nBJ!nD*h{E5(0~4t&EF4$XlY<Bt8e&u81Po<-^4r(&zi-%U$<|*H#z(
zH-HFR7IZ+iUuV>~=L;D?+QM`&x}Dq*^SjNl9X6q!Y*OX^@XnP2`0Rjp_dQ(p{pV(4
z+Fg?Ld)F|oju*OFeEN#yy;lM`rxsMK;<SS!2BsCS*Csink7j8U=#IQHoU$=KKK>xo
zg;FU++uoE{R<wQA!q^w`dc_}{dwmyTNV__+#|6uA?VXFY{k}oamS2WO9{sg6tMIWe
zRfqx!DYSDn<`fB90OXXQ*w0r_+LAM!mU=Mz9*<LHyNhvQ8nar|Sh4vFXS=HVrJx&=
zbOp$x<Wp|kmL{xNH~FoM_EDS*A@jNr+Sy;M^C!Re0^7aeqMAGJ<KyQeb??IU+6zPq
z%YzByvuf|y5_yJ`bLQ6`XNQX`Kp|}-ZUySa2%)Wwn4YNHJ0~r|E%Q1jXpIjwd7W9Q
z56l@+_P#wum_pK8S>grK&e<4?gA@V*j<yNGU|`}^HT(*=B*o^0+$HbQ5Tx|l0e~Z`
z$iNND$vok+`u2g0?62<hu*@uwVMI%KG12ws%Gfx486SdG+|~Y8HGlH3YRbfB#jlc{
zb|)SV-#FyUb6{KuJ&Ud!%{Foc2aq_3ivFbaajQ6w)4Ju#mRqY9K%4T;EV37v3UM&|
zv($0U4u;oixkvl%JHPg&hdr1b*T21&o6xpCY<^XPw~j$@oAf39rIxUnp%8alACE)u
ze3f$>Dg3Y%7Ys|NW7{+P%I&Am_m-#$2w0CeU7qsK>R`8#00HMsfK7Y!Cdyy54?6>3
z=_CX@;c7ZU#kwjYsC4wu<80mHA;ckeJ&mrhB_x+5HN`3GnN1fdtbN%#MryF+{zN>d
z(s6R(I6lI?dUr$6zz4FW(4q1((z-2r%N;m+kWWLBuzD|WTy(H!50;>4J^EANr2u>d
z9K_Fc%@cw<<49t(BwmG*uEkK|aT79J&QSSlg$tK~`*_*{oJ>YeR3-9={Nm-tc<7?1
z10<7@{c$|g@08zS4uY2hsVO<v-rQ;f>l0}9bG17H!-4NJP`JX|cQMm>J|`C)Z6CA+
zHXui@#M#m%{|Og!@q7wj7Qr2DF}~i*7H)^O0EiH$li>~kKG*BHlY{Jahormh<OKnE
zoR2POo10)AZwMs<^@8+x@wXXtN7mwJIBlgXfM83q=kYQ`YHYJb2>U$*D|f)~dPAAI
zf(cA%f&mS<9gE(fYVH<$Y7uQ-PL%B5T1M|Das7;OC%Hif-o!KS4z2y#-*2y{-_H?6
z20lvRhY}b9BPwQKz;AIDVceX~<wog^8GTtP_+a2<(fky7H%0mAV7gd9<EX(qbM$^p
zh<(*35i9-?2CaZE<2w-G>!3)iRTxN-`awa!eB?5rlG4}ck>4}q;|_6kj?tnnVE?Jn
zBo!ZZO<cVqnPfmNLbu4J5Fr(IjYq^d^NW-g@_>BINhRuKM7UM{_CYWy%70;{B6J8}
zdHf$Zl&LU1N&KE#9A88c3AKa9P%^>1g$lp{nF~I?GiWoD*!j!8>C$JIaa@axAG%jS
z^>u*hOBD2nF!P#UBy&T4)R?(h47ISrRK93<0%5<&IWr&+!b#+k+7R6&Bdz=+tmhRX
zfbrzA!!)$2Ba((g2;{5T;S>dMhnVuG(#hr!q?}(WeLKI<SAiRm-1MmKg%;KXN39Bf
zJ;6nflvAlAE3RoPqaHs(Ewm`Nt>A!3XO%g?7_rBdI+Mn6Bmi(@oz5O_wChREL|mO!
zR1|Koz+vg$r8}4IPGOf^mhO=5Zje%H=}wVu>F$v3kQR{cR6yVlh<LsC@t*TL^EC4~
z58roY=EvckMW%#YfSL%>E6UkYM~)zq*cHVaDTJlE!hURAqH&L)W*rlb1E4D2k_*^*
zzMcHQ*xdsUmRmHgI}O6xykyQmTn$b%btK6t9!4>b?9feC<@QC}x5|C7^BF9VFY)NO
zG||z)rqq)nr$9y)=DM87r8SC8<&Jq_T6%reB!xn_6`C|p#F<XFwLJbz?M?Wk1A!_A
zx{s#54kuw0GX=(w3Y&R8g#`LQ>is**rcPm%8TjLp1Ji}<%x94YLOGq8md_WeTIHx=
zL8CcT387^j6BOiiNJw(cWU6DTFgY?-nghlz(zMBJn>`CF@4^MoCeuo-y(lx(v!ZwU
z+o9jbwF<PAi%%9=P%ucstt@&Wkl%4C8kvvoM|pMEcyP*p&7nQ6svT8P@%`cGQOC*P
z$WZrp_uZ8&^L6Y`lj~M36#6f}kk|=V#MmetELQf(0WglKLBCKO+Xivh?84N_nX5kg
zvTj4hgd&+ZpD-u#m)P)#xwhY>=8uz_RN3%Di`jnXDPDzJ?3>F!6@c&TLWV^)uB_in
z;2}RBVErRDnUtIID$^&>_vtxi%hO0wdP3uaKjg&b%GXFs@^3j6E%-1RDk1NHc=Gi9
z+vsEjK87A5O>-?x81*a1es)Jjf~6|aWG!i!-zGC1p+mxBV7iCP`@K$3qf&$8;J+)T
zZ(t{id0MyQw*nDWp~?#V!AHcL%2gwqXtA7xFlx`cP7w)Df82XA+vf){Jm5x_;;wfR
zqSU2~@bwSvmr#uOjik}3se0arncPid98PacYKorKW6yZ@Pm~F^nQV>tP9Z#7H<3<K
zLnrU%-wFj*WpppU9_d0A=Ve&<zSj%}5<R1?^VK&-grxA`eM+GqQ@f+*6(UA0Eo!%s
zUKwpZFwRQQ334`VH>itm^(kpx`{VZ$iXC5Ufz8s@_*tR5{>8Us)5;jK+PrRihu)5;
zIbV+bU}`onsNW)shk(HYWtb^Vfnx>AHC3Eg)s`;3Q`Q5e^bAj}W8HxgqdC?;lVrI^
z&W0>d!M>PpoI+5ki?ni_6dkH|28|FIO9(S^l{S8)G+_p0QbE*gv^tIV|Mu7uXlI2r
zi(a~hZ8zzkPXCG%nVd3AnHZ=JbHaUk9P?Ni`!D6Bl<BzF9*xrZD^TxWbNc~{yFI4~
zj(+3*fXK<qyPr8&NNJz1Pt)Wjxt|S*-4rR$y&5U~Bc!B{c8$)hp91%#;Ya6;c)yS|
zZk+|y)3pp7#ffb^jQMvz;25S{s!Hq=r%RMbkH_eNWGT_>n!m`sm_SZR|G6@L(sIa2
zFiE2QB{W|D(lUMrEMa4N@Kt0~V=Cg`3b{Ax^#~(^g+Sjxm%E!oW#f;cdq6Y^x)+tg
z{7p6XE7;?h4FkAFj)uf2QMv~B!j1U3Lh^x~t|(fmGxbC6m+s_Pu@Wf~k5*jn7Gh`%
z9DLS{P0fohR@sKk2K#Sf?#)=y2J&K``D`efM6j6~ukWLdLyyP|3#Z@nQe*N`;tctF
zkehtNWF4679%ySAEPg#=e`^X>dOPn>RE-GB{@7A;PnCm$g9Y#+jbC6CqNLt6ER7oB
z5*|%1_i$m#3Kowa|6r4XES2Iz6m?wI(6#wK3**f?hz`v`iIV#Y1vtRlOPZxYmr_vK
z%Q%ux-Km=`+dKgje|o`2{`XNW@obQ?#qOG8`eg(4B9V01G8>3b^9B85CR*ljv{x2}
zA>lV3QO!IHYwMuCzae1|!9+MVkm3DK$CYq=IjE^vXqEns&&+8NPxE*k$@44w&vqxB
zmXoh1!OQaW3&TDdIJ7l*j~{B}m%mNShvR<mg8D#J%-Y%9uu=XNE6yc1<<Ng$dAj7v
za&jr=8N!D#D4s~%f5G}v<c}0Lzl%^mOaAY7sYLaO9s49((mtT8`96^Tmz8Ccp?KAL
zOc%KI$Kt98v3u;%!5*Z|_j6hL?SJmbhlN_#NpYmD&b!&o1byECI7sifl+c$43isyw
zsd?V~3SW?N$RKsY;iYGaTBL5TptH&poj!RP&p=uU=|%1`7&-WhV5=i2PH1*89%1@r
z1en1sI0-_aC@o-bjfYng%|)9Z6!;*N;!VFw%?4*UiZA9t1S-!<1*A|sPm#QVpHcJ&
zP`H+(N(NwJc^vcV857C8ij(?4>X1fB%nhNOvPTKF#{wsE51_gdq0iMhDjmLWUq~x%
z_08+wyaZl%PDxd&_t`w+RrA$<sS}!VI>_GEI-0YDG#@QT^&C;(aJRl~l#%S8G<5u)
z2o9ymG`2VvV%TIX;GMZ9-Hwc+x&cJX3|d>`U>;@)D#`zJOtrv}NRi{+RtP&|YJHpq
zF!G^BE!GD{FRavF7RZ7;34hgX+3UFuPnBJXQXD$|2XmK>mh%$5i@ITxN5PLeR#~JP
z`aNf6X^>rg$dzhpsIidMu~O@WQ1{hKiLLsHp``9@T5Imo>Y?8nLu-3XzaQ8~(nDTD
zxf<-DomltU_GNlG=}_v;l6qp%JmL+SHnC{~mz$qK&^NUxRGM8RBeCmdw`PoSN!0-b
zF~>hhH~wU1xviq^oUw}OSJGXw9fYhlc<X8#!pf&26Q&;AbJuzvo^jzPtCxYD_{KP0
zCSjeJ8zbt>&PdeO!20{<y(=Cfj$A+A4?XBz%NtT{#7DvYe-8FdzK_a=bAHfa|0aWx
zcV>0n)WcCcK_WxA!GlxrH~hjp_6*sZi&JgjmU@H3uP?(7vf1~*T;F`ZG9eM_g(u96
zyl<?uW-1m26I%A6b=r^~8t5@WW@o#I4v5`#l5MB|3DJ#S$Y9LJvqptjEg(^hfFv$K
zZO9tUp`oo1N-kg!QoO}LhYdCeM`2!)Gl!IzpdZd-O^rnV^^TCgox;#HYlq@1gNwwP
zVkJee#ICsFHtN5<QXYl4!LygwzgA%w8DmKVJ_^MlnNB45L6?l5ML*p|6l#zwVL&%y
zTTf!_mW2inq#e903>LJ#mxg#5r4Zjee8`vL?HGYVTDU;+aoOo`YQLVeLmcilbdq_o
z7_Qd%!%q5hn#T1Z1x6ZC8Ob~SY*+ar$omg+wY%;>7xfQY^qJR)eD^<z16WJOPka!}
zM<VBOB*}4g+X41e0zcwD7d*oTo=_jturIvdg2L$zM{rJyZq1}379tpB=5yR!RIO0O
ztEA~ymiiO&6K8-ocs>#`i$Q&cy5@Xx*S<%@_Ph^0Y8;>9?=WJ{L<_uOe#A8O5`8CT
z#Myrl@8F_Wt73otIL)BAULmb>ik>a{Jjr)V6u14r<0(a5CgQY2jqjlA+TlvhkAz+f
zhXqP(hX3IDGd9>z_$TTjKCEFAB|O*D3SAG4`+lG(l8biJ6OdA;W$r3xYdh?6fR7(N
z<@pWXXa&xqzGG|*ikv18jw7m)M)i|z7%%t)-3CO2#<za-5PE`a9*46fP=^rFG~;aG
zaOI<>Z`}Db77+qVmH%`xEKAh$e)%Rc@9|HLitA@Lw8poi5N#HKCz}oJ|Lvhg=-w4#
zZTo_6^YkFQGnjDi$}8~L`L?-agjf+&`wdKpRew%g<`2e7n`}L>fJsUf0z?~wny9Is
z2M<KVXdq;t9%X#(B(O^0bWoHwWP#`~WR_nveckT8Hv$oja*X}6Q1#Bdyy{Yne4;+?
zmFrw&#?NbO8(nkQrJ(_4mSV}FKXJQ9!3wrxY5-~6IfgsrJ^&`RnBtg-TKGP$;_yn=
zRr3m)6)u)3^)J)M8+6>_T(&4Cp*NXNX@jH&r$gNFD`DByUm`Z0^GDCN(+Dcz(5P>^
zW(m$8|BZ;(@sQue!o)S+b3z@3(GRktTNxv~TrtM2Y?q@;b;z5iQh%ymev{S`%$Qf!
z_$tEyidN0sBC6N2=Phf36(Lj3P<ohiUIyH1mUOp7hg$hgw3cU(N$d!E{XzEgI%-`F
zMLuDX!A<%1m%m8II!{AQV`3Hsh&|wI>716CF_R7xnGc!emM5BcCY!>#Z$Q1deZ+jG
z2v>n@4$FfKs+iU%u!}hO$nPN3w#d2#Zn$cbZ+8U!GoEFD0n+S>4~lUUlm6YL8xsmy
zb)nGRkQRWW+O47W*`~}jax?V;4;W@;{qsT&ZQoht-H&eLfVofzIzdGz`Mh;i*=zp*
znRj%NCd(pz|1IN@4byb@>ro2jb%~Pz-S#iLjM9n=$Ni<Tk_5`_hTRgwe3#341Ci&H
z05IX^;2yO3mMrC9(K`u7(-UFkTwV4y@y%D7Pe{AUr^a4A#-yv9+*Y`^*2(lEl5h7{
zGn3M8u^ROy{+#WSQz|e_+P`OO`1pSO3<;J!_Z?xzVc3w-p>64#I8nydFCvG1%>RL>
zW-iod&dzhA0Y&zdo#^`4&x2~&H5_y66>C|tMQ@_h??<8xE&!%eydm2!wHii4>28vN
z(RJ7K{-&9Co?WuX2wUt;(@K(KxFFda^E37Q2JgqB{{Xu=gnnUEo;K5JIjb@~ilYrc
zdgdRWAE+~im?1ReAZT&n!0<(03uN=%WEF+mUw^wSj#Xt^N(*`oOJ`o=K_sEqD;L+=
zSZ8AW*7cdAo7jUZ`;P_)dmubiIkvsk)P*1M2p0$Y7Lu&R1P?7Ad@n?UCnu<n!t<a0
zl+`CsOyGYoAZxjj36YDpxWy8WkD|3CfB&dUR6*gZRzaj_6J$7?#TIRH$Q%2xHyL6l
z=f$tlcpvR%aM8BV<#Fp|=)gDAAGEY7tKcsnm{iCgOJcTyvBVkV*_30c^LhGR4D)qN
zmy2TP{a+8&>g?!Az6M{3yZN<cHBBfq-mBsV>S3d!O`D9=Y9P0<Mf9HLo?AC?h;wbk
zM_I~>$w3Rh=x8Wza6%buHJPlczH=IF<*8m5Nl46h!VRnDxL=4hv2iZ{!~Jw~3j)3>
zQ2;`{98|af>b06wH=PhSOV54)6FoAL85xB|qw&B&8=z4^ml(znu5sl7jys9M+F;B5
zZ@Cz@Pq?6G;WmdW_(|7ctfdX}2D3QK0hIzMEzQ=9omnTqX>?SkkczuAJ9;1$bz?a}
zICSHNwY$egTi}MCZ38fj$i^X$n~(Yf84aKB<~7vMVD={yljCY}x9)E7M83QS?HN&i
zDE_2_&W_AIk9wtyl0fRZ3lymIETO0xb3cBiO#shU@AQiH8`l-@C`MRfu&z6~V#sw+
zS6AXHI3Ln}?L)es@x<0}&9JjV-@weWDW!(SElNKNAso$YyK#yYRLvE!17G>)PR>bk
z$u8t`Ty`20{C?HN%tYVmhuk)MnFdb0M6hux1Gd0`-%k0cg7mfpST1-Z<u-UEns`a1
ztm;-05_Vd7cb|16aAJhoi&$ZCK+vTB^dLi%iPO<XY0oJm8%!QxGm*CYpWHKKReABY
z24+^I`cEoV#}YP=Jm~JFSt{1gNNJvRqU!cxXl{8o(@}3VwNalh>vl7j`iJlK(p&uG
zKRKE-F+dm-Bwt2(?(9F-j0S;<SVOf6i}RD|9jbNJ?QwM5k$kD^y}V}#L9?%3G*p=1
z)!Lar^beU3%q}t9Hj6;JBjBpg)Uvymfe=i;+W-K=Lig8UPn$_V*EC^3B{CupgXR{x
zgd&F`4@;<p={e;e0(eCD2;<+&pYos;vv-!g&BUV;6->lLZr<|^r({$cel?7E2j@AK
z>Pi7%NG^^>`Rq3YC-Tid-dhnI%_=XEmFgH2`(z7Gt<o<hHqESmXL^qbIfenzuevZc
zA@-^b4<a_q2aYHj?n;r5pt%s75}z2O%1oJtexj1M=nM`~eLu>)NA^<sBhx%WRmZMN
z5Q|{}`$TJvw8|NcInpqzwcsZI0^Z!w+aG%=DEsJ}nyDs&GcAg(ZI|Y`s{E3&(R^?J
z<8>MlL=jRrDXolctctz+5(q$8JF^4r^v*)*qST`cfm6|%XwlKoap_R??=r&bkm;Ua
zFLT=ErRc0gQOU?Ba$;b%ScPmD6B|v55dB}2>FS)39IyEReEK42VuEltQ>P}yC)T=s
z>B~>L0ZjhkA1E6_S?F91HaGfZIhteu!2h179{~2LsLj2`&nP0<*t?y**lJ%94k+pQ
z$3<FvLKPJhEXXW<i2g?z3u}`vIAEv;hVsX$f}i%{95{*QT@o4TM|Zf16JQ%Fq)m>y
zRJMavj>W4;Z9xLzj@Zi)TwIFP-M|@v+@_Qc9nE9rp?$!fO&ytCy!yj@*CCAfw0|pA
z!Vc-#uvu?Kcprp_5uLTPuZAD|Qv0Zi%$d7w;d&>?`r6VVRQ2XZ6+hX#p3B?T7AHvR
zZb5x2kVGq%4(srPb7{sLN_#*KV+cRvZyp^>%46dntd>6qx|f6{q)j4Aoz(H0hyjva
z1>YyNc9G|USD3vUD-t^+I$1`54JacLTR(!Uep;q{=}Vh00LcRwj8YFl+%iN%3^%Qm
zE=<AWDO#8t3k<{on6d_*hHO1=@Gxpp;K12&@7m(r5MV~Wp^EC3oZ}&tz<E)Wo1Wsk
zBwz@dSkhNKZCrJVV%gi#veT%T+>>0?`GU#8jEJwg6pfbj|Gd}lYEVBLaJ|se>VoOZ
zyHKX~-H)T*RnKSO67eMssDXsaE^s{Oxdu7b+<tL1Kx;;HB5|*08=HNNFFDTs#K)1k
zXLjnY5DLNhnV5Mq3YVx0kDCfJDYai_Dqxv#woz~e^Ku4<UVyVQOg9DY%@~9fEqzf5
zYWj4U8z(Q1a$O&XSMz`>qphsPY4S|^-i3|fZBr<?Fzr^#A4Ncoe5SSR)SO#t(TG6|
zqXpss7v*u`fSS^CrUANl4i{w6k-kEjrQ~8hwwuS2ShD^w4Wl@%Y>xKkxn%p7#s2+J
zrvOfsMTHGCfMF>NBSTr3wBoqA!Ujqd;yv!S^`-)My{6&=qrd{)bv{QG=&_PvR*ktr
zBqndMh%F1T!#|cm;w-{X8KL2)aX^jiNR%j~V$|KxBp7CM$ICrBu?1!dI^`L9w-(3(
z_Pfku0A#^OJtc5A9aP>Jfk9{D!iNH5Mxc02;U8L{^I<RV+*pvy=6>M<On?#Wc_ecT
zE=5b`xBoop3Qwf6Yy5r{Ti*U`VHJa>VPswXe-3TXLi;Nf=IJ-~2f(5Ia-S%=T^}3i
z*CYM>>B9;J{(On}bq0BCM5DJ)S*gq@Hy}l-lf#Llo?MK#emh-HY(O?0VNfMMwpfdk
z5gD18^R|YvjM@;;#?DhM_W2auqfm(Ft!yQZUFH3N1k7oXP#EUlh)Qn{e4a}vcc|q;
z#-vEF7Qmz}yc2kEt1(f<;r7tQvmBj9a65{x=7&xo;Xw@S9Yt}FSOAuEayGw6k>qi1
zk;E;ir&U<EkTA8I_6Lx{{8wtl43U5&r`(J>M#!77zRL3GO0J5kE>0D4J9^v{+JgHo
zJJzU09s`ZbAa;2!1u<wPnk_cw*V~mdJ+DOct#X=FkSmH>Foj~866lP?L&26po_n3h
zC)kH5;I;Tj%sI@V2_g$F1AQ_9X;2aE&T3N1k=;cPg^4$|lJrSwGOilx<2ytZaXpAG
zV_hsPxKV20z8wuKM}_`}tl~c_Z`V3w8qjP+eFPzfMhx>iE}}2OZeAj*Z3jNjE#DH<
zvRq$iu*zJK-a;s<gR#>Zv`LosOyk;;1nPEnqyI2Gb^b8{aZ;TD64NR72yfFACL*z@
zbd8I$T`SayDJqM*!JABG<_!g!u$)yR33cDXq=ZY-{E+n>QwJyb*|0U$nNz&3b5*W9
zo;H<wo9V?z#tx->-~!3+234t;NOP(jt-<msSMZD4=a)7Va|wEf^8nb;L0N{~8DF$i
z^>1E1$r7%?ABz~Yvf)K>&x)2bFqa^S_GgMR=&IH%Hx|Wt;JLyMyb4fH$+<qbP#GE$
zNqzQ;$Dj(P&31HK1bGq|oC<}Z2ZwpkE2Sh^x$vq$>x%652$bL%xeT*uHY%q@6F2P9
z!VfnsmQob02TqpN`Fqr`BFdonz{%cJi$h0&3Ym$u>tb_SVzP|IjLnQ~SZIj2K;@yL
zipFo7!*ge00c~;+!@CXY;9H@Hn^KN!!7$6ii%af&b*ss3*CW0Ahc1k>6*_F;c$8t~
zDBI_D2P+hvP4;+FRXSas>IcJCE>pEcCdVAh&v@|-st?{I>G|$x#DBQC-}F`V>kL*!
z%a&qcL0YUiKnQfL#r#a_GSTH5-NUOr(rrSN{(H%&DcLbV#>RO7nt)X<rKqf2e-(L1
zN^^B>k)tY=PA_{ZheJ((o(C6LI)x4M{gnxM@pYKMP@b?)M>DD={*qH0Z55dFCZ=Mp
zf>2NDVVy)VB}Fe!m%5r%Pa6@b^;<Vz_g|u<9>Y{r4$)y4s@#}y%qv(DNT1t?L#uR@
zOn}bXxVwq^T-#`F08ucfF&fw+@H<Y(t)vE%cyjz+SpF{7Z}3@xwz{tvaPG55U-hA8
zx2mzyuF_~Fb*iWYs@cci3t{<0w{Jg}?4^}Ws;exF1spHBheV%+Jg8qs&Or2R-i-|*
z1C&4bh_ac#{<O|DLJ`MDxW(A7S6qCx#zYbeRsDCt$KHs;1hy_gS^vjaBI?I#^n2<G
z_{YFRh#OR{$A-&=yOJnQsej7sR8ESfMEQM;2OiTw#6l~2oJC+@^+XP$6bLBgeX;_S
z45>&|l3r?8Hg~x485-G85m*BW&o|!4W8)&opX9iB(f`d8ww2?;@0}e5N|4rjLPJ$a
zv5P_FF^&)f(}&NB=N*rFQwhYs@EUQAu$G8O+o`ZV=`=g#Dk_=!ZOZQIcNF1q-C{c&
zZmA7PzyDObd!OK$;y~&Qjfe>hzRB#ewi5zL6o5p%wp+Sv%$?ZZDoNiiO}9}w;Ua{!
zTDk^RPv3S{g`A8gzTMSH7g-}7IJFEkm*kBfndvF*<U>G8He_8YfDstAd_#1@PV}gK
zavk))mJhSk0ty3JfEDMips5UJ*RrYj53?1z3SE~pBfjf|t#$|oaTH4dqZtCdH?<<f
z#c<MRgIf_B6D04!C5kYyr(s%;^9ObB>T)3td!e2D^=t@Bs_JjFMYn|1{JF9GETkd2
zZ}-+ZUyxt+i<iV0oI=oE>Cr61>Kg@oPsDAfFj(H<o&c2}^4#??&2X-EqHIs-%NxCZ
z&#xnGnPPfXQd_?}5Kx5>+=A!Ir>T5)!vsqQa<o@^b2Q4>OI>rTu8#waCcP*gEs>La
z?Rlv|_1zJK9h#C*EzaOud?9+;TPuc>AEpkM#yLj9&$i2B)yaDCd`0*lcgwa1^9Eh!
z(up73(0iBSqLRMu3!vXg9_gOzqt}4K!cW+ZjW&;N9Yf9R#XN*-{Y6Zb1b@|F3EBB^
z{Sfo6o;CGF$!k%ysz0I=5AUPM)L-L0QWKO|3Td4jt!5ms&}d(vc1cbqa$dkc^QRzh
z=cMdHvoi_rD{{Y@w`L>ppSHd5{%~rAgoMn2;zutIB#-f&_L#ThZZ2ifHJqp#O2aKq
zdLV}H4QkyodY)&O{nr^fvMI8?Iqu=@8U6D4w<oekXgPwKI5#JG#b5hQtC<C;pgW2#
zX()5hF0ZY*R!xYJu3Fy8!>@`e=0eZbKGOlMa5HrV`ir?RbVz4opyMG#>P8D=W*=OR
zh#`E=u8;+dC_H&I0A=%rjUX;1rb{jelh1)cy@Xsag&-&9uj+@n!9L<)oZpbedNREL
zr?g~#9V%5P`(LX-DiXdd<sr+cu%L_`&l?HC-TF+i-})jfeDLKDQlDd}w2%BXrPO+<
z-P7n|1a<VA{R1HEJyINn?RsP(UK@m#=)u;)AfBeg8Qq*`;qW6OhD+Z<DOZ+n>q~P-
ztYLZV{J#J%ya*vKHy7V*8pVkX1U38oVF$H(Qi467(VMSqOMVJjv*}I;$ki>uW;lp%
zk;suy(e&jge!ydx42*QgP`k<@?D$E0kwH?cX}4vMWA*MS#OhX7Z;!3oWS-<_o}h_t
zDWPp@HS+$wmsL}yM`R1Yn>XA1%_Vnk0>SEUOmrmAfp42sqhnlTnmdB}2niZYhQR|2
z%F0D;mv8pJ*Rp_BLd)y37!2#&A94h>$w-l_FHcplGtW4F`0A<HWomJ5;3J>EI5|Mx
z*zm}u9Kh_yU<B&H#-dZl$8YQgPeG`2gDa~Bnvp^SS&nRS`X`&j9_J-D+i+c$jKzNK
zZSD4I_fah;QR7_PaUu=7pH!IRyM@;eBj$^v@;vU)NGOe5_mKWJia8Qvya~G8I4YCd
zL`MB6j*`pi7fEY_gX;M|dM}4v7o=kwCP0z9c?$&GJ(k92G&Ir1wC)5c2O6qiul5Jt
z<Aaxm^v&y3n1fm2wMdnoG77a0k;1HXQOz6rp7dRB$W(p5K1j$>gH;5#%Y}YAT@GDB
z%VIj`2{J8^**0M+NMs`@r;#)sCL)5tSIT?ks<`0W$%p>p+GACOZu)d8>c1n@u%a36
zlKMFS#vCB@pFcgKqB=L@I^!D31W9nfue17dHg5rMuACP&{bUlK0>oDk$Hh`_K+zj=
zaQ{JHyO#VPyMkWTTsce4(BHfUJgL7_9U%(VH1Y;M)m7#Z9|StTFt5Np6KfbEsC=%_
zJmAf)F%}<5(v@_#<G+3D_J+~R&VsTO7h?_uv|KWX1?C(MxTYLl3FxWSaZK-6&n8R=
zoVEtD-oIfUC^usU5{_!`5}s;@q4)bvzJ+hGt2@FnDgsR<H23uni-g+QjThq<zc*Ey
z)x(A0K`N~oNtpqF&9ahHO}HHMIWvFSu6*PSqr{2<VLMg|A&hj<tXiK7-+RJZY*~=7
z`~(eG9(7_!ZA5@Vn?i(=ecFa0oQ{&ZF}p<h3A1tz)<v93loci#hAH(W*Pm#EhByIH
zhWI7l`4-{Ap^^rz+z#aITd3FJ>ZfIdcJCupgXJ1z1I-%{eM5IV8O(e|pK;uRnN37B
zix5#}T_H1#iLr|_YLii?P4Cu`pFMklI?uTvn6xJbyzY3x>Xeea&vUojw_5jnoiDd;
z!in?599>hV;uub@VddVwF`t*w<T|W1ifi&#GpdO?uTIpQ0$Z<nE4zSxD=XaHfuFnG
za%CV|R{w2#3NMH|>JBVCGOSIkYz83d$UAu<(9IEN^PI<Bh<=~pUa;P|vjwY+nf=ys
z_cqe#dO7VU)lx3EgmvO;)r6EZ&u0-kn_@)Vkhf0Ge3nH5Ziq+?G~Z|zw?aJsw|G5D
zDPQ>CCXt!);MK7IsGIV%zn5hnT<f-9l_MUh*!w`V!CM@3zi9{%oFO9Jg?P8QqP^++
zj5<Np<7MscA5OZBNP78Gf@S(uhFWs1ju0(qS#jhCX<2c+XG2xSm1);N*3>stJ?uo9
z^RFDd)ZTP3EXir-zow*}2f-*n={yV}()Hmc)H_^($>On4qz8x?G7YJ^buHwTPQM%0
zI3_Jf^PG1@p~9YivTPQAg!ag~@!XHRryZ-bm*Xpr*X_EKKmsu;cC^lJttCpa{K_q6
z7<G5u=ilGQb3EaJmyne0&kzh$84+?c8uEjnHjVF9ea?}uD2=K35(KY^)3Hb(g1iJo
zYA-Y45n${}3Jl+;_2kC%^7Y`L*?ISWW^u*ON&I<a89`D+$9Z8gSsprC(2D8_K}o1I
zs(oyE$<CBxhr8h2EW8ho{UyJTRl6bdXZkY#H>`w5ZxU&bX@g~rHwGx*LLMV?<cEPY
zl7_%sR9rU>cJPb-WY+{tx(F&|P@5zDAy(p0#Znr~#eD!U`{0F`zuY5K!Y%SBM4-kT
zzHHF;#P)n}KljAv-^us<fSu2{+hvr1!QkJL%+}Uqb$n>KE!`RE?;nyf1i8xkn9k6z
zJ5DYcP9R3$^aG`5rea^0A#>wZ;NOxx=^tCsH(QrF31CHBdYM7;gwcvor1;9Nb>u=C
z5E{3Y50$C@uRIwanl-CHs>l+vAvw8o(9(NqWGp8(rXL!_T3~N7oLr}vPP~Ht!dPa1
zMINMI=}3-7*(N1JU%#jeLS=tpD~@e<SV2@)H#u?CXQmZzX50i<+dCzY|06`SS4M}=
zLA8(>#ODWhx#5R)X@Tl?sj)LKM%{l-$`TZ2Pm<VrKJP){DWOx5<Qdwad+$1xDHMjc
z@3>{YRIG5nKwI9C@Ns$&*6Z$JQ&tPAyX!V1^3oN6Gy7GH85Imm=$IKy&Nr1ApRIa?
ztF;%udB>wEU}v2@w<hMq(XNbf9B!TIe>Hrb0*Bb>A4PuPd3H1TufZ|+4PzUl{0F9x
z2xLtl35d%I34IXYz#<=vG`ah-ohg(S0bfI*tHuv)LdIiVN-^R|mnqZkR~V3_&T|MX
z=4N0ogQyIQQ&eHMrhDLcco`HkXj8Wdzr#hn{-uU|Ic0K)mO7B~<&y5euS`R_MD5uJ
zh3!|NP|=W@L)r^~D&v%QL>+~j;rs8+AP?awkBQ*N329Yx^y-CvM8ERZxr4W!h<ht$
zHu~B}3nlkiW3lJ(<o~EteJ9Lc6Nn6}dkmsa$DM>GtxOSRfo!L;w!q-5N2i2T`7ocG
z*FEG!=DDP%zf!ioFmr7H<`8P^7nir5)~70~EW77eKI^Wa--dH%%I6+bU-nCbHrcL{
z=$#eA0O8a@&9S7P9ma}Fly6`5TmK0^hwvjj@!8(>X*Hw9sBXpxOWgma1xK1kYp+cJ
zDq`t2ek8o#_6WjR+KHYopcXrRZKE>xF;$(<KcpZwRp~tc>d)arOrDc|L<mv<EIRoF
z@%zY4Nx4G3-YuFng>N~61*WLKmT_>B!;VL}y9Lx<@XAeJ3)FPMd4i<&WUPFFvD{cm
zzh)0d$rhUN3+<Sbq&r;@73rqNc)$2uz84W`=*(*06sX)Y1#js2b$6n!P9-N%Nm@|$
z%flCX@*6kF-}uL}B}>GP-#W!nfqqduOQw4kr4ii+5bPp8CWs~fNMGW2mC~XM00|iC
z3L1~fcQi74K8(15-zHQUd2u%}*T*|xa;2&<0lcwrUE<vc6v4HO-w)j^GUDCv<Ir#L
zXjH%{+&yDyZ+wi`Zt#g>#Q+-&Bpcwnx9^xDDd%AAvW@%re<Y+~Q{3GOD5zDW37Fn&
zSA5ASFJ((h*D!%BwhJwX0j9gZ4+E_Z;B0ZULn{+YPx-vGAziE?W_j8C+7q%xe>pvJ
zX#N^u!jEttNfP8%<T9?VQH0NXMO)M~MogL%Q+kE8jpTEIN}AMI$YlZ{UyLZjL}(_R
z{Cl87DL*bTuvI-&$lR{2D2pj!_gJi7z6p@QEfM}}+X>Cb$by(m=bFrVS#0#q?+-W4
zxsnw3Iw2{ebm$7+Vc`6T{CmP>p#_d07YM$hDbkRP0Vi@HTI-u4K4@CxqVTr~G0GC+
zsCy!6c1HZjiK$D@bZkG;T1~Q2(s&N4Lr-)<Is6A=&ccaf38R5Mw)j1R)8;<<OKdD3
zmwBgB%uq<`8wB)_b<GR7hsf)~@^g;pw3IZh8z#W%_u~V%zZ0w(zC!zRxkqbl6J%0S
z+8W`A^l8c`A8m{HJ%&8YIQ@xCm4XqFOui{bOYgOg-+CD>f>b)=vJ5==WLQfy5}_S0
zi!F?vy>}4akivG2oWK7nWCeJRFf##<pn-d>j8Vy!`t2vEy`|~#wcjkVbCIRO@?W*p
zm^GYV*%{)OrjwXc|Ln+@xy-Q(#+{aZcwr|B`fP!1Q>OaN{%>awM;dOsp>v4On*ZS2
z`RR?nhE*z=P+19>Ftua`7hGmRjfHtwrX>c(9x2n7=ks$^2ilW_fq30;)xp%`)4UE(
zWT9@#lPF{AC3Jb-R9wBRY2F!HOL?Et-Yw$`ik%)EWG4-X3muhK61YepF1<68Vk99C
zOCQx)Wo~}h$K(-98eUqT2TiY~(I?zfvUcZrzxhW0W4G@z{my4Odweplp+~Y;!|wDV
z$G|ji>+5`vcnK@n*CiRvKPaPJ&#u<vI7u7b;?3ARxjxyupxbezulHh2UfyFgZtt0^
zHo=m+7fh4MW#X_WoqLUPi4iS7s(e=YB+Lz8X=+2U3@^>gh<M>Xjh8J(F&^pL?85|!
z-TS5QNh(X!o+sUTpdxW;_lFRuPUhkX3)Yro{z?DMzCA|y98>5`?1yozp(pD!;Lr5R
z=oxCb$lY*LNsnokPMqd3FvUB=^n}>OF3kB@^HY*lQ!2Vm&a%}R;`mRRcnVnEip4Bf
z-9EPYn92s<!he6BuGtu{qbj6C@%4EuglI2cBC=LSj@t9R@9{VCOkoMGHiAl9SHjt8
zzDj4U$R(e|B~h^jSHNoaLb#kr;!-RV0-gSd-jN~{#TFMScg|9E5R@dyHJc~=I22p3
zeiwrCU(5uktX?R4eTir`Q&e+<h;w8|=ldS+6^8vok}+6-nh-Qbl*#W5>1e@5#k@RL
z{m!_|s=0vzON5C0VY)(c7zakaSrk~A5z2v6|3{bSMnVeQ*4c|iIDi#dNT>vqx<w9b
z=sE+DD5unYY<-HCA=egZ0<3Zr21D{-<b+?Ld^jl5tnf_P$HjoVd&a!<iwP_H(zC-g
zq8(ZjSE$V7G4tOs*a!<h-zEzlxs7F4e3UqakCkH_iza1}O+dCH+b5u%ay1K2wxav6
z2_6L>*v|5!-9oUNM)F8gcLl3pg1z|X$#08FeVLQXa`RrnK0+1)odQ>>$&?m$j-|(c
zDDTYIgVBhmu!%Q0Cb|T+>2Q(>E2mj_Jj!l&a0YmMs-t%&he&F5VMQQCKsTI|Sel(p
zAFANBJ;j|>oMF1v#8y-U(vPgnTGTe_A<SE6u}OhdJo(t}5@RutIxi6LB`}}25tUa5
z1y2Yv>S`Yq{Ju-Jv-ir4OduiTG%SY70rHMM2&B(zVPE}`3W=1T@VdOv3^qenEE&Tt
zAq&^>FS1m1H>3by5p0&o3$gp^svQUpr@U{s(t1qnHH0~T#R^o2BhwS0k+m=`hV<Mr
z=}Pk=?+giGB*3M66Jn4tr9y10KRRKcFvj9{J(3yfWEWAW-EP5A$Q04X6(Pv%d_CoO
z#J2Bu@mK}w;2P|ql^0);<QtJXLK*FjgfgVeo4>1o*f8}i^+)G3w@sQ9oBQEH8B?ZJ
zF1D|vFIvIvUJ0|mcP$8Cu${XI<*<ArX*avEA`dchxGIYm-bE6}zhP@NWAHEE$zpr^
z1Z`)A$~743|BfJHq#v5^rMO!_;hHrZvi#@0b_0E*|CYpDH`A7y)sXhBLc4y-$PsR&
zn;ton$756MO@DxW&S0a1oa4pfl9H7Pvq(~ZlNuj>z4t4labU=rY;JX2$T2m$m_=0n
z{S{730NJYFPZ7xodiAu7^0FVSs~*8%5XKFA{$px*(QhOWVUIUluS$i1U7pX!aU`=d
zt=Ws@))pCnR|;2Yu)!^4i(K`_Z#Q#zKbkJZ(Zk*-cJz}V4atUa%8*IU(<HaekUofp
zLGPqJGSBI&^{s|tVuCkG2@|TUa5DZxKp96*ILFvm1FE4XL-sN&l+s#Z`N#x2s<V#0
zA69<RzzuI!Dfe|8Krng%+j$+0+?R<K*oD|+t1>eF<IfJK>S99jFbP_LXahOd>6qcs
zL4JzJUNmn@tnNOtve0))ZfrhZ=_us5>&86wy*Q!_g#O`*{<g@8EC(wFm$il5ZqGqK
zrZ{sJ$SNIafS*0XJQHl`E=rjuhQgq)IiPn(O>&N#6jN^9g+rD&MZZDsrE%=d8AeI7
zJH?pvasIbUDZ6x|R{0+B$CwExL&C0x62g>Jpii#Gl{et?D{#qQXCVK1ct}%<8AV3(
z;64pAPgdB><mhWGd_LedbHvPdr@G}nF0hyqH#P0|ZR>bBF`uNY3C@0o-(E0fx)ejF
ze74^1qtT{ZL#F5j#4j?qUgM)$kV#r5p25s+an;9aGRL&zycAIjW`ZH(<)l#2^!48a
zMIT3nqib-lAa2W;XL3AQ3R5jzT1!5uVKc$_))wBR-|z#TqOXg^jG&^fpvC10lo68<
zxe-G#x$EVp=v4zw`fl~`SRq1VRXVvR(*zc@O)j0tutjQbB&g-ku&5@A?ca}d`PphT
z^#7Wo%eZWK*-f8_fmGLC6|9fZ_<G_Z{ex93fgiOWje1v~Hb7#+KOG}BfbR?ubF?EL
z4!2@3PDPV@e9Q4TL%3(N8Sh9QfVzwEZFTy$j)+!v^uYl#KAs|Y&}xd!f1j<y;Ow+`
znTbt=5xtQbDW{>xxPI3dSE9z&*NBgXFA-D3aS3x_M)=vONN;|3wl2CSo|kl4lBI3(
z(Nzp<(>=A($(n+Sjbvig+mMEecUbSmq0}B464p>tBy{Pk4*F9PX21u@dqgu4wr@zj
zKt}@)pFOO6Rz1hEYnWLH%Nggw3>#fzaLIm0%jh#Sg83hFl+$s|xz})-y3h+?X!FY~
zM6k#`oA!xgX52nskV^6?<=kVj$6l_H=DDv~|CqCARL`(-l?=(L=lMk>4_)0`9f&<>
zX2|gi4QXhMqbgi3b~t3fgdp!Yk2TmaPvVmLD&8(2+8=+*g{&+5FZ*dMyV3&xny<S>
zsbgZ0zo8w~fXvt~p1oGuJ;zb#K%hy{V?_tIX0VPAX?69+hxd@`MeG{Ab*Eu&1KVok
zp$;UIw%4Kr<%6dchXDQF^Oa)b*MSc*hApq7Hh&ZzO~MSZFtO?CgZg>UoHuOhKENM>
z?@ymD7B0S}e`{cEF#Stxx<i!TKqhG>(*1?4JHN84ufbc=?8vWg;wmV0<Kb_4;!hQ-
z`YcgXF6U>bZ$9O9r)3iGhugj@UH#sMpaAWJl!T#LEZ3fCj*nll>rbGQ&?>l$VM*oA
z=*R7Q7h`}Bw+iZa1Aji_S_}B=uzOO3OC@;)j-5MhE#W%$r-jHuZO=>w(zoo$`XuHH
ziaOBum#vH~G^ZL~FU!5z)c>f4uKjORMeXI|CTIyCET4A4zoxf$!--VWGJKmEU1#W%
ziBYa;s)y#O>5p!&XUpKGO<T^esLqSJvlE7*Fuz-!s7YM;Xfc&ZNdMk8Cq$$9XtOEf
ziI!M2ChUoyL<6|>5R=N=&$*jVM<w)Qr;b&R;Y^#1U{;<LEM~DZSICQAUGf&ZTD|+`
zms685j%`O<4JBXc78R<p0eZ?xG5!ysH{?0_(jHgxfTy~DeqeI!c_AU$fm;=8H&jgN
z0R$>{`2*6ykIj+cN{++8B4go!#E*0zrMG1tP?9%N5O8#-t&{5Bn8Uo_oHWgQ#S54O
zfHybmg>$*W2bQ2|)b}m^?j$!i0$a=fF=;OJ33A`b1WqlY1W}fZpnr)UpU86gNas@c
z3%c}QY%mrr)BO6g59~&sP|B}-_BvDfCZ{g!7@tsic!eM_Y)COWdTi*jfJ-JZysXuq
z`kc})a6mwD%=j-`L2Y>u=vI#h^GY*6I*1n4w{Z^x8*%BY%j(b^D=AOlxVhB0C({7}
z`i%h=zN$CW5L#=O`!CPi)-NzQV=fwG@&{<OZxR_0*TiLV&iU%Oujn>#7-WV77@Wl7
z>6Wj+P5%WIwqHh~Nf^doBv#c{Y)siCj-g8t`lO=zBp>zk)$|N#ygCoEL`keXimR(1
zs%ti?>rbm&N~-7L8r(SU_M3P(arYQXGQTTuw#ONm64%#r&KwvRP<D%bOI608ygtot
zKkjq!B*`2#GSMd!Mkg8PO5zyXlM^Nh5srIxJe@uX-rhIPTNS3Lwf8oh-EYeAxE|#c
zj*AeC3xC`&!_}q5C8n7n?=j@}{Vv64b+J3TIv9_+p=Ux~)yc2pZdI{8s_Jsx7xyWM
zgyVrdHe63#Ma^zy)l~;`Ij%d^RGVi*!A!B+pueum%XK<l8NNigZAMn>!)usX4quQx
zI&(7{YdvN!4J+%sBE%Dqvz?J-xBLX=vA3+ZH(S^9JBm9R4V|X8GpjdgGU>8v@fx){
ziqEu*t8FuB)AL%<%hIl0EBgG8=9QJKdf$&|ZYEmsnwBK92m_99+->zH<a%9^eiwS*
zYb%+V3`ogWYnqJfhw**a#5m#StN#?&`qlc}LR`jd@Mg_S8_Vin1O}Bn7(Pw~!=xbn
zHHEjuUL6ugZobva=M9$}+rvh&%PlA*3=%ay=eRA{Q;iOM7V700`T9Co(QGSQQQa+7
zzO33k>eW{gAOD?}Ar~U!W7R&GD<8{i1l62hX@Ax(Q!ju2N$=K{L-xFk$AQN}wH)>d
zp2}~*CoWpK>{v^p-|Cc?gh0USe$$aMh<)7<eM9V=i^;@arWZ45%IPJ%go1}TG<YLL
zzsmaEOyTp5wPMx8@>>RywWfMaQ_f~#b(5l=<z=VS9^HR|TZ?3)iN_yJPK+fPbBIf{
zvWJqN%xi1X<bmU3XTKMR*{F#~cX{JTb-NL+{N0^1cA`G0N~=Ci*mz&Il+t7<%D}cC
z(hMWR1C;UHMs@WWc?W5uxk9SgNMZrK^kv|gi@X2ha^_;@f4NFu*7%h8?*C{hiT%Z6
zdTi1?)8(7#b;fbnT(9!~LeNl{u?LwBW0;2~2gSXUbX`qrJi^}6He^&;x>jjbUzO+k
z*tGWuvxN&0%2W^4ndLwYyS;v@ZEtF7M;aw|O}GupIYp?To`GNumwl?5Tq;L26P{hF
zudNX$$Jvq5h129)qW_Y)BJ+(EGMR0@8CP)Bo`>t!Ip5UQT=1J24kY^e8*$vZ>mB}@
zY6|TPu-2}3C@}nKRcrUgi~rT6L#nAur_}4S(t8qp;xVzqF}bO^04uKw`6JcXsRbg5
zuS62FL=w~g07;DhFDprm!vBb46pqEc9uYT>@#@Ds@&irHFy&(^iCyD+T2Svn#D_w?
zLy(RikY{&Cg-8@)4+6mcF3H#w3pNs57a8%6_r@rHEYf`R=VF?qENE)y8bke>Lgzl4
zBvKPYbq!PEhDL6J<K-v1a2PM|Ev*cBtTad4IhyC*jVy~!Ww1_iG9A<~4jQ^7#f=+n
zzDvSv0_zo$ws1M6HC3zZ#mSD99PF8z1>2e##@)^V#>@yivD3UE9wX3CgKyrv4?W95
zfl@DY;axU~<w=x%>D>$p!O>7Tp-amfV`}yX-=#w-M^_~%C_7eru?SO?Lst|}ROzz1
z<ZT|CZtnBwgn0324RRfFlz|E&j!%c%V`=hY+pfLJEh?ZuH_pkvNcud39RD1sSXHyF
zroWmcjMe`YDmIhLg7p=v!afZqdPr1%wcSfjr-S(Ou`JW#1~pYE-2NSbHdLK9#ZsvS
zupES{b$sYnaqk8d1M69<h>F!34vA2t6<IKX{o)xb`$_bI4db4NS}2RYpy)Z^;ie6m
zrE8}Tit8B_^*Wek8S(Jukd-m+cG~M{Ct{x!2PUYi8{dePxoAlxTRnrStaAo13uWaj
zFegichvmy6uch89C%|WzVZhHZ=BNUUWH)%2(bTdOz!U_Sfq>jcl?D*4!LaRdb?qxA
zfuQNfA4P|Rr2_2(bW9!v3Aos7L1=E?C(4K)XR?hq`bE+ZzQ6j+MMZ8<JnR9WKCmFt
zvbk*Yw4%9;Qhb66z2I%DS5I>0i~OWT*~2|oyCZu!dAcnrcwHe@K+A%5C_IL=?XMAm
zIPh*U_JaR2BXMmz)9EBXas;$!;Q9RkhOcdaw-K;|eu5-Au2CEimn?sV0}7~BsW?<X
z0dwg@U<Xaevi7DgrKAfu&x(Zcvu~v>7Nc<=(?chf<$4;rIO@%nYd)qq)WiyVGb)%&
zq#E#*>CG@*o~iecM3byaQYWk)8UDJTraezrq%#TiVnG5Ct^9RGALxA;2>QTc`;ijq
zd*%~^V6AbqoH5jXJ>64?#Mi-8H-}7*c_PrvNTKznSk4FWyE+X!|J`B)&LYiJw6>wE
zoxLVmIOyuV`~hvozMBw9R#o(UlfYqpG1{V@;h(2-fm5oP+{8#*(+2O~dVG&K3`7=J
zX(3KHWx7VR43Ar`JfCck=*5^a^FnGAOq;*s>6J{r=xL&WIO7f#_q#y(98$9TT?90-
zd}8}uH-4UjChFSo_a=sHX+eZoV4X?FJmo7H1*y-c_1Y21H-B+TxnclHn%~Jogwm^?
zh>xoiy!A*+MJ%gE&%Ot!OK;7%7~hTrV`T5RpU#|535pLY+EXrkr*O~HcRp~n=@W?o
z@K-3O2y0ml*h39@prK`xtUg$wwghz0I7Wx@-p{#UAa*Akg|@FXhkC7P$49{}Fh~uZ
zzOy_AT_P})y=Vlbi3CC%UxHL&qKT&Pt@p(M22sjZL(Oq4^Oj@GwB`h`D`-WVXhaG$
zN(cJQ>soW}Z){a#-vsct@fz^cu-PpP;%<mB;A+t+p<7Yip~86)|3KQ>4IaH!Vw@mP
z<VZQwL(JAZ?0zQdKoc<VoQSatEB{NMnGo~+KShSJUqqqQ>D!J9P-UU-xSM_&1GorR
z;XspvcLuV>R9#vt)Lu?b6g@v^-x2qm^8t#fqCC`9+;#~tx5C#)F}LEbks>h(#0-o0
zLz}tCVoUmq)Q+18V<g|Pf-sZda0a%k-;P}=8IY7CljXD+-!@!GK@CEE*dwPEvXUF$
z?Qt+-Y7R}YSV07DzemV=0<oXjj;-_wpEH$$TP4bA7MPt?f2->m6RA#TubRv?A0cOQ
z%v2dzOfjKrWeaR<v$mvimP3`f&e@gz-2x_(&dvmnEHc>%lL$J9%Rr}cunmFQF<}|j
zo7p<Cu%yKTw=8R)(p;Mg#{xlkYMLWzY{rWF3KmmC<o|=QA(F8nT(>{1EFcY5{nSi8
zEL@*s6IH0vUZc)lRiV+gTIgISwG3sb<OpmazBgk_nbc`rZFKClplgWvWM4v{sjJ$K
z3Oy%erfZH9f!jzSKo@!U9kOvxSzlSxt|)RE4I1;ss9L)|T-AKW=G?lMo?Yy*yU=m_
z-X=23hSBcwVY1x~zj`mXiqTYw7dg?y!Ty*1@3FO4@)z%v*AtlIy>b9e30!gBEa3?4
zwxjJsVuW6?ZT^%WN-t93Jb$}TjGjG*+I9_8-=rZ2Jlwe!2=dG<z%{eZ!9x)%utI0~
z&U!~;b&DPwwO5?*E`vU58K^ZYlk>2waYv<=xB@T@!;Dxp@pT&2Yi@6vaBHN{TBY6@
zH}d-H(i}ZY>e6pq6~7rVQfd%6p4VM>@Pn;!PC$FU(C8im<HZ=vV3(I_B>``8ghd)_
z(;sKV@P7uQwwB5Ld%oi?rSal*CYp(qIxTcVkP{b?&`RX+7Ib|wglU-Z{*^YKvDYM}
zy&fM6e&yEoSTB(~xmna45>m1*b4a?)%1fW))(#O%n#TEFNAs^FgWDk`a=5IbUXq9P
zp!xBrTAfS?7W_e!4NA?_m?oy=ucEH}jkHQk6(E?c$Z{KUj3;Z>OoO*#qbAISUXHn3
zobxe4htkPBQT6H5s30Se07MW>BsgRzXJ><Jr+#doJ+n=bg(47a<$<dTibWw$*^6D{
z7pVXvSt(S2&8!sB!P{1b=-?qm1%z$5qJxbss-lsN&5WWN*fvkm71d@!5w7?y1}@Jc
zFB^<t{%7n1vkFb2!H<1y_KCgwwtN-C$)6drZ^*G~T_-xtSejOhw#(+GaHG*G7vWD&
z8UKaYmk(01q?2$X7M;cgqDzKmt4Q3i9o)Sc%ACU_)bh~2;V`LvxGzr4Rej_XKyzO8
zCaORuwUhy05d^AdckOT#Kd7nGavh8s`p+d(FzovjF-8?NMU3Lb+N<a4lQ^xJT_(<X
zN?#=~UcONrlX74EqDDaCc>t5L#z;uHk)UM}`%r0UoaHr)Edf-bD&q6B=W<0JsI)1K
z%=2Z~_yp4Q$BI`SwBvUO&G4uw-7~Shj3|7g9l-NjI~%j2V0bI9sCLbi$dUfeWk5&3
zKxZW?US}-%n*>8Shwc9aZ8nn0KuoAtYl3wSlJHMLMU4n8R6TWRs5ML~iM<lKq{<}L
zq#}BAK&2g+X!C`26)U4qk6lk1DuYD`XriSoRE8KT6;wJHDgvkT6YOf1h~)-lI41^~
zxX02e6C|iilaijQqk_z#Gb$wEFr`pwatf@V)m&oAC^l0VscjBY+eQ2aIZ|fEBZ}=3
zfs`15@X8H^#4LJ)W3dW!pwoOJswg#62&rlfOB)Eprvpw`o)ji`!ETb#=p-ZH6^{g9
zwCi-q#tLa*MhtMlHW(^{1t?&lj1(b))vicxJL<YoVyY};#fw#ib*BVa+P;gUaH|Vf
z(RTQ)5iBhcEGZ(zp~Z!v#UY`^xQ)u|LyAIXQIj%^&{B-hf{f5oswq&bqjE7-q7F+E
zF0czx!v=xFpaC>KmA)Kfd^p4^2{5{iDVSAml-SEHkx8~iCeaoVvNe_k29eq#MhFd!
zv_>=XG_=T;nG~_1^(@vsOBx?ijYHI-q4gxxJx3ZJQO#4}=M-_GWfqwgQIJ(o(>PLC
zM5qIqVj^g?TT%;7F_s}Fh@mJDiJ-nMK&%I6YL6QXfih0}CdD|x8vsm>Yp4omrGfVA
z_rFvB0U*oy3+%@y6VPKAR<#N&FCsqTIRwVnUKDRX!81{>R8R0?XXkpxgqETR%gMi#
z3Ic9~B&CahZyx{v00000W?T&V(0=h2X2y(0?!_S{rx?NkD9SxG9P1sP!x^azPujT9
znEa_dXGMX#2LO*eGPfw=J|&$oxVtGMx1<c)63<K$7dApHR1!&%zD}FBIk+{aA<6CZ
zB2z}EL}UnPgh0F#=eLWw1vml*wDiL^`3-(B@nFr&*AvD~XK$dP2n-R%n9U|8DIQ6O
zpj}w~1EGNiEymr1_=$yC2g1;T1bbQCSq3SBkA2medmdRu23R<(pRj_>PciZ&$dpta
zYy&L(p>|W|pgzMQAr&Ft`o~r&IdZOk0-r;#jiVl{gxXN?R;T8}bmdO~k9WRWb~cyC
z4$&FRnt?Ti006?icK_UvyhiK*dO;ndGB&IRkSM`!N@FaafoOH@<PzXEa?wlxGjRD#
z9G*ZyHGcvuKM;_aI|VkOrj~*P_C7iPwR`bdA1Q>3o2{#0229?oZ<&?XBu&HZ$vD~O
zbz>Gz^&%my>LCs#`Jg9|LlepQrE}(hfg>%loaB^4Fhyn*Hy`8&2_-mt%bxy19ok%J
zvy$)s>ncKK2#;P2zH~va^+>#dC7|#Mi7FCFl#EIru>U$mxacF|G)cD(DCt!-1j=I0
zEg>{1i$0Y;QN}=bO-b&<QCwsoBU;Cu6l{602aA+0$_bPLnxu<J<r0x{NQME3qYfO=
z6Jn6h<}d-Ezr1ZC^x8}SL_|)5VegJJUL(Xr+I+5im<g|t5s0`vCDdqm$$V&7a-du=
zJ=r&jF94g7<WLv3X)u(vXbW-~K%4$5ZWPy)*KJdKoV_iGyj?)cU{sALe=S0LiJ%<^
zF?J*Ktjz>K4?E1B3_M(DSd=XOV(XIx64TbuwOX$mh&vpnwVB_3bnhw-AWZQ?WU&;v
zu9QTo$uULixA4SyG$_3Gw^X7l5>k#coA^Z%G;gLj8zx5R49;wtnBB-AqUrS4O(j+o
z-k=K@`)>V;x?Q=BV|#&Li$G;9=67!NonC(=4e;rF9ZWI+N8u|fII-2UMi34HRBJX)
z5MDaMv=RX@Ff4SYGVFaJ{z^<`NP(3<8uA#qQ^V{Tt7+8WR7F=`Vx0t8v_cFZy9&ZR
zViiBEz)f-_nN;UO0I-qzo3QCL=*a{4CaLW*r=(`K!%nZ@Mtrq>voRUe-v6MyH753{
zWduyK3Wsh3DT1c<h%YsR3Qq=InRYSa1D_DuE0~hR{RKV45}_n<Gjcq-FmPfw4V=D(
z5D81c;chYpZ(_g#G{pon#t$0JGaiDN2GH=TPASk9M~*ZlBk>^|5C>C#ffP<ll~Qr9
z^}v$|mYG4;cH2O}eFP-;3Aq9z2qMusR5O6Y!oVTFfl2L6ZxO-l&V#9!vcF6R6hR<V
zPp1lY7{`YUpIWui<>-+RbDc7{IyUu;YCtaq^$X0TI>-8m{8q&s=vih~8<=AP>Vt{t
zfjl+w1f#J;!~ft_hMl$D%YO^YrUpR|Jt`DluR6o~kdJVP1)5?2XGf6wC~m#zFKG6G
zz_D6^zPJqxR1pk8wESM%FfHsU6s3#s00&^e*filsr$Ed>JzreP3>{PkqmxuUYo|2<
z8yG|>-4O<jiIYN17}!i^<BP~6t~~-gi_++!pZh0=zi>{DxIj31fwf`hzLv#+xHw2s
zRjIkT<9J8k`ynyZ%g^`{Rn@tMs8}aFK*Si#$(N<g0iLf>=s{uy8dK*AbJmVZmj%%X
zt=1lsj1yej4|td&CU#?PGG&mCBWY|fjV<f883}}XfLkMhQXsi!zW)S>NK+rr4onk)
z@)%z*0qPjx@c3oYmnosB-S)(VC^Ep{P{Q8vB!EGo1c2WH<rf+W3v${#u{cgRF=j>3
zA5l|%&RdDdW-_H^F);!DxA!|!GJenYF#}faWty}2`rcQy0JMlr+F_?Hu7tu-!Kda;
zH_Ksfd2%$WtKyb{A^@QP$Do@5WoRbAAyNC27%I6<L05(h(Z!4k@5K2&H!}*(p;*x+
zO^F~S-0YYb_KLU&s4haVKdUfdamS!LPDTS;1o5Dp#+K5B0V84t!f`RA%%eTCwF@~Q
zm~EV^R3sFA7Fc!eGY#k@EHD}XMI!K+<4F5!st~6DOhBtDUMuYY#9%|DEAiMsz=q;p
zI~;W^C+shbO-!_^IU(011%i1<LmV~3=&4HRu`X)dC$5X_>5}Os92l4E>1g<gMw$h*
z<aXn9<<+?O-|5;JjKg?fYAD;b30k(N;^HR;HOC3@w};vl2(jX>j5xsNI6)`Y4>Fu!
z3mXMIY;0V?X$Zh9Ym`lOjB)37*eMOLQ5KBQRhA?~WD$g>mbN@=f-+nmC!puVIMe_Q
zGPgY0oJ=ZkxCRl|0HgylB871ZxK~ga>ckj+6UebiFUcoY^Ind;r#Vy3GAix^O$u+o
z50o@VlwPfY8&N*B6&FsHHs&}fm2s2uE|EM&ZD$*N>Bze^?AAnbShGp^S+sCe&6R^4
z${1XXFC6$WaSAdjZ`DFx3PwJHW)_HPWb{MM&PZ)#$OTF}*b8`dy!H>}b`Z|;`mF{>
zj5;Zbgd6a19gb86M3yXbO>1$XV{e05<N|Y<70(De$ZDL`PcE)4=|=F(9``-K5>u86
z`wo~*>E%+SyFa0G*d}mq;>K1=+)IO}<~B8<cr$(5X9P2ZTa14}KW~EEI~R}cj>;H&
zDKg%&Q38`w3#=tG`DT3#>QIM9l>QRwcU-1BOZvWfjfRI@sF-VO_Av9%f`F^MO|pe+
z4K+<ro+ez`T*|Fzq_T}RPrXIR8M%!zQtkHsFIpdSXA_8R$ic>qia;?uBCJwDCbWY3
zZ~^q7=3D|LU|I#2I{AX#b6Kn85@bxwDE}#S8g^AmXX7Jfc}`$$*47sPq)1Ij-L3((
z;;?-6VVBaxj-GI(AJH|-fD+6J)8*s|*9;@p-9}5xD+U^|J1sBLitHp!#O1YEd*jtF
z-b#Y+cF$$wc#h&*c9>4x2x7H=eMWUMkC2ZRrrcUSLKVl#%CZOCd{1^XO|R%|v#huV
zLa+4P9S~NCD|!FlsU~7dm=EM1om*wm>mmanKWjBvy>P@|I!}urhS{JaZJjJ1404i{
zob4p?#5O3QcBBzr7E_|)?C2&x-yJe2%tW#f6^dro5CxOtbjLW6B>x<CRjIe9LRxK~
zWI0^*pHoD|cCH}SQmXaAw_JRdZYw|Q$y7#rZnvH37a4Sim6Hk|tUc;1R7GXZg>gw3
z{0@g(IrY}-02{<zJ=_C!u8>W8lW1GS=(}>mK|!C?@Fc$rbaML@_a6D;0z-MVmXS8n
z5h^o4!+BkCbIgmwiR7HX=gYUHKIWAEs*xpl;6)XY?tiiw5AqQ@ye&$I7Ql4@zrwHd
zOB30dER*55;e{U0oe>^gHwO93Ww}mJ)ifeGf+#x0hjd%8-ggA~{L&*|e$2dCO{gJp
zyM8;_-PBSvbExN>EXBuV#dJ2y5>fD6rMiEHE%KAN?1x@5B5ygL`)~Qk@U3un$-2T-
z5);B2kq){NXw1K(k3++mQ-z6^iQG2AC8r@0&iGCOcmdR#;c6oX^3F!Y#sQFm$J#*p
zaPNdEBVN5uKy#PuI8^0BpqN|$YJbcoRu|dc*5?($^~08UC@9A&S4A2nMJI<Yo611V
zT1p73S5P2>C=rlXE_7KjxCn{VP`#QJ2#y@Fzaq%ohzG6Gy#YjasYIpP<`s}1N6+~(
zhSP(*P(k7$tQQ3m2RleY$2@FoAQm;vg|qADnK?wosEOe4TY)<f#V9y7r5A&Pn}Vl2
z@#VqUt-|g`QT;kd+ICuQ0w7T_{;(SW88}af1*9OxXSSk9lhGf=CGwOv2Xhg|_uPbG
zz-aU=dxjYfGE#>I+59~jKlst&$d6?pb?D5xM96+&?0IHzW@-$=ILl>)H6w-Ccz2gs
zeWciSh_X7dpMG%|93Uv?wu1?%^asqn`UA3=cm&I2q)H_0Rtt&XpgsXPMO-UX@fE=B
z7fI2CmaKwaPz&4*wl9Ol&ytAhkEgJ7JX8}^x(Zs^20VcqiWW|6aYRSbAZeZcTdaz;
z6jf#T+^`M;+VRDHsp==RZIiuEIG$A64h{^Epd+T0wFm@+c*%wQj0CtwcM>)mv^XPQ
zr2+Y;bneLiSW5IIulvM%j$6^_BDZ`1W``4*UxenizF)=zA`%v2CoOsSjMoeR%p~l~
z5TK>mxTlxwPMW2#A``M7flN+~{17Zj$s)l3Ss<pSavUMck9tovA%&3CN&#-tWyZWY
zfuJh-*a-|=`u2JXsxh#%uWjf8E~V2MfJ^xJ-xofvVpX2vyE`uxIOfdad*h-Y?I60d
zXX$Ndm40hhJI*z2U?GG!x5N9fV7SmKu7$KlG9Cn?8L4ZhL2(ONyMkyz?9GNEJ)I&F
zUhXcdh2u^((wv)rQ%iQ_G|`C3FjFJg>FzToae`b$3hov&YBjiwXx_pqA{od}+>5@F
z9j0Y6o{m9|#jTlDM)UC$*Cm@OR@KF8{68_MU@@Wxr<LZYkHn*LG%*P=O&fFqX@(X|
z9%u3IDfmaLqWKJfW<Xh<eB*pA{r0!y(e6%>E-O_)r>G_(Ij#E3AEcGxr*4OckhlX*
zae&Jyyz6?KK$eyD-2uW2EkMKE02?fPAfGYSFSqq!1aol%pPo1vSJ<*U67;IGs2x%X
zg~TK_CN69S6RMD-q={6?^#X{c0(eFi{kQgIS>g%ufVJ!-k)}j*s6*AcnYxW&W2Ta(
z;sq<PSgkCHl6l-QpdBN2hL0rl{#y$^BXBscp&BNU`Y;nRQYO-wvGgQN8o)4Rg8WS5
zIzAw=<`qnc02X6XMnI^FJ_Zu!<gH2XWk(2;dVC##L~<v1vZVk|$0^b-NSIAuKwJxr
zECQbTI*J)>k<|P+-Lz4%0#cuCky!uN5HR~KWsq|wAOp53knXZV76W@PINw*q<a#A~
z=L|7sM5NXo!c=Y-ZZBpU!PR*orSi7_PCzhSK>k{R0T}Z0(%Cdq>d1Dmw=A`bicdzZ
z{k1S|ohcF$=b2G&G<Zm9ZBk5$c)n~1)W!G!9Yaa1>sCtAH6c(SWQ|1-A-Ey9`Pvc4
zJj9gn9_EU&fV@9xMMjNb^HxZL6s?C^H+QEKB3S?n%{{;_I+gPI&O>ZFNQ%f09#wxL
zY#i#o#LJ3jBq>btkjd;vjFwg=DDb2&L}5jb%majD4R3{0Uw~n)g>UEX0Hoa9iKV-X
z1zd(HcU<*0<pnr*MoK`atb$vz0uU}`Jozr{WTff{r0SOa?9jj>DzG`s(Qpcto=Qe+
z+-US=(K8=Pr5i|Svy*0);A{ONp@5e*JOueLtYFg1D2`-RzJuto+zLL}r7}Wc)Q$>r
z5b66;ZQ({u9Cs;Tx9Y0pj=5=)&w(17`b6B=SewrA2>_)K=~8d1P$;quI;5?J*+9eS
zmIL5UCNyC=>=tB#Rm9CPK6UtUlCx86U**GyiS&-C!KQ~>3`u+Cwo$}A2x2Qn*DVe*
zS7Le-w_(#$D==+cAABth2^U>JkMWQWNH~y43UrL*)J^Xty8#Z{k$~+!^aMxO8A?C^
zwg5y1pkQzxeqL!R`0F?CqQn#uO+{?AIL0amTlAxDb%4NKb;c>_I*^3@j@}(T9SJL~
zC@c_Qd;)k6M)wLaYIrVRr}YFa@KX?$8V5Lq@;nsez?b<;SxZRdK?p}&rVx}lR_ZOp
zveg6u);Lu?#ZH<NYB(EZ@jDut3f`Zb6O+Oxie&XU)fJJFJQ%vxfX^G<)(;@<k%3WM
zBPPa>3L5_Y7yCQvWfZMTgJzO9aI1I-aSF-{vBV`AY>dZfi*S`tn<G-Y@6jT#L3>nV
z<;v!VNCHx4sWxtf@LaA3GX}wnM~(X*VIWE#O@9k&q)&La(vDwL)yr&G3iib$PD~TW
zYG!t9Xdy74-<}cBU&nt+i!{%CIyJXExT`KSVPPytI<^b>e7}p&%MwZ@_nz5P0_lS5
zS(fIb<QV3R?p4CvPtI{c0!p&|?TZtku{0rOB}kA_U7!ewR=-nUtIPV==)n}L`p>9-
zq_X(hQWbpzg5A&o$|OG9_LTZg4~%UQzffYHs>8wr0BTMw)utsZB1nkH07@frTx8fl
zw;qf^*eNFMDZ32yh7jRqn_3NXNv}r*nD+O{DKicq9CrlCMe<>gBrWRnCK&X$?d)-)
z(~#>xhqZ{O9ttE<E<wyqY3(9mxnk#dIFdq=lT8dHDK=J0bBa0QL2yM$Sa{eQdp=7c
zq<yww=@XP1I4tu|V*eBDOI0X?D!CHzBH7@vc&xkzIS7*ULrNgQwe#8ONcsCn%?C8G
z4r??M4>k=mVOn)*XLh!i4;4D#L`M90aw7n>N*&;dfkyK1iP5WGxFf+aO(Q%-t~(B{
zr(qsfb0&uz5_ZvrI{sLoOf+hiK;oHNby7!4JhvrEoSmyH5!IZoY=uy9cFy!0iCWaa
zF3K+QT-Yg{-x+Pstr1sFn@3y-tv4hNl7<cPH3%Vzyf|MBLAJ(W&(a-qgEYfZ@P|aT
z*O(p=>RjIS!|(-3l!)&azvjvyCENO@pVf9D$B>2O5fHiEa24|!e~E8S2v^4wnNV3u
zD|5*E8*2Ki`c$%fov{<9#6;{!5{`K%w!sxYo2Z0tg$349O>6r${x)jdUr-PE%~scc
zXlk?;(DIImjkn1Qt$g2%4gp1^>);cC@{fzFCs`1z@z_#yc|AdEZRVm1YxaQ@EwPHF
zDGZB_a130G>hOq$)4!h%7MyAVvhx92X@&@Vc;_RhE*o8L5}De*pkq4naQ(9FBLU`i
ztQYHYs?u*~=yBl5xAuU~r0QllU+LRKDOkm5WHSlan``Y>a`x&aes-W8inZl(HJwB=
zKeZb<&Z}FqGW^J~K+Q(X*<++J1zJ~PlTv|4E|OB5Q7_>%!744!^2r$`;fBa@d-_-j
z8!WJf*$}fDy8QWH(=@;l>Ac%QT(Ielqf|#clM|2_#VklMDQyX}di+GWldQRLQE-(t
z6@zR6bb_u(<2y+U$;6;$!YB_F*pVT|)T@r+(4oNbsmOspBS#Hb9B(lsHvd(DBB15n
z*%k@7Y)}N8(1`>9P`>^L1TjK{z!KEeai5+?V04=ZVBx;M@jjGbP0-uD;)&WS<QCKw
z&N`ANBou@-2_wewblt-*d?zWkeFOj*S28fqR2MB~z?a_#IBZy<LLhtG;bjyVPU8$p
z9}V1DBfN=eL2b->K!B8-STuRLf^UVOff1T9l(+_OV9GI7yV&Ton6PALfRYprm&0Xj
zDpm8XmuO%jus>Q(t)vrA72ea%JdAe7#Abt9<Z*-(a0oEwZ8-Sh61m%|Mnsbas!85G
z%+XhPB9wl~N2+ir#KTjz^e!8mX+PBw20ykqSf<4WQKeVg4e1j~(}oz=0<Ad|s@QIA
zLfYKARtAY;`!SasFixm5R#F=bo0L)Na%R{`g){HVapl<+w7~EtGgf72(<RoCFELIG
zw#T_pXc~=w2DJvrMtLTZVBB7nx@xGlFwz;G&yU@M6!FLbJ&jLJ!cojTKCTJ5hpRQj
zX0e_6O3?}AR~I&rY~)Fe0d$eXC`F-Y&Qp5FxBE@jesM5vy<nH)sX;|uuS;x=@+}x3
zBv|G(HeboIwOvq<cR#6X#o~mRwB4vEJW&DRiJiBbQ+9WzD8zMq_CTt<2X~<47RpKJ
z;RFlkEfdrA326obnF<9eNT$@(rSM@wZq3jj{ZYMet6vsF4bX*uCp9CW9kmJI=W-4W
zWu;M$G;|%HK59$^HmVn(sY-d#BCX;(W?O7nG3{QWcm*+m2<Z<>WwBfRfw9)epk&mv
z*~gT;G^fpHZpQRuGMGFsyq&fJx>4oL=G)BrmIEA!17dKU>rrG&91CXy3V@+-vGMus
zOZtmSFA-q+m%<B8q^gx!V3-FZSET|D0=21EID!~Z&Ye4Ohi{>CSEyP|+Ho?jCnGO&
zn<1<rHknM~Es8Wvd?5Tq@@<yFT0v!ez1=AA#fuE%=8gd?T9DJ5+~p!8d?IsCP@14y
zL$4t<Op~IYM;iklLc?}iYkk%RIQ|rG@UA5rR~K;Hl!IL^AH+IJ8$`0zVoZ5@Dh_&1
zE8x<kC;~u~Q7vqbhmxiS1*%Jzi5s=2b?D?mo#0&u0$+lZ1<`UUO}Ja+KWH+7dP7=J
zYlF*uN-FeF{g03*M#>~4rjMwTmiM-pQgak2BC{mmavZBg#i_HvP-e>O%L0Z%*#R&i
z3MNr57N`)VxGJgLC`ssmRYNF%RV#~(x-{2WxEx)nr;Xew!3k+UiWCq|4b~INRg+eC
zio&!Z$Su)VWf`K`1!Y!uDCMnYvPo1!gfDm6oIt0pSn>w5j^P4>6nRlCdG(z(+oTDC
zfF2xA@Wz6&w<=_YK=!i-+a;N-sX;@ToW`uFuEb4-;v><gNc=*wFELc{<V@RQy{Fe#
zL%~{E?BV`gHJCgBfSs933~qwE$2Fz-%W9G`wmD`aj+Lx3&e20Ml<1);6{5mPa1Xef
zN=E%CU9$Te;IM53o@?Le^yHc-72)mqrRAOhWP&IBd+vm8x$Ga_WI@)~ts`xPg$zQ!
z$cpD{C?X600lFA7@;~AmGuR}90PVblWPu!G+Zv5!Od9{r3Rp1zWr@JXC>c<=tBR#E
z)m+J_)-GOomh8p(vGir0IG8K2vOMAJ6LlqsWAQ!ikyim6uCGb;G+NoyqY*DRxYroC
z*Td9e0$EX&Sl`AnE3^Dl1|U{g!2IvJdXGX1Nk<rhEcu~PxJVOq0v}H~mctx>li{fI
z1u-U)U#L)G#}vr~<P!wIWuaaU21axQ;mnX=k!DBu@|O%vKofa_ZLq<q3#{OQ$t$3H
z2Y_y~j%DmZ2{O|-DBRgr&RLM34SA3$)HrI)h8WtwGHa2ZI1)_A8!;n4&wbjXESimF
zgjlmA*O8eHxh%@c%pSGmX`cn3OkDc@fd!$<bI?Q}9ELX@?4AZCSk2QpyS3=Nkte7m
z{#PP)z$uV=o6X@4;oS;5MH}wO^_`%h=Q<KO0O_I){wbUgb4*3MMjkcW6hTq4=}97O
zpu{pFh{512%2d|vjn0pJ$BKkPFhM2;CLdN5!wRxb&&*%r7`flTv~4qx*rN|I&x#?)
z<*SS$m`U~ZkcgzLLxrG2=`1izfo0nDO22rvE^(296}#-=`bs`8@d2z~p{OxLNSoZT
zt}=V`(wOPXiu^Xv!^1+n$&0>~)<_uRCvJ_D-|KY-2G$*qw=I_hjd@skq9US__Y0QK
zmhlH7Uyr4Aj;a{Y_B@W;1VER}z@^4;VaZ;<L@PN=&SCwRI>2i=2#nzb;+ew2y%dJu
z$!Jb+$P8x#WHNM3tveM)4K@82k_ZrcfKZ^66fR$g8#yNn8~@EWux_4<OAVne6@Zom
z(G*F$5^k7IMA1P9kf+0e6K!~Ca9MXj{PMS=IBCNhp1$Dz#h<_++x!4*A<yKDF)&3W
z+z`-APxEeTASqV6f7Kw$stxW3=fqeBWw5kD@Ec&wZKRI31N(!B4AjbUJ?Y2)dgGRV
zqFrJ>J;9;Z@N&dWPMN``(hy?VOROJVQ!;M7^JUU$GfOzEi_R3=uq$LOFAr=c26c5I
z7Lw9PYIj^ZXO1Rz1O880WeF@GTMSSq28xegLoSat4+}sE^A36YIWIOsKot^(gY@p+
zt9}co7YmWbGe=~B&NahD2HFr?<6uN(bqk3_$I9nr#{+IOj}aXqLE3-@z;j1t;H)c<
ziD)BFCp@oHd-sx{IlUq4OVbqvvAA)^F#t)LUdCGE|H*WQ<S$d%f=go2NgV>hN#x#P
z5lx&mLtQsQW{3AEdR2AQoQ>i=)YMikDX?W>KF7b)J$x8bF=!A1dP_7HV=ZKi{|lso
z&CEs6)&RfEXOCST-l0!)qgOE-sXYQ|auo3&sMg5+l93FE6KdM0o#i!R^bs+>FuNg`
z_}Mez%(!D7lRuUQI8SbbOl6?-ny%tdbe-PMZC-RsiJ-=$ify>Tr}z?N=(|b)Jx5G7
zTZA-fJ-tW>NWhHiTEk)x;Q%=Zz;fz$gBN$RAb=boWr`lNUmxJMbsGJ8mF|-)7JTF|
zSK(FR>;M|tXVf4NfV?AExWgkie@VK@heSn>5>G$Bk%@*j^G2#`M?^nACs{05(a+-s
zLN@g6zl%BkV8L*Jt*GgTOm3KWAmBQd;wLfN4ZbO^48adZJh^fI>ju7zB(rWo9VqG{
zzHQk<Dhk73X-Lwv6kK!LDoY`2y%p*sD8kE&KjMU+3=p5dK-9O)tW|ZE0n$veZA#6S
z#j>&5mq)laj&$iCcVc}v!nvG=$ybJpIo^B;0Fk){_w2RW+cHteL5g3g5`FbUfS?>y
zDr(6EUmC3<DrJIqU+)>Q#%9hcMw6WYpVx<EDe(iK3E|%g>S-XTPM$XyA)W2mk1*Gj
zxW|<ydB<hw8q<~nVh+eQb|1xU!bN70E3C*}iwA4R9|JwYzO%4Os8RC3w&khOaYHfA
z#zE{a1@0sfi*;{;_$)g5irUyVKBj3UOe|vZv&NE_ber~JP9%5X_rb(sYwL<7(qR|4
zG$Uqc#l?}6u^t#`qP>^Ti>IdXlOZ+G8MC7+8<_XdR~dTs!zbmLSGTm&GwZIl85t*o
zAYKXgXrfMh8f3jdKzQw=wL6Z|L$xzQ;aoauwu_Jz3{feKjkX1d3fBRVD#|#vvP?g>
z9n%b&FYJAZCAFMATT|kU#O3f-h8oEBHRn(L%?SGp{-^?gyd<S%EjSYVE+JH7tR)E@
zO_ooH=UF94Pp8AVAu!M8iM3%~m{qY`NUTx^5D`D{HM~&Z#YjL9074-uh0;R{z7^lb
z>lPko4cJ9-Bu{p;O7vtLMuqz-cmPRc`Z?Lf0Q77jTq*;NR4$2v3+Gy!{pwez*lq#<
zEcs<A#a_3}_>E>|P@0DQgDzQ-8htYV*zpp+ZnXohsTxDk)GECDoaHNq9;~z8)m-zl
z0Wgbhy1dGkZjWttl8j5BSA6rl>&xBhQC@8}`cOvP9dP3=>u4;Eql1nY5LhO%k?NdU
zeWm_{-E>xttlx^w%s+hNs4Q9t3NZa6#pQD4V~`vTM+8s|33U5QSm34KcjUzw{!|JR
zELSayRNrsXA=219Aw|>}CNbJ8ItP#qNP_lR;8p!&X%%ZBn}!r79Z)?j7lmQ^u}VF0
zl!4fQ?5Q=sk&A|U0!5M@6#&d1Pq<*9eu3k_S84$X^Ppv4Hm(jto#$pAA}V{wk(h{t
zc%d$pvHHmgNwi5_6LvR_Xhu@0+aWbv<V7$DANSWx^)EJVzEJ_Hd@};EnZWUxz~{up
zj{e&&!}#Xpa?O51HqDnf%n>Eb=rBZ%|0MD%8=kJB5ul$1Nkc2xYM~H9QB|In;KH@-
zRJxlnFu#L9&4e-|inR>S6j_Po6zny&8V#s{SkK__Xf(?iWzQ_)OGXNtmq1@VbW`{y
z<X(9?6^yLCA;Ls0RE+GY5hQ6ju!Qq^e6$)$Im7W0&eCVAB4k23muEO51|4}8*s&aX
z#z1KbO+BUtCB(5r>Q=<<yQg%ajG_)KE6Nz;-@L|C3{liL#}UyN5Ru~)365MuhMMj`
z$HfYGzRl{MCA~$VY-SrWi;VgJA~<n|NZ3K<COMEp1T1mlwI5d_D$dK{Y%Me{HcVzx
zoKZNea|&Ac0fah}BLR$1zZyB-TPaKB>K?J<96CjC=!oM6><D&e1r}!x<IHg2Wzfno
z&V;K-IDN1Rud!;m5z%9<lzv$V9G?h++;9Y8FXqw9f_I8rAgaRJB%Z3<iPKESsLEKy
z>(XI6<n43hK`=UF(^2vWL$XJL)o`p_0=Q%-=%GQeVU_rPcB9zWVd&#W5f=+?P}wE2
zL4%Q_lB+Q^DI!*9O-*IZ`Z1XUt#r8MniQc7(I3fBR0d&)DkNOi4ED_f?sy9YF~<T_
z$AK%sLm1Pa>N#qXbl)?3erC9krOS-K$fBVzJ1)Me5={MLaWE{xzQEk^>Z=*h!2y9h
zq?Q2mIujS-fpK1fNYSGp@>XF=hNBTgqh)fbpCQ#Pwz#Baw_-p_hDG+YnW4GE;r@mU
zaI^qgF@hM>)}kTsAo(y_V>pU{`enl%G&KrOApT-h$`df{1&*=QDAi4ch2E?*&rQHK
zV@X9(j4ECW5SJD;kOel!DN876z2_9*hM{gF=&0*cMe5L47-;Sn3k8|i<PX4I*!6zk
z3>8P7-PYlVz?!v&qZTJ&hf6C5DjQ>RA~6LP?W7BVu*E4dNbBJvf?SL+v)4o2-DK?w
z&0;EJ&N9JeCw7HW3I&@rYTvxAMkR3Sc%reqmzM&NJDEDNwQbhd!%ReOBkPL&&R7dx
zGw#JkU4r;mY?@QTvyE42ZSXK(u!dM$d^<#>(3vp2yBs3(VzZ0lG{w^1r3DTQ(lgXA
zTWsky=|RB1&@UO3AeAmp$Hb3$*(y_<m8oXq&N_)N#;L|GL^V+G;O=USdESzN60A>_
zaTLF$UK=HBA+&^YECk2SRhA>PyIQzGrdNn@M2Ep?{UC6Vs!;qYd-NyxxX9tQFg-c|
zsal|Y)$G_CNZlR>kEtU#{v468J9<k$<v&alc$nk7dBqSgQml3fGx}?9@zrcNeOUIn
zEwYt2vDp+sq{`rY-ux^ShX+QeTVyOj&LfaWG)G*^km@=Mqm&<xN-ZqN1X>zav`sW$
z%|=OV9x|zCJw67mkA^xH=w(R+U#_LW;g-HD(LU8K=DfjWH_i56%ACg)RAL)Bezfuw
zoI!e<GxXeA7fr1*Ju`ZF4(PM>_{4tuz5Wy86V^F)G{g-Dz!aIyC>ufiYpK%Ne)hkn
z(Vv}5n3n=tB)OfNTW1yq@ifZoV&&&>A`P;9sP;2gmshVf*Ou4P5SV0YDoenS%KmDX
zwyAeuo(G}jzzZ1T7%zUto*?phOm7$ouum*yAR!h71no7gi)Mg%RKXhVDq4=VStcf)
zt*qc)YSPHe>`C*UguA2~?Rk+e2j4*$D~3e}1qt7MS-z56F<W;E8A;j^w!lsYlJ*--
zYhtOHSDh4A$u|pejZ)Q3ilkM+N||74sBS7^u;cK_=5EP0z{KD!wP~bw1*ZmB<Fp}1
z1P7!G>f|Y?)rzX-xi!`Vgd&Prus2nO_E@9W3c-d5?kQ5N2^a{+tdezJ7Od`!?)DTC
z^+J+D%%9&QSBv)xs?IgULcCVt-7egCaNW}F*tVKs?kic^R)m~eEb+NkhU_%CA}Ff4
zSkmT}t!JgHcgrI7Rh`a69>#OS2)4(Vq&WxF(M<){vG~&3O=x&>?`+ti0ifnAh+s4v
z&7&dXnLY+C*t#(l-uQ{^i8Tb}xT#COA}G{cBXnzrWG0AC46*z)o%vtC-$MLpgkoNB
zxgq4DJ1D%Fuw()NnXrQfj_Z$nwXJ}%y)+XT3hkq_5XBX1t!aoEr&}$n+ZwthM#Hg%
zjgzzYE!t_}8sz9)avTsLwNofdKhHBc)v*J%a_*S+Acf2>k&rMW@ILP&rx6&P#9p0^
zVelgTM(39n2-rg|e&$BhZuQyeCD(5OG|AAnV)$}Lrf!{sk}Kh+`Ou0B>tl9fXN}F&
zkCQ-1`<o&-&fx9B=WSgkn!_;W-<V}Y?lI6A<PWrVrv7~VIok>AFxXC8D@#SI1XW2A
z#!h7OTL6*=kQ}0mGDyVHP1fTgk|NQq${ct{if&{8W?1;birET>EC|jAFilgHt_Jj7
z5;c<9h0@syV*o-a4?zH+|3Q4%rTc+8?g?P7x&u&QYbew8X7j4Z?E#pS<1A5LW|3aU
z&xbJyUBiQn3YYFWi>bB++B>TBytpb$#J-&iJ6k{$FlSu0K~h-i7)*4|aveXCWXQd2
zwx#Te`FkhJ_MTi~48ld`4fP{3KQqud_@K}`jgcVRUqa8)Xc&PKRT4EEn9`gSX4;Vs
z!_s6FP+pN)4_Gu{kxwNAu%2AK;&sN$DEf|t8ou|Q%^151%C8f4rwLMw2wGHYkER2E
z=Dz$9U{y=g2SGwT*qTzI_;lD1>zV#}2~4ay>x8BT{K$;WZ;-Yvt>aF}Snh&igNdQ6
z%nSn6Z*PXr+3duTv?duCij&iaZ49Qsxcd>@g>VXVsRyH?M-#wnJgrzUh?rqLlg;@0
zN|=x{No?JjKX&zRuPYF1`S+z0((m57b2*8_)Je;Up8@!SnA-Z@02)G7y||w(MfPNS
z5+uHG&2HAtp@&7Z0fj#*a337wAbNNTUwbG388c#xLYyZWLTr5cR|2lH#4DXeGU~*}
zY74$;)n)0Y$Sm|Li7oeFnWH)9+W84Fb~Jq~$X8cVwl9RhSaZQ(e$0Y(*edEyB~iLX
z(pLCpJ`V)!5HoA$1u;kRLYLs8W_~7`K78RnLv^D($CUXJ7KaTvMvP;Uu*hTeYAF+t
z?~bq{?W*kGSOqL{&NXE0u060JO+F%tLkm*U%!X4DE%))AU3E^hb$5;1lxMIAAEIh6
zKxxGS(U-)KZiW(3D;g6NhKMUHz1uun5u_}pVrMutF${&tMI9s#I_Pwx8C|v_#-Py8
z0g?H!Zd4M0qz>vP$J0=BLe1ej#$u`_VD=LDC4)%(x8w_>&NLYmn4tFB<lcx{H?2d1
z{<RJYXAwI~{;enq3KeLPA>V|cTE?A<U|egG!vxf0!ISaHA#8U&nY8Vg#`<v*owtjh
ziX6zr;ltL>U9AcM0S32IfPlc(Vaxcu`Mu=d0V(PGBc*6PTGxcI@-*_(xgsEr@OyaW
zJT-UtyX?|)XueD3B*0ZMpSzQiGD>JVGPfmAQ7|g1b(sVO=pZ`kPKwgm)R}?vf*xSq
zjpJn;s!LSg*92Fk1Vb6Q;u+JL1<jtLYA2R(i2-$`ShnCAV%kr07ShHos{-=%5ip^6
z%`+AAU!b;Ob}Vg$fs`FlHMCSJB#8oUTV~<CrLH)XMuj8Rmy3&lO2@)4hln7SSg`ck
z-TnX`g^4_k+U_h`a9WLdoAzsVI@$QKszR5R1dJr_xJSz{l?aJ|wKLqfU_VKop$$n9
zi&~%WhAr@hpuNL&(50KDrZb^ub70!92tPY*2BF}D{8xK%vjPgHGYp@)cdt?K!)&+c
zrWgYYiKdfha0O0t*Z=?}N<H}U0Qp{EX6lVOt8PIXYov8Cy9>(M7a-F^p6D|uP6r0*
zMTfnF05CZc25Cfz5x534z{1*Zt7fYH7EWkN4A2)Z7jRPVtF>qlAeAT!WZpIh7R)Eq
z&<!RSz$uF(YESBT!o4<7mEqD|;3z*$rrPvAcDfe_q_C4bs*{{9S`^iJ$sE#6As;-Z
z<VbU40mV#6+{&?Oms{2KQ(;!{jD_j+5Ci2VJB*T(Z9vJGiVGL3QQaR;LS+@n8BIdd
z#7<K@joTizwLR#&Frxra7bFbsn)T?AlDVi}a}-+aQ;-Bc1;Zr>KipVB2sGuO{FY$a
zB!|ocuRmG^1Sbl<q~x#NMc5PVPe5MC4&>Eh`ct2V(_?bzVhCxVVGPdl^ziv6bg3}<
zCM4AA!i|_Mkn)ru)vx8B3AhLAw!Hc}|25Yv<K2=FUIU@=3v#ngjdwgk3G`y)EJ>XF
zFAnTP%_f2*rPQgQAt2>)x;brp{~%WtaPp!Ulu5lcfV1W&`eAD(+J8f|<^(;Q=I*Ap
zVP3W>Bk1Zn9v3tjW0C~2W((3uYujQ34W@AL!L;#ApOA-OnsDbzm<<s;qssq!&N6E^
z>o$Xv*Aau#(fFcpCss}=j86!H7?zd&`B8Tg%%5gCTS74G_2ZKrLu)VN0kM(Y{bV-m
z*}5)M^%)m1qCnQ@L_&3`=C2>fk8;WwDv*6*7Nc<h1y^7+!s&hl;*=Z^;Jg=LCSX8S
zyP1jvwzf|9Ob@7tmIqs-NoMf=Wk*OCz&2mo6IM<WRg}Rzs;2!D44-!_gj&@cuoR04
z)eRzf15!`(l*^ELGbT;AG-Q=>liu)yzDt)`nD~qA%|fUt;#WL==qqDuCM6u4PM}U8
zj-V@mBw@!E^{hb24^JU=;cV!Fi07Pk03mt%POjD`Ok7k}l`HZgT1&i7%GUr912D+u
zy1Y2R-h#Mi2^WUPW?(;Uh|G3<#ckJNC_++gY5g>`8&iw7O$Vu{mmLK_u!zy=SlQ0S
zG|&b-=Bn<4S_q?RX<7(?5v}+|hAWPBoqMdapg>|)#mU@&Ney?(O$t#;*c12!22VSa
z8}*q|Hsyez+u~p_b*3q}`J;t7#~k^+&!yvQSn^G(8V-jQhY9UcCwd7Ug<+@~ZeHqi
z;AKVCz5^VhYShmYH0!JN9z+O`ehHn}4G@h?J6}gdP;vw<*oSWS4C14hWP@*`JGKB$
zQNrF`C*Y7HhG5B9ip^P6nwnE-5oy+Cab69sx*<@wV0h%_<`z<tE`}E_O;My$BCvv>
zrXDe9G9C(Qh`=JJ2Uyx&tKq3?X^kslQsjoM)gH1bL_CBJEq-Fr#I}P{p4~8&HxCH9
z?(8Yqyg+y>m=!|=W{w>o1Of?B64fCHAj&5bk@>tUI=SAPj<vIDj9nOPOkWLVLLMTG
zbj0ef9vPc`dv7qo*SB3egI+{Muy45WtcwOSAPXAt0Wu+qQ*MRwpvnyw$Xgw3%9>Vn
z6_1W3`9{0u^Gr(EvjSm54!Q^fVJry>E#RD=SX`fCbqK%~xPtU!I=GxIf$~<473u}j
z99SFp4g5QtU1eVs^@4%LtT~-bBD&tQt5Mcs8oQi4nkXCV2Vduxe}W;{$=6@tsgkp+
zi9qL&qjHo0`3A459hkVw?mOPs2+Piv3+Ezv^y|vnL8QRisCKHFQzisU$^QUi0gE!;
zJm^syt<f5gGzzKjoOiQ>M7)N(tBH#<DIR3uSQ>Rd2|R^xOWM~tnw^>+d&`A8a=kD0
znJ%mL^_CWuuTzrOIv52zg3FIGvhPqJ0VC0!R9eJY8AK9u^RE*nm~En~@KapB;u*|#
z@ML2bjA0qscI*xDY)=>nhApnw_3*n`Tedlk&c)7|ZjXI5uSL=kt4xr@`5jeofKQ7y
zCC{Wmwc=rn?*WmlJ1^VU3WrJ+YUHV-ck(x4_Qr%Xol9zbU3lf-zP_40He69eo7-A>
zO7n5r`n1X-T6Mx<H7}WDLF6^Ve@9ti9#d8-qUfAs*vfQKRH(`bT!0P%J05*JWUM<c
z(4jyLjl3<#g`oKL7!cETeydS~1_9(G8X&lqc9zy0F9|5)vC~*?j)FM<Np!5YdM65Y
zrtK1Sa;|LBbpErC8Dno<=+7OZyd_AMY<AR&Zk(?OFrrLLDEFLX<~dYAI^}120AERZ
z1ej<O1VFmQ|9pC=<6FSW&kiXj8oG384n>2ff*Iy34v}b-*%Cj<DJ#KIRbE(L<q6_~
zsu7SOBy|A+9!hddsa0+S1r%1_T?8H&sv#yx>m)ud2{~*I53DxWjf1N?4BdxZ;+AW`
zxZs&9Crngaa3VC8xV)B=u5rtNQ-avHAF9xEebPA+b~CxlE;fH)m4_0H`D@tY6(4k$
zhwCS!OObIv*jA~_lWD1?x#dWw4_{uv6_(_|%}}NB!6k67s@7i$b}3{lfX#I*f6r$T
zub}N7($JG@B}i{|)G38yGaZ8|SOo50Jc1$5jFF%qfpitcBj`fWf&ri1i)SqSSQHeU
zfx2TA@VSbvZ!$OW1TQL)5afKgJaA#tbsS?v#Scz@cj+TrhZfIKRok+7(&($<nYrh!
UQv~2A6>x?aywoW;i-S-hBoVP3EC2ui

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.otf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.otf
new file mode 100644
index 0000000000000000000000000000000000000000..fffdbafeb73c497ea3d84107162ba05e829c59ef
GIT binary patch
literal 232680
zcmdSCcVHFO);_$aWKMeTWzHla1X4~;OG3bwb^t|!gl>UD5+IUB3Qa-mT@maRd+!Am
z3pUg%Dt56V)q=e@@;z&>IVbVH_x`@`_x|^x&pc~p_Uyg(TD$L=oTh2hnnb)<BQ!Cu
zuC}?c%{=x=q4k|5gb36J0#?bB{?S4->=w#vr47v!$L~>3nTh+`gviPq-_RI1`O7m_
z3e~en2<_SNQ<|DPx^MeHs7uZgiYmr8Pp>=mj|)qMT3IH<L35g#E4;_u_WlV%C{qys
zyq3;j&v^&!uM{G_RfwwN7PSRiquyM32JY<#sutlw^vQ8E5Pk&CM=a{>U!HON{`-ZR
zk|=~Zt24N~$8jk|rA)xV=n8hWWuJHDZ#chCh}ipky8HSE9~EBc|2*znLcvjuFc06k
z>e;yo2mLHG?Q>iaZ$@W+6XFA74!j=OrG1QZO{jDg|L~ml{(*0Wh`b#4$3%9?nE0MN
zIxZDrilC#=)LeCzh(JQ;fQ2}MSvgL4m65m_V`!SLsj5CtsJ|is(n<cSZK!L4U=0qc
z-wYa*qLKuaucMpFSL(%d4>}1kO4%EJs)ud@bj%bzwyX+=fCuDtO%#g@ZCM`{CPIu6
zkJ#4@kuJWmWrvuj=(ZdwvXxd_juNrTYFmyGS;{%K9H*>RZnWiik*)b`IZ-5NN7{0d
zh}4c@8A`=!cASbLqBUD*6qgunr5#3te7Y^`B1&6}d@Fhs^0Py`!j=``)>qiFD&qCq
zZCMkO^^LZy4+|3^dLkn1>xL+c7_eoB*c@@aEk_E!5wztfk!f6F%Q3=h+-=Konq_=y
z%kjb=HE7F;!i@IWa*{}lK8j`JH#6Ff6ZuVzwsl5+)1%L~!)TCiv}Ii+M?Y5I-Ls;%
zec_^h%j@>I%joEpN556u+C9I`YF^RT-`3e@P3&sv?(OOB4feOSTB8>A_xFsgs93ga
znJY-aTrJ(56{E|nW$pcotf_5%ZM{noEYRK6Z%syBvEFX(9_Vdpd&k9WH3z%;tSP<S
zR&!ft`~2>X)~Rg^2ReeiUYFbJ9!CXq9EYTU2v;5ohkH$RjWgPM``Wv^EDk=UnS^nR
zy8BzYyOvrWm)kX_YFuY<aa(u)0#`@-e6Oq0Rps-$tNwGGwodJRR?zD24Ysy*274D<
z-3$It7HIFX`WLlX)4STq9?ktQ3m)%kt?2Hxx^bu1YUv*6>hEoD>vR2gLrw_}bXW~8
zYXXA)N0aui=xLj_2%1S#Hg_-RUl#0bvv8rKy``<I4`~l{wIVfArg`EdtEs20ivv&M
z0A*IlSRR+hWy#3wXDOQC(qMZ>aDGP{yDn%2YLBvl{bMa#oxYad_MZMeS6_RFtGjn$
zMN?ps9m)UDsI|Qh`JF#N27zyaUDn&R&DO-`cPupb6PwGdnG>f?XqrCFnprz_YVG7{
z6C0bYrm0qa)8vMU(<U}e##z9sojlt*V&de6GOG<m2^ni!-qYLG*Jr`5?VUXx?QN|t
z6q>gGo?&YNf|5D<dfHmr7qqun9l@@J1HpxDWmZpHZ)bZS6&>j;7_qY*u9N2ryO*~0
zcC~jcv{s<3S_6G;R0R6}hw)wi-7^1HxI<;Oxg*%O2u4}i*4y2T0w$|lM{P$x(nGni
zf<xlM=C<DU1qeG))QfI3vnxceXcr5`BGE4_bTDq=0m{O%cbM$Q)mqVt=jMwx$jx}V
z56`uUPOv2=iZ0QDyS<2)jzM{^6?aC-`1^5vtf;_$%jAD9gb2mvl23Nx-e{TPGHBJ0
zrz|lQ@%I6}VkwRkTL7_lNqr|HhE80ytW0RrEd~&(MYLI2!ZrLH&om=sm(+3!!gR|k
zq<1^=(k(g=FQu~(F?1kgFD&7L9mpQzkmm+bCz>D)OCua3$5)Q?f5ykpHQ~udF$4E{
zk$St-oa{Ul`xHDGx-t$q?nchYie1RB1#eJD7rMAAq~8hM79%bSvjA5+r2Z6JB~T@N
z!jI5Z|5thr&y$7t$df^!9~zT?C|6{W#kkguRR6bSpdC4)SQjBiOH9WZd6+%g42eq%
zr{0BhE09{ROp~7>nd~xvCrP(<Jlls{|8Gj<6r@I;w%}P8juY%ysTTZyE2aG?`#sQL
z8uG(78!DA#(FKTSnY0__mP3%YP&%PMm1io+lozrv<t=2HX4IoeIB$~ilg)-=p7f6x
zsFwbF$)fT?u!d>&&vZlD1W~?%h>yzqd>l#7p;|{JAOPDQ1t!mo1^?4JeaH)Wp$B)#
z4^+B4z~r@s@Lm(1pY(5<4CUm%*{Bt<P@6(A&xd_NC4}k&X@Vo_dabN86Gby>x`i4>
z=Qxus$4p4m;L#?Ov1zzF6L+WLzgjUF=MzyIslGMgiiI|?30E8B6BDJ(_X4;_;b()7
zz+DPM)^3AVL#44zEJyBpakUTsQSBf<wxhoEz!FqGTV?*KWgzSR-+S0XIpSDD&-Teu
z(Sq0)04<1>{MRL0t{{$WQco(Gy|Q&9&A8PWs#)|5X-Rn@-wxehh}5W+?L~}KUl$_&
z6}U$2DwS3$x1m;mH2Qxl`L6#}nfYgn^zSYAzqhl^(gJ-*iR;u#sed=T%q`eZ@74jI
zcHk=KkJ}q6Q~&AeLOf65$j%(^L^%ne`4GmpLZx|}E=1x7Ji3S3F|wD}H4!bZ8w%!c
zB1-&fhX~DYIG+E0RP>elN&3^qEymOOA^K|lGW~M>dgE<<seX<=pkJdOsvoA;>UDa(
z-k>+?0e!qaL0_gXH$E`78z1T?>Q7>}r$M&}VPN(Y2@Rq}jEEI+m>nmGM3E$tMT$rj
zX_zZzU>=nvvPF)5g?^oWrSYkLu_IRGiacQoCtRH`3Phn8A&SIE%)UmUb1o63$ZI(Y
zb_Kc`54tkybSm|$^lSC2jn9y+vEpDf8%K-F#0K%Y_+9)a{t$nOKgFPuqU0&Lim6!2
zLCQGgVC7KdXl1?<R9ciarBzv{T%@d5F41o=ZZhsPZq;wn*XuVcXX}sZkLZs%;vDJ5
z4m2ot8@r89jE{_ujoXYp#$MwqW53#M>@$ut=BYE3c%@fgrJrEzGCnu%GIknY=x6C?
z>nj`=pi`_7*NJ<SKK(rXeEk&tRDF$pvhkinQ|=XC7*7~?=x69>IxcoxqTi^m(@)b+
zH#VcwJw{ZE<HQ`XQk)=Gp(<P>u0;;77F)%u;uU4QBi@nb$Z%vjavWKXTt~Je&ygVX
z_($OC9ViSAu>)2*Ow1Fj#na*q@u~P;S*@&5E<`@BSMF1uRX$R7Df^VKl%JK~mA};-
zwOXxLk5Xr;$Eb_c<JB&8sd|FCT0Ko&r(U97p<bh2r{196r#`4YraqxQtv;h}Ro_rQ
zQFm#vT7s6MSz3u!rg=2KcCc2bHEKa^KwGJ;*3Qw+)7EO&Yj<k*Y0qk}X>VxnXzyv;
zwGXwAwa;{i9;+wl>3X(ap;zf+^_luH`dqyQWo<pYdZT`){-C~5-=sgQzoBo}cj;f~
z-|9c+)#pvjJ2G!d-qgHVc}M46owp%xlj$%M%nUQ%EHX>Yappv`*=#Yp&C|^b&CASd
z&EK7hGs>CdOmk*A^PKt4(N2%E##!rZbWU_0={(9g(>dFDwDVYJ(An-><viJWrt>1_
zWzOrJw>lqkKJR?X`JwYu=eN$EoChq2m2PEQrd42#wA_}@s<g&hhguERL~Dt)!aB)1
z+q%HI*t*`j$-33L-MY)V$9lke*m~T0GCw6hBj3s|$RC;S%AcA)C;zzov-8&%s0Btr
zLP2stT0wS!Sx{Oqp<rG?TcNXPL(zjp8;hPSdZuVg(Z7nej!YVPd~r(g)Z%@vBG<S-
z^#g;0gD4Fa>On1<kqu(AcoQD~L3((dvO&2Q9)4BXsq9t0RDM!^Q~pvjrH7}eQ`On(
zaqw`5+N~~ESE*~%v($^#%hjvl;p^ey2h@$~CiN+Jc#FDCeP7+733xb3%hU?tVHZ4H
zV|%z?diXSW_yX-B?MCe`?SAb!ZQDOQEc8e{PEXV`^c>x-SL@^SS^Ba1e7#p+t6!>b
z(C^UiK^=Qs->ko`zpd}o_v+v1KfuG|;o&BDct+U6h8b(7o0d7kEHS<2A?8$bmf2yh
zF)uLJ!NVJz!l^o=oypEjXSUOF7C1|sUgub6opXZoaOV`~RNKRIo%5Z?JJ&c*ah~N|
z=e*o`gY!1$BhD?(cby+QcQ}7={sIptTbWj_Wx>N0mKPqbu?~WV$6GyCzqQI*W1Vk%
z_!fBhPI&l!>mln=>EZOSho|H>=N}CZueCj#1P^D0J=|KD3lBd~^hnVYMVsN_m*L?=
z+rxWZ1+KAw3fseQ^6-Cy7Y#13&kq@Xo#esO55(fwIoOS37yj!8ItM!j+Xu0-h--%o
z9;>}cl76H<NqbwLplzWuoL2xYf?lqd>cx7YUZ6V$e;WL8aGwwdwgLBWNJzIIxMlF{
z!LtU>96V$2)WN$3?;gB&aQWcM!4n4`7<_2(k-?3FkA=eiH~wOb5MTI#YM}D-&pzMr
z`S$-7magv{Da0;lg5%y@C+u3a>m!os->&Vu+IKD9^~SEZb_I9M-xaj4KDp~@+}i|f
z<SRqReP@N_-OWPmeRJ;{yN?7fr>lF=dhU5>&;5HN_r~sx-W#<y5_e+us(aC(?m4jM
z1H^abuFLj3zh^Vfm+a}?bNHUQyLa#2wHqs)yKe)w?0#bRmAlvMUjEtI&ze7L{H*@7
zLq9wCGg$VssXM;iarvj;e0tMI|9W@ryVIl&3R>y|s)-i&QuS^17cEi4Dl5DYK(Bf@
z_;7uZe!SkHcj-N-Fa7e~QhAgzNuhuGa(yMs=&NO3?6Y3<;-?|5D}k#+p@*}6Dei0l
zZqOe<Jq%lRc$j~e_1E-m`n&o^sIB`^Uw_m8(Eo}M5qd;?L}EmGM5YiD*<gVG(e(&3
z!ip$}7!fftVob#3h$#^ZB03_LMnK<)HCTFf8{sl-G#FEjc}7?0=@1(oMvt+Y&WsHJ
zR;Z25#{0%k=nXT`3yyUl2FE1FG{-E*F_4a<kl;BaJLcmE4FBht#b*xb5kArt$K>Im
zaNfZ9=he`e10Me8KZoTQg)9HR9#1(gz-R`eA>(G_Hnh|?Inwn<jN|mPj9vP<`lF5v
zjFmnyMj4|WamF6~W__I_*C;mT>1P|y7|$Bd>8mjAsm3^_MvlrRVO%x`BeP>LrdeT+
zX@0~w?P@u$xlU{_-W7L?SLEpCb+J$Uq@0b>+wT~^{fQCWAVyay7{BGo5!^V8;b;W+
z7{+ixjN)1_f@?G0Q+hFqTSwzK<!<G1jIG9rzr{h~fH*>l6H}E`(X6D2=}Lx}rlgA*
zN~V~t<cPUSKGy0BL{KRd$17#xSj8zil?u_NxJ9?(5j~1m3@BA%xiVIqs2n0zD~E~G
zlz=!@X%HtV<HfJalj3w`f;dB&s7w-PD@TfRl_}yJWwJO=X%cIdY2spKmbhFwMqH}Q
zQRazXluhD#Wr4U;=@B<53u#m+9#KvZk0~dLjmj$Vq;iUQN;y?*R!$dBE2oJq%DLhN
z>=XP;Su0*sE*9IAOT`<?W#Ucca`BdOh4@gpUhG!x5T7geh%dx9%0uEi<q`3%^009i
zrW^Mv{o*6#25|@)ur*4pxKUXo-d3&@?<iM^ca^Kfd&)K9edSs)SxFR26rXrlSt&Xc
zm$*ckEsj(Y#52kn;zi{=<tb&0vK8Zr*Ob?lZOR+Uo61|t+sZr2d#a+msJyFeH%>Fo
zGcGdLI~?|iG!LWGY~ym{3gZmpd}E!%=_qg%If@;l9i@(PhsWV_R6431HI8wP!yI*v
z21k=)isLB9RMgxVsJpYZ<FyWTrnUg%(b?)8^;mVTdb&CV<I|~XvpP+kuFg=8#wg}Q
zj9*r(C#h$s^VFa^Uu{ua)i!m3x)5X7c8qZrW0cd0v23^6gR#yMwO8#^`_%!AZI@x(
zbE<l>dWw3Q_Oza*ZPv53XY?HHSv^;KPS4Yx*G=t3JzslCFVJ4mi?rADQQGVJXl<Kb
zqP?M)YH#Xg+FN=#dQlg~JMUur>eaUEKJ5eDuYIUjY9HxU+Q)je_K7}5`&6&dcIaa<
z-W_M0Xsk9)GEO(nG|n+DFfJ5Rlw>he$r7`aY_V7=7rlyKELEz-GNneGsT?lOQjQSk
zD@Tb7l&RuErCD60Oc(2v8DhOMQ(U1OE3U+z*j370ahI}0Jc_-g$CZ=BCS{FyLOEGH
ztDGsGQ_d1EDd&rql?%j9<u<WPxn1m0?i62Qckg>;BSwsmDr1xj#i5EK4#R#*t)huK
z>|NC>5u!mcM5E#m0VPt5SE9rOC0a~WV#MJ}teCHi5G_iPXjMjvHl<iBP)3P`%4o4j
zDG}{TsW@4w6Q?Nk;wGhC+^ifgZc!GCTa^xRo6;$6SGvR<O1HRA84&j?OT`1qGV!3Y
zTs)+#5Zkd=_kprOe2o3DPn4U)r^?M@hjNSfOu1F;RqhgBDff&0$^+tS<w5l;b-((x
z`i=Un`ki_vMzQCr=c(tb7pNDiYt^6BpD}J#G*zRW!U**$IlkS15$+A@jp|LBLyOd6
zFn5X5;xW2SRBu*qQEyl8Q14XlQtwvp(K575^=Zs!yjrDJrB!QVFzOwvKC3>5QSpoF
zOX|z&ztmUMFVrv9U$6stKpoVgv}i3$%f={qgyz%y>Z|H&>gyOmzoEXVzNNmcP1Fuo
z-&Nnkh<dyFf%>8Pk@~SVU7MkPs_sxfQ+KMn)ZOYHb+7up`h#|;c93?M`lB{py$JKK
zv$6ZRRqNKev>uGOS7}FR6SPU1p*3S>b}43N*Q)Pm{n}D(IY#NpTB??Y`B=JoFUIn>
zs<&YtwoF@rk$XAD?iHF7GqqC9t!~EneiLSLk7*}pCu+UgOl_JrOB<)n#SHHu^?CIL
z^%Jd6TY^zK%~>zfZ_zPl#oUx;ucu?IaHGE7vCi16--<cfB^b%yhLQa3#z^B-^x_`l
zEaL&=4&!lSqw%PIu)fjQYP?~*iTUz7=&L_Bes*B%mgc*vrs|IMSRcT@B8*b#pXS8D
zvVmp`>i`mRd{Y1!&`$yvGIWgeuu33d+yX9Q7<3)uMuJY`ieiRNqX+7nu_Lcv1}<Uf
z*MmzL#@k@*wi9$3ag{UlbHLQs1Ns0M<7R?>4cHCTKt2>a78nP48TcTE@d5Z?hC!oU
z(g`p=1k*Esej@lV2G&vp=5_+TCYE-9qZ#@YV2o`D`gP!A88pH}-zs5z3ZBc*F9y$J
zV0}ekwkXj53aqpUtSm_ASAi*QK))8eiXlggt04o%XW$JCtZ4{A_5yT@;|7LtC-_E&
zaVz*HhH*34hJkUiAU^^61~7#KbP7xN07p9bc82~4_zs3a`J*%d{VecZ3}YAgZiap?
z_#TG-DEMB6BLj@_BEg`v?q?XEfFA%J#Pw0&hZv4H@WTva518}-bjk<KDgb>Qn9=|o
zWY5PK29>qP8OA*DCWd}C_zB=Cr1cE=X$HnhLTm<}2daP<Y#a>UVq+5cMH@$fUjqIG
zQ2BVp2H9sT@EWiJc-;oYzs<&v;5Tes27VKG7q}XDkAbn65bxU{yHa`m5TJBEvO#fw
zY-1mo>`3?tpz;S`42QQ3fZf1v0NIf+2<&Aj@nCu$P*T9317AWWdw#`GEbxBd8(bd;
z{+6K}3jU6vknO)`C`W^T0DeLEAoy2?LHQ#+0HqiFJMbsui@<*|luN*WGZf1E0fs{U
zB)tKQErkM+K=mAbrvyERK2(D0J^E4!iUWPB1QzuL`c?+Y82VTVYzheUwTx77Bm;}V
z0(~zd4IItD7K1=v%*X)8GO*DgFy3XPgJEB3;~C%t8=2rl1~wXml4K(XoXnv1gZv?p
z4<?-eYD+MVW)y%a4S?DejI9}kU`hiJ$AhzMl!3Du)NWz?&2WO@Z|U<+aGs3{u*txd
zfWX+C;Rag_Y!L{B^doox(h0z3g}|7e;RTOiU@Jjj+`^~=k7Qs&MPMAm7z;*QK%h1e
z;~K^x;1UM4i5TZF4g*u(0C5_)+(rQGVu(}0lpjI^KzRVfNnp~OFdiUX0V=Z?ku#nI
z`x)YNaHWk2V9Em^&Hz{2m<S$YV-mQAAy6MNk6|1Mrm_o&bHP+z2~&WB8R8r;<(V)U
zIFupI10QCi30%t%Yr%Cks2tWa#KmCBGhr6c$Pkx<$wq`@0LnigE(KHG2y+0+4`Ci~
zI78NLs!N1T0Ob>)J_)lh#sV<u4N#wf85yGoO!)+;@51<+u@F3!L463u+l)Ri<p-cX
z0Ap~*3E&wFYWp!JXHc1;d;-)@U^c~A1*ZG}f_!?kjZ?sse}MW1jO!UxW{zWs&EUB<
zs0_?wP#;2VoCKA<`3&kelolK0-&O|oElQgW@-Nv4puPn2Q3m;O5rg^?jNuvN$Kx5)
zpI}VSAb)i*sBgg-pK%$ui$VPi#{3NOdk;gr1zuv~3UDuj`WwuR8RXM`2K6PFH!$u1
zFJ(}_fq4Xje7Br|S+T&pLPGW*D<Kme0?2;=^&yylGswT>CxH4H%&8a;gV)$d0$<1w
zKZDmXFy|J^dIo0SLfOEeF$m`A47yI|0QIHxmZb!h!)F;PZYi%aXpE?k4+wPqb%t02
zCLa)L0kS(l<1dA5O&}kVeF5<{ID{)9zrzs3@7lNu{2qhG1j_q1t_E*s&=^7az{WLT
z@)JPg1%>iMxE9#Szy`KZcG*Y-?_~(``92#y@Rtl4b17fhAV2-Y5LCX%)&v*u8$(<I
z{@uoG@Lvo;ZNT3)5-^0$WQb?LSq!Xh2sN8QV=Fa>p_~V<W++d9>lxUl7wQy-@)Y<e
zhOz}b6_|zeP#;z3p&kSICGc?o)vK*w_=7+;R#A@#WMdV1Q@bF;u4*?xW%?8Fa^M8W
zu$hYTsIG<#JE`!!dK%>Y;IjZKf8T>I2FM<;fqJ<O6dLskhC+F~nn6BS;XeZTR=tj)
zd<?!Gpz?SCd>_L&1^fWRK-%hq41;X7kzrf}ew1OX2S3JeIKZ0#*wPURehPq{9MNF%
z2Vg*NmFx&RIpV=6*XkR%ekqu21UNFmq$}VcUy;24M;7=)h9eLB5yO!Nru+a7@-x{K
zFfIr0U>H|`KVukYfKhG<#`$2BTY>@mYAE6ahZC$Y90g#N;V1$l0KriV))|h`;0T7J
z6l^dY<zU!_;P8N97lH$IL5pHID#5T3!GZFq#V{N-;8=!Z92n)BK&#(c62oyAIGN$7
z1E(-(C0m0XH4EVb;6h*|WRz`<^af}hTpPu3%m7m!N^pG^xQsz->Kf{y2HhP;gZ&K0
zTrlZ(Fs{!7Q`&%|4cy3ZECdG`jz!>pU;rR_rHxMTY8&({%ACaU;L~k%fZ;QOIum@R
zjRoMdfOBx2bUu$kbyB;4p&kpqkfD;!YZ)rVeGzayo;?(NBXB!p)O+m?hD!OplR@=c
zy9>A%VNL|2z7SN>>we%F$Yh6S8C0jW=YW@SeF^wq40R3o6^42$cq{NK!ki3#jX`x@
z+XlRW>np(TFsO~t(56UGTH9>|!5`X~4@NzZXaRp_qZRX50XT4ueCUxtEaZp5aRADd
zhI*?f0_l)pS3LtjeIh&QIY0&E%fN1+3i3{HH82+PSKx8LOvvAZ;SU{tpm=roK!@!q
zULE=ow5P$)Pa+H4%g{E1`)nX>+7Ba;eQ7O5f^=ESAbabiA0Zb&9VU?Nb+k<qdEiSK
z+Vfz_1Hl9?XJ{{iudtC1zLKH61is2f0eAz0d`N3a5=Gz}8016!MjNBRC`$zGbuh}3
z1nQZ74}<)y-)o};d>?~+uitN@6#M{#c6Rj#ZIpo@VQ6oGH`+j(qd(5j-Ue^7;R2I=
zVM{7gI@yi@zv`qP!3&U10F^JD^dR^EiVM&_0MqjXKkzPt%Ao$9jY{zQ4DBN@#YLzB
zb~31p>bq=IgZDDDPr&<Zi~)bn&^`r!VWS584MW=j{?^7=@DB_s`}&VI#tD&E&oE8^
zk7pPsf+qkI(f*?y$~%%_oD6Pa7-%c<rZ9{%!BZK=+29!r;~elz0Oj7e0DLsVSPQ<I
zVXOk9{1A*a;7ttUVj)a}A&`#gV9*@hL>(pIB|~ANo)T!DZN@VM(lZknH0L(c8DcRw
zgF*9D(_)BTa6W_Pn&t=wUdj_D$}xfFmnO<00WWL{6XlOU^Gnmq5U_)ZGC`oZnn`g1
z;w&(HPoO!Q34asB`Cy6{pm~@%h9O`pli~$vPG-V?1aTo4J|ocl%shl4E&?CQp!u13
z7(=WB*D`3XX4WypdNBM>pn03wzz|n}8yPeYGXo59B^YIcKyxw^WrHBD0;7x&Xntmr
zt^ln~nxr3~ECG{009q?FXESJSVa{RDdZBqV1A92aJcc1Qfk_WQSp%lD0a`~iDLp_z
znKb7y1nR9BWGLi|`3&(KxP^f|Az^kfXdTh)WMH32m|YC<GPs+ekS{20K<orldI0v5
zgn0@>>;j+4z#fw@Ph-$}pLse1`%c27xByz?Gs%|#&3{bt6Cl0^lWzd*PYILi03dz<
zU&2txhL<vwG2qJ>3dMIVgVs{b4GdaaH?L>VTAg_VLmURakwNQr=1mMy3%;2_Yk1}@
z3{eNZl|k!yCgmT%%e=y*JOi}0XWqfUtGmLaJOi}OXHuB}L?ifa2Cey-_b>#NwR;(~
z{%4Y10D&@R-p`=5K=T2Hm;io|p+tipVu*?0hZ(d+Xg<OaR3FKv0Ie6AWJf^E2S3K3
zbuyF6A|P78RQ>>3Gc&2o0iqTBB!kw^%%>Q5T~(M*GiWW%+{_RQz|SyfP0f6kAr^w4
zW6&C#`8-1`0>8kZ^)_=0L$rfmWYF51`4U5%41SqG>rdvt7~&N0D-4Bvw3R{o66UK6
zTH7#RW6&Oj`8tEvIm~Sg+N&_%V9=U}`6h$*EzGwVwEkhf&7eID^Bo4Qg_!R$Xivj@
zk3s7q=KBoV-!Qi`XpO}DfI)i|=7$Vg^DsYR(B6glF@x4W%ug7!k70hwptTTl2ZQ!D
z%+DCga_~+D?RA*D7|IIpZU(LQn|m0_b>O`WL3-_DC>y|^GX&}K1q1uG!u*m!`vK-x
z4D96!b3cRj2F$M+*xwcAHw;1ge#^j~uQ0!32-2O}1pxcN!lbqUpgjchM+WwWh4~YM
z_6^LR8Q3ot<}VD|Lok13U=LZCzcB>q@;gI;t(=J3sbGwaygF6D0U2>RBY`N$XM&@F
z1jy%t6M-biNZ*+Zq(Mg9&P*T+@_KMKkO%oPum$8p{tH|H6l3f}X^sL$<N8(L5}*Py
z?C*2~9)y7&PA^amIR-ois6iOm&^Z=36f(+~^Dv+mVKTsVKqKTF@C0BY!oViZ!+|3q
zKMbA%9EC8@$vG963AqS7o1s1qKANFE2|kuV^LXc62F>T4^MD|pg|5!|z(UBC;6*??
z(s~wrJb*GzbA4wIumtiK;9j5)GJNIi2L>P?0Hb_6mm!`g@N!@UWZ2ZX5;y^JA^1dK
z6=WZH4RA8#gTbc&@RbHzIL`tuM4YdJ*8&&eI&9%w2V4djws2k!z~1V+;0?g_xIP_x
z18^&3vd3+}y$JIu_&(r%$lrq>U}%SesSE+yL15G|f<``hgrWWj-pJ6#gC7MRLp;#Q
zNw(eu`E2kL3|bR$lHCCfwsVr*0S#@4lk5&?WXsJAjcoG_LxWwMWOqP20{k39qq6Wk
zLz@I9e*m;T;e3&yHG^LQUWPuGfd2)&0{I#+=>(|nfXSu+&EuVDO9>kJ?RADme%l7T
zf$K@&H-Wbxr-I4W0Ig3r-(zU$;P-*;h#$6gegJ$389s1+%%JrG=O+ve<-<w-0JIh0
z9l$QgWni>v&OMNw;Jpm36ugh2xxt?UUm$+6-<QBwkl_R8eg>^$Ill(bPH88Azh!7t
zW`AI4Gr{CnK$`~siJ{E`|H9D5fq!LabHTp>zay;&!G8dMLMEU5#h|q+=idyi4}5^3
zEfK<UFdP?xlNmJkwNe1sRX-1$#-KT{1)CD|Tfmt>7UVVHY=(XsI2Xvnb<`WnWay`Z
zEg&D)Q4g#F2F;(XkqjL+w<;Kpbzs<(U~C3^0Uy?XbZ{lZfih;*0Ams78DP{Cf)4*$
z2Qz3sY#jm|itCqv8yLnD;PDI{b<sjOCeU2kLVYIaw}X2a2I)xl0*q6^{Q&eeO2Dgt
z)sRWwlNiQX;5ES6xb6p^4_pA5bh(&eTn)aSVcZSAiDBFWz6C%&43t}o^Z<<e!IU4s
zcmRAC!yujM8Nhf9OyO|fco6&$@GxY+dX!;24yJHmV<Y%UhJmu055E%(l+%3pnV`d#
z`56pa1IV`+v<8q5KN57rmk%2e43zzR7sL1lJcVIw1s?@WMVL3h&A=SU&x4N!j)VLv
z7&apqZ-LhW>mj4A6sQbiFW6uhUw{)B2I^Ts62m~<D@bM-?|{=72J%{v#W3CnXETh?
z!6w7l4K8IE`@kp{1Y;+79>drHZUx$K{Uf|alnbD3(BYG!4GiN)F#J&TAi|)&7Ci#M
ze#Y-$l)obAVxX=TZ3do!{5N<D!}tmOGQ;>8{4a(>1H+C42lO482q4eKAozHO19mD-
zVK@{p>`gF!0mF91$P=vtx!^Y!`e$1Eag7DWLB2o;s3f5xo<H&YpI`^d?4L;cPaSOw
z_yE!)IM!p!;CNs$p5258agY8DJ}kT}{qv{@9bcI#O2&WwLj!cHG&izR<VIF0xslcQ
zk}GnI_SZ3gzK|Q)^~aKk+>XN&a=W%Ay`CqOo9mN}2UMYmND(j6M6M_lCBh@dV44=d
zw#_tgG$thUb>}j%8r$9HVG4hZxDhY-Jcvp1GuWtk6`NTfU?cD=ObUNjgyO*K!D)Cs
zxKJrkJa{>{PMM@ME3=h(%3{0}yh=GuITs&3U7}pA+=5qwA5u2q<CvH60_%tPK;{eO
zTYLibmnu|;8n33|504b8C8`@A%N(pWs7J`pW#-`}(tdmnbqZd^TdQ7%7w&GxYl07|
zkK#k9EqKxIZM@F6Q~eyTBL1xYg%=K^@giP^R-ld6+<0~H5PS}Ggf>;1t<BRG;w8R*
zymEK4c80cIyAmHp-KO2EJ)%9SJ+HljPiNlKKGF7Q`?Vjn-?c$KT2Ill^bz<Z!>iZe
z)4PB^1)oSAr?=swfIfVxw?;oxzW}e_U5(fA?$GbY=W0*uTl81)A<c*Ql;#WlJN;Mv
z0A9;ah)9cYMifPqMff6WA`XoRL`;g95pirpYsBJ+-iQ?uYa-5!xFF(^h^r%RjJPM_
zp@^p<UWj-l;?0PUBR-G#HsY6vzYWE381Y7$k!uthC5F!!Ycv{@jAmnwu>h~+_Zmx$
zRd@yXTw@(x_}ze4#_u*B!s~y}7%v&G8}AyQ(Mx~EUk=R??MT84!cNCXyaeo*FaM5r
zOm<9n9OGzl9Pj9HEOV@KoaQ*!vCeUY<2uJ3j{6;tI-YiHacp(G<@mtynd5WEw~k*N
ze?@AMQIYYHIgtgCqa)ps)scrpHbzd0Y>u22IX7}aWM^c5<Oz`{N1hqEF7m3#>m%=q
zd@%Cy$Y&y7ihM2d{m4%v_eOpl`BUVdQEF6FRAN*{lo?eNRTkxo8XHv`H6f}gYDUzt
zQLRynqk5xOM6HQBGwOn<OQNohx-sgGsQaTHje0t2OVq1TZ%2I?wKM9AsPCeFjXDq=
z5gi+y5}h5LA3Z9%BDyO2;OK_vBci89&yJoKy)e2fdLa75=u@N5iM}ZM^62ZLZ;8G;
z`l0Ae(a%P|9K9|2z3303KaJiUy)Sxy^taK!Mi0is#-zqLV@AdJV-Ai9#5BdsiV4OX
zAJZ8#5VI=goS1bn*Tmcsb5G2}F;B(37_%*Ad(6(5uVQ|R`8(E#O^D5m&5tdK^~F}j
z9vV9-c3SMb*!I{Zu`6TGj6ElIUF?;y8)9#deIRyI?DMf(W4Fb=6T3b3lh{46`(wY0
z{W12p*uUbGI7eJmTufYCTxwi;TvnVJmmfDOt~AaS=ZPB=R~I)qZbsbPxW#eH;!cfQ
z7k72s^>H`H-4S<h+#_+1$2}SMY}}T(SK{7?dq3`jxR2s?#qEjvJnrkb@8W)q`y=k}
zco82F9~++%pB<kcUm9N>e`x%K_-XO;;ydC`h(A64()c^#?~i{p{^|HF@vp|e9sgnc
z&iF6lzl;Ah{y;)RLTo}xLUuxa!l;CbgsOyt6B-hZNSK;1J7HeJ!i27bfrJwiPE9x`
z;i81g6Ru0RCE@ObhY~g=Je%-x!nTC>5<W@TldwPG$Amu;mBh%zgv9j3yu=ZSrHS6e
zn#98r$0trsoSt}0VoT!jiAxffC!UmeM&kL27bjkocthgtiT5RLOnfTwg~Y9iZzX<^
z_*vrTiQgvvlK6L$o)nXmoRpPhB^4*Rk}8u9N~%vfJn5*USxIw~79@2h^(UQ>bV}0M
zNo$iXOS(4c=A^rl9!z>X>6xULl3q`GH|gV~-AP|1{gCu~vPgC$$0w&H=Oz~>mn3_V
z$0Q$`97sMgd0O(($@7!jlY5evC9h6CJ^8%k^~qNzU!Qzi^1aEABtMz_eDW*FZzgX~
z-jTd7`J3dQlmAN5Qle9mQZiGVDI-(LQ~W98QtDDBrc6nhnQ~l8TS`YtU&_jqlT*%0
zxiIC@lxtFMO1U%Tft1HmHmAIp@><F}DIcZmO8GM7`;^~O22+jHxYX3toYaEU(W&m#
z>eNG08&fBxHmA->4W=$i?M_{qx+?Xw)N@nUrCyP`A@$bOdr}`xeIoU_)UB!8Q+K59
zOWmLPbDEkKm6n*6k!Ge9rIn@m(#EFMrcFp|N}G{(Y+7sD;<Vnh6=|oXU6^)d+RbVA
zrEN;vlJ-X0M``=gzDfHz?XPq#Jvu!pJu^K&y(Ha}J|_Lp^gw!3`mFT1=?l_3)BDp;
zNIxb0?DVzim!)5ueslU==?|tqp8ibwOX;ttznlJX`tJ0v(tk+*Jws$TGU7ARGIBEt
zGs-f28DleQGbUs-Wz5P5W-Q9+&RCkUD&w?_b2HXuT#>OM<MxaPG9Js=obhtTn;F|P
zc4mB)@k7S%nIhAX8K0S!nVVUdS(53?JSek1^YF~0GG}GZ&0LV#nc1ItLgp!%XJ@X>
zye#wD%$qas%6vHUsmvELw`RVT`9bEc%>9`^X8w_-WJP8rWTj{2WsS%x&GKf|WF3|@
zK5KH;^sHmDTC$GMT9UOq>!hqRvd+)CIP0pc8?tWCx-V;E*5<4ivtG-3C+nlEU0M6H
ze$M(UTg#5lPRh>Ac4m*vF3<L7ADkV?J~De+_OaOuvOBYvW}lROM)vvH7iV9UeM9!`
z+4p5{%-)>+a`v|D_p(39-jlsQ`^W4*a+I9NoP?b0ocx^P99K?t&Y?NubB@ZHlhcy3
zIA<W|q@1&IF3h<sXG6|yIrrr}p7UJJ)||I<KFRq!=lh&La@E}E+|=B>+>yDi+%dUz
zxkuzS=g!Fu<{qEho4Ydi<lJ*|*XLf9dqeK+x%cI6%zY~Nh1{*VZ{>cF`&sVix!>mg
zlKXd_o)?psoR^hn<rU|-@+$KVlArT7$qzl}=C$N4%v+q-o!6JQEboN8lk!f@J2UUx
zybJTz=UtX}Ro-=ZH|E`%cW2(cc@O4o%-fXrbl!7$Tl3z@+m*LJ?>AF5W6TsY&nz}Q
z_yoAoY%*u#Bj8SRnR&8#u6c=hoq3aakNK$ithv>E&)i{tWB%&YopH_#d=OmX^f?d0
zhoa5Sx%dRQ*LjljZ0CCCHTVGde&;6V3(nV_+nu|dUpxP_bSufqu|`-f>mVy&O|y=(
z7Fpfaa_eO4LhEvT_Ir=D$$G(h-P&&Lvc9(d%#X-V$j{0z$S=*W%s(hUkUs^V{<h?I
z<}b@XIscsei}SC^za{^^{Kxa3&wnldz5E^d-{k*VpcTXw<P{VbcnZc9G!`@!%r0mt
z=qy-Ta6-YU1?LxBR&ag6odpjUJYDc|!CM6%73?kew&3?dtuU@IqtGgJ6;>D479LSJ
zy>M<}N8!@KlM2r+Twi!i;jM-D7d~G2T;Usq9~AB_{I2l#5z2_95ji7@MpTTb8Bsst
z$PqI~1V^-w=o_(W#F-;58gbQ#n?~F{V$+BhM{FCheZ;;IKaTjj$WfG3lv6aKsJv)w
zQA5$>qG?6P6fG#~DOy={deQks7Z+V!bW72F^0Va^inbQLUG#C$&Z2!q`-^@l`g5c*
zGHPVP$gGjhkwqg*M^=t(7&&8P+sNLLCyzXL<Rv4o8+rT42S+|R^2L#FjQnuqo{`^<
z{JmH!jw{Y6&Mz)4t}H&Zcw%vL@v+4Vi<cCiP<(pvg~eAC-&lNi@y6n3ieD*yr})$2
zFN%LG{(F>TRMM#2Q6opWM~xlTFlzFsS)=BU>KL_j)S6M}jJkN#wWDqu^}whnMr|3j
zZPW*&c8~gI)NiBJ(Xpe`M_Z#yM*Bw}GJ3-3siTh>y<l|D=#`_-7=8Ze^`oyCef{X$
zM&CR7;n7cyeqr?1(eI4jIr{6-f0aa+q?P2CxJnK#IkIF%$=s4fCH*BQmt0tKZOI)a
z8%s8qyi~HS<b#r3CHqT$DmhRZS(;SpEOnLEl-8F{DxFq(OzDEs?$YI@Yf8^4y}0z6
z(mP8ZFMXl(_0soCca(l!`a|iTWqMg`S$dgOHoC03EKqh-+0kXKWgTVxWvk21EL&T4
zdD#tRca=R{_FUPUWgnOAEBmSJk8)9Nl*g7QmuHrn<s-^V%H8Ev<p-75l}{+2Tt2OQ
zPWim@1?3&(z2(cxSC^kweopz?@=MFFF2AAtw(@(*A1Z&md~^Ah@~!1>mcL*AN%`*b
zFU!9x|E2sdm+Fdi#k*2n*)Gd9(pBd2xyHI`T@zeQt~stY*Amw<*DBYkuJc`&yKZ#d
z<9f*TsOxFhbFP26wz=MOedyZh`oi^{>sQx-iinEXij<1%iu{Vw3U5VC#bFiWD<)S=
zuQ;ZnrQ-OCB^ApnPOdn=;*yFD6}MH~Tk&|svlTB_Y^!*$Vn@Zkif<}@tvKM0aL2mS
z+_~;TcM1NU+Zgwu?tuG9_cZs>?)mO^caM9Sd$s#?_j&I1?knBbyKi&f>wd)jr2BdI
zEABVl+ub|d``q8SfA$DZlqb=X;~C*8^;CHd_Dt|JdFFV6o(@l+=S0t$p7ow9JvV#q
z@@(`x<$2k&&GVsWr{`<WPo6<<q&LBv?alX=d41l4y!GBm-e&I{Z_vBQ+wEQIUFAK^
zd#-n#_X_U@@2%eZyc@mGdSCXw?fuZZ)BA<@JMXXF1HK4ftS`lv?aTL#@>Te%e6_v_
zz9!!sU%PLq?_}Rv-!;D5d=L7b^}Xu*$hXh;i(m04`g8mx{z`v?zsY}`zumvwf2x0-
z{~G^Y{*C@E{x|$P{9pNhsZ=UsD>Et!Do0nkE5}v_Dvzw3RynhBV^wigRc&XmrMJ7Q
zc7AW$(zb!FcDJX#0pw|{bu)RH{7h9$W0-20>X{lP)$wz6{9GMBS65Zry|BBhZ83tl
zJpp>a?P;VSZm-`bpL18$2V3w5)aqN>ds_xN7j(2OuWt!LwfffX{$LCK;#+@%Jm=7y
zrn|8L+6Vg^<()>(OQXz7WB4)oKpm@G$12zH<8`cZJ*!;LD%Z2h^;L~wl|79f$~ZLl
zj~`NRyi8~O@O1DO1ij;jwDeNMZnwYM?Q>Hu-JTlXgrNweVqQ+pTRUNXuy<mAdq->A
zM9#;=f5u!Nkm2h&BlWct!|EZ``osSbt=r>cPx&}cKK~?X+({wb5TI@n;+Ii|!g9<$
zHj$5Q<7eCWy_01GG82I@lZWE*SIRj2oDDxG>mSp^d1zWR(6unwJJ8t?9H7M9o(7K$
zU(X(>=TsUvl?K+ff#Yi6xEe?;x5v*RE4@vNx_i5191W~#14q@s0U9|fE?g+aQ>ETh
zLkfEuD>=SOj=hrOsN^^*8=GbD=6|zhCB^Obde}l$oJ19CThll#6uH|YuOT4ETE($e
z$)`P4Rnw(=r?Y9M%i=S=7k_qd`v0^N7ncSyE^JoKRKrvU@-#NGl^Uz2b3vFMwo4<c
z*~m&XvJ#DKo`8Gi!rtK0wwW@YGl%jyv$eeqe{Hb6Z??QYd+3f#ZH)amCmLYm1;)&g
z(aafMQaz0|wqYo&+cSpBE&NB?pxAkXoc-Xi7Kh`m<&sg$?LjS<t6IuB+(=mman@_?
zCW>oB9Y0sc&(-mBb=ARP^&>zJpv7UUj$!|~t6QY@Ekjvtk)CV`XQwsfSx=*z({u+~
zWsB1$@8Hj6QtR0!^U@Z6OzK+4D%Y{fb^LgpU5V{Vz$(|X%JtQ4VU^M1u+IaP3y0KO
zDAQRuJRQ`1-@+j+y%e$AT_szbMMF<Yjl7&r4Li?Uw+JmxyDXCJoDXRvyDrwV`t^0~
ztdvczRvF0KaQr_ahhy1MKF*S_a`D36wze+({mIt$mJVs>4yk4bw3ku%xLk&w<K%p7
zEgzf7&t~%bx?}|Mu|Q2%D7z?BoRv@;#47k}x`OmqiF><y7PWPA&bt3+4dX&;_jY#U
zYBx>|oC#U`JdLvUfk;Cn$*NWQy2JIYft7Ax7dLQ#M%LXfa*cJpLs_V-?hR!D%@Jq3
zlH;i4I4T2uGI-y=8M%_;M)ShYRB;kjzWz{jXn<r9_j)+GDvqv-RjT14RaHG8ojzbY
zohu@>Lj(WQN?eC!Q;c?qn@-v8;>>PXxKuS(57?zQY?nq>vypXaWL+9rmw;!PY-g6q
zd@dWx=dw^cv_jrrF?0u6_cY4Z#M2nyL<8*cK+Q@S&C2051MLvIv4+CJaioUZE6W>-
zE8D4(ngX}Ck_rRJz9=*8t(4DsWk-Q~(s*9(J-n5&o_T9znea*<B8Y6_ywa68BlCb{
z<L|XSC%X=}S9%V_$=W`v;$*8h*(xg92*SzMaAZ}|0p2Q3sD><xAoe}`jMJ;(k|I6t
z_EvK?t6A%6PPUqJTg}N<bF$T(Y&9oT&H1b5^s3o{)tpc@CnOtFw|5LjJ%*zm!%>gn
zsK;<*V>q%g9N8F-Yz!+uhU1jI3?gIYYgp?V+twU)4adn&^~yfO?X8vfJaPo*_STG9
zFn0m|pW9A{js<i3iTfwIf)iz#0?Xn89x7cpk+lLGDuEEWiqN&tAk-BkqkHNDQt&j^
zj|mC22*y>w4&$x21wU>D@xPsV&`v!#JazmjUJU&ZXef2Nr^Gc`MZr`_?KtZj?R0BB
zA;A|CDnmkbNT>-3bs?c4B!n_j7mBAY6i;0!o;t*1cc-pkNPz(E4(pq6Vrx0nKglGh
zhoX=)mbcUNa#Epw$`$Ou|F%)Mm%uqJZa?p1JEHpz<;NGwj}Q6j=%YU}><TVGEVUgy
zi-L7+{lW3U&Q9qmUyZ-92Y<r3yK4?EH}(goEdo!3JC6wV^aLjbJLk6sj~tjhFsr?(
zvz>bLDeY4ibvL&!><mr|4ov4~rz~o(U(`OOubrIltF4jg^mli4_t}xNj6bMM*C_U|
z5b~!TyS#44I$RzK*0zuz4pLs`L)nFtm)5q9{$Lwxvl18aKmO8lf3O{CEvB4w$ec+1
z>gu}&mbZ6vc6!=-7j^ehcKU+@0~|rmqV|?W?U1`Wk(zvl>yA(M{%)V_2tk!n38|-@
zHp_PYC~<j#gisFbbmetBz2Wjuuuw*aKm4CU@-?*n0XMZIAlb15crq8@5mvxW?F#P6
z-X`Ftb_HkDu7KnSGvJnePk`rw0Un?Qcu*hUJ~hD8s{oIF0z8fnaBmv$aGV~F)62Se
zS(kcFy`EF|@|o8@<LA8gbF7P(b@6d5K8}TFGyxt^1b8ME;4x8v$4dbp$HLRI01uP`
zvSaoH<PZguRF2cnaR&G-z-Mw8jv%a=pEdJyoIFzq@Q5V9(}w`}-T@w;1bBQBkiD5F
zz!QxC_wxbSIe7wAcCu`O04F4SEZnotI9VQ@1myGx_iX3zJ=te?0<zBlab&X3z?mI{
zwdR>gfCmNvo>vBHIMcF!_5^D9@fuED_NBPUkJqp}WPj-i$fXHSpq3x!Sx2CjALq$O
zpq5kTIY^+EAFpNQ-Ew9Ta8r-v3CLa-#Aj~mqfiv7YXng@2BKaUB*(D<w;av{cnKxI
z^O`^%-}7+P9y@A|Om^X(fQQdK9JPm|_Hfj44Z;(U69eeN_he^}i~O9IpW~H?0M8Nv
zUQX7_D%JCukCpJ*O7O*M4#G<f0iFN^e4LPvmEaYI0FU(pJi`d^U^~Fm`~c7W13dH&
z@R&Qms}BL52L$Ax1bMJaGAqx^M*&`c2=GiGz;ok3Bd0D0d7gkAv*B^}rX0-RBF7>}
zemG;T<;V|boIg48Lt*DLUSA0C@ID}y8E}s+h%qpElh+3VJUkCnb9s@YCfwun<d6?%
zoSq!=;fzy|Lp~HmKI3U^fak0MIn43|cy%qnt7`!{=t8w%CFGzBXPoyj9LpHHWZB;2
zkaB#5ioo9F<*xuQe+76BAK)Q$Kn}VPlH=qFWI#?Qu$aej1~^V$HVp7wJ`mvC1~{8?
zl!nS>hqNzpoVBbcPxk|IT#xRDq6U$}K~#M~RBzor=>WH{x-r<*-QU*H)*cKCu9jer
z48ucPUv;JILF9q%g?gY+zk*n}Oz?VOfamG~o~s7}T*G<Z5|Aqi$TT+|Jmm}UDpr73
zpzw=6NF0qZ6E7|Xc=i+ERhU3Mo4l^URu$fE42z9{uoxH$P(LI#42c*8a%Pd<kch!)
z_-aUW`(+CPqO?Ke8W1@HM9u(_GeG1FA|8N|FrTkThxlceiTlzoe%VRl41-(_R2vE{
z9p;zaChkkW`8{M#oRM|heqJH<^Rk6swnw<gI?473XRMQKk8s8s$j%pMtby!qamML+
zslwrm)AMqAvb%NrWdjXj8^|UZXPlmFl5xiA$tD?RoSvIUo;atT0mKQ*F$c~#VL9f&
znLX?$fz2jIA-KV+$We&f&yzntPsaRQRQ){V@ypuh_RES!WLp*jM<}~D+@NAh6uKX>
zysU+8f34fT0f8UniIQLTXt>V`$^ORemyHUDoi7JhZoe$PAU0UNJ#fdl9U+ewvHu`7
z;dKH(uM_xr4c0FkPPbnU7C@Y)Y#H2s*`a_qdfA2GjQt_I5S+0;WEX<7kS!o^mUu$%
zmjfx>XUE8)6V5`GfnbNOlZwj06z+2wk%K9maha5zj@vIg9T3+O+0EdL^C`O-oUy6=
zTt?)u3l~`fUhnkts)Jt+v~Z8plWW;H<Men9!p}<zeqM_3^HKzMcBHzz6yfKk2tO}H
zfNbybnuMQMA^f}w;pbHdKd(Z7LSaK?QjX-@eqNsN^YVnBS0enpGT`SW0YA^b{jw`S
zVdKo!gc66qmgTh&zZ_&C7*8~%!1sBo?zg9_D14zJB>MxLvuET;3Z;-sgzWur#)-<2
zJ_;kdq~2@i2?8e}TVA)HCog_pJoj@a;^$7p&+Bo1*;Au1vae*@?)J+r48_3X>g%Nl
zy&g{${cw%T&Bs1TJzWExSn_od_b=;aUWCO?DJ{Sc=&;bfl&|!)FP9hku))?Pr8fE%
z94X;9cQ_Cy&|?!P)Ndz5ObJPr36Ufdk^&_}0wp9_CPWe^M3PL11eroN1j+(2#VlFI
zOp=UQ3KTO56tiR*Gf5mXNit><WX$MxC}I%BOC+O(AY&z_NWl~*k&F@o#|S}22&RJX
zmZNNMqpZ##DkAuqE@~0H7y>X+Ey6{ri?~RQzZY9>OypmjQKOA}RQtR>*&l)IGZ~9d
z_D9}o*;aw%<BhUE@;1u;2t;)eBvbdu^?9!c9T>*nnBLH_F4&Je^|iIT`g<4Gy82q`
zfO?<-XaoYlcwhoB5jY$;0+<9G2}}l>fGNOHz*L|am<CJ-W&ksRS-@;y4p7UhN)UJj
z1;Vg(C7kiX5`@sWhaR#QwjlAU4FtKk)YpPc(k3thL85)&u;dL({;*UPmd1o7$~iwv
zd1r}oFQvM0e0AaY>ca8WQGE7ZF-i7gv}eo_(6+HHVdt17Y|hYQ^(}3!?HwIK5<{jK
zwwo+N$VDjJA6m|Xb9iaW)(@R_NTS4fe;Gn!$jptQxEudrX5NCPfWype??}_tkeP?}
zrE!%l61H4j*m8AYE$YISs}EZa4W9jMeb{pKWCDB3I&>G~HW`jKt|1NEyQZ^{MngN;
zq0nB6pZBr(5{zyq9@@<g1+5_;4BOKVhYu^}rA*Q0HppIog%C30@D*5G4wcoRHCS8>
zm(^jbuy(#M(hXT6Y{hy?FtieDhr?1VYTG{?2HRsBz_t+97Q;66k?Oo(PQtL#f$&tL
zY2zFuoi{9kumTutAP}!ghJuB?=ns3*Pbu=YI>!b#Q5=&)DNYVqL#pbp<WQbQf7rJE
zu=;*_vME$Xn?mMo`bU<VLJ>9%E2H*KJv}~r`-c;w{rXU{_2Dv!S%;mkhH!2g!uD$j
ztJe@#uR*F8GD#CXFZc1o@q|l$LpT*oXzWxP!>NQTKN=>!i;bOdxJuH2H~d47R#L*e
z`yUEl8P=*YoGQjgc3PDb8@~lW!awZS9P*5Ghzv;*-U|plT@}`}iga0sAKk+a==_ep
zP=FeWo?jT?OZ3iwE#b9+P_U}7K2>(^5RUYo9&+*Ykc+4PLq&eYfC3J4vHivYT@6)w
z`Q8Ct_>Vrf8&-JVE_9Hp5nATEp(ZR*ZNN2p86hl5E$w{}iXU%lgztsz6!IRP4Ck~l
z?8g9Ek>67wA(Yc$Z!6H{VHxCi7I1NPDD1HJ7wGb^uu|VKLurLI4}{BwtcLt*10J3e
z^7_zg4!A0#sR<YQ8j7Z|e-Vz;hO$g=KX6zS({O<eH8u7%-n2k4+P477tqc1p>|Q{!
z_ZT429tK^IN4b-Mvx!)I2g&^mFmGu<IC21o$#j_2j)T1c0ci@IVv_?$xz7Q{RtJvu
zz62y}c;JXV50d-nNWRC;2P8^wm_hA_hFy`nBebgDH!vUJq3zH~6YV$*ol>k=nXu!>
z;zU>q)e0<8gs<7Y!V{r#Noy0Vo8J>Ep;(^?UkjC0TAm1nvr8>vvCAGLd%OcFRNt^f
z5qcur`C*|Vd@ZaWwzuq<y<z>lVg0;e{k&oQykY&kVf|z`DXrlR>nD3Hz82Qc8`jSo
z*3TWbpF6CdJFK5Ote-oqpF6Cd96HG~u*PBMLrT1u;|{Cp4y)=8o6;RtH8gC(Do0pV
zcUV<-Sk-W2hlP(&a@AqAYQh-_)htXP!v?Gg>w*;zTh-9;6!XV$e6>S&!y1H!owUpm
zdR7iLW!6IjFIw*i-Nh1zokpmW!^|?QX{c+%wXjy<&IwB%p=TS1?uK;<kOsj{{32@~
zItR#d>ePo{@NL5hO`LF)^QOKQIc);btf{YsCQUfXIa6N?Pnr5!<ctZY%kiR3C+@S*
z+P#b#-X#NVee^4@!^H3%ES&aXN4bNdUNV3)^i(0SqisQdNS42n96CXm;rDPFy1i%x
zUbvxz+PYe4M;1b-E%e~0d%Nt%q#Sx?KHiI2+}3a3vd@O!#L})*gl^#nVrk|aG8i@&
zrOCk3XvAzbNNhL~r0F0?;}Ns@AlU|l#3qC=OwrJpohY3`fo?bqB7XF_Gbkl?-oSiY
zm-)6XU|W~@AzdJ_F7s_&z_u>)!@A55=`#Nxy4YtSU2q!GWqw$f`Mhq>+SM&*_rzou
z$x;`Rq+O&yx{yG2kt}r~iS0s?v<nGCb_t)cF7lLhA(8DulC%rf1?c@a7cuD~S?WTP
z)I|!U3kjr)WT^{DtP4p}7ZQea37@ep@|1NUk#!-dySH@#er;RE5Jc+$2cqS|5gh=I
zXt8ia{lpP16^@vs<A`ZGjuYh(Q+3FgtmBC3I*ypI<2YF!F=>Z9MIMim$EotzERWOV
zak@OtkjI(wI7=R9%Oj@ph=GgLd?~lcBNsQ+P~2T0j|=4y)eBe9G2?i=JT8_;RA5{|
zGk_!NB93TIaO{!CCGyxSkA3op>V&%k^0-tUm&qd<8eCr?k1OSoT1qc31bcbe*UKwy
zUb*q%_BOiP?9nNnY_msV6gfRuiS7fk%pl$&fsD64=-ASYcQfR@Q2Rko+bsx*b{hh5
z1zMN-$&CZO_<eCq-fFxZ?Y-1ZdEK>DJ^1Byyx<^DYFfMTG8>6<84*M)h9J3u<Cd?8
z;*1xE<U%)M;MFAgZUFAd#UZb!lBX;S=<Pkk;E@ZlAi3D&kqfanlgmpUx&DeXT9gOT
zRw;<qF+oxRkKE4o;{Cl2{H}M~l7V0c-jc-cVE0OyHnQj%-sb4-UM|J<t_3Ky{VNcO
z8+xPU_qXHKnDzy@+)vi-z>l`Kw*)&V6|da0z?xK5-vC-CYV{FO>p)At)WPGUo&eX|
zTIG3-JJ{RXy=;J1+MtqGo>AXG=aq5`0WY!1oL0*BA-vU<Ui{2?a3McZDHmt)x*G?n
ztCsg#`EfR2rQAM1EYb>9at8`8zsa*|x%K45CkP$gE8Dsjwo$Tfxdi~CEdY>Q`}ayu
zxxKvn>y<C><BS{zl8fkG`Q8SKr(DqW%C|9aM(c&3dWx)465hlo#}Lu-V@RaZf@^Zo
z88mdu<Fap&0};YIbW841;Klx-D{`^khf!8IW~sjqqpk22G8W>ga`Awggpe8#!?IlP
z_F*6vz9KiCd>D^~ugJXmFfI#Up`wS#Ylp5#3-~Zj3x^?NAWZ$RE4+^G<Bcg$_!jRK
z`Y<XFJ<i*PK9AS73-2HLFh*xP@z$V^w+4N@HRzM?&$xNv6-0FlB>l$=uW&ni#mh$J
ztv?@c{rPz74`l1fdw@Rgka2iB(1&q#NKf7w^zqK1&&!$Sy+9xD1^RgJ$;W$7KHhEe
z@&1vI_m6yX!5M{-ALrd7AMXf(!in*AkdNQ$go|KayCg|59FFgVN)+9*%c2zj8O%LA
zm|fH;m|e!C_|GS7$I_i)&P62(DI>+9XXw;UUyA>{V;3&EGpvBosjZ9@hn}e#N=J(S
zykn<BcZStFI<?c0;y<6U)1f=V>KG+!*C8nmJ%fGRP)?;7zJo>j&>bnVGE(F;JV?QQ
zREl;0x+(*>xiNIRt1%{PX>(C`&_yFMTSj^Ix@D;fG~%5Hmz)0vhSlC@1+9Lx(D+WE
zcd^yIz^ZNSp5JCQujuP<>+G{8cC~c(_H_4BlWetjS$Lt(nvUikXU%xAt__cOwN`ZZ
zTHUzQYqg-;LmS)H=c@1SSs{l!7B)WIWpwn)qyPVu!l*_4{XJtVDwZu<<_eM`E{u>W
zMweO3+WQw-Q_+F;E=AIT?yi1oa<H?_D&~9?yX^cl2fO;LDZSmwe){Vim7*JeapO}Z
z6+dm)r(CH#qb8~zbuxaEZMAx(`Za!BD@x19&ttXX?^&FMzhv=*_P+MDZsJE?8}PR&
zUev#jQ1DZa{)mYYN8@K6Pl{L@vBS`fOv7a?HcoIvIqDtb@pErSJ61bxalGMpFH*%{
za~KyHh@2nU5xES1zu}1}5#@{;fxpGj9<@H|s;H-;_C$Rd^;2|Iv<rV>VQln@=<}j4
zj=nE?ON<#aCZ;du+?bDIcE#q#mf^1-1n{>Hj)`rHU5&qaup{=D*gxa6xX3tXTut1<
zxZC13$E)#?_zMJ!;!lgeHvYl*Z{mMWP!gi>*9A)O_X9R0+@J7B!ix!SCA^>TQ({D7
zZsO|1Qxnfi+@Iu3DoUD(@B8N`-J7&6X-CqJ_<BDgxiYyS`JCh%l5a~9`1(E%U*A`z
zoR077zf3&{U&}8|eLnTG)F0Af)25`&ObezhOnW5lnY1s{en_{{%hPMp4@o~Y{gU)s
z@D2L|>F?v)^)J)^&d~9_`lyVF@+<YejFlM=XKc!NKI5f~*D~JD_#)$*jK4CKOiyM_
z=HkrdnP+64m$@$Uxy+X{_hkN(`6s?GpOiH<s}<jr_u-rJ)mf+Fd-9vI?#_BJ>(Q*2
zv%b#yDeI4{!E8M{E;~7UZ1xm<H@-OggzVGt)%YdZS7u+AePj0B+0SIZh;PNe%|4J5
zkuy5y$eh_Z$K@QK(}S<W*X2Bv^J31MIXiN`$oV$sm)x}6?A)^4%G|^7CHU0b8M(*e
zOYmj6t8-7yy)JiC?$fz%=DwHvV_sZdUS3gNX`VN448HfS#ZUS!&ASNSaX+8;dfwZ4
z+w=CBLVmkF5<lxZ!)!Hs%~j@^=34U#e6xM4d9V4r`JwrpGr}2zFSU#D!_7xJ=QtNS
zdz}5w6XXy1UVxwSz0`Rfeyn+m^A-G5^H<JaEzL@>QmtGo-zv7sERR)X9cDFKv#iC|
zYU_0C0&Bf>wRN*~xAlPasP(k<y!Ed2Ilk8(%y;A`=jY`Y=8wkDG#`|IWd6+jV19dk
zSAJjqiTUT{ug||R|L*+z^Ec&h&VMogb$qe?5x&{poBvh*clo~*C<TcH&Vs^%Q3aI+
zwFO5MOu?7i^9vRh^x)g=6AMl$I168IuP?Z~;F^M43LY%jT(Gs^y@K5ZUlsgTFjyFi
zueZ&@!orgOhp_Jeiz4aPew(ppuv<rD9F!S*S_LzPHRqfY2FwVGAc}%0Q3VH40Y$}(
z5di~15JWH_2r6L4h?sLg5Oqy8Y_q$6HGbdT@80|W&;RWDFjL)KU3KczIqx}j&K#TH
zY<k%Aw;5(L)@GuOlg)e^Uz-&+;WUT)fK3w3;XY||&Zf}jhD{00<9<Oixj)+cZbNLU
zX*RdgmbbOA)!JIy+R~ivE;OrqpzR3T3AT>5Znhq_i*0>vm)Wkg4UN4OQ?mb_d6Y6{
zaLj<%Ve!2iNxhZQG$~d~IORDqlqKHEa}xcdR!R%1nz2%2C9fs@2}i8ReBv%~q`uT&
z>L+nheaT&#PdLen^b^0-vK{$>v?MKVy!ra|MklF-)N*7yTahPeM(vfNxa4fn^)Bn{
z?!I!4zR#rGSF1#FUAZZGV_ck$2tz9*Ye^+3l7%03q_IJ2ND8!%cI2Kc)EB4B>M!!4
zGua4brpw%zsd@>v!Gf4jt{pPB;K$c<MORZ&LOfGNX_?B+W8rc)Jx?wewWQUzZ)5=J
zZ}VAdCAG0_B@K`Ue6=BM#EM!yrrjb6Vs`HOvnP3@Br{1dbyzPt$RqTjdPMPobSFI|
z#RsXLq?Q!zq#jatqG(6d;)hy;XJ4=Ubn^P$yQfCAYVAB~u*h$l%$Ac=N+OKAFRA+u
z^;|I7kkyYpeCkZxS$%P=^VE%^<mA`Ip_z^+D~;MqIZ2m}iBZbY+fFRGrcXVzb=zJs
z=p`E-VvJa&_x9hDLPs&()Pa@iDu+nD17`#{`A@eFSNi8JI~|xagwRE@P?BlY9ax?;
zD82Rm?S!NK5=8qrcGiBcy+?KFiLqz1Px&uSGZdDvsdMa)_R>qLK4aVWx$1IfiFnzE
z&02mmXs*uPYw6?(lMiOhGEC^pI_KSA^jy#9=3ab7cpVunsfbn@C=H@3p_N8U{KYQ0
z(+%M&zIfZEgsZyi(@#i>O@=jt*n)_IK}&Q#eybL*F{ry1O?YWYf7_GewP}Zrq^2%C
z;y!<g_ksn7y^oP7;n-o?wB*Qq_ocMykawD>&fjtI&~;tGwA6N+3}GYKoQSxUzB=D!
zA%1HOzgD5;>(@WZ9di1mh@H~e$#K(T&gsr(CSJLC%71>Ap{RsCH*Mh2{(7lFhu$`A
zZ%(`BExvVSi<V|BpRAiU*JGgln50vVhT(nKaaUf>f34@WxgI}Xvr)>QopV##5Cuz#
z$TRCqMnyA@H`S7cX^FXMxsq78-f1~>#@tb}4B;}bTPQ!0TGNj<>CA>Jo4lUBkX4iJ
zR>Yi)SCZc3H7nIoPL|XwTvxcSm`j&v`H2;2K^c>Yx{;)&H%PDP5*4eipGrP-N}n6!
z*-O%dOZMT?Z=(F>A_egzU$jjGe#qrnk7c?yxK{S#$JO>y1Bsv2d&oEgA1rf4$huIy
z&&r)ipEi>gn@BxTsxAGcq)Smmmm+Uwa??$QmE+`<F#78J=}N3MsONf?jL;97H>G2Q
zSQ5^jjEX*Zi0+0%l(8*-%6#3kNtt9JSu|-c^_05*Y)338Qx9~#_UTi`^^%f|QLS3J
zjvgrT6}kD3w~Hfpvd*hL7fsVo^GrUqS{xa|QmXVL9eS5aEu}$}914zX|EwfUrR^q5
zLFz~jvk#BtUHYseEo{z8bO$d{5_73YOBR%=-sCJ9FmQ%jCz1cDcxLsT<S8$&dKGrb
z5T(qM><FZ6_LlM|$<8Nsbe-1PhjtmKlk$F6HIo{tBv!f??6T51cs3<-@X6p)!I_dd
zxz|W)sN~oA_^%7lk6j#}o^d=rKQm+H(lqhpeKy5$Ld<x5({^*(%|1LUcezOU*HmA~
zIPQ7G#f3U#T}fL`n;d^IDT%b<JU!!lk|~!a$I<V8@rxGu`g(fC`y`9%d+F!jZW0GZ
zv2((WOMUeGT+eHR^rM`dJB5j*YuOV~d-uiZ`P1t&))1|*eaePuu2aLOOwsXA(@Cep
zq^?0yDwnmOyu)kDZqrGX4Ly_6v7BwG>}bdGSw~Y&pC;2d4-Y4&6pt*C-+5;HneBO0
z9PgaE&1vVX0%=(zA}C3HlaZC694~DPbzD6wbS9-h$k|nAjM<~ewnojAqor-eS*sjt
z+C$H-IkPHzJZ+cE={uiY&bfNlGi6R3`9oMIXx_N{yU%mf*%wZKVbDAXr49Z9QGcc5
zB5K>yCnW{Zv+{GqTuCLP-YH8`H>YEl)W18;Vbuy!Xw=@leCS-ZIOZnn<uyNWroPLh
zYeYrNuH1N$nHc1qC|<qIrq7#@JX|j|m-yyXfD9wb_N1A}Uq5~N&1SLx7Itn}&@w+g
z&xVJFM6T6)t&A@86#J8b1*AE9@led}ME#bXk>T6L13%a;#$_A*^!Cn6?VQC?QYW?(
ziIE`1bW)BYo!D~c*@x`)e#_RaHHtA!*{B^mBDd(1_6JWoEEY&D`bh)W30^CWp8B<`
zBBNG`flb-9(filM>x+&b_;6NyNgUW$QZ@m}ex-aRIq(XSY}8&XJaFQS=vd17E}kFg
zrtdeIO8E=dA0;1J>3dkbc%MyncRDymFEx}@HQL~7JE9YL?FfM<>x|m`+{CmrD%1I{
zf;7of%Xd-Q2kc9T+aA4Vmlzs%Fg#ZO?P(!lQjJL~V#K#Eq#=~b>*<EPCy3+_=SMbB
zRr*e<Pjqcn!IG|j7~A!>v{FS9I0H|$>kRFYxERWqG2V;)13f)s0~18D-YOxMw)w{_
z_V%M~ae+rfwX-mpqa7c;CpA^xx_6=QmhPFunVyqoc+Hq^$eqO|#~qGM)Mp;@cAh+9
ztfa7`!{2^_^@|GH8m-&Ae|zpmLr5;$F5D$xu5MPY-^JBb4!d!d&xpcg#%UZ$Q$e$6
zHmBLQQlP9=P$0D=gL?O8)x|ptlON~`XQoj}WE{s{j5xGxvChLcc=0L&AINFEdkLEK
zYXVtJXA42xq~xvU3jDIWf@LO2qd##ru2S>mKa}pvMa7P%L`~T|LG$HbD%bFTQ@IBO
zQcoa5zPJ#DCcDW2PIEfnLC|Ck*dTw(<TTj>oE9&2chS*{WFki|tfg&DvN+AdCKm;{
zF_PnnGW+)HO=3soq;<>PChI3JKYno?{nmL?_E4hKt5*rcoF}Kb%;U!nB<b@=jzD?6
zT1Y*RtUo7zF(;Q*#A4<ho3S(8raKxg_`0MF){mPx-`Pc^8-9Uz)<pd@FZa=FMgG$M
z3nw4zQdXt}#~Ql2vfF~T2Keh7yu4?I7<PLu+`2&jFN`7b{$%JolJk~7o^T{9!!zDJ
zA|i5qgjkr6cHyXD@j15V>^UR5=!Pb^<Qn*E`_E+D(j7A<1;>+f-14o<{B%y<zOz;t
z_IS8$bJ71oJ0ib~qqET7*yT>#+XS-eSZ?f2cG~Jij$`#>7iFJYEsmuUy@rZs&F6BO
zv*t3jPHv{uI%`g;^(cZ;i#AefJ+mS|22l2jTrTjZNDGb};K)2;c357&Ji560C&gs2
zNH(Z6rfqcbrc1fXCUfVH8a4OWPXo!NP~wbA8vJ|&(Hr<2D{`>1pULS#rF5|M!)m9#
zR24rX<_a&4zql<Y?u_n)%Yk-LhE>zq+;#gxSLlpEYy86v{7%mD9$_@zVU(kK2paD$
ziId+L_+`e|#PE<<ykas5LpBmdQNvF43G<rtCH*AkHASZu64RLi)xL!3Ox2xfK&|Vi
zo%-w&rFF_jyH1_Hu9wPc4V#toCR8LFm7PKzXAIM;1Ef(}w<SlCkL)>=uunV_a3aK2
zx5#UWyFpE67`4}~94@>mI%Zs$_dtK8PzJRw4=AYh2%4iGGAZZ9YLVp2p!R?aYDZQ|
z^~X&2m^9bG-#YH^I?vO8-aOC!$9%-ebJ&?j&wJj`^Glu!%q~;3VwV-Er+i4-?@is4
zvhRd-l=8sby&n4(JeJxwB3h+1j=Ug)$bD9-ryM3V5As~OXoV|P2LTzu$t#iulje;i
zt&$9qZnNr2GMQLY+0@dgeSiMKyEKuwn)b0$ZRKy$ni-M}73))pO)IiS?uz(ShZwzC
zuOMHeyWTfsQ&b3*3?;h+NswH$=XRe@yQbq?OI=8ezz^EdWAg|KjYbernr*7ZN<2^M
z2*v>Zl}R^D>FKxBIAgW><d-U{L&!<8UpmPjAYt0Mdlv0Y)g6wHNk}}n%+o)_-!H(x
zUr0#5wn?0@m0cXZD#(AqlI-ymq;!saoBBM44CgG#8)B|GO?HtC?ZNDW`G@k%Hz_qH
zX}P3QNxqV+mhj3e#DXQABnwjZR`ONSn*}oBg*1ZHB_409ZB)GX4ximAx`adf3n)gq
z%r=df={|u%@JR_2qLPeKDMQKkjy=fniTjh1Gj-P|o)|b}g3D-^gG*9<Wwd+3%4AzE
z?NX8*q?)~1UE7WXtE3%LHOrrHb2!>hFIh=-noE(A$B#CozPRqScC6D`!WzZ=w5$VZ
z`m5<~1NzRHJw;UiTh}d*F7y!FkYNu=6SgpAUv!dw%Z|wK9b(KcUFWMG@3N%bRIwA)
zbsb0ydBu_J56bUUJ!uOU6D4Uj;3WG%`t85IsBcNbOyD9Oue%ZP)ZFpJ*`RFw*UukG
zAM#tTGO3BAY1LC2CX&Tc7w!Cc+fTWPgjIdby?C`GWkPF7F@1tPmG9<?-2(rhys&5j
z39(U1c2X4UOoprMinQn6oPI=+L72p{4k~_6tUp;(Mgq%7eSs_^N`;L3)_kD2kD!<|
zCw3BYrRJjKBBQ+$EeU+0`gqQ}XKzQ>Hlq66zMQNlx)ftd(0_=(!7j_^gc<modoQLv
zqSuZF$5AO(BN!*TEOUx5@T!T%Mb1INQBf-meqGr$F^ATs>G_3p9HSnSe(&UQj3bJg
zag2JbBy~RK5jC;2%aqijG)*4GZi-XysY=s*$4_)$G(c1j7s!DlTHZ4-Wu|_Xum8j~
zBEQ><%x)1(K{}nx5;9L(Lb-MmCpk&;h?5M2woPHnO~wvNesbpzWd3t9<-H~8Li&dh
zb34kMZ^)X?TB81PmzcktSTG<)j8bXJZY5;p-O&+rzbdKwk6So%vY}`&o1T#opQ|rS
zTQFt3%S@@hsQKPqMIUdTHEWdpOqXG!XC!C1i4FtV>8Eeb{i;{@+?+j#DD*O1J)ZFk
zuDZIBJ^~+MJS*^ylIMNW;9d9UkM5FTFGf6~dt9>gH${<_kpaB+{w{&Pup>97NSEz$
zgj!asrn0#a`;30Nz@SinY8#MK+`V4hjQOrEhNyBff#ZJ&KS)E%OD2YDH%-}hD!B_^
z?ibXbjpfAQC7D;woF_baOgII3L52JP%7}HzV&YA~A}954JJ@5^bn$#2HuZRJ;x#=n
zyEIg4vQ4a>pj^Ll-O3Q1H2(+Po&yZ!wK|NuPBd#p@>nS~SUGldd%Ze@-6!y~j2}$x
z0*(goGa?_7#t%u|hg8I~q$g3dC#>fCJuBj-B<!oKPdA-YC+wCfY&yR;A>*v>L$4Hx
zF-SA%RcWS{KBu~J$k%P&65r9{0Lep38mlzlpDT-xE}1*q%X_4#Hf^_RN~S0;Z!g(g
zK;_qXimEzGv8<#r9r!6tR*nnpx7L9gB1P1<(TT*e6avd4PwK}1f35X@L4ENbsP86_
z+EPy~?<S~azS;PUG$C6!$||*gJ|Q;5(D9nYc=)VY=`HReU0AZFQYuphN+lQOvj>mI
z@66QS&UWh8XX?x$qaBZ?xrtK-voo`c=TNpVDTH@ViH2DBzb2W@a#-v*Pb5P&UoU#B
zKYk)$aXgjT#QemAZ=z|JWL~{zyTEI+QmBRDkuqn_LTX|hl}!w?OPZr4ZJytuT99Y%
zJrMYDREXYlpA~1XU$HzQe3cl}oZYx>+lFoWBm0f6F=9>&sk@XUdw_@q@nx^@TZ2|?
zTB@Hqb^hr2GR$$J8`71eQx$NS{zn=Lnj+FkAg(3!e#w<38l}{mM6;S#sikag+<|Qe
z$$Cz6HRdNv?~4~ScgQ3v(D^Di(uRKd%4ssDEp#0dE^1QprDlT!VkPSqd*d6Tc}N<)
zVbVWQ-lLm7g0f=WFO_sNc5PcBX-17(?lD8m=+DNd9p8OYfB(#k9@|Cfx-!DJ&eu;T
zHND@KG%`fI(GH(?<_Q&u%I>RX&mN~&Yrm1cebTzf4z7U3|Mf-vl%p?YD5cF6O9cK1
zIVnV%%H9i9)Q_*^Bzxj1B)uT|XA08GR9BmpxIg|NMgCho*kbZ<v~u-As#^~)_1f*B
zA2Mu=t)$2s{alPI*3Mj-R&qHd{djEb>cBWrYN7J+4-E0stI1^<)zl)hNiB`zJ*yu|
z(vgI-nnl+s(ykErr;#6sXAznBf%!>=(@w%GlE^jf1L+zWsU%Y<x3biWu!wr%AUTTC
zU@2YMFPtTlr9)cUE)+=unMe+D<dJstyo~z~PM*xWa%QGfD_WfD;p{h0?=8L4l7@u;
zN+O9z(+U|Tb);Sj$+~njVa{AkIFl|)L&8Rl@2z)rJ&@odjvdO*J$`Xvsb0;HbCf(a
zs9q?nB)n*vOu25fs{JC5adX{c&n_|a9?uTSyz2H&&xggtt~;VHR$fdFaTEEjWD>{h
zHceOTwjy<uc^`Kt?Md97K%vgQ#rr(>dR=PMh<aV9BO#osl?@bNC>`4yy@S1s-W2Er
z9a)hWe8i!w#s$_wGP3G|*u$CoV!~JNBPGIizlGb}^^*Clfz8Ef(l`o2Mp0jlX#nX^
zUfti0bX4-6$^>f9s7O4Ob&iA@GmGw1G7}ZY$49;;ZHtKYTjo2Z^Q;;=uhrg{){<^Y
z>M~J0BO}QON%2VPCrTY8ALRf_<w+DCk+#IFNHQbVB$Jbdlb%aB{+5F1OqRrs<1>;5
z7VFhlh{#?_h}-c$Y}+9H2*;&%j^ZGy?*~!aRw2a<QVx`D+gXl>M(Bh7hix0T%05B7
zBGE0(TP`KdII6RFDjr!<U-{rQv6L3bpQN$m6xIKZtYoQ_MoIo`glVkAD)|@Oerew#
z3VSp^QLrs9_LA=W?3A{f3?ZY~{D>H;9RgN_`h*!yNZquW?;(o>dfPrhU6Pc2Btsv&
zD<W(keXSsw`<twYK(&mKSaE#HBR1zi>~?ZP*#DD_T4mg5)Q@%Y?KNL?YQ>HxlbTDD
z?3K=+*eCAJ@niKXjq7CD(uCc(W%Guu`h#(yGY*I;eW_uhj3=Wv5tfxWWfa94H9D7+
zaMCbkR3BpCL_W<(I#XNCg6b!pj3<8zWN$!RfF&7Bh6$P{WU#ZK)O?)Gsia9HNN(sY
zo2=%%e(UD->$Zqg(%ho+&P+aXJY&%jm${3)UEPwsPl)Q#7u<7$4g5*fg~JJ%hxdht
z#!wF0=`(-pJiWwE8`MIaO(qI_EEz-P=)p7WtSG<eINjkxyPj+|tjeW&BW$GS7@gx$
zpO2viwKSG`lD2H!EBaH1-KvlXqkewKkvx%?J%v<8<`AVox=0V`0$g=W>#~XBE}PI-
z<n=4Ek|Q=hNHfZ9q%&Es{d)P*(<p=VTGey&xJzGkCcTxdy?xIx19`1_5neFfMkj6H
zjRF<2^!_cse20;-0{=H$LO@l2@Nte`;kDRlxu<!AGV02f>*sW&uT)FL`*J`1d9qBE
zemr%5n!e=dgw}Lof76NmH~*LDMh0m~YN3>>BoR`O_J2FWqygGWvR~l)Q&XPwc>K1v
zshK1wrOnmt*ghmxCG~zwRS+4oKXrfl-c-7y*UgKVI8P^aQmH4#`kV4AJp@xeIm$N)
z;fP}~wg1_Ugt{v_2@g14Dx_k85=`#*O>dLtSHA|fZ%w~%<bH?Jevj@=`PJ_P+OMrj
zU3@m>+(|x>ociP;kW(*|WTbS;1VLIxst9#QQY~KXZLI3WNPSKH6;fa0B2Jw^ZC75J
z{9O3OMCO`w%1ZY*%`Nf|6Qxroq6TY)(#35-z#{!LpCqa_&d4pQUoBJrX}PSDEY1%3
z#*=;8X##(VoW5e2^=Q<?Zx2U4q6lv+znauPM7fuOPmjw~tGp)71Uk!2&y~EtsnsW{
zvKy1u>~obw|2WMfN~yi1lw{97A41GS2+v!dsOU}5x{N0(#XYMUGnpq#3FW{>@($le
zMaMoq!1CnFSrn0eA+1PHK~uK)61#d;@Y*1~zwfTZ^!U{5BXs{7$g>FopK6e5Dfx2p
zu$-rAN5#jG_8YFU{gl*T>|M#9jX84iobKh&0?A^;C?6L`!^MGYN?O+5OnpxJQWr;0
zpTQKS-l1zoPas(0%3hURe<!Y2Wf11d@&h~_y<PSG#!Z`-i2*IyHGB3($d2ckTpnLc
z8eMu_%$#^k^bZweCa*njyi4YE+t2cYC8sje#{k*Apdi#DGZIIE4<hwAUNMK`<t1q<
zIR#N(J(EU{B|4CFZdSUams+#kReWTn$*Gbj*JZZxy&@wH-<q?k?j$Ma3!4$MKl+G%
z+qU)Vwu$_FL9NYO%O-Bwy*oB5&he(6?^m?wMhJDUnM=o%VLqM_v-Ry9Q$C5*pkyh>
zO1<9MleTA*qN0*(?pdr1U*;FFKtFK);d>&{(0ep0sma3`#OnB=O;Lvo{Fi}W$;k2^
z1e!Oz<P=9u@8C$HGFecQHh?D_SL!c|YZZTt?u7moviUNbT6pHB{$zG_fBN@8^$4Z<
z^tw}P5@o0H_L&<dx$2}ZggK(R6`h-M+^~J;_MO{y@KLLlZ(5<ZpXE2mT^uJ_unv@w
zs-^^-5U9*l@*hlHbECd=E$}I@^vS0@N%t9XphIcO#ZeAO6e`}e<+W$GCY~zN7bQB+
z+$!FTW}k#P-jfu1N#QuCSD2_y^3J44^0Tu1^Q@FM11XkiQ!>kgrORSQ@;G9~6O9$o
zQ`37RWztqwq^a@|`N;BLTRk&r1fKe1)RY4$|M3@=I;M`$4<11e!$e+rA~PZOr2c%o
zr+ma_PWDp)?N3gA;mKy9pA@!o#tO&anI;W)c18BeoPH#%5p`7X+Sd_TSyyyd=45t`
zFgU5sZHV#p(0K&<OxtKs`*JUN@|zDw?8#(-^n1gdAxzO_N{VIyd`5b9@oOEiZSh@d
zE469SOtS5qJtAYCA)<|n*9Q1)-R~!oma6#pxSjF(({T$%4_@f*Dyq-qB;3pr$7Qo~
z{d@u!>*?^ezo&;5HMZd-UNw@sWN+|9{hX-z;-4I)bk6{O$$56Q(HOQ;@8iEa;aFVS
znS&zXxoV?|*A<`6EV*!E(Yz%2q$+#%xXg~!$=7^@)R1R#suC4d5378&e<rR|ni~Ik
zftuN-##I+6K^M!KB<>$gvP#w@Mp=_cQ;feeBu!A9r@rRAv}?zxBXxUc_5)9<IHDu1
zH<McY7t@sh-b>JY=SgiU+>*#nu7=PxFU+ymRwZs!R?F`Rr+?^MdC5UrsoX`}S!zQL
z6G%J4P=HWQ_Hd%+>monjMT_G6l10AYVoq}2?o|YhBs2e3O$JC7=Hb*F;Mor<$!^US
z(wl9k+$!~!?6$J)RK$*M^^{^J=^1H30rEJ?`7cgWl&b1>TB5p~<ZujG_d-DhBgqyB
zBdIp9y#Hm2^v;u(JgLQGQTJViY;SH5c&V}R75VUrH`OgBt~VIIs_|_m`x&Y8oJhhm
z;;TG-ICdAWsCruEtzD=5^FnoFHe6LD|JkVIrFCT9bJ|;|B8$w^lF;W;s8X$(xYCn)
z6gE+hg8wg%!ZE%2LiKej7T4TcpS}LM`Qn%(Yme&BW+hxqq>!E;Wm@S-g?A3~nB3+5
zhGPimU&S|GdZ-%XzHo)BeyVTE!y3(?QeS(S``{XL_z`J(N5L2GEhf{8Eo-R2lVco3
zAyKRN5YCdS;t~=?_0M>!u33Kd4c1P{8}e_n$^4s+0)L18`(Rr5#qzWRy~kCXkP*E<
zUX<A^WMx>e-q)YnbVpOpoT@oBa-Joh8mXVGd1A>QHVx1cL-hc<x0Wk6?LV+7nVxvs
z5$i#Y)E4C^XEkI<o7+UVttjWe6_M6Nu)Qd?5czk#-dUDWKs-(cR}%%gK^`dgk`FBZ
zfnpP$>ibVh{)W#DOI{={Ry->ysO%ps(9x_7*7Nt2H&XqbogBT#&vA@SnIk$5r1L5l
z_{ewU_j1b%r1m0W@r+n_(#<}6C+oPz%W1rRyw~aMHR5pUboMtjCyDeO^`=jwj(U;4
zaiPH9V~E8&1+m~w7no~L6{H<c{^F>^$(%n=?h3qeCn=(jbbDk+>hYEZ1XQRQKQXuI
z42IKx!>E$vwXW`E9oYBEviGiOt%p%&=WlU?l{^gwcz!aM3``gI+}?F>Pl-97Ca(pB
zmNZD<?Tjl@6I+%)P3n`{9Zypi4R3sFQoN(8T4l23Eg#bXkc~pLsXj+N5Ccs8`HFLk
zh7FzI)_=s51Lr1-WBTxGq_OW!Yfa_?A14f?hC%dM`J~j`)XmgDAY&<c-<MJ8X{s$)
zu6(2^<F_qw5+#S{#98%laozxDo;;T?@RGgE?JhTEM%TYk@Un$bW7P9u9K*YhnP9j!
zhCQCjlbwPkPp(myz!wVql$oSU49`d%e^&lf@CV6X0zdM(z?<@A02FJYbrvXM7kG*f
zN(DYZ);+yt-NP#h_p)YpcCFc+_cE4Do$kDNg2Rls<4$z5uH)3&ojEL@UqrFRg(f76
z!X#eGp=A3o#=mM>0H3T};^Q`#-p8}#5#1;}c}MDKp3sq46cMW;1%HTI`_z)oBT$e$
zo_YI9@s?lxO6GYfT(Y~$n{Ja83_sb#P+KW=`}QNeA?_v1Zy!tr8^r?~IdYD2(;L$A
z73mYe$Z%!+&SPFz^r^91w(S@B$TG69jBJr7L?tsL^&pc3g)QGzIoHQ|`Ir#%L8LZs
z{4kD6Lw>UHEophV=rXZ;%ha^3pu_DWsgy)j-9k%ckE%Gucg8dipApnmG~pR_V5zT?
zn;gBhs#XBQAEnn8`taYF--{IIc+-UE^aj54JTX6C%CC-z4Nukcg=ADAPi@KG)SsbA
zk$Ur*GTE)TiE8E3dY^Kw*ZiGH^JPIEOV^I4o(r$a>d4lluZq7%eQGTz_-R4GFhw{|
z*<zK{p(o4lQobNPSZTCUEx8!qlY8&@4?>&Ed?_O}At?&k?@pYlE%u?OEHQY>J=Eh)
z+4Qw=oR=MC4|qkkNvq{ag(~wn#rwkro@!s|4BdDK0_cJ@pj)|_q~)(KyKc!-e+ok{
z<X7^PCh8IE4MV9juy}n8|I1TaA@$etpQ!JU_CqPROx`)v1pFvaeQQZ!SPe8_`0d6o
z#Ho^=$}v3k5{@XZ9;Q+gjw+--o6(VJGn0<c_gc~S_M%@YZ>nj*E?R!g8iTAs>)st@
z<SMtRV8R)sfmv4<>%l}TXo*{9uL`vIT?QkUl+6Tl$Qra(-ARTyCl}FX^6JydV9afn
z)&yfp6`+l08RP-EU>@_>$T08gAs-Ck<Vw)z8M!9fMOp#P3WYGEwd0Clrmsb7iJ3Jq
zlS_N=2d(>sYrtiOmKVcSn6+SV9cHcSVl&LTDNqcvUMk!HZZc+rfZH$|Y>oTCUB+w{
zPy#b2B`ra2=El=%WoAoQl)@~a79Il+7|=3vk6;$WV;f@@QIA&3HQS}Y4w&sz%9U-O
zF=ljvFJN}a3a=p7oqP?moLaQLnb~<Wxx{chEeiR!qTugZ1))#@^=q@k+k%$Ps|)BE
zETeVZfZ4PXAg}^*>0|}u0@miBHPmPcHTW@D$bgoZ3k0pV#`=K9bz&V@Uxw)g)*o03
z_yPmK1~912pbyXwa0HwHTBMH7t}hS^@PIdid4LbtW%X#yVwRTrI}BPdon3E+reHVH
zN^)Q~{Y`ZdBB8RAYqhJ|4MH5`LeFeXnQ2$3XeV=^S_;MvDxbQv#<Xe`10}E=h^Z;3
zeh|zMMzvbW3{a?O&vhWzUrq!LKt*3+00deF6RJ%N_JP)nQ*8#Eq1pmOL$$Rfg3M^G
zc~y2T7=hJ52!l01802EmYeCD?tMdHd$*6WxGBLnpU|LN<YdWzdH8(|o7Mqiq@;oR9
z;4WREnyTlOz!!j)^dn$g!T5q%17<Ur7|MTO%D|L^`2%K3m^Fsk7?@3h*#emP!z@BB
z5=?6V(-Nv?(J(s#vkaJBgV|fTaID!kD274dE*DHytb$?>6xX150>v{ZK2QmYT1wQ?
zqE<818ira<sI?rm_MlcKYUQEUBh>l<wk}v(uyp-qgAE0{7i<>T-=VAnWgjSGpp1hu
zQRW=gVyGU$yc5g^!rTGot}qXTc@)f(U|tCGOEA9;^T#kRgZX#V=1|*!+C5R*9<|+3
zdj)DAL+wkb{T#J_fD^&>1?K@S3|ut06mXZpJp=a_cnk2Yz>fug1N>Xmp)1%Mb=IKH
zR@8|_oeb0|MV&I#F`;g4)U`(4PN-{-x~{0Z8g;j#ZW8L|q3(UueTuq&L){SS&QOnm
z+7s%vP-jAY5$cCf|A4w0^%SVr4E3g>UI^+PM7_(X_Zjs}uwY<O4;GzaF&-9+VBrso
zRj}9ti%eKtgT+hK*P;F>)L(@9k*J>n%Vx0jfu%nzgJHP_mW9wXgl0N4IndmK<{cU^
zXdt3NFEm(y24QHh2Mtc3!4+uxLhAsnH?-@aHNnapRvlqA3RZ5g@`u$SSe=B`Wmr8&
zLj@Wd&~P9cI-%imG~9@WacEeKh7uYzL!;qnG#ibUq0x0Tx`{^j(da3xTf^E2>+7(7
z3G1KG)q}1zbbX<l0Nn!URzVj7T{d(j&{aXtK`%hx3Hp)HyFu>`eFF4J&=WMaL*rp+
zJR6PIqVZ`oeuTz<KrlcU4q-loFbIhd?m+kx23r_r!w@N#d8bvmMGeGp5RGz`+a``^
z;)*8E(R3)9u0qqhX!;CIzo8i`3-e|}(QF2qEk?7)X!a4!{)CMcY}&zQIBc9@vm7>C
zV3P!!i?FGHZC%)QgzW^_hQRg^nj6r(51J1~^Jp}`gXSO5q9<CcLyH4wQH_>7T6RUt
zp=cS1mdnv{6<S81Wei&8pk)bKzD3KQXvL#dC$yS_R;$r!7h3H@t5axo8?8Q}HHX$+
z(0T}3JE8RowBCi*sc3y0t$#-wOSI{LHdE1NCEDymn{2dsfwm3MwinvYLECj`dlYT&
zqwPDi{Ruk@*mZ@SJ?z|J7XZ6Wusa01T-ZHFJ2SMiMY~C8=ZkhxXqSTat<gRU?N6h9
z9@-b7gC#mFMu*er*c=^4q2n@ij7P^?_)US|?D1P5ev8C!NATM@bn1vs_UN<_oz|n%
zcXY0Y&I`~v44vcAIUk*$qKg4tdZWuUbXkTjh3Ha_u1a)mkFGP&H2__Apld$5enmGM
zbaOzrKy=%WZtu|T1G;@dH+n+Z9Np)mdo;SIp!<1re}?WR^e{({M(EKVJqDu36!ch%
z9^vS57(Gs-$1U_ILyy1FQ;(k8(en*@wL-5R=rs?$E~B>^y=S2J9`vb)KF;WK27Q(2
zt3}_2=xdF>F|r=%HyizKq2FipUx@x8=zkjnx?sRj40wZqDh%w8fvy<17Xz~~s1*i<
zV^BN>6<|;)2K|Y_O)xkbgRf!mcMKVVA;T~v8$)hj$RiASkD>K3bSQ>;VCXRn{f1$F
z7`7S1(lP9J3?GK!i5Omm5zR0n93!q_B#V(fFmgXeW@6-5jIzWiXN=m8QCBd!HAXMT
z=nRa0jWNwI#sg!PVvG@EHek#?jLE^6dl>TxV>yg%gt475b|S{^#Mms1Q({~rjBAf^
zLom(-<91-&S&VxMdlvTXVLuY~9<W~z`*hfs!u}78?}G7e7{3SOZ(;m5Oz40Kb1~r_
zCVap|GfcF>#BrGDgNeH^@gycb#v}_&YKTcqF{wW$&A}uiCLO?}>zG6@Rl%Vl9Bkmw
z91eDHXb*=ja2NoG32^X*gAoqv;cyWS#c;R{hd(jd43k+*R$+1{Ozwxt<1qO&CTC-c
z3R9Y6N=r=Xg(-b7r9Y;O#}r>o*?}pknDP))eqd?<re4Ri{+Koh({^IoQA}51I)~|f
zF+Bp)voQT{%vgaL;h6CiGtDq_8fNaq%oNPbgQF6Ti{ZEmj<+ytDrQ}WQ$IL4!O0Cy
zMmUARDFseBaJmnta;n7P+yc&{;p_(IFgWjkb2OY!!TBzne`2-;W{<(_b(o!m*@c+>
z5_1}0PD{+`g*nqPClGUXV$KQ7xraGF;ZhGS_2JSPE|cLB43{Lhe8${%m^%S;12A_p
z=5E8>Q<(b@t_)mT!_^h8`{9}c*XwZo1UCz~wS}8K+`QqI0Jr;?r^mcin0E&AZerdS
zxHo|NK)7##`*FD6fcsyV-vRTdWByvqKZE%{v7iSQY{G(<@MsT@(ePLTk9c_8fX7cP
zw8g^FShx)fpJQP)7PZ78M=XlOqBB_Z5uPpJ=?l+Xc)o{MGkDF0*8zCF$KrNaydI0o
z;5``LG4MVQ@0VD@U`Y!s8HFW_v1BWj6k$mfmNv!G5m=f@aT<IY!AFEo3;6Vc&lvd3
zhR+iC?10Zn_}qj~8GP%&w<CNV;2QwnMEE{{Umf_hho3$Croe9&{MN!R1%CJ7_Xqqt
z!QTV^o8X@T|7Qp=LqID8cp)Gh0S6F}hJY&wc#QxFfm#IGA#el&T@bh$fd>(oi@;I@
z{*7hLv1}}sEyc2AEPI9JR#@H^%g1853zmmt`3)?uz>3;f(F7~HW5pD#@WqO4SaBRH
zo*~ErL46Q32SG6ix`&`Y5!?d7a}j(1!B4QVAy&F$Wd@9GVVnZvQW!VFm<wYiLO6u9
zM92_?%tlBiR&iK04XZ-2>O59S2yKnfsR-SI(5qNo3#)r$br4qPVvQ1Ox?#;Gta*sF
zwXk*u);ePCLaYtM+9<3|!rBz9O~cxYSo;KP%dz$kgmDP7Mp$cv*&%EI!X_eY9>M|;
zwgX{V2)m51hX|`gcrAoCKzM6}_d<AIgik>DB80C-cr?QE5&jY3CPZ{cL{CHvK*TOY
z#9*B@*7d@=5m*<3b*r&173<Qmt{Cg?V0~+>?}GJ1v3?ZRkHva>te=7P^RPYy>&vnJ
zBO<L3*%^_O5E+ihYl!@g4VKt22OBP9V;yX?!bUr6jKs#B*!UJ3e}LAK-c%o(T4Gas
zY)ZtYKM~a%QG*cWhA2-&`64PBQ3cpsADcDUycnB9usIo<?@<c~TV`U*er&mkE!CiC
ze5*6I-oe&Cv8_F}g<)GXwmrx8KG;4F+xKC6BDUYh4kdQjVn-kB=#L#!uwxo_1YyT+
z?AVJP=dpv{@DV$wVdo6&T!ft`vGXFLyCB*D(Q^>J1<~6PU4ZCIh<=ag3he5KUHh@?
z0(KQ+*9YvPEnl&_9(L=n`y6)XWA{7kQDBb^_Dsc|NbE_+o-5dEiM@-l_YC%4#ojmA
zHx2u|u<tbXUBbRA*!K$iTVj7}?B9d^mDv9o`+p)vj~E-ov_VXN#CRYk0WnF`NWp=|
zI4~Rs7URGn9FPz@5V4C88;aN?h<$^&QHb+LTn6G9#5YC!Sj5L6{tDu6Azs44HaIvO
z2PffR01ht4!R<J>69+Hj;42(_gM)wKP+c4f#o@&`qQ;SKIO2dKTXAGNj>O~0Asji4
zBV{;3kia8hG!ix-;T{qQ61yU?I}%4BaSRe?BXKhl4<PXblC((jN77m(?Lks0k{%-I
zEt1|N*$l}Yk=!524oIGh<S-;(Kym?+OORZO<gYl|1V=mI=nx!@z|s9U`UELskP?BE
z5~TJ-sykAj;@ChO8-ruZacm2YZNssXICdAu{zRH3(q<uTG15Yi7KyZdNIQnKb4V*j
z+Eb)eBJEG4H$-{|q<2DkSEP?b`WU3UBHf7eZAjmV^n*w*MEXOdSK_!WjyvJ_P8?6f
z@e9akf{eAuh(X3NWL!qZ3!JdR2|Ju{!HM6I*%X<5k?DoZXk=bO<`-m*L6$SJe37*p
zSv!$+4q5M!MR2k%P8x8sGfoEKWHwH<#;G-+$Bd`#ae6n-OhI-XWP2ieF|vJ;?T_qG
zWN$<EE@aax<$1`yh3v=3ev9lc$o?B=YvXJkoUM<u8k`Nn*$p^*0B4WkY%b1zK@Ni)
z1#&EqV?a&|<g`alFXT)^&I05Zk+TaqN0F0-oU6!rjGV8?HAk)vxm}Pu0l5p18;aaa
z<X%GV?>ILF=ceP_Y@9oTyynQ;h`iUx`-XgT<m-^%5&6TBKNtB%<gY^hdgO0I{sH7C
zBR>!Mw~=3g{J(MD3g=tn{4AXJ#rgF(AA|FkaQ-bWXmFt&F7(BPiMZf}3*oqshzr@c
za2FROTwH;R+i)=j7w@B>Eed*~U^oh<qhKWpqEHZvf(#T~K*3WKd_|!Og)LCn1BLb|
zbVFef3OAwf6bf&mumVLY6tzLoP!##2Xbp<?peP+hr%-ebMNe?a0+)K>(kxsG!KFjE
zl!{9yaj5{8-r~~VxZDVro8fXhTponW({XtTE=S;U9xhkn3XdxhxKfNOw{hhGt~|%p
zwzwLGt9Nj%Bd(3XH4j`{iEF!YEe+SM<Jt#YZ-ndpaNQZ#SK#_~+^CBi?Qvr)Zg}Cw
zM%<`Eu^PqQQ9J>~i%=Yb;^QbTKyfLGKjUU=+#HIVj<~rTH=}X$C~oHC=3ltg4!2x!
zYdvlq#;rWu*5I}kZVR|=i`!nf{Tz4N;?4lvnT$JLxD$apyKyHOck*!OG4A}tT}#}x
z!`<<?I~R8YaW@KgkKpbF+%3Sp+PKH#o(t|p<K7$G`+$2DxL1vm4k+n@l0hh$gpvf5
zWS}G$C7)1YLWzX?t#H2`?svrfPPp%k`(C)e0{36y{%e%BN9lN!&OvD~O1Gdi6{QbR
z`V0>QJP`4qBOa{BgD5;Wjt3v`;3pm~#6vGUJc@@|cvyso*YL0y4{zb&6FjWIqgr^h
z5RW|ZC>oD4@#q>JeZ*q}9*@Ce4?I4HCnBCK#1mgUS%)Vjcv6n1eel#CPiNriLOflC
zr;&JCj%R)F%oERi@oX)gCE(cuJQwl2DV_)6c{HA1#EZswF%K_p;H4d2I^$(FUS7hh
z26(juuj26PIbN0HwTRap@VXOT56A0~cs&QNSKxIpUdQ8g9^TBrn|*kbhqu66Z@fK*
zcP!q`!@He$Z-w^(cz+P@ucJ(Zvgs&Wh_WD*MWAdq%2H8w4rO;yR)(@a@u4d|EX0Rk
ze2B(}N|cX6`4p79pnNgPm!mu!<=apmgYu&&KZ)}5D8G*KQk1_z`Dc_%s8FGz0V+gP
zv_(aCR189eJt}6P!W9*ZQL!8q;i%Y(ihZa^K*e!XWTT=06~(A1Ma3&rRG{JqD*nPp
z6+T+xV`F^mfRDZLaTq>Mz(*&1^v1^(_!xnY+wd_4ACvGg6Ccmx<8^#2#>ZRucn6gY
zP`MP9r%+jmPxbMsBR(1NDGr}b;L}Tdw!r7+_`D3CPvSGdm$vv4i7(giyB&TXf!~Ah
zdn&%x!`E5(x*cD0@ih-$zu;SYd|Qcck@$8I-`C>%etbWR??3RP8Gek%k3;y8gCFPc
z;}d@N!%uJgyb7WM83^J5asuQNO#NW;hUpkgH(+{!Dl1e4qG~IuQc?9c{$TKjC;l+v
zkL~y)34ff!A9o<}kb)uoK=n9OZ$kA6{Mj0RZp2?4{<?y{yW#KC4C*l0&M;;S6T~o8
zj9D;aR?aAfFp7PQ;x$u?V`@!cYB?~qrZTl=Ftv6vEW@y47}kej?=eb-QMP83V;E%;
zqkO@r1~aOKjOsOG&NAlqjQMe<HkjJ>Ol^Or_FaavVz}-MH-h1e40nj(PBGkNhWpC!
z28JKa@XHzgFvAx!breh;Tc*w|rj9RDhcI;ortVs%?kh&!h*9epbq_}E!KgPd>aR?_
z0H)pnrrs5%-gm~LF=O!?V=<PoxX4(1Vk`(#zYbI1imBh0so#aEKZ>dEz|{9(>hEAI
z%^AyKj3xc>fU$hcSpH-*4H!*BM$?SZbY?U|8O=0CGmp{uF`95j6U}IjF`8UPbDhyV
zW;7odO*PX%%``AD4LUImhBFPOF%3MJ2FsWR;f(eSqb*{zC5-kJqy5Bas~Ibfv9e~Y
zS~FIi7^^Xi)l|l624m&MSj}gwd>E_MjMW~-Dv7Z=#aP{Cte!Ad9~rAErlFE)*obM^
zifP!LX*ir|IFV^Mn`s!pG~CBDJkK<|&NTeaG-}2)YR@#9&NQ0GGzw-KZDSfGGL3F9
zjh-@%erK$ejJ1KW{*AHj%UBO%tfw*7Zj7}LV{K%tBN^+RjCCesozGa8GS;sc>q^Gj
z#ON4CSBKGQ8C`Qm*N4%~U~~zL?mD9@VRWAvJ<I5OGx~{)-kZ^{X7sxmeHx?BXY}_O
z{cEN%!!&NdG`3?J4`CY5WE%T2jn^}c_c4u+GW0OJ@fSu=F+wv&=*0+=8DR?}<T1i~
z#?YKGEMyF6j3JLP++_@}8N+u*v}8nEM(oCjlNfOdBTi$)nT+Vfh;taxg%Q^?V#@c(
z`=%|W%=4$@{WHaLE7OLmR@EEm*;4gWZNazf&os>7Ov{TlY*QKyI_txXH#AICIkVHO
zb}UVbj@6pFsE9&xV@aSiS4#sL=hA==H&$J(P>0eG-<qtXZi0F~N6&an-lUov&8Z6`
zKbYoykdG7PxKw&t=(Si_D#)>3<ZvY!OT)d$VG>#?h0^oSqm|X7QvHo%a_A{x_BTZb
zPF?XUmXBus3=<U3rV485_;bO79x2fi(?K*&>Vlw7qG>U5Vvvzj6Ic4LJ;yxzZc_9Y
z)H4Ki8P}0hZxMb<gUT!XO*iP6<l{#LdHYN&C!n|cj|B8~asoPWm3C-PAK$(sPL9)C
z8|WMEr5`gsKF?Dm)=95u_P{9J|H^5fP$tzQO_v(lWW60qtn}(bv1Gg;&v*sRf#@fw
z{Rou<#iTZIp%myKsQqi=+(-~tNJq;FG;qM2CeJC_a_U8qq*g~7O=uZz%G7uhM;b|~
zB+hbDJ+JI2J!LiN0Rw|Z`wcJ;SNh!#y5?Wffjn(QlXKLhqhPteDvE}w4G=W9Msn(9
z0?8E^;vmQ0I=m8E32JZBQeaM)Tomg$bv8#FIQb-8b9y?b32Y%~PTL9UaN|>so)*&3
zLE=GpO%55vX@dTo@=m46*^$R?Qo3ZG^(B=;r64DUj1tw&$Z~GHppGyScaA<mZ<{D+
zg6<2NoHS0I!O>JJ1@Zc<Xhs)p6P>c{JJR?aLjwsEn>qCyfwBzwDI65khlGoq6AkPm
zM)~-bRTR_vbI2Qk9_12SK}`~4-wFRZxi{B5ai!g_E~cl$>NRrv1p3+sG+AN#{MpVl
zWS{2u1PkhAbYPVDoT9m)j^iSvfixdPj%G6k5H+XyXsSbKAgSg_)xeG_&Bs-a^w$DT
z&|eF1&^KujEac`KK9(ki_hfB}`Ty%z1Jv>X?L$tpOO9gCS86Wb7BssKd}cM5vjj~d
zxkU%PNT5v2(5M?m@f%&`Zvyj{F2!U)9bzPhIr*$#bJ|JJ1U{yzh|(KX7fwAm^0ldD
z026Ims34=Qh&9a(HyLT@Q(tLY@XX-p!P9BzQ*Kc1%Cmjt%-z~_&HHnf2dl=*Yfb|b
zM+)i!fiw|nI%vVEC5uRtf@4xm4HUb$|J<IBQ)hDjv0L*}J9D979I?FEO=wR-=(2>-
zIH`Q@4Jqd|pZ=A7uK7vCGum;2=F<=w_WMwNfM$F!bbSZXoR41_>MrM-%k3qlmNad>
zx*y5VnEw6r_kJbI<!jlu<ZIHD8~<FokxgTX`v@9SynOxCnU7}}(!Z$e(!V>saY`E@
zU&*DTi^}aRgi4;I;ZJwU*>0rqKR5j;X`6DPzvK_;ahV}UU;g`A!U=6pfp$Pp*iG;{
zPD3n{)3jfo%*k#28!J!spZ3iA+TY&KnOWY0Hvg+96rRXqOoL1R-Iv#KcX=$o7alU1
z38Voj7c}HwQ}jBX&e15&DDK|_r1bo6W0XmI<*(!NI4K>jb`xUAcx{0jr64ybo1H1e
zPW|@<8Z$YbM&)Q|RE~m1<?OJfSAGpB`zmR5jv-0^4Cpv%tu5G^9eY7{#x;TF@q|oc
zbHZa*(LA2ztNp?Z8Iny+ujdM%{;vVwICtrvvC?Ic$r*b?6ZEg?$jh>lE=y4F?YUDb
z^qT6w+SH;Wm%JX5u9WyD>z4{sD2?$6r4dIf^u7VR6HXjElN&Am`v*Xz1%EbU|NGB_
zBq}}pon}rTb2ur<bXEI*{Z$e5YL5O-=4W@NiKCH~ci$z^^u$-CmL>x+x1|h~Lvl@K
z+T?3VH;)$640uhoR3NodNgL%fF17L*>BkZWsh`QZQaY@pH%}%@Drve_Z?d<tda_EB
z{p{6pE+_K&`=V!e$jIlG-)J1vLZawTlY{^GW<~s!#P;V^qJKXnuiZX5Hlq5$fn(>3
zbi}+>mZURCZq?nDH0OG9sfs?gKuboxP`x<4)P9`H{0?GIsZjf#7>Xprvr3ibkB=AT
z_v<yur7aDVltz?(drRiNA|u{D5*Ct_`9#@=CM{Lb$d#HGUM3A+PdPVuul&M43J#=R
zx}qa>T4hRl`a(HDEnZ906;&@z`i!3B>fTZ8A!TdHT>6fx$~@0ugC@^!OY_8Nj$!-+
zZo3qmOQ!gn?#eoD1P!0tOf0$hyqnuE9zC6BJ@y_ucb=2?1ifT7^eqkTYFYaB=eZ2u
z1*zhd`|K%~kr_Sp^oJgFG_Au!a-xyC9BCCKy7ppI{zI4hSB>w?ZKukNC@+$hRJlvN
zs{A?%YPsq7ua;p|vpWm&_e`2G(vqtr%|>%;s^$(9e!+m;i~j`#Hkf{P7HB|>@GpFj
zMH)Y@K?p_CHM&g-Wy;By9toZ#WgFE;-`7#u-Ag($fy)<aKm_rmqU_hF2~>*FPjuHU
z6;8=gjDE?bpGi|HH0Wn4tsV(|sI=0Qd2yPb6;xKy){@dk!X#Nx(YEiGsEnd**|+2&
z4!J?|jEQr$wvX^@3&<VjlZKCky`))9AJxP;f1uz+$G=>7BqWf=nn2o1HJM){jOg7|
z5Ye9Ayp%iYDN7;RcIN4_r;mgdvS|H5n-gnfYQ=y2T!g0bpC63S{CHS1B^1(W;D1Oi
zx&MDI{D<iJ)qWyRp2ONw`PHC8i?&jsMPqm#31elc^%FH0(&;E@1i7H83Rx}49~*JM
z=0nN&Yf3?0oJ>v4Uw3LmmzOL6nk=uuHh85lb^M+4+m(3s<eAe^;^wX#4d6MiboX;{
zly|vIFqys+f6<o=B|}JGO6I;&hvnRVLc9=}tG@k<r+%S6sbdXaedCVZBBMBxdSl8r
z%^w}OO;xkBnrbSR{)nd!{NgYgLewl-Mv9wcF1t))s84<&{mO~^7x~GFFJiuFayxK#
z(h{xa@AmYm8b1B?mhm#Le&eo`(mQiVhD*&ms7z^66)2A|m6*7wQsVKgU8&{=I&h^`
zj&j}$Re}|uTJQ%R(wo)<Jb5R-XlLcvZ<@EH%BX!)ntJM#NHV2BI~r=<R2As&zKUjx
zG#pm5>mE`RAZk8cJ|5_kBJaGw!z=eE=#pa(9F5)<9=_8M`;y%n=)YxwzRz@rp`zw~
z=!VdZp$5&{D1V<#OZ4=&GW7Be_2r~GWT^OWa7<cU{0ASuk(s~Zqd?=PX$lNwgKMPm
zb&5PFbS4{WShGS3E+Hf2WP`oLf?ITxOuR{hFR4V5@Aym3{)y%OM<k}EYWNX~X{;$0
zuPho*dRl(1NvlaP1#9nD2hSBu!FOnSP0<jQ=E)DqoMNh`(*FPYtQrs|r$O0iHBV?_
zNNd%<AUw^aP~N2*_!pp;zn!9+SpG)mL#+bZ&_bS!+;W2g5=T-dXzt13a`cMk9cfsz
zdHxS+?*SLp(ftoYaCgZ~vN7DOQSk0!Ni_Bvd&ClB7YmAtim2E-MQp6bg0aNjMeL|x
zK|#QV1;qw7R8UcgqM)czbnZGNzTb22E`lX_e*gCqqj2Y(GwsaGnbYPLrXnj%K})@$
zAc=Xsu(}B=`?^ZzC#-Dx{VMxT{g8;2OCK&->zR#Bg73AQO2T$<PfW1Zv3{RH3~PV_
z`3otPmF5WbQ{DBb{^zHZ!Q^|DGZ8N3Or+Ye1QsfFCDS&t<AM@;4EV%CI|*G|(8c4@
zc!kTivzp`~M=Q4EU0h;V6-+`kVY}ithp%TL=-}&IrM~TKoq)QE3uYD}J`curmiPCy
z&I0Z|@ff_eh;^vNM!KQ=t=)XHT`I)k>ymf_0i9(HN42b^)D{cmc&?m4)jhn+&IqiS
zQX4Q4q*jB?SK9F<4hR&T%m2~9W(sYw#{mUIHy{w@7=$(Eqcp}^5SWc+jv{=&E;UG<
zEnyej|IZ@q;caOTS5bSi2ts{yftuS1?Mw)?NASMG76?0M_h`63IdcB0!;P}ofXlp5
zbq$L`&_$N6TxX;YD!9?HZRjO_#ZHVn9weo*tXNZtMPoi$D@8P9Lvb0*gEM()ra{R8
zrJ=nfHU)_IXB8L@`AROGuw^XiOBqW>A;>Qj8B16PFanB+-H_3w2lnZ%kPf=L5s<GN
zpjNvP*wr|L*o$@o4>z#iYPU2<%NW-%iW_ub<?luT>6)34(#=46XeOlE%0PoU*pT4P
zv$9Em>qB580kxih=AtL}G2SXEa9tumA_*iKASnd0Na@mj8d?=<K8u)A80rF`#2rjS
zBTd)eRr2HB$`4cI$F=bTPVX8BY_=4~(fvr-<|d${6X2Aa#vTNts+_AbBVj)koy$oB
zMl`PDZG{CmJ{JJ$g$nh=Ret+D3YGnH3ya!<qCB-IpO>?U6O}so7nX14OOLSc)(|?#
zytee3O`@yO7tdMg=gLJKHS$xCF43?mNst*>(|fmU1%u?jaBw~n9w*iis>siZO7Dd}
z7dipyE6zXc$=9!UM3deqO#<?A@a4%x@f(gi$3j^C!)We-bYky>Wemjw<%|UCdK{AL
zf&0X4L&j10OgSnU9hLa8q(B`}1)(BcQN~r3^dDKzujLn36^xB67gLU~yp10nx^b2u
zIwkX!Q}U5ue?)bcc3=;gqwv80+MpArD_I>5wri-_<JD<BQYcyT>Q&v?WPcaaFSU|-
zpS`K^jZ2(x!G$+rIR-_&5wm;p=xs*6m|xdS+5KDWVG8)0X&5kM)z&d4wvb)btQfY~
zr;oFefe)cMv2(MlPL!%<(-<zqo);kNO2|l0vKa#Pm|Q*v0`=<L{03Uy3xcN|AAxmO
zf<y8)iMv*28@NluRQ415=~fDJG40Ox)#`f*_%n%kua~ew<weZ26Lqc0J%no1dn)E1
z7sNL{=(jCDpz#y=0S8zaA`&YU1crfeXDJlY>_Fm%88p)D{)>p1V|U8R;dGMc;3TKX
zq!vA8rC%uY@<8qdsO9}9vHUs6TvkSSO$UMDnWFZ}%7p9omkzR>A|Gwv5Os8;39jzf
zb3Ud$>X*k2tnqZ?urVWjdP8s;!%i!zsSk1^zOPsMjXkO@D7q$9tX8#6U71{4QobtU
zYB(!<nrX$HpCQC8X1tlS8P|l{ao3@tN|z9KvkirR|17o4Pg4Y>&FUtqsILyP((#G{
zYh(Tybg-a^q`H3Cp1UjM;uJGzPqgEbTpU~f-)2@v+50zRgF>JLRWqJNj6*eV0GG!<
z&)?ixcuyl1LLwl2!+I*DDB~5C1Ck2%7XI!@f}1~GcbYwIf(wuQ71B1bwtR{~Ji;VN
zBc`)&R$aaI#92uUX#D?`7*ITNtoxOr*JliDSTX`lB=J%nLlwTME>$O~@}Fu-%lBhb
zhl+1ID;r5ymFn1RmXk#4PmG0vO{{dBtzbUVE0ht~7r{9l0_2n&r+c_i-auij+zl@F
z#joDVd(!?i7s5@*F)3-D4{MylzjEQNYJSgg+nbPI6Y4^fj(w4E^6}|?!v}>Lk$%#&
z<QEMN`|tes_49Q07&@ryz@e-53^BHEq49}2JM5N=K7bv?g-Fpk&Sn*BO93=|NX{cU
z;STKB<u1ZLhL;c@ZDr+zP@MIhbMvSF$PnNV0O<rC{|Z#MyP}*Z4EcLI<lt&Tz!SB=
z$0iyj3M3V+Le~Nyr2t8(t>NE(odsw-+0j$17kxrK=<iYX)hYfJ>t(Bn_Zp?GK3mg`
zeMQj#g><5;Ebch63xAnH+=4G8_7<p4ah}mt6rV5Pj>Wc1EaZ9*oQmm{acR5?(H-Ym
zIu`qrG(t_q-m_gAiUVyVU|tZ6t7YK#RFr)kC1!?PeGXz?WdSGI1OvprsOwrVZxpm{
zf&|$P^v7P9pn_QX6cc6KO0cD)@EmklDBc1k)^?OzK>MwwSFsQ(E7aUCECKVe{vd+B
z``Cf_8sAc1A4vp>(XU^<9&aV_8qHfL3}&^ElPD3*U<>#N!)T=|uM2_Nda_P9%_<s>
z42RB{)Jvy$qz!n-sY2jrTu;kW)&w`gy?pvQC~-@ClxDm|X2_@Yq&#=D0{uzB9bQU@
zaKT7Hx(y6ff1Kif20yoqOrkz9=X(d0?}IGeafttE-5<{cQsL1|W<Vjsu4&l5j|~uB
zA5J{O+BnM&+#&x<9WUF}t5M_b@vN*-{t_u89CX|}vkv=yhA|+}+t=OMJ%0Epqkg1-
zKa+_YMhYv5O<pRMql2u}y+h1l%Tr9;Ei9=jId|A_6T60+$zq7ip7~#DKT^Z+C-qom
z<3O}llp9DdA*I_`Y4&wbg<AT1)NX=W`oB^WpIj-zdoR^-LlYs^Beg7=nD-vh*C3kr
z??m%|S9g&2l>V|SNw@EREJh-84O%UVg&>wJ1UK3UY&>1AP=K}I#HNyJ<Pa6zLeVx{
zpx!edT#-A2c2SeU0l70sA66D(Axpy#asaKw!wTg)l!ZbuK;T{`4^rro0L*@+WI}YI
zQVX9a$^)B8ZE)3M?XjVJTe#?SzBe|NHn^WTQ8mgHO~G0(_fW2AsEb7QGwKadC5Q{6
z+=o`Z^@do;{J|#3|J24gTLC+w)gr=LTlBRh`b1X?Hkg%#nS{-<eA5gc>H5<**B&O0
z(#lu956u~)-fjBkI>DyG^XWQ<q&1KJ;tNPW6@d+}G^N6Nsa&Xj!#PT~%F-{DWLOsv
z##On@5nj$z?j<6em}7nuWW&nQ<s2H_P|b$5MY<Er?ByZP=~}o4YB9Mg`1qTY7i<;_
zsdS$ker-3@qqpfg*T}^sd5rG(?lY0`E_aT*BO|Z-fZkpcrv9;Ts%h*Gn&8kqv$nbD
z=kVs)&*_$WT)88&S$|(ds-b;pFHII_?)bM$;i%U-n%~xKnTe>^k6MYM<==WsA1&D{
z|JH;`>R+=Nmkz<WG#SRFLscYhkhd6Oy){rV`wQ{H6$GRLs%0wDD(IS}if{@RM1MQL
zM%z`9L_ae+KNE=|hua}Dq@Vd5=w5^It((vt;d_-}Jc$E*5WwRA9nfA5sS1ck*8wn!
zMKniwJjy4cJf5gkkXLs`r75W>?~wxOR97dZ2!#JWc^ZQaCSEuZ#~k7SHtq7W%O0R}
z$V`1OQzy(IHOX$D>~9zYVpp%74g{QHL^}eQsQ@_wh^ayHEJJ&V1(JzvE4zpt0;TaN
zO-JdGP5dC3#}ko;cOS7nSBZiq(;pS(^%Q=Psz~!?Gq#_~G>)Z`ZS)I`BgW59VvEii
zVtt>p&)dgnXqG+=8F9`~gX!D%Llm{6MsKaQRPy1YR??%>#C)}4BD*o%0NonZEheu)
zL@$6w9B0*-uF7#Sh6W;l1|o(ABEXEe=X;nlGlMWR(e1kO<97n}TVVjD>$ib(7$~<3
zF~HGwQuIGvF$kED6x7h;3~S7E4bK#wkZ75)5KuhKs~bj04b)U;=;<dB_5vXW2<$T+
zTnIz$Ft8e&S895mW>%`QfZb@cm&)=*bT=jGrrKNIB&D}W@AuZ<3<fbg6nI7U<5=o$
zW9n`s&9arLmSd*DR9-YnjcJs;Xp|bdsf;BaHc$FHoF<+Ryv)9N&?P{whMf=jTyKpg
zCPOBm>C(z@lNi5i>%P<LjqHH#zw?BPw<w!-;^FW;2auF(S$ECw0PlWXoy9|)4~#r+
z6w`TC7S#Z@$5Dt2b-v2JepKte(@`XmYM#e@o{AZP&~n3|M>)u2;x@#)B!?<F$a@FW
z=~~uV%&2=BnYwpBF!+oLJ#aWal6|w*G~aLDsD&ez`IQ<xxUc^}7ubvj8E!3&jXU9T
zZfEbtCVhawe`8Tiq{1~mx~|k|$0GPJrQX}-KuOFsqwY`CeB1nguUgD7=YPe{bQY#7
zGPPY!9@La&ZHDY!EKYg|Q@=~gEVe>ga9eYSK~))ZisSEH85D{eQ(xC|mPQ=qaXCK;
z=I&jE&E2d+K}wwNjjHwR2E+Gk?EMdIw(@~2Vhn`$+hi?2tXRu$7e=>P%P}8DzNWKK
z)@r7yhwKIHOPFcek(nkTcF}>*Jv&SNubG7_-mSqLCz%G2fkrjMFO+XLk;-0y+2I<Z
z^4%r=ll&GNE_PddR5mO6>M7sF=7cY)u+K~t5?N_?X|a3{oVgXo|5)TTf&LIi^0#)?
zNqu+#2K_)7^ba5jZ<ss?Iz(|dw1^=j#S9j1u+sC+2x3MgPXK`s8Wen8$Rb+eYkC>#
zZAg*%fbo47B|<)Sa0?P4BUR_9B|SAy<Rq;ab7`UG7{ZBd)4^ex-{sC~G}0l#lS!z?
z%km%6Ya+3^lFC2f!JQ+=Y^nS^SX22I@i_Q_MfR2oyC9ThkxlRcqw~%!0UC`Ib%>&r
z?YvM)UA70~6r~(GZ-rhsbUHp0v&%wI<~}T{DoSwJycNc=2;XPo8+^~>v)RecLKN)>
zZ-w5ZRqymnv=Bylwv*15D2&;6R7E^1y^Fje$}=(tcfwfuD!vkNtn_aBUM`<>r)VpV
zhqnUzJad&&1uw&P;JR5Ebt|XmTcI^3;aQbbm?FyJF0-4g6D`O(fg|&k-8t%QspLX^
z8py)Egd#`BM<I$H843uF3p8ZZvtDW9KV>DZ5~9Q6?~PQ8^{{v=j5*GlA0PNkeBq`-
z;e2@IM(4vDGtLM6_?@-8)@iWy*g6sIq?5|Q&`H@OeFdu2A${Ak?^r%-ASekgf|1~2
z9L&x8H$-M8z5hf6bbX(EBtraW#qxQ7tTv7H8}8G~xpOpjNIp;w!FgBc<p|7C(P`z*
za$U9sv->Omsk6{uT4w3jL|U(`v9E23r4JTIV(EBqB$kc|Lt^Q8ZzPsJ=xR+YeXzKa
zDmjc&B^Reu$qOk}a&e?e<~1$T6oDu{3~O|~1itxN0^ihl-a4f}ZhZ%fQKsc$?=meH
zBlH=BUJU4Be8m-(KEzk+m9_k}1h$$n5&}=y3d;cS&wA-%-0j1lx$W**HFfh0wDVv^
zwDUk~wDVv^YG;V8oinJS1Ffl@Gf>gZmQ>LUs_3BSF-zaO=(Vzmyz6!dk*h)E+=*Nb
zBDc^+E<_>cPUJ#}Tx%j1qL6d%WAVY-S}$R!zm~9q8dIxX`L~vU&S<s5+h0rI?IzDX
zQjxt?jGs;eObw5rhR0LG<82L(pRSA$H9USgjZkycgpV{rEpJ)+Lxzkii3Jhg@|>hN
z95K_0P15)0a6?gDHQ<AUb0U(J4#h$IrbyaT@gFwwpXwOP>8dV^yp?YJBjA)#O=t=x
zc_4AS6fwUDDjV@nQ$rXSpDlwX2x;<S1m+@~zTI2GKPRwLzmk~eHOf}ukOy}vxEd*2
z^($OEXGor@hnen3s+g50G4T$1kbw?lodeEmrgs{~^pluwGSe%GSo8X3RwZKJT(=Ty
zkk?swCFManwSKr;ti8k&E!}YIlDcJz33<}`bljRM<0CXU!GW)E8#|384<=l@oG=D2
z@?hbi^sZvw-@9<5=ZUl&YcYdBko#_SWaYR4a59pGHGq<obtj9^8G!$0*>Ve1ZQy|Q
z0^D;I?h(N~2b}(u^eokWc*-88+na*kC*CA3#<1w&&Eb<JzX+s}Nri1FU1(`JrVdPB
zQbWOgOLY-@dKXS&%n?IeP3Wt10tLuarU@r2R5BT$e3gmoONuB3jY_?7Nu$!dOEih(
za<)%mUum!1M`lD{B{O0>WJYXg&5ZafpP-qItD;6K<c-$KG7C1!&B4fRBFD2Gf*8?X
zI3}N@gV75IBd;Bt4fS{pc1#)lE3l)LmslkR|CE^m$UuFlW<|kVOt~vQ=`XmF4l%u&
zz><g!>!JNO`U~Rzsp<tEADymSzu$uAOb^R>1B<xMBebOO{O199lOLjUSEcH-6JpkH
z81t*35zDLc#+?Pe2d;EC!Dp;n@KB^<W*dZkEspHa@LzO4ZSQ^?`u<P&*Rj`NQx=XS
zYnXSmfi(kzAk__SJdWbcfs%Mwal>PZ^uWRu#W5W6egTxT73wjdZmUrFe|w^_pLE${
z{;2HJr9oIYGtd%ZYibI4{bdyL`a1%zKh}gq8-jXCm&@;@Us90^t6r*@YF7wyznMS}
z(W*K}2jza;EoZ1I@hs`--Gw0hsu1{7f)@TB0!Aas>PQ@5rI!LOy%3zzfIyO?W>^Pe
zJ1b2IL~{xOrGpq;>V~RAq3kJE55^~jpl$)`%HOqN)SZhOACs=6(xsOeQKi%D#yej}
zs+0#+=m2lecMgy9<>1~@q2KX(O%n+(DX2#-J*EJ!NMt(Ppe`(w(2o0>gozQUZIFm1
z`+MmkE<0jQ3s?X#LfPjC9k=h-iX7A%ATPcrWuQExDwRCC{+i^V@$%Prvr9xyad~-X
zp-=-n<q7cwN5==G5o-%N%hNGiGIXN*nV?u2s9p2;Q4Aq~A^W^0(Pyhdb&xz6jvtkk
zZYUy+l}K56;(HPep?&~SRH9Kq4j;8XEzt-!;O`}slJ)*e5UNb`S`}%=qR&sv3KT?|
z9OcUU$_^q8e*8{ACsd)kpc~fVZ6}>l<QdRQNqwyfg<iJdlcyA`kBNJ4{6<)GByT)Y
z<c%O`3I2S50V;+(x5d;K3)EMqt^_0wjWHcQ(`UC=7ftv;uhl(muS2v9>m2EA>e(@F
zaNG&asHlUJ54k|izQ*wQ(1k18H&2_e-iU;dewyi<XYJVK%)a8y3?s)aTOVk`HDtVI
z>9~a>20K^o*|r6?g*Dj9N?v99Y+M`nLy<i8HG^pPl!XQxuAkVQvd`3Z@7aOLE@zd;
zx|DYfhT>g=7V5hOC$#fdEKuGx_%)Y1we2*p?Lgy&!JYQDKs(FYo<`A|=4Tt)^urS>
z2hLweRv*f0ZDONXe}kAo7t50_XCvui=`G=p!pPoGkPv?t;t=I^kh~9H2YKO(o&H~5
z2Pwo<>I$eqE1<tZF5B)ydXLN?m~Hnj6l0ZTV@K<Tww7$j;NXqdR`$jlCjSqu6!WcX
zf=*TOA<~~k-2^|t>-G>*zl9_9+XglDTkx#OF8=VwirBC>euL@pf%BJGDd+cIC#&)V
zx}0f7zrf)GdOAZ(aLnk>Vhk<bf2!<1-J4lW?AE-yx^2P{y6au|<EXCCFW?HDMXt~<
z;0m1sS7={sp5g->a8IQd>h3LuT49p`8%nUrfZYYy=d^<Z@TGF#jK^WP)(Uzaplb>A
zJU}A=Dz0X=X}d)$$Rn7=N@sBJe1jeLtQ92_C}#;J6DXGn<@`xy=e40M$LlcHovdh;
zAsbw<v!XsgbRB*p<Og=ZPPJ3e&7pa=(>K{}?>}Fu)wd=yXPO|Mw<6yM?s-DJ56r7T
ztgme5MI6G{&}AJy;<PEha}(#4ZC7>_Dcj|{vH{A)otGx<f!jS~Jaj@?>fLd8>Ld>x
zhv`#ZC2T&9boiO;;!j<2e%Neh>&?dQp}kf|Iq%rG@le#RiQ^*KRB1rBZSWfStX0Rl
z4X*m0A8$Gum=NUSJapW+?mhd5MfNj#G}DOkfx+j-oS8ka5lo)QISZkMQY=!1SMK_u
z!Z$UArX;rHV^&Ad?SqQuv(mGvF*TtCU#G|fyfm)1Hq0W$ig2?hIMXA*qRE0}rhW2i
z40D+MT8x(~Le2fz*^8N!VzpE7t<!gQ<T{Ifx7(-kuXwp;wYg}_pTo5B1YOpi!xs*2
z9@f{`xbf)vc)^Feu#PLLI1d>&s^5?iE4B_X_HV2i6&o9L0@>4FN+)lS|NUFLM$l@&
z3x9(mvXQ{%qYP-)F9BNu<Vsmi0NQ*PT<1a~x(iupkL;MgZSlq>rNrdGyWl?NDtzi4
zCUI@8@OIZH7{ySZpP-e2o&W<!8QF;FdYDc<kZRaEY}^M!V=L<gK7a0kO+P>x7c>b1
zol<xQ;@noUgrM{}|B1vo^o9B37VsO>k7thfTPe)r9+nYR(Hp4xDx6~4Eb6VpdKPH7
z)KQBEqM}$w!GBw#2_C7Zut@M+*!%BDX?4HM(tI*F;fxFc>{F2oiNwtN1W4`dGZ>K&
z)i4=R4TqGd25xU->3ynL)=H?G%6c+gWzzWr)ZY%U(RK<jGst%gkjSusM%op6pHAFq
zSMWp~V9%j4T!dIF;aBKo+_2>1Kqv@w;uJDsjJJ$S5nA-k^$%OrK*j}WpYSXd_^nf5
zY|?Ri7z03IA}GYG6rxYd%B^Id@TX!AXeEq;JzzMhI%KB)nW=+j751RrX*mTZflm$3
zQu$gu8l#A=7@s4+p9=IN3if<uS)-|TuagteqE1N8*!mOIc*}o2qh8s)E(BP#>!&S)
zkbK*rT}&fn{S{-n@H)*^jF?k}a6ah60E>lfzy;mz2R_J(Pze0PD&n>`V#V9Rm=iOL
z&ulK4NgcQaQ6r@npy}!8U_3gQt`5(wG=;0p!B6GCuYziBCNdt2kNQgNnuI*K{Jyr1
zutCO+^m%2;tSEjcKBm-7(u?1MH>0ZfnKlKAAAkQ<+ek&edH0!3M&P0@)KL#3A{iHG
zm$lT0w}y@zFn}dWg9QB`;SllVAR$5JU2FCCGa<Uq&$Tu{?x_{;FUHavs<dMzwFAbN
z0$#0>ikK~3+0=+!8@Hm>gtXrcSkZPW8vC+<Z+FtcPb_L3lRd2T3Z*_}RIJEpz)e?C
z#f*#UP4B%}9`=e<1@C|Si%yNEw9=HoADD9C^VCLSZEgAk6q1Sn_RFp?SW)pU6wkwI
zco!MODqGfoc0r^Nt6*6JvaX6kf})Rp5CScS)!PBSf}VXA$l-IGB}^fNTaZ0+DwoD5
z_M>Gzj=>guF#C?{DMz;x!+9i*`9VNjQu1`AtnVYsG30DrmPrT>mX(IeR2^wLu9C<l
zKEdZvmUXz2-NNWSIVTl~U1ELYC6G3haHhL-hfqVB*!S{sNDJ!sd(@&PXwgbI?aM3Z
zU@i``Ed@XoeC9iq&)8gF;=2>5@KmzeuEc?Lme1-eOoqU_E7ShqD+bf61KWg?$n+<C
zOzX0$U720un<iHL?1*E$TyyVTUfX(aF6G&BPhe!=cK=db-(g30R`yD4zla{|+LYQm
zqTianIAg2U#rsM>ysUwDFBW7Q+IBm3|6W|e)qQ)X_T6ooH)-C)iO&49{_UC@^=g0`
zlCL88j+8bG(RU745u?VcY3HPAhDSvO#k(;3=k#h*mFAGAdwPu@KF~D(2A<|&!~S+K
zj2gOp`(TsJ(x9g-vp56PYw{CzANiu$=TUg{g`GcC5GZ$x(hBDXGaWp)k^Qq!?rnaQ
zjg@S=7^@;i?+w+Ar8TLFlt+M=3$#G+;}NeyTXdhaMXbT!oA$u7AlI_#meeo!5xe`q
z{sO!}ejzsxyq9}5d3)p$Q~w*9vEKdtd%H9m8+&+;iS^l-d5+mTr}sG8s7=?AeY}k!
z+Ue&sRq#RyH>EUUuEy%nojlXU?A;R<<+6KgkdJ4-!Ms$ENgu)zq=K=6eMcFambqN-
z(R~yW1<%(0mO$Nms9kyxk&6Rj4hF_3308}alxm)E%|T!ysTI_y$2chmZwpmu`54Bc
z`46&T{>@*l#6TV<O8XD`BL<R<EHDant?JsdD@8+IK~&mt%p7YE&MBEkkEk|ueaOFV
z*<<_&U(*RU&8DrJR_t@RoPZaBJ=!)MG&pqQXj7l2ngMZ%fsj(l2H($2V{Z4A`(FP)
z9a!`Y!<cbP)&!XL?Tp;G!)3>+fC*zq2l$xqCQ(JhvYjiouh`-^VR!Vj11`@_CtbhX
zC$32kk8xf-O}}lJwRxNKUni3@c5K75lo0v~KT6puv}=U7X~OWJ!IOL(!FnAY-XhK$
z9%!E<ILPbnNtQ8q!=MY<U5tX7MEOYkmR);Hzt_~%kL~!x$mg-JPX<PYPzdQaS<{q2
z%U!S@1t`yB#b^^&hwodqWKPHuqqqw}4vQvD_+zw-YrkKsnC7__RP-+oHIsE`&r{qD
zaSxt=@s*zEz>Z(%$6UP8RH{*BF8R;*Ul2^MMAw<tvu8t>{sUHS9BdlcLNg-noc|e@
z>UbjhdQ4pM>3!afmtw^c_n^OBq}5V6Ngpo7Nz4IH1Xj7oKEH3zIJ0wLi&4wBcd`DB
z8|JJJS#LVAQPXrCu~GP@6)V@7#-7y7!1D={Tt-e=cWt(*^M<;EH8%(U5?|S+qkF+a
zL%UYRx}4ZQ&LhkOwdl8aH+4x$c~-_H<WECa?}(FT6C0VOnKymz^l8p@yxX+J8zIQd
zEgfXqnsAqV&Q{<B!NV(~5>0)sX~qojHT$}>>$^4fKxEi?(~UH(_^5-n<0!mm8@Vxl
z-}c~uU8Vzgf3#1}HJx34sMWu!_qKk=f=siae|4Yi<@>91<!2tu!KnWM6~Gl=TMI#G
zkJwP;hJJkPaf;WT&Z{W`?fJ2FTMxuIXV;JZv19j1BYGQS+%#dkBEYrrJNyRvj`r(d
z>evJ|UsscQ_Z`!Au<!D%1593Snt@42r=G`yT?HK&&VIm?KhO`a#X!0;%{{yc?#6|C
zytGNoDOaa|Rg;*dG!oC~i7(zY($P5YzM+E;I=V9~2{5tfYR*V)moZ9LVbkc!HOM{B
zHNCpk!-#Fd#>8??vHnmF3#>mx?Ebn&2-CaC7cZ6cfAIcU?CWfnm=m7`2Ohy8N|MLv
zj;!9Xf9X<U#sXI4_TDY)nS6B-gNB6laB(eP3D4YBOs~ZBN8>j|>@tNk)wB;8;?vN@
zyXT5<FVlb~njyz7PB`hZmL(Zl_CJ}EeH2fNN18`QnD{{5z+odM4sy{a;C;ejP#i_U
z2T7h&70zcB1wB1eRXm+J(=vBt{hv9oJ;8=+=eF&NGO-}uqjApnx~Y@KO&{&ju-lne
ztk}7esfRWP`GuQ~UDE6v*k@Z~7haO<s^Gb;rmR?9_MJ)J0x!MUGvV>o#}04`9BH_H
z<Y?Mq|9!qGCRSUnufz{enc_WV*pz;<C>)p^F*T+Mn?mu!tX_UY&EVDn19~|(Io#v6
z@mevzsiE7puZRjeU|Oi%*l&gJaOcreCyY1h$6{x@i(qEt{&!#-F`JH;&az_X`&{gJ
z%CsvyVqJvG+I6$0uP{a4(X93#xOA|KN0(6^UZ!JSUBW$Fh76oO+20gdPqTEz+J);}
zc18pZ*>39K-nUg-XI|`Ld*+CjTRq3^J{T8qIA*`;fKNovKF+<z4)!$aXCP^N3Qj|J
zD6eH5jzdc`>`eEyy#|e#;O)}g&-UI5y{;11GB5d1WL&gyW(CCWBG|k%Jh`*z9Xrxk
z-(kN<JQ6<~Vl9LPFR~F2O^MiptT2U7$OJ1y{%XQ2axCt{vAB@+eU2kh$2`%fRHEIN
zc_LsE?zjSX=bp@+>;;?P{S`<o2}#N6hWct=-ZI?AZt_5Y2HrUJGdNYp`)k3eiXr6?
zUen{fl!$FSDW-Fv$4?(NVM%FOd{d1yp40^Sy+gRq{q!_B5;R-ie`-B{p;F@O41ew$
zcG)Mfe@v+btLLp*>nzWJ&*UK8Qa}HNfi87>dbMhCv~%X^*bRHaO`C>o91zwQiv<3m
zqk=*=hOJq%Jv40k#0{nqGlKjFyP!2+TiU{m69{Q&{Hc^g``<1o)&m1eG%V%6YRPD@
zb^RZURvGae{haBu=gx8op1KTg4R@ek<)Bwnb<3v)E%tNq7&OS!Bf5W%DfpDZCur^Z
zwM$oR+`DYhSZqoN@W%uw1}fH5vJB+9zkPHS_B3bqMt!vWB|>C$Y%gxGvLo{m^1o)o
z0nnYY?8AQHEb#B=5^iycU4IB8ZaEA&3zOKmV8fY1dk@E(x^37$?25~o_}wwl^a4g}
zO*R7QH4=21VUp#0g^}>90&7%ZPsWBHiZjiuh*+a=oA9K*72qg7wcy1p11q*y5uiT(
zn6H>YmJU^-dWt82KYR~(6Qx!^s_Qas<bbJD7yL0zd9rfdCOjsgXAx2i)ndQ<>N68#
zy5=@HZN>#n<^1{D9_BGag7N6;H04o>H5+H{P;lhXd$>mx2z54*jy)!ZPt;Y|t&Hg8
zx$Fo2gB;AiXWv8HVu#n>>_ktj3_FI+Jod<}v$M{^gJ|{0us&-?v+{ga$=3k3<4v@l
z3)?O1h_nim!~J6?ZRh3L%#yBJy+1rYgC91!!%Czv?cIitpdS7L)(LoVu;^fe7_fW$
z{ADpF7JCQWUV^nt<L#hv7<m^@=!m11^&LGQ&#!&QKd-}^n#36H#y<aveP>+s(9pa?
zJj1IZyO{ROk*jOg&z`l;$j`$!XI4<)>`5;A2U31}!z*M?m?1EqGElDs2n-QjSa*nQ
zD-DNJ{E{l<FIRqnjt_#3`Wgz$xF^Z;!I(#NfU`b~0=LT=k!_yh03k>Ovxf_i0Flw5
zr^J$V?`3qL*9h|GYQ>dS7UjNjg=hQVn5n%JyDNI@$~n_F8$+LHmii4_=<UM4>Cg}-
zl)gJ_d5cxN2S(k4xCRH(4z|3i{foDxr>8{bsY%!v6?+w?vY(>pk;=|^Wq?n`GZTrr
zGm-widJi4d0W{{`W0h{&Cu01dxkX5K35+v(+@giHJZquh-)iy7P!CNHzX5%lJ9FLL
z0a!q5?io4^-FWC=<n}YBL|zFSM`_;S{vAaTx9P8+v5zAu1(b%q*vN|~r`%CAg(mUI
z|3z15gu7z@H9Py6Jeq4fbmjK^{CfB1MT<j?{&zI9r%stY*`?o<h?Ay8y5F{j&xZG@
za+$D9%2F;9kt|x0&#>-7{uvz51?P887M<UV@trR$bbvz}))CXADzw<|yrUs1a@mrt
zCTQbkO$nSi(Z!4OT5^>SG+Oypl$X)<c>1Fa;t}8v7T}bHZDlv~$II9{!z~0b(XpW_
z55y6qj#zj7R8uW`Eb$IH{H<#^OT#wfjWgw_NoF1RXS&|LqXNBM^b@f;Ue0ogU|zg4
zj`5nTH%#Za46$t()CzZAv(N4iI6rW&X#tXx+|S~@n`y<Xv3<66tLxlwQ0t$69+Z5`
zDBi!f?RadQF_nAOcn|`U?Z80;+SbCA@Qy31fHN00+<5@gbt_!=Ax7O`VIW;4jlpx8
zec$GM)iHSbFUYjIj%LBq#q*cA#IEmCgX;!0{<XVr)FTr@LAHb8BT+rCbh8Ef(x`7C
zSNK!@LP%pvRvlb*WYr<OkhZedYR{Fu)A*8->~k$|DhF$LDFisQnM=_TIrhjc;;;#u
zgf@{aSr)%IZrMTLEbqOv&kC;#z<H@X&z7u+TN<x?U)p<dpQT=>iI$_5mr!YS;}e4W
z{MKh$54_4a?dbH_X>pxdP)WSnrf*@<K16G-vY9JmR~}pu2g<9wR`pu#eV5NvTH_%H
ztvjhXw08ThBQ7ge%??>+3cIga6g1(FF)pq>e&r56COvnWD+k-N`m`|W(@|U#DN|Uc
zhJU5)&h?W9Od2w204koiZ_=*G`?@iGNfh8Yk4z16qhQTHQnUkcz?R$IlV0&49a6?*
zX_EMh8q7z>C-W>#2ex9ou69)OS4Mr!xewCMu|`?;auWpgu4!mkw0+Um#hV;sv`l;S
z^py*~yE?k}?pAZKY3w}wH=jtAOyZ9Vk?N?M=|9tN)_6x&g;h69o-%ieOXB8jn>V{`
zUN$vg-1zZ*(4*ow``Bq5d{8_22t2<AUL3}G=WHpKZO`zwVH_1n)Yq-roQuilSutn!
zUFBr{dF8e~Uj2-T%`|%=Vs@N%N!jPq+O1Ddu4`%1S107%%rTCw5!h8N*Io8He2w*x
zc(IhW*{x8i9Sh20Cs9FVraMR#RHh1oSc@#o)a8@M&!wZ1N>oWZAFsZ~Q>bL;fgPt@
zQuh0_ZtLBtTuV~}N{msLmBqPkBNoma57NYVsI<!7(>7hGX`n54+57Z)RNnY_yGvb6
zymSrL0vptFQd)m=%AS3B!(kD-W55%4-}q{Oh7`}V`DJd%W%5pyW#7<W`9Je~UmZ%6
z1u`1xr-o+RAA5D2IUIkb%BJ7lgRSxpHlr@n<CG~;7j}c0{EvJ5b5_EXUCiAx1w-p`
z<l3pzN8Gpv_woF-6CQglwtdT{9XrQv9655F-|!Ke$8X1b)M~~eCp>;MEztJ-k(h;4
zBn=T>do4ki2t!w)hart(GM=Rov)+FlQg#v`wsb^P(|Ke-f}*Mhn*(13RVZAikW0{l
zR%C``17(Nv%d-oDm`r*VJxf(K8!UX_wS`vnskIFmN*kWO!;`D#*Jv&1uLVDJw`N;X
z+FcJglON$>H&%~NMP8IL(Jh!}A1nfXY##FdWMS)auA-a5oi)747C|q60VBfIEVVwu
z%}{VVs;wguMG2^;1RDXRFK823p(mm#4q=B^|7DfrOa%K|f6>dC@S~w$kZa<Q<Y&>r
zAxrt4au0=2Aji|O2*sA4QV2%|IVvN_pWu<n!zq;MB{69%?7QLeYsC7~cjO(4Mo=QX
zaQFx%&u3T!MEz3<B08L4GE%}#2npf3@~dW&Qg#@Xr^+u7{;#y9J|avI=8p)Ii(?V=
z@d%M$NC42&8Uf<O5W%6O0T`l?k$4KJ6niRJF(^dD>E6A*sQ)?Z$`(m}Fvdo1*aewe
z9CAPRXSwf<T)yeYwEVuf+Bf;}m3EZh0Ix32?r{{!q|_dNQF%@nNdwUH((<!+xkv6J
zdPBa$Dj>^)17!-6>vKH9=@5M*kHR+`_#WL<37H4zX~e73(q~<SFqaH}F7NzennhZ#
z;9>nHsqdK~vO{?xT^}k@BCH7LXS`P9JcJ75gD>mlslBBSzOIp{HleSu^^h|!2=oPk
zUF9U$F2huvai~Q8H*ztddny8kb=6bF9cIAwG6Qgjxtx?q5e_@tVC30ihPrnL9B@KO
z%M6Sm&@&?zK#U*+FG7d_0?a=@$-h;lYQMP-D5O5<2B1j5^Z`gDAa-!QysWbj3ePeC
z3{63P3tib1Sdj?Ej)3e4%DhgVOwMMZl48~Y=n|N927}lxH$e7v1LQ6@K<)<Q7}#_|
z6-PSi>TZ<xL-Fo%(g2wG+bcfM2PKd=OEDg)D2_yNDv+<QSN)-(V}ctCAlP@Avr$K$
zs%;9CCn-h-bf-b`d!txK4tmd_<&#iFomxnt1;-aS>gt6)@Mux1Qps7pT0p6`64ikg
zO+AiB+I3uWT--?=?@b-wiH-vS4lX+q$Y(dw6%H==@jHRsy${ly+j@JA=4Thp&o#`C
zb?V!p=jPLj!wcpi1+YWU(35c$&%8Ge>*W^|+_A%4G`i#8k=6hS0UkTd??re}$CdaF
zrM~BBi<Js3n0V6cO_g6>1m8SU;yVB_AxZ6b(tG^|Um&^zy|o5-M7kotV@E=yb(XDM
zh0JaOxT-r1Sv4B6?!+q|t}0jIOqj34c!VfcEQL2%T_wKbn%ofa9b~+U+_h=<*-b_{
zxVlbEo!%Rn=k_D>Tn`s+SAL3wd@l)y!{Hf^XpSD5AuwfiB`*!ca-{Mf*#Se#0ViL*
zI08jegn4A72?EQYVZ%SEX!@A;X|+78iIkw&k4Q81Gzwd*qM3SHQQ%eNdFldAfN|6*
zo_#*dwv2M^0C?L@fy}k5NN!JS<sr0?5(Lt402W>pYr*2V1gOFR?Acm*6gJ2N;W@N+
z1Ql~P6F|?*fVyK=z@C{a3a8|uchM>`kSYqZXH=|~Rup{XkyvbK^EcOt!Zda57p*6U
ze=Sc#)SW;kB>?rXZ9F+tQ@UDH4r;n5kAPnrZ9NZY>&d~^!xO_8QdX+}9N3LRX&Vmy
zSaR*WL07g^LCYHQTIApvt2lT<wKKo4gQs$_BdFE+eH1UxM9SyVo!k`R79(3}_`+9}
zf~Lvm7KKh{agdO+?IUZs_&iZ@ShbeJ>$3nP&k9oimCgA?W@S{@Ps))6=aZkL`sC2c
zqr>QxSA^H<9KzXV137t~fFzd>mrsp8{9XP<y!T2u7+Fewc{uV~x<h|bC?TMJi10#E
z5^+AG#8JrAStxYUmU0Luku@LZYdq)H=Q(SRtYhbx?>WlcF&R!p%=bC>)#l|_D1*U8
zsvT>}&O*65M_`<zSh2Z*O0vs6vrDiqv{?)}E-$W6U43rDH6(c3;I_J5ShI)xc1iZN
zmU~kkOxzvbrGudapOZ%;af93=zc@=0pC2h9_sGrf0S)zK=3!t-xjaeRku@^NEpqcA
zXe!A-SuFvFGvosM{qkUk{UzkVxja=1M*uT#!^UY?Om2SbU$o4ZFXBV_DoxRBokas+
z^{iRSpX~9U_6T%lwO`_SZrHkNvkb$NGiRPGGvX!aO3ON2$aR(*miVzln@ZD+Ftk0H
zcBVrmXTFB#8D2invY(bSyBt=-nbqKSS^TGE#{1>)uJBKIWTFPI;mm6=yDID_vyt+7
z)<&MwMA#$nBr5)gMj@#LewwUhHJ4_mvF6UKE<Fpa<6n67syPD>IdglSp{u#r3&~cT
zS#>-{Tvx}NKWf5i;xTge?OZkumb+N?1)P-X!EP5Sh*vA&3;$B9KP;Uc4P#adx(u{v
zDe$h`Jy%GRSTQ6+x+4|IvjqEIF#!THu8iu#jyL4W$mo*aNdAf*FU6v1B-~S<(S8Ea
zXb*dmi3Ft;B}B}QR{-c4?N7!E_eAp8;m?V@uA2ZSE~r`I)P?4rM|01jxlw2?GEX?>
z3d@7pE93-2<kEGsT{b#Y0ZC0;;oowCeob(Wyg$q73KU*FnFDF69$n$BpvTtENe{UZ
za?{b{aMGkimnXTGm@&80<+`gBTgb`X5eXOJBl+Wr?|H>v%X7(y<@$TR$<Wtx<?;Te
z*YjS^e`OS(Kbybj)CHIL=;7@;4ewHGl4*5a%^#~)&tKyLGs)hb?HYUb?`YC@h8Oxy
zbi)&77rYrym4Bf<G3WC1(?&6j6=yx6Lfgt3I^tF5X<Qt@zwFA3A<3)gJ)BkOz<%t0
zjekD2<O}Yag(oq~Id}Yh+$?XSeoSz-9DmO#j(ye%J!{R1p?zevE^{ZFnOL#*Np;Vd
z#2Y`KXtOuQIV^Nt%;B?B##}dU{Zq5qt@*0fF8p&3kB&`Gc0be4BtEJ(q-hK8;LKfL
z)ni{6;g{K=+o6oRM~~kPGaVVQug|Z}wFdNT2`vJ=^z|~&vOj?7Zv2;nEI=a@eR^%;
zPUp)$;gv#-HP`l!eBum2*#M8yZ!?Swv-n>%v}gWc4)YGqcjVty;Cf!4mvZJm-S^B1
zG-d>?H_LiqGNp2LhgR}NEzDXo?7ej*{RrH9g45XqT=2m4NJ{9S=s-%`Q7?G)aKS6V
zOVm>@cz2Wwo~3xPW6|AsvxO$!SIe3$j6QzMB|oZ|NB?82%`6k^tL1HG_4n{_(fdhy
zujK(d5Y&KKL1=)uQg(&UvnMkw`{hO>_GPaprPu&T#33g+iYw!49jzbh;i&fpN`S@w
ziPI{19$48p4bSPydZbJi$KZ+3Vk}YMt>s0?O6A=(xr|GXvA>x|o3>QdEM32Dak$ID
zUB0bCO$&qg(EOPi{qo@KnmI^bGFS0uZ;P%szRFw4b^_uE#!F&jmIjAM)|Y+_kba%Z
zgi2~#=gZ^JO7{}%Gp!h&$66g`WwtUm;u|y9!!+)}1>zge@l5E<e(v;y_~thM`Z8}8
z!P_|MF-kYnm~R%CM!@oB-~J`ukc(pu_p5U_V%rbv!REErbPv1jd?WebwJjTdpSjKW
zP&aeT<lo1*h&Q_SI+%DqKI)W-IcDWosi95$W6QkQ`HsGR{sa0tx7*t@aXgvx9{oJN
zZ3}E);+?)P0*tpOh6Q7i{m4l@0IsWzB>jQl>|X=61<2(dIzdHjhY%5aajiTr*buRG
z(c*QcDfcuX6NBeWcNsZ(MdYq|Oj`8Rl=CqEH*JeqnmX(=o!FRv70k=|Ax$O*$Z>{d
zB`dWGLG_|DE2sUv%4}X@fU~%^Mr5~aqy9It^<KnIIR;fPkYHBIW+~Zq@4>%(6#LAo
zSaW*xC#wLpS;mNS-F6sZ3B8f<d(`aXvm77uZ94uXFV=`R<@H|FV#Q7K;LFkXbS|@t
zJ9IuJs%f1n-d$k*uc2Jh?Xe1BBTEQ2?1@;sWQ%E1re@ZJNg)$m#!XofnKtk7f?N};
znZ@&{A9YzZ9;&Ocz1st$ew)M)Rn`?7WNZa6|1VesX9d!DH-^T$32D5)DFeT~0HM9Q
zk1UnvV;d297nrEoYA_(;cUCjaR_?_zG}us@vKt!gjAgh#o;DV}`FCs@*N$bK`32sE
z=TJtq;D>T`+L4fgj5+7Aa;W+cJB58Ik2QoEZNbC8kd5Q!lq+Ly7`ekZ&DMHL-P<_x
zl07}Dg&5`NviZ@vN&}N_nIh+3igy-o#m<SE$qdqx?(;nHAibdDE-B^MFCjQ*+y#5Q
zy3VS-KopFlgDbX=Z{?~K`daEQ2X>FQ!{!m16zP0z)YdxNjjcBJguCa%gGpC+Y=Y;4
z@dOOoL;7rL51qPeO<t4Nd*Ycj+;nL2stLoL$4nSA+{dV28vIO-c<6K)-RQ&|y3p3n
z&SMWO{`@j?$!&MN;&Np#zY-C7LfOlY{lLq&`2l-5CpN{2@6?9rj8Itm8J;cJed4@}
z_&jdUsJ5*Kbmu<~!@f9g+uZPZk&etMzqp}$(_NVVHFH<5c3z*nbIB%`ySux#YuT%R
z8<VnE&A!I`vYirN*F%44GtOfT<c)?C5z&W@$@Am8;`wt&-Y{^`mCMfJljr%n;9Yd%
zHF7Xct%vZV>PX{Su3;l?SM4k}viaLhyx;7B{kpn{PkImAd~5&j`+i$z;&$34!{(0c
z0Y(4mR_q%LZn^21EF%Y&<j>jnFIai<Jvl)~i-UH~i8&{KKjFwqFJi?Xvxd&B>d#sH
z%StU;^V&w<TUUKi_tQDfH^UQ;oi|oV)^u#yuWD6i-iYbzFxOee7wm}P_Le=n4@Pz`
z&mB5<{b`2r_serHU2?{*^~pnavOGCOXd(2JZ>D^7JLg)<v=qTlDn|gz6*n~{lFfcP
zd|3TvArhxPGBwl*_qcBqC-Qpa!C7d-=r2!65k9&~`VqZtaM{sg3AsUm(BXnmp0Gb)
zy)3n6_C>CfPwpCKzcKf{ddtZ7m<isQ-KA~P>s*klpUW!d{(_|uhgF$|RT+0y=%WI~
zbeE2VG2D=Eu<h(Q^hB-_H}gRT@rIYAkD4XmA#xP0vlUg~gV-s2nF(J*)(&|gVx*b!
z(}xo8#gGvGu*CX?u^-_>E;l8N`yken_nizm=RU-<?g)?T&Gt%i6BMGT7YxpkAcly|
zN4KFM>|w>NZ^NB~m*Z2XEC4+ldN)G<Nk#viEqRBW9`;zclr}d(JeI%`3IAe(t0bOG
z;MY5>5X3WK4F255!?x0ouLOKwA<;9>;=P3NlAdsXPrD3UZ!4}haPN5|k?@qBAQFaP
z@}@+^TcP4jRJ@5w*a{`h_<yAX|70q0<}h0FNOHP-HwANZpZP&V^`No8g|S!47^=!r
zz86ym{@R#j<5xvEZ`-`?<N|1FrzUC2g!CTV*%?sngrdT3S(=fepA`9*EgCKLN}9{o
zK<_KtqslVM3?*ZTuh9(sLB)*0;e)+JX<2oWZefz1&?Nn?VlStLy=e(QZUOUCfIM44
zmf`)#WFU8;DJnpnMsFYtN}3U<^cXTNHX7*fl`cP}E>8<%(**k3531>>9@u}a-Od2N
zJw*>8TY<!yK$7WkZ(}WhuJkialJ&A6>_o4?td8P2*`8=zXWvU=3VQYsJ(Ir#1UjYw
zWU#k{t9I@wI+uaY$+|EGuir#7dqdcl%xD5Ss1eVZ(aF<h5c<<hlr*5UA&|+|%9u>x
zSE#{V7`Q!UFOp?~W(p11F>3OcSqgW;dl`&Xl0_5z{gOZsAFbpUh(-UZPt28BA2a?}
zeK6Ofl{Oaj1dA3>AwDfi#gjqU0u_}<KSoB+%j1sv#5VAbNbT=Oxyz8xRULd<>naQ}
z97@?$+7Jp&KrANU1}1=e;PPg@P}xW*6M#F_95zCk0CA~oPXr<q0xEZ{#n7F{$jt%_
z@m4H*TY&y<7l_4pO$Wq=!0ikS_B(q+bT$$lWg3=a78ZcgDNqVl;4lT^QYI4^(mLA4
ze=WxUJjQ=5=ru;ymnfspPD9!5N>Jh@S9Q=cl@)!GR&*w<=u58FK|dabLARn}$Q9Hu
zrGo0po&W;scz=w7qA2*6#JP0&ES%Gq1>)}6hW3G#*30L4xer}Fe`c~lJVYyFFhR)n
z!YzhatPYfF^fr2po%j$Y<`%7tPJpn-ZAH1gI>>bi|6BHU1CalRtF2rN=pB=sPNw6!
zgDPGUy2##6mN49hh~>Xf0j8$IC<TDOtn_IEKNPqkXw4Sq@UZpqe;CDE*p%vocnxmv
zOx*vsf;Nr)BOoAIy;&#AnS|T`H|tc~tV6B)$1c=@38!Y@qKtZ`7Qo*n_=eV-cqk@!
zSCJZN8&qo)L#fW{&~442q*WeZXBYsrh&NLhenz&Ewknx@&#G{{!~A;__o3wUsmNM&
zOZVi+m<CGLDt-ZxX&Bq<MK;@%cbn})8gM<WDYjN(N!V|2`Jl&1IQ9=<7Qu^shes<2
zN(6fb6@mk45P)%x4Z<A#w`yT4_#LAn`=Yj3IoyV8J3wjau=UECAgF$TS}JdVj$$+F
z;8q<);dR0Aa*e#?aOlY{sXixzmq2|rK7lqDTqYdF<E}EYkBJvuD@r&uc`|E-bMTCf
z=P$muYR+KQP@c487=Dn~jIu>5xyusezVB>5D9^s`^x9_HvZYJ=Ne;qoYObOmQI^2c
zZa7`xw+sbIA`~R2pdd+vg5(S-NSxVAgBVTgVUmh~6>$UbX^2k;d@A6t0X`M*ae((_
zFEJT2C7P{%3W5{+3gGvVZ2cqZqB`sit(O0Tu11y=s_MFFp)};&`wdA$LqJ(sNYS*A
zTx>XC@!1N_nfGz1@wM5TC+NyM){esr%O$MH%7SVP?DJ-JlF-kZ(fM<Bq)sxU`)kcK
zUM{kuDnFg2qict9bcr?!${I7PB;fA-2@<7c#~eZ}vf$2|-!*HknK&<EE~_U&{$de=
z7`6~n9_WR+qe)@jXi}Ivnlx`AHEFy&3y0mJ;&j+;D2{!1QE}|M^V~;Hi0JJC7+D97
zbEgweAxV4hr%4_sl5N>dFy}mX>xTRxX=2W>;OvfrB`3@0xSvn3J?9cD@A|u1c>#F~
zvpYfrmbajAm?{R3vx&jGyd=w(`~`rzsE~j>EdQmzDKc>Y;H)z7DD1=mtTG16(k#DE
zc|jgeWPcPaT>(Bw6^O?d2*iUiAv?PZZ`|@119S}ACs|eiF5o@ccoa^tfZNCzVtJMC
z1Hj={n(Y;uil9t13j}2w*#-*Pp+t6}LbkBX{Ep~TBFbbCRi$Tn5`eu!R4I6fBcx!T
z)~W<Oa3#%H|B{%ofh#d%KCP`M<(}~Il4W)N$O1aFiF`<BOt@8=20``Y{1`<sEX49x
z{&RHnbL!}?B<ne4u>QErAg#Z6#Il?wOkQR!ERZDuFx>o3m^@(ilHT~xtf`>W1oHV+
zKuGWkB)QHeT8=hj-U7`uaXZa#v@~;;a_qKb6D8rWhUrUC<;md*Bv1}cz~t>q!0i1+
z!)z%7a5}IKQ$t6a3rm)PW=!B{ED@Mu-)y1Lwv?vE_mvd7K6h0~bI4trh%@Lej>7?W
zQNiB3s31qFpcE?Dpsd#zs$x)rDsT=>D3EvtC*V{ZpMc5+C!n$|32#Cbez|5HsRH>E
z=wlYB^5-}`i9&uIRZ(a{C{6HKBPMu4C??piqiuqBjhEg`pb3@>QKMOgXK*2E)kqEn
zHFb7BMo!$b;7y7$yA^`78$fRlam8L7ujuZFW3L#AtztNKit$+0;!ex0GN^JrW0HC<
zu)1Kq1odR_NdWi&H^BQO0AXMPZ7s^_usQ)#KSG)MKM0jh2*MnZpq>%K2y-}L4kJu2
z!Ynu^Xz?bzu~T@Umi)N@X$ZTz(n{bfTl;(XBM9HNy{`sKlrA<xnX>9Yrw!g(x3a~*
zhpW`BZu7$u-fgH}G=XTweuY~qqZ1H_NPcQew0ynQ{eF-)`Y|XB{TSqpesuJv5h&R2
z2YG{mmU)ALWTiC~RVwP1ZzZGb`5z^t?)e_xMfUtb-tU^&(VKY8`%R?6V<%`bZM(lR
zSnloB6TrO+8tGmKjdZVqMz(5CjZ{y7*7Jzn+~<MaTF(Q!wW^|?0Ik~739z9Gcy6G=
zb5`o=LGW+X`xABbFlbf9%7q`+vO*FUR(W%fxNv!Jti)zhevXovZ{OxC)|OjrDm;JV
zcf#Cydt|pAcxFh05Q>H-@fNRhqdJ`Yx8xW)3_SLdX-*zHX%f?8_Kt0^$uy%jLN;5@
z>e1Q5Wx6~QVSx(iDXg2cKl80!4~23D>^Mho`^zXNB+HYV{F|L;2f3{Li;8M1Ij^wN
z!j|;6cB2&H=^!2t;_2mtvXs0bqngA9w;4`Ay#N&VK9G3LN1pa0!c&73n13f!t^08J
z3kd^32oG1oBvq(3@!AL?bYT`i#tRu~Z|%M?+cCt_U2{W|V%*TCYi{Kr$GG7Eg;HY?
zO-mjLscsSYp5RG1D}mGbqd3<RPRo8>2^vY6tay>i&^|*Jl3^)t?e<f1YNZruP-?j9
z8>39YH^}J%Q~TSuXFh27RqjBpHUvg~KCguysdxaIz?!CtSIr6^MB9N8QtgUz!d3G}
zSs~T#9WPuptIUuqn-L6pmTdG_VWW37Q!YGsnQLk=ZF(k>YOM@5oKIL8cgEBwRWr=n
z$2`!*t-lg5bYb(>-{)*I-PMV&k<0i^m&rbZe|4^u)14JJ_Cs)QWtCR4l~!<OQ>5tH
zDc@`Y&E;&06K)~=Mp45rr7`JE1*EdMYY<;pdE%w?J-&%An#y;r9PmCAP54Wxx&qaP
zpp@w?hsQ@K_ZBObX@;369Tu*5Sh&*bO5Dx@SEyTvh9#I}z=UPqED9oK47W^c@==BA
zuNEZY{g~mbg#~$dCx@~6!lLvSMajX2KFc6pv-U`VX_bzIPDPp}Uc(bev#fpmFFMp`
z1;#xc8}0jaN)R1o6#T&Ce=xg>N#JXYK#UuP;F?=qu!$QV^~P9~!_DAuKX7>J#}KY1
z473D&z}^@_Vn>W&i&S_W*)^fOPpBx`4i%-^)s=p?%rt<T;QOKEeM+@ECoLDSjlue7
z-z!s`Fbg&pXrL!38t5P8`v%bu`;mZoaf;3)QS?0>^#p%n8$YQtv5lY9f!GG%larmc
zrVsl7oOdTynqVDx6|Q%B^apU_WSAms{Pn+(qw!ba2Bq)(7`ZQPj0mW<_l1c`;mp2U
z+R7wkUO<<l?a*g`J5}u-Xou8}caT?^(%S~wVXyJSOxW;NrgcDgN)o;SZ@(FMer6TV
z-)@wA1v3(0#)dN?0muQ!jk}!Oh$zjQ{ehJC2XAU8HNOIA!>?yL(p>cVu<aAL7v*YL
zuDJD3PCWaQsp2?P9)-HcDOE3}!29u-(^1$e#wj!UN$tKkmA8|hPNV*O66T!+08n<X
z>7B=MM|-@U&g|#B?s4=ZT@MK3BP?SX4(W+uFVOEW&*1~x&o+tvZV9|>bBV1L*kCo2
z)dpm;Y9tLta%jqAMFo9u&TYwL8l^zY-zQH2KfSY&{y~Y33jHnz7h^xO>W!}B;?x`_
zy!z7ebhwEURbCR=w2+R)dU(~B+NHC>D%mH$%F}HJ)<-dvQ>wn?k<R*9F_4-|U9@C5
zMf07=c=~1LN)#`UM&g{N4k%@PlBp~_^QBTG=Eu<i4J*y0t1zBqWv+xqBp#NN^k1;$
zofQVrqB>F;#uYX;831!LUls)rWA@UT`ly*_J}tA4mdv4*hmtWwb8<TQ?-s5VDLk?A
zVyt6hgR7Yig;NnYG3J+og=d5MH)=F)Hn>LVq`xU#s~FSCw(bD*^L^nYvvW_%z`7#`
z<rr6t$~9LEON{GTq(5<m+acCnJgvKESFF33Fi#?G!&{k_@iDxZupP>}i+07jvm!@g
zC?3*AxL&H3%AoY(pHZe2)R$_9`l9X53Ku`jR<TX`GZh%kC~a-W3xa%;a+9F}n(O%L
z$sz{5*Sq~V8nHBsn8_{(aKpp;D)JF{AGMurlODgO2MIyGH5ORzYY((kd-Q{mDb8!C
z%PX!pmREFf>+;&4pe`?WJo9^%jYXn_7rirK0(KPNxC&2*&t7AVp%jdUQX$h*u|JEi
zT`47JGvcxj%!5oK7W?pXDdI0yGnma5UZjsMpfiuy>Wyv5DaG5;;|q$#f6f=M)4w1q
zs}JoQlT2pvz3F>wcJgaB_Mu*Y4^Vn4De{E}IOr(4`OMW-m`XguyumZih-aRHX9@$a
zOzZMuj{^K84BgIkWepW>c^U?8$-4`*r(u!QUxi)93Y$}pzer3aBT$anRlwUY*jgXc
zd6{AJm7FfT79L%~(Et&3bSvEc%ORTkfMGTg$5s-48UO`BG9qi~Pz78@zk<s_Aj!0&
zNu~{iOlw1Nv*NfV3so%0B^+R`ECE@S{)eENfCQk8N&s3wLIGM#f{GT9kc@`7O|YzQ
zBK$Ay>So!{8|44H1MZd$O{g7{X?IQ!{$JX`yIM9I&=@N-Sdn|BpZ#BuMgIgYS~gqv
z=>O-6iIJ?x1Je`!*NQ)<ib*~LDue^L&jlqN&gl8>I^rLWIT#s^Iq(lJn1kqWbq@T)
zF$exb5KEka+1d<_@*e_5^k3;&nBK}XpG!g|$Qvt()Jh_?@*Sy_R#Gd8RQOoS3dj-u
zp5V}cr9{s&5_4g@XI#D{;Ev(%uG}$3dgG4a?_Knc;qU&@JBGjayE}%zyL!j4vSGBl
zwE^zQ!V1eKTsy{Hge>9jeomS^9_unoDw~0A)K2t=FgX&kq<>c^TEO!ADq%k&ruPTa
zE1<!2D`t4c&N<UuMaZ!6w5<#R{v%{kyIF-eo7E=9{oiXqP&WAY{{a65v9SV=dqCNY
zZRszn2vdno{SvHf`mWFmR{*riFX2c5AHFMm50m)pU7;_8eg!kh#z;yTMxyQEwe+OI
zBViIwJyr1c51}Cpp)m}>Ao{n)C`PxYVGL2mF@#v4;uwXQX3*qUBxYLZsn%DNrtNO<
zKha#ts;GQbk@!j_9jOjZuzG8FB=of18vI?Um9ErESG3YE46WQBMy+&JTIrgMXJsv$
z45EK=?2Y5RiCJ9F;eY_QbYdQmZEzZ~W|BAso9-mmntRd)c~IrDN#K=tkhY_%V#aXw
z@S5rdoGETLq{G%NatgM{`ovC?6L6}%tH^e?DYX&m<OCb)A?r3dnYPKPZZnA63Ss_x
z6TOMo{%2?};xsF?azy?|bNH{shEr|3WdSBm&;P&_gWb5UfJF-saVq}@VxcOP16Liw
z*#gd6!VIRdn_4h-N33HvmBudEt*ni;Svx86Ma7Ik)+2aQOPb*Fwh=#A-a5tQfi>wQ
z_aHu=(jI&~=_L4g(ziIB+evgNSIkIIj^#<^iNLo71irNr_?8H?oT9Moq|IR2DOHHd
zW*pYGxi55NSIkIN4(*8xL2aVDjas~QUz>=1O`N!Ald`o1E(Etu+;dLy;+-t55SgxV
zkW2GUhF#Iet{u2!b$o^2E4*G~YaeZRpxfYXJv(~B@zsyFVoN#%YzUBRWxvMTVxJ?G
zHPU!)zF}xK@cfIXQRh=rquN$1Kd@~xQ+K|EyjXt@IrsaakkgL2o3H=LBxlyZ^%0_O
zi@R3i4UA%6Zc3~5%+IK=C6^&zzy@$6cA(Ji6YJ0HbiOcpXT{CN8XJ4XWI8julZWmd
zJ~4OB0pnv1$M~|`fjlv*<hFV>)|4`FdC)j#|H*#C;0TE11kP#9Jqx{Za8O-oXEW`b
z?3d2WBaQda&SCBvq}$;)wECXw1MFo3b>5G+HmpcqbS~MM?SOyf0zQ%bXl(Y=pB|Tf
zInuBcU&n>`$~lK_@5_uTwR-4^A<KOEYW{i2_)2#UT-|+rSE)Zn%pX47xzntUQ`;H!
z=L8<hGFT1!v+PF)_ANX^V&%mwT96kjVIi?_zuIVjo4GjL#!vAQ`%Htl3m!WcUlZ{)
z5rMMW^=zZYP3yz!;C|Nu=?#P+IWyP(6}h1ytU^wOds=rX2)Fb~_H0Uq1G|YFu(Jh)
zZ?LoQy}{Y&J{(Xzg3Aj*NcnEh!ZRJ1Sx$!L>m$D>+p`WRKQE^=K}`uPz#akAl^u{|
z<D`K4gXH3nJ<}bSt9;d9JvHcC4nBFySFIw;`%tvP=vyA3h7lCW7eSUX_YrHV+<@T3
z;$#^y7TMmw*0B+iXF)05bKw4xD4&KDa0r}#9uS8jr64?NKSO$`B#Ya_9?Mty;1dSs
zFLhul%bC;Ek+Oc6U>hm<x^jnSf^x^e4L*tq2c-NaaO$zYeAi)z+}QxDcz#p*ed=8Y
zR!r_}vwY`|mOa@hdw*8KAwu>f19vYx>@5G4WPcJJ^OHTvG7Y;l-$&o3;@eo+^NCQP
z?1y#t9e5MjS1~B77;!d?hO%#t)I}iBzvU(DvH)KK#ThSlynG+#-mB2{Zxx{Bk5z3-
zFz>ztBuf$o%UNy!Gwyz?;{Lo1V?Vjr!Jp%oEOzJt0-QF^eZYofvPQY|pcp+zmQjKQ
z!mH!?Y54w1u7|kE<ci5Zo16bLJUjA}3~Y$<9$E9IUPG#w-o*rEB5(%rw_0|FIr_pw
z<T)#aXCvj3-2DZcAp9&R@O-U5FKKS!$MwT`gW=sqO>-RCLc5#~)4b3^*AZe^m$Ufz
z+H6NwEx#`h)rQA!ytM9#BfS=nNF%lpO^(loCh@c2z)ee>*jv2+aQ}}I>{~F87B7xI
zJHt$x)7v&I3wK$xeD3U}CZyVZg;cwXf`jHyc4_T3u8NnbIj^N@j)V&=6rr)9&2`OK
zEkNY-@!H(lWiqlR1e-$3X#QBXZ0;hL?Hi_b+GaY#O;~Rm+0T-_Y=_iemL0){P3z__
zT44%&)k)G+J-9b85$RSou>()-;h5v-a7)nthOnoBnXJuoC;2O;X{h)ehr{m}j_j9N
zi96j-{<21KJZ7cfWX5(%nl>pn$2@S+pO*AbA4ykF!#b-QD}OBvMG%;mnR&y~X1)f`
zE4)u7h`sID;sir0AyUvsqE(nO2RSy_uw^Z^X~L^{Xw%VX${EM(CH;+H_F1EVP4tu}
zxEIk1Nx_DP2NRg@K2zxPwYj0M9NCXrv3`C6bF`G@OgEmp_;YbAHvp7Z7%?trn2Y(h
z`SYinL{I;+2!xms8af9#I|@ZvJ+?Xz7Q}qLi=$c^jOS1h`qfS-5+^l0_*HY(UUFI>
z?-2J)g0a*82Mq!yvN6MLmIfdSKJDIvK*ce<$us!3W5=qFsHwlsB)nc|<Y_wBMIBDO
zaF*MaDBq#0>r5j{)4iT`ru+BKd;`xhJj+64$Kt$9Rue%}WixoQ#l{B}YU+5i8D;BJ
z$W+a|I;`0YikP}j&y3^QayG}xs~N<q?ccGgV}1gk!;VP$c(C2ZY!(w}e-5E0(=o+z
zZTQ()%CahGa;o}VIr~e%s<HTD6txU*ffb{_w1`K$r<6OP+!v7~d6uPczx|6HhLKoq
ziUm;!`0uiKMby#^IJM?JV#6P?>UdT#5H5uiD4r{@1RJbn<zAkG$rT2)MDA*;#TM~P
zKe9fwCI=YU@N`}7k)gjf>NTvYNzYcWbiB32w2w1!RA>?Y5F*uQw}i{=oKOu(gsLIH
z$x>GSR@z8#)6_LT^8e%PJ;0($mNsAz&l&dYI=YO*>WsrN=ZraG&H)uOprC@HfQVo~
z!HBL|F$c^bpdz9KMHB@wW5l$A0TpvV>afk;{og)=VfTLj_x;cRJom0ccc0E(T~%H6
zmbqLFl*?1gX_Yc21;M1OXc4w=3%C=OLXQI3F92a^-O^#4tE+s$K{ynfxa+j>O{OE0
zw#aN{9a=3iyO2J8>KOZu-hb3x?$=r9fA0FkC)hXt3I5Q7TOf4)5X|SkJe;;}0>C6e
zd58LOu;K6FNgk{e{mR<0dev*P&NF0YE9!h;3y*;ur}7$I0voug029~5_@Q*of%$}3
z$QjQ*yw7OLYO-1b8`P4uF*^}j*fI^3&*H09U0p5aE3!&eN3ojK&-Q=lC$lbWk3bbg
z7%_wiZ^T9~^i4(`xqauvzC8H_n<$!T4oyMOOi&--3fzbDIr#pU-jc5HH4lNQ<8eNA
z2hgRLR39O5hhd?n<D~CU#s}*^<ea72RKMzZR^G*X$zp^TeQ(lr;HQkzG^_VUtco>0
zJ~_U%tlQCMw9ojE;1$4b(z(oN0>iyU+xCR+HEPXXmNXpkIk5&O`4YSd*5_m$%segk
zyCt|!aPf6CR_S$-WB>)OddrrJByG(~e`7p#)PLeZ`NAC`!L3(ZYXtg+AC$-ffwp9W
zX>BiSdBo%&;wb;<fcakzeC$Zka5^L5Kfg+VM=#kjoe}*s4O{;$h)bQ94(b#%dTXO}
z$MD8slkd0@tbYz~bCt+!eaDGRc~R$r;SbcnN^ps(3pVZ((M)T6Ijz|NS~G3t#ILlb
z1E)1R7KU?LqjOQF0a@Mayyk6+SGTsq_~uqDa6m?UX!Vld!64B(wCj#`0f4}_$U1hM
z28dLH9~D`LpwHFMvKn^0O>0s22+o!3Xe+bUD6@;xc}!@p^VsVA#8k#PR~OS#T}&VD
zQ#Onn)TW86_r|P>G(L~_Xd%NGS)f50s^9bitL8Zgi))9))gF{6<fy$A`M*(QHoIu3
zy#%sMb5Zm>aLJC2l1ixI)$=xmp!m9zAc#SnAf5z4q+g4iLFu2UBm{&Wsu!;ii@z<p
zhgje+3<a$c!#L;K8%DICR$-i4rQ$Ak%OTB6OOQ=#8p>%$BU|bP+VMUOw4;3G6RfHX
z*gTs4lJSs;Py#c3L(+39Qb$j2CpGUAeY&?BJ*APXjg$ZnR$3XzZ(P{Qgep$}f;HNf
zs*AczFc(3>@r_&e9x!eQTe4)GtlP8;w{7OynL#Ukjjh~9vr<0t2-Y{yA-L}h2Vm_?
zzY}yZ;0_F>8^Mv6l@+na#r5E6Yl}0PgTUfN?Ib#pK?tT=i0yuWPU!D4K+ez!GG#D0
zK~OXtkJ)LlLntofi^?x1&H&(M7OjecKvX}0sJ7Jr*<!_I9)94x0KOm=#Ppteb&K#L
ziv{yvw35b{#%g|FHNX@xWbc&yK^2#-(yR*&TN1X^8fBNgC8u|m3Y5i&%T`hv*GDyw
z(?OIXu-`;hmu(Yz(KgK6wq7EuN81DtD0ok$z$>E&@LibW1mPY_KotphMXJjZgj7+x
zVE)?@mH_130<YDaD=45DyyKXK-olq1*;fH}t1<`N$4ueOK>?V9vrZR%ZY-#%eTWf1
zLZw+;HrZJ6-6Y|ry@oY``EYHCc5o7z{6eGwELp(NAC_=SoU7wen3W9}yF13d+;m__
z#FPki>|vqn)UiKQhyIVE^);*w25w{G^(N$s)C*%di79QPR{XXOl~O~0>$1#YyGxqp
zo{rx1k>BaHB@vlBSUSRm1LUSP2nMA}-#>g=)b2ayB81KlS+>aNJ!@n7B)Kki7j$>;
zQDq@LX4}RC#x?7gg|3%(d=WS^=WiV7HnqVp8374}M%<~(+=5D9lk+tNY{)krs5SU9
zYQsZ|?^90e$x$s+G8T@tHj|1lK$ebCSzrc+d;ss&-87!FY)YKEt7b_2p0)<v*v{$3
zUsdP9+U?~%QHz_L4yX(cl~E5SP<hp538UT_8%{>WCs+JNsadIRdDs}Wvhxa0#r=~&
zw`OpKWRuvCj{tbJn<i^}Ei0<3+WeMS{AzpAOu!%E5y>i*W&$o1owkMrc9jhFvq)W(
zQXJH(D{DJrWS~pH2pqJ4l$nV$PIjfX6<9eGC@v-Vh>dY*HZFT>sSE)~t}+Du{DAY)
zOat$~x$w`w!w+P4RwHQ2+{v@Yp^m_~IZ?9@bfFp*7$`$$cAfQSd05$d)Nt#;Eiv1U
z0+cJ<ee0xc6CbdK6|gBXFnbR9HYF^QCs^~BK$;w=e-F+d69`_3MZq!Sp{Px!J1_Y@
zo6iX>DE1X`^_~N(jvMonC)Sn$nI>SbP}{~Ctlp?8OBPSIqh+AhxTY{IB|rf<^kzBW
z(0LnL^KJuKtw%KPA0>gyCINB2e5nxR6TEo`6EC?IB`r1~sP_NJ!|VQ2tWn9W%FELw
z^#fcj>)z?I9!fZmlj#j=o4;5}K5q%gpt1<FGDUTox|WRe1rlc&lF#2awdZtP;d}zQ
z@|=ApF!k@VIa41>aRAlUIdhhN3OM@hoS`2{Ru5)LFQsEJ&F?L(1edXregQOY9t`vm
zdS3avh7|ernt-)8*yiF!6sJqXO)-Pt6p6SgbnyX2GiLEpmdLl7Z9)c;SMose$voIF
zbw|62BVdPE6SfRsT<5?i^$Y;baUz3w#F!&sz-->U2Rl@&)gP>s<KStd$H`l$by^tJ
z-g$h@(e?Yb`+ux3WzO_Pjti_=Utd;kAiHW{qaHI20;B()uW#*ojdb#cWg9ja(&7@g
z#~ZK3jjmsBY~Mb(Mog>*4CAXmKWYNp)wt&@Thz|yc&0X6K*0k@<ALq+fo#Bm!%Fsu
z#PYx#xXom>1HJs_R`hXzgy<-|7au5H^;<v@fF_^GoWxzRThD~uwf;wFPqUxGIEpm|
z2kwJQ{l$;E%j<2)Xrgj}KLDqvdlqwFI2pb(jIKa~u)PootL6o-2sZX}@o(cPyVMp2
za_Mkz4K{dy#`PVtA9}d%?q{4Eyfk#4yrZ(PV$JI1YmIw$%^w*q$F#>y^cEf>7e87R
zwGY;B+_+-ZdU;0Sbm@d7v^;h!FcU0qBN_ufKJ$xJj${T{P9>`bsz~UIDYy6tgk`tG
z1I-A_RGkZiYfZxF%=2@v8nvn5vNENQmtcod+VMHneBKMLqoYG^*?tkJF@*|{3omoI
z@HJq1EXey0y_@N{N$V0!mnG<W0A4pHSifsC@6^n~6_U{T@X^^RTrk9=1W0i^u&-DY
z8_2a9-KO(kFHfeE<raDU!}X8WKZIK=Bts7D70ezZKcq%T&ABzK`z;8VI>k6|;ffUt
zAruBy<3i!qElYM9wGVa%B#;3ZoaHTVeWVkgt!~+VBnR=tg1pev0G-<GzGKwpaoKE0
zg=->WZEud-k-Rw`RAlkc1x-d7n8RnZQ$gdvMh3eDO_)0YG$=TBZtR@+b~LgAs~~Du
zgFSQkKm*Mv_`~mVj^Mx0b$<vgrd^_LIX(|G;4a^I1JuD3Hy5?LO5);b8=K3(B^L~K
zPcVBZ*6?|8yT(A*2S;eKG{-#90+pdt0Qf9h4#N+uAZkVevn-%i5MKVGJ8UR4hEzoi
zy(t7nMu$Wj-{+~A^F7}(!E=1jj4AS}I|8);%ti~%sxHEIU++!hjCGnsnQqr7@lec`
z?fd1>P6A@v>-%{E#wR`_Ro1aRdlt^vEweou-CqII0~h)kb&M9;&hT3kK24^*nw@)h
zui0(96zN!pS-Cq7mbK?h>z2Jxs+C{{n9tNLF4X?QkCdjk8tbjX;d)>q9bQmiAfOX8
zp#1>idky^}U~n7Y0b+t$hb4V5Vf~7J#-fPyOhOb&{D;f4foi@D@;%@nUr^MTIq2Wf
zb`v<3PD-^O3l|52!%<#{+T+WfQLQI;fw2w5Co>L8e_QGe7!^}bU@k^9re+-9^b*i9
zGc?yI&(wo+<AfEiPNnZ~DBrep)-;TAO^KST$VM2jxTe6s)Ar?M+HjRFpig;qolxcq
z0nt?>!LqoN74^drGk)Oc;$5H(u<hyO=QUA2)kD~||G;KYs1p-fY?9gF_T(hipFeDD
z2cz5gZM%JCm+pf5@$-S_aa0Du);oYke=N)g+~#j4r6F|N$CbsXw#*w2;@_%nJ}@Rq
zH|xZ7fpTMD*n$((aGYNnod<YYR&ndoc4Tc_gji<gNLp8}9RbAu_}&=f1S~{X6$bV)
zbY?C1LgcFp!G?&a62QlukGZBzlbOth3!FjMP*-7vcvI~EP~T@l<cX89yDrI@thV?M
z5?B)57#M5_kvkGT&;JZgypThpR|=rwci+NbPrxRAN2iz@<|^kYCDWijFWJw1Mo%2)
zF0alv2gEK^17g2Z17a7N17g490kP4iGn%7u2X@37uN`)0O_}egLH*{=U9~D$4rnec
z1Q_uFK)n8&`csET?fD|b^EHA(?QDAZ(Ik1yO~K!He4x9r{qTgB^JD`0=y37Trj)oW
zV{GIc{|Nci4I#>7^qzi3R*{u%!8);yADUAoY?gn-&(iKi%u`^-*{Ck${|tu8jw#u|
z2;4-L2;Jh24V-mN$<{~h-ghv@f8S&;|EZHE?w%SgQ#ISDJxH6jZ}Q}6NZT_tO4jXU
zw#C_e+ntqYFc*EzyV`~-zr!V}!DhA6oq~StL2AmI9rCtktDmiYV$GpA<^r*?tp?k3
z7<T(zQFm%FvsheXc75w!!G6>IjPuR3bS|f*r_8ieH&?0k0mmWX+i`Hm84^D9d_wKi
z^WCkay+<7X$%VSX-Low;0J(`AB>5CzgA<u#$D2b0k4L~B??wX=%3P^eT$78uwGwbf
zj!Va3z=d`AKduX45~C3A47G47Y^fgM0kE>^!zIh-{7Nzhdf9@jXStblfZ!f0JkF18
zBXJcZyLaM7au5J)`m+QYG(@FAJ5`cEmM<)EegV$PBR90M1sOhT>J5Xk?k`yP4@^^&
zRc=I;Ic<22$w)6b{D7G5x9llh{-nyJ8<h=^N&DEMoG$YX<p{?&ZQU1X+_)}u=~{@S
zJ8^|WB%QO;$JlPd@G3s?L{@6fsCgqoMgZ|XWp>Kk6A(z-(>ej5_gYr<JD1`C(R!=U
zz$}|iL!J$}W{}-;%a=H(`^i;*g}I{Vu4I#eEIXB}VKc>EKp&-H%U*y(kA+X-#g9-5
zSy~nS`oYvhQ=3}dGO<Q%y#R)U%TdFa18u8@%bGJPyrAwRFF8uHG;BH?q=QaKdq(f}
zg^apnt!B-VwM*A>8I@OFTIDEcT1nNwbt;7jtc@u^l~6@+OK#*?g*m#34BWJU>k|-C
z0Z^%JS0K&(LSuvzY|IxLb5f+A*%%>B)Ye2-R?J059R9YL$aM^Qn2)P`N&&ck2mKpy
z6SWZ@Zo8av*P!w%W*HUyN&)zlB+taz$%`s#7o%@|rG|)kOl=Ql3n{z8*X?-#b<f}u
znmF#ZNaff#E)Xx~V@KgZ80-ous$WdN(Z%KpO1~vPUWXNi)QewSoSKeNzZ}EAyapvx
ztO<MzzfK@z;x5t9*P2Nu0;*yIfWi*mMf*F}?M3?{N)1-;8IATDXO6ypd{?>tok0?o
zE?WG1h;c^HnuytQ4=Rfo7zyu$sLk8gg&Q}mqM4=;2%baT1NwW*gIF0n#ld;oTr2nr
z8keoP&VKvKVqF8%_tt#jS?yDRq}Gg=`8o*R$qw+C$LJ!!j9}7AeXuDB9KdhYm&&+r
zx9SIet7^>Q14`yX<$EB5-WRo1F^g--%ap0EnictdU8*BtvD>5eR~(%!`1^Ry7;o(0
zgh-lcm+wdI1$K(eu~UAG`@-yQ+kb-S*@X=)>SW20Iq^&gEPNWu1<YXTX`)`m!GgBS
zG6<qS<dU4hfNs}N>B@`P7k3q$&B(kpG}__7;a3ou$VxGOFg4QD1%hx5S}s6l9o;b4
zcaC?kFIc>w{j($I>>u({l~il8VAhz03G|DY`eyTiEs>iez#ne&**0aX_xZXNPKeqW
z%U(QqVN=4kOvHJ4skFn0--;U)0q$rL>tz-(=PR|}?E&xHNZl$~muzUn^IaczJ=eYb
zQ5d+T3W>w%8fX{T_#cWD{J(JXy8p0S%0ph9bM>@atvLKk_;Xzr%<UAod7nq-4<Vto
z$*30M*U;x+Xb?>9xh@$p*eu9k$@O6yaulYyZl(YU7dVRHy5<BG_jOTKldiBj#UL{Y
zzR-Bz%H|?~C&joy0C4`!|4#w?zx}o8?iW48$e3(V=Zx^rJa8<o|Nki@FVOibbEH%o
z@U_6CLWHZDkT}AM;v5mC%jIPWyZg2%EZGEvEt}(o!{D`zI04Y&Yyr<xCGRyzUFm@r
znp}`|v7Js0*cM@kIrux-ZL&MIGGTqh*6CbC^j}<Op*54|G@n(&;CSBUqN|-QtLmiA
zJ=jkMW_Zsb#1QhTzthPFIce#Scgd&Sj=Fa@G#ND%5Mqi2_j}T_Ujp_9L<W$2DeD#(
zBR#XYH5v?9MBtu4n`fWM_w$1n{b@u07rI&+hx}lDR%BeZOghbj(A&XO7P7{%I)YBy
z17_BCXPNOFs{{qK5+-tNcsreTqr?0>LDzki!^+^r%V!yTOc~cvW;#u~Rh>4na)@W(
zhAU%ngu_rW4Wdee$Y{-U#bM&4koi;XbhfJ;!l0!`vr9Iv{v9xG+EorkbtzW=`1bkF
zUpi$pZ{BHOm1?&KJeF^j9y>MaeCEEWW5@PQ?muAa<gv0&yE267Ih(cN65AkZZw5b8
z*4?v-pi;iCscar3zj@#uF7H2{DxdL8^G^wm%&*|N)_upAeW$L)-re(ubro@D4{t}0
zQG<^UJ?(zR`bNr)Gmj0AhMa9`2SmHxotwC98M%K1aEW@k4jkIVQ2l-zvPI4mWs^Q7
z@?iXtExw+^$4qjXXgB-dyyydlgyN2Xrs+K@KJ)0l=-31Dv4LrW(nrGWe%d6DAP=L~
zDL7B@&$B!V=EjpsJ(BWD_jkF7E4pXmxy%a*gIG`2)3q<+5IDj4xdmYACP+$LbJ2a8
z>+HV4)?MhQ;uZ{`-%j*SI%2CJGFfB#OPVB;4OJ|_?I-{TuH9XxZRY6F&(ZEuAK}Qs
z_?VN%Yq4W`*2U9oY1R!PAhcT~Cosvao>62WT{RV&4oOb5S+Yzhq$!0~6mi&e;kvNQ
zgfhzEH<oxn`pJsg*#fYB11;Z26`^tKXMMf6V_op5tSsv|hE)w=0oEAVAIic%;O7Io
zh4tMeC#XW2Kccx$En~ls_ZKT#a>j(gW8YV$R+xa#$@E*&XFdUaMr9$j^NEX>E+_Y8
zomuD6-FwT_x%82U{Rs&^`^S&>^>uaK?|TH35}c!i<ltNK$Ct{j(w9#3VLd#SdWHHx
z;Gq3NQuu)#hm6G`sPhJOKfEG()qWY*$$nvE;FJJQBi@knmB}34&Khbg2&XYPes)i(
zEbI-(+mpoXn4LYsTa9NEp0cuJ2l(=yV=e(iq|5R2t5*^n@x0Z=wGY6jST{^g7?ra$
z3m7eMSr(P!%QR+oAHGbI2Ei!aNeQ+}i?=Y7QJ1JJ0Jut)sN-E$ruo2$eFm79=opqL
zD~2zT1(v9@d5L_#E|Dda(-u~g#n;K7uTzG3osO5RQ{R$xYRcECX~{b6!8+Aa*QrTe
zI;w#*)zPhFou-)A=`>%bUEL)AZ|ii*yiOa=m@rM$0qfL^PgSXtR568%6#w^Rb#uOs
zx8?Rpm#$w=>VrqJ_Rih9$<*QdN_t}@Bl$`$Fs~%s6PJAcziY-yXPw4Mk6SV^)En`h
zC|XF~6|>_AU+Hecu+m3X#H>a@oN+8l7&(1X0760WbH=wB6-pHLPQr15PWo4VoB{~3
zc8b(fgeRb?;3w{YQ8u5Z8d$1{AbKP{&;4j15ohV=W{#9#ijPS#UOqIYpFOi^z`EkC
zN4wSJ^fZs)PlO}%(R9efk5HFDn?$}iz!Zu^)Qg8WN4hsSNs1p>OY=GE2ve;Mv}zx0
zK<dx{>l?)#>zL1x!x+{ugw6Qxb7Y@SjUUmvr<M_4@Jx(#2uYPZ&7(WPN4M>rq;AJy
z^y?4XQMsjV$60+stUL4VIIv`_fNir%vQ-+sMJ&M*${{^c$BIq)bF-ls>tT%bN;Jk=
z@7qv4%|o?Bqy%im^L)IX=JB2`8E@<l<L#r4w;|t;4b9_S8v%ICS~L*jZBoa)A3M3S
zdcka#wRWO;Kc3|KaeFt(^V@h2myCBwDu_v*viR$2;>`Y*3+^<Krnev~bI1WJHk}1>
zt*NcdDe7eyhW1O$1V!!7`mq77y-O%+5Azl{hb>Ut<Legig}ihh(_-EN4a{3WPrts0
z53klhzqGs02`b+N(VUdJcCS{0{R+)}Yfg~zX<`ly2ix3?IxZ&b`Y;E1MhnqJ?T72|
zf*5qxA)H&Kyv*8v>=Z)Jlxlf_X*>4!8s%h{(KYUH-0qa+71Mt|JZXrbpPLK&6;WPV
zYEVIqW3D~=jGEBB&&a5_@$!&P!idCc?w_!$$svypt9y=PI66GYYYTHilgL&V*Am*%
zK@Dr0hX-Zqx&7ewLt77m(OWuU$)E`aRv&i;`nur}=)xKa-TSHV5je+cjW03FNz)e2
z^_4eK1A!L4WiQ1U>}r~)u=mLB_3_5*$<A$B4;$IF&*<pG<K>~9gwe@Y-FQb3x^LAZ
zYLRcLZg?w-M4c8da;O4T?s$cjavALFGC`&;t1o9fFdjJ?=(AhKVK_Q|NOT7y-p+ri
z&X%!&FE!{_dFfMqUzamfE<{d^PTU!5ycj#SP3y7FLovC^>2JrzOxD77V;j|1w~_hS
z*s#v-tWF4<V?H)vU#}l@M*sNE+q@B{2E@>xreg<=pS@!E+&K%6_N7|)s@6Sj#7R&3
zQ|j;KG^nMa`im}bR@L1-rj*lnjTjVl)o}Jm^vR4vZiB|o9OvnYxH0bRl)m?{V;55+
zlH(7^k3Ft>cQOog_2_S>PHKxsv`W3@`0W`=5A=N}9DDf3@ubvC$-`K=_43e3uG7aE
z{n-l+9r<$sp4X>Vc?Z)>%f>AcT29UefMs%8MB-tYbzRhFU`M07dw7JO+^?J99(UI3
z9uz%^!7ysXkQTw-aRuQStM&t{o2<9~-NAF&Zw<G-5}d|*`iyZoG&Rm{<;rC%jmt+&
zaPI8~=uv#w81mdV14;I(G%C3yDOHex0CRPK!L0tjye~Bib~MprTSy#_ZFx(pQN-p^
zrlebq7ZfjA27nZ5B<W5QjK<h%dS8;e^F8aKM;U7owx6>pU+5stX8D5dbQ(-t7MO60
zjsiLlbP-;Gk}mfY3p|3)%d)}wc>iu}lSqg@Qd^fx{%o-RPG)RMqTD+}nCv|%z}+}(
zN=$Md)jt<VHRT%OX7G58T$s+lEN>4g0Pnj|IYbLEAxb4W2>|Y!lGSIW(ruHr1rny4
z_)kRl>w^Rov7z5A&t6o2UcyhRd)?}lV(cfOu$q-cb{9?LZcBAcEtE?XYT}s`JRBuh
z;*PIhuqOPA9mwXtO0th+DmIqMz!B=5Nj1@e`Zu+^YV|IY%HZ$P=6tgFT7)hDS)P|v
zb5OFdq%8S(@Gr<0${<rSnv`vMOsQ;jj3()o%Gt#T0!BX4pRLvOO2QH~1OH}M`g4Y;
ztt5^$XIOW&s$}gAG;qvH$4b^+MUV`&rcUOXI%OAgTPPoHIU9;yMWO1pS`4zV376$k
zD=;(__1DtQWZxN*)}!Z;Ar2kWoUY2+o~&XP<QQM8jjW<x@y#ms6}3H;i`UI*%0;AI
z=V>e`+p>7{pVh5cP-*D#8z0MoD$(nV;K0hW=HAR`WJcCJ@(wF6dpQX$sS-6FORccQ
zLs|Dft6Sd9x1#ZY)4UliI8b>{?9EyRs&$C!+@bPzU803ntkOtUopm*^t|wXbN30Tz
zkj-CG1AMB%r;n)8Nhl4w8mQ|?s@{q!*>&*}(B2_dht)E$TAr*9`T``+>!u<<$^!^L
zJ(ck5v1CpuGO_x48ea5)4F__~Uw+II({<fMxz{Q8qD?eeOhzPY3PPbX7yZRibHmTe
z=T@J(WVjv}HF_h|H_02r58Sx4_|!SW`Ay*`>~>#t5?hY*sv>s@bM0l&eejquUJ*^>
zC-k20+Qm>M&MQalNlESW)7#1Ld--sL*DmJ7MSqcR&QG{((7lY^apdZ9yXy!S+H?7g
zBZseqCEPT885iBs&Z+Ni@x-RU0rH^5!}}PzhEGWj1{(0_;K0e<`m7#4$S`1T;3zwP
ztjjdktmse6jdTes*i3&<q&Y=@3OvT)W%?vpJ!32NcmE9P@U7rZx@-lTA6}Bp{YObk
z)8AEwbP)d&RQj&s%D>Pn<>{g2-xkM0EN)v-HKn{h`^lYVr(zx7eoCBio|W<oAwlR1
zv}8Q)?42>-ql;r50Vi*)iZ?+cBqg5eFQRd#HAwy2VsMDXV@i6AbUaYhUnt~jSpE5H
zsNN!|I_l3yv9N`#-da|V)ejRIz+z~vpmpl>Sjl~26aUWnGnFnF`wkaqWqPHL*|zJz
zcDskJ1py8Q&!B+Gv+dd@Rt~>ycw5{IA{v#tdNC(v-oDv8W!<gRsHnJ1>dp2q$}>cU
z?@T%x8|WKlcjlH5<?eW(o3V;xzqS)M`0faR7&yXvlCu-*PrJ6(GkEz;8|^${N6aL<
z9s}^GIsAB*?@gmNx~OU(&Qf9;Bn;)Zw%owW4^~o*iu>zhmHw`Xv&<|9vliHSrMply
z2op811bKJAF9NmwPf*EnY$>6_R1=hV?N>^?n^WR6P-2+91ai_G#uGMi(o9hxxOgzE
zvl==LSTn11_nAs}=_8(}fR<<`!Z=(-66iaeqSdk&zgB*O*Y$)~zFRGS`CIu>CVn5>
zD5>;`xzbDK9^B$z-Bm9KEA;sWrQd#vC`VN1@4x4A&F9Dviwj@C7k4Bt{X;Pb%uAPJ
z)X4C*^(Ch1)O||d5q6gb3Q31!x1TVcj~hR@&v=h1&hnb~!j<}(uzE1@OeyZkZ;sF+
z>kD+vWc#GZnk+BiCF5(7M75CEoehV}JWq7O*>>VbThq+^XOYQ?pX=_;{({B`N%pM%
z#Uj6pmU&sp7p(I5p^v#(qsZ^$Md*66{yL&B@=N~94;B(%%TeVE$yrwXXi^NQLrmX~
zfBDrA5eDsR!O)_LXp^G!PhjcvSVC7T(o++-UY^ofB`3TmSoRXCqgbh3LqZABQ93s(
zwo(aB&v~giH|X~p&rVq;r^9%+_@=ZzN1qnIJ1SNlcUGA0I~7q#`na9En-zcRTGXz&
z)Aq`VDMGZ@_<aM7wVQNeKQZk?heEvJ^q7}Qqb^d#%O7}6R0Ywna`SIWto&>J<4<SB
zC$|z_KI?j@sm!X1kJ(5)RZP;HiJCcP#FXhnurbTgH9R>SK7ZuwG0TYLtd#So&nLs`
z9=g54$A16<S!(`A<toiuLt_5vN$W52@zO2(U3{5;;Zjb{g+2`$_UqeH?vSBRxqMKJ
z=`EZVUGEEf)^FOi+mP(B-PNv@m{Lc7evfAFhPkt5&I$IH5zD?&ZvNx0H*8+tBl#wE
zyQw?*TCvdIqeb~Q*!He35z&$@(%%HDF(0lRtHjH!hj32RJ-kdk@Yj3>lO5}ubh)u+
zY-PXBK;ibg1%tmag+gP5p`e2EzoYWu=WUMMxO4NIT6;LCM1lThLUPIp|Gn<pWY=)P
zZ$nVnR>RhfoA>SBJ11zTU2KZ5YwCn;<BUCA+=h;f^ot3S6Q&FMf;TS;G|ZS2GHtTY
zmR<gKV@C>;4<4PBV5CkP)&A*x&Pcq?i=k-K>7va(-d_3x-Hv@24<CTe`wYB!lmqOp
z{`jG7QTt{0L}A9vSs_!6V>}OKU5h<*Z1>iAv$x1clZ8Ejp4-P5TXpGMrE1o|TrBC&
zibX~+>K&M2uJ^{hf(N?rZ#AQ7T{wh-%izbwH|b|TeQ->zDOVHku{C-cx<_+50$AHV
zlZK(DOxEfa8E^HzLvypK&P|(?2UPZ%Qa>B9V4AU3`s)|B9y~AmUJ|Cc4w^OChzQ6P
zJ|ddKOsEFxKqun(7(8r!_H*w}{YK7=xwcI{P9E?AnCm7i6%Wpwx@Dq~S+{|pB+9zf
z#;1qeI({PJ=mEPGqAq7dSi;nE#<#$;M`T4;R*|Ye;}Xn9LHV_xEy4R*IU0$N<{|*k
zglT)uTs`(IYxlO0X<Ou}td=lgieJz)ydf{}&iZt#&utoai+;|sNxAp=DgDKJE_v%S
zQ#VAMmc7plfgYpgxpJ1{mpf3gIa6I&LN}%M*)_p;TMz6%V*K2wD_hX-{^<7{wcoR*
zZt*fQ%TD~RLKoVdaJraqA~G&Q?f2+)ho+o1et7i^&|clZ*_Ocr!en&X9)W_VQo~x*
z0iP_Qb$Xw`T?yxp{E@L|)4XY$Wj|I<@bvZ%@`u<2rOvQy(q~&9QifPPwY@Ixp<x14
zYyOBSdR^R&Kk~C%h+9c7Jj-q??xfB_59D>`4{7|5?(p>JEHv);5KOjSXwmVmcrRPe
zOOvFg;FWfXsfkHDNg5JN_L3!>#`>AG%VE9xI*(h2IRmhKjig;C`AJ%Cnd|<PD!!To
z)|ZAqMJVNpH1idED{2e)mxrZKR!t>sJc><yPcDJ{`w6Q!i~A0-Wt4E3xica7jnX^t
zoTT-7XF`A)YpaFen1yAp6o)|mC$*Hc?{?Av7&`Wlv@Vi1+tfnRt~VWGEuKFPP#j;w
zQtD?4=P2rD?&@0&zYdyG>eS^&4^w-?e)gwf-P%A8$QJ1153XGwE(bgk7S9R{on{;|
zdP|C*Oq#uS-%xD>b*%QD)n;|8*Jci^&fPjB`P(&$z0-$&F>3vG65yWD@m^4zbda>|
zDZ+#Z*Rc{;{;des*D-1Bp+0kXWeGDBYpV?0pH?Ow&Iby?QdSKlZJlLbl;(k!p~_VC
zDb*xW2PGVI2Bv|_XAcY>K64=6TV`d<IW;?@3oYmIF16G_ve{l#AFpE_A^G%$RglDN
zFg>tqu(oPu(l%Z8iXOkRJgQW;`rV}E%XL3>l*Io%m1>WFsruO_rUn$u^DZGY-)VXU
z;DD;!^3CoNkInb4E8a2gp(Kp_E$_gx&8n(2_GS$vyvVj$sstAsVaTT7gM#)iW+C-*
z7EfjNS9Ho&=`w;MwKM6I-N?9*^d`xYj2SP_TWyst=$9br8roiY&EC|OO`+ck_rMCP
z6IDX)Uo#L^3VrLHX-T1v(cu1ceQWGBvPo}ZnsOG-2T_OhpB|1)snbM2zrQ8N-_bXD
zF?Q6eRwb!NQ!N!a8{bbk>%r^$C7mO_yr5Sm9r46iX#xGZO8VM7=EB^AsuG`(3;%IY
zyK(tq6VrBb)1Mm;OE;-=vM`G69ER$6I-XYC^z}*Cc{FrGlCZwIIfH7SvZO`4WrV-c
zpIe)}GtH1RE~3FoyO80+$<Q71rW<C=S}=XFT^y^%zsO4e<6FnJN?GT>bqTY{=Va#<
zU64APb1|DiZNpNAzBcNL|4J%d1tq=jQFA_bHy&FlZK;cCe#qR#vy9UNH%A;jm~?8R
zjIblvL`IQyFAnFY{|M;>>Mq7Ioe&{T3~(LgXpU0IW+=1tTh44w-;##dOk15c58Uds
zZBPXSA=WNLSPg_X#*QKTWqAj4c2Exq%THGUTe}TPsASqiar!;Udrt37wO%Re{$#UY
ztHAu>zKA$D7pR;-O+ja0<}rT}g-z5mm-PhN?4-QnY8u_iWbB;z%Wh>PpSw=gZ`ts-
zg|=T>f~EYkz?MdfR5m}U@VaZ9gKA+{d|_+k$z;QO`vc6{4*Iq?qC==K=8gs*b=Fh$
ztD37Zfulxydv}q0u{rt-DwWJiox82k{h1v%b?D%+KAjQGf%VM(428sPvdz73a;BJ`
zYHLOCnfrHZfBv&ISlBZ!J=yYBX1R{>p2}O9rbks8T~T)2v{6IHPV0<V4+tr;-BB9C
z=A_Wj0LAGwr;Stz9*FK_BkfMjSd+5nXhOxl*932G&l#hP%?4ir6)1J#N^X2)kZ+`X
z@wyN@!7-|bk=0;7*MO3~d43}*J6m>dBgFhjY-cJt_U6B-!dWx@Wi5+JBi5!$k<XT-
z^-|v3o79vHs29+ci&V9rDOCB?2?igWT3<W+on8kiOYKd|5fYPU+&Ar{N{9ud^Is$B
ziWAv+oQUOo_RN`pj`2Ze0Wx3KXS*GxOcST}G!isM{m}tiW}SqC<tOdsL}s0I4L?bX
zL%&V}MY(UPV|K{_k+}=1vJTtoKEgbJq>!^I9{XaQbUBN6uE`ZEZxi*s{2e)Y9Xz3a
zyKh=TRUuzFBkx8hQ(N>qTDosqL6v}Ki^TpaEkPHcG5OVW{V}hkCZ{Ir5YFthbU&L%
z$?2J``;7GUD#3f}KIKwpV{aGNri*3W>+D6s(N$Zw?K0{<-{T{(N%xbU{fh$qko*G$
zQd5tn^1l0JquFPmK}Z7)0xr&dQyWf&3N3hgtfc!ALe?f-QOE)l|5-sYj|1~&9!ik6
ziBF&I&r2#zQqO$lXnxnEKenR(AR6g(|4or6jwdCpl2<uM#o@F{^qB58+L6Zc`?q9H
z39%>b;ZD+?6KmFJmh{8TJB#n60zf|UEn~inSqpV16-cMEY}B+mS9HZqr6tN60ONoT
z74OCe*igunvZ?B(Pr6r4CEb6P@NE@Jl5{+ue*J^$z2f;)CwIvwT}o4_E}N>?{ih+m
zR5z!&rQUph7Dx}WdC^rAH}I40PgGUFY8GjDFH^Bn$Z^Z2;h!9`bzdx+O4pUwxLZPS
zLA|!X4fVz19?FFVo_nUY=KQATCtV)FG9>%jzQadlTELuJzpbj7J8SAfZ)26A*Pzta
zT)gr^*1bD%U`}9!d@)N1+8VNbr(y55P5alcS-NDM-L5}`wKHd|_A+*I9Wel*8y7EM
zw0yCh?)i$KSu184!HfQagDLCs;5u*Jkm}q0z`L|kj}zFJ3w+PVzX51O2~QJCm10-n
zPjy$uvpKh^r<vj5PEez-asSRgH}m`@`kgp%v>t1|jYr}Lpund$(jCcU^9dVv0?Iv%
zP;B*gin(`FAfnm9%TTesDeB&&chTq`-iN)t?oB&3;rnlm1HzpTX61lLc!MT%<>vUD
zwW5`hcoWC<`(Ft-v-~e=b=I6+laGR@<X{~}^Vq%c!I$`ly65zpdT1VE4W1){FABZ5
zqSmP^7>V<&)>As$Tu%!eXP$tMY_9Woy$2*5S)TH=q@_^M1@#k`%=;!p>HSdBPB`4W
zc%<GVZ@>!jfL=Vh;sG<Cz>cUlU;rR-b-ZP4{?%$Txtwlr&~<ZP(|;fxC9EVycusOw
zcexj$I-+WRTCH-ySkiA;f`*cp+8|Qn!I&U*y1H;)w4EdHmXjuP^NWQbez|`QMu5hD
z@S-RAG$I9_)IYPIX-XZG|J!0F)K<D})D;Njw2=MG<4(r#xRc<ir8LgTqOHrhU}baF
z_SFh(p;xcUGhRRxYAMlSJP>fDIlRV9_yqMX2D$sdD}6~l)E<7#Lj(oTQ=Y9LyX}im
zKts{S|5OGUhtL5!ZvMUlABXyV+>Zl!1|D)B{i?rs7{LYU#VdxWV;buA%KZv6brxW$
zWR2)q)f|QIY&V_@?Ikeb6FF_Rd{l6os@~~=t%7xar!sk9&+k&Ddpu3;sEb77@d^H!
zhfPSH($ljxj|yq>7adF@C7t&;NUn2WpVS;X1G#($J}T^zO`cyGWb1~8@G=uZP-sgC
zFLm+~jA$G{6r4h^A-9CwgEt@M^@fSpX`Q>}3j*5mPww+io~xheFwY2V+mN@-H|C?l
zM5-G3Md!@RO+m5ks95Jp(=dccOt@NC5>-0*MR$-FIff$Fc-!VP9mywEEi)CcYCn{@
z!mEjT$fuXfC7Xf%r~a6u1l!{W2yY9C*(-Z-cW0YYNr67;l{5sG>%HoTWO_?k#+mWk
z7}cwLD1IK2OmE2xcjqJ&`Gg|yGFevxIS;atF`we*@p~ERFIhDuVwTzz`&rqy!jx?~
zi>CT1t1zK^p)r!KQYAn*TU9qLXJ@c4(3cLGNTy1Ufk2Jq@qh$ujn7C-Zz0uJ7W|X_
z{xSWB+fPl#?blo45?7sUU2%02zTE(Nc5Y4bt~5g;*x^-nA;W}|OTM$i7&=*~7bHFm
z!VNhaqj(ddeu`W2wFSQ=KU?6I#Lo&6?|+4}KMuh>gBR6X@-Uupt@3c432+32pHdng
zwQ7I<Ob&MfFL)-(=dL&(9@<}sa&y`?z-SieI)?W>>?}L>O!7FLDR><_JuB15DpMrl
z)t|Zg`0#<?>AUTiC;MFpiC7eK!~id@{(6ten|AxlG?9K6*88sU!sDmt)TIUV?0uKv
ze#R_<q+8JwTcuPUNHjt&<gz|se5d5GzeU!Dm2S;?gA*<d$7Ff&bA6Q|XJAGyrJemE
zN3d6-)>Xp))E(mbb;t0<!KA8-)AKE^h;PGs?tNoKlC1l4BCclU@TnTrwR>H<)$lAx
zE#Jjlt6|;S$X{2KZ?i7gX0RSdRrf6ZtFF5tsO+A_|6ZH!l|@>~_T*RbD_q5VVS1Nr
zEYw`^Ulo5sy#@bAwZ-QBc$kxS{VSr^n9j40@um&|{*R9m7@h;W<5G9ag-I74Q1yRG
z=B=Jrr<x1wynLs)jRFtki+6<oaVD_gPG|A?oOWfp`M@a4OY0PHHwC-@`!M+xmEp|O
zOO<*0m$bi*&e}_An#z^#q^jFt2KuT4IHFy2r;|y|GV|GH^?*Cwv^V)dLii&o8+wEL
zrnk9E@x@;qq#ng9R36FCOfh+01dqR5N;ivFx372(j_J2d&fE=$9OiB=5)^_mvn*H{
zdJSU#R|wTosl6ZQ5~hyV<;r6$m(u;&0p1|R!@)(VR)>FbtHb}+SSUHAxh+Y*Y=q}C
z3TgrR?d(6b8mxwTh4PQn{*^U~b9U{y7}V)$&j4lAbLuW#%U!ODjEES7C_ZF@3FrO7
z4HqsyGUPc%cZjeXuuE{>?!7hI5F5GkL~=ra&tbdt+rq)I1ESj)nWkO8hV3r8-Iyw8
zP7{vJiVku&czF9cIXdl$bGCDA4;^gc_)MSc3*FmPh>_ZJE)+z7x0;h1#F;Cz9;Q9#
zLW>)sK!hosenWN`Rb7ev0&~7j+041v_6Uq#^7&?}wCczFt!yk7L8<Xw#gqS|qDPr#
z3vJJd;OFg5_y#BgpW8eJo3@UALJ-W_AVa0jXXV@<oX~i;{O-N*WNMd8W?^KF+c#ss
z$OwJ;5M?iGp2R2KN{RCK-fma3+PZ;)Zrl4ghbFrj#`*cV`AiPm=Z(migL)x(a?Ba;
z8^#jN(lux>%(|seYH4q>=QBTstDJ0j@_=02^1b0tw1=umyTCa#dR5%9K0#$|&)J`n
zQar46hRNfvI%-5~dvHKJ!$IY_taUFlObBNES4E88p0h#UwOOr;0T~Jf7x`pR-4Y!a
zTEk#`=$8xtPSpL{9;-Wrd$SIqGVmz=hYD<yk^?T_A4x%6GC>lUwI6h4cwppWF4A-U
znE3~VOD(d|OsT5by88_zUH(mo2e>cq|0v7d`7X=lgG5<@oq{@0>WfPh-toFm`0fp}
zP(A|~0<D$K{;{>{To6Grc*=12VqO`A4+<JczjIlrgjyi?52(11zXUq2<tR{u8Vi3{
z@}cWO=8x6=QY5SZqY1wEht$6OtRV44;i+`gGN|xN;ZSoeyjObN7uo{PkfO=c{U=Y}
zH9bo9pr(3?OJ{M=w*cB|vff7>RN)WbVody7as$IqTYt)nzoI~ar7Or_2fr4N%J|^}
zba{Bu9BOYm!hksZ?-tR{B-{V7m87CjT5PHg_h&cGVe(QDI6SYFK7o9Mhp1AVs^a`z
zJvJC5xn!c*g2y||6FE-F!+~sViZBy<e1_b;kKvW`8{K2x`lvW^mmbFf_6CGL3F_Ju
zO=Wk_-mqZm?S80GrWDxMCuvx_yS+%a&`wu8J#g%Vfo8Rq))x`ZP3kW4HL3e6foe)W
zw7-vEP^mbT#)ns_i%iP_E|2hh1tVCB$Q$7;*nMrGOHNNR+I{UVujya=FYT@FzQw<)
zyB~u3?pypX73%UWzHV8If9zR{A2uy6)`XHt#q5~p^#4cab;TvC@GsRdz2_YGzY}kQ
zJ4Yf;pQ>k0<a*}2eI?k?LMTKA4v`HUMuDqxl4m_cRsa|Leo#W+P=14a`9s2S<u}Mi
zNZ@C>L{nWuX@~R76M2n5YneyZ!MKuNHsed7)H7GfIdlj?RatouW1jWloKhDuq>WiH
zgt=BF;Jkg!0vHD59NvygrVVdr5JbvmrX7mOEKVYa3l!1WcsxIyt-FQ#o|COojgyWN
ziS{4*a~cJ%Su!Vq(wdd(R8I-FH<=T;&;vqS6}onssO;`!YRW}4u7JlBRZ>&g5%j64
zDtaN^26eCpT>APQtokjsoU73Mm(hS0xzsMV1+@dRPak+1Z+pZ;`Az=#Km%~|R4|Y>
z_2O6=xh>Cus1L2=Gl1{h(%d{UqyIopZwFbMAZ-tR-8Vq#^IC=J@xxTcD3;jen)7+E
zR~**z4l6ZixbGO)w2w|_0;FbW3}O^3O>*Rky|KnC$DCnAQ`5_HLeRVwt3zbJW<to;
zn8kp#S<0Hfe8#2iG*!;0#eX@#!0+hY&$0q9|KequL31a&2F+QuYOY;?y|8fmzD0+O
z+DO(sPjMzZ+i=;=O0j0m^`ByIy^xiyRhW}z4y5)%c&cR1zrE-jjQ`=1Le1DtVWsF2
zGSxFUc*V*PyTF#h;%&PY#TeCB3_LpFNlEGW8jnLAY1V7@PSj3=u$}+JGFq8t6>Y0b
zyCyORWt6J<b|@YtP}%+Zi@+@<dsLgk>@Tz4g86OgA8Y)B8V9-n{saX%0_rQO$VCY;
zjoN`lw*o9vASOJQwG(sjtO~i}BeyEA_C|dhs>|)lKh>bRFb{1$Gz(PM`t;?;xu<(W
zVE$=n_ZE2UhSH<tS?h<#tXddRvqHT8_*#Wxy>HO6t?3(2Z%>D1<#xx7L$^BKWXmd0
z8F(IXjlN0zE_d_iu1=6RY)&agmP31WA5PgS#=K%9e2mVMNl$xo*<NuNmC-9d=N11f
zg73xK7}=ZFW9R14n`f5scp-|nRjTK)EgVp(2dhb~0hRTvxLjWj9^nLI{!zle->-f=
z)LPP<dO|DAcm%(F23G~^;ij}ze=qgu{WW%Mg{Iw_Ve$72N-5j+!`#{d_G^Xa{-RX(
z_6EGh9@Kx%0&-Q@tJ|bEkZt{2tmZnqtJQjHSj`3XJ2P7Y)4%FOHRs#med`HWjP6fq
zeIRfZOMUtBg}1Zc_6wdg$hhv|C8~xBa6^>UG@9VqeW4w#ufo=Ay04vZ=!JpGBEuG7
zFc15Xae<vSiNZ{}X9>1YXia^H$fFbj?!FC8eO`AZH;lz=CSRz3YP9|r3Pr9v@ere2
zg~(S`QtWW14w)$XA5WU#hT5z$DFx=d2WTHcp|$Qg`fx|>!*kw;S6}<^9DOK~8>1fe
zrPX7Z`fBmZE3T*N4MTFgSU5vqe4dEs15N!HCdqB!8@T>e@lSZEDDI7ii5r@maWjSw
zoiG*e9{<Cc*|zL8<-W4n0U>c2S;I*L9HK4!vB&{t#PpCkyn|zwD6u=@%$oCt1~$U;
zvaj>B5Nn?fKy(-^&<Lfwe$(YOhc{iehDSp#a~Jm<-I2EWhPC-<Q5yUaFT>3286jli
z<sE>Oc}9o|a*F_4`Yaw>xD!rS<J)A)vjL1)>E^(IdP$)mQ)Tiq3NE=OI&L<@>=}4q
z<#VPX9fe^T*QehBMOmhVTLRH%vef~THWK8hH!}k7qw>3vG}-f=ZlDroTZL1Uu-mK8
z!6RrO%tq`%QMfnlY9+i7M5q7!4vU6xVgvPbQ`#wTONlYeJz1|?Lcbi%yuDhkE$VuX
zSvu3p*{Iv;JTv<EQl2uV)9R!B`Ezfgq+J_K7VY5Y#5rU{0tMn8?E$JjhvRdAJ~o_X
zX=c<6tmR*u=bV>x!vi?j!lJF=OZOOmIK2P$>izw6{`j)~@5kef5|BhZ0Kg{!fDdL%
zu?x5ES^{6~7hwT+b7)r1O+fG!Qu()3zR*fpMcecaBR$%M+R-e{{m_#h4hB|ed*|fg
z`>X8OEVxdMJbcGM<yoZuEg+9-u6cHu${R@E^b)JN#_ndFE;xycn)YFO11tZmH`QFk
zPh!Nf*C4*oT=yqy75_s8;IrYIW+UG;*2NuJe_-U5H!Z*+aL=OvGXP&7t`p&!Yb;v>
za1pb4J%I@SsRHo*g4A^qp0*dO$u>yll@}DXr6?0}io-c5!Antl30{}>4`01jfpzdq
zY6Y|%6_lV{KJ7R4fU^5gJs$1enmyH%eLCd=p_l#uD??Uy(F5fKmrbC>F7_-A*Hb6F
zGrq!i1L>}GQj<*wB~M<sFRH~Ub1KPghukbR*D?4tRm&wEnpeY?PEw-vT?S5b9xb2m
zD(sJp-JWE;b;6}JzzIgRz#*+RZ^*a~MrY6Mk(1@V-Gp&*7be~|!t2F42QM<6nZ+w+
z2P2sc{LbdD1(JGgD-%_$f>@k~n(sehhz_;h0V40WChb|J8FEdIRp5eI#@$U*-*K#h
zT3cQ;C!_KA*ZOuNu0ru8q+GavKcydZy~2o|?PQoJ1kjKN)a<!sDty8?WQO9RgzJHy
z%YJS&o|SEvIQ%Mr^=dJ96|JBg4H0fKz!r(HLENkF<Pmu~JudvFoW)>F_QOlx|L~G`
zG$gNoz@7jKxkn<z$5!YfR!G-@7MZRb@fi%<ykQdqycf({xdQyU%gkmRH*d?%r8|vz
z*OTz7{!6{&Dii&eF7}fZt?A!4J#_)5-oS73f0A#f^kDtX%)O_Q<!_Iwt%sg?1qcG?
zTsBI~*^+krw(<CZA0Ah`^T$=GJ}hebkkFKyM*g?<<HvjYzi)yg$_pUt;Xl7h#W1(W
zZvKar3XKDGsQ1DlfYv>HjVT~ZK_d{@9iR~}IhdXUwbI~iI}v)BpPD2x8yQd!?4<aW
zV(j1)qXVZHJIoXVIC{-KV<*RH?qYWmeDz8HzS~0@%#YwOwRS5rg5Fg4rB9_+@YLqD
zb2x#Y8YjZxV+0xim3zco*f73xG)l+fE*wt4{wPjIIyQ&8T$bu`wc~uwBGc7qTpbMB
zUovUvw~k4yoVqS{SeHbJ#$qKRmle(bN{X2i;1+441TefiW-vU!mUH5C(oCGl0%5wk
zOMBI$ja%$*i~1oJg@0Q#Q1S4ZimQP(@D`5hKpSYpA9Fgg5h?+hyX-MFc=+I+C5)=9
zL9TJ<+uCx#gtGYwxbcK0$1#7y9?*b$Y(O5fZc?rNXMXUn>Z!po&E2>Fr@>>UcagOz
zQuAd6boUF;X9L660S#{>tXbRGQZ-R`jx3d*h3K$NyY?E_ul{`ruxFR=!hLma&Fr}=
ze2g7ECe-kgJz1IAgF;;Abg#IW8{(wRK5MPp3tJqH-^Fd5zA>aK^gum854087B2n84
zQ|o)4YP~K2#`6U*9()4HmrUm|x3yFbmW6W9YXr5%om~C}3FzhCwd(Z=Gq_T^=S3!3
zVcMYlD%oqQP_L68gt#5sH|{sCTlf1?K=)ncm+NzWx!&QI>+^UM^Ct`Pzrg+V{e|PW
zYT;?VvKK#;3(Xhqu)=NTD|b6A?N*p{?Kc7-;OX`YX}JdV>g50d9SB$Nc3izW=OG=F
z+*AF}0?2MR@8L@-&3ni<-)5ZbtI8Pg4e!A&{3-!<?icEd?p%B?#O>L#ey=fX-O{CN
zcqcz0bydjhl|jb-;{&?5%AMG+LQfHWb}J!d{#RjVjSe3Zwa+kX{;-{X-Qdf@KpO%b
z0`~wCZ%zJJMXHBFoEh#72R+@b3z!bHv=7svwsbihE!|obG7BvY827cMUYyBuQ||>0
za28*4zbh9$0=%fImy9w8mkii+7dGKLX~pyERNOfaMC}kvVOW=deF4gV*Zie9s}PTQ
z^ZDG3-bgK>jXNEdv?umx-)j~AzZrILbziM}O$&YDTL8xLt1yf|Fm(G2O2@4Txz!3%
z3*d>EJ%(;inv7Z^B;9lYfgPQgcJ{d09<$xKW!TZ#hlAprNLztvQGlfj3sum#QReGa
zfkT)T{$t)lO*OTk*sVny1r#1$W8Sp6Q|C@XC9`AZ?hD@I^sxfdfem15;m*Gcpm9Kz
z+8D8E|K@1OB3ryR`)>BhWR@H>ZY3tsir?%u95)U(J4Zh#Q2LfMqhbnm#4XPzY1A3y
zoWSxt>c`(RQ5^3wqxc16zQh)ZtG4f2dC++K(9}*cf+h)6TSJxGr7+tGeoGenVUoVf
zO<*nK!SFf1+ej80-|6x!IEQ(~f}aBX=8@+t_&Lb40GFwI5po9Bx7}fCb^5$zHV1y&
zDscp67&gJc1c+~Skp}w+T_HCy=`JNmkqUs?;GYu5Hqd0<&I2ahY4+(he@Nq2g#Y#S
z7Ft6};dD<$ck?LzNkw-9R2wIKiDuHLi}zH%K#TbQ!nTDdpI4ZEho@?VJ2nxYJ@Y>1
zfa9GItiOJC*Wn~N+51Fb!u*Km6{f72w9#Y7@iWmG;g_tdiE~EyyLfxJM7hRJjI%y}
zBs2c1;l{|5ZQx+mbWoqpo}0(*c843m;7KFgx*FPC>4r$1y1V{LL;c~s`=X;Z2TmR5
z>E}AlZqDBMdv?R~;}E;AA3iQ3DRRf|{k!BtV-m(DPq3an)n}fMQ9F*Sy7}|e5PmOg
z155I2ZUHRpJGS@$yW3w|)Pg}|$K0y8Zt_YyjXe$XPUEqpGiRVj0M^ggp-vEb2ZBJt
zV$u?u7gf}^1q5Gsb8-CiadQUFgCDbnMq3NJ>0_QHAYe;b#n~!0uYpbBHE!vWDRM#n
z%lv%9o359cRi^<yL!9g`^cNxy#O_Nno{jV#+Ock9){xoC+9nVu>OLSD?f|u@#cUGm
z17PGC`JlUE{@FLO?nBn_<2|?8LB4yLxhFO*&G4c_DieD+P8~ba?p${v3QhsXjHe=}
zVcI^pPMFLr?b`ARY!6KyImX@BsjutaC{KB4SHbn@^~sNo+TPgC<#TEL2TMBk1?Z8G
zL(AXD?MfF}C6W2D>q2{4tzlJi@qkrvM^xD6?NJq1iobg;9W}{NPouRDc?RR7{8yF_
z^Kla{0bUE{#V<rpR&TE0sF!Yas`k`ri{|;uVX#3bpI7WE3~#rco+Ru%7{1|%@m##;
zkilao4saY35iwC7-UX0XnUerQ-Z%I$Ip7uHg=KmH4Jojqy}|lVxmU=NN_R`G=RC}R
z0-X3OtT~sEWjq`^D`2ObnI*({42$SugzL7IJ#3@<yzfAwy!^3#sM~=j!E)UGxUDh9
zw1ZwwPUF2?v64SyCAsDwUdvWwz(N8bXv~g}_`4Ro^~=?#b?|#&CQl~JW8JN_J%jHn
z74O@md;}bL)7Nc3V?tMAMan$9kb8Y}oYQ_8%W?O}-njTQ!yi4;nPsgGLz+4ra!>TO
zTY|}V@*UyU)6gmxh_~3ihv|~O&(2YMlMKhBcO6fS@*d+oYqGZ=949BUApIccs1xx~
zkul-&ec#goBMhU*O>?r-_6UAX(tYau*fQx0IbuTQ<5hR)r2QG^jzk?xji20Xqdb19
z+e|MYr^oBTPLz5=qp45LdrYX&vIqR+t!@r`lW=lpY>do)TQu0EhjF~e_MOw^0X>9?
zhfe$4f=k(IxS=Rz163c!Ob`e!y)Nr6Osgladch5NS2hxKxoO1%RJ#qp;3;KGJQ}m!
zL(voZ0tiR5X|n3hIGLBEqpCY2Dy3|*XUk%kL#m#Q`VZpV9ICONelp~AO{~*(u+KPG
zyVPF7frHUo;*3dqr%iHTmHl?qm%lqedOf9Vw3kLuE2;jEUiuqp5l0i{p_hdz6TO1Q
z8=a@_iMc~n_Re?(@5fCoS@n6$+R);<%RANgv61Tg2xNe-zK@i}eIJo9-Nb)>^L?ZY
zC_vAWj(ajH!CV>2oge8McWta_&V=_P^3Cp#tRf190@?PPgX2<~kz;v`=EHw*hMwl<
zu=(&}sYi3*o=7=JoTI0lY?cGz@K-faDNqxYg6!e~)!(Ij(drV%zVfPL-xp8dEtD}(
znL||e&KI*=pE#0fSxp10d6H=#F;R8v<KLCI^_7QPpLi13Yc&m2b0le7k*K=$RXGG#
z(lQ2C#*>wGsKURhaZz~$|C$=`{J{_Ig`=hvnQCz7pV6upPVpnv$L78C&6}@Ai8J5U
z6ghtN!Q+N2fd@u!;Ldy-!Vg?IzW89gA!XCnug-i^8py-KrZ~fyZ_*4;IP-Z<be=zD
zxS@WWH+SZHFMadkL#=S)i+m-Yntvb(r2OEHL*JeF4#gye9Y{6gk2~<yiEs7@*=_N}
zF@|1n;tSzUd?A5TdW~5<(akVo?rgIY-!SDT8gEj58i>Uk2H|^?r0AFN--@1G@moI}
z>M>qOL|A%f2|xX5F;8DzlJ0?z+o~V@M0WVyA7zRL(Pk6MtS?E|AicLqt;QrNxdSA2
zmCn!>6P-C={t4*QGf7f0Ak+y8(=z&7k`{mH>A8uvoI-_cC_2f8s-1+~xJhEY)lPyf
zbj5FTCs7FMh@rfb&Co|At9?YW2fkJNh~IYj&HG43^buv$J|bO%blyk&G)X&o7ugPU
zk?r7J#Lr}j?ciMmuJ|Mq8)WVx+J6pEV&27I^f1`mK^RI)wjq3emZ5vL>I?>>Z^684
zuh2DHwPV5PSFqZxVDu_j?bLO2%2w?Xz_d)kyhFk054rLVwM2hf^6s=mZ(8!sEI?lt
zn7gu!_oOWE39Y_LF;^`QJffP2E+eRGkcKYNHg(Q`=H)7p$h$|Y(JNZbyG0EBg7!%5
z8Ly%G=}WgQX=$!iF0TM3?M$?q_fffrKBA=BOQdU%&ijd<SX>WvaeMN`?WrzqPxO^~
z^3GBidP`yE?xGi1+$yJ}DCv~xsRX#W#g}Q&CCep>jTO~Wiu9WjH=o#$Y`sF<<h*(0
zMwiVaDpW>X0J!7kiZJvM0Bs)41mT&;swiCnO|E6_6#XTtkWS(yo6~R+emL+CUBPK=
zLcDyxx)uNA+{Bo^8|4*XRZnf+ee|f|e$V|)>{xYZ_Pc{?NYk9zKg(mhpTDC#6pKq0
zz{g$`FGdHB89iw_kRAZZS>^_vyJZ;#Q{0)@q3KDxjvbbrQv}~>KC{OgySk*mdYO`*
z6}@L}z-~F|ln~|Xve(JTN;hiGs<3KL+LIM3sjcX*(y6PK=wGWRG)JPcBK`L8Hb+fp
zbDbGwU~c6UTk7dlv?k|-Ta~J#oLk{5cSWB?WwJh9=ilL@{aM(9WvFo$Yy64&US~To
z_~}aeb+Rrgkwaan>2(B?v8I04*)C+)MDM>`qu*|#|Kyl$MGG*5jMP2*0iigQHR^HS
zUK0}Rzi^tdg-gb(m#5Ni$M2pKuuD!pEksNiyRW|ydZU&I+f*&D9dHZb#HZZ2$ve}5
z_a_I|PaT+Jj?%Ryf;x4ejx9xPaT!IgbT#*vXP^sn(FIEyi5*!3ZNENx<$+Aetyr9<
zUqHY(U;oX~v+M?q6-GuJn+h;q*5-%rfp4368-XlF3ok@KsBZ)R(N1V6;t^($u!IKj
z%4cDUN@izU7EG=FMq*E1MX{-ndKB86zDo=4>o)Q2a2GKL;umHtIRgKy!*vDSjN8mn
zI4s^G$JjRj?F=2iaG;xk4Y;p#ZKUbM+<e*!OGKXs?Z}Ng{lPI=&yj*GPv4_%_b~W-
z)KfgM_;hHp-AXaB5dg44geOYZ_N<#Ya`m89E_O>q*OyFB!Gb+L*6=-)uC9SMwow4)
zfiw>u!)H)#3&2jMY1^7rW|bc_CyjigbkDJw`7e*1yL#pLpoR^`^yd&k9hBHBaDLz;
zZTN>e^^LBHFYhG2ec$<DeVNtAX7+%0M5ZP)de(^Hlc(~HtD!wt75kf(k&np-jruEt
z^r-nYulXu!t~aKCPZ{2FUG&lW)~wwk2W1MObAy%y8r|GC#stbwccwp}pA96p`QE{D
z7hC7gvg;FZ!Q~lNs<o1Qg$!z+YClr@)cTV6oV6D6#p=L@KNWs3{*vKMm*_@ztRDL3
ztS3W;COvA_Xy?h(9ML})rOZvrxNdno7ZG=?s4phveR@WA`jm)4d*p%p1dlCVo1zU7
zyLJG)G-!H+-SJf6pvQ=v!;SX+oVxdm_c{?MpPwomnH3S@WtcpD`e--T?FS~?jT|hD
zJ$`OFkYSl~QSfz3s*1X+V)=7mNMG(cd(sWNO3QS7Q>H$mP7lD5qvg*R&QWz3lDB2Q
zYZ`e@9zJwp)C)WMy%k%aVbwDSktG;{v5NiyUhlvXS3rI5MZ{O=Dzw1cgXi2)^Tx~>
zS#hZtbaLMDxhDpYXN9H+P@?D`5+VXwu2(i&y}>6R!FTwqi&-7BHoD>pagEoSNoyyi
zGM@^c#XnF}ThW6}T<EgMdEsc(G%tC6^1OthG_gV#aX6b8;<C_r-sp-;#D&R=5*H+S
zBAq+@I;*E;9euJ|hx(t1C*J-)ti1<Z6v@^$&M@>0PV1=5j^d0nO<LVGr#0)E6D9-{
zBS8U?oIynpRB%-g6DD#-#4H&xA)taepn|$)7uR*wnz@D7|I>r+_1^E^_r2fm`~R?=
z>6+^5>grRcPF0=rJiF3%r6gpb_}xCcf_4Rz|7eW9(;m(<hQy5-Aadvz85|iL;f<2k
zWJe@NCNFtr+=pLEb7rJ8R971L4lVYbuEhpIOOZ@wkZ6hNniXq2v4XHs6qX;J8<xN1
zgK>Wm=|VGcnG>(3imwVX5a*wP>&T@m)LDdBn9EE#Ed;Qsm@cK47-^n_90#B&TKmRj
ztR}o!cxjlM`$~TwF7`A-*r6@X7scE15q;~EnID#`Tv<nEs_0JQsmelN%}iWXQIM3B
z#<^88YgUCscqkXRov5ikbh0#UUsTwB?#O9oU#MH+0_9IXPdA~0x*5+QVzY2{?n9!4
z?ir2(4&@}KrE{^OZ7Z01jq^~-h~jLS6n~#R%axNRP47mTQ<hC!YMp$6|Dl`J`G=3B
zq(p_Ja<rS+KPV(35E6xsOM+Eoj;7rX34NzkT>SNtpr%n+gNJS;doEtI%o82no1D2P
zAtq*rdfx?R+sfcLKjm=uIg>aa@sb#3W)b}I-N}a2cQ2JxBIbO-Iit)gv+ho;BL+9z
z?#bSd!HUENOb_cTE}e5qAHm7~h_DhZTeBl^cl`Dp+qm`n_H5j(yn62F4N$K{?&8kX
zVD1sWI&@2jQuZ!l!VIU;&M6*gtGQ?~E({J^73i<<O<1{~Hvkb#;kj~Eptk}yu{!T_
zR}Grrcv3ER4@f(5EG^|gZhFvCXa4|C1UHS@PNU`XJ@#eq*|B@?E-re{{!P1;Cq;*n
z)&=@351fx?wIN=rH023$RORCD>!;pY%fCLcv_+xa`rPQqAAK5Sl~1%=$u@~B#j&M5
zn&$3Mj0~O0#><-d&y9}p8LniIjq--<%Ih3?F_iu$c8Lo04v*RryH34oI<sN#o|sIf
z?BQk2J`^IQZjei7K}jQ_s>b`G;?s@rReUC*GVBi;5+&3#6;X30njGS9gPvW7yh4I6
z@|1+wxLsUC4Uj`)HbnyzeOnTz=`gf~70*g`zMz(F)^@$h7c6QbB3<z$P?VXOl#rx6
zy32P7M{Sx&pg1!l`5y_5#9n;Y<J5S2Hy;l#^^sMc$xD>>p8npx9QtM<);gsCkMmNc
zE03djT>ZU$FcL%+GE+s;UwQE_A+hqtW>NGdCLkkkO^))fp5W>l9N@>7QGmRpJM2zK
z|13?rdg53w_#(rx{KXmvOHtGcj7?d7UVGe>6DC=jnp9do%*)@KmdZt2Gcz9X@>_rT
zV8P*()Tq!DEVPLOgF+&C`Msz$z9}eaLOV8*d7{$f+<jTfgxxV4cW`^JGjWk?Vndb7
z-Gl6Xxs9TzbGm2A)wHW2o;8B}yN!2wJdSqq`=y0d7Z#*A?Bka2aoe7uNZh+8Co3gl
zWxD!k1(V|KiY_>Iv4f3Gso%+!+@Y|8YyA|#D_6UFc<oO0P`k`!{PIgficpuEns%3n
z{UyN#XqyozH#<E(K8ag(f!Podu`xpFwJPZdN4h<@H0;-j;<W?k$1pRB(G$nzEVv6*
zj2?JZP}oG;;ywR>iwm*fm4TkU!-2UBX+s>Mk6&PTfYLE4qlhE6L#Tszbnd*HxDq<9
zR<NDi5)xP{0L{gu;x1J00y@O&2Q;b|HkgMnkfRyA#WwP(V4ucQ_y=;n79AqrCq9Lt
zkktPW{T{m*4{+gV=<Fe(y#Npp{Avj<oG5ajLqhoTm9JcJ&YLJvn9khAEidYH^kY%}
zg`7%gx%|0@X2FWJAcLCWiZM{+W#w;&>%1!5&NKZ*0Aqw^T}5_W!j(6KH(@>BDk!|2
zgGgoa81=OWkcs<R&vout(_MQoDraq;E$L-EM1<Y_>+4rC9&3XFS18x5-y9dgt+r&M
z_w3%7h&E5s$S;w3myFWL9vV#|We?NvWMt1J+Mj2E=|$X`A{sf3D8#adh=6iO4Pvwh
z>WnfPGakrNNEc*&0FE=+!_g(42TBzub2CZ`vO@fl)yGdU2fQ7#W+;bES~3tg+~bNI
zYL}p~L612U{#--B6=w;gIASRpOolRRMC3;U@(%2oB<IU-7-ryy|4!9nN<!)drld>=
zubL3~fwY8#M9%jdvu^F0^{bS=ftf^a6-P%*WQK@In^I<c$}xXlmR6Asm4dtVrB{Sx
zG!*E$Lx(C4tj_W);@*>NW~697?Gfp{HZaNyqh4gr+SI6QJJQ1#`)2~0%lO%c`FJSi
z7Py{MR~oF2Oh`=Hp1vm+vb4{0TR^ZPG%|cOo+Jnu{m}eVv@!C+6J|s@#}@2GEo(3g
zd>Ip_;TL!s=+8NAMy1TDmSL?wUA$M`cu|mcjhKRBaxf&dss8f&_cJf`c3K)1xPr^E
zWA>(}Z_ieq%JP`Em7`9g=+(bOtx}9RI^uWrFBjztLk<<fNE6v?@bX)#lvb#)n;Cui
zaUGdeFF5d!bbTO%UsAOEkE)7aIdXrhc%26T6S9206L`fiy?d`p%clISy{Vbp#$`;T
z*wNQ*o|oJ9L{GJs4dZ{fWX)maUg9HP<X3RM>OjHKWY8HvT^Nb|14AMJFwmm-M(<+0
zgmUHQ=>~sdHisv<At4?Hn6J~@nz9R6!1+mdLQ^IuKV6{UZ=hb9%2P;8L}I0!B%Y#)
zB5AZP4gOnvn#TWB3y<3Et?6Gy`kogYyGYC~3IS%^Uw*Ut%>DZ_&x{>A(`NYaYMYx}
zm4TzzfuiD^11C=8xG!Gf<?aYXH)8yNta>0Q|C2cUDSYrke&s3?ly`XTVddc?J5%zw
zD-)|OOs{29^L8I8R1~c_5}2p1t(|>g(nKcN!)2GV(#1I<*n^vVb@r^9=}e%<8s{Yn
z``ymaQ8T79B&=F)y}0<w)#Bo_=ZY3joU~-|9NZBY-Zp)oPY%+YCpO>nbX!-6@bJAt
z?2bi85HG4PzbBFnjCd!0lX&*(E9@_2_>;DZQ~BAaOY=h94y$F|BdY3Lj@sv0ZtsG8
zzhmXuGU9u2|5a8~`+%t^BZ(R-Y~9_b*)GaByhuH7RFPwycQr7(Z9&{K<tAD3(g<!m
z!fAi#yuU^@!}p7(#fc6b*?+i7vG*6425O?Z2~JPiM-+J=DlebRldRb3wre>TE}F7|
znS>?r-$h%(wyX(LjB}i6=?=iTO=S733sqI53fpfBu>Dqq|KW%j0#z{J0v%9A22_FZ
z16#FKWC}>9X%*1RXOsT3Y5!TIKMx1Cxdt;kvJbn}glAh5k>Nl;MAl)nfuUwI_)Mfx
zb(i14zaK8YasFUcF*of3<K*cc=%Adu==6(Fj@VYyMWSCoOOv43v1$9}?P{{FnywMO
z-dB3|y7EYFkY^@$sg@~qw#r2yk8#fdw2u!rJ({sTC;laJ)7rI)h)ruZuT{@MO0Ago
z&U!h7NCA%FqMb~wUl>&rgV&b<pD>nG%WoD`Rwt|BNIWxf`RSXA*R)xFxmi>iUzT#T
zVBrm8|6tEhw-`g252+Ss#iWO)1)siV?3wG3ZWC+RJhhvcvLOS0q9zJz-Z+SKT!rTA
z@tib0B!gds1{<Yo7JUBuA3P$v?9QJ(<fQ$vr=;y3E*(ZU>F^NSlAz|;R>hp#mR5X9
znYwS?hTWX(PTFJmOYI18-Qk0Iw%t@}vWnZVfC&+e-@uHxFAk>D!l_>HQk!48tXdTt
zAI60a2I1De$ei^BzW}0eXHZ^{=Iqn;!D+!p=ZWE;g-$1BndE`yjC_Y~$Jn~XJ2ZCn
zwy>RDPHPr1o42E7m4LR7loLVD-Lv`XMJ=X`--$IBZYkcjjFX=fCA_JNJCk2@rpvSo
zzRSIWT-Wp0B}DED-?gR-+F$14pXZt8ws#L<j2%R>nc?6ya@i6Qu{mPH`b`^@3C)bX
zNH#az99(NYL*R`yRY89|ZSioCS~g=fpa=@F=`UbpTlQ|)7qcHA`MgYjS5sL-dj2KV
z8u&EwQvIHn>Vt>&7i_6CB#Ii!iDD8rBu4KyBt2_HG7TLrirKqy?_Nmv%Gi~0E4lTe
z*&CQSjpD7L@hjs(4Shrt)-%>Hc>fedPj;F!)04m1bJDH+Od09*T+r}{SYkG8p*b#(
z6BW^33^+TN(Mq`k>Bba@5@<Jup6n}sL?UmC9?(bzJudQU`NT6<%O;YTpJ>cj(GU{D
z0RA|Je@ph)ZN&Ika$QW^-pPO20tlh4Hp~)OqnqW?r<r2Wo<*@y;49K$wS?Syb@S;>
z!A$_J-|U3Vnvf$fK3;$Wb02r%<}49uyQ*Iy6)EAJGfXsj12ef^j7&r2IimXGzLvmw
z=pmw`3|^5Q;+YYSZj&M6n;MCGIT_X{SczTZDAHX>wrO_asrFzF?!mhSB+Azi)5x35
zanbs*k<^r-`9rbpfK{{#Bo)vK9_gh3C$;5sL<h-nrY8_#jx+N`9`JbREAph9nFXRi
zq??Nl(GxSGnI%`mZ-I{xMNHS<WR8j=$A+U&)T5@Nfw<f|TO+vqI~np?NCF8XFFKN(
zo6T(zZC}bXXa<UI$1`VtKHt-dem{eJ?=OxU!(@5-?pv%JI&3mvilwzvUUO*;@_C*|
zZd4sRR-Bu%)<2Vj>T&n+5BKCLGHv9V_BAb_B;-+VLT;TeKUG#v&Pw=3eDm<+(`@ca
z`E1eVZJV}jSM1uf^Oqg!s<KI<r(VMjcH<kgqiAw8V_!d4jE^O{c3q5itvI}Tc@l@6
zJkoolJZjUrU)HH<uT!L_XmjM|wGj&1n|6|)Cu*^Ch)eKXv^TH*CkBx{uZSy|ZNc}u
z6Qs@W4Tt`eWk-+%sQ(6$%r)YzxN>`G`q3kX*jt|6t4S<77D2xkhlTk>cq{wNeGKHe
zA5J}eeKIe|J(olFOSP`Y7UtSwMDUOJeWY0C9$^8>H~*i|g=Q$I^%E@Pd>4YffJW6l
z$YOh*hT~wkyykXpX(_kh7US%&#BYIemS=uZ*3Q&@$s9@JwP{9TR#IB3A?a8>QnV{|
zTSl(p-MAX6KWe_)Vn_8kOQs<IK+;KNX||Vxd#ImJ0H{`ZX|^WA!~rV<LqY-!Jw+36
zUN2r35)%}lFu6H}$e{0bfkIwu`bFUoL7i+7tdARV(&0$swRClht9WASvWL8fuK*gQ
z?yab5N9loMWz#Mg`@8!FyGI#nyu~@|(?gT}F4Y>lowUoDyVX#Z|6)o{G3^>KfU<O^
zg3f!6Ad@bzxcK)R^x{R$)#o#-5l(I_`|T<TlHU@MfiwvGVj?=3Y`B?z>dcO3UFvEk
ziK0&W9a@ejR#mqcLxuFM7vCxgvD*U~;-72|aS~5oyTEg#axx?cep`crv|WRZ{=oEc
z*c(~MAK0v1xt{cRO2#YpZcN;es_yB}#I4#C5vh<B4H{xQe1jTjM}MelaUeLskS-7p
zS;9;aHx)9|#Y5~{zX4*l^x>D$5WTPMMWzmJGL}rOnEzgn@6#A;jtza-Vl^1!qm3?M
zitfkhx{R&gQOv^XDj?(V!>VQ>8Cnfz-!CtR4kK;l8msCSD}L<lQ**k8tmHdEAF{B9
zE<AlmM5OP|z=P_$A1dK41^>76ydtr#w-M_;czuE;@0B^?yT$Iq$1HXP*DTQomA&p?
zR(KuUghBwt!EYaQ#`Zx9ZSs&j`!rns{Nin53^*#%+45H3zLsNXXSM7zSuBx#{?Wt1
zQ7zS)f4#OJf9+NNKiR2D;u!8Bku~YHv~3wMTcTM`o4%H0uJ>(GO?uS$;?K|3bq0<e
zC!0B$xn6VL@e?QVoPJc}YTYelDU}+dDcEEoA)8=_d>{0&ij1r$BVQX4)5n^AcVtP#
zl;7o$EjiIrhnpt-{;7`~L_VWmofpfJs;o!^fM`ZzP7}x2lgUUTJ0)cIrW=+)<kfXj
zD$&euLV!za5v$X6MU;i02<+gHbzkq;To+qkQbB}uMkMIr#D}Eej%-&Y(4e+nlgJXr
zOq1X&L?xSBd4TRm6?RoVXsyHGO1=`Ym0xNxxbh#>h^^%7u??*!;mhSKVvCXyh^4Da
zB3}_=_-Qz9(1P;+wqHV0beWIc*jPtwt{aiyCQS$aisoNc_jLIhk*^u~;JaKVK?4c+
z26Dj)+BYRiJ`Kn2lddR>%7hz1H;F@QQKk=N1;45u;FUL3pKah|jSuFOOk5Qly*^aE
z{U!rPZW;)mH|wK5%)aELU0KRwxjsvrygZgI^G+=A<7^!nS;4~mQ=V4<sm9mSqH<GR
z%*`)N7J_P`uCjv><fuf}7=d~oj0jOB>l*7p#ILP&I>T4ngMYb3#1q({58?6XsoR}O
zZW-qxK`vd@{;C%sKK{#^HGZub-`vI*eyt<@bd5ve?hz%{HgxTit!r_EPs3-nwzTnu
zt#$kAs<9(xgdH(5gwHBF6;ZExj*8qqfBp_9Yl^tFq-^wZk2QXN>Id5n6`ogSB}arM
za|h2di2?43c1qKUqp-t+t7!WRqu!`v>g3KIxtGDs*A$VFn!YPjc|6q@?kJ}s9DV&)
zK+|s{S8sfIaisa#w=eD-1PYsPc()fwQ4OSp>}!~I_s_di8)VvV>#v8(HCC6^mU`wp
zrt%K<A2$Mh#x=;*Wszdm`S}mkvX7BS2m-$`N^+=6sVQg`YyKUPiC@cXNa5eq{S>^Z
zhLo>w>YfSz4*se1zg436dnVtO|F=rq;GW4hclfIf$A2yU!I*lLtZ~f$QQW5p6xTTB
z+u}Y&pt!~{C~kA>qffqJ^yf2j@@r8a{?u(tmeCw^JS~BI|8ouh<MTrne!W19|B{8h
zcZm`^0{@VO_bp3jNi?S+GEuK>bRD$q<7ch<jf{eNYmv8f+a%E}Z8;-<3^YQGVv^W1
z&@X&Jl%ee-tklq|uPX1KlxGvKJeyjTr>>_+DzbUi`v>2Z3jlE|+0X0VN4g&USr0GZ
zO~jQWLCah`gIruZ6AS!X`&z`p1E)PN!!jYqn*_w|v5>gEkw3<++~g(<k5+@I6`eeU
z@IxM-;h@G!2rExco~w|+YK95QGy{e3A!QNZ1heEv+Oz5c@T7ZS#ir+Me1o0>Mf&Vn
z<Od++0u&FXUK8njqv<;D`7s*-Z(m9SQV2>-kr43Jq)4Q8WD5Ynp%;G?V&iuU?-N7r
zNe=QHOV3rb+MxCRZ8YGtg@1$mH!-!X2gWy5mNIc-qAVpi{Y~6rMaN>52Q}q$zUFhv
zQZ!a%EYpPF@X<p|Y$p@tLMB>Fl?$ouWZn{O<jd^MmuX$am#I3+m#I2RaH=cw2j)jH
zJ#9c9tN6?)ws&i>KQPUFu|M#|TF)k`Wqh%!Wz>2$Lu0>Y_h|gm%ETPa+>cCdL^Dqw
zL?_e9L($CmJSFE#*3`TgoY8a_o*@UY!gz-CEWs*uoT!v4&(NNrvZsACN*LQxG|Smj
z7^ZIW2x=KkP_7Sn@>KJtp1P#bqOm}Gq!~l7D2@F=hMEs~&A-ddP0>w82Q)TVl6y@y
z%gHR2%z=E5#rCsDM%?G6p(`?6_?l@sGPUS3+3}f{>oUo9(*OhhLS5SKuNOi}G+iGH
zHC=fz%51S3LjHzYt|Fa24t_+2ew_5s=*VMD(PM<UUnia9f8K8ZtASwDU5jBe7ED{f
zMT=w}rLObJM=CAGPNZzV>!Y7EoIYK6h>JrU<H+iBP7jqbj}`&ZliRr+DJ{v%D=$8_
z-0l#!#ADftg-R4E_(eY3vGC$TuBNagze0KGnB(-hE=y)|(p}*%`@bTc`JgC0+2I?2
zywgKa4DnZCW`7sqpZrOXiYLsCd_so2<k@F7@jm2XFzf&{hk&=$#CpUZ)NHD?ul+)<
zVmy<VcWD1H<%1K`DaS=_ii}j8aG9TO2RebD`hxAb-LGTca=Ty3?d*@%KPW7_bL@EN
z0zm4w3ADAHg5^d>I^b9BZa8kS@2CAKyYhx2QoC#RA3!Gu`h5Rope^a4Xx>#?xhDaB
z=IVrpSXvK?4OG&u-WL2wfbIKZbTsXu_#tAEZCLo`*hqEwU?yf~a&)Rv8V~9ibk*ZR
za$ummQA9lcW`Y$=I^vV#djDv@Xn(BtZb)C3u`b<&+%Tqnrlrogk;h2kDfHbYvKG;9
z0Chq9)euDSCP`#BdLRXE#L`8yZL{Y5Z-R79m@u8fhzx6{&2b_anK^JN$YtWl#ot=&
zCW?tGh<p8LHQdxYY7V>=G{HhH1ouW0t^xG4IVt>PPTFW=T6ot3S@>&B@k6-0Gap_F
z!J90<SYA+Ylyks3oWEDVQsoloyap~;Ocd|y-jR-qceBn9>NS2c9jvAs#NNT4!7G9b
z#~bh8xqsK*ordOnZ_RzIoT}L)f0lJPFFQHFcDVDz$x|>KhD9Wk3rVCZ8H>oBG;@hu
zsQDf)l%hXQHC*E6i6+|&bLgl1Y1ENwTP`|28uLG5DURK;d5c<eeTRt5gfm1BYKOmp
zv<G-LW@7%(gV?DNKk-JsapRU)j!Y5nh}*t3UVY)r?IVwrjkjH_&T?DV$E}N0(COls
zjT>Xs(hB1A9Bo%2B&Sx%&(_lMh%(ifJ#R4s`5GB$T}!iR5)_8C!cS8!AbVd3$zDJC
z3ymp1TNz(_7MnTQSlXw_H2b18q8r9DttB4iOT4y9PO?c7^c2O1^>joF4P;tO`{HWE
znGQtOzY4wJhuJ+rVbjmzamF(m(>^VxVm#q^OKZHb>$9|n1x4D!!lGGn?P2ZVPlwTY
zuaD5)5oBoZ2sN`t$TfpCgIjb*%V7S3G1s-DuL};`)AqQB-^a)SH8vevka1))osKz5
zF#e{~VRSQ%Bh%?%63ksUpp$5Ctk%2WkN=#6D5IXBO>w~=|2c(wVSr@8?-)|Pr-FA#
z>P!U|n2U5Lf^MWUW*paNoza^9DkwUuHThLnRd3OyTa4EEle2itH0JE5p>nOM*5s2Z
zz$5TP=ZHOQ@awbg;FHL2VJTU2i6pjQJDEI_6yfJc7)1DX7hmpv>Mqx0i8XaJk$<`o
z_?0){uWP&C!51nYBd53$6pO7_XW(~l{QgX$jk}9)qqN=SEm`80I>KKbv9?@Oc3*I_
zT$B7jcyp~BA!$|hjE1%}i6>hz<t^9cnleptOBt$(te^F!@W|wIBJ?z-UoRrhKESJg
zcL^DJg?xXHwCU0k-;#`rtiYknPNQlkYGN2I^10`FZ_%xv7Z_g{SUC95_l9&oHT-(B
z*W%3F%<RmJ@fVGqon7pgFEDHghBGrGtqs=B6~t+=tU3UJ$_Bgd0s~16n4)e()nz<l
z`tWB=S5Kf(P#5lx9G=d-KW2e(U9aMP$Enaz>flS91SA%b%U9vv>ns1zP)pi!n(xH7
z{7=lBsc?<)TkD}dv64y7PpLeuxa)nc??v_eg0(v$G7P7+q>19A{NjC;y(d~tu{q^?
zhLgIj{Y|s-H^FJmC<IQg<@eNvk{1*QgC(n>^aX<ei)gtOF~V35wyg62D2)@Hr?NBD
z(1y0LqDE-#;Sz}DXF<CNJ;4L=O87uCm@HS3Su_nFytnCKl7@I-B@kLQgXK<SPzdI-
z;?2o4O?U18M9a})qA4yW`bC1~3&LzoF`26RD`ocueoM2MjFg0uYpM?<7}PVGs|!{9
z8FA-NGc;F6sY11VZ-GhrneaVuI*J@fpd?gtqcw$iXl}@-t6HXL^2s7W$`fI_CLdZm
zo-AT|K|^L~UfdSMlYC*k<^=%co}%0{e6a?6vAR=R{?w4aY0DIvf-+Kn6(*5d+~GP|
zr+R*qc-+Jo_gZs(u_{yp%0L0)`m9w#^0VevZ=|4jI7Q{-E%G-A)zrgtPgqap)FWnE
zQ%?p-q@kL##Y6~b-rm=Kzs9GYmHQxLEpZf(pWt*${57>DDCs6|)H%VZLzbJsFbD;<
z%=4E5l8>q5^qV+c#yfGrHZCJ=C41J~n|p7|{p@?W4YBuZ?-?DxJO9q6yE%8V?`*zn
zcUNW-@!_>Rec#@U%$0isLPA&j`X#PT;$$85yoo@bv2Sl?#>zeZA)#S@zPfb72oUTc
z|32j3gZyF0zY6&$jA;O5S=zq6Ss9_bgMvcW`1vHRPT@2%1Ei&Ah3-LGn2$f7CW|zA
z-_nP_Ctr3z@Jf`ue|0janPR|~`!&sP|Egq^+u=h?Z+ZIO)^dYe%SB!z1EghSqTFCz
z9dNzO#IOO2!?+*P_u_uKXTkkC7-ZpDke-<lvL`sO^?s?G%+SyW&%)==Xsw?go;?Lx
z@0yB^#Jk?YziRCSVk@A1h_`T$cEUo5rji5+Oh`|m8#yOI#@WcXk(Ur%zG=u7rkyab
zHJd%@EwtCv*Gsg0$$JSM^;IIZDQ5+UAG#)_1GR4bR8ok~U<ofZ+S!1>!0ys32@EIg
zY##f<2QXfT?@BZ;$OjcQ;RT2I{Oegg36*H-4TegjnkyFtbSO`IDb!psa8hZlt{Bn2
zq;~3MS*6y>K$ZeDt;#fs*6M-)E@240LE<EdPM#)1oHRFqVyvA9>6!rG4DCFF<GEQ!
zk9cM|IeGdxFC#rAkm`FXUYfObfS{(sfi)sD(b|14(c0V)Y<Vnn*3`*+s<c=V+ww^0
ztepn1x-TM4+wmf;Icwk}(az-Ir%ieEY3)pd7>Q24fs)uHwByBFJCn>10HyJbkh0np
zTU44GXgn)j*VWp5X}B3$n}Mp9gPJ1ZDfs;P8P7iwpeX`^Bk&tri}ONpR0MvSn(RSj
z;z(D9q|#A;ok&}663pL((aw~g&+b9`k8xngaccJ0iB#JS4ciOljZkU#UJ=l~mxTkg
zv*d-_bMq>c6}cYv+quiTn0t})D|;$?&YwFXlEbTfEtpjXiMTG$Oi9eo3E1Z!6SL`;
z7%ny^Ir+%`;3LM<eSH?&Dds2p9>H3iO`TxCW8o1^{V0ic=xf3Da-qBCio7N>yQD%<
z7M$hm8x*?2D{WPJ?3PWNW7RQU!9gyo3~|{vjZLRl39>H=pYtgH^DQS)eE=v;g69&F
z`(6}2pws15RR4-4oqzF)SgQS@HM8a_qL}G8WE~`yV#*dExZEt%j5Bz;<L0r)iUK%|
zrI8BB%59;6ipAami-7e&ckA@>gbTtdx*JNE`cw(rFAD#lKJu!G?=8(H&c;1ax-RVp
z+|yz9RkMrlTPvbVL`5cEv79t<_SH#zRrm^iPaK5bqlUx*`9;zIiGY_v>Io@C%-=l~
zbwRLNtWG7i$`7V@J`x~_3AQ{G_6BBIABpBl@q==~poiF|zVcAjst5TWZ%Y2@I~3y2
z_k^iXhd?zFjCv%@(xKKJOh0rqj~gTM2y|F5n*g9!r`GL%6)u8Wr(6}eq`Cx5=_+Cl
zyUM((iFCq15x~nM4Zu)B!yq6ujPH3cR3R&L17w8;qC3;T#VWYC@|~7WL8rAu8nHxL
zYdh|`Ae@bMoT{P-MZKf~p@NSb`?BV<htf`s*n^@mrFV;4e}JpPW-^9u1`<mLaAI^C
zg|>_QbL9;qI;rN-g-12A5SV$Z<uy^v^?m!Za})d=)v}`C3u0MFviL+oMsC*rmE+Yl
z+nEn5N+-E_ty~5VGttoq@BPb_lie1YLS&23-};c5=zT@<ii!%m6UXiF;dsK%&aT4I
zu>v2=f1{$n&e%h+q)}J~r15A;56R%AqB@CGtNg+X)iP3ZOn!@eM}EpdR6P9pfARv=
z6L;VY13D+#?*tvHg#FRa5mZm8)9sI>RHdB{@@k>w$q|@Y&!L0HLF;@Z#S$o-M9Dva
zXthFUX&yHV=$K~mL$h!(R2rw6tNN>);@lCWgQWwrfv*2rOo{flR-CLvi4G*|o6Bi?
z&EvHaT+CzC(|)JseQf?X@09E)?N`VbS$7_lv(ViBov%>E`L9*_2ME{~2ry(lS%s|K
zwap||)r~sqZk<<!3+8Jdw<3Fexw*DOodD>d=EO@v;%ntaE^kSj=_eVfHuk&#zVjW4
zCkST#0kp5nzF*T5+4C>T`w{7Md-%r~e#yTYfgqleZxBF{z5JAb^tsCypOzy}Q=wcS
z@{>Ndg}t;>TqRmb-98elqUP8KJ937MJ0m-6rn&S;BFiD|B(ih2`7fO%+87;ZKbD<<
zmtBMl4`aa_lUHDX7V!|EZzWr_*m;$d)4p;K)v&E4<A_ix)mqg;b&^`)B5mWp0QcjH
zjkw|@Tybdlzq_Oam;5uNKZa8>?2-{3QuFq1T8-?jhjx<u-1bu`7Zj%*@_Pc*AA~b8
zN#TKt;8l_S8`Q_>V4%Wz0GtZY&8P{_2C(V2&|6#hzfu8c>Z|YZZSo_jpykzMT(#^l
z2HEFm3aqsK=!<3<iSGwhT3a1sz?W9h+8VqrDXH1US?y%pqkO%rlvchu2ckHuwakod
zC5v7wk*{Y47?Zv<n%3}i?l~i>ASs>uXfDd1Rm0qVHuHGSz(?5C9rzQ2)glEkls_ye
zEZ@N`-otoD1_jJj&J9Y-j^q}HG4pp6*gr%Y$DTR>LFq<{`1dJ)aTTS!m{^!U;0e=R
zG++QjIKU0PC_Z^!S1<1<e?M!bwSPvou3lE#iXC1kr8*PCLpz^jsxa@jl4w0{LnO&j
zp`Z2|pf+_to0<+VV;Y3BG&g>fT;AX=;m;>G2q*IAq)Vu~N^AN=LVu{<eYde%mY=7&
zU=1v?8lcUfsmczjklnmNNEH~&`>05txw-<rNpYR}R|$=GcUQ}b=nq;CwDf&kUX-u0
zlhD6QZKW;abpK{br8$V+vj9s{=i$$cUclLI7LQ~tmNjgZkop!2av3Os=N~1iq$%Mq
zXYx5o*Jt6ux}4LHEoiGmR-ozK(r=1H8lIpDPe@KUo=}<)pKvTeM4b}ENLz`t!h};u
zD@-t?o(XN#DNgon+iYsfK8NVD&v&+MOAL3kZHG5kFB81h*AwX3>-p;C>fO=%B(M;8
z2zCjc>5KFg`jhlM^%L}u>uZH#;T++1VTv$Acv5&;cvtvL*kZsKj5U~R5NvS3;8%kW
zjEFI27BG%XEu8aviiV3eiV8$;#3RHD#p&W#hTj=>H5_0#$I#Kx(=g0%n_+=rso^`r
zPi;E1QM4J*CZJ7hn;mUVwP|Scr=+t)DH$f&Eh%6n>~}23+Otd9Kz1*i$sS}+uqA9u
zTbH)m+a|Q#-!{4Jop#;Z4R1HLoohSyb}8+0+I^I&rGunHr9VrTNq0yKq(`My?S<{-
z?M>QuZ*Se+yL~|WBkeD>zt#Rxd)lE*hu{vYI;`oixx>y5Sse;G8gyhk$~u~L9NW>d
zqfN)-9d8-^WHi!fjL{mSi$<@EKFP!~Rwk2~$@<IuWtYA)|8CrOmfwYbxAwc6-~B0{
zB)67_%QwsO<TvF{<gYt*=)`sE(`j%gpH5pkC3VW^bg0v*PSu@mbmltu?>xHm{LWsT
z{X2(t4)46ab9LwX&hLx|7!Na^Zal|$qj8*Zs&RqwW#encZ;drw+I3NNG3{d0CA!O|
zF8jJ1>Qdb0Y?s<D^<D0E`Pk)?LSG?PNEIfE0g6$I@rtR6nF>$EDn+;=N)fF%swh&N
zQQTEDDt=WoE8Z)+D#t0OE9WX*l%C39Ww<h0xkZ_zJg2;?Y*Ic^zEOTue(Ead%5?p)
zYrn1|yH4mjt*c8{_paVugStj_jp-WSbzj%RU5|CW+Vy_d=Uv}*{iG7AI;qsEo~i+=
zA*zw81uA!yk19YFrixW1sFGBfs(jTkRgtP(bw+g`_*5<GPU>#z9_qg8DQZWxhdNlj
zM!id2pe|Eas_WFZ)%Vp;)y?V;>Q9^j$8siIUv3aLj+@Ob<{Y>HE}YxIZRK`yd%09D
zo6F})xhvcQ?wyH&iLr^&q`OIflTjuUO{Sa7F|jjQVzSg^xk-@8N|P-ndrXo{4w)31
zRGQS7Tr;_6^2FqY$?qobO|+)0smipk>CdK<OlO(SGhJ-D)YQXtwdoeqZKnH7Q%o~W
z^GuJKmYAM4tv9`E`m1TP>3h=_GXt}>W->E{nTc69vz}(d&8C{!nK_%SF!MGGGuvdg
z)oj06rrANWV`gP$XUwY2>dbDKHJCM-Ju&;kOlvMOZ)dJB?`}TGe2n=-^J(U`=8Mdo
z%-zg=%md9=n@5>%G><jkZk}v@!2GCrg?X*{E%V3bugu?>|IPgG79tC&h1^1AVQ%rG
zMIVbn7Q-w?Ta34uVll&Fj>S9+M+<igAB$BMkrvSw+bj|-ax9KmoU|ylsI)k5QA>iu
z<>$&WFJ)qRd|Jj?-?K_$aQO*%3iVdpUU-W$Tgp@nPqG0?y!*T*4xX9!PsZiPpHb8H
zqIjFQ6%LA@-979Vc%6FqJm<=(duo%D%))WYd-hS#;Wq{mJvDnQ8?!9$tffo6G0V#K
zIffbNJd*P7`CovM<BA3KZ-`@f+>I}^GVB9Sn>;HeWh{CC(0b6FzQmBrd?lZ;40PMf
zxzp!P9`PNP&aE5BOxQ5b%2vtB3zFlvCvstrm}vNMM=AYQ@5;RwO9WfrVEvpHhz8}6
zaVmL1M#jMczl`O}{r#4^rTZ0dFqaC_k>-yyKcr<KP5OZ@k$<cJ!u4^EOw#NmTUBG}
z`f&R-3&NLRU2Ao5SXtP~!DPKL2(5^1OK7AAvtX6y@_EYeu(;SrE~r1VJ~1geOUYux
z6btkZUXzhcs~`G3;HZHglih#&_(_2CUTQaUfm7~Pb#45;QUx2e1naa%mn}`4r!>I>
zV*{+A2a%pCNzX6fVt!_($1Hamu5_56kh6$eI*M6-`bx+-<$kypPH;T;>gB1b+WdnN
zo`@n}CSJC}1FU+id}k>W7$3STO_7$myDV0{p^oVtW9K$UG3~5h<ytixeu;^Rh=KoH
z$m;Fs37e9(?BiJ8Q<C(0)kNGmjgSgk+KQ=}^`a3Y=avvNwWckwG=yU6{@W1JQ_W&K
zBxuY4mCS1l5ITd#SgT}#W1@jtKc<I7c5)2NWhB-~*lz(#{{gT1Z;($}BHnsAw^mW&
zp59}J+J7-q9Gw~-pz!ls10NVE(T2;P+&)+cm*nF#q!&EQOvNEVu4`SCwDTmOD3b1X
zpAy6BBYy7rT+J=!gp=j*K1wWNE2)gG2#^3YW+EOBsOis0TOoNGZmME=2n^DpuD<E{
z*aK5CxVcFS_8wK_rKOb}Em-MykgQQHwaErgj{c;XKMlL#a><`N6<itWq;T`|n>*hz
z<)FRVb}X~3^qN;4-tzy-2U425%2!7QQs82fKk6&V#}|eV4%?vLKw%G&sM%(EoY<1^
zW*Uxenb+Kc_D1D-iZKfnyU@ie*g-irAoo58$XYS27Sj&J6W+7f2i^JAP-W##o=Jse
zg#|>hpQHL>Hy6*~rAoFF?26Z-aT4}ld>Q^bPli@M2KHc<<2fK%9J(0K&5UQfH$;Z7
zY?U|fZGk(}6`ARK&&8_O)xlRWX1>b|#q<k4b$~=9R;mUOpk}NA`hxI87p6AjL<NxH
zI`lq5C2Bg44+V>plR;O+*Nz8S&vo$}%dsGr*c~pvRJpsjhFg4-S>fOmu}nF}F{`NX
zK+5HetY0=}a}VKfIR;E%b5=XKPFD1IH5Vk<>{GgysL0%h2&_if)KmJJjd}rJ!tHZ6
z+bvVjw?r&vj~&lWIjKCIM*a>Xi&U3MSQD~Rb(}E$fQtI|zq#!T-1hB1-L{kFho2-O
z7IMYYc0aT$na$I7AI~kUtc4rg7us%%DMuHT@wDBu+->HK{D!t$%+q#fUsRlFrR}y}
z8sh5arlajXp`-0C%Q=25hkLZV&TrBe+U~#51Y5BLzaj~K#S#1y_;T-o5LdDG-i8X`
z5th()kEsV7VjmHYQqm4q^?JLg5q1i?_)j1TO2q?clxt6DA-C7SWniH1SvSBBP;tv0
z@!;IK57g|gik;;<%E95aeg4k*yX@}M-;5CxO*(4Lpdjba#<i0oCa#^xE6A&1*H+h$
zAdSY|L?dY9>PcY}fNX_$kt-2bBd*RtI>L_GBgyGGg^Ida$0k}W4RCN)m)kQL$#5W4
z9!d-La9JKOhqDs{lK;1GdDE4H)s@_g8_ZIdB|aDu^e5{2{OzY7D~<-Z9pt-wq0`i(
z!<5)EQt(|K0QaD0C&M^)=kaaFw;x5F<CkrB+TnDOZZRe*(R<*Wnj(}XHqtiIdY!dK
zCONz2Z20NvB-Xf>Xc~=;unDt{fPp27JQH;$@~l15;YQ8M8&96N{8(|-`?#I6kB{TB
z+<*d5m18l>%G=e(UCrtobN+J5;r_Ezj?N*6`^zEcAKo~;Ck`i-FAc~%b|N!9|7f1)
zlz7h1FJP^|(jN}6AFjepgtVW1xBJglR-?xhFSvd1!0z-6ZumM^`#DPQ;9Yw{xaHPN
zXnI~~g;Lt;0rC%rH=VN^*Xr!{)zOW21>qG?{%szoKR6+DU#21_CAlO{y{4KO6tl>6
zx`LJOIK~9Vg>6ev?AyPie2Y4woar6CG<d0EaarKmDCnkG8Ubh$KYVr}EK6)9bRSJ5
z`=}usJ`;*OCD=>hyK+@fII{MW%-Y2)jC5aNtF(2`FOB48y_KBZUY1&{IJPvIC+?Wf
zlyBT034=9kU0^iShE2Hqe0k2{LKrLT3*gY=Mo{8I-pJmb0j8>x1W^aefe_k>j8?xj
zu$cN1@I2ivKY91=@&If_b)VYX0#8?Q9zop789y^p`MY|^{kzFWPWE_?Icbl+3=0>x
zxA1d$0oS$Vk}n)Fi+BbW4=}Lo2fGS;n<t&%wJ#_q-u@qy6EEDL2mWWu3HHX?h7DKH
z1?wnB956*9tkw*!+=oRhnGrrk!d^qD@f9pp=C4jw4{~L;ui6$6pjhG`v^YYYylnBV
z`AY2COMr&t%CX53S;=f0mF(o!&HT6H5?N`7CEk9nP73y4QI2^SB%mOR*obhFDFITn
zcuTXaXo(787PnNI`6AizZCLDZqfbPGB<zzl5_XsBf8tQd1)%TJ$7Bk~+pys$8VN|%
z_du`=5)q4!)ui*Ub1TO0<9)s~=aLUzs8Nu%KOCn@H6M^`NYmt?<`X|W>2GPh%(Wjk
zl$OZJ(q`!H=2M=N#@R0K38BwQj*H*Jt$xI8jEsh1624|<HphCjBGdAGdSAHv_<Q~<
zo1W&sXVZKC7n`0`etFFm;@BezVsTAGG}_^aqGSIgW+0GKY4jzTkg;z}B616lwhh8!
z*V0z>pADnN2@*ChH8n3UFwMgw0Fe4=fYg`XDJ(p9-o9}3XnT9BIfeFjxMBnEz|{PM
zsj1o7sex`Q0t3C#0@dr8?5#Tz_A6PQcNE-iEWZv(+Xk^vXq{Qal1BfsP8krotHhVH
z`QzXnraU!id&WKN+gN`Ohau78H_XFjj!83=;o%#j*K$cF%$E4L&D)e2$x-uDx%|;A
z@d|%V6gNow7XzLcoq~VLxc9{AjjS;ke4J#0>cnU!^JH;qiLx%qe%=-Uj0O#|HdDwN
zf4X4xNPXz3+{r7cu)O3T>A0WU60q58tH;iOF0QUi0+%U?GjW#R-%(V2R(bKj!jb56
zZ$)A7(dk!2Wbn!!bIyFs3|BjQo*w%EK$MPS$H9GJf7)wK3hjo><5hU##}YOgo8rdd
z^2XBAhJ28wYI^awy3^=j2Sm0-ixv^-cruuWL?l)%UDk#&ArT>wzDmF-BG{1q2{3oN
zH4BBiI|1Y3-^0ogSu2{u|Bg<_NN4UCz14;X_=R%m4-{Y8h9!t6l0IQ!$%tMeN^l~r
z*668dI2Jk=lkE(Zi)a`v2R=kOf}`1R7g$+YsY$uHfk{5zK_Q-=DIwViqV$uWPH-l!
zgF_jzh)$7bryxgAlDAJFa-@c2!R5$bLS_}gKuzA%eEnH2>7p{ysC6My<r;l?-o@Pd
z19ceB5RY;W0k(7t-6JPb#1M~Whz;Nxx-`>F5tcA*iElG}O-7J?%`LWKmM1IgC%Vx9
za-nbp28rl=Qjd_uWehbE(W%rM)%NDA9j~#HFLXXsTXUqKwDhp+%<0aqi#RsLRmEoP
zjYaoltBVewJHO=c%o+ABkYtw{NV0EGVs36qQf5X9o*^jIkCUQ{B9?eA!V(!c(Rxq`
z(W8raXMcc4pOb4`D#XP2)<imp{xoI`HRjl3oit9(^ty;#)vRQ$wv7Lg923(kEh`yT
z9-(5l1^aFFQCjqyP8qAbMfrXRGw1ulhF>Budx_6p#Z4yd3*Rt#dlI)ND|g3{P*ud1
z0Oj1JK{LI$IkX)!2I!>X7NFaZWw%9FX=nBfap=B>p(C(QQL*Rrp^FL@i<lIPm;@`o
zFUW9Jri8^K3>LwMOV|j9!YNePKu2@5FaH1&<>Ymt_}yt61b<6xtuesd+*@(Dfmh#Q
zsp^4W)%WaWs~1J9*%3fbXXPi3?@7()yegR00lrb*N;{XFbL%;>R1~{+^R|788!q>{
z51la8oa$Yl{#-qnERvUR%gH*XEZx7%nUg*fZ6k{0=g&zS!xDOU9GN8^XXZX6ihgIv
z(j(z7#|3FN1+((XC?+j-XZ&6zd$5z{yXQ1Y1oydTOf`Mi4>1UIHGRf>onsyMNnV(s
zW^LiM=FmiDJu@PM$j=*yVJ}G86S5BWtMqL>F>IQ1dQ38}&|h51I#GH}LG*@Ppwgdb
zx-Ya<S506J9X*;}t~`IpeeP^02MRFQ_d|F<yYEjpPMx*Tb&}<Ryra&X%~)oBQT@_)
zN~xLT5*wnD%0V{r7t;tkgv7q2ZQ~%GG1L>r{~x!1dpP3|(8eLJB{v>y<=7ZHHVDpl
zA0#*M`gl&V-)<0yQy)>x1IF#x$>5VpB6#~7=1;vQG*hYVT(9L$ygT6is8jHRAS+sW
z$-Ufm<+^gR-<nmN>^>FFx0<GwwldvHgNUq&1pLa%&#z;$<96;%IheVqO37A=&ZTA^
z+n*F2l}K)?b_A~2z8oyzi^hJ>*^ysVY;k(ZxozCs?F=ma)-?zABQS$qo|EZ3AFCk&
zCpbUJl%s#Kfcx@6&tgd%4B`AB-iCTpALtZtTyUBOgBKSqDZ=&WO9XE0slE6@*|O50
z$F!TID-ed8fj+c$>ewEz<Z82+h4%s*pD3QBHkRH~PtRiJ3~?U`EH!F)VC1<W*wS>@
zw7dAOtm?8L|2{E5aC#R6${szCl+Lg6Y+ug6X<zihp>){11;GK%>RcOUf9}D(dCFsZ
z0$ic!m20eACn~IuI#sK)F3P=D?#{~1PHWo9O%w+P1oIKOPcfgGjOl!XM0ybMF(oh2
z;`*&%w+$*;Ew5clo{Qi%Q^HU0ya>QDACm(TSyj>p{@V_T>>5b|F0fAM);E$azde<p
zf!cfoq#{xEtD%Aw{!wduxZR`=L)QI9Ux-3z-I?V~#*wsL$CX!09DW`>Z^;D9MF$Q!
zb92Wsi%RO8AX6ksrOtjOpRn}Yhj$fN1Idr@Jjl^dvGWRd-5SV?i~QDsWpRE#e(Rv$
z0EVrSSfJA<lrrqB2np<>H&cmR!g>e$u5eZ?P4dlH1;h$Ap+zJgwJ@_VEg>~CnPVgI
zz%6gySIq{hHatPCu-bl~3{a6%WTJ|0fmrS*#{fw*0mPV96#w7HoC)8DiV?{qyKj3<
zEX@Q=VAlrn<8$C#ia}{ChBFJE{`+@-LPUP<_6Ic|Hr3n3kvlb-$vSW%tz7xAY+jEY
zT#KRTm#~d|K-kD;3u2*uW-!sN>@oDlF42HB^A{l!F91~oknLBzTyQ_)MerE5JkTw_
zmS#!v5$XA_Xt|eowA?5E1}*mnkCrQD<>#6XG!R4V)wnmzX;M%3VM<4&3>}~t5Hxh*
z2({EM{OOz^O`jL6&G*bAzfj1>x(%DRtmi^ZnCP7e01CNqBDv`VS3?Y$TDt5HvaCh~
zybxAQIxN0sHii9`_d-mv_|DSGHTOF}q$ZfZ(otRXq7&$ZcilmCp;>HjqipdY;GJiP
z9`7zMzNu^x8vJZ``c(u+vP8Ys+S!gl2f31Zys}PlCLnjIr*Dw^imcFV^;Xel7hnG+
z@G$`5$5hvo4;u<g&(@XAr}CYgjqBndN2MQqBqu{(BXB90%<oI22-p+$`H9M@^2*Od
zQg$J$<S<9ateb8%Q0cg0PnJ7pKZ0>7Eex$wO5>>GGhjrM^RL2#*+`&h#)&S`$q2)|
zL?+{VB-IBz<8^YWpV-mFZybylzZ(u80T{xP=fn`(Ez6(GJkPNh!kwOJ-UWXE{Y*9X
z<pDt~d(i+Jvss&dAE>>%_{NzJQE7L!@eM~lAOh?+@dV$1MJv3L4h5-4&0%I7KC|LJ
zmZ03pRd50}w?zI(tVH|(*KH35&;Nb*E)EpBpFfB3E`&Z2dKND*M#vt_QOU}0sbmih
zNmy!h>1SfBW@*tDi2qEWJ=T&RE$_kI_&e3qmK{K&d~@*J?PkSI_d;98<=zfU3Ve^M
zF)5B!Zl3S5c$%M~bbn4((f(XmEE{I5pN7?jQE);Fhx2GZ8jTUjP*&VsBD*_LB`dDQ
z${{-`)2SX4>AS0W;AU|$BaK@dzGaPahGWQJXKwKi4BPlwuX}{vOBM3em0T}de!vk%
z$$6nhvQ`e4*q*RC9f>2L9XrzT5TTx!G&xd7c#6u&1n!gpTya_0B%|=h!l8|iIAB5D
zF$#Yy!0dnI*aK;4`3C~h-8};Q-B+Xq<Y6c>lH^>%)L?OMkYv{pHD2$ANoz-rQ_!PC
zjCovpF?Gb8u613kG?QN!v-xXXjIfwM9?P`^mghn0bQoscE!7<f8;@8yfKiY_<}NMd
zU7hcUVCWYzyoEZSXn`+Nj)->=s=J?=O5m7D_fHk!srDnv8P+e%O!n1`AWg4VSRmN}
z`7myRt>sQu48aPUF*P27&{lWq-h`17*455VaP<KCr~^|<9X=3;G7%oyL1V-_h9x4J
zAV_yB5kSeDh?Oa|auUIT$qEIDNI%3pVvb6-j(`#Kt_F|(ZU*Mg{C;kapZM2@H71rW
z&|xJJ3*KXoN1C`%`;q94s~s|A+;pmEa$|ZE79AG(9k0QXUr9-Z<MbJRPK$t<z8^c%
ztl+brO@!XN&w8ndVTZJ@XUR3ms^IkPn}Ut}E7`Xv&YX?sX76M?*ZFy3|Jg4$cO5r-
zEn^*j!se}#{YVTXEORX`>kyX16ER?OX^$9w#CAo*zRe)YaO_FE=@mrG29b%+NOXDZ
z)3N9L&xL;}o*YztyXJvm8r!GfVSn@|u_Jar{Yg7f`5<%Njr*}VkpqEvvh#h2nEc57
z`YVTrLsQ6IhEL+8C7YTxPA|a_RKha^m0ZP^tL8q>q(hgs+-FF~Y<Uw&s3G=fzglYl
zkR~wF2qsNJOeJZY*99gjB7FU7WguH|;Am|eH!q&?S|1h`<QP~oS;<z1za^s)`1_WP
zhP~F2C%$F_V%8!*Yjm7QSX+r0!S!MDRqPVt(0oiq9B%Rv*l_=XD2>MZohrc`iUk!R
zIi%vPS}e+tI1J@8$=2Bt_DcYu5#b}S01R!(PNp2xRear!#v2N97(*Gqpb2#dExDYP
z-wLaOQsBuYSxq>F;WkX-dzy(_8@3@#85p=bry%9Pu{>^q$Scrk2{{kGcYXPpzh<>Y
zuOw_rxQY#KK=(b6id~n$40n$}?7F1-<pFc2Q(hX<0x~dhMp_!uWGOJ$;TyF_!UAGN
z0XT?WsJao)BviuOgS8<fCHHVfOBgmt16BNz+<VEo`J9-eT<A+)N^HDcEMqunReIj(
z%ZiUfFHzNqv7QU&sjEga2Tv5IoK@DAc+Z-(Y(-CQ=Aio`Rtz}7(BoFjj?`USvy|6Q
zI!+k1VBxe`PMLXbob7nVv9QMFwNm;)C4e<5e6M16g%_z1;bEg<Tcf!Ihg-wACb5K*
z{746}OuqB-6l<kPH+Fqk@P?JjMXZi=Zcic%Lom;<q9y%Et!n3dW)GBpb`8T;CT0~D
zDqi+K(QVS4P&Yeu(HJK4=%IviW#z%(rOP}5W^mI-iCAmrd&8BB7kE!{;A$2#$5PXi
zvXv}?A}oVhSfE&fJ0OAKMbgk#t0bGq-z97SRwDufSTYhO_;Rc(h^dcgLqNzzKjj$r
z>}rmvk)jsUPIv7{+Y^bg@p)LQn*_dP6&puHI;3GL;s=!S%6mIFHaBTSiIROxk|bEC
zK&%zi06+fhXsJZ3hFQyMk@PiqRayB^32TD@5h7sWQ%qsj@=nE9ptG<@5{{OugF%Hg
z4te&mgv3+~hj6$4>WZ!W;)*S;l1SynV!MqY>G_KMq_m1()J5Wfv5rnN6f;gZ{u-;s
zl;VdM3ocR44Ejj1=_A=kdSgOFrh>IAm$3ZTKAniM=qw3A1_%h6r&#qHMu46Znn{8x
z_5rbyuw{}3%a=K+`3}PKQESHVli|irJb4&vR1fv>khFWs@(p20dxqMF+K2Evfx$&9
z3quPnNl)E^Hl|TfrC0`N2UR+aSg}Cz$IW_TQNxfNRuMl58>(};MeuZQAz8_L(;nQh
zBTG#(@S@x#;I(E+|8QcfVnM;p_q?ATJCZhPHib7*jUep&vLOtqb9?hD5_U#M@5J<E
z+seRr4<+s3INF?J6?KP?)*Q(S^~z9R1aiqzyWDX~Dj7DGwq@P(9Ua-vdg&2*!BDy9
z`2l}kgr1Ph9U*@yTF<t4YwU=Z01;QhRT`IO$sS1>wqN)asDFx(KJ|6oSj}RgE_!V^
zHd_5x?aF<#m2`_G?K!^HZjhbV1th3RSjx9%dl7NcFbu1hUE+Qoc7zjvApQWaF43QG
zkG9>&;XMQ})$AU;e{WtBu2~<Z41glZO+QkR&au;=Su2D2<uFo%MamZ#Fo*}_?Pe#9
z>?Q5UJ^)Z{um*!b&ZcWBHmDdz$~<DimSBCxU8nS|?}L?whZX;$8tQ@fD4MKdg>VR4
zgf<T&D}Vs4bpY7&3c1$d_9r-Q{^cq}&9xpYB}T=NUcSE*>?I2|)82mR_0yh6pngNE
zSz?am;V1n3)VZ3qR7rs;u%31tKnE(|7TvKw=?Y3CJD%{h)n+E;60z(pds9G%=-lO@
zjd!b9SJi@QJefP5j1}^jp{#&c?gH#;f}`OC@NREc{mfdGFRyy2_^qP8vFX(09)n$H
zTg^u|ovgy@Tb2Z>-jEd*S<APGv}ZJ35!UmG|JaCaixUU(iwlXJ#C?VR;sYyAaA0vz
z#uKBbWS|0ZLLHt^RlJ&=qLT8_&jLh03yCLI@m0j9j`(8SN2F$(NvHZzV}`X>Se^7d
zqh^)cwvqw~>uBpTQq5+c=g1mXW86$LSnMPjvTrp$Z&^HLuE^7Gsnbl}7q$5*3d%`M
z%E}B(_VNr0_Vq~#$wiOX2NO$AFtHfoZKT0e>QyDLcv95B+gQNbwLy%_-zC^tFl4)h
z|2`>5lN!t-c6uZNPDirgzY+kJ4|>VwrD3@h3XV5N$O3+Z3%Cx!<%x-dumi0Uutwkt
zWsl~-Gr=osnKSSIo$GUiW5v%;J6*T)WUz6;Z=?3JW#hv`x2#r9aq{gwj~hq_Fn!p6
zS*nr-KV*oBgw;(PF{rX+zY3s5hOFs{@kGS_5e{@F)PwwnO@Z?)8GslmEZqWxzaRX%
z**iqVoX_8%kgJT}xhZ-l$5wjSNZ6wRHgg>O!6Neus7zRlw5wo+lRj)K-xY&<Sn{F%
zEEz9}d&RK-wDu%L#49XvA%W3+>To||JZT=&Dz2EP3Q++SHhkgTJ_xL@LRND|@S#!o
zJGNnT_yrjKdCX;2w2Q1@uCwYv%b4vfvBTt^1^KNJw58GBkIRVRGVJzWsmEB)PdC33
z$UuaFD1(7mPlqbQ0$J<sURT8NiGvv_SP@}!STVO?Rr>~o`6#2-ZH|rN*lnAL1#KTh
zekT@C%tCS-?<s{>K!{rzCX$Mq%iJf9n74wr&Gn%&A$ww2%Va6A@|W6((L=gF#zS@8
zi`R+wtf^$nlVHt3ulYsj@hKu!I~P`o(Lt=Yw9!~0aMvGw%eLC+)<aguQH1ro@t`_l
zNs$UYmaU3P3=2?r>AVbBTQZ@En6$<#vm_q647tzCi8~7zpMl^*;<-iGzl}tn(1zeY
z@ooOiIr49g2x_SvJe>_S9r#My)lvc5Vh#{wbGDY$!|K0ot<6DFCACJSArNMbtgGdE
zPI{XJ+(vaZR<sRRoGTBqjd<{$tp`i`hLcMY7AnyGnE?1!LLtjT!INEA$*x)>7UKuB
zNDWz1BgADQ@HH9W5V17&Z>t4Q?y!i$o-Mx_#@-TO()CQp7OC(`^$E!Mgsjn;22u{O
z<w=gGVK4^E!0eYsEDzZEgr#%Q?(AFm9Izq}$LJU~*yvmXZ*B_lY;8nrwb2?hX9`ZA
zlj>)z5ln2BRPlOk3?3LfJ-Tl{vt|(z!CzgR>a&EXfT@DvtPRw7g2r8#(1{39U#FMA
zN+xrk3D~zrb)?P9hgm2PdxoomJ)G3iH^lf2tF^9!5n;{TVc`oYW-<1zVfFM=^lbF1
z_4M@neEz$>t)8|17`^`bzW7w=SquJ-&j6e!;5&c*M$eefBlw8)mpHcKNW<@wzI@Kc
zr>R~yeKS3Uew^NHedEt9LK8hBeU)B2!H3T+`d#&Y&^OTQt3Ob0s-RBqNBu#1Jq1+n
zN5LpPrM@A4>w|QW-bjJ?^EG`5zPHz#Dzwy_s^1UC_qzO3b=L&qw?lfy0yn+y^n2+|
z5d5y!R{uAgKhl%(-vy<5X1eF$pXvYSLpbj9r>}?pa=os9wHe=T-yVD$emyqosrmN&
zzdQ#2+x-0d_}>n^FaDkBjxxQj0>$S)@&2ac^9_!xIG*G9JJKe#rs<8w_h~qK;{4s$
z_pE!i*7rS&f9L;l2z2N4^B+1{;N{_~Oz?8?pAKGL{@;(@!iBnW2BNHgcl6iiW$`~9
zyo~;*qd;%2PJVeA{?~(->HpUw8D;#NgYPHb9(;fKpAKDL;``IL2QO!Kc<z0AgY`Gz
z^Cuj9fBU~XnExifu%q6fuLt_A{?|Uu_v>#D{W*F)`9Ayg(Diq|&;R#_@ZaUt=?h+G
z{HLSO=U;h!^39<y5PiM}{W1lg4LC02Xu?5S&-DiBbdN~y2YllA{1Bg0zv?1hAALQb
zm&OXZ<G0;99W{a1Q-b!NKjPCwp#1#d|6}h>;H)UF|LyAP<qj|mBMys*EF&NwAR;0n
zQNp6QBN7)vRAf^`G>ArxF-8$t4H`7WpiyJg7&XQax1b@2NDNV;L<yn-0umf?#BoGK
z`+d&o?z_y~83x2G|KHp9bG}twTi0^x)TyQWip)w#WtYgW8p!Qt2B>Tk`BpcoUsE{u
z=-Sh8L~dSgT0qCd_M<T&@-FhU2C^fFhpeqm;r2uZiyZ!12)Qn@Jt39vBI9c!WWUJ&
zY_c6qclb}+K-;s>^tBC4e|5ther*nQ%;M4ZYM1u^+_bm%oA%E0rn~d1Igm1TcRGga
z?NRhANO@Dnp94%WZ9Fi|Z+(%c9Zh}byXH`5K=`aPjJkqP>`2nQU-{!$ctnVNg&UPW
zI${?d_zSd@K5{uSI!(kIgTGa3rftPIDS6R07-s6*4yG;n$c%?lM^7V1q(0u#I`N#}
zasQ@i=ls>wgBm-Bn}9gI?0B=kdkJ(UWAXKvkDC3RN#uQ!X&sv_oJrvq*!P7xXWTT5
zgcE9|azCrTCv{o}bN@PoIXJ2J+Dz@Yf$8tGqt2v{2Jn0U&j;|iP}A@eJB)J1I*;l(
zV@(?!Z$+NU*vS~hczC*wf#@;mv8|(yH;3Ar@e{qL4Q<6Zq591R_zYdgzHa*1Crwvm
zpRrej<@V#S+`*J_*KX#1Hg?g6c7|JQf8rm9O!@*D+R}7$mecOfnlA8cKik~&A`izS
z<BqX~riie|J0BbCEH+K`xuej34l#q^oledg#;bbdP55TJsb~LgdfJtw_ay1}Gslru
zAMumt$ulH<Nt-;qqiIQ8A&Ju>d_(Qy!yWdV@MAj^ld`x@SZTlHeh22Km{Y^eN{Nnj
zKkoPAeg);Cyl&61((Ms`>~_WMjM)ye9sVEVPo22G<Nmj}KZN-p=IC&<kn;d-^Z+^w
z=}5iV!%3HPXs=3pFz%ZPBP6;CdW_qG`1SGMM!M9mOMLfH(z_e;PTXIGeh1CQpSpLC
z$FD#4pO8j8&bp-Sw!+<p?@PP5i@1M|`=>FVz&w?_2@T+RKMZ%cmxUjDO~XoWU(6!R
zLc;tUf1!uX>0WQ#dgHega|!03Fc)H86>b)CUou_2{<u*t?;n`t(R&&5ub5*A11WC^
zf9wV+{|FD&K+0FbTXi7#qbJmvI(`##Fy=~VMQpCd{4l1qn4dy_gWibgJ>@IuA2pHi
zu28~zduqb7!nbvz-Ka~g_d3*5PF>bDA4xdr+tiQqHuL~}-Dj?}FXPI-$g7BkV)kKN
z*kne~7uuWg(7&YbVm=?!)0huHo1jt9xv_a6=Cv`6z#JRX73Su!(##4!Ce1C9E^Sun
zG?#e-W@Fr64mS&_j65ZhgDNL)Hv5X4bO#yF9Ta}%9?SS~2>SFLgb_MBreT;<!p~K1
z#_}{RGi9D6x^*+-GOl-1nJM#yv8Es6&*|<I?Ef$=+&-A{?0$?#_h6o7_DRo)o<Qcx
z{8Z9Hm#03MqsqL-G?Mv?JBR%J694CUj^s)5BP4m0=ZgHk2tS#NbYx7Fw3?b$?#0Br
zCJfzc7}KR(({NAdEy9bO6_T`hb|OFQ0ObB8`qfy;M_fP0#`S}IlsTj3U37EFLox@F
zya<Vo-ih%;bPn_b^oT~HTi90_*I%WMG0{KT*rV|i%F;*SzXE#`ZhfK5JXz=1GA@X&
zWIthU$NbnHLzsO{FSi~#i15()l;wGzxgC0$ape=-8k=T`&du0jB|oaui+(8cbJ3fd
z!lyD%uQc^s@=ShhPM*l4KDRf1C-DsO<$Q)d@@w3mX6)TTxpq)4Of6Rr!X@;5!Y6bx
zdX&s5VttQ#DzfdUL(%QC>qc}d>QLq+ao*c&J;ge8I(~C=FnrO|{*bx5!&vW_6QH(G
zbEt7_cEJ?t1ht1GTu1n!mopW2iykQ9TgGM^a}@R0#qMVgr!OBS;go7lzbo;R^jq2z
zbV|~7cA9pYZVBa=^h?a)&ZmTH0*{ucUrqVVPOp6|Hxe0gh`Ypm%Q*_Z6k5pKW})dy
zm{Xkf(7vWOGyr>VXh3Wq01qDm^>SXsd=axh<ABgw)0uf{XMc_9TrkgcCZBpwyknd}
zq+LN9L&kjB+Zkw1h7N{?Lmi+tYMzCEXwG)dGELNcg7UAYFF~Z&$(~6%_nWgtzj9Be
z-j~x~mgBa}G|fsYN^>4*&(pM%XQ*l4r$22W?|-D7=hDCC!rODH*GG{n7nvSz2h)RR
z9jN^L9_vKSd4}Qny{V)3AbI9t+@FVCWXn?8qnVnK3=vr(YY@2E;q=>9`2CA~yu&k2
zH$$9%px-@<e!Y%<B0Bin<e%q!9b{iewj|UI9Xu(ElqZ`go0L!K6w^w}DP`R?of?NZ
zFke`$C#kF2h<cQ|RGM1nH7WGdcugv<f35GR9ZsW7q+PPfjqX{K5*eFNBKvDHr5*R2
z4zVBBF+MyZe3FlpcZ7fPkh_d=Xq-7icq<<XzkOvIMH=}C9u_`MNO@WKxh4`muR@IB
zt&oeS+tZMX$79O66m21WL3maBT5Dv3@F8)PM`#b}ciQJ(qc2HYN}LanuhLe-V?WWG
zq+ZC6eF!;1e`9R#W5*y*MIXQ&o&HPrYGlc^xXCm3C2sQE!OUlQE@Qe!+6Sfe1j+Bw
z=r8hI;oGcdN}tkazKUG=3G*d+=IMkv1pS5fbvt4I9&%tSW(j%z0{!Jk?5)f`N&m6u
zl4oQLGXGF*^A^|>{RLikQ{m_CA;kGE=}2Cr?D9NW)9j3!)XzHFLDJZO-cmo#zvxSI
z@V^LC@)@_2O_9ew=qIG9^(y6+x<GDd`K4`mM$!-DS^B(Q$j@Tr|M#i8*N_=+p&L}P
z9`X)-c)RK2EHZ78_dS@Gc5^agOb^DGBN!8M$C$?%V;*OWk#Xd1#*PJ;HH{IIdDdhz
z6lx2#hC0M%N6a2jXQ;jT!t{gMn?IY*P#fI-H{zW~xvn9v-({WUd$hri8S8&UIe&?H
z0dxlREAIbj4mZzXKbgIaTQE<9DxfEzCHT))^8n{o%!|>_CYoaBDRiLm^oJJcRufHu
zGc^3%xzOzAM9)0L>BTeU+21lP%s=7D^WeqrnM2I)Ob4@o^`!H$KgIajoAL8XNb-0M
zro=IrrDh*fNq(+^Cx(*#XFPK-<`AeW{4s!M?F&CZ=ArO*b>~^~JgAwbbDe3!^A6E=
ztDr5v13w&wIYM=<W{l0E(;NngPA1e8`UWI=S|3RKQcz%>@I%c0kzI8X2`gcag(R-%
zcS3>rc6eq&?(wFTx0JrKzd6D^3OdLf;2w@Sz?7!V0j9M(#&n49TdNs`X-&A+^wC!0
z=8e{Pt$0RhOrpz_qLcn1%PsLs%p+pIHkd-C$d3-pJCA2B(8U=~8+?N_#^NXINd=UB
zff+{o7Q1bjH;w0hJoPmmxrOOoVY)*5L2Y9Dp_oGAE|lC$nEl)X%?U#G3gfZ9w7+da
zKi`)=w;tM;zAg4xKQzBFEun_!@iPB>1CqJrh2{oyoc7e~CUb<@6u!j$zPQU=b0Rbq
zx&-<ebPx10^eD8{4l<pL3D1JYLbpLLK!1W(LT5rFp%b8i&}8VlS>|`JkATKN--Z@K
zPebB19Qs{MH(}lm{TP}KMd`K*H(>7o9RNvMlFkz70cbfS@gIfmi_K3lCH*_9kUUqO
zDbJY){W><qz5se0`a3iQl4r}agrr<jCNZVl;xBXx^h+oy_iLg@b3Yn74;q%op7<rE
z)YE0e+m6{Bitp9Di2J0xRZa054_ysSgpxX!e4h+WfKH2Pg83V3n+O9#tt$NhlZ!EA
zf98Ap^W_^OvjAMS8*8qC4#(|8a}qe7pJOiLXW^F{us>pc3;uzhW8O4tz)z4cj?>U7
z0-HO{c~}>x3-%sP5A27tZf%``j2_k*<P5_7IOjO<6z3FNCNT;)&ehJ<;0$L5F84V1
zVt<BF$#I@z%yOK?tfD&366f#WYtBk=m9q+b%h?FN=WGGXoHB4L>j{qY5wl9iaxu^K
znWbBsVoY^xV`j^aZ9?C1Y+F_$9D6W(1dct_9!i+Q(RCbq46|;}4q%PIvxDG#&mPB`
zuV+uTCxfTjQ^BFEuzL0kdj|MzMqz8uvFCv2+4D$Yv>gqOMG`pn0`{F9JJC)AFSVC~
zm)Xm}@1b)z_BwkVv2L(8fH%448taa9M;gZ+<&FX;x)WL7xYWHAyaE~ExmUSYfz#Y+
z_|9}^g0tP5!CT#1!MW~S@DBG5@E7hcz<ZfJJMIJS1K_XS-++r;>eF4}Qj_jG?mOUm
zcRje#r6%3?+|6K_OHI04U24*;a4W#i+|R(B?ia@K_<^qHgY~`oU<<DW*x5T6JkmQ7
z{Ij<jEcZS#j^D^{1a|a0f<yhG;934z;H5sb;s40L9-Qyb2Y=z;4gS*q75ISvAo!3^
zp8ZGsN5J3uaGn1<|8a1EzX1G`|0nRzKD^;C@t1&0{iWb5{wu~w6{U*6=Begjt5hqn
zb*is%Q%9%9ffuG`8yAjli)(BA+NMgucB%H@L8*hlPN`1d!6{0W>YC~X9-2B7JS=q>
zcz6n4Nga_o0z5KBnfb=kQQ*<3qrrZueqjI9An^3m>EP(p81TZ>h2TZ03E;#O<xfpY
zO#&yUCWBX`t^lu0T?t;DqCcdrNnHb8o4OXfE_EGveTw=@O-W4wr>3TY(<q7bU!nST
zM5CvS$3GGdGc874HEDtwGH%kCi_GE)BPUNZJB&vd6NaX#gf%6mmFZ}Dn7-x|bCx;Z
zOfXlN>&y%@*W6_uG>@BwW~o_WRuj@WeQ5tS=4g%Ej3+f<Eub}H!eQnc=2&y8Iopgf
z7n|>yADNlvHuDSfYx8^ata;J=9r+;7Yer2M@>JF$Oi$7|&I~cb&1f^xTxqU1v&`-0
zZu5{?fbO)+yoy9g^2u78X-Mq0=3pe!F=nti&3xO8F_)ODkVLc1Pt84ybAK>@GJi3z
z8FtN#|IOip+L&Pjh7N0Erk!&7$!*NS(@#9TjVT{C^u#voF-4_kUCJ~kbQjYLjdZ9P
zVaA$E&DCa#x!KG!_nL>z6K0Wl$*eSQ$NBe7BeS15&~#<w{H9@EWWHm@neUqKn;XrK
z&Ckp)k%~{EAN|$*!@Lv62~06MTRZfs-lo4f!3;C!m<!A#<m*&3$J}A=GmoOVEjG)|
z>t<~nCxy1QKN|8O=14OD3H&X-Np>N!_Xp-CbBp=8`4zJFY4bc1{SC7&j#FS7Gv0SF
z-Ax}e5Se|3IS-jV*<5R;nOn_#bH91aJY$xam(41(K8{n*>}w7%2bn|7QD%@i*_>%c
znv2Zk=7)?AKQVWj2hjKaXkIX{pmV-!HjErOVX{A5@qEScijx$tR=i$uhT^S?cPQRF
zs>fxc{D%}5C_bmSOz~C4HHw=Q%N2JB2HvQVmyHRE6iXCaD7I1Tpx8yRhhlHVqZJ2^
z8g=od!3l~Z6elWPr+BO4eTq*gE>m2sST=g%B^L)@3Z^{8`ijMhO%+=zmMV5s?55ar
z?4*&SQhgK$DxRWvmg4z}6BMsdyiRe3;@k-rjvJY}OYuI%hZG-Ed_r-d;$p>RiZ3g!
zoN&pg38~eJYZW&uZdI&M+#y(C6nSOg;z<RCij5VUE4ET>r`TDsyJ9cJzKZ=X!6+E4
zc#7gM#o>zQDUMZ~pg2kKO2un0nKXK0!4$<AigOfiSDdeSui}G>k18%ueCASl?jpsd
zipv#WRa~X`w&DiGEsEuem6yT81v>@nHC61cc!J_+#cLJkDL$^aTyfK77fu{o-zWx(
zg^G<8n=7_bY^T^+vAbfg%Pt;uY5l&6Cn%n!I9748;`NGi6z@`eSn-+5F6(}1{bh=;
zDy~u7q*$)FL$HCTSftoou@vmlpo?Np#lDII6;DzerZ_@zwBiKC$>3oPu2Gz#I7@M^
z;(W#X6dzVxptw+R3D~p2a>dsb*D7vNtWf+?u&_X}v0_Wb4&dR1-4%N&_Eqe!I9Tx%
z#bJuW70*)~d)ejZUsgClagySdiq|SmQJkSTNAY&W`HJ^mcKM~36+WoAKyi`ca>Z4O
z8x+eGcM3KvP%OE6%%n>iwo&Y$*hR62VsFKx6$dJwpg2VF48~y#$=JQOOqUU)G18qQ
z0AHJpwRp|-o?yxpn0n|G4bTW0G7cN_-|ym}gGejw3A*S#&CwmCJ-#lRgT5g7+cWfu
zYmLvkfTSV1mlJbi#FMVNL>Re<{>U279$_1ewP)Bu<L()@*0_6u4QRP`=wt_>Eq6kL
zJs7>QD_Wg_hySnmILsBK&G!UFcP>UIl`v~C@Y#RtZvUxqdv)0VnzU_F+IB(Oc23$h
zENwd>ZR?k|^-9~iq;0He2&e3SY-}DKo4sO_y?6ER5Sy)HvuSJ=#U`s38m=EET(^Jk
z*kq4i?>ok3o7iO4Mcs>IvmiF5Zxg?Ttn5fSCFE2&c>nroo5&`0Yf+iDm8EU#)3#M<
z+skR&lC<ra#J1mka7x?#?oynm$od2>vlN-NV!uw2SuS>Fzu-i{J?65AH$7%t`!gFl
zfOP(yc2<Km=ev(Rn0roS=6x-*!kd{1-^F}Q=H5$~7s~vz+-zsTrNAj>Wvz|V(dq8=
zcKSIdIm4V0&S<_;J=wX&nc~cH<~sA8`<#cJ1<pcN%9cAToi)w|R>dluovdq%hT-h@
zIxU3Rnl&#mo!et`Zfr^`iMzB}<gfDHnX6-i>#TPwSWT00!rDUHCK@X^(V}C9+c`GN
zqYy=x7G1BlplC+Xe7-}ysOZ(A4N=O8*{E}LU(5=UJaOL(Vw1Hqy%&zby~)7XWL-(`
zD<ZRLQIxZ$g-u&E?H;@Jj!o8ABy3aRD>0|V=FPFm3X{6O9Glx?leJ8BkDt+Ocy!+^
zPNx~GH{zeZ7e1H!yJM3TD!pG2o6G5W;=dxgZ{8uQr{?V<v-IA`z4T$@99Z9DCG5cZ
z4pQMjb_rRRYL^-y>qrL{5DFjGS_JFE=WUqtcVYdeH!CUwSzj2!a{^Yd1UrGnYA;rM
z8@0DlduO$GR(pL`v#fI*sGL!{+&HDHG(V|YU07$MOi>uiH=tRAD~-zAJ&wm+X;dSu
znw36?+%IN*Vl>>n3VR{rL32ivcC2|>*5D?CrL1{bR^O(8U0DUQtg&T>ycU<%tcXd-
z>%oIk*GU+)k3p-9Q)Gnh&bm%tR@o%{M6fOEZW8MvuwCjB@E}&-ENgs|z@yY<44hQN
z7!}uRYC1lx72Bq!VJ}r|mtuvQ*n(AK%+eTwZBsMBQpI+x&q)kH)&Sc+Og$uPHQDQK
z*()`og`G(FGpJ?Hj8EHGgO{~Q+*mP=egBZQy_wjYhG`q4f~-rjf80gg;0@0FupXZ}
z$YE_hHB9|jnU7MF75O;4w1qxj*5qTidlENUFPFG&Em~j?*7m2`X?C02(>>aq=FRZO
z`ws`#q=MAo)bP}Xf&~SY^?KL4y57qAoOgj&k7d2_4A#P`%e_a<6RZI)VdZTFYhr6y
zt=eq1nhLW6)(@OQ%c$c{ObxJqQ*)4I-<$hsc7>YL?MgLgaGqM+XWCcPoMm5AbGF1!
zjf>)AYJ5zMkE!u7H9n@s$JF?kv+Z(L=qFm`3@f!#YHtNQ*;~M_oIJFoeG@oHLZ-%X
zw!xCRaKv=>`7J367tFN69kc9@!P(XM*4~DDYkNCbYUhFj>`%Z!oNkcR=7H1g&%l|S
zeJ348yFR+UIFvQj^Wm0BtYlu#I_|BkG2Y9%>f@~bEn+QqIcuw{7*RHuEsQFaW~Y5a
z>t%ptT%f)N**DdkX8)<?bo-W?Gwf<LXIjR8!p*X4)SNBxsTYlpsqry2KBmUU)cBYh
zA5-IF&gR^x)aRX)qP4vXEVc8&0ruzMAn~OR?**sXyTR%9K5&K=E}Y4GSyG3;1ZOjk
zY{~fB5uLmzb<qzFJBd}@v*5AOoFTLBRrUeGwYCp}rS>tfll?8&RrYRDhuQnV0rpqm
zAp0;ljngUeyx)K`?XSUE_7N~&YyBSg)^-6{Y99v&*x!MJ>{H-0`vf?h{a{Jw51@=^
zo_!kI0A|5yX_H8C`$v3Q+l64M{WI9fE&{vSbHKywGvEOG95{_LK9cgEz!_hG1J-Iw
z4zTa2Imm8MbDBlxqot?YO=`}t@2WY|u2XZC-KgelOMF^V<6~-kOpTAJ@i8?%rpCwA
z_?WZp+sXlp!AtEj@Cv(x61BE3fTi|%aDaq?5B>s9voC_v?O(web}2Z^z68!@e%+IO
z3|aji#%lg(_A(~3&OXJ=q8H3Vr@D`R@EFo%A?xkSSP5TgR=dY&-dnr<)GT$6j>_VG
zL(M_%acYin2dX*E?XTu^_gFP&aH2rUKGXfCnzP(NYR={qwUl5BSZcR{o$N<oSGyS;
zVBZ4=*^j|7ZeMU5Cy%6LW#DvM4$iP2fHUp;;4J$gn2+x&ac^xu1xq;xEGbujgY4(v
zH2WDio%6bq&USDXYZu+o6#B7;GK8LSp1FV>k1Ne}>=E3|j?W$Jz}(Ni$K&iss04OT
z)Y7zePg1kgW&T5H2e`+pImkU-%`xr}HK)0!s5#vos^$#$R5fRECRF0ha!*rpw*8Xa
zw6-BwYI%=_eD4GYxy*N{k-^|Nmz}xPG?!I~)O6PeXSnR-Qqu;U<$B<3*0$OuBR$e@
zFk{Lv<llLWDie@^SE5f(aqAJXwOb!7bsK}7+<m~VR`iC$+yZcbn*s;9`+{TKCg6o`
z2{^%R3SQzCfz#YVaJpLz&TwUHo#{3JXSt2QJZ<CdhkI*IY|C?H1RmhB1IANYfz#ZU
z;B@x@a3-f&q-}ImcH3Yd;I;+_)v0s`60)`14lH%Mf}PwhU{~2qrgWv?0JkkT$UPVw
z!|4|(T{m!o+a0{b?FdeDJAl*C-lcR0fiqonNJ`fUoW0w8bEdX)YxgWQOWiZn9N>OS
z%|YyP3qOo;N2oc?9j@kdmpM1?Gk8~6%$e@lYR+=MqvmY)Fmlt{?Fp8;J-`9(q2M6S
z0!i71f#clX;54@vINj|7&Tx+aXL9C8%5x-`r?t=uNDZBW)X*qM0eylL&?ZO$U4j(Q
zBuD{0B7X{R;4Y(}r0^yvBcP=47AT{iq_7H<kuQG=YjGDTDk*FLMS@BSn?RAClEOMr
zB&Vd%Akv<z_5fs>)KWiC<eAjcH$ahPQcD9tkz-On$ATimq<+2$iu|fA<rDE0X&@<|
z0E#4#lurjm3P{SQfFc1T<x@fF{gU!&V9j|x6JOyMN%;&=ctuh^7Zg5`l!t@DBa-sB
zLE#Tc`8%NO<U36tVusa5=2_68;?nE{NY<AV7i`TYM-+z<7iOG7SuP`Rfzs&=;hw$k
zESF<(>5=2o2bT_M7u&3xX(#6y{CoU+Ini*R|11A~In&_(TFx~14|AsBQBE{GCg&Oa
z-*cYf5B?L}{X$MZ5bjC*ANQZa?MeSBW1E(ntMIGo_e)}B|9(Xp)qf9=ZvNksJVl<E
z`{TR?d8q046uFc9<@-JD=l?z9=l}iD&-<g?)_IV#B#XW0y(QiY-cs*HZ<+TO?<McA
z-g576-pk%A-U{#U-mBhg-b(Ku-s|2Q-YV~(-fHhnZ;khs_qO+rx7J(dt>>S)Hh3Go
zP2PLnX769#7Vmwp%=^IG>U}6@RJ?88$6kf^iC5|IsYdTJZ-@7}x6}K=`_c=2<2%0f
zUElM4{@W|%7x?x3`hEky&~M0BUmE$v{yu(Ve_y}EZ{j!goAK{o`}r;W{r#5y0e&mL
zwco~X>zDcm`tAJoeh2>`&cSr@JNpOwUHq<oH~$d7yML(P!#~XL=^yU*@{jO)`$zhH
z{G<H7{x|%i{bT%o{x|*p{s4cVKgd7UKh7WQAMc;wpXi_DpX{IFpX#5@zl{y?Pvd0G
z>HaYPTmBjTnVhfrw*MV}gny2Iu74i?MRvYF${+2I@yGh({0o?yUF1*jFZL(;mv9E>
zyZ$8qGJmpvxqpTKJ^xDoD*tN#`~Efl5BzKWANtqH`5gZSe~N#jKh?j<pXN{ZXZSPy
zS^jMQX8*_j9RC*oR{tmdT>m!zcK@gTJpX6@9sbWb&vWN)bANT-|0?{RpVJ?x!sCzR
z;qkh0bahUy&ch4+XZ`0mrL;)SDEZHGM(G7kD81+}^Z&yC!~NA??*GkynbS%u{J;CJ
z`mgyb{eSqc`)~NG{D1nZ{WtwJ{#*Xr{yY9!f1SVHf7jpWZ}Q*sH~atcxA^b-W&Q{L
zR{ul4-2cem=6~#0_@DTd{-^$S|1*Dw|GB@@|HA*$4_U5r0vou27x+OCq>R(}OXnqH
z_qC=ZC<yiqN`fZd4}xYv^I*TAMX-O+GB_Y;6|@f81Z{)T;J~0=fHu&$(!BLQ*Aw&g
z!=x8h?T3fb6Tgmrc#ihO|4cuWUifq55gOt?*O-(1|1>{-2}f4rNB>!J*W45ZLxR(S
zp~30Fu;5$48Nr#sS;5)Ch~PWH@PP5Ym=o+l|6o8cFc=gZ8ypu54vr5_2u=)62~G`8
z3Qjgo@fOZ=GU^v^fhy7?apJNg%f%M&EZ#<_&1pAVTy72sz8_o@{2;hC_+fBe@T1`R
z;D%sIaAPnvxG9*%|2WPFW(Ko@*}=`hkApeEEy1n9PlCC@9l_57R&0xx252kAL&#-^
z;Gm#m&?)H5|37vKx(3~XLxLW`VL|r*eYN;O;{|sI_XPI_zvQkB;d=&$2fczLg5JTA
z{9oizLEqpTLBHUe!O;P_T=5iB;+^Q7<eluD;+^UZ@lNxGdZ&BCypi7d-Y9RhH^v+5
zjq@(>F7(C|dMu&O^v?3m_J(`k_C|Q$@y_wi_0G#1TGSb*cp#djQ+zb*$+oy3Z`zIX
zj`8~OkCy$t0p37wkaw(ioHsac4xUT3NgbH#km{J~oH``cBh@q2E7d#IC)GD~OzK;y
zGgISJ7pK0Px-4~h>U*iHQr}PgAoau4k5V_JZsf5JPwQhEaN@R?J;L_3N7_F2DBIV5
zBlv~o{A6)&R+hmpneaKx{EB;;{W!JT)Hbut?SA|t=l-^(J;1iIt!*35@s`>HZ9CiE
zcCZK8j<%ESY!4334elg`=4i<rTqT7P&PH~zU2Qjei0#gK-yZfb+cRM0zPMP<N;n>2
zIFG<N;R0LF*0&AV-)LxyY$IE2_u<?y^TS3vd7~$V;B07|Mmwmt{A*6uy@<2M*1cBo
zhl<xJM()?E{RYJ;iZ?1wRlEsw8nF`qJ_;7V(*>*;H)Y?&Wq0flOMRHOym@Zf?YE8Q
z*oXg1w4ML=wVFF?(-n8AC)RZ|+M8P7e|q%UubLKE`wXa>4rs5kSKIG@rI}AYO)z(+
z^R;S$?zsQ>xSLlGBv=1Q-87G8>OUJ4cqddJ*Z6nkYU3YcXg<v~)>pmf{B|+|1a}3$
zh)1aIRYoZGRBIolWE?7NX@2aqb2_u<-plFh^mhjH&Wh~2pYL4YOl0T%YUes<Dtqs@
zI`f>n*nNM<dCYl&{rAPrOU?@Cb#~y_JDZ(yr_%Y-dW<TK8NXUFR&{0!>cx21-ww8?
z*kN|KJ<pD{6YL~=rM=cpu`}!(d%K-)@3jxwNBQUJXY3-o)GoKL+Ew;#yTNX;<+jrD
zuB=<&7P%#E3%8Bi!R_MqaC@@@H_$!79pawhj&RR+FW@bb$?nzeb?#Jm7VnA7bMNBc
zs~>V7;~%USx{KXq?i$|r*y$B|Exj&YUut@UH^H0iUF}`xP4#AZw|euuyS)3nhrGwU
z1>SSazh7pqy_&i7Hs;E#<$8Y(MuLlj^TFqXQQ(qbH26X=23#791z!xtfy)9;*m!>l
zE|ihZdnrI;@%|cI1TGIIfPV`v244;)g0BRZfGdJa!M_LJ1z!y&fv*LZfh&W_;6H-P
z!PkQ;z&C>LfvbWm!G8u<fvbb7dD@?Y@AI~g<nJ2r`QQiOlHgkKh2V$a(%?Emy%_w+
zvUW-iujg(NdAxzUmx3waUxOQQTOLg1?I6kHP2kJHH1L&RI=CX30scLh3BDT40$&Se
zgDZoZ!G8ol244^6fNuo1fUAOA!G8un0apiejrChuR-*mZmep#%jYSjl+u8<TsVxK#
zMBlJ}J6i;{w~fFKwirCf?gMtTjloW$pV$(AK54$mmr<;@hIg^8_m*uAzHRpd-?6Mm
zdu#3f;5yq9TyGBm-?gp44YoD7(Xs~ZZ9<c_-g~wb+-wg7|7F{OTP!m{?|sX9u~%jf
z0za^<AbVRaE5+W2wli364+g{F4svCJpM(3@u3%%^4cwPEnyp`AyMs++57}>Odw|XC
zVPJE<DQ5j{wikGaJpz<3JXpWGJreA}8`0K3jBklqzo+dB9?tug)))QT`VR<Cfz$&?
zjd^`#X5oK9tJMqYF}vuGX5JG`_Dp2V@g^12XTC82UHx!){w(erF#8yY=H3fk`)uwD
znTrfUk3Ry<dpP$EnVB4mR^J;v{M+0YF;6)T9sfwQ@)6uOV%9PkjlT~%`ggc5W)5>a
z`u|aA?B{U54>Ot*m<{wre?OP|#>{U{WNz>cwE6Sku#w0));%%N`;mgI;iBPx6CCaJ
z2gi5=z_H#yaGW;?yuf1(7tQ}TaJ)AdCH6#S7bBPx^$7Z5`wnxX!va!ZMt=|3D!3PH
z&CJ7Rc0ZhXQ}^I#>}`W@2PX%I%6x;93vd8uBxv<ix6~nMpjWCEDklhdCMN=H>SohD
zHOCp`F7S%{4S8o}%*bSBwx=_M)Gea_vcDrJr*S+^VwCbem7D@%hePw_xbJdT-;Cf5
znY+wAPAjLaGs+q3{@z1B=Y+%va~E!-u=D<wx|~a>wvL=Ea#FnQg^nJDbtn~Xj->9V
z+LQia(U}|cZrPbB;3;U}==*&4fPLn6oXhKs_T3$sA#XY#!`p&`cuVkP-VPkfTY=~C
z2H;rU{F}%df0yy5-*Wp8`?lNH9W1*P%r-11)C?z7_}Y<q!F*~SB!zR$oAxGF`*-qo
z-_6bl_ZD}qGs^v``+H}c`v>=FXA07Ki8I}O(Ou@;>i*UJt25Vq*?rx)&Hbml&biC`
zvwwl}04sZU+EdY%p0d|7zQ1ed`x}E4JF1RpsWsT1b10oC-=UQ7aNb@!lCv*Ir-r4@
z;LWrNsY`hqZ8C46UCG;L*YMWab-ZmhMdR-2OpjXC)^Ob4laAv{i&@5+BDr%pA%xoo
z>O<a~ywVtZjh)I)u4U5q9;^R2u(O}k)~9?YLF#FZ*3%bSPv6mc8m;wof!5QFT2C{y
zo_?bBbeq=G?OIR2khGcM4%W1N?`V&8ea5;QaGl}JFbx>-W}8Cqr`~+d0$H8o9ZuNo
z&Jnx~f24CP->(_$oM<j^PIk^U6P%IG&E|*B9OsYb5$9RwS@Tb4nX}BSc3yT~Hg7VH
zEaD7{<(o_EUDg`h_uZ`~<$gqsH1HaE`<jkkQ?C_YmTT*knqFReuf6H*b@X`i%j@Cw
z<t;OdRM5P7mwQ*3`s8XJ=cc4i@5IkRrkzdRs8RTtv4+0gKRDHxU}5l_=3YYZ-mr%4
zADkG4P0gWqkuuy&$()wX0hCN~&4{3B32)MWyzfyXQX8Zj=i*G{6r)r6{zQ-OSV|oH
zPsHruj;-tJgZJ!L;Kv5$AnN}V=Tv8ibDA^MIo%l+OikTJ4jjw=4)w#Bf&^&EPudQ7
z5S$a7W16wT^L<tXB-}_sxb)>x3fqnIP!20TKjK7&_>Ge?QnLEQzKSyhxH0oT&i+<T
zj=-zK?QkmfSDY*nAL|{D+!k9~eEBj564UTj;3sAPefv|hz$tR}H-A7Dbv4hUM;>8b
zQ%?Gaa?-obx8S7rl#{jzCpm3|lQ`cA4>>2p@y9x+pe3H`oMA`Wk<LUr&W>{~v6Jm&
z=TdsYqt18j@9ZY$XYN>ctn-TYiWS-`-q2q0ruK^M+AF@0Ucpi@(!&-=udwy#73*zd
zcZ0jxwiN!fZG}H=d*M&pU-;7=C;VxL2!Gn4!k_kZ?=Y{g{kHTTJBHF9Z^tr*e#?$y
z)EaNU3+H^#UM;=Ke&73<H{agqJ?lMdr%QjZGo&T#Olb)_OX}RtW`%94y&1XN-u@W*
zbda4R@7~&5SXDa2-YRe1+Mmc<w|1_)b!%^vw{Gq2^46{Wsl0V-=gC{Q_GgR_{p}s8
zfvJJ^=g72Sc0O|L411@%b!+cJzD=;dK*n8a@0Pc2?LG3=t-V*?y0yQQw{Goy^46{W
zmArLp@0Yi3?E~`Gt$h$Vc)k5~inng<L#f+Rx5>F6#shgvKH`v`j8c`RpYqx_wNIU?
zTy-{lI?RmJ{&gW7betKlTy&B9E~D4Q^z$BOqV}#!&`eG=SJ8h)nya<H->4GlChddM
zwC~TL&$KqP7zs<wY@~QsPHs4y>R{xOk<5QL?;0xWr?QT^r~M7dBJx1q7v8|mZuYyy
zUG&}Jq55v|X!;u$@A`@vy<3cI(D#N}gH!k9z2WFCc_TOzFL~EDd5gEZzQudAzQucz
zzQsFS-s0utN|ZwK7H@QyyrCQ2CGXxwcgb6|(OvSsY;>2r3ET0aF_R{mZHn6!zZ7&l
z#rlfHicJ+;DwZmCym;iKi=1wX0~LoWUaB}%alYc?ipvz=R;;-AqKhxG^%aX1n<}<c
zELH5N*iEsgVjsnRmtA=E7<;VZ35usE4plruak%0+isvhiRpjdtw5!OtJ;Qn$Q>3WJ
zDcyh-+X7tv-*9!}azv%s9ej{FxDUD;nh(u`=0bCzS<p0S3MA(@+HhjA>X|I*4G!m*
z)bzSUW@>nBPL9pBk=fw<*t{k-mqun`XEyyvr*IxJiZ*F@WxE;eXSKh-!x_hPyI|F{
zsm}#wH15&myfo~kr+8)|r{cO3>81Z^x`ENQ1Zv^5aXRo7k{-M*aWpP+M)?Hvg%g}J
z@~qz!v4YcvHJo{bxC<JhYdIx^evEaVXhmlk<MCwPs#xu;bvE%{#WsGE@!c+8Hqq2i
zaK3bg=sHiatsgzbHYG0)=}OU5+me-{S+>+!X8AfII}ttE_2|d=KF^-Syx}aqA##!(
z?G)MZP8((pSJ-RF$5h7s>p5F}vz^Ob5j2_K5POHc+um;<wvXGV>~nUBeaWt{uiG_t
zz1?iLqRr9#>=Zc8zJlgP&LBC?9K{Ce@($;S9H*YzuNQZ7J!dW@B<MV%apl{Yj?-B2
z01dfWaf9N|IRWiB&D8#xpmT-V%N0Y#t?E8s?Ki0XcZ$V)mCSKU)P0J&bXMF?U3RMd
zKt&@V&4=p#h2na3FH-wlwYOLM(`s+7_)B$pLGey?>8AEK6_>Ea;y8uQCtwG4xj}2D
zwc5WFbUG;(D|S@(&((f`+IJ{^qAnLIwo`1S7}fm6VmB+)<#x4y#43m5?625B(0rlx
z?rNW{_6~|CE3!vL_-=~r1x>l)8g*&Rc{6F97Y)t5tUtbmocZScMrX)>j4sGMU+!4m
zTax}Lz0qoa>=5_Js5hqjqA4e&uBVy}^rhT2)rU0I@_22v1FNgj7n7dYfu1&kw53OG
zkJnj?*(+>mOW6%f_p)>!8*Rr&y~|$jl+m+1LY_oFJcn8PXym|l`kH6wMm>yLHJmzk
zoF<Cx6^AGusn}Yvjp7B0CkUF^YCm7`D0P{m_Q{H;DITuaP4NK5V#VVW3l*bSjl^zt
zs7njQW`gW^K0)5jP<vx_KV5OK;@OJh6#FO#PE*ba)c&-(->rBW=iMFWM8$^cGElLL
z;{A$&;>(KN1x+?TcV%79aY{9P<!#>95bo`xn9bq6)J6H++^Y5(xZUZhz6UC%1S9@;
z<lA$O`9R&zRr|+^+Arch^%wOmW+l_HQMu&H)6%a&!#u}0FRXoG6LxtMiB?7v5<Mu9
zo2#UbUU=z+S2cv_`i8f5gc>qu>{#VZgP~@qIhIq^k`A5EVSWgfDDI<JENC_;zN;=>
z)&7}cnYtV(_`)?Wuq#cj#&h!4IM;n`G>3NyyE#3fK2AU9SZ16<owLAmc&l){bE$I$
z?-gF}OmlAL&B8mJyPf-axA1Z2DZa?HB;MUPC*I#!!&kQ|oE=P!17{8U=DN$_jE?p>
zNb6?V>mck7+n@Lk^Mt2J<8eC}ms6bki4pC9@GV^D96OdL@f9!K4Vh#o5pT1-5^6<?
z(cZ}5WOszP^RstIoPM%L;tZ8t66Y-TNnW-5CxPyjv`cnN>=d_z{S@wXXJsjO5<_-X
zqR{Qwe|g3(<@7eK$@kXj`-+Dv4p;0bXnvyhQHm$13;$U__&~8#k$*+NWr*Twg61~0
zAEQ{JxR2s-iVYN_lv83i{J#Myv{1B)Z54|ZdnncyG(T1REZiUa^=cm!^0g-Z<wjC?
zOz{B4#_IchzN+Uq4-1+N>atdSJE{FM#d5{h!$ySpKz+|syi2izVmm?esoGmA?yo5y
zsqRm!%j0VAt@eG@{<-2B#b?yLP;sH==LWTRQM^FVe5CgFid_}kC^l5=qu5>0tX6wZ
z#gi2eQ9MYoo?>S~Q>ONF)xJaV3w1eA@c9mZUP_p1@`0JY;~XgXeEsK(vqCgw4kW9@
z8TkMQIqwsCjh%uVYG&tQzf@g*rP{}1&URd6$A))q#eMOL#jj_j*ot`q??}d{ygT!T
zOY){eB5CeZ$uV7!_cuUR=>?xrR5`?Vzr^=bb&+|9<Q`l+W$}!xXO&iwZ2gdECn4ve
z_o$NR{Zr%LB&h3Lj>A_5N%1&!iE<-z97YpG`AUN0bXHV}_w1&{J@lzM+u%(<^FK_k
zzA;)tc~s{E`Jx`U#5jK*rgO0$BW3#_QFC^S?O<<HFh8}vpi4oIdJ7vI+u)=I=QNnm
z;ED#<G`POOss>vcR1^k<Jqw2yURpS{@ZrK&3(E_4H1rzQZ`i%z84a&#cyGgH4YwAR
z6!j@OspuSe%erW8(fvga7d=t5uxN47vZ9xZRu#Qnw4rEg(e|P*8+ncDH!5z_v{9Qz
z9U66M)T2@FM&~!WpwYxelN(*zXj-G&8_jR@Xrl#<-fpzBxM^|E;-SUY72jU`VDWRs
z%Zs<|Q@l^NeTM8aexG^!JigDe#!VZKZalv6rH!v>JiqaCjh8fjsqu=EJ|!oWoKrHo
z<m!@HC3lr9D0!)5Mah<u@{-CX1x;EtY1gDrlOaupH@U9KT}>Wq@<fy6P2O%=z?<5=
zoAz%yx#<&4SF)@04Zah9v?+Ctf%?&Z>N`jA?^S(G0Y2UF>5or;e7ZZ|<cqfbaUTR7
z%UsoZSFl!pB|X&fej8To0=t?f;U?28eBU$=cbFE~4~JfWmO?K=%b>qNFG1@G^DeXj
z+6ZmJ?LBBS^e<=&^gdJueGqPP7C?W1o`9Z&o`ODuc7&U}Yr?hOkHYu88=x8dYs^e&
z7Bm~01Kk4M6Tad-NVtcf--K&Z^}_d4^~vi4<hqPpmurq&@;@N0;H%b98>p0fdFx)*
z2@ZvNK%yJHK%Aw}i_kLYFVIWSE=pmxlip_#{~2UHhjv0=Kwm;3|21MD{#VGckPCT`
z56S;DrJw?+9#kJ{02M+FA^vkm|8uPvb6?uL1Zn~`g_=Rlq5Ys1(Ed<M=m3baI+WF+
ztWH~~6gm*%&3UIi#GCZaK@eXca5_QMg>x`OeX!c@Io){PAy9YdP^brV7{q@aIs8wN
zGm<c@p*W);Rxq70&{$|3bOCfBG#<JLngH>CBM#r>bS{DTDyQ>Zh_xE$GKjSq=W>Ye
zbn<;>&$$xfYn{&35T`z!UqcT;zkwD*&qGTf)@;}<@|;(o70?D~BeaS4M5!aj29Ldb
zkDYvveSD8ye2+bRW-SnP#O}Sv-o0n3BeYtNU3-r`dygG^kNtX&-FlC`dXJrYk9~TN
zU3!l_dXK$JkDYmseR+>vd5=ALj~#iB{df=E*<&x>gIhPktsCLijd1HmxOF4ky3xBe
zEcc#bytvpjfU8QNOy8=6Q`ec6^vAa0PUX-;;NHWy=lq1Zk+9D~&q05J7D0c87DLZN
zHTTC#`eP;iv6B8+2`8_kKdz%cuA@J$qd%^rKdz%cuA@J$gOe-Z<O(>s0#2@glPlol
z3OKm}POgBHE8ye`IJp8&u7Hy(;N%K8xdKkEfRiiW<O(>s0#2@glPlol3OKm}POfl@
zp<Qv;4F0KSCNv9@e-XPG`Y|*ITEJHq{s27zJqbMpeT4gGm^&CuEMElop#VBM+==|C
zM1E9yQ^W1vG-w8`GZUHx&4%Vcw?MasJG@`eLidF4dQTA!?F(5_i7cs1%?)>^Zlg_3
zqt#Z$az!Lzh1nko*OJ<APtA%{yb=GJWk>}zUqQ`RQ1cbkd<8XMLCsfC^A%<*X?+Nl
zLmxrgpzWmn8MFiX9NGze0euODVHvGaMr)MO8fCOb8Ld%9Yn0I%Wwb^atx-m6l+hYx
zv_=`NQATT&(Hdp6Mj5S9<_xAk=aa$<asL~%4*C!(hZ4zrdAP#60=f#C0^JDB2rJ<E
z3V6N(p09xCE8zJG@6ND{TKycpZ|6PDT6g0t$-KUn+FDO-t*5ruQ(Nn)t@YH_dTMJu
zwY8oUKVa|i0P5j<T4fO}QAtZ|)PB>Rwt~ly?1f170$Qe$mRUp%S5m{3)Nmy=TuBXA
zQo|dm;f>VrMrwE?HN24;-bf8^q=q+A!yBpLjnwc)YIq|xypbB-NDXhKhBs2f8>!)q
z)bK`Xcq28uks97e4R54|H&VkJcggRA`G<q+sa^QgnF8GiO@(fPra=!fZvPs32>K1Q
z0JlFtPe4yXPeBVw<8P4sTLR^z#dgwSJ87{>#?ngf^6*Jo>`7YeN$)yy0R5uEyB_lf
z%qh6t2u-D>ra?0pduKwkpxMwI=oaYKa2u`puJ;R5Kx=kO6_^9)BNg<Kic|x0!2jP8
z|1~WkJ)<0{7WKUcqrMj|<6Oi&;X>rwO61#0^uVZ3HrJlC2L0z?W?@b21^gr055qEB
z7Ot{eq3zs%2JL`8=U@Gh^Dc6px5P{MN5Zwd&F#6x&_4X5N6T;(|1h}9?GFuvCh{+T
zzYX~^F`*0HM*OE>F|-do(+awcvEheX+7G$cpxQGt&#NHhPEy$!$8XO6KvvCRJ^m+v
zuceWzVnVg!Dea7}`E6tha4o>KIj+sswTQ45*G!J;mSWvPrKqnjsjn}2KDkQQKy%f=
zt)TY^@;_TEe}w;~t6S>-f2gE=J(X$5vqUDr|03nS4j0E>E@#}}?B#w)TRF6#;BWcQ
zg~To{*&!mohDgbbYsQuxD@iAlT2<aiLKl$>hto}*wDYbt#oiC0>r8X+N0`@R-oUr4
z_&<$QJxtExA*Jc-?k0&9q2}9q2ZUR_Ui7<+%@zNwd7_lY^G;$UIT;=H6lP>Y(RUnN
zDtPvZxSvE%KbaBY6zr#ltGpqYr*S_tT;mN3%Yxq^1yXSem4qtS5JNGCg_Zd7^)r0S
zNJD%p@%@CjW%!nBytT1U5^t0E5U)agx5W8MeAnUozNXrM+-)M|ZG<Qz<uY=2H>qzX
zck6k=Ht%%ID2L09PsmOBe9DLGCQU<1p5&}tOYVE;qa}_apQ9<kShU9r(4JjfD{zs!
zGE>hRiU0Ye9)<hJ8$+4Kh9BYkM{m5AdIPyXpW4i%R4ysu`=LHrd^e@zM{(EV`w_k$
zF%FO9S(ztDP9**sLP*`bPn~AsXZu!imTn{|pHI0)@%+)ynD7bWZ}P^GYx3`17;cGk
zxh^N2N<vA9P4X0KEJ{OaBJo+z|D&AA|F)cE+S#-DZ>8awBQU?ifBBw^IRn4j_%G?(
zalaGuF3bloAH@7U|MR$jFbfI01p5n&NqaXn$A1y7$;NuDoiu0NggtNQ7^olgP3Tx?
zF!W=3PJug%5$&g88UK}A=5Au-`-oMC;&83M2&$T<BfZBANAtQ5&Feliulvxn?nBeM
z&--)uw)Z?7_#*UDIM;gx^Y74W;RcUYSno~z*FbMUZ$s}uYoT?}dgxtf1GEv^1ic4s
zhW-U@f!>G8pbwy}(1%btRLL_wg%~eAMs$x6-QNdl4DAb*Kuw^gP&24Gv>((toa=uR
zvp+Nd8VC)7j)jhc21Ca~CqO4c$O8Xl=oE<m6ZYwC{%O!q=yYfp^eyNN=uGG==xk^>
zbbh$O9|etu#z14CanJ?Oh0xq^i_czwe>=p=y+1G9g0{2Lc>e3*8vku*GxUk*9MxPz
zvho!@8E^61PUxM4-bv`~c|uG4ompXa)(|s)deO52k<Q*7(0u3-=(o`Ckl2xbgw=Ce
zLz@0}q_kf(U%`Ii)*A9=gZkmlfLXVk=EsJv9<ag`6o%V_hRB#k;Z}S<3HAwh1dU0B
z^ZmH6{)F$Apa`=OlB77?Mu=^kjjtbmif=itmEwx#SYL7kenPrC;ut&BPeMybxhp62
zN>iUal;c`S*m6y$VfZ?6wh&66Afaf@Et=v7aZcq)6&gPv?$)$xl=2pQ7`Ze>+1n}f
zPNG*vqez7}1bIA^`(gB~ND^*APHjMfZ9sxOfdt#iI2VmyGD7S`_V4sg4VMvfCnLmG
zVwW*OY$JtAB<4q?vK|Tf0kPjhLVhF?5*eP1TEmdXiL{TT<VU8FcM^0m|HH+91d?`{
zHw5!ELPpZN(i_ECJ(}@i4DTV2#T<v<g^a6`w*Ad$RwvCPa~@g2u0{j)*2=<4e(W&m
zZyP%Sc`n)}|0QR8t6%@kuJ)m8v<4n}L{1L-)Id3PP(}&uL##GZH;+BS$c<KGLe`Bj
z;e)UuTo0~igvz>znfRCI^Un&JwuTGC6-W)eNIy=Gw51JX2RibpgbU^QwfWm$vua6x
zzkGBa?=W0VM0h{k7Csif9WDx2^Y2`RadQ8s3~F*Abs%Q||Ib~*k>MI}IUKMVu3n?I
z_2DY@VFeKXGTd0f4cCI`9o)bAzg|&DYA$9K@s(w(RG+l`N_?n~oF13N{BJT<resN+
zy~WevgBeNl-&EeOJ1=nh3Nw&@87v4FAS1T0#`}@nBQ^1XAGYAL@axXSzdQZ#b>=*J
zg-hdSC-<+@XWoYr_kVNNkUorr)ca1x(VPoSg)71w4-<`@$+(#K#r({7=EB!m)34LT
z(`D3s9Z9eS`M61XTb&~AwLmp$ReS9T|9uIuoAUqsCGDDzcawq(_rh~|xGk@nq{eIs
zT*W-purg%A=Y+y1(kXHu`KZZWj`Ro}^;M@t50H^x#{PB6_uFFoTDX53`oNm-t+fAJ
zNvi)zvuY3jy7NMfm8(vmlIQDwT3ynob$jZ+>E0L0yDM^Wum6opyQ`VFN4_yKo~^)t
zS#+!asT<o9m&9NG)0dE7xDs9PPyALA8(S1IFBVWsGFnEnrg$ckH)M{ZJhO(Yfahmv
zIW>ezJG1)0tTnpL%%#%ahSiWgx@yh?HL{H-(gT@M73@a(5+m=Wb-s<<$K}WyD9cg9
z6~=Ywp`}!b7qw(oggRPl9)aRA*C(NttX4L!V}f#myM`++^TMimuOYa!F>ep6KIV~X
zbG^?B{56z$wYIaApt;QZvmREvwdOLfhF7=MUEkKaX&&qO?6Fj>tB~~e<RTAs9CyQK
z_9XrP?KuA@%lseG`Tw^$rAqFzB!udFS@%^!X5A*Mf00w}ow#LOqO}S^bhFK9D3vl#
z5}U>?4j<#pDJWxclv;IUFQdv8#nw?YkFFDGpwU>!YBp<-Rif|lZO!BBo+invEV@A5
zubRpt<xDQEm%Uf!-O68*huX}V%3O<nRa<g(_KRi|8GhKknok~+#LCwa!oyYF<JrDw
zd{tHmB*k!XlJ3`IM*S_5t86~0`xB!w<>!9si`B}UUcbmY8(dNMC+|tfz0=O}WTaBw
zepGWiYphMi-oj~VWA5y6&tv99!#gdcv?+XFc4L?|zaPG`C*|6kaWd;=;d0WgZwgt#
zT2IZ%N>(NRCscyI#amp=zgO?g=jKa`x>+Q=g}E+V8a|+5O2A^?ijmn0S61I?9OaN)
zitS^h$qrhngnro~{G7SpBJ%v}aB=>Y)3oah8IITd!3#W<cNEklzcnQ!&)yr)m*>DS
z?4;@Q<*aXgcIM?OqRonQK9`<JrgM|l<*89xlvJd4Gdpo2rMBXim$%cY<gt)inWmLT
zk|n`2wIWZ>xx6U9F-BeuGa*QQbGR`RKjTw(Tlgt_8`V(WNYzpgsEZos6}q#up=Qk_
z`w@iYlsdm;yo~rZN2{qW?ZbC?e!Ol&YMc*{`#4=!z9^0FCQ_9)TURaj*%`>OYpnOd
zb@Y$Q@ZB8G_$Jf-lIN<mkS>RYrd_s+ET{b?Cz8XM6RXC{_oQsMtf%JTzbxOR7P2GP
zVo&mwuDu$=X33H$OnqvIHN+Yt<akK>A`@$VPR%|!31x1&n0{!%J(;n~zs**=LV5ct
zzOrml?ZIW4IwQWkQGT>JAr8*lGg7wbF6OPyrd}xTaMtOfULGJ`)+&&!#&L0GxVF`W
z-L8YYxk*w<N{D2ipWAxjqe<zghc(eyMTs}7-oKHNR#uwdrxb}s(ooic!Yc_OYsu2v
zv~I&Uk_<2cRb*;8aTPP8JCWj3**-PdlYDDzav}97yH((l@G1J{%9>*C9rvjID1FQU
zdy;Bh`$cxzoZHw7S8hx1UV_r@)N;ABYyMTX@be_aOuI%dBE{8~9!I&8Z#Si{Ons`2
z9)(wjw0E5>$tacZh_qEE-8v<)hk;}aPe1j&bT4jzt+0BM8j^7+=hCq)$K}80hW96G
z&rDMDHHZ55v_s9$uf>OzbAF-~H_jU>n`b2e`^kJ$Z7*E;W^%PBE47%^WU^OSwXY>9
zAhYvm1Bq`POev@An?!Y!hmZ55A)$7`D|uqo$tkk}76lL2)+yT86UYnSCSj?Y=$Ad4
zN}gD?9^}4?Th%fpQENBZh0#$Cy_|PzqtP!X26>94wYVlDzS<ML1?@EZLKD?7Tf<a_
z|6<QClJ*tMYIav^+$p^Sc~~h@0Unf@FR5qg@x0-i{d5hL>rmxR<8P|snD;jP2X(@m
zm*^7}oOoQt)0<~%J?cB*-!f6-@q9CRs36ax--vFrQ9=-Z0~l+ukx8gG;y6hBUDZw9
zwL*Q~hgtdhC}YpEb<eWrSQDv0erwT8_Ke?h9`wI@Q&o!BQjTyQo=89XSLW2L?DDcB
z4&9eT-2?gkcHN{Fy7aX0arEZjauVs@@Ejd;jGV}1PFx=C;)i!6`4CfDT{ZK{@SX5A
zIT6DBYl`=Vvnj_N;mvyY9_~9><9Q|j3|7KazhuRPc+#iJb|+r-loFSWyh&X4zzm{#
z+1;2~<Dz^!zJzaf<h|l>C3!vT>=?_BHb#DX^ZJVUs$*7Ump#vwsl%FO9Flk`@6em@
zZ#qupkxSX~GqYk6t$)azLDxrAi(wT?#yZB0=*jW(<MA{*ohY-J{N>4fGD8)qFZ5|N
z{z>1|k!EWm^Q*?yUbeNWE3wE|_EqIRuWm1Wiq%#fccoA1+)TckoTA37#n2Mwv;=vf
z^wd!@a(mkU|Bl<1{CQzq%+m(hVG}ze-yCWsNf~FAiDK5MQ%e3-D@qc{WA1vM5JeKM
zA+=cZ;QY}vZbj!VhNzoxYSvtHb@(!_TuFFraXI-SLv%G0BfOLv--LFv1q~{y_jCza
z-PTovIDAb;%x^i~#o?0~eu-8<#6Pa7WClpi$zMx63Rq7P|3!+re;el}UAMa-V*}N+
za&#2Z-T>9Q51Oef$wl>RSN=&1p1#v~QM(eSP~D}LL@zFqyG%;bqjAWoLwbtbvtB4+
zxuk^+oXWRJ_{nOkt}}^tCO)-Yj7`xvRfg8O^=sK>$?1W$<t3jVrO^|Z8Nawj5?;x8
zWZ7z64X!39vLfbKshNo5sYU8$8#_HwjTh2N@w_+uBqxetY|OpnX*sP&TA7tFZ8=;%
z%Z;?_yQKf_I%G{DM6cb|+7?nowW8{2$m)%_(i%GJsTQJMC||^huZ)~X^K5#Kkc7!z
zb*9Z_7cSQ4(_HK(VKb>DF1aRqh;uXRZ4x@xK<m>MF+V2nuOu-gx4EN0;v**VkJ+p0
zvU&Pcaz-?YQ8nL;=+ihEypxsT&HRv~;Vp9RI1as#_2iFOiQN>wpy_W2-$i4UaBI>#
zv?WqI;S}8oS{OdfI~U6(cKA#(I|(0;au=t$AgkRn99hiUZM(R%W<}yASM<LjvNtPN
zH}(e(Hv<#TJZ4kA?UV1Sv*s1ITTh<UGhafxb`y!2heNvWGUhJwn8nW-&d$|hx}zDV
zbDiefoCnt?W20UbOK%;|bE1B&H~C~{wi|u&?aY`hS=p8J*xT9Fc8z-<a%Y3~W!cS@
z)wXy?BYGyjGP=XFu|^@ejYiEXnWA6H2ouTms(zcRIAq<@QtV#EGO+3xK)CEvM1;-d
zlI(PnC$|&FbZ<`Y->QbFVKUs86+N$&@+{3Qk?w?)ph*?VzLQ+J{;`|XSuIz-I5h-M
z#(dE`cjze(>05GI028T|9`BHKw5Xh=KnBXmk5BorrlYl+^njkGH>vRDGu+<~KMX&J
zcdz~x{wsQZ_$EFgzhiAMhi^A&TDlTeZL}tO_HH=Ok5j0jT;kl^Fb+u{)tslp>%1#!
zsq~&sEvcv%<z`&S4yDpT*5A_mn)&qqd~P|Z<fNJHQ=?t=6kQ|bzoluZBH@&*Q6w3!
z`GQ|g8ltae+}iL(C*GKlFp@{=GpZ5R7Nb}-t-KR<6C<9q{2B?FZzPtLlqeNRIZiJ&
z)9ySqeI>lEYmSWI@|L+?Q9AkMbF7c26X972SEV)4$VF4h((P(UFDs>7t8(m?T(|sp
zaDAra?4{E>CCnfqH!o_DM0P}VLyYL8gh)48on>X2HXyguVpL~Muy2p@jN97SmeEbC
zW+l6%Wl{sRNVOH2$eEmHxy4dE?a~f@SLvteO4?fI@I<^`T*Hb<R-TfyDCvVz-soOT
zJu4vZUS#@Ix;B$ogv#TV_)6WVB(9q8BtY6kmy5$hwL`tmr&sZ%M-5VpjJqSVmd@_G
zq)grO2Fn_9u5X>=QjS|P`m{7%n0?Hbo`aUS0_|^+q=n>oRns)#i`=b(;!!5afripl
z^7W=DF0s<1S9agjdQ12|HZ_KvxQH*6+I3k0NFr1-;kzh*J4s9BN=9ps0_SU$+N7Vv
zSJ_-eE>wGTB)#RiNt+fXVU%~2voa?Lm|L^%1k#SQMkO}h{KL+enbwNfwc&1qKEHx-
z>fM^wBqHuko`-2K=qG*in&H=eX^zyBnmcG0FZ?8F)2y)nSu5X_p&r(&h9SFD%c+O8
z$ku<u3C*P7kxY=@l6F}XaV5EmB|Po0Q)OfYy{|;W%DK#SdNT6?a+}T5Niut6(pQBi
z^1L|^uB~f=X_;Kt2z3sp@<mUJ#x~`9@|#os+`Bp_zRQ4FQaIKKX`iTP=?T8v1ZXir
zX+FuFn(=ulT3mjyjL40(J9ludoXX1Z2-1QlAvg2M8C)xKG$6)m+F9QkiP{#v-zF_j
zIr+B->>|NMhDXwVH?k(H0;I03LP;gQ)>9@4sgFImG+lCD`=vSOY%V%Nv;rw#@`)sJ
zMMkqAhufjmgj4MzZc91cmnCl_8J;b<;BS$YYoSQL=vlRNxw#{h)P{UZXpb*yQS+2N
zs_k)NSrKVx(fy;e7iD>*tzTDfN**B3rp7Z|yg2e<UbQv}6T58C_uJ8|<NKwN?vRAa
zS2vn^tVzVNo=?J8HyI1%<a<1hSNE@r3-Keqhqr`7v~-b+^ro1zGPRn7uRZNdf6`Pn
zJyMR%C~lH=?I~6FRXGyptGaLELO&6%=Y*%oHEgwTbJdnhr;*d^wQZ0xnwsp(WT%Mk
zp*2^jv$!OIYG!T?Xq?@aR@D;SZ3j4J6}e5`z)QzZYrScgnl0%bo@mN4x6!$Gj_lcG
zJ7qs1OXCv>#8(1ye3S7g>xrWC)#VCbl2CAtnn?^adinBv&V_ch1`TBm=7SjzVoo4F
zwH95HQ)JO1xr_D?v)disn}zR!DDCiW#->%G`w;eSIpZUHldPyLBl2LRLz^TG?wMH#
zCYSU!sc9XP5=S}NQCJhtW&$O)WbBIjxsEH5AFDlCcS-n~O<I`$Fo9x;Ms8OUT2F7)
zuoDsYyJ!w1>ky<7Nf$YfW@HU1X#w^*MVj%|1~f(HTgg?u&m=yHiEctGs_fF!TiAtv
z;&r?ve)60oR$Wa^D=qIO7IHU7lBwJKXyQAde<VB!2dMm@#s8K(OGbL)uT|U}t;<kq
z&TVCQ3xCxZvhzzAc>_pJGDoXqZITr8n>;&esnt3D!Z*y%bKGjYNuD3?c2MG^)Z`{v
z$B0LaD3Qd!YLbMe&;Iwxn>g2!w@9kPHUFtAscrHSw@=1}Jmu)4Nr+wNHENM;+;yBN
zM5ZmHeB|V&N+P;Dx0mWJTPw)qA$cJ0igPjVO-mr|VhJ9N$J(=AM_zAF!q9J4(;L`L
z&1h{&dYCyio8?}MH6x9sr&b*`tKQd=P#wK$T0zRLt0bxLZgP~?OrlXKbB|w6@25|e
z^98205<>f^tS&GnsJ$|hNm|;Dq#w;q)<#dt_iXWrN5hyKl2bUitHjK0fhcU0UfnTw
z1u97cxtNyGlu=q0ibv&u^En0FO@-3?1G&5SQl2XM`RnL-i{Z6ZNK<L&SmTSOGaQ)V
zgDCgeG8~sK(e4JZW%Y1trWK<%Z^?1~-Fu=&BL*?$6q)SCOYTGhXN`-|Gh^HXE{<YG
ztxn2ob)1uNQ%{ps;gf35O?q8UE^=<FhDdrd<&L;RS|o=XiSE&gxaVG!J}F;);;{am
z)O@nWM=i+?hUyf#aqD&$pBhjOuUm{-LY1iBo}?AUtR?BM$17=>oYbqdf{gjpeJpEp
zLhi;*)NUEwHP&Y0@pm^8N(V*v+dvQ5PTtZ|FYTGOWcps(sg9Pa9GcOXGjfQ&BYP#A
zGP8?>6XDe*xewyqbXmbzDbgzHaZx&1(o6cF^!H@0DYJ*lWHci+<q~>nwLY2qq`h}1
z&t|01Uc2{4x9a(<TIbb6>@^qR^2T{mOL{NzhAYSuVlO!9sLL*3BF(5}k%ye#!WPNM
zYEOyB(X5dps;#(nRG!9bhvhQX=^5K9=V+^?oj%(YJx(|@wh15J7vIF^x02WqC+uF&
zlF-a{%Cl$7xU8?vRrD$TvjF-i9xX*H(bHR)ne$t#RD*dLH#x&qPK>PYYRDX(9=I5H
zDaX_FsJGemTd8*b6+ynrCgVHh>lyESXG%^eu3|acMW|Y2i}=^=l3b7$z3Ho6$QmgR
z`(S&XP7-%-_BC=;!APumBYz7tcR72%;u3Re4g6hmiD<?28G<Mj&x>j_YXzKEU5mUd
zht_H+`JRIA{PN_?Je+<a>49rw%vuTJ9hRl|Y=}901w6Dl`bHxtDL;+xBHaNV9MxZD
z1dVmT?y@h;)q;6QMP{T>H-X}`tuB^G8nu+5QM*Osu-KCkIg^8|1e-@XdzMSu8r2-}
zwFcA9IhNY|aspPniE5>qa}|e3lS|}DwrBRvkGN+>$Lvs5?b-Q-H{@GmYtvzL)J)%1
zx3plExCL5V#jB8~N3x)bN8a1)mRiF<8N{d0lq-`H%`y|}8^uo7Q*A93Yqg2ykxzca
zeF`mT_bzz6G9&G4ii>2G)9viGWu4FQqR<)rM(2$?={wsA8GR!rOFm^JymGCaHHuF(
zvRD5$+RVGSKwMn}(CfD4E2*)ApOM+X`HRNBN-a(zq@1vke*pNe_^OiR{p-2nad0`Q
z*GJQouQlxeW%qMEbt>lp<YdIZ`8>ehE33$3{c=<M1t@grLe+KU#DC^0$dU!}^{2J0
z36&7CF;c!lY}87L*r<&PPJ$LtL)alCH(@@8i;I+##YO%LJN><=%tO9Dn@Bc&FS3r~
zpUAZ2{1qkI%$>N19u=*qRA5VMExXP)X~a8zyAHdjA+(1hwet4g+7ivkXnMGmFD|2&
zw6=)iS5;mhk0R}TR}sI0Kk{>tM9;i~08ed07Zsf{+H?QP+McA8T)DeLkt=eqj=Yql
zQa6*by~@cqPW41zy2*^mIu^iz`7S~)h}@|O-RltzMfq0V&3`OwM9vo-xA2MN{5Ii*
z2SiJgJupdcEx)ahyw|IBTtgytbSBm4i}Jhm{+0B=y?DhVX$>jvbspB0hqwe<{+N3b
zxe)ca8glb>IagV2+Wp7Cck*q#X!SCAS4@)O|Jra(%9uWHDPEL5=Ao=IOHP`q@7mpI
z=d2WBojT^*r2nJwi_2HPC?}<%wUQH&G7DIV<|?kDqw)XqwLfJy=j?IaWv5C1%Qxoe
zI8Dwfaz^azh`X?Be}7C$n2a4VmPomvB~j#D8AwPiEz)5vVN_lqAF@UaX860T_nh6L
zbX@HztI<hB`Ycr$#y=?Xl!TkoA)}n_3Cc<#vjcgbMKpssQg+OFNm|(@N!$`MOA|_*
zcGILCYm}neZ?^Adf?2_%ccR5XS6mjUZ4nySv}ir8%5F^jRy6a61yR3a6kU+pa!I{Q
zO1rwU!)lFg;%(}!<mII(CZn629E>l<(5myk#H&UVj+4<NPw&W$k|~4MX!@BNDv^89
z7!YA@^jhvR`IkV|dwuSgG@~)NmgMT-r9I-)glCX8yDWV=QPxm1HIa7RElX~Bqp0-t
zq&KGXlE{v_B~I^_?{+5rprD$3iG6Z8gjJx-^InagBx_BE@0ry3OOp9=2v6zy9x27V
z!v0^Cm9Kp9zN%X|KRbm)+v9(?Xg4hv@>fmGmGW}B2C`%3*bDWp3o%#ITXK0nCm=F#
zL&ibg#8O_{rR2`UNo@23dX=8gdV-npa`}Iua0G-b%gEIvbUst{h|T$Y^17AebFDf)
z3b&+XPeu4rRsVcx<a5)!#kx1E+iN&!wvd!(K_^LgxMu>GaI+!I65(i0p54Jp_zFg|
zx!6QglJQ1X!Q=1q<a=5bH%cmB@nQa2sLxu4wB8a9#ATH{QD#BmJWjT)jN)OtJ4u0d
z$T_u<xK}q>50brH)h}w&R7BQg^*{JZWlQs_sp*<j^j$Av)b*lFS)p_JR@+h5o6=*y
z&c!7^Nt{B>OC28;r4z0tzWj5aUbJD%_gcnXjtWWWIzF;mu>A3p`lU9~Wvv#qRtI@=
zPJ3|$J-<lhYEl-yuqI`eD~ng99bZr9rXYG-n|k5xIY`#`%Az>6Av#T7IV0(+3{Zb<
z$F-4U(_HBOc2>GcPP3e<Tgj1}1eW<|4PRJ};$&(t%_TXB<#){qQtc-G=3BMZoGNw1
zH=3)sR7<I@4l%E4?Ix|nSfv_zl18SaiA%1Tzio2E)OJ@jesrIdu&QruDdqYppQ0b?
zrEd(TODL<V8*)QOcdSIDIW6L59k-(T5w1=9=8Ijk8@!a{q=uc3yeZ2!taI9;+7m=R
z3bm`|6FIc3qWef{CG?so)yA<+W_glIv~w<ZwO@VpD?-DFT`6aU(|cc}oORLPlKk(A
zhq7YTZ0#6%MR^Civx?PG->Y6?y5rZh=BVnk>vCl$&?fsPw#!qhT`^a6q~DZRKj~C0
zcs_@|ICdm%Q~BD3q$hJ3LFh3_6MlUxJEGJ9bzej{_It4JWV}{e6biTIaT{kxt7`9=
ze8D8v%zEkSyo73u?iiJ}J2~l2+G{nkx@GZl)!9-D4Yiw)j2H1Ub~E;WZE*NMeHE}O
zKs(Y>oD!;jNgGC2Y?HXz@e}V|n3;5vfJxmZ_g~#q?Px6}NlUca)08}^9)yI+l>^Zj
znMmc@Q;B_9J7pKR0*t>cQ6)v`HTnhkB(=0ISI68Y@iHb)QXM5zx7xF`S7t)}du^FI
zOUB9Ff4<Hb(rbRX;~|<EvPZ65ex+_@U$U{tDpnul%Nh~}Etgv2jm?P1#ckJDrVJ7`
zS6|W=X5Uj&iTVv~zPlG+Hj(c?%4y#k|79c7s*-wkE|964qbF+lRAUxyi*r>=X7r4&
zp6ANtPU2S8yZ4}v*Yx0+OQVrp%JL~aMbG#}D=OlTev|gEnoe$eRQ0XPy{x<NjI5T*
zw$~vAZRzUaRDvXDEus?zNuU(`nYRv;cGVR^krx%wN;(mdA>1=lND|?$ELq=9$J0Kq
zA^55#B}=!Q#Dk;w$|dH?Bzz_<b<gwd<fJFjQ_91?lS1YR8d+!kPcVyO_Fva4-AmKs
zu;%V{iLYE+<r&q}<?Aw!5q1$I`^dGf=v0rrXD(<HPf1K&UC>sLSsOV~nM2Fepq=m8
z(|C?PEjKoK$ZG#wzvwR0;`w}Qa-)Zpu^zLWQY@1&(&`D1$lN)9|D)a|w5+Jcnt+&5
z4rrAX`D110f!bRT-N&&se)M$eQ{FL;{uyPpgsRGW*(vSXt~?fVR%TCN*YWmth~)g#
z-cI*_A-&y{taUF^Buxv6P=hqio0QD0RIcXr{f|1*>qKH_ov*HvohqlZqjxxop*>go
z;VSNO#?3nSpXS7r{lFUJYLv6&3zw2FTwHbCg><S?hOApw$jexB+d!XZ9FYHL*EO>H
zV#$*A&CaYyu~o{IXg$?^>*9j6+MF9sOQYZW6!)4&%-lH9T_iyhAE~8;>(S~qu$Q<T
zmj&oJ({xps?|^duTspjb2~_I-QDox_)W*wv$9^$#S-u4-XUjLRo<j}Q^^&*8!?jUp
z*4Wol%TsWP)<cCu_=;%SU%o5#cpP>mWoBi*rYn)#;;(f@TK`{p-vM4l)pon5ok=5|
zB%~*l6jDwq2^~Z49YG)oAwVD`kc1LIN`L?&*iniCf(jM{L<OWtSBfY_q)Cw?0)kX4
zckOi&60G0%m*@HJy=R_G_UxJ2vuEag*Sp@e_euWpgE@f@?UNBhGL!HJwO+PTdF*&l
z|F?zm=Zb@D{@?h|54W|7eGm8Izu^1jj0$%g%xiHi83?o`e|c9AuEpK|-POO|+Jhr&
zJShF!7l*%tk;%6yKX|&qEO5<x{QY|b-h!cC#(NCLNQ|5V8frU7_5oY^zlJyudJMb3
z$4Rv0??0@{u%P@sO0>6q<h;wupNF@w2UlPn?$9<zw=6rZeA54GWgx{Cc~4~Mv`f6J
zpMW7i7u3obY-Fx->#si#-pyYhQntr-wTBM_YJt)H-REC#zj7;hi(unGt~+I%{GmJf
zD~$))%a+Qm*vht}(c*zW?)!ZWp5EHu*Hvs+<k%IZioO4CNj{l>@}GzMTz<3-7v-8i
z55?qi@BUYMgRFr1Q~5iD^*lg%+k310_OSOZ`}|+mtYkhV$AN#s`X1(d(suBk@BMRc
z8G~d@`7eKP#Rs}lMI#l@OZKax{@*FFZ&$!f!8hS`7w}E@FHl0v$6xbi4lKXhR$((Z
z0<$`Bz3o`!$o2)ySKY)`z~}IE<oa)7b6MXWFk9wz*KN@c*Oz}+ayr__H$~CTA(ZeP
zCDh7M5!t_rcYGGC49EQa$94qUI{f!X{(kQRy8<d#>??cg|AO^boFkt~<*onSvaPoj
zjFDE4zX>P*AG2+wAN{FxN5AjQ|3qIauKxSh|2y00zZ^%Fvoho?R)<RYL-~JuX7lAp
zW4jj4`JK<pcZeqd3xr+a|2zLvpDK<hw+VR$TluLBgRZdV7q0)YJ$ckWeICR|>5G?b
zN7EM=OQ1gdPwP2*|JWm&5B{Ov#)D*aMd=R*{e1=Q1epfB`+z*IvKM2|U;J%CyhnL-
z#WgER5_Ps$yrsXoHgJ2pZC{0r<4hZlW1b_*e9|`i`RDfj>N==bJ@!l1pW=}6if|N9
zqeik*`Hh>7Xx&c!u=F=g{C~E~A3R-VTzG0_AC&NJ@Xc8Hmp$-vtbE7+m%ruH2?yfg
zznZ~EHsBe^l6*eln5lLLKLcQ2hu~FP@N)oj=howI^Ip3D3G(xoamH!X-Nq4nF~_Z<
zem!a`wrt<vm1mwqZhr!2t-t@`{mGbbEi)4tZ%^a@B$oZB#Q&_ffF8=3VUokhd*%0<
zr60>$eiM0}t-sj5Vw?M4_TQ*3VLz}B_eU(kJ~9kEIo6k*^<ayfm4Ef$h8utW6v&Ds
zlaaHZr79v(P4dUn%yMLQa|Or9?Z5fY3xD4B|82GZjvn-%ac_7lcu%q~WwGH4yhX%e
z+egL)aw=P_kZ+ZLtGPVekyb~0lJz*YVv8lo9BpS}#$fq=+fkL**k{vN%SNGS%eET%
ze?|DQ9f9`bygF%Vn4O2;^2fIRLY6AG`rj+tG9946A=^FJG7@AaTd<8E+ei8jy@Y>v
z9k!3Z?8oix<wwZhW%cFHhexqq=7qL1<^B9c@6iXDcVI8>P<ol|$yA!9!2i`DeNHNz
zWzVbP`Z%7mfq2C$=plb9_W$2h`s3aGC-xrCdoMVeMC7;egZ!?nbhMn4VY|#iY#s!b
z^xz%wJ;}eTX=|ZUJ!&d#mEAcqMSN`QvZ{xF+3bo|dBL`)%-?U>zCSMOXkA1BZe7AU
z1&b(~!zC;E;ho64k$*u?{#TnCSmW>N*?J}|4RgID-<5l%GIR&Czt_Nm4`6FzStD|e
zdHM5MRIUWyUj)_i3qBR6^5f+1@;6>SgS>2?6a5ml{&4-nTb0}Sr*h@zV>=cexwrCJ
zWl!xvPF}IEB2TYWw;O!o2%g6Jin{U=o`~H016aqA`vvm(l)Zs_c$RqfM3t5DXnZ?C
zx1A-wr+}xnw7iY--w&QoS>E)Z9@}zXc|KLv%I}UUKl<-}m&FB{N20xo58myT@-2Cc
z?YQ!qfBp^bCOzaq8xNmhtA{O3!7&npPe0hN2&)-nhM1vd4YQ^hW=5E`&1f^mj58C=
zB(sj0YSuFwnvKmz%rvv9+05)>_BXT59CL`7Yv!5x<}kCsEHX!$qs=kqICH!?(JV2i
zn5E`)bB6hZIn#X7oFx=78Ei8^1cG@6ix8;k)iFo5rl=*tz)d4Wq^OO*N)e6!z!nQ1
ziNk+cOTgUAB&CYttVAizlom>XQm7OuW0b|ptIB%iBV~iKN!hGyRdy&lm0iki<rC#o
zWskB~*{AGRK2ttd4k|~LQ_9!MY2}P^Ryn79qnuYRDwmXRmCMRC<%aTua#Ojb+*a-=
zca?j}kIGNV&uUdQM6InxsYz;v+Fu=@4pQ^fVQQf|O3T!;w6ofI?V@%`yP{pwZfQSi
zzi7YeimvIpZs-oWuO6w_)>Dmz#v)^hvDA3Yc*9s`ylK2;ykop;tTI-c&ZdtUh$j(b
z2AkE*T4uNzX-1i`rqzr$6U}5Z#jI=AHyfEv%mL<LbErAoEHp=$qs(G+togV(!JK4H
zHm91?(83_0;=eTM!azoA0;}wyM>t{}pb9vw3ugbiVMdq-kf17NuzF)oST)Qm^%HGG
zTQL~#;T^F;yer-p$HfV8Tij6&C?}OGs;Rnb)3uq}EN!;-toFP%Pg|(Hsx8sp(3Wd&
zYHw*<v;*4b+SmHW`c{3LzFps;@6>ncyY)}>PxU?eUVWdwU;j)$pntA^p&!%_>4)_r
z`j`4q{VV;LeqFy|xESF^XX8<0m@&yHF%}qWjLpW!##UpyvD5er_oSFDxt32zHM^SK
z@Vg4`QQk$Mv<qAn?c)4Z#u_|FRTyS-vxN|5YqK-Xc+~7G9L)?fOSqc@&4IXc751d!
zSqMCfBs`UOu_WN0Pr$NnV@ZN-Ig4c2Rtr%FwpAojU|X+>RM^*gQ5W{LMbuNaE4xKQ
z*w$W=ChbZzhh-fStzcb8MH@W1uSHu})_KtZ)^%BQRIVsjL|53>J<$!%)D(}ws;Y|K
zu&fZ#2euU@`og}FL^^CNLr6R8FEU|k14KV{lsZae;RzoQ{qYo!i6T6)&f;<0^Dr?U
zPpw2ukoF}e!opq?CDOvgRB2;k8m#OcF$0$Nu6ROPo0y3wyhhBzGyYi2HUsg*p5pUO
z=eiZvCZ35GJkN^vc9@o_nB7tD2v3#&=?Z)BY&OBecB@s(_V>X4DtM|ESRBq)j;bd5
zy8~8$Hqci^XuuF42TD)j3f>|CPj-YdQW>R;R*KP@^jPVgC*||P(|X{6Y7@1o+EVSP
zc2Ya5UDa-CAGNQVtqxU3sH4^O>PPAZb)&jT-K=g=Kh_*HN6ksAqB(2sS_Z84Nm}b`
z+Pm6D?PG1LwoTiw9n?;1XS562&+ydyy0h-5`|E*vs2)yFjnbp_HhNpVo!(yWpm)?e
z>7Dg1dRIMD@26+!{q<~pfId(kr03{^^-_Jh{-QotpRd2Hzpby(SL&bRooqBV!G^aO
z+l<eRFO0*+*T(n8b>oI{)3{^YGk!9Dw%A)7ERGf@OBIW=#l_-kakIEv0xYjv-momQ
zyeXeFtmuk1L>sS7&?ah=v=VKyHbt9?J&Il*YeRcMo1=ZNT{nKgmM@-J+0#<<;f;rQ
zADz+1vHIisv*_DG;~uW)imP~8ye-u%zLo&It6=;D!V7|dxdEb<;v+&7f2FSCDJ@?~
zP+BSNl|-eZ(gk(hl(kAj;_It?S4)Yn%Ym=EmA8PddzH6|uJ7Ot9#K{TVb3UQh^}ju
z3wWdJ@lL-3HeUtCZUV~QP__VNZz&%WVYjOIDBD#-O;mQMb<{e_ZCKB4<&OTT;jjE=
zL>e(_C&OyYRl6JWjaSqy<_qQv>UL>wY9lod(%3MqpRj8Ewf;(VEl<l+YQP^pQfgYh
zwOm#n!Ervou-QUr&uGsJQ+rW+PdIAtYwJX~wn5u2qP1PxZjr3*(e{WGSjcB0Rr^9a
zDC%j4wIiZ|_LX)?G}6A)u89uX4c$?6(Oq>9k*9m<fucYU(L=>py{2AMJPsR*5aabI
zJyuNA6ZCpwim|~s2X8xX+!gQ3cQ1AuzgkT3Df;B7kI=_JoEoQ(6Bd2EK1-PT)A}>Q
z8#eW#s0O>5D|}&F^M#-OhW@tjhlQ;Wp|G-*qPl5kI>HxK;Xq_jU@b$0JuGHCtYd;U
zL8!2tiNXQaGfCLNf=Y1TleNi0hb2uB7Hul*NyGUyfTePg-w)B@yRKNfW6@z7!8jrW
zi-Ncuien?OXo$yASjS>95Rv2H^YK_rpl2f5=p?$~++0zF^#Vi_UGY$&g{H(PNkUaJ
zl`$wkp*$@NWtsApFkv_E2|IZIcGT}wc4EC>Ie_)&z*IX#=L;yqUW6fSL@2Nk3)ZIU
zAsm39i9%Bwstw^6U+G^7d*eytIbm-;Z@z#&tFUcV=xRT;pHS6YH5bPgs0FAQp^o5w
z9bPm?DDb53g{EEC@E076U*J<JmYRs`XN9wNPCJJqE@<cnqWncXxf|LIJjGkuEtKzS
zcd@>w-NV!UQTq{3`X}ut)cmUbDpdJc@lFlh5DvOUH}RGobO)>*VM8vkAv|l{TlW@r
zdNsY8um@N0#a=(%PZ+c(Q;&c>S)@OsCR#__f>k97XFW+zLVb#!igjJsnVqrU*e{%n
zgT_JOXdE$)pnS@}-*GZ78JDoWYFrgnjN8U-lz)a5I^qti0X1$5Z!jHv3k7WFE^6)}
zKIv+{nh*atpdEk}9nucr=|<|2qAGYyZQ%tx>@3`YE`x*{5N0fT@VNfCa01dii~D?8
ze_43y3-yJ<0NULX8j#09*aLlBg$ED_bJBrAUZM(+$XmDqjj9P}Ad;_e0R{%Zj#Q-q
z-#~9XK3xo@We!D;9br?_K8Mmihk^lkiauZgRYhIID=$$GQN>#{0I%^8jlgZHiFEKA
zU(o~{$4_J+dijIrNUP4JRS%(6*MSGr5QX5JHSs^lq=o0w!gIkltzslCygn_wAy`6!
z=u10q4Cas|ibXQmQ*Y4$OEN8gsOX6$nf5<ajK-28reZ0gFANnM#WwVL2mHUT*dxxM
z&u7JX^!9?dihf=bKcJsCu_Tj;j1cz}S236#luHk)qtsKHi$bNP(h__`dQ-0QjPiyU
zNpEUMZ)yzWT`P)#wi|HFMr9+8-=u89G1AL&>1Da#!~3vT`dTi1tuc`MAdUey#`=tM
z279IV<tpDR*HH#qqaJ)%6w?!j&=ZHy2XpCzLx9DNL>KiD^%2n>F}o=^PII-n$WdFV
ztx(@qZ7X`I?bLRt>8N%TJrU76i9|&8&LRnsy(^dz7V)UsL+v375as)#K10m_50XCI
zPaUid7Cq?6SzzFKqQ5#^9gem1>TI=0EkarPc2_W_(I}5q$6`HB9fuYssgqEiqE5kj
zn))=_e@1;4y#i~%RracTQQoH>Lj6VcrpVO1wLsBdi__|1U0-W~nyy+p%9&a}tfy<!
zMO(0oCxs_?@odovk>wdt3y}rL4URld4ANfKUdH+r?G+IZ7P3$TYKyc*!b@AMEk+z!
zqAd|_+Uwfu*t=X?j&tAA-V)Wd71|2atkhQG+*R5t(GGFyeKB17K>GkKuhrIK??!DS
zTHCB`79GLAx8TT+wT}`1wj-8xLM+>b)?_S;*FHlm8-!T)1+I7y5zS3If{4}$5$!AV
z|CIJM_JR$eHHmfuh<47}H`;mOOU!d8<_$!4b4i3D0)8iI$UFyoB?@|LKWH~mmRLAY
zyRF?uSt8;<BBDPLF@cCU5Nzvb(H@NJ7aSwe(M9`ByN~!LG14FTl8UmXYd{%%P?o3}
zLew0n+w1nIk=Qv<chakfVY-X%BI1ak-nyIahP@t$$i9fkURX;^P0)RGACx7s1`$~Y
z5?N!x_WV&Fh}a#5*c~Ejfcu4_Mn-UdMDTEwCGHL+?#3dTM~U`CUl%<Vkv)tUJb)NH
zP_Luc!SND_2NH=B5Y<Nl%Zv45tYvI>Ky05Ns^}B-iHP}=^hv<V61@cF$@*lJr|460
zWT{>%M(fk`X(9rwayrU0^cg5W0bVeQykL~ROkal9-qhd1dW*hA6oMsv40PV6Z$o6*
zrSHP}Q~gsB4c7e`%Af0>V|`FRC^TeVhY)QJ>xU6Zj_5~#+F$BlB03$_k*_d%+94x5
zCSvsC`gOE<NB>EvhMQ3h>qsL~L>o<vUMTl7a)f3KHU^7)V~8;f5p%dP4Ol<jm?=!g
zUpwP@<0TOT2DVUiM#j5Tv^HKhUKe@Ba$`AaWJZ#QTx6AKX{<I@i&o4?S{Q4MwJ5JM
z*5Q~9#s(1yCcRnsfk|%>9?Vz#kQZ(h;b7L=L`|6?V(%_vm+&!m8=s*3sqv|ZGWHmI
zQQl|lLs>?}0OK=clFf|+#sN_qocwc<244OJj*-#Q)i`7vMp?$p0OL#JD9T?MU!nbD
z#xazS8^=Ycal$x>vW%z!;PYRjeA+mT_Rkn+#3RO8a6CV7yz`=&alyEN{#-OJqDIEv
z0OMQZGRof>-=Pmzj4LS1XdG-@Gp?b9?~U(8Q{)HNQU8PS1McpoaT8a+W!yrIjMxFl
z8}6Wd7aTGQ9P%ghU&e4(aFt(C|C{j}&bn{h7m*glq6j~WX3?<LEry7)Sim-$g9m>r
zx`Q*?As4nc9fXtV2>$3urZhyTVl#f^qG6FPsUr>>SinB8IAF^ZRTzmqpeooS+B#tI
zVN~{o!r+7qq6(H!Dh*zY(-FwA-JsvNV~Ien?IB_qv*Q@ElPbmRhK$)w7_*x)X18F>
zZjDw0pacbCF%Y+d(F4gx9T~aZkhjRC78XAo6^8v%GpddlUK?AIr=}v;kH+s9ERwOt
zB7)1fo?0ocH)33WgmJwY<9bWRbrrfud)#FQ(Gkx>@>)}LM|6)6y~GgIOOERyMu<_k
z6B+3}!3U<`PGr3I6{TW2`aT0osCWWPkeG=v`%v+Wn2+NZKy8VD-m(Jiyern=4&KKS
zAwCcr&{N40;>30=uH*_y;0njV6;6OLq>wQ*A!BGk#?YFKAwt~35-*h-v~w4W4|ELt
z-&(~@aTj6W5Z>V2K8lYBM3xtgddbM$lw_r@s7|dT6&YV!;it4y+KFJ~e(iB2vOko&
zDH%8>Qz<|@g-RjLEmDd_4XAEoP%~DUB%+iOWx9w}W+*d+Gx>c2c*$b$hF8H(lF3dQ
zk)1RnJ84NRB@BAqM`&5H6FaDOAEULc%2xDqhq41@nGdAO91~^am{@<NAUA_DbpXf6
z451lWOR926IgECWC`YhYGMH4U@1f?Lat`Hhly7kE1+bYg<f0c*gKQLizN%bB`I>SK
zJ(oE~0$ENNSx!r`97nR81m+vws;BBHyvTS`WtJ)e%kX!rz7+^7QP=_nY`X}D^05P$
zzEj@`e3!WF4n=G?Vw*(gYS6{@AkysB_aeeUA49#w>u{)K2Sg-MI~+RC7r=3e-Bx0E
zBC)$JvAY4WyD_mljo96s*xjlOyKm?>arImJZS+dwxJCb22S(`k4Oiqy64TucU&CKi
zC9+pDY8%nQ--t0{L<q9%B&?H-#@O4$=m=!#WOTw=osAwqrAHA1!i~p_OvD2j39O6+
zE{p_;hy;^FUFcEML>)uMgT{u;$C@)9v@+%zb8+r`V*%DL8?T6}GK+`Ls$wm%ry6m`
zpD5!`WQit@_!B|=i5)S-4wcvuM82;PJ9J`4EV08NcGM!@hqdDhaYPMYqK1`xzbW~C
z3h|-=S$`Zbqc*Y!i5hW4jRr)G0HOx8a4dmDjbLU2Aw-Q(qDBp(Mlw;O8d2jB;)Opk
z!k>r`4WEA>eUiQ%L$6ku0R+*Xb^5bGf38K=?*qSe6OGCJ<LIka=rDCrBQt=e^w<W>
z15%W>@Y@FP(sZn4P7p_*Y(Sq3pf@Va5(4RmA@su<^uuI&U<2j~Da;j`(i;QejhoS$
z%oyV6hjCETccDh+4JphU;^=`j=z)Rsy#`c2n?sK}i6f;S2Eq?dqkIP5m?HIdlx0>C
z2M@fAvQ$MI&;tXQXQa>%75ZTy^V3GmPowCQ$@EEI`lK&?vOc{rj`@eLmaS!rX5?S)
z`Y3%g@>9ve-1RZgS?WH}Sth^}Bo_-K7c+Iq#lpzNOmZ=Ia<K$*u{z{p3FKmR$i?Ex
z#p0Rmdgw3dFNsuro<0xj1^NQ4W&T@_`EP{2SYM3X{tf*NTwQWEi@sc6j<RHM7X2Ol
z9UT9z{w~(5^i^1|)z`xR*Xip-ZSuRO#20%g>sv({@x>4LvJ+*ADSpJ1G-8SaFl9gL
zC64$JN79HRe#DV9;)o-0#ECdkg*f6&9C0CzR40zO5=UwhN9=WpBTe+%z>zfKh#zp|
zSCl1=q!CB_h$Csl5eMK%BI+e}q>(N95h>D$6pq9QC$hyVL<bk5gDcUYrZLZ$hqD#{
z7t$<MEmegl^#Q3?RufgJ4|q`@NU{W3f<&Sv#1bMJlF@{b(U@d3VPrJEz>{IjMpd=3
z+8EkV6SawOXJ+cCrm1PdnfYmo+DvUGYBNi%uC`EHpxjbz35=H+tE#qE+n`3~tx3#V
ztE=tR_NeKgb`ZhLVZ)ij#xRGCSG%ZPgg-M`J7%(hYIn7}@MS)$s*kFV;<`Q6$IwD=
zwYR7)m245OrmN5?)J!!K`jpIbUDYf#OW1P+zzIrswn*kUfQvd%9VlWk`ZP#*s5xqm
z@MK2ptqxI#phhZOKG4O7iUelIAsC|?CPJ7a*J6$wg)yr_VP&Qq!c5tsj#NjYMvgFq
zKu;enYO2L*F?upa9fNDh3_3)8T!p@)j#tME7j=R<5!aI0bckA_PR6-1rw&o4s#8&4
zs+OW=8Zv8DeNLT+`<<_@#Qm;P*W!NHsq66E)+6JNSGTHraMyd)3pneR`ZL=9MYA9)
zG&L{bf$STjfm(<L)MXAHqP5hzV6V)<L!j(uAn(r9GEwfQ^%D_N`9)?5<rkTP%sUi}
zwk<+#ve;NG+>BR^SA_${MwUPWlle#;jKaN!{6c0Wp%^WB1LbALGDJL?p(q?Vi8S6e
z-WG|>Rzi&x#tIxGM^S=|mBvaD#{4Ck`AeMfp79=dxExn8jrWcB!Pq}AkgXdZ8Xw{;
znb*W2ulWf4T=H;7%Vo=DL@HH0OB?m1UDl#S2GACLX@8!yya-yJZzXGUptbp_(%QUf
zZ8d3aKD0J3T3b`9Cw^*%njs=pX<N0+bWmwqQM9dS+E#tqRt#+`j<%)Iwqj^oVYIC#
zv@M;sRgbo1rAAm?l@?Zm7G|Y|8MLr?T9}m<rqIITsmNGiTZm4yDl2uFNZM93Z7T-0
zH36145f+w03$xO~;%Q-4T38A#ES?HZQz|%~RB-&L;CNEOX{w%5Pr-+!juT1Sil%MF
zz_#q5;@WHWQ28A+2b3LQZ7I}xtXdFkt_E!`o;GKt?h{GNi=pLNX?Zc!fUH`UmL;0d
z@)|Jm#M1sW#-A#TKTeE4RTzH~8Giz)1q3tx1Tp?NGyViI{x~!KRAKx{V*E*F{7GW`
zNoM>>VEjp7{BdFYY0UW3nDM7E<4-fjpHRl15XPTG#-BjOpG3x=K*pcOj6aPTe;PCX
z)TRGe;6GsR^qhwDoK$*_KRqXvo>PtEjH&b)3w<V)KJy5DrW$+(k&WJxMsKmFw>Z*U
zOnOUIdW#*sr4hX)mEPh=6~JPwH`b$tkKj3t7!zC>6Fe9b+!zz&xLJUx!)Rd3a%<7M
zycijR7#W-y8G_(%?@+f>wHewI7~z?z%>>d&4bO_v?O9OQq>>jxB`+0Y-Oq_gjCVhe
znisXXC`(nZhBjZDkMaU-fv7@-&y@;aG!?#NDtwMq_`EPm{wi8tqAkVouW7HLEY-d+
zjGO~+v}M{dlre^mHl^|xslBbegFZ<8&w}yFchNVg0=iNKwAWT+%qo&vU?8->4{@&4
z0u!`#7{v;~C>Hb*>VnDICT$bSQXQ;Eb+882L4P^=i8iH17($IORojhGuMjGQAsF@A
zj~+_B(3N_j7xh9bM!*iEHK`hgP&HJwW7=`_^MrN+JwK_P#9pZ*)}W4<Oa)Pcg7}T7
zgLx6>p*YI1lNjoV-qaC;s3X>aj(8R0Z`YtE20=}{iL%rYL#ZQ%Yj-q!w~}h2Gu6b}
zR1*`aCWcZ?^rV^?12qx3jdmYuVvH0nL`|rP3OJq$O|hn&hk-FOsV0U~P4w37bc}RS
zQ*@)I=*;mL6KbLxj(6AHp)5)@F^FnnIMu{Ns)^xL6KhgU45gar3pFtSJX5NPK~xj#
zP)!V?nixbiF@|cQGj&8y>WDEq7F<QDi9vdzo`f;KWIY-Elxku))x=P$iHTIg6a!<*
zA_b$$n~}L~fgTo1J<NxCSTOal6zE|)L<D9{?1Z+o3wl@t^|0#D!}g%O*Vv1(AE}DD
zP!)@!Dwaf5%z>&{RjOjKP{j`6_`}9wTt%v4wV;Z9iJGI(#%e(uJ0_}A6^o!M=0jD?
zpep80Rm_E|m>pHI2&!TMP{l6dT&ah}Ll65FJ-iH6EP|?75>>GXs$zAiidCm7<|jwZ
zalcX(3#KZT0#)ob%2E%Dr5@%&J*+DAuvp_)=wT7m!-A=YDG;v|;bT!Ps;Ev?EP|?7
zb*f@=JW|dVQ88~u8cr-T&sb)jgPD28GV_dO&Kb{~Gm$xG9cG(D5W{_;%E-|r+lW#$
zbIW1O80E-l9P&arDq5GB;UMOOvCIi$nG+6XP8iE<FrL|9BJ;p{%mZ_o=?!E47RQ{e
zE;F=Y%)9C`Q;K6o6wQn%ni)|JbD?NPq)g(SAMkFb$S2YT5$W=YbRCFv?d7Z<?3E)I
zHMEz2booTO2q4`8l;tQ!1Tjt{#<eBJg%aah6XWtZmJy&W1;*tQ<1}F0GL+@GMtjT>
zdJ|=daqWn4`NTMl7?)3siy+2zCC23w<Jxe%qlWe&kS?D{rxEG$iFElyy0%2Rd?H<K
zB3%TLP65(w#aR;RIuPmF6Y27abQ+N^pGX(MG0slJyVk_J0E~AY#<>#jIuP&tfOp44
zo^~9lmruOQC*DO6@7i+Q#FwboisL5f#JfP^T~Fd&n)a>st!PTri{j`>I!8~cbMz#g
zsMnLImrm5{OVsO0)KiIikwm?oM7^3sy>yPD_;U;;ov5dB3?-doC?Om}Nhj((Le%R?
z)N4l6ODF2}B<cloJY@jKQ<`%;r8>t`(usr3h=b|G!F1waByljEIH(f`dlCo3II5Da
z2LKKG5Dn9ahEYVrbfTe3G)yNN_T<<~7%{OXG0~rBn8vXcUyiNxBqlyaOiU*x_9P}o
zl3{s}VY!oGd5~fCBf~Ptuo{wKH6X*XkYP0-!?KWJd5~dsA;aoOhSh}(t0Ng!XELnL
zWLQ<nu)33Bbtl8>PKMQs466|tmPv-yj||Ho!|F$dWsqTYC&TJahSi-6t1&bDCd}}M
zF~iT&rFIy@tUd;FralqFnbr4aJ|DwOKBkfun9UqMfjN9KbNCeI@Ttt+>oa@LV#XfB
zEIq~uG$O=sX6gNzna7l=cX9+Ln>l#`bMh2s<MkPJ>=1P}iwwpa2gaKW#+z=8H!V5-
zlELwpDja{wV7v+E_)7*OO*kWsD<e${Mj9tZnp%uB861DH=lDwoBaJJ^UotrU(vssZ
z8H_ZKGSXx)(zr6xWH8c%GtxLR(qu5wxN!WX3ddhE7;juT{*u8+(}IyEgOSFKktUpx
z#+l<U8H_aD7-?E^{3V0qFRqL?8H_jKoYUaRs8fqk$DX4w8H_sJ7<KIAkck+|v6u`-
zoeV~ua7LXLWU_J|mbZYm0d>QhOxA}?wg=UX-sH0b$zdCi!&=B;8&KVlvlo5n11fz$
zp%19^0i8Zz(gz&q19tQQd-{MKeZZbRpwb5n`hbN#V9*CF^Z|`NpwY5*SoU&Z!lvH@
zZ+Z*bmC2sjv1j(|nH^$jGse=%jGvBFYkU1k<n)1FTbJ>(H{+)p<7XeLwIx(*p+aMs
zLbY}(by^4Nw6m$x#z3X5EoM`vjiF9En>uYNqpqAIETgWRk(5G(_Ay4_dQ@niVjP}K
zg?17nup{-@UJpfJIU}Pk<FFg!a3AWiCDdbGsmI1pkDW?A)|E=^Y$~x1RAOgSiJeU)
zHik;<Y$~y(jO12ouqlk^^{Bx<MGbZ~HCPAguCuAT#!z>Sq3$}Hx~l_q*BHkCdQ@Cz
zQ)`_~m31~%RtKuAv#GMiP-UG>m31~%)>5jh4&)A2>Z^UJtUg5^F@-#03N_Uj@`x!^
zC`M7C=thO2C$))D)FvLKD$#=)SZ%5jE>tCIQk9T%HM@ygR3*Aol^6*Ptd|%-^{YSB
zuRdY|bqW`1U|Ccvs#C2PO|>F}N?0+~im_BHCQ_Biq#n_aN<<iyh@n&>##4z1qY@E8
z4I+#hL>H<LVbmSMs5?}r?l6`rLm2giFlq`TsVR(tb~Ok6oUguu^=s-ftXHXPFmpsI
zSOcJ7Z9vcE%n=vpSUW@()rV13A4aN2)Gu+2)F8U6U#q9FS1J+JsYHyW)(}RmVLVla
zFscmIsV{_4SqLL*D<WUh$kgn~)H;%*Ig^V8k&Bt+V&3FpZOFpB$iITfygHI|wI|yO
zBExD)Ze=02awe+^B9k)7p+d=?e94>a$(uToF$Iw&4IxWvLzd)4eq>L6R78F>o%!Gl
zaw3zQsE}-E7TJ(OHsnV()QLQ(19{La@}Mf@L9@t%{K$i5kpcOU0R@l&1(N~!kpZ<P
z1DZt!<VglJiwr1$3}_Y^P%AQ^S!6)%$bkIFfSkyHW|0B;kpYb$_c6$Qs*wB4BKL73
z_nAfRGmG3OnA~R;xsM&W4`%9NuAUFM&n$AEndCm5$bCAH`^+Nu2_W~GMegHA?&Cx5
z)0*7Jlia5hxlbXvj~`jjEV3RyvYuefNp1`6UCzF1j=9MF#3P)8*9`NJ2ScTovreWl
z5=`T)yeBv-?@302MwQr5!%A$ZAtS*wvKV(Vk!UiJSTd1Va**NVAhF~ivE(2*97l-z
z0|!YZ2Pxn<LVYrk!DJ%QWFoO-BC+Hk!^uHn$w6{BE)Z9VgQRj?pgx(%V5(6ys6&mR
z0yT)*Q#e(p8q}KxQf~^U(v(f5DUwQ46qTmOsWc6v#x#!VQWVvt8q}4>k?DAl<EUge
zoylVS$zS}*UjoTr+LFKM<S%(-E>+1{0?A4O$w&OjN7Bhe^2t5|$vfJTafFa@_>*x|
zBiHCmei2A!;ZJ6fOJ<QrW>J-#qBA*#2N{Gv8AMyosBDVa<5fgs%pZ3VEvPGZqw-~&
z<zZtD4J)yRDMAsp@2}~YqoL;X&(1H%ADSohrp?=S6~0-;1-Zg^U_myr+T6^dJj7;@
z7<?2&bvw-OQ0~j`0N6eXO0tZfYVx<It=i{DYl+Woi+yBi%hJ156jNPP;&TC2XH`Xs
zbF|u9jM~nc>T3vVrp2MQ1u9KR9aYg6b+LA`Mpdfue>HHTKmNt6Tsnw;qEO@`Y0k!U
zi)_(QF4mArjp?4fe>gqp`Ca?_zPSCl-xhqE(51u1=&(g49xJRR+BN+2Sfr_ns=AJU
z?z^AI?QGxka+`Uh4q1MwXRY#}tBQe6O`6G0YTa~;huW)2Tve-w1sirAPCc><i?R#y
zg3~gGWyg71-DS1u;n;LULBGtrkvX}!*>Nst4Ydv)mac;`M-^qq1z0f;r<?BR;c2S~
zPRlMR${CQ8m06UNpBEQo4UoGv53jP_U2}%wDw#uv<>U<vPHSQf^sW*Y9~U1VXXU4t
zca?Z+TzrBxJ|QVJDYciiZ>7$5>r#F>2M^CK#X~dmin6nU)A9?3<rmm4XSK%IE*JJ-
zx4d9*m+~ui$u1a~la*bFO9w{>w}`ivD4~@fkYWg}L~#+QcTh_dMXY-Jy;fb@yy)-l
zaI|LeGod{q^G~d;wLPtH$kxp<9ee%kxpn01G^J+Rn#E_E-MaMQ*lk67L%&?}yio79
zySjPJhfQk?*_Ym|-sesCr@0q;m(0vrQ+v<cz_$zhYPB04v?}i8&z&;WF0a3NyH%7i
zy4h>7GxlGcd-1m?&-Q54VCS<ZTHhO+@J+G9&(}vxZ?fS24z1JNH^0nX_*~Ak?1;%z
zw`O>5-~CBF&tqFAT@R{Kbn4mAw?4i5bJ4i43wK-lO?YG5E72>SxcvHsH^aOh&%FE6
zaJLO-J1%Z>zRyqRo!^LB_-1zS!J~67?H>19`<6}bS3BF(eAe;HK~pC789cgwvwa!O
z$9MhMW89A78=rhUT-D$MOD6qfophJ4GQb(3!ZUr|?Y!Q5_ZH1Nbn@}<8y&yWc4Ev)
zYrMq{)@~T4qUg1(HLRiK+g7F2Yfw?qu)49a`B{a-Vv1-wF<JRTX=4E%igI7Kvs&;=
z#SDZ-c!dE$dWtpKnz$%_k+n3Y?BuM1+)C%h+AONFL8Uc`!7;SwfSS6K)uFrxnw`~I
zw(26Uq{B}v)^NG)riWOAmcoYPs#(2lmg6cLq`gGPTN6{F<0_j6{70KKNoe--pDO--
zLQm_P-w%5Kr*rlJA9X0P^r@5ndgp~+vo8BTYu_~Q_R#Mh9cR7tW6rGVg^up|EtaoH
zb-Ne2YW_;!ZL`1YIY+#+->Kc|197k0^^P3#%h@pjJ=!kI_W8EBale{#@^<a2Gk9`{
z-RvfpPkz;-QNXBH(;~ereP2%*9O}NLQ?<$CKd_eQOW^S{%RJusvs)><f7_gtrym{s
zlAmwK-}U%^-G^*GY>i8K$cN)o%YC@tzvaV;FeE}o?SJy&E;$49vJ0diC;p=!znbNk
z+H~zl)!%5^>Lcg-i?3%oba`&&OUK`da%sII?|y0hF5O(J?$;aD{&o4BIbUtcEOvbC
zleVQJ&!0|f6Z*ont+mrWUU+oSn%RvzT$`G*&TU8aANoIfy=r`Z`yPu|Okb*g85y{*
z&6$%~hrMUSKen>(++NFG4)5sfeQnP1%zDi_1$^e--SOELzr3~L&VU9j-X2zP@!5;%
z`&`#;pWOfXY8z`#Jag%b(AN&ESH~<K_1t6G+pc*RZD>*&dBU#klg~c+O!O<Gng$Iz
zvaD#-ap%Y4XLg^Nu<@&`-K}1(yJN@Y1jjFKEb+TFbJJJv^_W@jl>Ww;(A70o#OxZj
zV^jOdwd{U&+_=2MT)Q)_;RSE*v-xp}(gRPbi`7XQKiy8n(6g7^swrLLZ(PQlXe}&v
zCph>(YqmAAd>alPSmvWeh0*l!QH3#uWe812uk+wowX}A{v6(rUF~2)Bwy3Z$Ix91J
zV0=tgc7e6N>|BtZWKFQfEs9+fUHNPY2!C@npx|Hi^7u;N)_iBq66e;Qfrr~3>zw7?
zsBiLyDi^FlvK!TPAFJ2IKS#fZqb!1mB1YF+^Gu{@d;O_?);gn?ObIjdeO8~Ud1BF_
z=e0LW+t*w;ud(KTa{syFJt2cE$3BQ(Gj#K<s9ISG-?ZvKw918T1D)?0OOtZP&G6d!
z?dq>re|s``=Wv&OFBF~lp!cbbb%N4HUl{%VzHmKw$(uLYY@Z(SjPu0L-F`XQdt_dR
zzRt~>H_5BA@^Z?&RdtWq4|n~=zj)2Wv2W+x`gOqvPF}TdOnA(`!TiV0dVT6KX{d-v
zsj@8Msi-rnZ}nQPyjyiaRBS81<DnmI`)%~|owk*(Dw*ErdV@8c78fVfjv2e|M6kWb
z@b3m!d+f7IuUUIU&1ltV-DeX%+1xO6P*#_D8*_@@-VsoL!n3EhZSX&;kFb^)g8@~Y
z%U~+E=l9Fch%?UTEbE^-9Z|FA?_p}vrw`+Vx3wxBI=F^&_w0fk>FiO#t@5&B%1MQz
zhgbQI;I0KD3X6i<XBUmiFBlS6*P0^Fbo7V|&x#0+w_1~f%a61*0nBKgUl5!*qG(Wl
zLC%=${=p*(vxD>Va*N}dS<~dXnn(TeQ-afSGYboY6M{RA=$D(572L5PXJ}?Y@xx3f
zxQVT;qGE|hNj6@C2v(;86XUU&T#kv8o_zRb%XrjZ5t}j|g<Gxw#fNUWfwi8k+ldbj
zDDQT&(M8#L{c(@oGjntLlPG~S^#?1$BQ2w0|3rgkroFp(`?7ZX4qV%nyk*f7#f9NV
zN1fl&byw2ekFNSHyxe2h!ESzG)t2u$tzbO-hj%Vo0zS7aduQ4@pDD3{0rve4o~&})
zdyO@}Z|9L-Pj(-><LSC3kH7!UqZh<QA0zpyHF)v$E8F_rn(ONO{GIDP27OYHym8#q
z%e=gTUu&gwieEJ6<`dSGw@MdRUGjr}aF32{*7pBmRqlmv>VIGtvb{~?Io|K>8F;+3
z$ybm4_EJF88g(z_EcUH2<h_=jH*Yyl-q9}Z=Z){K2&v!iyUWLpzWn8tX9C~b)-<qd
zK*{{8Jw2{jhn>rP{!Em4@Tn&+XMWQAtu`-3PFr`ZVV%hi*7ff<ed*WlH@-PBX;trc
z?v}%6Dd4ljnph5I0K#x9xK8;tfY7Hh(-{fFEyPp)ORkfRmlhDL_qF!6_Oj?G3TtO;
zt@7qn#ml#>xlyA=5l~@eva#5#VTAy<GQy>*R)62WI<jC`COS+IjkeadMl1?jRI{{t
zS+f#BD|a$>SXO32^uQ$YC`sMHqr9x1<rmV_2PN$fj4Dzd?xt6_hAf4-#`#&Rp#qNN
zUhYWkI<{#Q9UmPZmskmHm(2dG+9M6(&b$>eW6IDyUlqT)dUdad(00PX>^HWayz<d?
ztNqQi)SuLM6XFtn2OUJ)!8Zdoq_;bz{n)Biz&i~_`p;SKmv-S+srtx>(Yu_so_~3J
zVh88t-?m<}smYXSmv2p5)AqP)t9p08uKM))Dfd2X@!ezD9d9maJ>1o6tpAzYN3L$}
z*ggN=-1nAu`k?uWoiCogINzyi!;iwp#w`&yV`ffk={}?6d;9cOPEWtG`_7ytW9N<V
z*xllK!$$dz9V2pUk8W%I<(mvAkH$w*Ml3gr`~UiB{cpZ+`JCfvhnDxvA@$VBpAR^^
z?#xTKoEPS7kLebp%z1qL6sL(JM<nn0wRz^PoV~s;_piNP&->P`^D+0ii+in{ynRE9
ziLZyX6JwIK`kOLe%G$HgxHfU>wUaMAd-qz$Ls=)DT3VxcGtd^KP%kHi>Frmoee1Cm
zEmviQ7Kbf<t>|};%=#Y&K$1fyS(9KI<#}LS9cz-c&I7!>73X1fvpAOJ)AdzF^H7lx
zO5R?nQuVZJnw^_DDzo50YU<+Q3B(?mS(F{zp<rNUUd|X>uINew)(sCczD{CFTzu-o
zfGn>D^R;twNCRvR$S=st$&7Qey2wh?$*xOgUU2LD!t6MhyR33>@@>*TzaK!g7)kWd
zLK&&b64UJdaqd=Ed61)%eb?e)*@!)PMdc@Io_}-VKhoOozP;4x`_xh=r~3!{`<%{y
zS!;S`{!@KRPZgh;6R>HL$KABhmS)HgPt2X#*YfBMyEnJo(xXdr9sKlVm#-e#9)0DI
z`RSKCRwp{np0dT|7vEtU&IHz4zQbkgp_AI$C;ByfJZ#{A1$Cys(&zZ0dH3hfcV2cr
z_o?-3jy`>};ecH!mptR|CjXf5)rKFA&N}q<miGJoZ;qNgBeJ!<_+pa#;Nd?Wn|kKp
zd&lPPbtrB=I<)14o!?LGQvI7o_gl<*{b-{#p4P8V&RlTO+NQx5-#K?Z;CA`mLXSHi
zJw9*ajZ+iWjejnte%CV%qpoB}4hekZ)H!|i!P|$5t#{6SnD&ut>lyJm@0a#%rrjNM
zy@5wgIWE6|C-n@Ie;`npwdSJg<v?YpEdr5n^61tjy4*6N%U(Ft6(E*}E;;Z3Sq#?G
zt$nPISsXJ;TPmgZnklBY#oE^Tpe^9Bw*<~YWU~Dw9B1`=0LC@TF9<NM=JcnBNhJPr
zuKhbO1=l9_GS`l~dA#%2bE1M{Z`fIOw>_V8txoVrYi-%xARS4zHF#0rBLC8I^e@b+
z)Gutve7Hw>*ATASSX%*I%i;#Yl}A}1C_Aq|Bh`ZdWL5vB;i89N`cHBEPe`#{<cwER
zyxUw&exqR546k&zv-7U{^jbQ-N8uRfK{H*(&%Jx+*CSIy*1VWl{NwF5x!FO>ngt%H
zce~$D15b><xP9oW_BT%YypR`lY|GWUo6n9r^uf*}9e%aUw%>REP_uZw?HcQbeaUD0
z#=q@&+HGlePTg)BcD?0&XWExBYug8Tox9loXs?JRACC@tzDGu<<txTU&T(I4*W|Na
zlYCw{ck=%0qZ)=S_U`iGiRL|%o<1=$Vcx3E{c0C|;_7hu`T{L*_L1EBm%TqMy|H^i
z-*>kzdG%0}2^Z(D46!N^XM0|nvHpASJ|%ANwd|4V(ZAus_@{SHsQ#v7VWS1_&Yn2c
zXUwgICr(dzvia(puO<v?8CRmO15CfKDvEW|;{PxhR$c!PHY()IMUze;q?gN{_F9}%
zB{5UC`d8X=jB`egSs{K_g%3SAQICUy6tlF~obl@xH@>+;i(Kv8@*{DoM`!E!N~bu*
z4YTGg%AGh^bb&59LKKKB=%T^c$`pCfN`vurwF2x376VW-ROCQAEymU;l!`FbDOj|?
z{%kBmP?qQP$L};8Q@~?$vCcwGXS6ZY)@J1p2_aA~QN;XL4>&g7y!cfA@oPqhx9pc&
zd;8Lp{nDcw_iO(C6I*-^^xqhf{EqXp`94v;hf_Zr;MUHZU*dXfe4Oj95qjh+$NYx3
zU-`;Ut#W5}RqE{OY^mQn+0JRx66=oRk8e0PF?+gu>7JBzmr5sW?)~}XN4q|e)$@%E
z_X~NYqnEyH-S=qob-tEiFKe5J{`z6=)}`0{Ca=76X859O8!zQ<Sg}8A!Y_|J6E)U*
z>B<f3Iz69qZqfO%D{FqYBz;rLnv<Qk49oW#=lIg=Cnw&nzi!ruO%o2E|K_o@AD;XC
z&at1~+V%1r=Vw;;4R7?*kn=yDOKSMb#iIwc^ZRQLIGExa{cYm$cRpCX&He4Ok-yXp
z+2lWD|KbwW(OROK6>rZHSEAel+TM}|T=2iGEvc@55VtBBWFM<fMaQ%_#|Imx0&{#|
za7LU9*+ptxVqBfL)Wn2de=x`8ZyEPjOpAS?-V@z^%fFMo@mkfFTK|bT7%6ub^f}Y3
z{k+1^4O8pC-S@>{rG@8-O;r=S^=Vo2<Ia<c+{5cloLG1Dq;FE68gupd9LG=Z)yay^
znBOV+Y>%*~pW5~6mofDl|FG;}qt}}>thdJhD+g=8U3~*QTb%0XTjTtM=9A}M-LWk7
ziu?5gt)FO<_lEtnKIe~Kf2GB>*wD@6g1>9J^HoQ?d!P57zH`e&`y;Q6ckUWJHLXU~
z)@KLSHfp>y=m*P{72lkj^ypKArdz_NOeuOa>GbG*M?Du$N_BO+(qizq{>{QOy>mZq
z-M-JBHR{rrwjIjsI_Ok~USGS8sQ=-w=Wg6>d*yhap7quYwM&iO7dy|~bL9~?zi!<#
WZw&i>b#h4aRo|w&zp)zwApZwi;ZRoq

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..86b00c067e0a15e5fdfe4f4d97e4665de8ad0410
GIT binary patch
literal 292404
zcmdSCeSlWe-v9qud++u&)u^eNYO3kFu6gWfnx<x|>3OQ@IZRD5X`(Wbq$h(AijX8B
zgb+f94j~jFbezzk2%#t?p+kodGS~0*+3T9*+??C}y?@_7zQe2c+H0@p=e73UGh##}
znSVUV@7t%W|HSav=ftbnhV6iovcUrrTBQ6W-q<verl|u<`VW}<#Z?!H+iZ=9`_jPD
z6U(MdTls;w;aOrF8CZ5w-z$E)zO8uCSt317IkBvL$5U5szgWbqCA@K`pEG{?!X5`Y
ziA1N1bUyX;^Q)q!yq+skzKr{A&X|7YIsWKnT|`E0!Oyv8jz4#LEG91Tt>S*dnNu!2
zV~`gcDRM!UI77EgnmE3)_V%64aodCYohM;YXYO&MxUS+lYtlJYvzkmfKw6ztk#PBx
zX{V1*IQ}xyQof1nigU)#nqK=!hqRcbxQ|X9f6m0SQg>#E^U@)a#HXiEJGbiI9|p}7
z=S|`tD${39oL<)K`6B$6;C_^7**UesMc-Zi>}mCTd?&Tt{n*G`byAO5z4)B!qUtRP
zQ{A0h*A^%6L3EVf_Uf<6(o*ghB}|RmtEb>6bc@>X?_x=mv!z!2ejTEtTqqGEu9N1J
zb4Q#7D9N*GPL+-(2iv;7>w2!^c;m$R!3pBDVfQKNdm^T2EarR_^ED-=K~&7$de?mE
zEYW*}zFbBMrR3zrs-2Uh%qf-*&J47fl$mO@itAf3>-ATXs&35p*nbX-;a=_!h-)dD
zE;&wyG;^+(QYSTb#EnWrr-dA6zKb1k(xjE+NqeV22AemewNof<&Ck->^pxgK0{8N;
z_oask#olu2V6HEN-Jvqr$%pK~{ougQdE9$cQq5VC;^az+`C1a416=QxdTKV$N=A?$
z&C~zSxP4>4)Zk2#w4-IF<#sGuhBaIxVJ*-9Azgmgz1GKn2lb_O7O-B@OtaXx)ZZ}l
zE7%I3K{a**tey12JQ&(?{Y_0h2YIvgeWKR+zhQ#wpJV?D+Jd%+nl_>B;*Zew^1r8@
zJ0=LHfUtg#4vx0PKSJB+AMuEc3fix>;eSWl^#7K-3FCLresV0@U;Yz8U()_`EZWY>
z$@d-7*|`?&1lr&JXVm&L?%f7bSOfjmsp-?&uaCtUA#JtK))4e}?el*g_xIce<AshH
ze?(qvkB%qD;21ylA>+#+^aJ<@d<;L>YbgxI9$#9a5Zi?gt{IDTJgR|lsgG&Ny`@l}
z@rQBB)Q^3KMoshBcRFU(5R6?qe*FP%p7aaGHXYyo9CiN4o!jd_hhcQwJWrZJ@3^@q
z3Zz}f(?7tez#n7ne}%G(kHI<)|6hS|UB~tsg7IC)_&<WNU&sGraau_}?JuZ<pgt3&
zhf`Pj26oufUQ?mfF>N$EFl+t)EZNQjl5Jj=eDjuMlE-}0D)x!foqh#D+tm4|g(OkO
zB}dy^4;f-wNgXpoI+%X3=gi31VQnYQc*1-jXdeS;BMRw?eHyfnR+zO7yb7<-N6ur6
zJ_`OOa^DGP64Vv*q^2dPgOO6l$&qx@@#}o3WwefQM9X7mP$r&vjO!02%e*eNp`qy{
zK7Kkolcl*k9WG=pz8rl-nwy!VeWpa>+RV(1{en3e+Wcx4xKVdXI2iYj>F+gV`X{vc
zpK#N*rriIN2L0BTz9x$@(?04;Gw4m9{yv~_>^tVR<~3`cV4ZV@M1%QO$5Wj<nWLBw
z%Yr$Ob<EMZtyM7JbZ{1NPuD$B>WX<HSl{fWow3$&-j#07)6$NyPn`2(2c2(Y2Mwz8
zuCt%(>oDtj=t%5Kr!W2oGA8}P7@8(|W;6BvoaEAGi&@Qf)_IvRuD6pY^>91bd@GK5
zNg4<7p3eHGz4WK;v^G1KuWFMvZ8wLdwzE|Voo$5oG~pM^K*H*#_cT6@L&LXoe(d8Q
zEcL6XpJuW50`uh9PtK{aZ=De+d2vnbd#9S~pU@xBt77{DYSvf}VE+L2=f}R#e7l9Q
z@7<2EZ{2oi8#D{e;{LbXr%c?(xPBD-htQR1Wo*A<9;BWgWX(c2T5e7!!X+H)>wBjy
z_WN<8=vsw!jN1(Vb-4cx;ZnXX{@q6iZ#jA=_HV&sa2@w4dv`GR`f~jpVZ`TIm$2P1
z_6}~S7k2~K&vU&FeF{C1v?=|F@3PoW?zypVy~eTcy=1f=nuwb_xUZ~|GOq}`BJRC{
zZbV-|*P|E4_ABmd($4FP9r^O!K}n<c2KqXB25ul|8`?hp2L$a$+t42nv@2~}e*)S^
zA+({4KST$i+h9vvKR~~ZvkUzJ{sHgB`7CHx+CTmXZM#ZM+xtIN+N`$QKgIu`EQ50Y
z6Xo=qvi!5@sBx!#oANOq!GrYmTI`jQnOBk-uPh_bZp;h&q=LSXEtBDM?Yrp9an_*^
z!ag`1PK)bV=%sNg&@<wkFN<Q|%fi^Vg!zSrOPzghQgxqzHpKpo*nTA#BTum7U@%TD
zl4Knx-Tvaa{bN761DHSBv!1>kH_GTZBhh)WpM!BTKAs*OGj*S&YwITLKMzoEI%evA
z;S4EuXA$;1%<o7uw;QT)7c(E-gO*E!qkE#K7;|-hs$sE~r##rB>b^$m>;A=EO#1HQ
z{>#LpY0~s4nnsOR$M3Vbr+blB%!wLSV+p(G;BR&;=FVnL*L=;#zJ{H+*Kt<Su!*~7
z{BZh_hne)NGc+CX@)-~>AI3-BGX`nbwYjFDW)GxkQFM*on)yT59IOvmN7UD~h4U8k
z`dgGS%K9Vf^x~d!%zBjem*8BDT@UzmpB(J5bzac5lJgyVJNCy;Z`>qHXSX(M5N$&f
z$ji&bc^KYcUil8YhSH>F&CT56XnKM*y{->+f3EB1#<Wx2r+?3B2x%t0&TrC08iRO?
zxHpVANSFDM^~hhaU&q}06Z!gye4#<UI^wQ|i*aAW@vNhCPZ3}5QBL)oEXq*V_Q#fu
zuB|9T-IK)Ao*k4^d`*4Sf2y>lT@*T(v3EDj^+tw3I;29wxaOitYsdz5*NXPg*<6La
z!#Ysir^PiY-6_9Zr>S(JFBho0fIkku9sX;=PjgaOQxdK@B3VJWDdb<nPmxaM2i!HH
zjiv<m{wTf2hL;^5H)_U^_U_AalIc#nRMxY%SugEybAtH<lBEdxVJ?DxadSV~aC_)%
zHldr)zRUy4E@{I)wN0%Z(k5Z4v>~0rHU4^={)ByqItG#IB2yyALt8inav&OLIrn2S
z+LTM9K%XN2pU{_p@LD@36V3xNTGv<ZFv|UP`pfIsZIZ^vgk{5AO4v(-uxsK7)cKPB
z^aW{umU>=7|5`%ZUP8G(!nks_baZp1BXMO0?fEm#iBgF}h`)$3`V2O6UBLA?%sRHb
zLVYv|)Q%xKmgpG-cFrmE+c5V&CmkOXN12qGcUa#&$NG9V{Y2N`ACZ3I`M-hlE@Mj#
zd91-}@}l`U7V@U~3phc-K|VFF|2-$f-DLcp+n}7Zto{>}qn2gBRsRQPQt|Q+%G=h%
zaOy<s<yc&M&6$*ru{G3;{ePrdkN@YicfS6U{%IrHPJWM|?P&Y?9o$XKLubk;ZCk&G
zwzvN^rxV8SK^xX~Ttm>7wLSk4+RpzC=I}7%Vwp3Xad9xJ=Tg*#_62RLL0^k7HfTG<
zZ_q}l5AAnBpL?6Wq;;u&{>k{Nb#+Sop01m;Tu6`e5aS5_jk&#>Gm-IB*8|wIrmuD{
zVl257JB>3Lzcuj=Vn0i~%;_Fsw>-K|(De3V{i5+|yFDgO?NdRVZ!xai#C}QREW=HE
z)-Tkr+Zyu)j00bxDWv%q)-PQ#howPH|8Y(u&5SXO`5l5fZ-%*M{X$!JL$ROT_V}4W
zIGPsCyT+$ynr*Pt^4U#2Xc&80x73NJU)M{ExqmjQ>5SKt6C#b>Sf3DPP_CL^Eepnt
zApcr7#8J}^G_D}N&WxW)jQ<x?c5gFg>||~5J?9}G(}xdBH?u*~8Sgu?FU>Q*&M_UC
zW4bUW{C19coH^!k<`|tvmNR#(LH}rus3NW^83E}Kft<LuLOVhm$d+HE7_#L>X#-L0
z{@?I7j(p7~tur`hxqv#jp1FQ5`MeLE1f$@7uAh}o@;v6_dA4x_IvftcQ?QZy*9F?b
z+=!mT`fREs@f5DmOr}3HV{J8663mF$&*m)7{cN1=O=sfNxKEO1@;+^H9BuIeX)ljS
zj;!H4X#(c8%%4TfpR+*II2%<zf@Vkq`JVJ#NShcz_&*ZoAhZ<P(LVYSS2FDZ<e}It
zfjx0)e9$BaXO2XPuYFK&hp5Z3w1)z;B3NrRVQ$tnO#$edOlb@~LDy;BK<|aXcTDVS
zw68S>YZ7&<ZU%t*)%Bg?%b3{7HMoN%?7c$YX)Z->cW8;Z6WUKQj%q)NxDzEOejN$a
zx{2T}LLUw6yh`c9b(lCZ;^<l?gEi@s$Jo`}tI;m;dr?%$VEo8o-#M7QK(3ig9rPrO
zGq|VcNeSeAjf|vzliVo#rpa7Sro1LIZlUh^(hizJG;Z#IDr&FPT&tU=Zl(-Tob$!w
ze5tw9h<=_-pZf%o>Dy|KuMg#6NrU59$Ls#{J<z@7S#kwyoNUT<pLCIZvDdgx#$NZD
zQ{gI@2DiaI@CG~ruQ>gswMdL7nz1wBX80St0NdbX7!N~$XRxs<m~o7b#asasVGOK?
zb)a^qz+-W)MsI=Z;To{vhGTm%^Yk><0yHcQXCpian?e0Q0xRPB1FGTQ{%>f!8mGp?
zv*p-d;;QB~@HlLRd7yD?T#DvP^Q5Zz*89o{a39p<`)yrEb6pAJVC3(ZYwp#kmeaZT
zJB+46{5sIHxvt6YzpLJx3>U#vs3~(z_wg_VhR2yA|KMzs!9Xb0fJ;z*f^*ej!n1mP
zX3Z09ak5ZPB<Ta5X6sLG@LXH%U8xh;`^+Tz-28{Qi({T*2R{DjALCu*UFN;uKj6RM
z_3|$DZuORW_xRhq^SuS$dET8~Z?D+v<Ms9Wc_m(dZ-6(@8{}Q!&GJ9+-}gWCW_!<x
zLmE6%>PtuxNI@N`%iiQTsVDU%iBYbhBufgrl*ZCTQl%;5WpnQ~?{4pQ|6^}SD3LzV
zLc+q@MbafhG9`<dC`VdKD_VCOX-i()F$T7meCZ$^r9cX$lXr)Am$%H{O{Tg@PZ=&_
z<W^ZOZ_1BySbmZt^0UNDvT0$`OxQ$C57XWBG`-CjGr^2Er<;kU(%finFgKZ-y?gx?
z{=@!*-U{y~?|yTQx7K^gTNgSm)Y#u8!{o32UjHM1hriQb>3{0)^S|^DIMe*k{8RmL
z&L~sQ%=9ktF825M`~6k^C;sQ&eD50X!q6h=EM4VpdBmLSE%dJQF88kR=6G}c_d+hu
z96tBg`ww|nc~^&)gl_ik^KSI!c~|-yq)000|EJ0+a*<ptm&k>3r`$yjm&s;Y%Ijue
zs9va1s7WX_)I8KQloo0hY7we0UcINN>RmL8knEzAie;Q!Dlf=Z`B?sCE;Vz^_2ly&
zv)a65c9=cpGxMeS&irV8ahf|_oPN%5r`)M<COMOxsm}S%#m=S9Jm*H|X6H8NPUmjt
zUT3xQgtN|B@4Vo==xlbjIv+WE+(fs&o9ss2Hg2xl!7X%qx_#aL?s)e+_agUFcY(Xm
zUF_cDKJ2b`Uvl4Yx4Q4R@44^0AG$l;-CoE`^y+(!y=Go}ud~<9JK3x7PV-Kut=&Ye
z-se5+J>fm=J?p*XZS~&w_IRIrUwhxS=+|O!i{o3AwiwZ(yv3Ln%UUdN@oYF0t{-j^
zP7h~?+lIS`2ZzhTr-!G7uMA%wzBPPT_{WHe)Q&WWG>SBhw1}ifT1PrWx<>j$`bP#w
zj*kqFoE#Y)850>B86P<-a!F)v<m$)`ky|78L>`Q+iENC#9r-ZwapddBp-6Q!6m1-B
z77a%;qB+t0XhF17v|F@yv?Mw>IwN{v^s?wR(M8cE(R-pRq7O#@5?vL2B>H&t$>=lD
z=hBnYo1{n6GtzU?^U_D8pOSuR`Zeh{WjGmrM*WP28I3ZUWrQ=@W(>+0moYIjlD$0p
ziR`DdpUZwR`<3k1vNz{6$eG+Sx#ftKpXFueb^qC`j`4nv&`a{AkBq0aZ;-dB@o$0}
zzR@f<k5a?`FrS!x<_mMk95zRs)S!k-oe|Dx=TvHViZjib<y_*-appTqoTbh(YWN;%
z_;KfH=UL}@YWNjri?iL?#cM?M-3D%|n@J7lQNvy1HCz?c@H}dGk$Z!CpS#L^%zfG2
z@|zkKFTp#`OY)j{&AoiDi`U&N_r`h?yqVr&?-p;l_mKApee4-;gZHMl&HKdL=Y8dU
zLk$n4hEJr1M;)zUKb#nD9FB&w!fnDG!@a^I!sX#9;W^<&;Tx&p<q?TEkvfrvk<>`D
zNHmfWX%p!f=@#i5859{3DUFPX*YIhP36aT>Ig!gF^CLG#mPYQ4tc*Mrc_s30WM^bo
z<eSL%)NsRSYBVhxrH0!_J5s}4qdlnMfzj#Fs^}%rInnFlHT(cI{4h2ASaeNvZBWCF
zkJfN$dRh7yYIt$Hh8s}BO^?=aWo8;R{CM_L+3T}6P{XfM!%6WP-j|n=*X?JC*D#fQ
z>`&|lo!x_<UdP(2Id)|=r$n)HV$=9{D*sJ`b7E6sXT>H3_j|?0x^Jn;JKh`SZu17Y
zujm!m?IBO`+IelgmR_cp;e}#{V&BF-W8UMPvTEjT`&0dw>IY)i#OBAYj$IYIBDN~_
z*Vv=6S+R>^vty6P*2JEQJ+1TlfByNL8Tj);=mMSg@7}*_|NH;R$0w{T_K*_(-M8oB
zJ(uj+QR8~g`+LsXbM~ICd*0qNe$RwG<E{Ok=k~Df+4C$sUE{JwKbv1;+FK^F@2!1X
z_c9mno29m&GJ1Zx=F`XaCG1PwS7%@CeF@yDyU*Fjfck0mrymgB?R#$hbmONRxSsLp
z%uk1WdfMK-d-v?!DYADZys~%w-rM)i**k0Z;@xGt`|s|zyZ7#%yD8b-BX)hgYw5>d
zeY|4FYws?8msJNphLO732{Yo};%sxicaz+XYR$Yl$YZ_Y4e=&<lf5b4RBt-{h1COg
z=Li1=W;NCPc(XiK8T!Lq9poi`HIrF<9=5Eryk*wzxBq&#aA!H(>pf0CJX*59b@kgT
z?+tH@_pY~t-g<!kdf5BPJ5oz(d9~`*N~+bkRw_#srJ2S0Rr^}uTG3h=wX$mE)GDfV
zLaowTXVjWf>-<`zx7HjHKi@yvru`Csgg?$_)%4pRe~Lfdzf|q~<**ty_}l$M%!aAV
zg55%d5E>R587dD|U^-P@qNk`iG=YEN*q>0jy$S_2V*gc}&<V%7;=080Ticqe5H<YU
zpHMW^3Y-6@*HfWItY%mZ`S<%P8L3x<8hcOqr+V}KJ>Iq6+E5eLN+0>H{MMo4{7=36
zy&FSmeoKFxca8s||C0Z*cM0pBF05m^2CK4RtjkVeWmdtO=EC@z=3CZj%Yt>y-Ll+&
zSN<xm2dkSm<uf^Cu3`1|BkQ-HS;56vT_v-AYZ0vAy0eDU72G=3aN}9Uoz4nwqW_+m
z$tvzfUB{WfnrB#Bb>|$Thg8c@a~%6FJvVB^xqTD%dyP5!OXa-0xtwOwWgPqO@g`Fy
zn_L-dB65ytFH=pvOfwy1y6GtAna(oHbd%Ypmt1O!Wu6%zS8&d9nHeZQ@NU7C?A5O_
zgUv9xhEs)W*_|&iC&)r`qAWHeWr-=5rR>6QF{hYu@;&Dd_n0%}VKZIsHD~IoP@du}
zXdQd_r_CkuoVi?{H&@68bEUjs=E*DOTKSt<Ag`Il@`hO=Tg)x8)!Zs?nWgf!xlKMa
z_sCxJknA^)$mjBvStAEI$@tnl>93M1d6d(e9p+x%MiiN2`pA8pglsdn%RA-{dDkqH
z_spHL-Q2~gQj*Lt1@ff1NT!%Px!H{7Nke^kk*6qsHw(@4<`uJ<^~4+IO|!*pHE)@>
z%{KFndCxKC@8(_ezCX`j=-=Sq6bi*xq%ByTHuIPIxA|B3*ZDVwBB6{>cBo~jb*OEq
zU8qB-Ak-<;CDb+4Jyaa(8!8E%7%B}74~?Mbj-v05b|<@2oRi%%SdWf&PI1OMr#V+T
zrL0d!IGo%$Cpn{>F|1-{vwpeMxy-rB8Rv|5COD@%mCi)x4ChSNuxGKxIh$3^Ijm);
zIn!C|%y4Ep=Q>r+d8}<OVBK?tGuOG?ndiRXHFY<5&D<Bg=I%>gn)|ZX!rkbF-M@S3
z?j|q8ecj7;-|$+wZ+flWEnXXUtJl_j%gc4&_S!Lv=CR&+m-TB$_kFLx{lF`9KlD1e
zJG{>BPOppmkyqq?>~(c_dEHp=cK2udm-?6aSNd1`3;abs?>?G_a<XYE<(wg&%~{V(
zQz++~E^>kCDp#8!GT#i9>o}uY#JSM*rc7?&yyr&FvTiab%Wa(T+-^>lJIraaiZi9P
z=2CgaTqe(&IkKL!ub0f#^0JvPn>f>Y)hv=v%u3nA^TJQf!}5h$&5qz{R*Y*+5ocw+
zjp6+jhxhPY>1#aB6l?L`lP~>Eh<92OWT2_d`wIFFab2DtCdvepC8u*vQE75yBJb{<
z!Mj;!n$|MOw2`w+Tbaw5<mH@Ot>B#Oe$HJUFlWnyW{RxjOzkh6p*>`#$!c?+JZ8?9
z$2lu|f^)GooPWK~`_vzp<+77=yN}EY`Is}iT|B$m&9nS{W|e$t9+Lx{dH&Np;e6>F
zaQ^9h<$UcNbgpI<d#$t3xz1VST<<J)4msbkZZ)ps>f7A4oI8T`?Q&MQ_d54EE8LKq
z;MQgDa-3U_)oqe<zw?0e7v~}8VP}=|SLYG8iJR)Yz<#Eq+sW<hc5#bX^>%Y!a$aUt
z{C8)Q^Q!Zj^Sbl7^M%8kJ5IF|b8EYG+@@|bR>@gzfm`VO!+FDblNIz<=Pl=LXPZ0N
z9pb#}yvK_Aedhz`LuZGx(>=)@<$Ubya&|kPID4GE&Zo{k=U>h@Zg01TTkL%64s>o{
z|8)&-sBd<sxl`Tgthg_6hq{B@VXp6%u`|1co!MQ^J8qSGzB`LmdP6tGZNz@8vGXWv
z`3Ieq?87c_FJ$H3j<tJxH^NS>t()&`V155AJGpi4#qMl(rhBqG(k*wpyQi_kTjOkW
z{^oq-p6kwFm9Bf%8@vZR_N?qpb@zHDYlZu~n?g7G8@vbEqutC(ekCjUzxX-+70lut
z{Q3Ul{zLvV{?q<iuc!C4zuDjFzr}v}9p>u&{&yi>uh;#q!&CauP5Nw8B%4)={<snT
ziN;~r;v66#Sl?t|2JbR7)8etx<CGx4e*n$4_-fC(QSo$L(bD4S>OtpbPRqPo(KZ(E
z9<;5+--hN|f)!Ug%-}6Rb*=~RJd|~_;@yenLs!hb(QeQk^95)Ri~j-I)8gxDSJMRk
zhp74iZ#G(N;Vebi+X=HKM?Nsd;@yU_wo$yh(Xkd?;W4)c_#dOES-d6aI1A@1!fsKR
ze}$74;bbAey93p@!Mh8+#1gC+FU1W0ZgjbYGYt_fFYq*sdoBLM=zSLdL3D-1zaNd`
zvrZPRC-9b|>JB`0tM?$(80F+o@mQ0~Ll$52r*VKcA6;ef_n?2Zc-NwjSiH69qn1z;
zl=Y(GYg~_6{Etvh73B%+TcK+#q2tgeE&ivdrUN|9hwduCyAjnmAf)BF&f;rZd&c6A
zL!Y&HdbYP7o+qvs(HAVNl|(kcM(7NGi_;T*CC)JP?{PRaluhs&X#03Qj+W16cmpnk
zH{)pdTjG3+ZjEy*`WCzk%iui=YcY}SakN~uy?zK9&yF}6_Rct;p<0g0A<*^*tl>m<
z!Cp8FT8>H#_E}6lRQ&^I<0AXv3(Q)cUs_BQJpf-}-yQwhVtS(oExZFG@-K@SgMI_w
z<9<B)gT>eUX*z&+YlZctu)Y+Y0|~3l0K>^S>&5`1d9St@txruiu(lL~QPF<R+!>($
zm_q}!-!qp6Xc)|?0elW6%&ivM7;|iZj6g$iQqTm8uuEm`wKPKOSmY$MZk#4)qD4lc
z8m`h9DBqxrN1^rOq@qa{8I3lG(;RJR(eXp;BOo2sG=YvKtfMU%sKx<0uCTVYWTF}e
z$Yiu>oLsb-MaM1H-<AkUeFt@Z4%#A4do*m3si?YB@*!%GX{e@8=>VE0km;zVL+J=v
z7C8^ij?)><vB)g6Wt?s(V}YV$BI_DUFSLzC$3)gSmSR-%1~LzA7iR#PXW==Hu&=O`
zpqdAe%TP_XG7vPaply~Fx#c;u&>~l&o#G5aH4h+Hp<Ut(MvLMML%Uk^xdQtb%kikT
zU65;0ZLdlx^t8wVRP(Hy0KF};5G{^#BHG8oS9ij?&!X+HpGB6SnrEdP`defvs%4~9
zfaV|M7F6@5oC2C3WgHB#1btiklJYEQK0)Usc43w?P)#@JoWYLFG9A@?g3ev6uPtYy
zBP=?Hu->+ui)wyA=K$8=mW$C*79IOplUuaSXg)#b33gMKOHj=Zh}P+tIG3ZEf6%#s
zb-hK~%&8XHfSwjd+rT)B&LKL+1!&uwV9|NQoE}H(x6-0>3*S9hw0^aWK<5(nqZX~l
zNfw<;Si@Vi9w%FLK4DF7(fXQV(Yb{+zU5YQszv7+*8CQ&_vsdS8=Vp7Hgu*%=NtCM
z7Om4Ni_RtN8!Qi@=Ua5%U>{-8x|?NTS1jx+0)qMDBFxGf(E0<NL)d>?w0^aoK<63u
zRF)^vIdK}G*IVQ}^hOJNZZS7m*nNvxZqYRe`*e%i>ow?H%0A4Z?eHaw!!7d<i>?uQ
zU(=%YZ(3vys&%0B0WEjX^%w7%ShNncd_lIMHQbK*9gC>G8|M!6J&Udh%=S3T(DyC6
zMlc`5xf9iT0$nc{&5v>yd}5Ik&^>XI(0vxsI{z$A0s4hS*IeeyI9gAKETZj8%Ua2U
z!xp(2{V~pH^oT`t4EQBZeU{Lv7T%8#r>TY04RM-TbZzA{x0r=!7Ypy*h||v^C!(bm
z^E^7-!aH)}jDT|Dqdz*N!>Pc$2|X3GUu{OI4@Jw^p&uz)#twONredaCooS$L`Xh7}
zT#T7Ab7+swrI;xvhq`y>VLpJ)2W@}<LYIJ+2W8+ajbqT;EJpLV%%XMfP=AWnt#h}<
z>_lm+yiYB>!!6Egi+?%#xWy-K=Lw6iW%abhzX4rq@oz%cSwbQ7S)eRK3Fz}cIfd$=
zS|8w(Zb!?JathT$Y1e#nBmOO@mJx(fQB5m^w63(gAk-B7&=P8a?y!U!p_(5EX+3M1
zg1;2qW$|xAcU%0cP};5HUx(6e6`%5TY2r#Kf*MOG19dE+Y!nAds3q!ILaotSmQY*N
zw}jfEl#3GTfKo0>h`!*~wuCyNl#vpmJ-T%*p{{76CDa|IeJgtU?KZH4iqVFaP+v6J
zq9@rd<>*FnKLE{y9L%(B-q#7xb8xqnB{T}vJhZ`0Iht$HGj*4K=#uu(7_`t5It|tI
z^~8Q0s&PYTBHG^)Iujjl2~9$);5<<CMRCqSFO8#qX>$RS(JSLjL8&vvIT^h=&Kc-@
zSb)8zd7(x7q`S!Cj76`vIGX0g7DvOr0q((XZ}dL+3ugMg`;f)a{61{a{_U=UM{zS7
zrN1bSrt2|y5wn)VOBU_Z?#u8h_A}7eEY2MCb&GQax*7g~o4M#47VY!y7TAjYh3GpL
z9V1-ElmLzE{W#;%593Tg=?4L)qr2l&vX2#@9cn(j1W3gEBzhdsu3Y-9mjsP5Q?6bU
zpg(CjdCj3c=3CKx=#2Rjv<q~@{3Y5QPR9H%l=|?f2MyPw4m`?U!}Um?;=X{AzJR9a
zOpCh#JvR<<>+>*0%U9200yHg)En425rcX%&`mmy9?=dz7v_NmMxEoQ;gA#_N7WePy
zZE@1k+b!-U^o}?g=yHqJp`IlLWTW?5v<|)d;<Q3(ON#p@N?Qt`pLvg1w4S|3<Fr9n
zTeR-I$Ktd_AGhd}UGIrFx#&|C_igm)IE*>oGZuFn`fQv$RLhsL)Hda5*(ubkr|DBV
zf~E<yeR-M=r2sT6a6drRzfuVATC@#%@5SkaZnwBQPz_7z44+uEje2|HbV2u7+>g-D
z;uN9#E$+wY=W)8CUs>E;=+|+&q2E}v?R($G=`PZupT)lz9cb}qqk~{D<3Hn2i{mZ+
zT=YbX&sfo-)Z$-_j<ERGprb7Q0`z2{-TRBsF&2L@y3FEVg3^8ze-8Sr#a|*4_ANp@
z;gCi5=wbS(B7_~LpDMb~4%f2?@rCPKbk7}bY>~6kCKlbNhNBjliKbh0uNls=$oVMk
zSke7un6{|M1t{%L(fwt(qeUo(Fl|E7y;@kq0-29e_loY>!qm4S*P$9N=sql5WD&|L
ztl@(0$->m1BG;qTnWFo%a4(D8fcCcN{w!Q<ksHxI7Tv3b`&#5ClzLZm-xe;h$ZcqU
zi|)h111xeoO50F$PZp+aC~^l%8&PzB7S^<ao=t`|ePCvwS|6Zih2hZ_-CKlDvFLeW
zc#MT-IQ*6!i#&^JI>5|9HEz&z#IVK(hBg@<XA$~sc)Z1ET}-gZ%joGAo(V~Kibc;6
z!{=CdP9))}7I_t&W-(e98aK!%sKy68Pm=KE7TJSdVc{8*gy&iGyf1vEh38HZ*04a&
z_`+J3pnIUO))UCTP^}x_`ILmU4}hNMg>Sa-zOICCv6v$CR*TW_?y~4vYIwOt&(_2D
zSoEwee6K}{(fcfVZWmr*kv{1C7CplYKVXr*=z|tL&kJk*LHePZXV9~~@Iw|UK{d~y
z=X_yp6CnN3zgqOnFZ_r_w5>gA(euBsmJ0}NF8r89&jQ1bTVxRWgvHcB*H~mQ`lLnA
z2*XcVMEj$bDd>4&Sj!P)0=mwk=VW1Riy)_?+WtV#%);8{Kq}GaEP8$xe%>Mz(HAUw
zmKNS%ku%U2EqbOFe#s(dqAy$Yj4iy;B9qX+S@gUu{E9`+LjP{jv$yaji_Aq|wdna%
z_%(}Mj=pX&T1T5L`dlLX4~w2{gx|2}Gm7w=7Cq+(Z?WjJittv8o_U1dvgmV*@Y@zW
z{|Ilh=rfG)I~F|)3BPO6=NaMmEP5^y-fq$78{zjYdPWldz@pD8!XH}n%p<(RqR%eE
zJ1u(t5&p=c&oROuTl6d>yvw4`Hp06tW)}L1MW1zq_gKt@=w6GS_lG~Vn7h$^7SVKl
zW--gr{T9)*d~V^nt%Sd@=<|T^mlmGoO89_9pACfnY2o><guk+gruS<L&wM3(&?1_4
z9T$M-z!KK60Q4C`_*)Clh9!K+qR$P&-&uHGEaC4h`V1lbgN0|v5<YAZP0NoKLs>-#
zI$~I3lh=p?A<TpsNr2jzuSV-YeazRQNzec@@kbg$Bg}*yNrk4EZ$g_v3(U8oQAo#p
z1kHe!terH@R?r&zJJ2@J9y8@1$%hWOAsvy9&;@f{v<SN5hBAzFgWi~FW07L$gPSI3
zU+9myIXVai<AySc41wb@KZ%yYaNLll$Ot$Yb2d8K;yi<nu{h76V=cOmkDO-F{d{B`
zjK?o&jZA<uF?T{I!CA!h5;_@Z<GR<6OothmKSyW6xtOV|NEMuixf-Q?M=l_o+UP8}
z5Hn>Oxd<-CoQckcOE4Fpb6_s!p6KO3UAdG+WIkL^nEyZ*!wuL|7Lgm_R?L(|WGPVI
z&b#PxxCi@_(0k!Q%vv5R;ZfXtjIM^qF#ijE+~W2|wGDyW1Er5CuGYy@7Ux^^X^T4$
zT?^|7hcrdBte?ev4Z7Z<XCe_TcW^1Yh?YCJj3E&%cW|{VH&|RPn-?uE<r2|y2X`p?
zvc=W5u+icUL$y9Y&nF^(x432KCU}+f+>E{kuVcOw)ieRWS3n|Krl9-y2xF<@YQ4Q_
zakbvIz*g)Vpl`w3m{U+KYtZwF$a@yIF}fYzCw$5}@&SB^nL3E<wCH(3<Rgnq`-o_L
zfO{dj3-(~nMH$l~pJI-n`z&r-^fQZ_kM4)h317?a3-}T<br3mV(Q~ZGKY?+|y%_!4
z;%b}y#^RogYQ2Ix5<O&b%hB&GZg=zti+dV+7=9$KC(xhZXUtkBM=W|)75T;Do{Lsn
z+!-R#kR^0I+R&nV-)J&WuHHhlkwy2wQOZ>D9zau}Ddst7GmAG5O@kKL({G|-i+3d&
zg>>xc2hj|R?w_MM7LPKIwzq_CL@86n-+*?60?vOtw38)78;f>@ZiIOiN<UFN>Nncc
zqWj@!FX)Z^&1i|mUyly7c=W|6?O4&hbd>(Acz;2sTYOEUmKXR}pjAM6{Wj<&a4BX@
z?`0N$J~{`k!M+f^4i;h7v@Egs%g}o){$J4*7XK0S0U#ef?KZ0E0RJ&m^8^0l=qih^
zX;weruS3-x_x&f(HSi>6h_1Ex&!FlK^`Azcv-q^tbn0F4X{YJbv*J;f=}jzp29O@L
z=ovsd^{9A+mrfZeK5aie&*FcDmRkJH=x`W;o2_UWoPv2HItEU~{122eQ~bBl#c&g5
z`bvgl@%N#=#s3_wZ}I7884WBxeJ`V-#eWBFWbw&sMpKKw9c^au_oHEpzZY$5@jpXp
z7mEK0I?m$nLMve+_B(iuC=D1JJnAHSxyAn$r5>`MzzzL1`zfIO{2x);Up8s+>8sfr
z;6=>8ps!f`L+Gm(|2y<GOUOkjM<qmhbCQ5O`!RH~B}6&3Otyp!N_i{(_b6r8l04}-
zP#*P`$Na2kKY87tJLW|qBq_iloS*UkGa91J{!H9IdyFk;HSsB-n|Nd}8P3M<v%$7B
zcj#KFU0VK_F^fj8HL)w#N=b`#Qd`{9PHnfAhuhI;|FcR~n{iw?xmdJG$K>Wl2ds9p
z2aG7s935Q{T`;(EL3BWL()h~NUUs0|n7Ckc`{-&ZD?f{WN0z6rE*{<dsBz-x(cK8g
z({S*D^97>`VRAeKG_Y#_3yx~#4vnsMb4tsHm#>~v(tLGs$>`?k>CyhHH<XsI-cZs!
zee`Ht`A1VqiZ3}UHJ;`WY4+Q2Kf#7lR=&Ep`Dz)xV1b5NR-T!@dd`9c%@>f5`1M-Z
z@NX7I{@tQDZb3;91|`vdt(j9wU`S?qbG67!&rBzsqf3apcJ9!!^8TbWeRMmP_icIk
z(Q(?E$9W^Jt$Etb&xtgyCkbtz_HyGU-U{xKpOu!RmQGP_Ml&_Z<Fyh(ZC8uU9@RE(
zMEPo?nOUuSbxGmvurqi9c?sskSOLF5WFNn=#)n>TDe(JoolTO+efzTs0ewpB<N{`0
zy||1*UKHqYwHOU*(W`46rbVLK3q#9A5{h9LpBqjRsZ#<6Me1%L;w)Gxavc8a5mUX5
zBK2`wf3--`GLZ&zL>i_7;U%vn(d8nI(8ePHw@oU5-jvF9Q^IY!SESi2k>=w>(h7l|
z*n)I~Nw4l4BcwN)0K^%LT-;CJ1_$Wv9;5;OGKN7V%!Vbf3h<w?0}e47BtjOHKm}C6
zLRbN~%UVt^o&xh=89jGCV3$MMbI5njetN1vD&)f;Ak8hO18!U5wk2*`;<hDjTj919
zZd>8D6>eMMw$&_H3@c#+Y=^@ltueR8-1?yK>tY}ZMNkTpU=A!5X*(a5!&=xPl1o^*
zgq4f`T>R(aza9SD;lCaJ+u^?*{@dX{&x16etn!9ICCmoODsL5RgdIRxwNHUuSPh$C
z7aSJJPl8rZ4COE#=EHJW3tM16zfM6Q74l&ajDuOQ7*@gt*bWCpIwn9XD28&80@77T
z{DlXEk3fMmcPa$Z+=+Xg(ax%*z4H=S1sh>691-b)-!8dO0u@jN3t@#w5ostQ4Mn7(
zh%^+Dh9c6?bvn$4<**jEz<&F}XSY-|9|plVAdGH{fiSueMmNIfc2J}{<{s05aC#6<
z55noO1qi370O9n^2g2z&4hW~`Vj!HJ`0YtJJrDBoXaYo`2ufiR%n|8Lo_enqDV{FU
zrw43;U2s^WZxXbEVkigP^qmjOVJ&Qd{lS5j^h-tap%f;;99Rmg0e2-wL<Wq5S+JNx
zD((&B-oQ<;3l576N`h8U4COFgWbhoo?O@yv#_eF-4#w>e+z!F*5Zn&I?GW4!nGefh
zEo_1PB102Ih6$uXJ`93!FbfvLO4tC~;h@OzxIaD$ML?QQpx#fQj8355PpAOu{e*=;
zy`QiiwuziLPoxxorT8l)>{7xmCG1kdE+y>Y_#KYl;rJbn-{JTjj^E)s;E>1&{Et`$
zYhW|%g(D(mDL~w1_%Evf{FmXs4F6^8VH+F}8R<b96v8m5gxRnJR>4Nt0f$6RN`YJ`
z;a97d@<3pcNO>0YfRQi-=D{+N(S$LYFh&!`Xu=px7^4Z}6v8-#Fis(iQ!1be7QzZx
z58HSFnerS%c~(#^6_iT_<yk>|6~s3dzhm(`7QbWhI~KoV@jDj3WAQuo052wckOqY?
z3@TwZEP++Lu#BH^<uD!Q!*W;)TVQ|if}xC0Me|`0P%q<W!D3hm)XVtoaF7Gd1R#wQ
zil7uGahM5}m?x$H@t(o;nWSS<uE<%%fZxfa^=x#?UXgQ_icGD7c_P!eKfOd`MiOv;
z=1P%sxvnCN^QMcO-wKZKP~@=4tYsn>Vt-KuY~%&&azJOV=f&zdu!9$>F<<7vevvtZ
zH+PrF<;z8`sDvZDM7UPuO3LM``65@7-mAGcpR~{C-ZfK17T|ZmGG5$UA+oRs4^g<j
z4!4W&e?8aN?-f~$`x{bWqsWa#Ks-0C6j?G7FyCCki+1?C1-o0b;E2dlxQ+O3qfBm(
z@^E7XF9s(9_m>gwGW;$h{$=xE8LWZLuov)qC)am!eb++Z{#{((rPtiQi~Dz{KrWO(
z1yliU?_L4xVH+F}S?)m=^nj5t1?B<n?%4>qy9amodXNT%FbpbTHY@?$+>4w0aC0AS
z?!(P}xVdi%%!5O`pq>caTagR+Td^0gzaKyMr@&^|0S9<ty&NXNEI1f{alI0)0^B@^
zn+K2Z0{eQv-(PU|&@jNwL$hHCtb&bz`-h0<;Y7&dVNoG3u$KVgKC)lr(QUk_zKoaD
z2icd?AD_Yt>V)+K_t$LV#q<hZL|n?tg}FdDYgh5|IcZym`I!~Ga87*di+IT}74Y-?
z5?(gP{e~)$7xDX|>O#Qni|b(<91wZQgET0FVNeN#_0kd`j+ZvV4mc$8aw23w4;Tqk
zU>+=kHLw}>!Vz9<Pk~%0feNUCg|GtF!!|g;i|-z!K_Lu-N|+5xU=?hH9dL*j;}anZ
zdca7S0`p)Qtbxt27mo1ad<x`32~<E8EQA%X9=5>&mcSmQK_Lu-N|+5xU=?hH9dJnG
z)fB+pt0SQbmcSa=28Vc|G7)lta9*1N3t<&(h6B7zp9on{0>tzBJXir6VJ|Q8dyoY^
zU?fa|d9VzKXEWh!R(D54{*eN?Py!WD1q)#XtcPuIfDZ#aNP|Kc29+=ymcT052s_{q
z9}gr#7W9CTFa_qpGFStfVJ{rv<AM~(g%YTMDp&|BU_ESu10q{JNP|Kc29+=ymcT05
z2s_{qA0{M17W9CTFa_qpGFStfVJ{pJc{>Gip#&<R3Kqf&SP$Fa053s$kOqY?5^%R|
z39Nx_a7g5x6exs|Pz6h16>J8=csCJpVHiw-g|G@X!vQ{`NQ5jPE$>yrJXir6VJ|OA
zdXNPrPzm$+z+$?{2aLBLY~e$TTv!35`$N6nE3zXAN}wF(!!lScvNHk5&(3_{{!Z@i
zoC0%zbnjdVgtL=yb`s9c!+fMc`aUAAj|zdXKH4GjG2wrV-N*RZMVPy0!$H1V-^>GF
z!uVt@-@cE8N~q$4jx50cr^9#%vxbj1@cS9=_Y?2_rF_+o{TGD!MJXJBBYez}2x*WD
zJpeafR=^=X?jZaFn?(Lu1cdihD?q;{PhXSngOhkLoC3K0W*Knro6REME`${#hspsr
zhi1WIk?)A(JL34BbbXKiAF%%c`@@xh-^2JljQx)z;h@M*gz<9;EaxK-;{IhErzAW0
z*kg$psS;yK;IJ46vzx_-94RngOs!Pd1lz^<bHs#7VZWG!O2BQxLNRsnf&1)>O<lIw
zb@5ZT6%<1`OalDYT?#A3Bw{|U2h0~!4|ny7#MCbolQa+Zi)pY%Ov7P79LXN6hr@iF
zv0O}}>98Ge*O>4dlb*)o06*-hP3j;hhfQLda=+<nG0ljp8Q0ATulX)9Y4gRjr~twY
zCqXMQku)F;ksWXVj)>uu*+lUl-5@4?v6u|*XOsYbGqYei5LV`LF<FF@wE{>-b}3-a
zA<ULVd}P7>*5s!R@wC~<2Njh-9&+)^e$=!(C?>Cp4=19qN=*JpF&(mCEo_2aVhU!9
zDa?f)!2LqPC{(+JumaY@X4nfy#B}y}nT7NfVb^sWY~iB_uDcI|17dpMrzh7vcZlhQ
z``)-KULvMXrI^0>?Tep&0!a{sd?<!hKwSNBUxNGoRbmDtz$`HXQ-QDtVIGX1!T1?W
z9@z_-A;X{o*79;pIZOiF4dwn&?hidEW*G4eBfep)`M3f9#}m&9+&i%l_VY2r8ZpDM
zA5ko(ECC3!Y&oojEkGFTCCtcGe7sN!T#rfv{EwOq8({|=;)NLepPU6FVIC|4!asRC
z5LbB;6u~%{536AVY!fp&3WI<!M{nX|hXmmIlsQ0J#?0bF2mDq{fyF?)6^HrY0XJhw
z+o_3gfR|}Xf%~Ve1j0UTI~)`<4maa4kM|%SDuA?2z#r><GocdjH(|Y)(+RtBH6J^0
zpY^^u6Z=V|>#UJtCNJgVh5cft5cZTUV$PW&W@<j*XIc-y&-4`FdPXsj{u#KRiT|0{
zox4y>RW9KFJno;L04w<bf%_K_-mGD;Ud)B~yJ!$#z8Loxmp}zn0byLc0`%TCI3Q-W
z2We0UgfY7kX2TL#1Djzl91(L#3gGV2Bp}X9N#A7x+`o+bbGSbz7fPT4s$e0kfb~FF
zb8tHcw{vkj7q@e9I~TWeaXS~cb8$Ntw{y3_0Wp_*kOqY?Qp^>pK)GE(9<LY&vtTh$
z7FTS5?Ql@cJais<WdcND3y|KcNbgmIaaBGL##MxI6=7Vp7zpDk!nm3=T}_&<CQVn9
zrmIQQ)uica(sVUxnopYMlcxEkX+CM1KLw8P0b&Z|0{*YT|20*B|7-An4gRm$2KZ+`
zWftInK_Lu-N|+5xU=?hH9dJm@wTX}gJzykMiCH*L%yp!H5qVieUKXjDyeuLwi^$9M
zr7#KRz*1NZn_w3l7PA;Xi}AA<Ka26R7(a^_!%Ely+u<M|D&pq`{M>+_8<U_F6a)4*
zVt*s{H(`Gh_BUaFQ#nkB`LG<;!WP&sW{E&5<ij8_H*<aSO4tC~;h>mX5+DjiPzsY^
z4lIS$unBg-VKKKRK`SVRa+nVDVL7Z7vy?Jjx?jv~l;`b~+3l3&9fWbm2G}BI8RgHu
z(kxp7D`1V7JI4Xx+&Kphz!5$!q5SXS`mV)5cy|%^-BVyTEEKbR7*xPPG4~MmJ=+2E
zy-UU17Zt;v&#WM>6@<THBWx3MKjGa^cn{#_!Etbam)ks8CFU<BFcK=E3g*EQSOIIq
zJjDHn6Cf4H?<x;)_g4YJd?X)m_bB16#=Lq9knYF0|JVi~eUIbsapHb_C1CeNIZWas
zr9onzOn_xT7*B47y<(mk2Bh(6+^;46wcKAvo}TF;=2`UFU1HX+7V{j}&*A>LLt@wi
znineJh?ottU_LB|wXg~Bv*Dna7m4r1D3I0{2f;WoFX858^ksBoshGcU|8JOInJ(t<
z#Q%57X%pA4E(XG9zhhocg4M7Aw!?lnEM_zIn_EE<5a#Cju!RqvQlS*MeuH~&;QkH5
zdK35TL(H4ly-B{`#Lt^mfIIdg=FQcx5w-(mvPB>TT0svW%q`@5%Pd$3%V7;{f*o*B
z%vKLlfiSmj5%bm{Anvzki`hn4><`R4NpOgdrIrG5y@&hvNXvWNdylZ*Bdqrbi}k(P
z&b{rqPz)ns5)jt*#jpa_!e+qFcGA54h?w`M@BvT);O>KMVm{0Q{C!B6JBom~cB~S!
zlXUDPT-NmFqaHx~9~0ll8^r7?gk55GbG;kCyVr~PgmCu=Q~>_>4ud0NKCKe7kFfTw
z7Q_18?8kmT_xE$}bMAe<UCbA0K)7G#!%8s+N@2g4f8zG51eh=8YxHZv{`#PpgLB0E
zi@5(a2{w!Q2LIobz%nu4mWw%*1e?TsS1IOu%-`=4^8@~W!2J&kfxP^%L(JikeAI>g
zPl>Qs%+D*u94Qv_%OE%;rh2KE*j{nuusBYMIBtqKUZFU(62$Q_`-j9yNQCX;)Ltr1
zopIvS#h!JxlQ<0K!4g;jo5ZQt18`Fh`+6&3GaMABK7Q&KK?UHqKJM$|zWxDml9Heh
z%3(Gv7pK8uSObT}X&42<Y>3-rfm9%z<YhqEDJ8HPaNB61IE``B7&ncvZ!!qV#YxQq
z(vymtrU}6Prn6wJIL+pZ)12^|6JB$|OUs2hfcvy<;<Q)-JH!d&FHD%>*|1BTND`C+
zaYhb_6CDP7#Yr!Q&EjO>He)&ve#UCp09ydR8Mx0Ryv#Jn2i#_s!yF(!o{>43YhWX6
zhXdkd38X+P=mDir3FISZ6C4qzC1JHBoR*}iCGoY~FHWl>m@iIi4+y_CVYepC*4%4-
zSe!QFV7)kP3A^odSP8_JI}$dD(=H3}*KU_MdBso#8^vj#1Qjq3aF?G3+{@o0P6xv3
zKsq`sgH=F$9X;p)gw=7gI0XWQFbi;3uo?)r0Jnuvm;&p?>68eB)roLAZ4;+6{yGzW
z=T<;?olBt-2&eM~I3P|J?sXxYqEx_KR0NA*hd5m;05{#Hz<zPM<FET+aeAx~rzh#@
zNu0e#0(QNJ!76cziL;nEig$_A2kmo2oW9G&>6Zoz#VJXE+2Zu)x<C0CPyt8888}Cr
zLEIZO2#9~Mz;tnjkp3a_0XIVl=MP!Sy)9BpM&fap!{3YGJ%akuP#Oupr%0rK`C2w}
z&DXKJZqRFV+(Ohsq*kxd>%?Q6ct#SqGz}VdeMZ<g2PV8Ft&`(|yGcjyHau#gqs4us
z#7+4f3L2z0$S!DaGDBSodYjB9ZkLv(L1?5oTz&gnMR{KP_Fi88iybbSHqDexb(Z`x
zW$2{J%8yPRJ-YgqH@8-gGt0LMzwe%W<nw#*YfA(26i;wnO>o^~a?n668fXsUF6ya8
zJ+*j7^w;0kB{Tf8>Gqm&&0r{Qm){{dRM0Zdw9Kq$+~k7f%$Av<_nSP}B&kI`uU^`h
z@63PaqJkX-rlPd8aBAl+=TuL37X32wF;);l$(F^_mMm$K&G#Vxefd5kStLM$#ALPC
z(#?`aT&<H7l4Z-77J*49?G~7{6bm|rokl5ss8QH7N~z~$x&<9OcPh+jYq(<#Wm^kQ
z>YbV2w)4Q8eifakmi6yhTzt}mK_?6wGQnBYAiGz)_NDc`#N+#R7?j_{%<0%Bzg2Zk
zr!Ix<H6KPg#11+7caI{{wI&aBwEXHEQ^LQtk+o8Xv^6-I%BDdoYh~m)oeFz71sxkV
z3FVp0jCv%wG3o2lq@FS5y{4R)*M9gpy?Tv{^lH{4r&YfW&BvGJmZbG+b!KAjs7r^J
zURIvhF@0#WNP5rmF4Hf|4iC=jK-!$3jEkxNI+84%YEt(fTX15KGHtC5kCtEKpxjy>
zEv`pzS=n~@xr6%@RGvNM^a5wmz4s2EUDoE*b1$5wf7zINHJ=e@T{-?w#As{HBQEVX
zHMN^SQ}cs5)tcllDF-!~-YC6ML8DCmEi((MzxeV?6Ll6%cyPjt6SN*Q-j9N|-tT`M
zZ_xW}Yz@lHwbh@0^%XI#o1lNhxu(wb?>A-sn#ccPoj)UCYQ?tYFu9GA+x!lH+zvWr
zb}DE<TbS5)Mp<5d*^E8|#z%TJ?U|Q5upn*X>1iF4X75cu=V)Unhz?Cnw~e8Gz3Wb^
z-j&`iNVoR6lAvw||A{hsh7{J+NFCCsqnp+jZ!~SuKE^vqTY?_ONLA1vlYh&qOzo<w
z>K~j%)jyihFEdR>^+)l#k-rnKOHcpr`?(FXtV%}<Ti&U$L*_30H{jKyxc~n$iv8Nh
z)-gb7i)oUP)3Qt0XuBnS^!*R}pB5=iDGcZ3RW;5Zl33KGdsceU0P}Qp?{+74&#-NX
z-_f^768R?NkJ4F7J9n)==-j~+QCnTqw!^3X?QX4Q9W-l6?Z8wgZnF6-NG=E^XS$(A
zWmWFyb6@>(&SR%ieD9govFaJ7@Vpn|<;QO=T!g=)`Tvi-*sbZi4d^RXCW(^VHX)wB
zTL>pz#{Oacel15$Grt8rp8De?1(U7+y7Bt2x8)g0)s_{wX&%pOkgw#hX;RS3bV=5h
z!O+$vGsG{MYnd5#8#O4qqN;96U9WC(-5K-Fc0J$mI-T8rN}=b}s>NSqtKJal6OHzX
zm|_}G+a{g6bZWA+`U8`*v`MEfotsp@6VFFa@{ufK{xBc$TKK(*I$pJjT2G0#o@!yR
zwNw8$xoA?5XSDSMNjD_@g3bLrukJJ}BzEz&1?P1!X(V;}wS_agRDYu5uFeTF86T1v
zA&!o_|6zpC8BFIbof~upJ9Z?{*{hz@vSTl1h@8v}zflT*U1E6g<Y8^v44YhBJo)%G
zZH}K@+_G10>X;Kw7?YaYE3y6POG{6@WK>?>s7p>Py>xW@i5a~|cbR(0B~!bM?wvtx
z*?A#M`PGxgd<FJLE&bS*z}h7~S{=top!*>^ayPDNX~8U8kJkYkF|P*mYuOu}$Cl*e
z^c&OZ)RPtu9X#Awl#+jZ*UqJ#njSRAU(l<4P);NGErGYQ#>$tWHR))f)zada4wkGI
z$y!g(N*jD7iPv_mBvV%8g><yQ#HtTdGGkIp#-!}ulvXn1K%Q&oS6iB)U{nYu*Wt&M
z+z%7xMLUh^m0nY@k#55~HW{AZII~`(2A#_?iYvNmDR!+W&Zv%^I=FV1QB?zL%DH65
zsG_<pvuf2Em7t5hco}!2jO)`wDr)lfUwUnQ&0BrV+wU~W1{8Yzpwl&Axx<1Y=!|Qn
z-VR&%slO?FUx$&*ronip>zlHj1?9!r1G_J~{JP4q{RR%~H<lV`H>AtZij?ZFjl?*=
zE-LDptK&-!<LfWfLxCKf7n*6pnjKRMzqSTDzCJ^;d9^V}UNdSSoy0sNt?{Gdownek
zqi<oJ)85q7KzxN0wBv|jIG}Z#hJ7z?Uy^xByP|IOn`bvZCAED{lk{%G^Se&Y=^ia<
z)4r%di=33vE%Gx{qCHPe?3j0Adh5KLl(a?-YqzWuZc~)ivR}uvb~!_ug<EGOH*eG+
zAv-bJrb||<0i7aR7e>?MBv2P2au_dXSM%roZvJ>Fmi(BYMft%Dm)R-3QD%epo-<!P
z=j2Y9@XI#tmeR+26K2z2!}K*w|98XG)xWk-pB9=-n88f1vr?EvA6?r{P-alqF?}+t
zk~8ze;f`4;(=z&uNlYI!W4M`CJ-^f7+~nlk!JW*k>Klg77?e)FVn@hV8fiFAifi)q
zUs~9Im?)poMOM7J3fzKUhirG#=8G$mnl|tnG_618g4Y@5o-V5F+O@LC3}#B^Z|Sgr
z*T1ioF6aOGcpGWyH2U4riPuT0x=6JHa!tx~2hvDVg9)Yum8p9XCYWPWdrZ1BUAr3z
zxl1m;pld=>f>*au-O`DrbsN|966z;(op#CM;R*G9FH}F_L~`|1r%8o{XBC<u)lU_i
z)rku;gn_&~XJ`)pSFa4(&T*766Dak3bgpqUoz5{iiO(eeVXjG1FG)6QtWM%<f)uP0
zZHAKFf+lv#>}?8Mwo*1D_04h5JTiAsViR^Cjq3Kl_>pJkmLAu%zIR-c#1qVL)ANQV
z`7K)HH@Ttu`RX;dH!BE-3!2>?w0UhC=10<9|JSzhKS{Sv{x+GEcBkJYuF-~#vj^5o
zOY)M!^#)$}w{OiI4`%nz$?2c{VD-drgEDJH+}{&-ZN3?f*R7`o;2l$Dzpj$(c*2mz
zs=~DArFwdw6YqWWnD&|glTH^j>5W>M9@V?eqt!2)-UH0O2?MH|O~7q?#;=#n56l{^
zWm-*)DH>yn)IK`2{yKu`UW1)BCC?g`7*mK*cju&){@IjtG-beL)QGQnbQcm1?%R=0
zT_)f%V@I&c)TyOQp3CGMYT1kNw{fEeY=!HYmTcfU)nkNfyrEBN`oMFBncDn4g{=PR
zZCanvy<*I1310fpP`E={$C5S;TP2>@r)AIFa6)os^ZIEi$2ZG4=gjJzozrqoNozLM
zPiY!$m>woQ{M~oPo!Wep*jO^;qME!Or+Gc@n7oG6A|%Pbn|Y6bbXjK?^0k7wg=QYu
zXjYp9Sv?L@i@>DIl1O0Es)=H<!+T~Zvq3?lkY>4Nm7+W9%naRZn=TpsBW|5B=em)>
zIeCLRHp}cbtWSr&9g7N!niV9bM+%*no*L0SBePFM*WRa>WSw@>$RQ)TeA<Meg}?nt
zeLfY`=fCf%f3G%c_SCliZ1Rs?LH#=89Nkhk?s#%>R;!ZH9rF7(FG^|Iq{ooK-C7hh
zYM)t_n9+A!&z|G@W=5L~ZIC>A=>JFDn+HaARQJMNw_9p0t(IEdtyb^*E~(XObxRuU
z(u}qlX?D%Ncx>Ypyl8CW6~}BI8;E%!d3gztkOe|Q0ytpou^|Kq;juX2kcBM}mav%c
zfSC1pTHo(f)!o#ZfqdT|U)~$K{kx^xRi~=XId!&LIp%lmi4f^Q`y%@FJZSF$5j5Jj
z5UFu%kVa}b8Qaso9ZdzLyRgi<KzkQn-J;Rn%jxXWW}zM5dO6mDZ&0zt!A7+fWN|E%
zYi*=TmIKJuo}Zk0X>!NzTwzDpwt+<!Tyl&I2Fm`yxiQCU@0mC|mkRs$K7MJc8qAy_
ziXU3rhl3%FkLdo-pgV4~wd_^bmegDI@fr7#TRX+Nv5#o+^zhD-CKiF3LQ5ykJFTB>
zg*_&&>0s6hS8Q3Za&#`8nLbb)+EWQwmHH=IRwrU3!EAE<@h_GueRGcF+?h%0eqw69
z;)=A+ExKJxV48ztvs2W62J*mJuRMzdysq|MDvx^a<#6=b@zMPGgbGGVr5FG)BN~Ja
zpEL+kdFf!2td6L(w_~M;87va6Q*(3Oxyimj$<-4KPMtl=9$Rm!WM)f&Hv78cVD&`(
zR_dSClH1I(UxL0P(7N{{|KBY4^gc=o+sOczp%WHg9vM)$^yQ~4E9lBa@Ya%LMd0Y(
zD95_+nc-M3x*kH;L(ta6ChkS6DYO!^w383V$L&sFQaI!c%MW3N!l<OZ3~HPcmb0F5
z2EGPe&C0E2VxhUE1uc=KW%okg?pidJaQow4e>PTK$a>P9?>X-13J>kfb|qZx9m)P9
z$4;boUR6sDl~bvqp}~pe{=$4Nn3?}VS8OmAt$J;aTqIoTw7KW|3UmEFd(&ZOF_51s
z^fcSsJT7nV*i33>Ajm#g862n#l?E&IH<V&wk3F1<r)mCS@MYiU`}3$uTgeD@+DZjU
zpMT?Wwt;5~Vmm-QyPS6+lH8nRFenO+M@-(u7p~p4ykU#(uIydfNabVYC>YzBaR0TZ
z>z`)n$)RYZ{!ZFk6IcPCR6d4P(5asZWoPu>>79Wr#2nJ{vti!bq@~50$Y7>O#CV#Q
zH^!p5TonJ<^L4K>n+k{1>2MgH3;f>ZbDKk!PviGonE!E=8d4c-_&uyN5*M^O+VQL1
z_|<OwYA=4Z!HR<8l-7krFzf7T^R~x*=eyDqBawVQ63yqIZE0G!HuV>k=1VVT=gL8A
zr`9z-M~Z?uGT2z8Nk#9~73N588C`q02#N|N)@);8{5(%v7XNRAY%E#3clkE!6A%2^
zQ};ixs(hrr`1McJzw%E<?<abpUz;yjeu{oMbsLM+S+-j$WZ+R*F@6BX+8u1f*ZkDf
z&_-9Q&2I1XIaX$rotK{Qx|DSo`uMo5E!g{U)U%a?xWeq~qY~@Djv29YK`qAmq@@E$
z2j{s@S_1eUz;|`tNOTJ}MyyMS4_eGZhoRF=OkK=mq#?7js<-eZZI??MD;x47x;#*u
zbtU(d)>h7^GXrBA>FmH5dwxDXFi^-0sq1{Q{!Uu%_>lCZy@>I8biMh%JznBfPg-az
zIxsqYJJJZW?I=fJ+>WGKt!n#`JwF#4P`fF%qm*?oqJM6vHd}2p`byOIqv~ZKiUv6K
z%o2@kG(!6!UdXx!4$WpVvxf!-4$ow>GlvIiQ&Y9t<fNuwB!!-lIDKqo_c78l(5L0i
zDWw&CBHiu*b(J)5um*pPE-r{jSTG<M!(y>wOS>QrE@Bc~7CRRVx@JM-6rzF1DfBy1
zgvHYExhjINLbFRk4EVf)-wXYYuZ%tUfkm#_<zq7u>(xTN3l4om`OD!zCOJo{-Fzw(
zIPiPStLt~9M@``lKUy0x%S+X9Ht4XDEpRuK0^6ssM0P>XZQ?`ez);;7Drp`~=(tdw
z6nqm3Y!|+XwNLv&s7_7Q5ht`Ha4;$7Mk+4rkghthm)n918L2-_lm7ZeRd@Qx+YSVh
zQh$n+F5zAtgYqO~&s`XkOShr?zgX`b(3xmDRCPm6g76A8i~Sf_$tJy?j-IaYjE_Bk
zWU$h9jm_3STK_!fV`M9TBl=O&`yn-)?N>E%ePPS-ajN?8>%=EW^YC$DXp#Z2<#1yf
z$spM)vPk-bA?LZu)u~#1Hj~SAM>6i-p{)Px!ODS1HBb$wlde$O;~&cV{ew%6Y<MLQ
zjt4q@-JLD1y@~$l?17YT!R?FsI=x*^d#f)|PQ*s?y@Ho`Fs9?mZJ5oymir*0O1)+=
zu-(XzwTzJnFH$R33h_&_zButodTKY{!=wRCvSby9Zth$1z*|6e!Jih#)2@X*&a?O5
zzpEqI?(tL{fzoX5d+SZFdCiIMtv5FvwsSilv+P9QzJc1mxT#59$x?1?*DE16Na@ER
zOxuu%7lGup$zBrA>qIX*aq@-q<+dSya)F@Xy8f3))5yijp^ek6*4S>xwWrx|{Y#TW
zu@u`^_bz1yNZvT`Kh&>A+mPO`%c%o=%c&L^h)~n<{{w$<$6A}W%?1<x+AZ&3&u^wy
zGMSasX5A~+AC!;J<9Fk~Cf{$Szv7f2eMj{y^kV#^iFn~*=)$~{pZ6lMD@z>Twsgs0
zIMMAUzxUAj@s@TwOg*hLH_W!e6l8bU$8Wy>!dQzF-<>U^=z4M?m0Cz{s-Jc5x01WE
z*@fgc#kzB%YyXI``1QRcZ74bobqRs!0rZ%p70qB5dQSe6F5Yu5xI4`^dhX5|EIoFg
z-ec#R|HpkJ?Y?$ftEaVe*Bjq_--N^8K?ba0W_kXUr|7}|KlStfx~iwo>n-}OqB-8I
z@i`7z7S**UO;HW~(=<F0l|WV}T7_68_=aAi$2}%(Z<?8A-D$ni6LEU&?$&I{(fYS{
z97exvt?t&9TORLBl_o#g)O1{FDy5_BTR(~|CKHSCA6?ok%$59nO(a0aKLQ;a?Lm4!
zb&XEdM9uaf+9A!Lt*{5V$s}v7coW}wmYx3g|CwS3PE6MS>Le~0tz-QST5nS_L~)DV
z9%ERS+u%tPzEf+TG2v?(o-^U&8a`~oQyN|{;j0>6GU0b=_^1irr{NPSzL}#~4h=6e
z?~C8o#&wH^*VOi$4)<yJ9hbrHGU1PD?e8|>AJFi7Rh;@`Rq2+sbGm`v=6?Ne?eFea
z|Bm-d$6sN>KdQC=4HN!B4S%JI^WRtLnzeJfs=rUMFPj-<1vbbq${L(ecZZB@(G9gm
zA0P=ED?CfI7h17<=?-Wo-yQAHFi3`w$%YIvq%2*8FIzn4#xQOJ1b4P45eUO=ew88a
zVA3LF*bn+9JAENX7%?$-A~wby^*I7ApDW}Vu76&On)%{De@`~<Z+Y)~$^G5r2}V1;
zUgw0f8<AHcj0R)7gpPJ%Y|YRV?^DMn?NIvIq~fUimUKrNX@o6OBlN&TAmVy#8b-FJ
zHtx{r1m@;M=tMhVBqb{eg|G~knH?g@$y#BVRbw;a)uf%}D{r#(4%9!$7TMp{fAN*C
zFjxKF4<BSNyMYZ>uBjuehKFtZ`JZF`^08PS!2Isv`!$Jg9U5NN@B-mbX+u~)yD)Yi
zbjN<nP3q_y-153v=P78@#69{jdwrNm;wya^LQzOv{8zE-NlOl&ISkRy=e84{IX-OC
zENQ;Mxe<gh@@vEsks@*Zo;{x%TAxbRb}a7UQAG!K&CF3$(Z0RQ=N@_FJ+&tG$FB5b
zv40u1{Jpy>E9GAH>Y;)DTs<&3xubS)oOqVy;O45_^HxrqJgdC;3*hBVAH^JjB4o<7
z+YhtjygiRa;=E7bNw(jB(_R&L#)K2E5%`1&U(oO&iBtT@jFs9q@!y?bW3rz)1#w0i
zUPihScoXlx5zhms{==M#I}+c3+Ai=HP&>$nZ}WbWHb6WZj=OE}qzR|-i1ry1PW==3
zgb62}E%0FzPCQ%S1rtuZMc^e9PIM9Ykcw~SDCSAS%PcF#&&Nf)S+uXI?Kw`eMc_Fd
zS30f4vju*K#7B609ly)azR5~FTeQDh$3aix*#f^;#i^g1XA@35n;fLXv(aBLfrFbF
z?lVg2@gWUS3%Z;peN1pnIuldm7-<x3-0t$E#f80uSPJYr(!<@{pF=#<!@ZyU05%dw
ze2U69l9FkPn723gO*(sm&iX&9kzP%%SZ`<0)$VQyyQ-W?#sYBZaz3KCf{E@PPfIh{
zq+#8BSsVXr8G4HKMEj%0*BOlP7<ZCgZ@_6i2|UAYFyOQf1YR=Xv<?J5q~SgVabX&M
zfL&vF53NhlenM+c{h{?I@PY}a^&#*a;g}!l{~f3USk>bt8|FvXN1vuM4)_>FOVA7@
z`5e&Mr^x4OP_x|+Vy=cbkJD`$Jw9pX(@uF?V-p)<(mcs7>#m7F!s%^sw)Td*otKYL
zvspWw)g^8x4EelK&+cyj)_66s|COD5y|(iC%1~`?!Xf(+#|HWcyv$Z4zv(sM{lLEh
zJ&<I^A3$cfAvHEsiP7MZ)a@!H9^tFx{NDqK;e*w^iLYe^Qi9HDE%<E0XDdE^_$000
zg-<$Vk`YBj$j}q=_PgOUsCeV}N8SR8luNpN@Mwm1Q^4HfB0}cQ<6He_?7Ow58}WbR
zbsxpfvG1Nchw*NLOIn`g>lUU&;*V5+9CU!hWLX2A6!_*3fcJ5_iS`+Ze-8MvmDZKO
za}xhH@QRiAqritH4qcjs`1%xhLEx4J^y2eYTK@tclI_Ls(mEITgltdlnQvK%4+^{{
z@#W2&<#T)<1zxtip7WvNX2$YEF5|aa=5+1G$cM;<Mw%P(7l$~-2z?AEX0pb~L;aij
zCOf?T_Q?5#P*=OB1&S9Ki7ylLx00@v+o7=#qWO<8_MDaWzUW&?_8ImS#lmSz1^_#F
z=v8t}`Y3h~?Qy08et<1$Yt@MBYjxGsKF^l8Y}||A{TDu`aLE#nvOFf<LpbhWB`t{X
zN%peMukgL#qu4+VKfvOK_8M-x13F%l*gK~7Wftdqhe0;{3!iIxf7V{0-^K5!&!LN$
z{w|Nd`vqc9euRE~1#{J*$HF%3ETfj)0s7eZ&LZoz0(%!llaeiu_LKvAN5uP%WT9)h
zMtpWih<G)SzyAC?a{s`(>i0dfu!9|_fBod*t$%&)-_b=H6ZZG-aGK%7PBdfZ4LGe+
zfe)!T_y^)3HN4F3ROPiY$=^e<P4u1>?L9_3X2NN`i}n*Hd`-i1Dh|C3af=#$fbBE9
zpZY1@Go-c8ncA1xKFQ}+O?V!-&<hcF$ot>L`yVstb4J{#7v9d-vS@GA3vcIqLf|>m
zdx%d6eAtAO920oKgl}m04iipv6YX`qGe>cg8eV4m`FMFeCFdWaea-Y9(u)Ls$7S%l
zO!#A3`@2mz=}Y20_i8x$qtS=-CFs+9PZ;|}JVN|kN&7pR2hu+T{#yQbR!jfpmvMvl
z<B-V-OCRbSN-L(ceCxbTm*E#7y|5qoej)2p)0fFst0J91x@iaDGmKCAZ}Pg6y*s8!
zdm;C`@vMMn^p+yxR+<u7dv=5zzhnvbVWSC$uhrAzb5o$Hn+H*5tv&4EH4D>|3sD{y
zdEL^?)KWN#nA7jJx7Uj^YbV}G5tQy1^N!JdgU5;+JS1{#|KN$jEjuatl&xpxf^5Ec
zfBkI~hq`mP{^2~fD;3eR=D;^R&>|13l(>R6BXk%Fc_bb$G)-wi)ih1gZD46b3zE8V
zHLF5bGSfJ&@(>BOv2@p=Qfd9}751m~Uw-+^U@S*dscScGFC4sY|Ngu8=ec5enmzZ@
zyYIOjbFNq_;QOz%7C=`+tm?1qZ=P#fe#nqKpF=;WFD!&2V$v9=0v{ZrXDDQy@>Rra
zY>E3lsK)*7o=7HJn~$`2jnxK*E*AhCZAm6vaYxEk3Jgy=`(AmpAsQIGQ;du3W$%_e
z4{LlIT;(OAJ;`#>UfqiVC!Qzp9NQ(|lOwumIN#GW|FF+cjC96QvuIJLGE7e22{NRT
z8>D0CA4z$#;*-a-8MB?`vrV2J#1rF;-o%~L2*wi2T88`b00yZ9SWU6P?B>47jDPyt
z#f%#C8>;RpXOrqlW5^I53}qoT;jvbZ-n&N&`@M1hc#mt?Cp8CF*%E3kWz!DMliiZO
zMUCh0;Ad%pPcS1+vOwTNDh}C!cw!Adz*HMS&V-lQxRepVxjd)$K%UckIPX%QubTcY
zkG~@s!efDXe<>G@WS}@Z37pPI0?(Lm;^hLL&~P8c6l?flhUfhKX8eGLBL<o4l;S-@
z+Iw=Q_mr83>xk>vkFUo1Dd^lIN|8KKLyV!$M@5Vw@lKq0`A&>t&4{Rbvev6He@V0;
zi#=aSYW4_^Uk0lr)<K?e;X0H%lzn*eRCpQ=uEL-T!456=Iw$&<R?jEqubDq_hyUJV
zCxb&Pj$(8v<g4V}$%wyY;n8q@{doNj_Li|zbLmriF7%vO&h8uvgEl-)nXd`*rP%Eg
z%*AOIz}(}o3t9^NFoRs7_FM1+TKk--eVMuVnh3z2WPDE^ICMBIKDtZai4E37ot972
zSqM9r&Xua6P{<%U{g8Zdg8PEgR!7KWhR|t#?D?0wPlhRi`tG|~am4oVbLT!jj${r#
z4jxO**BsJ`G42>!+!jxoa9WF^ea3_n4-$CJgp=MP@L>~9dW*mdCY<EDz)L3lE)5?w
z;iTt?_B%{C?G1rXnD94i_-!WqD;j>I3I9h8-!S2N`<H5Xj$+fb_GPxn=U>p7c(>?J
zjoM=__kkBvEc<}&M{2N?%LTzXaSne)oS0@`$Xh37J&4)oQL&hP&WCwaEO%c<j8X1(
zBRgj2`X`;9o|fABL`)BS_ZFsdnRJNEJ>rzslL~uVtf{4!t!|Bl-+6kz-`!nNS+E?>
z3(7OrDN7EKc2dXswPW+2v?RH9gp5p_KlJ$gDTowJI8!#+mSFu#chu)>Z9dxGxiGSQ
z+&*h{g?pqt9-nNle@KM!V;|GJJj2)jm-+fPu5%-9+!xPqeOR>T^QgUt*1y2@^`9ep
zXt=r_U@fzD@ZTlh2kpDZ_`chUCrvo*JJCL4!fAgAd|2Qj2A#j3VyVe)@k@Gt1D-VD
z^nTGkW5VhE0v|TvBr63zq~bWsBKBRw%a#{u{mb8_^)K4j)b`i}zu@N`f#(E{^@BKe
z-hV`vqW?*{lMZwiIPGhJPndA(kHCji9Q{E&yoQ&VpYO*U&eTRc&jR4bifSLnsWoUh
zrmo<Ij1_ro;5#w^&xi==rZ_MQb|OWplP^Q~JLp8v#dRf$E)iK<uu8$3!Gk)H4ef(|
z#Pha@Sw~i7lJEP^i!9#@7ud*%jfF(6FB|y+W&3_;9DO|q<(Tw%^3rS3+A{J**W--R
z1Fj=TSzGaG^jX1Q*@`4BU>nnO$f{}%+4<{hC+2t(+4W~0TUt7!yy1FpX?1L5-?0DT
zZ{0OHh-tw)YS=$FLKg_)T(w`NS2t+`-P>vd6g`VI&h>y+(5o9XY3J0T6NJbiC#!YL
zU=yv4#OYKdBK(D3N%8#%V`h71uUpC}jD67Y_QBoZTIS}Znd?__`Q10pEF5jCKh<>D
z(SPK=eJ$>`=hA__$-chBuQ+hv73=+H&Rli&Ec#D&_ZO7o=zmt%Wg^u3$hN%~x(rTw
z=pnh`F7nkD;iCxxquHgWs#asrWhjYoK%x9{3h}FW_0WCxzr1B<pv~*-j`lh|so`jM
zHk;}=e_QHQW$@r+!e3r;w6tDpYw}i4EY2RQ^*VfUZ#|{FVNbr4-1mwTCmuRPLV?!9
z<^lF~tOqM3!{xJ*WZs*;K;-JiVtyJ^!C-!s%fi(VfO_!!1A(m5OJS$I6n09+yT58_
zK4P`?6_wXsx+go2;uw6N^1KkP0~27kM;T7e*uPuxgb`Q%1N&68Pn&SEy$L*P!k^Lb
ziV6Qi4bPkKf7kGS6aGsLA2H!S((rK&&r!aMhL<guI6o2NYSr+n*8T;h!y4A`^Ac}D
z?9xXK_?>!t_7iJbYyWZs{!wdH!|%~>^hcvx*3Rh$dYk)oT>HEGw7;X@*YO8T__bR5
z2Tk~}hCig?^!qAZvvy8b_4lzROPho2Ul9{Gh$!rPRsImC9TsoQ+u;0^&Pt@=kX<qj
zZkh&{Xo1zC6@MY(5WVsnVwCVKj(tZ_p~Ci3=HG~e4D)YZyrs&u3gP#n<RBS@xFv5$
zszww!fIxehJ;WX;j5&P)M;r2m`nJm?>MsOcp6-Ba_^;G#qR;mAdDGF}mTD-oU0zXV
zEzslXs5!e>#FSoyT{{e3L~*+%&}!cD2P(BBH`U{HbdFAGgeo^}*0?Frf=*TiP|b_y
z1<s$y3e^iF2EH$l82*B|?jWaB63_ZUdrJ6w($WvS!f`tDkHC5r!{-z}DK>0Ywe;6a
zMC75&#GvhZiV20UihQgAR$`pUBO>eM<ForO{5EU##Qn)#u|ob_t+LA<**#cV9P~HU
zKi|B&78?%clZQ(?4uvac9O0Q@i=8Q_*Rnr+c5tvTiKMN)N4m6>tx};-N=_ZABs?<<
zUe~HGQcm{ejz@#8z8+u4P$nMv+{FAG_z$Ns@g*kg(h2taoG)=)0pE~#o^Y&R1#?0<
zUlE*kU$4%H4Bp!=I$hAG4Ro^OpBFYm^6yg&otP65M@1Gj5f4d0!=0c!Rk{&Uk!D1M
z1bgu<&F6rmWR`!UG_V}L3CTifV3ZakA}D`FI@sdk#(Um#*_5#1TGPRU<A;zJ79T%Y
z89OnZIJ34eu{`n=^1?v3Wt?9@2kd|HJlpMg7UMRH{HBlc#egHS0Qez>^9|ZlKGWZE
z{x9%^v?&n&an7#<o;KmcZv{SXz@Jb)rr~9YBOgq;R=ETlmhhubD#QGDi_rIwCx-T_
zf4#!_a}oNU5$Ew7m|uENna^(@ZVJX6QKcant+W07Qfg8+ypqDh-i8_OAU~D1$Go2v
z)?kXGG}<>vFKv_SK%HUI87N0f@GcQ6L;hl#b&5d6Nl2PJvgGpR^9=PtWH^e@X<o19
zCj+~O!)oH$o8P>#uy9q2HMr2h1E_oR(e5!veDcUh^~hub326Jq4<4*FUHbG;FnNaN
z*ORJ5ckV{_<h=bepSKvF&nRo(7Ec&)KA)m}+Jw`53VhszliU_~#e|dG7I@x-lY9|)
zzX_*xA@H(>=O~ZPfVc7ar*-$wR+7)6eN}4@ocs0!p4D-soy%u|pO?6mzlY?x!0*)C
zv;X39Ti`D@;Q!3!w!rVvaP(878_8|ZndByGg^i8!0S9?L;2_S?T7{;Dj5?zyR>;kZ
z(39LU4kQHrPLfb?lMvSJ5O@-WkX2O<Lb+!o5Y>f7%)43V-jqNqg6Y&u!Rren8Bcq6
z>tzxK<AvU~fZI(1@moA|5YjL`?y@S|CJ?5h5ro)rVfX@N5^C%3lt$mzNP6-7J-#jx
z(F!^x7~~$>bDYyr;As<1>qg-HCY;udz{@852O56Rgwr|}?Z-_xtyh8PO*rYR0?!J3
z^BXv9e4n3Zlf3^K%R}%<5ns(w-W=Ksyv!1Oy@KDG@H}v`5if7{n(%)3g1^FTf+GJe
zq-SBvxV-JT82PPi;82v|Mp1ccWCcZnQ)C6nBnNn$Dw8OBi1?bC*FoN5k=MbkjYbJX
z>3KXCnUW^B&@rXxNkJp>^nU&eo~8$5By0p<0%bnLWi#2vaAvT)lF#uHXje4g34w2Z
z5qKZXJ-4OV?P-aB2KX55X^Ceg{#D>v1-wV%6^Z{0cqf<r;&=0=_has5`*DFov$R;g
zOuR(mRf$g^rUH3}n9CIJe;HS^&|c1M4qCp6d_W)Ocvh7$(to9Eb;iAnwQY#15ZXd7
z_HM+G^^QX%%2MeY)Q}taNMW?Y-P0D`z=d+%E)O<iSmp<ka+-?two=++cO@V;pVg%$
z3F3E|=r3Z%ec%&PBK|jeD>5e_wnnz}u(4O$_6A+RTKF0|lA&{jq;Wsd7=2sD|2~7h
zHP*AzDXAZ5xpf0MqBLCbUgT!7e!ga&0YGc!ReX&t!=A73eVF0+0S0+3_NNIiv!J>^
zO?VzS+4IpqMM3`@dQQrJBNs`n?nN=s$PSWqk<?mX(pIBoRBqV*`hmB9;Qj}8v**A0
zO(ax4ckFK7=UK?8ko6r{hgm+BBzR4YkL3kc<2sYTCmCW%CH}vl1IhNbJ1l?4<5hM-
zx3hAZi1r68?^0<(`I_4M%a(T$O*Vf5Ue;lKxx};fJo2pnm1LTDZi#`XjT-(g51isy
zeuDlYbr;qXEtf)?ytm_BL>U|39i%(Afh+0RJ7krSxuKH`K6cnyD2zqT5&iJgP$hR_
zqmn<VXNtZzx>RGszl<!^e#jF>i5}Q|uy|t}WLP0t^Os`Wg!BC^@Un_;<|w~ZYhPyX
z5o-hs_WS%jdHJ3`^*ts$$_%(dvPQHYH{m2x1fErK%n#0s8h$|P#^^s}1o0u!zO1!}
ztTD7NvxvHuO?aM#xvZJTTK=|j5vwTAuL*6o{RZzp=~6H9aTWNuqEhy4#Z?*2aW11p
zdsRjYoW><^DJ%Ke;YH%p60aEFPkdV9s>~I?Yt`^EQ+uMPc)u#U^H`_IKh<#P0Gtlu
zJ)|Rw_Er5oN;lU91%6)QZJZ9I3kv*By*=ndHXMP!+=P=2N8tBpIQpZ}hjc;W|D+2V
z`o(Q5;_p;lM)a3-C4s+&|D6@|`wre`gH<GfC$Cm{xb!ROe9~w~pp_yrF7nt_VelU-
zkTA|GWMjaYkAI6$G#5X^kc~5kR$V|STK^)n&YXOM6S_f+pK9nVn^bkp%LTpoM##GB
zBO7?uj`ZF1LU>?cC=jL;-qrCEeMJ`UJDg8M`)c!d*LFHT5OMVMjHV`I>oqDD(l?fx
ziXEY^31%P8el2|bC&!km*{|XtNwj#u8h}kD2dO=-=PWeHGo2Pf+ENY~#g2&4`lY2L
z&qqbo9q442#3!BBN*ty5k{V=m37=!!52q^CBE@@)YE4!sVHgp*5|~t4R^w<JI53$?
zPaPPj9SMfl%cbSAA2m5X*Sx0|tHL6(K3F*#jvOATOiWaUCMKBUv*p2}p50s<DvyvQ
z#1(3lrjQZjPiVQ$pMf2OpD$ie;>ugGLIx~D>I%_`@HB>wVlc1-lZiWTIJm0QsSeH<
zIs@Cb8auOHK6a%)m2YicZ|`!)3O&i<cB$FkmSUkR+@9?k@JC7spFMu{EX}LddzJqv
zapFG|Q^@(VI16B|O}K$C0VjP;v^VbSIM)*eo|V2Q@CTxe)}HS}c_yR0^{la4TZ47Z
z=&hwQfbiCenjqx0CF_mwdkm;MgGbD6A2=h;k=hzzx%?Oi*jilOkx+BoeZ}!qG9m1c
zl|Gs64&BNf5B0RzGP5VfXqzOF^**#Z(bwgw_@xChp(Vg;a_KS7*U1hDxo7zf$Ni8q
z$gc*U5%>Yfb<!KAA!pvm<(0t4WqXo8cX9b6@UrFGy!|BjuJJu(%WrVL%W=-vsXgfp
z_+8?E;yLt#Rny-=ui)~D=Uems4#@s~gZ~c4IX@M6+G4~>9teC~!+n&ut>K3(-;(b!
z;|H|%$n)mo6YnW&c+T`5;5=St8S8RZ`7|oT+@S8XBw4_d+ZKrunbTzNPD-xZCBK2=
zVEu@^dg4D}@SiY>4G`6moCnj%guY3?6GdOc>tv(#C0CFdL?hg2$RD@yDu8b)EF=n*
zp?E5kAIyjRVShR`RJ}b^+h6P7Rq_R5fl$7j5Bd6L9sZuZ*-W4}7U+%lC!+oNVkFVG
zw5uLsKN;LR77Y|fqv=XM)8h&C`qQ;+e5}yRY3YHiJg!^<jZ1v4kohffAMo2W{E+3F
z+u{c-Uz2#w)V^%_8ec;mtdW}y@5uwld3p0^^t(K^N&Ifb^81!Yz}iHAZiAe<j`G@D
zw7hm1t)NRuS&otWCKR+6ad1?@koGZI$4LjZ;*&C{MGTIxmUrU6$rmi@WsJa1o7A%1
z;pz3N8Si9%nPi>?k@T*my@x3g{u{NX+j-{u?c<Xo_nngACpj&6{ySg)<cuXB8>$9i
zUv9+{Mx5^p(LQa$Ne>fv)`XKDCh&?0Cp}Eyd65??ewXVh0`E7q|E1P`#DM?EN_v}U
zKW4zc!TE~7$BnqPsI|Y<grCvy8%+2y4Zq!l>+NsW@Ek+lzSh3X@_cOxdXio!`ctL$
zSVKEuqx(6|dReR?c}|vzEc)s(Mhd9XKt$Zr4p+;HQjCD88bkIv5j#LREfi}>aXq4*
zlpfooda)=>My*d^um!NU7Dk=kKt~%&6!2OsykbEq7j*S>!5AQp-Tv0a3~I9&>lbJi
z0Su3i?*(O1`7>CfwMdAD`U+Q2DkVvzvk&`+v?fu70lp86Dk`lRhEYuEp+4MEP6O3y
zE+o1l6z2m4!WBxn8w)Tft=?qNpglC#$9Y8txhIrGt~2}*-zy37^N77-!lNdfbOzDB
zYQ(wDAn>e)=ZIEX`!f6^l!poKr+l98(INi3QFa&q-K}`Si1R%v+NVu8?L~oCB+ly)
z@b?q%C!5(OfB#lIVZ{0SMf<b~r}qoIV#4VxDe$s}53uj>y&`e;Coldd#w&i8_KLu(
zT6@$>;C6O_XC;n3!TyN%zbfX%@}Io_9Opbh;NvEo`XlhNibJ<RodW~@eNO)b<bn~;
zTfWcZd<G#Geyn^Imb$8*aVZm*x3fBkTr;Y9(*+&hg-_!8<O`xb+J#S&#<aeL$Bxbg
zs(z=c$~`_*7Uhxu6yB=G{fp{FC_Bmn<WXa~vwz<d>Z7mZ6VpEDVB!tYdwfHoN@^kY
zo6-Bm_r%5zl}9ER3ywubX58^UxOR??3?CYg`olwe<4e^kSEO^%T?{POrYGLMF>&p3
z?(~U+9ezimcV#wSO?yCRS?`G3ToRU7sN73hs`T+U6hM+E1eCPEV98Zx%-o|AZswv#
zYCRym;1T&Rg+Ibn@W@!ok`6{&3Lb4J;a!>1N+pO&migplSkdbpSzq<UYHv&}cogVe
zGZs98J#KT6*TPEZJWL97ok#1*`A>7Jn+3-nA-SE9@fX3F12Pf62fZf?6Fn6caStlR
zG@-+oP*S$kvUD(gYQ?cAU~!)oHpA=GQEf<GCaWto@f4+EB7TMyMa4R`X4WUDejDbB
z@p^I}f}Clr!LN@&pBPcY!&Etl7_3t<SB%?QDGoNZ3D`!TgPoe{<i(*?p53x88h%ai
zbXo>7dw{PCwRj$F5K0daC7}qVFjX?vCGeT!fyyWWWw2XQxp0+`yvxRdcY4je*KAw*
z&RmJ_#UJqu*KI4|(fXgm{-=7IL0CPtI#|EbDj+;2WPudET(W<tHUirFq7D`f8uwUX
zl@J%e%_;asJ0OE^LWb+BgVIgtUKD=L<I)c`zF7B-FFAwyLI;N?mM;8H*6z<oQnRr_
z=G<=$?aX(lf@5Qj+izf@nPh%(;=oldcOuZm>(;U+yC)ELM?*7mk0W*gW2Bm9cc^pO
zQ0q%S^b4Dhh-Fmc6i8RGW4fpUUaOY<L}T4rs#f<jQk-K<9cz}Csx=lgQ;W5UQnj&#
zn6>pJ)w<Ivn#o$V!68Q^GRU4su~c<?8%ou39!9Yl&vF~a!x*2HtTeP5{dBtW8{&&(
z7NpMDjDw~C4L>((se>lx78R+Yt&cJ~{22|IY#(?#z6nDRu>(=cf`;5@8nT+IK(?(;
zrbqjkN1xz@dc6Y+L&1{E7Yq~&R%N@Qy|KuU(p*@sMX9W5wRRlUd#8_&OkFjXJab_G
z;@*)jQ1xEY+34*1r<ij?WxXDvMvs9S`ry@iKQs`EXE1OL^~7k5x_q*5Fgf5I4u=Ml
z?uA+;?->oP)dmhtr_(b>FjsqAeqV7Sz57^q_ikS-F?V)~Y&X;|@_{|YK7@X?A^S|z
zmK&<0^;1{-sUYlAG#U`Q8IcwwQEBz1E&cqI+leM=J}Fc&jSA^q#MG!yOY$k*MIfzE
z_8uCAmT`w{dYTnj+<Y||g_}&k7RTbzOpnhu)Em9yxFhKF2W6S!YQArJ)!w|icYL-d
zKarjvX?3jzJ<dQp()*@twALFtG)xATm~SC<a@Cu5Elt<L<%~D%fmxr%Uff(%_F|n9
zPt|J1G@KOVH0f(pcL+XBu2#H?tZ~hBY~W;|%7S!phH&zW;1Np95)6mLt58L#?w}en
z1XaXbg^#KjYgyXNP>xS&P1TYv7TTqj<fD?to&c(Oc^%36kJQq9PxWM~(c@ZmKL6ei
zT}owhHtTv*3v*~y`b3<~e&rv)7y2x;SB=VpK4fV-+fL9>QJ@yN7xhYtWCkIr5(Imq
zz$Cqzvk0r93o68}rQ$(?GGv6KU@FZ~N%i!y#{CKhwlTzpR*GKOnYq$qId8<_?dXX3
z!MC=n@qANiyssBGQZyBEm;P-_v1i4S#vXl+%btYp@oKOm8h2^4+yU6+V#2}cLeN7g
zE=+J*9;(Zaf^jvmRG4_IxJCtw{hOuZ$?WLV<Wfuh6N)uFvUjKt7w@E|kN)PD>|_0v
zaYw|rlv<o?jkqf7Q;F2v*@?+Bb4fNhF*PgKFzRok&r~<^Zgu{C&FP{OEY<#Vaw|H;
z7T_Ny3>j922@|qYpW0thej9~lx1FUFG{h{*M{=36&D=x>>t5rG;LJky%CF<>&}@b6
z3Hw!@A5$&vhS(c@euy_A(@&cjim(xN1xaX#LZ7XmL7bm==`?`gbv`Rb=1L*$NtALP
zS{)8q6*g+08;k7-X49yYzJDT-oZLS+Fwyd*nj<lNr0R;cPVe%#_W1p<>P}E$?qf64
zlVsON-<6A)r#@I4wNty)&bHrH%{T#B!B~1BGsw0@+Dj|eo3L%UvC69Gdm5iKntr))
zP>V8c7(x$DGh72EJ%;RAS<MpwK{A13PlVO0d#hn9D|by45~wYnULRPxF1WtK+T(M0
zS^~~wPggwRvyUp)=*ZqmZ!X-)zR)t^NKNeRdoZ8jgPos9^^B%ln#S5XTfOP9uQTEr
zKCv@*)R!NPw{+M~6v@WNEOfSeH>ZJi4_X7a)o1T%I*(vg6LW3FXOzz)twYt)s%vgy
z?s&~^nTg100RAw}yvYPUr7Fj)g*`ixll}R8ba+>$Z+EgUP>v)A`Ua*}ubvzXjYbCg
z_BlM6(NtweyUjTsOAg1odVRaQT=8%ywl<r{bbEG(p<!8)7|S1FEJeM>Ly&}Ia9er)
zG)Zx+JvzV8Y$1jK^GH#Kw7cjQKg9H4d<HoW5m{tN`cOq>79x>2hjwk>Ka~#-lp>?S
z^5ivpCQHR)GBO+}E+0$J4uy01zRCF5io+M)?di@WX4hh&aNO0kyVMmQPR7Qaw)P#B
z)My5|o-`*)6UGt1src8M6^Jb9fNI63s0c=5qNpRP_+qYZZz!QI_@1g~5%X3jhqd&r
zjq_QFRCi@7Cl~U$ou?|(3ky?8GGzCk8r?c4vDvF;X3oyWjvYLF_>ej`SYw-C$5|<W
zGnro>jZCa)*kw2riF!cpE%QRw1F{)YWH#k*c8IE@@(4t=QPs#^oZg1CL(jf_=lASE
z@`ZYWtJj)7^O<p8?i<S=v@UH{l*7tzV6RT-dcVBkW&7Si96~#xydc;t;L$a%9}>Jy
zc@0budqURb1N}v;J*_UPV1(#$eA6Ne<tU~R@~wv#_W0CzR-u8pJk31To^}xrWM#JE
z*?ca!9Ge6m2<*xZtW-nb=(+4z*p=Fm7h*T+zx!->(C;7e_vT~W<DUry)_UBdgM0k3
z<jnEWv6Hh&_%EVk1wTpPzDzxF`dT&|41d<w?ahrPm-a~-u^(VP#$nUFOO<C=q!ARX
zZ73t?K~7SYGF1ORg4v8f+K~(sN*Gaz&VPbRbbK({4YpE=gxjx8n(45u<@B$jNGRN2
zZ*QQ3xbNdx(Bap+bwZqIg$0E6B3Y{S`xNh|LHDW}iLsuQ`DRTDW%fed4waA2XQ5*c
zjqeH9div6#p-j*2NpH$==A+@0j@azk8B(iLy$h~hZ*jV?@2I2gC40XWNYnf|aGwL!
z*zE;R(`rm!!CXbrj5xJ}_gw_PhozK%YX&O#J;f5a;Pa=N<l+RZj!&wIwGmTMR$eKB
z^BB?;!DD_owGavZv7tWiAB3WdQ{C=lQ<uyAg~jpot|9jJ@5V;r@sZef>nAG<>G8$g
z0q?+ke9Y&i+(+E51|HeL*JQs%yY==826ob*V8!MmLF|S6hFh>Cx1>0X7QW`l+D`GC
zq=^ME$`B3&qQ(}Dl8z42w@{;4455|C!u0&C#D#gYV5vALVYtkB^s0$c|4_)CaG^xd
zfn@SPK3H`n+@VU}z~s53nQUJ?)|YV{KU}`Lzv?{H-ciWs3mxr;oYnrT%ZHDj9!w<{
zqtV4=ihL^MOPON-f%)|4H@3<1kIu35s^s$gAcZ&>EEQ{Ml`0sOjU>YzIpb7w9jRa4
z6qKPJe+)hc7u#so{3Mm|#z+3>nk4R!5RQ>(n(e!UL`&);>51RRIWA^-iOMmgw@^R9
zTtQ6~Wiv=IB(qVo>@A&OC{=)zMqxA}1&mCj6z*p{l?W?>>GBJc;lOIV2*Y43xQ^e5
z@vqF!?Thc1V<EdJ#xh{JULA|Hn&@N6kfMP?Z<?`pdqZhP(wh$9erYHrN3~!RWGxY+
z+15<D?Ets4m~JyvqwzE<24^&qh;e^jno%)-E0{l=Vj$0^)iGZoHuGs%L}^ixEF|Nl
z8k;F^UiBgy198qt@5;u<Ha0%So`2?<y7!Zxq<svFAPc~b+726;cDJGoO4W%ejg7E%
zh_p*l)q(uSWQL+FE3&(hU)ez?J)9lLgDf(Al2xN+v~AzU>gvW0c_Rrt#!v^o@eOub
zkLpGJLiA~dk6nvEmfK11k**WdEnu{PXe$XnH}!@3#&1L6Bd2@$D&F$i8tYtJJIRJm
zoTz{LBo>!-^Mk0ScO%B{<CZzi+S70fksZMHRdsEuq|||o8vV`zs<=dV4p3b{^&Wzt
z#Dw1^iNDE%I*h`pgsK4*)<+v0Y|95D5RWed&oa`Cb;nXY^ZoHk%Dp%nPMx>K#{Km#
z1;b5=kk99TqYRg>|7_<_DC$X-g2OXT_PILDtOz>0IpPa=yIg+d37x{2_syR}S6_io
zB?Ns{yTeIxF@0AVui7Kciq2d#+oUt3@UI!;Ax(-5kT^5rNeGNf?Yj@O=dlCw+7mcS
zCRw&3a*IjV{f(vBN<QwzijXm`nW-VK7dO5-U7aCT9?54a-QTPK`S?>j+I3~-ug7g|
zJ?@U~j!q<Q34cipV{jo4OLAGA$BBhXb|?~xI1FiA6sNu~<wp~p8{R-`CoDvXrvd}h
z8RgkagVGoz-aVw?_7_NO?WVW}jjO>5rt^5&9eJ6d=1-<Gj>y9nnTw=piDJnr6^)vf
zOiaikIGvVn+-t9i^8!1+bXB|-nCUOiPS!j=SN<=4xUs?ReP{n-Igp&#`)nz;<V(zt
z*T(Jk9pA!z>L2-+$*-}{&_cd;XpAgRQa-#6d#v%UV11A2GED3&5usl3E^mAm4vgEd
zftY0hF^e|5C$4+u8vO3Yy-KHb(rRGH#!i7>9TY$!H&zchTd3w0i9hmLlCTLu{`W%f
z3Guc>BZ^N!J3J#Df%1fU@Y!R&0|Bwr+)zlL+&U)W7yoT-g<ndu!LO$wpZrp(HiIi`
zw5t&&*%7)Sfj+$Ru@YTe!^b!!$EaBY8_rKM%~JO=8P@_8T=Suuv~`*=Bn9k7Fp3r&
zg6XbGp?-@C>dEFO0xUdePvI1#8;DDJs8ndwpc`;DqTT&q9Jlhu=Hx<=4-Yr;7{>jP
zw_Tmiiz|7A+Mo}bD-V2M@jHkH^t;DmBwk|%@hSx{mk6-<VNH?jiJ_yyHb!T}7&@E5
zCq<i*zM6!97MdK1T(aSlb{CTljSw*5r=h<iPjx``SCXYdxGVK5hjg!{dMObkv2uHF
z%Gu*`M?BgMMC86STus!O8Y3sBUHCBd+lY)86$x)9+x(XF$HuQ<ozi#s(@>LCI*^Z@
zT#9Y59O7;VnNv&3l8Bcfrwu7k(zYSSr+Z<w8^bW9qA%(2y1D|Mvv%WcMV*NeK8{?L
z{la{2(OWXp1Eiz#c~tg6M>qJBWq0*GE>(6ukLZz{N6O|EJJp5x6sKsiVhBqi<*5t1
zC~+%dt@461eNMc(p<Zdrk0d(Hu4L6V&p9tEo1MuY(%3MK0R#Ce_=^wUBvZYD9wf9M
zvQrTEpnJ#dWD(#p8JvUj9L~jH0Hiy+CmAsax<fU>!fg4b#~hJ%o2~ign;z>3(--#q
zk9^}j11B@@tb2d#o$w8w$h;FIf}X+S*+E-3tVD6$uJS9qvf_3q;(w|qHj1i*y6sNh
zK14L-%BD1nqn-#lOV$VUlXaI4&15n&s7rX5J`b15(``R#n<)>^*?(c5b;M_`nuZxD
z9><w<`l^{Yd)Lgw#7zBNi}Uk~)OUV=qw+ZV9)P7zyW#y;_MA>$>b#SNqmF<s1`zU}
z&S%2nrSfFsxmp(Z@<Nb_9DA2)NkJ4zynK9TKELyLIXIYLfiHaE1K+5BIX2{Vgq+Th
zBUn!N^rXv<7=|^25!qS}-@f+Hp%&Z8CL0^IHF<JV#lGnr91b)uQ_5Q)x0@kXv%0mU
z!OJQGD|A&ya&(=6%bmf)1SpqK=$3RuuyIPz{#GL?iNg`2CPtqDdme$i4he5fC<W!3
zV%DmNmnMxkf;3e`i+TTG|J2le_S&_XseM1MoL(*#mrqx2tejaY_AQ;R{B&*I#`ap*
z*Vfjp_4nG=>%a4qlA1X+F#&Ut^6aw;ZbO}zI5m?}xaSdfSiHdcut!|F27iUwq?lc*
z2IJIbkj~yzO;_w1lEDrxPo-H*lcF_*fjYf(pA_9F6j*Wa8>PlrvF<%ONTE`&HS)f2
zolHAT$iC>LHtGXvU(|f_|Bro9luJ{FzAUoGK$ob#KO1iQm7U}K54;&;5RS_>d8aQ$
zMTm+><gTRp^n&NX;z=63fke7JeI;FqIzgYDPA`q&`3gG{=Ld&1%Got$C-hmm8!T#B
zQhA+zPtVgNI(YYl`qPYQYKC}e0aF&Ll!yeNX;cfYX_~JHY0$0*)4Iy_U<gR#U127z
znEgz@IPBwES0!J*4t?!LjI`v-4bjN@JnQBJ%}^jZ14F87*;iU9O{d)MfTt_!?_|}&
zQYGxX%5HOp2BLLxbAe}(9C#jc*$Hl`t*k3Zf~PTS3_O5lvkjkAtx;d!40B1!7MBIm
zg@7xTl3rB0BIiPpEq^e-I2;+yz2d=_Ebl0l%cULc`L5J>ab%b4WAAwnWBF7X(E_B%
zS=dus`_*6#(wWQCBtt<p>Q@Us>4qht^OD9yd`8~s#$`Zl1h+uZ;T@+Y5e4ufb*q|v
z#e>%^ZT#g9>RDHs_v)kXes|rw{yT+K8o}xmTd~ORcbm3o8Tnb#;j#uDPM;s4yAZXA
zMnVr0w#O{*Ultfe2wp@L)~uAGzC;#BIO#(YVc{|!>Q`L;)|d0g+r4c)&TKFT&EVI%
z2+q-5EHzmVHMIoGbJ^N*Z||>nDIAYSLmufrU{7iJ!SZb1z>oOZUU;EMQzKne>St=a
zoXL-74pVbwr%S#>M^8&<YbIoHcqmn}>B#u5OP|u><j5zpfPNWjc}d>1UB9RjPMn{<
zX?8>(<B&C^>5#TeYlrHjQy_)VA@p)s!Z)MZu1MxK^XrI74jCOarV(s)+HjAJ97SFC
z-%xJC0_8YhSB|QDKwtgBl_ZV^6mmtO0s3O6bOb5^Do*EGx`9hgHE6tC?;_<Bu;1l5
z2KDRL?Y6_sxKG4_+(u;qdyww>(dsre*syei;6=1Vael0I)q+KGoUBG_h6Ek6NS+gY
z$@3-XOLbwb(r8E~P@%Wco)t6~_cw^jCpfap!1qapbU~z3V6(LC-*{?c&mJBPj#&4<
z!QFgMrC4jN=^gmL@%qmY0e<c21CPg2FPopF&}r=BIL1cj>wf(Va)qck^c1}jTDs8C
z_5Ccw28A<5=^s{02SygB!=%(VDd&Tn9duJ;Mbtk=$PJP|gwn#?BkSW)XHTf}_$Ls8
z6fTDG|DD;y-yiD?^*E#B>yGr~T0XvGFzd9QSV<n4jnwi!U%nQZJ(65GVRdE)cf|8+
zlW>V(T$HEqW5|z~WtX~c8X~N8{v;xrZRj`EfS^4fy#5qZCHN%_wyK4PqQS7pjqwW1
zar|W)Lpgsg=$vhCw|6?jp5%C;H@sur@zUFvzyAEfRH(94ykJ$1G+F(XeYN>p_fw{l
z@qWaL+RrOU9rO=p4)l%RT>$BVTfX$0`yB6hwc%1kiUHkB?M|n6rw|6uc{T)!xD!$1
z*;o86s*puzPGL)8m`z%*<kO>*51n_!$%pPkBo%@8ho5|=7;dsO^i1z#?|m0`v~;xC
zS~^-sUj5Md2|Mma#5FCm*U!OLW@~A0fgDtCKSckx+>9v30fhwd^Uvaht4V6zE{Ex(
zut($El4eC#FcD?btVwD&M$wBAs(qhA@Tq#6XeTpt-|=*3x-^-in+IFmt(j6sw|4Vj
z+p-cY%niW3dW<d}9IFR^6kAFr7ZN|>edV=2DPFnLGNR7!74B}N^Q0oxE#e(?i%6wv
za<+N@<j?LNY47c@IeHz{yWjB^wsucsB!d5cPyO+?2>K)-n_t9l`gQs=T(Kz$#`RKu
za^<p_C?(uQEtqNY*ouA7A$Rd4i&xb<4>j4$p2&?PJL{MD9f;r3G|@nDJl-pBM7&W~
z?J&N?=DWGB6^6Y=i_6iux|~6ybx?2|p^}OaKOv*YPM1MX=}vmGeXF++1gXCi<_PBi
zzoHSxaSA(?RYsj`gw!zF#LPZnYiYWOz90FvC*uh&_74nu@>9iPQ|pmrGU?8__dB{1
zIArmg9Z_9#=W1mrIGFNw=N^l=6WKo6i;%UrffT$(vmrE`1LS(tbO5T9h3o^q7D=j#
z6E1Pr2E9NSKVYRr4Qtgx`|MT&?N`|K+nZ-k7)`T`ugAAy?*w(d`f~aTKdPz`P^8ID
zQ9{xd&S!UBC{AX($144E{vGjamimy3+lw4rHWM5u4TdUXxzI|o>K|Gu7k2I#4%B}D
zdZn;`|K8k(Ur|L)(1-e<W(KSKl;8U6`gn4p*qfT%Kd|#mY}_|d7@h9UP8C^qV0g#Q
zLV0D#Urnxra$}XyU}+#&|1kQ{iatDrJ{aaqMjbZjM|_Vo;cqb0km;gID=8ZMz6-2A
z;*1f#Q>oTCzdm6rl}O6{&o}Hju(oRlDAhZjxO%B?ZAZeL7zkc?_qW!YYNyHuQblUz
z0q+SU-jXJ7VIM(1Bl_C9LI5|_vQ=xM({W8$vq}3Pdna)e@}E#Sbl7{e@Dr}HL4EL5
zeCX!izWd?ol8KhP)(-4>!?#Wp&y5>MSw2;3T1OZ0d(E58Y(V(|EO{dq(E~3i^)#J;
zAU%m@s{TWkJ>o26cqUmwc1+@N&}`t!;m#aT3f>4_w7q#Xy?O)wZ}s-oG~1243a_vK
z?)d%V^$qs=TGRc+>#S6B7kA!0i;+?$`n<|xuV53PxE{n{^L~+}7e;Y9hm#3h*H+Xz
zz~b%;QLdI&+lV1agE`Ac^o@?~EtmJv=e}}JKGNMC$@lc+=rh;ji^Y7tc-+x<;?dK`
zA3o7PaQxxpryo7hcRDn4!|KvYX2apxmn^N`FcbPx%-0)@_WEKpE{6SSQC@>_^;;fN
z$J7vEDlJI*f|Z^TzHu!eFP+n|aIsXWtQDC)gz;R2J`e)+9#5$FB~6XWN-3eI0Gt+f
z5z|8#h4DEtFBz!$8UVh)wSE_S<l@HMoF_li9~$cJafUq6)Wz=XWM6Q=)e{I#ojuDQ
ztKZ5VTW>06W(ERnE$jB?e4$v$%$5Qa&wsFbqJAslP%(b%Fvg!zAP*rGQ_77z7cK~Y
z&{+eXC7kF5J$3_lpXDCPVeZj#m>axBS6CY4Bzg)jBZ>*b41FWV5jle>GJz;Ul%b0n
zEcl+nX9@;N3T!3zL}6;`QAm(vM0lyyLx(uXCS9lI=DKr}eSwmzCm5W1r}NAM4=jiq
zz9R*sI{z_I$UqeRx^I5}cl}m5X6qkf%yX81RM$v|&futer-dmrj8@)Gp|@x_$TZmS
z)AZ7`;b5O9Aa4L_1k@;30sd!@aDtO?62zIozghgF1*qU3kyQjkkUvJ)e2Fg=@vIO3
zYCx%m$W~&i=gMD?y0lzD;mfW<(EI-TP4wQlc%?PjKz>@peBJR_0@Rsqw@j*YAQczA
zsI;z&(sj1#cBFU$p~cuZPo~9Vh$C2CJ;y$I?p(cgj<0*fX|WlqnWs>`71gkZZ5I24
ze*d5WPf8pf8g`WKjFRm$0;hX!*&S44Ug9~~9x>bO4Bfpa@nMM<fG<%_s>BNt=i{bY
z0umpRxcFVvq?h=FsXc1mOT4Dy$W`Tcvr4>dxyb88;9efWVU^HsWs>Ypr>j&MvFe1+
zn@-$h1`sqRb|-w_bYC*nn04cmyuWn!C+rurl%Q1UbQi&E(&F?t{SzJD-u4?Qrek&W
zSSV_^2EvQ0kz3X2=@~*1V{z#x<^zRx*de;FPmZTV;{;1VJ#qziu3^O=RM&~r5%uxt
z76fDNrHG6b`l7f3S-5S<$`InkXh>#h$%08MIh*K$n2MWRQ2f-2tjj+^%q)tPJL10P
zPtV(I?YG<|J`hSOs+RXB*{zQb-#$`D+4TBjk5=v&VIitwj>Joh3$<Y>=Rs*^ALr|i
z|2M4*`fseqC=)d-w&DpRPPx{yecFVh-h#xlCLB4~60ewW)LW2v-h@+)Jkg(i6OMWd
z5+5<)sDC2yaScb!T&jN}@iI&E+-Wf`%7GW}uWIdIP?A&+OXBAx4td0$H{f>~+P70Z
zEZP3$I*#_Jhb8fQG@NSqs&u1zSfDfLZSL1`?eFf>{*HcM#~(1^sA(>L=Rp&Wn&uLJ
zNW<y(Rk~75bHndLk1B2sDi+vTNc*~=uIvU0a^=bo9o&CSXK}BLHzj36q%w&(O|q3y
z1y?#BQTmqH=LP<aqBcb0A$gU_ip=)|-`&zgrV0%TB{r0Xuo_al*xOOu+#Bp@Lk?5!
z)JyfunZc|qYX0YHnwMHKVmO$2?LCxl5~e&FtzHC6YN=k>H;6x{*lO&Xf8hIu|2N+^
z_;1W(g27&;w&U|G@HER9aH7A!`%U=AG#nvchW4o4D%&44;k4exd&W&T?I(ffO*rjK
zfoBN^AA_I7@(lcMjWs75Gz#!#lHwKAoK!w?X$pUcan9i-VXDWdh?)gS)UxFD7=e#a
zJw}O7vS!|%{4&3X-;+4%F@BuaW5k_PmM>8KMA`lT^kjPfH0qB2y#eQSM^XFcr;syF
zs>jINQ(dKpWIaaICFRdonbYuhcrNNO;`gZ@qajXGDopx#jXpkX2DGI!4{0?`Shwx?
zq&P{pT7nU*IV>tKZm=%3;9~uES&8~jdVf3Vw~%~TA4-+&rEzW6fe+&D7WgyyIO)C<
z@!wWHFZgfvZ;&rd`ng`(_H_B8TU1DqC66<C8!L4Cwd){zwEkUOWPR!LcpZKthW}aM
z?`zjR8`5&M-5W`lA+K*6{+2?I@ZKtnliqY3^2i?hhYQcvkFdhwY1`C-vUKUmg>%gM
zsZU|N)Ni`8yxAh=8`UKFT{O)^3GtlYrA(=wbl&54aN>><E2LjmKkqf@2KrIxY4nJp
zJ<SQJ_r2T`P1-?>kKYXwv~^2Fg!#V1?>u*ddg0;BjjM$%_Z+gswb$04D;;}apL!kN
zcJ~`%oLHAMPQ*3HanXIe6m^dwlU+s$f!-b9qtXD@Fn_upxz!GwBs;K`;!K>(Znb^t
z!l&;&+2wcHT>j1zbT0{89=&F4?3&T~2h`uDduN+r>r?-m?t^WHm6B*&5p#fV6y2ho
zsinH5&%WFU*yqB(hgziktWQTMaubs-M)%p!T8Mj@{8wQgt-lJ9VZX`VeeN7f;$Q1I
zq2tQAML)WTCj3sHanQtWx%>?-dLJa!WZnZmiqIl&5*^@|UDGoE&iPFXkwodc^m#cC
z5k7Vo|IIvp_(l9?yMBw1TuS=5jj?#NqA12dwU&y}y0aK;93}g_`G0zjy|4an?|+ib
zF0iIc3+Mjr`*fE!Vq+})4!mZ_Jp8w~6N>kPVympk5&NF<KIKpFZi+LRwIH9wNoU$X
zNyK8)ed^-oBD%v!98#|oG2%8wjIiw@M%I^?*V)_Yf9t=Pym~R4UA%hodi4uiSvlFl
zj<g(IUOw7Ve`m|d`uC38vh%0Lcbu9{+m0QxrDsp=7(X?iwH@bcssrQe;^Xmiy6(V#
zzZrBj+$1GuN~fz#=HvQ2WvB$Xb(HK_Vm(n_3VF)N>Pz0I4t$bMPlxgVnJF+TL|l<2
z3sPr_qOU|S3>zLlHIuk)*Up#DFWjD(JvIIvYhwEB?Aw0-*#0KAQh%ap|FPeH+w9rt
zgcZg17;G*U<q`0he%-e%6&Ss*`d(CfN9KUwXDI@YR)bMvNpXaFNhjPs#J<3XCucyl
zGTFT_d{xPIs9KtOeBS<-yE74Ye$P#_vp4R^yCWI*%YRv$_VrEWa?^dj>Dp<VyE3!d
zzw7pc0|N(d-_^f5Q*ql)9~!vt_~8EWczk^S;PLwg4)OWGBq)ba<1%AWV18}3-b7mr
z>+XlZ=Q-Ytcw69rRs0V*-ntcMNshOf@Na`~+uhy%L)c}W<n6l_w!Z(3z_Zv1zl)#b
zzpU;9eg{151G`<lW9@nL^Rx6GWnH}I|58Uqtl1d!&p7h#wAwulmNI>|C|*)co!^>^
zE#^!F$BO6#J%wIaDkz#b%V(2TrO-sl$VU37cBUjJ5;RRGBC!y@Ad-MH*(6eirj%($
zh76wG_q`)GrY6=3eS3Vi?%NS|?g)9D?oLNKFu0@HR-N@^BOb-xJreWgW1gDhRWF}9
zH=n9ZUE6={x%H^uXJ2n_Eesw%<4Kl+N2dlnh3UfDKG0)nb4`gse+a`Ia~p9Di)IOH
z@R3P}DBo`>a2g-qZz(=T@|JbNQcv+27cobWw)`o1L`A4D`HIL=gT04u!-4`LNr%D;
zwVYXsjfVTh%>!R}LY3-9X!b_fQlPqjG_y3CC>3Y-Cq@=heMd5iO?hZwZfvaA+Ziu~
zI%>(GDiWcWA6Fi$9Gy*h`{w(H_Xch4=T?T-h6CaJ#Q6!<G&wOi*Sy{wNELj8gNJti
z!CUjtABb;kuCec7eS|Ih%+!!dn;xm!;3Cs~IFzG=D=8!?EIf1z(><jO({@FSmX!ja
zXv!%$>_aGq9;+^7@9-3|35TsP+H!kas5m=dw>{n!3@3cGM;^OS4TKI{_0o~UkDr~o
z<+giP`mZTq?gnsX{2}J92-%}qJuVlu!Dnqq^C1m^yAb~;UlQE_brF^Z(NQb`VDMA%
zbCHPr)NUr$%6~)@pYXyP65Dw7t^HH!;J{?kSB!hSg_*v}O=H20l~@EtBEqqeTu*ez
z!AfncnweR4$BK^V*uiRH=SZ%jD_tB6`wCIF$9**K>*|WeQ(oWT=v-lVeKK)+X}+=?
z>DoUNEhpgj;<2tzVvYtZ*Q&bD6?4?d-<*WhBTsme*JTzt&?34!3`(d*?Iga(L6x}l
z>eG%@E&PToX^jdz+{g>VE#JDl5D~ML_U%ZF6f>Fl$WpHVP_j5OnX42_ow05dA(|Kq
zPsIjGheWRQSi7xblIO1n{kt=iBCRNgt;k?^`&W{^d_DFdp5?tbPZTYS=JnW+ai&|h
zM427o%TZ6oq+4agXyE7M%TNY^ViA%Zk=PGSDxxi#*`3FIy{*1nG&NU=78XyGyGN&{
zeC$-y;K}8_u6Q}IJR7_ikET5BT^;Rqd!%|`a_Ht8&Sn@x{r(dtqGxWrxi3{oc$=NW
z)!zMl95dKg-^82+u~JQ3rXk8gKl@XZg~-CB=mDQR>r<qQ$k3pu7|P6WQCz;}Y{YR1
zVXk`cI=huwtt^^}SK}Mj=IdK*$<^xana9T;xOZc4awuP}f1I5RujEdZN3T6yhY%4y
zqOW6Lbz*0vb$zyhAL>%#X>yc6rjTYue2!v3#6D6Zs9`;<sj}Nj7a3LttaPV0BB-s*
zaqj&2bLG9Gk;v%YvIn<#E1y(c!K6q3>UiHX?|;AQ3sUa$RgcWh9;x~+ece|(zH{gC
z8ioC#UfT<-1%BmjtQPz_g*7yIGxR<SYp0MxE~E7MoB7HexVu1ccRO89XWX%8mfbjT
z_1WWTUpF`=gdzRb^yW`_zHL&^wr$8k(a*WEH;_G4Qiki=4N(^qt1PlCL@liVXP?k^
zE#g}QvmxvA;^2aFixVO8Vy-DzzA|Mc(TR#+KK8oAO0v1b?)SXZYQMe7W(&<Ot>xRY
zdy3tq>PVn1f9HHlS4()$a1b-Umg<>G+%s@^exT*%_Q67G-|7<a3n#|cj5Xl4oKR`m
z;764QuI-0oEYibUkOn}`HCoFS9%l*KXWdzF4;dTO<HMmW`N)0$)D&LsiF6{tIlK3C
z?0xrc*xK6IkGgMcwV!TjzwXAml?h+MGGuoJ^PNK$w`or`MCrtc@G(&vih|xK&xKiH
zTtbsyMMQ0o#z`_Erp<)#2&13Sk45~3wo*8=L%=Z)JI-W@cPwwDvf)bbJT0D{?&hwR
zPG>xDvdh*pnd;3snPRm*uDqrGrSaidiS3dr%4)@uI$9`ncw?1PNy=a>u&;qvxb<66
z<*`kdz70WVS6J!9_i?_!XrW1C?HJ|nGybcm?m+&0q}7%mhTx6#jb|_X>{K9i)%Dl+
z9sBUf*}Lw#dmgmv0Uv$>e0UyOqlwm%w7PXi=fh8vo(DaXB##H5MNaP+=uHw=k9#Bc
zDaFAhAa#oPK7j87_)apqgzqJMC;m-dGH|*r{F_%)sf|cBPNlghTCO(YRW(QA>R|58
z?7kC%t7mss!oF-J+&2s-1*(qpu-`r3Kj{i*yq>VfoAiW+vp#pa8qZWB9U7l^G`9r$
z=LQoK<z%a^ducE+=927wq}-DUyOgGrO^Pc%5RT>oUCk}-U?#{}ztFka&-i>AqFx*H
zDI;gnee6UjRRUAEtH?kx7ARp|rGqo5qIR$}aELw+4UCSBjpCmpfvW9OsG^2XUQO-v
z(cQa`9oxP8C}ssUtQFk-0*zIRC~8PQH%cOMk6SPgBz**TZv{dpN|B!+JVlgeLfVrW
z8Nhu;)g+W#nlw0jNzf`DgSPPV#W4uY-*mN|cXhvPiT$55idBJn(cR&6W*uugJ1185
zrOrNgjr}Fho;cEUGJR-uq9fq3Dku>~d|0vU0uQi(wjM~Iz2=oE<(0l?q|u9Of>iy0
zBHL6KKS?c-D?@ozBI(>GQ|ReXyhSTV$Zmw~N=_aaym2Ejwwz5aM4*Mgq<^+DIyf61
zd7S;}{JELvtL~h>dOj6QPTdHN`|zQa1N+x*izA9jtO+Fr`uiYZwJ4}7tO?->j`4k?
zMv|(OCyMu)*GU|!Ka1l6b)7F3IwezzFLRU*Or^3jhx(a2KbI@?#mDyzl*gT+oWDFZ
ziDaeIlQU<gB4=$)%;q~eJ#u6+c6#4Ze7rxfXa5S0#w7a!kh32_-+Of*uH5uGt@YI`
z_AYT<5yL{grRXiWswo73Rs|J?kgi15mly~+es77LeT$-a+#P;rmuC<fV=ckj)|*bO
zJUSlm*lb6dDXz1EzR(@9hMX_y)7Sgb(77vAK@#ghXa&QRdXTLMDvItAfT((KllnDR
z*{t?ko51UpYI<O#(|fDiyWzO$Om1%$>QrDyqI;k++*>W}T_3(>r+?~!=~rBUZk5M+
zeGB5Vg`MgYtytKp5P=cY&YcapQF^w*|G!yJZ-1wr^>qLJde+lBF%PYqbI^T%208N(
zjfs_d@xN`_m>T3)gSax*Um-y(7|ung3`p<7MioU^=n_nk;!lYhB-k9>d`{a#EU$J-
zmCCxI48f*gb=$4USKRrb58nPt+l?>(i%;D42HS@mY@Lk-{`24K&(xm?!fV2Cuj?9a
z?6?gP8rM=RjGy;iw*w?dc}N(dHyXBSoLa;UEp*LDjY_9;2n~x$*EVsxo4T}`Jwjx0
z6P&)j>|QoBcX~(A+Ke^ESZ91Vb;H7Pm**Cb_tg(P{&tp`JyN+-F0?{E-4Pki^eFL5
zUsaA?UA}7CzvGsP3%{kjo$ptila;q)Zc04w$__5hm9qx^sP9=d5`gs4X7rkFt08+`
z9udI(Si3@(;4uMQ57IYBMcv5qq)%IgcqcaaH}+psO5K!2XXC|Y+r3Rq`B<XZ(iL>y
zkm^5mxUk1<^Xzgwc>ltMk>bRyyJnV$P{S^t-w~S}SY1nuR;!WR=so)%c&Jb=BglgI
zP=0fny$$2a;v{U+N%Yh3)6n`DOrvx#A;vD*Bv&Ca*=>U(g|4uAvNsq=C+2H$NYv8c
zLSWRB@r}%NNBaWtzMv!gfmpQ9(;IDfBt{QTj-Q;4$9%h8?nArMLy4Z&c3&hH3V>T$
zEsLPNANO~Jp$kpu_R%ZEZ<4O08c&Ahw<j&b=)5RPNm0gm&P|Dv>UN4rrlqKoEeRTr
zQ?WLC?CQag8<e;hz@=s|Rg4zbcNP7^duy4ck;HH<J%P;TsRKx*8eJ~B29xFLeM7U(
z@Ib7)R`F;19f9%FJO8V4bUNiN&h-!P_uFjI@=Ut2IvikM3-oy%v24G;+`qp*HeTz6
z?W3b}pfs5x|A=DQ0Uk}~NeAj>Y4zLkv}f{$$SYmjAX{Qyo_5KCC_?h`_$DG%$g3^%
zA~yyC+l)QY%xhdoW(_%lgJrXtw9A8-|I~%L=vG`F<j<f!&k3dZ=4NYu%9{*yDyQyV
z42H`)vv=GR8riQngF|Uo%k<&l9yWUEnX8UuD}HA!I@#|TIlHGlF}*LD+f@mD;JsJB
z?if}f*;B#K*(IFnN~k_$T7?a@a~tH4kxdAtidY00V<^xwi%%-9E6OGk)1cyyIOAcr
z$y#Va8>CVt)(}N(i+E#Js-9UYj1Qd27xwH5^iQSwmn)$n@>rp1wXm7J15imGf2Wd|
zJu|)dn%aE%^u*GkroW#!JQ9dcpBS4uw=<&@4j0%zR<Ex?Ygt<xga3u@M;fy_;SWBG
zIknqUEY9uZlz06k$FC8%1)f*5=k^YczeKh#a-5&hIexut|4ME@|0>?Y@7GiWF7MZ*
z-(^4J?O!I}g9u-|pUZuYZ^-u`QcK0@{x?P76^p<*59IA}hXU{ajr@221@A9eJ!mg}
z_a?e4Qhg7{#d~fN@7eq%CjDmRx5+OsL00$&Y<L~)@c#w;tiT5ee+6K|slCyU@SyM`
z&{Gqx`WJo*rlD{<zhZd~jhd|wsqcsTne6|H<+B_YbVGaP|4RH*9DkMCUipQ@|2M~9
z&GGM`{lmb~|D*Kw*WelTb1VK@iE}?X#b@DniEbq({BHtBJd?x=5~u#02OYAI60gT!
zfI?b-%s427-~Ari8~rH{%HRFr7W^iO6MYyTS2H7zhk-uIro?+WuG8n25_fZ4r_awN
zPM*wWtDq0{|8u<mtquJ*<9h#%exC>NE*cm0--sLgf13Yp>(>5TPfC1C|E)(PzNP=x
z!xA_4AM<GK7P#eEJ}%6#nBOfpW*9ie%MS7Jwrw5n7F-*z$)9ByuL(Ddm;F2MPute<
zvad>f%XrxrCB9|6>|Z6mWxVXS1-^B>TW~SnA7i{ZzMk7a9js>>HRyo#jC)UMJqx@b
z@t=b4eGk6PjHT=4ay9ez{{{Su0te&J_xtyNe+2zO`+bCK^Z~w|Uk~rMKFIsu#SmSf
zuV>&7NSq=bnyqp@1HVP!#F2o@^$h%_5+_%mx}J$I{RN+2mz-ZQkA%OU;{nSvyuCKR
zirLTjARjNSXETl&2Ho%;P?P&5866MReiFVQ@l`{Ah|dVV6kveSUd+pjp#LxUywI+u
zc>(9d`vp$(BJhI5i4Q15e`Vb~FL?it1#X@f;Qx&Np#2{D)d%Uv@&4z5H~2|`)BE2<
z{a4l*tq233vHlN<w{TqJGuGEj+{$r{&sZOoI1N~x7tjH#jlbXWdmPvIsTmjaK^+Hc
z4e<by-&$X$^zr`x68P<yN8pf087`0Pc#6S``N8v-i06a!9J6ep=O^WJtUp@|^#gpI
z<V}X;4R3)RLGz2}&GPwY`E!hyKgY}vo$y@nW5x0*{v6}x&wr-=y|pg?p5#!5_$+_^
z0)PG;^zRLLj{YB|rzDT4fAki5|JLWAhVeP#gkP|}mD7ddo#-#$r1h)F*SFx~pp1BK
z<$4Prm-)G*jC@YxqWy~ee9pHtx>)~89hdD1`JDJyhW01@zV%(&@4r_*ck}0xF4lKw
zfB$azocNhW7wez$=NPx`X7QZ!HH|XXbC-E8DI=cae)t!x9~ApQ^h^0`tzT7b-{@2+
zqLn(|X>I>#>%~fzX?4E;p86&Cg-(|bYJdNC@;U7foi0ynfB#|moc2kE_!p<!6WZT@
zNIs|iqSNJl{5jF(sCdrzjZT-f%RE=<!k<e$)~)HWRp_y8(D#IXi~Ho1v(z8^ysqCu
z?*;#nc=R%O!i4L3^6M^xU$_kZ=w<MSP56Y?pVwaof5eDWJhJS6zX?YitHkpr9C54?
z&+0hze8h7r*Kqn&rJgVJf1;bf=S?`#P2kbX;0Y5>bQA4gcNzS`W$;HYgFh^BaUP-m
zzeMz(VZ~$K1y21J_`C_H{tG;M89ZUassEz=>n?*|xD5X2W$=ehIL*6w|LZS<KVrn`
z&NSIREAe5RcUr8p{z*dE?Nyw2X#E#BPIM6Xyf_DKeu?8m2Z2ZB`Dh7vk?#wECuIB2
z^Y%msfxk}TpWT9AFtqm=&V!Fi{EKMcWxyYn`2PX!vl1P|`(J+<{1J(N4ec|0{fqYf
z5~sU8JE5Vg@5xL2Gr-3<-9-DW#J8RkUv?Q>o*y^AjrT;YBij3K5$)x9mgxU7xemKk
z{)2Na(O=;6Oq_GY`IqP~aKpXCXs_eO`_hf)<=2_sL-QiubKx@hqnE)SmN@sf@bz=6
z?0=T`U*Ob#fzPun-(TXKPUGE>>+KS6FK}uv@OgPo7dVYe;L*$A2@_7^6764i8T`U!
z@JBC$KWxHjy@~g~{xbL@Mx3u7(LQU!i4P0B--OdT6nNf<8|)7+y9_Sv64D+*>rK4p
z7TI3dJ&69o?onkoa{3FL=r8bj;KUCFPV^Ue^fGwDgcJQm``29tzi=7+(aYcun{cAP
zc>n7!gFj-#IsHZZti<!kyFuI|-gB0(!|NC#m$}>r&et>HSv$vxFGB7Ky?~w*oy^a5
z{eYemz0A*bJz@Ljy1qcqiGJq4*Y$?&pX>U=_Rn=aV*BU1K0(ikzUJT8^@{DE>-q(r
zb9$TqUez0BaL+B`p74Glx2}`-e{-DEop8{da8CCkr@MGgbT>cO<ul&P>27|m%jxZ(
z>++hO6Wz^!ugmT2pX>5_`{%kG-~PES&*?eQ-TeEyT;Kk=F5mH-)7|{{s+=FddWX*k
z?-%>vI)-+9e*@=qC!E$h{XMOBl`qh9l`rVeb^bulRsNtq*ZIWu&vkx5&sBb*|GmyP
zwtuekkL{o9d}RCQIzOT3DnHSGU*{{^KiBySo@@L?|9j47EEE^Ei^qi(;Y&1m10v+_
zh!}i?x>uL7Q&15DCVz^~ccX})9kF+myGl8JZhq?y#ixpIB6oqD16hjugDVS{(_Jwh
z%xPs0zc#ZJjISgv9~I_GCgV@H=8qH#=jW~*9Tun#6|iQw?}Nv+v|Cb$3&Lm}n!oo7
zQH?ym7qI{o+bE&}D2jyYUTJskaR-O$oYQ?AtV>3=STnPOK{etfSei~FXk_*H8U?qk
z9p8LcYkubNup0PMIW$vf?cX<uxyd7j3B~q#OrvRT8X{k$r-sL^QN)WV13?81C=N+R
zx0vIQa8FPsA!00KxX~>q{J!R{m_N5XmdNfrRefuGZ)SFFX=l0|c0>?9nsK!vzOcD1
zJ$`76$6P3T_RlW5T7BWPzxNROi}*J7di1y5vc<ot$F~_1iA0JT1y=ZwqL%a_K?07V
zWw!GR%18f}$DW;dW^L_F>zF%KV%*$=JB&YoI5>|Q-=_~+EUW4;t*UIAYUATW1de$<
z>}$8RwKR|2HeF)Pojr38ER|Sm=7zbI^;aJsc%O6dWdC3(FdDz=j<IrhDt-3O$?Nim
zM}O<DK6X8~TOhx4#qv$|A4(RPi59kQX|~<T`O-97v3wr5{r_R^P2eM|s{HYKuPUh|
zRjH&>d!^RYzGbUaW#9L$lkTLK^u9nhYXjY(5ol>}8C*aSL;(?(QE@>=QE}`BMZi&!
zad3AOml?;OC_1jVja~VF&%JM{N~IfgoX_V^lT_u@tM~3b_uRAJb0j$NszITk`MP)y
zhl%8c6Es_dcjFx6N01a?(45BKaHFB1e4~)96Si27TM}q^Wjgv!fbm%met%X#M<VQ^
ze=aX`C8F?u7In9@J(k3*_2@ebzri#ApO_X-X-(jWVbXZ%K5M@cp41$J&q1r=N?HM&
zZ)t5qs)4@Vdts;W)u&BQ)3`6eDa6OMR@~!K!A`dT?5B`}FJJo?z>aVj#y1Tcp+<Nc
z@~Nm^KC7fwT8fJ&`toEHBp&h<8HxaYb~JajPG_^!vIN!H5y3rscOOqr#j~CedxT51
z)r_mNIh+IbDX~{Lpv9>*csu0l?#KKG*!+VEtPCf(-yyMCcq_Y(Sr}}N`vALx!I*Wy
zV07I-G8nTg80=!e-oaqZs$j4ikjV+YjIrFRJXeLiPJ!*lk&rKl-@$b;1$G$t{xrk)
z(G6giDzFpcsPLe+6W_gp!?3o$7arBz3qK*{I!iPnorb~M@`4j|6qSWmdFGEv^c!rx
zSkkySV-015N875LE}I+03bJW$!h>2JYrn-k?>YB9t6B1sr6intr7IJ%&MelZVt%Xe
zsLt$3c+*+j(`|D(tB3}F1{x%PpjM^jlGCN2WgM7w1UoPE3Qux6l<8LFr<6p@^>HD|
z?qN|gq)YBX<R_*1vguQvIlnQ_x|EWiOyUo_F7y^&FxJ}xA>+tcgD=V+THjjjvf4e`
zezBv~8TFt#FL3d=5dW*5S*tu#UxK3VVQNoXB0kI5NNp(SsN+wpuy~@*)(){>>#<v1
z<O4p(Jk=d5E%OHR?8IG5m-++V3p&4EJWbl;;`(WxYo6zQrZi7_X30F?2Uc=t@jTfh
zH=5^j!h6B5?qer=m44e&rj>f~PD(XV0TO-J(J|Bj*btgOAUlSRWl;+NDn2C_d6N4i
zIG|`~c^hIWMUTqzP~Ntq6kX1WaHs+0Jq(6AF;@}6dmDS7s;;+sqcxL5NU{|dQ=yvL
z8l$;Ndi}?^)=+J%72CCbpV{3&(JpaKo?9I}@XFjIIjv4bO5{@kQcn;zw<^qyx8R|Y
z2b9vu(^q*XS3i^vS&1s$i<lDS*{+-EKiHx^^U$Or>a&{fKgTqM_iBv|ZnMv?Z5L~e
z)duY=*G-klg3`0;(4&?x;W%O#^*9Tu<j0iJj#PGz=_K-L^wX>eHLs;imC(69MK$Oe
zaOw`?jn1mu<gDRP40A$?NJ>}|K3I6_(vF=Y(eThp?ur9b6H`<BaGL#oYkD%9pKEvQ
z%y)M-liZ@QDd*<--*j#sX9I?5oivuUG4Xng-40TkB^^*ybU;bLRToD}h`|h~W;>nw
zr2Mi5{LtBd8(w+sRyJ~52(?aerUCy4QRqw`$_bTv6xK3nUwy>jGdLVhV|8t9ZIy7*
zyx~aU7mX>Q=AO!$>Y7KsIi+*wmj{~XW*6Geetqhjj|g42O$bkgdb@h0@hj)&K_EIP
z5W|RfpzeXp|5e6NrZk*^4lW?mhcem)yl;VyPUma+v1xk8OJ7-8rZjIdLNM<$)IgYK
z+=9PS$fAp5*YbRL%B!P{_arpntOd;vl=Bci(T{!z_y;7=AxYK=4-LWTlmt%sgtWTH
z2W%00MJ<YKx(u#VENq^czG8a1ArwpF?`o^wRACR>1|GlR?!_w>?-q8wKI0O!msDsC
zjm_cvgqp(d?+Z6K8nhLcXa!g1^@aBe(ZYA=2lD1mh#$=XFAJJi%Xo>C1%uviO0BGJ
z0(2Jv)C58ab5bH6R{V@63yf7VRzn$ubk2ej@=*B~Sc&6ZkiE-F*a+fv2-naVry0tb
z1jA{;aTom4o3wJFcRC>YQZNRMoNebyEgBaz1sk?+zij)qhF~aSkJMYLYAX!pdb44^
z+v;~PWV+4vcqnKdUb$>#xV|YIbC}&6nE^}p9J{u{q_@@^t0A=?Ba}TB%DAelfX2$Y
zM*9P|Cq3svvnTnc58E5-D)BkQI>U%YJBa;bLx$iPuqzQvnAkDZT_UTHSg?grh8D$Z
zi5M)%YLy9~@^g>A;;kdABX4=-r$2Y<E%U3J?i4N*5`{ksRqW?mg|`Wz!uRNho)tw7
zf&puq!mgGU$V*G;-Eaxz3Kg~Zobo-9?T^B3JWY*SW81M_)D@Q3a;FtiYAO+nDQ*iZ
zl@e8sxC+*>YqEohE!pn**{RL_Q-cGo$%#O3?9#p?S7$Q0iRkD~W2$`tCkS&Lt=n5O
znUvQ(A4%@o+&<T!Gj17do6REskMX8S;Lf6E(3f#dl_Ys>UOp26Sf%p|wD*kIjrEjB
zj5!j=r0$veY$uS7!&T_;q1P@Quc^?D{p<C|(Sl_3%c%DBU!7NHUoTvVIuX9kV;!$6
zypi#BJ|69i7}eemfL`A!Y$lG(;48qpN6r6~Qi#>Pq>htUgluF~KuOJ12~Ge%;g#SB
z=MHFr{H#BX-$m3xgi*{TOrpdlmR9%dutXwB;s=b<Ee%%V{CBQDvm5jH{e3u*#`ixF
z?rRJG$aX)`3gYVGE{r*;p8qS8zQtpPHY4qBvX}Xpe#%dcfJ%yYuRKn<-9Vk7>`gIj
zi-yCNi}$Xs?q0Ek!!dbt(vUYDFj^ZL4A^%TW#1_?kaylK50&gKl3klYA4bq9uL4m6
ztV-CDx6#t-^uw?E{*Q0`#8%vnHjcDuzytpWIB3K78&OX}+An1?O~nD<FPx@GrZr&A
zNS^T?6-xbgWTwJn!zx7589r^l4JEwwwN*xk&1SSVH3)}R?=&@<>Y7q{qpsp&QLG6K
zcOH1`Fje4KymM~haIZs_%j;{BjIsI=(19W6N@{~havZfmAh$QM&j~k59S`aHC~R$T
zX!bd>ZPa=jSX(V{;Q}t~IEO3Y;yiLv<{kCe2fU*K=_FL!gv&^3r>S5hKPYIkkaT2<
zn}j>uO(uJl)!Z017=Lj6p$=W!&a0nk+-9t-yilvN*c*kP|LToz{MFe%j#E~Vmc=VR
z4LYUs6n^zAlcZ{>`%69h!zqDRT&)AYl`GwFnM9RW4Ol&@s73xB;=fd@wyYiqa&2)U
z8VzJ9!(DHC+m6kfcL)#D@4|0i@#Z(b;sW|5%xv0HA&l!5=I0l5g)<df3V+;HapQ@r
zPgd;QS#k2}6E{}u0`6;p>*CrUOVFua&ghoaF)=6_)p@v^tWgnXqbf>Ngj4D^NxXq;
zP)n;XtU_BtIhU_fITz?gz@eZS!t*V79@V3j*0zj475CL5tmzc~MA9jUGGV+@Csh+6
zQHw_k?{Kt-yH^H-S4~U?S{habySBoa-!^dHeKS2eo!~xujQ9)|F@k3sRJtmgrCL9R
z*I?o&DQK3oT6(-vja;fOTrKlLK4<gNvCmxjnPc*NG3R5Pw~e6!B<b6mOMSFuwv%KW
zGmVuB<ET&MPs7vkRH7G>*VH_rA_r|%{b$o_HD~!K<_wQKQZy1^A84nnHu1x3EKZfv
zmW@Nz{mJ1+T~0_xAVW=Hqbk<;sVe3=jXx#)=!-)CO2?kDcw}T}e&5!~sXG_M^ue?C
zmg#KQLc3#6u8+b1*bBrLpdaIOoCADMIhj_rChPZ;osEd9MDgxCR4P|404qtT^`nB4
zAOKTKt4p1`Mk0}s-JM&eCuXN-CWQx9fhc?Pj6AknTj6Oyj$!6BzNj?5ZkbyD%F!_i
zu)%1SRu9V~xo|g)Was)}5RQ25+<NewqFUIJzgy)u>*WG<LU%}dlmU7aS^wMzPWUS3
zhE!s+#0a2+9KRm9I5ps#YMt3t^_M>zR;J^lo`K+{g98`MrPA{k8{3+veUXC~9bDP&
zch3gfQ(JG`y7km@g75`B{z{D14N0z4i;z6M>S!fBT?I&|v6!*B?xZ^Jn1f?kpg@xF
zjf?_Gmk+U-kft6ZMIGCK>=yaN>Hyk6&{=Ofd?N1bJusQ7xN&v$75dD?-tNI8Q}OuJ
zk-<n`+`c?Jw`@=J8WWqYoGif9Ec|Ks@MNTU+shZq>V#o_$ej~)pa<$hv@FwuM4ak$
zieoKoI?@hfh6!AD_(vuk6)oot5s8qw2@OfD4OvhZ6sK!?1+!Le{3G0U;O<xdQ~z9K
zct`fxXLj!%o0t$ZYZ{@>vU^kKOvVc3aQ8RTIEV|9;qq7b3Dup&{w3WoAoz>ms3R-E
zI|z<p;EW||D!l>vlcK9jELfeDN@Hh;o}gdKYr=UIX@{~VLbV>PY^5B;rO+sgos!{8
zLR}nLF<l#XeGtV7Ux5R!uEFGU)lUq2QkK;Z2!HsFv$d&p>tMv29W~bMtTecjzJZ<!
zUE!<XB?sTB(>b$?-Cgr-c4@xfXLWYTPoUR_gb14#=_SxJuy+(sN13cq=T)rr+9@-e
z*&%l9A0Ck*`g1E(M@yvI$$G>;eDLJ(sw6uGFI&hoFCHBn*zX^3_eZA>82|V`Rr?mx
zW1fNd5o2Qc)K+YoRC{pN?ccs~@Ztjz-*j^uhK#wuZW7Ki-N-7hndb9M*TRU9qxusp
zSXnJ6@KT(95{%kjw)2a0Na=j1x{hicFREOEUG*$Z-QkB@C;S8+X-sk-UmR$v%obHu
z*J7)UIeb2c)91U+;rBc6bI+>yWYFzyYI3`S^6S|?#zfg1oR|~xW})vHFiFUB@Chge
znkc**%8BsvXuD^y^F-ze;aot^Xp2VdeFi_0?(1VvvKHfPl@y&%(t;HxoD$&KA$2$+
zyQn5@{yNf&Ywe^LhZ=-UQxbE|KXRkVZK?~U^1`D7le053eWi-BEI6Pqzh!RW!d}P4
zxxQQ*@j?i=>o7+<G)1MebeZf>sqZvVnM89o(43a>Y+1vSbq{u)67#k^BiBkK-I4e7
zk!%fUUos!0iJFy3F0HPuPUX4u%b!^jj`vSO>|mJ+e-iYH1QePI--m?89KaW_Sg*t!
zTxy@5GHpSf0k6wKRu9(}M7AEJInhd)nYL8C@ljAj<_J%){od}*Z|e(OH8^f>w#b{j
zV{`YXKRwh<`=0L)lF2LDYhd>x_nPhXd8VZ>8&Z1>Bu}%d+x%Z!ktlEBc*&Mz;Wyd0
z56Etu^O%$3<2^Uy*Z`*?aWm#bU1ZN=RZ=WQwJcBIDW%q>_%Pj&^GR`%;g0(Z0^~CQ
zoY`Ack6il>hSOGoY$>wK$3&{}Xy7#t)f3ibbX=@8b8o9mxm00Q&(<FPVepO+oU2Q#
zf@byMYS}h8_6V5<m@m=WsCb&~nGspO7896UER^^6=CK6Y8l;kwTbH|8_|~B90PO}=
z6L_<-B~-Wc+itpP^*{cjH@9n){L=a1&hd$f**4*qdyXF6bKH^~ZSC6BYTwz`*O9^4
z)Y_)J=c`h8^E~q840JF#;6eTrE)iudhWjbF6yaKn79oxx@AMi(r`OGDS<|^xYVMMu
zi4}ve)v$A7dUsXf{;FNZ%=S}DTW;8zN^QMi%hIXs8F6CIu3dWy?n{pxxs>q9>z2+y
z{uS-tGHpdgFKh~+kb8iN{a2)(*ceC6!YxR>bE$(AbF;}!CAD9WYMPqtb?vtC0jt|&
zuQXLT+|~a8Qv781p>F*D&s%0IDlQRq;XuL3#z#C-cuw1c43r$5h1Z?i_AFKrOA3eL
z*gX{v4Ky68p%S?d6n?{s<O+y#vs$&-H;PVE#=BIirNjMNsTp@QxG%yv(3oX!7}-9s
zga9GSi~230Ckl^tu!bnUc`DHR+SjgvALxYi!KZo)|4u2Xw1;$SW2p3f4=VoMS!(~4
zc?~2|Vrn8)460(Bl)Q44&w#w~Lp2e#@E{tXeevptbYvG6GDc>{XFgoxgEaKueGu;n
z7Q-v~6`JwAcFZxzv>IwE-oe(iA}9NILoX>FfJ_g)_*{fJ`EPh>A%WK~!Wxy`{Vx_6
z_!F6`pxw2#A??M$+cHj)L4r`QI7R;BRFVI<j{to|0EsWDmV{KGkKr^AobnJIUq!hd
zA7L*AeDIh_9=K`)&cb*d#Vgedn#b#A{A|I>SLC9x5Xu1k@8bi6$UmEmI%~}K_XrUP
z$=b(0sjU<ZEy=$%OrTr%8lzbw!~Gk;k9W$rFT-qcy=t~PYDNzQu4Gr2thi941QSq5
zo0q~cgh-X}io*>IEgdYraHAS=c;n96#~zd83+v(zXW6i^x>3k0ia9i+j#x>~m6Q*s
zYQgGsc&}I<2cf}LvEAg8hItw`QJvI3mLysR6yU(>Q+9@|Jm&ZtC6Y!OGioBhRY#8T
z|H|)8o+tXy*g6`odE{f2sl>S>5Q&ktfc|03kL2+x<`;xUSu#J#WuwkdD!0Mt9w{J_
z2aRH3#7F4BzaFooO_Dc<7UVP{FW4Olckq`i63pxM9)HFNw2?ErS2y(fzkNpy-}H*6
z!$N<|_5VM7k7GVV;#HVW3p93VkE>jfFAU$X#O6HGfQq-DJgjmDKT(lrH0f+f$BX&+
zg?RDCQHHzT&(AgotpSbs4X{YodxTW3qwb9}up{NIK-6Vgk5!5cu(7s%V(Ti44!m!l
zMCpnWr_eX)N8ba!e40%%zRF};nHi;e&UyYGH{4Zs9t-%9MP9zdEcExSM}@X?hIP^h
z&llGrzrqhN-n8aodA#aqqy;Z?W}VmbfTR&fVzMwO4i4OccT=?+(yDN(v?ThYPN|$c
zD#iE9@gGd@B}Rah$*w027GA~3Xnno`+Ax*ThPpG=21II<h_gj}8RNImLdfx=kl8J?
z$swav*hIxaBRZ7JdBSaYX8rnFpOVU?K3U}n#05@+C+JyKGE%(cYA3RXne+pNR#|y=
zuDuhf`Zg8*u(~Q#uac9Q%ta6?S&-yp77z=99f37(T3<s|Qnu9bs5}^6Z9I=$U>p<V
zWubRGQ<oPbDe|_MP{CL(-&H3F!Hyk6;g-#p4=`^_Uo?)cI0u%<*W#bfR6p{G>W<~(
zQ;Vl|G&6rouzyGAm8alv2{l(e3@rmEi-kWi-vm~V>&)~wY!IauWm%1RH9kSrGj*&(
z3N$ltQ;LL8|J7<>&&GHu2|%iwN*m73v`X@>bfTwTN#{_qQD6@5^8C}uNt35uSMM`T
zUi(ki+`9T>Xp~3qkBmp7<B|IdxA*?|#~3E?TnjuSR|dS`;!;^qrr}Flj<F|NcRj|&
z3tH7eQ1gzf+=EWlfJD|&ma0luvQo-qSgFic?G+ocl#HLGf$&({Vy&xASL-lty8iTo
zH%%EGbvmQXFn;}muiOq=xyPOL`LgbNgv~<#n;flPZ>!@?g-`#CgaP70m=Cgo@Z5E^
zcgr}2N;ljuB=ZBF)k9p?$vHtTv{9sp2KuYbrO_fr$?GFVoSw<wKrw)#c$G8&m6BC@
z;1Lru<51+8VLf8uk>Re+B9F(?syu?p3B;?!H~aw}&D^%ZM<1Q(g|p-H8~Oe~X~-X9
zcKRDY0~GUrH(o`aKcgK({>%Z*8)Z)Wzs#Un!I~^$9{)edr4h){kLq~jVnzMjziVnu
z;YbEuQpH1}Hx%;X1sxG(H;wSOW!s2fv_;xHfmABsX^T)*T@kwpxi?rN8{||B83ITV
z1V14B{<V2H>rk;lT8_7DKI=4QB~wRyv}B;*hp5CLwi1nD%$&v$Ndg@8KeTm>Pr^4P
z`P_fPuH!L=Rw>4ihs?i(`LAD)uY=Di3EvX;IVB~Z6U!N3y#&bDgkA!G(|wg(0_|h$
zZ|<84E550ufC#qYvpTN8dn9-Ze9cc#PbVmhg!fkb{TJkLH$lss!QQ9>mtGfSBEwp4
zeCT?X7d#^;luMIfES!{!5M$k>hss6Jc#Aq@3{oLvlUC2SI4S)~!Bo^fvkTs1*QYlh
z8@KyiHiN_39q5|RdMdq(>BMA*x2bPSYimze)<5hWGQQ_6C+^r5tI<|gR#hA})m2p0
z$0i0sVPEgo&hEV<;l10ZrY8K!;Qm9HmzH`x3IB=n8WzkmqQ*BQ-lW!}lw6?95+DzA
z7&J#7gs>!^h+pzrq?Aj;Pn$rkW|1_-j0sUj8%yTIC;ZLy=M&>uZz7TI@#m+L`)6B|
z@s>?H+B2=$W#Rc+Ut1{LY1A3=*+?!_FN6agZ=mqeXuuaHUQc7c1!FJohop{M)uFjg
zK>l!Y>EW=6d0H5KMtB~*NU^?kYs;b!_iDg$t;-3OG!FHiQWIg|f-)FbOcaut%u;e5
zl9VPr#L1r|<%A9j(8nkv6zL**coc8Az~HGi*PHZCVe_o<(0}M1=Fh(Jfk$U6tjUS4
zFBh(wee?lA*R#bVbYPi4r*x+Jn~WX<00<OU62E{tf(f-FhUEBB$Eo_{&cHH4eQdU7
z^crUbN!~;rbtCVP1LLMHiX_A7Oc$MXB4dd%9jTh)X~e%m?1UHT$-I$l6Lb(M|5G2!
zBaVfX81j@NT`1e`&{OD?HCZR6B&4r-Td*$JP+e`Qv$l*iruz<~LhE=70(Jle>Vj`O
zdDY<I!K(yeQ^cmdv@+Fy=rf-=)Ss%nRBMYYtZAOXf0#PvQ3>AgCCq(X_35ZnmA0jt
z#VG+)0+s+{<n<Y&`r2nG3JjVhE{fiAl4Vew@kx1u@O@#{31B9K*ABeW>9=mYl7DQN
zd^$Yelg*Xqdy;x7WqUIGu<TflAZ!I0K`7u)Jwz(S4>)3>K>fhL;lY9WKqzLn)>*2n
z%{~iKul$xO;LYNQH~H(Ddk^<EoBU022fM)HuW#zK`pk5J5gh;mtIs^M8i+fpfjLL$
z@I1pN!3m!d+!mQX9C855DlI(^net-!oK&Kp4L_^5gksXFzW?4=U6r^baqN}%zW){1
zv|ZBrGNJlEAH{$FS@^@#_>Zqy0QCDH)-0{^n6jF;>LQ+jw?sg^LXHjd9;#IJoMNct
zO);_)hQ&DuxsLJ#PV$H=+~?WsuI84&Xdu&n!SrBDb4xth<IP03cSOf?{&+mo8S0%g
zx<WH9YqV*2Q_$=4HCSie?)qRyDA;S#8M?FKt|)@3obS8<Ug0RqHQ8wI75l)+7NN`=
z+CQY<H()Osuoqd(jfTp6;uLV8EKZY9Crn?d*J^9S#(OWhQm@n1hHCE>p8r5}Pm811
z{@a30eg_<bM-V@JLHsUc+0OycQ|dKF%f^eQ_J06JQheCw<rNff;2CCeE+=sc@()uT
zd~{`##2IPIeB|7#Bhxb@jp^f4MKszFsBgOe)X5p)`63dWE1boa=4Z<OjPVuqZBR);
z+O1*Qtzo`fDT?c4yH(BLB;gw1`ntReDT2uuk(!0hb{c}~mBQ1OCcn3KV($3y*=~DZ
z+-#|`R8-Z}xee(tqtjGXUC~fy)T5WfD<L61b8T~2tG!ed>K%u!x77+FZ5suz&u^5g
zi6={2Wcv8<wKu)<gKX~7o}lkmVL$u;G-OxvYb6Usr6DzwOG1L0z$5`wG|7<#@@G)K
zGwlq?yI7LDDfD?A)(S(F!&g~jt`g>t-%w?$GRzojE)vB=%lupC3pU}l{_Fd<Y~}kF
zG$jsToDt0)*&-;@4b)K(tz&kKKGxH^RibsW2@M((uA!Q#JXX!92#dpGLX7?qZD$*R
zn~FZISD1d)g27U)tFcwjzUm^aPABRNF2l^&9DeJB3iJzk{$KoE9#5D5UkbJd8rpJM
ztAEt{*kj%?pEa9nYj{9jGvT+GPf@SO^USBz@5ZwfY41u|iZ(Dq?A4HM`uLN_kK>r`
zBaakpPdz2e>%TC0om8ItGdx$1GX>J(o#(mm0Dw!7PDOQO2|FzL78=XDj-L^pr!}J9
z)U@Z<2E=Oi99|oU^n{1m--uiRyYNP^y5~jDm3)0FovG``{R`k3kaiVpZ?j0d`Q!Hp
z@4rX5Z5Qv`Zd}U?KSIaYO2mFhhfHA%Pod936muKWd`X_4q$a6d7RvfRNDtO4r!!P-
zjTg+WWmG~@Yw9=2Yxh%z9%V8%fq&Y-2b$P5VQA(~b`AC1j<Fe#$AR~cCGRx)I$%~*
zhnM=tBBF(RkQ67W-h)@lHtJ`eP<N~WyrbYkCnbq89i6gtaJ<J>q@m+Thr_0&%u$y7
z1~ok>b-=3Bn-O~*(OKKv+Yb9X#v<NktL`eDBkxX*wmAK{@knb%_YsTVYz{ZX^6i2@
zna{MELzaf{<G0S3EWGEe*);X;ch8!vp^@F)RFvO8b*o@A)(dqe<MO7(B`VHus4x7g
z&Hy?vVV%Fm)+Ed64f<>==*`Gu?q&J78?C;q&C<@T07l3QRhExCef;6$P*_2PR|#)q
zdMbNf9?yRY&$E{0<El?8j-ru#SMzbnmlezrs+&dL-46;8_Li{S5%FiHJ3PnRyF-EF
zpQzATQ{!!~dtGx%|7-yUF_&$R;kiXUEYGvAHl87;r}cTb)5mVV;`U?mJTX`PytQR*
z4W4(dJY03QD)*MpxXD2*S+kVAq$FiG%)=G$J^NuciW$QL4-}0A)&be1<R|WBV{xdt
zDrLL7G!K`13ySwS&%@<hhIYH0^+PERq*I-Kr(hXP&*pu;{A_x(_ks(0!3f^p5baN;
z2VxB?vr~)*kes*<V}ZXC7S#G2Too%Sui<A#D5o9#5Ic^a(jo3j9XW^wDeDh5WZ8%+
z%+znV17q_0F{X~pp+gyA_PFqT@u+@IY!X8Qo=7kHiZr(M(H3=Ns&FNbI=YRpk@4(c
zj-B$6Odp?-F*7rA!386wLm>LJgCD;ax=lb`p|Uy?#W*32hUY#JPPpDnmY6Kl<?~7#
zX54-%vn_z4-~OIy{bxT@GnVzYShMa;*|x1ik?`O)qt7>PcA%}&P>;nt<_!9W4vY-#
z9}aLF!KQi|<8*_Iug|$vaikWhmt<IRLd80F2<6<OPq4DSYNwJQ=dI+5g9$+kT%2=D
zegT$pYZrc#p6!lS?mT{cmp;}roy;uuHZ}DwX0x50+4kOEqc^|M{srOrM_Xq)8bjzC
z(~rI}dsk+tq{hq&o(+$afX{(DvgxG}OMxwQPLf-m*@4ulj;Gbq8K?#(PlyYWUChtL
z5G4e2DM24X1(UM;+O1RK@ta<s?DXfRlaGC*zrQt?`^ZP0Y#8fI^@i&qwS_k~MZyVL
zKlmoqqyc4+uI?9*(<s~dR0~{!X9<q6h->X)1!Qbmb3&epl!B?sSM{u_G*?x=%B0kY
z$+(fG>A+6}J}Tr9L#c0qdS_>oZ33zBMn06VK#3p@y!x>bE99ecloQPlQnL(PI!{7T
z2PPI-*?J-AXfoQWEj5m~&s^IWb9vgl$0sL`f8-+-zUkJTdwkuSzg$(ZO<Um_xOAy^
zK4bR!3SSdD@)b)<y~}&O>091-^o|`7$)0&TPFh5@6s*wen=~)5^^tU(;yra<dxrc~
zJlCI}M<eM^y9?*>NXCN>&zFU3&u$+K$3|D$TP7Q`wv4A^qUOoZS55W$I<2YDk})v6
ze`xr?P$1x#G+TQIH%*MX%~L)fttI8FzKQ8#&1`M^FpH<eC!sgNeFb0W53sPTe!MWr
z=Ev&CL!W|YQm8@x8fD*?=isW8D;*pM<^C^naGid?6S=o9b6^Jex%;>{+T?aMHMuAc
zm%pBURN|!=^H<l}HBYlSP;Rt{9xA^R{|$RA0G&(8!7a07iaDGKs}WPU0?&scu21Kx
z-SDcC1;cp-^&F+1tm|zVMIcBSxRuCFB}vuKOdGwWsoGeh6UInDFrjt-QC&@~S8$~-
zxFF38ooM^iU7HnQA>20ds?j?xBtgbxg~;tPFXAB5K01#^LD{N2GJgi%6S-}NtU=Md
zc#f?iL1?>3=L_Jk2-&2uPapp%lW2Uv9~HthSTZP-VLtT~leM5Lc+`cTqhfcZ(8Fy2
z3|wIQ<iGho5#WENxq$xutc_rECsgU9E`>C?V#`{#r+Gw-Y;3+$0x#XN)*_4arC8Vh
z)_up~`7CU4ru#vJ2;?=v{2)&@$X``0ZOUI&t?m7|KV$><LWu+HW)e?%f#Hh#Nc;kP
zB!DxUhH7Lnn+CoUoQoj7JH56n{1WtiuH031H>!wTpLI=CAm^?^pP}5<*!1zoj^AZG
zq?5Ed+XG~tV$DdWi=wZO9n|z9xvNBO2DU_`SXN>Cl;*B-lG`|UmA1?KZn@?7Lk|th
zYSeJgp+h~wM|NL$;qJ?ev^(I2_${+#h5uqWF=C7+=nCcepc`R>dz1wXPe7G0){mZv
znv#4_#r7x1vFxwWYd`s+t2foyYjjohh9=ukugzt$Rn%77-8Bb<=hwnB(dbP0=)$Io
zibJ9<5-5Cv)(eYvm-tp_PA%u$y~RpPv5ig5mk<^BLBrl^m{JcE{zNu5?uk0m!aG3&
zwW?lQre&+q@iSOO#MPyRkvqZA($Er7-7vB=5V@xgu1s`>a*ZPhMci=1@h{~oe!S~-
zy<hqgdu|PEIO=QMyguhs?OH7D;o_W6#2wC?^XZgwKB<c^&-t`sOfvU%;ys;)AXpHu
zl=B&drJaOa^0IX!t6B<P<zyeQl=FG+7y!%idU+dj@Si+?7~s%O7(3+b-#8HP9<qHX
z2EcJMt9kRfb!Os_>7r^pT|$$jc{5dyipMu$k<K8URaUvVA;w(+Jb8rLIc9(cau#&q
zwF$5NcqQ#<9IsRK1EDpI*J->?0X~bmMo2ah<owRRH68$0gZT1_nhL!&-0-)@1jJUu
z1MfwxIjtcTdg+0IYQi$%nbY9&;7k8UIh;%dD<&j0#K4KBlf@KXp+*^w?goKSWI>KI
ze3%VZ&;-D%DaO#U{*0_tF+$}|l0avK0Lx0+t;7p>#x}1NL3$!d@@DK;2TFD**_tmB
zXs8n&)P=@E=ZiHsVtHTf1OHgzcAqES;BASxD&NP~0dhzTVQyYklB<)D$XoTEQPQIb
z&4kDs{im>ZNs`n2B%PNdoO{TNBT<yq@^Ht=nd4>N`^)yQZCUETzaN-qGLnrg3Lo2P
z#L}XuZ^uVKXMT&%UWR~8`IHfD5oAAe1MnPvdNv$i)^Q#`z1VGd;9a^%%Z846B4c@c
z&;QN2mPI7WFqYM`G$oEF^6p<jxB)$qy1|H%=kOiFdbw4<d6~>mHHI_f=Y>3_RpKd?
zM0+IGjnCi*d3A_+z)-W{Iv3-@q*HMJ2=m#ntlE<J3%PBIBQO*tWD%I#b`^zS<_iUi
zs$#s*<1fW{V`@CPOpBN7OLZHm6Obq{N>Q39kJ7Bqv7{NvQift+2Cz%g@Tt}WzK(ZI
z>$FU1W<?qSRo=j#6u}Yu<p>TY`l2x$OnRdrj=WCfw>r0HNZMDJcX_TQ(FSrYRV|cq
zEiH1$=Qvztk_sx^#`x(B_A$j%>eqLEm6Q?{xoVyz&+XyfQaSfp_8pQmhDAkoY>pxk
z%$)+yDeatR7APuloScVG!8eQG1UU|=rsy)o2w=0V%aJR~bSP#qJhzhbM4sKixg$9T
zz#X-vHgs`n<@a^5;TCs%Y^AMrys^s~bM(zj_jt3m7DwJ&`@sFx$-(6g_-;b19U=K{
zT;@4zqaK_OG2pcUiZwt}S(N3x<XBZPRXoaKClulel%@!CNm5++b|RKe?p8;xB=ykt
z*-u<OPs*mjUNe8iKRu3avA>B-hQpJQ-xO?*7mvk`u6Yu{ON*qAMcNW-NJDi4lT)3H
zdW6W>cxWlfu|&ZPO1K~u(aOe!_Oj(^ou7TveDgbsMtIMO*FXMvzC!qjGRnnX3==pr
zVSRrGoSiGDQys0Uwc_y@f(b)#Vvtm?fuboC?_Hne$#XiX(k~5}azteQNGcD-tf38N
z6@^}6mN&Qd8C|tHgU!(KvU_ho*=cYXbk)}CmTTU0fW-L$d)j78ISvS#=l57sR{X!`
zk8fpS9rMX!&)6^@$=(3pV5?llpHx(n{VL~iP%Sg6(?(-OWLw%P<*^3ZG4J185^tEr
z$Vy`l%=1pZ9kMf+4Gwunf3tiXvLCh2VGStuelcE=uSdBm$Qv6+ocH}Q)hrO3T+pE6
zpEQ*+M*7#KugFO&Y9b3ifGrm+dnxHF|EyU6f+jeE<PbWNcK((`mUXFxe}}x5!iQ7+
zF{`jk^d%BLahG7F+{(W))kU0gC3}L&j*euoCy8oL@|r=a#xz~>+W2X0{IoXbPN{?v
z16)xWHUbnx>}5$Y7IJQ@d8Re0_A2Gbe6MUivNp@JX2iad!E!&(+V3>KC%+HIOEkxF
z6q(P0aukW?cuphwrHDT#zoUStpk%*)lU)~(uH(Mu2<-Z=vg^LU?+==OL3|fznEOT&
z0=#e1_y59t(iF?q>$6meR)(|h!!Llpxeo<>AtWCP9Nj9M>a$DmZsuDN5jXyw@GI<%
zRzzF3%J`RTTh*(r?v2xkEg}Jjah^`>Y9ep4V!cd*=)^l7_a$8d=gw)TOTJz7TP5)X
zElEnVq=Fu-<h7h;iF(nj!)#?{p)cfa8HqX5O*Vh;Qb(jU;4s*2{eg~=Se-50=4tAT
z*@Asr+w;S@`0$*?pESau-JYJv#f(&U&mL{@nkuw9%Dyz#i4~PqCZnOj)@X6Gc8w-G
zwhc7xogM2K^_!OmeXT(tQiop7zeC@)*Pv<YFtVdIYi^ctA=#@N@rg6w9|F$rkbXUd
zcU??(q?t<@iNFu}8(5wy-UskL0RKxZq(0Bzp{Nr1S*adgm4wv=T-l7UzzD-0Dj&26
z2xyx@$VlvK)}mc6Px3=W6my8F@06Hft)val<-c4xMUCR<p&jit8mp_V=2NNVctTfE
zsTEtYs5J`6jj5%0Qm4~v#b)tfpeOBir+Wg*Yd9PTgu@2}(TM6RW|ycr{G}s@n&(D(
zeW$v60IGKvG)JDg=%5S|JoaRNEZ(2A<24?`>vVIb8UJOPzdSSq+SO`2*c(T2t|S9}
zZ(MVWjA<!XLCwWisZL_iQXV`^Mmpk_f{AllL$~BXq9F*Swr5X+r3`7>nBa6P@4~p6
zyG|N_@=l-@x5T?1hWvi%Q*v^1BuarL_`xU(m>T7x_!=r{(>v^OP^uO+(&fgv7HGo^
z2#xC(ZS#3A3Ou8ru_N6V9i4Z^vyHy_WMk5FNkdmO(C79>7Zb6AJ59z!m(%Nyr5kgu
z^g_TB8Zvs@Mq^F+OvD_WLXa)(o*NA0GjU5|J`moX9XOV?HdgGd4!HwSQRirJyYo?Z
zxVg|`Yltjm9BsblF7VSh_Vc$v#|H4voQzpXL)wUjKLw92A)^w=;LH?3CS<;`nODZp
z5Sd4s=%5aoKWi>nUA=&Q95GLQy(i|7UX34m_q*TwzIVO*LpxnPyT?X%bvYbeyGF-$
z_qebxX28?FD4xWVl(Y6~E#Wfh`zg$VMns9+lzAh2a!EC-fojI{eP}tLV9&ha>eg}J
zwwLb}-aS?AYB>9!d-1#=p7(X&z>mEw-Chd7s~C_(3`mK17d?;cBJLsOCn<Tk?QCuU
zY>R@Sda1rIBZvWk>h_OZIvYn?biaEjy=SC(ro$T<TyAmoIPM)Cx@`AiINO`_4z*-G
z*{O7L`^sJf4-bM^1s0R~H;k`E%>`5?-Uj%f2=r-a-+qZh)WH_zk$Mt=PWEXGpHn?w
zB4If`%~meQmaudJN;>ARHeJ-z>78lq7;Z>S<y!`0=Js^7-`ktm)7?Cm_w{yk&xZOp
z8#|&i-b6OzihJso>l&l>cqZ658BW_%gYo>7Radt-m>z3!VQwO_DK)}Ru+}w@5=tye
zGTv0|t2_G)@F8cJl9otTsg{1Qnd$FJyeDI!8X9pu=z$~;MSp`is%i@7Z6qt@Y3hYk
z;U|B2?c!qL7x!yLozZQ2&nDq@g_~C1bM`jRoX6ElX;=*RU%~jA)Eroe?`$+W9<n8l
zjd?MdSBr5G3*iA;%47nCL&_Cnog>=<*K$#w(y!+)4&}U4t@-hxoImO9v<S<;s<p;k
ziRpYGGO*d03(YhphI+aO%$AVQbKssDgA?USJGOLr8D7)a*WU%rG{F<C>>|nKywS+d
z(6|tDB5y`%#FdUes8U(+^n=Th-+!I#0KXF~Ez5(E<oM3Eo+a;qxzp>*#a*IjHk24|
zYYgP4Q}ND@*2ccZ>Oo^<?!@ArS1rerz6o2SvvcQ2DDG^VX>Xm+`*sZUc6SBiTjwyU
zG#27pSOb%qrzBb48_fi98;KL}q9D~MDozESK?63ER{wsTJu%c=_?qycuJO28xAoQ=
zuN^utG5+#bzIhMH8j70`Ka7DJj^a#}w7sNE^o^c(8k&$rTI~Tm8Cm<-eKmL;U_!-*
z&w1`XowDG0Y$QtZC3x+GXRTNo;}p4;I0wq1%efUk5ov3*N15JZ7lf9D?w}=*a741+
z>|_E-R_;0{iW$Xy4gRjhN_S&hCem&VHP<%xIul(1Uu?|iZXSyH+TsDD&OMcl4Wyl}
z%wWu!iuesWqd(prhzz#4h2!qLFWH$%I>U{Q!Z+G8?uge}YwwG+c4NPi{`ocFhkAu5
zbQK}}8>i(J+eo!h(Tx);*vRNAf>|R+1H6;s#i(!%y5gdc=Z>K66nED`>*KawF-Csp
z>33BRH^;hiw(e!`K!Z$JbD_i-BdkO-=q@q7OPC17mgfd~y1NSxs+1LzD9am}yBb8d
zHI9K{y^G~vO05m~S4coQV<Ec-0^mGR3MHIJCUzEmrpiZW!e=)75>ENm8xDKDk%%fM
z8+-N)5AW)7xw>`@5AW$|d@vdeM(Jn$JnWEX3f-P(9$bc#G$&cXXFxm?y@MI&A{r&z
zn|ucxcABDU?9<X2Y9Z__j4~;&Qp+musWWq@>poLSQ<L8)a}tMqp~8PB^P_vZ-34nf
zA~YoOqkH>c7>V#7APx>XtAnks=q2aX0=R@DEuc6@gexXwF|5-}oE=NOf$J{1=(+$5
z23Oo$U+;~(TnW-r62{EdlMDBK-~;z9oZOn(>+0S$GP06)I`b<dBfGjuZgHMu15c__
zM_0y^q~Stm;5>=WF?|Z(CAy~^WTun6`vfT@qK2s>uVVLxcS86w=Kg=JkEDk$o{qJ5
zL<ZbLnSH~V>8vN*zoi-a$ZbXXNNankJ_4JOa%7;7h?Tk#W-HQo{|H=E>PF3EQ_|;<
znfQE+ecp?|e}?%~>c**59pmSu-~C<q`F%QDd@xh^58>^dW6^c|9AnAh+5g3!J!zz|
zQQyb^V1G}+(AE~wnIB5MQgiqvQX1E#0*WoB?td~1RN7;kBh<uBub1rq5-RK%GW$|)
zcgklT%z2|xw*N~g@yb(!E5rd-22Wl2!P5P&?w3Z$E@l6pXC7Q*rd>lGLvBsdDR7Mx
zYo`5AenQIl=P=@Q{GF^1$TMUdfFxBj$*4}8mt)$0$?Uu>=4Vh@Ihc0SJDs*6m?_z3
z;*dX7_^CbXRoH>u*5;M@0q4_m7-^B6BIz@=iri84L|Nk^U8a~HP%VLVIt!iD)U+;k
z`~BUEt!)eRy3p2<&vzha(HNV(a%TFf*;s7$s_B_4XJb3BI&k1B`T-qtJ7s7CJ7wb$
z{Y`eth0|5;hJsJEQ)V~d3+nU!K6c8*GqG%26n09A_(F##(6iX;?s2?nG`DlpM6jhN
z=^bq8@U%~)qEpkG(yE>Ee(;4k_;Ds=y-6Al#&?DiV?jQ21og#Clllz~iXnaRT&4+A
zlwQ;{@wA4mFiv(b<D@GCL0i9U_Qve-mVjp}oOYy#;`uq7PVY(N18L||7%SN)YafSw
zGQ{kYF?m*!eZpo10g8X5HW!;C=Qc%9xcMcRB6IIq5biD<+xecteV$p5J15y9?+0HU
zf==Hjk3_OX*5Ow*Kgjf;<9GZJ#ox#D*pUxUH6}*;dWOsmAz}F7J8Np3?Q<RZrEWUD
z0v?N=@WQi9K8$0<!S8{?Z(-afj9k*EC0U7a%gHv?Fx*I0cbrpIpWAxJt6n~QaB||N
zoA2IB&yjR>$QjDT6yYa&Kb|uO-86{=5$Q=G(oI7eh9PRILI)I!mC_I}L`o^rdze>d
zV^vf-O+uWb^5=o!#;Vb5vZuq91>rcefnZm{rS)u%tQ-t>&Llfm27<47p(%M_%V^)w
zP~l^Zo<*z8k>4>Kid}xVb+OBzUOF-Jq0<~!bVmJ$7;~j=J6N!+R}2;F6_O5z8Awwq
z)+@*la~{1yc!Jo+*~joOI{%H_YVrS`e>9I=I38|ok9L87>>SQa!JpMRPkxS9oQHp4
zJ)KxT@DHr#PDV#=(9JK!A>d|L71t{m{p0i9>~mGNk5|id_C;L(*V5TNI!9uNs}SSy
z2Ho7Y+Zmlrp1S$&ee_(^CBPby{xZqN5ym)wz}9R()=c)H-BYToO0sDq@1*RF*+@1~
z1+g++RU=EKgC|ZLT<=LsZM$*n@(s($`#<o(2X?yq_D_uO>vp-i_l-~N?;|EA%PHzl
zp;&AZ32i(&(ooC&Y2;NgoZFxFF-B<5sB-Ea_{kK1T3KZpDZPjJ(|G1EtKtqOKs`t(
z&k*8*^kits=k%w&{!Z>qgOnm~T4-RIq}1J`Cm-9?(Vt*4DmR^J-n(~Siz=f?ccr>x
z%DGxeMs17>8byh~!pPS9(&AY8^ZC+PUrX6p^3r{2U2}>rE!XNwdh3_#J#j~}Sr7u`
zO@qKnbk4z>wlticfU`>WrM-d4DkU}}9hKN<c09{R6<)=DG(D{ZR=kS&(RAg0G!zZs
z=bg*_Xb&t1cNAW>^8umqE)rg>hYq(1-T(=poHII)|GwOh_J8L?8z1N&sV5)W!Mh>I
zvYYbxt-U13L`jZOJ*y&L$9eYk-_eI=-Oz_N*Tj5iozqG3p?L<JRYS(u=IghTJ45nx
ztc)~8UD-_??F-$$9U}w%15L3#TP3;jEz~k9x4AZ=j2HEx*%Cu7<U{KokC}Dbxm=z+
z^_si)t3I^5V25-dDy7&W=c&ki8mBmAA6h?l826zW@Y>IOXkL7-`p`0rKaqWsV?08M
z7@o_ArUbS&cA@!`B`!2yz3f8Em3q+pQSL$W=h8uV(B?W~gXBRQin%he06b{HWUh&M
z&`#zCQ=QF8SJdk)Jl&r0#QkoQV>AW_8lx-jL%RohN?PT}lAfZj#>PH0SzURlKC~jm
z#U%dLJK(AsZjE(yxO%sG2P|DaPe;rpHqM2%9D!$6a-gjUlcD(DEkrzp4=WC|rr6<&
z+7`Qg(M{Jb?Ynt<0yH&<*!I^ow_zR|_PwoyBMfeC*$%FJ9Ti0iB$LK;Q&XCLNH(!P
zy|_ocdJjpvW^NM$-2;J?7(37_MVY2tZ8@RZo5=(cnavLmT85&Lra)|<YvwYb7xJ2o
ztEBhu)eL^Fp1@lX%Y7Bb5Y=66N3U|-)xsg%2pxja|Cjgx>WgchL;uSPWT<##y;9Q3
z*eH!uL?0vV)W))Ut-ff^*VJoQb@fqc=HC*w9y?a}(2o=Z(7oq1&mpg?<le<uGE|_S
zItV+^Da_)~7Tx;-ZT)<`u1C7}$BqeG3m-Zrn$n?QIvorFyRvR_oA^P<;smr}Nr9AV
zqGIek>4qO(q|zv1c_z^TU76U`If|$D_KG@hBxp}X{q6Rl;I8i2NJ}H?7x*o@b}VuL
z!}?aZuRWEBJHly?vp3piOAaIg+2&+(M?l2@=d;7YoxlNkE|f7gk>1`!eav}rd9oaN
zF1H6`tdVJJKo`r}QR`Ew3RsMxA1+(~0`xa%4_DN)vBrGu_Ti?T88*OV@-xd@qya^G
zG17!Rl<_(+Qqf(6L`3X`*Jz#uEmVNg>5Myg9J+g1TBsTHMRwf@twVUtC$GBdlSF&C
zR=5M#Ms+vfIz4{>8(tCX7jDozBYqTgPSxDep$bsy5ypBgP=bR^BJO{P#!q^Z32kL#
zEF#>{lY8ZG*4dL5g5CfQZwZ=F;bzUVIA_N1L#H*V1|IH%O_HlD+9mtgP291tH<}P`
zR_=itvb})u2=BmnqPiO~5<PxnoESguFMJ61kLqq>@S9}#+69_tHE%_aY{1Wck6*iX
zf$$;CTd`v}j6VA}`b<N;EBn!Zn`+__&a{9L&N^c`G_iI(eDlrC$B*~lxqN5jp10v6
zT%X7F&nwqM-;l2F!~r4Oq0F&knb-7(-*!*r&SiXrapL~M?YKUw`v(B@`28S*<37UO
z41P0%-%N1aKdJeu;1rPM%<xYpJI6mAg-rhUSC^M@Pw5)i7q64P^G)PjHf`{ope-rf
z^3Az9T*mJGP4V~Vx=wt$__~UR&UIbIYl^R{I;vbpPaqwwwN0=Eb5%$GfWn*fWSY}A
zg>Na>70-#r_hEiNHZL|l%<EQ$qe0DY(F6UByx+NWW-6|Ewcr(A3n@(NRfBo4^;(xB
z@@`iqXt4w{E?1_>Vrj~}+7fE<dRm*T)}~gEw<QD_j&T{+t{0wLd#ns^4n*LL!n3a)
zALn>8ih1EV_<^<X&`F$0N()6K=~Hwo3J~!xiTQ~M0191ePT>n{PlFTFKBD@@d>w5p
zc7(Ke#E!6=PX72vp!L$rFVAK#zx>kHz>yz6H#nI0#9amhg3|fHK{n2L^u2e9-^ZP3
z&WM1pIXfs2$C|l-sW`qeI6gi&)t$?AKXl~TSHJq%BY^|ozT%2+AE0@r);4MWpnM;u
zApbt?#10n8f-QHPeRm3Xc}V(ZfZd0_zjN&(!6!ZmOUHq^P&PTug`Y*D?0+zQ3R&Z4
z=aZLTewTLl;Mt}@ToqlrNb@u0d-A&T62H>-SdEjcIePi!Pu?{set+;U@4@#1((^ju
z={`fc6XL1#ya3(>**jP^uw}?amoBntc#2C=b^r$;qk%h1s0b48PX~+v`dpydSEto#
ztE@qnD`>64+d5x!AnypfDgvQUpu!b)+*KRM#Tzrpl+)B`GfkLmZj&pO%rwSxf!e`P
zCbhXW-(Ib&&gNP-r!pbFUYNHK#=QCX)p=9xBVJE2hIer`ej{FE&>exp9FotmAhf7V
zL8L#}X%OxQCQo(N#(eV}5Q-KLH1BUIpG=GYE<VUy7K3ch^Fhi}a+%z0N{uF`JS9eN
z#<l&zsQ53ScST>4=$&WIkxWDRU*k_V{q&vM!+*JlXk=xrQu99XzwsTSQKAsqm!J#t
z%KV?T&;11v2#pQ*oqv)0qRjf*&o=!`y02JtU%hl^9lNsyccwl+EA#X7LbLE#Vd(6)
zg)bFyG?rH3M&TdCFTjSd%KKH)f-rs(LBy;(vkqeM`q&$@J%=rq8wL$WEk}B?v%-y$
zgPA_pRad$CG6y5u>3(f%9}ynH{S2zNPSX8wKVE7A4TIS63ObC5AGii6t%nZdIV}2|
z1L{_%EoOOKf7f05y_I*}Rk<hzD);K|zaM{{{bBJlZ0eXL3yzK1(Mfk<zu2uDbUz2X
zpK?!jU)-_!t#7U7_m<v~?vhx082JMKgxxa1b}`XnJ=;sDU4wZs*-VLxJURkbfD+}V
zpb(U-e5a(N%SR|dkkDr;kxD@c0JnrYM|=)Ph<-Z{<_`wOTwS41B;GgP7tcg}HYCmE
zw)*mpPG88M=$q<Gq+>>tvw1|==85<k&Bi9TC+2gTO-+T#c(l*e7;riR9$#vpB{5<T
zw)r}u_NZgp+UT)6{9b>0Fw;EXsE@g@IiU(;esQePA7D3XF{_BY>Jrtewu<WBL1c(1
zNRk_9WG1|F^_l#h@mO?pS4VnL{QlV{A>7!t+}*#FbritT@eI&7=$B|*4;@gZa!3R$
zwGPWpeh8{;L{v}zR_1qd+9&#le1m>2{1*CoRCgWjr`KI4@LXBMjI;shzERyt20uyX
zIr#PBI~bf_e^NkL5^!8EzO3l_>)81Zk<|ma7w`bMqT+cEl71TG$7Yb+10h0`8pKdz
zOo!&jMn&WoR!~rlv7%0>j3~NLo*-7LS%0XudS9i%X|2s?!aa>c(L-ISshrmxO@(c`
zw5(fyW&g+p=0H=-nS|r3w>9HP_C;cS?Md)ZRlA0a!6xvD4`C1_FA;$PmWd`=GL#u|
zMSN)B>@7eKK8fP@&y;Jao(k7HC{~>{-*Neq;_ATJP5j!OYfs_6C#Czs0}Zewu}EHR
zzdSEKboN%6Z$E|m%Gb(#8|z7DULd2k=Lf~(?8YLKiN~01Gr$@+13x&wvpRP2OcFit
zvsRSh=U|mVv$hxpx>Il-KK!+o7D-w{_R)Anl9|Fl(S7AnaJkFR>2QA+uc5^5%cN+~
zO!ti*J}fv_abGS?rTYTEf}P3m_4u_g$qoGC^9KhDZ({fr>`ZR+YgPPOWc=dVD+UW&
z=vt;5;Cg=T2Kc>8c(Cv$8Nbj6lxyXg72)@;LE#FzE!Mte?f1wEr(V`E<kBh;Ej4g@
zh6=$#0VHZB7Yk2Zi-V@gK5R##aW`|n#PJ!F5ol<#`$Y|`mZn;CDoUiv;q2@{m`M;$
zj9jyl%dK29GID}mPmFXOoJuCA4t8}NoK7aE501pg+r9qWSR~Wu%vi#XY)^NqH))M|
z25VZjUq3&8-L_0-+jaBv*Kcp>NX%R`ICx|_9-lrkIC#-aV!1Ip-JG6mYix41H(16x
zddBSLE{C5ewFD1&Ohnn&#h9RDn7qU&sa=#DcLqt@0^C}~*m-db#H6CSCNU-0By|K$
zNndR4Q*Q|Nrd;k+Pq3>wnMx;`Uwq2@h09F7mS8B`WIpn~rf2}kfI5u_$*1>;Pq8)6
zAscNw_;?PYG>M-a7S)PH1<k?dpTu82{Dq0b>z##;m}I#?S!9q>67*^0{da1z3`XB<
ze}=xpYp{_m%N4_O5dtc)QGRr#-a%*36+C<|K9TeJauad+)t`^q?XkQ+kfYaJW+~WW
zX-MaSO%AiwY;g*`-rRILJ(Kf#b2I7mbk3V{B)UVPo}|N(><NXs6OP```$A@4)xz-b
zh4rRdsy(R{E)%a4-@_yfRYh#X+@1KL3|=a*V}YN$4jAHf5GiAp=j0Pl(Bm3vVpD@x
z$}L324d9AS=29sh+z0O{$AH(?wBSr1s}f+AnoVPOqq{q%?6B?MBUJBw{jQWt=SuFH
zs@4s659_Lh%YHpM`D>x;(&_0-3tw10`mv84U1dDWF6_scKa8E)tGOOy?!|Z$`02%1
zG#HBpqvZK?2|#!U&eN31!4lkgrs-*TtavUeoy6#s%362gn`t&;`eqC6MfarDY{6W}
ztBNP#9c^`5SDuy!y}1QCA$REU#u~`=Lj7Q_sh}4#@2*`m;ai4tNpsQ>wOZ4z$UxSc
zvqtK}W^04ZlJ*7beW}~m<6?hno7w8CGgaFSiAX$eH@6!a8jQyJDr;>bYzZ~i8`mQW
z^*4a0yMQMPsB^chqeyWN=075i7Gb+rk9S;B(_u_nd>y7qhcVFz3V)@5-a5S2;g!lh
z&{@9}t{^T5L~JlamHVydZk6u!ll#{|SJLT9b@>C?y12n@4zx4}tc|94Qn;*iRz`Lv
zVj%5sHnbQ`9odeKdQ+yA__rH$`~lE0)&34^F4}0eNKeOy#H)~?kI*;qDi7vDBtvD7
zY1Z^gWK9PM=`)JHtE8>sgyUf2nWH#1+s?e`989XR`3_w)x3p#2=UPm}o$IG4bj{Cg
z+T43VTZYkk``T`8k9a#I(iY7j$bDkC+!`LoJIWuWgK`3Dg3&u-%sDnO+PhZlU8=ei
z0$-v!!y!#0<51)Hj24wn&EUKZmY6b7r`b}f%O)9p@E_nHBy*rqj*x?j!B&zxf!V#1
zdB~(zB~qLQ1te{=bS~kYGq1j&cjCl-J2stKX^jocMN)lw(J>O}ob+}~r90eW?R3gD
z>u3(!gQFKsj-1@z+q`&Le{xH(amR^<sKad!x)a{I;Cq_)ymt4I`>z>p-*swk^un>G
zXw(;-A5U!^OSL7wc41@tWTyLq*>wKU>$f2fDe7n#Y8OII&mAFObEhi--=L^zU;B~x
zg7`_u^<~YaB{-Dvb%qWLO4yvoJ5C%NhrlDw8f}Ef2?>w1IS7}8L5|Cr|1B;}0xISY
zf~m;ZJTY|j&fMT-w{4y{z9k*ZPe$YIm7;AV*gA-IS&4R+Xqryhdo0m_)!Vmcu=k2>
z9m$E^+2B~CH@?_m4%=M@dxJgfGBtXm3)e2~y7Q9m)WXq`fqg^4WXKzv?n^8T#@Z66
z4>-~z>9%bH;g)UJ&yMXM@YdD!*&5cI?voAmo@Bc{7z92kuklCX>wqu6=305DsrmtS
z6t$)+E>I%tbX;%cb@WJEHGm4~l~@ZM9j1EoRHKfL5R-(Vv##{&!Yjc&c%|!n&~CF-
zHjw>f^+c5L2(h0Kgo*_p>~PL+t>3)MK5o0(F=ks_so%QSG2yt{88}gY;)%JN<{rd<
zczNQ9Cxp72n4Qyyou$+?LzTJ$=J`|60B@RE?QJccD>o=vCuPT5rP8p7B9K$uAa%4B
zK}6(Ip#Ii!2}FxN8{-F!(ea8ZP3xa9-)J`4(IvqC%tJRnbZz9Js9@~wPHasimkVDK
z4QF3Cbqa$7zgr^31Y_g;jx-mBbjbo$N2ivGr)n00RP#OrIcLKS$fIdv{DJT+*DCuf
zx*nv2rB9`1JN@aF?tx(MLi6%SzNIZYI@8&Ad`2|X`r0F*Va%p47w?HQ2py3?&{KFv
zBtC^Xke}ms!jDA<n6gr@K=MJT<1Z$w((@PaD3mDKWnxBX%k3SHC#Ux3v&)`Ad$WIN
zX?`S}w+~JjLt__?4j-9}#61&M`<|ukyWRFNa$2(<#iAZ~HA1v0`PF4uRb!B{kR<H!
z%zfByQYNL;SQR*W+t862G+4i|zd5~W;q7VB;2SzPI(BF{uygCm2N*7BJwJ};8r1VN
zWlxnzkA>Fgd9Z%4f+V`B?m7e&R+UbAVPD}>_<(^Q)*XUXX3E-@gzZ0i{PACihMm`L
zeJu=NS_69S1B}L%H7I*-aT`PERd^zaPI&~y&sY*xe*EN<qG8{wcTjjoTH_b6#sReg
z-Cw!JlwA+MJ7$RfevK_oe$K4exF}iqPN<n#8!V{)?t@c_<jkS&-X+hVtt~vhZDFz5
zeejFE1IqFz-Q!mK-tAlVSufu5%SK{rgb%Tnt;6PX?kUL`rxK}@wZ|5QZ9{dXc>Pss
z*~fhga+U3+)vvCuepNI)_0-uHzDJ=U{%rI$H(*`Ydz92iNrhMND0V;d(kgKU{(Z_N
zIf3uj!;dZTgY)28PVYk`kTs*Hv$1A4);`z2?Aa8^hN7#s^r*45rMokp7j|IRj<myS
zl5yn3bBt<r)iRnX!%=Z^UUA6-#wK;-&%g?EYNkG}#F;ou!W*waueU9&YCmzq2S0c6
zmTA%O-S0kA_}udg_j23`@57iX)VZH)On4&SI~;@97pp%I4Ta@>^4unIAFt*L8HZ)}
zk(OIs6m^40XjikisHdF3j?7YQvRb2ObEAaIYW9x&qI95^jYTmN=zMnw#V1fxhz=z$
zUBA0Y7hbszmEtQzUF){=_7<I3QK1zLzudq7muFx2qNSz1#d7VpzkMxx^F@viQG<C{
z)Shi+^N@zE&O;?zX&%MWgQC2A%v24BYG$x8TO8SD0d=m;A#E(=L#%A+>bLjmbTyY8
zduOk%q6Ucl-HGJI&7VE{f?zz6I@0_&(U8b`8YRIOHp*L92c&X;+2OKLZXnlGl@>!V
zy@ckjJ)@Dx=$@`l{@U3;HPt^jIcbbe9v&XLa3UNTzi?>y@MLuV{^h0JyO);tbKZ|L
z{HW&-1L54<u(-A|#f5lh58{R-Q5jB@nwU1o0v1(Sda`+;2WOENGK;fUbajJv&9R}D
z=8>fJVWDzI25Ksv-@3L}>;X<FzelO@E2&W`PNbs0pyD&g1CXCj6@5X!;QgeDa_hGa
zni5sCiO7ZADR76~UVNgC-08B<DI+227dwx6RxXjTcky=1NV36KYpZLUKeU68wd2q)
zw~w1|y;8>Gm9Mu%8!L26Rme7_c@Pg3fyX+;bC%D!i`2E1h)or$Jo|#|QDOrKX@c0e
zz~Mq)7O|4Y1W4wwtEDH>o4SMDtv6kN)xtzqXHR}yG}K21o4aQ%U;WHyg!)uGNjgvz
zeDZUm6R~n7=T0g=t72Ilot$%rV=+=ye)4Phfoo&~V20d<&A2E-CHDrf8V$;!P{|#@
z67v5vczLWRw2)398Kl3lHDbp(qE!FRKu_avD4d9g`n+vno2O&Wm<(?6HZ?W+ytU36
zcPQh71IHeB&)7UZkJDqa8=OroO`)DNMu0iF@#}NId3kSyjpjr?V)=Y{ac_i&?-f4u
zHsOJN`wGjr=OX<6;4z?UrO$&D*V^cwp90+y{Z)eM>OghOk|dErK21rs2&wGmZr|~)
zwzjULzRpFXyJz=^5Gj0XabRFkNEE(1vbzTp!Bkie%74eRYvG-d=%b8(6)W1Lm&jxy
z<>QuAM0(!`ubnd5Yjq~8adP#8qT!F3g$(}xqbxh&3lafF<U+}REqh*232k7P!M3LO
zbZLJO8_NoHus&i`S^-s$IiD;Zi&{=dtM-mOb@{Qh-l*4AS*wQk4Wi(*uA)|-zU1Q9
z4(SaQx=KUUfN1!0a!V5b|M|~}rDSp`@#nKI{K?<%_4fP!#Bc^&(RqCXPAn_3ODZFz
zu9vjQRDjA(Bs9BdmM#k5P{c`OHQLB~hWeVA%V}`OI;mHtO@e{vl~hU6!j$1=O`TAC
z@9n4Z)mEdfrlBf(-5qZ~)sM1CI`lq4bGpLe1{^JnHykdUE&TCvThi%F+Af#Y{?nL8
zox1jA^H7Jaj*SOFS%1lO<*@$o{_FAvXRXfYH0ED+|0BY}b>1$YugiN~;iHdm+{J;r
zf5tPb;U$m|A$iJFRH<T~^8~OY*rSw}O^zXciiytISJKJqoIvhQA!v&W!cT>(3u}UI
zOt@&@Sm7?po#(ctRuH4Q&td?2eL(Z;wc9p;hl=6i*Olv|CGhVn@OTOQOA5TB1paXa
zo-BcXPl2}-!?k(^-c<}2f2hFwWcXT~Y-R=Crup?>ej?9HTvOnA`Fh~}r&^-|zxo{T
zYf9h&<@#$&;FAjcdKu2fBjYWmXLtj?OU9*LQNH(b`Fm_!D*RLld`Y?frV{wP0)M3p
zXU~`M8q+hp%Fibs!&;Q_STDTU`((<KR1B5!RMB{vBn~nX_^~Rg=1_wjNxf^~hX*BA
zgZq+mmh>bpqaxDh#F1G<y^|abAvhdNkVjz7lozB`JQ2eEnZ7zlW330ihpXX(u=pKD
zm)U9dm^=PQaZY@vIb)9nT~((}k@ZnwZS>dKY^FX_gYf?(Zw1&X^~V(7gFRIVed@S8
zH^~lA=cZQrCwEB|E8b6;ar_-WZ$WVv?wsZEh$_jCL0S)wI*`wTM;)j(8rQ_ooG=I9
zWi>V-FHW3AqF6{T=wipUmT=)Gf=PJeH$VRI9~K_CZ$R*E`hT%ah0jRF@yU~*SvG#Q
zM}N)sXh`@X+oOD5w1+r6NpOr9+3_M2UPuLsh#!$>TxJTXo-wLL%**e%u>Q2FDXbrH
z6^c0Va|aZE!KZA6sUHxnD%bL${gJ*2gBKwNrgJKXDAsqUM0^eYv5RMC&*`l>dh}H(
zov>rQ%ceaM3I_@|CzA`^Ej&kHp8QUjJ1O#deL{%*<xj{FXj^lTF9+}^7<{V$|22cd
z$HQ>Q;UOVIIFx)pv@bb4S^_7&!r^@-@NX*cb_q_prk?SkC)soRgeG?XrL{Quad16{
zw+TVwLzGus0#5)=<EORr;`+*pyLm1I_W#G(xIf448xU&veb>Q5#c;--`SsBfIL(K{
z`%2)%pE<mv1WvTY;mHy>@evMhDS;DSIJ{kkgYUqfq`=z*BcDHwpYdUSeO|gA=?lWY
zh$KfiJTBh{@IN#D%;8r{@Fs=_;@cd4P0{tgLUxG^zqSbeaV_y@e*N__oQ;#{fZ*WI
z1SkGT<AwgQv=+s<4DeklJ=@BB8me3-or`lv;(xq`Lp?Yo*{$G<@Q?A3Ry95)Zyo2C
zRH#znjg&JX`O88QgJemM!X@c`lfBXOKir9?GY4FC9<#wx1;)tOVZdD_F%Qw)*wkRR
zR#k!_vOU9ab(u2vo29vv|MLY#W1nX<hO;)x-gtr05{E}i;6wu)-ckZ58sPAD1@1r%
zJlc~SzD4L(_T&p}&v1C3ay`Z)676w#vIzcrMjIR+CpgxI`VyzaHzAvAMdo#7Yoppx
zXAp0d>jKm2z!C%gDU~9Dcc)>EDPF!7^73UEcT?k0c87FiLXEJh@2JJrdcR+-%ODPP
zIsGPkWlfdUS!Xzh7f=*yDl^0SiY=nnVySO5j@Ma=e1gO?z#D4WdVGPcQ&ebGcno}n
zz!!(N39S;3agq;FfoA~!9%P#b_qiCfY=MMOq=V$pQ{|y_{0sUw&*Tx2VnSLaRZynT
zB-vLKai@eo3qGR`Qxr#Oz~3gkQbe9I7w9w|0+guDk1iebgN#{TRTm{5L!MbUAg897
z7xJsZD{>VJ_^+pM!;gL>ykc?^(}eu{EndFN=<|zg-T}?6Y~GY)9V>!|IDGBD0Z%hL
z@#~`!{40P@Gy381xCH+R;8|1@jp{hOLxNM>#lz^3!;>727@bD*b&=?t!`r3n`E!ZK
za(JI~{Q$22G2?X{o|oX$YjMq2*!pmIo90%=Yf@`b4f%f@s^`Cqo{M>n8TTidO*$7@
z9S&K)g4IhFzvNeWbGpCQ<}&zJCp`5AtHduH(SWO(l&5%)%qbYoe}lQlMcU(hY%S85
z$+!CrhTEsuT117sM1u|yzF1sOeHQfkEkXyEUyy&r@HU}Ck$=VT1mGn9HsiVPV{7^}
zyH7}SJHJ1{QDrcy<M4iA=h{_FjylNSs=&7hmHfH59(I%r*IljoFU>F5_3@JH+k{Fs
z9xeF)``B93{bTwhJ(ux+{yF4z$@dcY-k)G2Li1vAi&|AKl<g$dok>~jdaRY4LrIm$
z;Adx2p%$x0;eL9hDwC8!NAVNVIq75ubSoP&cd>thId|fs)z`*9`h&uUUq0L;SiV0!
zvhT#ccS$@RJ>AKk`&W)XVP3|cILT<1!`o#z)(3uO<@z>ZUY5_4lmqyerTb)+`xL_i
zLJ^$ta(;bZ37q6PhsS03nuGkp3Ve%z^a+W_Y1laV_3g^_@sjIR9yebCPk_g9J@9v8
zl8v7NK(K3tW;TA36~*vSF`Usgzdl+5r}1-myafIw1>R8tC)vfXPZq<eUaJJ}DTXt=
z@$35(cwB^ETDiVWXlCoe#?N>Ozdo;APxB%@h{LZw2mG26IO#|H`fE$zq#tqk^$MKE
zL;4ZHNk0NU+5W(|U~{yrJtwBcFf4>1<mhW<IV`!xRH>rMVSZAJcO$L9J^8yj@*ZJ7
zP#<Uc9pshtsaJy0E|Dz|lH6p0oQCBhUk5J=`v&P#F?~#_{z<9tJQ+%Bb#zi)KMT2R
zV|sY%cMs*7dm6puZr(kZYwmW_+b7Il59fwwZyB1c|3=u@)*l`X?dc|eb8CNiq-j?-
zx$XsPSL*jo`wG9hU|TNr`!F628QX?mkAR0;p$RHyz00_`iVbclJ24O9;S{6cT1c_B
zNHZmilJXKzGf~dwQx(Msq8}(Di@3w4;frS}&vHPx^xr@E$sZMN^>`LHZ}trx7#q7_
z*w5mwyM%39SGH}Tv0_h5iw`nuQStYmXRN2O${I}#<616oE9$2}V+*pekxqqk9^hH3
z&crLLQkI&UIKOe6q#psl>dNhgx`Ebc0t-+UFmY6co6L>1F>}V<(Ps)>G+r7#As)i!
zLwmo1a%%PZ;ypfH1TW?Z)3m3g>x=gk(-$OoT<}OdBu@BJu4j9b;W0{k7I|N-8pWe8
zRVr0?fO;_XG+BF0a+5Aa^%baENQ7Zg?yf6Y1gJ+VdGaa9RH>%|PO@BQRR@WdY2l~S
z{ZVJ<j{cw=Hd$GWg_(WeHRsx;zzXbyaGzD1m^d^b$4)N0vB})wkW>JnS&2r;_)Icg
zfb#?-85Z$UvL`tFW(m&XE{yknRl<KrksTuA?HrB-sUkS(O&s1Q!yzLOzfs^@1nh7w
z!%N_8LQK*r;(!zHrTajJ(|s6^l0Tm>`CbCwBU!=XFl@YElg6uO<Kpod;&~h%6^h|B
zUJmb5;0}uCDDbTsIK<igOW|9DY6(v9AJQZFecF}##7pkeCRDTeVLaORAYLS0ult(t
z1B_SDY{UK?0Nuq^9YhNJs#K?P8aa+sOE#*ad6=NVQ->bdM$8(b$O3+lEEELKrOx7v
z5|ws6$TS64C89&eN`#47h>5dS;m!F4SGPT5^N0Fot1dLPL_2#|y}jFeH(zW$G``86
z8Zt&4Bi6bQ&a)VLFS7eaMhagLrZRJ#{w+8&G2R#GOgaf~JeEXw{yJNiKFu%Ly13!v
zL5xX(Z`J&q;d4EFi{_USobah$-=_H`!>1cMT`@cXICMHChE=a}?lNzoiciwzsw7NO
zju`1}ROJx)Fu){PNR%m7i&y%Tnq)9f8U2zu_rurj@=?U=WiR_~r|vEL_PwR|yEK0m
z_hNMU4L1LPkYMv)4-XZ?nT+PwM@!(O!*F=K1Wq~(hj)~~X&-TTvII^x0f)B~!<lcM
z!@G*$MyB&{cux^r%XA(N?<<CD)5`s?DuG|Fz%MC*A5!4QOW^ADmn-l%`M8zq+k^z8
z10G+bm;fJ7p03BLE=oS}B=WMQSWKBmTumpDJvr3xgZ2*P6H<Pl?9l-OUl)Ze;o`!0
zrq5)xSGCUOJUlSj(9|A?Mv8qqVXv)9>*-k;ERI#?=kk%dhOErH*|>ivo)S^%RE=A`
z<ajBLNa2{{`j{y@62-+g>I&1bx1tDYyV>tFF_~=*HoMBhsX}#w*H-T}KxDgoserZe
zj}%^&==&6t$FGq1u1ep<@M5|@#pE=<o~@I7AF}H!I9#RgIN?Eo%j?|$-Ry&GUwup3
zSNqt$S`QBiMR2yS`1R2eIPD(}@8ED2GyXKY|G)G5YraeOFN24Q;q3nW`e+H9?$6;J
zC2*1(9NsR&VZ$O`sleMb-zECy&t*0PzdkQt58?4?<`3cUIEO=yz;<Ti{|;XlO@ZNu
z!P&m$@V*i_jfcbAWjMyeZEy~6)0}1dEe^h03{L?5C+JU-?;E<WN26qtmPJ3+ycf#I
z(=pk^&x>fV>nK-RuKZ3_s<=F(xF}EApdOKOUL+0~J6OsFk4pGvmGsDWud@8eqep+;
zsr!MPBl+vMB1!Vqy+8@Zx&$1NkA~`^oI6LSxKBKJ9Zg6jIYT4CxRp#iHA@F0<5@bZ
zi<w0!O=tROR~~6POZCyAmJITA4xic445v4Z0X0R%0OY<0K1?M`P)e2BNb;XXRM{d)
zs%pgOC{{(jX|BEVs`=!RCOux_0XY2{WMaO!T0S)Q&L9ej$MY*gAyE)k^;1L90cS^G
z|3H3aI2;+-mCsJp6bcpN#>nIagJ?85J?FE|dm@p^3x|d-oQ&=o9~~hl8t{O#p`r(K
zXj1DCNj<nXnt_~A)QC}%Uy(;4`Dp^mhLQW8@r-R7=1BBFo=H1m;o!t9!%#jmP^pLR
zlC>$7zl6&zDWj{-W^!2!btp#Q8M3cl6_`yWCOdpPj8#?J^>vAf&Q@e0MM8x)iH4p)
z)Hifw`qtMFJ*@2${uA_|g@tzROc6C}l4^`_D&TqnWvU>Z$PC||tYeY1Fo{d6H@IUa
zTaC>SbgtG%`p8%JuBwV1+KNm{_(P#OHqwUrZ1jBcgJA8Hypb|WP(8Z576F~#;Qrbg
zSe&)M9&fxsp4&!1{y)~<1TeCy${VluYRgioq_)(S+ACE_E!iqbW#6|>Z=sW>n_lPz
zx|_8TXoSWV1yRHqWK<MH0T*x?5f>DZ2A3H{oN-Wx(ZL-ZXZ)N|92FHEy7K@1?tQPS
zI_XB|`+sQltGapbzH`q#_iXo^bD3+v9g7O)`up_gIv}nbaYu1*%pY%XI~@VHQH0xF
zss-OQ#`@lCHLaLi<66{RB@XY8iIH4@`k5Zzj`|mfK>$DJ+Tz}xMeOZiZ20|AjLi(+
zye5a&#l&cvo5EYYCL-9etnB&^wSIqTJLV~hzE(wF^%d{xx~PsyZ@RWzhqp8CgxVXn
ztZ_^MVj`{42XA?>^zNTc_85C+l&_QqXZAgE-+kpVaNo<q{UnS@@=pE+FO*{xzIluA
z*&Bt;O54#0tS1cRI)Ll+4UHX&s5?Y@;C{{_`J40|kmn(tiXKDw+O4{eK;tphHurZw
zw6Zohabj_CVsdfu-?nf6RqOl_B<Ia0le32=8KJ)G;Le?U_wL+zP{PjmV2lO6VQnn*
z<yuVQj9npbo&}B@D)CzD=BpAj#r<V+CK)%?)y;^2O5Bd=!?!YG%54`BQzZUB<j%?A
z|9=4c(B4h|rG@@Z?Kl037U6F+0s@2b7+_)UdVK}2>q1VeS7s%)ymD?N`6A=WIR7zE
ztM(}<x0F7uG?gA#uHCf@XnT6sF2EptbY8$fyI9b#h~=+}iCc${>d<ZOx08k$Lr<;{
z1Di^Kia&MiYeazZ5m2%=R>~l}=NsZZ?ReQ|G1hv+*<*()zGxYlk2mpc;FP2x8Luh#
z`#Dn71A>j>wZ=T{pLj?)@%&rgsaR&d^2PD<9(Z_{#6MQBu%Rrp(aO38VWLi9L@ep^
z$dL@8=LUF%=8^S8zLyem5Y?;U<s$vogX8e6b-1#kKnhn{q`WdGhbeH(z2P+g{nUj3
z(muOlMj02dZ)=})j*#NRBDT@$xp#hKWL`PSfB&m^-grDdeqQk+{flB99yR~bJTg2y
zg3IU+XN{5mO<moa`ohNPX=Au=Q+L;<{)llFa|s`$@-G6%&k7t5LGZ2s$6iC(Q}!}(
z6({k$tbHP*Mu=<r_jRj~`(+OL@=*8$vCDAau!h2z{Ei?B#d+xJqy4>?^!6XU`p_pW
zhcCV9RkI^zMJcVCM`mAj)1`+kpG5yTz%&Tnk*(~1zKq}Xvv`6spZH`22Wm_7;xVVG
z1$02qYEs-mdo_dBjEEyEXjs;@C+<YBM!w9yqw~q@$sK46`<s$edj|&hP9>ZC;l=|$
z$o04qg~<4PcW$@Qp6(io_3vg#^zQ!HP*>V++<i`J&qQ)G=i9SkVo&NE($LxV<6gpC
zd`|4sNqtr5!v-Ve2fT4IKgwg+Za4werqicM3XR|^+JxrV)Zz;3H9w{uJct~Eo({SC
zs9&(sDKmFLapk}yJw*!Xm5wu{Nqyzmx=bnMeWmlMuR)F((_(!#;ya*hC_}l9A5{An
zm>noRHFby_sN_A<)4&<zZjp#KgfgS&br3q4+oAm8n4aDt08vRV#;l;1PVD~zj(i!8
z{{`Iy@zy^_H&Xw~QMc*)OX!DCzdQ{o4;}kU$Vj4mt!^RbK=~!+fO`ApvuYC+y<O6R
z%y6RK&N{L(>PhlS`e|un2tMt>nYEgvEhpVBGv@M~+?JtObYOFC`@+$|e#onR*V*HP
z+3aY_xqWLYD&<y1=h1#c=Rq9Md%<^9gA3<%4ghX9r29q#GLV$=oUIF`tz=8c{1WL~
zCLiUBW*$1vckv6Tk?P-9z(E(R>J9R-!YSplSh0^_H{Nt%eTy^gvfAqFt;*EK`U^^r
z9`Gc;{z|j8#`@srH`grfjSmfsq)OX2e;%b|FBwrb`Px!#8ti4=2RK8uIQ3c3Tc)xv
z^k?-Nr>56{!m%>Vz%jKiu1Cr(o^H&Q>Bd;x;8~10pwESEq)YCE$8cqALK~iMh5jW^
z=;L}x3y#a!Lxcw>;?{IOyqCy%f%qsCX$>Hei~jURg}IO(Wnk>Y_3!Vthut=t%Mr-W
z1xJgQ6-R?}d7HP!WwW`%_U`vze`4&p=M>MOP_yx{wXJyK>t8=nY%>`T8=FIiO8@oT
zb6{PDH1^K_LExcGc`XcbZZTB2Q)S(sM7*7zRl(gA=}&CIH|_y3i_&(6GW_e0Q5O{*
zMENfi7#%#EFUB`yazn3}FZLrNBQhEsNbD_~e_=YA8;T8WwI$M<LXo!Amc?WulJNN#
zBk?VhsZqPBexi$K{|OlgJ|=7pS4Gcw87?b#wJG5lGijlXhMD9Jm*l;un}>K17@7&I
zk>(h7Hws0UYPh7%WE#Hj>Pzd)rr~?3_xxSQk?bo=FR1lj?6^4dO2ww@K!D}%;Ny|;
zbzMsL>J7jfVGIJ-enZ)l@G?7EvY3@m&>VFTT_@sR7EXN!w%y<ta-W_Q)J%>>ZmXRU
zE=**NT$YbbFE&NvDX-V%GS^#OLFf2qj^8z{)<6B~VA4}-J))}a(1oS{BWPmve?Sxe
zg>@ZRSBv{hG(inbp6o4ilpUab-OC~3J~aClRE*^etq~_2+KokL*ygFX)j6HcI!DB=
zj2ycX!SD7+y4z+nUu3EY6fzs%z6pxug9DfKO`cou$TckD0;=_D#u5p81%E$H$JOq)
z3V!vFJ}(vBRNgP*GA)d!#P8GeM$DHHc=$H(;DU~*N$zzzdSz`;H|DI=fEUQ!V(4jF
zbRE||t!dOcEn<soTrp~8FL3I~&3SKgldr9*?up|Iou=&M)ereM+3NONTAa%3-*^4>
z?<-w2GL4R)w|2lUaTxSNy){zNtF$2D%G^}EQBuS6AmT~ppHQDAKWfzKwMfm@gBI@e
zF(-=NVMVI2tx}<N$pUynkri8|9_4>#Mn+~z_wwJ@9)0zzj~?VdO3h%=_#ejNpuChG
z-fTXA|I7;u^14~zc&+Zb3>h*39NR!^kRbJC3Gy=9hb}?%oef5R)kx}xtmYbk$XGu1
z*s+ba3t-!Cr*Q&#Ao#=tnBMpCzABH%x;5w_1N6u;UF3JN(i7L9*yDzhpMVW3bz{ac
zq2!Ztk*h6)Q#o6%>>CKg?Z>`tG`VvNeXn^<F=sM<PbAXF^^Zh#%thIjUN_2WTZj@~
z%13Hd9HkXkGp;OVCq^pA>sUT|C;q38Rrv^Ci1)3o7@P6FCV1k2TSFPQ>!N`)Fra_x
zS<<J!jfFmBBpoT4`$agCM0>Y}arJ|z9u!b)v^|KVX^C}-d9r4#Ep<u2;;)Q;9UK)M
zM|y)K_p4aE)tU{rs;V^`ndbI|4=90|&aFey*zi)v)NudE(BP2rk^P@{rbly~lWopD
zsca^RwM1V0F2G}i6c1K*#@E?R)&42g6$=P{OxaG)F6V-LS+6t?s|i@4(y|^hHGS;V
zqsN8`TYPA#W3an_bZD@fLPV`!1D>W6J`ecpu<Fk4%dM<*nM=)zmXiC*2uH4k^^hzd
z+p0scd6rPju7`m169oVJ8u(45f*+0DRd`Lsa*;U(@-!$Jhv9~0!1G>#E66NXJA%!k
z>!M|!BFj{0?%e)w_wJfXwa=a3H?S)-?(I(uZL0a|SL$YqiDL7}g6c(Sg2@dR&qQ;f
zxn}?5mhEGce)l|`w)AzrU~~djAMC_KXXVyfW>f|IY8Qvdysq$bdD4Nb$3gh1o03P$
z7$512h9*Y!0LrS4<!W!1+EQ2<OIt2DcI=S-H5U|jO(v6*y9P#PXGid{MMicMe*i1!
z$Q8*sE#G$E_U*fNZQs5R<3ao+^fKmoc`JFM>#$#0x0-yaI0<E*C|z+hB8^(54Gu(_
z22^mMZt7u3jC*CYhVl=`7Eavww!&z1aC5$PZnl4r6#9iPeBHHaq+_hL>3`l6&ux>k
z_3SwS!XB2f>>_rb>t^+LYA?pqij}9qx{mi%uQg<HK$4Q0>2(4!fO|?Wt~5ClT!Trp
zB;g5Q!QVvLX>M0hl1KMg%X4)xO#$VTpK`SZ+BOWt{Mn&+Q@Gw~wp*Ip`+K}m`!ObV
z9>)P=?c@2(NXlt6?@*2LbS7g`|3i6D8}CQeUqPp%?Zfz;CZW?o=MZ%|A{EPRojj?~
zl#HliF3w|E8G1BTGuDZWp{lHtN}Q5j!GQ%_L=tV$Yf-vU9<!|-<vV&=zM~6fT>V$R
zTC;IXmhgyAAD*2)GM5k~JSN7sFU-pt9vFv~-wU1T8C@r;_M4vB&jIpj#1z<24~|}@
zAnI;wbEqXmRu+`DQ6fAUh<b%l&($yEu`IX>zeQC+`a;!rBY5YGH;kI4;qdj|NW_cJ
z-N)4BSRfFO2LdtudJ0CU5UCiCR@VXJVeGF;-4(lmq_d8Smc7ohtIWtrNJj<tlG2F%
ziY}}Bo~X;peJH}8g6tFfAyDIZ&^&b7GKbA#O$p_;RqWuQy46}Ox2?N#X%M1mYsdY2
zHFa0Hu?;MEC|#}gmc>C?`@KkrEh!g_$fW@FL@IIe>sC@_e2<Z`G*68ObarN)f<<yU
zORjI|K6~nfk#FEbKO0#b4bk$hU?0y!))UK*{r#~XUE<#V_e!yyLbr|no$@$-@B=A#
zMI4LT1Ni+FJ8d2GTEe;5PoT_ooq-Sd03S8#>XjctTIt&5-m$UJa#dHMdWmOdx^KM|
zdKp)?z6M~Iacw`Tt?iE08|0dY9mjTQ$3<z!p<UVqwC`k$S(o9zrF{oo)_}3qBQ^v2
zR$W=&S~tSV{8aQi;=fvpW%<A5V_!b@u7-nVsZX8y-GcyF>QbsYAZTDgUy0SJf-I|H
z#HKDbQsJ5*X|q6-8P027sYFtBX8pEi5VubVX1G`24#Olf#YY#?X?>D!y6B=~Cr|e3
z)LY1sW;4p)Y}vJI%aWsYB!e@79p@%9?W}yS*<qNs0QUaMeuY2F7g;cmCr9dhF#>ue
zaB^kx#3w0rt55hf;v8A*2J-|-ZvU>UZ80!kr!>{g6$j^QO3&A9u(i$|nVLE@n@G$a
znwmN?*Q$JVdTMIA^p?#F3ouY*Zv86sh${Mg8SWviDQTJ0kD#wK@(d5GL9Css>~_tK
zBb6PamUVBgbJ-HE(Ls;T)@-e<ae1tlBLhFPobTP3J-%t&Xg;i}VPEN1^bMU=c?7j~
zt=J`mhtzm>`l?oIs&{Qr3k?2@<zGAZ*JAhagQY)W*M=k_>mxK&cI?+_<`uhy`(mgp
zE<9h{v9AGH>AneS>e2^EJD~yVld%nYNLivUycye`x88c}`$h9__rGoA``^cUgMEc{
z^9SI()A07w?G!f+F?W?Gs-kV4BxPtC0xdHOh?$uRjBw)K9nY6xtsMB`02A`_K}Bx-
zjXMhgKu!J;!gsdCaHZ{=#&cPWjWuWJrz_`K_0i=f)TKY`o%6!@RBz3m7`yDxJLoRi
zS^waJ&*8tb_~<^p`SSul>D3kCqst;5;WRsLT|}kEXoMXH&WY7zr|c5rv12vCngt#h
zQ%Sv?{<_BU?gIB!Alq1-05Q>G;lG^Y4xY#_n=+ddXLsGLOxYfMza<eqtMhJR$^HS(
zKYakhnEx;&+G*o^nK)&6j)Sz!DVI6-O}LV|QJT?GY!?2Q0O-|Jo>A=Yk&DO~rCdAR
zTgK^AzLvRb`q+Ap*>(HGbgglkJ<3Uva_ttuH%{mrdEFXX#{k!P$*bjpFh{Cg5o9l3
z!Og1-Vh$U_<?vM@s)boBJjPlEpymRkVLY`Mo6P%MZgaiG9dwR8a{SI|*v3!4x<4&F
zfQL#yrw34<lbw)dj5j@PPSzE8s>F^H4AykAYNvslKyflV-HMsvz9QEYvrNSdK#35>
z6DxWH>px#&)i3yL9(?czw2S_MP8$JBH|U?W@FMWTod(M~4{wG3xqquiT9E@vIYO~V
z4;QF>eGwXvJXGsO<#|)vOn1u}YU35pu|4>qy6n_>#kKYEhVAcPx6dqP31Z(shvjUG
zb&+G031(iuNmNIXVw$^uwZN7~&@TNktN_VtGdM2wXz<o*@q+J=-8k`fxAm^7k{)+m
zc=fUSiYBGIT-W34!wd*PYy<EL*EQDN#i!$Soy4ouSdepU0bH`K0=<boKnf4Kr~o8m
zc6b^*&wz(#{R}HluYZEQjzU$z7qRx<&|NNq@~YFzqg;3%mY-e;<+K7RAJXV#0(>Ne
z@dVb=$+~q`p%ZB)^E@Q(K<QOAb)^V=;!NH?lIx>Or+fSs0p00dzcT$&ZvP5!RrwsX
zX|LE#mHjd4$>E7A(8mE0tIE4H+x9dK_baZp7PuTkn#&P;5GIowCokV|#{is;zs3ut
z4qI*CY5QJJL3jN-tSzgxOF6oFb9qk^?TmL~J8E>WUDk7;j~!WsvOnchA}&<g_gz}P
zwifq?y+It#RMwr}SJs^~n(i!h!_VVAQg>#K8s4MpjClTe@x0Wr`MkU@LmeCU$@X8D
z+lPeiZNxdgFQ~2H5$({8CJk@Xd9dbEsNlK6VIM;lHKJ<;rH)|Cj5A}!ki20;quvoi
zUVMv|?+Y2C+7oF!5fy)pBZfq34D?MDgoLFf*)JsQAmp!hri>Q%q<dUg2N{9OVa3~D
zELg1E-@{2CMmXKYSwQf{xWJIGRzzOSKj)@9eU5O-<8XUY{jt$mPdwKg7?0;Y7lkK#
zJ6om~5-Xc*^|6j-uP>JHw7V0N0e7I+=F1erL6otzg@*#co>cQxzrQ^Zv4@J@fsOmN
zwbbsm=YkRCZb#DPY!A5uiPC*`TgzC~k!Vg}h$5a-`7ZK1So^<R^K+dbt6;Ud7M+aw
zs(3Q=T6B7>qaA5OVO6Q=+{}VQn>+QZI}vDX3?$sz)s|W~JTY;2wzU<0vWdeBsa>A@
zTu)&(<8ozY3q5mrTDUo^G1eEUsl<1!i!ZOl#mh`_BX&U;cR~x7Q6t5I<F3o{W1(}E
zw=dLq9B?s6-S`2ao0NSX>zs&{qw%<JN)1cbhv_Y(9)>scF<u>$S{<}%9Yd9UPkLzY
zWMX@w=pAd{J&>913`C0yX>Y&pl~diz8^%N1VxG}VyEi+MOw7;CCsgBp@@_BuP9FhW
z`HFqDP8+Puiu7_wo<iD``?eK5Fa<sEET_@Zt$rHV<vJ?gn>-Zm3(R!2_cf-*ySGhb
zQqh6nVC#-TcCM$Tx1%r}8{CLOZS&q(D(Vb->X$OHa6I6hjV4{K{qf9@)7UW4n;cAg
zNN24W6iR+#{kbb1!gbQJqW^QB&7{T2)Ib3u#w!^vHvFO$fKzqEJ&a~b=trohE2q%L
zUi#r1=jZ=$o2nS?PWx-OD5Ir+*#6pY?e|akykRf#+_L&Rg>gLb3Z7qvr|6NHmBZ8<
z0Gqx$Amf;{7>BhU%Crk+5(q-Ky?;1!ezXvn%;g7**-&esuSpsDUacePW~tHm;KurF
zc)^qC%4E8lnqo@LzN0lYuJ+Lkxdb?qY8cXd_pG+_mssHP9NM&yI^1E_eUy4mC8?%5
z23yOnqAd$1CM;XBv$Fded<``PHxDOLlPmfDt-;ZzLNL&g@T&g##KQUE!b~dG-I?+C
zyK4t+;qimB8!wxSC;hWc&CYfxU(uzNc4(^S=G)uzfzTw<_Bj_Z{BsZH!d_Y9>$K4d
z&2!I6-^~*HWe6vsa%?wR-(Yeki|wn*iJs9!qiOmThYl3>%@q$`bloPr$B3HfFDPHa
z+G<6{?6{%4SHCWHx$-WYDG2z6fIUi(lwn9nh9Fu}_(nOdpPfKF_6UyP)#ZWMUlsTi
z0znHGH0n}-L2Pujb*NGj{3*MkKkNvl-0_ZJ*F<XDzJ}%&ySufeDb%;Iw%M0UN3#=-
z_Fh+_E9_5?*gUD;h`&7+s53T?w8#2e-CM>y$*{lHSm%#r0#O{Bp%h)Y=4e|inrMG9
znQ#TYuDZrtB$*X-ggs}(xA|aCcU0)8m3Db+m0e!Z4^N7jLJkD97go-f-T=n-u%--S
z<86jk;DkFtlx|=x7-0E)E4WncVt2LL$Md|e2r@}WyE>f3rND@zC*<!)G^_rZSaJ;H
z0b0sz0ijJSEAC)uvM-;_x0jwv24<SP&dhXoOW55unrWLtqR#~BY#wAJ_KR>nE918v
z;Gys^u`K(#nCoiWrhH&4&+t^M+}3N(YkhXlo@f89d|In`7jW`_Ku>&ExBjkmI%#F=
zMrxw^A+CjS1;GNwsu!Mqi0htbpWUOps&e=!Yx=){GuN`vJkD}{D}(nOVv7FP=eOE}
z@vtYE2=xSdV=MiwV|l+PnhZIN<?~y8t&u=W*yWEld#6GvN3=T<%0`1N5zpy3DXu=J
z{1tF=rt@2&t)1!oR+~7#RU8*14seC`04KaCKva#L=LAp@0(ID$?8&w!LfwJB_;N-&
zz%}ZKbwxv&SO733yE5%91a&f;Qr=a@A@od$0-WD^2zu`ghEL1iIHUCt@?7y7=Y`>n
z)>XC-C<Vhe5S3vuy;j^et&HHT)hqD(M)4beSME~}<2n2t&%IWA4);NRUx9YqhjyHT
zD*DUd1XQ0gfal-DjXK1qp+KV22d>1kxS*|omYAhOuUbag`18tnqCZ#Pbhi7{{pI^M
zuf7)NSDrv`YtQ4u`I#_`S^xG72U))M+{ca{eeB%m(!;xVKfDAeva7GfIhLpOqp4T2
zpR{0KGCi;AK+D%^Jw!!+=x5jJ-8c*DAT*M{<UGs6>Qm#V9vR1Tsnxp;|5<)c$IIEy
zvphVmE{>lXz;jXUeckZ%orK2`m70LhliZyKE%F=u6Tl8Rc?wsVWsDskG9(dJtc4c?
zO=myMa(qNP%CaYkFC*ip9b<X8Z{8IRg&hrkSHql=^*h4hh<mPoyd@PWMtizzOf}s-
z(PAXkqKy;hR~`hEgtszI#(m23D^V*7d)|cChAYoA!8G<^VL)-?T*~krk;8>nVRVSN
z=<?~6mNkc03gDAH+9{kP<A=`xS^u0n5)M23S!J%l<!^9=Ls8d!AJ#({)OxPbrCKdh
zkk&T}TW%Y!tH{N*S`f&jwZ)Vhm3eXBOt~$BXBR}<Y`HCk`}T`x=gMuoZ&9?(m)qLV
zwpl#8P;TqNvs=V{8_I1N+_yp8w^(j#75x$BjpeopC2x4vxEpQI2{f2n(e{LB<5qzj
zTShr<xD!=9t(Gn2wy0t;yjQesEw_bN$CYypKfry!%PQUjTy4X371fpmUbME@>PBT=
z+y}g9Z4o@XAliTztu2N7_KRnMm#X^~MH}#<wYA~d&Ei?$MQiK9vs=V{z>C(F!F?OV
zeZY&>){3@8(MEVB%oC+Q7@k#HC0_LV(DsCAV~m%)FS9yrxO4Ski5IOcTKb0Jy`l|x
zVH@Od7_#bI<*j00ISJWlfxf&Z5Ch^64ll8JEF^$d>I^}dWo;7#{n+e|9kcvI+uNh~
z*e<`|f=e&G;DXDirxzC|kwL^DIt3>M;nm6;U_C_fHnHzX$zM_Bs5Zi!z?;fO;fKy`
z&3R{)RKLaLC|!>Z&`%8i%mZ#8^lR(_=}=d;E~T4JHw5V>v$9XYJt_v3^Z^t+T`T7&
zBF!mBPhcT4wh^Z!2X5<HIM^Obg}fcD?Nj4{uI`@T2D~={d@bO;?c($~?qsaNmQ3%E
zh1a>INHrpWs|%+}#=+3&wgZEp`9bMP>#k2;s%=yKB+<|GZ1MFci!JG5Z?-!cbhkG4
zgvN7$&ZH+6isrp-eYQ+8(-&?DMGDatZ;Q{Bi^dy+ZT?ukvA(l4n2YcnwG?o*A2_dr
zJ+=sJnb$*2=EXfrsrt}W%wP{AZlqI=n>%vHk{cRk;esJ9QQT8*Si+=3sP1<jzU!i)
zp$GSwP5FJf|M|u6zPpQ8Zq;zMi1)`)0|nODncm)j4L?0p!Akck-s+arR^APfvxYZT
zn`xiz-R$po<wBu!Ti6|GOgn%4?izcG4W^E}In__>1cL36c&gDB{QTmg*$m|)67EjA
zN&7fERN0KV^n-5`vNO>BV<1zffQ<Ct0LVC}Og9oDsb9o}3oY8p@6{$4EU>R^T-m>r
zDmdbeQFpG_oa!5z@Fcq<{&+Of7By#Vm+d`#MYDaN-aavwnjU0r_33ytoJ{s~2paFf
zylnyA?1)r<nYF@wW$q={a{r-XWSuZJ1>1rrm6k*{U^8}Y+qfaUp)<F%Z3ntF8ZsFB
z28=xd4W}s1lw{oS8d~P)3m82e;rIs1WddkHINsn62PRrIjAR8ys2gemPqU}W&Wg0=
z$DrubtSK5EpN;mldh)?Q)Sc)I4s2|N9n_ratB*yRJ>mAcV9M@`II;<wBi!aq^f#Ft
znTRhPY#iv0<n1O$Ptw;OcKjwB_4@tpK+6~7-bQz$ttOE5CV)TqG%&_RjFHhOoZqNE
z!iu?6DOnuFXt-8M?=Fm{SY;lG)hhPnik5^_MZ{!VKIu%j%$bls9<!u+oC$l>lkGL9
zdj}`o$?gy){~w!Ng$_>XzshMIZI#o^iI;qAV)a4r^Y4N&oc%oWcV;^}vg65kJh?J{
z<BlCSjt56xJw5$uI8AXx9-e=q{Co{M6=zMKrv6<xo{Ytk<LG5Ydon2c;q#f*7Y%pf
zOgeh)*Ui5S$El)q@cjJ@4Dv-HH4(or8uj@javags*Bjo8ewr%%RMJuz{>;sIFThF*
z1j@x?DY)XTirEv7dBd@xS9RE0TLOMxD4QuPQa*<bFDd7$cT1VAU~H7xxUQ;imNHvw
zga1XD7xz(@k@rRL?1E^cE+gAgxNpCBmby&kzD3bST}HOG;n~gN*@bdj51!p3?xQXv
z@5|u64dOoPGP11|ZHuA}@>Oe_Fnr4Jtojovv&;8=%J76}qb{TMrx>8iyh6%stqpZ8
zq06w1x{SOprW{xL)TdR8<y8VFVf@}Ke%~X02l0Em_<bwa!RjgKVXrcFV-Y)`#WFAk
ztPG!eRPt%W)W~R2?!YS$Qp|W`3p@nt^4s2Kztmpqu2XB=?|JhDx1AULo2YuIrzbw2
zNX(c1q<p-zbmf)cEq!?3alFq7T8N3vcNK4Q;%!l^N|{g2<>toQ>d@xK+qgH0+%YUb
zvi=q<Kv$)1wBW1d6RXhP*Nd(3zljfKe96>-Kz=m2(3eY}Qyky7ZyfLbc)h<3hm+Q;
z&J}R`rcyN2SNg{6IB)^^4cuI59E6`ZsA0kY*cid!&{&z5@78=n74{BZC2U>Gzh@Tu
zBGG}xO#7s}!;$j!PLK76vd)g8ay&G!t-o(&I1=*~nw;m%Eu7<Z_e@~K#K+CRM-A}L
zx6)rqj4)QB4sYeio3s&Qs1|LcJn;V7!&hB-K{_@*GdmvT$S%I@@}tuWTbHQFi+<<P
zFDnpZ?$DzFIF{8UrNB07W2zIq>v13jPoH9Y^xg0N9DAHQGJ70LMDK4(&<UX=UX*qH
zabEO(`jm#x-g~d;<k;NDWgo=v4Zv?qz$9>sK0?4Z#rt23XQ&oDDC<|bO#@Lz!gfq}
zI~}RW!0gn7Gg`a#UA{%2dywcJio`s9O)j8&TV2i0nZI+BAxYfaB5=d85H~{WA=Uv8
zBWTDcL1X3Y$i9`oU0L~Cj^-mDDJ?zmL>VWBThR|9ZnS=kjCVz(WZw$!EiK9W>=?Hn
z_cdWf$rZ-2TLdlXsvaJKi}o!Y6P`g|HWXQIiWQXOsn$$KvQr6{z8mgqgUefk{SNeH
zlin)y!#E!~2JTXWO$bqpT?FmaBSdV8C=+c&`gv4+E5<wazTuudSB(<X&wcJgr5B%C
zyrKM#QM|(};FYw4eQ!yHz)IiBr^N8yUPT*U!2Nz%_XzNii|{$((+t`s&!BpUv$4cC
z?CojiX6X@-0=mjMQpoPoj*-I2OntkzwisI$_iU{(s;wK6i%C_jAplP=Ej?XYIvLp#
zI`G632SQsSbZ}}ox(V=bUrfS5c<S-t8sK?Q5+3G{5L^1YMNYLt9A3q@?z}N)G+MUo
zxG|3l-}hg8<4didC@uYBPhxZOQ+$^yc*X;uX`Tn=t(sjoRu?H+WS^HghQ7;IQFwlm
zT_}V?I7vsp_6!gA6o!VB<B{RzzTV}*aCmUJw{LkkGQToEx3n}jzarjCzHtr4$TOdG
zD(2{#Kp9+3RLMOW-;i&WM^#H-!(GYId?3&<nwS~g+u0!~z#i#sZS7Au-t~jcDHM9+
z*g{I9@(9MpbDby~c!(}5yv4P5P%0QOPA{%hkNBJCHo0`0g$f;vnX{bR^ju+hxPYO4
zVS2Y`{#=QJ-q6xiV=>a`t!u1LDWBWEz#%Ve|JZ0(!?E*qZ0x$K$?rB9N6ip<gp;`7
zd@~-u9dL4W+3+EU!XZq+2W3g+I3}8ZV$MY<W##y4iJLp)BYA&k>d5)KCx*|<=Y~1+
zI9(vwHP-ma2Ojv@Tmslp3_h&sbAg+zzzk2G=3A|hT6VzX169d5wg_4(r!AFz=_CM@
zMO+`~A`f4-JepsQc6-MniFj*h#2NM5o7;-9)Iu=p=?sOV?ZM$}Zdo}VjShJI2+8&~
z1gxH5(i_OfT%ka(!yWMW{Ph86S8i|%U~R$>&If+1pi&7ZjW^ck<{3&Z?5~1rJKlVQ
zvgHKsyku^!^bU*x$D(75luZsn*(Pm_wRn!9s*E7Sc*?0(;)~^n+jcH@wxzn3b}GmB
zUiPcs&-VAv{{B~&?L~j9FQNCN=#K`ST$lQq#7>01602e|3&xw@c-}~zqaLSW)eUcd
z183r2k}L+0{1=_K)+sltjp#Eb;@%~%s*d*LI-tqw!H4D<<6)W*?ZFx1S=t5>Es2p-
zzqcyzrBYesz>XaWOP$$RW2-4F^wl)fsOCCza%tN|z2;i8YOb|(6TWXHW)Qy`|JJu+
zbK+WB`kuer=j--=53j-~$+!*!Udbyd>8WjTWpVZL+#;QSqq41lk>?i4Z-`peu~e*%
z&f)p%dfZOUiDP^7)}}gRjoq3(@7SyM^wc=&)LKVPmvZBezPY<G>hVMycYo`92OV*@
zJMK8hdHEl}v;#0TLKaKygRoe&w@Dp@^#WXLPA7Wp>v!ero%L#+t1iFeb;^zRDUM70
z9e(`(lG3jb#l-RY(f2v%yH@aG(h%hp&3N7YLR!*m#q$IrSD%XniGV5p*B@6BU;n0Z
zV~;X0*Hik+EFjYKTljWjGUfrjH33=+U?<;WoFOTcbM5|yy!x>QnThO|yk6|q$n7n;
z;g852o)ry`RS^+I9{1}z`gb2zePM66HyoNzzk0gH<nB@(QO9_<a=e)78>kCLT@6J?
z;I=O$oc@U>$6QU++s5&#hEA-R^Nri!!H*a=X{)X5$<nGNxOhaB5w~+%C5RS)YQZq-
zusBEnvekouG+-c7h~PkLD}(aZ?C2sP9ogE?cstxC>%_9r-5D60@umv7P-Z$FcSM!r
z9(PRn=C%D!?|B<DQ+eNXfB(Vw+wAp(7k+iXn^vC&_9#UtCxu>ym;PlsuU&a8F_iHI
z^25>A9($@G;7E3Lw0a}9xT9Y=?#)iLw~gn#&9?sf`k{`_L3>@F-A6nLyF}nAT-F+>
z`*Jl<_YGjqXm`puVa_H`2jbO(zfgZ*?4961ayzowi^2pBZ6b?(bO?Fe9~j@@OLqqX
z8K-G^#%grt%#lbW7J_4V&-T=4#_MY8zp~UBbNHqcZw>Z#93@V8{`_%e6gUaO_rpCw
zi514tL6;Jf<075_3#0uQ2NuGW(mpP9I<XCg3a6C27OO}M;#o!M0``dk*5?w#dA~n1
z5NYj;Hmd5^&4m<#fc(SP+-7a`JHzcjTW-8PJ)ZLgbH$*ou|Avi796gp>@Cd=Y0jAg
z{_S5H_kk-@zaey9d<YZa;kqJBCR_=Vv>xD&lX#Mmry&%NNjS#x`G#ONoCr2q9rf)K
z6IiR}Q6pjj;_mtp)ifBHDE$uzHDLG+ZAR>kk71vAr$*JnAEd>~35uSByOpB00QH_%
zGk(tjUGyKKO(2e`D=Z|#>mYz-$Ttx=4#X9?Ftsfad69t(fK(QWg?B)1vkxocp!(`U
z#=>y~s|dHycl5sD%^eL*o<>KoIoTDo2kVawT5H{jjzFEqX07pthDJvBZPC0H(Nt$k
zFk9!X_ho<6o@);v!QJhQ;IKD%4s+o~qj{{R#U9Lr>_)S>q0Zir%63mH?bs!XM6k8;
z+mPE~Q;bfxN5rIb0*6}!U2{Eg<+I)dwGr}qy00~BPFu!RQG=b!W><e~pmW8EZBRG*
z`R29b?(o9UKYk(J>T*9PX%l-chQBuM#M)>S(wve*c({Q~&7y#xO?sf1vvr=grN!GE
z3Qa7lF9qE006(SIE3+k`E32zNG5pT(X7twxYL93$OK3SM<kEC`HQ`E)2@|9{TxqUY
zApOhl^1FTYP3DGLPvdfzReR^}Or~+w7;M2Qybq#?iB*3;X_$B-pOkhC-$=PYJB$a8
z8__PSK2QqLEl$=b+py;GcAlILv1j#kE}O2}ee5;6mph2D(!bw+%ja(CKL^O-JB}MZ
zf_G4YVm)wF_|%9sni9oT3quN5=4<kaWd~-rzQ(N_@5?LKmTnHHV@9Ux08Z3hdm5ey
z=7mS`Jm-|L)T|H|6-3QhWexUPKu8&b`_RIyeex{+mHfdYbghC{B%~sa5ObtYzSWbU
zuOE!ObJ_|H9-H<x_s06Wmp!3i>xw57z^p5?IZtHBo0uOaJ*0jt{vl0BTy6o3ZV@e^
z(;VNc!zsNe%%`9(R7Hgnnld18$#zcF7~PT#BThkvd~p>OszPRvAN=3iJdZ{Pa(;hq
zAQ~Cubuf}>ZB5`K7++i4M9%BYO|(&NOb>K+4Gwm74q%*+t%g4-=Zp7-4I;M+Ga)o5
z?h<LyM&LxcY9XhnQ4o&<B)}t#rIAA8j7ad4s2$prNJmmU?e)OD%Wy!7)y^p^>Nf?2
zL=ASNO%s|_{gd)FWUWepnw&iNcU3Z#bxHq3pBwNK60(glO?nu3hJjhr=6G^}S%5?l
z&-ig>tP?c;7NGTsfEz3_GD0s%-jT+6K~l8+$>iwpPAvM;JqR5&)=a!58V<)>vVXdK
zz~R|-4w2U$EA{?;<c>h0=b{RoD1gfWpEuPFycHjrp+RI>v_xdNogvnlw?JN^Wh;<8
zYt&TH?y@#oowe>vBgt}b(qvpvjV;N)m$K=&(u8+p#U2>f+Zs8cvla%UBf3x^fYP7^
zVm%2s%VJ$;H7IyNJE;l|My7gMxXp5VeA?gY&3k?RY_KU7Xqp&kEqc<<xVyR8hOKWj
zIcAjOepjEv>27qn>Mag$*pnIXHWeBgo%Y&>`dYK4u{qkDN0~NMTLr&(-WUd0BN`_Z
zuvb%-NuwO9n4};sCn~TuT*)#8bEi?1=tF3bNZ51BlL|jL+||)jH@9tD-r3k>Pb$Z!
zi*Fq>?%X-~)<Nrt*~<6lpm%Ikp9I~ERli^Jl?%$|J9Gm~f2SSqwu5Ol0eeiQ5lWG6
zmazbaP>Svt=z?I0Czq#cjjlfB`25h<z8FuYpDUfr3bz>EPupY>@2`c$is9&Urv>B-
z8Bdld=gdlWRxXut{L1C-kTKM~^a_&1`!BfQ{X)P<+w<q>(}Pox{(?S1{5mGVP^k?w
z^p&a?x{_nl-zl9%M!IVnmBZ(*BpoJKb}sKm{NUzo2a_(<nG~?>+xPzW<5N2MmR-Bv
z0u;${jsqr#VW}D>EyApfXX2Oc*BU@#25XnDE2OIl4A5AEgG@ljqb#|Ufe{#H5-><7
z0a?u@2Y1CoCSPdh!6WA-W2O+ID?a@0AviuBc+W^*--v+6fc=OkVH2K4cUlHb86FE(
zNF4+}@z2?o-#~+aQ3w}`XL_Pp!lufEwJVEucYUM1&L63<+_cgU1J-1=TXRcSH;-ap
z*EnGgdmYO7UEX}a*WtUX^vOZG!vU8U_-hgLKt1y>v)x!R!h>{p?_F<r{;qqJ8}t7<
ziT}&~XbbilcVV0kfp=Nkk(IlExN@~Xo!iiP<axa>9cuEm7bBe$p7zG}KqAvUq}=$h
zBc93!V?8KY<m+|$lhNcr0x9#95!@a9cjX5{I&)`q&93E1%$bV7V}?L7+!F>j1Hg*~
zuQ6S)c5H9hesKF|w%>ohGI;;}=n2{9iW~i5yBnm)7#~c&gcrBJ4!0_9-l(j;1LsA3
zPI*Z9O60hBA2Y6W4+FI)YhN*J6nh1B<(l|F(={Ko*qfYnHdjr+p7?2|ziVZ#y*FH6
zV;-z+#DjQS4RmkPh7U@$Zcnb^O4P5B79yx30;NRKhXt(>v{AHh{Y12+AaW2PT%;L%
z8l{NiRz%=NIzcV^Z?oNQ*X7Fvi`{C(r)TTME>BOkzQJp3Zum`io3|sTc;4YjHa90d
z?<oB;-r;NO?rXA#vz-BZ6EGG~u2V*hci~$E9z<43p{8mAtK!ILA~a*+$o#)%{so`~
zz*w7cjpE9{j1;xCbkS=(&4+phtLjs)9K1OGXDloAg`@q~mv+6Zc_rY6{dY#VIs5;Q
z;eI4{@!-)v3wP%F{t~pJmoW>0Q7`1j5M(cR)@Zj1D;3zrsk0i>riD%0P{hmP8U&VU
zZHI+UEVt<Of-lu^<3&VFyf4)oZ&Zy>o7&T!R%ggR1dp_@eIOccGu?)ronUUD#nx1x
z&e`f=tnS{Lp2+zoQkhsMPzKnveMmqOI-Tokk%>aOFhxX47fJ!DO{CUp`BrfUP*Ec2
zq-9}<ly#&t`2c!?-6>Pe#I)5^<pbEgk{-=^+oGkD)gAy9y8dsKt-xahTFhw@LOTFg
zz#4@{S&2&F8ie~<tU*5vbIJwj7}rZx&`C~Wt{73H$~yIqVN*1HW#sikEt4%FZ&!0V
zt-9O&<C?CgTBlaVqS2;!V<^-5TbHwFx8<U>X@`5qLMvPv=}76(sSV#x++eqL=X2fU
zVX$EgH^B~)`&6_;^?j<&Ww7LLmb5t%@p9@HAy~YaC;HSRwL395u_IPx@1?80>)ZZ5
z&7j8Kg|`3yto{W(A)Y{OGyJ1^p@4&$u(r<zfsuKy+BPC$7BXrMXDjZ<-%gLIWi5$}
zQmf{AnQ*|qa%$~a@B5K<AL4kFdz60lqk;i4iWPMX@H}Hl8EDOlQ6!&gk4;sg1X$q5
zTDn_3p4RRb{TfZDqxdNIxRX6$Yzw&c>u@%n$YvAqEc(Y<H0)LWQ|-q}%!Bu7a;Q=*
z^&~b?^!g7hpxY+W4sd9njPV7-gTAYuK876%D;ytme+bh=8UW4PhQ}OEr(<k*rfX=Z
zYj${?zs84Wy~UQ6e(%NE;o)p%WMuEixOXrXAM}oo%taz|{1uOhUrmjTO@;B^zVY$C
zUPye!kY9Z(YBT>QAby<=vF6`F+^{x;N_M8qo}!lydw7EI851otVyV!}^MItQhqkZ>
z!{iyz+&_}{J%-&H`7BH}Jdwj)%m>cPfDo*MvJKE-6467b*Q}HePYs*sUh{mnV{g1S
zvC!V#)iyde+O{;a)HT~O+|rwD?~n}}k6vg_N4K=Z^X;)*GL|3joZD+Ve4!;9nnwIr
zI-HKhI;MLT4%m+Xt^yG8ef5o4`MY%-Xt^a798>}lPeR-(z<{n!WH3J6{3NH9m9?ab
z7Q^UhGQ^=cYoUf|2FdBWW7T>OTwdJlw|Y>(rfW!5FPyg3G=%yVbH%OU30Ef6*;{A5
z`&MHhsMzOyJBszL`dM?J;Lk7g1T)F;W`D8Z@ANIYoAV<f6I}d&5gt?Ixt;*`y;L8U
zRxj~P<D&Q9BG?;kL5BO$lVFEsAlWl3NVw3-@$j?+-o^Q51~grIRGWihoGe^|&uMA~
zMkg$zC-1rEp4Z)d?SwthXtD?G6UW|l^S$@pdl$-VD?N9{rsDCb*qx=PQFQw*454Za
z9>Z3B3|eBwna5xxkAarKTKp1jTG)+%k8rZCE#YL{z%#@6<UMbGpbEMV+<xziW6E3^
zvd6|=lyEg8mh6w9nLfjnI$T=Cmovj<hnS=2p!hNa3hFtu|5@-wRx@Jw9O;FBiQ~#U
zGq@7|EUr{t5g!lLl^L8Qqf~F-hyvwXluXb`iDjuQZcmGX^liO9m0eL5I+n(Bb>oAI
zGB{qBpIYh3ZwpPj^P&DZ+kgJIqCE9Q`%EF)<DE?GKq0jA1_w+vjWyU#8ZZs*8jFFx
zye&%$qZXSLyGo;To1>ADd>0U*8b(*Yr~Iq>W>8KXkv%f6k*c<=mMSZTaes!CLtT%K
zV4Y$(!Wd0TX#EbmA`4q0;|RimOForGm2<l4te%hdbaeFWKmV#|aTCrrVI{hBAm{7~
z%_o)KflYR$wQ*DFiVJKvT-LjNENwk>P>p)$Bc{^VRA1wUK*Y@D09x{`-lzOfy&Eov
zZb0fo3zKeW9_aFcmDo|80`o+F4C|4Q>P3YDVP}mg<FN9J<qE(;YB$oajuNUD^#`0D
ze|u}K`<w-r*|z;WcbDB;=X0b}X6scaeCFo%@dK)Td#y5k&Ld0a?u!rATX&dhMzX`(
zzm?xS5G9O8<O#l2`8D`)4OU*C;axgyX}P2o+KMve3;IZzNh4m8=Tui3DzzImHr~rS
zdRazOYpB$BqxVu)bt7+Y5<X6<H~P0+`CDH5hN`59Pc}AtT`8;E>%#06Ve07R>);2m
zQkE5%Mh%vZ<T*}cqoQoE*ew0c{sG&EQk|LXAzO>PA=fyuF+8xf+m^F6H92fqdtYL*
z#!=fJ%(*Ay+X^<d1I6qInoP>~jL%;=q1@)bvShfxXubS3iMw7gbH#Fh-9-nDhpzN?
zjMq7=r2%s!Fp}vsUVxd@`FfAx^*SCkZLWf)9wMbj))r-LD@nVI5|JF9G-?4I&~wIE
z2VF_^0$*XsEZLgC9W=>Xape>3xRTnrZhLTNw=_AK(=6HlS)_nmv;3D-4?)l|XuN1X
zXsj_U4_l0;)1-m<19u{q;;-JI`U8*%-g62A7Q5d*Xm0Q~RLKOlf2<*3A8Q*7QYe^d
zDk?8RCeV|efC|!K__B^02T=j1X_-DWk`i^lQosnSGDvNTd8xGM9NHESz03;6N*=~t
z_XMsHNDtJ{&<s*ai(338g)1Fsi~>mGJMqb<$)V}j<#$RI{*6+F_p@3zpXYkym0XhT
z#4hj4lZSW<X;%Ter3^wBAGmnINPtT5fq~%RJqa9103XfYG$ixiG1(HoUBG`=tSp{8
zhySkFw&^uZdGp{6!$y0D8oleT(#Tt%e?D(6=FBhPKZF23|NQgH_P%02a^!(Q=*r6P
zflCkeQDUgsp)ISIkxvqPErP?CK^L;>PYf{$&BAzy0Rsv~6~o_n78R%nzi37fXE9vG
z*?@@N0F%UCqo5QcqI?`66(u3u42i{=nYU#(4y7$4BbM~=#!TuRwWEwT8moDS^5z-y
z1J3kVela_d@%&Wn+0~UPo$96o1y!GZ1%}=vXrmV6Nh1ze8<Cb_U!jZ`NhKy%4fC_O
zR!9#q%?P3l6S7u=nls1M;}tX!((0`1D~5ILtoVx?W7cauNgaa}V8wGhX($e3D+VlK
zt`UdoLK<emYc>KC#)6B^9Q@0ID@Oh=E&f_+h}bVR)mqwXOMh&g9ZO!++#TK%>1o~{
z9~@7-GSMC_m~6Fai>f^EKxx};i;K@GnY>Afm7aU?MI~B#uBY^EB~$wLGX6sR7!6aH
z@879!#cZ`hUlmp&cOf!FMuy0se;ZB^h>r|_&cRwWU;qvHUW2PH2Kk!`6zyDY5|Lpf
zrIlFO)}{_c>c#O><v0c1Mzq2%`tib!md@cwBIh-|<t_U+ZQ5F+dIsvfDFk?U6NT(e
z%B!wCuqQL!;rF^X`o@Na1}vomZQkHkx9?_WQ-8iV@P)B4%z2rHqwxQBLOQ%kpYxZ|
z6e$&D_PHDw^%>GBDVKwx_F~6J*Ic-^$qlLNb8S=a@5PlC0>5_w2@xQG2|n7|#r^~4
zvYC1e6&ibm#=Y1Zz>@Cog@7rN)<Nx?u4<kgR+Qn{`u5^XYwC^mV(NsV+<BMs&d^fm
zP0Gc2Q(w;X>cQ!5Yh#V2-rN)Ki8X=vdjh^2YZ|S+=K2$2FCYWi`$Ndyl;Lt63z|Q+
zLirV2NOF9pfRK(kURF4QZ9{7S--7tY>UpU2E!H-x=fMgRf0dGgW2bw-Tzxi8#nz!)
zm*^-sU=%3EuBAb2o-K86ZJ!HHdb^_wn>NjPTI*LHA3o>kA#2aJs}^RjT<NVna-k&?
z9`}WAc*RvG?DcQiSNh42?GWh~`H9e3e+Hd(sG_s3(<>@=j@;WMF;fTP9E*KnT=hB?
zlBAQ`Unu){=USarX4i`oE`{*ZWT2i-FT-(!<->{QbjPYrE;cIu{TJ8G%!lnU#{&x=
zbNkzp(Sm<4x^;N@!n&HRuXdzePnCXSv*+`zGtq8mzPn)CdrmSqV0MHW@K4$oZEFck
zB=S49cv~H#ju!i9W859j#X}pNA-9N!VQmKLTtCHHNLDICY06P$<}1}o^s1e#BZ18k
z%qU~jDfdX_bp9A|CC}q(NSvnOis(OG!-Zz#5Xrq(&qD)!{l&|BmWN}};pM_~+d^Qn
zG1=UaoD47Im5Bq_JCtXf*PeReLQB{3u?=&a=>2<5?a^_U-&|^~?;dIGuws@K?6|N_
zF>SshIt^>pqbeiO4wMjzAS)xv^ZmHR#MB|iWpSoyop3%GQN@+amCJfzv{qP43bCSs
z8&eV?bXQolh)_pZA(VGHmDsGGn;Ds_d3xdI`kBEQ<>p%hNz3fCbz$J)*WLG%z4@*|
zb1J%L)X^Iqn_YJP<|lyPx%wOBCxAb0xIl;hWjGNxX-tCQ67%Fggp?H!DKGh*>ym#X
z58`^GRH7xtQvi{G(g*Ln_!K-vk5zoeFhx}MnY(p(1^*p;7yb*6bc7V+erx{)x7l9G
zP3OjQ)A=Xgylr~hI6hxhQPm-4b=Z6n-_!+@td$(YJp2&j@K$W^b-bi{t(`Uw&IDi;
z;{dF(W*apn(i2C*zj7oT87(W0Oq@4S9*>CcERX5Q>+s(L$`kkV`re7@iSdc)$uDf*
z{-((pew}z0`~h)x8q77Ih;of{t;9=(dMZ%MSR-zkk^56iR%ut0i!->CwD9Bu3(7V3
zmwu)^p?qb)JX#u5$45u`F6vH?13v+1p=C;a*_rleo`@4zYOJ(L5lU;4v(DWE!ayGs
zITf$e8Yy-utH^hy#V_QGmPuk)<)NM){AO@&RuSUlEuGs&6Uni2I+9=cN@#d;ayWGN
zfVnteR=Pde*{*KXH|ig|TiG-+I7+u9_JMYQud1*sjj$;}U2F4KnY(I5*?|u$hvrJ}
zwy7UDwF{4-mY4P%@^&6S({JYD;tZy{4QY|PU4tvmki(<MSysNqS3`%#J*E$dcQcwN
z4V!1&u+ear4u>YL9A%weo6br@^>hl*tGR<{sMw9w<~<#HvP?6})5x;&Ja~p)O{f5v
zfFU5i4c7@=J8+!?ad?3TW0f1ZI%61dT;<TB>UJSI7zzOISath934HEalV_~Fu(sje
zH4S10l$y)e<|CIry{>6`T?=#01~4yHF)!1r|Dniv+0WUq%qbt_v}pI(*W9y3+=D|P
zwR<?fE^!Y|k<<ElwYX<ad04xL@2XwX&w{vTR{5fKPaOAn#XU0yMeFB!?Vhh!^;3Vw
ze&$c>$A89t<`umk<U1SXJ+mNvIrd}XU6p%y2K}(;htf#i!{~CWWnMwmx-x!DYv9=?
z?paViqus-IImJEm<$mP57L+en_0zbfABmq0<#7>*b!+aC?^-P1!*}__J!{9cc-q+I
zJ!|1P{T?~44XeM@#typyV_#H6_?<=@Yhjk~Y?R}IR4Za#&jB7r#d*M)^M>>FHT~z8
zaHaP2NeDXqNMRnO*d|O*u2>!%Nye!&N3k-&x}l!o_!Rw%_bh8t^0EtLBK~#a@`p1n
zGq;|mUwTphw!RVoaKg19X_!`4HC@e0`~!IC1j>(8=C_65zhhVm{58-|DFv-yGL(X>
zEG3j?VLc^0-+K7r9S=Wz!4oS_;Q#DHi7G!*jsdUh_nP96Qqh$a%oeMVT&sLT#i?8P
zpWM;sZWuOeuuW6+a&zXg;XCdazT@q~Z^!?y9eKx{BX`|3a_2in?j&Iv0qY829mhBF
z<sN<Rw3%sOMV&f`LFsPN%ZSMN;9*iQav?pfRoJiQngH}ip>!Ha?&S{w|5|G(luU*~
zt;$9EH?h_}ZTKVdp5KnDHrE(lshCAu-0%tD;iqcK@-4$F3>N$=<7DE7YXElwvetuf
zGhm(GbStky+si9R&~8*b5k>h?X<B*Wi?`hJ#cMvg^3ek`U8b%Xj-B&V-G_J<eK0D5
z0Sla;aiy<Q=|iF~A6K5ZMm~Muqr|<6=M5SR4bTrXiK<aOlve$a)e0y${Kg}}`TVW7
zex6{x^Nxde92icU(!+mRUjAS7SpkjOOPt*)Plyg>ZwKx;SbBy%R{A78HW~(WI4im2
zXD3lA*q;RfQYon>R*pjwZ0YyP6Su#6`Qe9`-+en?rx=Qg7kd4@n3pm}DzaVA%ML0y
z78l;FMy2@9{dXTIc9}Z)+%2W!ciwUf36pcv3*7DpTPWAS)neUh%Q}LlsG>m*L7uZm
z8;80Utz5}GsPR!Nt?1ZY-Sm$aU=76J`-KreYtA~bxc~NTKUSI+H;XT&|6c4pvGUg|
zC&WL1DQb98c}{sZC@u?{V+}A`oz!s|OUrV~%sAt3Mkmva;)F`oid_%{Y$Ao6o-i43
zr|bxKwzYaP(Xr@!Li;)zoqN$A_78XTqT-l;xU-O_e2yA!Ri0CAp#L8W`u}m6{=s9w
z9}uxw#bfZcz8FqeQr=j)TX_Q9r1UGSjg;Xg^+mM-k(J$s5mZS$iFK|5%k+|x*$#+r
zti+oW-{?c-?gH0Bi<YVB!%WEFopxxCTw{;HK8GeLR!S?jf8qS#@mA6`M3<i&FwK+J
zs+t65EddW@Ce-nXy&WcdEYlN?4d?uU&dGGRyFF$%wVpqgp6Y4|b<dP8OAdR3BZ*YD
zQ+ZoQ??Cs)>E!H9BO{J@$QkSyjpygO0*;o1vwO0od$zp`Rc$ZJ#Zz6`M6yR2YU>)@
z*M*&X;&H?37PWxW=`8A{Vol_r3%>-p6^2KwT<1{px}QnulzZ~60xQI%%sr=fofQu;
z^Z3RcWELIJk$`i3MdY-YdSRzQEiBir`*~`nHxe1#+MQZx85<k!DkN8WF1@;K!=bLi
zMn`ZYJTyLN3-)Zt_biXZ;?dy62f7wwt#ALE9dABVJb!s-Yj}37Fo2<8t~yr_DqD@s
zfQnHB7PQE@rAYMyV#1__-?0*v?z|J{LNZ>JQ*?nNSYxw!+kFj<wua<H!O>#H&o-Y;
z{Jht!Za2+u9Ju!Q@!`UbiKNN6-L$Y+{)zX*S3jgq8GFHDNRKrdeZgmBw5E$LTG|lU
z@O&!XcWh|B`%*IwL^N8=AKd!vPUZf{;AH6w&Q>S>um00Z(3}L_8`L?}EwHGNv-q6{
zBYP9-6Ij%9#h87oZ&Vf7WerdjG|sEVqQU}XkeeiM3SC)DkVdr22*wrjxQzJ6_rqtD
zFO|OfxhIwLuA5VOmEO4nrqX|vexdD2ub}_^=-;}IkD-4u7Gai)<E&$j71ef4=?B-T
zFPyTex1YL_Jhut-^%=zJ#IdF}=n!hY8W}Zty7@&9fkD(5khNfCz_F}3K>rPQ@3kFO
z_?|#fTFQ)YNFf$P3*0k$bbpnCHPsol)cYH9{=CPJS_4z(TzIHE9?m<np-op6ib0Pz
zVRNU4)7U{>Xbd<0W^~6uV0p{=@7Wq2F0?ew1#+tSgM~{*+mpi>PY2Fn`mOqQ@T2a^
zsfI73;n5E+UCeYJGh+&;MQE$04lNn_6U!?ltcH|WJfvWQHOwOfiUn*1$9hJUUL+49
z;K*vh-;}p3-nf5YVE>Ja8*n}KMU&as{))-jYcjpvZ!P_k@>z3j=IHq3(M)Z9-|p+@
z=C0q}$7`+WGsukW=o=~E4DDU!N9*fzg}!{f?Nh`z_gep3ol<%BBI%ZE$0}BgS?Pm^
z6V&2WvZY@tu7Qs!Z!TT+u_mR?q|}Yyx92|G*|z#Kby97@vvGZfPpdqOL9^H_*(L_-
zu%=;DTGI~2a_@vvFS_w7w|#6tag}~K@Uha>0-iMBIj0N{cYL9IVFjDhMKJbsQSm5a
z0}qw1R&IL;4>l2!@zU?9v;0NyU~5c=2Rog}RVjKErBM3a#Jzjjk6#S*w$jxf8z}u!
z^qF7%l5vCj95_AoOL7+KmtGKl-q<o?Y<cOYXhOSx_2b69>I>R^TztIGT&pT4OXn-^
zQ{K14e|UDZ5w-L_Z9G@~6(mX;ISA_`pLq1l>C_?X6P;fFxmZO#{JU~;`#Y|foV?;4
z+x6@8@m+m=yN*v!Uq@27Zn}HNR4O&Kqg%Uf9J=hC=kLAi^5Nmj@7jC*J1-kr=sfR+
zty^!{+10g^*Yi5}CZ~26`*%;ZwodKtAJ{#a<XBb2B1xQ>G4rQ$T-G>XECDfuLrbl#
zF-I)FQT^uRslDo7pE@?8esA(r=f<LXo4{E&`k4jJnDx(?GYz+WAQMlw@<x;L#u3%n
z@zOuza3It<*YB+<Q!2SU*&6R}jVbbxQ<tmG(jT-3H{-M)#!fwjx%occLtR<Uq11Ef
z@h7b4K*@`D4H(^}>rAEV<T&-`SRH%)lQIgAeMrq)enXg~*h$d)E!JvXZ&HU&J*oG9
zqf)EX0+w#j%`E6k;(%`@-2j|~(r26%ps3HOFa5KzgZLpH^!p_qNPFDx)t@oP6#cQc
zoq8TYdD_F9Pdz1Y?guV5lySkQX*bYDlgktqC00Ie5wHCIOTQ5FfJgD}%Ciz5YoD&<
zb`u}6N3wv^`?l8V-ETVeq&lSP@3^t_2h_vkdlpxJuYN~;FK|*@k!}_LS9Qn=)ebN%
zsvTv5Tbxlh4xjoV&pNA9uN*q{&Y2zrH_CpEX=4)cR^dv&)dvW`I|fpusmky$srR?a
zNH-zBLCuJNv6}HJxgFrJD%*lH`AvzU+Z5S5Si;G`BZm^DTV|Ah>m6Efr`*GrY`%G_
zd+?Pbmwa{Csb`f_JOA}HHv*;&Lldrc@2L;Zh&eH>{zAP@eF*%3^ob;6F(;%WCLv>J
zWe|*r&M;c<jcn-I*f!xa1s8W6DJ~Q*-n$fXFW)}jJ^H%IT@T&&SH+3K>+XH@V$pXH
zp07Wtk6^s)oApLG-+YIx6;!RQISOH;%-x}YrFWfmPu}23g`NJ~NWvYnOqyyNeXe+C
z&=zRS)R;#GTY9Dgb?z|aYr<_ctM*!ZqqD)+(bXGjU-Ub?nPA5@XX&;1nNBb8-@p2M
z*fjTIUK=Yl@wLp3GwGaiYUOSQ&*23oknrUayT-zL@_zUJ`w!fIf59|VEDo85`uppY
z6=kLLVClgFH(Yb<HLp2#jljV+<$Z?ls2>NFSM%_o;%!v6xvzG$gEQNe%ikmPEZnPn
z2=}I}5EMAi!DOIE4K=FK#}~_e@NZnFwBm|i+}Q5AT6y1lE?1zZY41`kd>+3Clp9dz
z_7kGcEq_ldx1i4LW1`M2f49JfzgPWlylKB-hp}Be(}1?yMcblbMQghR=jLt(?OLr7
z1@VI7zJEpAW1=lyZo63RRZgn^f%{sk+9uHUYqSl^HjKxK+SFGHxkkBvdhUeJvd^OW
zo_dP#S=1HOnSBqQZ8yACdv6i%4dA^NYy2wQv-%I}sNtjHcZ9zUuF?yJD_0-K-*-;&
z_a1dzc}o2*`bd{yI;u|LOs>b#Rw%c<0q?q3zN_4Jg*vQ!TKzHZ%a_~Usdl0U@}JOF
zEVsQ^?N@$bM6`@`u-x{vI*B@DUqV}Vx$U7<uW~tLu+_Svu<iiidvdi)xk<F0EAN9Z
zuYL8m(8>M)it%FSqZ4v^9+u-i>=Ipz2;AEZPwE=a2%`!{WQYZnRBTPstYm4A1@R5X
zS)hm=+Zci?>q|1~fDs1<Y&Da6VQU>NZ$itP&~meA;ifxV!?=cFT91GuO^LrG(Yk_G
z_Oc6C-nAds{kW?i-w)&aVSMM`FT?lC@ZEy%SK&K146nnLPJ$cgf~)deRfmmNw^yeU
zS9`bq|Fl>4U;W-o>|U?k;cf2V)#+`n)qamQdA&_d-e!k(-PzdO+=%;}+I456*W1|S
z^*FVwet(^#x!KX^YtCuU?f1Cc9*^7Qxg7tv@qf?JW?b>Dx%5o4+lBw!&B|*$NE!FI
zou1NR{Wj%O&G-{;Xf7Qo-**Fg<FlU9zpU@qBkxBZCHTkcPOOn(tdaG5Pw+8vGZ)MR
zE=%=qm)@q1zH8G%eC9Ct&7_f)+1Bn?2@6Vp#{QwPd(@9#v*{K-^L907$QkW;rh#YO
ziL<MDqY<6QH(Z@mb5FaU!F^u_JRf>_c=(7q__if=bnqb-^IiQs;JN$d;o&p(!aZZ^
z$A@ka&-@GExm>`*I$W%6!)-RmF>5Y$^+t908TZoyKReW3!-vVYVCezus;psw9|aC2
zD`?h)03%_f2*GGXIFS{hVjsTZ*cJKfP1mdYZn-6U<OpFspnl45pK<04{R!N?e1G>H
zIB}roQq!gCx30J%wsR-@TZE7J5%92PQIWEG?@++UG<<Go(%7Smn@+HLv@w90DGb#P
zFrhlk`csi$W5Tki4ixdVrP1j!;=76fUhlMNb|Wr{sA)#va0YzxapRUVyjzTg#X$6T
zb0d}SW)e~5-Q~kmr1xz@uszz+=x8=>GL3bM?+Gius*k&U?qJw5J%#I#Wtz3>R*$JG
zhQ9_+miZ~nI~CLfKf+%tK6M3U)RomM)n^U2pOKa{Tw}uV!0iwu&x*S1kQrLPkds2@
z>3!gLM$p4vb=dHJ@O_Vg^@i8so493Jt0v&r0sJBv0YP<$Nrrxu8A-d<8DoPl*4!NP
zH5g}9cX~t}_Gbqo_0E{TsmUL6)<*`ievWUCI%2pV^XfSBdl+mXs*CFHDd_gOF*}-e
zE4$TjdwW>jt+>;p>WDux6wCDXW@1AboK~`WNPWWaF5_mb#I<7(c%hS&Im<k#3Q3b%
zJ_SagENrq)S@Nk=-ZEv~q&~4>q&}9(#Og;jNM5oV{XPKNUJtYA_hn$tkEWgK1!^df
z2;qXW-PI?UKNHPnqs*ZJ%#W*+h8f6Axu1gFf1&39yz-WBIF$<HqfS=#F7VuE)xS5)
z8|U!c8F`fji@v&(NLyP3ANB7mov4_LDa^&=Lgogct;)B{MP&nFQ;6~WwrU|%sDkWB
zAdv_J<MD^_3F5mtl?bq@@*)1z)m<3h2aLnwJ!S8iW?u*la>lum|B{zp8j$BJKdzm%
ztbR#9Zdt$LoyzJb)FH!p##(5;YiXgv-|$uzz%XjccTrYWN!58msjPKnvnSD^4t1NI
zPIt4qK^^S&#eH_I??((fjaQtZZ*Bcahx}RlZdh9MU=2OeZAM(TOC447X{~Q{^%k|$
za2&dpo_EG{R$34is58`nt0%R3(|>4ue25=UDCEIM?HtPHhK6$4p^mUW5Do|YbcbOs
z-l0BbxWstv|GNLq;o;7Xk&zBpFz9jzgX&|2Y_3qqWebR;^acW6FIG4Eza4pA--TYt
zIO=LI0|ZqBDNHcyc5EHRN9}L<MDoM<;F((i)4v(77SFJ@y5K%W>Ul;(8KdO5M$iaz
z?J3U2;V!%Oz{abN;iG>0p6r`j@F5I{J5eVf+n|4AC*lmeOog9}=`dOv4ErNs=yOO&
zwfq(8#4VY_hcmaJuLJ5AAlH`8(3gPh?0t<1iPnSXUlHB8Gx`ej^-~oY7V4=rb`i|0
zM#XF1thm(VcgF7qK2pHpl^PCNIY&wXxkMPvqXG>U3AVuLRTpjDaReW=|HH{owBUn2
zLcr;@8cxr+<`~Y#HFu^Cue@sGfn)fnkG(m2PYXU0uX_R4`{B!wHSh>kBRZ)pUa^!Q
z7O)wE<OaA=_X$yukpjZpk;`?c{kAY90c1nimK+$6{T@<Jf^TmG-!9L7HFu!wA>Ssn
zJb0SxwNi-VJh1GAG6Ppnf@@3uE&Kiw^oSm#1#6YmDD81{5oZdW*P<08x2QvzF83gI
z2%MpyI=(42=}!6E6>qaYKzjNhWaC!MhwOvCTVaceN*oj)%+62Ys2|Vf6>ByX@~DWD
z_r`sled@H@>~=cgRbBlW<lYdf=*T|gULJ?iuT{!M91p^HqV55c(F`EmLs@ks?aK%l
zHl?O$H|abLGP@6hQ&t~ZH5&G;J_XvOO<D2XdT|6W!=(3296dU5YIb-Q_uh|tx0UY|
z-Xa)Du<&^jCjzRs9i5ms`snPJdGABeRrjc0M~~$_)k@us&tm1!HGsl&co46^-8+T_
zJbysW|NY2$l4DfRCOFpV?6o%0R%_W&--s${%0oTYWWo__NIUX@SXT`DN2{ML{mC%A
z`W1}GgE2Ahh+aqXKdZ#Lg_6<hNiiqCI6O5mF_nr&Q>B;GfzHmNnpYxzf0V8}^mX@Y
z(r{RenSJSFmWnMS@_;81On&%la}#slAHMiv@r)7Ad=Ph^{)}8I8ouz{VLbA+J1)L>
zxctmhpfJW?z;hyCt}HLcL36zdT<h<|^Z5UxvzQ*@{O;8Sy!UlrOwvCf`#^vkCg<?i
z9vvRW{6D_hW|&$1hzk4KV0h_gf+qH?b{g(q{V>`JXoC+O_uaB;H5_04XS5a3_N>6g
zU8`Qhj@7TiAodDLPi#sFPu1K2F(`dd)QUie=huzqXM7t5&i{Fj$?b|+I<R@y)d4s^
z3_89@eO~KFN+)UNQoW+u;gV^)VqJJM=wb)^Qb$A&CUobHQqe$P0w#=@wMyy1tP?QN
z>^L1JsA>gl-)dk*^Br@cWSWq9njOuS^CxR#5dqu(>;68q+J!xE$RNQxDEmpz*xTfe
zCeFeX+hAk>&6xqa$5%f;8gw)_1suKK$mKk(QGZQmq1oNgkNOYF>L*uIhU?ImNA%UW
zwy&zlZY7u-wKoTB8$<CHN4={i<mmfuN4~i&9;os52AbV9mJvHWQp)N#;rHo;-$$nz
zl0DZn&9qL-HcROR_>^$p&8soPiPet-!}^{R<AX2~o@@;In!IWF#UHJ#+<rS~X9w>6
zu%I2R>6d;i=xOh&&+z`$&w-xuX#0WI)`+%Gqiq6h-w|z#t5L%vt0&QxE<by0b+h5G
zSKo;?*c~tZQQilc_K319?<*Y_WBD@H{d{@d>w!P?X3KSN>}zHys<p45JCMU%^H}?(
zmynO-_ebFIFLrif?*U^?Vyq8qV-+=^#aOwHxY$n&-!%MvgpS+}8F}-n4fjH=z}?(e
z5ng%ReUdB=9EUjKb2zmlapJ`%Zo27(2OsR(0&wx3Evrq2Pp*CvD}IOIEh=V~Pa-B6
z@{ulW#@b4!lZ*#8enYk~GKA$E_;*H#unq|G!<f^<Hpa(?Q2Wy=%RGs&hGvgdoNlQX
zNwau9SttbBa0F9ZptonthfKo}m)GO{KTC_jP$;;#RMVeGM6uEmiGB(1`=NX6Reu2L
zBMq1^LXB3cBDV^eLizt{vR(htUI1Na_Bdn@<`%y-8yUah>IXia!CE=8$~r=2nW4#W
zEBCMQLb{VhiCkpimiLdl3)$_e+itSf*y?@X80u}a1!|pkMV&Omor``;18M}m%xBOq
z<+lmYa}6qG6#y|HcD1xKdgR|vocQ-6(XLA`zr0Ym{PIiHNO62@Y`oag=C4PYd-P>o
zy-=Mtyc@M5W$YR2_^`HX9eO1%B!{O`#HcyO*VN(4*l`Dx!|H&uY73}iY2vHiaM+7t
z51(Pd2Ygq*96pi#wfM?rHsLDXzaMtcdyJd|#=iBg(M_RGa-*QJ42-T=5g3|c1g6>)
zqXsOPkro4dsRl{wz75wL(V_X001i;x@%qkJ9@Bpiw?>>o-Dh~v=&r(tu?inlw#kRr
z;)BX}wF~hye6(+0c%7%E#p4czeu5A3lv>ouXPp1!hlM~Zq5N4t9|@tKaV{PMbljI)
z|L&KYi-QwOZ(lbTS7cATN1p@zdfHq_S}4y&MbDv)AW!-s0(ktuT12=IX;M8O)rjaU
zT(e<VgXZ(vTo`voU)fpunLY>l_4K)rv_aamVJ>uwoNi=0Kp>5tjU2q7(`q;GtF(F8
zH@iKxS)Yq7`W*QG$@xr!{-eA$ir`|5sV!nIkb5cSpat)2`-Xf!GcR2D&hrxL*oMC`
zzo!{j)^b2Tb0z4E(OK}rRg-8nir#JPNcoeYKvT4~7heMj@l{znh2QMzZ*(+fE%Ne4
zeG>I+g^se?x=I6f9dBGVbj|4p5}gfqX}HU(*Z2_)ictk6^|W<8t-tc2p`nNL?^U$)
zZteX%L8sb(ChSDv)B3*vL|@axN;s(lQeM*c4h`K~p(35Xod;>g5?6h|gI-;M^CZ{_
zOkZl2Jog^6h?!&N3^SQ{M}RXZ4B<rjY_oRZLDRwX-aUJhYv###-t260&z|4th|#Z{
zAIbNg(clvG{OE74R6Ej$8~9mkPoDumX{$F@XGK(#RnNYT1EvEV`|er0`nFscTU?A?
z_$D1=`jzWXg+Fuvt33o5>w!Dw_|*$e#G0$*M7maLB95Ss(hp7sd~xc)o&%{PrvHz<
zH-V3;$o9wYty}kAvIhtdktHf1AcpQvClL2+jVJ;VK*hC5LWqPUlLZtV_iYsSWgPcy
z+_!Puhf&;@abeVP7)1pnh!7E(7!lF_eb1@7eLEpR^yzzV{_o%U)T#Z{sZ*y;t+&!p
zeqfatzt=Ix>{UAAl)dO2RK%LFC%(y|J6$QbmDP<@(3II*htvKBbuaoCBwhj3rH{`&
zy7K7UW93D|XO9+-?soj~yG6`VvqHfC!xr4OxHN(06keIqOuA>9_k_~&Xs+FR{(+k2
zJx4T;VVbi+^TnFxZY8-Z&7_iO2Q(#tZYsp1d-m|-J-SEiS&qjsnAgTSYdGknSDU+|
zSFwW7(hdVXB<ZnaT<6uKSCuo9GP4GcNS<&I{^78$k{oSk;J;#uuo$^V{~=klRMBm+
z*18O3_v>y1Ry%iH+oU@}=zlcPk-b_kd9^(wrFZ|K!&4?4u)l7r<WVv`y?3SvTO)TL
zHA2w<Swp+!gNDJZX}51Lhy~b6FIdw-2Ys<cn;`UM8)@3X2{OnNA@7>6*0>&17TbFc
z>$lsk*=gDCINu5O%$&K`0Y?YIX_;vw9c3|Z=ArGcww_?RN_R$H|0_g#9J^AC9^Ida
z9PI4lJHfr9j@s>@;{y4l{9R>H`|&vi-c7V{)0Acm_+RndKj|xax(!WDM{a5|eh89h
zZ=DY;MEK~kI^L8zz{=QVj{yVr*d@a{fKM&{H2j?K20ppyJ8aj?%w31|)h8EJwmM&U
z4Q2QC`?Eh|P>n=GBTbuV(NF!E9wxw)iS$*%iNo0AC)Oup*J?j^?5I&=VNJ3QIeqMc
zYHVE%+k5X}boB7k>q^_0ZkNLuQCoI&sE4|?gwMJDzf@PMC)GExt~4v^+qtfV^%DbK
z>N)~5q4tEzvizyGtwNg)=Ns?4>KmQA>b9lgNc|97DUALl0KJpbWdonC*nrjX^Qoap
zeemz{QVuTZGh}3P_pEqiFPVX7>TtVq?5F`lvr-pz!xpdoU%(_iVfL=SBIZ$^2qGa&
zB$SqPeGr!2l~CN~NR)^{am|s@nOA!#4Pxa%kBu5WuM^WmY##O|uf{#--u#UtjawLT
zF<#LZ%JkJTtv2cXNP0_hINU@ceTkie_&q_AKFs4wusF->PMwS>zyq@T+M~vd8D;M)
z`VK32+TLq~)+_t_PO)#_p(Fbx4;VgtKyts4L;GIcMZt*JiFi-%8tbp%AKmZ(tFZE=
z_Ed**^z5<HdAor=I%K6Q88rK(FU30_*mXzd!4vI$oY7;(jCS_1Cw}Csl0>cY+yP^g
zvxg7QP9A%}@4KiL^tVM~oN*p_=|Z>c)x)?%Dv#uk=%ZOB>6rM~qy*37<*}oVJm$zz
zM@x~DJEV`5>kb<^a+sTI^%;^Y#toi1bMXGtGY0P7H@)AGA^p<(?mm$AghZ?kI`|6k
zh{mV*w=;>m;a$gHk02T-X{yTyc6x$><v@bYIeyGhl}C*^R*J|3aBAe}(IdgB2};vO
zrWcM$?w6C(FL_KM)4}J(*0IoaG)nv5lha|h(z9Ie0rY9k&{2znKg4i6{Zg>{fWOg+
zGmY_dM!kab$4}rAbtMUBS46vvyeNn-e1=#D<ku9v07L?3Ik}jRq+=%Ahjnh(|BA||
zd9*Ylg-;DbH*I*rptt8~mu@KT9=rQx?K!mXArtHg1A31i5iJu3$@BqxWbYLeB@+LS
z!OnlT@0%#^FqC&@LV58w)pZ+eR~`*Ey=j8dsXS=nh+p0*CDCDB%PW4f@4G0kR^%C1
zS^Kfh^ZEoerB|IHaA(8pu?#CO*tAPD1Vs*q-1Y5r0?}Qc7}{^d;NAyLNEtD>Z|^03
zS554-c~)wlfxU+ewL&5-H7UjVZI^Bf8V?6gE>GY|w{1W=kCqrDpYb*TP5EIpMM@X+
zec*Y?y$7HP4(U5|&r`V(0(PI?d&m+I+$(#J0qIH92rPe8=D7)FcH0h#Wyaf~bD3y}
zgfbuFhUi>oe`*LW(`$=<7=NfO=pEhxs17|wL+wCfMk2QT3K-4b-O86q(Nn~9aaFes
zFg~ew-@zkNCLBmJ*X5m<fAdHyB`Gycgsh=MdJpWAN_XdWMd#WD-+7F{Ivw{VjbY{#
z+K)4KjkSxsgz!Dh{i#xT^K&h)_{iM=L#sc6+3+d10G121+rlVvsdmeRG&a7ydR&J)
z*caHO-L7$hN!Nqu*9&hP&(UuD_XqO~?M}h}JzA{YY360-AGJH(7>GHr%8UO7Xid@X
z-bOF$IORrUs-<z7rjcwl>TqGCV2#3gP27~Ra8gSon9@kHu7J)lC5?kCt?RWLR|4fJ
z+AWN9d7pM$#$?H_mLR=MNMjq#c!pl#af~sxm)A9x+IQ*jUPjod*6t)D+wsauF+$Ft
zb$FVU<Fsmbx)Dys7ko@xrZFVBP`i5@naM{eH!6{xtZ|~gS;?pCaAEXMzEZm_xbM+!
zY4k~cwxqt{<i?unxy?DDKrk?dV2EKjr>L@ic2!RK$xY2w^P6%e)>YIuHq<vpo2x2w
zM$T<+ZrEq+*o6xh=0+)5Zbkk4v7^T1EUamsn=`Gdsj6`Sl11w4nsX*c=U3&tS6<)J
zSW)$lTxI8!N9&q$rZ(2+lvmBKnO$F7IjyR?r8e3a$_<19`xccJ<0%@>K?#v=Z!aC<
zrWBXWtZHnksjtgX$)}c+BM{hkZhdn_ecghbU~V9He8Il+qw}ijo9E=#*31s&=I0jV
zg#!iMW7SmEH04Bdnj52)Rr8~b^K$Cv?1%?7bvey*t8!-4)euL@o52`lud5te-<VU6
zn8uun`j)!p#+s_8+@4uEHQG{}Q<|G|Fp_r5)aH{Ls;18cWz5X-`Z>)Dqm5NL2&k>8
zsH$s1*)4UID2<3IpExOJN<&qhN<2v=7?b0%E0`P1&0%CZFQJJph}P6bXV+G##*5}e
ziVn|-Ht&<8$!V%+tZ8U&%5AEt&8=^&9y=v6Nh8^gqRN^k)OU6ZF$Ap>t;>0@s61z4
z`9E@si^?aKkI6Y=;`D>3%$S~YMA5WqMU$sbEGy5MGA*ZM%H-0C(<e@u3|}OtX!21x
zhfbVaIwq$I!i0)doz&1+)zp*&zShidsI950%!Sxg^<3ecIY>(EXlkgcsF_n!ky9J3
zt8R%_SB=SOsA`;F(?r6<jRhvouR+tXzq)=wRbyREU3JdMkiDFirYaJF=IxlD+cRgn
zh_@%T<+ahKxnRnos>b?q2pD&`+M?QKln1%ViTcj!@~Xy~IY>JZ|0t&(iuPoq5zpXN
z<KI3v8#zV@R~mybW8&^mf;)`RBBK)dW*b#-mm_x*@>SvSttR*<8g)hmVjF>%V3gx3
z5i^qUHzRx>3}0h$ahm>ek;224%Q@#GZWNce5L7iISB^0a_?uuFjRk;&EduOyOz&i1
zn2*q$oNQ22Z?qs)g;ABW3veg+k*6Ff>zK-^NK?-tM0XA9Qg74(FO^db47Etv2u|dJ
z55$jsQRh<Jx1Iu5B2EvZ!nZf#I^$FMrXXjTF%xl(D7}U$CqDbwry{2p65#UYB2_c<
zqYibZ&kQMbE+*XtpkY4fn+JT9W)4DYxekOeAEp4GCxwx^;3v_VSg#!5qt=YVG=pkt
zBdQs3Wgf!nQR>f?gBr8}VVw(%IryBt4rP)2P^*^1r6fj`UWd@JD6J83R9DJFZj!JT
zZhw+ol8xM-C6!ZA8nt!~S~nN)V2zb}!p=!*GvvPk6if$gif6uL5=Z9%&qC%K)mEjT
z)`EnxEUJ1_U5LX}H;*&r=u4B}pThWwXFldhoiI>O?J8X)FJy8ODC=CVM@<y+6$L($
z`PqO(r{D8P0wUn;;jpP?_JQ4*J58tywL$}8sU1kdYhhEXRipK$ApfK;l=wC2iAR;d
zLVATT&qk|w5<<P6C;>!&FXDbP(I`i6&p|IEKYXk`j(}@AT679zY&v3(K<qU972#`)
z>4+=iyi*WD|1fL{LQ6TvM0QhuB+5z3CmTn>J`}N(hPYh?s(fjz!qtfeP)c%0a;xOE
z2K}W0oFMtE<oc6#AnyM37S4ejDXd=JCYFi{V4nk10j$)1b*#OjfK^N<NoFH!IHF8x
z9=~T%9-@-!LT&5ESEDr2w2i<>{k0nSPevH&)*L|6#hw-*ihfM;bAOi1bk<0ouFb&{
zo}|6I>e_PVKod$*eQFWYPwA8f^GCQ^v}r9uRsEE{A(`qfw3^EyDV(G6;?^}^;KI7*
zF(~nFelES5WZ|~paIAy&#K1QSUoq^32H6{8FcykAh<v1?^P!^0L8TX>TkVUlhW3Ye
zl|kqxKx`)(hd|^e;WdWI5X7nIfYU(AbO`fIi1LvT$ys>!{utv};{oF};}zpUW40-<
z+Ndz4X`7Den!WH%X|kDOrkZK^pe@79G<zGDnSIQ@_;$P>MDlyHzY)VbBiZII=0I~-
z<8P?otL7l%b^J%|A?8ps$K1`_-Q2?*W)3$;n0uNd%~9rPb1%I5F~;26%r(cF0eoZ|
z!soVOGaui@y<xm*78q}t<M2P##+!xaKIXpWe&+rry}o^rS!5QQC1$BvW=6~j#%l9m
zb0S{1In<nF9%jrjC!15uspjFvyT&r(@5Vz$wK>f!$Jcu^%$ep9=8@)6<}CAQ^BD73
zy!Y|2d7OE?d4d@=XPXsfrCDXpF{{nFW{r8GInS)c_grhtI<wwvFn?n<noVZ2*<vm*
z7n&y-?;GzK|G<9^n`<sIPcct5e`}s*o^GCjf2?tqdA50ud9Hb$dA@mp`8)GM^CEMx
zd9itkd8v7svBA9D_=|akd8K)kd9`_svDW;(iC0RE&y6q4>&)x%2Fi&Lka_4zwfG+v
zHyL&2&E_rUt@w8EcJmJNkLI1`UFO|*NbX+qKJ$L#7V`n~LGvN=VF>XL=AUqx=n?bJ
z=A-6grim9mp-9ZfjVAL6^GWk5^J()h<`TSb^o;qexzv2leBOM)d=alreQUmKzGA*=
zzGl8|{>^;DeA9dj?=6v<TwpH48%TdQ-!b1c-!uPVzHk21_@}wt{FnKG`JuVO{K)(m
zFQu$BSDCBLPmNE_HD;^1*8I#|XMS#+WUe<im~G}4=0;-?I{YcdZ;eyUFU?KnSLSB(
z-)6h{wb@~QV{S3OHMbhK;w_@@%x&iP<_~5JA7$e)Jz)tcY`jY0ieC7iAIV0mNWp6@
zX(HYDoyfo|#l1xz(N|=Ne#Ys>X~r3%zj3A*AhNM%Fi`9&28qF9h!`qz#BO4Dv4<EY
zhKmtmPcc%A5~Ial_&*|h8*L)jcv_4V0TC1-k!O5{6SRC$V5~PbigEa2rV!r{?<@Ah
zwe<tUf#M+SnHS@pYpE#1`xz6&!MG}ah&WVC5{HS&Vv3lG*9E4Daxq=Z5HrOQ;z)6n
zm?e%D$B1LaapHJ!f{2RQ_%@<aREasFTFezS;zTh|)Qb6{PSlGA@f*=7nnbf`5evjZ
ze7AeDSR_snr;6W-)5PiG3~{D7OPnpv5$B5Y#QEX^@jJZRagkUoF2-vfmx{~8<>Cr)
zrMOC5Ev^y27uSkE;8l<7#SP*{ag(@N+#+rjw~5=u9paDTPH~sGTihe=759nz#RK9&
z@sM~J-;zEe{wy99kBP^{6XHqn6uu_?i&!H5DxML~ilyQ?@w|9JyeM80FN;^itKv2B
zy7-%TL%b>85^sxT;_u=e@veAJ{6oAi{wbE@OY0BBhhl~JNPH|l!RO+u#A@-WSR-1+
zTJf1!CqBnZyVr{iqD_1uHi|FBCh?WnjJGh_#n+-ke1n&Dz7<==cVe6PUi=_%t=BRw
zVOf^6Y|F7+tCy8zC0i+0s+DG?TNzfS)!XW0^|i9BepY{LfR%0SVhyx*wFX&(ts&M>
zE63W++TGg28fFc*M&Ntxk=7_{w6&Kt#@ZWunq#ei6|_QDo)xz8tpaPDHQp+;_ObT0
z_Otf44zLci4zh}@Vyna|waToBHNiUAnrIzj9coRo4zng(Q>>}h;np;(+?sC9ux46E
zSVvk%S+lI8tz)cXt>diYtrM)MHQTDNDy=GOj#X{VwQ8&rt$9|hHQ%bU>a7OrH&&z7
zWHnnY)&gsxb&_?mwa7ZfI@S8Eb((d$b%u4Ob(VFub&hqeb)I#;b%FIe>q6@yYq52)
zb%}MUb(wX!b%k}Mb(M9sb&d6V>ssp%)^*nP)(zH;)=k#U)-Bep)@|19)*aR#tvju|
zth=pytb48dtoyA8tOu=!tcR^XS&vwMwjQ+}vmUpeu%5J@vYxj7VlA=$YCU5;Yb~{&
zv!1tJuwJxYvR<}cv0k-avtGCUX1!s(X}x8=Z7s9@ZoOl@YrSXv!+PKPr?uSrm-T`5
zp|!&L$okm&#9C>svQ}H4T5GIUYpwN}wa)t7T5oNz+N>|Ejn<deChIF}v-NMQ-TK<<
zu)eXjSl?P(t?#UD*7w#ARtzttnNmngN@+_+y0Vu{lF2efrph##E;D4N>@EAqzA{Vp
zll|oYnJssb1LdxAkQ^+B$e}Vv?k0Dad&psOxEvw(lq2ORIa=-|$H={9t{f`^GKgEd
zc`_{XWq}+g$IC*wkK9-8C-;{J$OGj;vPc%o5?LzCWJFGo2g`}_5P7JaBoC95<rFzp
z9xkWJayebjkTc~G@<@4<oF$Kz$H-&laq@V1f{e=9vO-qMDmh11%ek^fo+#(ZS~*|V
z$$Hr!e<K@ZlWdkPa)DeZPm(9gMe-DRs{E}yO`a~#kY~!X<k|8Zd9FN9o-Z$uzmpfr
zi{xT?vAjfHDle0l%PZuS@+x_?yhi?BUMv3~uanoy8|01hCV8{GMcyiJlefz|<R9go
z@-BI|yhq+E@00h-2jqkDA^EWUlYB(}Sw1QslaI?MB=+WUza|UkGyQQgl8v*Xf!LKD
zB%hK`%fHAa@~`q4`K(+jpOeqa7vzibCHb;^MZPLuldsFa$v5Pi@-6wcTqgf6-;wXi
z_vAn1`|_W1x%`*>Kz=A!$dBa5@)NmIu9B<er*aKW_UM1n4>9h;4(085`Q<j;ShTSl
z`-JhR@tE<V@sjb3@vL!=aj%gnTa8DIKg+f9Gr3NFZoFWeZxqY*as%$4q~iZ*9)!0N
zPry0K@pub$9ZuoSGM+ciGcJ&A@(a09eknJ}ujFR=Z`m%tmL2jNxkY{}x61E~i{v)r
zLSwP~Uj86s#vV5A580+IY|ECmZ9BGW_p+1hWIM%9wbSf$JHyVjd)s~NzIK+~&+cyz
zu(R!5?1A>K_8@z(J;WYr=h(a1yW4x%!|dVq2zyU^q&><WZSQ4|vG=xf?Xh;i4%#6*
z&ko!9c7Z+49&Z=g``G*1``P>32iOPN2iZk-v0Y-9+GTdco?strPqYuQ549)RhuM?u
zDfU$RaC@3vZcn#o*fZ@T>?7@?>{<5F_A&Oc_Hp*{_6c^>o^4mym3Eaq$F8>L+BNox
z_B^}Ro^RLL^>%~(8@thNvYYJ|dx5>sKFL1WUSywQpKAZsKFvPeKEpoKKFdDaKF2=S
zKF>bizQF#SeW87kz1Y6kzQn%NzRbSdzQVrJzRJGZzQ+E&eXacm`#Sr2`v&_)`zHHl
z`xg6F`!@S_`wsh$_MP@!_TBb9_PzFf_Wkw)_Jj6A_QUp{>__ZB+mG6h*^k>#*iYI|
z*-zVlv6t9?wV$z{wU^q@+0WZA*e}{I*)Q9#*st2J*{|Dwv){1awBNGdwwKv|x8Jef
zwcoS<VZU$x(_U`>%l^Rr&|YDGWPfabVz0DU*{khO?KO6*z1IHBUT1%9ueUeYZT1)T
zM*B;9ll_&w+5WfPZhvie*x%S&>~HO@_ILI+`+NHbJLVXU=?KSiq+>e{UQ6obBss}W
z3jT*lnv?EiIGIjwr;pRu$#VKR{ha|$wzG>f(Am`)<P3I(I76KrXE$eeXAftXGu#>B
z?CFejMmeLMy__-5-cGJF)(JR4C*<TgVJF`yaK<^~okC|HXJ2POXMg7a=RoHmr^qRG
zN}N)s%!xP?oP(W-&LPgB&LrnBXR<TJnd%&l`|st>bZ3S$(>cO9(mBeR<s9uC;~eW8
zhu0QPaH7s^r^2aps+>7awKLbLaZYsRIknDwr_QN&8l2xajZTx(?6f!woQ2Lw&dJUq
z=M?8u=eN#j&gsq>&Y8|x&e_g6&biKc&iT#-&hMNHor|2s&c)6p&ZW*}&gIS(&Xvwp
z&ehH}&hMRToj*9&IoCTkI5#>s88<pN8#g((IJY{tIk!7^IDd5RbnbHQcJ6WRb?$TS
zcOGyabRKdZcK+l%;{4fp)OpN#+<C%z(s{~x+WCvK#QCf9jPtCs)OpT%-g&`!(Rs;v
z*?Glz)p^Z%-T9mIhV!QLmh-l=%=x?Xj`Obbp7RgqednLfa_3*p2hNAi3g;u|W9JiR
zrL)Rejkgu(todBy8s}4Ijd70C>a2A>bJjVZJL{bdPMh<Ev(fp|+2nlXY<B+bv>QvD
zubmE@^}LM#mELZ2INvy1oNt}2&Uel>=X>V|C*~Ti=?d3!rE9wm&TYTMY0;Cei{<Q4
zV>ja}<7(qdECesba_}zW4&w^97hYw)!T6(_<R%+`Fs^e`+*CKsO~=1g&UAabecZlo
zmfO$mkEcbm-Cf*)?yl}2cd$Fe9qQ&7Pr19fySsb1!`$KS2zO81MK3WfHkKQ!+)?gm
zcQ1DgzF7E|af$JP@uBgN@rkj*_}EzK=DK6ufE#o}Zk`)<^W6e>oIBnvboX)h#Z8?3
z-2>bM-GkgBx7aOlOWiUz;!bc6b|<=rxQDuv+{4_-?i6>bd$>EzEqAB8Gu)Z(5$=)h
zQSL1FX!jWRSob*hc=rT1>dtm6+)B5~o#R%!bKM&EM0cKB>&|!U+<Ldc{f*n`Ho47i
zi@U&G=$_=B>@IRoaZh!B>z?MG?w;YE>7M1D?VjVF>z?PH?_S{k&b`pR$X)DS>|Wwt
z>R#qv?q1<u>0aet?Ox;l-o4iSgL|EOy?cXuqkEHkvwMqst9zS!yRp=G&MlfBt!S*T
zbBbm+RxPM<Tk2{8!IDz4gJnelZHKfS)^>rm$7{Pt+a=mAQ+Bb=U##;N>-@z9Zc%-8
zeO=W&N{83MIbR@H#_0l~aGuH^C`c)(sA;TdnLnqt>ZIh7%KGML1r9};ozjXZh}Nle
zsev*CH`Yg+oiY_$rmI%QRZA|5XV=te>Wek?#TrksroKc|U!tim(bSg|xMe=|!LlH8
z1GNaJOh}-1LZ{+z>=tq+Bv2g+q)^=h;c<by0M|DVEX+$e*vFu#4CzusMe^X;(MD%t
zb4_h!l{-<@jnbgKA}Vc(u2D&mJJF{QMVF);(itz_b=Pf}r)!rNb|ytDaJ1u0ic^VH
z#c~qrq0q;(=wk9T<MK4a!kS^>kTaQ4De5BQoyiF(!}$tZSXV5p2?>vPr>IJ$O_|$L
zR~>C^nO_@i;j#n4(x9%QZln@jW~nZ-R9B-^V=dKKOPSU{Fs#$(hwLeH>l?M`l<FFk
zYOJL?Rhh=B1rj~MnWmUCEnbsgS-!@dugl8U*zz^D{4%GUbETAb<$gXF6bJ=1D+_di
z1-crAWzO_?Nr9jWMsi(3fi9syp$QfgI5U)7%+NAFgJs^H(TL-&v>Dy-Q;S?Fw+8q-
zPBm6(p|*<^zsoc~%L?2XN~G)=KL5%z`DL0e{F@3^9A%o1k$`hVbz^ivm2-q*#1TFt
zl8&gXslvfuO_OsJr%5@=k5p*JduTKf5zS~w)GWrAJgZYD3zijn{No&f;CSvCXnrOT
z@*HxbnnTe<g{KQD(o$BW6;P3u)gtB&#DKX2TXUz#Q<S;`7VG@QI)AawUp&r@CU(dO
z=Yzu2tuS6Ue_&inh0lcKig@ju%D6NH%L2O8K*Xt1!8p%mC0?a8T~$1v;$yKUyI7N5
ztPvD@dc*5nn(PuycF8!m$|oC|P76sSKczZ>%<4|XLEYpz)d}Q=f=bgBu%=6y>*rL|
zg>-3!x^+XvaxQ7Q8YR&+s&14PVyYQcqH9!A?A9m>leC>%sZxeYQ%>w$5?Wt3W1g;O
zUViGl>c*<7I-DO@)>JsPs*l$)@v;`xQn>Q8SjY40((^Pw^E4mBnvdZ;r;bsn?2$sJ
zF3u0gqONCL5o)T!g(-E>hI$;a*Eh_qa_d#S)9SnFyjse=aoW@Wo{}up^;4ZYSf)BR
zY^EC&XnOPW?0Ua5m+IP-YUwD|smgS%JYg*>b{Z3Emp{&FjMpw$maln}ud(H8Z21wV
ziF2hib#0b>E(qF9XD!eL7UVh2am-MHTq`8gm<u%K0!?S3mQH*%-=ajPMR$u9r3_nG
z8Mbu8PpvJ~paCh<id_v4@Ox@aOKKTP(#o*K=U<s7zf99trs*rw^hJWsLZu8BDn=~y
z8IiOwt_)9B%J5`AlB6hDrc_z5ETV~sXt9BGEn<Ahi#qi~C_^m<g`5M;&V&U*N{rDR
zG(+>bQw2i#ELO0+aK)BTzRDj`;~e4@qeFW93*~cr1ww^Nyh2I@kWMMxkP-#>nT@d3
zs1@?sT@8MLkZO0>nhvkQ@o&qh^W&{<ZF2{LU(->j@fN6N3l->c3%LQ1&Wrc_y8J>d
zcS?W)p>diI<8*z-X*%$MIhQ|9(}90}r2LwWak|`by8h#I`QtRd$LVs%>2j5}4}`|+
za>na&#_Mv%>vG0xyyG?A@fz=Vjd#4R*LaOz4VS>H>s6@hQ|PsiE~ilA*K!e3qh26X
zq~e2W!i)ACZ_PP=jtz5s4Z~Xao7vTDP0Wq<n#iI`4i>=NXxc<yYAKkzVQw^Kq9@(C
z(Ih={&5fo`jLR#6iKCdvDp#<qWPIFJM441~^U{S%JXaX8RupALJzAn3EzwT2;0_Sx
z&7dWkK#QIWP<B=kxluPtO2WflQl?xO@q=+!Ufh)*ca4j?3gfQgxT`eoir23=j;}b5
zuQ-mcnDFTt1L_y2CxR4d2}3UkuhxX8`lGNajmBY$XASBR5JItO#Oi<=je)!tiPXSH
z4xQSe!Oz2!r@4*kO1z$V@p|T=p1o?D=mr!%uA2jNc2RA^+^8(BYL40yqVwlRxx3^+
z?8+K&%dEam&O($`hUn>Y;gS=vuCot~HZ(-B2AMy*GAa&h5tCcQku_Kn)X>aEOs%n|
z&8@e~YpUl*t?AJgcZNb`O`Tg~mB37Gs!_!h6()1}&GmKlO{uy>_VhxD?0`6FS1P$Y
zfk@Sbshqk1_GD;}moj<E{Hkh&%Z_qoXQLi=HC5KGtg3B}x>dTWix6Q^BrdF>sx?&A
zd0f?6uBsxsxJ1;oh?8nC>T`XqMpU+mE8C39w&=<>prREp@Y?l6g37HsY@V7O1@hE9
z0Cs*dQ>QAVDPm7A(83N(n><#K%d23jrbFe_#j__vd%Tp%Ob18xPQ<_=SzQuyAkiF*
z1X#JjR-<M_ufijGjv5KDvO~NYO(OwTcJQ;ZgRQ3Qk$@UqBgGn@p6f>R$||BK6%oBQ
zj_8?VL@%WxdNvUWYWzWsKcw-6G<{f8Gu@bRvK`X?kmuL=LtcJOUr5uJr}5=!e0u2_
z(X+0IUQ9>yoHC;4oRK_@PcO0~dafB!bCh62&FQfDpz((_{)qNRv|p`&kWSMZ*7Sxo
ze!X;y==objFX<wBHWShFxrm<6MbzLOjOZm`M9+RAY7h=a3OqVApCY<kH8>;Q^J_Zv
zY%Zdfw21fGRmZErFc?vTA#9CT4TkW0>2!Vc+A*T1O_35EU#R(_CM&^6p~h3F=~0sj
zgljy7x*gSIAsA76Rl!J+#-o>nks^&pFAXC_x;(u^j1*}+MY>)AwUUY8Ef1C_HTeie
z)Z_#5&4V#)o)p05K^rztK47a=L?oc5ff2pe7ST)42=>?*Z%~&L^vcnA)ubjE32J{(
zmlM?G1a&zfoj>H|*YRo+6pVy){*cbE_p2g$RTl|qIzpOG?4B`Qc^Yq?hgXM>)9LiS
zR79`UB6+&pJWZG0jEd+rSwyc4BYF)K(HlS!y)hKgYodr=3q|y1RYb4ZB5D!`{(JpJ
z*Gun3M)Y=7M6cQ+dSfI~rs+|W=wL)mhJi=RgPH^)T;o%dYxs42)Z`j|U4J#XM!(X2
zy%iPFtFVaLl0v-ZH?2iTpXwc?h+aHJ#%cLelTXC!^3|joeqFwrRKu^!Q<G}Qx%TU=
zjELT%h^R?xFrxQ#BYICaq9(EEhng-miG^SDXS~KY-ji2P9&~y&Sw+9o@}PHJBYM|0
zqIY&8dQlTmlUStJ`1S5VM6Cj`rL6HsG=9C89no7nk%;C;MDsySe$lVJ^j^5eU!>{R
zTR{=E{K6Q^<-lgSfz5gZHtUZ-o@%#1-ng=)XkC4CRc%#GG%fDRt%x>I`yrmogPm{l
zD4E2N;?umLHa>bHm6k5OR~^wiIuX626NzYTqt~7hwc!M=XsxE#_z}I08qph{5xtWT
z(QE&R-UE;5wQNLh>_tj=PX|&^N)*!m4kV_`cb7$ccO)TANrJmH!HtP_98YP28w&zI
zoZZZ=u+nOQu+nO<xiw*P>%mss3@a@Le*rHrVCzXOxn^rzss+Pp#(=b{CBwlYore}6
z)J6!2=TWU3R<j1gsMZb#neXtkmJfuL_Jqw+4O`Qxv?ctSPNgm3XDNfNX;QNg_%%&x
z)&ajRKg7KpeqDY@m#=0Wfv_57VC(YLr~<#{lNwdvXDNrR%MXlGH4b3HuehY<Ye=Cf
zQS&qSH6?)(ox@w2g##rXx73^sX*G3f&K3ykg??Bsw8Od&g!RHTtonQ)T&P>GFy4A_
z>DE)@InwCXDvY-lTslorK+#qd@LCcsFHX0J8ovW!HBJY@YCMIl<JEWyKli*qSoI9p
zL4~_SFX$-5!>#AzVRa}G2<!c&u-;z^>*Iy6()EF`noGgfd{R0p5LRO)Y~6}#Y=mF8
zq8c0F*R7bR`IQ&v7hJl&dh;i&=A+1?+cQt|FE7qNxV${YN(R)N6nV6?sW~b9TH4i^
z8VIW~6}IM`8bjgN(yqo(__ef!wX~}_EW$NSde=UzH?G2J&Wd<lzB<%_Uze{pvch^p
zDy%oO!g@n1tj63xSZ`>B^@dhBUrT#_T-x>4R#<Okh4ofeSZ`&8^R=|+$E6)E%`G)U
zMk%@#^)?q?Y*Sp++eu-)jTF|~GhsEdL6S8!g?h0~As%kM#TG6sR#I1}HyMzo*h^ES
zCDPlnfK10FQjKm1(JiWGqmXJXS!%S0U$=-_jX|bETFOIS4=M?H<*6|P(yejmBc-q&
z8N+&H4D0>lu$r+z%5^KNF)9#_<ncKHq&&B&k$D*k1`8berYbk!Dyu1p?S{IR`Mq#{
zoXd{ph4t)6Zk~(He0C<y!53cIRkJ{+YpOX(rE9`Tcb#%p(WhD}A-)V#33XWwy;PYE
zy3l5?P<BwE<j{qZQx&RQR4AvTLOGo(l%1+jPRNC_iwmpw%3ueTK@MF8IaL|TMP+b0
zDudIhGT5og;DlTTC*(3Ppt{66vZ(~vNs4oD^<u`cgV0kN!cJ)va&jr$l!#GNA{rk9
zYOND0Q)^k+#mRGOs#_YXDzQ04N$~Y4tEdp>Mar*K2f|quAe;xZ5RS!Fyix`5^KuLE
z-1S3wYT$+K`4zrAHSmVUDU}La;VDxCZ>UTSys%jn!B+GH)zMZc7z#KoSQHf$DXZ9x
zHly-QRd!8obK^W&l-pDxiwTqvC?!xvAVOdQfrAN5Byb3ULkUbGa2SEf1f~#}O5kt;
z(+HFkm`-2@ftdu3AaEpsqX^6bNGekMoa9m)olO<#MF~5d6rr{{n<`R^ys0B{ChMCX
zj6`i3HdXX0;_XhvQUl`R2PK3P8=e8*8S<TB-&x>0$NNs=kj6kP(oW)$au)k|i+#Ms
zKHg%+tM7*(n_c8(ri&sP58V~<oVYF$#~z@}xHM8#SyNjZg*&Mv&ZUH_Bpji(I-4re
z{Cg!7uCA8ArRc>hChjCc5KnhZ$W<0^in4eiWu2Qs-9$m+)Uw2;&^J>UiPscq{{0k$
zYi9Y3E%q5(?2}aN@di8QK4YPqJq#s2V@sH^`szwN0p`IfEnQ%NGd<xB3%p4a;`I3!
zTH-lER8W$-)}jN^Fhoc?D+G19C7!&H8Y(^Eii@AeCo@D9b?L4P>?D1}K(08C6Au|E
zA};R!F$1dPoim_;6Al`@x?*7wXOYk35@xb@*x;qbX#>bkxIv?{;sniO9=67Pp65|z
zlGJS)c6pLUjfza9KU}(2qwyef0v?|lOuz__+FJLh&GTD4?6-KB8$#W>(OA)*geqyW
zS9;Q9k5P(_aDKe}u+RRmPfD2cPl-$Ulz0nF=`7__JjAI}5~W;U=Rql%oo@8R2`t4(
zuO+?2muaj8z0gv>hNV7#OMPlfeQHY;wH~+ZDTJmMU-t3w`JJfLFAxh(ufQ_DKwrT?
z8R`T$L-o_<Gtbq%pg4kjrb68kif79Asm%9K1<NpF^oq?VtV!y!5M1dA_k}pZYeLm<
zoSL1uKNQDN;FDfJl%-YUQ+V8Km|cr+`!$yfxg2$~NC(p8BF~BYMe(EsK6M3NospJm
zk~AYO5;Ni=F{86csOv~boH`>>B=q$pM&c=!UVKRjL7AQIDIq{rx71VbIEeQ|7S3^g
zf<oU(eT%XM%gTHyDP#WY`%6gBi?1;GDSal!TN?R&29$XW!09`2IZ0h=Vpp6230IpC
zks80<M5)vTCw9ftC){?T^hYJKi7PNZp;W&v5nq;6|5i7l2=^>cOw#;oQ3zM;DD+wx
z_W}r;Q`S5eR<G%FfkCID`%-ZyPFB4ZVBN-(b6liCXtWofu)*chAs_5se9q@(z)>GL
z_1POGqXR$KD3nw4u^)v`#F-Q9UVQim2ec-g|G{M+)<SSH!y{|p#-SUZjZyGa3UF{D
z2&)$#3X&h^g0PZjsM9hE!Ra7bI3Q$S6XPK*oL59blR@PtFusq@nh=!1Ri%@yrk2^r
zl7=eyz6?GH^!+Tc*quT`?etU}_Jq6^fHN-A*s1c<#-*Efr{Wmmf{q<3KQu1$v?~=)
z>xn;#@WdBRZ&nAVCsT07n;N@RaSS*h_K@-5u4;jk<anr0Z^)-N<kK7S=?(exhJ1Q?
zfY*3^dU=r5p+3DKpWcv9Z@{NF;L{uM`5W-*4fym1e0q7Fs7k{Y7p9CP6Jd5nb+Au+
zz^6Un^E%+u9-kuug-?6Hr#;})?rU3Yd&Rjr&Zn}_uUx#(VtMZ~xX`BzTU=hd#OLc+
z-1~To5)%02#OL6&y%ooxCf>}5_+*pzx#9`1vE`K(ADFT1_eqbB#t8L^^aoOGbj2~0
zB_!}Eix4@f(fN4Br3qsfJZdqHK1@qiShQkApH~Z3MDu!;Y+9}&o>r@fSBq6R)LIn@
zc&Q2vQ*}}WPTr9wO}Q%T7n1%<`Athz6TK4ycZTQIap}Kl!OndXE{4=n8Au8*23ELJ
z*<D*Trx~6!_V9B{3X4jnV>7*MUV@~#C*z_Y6_`|2M@wXO&DXBf2D}4Q=V4}#moa@d
zF5u0pYSxh%+UrH9k{<^RiYE4WQEL073CHrheZmgrC_?lu1BIzw2IXSDQU>NMrPI76
zr{*qYQT&A~J%Mm|GZIOMKLu@DQ;(*FI~mVP&5yFvqinWE861kT**;~n<CKw0QHFGi
zGNkh;gVUo72{mQ2J5x5h3uUttC_{daGUVr7lghe!wdKSPqKq7xXXI2oQ!b*6(-CEy
zPEp2AMHwe#%E*<#Gx8?#jQk$Y$gL?Or=kqILXF&->>$d>p(!J$qD;AnGEPU7aXLjA
zI~8S|kSQZq0%hb)q>TI?W#rbBku$Bnv2qTc{$eyy2U-ZN?LcFag^`IYXiBos`N@KY
zBnw+8WMLD9tcl9PMhf|`l|mLaQ^>-03R#ntg)J5GO;y(6%9^IEa%D|d)(mCMRMrv7
zI#O9jDGM7dgiHyhGh6v8l%)jMfgYeFbCgxBEOcNB#3X~P6O}bjSx^=f2*pDdIz3rX
zWn?ud>o>}3R92I+pjRkKi?S9dYoW5B=_u}GWi4Whcj7`NYA-gVPar~iZ#JaP`2wM`
zKuVRK!~;W0m7bNtok{}$u5c=x%z~)H^@}=OhbWpEcepq{#nWJnMC&kiYb^%1b23z1
z$z)m9(pb;L1q(xIjAA}idULe#WLaC&$fr!9Kv99yfY;@4e+p#4TPQ2*>#CJU?NNsU
z>O=;%+QJK{OZM>dell!6p+RQ7#i(uuAzW=0hJyLYYLPexYLYq*UI1&XOhU(DM-!J8
zRA&T8tTrZt>RcXvwGkOqCj;=S(t`PcB%tCRG&hw;C*^KRAw8wtsodGLN0-Ab1w4FK
zf(4zbg}w|O@M;%QCv(`K)bs@Nl4!h|Pw(|9OgJ@*Ha6BTY~kHlAP6O~p9V2bk+06c
zaSvDF$X9ovLgP?2-gS#s>zw)O6ae>jbvm2|aD1i4qdA#h!gn};Pt~D7oyy`Kukw#m
zr?H^|b>|10x2lc-b#4W}I<E?;mJ5XRX+ubTi3PtpK?$i-?LbJ~;exGB4npcq7X0co
zBc$&5fF5-!nio*tSi$BEY?5qpvpm72zDt0e5F3oghImexhgqe!zm4y-bXZ<OSXhUJ
z6T<R!Sbjp7I+M%8%u~%a*%fWz{>E;<m~lG$xP<KEb=dfXutFVHm=IQ^!-^8Zigj3V
zLRg6oE1@tx+{wc<mirx86Vb8$k$YZHvn$B#B7q9z1=X<-Y>#aaOBItB58)1jw5rka
z)WtjaRio*heE7M0!d8v0ck&@KEM&0N@mZceGSAaT=6NB_SS&#_^&!natVH5G4Qc*i
zN#ciTiu9p+UPz0LK19#chv<3w_%%--zvk)V);xW5nx~FCAl14?`j|9NACu;VwJ2ee
zE?%}i0?jM%gm63wWQGz^c2ious+$*3{%YMO<O?LEWZ_Oo2?0+?>4_}m3Mb@ZaZN~9
zk`Tu-q2tg?<8-l`=t_w5D4{r}Bq6R)<D@v2(S*3XggEX_I<6q0Ja#9PM}Dt7c6W*M
z%A>f%^2qO%$L@rDL|Z`uE$E){`r(>HyzcDw<8V-fI7KtNwW?va=6MjM#?z47OG9oY
z%>k{F1A%eLO%0f}=hC2*S~uJGu<8ydS&WoLB6!`(#GAhKU&!zRE<J!Hw!n8P4853p
zC|<2H@gmZRfb{H`z*pR7!~Fo>bu#fL#AART;#+4E-)MIjCcRDtm~Cbo0xwIAfjeY|
z;LgXZQUWhVl>(NT_%DR!1iTz&;;pF32x&B%;a+4e0=&??5Fxjkx553ixdiYTb1C5S
z=JS9rntum;*L)9fxw#zhBeNCoGjly)o7o1q5icH@c;)Cj!^A5_c+7}iF#^P=;t1&@
z`T+LBt3@VWCfW^fF9AC70#OiY@&#&*w}uWhBwiXS0W1?`fD^<7z{A90fK$X2z-eL{
z;7l<S@Mv)~@*XFS13W>T01TC)5^#=~12|XA1*{WwfDHm~A>)mqCcuSaA>bL}4CFdn
zoDFzB{$rTH8#PhG#49xwfOS@#A@MFv1K<K{0pQ8j$$%GFct;s8&s+p}v2_XH6?l!<
z#LF{R0bXZa2Y9n}GvIC3?SOY#cLCmG-3PeT0zc`k7{E`gPXJe2s{varaFSky0c^9t
zNxTUIPU1C~cEE3~ZvnSi-{Vzb`~h0h227UtKXiEIWgsBlase!qg@Dh=4*>DbhhgHC
zjtsz&_DH~K_B6mF?IQsjY;c3#w*b7sz5x*LRRG>@{}B*xRRH3x3cv^K2LK<kA$9a#
z1>mFhqkzxa&jR9w3cwfb7Xe?kUj}^Je%mndWq&$gwwnz&#2o@S)ZNdp@YOwDKE_w_
z7vp6&VeE#`p@_rx{ebwsA8=3n?>Q4+_KyPG%SEl+z1>{EApRewiEsJy0Q2#`QB8c$
zKMt_aMV;|YKmJE2upa<;kb4kdv0DaM?v?}M`+UF}7ytW{zRm}%b5Vb{(QO25cAEhg
zxC;PJa!&$W<f1>|D}B5^jqmhN13be$1Mn;t{KD7z=K!APo(FgVYC`>&OtP`Yf@GFP
zCQUa6R-D{eYmC81iSvwUwb5pJn3Dh59eO<3$#`342%uR$tvCno%h2oI5?E63;>=L(
z6VM9%jhuvh^gkd6;C+SN4ZCPoS&k7XnKnJgIAC)5VL8U6@<YpWj9JsC9ZFA2Dtr<z
zGh`#R^4WM}hW?+5@;Ugw8w2sWp7ObPfo4~{w5NQ%@P5o7yt=1+^b*csdVy~qUcogs
zGu*=P2ZE+#n9MMfVSk2$81Bw+Bt6t@<}xg0IE!He!}A#4!0-`<uQL3YVf*}f_*Z|)
z3^N(_XE=!A?hHpV%w-s6xDUgFnraqRi3r0(7*1w5jp0m&vlt%7a5lp^3{T{CrT-?3
zSIK_{q}Rz!NV$a;wDI4{T)e1Z@c-`k&kr?qJyack3cMRUxC7=Em>XcOg}DmmGML3M
z7r>kYL;v%ho;wcUWygc?lH*jo)_4LWTO!WH)0J$?G0JvlX}ek5E0vuxTid5<`(<UP
zj>h9Qz>|6{+6QftcG9p5hc6y}=ZKjH=FVMy!FkU(=&#<-e0}=sPom6J<1J8Qn6Ljw
zo3rtXWfsgpGshf(nL-G!Odf!c5atMn;PuEu@K)q8coTB2S%)_t7nx_^HOIwBe+ANC
zi@&MnO)yjOBICWtb%^;e(mjsX6`#jDif<vudw3ynCEh}8!&`@&;jhCxhnRgZ_CxT-
z;Z(eBn2a|JlT|6AKXBj6C7mY*p`^uPcl<BVkubS<lW-rrJs2^s#Y=<J@T%Z(uq(}U
zaiW=n@qB?e6?B|u&cxe*7vLShtKdtAX~y4Fy#IF#-uk;A@A^H7H~e12dwt9BHs1=o
z!?#XsG+#w~V%W!Qr7uC_T!Asuyo_NAhkPPh5t792vnbp+OT5G>0nG<E?-+)C7!Kx?
z>lm(Kc)hp~DF?9oTY}~Sc5h-BW4MvSZ(#S??EVwOOq1qxSsZ>2hm2;p3x{lD_Z|!l
zN@;w_;omb{&Ee_nzKY$$+5Hr|vl-sbAuln!kwbFX{UO5_@#dt77f-(i9Kj)HGiQdf
z`v-#ND2AB~M{@Xg?4HZ+tqi~BkQ#==7!F~mI6t4<#xf4MhTUJ`B}&uWm0=1&<9l`o
z*nKg(M=(5$VTfTa!{G#tO$=9XNFVV&u=NqI7-;TSixHcO7tS!cnp6MB%v`)%^s%u9
z?`&?utbH5an(YOd&EnoDxId22JyP|?cwaO&Atm=myvth3eew$Q#+$ew-pg1wp)XQT
z9HIN7*AqveryYY(>XBQ_A9Vlgk9R_M$D5$>UKa0Tm3W(zdzU!NY(vkINI41p@Hm=V
zLl100Uz2!ilY1DrYKS|)=Y9-_Gn~q>kl|2<ISl7AJcOWeF}r6o+?PWxV|O#d!x`o?
z%w;&3VJ5=~3{x4ZTp8pxwsOcoh64!V-P6ZG+e~)%;qY>X2Qxg1VKu{jSOPC#$#K~I
z6o=o!@NjW2@Epo8jYCQqj$wEwLx<s83<Cs>M0wsD|HI2PcW3-8+h!`e_hFbQ;RPJR
za&BC~?jEGw+?!+fVCWK5@^6l2_ZJ*~JiGtRko$%1Q?GGsCa=R(y@KRMzXrrBuz)YE
zd}%G*shAC-m1(xhM)lt1#G{v9f9V}g(Vxdr%os6iOv8+GB;IHa<2~ks@DB4Nytzz&
z5scu32c6HH#W0IuZ-$u!jWrBE<q-TIa)jW&i37HA2<EOR^VFAaLP#oB#slCz<5x46
z;jQLeyvm%5H<%B?d&`sXn(~o=$Kkc)6Y(zc0=#{E7T!6&1n(JNXWoMMiSNf7#7|<?
z{36~HUWPY=kHbsBtMMlA3apIV&8=7vJLU?!<l6^t^$syB@iOmd5df}BM1j~3skVw@
z<i8*Jo&=6Z#K8!eY~G0+)A63}33$~v+dNLpK}lF?<MrG|`a`~T;v^WtcpBcwy%6v7
zUWRvYZxFX3?+tkE_CdUC`!rs$ec3z+Z`QtJPQweeADc(wJ=%A~dW=e&@aF6=u?;WG
z_OjB&IaU@@!_WC%hL3W598WzAWjrljwg#dVjM#d#W<Q4c3}-PMNzk~G-4zTE;gE~j
z?J(S(;R1$J86Hm1xSHJuGR$Jwo8bh8DGU{6m)yoS4jIT$Fx-t{Cc_ZJWP--;8Gakv
z74EaxT^1Vv`gi3t4>KIhun)(c5*vZo`w1FrIAkTqj$-$>3^y@+KZbR-@dd}8!0;x9
zBNz@NXne!&K@4|g%!M5O6o)**?(yvI%kJ+Ou3-2yho>@J!t|WY?lBDK5;VSI_i%=L
zGt6O_#&92o0fNQ{><%+LjNw>@dooO7IGUi*#_r?Uy_Mnj9I^+&7e+kyGSY0PA9z1%
z4}vcwzmS=bqCeI^{jsw2^#dfx+yEZ05a&Q!4-nVF-M}G#<k`o=<`#r}h!?I+jCM%*
z{IcgUs>jP5f_1_WtYSxFW?lfepHYmp0{v?OPt)ANn&Wo_jXT+0#*qI1xYk3)R*wCK
zLueghnyhJ_Kj--i6Uy4Xi)K^0Ef<>YNW8h~mG>{se?DV8iQR`YoWLQ98d~FEG+~&_
za5O{Kcz<2{e27cs)rNu9#(%J}umh2WKX8Y~R6}6b3+@*U^SSA~7P}N$b{}Ze#MQ<X
z;$XSfxxroCYfP_D(vp-&%A}OzQfgBcq@0>^R?6~}^(pPCPHH%HR%%1)d8zlOzLUBs
zb!(bTOHK=<%}hHr?Y6X6(>A7OrSFqIDgC(ghV--2uS&l&{r>dF)0d<_pZ;q4Tj|Tw
zKTcnhzA=4E`VSd0BRL~8qkl$D#)ynD8KI2v8M8CyX4GXgXPlOCLB=&1H)K4R@o2`!
z8QU`ZXNEJUWuB3FP3GO1&t$%lxw&^{@7&%~d!N|*+TM@!ezi~kK9zk=?9<R^L7yA?
zJk#gJKCky#mbFjTq^#qzDzg@4EzY_r>(Q*&vzBG8&)SsL(XUs(A^nE++o#{uezW?W
z(eI{y5BGb#-y8it?%%8bkpAQQ7x!=O|9JoR@bL5gMt}1FV|VjFn1j%NlFfaMEOS4j
z7h(d4DMm~&VghE7F~lrJco|FtJwnI@Myfmsy~UId#oB)a?rrpotu+S3HW=Blt;RsO
z^I=|sc^T#vm{(z5gLxfhHPU<vvj(OWW-Y=#gINdjIm~*P4KQsmU&Pj$kHS0#^Ek{C
zFi*mK3$r!0R-PJLDbI{;kY~eO80(N1!7PTk80IpV%VBPfy)ExXx_e>ni>-8%VjJ9K
z(0UiBZUfbunBqaP4(J1kS-v!A=WKWQN5iIlf*?!?hUQ5xA<xS&ufV(t^BT<SFh5cY
zV+-(o3$qpGJD6=S-^2U>6N`1228;<KU@RC3W5YNwE=(_&B$#BF6qr<)G?;Xl446!q
zzG(9-n0_$*VFtit!|Vbx5N21HK`?`1P*)RmHBnb{H<;aF_JA1%GaP0F%$_hKVMf7#
z7v^3t;D@<4OfJeB3lo3|!h~S*V8Sr@Fj1tz9*S83gB?t>3T6&WH4OG*%o>;zVdlZq
z!pw)kzPVWsgPn8pH!#?%F`HnpH)FQIU@zTV2y+q)cGPk9AkDjB?t!@%25(^F#6g-b
zz`O{9Jsa~an73h;!K{I4g;|UJfA9!ngB0MA0FMNCB)}s99trSBfJXv665x>lk1(s1
z0z4AnkpPbbcqG6h0UinPNPtHIJQCm$&L$-OQ-Z{QN|0hKOaKNlBp^eWJ4+EZB&4+!
z(%K4XZH2V9LRwoPt*!Ek*e1Loo@UH9QXo}XFn-_afTXT62BAOh7Td-WIu_EK2R}|~
zjB}CpuQ1QRJPWfF<~f+>VP1ggxj%NGKX#x$cA!6YK$2IXKdwT5T!sF)3jJ{v`r|6}
z$5rT$t02kkkmPnqayuls9g^G*Np6QEw?mTKA<6BK<aS7MJ0!UslH3kSZighdLz3Ge
z$?cHjc1UtNB)J`u+zv@@ha|T{lG`E4?LR7A7sfW37r`usxftdWm`h<UgLxEZQIEkq
z4)X*I{_D5-6~e!Ty%mFrh;0)#j01B(Y#a1P2lPjWJTJCIUI23;TIV8|#V{AcTn2MF
z%oVY%@@BNqt+7w#lSqfz7j#JnbV-MMRcxDkHQMBGwAym5S4b1K<3De1MT@l=!@*h7
zisvG}XC2ZG&bNc}?cjVnINuJ=w}bQT;C#EW5xBmD*#z?y%x0J^!2K=ER+#T#w!wT4
z^8-vQ)`r$-Lu<65HQLY`ZD@@)v_>0RqYbUmhSq39YqX&?+Rz$pXpJ_sMjKkA4Xx3J
z)@U;iMt|;33ok+Vn=q?jzJ%EX<7wuW*fO~Q=46<2V9tfPFxC#4Z->mcL+0Bd^X-uN
zc6np04P5;Waz70JZ<Edte9gRi2i#f>ZmkBlR)brs!L8Nc)@pETHMq4J7{4$~XE69M
z8?CYwEzyCNXytx09Bl;+2F;!d&E5+w(}9**3J!OG!yVvo2RPgT4tIdVt>ADgINS;j
zw}Qj1;BYHA+zJl2g2S!ga4R_63J$k|!>!<OD>&Q=4!45Ct>ADgINS;jw}Qj1;BYHA
z+zJl2g2SypD(?r!wwY&vyO2}!9GG)q&VxB0<^q_zF>c=jb1%$&FpnbaF__0;o`880
zW(jb-39||Y^+bzpLyK)gi*;Zu?T{_8C(vR~pv9h$XBdOgFWTi<u+N5l4#LibIS(y$
z0nCLMdoO}n40AEeWiXe+ToK!h*8Ei7Z1h5F=Hm74!RRCH=p*fJ3eJN5|CadQ(h}4&
zHbJYYzIV6kd$Csy3;kvZ^xJ#TZ|`9qsQP3!_oNk=|LlcTSU)j0woaTLYZGm;<zgeu
z7Wlt~*$VSrY@G!?Z$ZynNk*2H99wB+;QTuirnix84T>$dhQJiVl)}`-*2#xrD-etS
z3v6Y?wpy7mz0orTL8}j3h(lOB4tg(TyE6Uq+L3Y_ux!)$vyG(fQYRTBK~*NG%0#MR
zC}o&oGrbx355t)-L~9?MB~fTP(h7w76zv?wolAx1@MAxKUq7HEP!;DuHqXEXLHPjm
zf8wnCf!Mm8tkurZ@P8qdWSs_m=IJEJKWVvNBg7OfI42j7>^JNf+R8)=5_~AOChn$?
z#1twn4O-F<^<5r@L_9vWuCn2!P6rjHycT0zvOEp{1Lky?GmLC`ChW6dpKWA9OJ}=D
zu#;iv^whN0QZ5CVZXpN9Hp&9@JKtqde8M`B=#p|0Mv}uYhn<WS*)+^|OoX(f>_ZVg
z2|fKVj1ZIIo)TLwr@}rQ{%Nrla(b-Ixer>v)fhUEY7?iJ277v}1F@S72eECyL9rc(
z{Tg}O5W9)<t<*7IzO@vCeC-^&Ueo2pu0rev#+m}^)&lcpq-X=?Hc)p9u&)Dkt5L#c
zSq@uK_=aI4<ytNu^+V`d#z8grDBHv}x8-ci5-UJwC2BASv&XrZJzEHEM+o`aj3gOF
z{A^%X>AsRxsMDO-SBU+KJdta?2Gq|6H+@W-2oqwz<dP|NZ9KoqyBe`yA@(bb!%>vw
zmq3(I{uM|;yx9Pr`uP)MJB$?MU5nT@VBY|mH-Ngwk$<hM2GyWn*2LCpDpz&F(}7f!
zVl9;djwu|(2`^@~(N`Q{WQ!w>Vd5xbkeCJg7}&=eS>kxu7b5OzBU4<1@Ec*@1p6-7
zcf<a((MvpvG)s{7MYvzWnDonHGwoL(HHk0@dnei0H^G@V%z-cm!4$znU=D`46g{Vx
zwHPDX?_+J&<1lM6@_mI}hs@YYdnrs;oF?@iV-{v!cVOmq2WDP(V5W5kW?Fa1=VBkr
z7a)PJz`P#2O1=&I?=bJi)=2Ea$`2900_G!_k6}K6SqZZWW;M*GFl%61Vb;QY2D1+4
zbC~ro8(`XCzJS>X^CiqCm=2Wj4Gczfi4k35M7Mjx^nvLMlLgZcra#O8m~5C`U`EHT
zvWs9B!<4|3!j!>8U?#vE3^Nht5ST+@pbPB7U?#&%fkAJx4~LlsQw}p7W(Lemm?L10
zggFXk7R>C}8oL6f5~d1f4oo%7T$mb|t77YIoCVm|z+mUzzBaZVvz_-0X}=#^VSfy>
z4(4l`b8Htv8hSY-7UM1AwjlL3q~3<qTe?Y2`L`vc+15kO?(wOz9MaD6I+z<^9)NiW
z=1<VrDqg|uDeVELy#-p@?n;-lOKf8gv<W9Uw#~t++emVf;KE$p!48v?8r$NeLC0jo
zHX`<Gr*~|t(+5~wq}Yhq4#ci^(qU&nlVrv=BgJMzBK8}^ZbE1Wg<|HIOcVir4ZK@*
zj;$O=sVOD-HUWEwkqjC(A+!T&H!+^H*!#${9;vtlN`=;3&ltbZlu}9UoZms-jqy;0
zc|Bq<axq3a+ewv^&@0s_(k`b$A5VjSI(nAUgzKTF)<A=;fd+dV8f+uRIW>OK2(b;i
zf18{VdlfmiVT9O-+-(>kHUmQkH0D>pvKkul3*`O`8uBaBkkH}Ys5Kq>*wgk(OMYc!
z$Vo7V8AIe`m?^+F753psskC>8tiV`ZiSeS!$dYqlS0k<l<0|16_f=wd(s<yq2bSSf
zBL!z`ZLtpg;e?6*Hsd6qn;+Vy``@5$ga0>&ihECG4&3{|gIJ^3;J_yEpba$?_hPpZ
zym|NmjNF*j7%}V{!-gEh+GDE$S7U@q_#vkkzp1<Ugrsq2Y)Nbxv<ClxU*iLAY6Cif
zRxurrLMnep@!}rrT7upm9=sN}EEgdoWIwh!_HgXu*wWYsu@^C7{2%;*lS{w@x&!!s
z?ne?CTLJh6Bw!t+dIh^y$Ch&pb^sCIhA`~l##RDi-U0tR|LKf^rp6De3jIrPb#P2v
ze|a(BN2ea=<^11dvrb9SIKPxk$L{tu&HtwQ{@S!a(w7;fu}6(wu}7gJ)?<(NEAm5Y
zA_nrX9x+RPZ7Tk|@yFiBnumX}mvz~m|9$kC4KQB#e=}*&J{SqX_iY$QJN+<I!B4?X
z5r!H&y>Zct)AF2-Jnv&qf2V#ZokrdFp$XPQKdz<Two@5@u|z%2s(!H&{`VomY0CfS
zf7Gts$*xy%l3vJMH`3N^7-7R|32-^qp$2w_jMy_|Vvol$!mnc3##s*a2p;u$PKkK{
zjr=tBuVT61tlcXi{hKi#SP}au9{-Vt^?%at+QWZsTEMYQJSSky^J|y3Gx*WE;n*E$
z#XDm3?F#+ikNq7XXm_@~a22Z|#<OLJe^q%g+Qr>oh!>CjW&8-n-osq*S^T|++;FLs
z-NIhr5{;H>)udN4-KOjmNM-i$>xJ?YW;s2iiU(u&0jpN!_19AIXal<;KkL^s4dBRT
zl!zXP6;-dFfS+=7`(vJO2KBlg-6l#1<aDW;hZ3`tF8NeTCS=%2XU`*$u5&UF4Z?0^
z_D&+C8{9qobe)%UrM-vb)W#Asv?Yj_z?#kegv7r>oj>4qrW$0^x<8??9Xorj^9PXC
z%{xEeX5M7$c|Oiqy7DRpd_U(08g_ErjXnKy@c(D$`9E3b|Diemf3~D_p*}%F@O&@9
z-z8;&*W3M5L7jaR=7*@g3WAuMt-}nZgVssp;=Gx$hjHf=kj7$#ZF`8bj4nTwn@7=Z
z<~nKys>VX>W@8VsOZK1b?Rk9txhSzKi@Ctg|9Ywm)zkYiUw*kd|0Mc68g^v&ROcPc
zuXcoPr{mO$!k34i#(A$8FIRUhK{DJmT(9<N#@A(sfH20M_wfEYw(4&_Rf%%4^ChY}
zbuazY7q_c(eE*``)!?$7FZt)B{AJpiN`_YIwjcG}&YWwlAuh*lX~VcNbnC--p$6Zy
z0Mpvo20D$ws(C}~?VnSxUowxsUlw}<c$1A(>|m`1=V&LZgT6(<d<$Q3Vg3EVFIjGP
zxWJpGBwMgo#a@ox#c8qtGx1dntyb_$=sSHBg`kpL|Asc%idM=(zZ@9*4r{-qp!uHI
z^WC=`<KAiDOFYvDSwN}yMuBb6+Y=%x`<E!6%7Mh-B#q0byS~XdnWtYm+AN*dbMcjA
zoSOJt9vnrB0t<21KZzqPwGnaM%61$}Hx6KHV_e;6GB3H$6)L&YPbzvfR8eVu3SeIs
zYxVQ{F+1;yeFM2w9O^dHcGw;8qQ`XwpDeBEd1jJW1k&P`I{v)zQps(nS<Uv^KK2R9
z*ZVfWhWi2J*LW?wD5E5R?z>~xY&+@`3FzboPSQ6W$kPt^X{Si-@!Owh?#hLDJvcSm
zWee$Yv_DZo6lzKAny<T(62lTo?MD6*Vm&S-X5N9@qbtt69@8f15|t*ITOfYE)?-GF
zApE2gdoHKvm>w{X!S~-|@Ev$I?u>Wyi_zCt`j_BR+=G<)JVSo^qWl2k5S<)f&rscz
zPs`S5BPmATaPHI(TH-F`OV|aX-8lSkXLv`u3qP3$-BROW@oEUoenaQhi#_Po4t!Xl
z#wyf!9nbq)(F16wc>`+U%}CN{A1HPbQqW#9^)}{h?4KS17=hY-E_<P5`*SB?d@?bn
zC$~p8=LQwTM>?$nd@=SU`sRB*<@{yB75`9sEdf6VYtQ>@J!8YYjbGr`xut&^LTYz#
zc@wp3_q%Md?>vltyQ&b<;_Ql#qwvw&P4S=4Pj;b4A!<ZCdZ!%TDCNlrwUv)|r%?RN
zL^OuSOZ_a~i&NlA-5w>U#5mOH$75TkkpDd%d_S>cVm!|Goa(=)9eOT*2Qk<=#~;m#
z`*fQsQD!Lt&Xe(`+Ar|yZY8&4w8TY^lipcj*S_XqfX?n_HsHnXgiZCNa}&jzZsfQd
z9F*!uWTl&2I~C;bfT`rMl{=N~*GVK}9|JM*M*StOro0ln@`3za!n)SU%erG5r!YLq
zVP1}JYt`u2DF<j$+L}VW5ue@Oyalt<#2;p&JZ5v6j@aio^HbWs9jlt3I&0iUy#xBN
zgR}x<kXF9Ho-mKc7ru$5bE?h(U3{E>ZI{4qy|I6QC;0Lb^NDuccwCOsvwg0sz7u=X
z&#K4sb)cagG}HWs<~FUA0{Pbf>RGI^k?Nm14>bOd@n+{|g<Rg333PqsyAxc21a~K=
zrxif&4rV4lPu@Be^q=bKs>OFukJz<{g!V)K@^8)ZOUcyl==5Fveun=3c;~bh=F%6$
z9>Ki%A>2f|Ep{A_IR@Rx#F}`MI>nD&=g~nnwK~ttJ7S;2-lZEM@W0FOw%Em}$91tw
z*!LO2w_=ay?e15wlxF)M?U*1R^{KX>l5cxVUWl)6ypW$^JBlwqHD|)On2A?SvhZd{
zw?CaOtJ}z(4%GT1$DqGo^7mh)YbQyeQ}%9tJ`a1=anQss;~RP-_9l;0-RPx6{ps(R
zsQnLGGw}Wh&tk9(MPnVt4OOx(UyrAWcoeZdeccf6tx!qpllexCf7Ca5q}k}{{H}Sq
zmu>7Cid>*8@z=%Q?cARF6n0yA+@(InYcqN`*#*b9%fU75)DoZtwFi&9ky~>Ar<*|Q
zyQc-?VmED&nAUS+<hu-9@h~Hpbt2h4&MAq0o)vjWy0L$JouD$2)Bu~FdEoxh1@O|G
zI}--HiJh0Q*8Cv$7DDm!(!-_ei5D5vZva`b25@{WW;g3GgHn8t*ATngyo;dI_he~#
z>lB?Cd%~9&wF5%&np55i5R`+yL5S#u{UnNC%8<`*H8pYG{sbNC@Jy@I90j=7!0hlG
z)aMmZvHkDI;=LRweVZXwyCP32hZC1*UYt%o9~1Rx1a#sddJ6fmUr1^3qZT$Gsd$?N
zf3(}m`%E-DqnI82FgB@istvQ&jlaq%OQ#;VBU-wPLv8p5rXQy{;>n61k>J|lZt!+`
zA|YcZCpe=d9$W-(Hshp6aXb~Rq}RQ%uRCQiFgAAnQE8o854ilDFm5@7eA_wGkNdp-
z`{OBlN<s75AKTl47U5aZ_Bd$whC<OAyz1F5MN*7j#L+)rPsC+5zDDrUB<?z+&FK_Q
z&*$S(Y<X#YEM7=w8)t}D`TK2@TF*d}(H2@Bz3*4NoJ4KsQNW8K8~P8cSDwpu)2F;U
zqAEvMx-p_(fSbYFurs_4f6$|`%jw>+PQ3*C$zNe7c5Un>#=j=^DQ2vcZbkfrHjB6u
zJBLq#mc*XIHy3YE?%31b>Lm7vqE6#{G@;#miKPD_@FPFwENNWtm#q1vxJK{9<{PD6
zWH)wyyzSH7Z>MKoy4}JkDcl{R9}gpq*^Pt*el+Kg(3l|4zGQcv#RM=jj#C|%+fD`V
zNXM#PrL{MY=bf_ts-Et2W?~rn<j4M)O{Dyo_V}gA<#yG*4|-<}_hmZGrQJ4tqM^z}
zERF7vSv{j5YSpOOg(&n(8ex=P?;5wROF)7bErru7tpmG`0Z5m4iwJ2uOGzRgujFAA
z81K#T^IM)FavERy60&#eM15ZFTq8aS$-+!3mCl{$*EwE?5zlt;>n=|Z$-Ob3=AB#l
zmIw7Mx-9@3S}Q)@LD!*0=`ICyAl>}<27lPoVeWc8AZ&~W7QB3h@C~sqV_)dgtIuPf
ztMX$XB8K$0o(*=A+qH~~cfz(Ct&u(PG#uq?3_a9~g0l^bL)1r^@_2e)cd3?&pXuxX
z3rC^e7#9*#v38*SxA?hcck}=5!a8B;gflUwM>o$?c#kv-t(1;GNJ_#e;*HmM!LJhz
zny>m{Is89rUZpfdBlxK}g1tqRtEZiJq+N><k6L~OrR;7brkxapg)nP;+Kz{#)cDVn
zb>4Ht2u@#_^H1UFUO(&kcpM4J@}w$06ICIMC1GyY1HJ@Iot-SP>pO>a?}OC)HOE;x
zS|<xD2o)w(i+H+2@di26O$pL&v^$HPWwZgP1s4_1`oX<L(TuQ_+U3tpyONSv(>CJ3
z4z$`bKeJDHLYUU#@sMGVch-K4mvA%BArpGPxQ88+1e!ctsOjBQU*#v8?+Vbj7k;0L
zbJNR(RNaJmvBVqJ#9it362xuH<#Zaw9q{!A^eVjc$VoDx<F51f(sBAun8AB|!LkCB
z^H=8x*@Q4}^ciG~!Rq4%>N%JtF2n3^DdB?Vc!zNsu~*<*4x>jIj{;7`Si0*?Dlc-y
zN3X=b$$azVUfZ05Zd~XeYwexc0q`<xXG883ecOPG^@=}hSBbl8l^tn6%FnvFi(c5S
zXr;ZWT(3=2y)-O4ELr{y0<5jE?*xc;L~C@wg)jf$#+VtO717(-*hk><+c8dk+S8td
zl5Vd&*kbNM)HhF^b=nU`A>Y*8iguB)ue~-+Nc%tQ#Je)!!)l&k&?(g$;KNGj*8heZ
znqI|~PN3cr4_T_D5>#mok9OF`I<g(TFN@RCz06g7GxIJ`n<&#BnxAE(uaZo3^W{Kn
z<<26E>*Sryu+!;Szwm8Q?P9qHy`Adc*|*cke>7o&7S=ODw2$gpe1oqu0<;)XF`b}}
zZGB$~Elz)0M|95hQ+$wIx|QY22($%Cg5K;-&mgp;(+mh>HQJfK8c}Tvx!+7Jk9y+2
zJ-|&GoOHO-_CJ9%+7$qHZWYv&@-v@&6vU68^JBcAe8)eg9CvduM^HPE^pcO#$nE~j
z0u*k6`2gv7cA?vnZuceVTcyJjH5cTYbmdAIHNOaVtzBp8kczlLZwdYEAGpXgC5~!8
z8(Bg|v@^~974D@85pn0Q)tkHmsBCcDm*VGD4AxaEy)-&x4S(N`nYH%6tmY10s_uBh
z*!4_8=X$|QzrBsIkZ!)~aeVvuoe4pHCHIgmk`S()3ZdSlCClfkmwv~%{r<#Q86Plf
zTjlj|?-<kev8+clUE9ZcA?PP0^|;|ldJV1}NORYgi{t3j>$z>9Wf&Ws%OqmN+=DsS
z!K*kA!FG0M4sf2ItgW^~`jZ17G0Q=%_XS=&e|**(59!$v@8RA|nbtPE_U@#6ezctu
zOGudUkp{vmft_N#@hG80n)B_<FZMd6g5<F6<-m-dUY_st!|ZAWW+*FQ-|a^rXD#xB
zYwAaoLKiJ1pE^TKY<I}sV#GeGaK~=>f8>1!d=<so{_JcENeH1PkdQ`60wg&JE%XvX
zmo5mR^ePYplp-Qcqy-hrwV-0hUM_m=A|j$9A|fK9q9P(9q8E{iDF5eu_MDTGLR0T|
z@Av=q{LVYGvoo`^vu~fWkWD*9_d(v(GRH^8CgD-pgu<P{9g+fd;2f5Pz`!BYCOu7=
z6iAer9g(NP*`iE=SU`69>6~)Ky9RGh$XOu&sYASBe8U8PKSx7rw<9-aZ=GT!!cTXe
z4J3XD)ZuX#nUAK#hZJ}N80QpjhFu$=DZ<_g9HnU{a3v5zH^EyZ@8aw&#07u+e!M{W
zz<mOx&NgISL4Gf#z;}yrGNye8P5e0i9|mv|7(o7kH~wzmULxsHeh=Y(&o6_g#=NZ}
z+`@Hg4595s9$5h-GnqXvSyG_JvP0b4dsDlLT^GE8eO@f>lqZ4v`$s$Q#DS+qYXW`@
zzr^q=30yB(C31si|NHojztz$<kE;V~{!>Swx6u~=`zcC6n~Le9fgERUtM^7i;hD>L
zIf~w;*N$SXDNzYW=l-I;3)KpW+7P%Q){5hR-5caUIP-IGPac!9c7R_W3*-Ua>;g4l
zG_^=;3)F|OSkH!}pC($wjfGN6O3jkzr>W>HFP+MR6xvsTs!py(i-MYoCzXoMajh8j
zgC-AS2c|uegET7M1;_-(k9s_bPn(ANJ=<iDcc-%MEm!=~(2os)SvW{1$1MH^yu4n0
zXAg^epaOM(F9vxuo>AT^{(h<KV17;*&KBVx93Ln?iZ9PoLO<UD9dA8wZ6~;?yl210
z=jYDAz#=^GS|7^8k<!2$-9Tya9v&)si{8pxw7BfidldB~21?2-G8v7R)(Hm=k&E6v
z{qPT9u~*W2>!^7T<($Y(&L%5?C#CKipt@qMD0WgZM}V5~+#Ytw8!3j3C~n~`BE9&5
zrw=?|ILg5P9q9Rhj}N^hBN)^vikCgRGykjsV))sWI8Cl9y!J=x@=Bhj>VMCrz?&&n
zdx^IoG9P{K=e5Ohp2Lav-imZrzc%BSzvoa<Fe`Mwy`Yd|Xj_o$1uq68MYI=8I?G5&
z3@y@_i}(;|N5)F_6<HSnOa!iOD1IZXO&1TwcHveY#d-CFa4(@jq4$8TDb~Z$fHXsG
z#1c?xDVi*Pr@!t@?hQ#ns{QMwTj_R|?DNt&{<0Lo@=9gY7NB168yrp<IsSqqN?nWs
z2Dlk|S@<DlZz1OK$WnLl%h3?Y;q{jP?U0}PeTRod)^Uz)iFvf8>JHBB@@^*>>W>K?
z-seB@&)*7^_AuexC`)p~+BqC*EhFX2(pUwW!Z!=>|IsfkMJwU#Erdn$w{}v4*@85g
z!*v)XLiW`V8y*z69_jKN&x4{q!>HeO#_?4I*_BP?JD#tRf8@L9$&m|3w9M^7uG8=q
zxqfzsv;uX3n*Q7YUL((gaj-vLPoV5yNo#1)5lCXT4eeXY))gE3l@vdwo&vv5{X}?+
z!8rt8F5J)S(GU+f-s&Fk%ftBZVJ_KEfg``TbCDemI+6MS_xNFmCkSg;HsZ=&KZb7w
z4(<2$Xatm+pU2g890Bg^^<R+$_3MB>85hP;19r%fB1yqC0nx$O*+e{U6far5_vXoA
zi3cQdQ42yUjP-Q(kd$E5>p7HX4+fKqMNW6ESjJK(Uayo&E|K7Aashr4dNFk5N79R=
zV`#3D@zC}HH)OA|J;6Mbn!&Tuks7cP58%JP#HC2w-Qxu%E|hs1`lfc{O9uYgXT-|D
zjApTfT6(2}{dBrF<=1Khnnzju!%tJtg3j##jvp=J_NOWf&MLFpG1?X~KgaTN7wI>&
z8&80Cjv=SFM@$HRD&p|OTA6F)pV5f1`p=-ve1#PJaWoJBz3!*7o>b}1FNifTeBJ16
z=*20>DKl*33jqHWyDCZB|2>Ca4sJ&6;m|Z?x2EHOGWz)?`c&ov$jpfU;rRf6-Lncm
z=FUz29iX5?M^e|78UIB`SO_nW-JkZrCsYMFD}l=&kr;ZVip0<xM=%pK3_XN6{@~om
z^G{%L6fs#+<XhOm{i2F)^6!fYXXCoavy^|r(*pCa@I?D@CMlvvc^;J`hy}HlGq)Rc
z_(%NCocE9BAccc#l}W#+tF(wmgTm$c{LjcIJzYV$R+3+UA9>pQnF{`i>)@a3q<GO9
z1mM(9&_zY3^v2x(w6-TT1&-pQLtZNQ-dW;Opq8@>@od{L^9{3lyq#`}WHMy|FtDrx
zxz~E>=n0PXh=xMEm9_a#hDhYHiX-jhvw`{B$S*h`TAGZ3Nqu|pJA}Wi>t!FGqLQ;r
zMy=kC^5?YvN+|FzJp7XM6gB?kI84uj{|Wf~e(VYG1&`)V(VBl(atUwKx!(qOCwt?0
z-pjyRF{uXMYeQ<_8H4jJ<r1FWk3%8PEG?<Vt9#DnJ%`lb*Qxz@8=!w^{F3tL4?HKH
z25&1cBT}q@?a*8$Rdh6bfBy7$IY*n_-*=&Pg8s^qIh50A*^y!rJG9^#;-vQ{<p~3_
zLu83O7ycW(!o_(Ya`I`x9rhp(`33kxh{S+}f5v_<Hd+)cOG?=VokY0LM)ELxK@oQe
zU{f%s*RnqX#Zw6DK-RN}W^kQ6JHlH6b%j1jAT1DvXhMOca}4nwPsv3|H^<Jg!jSCV
znrKO&$7LO3>!5)x_WWrjMq~V|qG3O*_2>>#bZzlB7wC7X=}bpxUiRodtfoGMw!H0?
zgmjacgZ=|Dw4~h^xOB=87$?%B4C*Ler05ygqrrPJSAg$%GQfkyi=XDKsQr?uG}Ra1
zNz;?Tr>X8NE|DUB3E&L4%^9CQSSfs{MLiKrJ*P<V=k<z$)&tZSY)gQ5oL%LhZrQgp
zKnG!^_>2EaaSVYMsOWy%{C5&xlfr%`&;ifx-eu(iPSL-In*6we@xKzDud>Sh*|d|Z
zLTd<Ud-(1a-W#6_{FfnHMO+T{KxoNg@kpLEK*?R8mg2ZyEF*Z}-l7CqiA7vHBj+wE
z6NrHhKvkTf^(-vo&HT>HV5EST74g+T?y^Ga5&O%!Qf69}vQkURN5PgL?>Tbv?UL8a
zs-vtlw#~15!@Ip3GtFK?&CBucF8P5y695C)tdM7eU^Hf)-3CwiR!FlO5fe>G<c)a2
z{rmHjb+-~}cv9KL2li_u@3jfs`oPH!NZBcO6f5ZDEtuK1-7AOK>Oc*655;C}1ky`~
z@CV6QF7=C3X)40&Lg){8McxuyvNrmpynVe;;%pB*Q%LUOc+2-F{-&Vpr!6k+36zOs
zTh8)kUOgxGpuBv!j|bkNAMg2$XOs$o+-G^qQrXHbALw87M(|ln6+LZ&tehhi9|7e@
zk*@}x1v{+CGs_WztMVRq1X~m4t=2}rVD%jS;@>;yl{p=RPE#hIk$TAkc%AQYkH^{A
z3XX4w)Ej7NNK)x2S|l@p#U4Gy4$EGdq8<!lNwLbxPA!(D)QNx3w^H7m5`Ba{noFdV
zs_ASK{J6^A4ZJ1Ds$#OP=t;}2wd{9OcHXj5OP2S}15a4;YFRauokl!`e#nC>27^y1
zUe&#2m4YWCh-n@+Q*L?vBUl@}T2|>(rvaA&Ejh)=N0~Lt9@fR)MX5Uof0TdiQdhi$
z_!7F0)K&#l<JDTp9}_E2YVk(S<?QrFOYS1n52cUFT;br@7itbUKyQKep9zOTN}W2I
z=3VmI4(NjyD~;=_Hz*&jRXcT2UODq~g;tOhdg71ET}mB(tV#pj94<Z6sZ{o|5?UfL
z4P~pzZWmIY*fIj~e^TlMzCIaRQ2GFUABB7v??L<o<TYbnE~Lf!-*ITMlJQ1?9ZdY1
zSrdBaC08Zrj^5My&=Mc&-owI73&G`*)=~}TI!6$Y7yf&kW9k3e?7;uv5eBaS-Xq==
zW(k!(<Q;m4KPF{E%Lgu>AuOsVkTKA=f%88fQajp%Ckb-2)7L3&q8<beQ=AWYGBUuG
zPhX4wDtxCH1wI1k-&>+YjY2it0X|S$P?tN))&|NIg}4)Sl%l>RWsxe2a{bT7iux=d
zC(r%<v>1XuzvA)`ni+VH9L4b!eJkUVm4sKp`ye}ONFHdp=q0S!^l)6#&U_R-gXAr)
zFYygy+>^C<bc1((t_OBDk^LWKw(lvwvQhL_rS{NPfT!;F?#Sn(#w^(8Z`ElU!#Td3
z&s7{dQMRPs{Re3LR5$ixsVCXxS$+YfaE_nnQIYG=Z-UoL)>Hg_l)QR2=i+z4Jwo18
zX#6Z{;F~U;j~pa0*TS1o5Xj^LKg;aHz<Z^KQ250W&y$XV;2}7Nr4XnDX9olR?O-|5
zJab@IOFUWd%}F_66n42pxIK`+s4k|Lv3GKSl0YekPri>DitfO|wECZg6$R`6Y>yz7
z2IVkYw?oPkYfIdtbiF4xiDto-Y%-2~T8~cY(tj)k+Qf5GlHLWr1+m)D67n3pnNw)z
zf9!6!5ARmIG};jI{)=Dp&Whf6SyxY$1`0a}f6Qh)#U{xkZ#{q`Vmp^jf9Q9~Egn_B
zCLp2L0=$*2WtR$V1A1?*ckVC6^4{IipR&f>`!dQd$yE~fLTfs6oH*vktfDc2Gnf0T
za|Gs3{nhpUZ>aAaIqTU!lE+OWQQ#EZxXh}=wjy6G^Xh*z5mYA}J7j)!iRP4;o$amR
zL<v$Z>2N2`ipkBhrk_}pl<~k*@Kvv6fgLWTT}UyRdIs)P;u%6t;UPZ=pW9y0Jmi3U
zqn$po`}~|GWY5l!LjI^cS3v72ef4Zoz^(Qd&&Q|XexH(lDv4RVjCba7(7+Yxr2y7L
ztJ{mQ#LY-q3ms=My~5ZB6z8u5^UF@4()W*pH@<=1*n)lR*Ml$1UZ66!d@uYt=%KSc
zWcB#TJzj43*!Q597b3;;hYE&Z7t!E#*;ndmf8OnQW_adLbp-gfTxVaQu2UYE6Ikq;
zNDR?T(t@egyjVbX1k+C&3G^#6dGz15?Cf5xxK_Lse}MJ_8Wo;6iT5HD4FtZWczLSe
zy?FW0g0rtJn6q{;cFs2ky+b3Dw<!mDH;EBKK4Z!E2!0C<^#I;u5=LTV4rq#3M%sWg
z>+CpAu*JX&9FeLs!&1P{3j*&^xV?ACyvxv|_!+L?4ot%ndUJIB)^TW||KH-^6zk-f
zsG$=t@ve@8hk&~vRc5eJbCt7GAHjEX>MZ^%-rb641J{B^ce>;3>kq93ZxPx!IM-3X
zPG0OuPUYi)^|CIs7BBAQMvYrbUn`k{-g~ZOTG4rtja?Kgx_YiL>6tUpPw_Sfa(jGH
zApgZ=a)7$erZun%=zj{lLtsyk%X{xF^zGs5FKqK4_gRTOCF8)y0gqwMCvgYw`Pi9T
zOBp0G<qsdYW6-ZuR7p{PNxO>D&n3pT9fW2IeG^o-4=dfbAqJU`-Mnc7%i6XgoIwuE
z>cIUr;3p&7`!HYi71jcM4!tArG_u*>wxDK9yY8?j{cwNTS8_4x$4XJuvmG(4Q9`PW
zib(s4-tm{v%8=*uhnItOeR%quC9ekY3S7D9n*Xhz1@;$}kzNTs`}fAZ))r}u#Cq%r
zC*NcCM*7j7kS8kHn!lp0MRzY*`=2>S`(+$iW@X4M*6<MfA@H?lRv+Lr-n~$!1kKAk
zL=ON1fmisx^O@RIlp}x>Qi8P{_w%5GOgTY##`+}JnU0`*6k0ss<t8mqmcaY)SNn4|
zmu`_qgQe0vJxG#^Vx=;jJ^@bxO9RxsRq};WF|M3qZ$i9B$z62MqL^@<4MlJ1RQCqo
z-r!v;!f}-J_&DY{BF>)n@aN3+o$5YF*Oj-3)}I@md#8#}*C9o;Q(1A-3$=&IpRv<a
z@qg@6JoI$2xX^3<12McCtc;bNJ@DTZxbS~6l-@}L$HQ06KqD`q4<si2lZKgUNAVvG
z{MrtxT8IBu%$<7yd-Lu;`4;T+J5XW|(tbvc&6wj>l>P!ziq5<hyi)Qj*!H_o>V=bk
zJGlV!t;I4CdAkSSN%Vgy@xSXWpoKCsOmrA|R<3InI+j$fM1J0DFU}8obN~HcquP(_
z;C*;L@*-TLhJl`Ay1!KLj5;fK{rC7r*}XumNHiIl{VZM);cB8k?xB?<*3CiWk@M4h
zd7<pO|F@-{i$CbU<Js_5@SdbCe%Y`MZxM3XJ47x}r}AWlyjAYi9I$o->xfU1j=V)@
zjEUyxmBfs}z;!QID8x0-$Lb%2A})I=@?8-gUJleJ^XdfCFgp*S{5`l$VxhJExwvQP
zfD3H*p24$7V41ALIsV=u^g}A)zU#n!?Ci($4S^gI`qKmb!(2=kyU;5s&vS~_qYYwr
z;3}R_sLbn`kXZ`+R)^4>csTw2Rdj#k=WHO}@gQ2rf6?{-O|jBX_utrh^!H}yXu^>n
z#UJ*aKejWVli}QtAsz)mOA5Xtz9-pN)2ksQ9VsDa{wIf}h{J>aq~d{xSH#MF-W5N+
zAMw_YOB%6@T!3f$0dw(F{yAKd$b(NJPa`|%$yaS^17cr2uVsR1nCm6_u3Qz*&{53(
zUJDG~inF=?N@R|Cpnp~eJi#Yd!)v*Xy%HJ7Ct=`?2WF7_uSJqBf$PQ7i=TzobEbG`
z|9E*pk()zH`FkyBlNVhpveQG-HbI}*f!=tbC@l~}kI2=ZpmppxIYs)%{|1hsFVXkp
zDo;votWL1JQnF3~y>?%qjzAdfAHUrcOvkxg3)oZsT1w;!<UU>KmkVM?qQ0U7?{;0_
zO!9d70x4$>p}Pr%1nVeX!b=A(EkqvS!Fz(&4drta-DEe#t?kxvQ{8m8zMJ7@y4h|+
zx3SyQZRWOcTf1%D_HLfr!OeI3x+C3D?l|`ncY-^~EpR8hQ`~9p<?al3mOI;><IZ*G
zy9?b#?qYX|yVPCgE_Vx+p%y^ftf>;9c_yi3c++cPj%*!OSEWKXO;`0)ee6n+f$v~u
zfkv|Nm9>VLd)e41Z$udljC`Y$F~yi_OfzN~cN_N@FBmTxFBz{GuNv!(H;j$Oo5m*N
zE#qzD9b>ccuCc{<&v@VXz}RVgW_)h!F}^UqG`=$S8ebdV82gQHjRVFZ<45Bs<DbS6
z<7eZj@r!ZH_?L0q_*GZc$-2I7pd0I<dZZq$$LdLXvYx7^o5Rcz=9lKz<~Qbk^PqXi
zJYxRKJYoK38J1~TmTiSwHLQA8eXE&$m%ZA)*S^ob-+s_uV?S&^Vn1d-VLxR*?MAt=
zZUTBD(M@t|xpmz%x1QU;&2oKij@!s>;^w-|-Ii_}x1BrM9q&$bFLkH7m$}p3neG+t
zmF`vUJa>V6wR;U}7^^hC(qt(c7Oe|jRSy1$2#f=ihYni-vwtgMMp$KVf~uIo8iP4u
z)iJL$PIXh=)p)#z$JFEM3H6NnMD12TtE0wN<5T0Hc6B9lvAN7FG*_4_%^S_z%)88c
z%zMoT&4<i~%}302=2r84^K<JpYrXZlwZVGB+GxFLZL;37-nQPcHe2snTdeo2t=9Y2
zHtPdxyY->9!}`eDX?<+%vJP86+7;|HyN`W=J=vaT&$n0EYwcI<*X;H7279CZ9-hf?
zI}=I|X}6zyKEm>NMtO<^!3*3K^`iV!_FD9#R<_&G?WC03)$M~47q}Oz2zRJELRE6d
zxMT3-8u+Bq7YcpR7`^fYehu-=yMb9h<JTCt6{VU0w>qh&z^!R27r1qgY6kpzK{W?{
zty3+G4aO$b8o0Gt<q2M?j=-$#std4dr|O2D`&@MgW__)C0=o{VUdBP=py~(QI;PG?
zpStQoU{zH$7?_o;E&^^fP!|Kg8ml3|v7t)vY@`|nTpO*1>*;#B8i5|(sz#z0cd2RU
zu|DcbJo98V2fa35T_yOX<^sd+SMvqK)YXDx>Kb6#V`>R7?FqG1uuUyP53f~)=;PPa
z3O4~gb}jpN2w@jM7kyF<l;^{H`;eGvxc!kH0ZNrGUEvD)<`q!bCSBEkeE_bPN3S}-
zIFvSaY8UN&16Y7M&{jj4;341~h+T_2#Hfbo*~^T}jp@b=V<u`7iWTboRQe0O6{JAj
zPIu6qbuZmp_tE|I`T8P#u^y!->dW*D{epf`zocK*ujp6xI{lg%Zbq1qW_dHptYi)a
z)-ETu-fuo(zHGi`t~Xydx0oN8d(1D)ede#A)RR_}6=%g;308`gMoMj9Wmw&;?$&u$
z538ru%j#|QvHDv5tYOx0YlJn@8fA^P##m#man^Wik+s<Rn{}&oyLE^4sP(w@r1d`D
z$;<XDz~OcF>-PKhHv2>SbNdJTu>GU`Py48S%sy`a>XdWBod_q=Depu%6`W|NqEpGK
z={(>(=&W%bmYxO{9W*a7=a^TSbIp0?d~<=h(7YN~467xeZQf+wZ2n*#wol-!2Kvn3
zTe<+$xSh|@2W`B<y3$&Sw%uhP!yTh>mugOoQ{AcI)Wo|=!ao62kOZDvQ`I$MRk9Ip
zG&iaU<{J%-E=CWdk<rWOi?s8N=Zx0mulMj>-ADfV5cumR;}LMz&BmkTu8-jj?l7JN
zhyB7>OYZudu@7(b1-#Smz?;7Zk9`GP_D5qKxa<+*HFDVX8i%n#+q#kQhHk2x8b1Sj
zHW^2)x9xc2ce|dQse9W#`&QlGzTLi4uXAs5Z_*nC-*g*239hlp=5XaRN17vzTIM8k
zl2IG<@S;)2`PMmLv`4;J@URt1nb(^)D%bp*`F9mzK4U(w(#)644JyNY)7+$*nD3bH
zs9a#kd#aha&HO;MFh4YRs8;63=6==2{LVb2dYV645vs2hZB<s2tZG(*nqnneDe4NV
zj#Wop2^>mSbF2ndmYQodv|6Zz_Dl9xpti5=U(_@5?$svyH^)_PqfHUkW!5Y>r)FET
zm1E7Z3YBYJXI-yifKz`{)qz*Hsv5wp+f|(Pp!KMV2ZlYaQh;Sos#<QC8v$C>Dx93f
z0JdDB$^m2M06VTSuTmPAGgpNJd*-PyV9<O#_X2Z)vVchom1ABFd@@nKHh8K0WPOMQ
z+KmRRgr5c6NJ5Te{0zwD6y&Xkp9y)~05A(b8xlDiG@pZ?3+~wnb@W!}qwEAV4R95t
ziDgtaGL&g#8jY1Uh8eREUus;ZY-5e_h;o59e^+6k{tZaqXlw-BVr&I`A3QY-(s>`^
zz!zl;jwk~-;sCn3vI++WZKO=yTDJyWd~AKJ%Gt~98&o;>M)xMPSp&DVvh;90TxmT)
zPe9%&dJ0l5)0gqO1uD8(8K9&elxZF|v4ews0yL%Zs{^_IrHV4YGQUEOeJ0ugDgO<6
z?nm=S^x_fo2;#q(zW^RHkD+(}W&R62ecU{bl;6zXl$LJAJGCuag<Fp0;w^_;;eZjq
zp$fnu^tBaZ#i%f=x>a43gRW2mSL3WWWfPxVD;@ac2t6Yu!-CubRy9&lR%5F%(sQk5
zfX#ttVfGe#i;A>Aus=`{_6~ao;-A^r$I0Gr?+5(e{$7>0f3|-{{8wOM1fH-uxW>;a
z2AU35p+MXD1u4fMpDbOV3qT)R&8@(q?dEp$Zau4>stP@(zN!X(*hf_YcNwcHg2P;a
z7F=mvsUpE?R^mDDu<lS*th=nclnrioOqt+3;i??CPqeBG4um=B;6l|@d2pf_6%B4w
zT}6Q-)le0{18V}0w9$%hU@*GRQWJ@p6Vc)b;FRF!MB?W}XaH5zMbHAOs^*Ya)l>^e
zl^E3udQGfq1Kp;&8Up>MhH3{LCr%B8^ooa`BUn9wSbYhxx+y52wwel^vktyNCKx_}
z7(M~|rcYf?3~xycZw)P>p}LrO-WHleV>MGXf%Y_5^~A3UF@K^Oh+h-p|3ozdzg%@S
ze$z+`6V=P=b+q{n(0_CFj`{*^{!)F7*6vf^qn(G;PiW^q@oPd&<T7>4h*slCK@&(p
zO^p^tM>W;xY;=Y`BGfd&xZZeBT~2ChO=@Zj&ikC232yrm^1N)kjQp<{uON?5*#uJA
z1n9%>;;PWv1kzetaPAL~2f8uf7seO3D%3Z@_`x`gIJh;^p%1H>q{K@|iI<QDCy)j&
z0WWT&`s((&z3LB{-2pmIN8M44(_M5Iq<7cd)gXPIJ`X9qbT2g!61}%-1gYLfHHKvG
z2h9jSb%7qB2dF8K@)sk0s2&PENN9Mt9<Rr%0i@&+(7-3Dk@`}7DWFjGC_PP2LtJRP
zA2g;Jh+m<v0GzF7qlS5U9^wo2LcnYEb*TS(y%Md0)_}Wg)|(N3S8qr9H~ODym>FXx
zsF7y2*#fYo*$FBA%pr&mGlv5%HW#bz&@Ps%D$t8psNRq)*Q>gaEa2SGk#AFD%{$CH
z0Pi&KR5{Q>?otWnYIC)!X5MYy4LNeJd9SKyK43n8s}GqEq3k2(BdV79xcN9zo;06C
z*{95>)OnCo&!|hyXU%6(^K<5NxcajBGHQF(d{y;={=E)4Uo&5W{M!Io)*G_yP1Gi`
zEXRBgvTQ75**4tq14y)r<_<`--jHY?qy3+mpW`aDA=D<^ZZx@Fl)2aZTGb%Wt3;kR
z2G-4fl?n;?ovJN%4z3Cpj4^*Q|B1Np!ZGI0=Ff-=M;t?r7*CGakQ{Lgw5?xN4`^H`
zkVm*<1@m|FB;=d$$avUG8gbJy!DVnDE?hI2Tyu<7&MJo#;hkfwNUOY>Y*nx-sBCi3
z7^|XH5mzfiBG-UKt_CPPwV@Sj#Ud`8HIbZk3^{8Sw7qzwCqQ<mLUt#s+R*({kRlR1
z9uhnaapAjT$ak|K%^Rp5<h~WGEJ*fL^5D_r!DFnZR#W5`PCSO3xFMwa<>2Krt(kx#
z+ruH-uTtf$xz=3B{CU<q@XGnte8d-63lLvuU5%WJtVL>ub&Yk6N{3dt81W_662zB6
zFPKifV7j%&T7%jiwjKdoXRT9Hp(VWr?)<v-IwZrJ)|-HDTW_ljXx;B2{=W4-;0M+R
z%7o>$9n$7Q>qAJA9o7zT?T@UFAf0wvuvaKO!(fr^Qkm8#)?w6n)H<%TUD2)%SkJDf
zGVFHtAjF5;<CJNSx5ujj`x1LHB<7{|HQ@D&?PbcP{0*~jv~N+F(7^6eePHq4r@Gn?
z*bk^l_CxkVND+%<5^RyDRA>8X`)SpM7D*@jIr}-ppSPb!o|o*GR6S_Yuc|m`((6=Z
z+ADFe3)ibOXx6W*I$|N>>YMhPD%Rd)zlHeQ_S>p~{f@mE@ptWa5f`ag(|!+@WJi0e
zy;aqRPX4~igI>N3c|=-9+uQ9A5f_<R)BecbiTKC%$Ebgoy$kVA>`zpRz1#j2agnGs
zq0fJg_#S%?>i@$2LbbQQgpL;n9q((EZ|}4Bp*`Q&-ylU~Z%zAK`vBtK+25fJ2knE1
zi!@HM57~!M!w>ckssrqU!$|+h{s~X_Py3&^`w{yHQbc0cgxzoy@n4`rHh>O!9PJkw
z9t~aPH>Ce=|Bg~8?USmWV>pJ2b4<qsv>aPCa2#lx9iaz*tNKG{41+CP&J9<QZUpql
z2x>}~D6L+_Uw$TjLXsBbu#F$I5B$P$=Bo0P#FgPyC<kd9j$bULat(MGB4I(4$1jDR
zhH8}4>9DaY!hcf<zjWBzl~pEXb~a^p;}DtMnlif`Wp)S3>`s)~T~TXIc!Cn}vmv*W
z&;rp%BPh8m!fugYUHsyZD;3wpXH*L^ygtrEPi+QUKLcSVexk8vL4u21Zx$lg+fc5z
zr(DmcT<=V|uHhHyfv4=LdZ9l=uXR;_NcVI#NL_+-(QzxQ%hYr{iAee?&<7UcNkrb)
zP>a-Jw0#MFDQYQxiE0_f>{HbB>UQK`1#e3_{4I~8o+s2=Ji#;grK@MvOK7QR3E64`
ze$mtw8beq31iHd*Xbid37}`-|=tPa7D>a66bp*d0@!X)EU+{~C9|Pa5H7XjFR4R0c
z80g%wMyyJJm6w5Z(a0+rO^oKM7JVJfVDWWVamIPZc`6CEUk~Jj^@sTR#!%!LW=ugn
zQ;n%8JI$D>YQyU`3n^C^^Hc+4zOh(k8B2^MDvJ7jL+B-ULvOeT+DQ{?CvB*m<WoE8
zOkYYW{B<v)X3<W<;I(@VwXHYSqn&RUZy+xAKr^v15r>Tl_?`jV44$d2$Rid)KDCx+
z#&+XF)U(6bfvcjyG!y?GQob_2LVT~W7iITBn@NQ&`VCTGjiSxp8{Z>-$T)<Si;dBc
zT23mpoX*s8BB<pwq`eWNtLQ4K8a19~Vx_7CKmT2Ctp|q{F6_Vqwn3%A^YI3F`bKLb
z_`C4sO7Mtnf@~A+TpfO~cOYptTbm)_;2%S}@ar^q$+oI`<l1TQ^K1hj7vAk7?`}li
z-JHC;6?u1C^6otH?vCW$UHrWJN9&)s`w{DBv`YB6WBqD@M_4EAXxK=?(<|9E?08j`
zoV~hT-_B6+cBY-Fl3`^x25e%t#npCpFL0LLc5jsGV-EmVx&SgD&A!kc26-Toz(+|?
zfs&vRB*8q@9R8?lR8w2zL0enwv5u4nUF=)!TT%9Qdlldv_MNJ#Sn;4)t)3(AsZPEV
zPc9Qr&XPes5>E~iPu`J9-l54m5~=T-<Q*1yM;3X9P2N$L`aZB7cgQB!s6npbqrTsP
z`hG6?MJsCk+29%VVLb@f$R^ilMXphkTm!yv{1V7Dl4uPilWU}qYt$y!XhN=0om`_m
z`9(Z=L_9e{259~nv`J_?lT@u~0VI;1Ez+}1dag^YKNfUbQMIM+pG{iz!4K0MDPjS1
zAjP(#9gu5u2i>*;l@0+En;@Gs*@`q-lhkO?N=P6bCX)_plMb7Z0$b5m$fd2&fz+4)
zYJ3&7iN%mjI?RSQ{Y|8Z-H=PWA)6Ffn-rKp+G|DcXGi#>K1EKU!vxUb9>l)@HRg)H
z9dWTLvO$3d5Erj#D^g%h+8Mc|LxXgfK>M@}?b8ON$tI-98l=e@q{)_~#%$UjHOx`w
zD3wqBtCBU{ngRP%w6IFnEcjWP2mLHpff7U)OQkO6TB3`kQWtZni&dg7){webQ|e+3
zsf#tGE|x=GEQi)^W$PB}7S+tU&AJV6m9+{`?B5o&f77kIt-E2{KWIIOyNmATSPxkb
zAubx6V?Aa)hWt-hPXIn;Jq7rj^&IH`dFy#qpZZ+~@|SY(tglyj<S%jHFB=gTo)Sl%
zl1H8r4xX|F>B2|i$Vc+XN8-pw^2kRb$VVc{N6M3rM3IkFARnnkJ`znnQipt`oF#mu
zo%J*LNFMn}9Qep@hzlRdBOi$)AIT#h2?rl(gmmE@dDIr;$SLy3DI&-tBB?EwCwHho
z?hsAxP{+Q_z73^TfiL7aRh_D;3jG7(t*ox9(mzm*{(;6$qLZi^Imu44YE6wMl^Tsp
zjV6^EO%3pq$+SkbZmZkEchpX|Q<Z3$M(8}9r=n<|=IVT%uj<oEt))BZPKbBbox$V9
zV%55<?uHbxTN~4Et)+YD9!Tk_d#WVbuxYemGik%-=)StIil-$TMoTt9_t*VZ4cfC>
zU!X6*eFy3bQNv(8Sk)3ww#v~%H2f5Lm>vfIl-Rk^dW0UK%5elB5}xi+stLydD(EqK
zjLO33(^yqmkJIB+6<WkG`VxH!QpCd*3%~e8)sWV4GRCMTt7O{9b!j6vz?juk<)fvX
zOiS6(m+Q-sA|njR@TbpEb@WU<6D^sgXW?FAK_}}gHT*kzj-I0`=&STx+)J$KWIbOm
zKv}V=ll9g5YNRjHi;!{+ENiWA(6`}vZ`V)ad7skH;d!6e&!gX7fW@7o*Xwui)SLA_
zlsck+Mg1pC2UekLR#TN>ePcAxOg6!FX@e)5oz1?uDmHjBJo`gocMmg%AwJw3uF}Qx
z3(FLqUswuacNiFLTMgUfZu@Rk(Z0vNM}=c-<X-r|#2#siQMmhIUx-zbg3*!(5np4k
zfy5IF#o)+EJ^NAnQPqgnN{aos{W$W-C`zLJr2V8yrTvmY`z71{yZv|Q;WDn`+Rxa}
zKx2Q_hP7`0!~O?KiCvQoyXHmc=c0#4I0u{qkW^Z&B#u@gUe+Z>)+8?0ApTV$=A{$!
zYJ^~0II%5G3%11&+v*V8Vu@|lh;1F{J&Dsp^-xt$3vSi-`#}Y_8W6WKh+8d*TbabI
zY~q$l+{z?wr4qN=5w|SjRtw^mk3Pa$S}?3OG0aB{vx#9j#4sN*%piv4&?DmmZb3Q`
zt9<m!)FW<X5VtacTUP<|<^scViD5osSPn7FM-0m)hUL(M(}5nGD)ivQ(SuWk9-I#P
zGyNH8So}Ekh+7%NtxVun7`(XU%yRJZhnwMuM*!P$>Fe>CiNLwq#JL>eoR5B=dc?d;
zVxEtfmq{Ox&m3WnQ0<6$ttff2h<_&KPkG9pNXnn`ls}Cqe-h{mNTU2nr2L7Z{7Izz
ziK6@|Px;fB@}~*qPh-lTCX_!7DSsML{#2m+X-oOjmhz`9<xf84PYUHvGUZPr%AW+v
zpGK5F36wu=DSz5h{<Nk1X-@iaKtIslNja@aIn78p@uZw)q@3y;XKY5AaY!@GNHgt8
zGu1&ekZh!uJW@+JQcDD>#U-^=CAEZ+TH26Wnvq%}=ml`>7wi{M!;7GtHk1j`lnIq7
z6Dm?B$hcWe)s)h}vvTW_x~fq!BvLX&Q8FZg-X5dhPMb^2r5NE^W-bG#5g(opquYh>
zu8AivnV!6680)@4)x&uAjY#>Mc`M@L)vImZZr+agDsz=8PY+)-J$xDT@HL@_FM=Mv
zY8WNI2Q}Yo-iQ46oA)Cw-o8|foP*z(Ys@u>V+<X2is!GM`Kb9A+93Wv2ji7bpl#v>
zjHVZ`ocT1ytm@Ghm;hhkKTuYDfep>)F^ZLpQ7rgN=of5azGA+DxOfL!&^uV0-obbo
z{Y0JOBTS}`u$j3Dqh87M6eeTTYYSQ^{=#Vb3#-vz=)(xuhp0`whRO6AYIB$Q3EH{a
z+>MrhYJQ5V;zz7aKVlPl5KVXx_o}9t7x6Vbjxu(VNk3u?{fLS5BQ}K}@q3KF9fCJ8
z5#GdqA})T!6#5a<%%djOR??doMQ>t#dJ`Mbo0vjxVikH5GvQ5yZDXE<H!)Kj7pe}t
zi3W5$4WD8inTLTfGw~*-(VG}!g;^NsqEE3ReTq>Wk8$Bmtcd)TtV-}KiZ?Nl-o!L|
z6C2T+m_~169eNW}=uNBvZ(>d8nc_`Mq&KlCy@`qRCMMFGm`QJ96#a-*=ts=7@WWli
zo0w=dvKnK|uZh(J?G$ff8oh}r^d>f<C(N)hrmS)?s{AS}w{`G`WzioNOMh4r{b9NA
zhrOZFF>7KYd`oY_AC^vkSS|R&-a&k`y%}Ra;uWhvuUG?m#TwHq7EZ5NReHs;;1%1B
z{2$sM;x6J9s|&B#M@ZQT-&kGv#&)S%^opg^D;7(ym`$%(C3?jw&?^>3uUI<0Vm09v
z`vzsjAC?1u*tclm0eHpI=@n~CuUI<0V$JClt3|I^oQ#^|dBrQ1M6Xybykb8iF8;7A
z`ok*FA6AwAuq^vG_`}la4@;sy%z*RCP_d47w5mm~SUSC8wdfU-@kp63qA_nq5GRY4
zXBI8b@w7a%XnAJQ=FFkZ*@!l0Q(BvsK!(?VS4Kvcyb+}g+Ln`PG0MnjHta$f6>Uz-
za4c=YEZT%wv<b)4Cd{HWm_uu@5$(Vhv;!y5(wj{CEt@u5b6RMVX?HcJrIbyJD1#PJ
z1}&m-w1qM#k%p1q#ev@~Qw8L7iR5$z<a9mB>3Ybl9$b}?i`wQb;B*D#bm`!9s}Pq_
zjCArilRU0Fd0Yy4TvzhA0*+<WH17kCD<F?E!Q<8-F5?<KFiYrR#D&M5M;=!|9%qur
z6_CfJlgITVk1HUL>&Eep+U7sN=?ci{Omeyca=HR?y6)t31>|(~$?4L`=?rkX^(ZBr
zt|vKN4|2K!aypZou7I2_onxH6$?v+7-_^u;=Z7dO{H`bYT^#t`E;Y&g1YECx{H}of
zE}i_YJI76Gkn45fxXBRmy9DyPf#i32=C|gzssp)R1CE{y;pj;%j-Cu5*BeN#H-ud8
zVsgEK<a(N1uO7MHKytl0<a$Fmh7!*)lp*ALnqw$KIEIqUF_a<XdhN;e29oRLlj{v3
z*BeN#m&Eau(Hu|d$nlg~98VcSKA2BFID~v~2>D<=^1&hGgBJPVK=Q#<j;ai?YJwYH
zL~fWzZrFg_a0t1fCN~^HZa9!*E2-p(b;uLr$qn;3wo-#*D+9?BFC<SKLY_E~Jh2`%
ztjg4|DpA9#Obu%|H7uJNR%>clt*Bu+)UaAn!*Zx$Ri=j3ml{?tYFK@#VfCVh)rT5Z
zA8J@tsbTe}hSi@MR)1<(gQ#J(p@!vB!x~Nv%ch1koEnx*4XZyjtp3!n`cuPdOAEgp
zE&R!}@JCqUJIth2pNTnBZ>dXZ)sLh-pGiwTGsG7-iZ*;h+VD+i!{^e5Z$|6AC9U@n
zwAeFgrDxg+cDlNhR{BU<=9zx)os8g&qD|hAHhC_s@s^Z2VURkns-cuO;gmN+DR0iF
zyy?vGm!TYgDbMkjp_Dgi9Df-~Ns~rN6HQ6eiIOIglBO;t%}|cNl;ilzP)eF;j=v1$
z_)BMwzYL|Mxqy;pC?!oaCCyMunlwt92uhlvlr$AM{!*UfFGDGBqB;IDl#-?sCCyMu
znu?S(X_Pck9Df-~Npn6WO=ph34CVMsH08}u%9}LKX{bV}Q<qYw97kb>QtF&fsS_qc
zCTb$bVun)c45idbqtxj{O;+Y%#VGhT;N6I!CL2plb^yH_gQ?Gsp$^-MI;=w-wiUe_
zGJ7$WG@wZX25CT(1}xHmOBx6#4TO;f%8>@bNCV|a1DZ5olLj2pfK3{3NCPHmz$9i{
z!0d;V3!Hu!debBDUAb&o7+Y43EenGz&8I9~K=~O#Z|$HmBxfxAwaqC%2UC7lr2M>y
z-rD)}*1`*o-$Ht8ucn_ioPOFB^wVa-OIu&9pr1CAe%clE(=MXal{vy9b!A3UE<Lmt
zQUbT2hxS^^;RW>2&Z7j5pg(p{F$pX)GMZBkSEL-ii2m65^v6ciADc;k?A7$gM$;3!
zf}YrLdSX}56T5<**i3q2SI`r?h?3k#A8an=c?<erucZ%m1%0sL^t-O0-!+qd*G&3d
zSJ3YoPQPm=<$nu$TvyQ7x`JNT74))()62SoUe-){Sy#}@x`JNTMf9?UQ+M#uzj`q}
ztJhMGSV%o$A$_Wu)FT$sLouBmiu38A7)am5bowSPpjTo5ePH$Jm8d|kL>+o1WUl7<
zsxG|}{ppps96qo?YBarHBjNqJNL@ugMFsl6M$lVPi{6SE^i~X|Cu}CY6<5$(F_&J6
zVf04~rzawno`{L`M9iTlB9)$qbowAt>4WG???Wp64yp7z)S}<v3VIn*>0d~tPvLU<
z6sE&>bu-#|yS@|fe!T|pDZLgmN5q3Q8Xl~d&~lkMQUQLfH`EAvAEwj$aJk;0KSCby
zLG;(3>pi$Co`_oXL|j2%Ln?g@bLeGArI(=={R^q|ETmFvn?`-jq^4Gmnp!XFXi?O~
z5~+*1)Wu?`i*=(GR*m{sA~mmG)VX?4+e)N{)tS1LL)|KhT2&%7DVI7_3bm&i)SJpt
zZ|X&jDUn*zCDf9-QA?^u{iq!EqiNKS7SkSFLY>H^PBfL;P$9J;gW6CWwV~eBgL+aA
zDx@A%o_bIr^`JQFL50+S;-~@Dqz05k4JeKpP*-X|h17tmPy;HY22_(8P$4y-F4TYu
zsR5lw4JeKpP$V^=LTW&9)POFd?qgH;DNo&}kh)JKb)Q1&K84hMlBoL>Quhg??t__n
zn5!2{-KUVc&ob&hy{Y^3r0!El-KQpXpF-+BanyZcsrz)L?o)-jPjBizQ>pvJQR^wB
z))PmqCkb<syTkV`v+p`$F7j~Io^$Z>F%Nk>y!0~b<QhtXYd9-!DQD#^rzB_-q7AhU
z(S}-65?n(qrV=%g3~C}-)I_qVgIr1-B#Syo7Ilzu97o75rGqr14l;$~2ra3JjHf1&
zK}{r!nn)IPkV~n9WKjnh$8mw|5FMl$#|2ta6B$o$RBig9X3+yRmcFMndYx+1-!z8)
zrZjq*M$yw$kDjIm^fX;bPt#=jm}b+v)PUZl+Vm^UrlwPwI*z7x(}!A2JoT4&>Mse@
zU%FF&v8caHqUKVSI!gkzk_74_@zh6#P!lPj_K`rnqdPT@WNIAo)HteB*XTq2B7vGk
zJT;36)GQ`Zv#3g)q7QY7%G4m@sX=t-jLHs}Jzie5#r*LKsuTUn=hO4$&GPWHhSnik
z!$M^!?Ej?)S9nfY9XfXJr)rFtIc0+CHD=1FOVs)a!=_DA$HjeuH9#j}>&jkXRUnVk
zAW2(d9>fJ|I4sx8)m+SFxKZ7y)~Kg3S7D>ts&*l#(YH_gB-NT_V{oSkNd82X4hh^!
zb;JycfocTiZBAG7Fbm=)b(eZb{T-6`P4zzJHOT#9pgTn3u1S#bjZjY~%()n(Myg4e
zS215LS2wHG>S4^2ctvee+b|Cz(9RfTV%A9v^o9D6@NHCQ*w`1UQK|rQF&3yo^*435
zdIaOHud27y2kKMk6n48o`AMo@UY~wRYH^Rg=Ow9^`gZG^qz?D%(=ExU?SFa;^H^e$
zy8$$YwyF>2c#c++)huWwE7UFO9`z_@YOGUltL^GDfBS7!0a{HhXe3QBlN0kDG0$_1
zx>Q{OJ>yz+tGX96KK`LzgO&fG`rKc}ftR5Md<L1&Robhrsvl;Tj>VUCXJhurb?P>C
zALfTVr`D^@YKPk6FXLiPO&qkMEX-la!|c=ZG0SzFnyRi;*Klsh{g_YkJjR&cRUcut
zh}XAa@MFYdj)@O?O$TT{{V~gQJZ7)V!5o#9@IgGFo>VVjw#gQ?6Qj{ynR1xhB6DxD
z;o-<v=cxf|7-qd(rmn(_mK)R^>Ou9CdJ%fld+KBLmD)RO*o0~JAj08<;|Zq_&LW&o
zxRh`u;cbNXjL4Zf!hV==E#WJKn+UfN?k3zvc$o0GK*t&}Z0aZ{im(b{4Z<YCx`Yh~
za|m+@TN8E|F=FCmrz_!L!bya430D%{NBAt^Cc<5W2S-jSnCSd2(6tD|38M+C5ylgy
z5T+4k5;ht=W!MO}IbjFF9)uSV4kw&Icsb!*!li^aP8c_4n0qJTeS{AaK1uj2;Y)<;
z2{#dLA>2NpV8jG>7vUbl{e*`Ij}RUg7^VoFNtaEW5*A5Vi7=Khfv`4VJwhL06T+5+
z?F$fubtddV*pF}!;ZVZSgcAs-5Y8Z+Q!r)Zq_BmAO9`(dyqRzn;XQ<F2p=b0OZdWM
zx$io{jf9&Cw-N3n{ETof;Q_+Kgh!_Whr><?ELV-tN7$8cB;g#wTL_;f+)TJ{>bOax
z!xf=J7)e-(FqSZZur^^mLLXt1sS`&`4sS`=mGA<>(S*|o=M!E>cqiebgfC2;>dOw_
zM7WJ`H{m|Q!-U5LMp%SVgt3GvfH@Hj2pbW$B<w)gov<I_V8W4v69}gPHjJ1}xR7u;
z;f;i=2=60&lyEKKON1K$8%1m;+(Ed9@BrZv!rui(h7ndGj3=xM*f`Qh*o3epVSB>P
zggprR5e_08N;rDzWy7aNP9U5@ID>Ew;X=Ztgx3+?Ot^~ho~f5jo*KD^a4q3F!p(#`
z3HK5nCOjdqd>CPsS)-;Dlush8OW1%ghcK70HDL$Bu7te^`$G<E{6%*ERiOz9BI`i0
z9O~Z|Gaw12)qez*T)B!hH1N!au4Vo2OEI8>$n*XYXhQFiwYc&={#`Kx`hv9Yk3kz{
zHD=(#t%W*7_cHw0=;5Tv6c2hSqCXncBF`NrvFsm%HCXnK!9<q*BQOGQPFAg#T(hpA
z2mfEWV!&3Acm7A9=+4pLNwTI}0nh$pXK{=C@2hUy>|kt4Fg7+AyEqu@7mRfc#@YsB
zO@c95Gs&F|;(CB~fGKeu{b6f=*u)=Z`op^ZP{t@FzpPxBFv=e~{;(}V?356f>kobY
zFwGw(`NLR$80`<?vt>D<ZIrKZ%zs`5E#<BYahM_Fj|p#LT8*Q@*uh}z%V2D0Ft#Na
z+YpSs5QtU3515i%{Z7JL2v-s=CtO50mv9#0G{Q*&|1g$$xQVqzu%Bel2?b8}KNmM(
zO$vRSJIsOYISH2c99V@bU<uy|drfTb4X_Kv{yYr-v@*hsXw2?UGSUp6k!!StC%T_8
z*cfR{z+C;=#zJGcaig)yxDS5kweU1=z<m1c#%_3t4`QzE2`p6=4a2Cu18)dnVgv8o
z!0K2zH*WNY@|NUW-kF3q182PJA{$Kjo{wk_e_;M!q)zf=g--KAvz|XZOi7}nCP&R@
z%!yhWwJPfIsC7}>qV{?<2f_;Vyz}T9URZgoKOF531!K^HsvZ2{E`NB$3#&!(4raB;
zY6;bR{<K_wIN2WxUZIX^i~ZpWf4IgUZt;i5{NYi5=)XtIAn!cJUr)@066b>Fs6S@4
zKYZFBuJwnTy<Uvj>Yc~d_4+Bcwil+{<E5uOs*GCU)+&KAbD<W#5rF+!YGePEe58dT
z7p}n9A}}1dodlb|0Y^ew!|v}2p9)sYyLAZD0izj@b|s#~coO6F7_Y~8IQDGNMkhdG
zM#^Sor0isS+|#CP49TNYE=XCAa^Ca${N-?#;`K;2Vr#(nqv4+z3GCj9cqHV3%-*l<
zUXEQn65VNlDef%5RCgg@hC2hWaj~3pkdo-m226411E#ujB@g4HphNm=gpbJwzfMbc
z0`pG-Om@csrnp!Oh5jr6Om!y%rn^%BTQFr5FewT$%HOZ<5?o0nOm-I|o<dmLU5a=r
zVaXE9Swdj4yNo3S)^-a4Qwc{YBl%JEL%>%P>URtE)QA?=4W(pX4oi&>#->V5Oj{64
zdnOqBBoH&OSBF>DfK+f>NC~3>(|{o=(!kspH`T}i?8j>zcujIadinFqyWsr|d19}Q
zy8~%D8!?nkmbDr=Mh9b&UaWsI8=0-m#nw`+8hO;2?K*B}caXa`Y;D-la=GPZmD?Vk
zi8tOF9>X5+QC(aH-+Np=3m@PHc;2?cC$<~js{I(FJED#Q^&KNpL+Y55+&uj*!+gDs
z;bM&)1(3c(Z)dnvzt3=)evjdDjTMr(UMS_UOAN~+WO;-vkC5dNvOGeTN67LB3-xBK
zn4hGH8CrTJMP@>~>H2!W3@uoar>_Cbmz?exy#jEt7K~V;uLE4F1s9fS!HebkTEN26
zc&l$hdLl-sr2ZQL^YjgX`Iv7lwcP@^MBfUyO#cmVIiy{4`WO4ar#c+iG6kN@`S9be
zgpcta_*I{V_ir71xtrlz-3f`ZR~>*<IjT-zB+Khh$OZIIzW#*aV*N40CHhl_OZ6^>
z%QWOa@-5f985T-;^h=&bd4w#FkmV7wJVKU7$npqT9$}&Wko|cFo+1%raq_&Y0Q2<i
zfcbJ2eRvPxV!ax0iM|hTsTM3;rtbn=uI~jbgpW8Lk~a;WR+){}78uqYUfm0TV<YwB
zxW`QWAo3+*q)+bgBw)IJ0x&~g2-r|R0GOxm2h7)x0xs4M11`~z04~!H0WQ~%0haZ)
z{*LrSj2=qOPXp%ZrvURYBVOux7I2CF2jDXO44}v}3!{w42b(v@Z30|ezlbY|7=M)7
zUIR?m>i{$K#efa<3xIk06~M*%WxypGD?7o9{x}Bg;hW6UpEJzYdl@d)(D_JF`xq|O
zUol*!zhJmrf6cHE<DVV|pgi6v%OhlYgiA30U(#6~A<H9Vd4z=+MHPx#4>(zG0=!&r
zz!N26)Kz)_>z?tv$OAlh3vjW<8fet|4&YL~5pcPF8xXU5@#b67``r)T{E?i6Hyi%^
z<)DIFpi|ukI(QP?<t6yrH^CFWUF|a4ux*KETZSoSYleAdD~9=ICx)ZU4h$EY?HMjH
zJ2G5q<}qAmwqv;5%x74rzeS4@^#Q;X{S#oi{t+-k?+47&-vH)g#8|td%$9&-^dZ2-
z`XJyEeHd`5{vL3d{tj@t{sFKoygQ2YMEwh3ivAfePagry$65=i?O%XP^l`vt`WWDH
z_%3`HhiHp2lwP2Wp=vBfJZ7l57$aDL5ue*I0`maIJ)Xvh1UazTjZc$kc4wGk!v4V<
z%QL$$%*T2SIUi;AVz}7s!ElM$hv8DQC&Ojtc?_4Ey%`qj-_e>xeG)K5V;2>)`vhRV
z33~^%bp{+`nt+Q<cp=;+rVY5%#5_)S8B`QJiD>~A!neh}szlO*`*ns)=?DHd6jEgZ
zIN%KE(+kaV$eCz{1E!dj0MpHifEil!hK6PsV4mp$=9`rPN10Ut$C*_CCt&4(b_>iX
zz{O@H;1V+$aH%P>b(t9fxZJD&SjM|Ct0O(ptO1x}iUiIxF#?9WBmgcp;{lhLH365I
zae$ByB9+Y~#PdwdWQV?YHcwXzITOv=fGK7MV7l1=FaxW0<mplX^UP$xe6v2_C^HLi
zoS6wY0V{9h>Cylfn{@$~Kzo;`O9fnJLWjiDr2`h8Gu{l~drmYjV3=a|XP9T6&oCb=
zd_24v%y6+eh~W|wHaGBTsd*v8W#&MJ%gu`z7Mcywnnbe^V2YUom}h1K=3@sBdA5Fl
zW6WH@#by)0C1!KLrDjvWWoBc*<z_R$GTs)n0@Mbb0<}S-Kn>6*Py@6H)Bs%qH9(U<
z4bUUXuHhr3ixiX^J^>U7C^dWvDAG@A*a;|-uk0H3AYHhy)UX#&IH=UH4^X(L)bItM
za89Wq!qc7ux^931z|*9c+5!qclU`~CD7;L1sRN+!G3lR<fWpJ1f7$^G|2kdG-EdX7
zfz;d;P&k3q+!s)|fYjUrP&k0p+!Ii!Uuy0Rc<MF}z*WH)skuL(;EL2d1aOo&7*Mc8
zYQ7jyFhpt|2q@SgHJh;Ru(MiBlGtJRXG=;<SNyTNcQ6I9m}%bMpGQ()amqg=WiV3k
z57yHQ=NS7AN$H4`oMI`>ky1C9qGK|Z>`}HFE7b16`Wo36@&Q>-gLw_IH{_$3(}49e
znA3ng`!J7TEmq1ri?h3sS9Xy62d+Pj*$mGj_MFny4y&0mQ{oiAdu0Vr$PcUE%J^X&
z+$nxo$HqHi=Z=scR>R3Wi&Olt>W%HgO1M%#?D0|N59@u({9y%9SwB3tHr8O?%DL}6
z`H8jL`qcW&`rO)MePMlReP!*nzP9#R-&p&tZ><B?ch*7cd+U((gX~dh{bc=9R?}l1
z%P-b3>tEJ!tb;va{bv1+m9W@|z}B{j1tzxb*sdLBm$Sp|2s_d)Z%1Kw%V^Adsbp8S
ztJqcTYIckrYgfmb**H7iu8CQ>iFT5mY^T_@?Amr6yRMyz-7wQJN2b2rz|O#m{4A`;
z&$e^yhIS*nF;><#wR7!ec5}Oh-O_Glx3=5ZZ84Xoy`5)wu=DMXb|<^D-No)|ceA_O
z=h;2%p7ua{klhPw`1{y>?SA(8c7J;SR`FkGUt|xqFSdu+L+xRhhcm(+X^*l;+hgpp
zu+1*9C)gA1Np=BtGrZKEVo$ZF*_YXu+tckC_Dp-0eT6;SzS5p!UuDnbuAK|)h4$6<
zBKsQ5AzorHwU=QAPocfSzSh3ZzTRGG-+;M1H`zDaf3t7FE&#X59st+@;9Rl4H17Wy
zd_NVghhn(IOXGNHe15hJY%Yz-rE&NrS=Yn8B45MYqt|5x57zIzDYL0D3kmz!U>4FA
z%s$$RSx4JsT@F^|?2tLqvI++?qp>RuW*>cyxkq2f9BBJ%S!aWJN7!)&^NtQ;*3lu%
zHj=$3f5NP0tewG3=3g++=wFy+^sCHU#tfsAvPK3gWK5Z1#Q8-=rQeOWm9DI@20P5D
z>{M~8T32Geax7*m*Kp#Tc+6Bzz&zz7%u-HqYB{wXXakjws!#vdQDRwi7@)$EbeIiF
z{CCjd#iYdl3>^v;-VS~Q4YA^E)g5!;{<HY_J20{oKH4v%b+OnZu$R-@>ErZu`Z?!2
z{ha~M1<pWcuyc_!$br0%K8hUeojj+5lkaqNIys%4E>2gco72PT>2!C_Q%3Xwoh(v6
z`T+j22YXO{Gv#<lijF=J{S$J@{_I{Z9er5Ubgpn_J6Ae$oU5F<&OB$nv%p#CT<t7!
zu5lJSOPr<7GH1C{=&W$Ab*^)+cUC$#I5#@CIk!9T*hX)3pshsrLM!V!sZN@c?$mSY
zI}Mx+C)3Gta-4>a&w;)gy+&EiYUgg}9_L=1B_V$!r?Jz-Y3k%U&79^=3#X;i%4zGg
zb6Pvl<)Rm2x5cyEuNJxSJr`?$b%8a|8f0B)4Yn?_F1ChPL(AITmXB^kcYr2oM7M@N
zSx2|Uj&ftHHdb4!oz>pTvpQJ$R!6Io)w#?Tyb`jXbykVJtj~7`oO&;7+}Xh0nyU!x
zh};A_?d0lay18zlTk2NMT^hT6M(1Kq0O0R1_zYNn(T!Af%v!IeV|1*pu50Kx9j|NZ
z1f8gpbh1v-wRCM=N7vP<I!&kRdb++d#JK}C$Z7;-n5dx&=0-Nq89GyEX`jy4Il7^4
z<iK+ujeRST$3h<Lq>VLpVY-|S*AW=sD6gY*1s$y`>Pi~+VTBV|y^ftpb$Mk}IF5cR
z+vlXsOEhdsa}MEEgmVeK^!bc0AY4dzHQ^${YXFT37zqG;91tto@yDLa7<ZA~TC+6z
zLnUh)5cXV!>-3|Th5O&2?fn0*)!cD9UGa>1;@L{0zfueQPfMTbrL@4)TR^3BK-p13
zUvUb%M{*bcovq#TKd1$oWB%iEw@f_{t@=;ure$cR_RCI~)wPU$*!!2>uN^Y9EX~!g
zuUfCzwM7CrcRF{u-WL~2er*9`s_to}l*pmTcy+B&+o*>z_a;V5qdiuE_29VsaAT}7
z2_x^bjJd`ljJ>ZkZZYn}==;Oi8~s^~zpuxa1GZuX*KUlM?>7!(kE`FYT|qeHNGzmQ
zZAd5|BwtIcyXvfaU^UesJyegzs;4Q~qh}7*D=pR6>6`T`eUDzFAJ=QKB59r8h*e12
z^iHfi+N%%f!}=(8J<(<u_QJ1X)-aRIx@H42$IQhDTnDqO*~{#24mO9IW3g+=G;@|Y
z*Ia}ZM=P-c{7$Uoei-YrpT%11^;kK*8*6n=V4ZM0R;;u{PY<>xSktiDa4uF5F2^d_
zTdX^+`>;CjNo%e33ihPhg7qQ0U`zi5TN%Dw>osQ>;Cg2`;Oou^zzxnwz&D&xfE%6B
zfNwfu05>_9VPn1Jj1x&`z3q$#e8;&2aI-T3@Lgvj;1*{R;CoI1;8tfc;QP*{fZLoY
zfFC$h0k=ET06%mt1Ki<U4)~EX9dM^J1Mp*KCg3gydy%7cS7>;3(Z1P$uRB))ZgA!R
zzTsR2xY3!5TyHw_G<>IM;e4E}LmL<1>}_Wu;5*LMNZafz((odpjn@EfaTWu<=PUu-
z>MR9(-&qE@%~=lkfl~;$-B|(np>r+Z4(B?+kDTiPcRDKpKXz^a+~wS;w4I>giMA6p
zyw!G+h9+hw>j=OU9SK+q`i8b^>nOlFx&mNb9SxYOD*~qJN`UF2pXe&~D%AOjt_HYU
z#{hn+V*x+Y)d4@(@JCyFbR6IpIv(&#T@&ytodCF3Cjx%0;e)pJL6g?jH#!Ayzpe%N
zt*#AtK*JKWzSHm*TL*P2;P)CHWb2TIr`Y;I*8@DP>jR#2ZbPe-b30%~odH-$X98B%
z&{^y%+6P!w#*po5ItMUDHw28;jQ}%s6TmF&zo_kOoeSvG%>Z+BbHIkW1z;oH60osu
z1t|KrwjUIn0z^LmqQ|V3Vp-U~;jNX!7a4lNdZ_C(f+jlvJf@3svC5`5?1@yTF>w9@
zoJYX==m5>V3BC<65a*GwMe?D?H^rAC2I0IsER&AV>T~hkhzoHZ1v{k^bo^%cio{@?
zSAf;h85)0cd{g2goJYfk=>q+~1=e(3jPr`HXu850Xo>Gl48eIN*f-r^8??gLCx!yU
zhFSeB_&pIq?*|uz4;NpgXa_jbY7aQd$^#s2bpRY=<pYkj;KRk2Dmnp<w>m?K?FQ>&
zFl?e6r!8U^!8U5>paxj<cLOFk_W&ls@~~mu4}#s~b6O*w>|E%a=VXh$ftd@y0L)py
zTgSJ6vY>&^pcX1~18`5w2+-~dd^zYkBi~$WMcI4Hw8~(SiDmXjEd=*^(SI?%BT#1J
zSeS{Cf-e!tEFg?<uw91v70$xdV62e2Q{8PO7|F&6W3>5q3;H=`O$=6dB5efXhMU2Z
zA;^_%$jl<cO##&Yyx#Xu3`1(S@g0*4d;y7bZlHI|$V?dS0u3DcexgdkICE{x)2j#V
z+XtS3`L9?*n}?m|I$<ZTo>(Q@Uk}BK){w6Vfp34PKf^lE&N4~?YeQp(n!>o%>zHfu
z26l2?gBpgYPq0FDpE`lnp(~8RSP^=oF#;<>|89)Is?O()h4Li}V+q!6ZZcNNx=rIo
z>~yiixCyH?zcB8!UbDv<55lu|hwce&={Y?g^8G8l%KqAMF`{ayc=n+8ou`Zv-+1ch
z_Q!XfCY1d}Czefe179vWH%kva&9`Bge@8urEpJRi)<nsfi5Wsj+l&6t=(8D0VeRfB
zjO1z<ec!<Qj|7bD2YTxl>?bGvw443(8~f=Z_R~oA(^&S?)$FIG?57*pPdBljZe~B-
zC3VBX?aaDutF;BcK4jejq%O6VV$bg7Rw4Fu{hPH4bAj*;54`in$a~DdF5pHpqoW!G
z9iW>Ui(PbwVDJ24#tL<nah>s^dW?Iwe9YZ!cVQj(7WD~tfY^;%%3;MUd<|F`dkEi=
z_z^u4fmNxMu@jJdVI%{qNmEo4t|QIGI#R6svU04JSY@Wc71&m;{tQQ}Zo#}M>C-#p
zIl$8fqHX9=;4@?mXuG}B6Q4VN$$5pXmmC-INex`-=H+#-19hQh@5!)Na7{d!?7<6(
zz`6uCK|k1gU@3b8_4->e0DKD4DR|z^>W6cAqiw)>40sPlpRM=7dihV_V+8j3Jr9~#
zPwZdZ+vtNY*z|K2x$;dALt}gg{R5c-4iJx@ygTp%=VIq#?8I<|a|JvCl5ZIMAO+N{
zxZ2-<$7dd9WXQEK@{D-0aFmukpOFU3zmtAKW{v<?2kAjT&HFL4M6PJ73;4Fgl5w>+
z=o*-eRe{)56SVz{T8n*}<J2?YMH%XK=#fp;2gIZgiAi5^H-T@6Nk0iD8A*aknBNH;
zGR_0WcQkrHOB`bKmzDFzB-zQ&D3I0f#$-^!<Hn^}yS~r3)f{b(Hr^vuY$a8EM5_3N
zRB?<{@taTuT*2TTI!vfS%Np-5@ddEG=6)S7_^FcxKXo0!Pu*VdQ+E>l)V%~hbsxb`
z-4`pFTj~pidh{qfeHT3%GW2{s22yLhz7&`<U1LvHYk|H3U%6SOueM&cUe-&59`sUq
z6MC7v3B6qUTo=N_wn(o4->svs#XPxGeI4fIVNMmkk(Q-bf>&kh8^Dnp>KifFud%)f
z-==G-Z^rlOn(4n`?p_Oh3%*m=THgx!&|cq$Z`F0sx8qA<{q!pEwf_1J@V0UKPVl!0
z`Y!Oe$$B-uTsKAEjjz{D)A!&Dc9-jW@fEun`aXQgZkE0uU$dL7AHWyw=I96URlB)*
zjXU3+uOD(3x(oHg{5H`ec+=3b$QuMh8bL}O#oP+PwRWVb0mQ0-z|($e80l*qFsPFn
zPb|8GI|@w%o#)^?Lqg*P&`i3inV_FxY8L7JYI3A&NQ3ens$0}j&`hFQ4oR4z3L&L3
zFmpq8E{5b1NoIdlrVkbVQ}LtzQF;Ss5q{u(8&lTJ>Tx4S6-+6ZIH}k=;~HFNT!ZV3
z@s%6omr@$C6CCTL%p>#;p%aPYUtPi~UUKZeeDh;}cFNUT)Opb_<qcP_o*%mpNndKi
z$d2%pbL{$2rmkTt-!Lb<zJnd$<~P-bwYsmbx357+O8h+ubK@}~M1DQha4eiHP!q6V
zcpCn#<>yNdsm!X<eRCV_e!r`4Z{2s$mv7$EeqOU5pI<${^5eew<{|tCtTwfwb@ZGY
zzWa6d#vTI?bh~Z(cIQM3U-@8D4I7P`w~UQ6&$pb)dQiLUs=mq&PQofj4j46c+Ndd$
zlJbU49+h3iS4ooH$`Ktdn=*XZq|3)mm@q240%}8Qcx9*G*kRMBjmoa+!yf<VTM?D3
zcnL{)qozz7H+tNNVbjJHOv+C5)s)L-<!b)R{l-niU4~7ZJZ{pMq`Y>%gqZT#IoUZm
z**+eFV#??EvU3{xavC;n*0|Xq-^C$~J-=_@cHxz)^qo0z*raKrMkM7GOqpCT#k-x)
zm+9RuHF#NWnAA6L$G)ScTt05ZsHwPhQbtmz9N&B+CA5PKTbc8X3JU4rdcI+(ryl)#
zmww&;7GEiRXPueXrwpi9u=}~X8}g=Jvi{Y~UW0zEvi|ZFc}AVQwReA+e`NnZu6TXg
z=9G`t!ch9<yzgIK`;QK_FL`%Jev9`zY{{!MHD>;@ack?pb8Et*Q{w8LcWL5N*`NN}
zdzkL~z{5XxX<*ODzdviqmTzwT=J(}a4rtSA<I3G#k6qDl@67OD4_~&p-Kvvsn7wa(
z_@fDT-7xN&QRxe=UO%+ThD~p^sIqI_yu*p*r+v0E<&n34`E}at)P28njl1f>*YC`D
zeCdG)_C1_h?aE=l+;VBfm%i+Ecek%EI{tOkgAML_cvR8{J8#~<Y4-g+I(Il({mTyS
z%7~A~E}VPO_!%Sf-yPa<PQTYG&wgX(k8izpsWw3a_s%=+oA(P}Wz8rs+A2eC`+3sf
z&6}s)w*Av9e`xc`!R~W2KlSA}VZe6Vb`8U->#OZc37q?kMb*Ymn>M+5R#w4?sgpCO
z5p^<06ig(J)vRn7C#^7_gFu5vw81N^nP}zun)n*6&ROkSl<6-#V#<V&vRNKRg(6g5
zyG-OEKG&>cMf$=6Eil7;QBrFKxswGtaeQfVUeQYSCEf=d&aUo@@h~S^DkQ#S<oFup
zW@Lw=2k6I~H&2=6ZohWs4_6KJJ^aJiXO4eWuI7t9=Q|fQ9r8e*yQ&o)h+kQ*!=#@l
zes{ra-~NA%E37p&qEbPphaPWM@mRg5Zhx}I>npw+c(ZzJOXPV^Z_R!nY;e6<C%&9j
zb3pesqhi0E*>-rHn<u^bX4CNtlEYTCJMihp1KQM_-sPHl)trkT$Q_?j>E7Pe7tDFq
zH{ZG!6u-<*@lo#`$=&q(tBogFJICJ=SEE;n7XRC6$fIFjc5X2m&S@5);o;{*!;OGQ
zWEu6(M8kc@jhQrRiqLVRGt%)rBO;o0c<#ko4|eGCV${jI4-X6Pd&85reDYX>3SHlr
zbaGM4zUNn{y2WZ!|F?&3zWL)<hRuw)@U8BPF8_K@UbmE+4y~`B_u5@M$F5z`w&$U%
zbDyvHMy;PlUU0Z-PC<_WcR#-PKK)U>gm=4r@#%;UW0vGx_~ga64q9_ZTCb>>LpOgi
ztVMqBn(tNWAF;C2iANqkI=WS-M<-ADX5}|S-i>~K!-A1FR)4w9+%NWTOSymR3wqYw
z({H$N)a!?0roGf|QN7(^-IuRietpKB(>o-N-LYoc^iQHL%vsidS;Ln<9<iy*9nIf(
z<3PiRZ9m={cVyWsAOC&8vKF6N56((?y7uFlZ%%&Wl^zS~hW#4x@<Tmu4f`TGZOX&%
zdUQPB7=WJY>x&fRC)vTh;j1QRb%ZodLo)7M-_!s(fxyT3M)~Rm&OzV_ej1%NHG?!h
zeQM@ZKZhovHx1_1i|QBU9X4)QW{Ip>)22?%7%?nkOit#AQB!;^rE!T?V_!pG_Uf$F
z8KI?xA)KZ(Si#v+c}@s(>$q{;y-{7OBz)L?SDz6vZ7y!|Qu%$pL}^AXE7n(SZrR+g
zxRiwufj6SX+Ux77?uV}(?rS>Z-i4`dLG06?)!Dsz`;F$qi+a?#>$bLL{HI&Kn)y!h
zSZCL>Icq1rdZa<!5e@ft89A~1zSqY@{bJwOc*5)@)i!?n^yg21`)Sg~ODnv4)3n{s
z4*u-rripno_RV<a-83ud-iLqewqbGl^-*)*uXy6q!Iw|!d2v*J$99v-KY1Ycwx^o!
zDtBr0iTIgo=U(yXxFf%<dN#6J{U5Kouw1L#FZ{CF+m+`{RGGQu*Q8(D;ESh^40_0T
zqUx#!SzY2jNqO=0-)G#|`}IXn&0l=c;Z|#V-#xQo{md(#-<?#h@}=L6uYTcs`|tM+
zXt1P9o9ExV>aAB>r;HuZ_qLbEO?&i>nk}zdx##tl;&)n?`R3c>!K(WB+0=xAKRon>
z`XcHp=Y?zcq}Lf(l1<HfyEvbS@l{2qL)VDvKWfT2A@&AIUH)J5<{j45^~P~BWTp(m
zk{N~~`&>rY2!ad|L_kqgFbjx=fC<AuRb+}2tx#ns5o-af$f_)nAEKgYwL&Q<TMz{S
zm8G?mo&Z6tw*Bk(Jbic`a?Z&)Z_d5<y`T5{zPVvi4EUl#3@^)ngW$u8V22YtXyH+z
ztX+sDFz2ll!y_vx+5{s2hy?!3ITMf>PN6IUDIz>LltquGQ3(-j8X=U);2>*&18*$`
zZ_QsqaA1(wY=SYtGlI;ZQwW|cdI*Wd`Bdo;?B{HSb9g*5ozpcif|-3}q7m#8`Aj@;
z<kN$l*HM2bZ02<oJmim1{N#{rfYsc#O%^8bx4mXhIE_h#$GC~api^gs5)@5TsEXhz
zotI(%CW8(;6mskH+#fs|xkIeYImBVFY>n!#^|@m@RW+=5ZqPTZX``anvi!zw6ns|j
z?d1VM<(~!fE+<#WCm5<Ii;$Z-zM7CL1)=_4k+MfN#oS7@jN4mwdGm9D0r@4wVL;%%
zesz;PenwK^)Z}a5;JYm1^{-R&WMv88xuP~0<)n`t0_K;JxH7qKl?c9`ZspX+MU3Zt
z);|iX)w|iH%at?+Jx#K2+xo|8Wk*fR7j&+I=B^SK>9KL~_*?GChwFt`)U3%vgHKws
ze|>dArR1igijQ(!=I|E$2nc(|IMt&k)O7sFAnES5OKzuik}ICrn#GHP$}-2()1%i5
zVoi&-U7q6OGYR4|4w&#^20^$IK&`{?LlDX@RyvW;aoO-J|E<=c!HcF$!1{x2z)uhh
zn*zWKtl*nNqhuB4%|%5;%>osA8PAv@C5#Q>HZQo)XrQF<cQaXGB)H*Oi0T7fpq-<Y
zvph*--Yk!xi#KT)Mj;vN2bs?5D4ukOI!YG6hp*<89R|J7!hEKvba>OHuo^(^0(4hI
z5iElP@J3q7zmeQM-CXsJ^o<acMYPR5_Hfy18>HuwT1rAlV;kpuak1YgwB6rC`@XK@
zRn==CGUj0M8@kXKG5!lWW@)=~Ou0J1y%Y1^)m8bjO{7wKrJ}?0@g(%>h&^|3b^Y1(
zChNuXU#=~!u}?@I98WG?_f*o=YN|^nwKCz|HRqwNG|#czwYw!{W0ZO(T83|UZVG*O
zrX+vEk4{%^f7?BfiIcIdS{Z}n3XB;XPIg(E5;rOm;EGE<+c24)8<P=%Z*YEXyDC)7
zQ=6f?XC3&xZwC%<*J2)#FT|lv-?Q!;b@@iDThwJnXqOc_{^!77Dtb<ji=U&{8*DT{
zrSILBfQyZcAT~}rk;duw6|$+im00FWDX%9>&v5;&#@AOn$6nNO7l<ZetZPW8DUIir
zjKn66bfle}8u4tVv>(5q$+-b(3q>K8FA4)Zipno-z2Z_tQRirJzYG7%DFgp80P!@W
zDKLeu!OsH`GhhnL7I-<1;DMB&*nB>1jYeVcXqXW4bo-(~w6w4zjX{bcu@+KO3A{8U
zb|fjBMp(}ZA~EUFbGf4AtOH}0;DwCLOw17@i%)^f`!wjj!Z=X}h|R!I7L!gwq<{o(
zPzWdNO=1$(hO%i0ba&p6C{Dqi8cK#x<-jC5gw2ao^NA^qiYx_^yh&m>5g$$%4aOd3
zIDa8V`X3hltE?S*`C`MUMG_7-(?pf;4$a0m_GBLSPwM3Kq$}4Pz)v}-y9lYhJ#;3~
zUvTpq;ey(6tbP(hR1upuINVaN|EgK&-mkZcO~j5R)JpuW5LVrzvLgSML`-uBru-1u
zcCS`YV3ygzv)i9GXUt?~is$t+j#rkprjFSL-Z6h6Z8SxEZ`@Y>w)JRpSFOiSN@G#+
zDLQLK1Rft)x^wsYCy6~xB~Q-W7v(tZQFqyYdo<Boqi@xW^U;f~t4gIoSI6P30pMoy
zcu3smk<{S3bNI=sy&2cvbndU%_l<$IPmitME1J$OmDQcku*FRi%^WcK?3zQB<k}P?
zdRdbH8q8GiYa2YB&*e0DrcTTz|ByghV0n%PA5_Aa94I7k_>JEBe9zFIzu>UC0*Qsk
z@-%QDuSviLfbC$bpxBNi7gW-_H7FrDL9h-i*n&Kk<AIY6Gg&GR#}x7cjF<C25W;vF
z?u*lSB>uA2{tHZ@)}CeWY_5%rJ@x8J*CQCd5f*G%*H0fYBSZpS-gZ^7Fv$jl9F-iU
zBtHGwltuf39bP`{%ikIdS8l)+(sdr^FkIp11Ht?{>TIN12tWY+4~D}(!Sok7{smDi
ztdnxqT+VHn_&w`Rifn*XZ^p2^--Uy|>}c`e!xH<>OifO=B&wBuYr=Uy;l`k;=B-hA
zWHmwlEvS9pKz+!0kvARkX-vH*wZoP-dcSV|@pjAlX~AP64`!Oz7-83yg6apvUVoz>
z#JZ&}(CC&MtM6Qrn@s-Ipxi@M_Spcn)lWP3e|uC<`R>?|e<emIeQA!c{X@S4@@daH
zW-dnAYH{VfueCdEF->icG|nixLDmhwD=9koIt!z6tc77cD0eOCO+%J{VO{R|X8ZjE
znOD^SO1pQ<i<HVyx$SXMB`&@ec&hC=qtx5`H44PotFj7@#U{!}kDqJr-hafYc<j7!
zunQ80t$>&=L!(gO0QWzJVYK9DVdG;tGv`1j4C(x`rw9hYEh=VWfzqO$7$OdH%#X!S
z8F&vZEW{$Pf)s6MQ}rP;LNk-B>zQbnQU1r(0B5jo(GnaI2ADaF*qs92ur3+_e<nwP
zbx{KBkp!5qR!R`?gkz!bH4u)32+(2elmmNFuoVt}Fh~$^hVRqh-!9nZt)aqK2RMf{
zJC_0fQ{adfv=K6Ab8(1-g+Oc^O2Fo#dArSn32q9>>d*<A#D~0?im^tNl`#2-8br!Y
z*KQ)JL-M?AEdHdjLA=hE_3Dy+t!1%UU7PDPmwV&-();Q%Oad9Ahl_kIQPk&L{~1lk
z^_sP^l~aP4wuF=KyNu3?$S|~1bqve<rB&6#ExDR$Vc&+>4{vKZ`_*)s>(c?u%|{=W
zY<6OQ<v~i0=+~gjbfO~sq)u?($qW%&Dz&5^NXlOP4K%;yPOnxkY-p+68=bW(uEHXT
zO3Bgl?kebYxzV056D)mHY8k>jM%j|w&UR`s#22ciDh5|p_{f<jGzQ4ryH@AkztT6b
zEl|q!Ct}@5E^a1Zb?f9^XS{wJHx4ZZ;8UO<ubv<hhk6HTJI-@p*8jV<gqHlQxV6Y3
zw*&c)8^a)C3mqX8bjJmUTY^Z;stXIm1TjM_Oo88L?r1r5u&Tr>^H$B)4oPx*-nEpI
zyUV}e4l>yXN$%OFcE__5CAxDXV;=u<)PiGu-=DNo+@LY0NBif8(KRk!(VY{9GO-@2
z+&^xJ*65LB)eSVQ8>(Zj<R5fwQe2DO6()coD;EYiYBNIFqfF<9f>fX7J~BXfQ!$+~
zRV?*ByI{rH+DL)#HrPp<$ITpiu=mLKm+1w`_X7jlz{@V*qd`}&9)baNLn&Q$S9@=I
zS*b*q1Q$u<Y<RIg;6-4hj^Wd2R|T?Tkea&KJ_m*1&0!g_Jv7zc;z*0Hn_Zs&UY4eV
zu?=kKL?3;q&f*Tv5Y1y7I&@Fk-TP_CyPN56a<lE16>-6%<$@1u%QPYzg&q%0-PbD!
NZ!^EJg9yI>`4dh{B2EAR

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff
new file mode 100644
index 0000000000000000000000000000000000000000..43379631b2da4cc061f2dbf5069740d3500a20f0
GIT binary patch
literal 118412
zcmZU)WmqLWur9ig!CeM-hr!+59R_!IS-88qyA1B`KDav!4g(DCuyDJ4d!KXfkK0eb
z>7=@<QpuC9q|?>ziV_k4FaQ7mHWLFt|GGlDu>rsV7+<;n-ytHbDh>eaq5ird@gK|x
z^?Jlqr6s>;jsO5EE&zao4MTwOA}J>RrBkaL007qp03ZeePs6+<l@wJ0V7k}<fD{)1
z3>;wVP`)myswM&eD^>yku$KV<KJDO_csfN@MwTx*;xGN`Uog}!U-dSzGy2kxSpTJ8
z2LRyEkKsFKH*s_M;-NPE;-UQyV46q}=8hJ2000%jS7RW);0&de!)amU?D%C%^A``y
zfB5_aKv>v%ngalwDF84qQ2@B?oD}5ePfIhSFI`~eUpyTD0d{o@&+?1-Mf>|zCjJ6B
zTp*&lrJak%mwjJ==L7%<HL+~Zn{6FTzWAsU003mjFPbilynnl$k;j+K;9p|@BTEe1
z0`6#UWM>8d<5~p(zR3ds2yIr_TcnN-&Mp8jfv-Nriv$2<0fmoJPL57yU$WFFU$UxS
zP*=t6{pz!?9QZdvuKS=a17yB?04&7u7X`2YhyC`yS8uxyu8%nwdx)*CGVE8?|49Hm
zz)TEH4Gnv5uJ|D!Mq~WHfBxXQ4Irfs@Wllbqe7kj#|51RNB|%JYyjW>R|Ww0pXFfA
z00;osfAZ!@Mp1@_W`>5R;0p){+bCJgas3g>h}09)BU4iYQ$s^Zzkh>rVX6B8-{Ke)
zK7?d;KmAMHKi9CaGaQ)UXqlL1pvRee&9lIhObnp_1e}P9|Jk*i;p&pz_849VGB=ZJ
zWouDgvHPX4KD1jrrKf6snUVQ_4$om`RtGH{kZ<w0fPmKi0`jNFjHJ&ujmOlQx@4N$
ztOy2noBN-c)zH!%+eC=trY+z3Bi>4iMX$5}t#Vk?90(40Izrr&bt?#UNf%r)koeZh
z&2gK%qNK`giLX~un77QNX3QkC*QR*g$6=h%o>ZtyC!R7IZ3T6zOk_(7E^kgP)=0Ib
zzZf<zov~2YUnp-J8J=FI;<t3!R(Ovy-FG$5_a%I)tgkhDsdR4Kzqz9zFx#LVZ;^9$
zSi~A3C+9GrcID$qU+_$F$2ULS$=s&=t4y%^`!@2cumAO$zq-UWgkBU{h#y4$sj-)X
z?zp|*Z%sRKLVH(s7Ycb)GWtAzsERh_ro9F^gOv?QWS8V^nsvY98l>pJu~LiYt*FxQ
zNI`JPz&`S_hVaL|Wa*f7-uiE^9l4H&yzHEEC7Ppy>z)Fqgkn-&=fwWis{~qg)#h-t
zOG;Lq9iOytmHDB`-lP<W%mYs#+)PNn@)yw%U<%99m-Ksyh%Rom*RS*r5R=d}8e8Rn
zd1R~>tc#XckP6PJ@kZEUWksi<&`U3ey@&<&@!~sJ2JcNX4G4c7&E^x)`^e<lA8+XX
zr>>78bVDCA52e}VhVtQTQ!Hq)#w>yk;*Aa3m_|VR??O(W><;O-Q*j#AJ95QG5tBo@
zEseeJNAar%cq@T7;S}#R`7tWYRwWPVPV7s3HKiE`e-uFvF`m(Pv8aTHX1%T-D0e#@
zE4!H9`sVZ=$8D_l>+|Eeh&Bz*KntdCebg!Tow5^;C~EQ9%l1S9uHK0SmsFn(|Ef4k
zC`>D@tt9esd%{D4-~T$oo}tfqlUE}pI31s|7b7v*%>AHNNGqTb(~YsX;s~r?0k!)o
z#`m-_i5(QBceubnIhCdJG)|-OV|rgs@9%JTN&O60!jojge9TqhQ0(y?CGWFi{`BPz
z2f;+hB))UBXS~IxthL4Illy{-R7B3veIuSlIWq(?toyoNpl>abTQ4-S^Y2k!9OUJ+
z$#6GHPU&aftxiI7g?S{c&)qXUI8gHKBsaX4iM4x(*Jdu`a=dlJ&RAZ2NJ+L-XmfXd
zq^G_3?%jfqc&E4po7#+=nw(Yh+YH7zjG8OtcQqWJ{X#a2*7HJcQgJZB1(Bz;Ku-Kv
zwi&MzOD`zPAi_T{+W+2!fvb6^crB@9mIj4cN<u9hJ@3Po{{nT2SKgQZ)|0XmxE*$B
z>Q`T`Gp%B&6a(RZY&~LzuNU=D{06-q;9K>3omlKsed%+!{oFz5^Dp5@7gA5wt*4`4
zjy%6N(UK}>$Q#<o_0D2ILom!i7DtZkHU6{3m|&bhP@IK*TEQyspK1goHbk5?b1RAO
z>qvH@*>n|cn-s~cr_@zNmzW?5kQRsr<aifM;UOx+5~idsye8s8_=5C8*$Hp=J8yYp
zV6AjG?=>vQ|EDms_Zu@0njYZF^Bu<T(Fbhuubt-k^Y*hE&$S+OZ>!edCcLSUOPbeu
zWkZvqzxEqFO8NaYoA>m^H4{l(2q3v2fli^`WbQ*`7v!h;Z9S0q?7m}_9R%+{tG;`<
z37@ke)+~uroEEJ`Ce+9qtgWqfrITFnqTIv|v!Lc?4<S`@GVm6Eyb;KP&4API*hGp=
zGR-w8;`_}tEi;eCF-hxS@315RmlZm(_3A_c?K+p%mHCbjD;WA)IP-&aF_sMVad4dT
z#bE#aF~W(Z9WP;Gg7(?y-c~JjlR$WDTc1JDUB*uAQXe&mAknq+P;K^P-qM=q@RT*D
zdaGDa&xv~qbHDP!NX;4B1iFvRt0G^FogLNAzNpq9Sk5QI6j_5H+1tm{PAt#AokNYM
zcK|1r<JBoCjk80X&L&=AkN43`vijUqWfqk(e*lkc6^8MGNPg6V?0fF{&i>SL4|JN8
z;_Is>axsIfbx@iLQHa#lZ*BeJ3#SzU9mawmsyq}sYi5O+@pzLx+#Y0I?#`{vt_~F?
z3oMq0hgGVF{|=AO|0EIyBOaEhOX0cl9>mLP)}^S=A$(|Qe7iuyrzs#eF-vKh*8HB^
zk9%7(($k>wSjzAD*)=rV^ZNqbjeh)tdjY+#d|_0kRvj%^c@EKuc+rMY5fwvd3N;<q
z74AU$R<}#HPWhxNO?6wVQd(o(EsbqIy*MVnsx5_uw^p0}xi!yc%%(+KqN}Dj$K?Ym
zPUG*s1YbdaG>h7O>UdlkITS@oysCk4+ETyLf-4g!pDlzOiT#uv#O@M-!P}d#M@&1c
z<3l=3&yZ|<-qGE}p40GYo-b@_my1hjQb08oBoe`sE8LTqd91ELl*nS6rn8A#$~r^O
zvN#fDh+yNVN+}xSX-YLBb82>MW?AI)&iZ&lb@)O4>YWIgfJovS9}>i0LQ0(iXM4cy
z|B;8C9*o%UN8k<O?-uV(dUN}l;NV_2$1CGWR1I5u`i_5G+J$ryHGFb&P)<U&BxGDS
zn>rn>cXB>ipf$OD@Xkd~Ws#SlN!OMzSJRJkMYg-zWAAsn8EEuulzsU%Ij0HAH>!h2
zL9pjYL-tgF(p?#E5v1yZ$t;jH;%tYro?c)9a>hN2)C19fTdh=UM;m%(ha;OH8$hHm
z{OrVYeK(?Mu&DfpJ268uULE2!uigE!)-|>Kj%uBk$f)n<SpL0F6Av)%RHMShn|pHQ
z#@^{Qz|J>3W$ksOttWn4%Zod|kZ;b%Kb|-ZUo^8NQ+y|6D>3Q7=Lvn>@SIROKVksT
zG_iJncf+x@<-~C${fjY0#lo580EmMjR<A1dqBL{B=^}exo#;5Xk?TDAFLy2NV^yOH
z=WJBs3d@Jz(q8==aQ$MIOS#X@#sU1qc;fuS$4b46xi?X2ZerFS|Ncn1uPnbz5Nj)k
z`yo+y3YFKdN5HN9*^#5dy??#&7<bPCdhavwe9I@YT(KlsoAz6^V7h}o(S42!*|tVG
z6pj4z$WNh*zFubJU&y~6c%5=F&cf$Pdr_gKAt{A9kKsb~O_acfm56OjQ832tR1oGr
zIp150-jzXH1_P%`Gk<j})JGSuBwRQ%pg5ELRVoi~7EDTVd5Cgh{0GUd(e5pHFA5oi
z9@Fq!;$4*DrBl~~S&^mbZt0iEn`AB+a(kxRD--LR_|-&i3tWo%ijh*=HyJ~36P{%*
zgkG2<&v@1eq1@s?&c2Wr3<PF0cii~-8ADHW_1tK=0E(wkC0jG;3h_&(^mZp(Po557
zTr%~;p1t6QdHmrXa_TYu<H!jlg%WILp6xL*_uS|Td$_rF=FU6`2jXzT#YW7vZ<lA*
zxGgKcuo7cpj7B@JQ3d>q2=c=6vC>JN(lPG&k5GY~<qAdKJs|-TstO9CehGKQjzt8|
zRcrJmuUK$HM$*s+e?q;X?aO`~P?;ar>G`KLz2>VZOX%GNidf0dD-v#$U_$j^(PBs*
z(WSCUeu~)JTmny)i9+N=ge{4IZdRMktLeIcog9XXtJ+PPj=4XdAG!!#I{(DRe||eZ
zb626;$>bcfc;3l+{Y_KPsEf2R$m@vQT^KH#7?BCq^?Uf5g%2LykjECe$PgPJ^0n+(
zHv@uq(AEQv@X@U4uitEiBWw<Q8P#ZPhQpl5@!se<j((8NF8$6UVf*+Qi{J-ltOwko
z2XA`+g+4uUKg6{_&Of`^`<S5M?%wk=`u)EnDXz0^SC%eRt4O8QWEXeRTSQ33J5Fp=
ziI1HY#yzpiD;HprzXfQ#`3Xh_^qEitKpUjmkz*%$MZ#j6pOq%$Z$xy1PYGY^=9n>v
zdTeu)fc~rN%R0M_Ry*F-|I&>^F1K6kjp{AtuKjN;0EixB$97tHu)oX*&yTUPAMXkI
z0nyK>yMhCsB-?Y@&yCo4lW&L)r|;c;@e%a;E4*F=M0*Y|Iv=fl`&TdCAHDv6iC!f2
zXU`<nO(j}6A1J89l7$o6BceM(WIJLeJA&vsqN+N=Y&zo3Is)-JBC|U}b$kPm?*bbZ
zy~`%sV>dd2c{`%JI>Nm>;$J-jpgkkPJwqftV@5rLs63;}Ji{zJ<Boh2knj5&@H|3S
zp0h+iCR}IFnfXtlJ5Q;C2ihHa_Q|~e7(C_mQ&$e;X~-!`LQ;}gRJ6ThkWVOleN1EG
zq?u<Vy%~wf2z+{H@4ubgx`>|dv6c??jz#B;#ojasA`Q)Rl`iiYV#Myf1nZKp_e63=
z^#G|UNAtMOFM5JGrSv=l({V<ARvhH^M7M#|w>Nc$9!yzc2OGF3y>uMXy~+dxCcM3D
z9MC5{BL}*rl;IW<B-jeTM6uxz%n@z0=!r_{7Vb|*TvR*Rw{q-d+ln_9Q=c%Mh23Du
z-EPPolygddn2_;u)6181xFqYdh?Gvsj3@RuDaB2AK5O}{=-i9@YV`ei)7G4{5wEFq
zZAs)<{<E(7dJG^a9CRsGSkdYf!a8HoE3k1XIy}+unyPKKxnS@fB5W$V;P&3yZg{K-
zS#AjXv&5rqab{0un<U?s+B(CruD)TPnP%6~x{>@T&cV;5St}-t-*=MJFzu3S%HjU!
ze@Dyzq<t-R_qcVv16Kyy|0D}Aq@}6ZOUhV&CRQpTF0aFs@C1LKgVPqpv*aZxat0A?
zm5hQm$Bh25!r_R=?n!7B1u@TOSlcGpFDQmdtFE&IP7&XYqcw)vl6sGmIK|}r*bxba
z21f~k!Dd259#248OMrh?f*DqVI#2>jRYJU<gWZ~g9%O=AWP+w^K&Ns9)40ZFypG)B
zN+Hu~99B@6py9$SJNl86d<SH;AJuCoLOx97i?z7L&l`pJWM({4>(1lM6gJNoFE!(t
z9x?|ub!)AiTg26e99TbV1*%72T1nFdrmj?4FGmIPFY6oCHE^zNoNqn&z5ZhTttH4o
z-Rg0EG32&~aCNeHG@Gx6SnZcEtt`LXyA0Hg6nv%R)6K4=R~`s&K3k{1$a@g+F7id$
z-3f_~+AGW{uMWYBqAaXAChv^uH7>@cqom!nlJV%!B;$yfmhougqMeDV>J){AKHl|;
zK~ty>S$s#af0l1ALnEw4UbHxdzc+h9dOtQ8KysoYx-DahDlAS3V^Pwo6kD#~Ml6|U
zOFdjPzHhj1PK}$B?o?<yM&(x>@Jw+;rO<szudf276(pJA;}}q;XPN=E)Hzc04h*?<
zVHHCm!1G|lxJdi!QHaJ93D**_o|Q3%{b4kOU6&*^TqF$;Mm6O|b*o40b4Dn1hgrK-
z1_JSC=BH%1V5u|)PPmHDW(MUuDBSmI`HsV{Z7I5iU>WyQyC1S0j~RCh&0(8@&<I~d
zxrAUP-_UAt&}%}{H>xgTAJi$j6=7dLQF>EXWpX}x_Oq`)A41oi0BK|};Fh0Vd22*v
zDF3;r|9d*KcD*vTCZB=qe7kf#HR`xshjaC^gzbDM3rXBeHs`tB3heQ_ZtL(iLU~l7
ztsSnSRnU**4eR05-L^+=XPOLy*H)_unc>X`Tr%KP3ndJWS)T#zbxk_`SdUPT+F3&T
zR`{_c%FUUra~!9N5LQeV#aqqk5A$FV0qM_co3;WR@v`px?)(9c9*N(Do&iNa*rgDa
z<NLAhg<O?#mk?cLTa@V4;CD_?U1Ro1+=w6tE%=^{m%!`owK-#Gb6z1#F3sGtd4D+2
zbz&|@8GGJQW*yXbdt7o5ftQC`=XtL4&G;fWm1)h}nq!Bt<N>hH)|y6)ObVDckLwgy
zY);HTDqhSz5qX$Gb<c0_ch9ri{5tPXds`>&Ho?%0y%k$=#XkEpuA6Q?&LeJzkWiDx
zp4DR=q^+ZIt2kZ8?&py`f&IO|9SIQ5;~{*jdRGPKx~Y(c=X0<cqe(Cv8M<=xB6)9!
z1;V5PG;Vmdhes`U@qEGsudzN*iIs*h8pL%`iGFhw)G+3CNYN%mr;xTt(cMN@7Is?F
z@kI9)3Oa;CjGZ@9Kat8#W;J%4!}TZRnz?f?)uuIVtnJ_Sz704GKD~YaQGO$6ncA|h
z?OVgFA>S`yb6nAqhQIdP^4{0^BEV8ZEjX9X4i8HE4@&Ys?U&DYZ<*|<U_Jv;r&!(i
zNnp!&tjCE`E`8dZkk=Lur<S)-V}5ElV+bLP-0Wg$yXyZPEYofO4H><S)-CfJ<lwv7
z*?+9zRBu%Fx!D9s&oRBJ+2@MSiytv~wcxbnBD6k=X3IZy<d=R<FNp*bWgJq`&n<Y@
zY89k@sM#&1dUtjd%z{{xi?%=J@|7L@CHwftoyp0b`TH?TR{8r03TbMrM0M8ZxBDcB
z%$c)~xmtl41hkd@Kjl6vX%)+nW~&$&%LN!K2pKEEB9}6Xt);D7NMp5=)%C_o4~u`g
zJ5@q=EG2KAiWA<K1wbi_4N@1NrYvyLTK+g-ONx4lHNjP+kpIQ9%$9kYB|=Z3B&u3b
zk-4;}i)%$P&6ZEuyikWfPs?Ko-_x8G7e%||7j}v==n}BYGlETEQLVtDPla7}CpXWH
z=8~D&IitH}+H2n+)TUL=`(r_;dSTS|&ynp4)=OH?OWylSoUdQiixu=ch@(mk+zO+l
zB}~C9bJ#1C!Yj4JE7r^__n@+W@l;;_!X%<IQS{ET`joFkRc`KEsZ-9K?g8#fN58y1
zFq^k~imu!IFL>Q;7|~JLi<X}P46;}j-zi(9!7<h|tY20>fl3$~iSHOTOL#Sj_ZY!#
z*js@iHGWi>N`V|TmUWnRfm=Cx_6D(ATf>EMS7unND9F-eafpqRe)`EWeO;N+Ri0mU
zhmA?T$T&>AFNTS18gg->nZr&_XK|*PlR$3Na&=~&ORvbOQ*!cwt*6k{D_fwn?!@9n
zasw&m630d&o7p^ve-~{dnIV$@AZdM(A(MYUX`_iDwCAtNMl?fg&)&ku8AEc<F3UzX
zLv+tU<N5|ecF%s}M!H_yajr&@!QCpSuKsK3q{WWY^TkGOfbS?~^HrzF1HZ;<?^To-
zBIf<z8;syW{3E(=Q2wPw`S;mMlE~!<@>3bNdy;%8B_#-&>d2q-<dxRAE$q2GS;BhL
zg}vsBLe7@u;%qC%+Lo~NEvef)V=x5f#c@nBk~lSsa!WXrC!~umktZ(+u`dzwFCp|V
zNx3h95Xv#oG(!lfkf{UZZ0cr?w3DK=;ToPnwAb~tw-K~A<+OJhmDla-2?}=7b#A6g
z-Yk_6nM;XNr()k-DXSz@B}}NRT3r6{bXxN3wFKI)OS#(>hI1^c@}AV`A<WrBStAEG
zr}ujWV|pd0dWExlrMGy+yL#o{zXTw@q}04b>AmFddnvVo!vUyYF1O2^o9s5+VsELD
zUxRHC8vplcj8*=KZrP^fDC?HB-9>cp9Q78sPDG6{MKHk`^`K-*tn*<V4k_>dIrV(C
z5&FZJSyt0}VX2h02WQHXlC>%3pxT(-Mst$qPxj;{etnc$jgh>K)&|d?113qX8CV6U
zsKuOJ%(~|pWWSpYwo>+ZPkM7;l~%5E&Jj3P$B<dA<MLtaUmni(ae8~_@UG3K+zZd&
zqJ%dYRD1_Gv(G~ocv?FnJ`FU<8B^2}&VLx(TC3g(Ol7mzCM@wvnR7j-j<WbK><pSR
zmd_8FvbooOOQ_c`=sz^%AJiC%(`k(jq&2ZXa}N<dG){scHFpu%+DM+QMbg_IP>;4d
zAa{jEe$MjH{P=YL!vy-&4-XwSlFmrV!AB0mG?LHwUK*Zi<f@4&J3`XnRE;J%G7WUy
zByb<f-9?_f2T*Y1N-Doq$#CHO&kT5xdvLz`zf+<1#-H4~58s)(D;sx;;l_`TzcP-j
z?U+88n+FXqcYo98q9t~^w`0AO1#_nNaU8Tpj}sSVXS)z6gJSlO3p0m^6j-DEbIcPB
z38rcLfm!lzPHbIIgO*7DOlQkFh76>gWgWv0QTvFd=|0G_6yJK;`krL1z*0=p%Sx28
zw(`>w|Dw{<^^0mN1dTR#KZ#m?yNO?jvJ9oxj_ylnMfK;lqx&FTR|q<4?s;;ygofRp
zi^C3K!~XGM%p>+@=2HG7d&~r@zkrFRP((LOB&Q)=pIMt`$gfA%uWcQK=#u+HckFeu
zGKYvpS%f#dBgrW}7ia(7AAF0n-=<UTZQLdM3HsO#HhGZ%t-64h!b8H{h?5t3i_A#3
zQzJ<6Sm0)5;eBtm5Sm<06j>%AmoVuU1pki@F)zr`9C(F={XOIoDo3bc$3H2<+^Wz=
z@}j!GDVhh&7Lha@5g~wE2*ZeX==NF9?V;Y9L9b|=MaWa?d_yL>Bk0ZqiqjSz=6)m2
zk#fb1*UWySREL5-w22-d)=2Ww{C!zB+?P}_mbtnc`YyJ21=53)M>K9J{{$(U7cxIH
z_u@Wj$NUe5#Q0;Pr)d7<5BkIo5K*LU$*0Uely^najoqQtQiNlR!o3NlE5uh%16{k9
zw8&^7T{7G(@(7Yz=2)vF(zNzcwpQsluDz_ec1oPRNE?a$Yz!&lS_*kf6|%(k2eyXs
z2=YCixnfH6q{uU=<m@Ral3FTxt6SpK_OEXx((!D2+eKFLe#PjI0`d-U#KG;zmJ+Hc
znM1x(tl1)Cq_vFG)=?zc?O<$OG@<x=VRJd9_)d{{63*FhV`TOS(>9eP`R(&;eHB6A
zdtr+~r95zvud&}bB$dTBHMN(PgqVT*mOxc>3ORxl49>(f7FT8MO;ha=HX$uwvL&}F
z^1-lt0j8YqPYljrbryLgtxbIG;btK<AiO2}BGmHmbP>B8-4YvtlI&((b1QcY&z|~1
zXDQxk<c8c?HuAjCChhv1izFFv<7+;^lOMV$lAktYLw8T$;1rz`+4NgqKoF+`N?O^l
z!r2WG6xmH%Hlw=-wQ`!w3vU9~=VOGafJc@VtT=i@xg~nj<Syv$k#3x<bE2E<FRhuu
zd3*MA?o)i-beELAvs0t5d-n6lQ{X<-mmC*n-}lIX@m3B^Xud<fa<5tP$5fZj>pQlC
z0HDEK;9hS@@Dw4!_eXvL;|HVi_N!y2CM+^J5jm_!_*{zq?>suXM4cj=Zk-FDem9`v
zF;Wv;8Tsk48t~wlecw@U6UJ-s=a4+G>V$p~qHTDqfU*(BeYod@zX|(sc<XEUq48n3
z=L@jN-e_(@ybS#qqyyd`+av?>qt3(ySwnA1+Iv8BtT2Mn-svC4x4Z5@=M$n*ijVIa
z=^rM0yjb!im*ny^i9oj0_B*x~vC_FcG;R^P=qg1#sejmZ)QQf`sM_`Mi)ogFy+RuW
zysvN<B#E!hWnzSL?l--0Rv-wFiC_@~ljbNL55}NNOd%Ol*gJb}fYv$DG5*x@K|BK!
z>W`E$&rUJY$77X9zT!!W+mzZN+J`=uaLA%#2H26gEi}1;SBea2WGSX>!W5?Ba9{{Q
zFySE3?T432PzMOV_WIca1l2A8eRm82t2!5sR$3ZQE+<VSn~^4v$VB5yYef4Z7xWDj
z3JHHA3p+BefhJc{NAdT`OJM-SMruTfo61CYPd=sK3+uelMm{AE0eiQgG!VoV77}VD
z2OGVhiT1s$f#QeszLaLxNP0cKJhjocEU5t*wuTTjOE^<QjiSuNSiOAn^m^E75+l|u
z^o~_}OF~$kc^~RAd--Uo)x0z@EjMUw>4Dnj%8)H9Nm%bWf#YaGY}4&QrbSE>ImH<E
zE8`ro?8Tc>JW9hP`{Zqm$ku{I^7S-@bW3j@(L$3Gx#}<HS=FH2=IM|urn5MWW+&NZ
z$m<QWMKTX`p;Bn%ol`|45K`PH?ZWCIpGO5Xib*cgwNDUA*Gan|^aN&~2ZCzFpch|D
zAqcbLJZyP(D^6n4OQW58Maw65M}KFZ{n5w8x>=L71Sekv-Y1i##wF+DKCj(bfnk{R
z6%H#$y<^hH9-b3f!Z!>1G>dzai&EXhEzVF<2%ud-Uf8J=#CuR#86@Mf4)KaxWU*yX
zY+Lbc6c6*=%*;Jg5`2$v&tqW2X^`rMcWD?8!Q9g;rIS~$M!Uk*vvV>`_E<SFPe$Ju
z>Jo0t)?FppmhW8rH^OjZKfgtZ{1EA$eaYzwl<MXM)sKgxb5)!r`%nBEbybDo9P*ZO
z$Qo!T+a~i`!RY6|A^d6|HDSbKhydI0wM=&zsD&m@aoAfzkd@-P!(;XYtCYMK^Xl9C
zOv*s~UQe+gPHpyQGBz?(5TPM<$j;TZ!~gfHxZzgU>e<^;hr~Nh?#aS>^kS`0hF8TM
zY#${5+;p5~JyW7n)sbLdbZFd}n<aaqV9ij(Yl8Jb+u4<6b4*}8Q~X%Y9o}1e7-m{4
zu@=@^URtC|&AUjW*0fNOqIbMhxppi!vFl>Koa91yz{OK%{jD>=2~AI_g+)(}JCmVS
zJC&hKS1w({PC`S8p@6QEql}J5V<A;-V?iyY>bSD<;@Em(*~NAF!G-=nyR+3=vNO(!
zKu@CuT~DziueNSI)Be|{4Cl`aX-*aUBD|`H!fficMR_&v#fucG<A+L<6NU*o7mZ~t
z7tRCr&aPA2&hT5FEmc>fEm_at%Nm~a%c5?{M>RdUN7e1J*D8hrNot}+GBu5bq7=pB
z`O2ze?g=ih+EY}oJeIt?I<FM{U(E~fYVnIzDGXjMr#N1@EK+qEJ#r38lnZ!jb#vK2
ztLC!RG#0y3P(g%dc3yRr$G#IhAirglmw-kFUnTYwf#PaOB6Y-~c<Qr7NwvWflL;sg
zP)#&niKAGtQu|nSLIPy9Ob)^^GkK}DR(Z*3g!R>D$MF?jOX)4o%IPh(l`v437dB9S
zD5|Uc{;Q7Wb#X-vet|Ou;yAl9^jK#i5M;MJ03tXbeyO!aeaUlT@-=9oCMduc5mcg=
z5d4W$LR9g+jEL@NLGkC=ykhFzu|?(m$<YJ^2!6Q$BzqwIl6uPY(sGOPF5$}cuI`!P
zSH=_MSH~yfuS6j2|C6vpup+KdkS>1S;HTuGL8`^ELnZpj)kKp^@hLfvjAvY&dam3k
z_3UCprRp))!8aa#SK8cPZz4Ks?u#4;8tb*4;cnDqR%NGt>m@OTTb0n3@hn*nm4wB<
z6WHr@UJ*#tCMUm6jd+x;iu}v-e)-dGff$#YKn^A0A4OhqA61}*&!4kY&d{j{R%N1d
z1MXCx>88j`#*knbVH>&Qwsv<)|L+#af0;i!-Q)%z>C@+VUbX{DFw=xGgT$oX<gp=R
z=Zb7_g-w0)ni11^Qv1XL-n589#IIP0;Q4fvkn&;wbn~TEiRrx=<ikNZH&#%lX5l4k
z3AwD%R!INM7|Wg$@>!X`9ESO5$*@um>zNg7in&ASfl?l8U^94SBl_a$-o-EW;SG74
z=(g}bm=26J;V+xnc^pEjZszL<)7;JhtwK5vsOv}<YqM6+E~fqkxpSHC;cj4`Y4Voq
zh+At7R>&Yz=tceG=^3fl0zqC*f`EeaHy7-Y+o?qt{1N9KuH1l%^92{&L#IQy-0)}J
zIyo#unl2u_u$G(-*%c%HSN<(xO2#c}N~|q%N}?^&ZOKkGIpt2ojShjl%ijtQj-9gI
zsxECAtuFBy94>VkZZ7#5gf4v<+n|7qB+#!6V^Bhd3Mc|wGCrz8Dt`C#sxtWmHpg_f
zv}~wLPBHpKY&POVWH#zVVs@90m!&5l`rHx}l~E3=%)kcW*519ffS~Lf(-$_3c@}w%
zI~Tf)I~Tn@#uUVfcA0red`T%Od}%2Oe8Z0T{E2)6)6a83sU90AHr=~EiZAMN&@aMr
zYA?!i6fe?p>@VVS3NLDMdM}7Oo*xn~5Q1yr$BZ|Zb34X73xdW^Ik4BmM6yK@1d>Ih
zxZW7C3~qd}ByO;=p{wV9Y;mi?Y=nDF&~uQ+(2D@bMyxsF26QX5hAk`Y8>%^%y@z>(
zu`yR!*61rsw|{@PN!Zd?OW4|0Q`wMj8>tpW_T1(Rjnn6ijWy=>jMEq0_LAlv_MjFN
zj%O5vy^D}}2`=dDu`j}R&*fa$M(Xe8r1#9{pZC-k#rOWqQD{!+%ce)`C~8D)2x&y>
z2(LtJD6E)3c#~~~Oxr@*qPGRxL%Zsn*aP2m5MyXB*<(pKIAdwt=nzr5f}tX}6p|yn
zg%=~dMJFS9#V3ovU-@bxaL+}XDNpMa7kBp<7JwOJhj-*-=#L>hz*#FXV4bBYkkJYQ
zm~Q0)?6R^2u2|v&XDz{j@s=_`MJr|?vL!$8(UOeK{I2PzBOm#{_ur#rH+(>%6DV6#
z{}P@0)c4%W0s9BVPUP3Mz7ten{xJ}ke*$}h$WI|qXOkoqF_qcZ9QxE9pCo}PNM1vH
z3GW+J_JXIBMNDq)@QXVkdAe^tpJeFHQcB4mjlEvC%>N@wF!7VcGB9nk>yBuOf(H8Q
z+lro&xV9)Wib4-Rn98INSM$}ynxW_L7EAjEj$@fynh};8KQ@P}XOcl*1}Z7DjhLmh
zf2Xb|TWuc}*-wycNQi|$qg4nUNr`jCnCtI>TtgF-3{Nx`@w~jHs7sN|w3CzMX1Vd`
zLG;^)l!V|#w)Lc;%HDrKd5Bo!b_qq)a8E)9Afba*9@{N~Mk)^W+8(T5`#;$!nOhLU
ziJAN(ty~e@AYh?jAgMG64uZ7pttFRbTenr?0bk0IZH!zq&rEI6G6S-7(QNsfOTI$*
zqMqim1co+3x+S{=T^Oo(xWfQ*?JGqbb|<keTjwu$CWLa23ngPWHC|eTfN_8FQ=5NZ
zeX#NS*K~bkVx)975S=w*bH?@;CF98G?}DCOap(!-)fr2ZU!-IJG}Fd8<s|UNfKE;B
z)fP@B>h?e8GVLB$hEgz5tG}sx0!f@8Oo#wc6R28%uV_MDfH}Yg;QJMjhVaP>Kma=g
zAb>-CLEsC1U-*hY10VZ}LHnv7VL~(j1r9@Em(_e^HTnOp1l)RT&l}Iy+~|3uuTJ{_
zzaeOTF+zS%byiZ#4gLGGCnzCJyCNQ?Q>BjBmMUarDIJ9wh4k!HF~SRSK9dJVONGRy
z`BJDgiwAbCO(ZTefmNM|WW^$(i|k*+ksY1CN$06Sgll|Nl>><%DLE))sIe1VnvSHS
z{7ta}u40!5#){rmd=^Ak3{9u}wa4hou4d!<(;cMnDI(F#qNbt8t}ff6@nLou;v>qg
zp+oX1a<OFLRZLU>h*Fbg|EU<e^gjf0fA~Vp)SsgFOJX%k!dr86z9Ax<AQ^v=UB{Bj
zLT&3`=GJ5wTIIPfa`C^8WeAoKdlvGQe&|+ImZ#yCD<aIZnqY%r1Lmr_mJii8T06c{
z-gRT=Zh9-e?e8Yt^ll&GPhsx8@gF<9`LXzi91haIBCNGfMynrcOgZmeSYmh{8O?Z)
zJjW~+U?L;tUjqYL&X0H)pXCWL*%o5GkQvN*k5KOtI+5yz{Nkr9$ih2f-6b9F(jcSC
zOH+ZA!GBj}+?+GZe5l~P1wOL*Xf2EJ*mIuba7j>^U$}7U)82KDDEh{Wf+RXo_fyUm
z^QFniNhNYv!EDxMUG;DOR{%J}U`{vMF)Mj~wP}C8-;Ix@usF{2-~^=E;GPu~NS2Ti
zi{WATR&6Hu_$&oywzS_hY0fn%#LwQ|Ar1z(sM)dJXsv0mn_c>E|Kz`A;<IQcp?Xrh
z&Jj6vxbzsK2RfDKnBovTjl79ha*#(s)9R2k;Vt@OSZXPAkF*g+^y;v<K53hyt0YDt
zOARbZxODX%3g>f#fOuLlM{c6?PtPoLA*g-L5rNu0L9+GjI2vg?r;H(5q}{CsFjJ;D
zv-5pgg9gUE!-m)<z5_<%(eyIz|4Vmh$U~1($$b!0`pxzS7}Mn=UOjZnHp-hkMY~q5
za=Mrc8ODtKT&!S1Fxoz;(M?vvHw{Z14E$k2q>-rcA_-zGB5yg7L)bIppb9`3X^8RF
zJ)pOqpp|i5M;8WL)C~7&<WEi>p#I(v9o;>&=?t%&`6nb{kX#)Yk?kWE=Sfi^Z(*EZ
zBJj=ckukm<0v|bLl(+-=GS(t|%(eW==#YIAmw*|m2k+#C`aYH+_RM4m@602|JtqAs
zWF+Hi$RA;e{nw%)3c&Cm5$_(8`Bd2CDylmkaMjUcfy(20uRj_KnUK$9BnF4Kan@%L
z>;2%;sYXDccqW`*un~t{pp)=Opyk-1;1Hq~8sgSk%VEsHP_vgzr+%iqJHBEP=*q<m
zcBQ~D+NIiibQ0h@Qx4qY%}2!co_V{AM)~}<&#2J9oqlMPKe=aLH*$}8qlf6>MnAB=
z(!mVI-cjM#R-Mlgp*dvzz$7ChA&u<pVA0-}oRFlvF!<Vq9%0p(=}Yc1RxwBS2#y-9
zIZY_ReCa0~3Pc8H%@{Uros-OlGa-aBXNn#^H^T7Uv0@6&5b*N&pk@k8!ad{DpG86{
z7|n|@f`2W44#&?w%y^t?KZ;%xA+qblSXw<2hwyY8erSwzH8_b}G4?O=bGU!*Vvcxz
zH}0N&v+z^uihsFNjd2ywd7MPj^;au$c$oCPyHaI33h(j9{gkcl<7|o#LE^^T`$W&^
z|M9&kRAAkOro3Tx2kL)ql^&-)DWDvNG|qan@Yn`We;WYA$Y6&V{ht#_A7Sv?_^a@0
zzti;nFwXn$Sa+|#7dR^&H0nDtEH@@S1mkxO1$&TSDaMjZj9m9xhsWG!it@r7dWIHv
z#Ie7^ScN5yM?*c(spylUsF19_9=+j{y`<R8)O=s$Oh-m|@b}O}WJg^{P*z-GBquKx
z^2Z~8QE>qkQ<D?Q{99sz>O9M}vC;m&kvBnAIBOmW%I$MqzT?jcYO7<|scL*NkU!PG
zpUnu}nyXwL^PkBoN{h@aH|9rs!k-Qj(xQrn<_E-uMCeYmJmB!Ws9XLxm;`~LvG5LW
z7E(yCfRMniXk+3?<__%Sp$u}UBy6#Q0Y7*l6os75)p7is&8O?#uB%9qgT38@?9zrr
z>Ys130Dj0-Oh{#H0Rmo=jX!vJ4gY7BP(0VO-8k%fVvyD2?3Cv0aa8NX3{&F@sUkjV
z#gr)^95F&|m3D{gM^vT`^*RnQ$_RD+y6F*fwXkJ;E%IX|(08XP2y3jv04Dfa-|KfK
zVeO#6i86gNIIrh9^lg59aM}4~CRT*M0K#1{mXE(xsI^Dz&O(*3qbRnDGHmSc8H1}q
ztrL0D@<$Gs&7D+m=ROB2-+G7!A}k}UjEhC``l{LcIiz<c`4==OFQ0qx=be|ps~sI9
zEQX*fLF>Q{f0ca=njgu2i?52TCyd_DoU#%<rgAhs>EnaW`huB0ZrD`GJFpf&z0%)I
znL*3fx}{2VpaJqsQswrzM;7sKRFEX-Ulj~8A)lE>-RSaRE-|8ph-D@<u&5Ua*`4XJ
zaHI+$Z}@OQnm6fCn(QF12<M1WRu<s6?H0$VaxX!!@>&>Y$H>xpxZ8!kve<)M9U!f}
zGy`$?wosxszM9IS@3tCd!m_<+>SL@7_wVJU0B<C)<E^?LZfe&6kq=slHKFO-jbO%I
z2xK6Rs7@ejNFts9!a04Ao`jcCvfNMlOiRJ@K`o{xvjjQYuP%eHVS-7nhYNQ^jqg9d
zIj0YNMte?MLeMZv@>HyVoJp5a(B^d9cG+W%n9QL_7T-GeA*Pb755g);h?M7o+>=E$
z$m*EH5D|R0h+x=7hZzLK?6gF$9QF#N6PC8~ig^j+t-~|){DQz;2X6fF*8IGH{hYn<
z6})l9%6XS~eaBdl3iAI{`VD6M()=4<Fi9#HpBi$E_-I1aF+Pg>p8v@Kv16H~cAvlt
z7A|GJA2P>CDS#7~{g(sJ5dQ%7E|!0gWtt-_MB!LbBx3s{={^o2xw1GiyzrYvLM`SV
zLLpNCn!6&_#s1}G9!nTw?^9tFKawYet_+VZ&!%U9FNy-tFF*5Y+uzUNkPP)LUl96P
z3S8@>@@z*msF@|YC+!7wZ6U5u@kG$7Bwo5Tk=q1jCDXfOT+noqXF?RbxlnNJ5NRxJ
z-?ujJ&@+!wBd`<hzE+C9Um8@VnU|D}t@?stGBLB)`$hrlV}RP<B;!rzg1KMST_+Gx
z&5k;y@rsFa8dLQdadxe?eH)Jw>%u(2a~gMkz~}xf69DsxW1dI;U<Ufp8=Y&4^Snnx
zej@-(tLi==BEdZ|PVr1SXOf$ZF$y#K`bojLYPx1*wT7b&7udSmn#*tBK05O~Tabct
z(}K^7Kie-Sn{O9S8Dn0E@h*bVgz?BTg2z1Xkb&_@9N(;&X^iD1ttH0yL70Ix*25W`
zYg$kLI+|<3vY*o_|2mdB%JNsb=TJ&p`W@dtc+@ePPcBZ+0nS3|!a)7Q8^3=2nY#qe
zH?m0DbsRGSo1$y#70)3opQbTfn(zM7fU=HBct4W#1>}$f34$%T#@IDR-v9K&U!5~a
zr2}H23;{wbGbOo3z(grsNxaL;b;q*ZOD{HET!zH<_OOR3c!$2rPZ!e=yBXLb_o7F!
z>->g%NLZjE<m0G68o3x0B0|Fe4f64;SisH@*`;Z~7a!U7lH{HgaV%VChEcjVX$0?k
zGBF8@rC|i-P%e$|rq+9ojWFYpJGZ0)yfTQnAIi<QApok=V^A)=cVQStF``FT6wkaX
zNet=MfS)Snj-9)%%50xb8Q&?EVD)_9v2`1#)Z!a=5fk7SURktVSq{UwF`nKNlo8QJ
z>xxNrW9x-xe4=X3y#I|=^|K4MdkL~+HIB{NBv8RA@3ngrCo|6?)|~csnlR3l+lq^o
zGr(2&C=9%r_|g%VB7)H=bF_HB?O1q;r<Cz#o{vfb;-fCICW6_@*P1@>Xq;w8?)#LO
zBHVJTC3~OJ*{m^xKpbvb&H+oEwDKV5QiThfGi*I7FkMU45Bm!9@Rt*VfX0dZz4lVY
z$m9A3SD%95=_p!Z2;oP82BL}9gcFi84!c#(go2NQ_KaZ8GGAKg4-2|*?s2m`^ui#*
zrDBTM$RB3xyxcQdwRc(A><Gk1e|F^#Sd6VUBDyxFe~yY(U*SjdxScHeL!F{ABrzcY
zs4sNat-9U(+Pk{g*c3idPrhAbN{M=x)-pQPKkZ$1U;jC(+fmT09g~E*))T9iLTe~A
z7Wc(^7sk<pjKIt_O#1d+I!U57BXc;PHH0<uNg^O)oDYiWsN^xFVCI1IpTTnkcb&OW
z{HGw=U&1!ZOD`z?c7f#(A3XE+XTrOU#@P$X((A1mVz15jsCI9E$3F{ptCPJugnXmj
zNcoGwJn?Vwae`>S`jYE@8Yz~|fY!XHPB#S@wu}Bu9zn)11!wAJuC>fM=<mO6PxzJ{
zz4Dy@?MEV1RYaJDn8H`a2-{^W({B22^?SkbC#=P8!(MZvb$Z9#u3I`Uv%?+9?1iDJ
zwGrRbjQecDiQBZ}Zm(%-w_i5Xxo3)9<!~nYghf$fYQ*|{L_V{QM#7lmVV|MV?4#Q<
zq97w~t3A?1i#VVYJ7Rp50iI!0nMtFZTq0<-UI|6C0cWkT+YX2_bg1)Vk`V*)@f(lv
zuWCcBb7<yJeCmiBE*d&M19ek!4l*6}X4+B{!Mus6nh_l>AoRL1OQ9JB_;KX$(+|2e
z%$r6P`u^>b4bq@zu83%l2ul=$k-)<8$X4u#6V2EyuBa*xST{zxf8ye7;)*ffyi@uj
zcN*c?nNgyFsN;=Mi2VquPR2ZL`xHqxdg`9!GZU5n#35gW`zn2J`V_s?tABjGB72QI
z$k~4Fuzh)}ivb3SOo8)37QH8cXK^)EhB1Nt`_A^rw4w>(8H1%U*ct8HIKGah2F573
z^^cE9jPM+j-lVprhA<x)hzZTz1e?6M)*q2ff7CuwX=WOTFv0xC3*$&csvW~yG|Y{1
zDybXGjfq}0`NKKbjZBrgg78oO=^2D^<BeR`G$7w`d<#hsc81Yv<0`8Gj&)v;&4_#B
zpB`t3W-GL~`4+?9xkHb&A2E7cE_%NZaq{&6PPVkuJiv;*zPW6Sy}ZYmO1i~FRgcLv
z9{f7cY#?Zh9n_V|;;_TDY`gx|zGj~J$b8St%4$NyD(XhWYVr|}Q~B1LXi6a<?d9~~
zuV5EHT5+`fy6XemSSSjk>|Jq0jJuWy%}z{6Uw}-^<^qC%nJlP+A!}u^u_bN{OlV>8
z#?(Uj*nmz%+%|44coY7|q<+2At&u4Ex@6<GZdl9Ze88&SffOoVZzVoLs;c5uPd!(H
zV4f-ZWN;cycsikNx|THUTeu%5n|=)vKjmJTQRF)Xoe<H_%v8?4t_PpOzC}T!wv>X$
z<GX&-tp7a@I42Guz{9RL4Hj2-9+c<UG!6c3mMB{EHx(8r5;*?|ARnd9{4o<@FXs$L
zWiEEuHE{OLVaN^`uF>~A<gi`vCe(kIoScglT>^g^yOe6f*>jgGgqo7eQ4ge!SvVd;
z0=*N<^ixSeBqv37(hLoDRgFQ{yTlGg1YriLL8^<1QxKJS7!V9fGG95XlGgl-4ppeY
zY+4=$1yAe}GOuXkCqf-YW0i$>dV3@1<8Sr3zmdC!%4@72NXHL%)b*LLQT=_rrSG6r
zqfOy48-OT^Yw1%)yC=mEJ)jNu0`KsXMY<+2G?7mMLo8v>EP>0#lo{uQllvYm%_(FL
z=|j;Udow@r458(DDpKM^st$XZm<7cn!YS8=7)B=_@6tNG$;$3|HE%1xj2c7H8J}j~
z%}GEo=|-HOvDl8qRtud9&wFb~Rfs@=C-;uazQt0i>)^kQr(MPne@|03n=4qNq@jOb
zS<zLh^PO?WZ$ms}Jo9PAu@vHBqd)RR>$_NDJ9CW<ghrL<>fD$;vGg^p{;s%3-iV^Q
ze_LnN{!(gko#1n1@)*~nWL6#Wn}2@SE}I*!p!oX*(FcG^kH6vrxOFIA-x2Y^FPH6)
zBCgy6w8l_~CG*h}q>lI&`ptlAv5zfxTAuM9aR;Reva`vKOy+5-!g1Ssg%J%)&O&Jq
z{UhWOf$(uLu1Zk4nM{<-TB&JzHEyqF`)4U3lXeXCE1<C!h4R-5oHAT<P&mx&;^b;?
zclAedXW<7P>x%t=^u6Rr$FZ{`L+k=Cm&U8Y6GIZcOV7KF{~%-V=WOAh^&hRVSgcv2
zFw!)tQO0|1*S>!TcZhfhvq7#BO=|}uo9#_i&Ah3{xFc5@-s{Nc3b-#*zqu7$%yn|q
z8;!PZ4NV3WIL<qRnhS`fv(!yj)bB@Rjw&4C1|!)96&V-%dOqQ+9($Zo|Gje9>#L?a
z9!(Qfy*#vmrDL{SQb$>l8Ao6R%Xk0!$Ekq(mIu9)ECkQnC<r0bjsRl#$4ZM6;jp^X
zb1VFh(?&yT-}-v5P*aJveF$|Hkj@Z^K)-;)EOU1bGD#y42p{g}P9yY=Yh6-K8|Wyw
z%l$rKT@v^@YT|q2VSw-$1knQb_jLe%>B{Kjn@GV=j3ozLzRs3)<~DldLAaHM<YZee
z*HZO=Y}NY}MkLf)a@~@_abPbs288vR_~{@lz-vqyHD|gb_OI=yl$mUq(^)`P8j*d_
z+iwz7Ot%D*UqOMxAU@RE8W`<+C)G@!Z`-oQjd73SG<?h6ZVs}O+f6+^7LP5>=e!%)
z70u5_4_EnjZE88U=lsdgmwDsn7MB7{p0m|HlxwUyogR-{Sh7w0(oGCv!h)REVi3Hy
zkm;GQx(Tq|<~??7d^J%`n0NJm&W1Fi;e(Udm^3u`-eMvfXilRT+v;?4en5VNJZ@<x
zvgabHC_?4(QHN7ja*_U99fQKhU;7Iahg|Sotp6lUeKmA3u~ZvUox^T8P|=*2s>Eh#
zj~LnXB-WZmS(m<66))xWXnb@8o;6iWZFRM_qMIqz24jm)Cr9C7COtCh;CZ{avz5!7
zar#I6Pgg?StP>|w74@^2=|H(y_rMXth=gZ5_J;(-Sq_D9(ipz1<7&ADsA%1F-bZAY
zoA(xaBxy2ZK(^~k_{97+XzVhb@49&r9)gSv0^Tt2;bvi|Tk)Mt!Uks6-8FSX$}f?)
zPalGp`plI?$`P_I*+9CO7-I?W4NOjC!$v}w%&Yort&LT7oJ)4)C&x4kGk!@VzoY19
z?(Hv+>K>bPsuX*^!*mLg1{+!p0lJGg<km4gTd~_|38zBFZQr5HSwbl`3krh_hkA?C
zB6_`wDItMPhFIvLX&Q#1rq*WGZ50`IL@Z;kcYs_9qHRBM$wWM*%dy=81foy<p|Y!X
zC^|gsF=X#M>RWick{y+z{wtIZ4=nRG#14+;=M2v+rt5~~;X)rWUy2U%UiQxtYAKcZ
z^k0LPp0$d)heNt-S&GjL6t9Olk@F=qKGMF%M%A(V>mzVa9QT>3vPH0eTOI`eVnQJ>
zEOo_(>$NHQq5RGokK0aYJel=>p7C@DXsHLA-K;SPVtf3kT|BrwVc>(Jz)8-AzgRdO
zqvsV&r^0)?M{CTteX>bR#Dj@{Tc-^|ak7=@0&9~xYeNn5n}KLcv(wKW?&qbPmE*xB
z_?|tg-s|$nT56le1Ha!u08qc8<Ew1Co6q&o_07LM2Ji0QPZ*1rK}UO2-TCz#2ha9k
z?Z#n)DDJ32iOy<SCps<5(Y;(LgR|sQf3O4#Y$iSC^QsqdE(F%x8m>U^xP6wZ2H?S5
zVRzoy5q0}7U|wtL2007n4Q$O~I3-Fcc$B^<-}5uV(ax8n`Jjq~IsEmvc`ke0{mWs5
z<`|0W_%<r&yAr{B-r`YonYbZ%r}4J8QWj2bMg8t|KV`r^o%Q#GNSjgMC;x^>?^<Jr
zK=w1Fu4QOD>RUOM67IZYP!!-dER1l@-|XwJSk$MB(=x|drjO-uBX$ooWvQ^Ydzv>z
z#{_ei3a`R={J)|P^y6y@v**vdl3#yqY%fEq|0VHHFhwjnBGL0s@v%4MX>9CQr1byg
znn~V}+Q>%EPN~}eZ(t~D$OC7gz01mSS8$s%6T71xYvb9Jm_5bP%5UiMxnrM0);K8A
zE#xkk9#MV<!Z-7>wLBJGG_T&lK&kUu>OOq9-sJ~=x8@Q25FVOxO>K<uc7tlZSS)qq
zWx10ps&y@*E>2@VvAyi=_mCJF5nNBY3i_dG`N|-Pxe~p?hWWIiv8arZ?n)_~L{zO%
zi-5+p5{#BcS%!`F6#S_9d*}3%)r=H^Y3N}+?^m9eJH1>z;o-~(SCxF9oqi>i^K8b)
z99%g9K_AOE!;^Foh?{)#`lHtfe$K6mi;bPSsn^2#d%a5g!PHJ>|6<N%Hm;3CJUG{9
zmVvyR20hf!^kFND#!oT#$Nz_|w+ySJ>4HTA1b24`?jGENySoQ>cMtCF?jZzscXxv8
z#x`u+T{f5ZJI}el&iwD0UfosQHET`RL<O)h%hzq54L#ZY+9HfQ;q1nCst$e-!ZKO`
zNd8)tH~Y=jvJ42a3!evIC*w$`NsU?9%-Vj}UO+%m1-VCrXuxUyo<z6E3Rb;uRxO&i
zxkSVrGQd<|>LgE}+%YRsv82O2g9E-y&d_YugTw>rF?g<OY|})g`4q8)n*v>QK~ioX
zI7cLs<a~8d2gWYu025vvnz_ije^C;Fg?iK~wx}gKGMR#S)mGI6D0EV<3#zmI%WsBM
z(rPCl``3pdxuRH}+nP&vTKjj!`VTMepn|F?TDwJn@IZY@Vus5>PqZOO?8+_ng<hIF
z#3ow`vs=b;iw|-Q%}r`g9@0yK##o1p@-AJ=5nA@Q7Q_i0HAiq57##llqNQ+(D_k@U
zlje%UqAGfk2KF=yALM4N*sW6F%~@@J75HNtgW!kSQGmMIBNxLIS{N0O8!P>X@iVN}
zzc#MWMhg76)7LMxavQe;m8Iv;5I$beBrcqh?^kNr9Fj1|Qsi887_)3fZVr7DnHeIv
zoyJRTgr_0j)+3$wtaAU^P;&scw%4hn>(!GHDW85&8{*A8&F6a(x%yB%_s4RN^XZ$s
zCatyK?I26AZ70bd+_npvo-;uykXi3^0=$?>7_M+E)xMMaGH(9RlMC$Z(?;#o3z<$!
zAL08A7`*|zIR51(93WM3(V=1iVcka)B|K$H(<f0skcO0hln;Yc)N|kz?BgWOH>Sq$
zO!!3v!dJJZd~<gpDEIMY@|Qw?uGUYcuZFt(ymR@>3qTJU@(`F0uuyqtSM&s#s@%s>
zwmf_b?UD8;_&3&QjnnF`IT-$`W9B4cIxm_s$6~|L-cdh!psl8cMB=4!P|>4KnXD*9
zPREqKLZUla!ZPU1xEknrzGx<=1eJCd3RTWk)d!_`Uu(xEvCH*CI-LDt#0QXsmj3x|
zTA7ur>-Xi&H;o+k@RpWVRreKe#_=WGKN8Gr3ySDsA?q3KsicW`yQW)wL;#N|T@t=r
z`0i->(c{)_c%|odW5P=*-%aCerSRL~zs~zj2zTsvD5rK6Tl?7tDkPpw`C;*NNpoCg
zcy}#^=SjoPFk^vW*RBkLt_Pv~GK&-B?NWQRSNOY9V(q}Zv<p}yXDRP}@fm1-W}Qpz
z;5w9v)6a^Nbrpb-G<I!p&H^3QTv|;EvS*|W|JEJpM9Pj)@62?#`v!b{(3Hw#q-fb-
z-o=+VW}#Q=w=~<i#7)2gmsJnv=Wlhfd&9Y!r0g~!$&-!LMgY^iE6rEwZy~U^1omp-
zB8t;}6z&@>!lOScToz%mrY8{hn#7;>u^2*L6Z21A^rX!Z+{_ujBbmWrNHeML+&E(q
zf9GuH;TK|)dqJvhtyK2t6Zh%#ZJGXgcxlT8%Z6UDE{!RJKSY3wjKfy9zN*7&5h#`O
zo;T};+>e&-#4+)!&z10nf12Zg%TlUoriK?lSf+G*Zb17Xb5flrB6CJlz4e2hNZ^Tl
z>a*3dl*ZNHLqcaa;|-E!X~b+#<vJ()6%pKq6ZFEZviq4qn-;}XnK|2+o=LmBs<322
zDE!8mv~T4OR(V(U>2q~vcS?e#f$xURo-aTKR2Yep!03sU-)u(q`SO9i*gW-hK2P9_
zmmmie$7;_Mlx4T`9WP0se~qMLsa9X5l#A@Ubxc{e+<Q1LLm>4|A~KOhL}Q#52OMD|
zk%$-to_DYtNw6~nmW>7PI%~By|2X=c$c)%Tg*w|m8crExm8e?~M-b-1M86f8c4Vmp
zSMCG!&2-QYhsCU@SXhdvLMf}O)ibb}Z`I{bS-iv0%$?nChY@B<{^V=bMx$9Op&hqa
zT}WG!AD&6{hqZK28;eSvD^E-qRd;?m<<nL7D1Z9Tes$DqAN5B+bW#=kO97X-du9^@
zPKBHwx5R1^2SIANBJH)uo*c`g!T}ea9PZ15v0|fKaH|3FTKyU2wx=UpJ{z3&I!{Dd
z5XaxMk%*~+wNSf!fN}TGPW6(tAO6W}*?YvhlQABALc0Quk^D=So}hg?fr^_F)$|<~
za&ag7d}MU}jb^Bgsc@T`kITT@>DSX|AH>+JM<X9WLj$=uxp^-eg#-5wvB(#g+?-Wo
zKy3&#;4TOHBN`BO#X!0D9?1>!1CNSJZ2gOazr#&2Y`W(L5mKzrS$D!k;~;IMGkfRk
z_Iqi=G_q}LHDY1RV8voxn?)C7m{GJ?)>PdS;#P};*9)H$d|~}M{sb3^RFaK3>s8HB
zukf|a*z>(HLdM#cO!Q^+PNSQuPFa+G<NDXLo9bD=aRc962weQ1?j}tgJGS@zy<vgx
z_u(U4`Ht8Q-?$7JY`9QL(AD|p*LnsQKIr=^icFFk*DoOVMzS4hVOO-b6bkMowgd*(
zI2snfQ8}pmUSB5GMp?QiQ<6J-t(r+ns$BTO1D`=pk(op?Z_n$xa=k=zZt?>Qm0v)I
z-iiJ>-e`dDr~{n0-{ND<tizPRhm~H}D}hxzA+B2|8;2{)cfH<)8MN>!p<K6tskzW@
zgfiKql^yn@?6m3jIzQPw<kE*#iDbqpoy}l#c|3TaI&}zU6o0Y@nOl5bfawbrkNC^*
zc$fUvka0%GbdHSri^`LEP>q7`kzlV?fC0UR7H+`(hi4=oeEp6}loGj;v>&01!X77(
zDrz*boKh%6fZ=+7OiRWO$Gdx4k6=OW+pHSs05KDcb`zaCYYiMt-yNj_YXWH~!NkDw
zse^tWxdxv`+7;owN5jzP@i!`r4}Ks^$`fi*ujtD={@Z)i^J5g`3g(1Gq{xd*vc8m=
zdCcHVTbKfu&H52yOQ*K*F@*<!->311R{<9!y9gj*Z;!8vUK}YA{%0{-VoRmK@{pLq
zpTweG0^2IL=a;v_sCMEeHZc*cf|XsDC!(_9S7lCD2LX;`B;StS2TqT-EnWcv{bRTF
z(+80<a<lJFj!Hj7v<AA}lh9ps<HdHncL(Yh_P)hc!*vcvJK?zt5|3$DRgCfgA-IOt
zChYj7`6z)%?E;&5P!7|Q8BO@RE^g3EF_&jf2`u15#ecmzU2Y%mi}hY7wV>l_?m7MI
z_88bOyZze&$L3gH6(gis=gNO9yK2HW0ykLu;#5MSsc}x1%oybOE|~Q~>7x>;q)Oyn
ztEQg)M$33wBRe?ru{XpX1o_o4A2v=gB=saWXwz^>(V%HbVmPn>vLJe8<Y}uzcW0fi
zLQ{i}4TBc;w0)P2pc?kH!?xSieeH)$SxUeFx??Fv&bRble^X~yfP#?*-mFy&K+@FR
zyk}&cC(Cg<QmFQZZ_fJqhHB?IJ;plzm#0%t%mwJU9Y>}c**o=u^;!l9A2mx}E7uj(
z^^Io*^ZG82{5_Pme8f$1?6zrW<cnrN)M=m2GgRWN;f?{&^W5(k+VFyz%>tImTYWEO
z3=^Y3!Z5=N*;{6h4M-O?`)yYC^G<VzOmWuvi6HCbtzPLsIB$swOF|d>C<cb5g|P&9
zL-S*Ww>CQe@|RCImA>_cyrs71YCFmpI%*q=?)n55;7g2iPX56Gj>Q<oW(xWtSJt^R
zZ3xCt*z&C6R625<(3%hn`K`=*;d5Dc6niXT6@Kh!4+^o{7<IK)-<`OHZZb#_cZ+QW
zNM)fWlR38HNnwpznK_xYbs~n#EWESqy!VE`)Ej7d`JUjMANybyi02n_XFeg_R1M{f
zA&wcy<A(di3$3IE;CLHM(1Z(6UE7awj=&$hWoA>GH-N1F$OiO1@C=FZ4PizXLo!Vl
zXrP!r@_K28F(@iv1lCXb$||fox&7GEev~|$ap;^rCv9S>RX$aIJwLD}p}A|%?cZez
zA<?M~Kle=*#?A3!&T;O7ASS#K*kT+ZY#rk0yQD!V;1C+P7iD%CdJ)Iir#JC2(;B*i
za~+4w(erZKWi~BXo<^B@;)AG(*60;G+YV<_JisV_7jv>w4$VrsWXn=T0qZ*zA8!nN
zbyZXQmc@@yfb$_9sC(Rn4z6VC$n=N@-|dLBEE|{q{TSJ>Phb;D=0@MKvnZ9pOd#mG
zXV@`4p}Yy*@r2qgbr7q84}kDesU~BA?}6JaA4x1nQp^rbd|jlz3BK!W96Kc!<j?n3
z7YywpfBKy+d7%l26;J{UjTX5vhy)CRo^BQhB8W_g8m?*T-KYt}h#QYrFY`>}0?Ny|
zotlmbkBBeA!*G!(YsAM)O>LR%IZ?>Y3<KogmKO0D^)yr0ko^;{I?l1}Z`O(xK0A))
zRdDpW5Ntbk(85RIoTqr(?##dNa&5WJl7Flh=ZB{?L*_WAr}s$Mi}*G@2C`aBCGj3*
zleH>WApuHy4|EBnI&)HcVdUTIU3bvd-U$*vQ9Uh7h#tM`hp;#5&n9cGy<ZiH(T*1i
zGvP(dy%#Ip7Xezc&93AB+Cm$t`P`o-1W3Mm^3{30$h&gp>G>U<RNw~e?}U6Ejq<$Z
zYm9Mz{}aWXguC8V#zsteBhcL~XvBb=KP#Jr8q19%KzXeLbdPcrtJ!TkFzJv0y1Ff=
z_C$64I_9MF&z~{bU~~QK51S*=;Q<la!O(r~PzlB-I1`_^fZ0Q~V{#Y?WJ)q`a5qc;
zkxr_HZR_(1Tm2VWrNW<sf8a{+TyOs59My~c3?CH;`%DMSt_Vo33SgYz4B4KPeP;R=
zi2S)QWi1Eas2-dSiIJPdc1g$ku}}=EC}$V39^6BoDI`{XWpDdAB@Tw(|A0c2?BX|@
zdf>T49cW$*PLlHpn!X#y9=CZNT7f2>UY+~HI*VGb7E8ulEdQ6n4ctE69A}YuN^ZpJ
zzm#nqi1xi)`25^J-l+M!50n|~a?}85wc%=I@eh?Fr||%yl%goG-_vd7X$#A8ml`!a
zvHcdyV`Kt1&u}(`{vn7Z92`>e5VXe@Oc7{c187@gc$d+A#bSicaUVQyo|-4;Fm#LL
z`A9n6=WkrwqTyOlViM}9`vNry&_45)LMcB~x?FWOiI~AnUzzuH;B~%XH9lY(;P4O2
zCMR3`E0lM0;#YPM^qr5T5|$!VpN+1%P2YCM`09#q!wBY2*o9|L_3M^uf~38HuMaFW
z{eIZN*S`J>t0DA@7~Tee>Y&g=bhp-@AU!5$BRjjNiTTx^{bCsZ&BA|6MTd$LvRAb0
z8NdE(&JMxx*NUHR8e_mZAr;keUs36)8-u-}M#K|V87$}d6zt}4&FZDz#MkxXdGa4=
zws(j1k^_wo-fB@TM=M%@Y$eGJ{<z=@L*sh1O4Q2X?(&x6v&RwQW^}1>DovCoTA6BR
zJEQ4SXX!=9^&!io6)J$Zq1A1A%yCrG?7!@t?4jEx7}Jy;8+oV9Su)b+m)QS7en%g1
zYLcIE;*{p=^C!{&YnarT`5W(<na^$<l-TH(J%*T>KwUPwVB90QiF|&pF&CgJS0a_j
znZBcDl^$ZU2!{f<)Lr@<BN`1M_wKT^3f(_pV3#0{S{As~HqwiO(x%D_8%f-uw04?x
zoK=#9JiFzzlL=bvsgy#@d7baKE~xy2Dgl*$aY*>~a`7HBdK5ujqeI$jae69=VkfJJ
z^H!Z+q;}|jjOBj(E%f>`o{Xf+VyJXKlm%OiSv6Pz*AYv~8mL~gc`4LHg-Hp_GJkU#
zHK|5_Di{P~6pT*Nu!4H{3ibM_vIW15TO*p92M*}_D9rB$=WVw;{rt8+4|fg@bZr2K
zl0(`Y=Hveln)$(aYwnFE)h0io11qV7V!D{GQOSE1_8uvERrVgqg&X8w^b&35bK(V*
z%9)M&?jjPkw0%T_XtaIU6+cZ+4pzU#CTU|*ICIamdU&0bc*1K`(G76a7*@Dsgq!-X
zF4UnWxM_K;h{+9jTH3^=N51|<!|7~F%G_S79{KH<_bkWs25cr|7YmWVbpV8NeZ+Ra
zOz8OkUiWK@I0{Y^3XHSK&Se^U8SXEfbU0n#=xoqwUOrdL85AZz+}ADfyq1z5NtnGx
zas(l+&QyCz?|t@<vIn_6T;KGbjHd-wY;^Y4Gv;kuHWE5P)(^v5^gksSLP+42pP)6w
zMA8cUKN_(syo>Uh`bIRT^*hd}cs@<W+I#eWp_cl!kgXs&9IbluN=XQMDSWC%gFOXc
z7?-29JZge~l3<lU-{%CWvBZwb@(U@R^*!qFYdUTGypv{82`kMx?i(`*SKSH${jrl`
z?bB<Iu3?IlZQkm(K5@!QV1eWq0KQh2gik)Y*On~Vz~18<8tJ~19zMLQC_LqU7xHWy
zA6mFde*Z;GoRr4u`}XV4)i`nil1|yUn5Kj8SiGSTZ(V-QSWWLm^}@mmonsFmD=+KM
zOu9g=|D6|w<xx7r+=XLkb02L~BJnvpQbPfezJ-=KMTiOUPty+GKPiTrEYIRqx*i9b
ze|NvqzikAw{DP2et?})56D_)n@GqFLzt+OwRx)ybw@}!2+1Hrv7L3_G-CW98bM<NQ
z{R8?mgz|N>vs;lnJTz?JcinQI4OnhOGGa~*6iyXxZ%T)+8-U3-V}g<yV%vQ5K83&P
z#K%^`t=aoK(v)s2x9uD@?36WBd!*li`yylsxHxxShYfLfb*jQ5lBYI(mvW3TP@9_O
zCeMF!Gip8eCeE9=394{^rN0o;T5ZQu19WN3N?IDZ?DS1~+6+7{XP2Nl*Vd-!-(&S~
ze_ieHhB^)_B|f*<Z4>>)7kD=eDBT)2D|evgH}CIc@$@`b;UAfwu+8Vm+DyE?b`RS{
z+`a8gc&z<)-U>wL(3+u0kb5J#DIJ>q#v=PxGUgs794SC?J({FN6@c!I+&=QgJa!9=
zn#8^8u^XF|d!~K=OZu$R&#&Wy*}HYu8K}HJcA0om9s5S<GOg|?qv?oqu%58ZAGe+I
z976>b0J5Zc!9P!yZ3m(S3Y&ucFHk4`eZVN_$1jdoc;p~8;^0zqO<sRz(&S-e#_vT0
zH!uo~kHpo@k?{@FSlES3Wzu6chkFY=(qAhnj+J%QHPM^6{Q6VoIHst=TUhKH*~7zW
z?CJgL)5r4N;(&6ZRFZfw#8B#Z(w_UDfvM??*W8xD167ru1Oo#gX%`&r{|koF7hOdL
zejQ=q+@h$4D=}fL<k*FPnMk2?y@al#LRHyTu`PdZ1vaQHC^S+pG4U!6_{3f8#3Tmi
zd~1upBQf&4Ue)oXVt1PpF`UcJfPda7iT>Xb$)Y?C=HPJO$f<L7Syysp_$hG4o!{`0
z*@h6sx0q0j?)_(3n=@@4RYu-~Hy`fh>AEU>n&kaa&DlvFc+cG*Tq)V9rF^h%Kfe8@
z$DCpF%i8ueAEIjAjy^4}W=$;?$!N)q&q6=Q&rN=Vl*m0cuI&Xe%4z4~CH%fRU1ikn
zt;mB7?Ds2?OG_wP-!j*GHx$J1V--G@5zvS;-uQAH<f97_I0HR+bAUx%(h`rL3MU9e
zsNpelEOm|sNh@QVg(^8eL<z4@u9JNqhZ(VBdviOjIQyxlCe`z@WX@z<CJTD=v!{6)
z7-)Xp8wzSpI&I-R&H20SicA2K;HV-={dyhq0)L$u25@2P#k=|f;y;EX%l*g)YsZl#
zC=1{4r`?Y2WAsLLS?q0V&XCU{=7)oB1P<VnzlqEc%E~y!JrAXF&4xJaLxMQQRAxo6
z@|E(1x7luR*4mq<Zi)AjjL;uLX{Kj1eBk<p4$WRv04u;J7(KeXF{R8}`~e;h3FQM4
zsW8Tl>D45bz!?U!6?|b#@ZeK=a<9F>>ke$f_ng@a&Cev3{*UwJkPuA&-I077ZzT#y
zn5MP$H@~vms6e_{$y(D{PaaJqMF%qN?T_&SJ?W{9?sNf@!wGMobCi*|VagLeP$DW2
ztDX58Hp!Cm^KF8peZ<d=8sPd2nZ6y~#dzR~;_VW}(EUG(Xru#%9Jvo}`8ng?P$~cu
zV@l*J^7rXx_tX=%`?tRV6VAdv<JHGW+6{E+xSauSLf7?JU3t%$9w-~xsOu)i{fUWb
zK|hCZMve}Uf@yz?mG9hF*qF3=&b7oEv*x-ydPRh<hCb1Hq72yK)$*zj&;P(fh52DJ
zN;A04K|{8@!l`Xki*rBx?%VY)A^u9JzxTf|{>Sddv0ID}>>Ka@6O>faDTZ)_fc4e#
z;8e=sW1~uaZvgK&9_VU{J3>H-qN*FRAgK-I4Flv5Wod=yhLcJ=5D21(Ff#zKmuQ!d
z?@B66Ake2`+bN!yTITY&B6CFd#0%ZIW0m1cKLt(L3!@ddQO4wFS|Jqx3Rpf*DhFQi
zy%>p(B|L2kn8ykNv13!LMXlC{C}14(poD(sN|E5c83ifPf)Z(<Kj5!QU0}Rbu7n|s
zD*QeN{vZ(DdwQo-98O2serz&$MUUW_2GC++g8YU6$Y|D#7bwo9V#c64O~2)r@%L6%
z)xfKSeuU&VPQ}8R&t3u|`}x~we9TEJT}giz;5)(#pE<$>|7hWfgWlw_&?92>iJK|s
zn*vMNq-KDLIKRzSHBF{pO{nUmkIelN_yMOti)un_Sr{L-5|LXZ-0D@3Hf<tiYiG($
zY%JV&YYvdl-nBoBwc@D7^1;g}z6wY~yM9yY=Zpd!TXhD?>ca+9oY#lm+$TL-UPuhI
z`mVKw1QnOeOH-I|9{mxRzmCHVeBo#DxyE_9l_G%<I}m(Tykf5nVOuN@fSE|gV(ZCB
zL15sxLeS%Y2NdRo!hwbG_`hEANCr&Z)2A@uYOD!H-?;)~{t&;EM1jU}y<;y?S<~+;
zJ>l|01Mb*ww&hl2;6|D>eqSE<WyK$$UcHKd4a4Z3k%nB(OgI<%Hwg9kA2-cCF6;ip
zUWIcVAyAt-v*XKcP`s?zB1oL~B^3wUC#&7r_8%iK36f;iyoD1=>M;$nOn?X!rZ|nr
zOQ+L5fn^Vv&+J_s>a}S?7dmY8b4!}VBf}A}I-HOIaz+)1<=cH~*=K>IS(RS8cO9U&
ze66uh2&_{Ln`_?7vwmX`+ClJ*fAUvwpi^1pzIog4_NmDNj04i9|L0zH?5P37RDFpV
zvmN6+6qZ1-{i2CVPD*%lqbf8}cp?>`ens*h2{R@zr2-;`CjSouQ_SvN&D&F9uYK|9
zdTkSXvz?0}1Ci!E(O9DT(zM1wvXil5d}IU8MH~`{vBLCd!e}_ASBM#&zgC}VC`KyS
zBJj`@x@0skc~>RgG_8I*wRXfF4QrU&LgQ}KQ)~V5=LXy*B;a-hSnTFin6F7WT?dSS
z&v&%V2csrR-}!@jl9Dv)C9OQe*1SilO>9MdS4ZItRAhyAwm%~L7Y=|*kdg*(hW7(}
zx)fBZ6x@Q{p4o7yS+I}pB<OVi;?kP%%1ZX2v2_#$f6%i^S?+E}by5nlj7W4;K~fy)
z$H#Db%s%N;;23dm8?JGjZ0F57O!)qc^7mX>mi>c-p0w4zXBhZXt694i7xA9&ypy3o
zj-@?^A<QpLLX=1-2QEy#UpUAR6d1-6x!bQfFcBdW8k+)H&qMz+C0>zl-fsWz{s=Z{
zd6=7I7r@?I*n<so!QP<L7dBk9BFSofBK!PIu^i^DdpyWl=^LSQHJq?z9&m94jCXk2
zU&1q^eO);8Nn4AWT(Nx01jL&94iS`hv`4e4*8HK?W|@DyF$?Q(`O7z&gG%<Cu}86k
zG_mr!aF$NimNg0r1-}rQ$}Bad)=50II&fknV|mP+<<;q`s>26*k}l$hI-oG^SA30s
z3vunx`iOsJ4_=DC9npJ!%0oXr8|8Uy(w{Pl^Na6_y=_he+y95gr2N<V{}2m=1jVIW
z07Kr)S$p7X{M4O3^U+APgs0K?$G&_{T*A)1oGh1Zv@B;0>-xM20?gO{;mu&GHO`O5
zdog)d<~dg)U#iB~r$5UuyqDW1?}o(;yS-@3rno9eJj1(JBExG^9?NLZ!Y{aX7aVh?
zLI7@%T;!TiOMjwSoQuW7$c}e`57W{Y52;3S(<VMMdYMt@NT$abU@OR9@F(e|Az?^G
zeWmB8&x+H@;0E3wdvAdV^j1LlYx(kCTV%ETxlvy^eE87ta{z5eC4po11#mtKmBH7=
z`FQvb?Sj{`>;g$HjUDJhH#CI~4JPOK*qhLATtNPDigdqtfp2Zp*8<+Zn$dSS?kq4@
zf{aXj`5!uMFujxfesuwWwx~(Ci3?Q=9aPPb50-w!CCZ`Up(rR^czDE?w#phjf3VS4
zkl|_Cakn#6!VK6uwx~vZQ~7rza>9>^?Jol?LId08y)*f@QCA4UAM>(y3A>ovKJr>W
za`7(p|NpJ^b5%(Fzgw$f9yR#eO>8RI8L07Tk^6Uyrt}UsX{Gd4mLjlds8%c>WayDh
zxJ&*eC&_kdAx=Q)eiE1UGxM2MMuX)Q55|A+k+BkMNE&`IV+f|v+Y?7LV(7SA#v`<W
zB@(q=i@QwexWPi)R{D0?bR3~pd8X(Xm_V?uI>e1*)~qr*_Qj!7u%%+C?F|gM8M6P1
zol1AmNU8Xs<272~qC!Xf0N*DFqy8s7m^?eklT5~cRiyoGCT#3SpE(E-E`o*2?En!E
zD~E&6Mpw{{Y59o|e~3ft_tW~$ezDRjleh977ts7uag%)t0c``a*#$I5{<l1&E*2bd
z@aSg}|Np9Sq?_WMH^Hw01<8?F&5YhdQ~wiB!XaI>*Pmz|8$C9i(@I=WG6YkBYmmKl
zCP1I^edq1{Ygewh%8U`S^8xuy_RvQ``^Oi%s*amq*S^~+OdHAO<0svZ7CPxbfG^=}
zY`OOflA4tmz8EAD6LNTRJ~CN%vM2!=B}6isD1q5HrLh{U==$%voDO(vijT|g%M<C@
zWIUSA?Z<axGnwAUJ3u>V%jKdX0V1Dn*A_h+R0#ROG7%WeGImAVU$Ipl5_>ERCoBpP
ze3@oxTT#Ns=}OAUlyvQ`egm>TvBTQ0WP^+`K+L!VzW%~W=Mrg(xMf0<o-`gi3f@ST
z3!xN#v0LOeTXuUgJnmWEJRXCg7OZtCILUduW3ohe$J_AL4>RuOF8aOeYcT2WP}%63
z;>pMT$F*7Ec)um<P5I+h@qsie>TILCdFk(ij)hcLdtnf$fhbfzox7NCy!RV~>a?Gf
zMv`yz-%_b1_ynwGOcMMwmdvZ8(w$tmGRsDf?8`CX9juAx_@NBJx}Vpn7$j?qG1%}4
znP;5CF2>KYu6T?`)6EU~9My#68zj~T%d9d}p>_gj+h5n1?e!@fq$l6f<h<+Nu*d8F
z_%(lZ;E;z8Xh@}&BRu**LLR0BbMP>ijnN-Wz0gl@OM;Bkl`dSLc*pvCgX~<IU9KiM
zMyhAAr1A}g|HTEwfW~i&DfyJ8LUe@3YcP^Q*AT^FsmfT*uI70OT~aosOA9LsUNn>K
zkI~r`m%ywi@bzm))|K`L>A^GCIc+HOR;K0`Mrv`War<_0E?8oSQZ(~8k3L4UU+8GT
z?<999I1c3LdlWDd6_fi9G4U5PlN-x3;Nu0yA$r?IY`p6s(Fns8UJ`rMRbQV)EyGCS
zLGY3KM|ucf_v~+TMYJ{%>pJgyhf!8wCDXz8PFa#`buGf_g@xb(QCkU^u0vdT4ZW7{
z(MuIJ(`!CG@cA+ct6fs*|LjV?w=FSi!3Ho}M)+AI{%zS5+Lie|*oLjrE$o<_#x;&$
zA4)s+!s}h#AgQ*m$xr&S98LY&UL3&?yy}J)K}}<(P&1~!z8Y?{$}yOkeb!X&Zqdm^
zf*GbuLO`NbK8Kex-f6A7pdT=Naf@1w1%n#@^60oG&|GolKY%eN@?iMpXKo>gX<u1k
zh{A3qo#VH>!!Mb&a!_un_fBV;vG8wqMd{E$MXc47tw5Iq0VcvT(UP;aF?;{Lzun;c
z+|>eA<rqnI3%M+2y-z4aSn9||1mCU7!J~;1IvK-Udfg~5O;dgTb<8(;B}%&Zo0+_8
zLrDNn_MwzDQ?P(zNK^}CYQkN`Rh<u4YaJ&|RsZTKO4ih&V$ADb>}CVg=G*VX?N%mM
zB5Q4R6^=t#=cw`6+3tuQAtQ(GI)<bkAg25SW;*+8v!AoUY=3e{CipqXN){4n518{Y
zxZsr<c<<Ho@*oAM{gE*@#KvYasQ$*<GqW^o&TS*jP{gtB;{Cw-$5w_JNuC&n+JKiq
z0ZBi94L=>!WfVb-SrnZ*0z)`{Xs-Sm)5}tJ_!>)>>RP+{mbmrg3WD5?6x{^Og)SwQ
zDcv-#G5SGykFmCE%s^Q+Fc!IXzfIrBM@QDud$0@gPOjzlSC7D#XhP=}$+kIZa9Qfi
zdKC@LXycwm;ThPN+Ez~L(v02?2la%8sh3(sO3Vm0GOsoM3O0)kh^ZD7`tBaUB0L8-
zE?7=%Ii4`Vt}e5!cJ<q-j9g`^f%=WHdk@tU6-AyKyO%z4X5jbCSGq1ty!Ge5r1ZYY
zYeLPF0>qgF_8!L#8?gRC|DfKXUZvjKN&=m}-Z*C5NE(KK+eep%+{v@u%)`4s%wNv!
ziacJ<za*gzia9j=UJT&6h%c_ciE{EkP#PmCQhC#Pe*VFH;nVYZrpLp7IOU(1p@@1t
zUvl1+&e*Gbfhux_hp^1SX8YU$8uVs0(fRe=`k)9qwEe~7Gc1>9=}S&Prq*k?2hi=}
zun0cH0bp~VLL;%!Z0lw9Q@z;0D{(IW$Cmyc^l?=Utabb|vQA=7m)yJ@$5G2&X~w~r
z?^V@eHl^3^un=qo)}$@@wFZ#{P04=`rZ3Hz8>z0*JSFD|&j_W)8)^%qXB)l}DLVF6
z4c2ee)hp(j9*D)Ab#%5-JR4V!IWJ2=V1=lhVzTAcdho9b{?)~~h52PWB)(~TW`mWB
z>oG;wrj3ooznjG6d_q$X9;D_1+JCq=Cgh17ZU|9x^glV3qr_HdU7fi3&C*lD=T*q=
z?v>u8a%k1BHt-vMTt_FhXcTYYK)Um@TGZmsz-|zVR4YT8wko0MR*+q-Y|-)UQ)icM
zjJIOtEgy0IFuKv7EmqKX%#OEGrb}}BsEiGh^3sjdrn0z$0`(!Pj<g+fD>Dx1UoUs+
z2iS4@ME;;j{{VyR>W?uyg))P!hp9g3Tc~5N&C8R9VM`BaDZacUE0ewrj!G_m5Yjo>
z_E_=g?%hd~t95nj<flt6t$O#`56`jB#8(*1JPM(#{Z)l{-<KtM00pbks&W3+asWL$
zuiS%^lbT6=f*`h*19|Qi2Yy`a<ur<dBFakzIe&Yr?>onJED;fj5bNGrv-?KN!F*$p
zZ$m+1cXHf8Ij}mYFPgxYJs(xN_oDr%eWuMoZ-UO?Ss#Y=N#oyx+rV#2Yisv_9urut
zDekw|-pBV4N8GGgf6Z0uP5BWU;SL+9tP9fONwS-UwnD7u(xiVf7B0csUU_VCbS$J#
z>kEJ-c<+n;Ml=^4%?{k`Dc)y3TPw4khn=x#>}#lhk%1!|KMo-_#CbS#TodsHF)o}>
zAiGtp*WC4Ld3Vn0borxfE6cktw~1RMQhGW~0Vmg}wQi4R_}7@PVVyJ<WeiT_>UZb-
z!JTI_9ETpJrK7^#L*Ai*gD%0Ig}C;SQa!r4#&2I{et-j4@NZ=0^bsI4MElCD44C`(
zTAY`Wc(D~;XGYN@ICRvjK~S}i*Oa?ZRc?f}kNuoW2R_j&3zB+VnkxVP^sgqZ@#0Xk
zdsuFFaX89;CC(#T*!;y-2>6fyku+NZ`&h9nq0(jYhVe+Fna<T)iMH-s^%8}I?{zZ|
zjG7C-tS8LW))WI`WgV1U)gpbl{yh8DE~-|O+?zPb@&B|U73UjEZfN+a&NUkPE`JMd
z?U%`T-@<<O-o9{BLT)*IN7l^)zpDB7M=8Gb7<nTYI`-dI?&Y7E)j8VCSjfkD`%Xy`
z61M6RFbutzVHnht)glwmUvWw7s8NVe>_q(gy6yqhO0_D@Kn(OFZkpFRMwTBjm-r4#
zS~20`>aBoKwdP$XoOkAS<lm9Y)G>UyjnNEp6Y8eOkwzw3$48*)$`_aJZeVid$y#8n
z)HVHQRi)8fHBN<U*;0LW3injLc|jLg7_vbCa~;^AKjWL|_o0@T)^)g#JyroXFKP3Q
ztQ}>j_JJcYRNsNOpN6nsG1)!e@6G`CDTS&tm_IUO#=d&2Qt82&#7&)KW6FaSgpFCY
zm6e@=Xr1~eEOpXHnZSC|nx(QC?#AwweK<(_*j%rOk!M7}zBi&;zV~Tdbvlf0IUS2H
z9;ln*q9=+4m#3vd04Y&X0M=($hXPf1ak?*-E+JQyuvOdq)%QM0C(zouD3?7Ymuyro
z`|*;AfShO4D3kr?XPzv2t&aCn=CsPJWv}xC(3D0=D7?V;X}9?Ldi0p*w*-xyc*0*%
zi|;fEWHo=op^P&GDnt5AL)G;!sgpf9w~mv##UOwXfi<ce>kV!$#=B-LEAimeC@A4~
zI)Ij@mq{vFV7ShP6cD`2xnVf*viZfsfvVNM(T28N)u5+}t+6d~<I|^ir)H}&#%NoN
zDc81uYVD5M1pN7a<ykeu{1xuoV8-M+V~XnO+C(;#{i4@|5dN1&SNVp{r*X&PP<|e)
z!x-9wm@E`0cKfUlvshQQx@60?Elk!ps_wO40X9SU+8SOjRl}s~dB{Q$Yj*y~D|EO8
zq?c}O$U#lrw%Q@RI+Qk=du|?4lXe_7?wY$0-dh>HiOp{5&pT58e!Dkj_E=O1lIzq9
zW<*aSLEP8~FpR^Uv%2!b&B`_9xHerr_m?dx2^tLQ;OI>ec;DVhbDeM|ll1%Ri-qJ#
zmWY<E9IX@as6~c1ocA&Z)Ln8+ZMb_pVfshor1Ug*H&3f);|i1_^8x?n?@LP^l;k^_
zxnob1kV<y?+tb9g9C8(t-T05B6Cl7V<)7|Md^=vx8-Q&0_+p@`v<JzgO&o)X#R07R
zB5mRksox|f!8;=Hya?5q8(bh^>>D>BkT77FCv-Hu5uTEj6x7vU6%%meNu#uPDwLQz
zvHJF&lP~Z4d%CB-$B%TJ?Z#DA>HXg&ia-o;Udq2WmxRVHq0OLz${K8aSL75)oZ4iu
z-1b>Cs1a=6BX{bk+2Y`X>)z{vKejvJ9WV}&kQ!G{5FKyFPj3f5(?XWU$Yd%vg~M`3
z&A-A<N+}uM5WqouW!y1u23}_k>u9DPQZgus+21T2zp>KkK&3xJbd}s$5Z#tq?-DGJ
zhyX_PPR|PZ#x!iZGepm({EF?qDPSaKDPbu9$>~>1@qUDv?fIxoK+14AiTqXe)ZzNM
zAbswESZjT!G@^4m-{2wqGBemuYp>&85_Q!#id`v^O20yKJGbmr*j@Lf5xWRIT?_SS
zM7P~YC9+Gez3W7ZjCuUI9i>3llf+@p=@-{DRC6@F{~(Ymg1##K@J5zV-x}UZp09iI
z3wEU9gdAoww9gS=l^NGmw2ip(AGoS4uXE5Q$!T?MUNAZ{C?wrix4E=}vG#ziS@$YK
zg#$wNH{$dXy^8pPe&)MPiJ~nBk+P;HgUv0rHb1%Xo0j)hacg+EYRkMURyy#(Owl1t
z38`co;*PLcIVd!@T1P8r2+l{P$MvtdOnAGdRTPe&y^ETQ4EL;sVQvy(iZJW~Ye9Ly
z(4H@sDoc6CMH@!NQ;n7pe%6486rI4YM!t%Ma76y=so`49PIUx{eJb4EjwKo49Z-Pd
z1xMLKsF3n^aQ~{~#VWChd*x7chcef^Fb-E2DW~);skX`1vFuh}x5Y4R(p5T|T<dD6
z;%2@f2})SFjNyR&oxdI*$Kp+S`mX%SpPSkV^k&be9W)gv?`|_CJ~yY;m`mb|OHyV4
zKPML#^gUtNYi0mL{DVWLi$xQJe_K$?7X+xLN!>554W9*dOuwWIt?2rdG_G}K2wx6{
z{eMSKvLk@q!IsOw6E$I`{ChWoC6u_4q87_wYBko9heQkH6dbzj7K8Su<OAyAd>H5p
z&F^^RA=g97r3OCCAp?5j9b3}NORPRge!a@)bQQH)CWMkO1%2ZPaC%>%pD7<pn{J{y
z;-<aCU#JfG@?f|ViT^mD#qf?BWy=n!LQs}npXb2Ba_{TmM8IZ%lef4r6K2mQ4O6#-
ziIwCpC&Av%osf<gtt`wAxG|(!b}Zlx%h0|n063tS2tD6V_1lv2>+2&5>{knKeTL+o
z%%4KIu7rP;m&Y3Vt#;sTytuX|_-x!P_DtZaioO4Ca?Javx?ML-|J9MGAR%HQ@bqvi
zVrL5dSZX>lO2i4(1+!S8hq{JfH_7j6VfM8B3+`HX%*%^w9&lP4uzhLyAxYUmwk*ax
z12Hv(@U3#5otJQ`gEREEbe3f1)l|LVwv807lOkOTZ@IQTD|dEH&4L<rLSbTVkSv;V
zZbVdKsJe992-WuAo1ZScUIx{yS?aL`EVwAIH!t4Lcty>`Wd{w9-iz>sv|j{s97b~U
z<x!#Ud~!riTUvJY?f6a?iPY)8$ES9V*)YPN1<dY(wDaEDk<TNWtLR(FXC`nO?cxrE
z!k*>zb#S)NXas(p5OEa5DZ00JkaGjv+<tTCjhFgfyRQE*>S8VOJu@X8<RO52LBj;1
zfsy7klnB-H^+}39OGB|W)HgN1-9!%RTU->l9q8aJr`-_cJQU{Bk4aOj^q)p@;uQ+s
zoLI`_3C+~~uS-ao2wFe%7}4(Jda%{1dN!1K$%W;k;8u1uDL|TQMw0V_;rRZ>!DV>q
zQpSHCaH#LbHV3#h-<Z(reKbaJQmE|`(8hm?h3zcHUAu*}ZO)m^#)jW=;7pE053mJ(
z&&BOgd0>OUS2XJFplb^r7hC{(d~eUmW)?{0dev1>u%9NADx1`eM@V^_Y^Ui{ieERQ
zhBru@L_GXW;8tJNVn{i`$Zpv4;MGSi#@w&9W3v$(>p@dv{3ogTXZOEDQtWEl;P>!h
zYWbUN->s$Yg3RQfGk>)#YQIZ~v<1}!ICsNZ3qbV54C7%XIBL<iaQ>}8i5cTak(azH
zJUuzCGc%8y0&1Cr!N{e4*G3~VK0M_;s3m!l;}js*A~@+kT!#@@k>g{Lxr8R1g|M^m
z_{y%W%T@3;HU8|~@RN=B0u)v7WC_{EyX}PfTwD9}_TAlO+ogcU$;7TuZLc<?Degir
z#cBnnYmbtY+dZsQ^Z4WU;YF;&%O2PT5Pj5}Tpxm>d7+L?{i^_xN!w@@09wu@vS%=&
zVwRq1OL<!e^*35uI%Kup^xs(O4;uc{+DcJ{?m7G78QXTF(#V_b8FzLydx68b8*k|7
z=KKxr9_{1DAq{Hw>W_CB7c>C^2Ep5DRwJ%H=1laS86${FEydikSZxZAY3UN#wcpMJ
zZ~kmCjh>w^^9*&(Pn*C(3Vvc?CIo&0aa#{MVUOoS%H$QPDF>^MqM!8`cywOay;VK>
z?MnW$lMK=1s-$zxefq3CxY}Z;HslwpW8K=}Rgy3KItJp1gqrgKQc(A3Dp4eLh#IPz
zU^8C#j@F9L?D*okzSpyy=4%>#S#YW~KCjUFrlhh4rVgy!5^BuIeHyw-mZiAS<qy{-
zpLV_m5r%Dh@<lj?=6vfwf}jVHdV#R!UD*+#MI3olajS!VYJXSSt#y<%SUroczINXw
zrYbwFcKh>--yid>djsbmeI*$tkDqy40&uyMJCiPG!lDIUZGIc4<8Q=XdVg?2r<G|G
zwfu2i*}T>4@~W=fA^)gh0z7I)2@5rFeT1y-gHE2Lp$1pit0H8Y(5EC6x<>RlR$5X^
zRaq7V7$-|m#Sy?Qd%T)Z*Pw%H&#qb9U2Jp~`WO%CZ+HHw<GPAiqMcknclS6@+Df?w
z3Ca!$3YD{udx{W(^5*5Xh~9Jc2YN-2bR;?3=CU$i*fbv)vI$5in=YTi$js`LsMHL?
zkA4aO=DG$iA5SS>rcXQy;#<Y~y!^;EtS{m4HYjR6j{SGP633WTcSkghhFF|jK>a;6
zYDwPri$El}Sk`rcu(EbFM?OzE#copC-)~-O>|{`H>=N#YizVilUCGcY6b^>PN-={S
zw&B(;yKwXSwh2g4h}ZS)#+9d$W~>Pt+SxPqrQg~edk`mT1m`xpa$yo)o;P3ziaklh
zu^K@Ta3xE`UqvkRQG^_Pn)6SB!EIEmb-bKC+Y6Q#3GS%P5wQDhTgyxQB$J=N&vXUr
zNR`r@9!Zy<4ND!xN*&nP^j1Y1F0V{;#;@Vgfw1j%l9)4f7`@De*yU}VqH0_m{SMyJ
zhocM!=;R76uiQ-PSIQsD&dP;fZqJdQyR#59+i$W`ogZh>Q-J6JsdLABZUgz%D0$@C
zvx|k(IPE=Zg{rXS9D0L}lewIj?7dh2^jsI%4HX$3vH}lgJx5XRHR{+Kxwq@yL3TaX
z`nE%KyWC@u2-3xUV{ev7z?AfP$eV;DOHKBxX7Nc75BZw(-@snVb!nLmLfl|P+~g0O
z8hyCEc0VW~!>-E9m!3TtKg*t=rAb`t8G|>(0aC#jang-nioag&;b<X!lUxMdweoyU
z5^K_rlM&L=ITXUbzI6C<nX}8?`O}$3cdTz1sHD(|Zc|V<j+%1$cApGgY&=$PcJOEE
zw!52epLb%u5)I-q%aam2^GU@kvgq@iJr#}GId?KyBz%w9K*ul?Sx*yZsQ?*Ia7xcf
z*TsHk{S~pw{o}?QnRb?H1$Mmfke7n0_xpf4J@nm>*J%6#1~ng8{_oJ6EG{+m{ppoG
zYCaJ$r+7q4{ESD+h_Mqai5*Ra@Ht)HxCN<z)0f^3FW!Lrhj1?|9&=mk^%}d_k-fD!
z>2*nkB|X>9n2g%$e-AMRrSD`xOL`IzyX2v?if1CQ^jECI=)c>Xl6T<UnD`{pLegz)
z|9N+YV<m?biCOhKnH2`39>9TO(<*;K0R<B+;;R$Eax=-IEs}nXMy;N1O@i!+b!G0<
zo&Hx)+3(z&taSFG`fLqM-rNVu&}tJ0Jv#4~dk0<9d;HQlQvX`z{D(v~_I|wZRfnBm
zeHr6ocXxXdLHNq>ix#>V`$s;ccT||lKwH2_8^l1a@eKhlh5L_P`LfwmD7PNSQwvq|
zMFEk8rKwPqR<?`zkH_Wnu-NStBbNQgaoE$xae}k*JiH(lh;fc;Q7CttzKQ!JCRQTC
zAJHm{Hx%01JfWn*Zhta`hhDmK01<~%n5hC0@0PSP7ro7pkFJ}NS9yCpJ7nRFJ}po5
z&gfTg!bVD0?<S->21E(ye!56sNJ3s!eW)QWQ@1?fuL9PdGa&L=J_{2Q!hIY^BH1*-
zJ7gnTEbG*d;J<3VvnbvxvI5J$&h;i6M~>U?SCq3ds)H}V6VYe|N)N3BOn+laE$b(D
zYiOa2k$kJC%SKI4n$n_$q&dy68`{2{%Pe>_Y@X;@Rezt~Z>>o|cLzDsB@38lb&a`0
z!8o*Yr6d6wdSqjbN=K+En$wOe;G?Bb_a0ZXP?Oee9o}9tMT<JlB<2a7snQzKY2Kf1
zHacq<v1Hco_9`7`4K?~uvWEps%g^`NP(>-g?7^2!Mst^p=^I9vj~aUefsiDryTV@t
z7zasV1Q-UlA-vSXKk%+fkv<4_pz*=JeXm~<<~$(t`$Y)&r#F_6ylVW2`&sxPj1JoJ
z@{C4mYj}*PU?2kPV;y<>YO70OpKvVvDu3HT2Y4a`(2P1J?n-^>l?nHR0AsAZ2O>Qx
zX#xs{2i)KyK@faQt&om9w_*&9Mho3-^{JCYqFMB=Lej4#aN^n{eT`HzLip`C?R?x{
z+b|{<#5KhycOH{~hmyXwh*2p~>XI{Vq28*usOiO)vUC(3XJnBj6=S$T?`S*XPow^o
z<899{!IyS^ejy17Kk;$Fm{;FWG<Jkx1n34yp#&%f1EHQY{}-Ow6aSZli7V1CB-A{>
zTr866Bv;iBNM4#Ssaa%lk1Z7!beic=THuq<y(%3kML*(qQi@SnCkmiaN6u!#J|*dX
zhI5FzD}uj~7gkLpba!Z;a1)M*(Jl{=nCcWzAS1jS$#TduUMW8Fk$?6Cxttm(l_2+w
zhi>wW*RO<;U0!Rwj|oSkzSF(>qnUP7N!3WUU;4L2d8+p{<#IX(GtT9JHRX7BaP&m$
znA|a%i<epj40B~aAoA;<S!#dWviq<%@9-)XWLksr^{`D#JdT*gJ|JW5zsikhM;352
zR)f%EYH7)JqHxNY4}EHiZH<iqI(<&Fa-f7vK{~~RjOm=*GDR7Pu)KirqOaawEV^ID
z_+_)42G#gFibj^RL5H7Uve|aklfTI|*Wc0NRZw$5wJpbwy@ZvZl7jHpD(bAb*{nE3
zGog;5kYOOTEtc*1b0Ob0ORqZ_i`SU!ZFQw<q`y==R_|~Oaf6HB(mk>c|D2XKziy$y
z#+s+Qj1nymTyN!lUkCD0(7QS+qwI-n*&naHyOr9FlI9aEKHCik-HflZZbowpt|Fe-
zYRU=eTY6AUNOhO?v7<W2_}`MeTVuyL-Ij(``+CZOzW$<|i!~}T{;|^9nY|59F~b?V
zHG7p;QmDiO0XH^6l;dr0YZ!b@WkO7M=zOX73~gVKPZ!*N&^Yeo<z5(DbAKG15EL__
zV}SDa>^<vSPFDp>fV0Ax0^4fk@pYTHN=0dYNNp{tt(v6N$oJW4hNgGIJz<wDLbu~e
z`$;mJP7XJ793Sp*X*Or|ub(4Vu<A+Z3qx$%i*tbs7<`wPoV#yI(EDQ)1&px|n~<>Y
zvh1xJjWj%D3%2!+wJXS4i{F;|!1>^F@}eio=M!-1x`UXVxv(DK&-R#^I<un>D703(
zUSWv7S_Sj~x+z44YYd`y#sGkxZd2o71mE=PQh(iL5{7+SmS-@|Zkn<TLO#|NcJMQS
zEIPf%`1zNYlw`e$#ZBR=w8^{7u8lw0!A&+_EaRFgbmnDWvN(}F@6U-J4A|HLj#q(c
zJxSgEy;%NYu#$l1LxUW`E4%BU@aay#+e{Lan9y}b>M~`~J=d<oO^+#5vopRsT7W{=
zuQBfSA&j4J%d-5N;@Rg9E~hR;^Zs@YXd%C&z7J&j)e8aVr9dns`0Z9ge`%=Ca6g!Y
z%@mO&$;IGrl>-Vy3y2M+74_RW)7E_s#9fSeDz(n^6!UbCS2scT5B3+@ylJ|>XG0WD
zCMieF;ou=c35H|59gerr{bG0HeDUHZp7`+qT_mFc;jLp=KFu3}QX_ZeYtQTB_bY+O
z{ez{w+hMCoxK;HJM7$qJ-SKq>9W&dLJr;sf5e=AIZAIF4?%mpU;HgMg#z)0pk#=+H
zZAHtK1eE`%sRK2o%*6V?j3+H`OXH@IA^kJz1vsk|2C}7Rax<*gQaXTaB1B3Y)nM(3
zyW^raBgxL#;U*q}NAd3QZcZ|~y{_i8zwvufdIRS?T9>Le0jor(+G~zi<>&mcYT>KO
zcFs{(raty6S7^`uQ8z~je71#6W%+TjgyQ&GkigHfJ=c$oF`hZeIo6aZd$(qDsp%d1
zO}I5fd!QQbtl?J!0uu}CeS=jb-q?Ykl2(+K@*6HWoni}HJ#KzxjkT=!(r0k+2)k4j
z|ME#<>Zfx&nhxLdc!L&g+LgTAJwVcZnRs#@_6-c`5f+^|opv);A2z}cct@9b_L~4J
z#G$EAmmOEfK)uD8Lt<ll^pEU2R2p4K2X)`NaRoCCE+T@GQqjmpNU{)MAv>)bn^9`8
zT<J3J%b2y(D(I`o6_9#R3*W@JKo|Ygp`&3Kom7Sn`_cMbv4A&lqf!ZE7taLC!erNZ
z*|%e^rO%(!^)38sD!Fgnc9JEolpyGF{ijkjrk!-2ADH_JL3v(i^2<9n*@8VT{S+-(
z`zzAdmg_UU9N3VD#b4V*j|8#xyW$UfB(LK-36n$@E<On8DV?6ST-zy#$g@X+&dr^c
zw#;0Hkxe!s*C^$@hs%U_{3RCE%jd{=)5KdP^)=^EJ^l-(Yxo%+w{`scwjk$>0t@ht
z6c+~a^x1R(3G%tr|Hs%@Ma97dO+v5$AwY0<cXtTx?(XjHlHfMDy9al-4+!q=?k)q&
zptJdR-*@-rp8L{uZueVv*R7iIv}Mi3l5-RR{v>5_T25GsHMBO^n;<cl!S1b-VR?E*
zx>p&~&je6reB2NIq$E&o_uY{FQT$1KT1b;-lx|k$uMx8Xjm_ZLJ`-*e)k5lkA)DH=
z!++V{@R>>a$w)%;7R{TT43duGtzL0T3N@LeyN=13OahzQE`J45<#~uz%`QY;6*ZYi
z20X>AFE{`?U`lko9qhczd;MMJ;y~OUS6Q+)y?DD*Q6Hl90wyZ9`kHcO4DFVMz+`09
zFjj2X9{+ZKh-3!k7u|wJ)y1@C2disb>cb0bM(0uPo$u?VYVNnn-ydidE`&@@`~!v7
z7N-Q+#ifP(P18+wF7}%adHM)r$-N?b_-<tz?|o7R`xA2r`s!~ZE|t8#c}Q^#vm6S|
ztdH#|@Z3MOr8!85kR4XV$HkH2Z-&hNC%&ZeyT=4$Rm)d}g8&Vztd49fhbd4gHcw^t
zRJ6P-o~5|WtPLuU8*pAlOhD%E-c|Yh(+AmC4r;PM{-KoRE+8f4bu@JvWHwVDmr#E+
zEi;i8n-gW&Ni@uZ`L=*moml7g^zyFrOwWk)yU(y>(Wd9(1wBCZ;_g>kVQ1b{<`i|p
zc;Cw`<IYM#-5-KbwVl%m4iNX!R#A&+YIv&rB=vH2s4}w!!||!2Df=!h*IIO$^)-1x
zQz$u=k?e_9K&11^?pjp~J~LLDHa9IMAnAPAM&3twCw~UZfoZ;aG`mG{=7m|n_aPQ~
zvG8_dsjX3Ck*W%yV`6KXJ%fY4&?jX@vt>96K+1{5pRSy_qmhL|>0zNLO-~PN5GJgW
zffeJn{M=OfkPdYpIkKaGp4nG?69gH1tIaR`4&Dt?ZFVzGxmc5wL^qx}q{9wp^xZ*k
zAsNwNVj=pPL3cW2+K5F=Hv`wh&1#G>anD@#-feY96Oli7O;ct=&F?*x`z<U__l^Eq
zu>4udQ9WnGezQa~6aGtj6g+aVPr=>F0qR?qpsnD5e=2P<b1Mh7J(pk8Ij3>xc!9Mp
z<IqXhj=N<=GZ5r4)+g2ajgC=2n52!ExF_cCY<D)+Jaf}s*N?#c#o60dxbMUw`D;&O
z`AImvXW49GDbZ6ysENKl-?nKFxvU-YmegGzCY9PAaL4=&stCulx0-fy;@<{d#!h)(
za>)zSZEfR~Qf6(1gF&mg{p(e!r;EJCIqOZ7vVaB+o&)vnGF>6Te9!D5UF+glTslIf
zdc@t<Y{EG{ajDQnlScwVL(^vAOkhM)omS@Qa=c>OkxgX1$f2`Vi?TP^&m*9V#X^Cs
zLdj-rk@T#Gu0p_Uk(>McnylNBV{8lT`z*Lk+g=nE(iFd~WoceNkyNkfOhm1_)K;!O
z`54HzyuG-nXvE0&NjhGvHBsK?d`hUeF5Ip@Vaha>)QIu3`@(|mw=n#Ps{{~Z;A%%9
zQ7a0Obl3Na<lqO3O`3ZU48h*gW+-#Z?;<fh@T3On{z0_|Q+3xf#v-`=4NjHxK+?Zj
z3PXzp(Ec>b4EH_Y^2_l&jrXn18is+<nR6?i1av?N^%!BHNoQG)jXKjy@5CqSI%=l1
z{`lWr+R5*Sb*VFonreI;wOw~%!6x#fk~D!r9Hx-cSebq46pHm50J`<Q@cT}q_|Q#;
zp&|zA#z!a)dUQ@X$yU!l?_sF71}I<>N^us-=(~?aerYZ+?hxBo<UV<agj+0T%`J*W
ztD^lI{NT`}Y)t|{$_&wYSB-wL!d0RsYXJI3O^dUM52Wxiq!^lE%0B{00ABDdy}UP2
zcJuvY-O~2DIqCDAcCvttbk%dYsOQSA=HR2GSD_XFikUcgKs25x>hs4Z@u?=oeXP}r
zUzro79O*%AcW_=4^7k*8E>yX)DSho>EIRgg5a}juKZjv*JDACUi+)B}%V8fEW^h#{
zuQyQW^BE8g|I^bWiU~`Gqky#$mvI?Svy5|_;DChTI<azTuWZ@P*!fs~ZI}_SkKl~k
zb<Y_asYiLQqV4j}7`Lv1U(z;NzKyE{>$5-J&u<rDLRERy*cjmV3T0@&Dh2mTFjDLB
z#|Cw7TVg-c9JNmW1(SBuJA;mXwhOTYN=uPNAv+e1axOiZ#<VaOM$0b*cv%INvMe1k
z>_1APOAL~bc<tbuX6-%=*ZEkH$7KeiN^mZ|^Qcf8<kR(j{{Y5I;i<v!D61!4Fokwq
zIj{J=ee49Cq-;u?X%$+<Fa?*AVob^8)UW;PQ;UUPyV|N9r;I$d`as$n&itS!;O4S5
zHoi2$bnE0A$$*!ygv-E+weLORZ6{KkLZC?-2*8eo*EcjIOW6|wQJ9|YPYsaS-&%fD
z7}NA5#A`PxWABXG!LX1{oB>A>(gdL$wh(q_x4ny7W>|cnn%M@W9DH3YCXLm;I3uZ_
z+T1Dg7$<%=Af*25cNiaYiH~1QY}_MjziNytbF+<|v&!%d<07Z7K+rG>WGu`kxG3wk
zCRx&(|7&TmxLzQ`U9ziwJ77rOEKA`V869NqTM$iiSvh#hxRoI2tMAYGItJww)9A(J
znIuvM#;e9PN6}rK9eJ%KkI~ZFO*D2Ksm*P~93E3`0g+=@ns3<ca@UtT{B!NrW0!2R
z=Z}*Z14;#zx|Uv&gl(2x8QJ7L?a8l1N|@3gHly(GJkd3<6DiF9cxiu-7u2dq!)pwb
z*+MM4D7goRr9zup*p`Oa3oWW*Zotpc9j*52!kmV8p2wjduFb(N$cSYZ`TtDh-?O$V
zXVBw0j%{bHYxhexR@$B46V~&@q0Iw0*IU=CR600@2Cl?1P(<wIahLO57P4iXn4cey
znIu5-8|iYWup4W7tCOG<yCqS-!Yvv(<HeI}Db>DB&ro?IOhHXOQRW2#0}Y;%$N9%u
zR^8^zP%#QaB-4+edcct+&QpFSmjrwF6*m4qACVO3lHC>Rt6r;#o2j_S`mPn#HAb7O
zJW<2Nxi)5u8)4Ah0MUMpW{Ni|B}zC9kbZYAS%f{wGvMMd@^%fY#L*ncCmi{1;c@-T
zNQc6kxklWx9FfUERB&saLt#fTkvmBV|9IXi{d~}Hjgh~h^GG&!vGZfGv2W?q#vy1h
zo$wo_brXO$Yrc_`bAMlvjy!n_1U<mh6l`;W_0l-i_j!ICQUB=7u+}5q?GKL{9~rjR
zhWqJt<C8DL6dNnlv!j~u2VHCsy4?D^3Cj}t8|M&9qKk$F@1i&BJFSSw_opv8xIqSk
z@=sidN*DHD^3z;oy{t|P_Ev4JdG$efLCMCa26#Bc@Pd=B+z3rT<G=Op=-s#8<1e=J
zP@vw-Eu6ZcyA(o^(HWWz&;1|!C`-(9%1;+Ov}i*RnLC&tJEHdl=m)2h*I#*T=aDyX
zKI0N;S%vyT`ohnWGE(bU$N>eWV0rmd<ls{<#<yU+IiNNmIDVhS8q9(iRPC{whZzVb
z#&xg%^_!Q6t0-y5Q9*b-mJie&?kJs5br`DYk_;n$ocPZK!v3WFej{t;PQ>NbW~g9R
zdu@ug@fV63*R3XiNbq4t5K-{wpexaxG(RLKZpMo5Lz8z7)r*AhBSd??KViGwSLow_
z7*Jngyftv|`53#&TbCkY+-NvBpYknOlIT5s;pv{;UOTp@SCh9z+iJF}vM&$04r1=L
zoBnh?EOG$udOjd=2{81(2l4jR^@34;e7~;!CGHRTc^B0I<<-t<OLRNCMg|X+;QBsm
zu>)>(;b|T1&2*P8j@%PTygN)g{8)tz)@a&gf)2jecv^cJ&cV&otEoIf9dO?3=t>rW
z?N=C_@09yQdshQMh`<z2o2ZSae?m`n21UkQ2>d!8UbNQnoU5#Z!-6_U_kHlrQtxB|
zEHyd7pA)XIv*DX;>+X&Brw{E&f>1tj2dv6Fiq|=1r(dpLL&GKukO%rH*2PbKt1s4N
z_h0KPJdieBC%ar<^#DAz1Qp(H1_nGz&ZoRaJW4P>05=gq`r$CaF-I>a(IQX<&chgD
zVtU43gQ#kx$-0OeOG@wOSO9}vn8oiVqoCBcf?~uK0>2S?Fy8ROEmnNP&D<f&@hAkk
zf3)HA-}P{`Ao2~zl&E;rcqRdouw>-+p4M;^MvJqi>Xw#0>YPL(tv`O>&eq2Xq^L*e
zI$$;Cn2{NkWNDEPdLLPE1%FhS=GX1Tg3-YrFs#Pfcal9gK@iu>b_Ou{4op9Uc4`+Z
z0DV{AuKnOgW<3Kh1#y-8d-}v7tt|LK*Ot(wFW}4B#6Sm~I~4$J4lC?l{UoNhxIX}H
zM3Tx_7`Y$vBQ8O%PY||07<NRK%9uE0H~9OAJeBcHq}OfOz3O<zF#o7C9SH)T7OI=W
zcYjsnJ@P$sSm_W1DDTyQKz0KdFp=loqUYV_<zD;5UC@8GHKDs&(a8UMRQ7+yflzl1
z3Ny~|d?JxCSRG%%ncq;MZt6ncEIQ!t1TOX}{>7~hIHz4pXPb&758Wdfzy>Hp{J+ql
z1gGwq+aL==K{S#7s5ZfI`~O}QVEiopKaujh+0;HgUqJW30=@SB?$AT)mHi5a86J(j
zcK3G#*j25)cDMI-Sf1FAkX>Db{`kY$AA*$cxObGJ1vEZ6ci;ajA%uAUPWeRj$=qLl
z`-|au7t8mF{JVSj%U;I#b8{+$rZC^-|5gXL+;x52j|}(M=rELj8RHI2zS#&}mAFgT
zIYR$SFK+Ma9n{_pe}{5}Jyd_m_n@xtLH<PVT6jCC;Jkm8q<7s%2#K@=CqOGt+<8M0
z!x_{C^Qt2B>qOu{^(&Nv=0bNUq#ucyLSjP_&<UZ5p|%VWK;tebd)`X}%KvIvAG%9F
z^akDE{5?pYiuoPtj&)S_!|?+2^>Txakm-;VH4N{&8#Ez~<*2A|$l<T5!y6zWXdGZ)
z1=w}XKdhK_e}4uN_G^0e^k0DUPWgiLk6jaS_ISrohU|%!ZV^|C%+F5PnJ@T=%Xw=i
znOqD~i6Woy00>op?pgOO8iBe>{-9A`K!Nb={pLR`t@ZoQszdMmQ?O&&sA*v2VZ%(t
z3jd#JgpmQZ0L;6G05mJ!Ddhi+@&f(;hl01e&pXADY`g{wM2;<?aI+7Iy?8a`s_jyv
zrosWutTy8(Im*nMzd!zo4}7>+K5}p({956=k`4ri+DZgmG8Nf&d#`BkGANva{7LKp
zH&Me{(#C57Q|Xs+WKM4;K}__RKh0ZOFHn5A#5{#LeBe?ajNll0^rkF>gBx5;m_QEb
z;uJ*B$)mACLYSBmrlyuj{Oyc&HQSqnL^~^*ZUN)WsH52_@<dZcywS2vfftKkXUivm
zWfK`1sJ5hx)|AHZ+Dsy)!VceFc(0QY@0+%@+)Gx><EI|MgNOd^&Oj%mct)iJ1P-Ov
z*bc04kLkbt4UJT5?OQ_u%waFn6zW}8%^WtZjPjq3V5M|#5zX2DT0)t>;!7QeF{@`h
z*6~4Nli!FTeRsnwth>$Is4UEVK?0W*wf4Z$i2I5}7(5lt68ZR&UV6fBvd+nene!n9
zy~Smfji)h1oK6lL@jI+}Bhy95($?+$0aTv-<>tyw6pokA#649shlJmVJN))^JoG`A
z!Vhcr;(|(U*dN~@6=>8+(O;dV<72Avgu|@o)nT>W3<hJ)==PluG4yb^_3yf62oFaS
zf4dxuhUq#uNRI%T9erZ=ONC>0!?|d7e#x<Mo+0aq&$JfeJJEfSeJ?1ZEB1Su=NpRl
z#)SO5c_|S4vP)~%Q6@Vf`y}v=+m(EVDPi#kP<=6$=vuzSpMZJS-dFd+U-m{$7D<AI
zqQO5zU03mnl~rGF{KlRWjW_b4sehM~lzu#^U231XubIYNbu6>R5_epuMjQ94byCRB
z6XWRae37xGKHl3$`*;vLY{gyO%)K-qEY5!|s#@ACU;;{fMs0fbhfcW<Gmi|%45Api
zfpQQTFdA)GYy$2~H*7+8Cz?20uhoWZlUlH4d9N!N#Bal|5u1Ju)&xTj42BR<y?+uO
zf}-))hC>XQ;`S4w;OL2lnm;%`8U14K;7=|Y6C&o*Cdn?>Z9+C4oYLm80F@b5D4&#{
z4&~!!TpMA~WH~NUMEq{kBFXkUhLG&(1un~zt;t&1ep9bXE@Cf&J8LX{>7}f(Wc!Uc
zEqRPG;A$zV(co)gnU%-6E;g(EGd6(t-ds(D@kw8_iTi75ZNdR=cLecpbv?N^a9I>&
zj^mWrytjTsF>_F`q?a;UPfX<O9loa6N;It%I!^Zet07T(qId%AV63$3Q9+kA!<IUo
z`TSz3t??>?;p_dpR{!c2^>(A^?N?p?t}y6%Q+A!4%l2kLvwz3WI(p|*gj^iV{3;u2
zg2TaAtBH-ydH=TbTRQvGw=s=}hzYMI{S~`YmV5v4wE%+HD<M)4W?f7lEYz!+{<y%%
zv{nMO(U%Yd=w!jP3(CysLNdAa&j0RpA1K)-|8<97!JCfMp>oUANBF;wnv((nJoYFv
zDw9jBu1#3!2cPLH*sXQZ{rv*uRoTn6Vijjz=ML9)x|<t?jtxrMl0Uydaf#||W}}@@
z`7o*&>7k|>Y?DgVlEm(3GX;jT9W9_JSBf!*-sJO7|GmXprhNJ}$>fDpdtsFZUhq_u
zTy8v<F=1;(HyfH0ll-r$561TNX#NZ}+1MmsejVu{HQiT7tfmV+<}gxzJ+=J+6`Q2L
z!`_k;6L%-A`)cp;=<zY=$8=Bv8C%-)tarBdgHZU=YlrVAk%)LdvYMmz$3}+>QPH+U
z*8*XhT3CxD^WMeEs<kO{&KJb3{+c{%J&uQfNv~+P5|P{zcE*>}GOo`LzO6rx7w`D@
z$D<m|Y3mNEJne05-1~>fRp!Hxwo%u~?RchXCe&bSJ<~}R)bf*4ZqIywyH^3!!y9eo
zgVB$`?cU47Q*>$%QrECG0U0A04KA5uWcH&V1&#zS1>p*^gSKC-(kN*kvf78Ck!CX-
zWq(#UC$}Z+>#{mU1P_RB*|L{qNYa<RJk8TjY8!+X%g5BXqhq8I;ziZP8DyJmHFXd7
zL!7)$nzFLIf_X*zcnDIn;nn}+1)rff>vcJtEBb)0Wf`zp?9eoyHTE1k%D|`XaB5y@
zYc5Gqwd0$yx5GsTsAsV?Ji%1YCBB0hif6}EeG;?;<X8dcML$uYo(@HDPn$S_MEism
zPseOFsSM~3<CDUcd^|lzftl8ydB^LVi<w;dmFT|3-q@sF=zuKWymzU23#8YcYXL8V
zCUgJpRT56P*4OeC_%x+zb*4w$EvpfQoEgk}e@}{T=5?;(C%8eYJVmo|>0OT58OJ$V
z6g^K4-Byw!M*qJBE!;fl+}v&Jil9F3lRu+Y(pOw0-0Pe8<F4uLdCy|5QE?;`ZpD!*
z9Dgf#fbU%%NGr|xWL8f#wy!l`i3;!K3j)Upq_w3X*JTB73-OS)hAuFC0IYOu@POjg
z)Am75V?UTPaNa-MhMDL=;qW+DPU$ryx0RU8;*X7_(oN`EHZ=xX>IipZ33UEspkW@R
zudYtM9Hy8-qv^ZkdeK?B!|dSJ<H@h{q5;5KX$4DwE2ObHd3?*l#zB(kb_??%IlziY
zfIoS>W3de_?s{j7Z?{gx8E<0B(ot}C0CPW&c-ny!AuKfqN7QNOgrn>o$Z61;B~7V{
zjUm<yH|Wq0U_=Tk>v*z|4>fz=trw_NqaDeoT+a{E>Y(=*=*vBdcEPH<>Z%3P!}^ky
z|NW<Y+n0V0%YSF(ryOxh9^hR_bSe1Z>FKVvq03@3FV{Kil5PFlT#zS)<BHW=NA~v5
z1rYz2GKRi3=w=Bal#QRHA-~R<=MPSh%eJ_Gn07MYTp0+E6}UM+=w3gQPPJOl_QJ?E
zw^8VOT`B6sl4{S_Tt@E*wo44C!tMP@lc-CaBlaII66_<+jlSV_vpmVyu<<?EWE|8g
zl<RAct#i{YQDixaTfp0dc`PuH<DA4!EH4$VI6RFc)RdCV=Hyp~5D=In+!=3BXEv9}
zcXu0xfR`R>DnWdx9o*BPC2z0ipPl=ii=I@3>0W^fpCFwq`NH8ZG==Pbt%IXlPP|m>
zz$yT>zE9MAwdLi&x3zd*Ow{H+0rR`CTdLKbj^EIGc}d`jAD=AgZLA>ASHfHK%V%=2
z2SH+&ps2k1pPDb+Ho~|kqYA4pmB9KGR&SLGDXt|wwE_HfX3Nx2q&Bma_;oFVP-APL
zt%4$ao=~A0<g9DRFlK5()B0+2IX+%mB7DbU6!O%q-FxAE`pGWZ8zWJE3(0liiLG!c
zF_dApJF{ESBp3Q+ZQw{z@HhMAXWY^D;Hj~8Z2)Peq=a?+mM&ykfX8_!nxrr|HaKAX
z(ioDAd`2SJ-BAXuOv}y0=%9v4Vz;LDK6w+7Q`dK)F*G4JR9RiuS83`UzeS=St>7ti
z+0K{{P4CFJdj<akOCv|)XRGX|NLpcA-KTAuj67xDq`KJeaVa$i_RjwNTG4QRU`kCL
z_F?vy6B;3TAH4~xEUt9<lD_RNyt8$#qh2$&i4-T}Vd}<#<XvHKTl@4gJ?5I%jht;<
zjA*)uRn-jPcL7{t$d}qMe(07mHLrauo5n}T3WLZ$q0RcE>#}+VzTjbo%${DnM?0=(
zr3O_?Z>t}~TS>d|0Vf}2SvblzW4`Nozb?u7X;j(j{lKP$VXg%YdGXDt9D0m4H8;fH
zErQGMFcNk1`DCc?-`q8S1QS9Y?R`wNS9k7ZTs)}ygEyBR3AhoX#ZMK^vm8L>O28ch
zh-x}X<}|W|uoS)<s{giUtDj&Nt|b1SnUeiOgbeLJ_-|+m1@jjxgE#XgE*{FJlT$}q
zQ&*UM-f658so6~P>64iKN{I|FMs$DAFJEvftEHz`mP@GQ09Qq+H8nIaqBjP$E<8tr
z@PQ!YnQ(fGlZ8ln!<c$D7|G-HhX0Zk>*b?9-sX`HL+j1~>)VPDaE{%og2fcuS+9@H
z9XLR+(WQt#CEFDal}Mz;K5~=$^g7PD+jg^!AfrUa<kK|+L(h>m;-8|90-Re{os<@>
zuYaML63kI(`5TvPI%r6b<V60XP)9&Kvthy8g?`6n@!~>0b$mQfNPM)MBI(>*eBd+6
z*4HU$9rIdU8i%ETKDpNFzMew5;x`vCjO<sP(Qh#ys%lWP0Z%vHnx0+R!NR@9G3UxR
z;O{7WTosEl?2lK>bdPubMh!4R|Lb0k(dYcHm%Xu>t91_l=Qw30vz7>#oS<1VQ*K+*
z!To%Q44OOKSOge{^On&r^<m!38*T@|2WP-HuFQqNRy#45tl;<Mr15tjY81`nsH8&p
zi0pNz7%V<QOj7Hx)TLz|)#Ae(iRR^%I#=D+6be8`&=U;!g+zxxfM_$~_smshmt~o%
zWo#$BKLO^jb5iHgoB$@0yjNv~KbblGIiih!IQj~+h?S>QN3Q7T%pknQzFg%h?9;r0
zty7YzW2<O=3WEDQ;RCY)65TeR$9TDg-TB|SJ!nv&BPpl5%11^&&$Y2!oB%w<=+gW#
zL3@%Y#_i+G`j&tfQP-Wx99POjgS9kB5lom8|LyCz`{MHKahSxCluPT{sFd(nBHFGl
zLqZ1TQ1ncbT%QV2b&|Y78dp>^R)Hk@(#SM(#`=Mqp}kl4^pPj1>MnED3i#r{?R@@W
zAd(}YOTbvF=xpw&!X^axJ%urvN#clq&EMZL84(|{Fn9R#*%I$F&*0gUE%gSQf~(9V
zGwd)kc4%P1LeSEqUA41gS>o6%SimUvB*p!6KZlcBF-IhSw16l#J16ft195`Y9K-iz
z_k@S&oWppm-09ai{wh1(N<6^PX4EE(sDy1g&YsHx)v`;2s4SIX{tweJH<Yc!ii%-F
z&p}PC(y4DVvEC33Lit$JqB4z8O<079@jagH%YcHB51sA5uZv4b*j2!$mXH=wmDfW2
zPC(sc)34jVp9^t!lH5B2jxX0A`3w=%3Uq<CiQbMkFI%S({%0L5xBlMIEI-5!E?;zv
zP1KM!#ba2+*iv7EopGY0_f3Wb#t%rEoQbyn^HTF^0j2xSEjv*=s!?1cU(;8<6!$du
zWN%6Kbz>42;=tw&#QwD2E8>Uw-TaZxt8~}yZulGf89q?Kh*%WOG?2Jbw~Z&{_3p>8
z(ZfS?EwofMDrd$sytc4HJG_A~5eBh^xs`^KWEu@}+J%3&uXc)r8}t&Rg-wXh1hU&Q
z+J8F%!0Bp{Pgi3n5bm=4sWcKsN{Tz)`(`hV(v?tULcFI3i&v%=`-kE9#8!FF$>myv
z2ZI%96P%U=^YBvT<3$>Mub&~VGjj!3Uc%`3+YvL?PPtxI?)suePlatef9K&yt-jM5
zc7k)a>EsH5H)Z&EZ@2d?(+0D!*OeKpue>$lG;5HkUS;p6?N1nu%Kn9)qT`IJ$muae
zC<igi%J1~EwpDDcp7=EIDBSUts*4tFT>Za2hLxWPZ^$6Ry_R)F`{bhNcbH6H9}Yg%
zt|aABOB(NDUO%dx4(7zPN~6Vvt|RqrVz&HagH2@J*xc>~D{E~oUurZ3?c>K{U3n_X
z1a&MOGr#&u=)Uk*QX{o`-TkJmgUc=iJ)Uc_lhC>x%pC>}-ySwBNx`i{Y7?y!rJes^
zH6kzl)c$QZrPy%kc=UvqJ!XCXE$xO#@U18sZ-Lg5+9+#R^33yY$_^9Ry;m&ey)LC?
zelm!rp(dmT=S1$+us=wA!?9@^GYHQ@?vsGq>PJUl^p%wS#U~IC{!^~K>MMq<wN6js
zonzJ*Pp+uzM4=Dd=queE>QBvNTA8^~pKJsSBLA4ggakL1?^!>AM>-LN$cZ4f2PcYK
z<fA|iUq@5_8<jO>PIid>8<hFcE~i~MnZtWOEBc<!B}Ksx0ys_n=lX0!%$z=^Wf$|F
zV5<FTq^cp^F=j&!tdzdei!TF`vx~lFP7z6-f?1uv8p~qWah&M&35{A8UdJe?-Uj)*
zhxnwpoB856a>S9Y>yA;iw^a+Z90+*1xEhW24lIPDejjCGKZ0ee<SCVdOGYBO-<#k2
z){u2bu87Q&(j!IYaT8YBe@aMm5Ff(?2pLgb1B=aj0^R=UhFQV!rAOmCnEuARLtQAv
z*1ISzfw4kpzarDLeSeW4g(ul))>FTPtmH8*6xJ8LLIj8oYlMadu}Xz(F)LTfk`Z8F
z(v{r5OQC)12S!<?@`~1~;+mfTWvzI>z*GQC;6q_-f~XdX@=@aABXwpx(fu;4h_s7F
zk+YPY^ex%9-kyQ^O0-EJXKE55Mewm$tmkS=l_RFjOeZAYJda=5_{Y>Gu4mtyZf>Rh
ziY#H3`6_hpV8Yj4L=RIUp+18w&!A~>g0ZWm?>mF|CZ}S?I?V0O)XVLVo_@;KloQ9P
zFB16ryRfjcry`ks4W|LVpNLQog0}=w);%DtY(qz0^&eN-h|uhf!m7#h#?u~MO$G&|
z?9160XN-5Go!!Z+n;NCQZ5VT`$Z3IT<<_SQ0@qb_!w10X>JHyD`mA%Wq+8PH<g9ap
zk*t|vn#m%hL9M)DJ-FjZwwmz{jUwzG_agiBMekPAtLqIuLK){ik3?JjS8;STtkXTM
zDtp&i${dnU3-{HB@$)hQ@AAyPVS$EbmzQ{n{R3q#A(gaEBH*pZZeO<(;H4?>K$O2t
zHyo26bG)+W(~e^yRizD7cB^({C)=$yhSk(GQRI;z);82lL?Xmh=4ykbmtl30ozQnS
zvs{1?{qR?4AX>$S+(-GoHBbb?cOcw)xTFo=IT!xlsooFaZ+t#Ca;5u-wR%bUASl^T
zrDkZvu|ah@o`-M4V#7!Js$5zuB?U?y;G`+F>Q=>hJ1rI?(4MqYzE;jArd^5ML03YL
z2f{gn_hu8b_KFwJP8@=f`Hc&|z*Ie5(9Nm`+kZBhE!H9_d=?+@WAzt2g*XR5Xwbz#
z!w1FEN)x84Sa7?p6_c4z=Y-kcSB^EP|BT>ZHJ%U}GS6@&rHn+9wwm+~8$DYk29_v`
ze)=2(CDxNRg&)^vXP(h5N44$FKPe$(ZOXw^yA}PhJ;=$BI9>pEQRtZ_M4FhhTLw8p
zM&J|jHv?W>GB_R4kTdNJQfaSvuam4Hi}f8@see~?M~0~jQq~@S$7RlXc=z{^Sen|V
zbXMk}muz+{YVZgW`6rgN8S?`e#OtQD<TmN5)mo8X0l3q}D@wGtCUm>@FmbQs&RZLK
zJqTD&|8K_r=(H0rpT_=EQX%-G0!btd_bk`U;Pme!okBwGaa+{1oAH->^st{iSWw#<
z-`chIXrOP8eX`H8`(^C;$q)|x5net~4~DMAZ8>BAh}*^Q?81hl)>`Wha#($7D5fp7
z0bwX4i(@pAYYE;-QqUu~Y7S~pac%R~_b@lUOdzIg+G%8=2<6{|*Obh6rba1w@&$hA
z^Yi<4H{YP2HoOW!yq+%GBK7}{jFd-|WVc07JNmfIk+?iLGCW=ppj>UT2??D8d{GI@
zUum`c&uPGXr8L*yw0zyPH2V-f976C4G-&@@rTNw=^MvM@yj;tIL7L7j(6tbmRWCu)
zG-Ja#e>pSz_xqIRU-I+eyu5M16?;(Ka@sutl3h4`0m{j{9^oBtZvMfjII(ufYUQ9e
z+D7#y8P{rk<X^gyWhm>rHN1DiN=Z5CnT@7BGvAKdJq*2i8z>g?sn*oY^@>u*%Kx-&
zHR&8lz+vA_Z_w$JM-`5a2$)s)vOV?U7k=~1R-!_5Y*zyJ%RoV1bpvQQS3yla!&}z3
z!!bKd-?zd^+g=1}MEt&noGUN~V2LR6ug4RN{e4B7j!EFW%9;m7r3U?|abnuKRhQo!
zFz=cQ=%sGvm@EgAb~YDi(@69r*3@4?D!-{u0th%1ZGSzRWxEvM=vIhD8?QfDIp?(Z
zcIxh0$s}xId`QbitVFl;#f#;0-{vSAvUzx%A;sZ@O5GoffdAW{4gS3Q*>i6;kGs_p
zF_Q>EtCxHi8N?{P#wc8@?1$I%G=UnSV`X+7O@KWzYqqI6p|>;(kZE*CRvZ4sO#HDj
z^kh!aAl2CRz%}t#Fnr?O74bjP#wk*cys&et1DKPB-4Y@~L4M9ZPv9YH@tnR+-O~k(
zRfhJy=sQJc0C>x>vackNE`Ae-tr_FdskYw4<@^lME}3DY+3#ekipI=|I+x=uftl4w
zE%zbiaAa>#wLfd`xbJZb{+(|~w^<@cOE;+MHh6NfF3JeA_o2+$7b0(z+WF^jxZ{PU
zfC}<a3VvT54_@E^CVsx5KTQ32a^KOqo?Eh%C(=maBA;rZv%}V=tuHdF6;GNLwr=iL
zx1G(T;d2?7QsGYng!$!-&jIS@BxZ=BDUm<>d|Q`A?76}MC}NE&CYPNuo7Y=*nETt6
zOH`gLV7AG`ZFgQUCPM|)y>}{ahsGZe-Cz3h;v_Z4BU6&;qX+m!JeSNK?x&9BR2@+M
z?7Gb#%Y_#&@4jNcZy|{JFP;c5lEjWI&~Qu3cp!>U+OG#Uw#In~gi-myDfl>x>d*3M
zhxCf3zPPoye6UW3vXFC3K}#`bOuTVi;&aecFudAyOJ8=Mj;J?-J7bu6jRn0=z9rDT
z5frgRja&duq2Rt)+HQ-TRk!q#{ds~fQ7J~AJpMU#{9pZLpp*6G(ffFcyHNROl+tdg
zvyGi?bLEdiyV&x|&Z1t$T2Amai;%cXA2k-*a4cL67fIjDS_~Y&LrDGX^22f%nHZSW
zZF>3^OlmJcg7Mg{SUN32-p^G;bm@UVt(kA2$t=bt<b_{km6VRKcmInFxc&D-skumW
z*}{vf?JWClaGW5UQ?W|dbJA5bsvKvhLxuA|8`XfP!II!N_xC37VlTnf<&iemTh}j;
zXBUkI8Oqzy2}S7rx3*t35LBcEsKmAy=J{xAqc+*He^e~ooKqt&0}Wc(@QJEyq5_&=
ztPWAkdv{|mZvn#X8y1{+P@A=zZm9p%%NWIsYX(`)WXr!TDe5OhtTNHYPyZvo_9m>Z
zXpnzpF-PE7LY|=Ppa)4%hfToy{es^IYMasMUSB^oNVE6~{$}#T(5YxpWdk6`cq{mV
z76cG3IXD*NIWL@>y1_u;+lPMM)?A?4mwpMf?CRqOVHNTEiLWozbwixqKfCX%z2!YO
zm+gJu)!zv_rEyZo4#OfwZ9kOU5=@g-6{)E;ttV@{8k-_osHvu$EPKOrYJCT<v~G%4
z|EpqAF-AasXmtNFHp=<^2)Evm%9hX!%@8wEu!ruMZc5v=s|u8#)DsWCmIU>}Ifk)@
zZ82;)WN}}eI5+;onL9><M1`L1GW<#UbkIk`bZo7S#M3(-A&)Nf04bc$IX1qG>1Io!
zfua(exl_9cw=wjhbOkt0A>!}v6S_OgYsT-@aM!BH3R>+x;e>~r<r8P8?g|Cca96c<
zD3+9$S=+h=rL}>(xv_ky@x$)g*Ez-?c(*N!U_`W6N!mLBBFw@CA~#dx2ueSGrFjf8
z+*N1hPTXYB1QXMMI5b`kwXimSKlNTEY|hZXjkhwwvA5lQcc074J$K8!y1MsQ3ThHH
zjZ(I7>Sn^y&S%1x2QE@L2qqK-mxVulxLDT(TwB)nCby^b#pTwUAqUmvlQ=D3p*-pT
zhl)cfKbPFL1RTQJal09ci_u-~1%084yQC6{6qbs`(?j)GdLBC7_=0=77a42+y04aX
zG2m_Tp<~8;>vnwl!#ohjU{0F)H>f=l{vdk5<*lysd_h>PBYmz|RLVlA-vE}4LQ1FC
z_k+qP38t9{(VtusldHjR$S{n$J!ftyO)!8r`c&!Ql)mzng<p|97>yegl(M*@p26M;
zVUmKs>n}@PF1I*2a){<=F2ONirKf>bbxL^w_e!+g|A+Bg5W}-KT5n~%*Q#(|khr}-
z)(MnYx_h&OcZ?&v%bxF9fug%<#@+15i;KHa=haE=VU_&TyhFR5pxtMC2thg$HO_~U
zI7w)E6)}$+v+AJ}PL53WLn_cIT&_U>kH$gx`>iQ+IZ6yy_1||gwp9!}13q83cJ?g+
z40-0Kmw-U|b%&zF>#Iw30bmY)zg%e*V4b<UU@6}8$;@kdAr-&5J9Ct8@Q627HLqIx
zUQSE0gJ{d{T*fwXib}5ynO;-t;p9N)oMq{*ew&*qx98<qXCN;pTIiwi*Drv<jX8;b
zO<)h&EwascRlM;nGJJ7Efi<6*kRVPx5;U{mH=p!_ni12Axt}X*uwD4$hOAG^jaAE+
z_LU6lwpo9gOXZWa6VLv5^u(E<W$Bm)qDea*0!Xb+aK9G0CBrz$L7{Ga0mYF|k}K;c
zm|GQWtkpQPNgH%&`LA7!@hU4R=Dn|t;u~-fG58w_<rFyBtub@!Ah7Igv?ng{84f!m
z8@@!;>c6Ff_%OVCF8*G6!M_BZ)V2Wn!0!1X*UDEftau0`OD`Y}sm!NLYo~A==A96n
zI=XIiS~TL#<*fWB>v&n|Rf|b;W83T-cdT!&5Uu}FkhvQhFijX0EaP}YVNwFDdn__*
zj~hR6DPYStT5l?U^)v8^3qX~5IYdu>7(JvLBT+tG(E8o}6?Nr)z|n|=_p={3(Au$$
zec=CQ#$gNX+k0NhdeW>LC|o_Q?I!}#70&pP-QT(r-8Zv=W&xDq$l~b}9mzxppRe;1
zz*}FOBaItmWsvE{hFzX4C5j`m1H4u}vo8~O#EaT;6PxH0l<ln6IH~U4*DWjs%pyw4
zS7Yd7;20#D5ag+xJ{snjmXFjE2d=MO0;Uv!tzwDKmP#$Q;?<c+w`ir=X>u<{&;bsn
zaO0Y<%gMFk4K2w5?-p5m35QTr=}xpEQ==r-@)H~Q)veFQl;++PH%!-Wa8o1W&OSTz
zIC*TPfvvcd%Jf~0d0bZ&FT`)g>$<UjV?8LkFP$HIoX*3&)&?DBrB6&h%CBJ{%lrb4
z7yWuWjwGb3kwopRGA!`?KiIzV|KM3pN`2<!l*Ya=^FgXjJF<D#e<uXjIVk|r{S8Zy
zc9(08y7BY*UdG0|mm;wYsyKH1o!7m&C=CW)jRSWz&z!1o?hJ>Y0=0EB{CA1Gb9-+4
zl9F+`7W~03ET3!n6w=QIdSrh!ZY=L-Df^klO5jC|he%p{VLl79^*#$vHa-grUgtDp
znaZ&xQ?!mbzJu^;@y*5Uo5xq&&_vp?Gf~2=U}(6RxH$>2F-4W{QvwPCGw!5HYuXT(
zKwpk)iib1Ch~K2I-?GQGE_M!#W7Vdm1YUsO7ZCL36^Q5v$_0HSY8OI($+3P3mZ-f#
zXPXoPnr3`^epWS$>DZ4*Q9dFF>U(SJqsdS7c(*{6zQnKi@3gtf&K0FVdD1sPm}%>D
z5lXlqB4&Mcu!M~EB)rQ2wHWt@FP2e}L(fE-$A6!|f1Xwp%TIXadm>MRRv|+S7R};m
zAFU|Rw?+OWark`BCv%sVugbrKdb@C+#Th%h6XHvh&^q-yyo=CtrTMd(^Gg}esBeWI
zg#X*-qZxbS3`B36P6XjS2rJ%oHczd?x+63PuM_{Lvog0($O*dv@yrRCE9wIE{-%wp
z>IgoJ_+>S5>_!rB17RbXxd3Qzv&j(BvgQoRPiRG8_{$&^rH3cy?GL5uSeffsaYt}o
zO&{Y?WM95IwrPPK#p=Fh4yiBcrwF#h<Ku7KNn?JxLXg+-r}lfQpLV=?)*M(&oL$O8
zS4Kc&bEjb4cwi&S3$h)VQBODv?iNi|^1f!a|49(==W6A8isr_f{Bx5jo%Y_YIInRz
zQ`o_o=n>7WS+2@|=0ObREFWl=lqg9+S&TSB?Una0$zgLPU7)-eldf{yc>~d1cSuux
zS+04F^_POo9@llF6^eWJ9u7B>K8E!mzgzgnI@Cs1rAz+lxUXq)^7mm<ZuwX>ELL-K
zD-HcBt<x<IQhV5$+P8ItSHt9N11=<!vATv`1edb+DugwCr^-=Zin4{%OC=j7?usLm
z!|Ee_unP<(ESRbptdU^;nYeO3_HYv}oY|pc<YO$NJmt<t7IvoBQ>6zmO{&p8wJv3Z
z&7~ZT7{CtKTOInOKMsqQr>to#&Ng)dZd*x#z3KisVyM&i#MvoZi!%<zTG1&QzF_d7
z2g?9vqz9yD3N+gq$dGgSruD$rs6qC_{Wzqvi_tXP{+J`?PG$oeZ#V5cv%#BS@Z@tn
z%gA~qllwHU7PPZSNT7E^-bEn7AT8s`qqW^LP!~{uDb6b6h*HYKG|q9asj91fE4qyd
z$LxX>z-wCP#C2*>7dgTb@K6Ou?@*<{gq#uhsA|UbBJM(umWlLPWE0SmjE%7oI-{PT
zrn?xm`X6kAloD!Ss$N~diu?KYe`gP?ZkO+a_SkC9^@Vpg)y~0>^8qlQxGJ4X(qk5$
za~b!Lz0-?V5AN0bbH+Dk?%$Adqnl$y;k;L*0wsgvMLcGVS(-_G{@3Ldt?-FI7k>Bp
zM*dZW?A4gl5hstaM(&BsrwEFOC2UT@QS<KpD6TLs?I0Fs#&J?#cB{Bjp@9A*;e=ky
zFGt73d17T9szWP3D+3@_S-qwJ73yZb258tfnKlIJpy#|7mAQ`+u)LFhKN`BsgC=^=
zPuksIJH{7WIkZJNHY5EI3=o!!9<+3N@IYX=isVc#<+oR3{w587-A@v5E2an`$yb6q
zrva?^uCVPjG-7atp<$S<ea$Mt<wcCIzquA=YCayY?21{4fakb6M>yxTj`fI<nRLZH
zW`2@S<(dNMq3M5Q#39xnx28rU_h`LxI%r8ES>Eh&C%mdxl|lZFvsrIH!Efo6A6Zag
z=99R$YjzsgIv9MES4a?TMlx9TA+jhtikpAz$z|aOJy+BN<3TGiZ#W`}en%XGu`)7#
z8!Qdp{RKbIO}V+bQpv9W6JFRC+XqzMtwVFU1K03I{y;~uc#W-AyfxjV!G**4-4vx9
z*Ga+Y0<^hMVk$pq?E!MUM)LBRqEB)CZ;=b%i36VfyD^!=<FoVSRKgKC1<=o1K@oE!
zFM8ZSM=>u{v8Y9Tk(B-qsH{uT#>QdckLI;h_s-V55ccJU@YyC0&kong3KME4e@|G_
zzcs(icALKHkN85kChtzmys|&F<$pU6O<Ts`KR92Orae9PlExlUwv^LwY@SNb8E^JK
z1+40<%i4g{Gs}t|?c!5kN~rAB@iA`BWTdHw@~}eExxp5J|2DAT8A6V4@nAT+4~A%u
z7UfzeC+;(+I2P&Rm<TCV8Ebt!H}wE}%5oK2Nir(Jhev9MHi>$K9T@0W{wTOs(weiH
zFZ{268;2@i=7m?|g?eEZHe$}!4o6YbNUvCj;Rlm`Wk&Z%4;}?lrzw=F9nGc;4JowW
zkeVNcx$x|JqGqMsCce=xdD<a}_^hDlnpz~`MvqZ-CfQ^*@VP&WE{Qe7wa5%sK*hK(
z%L<tKLU-A)n14cv$gQE|VY%y8rAh>$rO3iAD$AvF8*^rUg{MkJ{zh5zc{?SxV@sNU
za^zDi!r5jLZE;-}o+(t``KMRl=)9dzTz>wp2rHg{!_l>C2+@Bgd+o>-9JxF*rL&fy
z4DVTFYi1$8b`mN0Vj)3dcn9lcflxn%e}(dv{lTp)qmsGEtuJhWTpD9*?(bs1kn393
zl@vl=!#q_h6TU@DlaXlmY}(|<VZ}LUv7us`_cgRkmZG63npwxNH>7XMG*avGYtBpe
ztN5+os{bx%#yikvc%$1oz`?tHeXG~sAwao4ZDRB5em!EvSl-ByZ|$WDC2LG}$4*`8
zIM$lOVp7t3;Mif|!Qd4`{Y9pWV}B4y(5gps>&KSzbJCmd_(wjupiAg>1i{{ZP{ZGb
zH$GG2u=7}HHEwx%dBEyGI-YNIQT)j@Nv{vH*j6!u!%%c@N##1TwTlg(<26^mr2{xw
zNdA|D@f2U~41d#N^cukME$aRbEv+n5@q!?%k8?w>^<a4lW|-fWzzv93jPhW+Ks7fA
zi12l&-Xcg5>?HIJ^K7N;*B88D;I$U$lG-?2e0fySS<U*2!uwY2@2>{*)i&0i%?&nb
z?qcA)jI&Bvi7IjIoF-<MOg4JcAT^Cam3&x)m)u-XF%xvOyp$D~O!1HTCI+)s3_huy
zA&eQA)R+dTlLwZS-Npwr&rLNsa=R#VInU%QE}kko@@y%qM;{IwzaKs>sNMJ9qQix6
zl>5$-_tp9U>p;2wt>!zX*9~bt5Jj;9RHm`hJe;FI2D?au@&!yYC}ryEEe0qJHNRp#
zEiH=!y^gs8cO~y5nh5us%;v(;$^L)CmfHEO9va>b-8|szM#)gG&_6+65)g4ux1=T6
zxm<UfhX9^2M%WEWvhbmJC4H>DW8Xp&POYiy(`s9XU0Aj$Ds$Y^`EikngBjIg_cGrf
z242I?C{35Cml6!TZW<Ac1k5h}tB>asGEbM!i?Uu8eZXIX6shjA2KI{t9rortB4ppy
znSs81CufUI!J-&=fuIaQ7!-Qa^_gw}XB{kxFjo!d;uSAvH;3*bXYs=alDY@4<~#SN
z3P?htV$JJRarGNXZf?hCS^Ym-gKXLY)FE1Fu$PM=cUD{Wj~UVhV1>{aJK8+)oY)S+
zy4rzQ=$5y!^2b_8y>DlWIH!GDHJio?$=_oSt71;6vT&Hg$8zHO9Skmn=9w#vR0kgi
zN9^P&+5<apZx*hNt1OF##XaTL@>j-rrvwJUy0)^2p*n@XC0c9c&HDpk!`XyL`Uj%z
zaz$R!{6YgoEhq&o$A*n!>{f_t)5DN6g^k}z^3|0hYxAM7)WJbHwK!NG^fFoK5{_I<
z3}2h3;K|%O@ZZ_j)W*_KUt?+%@qdpWr$Ai4>EuYO?cd}!TCel18C~cAKhJnCb>=b8
zz2~F1eHKWJ@=30)&*_3nx0(lgtocHL+DS_7OoI<-6D$3^*{?WSKYy4*UqGX__T&cc
zb2X~C*7OML6*K3}V6~?1<oya+#QT=MD(io{la#c*tz{3oNlNPNeNG7L*+C1eb&f>z
zogYAH5x4u5U5}-PT&hqNkM?R|CGCi5E`9x;(i6_<AD{oEaG_1dJ)s?>UwjRWZ;>rS
zouf8gJ7)Q$PAA#iG-tr?5#1u5PPo4Go_k?XzTPVpavV!=BS`+zVt|zR7IoAqqeYda
z)7AFuTPGCsu7|qLszaevyMouKSE9imU6rz_<mk7FAbi)RSkXoW()IUB0NhOIGrky>
zlyv*oe7)xzr_Ci_I=YyW{mDEfOP->{TJqf@+1pSN?guoR>yhQvM$p6QI0WY?>F-!L
z$No&+UZEpzXD}sSiYF|5TWOTw!v&IWX^A>>Le0M}2E9m?ZK6-z4<hC>{|9&R{?KEZ
za&&b4Uijf-b+GmbETJFmZT!}sJ-b`ZDix7DOmf(cJtF?_lDi`yee=QLbxY@28ML3U
z4zfid;+dO0It&gKnjRbtPH}kG2K5GXUS?Sw8m}OCM|jqCOk;bWN4U+XM8yZ|D)+pP
z6d8KJuW@-C9+RXdK->hbXyd*+6%wf-x75J-?R>eoPf)>#3q}yQIKj20gS7O8JHX@q
zWreeGdBSxs_q6`UB+6-+S4L{w&Pi=m!u9$m-OO&8$4ZnLheuO@3V!EKcx+Ino8+i%
z&Hs_np;r|!V&}(H3@9UR@3yX_XpZi4p71yZ8veCbCCcv(@H&a<bn&@~$y%R09c0iZ
z6!d`$91ynb7!fXef;bhpS(J~j7<r_D=-jzZ!dD=NffM1)`wr9+&vdT*EFOG<z4AnD
zMnL-!H-^}h9S`RzzSJ8x52X?DMUL3$2jSxn3!_YFJkIE&qZT#MpW_oYbO)!q*@@9N
z1?$;S1RL4B{9oXk_}0g{X|`pX=Ik;&XBy~|pLxq+5Z%pqlM8t0Qvo(RDWpx9$<H+Q
zpp=hs*3E*r`ptrt^yH<3s%x2#TA87UHge$Ydf2W;kK3`(a68`#VOwtP-(BY)dI5io
z`*4zgIBg^b{-*CDJAPMF2<6xFjh{QFhTS9ygnrWUv1RUk4E?R6;c{I2_quJu3MSmU
z7{oytbG4$vF9FKuMk1{_moXQ>O(Rg#rSx}2#hrl3oaZ!;tX*?Zmf7rtC>UtC0MVe0
z;FtG)SQL1n`hNbh()h0-a4$;j0QH2>;?vI(#zT(r8hPR^&3g@37|(grYeqMTT4Mmy
z1BQ`3;p;l4tA(Hykry+B_P8fhR2&ggZ$`YhllK|)VDLf-k^J_}-<4`>kw?-)tXS3H
z^tr7+Yx5fE3=yj8Y24+l<p%TMK{vQh@;u=gp+S7Y!oFn)%M?lFJO#!tz>Eq{mWY;A
z@}fk6rcR+BAY&;{1eXQ;E}DOe^yWnIane4>x<7qG9hCbV>=uBUTz`!*T^97*8eCMc
zUCSyRNri4kzEGFB`>D4wTkh0ztoY_@^yR&VQk<3lOBjHp(b}u9vWI&crRn0ON&E+3
zRX69tc3!S}p{TlExWy<1dpBsY?U*3l92Bq@3aVRsMO9F`x^2|+e^yo?K5Hj~y<B3b
zUajO`+Rwhkj76#GR|@>?*}~DFgdW5@FO#>GvbQsIV|}X0QdGbuB5qk(u-|pLbnRTY
z!PzFK>X;qul2xbXj4$vsX14k>^{H`7fxXpv_p`+y!^<1RFx$zzi_`JxHx^$4GgHj~
zB!;=xpV-5;^Sk|2rQr%c`H2pac|u?elg|90;C#6wk*tE(+Ruz<xi&4w>WqP}dfKf%
z<Bv9SeLh@`!}6-N(nC);_5M8jt60W8ZY)kcvCKxg1ZVR`vQj4sfggc^LK~1!{+8&0
zU#d*YMMQoWx?@eTFYj%_U5SVRMBUxx-xWcSn(xyp>XF>H=KL*#3UL>6grVu>rk?)`
z&_FN0c=L7Js5*mdI(CivLe}hJSLdc4*Ur(wfk9t*?>5k(y|TuhOZTtn(2UXHG+mf`
zCc-+!j@R+|^42#UDC^MfLSfW}MyqsawKHH3fDUZ{bZ9E_K0q*Pycwv_p(TN@xsB=2
z@-M7HbH`*VG?%udLd(fDXzq}tL38I4UZO#p?+Oo54cc(nnhbl02F)AG`IrXnRBk9<
zNX4unr=|Gy&ZHyawrR{`VWL1o2y|$7llCRh*g82ycOD&@|DV*Mg(?~HN9UlmX{00E
z-DU0D<{Z>_yBu9%t6-n^Z#h<0pzXp_{>Z*9wDS}{3<@+~_~`M>QjaUNc+J-Rx9o_r
z8r1)To<gr?{>in}OJ~^-h0X45G}n+P7E>pDz65>IR<Sz0<QiJIhRiipMXy2T&al7Y
zLethv4mUfKNl!Gn`GFz*a46{Wga^B4FJUs3M3=1g?^Q2Y6L=f3<-Uy25K>%aLWms2
zG|vvH22ASzA}PN(`lawTnz|1;P>qy&>a$X1)Pfk!Dn(@lsV~xss|sz1xBR<!+m%-q
zKlD>z0KN7C`XzoIu3hCNLxY0^%7ubHt2c`k*S<j1E@&0K{Mw(m5^pPh=t@D8@Ou*p
zub*(YB%8ci_#hcUQ4~Y+oT%V*!<^%oZ%LrklF*={YS~qoE1UM#hBjx=Yl?^5ou*;$
z?w;^y+HUrR-FihQA;&|=`fi}VGaikY0||$vFO)IH2BV&ADwgW<00;OyJA&VUpJ$p2
zpwUNZ^hpkUM!vI=e7PNj#+Fjw8dQX{CXJ%(x>m`dXE$9yPI9-4M;o+^*08J7G~!!H
zQUb~A^UGT}LBT#kY1HITI?aSq!B)XUj27{&=rPh48dxo8f!Bi8r)e?h<0i$`q8Z=%
zsVlDd6zxmoT>Lt6Zb)$h?L*}6H`q10@eSyV@Npguqe22}5Rda>6+t=8uLwm>Ibu<<
z(H;)s8+vmu9m!gH6WHtY1nG6g@Ga=9@F2gAn&-gdrGpzQM#+A55nDLm3`OxRa1C-n
z*5?U5`0a$Akm4pvC;9sghLh{#4+#$v{APyVT*B8bKxfe#1&W|^PnR(KA@oKR<`_Gh
z9%HpD2gq0>(aVfyBIj8loGX}><_B)MC3W)Tz#Ep|5WM@%++U2G{~VmJfb+@!X5-=H
zl~*Qj9SFSn?%*4i*%+tS$FC*lhZL`%bdtXxVR)Y4Z({f@48Miq2$O#GEo{Ld7OBT<
zh@Ag46f*XkZ!IsA-|}<F{^B<No9_^xOJ9xOc#Sc9$9LxEQRzJ4&-Km|zFv7=!+rJ6
zYq+)YyrvUy9z`%a4;#I?rW4PT#GB+yPTzOy()VF@J<1bKA8FT}()@`2Nan{^N%hWo
z%v1!u96Rx8q-XqZDe-@u&g@;*q*t%^Cau<_Pp|hSU#|D3osJHl!Qks~IMaST&mnys
z{^i;uRdksNU21&x<r5P~I#0;sUkazlc{aHpFV$CqqptKLAwM}ufMWNW1%Gwz>qy70
z-3-?@vUN{n>mC_Rr+$9S({b^omu9n<UV3qd=h)AGIW&}aM64<mF-qr$hS>cVNZos@
z@C<5YZEoakHm7h!k=}0(O-u|;_vCUt_Z>U?@|T}I<~jJi%P#xgLHhgn+9G-$e&57@
zFDq5tc#{2gnq1{R{!0(L4*mVg+Hvd>9z#lGCT(fpZGmtxdMzqylh?{)mtK08xM%2`
zZ;0i(K8}73zr*mm#`5pz9*w+0mtOkVT|>e%L;rXWIp*Q_E1)>}U5+3H_B#*Tvyo4b
z5BousDDP=_AE?;TNC4S^Niqj)YUme&{?e0jwTYtGWbj(8UPBZ4*yc)k^5%fG!Q=OP
z8ms~HU9Fy6#GZ`BEgHK~GpRA!G}d@5X^-SQtwa7~d~-*>vsuxc&2?;!C;jw!v3BDC
z&|hx18S*KHX-{VKtI2y<qMyfo(1*$dL`dDu`ZU{NXN`QTO#y$XlF+<6UEP?p`!0#d
zT$T{onU{zxHOZ>6u_oCymQs`WxHy2vgfByFb?EQhbB?ZQ`mCt_)#9(-As+q5-SjuR
z)*8|Kgx?^M^)X!PW4f$v*TUb#U;e{FFeAC{!g;PMX7y{oUi>w`u26AZCBL#lTGhyv
zMRxUt1)Rc<6o=1!4?j`NQCd3iP52eUSCIx8<Wdm55BVvZtP5E)o#K_@S7m#T>MvCd
zsZQvR^=9YrO~FISe(M!iSo@QQf;*%dO&`Pek?W~Y=Q`O>UrIG0$fA&x=~BET<&-jK
zCgN7X7}h_kyz4IIzQ()mYFrXLjr)}M+(W*dd$#f(Mr4rh;3S&O1$vbNT*}P;u<OA!
z*>%Yko8S1xW_oS-MEMw9dw}e9K1xQ*BpZ#iFKSs|jFV5D(%MWN7Y8xlcjzm11Pa<K
zL+jn}T?#s+BsIYufx@WEZ1&T?mP7eNo^flp-ye+hPxMEUA(xRj&E>Ya^5%le?~e9Q
z_eT?9wZ@Vf#oHZ0mtCj!*&Jb)O{eh{ry`+#tKDO<cpR?yU^+T#@@8CJAyddaW3W3+
zX1CLw7)quF&DyY)^kfs4A3uhlC;LW`v?_SMI(P&iyD{2>e5ENuhhMsSCck$g92(o*
zl~@v<Ip@Oxd-rnBz}Bp}IEi>)#0$JH+M$<|OLGTaDJECy^;y<8SERmAUo_7sk#YY>
z<nxf?TDIn2%Y9{u>??YN4-)(o!%xw84(WX1?F_$`<87t$g%?+xe=R*92`nGTTL|t!
ziL&P1OPlPKWM~6~qtO(&VJ1UMVWYxXTJ6oi)hC5Crn!j3^GMboYHi-%sInMZ^T|N3
zeK>TuJ3gIr+CuSwQIROg*55oZdV$X43tM7D@zvLnG{^db;r`ATnQ%b5rfUpB*d^RY
ztre(pWy!LYg{&*WeS_!j;58J;-(SPI3XnUbwd8e|J|?UVo?ApnTDu-6*FDA070YWp
z%Yw7A<I=ov-?=+W^Y-K9y8K+3JdoAVHEKtGNI1zZEU-24O18GCSgzcrs#TH2#X@DQ
z7S=DkY?TZXLRYZm=+SSd(|olgYaiPOv9)6mu3Nc!G(c7(N#9kf(OOzXy*hf`(9xsV
zvYJlw)s+0@e848UrdIJ+U*a!0{*j^LYZxD}iLTpK{MDEEOU}J)sJI1W18l0#-@EWf
zim!on5&asQ>ht%mA$%FVEV)j4?a#u)td?~cO`!2w(dw>pIvY^BMb1k5!%pI8+#@06
z*icQwYL&wa9Ip;E!dH*JXjd+`>qVoZSJU^aN4pPA$70imy1Ng}#9}jtMk5oQPIqoR
znC!PC^#OCXx2MAyGlU&OE$JQCEi7ESJ(=8o?ZU!!JJMaz+2cb)$7UjtnPWpk$7iF<
z_Uue5F_p3VES>H8@vh!+ldjwBrreS7Ax|38k7_28!#u?(6}zJBQ#bk4CF9QdIS|&B
z(?=M&I1)d9+oxaY?TcG&@m_CtDi%*fQ|E8;0ep$ZmG=6xKHahR`9dBiZL0(Kks5rD
zv$p2YAj@8uBTH$FymB;v>8vDd6NG$ok#8+b|CS|Z$C%bFOU$$dhINqlEXCL_JIQE?
z@f>WVAD@p6IbI>fOhYb!4^KxXb1qkIGE#bX=ffsbIPdo4=zA`?)tlD0Cvsk&S!dAc
zEx6B_n@J>Qb53V&Hj$XgIpgMNkKf-LGn-?*et%EY-1iliU*~GtG%|8Tt7)ZqF+_Zc
zaINqjy27yNPCJd8PfHdDI|~q@T7EskV3vlgV-Nr><^L+xRK=j-wQxI*lv`7u^GjI*
zbiCL!O}InTNBGUg1AB4vzT0=ltqN;w_jI#jq-R9Yj4%29)YR{B_r)_a7Z<;}dg2qG
zII$|NJNN*h`NQO?^`Yws&3%O4XqvneTF@EVRZF_SC{*Ai`w;HnE@{ahL=LV)r;!+a
zJgs$s{4xQ*Op{;s@u!)lT2+3840ZloC4q%Jtu$s5v}`E5u_UP!YBczckz7m{GlvX@
zgf%#rb><8~Z9r#eH|i5EuhtcR?Rs7u=*Z{{t~O1xNfix7@+MuUs=ZyU);1YhqXE6&
zu2rvRlz?o6Pj?YM=}GV0v(E0(T$<5>Z1gH&rB?C;7YZJXNeV%cZ*f{s@(k?&()z8X
z7>sj$jTSc4o!uI3>l^p)p6-~%8t-;{vTYHSP3K9cJO;Za62q6sTcu_(5rYY{r9G|I
zbY;7`w3=iGqB~{Mk3S&1hvohbpyRb#>!g)lSZht>lb^NL!Mlu!x7x(JwQxo{)-3DV
zz!T1c+Aa6$q~XkRlhA=&)!yOb^INyfxU5Ujh-G~fareUf;^w{!GD+6gJJ<Gzy~1nB
zinIkCMr6W;^?8EozImV=MspA!pJNTPvjEHoS=J>#>*Yamo}Kmb334pXvtm!P<^;*7
znVM6!pGf8Y3Wd3uhK4m}*Uex&T@H<_3rUy>zhn007xYbD{kENpH}2{P56%bU{Yt?+
z>M2Y)yQULeHlcMUZk;oy0w(X+@u|^M2l`S=mkh+Vc<no{ZV#DlCa*2(Z1cV+wfFR%
zWB0shq;vO;^J7QGeW8#mv@j9hHXhGJzkS5sIhE|WU@nnAeEW9dhZHim4|ig}#qm17
zD^;*YgAxyaD*Q?K6yex1x)^u}{9>Obftw4^IV2vESGqPIC$%s*7%yjlm$Uy{UTScd
zG80O>;H!tPTFDJv^6Jf#C$}WL`KeH(vr#aPdOL<lxvXfXRnW}DO}+Y%$KdSWJJfgC
z_O96Eo~(D=?u;yT=>jIJ%G7QOST%NMXwx-YcfaAHp7^E{ql5d0y)nNtJkuZDG!)K6
zA3SJIj3zSM2LtKt*UgO|7<9I^^&8vQEVfhaT1TwY<n<zf`8EDjxQ%ecjjpMd52_QC
zfJ`UJtqmZps(3b+HXb^x<5H%c?{19z-O6zXKhH(&?KEv5du5gEW%RR`pNvC2Ik3~R
zuuZ#pw`sz7m3iE_v`f2fpLx=JmBn+l_UbRr-#q^j@*jEo;upV&+itGTX@&$^_W}P(
zP|-@=r02-v%2oBkTOl<pPyDLl6|Du*iIn_XDFvclndO1TqCQLGEtOx?-K0~S)FdkU
z%zd}qcTMoV5LWl}M7Kp_%f%-I)ww_2cq7z_$NwX!_<Xlx-40Y$Bi5E?v%oyo*`F?D
zA8#S={(rsdK^$-WOnk23PNaJVy?vWf%cJ>pCObA;=s!6ts9If}LH`J8O@A)Z8*Im2
zL66r_e0wl5U8+Tme=e9w3wqY+AXN2gQG@Lm;-Bj;GdPpmHxY?VAIN8y9Ydy+dwA=@
zXdrJInpFG8kBp5Rn+ir8lLph?tvmMEOylMHvP!~NH8P-FU9OgGkbFU4+|zTORaO7r
z`sU$dv!uZKk%3fVanoB9g32{~Xl(rOh-YQnt`9)n&-=-JRcN8kU7_pA>Oas<g?W`u
zWx8aWR+ascbWG-AudR5;Pal2szXjFGHQP?FAh_?ntdIB9yRR$-P9x6?2NcNeu@&$7
z`D2d>s{JqD`3(fm_)p{+d(ftT@fj2EdR}?_dMch;nEzG%Ctt{sDZ!}0c%bLdbTl@5
zxTkNcW5}2ZOl;q@l(HTAn(H7u{+MmTVA{81%YMU!TYhWzbAAY|>^W?%!w*o#sp@17
zg(n4bA1m1>&$7LB^;@f}-x5@hKYs2{Pd^RM0)2(tTddM3scIC?XV)V|ljy8~z=!8*
z@_Q|cZ-CcSMh0&Y6YZ(wa-`ROX<*s0=*jv+tH#8bx+C3Fh~)83GHORVoj|8xVPoXT
z#(4zJdDUZx+O?Y44ukb(?o-{uF<E9jC1ITS$s0cSrBipz2&y0c@J#Vb&uw}O@5k>G
z2+L9Yd^AB;JD$akT=GYPs<^zr)V3*d9Vfc1&UN5%R}YYCFD}+LjGR1%q!}sMCq3;G
z?30-vCA5Gj$uq{cVLuN_-g@00pCYj9T9PTgK~QvTPwYr5goXxDQ2qA6f#06{)7SLr
z&b0oT?|ttY_Tg*19f++DyU#PO>r60Js|R_QoaQ#Rj&Pdw=4=WNP^!hS--QXWSG~1Q
zp=i12%6IfB8d?Zr|L5x1g{d!``x91Q9Y2<Ol<A#VO{17#uIaa~`rrGlr@Hr!1%qRI
zy9?5LVPJZCU}$Pe9hy2iGJIq*5S%zNJaTj@bl|}9);)W+E+3HQe*8PaGYvA;oee>!
z3;DLxFdG_S{s*Ooj&A|BK9<_lOJb2XC70$d>+T_aR~H^mr$%Fj2XN!gWRTZo+9&i1
zX6D~Bw=Qm8wZ57qyT1?a-=;0;D$L*s)5bH}1S>d0M|-6=P@}S(9X83C^xrF2I(A)D
z;@*Wj^rNwMSF5otvv7DPW!BEazuhsRyYuoAA1}XMAF?+nwl*~*SVILtMToSZ<$8RC
zXIs;;N5}W0WE!9*O%PDbG8S`<i4My7e=)Jx<L&9V`MN7MO?DT0^Amzf8yrgY%;~@N
z`Ojl*JQDLWz2N`gF9{ZuCK9_m{jBN*eC{*|@vQt*ui<7`i2Mdsc{oySKy?ZsH<rAv
z{yKDNxYxfa5hV)i0eeT#MB<3z11p|h`-ndfjrjYWnSjyJHLs3&7o9$z-Q{exwAlPf
z7g6AtBDPth!{x9zG$xhBm-hL46BekA@FhW2qc(!7Zfyjisy4y{Z^0jWGro8K{^ByN
zbw|diNUmu_S-D-S4xdy!{*TJ@e0<U+rDAQt@$BXv*U9coru&4eu%x#2?it0w;&+z@
z2bXZP_`}gXy*8-Rj=xXt-HHnJdXP-eCOw{a6Y$5CWgU9o2d|k{n_3kbgL-Q9gM#WW
z$xTV}?=O7qq`Dx1z{rcX*1aE?HV9y5RU^&o>Vp^wswJqAd*`WGehN7)l~k4U4BdF?
zl?kO<sc14ZjqD#H38xhet;)nj7oHwgsu~oHs-{6f^|#oT82R_NzeTskVq2qsJNKu*
zx(A%j0ry{d{Y&OwtU^|FnLNK#wd7iBI+3MjW?W^4Mk{Me6FEm<pETr?ntd{Ij3<sM
zH%nh`SL<6|dt<)YpjNcBH)XGV-CJ)QP#IMUmA<(bw-%4KlhDFQ`_baL;$JQ`#w?bY
z@lyWmKgZ^eLfv+h$p+dWEf%3?T{^6H-*atVWocEYE$aM>?|B$+y4Kn4a&<eeEq?rA
z#Qi)F{xp+=C*-=L>h%)lgtA|@0!C9KK^oJP0!)V#_8KD?{|aAKT*HcSe0=|S@h<8+
zFYPTwEQAzaV0mOb==W={u7Ue2ap5VzLo)msz#}sJ3BbE#`2B##Wcbs7r)Bgg0q>Tb
z|19ABC44PHa24Pg^!tDO0?uCpJTJSx8t|*?;4hNl9>A}W;ZuNLS4j`>EiCbEJze51
z_}%qzJvn}(4Bra)%`$ue@R!Q&|1{h`U3q^bkmDgX$2w6M?OzuapsFb=TeuZi%|obK
zcvdqiJ`sc~XIo&63i9LS0*zGB;3o<PjmUOP%sUV?5%`{Df1BCf>L9v@tB4Ll?>4Kg
zI*ZPs>-sw=Cw`Dhn!;Xd(~URM-A9AL?rt+0HT{}){GVJ~LG>r+$e;HJG)bHZom>}T
zp{maG&(tMN$i(Irk$)mTfQ*YKutzj;Jw_X-X7#Xd6hIQg%509bs2P{Hz}}o+i520K
zqCQak1=iqKedqrBpDo_|wn6M#{Lk=W@$-CheCiZ=c8q>D7Jn~|Mf^4TOnJNR2Rue`
zLa~eBEu_6>W)VMz>TQL%NXJ?n<LP&-D9oN}oGYSZ5O+Y^OO8T4AU8;PJ{}1|RL|$v
z(@+LnI5$^UTXW*X%i;>WbG^!@GwKg`inqjKn|jickH7-{A2z-p<$1M&|M)A51u|1z
z4#B_3@NGDWN-;t|7ct;|oFqKtxbPI<AsPNG;QccEJAij`oat-W`H%7QeG<MFA-D?g
z4EB=o&ghrnQGyft*|T#Jys_a;P|NjxM)#Mb`5CwH`^j;CB~IJJ@sJFE7Vv%<{siD%
zGW>qPV>0|{z|%7PJAij`oV1_dD!?;XP211UUjsbP&tD|?mxX5lk5pX$Z=xFTt2pjs
zd?@2DsyP35q6hG6WPF<f{JKgyfp1}nZzXzJE%y+iONIPsZ{1yDd0i$l7oQzlAcun%
zwXl6F4eBdt>zcW?j(p;YDq(J{(3kl&VueNiqQrp4WY_#%Qlcqz9&4LJr_wi(iIGi*
z9$OQiJOrKH*KRU2HIfOj+?Otaw%@|r&U9m}FMWmgrQR|wJOy}2hCdB>T84iI@J_(Z
z1UCb|1@|BX=RXU0zwA2q10Jiu|13NMc!c7TZcm5{uR)z?*ZFqvP?5$8Q9yps@=3*o
z(`7ARnriuyRa(B#It%N0^nR^Yl`z<CacfMCElmbXo2rf$P!L)glOxK8ErO`mYwhZZ
zHhqOokk2u#?0I~ZKaUQWV~DO0@C@$YbBslXCkg&Ejl(6^xsd5(%;;F%U0S&!FFD9u
zrI=J%RdGw8tKnHzVT$cN+IcE+J@Z@u69X%1!^<Y<q^!DTvSc{shyrqYnrR`wg<q0u
z*hK#8E#C0cpW>HHO-c1pXerJoS^xYRmr?Iz?WRuF;R@U@;cLGkctUsz@DRtpN$?rr
z8NeeP{{_Lb!V`dZalA-yhj2gOF@9g_759|z9l$$f_k9-det!NS`Sx>R4e&h2XVxO<
zn}Q1P47!ueHSx6&`W;)pa~qm#bbPL9=DQ9v%pqA_g)h(R69cVAtID-H>CmbSe7-P;
zJl19^JVko>Od;|752P&-;c1{P&1t5(-Tz>`eVq5fJnw^M!NS_|1RvvF+?OvR!!x)G
z*1t+TN^rXVZKnED_DsLdpXqC*>r-4f0r&u3S-V2IFTquSZ^4bQZhjhY>Pi1I^xqOa
zvhy>zk<lYE{C<vyl`(o>IL_#m{Vq!IzaqT$dv3RAt;$JWrOxE~0VR{OFhca5`KF6d
zhf!eFEO`AqI-a=9$s#R?hM0KnGU3q{J-&K6^6?)PKYaa2FV;UZGrIrk{qKaD?u>u`
z&gb$4kWZ$B?*QJ(al#LRs{qg7h0^*gAa<Q6`E|17{A%1&i3`sH-Y>(S0X$N|*USW0
z0lo!yAOz=s2k=ffKLY2==ePwK9wj*KM@+BF===t!Gexdbjr%Kc;VHmFGW;39BQpF6
zz`JDl{eZ`0_Z0!}m7V`A;QfF{2yO;EgHyD<{QNb*^Rnx!0l%sa{vsLf0sI;nJ_Y!7
zmGl6A!V-T<bTPlhUkV8!fUL-iqUbb|sm5xq!z@yZS0inJPi<6t#6GpdCkGsLa!iUc
zcEif;lM<7_c@h4JuG?W{7_xs7*LUu=EgH-Pp6WB#6;={W{hr}ms@LwM>gGK|xm1sh
ze*B{DsX%UI?vCL(?SBN+nSsEVe{T=fH+KvKMt!?`sOlaYy5oQL?JxfBg6+BZp99>k
zK>j>T<^=<xdE3S;j*tOfeMXWN(K=}n@g1d9Iow;4NXmj@FstKshsBW#=cv=+Aintf
zpZe5Ki+4I4OPe>lh7XR9Uohfk(&28recP_>TeuBmM)(NZEzWI#R=P_>sD)8yWowQ^
zn-?r2;dL^T8A5KralVe7WPlj_nj3eh+6Fs9(OL!*b5p>lv$uwINn2OH#(#W5ZaqP~
z56{ps-ms-&j925HN?ce2JTJqa0X%{oFct{E0B2)>@iD|~NdeS>X4Yl!P}QhGKynZA
zmAjGG;HB9@f|b>EA%ClsZ5fOu8e9=kS;@$m#6ZYW*g4=WnN4;rg#&DV;MC<hIWx(+
zALuuT(aFPuCELj*H~Dm3W-bEYR24sC!qYG(q-Ar(C4k?;ab|a6bL_V`|NUiL_zvKm
zGW=P<`%CzmncynGx8N|y6qR@ehw0qN@%uSW)^K_q+3^M0@1g{!YX!5zFnYhu=~a^Z
zb6j`|@Q@6D7Vv(+%>=gqz6}wDxE$y0XhsOG^BurD;W`o7`5D~I=qKlk?-4AB<BD(N
zA2FTrcJdqsNxzGL48je+FK9<<CC3p+9-6b{M^KGIs)RybMC;=vXKMIdDzh!|n0B3C
z$M;2iVB^>4H(7g3Nu%4}Ki70blMWU7R-Ju2`Zix^I6SdviVv%U=21hNpTx7M`i`4i
zqoc*I;_2jk!M%mVOic893NZ`IFM|;0^HW@&{w?E=jqy_j_%=jxtJlD{px<&lBEvK2
zw}hV*Uy$KZg8#L`hNVT@>S+sQvmq|!mxJnbO;BgHg?oy%LXixvDWiW%Gxr16>~>L$
z*Nb2L!-C@9_V53<z8_M$nca)^%m3i>Rg|>98uwS?!c%~UWcV|HM`ZXDfOpC8`vH&1
z@TUP!%ji)8-d%yKMG^2`*>#=;ykB;m1mIW5@Jj)|NQNH<{A8W;F9ke8b=-hwaFq4~
zPR|<Pd3rvzJ93?P4E5F3h?m_-N}3!EA3IHwe;{adQsR0mq-++)6Uly!!PL|-mvcyl
z$#!3-ClsvI?F5|0CehKmYpBvznV-)G+uF0GxtrTdZxl$TLsa;u?WM%Jc(&SRIw->O
zP1APBEvTJ3w?)I&Y=bvttv09P=60u1>r{~?+v<vY42^%G=2g!38`*mNlB#}OiF+z>
zVGZ!S41Wgj2;dRQ2f+FBmTatS{Ct;Re?K|D8uwS?!c%~UWcU++cS*QpH)PlOKG#?L
zuqN)W#D%8-56SQ+0Pm9F-vPX{gs(*it^z!Ren{KP&tC&PFT2h&fJY=;vOzLBf57Q1
zmT}=(!24zRcL47!;cF3ss{qfSbCe!}FUasH!T*W`uKT9*t^@6;YyB+yy-<%l1zVe>
zco8JUia<s*4XkGhaM_?WA}eaenk%dlt~qdzeAg=Tk34bW_XWj|N<Name<N{{e0d)s
z8GLjot(LkzIw1Uk)=>lT&<gOxlZ75}FP+t;<Pvw&nK{v&CvG}hwV~m3lKANyeQ0OO
zhY-)fD|ndSsvm8ZXYr}CQZ+*spXRh=t5U<x!U-B_Z)JYog14$9dbpFIE{r4jUBi9>
z<5lJKaA?rd<vB2z-!&2lj_%H9CtHfeh6#0W>VhFsXmn=YWms?ogHuO_hmTB!c2A6r
zPI4bU(gp`<gAW~CSA)C0uOK-EGNV!}q#e9rc-=GZv29G#GbPQWDb3{<)4FQgStDfr
z!k6mfYHOQOW7VtLNHPM)uxa%Q&s;n@)#ci$Zfe@0Y>Q47I*1oi&|iFwpz8I6T*Jp^
z?!1-diP?{T!h9x;sIURANs?nk7T4IuYuSSTPHB<Yx_W~xtTDD2RbI=gHrP*fb?<Cy
z*eNz7<M{bvb9gjkXMEf*AnrF(rze0$m-){^%9eJf$CYYPweuWKgl{}%qq!{kv9+M&
zUFQdnJ4Pj5wfb5O?K+!5WbSqsbLYD@Z|<E+#d1T?$Gz^#et3WN_a|%!d=RM3OYsHJ
z-Te>y{wVkcf0+4HrZ?bIS>+L|+lp8IQ&1f!ZbJg{P^TVtEfvbu_3D7DfwbI0zH%Rv
z95Gpwt#%swm7aTVxwrV1UyO8$o#Xf`#h&r~54`>DWxE|~1F^Nh97(_b0D&%_eW$v4
z5&RHE!gW6yt0Ql~bSNuZOi<7rXuxNl>f4ns;G6h^_b;z^P8^<{9UhsT{pq%CzYR_u
zBf)tSfxyI(5o(-RIka=<-n~0_9+GHBUtzR=4ccO1-=6@VsqZnJXm$fWQ&J7xW`w!M
zhI#~){dN=|I88mK3>xM!MLYlViOmV}?|B6Go?`d@cleIj_a_-&vxJrh1r^VuFox>6
zoWjTi-*TuM3G<?g+qu2QAb(}?EyYh_ZSi6JqLmfGwkKCsV83i8G<*a6l$G2k?mWJ{
zoFDQU%3d-}(O!K2>end)@P~@qppX5Iwe<|UPn7)m4D%VU?>ki1Mbq}neTVq$%I*EM
zrG+rvqnMRmWAx)6!KZ%n+Bf0G@vnSgXxDo`v4Rln(HIS64+Sy>{r-K%|BkiakQhlP
z&5w%0XbMU5UWl!O4hUpcaW8`wo>3sgcck>ajfcQl`Md2b&DdZv=QOy12&H8DR_1sq
zs$7<5lv5htHr3xhg-_7G&lPqJ`FumW3dc(yu(EHU;jaz-eSQ7pZQz*+(Vd^~$js+l
z;@Ftz%FSmw=JRfGg0zqOvXS<DkMXz{Az_)>X6DZ4R{_=EO|*>=+SjUuT_LlV>8LI*
zm%>urJQ_bf$Uaji3fz9=<cWOOMP2z5Cy(6Mc=Y0zTsP6*fN^oHp?~7Kmt1_b@jfYc
zpwJ_jQ5@~sfZmn&XvR;(r6ntmX>z0`&1wK*YhwhBvA&SyT!!p@RA$OaX*0MP)R;Kf
z=CW!7qkFr1_KpU$R#)4>rxTref7U%Tl}YRtHQ|n4Z+<tOZFc9qy&YkVxO;PG&v0NM
zVc9b?yeG67)wRdfk%y5;*AL+%JU+@u_UxzV+GnX3C&d+;eCMv>dQ1)Tqf~Ke5<?bI
z4U62Z6(Z#&PpU?k)K^xkBBk)Viu<_CD2CbiY$Kmf(WhiNzgIF{doY*US|IKj>fm#0
zk@}20u7gr1#dhHTS}lclFhT^{U&J`;FKKj)(veJC{`r1mKYzdB@>k-_2Kx`A`i1)t
z{>bV^x)Ez>m2AP~_W$N``@;F<c3FfI%N+xC-Wowq+YYjZ7o>Rzy4^~BE;lC@d%d3S
zg~Yb$6FqsdUhRLe#@7>%4}{vcZ3=nT%RK!1hnXMHI~m=2Qm?a{*%Mr3=DD8IY^mo;
zTaK0>ltb=bI*(!=hpsN?X!VD4*+ERJ_<3o$PNJ03H!4XV(ugm)K;>u;>y>JiN{L73
zRELY7K4=Vl<LU-wlk(orFElOf_4Ri5hl<-4K2K7~Ueu50Es;=Uz3juJTqJyt^tTu~
zy<xegoy#?JS4Ztb?M(WT<eO$D<!c}+mb8iMTr|92HuFmR0(p;+-v?0ynW4sWn9aB^
zP+{LBtNM()2Txu5?u^D|P^<MiTXNDqP`IQpV4qB?%}si>+ThY;-hJ(<!DpYv#v@LX
zcvKlFochK$P8A{w@u+BW9w|QeEX#EiCi>pT86TkMIcT#Tb^KJ?AgTg^KGDH#Ks1U{
zEla~+uZ+5>!X59AJx7xT-%Kpgd-+r$Pa-nh1NLtJ-t4{$!huAuw|A4;AD(x*Bca9F
zfZy%6SZCe7#gWi}Mxh$+ptb)HlEw5)p!3YKPz6`TeI^@`p8IcW`P|!)!8$+7Rjd^K
zI=1d*3wi-v)S^)Iz5V3HEe(pkx6z68(bTc{)kQK$zL2^wb~RR4$a{|x9gpNk*MT!@
zH*gy5gx6NIV?#bcB8^+)K0zQ8F<X|FRS7qcqaySmlQi2xsn!%OcbBcJW3yV1FJw0B
z^$jYe-rhd+scY^U6I4%LZx0xomB$3Z;Jl#tOV%gW{!aSDbA*?+s$AT4_P?;h)lu0Y
z&9xk|2s&Dn6Bn4&$O>~7+Ffd+O5M`l-rk~fYjFSS6~y^n;|^!kV#9GolPw#Yd&4{t
zEbr~UBsa1>Ypf$z!+u3B<HB(zo3B1nC7Xi(B|HC%)p8@<$IyDJtWQnJW%N3HXkbsJ
zi5y3~k}~4nb<KP?ZI(*x4q=hUvxyq~vZUFhwM4WnpS@-}t%#4D{D^g4-EyGO(T-pK
zu4}J-SMhlNm=xEXBJDdWn3>$_=5iG{3D?v{NfMs%Y)PLg^7*KZ=WCH9TceiG##}p$
zB@s3#3AB1C0Ui@%u_OWheZ0Say!bZy_ofrqUw`5d{ezo&3gUl?g&ygx_=$yvgXF)4
z>1pYG0ihbQ>sGRc46}I25xRn?HX?mgWS57WPED-$^Z)6Rv32#q)j9QHvbW!cKg8Ap
zcE4fr=PZlcDbyW<MhY0q^PK|5AhU6=t0_%6qr=Db5htn2>9``-ZS!eXzauIPiRs*p
zHx?2K@rURB1alM-zhKW-KaROxE0tVEZ?0@Dm8wp>k^IlwN?!DajJKkR$rYP<eeinT
zKu}p7N*>7XR<1+e%<V-DIVu-ba9p_O+`Wv7IrY8w0ws*|EZ++Gv&3kzLhCslb##-B
zF#ExdS0>r`b27<>yL3PDK5QFLZ|e1U`<7Cpefj?0o?iT+1D|gX4<ynfk@h{Icq}00
z2oT=P_TcTvj%MWhraJnmCTfQR{S@Nd!Q{Oi(!EfwkXH@Lgz)OQPp|e-+I+oBsh&)J
zptmPO7ZE|Vjyx_C{)WX{nl~74seoObhOH2cOEoFky1J=E#li%oVxpP?mOY%ze_t2O
z$PN7AgRthB%3=)Yssw%*hBTR%K$mOddB-_5ARo{)6<nR0|4!G+Xec_lFW0@|95Uzq
zz4J|9`%241!Cx@-PYY(^l{zwW;kYN^oHSWS7Pk$KSPfH?rF`3BJE7Hr0_aGc*%~6F
zs#P3yD;+d|tV3l}DXPK^x@cMjoU(Wj*V1MQj_mSaxbg7n>JiP2hYKqsfxyU0cmKph
zKY6L${W}UzlU>lU%L0=;-gf`CZ7VC=w(Um(^`FF#vp6p^TCU4|7`JjIA;gI?RUF+!
ziagT>f&oMX94c;dHzZoxoDq#5U!6X6^Xsw$o}Ptd^W;RnhxX7%9{GlTzCSe>)c*Y)
zzQmTgF#vUZ_vyG<`;*W`+7qlBLnt3>Zfe1X=wSq_S35ijItBv-38bZjzkX1fL+>g}
zo#Zju@O}5|gSN;_x7Ql)^=VzI_6AL(DVpyzdo-&wu=5&)*d859#`;6;V#5wW^o3(F
zh47#FUfBEmmdJGP<aRhMmFXZ)hZ`+y)T4@z6BBq-nOMdV7$<cyI4G$(2$#}#ko1_5
zC`sSZMbme5kZqjmD_?7x8<bLb_{NS-j2)ZwvlJe~L))gOq#PdL-(e9NslP^*-n5RM
z1Bs}O;A)Z&PQ^6v14tGS32g;K3HK{4=j2p#?`)>GsK{HHt@uoH$c~#`F0;kuy4LJ=
zo5}0$Rbi{wX7l-MHgD<u+=qEy2k!fOHKm{V{t8rf6`p1NEQNNQPkMzo^%RV9kYz!K
zpaDA+r9X70N~W!_mT}=WSej|qOSzFuda1`l!;9Xtmy5gj<_MXBd&8AtFHFWD{T{Da
z7sMukR_t^WJ;_EiHAc|X7}ND+3MH=|uRl}L*&A7WJb9%-hf~qc94$l!tH~EvJ4-9>
zd%lPZQM%|xsD209@$}QuvVxf$(8=O(C+biS0q3yh>TApc7A8^4N4^vLtA=}OF6+3m
zBU?GdW8<0Arwa)-vSFWKXJh-z;G1^?#}UIH<8xew;cQ>P_IHwxSqJ*v+6`QmMNGcy
zqw-eEMr2u;)=VbF(u`?aSHHCS=GH?Ef=ZI=?!C7pO9?_Z>jTs4b^(x9LySucm<yB^
z4QHiyCDfRs+XKRB5U6-4L=BPQCC87iKJ-vmsrP2%w9m%ys~1;R7MFCv{urqVtlJ)l
zMST@^BR!$i`%lb^2B~r+%!}?cAr9t6dv#_DUPaQI!Xh{SR^_(no@&9`mdQfTR8#Rc
zO*87?<grmwYRvDSI5IkVY%++yHa0psR(#FE^z=f>PPE4M=o1^5J;*`WnM-l@2sA=Q
zGLy)o+Xr#QY+j1GZ)nl0{rZ6(qeX2}HaF>w%1cQEer#*9Yc77x{E*miR1jR2;%RPk
ze1PQIRiYf#kcw%``7Jkct4+3$6^Yg6_w5IoiS_ZG;$Mr~XcytWWvyuQhT;X9=@GEl
zH=Ql(CPdIdHZ%V+=Gy=+W&WINftWo{pI$v%X!zrS*Y%%0E9v6MxOtxNJdNHU-=`Sp
zO${}r&4-W$B!m`TI8oppPSkd%BFCE~DU{IE#%6T`w=CGw(){5(BVk^?_YITZ#Yx+o
zJYF8+ta5%T=xs<lXQo@B)A3V-mz-ZgchOGOz4t!*Y+W7QC+XIS>FAc3jxLT40)MJJ
zDy#N!O*}J)ljmX3qzNC`vvEQdYCl0V;3XKNYa40ch7@<CtzS~a7X0;9cgv&dd*9vY
zchyzi4KHclSJDCWk@mUJF=*fU{FF%@2iTc6@+cK;#cHNyZ4_7~>Sm;XC+ettqB3n6
zJU;yO*j;0*)f%%G?`Mx|ozm>n<RS5O?G`p~oT@X1p!e2KH~}+DwJL&dh|TLa#I)II
zsrf=0w#BSZ%2j}LV>~+R9Z6dBh6Yum!QMXjz%_3iBYWc~ug{02#vCdBif8~qFSC>T
zo0gvmOf5B^2_=IrK1yB<T#@ElCeR+xC!pa^fW_N!>k#Goua>A~XqBoDo_?B250dJD
z$=J(W#-5VV!Y8FV`ymy0T4C@+z+A&cdbwC9GhQ41jUqChan#6-SJ<q+_x&yL(Orf0
z`SJQR@2;{lmveQPsw(T%(lybzeg!g0oMT!RI@4-6B6962eK(OAw_TcB<%wLRNw#yh
z@~(=M9(P@Ea`o*61<pWTk8ku*hY*Zf314ZRL>Iac_<Eik3;Y>3LS6+8(;d>RT>`Rj
zt*4$>ez#H0diBTyKMKD*GYT7fugE|Wl<VZ_Q7+g;hF>WYiY!6O`*}YZCVe(U_14f&
z<m6ZN6WAs<LOny{8R#z(wY9W;l+aHv$u)knggUv_5Be`%w|^_wIr7I|Wgi1gP8*|0
z&$G(wYe~3Y(MKGF04FDa*dP=N1F5|H`qy`p+y7or)!5&0yVqBV?D{CTO`KSJ8Q3Jh
z3OPDD(C-<}^Hd0pG@nC_SpE*a@8^DhMA!c23LD6~Kz5E%*%@^7pO?j`y$o>rdlIn<
zGWNSb#*R@L8}Q!)-b-;LA_w_>P%xt?%ApbTI(fawIy<8zWV!AqP&@n7LePGx_YyS8
zK6&6gC-U%5G_K3TKKaOJC)AtFg1nk%D{K$VULvcB1A$*AW^pF{KVQf;Dyak!)?kq+
z-AmO=r5b%w*}-om#?ls@D`eCejG?@DV8ZB2m~2D7r17|Gq$}+hoAxiyt5x2V$!ziZ
zjZuSt#AdK{sV%XB%O3MP)vjKfy)$GQ&0C{>x5im8chBwL;%MHjN!Z=^Ze2j%9(5XQ
z{^Hv;YR8~Q=QsJo+@BNwK(Mep@c(QsI@g90-Q%Y80-cx^(xrEU-`3V<^BefPIy8NB
zc=+f<FgSUHyibQ#jLFH)>_kkjk4<DdCzD2AtCHpyX{w)(OI`z+%86&IDj?r=NpjG+
z9lv3^$*4Q`CoUVmm&qmrsGbtBTpCZB<v<>0+QO!a+Q&6Z(uRBYj`+9v3+BP-?(W!F
z+U6-ths}A*)uWlMGegcTUgJP4YL52@{8N)tenC8ds31U|%ZCVENwlzm_!_9v1a@1w
z92lxwjTXee>SDA%96933*~UAfxwg<yX3KCa<mtBe1b1ZPlbw#PRCdhUGpCMur_A1v
zr`=^#EycVppUphs3Fw1)U#z!XY#r_j^n{J9z9nfCN%_g@&~B}_TFU%ni0sex%uPHe
ze-pG!eMZ^^X!$wJwqB}28!lI&_5S0TTc@U;zf-`Xrd@N>A|5C{zU`*}IA9&Nm|bSd
zXUE!~F!kf{0iR(`*-#DI*7UzvhxVEAeV(jsB$4bX#GOG~PK$eg*sKc}XsS_P&zvgm
znl}17VzCab){C3=pJ-~*M+ahbmSFnuUaq_Mpv3ui;82G)OnQi1N6B^h5KCFVBCV;a
zAgwmO(B}`0EGP4u>;u}Y-Ins31?!Z5dY>yh9`a_=F>Bt?+@p349h#WCWYQO~PH0W-
zQ6hYKmX@PLQr(`6Mw2$@NEac4*NA>Avx#I;9ci>~JzA+2tzW7|`wB&Spb%Zdr#c7x
zZHlqWj~vYIpDY|Y{^EINXYC}sdyMcdh%#sh?bv`9JE<K={qT5F#t`adD}$XNA*eu`
zfR&+>_ki^kXic&Lw1c>un6k0}?cd@vd6&)^GWb&Vj^WUj{jDa4#t?L9ow>PYlO+-M
z#D{g!F1^3QWexYMjiD~LHR`psh^GFiHy<=C4jKb4YqQv5^~P+TeAt8w`h>|7@p}Bx
zzXbexyIJ4TmT(8+tRE4ZGm&8}NQF}6eiWn)4<glh>dpq`b!WM6ycz`wPhPkJt$fA!
zjio@kN!ZhoYA-C=`gNU7YszmDtmEFmAn6{YFU1x~M;qRX4R+^9E*Vcoi_ZpZ<63ij
zY%Jq&86pF*$S4W)8K(Vg%3H3_s$w-%lXZNq>lAFIH9Up-^;*BTXV3TKwMvOBMDAr~
z_sSp{%j$TGtF`4KuGCGyjq4Y2-SfTg?ZMZTi;oJd|Gq+q*R9{mocDD9TK!gy-RCj}
z{LW5Wmv=cI986k`o`6#)Lj6`t&~0<L^j43_Jn9VTJQ=q$?y)=EMmbLkYtQ1_1#`{%
zt*YAfTh(V_(69ooLY)Gxj3_rH>Zmf%84voM8C%Y`HO43;FP*o;<BWN2gr-18Eb5@7
zj<`bj&A>xelXZa9Z#_cf-W$*-rSGIh>k$;9-=!L@YZULsS#(A?O3u59oi~R2(OKa#
z^8IGSkCU3IM^T6#mujZ2@$<;~eHp=TX86q<kC6(f7TnG1iMF$Pog_gb&ef^cIrpn_
z{m)+sx79mOH~{A@tlfmI!YR~RRgaI<&#Yg_@}}(%o;dN~cF)o$cJKbg63Yj36M9~L
z9WGvx>(no3c@w{ahh2}=thyV!ghLywXL(fk>d?6dq<WTjle$=kHdxQ{=#Vfwbgr8m
z^YHs+SUt!zK{D)jHmGr-f%Li|h%zRtHI%dD?xBQD^@~{!_4DeFodNQpe@Irw@@Q^K
z?{T_xtyX>OB#v8kE|=RdnICe5+yzf(rb*G1>GTxbAqQ_K4p4gQ*01!FPXS)PGJyQ&
zsb9&~82W6>)hip<6|ZE(2ReD-%Ko9FH7LtZ8r&|I&Kk#)t$J&#&gJyzr*bq`9O<pw
zMZKVG97PCAwIjBW_cc*Tura{A_+~uC&Kn2JO@2GgunE9I<h%pyx0AB-W*IgGScG5;
z?6=c^b&}sMvh!vDi;?qY*m<*n1?lw|HV4=+PNMILy9qX5K969ZW!OT+^{zp0#J?ig
zB48feh~CMtO@O)9hVXXuw8WRSIf*aieGPq+@&z#O+8mx@=ZypACcm9#*aTo9a^3;<
z+ez7ZvkaR8EJCma_S<Q|I>~Pr*?BX7#mIRx?7UgPg7kU}n*(gP_&oX^4l=&Lc?A0`
z!xk#8H-_H0_6f=tz&yn>=$#DPBw;kZlB`wR@oSk~Ie_S7Bp0q=>1D>_b=Bc3oh=@m
z*s)`RzC6*WhrHC69zJ~W#fJ}HIyN>tJ3=Ce#@PI~g_@1=E66<MA$L<&-;Gy!I$N<R
zeE;@f!aRXP`9{62cx_o0og#EwPy$hfS(WLMsp()NsG+K9dQCQaz#7X%zO1ohd7s~H
z3hDlTt$hbzT*bBM%-n6#*1PR)(e~c8O}o-cTJ`28EE#uPD8_&RgB>t9@Jw@(7kV=U
z3`rn8^i(hj>6JK-m+rifyx!6akB?XX+_|$?D`^e90=}AiXJ^iwIp<6{Q_d;4rjmoJ
zEWwQH*6yj@i9pmNWFv`@x~n^1a8E<IKA_hWl$)U5=UglBXV*K}5nVQoa8Yw;;!=g4
znLA}$*pz<ll{`tu`%Gc2qbFSHid9Ofyx(n&7z>_y+La620v>-xh?jNAaI);}^7xAW
zE}_d|N&ACFcib7s7`3^GJMH5UK~bR9PM~=wGNBp3TDcNyvGc;R=~nH@=7k?N6_R%>
z#SIN5RjryP3v5iKtAx})dG^?aeSM$Up;Tmcr2pT4)OI{r*}sm_YzE2?qHZYN+^%#z
za?;Wf<r5^LhT__(X;5OTn)bQU8fT9s?eWCoUaQX-Gyn1-jiE~is*cqj?GdTtawmMj
zs8Q$s!pw|P36l?>Hy^e({p_y+UOK6DmbS7_7oTKvEc#RIdQ3|@kT(>2mZ@OC!LP5H
z-#HsC@<F5Dnl34$<-Q?XIPY@?{l2(gnbcjf{esKvhN{*uG#DN26>Y1J2L0Y}xR9kX
zUVuMqfo=vAf3votJSB1lp4<{8>o8|>$KB84u29OQ<GR<cnvPB9(zEL~0$2_uq3+XA
zcOOck3iT<;x37JXnk4HG-<VT~B3*cc3{ZB2Q6weL4SSa8Q}SX(tY?KbCBA>oUyj%^
zZkOL0%DJnnBA^G^qh)QtXSaD1o$jc?;p0;w9q)|`p&pZhPx>4&x3QY{Wef_w5OyTI
z{O`Sf!RfTRx?TzjMypY$aixS1qH7vd?!>+=Liy{@y@|<UKWnQx+E!uW)}kIQN@0b%
z>z8Zyj5%acCOytzKou>RLk7PsRZ_-Ey~EaU-UH14w#ib=iY)z+#O8sB#AcE4h^?7_
z0{ZixzNtU+2U6K=svZso!}Ikc8#f-QyZhfcI{MCjF@FT|pOEvn_h)`yJsb#x>i}h*
z<#baxbl$q~8oD1{2)SM83`fhC_W3)-gFz0TPvdhs{C<biC)LBha5H*8z%em6^6C*Y
zCjoFIv|^zaU`0zXf|a&lK=20ouFdKqT`s4?lS&q6=$MV(z-N;O*<3~=joA<`klUm&
zo5cmN22av-V{)7i@=npXaXBsu>2}h*6HC&~(6~uCE)H>PXx=F~t^j%0(sa{uToTev
z({wX(TttLN<5tOWL+Cm5WAZCDmtpB3?gWinvj`6(n9E!)joB;?>{_Dt)3|jl^*w~k
z<Yl5#T`SFP;Cl`Iewco{;d=x9emA1Fu3;W_EtjWv;ZjJl#jS@&E81_CZ@U@kunUJ3
zSxme8ZFd_kHgs4!iN^ZqZRg&)*?)(hoL?veCqtph#_Ra0#_az6h(l#4?+}z{rsq#8
zNL1`4KbL+)*nM(8?ciax2I8!;eS9bD`n$yYoQrm&?MpmXLA)50?+ErL9pUIMS7snQ
zRZhpws?>Mvs6*LLX`OL!N~$I1dFbs;4Zo+{I5{r)-Sq)&_H(_c3%MC3P)<6*z_YGQ
z5X(NZ=dOQDPL+NB>P#{*Y|ZjfM`?7h$CEN=EBKJ7y1u78U-JcoqRD*L#MD`WwJ?MT
zrN>P`4-MjJshXTb5se8-J|)%MB-L1U&d3yot1h@=|GBY1eQdn$7i+fnl6{wsPOY02
zg`dKm1h`rh0;rhQg;|qi76dp}r%noe(I{LQ>puI?LobRDC-#gVf+o_0H$vsajU>9@
z74TZ&l(GJE$B$DW2PU3EGJUTD`UU_eMq7a4L0uHa+om%!nERXb>Z)Hn37Z`fa(vWR
z9UmDo`#aXX&oKk!?iI=1=L^`%CJT^zeWzyA*q5w6xh_X3ZQP7DO2%tVPC7xuJm<@|
zBg^w2o1g!fSeuW3yfJ&?giI6kZh*rfErY}5Xg<C?4{1T<rE~_Uw-eHtkg-LsRJ4vu
zeOTR@9kTU0QXb!&DNw|RqLE}aoWtJ6Prc>1Ame@yz|x^SqhUv`S%=R{ex+r9R2^*B
z4Dv~Bw#6S6REfK1`z;S|yJA2@^~D!I(s=C~GuO#w3_ux5iZ5pPDkLf7i;(p>TD^N)
zWaEpF-ic~5Um+i(rxIkllX>9iWInRY45!5tkV{>XmU?72QrLsbTi11QT{GL(X*d#@
z4$p)M(TE7VJUjbxWA=I9TF<T%Cw6((`kr6J=LW#Xf?^{63?D6P14^W2_!yU#&8$<%
zrEWTs<~Y^bjYl#Nh~@qJ_TX&f>Bj7TYzwUkKPQ$&s7yc3^-_OOLJN1Tr{KML`}|F;
zD*P%nRrGkklTI@%)M|xdUmrf?tId^5bG=?~?_8-oSMyEIPfpCvPE5`t#QKecT%P)T
za<{Z_6Vk~o(ndMf#$HVMSa=}ga%BfXV*}fBSt<brUnvsl3Gwgy`I@Lls+$KJ@u#6~
zS`?>agE1#rcnh*Jj3&u3z93DHWWP<8x97L%)nctygsOgVbgOOhY>5UX&+Le?;xh`J
zMr{<oxM51H^3;YW2fFnK&S_F(%M~W4RlyA?H4>hT-}F3wf=Qr`^-w(0BW{^HCQ$!m
z%E-=`WZK*x0AWC$zwFOAbJ0ELY#pj?&ZKK1alpGkxO>p}%;S&$^F+u)ebxcr&j#A0
zC}kXs>*`ZW{Vf4KPPKYlvb-H{OBitaY-Y}%7Y2QyV8qjJ_B##scqI^>a;I!LkJq1Y
z*HY;@e8}&w3Qn)!5cDp!%^en8nSjOPD)CmA&EeF#%-!kUwScP$s&Ed_M~y6uI$Tb&
z&#e@>#e68;b{$@O7*bv|G10h>wxbe0M8_tcO16U4v4b5|)k~+v<--^BMfG><H_heZ
z(eBwz_|W!Ce)H$?o}TeP|K^hI^vn%FzZBqsLdPUlE00TZOI&hj=B9UT?(gKaL~H7-
zZMa3`#NUR+v!mg^ZT795_y{oq%m5l-FlBhlJRC_Qi-Ybw+K@xG6su+BzLlq=T^l!s
zRGmsrqtg_p${M|fC_9zm+4UEelpRW<>`>)J{C*G`gY&DwAN(LNLBq!E&zyOOBk%l~
zgs<3fT_E?Bgw3{$3~!8x+<zOHZCZo;W@Ensww2b?Ici}MOU>Z}+cRoYC#Nx}Q=1Q5
zyRD$%J4pwx>BdKX@%^nvzs=@1ZvDZ}cJo22HOTL#cS-@LjkNuE7)~NCYF65!cOuI&
z??iuf^OlU(tR<b6&dkOe@sUR`e~~lmgnt(`e)EV_Unjsmi_RNjOolpWJ888evS=$_
zMemDPM1karHs|+Vz@hJbA0H{;>O`UO^>IX+^IPNqj+dD<n<&RUv`;dbBnd_Awl|_P
zM`^dzDbbGEM_sg1<-sA5crkHqA!=1OXM46@Kpb8nFL*tZv3HJY6xMFS`}ukvAF3qF
z)lRqHqOb6-TfZ1GJBLjCgvKw#rM@T!_?^S8M^@xRs~LXk+)`@^7J8tJnH;7lvdTj@
zB^xY8v;&7c@*on0Nw&DyzHCP~6cqL7SA?upp&pv!tU1@<m=G<dJ;~8vkoV(5HfsQX
z|EeCduz6K-B;y$E>De8;+n{Cl$N=9M(9`ojobwv+=fP3G!<DJ|BLzcL@8ZMV*@)oN
z1^FI)NJtGO;`Ov(*Y#+%ec4>Ep|fmo0G%Yggwn|?&l)tWHE3v+KTq{ejZ6&F$tF>x
z`GZa7CPOR+lQqW3N?96yK2)D}#PTjz(yW*pQ*-9D(&zI9Jg_jlZ9{Y*DOgNB`y06c
z?-&i;<t}9}m3Zg^+y;OqZWKm&nJRFOPCor^5o6eCKMRB&HrfYQjP@!uy%<D2V;3dM
z6)%Qr8K*N@^+n2lBO%{Y7Nc+o$XPphtJ>%^dlNvmbUhKPrycHe#jP`HQz@ayTfSlF
zvg>0a&v=-3{wKEs2`I*}6LJ(Md0ErK?BaCF+5;@dNk~cj^I&n~W-yb{yHnnf+oa~T
ziJ>8AtI7cm&H@Cj+J2(w^$j)tAL4)uzZZ2zR6v7h4cf%G)p}NrO7sLu)1kJALNrvu
z_XO>@bYh%z&4n4}5yM_U*2S1w2P7*ZE7_I^4H#eP-70o-Oxk9zVd+j%>pX*LMUX`N
z{6K9@R&TNydAB{>?KZfz2YS^V)=<{fY164Sf~T*4V8>dvTH%l8y4<NwLF-8UK9Nqi
z;HHn&?1OWTuyUC88ad^lrpw??dJLRWsqZxCqpAETPQWga&j(v8fACm&9p=nd8$FYf
zqx%}7T)Wx2oR!T+2t4X0KjdcIa%wO)r?m70s=0YHY=c_y5ook^t9PpJ+g}VuEY?>g
z*^C13-^*>HHeoDmPDWR_Pce;R*`2M;LRXhy_jrcp$Qv%J)g?ZSoAG$#c?xggSLjdZ
zHh^aYe0}oVX>qYtM=_RWOqHd!=2Wd^Ijs(@NvZF!8Rxpytjs?t6m`P6yYQyQC%}k_
zx>-J>lh{u(Jx0gI1tp~ubdC^D*f>a-*S<~`$Fz_N9ri@3DX!Rh;QFm|S&?Fmf4u$Z
zi${CTLQ)xr(8r++7(rX+FB(QAu?odLEVj(+God*ixU1Dz@u6}CU)8wDMFu&AgeTF1
z?EC4>Xg}-C$w?7MHCyZyxvGPh4#3bUuV6S%N`01^^$)g_6mx-INEMbaUu|oKxluLr
z;DJ$xy%gxl&)Gcg$h^(t0<Ponw9VHigeGgEJVbv<{~#pG9N=h08Cm9}av7d%6~)Tt
zLQD!7Hp``OM8jDnG4z=OR#tF}6q4o|(*IcJ`K-U1b~@8lzpqyedwrouBm@ub_~P-Q
zv>>F1;^Me5TFrI$_IBs0(%6b#$LG*;z0%z(Hgjq{Z3I10b7~<~-AILp2N6)Sr7Vgl
zC4y5FYMBU97ZVd~mBnE-H=>61EjJxe-PxF8h>fbR<L`ucmo%V;hj)KT9#iSq26(Qa
zczWpArk7V3L>~sq7S9Dr*`78JC@UFi`X*{+df<i)Z~}-tzc{qLuHdu6(2OHifTN?F
zX6R18*Bk6gy}qx?+qRq~5-$;Gl)mh{$5kv`xF{zW@ZwQ~?P&1usAM@&Nf(jXb_SD=
z)@=+BPYsDy3>LLfZSJrpjiPk)4lB4R!gYneER9WvunEdYq5k&cM6+vweI1BE@~F@S
zF<~~WFH@9aS#FsJB`*=glUS<TgQL!fkP#ftl-m?=nTD#7iY;aiTJ3fnY<)u%KZXxE
zEoI(pHCilM6)$*g$*N!~>WyYYhhE#ER2l7ld!~=A)1Y5-USwmqw~;IblbjAQWX(w-
zyEG7+6;p~r<vN!3zpT>e|KVD9w$M4TetpJlG#SG9&}ikZL2lEg;k$a({Ytf1ei~@E
zihK>^W>79)UMpv`V`aCNX@Jl`RewY;(=1WTD$PmJJ=Ja)Sc2iXkq*vM#)l^RzVlKr
z9DB9#e9G!u)J<lf{0<al<+mQlx3JrbjAv@GJCjYN9NIsZ_i&#4?B$|JeDK_JKPV0`
zO!xd(fN4V$ZwDqde9oqO(rnlyJ02I`TFPW4i_0}ee8JiCVP0WLO=PTaesInD-C+wc
zhbb;Qc6<;Xz~{~_Tke$WSqGeWG|O;mJz*x(S;q`QX{bRd9b39G$|@R$SR)&n3`i*}
zW)fm*LBdRP(e5olkHX>Ew0qCya6sXK(-j|ms1FuC9)GmIT<)j%AUp;5IGNlny+I@6
zqoPaVT2{J=y+Jy9HKJuPv5uGMX$CxFuxgElPNz?!x?#Qt6j+7Qpia+TX&=Cd<A#)8
zfyeb@LdNCDI*v7->8(rhAOM}Z0I&a!?p6^OXJOM^ICjggk3Ec!WPUUZ{}y$@61N5F
z$<um*ZAWIgOU&73F+{N4?1*_xjzq<m8?q&g30EkY@54u)<%7|TJ5UJlAxFvL4Ew{?
z&?{2kn-zU$;h)p4KaSe$z$+n<LOyJbrHi1IqQJ$9>g)#nhTR)Jv*EGFaPMP}QJk~b
z3h+KFpWPw|N%%tY8zCvSiV5+;edr(1i}(q;RzmAV(}8fa6$WYcq%K#y9MhW)2CJrn
zA66Mm=1!eO<1&Q)A=%SCKanVTwHjq_hf%7J2K}DOh69Dr>h`^oIKM{BLB9{FnS7`q
z)+g=7(knndb}0xo2Ny{VULq-8+&s7u3yJjqSSoL|?3*j93~COZ!n(Z{TOp;@3!Gj5
z`+Qu;2C(fuTi9+7+wN=pXE5uC=gTI8H<fc4OrqX^uf_x1F?jO<FM8Qo3<Y#mP&29`
z*pY$V|Fbh`a*1<I2>lQmAdH?8X<ZSxx6-Pfdq?ly;9F=`<d2v3T+`U{rs@^N`%rtl
zDfj=6@&0srZ||jViFfjvo`&$|coQT5-hJd{y0ex?OiKl<HL?|N4YlIU&dWmRKE?bF
z$TPN{O4Hy=>ncMf1S(au6f_d<Wkn)pi<mvmK3I`<B&vRITyZO`g1ghzE}cmmOY5|N
z)z)>fp|oQtnhfL+lJ$KyCu;3=*~vsnj<w7&hBON3b1TQU#pM7iL)}SHUz{VgUjrz(
z^HGInXjH9eSp(QQ9~(#saew3amK6YM^Z5^W9pLIiDTeD(L#-57KQgwQN`W>A-vVuU
zPDo;8W*=o!74$v2M2Q-}E2ei=m56t<`+K5mxXUAS+hZ|eO*rdpu1C}(^MiiBDQNU0
zBY&`%D+XQK-x1@j8>b?$q!IHqK07jfDs-Jem(Qg0Y~F`%;MTK!D$=q~m7AkV6XOv*
zFGpU2R8U9x#DTclqJwa$ZW(K{?eAbAKGfX*|8et0ItNSQ=-cExiig;i*ghK!7|HjO
zcz?f?CXI_^=Zdqk7J8<(gQQC(#L|(DGp73mOGi)~Ka6|GCna44Qd;Fxnw`vI)SK%n
zPj=-aHd`d$)eQZym>(Yeur*xp!nT058P-z4P%0G)rlhurw&Q;zJt%-OD8ACl?(-<f
z>_12sPvT9deRTB$LZL_YJ|^x^sAE)AVwD!u*4GAkvzZ^Pjdl0+b&uET;#a*kE>ya@
zdW5~HS}m3A@88~E7kUH1UZLJU;qy(1U%>$VG8v7gV!c$Z*UP24NYl*1U0`eA-vHwq
zm)(UlzR4|iE&Ptzt{!GLVr{ZNphXLIHrcaxP)Y|m5>j5aPM>D?J2TROkaEjy_pCxT
zbGN7jDChxzpJulQOQESmzB@iJF%X{}o9!O&s&$pZiL4Z{>eBO+G5^}GU?verhXa{<
zZeqLcg7Z`<&nTS#ig{y!Kz6h+wac&v@G4Rpbnk+ezjfK&5@XxDC2Gi{m8TQQB{$40
z%wmu<MGG*^J9tt)Y8VTZ#qM_Hya)6K>3~$gR_yL0<h)UxM(-)lq$}&ZLzbi`SL#$h
z_-@YS#)e79#){UW9ap-F&dgN7oebCQ&PvglbIe%nnSPIAH*GIwde8MR@}P^CS>S3{
zFLB*PB_D0$PD&c00a7E`W}=1F$Ih$=3G4>6i%px|%ySWaR$PS^pRYaq@WVGgc-4@>
zWmFj4hM@!RyXpAx<Hx|vHZI&B7zqYP0{1sw2BX`@(2_dX(7I(d;o8@MW3!A-b}UiS
zu#F5)GsDvYc(%n6@Vo8t7VJKB`|;NX@q~=o=LcVt@Up{Mvi|~^DWm<%EWWhI%YZbL
zwi;$##=!J{yKK#fXYyj8@*<^7vK4|9^PZP$v2<3hL`&s<T!EKCZmC%+mDSdTMS+s{
zUGY?Qww~^+_hQ^z@63$M7c%QT!`6(aXF~UHzs2|)FB!&){(>+Z+6acwHuqK)8lwib
zld6ioErS7&FQIF8YCxq^!>-c6#2UY^KhsV7yn%(E;UAIPKyrepf~0$m3fk9lvON$J
zlN<$v&K8N$&>BmY+WDqo%R$m?^3fPSh(+Ypwoewa*}~3quJBh@gMSmz5?#!dHg|g_
z!?;vkZNL%Z>c(Z~>aM$_v|%u&K7Tjy3zI%Y<2%G*oObz?yCt4E79PQWM;@dr{9vzy
zUAk$#<)DYR4yl7?_DDLK779c?i^>Vmo7otV4LSg&)dudu9+%nXOhh`YXH8j@x(%DH
z-3Fo4!N;OX^%aL5N_(Qdix@U^;L)=_J*&*`JzuNdsL=GMY8!r#SyS~(HbwiOKmHx`
z#~Ne+*?QlyyQGV<<rgFTEfFCxA_NgDZ8x%rk{D595zD<d`$4)8>)TE2Cbdp}OUrK=
z_ST)pqR||?V2P@&f(5u&iN<8}b)qgTj%7tPB~px&7-__KTBTF<*qv3~N20l8>U>?7
zRi8Evt@2ja<#lPD$;9hYhH_|F!*}$!)7IhO`l60xF>X{%3j8zf*ZYU?t<L=obS|gf
zcYWyC<ztu4^>kjin>&BMkga#}>PA)RbM+^4+_^3NdI8;xmd@rDsZ<an3bJi0Cc8$t
zhu6p(b#xg~o}>!&J~jEH6dPjJiz7^`6HMAu5EdY19#TppKt<~Q&oBx|ZC3niz;qzU
z_Hq|ax;c$vuBPG?OGX3bhwkUp<gafbP8W;_!db<t%HTBgD)ml%%a~ww4(eTo!FaD*
z92AtIs)%1BhpDa{LUEKuUv1Kc7fHdd6e;;WrHazV%I>9#8XeEJc&yCo63;9)gdp@$
z+aornkgAx0t0-GQ6Hfue7(K15hc@P<cj2V;n~SA)v(d)G!T^g;v2+=+4-twnOA&TU
z#Y5=yDGJPd7JbCy9*_nS*hH@^cj&{JpD1*pKTN@Ym(9<dJpun+wtn^Xri`-px*BK5
z692JdjsClS{p*afl2-l^{(~dHzy9^F@rH7x2WxV4?G)iZ)3M2o0%-5s7@s8Sby3Mu
z%D24(5M!rQ3b32g0r*Xj?EwpnW`U+}Kt9AgR8dLcQrO1ZL=}!MGlXWw#_mq7>WiuR
z`&F^ps$}%OjsfwU(V*r&eA}4vadT`iGm{!h+WvtQwsa>Or}J4P_J0e%L5P^BY;*ul
zF?9d38}^Ge3WyN_sYV9YRz!ISFeS*)9BUcY9%j)=pfcg1O4DMC@xh~pU#v)wZ9PeI
z443!|^E4C$3<B~wR7(+hVnN9PCAgwRT+D&L;t0-(|HtUB4ZY8Bv7$qj=xF>`WPC7u
zp*`>2<}28D27BwFcZ3rDqC(dZQxW|5<Bj#V&dj`ulNkjLG+uq}HSBM^T4?+bCmTPU
zgI}b+Sv+<8Cvq2XD}gd-wn?3&NQ`9j-hzn^^GR`PD=OTwvu-vFvTr+E@$@i_Hq2IM
z<ZbPy@i#RupHq-^L^bF;znt3Gm8<zeX+d%4ojX^rUZ)|ps#b_vtwAAFOx=L5-M?#F
zay07{tg9S@eSK9`V^>^oud_OCGMjobmFgD<2Z86Z4Es?O<xmM-`!;5ZiypvaFXSMn
z?9M-%y%<_%E=KWpHrE%})sYf}4))%CN<1^wlxs=0rTMTpk5Mm`aY39y+loCU7+|QZ
zgS4-{!aiQZxHhg$RK_CFcNr?t!x-Ox3_swR^}Gk~%_z!g#XEaP^J=3;rBxP!g@6f!
zzu<Bl(HPYwrS@>2boTu&m>>KbP-5RQoAt)_7LDkhi4+=`Cw7}`;mFOb=V=j^t>*=$
zUzyxvwmhJ0^-Y6U9(?6R8{b?v*!uJJ&gR!8Cfvh9-aoZ^^@J^=oqwTr)}`mG3+u0#
z8s9%(>ezFhD(S5|Jl9=*#bJZ?&K-?k_36%EoU{HjjE8+_|MGc7drxre%wGqav+AT1
z8M2)UNu<N#FRVr#ZRV_nMGwVv@EgP|SYgME4twx7(Bkuw!_J+1JI5xyh5-Ng)RR_c
zJnSzzd;RNbbLVwx*1eODS-#Quz0Q!yM8^Dib0%NZZ9gmQt}1zt9{$7}{&<&bD3sZ_
zR*3Kee3xOs7_<h{LC-3)$13gJu{qa2KwAi-4a=-b7~6XB<e0@<*rSnc-`bdzcd;3+
zhqZ=K>kM}}qhoxJG{b$OTJEXrE6mjb{@Pq|G(P1THiqrl@UV9(gNJrq!{b-XSDpUj
zd8+QY1Je^CqjzpsB>Z)YQ`v}U^Zk*m8n}$nglMOj>U?{a*-K<KksV4fdx^}ypR~oK
zgom&b06gQTmGM(x_QE_=u3bPkkF>@u-fd;mniMVvT4pdpC^j+HKcRVf>L%@2?-;)6
z-L9}|d{jMEefGvjeziT*-K&iHw+-+m|KRwX`S-sP^}U7P<6i;(L3Hlh(pi<j0gf5e
z#0*o7*e2P#fpJClY{I0{!qyvLb)G&&Tg9fP5A$P6mq9O>hyM<|5B~G^XFZtPsqQ)V
zR^1!v(R4jMn)%vo>qpnu;rS*3s}2D*uXFeuBj*nL*nPymgL(+);&y$>o7dx1OFc|Y
zn{9d~PexWVGpm_}){Oa^kn2Owcgl78+STyi<M_m5V)*`{(V_a#=<pXeY<SP`nD{y*
z+Wsdp&Ki)2-eopQ+F>p2{OhFNpILlly*L!ki?Z;w$EWbY#~S~PPvEatl>?1lQXd$A
zvgo+;0+i)KA++ahaoWaKA`XiyR1Rqfb+S>%Zd&x5pk$$2q!*Q8so!N66ve0Id^DXL
z^3D4dbU3*)w|*cL9y}`>{`%KFwc+8K=fSG7QdQ!-Ej8Yq2m3}ngAd}>{k;Q{9h8NQ
z(618ED>>vqD-f6NuBvene-xiT(RfHlK6G00i`L9XRH_%+eT#Q-xfH;SN%x%~1Rrvc
z74ARbA3z9iVj9IqXxT<;yP=5cXcaoP%$6^|++q*kmYvIchvj->t9l=l%`|t)!$B8Y
z)s$>R^a1hX5Dr0@g>XVtqk#_G8Ey>YGsG*;5dU3D&n?UD8RI`Lk2t<8f^q<BR@_H!
zd}>A1=!zJTFIC`+n(}3I;hz{^c2d4f;15ICOk-G<W-UzvP9PDI`D>wRz>6G9^G*im
z*%mk*%iv7WG~@UsmL>>k1e#_HVV33^mgajcaI|gVOfG@rYzt>nhU1gdjLR~4U|E_d
zq^Z#~6LOmSSeoCp;G<ZE&w83>3V)`hEHh0rxmXrU^VJqO#<umEX7!TNbha&PhNY3p
za<r}2469dbn#ngy!|FA?@SiNr2ut()nQ><Ltdi=5l&AvjdV;oV9kS6Kg>%r`Zo-SU
zr=O>%C=9YI#kkyJB|}Vh);Y44*}P$on=fa&-7ocJ=SmmxucpCY+BP$5^O}C+wdUJO
zO8~4b2+R7q1FbTQusA1xT^{icmj_8!88K96xe;w~MzUx+`v=cHyYbm)&pk1J0{)3G
zupj>dAh+8?3c@JmpP#2?<<V96B<Vt0x^Jam_h>6Iahs+hh?_H))b6>bcF(=Fd*R<z
z{rBD9f9zQQ{rC0XFX@UwG!MAeS-)IZwnnU{R)5&3ghe#qcjin=La5c$PiwCUi2lM8
zi+Nfe5%KRtJf3ja<B8x4n{QO!K85}Z&)|EJT5%A)11qJrj-CcO`~!)qet<4VD)@UR
zqwzt&I|O5`4eHIY-9WV%(%D`H!v$?4w)rsrMPn47c<JcTmkxe%{*$}Lx)t4HXax+G
zmz|1Gvl(L@mvgwRv<1cN_{2de_pVP$_nd+VvHW`ES|;_fGx}Cklt3#9oiDum-Cq#H
z2kzN@&#qcb5v#pEH~02owxEVZfe^vr6BM8XZPz`!8?T5E8B8XRMpQ*B?vkHTM459v
zJu7ihSfL(FU>kqNCvJae?%8MO9=aWh!>ED<nAaZ%{9P-?cKKem8y79o38cycJ0ILt
z=~m>#d`BCH?mv3;e#V;;;Jg!A(1v9;+d7up7VltHV1D+@Y=*6sI}a5*y0tjR?#|aS
zR7W&9P$`P~96SMab!O-7>wk$&Gi&He<F_-V!}IT*KTQ7sd_Q^(zlt9MX-R>+XaPD$
z*T)vkDI+!`RzqlFhDRbn@hnBtM22+00&n!@;t^ZYKj@zfvDX3r#A{Bkvz9Go#2{D9
zNcX7Ujb9}?kpEv&`TwOX|L4;FL5cJ&eGHUV4wM5tepll`d;)rt#%~aZqUZ+l8qrg`
zbp2=!(iadxNbYQ_^vwcsY5Epry9;7l=wdfD9q>D%ZwYwk=v$vSlY}=YRlERV;93o^
z2`$cTA}uxvl#6C2NPTE~R$&Mv3*JC2?R4daW8QosU{FNP8H|l|cX{$-jZ4Bc!QCH<
zrgHf1Y^j=GH5wkjp}(IGdd%+ZKrl1W?c%#a=KOG1emv0)R&6gy2czAoP`H5m;@!PF
zy8ETEY<giWDS~%86}gzUi8Rb%-++GHD|;}MSKZr<Sj_lYgi=MMWT)&qlb7xD`J@4=
z<vt3n>C)pWG9msoI#%-ede`NnQ(c3DweDhgzHsrC@#*usi>r8dzqha6t8*8oGljYS
zK+x~ryQ_OD5V`k`jkld&IcIKD#5+D%tg^GS3%l_;&JI`!Xwe(GG^9G=ZHd{IMdZ}d
z7%8#nT;8qG>4bzsZ`A3-Lq)zz4WDs`j(#3jk`0Q<Rn@Bw9jX;K4uuum2F28j{3*)g
z!bivmS3*WAj~e+bnvzq;Di&$)vH~lgSh#Q6{@}&RPKAO~DL=gK$D8nDzTV-+7tIkf
z{3G9e;{dZCfXD>74fr)ezccXt9#Q8YXR|%BcM(kOh{c!LZ7@=Y^b7&n6*N_%EnHdj
zYii-(kK^xN!Cz^7^Tn^>%~wz05-v^bQZ)X(@gHnYdLH2K1o-L|{g{!t>=Pl1?yTXN
zC%S`;pI=S>cv?qpKfPa+FB8buXUNMa2yJS5*;<XIy=Kj92}`zMr31%i**<V`aYxmF
zMTx4k+A3KzXlHA#S7B&VIloHl)Tf;pn-gpejGT4e`T3wXV@`QiUs0^MZ9+(Ajn!hX
zgF0pO8h<~qvFe&zd(NZlytQJNX~LBz$`2PW8c2j|)Sly?$REhPz?VFld>b=7SO;fI
z%!u8X@-myCk~W?^wba6|2M2;449ic_R&ddPaiB1OOEGD)SOve~J7<pUtX6j(nVE+0
z^h*jQm$-a*{9v+_zpL?G{5fSu^3wY7rO6I$dFwS36W44li(!Z2GjKC9TkbFRPvR}g
z&uX>lVmYJLJ*Q-H^jk7QG<3XO^p*~|;W8G~AT0t;HU1M@s!!tE8dp4N!kr4-S$|~P
zBjO}=;h)JcF+tv7Tg$VjsIgggEmFy=W4H*c<FV@a5Y|#KPJHW=RcvYeXZ6X(l@y;C
z;B%IYj}l^tgiovj9eb>TZFsQyMB_?)>l2XCBw|u;{22;)d-$jp@xc|*KX*mIxY+p9
z(DCge94D>lt&J<6tTz4=N#}09!cCJ`*|{jp=9i-2XSl9@uIr6|VCQESp5nHXKeBX$
zrBikg{Cwja`~m!dS@=U88FR?L@G0(W@*8>wzSidClNa9J+WvE8>F-d`hWjoX9=`0p
z4b5=$(3Wy}%c0THt3^?`dNjXrBpMyrm}lXtzDpiBXZx{zwc5U8+s}F6lD?_j=Ihq2
zyKYl=_a-sioZB8A*;?t@IuePDZ0)IT9S+m^luQ#P>R8s}va<w~LX`lojs*BXW)=DV
z@agU3y{8ZKgYDzfxm6W%t2B29IO9Mw<r10+We^iv9=}V0-_=jJ>>GbW5NS!PLHflq
z<@AvNma?4QN6d}Cu#9U+mGbZ#z?)N$*T#6r=DE!Fg1`d+oS|8&oV9VaqH#5?r<_lN
zifwX&ILU8n`AxG7Zl!~PUQPN=f2|4s2=2fglm<^hy<TNBfKn+9AX^BRxpA75yh`5q
z8!k)euX1`u2PEzH%6XIl+{||O>0jfHX67}gzahyf)M;9#1;nr#Vb&}#4?r*^p}9`I
z@gJ0^l<zDrqeq+EKo9v%Ex&1&!B%%P!LL63HPR=SaisB=#$RYTGYfwvKOyg@^40d7
z_~MZj#74JPftwj4t7@nJPV{xwN%r@heqgLX;tVbq<HE>{ybSI#2Lg8aIDti;_eaE&
zZfyJp;5>{zN+?R&4&c>zy?ZRPI#jVLeA{~)qeR<(eyDMD4F7$pZ^|0A)-GCe(@4Je
z9sL)5bIa);<I|gdbo~*)X}WL7k`PXRbd34&`44h6c>-A|PxMU6G!W_~Ig(M}pj1wM
z+&5iV6(4da+%sGDRHiC>x6gX4bGJ|C2W}kR^28&5T^TCgc>J?_nJ>zJ!mpE0qd0}#
z$zbc*ShRGu#uvSubazM1>`;kzPj0bAy=G^+KV%K4h7}z~hXu^d>RiU8M%mxnRTy=3
zTD>s7hOBBOF?1M=X1ycZUGgMmoV<{9XV;q>f0Y@_3DhS3pFyWNPHmTzm)Q<(H-<{A
zm3A|<5|c%PMs(MhYEQyXAA4-qV~-UTeU(a|qOYf?6VK!M#wQw|*md2(1J_@F;Gkr?
z5Ptyuggk{5OZsp(7L0hk^-4<udS(OO_o!s23O+spX`^bY2gBd*Q5byy<0Tn}g252A
zxXMeb5|%6R2OiyrAwMgNsKor#j_q~mBzc<JxfQ=h@lkY&d>+0f`<7iKgpQNnLP<N(
zMlM0)^bmJDjhjL9EbbyQfY)$gi1T4HTc7$7#C@K|1?9NCq=cU*{{(T7mbf8^`yIs9
zAda2aBM!8myxR8eghRDMMI7JwhL~4H=CPMN3V9RgE(Wgx<+`9;l{$C@d@p>944_Za
zZ=d*$ER8>+{R=O^_ofl?dmE|aZ;+n?jF^nmrDOzun!EsUMLF&kDC@XXmK=8(so_tN
zUqW0)j(dRQzy|W`5Lc1o-cNe)e{dYc^~!NClVN-|`3l74<+vvn1iTN4>E^MW#eHp|
z8{a_V&Svz{p~S);hzI|Lp0^I69IBy7G>3M;F40wR0{3?GwWj>`i{jcZ^&d%QQucYY
z7T%`lTMxW-(>JqhUoy$u;G$ep#JeHpJtyITn46fJe<{`rp*IKRKqDBTzl0%n{-gwD
z3rn^0Bs`F+2i`9@2~SS?{gRXLu#1FOunpj=Av8mHowx*dhGXNc@k_2P{~yJlsoaYU
zf?(hUdsYn1g1v)%510hOWD@K=3pW|<b|b`_r4YUa!Dtd}W)?Qnck*^SZ*<tx?0cup
zVzt?<7TZ4fW3|G^rFID6&E9y$ZneOFRy)4lW)@SKZH)_>$?$V_i}(iV_Q>h3vq^bv
zjlW$9*CwU6NqbM5ppDeHaGSj+J#`MmuB4EU&E8E0-naS*G0z3i-wbp6+vKsd<}rL^
z@L}@Q!PQ5_Jol0`N^=I<t`Cdp9a2IL5(cNQ43qTB)>k0iR{@`oya_%m3+cUkmJIYh
zv08-v1;FRQH^GPHF%%yjBv17nrFs4q@YzT4(IUyV4HlEZ(rh|<<tkEp#rm?eH%Ch7
zqhh~>lFQb+C_b3o=~PfBN|-HBa+M-1@P^bMz3jkcnQIi+kR3;lruOU+;q4;Np+~r}
zHt;NO4eya%hj$e&R$NSeaM@*nO`Ak`Go+3_4Skp$b+@CJ>6Gk@Qg;8XJtZArwk%ly
zV~XmyGwO32L#i24t-x!S(QM)1oxlNJVN@}`3WAVdF-B=P2L0p<+}agoGrIFFWoua3
zx+P_+mae`{yA%E{BX8$cD+crQJ*0+L@`BZ2b$eB#BM|nfMn}c650H8EUh*j8AIdQ{
z!#cuyv4hO7UJYsXlOLno+sP86HOp{2_L3h%2D*pJ;KDeWpx+Dzd?%?qY$rAJLFo5w
z$lr$El(s5(Oi)K&Toj;p_XdeLKT7t;tYnPSI|6olz@g{Hh&9$vYR**Er!@zhCX+K@
z*7~X`r&!K5(vKbkzVhwM>0ssPn&lLm`Z<>xh*|Mg;!PyHWGlAD21vg%*%wHbO36T9
z(h0E7CnwPRxHZrc{q5+Y2Dl1%Iw@?~QYkQKYPEVqm5D|(suA^Sa$>q)8%QPt+Wu*&
zFWCxkALqu};B0vdoHGM4GdY)dLLm<XX2AIby*HCe`Ncal0Q&_pjK*Nh)Go1W%C~gU
z-e}Yd4;fzEyMTP3BVR_7+yv6Ll>xwKDG*;g?t_PXc@YQ!UW@=QUSPhG&+G@8JA)tO
zJ+4s5<qig)g~tu=WF+K*pyiS5YHWe}eTb{ka^mf=efx!8%=|0Az<e!}uPk@FOzHD9
z=|h{j4rFX6XRJShM??G279+3*6795kqAB(K8e1q!`tnM%*=i@#q&M#fIt&c<r_m<v
zvNo_SZwt15cE$#B^69)1&UIVJ0LjD{Y_f2a<j^7Vx_s|U$215PGBe3&zwy{tulI?M
z&Ev7bLvnqobYEXO)tB`;U0$!t>6LhKANf4Gh`Z{)4L?__<+A<#S&Q3kvAW&l^TkxU
zSWKsiS*IYlT!P?~;NMPq&`&u|oZT&1Wq^Uo2U->AR2$a~z(abvo(_K$9?0`<!0GR~
zD`}qaGOv`3qOESArQxiO1@%?CR$Xxb9`eJ7Q@3@&gV@+Mggz?HzfrXPSSwwJVb@?p
zcp_o|vyYBynajw~(c}deB#+W@?Taw3&9;GMd2?8UbVMsa{>%NFHu*0HSpPu6C{Io=
z(~Cg8GGalw23tt@C-nz`9#Np-envyLJPJU_PV*3Y_I{D3S6sMm;~scO&qu>gcfkWN
zJV4W{7){%>xi<&6|B6++4!}b`e_QI|E_e_dBYI$rI7RPuGm9gqS{pAFcTODl*jddT
zbSOwl1B5c0PG?Dv&I=;}j1690xLTFqo=={KetQ-4+u?SYYFWQc$6H!R>n)Sb&}C1_
z9XNR&dTpuymSBH{)KP&`AtR-EXOreZYBpM>W|B_&lHJx`*dZ``+@!ubI&6(P6Iif2
zT_TJRlNwsbaSR5ml}fs3mTR#+9d%|ywl(wWRMcZ5HO?Re9l0_YC3dUXtOOX}fpM>o
zQ%Er2Q8L~)EoB2DfQR2&Rd7l`!rGT2{V_+9;;=eO_avHq8jRUxTDK<_IJ9ly8%Vuu
z?N$g$d#BrmF1>W<^muI?(mn=h*UM??Y7t9ogS58d`b&p~F8%EISI0%TWB_!??;+(1
z8`TzZk$}*p0Shezih$G`YZRZq;3r@_xeXbY$Tz>V3+xERJ5(FBMzE5GpD3uqA>OTz
z@fla3J75vVwZ`kHw(xbp(gt|y8J<n+x=^f2B$i-{ik(uWHZn9c67~C|jW<X&m#dHr
z_Bow?BJuvgg)q8+*4frl=cY9vs5{$XzTi6(LldWJd-u{j9OU`%@;t1mFnU403n0sP
z?%BJyCg=GEJAa{FnupzhQOS8(nUEj;eRdq!GfrVl0gM}0oWD>*;tRg>*;)<w|H48X
zjV*kffPRh88~;pYV%tIvJ+|;sh$}+ef6}<43u<&|;cp<W0&zd4v^cgPpp6UPL^>oO
zMoo635i_?+(i#*qg?>)wKxWJ_T|MVt3ks_xpvuDLU3V5?D5)P^NPf-WNTY|O=Bk@k
zw_0qn3rPU6QG`YMDFg+8v-(wN5htjzk-}1=P6|uC0w<82qFP4FpUF;m!Z8suo1M3-
z&Kd3q_yD*6dw9<+bfe3~F^I~ufyp!Tu~R9E5-3gZ?a8Xa=Fm<KxOuzD#g|T|)3%7;
zsmT@XR(+4b1hAf2h@z_jmW{$PE{D}}vKzb80|vWGx5^Xj;<XlyhcEv$o3Y1(E{#xf
z*{vE?zrjrD_kCFR$t}FFd`*d}RXNpqRpXDarUdD3S_q)S3r``nypoUEO1{+ihi|C8
z_KW%X+i$05Ed%JIRCa10JHMpzw0*&WKDh8A#AP7v=Pb?$ai4;?A&C14jhk8Uqfak9
z4{<R$?}3Fi=)DUMKwJXi{!2;+y~?NYoRqF{h}Pw+(C#PYc8}$DuVL+;E8E4%h`QV(
z_SZGB%|qL7ypbh-r_+Zsq>{^3X<frm*JoK>xh3tW2+!f#4YgBnbmVqKAgvD4!nA^U
zXHqQj>ZFqM#o&PK;nz;waKj%z@rmxWlI*TsFrjA_o<Sb8k@gb=*&uzZ%QBn1=p^kx
za`0|zxhZFp%{fT-!(8ll4}_i^luV~#O?zBwIuVm?li8jr7F}_TLKAnD3WE--VClCA
zHsN1pXWSl-duCSC6AJmErG-L0622cKVYHq69BJA44Ov!NPHq*GMfo2ICz>CLBJhmq
z;{;S&%0s3j!*`s*e+Amgo&~TYw8B4vS{ySJ(*8BI#iX(>%6h(-+CZ!Zg<7N2I!^YL
z;yPD{*?`HgQbF-<REZDPGG9SFTL;!l`!(_ufD^ap8k_uk{_*hPf868mzIflhVsYQT
zi;1sN9~`V#y5df))+yr1Eu2S2(L>x0`Ao265u}ryFh|UOkAj`A>11ced7zK_49ZA$
zcIcae*DDA<-)G<v;GKNcdpPwwc$K1ANXy>|deEaB@PL+IS~=GdHwugl88)$E$fy`H
zty+;d0~T5}BUWT&$MnHHO>Dl>#NwWtbMH9N{6G|+c~VB7;H)k5;ADD8lWn}59&GX*
zI}<$;8>Viwb#>XS9?!4fvBEnUe#QJ<r%Tcj<Yy&6La14Gb6@Vi$BW%Vv-hsx#bv3(
zkG>f%SlOkO^BihGUPhv`4IwP*SmjJwYOZ*2y2gtA0xO!^<bOx5@y{|UZF!-Ud7-10
zd>6-8!&``hAhzR{?`s(!c8qU`u4(dOZIk}a@0wrHH$P-vRM?r?3KH!>+iBTdP*(h;
zRKA8Tb4mUZI>k74zsJsOIdHAZULk26PB;UJ9^$f5XV~L1`8!JR>I%_UyqtyK@9r`3
z#*|75-nD|6GVUpvc8hdVv86fvThK1H>`>_*R>%N$Mw*C>Hj8|sukVRAvh)xuzq|bk
z$NvZsxlPxwH@u=rAMfis-h5xA!)BzW7GBC|(Yk`6*`1t{=H)8MS3kQsV`ZFliO5jp
zH55A&*UsCm*d5!xZF_hbpSaEA<Kb=Fe&2>aj6Sb0yav$<Ye!7DPp#CaS0c#tYa>1b
zf`uK~U5Z`V9S<*WeQVDP%*+JNdr!OeM_@g)iV^3bs}?>a-tp726TW20EK(t%K-aCs
z4tQ^L*S1~JJ&Mcc>gSVcYTLHdSoGS|K??IqSQGy(cbLLVpJ7Fk>EW!dVzWB6Sb*51
zcVxGow>7(6@z;^vN%CA^$Bw`RPHZUv{Kjjfif(VgS&KT}66Y9nT1}iU$?U5$oMX`g
zX^OK0aK4q{-2FCimaQ;qPc1E^iTCcvjwasG*jzWGHToAWLT6nu)DB-t3JTT;kEsQ8
zWvMpVtjduNlhqULoE+jkQC1~IQfV~sW>O;Yklkz5A(<!t#N9#lyVBd`NjpTAx{hkr
z_OG<O-51eL4i2z7cP11D18*WFE*?xonXFO1l>rA2s<f>?yXj4flx}QkAvCj|*3-(*
zl|8O3lkZi=!nT0hp?9b&i?2YQv(HWqZtX7VP5QV>3MgI|18wf*K11;udu!VK?~rU#
z>~4}w+C|Jfs=mcnpx)-qfuVD{%VMvumIA<0+Na>QAPzZEh-y-bMgJQNJ@LJxX=Rws
z7?y5WkkZ!iOX;H2AZK)j1R>-!a)Wf&;_1jurGKY87nZQwWO9csZ07>XX8Q}@gtB>*
zUO8is>d(Q0;nA{-iUw)QWW-B$9CACRFYAO=tA2GZk;p-?nwz;k_l`ZVbQR8I!mx<-
zKd39$uCAAiZ!Mgmt_Mpuz3+cjSIp`w*OkqREKBR!d)ajNvbsiLCiKUa%A!Tyo)7hm
z&=c=&cB0eG>btnGF2&g(44hoC$Sy1+fv>}C_s6wUqh@csvpp%ENhyp*=qrXvE+P1=
zx@%UFMW)G@kzSrL%D0FqO#q=4h*Fi#454E=qAK+gDs{;{hjA&bLQ)UH6`>zXL@r(=
z8f&vPXtO26i+3F9xP=z)rk|3uO+SP#cp@hy6uZPY_&vrptQN80+O^bZPuN0g%0xPy
zP}Ybg-1B*5D#|*OfyGx+v-sk+P9YKzI&E>E<=$l-3|Y8{yoB!KP9Qx!;URV{t($Uy
z7qzV}*)icM$)wq5XvKzIJ2a=Jm3^vYI-OMYDW`wlzE^o^FxTmbL>!&D!TXnWEr8!O
zq=Ie%TB?x~rQW1p2DVcC^sL><W7ASvZcl95wkfeyLHt>-nairf@pu>%R<k!tDxR~?
z_6*D$T|tY%=JnbPmY~Z>akv!v;JdgJbbPA5tv;9`WMnf;^AdzwiMAuX`Mk~P?Fuq6
z36zQ_lX0Nbq}0<+%=e}{ZGOM4Gu=z^p!>z#cD6RMcn@1C_dQa7BVNt%CElBFEMN!u
zYJSh)x5XW2!uFR>(fs~){fF|@N<hx|U+3Y5kCz)P?;ZX!03xuLlZE++0U3}PrQ3K#
z)i-C49jv{XO>CTI%kz>WA?O(UtudcvW>PsR@YU$9aWbSZ2q8x*Pev6X-mEOYV)-tV
zw+6~P(o&xBP0M2)Fu$TasL;e>dDo8a3NJ5j<hzzvpu9^+5#7V}i+!HlCX6lMz3@0r
zNtTo>%t?foT9sJ71JSNc_-s)RU!T-QJr@3j_N}(a>C7(P>*ESUuj|lq?_4=AI16ZU
z=Uedrv#lWYA`e)9C-=+1gj+g!0Z1}q@x=~PCUh&!d`K}$@+n71Fm#AakjuQeJs;Ya
z$@s9mOkhMynV$kiEHBe8G6JC%Uf38f>`<lvpgoKaXVietr1>r#m+ooHfNBSC@kF(g
zb#dnU<0Zs@B+h9&bb3<Yd|uvV)={68fT)wajG`z&@41KZIz;0a{z!@~@i9Dr(EkTu
zIjFt>cmYhxC14#v5C-6XZ{hd~VU7wjCpJEjQ2`S&VP+NP$Y;ZK<*L?uU#_k<5C6jK
z?#wqc3!qB;f<Pu_09qg)GqeR8`?N$Q&S>@DAB`Tor44fNo3=3`4DFy$jL|Lvu|xYP
z5XW>V&czKKp-{HdPw_<d)6d|@p^OC($T3>LlXJ8MUvAJc={;J(m6wo7xB$M$7%kAG
z)@ciodO=I{sSmXJ?~lfUwrPVpy-wTsr0-}4ZDyQyk#AzOj~4Ta4rRIdNk?e&H2oB%
zUN`*=PrZSR1(5HJ(*oJvHf<r-yP{>%546H_?_=-u%<A0a_{2haOH*@GT`ISvbE32A
z&~Y1Q!t)px)Iq)f{@c(cJwekpM2KN+ET^H<5-k&vD1oHyY@RcDpZhSDV{A=<A#ynL
zP2o2q`7tMDyD*$zhG?3=sViFFwO&V4^8Z#bb}t8m?RKj)U`7>fGx+C-w>GYLW`gk>
zz|LD2d8!-3-|}|t3-evcj;PuNzVI#Qrm>5*E@!4%*V>QOa6EjKoE~Sdc1QpNa1Zx5
z*s|lZ_r?d?I^MxAa)vM*zFM`hXx)ZKYN(z+ebwmCrj1Kg+r?NtQBNN|9zMN2YG0KN
ztT}pJnnwH2+%E6qz&egA!|$BMiSr00++8_nJ-4uUF50z=-kPB94s)T`HJ>Ve4d|_;
z#>>vkSEx+L%-dz$YA>bMwlFRr_u7@lOEGym;jA-m2cGNzN8Hl|UPg)~Snn%0-e_Cv
zMQwJ?(|n%1WgTB~Urs2z?P5^D)~fZ@AUmHZzP+N-2HbbCjwlN0wBv6{&T0OgkCQyj
zkN876f1SOX^M_<MOQ!SmEaz;-C)xBgou}Cpr*lrGpZHBWJw0M$g+}wG^CkoaueRxG
zYf8nrF?U~>m#r6T=uBakw%}U3YOO0!(HY;^5Wt2s3q&*)t&?-rZj5)<ReXtg;58y)
z1mcaWs=JxFHr_wxtJYx!Qob7KFkte+)kz(Z4^zPUAXd5Yb_r}sC)83$m*mM(MJtNL
zG^Qbq@Eq-BtOxlqq=ZWNEyzI5;T<SKZm=_@<fwqvQzxqyTM5hmBz}bcB@OV~%1;5Y
zkEX=4f$bm3xFrkx3epVLfXCCOk9H2ElX|C!&_K)l7v<2dfhx%G15$@`U#li3RbD{X
zipId#(gLTNO372v8nOmrj0i)y_bc4_l#VH*S65>85&L)#Z^YaAW$-+s_fmf#E0yz=
z=oj$ZYlfm(0Trnb>;|@x*c3gdr?582`<aYjmeAIOoZ|n46cCTlry=&=sr4#XR(R5Q
zqI9toG+04i26Fkwb709y)Rp+X!^!@z<&Xr~XLryJ#GkQ>kI048>ZCR+X!S?cT#%M-
zGrFX(zTQRsjY*Bj)Il?c4>-FrnYr*3;S1gltV*}QvUEf4Em=#s+ku%JRZp;I65m~k
zJh>9#i1@~IVP526sqD7AhaPY6Sef|+R&(Xe(~>u#w<1R{!q?adR7e*(iqeN5v6S#!
z!Jff?B9;6ON2To2UsSc;Pl))*WXSuTP%hog`2qH0IpZXZe1J4ZM>Bed9cNf)_$4&O
zIi)l4&7fgA!9Jx^@km7$8|q}if5QF-7GNZ{A$yoctY4^;>VwqYiq=vCEjX9TRsXdy
zf7D^7r9?gW2JtC?S_+b-e@?z$8mml&V7$ELVLuy(H%ol1SfljzV6Px;#MhCPs7#mr
z_kpoWP5oCO{z6yPpUlktU+<gWFJU0is-Kjv*aat3q!0gaz$JKMe?Kh}W4}#XNggje
z@8YKa0R};y?*IS*cmZt7Q@|Jm00zMC#%yb0ww-6&Y4(21$hM6w+qP#b*X(TLxqH8q
z$bbHNE_L%i%HEiyWXh*PDyC8@r%I}(TB@f;YNl3dr_MjGUh1bo8m3Vir%9ToS(@kA
zv`EXeO6#;q+q6sjbV$c^O6PP**K|ww^hnS2O7HYZ-}FoW49F>YEORqEk7u9~N@kE!
zN-LwRo$PEEyV}j}_OPeD?47IaV_*B(KZEm!1M-&x9pqq#I5hJ!By${=c@B4ka*lMA
zqaCBX3M#6kvMQ>omY-EuLrt~RR!3d+)Yl-3vmgsK%p#5QtHzpWs+s1Fb)4g!;6x`m
zSqm+-(mHFk(N;U{b<i<Gb<$ZEU9&t(vNTU*m~Oi3p{HJY>!YuJ`WxVsT$3lA>NKZ2
z!$5-!HpEcF3^&3^ql`8t>y0%|fkH)!jW@wWlT6O4tjJ1JGTc<tOgF=s&T_VMoa;R2
zyTFAma<NNX>N1zR!j-Oab+)-CuejEAu6KhQv(Zg%c1yNohg;p|_KeJkjLMjdc85DN
z)?H?r<!<-5*M08yfCoL~VUKt;Gd<>UPk1up@~5Z7)1L9H=SX1+Qsns*d%=rd^0HUF
z>NT%>!<*jnws*Yiz5L>Rv&}KrJo7EE&?1X7A>%XAl1#GHGRv*7(kiR7+6O-Lk&k`i
zQ=j?V7uHy7UDjD|gN-)XY)dBFYMbqL_%c&7CDSq^(|zS@-}u&dzW0M4{p4rA_%*Zg
zl;8aB4}bcbAb0=_;{X5v_`BJxZQHhO+qN6ksjbwuncB8(TeI%|6Zi-p`^2X{^SLj4
z>8s#@uYKcN-vyDr_k$n(<Y&K#5rhSyLAaPfgjiyWBd&PjOCX^{5=$bfWRgoErBqT&
zBdv7O%Md)5F^HB)W?5vFEqElm9C8LvgO_s2EswnN$*+Kd3Ms6JqKYZ5gpx`rt&FnD
zDX)TxDygiBs;a53hMH=rt&Y0tsjq>C8fmPFrkZK4g_c@rt&O(YX|IEhI_a#7uDa>2
zhn{-rt&hI?=`Td6FySH$Fwh`_4KdU(k%k*#q)|p2W2|w;n_!|zCYxfaX{L)Z!%VZx
zHpg7^%(uWoi!8RpQp+s2!b+>Gw#HiPthd2Nn{2klR?)WEZik(A*=>)#_Sx@%gAO_D
zh@*}<?u3(0Iqi(I&N=Ubi!QnBimR@<?uMIgx$Ta-?z!)QhaP$CiKju7XP$fErB_~i
z<E?kz``}l<`Q0D>^q0T=<6r+11P=f}0001h{<dw~wr$(CZQHhO+qP}nw(Fk&0t$q{
zf(R;@;6ex~l+eNmE1d8mh$xcCqKGP*=wgT|me}HmE1vigNGOrSl1M6<<Wfi}mDJKm
zE1mQ*$S9M{vdAi%>~hE{m)!EmE1&!dD5#LaiYTg>;z}r~l+wy5tDN#GsHl?4s;H`(
z>T0N|mfGs5tDgEAXsD6KnrNz-=2~c}mDbv5tDW{b=%|y<y6CE#?t18{m)`p5tDpV`
z7-*2eh8Sv?;YJu~l+nf*Yn<^Wm}rv8rkHA)>1LQ|mf7Z*Yo7TQSZI;OmRM?;<yKf}
zmDSc*Yn}Br*l3f@w%BT$?RMB{m)-W*YoGlNIOveWjyUR=<4!o~l+(^Q>zwm0xagA0
zuDI%&>u$K|mfP;Q>z?}_c<7PGo_Ok+=U#Z}mDk>Q>z(&L_~?_*zWC~!?|%5{m*4*Q
zPY^r+hC)CA0DQHZZ9Cf@v+ag#+s(|jUEfBwZFAXfxSL3r6qd291SCq5EJdm`=`v)>
zk}XHBJoyR~DpIUOsWRm%RH{;~My)#amb1JStY{@GTg9qYv${2`X)SA8$GX<Dz71?>
zBOBYqrZ&@{QIlpZT5WC%TiVLjwy~}4Y;OlU+R4s#v8&zeZV!9f%ii{}ul?-r0BzcJ
z=yafi9PAK>I?UmYaHOLg?HI>8&hbugqLZBL6sJ1P>CSMbvz+Z5=Q_{%F3_c0k6wNH
z4Hz_J*oaXVy2y-u1#lg`vSt!P?3kG$W@fgJ9WygCGc(&U#mvmi%xuTZ%#6p3$IR>d
z-}`p=Rqbx=XsTwWTh*FsNiCJs`g(xQzI06M;)iP6=t7l!<*C*sBzxP)gpGaq+WG~&
zYunhyg?;tQ`sG)IG?O+glQiQd&Vw}5E{Is{CwasmdDH=U<U)CLpuB#rFuJBeX)w<j
zQnbhTUe;AXG0!>Hl*i<a&Q)G=#~E6+$HeL8RZ(-tIo_qm)C=!bZnW1KO7`>kVOPld
zaMWl?*o)vgzO%h%fv~}N_~(T5U=ZcnhzAv6sMB6||B=aLz)JUNHN|%K8Z$&?>zQtr
zm>4^sb2XnClt-LqK*N;JjUWDwdD}_wdPL6mGEnVv)6VyLOz-<L)cqcg^f6=?fz7VZ
zbb>-0hg=Nh|NRT$XFvH>{=fH;&-cn76fuAO2}|_+VSW~T0!$EB*!6}J=7|x76P20e
zh5s!2f7v6#d?}_eqH?Rcv7g0S4r9dCULfk69DyIyc_jv6)VT%!j9w0-<vDp0RONYP
z7G>qRMH&|6`Bfe#mN~g1*p_*vCTW(rg(@1B`IRoKr#bmDT&H>E|82O@%i)K_F(}dh
zKiZ#k{UUXfbi*q515LeuSBG(urhcKail$+u^WvIbzBJpKLAiC)ntrji%bH=e_dWM^
zjvzeuZi!(O_fCPL4EJ7z<7E4Go+MrSZkc6O`%aOjP5WMz=Y{8Xt|-3eZs~uwJ^8Y{
zFT3ToT`xPux;`J|Q21YZH9oc4<#cE5`H%HU*Z+J}xKA`$duzHPeF(kcTxb6Zk<;%L
zCR9jR>bQWj^%z^*ysmoaxCA439v<SoE}inafYE&(UFy27yd;TLVj3xoQJ^X<j8)+}
zHja@eOEr#FW?KQqDAKh8V^w*d(B$NP2BFC-F%BfkDNq(B%Bye!mF46~6P4waSr-=M
z6loh5<W&K8tkZJDk*qUH%oB~%3e=VV8QA5?Go5FY**ET{73n+gW>op!;QnRdg~O4k
zClLkVnAf3*Bbin)4I`O1!BM1{R!|kCnKxjWCz#eU^qN|GaR1+Se$A@6Pv#o=tZoh8
z^SplR>vvMF{TkvZu7eg787^Q0^CZ_{2Mk@?ejRmH+d&(SO&hR@`vQ`YUjPxSA42i-
z5N^obU%_ae`+mhKo`+t^YOl-he9t3O{2jWl*g_DYJ@h?OJ^!tlzho1-{fhtg1?<c7
zP_p&-naP@#(OR0-+JT2?xR$PJNwjl#1j;;;hpgGZTbi*`NcT1UCJIDsM6Z}AnMFPa
z6*1c7uJpVa+LKvCvxX&#vwZdcr6o#=QH3D<_(xrz17ZzDB<K;>_uo^WD0+D$-963M
z5Z!Bl&!DYg1nZ<5iWJL;k)jmqgcI{P%b1npxN?D7sKWn;{@M%9nuc^<&RqZU2jjZ*
z%ManY_KFv0xD2WvX1MkUCu_M3C@*Qb_DMIdy9{YRtUvstGNDulG%Dp%m3$Qq5fvGo
zOb<A0z}>hbeaG$S=_6+Lt7$z?0?PL|1}$OC%E$+hV@radF=+><BWEN(<i<CLudBDW
z?6Y2Rzy?cSKw4JTMbXpG%@JVkYWU-`oELS3hi;lm8fyb+IgrgM7eNrS5A`4|6x#Yo
zU@N5Dxskr><mI5$#HP7HTl6LMoklw;*toNO1)XnlPT4tb%(#{>)QVDh)~%2MBb7=x
zOQ_1#QDSUucJk((Lp_k;4<*UV{J-Sd?i+1Y(PmSvuPhL*mA`X!TCeR|#57t@qDs%f
zNewwQNbZm8tPB603cB7OXyge=E_P_Aib!r_)2Zf64Ps!^fq$_qu2+57OH1mrJX)Sc
zv)!-bMcai_Z_*jrk1PYjAo#=Zhh>~Kmv*x;_ehdr6HcHFUx)5i->hRv7~tDo`e5l^
z;;N}W*Eycofa+jsB7oC29sIL-_i|<KA^oJrl>HB7KQ(*qgx=t8yv<~B6S4u)+Ku`U
zLs0AEdRCgZ&$2hYt+{5yEc;Jmq1H#Hqg2~H{Jo^!3~ybUTP>QDCt>cJxq;mE>TLR~
zqhc@s=3gi>r@uj6wbR6`+Us}p2>P&!Vg!dpk7Lh--Dtb?ZAiYYmi;TbD#rE{Q9$|E
z%DdFJ^PRI`ZA^@322@|$z08ld9#5{i-10G~!!(<U(jx8IpPZ;XbYZkdzYri9{GrFU
zwU}#jK1;#`Wo;X$wF;(@A)}8cfkCTpLT_47xM5|43-HmEluk>i@+h@Ikud~h+Ne$Y
z;loDkX3atrTuv+ouq+`YP9mM=&Z=u1zp5OYq>KI-vW}hNO0~i+q`nhM7Azd&l8(|d
zNZ{&Yc55XHwYu*XO~W8mgTJNgszMO1-5Px>(+aEfiMCzaC)ZR)KU8=H!|VZ{6<zX=
zT1J3iKz_;n^6ci$@O#FJ-nM-2SZ>4SN4@}TIr(M>+k$D#3o{JYbimh$;V-^ZsVZQM
zQhJcrqqIj14WS&cWjEjKF~bbNQBrzZIV|8fc#-=!PX^_;{G&MFgr|FG^|=G~u^=8H
z@)q+IZ<<OPF&8T_7iDkff_P!|VY$_Ba@wF7E4~|i{*6h@>p{|E)xcG|P5*-*rqAWT
zRWW*Bc65IY%wEqIk=<nUK3#-?X+N`$^o9mJY~Zxq)MtaufdL%#efcvz8$q;)XPELA
z^}w#`IDOjxKb+s5ii<xZ+_P$B^dTMZ+h6qc1YlOD{pfCUK08nk=BKjPank;s``_O|
zSmQtMgvc6l;Izf?Y9Xw7;kdi)yl%47OP}9lSKc?u?n)bF_L7r9D`PH7IQdw=jCp+B
z*&9!4->W<*P3hZ@yAn*j96J**=wIBGqo0V%X}U)5Rn~C@*01a5CLI<o)XLh8lEcp&
zVjmo0wdovU!bvb1H^c&0*^G#hy?Nb}g{|(A<}`I|Av)3SRAx2RZSU?#Rctvsfp;n>
zvM#LAFJ1>(WtQI6Rji@96$H+6E@^Kn{Oy063ctbfMk-%bI?NJyMfx=_SC#Qb#k&k;
z<}~MRN~AdsRr1)-0ry3M(g)YpA~Q$^#AT}YZOGT`9p;yT%|j05yc!=>O@png?{)Hv
z`^JUiOQ3s|Fm?ym&ba*MyCZGDv!!{*R^kLT%d=b*pLN;sp+jf<9(^4fI@kPTUlDHc
z$wOc5{8ImnyXQygs_GDojTOceDBj1Th|Wk?{q2{QUFxPftjv3o@S*#=k7|W;V5wDj
zr%jkP`+$t<z&%N%zk)AoAzONJ(|jG}ou%eU6J_Ei$+4Mkv`>Oap&}-MQteRFay(U2
z(XyuUk-}RUut9;+j;oQC8AW57JK438;!h<-n@WN=^{75|nLhQ&=l#91<XPp_2Q$|j
zRQ!GN!?bj>mQd7>@QY4pcZ|4S%SWV(NmE}~vN+}1*~i$&M}ke7m+zp#5k^3IFhTVt
z**Q?$U3S!+vBkVws%<MgR~Oa>-=~A`w4k#d^Lb$VU`N!`bXF%l;j&;IJs|y_ueBRw
za1;={^ips+Sm1>r*p0c)^J>P|F*TAL-ZRk`?b7t%3IZC~-CX5oo_b4nY5hxHLp<`$
z6uG=iP-0|ez|@r3_-z)-ovi)>h6>wrW?YK*((>JZShP$1R<>6&p9~lHHonl*fS|++
z&Ab;=&_8+Ks^u?2S0)XPV5o7pzZ0|vgr<J-Mf2KCZ~jd>*XCTG>aU=;dhQ(^oaBG$
zIe(WPf9@@!udq79ZD@DjsQzEf_6G!IXFq0k*g$<XxwKwontH=p$_KmAaknRhO^suO
z7cZ<i8uBhf6qAZ&*<em-!GrYXZ2WGIS1(>QaX`i;<^!fpmhQN(?MDRP<K<esdPm#I
z-ze@4d4i8BEZgN;xT;#lZo|2=IeR(w2aX5X;0KQQ*N1h<H>P53hwjCpLLZao*7=7!
zGxz+N9N}PmFcE%MRW3})7X3k@mc@j|B7?ptum{ER|1hOK>HcUqF1W)_8u|R;@Bqk&
z6!3+Dx_?pAbJD2sBAju>Tw`sJ$=XJ+Y5y&2tp=*B71=QiT}e^Qa@>I5qvDfeq%&s*
zzMvJ_*)9@|bnLDc(ee{;7Qr0}Ny~MM$?&7Bb+$*X7mgXdr?IGl^<M?HWPALFY49(4
z#d6KwuSo=KI1Q&GM!kNL60*d9sGl;A^(yv$wS_yyGRz3G9Wg-vBWsYV<UnGaQbbPr
zXC-4W+HobeQ%a2c#6JaLdO8JsMVY;^OJN{Bb#;waZGC>+x!hb#aXTH_L$FQk@&?Jj
zKVM87>Iy9c!T)A}1)t^sWwzk?8D2f8(Jm_MdO1cFCViJJO*m`Pun-O~oKwwqvbm&B
zT{~5x2UWZ@<-^i-;wxEBuu@3~np1!k<~t?)VUmNC5Cq=gFo2m5!nS;6*Msc+g~=cY
z$+!0*#J3yH^U?9>cbVw>0KBd-*RhT&XTapO_S_<<L+F9Gr-Rmimbp}2^Q8aycw~;)
zeB?P4@qiQftrr(T+L|2MF;>KZfwsjIXZfPyVo!PQh*GYz?sM~geo0WRdq*Gqhm1WH
zePh3D$-=W_s`SW3<*wtT>OPq=O}y;+gi}@fb;6;f?QvvNbwg=G1yG4$t<vDS<SV;K
z_7lCa<ys5p?df^-g}mFx>y@1M=?Rn_BowD6VHC<5>KqCeDjiB2Y8{FfT8!L|?1}t>
z{2e(MSrmB)nH;$o*%bK@83Q@FvjuI;QzlktHS|Js6AB*BW1%#veP+}7-OIgQ#bY=R
z)$`Vg`NX-{!*VCMX3^(2zE#f`7roDM4-NzVRu2YJzY^j2It@-GH$?xwSA)(VAQSRI
zn7CTE^W*lowJD88!W_5o7UUi}2sn|L*O8FCO8Hyyu3$(s>VmpLHnJxUN~~{pzoTFh
zjjfK_#lNHM&jTY)`SmRw_oxRQwpXLgpfdiKld-3-cSnG;CIJL3TklJc5iaB9zDZ%r
z!1!VB3y##^6!du!+mc1$F3T`}BSsx*rjov@mjjCkcG|%QF&4YIr4Y&QBKp#7HDd+p
z%_$2WX?lV<2u&I)rA1gFj|pkm)^f(I5m0*H2la2SEHVeJmbs?K8k9EdvNopGOfV?r
zoSGH?H0yl{zV>wa_OE*nWw{<@Srgy~;PwkHM+4yYItc84Y9#p|jnq`!Q)w*S?;jk<
zodrmPqYMYG_+?F{iA~pJ!ZXr4^Ru`JexA%M_Iv-F^H|Qu4m_CQZspf<t7F`v*ht#t
zELHlxJP#dqRqYHEXD>1m9B|^d!{ECj5kQYGLvnJ|QrjCy@?z0H^;h+eoFsDW1YGua
z1<0JZPWQ!sbd$nyK$vdhYT5bFVg@$)n5Wn~Q9FDWVenhAn=n5wEHNj9`MW~##kI0c
zTm@r5$LJoz@CD}VRB2<hf)?|y3_g9hXsma>Jo><lr`%@Mq3$JWn4tjUyd+lBOwG(P
zcLQ%Xr_u5)V-ZRAI>i)ui?*V7Z<=TPO5r$5X#yGTly|Cuxg1E=&T{x8v<mP>+sZwB
z^8iwvbF^4i?YrY8F6j|ekel+>k#iwuyS(G&rbrAsaSUwgFOj_YbyE%ge(ekLV!~=F
z8(*B-qDNixf#Ctj5yc$twr6tKee<aKs%iHF(hkyP8#iM6o76V)_;y;Z>o)kU9$3>h
zD(p7w*<Vh~9*C5`q$&K1r??zn0n5K>IUv9|=75mdO9$}b|BH*?u`?b}xwHN`-PHRo
z()T%K6=A@k`)qSxm}od-)adb+{lA{U)_(_E{?wdwlWVr``~CCK)O))m0n!JuKDyYC
z{$HrHeRpEi7+A@xq1$#Zg}TM!>YLGB0+3t^^`pt`k1A=W0hc@w<*<s?65N|u-4U`_
z#cF6dDv8iOMght%6~(ii=Ed`Y!BXoPHs?St$ejRt?6qv0omCx?E!j#bQnm$>s;hYy
z)s<K~8FG9p4Qzl$6Lk3wTJRz<uu$laR-QG@RAqA}bd#NK=Gb#}XHkz}7+Xi;t38od
z)V%5qI{iA+7f{%bBU-SMW>~~(>Kiv><E*YG!fLu<TCj$X5EKOU%#Kjo^y#B#E)G?H
z6O~l;Agmk{LX((O<<AeSkk6Db5wa3tWm1#oXR-LW%>dRf^=snSIN@gkkNck)q#T(7
z7GRZ_eH~55zc8Z6F(WcVeI`F6NQ2L0%xu6mmocu#3g)`A?o^4hQk3C)gFfZk@bpGb
zi621-`MH2f`%rSO*!lsb>=45Hd{W%~Ehr3?TE0xG^+#fvQn`G&OebVyT7%g_k#=xZ
z)wuwt4JOoIyH;nXRL}URzZ_P$7u<oVoU*#=FIyW?f?F1<T&d^NrFLW)Fc`gscBEP`
z?7fwC<m)g9z4=!pJTUaV<yT}KFa*7(0`E@MuDg0OI}}li8CO!+Ln$a(KMgx}WjPke
zI3AtJw8(dDqN2r^<f`<L$5<oOstoGfY6U+ohaN$0L*1>9Z@0+o*E!z2Zm*B_-q&t~
ze4CbIx)0>CjFR<F_FkXJC6SZ4L%1+jHO5zB?Sns$wQI?@NU{d0_p;rwCh75`>)mz>
z2(5dTOaCHMSJd{PTchhzW%3`EKdlq{Fx_y9c1V!pzzuTV8f?@gh_|bA+p5Dy(;3|W
zP7Vk+6-efmx4uV5yV}w}G<YYi-bm9Jhb@MAhcc<69Y(Q72QZ7EYk$fuCD@w9$F!Xx
zl{A(A#Q2`2TOsZ-{Pq5&(XyrwUo@k?YY<ZNtR@+VWL>kU_gs5N#+!cvTUNHF(%I80
zL5Hc-x}GzN2B};%esvl9Gp)Sby5m#>OR3K?fNJTJxtKHR{K;gepqBOe<;>KAvy;J}
zc!OobmJWku!_3OIY!D29=h!9j2><FxQ!{Q?f7`{>qN$*Zqx9*Wd}iM-4vUU=u&fu3
zch3>h%KnK`Lf=1YeQ){dWQjKA{owo}b=P2tR-QGx2nYzfIj4YERX$y!Qeo}ZrrQ;k
zP6~9Bw_K#snfEV)P^M0`#i6$tC%?`c^g{mU#Xx<uF-)1(R6XRbj)SjR*-9BV1k9VQ
zR=E~;B1y8Yaba`L+e=QCy>Q`tr|PFOCwj4c+B?{!$T{=pvfAhM_2c8qH@B~FQ(*I$
zs))aKdb(u(y@0u~)pQ;(*fcT732(X9w8s6Im6S(RSBZGvo}x5eT<aRC6)qc3^;94Z
zC}mPE+S5`1(z@gL#_9??b8p~3%mW5))c{FPBOXjQbGIxVO7sI`w@mld)6`cUomrVY
zw0b&4#>++4XA$%A;~2-tUgF7n6565V&crs0$=A-_cv~~FSIlq7-HX-Nns4a7)7?Um
zi1kLAdTKTG_2&`oD>iO1c!5L9wQg~lBqqfx=Hv7=FeLSoXUHAnbbZukKRPC>`f$!5
zJ63E4*Unu!hAwtCU(S8Jrtwi5MbG8E*71kP&&9nqvxacTdc4Ml45$aO%Xg|g%7;vR
ze~lA>f`#6Ye8ICH4oPotr+SF!dlf#zR@m+|Y^>GJwbx9&*!}%(7lY8d!;35WWQKdW
zXP+lK2<*aTe-!bW+Ui4i6MXIG>zR6Wd|mAxw0+ZjUGW{{dqsF%`#_oyyQSIrbZ%~O
zZDPmI#0xMrHr)w3lYZrW;b%FIarsL;7whKOhIJ|BY9KS(v#Jy<IE#pzC9-|Qf<9CX
z%|R(WSZYosBRgkrk{0ARi>sBCv=i2VtXjO#!d5wOXWnUMMX<J)RZD(B@Ur*SzRE3w
zKz3VkhLVo#d#&de)9(X4Zf3ZDMEjB4lyHNF`WfA{aHGiw#N8w^{EG+7-9$3{Ob686
zWHJH{ho0Q@wL&n4jNK&H{i6pBAC-85ruyq2z4rA!x3c+B_2g0Y#S`?@6ZD0Z^putK
zrRVju=k*0y^b}e2VSMvGz*=V#SO2x&yS@Zrhw6?FdG(-E7aMyq$-v!{x_lP%!_lpF
zrBa)vfKaXvaUEa=QR)oWss*pRp6TqGybP?n5L>h#*@16e(w%5+w_5sm_;{W;y?}U@
zUO+^N4Y(f^qG<Az(cxvqcYUcaPhd4)3@k-WWiy$C#g?rV61uxv#@jDEpn8aQx>M{k
z%N!A3QV2gvjS2VK|EN4Q7?vJM5GZw$PR<3q&bNI+kjb*&oo@}vy1#ioJj_kMirMm^
zAwJ(R+-{c6)LRZ0h$Nr`!imGN6+Lcgvf@ghjfJL=hXti65do3~kn<5$`P=i*^(NEe
zZumNlK((Xa=(jyZ3}}$W(W$J7f;HT@KVbBswGgs{7OpJaJf7!|6$if39tBA2Q^EEk
zS|QZyAFjk-rVw)0V4T4a+Y#da5bdqCBgzmEl8WkH6C%mQeBBt5=OKOFQo_3H9tw8e
zs<N!Fx@%K8)u^%zt%7Kia7H_IP!I$u#%L&#pGdW$7WJ^C{a}ETs)zElLf4Nbz}`3%
zda#9VceHZqrfyS3a#1B4sO_vK`<W;7V10bUgl@!xiRtE8qGxJ8l5WqEMe$6qw7=9L
zB}MoATVt*GW6qKe=WJmi<qdb6#%3(@k?j6tGt<*vZRr>Oq+#oC(<|JrfXh8(ot!tx
zM&Cw!{ml~U@wF%Udy9v;)d!;PNn@=Ef+Mu-Yn%6^hZ}j`(jnZpTOQY;8Oi8!+$1&o
z5K{O-#r`2kzA*AcF-7m$Z{k1;=#wAfo+C+<aed{apK(pqL{50K;8J^iC=)dI>EIoq
z5fX?f6NT%vreL)lZ=uFCR%j4L_dpdLG`12!^TVQ`p!v}U2f34$v=p(x6rAPRXyfJs
z(&^Aq_BvTdB8S+sKZ!?5PtaQF5P%viE`;7ryUg)94<-=A?Yh4g?qVO;{1Wk$un(k$
zm&#q9PJ{%RRp6-cK8u(O`P;WU>MPHAxP9O-)^If;d*GT}X&{aq^v_E_wB6~j@Troo
zN(Z~PMGzq6+vY%Y*gPNT)-O*)JOQIdDe&on{&O=oNFa%Qlvx=^l%s}1>fy>*45IIP
z1k31u^dLQ=`ZSbyKoGB3_N>aT1K?Bn=t8*f(Usp;#dYU&xTJ=TX|zptz&-I9BmLcB
zg~*ZT9@Ete_EtmP3p&^Fm|GK6Z$!p-@>@>reX!#(LnaNJkng-&@V`p!yLVw{@@2Cm
zDnY-SjQRi!_l(2z+6qFVB}(tv7pA!O;;*0QZ|cM>#~@JtaIVUXFZIG={#oinpGJVu
zqu103;X&X0J&L@~SwnF4MX&~|K~MI`UoyvB5+fF;&qxz`I6Un;k*C}xg5wS%2eio^
z9L+#FO7QEClXQJPccpW<jS{C|^(%hN?|i>27q+~!HAmnqsOnJK^zI2dcJTDSBo_K!
zSRbk|zzybqa5#{G829Cei}lWJC+4SeNh$mN`7oMmnVTC5xz<K)sUHk2c&K6nFvA&Y
zxvi-!srdMVqXR>}so6*r5(bq3j1^5sb9ur(o#=X65Rh)<j)KIe>k2!szAI_`)cq|g
zFJ52SQSLyT#TgVA`q<^WqS4C_Z||wSvYzV55lzgahBxvF`HKOf^}@igr=;Hnb|kUi
z1iW(ajnUtvYxS_cBKhWKHogJ~lujR6bW!6ts?d_%3UXNvujA-aXEiPx#kfWzwaW3d
z@1BR;3p9GBB&t-NK>;4ZU9gEWvs&07vD9INleZJ2wDCHG&WoJ&qOq<$fC9}8iE7d(
zzBIk&6aSsQyFym7D$u%gcM_E4)r+)3se7ZhLY+OV-z6M1rY@d5#)uq`XeeeMq1t|j
zyQDneW<RjheIc`C+EI2l*e`S!e7+Klw=IX+P-r~7r$?`ZPBhe`<OT!V=X0d)=f!;6
zOR|i@wZnuN{XRAvnfn*jtfy((Z&LY6z#F9zs#Vmx4v>4~j?ET;uh~}5oAYF^xf(v&
z+_aAT^o<9;yM%qg@X?879SV#A4{#Wh-b>bUb63*sKUzPW8G}Qp>)&{#Jg<G_{Q5C2
zJn0W{#OasuRg<63sn2Q|JF`7@t&jIg^olD5ih0Hz)g2Wi>;{p@vIhFgt?YaD;x}oa
zvfv=vdZ&rU8@9A?+uTLaFe)0-suC7Ts;**5CuICRTR!{X<^=z`wEWy-MbudLbrCN;
zUQw0HSi$n7WK&F=GWl8Iy}H}HsV{qVHeeXAU2aElg0aJ?l=PQnt!}r@z5A|We(S}g
z&ow<u*o-0a_3p-{CwqC;diYIGR;h_Nxp$KRoLQfGjr~5k@ol0SuIwpWhtViT6@d)d
zZ|m=mU02YxrWNCN&h(*=$?C|$IGlDq8}HW#Xmx076kXQ?j++eP%(;waj!Or0PFF4j
zZrS!-t#fTb?Vu{;rM)Uyts!lUjar-F_D0W~7rF-(*T(kAE9@1KEXG+1maqumV8Gzs
zVEEvvNUFTGm);pm7u!9y^Pu})8I~oN)YxsR53`<0s`Z4-fm;3F4E;&QOGe3w!~>5T
z@f-IW%bPl2{i-I?DX(SWUCmw5U6wP`h{O-lp!gz^N*NEf($&42hzF@_R1cf$iieKl
z(yMtlUXY3BO$Tx3UZ<-Yh8z2P9KiE;E${~zhmXm<)|T)rx2v_MWx731vAlKns)nXM
z7SE?E$V+D<d-|!T>__8Tixg-r)p647u+OTlDyZtbs<X;xsbtJhEs}+JsAaNcsb$M;
z>v25Al7`I%yLdyzHSGoa!TKV3BYfj~(7X+*%{f_Y;YNgJ2|>F{r=2-F6g4$k#d^^v
zWw~3qz`U8!m;8dr)9I<qZggpcRC-b##TQhs^ckP7zx-=#&NrgaH|kpG^jZkbTDUd)
zEJM0&qPFP?Ed-C5U>{gLM8Psm%@AR=2vW5leBa76yDBF~5$1otLOG8TpU(UiX~;p-
zEdw}E4M`8dIxiY1f}wLyaRn9Q@0W^pyYHd`a|y&^qhO5~=?paeCGD~3$idj{Crzw+
zRIK`3UPo+ydTC8XfANR<83C05GW&+@B*fnf&P-F&3(1XZM}*B7B8*G-^MDT1ju;<W
zOb9tH)?caMCmz<Y5PDr~fY$y`0tgBrq%e7Zg#`O<2c>NVtv_S-5LNvFxHpLSgT!vA
z(L44$e&pAvS%b`O=u<oH9ltTIk;!(9JN#9zv2})U+)xx5;pP~@PHVs7)MB;Qe)qIT
z(mq00VBZ$uL5>L_At8n+6%*uQiV3ALBL3bwEXeyqE`$g*AH0x4kdw-elCBTfA|O`R
zD7l#bHPVcqdUd`;YxH4PeTT4I>#??p$LNHU$yvatY?>WQL*`y*@=+o;Tp~(4XhAKY
zQ7!mx`S(_}Xmrc(@FM~Cha-Oa=jrILum(`P7l)!>_yZ9|z$K*r&q{fxX+N1SQHh3R
z$%CFS>k-Jc46nhItU)y#e_4TiOgW+|NY@*brV{$N8jhAL^s0k&7AnSvGZTW*m?`=O
zawNJfY$Hr|!1eW3FA)pJ!=o}fCLw!3YRuodL*x2sOOk5+V^3?7Mmv@Q@9ho0_Zn~{
zOz_P3n;%v`#WGS4)eti{`sNjiFa)tT<X0)b^sj&@3b7QuKM*R*dcj~aLd1}@A$@?+
zn{;hA(wlZWcw)?fhs-CmM%At`_A5pz`C>970QPhUdc&?F>#!zV+ykdW>b5Tw-|_gN
z?}v5mVt~$VE&&*3e+<_YT5zC=3~)F&WK@G_=O?l@QMff-Ez!`?nT$P_D@m~s=@4u^
zUJu0}13bauBhoL#pMgkz3fgJEA@Ss67<yn~Dr$P*zh{Jqz#1S0^NqL?A<ps|y&&<5
zke10sVoL$r0spFfm{iTc0X6?ZwGmdA9o#=y(KUEM+1_0eLRO((Xtvwlu~dA7Oaygr
zA?HKm%6Va83pr6xOaE2j95Wq+d>ATu>L#^eN)|@F2El>_@76@uz9c2ECz3v@o{HU-
zfJS8@Mh$Ua?%|`H>F)B8K-(xjN)~w<g}_|CT#vhl`5fMosFS`c#``_$`|)qX*3?ja
zmgc~|ebfWk1a4Sk6J9z;Pc>{R=Ks35s;2CXrZOFz0UJIGl%<2lgKoT)o9`bNo_q0|
zH&UZlg~r<V?#<{YMje{A1Z~oJRS1Sgb=(`9PNuzOHC$%~>YaX@VeK>4b#<qGm|5S4
zfG1Hv_{epyiP2d(fT=+je+F7cVvA4RymGre-DsJY3UE&YamjzTbw0k**;}tto>m=8
zdhsW>uP|Tr-jvhAmA5x=@tegiP73bZH`j!69n*jjU0_6gw;kL^JBvrWTlhgIw67i+
z@QjRyo@Zss!(`==KFQ$q_|>yYT(lxG?i_jL1b&2f#Ad{l_!x(lcZqpL{nXj_`tA!y
z4EZVHZco2pzo~7CmZE4yFyxN5E3?wTQp*c0^--LP%zEpQ&q77nsb&d|TFwMp&UsQS
zYAXMM&XmAKof&C^oaULdHE9#0O|xs`9O&3`8Nxz@>ld@OT@GZ)PYXixd9R8;C4wdH
z^MqwDHDz@96!UN*7VxZMB?P(fLfSZL+K{5qqB`lh19bg~#?Azm+)wbk!#}do5KJML
zI<T1J5u__<<WRlVR%&cyi^8R%6C0;^k(18|u|$%Rxi%IBm<Wct@?6#sH;GOFZ2>{I
z?@AVSuwHA>M}b`AX;_KQ{de}~LnXrVdGkzyoLN8BKj@;q4E-)Zxf5qifV5!#{IRd+
z{x<E}p2K&$7sOk(t!{|~q%Xe^ZW&F`uXpjqfreOzRy6UM(nkEIim4Y?BJ2Jwg%Pez
zWcZOTX^)e~`%}bOvK{_zq}S-B&Nc&%^qZoszEVXWlN$<~C_Jnqmf9AasTmslj|6OL
z&?<kF^`zBsWMW1#u!kJ-GWFdbT!!sHXzo<rFVmigWu8R|&7y339o<T<!JXT39I*Ix
z4|hmoCn#49nPv2dy8fzXir#Au&+yOfSNI(W1b>6Cki1~C{}x|i8R?-L?KlqieA(A$
zL)C)^M`Rk(!u&)3`)wWv%upXUA{d$hiLA#c<y-h#=_XabvOcRC-r{doeOfh~ML%bK
zfEoeYZxb^=6|(@Bqu(;ih;06m`Y6k&YyszIing9d{x(N`I!6IM919Mc=5|~eUrjZl
zbm^<ZJgV2)H(z3cetJH5GM$y)7rBkPhqFbf@R#Snef;t!-6?(j1^f)5-TDcUU18eS
zYKOP}g<agbLUide_2s*VN1qCMwTJdGrOKn<4|4733!EvpwkU3yYA3Kur+m0#(b^#v
z^{>tp6V+9>YHjn|6ghuNT5ru@?7=xCI3)5)9Oc34cG%U$WA%l#f{!%uO9`KAxkE(1
zZU~l|!hKyqwEdO+TV1D^EI1tN3x@B6*1Y}wu!P^8=-siIvpw5IhTzVA7#CCAV81$J
zN#*op%N%c{YfXlW{T7(F3pckK|Lfx`mAvwdiCHaqW8$(&&=Ks(ue}6=AsUf(>*|Rj
zkEDBMli-9jw=P6g&RWgjmay4^(>_Qh#q``DpUQr=jG2o_OV88_?F@_!CLPa^&i$7{
z-jj2!IZ`TzjnJh|3OKKR5IP8&2E$td)cN5<K|l9luYP#qoo~B+a$1#~;6{Y5mL&^a
zNUvbiaiI?49bG!h{BB1);#{-CJ)f3mhJGqErm0GOm_u`z;W&ww;RxUDt7<nX&N)O2
z%ou1h$b4v0BVSC*TU4D6)sW{wg_9>l_qXrkU8iAL3OqFP9_;Wu%Ov~L$4}U}gKq)3
z5y_w5cbeRe6hF-B2rk3|WrpaHkK8sTczJ`X7s^_e7BzDSZ3G|TIf_j1^hA59mU!>;
z+*y4ls{U@=?UwYL4#ui>oQ&E#${yug5-Gadi}cDv3_7a-70ukBT)a|1nb&OJbgx`)
zXrW9zx-)EY)r-$}2V2QOS#{Cw4p}H?VeLLb7E&o7dEi_Jo}*$Fe4oa#r#g*v?JzR`
zF|2AF4?hUHNtbD07H;V@(pzV^Yzk-PNSC|nwcih2Id{pk0e;r56XA<;Yp_r0?v2$f
zId+gQ;BVc}PyBdvIDeE2-v=_S08e&)g7%db>YQcCm>}y^W9`;a=nKWut>%}djgf)O
z=a79M%GZm2gMD|P-F)CpGlLb(rYoy9d4XgQHo@mk#OrE|k&KoFEOhO%C1m&ojW_L^
z8r|l&WMfJ8Au&i?e6w-=JG%Pm7X8H`N#+yhgpbNa#oYee+Y(o}I90K_Vj$+?zD)`G
z#l-3kD?Iy}ki=!-Vg$OBH1?j^?0^`_ij=uU$n)6B0M~)`V%VrYXdTv4;}q2-rwiJV
z@cgDh45s*{I*-9yC_DMjkz=dVAJXG%r{jkG=;o>Ps;Od>PM>eyn+d$#-X-q56Kjo&
zoa1`l`FE`pTR^X4li#8*JYC}-6ys0Wl8j;etjx*s0-hf-;cV!V)Fb5)OhW?4r6Yi;
zsGjFvq0U<K_!i>Oz|CXb>qhDsBqTK7=c}%1@g>d~UQzM|)5R!lUN){jhPM$%SE+wt
zlN6mDXGb3ggA6Yn$4(th3p957Y6;S34*ztcSNFN26DDwlP1S#?oTa6I1_{l2PN;V4
z=iU+*63CU`!`GTsaeF<k?qn(n$)xK?L#oiIv#o>+B)6$0vdRA4?UtgrT&n=FQD$K1
zuu!i`jA(K<|D^4gI8hYp?|<`BYRe2(H%g_t-2QeAe%x6Q0<k8m4+O}rg#pv1p9hF^
zSYRV(SpbbFG7r^t275p2IyAr<?gA;#&M9mVI_nCmRB{>X!P<=6e-*#tR^PK_<3<nF
zNhWV1;=U?n0iwD7m@rNRbE$@ehR$;FkY%slgqFLc8y!F??zvbV+lPIv9baMFk#nmL
zFiwXW1A3|Zi;4UUzPu6l0QV0N(JV<B-h}E9Qf$qJHy@aFL3`Z%axXIm>l7YUanjFr
z8JfFYT6lS;tGl+eoE@XS^_{U)=b4xl7`caHv;}NV_EEbrHM;LBZ=rwb!0)?2Y<RK`
zJVqPKJAqSlZ~NxLG(R=;qpV{!8?c$4$Ii-zhj$D$c@a|R9vt&0pS}2n)K^B+YGCI*
z#9>Q$QY>&Jxprk|y=In+dzhn+xD{=(cH-GyQh+OXXT-xzEj7Z{I^xpCa_W+Md~~pH
zv%{laghvm>b9~2vzb<cIC^+|bRy6TwvFsNHj?F3GcIDS)ABzJ-Tpz6_@8`6@RE5^%
z;X_I2C5nUr4?g0T!LVg}Q{lnXFNhIDfa1Jvf1WoK?xGGJYF8|r)*t#|5r_Lf`^ZGz
zm_wPZMwXAL<Li=`LBKO!xbH0LsxRJu*|@Q~swkW4_aS?&-ZHZ=gx&ZqRV@f+df?B;
z_zFD~=yRR(p2A#Y6KJ6cDp&NwKy<t!f6-{Tg{<VyKc0^jRxbGnu(uDbk1Z)c6EYyW
zLQNLD=0#Vc3rD735daBSY>Rz-slsX_UQpt|?a3>vlVa~J;?0#rB({X`#1Ctfc1~OT
z03Tble2oToGS`~Xm*wrqR}gVSiew&2uvWq+z~4J7WIqU+S3-J}m+FBX#DmT;cB9Ni
ziF8BBI}Xe>sH+%WLlWs?XOkjXyiziEaat=s(TcuQ451(Pw)w;p(bA=;7Vmw978jl4
zG>n(rgHi+f1#bSx{^97PF=deVkdpFOebluuY8bf35<OtjOi%D)cG?(z#dk6pw=@yk
z&4mS&xA8ftVI9b7+INUcejmS=Elb0Hg}f((Q`}%5<VZErB>wGx)?^n{!;tCmvmG;<
z>>#?lA-j_C4jcmi$_nk2N749#vvKOxQetU+e{&x5$zie%-79PV9b7W}1=`HOi>e>O
zMI>S)b#Lpq$b?lYI$`e1VS%@4!JBONDqBUv$fF@QcqBkL<jxp1vMe-2q?t?~Mzj82
z!njdW<J?l+cu$@7uJVg90XHe%c~+XD)cNRhv(=njD>YAAF-10$(@~8(NI{5qSSy{T
z9qRh3wzf|l4mT=DV#}tlY>=(J`T-<25<F!3s^PBpF35M`_krc1b%CeL&ZEJnm$|yL
zh?5z4KK>oQ@1uxfAgWu0iPl5*%1~_OVD#(p>tZi;ZI7gRQTD+^Sa=ls+~jn!KW<k?
zVV%`r8fZ@dp($NCOFRf*(O^E;e?@d5b8cAf5QL`T_3OmeA+?Q1)e(R7$;j!^^aL}h
zC7hHBv~gqeef_h8p`n+;85Fz*|3cC{PrW@^xQ=VjD0*}*yqtKidS6wICU-yX@UH9-
z`L-(s`!s4_C@3XD#dU>qGizb{4kL<xQkIwd`YPnt`N~A2=|paXMc}QIS@277(LvoR
zmN{zhsCahPe5*Z$G*qq!AH7_L+qK9g(|SMm^#~buCYGr$xyTyM;$eny5We_LU;WOr
zKTPi-^_?TrrJK7U8iJc;3Zpwm$bH<h;ctf=?a*Zl4Q6*R@CO`C`xz+5Oswr&Ai5VZ
zqhy&Z-!RxoXIu75W6}pGU!SMLT3owQ(DbA?=6-7qnjmi{j}aAWT?(M(H9_jNL+Fh7
zlK#wE5A^jw*}@@l2(ycE4?RvnLol}f!Y#A21UOCf*7qOMIy)?kJR0q-b5z>LpiN`C
zX%r-G%4--{@SMWM3O+S(Bq1yS9@ptN0p1xpF~h}^#j1GPx*-+k@dstn_Vj=mn{`Qv
zD>vr}Z89F<RD73&NyaV`#&15~vZ>k5<W4J44m`~}v#<@aAAs`R-?A#{(In&(V;3at
z1<nV~&=+WHJ2Dv}36QDn1~nB;I8M_<aL`ip%euOMb5)ykvQ#!s&1}<5CQWh*G|E=V
z_Yt*E8l#^yY~aro&+aTZ_3L&IYSU03wlxr><{DzaMbVvWm6wa692*TPwz*>1|IAVH
zG#$rWZ(5x9H9i;affat+e_;u`q7r!9nAUxG-l!ws|CJ1Y)oyfFZ*wwl1q4y?{cyFM
zjmZKG8`EJ#WOo5wyP2N`y5FC=-<*!qNfekbrX*8?L#kM_zcBuREXU4P=d6X2h7g@%
z%@aEpP%JZVtTHH`9uB!9k%*VuWojm6y0KOw$BK+z>5e|JChf&vyO51UUr0!J#H45)
z379G@&g3bd$xDGPHReLwJ7LKsp{LJ9+WP`2$sI&2ZA)N;PG9;|`#rFsmZ@1mAQ>@U
z?V7|II_OV2((4>mH`j|3XSS(~%4kf|P~ce!#H?Ndk*JdQ>KIwB7{;myk!*lN{>hH3
zq&LLRT(Mi=H_Op!ykrR|)pQEP?MIlgpputB{!-o39LPTR6EHRB2jaNK1JyV5xsj@k
zL#|g*8BH#s{@$UX)KWG3F?kwVXvH|KGl1@w%ePCT2{;!gE{9v!71RpbyURJwXJ@)<
zLfn+}s<~1PoyZ#v3-u|2^NLt5eYrBChIz16;)*Mmvc=%<X3==GCaA>t9i<U?!khHy
zjaClP29tpI%Na848l9yQh5Vj1K*o#U0!T{|S_xx0?xii*bBa_?zA<KLt}tzwH*Pa8
z?U76!x&01dmd0Cu6+wJ}z}Q`V{41?{QH$5!(}UOPIGv~9u5^3~nY68Lk&ta|CWiDc
z!Uw!kVwuR*w=nuRbc=hR72q`1pS*g}eItw+Fs;|cN6)`Z2CYX%6?=Fm{qs-DyfS&k
zI<<+joU~<*qt9zI@*8=_*H452!I}maj`L42(Yx_nis@i(H!i(-^_hcWySHM<`T#6;
z*P=i{?SR|CMxwP*&%9p=I5%qe(%7W;7y0Kip-~zDD`}gvn$~p({!01@Se|n(ul2vv
z`Ns^V@nom-Ox|QbdxIV*$XYcJ3WWbI?^m7dB<JatH9_Mvw$EVe#pS1er}bp#lFClc
zQ6BcnOAo7Anr4ansoz=)SRc=7e$nT{%aSc^NEi<#%3l8^mgm^aiuU|oz^%)>l`{ZA
zr4&2ttbtE&DM5der<^?sQ8<9NgXPzKgYF46<%HA?jx3B`7pVb$yuTJKTHu2$`A1wd
z9_iqeN+^g@qluL7rN4lwa$K#h?#4Rw4QFo%4{17&^9QfHJXk$Sgkwf08!-vY>A0dg
zIUAxhQCQM5e>Q=O(-fz)fQP7=TTj8{i=J%^ygY`kc(^BINgQVjLX>f>Ud7z(g2~ZS
z0@B`TS{^_xjW=mJ*U{i{2301Pv4nlP)ZHJL+FoJ;(0wj7<k7Dc4H3W7%4-IP0g<#>
z+ctPrm+eygL>P+)vu^-%-a0WgHxjaKeWZ=J+`v|e(+`hv{&;|_4deQRd2Z`H@yU)k
zq6LsE{4Nt?cnG80B1$N!bn3Jnvh$OBw#U$J;uvZxXfCNGsWVcZB&m1;ETK=@2T#uT
z8)>GY-1ImN^>vC@v(g}aWdlCld3S$HnQ@}+Z}Vl~UFf8i%a=)vDRW3Q?-k|gCQ^2P
zK~`*Y16V^F5chDVh3!~ku2#q=I*BE=2S({4zeFC+*fVXbg81FLGx6pBOgY&EW=5LM
zwzsildZNqw?wi861v?zvs8O~^IH;%mvQF^cUUo`jOY+cPIdNfwUf%E36Z&yVJfT#{
z68_UcEj23bL&Y`&WNI;%%wvX6rF!@0@JtOG!l1Uj-w9grniKdn{anYPmOr{`P~j77
z)qpZljX2V5pTFtIZbke?R=Kq*U7XVPspn?I_Tw33t9uf?n|-nZPkZ7~HVX$+p#vxn
z_1teLYVmD;E9Y0;{aQhQVCU^O{a{=+3@zvXz+7ix+R?}u<O{Eq88qARdh?1aA2%DH
za}b16nOGF32Hh%9_GZc}td@o*b&)J)<j+liBIKby=N)ST<-2#GoK{3?lbvd29GUCp
z<aNe7TeS+FPJG&3r)b47RyYg8m$#GRM>h734=&JFQ39->Gi2b;i8DWCADVBL>_}7A
z$hdK@yYk<b)2TfYArc@)Ge6yYg*Xw-#+=j`oyzmUtC&|UmI>xU`g3A530)ve?fJ2=
z56s)Kc10P~r!Uifv8{V>$)u2q+@gks^Q}(#YZW(WbdK4#Yw+Hg#G}J1$DIZz-Bs*%
zy7;kP;6!UQ7@{p?q<SWvE|$g++Md48NtX(87b4btR_;DM!)%vAXTVJR4EdLtNP~Su
zau(C(rK_-Mr4)tlI;Dx~No^c&oXcC@5Coaz{CR#rAy9U4S$SkT2s7f6eWdScM96<%
z48N1{#D~yW5@{=J{m`vwdCto=VhwEqGF&ZkQjG+cRRwad*!-H@i3M56@V$l-pR3_k
zG^Hp@Shla<WVW+zGx(cTm*^n3xT5<NxZ6-we%i)Qll}R}TZD9P-eSJJzEQ3I`PSXV
zp7}4{GqPT=xoOXU4VWBLS0DeF3$<IoVA0E1lUi34mYZ`D#2+|QN=<Q5Pd%8*p;Yh4
ztclkWfW@)8p`tx4E@hm7gr+As92JO<xw~YhzM4i!(2#;}=vCkOvHr6+BRv>_rt+*|
zSl(PLcvLHvr_Ocx(y&VJT~tcM_E*&DY6h9;fi!SHcFlRHR<(}e3^cD~cOVfCxL0+>
zAB#9ykrdL!jf<0|;ugEY<+gqPYaknl1dY#PU3f8jay2}-kR2CDEXH@fS9!s1_T-5G
z*gAsUsc|57e#-p2wN>p+L(tqE!4MsQ96@zh6Oh~3Z5bs|Mt_r1FoorL$fjjkw60zS
zFcQ^P*gAUQgi3@QKE%F3M8*e2g9H5m4Gkry&|^XQrDWF#FkZ7G<?f(o7Qi^k9(aw9
z5~cP>>fS<Tt-AYoOCwB{%X&(x5(4dp)o3EGWlY<i=AwQjUSqV=>^T)j*qo>bxa{d&
zVWAa=pz&W(j?1&hW^)S_i<!7@X`9VqeEX(_3yQli<Gbm`cV;r9->&<?p7&H8s&rj6
zNCK)+@%S+Q%<Fa69IXV0Da(?O;m({~SI)MV`XF?vlxm>l%VWb3y*Q~4Kavlrr?J%T
zYL*gF21^&ih*jve`}&7UnCM=bT(Rj?cD_kSeOM^C66cgtIc}|-?`4!rbUG39uiV&M
zB^HHM_(&(-VQXgRdEnNT&%<1TJ8r_MmtGS_li*(5QukL!Pt;i(C>&-#)oGdHhC2+Z
zODclivA*?QyW-5mP%HM4<)jW&nuY3ungUg3lHys{)$zccBo*^VON72V&MSLlVXJ3(
z{Qj+6=5fClgN|`;R%|C$EA8-<LoRG`4dCNji7!KwY%f)5FgF$YMxYsi&v+Nmu0^)P
z{I^IZ`o<VEm4r9Vc_U$}n=D9keBz5F-GkGve(8DatZcGY|1-FbmzU_+*-GZtzQ`Iw
za#$47+lwaDyRU{t3%B^w%cVKc!20XSUt#qAFly90qj%F3vcr4tiWWzO7BNNBB5r+x
z)7EjeKnSP&TtE0f$qKoX17Ei?ke*Y&s<}TWU<?4w;4PhC#`kvlGow<HEV$DHp>&nt
z)+5He8M0)zXFja>^a;6CN}Wx_5H2dF7c7w(Jeb_cU`0&p<L}E1?^tp!#C*!<P7oS6
z(JQR0+(?^|qxvGv^_Fu+iqxKU%h>AJ4HX%;IGMoD8I6Cth!6lfrg)-CV|?LD`aD$3
z>nK#Ngjac(bHTx4_a&8#&$h;dd1Ks&-H9=7X{OO?#U7S1^Gt13;gs|F7+>pOEhHI@
zLc?CXBHLT~?%XmpWIDs&)#N7{m!=RNw+$L2-45g7F`oFH^xk|Ak$CKV)>F_i(viyw
zg)jOY1n#ijy!?Oh+{Wul@I+0f)IEuUdEXw&AJHQ5ABVn~nvg)=hCgJZ>*x%^F5D|>
zoFd@o-i>oxRJ)5GW^a-kt3}SBoj(pjVxY7%L?;XNSJV`OEHV#-80|RoD<T2t?yLnP
zoK$L)#>-#1K2Zso)|O|mm%=h&ds~UFrNHCWUqnA+;+RBqE9z9+DS4;D<9&Qa2Q@iA
za?QRt+1$1#s<sU5pFg^`sK|<5rUq@;pWoe@?SJqgUaO@AXPnArqPsdCBV|qTS!OJx
z1J2Cl2N3Ie!`zxQY3$hB;{DVv8h1@E!gVlCd?tLtxTg9`vKpgusR~sp0`BH<+0CY@
zwrgj(32^R=I0U-q^?mgTdCj@WtUshIRvmgbv%<kRnws#p-c{dJBmcYvAKI+?o+_qU
z@#SJbGiI(IBf_JlA1onL!!aG>6`}y6lNDlV{*<jcwmHcXn($6)=@xg)i~ZJ*{c&3H
zbZ^&qm?CK6dtRf9F|u>yUQruouaNG1SU3Q_Nw+hzlQguEF7~#?@fKN43uw9(SYV37
zW9LhqUfqwI&)@DiDI^aYRKEA#7@1USs<o<DZ%f??9SOGqRhxtWG!@ve*e4BMmTZ#`
z)QfwW&=y;QZ+L{#KlZ;>_sE$>2Jf@1FBOkYB_DJauRc$VSt<0{WvO1tb|6Ypyf#gG
zgJeUOaG`9Wg#Iwjm$v!7)q&TcJkdR5#4h_b*3FXT#KqN&DJcTK9c!JWbLJB&$cGHm
z8lW-8$x09z%-F#C?UOQnh(NMQEMX153Q?M0A}2|HH+KJ4jHX1|eNcd)TE!#e*wq~W
zJB48=$q;G*rm)fAb%QBxNsYIsAtXeOuGKNrE{`1JR_Q`VRaQ-qH6EDYb3W;ADhf=Y
z<t1^yjKH8pnBx?0wUzMg6+Ex?d)6^Z)Q5VbfT)@l18I$fISozsx7?yTXjdmCoaQGg
zsUgw$G)K5slv2UdPbW<FCydAXRu#?1(3uK5@Jby6RP$7|ET2@MRXUyV-LWUw?{&eD
zEc;(D(j5+7lj|g8S6Al&8oHtS^1N{72JWQcENaC2m)f+NHeNc_==~(DeWX~4sTEkJ
z8_m>Y?rA=)`y$|Y1l56I*;8S`Tn%SLhbt7`q=)r1_aO6RY@AnfCSEQufJZ}O8O@Qo
zJFxulKz?T;xDv`gf}*^LnqUR{;QYeu8AxM#Zb)TQ*iZ7ngH!Y@w%EDcHTBGwH}+Mk
z!suzYxUI}q)+BBuuy46(A~LhlVD0`BzJ$AJ!r2O8(X;Di^X22vOYyk+C9n9RTE<z9
zJK=}1z=|BN5>%o<q8#l!6susS96bwEq(J;MO#^JD;Mz1@0|K7F76S(?G;wbU16Ksx
zUhg9VqZGVi-z@|4IJ{%uYYhX<CvHu9@5WA+oox&KIzkVTQ7*Vd9;!q>>}VeDX#O{<
zJY=f;A7y#iW%-a6dFU4T@F#irC;5J;F-E0yc>CC?6!AuN;|a+?v?r0S#7m=8nq=iV
zmBkT{6+#^2c&jAZI_0Jjmleu(;O|$GPcJFZr&AxXgHqH8G$&>8|KRByfMn?zaJ{x|
zoV9J8wQbwBchB0kZQHhO+qUn1|GjmmCz<Xfo$0EXPN$ML&wJRInIh?+UOlQjmW(r&
z#Qi4ilftLPpgOGVxTFp2+JSu;+`ea1iG4%bX3qH+{7j#xnC!7Id+EVL*>{2Oi4Iwj
z=^@z+Q)Q`K9r-8UcdX}J_o3#4?Mw3;_ov!-$M=-)IVbQi7EMAxjxrJMNMJ~gLkV_C
zuu6_=5%x)NV3wU3c1o~fmJ|k-XdsoIPzp-1zmcA363Vf^vzCAwO0qu-0VX7%e;1LE
z0PyWsFmWgfNc?+y$Uy|jg9yvR48?^r7ZL%dorc?BgbBOh<L?T3Mc>>3*T)fY9g1>X
z_)}H7o^^Tj@aD#x8ooz%m)4wCycc&@-JEu`3%H)je66XhQ)*gUT2)mwJT>>Ru9I$9
zX<AiSH(WIjxUAD|SbJL4Ts3^T^unzZc9^Aj@$0U=+^u}v`S|Ic<~-!Q9r+aL9<97O
z`*4B$@=5E63!uLQd?BEIhwJl+M?rVSPwu~CzDzsE`$D4kun3$Wz1>Eh_Ed<2HU<b#
z;0F5XQ9_7hquT%+=Kv^PW6MMEOW#L}v0|%?n29x4auL_kBZrMHP?-sJcXBD-H2h5J
zMObr5*4F)91gdA_jIQ`i=bZtx)7o<8qKt3_W#^r-x(+Kdh571}LcS->d!-A@F>FZH
zjqRY<%A+;MRDm}|hHbz(90M5sRl*MaWt);7ATV(Q2V;r|p-;oS2;lh47%`-6XhwM8
ze(U!_dges)Knf<wj@*+`c;>w(HOJq_lU=u?WBSCrHjP%@_mhjq^rWA@v9`aQ#E9*u
zRu;DQY3b5JpVpm74WwQ+bGHj>Qy+%f*bV=3{c3-$U>72ecAWr3Z{2As{5P|!11bTZ
z=lJ)v`|tZXLxZAGxm3a#qhRt7>cqLxaVj0h#}Df1dh2s_!o`tC2XA%G#f^=9OFN-W
zWX67RhwWy|HCM|bjpM`?REq*Ki}-^jp!9OT2Ul4aUGbCimt4xZgmzJdbH??u?xQMC
zwQsG$Po2?3BQ=$|ag~Es*-}-obCb>TmWP_`g>hF^%u|yOYcJS30k)N(RVi%49&5kI
zI<89!kGbqd!*gesDgLTxbHa{MnXX8%>g$qE$<EQsd(IcA@0{+vs#o;PL(d0azL&f~
zBFa$=l+c)bA2|sn3Tm{3kgbrdh^_F=zcf-|Q|H9#C3j9;^iu)t!U$(b5Q8bqF5YU{
zQ_!x{pFn~Djt|@BO?H)o?AM#q0iNl4j%SFM=lq!iY{l2)eR+#SJYyk}UAgog62Naw
zI1)Mec{!2#!ZMU3%TkYdbq_J`GZJr(72WRm<hq`2B;Se^17B}VR=JyTwDYc2?VS_!
zO)~sBecz-R1J^H!=!XcO0b7sYZ7-Q$3W4MzRGUOqB(6)+K}@Cn_EJhyb(|&fTA^vc
z;VNkkiSI{wck#uQ<wwa@)3^GMza}Ccd`t%mfo*jXHgxM9Cqk2REnKn#r^<+g`|?1G
z0wE`AR&ul5FJ_wu;B?>}!=JY-=Z`qwN{zgF&jL$n-i0$T*15@6<S?-jSNbXKR+LG*
z>Pub_-eQ7Tk?AA1$2p0lfUacS9}LT(Dq>O%OsWWVl|D*6ILvbYHltFsV@)2*;Gu6W
z-@ql8$&-D@8QU1x?;3JFWSn@b@F@_h<|z>)$15KY&rv)P$}|t8v%_<9qu46bICI-|
z&(S~n__@>+9}q_Z0%8L0?8L*<e+rFJ?&DJ1ZVOHDaK_SNgytInAc@TgfhaUUh{Pih
z&yem5?Yx4ABywRW67%Sd$;BB_jLG@c$A9}cr7{#2@_5dr5YA=)-j#qn3ix0O7}D-I
zyx<c4C;(Hk6ai+!#HQiw5W)9NXx`HTwY{N05?jC~3RM|yl5%0V&MP91&e%tfL3bX&
z2Sy4-_M!6s!ENMSY;vL@yd(pUo7p+R7w*1QbHf1wzg^k<%Z4x=<x=2&CB%j(a*~Qv
zgI#e72|;xRq(pZvocfc%a#RX+c@Yv<Df$QzXw&CiJCUPzOnXLx!S$sa?Z}eCAp3x@
z`sQm`?7OnV@sRQjYD!O#$`&IOK}}FEBxxk|M-X&O4r)??1{E^d=4{jyGr4a`Y9cVk
z9ZDsLTX@(bxP-3GHm>|#tQl<i-$PUtq@kii@@~tU_2`Z3$ClXr$0u*J?>!$w_9GeQ
z%$p<mZi6@Lh;M8^F?-<xOMRTg$tXY87Eub5dpx+~!6rNLoVZKx8QvD~9$a~Ts`3GE
z_=5U-F8!7<JJg)M31R-kB)<>m6p>ir26s&UbAA_uY|BKzygO1{%yokQAE(@Yv0P|W
zQ9w?4N`+IAGqGYK<6HusS`eVj#(xDi!SaTG88H(|#|Uz85@d(-7iq{vScL7%F%`<t
z#0oSBv)W-Xm9UKzT7K6JU@G!(7JDd3ITIz8kmdm`fe>d_5NFo0vapbLx=Xo9E*98C
zao9$IEy6Ghsa`jbEzy(u!r0_u`F}ccXIVs&EE?6Ku{WSpw4F4q4)WLz*K9uM;~dz;
z9N@gT<E6CCP$>x-DJsU2QD9)I&YrgVV~I1Jg^JIMbLNHBrnCRlc7~PNvou9kl(A&J
zP)+7;_>5R4k1Oc(NG0E4sbJQaCNbC~RcRSl*-vU5Xm=R1)$FaM-l@JNRaEj;>%>Oj
zEL3sGwhTwMB8d(qu~Sy}&Dq07=cBg>=&md`4K-b^UAYgRopKrkUR-iIc4u4!V{5yv
zWHEJV(QWodZ(~2LEq&wya(VJSx}sFOuC!gy$7z47Og}IO0@}mEI}vS(X`!p$6R;(B
z^Q}tTA!Dd7VeFH3jNvpi&&7}xpW)0nG+>x^ta<eVwfs96vSB#Lx+diP(SLz(9a03|
zsUNc5bF0`GctgI10y8U59@MKUn8L`oV97iyX|d=23(mM*<eG;qi~f>V%G*0VpOJN>
zuViGJ=lBr$2@`zr@Xmbz{SI_~k8=M<;#~3_Dg0vMozdeS<ckvO4Er5Sb!WN7{ifrc
zcKi(d9nh3_KE~~4<ej0tLDoAO@;%6>kIc77*WS5|_Glsb!r^iM%@edntBh*xXSp`z
z$%IaGrlc<AZv3h}tD?gReWz8^^&#rR3BQJ;6uj*x=h3wKo;fhSZUZ)Ii&j16oWW=?
zTb2E}Q{N*Vw-$+O7c)`yn=hooiNEmNxT~L`D|W@ml6AyMDEcgPG#s}sdmfSFA>`W+
zkK6t$EOHeW`h4ddo)HGjC@u9P1=0~9o+rxB&DS=54y);=r<uWYqZ#@){I|esr>ntw
zqg%J=vDs2ld(Fy3;_Mney8%Zv7{4{6g01@aSfw5b*M_Wf-J&sINj=LX3Yv2ZtJ1HB
zRUNr$NTYO9Y04(e*p9ZM{h;0kFQv(U<05w_$OXP&s|&05<7sYhzZ@78-_OxC?c|z~
zPaj!>qS`h~S?+nSwJ&1`c6;-<xh?GkX`pQ|9anirnq*_)xiJ5Vvf%2YVi>L#c=i+c
z>aWca|F3hJ9v6mBDDL>7zDw$J?ZA~?)IMd*KYVl1{+NFBOPg1qb5s}5jq3V}GWb>C
zb<C8<TqMX-{lq<c&&>Bko+5Fr7sp%lOVD%4=XeL=niS*08r4JMTGb@7psr#d@yJf3
zb9Lglt}+VGiEh)An&*;Y_kb3K5ihBP-+mnU&S;C$bjy8JW0$S;H~r2We98x+Pa{-b
zk1*fR%q$ArrB{{6ewWb1o3T$?^8?kF1Sc`lYm`qx@?C})@r1}9_4S)uu3gvntjW!T
z7c&?#@1Ax0dHB+?F{;~;Pr|6(O8n*A1cWp0>lmsBvQP0>#qUJYPjg?e?@B&sQPicg
z-v&-&{C5o+OEj4;f5gFru99b|aaYe}P4Ao(sqVwdp6x64rSHN{V9$|l+04$f>n=GZ
z)6JXb?aP<<v+pjx8N<&kU;aawZ$8PF;*V0A?{Ur?zh~M{e@~$Ak?tLC_jAo&X`RQX
z=1(&0&YP=-zt=6#7yg%MR4lU3{(|pw&ROoN)$5XP(9dxX!%xXi*^uDC#U16(?9a;2
zQP20o4|B5YTj8@8ZBBv4HcQ;h0c%P>xNlz5ZKQC$U74JUb6)ws{9wg(tg5aY-CUg7
zzx;4^__>uprSgc(Wgr?#VCtm~8Rh&X7Jqd+nHvLTV#)y{p__u){K{r8)dd?)GQ}Iv
z6~NG7r*!@>d!Ef+9xXx!FM(?D<YJ6#qmFOoe)l4nt<ax_u@!u~v0yEOq^c(92`J_w
zrSdp=Z>KqV@6A3939O{RXzP+Xd8ez)O8ox8Dn<pipf#YK@s~W-HI8OqNtr!dn*!(A
zEM;-?sUN$gL(U+a&&6g-3jVf4FGJoUJF`BVoN7F4fseQAw3vyt_{(n<dorWa>Z|Yo
zoexk=mX$muAFph@|9uEFRAa^&nBT)lh903W&*`(;KLY#49#x>Z&P&BoC<wkoSU94P
zOluc&PoNCWF%xqvdRxS|#eIl>Rgv@5V5lm^tKX53ivQlVEQU>8qrV!=&RUqJjNf`$
z1gNp`oLl3<Ee&&$;}l48GU8Nd+Pg6wNzodej<6$h4B}E}-yDnIlSvM1Nz}hT+_D<Z
zs(tu=B*+Sx7j&3EDzM9h!X8bvV<dfQd&J2)v8TbSHXaMK%zJR~2;!+JR^4OApuF*P
z;+4P;ig{BTIGmL&%PE>UjTK?x$NB>Mwti2x{pOQAMj+cl6rJ1nsXnjcSqNZj&gwMk
z?hN~FO|HB%XING1tSbwoTcOzOpWeI!u2;HxO0L_I93vq$WZ-E|5Hw^EX-t83N*gRH
zRA{11X-&&4)+TmVwk{+D_aZ$Py2^B3l0B*DzpP)H!}lDDJXg9ZuueC3dF}AYFL<5s
zDaWr2%l%fmt`%R(-t%03`GMZmgsVJI9c211+?Ub%FF=<vdN2I7AG2MT-$P%;KrbC1
zg68bm_P%Ys5HC4&s(?~8k5Rl8Sfks!;GePeKCAFlP{}-~IwfEJ7C?6~kVYKK_!a)O
z>{&RaPT_nsUXJa2s)Csy1(_hmnIH*!#I33i-@HGyChYKN?C@~=-0X{dS2-%Sw=YL~
z&Oy3m>6t?f0^HD^Si3T4<3@xN2smQ`vDB9s!MI>t8v3GGF6^reKwR9Hr^Pob3oj$N
zB1DTAMK^TwFQ$9KQWy9Oe_x~WhA|dH^F){y#rUJpO6R~>{*=zav2f-MGcTI`!vgP(
zppG0B2qc6dkZcYSZ_)>-I$Vo0mCf!j|9T>9LDk6ph>2U8Tl5+|2Lh`VGce@VV|5l9
zwZ>8KXg0{yi<BBRs!wAst_?(Uz=#`=abTAQGSt#XQ&l65q9Kf`As@yV9^F$@TiB70
zWSiWFH6*T00BMfxN_~3BtrhhyOT}pp#PKP>$Vr{Lx(crguZ!)?L21w)B(BArNhJxP
za9H)vxsJ(!iyt#*ToWV39y{zVw1@dIlhRG?mII&fq1>9fMpK^cr`)o>ZjQxqL2Fl|
z)2<AmO%_GJ$cs3d8=^cjKz6FbY+nV@whE?Yl|jcIajDo;yr!6HE3z?n)4oo&g!|b7
z|G9Fs+)SS>XKj;CFX=GeL~9X#U~Y~4bzw4_zH;d3zrbrD>*T%2hJEv$<|zSu-}>W4
z@sAGD%N)wfT@zBu+@AtcioyvWB%0W+5c2;=5YZ?DaY*b6P@?0zV&FIwAw=4Cg#gji
z_P+lsNMUz~Phv;xM<o4U6y!&gAfYEJplRig0$E7zk2usggmfwghC7}on4){0LU}g<
zj2<r~T`aP63G93c%yJ3bbP24Owk%aa$|O%Z@57vqhb4^{RU9I+K)%4TTDs;>GrEDK
znJ+QfIEo~x6#hF+;^&eJR=WttwF(C}6S7KJKBP7U*D%2HuSI6B3fCnO7qy#XJz51D
zZX;p<?x6O-r4zS?nlvM3ta(-3B_8Wey+QF3C276Pr5)@NhD#8)jYRXnr8y|8f4a#r
zY1nb%%8N@EbQ1t&BgiGMxDA}VA>zs)YL&z#to%};Lum=aK1<ssr2>ksx`paWLRxPm
zPTO#Wyg#nP{*b?8yLyGZ7)O5`vt!I=o}3LPZp)yhbi$@dGpTvwk~K<iHg3yYf2XeF
zk~V2=%O$3~_H6XJ;e#byQS>>N2cz3}6c1{L8)tI;QeLxMLDQszMbGn6-FemVIdlE;
zO>gtyx!pTg<YTs5G3m?3w`}!W#?&A6xX4l&^|C`+o>Kz+e1BK|J@)aAa-grE_A;m7
zTyOs*_~gMq=H)0^*ZDYES9uSYqG!D(`N8rNOZm0QrwZzevqy&Hbu@Bkm#q|^%KRnc
zv-q}i%~l0AIDY@QaL4v#<B3nv#1C5(LAWo+{fvQ$Ns;a;er1w33_d<|U~+O2#`O-+
zE4)zxrB0-?ykuQhdru?H34as(p))_SP4+rr%D(5YRX6;);=@8vi^2K2<HLsNI^+Yf
z>wV#ic}82&sb@>~;S=6gB4(ZlqYJ2D%Z>v&j;NL$!gnjS1;9PvXKoq7T5xt5+?r{2
z8Q!{Uwpo-1Ge6sHb-Y&vNK<`vyl)xH>PWu=LesyB+iI$Bnbit6q)K@ein*TxA|tpK
zKp(DO0s)QS5+g8)oRP2|^$JAUkM=;H3S9GTbQx07ff1=0L?7^fWvn3kB~UVXpk&xU
zO+)<`r2Ez+;SvNdiVl9itxtuwUfEV50Lw}|%7VE}ysKI00un1?QhGoO@)&4qL{JCs
z9_aAM{4YN^XRY<9<_I_FEAqE_AK%n#3Fwc~?F{)h<_MqRYYFO4<X(=-=Yqd)`Ku}7
zkJ8=DpKpqT9L8_+0Y1%FQ|KS7y&UgPrZ8X9TUpSb$o(9sZ_J_ppM(0GF#N^cY@FQC
z=a8&EO+TS-!U5dLMB9*-I7Qu%hRe!?z=k|Etl^?A32bR@K;v9l6w<WVkSx7iKdF&k
z3Q+cO@I6T9d*HxoFTf>p+7F4#o`+1fSPQ6HJyl<=Gf5weslhOiO7fg-lXBWPy;?tg
zUg<n{>py+b2`hI`O71?<o?mh7EWNUylF@FRUCvh3(Qc{p;xwZ{?sbLIjT2-W*S{jP
zcd>-bQ<q!fVWKnhv<cK?D?|4*->Gw!G<DXry~=zvbCI=QBl08pB#&Pe0ktXvYBh`Q
z%_0kpvjqRu$nkYBT8()b>_;9M&7)yr!niRZ<;$H(DkYs-PH)o+we^A-MAXDd1f5u&
z^}MjY$B~k<>+k8)N2eA5hgT4Q$;rMk?z0Xd(i(_}_s-H&Twf@+!{sx=dfU(6X@^6%
zdHdnBgSBV}$rAY$#<#?q^Ts6Xb3IelhscCu56|xexi7i#qUtb6h+_{cn%RqpZa3)7
zu}@a<+2E@(p~_(pL`2GNaMbgeLSkmXm);sldYu~vna&<gS}l(JWAVvnzK@ljDv3-~
zA%J6$q@A9c8-|+Bj>suk0xD$>p?FD#zd$IBGyl3rZ<S%T50tK!7sh2~5JY-xX5ddM
zBZ+)s1tG2V7x`sw5R};-P+Ch6`NMut9><>Mv{{<jp71hI`^tjuQr(|a<-ZfI3H0NL
zFa2>FwG%^N5A-kGR*CVNLql*!2WU07T!bl`$x%COSn!g^2W-l{Bq^68!eMg_s7hC9
zDVL+dqw)+c6zV*&e03?Cqr*`Z>Ow5s7oWwBMilB$P%Gr?#FZ*xQL#maz~t&=lqyAr
zjtdQJD|-i;5A|;v2VNBFuuwOIhb)vXAy6gd>(W$~H-qKtgq1G;Qa&%B-PJmCTLHjh
z4-71Ce2)%Ta9bh5|JtR-NjHyN)fJVhMTP%HRQMb-V-I{I&iubL9bmvl-f}|6*Skfh
zQW##!_FGb{`i>i+Y+!e|LwCX%KW^~j%rr;iX@LyY^-Z$}k<`9qI)hBD{Q;R^GE$sW
zJH38rWH@H_h23#KZ18Qdn;~1|24?|JdsVWcuu%WsZJHVd>x|&$xu?_frW<FisSQ~V
z1z<KdgTyXn6p7ol<@8GD?V6TZEvx~6he@svWX=DFOEU8q<qR*rTFh0fJ-}@tlFIRp
zdYk1e-0ACeHIi!h2@^eX!*COM_=>(-YxwJR^EXY{%d$Obg*`N9s?}hV_aNN9uhl>+
z$KLce>*_t)^sYi&wGet9^|ubsLaKRK@fEVID$=bRnYim%C-C1C(BB;I5%<Xs-0iIx
zzNwD=Ey9~?)|+n^n|)oy8aLI>iwB#TjLp35W;XF{p53if*NVDGW78-PBG35e!!jQ6
z^Qf|vMNK(dsV>?lutjXe8;+;>yiG@P@vdq?@sRt~JmM#nQnuo4&Zl?}!*iZ{iWOet
zffDW~im^UtI8yM00N~%)69>ofwn%ww`>S{_Gq{2oXO7-{wMc*7?ovgE@s0!eX3p-3
zFTo{h8w^F5Uu}|_Dd~N3@>1e_5{``RbhuTjYW!ApZ7?g%HQU;FviW{Y`g5Q3+YXtp
zEvx~iVyaf-zsQH7l6rvCNDUl@YNQqpLnT_j33HibfYVSd1?D1BUz@%XI+$g&)&^r4
zcA#BfEeCTMabTROQWu75;{Treo5%)p5v-3(^@$wxQ+VrZ`5~;_lX_<Q9%iciBRWGz
z`8M>k4fJF2$^zR{w%5Y)8SSy7deejYkuRY;DPwGkG(-6n!>GG>IFbHYL#n%QxMAUi
z?+o>v(wl*_4YI9uAU*Sq^qf-uMRIGh{*5HY6vYf%c=ksc)SOcc`8g&3izK#K-xu;j
z^0%1S1EM*QIhGjmf2E8IAq&ekbj$y%Dfquq5zKzf(uHXv>FK{m$5`eb&ndM%%(tY!
z_2vWvE}rGe%t0ZSI!18@y^Imt+eSbxLN2C>WYH$z8q^m^xulLo)33qnuyx<BX~KE-
z>O0mLtrj&W%43Y|O|k8;uaB<YbrtW$VfSw3A;xqJyJE!!D%Oe}p%L^K)vhSkIu5U&
z`hGooWa`h%N0liR1+dDk_0nROTIDwTHN!qy<r)HOW1p`6T>+!SHe3HY0hZ1>TkjVP
z%luh?aX;acuztk$)y(aq>a%8DQ+bf&+*L1Qe#SwwwK&6D)%ESmVSYvN)mfGU{`i1a
zwUyhXF4<ys#aeP@zrNd;wg6T#mC4F}6@3mDe~z?{9QYgzltbDmh`UYPcmcI}Qn&I$
zO&`NkGyv}OiWalATle8^bzHZ>?ZOuZi?l&h$8QiYXo7@I>>@e_4)YwConulf2!;*Q
zJfa=YVRD_`W@)#A=Q{Q7o8Ag$2|JFJ*d(eRP;c_P!$N)mXMDxM1@n4tUC-$hz3LFX
zYEZt$VGtoVi4-mwxQ~^QYK*K}Hi$~ez)$ilA6B5W|0juEgoIWxEX_b~Wx??MsrGcG
zs&Sm+nV}ZEai6{_wE)%Ce2BYBtq|2xX&*19RrZgF*dQ`eoxp#e7y%gi2<WE+5Uv<|
za3O62e~dBqpoygPgDED_Iy}<x&^tU-Y;=`sCayxx9X-Tq@zDF;<5k)Qy7$#|7l7aC
zCGkzlZI@miQ~9;3eU$hXfRXG|g{bR;5tnNPFh$4*^t<T=&_puVeUi-KC0vB$F+{k=
zjICG<ODx0dSe_FPj0~`gFh0@(l(D#nbWXT_pmj8bEVLD{^&5|<RqE9;hFELW_=2iV
zYT`RZQY}N9CHmV3RcM+uWRyw7n=mb?c&v|$Y1yI>6vf3~D9Uo;mmlO)VsvijTyOgD
zr4~){Pnc1d8~+6>U|}8Q>cc_7X$<rC@l$|<0v3TJBFhQ?r2u?FltY-+0D=M<ha`t6
zP5I~l4-Ar=B)13z1tbw^R`S`reunWG@>zYHx9@jD{Q&uJS|u~iiMm9-e2DNCSu;)b
z_V;%9Eg`;UO7!tqH>2^4X`FL%nV=vmCo93DY?#Xso7vReG26P`nw?qK$F=jjfIcPD
z1-`otWT*1pN8{+r1yW{ub~X$Xi*pajs~~lW*x{d$1yUL2Aw|F<i~`fBHrQF3Y3u;Z
z{Ul#M15%slA8@fk(ztZ~Y(}vu0$0pJ(_ntM4|H~sKQD`=SDcGnpy$!gjhfEu)ojui
z(j7^~ni2~-Mdm&8kMiao`3&B2DbE#>8_q@Wg$=>>X!BDTLq?zRcanW{z@PKGDWZq<
z(dtl?6mG-^aa6?jsk~6v7zEKYgK>x>q{|ow5&qPS^=^OBVnz*c6(bpju>40M40`kL
zwJg;w)g8*4@|*s&m3m22>MAlV+8G36@&16eANO*&0aDKZ$Ety2fb7;ZUnyFH^Zbrl
za=FkpTQC0(VB%IBl)XKV*d0M+x)}|b$8c~GQWW$CJr#K4I{d-~Ho9izxn_@4MF(_!
zInc>CH;SqqB07vH<Vyx(G0`-vE57h<6IDA;pvgG@@X^r<E&6Ug;Or5fv`#MBpi+o8
zD?D++W|+sZG;{3o%X%(-bi=TVa;~)rXdST1#~+a|<W7XDqiI@p1mN9Au6XTIi6Y-d
zJB;)3EjHPp(+F2PM72kyTZcKjupjErcx;7qqaCNN)(;|p-noMk4%go^334apWaICj
z_;)_W68-Ui7Uf!c>(@GgW4Ko`n>UQ-NY=0|8Nj>CWb-=AAQ)kgarCoW=}@dxdZT2y
zU|G|eu&SNd!h7mu^S<2p=UBO*P2LYX9F|c0Hwn$VIMuW*%B5q(Q0F#T)(hP(+A%mn
z>ssVsNK&;_qryjVs->UQbMwNU&SRsb8=ifHYhkF`E&&qBh+Lsy>Yw>=W#gL8i+jK1
z_FWo2&@|+<Lm1VTRlZPK_>u*iSv#o8nnBJ7&zbSf`(}(!dDRsLd-0_$+!-K*4M1rB
zt#TXAFD%S@!z8{Ue=N@hyy^e4#HJ2)y|}yzhG<uTX)YrK?TKXu(^};yk&=-r2d7%m
zV-AEnqh#-RzMW9^C9?*?5eAJ?!I<>nCPRd4QB-;@;tSIRaIHc(;fBLnF<SQRJHu*>
zw`K!-qOV_1hlEmr7WC03gFtK5M$f6+CiGaW{#DgNmtzd{u_KXHY<0M}%nS{+{&F`|
zHlx7r*t3Tw$_dM^Gu-fVeu46le7M5sP##JRLVTosN~wSi`gqiVB(*py43|X9{a~vw
z8+v3gdEsc!!+yae7yEWNVF&h<)5AfnI4k=mo93L5A9v*0!x3({H~WTOVK;Y{tKTAb
zEd^wtX#Jez2Y)l8vG169VO>`Qb<m+sM~G9QnDkgD1A=OW)Dom@IVuCH=mQaP!Vm0e
ztB14p?DG1z58M!K4-~y(_;9`N7(&bFBdig1d8vbsYO$6FOjhBHl^6^(7gz8@4$Lwm
z8|)dXho@Sx;WyA8vW6?%@OAf1KQB(v86b-XaGHm{f@(pM2PoB`vGtg&0<!2)qFo?A
zlpAZ=;0E{Dkwy-bGNYge<e4sYqciOJvWI^u_B#i*BmY9j-YJt2M*}(N@zMGe)Br2=
zajgPrv}jeeJP$s}MsRY8+5PE1RcAII9UQc>mp!q6e{k->|4k}vG(RA0xOkLXayBOn
zynJbEvsixnJ<tBa5WdR7<UXbr#R$Ss=0^!4Zgu4e4}F<<4(0yd$w~)8`hs@=kPrM*
z<yG_!$Trj(`+|%9hD-JV7xiIUxRnzHrfFmdh8rGo!@x)WtZ{)D=t=tAZo}?69qHZa
zpuG8$Qlq{-UIeS9F;#@Br7>CLu9ZGkM4^Q>Qv{lue^J97;s$nyvJW{ZeOJp)1~=sA
zMtZ>DG_Dv%hSV}tu<zfhnTasa{uo#JvA4F-l<5FzPwBloZ%NB@FmFh^buceYtBqK)
zFHWEoK0*&~h}XLr(FX0vb&NI{m3krcnf1bgPm;(Gn%BdQT;3Cxpodx+AYBXV(#OjV
zGO~;Eed&#Sy+4y<yGH~>Qknt9EMc7<TAZI|#;XyTT##f&vmV-<pJhhJ85*6Ra7x`C
zTAiP9O6w7toqux5;t|8E$O{30itmT+Zp7VDEI0@r29JP${G4<N4#538yRHamTEu99
z!V92aZCOL)GvN|=5yWK&)z8yk(C^rP(GT8#av5hBvru<UtNv0&sw3Q)^3-d!Pd0d?
zej?yG?U1%<XY;2_nnXvoGun;qj(2}y@FkQF$(O)qhO;Nq4fjrCM;)JtSH{cl_0OHQ
z+~vn*`)uG$wWg{pK-~<`lESw<qB%x+vVRR#d$s9OLxu(r%9WnE2^2|We%Kv7WN|-C
zD(r(EAvs8U9}d&y@#d6!;sf~!-0zl{jS_y${P@bfY5a{33^>cD-gbnIs;ph^5m2@^
z!G*ZurrfkLI!KxoOzUKbRT-#wn>vR1nEy|I@rhK<L&(-hZAlZO`B5hL;9?4f>__E<
zb+ZlC^}07}LzpL1RpigLAULu<lvK&e{<kv>m4|b-#zJlN%F)^r%*Z2H@PdP}F$lyQ
zzHW_&Yc?zMLdV^s4R;r~?60r~+4F8thr5nU79%~Z%l*&(c<#9Rsmsoi*Mnz^t&gJM
zEdyPmj{gD{tu+R2*g|x*OP!?ba9BMpYW~ECId?S$$ms0hoV^*+z>u3Q>q^hRi=F<Z
zU)|urL3;Y?v<iwtYM@Dh_M*)>t}UZ2m@S)cOf^gUG*t7vU$!J&L5`$W;wu4%vO~n7
zU>PKRBqlvLS}&5?9(eZ4bRS787~3A)W{Bu5N_L;58}Q8@mBJ*0R6TKM{#=^j%j*BT
z2mf!IYdyrJTg}q(abT>Z?3y|1`GCe}@%Z%y!XP@dUi|HtMzqL%Ox)DNA%m+YqX?dk
zyvToy;atlhjJyBzQ6t);^4>IGljKwNXj!C7^`+6In={s2Mu<7=NK%Y>Rx}!Ui)6`+
zKYmRnG8W=oWf~kV-%cv9HZVl4u9&Me6{HYy#(5ai#$vb|6U2vgOrDCI7Zt(^IQ>i4
ziX$QFp-WB-S5RD-SKyS8#Vid=CucIwt6Y?_PU&(`lNon!qii|K<4$S0U(0m#$#(Y9
zaq!Wx^U<;Q(Q)$0cJ<M5@yY&8FPe|ZK`(tgI1#4&(l{HLVS42N?NXfM!t6?z^#p@A
z&G+CeH$B*cX_OrpP<O*n;t8d=BPlCXp{uv-hpNCnVlix*QplR?n=~BuGNC@1Otv>k
za*{SaW^{&AL}#)kd_ZF`2TVx*95S!+@5H*7V5i!x3~4}{=47|zhMUQT-To2(3;Fe-
zYTp34Zeqr@dgAh|p5$#4*n@hHHoCzr`Yj4n-2tNI2-$jtWVb-FTP@j3lkyLn7SL7e
ze;EZ9e99kX>#|Ee<<E*|WPqyTy)xPv8DH(qEFJcG@Nky`H_8rn081Zo-k~^`M_O<W
zw1|&~Ob-{X=4I4PMRkqI)AO2O72pTP<&!Gt$^QZHxQu&nk`^51Obp@YtXwRlGL&Zx
z8Xz>Rcr9=<G-r(*q0+5%_!Fi`%<4Hnq*-GY9sxk%<!|Gey!tS=MW=Y??<6AQnF=l`
z#_<X+ImWYNQ$$ZapV8YqClXzy+=1U%4rOO~|9(K6@U%gf{HlRE4pa6Objl^Y&1tWS
zIv!K<7&ROjwU5UQq{lt>P*>3$u2EdBQJk((?5-1k_g$}1oUapq4;`;j?5`8;uDy(R
zc2-}|pTE>2??3m%d}a_Wd0>}E7WBTt<<svH)qdZ6?E4=P=<$lms7nborS0eEYb{E~
z+C?p}r&INQo$9QGu1L!%38&XQ8CC$c?N2k0a#HXGmcZB=E5Gi+)l*jVE=Yk{fqG>8
zYvOt?NS`w^!y<Y%LdU_T670o7L1>s7DC}|U*xO0gPTx%FFFAaLv}lS3OeB!!NCnmC
z=LP~1eVan1lELkTrIOL@ua{)BAL60yZkLpB=SaENJIBSD6VmP}8TGVm##%PzZJSCi
zZDpqpic3eu@e|UZDH)WDgsi9*iUq7B>k7Fv$m<db8IPyp5!sQa;vw10r(?J1Gld0(
zw-7Vg3EZC150@NMj&~q4d4}BRvR|NkIDriawEV3Adr*N92-AYCpXh-X2-W<puzRF|
z9SAo3t$=%QfxVAEghZ^^w8kSvm92@ODffE{HlJf*eC~H-=--FEIo!UIv><KthyJn9
ze`!J6*bnn#B?V}~+8_>*esjRvxDV@NC;nE0wJ{!s$5sebgR}u1QpQ%j25OV@?&U|c
z+Ty6(pe|Ca*5Dy_?WA9<#4Mh?KM^Ih`Rt*rP+i!Lx<5(0Wr#AKqrRN{x{wzleQ<3#
z>Ic%Jfc`}QS^?^sm)h(e;*p*MWDW0JgG&Av8=4xJ7@6sh6f~@7ue8YA==2B^Da8yz
zY=kn&&WT29k{saLhFcAie<=B^N|?U0netwSOk=yCTcL-1`NOlbUFU@W0xyE_i?00#
zch$4-UvHBfke^T=QJ%pbQk=pZQ=P*dRG7pVRhh*ZR+`2dSDVKhSdhr@S4QdxElFjG
zt;yvHE=p#KuFB>LFH2{OuiL}Ne;d2{9}L%O-0HvjO0T|ux`l!yl*^ZLRsJ*j`Gt$-
zD`&Xiayp+a7pUg=0E59|vKlO=+9Q)nr?DC?XSze9(Wo~YETubRvs$k;8?Iz~gTvu+
zxa=>cIik~Qx49fFXL-Wo@wh+lFJ<J$y5jSCzdawU<ov5G4NYwgEKF>Stjz56kH6<D
zdyGZ-?^13XdwxBxI&zFQSV=c*I8CpxRsQ|u_YZ<VCDjTPlg}RtMJ3bm7ZQ&z5=$c0
z4wh1{KN?LU)BVpKGKpNdSnGdRU#eW96ELiM<Lmpwx5L-*?en&=#)titFeIJc^gqzF
zjCT9e=~BtgKYqdBC=3>p%|LO*;;B>?(`|oY$>b`vCX=mTY0c)V)h5#&KS9yxEOzJP
z%^*qD>aAAilkEUe*=*g`hLcx`Y-*_8rIKr|B$$FU;$LlZLfwB4A;<sM`)}y#IWoHX
zD(I=H;7huGkjwEjrM!dY6anFhf{gDIHs_03WGWdjrVl%t+$G=|mNH?;5M)mrV9z9C
zkLQ>)#(Plj6$oj(>4^ENsT$N-+4HWr&30DHD1A$*95}j@_?)Q}tP-dix)kygJeOyC
z;`{deZ1ahG`NTt}Q*5VZ`^Ur)(ZCVn$Px3<_7A!(RI)8HqRb=b-g^pTiUDWB9%lwJ
zb5uNYk|J{&GjrUWR^pA(A<NZc>27PMX6h~p|7RPu@RRvyqy2ekM@Mj+ZOaaCPaf~U
zK6_U@d*3{JPd)p<U1wKVXWv+7Pg&={d3#rSd*6C{Pn$OteoxT3X2mh+no*G=LTwT$
zxjyo!QjerUZHjZbA-Kn58aeAO&I<*9YQ!wD;0@Nw2svY|U!}P&3-{6pUbHS^E8TwC
zcoikXV!^6?sy2;v!ej#{!?MDvsj9B2d3t#RY{M+Ws==gY<r1`c7H!Qy(?HTXjiv>)
zxqfAh)?u7y`6)@eI_A55Wa$ld*_wxSTx0_S+w#DwQ@S>+i`3116!I;PJTb6d4)<I@
z&<u(ukH#tRnx2jtB4ePrmg*Anqu<Yt90ziwKg^CY6Y}J7RZP~>(R(hGl(_)3%1n@p
zb9PKLSJGWW%kKU}$1$%BmKHmJ9wTj3fHhc;JXoJyM34B_1c&>u03e85fI&hooH5Z6
z6u+3usEvB7?*b098lF-vj8drptf^Fx2kX^tO5FY|-7vji%Ljy*5Yu}W{c9E<m>z*b
zOc-k(7wmh{9i*_JCj#tSEl2a_=LDn&lpimK2hmgE`}qBAm8s6uaAqhwri-A!ZyhpL
zHbs2;Ld-sZKkKO7qPOqp4`D^p8EN*r?)=r~k1GrOhhxsR?)%~Qy2YcfvUmN>8PLx#
z9zuv6hUoX5%q`yv=sWCBmUphg7a7x2@~N>@{n(2NWrnZq(;kuMmDbIL>eW#gP&v@;
zp4Xr^YWZ;tW#Y5ak5`iaxm=I_wTKczk}!+B;v!;HG^xnKf%nVO+^|`P%Qn0yS;51)
zXAdq9y+^CdP7V$alSlXSjxKH&hllCo_i4d8!;it^)al3EjQ(i=vynaslw2?ta~^O3
z1L6V$dPE)4MICB~J;I1RT8cgL%ZT8e88@Qrh~u3>CsNIb=ADff0{)2Uov|14FU^?8
zD;|HB=@TL6Ai^uC=7FYrBIYUKONwuY?y2HSq-X2qDdbDscU$+V<qP<0;LGqU;fv|(
z;Y;$X;tTsr^h@<iwkij<0qSCwtZT7(U5Cqx?5b0{Y2*2?XDiQgw$)7I$@;`q)cMnn
zCBBODTl3ef&$V97KINN5b#l!f)|*CkQq2M9n@4qu?Jn4xh>g?s_MkKbR##fak!GuK
zcarAOMyqsp*2WQ6t6+Bm*HK5SWOqi#k!P!DcZ%oHN2_di&c_kB+h3np@S_knF`v|s
zEY)@*43rZttP?J@6E3_HF2obAv(Ec00pZNsMv)q&VJ7?j2K#=;X{tSU=3z{_K}@>e
zcnFhj1hZxkvt}5xW(c!p1k-j9({>osb_mmU1oLJP^M;dHgg`u6sD6?kKP{r05&p}F
z_k98gCN>CzJR<f_L>#4LEU9GN^}onLLEK9s3~Ih`sW%3ru^1vvA0WX)G6p3dsDZ;0
z1}z^jqC-;#1s^z$`-jma-M`tNf9{V`<Oq5q1>R6m#%l7_d|*lLFUXU2{-%ABjvvvz
z>J>S7g-Qt*NeL!Ni8f9Cjlv1k;J|QZM1Ep~hOLK^uE(0HN293+tEz{yuE)Eo2gI#M
z%u@Jj@d6UC@~GrxxDe}<I^h#6kThX5bzqKI)l;<clWrELt%WzWhlyA-Q?$+-_U6bi
zRPQIvFo|Hk9^t?lQDEJ0(yX-ioj!6)t{XC0MT!Eq!y~KBtYTeAw&0F^;D|&0U7FM^
zb$~*<ORQ4AWwPNArPvmmpgshbVMxU+bMQw-pM}f1y2@!=Wz8$&BzMK8ZQbJ#3!7wR
z-K=eTc=U-?#irKYp&%+H!^(ft3R&AoG1H!+q#>GzQ*#)zvgEpV&npq9Pjn*AD^ij^
zB!VM}<#OJgHpLFhvg{;yGnNQipt}-kiPiz!nfR<$YzF4RS<97W&xCoJZv~8)cjKaG
zyx1XKVe-|u>=>X*G9F}aw6xRrzwyD1=BNtOjqR=fJ$^QtdDJ;rpBuMupS+_uzifLD
z_I(g6&)t3uA(&NSnha`I!GVU0eRPm?{^cSR>v2X8+bc+0j9ZPtp_|D=EFR-qKbQy-
z)RoPo*;p<mTIDE01Nrn+589W}nct|_RbTZq{WucQ&&1YM&?Rp7%7ZS+|LQzC&kGRK
z3qUje%0+LjWq7aU2y$c=utzhohpbH=3D6!hR_|wdh02D|>i@+6?uQUI2Dq{Vrraa-
z@>jHmU$_Ht{k?TDT|&ByC06Nh$QuR-_khMA(Ss(8JX;wz$vyjN_EgsRHW9C5fd{ts
z^f}16(XtZ?p4uz5IEJ>*qWA4Q>Dm)Duin0aVkSK(kll$ul)3xb>wK)tR#xV#Ypt#D
zxrV3fG;xqehC12#Xrm<$?pqnFqb(2KTN!Mke?=lY&$`J(Ap4M#tpraE3SsgQW(+y5
zc{84fAT$k204t7Ul>P|aNX5Ve;oqstWTl53JZBu<M;y{mna6H2ZP^QOGiQ9+3xL@R
z{MieA*$WH=LLC`Y0KatCM(kWmXKbOLf**eUubk_kKOUiYVFtOr2Th>2WsRaFXXIb>
z;$WkChvRZ-(Qk~3&%>l^s@1*f4oO-;BZn$&s4){;4s6-8mQNbokokIUyq!>iZ2cRd
zd%pzsTC|mUv)rRbtaJ<Msvs8))r<T9*4g9J(yB)2Nlg$w)l(?#FaZ~pko-_n4-|+x
z&vhXHAc0A7|Koi-0!QOx3zQF^s4@VEI+B3Bi(&66+CRNDQsrXGO7{)bKmy&enz`)~
zKL_RrpWoEO7ceOAYma)kh70=(0fc6#^*=UO0Xk2<w`v$qG(Y-`S|X!jm?Q<pQYNO{
z5I}nlGbN}H!l;%CYnXm%=4s~Swk+Hia(ycqXPAriVDnPz0+qw2&`|I7IJ4;j%K(<O
zxCYYnJu`c4)91u8KyFAg&m@a}oXaB?{ut(kSYxYxF|*h?YL0m*3FEC|<>HE)1Xq!T
z;F*OXnT6;^m2r>Z36DO1#4U*9jl>MZg0b$tj4;6M+9MC7rW1oE^`oix9cWXAO#0XA
z15fUZIjD_7tlCDZT34#v2CLlqt6mqYUMbc4r0V@a<58*2RJdmp_J(dLD~Ng3neN8g
z!(^W&yy|`T6Nr#<aFSjR&8(}m**Vq*+FYK1)2alWs2wXaAKC^-)rXqKD61C+9>uO_
zD;_DY#d&Y}%7|Zgl#o7k$1^?EVK-#1t*IA}c!veOuPvok`IPJ2t){=CqLR6LU(Kd~
zqvD#mN7>D10-}<lxd+|OCIzF?Y`CeP!@JzvE|EWOAq>r6Vwj_c@5l`)VnnfJAKW7u
zno>uwR3+Ur>zXo0uyv{2{TZ6m$*@c<-Q(+;v&pb+vE9QNTGC3eTs7S_Ht|{>9^K@)
zLrwpYgXdqp1UB}KEI-;Ud$cPaWR-^vpJ7Zo_1s71evi6_9|xiLL#yd!xAY6Nn8&R#
zV^~h+q^VtW|4Mu3X<hAFI)3mSi#fkdw-@_$Or#YrVfmp$AH`+sE75&g;Fiv16?x8k
zo@lPWXrKoI5C7}g1O5hx-v9yt2LNPlWNhnTYi$DnA|xWE1b}7e?qCIgW$IvT34mp#
z?_>jj1@P+~^ZNn>0Qx-(=GU)7<$pE&`YKGNg8o(1ULCpd-yH2T!zfZX*qnonzE(g%
z#WC!4vTBXOz@T?prK!0hb&1&8s_K+Tkq!kkc-XS;=eoFPukg%1S>$>7`J8Tm=0}it
zj{g=Anb+kJbHVTd5g6b#X7QA7E!71s@<)S)%^@syVTJ-d_?KQEA3zFbT?qo1Uf&+T
z2o-_kkt?rek0b^V4TZK4bzD>&TXTsDZv2-!6u6E6Y*3W<dmg=3=@g~{-J9u`N~fKZ
z_)kW{x~Ja3C~YOf(11`M9>G9|Fb9PJEJ~oDsf6z0ll#fxay7biDTrlU*X!T#tdhLM
zXyN$r7-<-0kTPkmVt}6a-&iyy$X67wn3>&raU~5r;AP-;g$5`<^vs#5+&bt~YBb<w
zAS{InPJRxK5S3BWUXxxSi{9VC6ELKtz9XiFR41&QG5rCwUa9k8gwUO>u}Li>6b&1^
zU;b!57@#9CY$}i<Iejc{85kA{fT9+_(9qPx6cuVAg_MiZ{I1<ONEb0bZPb+Mthf>!
zTg*TbJUD<l@8&Iki`8F+`Q1=)7#qNZ>0Ls>giJAg6apc23R(mS$bJZU4Fm&KQD}K`
zv!7~U#4&l_wDa<nb*N;uqE$z%7`P6xBWYgWV4R$H^&77~0m|`Y54m}~`Hy|EG0<=6
z3Q_PB!PD>5YbNj*kPWHsB)ok`x>r`^6jOrC5$;nv!=yLb>ap5X3bc>C;u%P0r}<=D
zZ^UQ`VZw~8lTDxQ^S73_D+)lLloVDGA98#5KXN~xoW3rz>wc1{fy!KXb*$8eD)g7*
zrdc_qu6O4w_+9S}#x*p|uTzp$E;=_qlR2E9>b`|zkyYr+Tvurubw_K_dxPeU-${y2
zGR-5B`PnkBk4lae2f?^7^8xGQ=&B_)(XjA%^cL_c>fxS=Obt%`h53`Qn#h7BWI04q
zUBqsVSDPrzU}1jc^|HB@x-L{x%ymMQI`8Ma&#xJ5Zxxp5#ZMs2PQoei834lSOZ=E|
zsZdZsxL{WQmh>=lg$8kW`DQlO(gaVA;@%i3V$U+Q(uOA?$QJ=rP|1n-%uqmp3R$5m
z$?U+Z4Z<-(M|ZFn+Ngt?ryYbTpu(|)M9xPatxO_@fS>v>^_2XI7fVTSAtMIE7%>QG
zF7#;phDe2!Y7yyUsYEr`^Q7oxP<GGHKz>m8QtKHZ3Ytyga!rTTY759tW=lpaOvv^F
z$C0_`TZnB4Xiw?2%h4vUC$4aqP&;2owe+S2&K&xiZ|>&b^m=@!cn_eVxkgk3I&2RN
z%WwKMl}0wuea-1uCBwFd>Aff*CTpvVbldhB$~G08_2onrwI%+k>k9?($a7dnoDfrO
zm4g)ApN04#Xa)&=cHSV?xR<OvoVPI9SXo^aCXo)`{VMT%xq}ZGVDx724N~`6Fa|Jx
z^6s<&g?YONdRTmrm@=kzB~EtVZHMnfIH##zPa!XUMPX#j;KViN=i(F3RaUE4rKs*<
zJOuaBSVcv?*x0+b&Ys4`TjuEiY}Xo%rMu=-EaMhK6%TNWj@TBCaI`Ryo-7j&snaAE
zEop{27mDn46!AO_Y<c)=89U(?mia%{^dXEky6feO))yj!mROzTR=ID1#Hm|zxKWx|
z&&DU&FX}$}9rvv>DZH{hMc$VN?#B)Vip@pVbk~~J-JUqw)D&8*(e`^ufImjDquuf>
z9^dnCl9|isV48>Ao5OTgvpAw@Y#!MYWt{Izq0ZYWw9c)&*F9y7XIZZ8*MG;kb4)Im
z4Js@$cn+!DQ)EVx;T69kxte%vk}NWwA+Dn}@7dAv6=G4vfnM`!1%V+DjPLvtznfy^
zDL}b{0A|2o^lA`xk9Q0cXB^{)+z4YPKYTun{H__4&}kfAOK79SKiVh_jydMcW!6v_
zv-&{09k5yf(E%c|hGfF4;`Dx0HHfx-T@w{icF{c2)Qd37Out>7y#H(w5KMg)4m0Ty
zI%^uj0@gjgJbr{BDNLch;b<Aa3-{<G0&<6!o4~2=VW_Zeu!dVE8@hxVShH2a4W_bg
z`B1m&rxj@VraI8SNYxzBw@)O5PHIJ&qSv#0B(b*D6;BiD_^59weAS0JxrZ-Tp?(ez
z9AwD4tI0)VqvE!+07;gw-;tj0TXm467ri)jGe^<sjTD&&2ZH^oES%k{w{Ns-ScN|#
z%69e4$7oG%R+>WYghJSuhRfcnFjr(cWymLjMzgUtF3~uem0yZ&M6Z@~FHUjv=k=WT
z`&;slAkl?Bf*Qy=pSe;A5L?+}C8Js57a<fmf2nF64+czP_L<0tc9+wUmZqOo4yWQ3
zvJ7t>v}teCYU>_*h2}J@_z+2?gryRn(G<(8*;m$b8OMf42N4=qRwLi>saijA$Y6hU
zry-~2U}zPwE~5(}ShKiOm3AQp`N1jDGG-1E3@|?h;9MCmVY!b`cM+YqkU#-k=VP=9
zCLxaO#2dYQ;6f&-O^o92-C>YIrjU9G|52ud-pHLOp+$`lwZ-l~FsVs#Qe;m|7TJUH
znQ#^oxa)fPC5qZOkOH~x-oYam3BT}@CQtpu{FUE}2jAk;uE)QPlihHx?VoKF41a}j
zA$5o<FsC*t_G(s=Ar%~!b;o+P-FL)ut~uOqPSteP)wbuO%BI?lDy8xAV0{bM{0Xy3
zfW@V7hZjkMVO#epKrLz%J-fO-88>-JY`LmtH(_5`+mxa?;7<_A>ErJem!u|`#@BW*
zuWPYe&)YK0=AVI0+Ux)nzi+<~5V@hWJ~+D3EjiRWXwOM+cf*boTgUN}$PK01nF7t`
z5=QzeZz(QJd@U_VdwFTd=DFjkv~XvjtexNOjk*Mrm)mN!rJC}$?$o6x8D>p@54`BQ
zSfcJh0rur>a*Zjn6)_d{zG@fMmYjswf?$<pMXo->lXL^U$7@J#;V9=;W9|uXvHqMc
zO?pNhIsf7rU+TLP?4#=W6?n^^H~W5GfAf2V$D$$vse&Rz1Bg`@00;;UNtFP^A;7C2
z@f~x*ltl$f10V30Goo<>{r!W%x{8Y>%>2Ert*@UK=@|O!qEm2k*BhGWVWwyCS(3iV
zjb)c4xCqG(z;$O=S2e0ZSfr3y=!lnfyq|bQ8c>qP9rFjMD^D7b$0_)Yq@X^fVHr!!
zM&J-C1AwUQk25$h1t~9Of7rf|pEjzQX47r-oETrLb;(g?S{vIr2zEt<qHpe1BzR=i
zNk+R&Cz!=esZP$Ur?y_o&Ya6US3|-X!&GVvBBDvh7nBrLOom*}Q}`^=LqzrN44<~^
z9E*(O$HZtrNq~up)1wMbq|I#f?V0VIu9w$w2$6o)0mj`;`JWOqWJ#%wcRZJzF#M^v
z+VkH36F&#Q`1XXup?fa>)%tu5Uf=)3h!VI8dPkmD5w1H&*rS#nfnU7->if#7lGXWy
zt6{JG130*NJC;LHH2CslBAyWV&@+F#iXijrb>AmF;mdHX>fr+_lYP+T_p<&z*0!=&
za|81tc@!B{Ic@q(d}%?x`;D)mv|i>-<8_%1$Fb~}I*IkVt0bxW$}gS_E8Q|Y1}b*P
z_@1V%q~F+}^s02$tELr8`(MS^&>I(RvJsp?Xj_HQb}%VSkKKQC=eRxL`{`DK;gZe#
zpK1I53_wy|x&b%Xb%>X+2XF%(L%i&T2|z~~_x<0qFB*lBO&i(K6^&>;)nEpTR!HLx
z{WaAh=pn=|pz#@`IBqtL%`BE*k+w|0SS5lA#lzJTrg;6h9@5c}f+}8}ip)BT!(}sR
zuny3Y8ddPBNi;SolEY)bh}>oChBpq%<YXY%B;fHGxjgAM^L_aknXoR<maQIMEm@Gq
zK=vLsf3P7&?_X*7Z*sZw<%@(KFA*L;@F3H$m9q{L+_q*>ny6XOR%v#+jL=WD3Rkgw
zJ9pKrH03dGRCk>1#X5;t>L%E29o-KvI(5~kTz_<_+7-8O=2@*T#(5{(%!h5iq*YSW
zggH7l!++ZF?5wpOv)4~(s98O*W{u{yr>sTC57sVz=bv@O^MxLz-~FRY-O0DL3u;=<
z#@;r4S6DvBK2i<3U#2^0%E$UyZ4VCAuezx&2raS-pK-ZoR+9CTfPt_DTWSLi>VcM~
zd2648D8Kuin#p%{IzDV5ygxB*^{F?_GmcGPM)pl^^LOlG*iSYe+58w={h+T#0Ny`7
zLOr1!IfueLBuWdx^yj?xBQOWKyaHK~C4ej^&~RWYwjKnPDn^VX5_rO>B&R`TIDNn2
zKutzuSq_{f2XQ)>0LCffCW^vQq7NY`6$51u4XhP-Y#;?E4<To!6teV;AsE{#z}N`?
z+iD1j|B!2Ae$KTO013ZqNNlNeBssrPRlXYil=;eoQ~(_0K(_%_fFw2-n~DbM&!a00
zh!mt8Pf^&eqCf<&P}r^rKeo%1wgbZylJ!4#%vZ$pZ#n)uOsm?@S?_5O)$P8Odu0wW
zU8j9@w_)n0*(tnY&765!(^vJs|N3y2<-xyP1t0sOSPYA8A?9~|`Z7LcH%@<kF?XZd
zn<m2*Y{&Yu-QH)~r`8<4{4nmT@<O#+12rKOZ1h2J@|Jsh8f6!*Rc8}}={@S?m7NCf
zD;|-L###^`KhLa9wW~T;WU)MDV#4-4CH9rNV%4BKsbz*M9ybkaDfAyMF-SVn7&_K%
zabtnY>iuUj9QfC?)jM9V#h5RA$nxzlI3jv;b#2<-^Hm#bf@VBlv(FNs?Aph^m~*_x
zV1iKRKzNE5A=7^YW%1=1);n;#fVF!Umd-LP?%mMXI%9rl^}CHOIpMGndkn$!Av6jF
z$|V2KF#PMbq3{G!T-FSXhHj`D2F5Es-UOx!B^;~?6utVu`k#ha7*Ta`px=qlYw~T@
zWH`jna$bG(+rIQLFkPVu9?k=7F{^YElmv00e25FtAqGT3N;HTK@sP84#Ku8>vk*%z
z#DrLo04WtBXM89JISWJl4CFN#BFWlhBEM9m4p&x}g?!TyOCr)ouDs8mNQ)JsAipi1
zjefWKBy(s!bC)o*K5r{I_U;DCM>S*DX;>%FA+WEoNqZx)l(5u{Ty8%$&Pw}9?V-}O
zEo08x*e2nhR6aSs+BJ)%K5u`DH!Aa)ByGSZIL_uQ@p!*7rf%lak1dq-YWgg@#rDoe
zpXymy@x3KBEAsxz4eB2MaJ|OY6%h^3F&FNBRvHt^(}<;2<Uh4$>NlhEQ+1X|KInJ4
zKRiBM@0K=k%O_CtR`PYE)!wTQk54OJ8z4O9CCa3W9g|viw1=N*oH>xAw?M}TW-p|V
zt!U(hK6EDRwOnkHbNpDcf#=K{>H61?oR4`rA|<OXODE#C`}tQ@_<{71wePQm5uEBI
zLNpEt(JKGkJ!M#k`hd{3S1Mrc|Mat^UmtEM3UUH4RMaDGsGx!ZrvG@9U@cj8;RU<G
z9<Y}iNc}~Q-kq~g97tSq>GZfJ?Tp54N9HV@a`ZQH&|f#37PD^olycrIt=6i7lKX!z
z@DljmOruTGB;P1$v%7bv_;h$;adV%uerc?Q<l7nb(~dNv71_r3>dBHl+h+$qFp0!Y
z&Vw)+W_z=P?N}UM4?FDYj>XBg$@)NbbTyOSU#;_T-Hu`F&lW(N69V--g#&YMO`E@U
zH*-hD&8)0C@UkUkLG~VOtaAGK&N(fC``Rxg`j{6V$l0$YPIwWQ{vxZu-npST!Z;&1
z+tLa*oobvjCU13V8^fZ#y1;8{P584fhgR5Q{Ijk$qZiz<;z~LO+&xRLHaRQ}yneeg
vsg<4PdZF&`VZxlAqsn*A9<naDp>n^o|EA*(ex2v0iS7^t{R<bGjynJVUE7-V

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.eot b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.eot
new file mode 100644
index 0000000000000000000000000000000000000000..b93a4953fff68df523aa7656497ee339d6026d64
GIT binary patch
literal 20127
zcma%hV{j!vx9y2-`@~L8?1^pLwlPU2wr$&<*tR|KBoo`2;LUg6eW-eW-tKDb)vH%`
z^`A!Vd<6hNSRMcX|Cb;E|1qflDggj6Kmr)xA10^t-vIc3*Z+F{r%|K(GyE^?|I{=9
zNq`(c8=wS`0!RZy0g3<xfGPm^&oc(t0WAJyYk&j565#r82r@tgVE(V|{tq<<xco!B
z02==gmw&z10LOnkAb<tH1OWX@JOI9bn*UMykN1D0R{xl80Mq~Cd;ISaOaQKbJU)Q^
zKV{p0n*ZTg{L}i+{3Za_e=Uyx%G?09e;&`jxw-$pR}TDt)(rrNs7n5?o%-LK0RgDo
z0?1<k<naI!SC})WF>{M(8^tv41d}oRU?8#IBFtJy*9zAN5dcxqGlMZGL>GG%R#)4J
zDJ2;)4*E1pyHia%>lMv3X7Q`UoFyoB@|xvh^)kOE3)IL&0(G&i;g08s>c%~pHkN&6
z($7!kyv|A2DsV2mq-5Ku)D#$Kn$CzqD-wm5Q*OtEOEZe^&T$<q%?GPI*ug?*jFCZ7
zl1X3>xIb0NUL<TDAlC~xMcGnHsPe)Gh+nESIamgk2)5Ql^6QPK&XkQ+!qk}`TYc#I
zf~KwkK>}$)W)Ck`6oter6KcQG9Zcy>lXip)%e&!lQgtQ*N`#abOlytt!&i3fo)cKV
zP0BWmLxS1gQv(r_r|?9>rR0ZeEJPx;Vi|h1!Eo*dohr<W65y|5+tpvz!HDS=Q}DgN
z;O&E^rmV416<Hj_N10HwLk^Lwyhx2j;kDE@F*S-tuqy|n(-6~PPF09Xvxq56At8OG
z4-2Gj5=K^(f;q@WOp+9uP|<!09J~a(Y%m)hsl;TbWEvvuQ7(qWx_eKYE@rH9B(V+`
zF8+p6+N8}}{zS_o7#)%b=2DFYa}JT{_i@;_#xxEDZ)+D4Lz{Pv;LE}#`N2bQP*W;6
z(wPX2S3Zb<sNz$mW_!uE^K&d`O<hkRPv<3DnX$`Y*)_qR>&^lJgqJZns>&vexP@fs
zkPv93Nyw$-kM5Mw^{@wPU47Y1dSkiHyl3dtHLwV&6Tm1iv{ve;sYA}Z&kmH802s9Z
zyJEn+cfl7yFu#1^#DbtP7k&aR06|n{LnYFYEphKd@dJEq@)s#S)UA&8VJY@S2+{~>
z(4?M();zvayyd^j`@4>xCqH|Au>Sfzb$mEOcD7e4z8pPVRTiMUWiw;|gXHw7LS#U<
zsT(}Z5SJ)CRMXloh$qPnK77w_)ctHmgh}QAe<2S{DU^`!uwptCoq!Owz$u6bF)vnb
zL`bM$%>baN7l#)vtS3y6h*2?xC<XQJNpZVS!tVtuR(<D$%K=CTVlwa)G)}qDJup|w
z!YRUAk-}+0)MFG#RuE2vlb~4*bP&)ex6`$^%6ySxf}MiQja9&+C4)UgIK)TIHVp>k
z>w+s)@`O4(4_<t2L?B1i*y6fuRi+P?QZCG2j9(btWTetUT@0Q|8XO(SqEH6LSB!2L
z<;M1lya0G`cm9UEex~so>I{L-!+b%)NZcQ&ND=2lyP+xI#9OzsiY8$c)ys-MI?TG6
zEP6f=vuLo!G>J7F4v|s#lJ+7A`^nEQScH3e?B_jC&{<S@1dd<&?JtuP@v(wA>sj>m
zYD?!1z4nDG_Afi$!J(<{>z{~Q)$SaXWjj~%ZvF152Hd^VoG14rFykR=_TO)mCn&K$
z-TfZ!vMBvnToyBoKRkD{3=&=qD|L!vb#jf1f}2338z)e)g>7#NPe!FoaY*jY{f)<G
z+9IWTnFJO0p&^rK`xODpSZARax-jN9(N|ZWyg~(MGSuQYzXBQR*+_`oO>Bf>ohk-K
z4{>fVS}ZCicCqgLuYR_fYx2;*-4k>kffuywghn?15s1dIOOYfl+XLf5w?wtU2Og*f
z%X5x`H55F6g1>m~%F`655-W1wFJtY>>qNSdVT`M`1Mlh!5Q6#3j={n5#za;!X&^OJ
zgq;d4UJV-F>gg?c3Y?d=kvn3e<VW2IarGgIy4I@#ozBH$Q(a($^uvXS?@=l>V)Jb^
zO5vg0G0yN0%}xy#(6oTDSVw8l=_*2k;zTP?+N=*18H5wp`s90K-C67q{W3d8vQGmr
zhpW^>1HEQV2TG#8_P_0q91h8QgHT~8=-Ij5snJ3cj?Jn5_66uV=*pq(j}yHn<uy|J
zh=_`9%JG63kQPJ-Et!mF@={HFp+sB-S+XTFvdzD^x19Lbj{TXx=?FGKvX;|1-3-zU
zl2DyEls20Izb)isO0?xrx(b1`<I3ZDSNBd*<5l=jC`?Re`XCFaI(ny#9KlP!NYbU=
z^;IWB5he_V3}{Xdl1>f$<x%N5|7+dpJoB>Ft;5VVC?bz%9X31asJeQF2jEa47H#j`
zk<KNJ>&uxf3t?g!tltVP|B#G_UfDD}`<#B#iY^i>oDd-LGF}A@Fno~dR72c&hs6bR
z2F}9(i8+PR%R|~FV$;Ke^Q_E_B<teU&M|M>c;$)xN4Ti>Lgg4vaip!%M<tZtx+eW>
z06oxAF_*)LH57w|gCW3SwoEHwjO{}}U=pKhjKSZ{u!K<P`9nrZXY)DCi*vvJQDx`q
za_kyA2Qus4JQ%8kM3_Gd%I1O+cF3~V6=ZM1u9*Ea+iXPId}M`kd7I1T0d7Zx)Wa&?
z{PLQlHM^=&Y!og~I(XQ;5lJScjK~IrV<F7J6v`iM&M1#EkRsHYX8V%Dip>?1zm1q?
zXyA6y@)}_sONiJopF}_}(~}d4FDyp|(@w}Vb;Fl5bZL%{1`}gdw#i{KMjp2@Fb9pg
ziO|u7qP{$kxH$qh8%L+)AvwZNgUT6^zsZq-MRyZid{D?t`f|KzSAD~C?WT3d0rO`0
z=qQ6{)&UXXuHY{9g|P7l_nd-%eh}4%VVaK#Nik*tOu9lBM$<%FS@`NwGEbP0&;Xbo
zObCq=y%a`jSJmx_uTLa{@2@}^&F<l?4N8$IoqA~y`|!rgD24&AtvbWWlPF%K!I`Fp
zMCDiMrV(MWM2!hiB6=^)Er#O8q+%t)I4l3iuF$d;cBXqGAn?Z0Z*?MZRuh=zmPo~-
z_rOvv7sERj79T<uPMWCHIto@agn)X&#=QQyY*6wt){yHQ7~yFoEezd#C<dQF+u)2-
zEIMy-5P*TYpqPxY25dY9J+f-E^3<^@G(=jU{U&hQ3#o`a)dOUR&JT?mTRlBfHE<p|
zO&J|*26{JJ28qC1saVtkQ1WW^G58Smr^%f>4c%z6oe-TN&idjv+8E|$FHOvBqg5hT
zMB=7SHq`_-E?5g=()*!V>rIa&LcX(RU}aLm*38U_V$C_g4)7GrW5$GnvTwJZdBmy6
z*X)wi3=R8L=esOhY0a&eH`^fSpUHV8h$J1|o^3fKO<edeL`~4AS}?bGhbI@wd%7ob
z;HUsAzX8f<5Tcj`x1L`~p_%qxb{Gobu+`2Hh*bfnN@EZ$w1F5i32YXO9vreTkznl=
zRv&F3;kE3d@_Cys2UVvUxUU=oDO~U>|9QzaiKu>yZ9wmRkW?HTkc<*v7i*ylJ#u#j
zD1-n&{B`04oG>0Jn{5PKP*4Qsz{~`VVA3578gA+JUkiPc$Iq!^K|}*p_z3(-c&5z@
zKxmdNpp2&wg&%xL<cX5MdFnpzW;X?cI|~qZbhDWm)F_t}i=(x><xZ|=$k6lbFWo~R
z1yEA-t+BaHz`?1Zi{N`F<t?_rS*zpAEN-Lg7L9qKTVj|Ih7gOmTvLqTlA1e51SXNm
zeA`1UhC`&)%k?V^ii%`|O+coBH9$HjP#Fy1CjYhyW0DPZC>3xZNzG-5Xt7jnI@{?c
z25=M>-VF|;an2Os$Nn%HgQz7m(ujC}Ii0Oesa(y#8>D+P*_m^X##E|h$M6tJr%#=P
zWP*)Px>7z`E~U^2LNCNiy%Z7!!6RI%6fF@#ZY3z`CK91}^J<kz;gXvl4j_QvxfXmA
ze1j4n*Hru_ge<*I;p<wHXN`XVFAk2bTG~Vl5{?nXF6K!!HeqOu6_U-movw7Gx`O<C
zM~<jbZlSC}oXeAQr_Y8Tq)(9YogPgPY{6ELohD$98O2Fj5_M2=J84FuR#dyoS!A-|
z*c)!)9^dk4^<2$Ks79AAMW;%o-!%g7j{1(Pnwwy1tca#dUTE1+4y#<A6VSeCR)wQ`
zCEFu?oS$y=05cpTr}VLe+YU$GFp$#&tfXaK<ia*q3-&+6KDQP!)!Ru(yh0c}7za6=
ziFP^Nq3))g21c{b{ESQRdZN3Xnpa8jUP0DA2r&uofBU7TtM^7^s}7#&aUnGsvE`fu
z>$F!EB0YF1je9<lP78|=Z6bmMhpLsL)Tz)Cn&pP#eF?{kB>hJKU7!S5MnXV{+#K;y
zF~s*H%p@vj&-ru7#(F2L+_;IH46X(z{~HTfcThqD%b{>~u@lSc<+f5#xgt9L7$gSK
ziDJ6D*R%4&YeUB@yu@4+&70MBNTnjRyqMRd+@&lU#rV%0t3OmouhC`mkN}pL>tXin
zY*p)mt=}$EGT2E<4Q>E2`6)gZ`QJhGDNpI}bZL9}m+R>q?l`OzFjW?)Y)P`fUH(_4
zCb?sm1=DD0+Q5v}BW#0n5;Nm(@RTEa3(Y17H2H67La+>ptQHJ@WMy2xRQT$|7l`8c
zYHCxYw2o-rI?(fR2-%}pbs$I%w_&LPYE{4bo}vRoAW>3!SY_zH3`ofx3F1PsQ?&iq
z*BRG>?<6%z=x#`NhlEq{K~&rU7Kc7Y-90aRnoj~rVoKae)L$3^z*Utppk?I`)CX&&
zZ^@Go<Q-E-9qdDk;`1UZ+I6D_?B@62xgSC03f%4S8VtH3(P3D_6<1>9fm&fN`b`XY
zt0xE5aw4t@qTg_k=!-5LXU+_~DlW?53!afv6W(k@FPPX-`nA!FBMp7b!ODbL1zh58
z*69I}P_-?qSLKj}JW7gP!la}K@M}L>v?rDD!DY-tu+onu9kLoJz20M4urX_xf2dfZ
zORd9Zp&28_ff=wdMpXi%IiTTNegC}~RLkdYjA39kWqlA?jO~o1`*B&85Hd%VPkYZT
z48MPe62;TOq#c%H(`wX5(Bu>nlh4Fbd*Npasdhh?oRy8a;NB2(eb}6DgwXtx=n}fE
zx67rYw=(s0r?EsPjaya}^Qc-_UT5|*@|$Q}*|>V3O~USkIe6a0_>vd~6kHuP8=m}_
zo2IGKbv;yA+TBtlCpnw)8hDn&eq?26gN$Bh;SdxaS04Fsaih_Cfb98s39xbv)=mS0
z6M<@pM2#pe32w*lYSWG>DYqB95XhgAA)*9dOxHr{t)er0Xugoy)!Vz#2C3FaUMzYl
zCxy{igFB901*<tiyD63(hW(uERHv;@J~7F`;-e`O5Ld!(Fl>R2*F4>grPF}+G`;Yh
zGi@nRjWyG3mR(BVOeBPOF=_&}2IWT%)pqdNAcL{eP`L*^FDv#Rzq<iCP<KO7gjv}{
z^5ElYuo)cUV9?9{6e*c7eWVK@LCOKKaBR<2_;6r+GhH1i-~$};rNpE_D*2ZJ=O+cz
zyj}kfz8;}sw88^SYgzvxpkB>l5U&Suq_X%JfR_lC!S|y|xd5mQ0{0!G#9hV46S~A`
z0B!{yI-4FZEtol5)mNWXcX(`x&Pc*&gh4k{w%0S#EI>rqqlH2xv7mR=9XNCI$V#NG
z4wb-@u{PfQP;tTbzK>(DF(~bKp3;L1-A*HS!VB)Ae>Acnvde15Anb`h;I&0)aZBS6
z55ZS7mL5Wp!LCt45^{2_70<L`Ib`SKM1Oi<HkO)Y>YiI_Py=X{I3>$Px5Ez0ahLQ+
z9EWUWSyzA|+g-Axp*Lx-M{!ReQO07EG7r4^)K(xbj@%ZU=0tBC5shl)1a!ifM5OkF
z0<aV&1|hwix;hV`l{C+KeqEjnn@aQGS~k&rcJ^K626yC8@~#qf$xT7;xJLzv3M&rA
z)MirFFpng+&}hRJHKQ6_3l{ABCJLmIrj8g#cem2@!i;W7Q+}Wr^IrTp((?iq1h?Cq
z7Z^k%ps^N^e})9!YkyNa0;x`m&~<4yTQHl1+dFNY1CE<&_PZ=1v!ch(qU_a1lHd~T
zC&a1>w2xQ-<+r-h1fi7B6waX15|*GGqfva)S)dVcgea`lQ~SQ$KXPR+(3Tn2I2R<0
z9tK`L*pa^+*n%>tZPiqt{_`%v?Bb7CR-!GhMON_Fbs0$#|H}G?rW|{q5fQhvw!FxI
zs-5ZK>hAbnCS#ZQVi5K0X3PjL1JRdQO+&)*!oRCqB{wen60P6!7bGiWn@vD|+E@Xq
zb!!_WiU^I|@1M}Hz6fN-m04x=><rLlCfwyIrOU}U)<7QivZH0Rm_-}Sg~$eCMDR*Z
zx`cVPn__}6Q+CU!>Exm{b@>UCW|c8<K+|Vc^j#>vC`aNbt<B+h3ox;kC6?34Wa#|Y
zXq?n@d6k6MUBqn%SYLX5^>A@KCHujh^2RWZC}iYhL^<*Z93chIBJYU&w>$CGZDR<q
ztx<5t>cHuIgF&oyesDZ#&mA;?wxx4Cm#c0V$xYG?9OL(Smh}#fFuX(K;otJmvRP{h
ze^f-qv;)HKC7geB92_@3a9@M<H_?qNxE&=>GijS(hNNVd%-rZ;%@F_f7?Fjinbe1(
zn#jQ*jKZTqE+AUTEd3y6t>*=;AO##cmdwU4gc2&rT8l`rtKW2JF<`_M#p>cj+)yCG
zgKF)y8jrfxTjGO&ccm8RU>qn|HxQ7Z#sUo$q)P5H%8iBF$({0Ya51-rA@!I<SEC1_
zHUdTwrTB3a?*}j?j1(f*^9G0kG<5JX4@l|rR&H;`Qa2VcYZ3UxZL+D>t#NHN8MxqK
zrYyl_&=}WVfQ?+ykV4*@F6)=u_~3BebR2G2>>mKaEBPm<p!ix>SW3(qYGGXj??m3L
zHec{@jWCsSD8`xUy0pqT?Sw0oD?AUK*WxZn#D>-$`eI+IT)6ki>ic}W)t$V32^ITD
zR497@LO}S|re%A+#vdv-?fXsQGVnP?QB_d0cGE+U84Q=aM=XrOwGFN3`Lpl@P0fL$
zKN1PqOwojH*($uaQFh8_)H#>Acl&UBSZ>!2W1Dinei`R4dJGX$;~60X=|SG6#jci}
z&t4*dVDR*;+6Y(G{KGj1B2!qjvDYOyPC}%hnPbJ@g(4yBJrViG1#$$X75y+Ul1{%x
zBAuD}Q@w?MFNqF-m39FGpq7RGI?%Bvyyig&oGv)lR>d<`Bqh=p>urib5DE;u$c|$J
zwim~nPb19t?LJZsm{<(Iyyt@~H!a4yywmHKW&=1r5+oj*Fx6c89heW@(2R`i!Uiy*
zp)=`Vr8sR!)KChE-6SEIy<Vn-l!RzPhNVxOkQU85Nng*5JUtkAg)b6wP&$wmih=Au
zKs;dHW6q)pI2VT$E`W=7aAbKSJnb;$l%#?edH=)1)avHvVH)345mJ;(*l$Ed1MA<a
z72%vbZD4`I;B-RS=m{iM`7(#1x>i(dvG3<1KoVt>kGV=zZiG<Y+hj@$zd#Q#=4iVE
z)x-IdMbP%iC;0pg$QUoVt(A;lO{-jJjH=;buR+E#0Eulb^`hidN&<0Z-tju^RGPcG
z(C4$AS6l7m-h>7LGonH1+~yOK-`g0)r#+O|Q>)a`I2FVW%wr3lhO(P{ksNQuR!G_d
zeTx(M!%brW_vS9?IF>bzZ2A3mWX-MEaOk^V|4d38{1D|KOlZSjBKrj7Fgf^>JyL0k
zLoI$adZJ0T+8i_Idsuj}C;6jgx9LY#Ukh;!8eJ^B1N}q=Gn4onF*a2vY7~`x$r@rJ
z`*hi&Z2lazgu{&nz>gjd>#eq*IFlXed(%$s5!HR<!{AgXHWD~USVRvxKdGTp>XKNm
zDZld+DwDI`O6hyn2uJ)F^{^;ESf9sjJ)wMSKD~R=DqPBHyP!?cGAvL<1|7K-(=?VO
zGcKcF1spUa+ki<qEk7@%dE~%eGpEl!oK*hA!YE+isq^GFdJ#{KfWIULzmRCaF}4(*
z-$*W)k94bSp|#5~htGbQ<~v1feWKv$%wM~TX}E><`6K#@QxOTsd847N8WSWztG~?~
z!gUJn>z0O=_)VCE|56hkT~n5xXTp}Ucx$Ii%bQ{5;-a4~I2e|{l9ur#*ghd*hSqO=
z)GD@ev^w&5%k}YYB~!A%3*XbPPU-N6&3Lp1LxyP@|C<{qcn&?l54+zyMk&I3YDT|E
z{lXH-e?C{huu<@~li+73lMOk&k)3s7Asn$t6!PtXJV!RkA`qdo4|OC_a?vR!kE_}k
zK5R9KB%V@R7gt@9=TGL{=#r2gl!@3G;k-6sXp&E4u20DgvbY$iE**Xqj3TyxK>3AU
z!b9}NXuINqt>Htt6fXIy5mj7oZ{A&$XJ&thR5ySE{mkxq_YooME#VCHm2+3D!f`{)
zvR^WSjy_h4v^|!RJV-RaIT2Ctv=)UMMn@fAgjQV$2G+4?&dGA8vK35c-8r<daDqE-
zlIJCF%-7v?-xOAOA*Z$Wv;j3$ldn=}pR52aU>)z9Qqa=%k(FU)?iec14<^olkOU3p
zF-6`zHiDKPafKK<gsO-HjX!gIc-J@mlI}lqM!qAHMA?>^USUU+D01>C&Wh{{q?>5m
zGQp|z*+#>IIo=|ae8CtrN@@t~uLFOeT{}vX(IY*;>wAU=u1Qo4c+a&R);$^VCr>;!
zv4L{`lHgc9$BeM)pQ#XA_(Q#=_i<x#Kw|T_b{oltLKCCP2b6F_+)lx3b*Vc?@JD8p
z>SZL4>L~8Hx}NmOC$&*Q*bq|9Aq}rWgFnMDl~d*;7c44GipcpH9PWaBy-G$*MI^F0
z?Tdxir1D<2ui+Q#^c4?uKvq=p>)lq56<F6-{L-8bs~8_dC8J3p4CdV*Iq;6IOvBJh
z^E(Ti1wkp{O6qebTnBYm)da^xs3^-TV5tGhoGrFBA^b?UK`APfD~Y+F8!rz@iSNu3
zFO1o9o^S3!%nw&2bpBxHF!V{IaC(n}+(HqYMb(3!l`YX-ru;2?$oSZD;K6*RvAS8r
zf1jgZer>=Eb|N^qz~w7rsZu)@E4$;~snz+wIxi+980O6M#RmtgLYh@|2}9BiHSpTs
zacjGKvwkUwR3lwTSsCHlwb&*(onU;)$yvdhikonn|B44JMgs*&Lo!jn`6AE>XvBiO
z*LKNX3FVz9yLcsnmL!cRVO_qv=yIM#X|u&}#f%_?Tj0>8)8P_0r0!AjWNw;S44tst
zv+NXY1{zRLf9OYMr6H-z?4CF$Y%MdbpFIN@a-LEnmkcOF>h16cH_;A|e)pJTuCJ4O
zY7!4FxT4>4aFT8a92}84>q0&?46h>&0Vv0p>u~k&qd5$C1A6Q$I4V(5X~6{15;PD@
ze6!s9xh#^QI`J+%8*=^(-!P!@9%~buBmN2VSAp@TOo6}C?az+ALP8~&a0FWZk*F5N
z^8P8IREnN`N0i@>O0?{i-FoFShYbUB`D7O4HB`Im2{yzXmyrg$k>cY6A@>bf7i3n0
z5y&cf2#`zctT>dz+hNF&+d3g;2)U!#vsb-%LC+pqKRTiiSn#FH#e!bVwR1nAf*TG^
z!RKcCy$P>?Sfq6n<%M{T0I8?p@HlgwC!<R%oqdMv88ghhaN5z;w29c{kLz0?InueY
zuDv#J^DHLyGoyzt8(sCID)#E6<WCYlz7uC1Xvs8QhV{45h-M4rLYe7xw;{g462-zX
zIV>HoWO>~mT+X<{Ylm+$Vtj9};H3$EB}P2wR$3y!TO#$iY8eO-!}+F&jMu4%E6S>m
zB(N4w9O@2=<`WNJay5PwP8javDp~o~xkSbd4t4t8)<Wt_Xc73S;VOmD#Fsb|nTsJs
z59;v?-{=r}I{BDxTN)Iz2&5m`sG^%wjY0*@1I`W29gtM7#wwIQTHvQhS2gB?6J62R
zJXy=)7L1!%o4(?3j6J3Pc%v5LFvsR9gKoej%77dCetZylr9&mT=u=p$Kn1Z^C3ySy
z3|Tg>9jqu@bHmJHq=MV~Pt|(TghCA}fhMS?s-{klV>~=VrT$nsp7mf{?cze~KKOD4
z_1Y!F)*7^W+BBTt1R2h4f1X4Oy2%?=IMhZU8c{qk3xI1=!na*Sg<=A$?K=Y=GUR9@
zQ(ylIm4Lgm>pt#%p`zHxok%vx_=8Fap1|?OM02|N%X-g5_#S~sT@A!x&8k#wVI2lo
z1Uyj{tDQRpb*>c}mjU^gYA9{7mNhFAlM=wZkXcA#MHXWMEs^3>p9X)Oa?dx7b%N*y
zLz@K^%1JaArjgri;8ptNHwz1<0y8tcURSbHsm=26^@CYJ3hwMaE<khA9_uuFNLm1L
zw+Fp#304~-S;vdG5Nug~K2qs}yD1rrg&9Fcvifn@KphT~L22BKMX?U^9@?Ph`>vC7
z3Wi-@AaXIQ)%F6#i@%M>?Mw7$6(kW@?et@wbk-APcvMCC{>iew#vkZej8%9h0JSc?
zCb~K|!9cBU+))^q*co(E^9jRl7gR4Jihyqa(Z(P&ID#TPyysVNL7(^;?Gan!OU>au
zN}miBc&XX-M$mSv%3xs)bh>Jq9#aD_l|zO?I+p4_5qI0Ms*OZyyxA`sXcyiy>-{YN
zA70%HmibZYcHW&YOHk6S&PQ+$rJ3(utuUra3V0~@=_~QZy&nc~)AS>v&<6$gErZC3
zcbC=eVkV4Vu0#}E*r=&{X)<H<fOshUJUO>Kgq|8MGCh(wsH4geLj@#8EGYa})K2;n
z{1~=ghoz=9TSCxgzr5x3@sQZZ0FZ+t{?klSI_IZa16pSx6*;=O%n!uXVZ@1IL;JEV
zfOS&yyfE9dtS*^jmgt6>jQDOIJM5Gx#Y2eAcC3l^lmoJ{o0T>IHpEC<k{}Rs{I@x*
zb<od>TbfYgPI4#LZq0<d#zAXFmb<Y9lgw&{$vCxBQ~RnTL=zZ7D-RwUE3~Z#wraN%
z_E{llZ?GrX#>PKqnPC<SBsRloBYG4ZO7Eeh-Bv2C$rMVb@bcKn3t2`<&0ke8{h|+|
z29&HD`tAtGV2ZA(;c{wT$(NWY+fHTL0b7Km+3IMcIX(?D)PQ;HB*^`ex$kl}K>D}_
zyKxz;(`fE0z~nA1s?d{X2!#ZP8wUHzFSOoTWQrk%;wCnBV_3D%3@EC|u$Ao)tO|AO
z$4&aa!wbf}rbNc<V}`mLC?8U0y^+E9xuE>P{6=ajgg(`p5kTeu$ji20`zw)X1SH*x
zN?T36{d9TY*S896Ijc^!35LLUByY4QO=ARCQ#MMCjudFc7s!z%P$6DESz%zZ#>H|i
zw3Mc@v4~{Eke;FWs`5i@ifeYPh-Sb#vCa#qJPL|&quSKF%sp8*n#t?vIE7kFWjNFh
zJC@u^bRQ^?ra|%39Ux^Dn4I}QICyDKF0mpe+Bk}!lFlqS^WpYm&xwIYxUoS-rJ)N9
z1Tz*6Rl9;x`4lwS1cgW^H_M*)Dt*DX*W?ArBf?-t|1~ge&S}xM0K;U9Ibf{okZHf~
z#4v4qc6s6Zgm8iKch5VMbQc~_V-ZviirnKCi*ouN^c_2lo&-M;YSA>W>>^5tlXObg
zacX$k0=9Tf$Eg+#9k6yV(R5-&F{=DHP8!yvSQ`Y~XRnUx@{O$-bGCksk~3&qH^dqX
zkf+ZZ?Nv5u>LBM@2?k%k&_aUb5Xjqf#!&7%zN#VZwmv65ezo^Y4S#(ed0yUn4tFOB
zh1f1SJ6_s?a{)u6VdwUC!Hv=8`%T9(^c`2hc9nt$(q{Dm2X)dK49ba+KEheQ;7^0)
ziFKw$%EHy_B1)M>=yK^=Z$U-LT36yX<F=`VawpD(xy$9hZLKdS9NJ`Zn_|f^uS`)c
z-Rl}C$-9t=SeW=txVx%`NS&LLwx4tQT@F-lQnBqQ-sOH}Jc&bP@MTU&SQLci>>EKT
zvD8IAom2&2?bTmX@_PBR4W|p?6?LQ+&UMzXxqHC5VHzf@Eb1u)kwyfy+NOM8Wa2y@
zNNDL0PE$F;yFyf^jy&RGwDXQwYw6yz>OMWvJt98X@;yr<mIFkh{a&op3>!*RQDBE-
zE*l*u=($Zi1}0-Y4lGaK?J$yQjgb<Bq)i+tJ7(x$;ieC4!=clV5G5IPlSyhAR$E4=
z$1c&+)JfppzZ*VSL$xH3n1^iI1K%)!-^sJU%xwj7WT8t7w6499b3QQ%J+gW)4)JMb
z8GVT`4`(VvLA^xbTV6K2V_8Mv*?gDDUBYV!P-qg?Dq*YIhGKXu$p#?E9&(-}opTbz
zZ#J#VgX+|T3gSW)eF}>+*ljUvNQ!;QYAoCq@>70=sJ{o{^21^?zT@r~hhf&O;Qiq+
ziGQQLG*D@5;LZ%09mwMiE4Q{IPUx-emo*;a6#DrmWr(zY27d@ezre)Z1BGZdo&pXn
z+);gOFelKDmnjq#8dL7CTiVH)dHOqWi~uE|NM^QI3EqxE6+_n>IW67~UB#J==QOGF
zp_S)c8TJ}uiaEiaER}MyB(grNn=2m&0yztA=!%3xUREyuG_jmadN*D&1nxvjZ6^+2
zORi7iX1iPi$tKasppaR9$a3IUmrrX)m*)fg1>H+$KpqeB*G>AQV((-G{}h=qItj|d
zz~{5@{?&Dab6;0c7!!%Se>w($RmlG7Jlv_zV3Ru8b2rugY0MVPOOYGlokI7%nhIy&
z-B&wE=lh2dtD!F?noD{z^O1~Tq4MhxvchzuT_oF3-t4YyA*MJ*n&+1X3<j>~6quEN
z@m~aEp=b2~mP+}TUP^FmkRS_PDMA{B<dV*k52^3iWFIaXBr1MC#nA4rRMbI6g1e0>
zaSy(P=$T~R!yc^Ye0*pl5xcpm_JWI;@-di+nruhqZ4gy7cq-)I&s&Bt3BkgT(Zdjf
zTvvv0)8xzntEtp4iXm}~cT+pi5k{w{(Z@l2XU9lHr4Vy~3ycA_T?V(QS{qwt?v|}k
z_ST!s;C4!jyV5)^6xC#v!o<DVtBeh%T7qnQl{H-3DV=+H*Qr*Tk6W^hU(ZD0kJnpt
z6l*<^aakgBhlA+xpS}v`t7iyV?zu_V<U{&GBzBLYIuzDQe~f#6w^zD>*uS%a-jQ6<
z)>o?z7=+zNNtIz1*F_HJ(w@=`E+T|9TqhC(g7kKDc8z~?RbKQ)LRMn7A1p*PcX2YR
zUAr{);~c7I#3Ssv<0i-Woj0&Z4a!u|@Xt2J1>N-|ED<3$o2V?OwL4oQ%$@!zLamVz
zB)K&Ik^~GOmDAa143{I4?XUk1<3-k{<%?&OID&>Ud%z*Rkt*)mko0RwC2=qFf-^OV
z=d@47?tY=A;=2VAh0mF(3x;!#X!%{|vn;U2XW{(nu5b&8kOr)Kop3-5_xnK5oO_3y
z!EaIb{r%D{7zwtGgFVri4_!yUIGwR(xEV3YWSI_+E}Gdl>TINWsIrfj+7DE?xp+5^
zlr3pM-Cbse*WGKOd3+*Qen^*uHk)+EpH-{u@i%y}Z!YSid<}~kA*IRSk|nf+I1N=2
zIKi+&ej%Al-M5`cP^XU>9A(m7G>58>o|}j0ZWbMg&x`*$B9j#Rnyo0#=BMLdo%=ks
zLa3(2EinQLXQ(3zDe7Bce%Oszu%?8PO648TNst4SMFvj=+{b%)ELyB!0`B?9R6<HO
z0ZCx8TWpL$G_aCzv{2o6N{#z3g%x>aO{i-63|s@|raSQGL~s)9R#J#duFaTSZ2M{X
z1?YuM*a!!|jP^QJ(hAisJuPOM`8Y-Hzl~%d@latwj}t&0{DNNC+zJARnuQfiN`HQ#
z?boY_2?*q;Qk)LUB)s8(Lz5elaW56p&fDH*AWAq7Zrbeq1!?FBGYHCnFgRu5y1jwD
zc|yBz+UW|X`zDsc{W~8m<GsO<mO_1`^L`RbrG?Z6Us2*=^_x$`JV{a_LYEsuJtJYL
ziPBF7dm}M2=6vrP;RB?Z6!7)Zvt4B!$rUPf{RA&_8%VD|7)NrR9*=&gO*sOzLhB*~
z^{cR)lY*pt9GGm(POd`WZo!H=s$8fLl_}-xnV5A+4*BbLUMGLAzH|i9_k(p_(`_J-
zjFFqtuzWuLa;BGl;mNUQM^&@rL--@GcC@@A*GDUdTjOrweNe5I+671K_l#WVI|@LM
z6mSs@4|l^kTD;Gvy}KaDi)#o4AD~D*LX@4{{bfG+FoqQ?-6%VkN)4{7vy<hZ9gNX|
zQxtE>$sh@VVnZD$lLnKlq@Hg^;ky!}ZuPdKNi2BI70;hrpvaA4+Q_+K)I@|)q1N-H
zrycZU`*YUW``Qi^`bDX-j7j^&bO+-Xg$cz2#i##($uyW{Nl&{DK{=lLWV<rkzZltE
zVX#Q@q!0kD+4jwZ#haJNHLSu>3|=<&si||2)l=8^8_z+Vho-#5LB0EqQ3v5U#*DF7
zxT)1j^`m+lW}p$>WSIG1eZ>L|YR-@Feu!YNWiw*IZYh03mq+2QVtQ}1ezRJM?0PA<
z;mK(J5@N8>u@<6Y$QAHWNE};rR|)U_&bv8dsnsza7{=zD1VBcxrALqnOf-qW(zzTn
zTAp|pEo#FsQ$~*$j|~Q;$Zy&Liu9OM;VF@#_&*nL!N2hH!Q6l*OeTxq!l>dEc{;Hw
zCQni{iN%jHU*C;?M-VUaXxf0FEJ_G=C8)C-wD!DvhY+qQ#FT3}Th8;GgV&AV94F`D
ztT6=w_Xm8)*)dBnDkZd~UWL|W=Gl<gto;(*wC9U9tZbpA!j<N3*HCbtKUlby_Vyr4
z!?d@=(#f`*(ud3VsGC{9IRi#5(w*FK!J}~s9(p0ap?ykZJBp1cTUR*jPbbAP&K)BP
zDUly$`B#Sn(aWroZGbyL&=Dg67A>u!$hc|1w7_7l!3MAt95oIp4Xp{M%clu&TXehO
z+L-1#{mjkpTF@?|w1P98OCky~S%@OR&o75P<Wn%&Jm$EVDF7;}E<;f25{W=vmcPFf
zmJVk81ZR1bRmlb|#0}DPdayCjq(27hQh>&ZHvC}Y=(2_{ib(-Al_7aZ^U?s34#H}=
zGfFi5%KnFVCKtdO^>Htpb07#BeCXMDO8U}crpe1Gm`>Q=6qB4i=nLoLZ%p$TY=OcP
z)r}Et-Ed??u~f09d3Nx3bS@ja!fV(Dfa5lXxRs#;8?Y8G+Qvz+iv7fiRkL3liip})
z&G0u8RdEC9c$$rdU53=<QkS9aMArWJ!P8{(D~hr9YfM2Q0nl|;=ukHlQj%<P$wYfa
z?$=heR#}yGJkpA2LI#>MH`p!Jn|DHjhOxHK$tW_pw9wCTf0Eo<){HoN=zG!!Gq4z4
z7PwGh)V<N7ESN6`*^`^Q73fj(wcMs7=5Iu(yJo@Q_F?W?yk3)SdLai+cM6GrKPrjs
za_NJm=uOAmRL5F_{*Yjb_BZNY?)kCB%$WE8;A{ZK>NPXW-cE#MtofE`-$9~nmmj}m
zlzZscQ2+Jq%gaB9rMgVJkbhup0Ggpb)&L01T=%>n7-?v@I8!Q(p&+!fd+Y^Pu9l+u
zek(_$^HYFVRRIFt@0Fp52g5Q#I`tC3li`;UtDLP*rA{-#Yoa5qp{cD)QYhldihWe+
zG~zuaqLY~$-1sjh2lkbXCX;lq+p~!2Z=76cvuQe*Fl>IFwpUBP+d^<W!tp~MwxCaj
zHBQw{tTF&?2^15<bHvmlCS|A$khwaGVZw*2lw&_pOQz;LcFj@Ysq%CZ)?t&74A|dB
z4WL~cZpG-0G^KuK)}aNOTySm-Lt#QyW&mN^>&E4BGc<j4bbw_-4Ttv5`+q&kCfaBq
z#Rl}~m+g*DG5=zM=t?z8cf%Vr>{m#l%Kuo6#{XGoRyFc%Hqhf|%nYd<;yiC>tyEyk
z4I+a<QbTvlzlVm5v2!^bF)s*0Cw+t*kzz%N#&QZ42CimT6ySz~?+nd>`(%%Ie=-*n
z-{mg=j&t12)LH3R?@-B1tEb7FLMePI1HK0`Ae@#)KcS%!Qt9p4_fmBl5zhO10n401
zBSfnfJ;?_r{%R)hh}BBNSl=$BiAKbuWrNGQUZ)+0=Mt&5!X*D@yGCSaMNY&@`;^a4
z;v=%D_!K!WXV1!3%4P-M*s%V2b#2jF2bk!)#2GLVuGKd#vNpRMyg`kstw0GQ8@^k^
zuqK5uR<>FeRZ#3{%!|4X!hh7hgirQ@Mwg%%ez8pF!N$xhMNQN((yS(F2-OfduxxKE
zxY#7O(VGfNuLv-ImAw5+h@gwn%!ER;*Q+001;W7W^waWT%@(T+5k!c3A-j)a8y11t
zx4~rSN0s$M8HEOzkcWW4YbKK9GQez2XJ|Nq?TFy;jmGbg;`m&%U4hIiarKmdTHt#l
zL=H;ZHE?fYxKQQXKnC+K!TAU}r086{4m}r()-QaFmU(qWhJlc$eas&y<Oz%^3FaFm
z1?*33BSANpZbOjV<(WE=T(DuY)_XOR{Jho+f)Z}g61HjnqKKN*8E0S?ATVoi0{#On
zGn@2R)R+{|FLX_EYm8{*=&UqzSkXCnZ)vWGS!9t02v^*;nhYk{U}PXVkPhlRc3UH{
zA-5Xc>?=H9EYQy8N$8^bni9TpD<bzO7YS=tCt}zYcl)|7!PRQIoif~D7yjeqW#(B3
zmpkmPyyRt85TQV!liLz!S@Olwr9!I#6DL45xU1kD`j8+MN!ST75vIA5J=~k_se^q#
zaC@(uVW_ra*o|Fs!(sX4Ik6k-(M%QP2;-Z@Rf=+&=pE`Dv8K9?k1Fg2pF%vW*HO>p
zkA^WRs?KgYgjxX4T6?`SMs$`s3vlut(YU~f2F+id(Rf_)$BIMibk9lACI~LA+i7xn
z%-+=DHV*0TCTJp~-|$VZ@g2vmd*|2QXV;HeTzt530KyK>v&253N1l}bP_J#UjLy4)
zBJili9#-ey8Kj(dxmW^ctorxd;te|xo)%46l%5qE-YhAjP`Cc03vT)vV&GAV%#Cgb
zX~2}uWNvh`2<*AuxuJpq>SyNtZwzuU)r@@dqC@v=Ocd(HnnzytN+M&|Qi#f4Q8D=h
ziE<3ziFW%+!yy(q{il8H44g^5{_+pH60Mx5Z*FgC_3hKxmeJ+wVuX?T#ZfOOD3E4C
zRJsj#wA@3uvwZwHKKGN{{Ag+8^cs?S4N@6(Wkd$CkoCst(Z&hp+l=ffZ?2m%%ffI3
zdV7coR`R+*dPbNx=*ivWeNJK=Iy_vKd`-_Hng{l?hmp=|T3U&epbmgXXWs9ySE|=G
zeQ|^ioL}tve<e`!rDYCFUej_ysJ2z(4AIN3g4xGaB0&Y<^`&A^@AOml<{gmBP!-y6
z!IsbSiZ8eH@;)gbXcV?N4*>N{s72_&h+F+W;G}?;?_s@h5>DX(rp#eaZ!E=NivgLI
zWykLKev+}sHH41NCRm7W>K+_qdoJ8x9o5Cf!)|qLtF7Izxk*p|fX8UqEY)_sI_45O
zL2u>x=r5xLE%s|d%MO>zU%KV6QKFiEeo12g#bhei4!Hm+`~Fo~4h|BJ)%ENxy9)Up
zOxupSf1QZWun=)gF{L0YWJ<(r0?$bPFANrmphJ>kG`&7E+RgrWQi}ZS#-CQJ*i#8j
zM_A0?w@4Mq@xvk^>QSvEU|VYQoVI=TaOrsLTa`RZfe8{9F~mM{L+C`9YP9?Okn<Y+
zQ`?h`EW57j4Qxm_DjacY`kEKG93n7#6{CBssPbH&1L2KSo|Htm*KD+0p<wD8e>Lw|
zmkvz>cS6`pF0FYeLdY%>u&XpPj5$*iYkj=m7wMzHqzZ5SG~$i_^f@QEPEC+<2nf-{
zE7W+n%)q$!5@2pBuXMxhUSi*%F>e_g!$T-_`ovjBh(3jK9Q^~OR{)}!0}vdTE^M+m
z9QWsA?xG>EW;U~5gEuKR)Ubfi&YWnXV;3H6Zt^NE725*`;lpSK4HS1sN?{~9a4JkD
z%}23oAovytUKfRN87XTH2c=kq1)O<qRzRUy={bH%*8V=pA##jg=-EE6(Lotu<IYEm
zZ71>5(fH_M3M-o{{@&~KD`~TRot-gqg7Q2U2o-iiF}K>m?CokhmO<lc^{s0_OssMw
zc*3nzZ5WN~$;I6TzaKlN9W+6*SX5vHzSUyIfdtNx5K}gB*a}Ei-T%?Pusx0i{k6zW
zVCCXrjNT1#YIkZ%s$(OfAJ`FBR*66B?{y$nkK6iXlBVVr@2#yGM6%0i_(U5#>DaLB
z1p6(6JYGntNOg(s!(>ZU&lzDf+Ur)^Lirm%*}Z>T)9)fAZ9>k(kvnM;ab$ptA=hoh
zVgsVaveXbMpm{|4*d<0>?l_JUFOO8A3xNLQOh%nVXjYI6X8h?a@6kDe5-m&;M0xqx
z+1U$s>(P9P)f0!{z%M@E7|9nn#IWgEx6A6JNJ(7dk`%6$3@!C!l;JK-p2?gg+W|d-
ziEzgk$w7k48NMqg$CM*4O~Abj3+_yUKTyK1p6GDsGEs;}=E_q>^LI-~pym$qhXPJf
z2`!PJDp4l(TTm#|n@bN!j;-FFOM__eLl!6{*}z=)UAcGYloj?bv!-XY1TA6Xz;82J
zLRaF{8ayzGa|}c--}|^xh)xgX>6R(sZD|Z|qX50gu=d`gEwHqC@WYU7{%<5VOnf9+
zB<I4+b1=sZ53G|-kvYcPViY)E5R#f6q2$x?f020VY)3|@p~2oGrySSwa~uPN4nC&g
zX!I>@FX?|UL%`8EIAe!*UdYl|6wRz6Y>(#8x92$#y}wMeE|ZM2X*c}dKJ^4NIf;Fm
zNwzq%QcO?$NR-7`su!*$dlIKo2y(N;qgH@1|8QNo$0wbyyJ2^}$iZ>M{BhBjTdMjK
z>gPEzgX4;g3$rU?jvDeOq`X=>)zdt|jk1Lv3u~bjHI=EGLfIR&+K3ldcc4D&Um&04
z3^F*}WaxR(ZyaB>DlmF_UP@+Q*h$&nsOB#gwLt{1#F4i-{A5J@`>B9@{^i?g_Ce&O
z<<}_We-RUFU&&MHa1#t56u<quT+%|#XvIpRJ?co{{tU0{tvlHG=;UJAM%ZgS1Wk*<
zbzK}T;?L5YLE4NLu9J0u#X!J<y<O?uV#gKBNVOZ@7SW<kFyslWRX@_C90;+zxGfEz
zb5V;-W-;gzJ|=>_oM(Ljn7djja!T|gcxSoR=)@?owC*NkDarpBj=W4}=i1@)@L|C)
zQKA+o<(pMVp*Su(`zBC0l1yTa$MRfQ#uby|$mlOM<xEsq_18&vqMDMD7Zoz%Fkm7A
z3)Py9=vTp8h$K)n9Uvzc$sVOT&zol^a%bZk8R4Y8^rZSJmY_uRt<`DC1F!?x#33tZ
ze&XW>s=G`4J|?apMzKei%jZql#gP@IkOaOjB7MJM=@1j(&!jNnyVkn5;4lvro1!vq
ztXiV8HYj5%)r1PPpIOj)f!><jg)vV+x8*ZL<Q!-CP7F3VXp#~OA}`YkX&1&s!htsT
z^$c2`mPAtTVX<qUk`r6!8Vb=Uc23%M)2;P#-xg0%R+ozayS`Bp$+go_wMt83+CODc
z2B}|cG;*tiKwHPYIq{X<`rJQAk*7&QC@O%H3Z553ow$9gREC4~b(*v-N%(bN;Y@mL
zsmAcMVly_+3OO{6?K&3Aei;$vMv!82h}`Bdn#~L=J)xK(4o*51?I7`(&5m9X))pa;
zLPfmH5<-xa-W%$*L{V<;N$-)VdNT!&jA&vHrEgBjjo5UU0If7Vhz3vkcHNAY5aT+C
zc5euR<}4<-qaBP_Zef)X2|HW=07DGXb>pc^3#LvfZ(hz}C@-3R(Cx7R427*Fwd!XO
z4~j&IkPHcBm0h_|iG;ZNrYdJ4HI!$rSyo&sibmwIgm1|J#g6%>=ML1r!kcEhm(XY&
zD@mIJt;!O%WP7CE&wwE3?1-dt;RTHdm~LvP7K`ccWXkZ0kfFa2S;wGtx_a}S2lslw
z$<4^Jg-n#Ypc(3t2N67Juasu=h)j&UNTPNDil4MQMTlnI81kY46uMH5B^U{~nmc6+
z9>(lGhhvRK9ITfpAD!XQ&BPphL3p8B4PVBN0NF6U49;ZA0Tr75AgGw7(S=Yio+xg_
zepZ*?V#KD;sHH+15ix&yCs0eSB-Z%D%uujlXvT#V$Rz@$+w!u#3GIo*AwMI#Bm^oO
zLr1e}k5W~G0xaO!C%Mb{sarxWZ4%Dn9vG`KHmPC9GWZwOOm11XJp#o0-P-${3m4g(
z6~)X9FXw%Xm~&99tj>a-ri})ZcnsfJtc10F@t9xF5vq6E)X!iUXHq-ohlO`gQdS&k
zZl})3k||u)!_=nNlvMbz%AuIr89l#I$;rG}qvDGiK?xTd5HzMQkw*p$YvFLGyQM!J
zNC^gD!kP{A84nGosi~@MLKqWQNacfs7O$dkZtm4-BZ~iA8xWZPkTK!Hp<LTap+x4*
zUK;Ha0;Jc=$HCCwcHw+aadnOZR281fO)q}D^z9=|qH9;-;e${xK|?9elJ8=LaM<65
zE6;>A5zr!9Z&+icfAJ1)NWkTd!-9`NWU>9uXXUr;`Js#NbKFgrNhTcY4GNv*71}}T
zFJh?>=EcbUd2<|fiL+H=wMw8hbX6?+_cl4XnCB#ddwdG><R|vBc*yG=?!<`t>bki*
zt*&6Dy&EIPluL@A3_;R%)shA-tDQA1!Tw4ffBRyy;2n)vm_JV06(4O<t|JggQ(KZT
zsYO62-6u^^mX>r&QAOKNZB5f(MVC}&_!B>098R{Simr!UG}?CW1Ah+X+0#~0`X)od
zLYablwmFxN21L))!_zc`IfzWi<Gu||u|EiUx`=l}NMzvxMP68pmmwjICH*y4{3)P@
z%y44Q*AVc4<$z9@nMeRAeVJ+>`5>MxPe(Dm<mb5oz44!o-XIzF2v`EK`q7j%sCMv2
zL>jjO1}HHt7TJtAW+VXHt!aKZk>y6PoMsbDXRJnov;D~Ur~2R_7(Xr)aa%wJwZh<i
zvMmaF%EvU)a6S{Gh%whrx@S36i|iv5oL=QhR4YK<CK74@mwN~dH00RX{_e6r+#l%j
z7OK<7e3kn;@H(@8>S3gr7IGgt%@;`jpL@gyc6bGCVx!9CE7NgIbUNZ!Ur1RHror0~
zr(j$^yM4j`#c2KxSP61;(Tk^pe7b~}LWj~SZC=MEpdKf;B@on9=?_n|R|0q;Y*1_@
z>nGq>)&q!;u-8H)WCwtL<LrD$x{Fa((5#4K!l=^|krt6e2?!PZN=Rmwt*1$d&$Q{J
zCgeI0rGg+wn3iR*eck$cFmbQ~E3GYxr&dJb(4{lgPt?n#^<GT#&j{om5`|wE6bW}}
ze{Pav1oDZnak%Fz$PD1ZH8xBo#FnqUG6u>&7F4vbnnfSAlK1mwnRq2&gZrEr!b1MA
z(3%vAbh3aU-IX`d7b@q`-WiT6eitu}ZH9x#d&qx}?CtDuAXak%5<-P!{a`V=$|XmJ
zUn@4lX6#ulB@a=&-9HG)a>KkH=jE7>&S&N~0X0zD=Q=t|7w;kuh#cU=NN7gBGbQTT
z;?<kJaO{>bdSt8V&IIi}<ThZP?O{MP;s77svl-cIdCj)d-BZGJap1Ull?cz;BdUt4
zMAS0={#2iyI>sDTzA0dkU}Z-Qvg;RDe8v>468p3*&hbG<I%;HTx8<Z&Ih@Xrl%AO4
zEZ252P#-|8MJE+L5IXho^0!PtBR61%3tAJ8RP$~a8%~<+5(4Lyh@;kvSLVbDc4PRn
z?4(9&{Rpo>T1I3hi9hh~Z(!H}{+>eUyF)H&gdrX=k$aB%J6I<Mis<6rrEG;E4zw&M
zYsQ6$FFc_^cwkYGT9ds?4^G_w2+$2L@}W#bXUf0JW}7J?EgbIp`jFFailmTZXuEyM
z?LcqfTM!s>;6+^^kn1mL+E+?A!A}@xV(Qa@M%HD5C@+-4Mb4lI=Xp=@9+^x+jhtOc
zYgF2aVa(uSR*n(O)e6tf3JEg2xs#dJfhEmi1iOmDYWk|wXNHU?g23^IGKB&yHnsm7
zm_+;p?YpA#N*7vXCkeN2LTNG`{QDa#U3fcFz7SB)83=<8rF)|udrEbrZL$o6W?oDR
zQx!178Ih9B#D9Ko$H(jD{4MME&<|6%MPu|TfOc#E0B}!j^MMpV69D#h2`vsEQ{(?c
zJ3Lh!3&=yS5fWL~;1wCZ?)%nmK`Eqgcu)O6rD^3%ijcxL50^z?OI(LaVDvfL0#zjZ
z2?cPvC$QCzpxpt5jMFp05OxhK0F!Q<m=7hVYzR||ecS~Bi9y8}>`rPhDi5)y=-0C}
zIM~ku&S@pl1&0=jl+rlS<4`riV~LC-#pqNde@44MB(j%)On$0Ko(@q?4`1?4149Z_
zZi!5aU@2vM$dHR6WSZpj+VboK+>u-CbNi7*lw4K^ZxxM#24_Yc`<w`lM<_9<AjZra
zPf9|W$q@ib+eT6)aN(T>jvb9NPVi75L+MlM^U~`;a7`4H0L|TYK>%hfEfXLsu1JGM
zbh|8{wuc7ucV+`Ys1kqxsj`dajwyM;^X^`)#<+a~$WFy8b2t_RS{8yNYKKlnv+>vB
zX(QTf$kqrJ;%I@EwEs{cIcH@Z3|#^S@M+5jsP<^`@8^I4_8MlBb`~cE^n+{{;qW2q
z=p1=&+fUo%T{GhVX@;56kH8K_%?X=;$OTYqW1L*)hzelm^$*?_K;9JyIWhsn4SK(|
zSmXLTUE8VQX{se#8#Rj*lz`xHtT<61V~fb;WZUpu(M)f#<N`ZtP}(nwt@v*JXMv*g
zTjkPmLef!CJNB3?7*>;I+2_zR+)y5Jv?l`CxAinx|EY!`IJ*x9_gf_k&Gx2alL!hK
zUWj1T_pk|?iv}4EP#PZvYD_-LpzU!NfcL<ZIyO_4myXe0OU}<Cprr_|XIrM73FXg`
zNRt~K9+=_-Laa5&Rt6kJaobEvjFnh>L%fK&r$W8O1KH9c2&GV~N#T$kaXGvAOl)|T
zuF9%6(i=Y3q?X%VK-D2YIY<MPA*$`<$Z)_O$(a?^Bnjd_-qk6atAX5(s0D1W1}`G9
zl)%h^mai+5Kwy1+I$Zaauh0oNm3mQUQ=`8aEAo=0zrm72grj|c8&W!-^+^6zMgm-+
zSpJe{_P`h~;t1=21VLIQ5n~@Q5Y=~VMN|L<mJfGW44?>FPH3f|g$TrXW->&^Ab`WT
z7>Oo!u1u40?jAJ8H<j_H`^tLy@LZ5-N)dU$=t?bXuTI1>y`bv}qb<AzbCJ<X7c~}%
z50@S(*;X)_P8TrUWZGQQn`AI#Eve&0+FNaAqg<m^ZNYdEveME+t5Q5DV5-rT<{g7@
zG+rSFooLii=nDW~qWOU#YzUJee#V*XI!cGhpz&<{SF!$pIm@`rT3A99J?qG9DPU@z
z9jawkO0(cqfU^RIM<K3r*yl0SKgPT>gs8)cF0&qeVjD?e+3Ggn1Im>K77ZSpbU*08
zfZkIFcv?y)!*B{|>nx@cE{KoutP+seQU?bCGE`tS0GKUO3PN~t=2u7q_6$l;uw^4c
zVu^f{uaqsZ{*a-N?2B8ngrLS8<WR!m{e>E&s6}Xtv9rR9C^b`@q8*iH)pFz<!x=AK
zf6E-O(MiUN4a^nRWR%`TBl@CGu2cFmmpRkBUAPvyvw&qDg1_6Y)ycUoITv4yV(Mk5
z=Dtmg6tsakVjdG2BV~=LD3YcTEr=j6ou|^*Qem;+#vOz?`MQ>f1|kCfiLw6u{Z%aC
z!X^5CzF6qofFJgkl<Rtc72CagCpKF^gmhb1CH>JV3oc|Qc2XdFl+y5M9*P8}A>Kh{
zWRgRwMSZ(?Jw;m%0etU5BsWT-Dj-5F;Q$OQJrQd+lv`i6>MhVo^p*^w6{~=fhe|bN
z*37oV0kji)4an^%3ABbg5RC;CS50@PV5_hKfXjYx+(DqQdKC^JIEMo6X66$qDdLRc
z!YJPSKnbY`#Ht6`g@xGzJmKzz<St<)P9XB^ZWQT2VtTE^8HdQx8o;%`J{lUpkn0!&
z^d*IdfCW?sDnD#zV!vee5Xd}&#I@u4z;`)LVXVayyf`~NUMeM>n|abYbP+_Q(v?~~
z96%cd{E0BCsH^0HaWt{y(Cuto4VE7jhB1Z??#UaU(*R&Eo+J`UN+8mcb51F|I|n*J
zJCZ3R*OdyeS9hWkc_mA7-br>3Tw=CX2bl(=TpVt#WP8Bg^vE_9bP&6ccAf3lFMgr`
z{3=h@?Ftb$RTe&@IQtiJf<Z$(x)W;Yibdk0Eou)O=h)|ox2XJhbM7gDjm$)%o0c)W
z!;CM_%5jr$Dk{vl7{DX~*^!MCEDILf;SGbcLK^kRyl}+&4r>V;O&4fzh)e1>7seG;
z=%mA4@c7{aXeJnhEg2J@Bm;=)j=O=cl#^NNkQ<{r;Bm|8Hg}bJ-S^g4`|itx)~!LN
zXtL}?f1Hs6UQ+f0-X6&TBCW=A4>bU0{rv8C4T!(wD-h>VCK4YJk`6C9$by!fxOYw-
zV#n+0{E(0ttq<e;u-JNg<=7mR)Baf(#XbsMPDR?mv12UXo+AuGM*TW4&Dbw3MHmyv
zzQ)3g$Jc}F5k_3<jP&G5r+akl<UzYyi9?xB4hK@h8+B`?3~Bn5^eKgTbZcatPPir(
zn|7xaL9v;L3{V1l&DQSp%TOnp^O8OS$m-yD0^r7mU@qJQ<RvUSI@G_}IuDMi8mq0p
z?O{gor*9fmQL7Mrb|ducn%AQOk@nhAYv{%&-E+j$)7Bpd*!L2Cg%7pf&3ZLxA5Fwj
z%8~}*Sw2G<h3E&$jhO(1=)P&U%mN)4Rk5JcPDUdUN*FM8j0Mg^@Z|6~Ym*2e3TCV6
z?5B1NxqE*aMe#2m&+Fz%OG!n`J`B2Ww|QiS6U=1^3d+6`ls$U%hB`nu)=J>_#16B}
ze8$E#X9o{B!0vbq#WUwmv5Xz6{(!^~+}sBW{xctdNHL4^vDk!0E}(g|W_q;jR|ZK<
z8w>H-8G{%R#%f!E7cO_^B?yFRKLOH)RT9GJsb+kAKq~}WIF)NRLwKZ^Q;>!2MNa|}
z-mh?=B;*&D{Nd-mQRcfVnHkChI=DRHU4ga%xJ%+QkBd|-d9uRI76@BT(bjsjwS+r)
zvx=lGNLv1?SzZ;P)Gnn>04fO7Culg*?LmbEF0fATG8S@)oJ>NT3pYAXa*vX!eUTDF
ziBrp(QyDqr0ZMTr?4uG_Nqs6f%S0g?h`1vO5fo=5S&u#wI2d4+3hWiolEU!=3_oFo
zfie<EEFWI+<HRR}kMBRY{{xT?Ubu+n1E+3-XyZ@DlC1|CziB+t8LH;pSr1_{$txb2
z{LD6Cutu@sVLZ$sgxfHzi88%ifnz%FWxPwItQ=UFSeRQ?XX#H8uXPtSY1Da8V^-Nz
zx}G&3QUOW&pFuYAPt>?+4W#`;1dd#X@g9Yj<53S<6OB!TM8w8})7k-$&q5(smc%;r
z(BlXkTp`C47+%4JA{2X}MIaPbVF!35P#p;u7+fR*46{T+LR8+<Ms(<(ewo92Plp}^
z0K5%%0PpyoHDM$82Vjt^Jp>j25oduCfDzDv6R-hU{TVVo9fz?^N3ShMt!t0NsH)pB
zRK8-S{Dn*y3b|k^*?_B70<2gHt==l7c&cT>r`C#{S}J2;s#d{M)ncW(#Y$C*lByLQ
z&?+{dR7*gpdT~(1;<m}fXp@S^XBCFbD&Le<rzooSQB^d8r#S^ok_xS36-~w}kc?Ej
z7^zYrQY=EF$c06)iin^U556ixd{lb)^l<R>M(FfF==3z`^eW)=5a9RqvF-)2?S-(G
zhS;p(u~_qBum*q}On@$#08}ynd0+spzyVco0%G6;<-i5&016cV5UKzhQ~)fX03|>L
z8ej+HzzgVr6_5ZUpa4HW0Ca!=r1%*}Oo;2no&Zz8DfR)L!@r<<lmB!F&$32&71xdc
zAQ}KMGyqI!0F2N8;eY{y00CwIf0+QV$OUD<C@ujha0p9)KwJUh;0%`lShxaZKm`>5
z2viSZpmvo5XqXyAz{Ms7`7kX>fnr1gi4X~7KpznRT0{Xc5Cfz@43PjBMBoH@z_{~(
z(Wd}IPJ9hH+%)Fc)0!hrV+(A;76rhtI|YHbEDeERV~Ya>SQg^IvlazFkSK(KG9&{q
zkPIR~EeQaaBmwA<20}m<i2yt#0ML*D!NB+q2RLvyLxH9o41nNb1p??O7J)#e3I!NY
z1wlX)g#bnj0Jty$0KoMI0Cb7`0i50h9gE~g7Om;jPg0kO>BO?)N$(z1@p)5?%}rM|
zGF()~Z&Kx@OIDRI$d0T8;JX@vj3^2%pd_+@l9~a4lntZ;AvUIjqIZbuNTR6@hNJoV
zk4F;ut)LN4ARuyn2M6F~eg-e#UH%2P;8uPGFW^vq1vj8mdIayFOZo(tphk8C7hpT~
z1Fv8?b_LNR3QD9J+!v=p%}#<WkmT3SAH~zHvL~<r009F5U;qFWp(o;x5Q1O?TufB{
c@Yw=E7;q9obAc&xg(1}n;wTCO(gbOOU|30r`2YX_

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.svg b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.svg
new file mode 100644
index 0000000000..94fb5490a2
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.svg
@@ -0,0 +1,288 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
+<svg xmlns="http://www.w3.org/2000/svg">
+<metadata></metadata>
+<defs>
+<font id="glyphicons_halflingsregular" horiz-adv-x="1200" >
+<font-face units-per-em="1200" ascent="960" descent="-240" />
+<missing-glyph horiz-adv-x="500" />
+<glyph horiz-adv-x="0" />
+<glyph horiz-adv-x="400" />
+<glyph unicode=" " />
+<glyph unicode="*" d="M600 1100q15 0 34 -1.5t30 -3.5l11 -1q10 -2 17.5 -10.5t7.5 -18.5v-224l158 158q7 7 18 8t19 -6l106 -106q7 -8 6 -19t-8 -18l-158 -158h224q10 0 18.5 -7.5t10.5 -17.5q6 -41 6 -75q0 -15 -1.5 -34t-3.5 -30l-1 -11q-2 -10 -10.5 -17.5t-18.5 -7.5h-224l158 -158 q7 -7 8 -18t-6 -19l-106 -106q-8 -7 -19 -6t-18 8l-158 158v-224q0 -10 -7.5 -18.5t-17.5 -10.5q-41 -6 -75 -6q-15 0 -34 1.5t-30 3.5l-11 1q-10 2 -17.5 10.5t-7.5 18.5v224l-158 -158q-7 -7 -18 -8t-19 6l-106 106q-7 8 -6 19t8 18l158 158h-224q-10 0 -18.5 7.5 t-10.5 17.5q-6 41 -6 75q0 15 1.5 34t3.5 30l1 11q2 10 10.5 17.5t18.5 7.5h224l-158 158q-7 7 -8 18t6 19l106 106q8 7 19 6t18 -8l158 -158v224q0 10 7.5 18.5t17.5 10.5q41 6 75 6z" />
+<glyph unicode="+" d="M450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-350h350q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-350v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v350h-350q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5 h350v350q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xa0;" />
+<glyph unicode="&#xa5;" d="M825 1100h250q10 0 12.5 -5t-5.5 -13l-364 -364q-6 -6 -11 -18h268q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-100h275q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-174q0 -11 -7.5 -18.5t-18.5 -7.5h-148q-11 0 -18.5 7.5t-7.5 18.5v174 h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h125v100h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h118q-5 12 -11 18l-364 364q-8 8 -5.5 13t12.5 5h250q25 0 43 -18l164 -164q8 -8 18 -8t18 8l164 164q18 18 43 18z" />
+<glyph unicode="&#x2000;" horiz-adv-x="650" />
+<glyph unicode="&#x2001;" horiz-adv-x="1300" />
+<glyph unicode="&#x2002;" horiz-adv-x="650" />
+<glyph unicode="&#x2003;" horiz-adv-x="1300" />
+<glyph unicode="&#x2004;" horiz-adv-x="433" />
+<glyph unicode="&#x2005;" horiz-adv-x="325" />
+<glyph unicode="&#x2006;" horiz-adv-x="216" />
+<glyph unicode="&#x2007;" horiz-adv-x="216" />
+<glyph unicode="&#x2008;" horiz-adv-x="162" />
+<glyph unicode="&#x2009;" horiz-adv-x="260" />
+<glyph unicode="&#x200a;" horiz-adv-x="72" />
+<glyph unicode="&#x202f;" horiz-adv-x="260" />
+<glyph unicode="&#x205f;" horiz-adv-x="325" />
+<glyph unicode="&#x20ac;" d="M744 1198q242 0 354 -189q60 -104 66 -209h-181q0 45 -17.5 82.5t-43.5 61.5t-58 40.5t-60.5 24t-51.5 7.5q-19 0 -40.5 -5.5t-49.5 -20.5t-53 -38t-49 -62.5t-39 -89.5h379l-100 -100h-300q-6 -50 -6 -100h406l-100 -100h-300q9 -74 33 -132t52.5 -91t61.5 -54.5t59 -29 t47 -7.5q22 0 50.5 7.5t60.5 24.5t58 41t43.5 61t17.5 80h174q-30 -171 -128 -278q-107 -117 -274 -117q-206 0 -324 158q-36 48 -69 133t-45 204h-217l100 100h112q1 47 6 100h-218l100 100h134q20 87 51 153.5t62 103.5q117 141 297 141z" />
+<glyph unicode="&#x20bd;" d="M428 1200h350q67 0 120 -13t86 -31t57 -49.5t35 -56.5t17 -64.5t6.5 -60.5t0.5 -57v-16.5v-16.5q0 -36 -0.5 -57t-6.5 -61t-17 -65t-35 -57t-57 -50.5t-86 -31.5t-120 -13h-178l-2 -100h288q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-138v-175q0 -11 -5.5 -18 t-15.5 -7h-149q-10 0 -17.5 7.5t-7.5 17.5v175h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v100h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v475q0 10 7.5 17.5t17.5 7.5zM600 1000v-300h203q64 0 86.5 33t22.5 119q0 84 -22.5 116t-86.5 32h-203z" />
+<glyph unicode="&#x2212;" d="M250 700h800q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#x231b;" d="M1000 1200v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-50v-100q0 -91 -49.5 -165.5t-130.5 -109.5q81 -35 130.5 -109.5t49.5 -165.5v-150h50q21 0 35.5 -14.5t14.5 -35.5v-150h-800v150q0 21 14.5 35.5t35.5 14.5h50v150q0 91 49.5 165.5t130.5 109.5q-81 35 -130.5 109.5 t-49.5 165.5v100h-50q-21 0 -35.5 14.5t-14.5 35.5v150h800zM400 1000v-100q0 -60 32.5 -109.5t87.5 -73.5q28 -12 44 -37t16 -55t-16 -55t-44 -37q-55 -24 -87.5 -73.5t-32.5 -109.5v-150h400v150q0 60 -32.5 109.5t-87.5 73.5q-28 12 -44 37t-16 55t16 55t44 37 q55 24 87.5 73.5t32.5 109.5v100h-400z" />
+<glyph unicode="&#x25fc;" horiz-adv-x="500" d="M0 0z" />
+<glyph unicode="&#x2601;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -206.5q0 -121 -85 -207.5t-205 -86.5h-750q-79 0 -135.5 57t-56.5 137q0 69 42.5 122.5t108.5 67.5q-2 12 -2 37q0 153 108 260.5t260 107.5z" />
+<glyph unicode="&#x26fa;" d="M774 1193.5q16 -9.5 20.5 -27t-5.5 -33.5l-136 -187l467 -746h30q20 0 35 -18.5t15 -39.5v-42h-1200v42q0 21 15 39.5t35 18.5h30l468 746l-135 183q-10 16 -5.5 34t20.5 28t34 5.5t28 -20.5l111 -148l112 150q9 16 27 20.5t34 -5zM600 200h377l-182 112l-195 534v-646z " />
+<glyph unicode="&#x2709;" d="M25 1100h1150q10 0 12.5 -5t-5.5 -13l-564 -567q-8 -8 -18 -8t-18 8l-564 567q-8 8 -5.5 13t12.5 5zM18 882l264 -264q8 -8 8 -18t-8 -18l-264 -264q-8 -8 -13 -5.5t-5 12.5v550q0 10 5 12.5t13 -5.5zM918 618l264 264q8 8 13 5.5t5 -12.5v-550q0 -10 -5 -12.5t-13 5.5 l-264 264q-8 8 -8 18t8 18zM818 482l364 -364q8 -8 5.5 -13t-12.5 -5h-1150q-10 0 -12.5 5t5.5 13l364 364q8 8 18 8t18 -8l164 -164q8 -8 18 -8t18 8l164 164q8 8 18 8t18 -8z" />
+<glyph unicode="&#x270f;" d="M1011 1210q19 0 33 -13l153 -153q13 -14 13 -33t-13 -33l-99 -92l-214 214l95 96q13 14 32 14zM1013 800l-615 -614l-214 214l614 614zM317 96l-333 -112l110 335z" />
+<glyph unicode="&#xe001;" d="M700 650v-550h250q21 0 35.5 -14.5t14.5 -35.5v-50h-800v50q0 21 14.5 35.5t35.5 14.5h250v550l-500 550h1200z" />
+<glyph unicode="&#xe002;" d="M368 1017l645 163q39 15 63 0t24 -49v-831q0 -55 -41.5 -95.5t-111.5 -63.5q-79 -25 -147 -4.5t-86 75t25.5 111.5t122.5 82q72 24 138 8v521l-600 -155v-606q0 -42 -44 -90t-109 -69q-79 -26 -147 -5.5t-86 75.5t25.5 111.5t122.5 82.5q72 24 138 7v639q0 38 14.5 59 t53.5 34z" />
+<glyph unicode="&#xe003;" d="M500 1191q100 0 191 -39t156.5 -104.5t104.5 -156.5t39 -191l-1 -2l1 -5q0 -141 -78 -262l275 -274q23 -26 22.5 -44.5t-22.5 -42.5l-59 -58q-26 -20 -46.5 -20t-39.5 20l-275 274q-119 -77 -261 -77l-5 1l-2 -1q-100 0 -191 39t-156.5 104.5t-104.5 156.5t-39 191 t39 191t104.5 156.5t156.5 104.5t191 39zM500 1022q-88 0 -162 -43t-117 -117t-43 -162t43 -162t117 -117t162 -43t162 43t117 117t43 162t-43 162t-117 117t-162 43z" />
+<glyph unicode="&#xe005;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104z" />
+<glyph unicode="&#xe006;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429z" />
+<glyph unicode="&#xe007;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429zM477 700h-240l197 -142l-74 -226 l193 139l195 -140l-74 229l192 140h-234l-78 211z" />
+<glyph unicode="&#xe008;" d="M600 1200q124 0 212 -88t88 -212v-250q0 -46 -31 -98t-69 -52v-75q0 -10 6 -21.5t15 -17.5l358 -230q9 -5 15 -16.5t6 -21.5v-93q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v93q0 10 6 21.5t15 16.5l358 230q9 6 15 17.5t6 21.5v75q-38 0 -69 52 t-31 98v250q0 124 88 212t212 88z" />
+<glyph unicode="&#xe009;" d="M25 1100h1150q10 0 17.5 -7.5t7.5 -17.5v-1050q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v1050q0 10 7.5 17.5t17.5 7.5zM100 1000v-100h100v100h-100zM875 1000h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5t17.5 -7.5h550 q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM1000 1000v-100h100v100h-100zM100 800v-100h100v100h-100zM1000 800v-100h100v100h-100zM100 600v-100h100v100h-100zM1000 600v-100h100v100h-100zM875 500h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5 t17.5 -7.5h550q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM100 400v-100h100v100h-100zM1000 400v-100h100v100h-100zM100 200v-100h100v100h-100zM1000 200v-100h100v100h-100z" />
+<glyph unicode="&#xe010;" d="M50 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM50 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe011;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM850 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 700h200q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h200 q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5 t35.5 14.5z" />
+<glyph unicode="&#xe012;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h700q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe013;" d="M465 477l571 571q8 8 18 8t17 -8l177 -177q8 -7 8 -17t-8 -18l-783 -784q-7 -8 -17.5 -8t-17.5 8l-384 384q-8 8 -8 18t8 17l177 177q7 8 17 8t18 -8l171 -171q7 -7 18 -7t18 7z" />
+<glyph unicode="&#xe014;" d="M904 1083l178 -179q8 -8 8 -18.5t-8 -17.5l-267 -268l267 -268q8 -7 8 -17.5t-8 -18.5l-178 -178q-8 -8 -18.5 -8t-17.5 8l-268 267l-268 -267q-7 -8 -17.5 -8t-18.5 8l-178 178q-8 8 -8 18.5t8 17.5l267 268l-267 268q-8 7 -8 17.5t8 18.5l178 178q8 8 18.5 8t17.5 -8 l268 -267l268 268q7 7 17.5 7t18.5 -7z" />
+<glyph unicode="&#xe015;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM425 900h150q10 0 17.5 -7.5t7.5 -17.5v-75h75q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5 t-17.5 -7.5h-75v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-75q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v75q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe016;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM325 800h350q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-350q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe017;" d="M550 1200h100q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM800 975v166q167 -62 272 -209.5t105 -331.5q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5 t-184.5 123t-123 184.5t-45.5 224q0 184 105 331.5t272 209.5v-166q-103 -55 -165 -155t-62 -220q0 -116 57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5q0 120 -62 220t-165 155z" />
+<glyph unicode="&#xe018;" d="M1025 1200h150q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM725 800h150q10 0 17.5 -7.5t7.5 -17.5v-750q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v750 q0 10 7.5 17.5t17.5 7.5zM425 500h150q10 0 17.5 -7.5t7.5 -17.5v-450q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v450q0 10 7.5 17.5t17.5 7.5zM125 300h150q10 0 17.5 -7.5t7.5 -17.5v-250q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5 v250q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe019;" d="M600 1174q33 0 74 -5l38 -152l5 -1q49 -14 94 -39l5 -2l134 80q61 -48 104 -105l-80 -134l3 -5q25 -44 39 -93l1 -6l152 -38q5 -43 5 -73q0 -34 -5 -74l-152 -38l-1 -6q-15 -49 -39 -93l-3 -5l80 -134q-48 -61 -104 -105l-134 81l-5 -3q-44 -25 -94 -39l-5 -2l-38 -151 q-43 -5 -74 -5q-33 0 -74 5l-38 151l-5 2q-49 14 -94 39l-5 3l-134 -81q-60 48 -104 105l80 134l-3 5q-25 45 -38 93l-2 6l-151 38q-6 42 -6 74q0 33 6 73l151 38l2 6q13 48 38 93l3 5l-80 134q47 61 105 105l133 -80l5 2q45 25 94 39l5 1l38 152q43 5 74 5zM600 815 q-89 0 -152 -63t-63 -151.5t63 -151.5t152 -63t152 63t63 151.5t-63 151.5t-152 63z" />
+<glyph unicode="&#xe020;" d="M500 1300h300q41 0 70.5 -29.5t29.5 -70.5v-100h275q10 0 17.5 -7.5t7.5 -17.5v-75h-1100v75q0 10 7.5 17.5t17.5 7.5h275v100q0 41 29.5 70.5t70.5 29.5zM500 1200v-100h300v100h-300zM1100 900v-800q0 -41 -29.5 -70.5t-70.5 -29.5h-700q-41 0 -70.5 29.5t-29.5 70.5 v800h900zM300 800v-700h100v700h-100zM500 800v-700h100v700h-100zM700 800v-700h100v700h-100zM900 800v-700h100v700h-100z" />
+<glyph unicode="&#xe021;" d="M18 618l620 608q8 7 18.5 7t17.5 -7l608 -608q8 -8 5.5 -13t-12.5 -5h-175v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v375h-300v-375q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v575h-175q-10 0 -12.5 5t5.5 13z" />
+<glyph unicode="&#xe022;" d="M600 1200v-400q0 -41 29.5 -70.5t70.5 -29.5h300v-650q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5h450zM1000 800h-250q-21 0 -35.5 14.5t-14.5 35.5v250z" />
+<glyph unicode="&#xe023;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h50q10 0 17.5 -7.5t7.5 -17.5v-275h175q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe024;" d="M1300 0h-538l-41 400h-242l-41 -400h-538l431 1200h209l-21 -300h162l-20 300h208zM515 800l-27 -300h224l-27 300h-170z" />
+<glyph unicode="&#xe025;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-450h191q20 0 25.5 -11.5t-7.5 -27.5l-327 -400q-13 -16 -32 -16t-32 16l-327 400q-13 16 -7.5 27.5t25.5 11.5h191v450q0 21 14.5 35.5t35.5 14.5zM1125 400h50q10 0 17.5 -7.5t7.5 -17.5v-350q0 -10 -7.5 -17.5t-17.5 -7.5 h-1050q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h50q10 0 17.5 -7.5t7.5 -17.5v-175h900v175q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe026;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -275q-13 -16 -32 -16t-32 16l-223 275q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z " />
+<glyph unicode="&#xe027;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM632 914l223 -275q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5l223 275q13 16 32 16 t32 -16z" />
+<glyph unicode="&#xe028;" d="M225 1200h750q10 0 19.5 -7t12.5 -17l186 -652q7 -24 7 -49v-425q0 -12 -4 -27t-9 -17q-12 -6 -37 -6h-1100q-12 0 -27 4t-17 8q-6 13 -6 38l1 425q0 25 7 49l185 652q3 10 12.5 17t19.5 7zM878 1000h-556q-10 0 -19 -7t-11 -18l-87 -450q-2 -11 4 -18t16 -7h150 q10 0 19.5 -7t11.5 -17l38 -152q2 -10 11.5 -17t19.5 -7h250q10 0 19.5 7t11.5 17l38 152q2 10 11.5 17t19.5 7h150q10 0 16 7t4 18l-87 450q-2 11 -11 18t-19 7z" />
+<glyph unicode="&#xe029;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM540 820l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
+<glyph unicode="&#xe030;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-362q0 -10 -7.5 -17.5t-17.5 -7.5h-362q-11 0 -13 5.5t5 12.5l133 133q-109 76 -238 76q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5h150q0 -117 -45.5 -224 t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117z" />
+<glyph unicode="&#xe031;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-361q0 -11 -7.5 -18.5t-18.5 -7.5h-361q-11 0 -13 5.5t5 12.5l134 134q-110 75 -239 75q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5h-150q0 117 45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117zM1027 600h150 q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5q-192 0 -348 118l-134 -134q-7 -8 -12.5 -5.5t-5.5 12.5v360q0 11 7.5 18.5t18.5 7.5h360q10 0 12.5 -5.5t-5.5 -12.5l-133 -133q110 -76 240 -76q116 0 214.5 57t155.5 155.5t57 214.5z" />
+<glyph unicode="&#xe032;" d="M125 1200h1050q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-1050q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM1075 1000h-850q-10 0 -17.5 -7.5t-7.5 -17.5v-850q0 -10 7.5 -17.5t17.5 -7.5h850q10 0 17.5 7.5t7.5 17.5v850 q0 10 -7.5 17.5t-17.5 7.5zM325 900h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 900h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 700h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 700h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 500h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 500h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 300h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 300h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe033;" d="M900 800v200q0 83 -58.5 141.5t-141.5 58.5h-300q-82 0 -141 -59t-59 -141v-200h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h900q41 0 70.5 29.5t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5h-100zM400 800v150q0 21 15 35.5t35 14.5h200 q20 0 35 -14.5t15 -35.5v-150h-300z" />
+<glyph unicode="&#xe034;" d="M125 1100h50q10 0 17.5 -7.5t7.5 -17.5v-1075h-100v1075q0 10 7.5 17.5t17.5 7.5zM1075 1052q4 0 9 -2q16 -6 16 -23v-421q0 -6 -3 -12q-33 -59 -66.5 -99t-65.5 -58t-56.5 -24.5t-52.5 -6.5q-26 0 -57.5 6.5t-52.5 13.5t-60 21q-41 15 -63 22.5t-57.5 15t-65.5 7.5 q-85 0 -160 -57q-7 -5 -15 -5q-6 0 -11 3q-14 7 -14 22v438q22 55 82 98.5t119 46.5q23 2 43 0.5t43 -7t32.5 -8.5t38 -13t32.5 -11q41 -14 63.5 -21t57 -14t63.5 -7q103 0 183 87q7 8 18 8z" />
+<glyph unicode="&#xe035;" d="M600 1175q116 0 227 -49.5t192.5 -131t131 -192.5t49.5 -227v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v300q0 127 -70.5 231.5t-184.5 161.5t-245 57t-245 -57t-184.5 -161.5t-70.5 -231.5v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50 q-10 0 -17.5 7.5t-7.5 17.5v300q0 116 49.5 227t131 192.5t192.5 131t227 49.5zM220 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460q0 8 6 14t14 6zM820 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460 q0 8 6 14t14 6z" />
+<glyph unicode="&#xe036;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM900 668l120 120q7 7 17 7t17 -7l34 -34q7 -7 7 -17t-7 -17l-120 -120l120 -120q7 -7 7 -17 t-7 -17l-34 -34q-7 -7 -17 -7t-17 7l-120 119l-120 -119q-7 -7 -17 -7t-17 7l-34 34q-7 7 -7 17t7 17l119 120l-119 120q-7 7 -7 17t7 17l34 34q7 8 17 8t17 -8z" />
+<glyph unicode="&#xe037;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6 l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238q-6 8 -4.5 18t9.5 17l29 22q7 5 15 5z" />
+<glyph unicode="&#xe038;" d="M967 1004h3q11 -1 17 -10q135 -179 135 -396q0 -105 -34 -206.5t-98 -185.5q-7 -9 -17 -10h-3q-9 0 -16 6l-42 34q-8 6 -9 16t5 18q111 150 111 328q0 90 -29.5 176t-84.5 157q-6 9 -5 19t10 16l42 33q7 5 15 5zM321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5 t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238 q-6 8 -4.5 18.5t9.5 16.5l29 22q7 5 15 5z" />
+<glyph unicode="&#xe039;" d="M500 900h100v-100h-100v-100h-400v-100h-100v600h500v-300zM1200 700h-200v-100h200v-200h-300v300h-200v300h-100v200h600v-500zM100 1100v-300h300v300h-300zM800 1100v-300h300v300h-300zM300 900h-100v100h100v-100zM1000 900h-100v100h100v-100zM300 500h200v-500 h-500v500h200v100h100v-100zM800 300h200v-100h-100v-100h-200v100h-100v100h100v200h-200v100h300v-300zM100 400v-300h300v300h-300zM300 200h-100v100h100v-100zM1200 200h-100v100h100v-100zM700 0h-100v100h100v-100zM1200 0h-300v100h300v-100z" />
+<glyph unicode="&#xe040;" d="M100 200h-100v1000h100v-1000zM300 200h-100v1000h100v-1000zM700 200h-200v1000h200v-1000zM900 200h-100v1000h100v-1000zM1200 200h-200v1000h200v-1000zM400 0h-300v100h300v-100zM600 0h-100v91h100v-91zM800 0h-100v91h100v-91zM1100 0h-200v91h200v-91z" />
+<glyph unicode="&#xe041;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
+<glyph unicode="&#xe042;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM800 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-56 56l424 426l-700 700h150zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5 t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
+<glyph unicode="&#xe043;" d="M300 1200h825q75 0 75 -75v-900q0 -25 -18 -43l-64 -64q-8 -8 -13 -5.5t-5 12.5v950q0 10 -7.5 17.5t-17.5 7.5h-700q-25 0 -43 -18l-64 -64q-8 -8 -5.5 -13t12.5 -5h700q10 0 17.5 -7.5t7.5 -17.5v-950q0 -10 -7.5 -17.5t-17.5 -7.5h-850q-10 0 -17.5 7.5t-7.5 17.5v975 q0 25 18 43l139 139q18 18 43 18z" />
+<glyph unicode="&#xe044;" d="M250 1200h800q21 0 35.5 -14.5t14.5 -35.5v-1150l-450 444l-450 -445v1151q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe045;" d="M822 1200h-444q-11 0 -19 -7.5t-9 -17.5l-78 -301q-7 -24 7 -45l57 -108q6 -9 17.5 -15t21.5 -6h450q10 0 21.5 6t17.5 15l62 108q14 21 7 45l-83 301q-1 10 -9 17.5t-19 7.5zM1175 800h-150q-10 0 -21 -6.5t-15 -15.5l-78 -156q-4 -9 -15 -15.5t-21 -6.5h-550 q-10 0 -21 6.5t-15 15.5l-78 156q-4 9 -15 15.5t-21 6.5h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-650q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h750q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5 t7.5 17.5v650q0 10 -7.5 17.5t-17.5 7.5zM850 200h-500q-10 0 -19.5 -7t-11.5 -17l-38 -152q-2 -10 3.5 -17t15.5 -7h600q10 0 15.5 7t3.5 17l-38 152q-2 10 -11.5 17t-19.5 7z" />
+<glyph unicode="&#xe046;" d="M500 1100h200q56 0 102.5 -20.5t72.5 -50t44 -59t25 -50.5l6 -20h150q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5h150q2 8 6.5 21.5t24 48t45 61t72 48t102.5 21.5zM900 800v-100 h100v100h-100zM600 730q-95 0 -162.5 -67.5t-67.5 -162.5t67.5 -162.5t162.5 -67.5t162.5 67.5t67.5 162.5t-67.5 162.5t-162.5 67.5zM600 603q43 0 73 -30t30 -73t-30 -73t-73 -30t-73 30t-30 73t30 73t73 30z" />
+<glyph unicode="&#xe047;" d="M681 1199l385 -998q20 -50 60 -92q18 -19 36.5 -29.5t27.5 -11.5l10 -2v-66h-417v66q53 0 75 43.5t5 88.5l-82 222h-391q-58 -145 -92 -234q-11 -34 -6.5 -57t25.5 -37t46 -20t55 -6v-66h-365v66q56 24 84 52q12 12 25 30.5t20 31.5l7 13l399 1006h93zM416 521h340 l-162 457z" />
+<glyph unicode="&#xe048;" d="M753 641q5 -1 14.5 -4.5t36 -15.5t50.5 -26.5t53.5 -40t50.5 -54.5t35.5 -70t14.5 -87q0 -67 -27.5 -125.5t-71.5 -97.5t-98.5 -66.5t-108.5 -40.5t-102 -13h-500v89q41 7 70.5 32.5t29.5 65.5v827q0 24 -0.5 34t-3.5 24t-8.5 19.5t-17 13.5t-28 12.5t-42.5 11.5v71 l471 -1q57 0 115.5 -20.5t108 -57t80.5 -94t31 -124.5q0 -51 -15.5 -96.5t-38 -74.5t-45 -50.5t-38.5 -30.5zM400 700h139q78 0 130.5 48.5t52.5 122.5q0 41 -8.5 70.5t-29.5 55.5t-62.5 39.5t-103.5 13.5h-118v-350zM400 200h216q80 0 121 50.5t41 130.5q0 90 -62.5 154.5 t-156.5 64.5h-159v-400z" />
+<glyph unicode="&#xe049;" d="M877 1200l2 -57q-83 -19 -116 -45.5t-40 -66.5l-132 -839q-9 -49 13 -69t96 -26v-97h-500v97q186 16 200 98l173 832q3 17 3 30t-1.5 22.5t-9 17.5t-13.5 12.5t-21.5 10t-26 8.5t-33.5 10q-13 3 -19 5v57h425z" />
+<glyph unicode="&#xe050;" d="M1300 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM175 1000h-75v-800h75l-125 -167l-125 167h75v800h-75l125 167z" />
+<glyph unicode="&#xe051;" d="M1100 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-650q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v650h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM1167 50l-167 -125v75h-800v-75l-167 125l167 125v-75h800v75z" />
+<glyph unicode="&#xe052;" d="M50 1100h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe053;" d="M250 1100h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM250 500h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe054;" d="M500 950v100q0 21 14.5 35.5t35.5 14.5h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5zM100 650v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000 q-21 0 -35.5 14.5t-14.5 35.5zM300 350v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5zM0 50v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5z" />
+<glyph unicode="&#xe055;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe056;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 1100h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 800h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 500h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 500h800q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 200h800 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe057;" d="M400 0h-100v1100h100v-1100zM550 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM267 550l-167 -125v75h-200v100h200v75zM550 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe058;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM900 0h-100v1100h100v-1100zM50 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM1100 600h200v-100h-200v-75l-167 125l167 125v-75zM50 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe059;" d="M75 1000h750q31 0 53 -22t22 -53v-650q0 -31 -22 -53t-53 -22h-750q-31 0 -53 22t-22 53v650q0 31 22 53t53 22zM1200 300l-300 300l300 300v-600z" />
+<glyph unicode="&#xe060;" d="M44 1100h1112q18 0 31 -13t13 -31v-1012q0 -18 -13 -31t-31 -13h-1112q-18 0 -31 13t-13 31v1012q0 18 13 31t31 13zM100 1000v-737l247 182l298 -131l-74 156l293 318l236 -288v500h-1000zM342 884q56 0 95 -39t39 -94.5t-39 -95t-95 -39.5t-95 39.5t-39 95t39 94.5 t95 39z" />
+<glyph unicode="&#xe062;" d="M648 1169q117 0 216 -60t156.5 -161t57.5 -218q0 -115 -70 -258q-69 -109 -158 -225.5t-143 -179.5l-54 -62q-9 8 -25.5 24.5t-63.5 67.5t-91 103t-98.5 128t-95.5 148q-60 132 -60 249q0 88 34 169.5t91.5 142t137 96.5t166.5 36zM652.5 974q-91.5 0 -156.5 -65 t-65 -157t65 -156.5t156.5 -64.5t156.5 64.5t65 156.5t-65 157t-156.5 65z" />
+<glyph unicode="&#xe063;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 173v854q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57z" />
+<glyph unicode="&#xe064;" d="M554 1295q21 -72 57.5 -143.5t76 -130t83 -118t82.5 -117t70 -116t49.5 -126t18.5 -136.5q0 -71 -25.5 -135t-68.5 -111t-99 -82t-118.5 -54t-125.5 -23q-84 5 -161.5 34t-139.5 78.5t-99 125t-37 164.5q0 69 18 136.5t49.5 126.5t69.5 116.5t81.5 117.5t83.5 119 t76.5 131t58.5 143zM344 710q-23 -33 -43.5 -70.5t-40.5 -102.5t-17 -123q1 -37 14.5 -69.5t30 -52t41 -37t38.5 -24.5t33 -15q21 -7 32 -1t13 22l6 34q2 10 -2.5 22t-13.5 19q-5 4 -14 12t-29.5 40.5t-32.5 73.5q-26 89 6 271q2 11 -6 11q-8 1 -15 -10z" />
+<glyph unicode="&#xe065;" d="M1000 1013l108 115q2 1 5 2t13 2t20.5 -1t25 -9.5t28.5 -21.5q22 -22 27 -43t0 -32l-6 -10l-108 -115zM350 1100h400q50 0 105 -13l-187 -187h-368q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v182l200 200v-332 q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM1009 803l-362 -362l-161 -50l55 170l355 355z" />
+<glyph unicode="&#xe066;" d="M350 1100h361q-164 -146 -216 -200h-195q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5l200 153v-103q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M824 1073l339 -301q8 -7 8 -17.5t-8 -17.5l-340 -306q-7 -6 -12.5 -4t-6.5 11v203q-26 1 -54.5 0t-78.5 -7.5t-92 -17.5t-86 -35t-70 -57q10 59 33 108t51.5 81.5t65 58.5t68.5 40.5t67 24.5t56 13.5t40 4.5v210q1 10 6.5 12.5t13.5 -4.5z" />
+<glyph unicode="&#xe067;" d="M350 1100h350q60 0 127 -23l-178 -177h-349q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v69l200 200v-219q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M643 639l395 395q7 7 17.5 7t17.5 -7l101 -101q7 -7 7 -17.5t-7 -17.5l-531 -532q-7 -7 -17.5 -7t-17.5 7l-248 248q-7 7 -7 17.5t7 17.5l101 101q7 7 17.5 7t17.5 -7l111 -111q8 -7 18 -7t18 7z" />
+<glyph unicode="&#xe068;" d="M318 918l264 264q8 8 18 8t18 -8l260 -264q7 -8 4.5 -13t-12.5 -5h-170v-200h200v173q0 10 5 12t13 -5l264 -260q8 -7 8 -17.5t-8 -17.5l-264 -265q-8 -7 -13 -5t-5 12v173h-200v-200h170q10 0 12.5 -5t-4.5 -13l-260 -264q-8 -8 -18 -8t-18 8l-264 264q-8 8 -5.5 13 t12.5 5h175v200h-200v-173q0 -10 -5 -12t-13 5l-264 265q-8 7 -8 17.5t8 17.5l264 260q8 7 13 5t5 -12v-173h200v200h-175q-10 0 -12.5 5t5.5 13z" />
+<glyph unicode="&#xe069;" d="M250 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe070;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5 t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe071;" d="M1200 1050v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-492 480q-15 14 -15 35t15 35l492 480q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25z" />
+<glyph unicode="&#xe072;" d="M243 1074l814 -498q18 -11 18 -26t-18 -26l-814 -498q-18 -11 -30.5 -4t-12.5 28v1000q0 21 12.5 28t30.5 -4z" />
+<glyph unicode="&#xe073;" d="M250 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM650 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800 q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe074;" d="M1100 950v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5z" />
+<glyph unicode="&#xe075;" d="M500 612v438q0 21 10.5 25t25.5 -10l492 -480q15 -14 15 -35t-15 -35l-492 -480q-15 -14 -25.5 -10t-10.5 25v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10z" />
+<glyph unicode="&#xe076;" d="M1048 1102l100 1q20 0 35 -14.5t15 -35.5l5 -1000q0 -21 -14.5 -35.5t-35.5 -14.5l-100 -1q-21 0 -35.5 14.5t-14.5 35.5l-2 437l-463 -454q-14 -15 -24.5 -10.5t-10.5 25.5l-2 437l-462 -455q-15 -14 -25.5 -9.5t-10.5 24.5l-5 1000q0 21 10.5 25.5t25.5 -10.5l466 -450 l-2 438q0 20 10.5 24.5t25.5 -9.5l466 -451l-2 438q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe077;" d="M850 1100h100q21 0 35.5 -14.5t14.5 -35.5v-1000q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10l464 -453v438q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe078;" d="M686 1081l501 -540q15 -15 10.5 -26t-26.5 -11h-1042q-22 0 -26.5 11t10.5 26l501 540q15 15 36 15t36 -15zM150 400h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe079;" d="M885 900l-352 -353l352 -353l-197 -198l-552 552l552 550z" />
+<glyph unicode="&#xe080;" d="M1064 547l-551 -551l-198 198l353 353l-353 353l198 198z" />
+<glyph unicode="&#xe081;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM650 900h-100q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-150 q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5h150v-150q0 -21 14.5 -35.5t35.5 -14.5h100q21 0 35.5 14.5t14.5 35.5v150h150q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-150v150q0 21 -14.5 35.5t-35.5 14.5z" />
+<glyph unicode="&#xe082;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM850 700h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5 t35.5 -14.5h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5z" />
+<glyph unicode="&#xe083;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM741.5 913q-12.5 0 -21.5 -9l-120 -120l-120 120q-9 9 -21.5 9 t-21.5 -9l-141 -141q-9 -9 -9 -21.5t9 -21.5l120 -120l-120 -120q-9 -9 -9 -21.5t9 -21.5l141 -141q9 -9 21.5 -9t21.5 9l120 120l120 -120q9 -9 21.5 -9t21.5 9l141 141q9 9 9 21.5t-9 21.5l-120 120l120 120q9 9 9 21.5t-9 21.5l-141 141q-9 9 -21.5 9z" />
+<glyph unicode="&#xe084;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM546 623l-84 85q-7 7 -17.5 7t-18.5 -7l-139 -139q-7 -8 -7 -18t7 -18 l242 -241q7 -8 17.5 -8t17.5 8l375 375q7 7 7 17.5t-7 18.5l-139 139q-7 7 -17.5 7t-17.5 -7z" />
+<glyph unicode="&#xe085;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM588 941q-29 0 -59 -5.5t-63 -20.5t-58 -38.5t-41.5 -63t-16.5 -89.5 q0 -25 20 -25h131q30 -5 35 11q6 20 20.5 28t45.5 8q20 0 31.5 -10.5t11.5 -28.5q0 -23 -7 -34t-26 -18q-1 0 -13.5 -4t-19.5 -7.5t-20 -10.5t-22 -17t-18.5 -24t-15.5 -35t-8 -46q-1 -8 5.5 -16.5t20.5 -8.5h173q7 0 22 8t35 28t37.5 48t29.5 74t12 100q0 47 -17 83 t-42.5 57t-59.5 34.5t-64 18t-59 4.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe086;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM675 1000h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5 t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5zM675 700h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h75v-200h-75q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h350q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5 t-17.5 7.5h-75v275q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe087;" d="M525 1200h150q10 0 17.5 -7.5t7.5 -17.5v-194q103 -27 178.5 -102.5t102.5 -178.5h194q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-194q-27 -103 -102.5 -178.5t-178.5 -102.5v-194q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v194 q-103 27 -178.5 102.5t-102.5 178.5h-194q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h194q27 103 102.5 178.5t178.5 102.5v194q0 10 7.5 17.5t17.5 7.5zM700 893v-168q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v168q-68 -23 -119 -74 t-74 -119h168q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-168q23 -68 74 -119t119 -74v168q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-168q68 23 119 74t74 119h-168q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h168 q-23 68 -74 119t-119 74z" />
+<glyph unicode="&#xe088;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM759 823l64 -64q7 -7 7 -17.5t-7 -17.5l-124 -124l124 -124q7 -7 7 -17.5t-7 -17.5l-64 -64q-7 -7 -17.5 -7t-17.5 7l-124 124l-124 -124q-7 -7 -17.5 -7t-17.5 7l-64 64 q-7 7 -7 17.5t7 17.5l124 124l-124 124q-7 7 -7 17.5t7 17.5l64 64q7 7 17.5 7t17.5 -7l124 -124l124 124q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe089;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM782 788l106 -106q7 -7 7 -17.5t-7 -17.5l-320 -321q-8 -7 -18 -7t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l197 197q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe090;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5q0 -120 65 -225 l587 587q-105 65 -225 65zM965 819l-584 -584q104 -62 219 -62q116 0 214.5 57t155.5 155.5t57 214.5q0 115 -62 219z" />
+<glyph unicode="&#xe091;" d="M39 582l522 427q16 13 27.5 8t11.5 -26v-291h550q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-550v-291q0 -21 -11.5 -26t-27.5 8l-522 427q-16 13 -16 32t16 32z" />
+<glyph unicode="&#xe092;" d="M639 1009l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291h-550q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h550v291q0 21 11.5 26t27.5 -8z" />
+<glyph unicode="&#xe093;" d="M682 1161l427 -522q13 -16 8 -27.5t-26 -11.5h-291v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v550h-291q-21 0 -26 11.5t8 27.5l427 522q13 16 32 16t32 -16z" />
+<glyph unicode="&#xe094;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-550h291q21 0 26 -11.5t-8 -27.5l-427 -522q-13 -16 -32 -16t-32 16l-427 522q-13 16 -8 27.5t26 11.5h291v550q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe095;" d="M639 1109l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291q-94 -2 -182 -20t-170.5 -52t-147 -92.5t-100.5 -135.5q5 105 27 193.5t67.5 167t113 135t167 91.5t225.5 42v262q0 21 11.5 26t27.5 -8z" />
+<glyph unicode="&#xe096;" d="M850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5zM350 0h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249 q8 7 18 7t18 -7l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5z" />
+<glyph unicode="&#xe097;" d="M1014 1120l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249q8 7 18 7t18 -7zM250 600h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5z" />
+<glyph unicode="&#xe101;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM704 900h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5 t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe102;" d="M260 1200q9 0 19 -2t15 -4l5 -2q22 -10 44 -23l196 -118q21 -13 36 -24q29 -21 37 -12q11 13 49 35l196 118q22 13 45 23q17 7 38 7q23 0 47 -16.5t37 -33.5l13 -16q14 -21 18 -45l25 -123l8 -44q1 -9 8.5 -14.5t17.5 -5.5h61q10 0 17.5 -7.5t7.5 -17.5v-50 q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 -7.5t-7.5 -17.5v-175h-400v300h-200v-300h-400v175q0 10 -7.5 17.5t-17.5 7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5h61q11 0 18 3t7 8q0 4 9 52l25 128q5 25 19 45q2 3 5 7t13.5 15t21.5 19.5t26.5 15.5 t29.5 7zM915 1079l-166 -162q-7 -7 -5 -12t12 -5h219q10 0 15 7t2 17l-51 149q-3 10 -11 12t-15 -6zM463 917l-177 157q-8 7 -16 5t-11 -12l-51 -143q-3 -10 2 -17t15 -7h231q11 0 12.5 5t-5.5 12zM500 0h-375q-10 0 -17.5 7.5t-7.5 17.5v375h400v-400zM1100 400v-375 q0 -10 -7.5 -17.5t-17.5 -7.5h-375v400h400z" />
+<glyph unicode="&#xe103;" d="M1165 1190q8 3 21 -6.5t13 -17.5q-2 -178 -24.5 -323.5t-55.5 -245.5t-87 -174.5t-102.5 -118.5t-118 -68.5t-118.5 -33t-120 -4.5t-105 9.5t-90 16.5q-61 12 -78 11q-4 1 -12.5 0t-34 -14.5t-52.5 -40.5l-153 -153q-26 -24 -37 -14.5t-11 43.5q0 64 42 102q8 8 50.5 45 t66.5 58q19 17 35 47t13 61q-9 55 -10 102.5t7 111t37 130t78 129.5q39 51 80 88t89.5 63.5t94.5 45t113.5 36t129 31t157.5 37t182 47.5zM1116 1098q-8 9 -22.5 -3t-45.5 -50q-38 -47 -119 -103.5t-142 -89.5l-62 -33q-56 -30 -102 -57t-104 -68t-102.5 -80.5t-85.5 -91 t-64 -104.5q-24 -56 -31 -86t2 -32t31.5 17.5t55.5 59.5q25 30 94 75.5t125.5 77.5t147.5 81q70 37 118.5 69t102 79.5t99 111t86.5 148.5q22 50 24 60t-6 19z" />
+<glyph unicode="&#xe104;" d="M653 1231q-39 -67 -54.5 -131t-10.5 -114.5t24.5 -96.5t47.5 -80t63.5 -62.5t68.5 -46.5t65 -30q-4 7 -17.5 35t-18.5 39.5t-17 39.5t-17 43t-13 42t-9.5 44.5t-2 42t4 43t13.5 39t23 38.5q96 -42 165 -107.5t105 -138t52 -156t13 -159t-19 -149.5q-13 -55 -44 -106.5 t-68 -87t-78.5 -64.5t-72.5 -45t-53 -22q-72 -22 -127 -11q-31 6 -13 19q6 3 17 7q13 5 32.5 21t41 44t38.5 63.5t21.5 81.5t-6.5 94.5t-50 107t-104 115.5q10 -104 -0.5 -189t-37 -140.5t-65 -93t-84 -52t-93.5 -11t-95 24.5q-80 36 -131.5 114t-53.5 171q-2 23 0 49.5 t4.5 52.5t13.5 56t27.5 60t46 64.5t69.5 68.5q-8 -53 -5 -102.5t17.5 -90t34 -68.5t44.5 -39t49 -2q31 13 38.5 36t-4.5 55t-29 64.5t-36 75t-26 75.5q-15 85 2 161.5t53.5 128.5t85.5 92.5t93.5 61t81.5 25.5z" />
+<glyph unicode="&#xe105;" d="M600 1094q82 0 160.5 -22.5t140 -59t116.5 -82.5t94.5 -95t68 -95t42.5 -82.5t14 -57.5t-14 -57.5t-43 -82.5t-68.5 -95t-94.5 -95t-116.5 -82.5t-140 -59t-159.5 -22.5t-159.5 22.5t-140 59t-116.5 82.5t-94.5 95t-68.5 95t-43 82.5t-14 57.5t14 57.5t42.5 82.5t68 95 t94.5 95t116.5 82.5t140 59t160.5 22.5zM888 829q-15 15 -18 12t5 -22q25 -57 25 -119q0 -124 -88 -212t-212 -88t-212 88t-88 212q0 59 23 114q8 19 4.5 22t-17.5 -12q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q22 -36 47 -71t70 -82t92.5 -81t113 -58.5t133.5 -24.5 t133.5 24t113 58.5t92.5 81.5t70 81.5t47 70.5q11 18 9 42.5t-14 41.5q-90 117 -163 189zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l35 34q14 15 12.5 33.5t-16.5 33.5q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
+<glyph unicode="&#xe106;" d="M592 0h-148l31 120q-91 20 -175.5 68.5t-143.5 106.5t-103.5 119t-66.5 110t-22 76q0 21 14 57.5t42.5 82.5t68 95t94.5 95t116.5 82.5t140 59t160.5 22.5q61 0 126 -15l32 121h148zM944 770l47 181q108 -85 176.5 -192t68.5 -159q0 -26 -19.5 -71t-59.5 -102t-93 -112 t-129 -104.5t-158 -75.5l46 173q77 49 136 117t97 131q11 18 9 42.5t-14 41.5q-54 70 -107 130zM310 824q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q18 -30 39 -60t57 -70.5t74 -73t90 -61t105 -41.5l41 154q-107 18 -178.5 101.5t-71.5 193.5q0 59 23 114q8 19 4.5 22 t-17.5 -12zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l12 11l22 86l-3 4q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
+<glyph unicode="&#xe107;" d="M-90 100l642 1066q20 31 48 28.5t48 -35.5l642 -1056q21 -32 7.5 -67.5t-50.5 -35.5h-1294q-37 0 -50.5 34t7.5 66zM155 200h345v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h345l-445 723zM496 700h208q20 0 32 -14.5t8 -34.5l-58 -252 q-4 -20 -21.5 -34.5t-37.5 -14.5h-54q-20 0 -37.5 14.5t-21.5 34.5l-58 252q-4 20 8 34.5t32 14.5z" />
+<glyph unicode="&#xe108;" d="M650 1200q62 0 106 -44t44 -106v-339l363 -325q15 -14 26 -38.5t11 -44.5v-41q0 -20 -12 -26.5t-29 5.5l-359 249v-263q100 -93 100 -113v-64q0 -21 -13 -29t-32 1l-205 128l-205 -128q-19 -9 -32 -1t-13 29v64q0 20 100 113v263l-359 -249q-17 -12 -29 -5.5t-12 26.5v41 q0 20 11 44.5t26 38.5l363 325v339q0 62 44 106t106 44z" />
+<glyph unicode="&#xe109;" d="M850 1200h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-150h-1100v150q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-50h500v50q0 21 14.5 35.5t35.5 14.5zM1100 800v-750q0 -21 -14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v750h1100zM100 600v-100h100v100h-100zM300 600v-100h100v100h-100zM500 600v-100h100v100h-100zM700 600v-100h100v100h-100zM900 600v-100h100v100h-100zM100 400v-100h100v100h-100zM300 400v-100h100v100h-100zM500 400 v-100h100v100h-100zM700 400v-100h100v100h-100zM900 400v-100h100v100h-100zM100 200v-100h100v100h-100zM300 200v-100h100v100h-100zM500 200v-100h100v100h-100zM700 200v-100h100v100h-100zM900 200v-100h100v100h-100z" />
+<glyph unicode="&#xe110;" d="M1135 1165l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-159l-600 -600h-291q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h209l600 600h241v150q0 21 10.5 25t24.5 -10zM522 819l-141 -141l-122 122h-209q-21 0 -35.5 14.5 t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h291zM1135 565l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-241l-181 181l141 141l122 -122h159v150q0 21 10.5 25t24.5 -10z" />
+<glyph unicode="&#xe111;" d="M100 1100h1000q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-596l-304 -300v300h-100q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5z" />
+<glyph unicode="&#xe112;" d="M150 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM850 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM1100 800v-300q0 -41 -3 -77.5t-15 -89.5t-32 -96t-58 -89t-89 -77t-129 -51t-174 -20t-174 20 t-129 51t-89 77t-58 89t-32 96t-15 89.5t-3 77.5v300h300v-250v-27v-42.5t1.5 -41t5 -38t10 -35t16.5 -30t25.5 -24.5t35 -19t46.5 -12t60 -4t60 4.5t46.5 12.5t35 19.5t25 25.5t17 30.5t10 35t5 38t2 40.5t-0.5 42v25v250h300z" />
+<glyph unicode="&#xe113;" d="M1100 411l-198 -199l-353 353l-353 -353l-197 199l551 551z" />
+<glyph unicode="&#xe114;" d="M1101 789l-550 -551l-551 551l198 199l353 -353l353 353z" />
+<glyph unicode="&#xe115;" d="M404 1000h746q21 0 35.5 -14.5t14.5 -35.5v-551h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v401h-381zM135 984l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-400h385l215 -200h-750q-21 0 -35.5 14.5 t-14.5 35.5v550h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe116;" d="M56 1200h94q17 0 31 -11t18 -27l38 -162h896q24 0 39 -18.5t10 -42.5l-100 -475q-5 -21 -27 -42.5t-55 -21.5h-633l48 -200h535q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-50q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-300v-50 q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-31q-18 0 -32.5 10t-20.5 19l-5 10l-201 961h-54q-20 0 -35 14.5t-15 35.5t15 35.5t35 14.5z" />
+<glyph unicode="&#xe117;" d="M1200 1000v-100h-1200v100h200q0 41 29.5 70.5t70.5 29.5h300q41 0 70.5 -29.5t29.5 -70.5h500zM0 800h1200v-800h-1200v800z" />
+<glyph unicode="&#xe118;" d="M200 800l-200 -400v600h200q0 41 29.5 70.5t70.5 29.5h300q42 0 71 -29.5t29 -70.5h500v-200h-1000zM1500 700l-300 -700h-1200l300 700h1200z" />
+<glyph unicode="&#xe119;" d="M635 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-601h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v601h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe120;" d="M936 864l249 -229q14 -15 14 -35.5t-14 -35.5l-249 -229q-15 -15 -25.5 -10.5t-10.5 24.5v151h-600v-151q0 -20 -10.5 -24.5t-25.5 10.5l-249 229q-14 15 -14 35.5t14 35.5l249 229q15 15 25.5 10.5t10.5 -25.5v-149h600v149q0 21 10.5 25.5t25.5 -10.5z" />
+<glyph unicode="&#xe121;" d="M1169 400l-172 732q-5 23 -23 45.5t-38 22.5h-672q-20 0 -38 -20t-23 -41l-172 -739h1138zM1100 300h-1000q-41 0 -70.5 -29.5t-29.5 -70.5v-100q0 -41 29.5 -70.5t70.5 -29.5h1000q41 0 70.5 29.5t29.5 70.5v100q0 41 -29.5 70.5t-70.5 29.5zM800 100v100h100v-100h-100 zM1000 100v100h100v-100h-100z" />
+<glyph unicode="&#xe122;" d="M1150 1100q21 0 35.5 -14.5t14.5 -35.5v-850q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v850q0 21 14.5 35.5t35.5 14.5zM1000 200l-675 200h-38l47 -276q3 -16 -5.5 -20t-29.5 -4h-7h-84q-20 0 -34.5 14t-18.5 35q-55 337 -55 351v250v6q0 16 1 23.5t6.5 14 t17.5 6.5h200l675 250v-850zM0 750v-250q-4 0 -11 0.5t-24 6t-30 15t-24 30t-11 48.5v50q0 26 10.5 46t25 30t29 16t25.5 7z" />
+<glyph unicode="&#xe123;" d="M553 1200h94q20 0 29 -10.5t3 -29.5l-18 -37q83 -19 144 -82.5t76 -140.5l63 -327l118 -173h17q19 0 33 -14.5t14 -35t-13 -40.5t-31 -27q-8 -4 -23 -9.5t-65 -19.5t-103 -25t-132.5 -20t-158.5 -9q-57 0 -115 5t-104 12t-88.5 15.5t-73.5 17.5t-54.5 16t-35.5 12l-11 4 q-18 8 -31 28t-13 40.5t14 35t33 14.5h17l118 173l63 327q15 77 76 140t144 83l-18 32q-6 19 3.5 32t28.5 13zM498 110q50 -6 102 -6q53 0 102 6q-12 -49 -39.5 -79.5t-62.5 -30.5t-63 30.5t-39 79.5z" />
+<glyph unicode="&#xe124;" d="M800 946l224 78l-78 -224l234 -45l-180 -155l180 -155l-234 -45l78 -224l-224 78l-45 -234l-155 180l-155 -180l-45 234l-224 -78l78 224l-234 45l180 155l-180 155l234 45l-78 224l224 -78l45 234l155 -180l155 180z" />
+<glyph unicode="&#xe125;" d="M650 1200h50q40 0 70 -40.5t30 -84.5v-150l-28 -125h328q40 0 70 -40.5t30 -84.5v-100q0 -45 -29 -74l-238 -344q-16 -24 -38 -40.5t-45 -16.5h-250q-7 0 -42 25t-66 50l-31 25h-61q-45 0 -72.5 18t-27.5 57v400q0 36 20 63l145 196l96 198q13 28 37.5 48t51.5 20z M650 1100l-100 -212l-150 -213v-375h100l136 -100h214l250 375v125h-450l50 225v175h-50zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe126;" d="M600 1100h250q23 0 45 -16.5t38 -40.5l238 -344q29 -29 29 -74v-100q0 -44 -30 -84.5t-70 -40.5h-328q28 -118 28 -125v-150q0 -44 -30 -84.5t-70 -40.5h-50q-27 0 -51.5 20t-37.5 48l-96 198l-145 196q-20 27 -20 63v400q0 39 27.5 57t72.5 18h61q124 100 139 100z M50 1000h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM636 1000l-136 -100h-100v-375l150 -213l100 -212h50v175l-50 225h450v125l-250 375h-214z" />
+<glyph unicode="&#xe127;" d="M356 873l363 230q31 16 53 -6l110 -112q13 -13 13.5 -32t-11.5 -34l-84 -121h302q84 0 138 -38t54 -110t-55 -111t-139 -39h-106l-131 -339q-6 -21 -19.5 -41t-28.5 -20h-342q-7 0 -90 81t-83 94v525q0 17 14 35.5t28 28.5zM400 792v-503l100 -89h293l131 339 q6 21 19.5 41t28.5 20h203q21 0 30.5 25t0.5 50t-31 25h-456h-7h-6h-5.5t-6 0.5t-5 1.5t-5 2t-4 2.5t-4 4t-2.5 4.5q-12 25 5 47l146 183l-86 83zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500 q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe128;" d="M475 1103l366 -230q2 -1 6 -3.5t14 -10.5t18 -16.5t14.5 -20t6.5 -22.5v-525q0 -13 -86 -94t-93 -81h-342q-15 0 -28.5 20t-19.5 41l-131 339h-106q-85 0 -139.5 39t-54.5 111t54 110t138 38h302l-85 121q-11 15 -10.5 34t13.5 32l110 112q22 22 53 6zM370 945l146 -183 q17 -22 5 -47q-2 -2 -3.5 -4.5t-4 -4t-4 -2.5t-5 -2t-5 -1.5t-6 -0.5h-6h-6.5h-6h-475v-100h221q15 0 29 -20t20 -41l130 -339h294l106 89v503l-342 236zM1050 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5 v500q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe129;" d="M550 1294q72 0 111 -55t39 -139v-106l339 -131q21 -6 41 -19.5t20 -28.5v-342q0 -7 -81 -90t-94 -83h-525q-17 0 -35.5 14t-28.5 28l-9 14l-230 363q-16 31 6 53l112 110q13 13 32 13.5t34 -11.5l121 -84v302q0 84 38 138t110 54zM600 972v203q0 21 -25 30.5t-50 0.5 t-25 -31v-456v-7v-6v-5.5t-0.5 -6t-1.5 -5t-2 -5t-2.5 -4t-4 -4t-4.5 -2.5q-25 -12 -47 5l-183 146l-83 -86l236 -339h503l89 100v293l-339 131q-21 6 -41 19.5t-20 28.5zM450 200h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe130;" d="M350 1100h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5zM600 306v-106q0 -84 -39 -139t-111 -55t-110 54t-38 138v302l-121 -84q-15 -12 -34 -11.5t-32 13.5l-112 110 q-22 22 -6 53l230 363q1 2 3.5 6t10.5 13.5t16.5 17t20 13.5t22.5 6h525q13 0 94 -83t81 -90v-342q0 -15 -20 -28.5t-41 -19.5zM308 900l-236 -339l83 -86l183 146q22 17 47 5q2 -1 4.5 -2.5t4 -4t2.5 -4t2 -5t1.5 -5t0.5 -6v-5.5v-6v-7v-456q0 -22 25 -31t50 0.5t25 30.5 v203q0 15 20 28.5t41 19.5l339 131v293l-89 100h-503z" />
+<glyph unicode="&#xe131;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM914 632l-275 223q-16 13 -27.5 8t-11.5 -26v-137h-275 q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h275v-137q0 -21 11.5 -26t27.5 8l275 223q16 13 16 32t-16 32z" />
+<glyph unicode="&#xe132;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM561 855l-275 -223q-16 -13 -16 -32t16 -32l275 -223q16 -13 27.5 -8 t11.5 26v137h275q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5h-275v137q0 21 -11.5 26t-27.5 -8z" />
+<glyph unicode="&#xe133;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM855 639l-223 275q-13 16 -32 16t-32 -16l-223 -275q-13 -16 -8 -27.5 t26 -11.5h137v-275q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v275h137q21 0 26 11.5t-8 27.5z" />
+<glyph unicode="&#xe134;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM675 900h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-275h-137q-21 0 -26 -11.5 t8 -27.5l223 -275q13 -16 32 -16t32 16l223 275q13 16 8 27.5t-26 11.5h-137v275q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe135;" d="M600 1176q116 0 222.5 -46t184 -123.5t123.5 -184t46 -222.5t-46 -222.5t-123.5 -184t-184 -123.5t-222.5 -46t-222.5 46t-184 123.5t-123.5 184t-46 222.5t46 222.5t123.5 184t184 123.5t222.5 46zM627 1101q-15 -12 -36.5 -20.5t-35.5 -12t-43 -8t-39 -6.5 q-15 -3 -45.5 0t-45.5 -2q-20 -7 -51.5 -26.5t-34.5 -34.5q-3 -11 6.5 -22.5t8.5 -18.5q-3 -34 -27.5 -91t-29.5 -79q-9 -34 5 -93t8 -87q0 -9 17 -44.5t16 -59.5q12 0 23 -5t23.5 -15t19.5 -14q16 -8 33 -15t40.5 -15t34.5 -12q21 -9 52.5 -32t60 -38t57.5 -11 q7 -15 -3 -34t-22.5 -40t-9.5 -38q13 -21 23 -34.5t27.5 -27.5t36.5 -18q0 -7 -3.5 -16t-3.5 -14t5 -17q104 -2 221 112q30 29 46.5 47t34.5 49t21 63q-13 8 -37 8.5t-36 7.5q-15 7 -49.5 15t-51.5 19q-18 0 -41 -0.5t-43 -1.5t-42 -6.5t-38 -16.5q-51 -35 -66 -12 q-4 1 -3.5 25.5t0.5 25.5q-6 13 -26.5 17.5t-24.5 6.5q1 15 -0.5 30.5t-7 28t-18.5 11.5t-31 -21q-23 -25 -42 4q-19 28 -8 58q6 16 22 22q6 -1 26 -1.5t33.5 -4t19.5 -13.5q7 -12 18 -24t21.5 -20.5t20 -15t15.5 -10.5l5 -3q2 12 7.5 30.5t8 34.5t-0.5 32q-3 18 3.5 29 t18 22.5t15.5 24.5q6 14 10.5 35t8 31t15.5 22.5t34 22.5q-6 18 10 36q8 0 24 -1.5t24.5 -1.5t20 4.5t20.5 15.5q-10 23 -31 42.5t-37.5 29.5t-49 27t-43.5 23q0 1 2 8t3 11.5t1.5 10.5t-1 9.5t-4.5 4.5q31 -13 58.5 -14.5t38.5 2.5l12 5q5 28 -9.5 46t-36.5 24t-50 15 t-41 20q-18 -4 -37 0zM613 994q0 -17 8 -42t17 -45t9 -23q-8 1 -39.5 5.5t-52.5 10t-37 16.5q3 11 16 29.5t16 25.5q10 -10 19 -10t14 6t13.5 14.5t16.5 12.5z" />
+<glyph unicode="&#xe136;" d="M756 1157q164 92 306 -9l-259 -138l145 -232l251 126q6 -89 -34 -156.5t-117 -110.5q-60 -34 -127 -39.5t-126 16.5l-596 -596q-15 -16 -36.5 -16t-36.5 16l-111 110q-15 15 -15 36.5t15 37.5l600 599q-34 101 5.5 201.5t135.5 154.5z" />
+<glyph unicode="&#xe137;" horiz-adv-x="1220" d="M100 1196h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 1096h-200v-100h200v100zM100 796h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 696h-500v-100h500v100zM100 396h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 296h-300v-100h300v100z " />
+<glyph unicode="&#xe138;" d="M150 1200h900q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM700 500v-300l-200 -200v500l-350 500h900z" />
+<glyph unicode="&#xe139;" d="M500 1200h200q41 0 70.5 -29.5t29.5 -70.5v-100h300q41 0 70.5 -29.5t29.5 -70.5v-400h-500v100h-200v-100h-500v400q0 41 29.5 70.5t70.5 29.5h300v100q0 41 29.5 70.5t70.5 29.5zM500 1100v-100h200v100h-200zM1200 400v-200q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v200h1200z" />
+<glyph unicode="&#xe140;" d="M50 1200h300q21 0 25 -10.5t-10 -24.5l-94 -94l199 -199q7 -8 7 -18t-7 -18l-106 -106q-8 -7 -18 -7t-18 7l-199 199l-94 -94q-14 -14 -24.5 -10t-10.5 25v300q0 21 14.5 35.5t35.5 14.5zM850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-199 -199q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l199 199l-94 94q-14 14 -10 24.5t25 10.5zM364 470l106 -106q7 -8 7 -18t-7 -18l-199 -199l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l199 199 q8 7 18 7t18 -7zM1071 271l94 94q14 14 24.5 10t10.5 -25v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -25 10.5t10 24.5l94 94l-199 199q-7 8 -7 18t7 18l106 106q8 7 18 7t18 -7z" />
+<glyph unicode="&#xe141;" d="M596 1192q121 0 231.5 -47.5t190 -127t127 -190t47.5 -231.5t-47.5 -231.5t-127 -190.5t-190 -127t-231.5 -47t-231.5 47t-190.5 127t-127 190.5t-47 231.5t47 231.5t127 190t190.5 127t231.5 47.5zM596 1010q-112 0 -207.5 -55.5t-151 -151t-55.5 -207.5t55.5 -207.5 t151 -151t207.5 -55.5t207.5 55.5t151 151t55.5 207.5t-55.5 207.5t-151 151t-207.5 55.5zM454.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38.5 -16.5t-38.5 16.5t-16 39t16 38.5t38.5 16zM754.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38 -16.5q-14 0 -29 10l-55 -145 q17 -23 17 -51q0 -36 -25.5 -61.5t-61.5 -25.5t-61.5 25.5t-25.5 61.5q0 32 20.5 56.5t51.5 29.5l122 126l1 1q-9 14 -9 28q0 23 16 39t38.5 16zM345.5 709q22.5 0 38.5 -16t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16zM854.5 709q22.5 0 38.5 -16 t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16z" />
+<glyph unicode="&#xe142;" d="M546 173l469 470q91 91 99 192q7 98 -52 175.5t-154 94.5q-22 4 -47 4q-34 0 -66.5 -10t-56.5 -23t-55.5 -38t-48 -41.5t-48.5 -47.5q-376 -375 -391 -390q-30 -27 -45 -41.5t-37.5 -41t-32 -46.5t-16 -47.5t-1.5 -56.5q9 -62 53.5 -95t99.5 -33q74 0 125 51l548 548 q36 36 20 75q-7 16 -21.5 26t-32.5 10q-26 0 -50 -23q-13 -12 -39 -38l-341 -338q-15 -15 -35.5 -15.5t-34.5 13.5t-14 34.5t14 34.5q327 333 361 367q35 35 67.5 51.5t78.5 16.5q14 0 29 -1q44 -8 74.5 -35.5t43.5 -68.5q14 -47 2 -96.5t-47 -84.5q-12 -11 -32 -32 t-79.5 -81t-114.5 -115t-124.5 -123.5t-123 -119.5t-96.5 -89t-57 -45q-56 -27 -120 -27q-70 0 -129 32t-93 89q-48 78 -35 173t81 163l511 511q71 72 111 96q91 55 198 55q80 0 152 -33q78 -36 129.5 -103t66.5 -154q17 -93 -11 -183.5t-94 -156.5l-482 -476 q-15 -15 -36 -16t-37 14t-17.5 34t14.5 35z" />
+<glyph unicode="&#xe143;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104zM896 972q-33 0 -64.5 -19t-56.5 -46t-47.5 -53.5t-43.5 -45.5t-37.5 -19t-36 19t-40 45.5t-43 53.5t-54 46t-65.5 19q-67 0 -122.5 -55.5t-55.5 -132.5q0 -23 13.5 -51t46 -65t57.5 -63t76 -75l22 -22q15 -14 44 -44t50.5 -51t46 -44t41 -35t23 -12 t23.5 12t42.5 36t46 44t52.5 52t44 43q4 4 12 13q43 41 63.5 62t52 55t46 55t26 46t11.5 44q0 79 -53 133.5t-120 54.5z" />
+<glyph unicode="&#xe144;" d="M776.5 1214q93.5 0 159.5 -66l141 -141q66 -66 66 -160q0 -42 -28 -95.5t-62 -87.5l-29 -29q-31 53 -77 99l-18 18l95 95l-247 248l-389 -389l212 -212l-105 -106l-19 18l-141 141q-66 66 -66 159t66 159l283 283q65 66 158.5 66zM600 706l105 105q10 -8 19 -17l141 -141 q66 -66 66 -159t-66 -159l-283 -283q-66 -66 -159 -66t-159 66l-141 141q-66 66 -66 159.5t66 159.5l55 55q29 -55 75 -102l18 -17l-95 -95l247 -248l389 389z" />
+<glyph unicode="&#xe145;" d="M603 1200q85 0 162 -15t127 -38t79 -48t29 -46v-953q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-41 0 -70.5 29.5t-29.5 70.5v953q0 21 30 46.5t81 48t129 37.5t163 15zM300 1000v-700h600v700h-600zM600 254q-43 0 -73.5 -30.5t-30.5 -73.5t30.5 -73.5t73.5 -30.5t73.5 30.5 t30.5 73.5t-30.5 73.5t-73.5 30.5z" />
+<glyph unicode="&#xe146;" d="M902 1185l283 -282q15 -15 15 -36t-14.5 -35.5t-35.5 -14.5t-35 15l-36 35l-279 -267v-300l-212 210l-308 -307l-280 -203l203 280l307 308l-210 212h300l267 279l-35 36q-15 14 -15 35t14.5 35.5t35.5 14.5t35 -15z" />
+<glyph unicode="&#xe148;" d="M700 1248v-78q38 -5 72.5 -14.5t75.5 -31.5t71 -53.5t52 -84t24 -118.5h-159q-4 36 -10.5 59t-21 45t-40 35.5t-64.5 20.5v-307l64 -13q34 -7 64 -16.5t70 -32t67.5 -52.5t47.5 -80t20 -112q0 -139 -89 -224t-244 -97v-77h-100v79q-150 16 -237 103q-40 40 -52.5 93.5 t-15.5 139.5h139q5 -77 48.5 -126t117.5 -65v335l-27 8q-46 14 -79 26.5t-72 36t-63 52t-40 72.5t-16 98q0 70 25 126t67.5 92t94.5 57t110 27v77h100zM600 754v274q-29 -4 -50 -11t-42 -21.5t-31.5 -41.5t-10.5 -65q0 -29 7 -50.5t16.5 -34t28.5 -22.5t31.5 -14t37.5 -10 q9 -3 13 -4zM700 547v-310q22 2 42.5 6.5t45 15.5t41.5 27t29 42t12 59.5t-12.5 59.5t-38 44.5t-53 31t-66.5 24.5z" />
+<glyph unicode="&#xe149;" d="M561 1197q84 0 160.5 -40t123.5 -109.5t47 -147.5h-153q0 40 -19.5 71.5t-49.5 48.5t-59.5 26t-55.5 9q-37 0 -79 -14.5t-62 -35.5q-41 -44 -41 -101q0 -26 13.5 -63t26.5 -61t37 -66q6 -9 9 -14h241v-100h-197q8 -50 -2.5 -115t-31.5 -95q-45 -62 -99 -112 q34 10 83 17.5t71 7.5q32 1 102 -16t104 -17q83 0 136 30l50 -147q-31 -19 -58 -30.5t-55 -15.5t-42 -4.5t-46 -0.5q-23 0 -76 17t-111 32.5t-96 11.5q-39 -3 -82 -16t-67 -25l-23 -11l-55 145q4 3 16 11t15.5 10.5t13 9t15.5 12t14.5 14t17.5 18.5q48 55 54 126.5 t-30 142.5h-221v100h166q-23 47 -44 104q-7 20 -12 41.5t-6 55.5t6 66.5t29.5 70.5t58.5 71q97 88 263 88z" />
+<glyph unicode="&#xe150;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM935 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-900h-200v900h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe151;" d="M1000 700h-100v100h-100v-100h-100v500h300v-500zM400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM801 1100v-200h100v200h-100zM1000 350l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150z " />
+<glyph unicode="&#xe152;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 1050l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150zM1000 0h-100v100h-100v-100h-100v500h300v-500zM801 400v-200h100v200h-100z " />
+<glyph unicode="&#xe153;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 700h-100v400h-100v100h200v-500zM1100 0h-100v100h-200v400h300v-500zM901 400v-200h100v200h-100z" />
+<glyph unicode="&#xe154;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1100 700h-100v100h-200v400h300v-500zM901 1100v-200h100v200h-100zM1000 0h-100v400h-100v100h200v-500z" />
+<glyph unicode="&#xe155;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM900 1000h-200v200h200v-200zM1000 700h-300v200h300v-200zM1100 400h-400v200h400v-200zM1200 100h-500v200h500v-200z" />
+<glyph unicode="&#xe156;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1200 1000h-500v200h500v-200zM1100 700h-400v200h400v-200zM1000 400h-300v200h300v-200zM900 100h-200v200h200v-200z" />
+<glyph unicode="&#xe157;" d="M350 1100h400q162 0 256 -93.5t94 -256.5v-400q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5z" />
+<glyph unicode="&#xe158;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-163 0 -256.5 92.5t-93.5 257.5v400q0 163 94 256.5t256 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM440 770l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
+<glyph unicode="&#xe159;" d="M350 1100h400q163 0 256.5 -94t93.5 -256v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 163 92.5 256.5t257.5 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM350 700h400q21 0 26.5 -12t-6.5 -28l-190 -253q-12 -17 -30 -17t-30 17l-190 253q-12 16 -6.5 28t26.5 12z" />
+<glyph unicode="&#xe160;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -163 -92.5 -256.5t-257.5 -93.5h-400q-163 0 -256.5 94t-93.5 256v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM580 693l190 -253q12 -16 6.5 -28t-26.5 -12h-400q-21 0 -26.5 12t6.5 28l190 253q12 17 30 17t30 -17z" />
+<glyph unicode="&#xe161;" d="M550 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h450q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5h-450q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM338 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
+<glyph unicode="&#xe162;" d="M793 1182l9 -9q8 -10 5 -27q-3 -11 -79 -225.5t-78 -221.5l300 1q24 0 32.5 -17.5t-5.5 -35.5q-1 0 -133.5 -155t-267 -312.5t-138.5 -162.5q-12 -15 -26 -15h-9l-9 8q-9 11 -4 32q2 9 42 123.5t79 224.5l39 110h-302q-23 0 -31 19q-10 21 6 41q75 86 209.5 237.5 t228 257t98.5 111.5q9 16 25 16h9z" />
+<glyph unicode="&#xe163;" d="M350 1100h400q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-450q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h450q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400 q0 165 92.5 257.5t257.5 92.5zM938 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
+<glyph unicode="&#xe164;" d="M750 1200h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -10.5 -25t-24.5 10l-109 109l-312 -312q-15 -15 -35.5 -15t-35.5 15l-141 141q-15 15 -15 35.5t15 35.5l312 312l-109 109q-14 14 -10 24.5t25 10.5zM456 900h-156q-41 0 -70.5 -29.5t-29.5 -70.5v-500 q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v148l200 200v-298q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5h300z" />
+<glyph unicode="&#xe165;" d="M600 1186q119 0 227.5 -46.5t187 -125t125 -187t46.5 -227.5t-46.5 -227.5t-125 -187t-187 -125t-227.5 -46.5t-227.5 46.5t-187 125t-125 187t-46.5 227.5t46.5 227.5t125 187t187 125t227.5 46.5zM600 1022q-115 0 -212 -56.5t-153.5 -153.5t-56.5 -212t56.5 -212 t153.5 -153.5t212 -56.5t212 56.5t153.5 153.5t56.5 212t-56.5 212t-153.5 153.5t-212 56.5zM600 794q80 0 137 -57t57 -137t-57 -137t-137 -57t-137 57t-57 137t57 137t137 57z" />
+<glyph unicode="&#xe166;" d="M450 1200h200q21 0 35.5 -14.5t14.5 -35.5v-350h245q20 0 25 -11t-9 -26l-383 -426q-14 -15 -33.5 -15t-32.5 15l-379 426q-13 15 -8.5 26t25.5 11h250v350q0 21 14.5 35.5t35.5 14.5zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe167;" d="M583 1182l378 -435q14 -15 9 -31t-26 -16h-244v-250q0 -20 -17 -35t-39 -15h-200q-20 0 -32 14.5t-12 35.5v250h-250q-20 0 -25.5 16.5t8.5 31.5l383 431q14 16 33.5 17t33.5 -14zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe168;" d="M396 723l369 369q7 7 17.5 7t17.5 -7l139 -139q7 -8 7 -18.5t-7 -17.5l-525 -525q-7 -8 -17.5 -8t-17.5 8l-292 291q-7 8 -7 18t7 18l139 139q8 7 18.5 7t17.5 -7zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50 h-100z" />
+<glyph unicode="&#xe169;" d="M135 1023l142 142q14 14 35 14t35 -14l77 -77l-212 -212l-77 76q-14 15 -14 36t14 35zM655 855l210 210q14 14 24.5 10t10.5 -25l-2 -599q-1 -20 -15.5 -35t-35.5 -15l-597 -1q-21 0 -25 10.5t10 24.5l208 208l-154 155l212 212zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5 v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe170;" d="M350 1200l599 -2q20 -1 35 -15.5t15 -35.5l1 -597q0 -21 -10.5 -25t-24.5 10l-208 208l-155 -154l-212 212l155 154l-210 210q-14 14 -10 24.5t25 10.5zM524 512l-76 -77q-15 -14 -36 -14t-35 14l-142 142q-14 14 -14 35t14 35l77 77zM50 300h1000q21 0 35.5 -14.5 t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe171;" d="M1200 103l-483 276l-314 -399v423h-399l1196 796v-1096zM483 424v-230l683 953z" />
+<glyph unicode="&#xe172;" d="M1100 1000v-850q0 -21 -14.5 -35.5t-35.5 -14.5h-150v400h-700v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200z" />
+<glyph unicode="&#xe173;" d="M1100 1000l-2 -149l-299 -299l-95 95q-9 9 -21.5 9t-21.5 -9l-149 -147h-312v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1132 638l106 -106q7 -7 7 -17.5t-7 -17.5l-420 -421q-8 -7 -18 -7 t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l297 297q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe174;" d="M1100 1000v-269l-103 -103l-134 134q-15 15 -33.5 16.5t-34.5 -12.5l-266 -266h-329v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1202 572l70 -70q15 -15 15 -35.5t-15 -35.5l-131 -131 l131 -131q15 -15 15 -35.5t-15 -35.5l-70 -70q-15 -15 -35.5 -15t-35.5 15l-131 131l-131 -131q-15 -15 -35.5 -15t-35.5 15l-70 70q-15 15 -15 35.5t15 35.5l131 131l-131 131q-15 15 -15 35.5t15 35.5l70 70q15 15 35.5 15t35.5 -15l131 -131l131 131q15 15 35.5 15 t35.5 -15z" />
+<glyph unicode="&#xe175;" d="M1100 1000v-300h-350q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-500v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM850 600h100q21 0 35.5 -14.5t14.5 -35.5v-250h150q21 0 25 -10.5t-10 -24.5 l-230 -230q-14 -14 -35 -14t-35 14l-230 230q-14 14 -10 24.5t25 10.5h150v250q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe176;" d="M1100 1000v-400l-165 165q-14 15 -35 15t-35 -15l-263 -265h-402v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM935 565l230 -229q14 -15 10 -25.5t-25 -10.5h-150v-250q0 -20 -14.5 -35 t-35.5 -15h-100q-21 0 -35.5 15t-14.5 35v250h-150q-21 0 -25 10.5t10 25.5l230 229q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe177;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-150h-1200v150q0 21 14.5 35.5t35.5 14.5zM1200 800v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v550h1200zM100 500v-200h400v200h-400z" />
+<glyph unicode="&#xe178;" d="M935 1165l248 -230q14 -14 14 -35t-14 -35l-248 -230q-14 -14 -24.5 -10t-10.5 25v150h-400v200h400v150q0 21 10.5 25t24.5 -10zM200 800h-50q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v-200zM400 800h-100v200h100v-200zM18 435l247 230 q14 14 24.5 10t10.5 -25v-150h400v-200h-400v-150q0 -21 -10.5 -25t-24.5 10l-247 230q-15 14 -15 35t15 35zM900 300h-100v200h100v-200zM1000 500h51q20 0 34.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-34.5 -14.5h-51v200z" />
+<glyph unicode="&#xe179;" d="M862 1073l276 116q25 18 43.5 8t18.5 -41v-1106q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v397q-4 1 -11 5t-24 17.5t-30 29t-24 42t-11 56.5v359q0 31 18.5 65t43.5 52zM550 1200q22 0 34.5 -12.5t14.5 -24.5l1 -13v-450q0 -28 -10.5 -59.5 t-25 -56t-29 -45t-25.5 -31.5l-10 -11v-447q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v447q-4 4 -11 11.5t-24 30.5t-30 46t-24 55t-11 60v450q0 2 0.5 5.5t4 12t8.5 15t14.5 12t22.5 5.5q20 0 32.5 -12.5t14.5 -24.5l3 -13v-350h100v350v5.5t2.5 12 t7 15t15 12t25.5 5.5q23 0 35.5 -12.5t13.5 -24.5l1 -13v-350h100v350q0 2 0.5 5.5t3 12t7 15t15 12t24.5 5.5z" />
+<glyph unicode="&#xe180;" d="M1200 1100v-56q-4 0 -11 -0.5t-24 -3t-30 -7.5t-24 -15t-11 -24v-888q0 -22 25 -34.5t50 -13.5l25 -2v-56h-400v56q75 0 87.5 6.5t12.5 43.5v394h-500v-394q0 -37 12.5 -43.5t87.5 -6.5v-56h-400v56q4 0 11 0.5t24 3t30 7.5t24 15t11 24v888q0 22 -25 34.5t-50 13.5 l-25 2v56h400v-56q-75 0 -87.5 -6.5t-12.5 -43.5v-394h500v394q0 37 -12.5 43.5t-87.5 6.5v56h400z" />
+<glyph unicode="&#xe181;" d="M675 1000h375q21 0 35.5 -14.5t14.5 -35.5v-150h-105l-295 -98v98l-200 200h-400l100 100h375zM100 900h300q41 0 70.5 -29.5t29.5 -70.5v-500q0 -41 -29.5 -70.5t-70.5 -29.5h-300q-41 0 -70.5 29.5t-29.5 70.5v500q0 41 29.5 70.5t70.5 29.5zM100 800v-200h300v200 h-300zM1100 535l-400 -133v163l400 133v-163zM100 500v-200h300v200h-300zM1100 398v-248q0 -21 -14.5 -35.5t-35.5 -14.5h-375l-100 -100h-375l-100 100h400l200 200h105z" />
+<glyph unicode="&#xe182;" d="M17 1007l162 162q17 17 40 14t37 -22l139 -194q14 -20 11 -44.5t-20 -41.5l-119 -118q102 -142 228 -268t267 -227l119 118q17 17 42.5 19t44.5 -12l192 -136q19 -14 22.5 -37.5t-13.5 -40.5l-163 -162q-3 -1 -9.5 -1t-29.5 2t-47.5 6t-62.5 14.5t-77.5 26.5t-90 42.5 t-101.5 60t-111 83t-119 108.5q-74 74 -133.5 150.5t-94.5 138.5t-60 119.5t-34.5 100t-15 74.5t-4.5 48z" />
+<glyph unicode="&#xe183;" d="M600 1100q92 0 175 -10.5t141.5 -27t108.5 -36.5t81.5 -40t53.5 -37t31 -27l9 -10v-200q0 -21 -14.5 -33t-34.5 -9l-202 34q-20 3 -34.5 20t-14.5 38v146q-141 24 -300 24t-300 -24v-146q0 -21 -14.5 -38t-34.5 -20l-202 -34q-20 -3 -34.5 9t-14.5 33v200q3 4 9.5 10.5 t31 26t54 37.5t80.5 39.5t109 37.5t141 26.5t175 10.5zM600 795q56 0 97 -9.5t60 -23.5t30 -28t12 -24l1 -10v-50l365 -303q14 -15 24.5 -40t10.5 -45v-212q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v212q0 20 10.5 45t24.5 40l365 303v50 q0 4 1 10.5t12 23t30 29t60 22.5t97 10z" />
+<glyph unicode="&#xe184;" d="M1100 700l-200 -200h-600l-200 200v500h200v-200h200v200h200v-200h200v200h200v-500zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5 t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe185;" d="M700 1100h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-1000h300v1000q0 41 -29.5 70.5t-70.5 29.5zM1100 800h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-700h300v700q0 41 -29.5 70.5t-70.5 29.5zM400 0h-300v400q0 41 29.5 70.5t70.5 29.5h100q41 0 70.5 -29.5t29.5 -70.5v-400z " />
+<glyph unicode="&#xe186;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
+<glyph unicode="&#xe187;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 300h-100v200h-100v-200h-100v500h100v-200h100v200h100v-500zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
+<glyph unicode="&#xe188;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-300h200v-100h-300v500h300v-100zM900 700h-200v-300h200v-100h-300v500h300v-100z" />
+<glyph unicode="&#xe189;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 400l-300 150l300 150v-300zM900 550l-300 -150v300z" />
+<glyph unicode="&#xe190;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM900 300h-700v500h700v-500zM800 700h-130q-38 0 -66.5 -43t-28.5 -108t27 -107t68 -42h130v300zM300 700v-300 h130q41 0 68 42t27 107t-28.5 108t-66.5 43h-130z" />
+<glyph unicode="&#xe191;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 300h-100v400h-100v100h200v-500z M700 300h-100v100h100v-100z" />
+<glyph unicode="&#xe192;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM300 700h200v-400h-300v500h100v-100zM900 300h-100v400h-100v100h200v-500zM300 600v-200h100v200h-100z M700 300h-100v100h100v-100z" />
+<glyph unicode="&#xe193;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 500l-199 -200h-100v50l199 200v150h-200v100h300v-300zM900 300h-100v400h-100v100h200v-500zM701 300h-100 v100h100v-100z" />
+<glyph unicode="&#xe194;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700h-300v-200h300v-100h-300l-100 100v200l100 100h300v-100z" />
+<glyph unicode="&#xe195;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700v-100l-50 -50l100 -100v-50h-100l-100 100h-150v-100h-100v400h300zM500 700v-100h200v100h-200z" />
+<glyph unicode="&#xe197;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -207t-85 -207t-205 -86.5h-128v250q0 21 -14.5 35.5t-35.5 14.5h-300q-21 0 -35.5 -14.5t-14.5 -35.5v-250h-222q-80 0 -136 57.5t-56 136.5q0 69 43 122.5t108 67.5q-2 19 -2 37q0 100 49 185 t134 134t185 49zM525 500h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -244q-13 -16 -32 -16t-32 16l-223 244q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe198;" d="M502 1089q110 0 201 -59.5t135 -156.5q43 15 89 15q121 0 206 -86.5t86 -206.5q0 -99 -60 -181t-150 -110l-378 360q-13 16 -31.5 16t-31.5 -16l-381 -365h-9q-79 0 -135.5 57.5t-56.5 136.5q0 69 43 122.5t108 67.5q-2 19 -2 38q0 100 49 184.5t133.5 134t184.5 49.5z M632 467l223 -228q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5q199 204 223 228q19 19 31.5 19t32.5 -19z" />
+<glyph unicode="&#xe199;" d="M700 100v100h400l-270 300h170l-270 300h170l-300 333l-300 -333h170l-270 -300h170l-270 -300h400v-100h-50q-21 0 -35.5 -14.5t-14.5 -35.5v-50h400v50q0 21 -14.5 35.5t-35.5 14.5h-50z" />
+<glyph unicode="&#xe200;" d="M600 1179q94 0 167.5 -56.5t99.5 -145.5q89 -6 150.5 -71.5t61.5 -155.5q0 -61 -29.5 -112.5t-79.5 -82.5q9 -29 9 -55q0 -74 -52.5 -126.5t-126.5 -52.5q-55 0 -100 30v-251q21 0 35.5 -14.5t14.5 -35.5v-50h-300v50q0 21 14.5 35.5t35.5 14.5v251q-45 -30 -100 -30 q-74 0 -126.5 52.5t-52.5 126.5q0 18 4 38q-47 21 -75.5 65t-28.5 97q0 74 52.5 126.5t126.5 52.5q5 0 23 -2q0 2 -1 10t-1 13q0 116 81.5 197.5t197.5 81.5z" />
+<glyph unicode="&#xe201;" d="M1010 1010q111 -111 150.5 -260.5t0 -299t-150.5 -260.5q-83 -83 -191.5 -126.5t-218.5 -43.5t-218.5 43.5t-191.5 126.5q-111 111 -150.5 260.5t0 299t150.5 260.5q83 83 191.5 126.5t218.5 43.5t218.5 -43.5t191.5 -126.5zM476 1065q-4 0 -8 -1q-121 -34 -209.5 -122.5 t-122.5 -209.5q-4 -12 2.5 -23t18.5 -14l36 -9q3 -1 7 -1q23 0 29 22q27 96 98 166q70 71 166 98q11 3 17.5 13.5t3.5 22.5l-9 35q-3 13 -14 19q-7 4 -15 4zM512 920q-4 0 -9 -2q-80 -24 -138.5 -82.5t-82.5 -138.5q-4 -13 2 -24t19 -14l34 -9q4 -1 8 -1q22 0 28 21 q18 58 58.5 98.5t97.5 58.5q12 3 18 13.5t3 21.5l-9 35q-3 12 -14 19q-7 4 -15 4zM719.5 719.5q-49.5 49.5 -119.5 49.5t-119.5 -49.5t-49.5 -119.5t49.5 -119.5t119.5 -49.5t119.5 49.5t49.5 119.5t-49.5 119.5zM855 551q-22 0 -28 -21q-18 -58 -58.5 -98.5t-98.5 -57.5 q-11 -4 -17 -14.5t-3 -21.5l9 -35q3 -12 14 -19q7 -4 15 -4q4 0 9 2q80 24 138.5 82.5t82.5 138.5q4 13 -2.5 24t-18.5 14l-34 9q-4 1 -8 1zM1000 515q-23 0 -29 -22q-27 -96 -98 -166q-70 -71 -166 -98q-11 -3 -17.5 -13.5t-3.5 -22.5l9 -35q3 -13 14 -19q7 -4 15 -4 q4 0 8 1q121 34 209.5 122.5t122.5 209.5q4 12 -2.5 23t-18.5 14l-36 9q-3 1 -7 1z" />
+<glyph unicode="&#xe202;" d="M700 800h300v-380h-180v200h-340v-200h-380v755q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM700 300h162l-212 -212l-212 212h162v200h100v-200zM520 0h-395q-10 0 -17.5 7.5t-7.5 17.5v395zM1000 220v-195q0 -10 -7.5 -17.5t-17.5 -7.5h-195z" />
+<glyph unicode="&#xe203;" d="M700 800h300v-520l-350 350l-550 -550v1095q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM862 200h-162v-200h-100v200h-162l212 212zM480 0h-355q-10 0 -17.5 7.5t-7.5 17.5v55h380v-80zM1000 80v-55q0 -10 -7.5 -17.5t-17.5 -7.5h-155v80h180z" />
+<glyph unicode="&#xe204;" d="M1162 800h-162v-200h100l100 -100h-300v300h-162l212 212zM200 800h200q27 0 40 -2t29.5 -10.5t23.5 -30t7 -57.5h300v-100h-600l-200 -350v450h100q0 36 7 57.5t23.5 30t29.5 10.5t40 2zM800 400h240l-240 -400h-800l300 500h500v-100z" />
+<glyph unicode="&#xe205;" d="M650 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM1000 850v150q41 0 70.5 -29.5t29.5 -70.5v-800 q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-1 0 -20 4l246 246l-326 326v324q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM412 250l-212 -212v162h-200v100h200v162z" />
+<glyph unicode="&#xe206;" d="M450 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM800 850v150q41 0 70.5 -29.5t29.5 -70.5v-500 h-200v-300h200q0 -36 -7 -57.5t-23.5 -30t-29.5 -10.5t-40 -2h-600q-41 0 -70.5 29.5t-29.5 70.5v800q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM1212 250l-212 -212v162h-200v100h200v162z" />
+<glyph unicode="&#xe209;" d="M658 1197l637 -1104q23 -38 7 -65.5t-60 -27.5h-1276q-44 0 -60 27.5t7 65.5l637 1104q22 39 54 39t54 -39zM704 800h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM500 300v-100h200 v100h-200z" />
+<glyph unicode="&#xe210;" d="M425 1100h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM825 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM25 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5zM425 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5 v150q0 10 7.5 17.5t17.5 7.5zM25 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe211;" d="M700 1200h100v-200h-100v-100h350q62 0 86.5 -39.5t-3.5 -94.5l-66 -132q-41 -83 -81 -134h-772q-40 51 -81 134l-66 132q-28 55 -3.5 94.5t86.5 39.5h350v100h-100v200h100v100h200v-100zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100 h-950l138 100h-13q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe212;" d="M600 1300q40 0 68.5 -29.5t28.5 -70.5h-194q0 41 28.5 70.5t68.5 29.5zM443 1100h314q18 -37 18 -75q0 -8 -3 -25h328q41 0 44.5 -16.5t-30.5 -38.5l-175 -145h-678l-178 145q-34 22 -29 38.5t46 16.5h328q-3 17 -3 25q0 38 18 75zM250 700h700q21 0 35.5 -14.5 t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-150v-200l275 -200h-950l275 200v200h-150q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe213;" d="M600 1181q75 0 128 -53t53 -128t-53 -128t-128 -53t-128 53t-53 128t53 128t128 53zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13 l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe214;" d="M600 1300q47 0 92.5 -53.5t71 -123t25.5 -123.5q0 -78 -55.5 -133.5t-133.5 -55.5t-133.5 55.5t-55.5 133.5q0 62 34 143l144 -143l111 111l-163 163q34 26 63 26zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45 zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe215;" d="M600 1200l300 -161v-139h-300q0 -57 18.5 -108t50 -91.5t63 -72t70 -67.5t57.5 -61h-530q-60 83 -90.5 177.5t-30.5 178.5t33 164.5t87.5 139.5t126 96.5t145.5 41.5v-98zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100 h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe216;" d="M600 1300q41 0 70.5 -29.5t29.5 -70.5v-78q46 -26 73 -72t27 -100v-50h-400v50q0 54 27 100t73 72v78q0 41 29.5 70.5t70.5 29.5zM400 800h400q54 0 100 -27t72 -73h-172v-100h200v-100h-200v-100h200v-100h-200v-100h200q0 -83 -58.5 -141.5t-141.5 -58.5h-400 q-83 0 -141.5 58.5t-58.5 141.5v400q0 83 58.5 141.5t141.5 58.5z" />
+<glyph unicode="&#xe218;" d="M150 1100h900q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM125 400h950q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-283l224 -224q13 -13 13 -31.5t-13 -32 t-31.5 -13.5t-31.5 13l-88 88h-524l-87 -88q-13 -13 -32 -13t-32 13.5t-13 32t13 31.5l224 224h-289q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM541 300l-100 -100h324l-100 100h-124z" />
+<glyph unicode="&#xe219;" d="M200 1100h800q83 0 141.5 -58.5t58.5 -141.5v-200h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100v200q0 83 58.5 141.5t141.5 58.5zM100 600h1000q41 0 70.5 -29.5 t29.5 -70.5v-300h-1200v300q0 41 29.5 70.5t70.5 29.5zM300 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200zM1100 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200z" />
+<glyph unicode="&#xe221;" d="M480 1165l682 -683q31 -31 31 -75.5t-31 -75.5l-131 -131h-481l-517 518q-32 31 -32 75.5t32 75.5l295 296q31 31 75.5 31t76.5 -31zM108 794l342 -342l303 304l-341 341zM250 100h800q21 0 35.5 -14.5t14.5 -35.5v-50h-900v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe223;" d="M1057 647l-189 506q-8 19 -27.5 33t-40.5 14h-400q-21 0 -40.5 -14t-27.5 -33l-189 -506q-8 -19 1.5 -33t30.5 -14h625v-150q0 -21 14.5 -35.5t35.5 -14.5t35.5 14.5t14.5 35.5v150h125q21 0 30.5 14t1.5 33zM897 0h-595v50q0 21 14.5 35.5t35.5 14.5h50v50 q0 21 14.5 35.5t35.5 14.5h48v300h200v-300h47q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-50z" />
+<glyph unicode="&#xe224;" d="M900 800h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-375v591l-300 300v84q0 10 7.5 17.5t17.5 7.5h375v-400zM1200 900h-200v200zM400 600h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-650q-10 0 -17.5 7.5t-7.5 17.5v950q0 10 7.5 17.5t17.5 7.5h375v-400zM700 700h-200v200z " />
+<glyph unicode="&#xe225;" d="M484 1095h195q75 0 146 -32.5t124 -86t89.5 -122.5t48.5 -142q18 -14 35 -20q31 -10 64.5 6.5t43.5 48.5q10 34 -15 71q-19 27 -9 43q5 8 12.5 11t19 -1t23.5 -16q41 -44 39 -105q-3 -63 -46 -106.5t-104 -43.5h-62q-7 -55 -35 -117t-56 -100l-39 -234q-3 -20 -20 -34.5 t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l12 70q-49 -14 -91 -14h-195q-24 0 -65 8l-11 -64q-3 -20 -20 -34.5t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l26 157q-84 74 -128 175l-159 53q-19 7 -33 26t-14 40v50q0 21 14.5 35.5t35.5 14.5h124q11 87 56 166l-111 95 q-16 14 -12.5 23.5t24.5 9.5h203q116 101 250 101zM675 1000h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h250q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe226;" d="M641 900l423 247q19 8 42 2.5t37 -21.5l32 -38q14 -15 12.5 -36t-17.5 -34l-139 -120h-390zM50 1100h106q67 0 103 -17t66 -71l102 -212h823q21 0 35.5 -14.5t14.5 -35.5v-50q0 -21 -14 -40t-33 -26l-737 -132q-23 -4 -40 6t-26 25q-42 67 -100 67h-300q-62 0 -106 44 t-44 106v200q0 62 44 106t106 44zM173 928h-80q-19 0 -28 -14t-9 -35v-56q0 -51 42 -51h134q16 0 21.5 8t5.5 24q0 11 -16 45t-27 51q-18 28 -43 28zM550 727q-32 0 -54.5 -22.5t-22.5 -54.5t22.5 -54.5t54.5 -22.5t54.5 22.5t22.5 54.5t-22.5 54.5t-54.5 22.5zM130 389 l152 130q18 19 34 24t31 -3.5t24.5 -17.5t25.5 -28q28 -35 50.5 -51t48.5 -13l63 5l48 -179q13 -61 -3.5 -97.5t-67.5 -79.5l-80 -69q-47 -40 -109 -35.5t-103 51.5l-130 151q-40 47 -35.5 109.5t51.5 102.5zM380 377l-102 -88q-31 -27 2 -65l37 -43q13 -15 27.5 -19.5 t31.5 6.5l61 53q19 16 14 49q-2 20 -12 56t-17 45q-11 12 -19 14t-23 -8z" />
+<glyph unicode="&#xe227;" d="M625 1200h150q10 0 17.5 -7.5t7.5 -17.5v-109q79 -33 131 -87.5t53 -128.5q1 -46 -15 -84.5t-39 -61t-46 -38t-39 -21.5l-17 -6q6 0 15 -1.5t35 -9t50 -17.5t53 -30t50 -45t35.5 -64t14.5 -84q0 -59 -11.5 -105.5t-28.5 -76.5t-44 -51t-49.5 -31.5t-54.5 -16t-49.5 -6.5 t-43.5 -1v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-100v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-175q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v600h-75q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5h175v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h100v75q0 10 7.5 17.5t17.5 7.5zM400 900v-200h263q28 0 48.5 10.5t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-263zM400 500v-200h363q28 0 48.5 10.5 t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-363z" />
+<glyph unicode="&#xe230;" d="M212 1198h780q86 0 147 -61t61 -147v-416q0 -51 -18 -142.5t-36 -157.5l-18 -66q-29 -87 -93.5 -146.5t-146.5 -59.5h-572q-82 0 -147 59t-93 147q-8 28 -20 73t-32 143.5t-20 149.5v416q0 86 61 147t147 61zM600 1045q-70 0 -132.5 -11.5t-105.5 -30.5t-78.5 -41.5 t-57 -45t-36 -41t-20.5 -30.5l-6 -12l156 -243h560l156 243q-2 5 -6 12.5t-20 29.5t-36.5 42t-57 44.5t-79 42t-105 29.5t-132.5 12zM762 703h-157l195 261z" />
+<glyph unicode="&#xe231;" d="M475 1300h150q103 0 189 -86t86 -189v-500q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
+<glyph unicode="&#xe232;" d="M475 1300h96q0 -150 89.5 -239.5t239.5 -89.5v-446q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
+<glyph unicode="&#xe233;" d="M1294 767l-638 -283l-378 170l-78 -60v-224l100 -150v-199l-150 148l-150 -149v200l100 150v250q0 4 -0.5 10.5t0 9.5t1 8t3 8t6.5 6l47 40l-147 65l642 283zM1000 380l-350 -166l-350 166v147l350 -165l350 165v-147z" />
+<glyph unicode="&#xe234;" d="M250 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM650 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM1050 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
+<glyph unicode="&#xe235;" d="M550 1100q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 700q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 300q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
+<glyph unicode="&#xe236;" d="M125 1100h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM125 700h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM125 300h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe237;" d="M350 1200h500q162 0 256 -93.5t94 -256.5v-500q0 -165 -93.5 -257.5t-256.5 -92.5h-500q-165 0 -257.5 92.5t-92.5 257.5v500q0 165 92.5 257.5t257.5 92.5zM900 1000h-600q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h600q41 0 70.5 29.5 t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5zM350 900h500q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-500q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 14.5 35.5t35.5 14.5zM400 800v-200h400v200h-400z" />
+<glyph unicode="&#xe238;" d="M150 1100h1000q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe239;" d="M650 1187q87 -67 118.5 -156t0 -178t-118.5 -155q-87 66 -118.5 155t0 178t118.5 156zM300 800q124 0 212 -88t88 -212q-124 0 -212 88t-88 212zM1000 800q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM300 500q124 0 212 -88t88 -212q-124 0 -212 88t-88 212z M1000 500q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM700 199v-144q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v142q40 -4 43 -4q17 0 57 6z" />
+<glyph unicode="&#xe240;" d="M745 878l69 19q25 6 45 -12l298 -295q11 -11 15 -26.5t-2 -30.5q-5 -14 -18 -23.5t-28 -9.5h-8q1 0 1 -13q0 -29 -2 -56t-8.5 -62t-20 -63t-33 -53t-51 -39t-72.5 -14h-146q-184 0 -184 288q0 24 10 47q-20 4 -62 4t-63 -4q11 -24 11 -47q0 -288 -184 -288h-142 q-48 0 -84.5 21t-56 51t-32 71.5t-16 75t-3.5 68.5q0 13 2 13h-7q-15 0 -27.5 9.5t-18.5 23.5q-6 15 -2 30.5t15 25.5l298 296q20 18 46 11l76 -19q20 -5 30.5 -22.5t5.5 -37.5t-22.5 -31t-37.5 -5l-51 12l-182 -193h891l-182 193l-44 -12q-20 -5 -37.5 6t-22.5 31t6 37.5 t31 22.5z" />
+<glyph unicode="&#xe241;" d="M1200 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM500 450h-25q0 15 -4 24.5t-9 14.5t-17 7.5t-20 3t-25 0.5h-100v-425q0 -11 12.5 -17.5t25.5 -7.5h12v-50h-200v50q50 0 50 25v425h-100q-17 0 -25 -0.5t-20 -3t-17 -7.5t-9 -14.5t-4 -24.5h-25v150h500v-150z" />
+<glyph unicode="&#xe242;" d="M1000 300v50q-25 0 -55 32q-14 14 -25 31t-16 27l-4 11l-289 747h-69l-300 -754q-18 -35 -39 -56q-9 -9 -24.5 -18.5t-26.5 -14.5l-11 -5v-50h273v50q-49 0 -78.5 21.5t-11.5 67.5l69 176h293l61 -166q13 -34 -3.5 -66.5t-55.5 -32.5v-50h312zM412 691l134 342l121 -342 h-255zM1100 150v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5z" />
+<glyph unicode="&#xe243;" d="M50 1200h1100q21 0 35.5 -14.5t14.5 -35.5v-1100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5zM611 1118h-70q-13 0 -18 -12l-299 -753q-17 -32 -35 -51q-18 -18 -56 -34q-12 -5 -12 -18v-50q0 -8 5.5 -14t14.5 -6 h273q8 0 14 6t6 14v50q0 8 -6 14t-14 6q-55 0 -71 23q-10 14 0 39l63 163h266l57 -153q11 -31 -6 -55q-12 -17 -36 -17q-8 0 -14 -6t-6 -14v-50q0 -8 6 -14t14 -6h313q8 0 14 6t6 14v50q0 7 -5.5 13t-13.5 7q-17 0 -42 25q-25 27 -40 63h-1l-288 748q-5 12 -19 12zM639 611 h-197l103 264z" />
+<glyph unicode="&#xe244;" d="M1200 1100h-1200v100h1200v-100zM50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 1000h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM700 900v-300h300v300h-300z" />
+<glyph unicode="&#xe245;" d="M50 1200h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 700h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM700 600v-300h300v300h-300zM1200 0h-1200v100h1200v-100z" />
+<glyph unicode="&#xe246;" d="M50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-350h100v150q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-150h100v-100h-100v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v150h-100v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM700 700v-300h300v300h-300z" />
+<glyph unicode="&#xe247;" d="M100 0h-100v1200h100v-1200zM250 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM300 1000v-300h300v300h-300zM250 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe248;" d="M600 1100h150q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-100h450q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h350v100h-150q-21 0 -35.5 14.5 t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h150v100h100v-100zM400 1000v-300h300v300h-300z" />
+<glyph unicode="&#xe249;" d="M1200 0h-100v1200h100v-1200zM550 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM600 1000v-300h300v300h-300zM50 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe250;" d="M865 565l-494 -494q-23 -23 -41 -23q-14 0 -22 13.5t-8 38.5v1000q0 25 8 38.5t22 13.5q18 0 41 -23l494 -494q14 -14 14 -35t-14 -35z" />
+<glyph unicode="&#xe251;" d="M335 635l494 494q29 29 50 20.5t21 -49.5v-1000q0 -41 -21 -49.5t-50 20.5l-494 494q-14 14 -14 35t14 35z" />
+<glyph unicode="&#xe252;" d="M100 900h1000q41 0 49.5 -21t-20.5 -50l-494 -494q-14 -14 -35 -14t-35 14l-494 494q-29 29 -20.5 50t49.5 21z" />
+<glyph unicode="&#xe253;" d="M635 865l494 -494q29 -29 20.5 -50t-49.5 -21h-1000q-41 0 -49.5 21t20.5 50l494 494q14 14 35 14t35 -14z" />
+<glyph unicode="&#xe254;" d="M700 741v-182l-692 -323v221l413 193l-413 193v221zM1200 0h-800v200h800v-200z" />
+<glyph unicode="&#xe255;" d="M1200 900h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300zM0 700h50q0 21 4 37t9.5 26.5t18 17.5t22 11t28.5 5.5t31 2t37 0.5h100v-550q0 -22 -25 -34.5t-50 -13.5l-25 -2v-100h400v100q-4 0 -11 0.5t-24 3t-30 7t-24 15t-11 24.5v550h100q25 0 37 -0.5t31 -2 t28.5 -5.5t22 -11t18 -17.5t9.5 -26.5t4 -37h50v300h-800v-300z" />
+<glyph unicode="&#xe256;" d="M800 700h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-100v-550q0 -22 25 -34.5t50 -14.5l25 -1v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v550h-100q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h800v-300zM1100 200h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300z" />
+<glyph unicode="&#xe257;" d="M701 1098h160q16 0 21 -11t-7 -23l-464 -464l464 -464q12 -12 7 -23t-21 -11h-160q-13 0 -23 9l-471 471q-7 8 -7 18t7 18l471 471q10 9 23 9z" />
+<glyph unicode="&#xe258;" d="M339 1098h160q13 0 23 -9l471 -471q7 -8 7 -18t-7 -18l-471 -471q-10 -9 -23 -9h-160q-16 0 -21 11t7 23l464 464l-464 464q-12 12 -7 23t21 11z" />
+<glyph unicode="&#xe259;" d="M1087 882q11 -5 11 -21v-160q0 -13 -9 -23l-471 -471q-8 -7 -18 -7t-18 7l-471 471q-9 10 -9 23v160q0 16 11 21t23 -7l464 -464l464 464q12 12 23 7z" />
+<glyph unicode="&#xe260;" d="M618 993l471 -471q9 -10 9 -23v-160q0 -16 -11 -21t-23 7l-464 464l-464 -464q-12 -12 -23 -7t-11 21v160q0 13 9 23l471 471q8 7 18 7t18 -7z" />
+<glyph unicode="&#xf8ff;" d="M1000 1200q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM450 1000h100q21 0 40 -14t26 -33l79 -194q5 1 16 3q34 6 54 9.5t60 7t65.5 1t61 -10t56.5 -23t42.5 -42t29 -64t5 -92t-19.5 -121.5q-1 -7 -3 -19.5t-11 -50t-20.5 -73t-32.5 -81.5t-46.5 -83t-64 -70 t-82.5 -50q-13 -5 -42 -5t-65.5 2.5t-47.5 2.5q-14 0 -49.5 -3.5t-63 -3.5t-43.5 7q-57 25 -104.5 78.5t-75 111.5t-46.5 112t-26 90l-7 35q-15 63 -18 115t4.5 88.5t26 64t39.5 43.5t52 25.5t58.5 13t62.5 2t59.5 -4.5t55.5 -8l-147 192q-12 18 -5.5 30t27.5 12z" />
+<glyph unicode="&#x1f511;" d="M250 1200h600q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-500l-255 -178q-19 -9 -32 -1t-13 29v650h-150q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM400 1100v-100h300v100h-300z" />
+<glyph unicode="&#x1f6aa;" d="M250 1200h750q39 0 69.5 -40.5t30.5 -84.5v-933l-700 -117v950l600 125h-700v-1000h-100v1025q0 23 15.5 49t34.5 26zM500 525v-100l100 20v100z" />
+</font>
+</defs></svg> 
\ No newline at end of file
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.ttf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..1413fc609ab6f21774de0cb7e01360095584f65b
GIT binary patch
literal 45404
zcmd?Sd0-pWwLh*qi$?oCk~i6sWlOeWJC3|4juU5JNSu9hSVACzERcmjLV&P^utNzg
zIE4Kr1=5g!SxTX#Ern9_%4<u(w1q<J@CsjEOL>&01rlrW`<y$HCCf?Z+y45=o|!u{
zcjlhEoqP5%FoVJ1G+bj44I8ITTQqxJ-LCg=WdK{*^eI!Pu_*@0U|>Z!56xXTGQR4C
z3vR~wXq>NDx$c~e?;ia3YjJ*$!C>69a?2$lLyhpI!C<oCzO?F`i#HxWjyD@jE}WZI
zU3l5~SDy9q1|;#myS}~pymONB?2*4U816rW`)#Xn!7@d1<NOHDt5&bOWb2!+g;p30
z4<NsI$%PwMp0nZD-M=sx9=^?B5SrGVvvng|Yryk+==sq4bJm^rO#Q?6;T&}k_iWs7
z@g?8i`(dlW@aQ!LgXLG3o_Fr~uM{nsXD~dq2>FfJsP=|`8@K0|bbMpWwVU<h#k=?&
z2hLD3ege)J^J9<Jz!_dI-O6?vWP>Eygg0=0x_)HeHpGSJagJNLA3c!$EuOV>j$wi!
zbo{vZ(s8tl>@!?}dmNHXo)ABy7ohD7_1G-P@SdJWT8*oeyB<gVy2N^Mz8Y_p4K;?4
zVT9pf!y_R}Xk_T@(1FkoDm{_X>VYVW9*vn}&VI4q++W;Z+uz=QTK}^C75!`aFYCX#
zf7fC2;o`%!huaTNJAB&VWrx=szU=VLhwnbT`vc<#<`4WI6n_x@AofA~2d90o?1L3w
z9!I|#P*NQ)$#9aASijuw>JRld^-t)Zhmy|i-`Iam|IWkgu<LN>aMR%lhi4p~cX-9&
zjfbx}yz}s`4-6>D^+6FzihR)Y!GsUy=_MWi_v7y#KmYi-{iZ+s@ekkq!<s)V`@Q^L
z`rY8W#qWgQ@xJ2-1w&;af5?RzOBGthmla=B{I%lG6(3e?tJqSpv0`mSvSMY$Srtnw
z=2y(Bm|8KV{P*SWmH)c@?ebrg|GfOw@*kDIQ2vZb)ms;}`oI6t>@Wxz!~BQwiI&ti
z>hC&iBe2m(dpNVvSbZe3DVgl(dxHt-k@{xv;&`^c8GJY%&^LpM;}7)B;5Qg5J^E${
z7z~k8eWOucjX6)7q1a%EVtmnND8cclz8R1=X4W@D8IDeUGXxEWe&p>Z*voO0u_2!!
zj3dT(Ki+4E;uykKi*yr?w6!BW2FD55PD6SMj`OfBLwXL5EA-9KjpMo4*5Eqs^>4&>
z8PezAcn!9jk-h-Oo!E9EjX8W6@EkTHeI<@AY{f|5fMW<-Ez-z)xCvW3()Z#x0oydB
zzm4MzY^NdpIF9qMp-jU;99LjlgY@@s+=z`}_%V*xV7nRV*Kwrx-i`FzI0BZ#yOI8#
z!SDeNA5b6u9!Imj89v0(g$;dT_y|Yz!3V`i{{_dez8U@##|X9<u78GO6Sj7w|BmAX
zYy>A};s^7vEd!3AcdyVlhVk$v?$O442KIM1-wX^R{U7`JW&lPr3N(%kXfXT_`7w^?
z=#ntx`tTF|N$UT?pELvw7T*2;=Q-x@KmDUIbLyXZ>f5=y7z1DT<7>Bp0k;eItHF?1
zErzhlD2B$Tm|^7DrxnTYm-tgg`Mt4Eivp5{r$o9e)8(fXBO4g|G^6Xy?y$SM*&V52
z6SR*%`%DZC^w(gOWQL?6DRoI*hBNT)xW9sxvmi@!vI^!mI$3kvAMmR_q#SGn3zRb_
zGe$=;Tv3dXN~9XuIHow*NEU4y&u}FcZEZoSlXb9IBOA}!@J3uov<cnLsMTt5KB)Lj
zYZXCxu;1bqjH18<x269<Tv%)JD-Sv?wUz&5KB?<}@bC!>p}yerhPMaiI8|SDhvWVr
z^BE&yx6e3&RYqIg;mYVZ*3#A-cDJ;#ms4txEmwm<RofF(aiZ;^6Sh1kbq&8p87Q}2
z)<!HT6VUck^|BOZR8X4U*lI4NmphK3T)k;q2UF1)TE2tD(Oq%0w%C5uBAc|kj54!X
zjK;0TBFmM`n@u^bcUhg<U$UozsV%ZmyUQe7juv~qZStAE?UA}H^b(uR^svd6<ohSA
zPN(&WybCrXyU=981ISP9mNdxHZPF8l4xGdT{y?OqQH)eNL?x_*jVgBKQggghY;ER4
z2ZJLPNi?@5u<K+P9v^?cajfyXk(LSV0q=;>@g^s`BB}KmSr7K+ruIoKs=s|gOXP|2
zb1!)87h9?(+1^QRWb(Vo8+@G=o24gyuzF3ytfsKjTHZJ}o{YznGcTDm!s)DRnmOX}
z3pPL4wExoN$kyc2>#J`k+<67sy-VsfbQ-1u+HkyFR?9G`9r6g4*8!(!c65Be-5hUg
zZHY$M0k(Yd+DT1*8)G(q)1<YNpB7js)5y12Eq7a-+TSy$n{z4WbFWWmXqX`NmQ;<8
z&#kMnTCG)e^Wqb#OY{bR(&}(pp3G}-_B)F+rS(l(vS<RecZ%(lx`adE6b#<MA*v6|
zqhg4L;6Ok2!XZ8=`3{3lFr+}jevG<T8z$m4n8_pfbf#&K;T~jROxF%RXK8L@N{?d!
z)#u0D$E0^47cxZAeVEjp$RK_kRO2h>&tDl=g9H7!bZTOvEEFnBOk_K=DXF(d4JOaH
zI}*A3jGmy{gR>s}EQzyJa_q_?TYPNXR<v?#Pfy-SGCMD6($H@d06+dYtCwDuCKCO`
zfTh}KuF@>U1O;fcV_&TQZhd{@*8Tgpraf~nT0BYktu*n{a~ub^UUqQPyr~yBY{k2O
zgV)honv{B_CqY|*S~3up%Wn%7i*_>Lu|%5~j)}rQLT1ZN?5%QN`LTJ}vA!EE=1`So
z!$$Mv?6T)xk)H8JTrZ~m)oNXxS}pwPd#);<*>zWsYoL6iK!gRSBB{JCgB28C#E{T?
z5VOCMW^;h~eMke(w6vLlKvm!!TyIf;k*RtK)|Q>_@nY#J%=h%aVb)?Ni_By)X<wQw
z7V$PDEtth$n$E;Ll`Y4%BO_9n-ugy!JpHdGlaMf3-bFSa<&`Z$)FNx2;bGa5ewQ9G
znS9p(JK$Y-8V}<ibr6q#cKkEx`_lIfW`o_}!WDwa=VY;jm&MFX_KN*c$8NiQ<*(1K
zOz-}+aK2WdJ+of=zJ0eN>NxY)E3`|}_u}fn+Kp^3p4RbhFUBRtGsDyx9Eolg77iWN
z2iH-}CiM!pfYDIn7;i#Ui1KG01{3D<{e}uWTdlX4Vr*nsb^>l0%{O?0L9tP|KGw8w
z+T5F}md>3qDZQ_IVkQ|BzuN08uN?SsVt$~wcHO4pB9~ykFTJO3g<4X({-Tm1w{Ufo
zI03<6KK`ZjqVyQ(>{_aMxu7Zm^ck&~)Q84MOsQ-XS~{6j>0lTl@lMtfWjj;PT{nlZ
zIn0YL?kK7CYJa)(8?unZ)j8L(O}%$5S#lTcq{rr5_gqqtZ@*0Yw4}OdjL*kBv+>+@
z&*24U=y{Nl<J@lPNofl42dq;77(U?JMya(0Crr4x>58qJyW1vTwqsvs=VRAzojm&V
zEn6=WzdL1y+^}%Vg!ap>x%%nFi=V#wn#<ZJY+2YKgUZIdddsj}x<a~(_z&i7iw6j~
zD6-dYj8)6VXu?|^ZEI$`u2WRyTK0%)bZh&!D^9oe9c{ncschFCaT|SNh@Ip0Y7e<>
zUuheBR@*<muvvX<=P{exAmqKj@)RY=k${p2#1fI%*ObNn_Svg5fBeeKm;N;8<i#ex
z@xiUPeR$hjC=hitVD9x2{{y_iS9U^gG9f@6f6&^Vs3zp5qf?=KTW@F7W@hJ`ZBCj<
zPCXs%#Cv+T9c^4a%MvhtBnK>KS)5Mn0`f=3fMwR|#-rPMQJg(fW*5e`7xO&^UUH<N
z8S{R+VU}U8VWDBEjsa+<a|A}qi`v{;%PNhy=5G#TrE#}Jn{iFX7S1~=;h}j7?-Paq
zPz1GeaZ=ceNsUv?a;Nj+<UmnU3}yC*^X?4%XYRVxg{MEFholmVGnq^}E!rMBWy|R_
zg)925;70bcj_+u_rTSN(=HrLgwiaEHUwf>{L(U8D$JtI!ac!g(Ze89<`UiO@L+)^D
zjPk2_Ie0p~4|LiI?-+pHXuRaZKG$%zVT0jn!yTvvM^jlcp`|VSHRt-G@_&~<4&qW@
z?b#zIN)G(}L|60jer*P7#KCu*Af;{mpWWvYK$@Squ|n-Vtfgr@<WJYami@2Z&u=;5
z5Vc}@3ijIdgOz2E{1ewt+&m|4loMa2;l_ZQ>ZOmR5Xpl;0q~VILmjk$$mgp+`<2jP
z@+nW5Oap%fF4nFwnVwR7rpFaOdmnfB$-rkO6T3#w^|*rft~acgCP|ZkgA6PHD#Of|
zY%E!3tXtsWS`udLsE7cSE8g@p$ceu*tI71V31uA7jwmXUCT7+Cu3uv|W>ZwD<C#<5
zr)TgUn*z=?aQx5GtI}?)S=9!TmC))*YbR(2eeE2+a>{&O4Nfjjvl43N#A$|FWxId!
z%=X!HSiQ-#4nS&smww~iXRn<-`&zc)nR~js?|Ei-cei$^$KsqtxNDZvl1oavXK#Pz
zT&%Wln^Y5M95w=vJxj0a-ko_iQt(LTX_5x#*QfQLtPil;kkR|kz}`*xHiLWr35ajx
zHRL-QQv$|PK-$ges|NHw8k6v?&d;{A$*q15hz9{}-`e6ys1EQ1oNNKDFGQ0xA!x^(
zkG*-ueZT(GukSnK&Bs=4+w|(kuWs5V_2#3`!;f}q?>xU5IgoMl^DNf+Xd<=sl2<ov
zdi9d6DbT*4=K1<NxE2(`@^$C>XvkqviJ>d?+G@Z5nxxd5Sqd$*ENUB_mb8Z+7CyyU
zA6mDQ&e+S~w49csl*UePzY;^K)Fbs^%?7;+hFc(xz#mWoek4_&QvmT7Fe)*{h-9R4
zqyXuN5{)HdQ6yVi#tRUO#M%;pL>rQxN~6yoZ)*{{!?jU)RD*oOxDoTjVh6iNmhWNC
zB5_{R=o{qvxEvi(k<Br-9y#p7E~9amU@sQujU02m+%O6`wmyB;RZm|f_25ZIu`sWx
z9Z!xjMn{xa)<lh?>hbRS`FOXmOO|&Dj$&~><!ER!M(aXh<Y=PO>*oo)bZz%lPhEA@
zQ;;w5eu5^%i;)w?T&*=UaK?*|U3~{0tC`rvfEsRPgR~16;~{_S2&=E{fE2=c>{+y}
zx1*NTv-*zO^px5TA|B```#NetKg`19O!BK*-#~wDM@KEllk^nfQ2quy25G%)l72<>
zzL$^{DDM#jKt?<>m;!?E2p0l12`j+QJjr{Lx*47Nq(v6i3M&*P{jkZB{xR?NOSPN%
zU>I+~d_ny=pX??qjF*E78>}Mgts@_yn`)C`wN-He_!OyE+gRI?-a>Om>Vh~3OX5+&
z6MX*d1`SkdXwvb7KH&=31RCC|&H!aA1g_=ZY0hP)-Wm6?A7SG0*|$mC7N^SSBh@MG
z9?V0tv_sE>X==yV{)^LsygK2=$Mo_0N!JCOU?r}rmWdHD%$h~~G3;bt`lH&<YttXG
zCx4~x@x7rvSlVC8c4`|@!#-B8ZKS<EH?nhD1$CFfEvQA7q3vKKC(B@*EPV@^RffeA
zqF7{q<g?nf7wl2mS$#hW3X3?XI^l_=xWmcuOlQEQZFITVPFH}vOiW=uH41qNTB4w>
zAuOOZ=G1Mih**0>lB5x+r)X^8mz!0K{SScj4|a=s^VhUEp#2M=^#WRqe?T&H9GnWa
zYOq{+gBn9Q0e0*Zu>C(BAX=I-Af9wIFhCW6_>TsIH$d>|{fIrs&BX?2G>GvFc=<8`
zVJ`#^knMU~65dWGgXcht`Kb>{V2oo%<{NK|iH+<q(5YAazG9MX#mAntl?z6uydZjo
zUFklHM_4M@0HYVoyB8BtKlWH`xbBg99hUSZMa9}uddMW%i`jRIi-g-Oj+Dcyby^(`
z%RQFN&dOf4Ittp8bTTLHYY;pny(Y2BDO&N?wA-C_6&0Pd?aun4t;+U8o0V7xD{xVE
zT_xFkLYF;IV~uA~NIx^oe`|Ag_zBH%@tGSHD~4^4RZ^~BcP(EUF`avIGk5b#Qq_%$
zWYy4>R^|Gx%q+env#Js*(EBT3V0=w4F@W+oLFsA)l7Qy8mx_;6Vrk;F2RjKFvmeq}
zro&>@b^(?f))OoQ#^#s)tRL>b0gzhRYRG}EU%wr9GjQ#~Rpo|RSkeik^p9x2<p!Ww
zwwmq`!~oDTY^~4nP7mqhE1&11QI*f_7OwLIc0Sdl0He@3A$?sO|G#_xO5%4jys!Au
zz!P*LF2Fu*;<$-+ZxX4HAsc@9KfXGYIspZeD-?_4;Ohrd$nih9sE;A+xh%Yxa|I;O
zMn43xybbA$h%OeU78ZAGUa0jg*n))`>+=rUr}vfnQoeFAlv=oX%YqbLpvyvcZ3l$B
z5bo;hDd(fjT;9o7g9xUg3|#?wU2#BJ0G&W1#wn?mfNR{O7bq74<ru+<wkuK7q*HuJ
zl3ikW@`O=kCFAR2we{1>7tc~mM%m%t+7YN}^tMa24O4@w<|$lk@pGx!;%pKiq&mZB
z?3h<&w>un8r?Xua6(@Txu~Za9tI@|C4#!dmHMzDF_-_~Jolztm=e)@vG11b<LZFLt
z=a@d3MJ-E4hYQZxA3y&6-j%$UZvUfp^pCgm<jTEuP^)mszD-y$n3Q&{-23}Wv_2Y8
ztp4g>ZQAs!tFvd9{C;oxC7VfWq377Y(LR^X_TyX9bn$)I765l=rJ%9uXcjggX*r?u
zk|0!db_*1$&i8>d&G3C}A`{Fun_1J;Vx0gk7P_}8KBZDowr*8$@X?W<UwWy2E;b%8
zDnv;u#sg4V5Tml=Bw6)GO(a6bm@pXL5;t*}iEhY9Zim8L-OM$RpsE=-)J6=6)|MD4
z8{19*DSK107+0Kbw2EdWh!twa9HVGLVmN$BX1?}c?!DT~m@%MuO{=cju@-!?UnaO{
z9Q;H&SNsH&+9*iqK+))0P{pW#u+IR2<&dC||BFzIuVKjDIAwxj0gQDf!MLF#VHC`D
zN_zXShCf+#K4Io(-dXedBI4SOK2y)rryrPZ_8G(S4~O-`iR!5u^?GLIlD&{}so=+h
zoX&5625-D!az-|Zx~ma2tVY~n7Eznkush<8w1#D9lj%>6v^LYmNWI)lN92yQ;tDpN
zOUdS-W4JZUjwF-X#w0r;97;i(l}ZZT$DRd4u#?pf^e2<Tp(F_Ylx9mIONs=GDOR7J
z!s@{!h&%A8Er}aMdD0mk#s%bH^(p8HL6l-6iKJ%JY$!?VLmDqZL7D4xf%;gN>yaFo
zbm>I@5}#8FjsmigM8w_f#m4fEP<w>~r~_?OWB%SGWcn$ThnJ@Y`ZI-O&Qs#Y14To(
zWAl>9Gw7#}eT(!c%D0m>5D8**a@h;sLW=6_AsT5v1Sd_T-C4pgu_kvc?7+X&n_fct
znkHy(_LExh=N%o3I-q#f$F4<wlfSnZ{aNtlaHgD*%*;+!if9}xbu`<To}#^Vl2QkO
z7|r$zhjK8GE;uJ+566KrGlUndEl83;o70s<D1jcM$y_hC&+<$#S-_D`DMkXCs6&Ja
zX$kb)3d(TSz&8E5_#CeAoC7l{hxp54WI)}a6Fq*MuVt{GA?j6in~9$1>QJpy>jZBW
zRF7?EhqTGk)w&Koi}QQY3sVh?@e-Z3C9)P!(hMhxmX<?O%M-wa0Dx5a@<^0#9_>LC
zF_+ZSTQU`Gqx@o<HpS{<a}-BAGy@<S0>(~<vXHshk{*j+nj`s1+omT#^krl>B$dbr
zHlEUKoK&`2gl>zKXlEi8w6}`X3kh3as1~sX5@^`X_nYl}hlbpeeVlj#2sv)CIMe%b
zBs7f|37f8qq}gA~Is9gj&=te^wN8ma?;vF)7gce;&sZ64!7LqpR!fy)?4cEZposQ8
zf;rZF7Q>YM<qvPX@rO5R|G8xB*d=47F5FbX>F1~eQ|Z*!5j0DuA=`~VG$Gg6B?Om1
z6fM@`Ck-K*k(eJ)Kvysb8sccsFf@7~3vfnC=<$q+VNv)FyVh6ZsWw}*vs>%k3$)9|
zR9ek-@pA23qswe1io)(Vz!vS1o*XEN*LhVYOq#T`;rDkgt86T@O`23xW~;W_#ZS|x
zvwx-XMb7_!hIte-#JNpFxskMMpo2OYhHRr0Yn8d^(jh3-+!CNs0K2B!1dL$9UuAD=
zQ%7Ae(Y@}%Cd~!`h|wAdm$2WoZ(iA1(a_-1?znZ%8h72o&Mm*4x8Ta<4++;Yr6|}u
zW<lfR&2thZ%arCCv7^XWW_6jB>8$p&izhdqF=m8$)HyS2J6cKyo;Yvb>DTfx4`4R{
zPSODe9E|uflE<`xTO=r>u~u=NuyB&H!(2a8vwh!jP!yfE3N>IiO1<sg)|!DAM%5V4
zImfj?oZv3;y3AIvb^=HU^uh7(X5<6aoUeyP2Mi=23DNrjwj6G-I5MpbGBBkQgLzRx
z_Qg%sVsEslI2A80hOod<S>jI>7e&3rR#RO3_}G23W?gwDHgSg<QXM9d4Lsp5W&)6?
zY*roO0w$UqxC4|r(Er$DV(2l9h4At3N_U`+Ukis<fpRRCK>ekzQ^PU&G5z&}V5GO?
zfg#*72*$DP1T8i`S7=P;bQ8lYF9_@8^C(|;9v8ZaK2GnWz4$Th2a0$)XTiaxNWfdq
z;yNi9veH<s@9We549w!!z+8C$Xr3bE8Io{iV0-^0*Z((QCVLd1<H5EqJokRheRd?M
z=9-#Ba=FG%;bgG2sZn!v5}(U9c2N6|uSx2-^nZJN<Y38%>!j)ba$9pke8`y2^63BP
zIyYKj^7;2don3se!P&%I2jzFf|LA&tQ=NDs{r9fIi-F{-yiG-}@2`VR^-LIFN8BC4
z&?*<A2U+2yvz#~5iMlAv#&#x?J%g>IvLiGHH5>NY(Z^CL_A;yISNdq58}=u~9!Ia7
zm7MkDiK~lsfLpvmPMo!0$keA$`%Tm`>Fx9JpG^EfEb(;}%5}B4Dw!O3BCkf$$W-dF
z$BupUPgLpHvr<<+QcNX*w@+Rz&VQz)Uh!j4|DYeKm5IC05T$KqVV3Y|MSXom+Jn8c
zgUEaFW1McGi^44xoG*b0JWE4T`vka7qTo#dcS4RauUpE{O!ZQ?r=-MlY#;VBzhHGU
zS@kCaZ*H73XX6~HtHd*4qr2h}Pf0Re@!WOyvres_9l2!AhPiV$@O2sX>$21)-3i+_
z*sHO4Ika^!&2utZ@5%VbpH(m2wE3qOPn-I5Tbnt&yn9{k*eMr3^u6zG-~PSr(w$p>
zw)x^a*8Ru$PE+{&)%VQUvAKKiWiwvc{`|GqK2K|ZMy^Tv3g|zENL86z7i<<vQD<>c
zW`W>zV1u}X%P;Ajn+>A)2iXZbJ5YB_r>K-h5g^N=LkN^h0Y6dPFfSBh(L`G$D%7c`
z&0RXDv$}c7#w*7!x^LUes_|V*=bd&aP+KFi((tG<uj&`TKbvJwt*s;^z;4Ys<BrXj
zUcC9nsnf4nJ}oNAV^;23Huc6W7jNCNGp&VZZ68xTF&1%{6q~EkQlv<(iM7j~voh3C
z@5k4r3!z`C;}lPV?5N1<S*Q-j1No*l<5(hps4yh~OUMfaqfZSw{1(}GVOnN8<B1ow
zokS3`Befl=7x!u#A9>*gakSR+FA26%{QJdB5G1F=UuU&koU*^zQA=cEN9}Vd?OEh|
zgzbFf1?@LlPkcXH$;YZe`WEJ3si6&R2MRb}LYK&zK9WRD=kY-JMPUurX-t4(Wy{%`
zZ@0WM2+IqPa9D(^*+MXw2NWwSX-_WdF0nMWpEhAyotIgqu5Y$wA=<qv3s0%`78x7-
z!YG+vXM)||6z({8VoMOb>zfuXJ0Y2lL3#ji26-P3Z?-&0^KBc*`T$+8+cqp`%g0WB
zTH9L)FZ&t073H4?t=(U6{8B+uRW_J_n*vW|p`DugT^3xe8Tomh^d}0k^G7$3wLgP&
zn)vTWiMA&=bR8lX9H=uh4G04R6>C&Zjnx_f@MMY!6HK5v$T%vaFm;E8q=`w2Y}ucJ
zkz~dKGqv9$E80NTtnx|Rf_)|3wxpnY6nh3U9<)fv2-vhQ6v=WhKO@~@X57N-`7Ppc
zF;I7)eL?RN23FmGh0s<krvL@Zi`9X>;Z#+p)}-TgTJE%&>{W+}C`^-sy{gTm<$>rR
z-X7F%MB9Sf%6o7A%ZHReD4R;imU6<9h81{%avv}hqugeaf=~^3A=x(Om6Lku-Pn9i
zC;LP%Q7Xw*0`Kg1)X~nAsUfdV%HWrpr8dZRpd-#%)c#Fu^mqo|^b{9Mam`^Zw_@j@
zR&ZdBr3?@<@%4Z-%LT&RLgDUFs4a(CTah_5x4X`xDRugi#vI-cw*^{ncwMtA4N<n#
zKe-3R=W^+cuK>KjByYBza)Y$hozZCpuxL{IP&=tw6ZO52WY3|iwGf&IJCn+u(>icK
zZB1~bWXCmwAUz|^<&ysd#*!DSp8}DLNbl5lRFat4NkvItxy;9tpp9~<f);nGGD>|@
z;JctShv^Iq4(z+y7^j&I?GCdKMVg&jCwtCkc4*@O7HY*veGDBtAIn*JgD$QftP}8=
zxFAdF=(S>Ra6(4slk#h%b?EOU-96TIX$Jbfl*<nInof4ph4hK=1pB+w>_7IY-|R%H
zF8u|~hYS-YwWt5+^!uGcnKL~jM;)ObZ#q68ZkA?}CzV-%6_vPIdzh_wHT_$mM%<x2
zq&@Ugp@y3#qmCWN2c()zUb2i%NHytqe#*|FOc9=9=lm37FJ~XnjPaYV#gu{Rxk3h%
z6(mfsR@KE$kTrlhgn%DPo5HpDO0=1-df|X)k_Bt?_o11|zfG(qa-#Sl@L(<sfroJg
zk#3es02GuhOy#7gPL>vws9lxUj;E@#1UX?WO2R^41(X!nk$+2oJGr!sgcbn1f^yl1
z#pbPB&Bf;1&2+?};Jg5qgD1{4_|%X#s48rOLE!vx3@ktstyBsDQWwDz4GYlcgu$UJ
zp|z_32yN72T*oT$SF8<}>e;FN^X&vWNCz>b2W0rwK#<1#kbV)Cf`vN-F$&knLo5T&
z8!sO-*^x4=kJ$L&*h%rQ@49l?7_9IG99~xJDDil00<${~D&;kiqRQqeW5*22A`8I2
z(^@`qZoF7_`CO_e;8#qF!&g>UY;wD5MxWU>az<ULIsNY$DJI@Av_2K^yD6wo0kqHs
zV#M>oo=E{kW(GU#pbOi%XAn%?W{b>-bTt&2?G=E&BnK9m0zs{qr$*&g8afR_x`B~o
zd#dxPpaap;I=>1j8=9Oj)i}s@V}oXhP*{R|@DAQXzQJekJnmuQ;vL90_)H_nD1g6e
zS1H#dzg)U&6$fz0g%|jxDdz|FQN{KJ&Yx0vfuzAFewJjv`pdMRpY-wU`-Y6WQnJ(@
zGVb!-8DRJZvHnRFiR3PG3Tu^nCn(CcZHh7hQvyd7i6Q3&ot86XI{jo%WZqCPcTR0<
zMRg$ZE=PQx66ovJDvI_JChN~k@L^Pyxv#?X^<)-TS5gk`M~d<~j%!UOWG;ZMi1af<
z+86U0=sm!qAVJAIqqU`Qs1uJhQJA&n@9F1PUrYuW!-~IT>l$I!#5dB<cfvg5VibV&
zDqvU$KKCo4v0yI;auEcF&ZcvUE7}qhEUthMrKK<ZZorlPhfA2o9*2RG_C6<ZwD)23
zgbU<ugZCNmzTNu!GMX!>aiAK}RUufjg{$#GdQBkxF1=KU2E@N=i^;xgG2Y4|{H>s`
z$<vvU|F(3Nv^%2-!)gt%bV2|xrF9!>t`k8c-8`fS7Yfb1FM#)vPKVE4Uf(Pk&%HLe
z%^4L>@Z^9Z{ZOX<^e)~adVRkKJDanJ6VBC_m@6qUq_WF<AGx+lu0P|(*RBdki}PPC
zR884Dd(Bf1Tr>@Epw>AYqf%r6qDzQ~AEJ<N!$QjqcKBS<-KzqABShp7@2HODUtuI-
zM1Hm0Vba1HggryAaeKKwP<qS1QZN90CS+8P%>!jtUvLp^CcqZ^G-;Kz3T;O4WG45Z
zFhrluCxlY`M+OKr2SeI697btH7Kj`O>A!+2DTEQ=48cR>Gg2^5uqp(+y5Sl09MRl*
zp|28!v*wvMd_~e2DdKDMMQ|({HMn3D%%ATEecGG8V9>`JeL)T0KG}=}6K8NiSN5W<
z79-ZdYWRUb`T}(b{RjN8>?M~opnSRl$$^gT`B27kMym5LNHu-k;A;VF8R(HtDYJHS
zU7;L{a@`>jd0svOYKbwzq+pWSC(C~SPgG~nWR3pBA8@OICK$Cy#U`kS$I;?|^-SBC
zBFkoO8Z^%8Fc-@X!KebF2Ob3%`8zlVHj6H;^(m7J35(_bS;cZPd}TY~qixY{MhykQ
zV&7u7s%E=?i`}Ax-7dB0ih47w*7!@GBt<*7ImM|_mYS|9_K7CH+i}?*#o~a&tF-?C
zlynEu1DmiAbGurEX2Flfy$wEVk7AU;`k#=IQE*6DMWafTL|9-vT0qs{A3mmZGzOyN
zcM9#Rgo7WgB_ujU+?Q@Ql?V-!E<ESfbH6cV^f<TVZZ6$j;;%C;F7k#%v)~#tDz@O9
zGjF`&rD{{KBD!Z>=jbypS+*ch<nT0vi*LE;jA`dwa7L|Pk{%Vkrl+;{Q+Icda+|DH
zxbX_5rMru~l@p?-nW}qiMdIwMuOHt$v$Z->I&zA+C_3_@aJal}!Q54?qsL0In({Ly
zjH;e+_SK8yi0NQB%TO+Dl77jp#2pMGtwsgaC>K!)NimXG3;m7y`W+&<(ZaV>N*K$j
zLL~I+6ouPk6_(iO>61cIsinx`5}DcKSaHjYkkMuDoVl>mKO<4$F<R}h5tU~DoQW2-
zb@mx6M$TIWS(5Azchs1S!C1Vg!dX-qRh*Tlox4o><>YJ5J9A2Vl}#BP7+u~L8C6~D
zsk`pZ$9Bz3teQS1Wb|8&c2SZ;qo<#F&gS;j`!~!ADr(jJXMtcDJ9cVi>&p3~{bqaP
zgo%s8i+8V{UrYTc9)HiUR_c?cfx{Yan2#%PqJ{%?Wux4J;T$#cumM0{Es3@$>}DJg
zqe*c8##t;X(<vs5F6*OK5RBh`;EMHg+sn$v%w2!Q1AFLXOj%hwP6VgZXe#dgvNr%C
zbK2>4$?A`ve)e@YU3d2Balcivot{1(ahlE5qg@S-h(mPNH&`pBX$_~HdG48~)$x5p
z{>ghzqqn_t8~pY<5?-To>cy^6o~mifr;KWvx_oMtXOw$$d6jddXG)V@a#lL4o%N@A
zNJlQAz6R8{7jax-kQsH6JU_u*En%k^NHlvBB!$JAK!cYmS)HkLAkm0*9G3!vwMIWv
zo#)+EamIJHEUV|$d|<)2iJ`lqBQLx;HgD}c3mRu{iK23C>G{0Mp1K)bt6OU?xC4!_
zZLqpFzeu&+>O1F>%g-%U^~yRg(-wSp@vmD-PT#bCWy!%&H;qT7rfuRCEgw67V!Qob
z&tvPU@*4*$YF#2_>M0(75QxqrJr3Tvh~iDeFhxl=MzV@(psx%G8|I{~9;tv#BBE`l
z3)_98eZqFNwEF1h)uqhBmT~mSmT8k$7vSHdR97K~kM)P9PuZdS;|Op4A?O<*%!?h`
zn`}r_j%xvffs46x2hCWuo0BfIQWCw9aKkH==#B(TJ%p}p-RuIVzsRlaPL_Co{&R0h
zQrqn=g1PGjQg3&sc2IlKG0Io#v%@p>tFwF)RG0ahYs@Zng6}M*d}Xua)+h&?$`%rb
z;>M=iMh5eIHuJ5c$aC`y@CYjbFsJnSPH&}LQz4}za9YjDuao>Z^EdL@%s<cic@|#d
zk`VYkAA1)5&zzBlUXwX>aRm&LGQWXs*;FzwN#p<?>H&j~SLhDZ+QzhplV_ij(NyMl
z;v|}a<m1KirP40Q9;?ZUGeiBO`6EQCP%m`AbDrv}WVxc|a9*xhB0zVg4PQB(Updr=
z()&PI0+wG1-G5cn-?{zrU(p$hh$VW4zkc`j%O6su+dqN;>mvxRddO81LJFa~2QFUs
z+<rMf(`FCeM}FJ^oJ6DQ^2{Nc9R`a9PEsYsk4d<kKA^opcC1pDZk0kh9^Gygk8>Lk
zZck)}9uK^buJNMo4G(rSdX{57(7&n=Q6$QZ@lIO9#<3pA2ceD<ex)Co(^yo~b^iS?
z-G6>pO_340B*pHlh_y{>i&c1?vdpN1j>3UN-;;Yq?P+V5oY`4Z(|P8SwWq<)<fz%B
zj)+x<OZ_gB*%c@YSI6p9w+Ydpc!Zcf$QEBFDuqEL6=PD@Pe~N@st{xMy+-n;*Mt~v
zmrteH;(NO63jTi5?DV@CF_fsL-w|T3X%De;sQHBB^9@P)Y{)Bp<max_sHiv=Y2ujB
z*Y0pN2vXRDgae#VLF1APpWP+=i6luTbXun4wCl7o-h=Gg-_V%L+$3>n`W@AwcQ?E9
zd5j8>FT^m=MHEWfN9jS}UHHsU`&SScib$qd0i=ky0>4dz5ADy70AeIuSzw#gHhQ_c
zOp1!v6qU<Kxjvk}u}KI}1IL4P)HQX%3Qy1||7)ACyj<$_yY^HUY1Qh86mASo5oGq6
zE#i-HjkgKyfR`wC1AzxilV;sCL6u<;DfJ$k2lHogcuG&96Y=9Dx08l3i%#>)@8MY+
zMNIID?(CysRc2uZQ$l*QZVY)$X?@4$VT^>djbugLQJdm^P>?51#lXBkdXglYm|4{L
zL%Sr?2f`J+xrcN@=0tiJt(<-=+v>tHy{XaGj7^cA6felUn_KPa?V4ebfq7~4i~GKE
zpm)e@1=E;PP%?`vK6KVPKXjUXyLS1^NbnQ&?z>epHCd+J$ktT1G&L~T)nQeExe;0Z
zlei}<<dHMjP`dMgT;)rz@KwnNqz2u#jL%!`ao{S@tM3IGYSeTv3Fk3tBkVZxLRlho
z@Yxs}5wdFIYX}Vx7;lNy5jfXGDv1)02|!y=K!RAWW@=@lh*MCQ(we#;x;&XaD>_ni
ztFo}j7nBl$)s_<W4is^tCJZEK$$)&HpdlqLPzQFWv`<{7GL_AD92F#&(|%OzJIbuy
z+Ol{_jn76nNgzuA>3odmdafVieFxc)m!wM+U`2u%yhJ90giFcU1`dR6BBTKc2cQ*d
zm-{?M&%(={<F~lIWhEX{d2;PTbK5UDb8+WLo7GcN=5=ow@4S4W$LOt!x3rG3C8mvr
z0>xYHy?VCx!ogr|4g5;V{2q(L?QzJGsirn~kWHU`l`rHiIrc-Nan!hR7zaLsPr4uR
zG{En&gaRK&B@lyWV@yfFpD_^&z>84~_0Rd!v(Nr%PJhFF_ci3D#ixf|(r@$igZiWw
za*qbXIJ_Hm4)TaQ=zW^g)FC6uvyO~Hg-#Z5Vsr<Zy{+LyD`h4YS(ghy#BfWzW^5Uo
zQ8PC9sjEJ4RGC&$F|HxuyK{woR4L3OZu<36tuvn9l2snS_;Y@J&z1A*lMO*_Ur`v=
zX;m?{v#RtbKP{_C_Pwp$oMe|?dH6}PAjk=@Y1ry|VVd(HV4<-(-0+OjB`EyB0T=kn
z(gB<B0#L(B#0`VW)>ybz6uOTF>Rq1($JS`imyNB7myWWpxYL(t7`H8*voI3Qz6mvm
z$JxtArLJ(1wlCO_te?L{>8YPzQ})xJlvc5wv8p7Z=HviPYB#^#_vGO#*`<0r%MR#u
zN_mV4vaBb2RwtoOYCw)X^>r{2a0kK|WyEYoBjGxcObFl&P*??)WEWKU*V~zG5o=s@
z;rc~uuQQf9wf)MYWsWgPR!wKGt6q;^8!cD_vxrG8GMoFGOVV=(J3w6Xk;}i)9(7*U
zwR4VkP_5Zx7wqn8%M8uDj4f1aP+vh1Wue&ry@h|wuN(D2W<Jk_Ub)RM4SgV&OId4;
zn2zn6!@5a6q<V@&t`j1NlR++Q;e@+-SbcuS)(a+|%YH!7_B%_B*R5T=?m|>;v6b1^
z`)7XBZ385zg;}&Pt@?dunQ=RduGRJn^9HLU&HaeUE_cA1{+oSIjmj3z+1YiOGiu-H
zf8u-oVnG%KfhB8H?cg%@#V5n+L$MO2F4>XoBjBeX>css^h}Omu#)ExTfUE^07KOQS
znMfQY2wz?!7!{*C^)aZ^UhMZf=TJNDv8VrrW;JJ9`=|L0`w9DE8MS>+o{f#{7}B4P
z{I34>342vLsP}o=ny1eZkEabr@niT5J2AhByUz&i3Ck0H*H`LRHz;>3C_ru!X+EhJ
z6(+(lI#4c`2{`q0o9aZhI|jRjBZOV~IA_km7ItNtUa(Wsr*Hmb;b4=;<J1?+^3A&j
zK3cnIJ@xJ)8})7lyFf5`owi5yu4lj04lY55Grhwxe6`Vjk5_%2h6Srm0%!Z7OTJgS
z7xk*fSj^YWvFa#^cCzaibaRR7wifomC%U_?eh_XL=5Hz83qQMDCary#^CqnoCok6y
z#aKY5h8k>R(gF@GmsRI`pF+0tmq0<eALkrdNz?_uQPl5L<ziG;l8G^BKV7-hN+!<*
z<qETgy|$oSZ328w$u~CVg?j38Ne8Nec!$^z3O9)SK=%x<?=HO#`R=(x+xbP_2n9~L
zA~@Y5=^p7G^ly*h(SjbX22XE{f_H~{EwlIe71&(CF%AC-KZ!PkfDiovb({chpQJjK
zFbjvUr>zy~wnoJD(<MLjh**JGO%zg$#8^?N-Q#VEMllAeBN{8Gkcp5385M+IP?10`
zKNJCQBzyb5Gta#5ZT-NK&Jkr}EY5LG-*{2<GI5k_E;Cjl{9Li(svK!m$F~O+U$JQS
zMZAi<dUJWWO0+lGoKxMN#+rIpvr}TmT8W9)5>LSEwHjT<no^?z{l8Hbtg<ND1Cr6K
z6#0!VQ^*}KTk66St&+e*u_9r$$-(;3c2C&lF^#Wti6x@NV{uFO48lerx@~U7EQm%~
zi8-wSrE-(Ma!Z+cdXdE^nH(<3+*mF-qjhezv`kVwaQ)pBtm+Jzn4-9>Ot4xb0XB-+
z&4RO{Snw4G%gS9w#uSUK$Zbb#=jxEl;}6&!b-rSY$0M4pftat-$Q)*y!bpx)R%P>8
zrB&`YEX2%+s#lFCIV;cUFUTIR$Gn2%F(3yLeiG8eG8&)+cpBlzx4)sK?>uIlH+$?2
z9q9wk5zY-xr_fzFSGxYp^KSY0s%1BhsI>ai2VAc8&JiwQ>3RRk?ITx!t~r45qsMnj
zkX4bl06ojFCMq<9l*4NHMAtIxDJOX)H=K*$NkkNG<^nl46<z}8DjmoX!f<;!=?S0X
zNm_qEi&;s|L9ptUk0h&55Ob{uhVekW1KY3{I#Svm7#;P3BE~;lg8EY6Q79rf(MCE=
zN8VGwjyg@p(Rvv6Qeo&vGBF~WTM7Tu+BS~CYXlw<;F93zrP+w<0f)nm=oOTD0XeL>
zHWH1GXb?Og1f0S+8-((5yaeegCT62&4N*pNQY;%asz9r9Lfr;@Bl${1@a4QA<GQZo
zHC=)78Wbo&u{ERGcuiNo;G#(z2^9z>vMLbV6JDp>8SO^q1)#(o%k!QiRSd0eTmzC<
zNIFWY5?)+JTl1Roi=nS4%@5iF+%XztpR^BSuM~DX9q`;Mv=+$M+GgE$_>o+~$#?*y
zAcD4nd~L~EsAjXV-+li6Lua4;(EFdi|M2qV53`^4|7gR8AJI;0Xb6QGLaYl1zr&eu
zH_vFUt+<?-wHx^jA;=HXzQKp_j)#`&591BSP(wIOS;Ce(17%gs%~hdM@>Ouf4SXA~
z&Hh8K@ms^`(hJfdicecj>J^Aqd00^ccqN!-f-!=N7C1?`4J+`_f^nV!B3Q^|fuU)7
z1NDNT04hd4QqE+qBP+>ZE7{v;n3OGN`->|lHjNL5w40pe<qclDY+ja_*(_95xs;%%
zq{v>PJ?^Y6bFk@^k%^5CXZ<+4qbOplxpe)l7c6m%o-l1oWmCx%c6@rx85hi(F=v(2
zJ$jN>?yPgU#DnbDXPkHLeQwED5)W5sH#<v%tu={Y=OlW2%;gK%O0*}OtgP0-W>-eS
z%#^4dxiVs{+q(Yd^ShMN3GH)!h!@W&N`$L!SbElXCuvnqh{U7lcCvHI#{ZjwnKvu~
zAeo7Pqot+Ohm{8|RJsTr3J4GjCy5UTo_u_~p)MS&Z5UrUc|+;Mc(YS+ju|m3Y_Dvt
zonVtpBWlM718YwaN3a3wUNqX;7TqvAFnVUoD5v5WTh~}r)KoLUDw%8Rrqso~bJqd>
z_T!&Rmr6ebpV^4|knJZ%qmzL;OvG3~A*loGY7?YS%hS{2R0%NQ@fRoEK52Aiu%gj(
z_7~a}eQUh8PnyI^J!>pxB(x7FeINHHC4zLDT`&C*XUpp@s0_B^!k5Uu)^j_uuu^T>
z8WW!QK0SgwFHTA%M!L`bl3h<zOXT*J6fe~c%_xb0$mxr#<2VD=$rO0L8nX7*#{Ksu
z$LONOvFCTfJN5XIapRVZlX}Y=<Lbb4!eHVHYIDPW9?-^*TjQ2+nH<TKdTCuE{W6Ky
z7>HjPp)|wL5Var_*A1-H8LV?uY5&ou{hRjj>#X@rxV>5<xG4RL_K~wL=!|H8*ZSVn
ze*QWuVl90vQ035NRw9cT+>%-9hbP+v?$4}3EfoRH;l_wSiz{&1<+`Y5%o%q~4<MOn
zEoNk8R4!uRxI3kmMnO0fow{Ibz3`A^4>rdpRF0jOsCoLnWY5x?V)0ga>CDo`NpqS)
z@x`mh1QGkx;f)p-n^*g5M^zRTHz%b2IkLBY{F+HsjrFC9_H(=9Z5W&Eymh~A_FUJ}
znhTc9KG((OnjFO=+q>JQZJbeOoUM77M{)$)qQMcxK9f;=L;IOv_J>*~w^YOW744QZ
zoG;!b9VD3ww}OX<8sZ0F##8hvfDP{hpa3HjaLsKbLJ8<m2C(MCx~x+Mo`}Jf7gdL>
z0WpY2E!w?&cWi7&N%bOMZD~o7QT*$xCRJ@{t31~qx~+0yYrLXubXh2{_L699Nl_pn
z6)9eu+uUTUdjHXYs#pX^L)AIb!FjjNsTp7C399w&B{Q4q%yKfmy}T2uQdU|1EpNcY
zDk~(h#AdxybjfzB+mg6rdU9mDZ^V>|U13Dl$Gj+pAL}lR2a1u!SJXU_YqP9N{ose4
zk+$v}BIHX60WSGVWv;S%zvHOWdDP(-ceo(<8`y@Goy%4wDu>57QZNJc)f>Ls+}9h7
z^N=#3q3|l?aG8K#HwiW2^PJu{v|x5;awYfahC?>_af3$LmMc4%N~JwVlRZa4c+eW2
zE!zosAjOv&UeCeu;Bn5OQUC=jtZjF;NDk9$fGbxf3d29SUBekX1<Pr@Tu%2mF`vob
zdsw;fW5J;CqD*)A#3k~8m#E~>!a$Vmq_VK*MHQ4)eB!dQrHH)LVYNF%-t8!d`@!cb
z2CsKs3|!}T^7fSZm?0dJ^JE`ZGxA&a!jC<>6_y67On0M)hd$m*RAzo_qM?aeqkm`*
zXpDYcc_>TFZYaC3JV>{>mp(5H^efu!Waa7hGTAts29jjuVd1vI*fEeB?A&uG<8dLZ
z(j6<v3j>;-%vJ7R0U9}XkH)1g>&uptXPHBEA*7PSO2TZ+dbhVxspNW~ZQT3fApz}2
z_@0-lZODcd>dLrYp!mHn4k>>7kibI!Em+Vh*;z}l?0qro=aJt68joCr5Jo(Vk<@i)
z5BCKb4p6Gdr9=JSf(2Mgr=_6}%4?SwhV+JZj3Ox^_^OrQk$B^v?e<VR4r!cUQcNa*
zLw&@@0{2I&$oQBHjs;Rdk`@6y1!<-(7NgjbFuEcwrG9}&Hy03(S??>Nz}d^xRaz&~
zKVnlLnK<O~>#8^y=If2f1zmb~^5lPLe?%l}>?~wN4IN((2~U{e9fKhLMtYFj)I$(y
zgnKv?R+ZpxA$f)Q2l=aqE6EPTK=i0sY&MDFJp!vQayyvzh4wee<}kybNthRlX>SHh
z7S}9he^EBOqzBCww^duHu!u+dnf9veG{HjW!}aT7aJqzze9K6-Z~8pZAgdm1n~aDs
z8_s7?WXMPJ3EPJHi}NL&d;lZP8hDhAXf5Hd!x|^kEHu`6QukXrVdLnq5zbI~oPo?7
z2Cbu8U?$K!Z4_yNM1a(bL!GRe!@{Qom+DxjrJ!B99qu5b*Ma%^&-=6UEbC+S2zX&=
zQ!%bgJTvmv^2}hhvNQg!l=kbapAgM^hruE3k@jTxsG(B6d=4thBC*4tzVpCYXFc$a
zeqgVB^zua)y-YjpiibCCdU%txXYeNFnXcbNj*D?~)5AGjL+!!ij_4{5EWKG<MLirH
z+DX^Dk(~hl-o)R17Ke7NBWBmGx0}_Yh*L{$3or|S`y{XU9=}stg7(?(^wZZS2Da%+
zWvCP|MzT2WK(<`aoEV!R1WAp-r%3{)SA=78<qFf;<rwNmD*Y*6(NUk(!LD}1(qHA3
z`=B=489M4KM^RxXd(tHgT%9X5Tjnh2mdXv4MCT5VYa7rd+N5ISRlSW}1lw5{(5L@K
zwzTh&rM#;2<;oP^LJod0{WsXpN5C{w?l*Jg>av0^={~M^q}baAFOPzxfUM>`KPf|G
z&hsaR*7(M6KzTj8Z?;45zX@L#xU{4n$9Q_<-ac(y4g~S|Hyp^-<*d8+P4NHe?~vfm
z@y309=`lGdvN8*jw-CL<;o#DKc-%lb0i9a3%{v&2X($|Qxv(_*()&=xD=5oBg=$B0
zU?41h9)JKvP0yR{KsHoC>&`(Uz>?_`tlLjw1&5tPH3FoB%}j;yffm$$s$C=<NH+_Q
zuVOy!BKDYAHt^L);tLou9Iw!KVrZ;__9lB4Qu}AkDaaH65g@R}lia;0J%u}*93`p?
zaeF={6)8oIBzH4kIggVAVvNSbROx-Z(+`hO*myDp7yv#WCwMIxk<hHjD5AkCV*KFy
z7uwrr!(roY4b(1>RHi`I3*m@%CPqWnP@B~%DEe;7ZT{9!IMTo1hT3Q347HJ&!)BM2
z3~aClf>aFh0_9||4G}(Npu`9xYY1*SD|M~9!CCFn{-J$u2&Dg*=5$_nozpoD2nxqq
zB!--eA8UWZlcEDp4r#vhZ6|vq^9sFvRnA9HpHch5Mq4*T)oGbruj!U8Lx_G%Lby}o
zTQ-_4A7b)5A42vA0U}hUJq6&wQ0J%$`w#ph!EGmW96)@{AUx>q6E>-r^Emk!iCR+X
zdIaNH`$}7%57D1FyTccs3}Aq0<0Ei{`=S7*>pyg=Kv3nrqblqZcpsCWSQl^uMSsdj
zYzh73?6th$c~CI0>%5@!Ej`o)Xm38u0fp9=HE@Sa6l2<mw_Yh7ly>oX9^^4|Aq%GA
z3(AbFR9gA_2T2i%Ck5V<FfGDt5jFr`inQh;1&EJ*>2Q2WW-(a&(j#@l6wE4Z`xg#S
za#-UWUpU2U!TmIo`CN0JwG^>{+V#9;z<j+vge|-bMmFe5eQtw=$jBe&1J+DLGhNXR
zVF0LJkT6h0B8nsw@>vx;ztc$}@NlcyJr?q(Y`UdW6qhq!aWyB5xV1#Jb{I-ghFNO0
z<gP-h@3s4i1u==>FU~+QgPs{FY1AbiU&S$QSix>*rqYVma<-~s%ALhFyVhAYepId1
zs!gOB&weC18yhE-v6ltKZMV|>JwTX+X)Y_EI(Ff^3$WTD|Ea-1HlP;6L~&40Q&5{0
z$e$2KhUgH8ucMJxJV#M%cs!d~#hR^nRwk|uuCSf6irJCkSyI<%CR==tftx6d%;?ef
zYIcjZrP@APzbtOeUe>m-TW}c-ugh+U*RbL1eIY{?>@8aW9bb1NGRy@MTse@>=<ra>
za%;5=U}X%K2tKTYe9gjMcBvX%qrC&uZ`d(t)g)X8snf?vBe3H%d<Ke$F$Z0AGpq$L
zh*N9G{;KEPa}gmeOBNBk0zORp;`+VU|1_04|4V$bCz(R~xePApA?YFdZU$CR63IbQ
z2Pq2(THUz7SlMWdHOdM19(SYTR)^7j>G=b<Uy4X-FL@RBUeVq-s%!3f=Wp$pdFiyc
z*UH5I+~YQSU-pf1Z~4Z+d0X6)<0i*Q_Z}vh)KKf>l^rv8Z@YN$gd9yveHY0@Wt0$s
zh^7jCp(q+6XDoekb;=%y=Wr8%<!i<hjG`j2f#)CHoE%?oHV1t_^966$UcQ|tMEj_Y
z^Dp_?#syJ7V{9Es?J3v}f}pPx{87yPa7|66#gbBs#7ePJ{bo_oH&rCWA~hx1V^t$U
z+8@1TWfn_Z`;{~9gC9mv?eoQ*Y-C)rhp|}dc#r5_J0yspKw$C`a}OGKQh(E&3WUik
z4AxbHbeGhXO7DYJ7=8m!=+Sj-HxJCb*@hx`<Q?E73ZqASI|ZO4gQX;PgpcX_I2dEP
z4PzF^;fhXQ)40w{k(P#>6;z0ANH5dDR_VudDG|&_lYykJaiR+(y{zpR=qL3|2e${8
z2V<U){GkH!99$-?(vZQ6`9xYUH;m>;?jgHj7}Kl(d8C9xWRjhpf_)KOXl+@c4wrHy
zL3#9U(`=N59og2KqVh>nK~g9>fX*PI0`>i;;b6K<iTA=O-~d|1@8nQW|764_gHT9A
z+Jdw)Cus?cfv_Gsi;gF31B#4DZ2^Yn1Wk~wI*LZ!hnDLnI_*R~z#5pH4R3KO1Ir1F
zNQX5wC;<FU(7pj+t&{Y#h#K(_6=WtrHj4aPX$5uUHjT;c(e}35?V4?SZCg90+pyx(
z`_R8jCQe*LR*{P)PNV>F|8zg+k2hViCt}4dfMdvb1NJ-Rfa7vL2;lPK{Lq*u`JT>S
zoM_bZ_?UY6oV6Ja14X^;LqJPl+w?vf*C!nGK;uU^0GRN|UeFF@;H(Hgp8x^|;ygh?
zIZx3DuO(lD01ksanR@Mn#lti=p28RTNYY6yK={RMFiVd~k8!@a&^jicZ&rxD3CCI!
zVb=fI?;c#f{K4Pp2lnb8iF2mig)|6JEmU86Y%l}m>(VnI*Bj`a6qk8QL&~PFDxI8b
z2mcsQBe9$q`Q$LfG2wdvK`M1}7?SwLAV&)nO;kAk`SAz%x9CDVHVbUd$O(*aI@D|s
zLxJW7W(QeGpQY<$dSD6U$ja(;Hb3{Zx@)*fIQaW{8<$KJ&fS0caI2Py^clOq9@Irt
z7th7F?7W`j{&UmM==Lo~T&^R7A?G=K_e-zfTX|)i`pLitlNE(~tq*}sS1x2}Jlul6
z5+r#4SpQu8h{ntIv#qCVH`uG~+I8l+7ZG&d`Dm!+(rZQDV*1LS^WfH%-!5aTAxry~
z4xl&rot5ct{xQ$w$MtVTUi6tBFSJWq2Rj@?HAX1H$eL*fk{Hq;E`x|hghRkipYNyt
zKCO=*KSziiVk|+)qQCGrTYH9X!Z0$k{Nde~0Wl`P{}ca%nv<6fnYw^<s*I^w2}g4)
zDT(2xL%uqsByOSZ61tavt7O>~9dYxTnTZB&&962jX0DM&wy&8fdxX8xeHSe=UU&Mq
zRTaUKnQO|A>E#|PUo+F=Q@dMdt`P*6e92za(TH{5C*2I2S~p?~O@hYiT>1(n^Lqqn
zqewq3ctA<T{c@#lWCZ$(!d{cN7=2we77Yx!0ew~Gx<3;vHo@;Z=)<i6dXzL;AY|z|
zQh^P>A%0E)r53*P-a8Ak32mGtUG`L^WVcm`QovX`ecB4E9X60wrA(6NZ7z~*_DV_e
z8$I*eZ8m=WtChE{#QzeyHpZ%7GwFHlwo2*tAuloI-j2exx3#x7EL^&D;Re|Kj-XT-
zt9<G*I5j~YwPM=zQc<-<5T)`?p=k3wJ6%=B%=d_@HDXhwqg3ij6<6Gneq}IMRsO?+
zZ$ux+&=>08^soV2`7s+Hha!d^#J+B)0-`{qIF_x=B811SZlbUe%kvPce^xu7?LY|C
z@f1gRPha1j<g?ml{#gpkD^O$XNTr0o(I;d;h4uA8LjteITT`#--;T+ZYX+t7g{&jY
z%jLmo;U5!e_41&}2`Y3PtJNiOtyHYGC;e`w)XqI9cfa-k)QH;zlhbma7)pQ1mZ#s9
zrt1Z7OQrg>q|=f}Se)}v-7MWH9)YAs*FJ&v3ZT9TSi?e#jarin0tjPNmxZNU_JFJG
z+tZi!q)JP|4pQ)?l8$hRaPeoKf!3>MM-bp06RodLa*wD=g3)@pYJ^*YrwSIO!SaZo
zDTb!G9d!hb%Y0QdYxqNSCT5o0I!GDD$Z@N!8J3eI@@0AiJmD7brkvF!pJGg_AiJ1I
zO^^cKe`w$DsO|1#^_|`6XTfw6E3SJ(agG*G9qj?JiqFSL|6tSD6vUwK?Cwr~gg)Do
zp@$D~7~66-=p4`!!UzJDKAymb!!R(}%O?Uel|rMH>OpRGINALtg%gpg`=}M^Q#V5(
zMgJY&gF)+;`e38QHI*c%B}m94o&tOfae;<xSoo%JWgt|4OsWqBge(0MrWCl{^{1qR
z$9kiQL{yp=)4GQGI_Jm5&g#GDTYcGhkauMJQ(qfM)1pg_a_8YpGwNbwNKp#T3-1@6
z|CjTBM~_fXe$Rs`cJE+v;7^0eysLT1ugyST5y-lLQ?!t5I+r@})qno};JoRD-E=Xi
zX_8OynCqNAP{M@6q0{1lA$fd7YVYB^B3HOC?;KS&skUZdpr&?G*{Dvo9Hf%gnd2O9
zvFCA)Qg13bH?d=3bMwL-iMgPupd}c_KuUy2B!UeZUr<=BIK|YBv?yV$q58*?!w_CK
zhp}K1=StAQ6{?zIqvi9mLesqVm&dX(9+AzcRVtrMpZ;{ErIyVQpVYzYVcvn6%u9m3
zENe?2g{r;1I%;x<{deB!54%lK?QVcb%q|Y(3&@xG42;qPh~(~r6ouOokrhp}g_Byo
zKp4yiKG~E3?*xr!?^(OHXYKbID@Vk%L$MJN?dLjF_FD?rZRr8zTic`kxqVF61s8OU
zY1cLlYqVUOIkCpn>og&!J2;6ENW}QeL7<PXg{yny8O<B+-%z=8!`{k@uZK?dU2tpL
zoDCc1bk4tH!`>3jatbI1*9X~y=$Dm%6FwDcnCyMRL<PZ=`4kP-O>}zo`0=y7=}*Uw
zo3!qZncAL{HCgY!+}eKr{P8o27ye+;qJP;kOB%RpSesGoHLT6tcYp*6v~Z9NCyb6m
zP#qds0jyqXX46qMNhXDn3pyIxw2f_z;L_X9EIB}<BZV)NY+Sf`GmW4*C1<w9<G3@Y
zR-2Ao^uw)%Z0Eww)CNf&GoE61(l=R$@lLulhRTBom-G)|sA)*B&(~_KWRT_L+saB5
zo*q>AhyC`FYI}G3$WnW>#NMy{0aw}nB%1=Z4&*(FaCn5QG(zvdG^pQRU25;{wwG4h
z@kuLO0F->{@g2!;NNd!<zny}%07Jn8Nf<E`qd>PfqM-;@F0;&wK}0fT9UrH}(8A5I
zt33(<pT6JhCadCO^EwcP0}B}m196bLHZSD1wzS~lgDzyBOMDp_>+&U;CLN|8+71@g
z(s!f-kZZZILUG$QXm9iYiE*>2w;gpM>lgM{R9vT3q>qI{ELO2hJHVi`)*jzOk$r)9
zq}$VrE0$GUCm6A3H5J-=Z9i*biw8<GlN{|J&^K2l_*g<#Pt^RN|DX}11Ly}*7(>ng
zi<1nM0lo^KqRY@Asucc#DMmWsnCS;5uPR)GL3pL=-IqSd>4&D&NKSGHH?pG;=Xo`w
zw~VV9ddkwbp~m>9G0*b?j7-0fOwR?*U#BE#n7A=_fDS>`fwatxQ+`F<!Rj$KZl*<p
zT?$eX^b9WOf%^Fc5Ow$#oiLZxFXB|4X4Ah-N23bVC3rdbHNy5`I((oY2SI(gVJE_3
zv~k-4(EcFxN5Hx@>zhBGQUAyIRZ??eJt46vHBlR>9m!vfb6I)8!v6TmtZ%G6&E|1e
zOtx5xy%yOSu+<9Ul5w5N=&~4Oph?I=ZKLX5DXO(*&Po>5KjbY7s@tp$8(fO|`Xy}Y
z;NmMypLoG7r#Xz4aHz7n)MYZ7Z1v;DFHLNV{)to;(;TJ=bbMgud96xRMME#0d$z-S
z-r1ROBbW^&YdQWA>U|Y>{whex#~K!ZgEEk=LYG8Wqo28NFv)!t!~}quaAt}I^y-m|
z8~E{9H2VnyVxb_wCZ7v%y(B@VrM6lzk~|ywCi3HeiSV`TF>j+I<PcrA4vbhkc}Ds9
zVnPj;dD9hvN^{*9tq;`Y3-i35x*J^9kk!Mknb6QMp+R%r;|Y~}U1bd=<D2Z^=6NHx
z)o!mbv)c13!qxVmdz@Dme2Ud2?)buFbw!<Z_N}SPHX2@PRM{c<oRhmdQ=Q!h%GA-#
zE|+zRyX;@_)`kh%@3wm_ZjUz-66I&coi<`>jd|p*kyn;=mqtf8&DK^|*f+y$<HJ*z
z{kCJi%r~syv1<5SAj?Qn<RD-N0#-mimPHVGsjQ(4>38+9!sis9N=S)nINm9=CJ<;Y
z!t&C>MIeyou4XLM*ywT_JuOXR>VkpFwuT9j5>66<JwXm0Iz|uD_GISrZ<tb63#|b6
zmesyu7v#<;wAs4wx|xl$8!C)O(dny+&uQp5Yiylr74+Z{`kuduLfD{$!RweaKvq@@
zSKvT=l{+EaFCqSAuk-})NiD5^S-DyEOCPWcr6mSZED8GEaH3HbBi=sIw&e0Ek0*HT
zg7i-oY%env)m$!wZo6{H^btX$@qVG{e!&!~J#BILfmfs_E?=UpX#O6)G;!&c?y}Qg
zZDtQIxqNpZ+R#vKv;FOFva`NsR7883$-r&2{_WuFALO<~3Fk}Bb(WC&g8i;%)qzDY
zRjOTdfX!%Ad(<}BcYy4>7A=CU*{TBrMTgb4HuW&!%Yt`;#md7-`R`ouOi$rEd!ErI
zo#>qggAcx?C7`rQ2;)~PYCw%CkS(@EJHZ|!!lhi@Dp$*n^mgrrImsS~(ioGak>3)w
zvop0lq@II<?zr~h{;~Z%uibTbs^_R=H(HEh%|uq3KKIc_zxBu?d|hToq+T%unvO@H
z_7G`_g*WS&kUbvS*4>SuA0Ou*#1JkG{U>xSQV1e}c)!d$L1plFX5XDXX5N<n2C0jm
zX{r1Jy%RD8vWp=4fyb$$F_f=*`nvNgb$TK5DH~vUeDX&BtW7RGgbP7rCk$}DqbN_=
zG+@cCNjfaVNpOlFw+a>7Ns{kT{y5|6MfhBD+esT)e7&CgSW8FxsXTAY=}?0A!j_V9
zJ;IJ~d%av<@=fNPJ9)T3qE78kaz64E>dJaYab5u<efW`3H($g#7XgvMkYf+oz36no
z(7hfLHbbB2R0{1uae-^d+wzih8L%N9he3ud^j?e&dq$dH2awC*y4Q%$6QP+9{{{^S
zS|%?I`*;k>aU`n~Zdp2h{8DV%SKE5G^$LfuOTRRjB;TnT(Jk$r{Pfe4CO!SM_7d)I
zquW~FVCpSycJ~c*B*V8?Qqo=GwU8CkmmLFugfHQ7;A{yCy1OL-+X=twLYg9|H=~8H
znnN@|tCs^ZLlCBl5wHvYF}2vo>a6%mUWpTds_mt*@wMN4-r`%NTA%+$(`m6{MNpi@
zMx)8f>U<?#KGhQOH9sd_@m#$xV)2XXy+)7rj<v$+@Y;iI(?-Y3Sg0r<Nksvzzi#Zp
z$q~EP;jFN*8js?YBQ<`b?Z-d1$^IIsy$A>4hd!row@gM&PVo&Hx+lV@$j9yWTjTue
zG9n0DP<*HUmJ7ZZWwI2x+{t3QEfr6?T}2iXl=6e0b~)J>X3`!fXd9+2wc1%cj&F@Z
zgYR|r5Xd5jy9;YW&=4{-0rJ*L5CgDPj9^3%bp-`HkyBs`j1iTUGD4?WilZ6RO8mIE
z+~Joc?GID6K96dyuv(dWREK9Os~%?$$FxswxQsoOi8M?RnL%B~Lyk&(-09D0M?^Jy
zWjP)n(b)TF<-|C<kuA~or~e()IVaJB8ThDOo%m84{2#Jw7lA;F7HB%yOOfao*a-Bo
z9vF{4tjJ*|r>G%!Vz?8Fu&6iU<>oG#kGcrcrrBlfZMVl0wOJvsq%RL9To%iCW@)#&
zZAJWhgzYAq)#NTNb~3GBcD%ZZOc43!YWSyA7TD6xkk<oWhdAZNF5oEMySt*u%}=mX
zY^=DnO8CU4$;_0G$Mo-Kkj5NlGljS+>)n^FaRAz73b}%9d&YisBic(?mv=Iq^r%Ug
zzHq-rRrhfOOF+yR=AN!a9*Rd#sM9ONt5h~w)yMP7Dl9lfpi$H0%GPW^lS4~~?vI8Z
z%^ToK#NOe0ExmUsb`lLO$W*}yXNOxPe@zD*90uTDULnH6C?InP3J=jYEO2d)&e|mP
z1DSd0QOZeuLW<s88&Dqv$ZDY(qEHICGi1F$d4+8O&b2468PMe9JW2)dic7s&U~)}9
zv>o*NqZzopA+LXy9)fJC00NSX=_4Mi1Z)YyZVC>C!g}cY(Amaj%QN+bev|Xxd2OPD
zk!dfkY6k!(sDBvsFC2r^?}hb81(WG5Lt9|riT`2?P;B%jaf5UX<~OJ;uAL$=Ien+V
zC!V8u0v?CU<?sa9rw*YNr=`U}IHdv2<G`|o3Bx8D;^GeQOIB`c%X^K&>a)4*Q+Q_u
zkx{q;NjLcvyMuU*{+uDsCQ4U{JLowYby-tn@<?{mQ!v2u1l{5e{t5@ZjF*S!>hatL
zy}X>9y08#}oytdn^qfFesF)Tt(2!XGw#r%?7&zzFFh2U;#U9XBO8W--#gOpfbJ`Ey
z|M8FCKlWQrOJwE;@Sm02l9OBr7N}go4V8ur)}M@m2uWjggb)DC4s`I4d7_8O&E(j;
z?3$9~R$QDxNM^rNh9Y;6P7w+bo2q}NEd6f&_raor-v`UCaTM3TT8HK2-$|n{N@U>_
zL-`P7EXoEU5JRMa)?tNUEe8XFis+w8g9k(QQ)%?&Oac}S`2V$b?%`DwXBgja&&fR@
zH_XidF$p1wA)J|Wk1;?lCl?fgc)=TB3>Y8;BoMqHwJqhL)Tgydv9(?(TBX)fq%=~C
zmLj!iX-kn7QA(9snzk0LRf<%SzO&~IhLor6A3f*U^UcoAygRe!H#@UCv$JUP&vPxs
zeDj$1%#<2T1!e|!7xI+~_VXLl5|jHqvOhU7ZDUGee;HnkcPP=_k_FFxPjXg*9KyI+
zIh0@+s)1JDSuKMeaDZ3|<_*J8{TUFDLl|mXmY8B>Wj_?4mC#=XjsCKPEO=p0c&t&Z
zd1%kHxR#o9S*C?du*}tEHfAC7WetnvS}`<%j=o7YVna)6pw(xzkUi7f#$|^y4WQ{7
zu@@lu=j6xr*11VEIY+`B{tgd(<i-P<xW8QmX{Uu}CW{$k=4G`<yQ5DK7nY#9L<7KO
zZl2V*aS4sKmaEUS-mY%P1^cv^q{7lxZ)5qzsWF(QH6y#+dwE4lRddpa#$Z}_cCaKa
zE;TlFY<W#EqQ=~xoZ>c3zO8%nGk0U^%ec6h)G_`ki|XQXr!?NsQkxzV6Bn1ea9L+@
z(Zr7CU_oXaW>VOdfzENm+FlFQ7Se0ROrNdw(QLvb6{f}HRQ{$Je>(c&rws#{dFI^r
zZ4^(`J*G0~Pu_+p5AAh>RRpkcbaS2a?Fe&JqxDTp`dIW9;<O_d1fh3g+@%<JHS<h;
z`xr?<<utwG<Lj5Zdhfz~Sd#5Kb7T9+cKkOui1y`+Uv$r&om%~&H3ligXMa!k1A}&8
z`oKdmM{uQUq3k>DL%0wxX5;`KxyA4F{(~_`93>NF@bj4LF!NC&D6Zm+Di$Q-tb2*Q
z&csGmXyqA%Z9s(AxNO3@Ij=WGt=UG6J7F;r*uqdQ<A<k`&*~1mNB0QW1T5I+z^l>a
z?7j!nV{8eQE-cwY7L(3AEXF3&V*9{DpSYdyCjRhv#&2johwf{r+k`QB81%!aRVN<&
z@b*N^xiw_lU>H~@4MWzgHxSOGVfnD|iC7=hf0%CPm_@@4^t-nj#GHMug&S|FJtr?i
z^JVrobltd(-?Ll>)6>jwgX=dUy+^n_ifzM>3)an3iOzpG9Tu;+96TP<0Jm_PIqof3
zMn=~M!#Ky{CTN_2f7Y-i#|gW~32RCWKA4-J9sS&>kYpTOx#xVNLCo)A$LUme^fVNH
z@^S7VU^UJ0YR8?<bG~Mj6Gj-lk3HOub{MXq84f%T`QY6$SQB%P+{DM48!0oDB|1i&
zZKxv58$HkYAPzeA(N@4W-r2I(ob~ZN%-H1^uVTL2tUjwxrv8WT<9HEQp}oppV?S-b
z?TWa%T=%&4xZ~a0-G(Qtj>Oy$^IYuG*bm|g;@aX~i60%`7XLy*AYpYvZ^F^U(!|RW
z*C!rJ@+7TGdL=nNd1gv^%B+;Fcr$y)i0!GRsZXRHPs>QVGVR{9r_#&Qd(wL|5;H;>
zD>HUw=4CF++&{7$<8G@j*nGjhEO%BQYfjeItp4mPvY*JYb1HKd<ZQ^<n)7B(e{N}R
zNACLEJ-M&vp2!R2b>!{HJ9*)(3%BR%{Pp?AM&*yHAJsW({ivOzj*qS!-7|XEn6@zo
z3L*tBT%<4RxoAh>q{0n_JBmgW6&8hx?kL(_^k%VL>?xjAyrKBmSl`$=V|SK}ELl}@
zd|d0eo#RfG`bw9SK3%r4Y+rdvc}w}~ixV%tqawbdqvE-WcgE+BUpxMT%F@btm76MG
zn=oQRWWuTm+a{dy)Oc2V4yX(@M{QAkx>(QB59*`dLT`<?!`ti2@y+pV_8st7_#g52
z1!@8-14n{+!KuOff(Jusq1w=z(B5!jxFx(cyss+1s<Z0Bs-u@|yyQrAPIYVbrs`9d
z>Pz3Lsj9iB=HSHAiCq()ns|Cr)1<p6y)@aLys9>*c605Cx}3V&x}Lg?b+6Q?)z7Kl
zQh&1Hx`y6JY-Cwvd*ozeps}a1xAA0CR+Da;+O(i)P1C;SjOI}Dtmf6tPqo-Bl`U78
zv$kYgPntPp@G)n1an9tEoL*Vumu9`>_@I(;+5+fBa-*?fEx=mTEjZ7wq}#@Gd5_cW
z!mP{N=yqEntDo)|>oy6{9cu+-3*GTnmb^`O0^FzRPO^&aG`f@F_R*aQ_e{F+_9%NW
z4KG_B`@X3EVV9L>?_RNDMddA>w=e0KfAiw5?#i1NFT%Zz#nuv(&!yIU>lVxmzYKQ`
zzJ*0w9<&L4aJ6A;0j|_<vbtcWAbbzpCj3Gin*xk%@5HxYh(fosHrML5=EAoJzwHRw
zh@)_=)rwlI8GD^(O|@nqTobf9QEEG(*M$^xqkm*B>~i>+y(q-=;2Xxhx2v%CYY^{}
z^J@LO()eLo|7!{ghQ+(u$wxO*xY#)cL(|mi<iezIsIQq}e;H<1HsO1a%jmXB^n!Yj
z`bEguLTH*W^N>H2_ck2yN{mu4O9=hBW*pM_()-_YdH#Ru{JtwJ^R2}3?!>>m1pohh
zrn(!xCjE<?5dV)b*C5Aj$gepjhO+1}F~03sn})p^Uz6_w9HjtSwO;4fgQNBdkCC(S
zXIQs_lKEg{DKt7!64@q0U7<~Z9sWW2MiWn5C=n^v2(+j+NQ}hd(YScLR6bFX1e5GJ
z{f}vqE*X+(y(=SeU6&=<n3p71@^G&#A3gi#b>0Q&EH1<ywPMV@T7r4FN~KK7(R*2e
zG3w@Kn+NlNX^aE);gT>QK?zA%sxVh&H99cObJUY$veZhQ)MLu-h%`!*G)s$2k;~+A
z)Kk->Ri?`oGDEJEtI*wijm(s5<vO`uZjc+%3o%>f$W78FH{+qBxiU{~kq((J3uK{m
z$|C8K#j-?hm8H@x%VfFqpnvu@xn1s%J7uNZC9C99a<_b1J|mx%)$%!6gPU|~<@2&m
zz99GDp`|a%m*iggvfL;4%X;~WY>)@!tMWB@P`)k?$;0x9JSrRI8?s3rlgH(o@`OAo
zn{f*gZ#t2u<vX%PzAIbh8QCV^lkM_->6K??hx|aElOM`Xd0t+SAIUEHvFw%?Wsm$s
zUXq{6UU?a>Nc@@Xlb_2k<d?Yk`js4zSLLAmT7Dyk<TW`guge>9M1Ctr<#+O?yd}rv
z_wu&<L5|BGrBD7Of0n<<JMvdKA@9n2@;7;3{*GxNK9rO44>=_t$!Yngd@N_AUj}T;
z#*Ce|%XZr_sQcsWcsl{pCnnj+c8ZNIMmx<;w=-g$Q>BU;9k;w|zQ;4!W32Xg2Cd?{
zvmO3kuKQ^Hv;o>6ZHP8ZJ2`4~Bx?N;cf<0fi=!*G^^WzbTF3e$b&d^qqB{>nqLG81
zs94bBh%|Vj+hLu=!8(b9brJ>ZBns9^6s(gdSVyP9qnu2_I{Sg8j-rloG6{d`De5We
zDe5WeY3ga}Y3ga}Y3ga}Y3ga}Y3ga}d8y~6o|k%F>UpW>rJk31Ug~+N=cS&HdOqs;
zsOO`ek9t1p`Kafko{xGy>iMbXr=FjBxZMYc8a#gL`Kjlpo}YSt>iMY`pk9DF0qO*(
z6QE9jIsxhgs1u-0kUBx8D@eT{^@7w3QZGooAoYUO3sNscy%6<6)C*BBM7<F8LevXU
zFGRf%^}^H(Q!h-tF!jRJ3sWyly>L`dk$Xk%6}eZQXgo#!75P`>Uy*-B{uTLG<X@40
zMgA4}SL9!je?|Tk`B&s$k$*-075P`>Uy*-B{uTLG<X@40MgA4}SL9!je?|Tk`B&s$
zk$*-075P`>Uy*-B{uTLG<X@40MgA4}SL9xidqwUQxmV;~k$Xk%6}eaBUXgo6?iIOL
z<X#1$JSg(7$iE{0iu^0`ugJe5|BC!8@~_ChBL9l~EAp?%zasyN{44UW$iE{0iu^0`
zugJe5|BC!8@~_ChBL9l~EAp?%zasyN{44UW$iEuoJ{&DaDjY3GsEwTSjAnVzEDxIH
zL9;w)mIux9pvk``|C;=3@~_FiCjXlJYx1wjy(agXylZl<$+;%y7~~jDCpp*TT9a!{
zt~I&V<XV$!O|CV$*5q1~YfY{-xz^-blWR?`G3|Ub9pqZ`yspW&Cf}NTYx1qhw<h13
qd~5Qp$+srontW^Wt)qNLLXk-9aux9_WlUi5WYd6^D_dVgyY*ioe@L+a

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.woff b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/fonts/bootstrap/glyphicons-halflings-regular.woff
new file mode 100644
index 0000000000000000000000000000000000000000..9e612858f802245ddcbf59788a0db942224bab35
GIT binary patch
literal 23424
zcmY&eV{m0%u#Iioo_J#0nb?@vwry)-+qNe*Z>))v8{5gt_uj9!t5)^yb-JtjRGrhi
zYInOUNJxNyf_yKX01)K=WP|Si>HqEj|B{eUl?MR<)%<1&{(~)D+NPwKxWqT-@~snp
zg9KCz1VTZDiS?UH`PRk1VPM{29cgT9=<v;Lf`EYagMdIet=H@a8oRlWfPg?`f7?L(
zFKED?%?+Ku?I7~Mb(sI~^#uZMZsTe8&6R_I$YX<mq!jz=4cJ?l8k&HBDD{8auziCA
zQl4qm;+y>D?!Wc_@}qzggFv;gb@2cJQAYWWtpEZ7?y@jSVqjx${B5UV@SO|wH<<0;
z{><1KdVI%Ki}>~<`46C0AggwUwx-|QcU;iiZ{NZu`ur>hd*|<W)sXtmhXDixZoaeV
zklo$X=sQ21?>Hb(|6veERq<PbegkBRzi{?HIp-GW`hU_n&12ozz{J4dAGi@L6pDe-
z_ud2pJc-_b2pj}b3Pc9vzvpJBX4(Dy6a52IgD!!AfuwLEKN$^~jn+XAz)Mg9U?T~E
zgqNfL`tz^91n&aBz=T}M5SD}tB`7H25Mn@BQsEK4gL$l9qzGE52osF@rxjbO42^t7
z#@g=mu(37N%+Vt`PAJL-lQ=FQENF`3={3?oV6ei1hBKA`DuVTzgGk7b#0j#++TdzR
zI(97e!~g}_G7m33x=^Ssom?;fl4q}a+^;UP-1|ZzG9$*2kpk7p8YI9lAxj<90CjKp
zE8u&KGi5Zv=157hgKP@$c2&H4zuKcOmHoZD%?+qY(Kf~v8|7crq{Nr<WvZ$ts)Fb$
z8!IcdkQ`H>xu=b@5Bab=rqptGxd{QJg!4*-i_$sES~)AB46}Fjg|ea#e@?J}z%CUJ
zOsLWRQR1#<tB|QIEY)&I*ZbudHp)E;$><nb=BbXZ4tHi(jj=+TGtb?X^faOKFyozE
zS@PKF)~8;5xRSNpTm4ugp<(oc@Q3%7K-)@eyP?m1z&l;rf%%J4?;rfzsBU`M+aNyb
z*@?y5Vm{LN@ggUHmiuxx_Dtj5rsol#BM~=pjyHqe<HcvPas11*o_#i9ZJ%`X+7&6Y
z4F}#7CrnT%)O76bs<&03Bs~CBL9-lPzgZEx+oS+S$-gV~5q;R39w5(FZ(Km5B%*l&
z(rrr`BO68!fN#?(kC!s6W?du1@vWLl$02}9k4Iw`sS*azt|mzMLd*ov1C_X-Z_DEc
zA>ng^sD)A4FDuY!iUhzlgfJh(J@BRqd&P#v2B`+saBx>m+M&q7vk-75$NH%T5pi%m
z5FX?`2-5l53=a&GkC9^NZCLpN5(DMKMwwab$FDIs?q>4!!xBS}75gX_5;(luk;3Vl
zLCLd5a_8`Iyz}K}+#RMwu6DVk3O_-}n>aE!4NaD*sQn`GxY?cHe!Bl9n?u&g6?aKm
z-P8z&;Q3gr;h`YIxX%z^o&GZZg1=>_+hP2$$-DnL_?7?3^!WAsY4I7|@K;aL<>OTK
zByfjl2PA$T83*LM9(;espx-qB%wv7H2i6CFsfAg<9V>Pj*OpwX)l?^mQfr$*OPPS$
z=`mzTYs{*(UW^ij1U8UfXjNoY7GK*+YHht(2oKE&tfZuvAyoN(;_OF>-J6AMmS5fB
z<XKU7YH10@@&WJhj71Cj$=TP(r@q<cW{2}t$FbdUw)ad2!elcuLPw0X5toDsPadV*
zO3EPF>^sY6wea&&${+!}@R1f$5oC-2J>J-A${@r(dRzc`wnK>a7~8{Y-scc|ETOI8
zjtNY%Y2!PI;8-@a=O}+{ap1Ewk0@T`C`q!|=KceX9gK8wtOtIC96}-^7)v23Mu;MH
zhKyLGOQMujfRG$p(s`(2*nP4EH7*J57^=|%t(#PwCcW7U%e=8Jb>p6~<TTQ9e?y3C
zdb|J>>RAlY4a*t<yx)M!`#-^(n~+nSXHt)XXPCd>s=pl}_J{->@kKzxH|8XQ5{t=E
zV&o`$D#ZHdv&iZWFa)(~o<E{GN9+27JE4iktONzQ1b)q{Sex30G?of$HMKN~8KD%g
zA+E{L7XRV>Bh-Osl{~CS0hfM7?PyWUWsr5oYlsyC1cwULoQ4|Y5RHA2*rN+EnFPnu
z`Y_&Yz*#550YJwDy@brZU>0pWV^RxRjL221@2ABq)AtA%Cz?+FG(}Yh?^v)1Lnh%D
zeM{{3&-4#F9rZhS@DT0E(WRkrG!jC<!Dwf@j`RqVrLtHFoIyn_L9bxbWrgS*Z9wMu
z#p1&N;H{ZGv&zD_N*zbkas>#5?OFjZv*xQjUP~XsaxL2rqRKvPW$zHqHr8Urp2Z)L
z+)EvQeoeJ8c6A#Iy9>3lxiH3=@86uiTbnnJJJoypZ7gco_*Hv<E!$|Yb^#x+eGvv(
zIp;Wt3|Xgi12|CZQBu5wnkbr4Z_o<}@wU&ThE&G4r6LGOs?2M%<}Vu1j2>KOH97B?
zWiwp>+r}*Zf9b3ImxwvjL~h~j<<3shN8$k-$V1p|96I!=N6VBqmb==Bec|*;HUg?)
z4!5#R*(#Fe)w%+RH#y{8&%%!|<UeDoR>fQ5JcFzUE;-yVYR^&Ek55AXb{^w|@j|&G
z|6C-+*On%j;W|f8mj?;679?!qY86c{(s1-PI2Wahoclf%1*8%JAvRh1(0)5Vu37Iz
z`JY?RW@qKr+FMmBC{TC7k@}fv-k8t6iO}4K-i3WkF!Lc=D`<I4n3h#nG>nuD)v#Na
zA|R*no51fkUN3^rmI;tty#IK284*2Zu!kG13<C=xWI7mp_-$=}wb|<b)!OZRv-HEP
z{%b~I$E(4`VZ#-glOe-5)a2pflY1Bz-1#4je?)~T9!X4-E;pkTTM{XAe2I!K$wY&{
zHEYHdnV_WuXSOaFHmg_J8USFkT|e)_-*FkL@p7z7`X=kCplNBVHgHbdYiIA4b&ia%
zF^b30NW{}~a)`)^H3EMpr)@2a^C3(yt-t3eigT2)odQdx2zf*pafN9pF#;@+u4LZa
z7x<*Yxq9&rRf5M3B$p^s`skXsITAn=Zo(y=33sGRSGWuaK?&Ne`Pj#q{feF+D~&z+
zEyT)MiaBL7L|^V76c6eAiTxZof6@zS20aGf%dzLc3HH8OA(-=u{w4pJ6%*OO;uayC
zzR4O{sz+f(78K2km*}=(W9{c=$lUj4eqLf#^t$Qwnbo?bEXMO?j$N^G)CbdGe8!P9
zJnZQX@k)7bzDG0I8w{~ZPTf4?D$;UGe$M~$TSzciU_@dS=0n{mhB=qm5O0^X+E9+o
z1x?ef8>!$OlxJAt@zLU`kvsazO25TpJLbK&;M8kw*0)*14kpf*)3<d6yUQxMZe%8t
zXy(eYN2(&WrmwSg<nK0tWy!~|3-Ib)_FW|=FVb)tUsL?PQ@qp22p>;GiDh;C(F}$-
z1;!=OBkW#ctacN=je*Pr)lnGzX=OwgNZjTpVbFxqb;8kTc@X&L2XR0A7oc!Mf2?u9
zcctQLCCr+tYip<jrMK$>a_k=;1ETIpHt!Jeo;iy^xqBES^Ct6-+wHi%2g&)?7N^Yy
zUrMIu){Jk)luDa@7We5U!$$3XFNbyRT!YPIbMKj5$IEpTX1IOtVP~(UPO2-+9ZFi6
z-$3<|{Xb#@tABt0M0s1TVCWKwveDy^S!!@4$s|DAqhsEv--Z}Dl)t%0G>U#ycJ7cy
z^8%;|pg32=7~MJmqlC-x07Sd!2YX^|2D`?y;-$a!rZ3R5ia{v1QI_^>gi(HSS_e%2
zUbdg^zjMBBiLr8eSI^BqXM6HKKg#@-w`a**w(}RMe%XWl3MipvBODo*hi?+ykYq)z
ziqy4goZw0@VIUY65+L7DaM5q=KWFd$;W3S!Zi>sOzpEF#(*3V-27N;^pDRoMh~(ZD
zJLZXIam0lM7U#)119Hm947W)p3$%V`0Tv+*n=&ybF&}h~FA}7hEpA&1Y!BiYIb~~D
z$TSo9#3ee02e^%*@4|*+=Nq6&JG5>zX4k5f?)z*#pI-G(+j|jye%13CUdcSP;rNlY
z#Q!X%zHf|V)GWIcEz-=fW6AahfxI~y7w7i|PK6H@@twdgH>D_R@>&OtKl}%MuAQ7I
zcpFmV^~w~8$4@zzh~P~+?B~%L@EM3x(^KXJSg<wVEvJN(*DSLK{@lLZ^>c6I=;)B6
zpRco2LKIlURPE*XUmZ^|1vb?w*ZfF}EXvY13I4af+()bAI5V?BRbFp`Sb{8GRJHd*
z4S2s%4A)<beb5!5W2AL1ws>6Uc=PK%4@PbJ<{1R6+2THMk0c+kif**#ZGE)w6WsqH
z`r^DL&r8|OEAumm^qyrryd(HQ9olv$ltnVGB{aY?_76Uk%6p;e)2DTvF(;t=Q+|8b
zqfT(u5@BP);6;jmRAEV057E*2d^wx@*aL1GqWU|$6h5%O@cQtVtC^isd%gD7PZ_Io
z_BDP5w(2*)Mu&JxS@X%%ByH_@+l>y07jIc~!@;Raw)q_;9oy@*U#mCnc7%t85qa4?
z%_Vr5tkN^}(^>`EFhag;!MpRh!&bKnveQZAJ4)gEJo1@wHtT$Gs6IpznN$Lk-$NcM
z3ReVC&qcXvfGX$I0nfkS$a|Pm%x+lq{WweNc;K>a1M@EAVWs2IBcQPi<R5t!qadV8
z`@w2vB^p<`Z$u8twt230^FDUXk@KFGRjk|Wy)IU*vs&-S4^@ur^QOw}{f&PX2ZUtx
z2^VHiFLv0j^tM_qTCdnm{?$%kSnzz+Rz#c}<%d@@&Y%vBngG@bQjNu*$QIzHiMtlr
z%<!I8J_+!}g1P;40riIDVp#J58>EJNt}+Ea8~WiapASoMvo(&PdUO}AfC~>ZGzq<X
zA{wc(2{B`w8<FdY#fUA=!$2hWfZJFFh^biG^FRul&;5HGQt3HYB*8-U;tAm`ZDrW?
zLGzSCAtG}^Y%BI&AQbV|jc8`aQkJs}$KZGr4&D`BKH5)pk?++zISItrK-zIx+|7D6
zd{(|~knMc?H%TN~Ttm8w#&X{*x_x0Tx_urTbWQT(rM-zoT(XUHVI3m?V@uQP4J|db
z_OkbMEz8a;6}80;ZBwYhBLn3A0_Q%9Xo7*<Qa^td-Q$KXkb<^$rXNS+J!!v~e_27-
z?B(DtKu5zrraAfXQ`1kqTCnO1=JFF~4jJA+&eXD+hsTX=d50Jrj6yJ)U-=XHF8z-o
z1o@Y7@sl2x7U<!Ygv?%s5eyX!wKt`l=(%|REJ0yS<TOH?s9B)is6Iv13lr}2%hiI}
zPUW^d?_dD#I&an8I8t^fY)SnDOhO39OTDNje$JA5dr5!UH92rZ)87wX;yQSp&mZg<
zmgmz=w6D&%v&B;c-vM3DEvl$Gev##x*ndtU#f^N2I}99-3HZpRE^$`D%!0A_ujaQb
zI5z(Mh2X@IN1#BF?<;^jK#~(MAEc`h<3P$Nghud=)(&&|-qnC?^x{5VK>Wjd)4no(
ziLi#e3lOU~sI*XPH&n&J0cWfoh*}eWEEZW%vX?YK!$?w}htY|GALx3;YZoo=JCF4@
zdiaA-uq!*L5;Yg)z-_`MciiIwDAAR3-snC4V+<n|J*V*n#h?&wg+C8sg$z312~u%3
zz$RVnQhlm*2c)>KA>&V%Ak;p{1u>{Lw$NFj)Yn0Ms2*kxUZ)OTddbiJM}PK!DM}Ot
zczn?EZXhx3wyu6i{QMz_Ht%b?K&-@5r;8b076YDir`KXF0&2i9NQ~#JYaq*}Ylb}^
z<{{6xy&;dQ;|@k_(31PDr!}}W$zF7Jv@f%um0M$#=8ygpu%j(VU-d5JtQwT714#<!
z&vm@KPB=l<TMpuv%DS+RW~~WnEOz5WiaSxW4<ph#&0;zqiCMt1ekX<hrb8#^mBYaW
zJA2vi7UWJVhfbeu%Rejgz>f0z+Cm$F9J<FFP&8OfSp_OMl7>jGr_G!~NS@L9P;C1?
z;Ij2YVYuv}tzU+HugU=f9b1Wbx3418+xj$RKD;$gf$0j_A&c;-OhoF*z@DhEW@d9o
zbQBjqEQnn2aG?N9{bmD^A#Um6SDKsm0g{g_<4^dJjg_l_HXdDMk!p`oFv8+@_v_9>
zq;#WkQ!GNGfLT7f8m60H@$tu?p;o_It#TApmE`xnZr|_|cb3XXE)N^buLE`9R=Qbg
zXJu}6r07me2HU<)S7m?@GzrQDTE3UH?FXM7V+-lT#l}P(U>Fvnyw8T7RTeP`R579m
zj=Y>qDw1h-;|mX-)cSXCc$?hr;43LQt)7z$1QG^pyclQ1Bd!jbzsVEgIg~u9b38;>
zfsRa%U`l%did6HzPRd;TK{_EW;n^Ivp-%pu0%9G-z@Au{Ry+EqEcqW=z-#6;-!{WA
z;l+xC6Zke>dl+(R1q7B^Hu~HmrG~Kt575mzve>x*cL-shl+zqp6yuGX)DDGm`cid!
znlnZY=+a5*xQ=$qM}5$N+o!^(TqTFHDdyCcL8NM4VY@2gnNXF|D?5a558Lb*Yfm4)
z_;0%2EF7k{)i(tTvS`l5he^KvW%l&-suPwpIlWB_Za1Hfa$@J!emrcyPpTKKM@NqL
z?X_SqHt#DucWm<3Lp}W|&YyQE27zbGP55=HtZmB(k*WZA79f##?TweCt{%5yuc+Kx
zgfSrIZI*Y57FOD9l@H0nzq<E4Q@_YK<1;`>Ou|Bhrm&^m_RK6^Z<^N($=DDxyyPLA
z+J)E(gs9AfaO`5qk$IGGY+_*tEk0n_wrM}n4G#So>8Dw6#K7tx@g;U`8hN_R<bPv^
zP6}0b!dly7dCc=KnICM>;^Uw9JLRUgOQ?PTMr<oQ9o~>4YD5H7=ryv)bPtl=<&4&%
z*w6k|D-%Tg*F~sh0Ns(h&mOQ_Qf{`#_XU44(VDY8b})RFpLykg10uxUztD>gswTH}
z&&xgt>zc(+=GdM2gIQ%3V4AGxPFW0*l0YsbA|nFZpN~ih4u-P!{39d@_MN)DC%d1w
z7>SaUs-g@Hp7xqZ3Tn)e<dV~D-0@M0u`KSW@qBLlIFNKze0?;|tm!<F9_5{TDKnUY
zJB8#(%G(di5;`|v12#{)=^Bhy!6zu5lq~#Rj8QgnK?%W-bqS8Lq9_xGRU?MD1Z_M>
z7x^sC`xJ{V<3YrmbB{h9i5rdancCEyL=9ZOJXoVHo@$$-%Za<Y<=Dws@<HVOn84kp
zy7czzAj#&D?|uHYH^U!oq7C#CS4C-HKPWUJ-r}5;#IkR`+-?7IMg|O#r^#PS@coAT
z<xl(XMO(JUH%Fc8@Q;tlw>Nm-75Z-Ry9Z%!^+STWyv~To>{^T&MW0-;$3yc9L2mhq
z;ZbQ5LGNM+aN628)Cs16>p55^T^*8$Dw&ss_~4G5Go63gW^CY+0+Z07f2WB4Dh0^q
z-|6QgV8__5>~&z1gq0FxDWr`OzmR}3aJmCA^d_eufde7;d|OCrKdnaM>4(M%4<dMy
z`?Qi<9Ebh#nVT{&VVFv66RU??kcC8}u+l^~F(m>V`PxpCJc~UhEuddx9)@)9qe_|i
z)0EA%&P@_&9&o#9eqZCUCbh?`j!zgih5sJ%c4(7_#|Xt#r7MVL&Q+^PQEg3MBW;4T
zG^4-*<N;_j_KF=#ltp<I^9_IU8#T_ulQ_w;P&0IS=TATWkvf^^ks|nDnb@T^ShFUW
ztuyr~q)6&!?68RQ-V8G+#+EoOhWE-6A7rk5HfHxAG?Sknf`kY=i0}11&e`cz`MCO{
zQd*rofIJ{OtoMr$=gf?H!$EPT16>8L%s|A}R%*eGdx&i}B1He(mLygTmIAc^G(9Si
zK7e{Ngoq>r-r-zhyyg<ieAPsqNv@SQwQ@xsNn5Vw2I}E18CcU&C?((>K)*9cj8_%g
z)`>ANlipCdzw(raeqP-+ldhy<kGNs8`S#*G-e>Uv_VOht+!w*>Sh+Z7(7(l=9~_Vk
ztsM|g1xW`?)?|@m2jyAgC_IB`Mtz(O`mwgP15`lPb2V+VihV#29>y=H6ujE#rdnK`
zH`EaHzABs~teIrh`ScxMz}FC**_Ii?^EbL(n90b(F0r0PMQ70UkL}tv;*4~bKCiYm
zqngRuGy`^c_*M6{*_~%7FmOMquOEZXAg1^kM`)0ZrFqgC>C%R<qRBgHG)$UB@XBA@
zshx3_1QSr};A7TJ_s8FNBrzB>JvQSo_OAA(WF3{euE}GaeA?tu5kF@#62mM$a051I
zNhE>u>!gFE8g#Jj95BqHQS%|>DOj71MZ?EYfM+MiJcX?>*}vKfGaBfQFZ3f^Q-R1#
znhyK1*RvO@nHb|^i4Ep_0s{lZwCNa;Ix<{E5cUReguJf+72QRZIc%`9-Vy)D<o;c>
zWKhb?FbluyDTgT^naN%l2|rm}oO6D0=3kfXO2L{tqj(kDqjbl(pYz9DykeZlk4iW5
zER`)vqJxx(NOa;so@buE!389-YLbEi@6rZG0#GBsC+Z0fzT6+d7deYVU;dy!rPXiE
zmu73@Jr&~K{-9MVQD}&`)e>yLNWr>Yh8CXae9XqfvVQ&eC_;#zpoaMxZ0GpZz7xjx
z`t_Q-F?u=vr<JfY4KbWG<xAz}usjoo`>RPaj3r<9&t6K=+egimiJ8D4gh-rUYvaVy
zG($v+3zk5sMuOhjxkH7bQ}(5{PD3Mg?!@8PkK&w>n7tO8FmAmoF30_#^B~c(Q_`4L
zYWOoDVSnK|1=p{+@`Fk^Qb81Xf89_S`RSTzv(a4ID%71nll%{Wad$!CKfeTKkyC?n
zCkMKHU#*nz_(tO$M)UP&Zf<GNy8?Xs8hUzIu0nqFC9@Ka{&R$vXnbN*?hR?iwv-x*
zPrH;>J#*q(0Gr!E(l5(ce<3xut+_i8XrK8?Xr7_oeHz(bZ?~8q5q~$Rah{5@@7SMN
zx9PnJ-5?^xeW2m?yC_7A#<rjP_en{9P5bFL68vgKu`Lv^loBE5&?9+BtYGMUT06bd
zXEt*_Sdl_o?{!kSnxeJB_xVtFwR-bF`2MlsSO1bZtN)M(j%)mHVUj4b&G~L_`|PNv
zb05EL`!%-lV_>WK*B@oIy*Y@iC1n7lYKj&m7vV;KP4TVll=II)$39dOJ^czLRU>L>
z68P*PFMN+WXxdAu=Hyt3g$l(GTeTVOZYw3KY|W0Fk-$S_`@9`K=60)bEy?Z%tT+Iq
z7f>%M9P)FGg3EY$ood+v<G?d-tNS5y+I=S1dlJZvs-NC{^w-&Jr{gfwR>$pdsXvG?
zd2q3abeu-}LfAQWY@=*+#`CX8RChoA`=1!hS1x5dOF)rGjX4KFg!iPHZE2E=rv|A}
zro(8h38LLFljl^>?nJkc+wdY&MOOlVa@6>vBki#gKhNVv+%Add{g6#-@Z$k*ps}0Y
zQ=8$)+Nm||)mVz^aa4b-Vpg=1daRaOU)8@BY4j<Xy)*mrZf+Eqj^RX06GbC^vLKT|
zpteFBLq#626+?=M@k2|V@k{2aN?cRlCum?`TP_u}%3Y{AVZHbKwm{q2d`D~XsJSyD
zl=xk@5@i0e1=0fu$jfj1+lTA1h#%78*$MuUCU^B9>S>=5n#6abG@(F2`=k-eQ9@u#
zxfNFHv=z2w@{p1dzSOgHokX1AUGT0DY4jQI@YMw)EWQ~q5wmR$KQ}Y;(HPMSQCwzu
zdli|G?bj(>++CP)yQ4s6YfpDc3KqPmquQSxg%*EnTWumWugbDW5ef%8j-rT#3rJu?
z)5n;4b2c*;2LIW%LmvUu6t1~di~}0&Svy}QX#ER|hDFZwl!~zUP&}B1o<!gKVHBj1
z!0%hK_{Iy`*BgY<Qck8#<-rH4Lg1;Qj-hq2OvPXM$(Gkmg`0T7B6Gm*>KAxIzt~so
zb!GaJYOb#&qRUjEI1xe_`@<o~iP+Rf(GIMHq*yg6%vf7Mu<-aQ)$}%3o$R+x;;~W%
zCQ~RFyB5g)F1k-t!#^TN>7qv_-LggQ$JE8+{ryT4%ldwC5ete+{G3C#g@^oxfY3#F
zcLlj(l2G8>tC<5XWV|6_DZQZ7ow?MD8EZ9mM2oV~WoV-uoExmbwpzc6eMV}%J_{3l
zW(4t2a-o}XRlU|NSiYn!*nR(Sc>*@TuU*(S77gfCi7+WR%2b;4#RiyxWR3(u5BIdf
zo@#g4wQjtG3T$PqdX$2z8Zi|QP~I^*9iC+(!;?qkyk&Q7v>DLJGjS44q|%yBz}}>i
z&Ve%^6>xY<=Pi9WlwpWB%K10Iz`*#gS^YqMeV9$4qFchMFO}(%y}xs2Hn_E}s4=*3
z+lAeCKtS}9E{l(P=PBI;rsYVG-gw}-_x;KwUefIB@V%RLA&}WU2XCL_?hZHoR<7ED
zY}4#P_MmX(_G_lqfp=+iX|!*)RdLCr-1w`4rB_@bI&<E#m-6fJX?!@HMojcz?@FV(
zEwb`K9p)6DH8Vt-HX;X2^%28zP(BOT@+<+Oy5Uv8eD=4p<t0n4?tw(5<&#sr?h6zV
z!&Zb?gM&8<%??jXTdmMb1(#@6)m(rk*#aUo^iqOs4-#{`NA;|yExPzdS?_q~O>Uz#
z!>9C3&LdoB$r+O#n);WTPi;V52OhNeKfW6_NLn<EDp2Lr=qOaId}Ifx9lEG?H#PEN
zbI74Vx*PNK+cvB53_AWmzs=zCb5!9-mCcW#<QbIdOJM|=ASw5QpF+P}oobETGwNf<
z0{kapJo<fgf(@=YJA0C%pNqB2CMVFcToi3AV3#1!n@Z&vX@98&`Sz6*SUYY~uWq>w
zpFTuLC^@aPy~ZGUPZr;)=-p|b$-R8htO)JXy{ecE5a|b{{&0O%H2rN&9(VHxmvNly
zbY?sVk}@^{aw)%#J}|UW=ucLWs%%j)^n7S%8D1Woi$UT}VuU6@Sd6zc2+t_2IMBxd
zb4R#ykMr8s5gKy=v+opw6;4R&&46$V+OOpDZwp3iR0Osqpjx))joB*iX+diVl?E~Q
zc|$qmb#T#7Kcal042LUNAoPTPUxF-iGFw>ZFnUqU@y$&s8%h-HGD`EoNBbe#S>Y-4
zlkeAP>6<Z7QQ9XL^<-l?vhbA^VVM{w_AGyBxGo2D4xc6Tl~BnC{PHYDLP{4>2k~-N
zHQqXXyN6<L3Gg$i2mMBKaSbx<i~TEhvQ{`W#&P&}*M*bY-+RuxoiU+jyjZtu*2#d`
z4;V{mY|5$$TfD^8s7AA{v{=Q~S8RRnPkT2vB+qp-b$~mY>7hGD6CxQIq_zoepU&j0
zYO&}<4cS^2sp!;5))(aAD!KmUED#QGr48DVlwbyft31WlS2yU<1>#VMp?>D1BCFfB
z_JJ-kxTB{OLI}5XcPHXUo}x~->VP%of!G_N-(3Snvq`*gX3u0GR&}*fFwHo3-vIw0
zeiWskq3ZT9hTg^je{sC^@+z<IC+@jyb5}hL&*c9&Uv=C+8r5MFr<BeiUxikY7v-2j
z#^Wp1Woo#;-OnJd6+u?>3FAd}KNhbpE5RO+lsLgv$;1igG7pRwI|;BO7o($2>mS(E
z$CO@qYf5i=Zh6-xB=U8@mR7Yjk%OUp;_MMBfe_v1A(Hqk6!D})x%JNl838^ZA13Xu
zz}LyD@X2;5o1P61Rc$%jcUnJ>`;6r{h5yrEbnbM$$ntA@P2IS1PyW^RyG0$S2tUlh
z8?E(McS?7}X3n<sX7)_F=$tGzECOdx`5F$56$H6$2HeHDocU>AAJs2u_n{^05)*D7
zW{Y>o99!I9&KQdzgtG(k@BT|J*;{Pt*b|?A_})e98pXCbMWbhBZ$t&YbNQOwN^=F)
z_yIb_az2Pyya2530n@Y@<KMNVgC+@Hh^eD5>s>s>n?L79;U-O9oPY$==~f1gXro5Y
z*3~JaenSl_I}1*&dpYD?i8s<7w%~sEojqq~iFnaYyLgM#so%_ZZ^WTV0`R*H@{m2+
zja4MX^|#>xS9YQo{@F1I)!%<Q9x6E+JCnjAm>RhM{4ZUapHTKgLZLcn$ehRq(emb8
z9<w{<)uy~=x}G;ZX+CDl#T7`~iRBx5XO`@><&Nx*RLcS#)SdTxcURrJhxPM2IBP%I
zf1bWu&uRf{60-?Gclb5(IFI*!%tU*7d`i!l@>TaHzYQqH4_Y*6!Wy0d-B#Lz7Rg3l
zqKsvXUk9@6iKV6#!bDy5n&j9MYpcKm!vG7z*2&4G*Yl}iccl*@WqKZWQSJCgQSj+d
ze&}E1mAs^hP}>`{BJ6lv<q%AGiq()8hz}1^1ex;^<jj#cc=g{s#0iIU-+2jVmxWDS
zd7qq)5u4+Paaui>*>0-ft<;P@`u&VFI~P3qRtufE11+|#Y6|RJccqo27Wzr}Tp|DH
z`G4^v)_8}R24X3}=6X&@Uqu;hKEQV^-)VKnBzI*|Iskecw~l?+R|WKO*~(1LrpdJ?
z0!JKnCe<|m*WR>m+Qm+NKNH<_ye<gDWD0Fl@Ho4<!fm=u&SGgDO!cbo+8PUwfWk+V
z)@b~#GtD0d4#K=39kiev5hj=8h(Nljd<HunOw<O@9z?#m(rb)ZnCBDPu~!uM>fIml
z+x32qzkNRrhR^IhT#yCiYU{3oq196nC3ePkB)f%7X1G^Ibog$ZnYu4(HyHUiFB`6x
zo$ty-8pknmO|B9|(5TzoHG|%><C<pr4&IxzPg{!KcQqRSE~Tvrur~GxUa*ce)ipeE
zWgS=NE-mtVKb)JH#~V9~Hf<heFWK%N<`blD%sTD$A|XGR=J%4vWJQ9B3q;($v$3~e
zpgG#}?8+2jU@b$OcWYMF>s#7)CM(i=M7Nl=@GyDi-*ng6ahK(&-_4h(lyUN-oOa$`
zo+P;<GhFDlQ-b}GJ)A97b8DT!@21D?+G`33xflj&^Ajw)WxefL*Yy?uny35myNvN;
zJu2^EIk(I5BXd2N-yKn?<jAHF(>C4d@m^p9J4c~rbi$rq9nhGxayFjhg+Rqa{l#`Y
z!(P6K7fK3T;y!VZhGiC#)|pl$QX?a)a9$(4l(usVSH>2&5pIu5ALn*CqBt)9$yAl;
z-{fOmgu><7Y<XFolPQk)mb~-4Wz2OqAihGXbfUWv<O@$JoEd1wcAoD{S1ZgFTS^!t
z+_d^VD?_*`AXb~e&yM8k-n#rSNZe`F1hkVx1o46tWKB^*u4Iztzf9jS`;huL0efN_
zw(C5^O4iFb>J5k>*0Q~>lq72!XFX6P5Z{vW&zLsraKq5H%Z26}$OKDMv=sim;K<Yz
zr-(K#w$yhGyI)R05r<FcNBPUs!f8{%L|!+M;WNfIk0#<kNVlmop1dan3IH7GPG0zR
zbu5#oKma)07cl(sMbhFbgIx|mM?)DnP$;1oA~OW0kph!a5>?vsoVs(JNbgTU8-M%+
zN(+7Xl}`BDl=KDkUHM9fLlV)gN&PqbyX)$86!Wv!y+r*~kAyjFUKPDWL3A)m$@ir9
zjJ;uQV9#3$*`Dqo1Cy5*;^8DQcid^Td=CivAP+D;gl4b7*xa9IQ-R|lY5tIpiM~9-
z%Hm9*vDV@_1FfiR|Kqh_5Ml0sm?abD>@peo(cnhiSWs$uy&$RYcd+m`6%X9<SS+iH
zB{MTIilfs+m}FIm`WFe<b<`1NL(_5%pWxy`61V?hXOmI!N62_Zv-n^jPyCieqxTv3
zu0_=zb8f!dMp?R&UxGJe1qNBBRLXVmj-(R6+9rkXoo6CT-@FKe>FN%?<F{pFRdeJu
z{9WJNuwr(Se^zX7t-vqF<$J*yv&MnYO_uaKBS^eIab7YX1r1^(=OyZJp!PzX%0e7b
zeEpxGl+qFvtIR-KD}KZT9sfArU;dGM3-23I#q69NU-%A?w~!T{F+*-_Lil`8wsSSR
zeW-s?xK)R5p&SHb*TI!J314$wOF*NT7qT*&*Og`^+jXq)LaOJ8#&*`Gy)1X0+KiH$
zU-5JNg0Goq-9^C#_ZqHXSIP}b7@(P=L?LSJk~7{IhyH9xAy{$zEDuPUgJ_RJae#PE
zOqO-BK*KnjogIL_)Jz3RACJUY?ZEW~+1H$~{2k_o%Y(uIH3R6z`K|NdGL!=5lV$Vc
z*(&fGI7OherXM4x!s0w3{b4Ax#6<l}lTU2>w}s~Q=3!pJzbN~iJ}bbM*PPi@!E0eN
zhKcuT=kAsz8TQo76CMO+FW#hr6da({mqpGK2K4T|xv9SNIXZ}a=4_K5pbz1HE6T}9
zbApW~m0C`q)S^F}B9Kw5!eT)Bj_h9vlCX8%VRvMOg8PJ*>PU>%yt-hyGOhjg<ke2;
z7Th2%k_wZpW!A{?Dn2nLFJ4=lqYa4jV<d3;8-+Dg@?%0IvOWsDfrv_`J~>!2pZR4{
z=VR_*?Hw|aai##~+^H>3p$W@6Zi`o4^iO2Iy=FPdEAI58Ebc~*%1#sh8KzUKOVHs(
z<3$LMSCFP|!>fmF^oESZR|c|2JI3|gucuLq4R(||_!8L@gHU8hUQZKn2S#z@EVf3?
zTroZd&}JK(mJLe>#x8xL)jfx$6`okcHP?8i%dW?F%nZh=VJ)32CmY;^y5C1^?V0;M
z<3!e8GZcPej-h&-Osc>6PU2f4x=XhA*<_K*D6U6R)4xbEx~{3*ldB#N+7QEXD^v=I
z+i^L+V7_2ld}O2b-(#bmv*PyZI4|U#<t4E{c3+Oa>Q5|22a(-VLOTZc3!9ns1RI-?
zA<~h|tPH0y*bO1#EMrsWN>4yJM7vq<?d%8sAQUGrndP7J-=xw$nCMSpe7!xoUBNp3
zGTsNoHNSmE+wi-t?Vjri@)nrwy)cL`f%zSrKknks+ReH>FZr?uw$H8*P<CaW^*(*P
zrk<ZDEOj-RoW=I>hiHRQg1U9YoscX-G|gck+SSRX<zu*#%uOZJ$&`iwbI4f^EJ9pa
z@T8p1=V0x-K77AYupaOqRJ8Y8`CFqe-OG4O?Pk+3)K=lIg7Aj+5B{LP8{|uD9bb*L
z=JkjZ*a>!(e7@~eeUEw+POsT;=W9J&=EV`cUc{PIg_#TQVGnZsQbCs7#Q-)<h~+VJ
z%O_$A%X$-T2gv^1iV6X%A*e(F(fO?hnMA3<=C!;L;mUog>v#BicxLw#Fb?#)8TYbu
zN)5R=MI1i7FHhF|X}xEl=sW~`-kf;fOR^h1yjthSw?%#F{HqrY2$q>7!nbw~nZ8q9
z<TlAz0DCai`eopoTgUXKr$&x3a%Yszt2{+eo;=r&?LuF;Zj%RNLHAg=LM|in10Rm2
zxd6;k(nHtRPkOmYqHW7fNcCybHEd(KrX46#z77Z9Q1dkPl|2ZTAjBY-ol(B)e&98T
zgr-$?X`Ytyy13^aY2fa`@Y1*X*i2)xR`@;KF^;++G5hoP)3auvu~w3;5+L|E0eJ^s
zgZRj(m;s_<P67c5tRN5r2qBB}z`g`y!oX~V8oXD2oDd8#khWZ&toq|9@%NQ>h{vY!
z<QL?e6`jG`+hK%nypIRco?pA%s6+zYx(b~=Fi(E95-40VeV5w!L2#*>%i=H!!P&wh
z7_E%pB7l5)*VU>_O-S~d5Z!+;f{pQ4e86*&);?G<9*Q$J<tS(vm9lEGpTY@s(2ek+
z8c`{)@2$sFJY{r$73(<V2UKiNm)(n(&DNp1&6b1{q_xZVGIdKSwV*O`Z3q;#cCe`U
zk~C47tS5LEB&@mN%p)_=XY@OEf&MPgH{St5oHz7A*3o-mSC#2S@XC^m@?vD0WoA3+
z%jkw-8_?@Gk~M`p*@7Cp@q?r=ifcr#f5J(+ee*SCy-59!ceTk_CH8c7hwjNA;pzKD
zr8zf+A(f>EJ!ZxY;Oj5&@^eg0Zs!iLCAR`2K?MSFzjX;kHD6)^`&=EZOIdW>L#O`J
z<!j^{WZ{m%sbn?E@W3)ou>f~$M4}JiV}v6B-e{NUBGF<D@nTna4Fj(s(L&KkX*F3!
zglkC}q4NM*a2HP+ijp5<SToUO6J4Q%w}VEJFwp|MQ|{cP2x=Zt1r&nh4>gj-*H%NG
zfY0X(@|S8?V)drF;2OQcpDl2LV=~=%gGx?_$fbSsi@%J~taHcMTLLpjNF8FkjnjyM
zW;4sSf6RHaa~LijL#EJ0W2m!BmQP(f=%Km_N@hsBFw%q#7{Er?y1V~UEPEih87B`~
zv$jE%>Ug9&=o+sZVZL7^+sp)PSrS;ZIJac4S-M>#V;T--4FXZ*>CI7w%583<{>tb6
zOZ8gZ#B0jplyTbzto2VOs)s9U%trre`m=RlKf{I_Nwdxn(xNG%zaVNurEYiMV3*g|
z``3;{j7`UyfFrjlEbIJN{0db|r>|LA@=vX9CHFZYiexnkn$b%8Rvw0TZOQIXa;oTI
zv@j;ZP+#~|!J(aBz9S{wL7W%Dr1H)G-XUNt9-lP?ijJ-XEj1e*CI~-Xz@4(Xg;UoG
z{uzBf-U+(SHe}6oG%;A*93Zb=oE>uTb^%qsL>|bQf?7_6=KIiPU`I|r;YcZ!YG7y~
zQu@UldAwz$^|uoz3mz1;An-WVBtefSh-pv<`n&TU3oM!hrEI?l@v8A4#^$4t&~T32
zl*J=1q~h+60sNc43>0aVvhzyfjshgPYZoQ(<inR$cERK&%N~SSiy;WaiBTgdl;Bz@
zMx7h{4w6)@f3=XUfD<5b*Di$-gK~XeKu8qdfa(KL$OL~#uI0n&gFVreVt1RX*+{5+
z#8$4WWjNT2me=PpYKo4u#73>OOh>LbUIoblb@1z~zp?))n?^)q6WGuDh}gMUaA9|X
z3qq-XlcNl<s-dSKro}45AbD<^IA@6tvSaLv-;sRc5uLj-i(AB^*}0)lznJ6A48b01
zt^mDP9!TqxILrO*cRjO@t^fSYOWb`|vQ*V4*6V-Ii_hT$&15AhsiGo@jvJCCnY0);
z)Gbzh<7K3LRm`L**mLt1MLc+MqqaWkz{2JV0hUf-(7U6vlP$%@`2fR-Dt+r$66q)X
zh2sR=$#8zbejz`}<A~Y#k!TUpiD??3amyj(E}M)o)o#H-j|LmgBHBXsF9$ok?Wh84
zoxjF*=Hw;;!?a%bcJVG|FBP7@_uu_xpir_`+UDHcZX;}|^THjvjdPRUJ+HO3O$%_*
zsal`RIk@07Cuvh)iE1gNnn7n}$9q`Da-o@9CupmsX{@4y;aIQ1WV^7X(Rcx&McA%o
zqa*mh{MZ+m6i(RP#X)4DdX;+iKAzev_!HbYetk>dy5==T4rq*~g@XVY!9sYZjo#R7
zr{n)r5^S{9+$+8l7IVB*3_k5%-TBY@C%`P@&tZf>82sm#nfw7L%92>nN$663yW!yt
zhS>EfLcE_Z)gv-Y^<SaxB6gHmR|E)iyYeg|g|R}ujv8tMcq*gC>h1;xj(<<JyurkO
zku;yk5>4nD4GY{C-nWUgQc9cMmH{qpa!uEznrGF^?bbJHApScQ$j>$JZHAX80DdXu
z--AMgrA0$Otdd#N9#!cg2Z~N8&lj1d+wDh+^ZObWJ$J)_h(&2#msu>q0B$DEERy{1
zCJN{7M@%#E@8pda`@u!v@{gcT3bA*>g*xYLXlbb&o@1vX*x+l}Voys6o~^_7>#GB|
z*r!R%kA9k%J`?m>1tMHB9x$ZRe0$r~ui<kO`4q0h1q9yWTy1Vw;6%l{l&HBbZk8-0
z4ijBu+y@{d)|{@F;ZFKw{xPkg5F+CDU-3fF>}X}jOC)9LH=Po*2SLdtf3^4?VKn<h
zHzQbKiZ9a#y^bZOa6n&Wk$r`rPcR^1TWQZWl`R8PvM?r?^F}g*>u2ox&mV~0oDgi`
z;9d}P$g~9%ThTK8s}5o<m&w0gVXSc39p)SfaC_U5P2<JPm~s|o1ZFngBTt(DrBI%x
z4kDX}YqUJKdxxsso$;8{1MQ;f+HD&9TGSGCQS)Y9GN_l)t8XY5-si=Gs(k<5;!fvW
zxE8*OW}N`jlcqPjb~+szeAOl~e_-nyQAfun)m7Qku$%99s}G7SNoRK-D2Tt?3bf7l
z_f&iauzO~DnLmd4z7qW{*#v(VPN`62cvfV3MGioX->w2V4?(-lU*ed8ro|}mU}pk%
z;bqB0bx3AOk<0Joeh}Vl@_7Po&C`Cg>>gff>e<EyzTH_%h@VP9GTpHG^0d?A+RMpT
z+TYf8aiHmG?aSY>7fu41U3Ic{JQu1W%+!Gvz3GDO2ixKd;KF6UEw8F_cDAh08gB>@
zaRH2Q96sBJ>`4aXvrF0xPtI<C%^cGg^K!B-fX;2xnF2UCh5PH@z5cKKOHR==RLnzf
zSmET?(5QuFJxq~ag0rPdFM7)-DQc6Kkb_;fb-^S9@$f%6aPJ=U;g7Zr?Ox#q(-JyY
zKvu&Cw@3?z3?xc$8o*T2<9qK!(D=t1JD`+Ta(zAy-y-Frq_L?(ciWSU*N3cXEeC5N
zwIavKBghMD()mO&Qc6^H#jRYCBJ}jZ#?v?4($m6CK2G!{)QNVBe9)sd3#Jc(VH2H^
z=FWxE%(d%&VjzHKBh>WoA1pPsRQtU~xDtnEfTJnl{A9u5pR^K8=UdNq%T8F$)FbN>
zgK+_(BF#D>R>kK!M#OT~=@@}3yAYqm33?{Bv?2iBr|-aRK0@uapzuXI)wE0=R@m^7
zQ`wLBn(M*wg!mgmQT1d!@3<2z>~rmDW)KG0*B4>_R6LjiI0^9QT8gtDDT|Lclxppm
z+OeL6H3QpearJAB%1ellZ6d*)wBQ(hPbE=%?y6i^uf%`RXm*JW*WQ%>&J+=V(=qf{
zri~yItvTZbII+7S0>4Q0U9@>HnMP$X>8TqAfD(vAh};2P{QK)ik`a6$W$n<S7xQ?o
z_{n4xoeaH~jS^3HDy+veci7_+aLh^-n?E!YG6S#O$LPEC_>G<{bR2U<qLrkRpb!v0
z%U*eD$^H(<WG-@VF0k%r-g68(2_6$K`r1T6sUwW?8=<u8q_-5ITGbK36tV>fd!^iE
z#1K58$gW!xpeYHeehuhQCXZ9p%N8m<Fx1W4{1&odf~Dg9N*_P3FP{`cbE*_n{Eco>
zB+l~T_u-Ycr!U><XH<{<R0eR`Jn1$qaE<CV>!?xu!!*6rNxq37{`DhMMfY6NpD3Jw
zkYQDstvt30Hc_SaZuuMP2YrdW@HsPMbf^Y9lI<9$bnMil2X7`Ba-DGLbzgqP>mxwe
zf1&JkDH54D3nLar2KjJ3z`*R+rUABq4;>>4Kjc2i<Dy@)!kC&Aw;NA8e)mD}M7}y*
zi5fe;hrp`ef1|wy(>QEj7pVLcZYZ~pteAG4rm1{><Ecc%k1Tki@ADmF<}mEh$<1ax
zS8dQ&w8<!Cd38+}XJ1#f6|D`7AJ6+Fsr$rBs%wDxJx&tw*&5k&wN_-uj!ur;28wi0
zO+Qvl)mUZbXZm|~oa;LAHy_>PQy<rI@3u-En9*i_l~-?$0z#b@Vco$oFcZc}d3oKO
zD*z%H@Hm`{0l9tDx7KHebXBjGPA%mTPf<pnOy#m~KL9BjL-WcR=L#f{u~T2e78Ilg
z(JT)-B~I|YWyGa#aWq+mx~dt<5RI9)@9nr`in)T{m4a6g9DZqFJ{0ZDQ&w4XPvcfW
z)Zgnax(EnBgW0T@l}fNuwENi8sV_h5iwfdBoer10OP+L`!QRkj>=!QiV5G|tVk)53
zP?Azw+N)Yq3zZ`dW7Q9Bq@Y*jSK0<1f`HM;_>GH57pf_S%Ounz_yhTY8lplQSM`xx
zU{r-Deqs+*I~sLI$Oq`>i`J1kJ(+yNOYy$<j89}LeB{DsRRYsqux%gkK#X#@e^U8%
z#M!7}cTMHu<FLh@jarvDc8P_@QfzNdoQi_n+%?2AM>_>R3Jfi680<|^u#J@aY%Q>O
zqfI~sCbk#3--^zMkV&Yj0D(R^rK}+_npgPr_4^kYuG=pO%$C_7v{s@<a9Q#wuB)t?
z#;9BrH!k(Q*;IUj?T<*@HX2{0em!6debb4D8+OTu+|0s%`KdJcokszE{b|_{ztw|2
zP8WR(1+AaeXov%C!=7CsT*LuDx^}pAS;||)2N$TDO}r&-q#K7;nWjNxk~onpjleeK
zUPThfcj0^+;uf%68trL0i1;=y3B3G^4+!l>-{M-P@RL3^<`kO@b=YdKMuccfO1ZW#
zeRYE%D~CMAgPlo?T!O6?b|pOZv{iMWb;sN=jF%=?$Iz_5zH?K;aFGU^8l7u%zHgiy
z%)~y|k;Es-7YX69AMj^epGX#&^c@pp+lc}kKc`5CjPN4Z$$e58$Yn*J?81%`0~A)D
zPg-db*pj-t4-G9>ImW4IMi*v#9z^9V<wSEy0;H<_ip{R`3n$&`z?qY&+x1%E`|f!X
zF^6qcbMj~^Y|&mU__An*YVWv%D)nfhgB<CJl`_02TU%zkuVLq-ifv^5t4@48WjUK6
z<1pI%d1Hq!eHx}*)cFId$Vc5Z{|e7mEOmtuWJf&C8D27?iS2&%o3DCSW(Dy{q!vBU
z<@J%bdvlGuCbxSa3MmV6=PD4kiAVQdnmr=bOicK#q7Xa-!xi^j8Y6rBUZPWqHJ^kK
zO^AmTc89bc5I+T$XZ64^_c1Pnu-4Kq8TW>D9h@9t;3jMAUVxt=oor+16yHf{lT|G4
zya6{4#BxFw!!~UTRwXXawKU4iz$$GMY6=Z8VM{2@0{=5A0+A#p6$aT3ubRyWMWPq9
zCEH5(Il0v4e4=Yxg(tDglfYAy!UpC>&^4=x7#6_S&Ktds)a8^`^tp6RnRd{KImB^o
z2n=t#>iKx<*evmvoE{+fH#@WXGWs$)Uxr<sPjul^54Bff9y%ZVHz+5}qAbDf+|fnm
zNd{_kS$6bt11Qz5?-m)?lU>tf?r>AaxV0?kf0o@oDboJ6z0cgP@A$;k>SK1UqC?Q_
zk_I?j74;}uNXhOf_5ZxQSgB4otDEb9JJrX1kq`-o%T>g%M5~xXf!2_4P~K64tKgXq
z&KHZ0@!cPvUJG<f9>4kw-0;tPo$zJrU-Nop>Uo65Pm|yaNvKjhi7V1g98;^N1~V3%
zTR>yWa+X2FJ_wpPwz3i^6AGwOa_VMS-&`*KoKgF2&oR10Jn6{!pvVG@n=Jk@vjNuY
zL~P7aDGhg~O9G^!bHi$8?G9v9Gp0cmekYkK;(q=47;~gI>h-kx-c<vM%*#w&fX{!h
zF%L>eM{ml$#8KI$4ltyja<rI2qq{$AR1|U_tFD)9Y-d_jShjldAw-)(k${x89fc)V
z^uj$O=9MXT2cL+;^v%uZ%TIiT&+A8q@<LEWivxLuc7cEhkMJup7#M4iRHWn;gs)|%
z*`|SUEl(kbPZ=F^TZ)n%ySX6erWcgVc`2wiVw2VTP%;PP;UMWPi0k}AaIl!DD+>qP
zki^cyDERloAb)dcDBU4na9C(pfD{P@eBGA}0|Rb)p{ISqi60=^FUEdF!ok{Gs;vb)
zfj9(#1QA64w*ud^Y<WE?99td@r;1MVEDo>sN5&PeiI>c`VioE8h)e}W%S9NMA55Gs
zrWL6l+@3CKd@8(UQLTwe12SGWMqRn+j)QZRj*g)Xua)%ayzpqs{pD(WWESJYL3{M$
z%qkpM`jFoqLYVv6{IbCkL?fEiJj$VG=$taup&RL9e{s(Sgse2xVJlw0h74EXJKt<N
zv_^nt|CWo1^pEn7x}Dzrxu#9#iylF>2<mjN(C1_G037wJ*c!9$6Ya%e(y$WXL!EqA
z8HVt{2cY#I$^(s5lIv2_V)0(hY4lKgWN5U}$n%K8Jg_QsDR2~!MLCfAxETJK@puD+
zRpJ+#PBP2wu|C*%vKJ>eX|dx<CQ&quy2)IJEnV9z;^O>z{->0)3W`JN7Bv!rLvRZc
z0tAOZ2yVe4g9iq826qXAg`f!*+}(o1;1FDb>kKexumFS40KvK0yH1_@Z=LgWZ+}(Y
zwYsa;OLz6tTA%gS=>8$=Z7pLh>|K2QElL)E=Q*(n*H`8R`8={-@4mTD-SWBOYRxV?
zmF(-rJB8^Wlp?319rTrh^?QEP?|Msxrv?WbJ-+id+V#F2Y4(JPJ6U9bv+U1cIIH^W
z)lg$_=g^Ma>2~Pyd_YOAv29Cb-U6DJO?NxnW7~QP*SmYi*vdUVuW#LWQ_u0`hymZi
zaQS3Nb^4`ro$>0G%zbXmr5|D|iq0R<;S@?kr0j5Ruq87-Z1>crx%EzVZ9#U;{?}ti
zW2W%*9MQg3Nbh%Ti6LhDd|-aFSgXoPG`mHlUU1iCHr>ru>DX?W_#13(`u*!Plu2OP
z6jk=2>BC0l)aw<WV`x+C!_sw{a5i*Q67F^#P-aA<I@z6VbJW-5&rwZfvvRk3_cA8b
z-o}<6m7#V@uDa<CVdlJ4d|5@tUf!yN<DjY-Ylj}w8VTHcITO{giPiM2=!{`C)-kgy
z4M#`;s$Hx(F&Ry_6@hE&#+WZxZsYohII;=<B$l#U>;HCmxoYD1i4b%m$1`DYC_^L~
zIEAnFcHvad=-aO3(_MI=9#`z6-9*_!&$?<%meb5;jG<wc(D1r`!k7AFaq^l6-TVCr
zn@T;NWtk;qx(I~IDg2;{VNza#Y9hnvC&&D^iJtYTc_&lLexMB!uC87mR>d5Qp=MGf
z6BD{%`L#TAOq%z%@*ib95Ey7NbUF=BlszVk3Iu3imD&*91N-ij%hW?W@~2TtdHTfP
z#n0@Xd7X8Dyu36n{k#PwQ~T~X7mAO^cNV+z<<Rr{6qP*fL{*O`It}aSc#<7ICz`zH
zfdvuUP1@TR@FL!bPH1@um7aB~aO<rmJ%*b)*b*mqm<2+)la8vi-b#-P?L4aM?FRQw
z!SL2{$6_lC;MwX~JFGU~u@(2B?<Z2dhI@qhN$Or_U*}$DGND-zz*x~AawYee{HE;I
zGAb(xm0Nq$##BQLFEgd@aqT*NJhB}}du8b8cj%ob49sgx?Oi-i5sJpioR>HO@3X-#
z_@rAn$k~(l@kciCC;&Qd*fWRI>=;fL{UPlciNDWyj$bX<#r^(r;EE8wwUVQm&7~QY
zCXRj!**r^xybAEPq>h3W$uvI1j=yNIyzkE_D7fpGw)OV{U*Uwm{xB;mEg2(|y|ICd
zMdQVqzMb-=XM6|E-a9kNh)^9lY`-DjhhHD1w5lufRcy+QLgJ47!fFn<KQi>e86#F;
zX{ufroVBEZJOY?rDo!;Te6aOZ^1SO!dYRxQ*2njyA~dCWawn)>!*k7~>8Ikt<J9hI
zLTxVl%^kbxFjaJKz4UwX+jy29ohPH6;RO0%T`A|oSHWhqWuNJ8tYd1Xp}S%w!~<wT
zHSeF;1&d?WDhsdZgTM&TfZ@=Pp`{?gU%*=Eo2o<UfasbP*Vgmv1Y;j}@b2Fxb@=4D
zWq$ckb3BOYn%N0MW}!64?YGvuPD`}=WgRB1BPo(kSV>&e*0>>V5ZbO|*1+2LFOqVe
zXHb!aMk03^h%&9L8GMy7UDI2Kev>V@(R}*Iu6x+!Hn4~D@wj`P%#Hdbf(lK{+DD7f
zJ&(v*mhn_e(R$^5L#bM^^Q@-!*b!l|+Xrb(q*MRFJYnrE7*xko!SJOy9LngR2|q5k
zY`Ioiu+YBfzF{Labszk-E#*BYQk>$()=xWEGZRKwY)*UxP}0dGuPLZOk<u~1pRF`m
zxYnI*6_BmyuVfiETJ#r=!}C__TJ(hS&_}hqJq6T(xXbQJ?{M?GH1d;1)n-8$1pDWw
zJw5OAAMQDHK*ksFYeeo`fz$TbpGy<)Wsk%<#FfYFVTT9*sy=H-wkS^x;7&PL{erf!
zzf{M*8sv9&hkoBZuv}-Nb}O!f7}9<9ZL1vRNUZ5T^4kV6WRoRqMQo_+AH>NJDI9Hy
zFjfwiK6RjhH#rHW#B0(MW}i%V`943<6@Z*Nd^JEP5uZonXm=u%AM>{H^U@&Jy*i0s
za_Da^xI6pMtXzHc{e~_ZcnKP*;=YL2Z^RmzDl{dJTk7*}E_h*NvgnhnxVKB59Duh~
zqouS_WoOR*{UvUw_K#OWz;gMracr%8>QQ&V*jv!8)ho;U8}9~8EU{N<=Z_gR%IpMT
zbkePUG_a<Uo93~%MM1nso9|UdE|j>fm=#|iIfFmdqkpLMGxY5D$`?I}&T7>TexU@v
zkBx09kG)O;09ckj#(_Uov6vv{{HOcr-%H#DUQ@*GzF8Zh{iSM13%fuB%>wjdU@3Nf
zlnYE!GTyNrqes|;nLFXfWU*Wg-9wmr=NBd$nCk+H?iwNvcd0Wab^3CT9a`>3V~oWI
z9=<ivyrYLX+hLVmYbCVC7nx>_H+N-Q=M<NIna#%7G#cG5P!5#|H6`sbgz{jBdvfcF
z%F@i>Q(io4u4mpdQ;k&5FXnKV5M7R`@WJ9h(GrAirO#XXOU{qQpk^B^Vd=Dt{wiqT
zg-#j9J~@o%H2;W9mg)o6@*Vo;BSs2*4HAHpDk02mndAsov08R_48zJZ@J)s7+hyCo
zy*0L#y)?AqZt-wX%+_Vx`8*A95OLHvs1$k~{h-_N<KA7r(+uvizi3XCB3#4TpjNrJ
zvai45nQG0Co%wk~tYgN!u~~y2n6k!jjXBHc$+Gq4hqTzEj>_vov_gHJE=`X>L?5K+
zD?u59=mjtImMvd1GsDytuYp{Iy<NXRrLZ4s+5CA`p}CBZMPL-T31R=B$JFH(h7Qq$
zc5;cO7Li&TJM=S4-dTKdpeXu!TD{GoUj}7yzx4mPG(VBO;Kq@rcXv?}P$X>UkW&?h
zF>$#`n$~bZ)KN0B$<p$VcVWI@lvp&2*7))!ZYjjYh^fBV(ceia`pW>XGeMYh&`;g8
zo_2-koaO6+8O!+L>SpIQbG(i;QW9UJi{Ecewlo?s&D!^>i$|#jaW}#HJuxt|W48=?
zb^Y&O$a1s5ddr8DIt!sD!t=y1g(d4GR(s;s-HfV$GXl&m;+sAAxB^rk(3_NjE$p#L
z*t4em?tA0d+XwRxN^OQwzbDZMuSE0J1)Ky{mq)^t4bnSl*)s>zNM@mMdtd78&ebHN
z`!(|lE5q-p+TsRaNnMXwALaN5QIZ2IUi^Z22tsN5>nvIO+YU}Q*xh6}ee6@rR~<&1
z(PB4z>9ZBUMXZwSMmd9-aKKsmJeJq^G|#JclOh*xf0?^e0(`40nsg1z)(48;4}B_(
zGwPI)yo|{oX{dVDL-5-aMGr;~vU1cPtJP5JM(sswz&Q`e<@0?y{YhsO9YK8EYJA;L
z>7oG_Mts+(wCBC*Md82#XdKw&J*IizR?9k^rf1r{Ot-&>V^ke{9nI9zavlcNkIJtN
z7T>?o|4rENk-?|lewZ(EfdR;%BUrzKJ^UkCpsM)EA9QHBVV8trT&*O(9?FO{MLTFL
z=5P0H+T6C^jAuX0k4U;~GM!x`!X2N~3_n?qXY$HI>x@(DHEy&Q3ucT1R6fj28wX!I
zC=&d$@bJ_v^%?W2Ngl}e8ww`b%BrN-PzGH;$@B2Ky1?%GMkm#~Okj(-Admyy;qya|
zOi7<TIqKLJIjsT6%xMurCppK$`tFA>3kr_pwt?5Nj<kh;AkqM0FqJNvpLG2%nBiEz
zf%ifK$Kw|EzR5(&`uXcro~^V8i}*)jhx5-t$rA$`c)ZqIf9DQr!qkCRbJWjUI$JZJ
zm$fJ9L9f6?UO=_r2e^Rac$+nqbYU6z^YgMBa7iN^LoJ4qw_S?6p!J<$X}7t17(?2t
zcE?oZJ$Jvt+q&PyLJYNC4pJ6B2Qde+jOF0Lu$QB|%Hl8GeqMD>3p=&H>81!w#>Agj
z(QXx{j0r=pTl>micAI_5vUw<3`Sht?Z}-j2Wx~<RLz32QGv22&J{94fr~V)YDG95g
zjef+~vo?CO%A&z(jqgjVppWOfXF_a0rF&LK$Mau_gV9Ob!+u&!{<c^Y1J5Po?`a)A
zQzS-wDNMkxF(uva11Qd*)ipedF7L8cQx?g7Pl*j{fhk~H=G{iXJB{lDwggu}3W3aA
zqf(*0b}y=rmt<QkiQ35c+=PEj9}{Iru7J~e%e$QIlUdUy@-hWEOf@ncen^;YeTZ*X
zH+U;(?Wy8Xl+h@nkoL^sjJj(5zUISeV;JWYIiaB7RDchD*VdjmbXj9)pN{CA%vsJg
zciJ6y-i)!8uXW&CN8ViTMaOYPM$w1*SL53`0@H8hO>F8DKCUQrsXl2?W8hur42(F_
zsSJ)_36&x6A|YkY6c<2a94SXbv~d>4CC4nkDPvf9Z5Fys^6^5r0j5=E>Cgy_Dk@tS
z%?c}9!qB?t6t8(XMH%le8UeNWp@Nsma~Ql+^3Bo%_npMryeQJz4V=BAqE~T?dejng
z3ge<X@Z7g2fW4F?C!aagtvam=!RFFVpJA`q1dy-E%du?YwT%+fTkMY4<03TZ)j<Oe
zuSu|TMbn$JCNKw9K<+@tJ({pU#md3G(`)NO28!Z^`B|&xuS!YWO}}^8(&l&<H`8f(
zO-EXMeXU|crFs+^NzF_IZ*xCTMAZi{Y<c;sK84v<>{fjCHoNAfYBvsfq;G%VL|j7t
z`X0sy1EEgpyD;)tS1x+fnv-?C@glP0{RCW}Ma?3qpoq_&IJAYOy3G#s`rsh5=3>`K
zkj``<PxYPrnJ%66XZ%$jT_UO;S&LzWfo&581S_54ry#ectge+aWQh>=;|*x5HSjZC
zXNvPLh372q;=+6ja|SC!R-`JcL}}wwskajjTUGTpL(1zkN-p?BA2lmf<wk(A{@fWd
zR@`1h3RtSO<YT(S4xL@1hiEAxTBBzva~C*l--DU9m2vX&A2fTNg49@_4&`2Bzy8!U
z)6qtF$FpZMEKdNYC;O-#lGOq92InNM@``qD2YvzcS>+J3WsB7!k`0Brx8^cLTF9<g
z@nKD{&MQpkhV&mNuFe;7?=GL>h)r+LZ$vsZo}`OpOs)?c6$hclR!R#MAeh|_DY|9r
zy+_3c%IO9h9X?ksp?an&>Lw;QeQ`T-Ku6HaK~H?E9-Z5$cZu{YU;1+-6B$|JD;%!^
zt(4l>F8}a-UkC4YtOxFHckhl4VK<o_&-lD0mk1#hZYAraLBA)XZd9SwQ&Pgn$a!)D
z;&eLCGu8&`Ky;&{YdGM4YZMiZi$_@v^1aVdy+K+*Qo!QYDDtW4@Os*LbJ00k{m)5`
zoRKnSu)novfL2Ts{!-4+5Y{b=o+LpM;89G7S{vXl;M_l=ND-Rc5qgt=ci7TpEo=mH
zL6*Xt9up_3hU63OR>r6P$P_O*U!)IDory%}Wz`YeFx6TO{y2Y${SBm?H9cTWV=WWJ
z`_*CGso!ZN>l@~_jkeXtV}<eU5O#LliK7g)klc(Z=e{4*h!dp)V6v<*N!NnT1w~8K
za~UIar=<m6R+`}h>fczfA{TUkyeD>)i3|NFGcCsBmK3HXp&ol_@GVs7PIpfULy!hi
zs+%KYgS%(n7_z_}6<X(k(VFudPeVYWZh9|epL*7btD&ckkCMALmGw(owKL=w(~r63
zOyHtRRzRvkW>)hblk~W#LZ@&2)fwm6xkFP%&Ju|MFWbNiTwy{{g-pV1RK`L&=RE2D
z4|g;~vd<LODHcrO&uLo^tGtrbwh8*iCTXkJcd4-eXXU0I?k1m)6`j}QSOp%!d{k#o
zIrMoZ12w1s%;qprCkWS}WH>8x<?cZds#+JB{z{||9jq*<HT!M-cBcH=;7~J2uQ_26
zvZro;_+w%PUpNkSI<TD8&2%vNAnp4avGA`e@UKhI+!{F{Jx<Cv<%&v?&9%YQ4BL2T
zaOOpQFMay>d|teYS%w!IlT4W$&FTrk-hcTADX!P?*f1YWEIRwq$Ys%^(Z9w&HT$>}
zsMD#6Df=uJrX!JHP7<>Or;e_Cf=}`!`qR=i8fBj)$6Lxx{HRzd8Tnzd0p>kSps{OG
zKJkml>bUj8$u|F=``l(-aMxWBC@CGZ#FXClQZ<4|&%jN}Tkg#q8z)=>Ly{$i0`rjU
zv<vjl^OND_&nt8%K_DY<c$hBE?ht3o;zMF?PraCx<3H?R+3c+lcVP-`!*=iR^+4=@
zjAXY+K30oPt-hFFYy6`C$csm;r=3u|c~FmFo6B7|^>t|QddO&i=91e?h3>s~i;+6{
z8X4i6a1wDLrSuE#W(zhan+U*Zq+8p3a))JFVF4ffaV51K^YgTs<ELvmzH15OGhhY8
zrA_+PnYK;aeddV!Pi3^WYTGZ2*J)4~@C%)8#kRVzSG2!MszRFau_EOo^?}G1$p^yr
zk#PoR%ZY0-+cfohw#0i(2hnkZfA7b9`g0$EfREag|7IgZEqyUPIUSL{ls?ZdY2jlv
zX?1Mzw~@8iav*U46179*NN~X0%-qa(h<B)RSSGS9k|=WNp6TA~=CbwUXG!l)zfkxA
zNej9!)gKN9qFfwPo;8s*!hnDPngF9Kp{ukrX|iXeI3(#zb*h?bb?@D>o~3;Y*NmM;
zx8T?y-N0uyWY(8=me-HUC9xtABvX5~%yg+Cp&XF$Bq=OcK6T*D7eZ2EmIoCFWm{$S
z1PNw8HDpe5hHeCusN8kdeb&f2#=3M^A~7YwJ7FRrhq*)PG9x?JIAaC<n&nyz&js(6
zJeGWn+?QRH9iX#RFkV(w>{MV}5}<q?f|v9)L^XT#O^Q+lTLo@~KU5xyfaaECe?QTB
zEU+ll%CA@S4EasNBgDg3P3g>g#7R$-Ly%)4=IUkRCGOR|XTMjn&okRmFjaO^YF5^*
z@)#MCBOBezD)*xQNxydlUyN?dW{fS(s-T`gv*0BEnk}<MqB*2*JFz@&Ut*5R*2h-J
z)_1&Q{C@mZhFSfyIyZ=2gNVh5&AtuX!f!}*i1VjIDopYKYu?w1#R<cS5`I@F1PQbP
z*(_N34x08$O$DXg^I;Q5K8>`BdmrbmPO8q8y(X$AA}*RH%I7Av!~84pudHb&%Q5-j
zt?=6x(iR?<^_7X0v6Ys#VAL}dKk^hcjI=|EY;kPcZ_w<*H`_*|N7SacaM1ERD@6ab
zg`!iTm7$URV+lpW_{V$ruR&A>jrX68k4x2wo$45}&wf7o<|o(@B!u-L@bKyQBAGwy
z4#}UrRAu>^>Vb6k2-th^>WjvP;Nl|i3WrjWv3ISkj{m{eAcQIW^_ndxSX@|8T(ASJ
z?_<Q%GX;J*nopDj?vlGTW3<2Bi-14h9Ft?$MJo-;vYeHFBv>$fcP2u*6uOBk-{d>^
z0vWlfGQMvysI%R=iE|A+!!Nw?C917EU*_$`;;)px?s83CRd3i_jBN)k#nR5t$dJ(+
z_sP;wG@Ad)^(3LRj7q}0b2O(b`|i0~5SYb%Sjk^*5ISZ-Ab+}DGu$-X1n^TF1Ndw_
zF|e*1)cI2%`TR&AW~XpqpFb!=3cHbS>np9hYD_Mr5}y5Y<hjKC>`SY^r7isA2Q4(z
zazRQEqWDKT2zIEbjSYdCPi1ZOGz80Nsl}gxO^<!<`)h}k*WrLKhVC9A^uqPrAX2rJ
zk_X_<UKVZj#SZ`e5i&Jvd|AuDABtCTp9RP@piFO@ZU#$^j4fEyi5WR4tQO|sRzdLJ
z86FxwO1hlidA6EQ5OI;XPTXTa$K&JwxgTfPhh!ZPwc^HMC{@|JRTI?xh^Ptzlf~Qj
z4+amGs<?A`M~9~Ge+{a1r{l~f$XZHt1Ik1~ki({=W}#a+O?yAslpyDBa!(JThcKg+
z`7_G`o=!47FD0IvP768*p<&Vtm`CtC?;Dj`fo;v%1qH|i1@RjM=o$pEJq4&d1&L7t
zjHm`Qe8@BW2ApUJb#%iMo6qv$oT6Alh&RB*5@4ncFm(r*OBC@so8*msJq8zql&b-+
z5<*+q@YE4P>DWMY0AV<2K&OL{&^6#@L1?lXu#6xSMh%3^5c*}oM6DQGY#(a^@z<&D
zF(43I9e&5`h|A$5!+UFuOH0>F3$shBV4`0#M4RSB8=6F0ZgIbq<2LQ$Hh^(kAJu=!
zt8ZGXTacD{(3W{V1$j_{Jc)Ka7<N6;sXR!iJaN-JXwp2f^gSr_JqZ^)=odUOg+0iG
zJ@H#S=vq9neLbjrJ&FH#F#bWI5hI@wqj2Jp)bXe%8c1>t6u}ho`4kF+4@t_0!mCBn
z)}o%eA}L)_L?=jw6BIfll7tb3n}?*yLt&XADa=rW>qz=_6s9ziOd5sXjil>FVFx3r
zf>Feewk0v#W9>Gp4GacTRr>Sd2T6dWi-{YX`v!D)kCWzG5xQB=?es5ON(%nkwUhNl
zV>@xkWWWv*N+{e$(SrExvN6BXzU(Hxlx27{VYHf+LpIbTO+Yu(ltMk<<mdQtfilQ%
z#zERxP>;)3A(LU@ytVYFkYvTa79idMtUFhfxx?P!)2F`prNWW#Fub#l>N2s@nh&n_
zA4{#}|AIs9|A4P0ZF%fy=hDN!t#ifH<)4u2kirK~JUpjQ-J+~cXOZI&dI<edX<Pe$
z<5K%Sv8eq|W{$&;<^B}h+C6HiudVR>ts;P}UeXslP6zKvpEKSN-$y>kJ^nw2tC9bv
zo(|lT@?vZ!{_l|d^8Yh)eEBh*5ABh<!=o}_%`M5uz0&2FvS#W)djCI>+Lzjw+?V)o
z#P<J#52aEke-8d*<DbLpV99;)|DC457DTn))TG@GiB9R>-W7361>E(Y4;@`sv;VKn
G`u_lkUM?>H

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_alerts.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_alerts.scss
new file mode 100644
index 0000000000..e45de83058
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_alerts.scss
@@ -0,0 +1,68 @@
+//
+// Alerts
+// --------------------------------------------------
+
+
+// Base styles
+// -------------------------
+
+.alert {
+  padding: $alert-padding;
+  margin-bottom: $line-height-computed;
+  border: 1px solid transparent;
+  border-radius: $alert-border-radius;
+
+  // Headings for larger alerts
+  h4 {
+    margin-top: 0;
+    // Specified for the h4 to prevent conflicts of changing $headings-color
+    color: inherit;
+  }
+  // Provide class for links that match alerts
+  .alert-link {
+    font-weight: $alert-link-font-weight;
+  }
+
+  // Improve alignment and spacing of inner content
+  > p,
+  > ul {
+    margin-bottom: 0;
+  }
+  > p + p {
+    margin-top: 5px;
+  }
+}
+
+// Dismissible alerts
+//
+// Expand the right padding and account for the close button's positioning.
+
+.alert-dismissable, // The misspelled .alert-dismissable was deprecated in 3.2.0.
+.alert-dismissible {
+  padding-right: ($alert-padding + 20);
+
+  // Adjust close link position
+  .close {
+    position: relative;
+    top: -2px;
+    right: -21px;
+    color: inherit;
+  }
+}
+
+// Alternate styles
+//
+// Generate contextual modifier classes for colorizing the alert.
+
+.alert-success {
+  @include alert-variant($alert-success-bg, $alert-success-border, $alert-success-text);
+}
+.alert-info {
+  @include alert-variant($alert-info-bg, $alert-info-border, $alert-info-text);
+}
+.alert-warning {
+  @include alert-variant($alert-warning-bg, $alert-warning-border, $alert-warning-text);
+}
+.alert-danger {
+  @include alert-variant($alert-danger-bg, $alert-danger-border, $alert-danger-text);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_badges.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_badges.scss
new file mode 100644
index 0000000000..02394ae7fa
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_badges.scss
@@ -0,0 +1,57 @@
+//
+// Badges
+// --------------------------------------------------
+
+
+// Base class
+.badge {
+  display: inline-block;
+  min-width: 10px;
+  padding: 3px 7px;
+  font-size: $font-size-small;
+  font-weight: $badge-font-weight;
+  color: $badge-color;
+  line-height: $badge-line-height;
+  vertical-align: baseline;
+  white-space: nowrap;
+  text-align: center;
+  background-color: $badge-bg;
+  border-radius: $badge-border-radius;
+
+  // Empty badges collapse automatically (not available in IE8)
+  &:empty {
+    display: none;
+  }
+
+  // Quick fix for badges in buttons
+  .btn & {
+    position: relative;
+    top: -1px;
+  }
+  .btn-xs & {
+    top: 0;
+    padding: 1px 5px;
+  }
+
+  // [converter] extracted a& to a.badge
+
+  // Account for badges in navs
+  a.list-group-item.active > &,
+  .nav-pills > .active > a > & {
+    color: $badge-active-color;
+    background-color: $badge-active-bg;
+  }
+  .nav-pills > li > a > & {
+    margin-left: 3px;
+  }
+}
+
+// Hover state, but only for links
+a.badge {
+  &:hover,
+  &:focus {
+    color: $badge-link-hover-color;
+    text-decoration: none;
+    cursor: pointer;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_breadcrumbs.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_breadcrumbs.scss
new file mode 100644
index 0000000000..3641e333b8
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_breadcrumbs.scss
@@ -0,0 +1,26 @@
+//
+// Breadcrumbs
+// --------------------------------------------------
+
+
+.breadcrumb {
+  padding: $breadcrumb-padding-vertical $breadcrumb-padding-horizontal;
+  margin-bottom: $line-height-computed;
+  list-style: none;
+  background-color: $breadcrumb-bg;
+  border-radius: $border-radius-base;
+
+  > li {
+    display: inline-block;
+
+    + li:before {
+      content: "#{$breadcrumb-separator}\00a0"; // Unicode space added since inline-block means non-collapsing white-space
+      padding: 0 5px;
+      color: $breadcrumb-color;
+    }
+  }
+
+  > .active {
+    color: $breadcrumb-active-color;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_button-groups.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_button-groups.scss
new file mode 100644
index 0000000000..63ccd927c8
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_button-groups.scss
@@ -0,0 +1,240 @@
+//
+// Button groups
+// --------------------------------------------------
+
+// Make the div behave like a button
+.btn-group,
+.btn-group-vertical {
+  position: relative;
+  display: inline-block;
+  vertical-align: middle; // match .btn alignment given font-size hack above
+  > .btn {
+    position: relative;
+    float: left;
+    // Bring the "active" button to the front
+    &:hover,
+    &:focus,
+    &:active,
+    &.active {
+      z-index: 2;
+    }
+    &:focus {
+      // Remove focus outline when dropdown JS adds it after closing the menu
+      outline: 0;
+    }
+  }
+}
+
+// Prevent double borders when buttons are next to each other
+.btn-group {
+  .btn + .btn,
+  .btn + .btn-group,
+  .btn-group + .btn,
+  .btn-group + .btn-group {
+    margin-left: -1px;
+  }
+}
+
+// Optional: Group multiple button groups together for a toolbar
+.btn-toolbar {
+  margin-left: -5px; // Offset the first child's margin
+  @include clearfix();
+
+  .btn-group,
+  .input-group {
+    float: left;
+  }
+  > .btn,
+  > .btn-group,
+  > .input-group {
+    margin-left: 5px;
+  }
+}
+
+.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {
+  border-radius: 0;
+}
+
+// Set corners individual because sometimes a single button can be in a .btn-group and we need :first-child and :last-child to both match
+.btn-group > .btn:first-child {
+  margin-left: 0;
+  &:not(:last-child):not(.dropdown-toggle) {
+    @include border-right-radius(0);
+  }
+}
+// Need .dropdown-toggle since :last-child doesn't apply given a .dropdown-menu immediately after it
+.btn-group > .btn:last-child:not(:first-child),
+.btn-group > .dropdown-toggle:not(:first-child) {
+  @include border-left-radius(0);
+}
+
+// Custom edits for including btn-groups within btn-groups (useful for including dropdown buttons within a btn-group)
+.btn-group > .btn-group {
+  float: left;
+}
+.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.btn-group > .btn-group:first-child {
+  > .btn:last-child,
+  > .dropdown-toggle {
+    @include border-right-radius(0);
+  }
+}
+.btn-group > .btn-group:last-child > .btn:first-child {
+  @include border-left-radius(0);
+}
+
+// On active and open, don't show outline
+.btn-group .dropdown-toggle:active,
+.btn-group.open .dropdown-toggle {
+  outline: 0;
+}
+
+
+// Sizing
+//
+// Remix the default button sizing classes into new ones for easier manipulation.
+
+.btn-group-xs > .btn { @extend .btn-xs; }
+.btn-group-sm > .btn { @extend .btn-sm; }
+.btn-group-lg > .btn { @extend .btn-lg; }
+
+
+// Split button dropdowns
+// ----------------------
+
+// Give the line between buttons some depth
+.btn-group > .btn + .dropdown-toggle {
+  padding-left: 8px;
+  padding-right: 8px;
+}
+.btn-group > .btn-lg + .dropdown-toggle {
+  padding-left: 12px;
+  padding-right: 12px;
+}
+
+// The clickable button for toggling the menu
+// Remove the gradient and set the same inset shadow as the :active state
+.btn-group.open .dropdown-toggle {
+  @include box-shadow(inset 0 3px 5px rgba(0,0,0,.125));
+
+  // Show no shadow for `.btn-link` since it has no other button styles.
+  &.btn-link {
+    @include box-shadow(none);
+  }
+}
+
+
+// Reposition the caret
+.btn .caret {
+  margin-left: 0;
+}
+// Carets in other button sizes
+.btn-lg .caret {
+  border-width: $caret-width-large $caret-width-large 0;
+  border-bottom-width: 0;
+}
+// Upside down carets for .dropup
+.dropup .btn-lg .caret {
+  border-width: 0 $caret-width-large $caret-width-large;
+}
+
+
+// Vertical button groups
+// ----------------------
+
+.btn-group-vertical {
+  > .btn,
+  > .btn-group,
+  > .btn-group > .btn {
+    display: block;
+    float: none;
+    width: 100%;
+    max-width: 100%;
+  }
+
+  // Clear floats so dropdown menus can be properly placed
+  > .btn-group {
+    @include clearfix();
+    > .btn {
+      float: none;
+    }
+  }
+
+  > .btn + .btn,
+  > .btn + .btn-group,
+  > .btn-group + .btn,
+  > .btn-group + .btn-group {
+    margin-top: -1px;
+    margin-left: 0;
+  }
+}
+
+.btn-group-vertical > .btn {
+  &:not(:first-child):not(:last-child) {
+    border-radius: 0;
+  }
+  &:first-child:not(:last-child) {
+    border-top-right-radius: $border-radius-base;
+    @include border-bottom-radius(0);
+  }
+  &:last-child:not(:first-child) {
+    border-bottom-left-radius: $border-radius-base;
+    @include border-top-radius(0);
+  }
+}
+.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.btn-group-vertical > .btn-group:first-child:not(:last-child) {
+  > .btn:last-child,
+  > .dropdown-toggle {
+    @include border-bottom-radius(0);
+  }
+}
+.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {
+  @include border-top-radius(0);
+}
+
+
+
+// Justified button groups
+// ----------------------
+
+.btn-group-justified {
+  display: table;
+  width: 100%;
+  table-layout: fixed;
+  border-collapse: separate;
+  > .btn,
+  > .btn-group {
+    float: none;
+    display: table-cell;
+    width: 1%;
+  }
+  > .btn-group .btn {
+    width: 100%;
+  }
+
+  > .btn-group .dropdown-menu {
+    left: auto;
+  }
+}
+
+
+// Checkbox and radio options
+//
+// In order to support the browser's form validation feedback, powered by the
+// `required` attribute, we have to "hide" the inputs via `opacity`. We cannot
+// use `display: none;` or `visibility: hidden;` as that also hides the popover.
+// This way, we ensure a DOM element is visible to position the popover from.
+//
+// See https://github.com/twbs/bootstrap/pull/12794 for more.
+
+[data-toggle="buttons"] > .btn > input[type="radio"],
+[data-toggle="buttons"] > .btn > input[type="checkbox"] {
+  position: absolute;
+  z-index: -1;
+  @include opacity(0);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_buttons.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_buttons.scss
new file mode 100644
index 0000000000..f2684c1b76
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_buttons.scss
@@ -0,0 +1,159 @@
+//
+// Buttons
+// --------------------------------------------------
+
+
+// Base styles
+// --------------------------------------------------
+
+.btn {
+  display: inline-block;
+  margin-bottom: 0; // For input.btn
+  font-weight: $btn-font-weight;
+  text-align: center;
+  vertical-align: middle;
+  cursor: pointer;
+  background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214
+  border: 1px solid transparent;
+  white-space: nowrap;
+  @include button-size($padding-base-vertical, $padding-base-horizontal, $font-size-base, $line-height-base, $border-radius-base);
+  @include user-select(none);
+
+  @include button-variant($btn-default-color, $btn-default-bg, $btn-default-border);
+
+  &,
+  &:active,
+  &.active {
+    &:focus {
+      @include tab-focus();
+    }
+  }
+
+  &:hover,
+  &:focus {
+    color: $btn-default-color;
+    text-decoration: none;
+  }
+
+  &:active,
+  &.active {
+    outline: 0;
+    background-image: none;
+    @include box-shadow(inset 0 3px 5px rgba(0,0,0,.125));
+  }
+
+  &.disabled,
+  &[disabled],
+  fieldset[disabled] & {
+    cursor: not-allowed;
+    pointer-events: none; // Future-proof disabling of clicks
+    @include opacity(.65);
+    @include box-shadow(none);
+  }
+}
+
+
+// Alternate buttons
+// --------------------------------------------------
+
+.btn-default {
+  @include button-variant($btn-default-color, $btn-default-bg, $btn-default-border);
+}
+.btn-primary {
+  @include button-variant($btn-primary-color, $btn-primary-bg, $btn-primary-border);
+}
+// Success appears as green
+.btn-success {
+  @include button-variant($btn-success-color, $btn-success-bg, $btn-success-border);
+}
+// Info appears as blue-green
+.btn-info {
+  @include button-variant($btn-info-color, $btn-info-bg, $btn-info-border);
+}
+// Warning appears as orange
+.btn-warning {
+  @include button-variant($btn-warning-color, $btn-warning-bg, $btn-warning-border);
+}
+// Danger and error appear as red
+.btn-danger {
+  @include button-variant($btn-danger-color, $btn-danger-bg, $btn-danger-border);
+}
+
+
+// Link buttons
+// -------------------------
+
+// Make a button look and behave like a link
+.btn-link {
+  color: $link-color;
+  font-weight: normal;
+  cursor: pointer;
+  border-radius: 0;
+
+  &,
+  &:active,
+  &[disabled],
+  fieldset[disabled] & {
+    background-color: transparent;
+    @include box-shadow(none);
+  }
+  &,
+  &:hover,
+  &:focus,
+  &:active {
+    border-color: transparent;
+  }
+  &:hover,
+  &:focus {
+    color: $link-hover-color;
+    text-decoration: underline;
+    background-color: transparent;
+  }
+  &[disabled],
+  fieldset[disabled] & {
+    &:hover,
+    &:focus {
+      color: $btn-link-disabled-color;
+      text-decoration: none;
+    }
+  }
+}
+
+
+// Button Sizes
+// --------------------------------------------------
+
+.btn-lg {
+  // line-height: ensure even-numbered height of button next to large input
+  @include button-size($padding-large-vertical, $padding-large-horizontal, $font-size-large, $line-height-large, $border-radius-large);
+}
+.btn-sm {
+  // line-height: ensure proper height of button next to small input
+  @include button-size($padding-small-vertical, $padding-small-horizontal, $font-size-small, $line-height-small, $border-radius-small);
+}
+.btn-xs {
+  @include button-size($padding-xs-vertical, $padding-xs-horizontal, $font-size-small, $line-height-small, $border-radius-small);
+}
+
+
+// Block button
+// --------------------------------------------------
+
+.btn-block {
+  display: block;
+  width: 100%;
+}
+
+// Vertically space out multiple block buttons
+.btn-block + .btn-block {
+  margin-top: 5px;
+}
+
+// Specificity overrides
+input[type="submit"],
+input[type="reset"],
+input[type="button"] {
+  &.btn-block {
+    width: 100%;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_carousel.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_carousel.scss
new file mode 100644
index 0000000000..e9e2f7ce1e
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_carousel.scss
@@ -0,0 +1,243 @@
+//
+// Carousel
+// --------------------------------------------------
+
+
+// Wrapper for the slide container and indicators
+.carousel {
+  position: relative;
+}
+
+.carousel-inner {
+  position: relative;
+  overflow: hidden;
+  width: 100%;
+
+  > .item {
+    display: none;
+    position: relative;
+    @include transition(.6s ease-in-out left);
+
+    // Account for jankitude on images
+    > img,
+    > a > img {
+      @include img-responsive();
+      line-height: 1;
+    }
+  }
+
+  > .active,
+  > .next,
+  > .prev {
+    display: block;
+  }
+
+  > .active {
+    left: 0;
+  }
+
+  > .next,
+  > .prev {
+    position: absolute;
+    top: 0;
+    width: 100%;
+  }
+
+  > .next {
+    left: 100%;
+  }
+  > .prev {
+    left: -100%;
+  }
+  > .next.left,
+  > .prev.right {
+    left: 0;
+  }
+
+  > .active.left {
+    left: -100%;
+  }
+  > .active.right {
+    left: 100%;
+  }
+
+}
+
+// Left/right controls for nav
+// ---------------------------
+
+.carousel-control {
+  position: absolute;
+  top: 0;
+  left: 0;
+  bottom: 0;
+  width: $carousel-control-width;
+  @include opacity($carousel-control-opacity);
+  font-size: $carousel-control-font-size;
+  color: $carousel-control-color;
+  text-align: center;
+  text-shadow: $carousel-text-shadow;
+  // We can't have this transition here because WebKit cancels the carousel
+  // animation if you trip this while in the middle of another animation.
+
+  // Set gradients for backgrounds
+  &.left {
+    @include gradient-horizontal($start-color: rgba(0,0,0,.5), $end-color: rgba(0,0,0,.0001));
+  }
+  &.right {
+    left: auto;
+    right: 0;
+    @include gradient-horizontal($start-color: rgba(0,0,0,.0001), $end-color: rgba(0,0,0,.5));
+  }
+
+  // Hover/focus state
+  &:hover,
+  &:focus {
+    outline: 0;
+    color: $carousel-control-color;
+    text-decoration: none;
+    @include opacity(.9);
+  }
+
+  // Toggles
+  .icon-prev,
+  .icon-next,
+  .glyphicon-chevron-left,
+  .glyphicon-chevron-right {
+    position: absolute;
+    top: 50%;
+    z-index: 5;
+    display: inline-block;
+  }
+  .icon-prev,
+  .glyphicon-chevron-left {
+    left: 50%;
+    margin-left: -10px;
+  }
+  .icon-next,
+  .glyphicon-chevron-right {
+    right: 50%;
+    margin-right: -10px;
+  }
+  .icon-prev,
+  .icon-next {
+    width:  20px;
+    height: 20px;
+    margin-top: -10px;
+    font-family: serif;
+  }
+
+
+  .icon-prev {
+    &:before {
+      content: '\2039';// SINGLE LEFT-POINTING ANGLE QUOTATION MARK (U+2039)
+    }
+  }
+  .icon-next {
+    &:before {
+      content: '\203a';// SINGLE RIGHT-POINTING ANGLE QUOTATION MARK (U+203A)
+    }
+  }
+}
+
+// Optional indicator pips
+//
+// Add an unordered list with the following class and add a list item for each
+// slide your carousel holds.
+
+.carousel-indicators {
+  position: absolute;
+  bottom: 10px;
+  left: 50%;
+  z-index: 15;
+  width: 60%;
+  margin-left: -30%;
+  padding-left: 0;
+  list-style: none;
+  text-align: center;
+
+  li {
+    display: inline-block;
+    width:  10px;
+    height: 10px;
+    margin: 1px;
+    text-indent: -999px;
+    border: 1px solid $carousel-indicator-border-color;
+    border-radius: 10px;
+    cursor: pointer;
+
+    // IE8-9 hack for event handling
+    //
+    // Internet Explorer 8-9 does not support clicks on elements without a set
+    // `background-color`. We cannot use `filter` since that's not viewed as a
+    // background color by the browser. Thus, a hack is needed.
+    //
+    // For IE8, we set solid black as it doesn't support `rgba()`. For IE9, we
+    // set alpha transparency for the best results possible.
+    background-color: #000 \9; // IE8
+    background-color: rgba(0,0,0,0); // IE9
+  }
+  .active {
+    margin: 0;
+    width:  12px;
+    height: 12px;
+    background-color: $carousel-indicator-active-bg;
+  }
+}
+
+// Optional captions
+// -----------------------------
+// Hidden by default for smaller viewports
+.carousel-caption {
+  position: absolute;
+  left: 15%;
+  right: 15%;
+  bottom: 20px;
+  z-index: 10;
+  padding-top: 20px;
+  padding-bottom: 20px;
+  color: $carousel-caption-color;
+  text-align: center;
+  text-shadow: $carousel-text-shadow;
+  & .btn {
+    text-shadow: none; // No shadow for button elements in carousel-caption
+  }
+}
+
+
+// Scale up controls for tablets and up
+@media screen and (min-width: $screen-sm-min) {
+
+  // Scale up the controls a smidge
+  .carousel-control {
+    .glyphicon-chevron-left,
+    .glyphicon-chevron-right,
+    .icon-prev,
+    .icon-next {
+      width: 30px;
+      height: 30px;
+      margin-top: -15px;
+      font-size: 30px;
+    }
+    .glyphicon-chevron-left,
+    .icon-prev {
+      margin-left: -15px;
+    }
+    .glyphicon-chevron-right,
+    .icon-next {
+      margin-right: -15px;
+    }
+  }
+
+  // Show and left align the captions
+  .carousel-caption {
+    left: 20%;
+    right: 20%;
+    padding-bottom: 30px;
+  }
+
+  // Move up the indicators
+  .carousel-indicators {
+    bottom: 20px;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_close.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_close.scss
new file mode 100644
index 0000000000..62ce30fa37
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_close.scss
@@ -0,0 +1,35 @@
+//
+// Close icons
+// --------------------------------------------------
+
+
+.close {
+  float: right;
+  font-size: ($font-size-base * 1.5);
+  font-weight: $close-font-weight;
+  line-height: 1;
+  color: $close-color;
+  text-shadow: $close-text-shadow;
+  @include opacity(.2);
+
+  &:hover,
+  &:focus {
+    color: $close-color;
+    text-decoration: none;
+    cursor: pointer;
+    @include opacity(.5);
+  }
+
+  // [converter] extracted button& to button.close
+}
+
+// Additional properties for button version
+// iOS requires the button element instead of an anchor tag.
+// If you want the anchor version, it requires `href="#"`.
+button.close {
+  padding: 0;
+  cursor: pointer;
+  background: transparent;
+  border: 0;
+  -webkit-appearance: none;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_code.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_code.scss
new file mode 100644
index 0000000000..3a434b946b
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_code.scss
@@ -0,0 +1,68 @@
+//
+// Code (inline and block)
+// --------------------------------------------------
+
+
+// Inline and block code styles
+code,
+kbd,
+pre,
+samp {
+  font-family: $font-family-monospace;
+}
+
+// Inline code
+code {
+  padding: 2px 4px;
+  font-size: 90%;
+  color: $code-color;
+  background-color: $code-bg;
+  border-radius: $border-radius-base;
+}
+
+// User input typically entered via keyboard
+kbd {
+  padding: 2px 4px;
+  font-size: 90%;
+  color: $kbd-color;
+  background-color: $kbd-bg;
+  border-radius: $border-radius-small;
+  box-shadow: inset 0 -1px 0 rgba(0,0,0,.25);
+
+  kbd {
+    padding: 0;
+    font-size: 100%;
+    box-shadow: none;
+  }
+}
+
+// Blocks of code
+pre {
+  display: block;
+  padding: calc(($line-height-computed - 100%) / 2);
+  margin: 0 0 calc($line-height-computed / 2);
+  font-size: ($font-size-base - 1); // 14px to 13px
+  line-height: $line-height-base;
+  word-break: break-all;
+  word-wrap: break-word;
+  color: $pre-color;
+  background-color: $pre-bg;
+  border: 1px solid $pre-border-color;
+  border-radius: $border-radius-base;
+
+  // Account for some code outputs that place code tags in pre tags
+  code {
+    padding: 0;
+    font-size: inherit;
+    color: inherit;
+    white-space: pre-wrap;
+    background-color: transparent;
+    border-radius: 0;
+  }
+}
+
+// Enable scrollable blocks of code
+.pre-scrollable {
+  max-height: $pre-scrollable-max-height;
+  overflow-y: scroll;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_component-animations.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_component-animations.scss
new file mode 100644
index 0000000000..8c3fd07a27
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_component-animations.scss
@@ -0,0 +1,35 @@
+//
+// Component animations
+// --------------------------------------------------
+
+// Heads up!
+//
+// We don't use the `.opacity()` mixin here since it causes a bug with text
+// fields in IE7-8. Source: https://github.com/twbs/bootstrap/pull/3552.
+
+.fade {
+  opacity: 0;
+  @include transition(opacity .15s linear);
+  &.in {
+    opacity: 1;
+  }
+}
+
+.collapse {
+  display: none;
+
+  &.in      { display: block; }
+  // [converter] extracted tr&.in to tr.collapse.in
+  // [converter] extracted tbody&.in to tbody.collapse.in
+}
+
+tr.collapse.in    { display: table-row; }
+
+tbody.collapse.in { display: table-row-group; }
+
+.collapsing {
+  position: relative;
+  height: 0;
+  overflow: hidden;
+  @include transition(height .35s ease);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_dropdowns.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_dropdowns.scss
new file mode 100644
index 0000000000..df50ec0cbc
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_dropdowns.scss
@@ -0,0 +1,214 @@
+//
+// Dropdown menus
+// --------------------------------------------------
+
+
+// Dropdown arrow/caret
+.caret {
+  display: inline-block;
+  width: 0;
+  height: 0;
+  margin-left: 2px;
+  vertical-align: middle;
+  border-top:   $caret-width-base solid;
+  border-right: $caret-width-base solid transparent;
+  border-left:  $caret-width-base solid transparent;
+}
+
+// The dropdown wrapper (div)
+.dropdown {
+  position: relative;
+}
+
+// Prevent the focus on the dropdown toggle when closing dropdowns
+.dropdown-toggle:focus {
+  outline: 0;
+}
+
+// The dropdown menu (ul)
+.dropdown-menu {
+  position: absolute;
+  top: 100%;
+  left: 0;
+  z-index: $zindex-dropdown;
+  display: none; // none by default, but block on "open" of the menu
+  float: left;
+  min-width: 160px;
+  padding: 5px 0;
+  margin: 2px 0 0; // override default ul
+  list-style: none;
+  font-size: $font-size-base;
+  text-align: left; // Ensures proper alignment if parent has it changed (e.g., modal footer)
+  background-color: $dropdown-bg;
+  border: 1px solid $dropdown-fallback-border; // IE8 fallback
+  border: 1px solid $dropdown-border;
+  border-radius: $border-radius-base;
+  @include box-shadow(0 6px 12px rgba(0,0,0,.175));
+  background-clip: padding-box;
+
+  // Aligns the dropdown menu to right
+  //
+  // Deprecated as of 3.1.0 in favor of `.dropdown-menu-[dir]`
+  &.pull-right {
+    right: 0;
+    left: auto;
+  }
+
+  // Dividers (basically an hr) within the dropdown
+  .divider {
+    @include nav-divider($dropdown-divider-bg);
+  }
+
+  // Links within the dropdown menu
+  > li > a {
+    display: block;
+    padding: 3px 20px;
+    clear: both;
+    font-weight: normal;
+    line-height: $line-height-base;
+    color: $dropdown-link-color;
+    white-space: nowrap; // prevent links from randomly breaking onto new lines
+  }
+}
+
+// Hover/Focus state
+.dropdown-menu > li > a {
+  &:hover,
+  &:focus {
+    text-decoration: none;
+    color: $dropdown-link-hover-color;
+    background-color: $dropdown-link-hover-bg;
+  }
+}
+
+// Active state
+.dropdown-menu > .active > a {
+  &,
+  &:hover,
+  &:focus {
+    color: $dropdown-link-active-color;
+    text-decoration: none;
+    outline: 0;
+    background-color: $dropdown-link-active-bg;
+  }
+}
+
+// Disabled state
+//
+// Gray out text and ensure the hover/focus state remains gray
+
+.dropdown-menu > .disabled > a {
+  &,
+  &:hover,
+  &:focus {
+    color: $dropdown-link-disabled-color;
+  }
+}
+// Nuke hover/focus effects
+.dropdown-menu > .disabled > a {
+  &:hover,
+  &:focus {
+    text-decoration: none;
+    background-color: transparent;
+    background-image: none; // Remove CSS gradient
+    @include reset-filter();
+    cursor: not-allowed;
+  }
+}
+
+// Open state for the dropdown
+.open {
+  // Show the menu
+  > .dropdown-menu {
+    display: block;
+  }
+
+  // Remove the outline when :focus is triggered
+  > a {
+    outline: 0;
+  }
+}
+
+// Menu positioning
+//
+// Add extra class to `.dropdown-menu` to flip the alignment of the dropdown
+// menu with the parent.
+.dropdown-menu-right {
+  left: auto; // Reset the default from `.dropdown-menu`
+  right: 0;
+}
+// With v3, we enabled auto-flipping if you have a dropdown within a right
+// aligned nav component. To enable the undoing of that, we provide an override
+// to restore the default dropdown menu alignment.
+//
+// This is only for left-aligning a dropdown menu within a `.navbar-right` or
+// `.pull-right` nav component.
+.dropdown-menu-left {
+  left: 0;
+  right: auto;
+}
+
+// Dropdown section headers
+.dropdown-header {
+  display: block;
+  padding: 3px 20px;
+  font-size: $font-size-small;
+  line-height: $line-height-base;
+  color: $dropdown-header-color;
+  white-space: nowrap; // as with > li > a
+}
+
+// Backdrop to catch body clicks on mobile, etc.
+.dropdown-backdrop {
+  position: fixed;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  top: 0;
+  z-index: ($zindex-dropdown - 10);
+}
+
+// Right aligned dropdowns
+.pull-right > .dropdown-menu {
+  right: 0;
+  left: auto;
+}
+
+// Allow for dropdowns to go bottom up (aka, dropup-menu)
+//
+// Just add .dropup after the standard .dropdown class and you're set, bro.
+// TODO: abstract this so that the navbar fixed styles are not placed here?
+
+.dropup,
+.navbar-fixed-bottom .dropdown {
+  // Reverse the caret
+  .caret {
+    border-top: 0;
+    border-bottom: $caret-width-base solid;
+    content: "";
+  }
+  // Different positioning for bottom up menu
+  .dropdown-menu {
+    top: auto;
+    bottom: 100%;
+    margin-bottom: 1px;
+  }
+}
+
+
+// Component alignment
+//
+// Reiterate per navbar.less and the modified component alignment there.
+
+@media (min-width: $grid-float-breakpoint) {
+  .navbar-right {
+    .dropdown-menu {
+      right: 0; left: auto;
+    }
+    // Necessary for overrides of the default right aligned menu.
+    // Will remove come v4 in all likelihood.
+    .dropdown-menu-left {
+      left: 0; right: auto;
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_forms.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_forms.scss
new file mode 100644
index 0000000000..3aaf044c2c
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_forms.scss
@@ -0,0 +1,540 @@
+//
+// Forms
+// --------------------------------------------------
+
+
+// Normalize non-controls
+//
+// Restyle and baseline non-control form elements.
+
+fieldset {
+  padding: 0;
+  margin: 0;
+  border: 0;
+  // Chrome and Firefox set a min-width: min-content; on fieldsets,
+  // so we reset that to ensure it behaves more like a standard block element.
+  // See https://github.com/twbs/bootstrap/issues/12359.
+  min-width: 0;
+}
+
+legend {
+  display: block;
+  width: 100%;
+  padding: 0;
+  margin-bottom: $line-height-computed;
+  font-size: ($font-size-base * 1.5);
+  line-height: inherit;
+  color: $legend-color;
+  border: 0;
+  border-bottom: 1px solid $legend-border-color;
+}
+
+label {
+  display: inline-block;
+  max-width: 100%; // Force IE8 to wrap long content (see https://github.com/twbs/bootstrap/issues/13141)
+  margin-bottom: 5px;
+  font-weight: normal;
+}
+
+
+// Normalize form controls
+//
+// While most of our form styles require extra classes, some basic normalization
+// is required to ensure optimum display with or without those classes to better
+// address browser inconsistencies.
+
+// Override content-box in Normalize (isnt specific enough)
+input[type="search"] {
+  @include box-sizing(border-box);
+}
+
+// Position radios and checkboxes better
+input[type="radio"],
+input[type="checkbox"] {
+  margin: 4px 0 0;
+  margin-top: 1px \9; // IE8-9
+  line-height: normal;
+}
+
+// Set the height of file controls to match text inputs
+input[type="file"] {
+  display: block;
+}
+
+// Make range inputs behave like textual form controls
+input[type="range"] {
+  display: block;
+  width: 100%;
+}
+
+// Make multiple select elements height not fixed
+select[multiple],
+select[size] {
+  height: auto;
+}
+
+// Focus for file, radio, and checkbox
+input[type="file"]:focus,
+input[type="radio"]:focus,
+input[type="checkbox"]:focus {
+  @include tab-focus();
+}
+
+// Adjust output element
+output {
+  display: block;
+  padding-top: ($padding-base-vertical + 1);
+  font-size: $font-size-base;
+  line-height: $line-height-base;
+  color: $input-color;
+}
+
+
+// Common form controls
+//
+// Shared size and type resets for form controls. Apply `.form-control` to any
+// of the following form controls:
+//
+select,
+textarea,
+input[type="text"],
+input[type="password"],
+input[type="datetime"],
+input[type="datetime-local"],
+input[type="date"],
+input[type="month"],
+input[type="time"],
+input[type="week"],
+input[type="number"],
+input[type="email"],
+input[type="url"],
+input[type="search"],
+input[type="tel"],
+input[type="color"]
+/* .form-control */
+{
+  display: block;
+  width: 100%;
+  height: $input-height-base; // Make inputs at least the height of their button counterpart (base line-height + padding + border)
+  padding: $padding-base-vertical $padding-base-horizontal;
+  font-size: $font-size-base;
+  line-height: $line-height-base;
+  color: $input-color;
+  background-color: $input-bg;
+  background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214
+  border: 1px solid $input-border;
+  border-radius: $input-border-radius;
+  text-overflow: ellipsis;
+  max-width:348px;
+  //@include box-shadow(inset 0 1px 1px rgba(0,0,0,.075));
+  @include transition(border-color ease-in-out .1s, box-shadow ease-in-out .1s);
+
+  // Customize the `:focus` state to imitate native WebKit styles.
+  @include form-control-focus();
+
+  // Placeholder
+  @include placeholder();
+
+  // Disabled and read-only inputs
+  //
+  // HTML5 says that controls under a fieldset > legend:first-child wont be
+  // disabled if the fieldset is disabled. Due to implementation difficulty, we
+  // dont honor that edge case; we style them as disabled anyway.
+  &[disabled],
+  &[readonly],
+  fieldset[disabled] & {
+    cursor: not-allowed;
+    background-color: $input-bg-disabled;
+    opacity: 1; // iOS fix for unreadable disabled content
+  }
+
+  // [converter] extracted textarea& to textarea.form-control
+}
+
+// Reset height for `textarea`s
+textarea{
+  height: auto;
+}
+
+
+// Search inputs in iOS
+//
+// This overrides the extra rounded corners on search inputs in iOS so that our
+// `.form-control` class can properly style them. Note that this cannot simply
+// be added to `.form-control` as its not specific enough. For details, see
+// https://github.com/twbs/bootstrap/issues/11586.
+
+input[type="search"] {
+  -webkit-appearance: none;
+}
+
+
+// Special styles for iOS temporal inputs
+//
+// In Mobile Safari, setting `display: block` on temporal inputs causes the
+// text within the input to become vertically misaligned.
+// As a workaround, we set a pixel line-height that matches the
+// given height of the input. Since this fucks up everything else, we have to
+// appropriately reset it for Internet Explorer and the size variations.
+
+input[type="date"],
+input[type="time"],
+input[type="datetime-local"],
+input[type="month"] {
+  line-height: $input-height-base;
+  // IE8+ misaligns the text within date inputs, so we reset
+  line-height: $line-height-base #{\0};
+
+  &.input-sm {
+    line-height: $input-height-small;
+  }
+  &.input-lg {
+    line-height: $input-height-large;
+  }
+}
+
+
+// Form groups
+//
+// Designed to help with the organization and spacing of vertical forms. For
+// horizontal forms, use the predefined grid classes.
+
+.form-group {
+  margin-bottom: 15px;
+}
+
+
+// Checkboxes and radios
+//
+// Indent the labels to position radios/checkboxes as hanging controls.
+
+.radio,
+.checkbox {
+  position: relative;
+  display: block;
+  min-height: $line-height-computed; // clear the floating input if there is no label text
+  margin-top: 10px;
+  margin-bottom: 10px;
+
+  label {
+    padding-left: 20px;
+    margin-bottom: 0;
+    font-weight: normal;
+    cursor: pointer;
+  }
+}
+.radio input[type="radio"],
+.radio-inline input[type="radio"],
+.checkbox input[type="checkbox"],
+.checkbox-inline input[type="checkbox"] {
+  position: absolute;
+  margin-left: -20px;
+  margin-top: 4px \9;
+}
+
+.radio + .radio,
+.checkbox + .checkbox {
+  margin-top: -5px; // Move up sibling radios or checkboxes for tighter spacing
+}
+
+// Radios and checkboxes on same line
+.radio-inline,
+.checkbox-inline {
+  display: inline-block;
+  padding-left: 20px;
+  margin-bottom: 0;
+  vertical-align: middle;
+  font-weight: normal;
+  cursor: pointer;
+}
+.radio-inline + .radio-inline,
+.checkbox-inline + .checkbox-inline {
+  margin-top: 0;
+  margin-left: 10px; // space out consecutive inline controls
+}
+
+// Apply same disabled cursor tweak as for inputs
+// Some special care is needed because <label>s don't inherit their parent's `cursor`.
+//
+// Note: Neither radios nor checkboxes can be readonly.
+input[type="radio"],
+input[type="checkbox"] {
+  &[disabled],
+  &.disabled,
+  fieldset[disabled] & {
+    cursor: not-allowed;
+  }
+}
+// These classes are used directly on <label>s
+.radio-inline,
+.checkbox-inline {
+  &.disabled,
+  fieldset[disabled] & {
+    cursor: not-allowed;
+  }
+}
+// These classes are used on elements with <label> descendants
+.radio,
+.checkbox {
+  &.disabled,
+  fieldset[disabled] & {
+    label {
+      cursor: not-allowed;
+    }
+  }
+}
+
+
+// Static form control text
+//
+// Apply class to a `p` element to make any string of text align with labels in
+// a horizontal form layout.
+
+.form-control-static {
+  // Size it appropriately next to real form controls
+  padding-top: ($padding-base-vertical + 1);
+  padding-bottom: ($padding-base-vertical + 1);
+  // Remove default margin from `p`
+  margin-bottom: 0;
+
+  &.input-lg,
+  &.input-sm {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+
+// Form control sizing
+//
+// Build on `.form-control` with modifier classes to decrease or increase the
+// height and font-size of form controls.
+
+@include input-size('.input-sm', $input-height-small, $padding-small-vertical, $padding-small-horizontal, $font-size-small, $line-height-small, $border-radius-small);
+
+@include input-size('.input-lg', $input-height-large, $padding-large-vertical, $padding-large-horizontal, $font-size-large, $line-height-large, $border-radius-large);
+
+
+// Form control feedback states
+//
+// Apply contextual and semantic states to individual form controls.
+
+.has-feedback {
+  // Enable absolute positioning
+  position: relative;
+
+  // Ensure icons dont overlap text
+  .form-control {
+    padding-right: ($input-height-base * 1.25);
+  }
+}
+// Feedback icon (requires .glyphicon classes)
+.form-control-feedback {
+  position: absolute;
+  top: ($line-height-computed + 5); // Height of the `label` and its margin
+  right: 0;
+  z-index: 2; // Ensure icon is above input groups
+  display: block;
+  width: $input-height-base;
+  height: $input-height-base;
+  line-height: $input-height-base;
+  text-align: center;
+}
+.input-lg + .form-control-feedback {
+  width: $input-height-large;
+  height: $input-height-large;
+  line-height: $input-height-large;
+}
+.input-sm + .form-control-feedback {
+  width: $input-height-small;
+  height: $input-height-small;
+  line-height: $input-height-small;
+}
+
+// Feedback states
+.has-success {
+  @include form-control-validation($state-success-text, $state-success-text, $state-success-bg);
+}
+.has-warning {
+  @include form-control-validation($state-warning-text, $state-warning-text, $state-warning-bg);
+}
+.has-error {
+  @include form-control-validation($state-danger-text, $state-danger-text, $state-danger-bg);
+}
+
+
+// Reposition feedback icon if label is hidden with "screenreader only" state
+.has-feedback label.sr-only ~ .form-control-feedback {
+  top: 0;
+}
+
+
+// Help text
+//
+// Apply to any element you wish to create light text for placement immediately
+// below a form control. Use for general help, formatting, or instructional text.
+
+.help-block {
+  display: block; // account for any element using help-block
+  margin-top: 5px;
+  margin-bottom: 10px;
+  color: lighten($text-color, 25%); // lighten the text some for contrast
+}
+
+
+
+// Inline forms
+//
+// Make forms appear inline(-block) by adding the `.form-inline` class. Inline
+// forms begin stacked on extra small (mobile) devices and then go inline when
+// viewports reach <768px.
+//
+// Requires wrapping inputs and labels with `.form-group` for proper display of
+// default HTML form controls and our custom form controls (e.g., input groups).
+//
+// Heads up! This is mixin-ed into `.navbar-form` in navbars.less.
+
+.form-inline {
+
+  // Kick in the inline
+  @media (min-width: $screen-sm-min) {
+    // Inline-block all the things for "inline"
+    .form-group {
+      display: inline-block;
+      margin-bottom: 0;
+      vertical-align: middle;
+    }
+
+    // In navbar-form, allow folks to *not* use `.form-group`
+    .form-control {
+      display: inline-block;
+      width: auto; // Prevent labels from stacking above inputs in `.form-group`
+      vertical-align: middle;
+    }
+
+    .input-group {
+      display: inline-table;
+      vertical-align: middle;
+
+      .input-group-addon,
+      .input-group-btn,
+      .form-control {
+        width: auto;
+      }
+    }
+
+    // Input groups need that 100% width though
+    .input-group > .form-control {
+      width: 100%;
+    }
+
+    .control-label {
+      margin-bottom: 0;
+      vertical-align: middle;
+    }
+
+    // Remove default margin on radios/checkboxes that were used for stacking, and
+    // then undo the floating of radios and checkboxes to match (which also avoids
+    // a bug in WebKit: https://github.com/twbs/bootstrap/issues/1969).
+    .radio,
+    .checkbox {
+      display: inline-block;
+      margin-top: 0;
+      margin-bottom: 0;
+      vertical-align: middle;
+
+      label {
+        padding-left: 0;
+      }
+    }
+    .radio input[type="radio"],
+    .checkbox input[type="checkbox"] {
+      position: relative;
+      margin-left: 0;
+    }
+
+    // Validation states
+    //
+    // Reposition the icon because its now within a grid column and columns have
+    // `position: relative;` on them. Also accounts for the grid gutter padding.
+    .has-feedback .form-control-feedback {
+      top: 0;
+    }
+  }
+}
+
+
+// Horizontal forms
+//
+// Horizontal forms are built on grid classes and allow you to create forms with
+// labels on the left and inputs on the right.
+
+.form-horizontal {
+
+  // Consistent vertical alignment of radios and checkboxes
+  //
+  // Labels also get some reset styles, but that is scoped to a media query below.
+  .radio,
+  .checkbox,
+  .radio-inline,
+  .checkbox-inline {
+    margin-top: 0;
+    margin-bottom: 0;
+    padding-top: ($padding-base-vertical + 1); // Default padding plus a border
+  }
+  // Account for padding we're adding to ensure the alignment and of help text
+  // and other content below items
+  .radio,
+  .checkbox {
+    min-height: ($line-height-computed + ($padding-base-vertical + 1));
+  }
+
+  // Make form groups behave like rows
+  .form-group {
+    @include make-row();
+  }
+
+  // Reset spacing and right align labels, but scope to media queries so that
+  // labels on narrow viewports stack the same as a default form example.
+  @media (min-width: $screen-sm-min) {
+    .control-label {
+      text-align: right;
+      margin-bottom: 0;
+      padding-top: ($padding-base-vertical + 1); // Default padding plus a border
+    }
+  }
+
+  // Validation states
+  //
+  // Reposition the icon because it's now within a grid column and columns have
+  // `position: relative;` on them. Also accounts for the grid gutter padding.
+  .has-feedback control-feedback {
+    top: 0;
+    right: calc($grid-gutter-width / 2);
+  }
+
+  // Form group sizes
+  //
+  // Quick utility class for applying `.input-lg` and `.input-sm` styles to the
+  // inputs and labels within a `.form-group`.
+  .form-group-lg {
+    @media (min-width: $screen-sm-min) {
+      .control-label {
+        padding-top: (($padding-large-vertical * $line-height-large) + 1);
+      }
+    }
+    .form-control {
+      @extend .input-lg;
+    }
+  }
+  .form-group-sm {
+    @media (min-width: $screen-sm-min) {
+      .control-label {
+        padding-top: ($padding-small-vertical + 1);
+      }
+    }
+    .form-control {
+      @extend .input-sm;
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_glyphicons.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_glyphicons.scss
new file mode 100644
index 0000000000..0f6ad34520
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_glyphicons.scss
@@ -0,0 +1,237 @@
+//= depend_on "bootstrap/glyphicons-halflings-regular.eot"
+//= depend_on "bootstrap/glyphicons-halflings-regular.svg"
+//= depend_on "bootstrap/glyphicons-halflings-regular.ttf"
+//= depend_on "bootstrap/glyphicons-halflings-regular.woff"
+//
+// Glyphicons for Bootstrap
+//
+// Since icons are fonts, they can be placed anywhere text is placed and are
+// thus automatically sized to match the surrounding child. To use, create an
+// inline element with the appropriate classes, like so:
+//
+// <a href="#"><span class="glyphicon glyphicon-star"></span> Star</a>
+
+// Import the fonts
+@font-face {
+  font-family: 'Glyphicons Halflings';
+  src: url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.eot'), '#{$icon-font-path}#{$icon-font-name}.eot'));
+  src: url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.eot?#iefix'), '#{$icon-font-path}#{$icon-font-name}.eot?#iefix')) format('embedded-opentype'),
+       url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.woff'), '#{$icon-font-path}#{$icon-font-name}.woff')) format('woff'),
+       url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.ttf'), '#{$icon-font-path}#{$icon-font-name}.ttf')) format('truetype'),
+       url(if($bootstrap-sass-asset-helper, twbs-font-path('#{$icon-font-path}#{$icon-font-name}.svg##{$icon-font-svg-id}'), '#{$icon-font-path}#{$icon-font-name}.svg##{$icon-font-svg-id}')) format('svg');
+}
+
+// Catchall baseclass
+.glyphicon {
+  position: relative;
+  top: 1px;
+  display: inline-block;
+  font-family: 'Glyphicons Halflings';
+  font-style: normal;
+  font-weight: normal;
+  line-height: 1;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+// Individual icons
+.glyphicon-asterisk               { &:before { content: "\2a"; } }
+.glyphicon-plus                   { &:before { content: "\2b"; } }
+.glyphicon-euro                   { &:before { content: "\20ac"; } }
+.glyphicon-minus                  { &:before { content: "\2212"; } }
+.glyphicon-cloud                  { &:before { content: "\2601"; } }
+.glyphicon-envelope               { &:before { content: "\2709"; } }
+.glyphicon-pencil                 { &:before { content: "\270f"; } }
+.glyphicon-glass                  { &:before { content: "\e001"; } }
+.glyphicon-music                  { &:before { content: "\e002"; } }
+.glyphicon-search                 { &:before { content: "\e003"; } }
+.glyphicon-heart                  { &:before { content: "\e005"; } }
+.glyphicon-star                   { &:before { content: "\e006"; } }
+.glyphicon-star-empty             { &:before { content: "\e007"; } }
+.glyphicon-user                   { &:before { content: "\e008"; } }
+.glyphicon-film                   { &:before { content: "\e009"; } }
+.glyphicon-th-large               { &:before { content: "\e010"; } }
+.glyphicon-th                     { &:before { content: "\e011"; } }
+.glyphicon-th-list                { &:before { content: "\e012"; } }
+.glyphicon-ok                     { &:before { content: "\e013"; } }
+.glyphicon-remove                 { &:before { content: "\e014"; } }
+.glyphicon-zoom-in                { &:before { content: "\e015"; } }
+.glyphicon-zoom-out               { &:before { content: "\e016"; } }
+.glyphicon-off                    { &:before { content: "\e017"; } }
+.glyphicon-signal                 { &:before { content: "\e018"; } }
+.glyphicon-cog                    { &:before { content: "\e019"; } }
+.glyphicon-trash                  { &:before { content: "\e020"; } }
+.glyphicon-home                   { &:before { content: "\e021"; } }
+.glyphicon-file                   { &:before { content: "\e022"; } }
+.glyphicon-time                   { &:before { content: "\e023"; } }
+.glyphicon-road                   { &:before { content: "\e024"; } }
+.glyphicon-download-alt           { &:before { content: "\e025"; } }
+.glyphicon-download               { &:before { content: "\e026"; } }
+.glyphicon-upload                 { &:before { content: "\e027"; } }
+.glyphicon-inbox                  { &:before { content: "\e028"; } }
+.glyphicon-play-circle            { &:before { content: "\e029"; } }
+.glyphicon-repeat                 { &:before { content: "\e030"; } }
+.glyphicon-refresh                { &:before { content: "\e031"; } }
+.glyphicon-list-alt               { &:before { content: "\e032"; } }
+.glyphicon-lock                   { &:before { content: "\e033"; } }
+.glyphicon-flag                   { &:before { content: "\e034"; } }
+.glyphicon-headphones             { &:before { content: "\e035"; } }
+.glyphicon-volume-off             { &:before { content: "\e036"; } }
+.glyphicon-volume-down            { &:before { content: "\e037"; } }
+.glyphicon-volume-up              { &:before { content: "\e038"; } }
+.glyphicon-qrcode                 { &:before { content: "\e039"; } }
+.glyphicon-barcode                { &:before { content: "\e040"; } }
+.glyphicon-tag                    { &:before { content: "\e041"; } }
+.glyphicon-tags                   { &:before { content: "\e042"; } }
+.glyphicon-book                   { &:before { content: "\e043"; } }
+.glyphicon-bookmark               { &:before { content: "\e044"; } }
+.glyphicon-print                  { &:before { content: "\e045"; } }
+.glyphicon-camera                 { &:before { content: "\e046"; } }
+.glyphicon-font                   { &:before { content: "\e047"; } }
+.glyphicon-bold                   { &:before { content: "\e048"; } }
+.glyphicon-italic                 { &:before { content: "\e049"; } }
+.glyphicon-text-height            { &:before { content: "\e050"; } }
+.glyphicon-text-width             { &:before { content: "\e051"; } }
+.glyphicon-align-left             { &:before { content: "\e052"; } }
+.glyphicon-align-center           { &:before { content: "\e053"; } }
+.glyphicon-align-right            { &:before { content: "\e054"; } }
+.glyphicon-align-justify          { &:before { content: "\e055"; } }
+.glyphicon-list                   { &:before { content: "\e056"; } }
+.glyphicon-indent-left            { &:before { content: "\e057"; } }
+.glyphicon-indent-right           { &:before { content: "\e058"; } }
+.glyphicon-facetime-video         { &:before { content: "\e059"; } }
+.glyphicon-picture                { &:before { content: "\e060"; } }
+.glyphicon-map-marker             { &:before { content: "\e062"; } }
+.glyphicon-adjust                 { &:before { content: "\e063"; } }
+.glyphicon-tint                   { &:before { content: "\e064"; } }
+.glyphicon-edit                   { &:before { content: "\e065"; } }
+.glyphicon-share                  { &:before { content: "\e066"; } }
+.glyphicon-check                  { &:before { content: "\e067"; } }
+.glyphicon-move                   { &:before { content: "\e068"; } }
+.glyphicon-step-backward          { &:before { content: "\e069"; } }
+.glyphicon-fast-backward          { &:before { content: "\e070"; } }
+.glyphicon-backward               { &:before { content: "\e071"; } }
+.glyphicon-play                   { &:before { content: "\e072"; } }
+.glyphicon-pause                  { &:before { content: "\e073"; } }
+.glyphicon-stop                   { &:before { content: "\e074"; } }
+.glyphicon-forward                { &:before { content: "\e075"; } }
+.glyphicon-fast-forward           { &:before { content: "\e076"; } }
+.glyphicon-step-forward           { &:before { content: "\e077"; } }
+.glyphicon-eject                  { &:before { content: "\e078"; } }
+.glyphicon-chevron-left           { &:before { content: "\e079"; } }
+.glyphicon-chevron-right          { &:before { content: "\e080"; } }
+.glyphicon-plus-sign              { &:before { content: "\e081"; } }
+.glyphicon-minus-sign             { &:before { content: "\e082"; } }
+.glyphicon-remove-sign            { &:before { content: "\e083"; } }
+.glyphicon-ok-sign                { &:before { content: "\e084"; } }
+.glyphicon-question-sign          { &:before { content: "\e085"; } }
+.glyphicon-info-sign              { &:before { content: "\e086"; } }
+.glyphicon-screenshot             { &:before { content: "\e087"; } }
+.glyphicon-remove-circle          { &:before { content: "\e088"; } }
+.glyphicon-ok-circle              { &:before { content: "\e089"; } }
+.glyphicon-ban-circle             { &:before { content: "\e090"; } }
+.glyphicon-arrow-left             { &:before { content: "\e091"; } }
+.glyphicon-arrow-right            { &:before { content: "\e092"; } }
+.glyphicon-arrow-up               { &:before { content: "\e093"; } }
+.glyphicon-arrow-down             { &:before { content: "\e094"; } }
+.glyphicon-share-alt              { &:before { content: "\e095"; } }
+.glyphicon-resize-full            { &:before { content: "\e096"; } }
+.glyphicon-resize-small           { &:before { content: "\e097"; } }
+.glyphicon-exclamation-sign       { &:before { content: "\e101"; } }
+.glyphicon-gift                   { &:before { content: "\e102"; } }
+.glyphicon-leaf                   { &:before { content: "\e103"; } }
+.glyphicon-fire                   { &:before { content: "\e104"; } }
+.glyphicon-eye-open               { &:before { content: "\e105"; } }
+.glyphicon-eye-close              { &:before { content: "\e106"; } }
+.glyphicon-warning-sign           { &:before { content: "\e107"; } }
+.glyphicon-plane                  { &:before { content: "\e108"; } }
+.glyphicon-calendar               { &:before { content: "\e109"; } }
+.glyphicon-random                 { &:before { content: "\e110"; } }
+.glyphicon-comment                { &:before { content: "\e111"; } }
+.glyphicon-magnet                 { &:before { content: "\e112"; } }
+.glyphicon-chevron-up             { &:before { content: "\e113"; } }
+.glyphicon-chevron-down           { &:before { content: "\e114"; } }
+.glyphicon-retweet                { &:before { content: "\e115"; } }
+.glyphicon-shopping-cart          { &:before { content: "\e116"; } }
+.glyphicon-folder-close           { &:before { content: "\e117"; } }
+.glyphicon-folder-open            { &:before { content: "\e118"; } }
+.glyphicon-resize-vertical        { &:before { content: "\e119"; } }
+.glyphicon-resize-horizontal      { &:before { content: "\e120"; } }
+.glyphicon-hdd                    { &:before { content: "\e121"; } }
+.glyphicon-bullhorn               { &:before { content: "\e122"; } }
+.glyphicon-bell                   { &:before { content: "\e123"; } }
+.glyphicon-certificate            { &:before { content: "\e124"; } }
+.glyphicon-thumbs-up              { &:before { content: "\e125"; } }
+.glyphicon-thumbs-down            { &:before { content: "\e126"; } }
+.glyphicon-hand-right             { &:before { content: "\e127"; } }
+.glyphicon-hand-left              { &:before { content: "\e128"; } }
+.glyphicon-hand-up                { &:before { content: "\e129"; } }
+.glyphicon-hand-down              { &:before { content: "\e130"; } }
+.glyphicon-circle-arrow-right     { &:before { content: "\e131"; } }
+.glyphicon-circle-arrow-left      { &:before { content: "\e132"; } }
+.glyphicon-circle-arrow-up        { &:before { content: "\e133"; } }
+.glyphicon-circle-arrow-down      { &:before { content: "\e134"; } }
+.glyphicon-globe                  { &:before { content: "\e135"; } }
+.glyphicon-wrench                 { &:before { content: "\e136"; } }
+.glyphicon-tasks                  { &:before { content: "\e137"; } }
+.glyphicon-filter                 { &:before { content: "\e138"; } }
+.glyphicon-briefcase              { &:before { content: "\e139"; } }
+.glyphicon-fullscreen             { &:before { content: "\e140"; } }
+.glyphicon-dashboard              { &:before { content: "\e141"; } }
+.glyphicon-paperclip              { &:before { content: "\e142"; } }
+.glyphicon-heart-empty            { &:before { content: "\e143"; } }
+.glyphicon-link                   { &:before { content: "\e144"; } }
+.glyphicon-phone                  { &:before { content: "\e145"; } }
+.glyphicon-pushpin                { &:before { content: "\e146"; } }
+.glyphicon-usd                    { &:before { content: "\e148"; } }
+.glyphicon-gbp                    { &:before { content: "\e149"; } }
+.glyphicon-sort                   { &:before { content: "\e150"; } }
+.glyphicon-sort-by-alphabet       { &:before { content: "\e151"; } }
+.glyphicon-sort-by-alphabet-alt   { &:before { content: "\e152"; } }
+.glyphicon-sort-by-order          { &:before { content: "\e153"; } }
+.glyphicon-sort-by-order-alt      { &:before { content: "\e154"; } }
+.glyphicon-sort-by-attributes     { &:before { content: "\e155"; } }
+.glyphicon-sort-by-attributes-alt { &:before { content: "\e156"; } }
+.glyphicon-unchecked              { &:before { content: "\e157"; } }
+.glyphicon-expand                 { &:before { content: "\e158"; } }
+.glyphicon-collapse-down          { &:before { content: "\e159"; } }
+.glyphicon-collapse-up            { &:before { content: "\e160"; } }
+.glyphicon-log-in                 { &:before { content: "\e161"; } }
+.glyphicon-flash                  { &:before { content: "\e162"; } }
+.glyphicon-log-out                { &:before { content: "\e163"; } }
+.glyphicon-new-window             { &:before { content: "\e164"; } }
+.glyphicon-record                 { &:before { content: "\e165"; } }
+.glyphicon-save                   { &:before { content: "\e166"; } }
+.glyphicon-open                   { &:before { content: "\e167"; } }
+.glyphicon-saved                  { &:before { content: "\e168"; } }
+.glyphicon-import                 { &:before { content: "\e169"; } }
+.glyphicon-export                 { &:before { content: "\e170"; } }
+.glyphicon-send                   { &:before { content: "\e171"; } }
+.glyphicon-floppy-disk            { &:before { content: "\e172"; } }
+.glyphicon-floppy-saved           { &:before { content: "\e173"; } }
+.glyphicon-floppy-remove          { &:before { content: "\e174"; } }
+.glyphicon-floppy-save            { &:before { content: "\e175"; } }
+.glyphicon-floppy-open            { &:before { content: "\e176"; } }
+.glyphicon-credit-card            { &:before { content: "\e177"; } }
+.glyphicon-transfer               { &:before { content: "\e178"; } }
+.glyphicon-cutlery                { &:before { content: "\e179"; } }
+.glyphicon-header                 { &:before { content: "\e180"; } }
+.glyphicon-compressed             { &:before { content: "\e181"; } }
+.glyphicon-earphone               { &:before { content: "\e182"; } }
+.glyphicon-phone-alt              { &:before { content: "\e183"; } }
+.glyphicon-tower                  { &:before { content: "\e184"; } }
+.glyphicon-stats                  { &:before { content: "\e185"; } }
+.glyphicon-sd-video               { &:before { content: "\e186"; } }
+.glyphicon-hd-video               { &:before { content: "\e187"; } }
+.glyphicon-subtitles              { &:before { content: "\e188"; } }
+.glyphicon-sound-stereo           { &:before { content: "\e189"; } }
+.glyphicon-sound-dolby            { &:before { content: "\e190"; } }
+.glyphicon-sound-5-1              { &:before { content: "\e191"; } }
+.glyphicon-sound-6-1              { &:before { content: "\e192"; } }
+.glyphicon-sound-7-1              { &:before { content: "\e193"; } }
+.glyphicon-copyright-mark         { &:before { content: "\e194"; } }
+.glyphicon-registration-mark      { &:before { content: "\e195"; } }
+.glyphicon-cloud-download         { &:before { content: "\e197"; } }
+.glyphicon-cloud-upload           { &:before { content: "\e198"; } }
+.glyphicon-tree-conifer           { &:before { content: "\e199"; } }
+.glyphicon-tree-deciduous         { &:before { content: "\e200"; } }
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_grid.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_grid.scss
new file mode 100644
index 0000000000..f71f8b9015
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_grid.scss
@@ -0,0 +1,84 @@
+//
+// Grid system
+// --------------------------------------------------
+
+
+// Container widths
+//
+// Set the container width, and override it for fixed navbars in media queries.
+
+.container {
+  @include container-fixed();
+
+  @media (min-width: $screen-sm-min) {
+    width: $container-sm;
+  }
+  @media (min-width: $screen-md-min) {
+    width: $container-md;
+  }
+  @media (min-width: $screen-lg-min) {
+    width: $container-lg;
+  }
+}
+
+
+// Fluid container
+//
+// Utilizes the mixin meant for fixed width containers, but without any defined
+// width for fluid, full width layouts.
+
+.container-fluid {
+  @include container-fixed();
+}
+
+
+// Row
+//
+// Rows contain and clear the floats of your columns.
+
+.row {
+  @include make-row();
+}
+
+
+// Columns
+//
+// Common styles for small and large grid columns
+
+@include make-grid-columns();
+
+
+// Extra small grid
+//
+// Columns, offsets, pushes, and pulls for extra small devices like
+// smartphones.
+
+@include make-grid(xs);
+
+
+// Small grid
+//
+// Columns, offsets, pushes, and pulls for the small device range, from phones
+// to tablets.
+
+@media (min-width: $screen-sm-min) {
+  @include make-grid(sm);
+}
+
+
+// Medium grid
+//
+// Columns, offsets, pushes, and pulls for the desktop device range.
+
+@media (min-width: $screen-md-min) {
+  @include make-grid(md);
+}
+
+
+// Large grid
+//
+// Columns, offsets, pushes, and pulls for the large desktop device range.
+
+@media (min-width: $screen-lg-min) {
+  @include make-grid(lg);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_input-groups.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_input-groups.scss
new file mode 100644
index 0000000000..f56322e3ba
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_input-groups.scss
@@ -0,0 +1,166 @@
+//
+// Input groups
+// --------------------------------------------------
+
+// Base styles
+// -------------------------
+.input-group {
+  position: relative; // For dropdowns
+  display: table;
+  border-collapse: separate; // prevent input groups from inheriting border styles from table cells when placed within a table
+
+  // Undo padding and float of grid classes
+  &[class*="col-"] {
+    float: none;
+    padding-left: 0;
+    padding-right: 0;
+  }
+
+  .form-control {
+    // Ensure that the input is always above the *appended* addon button for
+    // proper border colors.
+    position: relative;
+    z-index: 2;
+
+    // IE9 fubars the placeholder attribute in text inputs and the arrows on
+    // select elements in input groups. To fix it, we float the input. Details:
+    // https://github.com/twbs/bootstrap/issues/11561#issuecomment-28936855
+    float: left;
+
+    width: 100%;
+    margin-bottom: 0;
+  }
+}
+
+// Sizing options
+//
+// Remix the default form control sizing classes into new ones for easier
+// manipulation.
+
+.input-group-lg > .form-control,
+.input-group-lg > .input-group-addon,
+.input-group-lg > .input-group-btn > .btn {
+  @extend .input-lg;
+}
+.input-group-sm > .form-control,
+.input-group-sm > .input-group-addon,
+.input-group-sm > .input-group-btn > .btn {
+  @extend .input-sm;
+}
+
+
+// Display as table-cell
+// -------------------------
+.input-group-addon,
+.input-group-btn,
+.input-group .form-control {
+  display: table-cell;
+
+  &:not(:first-child):not(:last-child) {
+    border-radius: 0;
+  }
+}
+// Addon and addon wrapper for buttons
+.input-group-addon,
+.input-group-btn {
+  width: 1%;
+  white-space: nowrap;
+  vertical-align: middle; // Match the inputs
+}
+
+// Text input groups
+// -------------------------
+.input-group-addon {
+  padding: $padding-base-vertical $padding-base-horizontal;
+  font-size: $font-size-base;
+  font-weight: normal;
+  line-height: 1;
+  color: $input-color;
+  text-align: center;
+  background-color: $input-group-addon-bg;
+  border: 1px solid $input-group-addon-border-color;
+  border-radius: $border-radius-base;
+
+  // Sizing
+  &.input-sm {
+    padding: $padding-small-vertical $padding-small-horizontal;
+    font-size: $font-size-small;
+    border-radius: $border-radius-small;
+  }
+  &.input-lg {
+    padding: $padding-large-vertical $padding-large-horizontal;
+    font-size: $font-size-large;
+    border-radius: $border-radius-large;
+  }
+
+  // Nuke default margins from checkboxes and radios to vertically center within.
+  input[type="radio"],
+  input[type="checkbox"] {
+    margin-top: 0;
+  }
+}
+
+// Reset rounded corners
+.input-group .form-control:first-child,
+.input-group-addon:first-child,
+.input-group-btn:first-child > .btn,
+.input-group-btn:first-child > .btn-group > .btn,
+.input-group-btn:first-child > .dropdown-toggle,
+.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),
+.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {
+  @include border-right-radius(0);
+}
+.input-group-addon:first-child {
+  border-right: 0;
+}
+.input-group .form-control:last-child,
+.input-group-addon:last-child,
+.input-group-btn:last-child > .btn,
+.input-group-btn:last-child > .btn-group > .btn,
+.input-group-btn:last-child > .dropdown-toggle,
+.input-group-btn:first-child > .btn:not(:first-child),
+.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {
+  @include border-left-radius(0);
+}
+.input-group-addon:last-child {
+  border-left: 0;
+}
+
+// Button input groups
+// -------------------------
+.input-group-btn {
+  position: relative;
+  // Jankily prevent input button groups from wrapping with `white-space` and
+  // `font-size` in combination with `inline-block` on buttons.
+  font-size: 0;
+  white-space: nowrap;
+
+  // Negative margin for spacing, position for bringing hovered/focused/activated
+  // element above the siblings.
+  > .btn {
+    position: relative;
+    + .btn {
+      margin-left: -1px;
+    }
+    // Bring the "active" button to the front
+    &:hover,
+    &:focus,
+    &:active {
+      z-index: 2;
+    }
+  }
+
+  // Negative margin to only have a 1px border between the two
+  &:first-child {
+    > .btn,
+    > .btn-group {
+      margin-right: -1px;
+    }
+  }
+  &:last-child {
+    > .btn,
+    > .btn-group {
+      margin-left: -1px;
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_jumbotron.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_jumbotron.scss
new file mode 100644
index 0000000000..110c97f54b
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_jumbotron.scss
@@ -0,0 +1,48 @@
+//
+// Jumbotron
+// --------------------------------------------------
+
+
+.jumbotron {
+  padding: $jumbotron-padding;
+  margin-bottom: $jumbotron-padding;
+  color: $jumbotron-color;
+  background-color: $jumbotron-bg;
+
+  h1,
+  .h1 {
+    color: $jumbotron-heading-color;
+  }
+  p {
+    margin-bottom: calc($jumbotron-padding / 2);
+    font-size: $jumbotron-font-size;
+    font-weight: 200;
+  }
+
+  > hr {
+    border-top-color: darken($jumbotron-bg, 10%);
+  }
+
+  .container & {
+    border-radius: $border-radius-large; // Only round corners at higher resolutions if contained in a container
+  }
+
+  .container {
+    max-width: 100%;
+  }
+
+  @media screen and (min-width: $screen-sm-min) {
+    padding-top:    ($jumbotron-padding * 1.6);
+    padding-bottom: ($jumbotron-padding * 1.6);
+
+    .container & {
+      padding-left:  ($jumbotron-padding * 2);
+      padding-right: ($jumbotron-padding * 2);
+    }
+
+    h1,
+    .h1 {
+      font-size: ($font-size-base * 4.5);
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_labels.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_labels.scss
new file mode 100644
index 0000000000..42ed6ea123
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_labels.scss
@@ -0,0 +1,66 @@
+//
+// Labels
+// --------------------------------------------------
+
+.label {
+  display: inline;
+  padding: .2em .6em .3em;
+  font-size: 75%;
+  font-weight: bold;
+  line-height: 1;
+  color: $label-color;
+  text-align: center;
+  white-space: nowrap;
+  vertical-align: baseline;
+  border-radius: .25em;
+
+  // [converter] extracted a& to a.label
+
+  // Empty labels collapse automatically (not available in IE8)
+  &:empty {
+    display: none;
+  }
+
+  // Quick fix for labels in buttons
+  .btn & {
+    position: relative;
+    top: -1px;
+  }
+}
+
+// Add hover effects, but only for links
+a.label {
+  &:hover,
+  &:focus {
+    color: $label-link-hover-color;
+    text-decoration: none;
+    cursor: pointer;
+  }
+}
+
+// Colors
+// Contextual variations (linked labels get darker on :hover)
+
+.label-default {
+  @include label-variant($label-default-bg);
+}
+
+.label-primary {
+  @include label-variant($label-primary-bg);
+}
+
+.label-success {
+  @include label-variant($label-success-bg);
+}
+
+.label-info {
+  @include label-variant($label-info-bg);
+}
+
+.label-warning {
+  @include label-variant($label-warning-bg);
+}
+
+.label-danger {
+  @include label-variant($label-danger-bg);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_list-group.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_list-group.scss
new file mode 100644
index 0000000000..63027b8802
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_list-group.scss
@@ -0,0 +1,159 @@
+//
+// List groups
+// --------------------------------------------------
+
+
+// Base class
+//
+// Easily usable on <ul>, <ol>, or <div>.
+
+.list-group {
+  // No need to set list-style: none; since .list-group-item is block level
+  margin-bottom: 20px;
+  padding-left: 0; // reset padding because ul and ol
+}
+
+
+// Individual list items
+//
+// Use on `li`s or `div`s within the `.list-group` parent.
+
+.list-group-item {
+  position: relative;
+  display: block;
+  padding: 6px 8px;
+  // Place the border on the list items and negative margin up for better styling
+  margin-bottom: -1px;
+  background-color: $list-group-bg;
+  //border: 1px solid $list-group-border;
+
+  // Round the first and last items
+  &:first-child {
+  }
+  &:last-child {
+    margin-bottom: 0;
+  }
+
+  // Align badges within list items
+  > .badge {
+    float: right;
+  }
+  > .badge + .badge {
+    margin-right: 5px;
+  }
+}
+
+
+// Linked list items
+//
+// Use anchor elements instead of `li`s or `div`s to create linked list items.
+// Includes an extra `.active` modifier class for showing selected items.
+
+a.list-group-item {
+  color: $list-group-link-color;
+  border-radius: 0;
+
+  .list-group-item-heading {
+    color: $list-group-link-heading-color;
+  }
+
+  // Hover state
+  &:hover,
+  &:focus {
+    text-decoration: none;
+    color: $list-group-link-hover-color;
+    background-color: $list-group-hover-bg;
+
+     &:before{
+		background: $list-group-active-border;
+		  content: "";
+		  height: 42px;
+		  left: 0;
+		  position: absolute;
+		  top:0;
+		  width: 3px;
+	  }
+  }
+}
+
+.list-group-item {
+  // Disabled state
+  &.disabled,
+  &.disabled:hover,
+  &.disabled:focus {
+    background-color: $list-group-disabled-bg;
+    color: $list-group-disabled-color;
+
+    // Force color to inherit for custom content
+    .list-group-item-heading {
+      color: inherit;
+    }
+    .list-group-item-text {
+      color: $list-group-disabled-text-color;
+    }
+  }
+
+  // Active class on item itself, not parent
+  &.active,
+  &.active:hover,
+  &.active:focus {
+    z-index: 2; // Place active items above their siblings for proper border styling
+
+ &:before{
+		background: $list-group-active-border;
+		  content: "";
+		  height: 42px;
+		  left: 0;
+		  position: absolute;
+		  top:0px;
+		  width: 3px;
+	  }
+
+    // Force color to inherit for custom content
+    .list-group-item-heading,
+    .list-group-item-heading > small,
+    .list-group-item-heading > .small {
+      color: inherit;
+    }
+    .list-group-item-text {
+      color: $list-group-active-text-color;
+    }
+
+    +.collapse > .list-group-item{
+	      &:before{
+		background: $list-group-active-border;
+		  content: "";
+		  height: 42px;
+		  left: 0;
+		  position: absolute;
+		  top:0px;
+		  width: 3px;
+	  }
+    }
+  }
+}
+
+
+// Contextual variants
+//
+// Add modifier classes to change text and background color on individual items.
+// Organizationally, this must come after the `:hover` states.
+
+@include list-group-item-variant(success, $state-success-bg, $state-success-text);
+@include list-group-item-variant(info, $state-info-bg, $state-info-text);
+@include list-group-item-variant(warning, $state-warning-bg, $state-warning-text);
+@include list-group-item-variant(danger, $state-danger-bg, $state-danger-text);
+
+
+// Custom content options
+//
+// Extra classes for creating well-formatted content within `.list-group-item`s.
+
+.list-group-item-heading {
+  margin-top: 0;
+  margin-bottom: 5px;
+}
+.list-group-item-text {
+  margin-bottom: 0;
+  line-height: 1.3;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_media.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_media.scss
new file mode 100644
index 0000000000..5ad22cd6d5
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_media.scss
@@ -0,0 +1,56 @@
+// Media objects
+// Source: http://stubbornella.org/content/?p=497
+// --------------------------------------------------
+
+
+// Common styles
+// -------------------------
+
+// Clear the floats
+.media,
+.media-body {
+  overflow: hidden;
+  zoom: 1;
+}
+
+// Proper spacing between instances of .media
+.media,
+.media .media {
+  margin-top: 15px;
+}
+.media:first-child {
+  margin-top: 0;
+}
+
+// For images and videos, set to block
+.media-object {
+  display: block;
+}
+
+// Reset margins on headings for tighter default spacing
+.media-heading {
+  margin: 0 0 5px;
+}
+
+
+// Media image alignment
+// -------------------------
+
+.media {
+  > .pull-left {
+    margin-right: 10px;
+  }
+  > .pull-right {
+    margin-left: 10px;
+  }
+}
+
+
+// Media list variation
+// -------------------------
+
+// Undo default ul/ol styles
+.media-list {
+  padding-left: 0;
+  list-style: none;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_mixins.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_mixins.scss
new file mode 100644
index 0000000000..b565f013a4
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_mixins.scss
@@ -0,0 +1,39 @@
+// Mixins
+// --------------------------------------------------
+
+// Utilities
+@import "mixins/hide-text";
+@import "mixins/opacity";
+@import "mixins/image";
+@import "mixins/labels";
+@import "mixins/reset-filter";
+@import "mixins/resize";
+@import "mixins/responsive-visibility";
+@import "mixins/size";
+@import "mixins/tab-focus";
+@import "mixins/text-emphasis";
+@import "mixins/text-overflow";
+@import "mixins/vendor-prefixes";
+
+// Components
+@import "mixins/alerts";
+@import "mixins/buttons";
+@import "mixins/panels";
+@import "mixins/pagination";
+@import "mixins/list-group";
+@import "mixins/nav-divider";
+@import "mixins/forms";
+@import "mixins/progress-bar";
+@import "mixins/table-row";
+
+// Skins
+@import "mixins/background-variant";
+@import "mixins/border-radius";
+@import "mixins/gradients";
+
+// Layout
+@import "mixins/clearfix";
+@import "mixins/center-block";
+@import "mixins/nav-vertical-align";
+@import "mixins/grid-framework";
+@import "mixins/grid";
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_modals.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_modals.scss
new file mode 100644
index 0000000000..df980e55cd
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_modals.scss
@@ -0,0 +1,150 @@
+//
+// Modals
+// --------------------------------------------------
+
+// .modal-open      - body class for killing the scroll
+// .modal           - container to scroll within
+// .modal-dialog    - positioning shell for the actual modal
+// .modal-content   - actual modal w/ bg and corners and shit
+
+// Kill the scroll on the body
+.modal-open {
+  overflow: hidden;
+}
+
+// Container that the modal scrolls within
+.modal {
+  display: none;
+  overflow: hidden;
+  position: fixed;
+  top: 0;
+  right: 0;
+  bottom: 0;
+  left: 0;
+  z-index: $zindex-modal;
+  -webkit-overflow-scrolling: touch;
+
+  // Prevent Chrome on Windows from adding a focus outline. For details, see
+  // https://github.com/twbs/bootstrap/pull/10951.
+  outline: 0;
+
+  // When fading in the modal, animate it to slide down
+  &.fade .modal-dialog {
+    @include translate3d(0, -25%, 0);
+    @include transition-transform(0.3s ease-out);
+  }
+  &.in .modal-dialog { @include translate3d(0, 0, 0) }
+}
+.modal-open .modal {
+  overflow-x: hidden;
+  overflow-y: auto;
+}
+
+// Shell div to position the modal with bottom padding
+.modal-dialog {
+  position: relative;
+  width: auto;
+  margin: 52px+10px 10px 10px 10px;
+}
+
+// Actual modal
+.modal-content {
+  position: relative;
+  background-color: $modal-content-bg;
+  border: 1px solid $modal-content-fallback-border-color; //old browsers fallback (ie8 etc)
+  border: 1px solid $modal-content-border-color;
+  border-radius: $border-radius-large;
+  @include box-shadow(0 3px 9px rgba(0,0,0,.5));
+  background-clip: padding-box;
+  // Remove focus outline from opened modal
+  outline: 0;
+}
+
+// Modal background
+.modal-backdrop {
+  position: fixed;
+  top: 0;
+  right: 0;
+  bottom: 0;
+  left: 0;
+  z-index: $zindex-modal-background;
+  background-color: $modal-backdrop-bg;
+  // Fade for backdrop
+  &.fade { @include opacity(0); }
+  &.in { @include opacity($modal-backdrop-opacity); }
+}
+
+// Modal header
+// Top section of the modal w/ title and dismiss
+.modal-header {
+  padding: $modal-title-padding;
+  border-bottom: 1px solid $modal-header-border-color;
+  min-height: ($modal-title-padding + $modal-title-line-height);
+}
+// Close icon
+.modal-header .close {
+  margin-top: -2px;
+}
+
+// Title text within header
+.modal-title {
+  margin: 0;
+  line-height: $modal-title-line-height;
+}
+
+// Modal body
+// Where all modal content resides (sibling of .modal-header and .modal-footer)
+.modal-body {
+  position: relative;
+  padding: $modal-inner-padding;
+}
+
+// Footer (for actions)
+.modal-footer {
+  padding: $modal-inner-padding;
+  text-align: right; // right align buttons
+  border-top: 1px solid $modal-footer-border-color;
+  @include clearfix(); // clear it in case folks use .pull-* classes on buttons
+
+  // Properly space out buttons
+  .btn + .btn {
+    margin-left: 5px;
+    margin-bottom: 0; // account for input[type="submit"] which gets the bottom margin like all other inputs
+  }
+  // but override that for button groups
+  .btn-group .btn + .btn {
+    margin-left: -1px;
+  }
+  // and override it for block buttons as well
+  .btn-block + .btn-block {
+    margin-left: 0;
+  }
+}
+
+// Measure scrollbar width for padding body during modal show/hide
+.modal-scrollbar-measure {
+  position: absolute;
+  top: -9999px;
+  width: 50px;
+  height: 50px;
+  overflow: scroll;
+}
+
+// Scale up the modal
+@media (min-width: $screen-sm-min) {
+  // Automatically set modal's width for larger viewports
+  .modal-dialog {
+    width: $modal-md;
+    margin: 52px+30px auto 30px auto;
+  }
+  .modal-content {
+    @include box-shadow(0 5px 15px rgba(0,0,0,.5));
+  }
+
+  // Modal sizes
+  .modal-sm { width: $modal-sm; }
+}
+
+@media (min-width: $screen-md-min) {
+  .modal-lg { width: $modal-lg; }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_navbar.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_navbar.scss
new file mode 100644
index 0000000000..6cee973c35
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_navbar.scss
@@ -0,0 +1,658 @@
+//
+// Navbars
+// --------------------------------------------------
+
+
+// Wrapper and base class
+//
+// Provide a static navbar from which we expand to create full-width, fixed, and
+// other navbar variations.
+
+.navbar {
+  position: relative;
+  min-height: $navbar-height; // Ensure a navbar always shows (e.g., without a .navbar-brand in collapsed mode)
+  margin-bottom: $navbar-margin-bottom;
+  border: 1px solid transparent;
+
+  // Prevent floats from breaking the navbar
+  @include clearfix();
+
+  @media (min-width: $grid-float-breakpoint) {
+    border-radius: $navbar-border-radius;
+  }
+}
+
+
+// Navbar heading
+//
+// Groups `.navbar-brand` and `.navbar-toggle` into a single component for easy
+// styling of responsive aspects.
+
+.navbar-header {
+  @include clearfix();
+
+  @media (min-width: $grid-float-breakpoint) {
+    float: left;
+  }
+}
+
+
+// Navbar collapse (body)
+//
+// Group your navbar content into this for easy collapsing and expanding across
+// various device sizes. By default, this content is collapsed when <768px, but
+// will expand past that for a horizontal display.
+//
+// To start (on mobile devices) the navbar links, forms, and buttons are stacked
+// vertically and include a `max-height` to overflow in case you have too much
+// content for the user's viewport.
+
+.navbar-collapse {
+  overflow-x: visible;
+  padding-right: $navbar-padding-horizontal;
+  padding-left:  $navbar-padding-horizontal;
+  border-top: 1px solid transparent;
+  box-shadow: inset 0 1px 0 rgba(255,255,255,.1);
+  @include clearfix();
+  -webkit-overflow-scrolling: touch;
+
+  &.in {
+    overflow-y: auto;
+  }
+
+  @media (min-width: $grid-float-breakpoint) {
+    width: auto;
+    border-top: 0;
+    box-shadow: none;
+
+    &.collapse {
+      display: block !important;
+      height: auto !important;
+      padding-bottom: 0; // Override default setting
+      overflow: visible !important;
+    }
+
+    &.in {
+      overflow-y: visible;
+    }
+
+    // Undo the collapse side padding for navbars with containers to ensure
+    // alignment of right-aligned contents.
+    .navbar-fixed-top &,
+    .navbar-static-top &,
+    .navbar-fixed-bottom & {
+      padding-left: 0;
+      padding-right: 0;
+    }
+  }
+}
+
+.navbar-fixed-top,
+.navbar-fixed-bottom {
+  .navbar-collapse {
+    max-height: $navbar-collapse-max-height;
+
+    @media (max-width: $screen-xs-min) and (orientation: landscape) {
+      max-height: 200px;
+    }
+  }
+}
+
+
+// Both navbar header and collapse
+//
+// When a container is present, change the behavior of the header and collapse.
+
+.container,
+.container-fluid {
+  > .navbar-header,
+  > .navbar-collapse {
+    margin-right: -$navbar-padding-horizontal;
+    margin-left:  -$navbar-padding-horizontal;
+
+    @media (min-width: $grid-float-breakpoint) {
+      margin-right: 0;
+      margin-left:  0;
+    }
+  }
+}
+
+
+//
+// Navbar alignment options
+//
+// Display the navbar across the entirety of the page or fixed it to the top or
+// bottom of the page.
+
+// Static top (unfixed, but 100% wide) navbar
+.navbar-static-top {
+  z-index: $zindex-navbar;
+  border-width: 0 0 1px;
+
+  @media (min-width: $grid-float-breakpoint) {
+    border-radius: 0;
+  }
+}
+
+// Fix the top/bottom navbars when screen real estate supports it
+.navbar-fixed-top,
+.navbar-fixed-bottom {
+  position: fixed;
+  right: 0;
+  left: 0;
+  z-index: $zindex-navbar-fixed;
+  @include translate3d(0, 0, 0);
+
+  // Undo the rounded corners
+  @media (min-width: $grid-float-breakpoint) {
+    border-radius: 0;
+  }
+}
+.navbar-fixed-top {
+  top: 0;
+  border-width: 0 0 1px;
+}
+.navbar-fixed-bottom {
+  bottom: 0;
+  margin-bottom: 0; // override .navbar defaults
+  border-width: 1px 0 0;
+}
+
+
+// Brand/project name
+
+.navbar-brand {
+  float: left;
+  padding: $navbar-padding-vertical $navbar-padding-horizontal;
+  font-size: $font-size-large;
+  height: $navbar-height;
+
+  &:hover,
+  &:focus {
+    text-decoration: none;
+  }
+
+  @media (min-width: $grid-float-breakpoint) {
+    .navbar > .container &,
+    .navbar > .container-fluid & {
+      margin-left: -$navbar-padding-horizontal;
+    }
+  }
+}
+
+
+// Navbar toggle
+//
+// Custom button for toggling the `.navbar-collapse`, powered by the collapse
+// JavaScript plugin.
+
+.navbar-toggle {
+  position: relative;
+  float: left;
+  margin-right: $navbar-padding-horizontal;
+  padding: 9px 10px;
+  @include navbar-vertical-align(34px);
+  background-color: transparent;
+  background-image: none; // Reset unusual Firefox-on-Android default style; see https://github.com/necolas/normalize.css/issues/214
+  border: 1px solid transparent;
+  border-radius: $border-radius-base;
+
+  // We remove the `outline` here, but later compensate by attaching `:hover`
+  // styles to `:focus`.
+  &:focus {
+    outline: 0;
+  }
+
+  // Bars
+  .icon-bar {
+    display: block;
+    width: 22px;
+    height: 2px;
+    border-radius: 1px;
+  }
+  .icon-bar + .icon-bar {
+    margin-top: 4px;
+  }
+
+  @media (min-width: $grid-float-breakpoint) {
+    display: none;
+  }
+}
+
+
+// Navbar nav links
+//
+// Builds on top of the `.nav` components with its own modifier class to make
+// the nav the full height of the horizontal nav (above 768px).
+
+.navbar-nav {
+  margin: calc($navbar-padding-vertical / 2) (-$navbar-padding-horizontal);
+
+  > li > a {
+    padding-top:    10px;
+    padding-bottom: 10px;
+    line-height: $line-height-computed;
+  }
+
+  @media (max-width: $grid-float-breakpoint-max) {
+    // Dropdowns get custom display when collapsed
+    .open .dropdown-menu {
+      position: static;
+      float: none;
+      width: auto;
+      margin-top: 0;
+      background-color: transparent;
+      border: 0;
+      box-shadow: none;
+      > li > a,
+      .dropdown-header {
+        padding: 5px 15px 5px 25px;
+      }
+      > li > a {
+        line-height: $line-height-computed;
+        &:hover,
+        &:focus {
+          background-image: none;
+        }
+      }
+    }
+  }
+
+  // Uncollapse the nav
+  @media (min-width: $grid-float-breakpoint) {
+    float: left;
+    margin: 0;
+
+    > li {
+      float: left;
+      > a {
+        padding-top:    $navbar-padding-vertical;
+        padding-bottom: $navbar-padding-vertical;
+      }
+    }
+
+    &.navbar-right:last-child {
+      margin-right: -$navbar-padding-horizontal;
+    }
+  }
+}
+
+
+// Component alignment
+//
+// Repurpose the pull utilities as their own navbar utilities to avoid specificity
+// issues with parents and chaining. Only do this when the navbar is uncollapsed
+// though so that navbar contents properly stack and align in mobile.
+
+@media (min-width: $grid-float-breakpoint) {
+  .navbar-left {
+    float: left !important;
+  }
+  .navbar-right {
+    float: right !important;
+  }
+}
+
+
+// Navbar form
+//
+// Extension of the `.form-inline` with some extra flavor for optimum display in
+// our navbars.
+
+.navbar-form {
+  margin-left: -$navbar-padding-horizontal;
+  margin-right: -$navbar-padding-horizontal;
+  padding: 10px 0px;
+  border-top: 1px solid transparent;
+  border-bottom: 1px solid transparent;
+  $shadow: inset 0 1px 0 rgba(255,255,255,.1), 0 1px 0 rgba(255,255,255,.1);
+  @include box-shadow($shadow);
+
+  // Mixin behavior for optimum display
+  @extend .form-inline;
+
+  .form-group {
+    @media (max-width: $grid-float-breakpoint-max) {
+      margin-bottom: 5px;
+    }
+  }
+
+  // Vertically center in expanded, horizontal navbar
+  @include navbar-vertical-align($input-height-base);
+
+  // Undo 100% width for pull classes
+  @media (min-width: $grid-float-breakpoint) {
+    width: auto;
+    border: 0;
+    margin-left: 0;
+    margin-right: 0;
+    padding-top: 0;
+    padding-bottom: 0;
+    @include box-shadow(none);
+
+    // Outdent the form if last child to line up with content down the page
+    &.navbar-right:last-child {
+      margin-right: -$navbar-padding-horizontal;
+    }
+  }
+}
+
+
+// Dropdown menus
+
+// Menu position and menu carets
+.navbar-nav > li > .dropdown-menu {
+  margin-top: 0;
+  @include border-top-radius(0);
+}
+// Menu position and menu caret support for dropups via extra dropup class
+.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
+  @include border-bottom-radius(0);
+}
+
+
+// Buttons in navbars
+//
+// Vertically center a button within a navbar (when *not* in a form).
+
+.navbar-btn {
+  @include navbar-vertical-align($input-height-base);
+
+  &.btn-sm {
+    @include navbar-vertical-align($input-height-small);
+  }
+  &.btn-xs {
+    @include navbar-vertical-align(22px);
+  }
+}
+
+
+// Text in navbars
+//
+// Add a class to make any element properly align itself vertically within the navbars.
+
+.navbar-text {
+  @include navbar-vertical-align($line-height-computed);
+
+  @media (min-width: $grid-float-breakpoint) {
+    float: left;
+    margin-left: $navbar-padding-horizontal;
+    margin-right: $navbar-padding-horizontal;
+
+    // Outdent the form if last child to line up with content down the page
+    &.navbar-right:last-child {
+      margin-right: 0;
+    }
+  }
+}
+
+// Alternate navbars
+// --------------------------------------------------
+
+// Default navbar
+.navbar-default {
+  background-color: $navbar-default-bg;
+  border-color: $navbar-default-border;
+
+  .navbar-brand {
+    color: $navbar-default-brand-color;
+    &:hover,
+    &:focus {
+      color: $navbar-default-brand-hover-color;
+      background-color: $navbar-default-brand-hover-bg;
+    }
+  }
+
+  .navbar-text {
+    color: $navbar-default-color;
+  }
+
+  .navbar-nav {
+    > li > a {
+      color: $navbar-default-link-color;
+
+      &:hover,
+      &:focus {
+        color: $navbar-default-link-hover-color;
+        background-color: $navbar-default-link-hover-bg;
+      }
+    }
+    > .active > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $navbar-default-link-active-color;
+        background-color: $navbar-default-link-active-bg;
+      }
+    }
+    > .disabled > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $navbar-default-link-disabled-color;
+        background-color: $navbar-default-link-disabled-bg;
+      }
+    }
+  }
+
+  .navbar-toggle {
+    border-color: $navbar-default-toggle-border-color;
+    &:hover,
+    &:focus {
+      background-color: $navbar-default-toggle-hover-bg;
+    }
+    .icon-bar {
+      background-color: $navbar-default-toggle-icon-bar-bg;
+    }
+  }
+
+  .navbar-collapse,
+  .navbar-form {
+    border-color: $navbar-default-border;
+  }
+
+  // Dropdown menu items
+  .navbar-nav {
+    // Remove background color from open dropdown
+    > .open > a {
+      &,
+      &:hover,
+      &:focus {
+        background-color: $navbar-default-link-active-bg;
+        color: $navbar-default-link-active-color;
+      }
+    }
+
+    @media (max-width: $grid-float-breakpoint-max) {
+      // Dropdowns get custom display when collapsed
+      .open .dropdown-menu {
+        > li > a {
+          color: $navbar-default-link-color;
+          &:hover,
+          &:focus {
+            color: $navbar-default-link-hover-color;
+            background-color: $navbar-default-link-hover-bg;
+          }
+        }
+        > .active > a {
+          &,
+          &:hover,
+          &:focus {
+            color: $navbar-default-link-active-color;
+            background-color: $navbar-default-link-active-bg;
+          }
+        }
+        > .disabled > a {
+          &,
+          &:hover,
+          &:focus {
+            color: $navbar-default-link-disabled-color;
+            background-color: $navbar-default-link-disabled-bg;
+          }
+        }
+      }
+    }
+  }
+
+
+  // Links in navbars
+  //
+  // Add a class to ensure links outside the navbar nav are colored correctly.
+
+  .navbar-link {
+    color: $navbar-default-link-color;
+    &:hover {
+      color: $navbar-default-link-hover-color;
+    }
+  }
+
+  .btn-link {
+    color: $navbar-default-link-color;
+    &:hover,
+    &:focus {
+      color: $navbar-default-link-hover-color;
+    }
+    &[disabled],
+    fieldset[disabled] & {
+      &:hover,
+      &:focus {
+        color: $navbar-default-link-disabled-color;
+      }
+    }
+  }
+}
+
+// Inverse navbar
+
+.navbar-inverse {
+  background-color: $navbar-inverse-bg;
+  border-color: $navbar-inverse-border;
+
+  .navbar-brand {
+    color: $navbar-inverse-brand-color;
+    &:hover,
+    &:focus {
+      color: $navbar-inverse-brand-hover-color;
+      background-color: $navbar-inverse-brand-hover-bg;
+    }
+  }
+
+  .navbar-text {
+    color: $navbar-inverse-color;
+  }
+
+  .navbar-nav {
+    > li > a {
+      color: $navbar-inverse-link-color;
+
+      &:hover,
+      &:focus {
+        color: $navbar-inverse-link-hover-color;
+        background-color: $navbar-inverse-link-hover-bg;
+      }
+    }
+    > .active > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $navbar-inverse-link-active-color;
+        background-color: $navbar-inverse-link-active-bg;
+      }
+    }
+    > .disabled > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $navbar-inverse-link-disabled-color;
+        background-color: $navbar-inverse-link-disabled-bg;
+      }
+    }
+  }
+
+  // Darken the responsive nav toggle
+  .navbar-toggle {
+    border-color: $navbar-inverse-toggle-border-color;
+    &:hover,
+    &:focus {
+      background-color: $navbar-inverse-toggle-hover-bg;
+    }
+    .icon-bar {
+      background-color: $navbar-inverse-toggle-icon-bar-bg;
+    }
+  }
+
+  .navbar-collapse,
+  .navbar-form {
+    border-color: darken($navbar-inverse-bg, 7%);
+  }
+
+  // Dropdowns
+  .navbar-nav {
+    > .open > a {
+      &,
+      &:hover,
+      &:focus {
+        background-color: $navbar-inverse-link-active-bg;
+        color: $navbar-inverse-link-active-color;
+      }
+    }
+
+    @media (max-width: $grid-float-breakpoint-max) {
+      // Dropdowns get custom display
+      .open .dropdown-menu {
+        > .dropdown-header {
+          border-color: $navbar-inverse-border;
+        }
+        .divider {
+          background-color: $navbar-inverse-border;
+        }
+        > li > a {
+          color: $navbar-inverse-link-color;
+          &:hover,
+          &:focus {
+            color: $navbar-inverse-link-hover-color;
+            background-color: $navbar-inverse-link-hover-bg;
+          }
+        }
+        > .active > a {
+          &,
+          &:hover,
+          &:focus {
+            color: $navbar-inverse-link-active-color;
+            background-color: $navbar-inverse-link-active-bg;
+          }
+        }
+        > .disabled > a {
+          &,
+          &:hover,
+          &:focus {
+            color: $navbar-inverse-link-disabled-color;
+            background-color: $navbar-inverse-link-disabled-bg;
+          }
+        }
+      }
+    }
+  }
+
+  .navbar-link {
+    color: $navbar-inverse-link-color;
+    &:hover {
+      color: $navbar-inverse-link-hover-color;
+    }
+  }
+
+  .btn-link {
+    color: $navbar-inverse-link-color;
+    &:hover,
+    &:focus {
+      color: $navbar-inverse-link-hover-color;
+    }
+    &[disabled],
+    fieldset[disabled] & {
+      &:hover,
+      &:focus {
+        color: $navbar-inverse-link-disabled-color;
+      }
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_navs.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_navs.scss
new file mode 100644
index 0000000000..d9957806ee
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_navs.scss
@@ -0,0 +1,239 @@
+//
+// Navs
+// --------------------------------------------------
+
+
+// Base class
+// --------------------------------------------------
+
+.nav {
+  margin-bottom: 0;
+  padding-left: 0; // Override default ul/ol
+  list-style: none;
+  @include clearfix();
+
+  > li {
+    position: relative;
+    display: block;
+
+    > a {
+      position: relative;
+      display: block;
+      padding: $nav-link-padding;
+      &:hover,
+      &:focus {
+        text-decoration: none;
+        background-color: $nav-link-hover-bg;
+      }
+    }
+
+    // Disabled state sets text to gray and nukes hover/tab effects
+    &.disabled > a {
+      color: $nav-disabled-link-color;
+
+      &:hover,
+      &:focus {
+        color: $nav-disabled-link-hover-color;
+        text-decoration: none;
+        background-color: transparent;
+        cursor: not-allowed;
+      }
+    }
+  }
+
+  // Open dropdowns
+  .open > a {
+    &,
+    &:hover,
+    &:focus {
+      background-color: $nav-link-hover-bg;
+      border-color: $link-color;
+    }
+  }
+
+  // Nav dividers (deprecated with v3.0.1)
+  //
+  // This should have been removed in v3 with the dropping of `.nav-list`, but
+  // we missed it. We don't currently support this anywhere, but in the interest
+  // of maintaining backward compatibility in case you use it, it's deprecated.
+  .nav-divider {
+    @include nav-divider();
+  }
+
+  // Prevent IE8 from misplacing imgs
+  //
+  // See https://github.com/h5bp/html5-boilerplate/issues/984#issuecomment-3985989
+  > li > a > img {
+    max-width: none;
+  }
+}
+
+
+// Tabs
+// -------------------------
+
+// Give the tabs something to sit on
+.nav-tabs {
+  border-bottom: 1px solid $nav-tabs-border-color;
+  > li {
+    float: left;
+    // Make the list-items overlay the bottom border
+    margin-bottom: -1px;
+
+    // Actual tabs (as links)
+    > a {
+      margin-right: 2px;
+      line-height: $line-height-base;
+      border: 1px solid transparent;
+      border-radius: $border-radius-base $border-radius-base 0 0;
+      &:hover {
+        border-color: $nav-tabs-link-hover-border-color $nav-tabs-link-hover-border-color $nav-tabs-border-color;
+      }
+    }
+
+    // Active state, and its :hover to override normal :hover
+    &.active > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $nav-tabs-active-link-hover-color;
+        background-color: $nav-tabs-active-link-hover-bg;
+        border: 1px solid $nav-tabs-active-link-hover-border-color;
+        border-bottom-color: transparent;
+        cursor: default;
+      }
+    }
+  }
+  // pulling this in mainly for less shorthand
+  &.nav-justified {
+    @extend .nav-justified;
+    @extend .nav-tabs-justified;
+  }
+}
+
+
+// Pills
+// -------------------------
+.nav-pills {
+  > li {
+    float: left;
+
+    // Links rendered as pills
+    > a {
+      border-radius: $nav-pills-border-radius;
+    }
+
+    // Active state
+    &.active > a {
+      &,
+      &:hover,
+      &:focus {
+        color: $nav-pills-active-link-hover-color;
+        background-color: $nav-pills-active-link-hover-bg;
+      }
+    }
+  }
+}
+
+
+// Stacked pills
+.nav-stacked {
+  > li {
+    float: none;
+    + li {
+      margin-top: 2px;
+      margin-left: 0; // no need for this gap between nav items
+    }
+  }
+}
+
+
+// Nav variations
+// --------------------------------------------------
+
+// Justified nav links
+// -------------------------
+
+.nav-justified {
+  width: 100%;
+
+  > li {
+    float: none;
+    > a {
+      text-align: left;
+      margin-bottom: 5px;
+    }
+  }
+
+  > .dropdown .dropdown-menu {
+    top: auto;
+    left: auto;
+  }
+
+  @media (min-width: $screen-sm-min) {
+    > li {
+      display: table-cell;
+      width: 1%;
+      > a {
+        margin-bottom: 0;
+      }
+    }
+  }
+}
+
+// Move borders to anchors instead of bottom of list
+//
+// Mixin for adding on top the shared `.nav-justified` styles for our tabs
+.nav-tabs-justified {
+  border-bottom: 0;
+
+  > li > a {
+    // Override margin from .nav-tabs
+    margin-right: 0;
+    border-radius: $border-radius-base;
+  }
+
+  > .active > a,
+  > .active > a:hover,
+  > .active > a:focus {
+    border: 1px solid $nav-tabs-justified-link-border-color;
+  }
+
+  @media (min-width: $screen-sm-min) {
+    > li > a {
+      border-bottom: 1px solid $nav-tabs-justified-link-border-color;
+      border-radius: $border-radius-base $border-radius-base 0 0;
+    }
+    > .active > a,
+    > .active > a:hover,
+    > .active > a:focus {
+      border-bottom-color: $nav-tabs-justified-active-link-border-color;
+    }
+  }
+}
+
+
+// Tabbable tabs
+// -------------------------
+
+// Hide tabbable panes to start, show them when `.active`
+.tab-content {
+  > .tab-pane {
+    display: none;
+  }
+  > .active {
+    display: block;
+  }
+}
+
+
+// Dropdowns
+// -------------------------
+
+// Specific dropdowns
+.nav-tabs .dropdown-menu {
+  // make dropdown border overlap tab border
+  margin-top: -1px;
+  // Remove the top rounded corners here since there is a hard edge above the menu
+  @include border-top-radius(0);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_normalize.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_normalize.scss
new file mode 100644
index 0000000000..ce04b6a2f9
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_normalize.scss
@@ -0,0 +1,425 @@
+/*! normalize.css v3.0.1 | MIT License | git.io/normalize */
+
+//
+// 1. Set default font family to sans-serif.
+// 2. Prevent iOS text size adjust after orientation change, without disabling
+//    user zoom.
+//
+
+html {
+  font-family: sans-serif; // 1
+  -ms-text-size-adjust: 100%; // 2
+  -webkit-text-size-adjust: 100%; // 2
+}
+
+//
+// Remove default margin.
+//
+
+body {
+  margin: 0;
+}
+
+// HTML5 display definitions
+// ==========================================================================
+
+//
+// Correct `block` display not defined for any HTML5 element in IE 8/9.
+// Correct `block` display not defined for `details` or `summary` in IE 10/11 and Firefox.
+// Correct `block` display not defined for `main` in IE 11.
+//
+
+article,
+aside,
+details,
+figcaption,
+figure,
+footer,
+header,
+hgroup,
+main,
+nav,
+section,
+summary {
+  display: block;
+}
+
+//
+// 1. Correct `inline-block` display not defined in IE 8/9.
+// 2. Normalize vertical alignment of `progress` in Chrome, Firefox, and Opera.
+//
+
+audio,
+canvas,
+progress,
+video {
+  display: inline-block; // 1
+  vertical-align: baseline; // 2
+}
+
+//
+// Prevent modern browsers from displaying `audio` without controls.
+// Remove excess height in iOS 5 devices.
+//
+
+audio:not([controls]) {
+  display: none;
+  height: 0;
+}
+
+//
+// Address `[hidden]` styling not present in IE 8/9/10.
+// Hide the `template` element in IE 8/9/11, Safari, and Firefox < 22.
+//
+
+[hidden],
+template {
+  display: none;
+}
+
+// Links
+// ==========================================================================
+
+//
+// Remove the gray background color from active links in IE 10.
+//
+
+a {
+  background: transparent;
+}
+
+//
+// Improve readability when focused and also mouse hovered in all browsers.
+//
+
+a:active,
+a:hover {
+  outline: 0;
+}
+
+// Text-level semantics
+// ==========================================================================
+
+//
+// Address styling not present in IE 8/9/10/11, Safari, and Chrome.
+//
+
+abbr[title] {
+  border-bottom: 1px dotted;
+}
+
+//
+// Address style set to `bolder` in Firefox 4+, Safari, and Chrome.
+//
+
+b,
+strong {
+  font-weight: bold;
+}
+
+//
+// Address styling not present in Safari and Chrome.
+//
+
+dfn {
+  font-style: italic;
+}
+
+//
+// Address variable `h1` font-size and margin within `section` and `article`
+// contexts in Firefox 4+, Safari, and Chrome.
+//
+
+h1 {
+  font-size: 2em;
+  margin: 0.67em 0;
+}
+
+//
+// Address styling not present in IE 8/9.
+//
+
+mark {
+  background: #ff0;
+  color: #000;
+}
+
+//
+// Address inconsistent and variable font size in all browsers.
+//
+
+small {
+  font-size: 80%;
+}
+
+//
+// Prevent `sub` and `sup` affecting `line-height` in all browsers.
+//
+
+sub,
+sup {
+  font-size: 75%;
+  line-height: 0;
+  position: relative;
+  vertical-align: baseline;
+}
+
+sup {
+  top: -0.5em;
+}
+
+sub {
+  bottom: -0.25em;
+}
+
+// Embedded content
+// ==========================================================================
+
+//
+// Remove border when inside `a` element in IE 8/9/10.
+//
+
+img {
+  border: 0;
+}
+
+//
+// Correct overflow not hidden in IE 9/10/11.
+//
+
+svg:not(:root) {
+  overflow: hidden;
+}
+
+// Grouping content
+// ==========================================================================
+
+//
+// Address margin not present in IE 8/9 and Safari.
+//
+
+figure {
+  margin: 1em 40px;
+}
+
+//
+// Address differences between Firefox and other browsers.
+//
+
+hr {
+  -moz-box-sizing: content-box;
+  box-sizing: content-box;
+  height: 0;
+}
+
+//
+// Contain overflow in all browsers.
+//
+
+pre {
+  overflow: auto;
+}
+
+//
+// Address odd `em`-unit font size rendering in all browsers.
+//
+
+code,
+kbd,
+pre,
+samp {
+  font-family: monospace, monospace;
+  font-size: 1em;
+}
+
+// Forms
+// ==========================================================================
+
+//
+// Known limitation: by default, Chrome and Safari on OS X allow very limited
+// styling of `select`, unless a `border` property is set.
+//
+
+//
+// 1. Correct color not being inherited.
+//    Known issue: affects color of disabled elements.
+// 2. Correct font properties not being inherited.
+// 3. Address margins set differently in Firefox 4+, Safari, and Chrome.
+//
+
+button,
+input,
+optgroup,
+select,
+textarea {
+  color: inherit; // 1
+  font: inherit; // 2
+  margin: 0; // 3
+}
+
+//
+// Address `overflow` set to `hidden` in IE 8/9/10/11.
+//
+
+button {
+  overflow: visible;
+}
+
+//
+// Address inconsistent `text-transform` inheritance for `button` and `select`.
+// All other form control elements do not inherit `text-transform` values.
+// Correct `button` style inheritance in Firefox, IE 8/9/10/11, and Opera.
+// Correct `select` style inheritance in Firefox.
+//
+
+button,
+select {
+  text-transform: none;
+}
+
+//
+// 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio`
+//    and `video` controls.
+// 2. Correct inability to style clickable `input` types in iOS.
+// 3. Improve usability and consistency of cursor style between image-type
+//    `input` and others.
+//
+
+button,
+html input[type="button"], // 1
+input[type="reset"],
+input[type="submit"] {
+  -webkit-appearance: button; // 2
+  cursor: pointer; // 3
+}
+
+//
+// Re-set default cursor for disabled elements.
+//
+
+button[disabled],
+html input[disabled] {
+  cursor: default;
+}
+
+//
+// Remove inner padding and border in Firefox 4+.
+//
+
+button::-moz-focus-inner,
+input::-moz-focus-inner {
+  border: 0;
+  padding: 0;
+}
+
+//
+// Address Firefox 4+ setting `line-height` on `input` using `!important` in
+// the UA stylesheet.
+//
+
+input {
+  line-height: normal;
+}
+
+//
+// It's recommended that you don't attempt to style these elements.
+// Firefox's implementation doesn't respect box-sizing, padding, or width.
+//
+// 1. Address box sizing set to `content-box` in IE 8/9/10.
+// 2. Remove excess padding in IE 8/9/10.
+//
+
+input[type="checkbox"],
+input[type="radio"] {
+  box-sizing: border-box; // 1
+  padding: 0; // 2
+}
+
+//
+// Fix the cursor style for Chrome's increment/decrement buttons. For certain
+// `font-size` values of the `input`, it causes the cursor style of the
+// decrement button to change from `default` to `text`.
+//
+
+input[type="number"]::-webkit-inner-spin-button,
+input[type="number"]::-webkit-outer-spin-button {
+  height: auto;
+}
+
+//
+// 1. Address `appearance` set to `searchfield` in Safari and Chrome.
+// 2. Address `box-sizing` set to `border-box` in Safari and Chrome
+//    (include `-moz` to future-proof).
+//
+
+input[type="search"] {
+  -webkit-appearance: textfield; // 1
+  -moz-box-sizing: content-box;
+  -webkit-box-sizing: content-box; // 2
+  box-sizing: content-box;
+}
+
+//
+// Remove inner padding and search cancel button in Safari and Chrome on OS X.
+// Safari (but not Chrome) clips the cancel button when the search input has
+// padding (and `textfield` appearance).
+//
+
+input[type="search"]::-webkit-search-cancel-button,
+input[type="search"]::-webkit-search-decoration {
+  -webkit-appearance: none;
+}
+
+//
+// Define consistent border, margin, and padding.
+//
+
+fieldset {
+  border: 1px solid #c0c0c0;
+  margin: 0 2px;
+  padding: 0.35em 0.625em 0.75em;
+}
+
+//
+// 1. Correct `color` not being inherited in IE 8/9/10/11.
+// 2. Remove padding so people aren't caught out if they zero out fieldsets.
+//
+
+legend {
+  border: 0; // 1
+  padding: 0; // 2
+}
+
+//
+// Remove default vertical scrollbar in IE 8/9/10/11.
+//
+
+textarea {
+  overflow: auto;
+}
+
+//
+// Don't inherit the `font-weight` (applied by a rule above).
+// NOTE: the default cannot safely be changed in Chrome and Safari on OS X.
+//
+
+optgroup {
+  font-weight: bold;
+}
+
+// Tables
+// ==========================================================================
+
+//
+// Remove most spacing between table cells.
+//
+
+table {
+  border-collapse: collapse;
+  border-spacing: 0;
+}
+
+td,
+th {
+  padding: 0;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_pager.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_pager.scss
new file mode 100644
index 0000000000..6531fe6f89
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_pager.scss
@@ -0,0 +1,55 @@
+//
+// Pager pagination
+// --------------------------------------------------
+
+
+.pager {
+  padding-left: 0;
+  margin: $line-height-computed 0;
+  list-style: none;
+  text-align: center;
+  @include clearfix();
+  li {
+    display: inline;
+    > a,
+    > span {
+      display: inline-block;
+      padding: 5px 14px;
+      background-color: $pager-bg;
+      border: 1px solid $pager-border;
+      border-radius: $pager-border-radius;
+    }
+
+    > a:hover,
+    > a:focus {
+      text-decoration: none;
+      background-color: $pager-hover-bg;
+    }
+  }
+
+  .next {
+    > a,
+    > span {
+      float: right;
+    }
+  }
+
+  .previous {
+    > a,
+    > span {
+      float: left;
+    }
+  }
+
+  .disabled {
+    > a,
+    > a:hover,
+    > a:focus,
+    > span {
+      color: $pager-disabled-color;
+      background-color: $pager-bg;
+      cursor: not-allowed;
+    }
+  }
+
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_pagination.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_pagination.scss
new file mode 100644
index 0000000000..44c12226b0
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_pagination.scss
@@ -0,0 +1,88 @@
+//
+// Pagination (multiple pages)
+// --------------------------------------------------
+.pagination {
+  display: inline-block;
+  padding-left: 0;
+  margin: $line-height-computed 0;
+  border-radius: $border-radius-base;
+
+  > li {
+    display: inline; // Remove list-style and block-level defaults
+    > a,
+    > span {
+      position: relative;
+      float: left; // Collapse white-space
+      padding: $padding-base-vertical $padding-base-horizontal;
+      line-height: $line-height-base;
+      text-decoration: none;
+      color: $pagination-color;
+      background-color: $pagination-bg;
+      border: 1px solid $pagination-border;
+      margin-left: -1px;
+    }
+    &:first-child {
+      > a,
+      > span {
+        margin-left: 0;
+        @include border-left-radius($border-radius-base);
+      }
+    }
+    &:last-child {
+      > a,
+      > span {
+        @include border-right-radius($border-radius-base);
+      }
+    }
+  }
+
+  > li > a,
+  > li > span {
+    &:hover,
+    &:focus {
+      color: $pagination-hover-color;
+      background-color: $pagination-hover-bg;
+      border-color: $pagination-hover-border;
+    }
+  }
+
+  > .active > a,
+  > .active > span {
+    &,
+    &:hover,
+    &:focus {
+      z-index: 2;
+      color: $pagination-active-color;
+      background-color: $pagination-active-bg;
+      border-color: $pagination-active-border;
+      cursor: default;
+    }
+  }
+
+  > .disabled {
+    > span,
+    > span:hover,
+    > span:focus,
+    > a,
+    > a:hover,
+    > a:focus {
+      color: $pagination-disabled-color;
+      background-color: $pagination-disabled-bg;
+      border-color: $pagination-disabled-border;
+      cursor: not-allowed;
+    }
+  }
+}
+
+// Sizing
+// --------------------------------------------------
+
+// Large
+.pagination-lg {
+  @include pagination-size($padding-large-vertical, $padding-large-horizontal, $font-size-large, $border-radius-large);
+}
+
+// Small
+.pagination-sm {
+  @include pagination-size($padding-small-vertical, $padding-small-horizontal, $font-size-small, $border-radius-small);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_panels.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_panels.scss
new file mode 100644
index 0000000000..57cdcbc1f1
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_panels.scss
@@ -0,0 +1,243 @@
+//
+// Panels
+// --------------------------------------------------
+
+
+// Base class
+.panel {
+  margin-bottom: $line-height-computed;
+  background-color: $panel-bg;
+  border: 1px solid transparent;
+  border-radius: $panel-border-radius;
+  @include box-shadow(0 1px 1px rgba(0,0,0,.05));
+}
+
+// Panel contents
+.panel-body {
+  padding: $panel-body-padding;
+  @include clearfix();
+}
+
+// Optional heading
+.panel-heading {
+  padding: $panel-heading-padding;
+  border-bottom: 1px solid transparent;
+  @include border-top-radius(($panel-border-radius - 1));
+
+  > .dropdown .dropdown-toggle {
+    color: inherit;
+  }
+}
+
+// Within heading, strip any `h*` tag of its default margins for spacing.
+.panel-title {
+  margin-top: 0;
+  margin-bottom: 0;
+  font-size: ceil(($font-size-base * 1.125));
+  color: inherit;
+
+  > a {
+    color: inherit;
+  }
+}
+
+// Optional footer (stays gray in every modifier class)
+.panel-footer {
+  padding: $panel-footer-padding;
+  background-color: $panel-footer-bg;
+  border-top: 1px solid $panel-inner-border;
+  @include border-bottom-radius(($panel-border-radius - 1));
+}
+
+
+// List groups in panels
+//
+// By default, space out list group content from panel headings to account for
+// any kind of custom content between the two.
+
+.panel {
+  > .list-group {
+    margin-bottom: 0;
+
+    .list-group-item {
+      border-width: 1px 0;
+      border-radius: 0;
+    }
+
+    // Add border top radius for first one
+    &:first-child {
+      .list-group-item:first-child {
+        border-top: 0;
+        @include border-top-radius(($panel-border-radius - 1));
+      }
+    }
+    // Add border bottom radius for last one
+    &:last-child {
+      .list-group-item:last-child {
+        border-bottom: 0;
+        @include border-bottom-radius(($panel-border-radius - 1));
+      }
+    }
+  }
+}
+// Collapse space between when there's no additional content.
+.panel-heading + .list-group {
+  .list-group-item:first-child {
+    border-top-width: 0;
+  }
+}
+.list-group + .panel-footer {
+  border-top-width: 0;
+}
+
+// Tables in panels
+//
+// Place a non-bordered `.table` within a panel (not within a `.panel-body`) and
+// watch it go full width.
+
+.panel {
+  > .table,
+  > .table-responsive > .table,
+  > .panel-collapse > .table {
+    margin-bottom: 0;
+  }
+  // Add border top radius for first one
+  > .table:first-child,
+  > .table-responsive:first-child > .table:first-child {
+    @include border-top-radius(($panel-border-radius - 1));
+
+    > thead:first-child,
+    > tbody:first-child {
+      > tr:first-child {
+        td:first-child,
+        th:first-child {
+          border-top-left-radius: ($panel-border-radius - 1);
+        }
+        td:last-child,
+        th:last-child {
+          border-top-right-radius: ($panel-border-radius - 1);
+        }
+      }
+    }
+  }
+  // Add border bottom radius for last one
+  > .table:last-child,
+  > .table-responsive:last-child > .table:last-child {
+    @include border-bottom-radius(($panel-border-radius - 1));
+
+    > tbody:last-child,
+    > tfoot:last-child {
+      > tr:last-child {
+        td:first-child,
+        th:first-child {
+          border-bottom-left-radius: ($panel-border-radius - 1);
+        }
+        td:last-child,
+        th:last-child {
+          border-bottom-right-radius: ($panel-border-radius - 1);
+        }
+      }
+    }
+  }
+  > .panel-body + .table,
+  > .panel-body + .table-responsive {
+    border-top: 1px solid $table-border-color;
+  }
+  > .table > tbody:first-child > tr:first-child th,
+  > .table > tbody:first-child > tr:first-child td {
+    border-top: 0;
+  }
+  > .table-bordered,
+  > .table-responsive > .table-bordered {
+    border: 0;
+    > thead,
+    > tbody,
+    > tfoot {
+      > tr {
+        > th:first-child,
+        > td:first-child {
+          border-left: 0;
+        }
+        > th:last-child,
+        > td:last-child {
+          border-right: 0;
+        }
+      }
+    }
+    > thead,
+    > tbody {
+      > tr:first-child {
+        > td,
+        > th {
+          border-bottom: 0;
+        }
+      }
+    }
+    > tbody,
+    > tfoot {
+      > tr:last-child {
+        > td,
+        > th {
+          border-bottom: 0;
+        }
+      }
+    }
+  }
+  > .table-responsive {
+    border: 0;
+    margin-bottom: 0;
+  }
+}
+
+
+// Collapsable panels (aka, accordion)
+//
+// Wrap a series of panels in `.panel-group` to turn them into an accordion with
+// the help of our collapse JavaScript plugin.
+
+.panel-group {
+  margin-bottom: $line-height-computed;
+
+  // Tighten up margin so it's only between panels
+  .panel {
+    margin-bottom: 0;
+    border-radius: $panel-border-radius;
+    + .panel {
+      margin-top: 5px;
+    }
+  }
+
+  .panel-heading {
+    border-bottom: 0;
+    + .panel-collapse > .panel-body {
+      border-top: 1px solid $panel-inner-border;
+    }
+  }
+  .panel-footer {
+    border-top: 0;
+    + .panel-collapse .panel-body {
+      border-bottom: 1px solid $panel-inner-border;
+    }
+  }
+}
+
+
+// Contextual variations
+.panel-default {
+  @include panel-variant($panel-default-border, $panel-default-text, $panel-default-heading-bg, $panel-default-border);
+}
+.panel-primary {
+  @include panel-variant($panel-primary-border, $panel-primary-text, $panel-primary-heading-bg, $panel-primary-border);
+}
+.panel-success {
+  @include panel-variant($panel-success-border, $panel-success-text, $panel-success-heading-bg, $panel-success-border);
+}
+.panel-info {
+  @include panel-variant($panel-info-border, $panel-info-text, $panel-info-heading-bg, $panel-info-border);
+}
+.panel-warning {
+  @include panel-variant($panel-warning-border, $panel-warning-text, $panel-warning-heading-bg, $panel-warning-border);
+}
+.panel-danger {
+  @include panel-variant($panel-danger-border, $panel-danger-text, $panel-danger-heading-bg, $panel-danger-border);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_popovers.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_popovers.scss
new file mode 100644
index 0000000000..1cf27aed55
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_popovers.scss
@@ -0,0 +1,133 @@
+//
+// Popovers
+// --------------------------------------------------
+
+
+.popover {
+  position: absolute;
+  top: 0;
+  left: 0;
+  z-index: $zindex-popover;
+  display: none;
+  max-width: $popover-max-width;
+  padding: 1px;
+  text-align: left; // Reset given new insertion method
+  background-color: $popover-bg;
+  background-clip: padding-box;
+  border: 1px solid $popover-fallback-border-color;
+  border: 1px solid $popover-border-color;
+  border-radius: $border-radius-large;
+  @include box-shadow(0 5px 10px rgba(0,0,0,.2));
+
+  // Overrides for proper insertion
+  white-space: normal;
+
+  // Offset the popover to account for the popover arrow
+  &.top     { margin-top: -$popover-arrow-width; }
+  &.right   { margin-left: $popover-arrow-width; }
+  &.bottom  { margin-top: $popover-arrow-width; }
+  &.left    { margin-left: -$popover-arrow-width; }
+}
+
+.popover-title {
+  margin: 0; // reset heading margin
+  padding: 8px 14px;
+  font-size: $font-size-base;
+  font-weight: normal;
+  line-height: 18px;
+  background-color: $popover-title-bg;
+  border-bottom: 1px solid darken($popover-title-bg, 5%);
+  border-radius: ($border-radius-large - 1) ($border-radius-large - 1) 0 0;
+}
+
+.popover-content {
+  padding: 9px 14px;
+}
+
+// Arrows
+//
+// .arrow is outer, .arrow:after is inner
+
+.popover > .arrow {
+  &,
+  &:after {
+    position: absolute;
+    display: block;
+    width: 0;
+    height: 0;
+    border-color: transparent;
+    border-style: solid;
+  }
+}
+.popover > .arrow {
+  border-width: $popover-arrow-outer-width;
+}
+.popover > .arrow:after {
+  border-width: $popover-arrow-width;
+  content: "";
+}
+
+.popover {
+  &.top > .arrow {
+    left: 50%;
+    margin-left: -$popover-arrow-outer-width;
+    border-bottom-width: 0;
+    border-top-color: $popover-arrow-outer-fallback-color; // IE8 fallback
+    border-top-color: $popover-arrow-outer-color;
+    bottom: -$popover-arrow-outer-width;
+    &:after {
+      content: " ";
+      bottom: 1px;
+      margin-left: -$popover-arrow-width;
+      border-bottom-width: 0;
+      border-top-color: $popover-arrow-color;
+    }
+  }
+  &.right > .arrow {
+    top: 50%;
+    left: -$popover-arrow-outer-width;
+    margin-top: -$popover-arrow-outer-width;
+    border-left-width: 0;
+    border-right-color: $popover-arrow-outer-fallback-color; // IE8 fallback
+    border-right-color: $popover-arrow-outer-color;
+    &:after {
+      content: " ";
+      left: 1px;
+      bottom: -$popover-arrow-width;
+      border-left-width: 0;
+      border-right-color: $popover-arrow-color;
+    }
+  }
+  &.bottom > .arrow {
+    left: 50%;
+    margin-left: -$popover-arrow-outer-width;
+    border-top-width: 0;
+    border-bottom-color: $popover-arrow-outer-fallback-color; // IE8 fallback
+    border-bottom-color: $popover-arrow-outer-color;
+    top: -$popover-arrow-outer-width;
+    &:after {
+      content: " ";
+      top: 1px;
+      margin-left: -$popover-arrow-width;
+      border-top-width: 0;
+      border-bottom-color: $popover-arrow-color;
+    }
+  }
+
+  &.left > .arrow {
+    top: 50%;
+    right: -$popover-arrow-outer-width;
+    margin-top: -$popover-arrow-outer-width;
+    border-right-width: 0;
+    border-left-color: $popover-arrow-outer-fallback-color; // IE8 fallback
+    border-left-color: $popover-arrow-outer-color;
+    &:after {
+      content: " ";
+      right: 1px;
+      border-right-width: 0;
+      border-left-color: $popover-arrow-color;
+      bottom: -$popover-arrow-width;
+    }
+  }
+
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_print.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_print.scss
new file mode 100644
index 0000000000..3655d03953
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_print.scss
@@ -0,0 +1,101 @@
+//
+// Basic print styles
+// --------------------------------------------------
+// Source: https://github.com/h5bp/html5-boilerplate/blob/master/css/main.css
+
+@media print {
+
+  * {
+    text-shadow: none !important;
+    color: #000 !important; // Black prints faster: h5bp.com/s
+    background: transparent !important;
+    box-shadow: none !important;
+  }
+
+  a,
+  a:visited {
+    text-decoration: underline;
+  }
+
+  a[href]:after {
+    content: " (" attr(href) ")";
+  }
+
+  abbr[title]:after {
+    content: " (" attr(title) ")";
+  }
+
+  // Don't show links for images, or javascript/internal links
+  a[href^="javascript:"]:after,
+  a[href^="#"]:after {
+    content: "";
+  }
+
+  pre,
+  blockquote {
+    border: 1px solid #999;
+    page-break-inside: avoid;
+  }
+
+  thead {
+    display: table-header-group; // h5bp.com/t
+  }
+
+  tr,
+  img {
+    page-break-inside: avoid;
+  }
+
+  img {
+    max-width: 100% !important;
+  }
+
+  p,
+  h2,
+  h3 {
+    orphans: 3;
+    widows: 3;
+  }
+
+  h2,
+  h3 {
+    page-break-after: avoid;
+  }
+
+  // Chrome (OSX) fix for https://github.com/twbs/bootstrap/issues/11245
+  // Once fixed, we can just straight up remove this.
+  select {
+    background: #fff !important;
+  }
+
+  // Bootstrap components
+  .navbar {
+    display: none;
+  }
+  .table {
+    td,
+    th {
+      background-color: #fff !important;
+    }
+  }
+  .btn,
+  .dropup > .btn {
+    > .caret {
+      border-top-color: #000 !important;
+    }
+  }
+  .label {
+    border: 1px solid #000;
+  }
+
+  .table {
+    border-collapse: collapse !important;
+  }
+  .table-bordered {
+    th,
+    td {
+      border: 1px solid #ddd !important;
+    }
+  }
+
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_progress-bars.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_progress-bars.scss
new file mode 100644
index 0000000000..a656795773
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_progress-bars.scss
@@ -0,0 +1,107 @@
+//
+// Progress bars
+// --------------------------------------------------
+
+
+// Bar animations
+// -------------------------
+
+// WebKit
+@-webkit-keyframes progress-bar-stripes {
+  from  { background-position: 40px 0; }
+  to    { background-position: 0 0; }
+}
+
+// Spec and IE10+
+@keyframes progress-bar-stripes {
+  from  { background-position: 40px 0; }
+  to    { background-position: 0 0; }
+}
+
+
+
+// Bar itself
+// -------------------------
+
+// Outer container
+.progress {
+  overflow: hidden;
+  height: $line-height-computed;
+  background-color: $progress-bg;
+  border-radius: $border-radius-base;
+  position: relative;
+  @include box-shadow(inset 0 1px 2px rgba(0,0,0,.1));
+}
+
+// Bar of progress
+.progress-bar {
+  float: left;
+  width: 0%;
+  height: 100%;
+  font-size: $font-size-small;
+  line-height: $line-height-computed;
+  color: $progress-bar-color;
+  text-align: center;
+  background-color: $progress-bar-bg;
+  position: relative;
+  z-index: 2;
+  @include box-shadow(inset 0 -1px 0 rgba(0,0,0,.15));
+  @include transition(width .6s ease);
+}
+
+// Striped bars
+//
+// `.progress-striped .progress-bar` is deprecated as of v3.2.0 in favor of the
+// `.progress-bar-striped` class, which you just add to an existing
+// `.progress-bar`.
+.progress-striped .progress-bar,
+.progress-bar-striped {
+  @include gradient-striped();
+  background-size: 40px 40px;
+}
+
+// Call animation for the active one
+//
+// `.progress.active .progress-bar` is deprecated as of v3.2.0 in favor of the
+// `.progress-bar.active` approach.
+.progress.active .progress-bar,
+.progress-bar.active {
+  @include animation(progress-bar-stripes 2s linear infinite);
+}
+
+// Account for lower percentages
+.progress-bar {
+  &[aria-valuenow="1"],
+  &[aria-valuenow="2"] {
+    min-width: 30px;
+  }
+
+  &[aria-valuenow="0"] {
+    color: $gray-light;
+    min-width: 30px;
+    background-color: transparent;
+    background-image: none;
+    box-shadow: none;
+  }
+}
+
+
+
+// Variations
+// -------------------------
+
+.progress-bar-success {
+  @include progress-bar-variant($progress-bar-success-bg);
+}
+
+.progress-bar-info {
+  @include progress-bar-variant($progress-bar-info-bg);
+}
+
+.progress-bar-warning {
+  @include progress-bar-variant($progress-bar-warning-bg);
+}
+
+.progress-bar-danger {
+  @include progress-bar-variant($progress-bar-danger-bg);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_responsive-embed.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_responsive-embed.scss
new file mode 100644
index 0000000000..a884d49fed
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_responsive-embed.scss
@@ -0,0 +1,34 @@
+// Embeds responsive
+//
+// Credit: Nicolas Gallagher and SUIT CSS.
+
+.embed-responsive {
+  position: relative;
+  display: block;
+  height: 0;
+  padding: 0;
+  overflow: hidden;
+
+  .embed-responsive-item,
+  iframe,
+  embed,
+  object {
+    position: absolute;
+    top: 0;
+    left: 0;
+    bottom: 0;
+    height: 100%;
+    width: 100%;
+    border: 0;
+  }
+
+  // Modifier class for 16:9 aspect ratio
+  &.embed-responsive-16by9 {
+    padding-bottom: 56.25%;
+  }
+
+  // Modifier class for 4:3 aspect ratio
+  &.embed-responsive-4by3 {
+    padding-bottom: 75%;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_responsive-utilities.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_responsive-utilities.scss
new file mode 100644
index 0000000000..7cd861bf11
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_responsive-utilities.scss
@@ -0,0 +1,180 @@
+//
+// Responsive: Utility classes
+// --------------------------------------------------
+
+
+// IE10 in Windows (Phone) 8
+//
+// Support for responsive views via media queries is kind of borked in IE10, for
+// Surface/desktop in split view and for Windows Phone 8. This particular fix
+// must be accompanied by a snippet of JavaScript to sniff the user agent and
+// apply some conditional CSS to *only* the Surface/desktop Windows 8. Look at
+// our Getting Started page for more information on this bug.
+//
+// For more information, see the following:
+//
+// Issue: https://github.com/twbs/bootstrap/issues/10497
+// Docs: http://getbootstrap.com/getting-started/#support-ie10-width
+// Source: http://timkadlec.com/2013/01/windows-phone-8-and-device-width/
+// Source: http://timkadlec.com/2012/10/ie10-snap-mode-and-responsive-design/
+
+@-ms-viewport {
+  width: device-width;
+}
+
+
+// Visibility utilities
+// Note: Deprecated .visible-xs, .visible-sm, .visible-md, and .visible-lg as of v3.2.0
+
+@include responsive-invisibility('.visible-xs, .visible-sm, .visible-md, .visible-lg');
+
+.visible-xs-block,
+.visible-xs-inline,
+.visible-xs-inline-block,
+.visible-sm-block,
+.visible-sm-inline,
+.visible-sm-inline-block,
+.visible-md-block,
+.visible-md-inline,
+.visible-md-inline-block,
+.visible-lg-block,
+.visible-lg-inline,
+.visible-lg-inline-block {
+  display: none !important;
+}
+
+@media (max-width: $screen-xs-max) {
+  @include responsive-visibility('.visible-xs');
+}
+.visible-xs-block {
+  @media (max-width: $screen-xs-max) {
+    display: block !important;
+  }
+}
+.visible-xs-inline {
+  @media (max-width: $screen-xs-max) {
+    display: inline !important;
+  }
+}
+.visible-xs-inline-block {
+  @media (max-width: $screen-xs-max) {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+  @include responsive-visibility('.visible-sm');
+}
+.visible-sm-block {
+  @media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+    display: block !important;
+  }
+}
+.visible-sm-inline {
+  @media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+    display: inline !important;
+  }
+}
+.visible-sm-inline-block {
+  @media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+  @include responsive-visibility('.visible-md');
+}
+.visible-md-block {
+  @media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+    display: block !important;
+  }
+}
+.visible-md-inline {
+  @media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+    display: inline !important;
+  }
+}
+.visible-md-inline-block {
+  @media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: $screen-lg-min) {
+  @include responsive-visibility('.visible-lg');
+}
+.visible-lg-block {
+  @media (min-width: $screen-lg-min) {
+    display: block !important;
+  }
+}
+.visible-lg-inline {
+  @media (min-width: $screen-lg-min) {
+    display: inline !important;
+  }
+}
+.visible-lg-inline-block {
+  @media (min-width: $screen-lg-min) {
+    display: inline-block !important;
+  }
+}
+
+@media (max-width: $screen-xs-max) {
+  @include responsive-invisibility('.hidden-xs');
+}
+
+@media (min-width: $screen-sm-min) and (max-width: $screen-sm-max) {
+  @include responsive-invisibility('.hidden-sm');
+}
+
+@media (max-width: 768px), (max-height: 669px) {
+  .toggle-sidebar {
+    display: none !important;
+  }
+}
+
+@media (min-width: $screen-md-min) and (max-width: $screen-md-max) {
+  @include responsive-invisibility('.hidden-md');
+}
+
+@media (min-width: $screen-lg-min) {
+  @include responsive-invisibility('.hidden-lg');
+}
+
+
+// Print utilities
+//
+// Media queries are placed on the inside to be mixin-friendly.
+
+// Note: Deprecated .visible-print as of v3.2.0
+
+@include responsive-invisibility('.visible-print');
+
+@media print {
+  @include responsive-visibility('.visible-print');
+}
+.visible-print-block {
+  display: none !important;
+
+  @media print {
+    display: block !important;
+  }
+}
+.visible-print-inline {
+  display: none !important;
+
+  @media print {
+    display: inline !important;
+  }
+}
+.visible-print-inline-block {
+  display: none !important;
+
+  @media print {
+    display: inline-block !important;
+  }
+}
+
+@media print {
+  @include responsive-invisibility('.hidden-print');
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_scaffolding.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_scaffolding.scss
new file mode 100644
index 0000000000..8cea4cdc3f
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_scaffolding.scss
@@ -0,0 +1,150 @@
+//
+// Scaffolding
+// --------------------------------------------------
+
+
+// Reset the box-sizing
+//
+// Heads up! This reset may cause conflicts with some third-party widgets.
+// For recommendations on resolving such conflicts, see
+// http://getbootstrap.com/getting-started/#third-box-sizing
+* {
+  @include box-sizing(border-box);
+}
+*:before,
+*:after {
+  @include box-sizing(border-box);
+}
+
+
+// Body reset
+
+html {
+  font-size: 10px;
+  -webkit-tap-highlight-color: rgba(0,0,0,0);
+}
+
+body {
+  font-family: $font-family-base;
+  font-size: $font-size-base;
+  line-height: $line-height-base;
+  color: $text-color;
+  background-color: $body-bg;
+}
+
+// Reset fonts for relevant elements
+input,
+button,
+select,
+textarea {
+  font-family: inherit;
+  font-size: inherit;
+  line-height: inherit;
+}
+
+
+// Links
+
+a {
+  color: $link-color;
+  text-decoration: none;
+
+  &:hover,
+  &:focus {
+    color: $link-hover-color;
+    text-decoration: underline;
+  }
+
+  &:focus {
+    @include tab-focus();
+  }
+}
+
+
+// Figures
+//
+// We reset this here because previously Normalize had no `figure` margins. This
+// ensures we don't break anyone's use of the element.
+
+figure {
+  margin: 0;
+}
+
+
+// Images
+
+img {
+  vertical-align: middle;
+}
+
+// Responsive images (ensure images don't scale beyond their parents)
+.img-responsive {
+  @include img-responsive();
+}
+
+// Rounded corners
+.img-rounded {
+  border-radius: $border-radius-large;
+}
+
+// Image thumbnails
+//
+// Heads up! This is mixin-ed into thumbnails.less for `.thumbnail`.
+.img-thumbnail {
+  padding: $thumbnail-padding;
+  line-height: $line-height-base;
+  background-color: $thumbnail-bg;
+  border: 1px solid $thumbnail-border;
+  border-radius: $thumbnail-border-radius;
+  @include transition(all .2s ease-in-out);
+
+  // Keep them at most 100% wide
+  @include img-responsive(inline-block);
+}
+
+// Perfect circle
+.img-circle {
+  border-radius: 50%; // set radius in percents
+}
+
+
+// Horizontal rules
+
+hr {
+  margin-top:    $line-height-computed;
+  margin-bottom: $line-height-computed;
+  border: 0;
+  border-top: 1px solid $hr-border;
+}
+
+
+// Only display content to screen readers
+//
+// See: http://a11yproject.com/posts/how-to-hide-content/
+
+.sr-only {
+  position: absolute;
+  width: 1px;
+  height: 1px;
+  margin: -1px;
+  padding: 0;
+  overflow: hidden;
+  clip: rect(0,0,0,0);
+  border: 0;
+}
+
+// Use in conjunction with .sr-only to only display content when it's focused.
+// Useful for "Skip to main content" links; see http://www.w3.org/TR/2013/NOTE-WCAG20-TECHS-20130905/G1
+// Credit: HTML5 Boilerplate
+
+.sr-only-focusable {
+  &:active,
+  &:focus {
+    position: static;
+    width: auto;
+    height: auto;
+    margin: 0;
+    overflow: visible;
+    clip: auto;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_tables.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_tables.scss
new file mode 100644
index 0000000000..629cab749b
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_tables.scss
@@ -0,0 +1,236 @@
+//
+// Tables
+// --------------------------------------------------
+
+
+table {
+  background-color: $table-bg;
+  color: #444;
+}
+th {
+  text-align: left;
+}
+
+
+// Baseline styles
+
+.table {
+  width: 100%;
+  max-width: 100%;
+  margin-bottom: $line-height-computed;
+  // Cells
+  > thead,
+  > tbody,
+  > tfoot {
+    > tr {
+      > th,
+      > td {
+        padding: $table-cell-padding;
+        line-height: $line-height-base;
+        vertical-align: top;
+        border-top: 1px solid $table-border-color;
+      }
+    }
+  }
+  // Bottom align for column headings
+  > thead > tr > th {
+    vertical-align: bottom;
+    border-bottom: 1px solid $table-border-color;
+  }
+  // Remove top border from thead by default
+  > caption + thead,
+  > colgroup + thead,
+  > thead:first-child {
+    > tr:first-child {
+      > th,
+      > td {
+        border-top: 0;
+        font-family: 'SourceSansProSemibold';
+        font-weight: normal;
+      }
+    }
+  }
+  // Account for multiple tbody instances
+  > tbody + tbody {
+    border-top: 2px solid $table-border-color;
+  }
+
+  // Nesting
+  .table {
+    background-color: $body-bg;
+  }
+}
+
+
+// Condensed table w/ half padding
+
+.table-condensed {
+  > thead,
+  > tbody,
+  > tfoot {
+    > tr {
+      > th,
+      > td {
+        padding: $table-condensed-cell-padding;
+      }
+    }
+  }
+}
+
+
+// Bordered version
+//
+// Add borders all around the table and between all the columns.
+
+.table-bordered {
+  border: 1px solid $table-border-color;
+  > thead,
+  > tbody,
+  > tfoot {
+    > tr {
+      > th,
+      > td {
+        border: 1px solid $table-border-color;
+      }
+    }
+  }
+  > thead > tr {
+    > th,
+    > td {
+      border-bottom-width: 2px;
+    }
+  }
+}
+
+
+// Zebra-striping
+//
+// Default zebra-stripe styles (alternating gray and transparent backgrounds)
+
+.table-striped {
+  > tbody > tr:nth-child(odd) {
+    > td,
+    > th {
+      background-color: $table-bg-accent;
+    }
+  }
+}
+
+
+// Hover effect
+//
+// Placed here since it has to come after the potential zebra striping
+
+.table-hover {
+  > tbody > tr:hover {
+    > td,
+    > th {
+      background-color: $table-bg-hover;
+    }
+  }
+}
+
+
+// Table cell sizing
+//
+// Reset default table behavior
+
+table col[class*="col-"] {
+  position: static; // Prevent border hiding in Firefox and IE9/10 (see https://github.com/twbs/bootstrap/issues/11623)
+  float: none;
+  display: table-column;
+}
+table {
+  td,
+  th {
+    &[class*="col-"] {
+      position: static; // Prevent border hiding in Firefox and IE9/10 (see https://github.com/twbs/bootstrap/issues/11623)
+      float: none;
+      display: table-cell;
+    }
+  }
+}
+
+
+// Table backgrounds
+//
+// Exact selectors below required to override `.table-striped` and prevent
+// inheritance to nested tables.
+
+// Generate the contextual variants
+@include table-row-variant('active', $table-bg-active);
+@include table-row-variant('success', $state-success-bg);
+@include table-row-variant('info', $state-info-bg);
+@include table-row-variant('warning', $state-warning-bg);
+@include table-row-variant('danger', $state-danger-bg);
+
+
+// Responsive tables
+//
+// Wrap your tables in `.table-responsive` and we'll make them mobile friendly
+// by enabling horizontal scrolling. Only applies <768px. Everything above that
+// will display normally.
+
+.table-responsive {
+  @media screen and (max-width: $screen-xs-max) {
+    width: 100%;
+    margin-bottom: ($line-height-computed * 0.75);
+    overflow-y: hidden;
+    overflow-x: auto;
+    -ms-overflow-style: -ms-autohiding-scrollbar;
+/*     border: 1px solid $table-border-color; */
+    -webkit-overflow-scrolling: touch;
+
+    // Tighten up spacing
+    > .table {
+      margin-bottom: 0;
+
+      // Ensure the content doesn't wrap
+      > thead,
+      > tbody,
+      > tfoot {
+        > tr {
+          > th,
+          > td {
+            white-space: nowrap;
+          }
+        }
+      }
+    }
+
+    // Special overrides for the bordered tables
+    > .table-bordered {
+      border: 0;
+
+      // Nuke the appropriate borders so that the parent can handle them
+      > thead,
+      > tbody,
+      > tfoot {
+        > tr {
+          > th:first-child,
+          > td:first-child {
+            border-left: 0;
+          }
+          > th:last-child,
+          > td:last-child {
+            border-right: 0;
+          }
+        }
+      }
+
+      // Only nuke the last row's bottom-border in `tbody` and `tfoot` since
+      // chances are there will be only one `tr` in a `thead` and that would
+      // remove the border altogether.
+      > tbody,
+      > tfoot {
+        > tr:last-child {
+          > th,
+          > td {
+            border-bottom: 0;
+          }
+        }
+      }
+
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_theme.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_theme.scss
new file mode 100644
index 0000000000..00386a2881
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_theme.scss
@@ -0,0 +1,258 @@
+
+//
+// Load core variables and mixins
+// --------------------------------------------------
+
+@import "variables";
+@import "mixins";
+
+
+
+//
+// Buttons
+// --------------------------------------------------
+
+// Common styles
+.btn-default,
+.btn-primary,
+.btn-success,
+.btn-info,
+.btn-warning,
+.btn-danger {
+  text-shadow: 0 -1px 0 rgba(0,0,0,.2);
+  $shadow: inset 0 1px 0 rgba(255,255,255,.15), 0 1px 1px rgba(0,0,0,.075);
+  @include box-shadow($shadow);
+
+  // Reset the shadow
+  &:active,
+  &.active {
+    @include box-shadow(inset 0 3px 5px rgba(0,0,0,.125));
+  }
+}
+
+// Mixin for generating new styles
+@mixin btn-styles($btn-color: #555) {
+  @include gradient-vertical($start-color: $btn-color, $end-color: darken($btn-color, 12%));
+  @include reset-filter(); // Disable gradients for IE9 because filter bleeds through rounded corners
+  background-repeat: repeat-x;
+  border-color: darken($btn-color, 14%);
+
+  &:hover,
+  &:focus  {
+    background-color: darken($btn-color, 12%);
+    background-position: 0 -15px;
+  }
+
+  &:active,
+  &.active {
+    background-color: darken($btn-color, 12%);
+    border-color: darken($btn-color, 14%);
+  }
+
+  &:disabled,
+  &[disabled] {
+    background-color: darken($btn-color, 12%);
+    background-image: none;
+  }
+}
+
+// Common styles
+.btn {
+  // Remove the gradient for the pressed/active state
+  &:active,
+  &.active {
+    background-image: none;
+  }
+}
+
+// Apply the mixin to the buttons
+.btn-default { @include btn-styles($btn-default-bg); text-shadow: 0 1px 0 #fff; border-color: #ccc; }
+.btn-primary { @include btn-styles($btn-primary-bg); }
+.btn-success { @include btn-styles($btn-success-bg); }
+.btn-info    { @include btn-styles($btn-info-bg); }
+.btn-warning { @include btn-styles($btn-warning-bg); }
+.btn-danger  { @include btn-styles($btn-danger-bg); }
+
+
+
+//
+// Images
+// --------------------------------------------------
+
+.thumbnail,
+.img-thumbnail {
+  @include box-shadow(0 1px 2px rgba(0,0,0,.075));
+}
+
+
+
+//
+// Dropdowns
+// --------------------------------------------------
+
+.dropdown-menu > li > a:hover,
+.dropdown-menu > li > a:focus {
+  @include gradient-vertical($start-color: $dropdown-link-hover-bg, $end-color: darken($dropdown-link-hover-bg, 5%));
+  background-color: darken($dropdown-link-hover-bg, 5%);
+}
+.dropdown-menu > .active > a,
+.dropdown-menu > .active > a:hover,
+.dropdown-menu > .active > a:focus {
+  @include gradient-vertical($start-color: $dropdown-link-active-bg, $end-color: darken($dropdown-link-active-bg, 5%));
+  background-color: darken($dropdown-link-active-bg, 5%);
+}
+
+
+
+//
+// Navbar
+// --------------------------------------------------
+
+// Default navbar
+.navbar-default {
+  @include gradient-vertical($start-color: lighten($navbar-default-bg, 10%), $end-color: $navbar-default-bg);
+  @include reset-filter(); // Remove gradient in IE<10 to fix bug where dropdowns don't get triggered
+  border-radius: $navbar-border-radius;
+  $shadow: inset 0 1px 0 rgba(255,255,255,.15), 0 1px 5px rgba(0,0,0,.075);
+  @include box-shadow($shadow);
+
+  .navbar-nav > .active > a {
+    @include gradient-vertical($start-color: darken($navbar-default-bg, 5%), $end-color: darken($navbar-default-bg, 2%));
+    @include box-shadow(inset 0 3px 9px rgba(0,0,0,.075));
+  }
+}
+.navbar-brand,
+.navbar-nav > li > a {
+  text-shadow: 0 1px 0 rgba(255,255,255,.25);
+}
+
+// Inverted navbar
+.navbar-inverse {
+  @include gradient-vertical($start-color: lighten($navbar-inverse-bg, 10%), $end-color: $navbar-inverse-bg);
+  @include reset-filter(); // Remove gradient in IE<10 to fix bug where dropdowns don't get triggered
+
+  .navbar-nav > .active > a {
+    @include gradient-vertical($start-color: $navbar-inverse-bg, $end-color: lighten($navbar-inverse-bg, 2.5%));
+    @include box-shadow(inset 0 3px 9px rgba(0,0,0,.25));
+  }
+
+  .navbar-brand,
+  .navbar-nav > li > a {
+    text-shadow: 0 -1px 0 rgba(0,0,0,.25);
+  }
+}
+
+// Undo rounded corners in static and fixed navbars
+.navbar-static-top,
+.navbar-fixed-top,
+.navbar-fixed-bottom {
+  border-radius: 0;
+}
+
+
+
+//
+// Alerts
+// --------------------------------------------------
+
+// Common styles
+.alert {
+  text-shadow: 0 1px 0 rgba(255,255,255,.2);
+  $shadow: inset 0 1px 0 rgba(255,255,255,.25), 0 1px 2px rgba(0,0,0,.05);
+  @include box-shadow($shadow);
+}
+
+// Mixin for generating new styles
+@mixin alert-styles($color) {
+  @include gradient-vertical($start-color: $color, $end-color: darken($color, 7.5%));
+  border-color: darken($color, 15%);
+}
+
+// Apply the mixin to the alerts
+.alert-success    { @include alert-styles($alert-success-bg); }
+.alert-info       { @include alert-styles($alert-info-bg); }
+.alert-warning    { @include alert-styles($alert-warning-bg); }
+.alert-danger     { @include alert-styles($alert-danger-bg); }
+
+
+
+//
+// Progress bars
+// --------------------------------------------------
+
+// Give the progress background some depth
+.progress {
+  @include gradient-vertical($start-color: darken($progress-bg, 4%), $end-color: $progress-bg)
+}
+
+// Mixin for generating new styles
+@mixin progress-bar-styles($color) {
+  @include gradient-vertical($start-color: $color, $end-color: darken($color, 10%));
+}
+
+// Apply the mixin to the progress bars
+.progress-bar            { @include progress-bar-styles($progress-bar-bg); }
+.progress-bar-success    { @include progress-bar-styles($progress-bar-success-bg); }
+.progress-bar-info       { @include progress-bar-styles($progress-bar-info-bg); }
+.progress-bar-warning    { @include progress-bar-styles($progress-bar-warning-bg); }
+.progress-bar-danger     { @include progress-bar-styles($progress-bar-danger-bg); }
+
+// Reset the striped class because our mixins don't do multiple gradients and
+// the above custom styles override the new `.progress-bar-striped` in v3.2.0.
+.progress-bar-striped {
+  @include gradient-striped();
+}
+
+
+//
+// List groups
+// --------------------------------------------------
+
+.list-group {
+  border-radius: $border-radius-base;
+  @include box-shadow(0 1px 2px rgba(0,0,0,.075));
+}
+.list-group-item.active,
+.list-group-item.active:hover,
+.list-group-item.active:focus {
+  text-shadow: 0 -1px 0 darken($list-group-active-bg, 10%);
+  @include gradient-vertical($start-color: $list-group-active-bg, $end-color: darken($list-group-active-bg, 7.5%));
+  border-color: darken($list-group-active-border, 7.5%);
+}
+
+
+
+//
+// Panels
+// --------------------------------------------------
+
+// Common styles
+.panel {
+  @include box-shadow(0 1px 2px rgba(0,0,0,.05));
+}
+
+// Mixin for generating new styles
+@mixin panel-heading-styles($color) {
+  @include gradient-vertical($start-color: $color, $end-color: darken($color, 5%));
+}
+
+// Apply the mixin to the panel headings only
+.panel-default > .panel-heading   { @include panel-heading-styles($panel-default-heading-bg); }
+.panel-primary > .panel-heading   { @include panel-heading-styles($panel-primary-heading-bg); }
+.panel-success > .panel-heading   { @include panel-heading-styles($panel-success-heading-bg); }
+.panel-info > .panel-heading      { @include panel-heading-styles($panel-info-heading-bg); }
+.panel-warning > .panel-heading   { @include panel-heading-styles($panel-warning-heading-bg); }
+.panel-danger > .panel-heading    { @include panel-heading-styles($panel-danger-heading-bg); }
+
+
+
+//
+// Wells
+// --------------------------------------------------
+
+.well {
+  @include gradient-vertical($start-color: darken($well-bg, 5%), $end-color: $well-bg);
+  border-color: darken($well-bg, 10%);
+  $shadow: inset 0 1px 3px rgba(0,0,0,.05), 0 1px 0 rgba(255,255,255,.1);
+  @include box-shadow($shadow);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_thumbnails.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_thumbnails.scss
new file mode 100644
index 0000000000..3d5ed86d05
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_thumbnails.scss
@@ -0,0 +1,38 @@
+//
+// Thumbnails
+// --------------------------------------------------
+
+
+// Mixin and adjust the regular image class
+.thumbnail {
+  display: block;
+  padding: $thumbnail-padding;
+  margin-bottom: $line-height-computed;
+  line-height: $line-height-base;
+  background-color: $thumbnail-bg;
+  border: 1px solid $thumbnail-border;
+  border-radius: $thumbnail-border-radius;
+  @include transition(all .2s ease-in-out);
+
+  > img,
+  a > img {
+    @include img-responsive();
+    margin-left: auto;
+    margin-right: auto;
+  }
+
+  // [converter] extracted a&:hover, a&:focus, a&.active to a.thumbnail:hover, a.thumbnail:focus, a.thumbnail.active
+
+  // Image captions
+  .caption {
+    padding: $thumbnail-caption-padding;
+    color: $thumbnail-caption-color;
+  }
+}
+
+// Add a hover state for linked versions only
+a.thumbnail:hover,
+a.thumbnail:focus,
+a.thumbnail.active {
+  border-color: $link-color;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_tooltip.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_tooltip.scss
new file mode 100644
index 0000000000..dec674cb40
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_tooltip.scss
@@ -0,0 +1,95 @@
+//
+// Tooltips
+// --------------------------------------------------
+
+
+// Base class
+.tooltip {
+  position: absolute;
+  z-index: $zindex-tooltip;
+  display: block;
+  visibility: visible;
+  font-size: $font-size-small;
+  line-height: 1.4;
+  @include opacity(0);
+
+  &.in     { @include opacity($tooltip-opacity); }
+  &.top    { margin-top:  -3px; padding: $tooltip-arrow-width 0; }
+  &.right  { margin-left:  3px; padding: 0 $tooltip-arrow-width; }
+  &.bottom { margin-top:   3px; padding: $tooltip-arrow-width 0; }
+  &.left   { margin-left: -3px; padding: 0 $tooltip-arrow-width; }
+}
+
+// Wrapper for the tooltip content
+.tooltip-inner {
+  max-width: $tooltip-max-width;
+  padding: 3px 8px;
+  color: $tooltip-color;
+  text-align: center;
+  text-decoration: none;
+  background-color: $tooltip-bg;
+  border-radius: $border-radius-base;
+}
+
+// Arrows
+.tooltip-arrow {
+  position: absolute;
+  width: 0;
+  height: 0;
+  border-color: transparent;
+  border-style: solid;
+}
+.tooltip {
+  &.top .tooltip-arrow {
+    bottom: 0;
+    left: 50%;
+    margin-left: -$tooltip-arrow-width;
+    border-width: $tooltip-arrow-width $tooltip-arrow-width 0;
+    border-top-color: $tooltip-arrow-color;
+  }
+  &.top-left .tooltip-arrow {
+    bottom: 0;
+    left: $tooltip-arrow-width;
+    border-width: $tooltip-arrow-width $tooltip-arrow-width 0;
+    border-top-color: $tooltip-arrow-color;
+  }
+  &.top-right .tooltip-arrow {
+    bottom: 0;
+    right: $tooltip-arrow-width;
+    border-width: $tooltip-arrow-width $tooltip-arrow-width 0;
+    border-top-color: $tooltip-arrow-color;
+  }
+  &.right .tooltip-arrow {
+    top: 50%;
+    left: 0;
+    margin-top: -$tooltip-arrow-width;
+    border-width: $tooltip-arrow-width $tooltip-arrow-width $tooltip-arrow-width 0;
+    border-right-color: $tooltip-arrow-color;
+  }
+  &.left .tooltip-arrow {
+    top: 50%;
+    right: 0;
+    margin-top: -$tooltip-arrow-width;
+    border-width: $tooltip-arrow-width 0 $tooltip-arrow-width $tooltip-arrow-width;
+    border-left-color: $tooltip-arrow-color;
+  }
+  &.bottom .tooltip-arrow {
+    top: 0;
+    left: 50%;
+    margin-left: -$tooltip-arrow-width;
+    border-width: 0 $tooltip-arrow-width $tooltip-arrow-width;
+    border-bottom-color: $tooltip-arrow-color;
+  }
+  &.bottom-left .tooltip-arrow {
+    top: 0;
+    left: $tooltip-arrow-width;
+    border-width: 0 $tooltip-arrow-width $tooltip-arrow-width;
+    border-bottom-color: $tooltip-arrow-color;
+  }
+  &.bottom-right .tooltip-arrow {
+    top: 0;
+    right: $tooltip-arrow-width;
+    border-width: 0 $tooltip-arrow-width $tooltip-arrow-width;
+    border-bottom-color: $tooltip-arrow-color;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_type.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_type.scss
new file mode 100644
index 0000000000..154e4fd04d
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_type.scss
@@ -0,0 +1,304 @@
+//
+// Typography
+// --------------------------------------------------
+
+
+// Headings
+// -------------------------
+
+h1, h2, h3, h4, h5, h6,
+.h1, .h2, .h3, .h4, .h5, .h6 {
+  font-family: $headings-font-family;
+  font-weight: $headings-font-weight;
+  line-height: $headings-line-height;
+  color: $headings-color;
+
+  small,
+  .small {
+    font-weight: normal;
+    line-height: 1;
+    color: $headings-small-color;
+  }
+}
+
+h1, .h1,
+h2, .h2,
+h3, .h3 {
+  margin-top: $line-height-computed;
+  margin-bottom: calc($line-height-computed / 2);
+
+  small,
+  .small {
+    font-size: 65%;
+  }
+}
+h4, .h4,
+h5, .h5,
+h6, .h6 {
+  margin-top: calc($line-height-computed / 2);
+  margin-bottom: calc($line-height-computed / 2);
+
+  small,
+  .small {
+    font-size: 75%;
+  }
+}
+
+h1, .h1 { font-size: $font-size-h1; }
+h2, .h2 { font-size: $font-size-h2; }
+h3, .h3 { font-size: $font-size-h3; }
+h4, .h4 { font-size: $font-size-h4; }
+h5, .h5 { font-size: $font-size-h5; }
+h6, .h6 { font-size: $font-size-h6; }
+
+
+// Body text
+// -------------------------
+
+p {
+  margin: 0 0 calc($line-height-computed / 2);
+}
+
+.lead {
+  margin-bottom: $line-height-computed;
+  font-size: floor(calc($font-size-base * 1.15));
+  font-weight: 300;
+  line-height: 1.4;
+
+  @media (min-width: $screen-sm-min) {
+    font-size: calc($font-size-base * 1.5);
+  }
+}
+
+
+// Emphasis & misc
+// -------------------------
+
+// Ex: (12px small font / 14px base font) * 100% = about 85%
+small,
+.small {
+  font-size: floor(calc(100% * $font-size-small / $font-size-base));
+}
+
+// Undo browser default styling
+cite {
+  font-style: normal;
+}
+
+mark,
+.mark {
+  background-color: $state-warning-bg;
+  padding: .2em;
+}
+
+// Alignment
+.text-left           { text-align: left; }
+.text-right          { text-align: right; }
+.text-center         { text-align: center; }
+.text-justify        { text-align: justify; }
+.text-nowrap         { white-space: nowrap; }
+
+// Transformation
+.text-lowercase      { text-transform: lowercase; }
+.text-uppercase      { text-transform: uppercase; }
+.text-capitalize     { text-transform: capitalize; }
+
+// Contextual colors
+.text-muted {
+  color: $text-muted;
+}
+
+@include text-emphasis-variant('.text-primary', $brand-primary);
+
+@include text-emphasis-variant('.text-success', $state-success-text);
+
+@include text-emphasis-variant('.text-info', $state-info-text);
+
+@include text-emphasis-variant('.text-warning', $state-warning-text);
+
+@include text-emphasis-variant('.text-danger', $state-danger-text);
+
+// Contextual backgrounds
+// For now we'll leave these alongside the text classes until v4 when we can
+// safely shift things around (per SemVer rules).
+.bg-primary {
+  // Given the contrast here, this is the only class to have its color inverted
+  // automatically.
+  color: #fff;
+}
+@include bg-variant('.bg-primary', $brand-primary);
+
+@include bg-variant('.bg-success', $state-success-bg);
+
+@include bg-variant('.bg-info', $state-info-bg);
+
+@include bg-variant('.bg-warning', $state-warning-bg);
+
+@include bg-variant('.bg-danger', $state-danger-bg);
+
+
+// Page header
+// -------------------------
+
+.page-header {
+  padding-bottom: (calc($line-height-computed / 2) - 1);
+  margin: calc($line-height-computed * 2) 0 $line-height-computed;
+  border-bottom: 1px solid $page-header-border-color;
+}
+
+
+// Lists
+// -------------------------
+
+// Unordered and Ordered lists
+ul,
+ol {
+  margin-top: 0;
+  margin-bottom: calc($line-height-computed / 2);
+  ul,
+  ol {
+    margin-bottom: 0;
+  }
+}
+
+// List options
+
+// Unstyled keeps list items block level, just removes default browser padding and list-style
+.list-unstyled {
+  padding-left: 0;
+  list-style: none;
+}
+
+// Inline turns list items into inline-block
+.list-inline {
+  @extend .list-unstyled;
+  margin-left: -5px;
+
+  > li {
+    float:left;
+    padding-left: 5px;
+    padding-right: 5px;
+  }
+}
+
+// Description Lists
+dl {
+  margin-top: 0; // Remove browser default
+  margin-bottom: $line-height-computed;
+}
+dt,
+dd {
+  line-height: $line-height-base;
+}
+dt {
+  font-weight: bold;
+}
+dd {
+  margin-left: 0; // Undo browser default
+}
+
+// Horizontal description lists
+//
+// Defaults to being stacked without any of the below styles applied, until the
+// grid breakpoint is reached (default of ~768px).
+
+.dl-horizontal {
+  dd {
+    @include clearfix(); // Clear the floated `dt` if an empty `dd` is present
+  }
+
+  @media (min-width: $grid-float-breakpoint) {
+    dt {
+      float: left;
+      width: ($dl-horizontal-offset - 20);
+      clear: left;
+      text-align: right;
+      @include text-overflow();
+    }
+    dd {
+      margin-left: $dl-horizontal-offset;
+    }
+  }
+}
+
+
+// Misc
+// -------------------------
+
+// Abbreviations and acronyms
+abbr[title],
+// Add data-* attribute to help out our tooltip plugin, per https://github.com/twbs/bootstrap/issues/5257
+abbr[data-original-title] {
+  cursor: help;
+  border-bottom: 1px dotted $abbr-border-color;
+}
+.initialism {
+  font-size: 90%;
+  text-transform: uppercase;
+}
+
+// Blockquotes
+blockquote {
+  padding: calc($line-height-computed / 2) $line-height-computed;
+  margin: 0 0 $line-height-computed;
+  font-size: $blockquote-font-size;
+  border-left: 5px solid $blockquote-border-color;
+
+  p,
+  ul,
+  ol {
+    &:last-child {
+      margin-bottom: 0;
+    }
+  }
+
+  // Note: Deprecated small and .small as of v3.1.0
+  // Context: https://github.com/twbs/bootstrap/issues/11660
+  footer,
+  small,
+  .small {
+    display: block;
+    font-size: 80%; // back to default font-size
+    line-height: $line-height-base;
+    color: $blockquote-small-color;
+
+    &:before {
+      content: '\2014 \00A0'; // em dash, nbsp
+    }
+  }
+}
+
+// Opposite alignment of blockquote
+//
+// Heads up: `blockquote.pull-right` has been deprecated as of v3.1.0.
+.blockquote-reverse,
+blockquote.pull-right {
+  padding-right: 15px;
+  padding-left: 0;
+  border-right: 5px solid $blockquote-border-color;
+  border-left: 0;
+  text-align: right;
+
+  // Account for citation
+  footer,
+  small,
+  .small {
+    &:before { content: ''; }
+    &:after {
+      content: '\00A0 \2014'; // nbsp, em dash
+    }
+  }
+}
+
+// Quotes
+blockquote:before,
+blockquote:after {
+  content: "";
+}
+
+// Addresses
+address {
+  margin-bottom: $line-height-computed;
+  font-style: normal;
+  line-height: $line-height-base;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_utilities.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_utilities.scss
new file mode 100644
index 0000000000..3ad5f2eed5
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_utilities.scss
@@ -0,0 +1,57 @@
+//
+// Utility classes
+// --------------------------------------------------
+
+
+// Floats
+// -------------------------
+
+.clearfix {
+  @include clearfix();
+}
+.center-block {
+  @include center-block();
+}
+.pull-right {
+  float: right !important;
+}
+.pull-left {
+  float: left !important;
+}
+
+
+// Toggling content
+// -------------------------
+
+// Note: Deprecated .hide in favor of .hidden or .sr-only (as appropriate) in v3.0.1
+.hide {
+  display: none !important;
+}
+.show {
+  display: block !important;
+}
+.invisible {
+  visibility: hidden;
+}
+.text-hide {
+  @include text-hide();
+}
+
+
+// Hide from screenreaders and browsers
+//
+// Credit: HTML5 Boilerplate
+
+.hidden {
+  display: none !important;
+  visibility: hidden !important;
+}
+
+
+// For Affix plugin
+// -------------------------
+
+.affix {
+  position: fixed;
+  @include translate3d(0, 0, 0);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_variables.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_variables.scss
new file mode 100644
index 0000000000..93435f5974
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_variables.scss
@@ -0,0 +1,852 @@
+// When true, asset path helpers are used, otherwise the regular CSS `url()` is used.
+// When there no function is defined, `fn('')` is parsed as string that equals the right hand side
+// NB: in Sass 3.3 there is a native function: function-exists(twbs-font-path)
+$bootstrap-sass-asset-helper: (twbs-font-path("") != unquote('twbs-font-path("")')) !default;
+
+//
+// Variables
+// --------------------------------------------------
+
+
+//== Colors
+//
+//## Gray and brand colors for use across Bootstrap.
+
+$gray-darker:            lighten(#000, 13.5%) !default; // #222
+$gray-dark:              lighten(#000, 20%) !default;   // #333
+$gray:                   lighten(#000, 33.5%) !default; // #555
+$gray-light:             lighten(#000, 46.7%) !default; // #777
+$gray-lighter:           lighten(#000, 93.5%) !default; // #eee
+
+$brand-primary:         map-get($colors, orange) !default;
+$brand-success:         #9BD275 !default;
+$brand-info:            #B0CDDB !default;
+$brand-warning:         #f0ad4e !default;
+$brand-danger:          #F05050 !default;
+
+
+//== Scaffolding
+//
+//## Settings for some of the most global styles.
+
+//** Background color for `<body>`.
+$body-bg:               #fff !default;
+//** Global text color on `<body>`.
+$text-color:            map-get($colors, darkgrey) !default;
+
+//** Global textual link color.
+$link-color:            $brand-primary !default;
+//** Link hover color set via `darken()` function.
+$link-hover-color:      darken($link-color, 15%) !default;
+
+
+//== Typography
+//
+//## Font, line-height, and color for body text, headings, and more.
+
+$font-family-sans-serif:  "Helvetica Neue", Helvetica, Arial, sans-serif !default;
+$font-family-serif:       Georgia, "Times New Roman", Times, serif !default;
+//** Default monospace fonts for `<code>`, `<kbd>`, and `<pre>`.
+$font-family-monospace:   Menlo, Monaco, Consolas, "Courier New", monospace !default;
+$font-family-base:        $font-family-sans-serif !default;
+
+$font-size-base:          14px !default;
+$font-size-large:         ceil(($font-size-base * 1.25)) !default; // ~18px
+$font-size-small:         ceil(($font-size-base * 0.85)) !default; // ~12px
+
+$font-size-h1:            floor(($font-size-base * 1.7)) !default; // ~36px
+$font-size-h2:            floor(($font-size-base * 1.15)) !default; // ~30px
+$font-size-h3:            ceil(($font-size-base * 1)) !default; // ~24px
+$font-size-h4:            ceil(($font-size-base * 1.25)) !default; // ~18px
+$font-size-h5:            $font-size-base !default;
+$font-size-h6:            ceil(($font-size-base * 0.85)) !default; // ~12px
+
+//** Unit-less `line-height` for use in components like buttons.
+$line-height-base:        1.428571429 !default; // 20/14
+//** Computed "line-height" (`font-size` * `line-height`) for use with `margin`, `padding`, etc.
+$line-height-computed:    floor(($font-size-base * $line-height-base)) !default; // ~20px
+
+//** By default, this inherits from the `<body>`.
+$headings-font-family:    "SourceSansProSemiBold" !default;
+$headings-font-weight:    100 !default;
+$headings-line-height:    1.4 !default;
+$headings-color:          inherit !default;
+
+
+//== Iconography
+//
+//## Specify custom location and filename of the included Glyphicons icon font. Useful for those including Bootstrap via Bower.
+
+//** Load fonts from this directory.
+
+// [converter] Asset helpers such as Sprockets and Node.js Mincer do not resolve relative paths
+$icon-font-path: if($bootstrap-sass-asset-helper, "bootstrap/", "../fonts/bootstrap/") !default;
+
+//** File name for all font files.
+$icon-font-name:          "glyphicons-halflings-regular" !default;
+//** Element ID within SVG icon file.
+$icon-font-svg-id:        "glyphicons_halflingsregular" !default;
+
+
+//== Components
+//
+//## Define common padding and border radius sizes and more. Values based on 14px text and 1.428 line-height (~20px to start).
+
+$padding-base-vertical:     6px !default;
+$padding-base-horizontal:   12px !default;
+
+$padding-large-vertical:    10px !default;
+$padding-large-horizontal:  16px !default;
+
+$padding-small-vertical:    5px !default;
+$padding-small-horizontal:  10px !default;
+
+$padding-xs-vertical:       1px !default;
+$padding-xs-horizontal:     5px !default;
+
+$line-height-large:         1.33 !default;
+$line-height-small:         1.5 !default;
+
+$border-radius-base:        3px !default;
+$border-radius-large:       6px !default;
+$border-radius-small:       3px !default;
+
+//** Global color for active items (e.g., navs or dropdowns).
+$component-active-color:    #fff !default;
+//** Global background color for active items (e.g., navs or dropdowns).
+$component-active-bg:       $brand-primary !default;
+
+//** Width of the `border` for generating carets that indicator dropdowns.
+$caret-width-base:          4px !default;
+//** Carets increase slightly in size for larger components.
+$caret-width-large:         5px !default;
+
+
+//== Tables
+//
+//## Customizes the `.table` component with basic values, each used across all table variations.
+
+//** Padding for `<th>`s and `<td>`s.
+$table-cell-padding:            10px 0px 10px 20px !default;
+//** Padding for cells in `.table-condensed`.
+$table-condensed-cell-padding:  5px !default;
+
+//** Default background color used for all tables.
+$table-bg:                      transparent !default;
+//** Background color used for `.table-striped`.
+$table-bg-accent:               map-get($colors, lightergrey) !default;
+//** Background color used for `.table-hover`.
+$table-bg-hover:                #f5f5f5 !default;
+$table-bg-active:               $table-bg-hover !default;
+
+//** Border color for table and cell borders.
+$table-border-color:            #eee !default;
+
+
+//== Buttons
+//
+//## For each of Bootstrap's buttons, define text, background and border color.
+
+$btn-font-weight:                normal !default;
+
+$btn-default-color:              #444 !default;
+$btn-default-bg:                 #FFFFFF !default;
+$btn-default-border:             #e5e5e5 !default;
+
+$btn-primary-color:              #fff !default;
+$btn-primary-bg:                 $brand-primary !default;
+$btn-primary-border:             #D95100 !default;
+
+$btn-success-color:              #fff !default;
+$btn-success-bg:                 $brand-success !default;
+$btn-success-border:             darken($btn-success-bg, 5%) !default;
+
+$btn-info-color:                 #fff !default;
+$btn-info-bg:                    $brand-info !default;
+$btn-info-border:                darken($btn-info-bg, 5%) !default;
+
+$btn-warning-color:              #fff !default;
+$btn-warning-bg:                 $brand-warning !default;
+$btn-warning-border:             darken($btn-warning-bg, 5%) !default;
+
+$btn-danger-color:               #fff !default;
+$btn-danger-bg:                  $brand-danger !default;
+$btn-danger-border:              darken($btn-danger-bg, 5%) !default;
+
+$btn-link-disabled-color:        $gray-light !default;
+
+
+//== Forms
+//
+//##
+
+//** `<input>` background color
+$input-bg:                       #fff !default;
+//** `<input disabled>` background color
+$input-bg-disabled:              $gray-lighter !default;
+
+//** Text color for `<input>`s
+$input-color:                    $gray !default;
+//** `<input>` border color
+$input-border:                   #ccc !default;
+//** `<input>` border radius
+$input-border-radius:            $border-radius-base !default;
+//** Border color for inputs on focus
+$input-border-focus:             #66afe9 !default;
+
+//** Placeholder text color
+$input-color-placeholder:        $gray-light !default;
+
+//** Default `.form-control` height
+$input-height-base:              ($line-height-computed + ($padding-base-vertical * 2) + 2) !default;
+//** Large `.form-control` height
+$input-height-large:             (ceil($font-size-large * $line-height-large) + ($padding-large-vertical * 2) + 2) !default;
+//** Small `.form-control` height
+$input-height-small:             (floor($font-size-small * $line-height-small) + ($padding-small-vertical * 2) + 2) !default;
+
+$legend-color:                   $gray-dark !default;
+$legend-border-color:            #e5e5e5 !default;
+
+//** Background color for textual input addons
+$input-group-addon-bg:           $gray-lighter !default;
+//** Border color for textual input addons
+$input-group-addon-border-color: $input-border !default;
+
+
+//== Dropdowns
+//
+//## Dropdown menu container and contents.
+
+//** Background for the dropdown menu.
+$dropdown-bg:                    #fff !default;
+//** Dropdown menu `border-color`.
+$dropdown-border:                rgba(0,0,0,.15) !default;
+//** Dropdown menu `border-color` **for IE8**.
+$dropdown-fallback-border:       #ccc !default;
+//** Divider color for between dropdown items.
+$dropdown-divider-bg:            #e5e5e5 !default;
+
+//** Dropdown link text color.
+$dropdown-link-color:            $gray-dark !default;
+//** Hover color for dropdown links.
+$dropdown-link-hover-color:      darken($gray-dark, 5%) !default;
+//** Hover background for dropdown links.
+$dropdown-link-hover-bg:         #f5f5f5 !default;
+
+//** Active dropdown menu item text color.
+$dropdown-link-active-color:     $component-active-color !default;
+//** Active dropdown menu item background color.
+$dropdown-link-active-bg:        $component-active-bg !default;
+
+//** Disabled dropdown menu item background color.
+$dropdown-link-disabled-color:   $gray-light !default;
+
+//** Text color for headers within dropdown menus.
+$dropdown-header-color:          $gray-light !default;
+
+//** Deprecated `$dropdown-caret-color` as of v3.1.0
+$dropdown-caret-color:           #000 !default;
+
+
+//-- Z-index master list
+//
+// Warning: Avoid customizing these values. They're used for a bird's eye view
+// of components dependent on the z-axis and are designed to all work together.
+//
+// Note: These variables are not generated into the Customizer.
+
+$zindex-navbar:            1000 !default;
+$zindex-dropdown:          1000 !default;
+$zindex-popover:           1060 !default;
+$zindex-tooltip:           1070 !default;
+$zindex-navbar-fixed:      1030 !default;
+$zindex-modal-background:  1040 !default;
+$zindex-modal:             1050 !default;
+
+
+//== Media queries breakpoints
+//
+//## Define the breakpoints at which your layout will change, adapting to different screen sizes.
+
+// Extra small screen / phone
+//** Deprecated `$screen-xs` as of v3.0.1
+$screen-xs:                  480px !default;
+//** Deprecated `$screen-xs-min` as of v3.2.0
+$screen-xs-min:              $screen-xs !default;
+//** Deprecated `$screen-phone` as of v3.0.1
+$screen-phone:               $screen-xs-min !default;
+
+// Small screen / tablet
+//** Deprecated `$screen-sm` as of v3.0.1
+$screen-sm:                  768px !default;
+$screen-sm-min:              $screen-sm !default;
+//** Deprecated `$screen-tablet` as of v3.0.1
+$screen-tablet:              $screen-sm-min !default;
+
+// Medium screen / desktop
+//** Deprecated `$screen-md` as of v3.0.1
+$screen-md:                  992px !default;
+$screen-md-min:              $screen-md !default;
+//** Deprecated `$screen-desktop` as of v3.0.1
+$screen-desktop:             $screen-md-min !default;
+
+// Large screen / wide desktop
+//** Deprecated `$screen-lg` as of v3.0.1
+$screen-lg:                  1200px !default;
+$screen-lg-min:              $screen-lg !default;
+//** Deprecated `$screen-lg-desktop` as of v3.0.1
+$screen-lg-desktop:          $screen-lg-min !default;
+
+// So media queries don't overlap when required, provide a maximum
+$screen-xs-max:              ($screen-sm-min - 1) !default;
+$screen-sm-max:              ($screen-md-min - 1) !default;
+$screen-md-max:              ($screen-lg-min - 1) !default;
+
+
+//== Grid system
+//
+//## Define your custom responsive grid.
+
+//** Number of columns in the grid.
+$grid-columns:              12 !default;
+//** Padding between columns. Gets divided in half for the left and right.
+$grid-gutter-width:         40px !default;
+// Navbar collapse
+//** Point at which the navbar becomes uncollapsed.
+$grid-float-breakpoint:     $screen-sm-min !default;
+//** Point at which the navbar begins collapsing.
+$grid-float-breakpoint-max: ($grid-float-breakpoint - 1) !default;
+
+
+//== Container sizes
+//
+//## Define the maximum width of `.container` for different screen sizes.
+
+// Small screen / tablet
+$container-tablet:             ((720px + $grid-gutter-width)) !default;
+//** For `$screen-sm-min` and up.
+$container-sm:                 $container-tablet !default;
+
+// Medium screen / desktop
+$container-desktop:            ((940px + $grid-gutter-width)) !default;
+//** For `$screen-md-min` and up.
+$container-md:                 $container-desktop !default;
+
+// Large screen / wide desktop
+$container-large-desktop:      ((1140px + $grid-gutter-width)) !default;
+//** For `$screen-lg-min` and up.
+$container-lg:                 $container-large-desktop !default;
+
+
+//== Navbar
+//
+//##
+
+// Basics of a navbar
+$navbar-height:                    50px !default;
+$navbar-margin-bottom:             0;
+$navbar-border-radius:             0;
+$navbar-padding-horizontal:        floor((calc($grid-gutter-width / 2))) !default;
+$navbar-padding-vertical:          15px;
+$navbar-collapse-max-height:       340px !default;
+
+$navbar-default-color:             map-get($colors, lightgrey) !default;
+$navbar-default-bg:                map-get($colors, darkgrey) !default;
+$navbar-default-border:            darken($navbar-default-bg, 6.5%) !default;
+
+// Navbar links
+$navbar-default-link-color:                map-get($colors, lightgrey) !default;
+$navbar-default-link-hover-color:          map-get($colors, orange) !default;
+$navbar-default-link-hover-bg:             transparent !default;
+$navbar-default-link-active-color:         #555 !default;
+$navbar-default-link-active-bg:            darken($navbar-default-bg, 6.5%) !default;
+$navbar-default-link-disabled-color:       #ccc !default;
+$navbar-default-link-disabled-bg:          transparent !default;
+
+// Navbar brand label
+$navbar-default-brand-color:               $navbar-default-link-color !default;
+$navbar-default-brand-hover-color:         darken($navbar-default-brand-color, 10%) !default;
+$navbar-default-brand-hover-bg:            transparent !default;
+
+// Navbar toggle
+$navbar-default-toggle-hover-bg:           #555 !default;
+$navbar-default-toggle-icon-bar-bg:        #FFF !default;
+$navbar-default-toggle-border-color:       #FFF !default;
+
+
+// Inverted navbar
+// Reset inverted navbar basics
+$navbar-inverse-color:                      $gray-light !default;
+$navbar-inverse-bg:                         #222 !default;
+$navbar-inverse-border:                     darken($navbar-inverse-bg, 10%) !default;
+
+// Inverted navbar links
+$navbar-inverse-link-color:                 $gray-light !default;
+$navbar-inverse-link-hover-color:           #fff !default;
+$navbar-inverse-link-hover-bg:              transparent !default;
+$navbar-inverse-link-active-color:          $navbar-inverse-link-hover-color !default;
+$navbar-inverse-link-active-bg:             darken($navbar-inverse-bg, 10%) !default;
+$navbar-inverse-link-disabled-color:        #444 !default;
+$navbar-inverse-link-disabled-bg:           transparent !default;
+
+// Inverted navbar brand label
+$navbar-inverse-brand-color:                $navbar-inverse-link-color !default;
+$navbar-inverse-brand-hover-color:          #fff !default;
+$navbar-inverse-brand-hover-bg:             transparent !default;
+
+// Inverted navbar toggle
+$navbar-inverse-toggle-hover-bg:            #333 !default;
+$navbar-inverse-toggle-icon-bar-bg:         #fff !default;
+$navbar-inverse-toggle-border-color:        #333 !default;
+
+
+//== Navs
+//
+//##
+
+//=== Shared nav styles
+$nav-link-padding:                          10px 15px !default;
+$nav-link-hover-bg:                         $gray-lighter !default;
+
+$nav-disabled-link-color:                   $gray-light !default;
+$nav-disabled-link-hover-color:             $gray-light !default;
+
+$nav-open-link-hover-color:                 #fff !default;
+
+//== Tabs
+$nav-tabs-border-color:                     #E5E5E5 !default;
+
+$nav-tabs-link-hover-border-color:          $gray-lighter !default;
+
+$nav-tabs-active-link-hover-bg:             $body-bg !default;
+$nav-tabs-active-link-hover-color:          $gray !default;
+$nav-tabs-active-link-hover-border-color:   #ddd !default;
+
+$nav-tabs-justified-link-border-color:            #ddd !default;
+$nav-tabs-justified-active-link-border-color:     $body-bg !default;
+
+//== Pills
+$nav-pills-border-radius:                   0 !default;
+$nav-pills-active-link-hover-bg:            $component-active-bg !default;
+$nav-pills-active-link-hover-color:         $component-active-color !default;
+
+
+//== Pagination
+//
+//##
+
+$pagination-color:                     $link-color !default;
+$pagination-bg:                        #fff !default;
+$pagination-border:                    #ddd !default;
+
+$pagination-hover-color:               $link-hover-color !default;
+$pagination-hover-bg:                  $gray-lighter !default;
+$pagination-hover-border:              #ddd !default;
+
+$pagination-active-color:              #fff !default;
+$pagination-active-bg:                 $brand-primary !default;
+$pagination-active-border:             $brand-primary !default;
+
+$pagination-disabled-color:            $gray-light !default;
+$pagination-disabled-bg:               #fff !default;
+$pagination-disabled-border:           #ddd !default;
+
+
+//== Pager
+//
+//##
+
+$pager-bg:                             $pagination-bg !default;
+$pager-border:                         $pagination-border !default;
+$pager-border-radius:                  15px !default;
+
+$pager-hover-bg:                       $pagination-hover-bg !default;
+
+$pager-active-bg:                      $pagination-active-bg !default;
+$pager-active-color:                   $pagination-active-color !default;
+
+$pager-disabled-color:                 $pagination-disabled-color !default;
+
+
+//== Jumbotron
+//
+//##
+
+$jumbotron-padding:              30px !default;
+$jumbotron-color:                inherit !default;
+$jumbotron-bg:                   $gray-lighter !default;
+$jumbotron-heading-color:        inherit !default;
+$jumbotron-font-size:            ceil(($font-size-base * 1.5)) !default;
+
+
+//== Form states and alerts
+//
+//## Define colors for form feedback states and, by default, alerts.
+
+$state-success-text:             $brand-success !default;
+$state-success-bg:               $brand-success !default;
+$state-success-border:           $brand-success !default;
+
+$state-info-text:                #31708f !default;
+$state-info-bg:                  #d9edf7 !default;
+$state-info-border:              darken(adjust-hue($state-info-bg, -10), 7%) !default;
+
+$state-warning-text:             $brand-warning !default;
+$state-warning-bg:               #fcf8e3 !default;
+$state-warning-border:           darken(adjust-hue($state-warning-bg, -10), 5%) !default;
+
+$state-danger-text:              $brand-danger !default;
+$state-danger-bg:                $brand-danger !default;
+$state-danger-border:            $brand-danger !default;
+
+
+//== Tooltips
+//
+//##
+
+//** Tooltip max width
+$tooltip-max-width:           200px !default;
+//** Tooltip text color
+$tooltip-color:               #fff !default;
+//** Tooltip background color
+$tooltip-bg:                  #000 !default;
+$tooltip-opacity:             .9 !default;
+
+//** Tooltip arrow width
+$tooltip-arrow-width:         5px !default;
+//** Tooltip arrow color
+$tooltip-arrow-color:         $tooltip-bg !default;
+
+
+//== Popovers
+//
+//##
+
+//** Popover body background color
+$popover-bg:                          #fff !default;
+//** Popover maximum width
+$popover-max-width:                   276px !default;
+//** Popover border color
+$popover-border-color:                rgba(0,0,0,.2) !default;
+//** Popover fallback border color
+$popover-fallback-border-color:       #ccc !default;
+
+//** Popover title background color
+$popover-title-bg:                    darken($popover-bg, 3%) !default;
+
+//** Popover arrow width
+$popover-arrow-width:                 10px !default;
+//** Popover arrow color
+$popover-arrow-color:                 #fff !default;
+
+//** Popover outer arrow width
+$popover-arrow-outer-width:           ($popover-arrow-width + 1) !default;
+//** Popover outer arrow color
+$popover-arrow-outer-color:           fade_in($popover-border-color, 0.05) !default;
+//** Popover outer arrow fallback color
+$popover-arrow-outer-fallback-color:  darken($popover-fallback-border-color, 20%) !default;
+
+
+//== Labels
+//
+//##
+
+//** Default label background color
+$label-default-bg:            $gray-light !default;
+//** Primary label background color
+$label-primary-bg:            $brand-primary !default;
+//** Success label background color
+$label-success-bg:            $brand-success !default;
+//** Info label background color
+$label-info-bg:               $brand-info !default;
+//** Warning label background color
+$label-warning-bg:            $brand-warning !default;
+//** Danger label background color
+$label-danger-bg:             $brand-danger !default;
+
+//** Default label text color
+$label-color:                 #fff !default;
+//** Default text color of a linked label
+$label-link-hover-color:      #fff !default;
+
+
+//== Modals
+//
+//##
+
+//** Padding applied to the modal body
+$modal-inner-padding:         15px !default;
+
+//** Padding applied to the modal title
+$modal-title-padding:         15px !default;
+//** Modal title line-height
+$modal-title-line-height:     $line-height-base !default;
+
+//** Background color of modal content area
+$modal-content-bg:                             #fff !default;
+//** Modal content border color
+$modal-content-border-color:                   rgba(0,0,0,.2) !default;
+//** Modal content border color **for IE8**
+$modal-content-fallback-border-color:          #999 !default;
+
+//** Modal backdrop background color
+$modal-backdrop-bg:           #000 !default;
+//** Modal backdrop opacity
+$modal-backdrop-opacity:      .5 !default;
+//** Modal header border color
+$modal-header-border-color:   #e5e5e5 !default;
+//** Modal footer border color
+$modal-footer-border-color:   $modal-header-border-color !default;
+
+$modal-lg:                    900px !default;
+$modal-md:                    600px !default;
+$modal-sm:                    300px !default;
+
+
+//== Alerts
+//
+//## Define alert colors, border radius, and padding.
+
+$alert-padding:               15px !default;
+$alert-border-radius:         $border-radius-base !default;
+$alert-link-font-weight:      bold !default;
+
+$alert-success-bg:            $state-success-bg !default;
+$alert-success-text:          $state-success-text !default;
+$alert-success-border:        $state-success-border !default;
+
+$alert-info-bg:               $state-info-bg !default;
+$alert-info-text:             $state-info-text !default;
+$alert-info-border:           $state-info-border !default;
+
+$alert-warning-bg:            $state-warning-bg !default;
+$alert-warning-text:          $state-warning-text !default;
+$alert-warning-border:        $state-warning-border !default;
+
+$alert-danger-bg:             $state-danger-bg !default;
+$alert-danger-text:           $state-danger-text !default;
+$alert-danger-border:         $state-danger-border !default;
+
+
+//== Progress bars
+//
+//##
+
+//** Background color of the whole progress component
+$progress-bg:                 #f5f5f5 !default;
+//** Progress bar text color
+$progress-bar-color:          #fff !default;
+
+//** Default progress bar color
+$progress-bar-bg:             $brand-primary !default;
+//** Success progress bar color
+$progress-bar-success-bg:     $brand-success !default;
+//** Warning progress bar color
+$progress-bar-warning-bg:     $brand-warning !default;
+//** Danger progress bar color
+$progress-bar-danger-bg:      $brand-danger !default;
+//** Info progress bar color
+$progress-bar-info-bg:        $brand-info !default;
+
+
+//== List group
+//
+//##
+
+//** Background color on `.list-group-item`
+$list-group-bg:                 #fff !default;
+//** `.list-group-item` border color
+$list-group-border:             #ddd !default;
+//** List group border radius
+$list-group-border-radius:      $border-radius-base !default;
+
+//** Background color of single list items on hover
+$list-group-hover-bg:           #f5f5f5 !default;
+//** Text color of active list items
+$list-group-active-color:       $component-active-color !default;
+//** Background color of active list items
+$list-group-active-bg:          $component-active-bg !default;
+//** Border color of active list elements
+$list-group-active-border:      $list-group-active-bg !default;
+//** Text color for content within active list items
+$list-group-active-text-color:  lighten($list-group-active-bg, 40%) !default;
+
+//** Text color of disabled list items
+$list-group-disabled-color:      $gray-light !default;
+//** Background color of disabled list items
+$list-group-disabled-bg:         $gray-lighter !default;
+//** Text color for content within disabled list items
+$list-group-disabled-text-color: $list-group-disabled-color !default;
+
+$list-group-link-color:         map-get($colors, darkgrey) !default;
+$list-group-link-hover-color:   map-get($colors, orange) !default;
+$list-group-link-heading-color: #333 !default;
+
+
+//== Panels
+//
+//##
+
+$panel-bg:                    #fff !default;
+$panel-body-padding:          15px !default;
+$panel-heading-padding:       10px 15px !default;
+$panel-footer-padding:        $panel-heading-padding !default;
+$panel-border-radius:         $border-radius-base !default;
+
+//** Border color for elements within panels
+$panel-inner-border:          #ddd !default;
+$panel-footer-bg:             #f5f5f5 !default;
+
+$panel-default-text:          $gray-dark !default;
+$panel-default-border:        #ddd !default;
+$panel-default-heading-bg:    #f5f5f5 !default;
+
+$panel-primary-text:          #fff !default;
+$panel-primary-border:        $brand-primary !default;
+$panel-primary-heading-bg:    $brand-primary !default;
+
+$panel-success-text:          $state-success-text !default;
+$panel-success-border:        $state-success-border !default;
+$panel-success-heading-bg:    $state-success-bg !default;
+
+$panel-info-text:             $state-info-text !default;
+$panel-info-border:           $state-info-border !default;
+$panel-info-heading-bg:       $state-info-bg !default;
+
+$panel-warning-text:          $state-warning-text !default;
+$panel-warning-border:        $state-warning-border !default;
+$panel-warning-heading-bg:    $state-warning-bg !default;
+
+$panel-danger-text:           $state-danger-text !default;
+$panel-danger-border:         $state-danger-border !default;
+$panel-danger-heading-bg:     $state-danger-bg !default;
+
+
+//== Thumbnails
+//
+//##
+
+//** Padding around the thumbnail image
+$thumbnail-padding:           4px !default;
+//** Thumbnail background color
+$thumbnail-bg:                $body-bg !default;
+//** Thumbnail border color
+$thumbnail-border:            #ddd !default;
+//** Thumbnail border radius
+$thumbnail-border-radius:     $border-radius-base !default;
+
+//** Custom text color for thumbnail captions
+$thumbnail-caption-color:     $text-color !default;
+//** Padding around the thumbnail caption
+$thumbnail-caption-padding:   9px !default;
+
+
+//== Wells
+//
+//##
+
+$well-bg:                     #f5f5f5 !default;
+$well-border:                 darken($well-bg, 7%) !default;
+
+
+//== Badges
+//
+//##
+
+$badge-color:                 #fff !default;
+//** Linked badge text color on hover
+$badge-link-hover-color:      #fff !default;
+$badge-bg:                    $gray-light !default;
+
+//** Badge text color in active nav link
+$badge-active-color:          $link-color !default;
+//** Badge background color in active nav link
+$badge-active-bg:             #fff !default;
+
+$badge-font-weight:           bold !default;
+$badge-line-height:           1 !default;
+$badge-border-radius:         10px !default;
+
+
+//== Breadcrumbs
+//
+//##
+
+$breadcrumb-padding-vertical:   8px !default;
+$breadcrumb-padding-horizontal: 15px !default;
+//** Breadcrumb background color
+$breadcrumb-bg:                 #f5f5f5 !default;
+//** Breadcrumb text color
+$breadcrumb-color:              #ccc !default;
+//** Text color of current page in the breadcrumb
+$breadcrumb-active-color:       $gray-light !default;
+//** Textual separator for between breadcrumb elements
+$breadcrumb-separator:          "/" !default;
+
+
+//== Carousel
+//
+//##
+
+$carousel-text-shadow:                        0 1px 2px rgba(0,0,0,.6) !default;
+
+$carousel-control-color:                      #fff !default;
+$carousel-control-width:                      15% !default;
+$carousel-control-opacity:                    .5 !default;
+$carousel-control-font-size:                  20px !default;
+
+$carousel-indicator-active-bg:                #fff !default;
+$carousel-indicator-border-color:             #fff !default;
+
+$carousel-caption-color:                      #fff !default;
+
+
+//== Close
+//
+//##
+
+$close-font-weight:           bold !default;
+$close-color:                 #000 !default;
+$close-text-shadow:           0 1px 0 #fff !default;
+
+
+//== Code
+//
+//##
+
+$code-color:                  #c7254e !default;
+$code-bg:                     #f9f2f4 !default;
+
+$kbd-color:                   #fff !default;
+$kbd-bg:                      #333 !default;
+
+$pre-bg:                      #f5f5f5 !default;
+$pre-color:                   $gray-dark !default;
+$pre-border-color:            #ccc !default;
+$pre-scrollable-max-height:   340px !default;
+
+
+//== Type
+//
+//##
+
+//** Horizontal offset for forms and lists.
+$component-offset-horizontal: 180px !default;
+//** Text muted color
+$text-muted:                  $gray-light !default;
+//** Abbreviations and acronyms border color
+$abbr-border-color:           $gray-light !default;
+//** Headings small color
+$headings-small-color:        $gray-light !default;
+//** Blockquote small color
+$blockquote-small-color:      $gray-light !default;
+//** Blockquote font size
+$blockquote-font-size:        ($font-size-base * 1.25) !default;
+//** Blockquote border color
+$blockquote-border-color:     $gray-lighter !default;
+//** Page header border color
+$page-header-border-color:    $gray-lighter !default;
+//** Width of horizontal description list titles
+$dl-horizontal-offset:        $component-offset-horizontal !default;
+//** Horizontal line color.
+$hr-border:                   $gray-lighter !default;
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_wells.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_wells.scss
new file mode 100644
index 0000000000..b8657118a6
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/_wells.scss
@@ -0,0 +1,29 @@
+//
+// Wells
+// --------------------------------------------------
+
+
+// Base class
+.well {
+  min-height: 20px;
+  padding: 19px;
+  margin-bottom: 20px;
+  background-color: $well-bg;
+  border: 1px solid $well-border;
+  border-radius: $border-radius-base;
+  @include box-shadow(inset 0 1px 1px rgba(0,0,0,.05));
+  blockquote {
+    border-color: #ddd;
+    border-color: rgba(0,0,0,.15);
+  }
+}
+
+// Sizes
+.well-lg {
+  padding: 24px;
+  border-radius: $border-radius-large;
+}
+.well-sm {
+  padding: 9px;
+  border-radius: $border-radius-small;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_alerts.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_alerts.scss
new file mode 100644
index 0000000000..9a0b590071
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_alerts.scss
@@ -0,0 +1,14 @@
+// Alerts
+
+@mixin alert-variant($background, $border, $text-color) {
+  background-color: $background;
+  border-color: $border;
+  color: darken($text-color, 20%);
+
+  hr {
+    border-top-color: darken($border, 5%);
+  }
+  .alert-link {
+    color: darken($text-color, 15%);
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_background-variant.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_background-variant.scss
new file mode 100644
index 0000000000..4993bd2b80
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_background-variant.scss
@@ -0,0 +1,11 @@
+// Contextual backgrounds
+
+// [converter] $parent hack
+@mixin bg-variant($parent, $color) {
+  #{$parent} {
+    background-color: $color;
+  }
+  a#{$parent}:hover {
+    background-color: darken($color, 10%);
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_border-radius.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_border-radius.scss
new file mode 100644
index 0000000000..ce19499875
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_border-radius.scss
@@ -0,0 +1,18 @@
+// Single side border-radius
+
+@mixin border-top-radius($radius) {
+  border-top-right-radius: $radius;
+   border-top-left-radius: $radius;
+}
+@mixin border-right-radius($radius) {
+  border-bottom-right-radius: $radius;
+     border-top-right-radius: $radius;
+}
+@mixin border-bottom-radius($radius) {
+  border-bottom-right-radius: $radius;
+   border-bottom-left-radius: $radius;
+}
+@mixin border-left-radius($radius) {
+  border-bottom-left-radius: $radius;
+     border-top-left-radius: $radius;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_buttons.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_buttons.scss
new file mode 100644
index 0000000000..58ad13e502
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_buttons.scss
@@ -0,0 +1,50 @@
+// Button variants
+//
+// Easily pump out default styles, as well as :hover, :focus, :active,
+// and disabled options for all buttons
+
+@mixin button-variant($color, $background, $border) {
+  color: $color;
+  background-color: $background;
+  border-color: $border;
+
+  &:hover,
+  &:focus,
+  &:active,
+  &.active,
+  .open > &.dropdown-toggle {
+    color: $color;
+    background-color: darken($background, 10%);
+        border-color: darken($border, 12%);
+  }
+  &:active,
+  &.active,
+  .open > &.dropdown-toggle {
+    background-image: none;
+  }
+  &.disabled,
+  &[disabled],
+  fieldset[disabled] & {
+    &,
+    &:hover,
+    &:focus,
+    &:active,
+    &.active {
+      background-color: $background;
+          border-color: $border;
+    }
+  }
+
+  .badge {
+    color: $background;
+    background-color: $color;
+  }
+}
+
+// Button sizes
+@mixin button-size($padding-vertical, $padding-horizontal, $font-size, $line-height, $border-radius) {
+  padding: $padding-vertical $padding-horizontal;
+  font-size: $font-size;
+  line-height: $line-height;
+  border-radius: $border-radius;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_center-block.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_center-block.scss
new file mode 100644
index 0000000000..e06fb5e276
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_center-block.scss
@@ -0,0 +1,7 @@
+// Center-align a block level element
+
+@mixin center-block() {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_clearfix.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_clearfix.scss
new file mode 100644
index 0000000000..dc3e2ab426
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_clearfix.scss
@@ -0,0 +1,22 @@
+// Clearfix
+//
+// For modern browsers
+// 1. The space content is one way to avoid an Opera bug when the
+//    contenteditable attribute is included anywhere else in the document.
+//    Otherwise it causes space to appear at the top and bottom of elements
+//    that are clearfixed.
+// 2. The use of `table` rather than `block` is only necessary if using
+//    `:before` to contain the top-margins of child elements.
+//
+// Source: http://nicolasgallagher.com/micro-clearfix-hack/
+
+@mixin clearfix() {
+  &:before,
+  &:after {
+    content: " "; // 1
+    display: table; // 2
+  }
+  &:after {
+    clear: both;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_forms.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_forms.scss
new file mode 100644
index 0000000000..ff72f0efc5
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_forms.scss
@@ -0,0 +1,84 @@
+// Form validation states
+//
+// Used in forms.less to generate the form validation CSS for warnings, errors,
+// and successes.
+
+@mixin form-control-validation($text-color: #555, $border-color: #ccc, $background-color: #f5f5f5) {
+  // Color the label and help text
+  .help-block,
+  .control-label,
+  .radio,
+  .checkbox,
+  .radio-inline,
+  .checkbox-inline  {
+    color: $text-color;
+  }
+  // Set the border and box shadow on specific inputs to match
+  .form-control {
+    border-color: $border-color;
+    @include box-shadow(inset 0 1px 1px rgba(0,0,0,.075)); // Redeclare so transitions work
+    &:focus {
+      border-color: darken($border-color, 10%);
+      $shadow: inset 0 1px 1px rgba(0,0,0,.075), 0 0 6px lighten($border-color, 20%);
+      @include box-shadow($shadow);
+    }
+  }
+  // Set validation states also for addons
+  .input-group-addon {
+    color: $text-color;
+    border-color: $border-color;
+    background-color: $background-color;
+  }
+  // Optional feedback icon
+  .form-control-feedback {
+    color: $text-color;
+  }
+}
+
+
+// Form control focus state
+//
+// Generate a customized focus state and for any input with the specified color,
+// which defaults to the `$input-border-focus` variable.
+//
+// We highly encourage you to not customize the default value, but instead use
+// this to tweak colors on an as-needed basis. This aesthetic change is based on
+// WebKit's default styles, but applicable to a wider range of browsers. Its
+// usability and accessibility should be taken into account with any change.
+//
+// Example usage: change the default blue border and shadow to white for better
+// contrast against a dark gray background.
+@mixin form-control-focus($color: $input-border-focus) {
+  $color-rgba: rgba(red($color), green($color), blue($color), .6);
+  &:focus {
+    border-color: $color;
+    outline: 0;
+    @include box-shadow(inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px $color-rgba);
+  }
+}
+
+// Form control sizing
+//
+// Relative text size, padding, and border-radii changes for form controls. For
+// horizontal sizing, wrap controls in the predefined grid classes. `<select>`
+// element gets special love because it's special, and that's a fact!
+// [converter] $parent hack
+@mixin input-size($parent, $input-height, $padding-vertical, $padding-horizontal, $font-size, $line-height, $border-radius) {
+  #{$parent} {
+    height: $input-height;
+    padding: $padding-vertical $padding-horizontal;
+    font-size: $font-size;
+    line-height: $line-height;
+    border-radius: $border-radius;
+  }
+
+  select#{$parent} {
+    height: $input-height;
+    line-height: $input-height;
+  }
+
+  textarea#{$parent},
+  select[multiple]#{$parent} {
+    height: auto;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_gradients.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_gradients.scss
new file mode 100644
index 0000000000..a8939f5ae6
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_gradients.scss
@@ -0,0 +1,58 @@
+// Gradients
+
+
+
+// Horizontal gradient, from left to right
+//
+// Creates two color stops, start and end, by specifying a color and position for each color stop.
+// Color stops are not available in IE9 and below.
+@mixin gradient-horizontal($start-color: #555, $end-color: #333, $start-percent: 0%, $end-percent: 100%) {
+  background-image: -webkit-linear-gradient(left, $start-color $start-percent, $end-color $end-percent); // Safari 5.1-6, Chrome 10+
+  background-image: -o-linear-gradient(left, $start-color $start-percent, $end-color $end-percent); // Opera 12
+  background-image: linear-gradient(to right, $start-color $start-percent, $end-color $end-percent); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+
+  background-repeat: repeat-x;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#{ie-hex-str($start-color)}', endColorstr='#{ie-hex-str($end-color)}', GradientType=1); // IE9 and down
+}
+
+// Vertical gradient, from top to bottom
+//
+// Creates two color stops, start and end, by specifying a color and position for each color stop.
+// Color stops are not available in IE9 and below.
+@mixin gradient-vertical($start-color: #555, $end-color: #333, $start-percent: 0%, $end-percent: 100%) {
+  background-image: -webkit-linear-gradient(top, $start-color $start-percent, $end-color $end-percent);  // Safari 5.1-6, Chrome 10+
+  background-image: -o-linear-gradient(top, $start-color $start-percent, $end-color $end-percent);  // Opera 12
+  background-image: linear-gradient(to bottom, $start-color $start-percent, $end-color $end-percent); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+
+  background-repeat: repeat-x;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#{ie-hex-str($start-color)}', endColorstr='#{ie-hex-str($end-color)}', GradientType=0); // IE9 and down
+}
+
+@mixin gradient-directional($start-color: #555, $end-color: #333, $deg: 45deg) {
+  background-repeat: repeat-x;
+  background-image: -webkit-linear-gradient($deg, $start-color, $end-color); // Safari 5.1-6, Chrome 10+
+  background-image: -o-linear-gradient($deg, $start-color, $end-color); // Opera 12
+  background-image: linear-gradient($deg, $start-color, $end-color); // Standard, IE10, Firefox 16+, Opera 12.10+, Safari 7+, Chrome 26+
+}
+@mixin gradient-horizontal-three-colors($start-color: #00b3ee, $mid-color: #7a43b6, $color-stop: 50%, $end-color: #c3325f) {
+  background-image: -webkit-linear-gradient(left, $start-color, $mid-color $color-stop, $end-color);
+  background-image: -o-linear-gradient(left, $start-color, $mid-color $color-stop, $end-color);
+  background-image: linear-gradient(to right, $start-color, $mid-color $color-stop, $end-color);
+  background-repeat: no-repeat;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#{ie-hex-str($start-color)}', endColorstr='#{ie-hex-str($end-color)}', GradientType=1); // IE9 and down, gets no color-stop at all for proper fallback
+}
+@mixin gradient-vertical-three-colors($start-color: #00b3ee, $mid-color: #7a43b6, $color-stop: 50%, $end-color: #c3325f) {
+  background-image: -webkit-linear-gradient($start-color, $mid-color $color-stop, $end-color);
+  background-image: -o-linear-gradient($start-color, $mid-color $color-stop, $end-color);
+  background-image: linear-gradient($start-color, $mid-color $color-stop, $end-color);
+  background-repeat: no-repeat;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#{ie-hex-str($start-color)}', endColorstr='#{ie-hex-str($end-color)}', GradientType=0); // IE9 and down, gets no color-stop at all for proper fallback
+}
+@mixin gradient-radial($inner-color: #555, $outer-color: #333) {
+  background-image: -webkit-radial-gradient(circle, $inner-color, $outer-color);
+  background-image: radial-gradient(circle, $inner-color, $outer-color);
+  background-repeat: no-repeat;
+}
+@mixin gradient-striped($color: rgba(255,255,255,.15), $angle: 45deg) {
+  background-image: -webkit-linear-gradient($angle, $color 25%, transparent 25%, transparent 50%, $color 50%, $color 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient($angle, $color 25%, transparent 25%, transparent 50%, $color 50%, $color 75%, transparent 75%, transparent);
+  background-image: linear-gradient($angle, $color 25%, transparent 25%, transparent 50%, $color 50%, $color 75%, transparent 75%, transparent);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_grid-framework.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_grid-framework.scss
new file mode 100644
index 0000000000..d6df41f0fa
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_grid-framework.scss
@@ -0,0 +1,81 @@
+// Framework grid generation
+//
+// Used only by Bootstrap to generate the correct number of grid classes given
+// any value of `$grid-columns`.
+
+// [converter] This is defined recursively in LESS, but Sass supports real loops
+@mixin make-grid-columns($i: 1, $list: ".col-xs-#{$i}, .col-sm-#{$i}, .col-md-#{$i}, .col-lg-#{$i}") {
+  @for $i from (1 + 1) through $grid-columns {
+    $list: "#{$list}, .col-xs-#{$i}, .col-sm-#{$i}, .col-md-#{$i}, .col-lg-#{$i}";
+  }
+  #{$list} {
+    position: relative;
+    // Prevent columns from collapsing when empty
+    min-height: 1px;
+    // Inner gutter via padding
+    padding-left:  calc($grid-gutter-width / 2);
+    padding-right: calc($grid-gutter-width / 2);
+  }
+}
+
+
+// [converter] This is defined recursively in LESS, but Sass supports real loops
+@mixin float-grid-columns($class, $i: 1, $list: ".col-#{$class}-#{$i}") {
+  @for $i from (1 + 1) through $grid-columns {
+    $list: "#{$list}, .col-#{$class}-#{$i}";
+  }
+  #{$list} {
+    float: left;
+  }
+}
+
+
+@mixin calc-grid-column($index, $class, $type) {
+  @if ($type == width) and ($index > 0) {
+    .col-#{$class}-#{$index} {
+      width: percentage(calc($index / $grid-columns));
+    }
+  }
+  @if ($type == push) and ($index > 0) {
+    .col-#{$class}-push-#{$index} {
+      left: percentage(calc($index / $grid-columns));
+    }
+  }
+  @if ($type == push) and ($index == 0) {
+    .col-#{$class}-push-0 {
+      left: auto;
+    }
+  }
+  @if ($type == pull) and ($index > 0) {
+    .col-#{$class}-pull-#{$index} {
+      right: percentage(calc($index / $grid-columns));
+    }
+  }
+  @if ($type == pull) and ($index == 0) {
+    .col-#{$class}-pull-0 {
+      right: auto;
+    }
+  }
+  @if ($type == offset) {
+    .col-#{$class}-offset-#{$index} {
+      margin-left: percentage(calc($index / $grid-columns));
+    }
+  }
+}
+
+// [converter] This is defined recursively in LESS, but Sass supports real loops
+@mixin loop-grid-columns($columns, $class, $type) {
+  @for $i from 0 through $columns {
+    @include calc-grid-column($i, $class, $type);
+  }
+}
+
+
+// Create grid for specific class
+@mixin make-grid($class) {
+  @include float-grid-columns($class);
+  @include loop-grid-columns($grid-columns, $class, width);
+  @include loop-grid-columns($grid-columns, $class, pull);
+  @include loop-grid-columns($grid-columns, $class, push);
+  @include loop-grid-columns($grid-columns, $class, offset);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_grid.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_grid.scss
new file mode 100644
index 0000000000..6358016283
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_grid.scss
@@ -0,0 +1,122 @@
+// Grid system
+//
+// Generate semantic grid columns with these mixins.
+
+// Centered container element
+@mixin container-fixed($gutter: $grid-gutter-width) {
+  margin-right: auto;
+  margin-left: auto;
+  padding-left:  calc($gutter / 2);
+  padding-right: calc($gutter / 2);
+  @include clearfix();
+}
+
+// Creates a wrapper for a series of columns
+@mixin make-row($gutter: $grid-gutter-width) {
+  margin-left:  calc($gutter / -2);
+  margin-right: calc($gutter / -2);
+  @include clearfix();
+}
+
+// Generate the extra small columns
+@mixin make-xs-column($columns, $gutter: $grid-gutter-width) {
+  position: relative;
+  float: left;
+  width: percentage(($columns / $grid-columns));
+  min-height: 1px;
+  padding-left:  calc($gutter / 2);
+  padding-right: calc($gutter / 2);
+}
+@mixin make-xs-column-offset($columns) {
+  margin-left: percentage(($columns / $grid-columns));
+}
+@mixin make-xs-column-push($columns) {
+  left: percentage(($columns / $grid-columns));
+}
+@mixin make-xs-column-pull($columns) {
+  right: percentage(($columns / $grid-columns));
+}
+
+// Generate the small columns
+@mixin make-sm-column($columns, $gutter: $grid-gutter-width) {
+  position: relative;
+  min-height: 1px;
+  padding-left:  calc($gutter / 2);
+  padding-right: calc($gutter / 2);
+
+  @media (min-width: $screen-sm-min) {
+    float: left;
+    width: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-sm-column-offset($columns) {
+  @media (min-width: $screen-sm-min) {
+    margin-left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-sm-column-push($columns) {
+  @media (min-width: $screen-sm-min) {
+    left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-sm-column-pull($columns) {
+  @media (min-width: $screen-sm-min) {
+    right: percentage(calc($columns / $grid-columns));
+  }
+}
+
+// Generate the medium columns
+@mixin make-md-column($columns, $gutter: $grid-gutter-width) {
+  position: relative;
+  min-height: 1px;
+  padding-left:  ($gutter / 2);
+  padding-right: ($gutter / 2);
+
+  @media (min-width: $screen-md-min) {
+    float: left;
+    width: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-md-column-offset($columns) {
+  @media (min-width: $screen-md-min) {
+    margin-left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-md-column-push($columns) {
+  @media (min-width: $screen-md-min) {
+    left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-md-column-pull($columns) {
+  @media (min-width: $screen-md-min) {
+    right: percentage(calc($columns / $grid-columns));
+  }
+}
+
+// Generate the large columns
+@mixin make-lg-column($columns, $gutter: $grid-gutter-width) {
+  position: relative;
+  min-height: 1px;
+  padding-left:  ($gutter / 2);
+  padding-right: ($gutter / 2);
+
+  @media (min-width: $screen-lg-min) {
+    float: left;
+    width: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-lg-column-offset($columns) {
+  @media (min-width: $screen-lg-min) {
+    margin-left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-lg-column-push($columns) {
+  @media (min-width: $screen-lg-min) {
+    left: percentage(calc($columns / $grid-columns));
+  }
+}
+@mixin make-lg-column-pull($columns) {
+  @media (min-width: $screen-lg-min) {
+    right: percentage(calc($columns / $grid-columns));
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_hide-text.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_hide-text.scss
new file mode 100644
index 0000000000..c5a281ffa8
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_hide-text.scss
@@ -0,0 +1,21 @@
+// CSS image replacement
+//
+// Heads up! v3 launched with only `.hide-text()`, but per our pattern for
+// mixins being reused as classes with the same name, this doesn't hold up. As
+// of v3.0.1 we have added `.text-hide()` and deprecated `.hide-text()`.
+//
+// Source: https://github.com/h5bp/html5-boilerplate/commit/aa0396eae757
+
+// Deprecated as of v3.0.1 (will be removed in v4)
+@mixin hide-text() {
+  font: #{0/0} a;
+  color: transparent;
+  text-shadow: none;
+  background-color: transparent;
+  border: 0;
+}
+
+// New mixin to use as of v3.0.1
+@mixin text-hide() {
+  @include hide-text();
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_image.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_image.scss
new file mode 100644
index 0000000000..57d60a32d8
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_image.scss
@@ -0,0 +1,34 @@
+// Image Mixins
+// - Responsive image
+// - Retina image
+
+
+// Responsive image
+//
+// Keep images from scaling beyond the width of their parents.
+@mixin img-responsive($display: block) {
+  display: $display;
+  width: 100% \9; // Force IE10 and below to size SVG images correctly
+  max-width: 100%; // Part 1: Set a maximum relative to the parent
+  height: auto; // Part 2: Scale the height according to the width, otherwise you get stretching
+}
+
+
+// Retina image
+//
+// Short retina mixin for setting background-image and -size. Note that the
+// spelling of `min--moz-device-pixel-ratio` is intentional.
+@mixin img-retina($file-1x, $file-2x, $width-1x, $height-1x) {
+  background-image: url(if($bootstrap-sass-asset-helper, twbs-image-path("#{$file-1x}"), "#{$file-1x}"));
+
+  @media
+  only screen and (-webkit-min-device-pixel-ratio: 2),
+  only screen and (   min--moz-device-pixel-ratio: 2),
+  only screen and (     -o-min-device-pixel-ratio: 2/1),
+  only screen and (        min-device-pixel-ratio: 2),
+  only screen and (                min-resolution: 192dpi),
+  only screen and (                min-resolution: 2dppx) {
+    background-image: url(if($bootstrap-sass-asset-helper, twbs-image-path("#{$file-2x}"), "#{$file-2x}"));
+    background-size: $width-1x $height-1x;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_labels.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_labels.scss
new file mode 100644
index 0000000000..eda6dfd29e
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_labels.scss
@@ -0,0 +1,12 @@
+// Labels
+
+@mixin label-variant($color) {
+  background-color: $color;
+
+  &[href] {
+    &:hover,
+    &:focus {
+      background-color: darken($color, 10%);
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_list-group.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_list-group.scss
new file mode 100644
index 0000000000..5f05e7ba23
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_list-group.scss
@@ -0,0 +1,31 @@
+// List Groups
+
+@mixin list-group-item-variant($state, $background, $color) {
+  .list-group-item-#{$state} {
+    color: $color;
+    background-color: $background;
+
+    // [converter] extracted a& to a.list-group-item-#{$state}
+  }
+
+  a.list-group-item-#{$state} {
+    color: $color;
+
+    .list-group-item-heading {
+      color: inherit;
+    }
+
+    &:hover,
+    &:focus {
+      color: $color;
+      background-color: darken($background, 5%);
+    }
+    &.active,
+    &.active:hover,
+    &.active:focus {
+      color: #fff;
+      background-color: $color;
+      border-color: $color;
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_nav-divider.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_nav-divider.scss
new file mode 100644
index 0000000000..21f2cd5be6
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_nav-divider.scss
@@ -0,0 +1,10 @@
+// Horizontal dividers
+//
+// Dividers (basically an hr) within dropdowns and nav lists
+
+@mixin nav-divider($color: #e5e5e5) {
+  height: 1px;
+  margin: (calc($line-height-computed / 2) - 1) 0;
+  overflow: hidden;
+  background-color: $color;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_nav-vertical-align.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_nav-vertical-align.scss
new file mode 100644
index 0000000000..c774a327e2
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_nav-vertical-align.scss
@@ -0,0 +1,9 @@
+// Navbar vertical align
+//
+// Vertically center elements in the navbar.
+// Example: an element has a height of 30px, so write out `.navbar-vertical-align(30px);` to calculate the appropriate top margin.
+
+@mixin navbar-vertical-align($element-height) {
+  margin-top: calc(($navbar-height - $element-height) / 2);
+  margin-bottom: calc(($navbar-height - $element-height) / 2);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_opacity.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_opacity.scss
new file mode 100644
index 0000000000..df088adfe9
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_opacity.scss
@@ -0,0 +1,8 @@
+// Opacity
+
+@mixin opacity($opacity) {
+  opacity: $opacity;
+  // IE8 filter
+  $opacity-ie: ($opacity * 100);
+  filter: #{alpha(opacity=$opacity-ie)};
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_pagination.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_pagination.scss
new file mode 100644
index 0000000000..43fff6863d
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_pagination.scss
@@ -0,0 +1,23 @@
+// Pagination
+
+@mixin pagination-size($padding-vertical, $padding-horizontal, $font-size, $border-radius) {
+  > li {
+    > a,
+    > span {
+      padding: $padding-vertical $padding-horizontal;
+      font-size: $font-size;
+    }
+    &:first-child {
+      > a,
+      > span {
+        @include border-left-radius($border-radius);
+      }
+    }
+    &:last-child {
+      > a,
+      > span {
+        @include border-right-radius($border-radius);
+      }
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_panels.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_panels.scss
new file mode 100644
index 0000000000..3ff31ae51e
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_panels.scss
@@ -0,0 +1,24 @@
+// Panels
+
+@mixin panel-variant($border, $heading-text-color, $heading-bg-color, $heading-border) {
+  border-color: $border;
+
+  & > .panel-heading {
+    color: $heading-text-color;
+    background-color: $heading-bg-color;
+    border-color: $heading-border;
+
+    + .panel-collapse > .panel-body {
+      border-top-color: $border;
+    }
+    .badge {
+      color: $heading-bg-color;
+      background-color: $heading-text-color;
+    }
+  }
+  & > .panel-footer {
+    + .panel-collapse > .panel-body {
+      border-bottom-color: $border;
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_progress-bar.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_progress-bar.scss
new file mode 100644
index 0000000000..3275ea33d4
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_progress-bar.scss
@@ -0,0 +1,10 @@
+// Progress bars
+
+@mixin progress-bar-variant($color) {
+  background-color: $color;
+
+  // Deprecated parent class requirement as of v3.2.0
+  .progress-striped & {
+    @include gradient-striped();
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_reset-filter.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_reset-filter.scss
new file mode 100644
index 0000000000..bf73051200
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_reset-filter.scss
@@ -0,0 +1,8 @@
+// Reset filters for IE
+//
+// When you need to remove a gradient background, do not forget to use this to reset
+// the IE filter for IE9 and below.
+
+@mixin reset-filter() {
+  filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_resize.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_resize.scss
new file mode 100644
index 0000000000..83fa637917
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_resize.scss
@@ -0,0 +1,6 @@
+// Resize anything
+
+@mixin resizable($direction) {
+  resize: $direction; // Options: horizontal, vertical, both
+  overflow: auto; // Per CSS3 UI, `resize` only applies when `overflow` isn't `visible`
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_responsive-visibility.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_responsive-visibility.scss
new file mode 100644
index 0000000000..9867db013d
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_responsive-visibility.scss
@@ -0,0 +1,21 @@
+// Responsive utilities
+
+//
+// More easily include all the states for responsive-utilities.less.
+// [converter] $parent hack
+@mixin responsive-visibility($parent) {
+  #{$parent} {
+    display: block !important;
+  }
+  table#{$parent}  { display: table; }
+  tr#{$parent}     { display: table-row !important; }
+  th#{$parent},
+  td#{$parent}     { display: table-cell !important; }
+}
+
+// [converter] $parent hack
+@mixin responsive-invisibility($parent) {
+  #{$parent} {
+    display: none !important;
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_size.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_size.scss
new file mode 100644
index 0000000000..abbe2463ce
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_size.scss
@@ -0,0 +1,10 @@
+// Sizing shortcuts
+
+@mixin size($width, $height) {
+  width: $width;
+  height: $height;
+}
+
+@mixin square($size) {
+  @include size($size, $size);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_tab-focus.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_tab-focus.scss
new file mode 100644
index 0000000000..7df0ae7ca1
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_tab-focus.scss
@@ -0,0 +1,9 @@
+// WebKit-style focus
+
+@mixin tab-focus() {
+  // Default
+  outline: thin dotted;
+  // WebKit
+  outline: 5px auto -webkit-focus-ring-color;
+  outline-offset: -2px;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_table-row.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_table-row.scss
new file mode 100644
index 0000000000..136795081e
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_table-row.scss
@@ -0,0 +1,28 @@
+// Tables
+
+@mixin table-row-variant($state, $background) {
+  // Exact selectors below required to override `.table-striped` and prevent
+  // inheritance to nested tables.
+  .table > thead > tr,
+  .table > tbody > tr,
+  .table > tfoot > tr {
+    > td.#{$state},
+    > th.#{$state},
+    &.#{$state} > td,
+    &.#{$state} > th {
+      background-color: $background;
+    }
+  }
+
+  // Hover states for `.table-hover`
+  // Note: this is not available for cells or rows within `thead` or `tfoot`.
+  .table-hover > tbody > tr {
+    > td.#{$state}:hover,
+    > th.#{$state}:hover,
+    &.#{$state}:hover > td,
+    &:hover > .#{$state},
+    &.#{$state}:hover > th {
+      background-color: darken($background, 5%);
+    }
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_text-emphasis.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_text-emphasis.scss
new file mode 100644
index 0000000000..1101e03662
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_text-emphasis.scss
@@ -0,0 +1,11 @@
+// Typography
+
+// [converter] $parent hack
+@mixin text-emphasis-variant($parent, $color) {
+  #{$parent} {
+    color: $color;
+  }
+  a#{$parent}:hover {
+    color: darken($color, 10%);
+  }
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_text-overflow.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_text-overflow.scss
new file mode 100644
index 0000000000..1593b25ea5
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_text-overflow.scss
@@ -0,0 +1,8 @@
+// Text overflow
+// Requires inline-block or block for proper styling
+
+@mixin text-overflow() {
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_vendor-prefixes.scss b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_vendor-prefixes.scss
new file mode 100644
index 0000000000..f91f57686d
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/assets/stylesheets/bootstrap/mixins/_vendor-prefixes.scss
@@ -0,0 +1,219 @@
+// Vendor Prefixes
+//
+// All vendor mixins are deprecated as of v3.2.0 due to the introduction of
+// Autoprefixer in our Gruntfile. They will be removed in v4.
+
+// - Animations
+// - Backface visibility
+// - Box shadow
+// - Box sizing
+// - Content columns
+// - Hyphens
+// - Placeholder text
+// - Transformations
+// - Transitions
+// - User Select
+
+
+// Animations
+@mixin animation($animation) {
+  -webkit-animation: $animation;
+       -o-animation: $animation;
+          animation: $animation;
+}
+@mixin animation-name($name) {
+  -webkit-animation-name: $name;
+          animation-name: $name;
+}
+@mixin animation-duration($duration) {
+  -webkit-animation-duration: $duration;
+          animation-duration: $duration;
+}
+@mixin animation-timing-function($timing-function) {
+  -webkit-animation-timing-function: $timing-function;
+          animation-timing-function: $timing-function;
+}
+@mixin animation-delay($delay) {
+  -webkit-animation-delay: $delay;
+          animation-delay: $delay;
+}
+@mixin animation-iteration-count($iteration-count) {
+  -webkit-animation-iteration-count: $iteration-count;
+          animation-iteration-count: $iteration-count;
+}
+@mixin animation-direction($direction) {
+  -webkit-animation-direction: $direction;
+          animation-direction: $direction;
+}
+@mixin animation-fill-mode($fill-mode) {
+  -webkit-animation-fill-mode: $fill-mode;
+          animation-fill-mode: $fill-mode;
+}
+
+// Backface visibility
+// Prevent browsers from flickering when using CSS 3D transforms.
+// Default value is `visible`, but can be changed to `hidden`
+
+@mixin backface-visibility($visibility){
+  -webkit-backface-visibility: $visibility;
+     -moz-backface-visibility: $visibility;
+          backface-visibility: $visibility;
+}
+
+// Drop shadows
+//
+// Note: Deprecated `.box-shadow()` as of v3.1.0 since all of Bootstrap's
+// supported browsers that have box shadow capabilities now support it.
+
+@mixin box-shadow($shadow...) {
+  -webkit-box-shadow: $shadow; // iOS <4.3 & Android <4.1
+          box-shadow: $shadow;
+}
+
+// Box sizing
+@mixin box-sizing($boxmodel) {
+  -webkit-box-sizing: $boxmodel;
+     -moz-box-sizing: $boxmodel;
+          box-sizing: $boxmodel;
+}
+
+// CSS3 Content Columns
+@mixin content-columns($column-count, $column-gap: $grid-gutter-width) {
+  -webkit-column-count: $column-count;
+     -moz-column-count: $column-count;
+          column-count: $column-count;
+  -webkit-column-gap: $column-gap;
+     -moz-column-gap: $column-gap;
+          column-gap: $column-gap;
+}
+
+// Optional hyphenation
+@mixin hyphens($mode: auto) {
+  word-wrap: break-word;
+  -webkit-hyphens: $mode;
+     -moz-hyphens: $mode;
+      -ms-hyphens: $mode; // IE10+
+       -o-hyphens: $mode;
+          hyphens: $mode;
+}
+
+// Placeholder text
+@mixin placeholder($color: $input-color-placeholder) {
+  &::-moz-placeholder           { color: $color;   // Firefox
+                                  opacity: 1; } // See https://github.com/twbs/bootstrap/pull/11526
+  &:-ms-input-placeholder       { color: $color; } // Internet Explorer 10+
+  &::-webkit-input-placeholder  { color: $color; } // Safari and Chrome
+}
+
+// Transformations
+@mixin scale($ratio...) {
+  -webkit-transform: scale($ratio);
+      -ms-transform: scale($ratio); // IE9 only
+       -o-transform: scale($ratio);
+          transform: scale($ratio);
+}
+
+@mixin scaleX($ratio) {
+  -webkit-transform: scaleX($ratio);
+      -ms-transform: scaleX($ratio); // IE9 only
+       -o-transform: scaleX($ratio);
+          transform: scaleX($ratio);
+}
+@mixin scaleY($ratio) {
+  -webkit-transform: scaleY($ratio);
+      -ms-transform: scaleY($ratio); // IE9 only
+       -o-transform: scaleY($ratio);
+          transform: scaleY($ratio);
+}
+@mixin skew($x, $y) {
+  -webkit-transform: skewX($x) skewY($y);
+      -ms-transform: skewX($x) skewY($y); // See https://github.com/twbs/bootstrap/issues/4885; IE9+
+       -o-transform: skewX($x) skewY($y);
+          transform: skewX($x) skewY($y);
+}
+@mixin translate($x, $y) {
+  -webkit-transform: translate($x, $y);
+      -ms-transform: translate($x, $y); // IE9 only
+       -o-transform: translate($x, $y);
+          transform: translate($x, $y);
+}
+@mixin translate3d($x, $y, $z) {
+  -webkit-transform: translate3d($x, $y, $z);
+          transform: translate3d($x, $y, $z);
+}
+@mixin rotate($degrees) {
+  -webkit-transform: rotate($degrees);
+      -ms-transform: rotate($degrees); // IE9 only
+       -o-transform: rotate($degrees);
+          transform: rotate($degrees);
+}
+@mixin rotateX($degrees) {
+  -webkit-transform: rotateX($degrees);
+      -ms-transform: rotateX($degrees); // IE9 only
+       -o-transform: rotateX($degrees);
+          transform: rotateX($degrees);
+}
+@mixin rotateY($degrees) {
+  -webkit-transform: rotateY($degrees);
+      -ms-transform: rotateY($degrees); // IE9 only
+       -o-transform: rotateY($degrees);
+          transform: rotateY($degrees);
+}
+@mixin perspective($perspective) {
+  -webkit-perspective: $perspective;
+     -moz-perspective: $perspective;
+          perspective: $perspective;
+}
+@mixin perspective-origin($perspective) {
+  -webkit-perspective-origin: $perspective;
+     -moz-perspective-origin: $perspective;
+          perspective-origin: $perspective;
+}
+@mixin transform-origin($origin) {
+  -webkit-transform-origin: $origin;
+     -moz-transform-origin: $origin;
+      -ms-transform-origin: $origin; // IE9 only
+          transform-origin: $origin;
+}
+
+
+// Transitions
+
+@mixin transition($transition...) {
+  -webkit-transition: $transition;
+       -o-transition: $transition;
+          transition: $transition;
+}
+@mixin transition-property($transition-property...) {
+  -webkit-transition-property: $transition-property;
+          transition-property: $transition-property;
+}
+@mixin transition-delay($transition-delay) {
+  -webkit-transition-delay: $transition-delay;
+          transition-delay: $transition-delay;
+}
+@mixin transition-duration($transition-duration...) {
+  -webkit-transition-duration: $transition-duration;
+          transition-duration: $transition-duration;
+}
+@mixin transition-timing-function($timing-function) {
+  -webkit-transition-timing-function: $timing-function;
+          transition-timing-function: $timing-function;
+}
+@mixin transition-transform($transition...) {
+  -webkit-transition: -webkit-transform $transition;
+     -moz-transition: -moz-transform $transition;
+       -o-transition: -o-transform $transition;
+          transition: transform $transition;
+}
+
+
+// User select
+// For selecting text on the page
+
+@mixin user-select($select) {
+  -webkit-user-select: $select;
+     -moz-user-select: $select;
+      -ms-user-select: $select; // IE10+
+          user-select: $select;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/black/default_scheme.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/black/default_scheme.css
new file mode 100644
index 0000000000..2ee93ae03c
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/black/default_scheme.css
@@ -0,0 +1,380 @@
+:root
+{
+    /* theme black, flexcolor */
+    /* main colors */
+    --pfore: #E6E6E6; /* main textcolor */
+    --pforehover: #FFFFFF; /* primary text hover */
+    --pforemuted: #B1B1B1; /* muted text */
+    --pforeinverse: #181E25; /* main textcolor inverse */
+    --pforeinversehover: #232323; /* main textcolor inverse hover */
+    --pback: #000000; /* primary background */
+    --pbackmuted: #E6E6E6; /* primary background */
+    --pbackinverse: #E6E6E6; /* primary background inverse */
+    --pbackhover: #232323; /* primary background hover*/
+    --sfore: #A3A3A3; /*second background */
+    --sback: #000000; /* second background #FAF9F6*/
+    --stdborder: #515151; /* standard border */
+    --stdborderfore: #E6E6E6; /* standard border with accent*/
+    --stdborderprimary: #336CDF; /* standard border with accent*/
+    --stdborderinverse: #000000; /* standard border with accent*/
+    --stdborder50bright: #A1A1A1; /* standard border with accent*/
+    --badgeback: #E6E6E6; /* badge background & progress-bar & blockquote*/
+    --progressbar: #D4D4D4; /* progress-bar*/
+    --token: #AF3604; /* background token */
+    --highlighted: #FFFFFF; /* highlighted element */
+    /* bootstrap */
+    /* bootstrap titlebar */
+    --bsheadfore: #E6E6E6;
+    --bsheadback: #000000;
+    --bsbodyfore: #E6E6E6;
+    --bsbodyback: #000000;
+    /* jquery-bootgrid */
+    --jqueryfore: #E6E6E6;
+    --jqueryback: #000000;
+    --jquerybarfore: #E6E6E6;
+    --jquerybarback: #1F57C6;
+    --jquerybarborder: #1F57C6;
+    /* login,(complete indepent, despite textboxes) */
+    --loginback: #000000; /* loginscreen background */
+    --loginboxtitle: #E6E6E6; /* loginscreen boxtitle */
+    --logindatefore: #E6E6E6; /* loginscreen textcolor */
+    --loginheadback: #000000; /* login-dialogbox head background */
+    --loginboxback: #000000; /* login-dialogbox background */
+    --loginboxfore: #E6E6E6; /* Login-dialogbox textcolor */
+    /* textbox (all kinds, tokenize, listbox, textbox, bootstrap select */
+    /* foreground */
+    --txtboxfore: #E6E6E6;
+    --txtboxforehover: #336CDF;
+    --txtboxforeactive: #336CDF;
+    --txtboxforeinverse: #E6E6E6;
+    --txtboxforedisabled: #E6E6E6;
+    --txtboxforetoken: #E6E6E6; /* only tokenize, pending delete */
+    --txtboxforedel: #E6E6E6; /* only tokenize, pending delete */
+    --txtboxforedismiss: #E6E6E6; /* only tokenize, dismiss */
+    --txtboxforeplaceholder: #E6E6E6;
+    /* background */
+    --txtboxback: #000000;
+    --txtboxbackhover: #000000;
+    --txtboxbackactive: #000000;
+    --txtboxbackdisabled: #000000;
+    --txtboxbacktoken: #E65C00;
+    --txtboxbackdel: #FF5252; /* only tokenize, pending delete */
+    --txtboxbackdismiss: #F2F7FD; /* only tokenize, dismiss */
+    /* border */
+    --txtboxborder: #E6E6E6;
+    --txtboxborderhover: #1C4DB0;
+    --txtboxborderactive: #336CDF;
+    --txtboxborderdisabled: #515151;
+    --txtboxbordertoken: #000000;
+    --txtboxborderdel: #E6E6E6; /* only tokenize, pending delete */
+    --txtboxborderdismiss: #E6E6E6; /* only tokenize, dismiss */
+    /* page */
+    --pagefore: #E6E6E6; /* text color page */
+    --pageback: #000000; /* backround color page */
+    --pageborder: #E6E6E6; /* border color page */
+    --headlineback: #000000; /*background headline box*/
+    --headlinebackshadow: 2px 2px 1px 0px rgba(0, 0, 0, 0); /* shadow headlinebackgroundbox */
+    /* navigation sidebar (complete independent) */
+    /* unselected */
+    --sdbarfore: #E6E6E6; /*textcolor navigation sidebar */
+    --sdbarback: #000000; /*background unselected navigation sidebar */
+    --sdbarhoverback: #000000; /* background sidebar hover */
+    --sdbarhoverfore: #D66E12; /* textcolor sidebar hover */
+    --sdbaractback: #1C1C1C; /* active menu #ECE7E2, #FFEDF5, #E5F4FF, #FFFBE5, #F5F5DC, #F2F2F2, #FFFACD */
+    --navbarinverse: #000000; /* navtab */
+    --navbarinversefore: #336CDF; /* navtab */
+    --navbaractivebefore: #FA6121; /*sidebar active before */
+    /* special  characters */
+    --link: #FA6121; /* OPNsense text login and links */
+    --linkhover: #E04605; /* OPNsense text login and links hover */
+    /* accents */
+    --primary: #336CDF; /* primary accent */
+    --primaryhover: #608DE6; /* primary accent hover */
+    --info: #008CDD; /* info accent */
+    --infohover: #0FA7FF; /* info accent hover */
+    --success: #388E3C; /* success accent */
+    --successhover: #47B34C; /* success accent hover */
+    --warning: #D66E12; /* warning accent */
+    --warninghover: #ED862B; /* warning accent hover */
+    --danger: #FF5252; /* danger accent */
+    --dangerhover: #BE2326FF8585; /* danger accent hover */
+    /* buttons (complete (independent) */
+    /* unselected */
+    --btnfore: #E6E6E6; /* textcolor */
+    --btnback: #000000; /* background */
+    --btnborder: #E6E6E6; /* border */
+    /* hover */
+    --btnforehover: #E6E6E6; /* textcolor hover*/
+    --btnbackhover: #000000; /* background hover*/
+    --btnborderhover: #336CDF; /* border hover */
+    /* active */
+    --btnforeactive: #336CDF; /* textcolor active*/
+    --btnbackactive: #000000; /* background active*/
+    --btnborderactive: #336CDF; /* border active */
+    /* disabled */
+    --btnforedisabled: #999999; /* textcolor disabled*/
+    --btnbackdisabled: #000000; /* background disabled*/
+    /* badge */
+    --btnforebadge: #000000; /* textcolor badge*/
+    --btnbackbadge: #000000; /* background badge*/
+    --btnborderbadge: #000000; /* border badge */
+    /* default button */
+    /* unselected */
+    --dfbtnfore: #E6E6E6; /* textcolor */
+    --dfbtnback: #000000; /* background */
+    --dfbtnborder: #E6E6E6; /* border */
+    /* hover */
+    --dfbtnforehover: #E6E6E6; /* textcolor hover*/
+    --dfbtnbackhover: #000000; /* background hover*/
+    --dfbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --dfbtnforeactive: #336CDF; /* textcolor active*/
+    --dfbtnbackactive: #000000; /* background active*/
+    --dfbtnborderactive: #336CDF; /* border active */
+    /* disabled */
+    --dfbtnforedisabled: #999999; /* textcolor disabled*/
+    --dfbtnbackdisabled: #000000; /* background disabled*/
+    --dfbtnborderdisabled: #E6E6E6; /* border disabled */
+    /* Badge */
+    --dfbtnforebadge: #000000; /* textcolor badge, traffic badge textcolor*/
+    --dfbtnbackbadge: #E6E6E6; /* background badge*/
+    --dfbtnborderbadge: #000000; /* border badge */
+    /* primary button */
+    /* unselected */
+    --pbtnfore: #E6E6E6; /* textcolor */
+    --pbtnback: #000000; /* background */
+    --pbtnborder: #336CDF; /* border */
+    /* hover */
+    --pbtnforehover: #336CDF; /* textcolor hover*/
+    --pbtnbackhover: #000000; /* background hover*/
+    --pbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --pbtnforeactive: #336CDF; /* textcolor active*/
+    --pbtnbackactive: #000000; /* background active*/
+    --pbtnborderactive: #336CDF; /* border active */
+    /* disabled */
+    --pbtnforedisabled: #999999; /* textcolor disabled*/
+    --pbtnbackdisabled: #000000; /* background disabled*/
+    --pbtnborderdisabled: #635D55; /* border disabled */
+    /* badge */
+    --pbtnforebadge: #000000; /* textcolor badge*/
+    --pbtnbackbadge: #000000; /* background badge*/
+    --pbtnborderbadge: #000000; /* border badge */
+    /* info button */
+    /* unselected */
+    --ibtnfore: #008CDD; /* textcolor */
+    --ibtnback: #000000; /* background */
+    --ibtnborder: #008CDD; /* border */
+    /* hover */
+    --ibtnforehover: #E6E6E6; /* textcolor hover*/
+    --ibtnbackhover: #000000; /* background hover*/
+    --ibtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --ibtnforeactive: #336CDF; /* textcolor active*/
+    --ibtnbackactive: #000000; /* background active*/
+    --ibtnborderactive: #008CDD; /* border active */
+    /* disabled */
+    --ibtnforedisabled: #999999; /* textcolor disabled*/
+    --ibtnbackdisabled: #000000; /* background disabled*/
+    --ibtnborderdisabled: #515151; /* border disabled */
+    /* badge */
+    --ibtnforebadge: #008CDD; /* textcolor badge*/
+    --ibtnbackbadge: #000000; /* background badge*/
+    --ibtnborderbadge: #000000; /* border badge */
+    /* success button */
+    /* unselected */
+    --sbtnfore: #388E3C; /* textcolor */
+    --sbtnback: #000000; /* background */
+    --sbtnborder: #388E3C; /* border */
+    /* hover */
+    --sbtnforehover: #E6E6E6; /* textcolor hover*/
+    --sbtnbackhover: #000000; /* background hover*/
+    --sbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --sbtnforeactive: #336CDF; /* textcolor active*/
+    --sbtnbackactive: #000000; /* background active*/
+    --sbtnborderactive: #388E3C; /* border active */
+    /* disabled */
+    --sbtnforedisabled: #999999; /* textcolor disabled*/
+    --sbtnbackdisabled: #000000; /* background disabled*/
+    --sbtnborderdisabled: #31C234; /* border disabled */
+    /* badge */
+    --sbtnforebadge: #388E3C; /* textcolor badge*/
+    --sbtnbackbadge: #000000; /* background badge*/
+    --sbtnborderbadge: #000000; /* border badge */
+    /* warning button */
+    /* unselected */
+    --wbtnfore: #D66E12; /* textcolor */
+    --wbtnback: #000000; /* background */
+    --wbtnborder: #D66E12; /* border */
+    /* hover */
+    --wbtnforehover: #E6E6E6; /* textcolor hover*/
+    --wbtnbackhover: #000000; /* background hover*/
+    --wbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --wbtnforeactive: #336CDF; /* textcolor active*/
+    --wbtnbackactive: #000000; /* background active*/
+    --wbtnborderactive: #D66E12; /* border active */
+    /* disabled */
+    --wbtnforedisabled: #999999; /* textcolor disabled*/
+    --wbtnbackdisabled: #000000; /* background disabled*/
+    --wbtnborderdisabled: #515151; /* border disabled */
+    /* badge */
+    --wbtnforebadge: #D66E12; /* textcolor badge*/
+    --wbtnbackbadge: #000000; /* background badge*/
+    --wbtnborderbadge: #000000; /* border badge */
+    /* danger button */
+    /* unselected */
+    --dbtnfore: #FF5252; /* textcolor */
+    --dbtnback: #000000; /* background */
+    --dbtnborder: #FF5252; /* border */
+    /* hover */
+    --dbtnforehover: #E6E6E6; /* textcolor hover*/
+    --dbtnbackhover: #000000; /* background hover*/
+    --dbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --dbtnforeactive: #336CDF; /* textcolor active*/
+    --dbtnbackactive: #000000; /* background active*/
+    --dbtnborderactive: #FF5252; /* border active */
+    /* disabled */
+    --dbtnforedisabled: #999999; /* textcolor disabled*/
+    --dbtnbackdisabled: #000000; /* background disabled*/
+    --dbtnborderdisabled: #515151; /* border disabled */
+    /* badge */
+    --dbtnforebadge: #FF5252; /* textcolor badge*/
+    --dbtnbackbadge: #000000; /* background badge*/
+    --dbtnborderbadge: #000000; /* border badge */
+    /* link button */
+    /* unselected */
+    --lbtnfore: #336CDF; /* textcolor */
+    --lbtnback: #000000; /* background */
+    --lbtnborder: #E6E6E6; /* border */
+    /* hover */
+    --lbtnforehover: #437CEF; /* textcolor hover*/
+    --lbtnbackhover: #000000; /* background hover*/
+    --lbtnborderhover: #E6E6E6; /* border hover */
+    /* active */
+    --lbtnforeactive: #437CEF; /* textcolor active*/
+    --lbtnbackactive: transparent; /* background active*/
+    --lbtnborderactive: #E6E6E6; /* border active */
+    /* disabled */
+    --lbtnforedisabled: #999999; /* textcolor disabled*/
+    --lbtnbackdisabled: #515151; /* background disabled*/
+    --lbtnborderdisabled: #515151; /* border disabled */
+    /* navtabs (complete independent) */
+    /* active */
+    --navtabforeactive: #336CDF; /* textcolor active navtab */
+    --navtabbackactive: #000000; /* background active navtab */
+    --navtabborderactive: #336CDF; /* border active navtab */
+    /* inactive */
+    --navtabforeinactive: #E6E6E6; /* textcolor inactive navtab */
+    --navtabbackinactive: #000000; /* background inactive navtab */
+    --navtabborderinactive: #E6E6E6; /* border inactive navtab */
+    /* hover */
+    --navtabforehover: #E6E6E6; /* textcolor navtab hover */
+    --navtabbackhover: #000000; /* background navtab hover */
+    --navtabborderhover: #336CDF; /* border navtab hover */
+    /* tabulator (complete independent) */
+    /* tabulator frame foot background */
+    --tbfback: #000000;
+    /* tabulator header */
+    --tbheadfore: #E6E6E6; /* background */
+    --tbheadback: #1F1F1F; /* background */
+    --tbheadbackhover: #1F1F1F; /* background hover*/
+    --tbborder: #515151; /* border color headline */
+    /* tabulator body */
+    --tbbodybackhover: #333333; /* first row hover*/
+    --tbbordertable: #515151; /* border color table */
+    /* odd row */
+    --tbrowforeodd: #E6E6E6; /* background */
+    --tbrowbackodd: #000000; /* background */
+    /* even row */
+    --tbrowforeeven: #E6E6E6; /* background */
+    --tbrowbackeven: #000000; /* background */
+    /* tabulator footer */
+    /* unselected */
+    --tffore: #E6E6E6; /* textcolor */
+    --tfback: #000000; /* background */
+    --tfborder: #E6E6E6; /* border */
+    /* hover */
+    --tfforehover: #E6E6E6; /* textcolor hover*/
+    --tfbackhover: #000000; /* border hover */
+    --tfborderhover: #336CDF; /* textcolor hover*/
+    /* active */
+    --tfforeactive: #336CDF; /* textcolor active*/
+    --tfbackactive: #000000; /* background active*/
+    --tfborderactive: #336CDF; /* border active */
+    /* active hover*/
+    --tfforeactivehover: #467ECF; /* textcolor active*/
+    --tfbackactivehover: #000000; /* background active*/
+    --tfborderactivehover: #467CCF; /* border active */
+    /* panel, example: Reporting health */
+    --panelbody: #000000; /* panel body background*/
+    --panelheading: #000000; /* panel heading background*/
+    --panelheadingfore: #E6E6E6; /* panel heading textcolor*/
+    --panelfooter: #000000; /* panel footer */
+    --panelinfo: #E6E6E6; /* panel info, example wait circle */
+    /* content-box, example report traffic*/
+    --contentboxfore: #E6E6E6; /* content-box foreground and tabulator frame head background*/
+    --contentboxback: #000000; /* content-box background and tabulator frame head background*/
+    /* table */
+    --tableheadfore: #E6E6E6; /* textcolor table head */
+    --tablelegend: #E6E6E6;
+    --tableborder: #515151; /* background table in a table */
+    /* table not stripe */
+    --tablefore: #E6E6E6; /* textcolor table */
+    --tableback: #000000; /* background table */
+    /* table stripe */
+    --tablestripeback: #000000; /* alternative background table */
+    /* table inside a table */
+    --tabletablefore: #E6E6E6; /* headline table in a table */
+    --tabletableback: #000000; /* background table in a table */
+    /* scrollbar */
+    --scbarcolor: #4D4D4D #000000; /* scrollbarcolor: foreground vs background, the following colors are not important */
+    --scbarborder: #515151; /* bordercolor scrollbar*/
+    --scbar: #4D4D4D; /* scrollbar foreground*/
+    --scbarhover: #5D5D5D; /* scrollbar foreground hover*/
+    --scbarbutton: #4D4D4D; /* scrollbar button*/
+    /* unbound (complete independent) */
+    --unbiconsback: rgba(33,33,33,0.9); /* large icons on tabs */
+    --unbfore1: #E6E6E6; /* main text 1 */
+    --unbback1: #1F1F1F; /* background 1 */
+    --unbfore2: #008CDD; /* main text 2 */
+    --unbback2: #1F1F1F; /* background 2 */
+    --unbborder: #4D4D4D; /* unbound-border */
+    --unbborderactive: #336CDF; /* unbound-border active */
+    --unbsuccess: rgba(16,175,66,0.4); /* unbound detail background success */
+    --unbsuccessfore: rgba(241,241,241,1); /* unbound textcolor success */
+    --unbinfo: rgba(51,108,223,0.4); /* unbound detail background info */
+    --unbinfofore: rgba(241,241,241,1); /* unbound textcolor info */
+    --unbdanger: rgba(239,48,64,0.6); /* unbound detail background danger */
+    --unbdangerfore: rgba(241,241,241,1); /* unbound textcolor danger */
+    --unbwarning: rgba(219,57,61,0.4); /* unbound detail background warning */
+    --unbwarningfore: rgba(241,241,241,1,1); /* unbound textcolor warning */
+    --unberror: rgba(18,19,19,0); /* unbound detail background error */
+    --unberrorfore: rgba(162,17,42,1); /* unbound textcolor error */
+    --unbshadow: rgba(47,47,47,.8); /* unbound overview circle shadow */
+    /* dashboard, (independent, despite the buttons on the top ) */
+    --dbfore: #E6E6E6; /* textcolor dashboard */
+    --dbback: #000000; /* background color dashboard */
+    --dbbackhover: #000000; /* background color dashboard */
+    --dbborder: rgba(80,80,80,1); /* bordercolor dashboard */
+    --dbchartfore: rgba(241,241,241,1); /* textcolor dashboard charts */
+    --dbchartborder: rgba(61,61,61,1); /* bordercolor dashboard charts*/
+    --dbtoolfore: #000000; /* textcolor tooltip dashboard */
+    --dbtoolback: rgba(241, 241, 241, 0.9); /*background color tooltip */
+    /* graph */
+    --graphfore: #E6E6E6;
+    --graphback: #000000;
+    --nv3daxis: #E6E6E6;
+    /* rgb */
+    --rgb50: rgba(255,255,255,0,5);
+    --rgbshadowdark: rgba(255,255,255,.1);
+    --bootstrapshadow: rgba(204, 204, 204, 0.2);
+    --boxshadow: inset 0 1px 1px rgba(255,255,255,0.075);
+    --btnshadow1: inset 0 1px 1px rgba(25, 57, 183, 0.075);
+    --btnshadow2: 0 0 8px rgba(25, 57, 183, 0.6);
+    --progresshadow: inset 0px 1px 2px 1px rgb(217, 217, 217);
+    --progresshadow2: 0 5px 10px rgb(255, 255, 255, 0.1);
+    --mozshadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5)
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/darklight/default_scheme.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/darklight/default_scheme.css
new file mode 100644
index 0000000000..5522478e3f
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/darklight/default_scheme.css
@@ -0,0 +1,380 @@
+:root
+{
+    /* theme darklight, flexcolor */
+    /* main colors */
+    --pfore: #181E25; /* main textcolor */
+    --pforehover: #323F4D; /* primary text hover */
+    --pforemuted: #748AA5; /* muted text */
+    --pforeinverse: #F2F7FD; /* main textcolor inverse */
+    --pforeinversehover: #D9E1EB; /* main textcolor inverse */
+    --pback: #F2F7FD; /* primary background */
+    --pbackmuted: #999999; /* primary background */
+    --pbackinverse: #181E25; /* primary background inverse */
+    --pbackhover: #D9E1EB; /* primary background hover*/
+    --sfore: #242D38; /*second background hover */
+    --sback: #DBE8F9; /* second background #FAF9F6*/
+    --stdborder: #647D9B; /* standard border */
+    --stdborderfore: #F2F7FD; /* standard border with accent*/
+    --stdborderprimary: #FA6121; /* standard border with accent*/
+    --stdborderinverse: #647D9B; /* standard border with accent*/
+    --stdborder50bright: #A2B1C3; /* standard border with accent*/
+    --badgeback: #FFC59E; /* badge background & progress-bar & blockquote*/
+    --progressbar: #181E25; /* progress-bar*/
+    --token: #FA6121; /* background token */
+    --highlighted: #FFFFFF; /* highlighted element */
+    /* bootstrap */
+    /* bootstrap titlebar */
+    --bsheadfore: #181E25;
+    --bsheadback: #F2F7FD;
+    --bsbodyfore: #F2F7FD;
+    --bsbodyback: #242D38;
+    /* jquery-bootgrid */
+    --jqueryfore: #181E25;
+    --jqueryback: #F2F7FD;
+    --jquerybarfore: #F2F7FD;
+    --jquerybarback: #FA6121;
+    --jquerybarborder: #FA6121;
+    /* login,(complete indepent, despite textboxes) */
+    --loginback: #101720; /* loginscreen background */
+    --loginboxtitle: #F2F7FD; /* loginscreen boxtitle */
+    --logindatefore: #F2F7FD; /* loginscreen textcolor */
+    --loginheadback: #181E25; /* login-dialogbox head background */
+    --loginboxback: #181E25; /* login-dialogbox background */
+    --loginboxfore: #181E25; /* Login-dialogbox textcolor */
+    /* textbox (all kinds, tokenize, listbox, textbox, bootstrap select */
+    /* foreground */
+    --txtboxfore: #181E25;
+    --txtboxforehover: #FA6121;
+    --txtboxforeactive: #FA6121;
+    --txtboxforeinverse: #181E25;
+    --txtboxforedisabled: #F2F7FD;
+    --txtboxforetoken: #181E25; /* only tokenize, pending delete */
+    --txtboxforedel: #181E25; /* only tokenize, pending delete */
+    --txtboxforedismiss: #181E25; /* only tokenize, dismiss */
+    --txtboxforeplaceholder: #181E25;
+    /* background */
+    --txtboxback: #F2F7FD;
+    --txtboxbackhover: #F2F7FD;
+    --txtboxbackactive: #F2F7FD;
+    --txtboxbackdisabled: #181E25;
+    --txtboxbacktoken: #FFC59E;
+    --txtboxbackdel: #DB393D; /* only tokenize, pending delete */
+    --txtboxbackdismiss: #F2F7FD; /* only tokenize, dismiss */
+    /* border */
+    --txtboxborder: #181E25;
+    --txtboxborderhover: #F94E06;
+    --txtboxborderactive: #FA6121;
+    --txtboxborderdisabled: #647D9B;
+    --txtboxbordertoken: #181E25;
+    --txtboxborderdel: #F2F7FD; /* only tokenize, pending delete */
+    --txtboxborderdismiss: #F2F7FD; /* only tokenize, dismiss */
+    /* page */
+    --pagefore: #F2F7FD; /* text color page */
+    --pageback: #242D38; /* backround color page */
+    --pageborder: #DBE8F9; /* border color page */
+    --headlineback: #242D38; /*background headline box*/
+    --headlinebackshadow: 2px 2px 1px 0px rgba(0, 0, 0, 0); /* shadow headlinebackgroundbox */
+    /* navigation sidebar (complete independent) */
+    /* unselected */
+    --sdbarfore: #DBE8F9; /*textcolor navigation sidebar */
+    --sdbarback: #181E25; /*background unselected navigation sidebar */
+    --sdbarhoverback: #2C3744; /* background sidebar hover */
+    --sdbarhoverfore: #FA6121; /* textcolor sidebar hover */
+    --sdbaractback: #3E4E60; /* active menu */
+    --navbarinverse: #222B35; /* navtab */
+    --navbarinversefore: #0089D0; /* navtab */
+    --navbaractivebefore: #FA6121; /*sidebar active before */
+    /* special  characters */
+    --link: #FA6121; /* OPNsense text login and links */
+    --linkhover: #E04605; /* OPNsense text login and links hover */
+    /* accents */
+    --primary: #FA6121; /* primary accent */
+    --primaryhover: #E04605; /* primary accent hover */
+    --info: #0089D0; /* info accent */
+    --infohover: #00689E; /* info accent hover */
+    --success: #31C234; /* success accent */
+    --successhover: #279B29; /* success accent hover */
+    --warning: #EB9C00; /* warning accent */
+    --warninghover: #B87A00; /* warning accent hover */
+    --danger: #DB393D; /* danger accent */
+    --dangerhover: #BE2326; /* danger accent hover */
+    /* buttons (complete (independent) */
+    /* unselected */
+    --btnfore: #181E25; /* textcolor */
+    --btnback: #F2F7FD; /* background */
+    --btnborder: #181E25; /* border */
+    /* hover */
+    --btnforehover: #040506; /* textcolor hover*/
+    --btnbackhover: #C6DCF6; /* background hover*/
+    --btnborderhover: #040506; /* border hover */
+    /* active */
+    --btnforeactive: #F2F7FD; /* textcolor active*/
+    --btnbackactive: #181E25; /* background active*/
+    --btnborderactive: #F2F7FD; /* border active */
+    /* disabled */
+    --btnforedisabled: #647D9B; /* textcolor disabled*/
+    --btnbackdisabled: #F2F7FD; /* background disabled*/
+    /* badge */
+    --btnforebadge: #181E25; /* textcolor badge*/
+    --btnbackbadge: #F2F7FD; /* background badge*/
+    --btnborderbadge: #F2F7FD; /* border badge */
+    /* default button */
+    /* unselected */
+    --dfbtnfore: #181E25; /* textcolor */
+    --dfbtnback: #F2F7FD; /* background */
+    --dfbtnborder: #181E25; /* border */
+    /* hover */
+    --dfbtnforehover: #040506; /* textcolor hover*/
+    --dfbtnbackhover: #C6DCF6; /* background hover*/
+    --dfbtnborderhover: #040506; /* border hover */
+    /* active */
+    --dfbtnforeactive: #F2F7FD; /* textcolor active*/
+    --dfbtnbackactive: #181E25; /* background active*/
+    --dfbtnborderactive: #FA6121; /* border active */
+    /* disabled */
+    --dfbtnforedisabled: #647D9B; /* textcolor disabled*/
+    --dfbtnbackdisabled: #DBE8F9; /* background disabled*/
+    --dfbtnborderdisabled: #181E25; /* border disabled */
+    /* Badge */
+    --dfbtnforebadge: #181E25; /* textcolor badge, traffic badge textcolor*/
+    --dfbtnbackbadge: #FFC59E; /* background badge*/
+    --dfbtnborderbadge: #FA6121; /* border badge */
+    /* primary button */
+    /* unselected */
+    --pbtnfore: #F2F7FD; /* textcolor */
+    --pbtnback: #FA6121; /* background */
+    --pbtnborder: #F2F7FD; /* border */
+    /* hover */
+    --pbtnforehover: #DBE8F9; /* textcolor hover*/
+    --pbtnbackhover: #E04605; /* background hover*/
+    --pbtnborderhover: #DBE8F9; /* border hover */
+    /* active */
+    --pbtnforeactive: #FA6121; /* textcolor active*/
+    --pbtnbackactive: #F2F7FD; /* background active*/
+    --pbtnborderactive: #FA6121; /* border active */
+    /* disabled */
+    --pbtnforedisabled: #647D9B; /* textcolor disabled*/
+    --pbtnbackdisabled: #DBE8F9; /* background disabled*/
+    --pbtnborderdisabled: #FA6121; /* border disabled */
+    /* badge */
+    --pbtnforebadge: #FA6121; /* textcolor badge*/
+    --pbtnbackbadge: #F2F7FD; /* background badge*/
+    --pbtnborderbadge: #F2F7FD; /* border badge */
+    /* info button */
+    /* unselected */
+    --ibtnfore: #F2F7FD; /* textcolor */
+    --ibtnback: #0089D0; /* background */
+    --ibtnborder: #F2F7FD; /* border */
+    /* hover */
+    --ibtnforehover: #DBE8F9; /* textcolor hover*/
+    --ibtnbackhover: #00689E; /* background hover*/
+    --ibtnborderhover: #DBE8F9; /* border hover */
+    /* active */
+    --ibtnforeactive: #0089D0; /* textcolor active*/
+    --ibtnbackactive: #F2F7FD; /* background active*/
+    --ibtnborderactive: #0089D0; /* border active */
+    /* disabled */
+    --ibtnforedisabled: #647D9B; /* textcolor disabled*/
+    --ibtnbackdisabled: #DBE8F9; /* background disabled*/
+    --ibtnborderdisabled: #0089D0; /* border disabled */
+    /* badge */
+    --ibtnforebadge: #0089D0; /* textcolor badge*/
+    --ibtnbackbadge: #F2F7FD; /* background badge*/
+    --ibtnborderbadge: #F2F7FD; /* border badge */
+    /* success button */
+    /* unselected */
+    --sbtnfore: #F2F7FD; /* textcolor */
+    --sbtnback: #31C234; /* background */
+    --sbtnborder: #F2F7FD; /* border */
+    /* hover */
+    --sbtnforehover: #DBE8F9; /* textcolor hover*/
+    --sbtnbackhover: #279B29; /* background hover*/
+    --sbtnborderhover: #DBE8F9; /* border hover */
+    /* active */
+    --sbtnforeactive: #31C234; /* textcolor active*/
+    --sbtnbackactive: #F2F7FD; /* background active*/
+    --sbtnborderactive: #31C234; /* border active */
+    /* disabled */
+    --sbtnforedisabled: #647D9B; /* textcolor disabled*/
+    --sbtnbackdisabled: #DBE8F9; /* background disabled*/
+    --sbtnborderdisabled: #31C234; /* border disabled */
+    /* badge */
+    --sbtnforebadge: #31C234; /* textcolor badge*/
+    --sbtnbackbadge: #F2F7FD; /* background badge*/
+    --sbtnborderbadge: #F2F7FD; /* border badge */
+    /* warning button */
+    /* unselected */
+    --wbtnfore: #F2F7FD; /* textcolor */
+    --wbtnback: #DB992A; /* background */
+    --wbtnborder: #F2F7FD; /* border */
+    /* hover */
+    --wbtnforehover: #DBE8F9; /* textcolor hover*/
+    --wbtnbackhover: #B37B1E; /* background hover*/
+    --wbtnborderhover: #DBE8F9; /* border hover */
+    /* active */
+    --wbtnforeactive: #DB992A; /* textcolor active*/
+    --wbtnbackactive: #F2F7FD; /* background active*/
+    --wbtnborderactive: #DB992A; /* border active */
+    /* disabled */
+    --wbtnforedisabled: #647D9B; /* textcolor disabled*/
+    --wbtnbackdisabled: #DBE8F9; /* background disabled*/
+    --wbtnborderdisabled: #DB992A; /* border disabled */
+    /* badge */
+    --wbtnforebadge: #F2F7FD; /* textcolor badge*/
+    --wbtnbackbadge: #F2F7FD; /* background badge*/
+    --wbtnborderbadge: #F2F7FD; /* border badge */
+    /* danger button */
+    /* unselected */
+    --dbtnfore: #DB393D; /* textcolor */
+    --dbtnback: #F2F7FD; /* background */
+    --dbtnborder: #DB393D; /* border */
+    /* hover */
+    --dbtnforehover: #DBE8F9; /* textcolor hover*/
+    --dbtnbackhover: #BE2326; /* background hover*/
+    --dbtnborderhover: #DBE8F9; /* border hover */
+    /* active */
+    --dbtnforeactive: #DB393D; /* textcolor active*/
+    --dbtnbackactive: #F2F7FD; /* background active*/
+    --dbtnborderactive: #DB393D; /* border active */
+    /* disabled */
+    --dbtnforedisabled: #647D9B; /* textcolor disabled*/
+    --dbtnbackdisabled: #DBE8F9; /* background disabled*/
+    --dbtnborderdisabled: #DB393D; /* border disabled */
+    /* badge */
+    --dbtnforebadge: #DB393D; /* textcolor badge*/
+    --dbtnbackbadge: #F2F7FD; /* background badge*/
+    --dbtnborderbadge: #F2F7FD; /* border badge */
+    /* link button */
+    /* unselected */
+    --lbtnfore: #FC2529; /* textcolor */
+    --lbtnback: #F2F7FD; /* background */
+    --lbtnborder: #FC2529; /* border */
+    /* hover */
+    --lbtnforehover: #EC1519; /* textcolor hover*/
+    --lbtnbackhover: #C4C4C4; /* background hover*/
+    --lbtnborderhover: #EC1519; /* border hover */
+    /* active */
+    --lbtnforeactive: #FC2529; /* textcolor active*/
+    --lbtnbackactive: #131313; /* background active*/
+    --lbtnborderactive: #F5F5F5; /* border active */
+    /* disabled */
+    --lbtnforedisabled: #999999; /* textcolor disabled*/
+    --lbtnbackdisabled: #3D3D3D; /* background disabled*/
+    --lbtnborderdisabled: #3D3D3D; /* border disabled */
+    /* navtabs (complete independent) */
+    /* active */
+    --navtabforeactive: #F2F7FD; /* textcolor active navtab */
+    --navtabbackactive: #FA6121; /* background active navtab */
+    --navtabborderactive: #F2F7FD; /* border active navtab */
+    /* inactive */
+    --navtabforeinactive: #28323E; /* textcolor inactive navtab */
+    --navtabbackinactive: #F2F7FD; /* background inactive navtab */
+    --navtabborderinactive: #28323E; /* border inactive navtab */
+    /* hover */
+    --navtabforehover: #DBE8F9; /* textcolor navtab hover */
+    --navtabbackhover: #E04605; /* background navtab hover */
+    --navtabborderhover: #DBE8F9; /* border navtab hover */
+    /* tabulator (complete independent) */
+    /* tabulator frame foot background */
+    --tbfback: #1E262F;
+    /* tabulator header */
+    --tbheadfore: #0089D0; /* background */
+    --tbheadback: #1E262F; /* background */
+    --tbheadbackhover: #1E262F; /* background hover*/
+    --tbborder: #647D9B; /* border color headline */
+    /* tabulator body */
+    --tbbodybackhover: #323F4E; /* first row hover*/
+    --tbbordertable: #647D9B; /* border color table */
+    /* odd row */
+    --tbrowforeodd: #F2F7FD; /* background */
+    --tbrowbackodd: #181E25; /* background */
+    /* even row */
+    --tbrowforeeven: #F2F7FD; /* background */
+    --tbrowbackeven: #1E262F; /* background */
+    /* tabulator footer */
+    /* unselected */
+    --tffore: #28323E; /* textcolor */
+    --tfback: #F2F7FD; /* background */
+    --tfborder: #647D9B; /* border */
+    /* hover */
+    --tfforehover: #DBE8F9; /* textcolor hover*/
+    --tfbackhover: #E04605; /* border hover */
+    --tfborderhover: #DBE8F9; /* textcolor hover*/
+    /* active */
+    --tfforeactive: #F2F7FD; /* textcolor active*/
+    --tfbackactive: #FA6121; /* background active*/
+    --tfborderactive: #F2F7FD; /* border active */
+    /* active hover*/
+    --tfforeactivehover: #DBE8F9; /* textcolor active*/
+    --tfbackactivehover: #E04605; /* background active*/
+    --tfborderactivehover: #DBE8F9; /* border active */
+    /* panel, example: Reporting health */
+    --panelbody: #101720; /* panel body background*/
+    --panelheading: #101720; /* panel heading background*/
+    --panelheadingfore: #F2F7FD; /* panel heading textcolor*/
+    --panelfooter: #101720; /* panel footer */
+    --panelinfo: #F2F7FD; /* panel info, example wait circle */
+    /* content-box, example report traffic*/
+    --contentboxfore: #F2F7FD; /* content-box foreground and tabulator frame head background*/
+    --contentboxback: #181E25; /* content-box background and tabulator frame head background*/
+    /* table */
+    --tableheadfore: #0089D0; /* textcolor table head */
+    --tablelegend: #F2F7FD;
+    --tableborder: #647D9B; /* background table in a table */
+    /* table not stripe */
+    --tablefore: #F2F7FD; /* textcolor table */
+    --tableback: #181E25; /* background table */
+    /* table stripe */
+    --tablestripeback: #1E262F; /* alternative background table */
+    /* table inside a table */
+    --tabletablefore: #18271E; /* headline table in a table */
+    --tabletableback: #181E25; /* background table in a table */
+    /* scrollbar */
+    --scbarcolor: #50647C #1E262E; /* scrollbarcolor: foreground vs background, the following colors are not important */
+    --scbarborder: #989898; /* bordercolor scrollbar*/
+    --scbar: #748AA5; /* scrollbar foreground*/
+    --scbarhover: #B8B8B8; /* scrollbar foreground hover*/
+    --scbarbutton: #999999; /* scrollbar button*/
+    /* unbound (complete independent) */
+    --unbiconsback: rgba(60,75,93,0.9); /* large icons on tabs */
+    --unbfore1: #F2F7FD; /* main text 1 */
+    --unbback1: #1E262E; /* background 1 */
+    --unbfore2: #FA6121; /* main text 2 */
+    --unbback2: #1E262E; /* background 2 */
+    --unbborder: #647D9B; /* unbound-border */
+    --unbborderactive: #FA6121; /* unbound-border active */
+    --unbsuccess: rgba(49,194,52,0.4); /* unbound detail background success */
+    --unbsuccessfore: rgba(242,247,253,1); /* unbound textcolor success */
+    --unbinfo: rgba(0,137,208,0.4); /* unbound detail background info */
+    --unbinfofore: rgba(242,247,253,1); /* unbound textcolor info */
+    --unbdanger: rgba(235,156,0,0.4); /* unbound detail background danger */
+    --unbdangerfore: rgba(242,247,253,1); /* unbound textcolor danger */
+    --unbwarning: rgba(219,57,61,0.4); /* unbound detail background warning */
+    --unbwarningfore: rgba(242,247,253,1); /* unbound textcolor warning */
+    --unberror: rgba(164,164,164,1); /* unbound detail background error */
+    --unberrorfore: rgba(162,17,42,1); /* unbound textcolor error */
+    --unbshadow: rgba(40,50,62,.8); /* unbound overview circle shadow */
+    /* dashboard, (independent, despite the buttons on the top ) */
+    --dbfore: #181E25; /* textcolor dashboard */
+    --dbback: #F2F7FD; /* background color dashboard */
+    --dbbackhover: #F2F7FD; /* background color dashboard */
+    --dbborder: rgba(24,30,37,0.15); /* bordercolor dashboard */
+    --dbchartfore: rgba(24,30,37,1); /* textcolor dashboard charts */
+    --dbchartborder: rgba(24,30,37,1); /* bordercolor dashboard charts*/
+    --dbtoolfore: #101720; /* textcolor tooltip dashboard */
+    --dbtoolback: rgba(241, 241, 241, 0.9); /*background color tooltip */
+    /* graph */
+    --graphfore: #F2F7FD;
+    --graphback: #181E25;
+    --nv3daxis: #F2F7FD;
+    /* rgb */
+    --rgb50: rgba(255,255,255,0,5);
+    --rgbshadowdark: rgba(255,255,255,.1);
+    --bootstrapshadow: rgba(204, 204, 204, 0.2);
+    --boxshadow: inset 0 1px 1px rgba(255,255,255,0.075);
+    --btnshadow1: inset 0 1px 1px rgba(250, 97, 33, 0.075);
+    --btnshadow2: 0 0 8px rgba(250, 97, 33, 0.6);
+    --progresshadow: inset 0px 0px 0px 0px rgb(28, 0, 0);
+    --progresshadow2: 0px 0px 0px rgb(0, 255, 255, 0.1);
+    --mozshadow: 2px 2px 1px 0px rgba(215, 215, 215, 0.3)
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/light/default_scheme.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/light/default_scheme.css
new file mode 100644
index 0000000000..8d6de04f7e
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/light/default_scheme.css
@@ -0,0 +1,380 @@
+:root
+{
+    /* theme light, flexcolor */
+    /* main colors */
+    --pfore: #131313; /* main textcolor */
+    --pforehover: #181818; /* primary text hover */
+    --pforemuted: #3C3C3C; /* muted text */
+    --pforeinverse: #F2F7FD; /* main textcolor inverse */
+    --pforeinversehover: #D9E1EB; /* main textcolor inverse */
+    --pback: #F5F5F5; /* primary background */
+    --pbackmuted: #999999; /* primary background */
+    --pbackinverse: #181E25; /* primary background inverse */
+    --pbackhover: #FFFFFF; /* primary background hover*/
+    --sfore: #131313; /*second background hover */
+    --sback: #E5E5E5; /* second background */
+    --stdborder: #2D2D2D; /* standard border */
+    --stdborderfore: #E6E6E6; /* standard border with accent*/
+    --stdborderprimary: #336CDF; /* standard border with accent*/
+    --stdborderinverse: #131313; /* standard border with accent*/
+    --stdborder50bright: #A1A1A1; /* standard border with accent*/
+    --badgeback: #FFC59E; /* badge background & progress-bar & blockquote*/
+    --progressbar: #131313; /* progress-bar*/
+    --token: #71ADF4; /* background token */
+    --highlighted: #131313; /* highlighted element */
+    /* bootstrap */
+    /* bootstrap titlebar */
+    --bsheadfore: #131313;
+    --bsheadback: #F5F5F5;
+    --bsbodyfore: #131313;
+    --bsbodyback: #F5F5F5;
+    /* jquery-bootgrid */
+    --jqueryfore: #131313;
+    --jqueryback: #F5F5F5;
+    --jquerybarfore: #F5F5F5;
+    --jquerybarback: #1066CC;
+    --jquerybarborder: #1066CC;
+    /* login,(complete indepent, despite textboxes) */
+    --loginback: #F5F5F5; /* loginscreen background */
+    --loginboxtitle: #131313; /* loginscreen boxtitle */
+    --logindatefore: #131313; /* loginscreen textcolor */
+    --loginheadback: #D4D4D4; /* login-dialogbox head background */
+    --loginboxback: #D4D4D4; /* login-dialogbox background */
+    --loginboxfore: #131313; /* Login-dialogbox textcolor */
+    /* textbox (all kinds, tokenize, listbox, textbox, bootstrap select */
+    /* foreground */
+    --txtboxfore: #131313;
+    --txtboxforehover: #131313;
+    --txtboxforeactive: #1066CC;
+    --txtboxforeinverse: #131313;
+    --txtboxforedisabled: #131313;
+    --txtboxforetoken: #131313; /* only tokenize, pending delete */
+    --txtboxforedel: #131313; /* only tokenize, pending delete */
+    --txtboxforedismiss: #131313; /* only tokenize, dismiss */
+    --txtboxforeplaceholder: #131313;
+    /* background */
+    --txtboxback: #F5F5F5;
+    --txtboxbackhover: #F5F5F5;
+    --txtboxbackactive: #F5F5F5;
+    --txtboxbackdisabled: #F5F5F5;
+    --txtboxbacktoken: #71ADF4;
+    --txtboxbackdel: #FC2529; /* only tokenize, pending delete */
+    --txtboxbackdismiss: #F5F5F5; /* only tokenize, dismiss */
+    /* border */
+    --txtboxborder: #131313;
+    --txtboxborderhover: #1066CC;
+    --txtboxborderactive: #1066CC;
+    --txtboxborderdisabled: #3D3D3D;
+    --txtboxbordertoken: #131313;
+    --txtboxborderdel: #131313; /* only tokenize, pending delete */
+    --txtboxborderdismiss: #FC2529; /* only tokenize, dismiss */
+    /* page */
+    --pagefore: #131313; /* text color page */
+    --pageback: #F5F5F5; /* backround color page */
+    --pageborder: #2D2D2D; /* border color page */
+    --headlineback: #F5F5F5; /*background headline box*/
+    --headlinebackshadow: 2px 2px 1px 0px rgba(241, 241, 241, 0); /* shadow headlinebackgroundbox */
+    /* navigation sidebar (complete independent) */
+    /* unselected */
+    --sdbarfore: #131313; /*textcolor navigation sidebar */
+    --sdbarback: #E9E9E9; /*background unselected navigation sidebar */
+    --sdbarhoverback: #FDFDFD; /* background sidebar hover */
+    --sdbarhoverfore: #FA6121; /* textcolor sidebar hover */
+    --sdbaractback: #D4D4D4; /* active menu #ECE7E2, #FFEDF5, #E5F4FF, #FFFBE5, #F5F5DC, #F2F2F2, #FFFACD */
+    --navbarinverse: #FDFDFD; /* navtab */
+    --navbarinversefore: #1066CC; /* navtab */
+    --navbaractivebefore: #1066CC; /*sidebar active before */
+    /* special  characters */
+    --link: #FA6121; /* OPNsense text login and links */
+    --linkhover: #E04605; /* OPNsense text login and links hover */
+    /* accents */
+    --primary: #1066CC; /* primary accent */
+    --primaryhover: #0C4E9C; /* primary accent hover */
+    --info: #10A6D8; /* info accent */
+    --infohover: #0C80A6; /* info accent hover */
+    --success: #28A839; /* success accent */
+    --successhover: #1E802B; /* success accent hover */
+    --warning: #FC9510; /* warning accent */
+    --warninghover: #D97B03; /* warning accent hover */
+    --danger: #FC2529; /* danger accent */
+    --dangerhover: #EC0308; /* danger accent hover */
+    /* buttons (complete (independent) */
+    /* unselected */
+    --btnfore: #454545; /* textcolor */
+    --btnback: #ECECEC; /* background */
+    --btnborder: #1066CC; /* border */
+    /* hover */
+    --btnforehover: #131313; /* textcolor hover*/
+    --btnbackhover: #C4C4C4; /* background hover*/
+    --btnborderhover: #0C4E9C; /* border hover */
+    /* active */
+    --btnforeactive: #F5F5F5; /* textcolor active*/
+    --btnbackactive: #1066CC; /* background active*/
+    --btnborderactive: #F5F5F5; /* border active */
+    /* disabled */
+    --btnforedisabled: #999999; /* textcolor disabled*/
+    --btnbackdisabled: #F5F5F5; /* background disabled*/
+    /* badge */
+    --btnforebadge: #131313; /* textcolor badge*/
+    --btnbackbadge: #F5F5F5; /* background badge*/
+    --btnborderbadge: #F5F5F5; /* border badge */
+    /* default button */
+    /* unselected */
+    --dfbtnfore: #131313; /* textcolor */
+    --dfbtnback: #F5F5F5; /* background */
+    --dfbtnborder: #131313; /* border */
+    /* hover */
+    --dfbtnforehover: #131313; /* textcolor hover*/
+    --dfbtnbackhover: #F5F5F5; /* background hover*/
+    --dfbtnborderhover: #1066CC; /* border hover */
+    /* active */
+    --dfbtnforeactive: #F5F5F5; /* textcolor active*/
+    --dfbtnbackactive: #1066CC; /* background active*/
+    --dfbtnborderactive: #1066CC; /* border active */
+    /* disabled */
+    --dfbtnforedisabled: #999999; /* textcolor disabled*/
+    --dfbtnbackdisabled: #F5F5F5; /* background disabled*/
+    --dfbtnborderdisabled: #131313; /* border disabled */
+    /* Badge */
+    --dfbtnforebadge: ##1066CC; /* textcolor badge, traffic badge textcolor*/
+    --dfbtnbackbadge: #FFC59E; /* background badge*/
+    --dfbtnborderbadge: #1066CC; /* border badge */
+    /* primary button */
+    /* unselected */
+    --pbtnfore: #454545; /* textcolor */
+    --pbtnback: #ECECEC; /* background */
+    --pbtnborder: #1066CC; /* border */
+    /* hover */
+    --pbtnforehover: #131313; /* textcolor hover*/
+    --pbtnbackhover: #C4C4C; /* background hover*/
+    --pbtnborderhover: #0C4E9C; /* border hover */
+    /* active */
+    --pbtnforeactive: #F5F5F5; /* textcolor active*/
+    --pbtnbackactive: #1066CC; /* background active*/
+    --pbtnborderactive: #F5F5F5; /* border active */
+    /* disabled */
+    --pbtnforedisabled: #999999; /* textcolor disabled*/
+    --pbtnbackdisabled: #F5F5F5; /* background disabled*/
+    --pbtnborderdisabled: #635D55; /* border disabled */
+    /* badge */
+    --pbtnforebadge: #1066CC; /* textcolor badge*/
+    --pbtnbackbadge: #F5F5F5; /* background badge*/
+    --pbtnborderbadge: #F5F5F5; /* border badge */
+    /* info button */
+    /* unselected */
+    --ibtnfore: #454545; /* textcolor */
+    --ibtnback: #ECECEC; /* background */
+    --ibtnborder: #10A6D8; /* border */
+    /* hover */
+    --ibtnforehover: #131313; /* textcolor hover*/
+    --ibtnbackhover: #C4C4C4; /* background hover*/
+    --ibtnborderhover: #0C80A6; /* border hover */
+    /* active */
+    --ibtnforeactive: #F5F5F5; /* textcolor active*/
+    --ibtnbackactive: #10A6D8; /* background active*/
+    --ibtnborderactive: #F5F5F5; /* border active */
+    /* disabled */
+    --ibtnforedisabled: #999999; /* textcolor disabled*/
+    --ibtnbackdisabled: #F5F5F5; /* background disabled*/
+    --ibtnborderdisabled: #3D3D3D; /* border disabled */
+    /* badge */
+    --ibtnforebadge: #10A6D8; /* textcolor badge*/
+    --ibtnbackbadge: #F5F5F5; /* background badge*/
+    --ibtnborderbadge: #F5F5F5; /* border badge */
+    /* success button */
+    /* unselected */
+    --sbtnfore: #454545; /* textcolor */
+    --sbtnback: #ECECEC; /* background */
+    --sbtnborder: #28A839; /* border */
+    /* hover */
+    --sbtnforehover: #131313; /* textcolor hover*/
+    --sbtnbackhover: #C4C4C4; /* background hover*/
+    --sbtnborderhover: #1E802B; /* border hover */
+    /* active */
+    --sbtnforeactive: #F5F5F5; /* textcolor active*/
+    --sbtnbackactive: #28A839; /* background active*/
+    --sbtnborderactive: #F5F5F5; /* border active */
+    /* disabled */
+    --sbtnforedisabled: #999999; /* textcolor disabled*/
+    --sbtnbackdisabled: #F5F5F5; /* background disabled*/
+    --sbtnborderdisabled: #3D3D3D; /* border disabled */
+    /* badge */
+    --sbtnforebadge: #28A839; /* textcolor badge*/
+    --sbtnbackbadge: #F5F5F5; /* background badge*/
+    --sbtnborderbadge: #F5F5F5; /* border badge */
+    /* warning button */
+    /* unselected */
+    --wbtnfore: #454545; /* textcolor */
+    --wbtnback: #ECECEC; /* background */
+    --wbtnborder: #FC9510; /* border */
+    /* hover */
+    --wbtnforehover: #131313; /* textcolor hover*/
+    --wbtnbackhover: #C4C4C4; /* background hover*/
+    --wbtnborderhover: #D97B03; /* border hover */
+    /* active */
+    --wbtnforeactive: #F5F5F5; /* textcolor active*/
+    --wbtnbackactive: #FC9510; /* background active*/
+    --wbtnborderactive: #F5F5F5; /* border active */
+    /* disabled */
+    --wbtnforedisabled: #999999; /* textcolor disabled*/
+    --wbtnbackdisabled: #FC9510; /* background disabled*/
+    --wbtnborderdisabled: #3D3D3D; /* border disabled */
+    /* badge */
+    --wbtnforebadge: #FC9510; /* textcolor badge*/
+    --wbtnbackbadge: #F5F5F5; /* background badge*/
+    --wbtnborderbadge: #F5F5F5; /* border badge */
+    /* danger button */
+    /* unselected */
+    --dbtnfore: #454545; /* textcolor */
+    --dbtnback: #ECECEC; /* background */
+    --dbtnborder: #FC2529; /* border */
+    /* hover */
+    --dbtnforehover: #131313; /* textcolor hover*/
+    --dbtnbackhover: #C4C4C4; /* background hover*/
+    --dbtnborderhover: #EC0308; /* border hover */
+    /* active */
+    --dbtnforeactive: #F5F5F5; /* textcolor active*/
+    --dbtnbackactive: #FC2529; /* background active*/
+    --dbtnborderactive: #F5F5F5; /* border active */
+    /* disabled */
+    --dbtnforedisabled: #999999; /* textcolor disabled*/
+    --dbtnbackdisabled: #F5F5F5; /* background disabled*/
+    --dbtnborderdisabled: #3D3D3D; /* border disabled */
+    /* badge */
+    --dbtnforebadge: #FC2529; /* textcolor badge*/
+    --dbtnbackbadge: #F5F5F5; /* background badge*/
+    --dbtnborderbadge: #F5F5F5; /* border badge */
+    /* link button */
+    /* unselected */
+    --lbtnfore: #FC2529; /* textcolor */
+    --lbtnback: #ECECEC; /* background */
+    --lbtnborder: #FC2529; /* border */
+    /* hover */
+    --lbtnforehover: #EC1519; /* textcolor hover*/
+    --lbtnbackhover: #C4C4C4; /* background hover*/
+    --lbtnborderhover: #E6E6E6; /* border hover */
+    /* active */
+    --lbtnforeactive: #FC2529; /* textcolor active*/
+    --lbtnbackactive: 131313; /* background active*/
+    --lbtnborderactive: #F5F5F5; /* border active */
+    /* disabled */
+    --lbtnforedisabled: #999999; /* textcolor disabled*/
+    --lbtnbackdisabled: #3D3D3D; /* background disabled*/
+    --lbtnborderdisabled: #3D3D3D; /* border disabled */
+    /* navtabs (complete independent) */
+    /* active */
+    --navtabforeactive: #F5F5F5; /* textcolor active navtab */
+    --navtabbackactive: #1066CC; /* background active navtab */
+    --navtabborderactive: #F5F5F5; /* border active navtab */
+    /* inactive */
+    --navtabforeinactive: #454545; /* textcolor inactive navtab */
+    --navtabbackinactive: #E5E5E5; /* background inactive navtab */
+    --navtabborderinactive: #454545; /* border inactive navtab */
+    /* hover */
+    --navtabforehover: #131313; /* textcolor navtab hover */
+    --navtabbackhover: #D5D5D5; /* background navtab hover */
+    --navtabborderhover: #131313; /* border navtab hover */
+    /* tabulator (complete independent) */
+    /* tabulator frame foot background */
+    --tbfback: #F5F5F5;
+    /* tabulator header */
+    --tbheadfore: #131313; /* background */
+    --tbheadback: #D5D5D5; /* background */
+    --tbheadbackhover: #D5D5D5; /* background hover*/
+    --tbborder: #131313; /* border color headline */
+    /* tabulator body */
+    --tbbodybackhover: #DADADA; /* first row hover*/
+    --tbbordertable: #131313; /* border color table */
+    /* odd row */
+    --tbrowforeodd: #131313; /* background */
+    --tbrowbackodd: #F5F5F5; /* background */
+    /* even row */
+    --tbrowforeeven: #131313; /* background */
+    --tbrowbackeven: #E5E5E5; /* background */
+    /* tabulator footer */
+    /* unselected */
+    --tffore: #454545; /* textcolor */
+    --tfback: #E5E5E5; /* background */
+    --tfborder: #454545; /* border */
+    /* hover */
+    --tfforehover: #131313; /* textcolor hover*/
+    --tfbackhover: #D5D5D5; /* border hover */
+    --tfborderhover: #131313; /* textcolor hover*/
+    /* active */
+    --tfforeactive: #F5F5F5; /* textcolor active*/
+    --tfbackactive: #1066CC; /* background active*/
+    --tfborderactive: #F5F5F5; /* border active */
+    /* active hover*/
+    --tfforeactivehover: #FFFFFF; /* textcolor active*/
+    --tfbackactivehover: #1066CC; /* background active*/
+    --tfborderactivehover: #FFFFFF; /* border active */
+    /* panel, example: Reporting health */
+    --panelbody: #F5F5F5; /* panel body background*/
+    --panelheading: #F5F5F5; /* panel heading background*/
+    --panelheadingfore: #131313; /* panel heading textcolor*/
+    --panelfooter: #F5F5F5; /* panel footer */
+    --panelinfo: #131313; /* panel info, example wait circle */
+    /* content-box, example report traffic*/
+    --contentboxfore: #131313; /* content-box foreground and tabulator frame head background*/
+    --contentboxback: #F5F5F5; /* content-box background and tabulator frame head background*/
+    /* table */
+    --tableheadfore: #131313; /* textcolor table head */
+    --tablelegend: #131313;
+    --tableborder: #2D2D2D; /* background table in a table */
+    /* table not stripe */
+    --tablefore: #131313; /* textcolor table */
+    --tableback: #F5F5F5; /* background table */
+    /* table stripe */
+    --tablestripeback: #E5E5E5; /* alternative background table */
+    /* table inside a table */
+    --tabletablefore: #131313; /* headline table in a table */
+    --tabletableback: #F5F5F5; /* background table in a table */
+    /* scrollbar */
+    --scbarcolor: #C4C4C4 #E4E4E4; /* scrollbarcolor: foreground vs background, the following colors are not important */
+    --scbarborder: #989898; /* bordercolor scrollbar*/
+    --scbar: #C8C8C8; /* scrollbar foreground*/
+    --scbarhover: #B8B8B8; /* scrollbar foreground hover*/
+    --scbarbutton: #999999; /* scrollbar button*/
+    /* unbound (complete independent) */
+    --unbiconsback: rgba(229,229,229,0.9); /* large icons on tabs */
+    --unbfore1: #131313; /* main text 1 */
+    --unbback1: #E5E5E5; /* background 1 */
+    --unbfore2: #131313; /* main text 2 */
+    --unbback2: #E5E5E5; /* background 2 */
+    --unbborder: #2D2D2D; /* unbound-border */
+    --unbborderactive: #336CDF; /* unbound-border active */
+    --unbsuccess: rgba(40,168,57,1.0); /* unbound detail background success */
+    --unbsuccessfore: rgba(241,241,241,1); /* unbound textcolor success */
+    --unbinfo: rgba(16,102,204,1.0); /* unbound detail background info */
+    --unbinfofore: rgba(241,241,241,1); /* unbound textcolor info */
+    --unbdanger: rgba(252,37,41,1.0); /* unbound detail background danger */
+    --unbdangerfore: rgba(241,241,241,1); /* unbound textcolor danger */
+    --unbwarning: rgba(252,149,16,1.0); /* unbound detail background warning */
+    --unbwarningfore: rgba(241,241,241,1,1); /* unbound textcolor warning */
+    --unberror: rgba(245,245,245,1.0); /* unbound detail background error */
+    --unberrorfore: rgba(150,0,7,1); /* unbound textcolor error */
+    --unbshadow: rgba(47,47,47,.8); /* unbound overview circle shadow */
+    /* dashboard, (independent, despite the buttons on the top ) */
+    --dbfore: #131313; /* textcolor dashboard */
+    --dbback: #D5D5D5; /* background color dashboard */
+    --dbbackhover: #D5D5D5; /* background color dashboard */
+    --dbborder: rgba(61,61,61,0.15); /* bordercolor dashboard */
+    --dbchartfore: rgba(19,19,19,1); /* textcolor dashboard charts */
+    --dbchartborder: rgba(19,19,19,1); /* bordercolor dashboard charts*/
+    --dbtoolfore: #F5F5F5; /* textcolor tooltip dashboard */
+    --dbtoolback: rgba(19, 19, 19, 0.9); /*background color tooltip */
+    /* graph */
+    --graphfore: #131313;
+    --graphback: #F5F5F5;
+    --nv3daxis: #131313;
+    /* rgb */
+    --rgb50: rgba(0,0,0,0,5);
+    b --rgbshadowdark: rgba(0,0,0,.1);
+    --bootstrapshadow: rgba(41, 41, 41, 0.2);
+    --boxshadow: inset 0 1px 1px rgba(0,0,0,0.075);
+    --btnshadow1: inset 0 1px 1px rgba(0, 102, 204, 0.075);
+    --btnshadow2: 0 0 8px rgba(0, 102, 204, 0.6);
+    --progresshadow: inset 0px 1px 2px 1px rgb(217, 217, 217);
+    --progresshadow2: 0 5px 10px rgb(0, 0, 0,0.1);
+    --mozshadow: 2px 2px 1px 0px rgba(21, 21, 21, 0.5)
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-dialog.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-dialog.css
new file mode 100644
index 0000000000..c3318009bf
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-dialog.css
@@ -0,0 +1,119 @@
+@import url('default_scheme.css');
+.modal-backdrop {
+  z-index: -1;
+}
+
+.bootstrap-dialog {
+  /* dialog types */
+  /**
+   * Icon animation
+   * Copied from font-awesome: http://fontawesome.io/
+   **/
+  /** End of icon animation **/
+}
+.bootstrap-dialog .modal-header {
+  border-top-left-radius: 4px;
+  border-top-right-radius: 4px;
+  background-color: var(--bsheadback);
+}
+.bootstrap-dialog .bootstrap-dialog-title {
+  color: var(--bsheadfore);
+  display: inline-block;
+  font-size: 15px;
+}
+.bootstrap-dialog .bootstrap-dialog-button-icon {
+  margin-right: 3px;
+}
+.bootstrap-dialog .bootstrap-dialog-close-button {
+  float: right;
+  filter: alpha(opacity=90);
+  -moz-opacity: 0.9;
+  -khtml-opacity: 0.9;
+  opacity: 0.9;
+}
+.bootstrap-dialog .bootstrap-dialog-close-button:hover {
+  cursor: pointer;
+  filter: alpha(opacity=100);
+  -moz-opacity: 1;
+  -khtml-opacity: 1;
+  opacity: 1;
+}
+.bootstrap-dialog.type-default .modal-header {
+  background-color: var(--bsheadback);
+}
+.bootstrap-dialog.type-default .bootstrap-dialog-title {
+  color: var(--bsheadfore);
+}
+.bootstrap-dialog.type-info .modal-header {
+  border-bottom: 3px solid var(--info);
+}
+.bootstrap-dialog.type-primary .modal-header {
+  border-bottom: 3px solid var(--primary);
+}
+.bootstrap-dialog.type-success .modal-header {
+  border-bottom: 3px solid var(--success);
+}
+.bootstrap-dialog.type-warning .modal-header {
+  border-bottom: 3px solid var(--warning);
+}
+.bootstrap-dialog.type-danger .modal-header {
+  border-bottom: 3px solid var(--danger);
+}
+.bootstrap-dialog.size-large .bootstrap-dialog-title {
+  font-size: 24px;
+}
+.bootstrap-dialog.size-large .bootstrap-dialog-close-button {
+  font-size: 30px;
+}
+.bootstrap-dialog.size-large .bootstrap-dialog-message {
+  font-size: 18px;
+}
+.bootstrap-dialog .icon-spin {
+  display: inline-block;
+  -moz-animation: spin 2s infinite linear;
+  -o-animation: spin 2s infinite linear;
+  -webkit-animation: spin 2s infinite linear;
+  animation: spin 2s infinite linear;
+}
+@-moz-keyframes spin {
+  0% {
+    -moz-transform: rotate(0deg);
+  }
+  100% {
+    -moz-transform: rotate(359deg);
+  }
+}
+@-webkit-keyframes spin {
+  0% {
+    -webkit-transform: rotate(0deg);
+  }
+  100% {
+    -webkit-transform: rotate(359deg);
+  }
+}
+@-o-keyframes spin {
+  0% {
+    -o-transform: rotate(0deg);
+  }
+  100% {
+    -o-transform: rotate(359deg);
+  }
+}
+@-ms-keyframes spin {
+  0% {
+    -ms-transform: rotate(0deg);
+  }
+  100% {
+    -ms-transform: rotate(359deg);
+  }
+}
+@keyframes spin {
+  0% {
+    transform: rotate(0deg);
+  }
+  100% {
+    transform: rotate(359deg);
+  }
+}
+
+/*# sourceMappingURL=bootstrap-dialog.css.map */
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-select.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-select.css
new file mode 100644
index 0000000000..4b5e1b707a
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-select.css
@@ -0,0 +1,407 @@
+/*!
+ * Bootstrap-select v1.13.3 (https://developer.snapappointments.com/bootstrap-select)
+ *
+ * Copyright 2012-2018 SnapAppointments, LLC
+ * Licensed under MIT (https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE)
+ */
+@import url('default_scheme.css');
+select.bs-select-hidden,
+.bootstrap-select > select.bs-select-hidden,
+select.selectpicker {
+  display: none !important;
+}
+.bootstrap-select {
+  width: 348px \0;
+  /*IE9 and below*/
+}
+.bootstrap-select > .dropdown-toggle {
+  position: relative;
+  width: 100%;
+  z-index: 1;
+  text-align: right;
+  white-space: nowrap;
+}
+.bootstrap-select > .dropdown-toggle.bs-placeholder,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:hover,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:focus,
+.bootstrap-select > .dropdown-toggle.bs-placeholder:active {
+  color: var(--txtboxfore);
+  background-color: var(--txtboxback);
+  border-color: var(--txtboxborder); }
+
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:hover,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:hover,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:hover,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:hover,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:hover,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:hover,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:focus,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:focus,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:focus,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:focus,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:focus,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:focus,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-primary:active,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-secondary:active,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-success:active,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-danger:active,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-info:active,
+    .bootstrap-select > .dropdown-toggle.bs-placeholder.btn-dark:active
+    {
+        color: var(--rgba50);
+    }
+.bootstrap-select > select {
+  position: absolute !important;
+  bottom: 0;
+  left: 50%;
+  display: block !important;
+  width: 0.5px !important;
+  height: 100% !important;
+  padding: 0 !important;
+  opacity: 0 !important;
+  border: none;
+}
+.bootstrap-select > select.mobile-device {
+  top: 0;
+  left: 0;
+  display: block !important;
+  width: 100% !important;
+  z-index: 2;
+}
+.has-error .bootstrap-select .dropdown-toggle,
+.error .bootstrap-select .dropdown-toggle,
+.bootstrap-select.is-invalid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:invalid + .dropdown-toggle {
+  border-color: var(--danger);
+}
+.bootstrap-select.is-valid .dropdown-toggle,
+.was-validated .bootstrap-select .selectpicker:valid + .dropdown-toggle {
+  border-color: var(--success);
+}
+.bootstrap-select.fit-width {
+  width: auto !important;
+}
+.bootstrap-select:not([class*="col-"]):not([class*="form-control"]):not(.input-group-btn) {
+  width: 348px;
+}
+.bootstrap-select > select.mobile-device:focus + .dropdown-toggle,
+.bootstrap-select .dropdown-toggle:focus {
+  outline: var(--txtboxborderhover) !important;
+  outline: 5px auto -webkit-focus-ring-color !important;
+  outline-offset: -2px;
+}
+.bootstrap-select.form-control {
+  margin-bottom: 0;
+  padding: 0;
+  border: none;
+}
+:not(.input-group) > .bootstrap-select.form-control:not([class*="col-"]) {
+  width: 100%;
+}
+.bootstrap-select.form-control.input-group-btn {
+  z-index: auto;
+}
+.bootstrap-select.form-control.input-group-btn:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0;
+}
+.bootstrap-select:not(.input-group-btn),
+.bootstrap-select[class*="col-"] {
+  float: none;
+  display: inline-block;
+  margin-left: 0;
+}
+.bootstrap-select.dropdown-menu-right,
+.bootstrap-select[class*="col-"].dropdown-menu-right,
+.row .bootstrap-select[class*="col-"].dropdown-menu-right {
+  float: right;
+}
+.form-inline .bootstrap-select,
+.form-horizontal .bootstrap-select,
+.form-group .bootstrap-select {
+  margin-bottom: 0;
+}
+.form-group-lg .bootstrap-select.form-control,
+.form-group-sm .bootstrap-select.form-control {
+  padding: 0;
+}
+.form-group-lg .bootstrap-select.form-control .dropdown-toggle,
+.form-group-sm .bootstrap-select.form-control .dropdown-toggle {
+  height: 100%;
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle,
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  font-size: inherit;
+  line-height: inherit;
+  border-radius: inherit;
+}
+.bootstrap-select.form-control-sm .dropdown-toggle {
+  padding: 0.25rem 0.5rem;
+}
+.bootstrap-select.form-control-lg .dropdown-toggle {
+  padding: 0.5rem 1rem;
+}
+.form-inline .bootstrap-select .form-control {
+  width: 100%;
+}
+.bootstrap-select.disabled,
+.bootstrap-select > .disabled {
+  cursor: not-allowed;
+}
+.bootstrap-select.disabled:focus,
+.bootstrap-select > .disabled:focus {
+  outline: none !important;
+}
+.bootstrap-select.bs-container {
+  position: absolute;
+  top: 0;
+  left: 0;
+  height: 0 !important;
+  padding: 0 !important;
+}
+.bootstrap-select.bs-container .dropdown-menu {
+  z-index: 1060;
+}
+.bootstrap-select .dropdown-toggle:before {
+  content: '';
+  display: inline-block;
+}
+.bootstrap-select .dropdown-toggle .filter-option {
+  position: absolute;
+  top: 0;
+  left: 0;
+  padding-top: inherit;
+  padding-right: inherit;
+  padding-bottom: inherit;
+  padding-left: inherit;
+  height: 100%;
+  width: 100%;
+  text-align: left;
+}
+.bootstrap-select .dropdown-toggle .filter-option-inner {
+  padding-right: inherit;
+}
+.bootstrap-select .dropdown-toggle .filter-option-inner-inner {
+  overflow: hidden;
+}
+.bootstrap-select .dropdown-toggle .caret {
+  position: absolute;
+  top: 50%;
+  right: 12px;
+  margin-top: -2px;
+  vertical-align: middle;
+}
+.input-group .bootstrap-select.form-control .dropdown-toggle {
+  border-radius: inherit;
+}
+.bootstrap-select[class*="col-"] .dropdown-toggle {
+  width: 100%;
+}
+.bootstrap-select .dropdown-menu {
+  min-width: 100%;
+  -webkit-box-sizing: border-box;
+     -moz-box-sizing: border-box;
+          box-sizing: border-box;
+}
+.bootstrap-select .dropdown-menu > .inner:focus {
+  outline: none !important;
+}
+.bootstrap-select .dropdown-menu.inner {
+  position: static;
+  float: none;
+  border: 0;
+  padding: 0;
+  margin: 0;
+  border-radius: 0;
+  -webkit-box-shadow: none;
+          box-shadow: none;
+}
+.bootstrap-select .dropdown-menu li {
+  position: relative;
+}
+.bootstrap-select .dropdown-menu li.active small {
+  color: var(--rgba50) !important;
+}
+.bootstrap-select .dropdown-menu li.disabled a {
+  cursor: not-allowed;
+}
+.bootstrap-select .dropdown-menu li a {
+  cursor: pointer;
+  -webkit-user-select: none;
+     -moz-user-select: none;
+      -ms-user-select: none;
+          user-select: none;
+}
+.bootstrap-select .dropdown-menu li a.opt {
+  position: relative;
+  padding-left: 2.25em;
+}
+.bootstrap-select .dropdown-menu li a span.check-mark {
+  display: none;
+}
+.bootstrap-select .dropdown-menu li a span.text {
+  display: inline-block;
+}
+.bootstrap-select .dropdown-menu li small {
+  padding-left: 0.5em;
+}
+  .bootstrap-select .dropdown-menu .notify {
+    position: absolute;
+    bottom: 5px;
+    width: 96%;
+    margin: 0 2%;
+    min-height: 26px;
+    padding: 3px 5px;
+    background: var(--txtboxback);
+    border: 1px solid var(--txtboxborder);
+    -webkit-box-shadow: var(--rgbashadowdark);
+    box-shadow: var(--rgbashadowdark);
+    pointer-events: none;
+    opacity: 0.9;
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box; }
+.bootstrap-select .no-results {
+  padding: 3px;
+  color: var(--txtboxforedisabled);
+  background: var(--txtboxbackdisabled);
+  margin: 0 5px;
+  white-space: nowrap;
+}
+.bootstrap-select.fit-width .dropdown-toggle .filter-option {
+  position: static;
+  display: inline;
+  padding: 0;
+}
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner,
+.bootstrap-select.fit-width .dropdown-toggle .filter-option-inner-inner {
+  display: inline;
+}
+.bootstrap-select.fit-width .dropdown-toggle .caret {
+  position: static;
+  top: auto;
+  margin-top: -1px;
+}
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
+  position: absolute;
+  display: inline-block;
+  right: 15px;
+  top: 5px;
+}
+.bootstrap-select.show-tick .dropdown-menu li a span.text {
+  margin-right: 34px;
+}
+.bootstrap-select .bs-ok-default:after {
+  content: '';
+  display: block;
+  width: 0.5em;
+  height: 1em;
+  border-style: solid;
+  border-width: 0 0.26em 0.26em 0;
+  -webkit-transform: rotate(45deg);
+      -ms-transform: rotate(45deg);
+       -o-transform: rotate(45deg);
+          transform: rotate(45deg);
+}
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle {
+  z-index: 1061;
+}
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:before {
+  content: '';
+  border-left: 7px solid transparent;
+  border-right: 7px solid transparent;
+  border-bottom: 7px solid var(--bsshadow);
+  position: absolute;
+  bottom: -4px;
+  left: 9px;
+  display: none;
+}
+.bootstrap-select.show-menu-arrow .dropdown-toggle .filter-option:after {
+  content: '';
+  border-left: 6px solid transparent;
+  border-right: 6px solid transparent;
+  border-bottom: 6px solid white;
+  position: absolute;
+  bottom: -4px;
+  left: 10px;
+  display: none;
+}
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:before
+{
+    bottom: auto;
+    top: -4px;
+    border-top: 7px solid var(--bsshadow);
+    border-bottom: 0;
+}
+.bootstrap-select.show-menu-arrow.dropup .dropdown-toggle .filter-option:after {
+  bottom: auto;
+  top: -4px;
+  border-top: 6px solid var(--txtboxborder);
+  border-bottom: 0;
+}
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:before {
+  right: 12px;
+  left: auto;
+}
+.bootstrap-select.show-menu-arrow.pull-right .dropdown-toggle .filter-option:after {
+  right: 13px;
+  left: auto;
+}
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:before,
+.bootstrap-select.show-menu-arrow.open > .dropdown-toggle .filter-option:after,
+.bootstrap-select.show-menu-arrow.show > .dropdown-toggle .filter-option:after {
+  display: block;
+}
+.bs-searchbox,
+.bs-actionsbox,
+.bs-donebutton {
+  padding: 4px 8px;
+}
+.bs-actionsbox {
+  width: 100%;
+  -webkit-box-sizing: border-box;
+     -moz-box-sizing: border-box;
+          box-sizing: border-box;
+}
+.bs-actionsbox .btn-group button {
+  width: 50%;
+}
+.bs-donebutton {
+  float: left;
+  width: 100%;
+  -webkit-box-sizing: border-box;
+     -moz-box-sizing: border-box;
+          box-sizing: border-box;
+}
+.bs-donebutton .btn-group button {
+  width: 100%;
+}
+.bs-searchbox + .bs-actionsbox {
+  padding: 0 8px 4px;
+}
+.bs-searchbox .form-control {
+  margin-bottom: 0;
+  width: 100%;
+  float: none;
+}
+
+/* OPNsense edit to fix https://github.com/opnsense/core/issues/2612 :
+ * Move checkmarks to left hand side of the dropdown.
+ */
+.bootstrap-select .dropdown-menu > li > a {
+  padding: 3px 20px 3px 30px;
+}
+.bootstrap-select.show-tick .dropdown-menu .selected span.check-mark {
+  left: 10px;
+}
+/* End OPNsense edit to fix #2612. */
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css
new file mode 100644
index 0000000000..6a605eb798
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css
@@ -0,0 +1,372 @@
+@import url('default_scheme.css');
+:root {
+    --chart-js-border-color: var(--dbchartborder);
+    --chart-js-font-color: var(--dbchartfore);
+}
+
+.ui-resizable-handle {
+  opacity: 0 !important;
+}
+
+#save-grid {
+  width: inherit;
+  height: inherit;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  transition: opacity 0.3s ease;
+  position: relative;
+  width: 50px;
+  height: 30px;
+  margin-right: 10px;
+}
+
+#save-btn-text, #icon-container {
+  position: absolute;
+}
+
+#icon-container {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+}
+
+.fa-spinner {
+    font-size: 2em;
+}
+
+.transition-spinner, transition-check {
+  transition: opacity 0.3s ease, transform 0.3s ease;
+}
+
+.hide {
+  opacity: 0;
+  transform: scale(0);
+}
+
+.show {
+  opacity: 1;
+  transform: scale(1);
+}
+
+.grid-stack-item-content {
+  text-align: center;
+  border-style: solid;
+  border-color: var(--dbborder);
+  border-width: 1px;
+  background-color: var(--dbback);
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+  color: var(--dbfore);
+}
+
+.widget-error {
+    margin: 50px;
+    color: var(--danger);
+}
+
+.widget-content {
+    position: relative;
+    width: 100%;
+    height: 100%;
+    padding: 1px;
+    cursor: default;
+}
+
+.widget-header {
+    margin-top: 0.5em;
+    margin-left: 1em;
+    margin-right: 1em;
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+}
+
+.widget-spinner {
+    margin-top: 20px;
+    font-size: 2em;
+}
+
+.fa-stack.small {
+    font-size: 0.5em;
+}
+
+.link-handle,
+.close-handle,
+.edit-handle {
+  margin-left: 0.5em;
+  vertical-align: middle;
+  text-align: right;
+  cursor: pointer;
+}
+
+.link-handle > a,
+.close-handle > i,
+.edit-handle > i {
+  font-size: 0.8em;
+}
+
+.widget-header-left {
+  display: flex;
+  align-items: center;
+  justify-content: flex-start;
+  flex: 1;
+}
+
+.widget-command-container {
+  display: flex;
+  justify-content: flex-end;
+  align-items: center;
+  flex: 1;
+}
+
+.widget-title {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+}
+.panel-divider {
+    width: 100%;
+    text-align: center;
+    height: 8px;
+    margin-bottom: 10px;
+}
+
+table {
+    table-layout: fixed;
+}
+
+td {
+    word-break: break-all;
+}
+
+.line {
+    display: inline-block;
+    height: 2px;
+    width: 80%;
+    background: var(--dbborder);
+    margin: 5px;
+}
+
+.canvas-container-noaspectratio {
+    position: relative;
+}
+
+.canvas-container {
+    position: relative;
+}
+
+.canvas-container > canvas {
+    /* ChartJS v4 workaround: https://github.com/chartjs/Chart.js/issues/11005 */
+    width: 100% !important;
+    height: 100% !important;
+}
+
+.cpu-canvas-container {
+    display: flex;
+    flex-direction: column;
+}
+
+.smoothie-container {
+    width: 100%;
+}
+
+.smoothie-chart-tooltip {
+  z-index: 1; /* necessary to force to foreground */
+  background: var(--dbtoolback);
+  padding-left: 15px;
+  padding-right: 15px;
+  color: var(--dbtoolfore);
+  font-size: 13px;
+  border-radius: 0.5em 0.5em 0.5em 0.5em;
+  pointer-events: none;
+}
+
+.flex-container {
+    display: flex;
+    flex-wrap: nowrap;
+    white-space: nowrap;
+}
+
+.gateway-info {
+  margin: 5px;
+  padding: 5px;
+  font-size: 13px;
+}
+
+.gateway-detail-container {
+    display: none;
+    margin: 5px;
+}
+
+.interface-info {
+    display: flex;
+    flex-wrap: wrap;
+    align-items: center;
+    height: 100%;
+}
+
+.nowrap {
+    flex-wrap: nowrap;
+}
+
+.gateway-graph {
+    display: none;
+}
+
+.flex-container > .gateway-graph {
+    font-size: 13px;
+}
+
+.vertical-center-row {
+    height: 100%;
+    display: inline;
+}
+
+.interfaces-info {
+  margin: 5px;
+  font-size: 13px;
+}
+
+.interface-descr {
+    margin-left: 10px;
+    font-size: 15px;
+    cursor: pointer;
+    text-decoration: underline;
+}
+
+.interfaces-detail-container {
+    margin: 5px;
+    display: none;
+}
+
+.d-flex {
+    display: flex;
+}
+
+.d-flex > .justify-content-start {
+    justify-content: start;
+}
+
+.d-flex > .justify-content-end {
+    justify-content: end;
+}
+
+#chartjs-toolip {
+    z-index: 20;
+}
+
+/* CPU widget */
+.cpu-type {
+    margin-bottom: 10px;
+    margin-top: 10px;
+}
+/* ----- */
+
+/* Custom flex table */
+div {
+    box-sizing: border-box;
+}
+
+.flextable-container {
+    display: block;
+    margin: 2em auto;
+    width: 95%;
+    max-width: 1200px;
+}
+
+.flextable-header {
+    display: flex;
+    flex-flow: row wrap;
+    transition: 0.5s;
+    padding: 0.5em 0.5em;
+    border-top: solid 1px var(--dbborder);
+}
+
+.flextable-row {
+    display: flex;
+    flex-flow: row wrap;
+    transition: 0.5s;
+    padding: 0.5em 0.5em;
+    border-top: solid 1px var(--dbborder);
+    align-items: center;
+}
+
+.flextable-header .flex-cell {
+    font-weight: bold;
+}
+
+.flextable-row:hover {
+  background:  var(--dbbackhover) !important;
+}
+
+.flex-cell {
+    text-align: left;
+    word-break: break-word;
+}
+
+.column {
+    display: flex;
+    flex-flow: column wrap;
+    width: 50%;
+    padding: 0;
+}
+.column .flex-cell {
+    display: flex;
+    flex-flow: row wrap;
+    width: 100%;
+    padding: 0;
+    border: 0;
+    border-top: var(--dbborder);
+}
+
+.column .flex-cell:hover {
+  background: var(--dbbackhover);
+}
+
+.flex-subcell {
+    width: 100%;
+    text-align: left;
+}
+
+.column .flex-cell:not(:last-child) {
+     border-bottom: solid 1px var(--dbborder);
+	  /* border-bottom: none !important; */
+}
+/* ----- */
+
+/* CSS grid responsive table */
+.grid-header-container {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+}
+
+.grid-row {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+    background-color: var(--dbback); /* fade-in color, transitions to transparent */
+    border-top: 1px solid var(--dbborder);
+    transition: 0.5s;
+    opacity: 0.4;
+}
+
+.grid-row:hover {
+  background: var(--dbbackhover) !important;
+}
+
+.grid-header {
+    border-top: 1px solid var(--dbborder);
+    font-weight: bold;
+}
+
+.grid-item {
+    border: 1 px solid var(--dbborder);
+    padding: 4px;
+    text-align: center;
+}
+
+.ovpn-common-name {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+}
+
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/default_scheme.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/default_scheme.css
new file mode 100644
index 0000000000..2ee93ae03c
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/default_scheme.css
@@ -0,0 +1,380 @@
+:root
+{
+    /* theme black, flexcolor */
+    /* main colors */
+    --pfore: #E6E6E6; /* main textcolor */
+    --pforehover: #FFFFFF; /* primary text hover */
+    --pforemuted: #B1B1B1; /* muted text */
+    --pforeinverse: #181E25; /* main textcolor inverse */
+    --pforeinversehover: #232323; /* main textcolor inverse hover */
+    --pback: #000000; /* primary background */
+    --pbackmuted: #E6E6E6; /* primary background */
+    --pbackinverse: #E6E6E6; /* primary background inverse */
+    --pbackhover: #232323; /* primary background hover*/
+    --sfore: #A3A3A3; /*second background */
+    --sback: #000000; /* second background #FAF9F6*/
+    --stdborder: #515151; /* standard border */
+    --stdborderfore: #E6E6E6; /* standard border with accent*/
+    --stdborderprimary: #336CDF; /* standard border with accent*/
+    --stdborderinverse: #000000; /* standard border with accent*/
+    --stdborder50bright: #A1A1A1; /* standard border with accent*/
+    --badgeback: #E6E6E6; /* badge background & progress-bar & blockquote*/
+    --progressbar: #D4D4D4; /* progress-bar*/
+    --token: #AF3604; /* background token */
+    --highlighted: #FFFFFF; /* highlighted element */
+    /* bootstrap */
+    /* bootstrap titlebar */
+    --bsheadfore: #E6E6E6;
+    --bsheadback: #000000;
+    --bsbodyfore: #E6E6E6;
+    --bsbodyback: #000000;
+    /* jquery-bootgrid */
+    --jqueryfore: #E6E6E6;
+    --jqueryback: #000000;
+    --jquerybarfore: #E6E6E6;
+    --jquerybarback: #1F57C6;
+    --jquerybarborder: #1F57C6;
+    /* login,(complete indepent, despite textboxes) */
+    --loginback: #000000; /* loginscreen background */
+    --loginboxtitle: #E6E6E6; /* loginscreen boxtitle */
+    --logindatefore: #E6E6E6; /* loginscreen textcolor */
+    --loginheadback: #000000; /* login-dialogbox head background */
+    --loginboxback: #000000; /* login-dialogbox background */
+    --loginboxfore: #E6E6E6; /* Login-dialogbox textcolor */
+    /* textbox (all kinds, tokenize, listbox, textbox, bootstrap select */
+    /* foreground */
+    --txtboxfore: #E6E6E6;
+    --txtboxforehover: #336CDF;
+    --txtboxforeactive: #336CDF;
+    --txtboxforeinverse: #E6E6E6;
+    --txtboxforedisabled: #E6E6E6;
+    --txtboxforetoken: #E6E6E6; /* only tokenize, pending delete */
+    --txtboxforedel: #E6E6E6; /* only tokenize, pending delete */
+    --txtboxforedismiss: #E6E6E6; /* only tokenize, dismiss */
+    --txtboxforeplaceholder: #E6E6E6;
+    /* background */
+    --txtboxback: #000000;
+    --txtboxbackhover: #000000;
+    --txtboxbackactive: #000000;
+    --txtboxbackdisabled: #000000;
+    --txtboxbacktoken: #E65C00;
+    --txtboxbackdel: #FF5252; /* only tokenize, pending delete */
+    --txtboxbackdismiss: #F2F7FD; /* only tokenize, dismiss */
+    /* border */
+    --txtboxborder: #E6E6E6;
+    --txtboxborderhover: #1C4DB0;
+    --txtboxborderactive: #336CDF;
+    --txtboxborderdisabled: #515151;
+    --txtboxbordertoken: #000000;
+    --txtboxborderdel: #E6E6E6; /* only tokenize, pending delete */
+    --txtboxborderdismiss: #E6E6E6; /* only tokenize, dismiss */
+    /* page */
+    --pagefore: #E6E6E6; /* text color page */
+    --pageback: #000000; /* backround color page */
+    --pageborder: #E6E6E6; /* border color page */
+    --headlineback: #000000; /*background headline box*/
+    --headlinebackshadow: 2px 2px 1px 0px rgba(0, 0, 0, 0); /* shadow headlinebackgroundbox */
+    /* navigation sidebar (complete independent) */
+    /* unselected */
+    --sdbarfore: #E6E6E6; /*textcolor navigation sidebar */
+    --sdbarback: #000000; /*background unselected navigation sidebar */
+    --sdbarhoverback: #000000; /* background sidebar hover */
+    --sdbarhoverfore: #D66E12; /* textcolor sidebar hover */
+    --sdbaractback: #1C1C1C; /* active menu #ECE7E2, #FFEDF5, #E5F4FF, #FFFBE5, #F5F5DC, #F2F2F2, #FFFACD */
+    --navbarinverse: #000000; /* navtab */
+    --navbarinversefore: #336CDF; /* navtab */
+    --navbaractivebefore: #FA6121; /*sidebar active before */
+    /* special  characters */
+    --link: #FA6121; /* OPNsense text login and links */
+    --linkhover: #E04605; /* OPNsense text login and links hover */
+    /* accents */
+    --primary: #336CDF; /* primary accent */
+    --primaryhover: #608DE6; /* primary accent hover */
+    --info: #008CDD; /* info accent */
+    --infohover: #0FA7FF; /* info accent hover */
+    --success: #388E3C; /* success accent */
+    --successhover: #47B34C; /* success accent hover */
+    --warning: #D66E12; /* warning accent */
+    --warninghover: #ED862B; /* warning accent hover */
+    --danger: #FF5252; /* danger accent */
+    --dangerhover: #BE2326FF8585; /* danger accent hover */
+    /* buttons (complete (independent) */
+    /* unselected */
+    --btnfore: #E6E6E6; /* textcolor */
+    --btnback: #000000; /* background */
+    --btnborder: #E6E6E6; /* border */
+    /* hover */
+    --btnforehover: #E6E6E6; /* textcolor hover*/
+    --btnbackhover: #000000; /* background hover*/
+    --btnborderhover: #336CDF; /* border hover */
+    /* active */
+    --btnforeactive: #336CDF; /* textcolor active*/
+    --btnbackactive: #000000; /* background active*/
+    --btnborderactive: #336CDF; /* border active */
+    /* disabled */
+    --btnforedisabled: #999999; /* textcolor disabled*/
+    --btnbackdisabled: #000000; /* background disabled*/
+    /* badge */
+    --btnforebadge: #000000; /* textcolor badge*/
+    --btnbackbadge: #000000; /* background badge*/
+    --btnborderbadge: #000000; /* border badge */
+    /* default button */
+    /* unselected */
+    --dfbtnfore: #E6E6E6; /* textcolor */
+    --dfbtnback: #000000; /* background */
+    --dfbtnborder: #E6E6E6; /* border */
+    /* hover */
+    --dfbtnforehover: #E6E6E6; /* textcolor hover*/
+    --dfbtnbackhover: #000000; /* background hover*/
+    --dfbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --dfbtnforeactive: #336CDF; /* textcolor active*/
+    --dfbtnbackactive: #000000; /* background active*/
+    --dfbtnborderactive: #336CDF; /* border active */
+    /* disabled */
+    --dfbtnforedisabled: #999999; /* textcolor disabled*/
+    --dfbtnbackdisabled: #000000; /* background disabled*/
+    --dfbtnborderdisabled: #E6E6E6; /* border disabled */
+    /* Badge */
+    --dfbtnforebadge: #000000; /* textcolor badge, traffic badge textcolor*/
+    --dfbtnbackbadge: #E6E6E6; /* background badge*/
+    --dfbtnborderbadge: #000000; /* border badge */
+    /* primary button */
+    /* unselected */
+    --pbtnfore: #E6E6E6; /* textcolor */
+    --pbtnback: #000000; /* background */
+    --pbtnborder: #336CDF; /* border */
+    /* hover */
+    --pbtnforehover: #336CDF; /* textcolor hover*/
+    --pbtnbackhover: #000000; /* background hover*/
+    --pbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --pbtnforeactive: #336CDF; /* textcolor active*/
+    --pbtnbackactive: #000000; /* background active*/
+    --pbtnborderactive: #336CDF; /* border active */
+    /* disabled */
+    --pbtnforedisabled: #999999; /* textcolor disabled*/
+    --pbtnbackdisabled: #000000; /* background disabled*/
+    --pbtnborderdisabled: #635D55; /* border disabled */
+    /* badge */
+    --pbtnforebadge: #000000; /* textcolor badge*/
+    --pbtnbackbadge: #000000; /* background badge*/
+    --pbtnborderbadge: #000000; /* border badge */
+    /* info button */
+    /* unselected */
+    --ibtnfore: #008CDD; /* textcolor */
+    --ibtnback: #000000; /* background */
+    --ibtnborder: #008CDD; /* border */
+    /* hover */
+    --ibtnforehover: #E6E6E6; /* textcolor hover*/
+    --ibtnbackhover: #000000; /* background hover*/
+    --ibtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --ibtnforeactive: #336CDF; /* textcolor active*/
+    --ibtnbackactive: #000000; /* background active*/
+    --ibtnborderactive: #008CDD; /* border active */
+    /* disabled */
+    --ibtnforedisabled: #999999; /* textcolor disabled*/
+    --ibtnbackdisabled: #000000; /* background disabled*/
+    --ibtnborderdisabled: #515151; /* border disabled */
+    /* badge */
+    --ibtnforebadge: #008CDD; /* textcolor badge*/
+    --ibtnbackbadge: #000000; /* background badge*/
+    --ibtnborderbadge: #000000; /* border badge */
+    /* success button */
+    /* unselected */
+    --sbtnfore: #388E3C; /* textcolor */
+    --sbtnback: #000000; /* background */
+    --sbtnborder: #388E3C; /* border */
+    /* hover */
+    --sbtnforehover: #E6E6E6; /* textcolor hover*/
+    --sbtnbackhover: #000000; /* background hover*/
+    --sbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --sbtnforeactive: #336CDF; /* textcolor active*/
+    --sbtnbackactive: #000000; /* background active*/
+    --sbtnborderactive: #388E3C; /* border active */
+    /* disabled */
+    --sbtnforedisabled: #999999; /* textcolor disabled*/
+    --sbtnbackdisabled: #000000; /* background disabled*/
+    --sbtnborderdisabled: #31C234; /* border disabled */
+    /* badge */
+    --sbtnforebadge: #388E3C; /* textcolor badge*/
+    --sbtnbackbadge: #000000; /* background badge*/
+    --sbtnborderbadge: #000000; /* border badge */
+    /* warning button */
+    /* unselected */
+    --wbtnfore: #D66E12; /* textcolor */
+    --wbtnback: #000000; /* background */
+    --wbtnborder: #D66E12; /* border */
+    /* hover */
+    --wbtnforehover: #E6E6E6; /* textcolor hover*/
+    --wbtnbackhover: #000000; /* background hover*/
+    --wbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --wbtnforeactive: #336CDF; /* textcolor active*/
+    --wbtnbackactive: #000000; /* background active*/
+    --wbtnborderactive: #D66E12; /* border active */
+    /* disabled */
+    --wbtnforedisabled: #999999; /* textcolor disabled*/
+    --wbtnbackdisabled: #000000; /* background disabled*/
+    --wbtnborderdisabled: #515151; /* border disabled */
+    /* badge */
+    --wbtnforebadge: #D66E12; /* textcolor badge*/
+    --wbtnbackbadge: #000000; /* background badge*/
+    --wbtnborderbadge: #000000; /* border badge */
+    /* danger button */
+    /* unselected */
+    --dbtnfore: #FF5252; /* textcolor */
+    --dbtnback: #000000; /* background */
+    --dbtnborder: #FF5252; /* border */
+    /* hover */
+    --dbtnforehover: #E6E6E6; /* textcolor hover*/
+    --dbtnbackhover: #000000; /* background hover*/
+    --dbtnborderhover: #336CDF; /* border hover */
+    /* active */
+    --dbtnforeactive: #336CDF; /* textcolor active*/
+    --dbtnbackactive: #000000; /* background active*/
+    --dbtnborderactive: #FF5252; /* border active */
+    /* disabled */
+    --dbtnforedisabled: #999999; /* textcolor disabled*/
+    --dbtnbackdisabled: #000000; /* background disabled*/
+    --dbtnborderdisabled: #515151; /* border disabled */
+    /* badge */
+    --dbtnforebadge: #FF5252; /* textcolor badge*/
+    --dbtnbackbadge: #000000; /* background badge*/
+    --dbtnborderbadge: #000000; /* border badge */
+    /* link button */
+    /* unselected */
+    --lbtnfore: #336CDF; /* textcolor */
+    --lbtnback: #000000; /* background */
+    --lbtnborder: #E6E6E6; /* border */
+    /* hover */
+    --lbtnforehover: #437CEF; /* textcolor hover*/
+    --lbtnbackhover: #000000; /* background hover*/
+    --lbtnborderhover: #E6E6E6; /* border hover */
+    /* active */
+    --lbtnforeactive: #437CEF; /* textcolor active*/
+    --lbtnbackactive: transparent; /* background active*/
+    --lbtnborderactive: #E6E6E6; /* border active */
+    /* disabled */
+    --lbtnforedisabled: #999999; /* textcolor disabled*/
+    --lbtnbackdisabled: #515151; /* background disabled*/
+    --lbtnborderdisabled: #515151; /* border disabled */
+    /* navtabs (complete independent) */
+    /* active */
+    --navtabforeactive: #336CDF; /* textcolor active navtab */
+    --navtabbackactive: #000000; /* background active navtab */
+    --navtabborderactive: #336CDF; /* border active navtab */
+    /* inactive */
+    --navtabforeinactive: #E6E6E6; /* textcolor inactive navtab */
+    --navtabbackinactive: #000000; /* background inactive navtab */
+    --navtabborderinactive: #E6E6E6; /* border inactive navtab */
+    /* hover */
+    --navtabforehover: #E6E6E6; /* textcolor navtab hover */
+    --navtabbackhover: #000000; /* background navtab hover */
+    --navtabborderhover: #336CDF; /* border navtab hover */
+    /* tabulator (complete independent) */
+    /* tabulator frame foot background */
+    --tbfback: #000000;
+    /* tabulator header */
+    --tbheadfore: #E6E6E6; /* background */
+    --tbheadback: #1F1F1F; /* background */
+    --tbheadbackhover: #1F1F1F; /* background hover*/
+    --tbborder: #515151; /* border color headline */
+    /* tabulator body */
+    --tbbodybackhover: #333333; /* first row hover*/
+    --tbbordertable: #515151; /* border color table */
+    /* odd row */
+    --tbrowforeodd: #E6E6E6; /* background */
+    --tbrowbackodd: #000000; /* background */
+    /* even row */
+    --tbrowforeeven: #E6E6E6; /* background */
+    --tbrowbackeven: #000000; /* background */
+    /* tabulator footer */
+    /* unselected */
+    --tffore: #E6E6E6; /* textcolor */
+    --tfback: #000000; /* background */
+    --tfborder: #E6E6E6; /* border */
+    /* hover */
+    --tfforehover: #E6E6E6; /* textcolor hover*/
+    --tfbackhover: #000000; /* border hover */
+    --tfborderhover: #336CDF; /* textcolor hover*/
+    /* active */
+    --tfforeactive: #336CDF; /* textcolor active*/
+    --tfbackactive: #000000; /* background active*/
+    --tfborderactive: #336CDF; /* border active */
+    /* active hover*/
+    --tfforeactivehover: #467ECF; /* textcolor active*/
+    --tfbackactivehover: #000000; /* background active*/
+    --tfborderactivehover: #467CCF; /* border active */
+    /* panel, example: Reporting health */
+    --panelbody: #000000; /* panel body background*/
+    --panelheading: #000000; /* panel heading background*/
+    --panelheadingfore: #E6E6E6; /* panel heading textcolor*/
+    --panelfooter: #000000; /* panel footer */
+    --panelinfo: #E6E6E6; /* panel info, example wait circle */
+    /* content-box, example report traffic*/
+    --contentboxfore: #E6E6E6; /* content-box foreground and tabulator frame head background*/
+    --contentboxback: #000000; /* content-box background and tabulator frame head background*/
+    /* table */
+    --tableheadfore: #E6E6E6; /* textcolor table head */
+    --tablelegend: #E6E6E6;
+    --tableborder: #515151; /* background table in a table */
+    /* table not stripe */
+    --tablefore: #E6E6E6; /* textcolor table */
+    --tableback: #000000; /* background table */
+    /* table stripe */
+    --tablestripeback: #000000; /* alternative background table */
+    /* table inside a table */
+    --tabletablefore: #E6E6E6; /* headline table in a table */
+    --tabletableback: #000000; /* background table in a table */
+    /* scrollbar */
+    --scbarcolor: #4D4D4D #000000; /* scrollbarcolor: foreground vs background, the following colors are not important */
+    --scbarborder: #515151; /* bordercolor scrollbar*/
+    --scbar: #4D4D4D; /* scrollbar foreground*/
+    --scbarhover: #5D5D5D; /* scrollbar foreground hover*/
+    --scbarbutton: #4D4D4D; /* scrollbar button*/
+    /* unbound (complete independent) */
+    --unbiconsback: rgba(33,33,33,0.9); /* large icons on tabs */
+    --unbfore1: #E6E6E6; /* main text 1 */
+    --unbback1: #1F1F1F; /* background 1 */
+    --unbfore2: #008CDD; /* main text 2 */
+    --unbback2: #1F1F1F; /* background 2 */
+    --unbborder: #4D4D4D; /* unbound-border */
+    --unbborderactive: #336CDF; /* unbound-border active */
+    --unbsuccess: rgba(16,175,66,0.4); /* unbound detail background success */
+    --unbsuccessfore: rgba(241,241,241,1); /* unbound textcolor success */
+    --unbinfo: rgba(51,108,223,0.4); /* unbound detail background info */
+    --unbinfofore: rgba(241,241,241,1); /* unbound textcolor info */
+    --unbdanger: rgba(239,48,64,0.6); /* unbound detail background danger */
+    --unbdangerfore: rgba(241,241,241,1); /* unbound textcolor danger */
+    --unbwarning: rgba(219,57,61,0.4); /* unbound detail background warning */
+    --unbwarningfore: rgba(241,241,241,1,1); /* unbound textcolor warning */
+    --unberror: rgba(18,19,19,0); /* unbound detail background error */
+    --unberrorfore: rgba(162,17,42,1); /* unbound textcolor error */
+    --unbshadow: rgba(47,47,47,.8); /* unbound overview circle shadow */
+    /* dashboard, (independent, despite the buttons on the top ) */
+    --dbfore: #E6E6E6; /* textcolor dashboard */
+    --dbback: #000000; /* background color dashboard */
+    --dbbackhover: #000000; /* background color dashboard */
+    --dbborder: rgba(80,80,80,1); /* bordercolor dashboard */
+    --dbchartfore: rgba(241,241,241,1); /* textcolor dashboard charts */
+    --dbchartborder: rgba(61,61,61,1); /* bordercolor dashboard charts*/
+    --dbtoolfore: #000000; /* textcolor tooltip dashboard */
+    --dbtoolback: rgba(241, 241, 241, 0.9); /*background color tooltip */
+    /* graph */
+    --graphfore: #E6E6E6;
+    --graphback: #000000;
+    --nv3daxis: #E6E6E6;
+    /* rgb */
+    --rgb50: rgba(255,255,255,0,5);
+    --rgbshadowdark: rgba(255,255,255,.1);
+    --bootstrapshadow: rgba(204, 204, 204, 0.2);
+    --boxshadow: inset 0 1px 1px rgba(255,255,255,0.075);
+    --btnshadow1: inset 0 1px 1px rgba(25, 57, 183, 0.075);
+    --btnshadow2: 0 0 8px rgba(25, 57, 183, 0.6);
+    --progresshadow: inset 0px 1px 2px 1px rgb(217, 217, 217);
+    --progresshadow2: 0 5px 10px rgb(255, 255, 255, 0.1);
+    --mozshadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5)
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dns-overview.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dns-overview.css
new file mode 100644
index 0000000000..d04d2c6e32
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dns-overview.css
@@ -0,0 +1,209 @@
+@import url('default_scheme.css');
+
+.tab-content {
+    padding: 10px;
+    border-top: 1px solid var(--unbborder);
+    color: var(--unbfore1);
+}
+
+.banner {
+    width: 25%;
+    color: var(--info);
+}
+
+.stats-element {
+    height: 5em;
+    background: var(--unbback1);
+    overflow: hidden;
+    display: flex;
+    justify-content: flex-start;
+    border-radius: .3em;
+    margin:auto;
+    border: 1px solid var(--unbborder));
+    color: var(--unbfore1);
+}
+
+.stats-icon {
+    height: auto;
+    width: 50%;
+    object-fit:cover;
+    background: var(--unbiconsback);
+    border-radius: 0 2em 2em 0 / 0 3em 3em 0;
+    box-shadow: 3px 5px 1px 3px var(--unbshadow);
+}
+
+.large-icon {
+    position: relative;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+    font-size: 2em;
+}
+
+.stats-text {
+    height: 5em;
+    width: 15em;
+    display: flex;
+    justify-content: center;
+    text-align: center;
+    align-items: center;
+    flex-direction: column;
+}
+
+.stats-counter-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+    color: var(--unbfore1);
+}
+
+.stats-inner-text {
+    margin: 0;
+    padding: 0;
+    text-align: center;
+    font-size: 15px;
+    color: var(--unbfore2);
+}
+
+#bannersub {
+    text-align: center;
+    margin: 5px;
+    color: var(--unbfore1);
+}
+
+.list-group-wrapper {
+    margin: 0px;
+    padding-top: 10px;
+    padding-bottom: 10px;
+    background-color: var(--unbback1);
+}
+
+.list-item-domain {
+    height: 2.5em;
+    background-color: var(--unbback2);
+    color: var(--unbfore2);
+}
+
+.list-group-item-border {
+    border: 1px solid var(--unbborder));
+}
+
+.list-group-item-border:first-child {
+    border-top-left-radius: 4px;
+    border-top-right-radius: 4px;
+    border-bottom: 2px;
+    border-color: var(--unbborder));
+}
+
+.list-group-item-border:last-child {
+    border-bottom-left-radius: 4px;
+    border-bottom-right-radius: 4px;
+    border-color: var(--unbborder));
+}
+.btn.pull-right {
+    margin-left: 3px;
+}
+
+.odd-bg {
+    background: var(--unbback2);
+}
+
+.top-item {
+    display: flex;
+    white-space: nowrap;
+    background-color: var(--unbback2);
+    color: var(--unbfore1);
+}
+
+.group-p {
+    overflow: hidden;
+    height: 20px;
+    margin-right: 5px;
+    text-overflow: ellipsis;
+}
+
+.counter {
+    position: relative;
+    top: -3px;
+    color: var(--unbfore1);
+    font-size: 14px;
+    line-height: 1.4;
+    flex: 1;
+    text-align: right;
+}
+
+.vertical-center {
+    margin: 0;
+    position: absolute;
+    top: 50%;
+    -ms-transform: translateY(-50%);
+    transform: translateY(-50%);
+}
+
+#maintabs > li > a {
+    border: 1px solid var(--unbborder);
+}
+
+#maintabs > li.active > a {
+    border-top: 1px solid var(--unbborderactive);
+    border-left: 1px solid var(--unbborderactive);
+    border-right: 1px solid var(--unbborderactive);
+    border-bottom: transparent;
+}
+
+.query-success {
+    background-color: var(--unbsuccess);
+    color: var(--unbsuccessfore);
+}
+
+.query-info {
+    background-color: var(--unbinfo);
+    color: var(--unbinfofore);
+}
+
+.query-danger {
+    background-color: var(--unbdanger);
+    color: var(--unbdangerfore);
+}
+
+.query-warning {
+    background-color: var(--unbwarning);
+    color: var(--unbwarningfore);
+}
+
+.query-error {
+    background-color: var(--unberror);
+    color: var(--unberrorfore);
+}
+
+#searchFilter {
+    display: inline-block;
+    margin: 0 20px 0 0;
+    vertical-align: middle;
+}
+
+.tag {
+    font-size: 14px;
+    padding: .3em .4em .4em;
+    margin: 0 .1em;
+}
+
+.tag a {
+  color: var(--unbfore1);
+  cursor: pointer;
+  opacity: 0.9;
+}
+
+.tag a {
+  margin: 0 0 0 .3em;
+}
+
+.tag a fa-times {
+  color: var(--unbfore1);
+  margin-bottom: 2px;
+}
+
+.tooltip-inner {
+  max-width: 1000px !important;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/jquery.bootgrid.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/jquery.bootgrid.css
new file mode 100644
index 0000000000..7668c34c20
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/jquery.bootgrid.css
@@ -0,0 +1,151 @@
+/*!
+ * jQuery Bootgrid v1.3.1 - 09/11/2015
+ * Copyright (c) 2014-2015 Rafael Staib (http://www.jquery-bootgrid.com)
+ * Licensed under MIT http://www.opensource.org/licenses/MIT
+ */
+@import url('default_scheme.css');
+.bootgrid-header,
+.bootgrid-footer {
+  margin: 15px 0;
+}
+.bootgrid-header a,
+.bootgrid-footer a {
+  outline: 0;
+}
+.bootgrid-header .search,
+.bootgrid-footer .search {
+  display: inline-block;
+  margin: 0 20px 0 0;
+  vertical-align: middle;
+  width: 180px;
+}
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa-solid {
+  top: 0;
+}
+.bootgrid-header .search .fa,
+.bootgrid-header .search .fa-solid,
+.bootgrid-footer .search .fa,
+.bootgrid-footer .search .fa-solid {
+  display: table-cell;
+}
+.bootgrid-header .search.search-field::-ms-clear,
+.bootgrid-footer .search.search-field::-ms-clear,
+.bootgrid-header .search .search-field::-ms-clear,
+.bootgrid-footer .search .search-field::-ms-clear {
+  display: none;
+}
+.bootgrid-header .pagination,
+.bootgrid-footer .pagination {
+  margin: 0 !important;
+}
+.bootgrid-header .actionBar,
+.bootgrid-footer .infoBar {
+  text-align: right;
+}
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu {
+  text-align: left;
+}
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item {
+  cursor: pointer;
+  display: block;
+  margin: 0;
+  padding: 3px 20px;
+  white-space: nowrap;
+}
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover,
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus {
+  color: var(--jquerybarfore);
+  text-decoration: none;
+  background-color: var(--jquerybarback);
+  border: 1px solid var(--jquerybarborder);
+}
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item.dropdown-item-checkbox,
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item .dropdown-item-checkbox,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item .dropdown-item-checkbox {
+  margin: 0 2px 4px 0;
+  vertical-align: middle;
+}
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item.disabled,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item.disabled {
+  cursor: not-allowed;
+}
+.bootgrid-table {
+  table-layout: fixed;
+}
+.bootgrid-table a {
+  outline: 0;
+}
+.bootgrid-table th > .column-header-anchor {
+  color: var(--jqueryfore);
+  cursor: not-allowed;
+  display: block;
+  position: relative;
+  text-decoration: none;
+}
+.bootgrid-table th > .column-header-anchor.sortable {
+  cursor: pointer;
+}
+.bootgrid-table th > .column-header-anchor > .text {
+  display: block;
+  margin: 0 16px 0 0;
+  overflow: hidden;
+  -ms-text-overflow: ellipsis;
+  -o-text-overflow: ellipsis;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+.bootgrid-table th > .column-header-anchor > .icon {
+  display: block;
+  position: absolute;
+  right: 0;
+  top: 2px;
+}
+.bootgrid-table th:hover,
+.bootgrid-table th:active {
+  background: var(--jqueryback);
+}
+.bootgrid-table td {
+  overflow: hidden;
+  -ms-text-overflow: ellipsis;
+  -o-text-overflow: ellipsis;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+.bootgrid-table td.loading,
+.bootgrid-table td.no-results {
+  background: var(--jqueryback);
+  text-align: center;
+}
+.bootgrid-table th.select-cell,
+.bootgrid-table td.select-cell {
+  text-align: center;
+  width: 30px;
+}
+.bootgrid-table th.select-cell .select-box,
+.bootgrid-table td.select-cell .select-box {
+  margin: 0;
+  outline: 0;
+}
+.table-responsive .bootgrid-table {
+  table-layout: inherit !important;
+}
+.table-responsive .bootgrid-table th > .column-header-anchor > .text {
+  overflow: inherit !important;
+  -ms-text-overflow: inherit !important;
+  -o-text-overflow: inherit !important;
+  text-overflow: inherit !important;
+  white-space: inherit !important;
+}
+.table-responsive .bootgrid-table td {
+  overflow: inherit !important;
+  -ms-text-overflow: inherit !important;
+  -o-text-overflow: inherit !important;
+  text-overflow: inherit !important;
+  white-space: inherit !important;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css
new file mode 100644
index 0000000000..1a243c3d60
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css
@@ -0,0 +1,5937 @@
+@charset "UTF-8";
+@import url('default_scheme.css');
+@font-face {
+  font-family: "SourceSansProBold";
+  src: url("/ui/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf") format("truetype"); }
+@font-face {
+  font-family: "SourceSansProSemibold";
+  src: url("/ui/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf") format("truetype"); }
+@font-face {
+  font-family: "SourceSansProRegular";
+  src: url("/ui/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff") format("woff"), url("/ui/themes/opnsense/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf") format("truetype"); }
+/*! normalize.css v3.0.1 | MIT License | git.io/normalize */
+<svg xmlns="http://www.w3.org/2000/svg"
+     width="150" height="30" viewBox="0 0 150 30">
+</svg>
+html {
+  font-family: sans-serif;
+  -ms-text-size-adjust: 100%;
+  -webkit-text-size-adjust: 100%; }
+body {
+  margin: 0; }
+article,
+aside,
+details,
+figcaption,
+figure,
+footer,
+header,
+hgroup,
+main,
+nav,
+section,
+summary {
+  display: block; }
+audio,
+canvas,
+progress,
+video {
+  display: inline-block;
+  vertical-align: baseline; }
+audio:not([controls]) {
+  display: none;
+  height: 0; }
+[hidden],
+template {
+  display: none; }
+a {
+  background: transparent; }
+a:link, a:active, a:hover {
+  outline: 0; }
+abbr[title] {
+  border-bottom: 1px dotted; }
+b,
+strong {
+  font-weight: bold; }
+dfn {
+  font-style: italic; }
+h1 {
+  font-size: 2em;
+  margin: 0.67em 0; }
+mark {
+  background: var(--warning);
+  color: var(--pfore); }
+small {
+  font-size: 80%; }
+sub,
+sup {
+  font-size: 75%;
+  line-height: 0;
+  position: relative;
+  vertical-align: baseline; }
+sup {
+  top: -0.5em; }
+sub {
+  bottom: -0.25em; }
+img {
+  border: 0; }
+svg:not(:root) {
+  overflow: hidden; }
+figure {
+  margin: 1em 40px; }
+hr {
+  -moz-box-sizing: content-box;
+  box-sizing: content-box;
+  height: 0; }
+pre {
+  overflow: auto; }
+code,
+kbd,
+pre,
+samp {
+  font-family: monospace, monospace;
+  font-size: 1em; }
+button,
+input,
+optgroup,
+select,
+textarea {
+  color: inherit;
+  font: inherit;
+  margin: 0; }
+button {
+  overflow: visible; }
+button,
+select {
+  text-transform: none; }
+button,
+html input[type=button],
+input[type=reset],
+input[type=submit] {
+  -webkit-appearance: button;
+  cursor: pointer; }
+button[disabled],
+html input[disabled] {
+  cursor: default; }
+button::-moz-focus-inner,
+input::-moz-focus-inner {
+  border: 0;
+  padding: 0; }
+input {
+  line-height: normal; }
+input[type=checkbox],
+input[type=radio] {
+  box-sizing: border-box;
+  padding: 0; }
+input[type=number]::-webkit-inner-spin-button,
+input[type=number]::-webkit-outer-spin-button {
+  height: auto; }
+input[type=search] {
+  -webkit-appearance: textfield;
+  -moz-box-sizing: content-box;
+  -webkit-box-sizing: content-box;
+  box-sizing: content-box; }
+input[type=search]::-webkit-search-cancel-button,
+input[type=search]::-webkit-search-decoration {
+  -webkit-appearance: none; }
+fieldset {
+  border: 1px solid var(--stdborder);
+  margin: 0 2px;
+  padding: 0.35em 0.625em 0.75em; }
+legend {
+  border: 0;
+  padding: 0; }
+textarea {
+  overflow: auto; }
+optgroup {
+  font-weight: bold; }
+table {
+  border-collapse: collapse;
+  border-spacing: 0;
+}
+td,
+th {
+  padding: 0; }
+@media print {
+  * {
+    text-shadow: none !important;
+    color: var(--pfore) !important;
+    background: transparent !important;
+    box-shadow: none !important;
+  }
+  a,
+  a:visited {
+    text-decoration: underline;
+  }
+  a[href]:after {
+    content: " (" attr(href) ")";
+  }
+  abbr[title]:after {
+    content: " (" attr(title) ")";
+  }
+  a[href^="javascript:"]:after,
+a[href^="#"]:after {
+    content: "";
+  }
+  pre,
+blockquote {
+    border: 1px solid var(--stdborder);
+    page-break-inside: avoid;
+  }
+  thead {
+    display: table-header-group;
+  }
+  tr,
+img {
+    page-break-inside: avoid;
+  }
+  img {
+    max-width: 100% !important;
+  }
+  p,
+  h2,
+  h3 {
+    orphans: 3;
+    widows: 3;
+  }
+  h2,
+  h3 {
+    page-break-after: avoid;
+  }
+  select {
+    background: var(--pback) !important;
+  }
+  .navbar {
+    display: none;
+  }
+  .table td,
+  .table th {
+    background-color: var(--pback) !important;
+  }
+  .btn > .caret,
+  .dropup > .btn > .caret {
+    border-top-color: var(--stdborder) !important;
+  }
+  .label {
+    border: 1px solid var(--stdborder);
+  }
+  .table {
+    border-collapse: collapse !important;
+  }
+  .table-bordered th,
+  .table-bordered td {
+    border: 1px solid var(--stdborder) !important;
+  }
+}
+@font-face {
+  font-family: "Glyphicons Halflings";
+  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot");
+  src: url("../fonts/bootstrap/glyphicons-halflings-regular.eot?#iefix") format("embedded-opentype"), url("../fonts/bootstrap/glyphicons-halflings-regular.woff") format("woff"), url("../fonts/bootstrap/glyphicons-halflings-regular.ttf") format("truetype"), url("../fonts/bootstrap/glyphicons-halflings-regular.svg#glyphicons_halflingsregular") format("svg"); }
+.glyphicon {
+  position: relative;
+  top: 1px;
+  display: inline-block;
+  font-family: "Glyphicons Halflings";
+  font-style: normal;
+  font-weight: normal;
+  line-height: 1;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale; }
+.glyphicon-asterisk:before {
+  content: "*"; }
+.glyphicon-plus:before {
+  content: "+"; }
+.glyphicon-euro:before {
+  content: "€"; }
+.glyphicon-minus:before {
+  content: "−"; }
+.glyphicon-cloud:before {
+  content: "☁"; }
+.glyphicon-envelope:before {
+  content: "✉"; }
+.glyphicon-pencil:before {
+  content: "✏"; }
+.glyphicon-glass:before {
+  content: ""; }
+.glyphicon-music:before {
+  content: ""; }
+.glyphicon-search:before {
+  content: ""; }
+.glyphicon-heart:before {
+  content: ""; }
+.glyphicon-star:before {
+  content: ""; }
+.glyphicon-star-empty:before {
+  content: ""; }
+.glyphicon-user:before {
+  content: ""; }
+.glyphicon-film:before {
+  content: ""; }
+.glyphicon-th-large:before {
+  content: ""; }
+.glyphicon-th:before {
+  content: ""; }
+.glyphicon-th-list:before {
+  content: ""; }
+.glyphicon-ok:before {
+  content: ""; }
+.glyphicon-remove:before {
+  content: ""; }
+.glyphicon-zoom-in:before {
+  content: ""; }
+.glyphicon-zoom-out:before {
+  content: ""; }
+.glyphicon-off:before {
+  content: ""; }
+.glyphicon-signal:before {
+  content: ""; }
+.glyphicon-cog:before {
+  content: ""; }
+.glyphicon-trash:before {
+  content: ""; }
+.glyphicon-home:before {
+  content: ""; }
+.glyphicon-file:before {
+  content: ""; }
+.glyphicon-time:before {
+  content: ""; }
+.glyphicon-road:before {
+  content: ""; }
+.glyphicon-download-alt:before {
+  content: ""; }
+.glyphicon-download:before {
+  content: ""; }
+.glyphicon-upload:before {
+  content: ""; }
+.glyphicon-inbox:before {
+  content: ""; }
+.glyphicon-play-circle:before {
+  content: ""; }
+.glyphicon-repeat:before {
+  content: ""; }
+.glyphicon-refresh:before {
+  content: ""; }
+.glyphicon-list-alt:before {
+  content: ""; }
+.glyphicon-lock:before {
+  content: ""; }
+.glyphicon-flag:before {
+  content: ""; }
+.glyphicon-headphones:before {
+  content: ""; }
+.glyphicon-volume-off:before {
+  content: ""; }
+.glyphicon-volume-down:before {
+  content: ""; }
+.glyphicon-volume-up:before {
+  content: ""; }
+.glyphicon-qrcode:before {
+  content: ""; }
+.glyphicon-barcode:before {
+  content: ""; }
+.glyphicon-tag:before {
+  content: ""; }
+.glyphicon-tags:before {
+  content: ""; }
+.glyphicon-book:before {
+  content: ""; }
+.glyphicon-bookmark:before {
+  content: ""; }
+.glyphicon-print:before {
+  content: ""; }
+.glyphicon-camera:before {
+  content: ""; }
+.glyphicon-font:before {
+  content: ""; }
+.glyphicon-bold:before {
+  content: ""; }
+.glyphicon-italic:before {
+  content: ""; }
+.glyphicon-text-height:before {
+  content: ""; }
+.glyphicon-text-width:before {
+  content: ""; }
+.glyphicon-align-left:before {
+  content: ""; }
+.glyphicon-align-center:before {
+  content: ""; }
+.glyphicon-align-right:before {
+  content: ""; }
+.glyphicon-align-justify:before {
+  content: ""; }
+.glyphicon-list:before {
+  content: ""; }
+.glyphicon-indent-left:before {
+  content: ""; }
+.glyphicon-indent-right:before {
+  content: ""; }
+.glyphicon-facetime-video:before {
+  content: ""; }
+.glyphicon-picture:before {
+  content: ""; }
+.glyphicon-map-marker:before {
+  content: ""; }
+.glyphicon-adjust:before {
+  content: ""; }
+.glyphicon-tint:before {
+  content: ""; }
+.glyphicon-edit:before {
+  content: ""; }
+.glyphicon-share:before {
+  content: ""; }
+.glyphicon-check:before {
+  content: ""; }
+.glyphicon-move:before {
+  content: ""; }
+.glyphicon-step-backward:before {
+  content: ""; }
+.glyphicon-fast-backward:before {
+  content: ""; }
+.glyphicon-backward:before {
+  content: ""; }
+.glyphicon-play:before {
+  content: ""; }
+.glyphicon-pause:before {
+  content: ""; }
+.glyphicon-stop:before {
+  content: ""; }
+.glyphicon-forward:before {
+  content: ""; }
+.glyphicon-fast-forward:before {
+  content: ""; }
+.glyphicon-step-forward:before {
+  content: ""; }
+.glyphicon-eject:before {
+  content: ""; }
+.glyphicon-chevron-left:before {
+  content: ""; }
+.glyphicon-chevron-right:before {
+  content: ""; }
+.glyphicon-plus-sign:before {
+  content: ""; }
+.glyphicon-minus-sign:before {
+  content: ""; }
+.glyphicon-remove-sign:before {
+  content: ""; }
+.glyphicon-ok-sign:before {
+  content: ""; }
+.glyphicon-question-sign:before {
+  content: ""; }
+.glyphicon-info-sign:before {
+  content: ""; }
+.glyphicon-screenshot:before {
+  content: ""; }
+.glyphicon-remove-circle:before {
+  content: ""; }
+.glyphicon-ok-circle:before {
+  content: ""; }
+.glyphicon-ban-circle:before {
+  content: ""; }
+.glyphicon-arrow-left:before {
+  content: ""; }
+.glyphicon-arrow-right:before {
+  content: ""; }
+.glyphicon-arrow-up:before {
+  content: ""; }
+.glyphicon-arrow-down:before {
+  content: ""; }
+.glyphicon-share-alt:before {
+  content: ""; }
+.glyphicon-resize-full:before {
+  content: ""; }
+.glyphicon-resize-small:before {
+  content: ""; }
+.glyphicon-exclamation-sign:before {
+  content: ""; }
+.glyphicon-gift:before {
+  content: ""; }
+.glyphicon-leaf:before {
+  content: ""; }
+.glyphicon-fire:before {
+  content: ""; }
+.glyphicon-eye-open:before {
+  content: ""; }
+.glyphicon-eye-close:before {
+  content: ""; }
+.glyphicon-warning-sign:before {
+  content: ""; }
+.glyphicon-plane:before {
+  content: ""; }
+.glyphicon-calendar:before {
+  content: ""; }
+.glyphicon-random:before {
+  content: ""; }
+.glyphicon-comment:before {
+  content: ""; }
+.glyphicon-magnet:before {
+  content: ""; }
+.glyphicon-chevron-up:before {
+  content: ""; }
+.glyphicon-chevron-down:before {
+  content: ""; }
+.glyphicon-retweet:before {
+  content: ""; }
+.glyphicon-shopping-cart:before {
+  content: ""; }
+.glyphicon-folder-close:before {
+  content: ""; }
+.glyphicon-folder-open:before {
+  content: ""; }
+.glyphicon-resize-vertical:before {
+  content: ""; }
+.glyphicon-resize-horizontal:before {
+  content: ""; }
+.glyphicon-hdd:before {
+  content: ""; }
+.glyphicon-bullhorn:before {
+  content: ""; }
+.glyphicon-bell:before {
+  content: ""; }
+.glyphicon-certificate:before {
+  content: ""; }
+.glyphicon-thumbs-up:before {
+  content: ""; }
+.glyphicon-thumbs-down:before {
+  content: ""; }
+.glyphicon-hand-right:before {
+  content: ""; }
+.glyphicon-hand-left:before {
+  content: ""; }
+.glyphicon-hand-up:before {
+  content: ""; }
+.glyphicon-hand-down:before {
+  content: ""; }
+.glyphicon-circle-arrow-right:before {
+  content: ""; }
+.glyphicon-circle-arrow-left:before {
+  content: ""; }
+.glyphicon-circle-arrow-up:before {
+  content: ""; }
+.glyphicon-circle-arrow-down:before {
+  content: ""; }
+.glyphicon-globe:before {
+  content: ""; }
+.glyphicon-wrench:before {
+  content: ""; }
+.glyphicon-tasks:before {
+  content: ""; }
+.glyphicon-filter:before {
+  content: ""; }
+.glyphicon-briefcase:before {
+  content: ""; }
+.glyphicon-fullscreen:before {
+  content: ""; }
+.glyphicon-dashboard:before {
+  content: ""; }
+.glyphicon-paperclip:before {
+  content: ""; }
+.glyphicon-heart-empty:before {
+  content: ""; }
+.glyphicon-link:before {
+  content: ""; }
+.glyphicon-phone:before {
+  content: ""; }
+.glyphicon-pushpin:before {
+  content: ""; }
+.glyphicon-usd:before {
+  content: ""; }
+.glyphicon-gbp:before {
+  content: ""; }
+.glyphicon-sort:before {
+  content: ""; }
+.glyphicon-sort-by-alphabet:before {
+  content: ""; }
+.glyphicon-sort-by-alphabet-alt:before {
+  content: ""; }
+.glyphicon-sort-by-order:before {
+  content: ""; }
+.glyphicon-sort-by-order-alt:before {
+  content: ""; }
+.glyphicon-sort-by-attributes:before {
+  content: ""; }
+.glyphicon-sort-by-attributes-alt:before {
+  content: ""; }
+.glyphicon-unchecked:before {
+  content: ""; }
+.glyphicon-expand:before {
+  content: ""; }
+.glyphicon-collapse-down:before {
+  content: ""; }
+.glyphicon-collapse-up:before {
+  content: ""; }
+.glyphicon-log-in:before {
+  content: ""; }
+.glyphicon-flash:before {
+  content: ""; }
+.glyphicon-log-out:before {
+  content: ""; }
+.glyphicon-new-window:before {
+  content: ""; }
+.glyphicon-record:before {
+  content: ""; }
+.glyphicon-save:before {
+  content: ""; }
+.glyphicon-open:before {
+  content: ""; }
+.glyphicon-saved:before {
+  content: ""; }
+.glyphicon-import:before {
+  content: ""; }
+.glyphicon-export:before {
+  content: ""; }
+.glyphicon-send:before {
+  content: ""; }
+.glyphicon-floppy-disk:before {
+  content: ""; }
+.glyphicon-floppy-saved:before {
+  content: ""; }
+.glyphicon-floppy-remove:before {
+  content: ""; }
+.glyphicon-floppy-save:before {
+  content: ""; }
+.glyphicon-floppy-open:before {
+  content: ""; }
+.glyphicon-credit-card:before {
+  content: ""; }
+.glyphicon-transfer:before {
+  content: ""; }
+.glyphicon-cutlery:before {
+  content: ""; }
+.glyphicon-header:before {
+  content: ""; }
+.glyphicon-compressed:before {
+  content: ""; }
+.glyphicon-earphone:before {
+  content: ""; }
+.glyphicon-phone-alt:before {
+  content: ""; }
+.glyphicon-tower:before {
+  content: ""; }
+.glyphicon-stats:before {
+  content: ""; }
+.glyphicon-sd-video:before {
+  content: ""; }
+.glyphicon-hd-video:before {
+  content: ""; }
+.glyphicon-subtitles:before {
+  content: ""; }
+.glyphicon-sound-stereo:before {
+  content: ""; }
+.glyphicon-sound-dolby:before {
+  content: ""; }
+.glyphicon-sound-5-1:before {
+  content: ""; }
+.glyphicon-sound-6-1:before {
+  content: ""; }
+.glyphicon-sound-7-1:before {
+  content: ""; }
+.glyphicon-copyright-mark:before {
+  content: ""; }
+.glyphicon-registration-mark:before {
+  content: ""; }
+.glyphicon-cloud-download:before {
+  content: ""; }
+.glyphicon-cloud-upload:before {
+  content: ""; }
+.glyphicon-tree-conifer:before {
+  content: ""; }
+.glyphicon-tree-deciduous:before {
+  content: ""; }
+* {
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box;
+  text-decoration:none; }
+*:before,
+*:after {
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box; }
+html {
+  font-size: 10px;
+  -webkit-tap-highlight-color: transparent; }
+body {
+  font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+  font-size: 14px;
+  line-height: 1.428571429;
+  color: var(--pagefore);
+}
+input,
+button,
+select,
+textarea {
+  font-family: inherit;
+  font-size: inherit;
+  line-height: inherit; }
+a {
+  color: var(--link);
+  text-decoration: none; }
+a:hover, a:focus {
+  color: var(--linkhover);
+  text-decoration: underline; }
+a:focus {
+  outline: thin dotted;
+  outline: 5px auto -webkit-focus-ring-color;
+  outline-offset: -2px; }
+figure {
+  margin: 0; }
+img {
+  vertical-align: middle; }
+.img-responsive {
+  display: block;
+  width: 100% \9 ;
+  max-width: 100%;
+  height: auto; }
+.img-rounded {
+  border-radius: 6px; }
+.img-thumbnail {
+  padding: 4px;
+  line-height: 1.428571429;
+  background-color: var(--pback); 
+  border: 1px solid var(--stdborderaccent);
+  border-radius: 3px;
+  -webkit-transition: all 0.2s ease-in-out;
+  -o-transition: all 0.2s ease-in-out;
+  transition: all 0.2s ease-in-out;
+  display: inline-block;
+  width: 100% \9 ;
+  max-width: 100%;
+  height: auto; }
+.img-circle {
+  border-radius: 50%; }
+hr {
+  margin-top: 20px;
+  margin-bottom: 20px;
+  border: 0;
+  border-top: 1px solid var(--stdborder); }
+.sr-only {
+  position: absolute;
+  width: 1px;
+  height: 1px;
+  margin: -1px;
+  padding: 0;
+  overflow: hidden;
+  clip: rect(255, 255, 255, 0);
+  border: 0; }
+.sr-only-focusable:active, .sr-only-focusable:focus {
+  position: static;
+  width: auto;
+  height: auto;
+  margin: 0;
+  overflow: visible;
+  clip: auto; }
+h1, h2, h3, h4, h5, h6,
+.h1, .h2, .h3, .h4, .h5, .h6 {
+  font-family: "SourceSansProSemiBold";
+  font-weight: 100;
+  line-height: 1.4;
+  color: var(--foregound); } /* !!! */
+h1 small,
+h1 .small, h2 small,
+h2 .small, h3 small,
+h3 .small, h4 small,
+h4 .small, h5 small,
+h5 .small, h6 small,
+h6 .small,
+.h1 small,
+.h1 .small, .h2 small,
+.h2 .small, .h3 small,
+.h3 .small, .h4 small,
+.h4 .small, .h5 small,
+.h5 .small, .h6 small,
+.h6 .small {
+  font-weight: normal;
+  line-height: 1;
+  color: var(--pfore); }
+h1, .h1,
+h2, .h2,
+h3, .h3 {
+  margin-top: 20px;
+  margin-bottom: 10px; }
+h1 small,
+h1 .small, .h1 small,
+.h1 .small,
+h2 small,
+h2 .small, .h2 small,
+.h2 .small,
+h3 small,
+h3 .small, .h3 small,
+.h3 .small {
+  font-size: 65%; }
+h4, .h4,
+h5, .h5,
+h6, .h6 {
+  margin-top: 10px;
+  margin-bottom: 10px; }
+h4 small,
+h4 .small, .h4 small,
+.h4 .small,
+h5 small,
+h5 .small, .h5 small,
+.h5 .small,
+h6 small,
+h6 .small, .h6 small,
+.h6 .small {
+  font-size: 75%; }
+h1, .h1 {
+  font-size: 23px; }
+h2, .h2 {
+  font-size: 16px; }
+h3, .h3 {
+  font-size: 14px; }
+h4, .h4 {
+  font-size: 18px; }
+h5, .h5 {
+  font-size: 14px; }
+h6, .h6 {
+  font-size: 12px; }
+p {
+  margin: 0 0 10px; }
+.lead {
+  margin-bottom: 20px;
+  font-size: 16px;
+  font-weight: 300;
+  line-height: 1.4; }
+@media (min-width: 768px) {
+  .lead {
+    font-size: 21px;
+  }
+}
+small,
+.small {
+  font-size: 85%; }
+cite {
+  font-style: normal; }
+mark,
+.mark {
+  background-color: var(--pbackhover);
+  padding: 0.2em; }
+.text-left {
+  text-align: left; }
+.text-right {
+  text-align: right; }
+.text-center {
+  text-align: center; }
+.text-justify {
+  text-align: justify; }
+.text-nowrap {
+  white-space: nowrap; }
+.text-lowercase {
+  text-transform: lowercase; }
+.text-uppercase {
+  text-transform: uppercase; }
+.text-capitalize {
+  text-transform: capitalize; }
+.text-muted {
+  color: var(--pforemuted); }
+.text-primary {
+  color: var(--pfore); }
+a.text-primary:hover {
+  color: var(--pforehover); }
+.text-success {
+  color: var(--success); }
+a.text-success:hover {
+  color: var(--successhover); }
+.text-info {
+  color: var(--info); }
+a.text-info:hover {
+  color: var(--infohover); }
+.text-warning {
+  color: var(--warning); }
+a.text-warning:hover {
+  color: var(--warninghover); }
+.text-danger {
+  color: var(--danger); }
+a.text-danger:hover {
+  color: var(--dangerhover); }
+.bg-primary {
+  color: var(--pfore); 
+}
+.bg-primary {
+  background-color: var(--pback); }
+a.bg-primary:hover
+{
+  background-color: var(--pbackhover);
+}
+.bg-success {
+  background-color: var(--success); }
+a.bg-success:hover {
+  background-color: var(--successhover); }
+.bg-info {
+  background-color: var(--info); }
+a.bg-info:hover {
+  background-color: var(--infohover); }
+.bg-warning {
+  background-color: var(--warning); }
+a.bg-warning:hover {
+  background-color: var(--warninghover); }
+.bg-danger {
+  background-color: var(--danger); }
+a.bg-danger:hover {
+  background-color: var(--dangerhover); }
+.page-header {
+  padding-bottom: 9px;
+  margin: 40px 0 20px;
+  border-bottom: 1px solid var(--stdborder); }
+ul,
+ol {
+  margin-top: 0;
+  margin-bottom: 10px; }
+ul ul,
+ul ol,
+ol ul,
+ol ol {
+  margin-bottom: 0; }
+.list-unstyled, .list-inline {
+  padding-left: 0;
+  list-style: none; }
+.list-inline {
+  margin-left: -5px; }
+.list-inline > li {
+  float: left;
+  padding-left: 5px;
+  padding-right: 5px; }
+dl {
+  margin-top: 0;
+  margin-bottom: 20px; }
+dt,
+dd {
+  line-height: 1.428571429; }
+dt {
+  font-weight: bold; }
+dd {
+  margin-left: 0; }
+.dl-horizontal dd:before, .dl-horizontal dd:after {
+  content: " ";
+  display: table; }
+.dl-horizontal dd:after {
+  clear: both; }
+@media (min-width: 768px) {
+  .dl-horizontal dt {
+    float: left;
+    width: 160px;
+    clear: left;
+    text-align: right;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap;
+  }
+  .dl-horizontal dd {
+    margin-left: 180px;
+  }
+}
+
+abbr[title],
+abbr[data-original-title] {
+  cursor: help;
+  border-bottom: 1px dotted var(--stdborder); }
+.initialism {
+  font-size: 90%;
+  text-transform: uppercase; }
+blockquote {
+  padding: 10px 20px;
+  margin: 0 0 20px;
+  font-size: 17.5px;
+  border-left: 5px solid var(--stdborder); }
+blockquote p:last-child,
+blockquote ul:last-child,
+blockquote ol:last-child {
+  margin-bottom: 0; }
+blockquote footer,
+blockquote small,
+blockquote .small {
+  display: block;
+  font-size: 80%;
+  line-height: 1.428571429;
+  color: var(--pforemuted); }
+blockquote footer:before,
+blockquote small:before,
+blockquote .small:before {
+  content: "— "; }
+.blockquote-reverse,
+blockquote.pull-right {
+  padding-right: 15px;
+  padding-left: 0;
+  border-right: 5px solid var(--stdborder);
+  border-left: 0;
+  text-align: right; }
+.blockquote-reverse footer:before,
+.blockquote-reverse small:before,
+.blockquote-reverse .small:before,
+blockquote.pull-right footer:before,
+blockquote.pull-right small:before,
+blockquote.pull-right .small:before {
+  content: ""; }
+.blockquote-reverse footer:after,
+.blockquote-reverse small:after,
+.blockquote-reverse .small:after,
+blockquote.pull-right footer:after,
+blockquote.pull-right small:after,
+blockquote.pull-right .small:after {
+  content: " —"; }
+blockquote:before,
+blockquote:after {
+  content: ""; }
+address {
+  margin-bottom: 20px;
+  font-style: normal;
+  line-height: 1.428571429; }
+code,
+kbd,
+pre,
+samp {
+  font-family: Menlo, Monaco, Consolas, "Courier New", monospace; }
+code {
+  padding: 2px 4px;
+  font-size: 90%;
+  color: var(--warning);
+  background-color: var(--pbackinverse);
+  border-radius: 3px; }
+kbd {
+  padding: 2px 4px;
+  font-size: 90%;
+  color: var(--pfore); 
+  background-color: var(--pback);
+  border-radius: 3px;
+  box-shadow: inset 0 -1px 0 rgba(61, 61, 61, 0.25); }
+kbd kbd {
+  padding: 0;
+  font-size: 100%;
+  box-shadow: none; }
+pre {
+  display: block;
+  padding: 9.5;
+  margin: 0 0 10px;
+  font-size: 13px;
+  line-height: 1.428571429;
+  word-break: break-all;
+  word-wrap: break-word;
+  color: var(--contentboxfore);
+  background-color: var(--contentboxback);
+  border: inherit;
+  border-radius: 3px; }
+pre code {
+  padding: 0;
+  font-size: inherit;
+  color: inherit;
+  white-space: pre-wrap;
+  background-color: transparent;
+  border-radius: 0; }
+.pre-scrollable {
+  max-height: 340px;
+  overflow-y: scroll; }
+.container {
+  margin-right: auto;
+  margin-left: auto;
+  padding-left: 20px;
+  padding-right: 20px; }
+.container:before, .container:after {
+  content: " ";
+  display: table; }
+.container:after {
+  clear: both; }
+@media (min-width: 768px) {
+  .container {
+    width: 760px;
+  }
+}
+@media (min-width: 992px) {
+  .container {
+    width: 980px;
+  }
+}
+@media (min-width: 1200px) {
+  .container {
+    width: 1180px;
+  }
+}
+.container-fluid {
+  margin-right: auto;
+  margin-left: auto;
+  padding-left: 20px;
+  padding-right: 20px; }
+.container-fluid:before, .container-fluid:after {
+  content: " ";
+  display: table; }
+.container-fluid:after {
+  clear: both; }
+.row {
+  margin-left: -20px;
+  margin-right: -20px; }
+.row:before, .row:after {
+  content: " ";
+  display: table; }
+.row:after {
+  clear: both; }
+.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12 {
+  position: relative;
+  min-height: 1px;
+  padding-left: 20px;
+  padding-right: 20px; }
+.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12 {
+  float: left; }
+.col-xs-1 {
+  width: 8.3333333333%; }
+.col-xs-2 {
+  width: 16.6666666667%; }
+.col-xs-3 {
+  width: 25%; }
+.col-xs-4 {
+  width: 33.3333333333%; }
+.col-xs-5 {
+  width: 41.6666666667%; }
+.col-xs-6 {
+  width: 50%; }
+.col-xs-7 {
+  width: 58.3333333333%; }
+.col-xs-8 {
+  width: 66.6666666667%; }
+.col-xs-9 {
+  width: 75%; }
+.col-xs-10 {
+  width: 83.3333333333%; }
+.col-xs-11 {
+  width: 91.6666666667%; }
+.col-xs-12 {
+  width: 100%; }
+.col-xs-pull-0 {
+  right: auto; }
+.col-xs-pull-1 {
+  right: 8.3333333333%; }
+.col-xs-pull-2 {
+  right: 16.6666666667%; }
+.col-xs-pull-3 {
+  right: 25%; }
+.col-xs-pull-4 {
+  right: 33.3333333333%; }
+.col-xs-pull-5 {
+  right: 41.6666666667%; }
+.col-xs-pull-6 {
+  right: 50%; }
+.col-xs-pull-7 {
+  right: 58.3333333333%; }
+.col-xs-pull-8 {
+  right: 66.6666666667%; }
+.col-xs-pull-9 {
+  right: 75%; }
+.col-xs-pull-10 {
+  right: 83.3333333333%; }
+.col-xs-pull-11 {
+  right: 91.6666666667%; }
+.col-xs-pull-12 {
+  right: 100%; }
+.col-xs-push-0 {
+  left: auto; }
+.col-xs-push-1 {
+  left: 8.3333333333%; }
+.col-xs-push-2 {
+  left: 16.6666666667%; }
+.col-xs-push-3 {
+  left: 25%; }
+.col-xs-push-4 {
+  left: 33.3333333333%; }
+.col-xs-push-5 {
+  left: 41.6666666667%; }
+.col-xs-push-6 {
+  left: 50%; }
+.col-xs-push-7 {
+  left: 58.3333333333%; }
+.col-xs-push-8 {
+  left: 66.6666666667%; }
+.col-xs-push-9 {
+  left: 75%; }
+.col-xs-push-10 {
+  left: 83.3333333333%; }
+.col-xs-push-11 {
+  left: 91.6666666667%; }
+.col-xs-push-12 {
+  left: 100%; }
+.col-xs-offset-0 {
+  margin-left: 0%; }
+.col-xs-offset-1 {
+  margin-left: 8.3333333333%; }
+.col-xs-offset-2 {
+  margin-left: 16.6666666667%; }
+.col-xs-offset-3 {
+  margin-left: 25%; }
+.col-xs-offset-4 {
+  margin-left: 33.3333333333%; }
+.col-xs-offset-5 {
+  margin-left: 41.6666666667%; }
+.col-xs-offset-6 {
+  margin-left: 50%; }
+.col-xs-offset-7 {
+  margin-left: 58.3333333333%; }
+.col-xs-offset-8 {
+  margin-left: 66.6666666667%; }
+.col-xs-offset-9 {
+  margin-left: 75%; }
+.col-xs-offset-10 {
+  margin-left: 83.3333333333%; }
+.col-xs-offset-11 {
+  margin-left: 91.6666666667%; }
+.col-xs-offset-12 {
+  margin-left: 100%; }
+@media (min-width: 768px) {
+  .col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12 {
+    float: left;
+  }
+
+  .col-sm-1 {
+    width: 8.3333333333%;
+  }
+
+  .col-sm-2 {
+    width: 16.6666666667%;
+  }
+
+  .col-sm-3 {
+    width: 25%;
+  }
+
+  .col-sm-4 {
+    width: 33.3333333333%;
+  }
+
+  .col-sm-5 {
+    width: 41.6666666667%;
+  }
+
+  .col-sm-6 {
+    width: 50%;
+  }
+
+  .col-sm-7 {
+    width: 58.3333333333%;
+  }
+
+  .col-sm-8 {
+    width: 66.6666666667%;
+  }
+
+  .col-sm-9 {
+    width: 75%;
+  }
+
+  .col-sm-10 {
+    width: 83.3333333333%;
+  }
+
+  .col-sm-11 {
+    width: 91.6666666667%;
+  }
+
+  .col-sm-12 {
+    width: 100%;
+  }
+
+  .col-sm-pull-0 {
+    right: auto;
+  }
+
+  .col-sm-pull-1 {
+    right: 8.3333333333%;
+  }
+
+  .col-sm-pull-2 {
+    right: 16.6666666667%;
+  }
+
+  .col-sm-pull-3 {
+    right: 25%;
+  }
+
+  .col-sm-pull-4 {
+    right: 33.3333333333%;
+  }
+
+  .col-sm-pull-5 {
+    right: 41.6666666667%;
+  }
+
+  .col-sm-pull-6 {
+    right: 50%;
+  }
+
+  .col-sm-pull-7 {
+    right: 58.3333333333%;
+  }
+
+  .col-sm-pull-8 {
+    right: 66.6666666667%;
+  }
+
+  .col-sm-pull-9 {
+    right: 75%;
+  }
+
+  .col-sm-pull-10 {
+    right: 83.3333333333%;
+  }
+
+  .col-sm-pull-11 {
+    right: 91.6666666667%;
+  }
+
+  .col-sm-pull-12 {
+    right: 100%;
+  }
+
+  .col-sm-push-0 {
+    left: auto;
+  }
+
+  .col-sm-push-1 {
+    left: 8.3333333333%;
+  }
+
+  .col-sm-push-2 {
+    left: 16.6666666667%;
+  }
+
+  .col-sm-push-3 {
+    left: 25%;
+  }
+
+  .col-sm-push-4 {
+    left: 33.3333333333%;
+  }
+
+  .col-sm-push-5 {
+    left: 41.6666666667%;
+  }
+
+  .col-sm-push-6 {
+    left: 50%;
+  }
+
+  .col-sm-push-7 {
+    left: 58.3333333333%;
+  }
+
+  .col-sm-push-8 {
+    left: 66.6666666667%;
+  }
+
+  .col-sm-push-9 {
+    left: 75%;
+  }
+
+  .col-sm-push-10 {
+    left: 83.3333333333%;
+  }
+
+  .col-sm-push-11 {
+    left: 91.6666666667%;
+  }
+
+  .col-sm-push-12 {
+    left: 100%;
+  }
+
+  .col-sm-offset-0 {
+    margin-left: 0%;
+  }
+
+  .col-sm-offset-1 {
+    margin-left: 8.3333333333%;
+  }
+
+  .col-sm-offset-2 {
+    margin-left: 16.6666666667%;
+  }
+
+  .col-sm-offset-3 {
+    margin-left: 25%;
+  }
+
+  .col-sm-offset-4 {
+    margin-left: 33.3333333333%;
+  }
+
+  .col-sm-offset-5 {
+    margin-left: 41.6666666667%;
+  }
+
+  .col-sm-offset-6 {
+    margin-left: 50%;
+  }
+
+  .col-sm-offset-7 {
+    margin-left: 58.3333333333%;
+  }
+
+  .col-sm-offset-8 {
+    margin-left: 66.6666666667%;
+  }
+
+  .col-sm-offset-9 {
+    margin-left: 75%;
+  }
+
+  .col-sm-offset-10 {
+    margin-left: 83.3333333333%;
+  }
+
+  .col-sm-offset-11 {
+    margin-left: 91.6666666667%;
+  }
+
+  .col-sm-offset-12 {
+    margin-left: 100%;
+  }
+}
+@media (min-width: 992px) {
+  .col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12 {
+    float: left;
+  }
+
+  .col-md-1 {
+    width: 8.3333333333%;
+  }
+
+  .col-md-2 {
+    width: 16.6666666667%;
+  }
+
+  .col-md-3 {
+    width: 25%;
+  }
+
+  .col-md-4 {
+    width: 33.3333333333%;
+  }
+
+  .col-md-5 {
+    width: 41.6666666667%;
+  }
+
+  .col-md-6 {
+    width: 50%;
+  }
+
+  .col-md-7 {
+    width: 58.3333333333%;
+  }
+
+  .col-md-8 {
+    width: 66.6666666667%;
+  }
+
+  .col-md-9 {
+    width: 75%;
+  }
+
+  .col-md-10 {
+    width: 83.3333333333%;
+  }
+
+  .col-md-11 {
+    width: 91.6666666667%;
+  }
+
+  .col-md-12 {
+    width: 100%;
+  }
+
+  .col-md-pull-0 {
+    right: auto;
+  }
+
+  .col-md-pull-1 {
+    right: 8.3333333333%;
+  }
+
+  .col-md-pull-2 {
+    right: 16.6666666667%;
+  }
+
+  .col-md-pull-3 {
+    right: 25%;
+  }
+
+  .col-md-pull-4 {
+    right: 33.3333333333%;
+  }
+
+  .col-md-pull-5 {
+    right: 41.6666666667%;
+  }
+
+  .col-md-pull-6 {
+    right: 50%;
+  }
+
+  .col-md-pull-7 {
+    right: 58.3333333333%;
+  }
+
+  .col-md-pull-8 {
+    right: 66.6666666667%;
+  }
+
+  .col-md-pull-9 {
+    right: 75%;
+  }
+
+  .col-md-pull-10 {
+    right: 83.3333333333%;
+  }
+
+  .col-md-pull-11 {
+    right: 91.6666666667%;
+  }
+
+  .col-md-pull-12 {
+    right: 100%;
+  }
+
+  .col-md-push-0 {
+    left: auto;
+  }
+
+  .col-md-push-1 {
+    left: 8.3333333333%;
+  }
+
+  .col-md-push-2 {
+    left: 16.6666666667%;
+  }
+
+  .col-md-push-3 {
+    left: 25%;
+  }
+
+  .col-md-push-4 {
+    left: 33.3333333333%;
+  }
+
+  .col-md-push-5 {
+    left: 41.6666666667%;
+  }
+
+  .col-md-push-6 {
+    left: 50%;
+  }
+
+  .col-md-push-7 {
+    left: 58.3333333333%;
+  }
+
+  .col-md-push-8 {
+    left: 66.6666666667%;
+  }
+
+  .col-md-push-9 {
+    left: 75%;
+  }
+
+  .col-md-push-10 {
+    left: 83.3333333333%;
+  }
+
+  .col-md-push-11 {
+    left: 91.6666666667%;
+  }
+
+  .col-md-push-12 {
+    left: 100%;
+  }
+
+  .col-md-offset-0 {
+    margin-left: 0%;
+  }
+
+  .col-md-offset-1 {
+    margin-left: 8.3333333333%;
+  }
+
+  .col-md-offset-2 {
+    margin-left: 16.6666666667%;
+  }
+
+  .col-md-offset-3 {
+    margin-left: 25%;
+  }
+
+  .col-md-offset-4 {
+    margin-left: 33.3333333333%;
+  }
+
+  .col-md-offset-5 {
+    margin-left: 41.6666666667%;
+  }
+
+  .col-md-offset-6 {
+    margin-left: 50%;
+  }
+
+  .col-md-offset-7 {
+    margin-left: 58.3333333333%;
+  }
+
+  .col-md-offset-8 {
+    margin-left: 66.6666666667%;
+  }
+
+  .col-md-offset-9 {
+    margin-left: 75%;
+  }
+
+  .col-md-offset-10 {
+    margin-left: 83.3333333333%;
+  }
+
+  .col-md-offset-11 {
+    margin-left: 91.6666666667%;
+  }
+
+  .col-md-offset-12 {
+    margin-left: 100%;
+  }
+}
+@media (min-width: 1200px) {
+  .col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12 {
+    float: left;
+  }
+
+  .col-lg-1 {
+    width: 8.3333333333%;
+  }
+
+  .col-lg-2 {
+    width: 16.6666666667%;
+  }
+
+  .col-lg-3 {
+    width: 25%;
+  }
+
+  .col-lg-4 {
+    width: 33.3333333333%;
+  }
+
+  .col-lg-5 {
+    width: 41.6666666667%;
+  }
+
+  .col-lg-6 {
+    width: 50%;
+  }
+
+  .col-lg-7 {
+    width: 58.3333333333%;
+  }
+
+  .col-lg-8 {
+    width: 66.6666666667%;
+  }
+
+  .col-lg-9 {
+    width: 75%;
+  }
+
+  .col-lg-10 {
+    width: 83.3333333333%;
+  }
+
+  .col-lg-11 {
+    width: 91.6666666667%;
+  }
+
+  .col-lg-12 {
+    width: 100%;
+  }
+
+  .col-lg-pull-0 {
+    right: auto;
+  }
+
+  .col-lg-pull-1 {
+    right: 8.3333333333%;
+  }
+
+  .col-lg-pull-2 {
+    right: 16.6666666667%;
+  }
+
+  .col-lg-pull-3 {
+    right: 25%;
+  }
+
+  .col-lg-pull-4 {
+    right: 33.3333333333%;
+  }
+
+  .col-lg-pull-5 {
+    right: 41.6666666667%;
+  }
+
+  .col-lg-pull-6 {
+    right: 50%;
+  }
+
+  .col-lg-pull-7 {
+    right: 58.3333333333%;
+  }
+
+  .col-lg-pull-8 {
+    right: 66.6666666667%;
+  }
+
+  .col-lg-pull-9 {
+    right: 75%;
+  }
+
+  .col-lg-pull-10 {
+    right: 83.3333333333%;
+  }
+
+  .col-lg-pull-11 {
+    right: 91.6666666667%;
+  }
+
+  .col-lg-pull-12 {
+    right: 100%;
+  }
+
+  .col-lg-push-0 {
+    left: auto;
+  }
+
+  .col-lg-push-1 {
+    left: 8.3333333333%;
+  }
+
+  .col-lg-push-2 {
+    left: 16.6666666667%;
+  }
+
+  .col-lg-push-3 {
+    left: 25%;
+  }
+
+  .col-lg-push-4 {
+    left: 33.3333333333%;
+  }
+
+  .col-lg-push-5 {
+    left: 41.6666666667%;
+  }
+
+  .col-lg-push-6 {
+    left: 50%;
+  }
+
+  .col-lg-push-7 {
+    left: 58.3333333333%;
+  }
+
+  .col-lg-push-8 {
+    left: 66.6666666667%;
+  }
+
+  .col-lg-push-9 {
+    left: 75%;
+  }
+
+  .col-lg-push-10 {
+    left: 83.3333333333%;
+  }
+
+  .col-lg-push-11 {
+    left: 91.6666666667%;
+  }
+
+  .col-lg-push-12 {
+    left: 100%;
+  }
+
+  .col-lg-offset-0 {
+    margin-left: 0%;
+  }
+
+  .col-lg-offset-1 {
+    margin-left: 8.3333333333%;
+  }
+
+  .col-lg-offset-2 {
+    margin-left: 16.6666666667%;
+  }
+
+  .col-lg-offset-3 {
+    margin-left: 25%;
+  }
+
+  .col-lg-offset-4 {
+    margin-left: 33.3333333333%;
+  }
+
+  .col-lg-offset-5 {
+    margin-left: 41.6666666667%;
+  }
+
+  .col-lg-offset-6 {
+    margin-left: 50%;
+  }
+
+  .col-lg-offset-7 {
+    margin-left: 58.3333333333%;
+  }
+
+  .col-lg-offset-8 {
+    margin-left: 66.6666666667%;
+  }
+
+  .col-lg-offset-9 {
+    margin-left: 75%;
+  }
+
+  .col-lg-offset-10 {
+    margin-left: 83.3333333333%;
+  }
+
+  .col-lg-offset-11 {
+    margin-left: 91.6666666667%;
+  }
+
+  .col-lg-offset-12 {
+    margin-left: 100%;
+  }
+}
+table {
+  background-color: var(--tableback);
+  color: var(--tablelegend);
+}
+th {
+  text-align: left; }
+.table {
+  width: 100%;
+  max-width: 100%;
+  margin-bottom: 20px;
+  border: 1px  var(--tableborder);
+  border-radius: 4px; }
+.table > thead > tr > th,
+.table > thead > tr > td,
+.table > tbody > tr > th,
+.table > tbody > tr > td,
+.table > tfoot > tr > th,
+.table > tfoot > tr > td {
+  padding: 10px 0px 10px 20px;
+  line-height: 1.428571429;
+  vertical-align: top;
+  border-top: 1px solid var(--tableborder);
+  border-radius: 4px; }
+.table > thead > tr > th {
+  border-bottom: 1px solid var(--tableborder);
+  vertical-align: bottom; }
+.table > caption + thead > tr:first-child > th,
+.table > caption + thead > tr:first-child > td,
+.table > colgroup + thead > tr:first-child > th, 
+.table > colgroup + thead > tr:first-child > td,
+.table > thead:first-child > tr:first-child > th,
+.table > thead:first-child > tr:first-child > td {
+  color: var(--tableheadfore);  /* textcolor table headline */
+  border-top: 0;
+  font-family: "SourceSansProSemibold";
+  font-weight: normal; }
+.table > tbody + tbody {
+  border-top: 2px solid var(--tableborder);
+}
+.table .table {
+  background-color: var(--tabletableback); /* background tableheadline */
+}
+.table-condensed > thead > tr > th,
+.table-condensed > thead > tr > td,
+.table-condensed > tbody > tr > th,
+.table-condensed > tbody > tr > td,
+.table-condensed > tfoot > tr > th,
+.table-condensed > tfoot > tr > td {
+  padding: 5px; }
+.table-bordered {
+  border: 1px solid var(--txtboxborder);
+  border-radius: 4px; }
+.table-bordered > thead > tr > th,
+.table-bordered > thead > tr > td,
+.table-bordered > tbody > tr > th,
+.table-bordered > tbody > tr > td,
+.table-bordered > tfoot > tr > th,
+.table-bordered > tfoot > tr > td {
+  border: 1px solid var(--tableborder); }
+.table-bordered > thead > tr > th,
+.table-bordered > thead > tr > td {
+  border-bottom-width: 2px; }
+.table-striped > tbody > tr:nth-child(odd) > td,
+.table-striped > tbody > tr:nth-child(odd) > th {
+  background-color: var(--tablestripeback); }
+.table-hover > tbody > tr:hover > td,
+.table-hover > tbody > tr:hover > th {
+}
+table col[class*=col-] {
+  position: static;
+  float: none;
+  display: table-column; }
+table td[class*=col-],
+table th[class*=col-] {
+  position: static;
+  float: none;
+  display: table-cell; }
+.table > thead > tr > td.active,
+.table > thead > tr > th.active, .table > thead > tr.active > td, .table > thead > tr.active > th,
+.table > tbody > tr > td.active,
+.table > tbody > tr > th.active,
+.table > tbody > tr.active > td,
+.table > tbody > tr.active > th,
+.table > tfoot > tr > td.active,
+.table > tfoot > tr > th.active,
+.table > tfoot > tr.active > td,
+.table > tfoot > tr.active > th {
+  background-color: var(--tableback); }
+.table-hover > tbody > tr > td.active:hover,
+.table-hover > tbody > tr > th.active:hover, .table-hover > tbody > tr.active:hover > td, .table-hover > tbody > tr:hover > .active, .table-hover > tbody > tr.active:hover > th {
+  background-color: var(--tableback); }
+.table > thead > tr > td.success,
+.table > thead > tr > th.success, .table > thead > tr.success > td, .table > thead > tr.success > th,
+.table > tbody > tr > td.success,
+.table > tbody > tr > th.success,
+.table > tbody > tr.success > td,
+.table > tbody > tr.success > th,
+.table > tfoot > tr > td.success,
+.table > tfoot > tr > th.success,
+.table > tfoot > tr.success > td,
+.table > tfoot > tr.success > th {
+  background-color: var(--success); }
+.table-hover > tbody > tr > td.success:hover,
+.table-hover > tbody > tr > th.success:hover, .table-hover > tbody > tr.success:hover > td, .table-hover > tbody > tr:hover > .success, .table-hover > tbody > tr.success:hover > th
+{
+  background-color: var(--successhover);
+}
+.table > thead > tr > td.info,
+.table > thead > tr > th.info, .table > thead > tr.info > td, .table > thead > tr.info > th,
+.table > tbody > tr > td.info,
+.table > tbody > tr > th.info,
+.table > tbody > tr.info > td,
+.table > tbody > tr.info > th,
+.table > tfoot > tr > td.info,
+.table > tfoot > tr > th.info,
+.table > tfoot > tr.info > td,
+.table > tfoot > tr.info > th {
+  background-color: var(--info); }
+.table-hover > tbody > tr > td.info:hover,
+.table-hover > tbody > tr > th.info:hover, .table-hover > tbody > tr.info:hover > td, .table-hover > tbody > tr:hover > .info, .table-hover > tbody > tr.info:hover > th {
+  background-color: var(infohover); }
+.table > thead > tr > td.warning,
+.table > thead > tr > th.warning, .table > thead > tr.warning > td, .table > thead > tr.warning > th,
+.table > tbody > tr > td.warning,
+.table > tbody > tr > th.warning,
+.table > tbody > tr.warning > td,
+.table > tbody > tr.warning > th,
+.table > tfoot > tr > td.warning,
+.table > tfoot > tr > th.warning,
+.table > tfoot > tr.warning > td,
+.table > tfoot > tr.warning > th {
+  background-color: var(--warning); }
+.table-hover > tbody > tr > td.warning:hover,
+.table-hover > tbody > tr > th.warning:hover, .table-hover > tbody > tr.warning:hover > td, .table-hover > tbody > tr:hover > .warning, .table-hover > tbody > tr.warning:hover > th {
+  background-color: var(--warninghover); }
+.table > thead > tr > td.danger,
+.table > thead > tr > th.danger, .table > thead > tr.danger > td, .table > thead > tr.danger > th,
+.table > tbody > tr > td.danger,
+.table > tbody > tr > th.danger,
+.table > tbody > tr.danger > td,
+.table > tbody > tr.danger > th,
+.table > tfoot > tr > td.danger,
+.table > tfoot > tr > th.danger,
+.table > tfoot > tr.danger > td,
+.table > tfoot > tr.danger > th {
+  background-color: var(--danger); }
+.table-hover > tbody > tr > td.danger:hover,
+.table-hover > tbody > tr > th.danger:hover, .table-hover > tbody > tr.danger:hover > td, .table-hover > tbody > tr:hover > .danger, .table-hover > tbody > tr.danger:hover > th
+{
+    background-color: var(--dangerhover);
+}
+@media screen and (max-width: 767px) {
+  .table-responsive {
+    width: 100%;
+    margin-bottom: 15px;
+    overflow-y: hidden;
+    overflow-x: auto;
+    -ms-overflow-style: -ms-autohiding-scrollbar;
+    /*     border: 1px solid $table-border-color; */
+    -webkit-overflow-scrolling: touch;
+  }
+  .table-responsive > .table {
+    margin-bottom: 0;
+  }
+  .table-responsive > .table > thead > tr > th,
+.table-responsive > .table > thead > tr > td,
+.table-responsive > .table > tbody > tr > th,
+.table-responsive > .table > tbody > tr > td,
+.table-responsive > .table > tfoot > tr > th,
+.table-responsive > .table > tfoot > tr > td {
+    white-space: nowrap;
+  }
+  .table-responsive > .table-bordered {
+    border: 0;
+  }
+  .table-responsive > .table-bordered > thead > tr > th:first-child,
+.table-responsive > .table-bordered > thead > tr > td:first-child,
+.table-responsive > .table-bordered > tbody > tr > th:first-child,
+.table-responsive > .table-bordered > tbody > tr > td:first-child,
+.table-responsive > .table-bordered > tfoot > tr > th:first-child,
+.table-responsive > .table-bordered > tfoot > tr > td:first-child {
+    border-left: 0;
+  }
+  .table-responsive > .table-bordered > thead > tr > th:last-child,
+.table-responsive > .table-bordered > thead > tr > td:last-child,
+.table-responsive > .table-bordered > tbody > tr > th:last-child,
+.table-responsive > .table-bordered > tbody > tr > td:last-child,
+.table-responsive > .table-bordered > tfoot > tr > th:last-child,
+.table-responsive > .table-bordered > tfoot > tr > td:last-child {
+    border-right: 0;
+  }
+  .table-responsive > .table-bordered > tbody > tr:last-child > th,
+.table-responsive > .table-bordered > tbody > tr:last-child > td,
+.table-responsive > .table-bordered > tfoot > tr:last-child > th,
+.table-responsive > .table-bordered > tfoot > tr:last-child > td {
+    border-bottom: 0;
+  }
+}
+fieldset {
+  padding: 0;
+  margin: 0;
+  border: 0;
+  min-width: 0; }
+legend {
+  display: block;
+  width: 100%;
+  padding: 0;
+  margin-bottom: 20px;
+  font-size: 21px;
+  line-height: inherit;
+  color: var(--pfore);
+  border: 0;
+  border-bottom: 1px solid var(--stdborder); }
+label {
+  display: inline-block;
+  max-width: 100%;
+  margin-bottom: 5px;
+  font-weight: normal; }
+input[type=search] {
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  box-sizing: border-box; }
+input[type=radio],
+input[type=checkbox] {
+  margin: 4px 0 0;
+  margin-top: 1px \9 ;
+  line-height: normal; }
+input[type=file] {
+  display: block; }
+input[type=range] {
+  display: block;
+  width: 100%; }
+select[multiple],
+select[size] {
+  height: auto; }
+input[type=file]:focus,
+input[type=radio]:focus,
+input[type=checkbox]:focus {
+  outline: none;
+  outline: 5px auto -webkit-focus-ring-color;
+  outline-offset: -2px; }
+output {
+  display: block;
+  padding-top: 7px;
+  font-size: 14px;
+  line-height: 1.428571429;
+  color: var(--badgeback); }
+input:-internal-autofill-previewed,
+input:-internal-autofill-selected,
+textarea:-internal-autofill-previewed,
+textarea:-internal-autofill-selected,
+select:-internal-autofill-previewed,
+select:-internal-autofill-selected {
+  background-color: var(--txtboxbackactive) !important;
+  border: 1px solid var(--txtboxborder) !important;
+  background-image: none !important;
+  color: var(--txtboxforeactive) !important; }
+select, /* Eingabefeld */
+textarea,
+input[type=text],
+input[type=password],
+input[type=datetime],
+input[type=datetime-local],
+input[type=date],
+input[type=month],
+input[type=time],
+input[type=week],
+input[type=number],
+input[type=email],
+input[type=url],
+input[type=search],
+input[type=tel],
+input[type=color] {
+  display: block;
+  width: 100%;
+  height: 34px;
+  padding: 6px 12px;
+  font-size: 14px;
+  line-height: 1.428571429;
+  color: var(--txtboxfore);
+  background-color: var(--txtboxback); 
+  background-image: none;
+  border: 1px solid var(--txtboxborder);
+  border-radius: 3px;
+  text-overflow: ellipsis;
+  max-width: 348px;
+  -webkit-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+  -o-transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s;
+  transition: border-color ease-in-out 0.1s, box-shadow ease-in-out 0.1s; }
+  select:hover, /* Eingabefeld drüberstreichen */
+  textarea:hover,
+  input[type="text"]:hover,
+  input[type="password"]:hover,
+  input[type="datetime"]:hover,
+  input[type="datetime-local"]:hover,
+  input[type="date"]:hover,
+  input[type="month"]:hover,
+  input[type="time"]:hover,
+  input[type="week"]:hover,
+  input[type="number"]:hover,
+  input[type="email"]:hover,
+  input[type="url"]:hover,
+  input[type="search"]:hover,
+  input[type="tel"]:hover,
+  input[type="color"]:hover
+   {
+  color: var(--txtboxfore);
+  background-color: var(--txtboxback);
+  border: 1px solid var(--txtboxborderhover);
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+select:focus, /* Eingabefeld aktiviert */
+textarea:focus,
+input[type=text]:focus,
+input[type=password]:focus,
+input[type=datetime]:focus,
+input[type=datetime-local]:focus,
+input[type=date]:focus,
+input[type=month]:focus,
+input[type=time]:focus,
+input[type=week]:focus,
+input[type=number]:focus,
+input[type=email]:focus,
+input[type=url]:focus,
+input[type=search]:focus,
+input[type=tel]:focus,
+input[type=color]:focus {
+  border-color: var(--txtboxborderactive);
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+select::-moz-placeholder,
+textarea::-moz-placeholder,
+input[type=text]::-moz-placeholder,
+input[type=password]::-moz-placeholder,
+input[type=datetime]::-moz-placeholder,
+input[type=datetime-local]::-moz-placeholder,
+input[type=date]::-moz-placeholder,
+input[type=month]::-moz-placeholder,
+input[type=time]::-moz-placeholder,
+input[type=week]::-moz-placeholder,
+input[type=number]::-moz-placeholder,
+input[type=email]::-moz-placeholder,
+input[type=url]::-moz-placeholder,
+input[type=search]::-moz-placeholder,
+input[type=tel]::-moz-placeholder,
+input[type=color]::-moz-placeholder {
+  color: var(--txtboxforeplaceholder); }
+select:-ms-input-placeholder,
+textarea:-ms-input-placeholder,
+input[type=text]:-ms-input-placeholder,
+input[type=password]:-ms-input-placeholder,
+input[type=datetime]:-ms-input-placeholder,
+input[type=datetime-local]:-ms-input-placeholder,
+input[type=date]:-ms-input-placeholder,
+input[type=month]:-ms-input-placeholder,
+input[type=time]:-ms-input-placeholder,
+input[type=week]:-ms-input-placeholder,
+input[type=number]:-ms-input-placeholder,
+input[type=email]:-ms-input-placeholder,
+input[type=url]:-ms-input-placeholder,
+input[type=search]:-ms-input-placeholder,
+input[type=tel]:-ms-input-placeholder,
+input[type=color]:-ms-input-placeholder {
+  color: var(--txtboxforeplaceholder); }
+select::-webkit-input-placeholder,
+textarea::-webkit-input-placeholder,
+input[type=text]::-webkit-input-placeholder,
+input[type=password]::-webkit-input-placeholder,
+input[type=datetime]::-webkit-input-placeholder,
+input[type=datetime-local]::-webkit-input-placeholder,
+input[type=date]::-webkit-input-placeholder,
+input[type=month]::-webkit-input-placeholder,
+input[type=time]::-webkit-input-placeholder,
+input[type=week]::-webkit-input-placeholder,
+input[type=number]::-webkit-input-placeholder,
+input[type=email]::-webkit-input-placeholder,
+input[type=url]::-webkit-input-placeholder,
+input[type=search]::-webkit-input-placeholder,
+input[type=tel]::-webkit-input-placeholder,
+input[type=color]::-webkit-input-placeholder {
+  color: var(--txtboxforeplaceholder); }
+select[disabled], select[readonly], fieldset[disabled] select,
+textarea[disabled],
+textarea[readonly],
+fieldset[disabled] textarea,
+input[type=text][disabled],
+input[type=text][readonly],
+fieldset[disabled] input[type=text],
+input[type=password][disabled],
+input[type=password][readonly],
+fieldset[disabled] input[type=password],
+input[type=datetime][disabled],
+input[type=datetime][readonly],
+fieldset[disabled] input[type=datetime],
+input[type=datetime-local][disabled],
+input[type=datetime-local][readonly],
+fieldset[disabled] input[type=datetime-local],
+input[type=date][disabled],
+input[type=date][readonly],
+fieldset[disabled] input[type=date],
+input[type=month][disabled],
+input[type=month][readonly],
+fieldset[disabled] input[type=month],
+input[type=time][disabled],
+input[type=time][readonly],
+fieldset[disabled] input[type=time],
+input[type=week][disabled],
+input[type=week][readonly],
+fieldset[disabled] input[type=week],
+input[type=number][disabled],
+input[type=number][readonly],
+fieldset[disabled] input[type=number],
+input[type=email][disabled],
+input[type=email][readonly],
+fieldset[disabled] input[type=email],
+input[type=url][disabled],
+input[type=url][readonly],
+fieldset[disabled] input[type=url],
+input[type=search][disabled],
+input[type=search][readonly],
+fieldset[disabled] input[type=search],
+input[type=tel][disabled],
+input[type=tel][readonly],
+fieldset[disabled] input[type=tel],
+input[type=color][disabled],
+input[type=color][readonly],
+fieldset[disabled] input[type=color] {
+  cursor: not-allowed;
+  color: var(--txtboxforedisabled) !important;
+  background-color: var(--txtboxbackdisabled) !important;
+  border-color: var(--txtboxborderdisabled); }
+textarea {
+  height: auto; }
+input[type=search] {
+  -webkit-appearance: none; }
+input[type=date],
+input[type=time],
+input[type=datetime-local],
+input[type=month] {
+  line-height: 34px;
+  line-height: 1.428571429 \0 ; }
+input[type=date].input-sm, .input-group-sm > input[type=date].form-control,
+.input-group-sm > input[type=date].input-group-addon,
+.input-group-sm > .input-group-btn > input[type=date].btn, .form-horizontal .form-group-sm input[type=date].form-control,
+input[type=time].input-sm,
+.input-group-sm > input[type=time].form-control,
+.input-group-sm > input[type=time].input-group-addon,
+.input-group-sm > .input-group-btn > input[type=time].btn,
+.form-horizontal .form-group-sm input[type=time].form-control,
+input[type=datetime-local].input-sm,
+.input-group-sm > input[type=datetime-local].form-control,
+.input-group-sm > input[type=datetime-local].input-group-addon,
+.input-group-sm > .input-group-btn > input[type=datetime-local].btn,
+.form-horizontal .form-group-sm input[type=datetime-local].form-control,
+input[type=month].input-sm,
+.input-group-sm > input[type=month].form-control,
+.input-group-sm > input[type=month].input-group-addon,
+.input-group-sm > .input-group-btn > input[type=month].btn,
+.form-horizontal .form-group-sm input[type=month].form-control {
+  line-height: 30px; }
+input[type=date].input-lg, .input-group-lg > input[type=date].form-control,
+.input-group-lg > input[type=date].input-group-addon,
+.input-group-lg > .input-group-btn > input[type=date].btn, .form-horizontal .form-group-lg input[type=date].form-control,
+input[type=time].input-lg,
+.input-group-lg > input[type=time].form-control,
+.input-group-lg > input[type=time].input-group-addon,
+.input-group-lg > .input-group-btn > input[type=time].btn,
+.form-horizontal .form-group-lg input[type=time].form-control,
+input[type=datetime-local].input-lg,
+.input-group-lg > input[type=datetime-local].form-control,
+.input-group-lg > input[type=datetime-local].input-group-addon,
+.input-group-lg > .input-group-btn > input[type=datetime-local].btn,
+.form-horizontal .form-group-lg input[type=datetime-local].form-control,
+input[type=month].input-lg,
+.input-group-lg > input[type=month].form-control,
+.input-group-lg > input[type=month].input-group-addon,
+.input-group-lg > .input-group-btn > input[type=month].btn,
+.form-horizontal .form-group-lg input[type=month].form-control {
+  line-height: 46px; }
+.form-group {
+  margin-bottom: 15px; }
+.radio,
+.checkbox {
+  position: relative;
+  display: block;
+  min-height: 20px;
+  margin-top: 10px;
+  margin-bottom: 10px; }
+.radio label,
+.checkbox label {
+  padding-left: 20px;
+  margin-bottom: 0;
+  font-weight: normal;
+  cursor: pointer; }
+.radio input[type=radio],
+.radio-inline input[type=radio],
+.checkbox input[type=checkbox],
+.checkbox-inline input[type=checkbox] {
+  position: absolute;
+  margin-left: -20px;
+  margin-top: 4px \9 ; }
+.radio + .radio,
+.checkbox + .checkbox {
+  margin-top: -5px; }
+.radio-inline,
+.checkbox-inline {
+  display: inline-block;
+  padding-left: 20px;
+  margin-bottom: 0;
+  vertical-align: middle;
+  font-weight: normal;
+  cursor: pointer; }
+.radio-inline + .radio-inline,
+.checkbox-inline + .checkbox-inline {
+  margin-top: 0;
+  margin-left: 10px; }
+input[type=radio][disabled], input[type=radio].disabled, fieldset[disabled] input[type=radio],
+input[type=checkbox][disabled],
+input[type=checkbox].disabled,
+fieldset[disabled] input[type=checkbox] {
+  cursor: not-allowed; }
+.radio-inline.disabled, fieldset[disabled] .radio-inline,
+.checkbox-inline.disabled,
+fieldset[disabled] .checkbox-inline {
+  cursor: not-allowed; }
+.radio.disabled label, fieldset[disabled] .radio label,
+.checkbox.disabled label,
+fieldset[disabled] .checkbox label {
+  cursor: not-allowed; }
+.form-control-static {
+  padding-top: 7px;
+  padding-bottom: 7px;
+  margin-bottom: 0; }
+.form-control-static.input-lg, .input-group-lg > .form-control-static.form-control,
+.input-group-lg > .form-control-static.input-group-addon,
+.input-group-lg > .input-group-btn > .form-control-static.btn, .form-horizontal .form-group-lg .form-control-static.form-control, .form-control-static.input-sm, .input-group-sm > .form-control-static.form-control,
+.input-group-sm > .form-control-static.input-group-addon,
+.input-group-sm > .input-group-btn > .form-control-static.btn, .form-horizontal .form-group-sm .form-control-static.form-control {
+  padding-left: 0;
+  padding-right: 0; }
+.input-sm, .input-group-sm > .form-control,
+.input-group-sm > .input-group-addon,
+.input-group-sm > .input-group-btn > .btn, .form-horizontal .form-group-sm .form-control {
+  height: 30px;
+  padding: 5px 10px;
+  font-size: 12px;
+  line-height: 1.5;
+  border-radius: 3px; }
+select.input-sm, .input-group-sm > select.form-control,
+.input-group-sm > select.input-group-addon,
+.input-group-sm > .input-group-btn > select.btn, .form-horizontal .form-group-sm select.form-control {
+  height: 30px;
+  line-height: 30px; }
+textarea.input-sm, .input-group-sm > textarea.form-control,
+.input-group-sm > textarea.input-group-addon,
+.input-group-sm > .input-group-btn > textarea.btn, .form-horizontal .form-group-sm textarea.form-control,
+select[multiple].input-sm,
+.input-group-sm > select[multiple].form-control,
+.input-group-sm > select[multiple].input-group-addon,
+.input-group-sm > .input-group-btn > select[multiple].btn,
+.form-horizontal .form-group-sm select[multiple].form-control {
+  height: auto; }
+.input-lg, .input-group-lg > .form-control,
+.input-group-lg > .input-group-addon,
+.input-group-lg > .input-group-btn > .btn, .form-horizontal .form-group-lg .form-control {
+  height: 46px;
+  padding: 10px 16px;
+  font-size: 18px;
+  line-height: 1.33;
+  border-radius: 6px; }
+select.input-lg, .input-group-lg > select.form-control,
+.input-group-lg > select.input-group-addon,
+.input-group-lg > .input-group-btn > select.btn, .form-horizontal .form-group-lg select.form-control {
+  height: 46px;
+  line-height: 46px; }
+textarea.input-lg, .input-group-lg > textarea.form-control,
+.input-group-lg > textarea.input-group-addon,
+.input-group-lg > .input-group-btn > textarea.btn, .form-horizontal .form-group-lg textarea.form-control,
+select[multiple].input-lg,
+.input-group-lg > select[multiple].form-control,
+.input-group-lg > select[multiple].input-group-addon,
+.input-group-lg > .input-group-btn > select[multiple].btn,
+.form-horizontal .form-group-lg select[multiple].form-control {
+  height: auto; }
+.has-feedback {
+  position: relative; }
+.has-feedback .form-control {
+  padding-right: 42.5px; }
+.form-control-feedback {
+  position: absolute;
+  top: 25px;
+  right: 0;
+  z-index: 2;
+  display: block;
+  width: 34px;
+  height: 34px;
+  line-height: 34px;
+  text-align: center; }
+.input-lg + .form-control-feedback, .input-group-lg > .form-control + .form-control-feedback,
+.input-group-lg > .input-group-addon + .form-control-feedback,
+.input-group-lg > .input-group-btn > .btn + .form-control-feedback, .form-horizontal .form-group-lg .form-control + .form-control-feedback {
+  width: 46px;
+  height: 46px;
+  line-height: 46px; }
+.input-sm + .form-control-feedback, .input-group-sm > .form-control + .form-control-feedback,
+.input-group-sm > .input-group-addon + .form-control-feedback,
+.input-group-sm > .input-group-btn > .btn + .form-control-feedback, .form-horizontal .form-group-sm .form-control + .form-control-feedback {
+  width: 30px;
+  height: 30px;
+  line-height: 30px; }
+.has-success .help-block,
+.has-success .control-label,
+.has-success .radio,
+.has-success .checkbox,
+.has-success .radio-inline,
+.has-success .checkbox-inline {
+  color: var(--success); }
+.has-success .form-control {
+  border-color: var(--success);
+  -webkit-box-shadow: var(--boxshadow);
+  box-shadow: var(--boxshadow); }
+.has-success .form-control:focus {
+  border-color: var(--successhover);
+  -webkit-box-shadow: var(--boxshadow), 0 0 6px var(--successhover);
+  box-shadow: var(--boxshadow), 0 0 6px var(--successhover); }
+.has-success .input-group-addon {
+  color: var(--pfore);
+  border-color: var(--success);
+  background-color: var(--success); }
+.has-success .form-control-feedback {
+  color: var(--pforehover); }
+.has-warning .help-block,
+.has-warning .control-label,
+.has-warning .radio,
+.has-warning .checkbox,
+.has-warning .radio-inline,
+.has-warning .checkbox-inline {
+  color: var(--warning); }
+.has-warning .form-control {
+  border-color: var(--warning);
+  -webkit-box-shadow: var(--boxshadow);
+  box-shadow: var(--boxshadow); }
+.has-warning .form-control:focus {
+  border-color: var(--warninghover);
+  -webkit-box-shadow: var(--boxshadow), 0 0 6px var(--warninghover);
+  box-shadow: var(--boxshadow), 0 0 6px var(--warninghover); }
+.has-warning .input-group-addon {
+  color: var(--pfore);
+  border-color: var(--warning);
+  background-color: var(--warning); }
+.has-warning .form-control-feedback {
+  color: var(--pforehover); }
+.has-error .help-block,
+.has-error .control-label,
+.has-error .radio,
+.has-error .checkbox,
+.has-error .radio-inline,
+.has-error .checkbox-inline {
+  color: var(--danger); }
+.has-error .form-control {
+  border-color: var(--danger);
+  -webkit-box-shadow: var(--boxshadow);
+  box-shadow: var(--boxshadow); }
+.has-error .form-control:focus {
+  border-color: var(--dangerhover);
+  -webkit-box-shadow: var(--boxshadow), 0 0 6px var(--dangerhover);
+  box-shadow: var(--boxshadow), 0 0 6px var(--dangerhover); }
+.has-error .input-group-addon {
+  color: var(--pfore);
+  border-color: var(--danger);
+  background-color: var(--danger); }
+.has-error .form-control-feedback {
+  color: var(--pforehover); }
+.has-feedback label.sr-only ~ .form-control-feedback {
+  top: 0; }
+.help-block {
+  display: block;
+  margin-top: 5px;
+  margin-bottom: 10px;
+  color: var(--badgeback); }
+@media (min-width: 768px) {
+  .form-inline .form-group, .navbar-form .form-group {
+    display: inline-block;
+    margin-bottom: 0;
+    vertical-align: middle;
+  }
+  .form-inline .form-control, .navbar-form .form-control {
+    display: inline-block;
+    width: auto;
+    vertical-align: middle;
+  }
+  .form-inline .input-group, .navbar-form .input-group {
+    display: inline-table;
+    vertical-align: middle;
+  }
+  .form-inline .input-group .input-group-addon, .navbar-form .input-group .input-group-addon,
+.form-inline .input-group .input-group-btn,
+.navbar-form .input-group .input-group-btn,
+.form-inline .input-group .form-control,
+.navbar-form .input-group .form-control {
+    width: auto;
+  }
+  .form-inline .input-group > .form-control, .navbar-form .input-group > .form-control {
+    width: 100%;
+  }
+  .form-inline .control-label, .navbar-form .control-label {
+    margin-bottom: 0;
+    vertical-align: middle;
+  }
+  .form-inline .radio, .navbar-form .radio,
+.form-inline .checkbox,
+.navbar-form .checkbox {
+    display: inline-block;
+    margin-top: 0;
+    margin-bottom: 0;
+    vertical-align: middle;
+  }
+  .form-inline .radio label, .navbar-form .radio label,
+.form-inline .checkbox label,
+.navbar-form .checkbox label {
+    padding-left: 0;
+  }
+  .form-inline .radio input[type=radio], .navbar-form .radio input[type=radio],
+.form-inline .checkbox input[type=checkbox],
+.navbar-form .checkbox input[type=checkbox] {
+    position: relative;
+    margin-left: 0;
+  }
+  .form-inline .has-feedback .form-control-feedback, .navbar-form .has-feedback .form-control-feedback {
+    top: 0;
+  }
+}
+.form-horizontal .radio,
+.form-horizontal .checkbox,
+.form-horizontal .radio-inline,
+.form-horizontal .checkbox-inline {
+  margin-top: 0;
+  margin-bottom: 0;
+  padding-top: 7px; }
+.form-horizontal .radio,
+.form-horizontal .checkbox {
+  min-height: 27px; }
+.form-horizontal .form-group {
+  margin-left: -20px;
+  margin-right: -20px; }
+.form-horizontal .form-group:before, .form-horizontal .form-group:after {
+  content: " ";
+  display: table; }
+.form-horizontal .form-group:after {
+  clear: both; }
+@media (min-width: 768px) {
+  .form-horizontal .control-label {
+    text-align: right;
+    margin-bottom: 0;
+    padding-top: 7px;
+  }
+}
+.form-horizontal .has-feedback control-feedback {
+  top: 0;
+  right: 20px; }
+@media (min-width: 768px) {
+  .form-horizontal .form-group-lg .control-label {
+    padding-top: 14.3px;
+  }
+}
+@media (min-width: 768px) {
+  .form-horizontal .form-group-sm .control-label {
+    padding-top: 6px;
+  }
+}
+.btn {
+  display: inline-block;
+  margin-bottom: 0;
+  font-weight: normal;
+  text-align: center;
+  vertical-align: middle;
+  cursor: pointer;
+  background-image: none;
+  border: 1px solid transparent;
+  white-space: nowrap;
+  padding: 6px 12px;
+  font-size: 14px;
+  line-height: 1.428571429;
+  border-radius: 3px;
+  -webkit-user-select: none;
+  -moz-user-select: none;
+  -ms-user-select: none;
+  user-select: none;
+  color: var(--btnfore);
+  background-color: var(--btnback);
+  border-color: var(--btnborder);
+}
+.btn:hover, .btn:focus, .btn:active, .btn.active, .open > .btn.dropdown-toggle {
+  color: var(--btnforehover);
+  background-color: var(--btnbackhover);
+  border-color: var(--btnborderhover);
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+.btn:active, .btn.active, .open > .btn.dropdown-toggle {
+  color: var(--btnforeactive);
+  background-color: var(--btnbackactive);
+  border-color: var(--btnborderactive);
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+.btn.disabled, .btn.disabled:hover, .btn.disabled:focus, .btn.disabled:active, .btn.disabled.active, .btn[disabled], .btn[disabled]:hover, .btn[disabled]:focus, .btn[disabled]:active, .btn[disabled].active, fieldset[disabled] .btn, fieldset[disabled] .btn:hover, fieldset[disabled] .btn:focus, fieldset[disabled] .btn:active, fieldset[disabled] .btn.active {
+  color: var(--btnforedisabled);
+  background-color: var(--btnbackdisabled); }
+.btn .badge {
+  color: var(--btnforebadge);
+  background-color: var(--btnbackbadge);
+  border-color: var(--btnborderbadge); }
+.btn:focus, .btn:active:focus, .btn.active:focus {
+  outline: thin dotted;
+  outline: 5px auto -webkit-focus-ring-color;
+  outline-offset: -2px; }
+.btn:hover, .btn:focus {
+  color: var(--btnforehover);
+  background-color: var(--btnbackhover);
+  border-color: var(--btnborderhover);
+  text-decoration: none;
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), 0 0 4px var(--btnshadow2); }}
+.btn:active, .btn.active {
+  color: var(--btnforeactive);
+  background-color: var(--btnbackactive);
+  border-color: var(--btnborderactive);
+  outline: 0;
+  -webkit-box-shadow: inset 0 3px 5px var(--rgb50);
+  box-shadow: inset 0 3px 5px var(--rgb50);
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); } }
+.btn.disabled, .btn[disabled], fieldset[disabled] .btn {
+  color: var(--btnforedisabled);
+  background-color: var(--btnbackdisabled);
+  border-color: var(--btnborderdisabled);
+  cursor: not-allowed;
+  pointer-events: none;
+  opacity: 0.65;
+  filter: alpha(opacity=65);
+  -webkit-box-shadow: none;
+  box-shadow: none; }
+.btn-default {
+  color: var(--dfbtnfore);
+  background-color: var(--dfbtnback);
+  border-color: var(--dfbtnborder); }
+.btn-default:hover, .btn-default:focus, .btn-default:active, .btn-default.active, .open > .btn-default.dropdown-toggle {
+  color: var(--dfbtnforehover);
+  background-color: var(--dfbtnbackhover);
+  border-color: var(--dfbtnborderhover);
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+.btn-default:active, .btn-default.active, .open > .btn-default.dropdown-toggle {
+  color: var(--dfbtnforeactive);
+  background-color: var(--dfbtnbackactive);
+  border-color: var(--dfbtnborderactive);
+  background-image: none; 
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+.btn-default.disabled, .btn-default.disabled:hover, .btn-default.disabled:focus, .btn-default.disabled:active, .btn-default.disabled.active, .btn-default[disabled], .btn-default[disabled]:hover, .btn-default[disabled]:focus, .btn-default[disabled]:active, .btn-default[disabled].active, fieldset[disabled] .btn-default, fieldset[disabled] .btn-default:hover, fieldset[disabled] .btn-default:focus, fieldset[disabled] .btn-default:active, fieldset[disabled] .btn-default.active {
+  color: var(--dfbtnforedisabled);
+  background-color: var(--dfbtnbackdisabled);
+  border-color: var(--dfbtnborderdisabled); }
+.btn-default .badge {
+  color: var(--dfbtnforebadge);
+  background-color: var(--dfbtnbackbadge);
+  border-color: var(--dfbtnborderbadge); }
+.btn-primary {
+  color: var(--pbtnfore);
+  background-color: var(--pbtnback);
+  border-color: var(--pbtnborder); }
+.btn-primary:hover, .btn-primary:focus, .btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
+  color: var(--pbtnforehover);
+  background-color: var(--pbtnbackhover);
+  border-color: var(--pbtnborderhover);
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+.btn-primary:active, .btn-primary.active, .open > .btn-primary.dropdown-toggle {
+  color: var(--pbtnforeactive);
+  background-color: var(--pbtnbackactive);
+  border-color: var(--pbtnborderactive);
+  background-image: none;
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+.btn-primary.disabled, .btn-primary.disabled:hover, .btn-primary.disabled:focus, .btn-primary.disabled:active, .btn-primary.disabled.active, .btn-primary[disabled], .btn-primary[disabled]:hover, .btn-primary[disabled]:focus, .btn-primary[disabled]:active, .btn-primary[disabled].active, fieldset[disabled] .btn-primary, fieldset[disabled] .btn-primary:hover, fieldset[disabled] .btn-primary:focus, fieldset[disabled] .btn-primary:active, fieldset[disabled] .btn-primary.active {
+  color: var(--pbtnforedisabled);
+  background-color: var(--pbtnbackdisabled);
+  border-color: var(--pbtnborderdisabled); }
+.btn-primary .badge {
+  color: var(--pbtnforebadge);
+  background-color: var(--pbtnbackbadge);
+  border-color: var(--pbtnborderbadge); }
+.btn-success {
+  color: var(--sbtnfore);
+  background-color: var(--sbtnback);
+  border-color: var(--sbtnborder); }
+.btn-success:hover, .btn-success:focus, .btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
+  color: var(--sbtnforehover);
+  background-color: var(--sbtnbackhover);
+  border-color: var(--sbtnborderhover); }
+.btn-success:active, .btn-success.active, .open > .btn-success.dropdown-toggle {
+  color: var(--sbtnforeactive);
+  background-color: var(--sbtnbackactive);
+  border-color: var(--sbtnborderactive); }
+  background-image: none; }
+.btn-success.disabled, .btn-success.disabled:hover, .btn-success.disabled:focus, .btn-success.disabled:active, .btn-success.disabled.active, .btn-success[disabled], .btn-success[disabled]:hover, .btn-success[disabled]:focus, .btn-success[disabled]:active, .btn-success[disabled].active, fieldset[disabled] .btn-success, fieldset[disabled] .btn-success:hover, fieldset[disabled] .btn-success:focus, fieldset[disabled] .btn-success:active, fieldset[disabled] .btn-success.active {
+  color: var(--sbtnforedisabled);
+  background-color: var(--sbtnbackdisabled);
+  border-color: var(--sbtnborderdisabled); }
+.btn-success .badge {
+  color: var(--sbtnforebadge);
+  background-color: var(--sbtnbackbadge);
+  border-color: var(--sbtnborderbadge); }
+.btn-info {
+  color: var(--ibtnfore);
+  background-color: var(--ibtnback);
+  border-color: var(--ibtnborder); }
+.btn-info:hover, .btn-info:focus, .btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
+  color: var(--ibtnforehover);
+  background-color: var(--ibtnbackhover);
+  border-color: var(--ibtnborderhover); }
+.btn-info:active, .btn-info.active, .open > .btn-info.dropdown-toggle {
+  color: var(--ibtnactive);
+  background-color: var(--ibtnbackactive);
+  border-color: var(--ibtnborderactive); }
+  background-image: none; }
+.btn-info.disabled, .btn-info.disabled:hover, .btn-info.disabled:focus, .btn-info.disabled:active, .btn-info.disabled.active, .btn-info[disabled], .btn-info[disabled]:hover, .btn-info[disabled]:focus, .btn-info[disabled]:active, .btn-info[disabled].active, fieldset[disabled] .btn-info, fieldset[disabled] .btn-info:hover, fieldset[disabled] .btn-info:focus, fieldset[disabled] .btn-info:active, fieldset[disabled] .btn-info.active {
+  color: var(--ibtnforedisabled);
+  background-color: var(--ibtnbackdisabled);
+  border-color: var(--ibtnborderdisabled); }
+.btn-info .badge {
+  color: var(--ibtnbadge);
+  background-color: var(--ibtnbackbadge);
+  border-color: var(--ibtnborderbadge); }
+.btn-warning {
+  color: var(--wbtnfore);
+  background-color: var(--wbtnback);
+  border-color: var(--wbtnborder); }
+.btn-warning:hover, .btn-warning:focus, .btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
+  color: var(--wbtnforehover);
+  background-color: var(--wbtnbackhover);
+  border-color: var(--wbtnborderhover); }
+.btn-warning:active, .btn-warning.active, .open > .btn-warning.dropdown-toggle {
+  color: var(--wbtnactive);
+  background-color: var(--wbtnbackactive);
+  border-color: var(--wbtnborderactive);
+  background-image: none; }
+.btn-warning.disabled, .btn-warning.disabled:hover, .btn-warning.disabled:focus, .btn-warning.disabled:active, .btn-warning.disabled.active, .btn-warning[disabled], .btn-warning[disabled]:hover, .btn-warning[disabled]:focus, .btn-warning[disabled]:active, .btn-warning[disabled].active, fieldset[disabled] .btn-warning, fieldset[disabled] .btn-warning:hover, fieldset[disabled] .btn-warning:focus, fieldset[disabled] .btn-warning:active, fieldset[disabled] .btn-warning.active {
+  color: var(--wbtndisabled);
+  background-color: var(--wbtnbackdisabled);
+  border-color: var(--wbtnborderdisabled); }
+.btn-warning .badge {
+  color: var(--wbtnbadge);
+  background-color: var(--wbtnbackbadge);
+  border-color: var(--wbtnborderbadge); }
+.btn-danger {
+  color: var(--dbtnfore);
+  background-color: var(--dbtnback);
+  border-color: var(--dbtnborder); }
+.btn-danger:hover, .btn-danger:focus, .btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
+  color: var(--dbtnforehover);
+  background-color: var(--dbtnbackhover);
+  border-color: var(--dbtnborderhover); }
+.btn-danger:active, .btn-danger.active, .open > .btn-danger.dropdown-toggle {
+  color: var(--dbtnactive);
+  background-color: var(--dbtnbackactive);
+  border-color: var(--dbtnborderactive); }
+  background-image: none; }
+.btn-danger.disabled, .btn-danger.disabled:hover, .btn-danger.disabled:focus, .btn-danger.disabled:active, .btn-danger.disabled.active, .btn-danger[disabled], .btn-danger[disabled]:hover, .btn-danger[disabled]:focus, .btn-danger[disabled]:active, .btn-danger[disabled].active, fieldset[disabled] .btn-danger, fieldset[disabled] .btn-danger:hover, fieldset[disabled] .btn-danger:focus, fieldset[disabled] .btn-danger:active, fieldset[disabled] .btn-danger.active {
+  color: var(--dbtndisabled);
+  background-color: var(--dbtnbackdisabled);
+  border-color: var(--dbtnborderdisabled); }
+.btn-danger .badge {
+  color: var(--dbtnbadge);
+  background-color: var(--dbtnbackbadge);
+  border-color: var(--dbtnborderbadge); }
+.btn-link {
+  color: var(--lbtnfore);
+  background-color: var(--lbtnback);
+  border-color: var(--lbtnborder);
+  font-weight: normal;
+  cursor: pointer;
+  border-radius: 0; }
+.btn-link, .btn-link:active, .btn-link[disabled], fieldset[disabled] .btn-link {
+  color: var(--lbtnactive);
+  background-color: var(--lbtnbackactive);
+  border-color: var(--lbtnborderactive);
+  -webkit-box-shadow: none;
+  box-shadow: none; }
+.btn-link, .btn-link:hover, .btn-link:focus, .btn-link:active {
+  border-color: transparent; }
+.btn-link:hover, .btn-link:focus {
+  color: var(--lbtnforehover);
+  background-color: var(--lbtnbackhover);
+  border-color: var(--lbtnborderhover);
+  text-decoration: underline;
+  background-color: transparent; }
+.btn-link[disabled]:hover, .btn-link[disabled]:focus, fieldset[disabled] .btn-link:hover, fieldset[disabled] .btn-link:focus {
+  color: var(--lbtnforedisabled);
+  background-color: var(--lbtnbackdisabled);
+  border-color: var(--lbtnborderdisabled);
+  text-decoration: none;
+ }
+.btn-lg, .btn-group-lg > .btn {
+  padding: 10px 16px;
+  font-size: 18px;
+  line-height: 1.33;
+  border-radius: 6px; }
+.btn-sm, .btn-group-sm > .btn {
+  padding: 5px 10px;
+  font-size: 12px;
+  line-height: 1.5;
+  border-radius: 3px; }
+.btn-xs, .btn-group-xs > .btn {
+  padding: 1px 5px;
+  font-size: 12px;
+  line-height: 1.5;
+  border-radius: 3px; }
+.btn-block {
+  display: block;
+  width: 100%; }
+.btn-block + .btn-block {
+  margin-top: 5px; }
+input[type=submit].btn-block,
+input[type=reset].btn-block,
+input[type=button].btn-block {
+  width: 100%; }
+.fade {
+  opacity: 0;
+  -webkit-transition: opacity 0.15s linear;
+  -o-transition: opacity 0.15s linear;
+  transition: opacity 0.15s linear; }
+.fade.in {
+  opacity: 1; }
+.collapse {
+  display: none; }
+.collapse.in {
+  display: block; }
+tr.collapse.in {
+  display: table-row; }
+tbody.collapse.in {
+  display: table-row-group; }
+.collapsing {
+  position: relative;
+  height: 0;
+  overflow: hidden;
+  -webkit-transition: height 0.35s ease;
+  -o-transition: height 0.35s ease;
+  transition: height 0.35s ease; }
+.caret {
+  display: inline-block;
+  width: 0;
+  height: 0;
+  margin-left: 2px;
+  vertical-align: middle;
+  border-top: 4px solid;
+  border-right: 4px solid transparent;
+  border-left: 4px solid transparent; }
+.dropdown {
+  position: relative; }
+.dropdown-toggle:focus {
+  outline: 0; }
+.dropdown-menu { /* Listenfeld Liste*/
+  position: absolute;
+  top: 100%;
+  left: 0;
+  z-index: 1000;
+  display: none;
+  float: left;
+  min-width: 160px;
+  padding: 5px 0;
+  margin: 2px 0 0;
+  list-style: none;
+  font-size: 14px;
+  text-align: left;
+  color: var(--txtboxfore);
+  background-color: var(--txtboxback); 
+  border: 1px solid var(--txtboxborder);
+  background-clip: padding-box; }
+.dropdown-menu.pull-right {
+  right: 0;
+  left: auto; }
+.dropdown-menu .divider {
+  height: 1px;
+  margin: 0px 0;
+  overflow: hidden;
+  background-color: var(--txtboxactive); }
+.dropdown-menu > li > a {
+  display: block;
+  padding: 3px 20px;
+  clear: both;
+  font-weight: normal;
+  line-height: 1.428571429;
+  color: var(--txtboxforeinverse);
+  white-space: nowrap;  }
+
+.dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus { /* Listenfeld Liste drüberstreichen */
+  text-decoration: none;
+  color: var(--txtboxforehover);
+  background-color: var(--txtboxbackhover); 
+  border: 1px solid var(--txtboxborderhover);
+}
+
+.dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus { /*Listenfeld Liste atkiviert */
+  color: var(--txtboxforeactive); 
+  background-color: var(--txtboxbackactive);
+  border-color: var(--txtboxborderactive); 
+  text-decoration: none;
+  outline: 0;
+}
+.dropdown-menu > .disabled > a, .dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
+  color: var(--txtboxforedisabled); }
+.dropdown-menu > .disabled > a:hover, .dropdown-menu > .disabled > a:focus {
+  text-decoration: none;
+  background-color: transparent;
+  background-image: none;
+  filter: progid:DXImageTransform.Microsoft.gradient(enabled = false);
+  cursor: not-allowed; }
+.open > .dropdown-menu {
+  display: block; }
+.open > a {
+  outline: 0; }
+.dropdown-menu-right {
+  left: auto;
+  right: 0; }
+.dropdown-menu-left {
+  left: 0;
+  right: auto; }
+.dropdown-header {
+  display: block;
+  padding: 3px 20px;
+  font-size: 12px;
+  line-height: 1.428571429;
+  color: var(--badgeback);
+  white-space: nowrap; }
+.dropdown-backdrop {
+  position: fixed;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  top: 0;
+  z-index: 990; }
+.pull-right > .dropdown-menu {
+  right: 0;
+  left: auto; }
+.dropup .caret,
+.navbar-fixed-bottom .dropdown .caret {
+  border-top: 0;
+  border-bottom: 4px solid;
+  content: ""; }
+.dropup .dropdown-menu,
+.navbar-fixed-bottom .dropdown .dropdown-menu {
+  top: auto;
+  bottom: 100%;
+  margin-bottom: 1px; }
+@media (min-width: 768px) {
+  .navbar-right .dropdown-menu {
+    right: 0;
+    left: auto;
+  }
+  .navbar-right .dropdown-menu-left {
+    left: 0;
+    right: auto;
+  }
+}
+.btn-group,
+.btn-group-vertical {
+  position: relative;
+  display: inline-block;
+  vertical-align: middle; }
+.btn-group > .btn,
+.btn-group-vertical > .btn {
+  position: relative;
+  float: left; }
+.btn-group > .btn:hover, .btn-group > .btn:focus, .btn-group > .btn:active, .btn-group > .btn.active,
+.btn-group-vertical > .btn:hover,
+.btn-group-vertical > .btn:focus,
+.btn-group-vertical > .btn:active,
+.btn-group-vertical > .btn.active {
+  z-index: 2; }
+.btn-group > .btn:focus,
+.btn-group-vertical > .btn:focus {
+  outline: 0; }
+.btn-group .btn + .btn,
+.btn-group .btn + .btn-group,
+.btn-group .btn-group + .btn,
+.btn-group .btn-group + .btn-group {
+  margin-left: -1px; }
+.btn-toolbar {
+  margin-left: -5px; }
+.btn-toolbar:before, .btn-toolbar:after {
+  content: " ";
+  display: table; }
+.btn-toolbar:after {
+  clear: both; }
+.btn-toolbar .btn-group,
+.btn-toolbar .input-group {
+  float: left; }
+.btn-toolbar > .btn,
+.btn-toolbar > .btn-group,
+.btn-toolbar > .input-group {
+  margin-left: 5px; }
+.btn-group > .btn:not(:first-child):not(:last-child):not(.dropdown-toggle) {
+  border-radius: 0; }
+.btn-group > .btn:first-child {
+  margin-left: 0; }
+.btn-group > .btn:first-child:not(:last-child):not(.dropdown-toggle) {
+  border-bottom-right-radius: 0;
+  border-top-right-radius: 0; }
+.btn-group > .btn:last-child:not(:first-child),
+.btn-group > .dropdown-toggle:not(:first-child) {
+  border-bottom-left-radius: 0;
+  border-top-left-radius: 0; }
+.btn-group > .btn-group {
+  float: left; }
+.btn-group > .btn-group:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0; }
+.btn-group > .btn-group:first-child > .btn:last-child,
+.btn-group > .btn-group:first-child > .dropdown-toggle {
+  border-bottom-right-radius: 0;
+  border-top-right-radius: 0; }
+.btn-group > .btn-group:last-child > .btn:first-child {
+  border-bottom-left-radius: 0;
+  border-top-left-radius: 0; }
+.btn-group .dropdown-toggle:active,
+.btn-group.open .dropdown-toggle {
+  outline: 0; 
+  color: var(--dfbtnfore);
+  background-color: var(--dfbtnback); }
+ 
+.btn-group > .btn + .dropdown-toggle {
+  padding-left: 8px;
+  padding-right: 8px; }
+.btn-group > .btn-lg + .dropdown-toggle, .btn-group-lg.btn-group > .btn + .dropdown-toggle {
+  padding-left: 12px;
+  padding-right: 12px; }
+.btn-group.open .dropdown-toggle {
+  -webkit-box-shadow: inset 0 3px 5px var(--rgb50);
+  box-shadow: inset 0 3px 5px var(--rgb50); }
+.btn-group.open .dropdown-toggle.btn-link {
+  -webkit-box-shadow: none;
+  box-shadow: none; }
+.btn .caret {
+  margin-left: 0; }
+.btn-lg .caret, .btn-group-lg > .btn .caret {
+  border-width: 5px 5px 0;
+  border-bottom-width: 0; }
+.dropup .btn-lg .caret, .dropup .btn-group-lg > .btn .caret {
+  border-width: 0 5px 5px; }
+.btn-group-vertical > .btn,
+.btn-group-vertical > .btn-group,
+.btn-group-vertical > .btn-group > .btn {
+  display: block;
+  float: none;
+  width: 100%;
+  max-width: 100%; }
+.btn-group-vertical > .btn-group:before, .btn-group-vertical > .btn-group:after {
+  content: " ";
+  display: table; }
+.btn-group-vertical > .btn-group:after {
+  clear: both; }
+.btn-group-vertical > .btn-group > .btn {
+  float: none; }
+.btn-group-vertical > .btn + .btn,
+.btn-group-vertical > .btn + .btn-group,
+.btn-group-vertical > .btn-group + .btn,
+.btn-group-vertical > .btn-group + .btn-group {
+  margin-top: -1px;
+  margin-left: 0; }
+.btn-group-vertical > .btn:not(:first-child):not(:last-child) {
+  border-radius: 0; }
+.btn-group-vertical > .btn:first-child:not(:last-child) {
+  border-top-right-radius: 3px;
+  border-bottom-right-radius: 0;
+  border-bottom-left-radius: 0; }
+.btn-group-vertical > .btn:last-child:not(:first-child) {
+  border-bottom-left-radius: 3px;
+  border-top-right-radius: 0;
+  border-top-left-radius: 0; }
+.btn-group-vertical > .btn-group:not(:first-child):not(:last-child) > .btn {
+  border-radius: 0; }
+.btn-group-vertical > .btn-group:first-child:not(:last-child) > .btn:last-child,
+.btn-group-vertical > .btn-group:first-child:not(:last-child) > .dropdown-toggle {
+  border-bottom-right-radius: 0;
+  border-bottom-left-radius: 0; }
+.btn-group-vertical > .btn-group:last-child:not(:first-child) > .btn:first-child {
+  border-top-right-radius: 0;
+  border-top-left-radius: 0; }
+.btn-group-justified {
+  display: table;
+  width: 100%;
+  table-layout: fixed;
+  border-collapse: separate; }
+.btn-group-justified > .btn,
+.btn-group-justified > .btn-group {
+  float: none;
+  display: table-cell;
+  width: 1%; }
+.btn-group-justified > .btn-group .btn {
+  width: 100%; }
+.btn-group-justified > .btn-group .dropdown-menu {
+  left: auto; }
+[data-toggle=buttons] > .btn > input[type=radio],
+[data-toggle=buttons] > .btn > input[type=checkbox] {
+  position: absolute;
+  z-index: -1;
+  opacity: 0;
+  filter: alpha(opacity=0); }
+.input-group {
+  position: relative;
+  display: table;
+  border-collapse: separate; }
+.input-group[class*=col-] {
+  float: none;
+  padding-left: 0;
+  padding-right: 0; }
+.input-group .form-control {
+  position: relative;
+  z-index: 2;
+  float: left;
+  width: 100%;
+  margin-bottom: 0; }
+.input-group-addon,
+.input-group-btn,
+.input-group .form-control {
+  display: table-cell; }
+.input-group-addon:not(:first-child):not(:last-child),
+.input-group-btn:not(:first-child):not(:last-child),
+.input-group .form-control:not(:first-child):not(:last-child) {
+  border-radius: 0; }
+.input-group-addon,
+.input-group-btn {
+  width: 1%;
+  white-space: nowrap;
+  vertical-align: middle; }
+.input-group-addon {
+  padding: 6px 12px;
+  font-size: 14px;
+  font-weight: normal;
+  line-height: 1;
+  color: var(--pagefore);
+  text-align: center;
+  background-color: transparent;
+  border: 1px solid var(--pageborder);
+  border-top-left-radius: 3px;
+  border-bottom-left-radius: 3px; }
+.input-group-addon.input-sm, .form-horizontal .form-group-sm .input-group-addon.form-control,
+.input-group-sm > .input-group-addon,
+.input-group-sm > .input-group-btn > .input-group-addon.btn {
+  padding: 5px 10px;
+  font-size: 12px;
+  border-radius: 3px; }
+.input-group-addon.input-lg, .form-horizontal .form-group-lg .input-group-addon.form-control,
+.input-group-lg > .input-group-addon,
+.input-group-lg > .input-group-btn > .input-group-addon.btn {
+  padding: 10px 16px;
+  font-size: 18px;
+  border-radius: 6px; }
+.input-group-addon input[type=radio],
+.input-group-addon input[type=checkbox] {
+  margin-top: 0; }
+.input-group .form-control:first-child,
+.input-group-addon:first-child,
+.input-group-btn:first-child > .btn,
+.input-group-btn:first-child > .btn-group > .btn,
+.input-group-btn:first-child > .dropdown-toggle,
+.input-group-btn:last-child > .btn:not(:last-child):not(.dropdown-toggle),
+.input-group-btn:last-child > .btn-group:not(:last-child) > .btn {
+  border-bottom-right-radius: 0;
+  border-top-right-radius: 0; }
+.input-group-addon:first-child {
+  border-right: 0; }
+.input-group .form-control:last-child,
+.input-group-addon:last-child,
+.input-group-btn:last-child > .btn,
+.input-group-btn:last-child > .btn-group > .btn,
+.input-group-btn:last-child > .dropdown-toggle,
+.input-group-btn:first-child > .btn:not(:first-child),
+.input-group-btn:first-child > .btn-group:not(:first-child) > .btn {
+  border-bottom-left-radius: 0;
+  border-top-left-radius: 0; }
+.input-group-addon:last-child {
+  border-left: 0; }
+.input-group-btn {
+  position: relative;
+  font-size: 0;
+  white-space: nowrap; }
+.input-group-btn > .btn {
+  position: relative; }
+.input-group-btn > .btn + .btn {
+  margin-left: -1px; }
+.input-group-btn > .btn:hover, .input-group-btn > .btn:focus, .input-group-btn > .btn:active {
+  z-index: 2; }
+.input-group-btn:first-child > .btn,
+.input-group-btn:first-child > .btn-group {
+  margin-right: -1px; }
+.input-group-btn:last-child > .btn,
+.input-group-btn:last-child > .btn-group {
+  margin-left: -1px; }
+.nav {
+  margin-bottom: 0;
+  padding-left: 0;
+  list-style: none; }
+.nav:before, .nav:after {
+  content: " ";
+  display: table; }
+.nav:after {
+  clear: both; }
+.nav > li {
+  position: relative;
+  display: block; }
+.nav > li > a {
+  position: relative;
+  display: block;
+  padding: 10px 15px; }
+.nav > li > a:hover, .nav > li > a:focus {
+  text-decoration: none;
+  background-color: var(--pbackhover); }
+.nav > li.disabled > a {
+  color: var(--pforemuted); }
+    .nav > li.disabled > a:hover, .nav > li.disabled > a:focus
+    {
+        color: var(--pforemuted);
+        text-decoration: none;
+        background-color: transparent;
+        cursor: not-allowed;
+    }
+.nav .open > a, .nav .open > a:hover, .nav .open > a:focus {
+  background-color: var(--sback);
+  border-color: var(--primary); }
+.nav .nav-divider {
+  height: 1px;
+  margin: 9px 0;
+  overflow: hidden;
+  background-color: var(--stdborder); }
+.nav > li > a > img {
+  max-width: none; }
+.nav-tabs {
+  margin-right: 1px;
+  border-bottom: 1px solid var(--stdborder); }
+.nav-tabs > li {
+  float: left;
+  margin-bottom: -1px; }
+.nav-tabs > li > a {
+  margin-right: 2px;
+  line-height: 1.428571429;
+  border: 1px solid transparent;
+  border-radius: 3px 3px 0 0; }
+    .nav-tabs > li > a:hover
+    {
+        border-color: var(--stdborderaccent), var(--stdborderaccent), var(--stdborderaccent);
+    }
+    .nav-tabs > li.active > a, .nav-tabs > li.active > a:hover, .nav-tabs > li.active > a:focus
+    {
+        color: var(--txtboxfore);
+        background-color: var(--txtboxback);
+        border: 1px solid var(--txtboxborder);
+        border-bottom-color: transparent;
+        cursor: default;
+    }
+.nav-pills > li {
+  float: left; }
+.nav-pills > li > a {
+  border-radius: 0; }
+.nav-pills > li.active > a, .nav-pills > li.active > a:hover, .nav-pills > li.active > a:focus {
+  color: var(--pfore); 
+  background-color: var(--primary); }
+.nav-stacked > li {
+  float: none; }
+.nav-stacked > li + li {
+  margin-top: 2px;
+  margin-left: 0; }
+.nav-justified, .nav-tabs.nav-justified {
+  width: 100%; }
+.nav-justified > li, .nav-tabs.nav-justified > li {
+  float: none; }
+.nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+  text-align: left;
+  margin-bottom: 5px; }
+.nav-justified > .dropdown .dropdown-menu {
+  top: auto;
+  left: auto; }
+@media (min-width: 768px) {
+  .nav-justified > li, .nav-tabs.nav-justified > li {
+    display: table-cell;
+    width: 1%;
+  }
+  .nav-justified > li > a, .nav-tabs.nav-justified > li > a {
+    margin-bottom: 0;
+  }
+}
+
+.nav-tabs-justified, .nav-tabs.nav-justified {
+  border-bottom: 0; }
+.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+  margin-right: 0;
+  border-radius: 3px; }
+.nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
+.nav-tabs-justified > .active > a:hover,
+.nav-tabs-justified > .active > a:focus {
+  border: 1px solid var(--stdborder); }
+@media (min-width: 768px) {
+  .nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+    border-bottom: 1px solid var(--stdborder);
+    border-radius: 3px 3px 0 0;
+  }
+  .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
+.nav-tabs-justified > .active > a:hover,
+.nav-tabs-justified > .active > a:focus {
+    border-bottom-color: var(--stdborderfore); 
+  }
+}
+
+.tab-content > .tab-pane {
+  display: none; }
+.tab-content > .active {
+  display: block; }
+.nav-tabs .dropdown-menu {
+  margin-top: -1px;
+  border-top-right-radius: 0;
+  border-top-left-radius: 0; }
+.navbar {
+  position: relative;
+  min-height: 50px;
+  margin-bottom: 0;
+  border: 1px solid transparent; }
+.navbar:before, .navbar:after {
+  content: " ";
+  display: table; }
+.navbar:after {
+  clear: both; }
+@media (min-width: 768px) {
+  .navbar {
+    border-radius: 0;
+  }
+}
+
+.navbar-header:before, .navbar-header:after {
+  content: " ";
+  display: table; }
+.navbar-header:after {
+  clear: both; }
+@media (min-width: 768px) {
+  .navbar-header {
+    float: left;
+  }
+}
+
+.navbar-collapse {
+  overflow-x: visible;
+  padding-right: 20px;
+  padding-left: 20px;
+  border-top: 1px solid transparent;
+  box-shadow: inset 0 1px 0 var(--boxshadow);
+  -webkit-overflow-scrolling: touch; }
+.navbar-collapse:before, .navbar-collapse:after {
+  content: " ";
+  display: table; }
+.navbar-collapse:after {
+  clear: both; }
+.navbar-collapse.in {
+  overflow-y: auto; }
+@media (min-width: 768px) {
+  .navbar-collapse {
+    width: auto;
+    border-top: 0;
+    box-shadow: none;
+  }
+  .navbar-collapse.collapse {
+    display: block !important;
+    height: auto !important;
+    padding-bottom: 0;
+    overflow: visible !important;
+  }
+  .navbar-collapse.in {
+    overflow-y: visible;
+  }
+  .navbar-fixed-top .navbar-collapse, .navbar-static-top .navbar-collapse, .navbar-fixed-bottom .navbar-collapse {
+    padding-left: 0;
+    padding-right: 0;
+  }
+}
+
+.navbar-fixed-top .navbar-collapse,
+.navbar-fixed-bottom .navbar-collapse {
+  max-height: 340px; }
+@media (max-width: 480px) and (orientation: landscape) {
+  .navbar-fixed-top .navbar-collapse,
+.navbar-fixed-bottom .navbar-collapse {
+    max-height: 200px;
+  }
+}
+
+.container > .navbar-header,
+.container > .navbar-collapse,
+.container-fluid > .navbar-header,
+.container-fluid > .navbar-collapse {
+  margin-right: -20px;
+  margin-left: -20px; }
+@media (min-width: 768px) {
+  .container > .navbar-header,
+.container > .navbar-collapse,
+.container-fluid > .navbar-header,
+.container-fluid > .navbar-collapse {
+    margin-right: 0;
+    margin-left: 0;
+  }
+}
+
+.navbar-static-top {
+  z-index: 1000;
+  border-width: 0 0 1px; }
+@media (min-width: 768px) {
+  .navbar-static-top {
+    border-radius: 0;
+  }
+}
+
+.navbar-fixed-top,
+.navbar-fixed-bottom {
+  position: fixed;
+  right: 0;
+  left: 0;
+  z-index: 1030;
+  -webkit-transform: translate3d(255, 255, 255);
+  transform: translate3d(255, 255, 255); }
+@media (min-width: 768px) {
+  .navbar-fixed-top,
+.navbar-fixed-bottom {
+    border-radius: 0;
+  }
+}
+
+.navbar-fixed-top {
+  top: 0;
+  border-width: 0 0 1px; }
+.navbar-fixed-bottom {
+  bottom: 0;
+  margin-bottom: 0;
+  border-width: 1px 0 0; }
+.navbar-brand {
+  float: left;
+  padding: 15px 20px;
+  font-size: 18px;
+  height: 50px; }
+.navbar-brand:hover, .navbar-brand:focus {
+  text-decoration: none; }
+@media (min-width: 768px) {
+  .navbar > .container .navbar-brand, .navbar > .container-fluid .navbar-brand {
+    margin-left: -20px;
+  }
+}
+
+.navbar-toggle {
+  position: relative;
+  float: left;
+  margin-right: 20px;
+  padding: 9px 10px;
+  margin-top: 8px;
+  margin-bottom: 8px;
+  background-color: transparent;
+  background-image: none;
+  border: 1px solid transparent;
+  border-radius: 3px; }
+.navbar-toggle:focus {
+  outline: 0; }
+.navbar-toggle .icon-bar {
+  display: block;
+  width: 22px;
+  height: 2px;
+  border-radius: 1px; 
+  }
+.navbar-toggle .icon-bar + .icon-bar {
+  margin-top: 4px; }
+@media (min-width: 768px) {
+  .navbar-toggle {
+    display: none;
+  }
+}
+
+.navbar-nav {
+  margin: 7.5px -20px; }
+.navbar-nav > li > a {
+  padding-top: 10px;
+  padding-bottom: 10px;
+  line-height: 20px; }
+@media (max-width: 767px) {
+  .navbar-nav .open .dropdown-menu {
+    position: static;
+    float: none;
+    width: auto;
+    margin-top: 0;
+    background-color: transparent;
+    border: 0;
+    box-shadow: none;
+  }
+  .navbar-nav .open .dropdown-menu > li > a,
+.navbar-nav .open .dropdown-menu .dropdown-header {
+    padding: 5px 15px 5px 25px;
+  }
+  .navbar-nav .open .dropdown-menu > li > a {
+    line-height: 20px;
+  }
+  .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-nav .open .dropdown-menu > li > a:focus {
+    background-image: none;
+  }
+}
+@media (min-width: 768px) {
+  .navbar-nav {
+    float: left;
+    margin: 0;
+  }
+  .navbar-nav > li {
+    float: left;
+  }
+  .navbar-nav > li > a {
+    padding-top: 15px;
+    padding-bottom: 15px;
+  }
+  .navbar-nav.navbar-right:last-child {
+    margin-right: -20px;
+  }
+}
+
+@media (min-width: 768px) {
+  .navbar-left {
+    float: left !important;
+  }
+
+  .navbar-right {
+    float: right !important;
+}
+}
+.navbar-form {
+  margin-left: -20px;
+  margin-right: -20px;
+  padding: 10px 0px;
+  border-top: 1px solid transparent;
+  border-bottom: 1px solid transparent;
+  -webkit-box-shadow: inset 0 1px 0 var(--boxshadow), 0 1px 0 var(--boxshadow);
+  box-shadow: inset 0 1px 0 var(--boxshadow), 0 1px 0 var(--boxshadow);
+  margin-top: 8px;
+  margin-bottom: 8px; }
+@media (max-width: 767px) {
+  .navbar-form .form-group {
+    margin-bottom: 5px;
+  }
+}
+@media (min-width: 768px) {
+  .navbar-form {
+    width: auto;
+    border: 0;
+    margin-left: 0;
+    margin-right: 0;
+    padding-top: 0;
+    padding-bottom: 0;
+    -webkit-box-shadow: none;
+    box-shadow: none;
+  }
+  .navbar-form.navbar-right:last-child {
+    margin-right: -20px;
+  }
+}
+
+.navbar-nav > li > .dropdown-menu {
+  margin-top: 0;
+  border-top-right-radius: 0;
+  border-top-left-radius: 0; }
+.navbar-fixed-bottom .navbar-nav > li > .dropdown-menu {
+  border-bottom-right-radius: 0;
+  border-bottom-left-radius: 0; }
+.navbar-btn {
+  margin-top: 8px;
+  margin-bottom: 8px; }
+.navbar-btn.btn-sm, .btn-group-sm > .navbar-btn.btn {
+  margin-top: 10px;
+  margin-bottom: 10px; }
+.navbar-btn.btn-xs, .btn-group-xs > .navbar-btn.btn {
+  margin-top: 14px;
+  margin-bottom: 14px; }
+.navbar-text {
+  margin-top: 15px;
+  margin-bottom: 15px; }
+@media (min-width: 768px) {
+  .navbar-text {
+    float: left;
+    margin-left: 20px;
+    margin-right: 20px;
+  }
+  .navbar-text.navbar-right:last-child {
+    margin-right: 0;
+  }
+}
+
+.navbar-default { /* Seite Kopfzeile */
+  background-color: var(--pageback);
+  border-color: var(--pageborder); }
+.navbar-default .navbar-brand { /* Seite Kopfzeile Logo Farbe (nicht aktiv bei Bild) */
+  color: var(--pagefore); }
+.navbar-default .navbar-brand:hover, .navbar-default .navbar-brand:focus { /* Seite Kopfzeile drüberstreichen */
+  color: var(--pagefore);
+  background-color: var(--pageback); }
+.navbar-default .navbar-text {
+  color: var(--pagefore); }
+.navbar-default .navbar-nav > li > a {
+  color: var(--pfore); }
+.navbar-default .navbar-nav > li > a:hover, .navbar-default .navbar-nav > li > a:focus {
+  color: var(--primary);
+  background-color: transparent; }
+.navbar-default .navbar-nav > .active > a, .navbar-default .navbar-nav > .active > a:hover, .navbar-default .navbar-nav > .active > a:focus {
+  color: var(--pfore);
+  background-color: var(--sdbaractback); }
+.navbar-default .navbar-nav > .disabled > a, .navbar-default .navbar-nav > .disabled > a:hover, .navbar-default .navbar-nav > .disabled > a:focus {
+  color: var(--stdborder);
+  background-color: transparent; }
+.navbar-default .navbar-toggle {
+  border-color: var(--sback); 
+}
+.navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus {
+  background-color: var(--sdbaractback); }
+.navbar-default .navbar-toggle .icon-bar {
+  background-color: var(--pagefore); }
+.navbar-default .navbar-collapse,
+.navbar-default .navbar-form {
+  border-color: var(--stdborder); }
+.navbar-default .navbar-nav > .open > a, .navbar-default .navbar-nav > .open > a:hover, .navbar-default .navbar-nav > .open > a:focus {
+  background-color: var(--sback);
+  color: var(--sdbaractback); }
+@media (max-width: 767px) {
+  .navbar-default .navbar-nav .open .dropdown-menu > li > a {
+    color: var(--sback);
+  }
+  .navbar-default .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > li > a:focus {
+    color: var(--primary);
+    background-color: transparent;
+  }
+  .navbar-default .navbar-nav .open .dropdown-menu > .active > a, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .active > a:focus {
+    color: var(--pfore);
+    background-color: var(--primary);
+  }
+  .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-default .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+    color: var(--pforemuted);
+    background-color: transparent;
+  }
+}
+.navbar-default .navbar-link {
+  color: var(--sback); }
+.navbar-default .navbar-link:hover {
+  color: var(--primary); }
+.navbar-default .btn-link {
+  color: var(--sback); }
+.navbar-default .btn-link:hover, .navbar-default .btn-link:focus {
+  color: var(--primary); }
+.navbar-default .btn-link[disabled]:hover, .navbar-default .btn-link[disabled]:focus, fieldset[disabled] .navbar-default .btn-link:hover, fieldset[disabled] .navbar-default .btn-link:focus {
+  color: var(--stdborder); }
+.navbar-inverse {
+  background-color: var(--navbarinverse);
+  border-color:var(--pfore); }
+.navbar-inverse .navbar-brand {
+  color: var(--pforemuted); }
+.navbar-inverse .navbar-brand:hover, .navbar-inverse .navbar-brand:focus {
+  color: var(--pforeinverse); 
+  background-color: transparent; }
+.navbar-inverse .navbar-text {
+  color: var(--pforemuted); }
+.navbar-inverse .navbar-nav > li > a {
+  color: var(--pforemuted); }
+.navbar-inverse .navbar-nav > li > a:hover, .navbar-inverse .navbar-nav > li > a:focus {
+  color: var(--pforeinverse); 
+  background-color: transparent; }
+.navbar-inverse .navbar-nav > .active > a, .navbar-inverse .navbar-nav > .active > a:hover, .navbar-inverse .navbar-nav > .active > a:focus {
+  color: var(--pforeinverse); 
+  background-color:var(--pbackinverse); }
+.navbar-inverse .navbar-nav > .disabled > a, .navbar-inverse .navbar-nav > .disabled > a:hover, .navbar-inverse .navbar-nav > .disabled > a:focus {
+  color: var(--stdborder);
+  background-color: transparent; }
+.navbar-inverse .navbar-toggle {
+  border-color: var(--stdborder); }
+.navbar-inverse .navbar-toggle:hover, .navbar-inverse .navbar-toggle:focus {
+  background-color: var(--navbarinverse); }
+.navbar-inverse .navbar-toggle .icon-bar {
+  background-color: var(--pbackinverse); 
+}
+.navbar-inverse .navbar-collapse,
+.navbar-inverse .navbar-form {
+  border-color: var(--stdborderinverse); }
+.navbar-inverse .navbar-nav > .open > a, .navbar-inverse .navbar-nav > .open > a:hover, .navbar-inverse .navbar-nav > .open > a:focus {
+  background-color:var(--pbackinverse);
+  color: var(--pforeinverse); 
+}
+@media (max-width: 767px) {
+  .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {
+    border-color:var(--stdborderinverse);
+  }
+  .navbar-inverse .navbar-nav .open .dropdown-menu .divider {
+    background-color:var(--pbackinverse);
+  }
+  .navbar-inverse .navbar-nav .open .dropdown-menu > li > a {
+    color: var(--pforeinverse);
+  }
+  .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {
+    color: var(--pforeinverse); 
+    background-color: transparent;
+  }
+  .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {
+    color: var(--pforeinverse); 
+    background-color:var(--pbackinverse);
+  }
+  .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {
+    color: var(--pforemuted);
+    background-color: transparent;
+  }
+}
+.navbar-inverse .navbar-link {
+  color: var(--pforeinverse); }
+.navbar-inverse .navbar-link:hover {
+  color: var(--pforeinversehover); 
+}
+.navbar-inverse .btn-link {
+  color: var(--pforeinverse); }
+.navbar-inverse .btn-link:hover, .navbar-inverse .btn-link:focus {
+  color: var(--pforeinversehover); 
+}
+.navbar-inverse .btn-link[disabled]:hover, .navbar-inverse .btn-link[disabled]:focus, fieldset[disabled] .navbar-inverse .btn-link:hover, fieldset[disabled] .navbar-inverse .btn-link:focus {
+  color: var(--pforemuted); }
+.breadcrumb {
+  padding: 8px 15px;
+  margin-bottom: 20px;
+  list-style: none;
+  background-color: var(--pback);
+  border-radius: 3px; }
+.breadcrumb > li {
+  display: inline-block; }
+.breadcrumb > li + li:before {
+  content: "/ ";
+  padding: 0 5px;
+  color: var(--pfore); }
+.breadcrumb > .active {
+  color: var(--pforehover); }
+.pagination {
+  display: inline-block;
+  padding-left: 0;
+  margin: 20px 0;
+  border-radius: 3px; }
+.pagination > li {
+  display: inline; }
+.pagination > li > a,
+.pagination > li > span {
+  position: relative;
+  float: left;
+  padding: 6px 12px;
+  line-height: 1.428571429;
+  text-decoration: none;
+  color: var(--primary);
+  background-color: var(--pback); 
+  border: 1px solid var(--sdbaractback);
+  margin-left: -1px; }
+.pagination > li:first-child > a,
+.pagination > li:first-child > span {
+  margin-left: 0;
+  border-bottom-left-radius: 3px;
+  border-top-left-radius: 3px; }
+.pagination > li:last-child > a,
+.pagination > li:last-child > span {
+  border-bottom-right-radius: 3px;
+  border-top-right-radius: 3px; }
+.pagination > li > a:hover, .pagination > li > a:focus,
+.pagination > li > span:hover,
+.pagination > li > span:focus {
+  color: var(--danger);
+  background-color: var(--pback);
+  border-color: var(--sdbaractback); }
+.pagination > .active > a, .pagination > .active > a:hover, .pagination > .active > a:focus,
+.pagination > .active > span,
+.pagination > .active > span:hover,
+.pagination > .active > span:focus {
+  z-index: 2;
+  color: var(--pforeinverse); 
+  background-color: var(--primary);
+  border-color: var(--primary);
+  cursor: default; }
+.pagination > .disabled > span,
+.pagination > .disabled > span:hover,
+.pagination > .disabled > span:focus,
+.pagination > .disabled > a,
+.pagination > .disabled > a:hover,
+.pagination > .disabled > a:focus {
+  color: var(--pforemuted);
+  background-color: var(--pback); 
+  border-color: var(--sdbaractback);
+  cursor: not-allowed; }
+.pagination-lg > li > a,
+.pagination-lg > li > span {
+  padding: 10px 16px;
+  font-size: 18px; }
+.pagination-lg > li:first-child > a,
+.pagination-lg > li:first-child > span {
+  border-bottom-left-radius: 6px;
+  border-top-left-radius: 6px; }
+.pagination-lg > li:last-child > a,
+.pagination-lg > li:last-child > span {
+  border-bottom-right-radius: 6px;
+  border-top-right-radius: 6px; }
+.pagination-sm > li > a,
+.pagination-sm > li > span {
+  padding: 5px 10px;
+  font-size: 12px; }
+.pagination-sm > li:first-child > a,
+.pagination-sm > li:first-child > span {
+  border-bottom-left-radius: 3px;
+  border-top-left-radius: 3px; }
+.pagination-sm > li:last-child > a,
+.pagination-sm > li:last-child > span {
+  border-bottom-right-radius: 3px;
+  border-top-right-radius: 3px; }
+.pager {
+  padding-left: 0;
+  margin: 20px 0;
+  list-style: none;
+  text-align: center; }
+.pager:before, .pager:after {
+  content: " ";
+  display: table; }
+.pager:after {
+  clear: both; }
+.pager li {
+  display: inline; }
+.pager li > a,
+.pager li > span {
+  display: inline-block;
+  padding: 5px 14px;
+  background-color: var(--pback); 
+  border: 1px solid var(--sdbaractback);
+  border-radius: 15px; }
+.pager li > a:hover,
+.pager li > a:focus {
+  text-decoration: none;
+  background-color: var(--pbackhover); }
+.pager .next > a,
+.pager .next > span {
+  float: right; }
+.pager .previous > a,
+.pager .previous > span {
+  float: left; }
+.pager .disabled > a,
+.pager .disabled > a:hover,
+.pager .disabled > a:focus,
+.pager .disabled > span {
+  color: var(--pforemuted);
+  background-color: var(--pbackmuted); 
+  cursor: not-allowed; }
+.label {
+  display: inline;
+  padding: 0.2em 0.6em 0.3em;
+  font-size: 75%;
+  font-weight: bold;
+  line-height: 1;
+  color: var(--pfore); 
+  text-align: center;
+  white-space: nowrap;
+  vertical-align: baseline;
+  border-radius: 0.25em; }
+.label:empty {
+  display: none; }
+.btn .label {
+  position: relative;
+  top: -1px; }
+a.label:hover, a.label:focus {
+  color: var(--pforehover); 
+  text-decoration: none;
+  cursor: pointer; }
+.label-default {
+  background-color: var(--pback); }
+.label-default[href]:hover, .label-default[href]:focus {
+  background-color: var(--pbackhover); }
+.label-primary {
+  background-color: var(--primary); }
+.label-primary[href]:hover, .label-primary[href]:focus {
+  background-color: var(--primaryhover); }
+.label-success {
+  background-color: var(--success); }
+.label-success[href]:hover, .label-success[href]:focus {
+  background-color: var(--successhover); }
+.label-info {
+  background-color: var(--info); }
+.label-info[href]:hover, .label-info[href]:focus {
+  background-color: var(--infohover); }
+.label-warning {
+  background-color: var(--warning); }
+.label-warning[href]:hover, .label-warning[href]:focus {
+  background-color: var(--warninghover); }
+.label-danger {
+  background-color: var(--danger); }
+.label-danger[href]:hover, .label-danger[href]:focus {
+  background-color: var(--dangerhover); }
+.badge
+{
+    display: inline-block;
+    min-width: 10px;
+    padding: 3px 7px;
+    font-size: 12px;
+    font-weight: bold;
+    color: var(--pfore);
+    line-height: 1;
+    vertical-align: baseline;
+    white-space: nowrap;
+    text-align: center;
+    background-color: var(--badgeback);
+    border-radius: 10px;
+}
+.badge:empty {
+  display: none; }
+.btn .badge {
+  position: relative;
+  top: -1px; }
+.btn-xs .badge, .btn-group-xs > .btn .badge {
+  top: 0;
+  padding: 1px 5px; }
+a.list-group-item.active > .badge, .nav-pills > .active > a > .badge {
+  color: var(--primary);
+  background-color: var(--pback); 
+}
+.nav-pills > li > a > .badge {
+  margin-left: 3px; }
+a.badge:hover, a.badge:focus {
+  color: var(--pforehover); 
+  text-decoration: none;
+  cursor: pointer; }
+.jumbotron {
+  padding: 30px;
+  margin-bottom: 30px;
+  color: inherit;
+  background-color: var(--sback); }
+.jumbotron h1,
+.jumbotron .h1 {
+  color: inherit; }
+.jumbotron p {
+  margin-bottom: 15px;
+  font-size: 21px;
+  font-weight: 200; }
+.jumbotron > hr {
+  border-top-color: var(--stdborder); }
+.container .jumbotron {
+  border-radius: 6px; }
+.jumbotron .container {
+  max-width: 100%; }
+@media screen and (min-width: 768px) {
+  .jumbotron {
+    padding-top: 48px;
+    padding-bottom: 48px;
+  }
+  .container .jumbotron {
+    padding-left: 60px;
+    padding-right: 60px;
+  }
+  .jumbotron h1,
+.jumbotron .h1 {
+    font-size: 63px;
+  }
+}
+
+.thumbnail {
+  display: block;
+  padding: 4px;
+  margin-bottom: 20px;
+  line-height: 1.428571429;
+  background-color: var(--pback); 
+  border: 1px solid var(--sdbaractback);
+  border-radius: 3px;
+  -webkit-transition: all 0.2s ease-in-out;
+  -o-transition: all 0.2s ease-in-out;
+  transition: all 0.2s ease-in-out; }
+.thumbnail > img,
+.thumbnail a > img {
+  display: block;
+  width: 100% \9 ;
+  max-width: 100%;
+  height: auto;
+  margin-left: auto;
+  margin-right: auto; }
+.thumbnail .caption {
+  padding: 9px;
+  color: var(--pfore); }
+a.thumbnail:hover,
+a.thumbnail:focus,
+a.thumbnail.active {
+  border-color: var(--primary); }
+.alert {
+  background-color: var(--pback);
+  color: var(--pfore);
+  padding: 15px;
+  margin-bottom: 20px;
+  border: 2px solid transparent;
+  border-radius: 3px; 
+  -webkit-box-shadow: inset 0 1px 0 var(--boxshadow), 0 1px 0 var(--boxshadow);
+  box-shadow: inset 0 1px 0 var(--boxshadow), 0 1px 0 var(--boxshadow); }
+.alert h4 {
+  margin-top: 0;
+  color: inherit; }
+.alert .alert-link {
+  font-weight: bold; }
+.alert > p,
+.alert > ul {
+  margin-bottom: 0; }
+.alert > p + p {
+  margin-top: 5px; }
+.alert-dismissable,
+.alert-dismissible {
+  padding-right: 35px; }
+.alert-dismissable .close,
+.alert-dismissible .close {
+  position: relative;
+  top: -2px;
+  right: -21px;
+  color: inherit; }
+.alert-success {
+  border-color: var(--success); }
+.alert-success hr {
+  border-top-color: var(--pfore); }
+.alert-success .alert-link {
+  color: var(--primary); }
+.alert-info {
+  border-color: var(--info); }
+.alert-info hr {
+  border-top-color: var(--pfore); }
+.alert-info .alert-link {
+  color: var(--info); }
+.alert-warning {
+  border-color: var(--warning); }
+.alert-warning hr {
+  border-top-color: var(--pfore); }
+.alert-warning .alert-link {
+  color: var(--primary); }
+.alert-danger {
+  border-color: var(--danger); }
+.alert-danger hr {
+  border-top-color: var(--pfore); }
+.alert-danger .alert-link {
+  color: var(--primary); }
+@-webkit-keyframes progress-bar-stripes {
+  from {
+    background-position: 40px 0;
+  }
+  to {
+    background-position: 0 0;
+  }
+}
+@keyframes progress-bar-stripes {
+  from {
+    background-position: 40px 0;
+  }
+  to {
+    background-position: 0 0;
+  }
+}
+.progress {
+  margin-bottom: 3px;
+  overflow: hidden;
+  height: 20px;
+  background-color: var(--progressbar);
+  border-radius: 3px;
+  position: relative;
+  -webkit-box-shadow: inset 0px 1px 2px 1px var(--progresshadow);
+  box-shadow: inset 0px 1px 2px 1px var(--progresshadow) }
+.progress-bar {
+  float: left;
+  width: 0%;
+  height: 100%;
+  font-size: 12px;
+  line-height: 20px;
+  color: var(--highlighted);
+  text-align: center;
+  background-color: var(--warning);
+  position: relative;
+  z-index: 2;
+  -webkit-box-shadow: inset 0 20px 0 rgba(0, 0, 0, 0.15);
+  box-shadow: inset 0 20px 0 rgba(0, 0, 0, 0.15);
+  -webkit-transition: width 0.6s ease;
+  -o-transition: width 0.6s ease;
+  transition: width 0.6s ease;
+  margin: 1px 0 0 0 !important; }
+.progress-striped .progress-bar,
+.progress-bar-striped {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-size: 40px 40px; }
+.progress.active .progress-bar,
+.progress-bar.active {
+  -webkit-animation: progress-bar-stripes 2s linear infinite;
+  -o-animation: progress-bar-stripes 2s linear infinite;
+  animation: progress-bar-stripes 2s linear infinite; }
+.progress-bar[aria-valuenow="1"], .progress-bar[aria-valuenow="2"] {
+  min-width: 30px; }
+.progress-bar[aria-valuenow="0"] {
+  color: var(--badgeback);
+  min-width: 30px;
+  background-color: transparent;
+  background-image: none;
+  box-shadow: none; }
+.progress-bar-success {
+  background-color: var(--success); }
+.progress-striped .progress-bar-success {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+.progress-bar-info {
+  background-color: var(--pfore); }
+.progress-striped .progress-bar-info {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+.progress-bar-warning {
+  background-color: var(--warning); }
+.progress-striped .progress-bar-warning {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+.progress-bar-danger {
+  background-color: var(--danger); }
+.progress-striped .progress-bar-danger {
+  background-image: -webkit-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: -o-linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent);
+  background-image: linear-gradient(45deg, rgba(255, 255, 255, 0.15) 25%, transparent 25%, transparent 50%, rgba(255, 255, 255, 0.15) 50%, rgba(255, 255, 255, 0.15) 75%, transparent 75%, transparent); }
+.media,
+.media-body {
+  overflow: hidden;
+  zoom: 1; }
+.media,
+.media .media {
+  margin-top: 15px; }
+.media:first-child {
+  margin-top: 0; }
+.media-object {
+  display: block; }
+.media-heading {
+  margin: 0 0 5px; }
+.media > .pull-left {
+  margin-right: 10px; }
+.media > .pull-right {
+  margin-left: 10px; }
+.media-list {
+  padding-left: 0;
+  list-style: none; }
+.list-group {
+  margin-bottom: 20px;
+  padding-left: 0; }
+.list-group-item {  /* Seitenleiste Menü, ListenVordergrund */
+  position: relative;
+  display: block;
+  padding: 6px 8px;
+  margin-bottom: -1px;
+  background-color: var(--sdbarback); /* background navigation sidebar */
+}
+.list-group-item:last-child {
+  margin-bottom: 0; }
+.list-group-item > .badge {
+  float: right; }
+.list-group-item > .badge + .badge {
+  margin-right: 5px; }
+a.list-group-item {
+  color: var(--sdbarfore); /* textcolor navigation sidebar */
+  border-radius: 0; }
+a.list-group-item .list-group-item-heading {
+  color: var(--sdbarfore) !important; }
+a.list-group-item:hover, a.list-group-item:focus {
+  color: var(--sdbarhoverfore);
+  background: var(--sdbarhoverback); 
+  text-decoration: none; }
+a.list-group-item:hover:before, a.list-group-item:focus:before {
+  background: var(--sdbarhoverback); 
+  content: "";
+  height: 42px;
+  left: 0;
+  position: absolute;
+  top: 0;
+  width: 3px; }
+.list-group-item.disabled, .list-group-item.disabled:hover, .list-group-item.disabled:focus {
+  background-color: var(--pback);
+  color: var(--pforemuted); }
+.list-group-item.disabled .list-group-item-heading, .list-group-item.disabled:hover .list-group-item-heading, .list-group-item.disabled:focus .list-group-item-heading {
+  color: inherit; }
+.list-group-item.disabled .list-group-item-text, .list-group-item.disabled:hover .list-group-item-text, .list-group-item.disabled:focus .list-group-item-text {
+  color: var(--pforemuted); }
+.list-group-item.active, .list-group-item.active:hover, .list-group-item.active:focus {
+  z-index: 2; }
+.list-group-item.active:before, .list-group-item.active:hover:before, .list-group-item.active:focus:before {
+  background: var(--navbarinverse);
+  content: "";
+  height: 42px;
+  left: 0;
+  position: absolute;
+  top: 0px;
+  width: 3px; }
+.list-group-item.active .list-group-item-heading,
+.list-group-item.active .list-group-item-heading > small,
+.list-group-item.active .list-group-item-heading > .small, .list-group-item.active:hover .list-group-item-heading,
+.list-group-item.active:hover .list-group-item-heading > small,
+.list-group-item.active:hover .list-group-item-heading > .small, .list-group-item.active:focus .list-group-item-heading,
+.list-group-item.active:focus .list-group-item-heading > small,
+.list-group-item.active:focus .list-group-item-heading > .small {
+  color: inherit; }
+.list-group-item.active .list-group-item-text, .list-group-item.active:hover .list-group-item-text, .list-group-item.active:focus .list-group-item-text {
+  color: var(--warninghover); }
+.list-group-item.active + .collapse > .list-group-item:before, .list-group-item.active:hover + .collapse > .list-group-item:before, .list-group-item.active:focus + .collapse > .list-group-item:before {
+  background: var(--primary);
+  content: "";
+  height: 42px;
+  left: 0;
+  position: absolute;
+  top: 0px;
+  width: 3px; }
+.list-group-item-success {
+  color: var(--success);
+  background-color: var(--pback); }
+a.list-group-item-success {
+  color: var(--success); }
+a.list-group-item-success .list-group-item-heading {
+  color: inherit; }
+a.list-group-item-success:hover, a.list-group-item-success:focus {
+  color: var(--successhover);
+  background-color: var(--pback); }
+a.list-group-item-success.active, a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
+  color: var(--pfore); 
+  background-color: var(--success);
+  border-color: var(--pfore); }
+.list-group-item-info {
+  color: var(--info);
+  background-color: var(--pback); }
+a.list-group-item-info {
+  color: var(--info); }
+a.list-group-item-info .list-group-item-heading {
+  color: inherit; }
+a.list-group-item-info:hover, a.list-group-item-info:focus {
+  color: var(--infohover);
+  background-color: var(--pback); }
+a.list-group-item-info.active, a.list-group-item-info.active:hover, a.list-group-item-info.active:focus {
+  color: var(--pfore); 
+  background-color: var(--info);
+  border-color: var(--pfore); }
+.list-group-item-warning {
+  color: var(--warning);
+  background-color: var(--pback); }
+a.list-group-item-warning {
+  color: var(--warning); }
+a.list-group-item-warning .list-group-item-heading {
+  color: inherit; }
+a.list-group-item-warning:hover, a.list-group-item-warning:focus {
+  color: var(--warninghover);
+  background-color: var(--pback); }
+a.list-group-item-warning.active, a.list-group-item-warning.active:hover, a.list-group-item-warning.active:focus {
+  color: var(--pfore); 
+  background-color: var(--warning);
+  border-color: var(--pfore); }
+.list-group-item-danger {
+  color: var(--danger);
+  background-color: var(--pback); }
+a.list-group-item-danger {
+  color: var(--danger); }
+a.list-group-item-danger .list-group-item-heading {
+  color: inherit; }
+a.list-group-item-danger:hover, a.list-group-item-danger:focus {
+  color: var(--dangerhover);
+  background-color: var(--pback); }
+a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-group-item-danger.active:focus {
+  color: var(--pfore); 
+  background-color: var(--danger);
+  border-color: var(--pfore); }
+.list-group-item-heading {
+  margin-top: 0;
+  margin-bottom: 5px; }
+.list-group-item-text {
+  margin-bottom: 0;
+  line-height: 1.3; }
+.panel {
+  margin-bottom: 20px;
+  background-color: var(--panelbody); 
+  border: 1px solid transparent;
+  border-radius: 3px;
+  -webkit-box-shadow: 0 1px 1px var(--boxshadow);
+  box-shadow: 0 1px 1px var(--boxshadow); }
+.panel-body {
+  color: var(--panelinfo);
+  padding: 15px; 
+  background-color: var(--panelbody); }
+.panel-body:before, .panel-body:after {
+  content: " ";
+  display: table; }
+.panel-body:after {
+  clear: both; }
+.panel-heading {
+  padding: 10px 15px;
+  border-bottom: 1px solid transparent;
+  border-top-right-radius: 2px;
+  border-top-left-radius: 2px; 
+  background-color: var(--panelheading); }
+.panel-heading > .dropdown .dropdown-toggle {
+  color: var(--panelheadingfore); }
+.panel-title {
+  color: var(--panelheadingfore); }
+  margin-top: 0;
+  margin-bottom: 0;
+  font-size: 16px;
+.panel-title > a {
+  color: var(--panelheadingfore); }
+.panel-footer {
+  padding: 10px 15px;
+  background-color: var(--panelfooter);
+  border-top: 1px solid var(--stdborder);
+  border-bottom-right-radius: 2px;
+  border-bottom-left-radius: 2px; }
+.panel > .list-group {
+  margin-bottom: 0; }
+.panel > .list-group .list-group-item {
+  border-width: 1px 0;
+  border-radius: 0; }
+.panel > .list-group:first-child .list-group-item:first-child {
+  border-top: 0;
+  border-top-right-radius: 2px;
+  border-top-left-radius: 2px; }
+.panel > .list-group:last-child .list-group-item:last-child {
+  border-bottom: 0;
+  border-bottom-right-radius: 2px;
+  border-bottom-left-radius: 2px; }
+.panel-heading + .list-group .list-group-item:first-child {
+  border-top-width: 0; }
+.list-group + .panel-footer {
+  border-top-width: 0; }
+.panel > .table,
+.panel > .table-responsive > .table,
+.panel > .panel-collapse > .table {
+  margin-bottom: 0; }
+.panel > .table:first-child,
+.panel > .table-responsive:first-child > .table:first-child {
+  border-top-right-radius: 2px;
+  border-top-left-radius: 2px; }
+.panel > .table:first-child > thead:first-child > tr:first-child td:first-child,
+.panel > .table:first-child > thead:first-child > tr:first-child th:first-child,
+.panel > .table:first-child > tbody:first-child > tr:first-child td:first-child,
+.panel > .table:first-child > tbody:first-child > tr:first-child th:first-child,
+.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:first-child,
+.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:first-child,
+.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:first-child,
+.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:first-child {
+  border-top-left-radius: 2px; }
+.panel > .table:first-child > thead:first-child > tr:first-child td:last-child,
+.panel > .table:first-child > thead:first-child > tr:first-child th:last-child,
+.panel > .table:first-child > tbody:first-child > tr:first-child td:last-child,
+.panel > .table:first-child > tbody:first-child > tr:first-child th:last-child,
+.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child td:last-child,
+.panel > .table-responsive:first-child > .table:first-child > thead:first-child > tr:first-child th:last-child,
+.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child td:last-child,
+.panel > .table-responsive:first-child > .table:first-child > tbody:first-child > tr:first-child th:last-child {
+  border-top-right-radius: 2px; }
+.panel > .table:last-child,
+.panel > .table-responsive:last-child > .table:last-child {
+  border-bottom-right-radius: 2px;
+  border-bottom-left-radius: 2px; }
+.panel > .table:last-child > tbody:last-child > tr:last-child td:first-child,
+.panel > .table:last-child > tbody:last-child > tr:last-child th:first-child,
+.panel > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
+.panel > .table:last-child > tfoot:last-child > tr:last-child th:first-child,
+.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:first-child,
+.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:first-child,
+.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:first-child,
+.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:first-child {
+  border-bottom-left-radius: 2px; }
+.panel > .table:last-child > tbody:last-child > tr:last-child td:last-child,
+.panel > .table:last-child > tbody:last-child > tr:last-child th:last-child,
+.panel > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
+.panel > .table:last-child > tfoot:last-child > tr:last-child th:last-child,
+.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child td:last-child,
+.panel > .table-responsive:last-child > .table:last-child > tbody:last-child > tr:last-child th:last-child,
+.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child td:last-child,
+.panel > .table-responsive:last-child > .table:last-child > tfoot:last-child > tr:last-child th:last-child {
+  border-bottom-right-radius: 2px; }
+.panel > .panel-body + .table,
+.panel > .panel-body + .table-responsive {
+  border-top: 1px solid var(--stdborder); }
+.panel > .table > tbody:first-child > tr:first-child th,
+.panel > .table > tbody:first-child > tr:first-child td {
+  border-top: 0; }
+.panel > .table-bordered,
+.panel > .table-responsive > .table-bordered {
+  border: 0; }
+.panel > .table-bordered > thead > tr > th:first-child,
+.panel > .table-bordered > thead > tr > td:first-child,
+.panel > .table-bordered > tbody > tr > th:first-child,
+.panel > .table-bordered > tbody > tr > td:first-child,
+.panel > .table-bordered > tfoot > tr > th:first-child,
+.panel > .table-bordered > tfoot > tr > td:first-child,
+.panel > .table-responsive > .table-bordered > thead > tr > th:first-child,
+.panel > .table-responsive > .table-bordered > thead > tr > td:first-child,
+.panel > .table-responsive > .table-bordered > tbody > tr > th:first-child,
+.panel > .table-responsive > .table-bordered > tbody > tr > td:first-child,
+.panel > .table-responsive > .table-bordered > tfoot > tr > th:first-child,
+.panel > .table-responsive > .table-bordered > tfoot > tr > td:first-child {
+  border-left: 0; }
+.panel > .table-bordered > thead > tr > th:last-child,
+.panel > .table-bordered > thead > tr > td:last-child,
+.panel > .table-bordered > tbody > tr > th:last-child,
+.panel > .table-bordered > tbody > tr > td:last-child,
+.panel > .table-bordered > tfoot > tr > th:last-child,
+.panel > .table-bordered > tfoot > tr > td:last-child,
+.panel > .table-responsive > .table-bordered > thead > tr > th:last-child,
+.panel > .table-responsive > .table-bordered > thead > tr > td:last-child,
+.panel > .table-responsive > .table-bordered > tbody > tr > th:last-child,
+.panel > .table-responsive > .table-bordered > tbody > tr > td:last-child,
+.panel > .table-responsive > .table-bordered > tfoot > tr > th:last-child,
+.panel > .table-responsive > .table-bordered > tfoot > tr > td:last-child {
+  border-right: 0; }
+.panel > .table-bordered > thead > tr:first-child > td,
+.panel > .table-bordered > thead > tr:first-child > th,
+.panel > .table-bordered > tbody > tr:first-child > td,
+.panel > .table-bordered > tbody > tr:first-child > th,
+.panel > .table-responsive > .table-bordered > thead > tr:first-child > td,
+.panel > .table-responsive > .table-bordered > thead > tr:first-child > th,
+.panel > .table-responsive > .table-bordered > tbody > tr:first-child > td,
+.panel > .table-responsive > .table-bordered > tbody > tr:first-child > th {
+  border-bottom: 0; }
+.panel > .table-bordered > tbody > tr:last-child > td,
+.panel > .table-bordered > tbody > tr:last-child > th,
+.panel > .table-bordered > tfoot > tr:last-child > td,
+.panel > .table-bordered > tfoot > tr:last-child > th,
+.panel > .table-responsive > .table-bordered > tbody > tr:last-child > td,
+.panel > .table-responsive > .table-bordered > tbody > tr:last-child > th,
+.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > td,
+.panel > .table-responsive > .table-bordered > tfoot > tr:last-child > th {
+  border-bottom: 0; }
+.panel > .table-responsive {
+  border: 0;
+  margin-bottom: 0; }
+.panel-group {
+  margin-bottom: 20px; }
+.panel-group .panel {
+  margin-bottom: 0;
+  border-radius: 3px; }
+.panel-group .panel + .panel {
+  margin-top: 5px; }
+.panel-group .panel-heading {
+  border-bottom: 0; }
+.panel-group .panel-heading + .panel-collapse > .panel-body {
+  border-top: 1px solid var(--stdborder); }
+.panel-group .panel-footer {
+  border-top: 0; }
+.panel-group .panel-footer + .panel-collapse .panel-body {
+  border-bottom: 1px solid var(--stdborder); }
+.panel-default {
+  border-color: var(--stdborder); }
+.panel-default > .panel-heading {
+  color: var(--panelheadingfore);
+  background-color: var(--panelheading);
+  border-color: var(--stdborder); }
+.panel-default > .panel-heading + .panel-collapse > .panel-body {
+  border-top-color: var(--pfore); }
+.panel-default > .panel-heading .badge {
+  color: var(--sfore);
+  background-color: var(--sback); }
+.panel-default > .panel-footer + .panel-collapse > .panel-body {
+  border-bottom-color: var(--stdborder); }
+.panel-primary {
+  border-color: var(--stdborder); }
+.panel-primary > .panel-heading {
+  color: var(--panelheadingfore); 
+  background-color: var(--panelheading);
+  border-color: var(--stdborder); }
+.panel-primary > .panel-heading + .panel-collapse > .panel-body {
+  border-top-color: var(--stdborder); }
+.panel-primary > .panel-heading .badge {
+  color: var(--pfore);
+  background-color: var(--pback); }
+.panel-primary > .panel-footer + .panel-collapse > .panel-body {
+  border-bottom-color: var(--pfore); }
+.panel-success {
+  border-color: var(--success); }
+.panel-success > .panel-heading {
+  color: var(--success);
+  background-color: var(--pback);
+  border-color: var(--success); }
+.panel-success > .panel-heading + .panel-collapse > .panel-body {
+  border-top-color: var(--success); }
+.panel-success > .panel-heading .badge {
+  color: var(--pfore);
+  background-color: var(--success); }
+.panel-success > .panel-footer + .panel-collapse > .panel-body {
+  border-bottom-color: var(--success); }
+.panel-info {
+  border-color: var(--info); }
+.panel-info > .panel-heading {
+  color: var(--info);
+  background-color: var(--pback);
+  border-color: var(--info); }
+.panel-info > .panel-heading + .panel-collapse > .panel-body {
+  border-top-color: var(--info); }
+.panel-info > .panel-heading .badge {
+  color: var(--pfore);
+  background-color: var(--info); }
+.panel-info > .panel-footer + .panel-collapse > .panel-body {
+  border-bottom-color: var(--info); }
+.panel-warning {
+  border-color: var(--warning); }
+.panel-warning > .panel-heading {
+  color: var(--warning);
+  background-color: var(--pback);
+  border-color: var(--warning); }
+.panel-warning > .panel-heading + .panel-collapse > .panel-body {
+  border-top-color: var(--pfore); }
+.panel-warning > .panel-heading .badge {
+  color: var(--pfore);
+  background-color: var(--warning); }
+.panel-warning > .panel-footer + .panel-collapse > .panel-body {
+  border-bottom-color: var(--warning); }
+.panel-danger {
+  border-color: var(--danger); }
+.panel-danger > .panel-heading {
+  color: var(--danger);
+  background-color: var(--pback);
+  border-color: var(--danger); }
+.panel-danger > .panel-heading + .panel-collapse > .panel-body {
+  border-top-color: var(--danger); }
+.panel-danger > .panel-heading .badge {
+  color: var(--pfore);:
+  background-color: var(--danger); }
+.panel-danger > .panel-footer + .panel-collapse > .panel-body {
+  border-bottom-color: var(--danger); }
+.embed-responsive {
+  position: relative;
+  display: block;
+  height: 0;
+  padding: 0;
+  overflow: hidden; }
+.embed-responsive .embed-responsive-item,
+.embed-responsive iframe,
+.embed-responsive embed,
+.embed-responsive object {
+  position: absolute;
+  top: 0;
+  left: 0;
+  bottom: 0;
+  height: 100%;
+  width: 100%;
+  border: 0; }
+.embed-responsive.embed-responsive-16by9 {
+  padding-bottom: 56.25%; }
+.embed-responsive.embed-responsive-4by3 {
+  padding-bottom: 75%; }
+.well {
+  color: var(--contentboxfore) !important;
+  min-height: 20px;
+  padding: 19px;
+  margin-bottom: 20px;
+  background-color: var(--contentboxback);
+/*  border: 0px solid var(--pback);
+  border-radius: 3px;
+  -webkit-box-shadow: var(--boxshadow);
+  box-shadow: var(--boxshadow); }
+    .well blockquote
+    {
+        border-color: var(--stdborder);
+        border-color: var(--rgbshadowdark);*/
+    }
+.well-lg {
+  padding: 24px;
+  border-radius: 6px; }
+.well-sm {
+  padding: 9px;
+  border-radius: 3px; }
+.close {
+  float: right;
+  font-size: 21px;
+  font-weight: bold;
+  line-height: 1;
+  color: var(--bsheadfore); /* Wichtig!!! */
+  /* text-shadow: 0 1px 0 var(--link); */
+  opacity: 1;
+  filter: alpha(opacity=100); }
+.close:hover, .close:focus {
+  color: var(--pfore);
+  text-decoration: none;
+  cursor: pointer;
+  opacity: 1;
+  filter: alpha(opacity=100); }
+button.close {
+  padding: 0;
+  cursor: pointer;
+  background: transparent;
+  border: 0;
+  -webkit-appearance: none; }
+.modal-open {
+  overflow: hidden; }
+.modal {
+  display: none;
+  overflow: hidden;
+  position: fixed;
+  top: 0;
+  right: 0;
+  bottom: 0;
+  left: 0;
+  z-index: 1050;
+  -webkit-overflow-scrolling: touch;
+  outline: 0; }
+.modal.fade .modal-dialog {
+  -webkit-transform: translate3d(0, -25%, 0);
+  transform: translate3d(0, -25%, 0);
+  -webkit-transition: -webkit-transform 0.3s ease-out;
+  -moz-transition: -moz-transform 0.3s ease-out;
+  -o-transition: -o-transform 0.3s ease-out;
+  transition: transform 0.3s ease-out; }
+.modal.in .modal-dialog {
+  -webkit-transform: translate3d(0, 0, 0);
+  transform: translate3d(0, 0, 0); }
+.modal-open .modal {
+  overflow-x: hidden;
+  overflow-y: auto; }
+.modal-dialog {
+  position: relative;
+  width: auto;
+  margin: 62px 10px 10px 10px; }
+.modal-content
+{
+    position: relative;
+    background-color: var(--bsbodyback);
+    border: 0px solid var(--pageborder);
+    border-radius: 6px;
+    -webkit-box-shadow: 0 3px 9px var(--rgb50);
+    box-shadow: 0 3px 9px var(--rgb50);
+    background-clip: padding-box;
+    outline: 0;
+}
+.modal-backdrop {
+  position: fixed;
+  top: 0;
+  right: 0;
+  bottom: 0;
+  left: 0;
+  z-index: 1040;
+  background-color: var(--highlighted); }
+.modal-backdrop.fade {
+  opacity: 0;
+  filter: alpha(opacity=0); }
+.modal-backdrop.in {
+  opacity: 0.5;
+  filter: alpha(opacity=50); }
+.modal-header {
+  padding: 15px;
+  border-bottom: 0px solid var(--stdborder);
+  min-height: 16.428571429px; }
+.modal-header .close {
+  margin-top: -2px; }
+.modal-title {
+  margin: 0;
+  line-height: 1.428571429; }
+.modal-body {
+  color: var(--bsbodyfore) !important;
+  position: relative;
+  padding: 15px; 
+  background-color: var(--bsbodyback); }
+.modal-footer {
+  padding: 15px;
+  text-align: right;
+  border-top: 0px solid var(--stdborder); }
+.modal-footer:before, .modal-footer:after {
+  content: " ";
+  display: table; }
+.modal-footer:after {
+  clear: both; }
+.modal-footer .btn + .btn {
+  margin-left: 5px;
+  margin-bottom: 0; }
+.modal-footer .btn-group .btn + .btn {
+  margin-left: -1px; }
+.modal-footer .btn-block + .btn-block {
+  margin-left: 0; }
+.modal-scrollbar-measure {
+  position: absolute;
+  top: -9999px;
+  width: 50px;
+  height: 50px;
+  overflow: scroll; }
+@media (min-width: 768px) {
+  .modal-dialog {
+    width: 600px;
+    margin: 82px auto 30px auto;
+  }
+
+  .modal-content {
+    -webkit-box-shadow: 0 5px 15px var(--rgb50);
+    box-shadow: 0 5px 15px var(--rgb50);
+  }
+
+  .modal-sm {
+    width: 300px;
+  }
+}
+@media (min-width: 992px) {
+  .modal-lg {
+    width: 900px;
+  }
+}
+.tooltip {
+  position: absolute;
+  z-index: 1070;
+  display: block;
+  visibility: visible;
+  font-size: 12px;
+  line-height: 1.4;
+  opacity: 0;
+  filter: alpha(opacity=0); }
+.tooltip.in {
+  opacity: 0.9;
+  filter: alpha(opacity=90); }
+.tooltip.top {
+  margin-top: -3px;
+  padding: 5px 0; }
+.tooltip.right {
+  margin-left: 3px;
+  padding: 0 5px; }
+.tooltip.bottom {
+  margin-top: 3px;
+  padding: 5px 0; }
+.tooltip.left {
+  margin-left: -3px;
+  padding: 0 5px; }
+.tooltip-inner {
+  max-width: 200px;
+  padding: 3px 8px;
+  color: var(--pbackinverse); 
+  text-align: center;
+  text-decoration: none;
+  background-color: var(--pforeinverse);
+  border-radius: 3px; }
+.tooltip-arrow {
+  position: absolute;
+  width: 0;
+  height: 0;
+  border-color: transparent;
+  border-style: solid; }
+.tooltip.top .tooltip-arrow {
+  bottom: 0;
+  left: 50%;
+  margin-left: -5px;
+  border-width: 5px 5px 0;
+  border-top-color: var(--stdborder); }
+.tooltip.top-left .tooltip-arrow {
+  bottom: 0;
+  left: 5px;
+  border-width: 5px 5px 0;
+  border-top-color: var(--stdborder); }
+.tooltip.top-right .tooltip-arrow {
+  bottom: 0;
+  right: 5px;
+  border-width: 5px 5px 0;
+  border-top-color: var(--stdborder); }
+.tooltip.right .tooltip-arrow {
+  top: 50%;
+  left: 0;
+  margin-top: -5px;
+  border-width: 5px 5px 5px 0;
+  border-right-color: var(--stdborder); }
+.tooltip.left .tooltip-arrow {
+  top: 50%;
+  right: 0;
+  margin-top: -5px;
+  border-width: 5px 0 5px 5px;
+  border-left-color: var(--stdborder); }
+.tooltip.bottom .tooltip-arrow {
+  top: 0;
+  left: 50%;
+  margin-left: -5px;
+  border-width: 0 5px 5px;
+  border-bottom-color: var(--stdborder); }
+.tooltip.bottom-left .tooltip-arrow {
+  top: 0;
+  left: 5px;
+  border-width: 0 5px 5px;
+  border-bottom-color: var(--stdborder); }
+.tooltip.bottom-right .tooltip-arrow {
+  top: 0;
+  right: 5px;
+  border-width: 0 5px 5px;
+  border-bottom-color: var(--stdborder); }
+.popover {
+  position: absolute;
+  top: 0;
+  left: 0;
+  z-index: 1060;
+  display: none;
+  max-width: 276px;
+  padding: 1px;
+  text-align: left;
+  background-color: var(--pback); 
+  background-clip: padding-box;
+  border: 1px solid var(--stdborder);
+  border-radius: 6px;
+  -webkit-box-shadow: var(--progresshadow2);
+  box-shadow: var(--progresshadow2);
+  white-space: normal; }
+.popover.top {
+  margin-top: -10px; }
+.popover.right {
+  margin-left: 10px; }
+.popover.bottom {
+  margin-top: 10px; }
+.popover.left {
+  margin-left: -10px; }
+.popover-title {
+  margin: 0;
+  padding: 8px 14px;
+  font-size: 14px;
+  font-weight: normal;
+  line-height: 18px;
+  background-color: var(--sback);
+  border-bottom: 1px solid var(--pback);
+  border-radius: 5px 5px 0 0; }
+.popover-content {
+  padding: 9px 14px; }
+.popover > .arrow, .popover > .arrow:after {
+  position: absolute;
+  display: block;
+  width: 0;
+  height: 0;
+  border-color: transparent;
+  border-style: solid; }
+.popover > .arrow {
+  border-width: 11px; }
+.popover > .arrow:after {
+  border-width: 10px;
+  content: ""; }
+.popover.top > .arrow
+{
+    left: 50%;
+    margin-left: -11px;
+    border-bottom-width: 0;
+    border-top-color: var(--stdborder);
+    border-top-color: var(--rgbshadowdark);
+    bottom: -11px;
+}
+.popover.top > .arrow:after {
+  content: " ";
+  bottom: 1px;
+  margin-left: -10px;
+  border-bottom-width: 0;
+  border-top-color: var(--pback); 
+}
+.popover.right > .arrow
+{
+    top: 50%;
+    left: -11px;
+    margin-top: -11px;
+    border-left-width: 0;
+    border-right-color: var(--stdborder);
+    border-right-color: var(--rgbshadowdark);
+}
+.popover.right > .arrow:after {
+  content: " ";
+  left: 1px;
+  bottom: -10px;
+  border-left-width: 0;
+  border-right-color: var(--stdborder); 
+}
+.popover.bottom > .arrow
+{
+    left: 50%;
+    margin-left: -11px;
+    border-top-width: 0;
+    border-bottom-color: var(--stdborder);
+    border-bottom-color: var(--rgbshadowdark);
+    top: -11px;
+}
+.popover.bottom > .arrow:after {
+  content: " ";
+  top: 1px;
+  margin-left: -10px;
+  border-top-width: 0;
+  border-bottom-color: var(--stdborder); 
+}
+.popover.left > .arrow
+{
+    top: 50%;
+    right: -11px;
+    margin-top: -11px;
+    border-right-width: 0;
+    border-left-color: var(--stdborder);
+    border-left-color: var(--rgbshadowdark);
+}
+.popover.left > .arrow:after {
+  content: " ";
+  right: 1px;
+  border-right-width: 0;
+  border-left-color: var(--stdborder); 
+  bottom: -10px; }
+.carousel {
+  position: relative; }
+.carousel-inner {
+  position: relative;
+  overflow: hidden;
+  width: 100%; }
+.carousel-inner > .item {
+  display: none;
+  position: relative;
+  -webkit-transition: 0.6s ease-in-out left;
+  -o-transition: 0.6s ease-in-out left;
+  transition: 0.6s ease-in-out left; }
+.carousel-inner > .item > img,
+.carousel-inner > .item > a > img {
+  display: block;
+  width: 100% \9 ;
+  max-width: 100%;
+  height: auto;
+  line-height: 1; }
+.carousel-inner > .active,
+.carousel-inner > .next,
+.carousel-inner > .prev {
+  display: block; }
+.carousel-inner > .active {
+  left: 0; }
+.carousel-inner > .next,
+.carousel-inner > .prev {
+  position: absolute;
+  top: 0;
+  width: 100%; }
+.carousel-inner > .next {
+  left: 100%; }
+.carousel-inner > .prev {
+  left: -100%; }
+.carousel-inner > .next.left,
+.carousel-inner > .prev.right {
+  left: 0; }
+.carousel-inner > .active.left {
+  left: -100%; }
+.carousel-inner > .active.right {
+  left: 100%; }
+.carousel-control {
+  position: absolute;
+  top: 0;
+  left: 0;
+  bottom: 0;
+  width: 15%;
+  opacity: 0.5;
+  filter: alpha(opacity=50);
+  font-size: 20px;
+  color: var(--pfore); 
+  text-align: center;
+  text-shadow: 0 1px 2px var(--rgb50); }
+.carousel-control.left {
+  background-image: -webkit-linear-gradient(left, var(--rgb50) 0%, rgba(255, 255, 255, 0.0001) 100%);
+  background-image: -o-linear-gradient(left, var(--rgb50) 0%, rgba(255, 255, 255, 0.0001) 100%);
+  background-image: linear-gradient(to right, var(--rgb50) 0%, rgba(255, 255, 255, 0.0001) 100%);
+  background-repeat: repeat-x;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#80000000", endColorstr="#FFEF8026", GradientType=1); }
+.carousel-control.right {
+  left: auto;
+  right: 0;
+  background-image: -webkit-linear-gradient(left, rgba(255, 255, 255, 0.0001) 0%, var(--rgb50) 100%);
+  background-image: -o-linear-gradient(left, rgba(255, 255, 255, 0.0001) 0%, var(--rgb50) 100%);
+  background-image: linear-gradient(to right, rgba(255, 255, 255, 0.0001) 0%, var(--rgb50) 100%);
+  background-repeat: repeat-x;
+  filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#FFEF8026", endColorstr="#80000000", GradientType=1); }
+.carousel-control:hover, .carousel-control:focus {
+  outline: 0;
+  color: var(--pforehover); 
+  text-decoration: none;
+  opacity: 0.9;
+  filter: alpha(opacity=90); }
+.carousel-control .icon-prev,
+.carousel-control .icon-next,
+.carousel-control .glyphicon-chevron-left,
+.carousel-control .glyphicon-chevron-right {
+  position: absolute;
+  top: 50%;
+  z-index: 5;
+  display: inline-block; }
+.carousel-control .icon-prev,
+.carousel-control .glyphicon-chevron-left {
+  left: 50%;
+  margin-left: -10px; }
+.carousel-control .icon-next,
+.carousel-control .glyphicon-chevron-right {
+  right: 50%;
+  margin-right: -10px; }
+.carousel-control .icon-prev,
+.carousel-control .icon-next {
+  width: 20px;
+  height: 20px;
+  margin-top: -10px;
+  font-family: serif; }
+.carousel-control .icon-prev:before {
+  content: "‹"; }
+.carousel-control .icon-next:before {
+  content: "›"; }
+.carousel-indicators {
+  position: absolute;
+  bottom: 10px;
+  left: 50%;
+  z-index: 15;
+  width: 60%;
+  margin-left: -30%;
+  padding-left: 0;
+  list-style: none;
+  text-align: center; }
+.carousel-indicators li {
+  display: inline-block;
+  width: 10px;
+  height: 10px;
+  margin: 1px;
+  text-indent: -999px;
+  border: 1px solid var(--stdborder); 
+  border-radius: 10px;
+  cursor: pointer;
+  background-color: var(--highlighted) \9 ;
+  background-color: transparent; }
+.carousel-indicators .active {
+  margin: 0;
+  width: 12px;
+  height: 12px;
+  background-color: var(--pback); 
+}
+
+.carousel-caption {
+  position: absolute;
+  left: 15%;
+  right: 15%;
+  bottom: 20px;
+  z-index: 10;
+  padding-top: 20px;
+  padding-bottom: 20px;
+  color: var(--pfore); 
+  text-align: center;
+  text-shadow: 0 1px 2px var(--rgb50); }
+.carousel-caption .btn {
+  text-shadow: none; }
+@media screen and (min-width: 768px) {
+  .carousel-control .glyphicon-chevron-left,
+.carousel-control .glyphicon-chevron-right,
+.carousel-control .icon-prev,
+.carousel-control .icon-next {
+    width: 30px;
+    height: 30px;
+    margin-top: -15px;
+    font-size: 30px;
+  }
+  .carousel-control .glyphicon-chevron-left,
+.carousel-control .icon-prev {
+    margin-left: -15px;
+  }
+  .carousel-control .glyphicon-chevron-right,
+.carousel-control .icon-next {
+    margin-right: -15px;
+  }
+
+  .carousel-caption {
+    left: 20%;
+    right: 20%;
+    padding-bottom: 30px;
+  }
+
+  .carousel-indicators {
+    bottom: 20px;
+  }
+}
+.clearfix:before, .content-box:before, .clearfix:after, .content-box:after {
+  content: " ";
+  display: table; }
+.clearfix:after, .content-box:after {
+  clear: both; }
+.center-block {
+  display: block;
+  margin-left: auto;
+  margin-right: auto; }
+.pull-right {
+  float: right !important; }
+.pull-left {
+  float: left !important; }
+.hide {
+  display: none !important; }
+.show {
+  display: block !important; }
+.invisible {
+  visibility: hidden; }
+.text-hide {
+  font: 0/0 a;
+  color: transparent;
+  text-shadow: none;
+  background-color: transparent;
+  border: 0; }
+.hidden {
+  display: none !important;
+  visibility: hidden !important; }
+.affix {
+  position: fixed;
+  -webkit-transform: translate3d(255, 255, 255);
+  transform: translate3d(255, 255, 255); }
+@-ms-viewport {
+  width: device-width; }
+.visible-xs, .visible-sm, .visible-md, .visible-lg {
+  display: none !important; }
+.visible-xs-block,
+.visible-xs-inline,
+.visible-xs-inline-block,
+.visible-sm-block,
+.visible-sm-inline,
+.visible-sm-inline-block,
+.visible-md-block,
+.visible-md-inline,
+.visible-md-inline-block,
+.visible-lg-block,
+.visible-lg-inline,
+.visible-lg-inline-block {
+  display: none !important; }
+@media (max-width: 767px) {
+  .visible-xs {
+    display: block !important;
+  }
+
+  table.visible-xs {
+    display: table;
+  }
+
+  tr.visible-xs {
+    display: table-row !important;
+  }
+
+  th.visible-xs,
+td.visible-xs {
+    display: table-cell !important;
+  }
+}
+@media (max-width: 767px) {
+  .visible-xs-block {
+    display: block !important;
+  }
+}
+
+@media (max-width: 767px) {
+  .visible-xs-inline {
+    display: inline !important;
+  }
+}
+
+@media (max-width: 767px) {
+  .visible-xs-inline-block {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: 768px) and (max-width: 991px) {
+  .visible-sm {
+    display: block !important;
+  }
+
+  table.visible-sm {
+    display: table;
+  }
+
+  tr.visible-sm {
+    display: table-row !important;
+  }
+
+  th.visible-sm,
+td.visible-sm {
+    display: table-cell !important;
+  }
+}
+@media (min-width: 768px) and (max-width: 991px) {
+  .visible-sm-block {
+    display: block !important;
+  }
+}
+
+@media (min-width: 768px) and (max-width: 991px) {
+  .visible-sm-inline {
+    display: inline !important;
+  }
+}
+
+@media (min-width: 768px) and (max-width: 991px) {
+  .visible-sm-inline-block {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: 992px) and (max-width: 1199px) {
+  .visible-md {
+    display: block !important;
+  }
+
+  table.visible-md {
+    display: table;
+  }
+
+  tr.visible-md {
+    display: table-row !important;
+  }
+
+  th.visible-md,
+td.visible-md {
+    display: table-cell !important;
+  }
+}
+@media (min-width: 992px) and (max-width: 1199px) {
+  .visible-md-block {
+    display: block !important;
+  }
+}
+
+@media (min-width: 992px) and (max-width: 1199px) {
+  .visible-md-inline {
+    display: inline !important;
+  }
+}
+
+@media (min-width: 992px) and (max-width: 1199px) {
+  .visible-md-inline-block {
+    display: inline-block !important;
+  }
+}
+
+@media (min-width: 1200px) {
+  .visible-lg {
+    display: block !important;
+  }
+
+  table.visible-lg {
+    display: table;
+  }
+
+  tr.visible-lg {
+    display: table-row !important;
+  }
+
+  th.visible-lg,
+td.visible-lg {
+    display: table-cell !important;
+  }
+}
+@media (min-width: 1200px) {
+  .visible-lg-block {
+    display: block !important;
+  }
+}
+
+@media (min-width: 1200px) {
+  .visible-lg-inline {
+    display: inline !important;
+  }
+}
+
+@media (min-width: 1200px) {
+  .visible-lg-inline-block {
+    display: inline-block !important;
+  }
+}
+
+@media (max-width: 767px) {
+  .hidden-xs, .page-side {
+    display: none !important;
+  }
+}
+@media (min-width: 768px) and (max-width: 991px) {
+  .hidden-sm {
+    display: none !important;
+  }
+}
+@media (max-width: 768px), (max-height: 669px) {
+  .toggle-sidebar {
+    display: none !important;
+  }
+}
+@media (min-width: 992px) and (max-width: 1199px) {
+  .hidden-md {
+    display: none !important;
+  }
+}
+@media (min-width: 1200px) {
+  .hidden-lg {
+    display: none !important;
+  }
+}
+.visible-print {
+  display: none !important; }
+@media print {
+  .visible-print {
+    display: block !important;
+  }
+
+  table.visible-print {
+    display: table;
+  }
+
+  tr.visible-print {
+    display: table-row !important;
+  }
+
+  th.visible-print,
+td.visible-print {
+    display: table-cell !important;
+  }
+}
+.visible-print-block {
+  display: none !important; }
+@media print {
+  .visible-print-block {
+    display: block !important;
+  }
+}
+
+.visible-print-inline {
+  display: none !important; }
+@media print {
+  .visible-print-inline {
+    display: inline !important;
+  }
+}
+
+.visible-print-inline-block {
+  display: none !important; }
+@media print {
+  .visible-print-inline-block {
+    display: inline-block !important;
+  }
+}
+
+@media print {
+  .hidden-print {
+    display: none !important;
+  }
+}
+* {
+  -webkit-font-smoothing: antialiased; }
+html, body {
+  height: 100%;
+  font-family: "SourceSansProRegular";
+  scrollbar-width: thin;
+  scrollbar-color: var(--scbarcolor);
+  background-color: var(--pageback); 
+}
+
+body {
+  touch-action: manipulation;
+  min-width: 320px; }
+.widget-sort-handle {
+  touch-action: none; }
+  
+.widgetdiv .content-box-head {
+  background: var(--sback) !important;
+  color: var(--sfore) !important;
+  padding-bottom: 1px !important;
+  padding-top: 1px !important;
+  padding-right: 1px !important;
+  padding-left: 5px !important;
+  min-height: 25px !important; }
+  
+.widgetdiv .content-box-head .btn-group .btn {
+  color: var(--sfore) !important;
+  background: none;
+  border: 1px solid var(--stdborder); }
+  
+.widgetdiv .content-box-head .btn-group .btn .glyphicon {
+  color: var(--stdborder) !important; }
+  
+.widgetdiv .content-box-head .list-inline li > h3 {
+  padding-top: 4px; }
+.page-head { /* Seite Kopf (Funktion nicht klar) */
+  top: 0;
+  left: 0;
+  width: 100%;
+  position: fixed;
+  z-index: 2; }
+.page-content {
+  height: calc(100% - 52px);
+  padding-top: 52px;
+  position: relative;
+  z-index: 1; }
+.page-content > .row {
+  height: 100%; }
+.page-content-head .container-fluid {
+  color: var(--pagefore);
+  background-color: var(--headlineback);
+  margin-left: 20px;
+  margin-right: 20px;
+  min-height: 47px;
+  height:auto;
+  padding: 10px 14px 5px 14px;
+  -webkit-box-shadow: var(--headlinebackshadow);
+  -moz-box-shadow: var(--headlinebackshadow);
+  box-shadow: var(--headlinebackshadow); }
+.page-content-head, .content-box-head { /* Seite Kopf Zeile unterhalb Kopfzeile */
+  background: var(--pageback);
+  padding-top: 5px;
+  padding-bottom: 5px; }
+.page-content-head .navbar-nav, .content-box-head .navbar-nav {
+  width: 100%; }
+.page-content-head h1, .content-box-head h1, .page-content-head h2, .content-box-head h2, .page-content-head h3, .content-box-head h3 {
+  line-height: 1;
+  margin: 0; }
+.page-content-main { /* Seiten hintergrund, Bereich um die Textboxen */
+  background: var(--pageback);
+  min-height: calc(100% - 64px);
+  padding: 15px 0 73px; }
+.page-side { /* Seitenleiste Hintergrundfarbe */
+  background: var(--pageback); 
+  border-right: 1px solid var(--pageborder);
+  border-top: 1px solid var(--pageborder);
+  border-bottom: 1px solid var(--pageborder);
+  height: 100% !important;
+  height: calc(100% - 52px) !important;
+  left: 0;
+  overflow: auto;
+  margin-top: 52px;
+  position: fixed;
+  top: 0;
+  z-index: 3; }
+.page-side-nav--active {
+  background: var(--sback);
+  border-left: 3px solid var(--pageborder); }
+.page-foot { /* Seite Fußzeile */
+  background: var(--pageback);
+  bottom: 0;
+  border-top: 1px solid var(--pageborder);
+  font-size: 12px;
+  padding: 0;
+  position: fixed;
+  width: 100%;
+  z-index: 2; }
+section.page-content-main div.tab-content { /* Umrandung Boxen */
+  border: 1px solid var(--pageborder) !important; 
+  border-radius: 4px;}
+
+.content-box {
+  background: var(--contentboxback); 
+  border: 1px solid var(--stdborder);
+  border-radius: 4px; }
+.content-box-main {
+  padding-bottom: 15px;
+  padding-top: 15px; }
+div.content-box.wizard div img {
+  filter: invert(25%); }
+.tab-content {
+  border-top: 0px;
+  padding: 0px 0; }
+.tab-content > .tab-content {
+  margin-bottom: 0;
+  padding: 0 15px; }
+.tab-content .tab-content:last-child {
+  margin-bottom: 0; }
+.page-content-main section[class^=col-] + section[class^=col-] {
+  padding-top: 20px; }
+.brand-logo {
+  display: none; }
+@media (min-width: 768px) {
+  .brand-logo {
+    display: inline-block;
+  }
+}
+
+.brand-icon {
+  display: inline-block; }
+@media (min-width: 768px) {
+  .brand-icon {
+    display: none;
+  }
+}
+
+@media (min-width: 768px) {
+  .col-sm-disable-spacer {
+    padding-top: 0 !important;
+  }
+}
+
+@media (min-width: 992px) {
+  .col-md-disable-spacer {
+    padding-top: 0 !important;
+  }
+}
+
+@media (min-width: 1200px) {
+  .col-lg-disable-spacer {
+    padding-top: 0 !important;
+  }
+}
+
+.page-login {
+  background: var(--loginback); }
+.page-login .container {
+  min-height: 100%;
+  margin-bottom: -60px; }
+.page-login .container:after {
+  color: var(--success);
+ height: 60px; }
+.login-foot {
+  color: var(--logindatefore);
+  font-size: 12px; }
+.login-modal-container {
+  color: var(--loginboxfore);
+  background: var(--loginboxback); 
+  max-width: 400px;
+  margin: 100px auto 15px auto;
+  border: 1px solid var(--stdborder);
+  border-radius: 4px; }
+.login-modal-head {
+  background: var(--loginheadback);
+  height: 75px;
+  border-top: 1px solid var(--stdborder);
+  border-top-right-radius: 4px;
+  border-top-left-radius: 4px; }
+.login-modal-content {
+  padding: 20px 20px 20px 20px; }
+.login-modal-foot {
+  background: var(--loginheadback);
+  height: 60px;
+  border-bottom: 1px solid var(--stdborder);
+  border-bottom-right-radius: 4px;
+  border-bottom-left-radius: 4px; }
+.login-modal-foot a {
+  color: var(--loginboxfore);
+  text-decoration: none; }
+.login-modal-foot a:hover {
+  text-decoration: underline; }
+@media (min-width: 768px) {
+  .list-inline .btn-group-container {
+    float: right;
+  }
+}
+
+.btn.btn-fixed {
+  max-width: 174px;
+  width: 100%; }
+.progress-bar-placeholder {
+  font-size: 12px;
+  position: absolute;
+  text-align: center;
+  width: 100%;
+  z-index: 1; }
+/* BOOTSTRAP EDIT */
+.list-group-item {
+  border-left: none;
+  border-right: none; }
+.list-group-item.collapsed .caret {
+  border-bottom: 4px solid green;
+  border-top: 0; }
+/* COLLAPSE SIDEBAR */
+main.page-content.col-lg-12 {
+  padding-left: 90px; }
+#navigation.col-sidebar-left {
+  width: 70px;
+  overflow: hidden;
+  background-color: transparent !important;
+  border: none !important; }
+#navigation.col-sidebar-left > div.row {
+  height: 100% !important; }
+#navigation.col-sidebar-left > div.row > nav.page-side-nav {
+  width: 70px;
+  height: 100% !important;
+  border-right: 1px solid var(--stdborder); }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item {
+  font-size: 14px;
+  text-align: center;
+  width: 70px;
+  height: 70px;
+  padding-left: 0px;
+  padding-right: 0px;
+  padding-top: 12px;
+  border-bottom: 1px solid var(--stdborder);
+  border-right: 1px solid var(--stdborder); }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.fa, #navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.glyphicon {
+  visibility: visible;
+  font-size: 20px; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > a.list-group-item > span.__iconspacer {
+  width: 50px;
+  height: 30px;
+  padding: 0px; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing > a.list-group-item {
+  padding-left: 10px !important;
+  font-size: 14px !important;
+  display: block !important;
+  position: absolute !important;
+  left: 70px !important; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing > a.list-group-item {
+  padding-left: 10px !important;
+  font-size: 14px !important;
+  display: block !important;
+  position: absolute !important;
+  left: 166px !important; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > a.list-group-item, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
+  background-color: var(--sdbarback)!important; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in > a.list-group-item {
+  padding-left: 10px !important;
+  font-size: 14px !important; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item {
+  padding-left: 10px !important;
+  font-size: 14px !important; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsed > a.list-group-item {
+  padding-left: 10px !important;
+  font-size: 14px !important; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > a.list-group-item, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse > div.collapse > a.list-group-item {
+  padding: 3px 8px !important; }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in {
+  width: 168px;
+  font-size: 14px;
+  z-index: 10;
+  position: absolute;
+  left: 70px;
+  margin-top: -70px;
+  border: 1px solid var(--stdborder);
+  -webkit-box-shadow: var(--mozshadow);
+  -moz-box-shadow: var(--mozshadow);
+  box-shadow: var(--mozshadow); }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapse.in {
+  color: var(--pfore);
+  width: 168px;
+  font-size: 14px;
+  z-index: 10;
+  position: absolute;
+  left: 166px;
+  margin-top: -26px;
+  border: 1px solid var(--stdborder);
+  -webkit-box-shadow: var(--mozshadow);
+  -moz-box-shadow: var(--mozshadow);
+  box-shadow: 2px 2px 1px 0px var(--mozshadow); }
+#navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing {
+  display: none; }
+button.toggle-sidebar {
+  color: var(--pagefore); 
+  background-color: var(--pageback);
+  font-size: 14px;
+  border: none;
+  margin-top: 18px;
+  float: left;
+  outline: none; }
+/* COLLAPSE SIDEBAR END*/
+#navigation.collapse.in {
+  display: block !important; }
+.list-group-submenu .list-group-item:last-child,
+.collapse .list-group-item:last-child {
+  border-bottom: none; }
+ul.nav > li.dropdown > ul.dropdown-menu > li > a {
+  padding: 3px 10px; }
+ section.page-content-main ul + div.tab-content { /* Umrandung Tab-Navigation */
+  border: 1px solid var(--stdborderprimary) !important; 
+  outline: 0;
+  -webkit-box-shadow: (--btnshadow1), var(--btnshadow2);
+  box-shadow: (--btnshadow1), var(--btnshadow2); }
+  
+.nav-tabs {
+  margin-right: 1px;
+  border-bottom: 1px solid transparent; }
+.nav-tabs > li {
+  border-radius: 0px;
+  border-top-right-radius: 10px;
+  margin-right: 2px; }
+.nav-tabs > li > a { /* Tab-Navigation inaktive Reiter */
+  color: var(--navtabforeinactive);
+  background: var(--navtabbackinactive);
+  border-right: 1px solid var(--navtabborderinactive);
+  border-top: 1px solid var(--navtabborderinactive);
+  border-left: 1px solid var(--navtabborderinactive);
+  border-bottom: 1px solid var(--navtabborderinactive);
+  border-radius: 0px;
+  border-top-right-radius: 10px;
+  margin-right: 0px; }
+.nav-tabs > li > a:hover,
+.nav-tabs > li > a:focus {
+  color: var(--navtabforehover); 
+  background: var(--navtabbackhover);
+  border-right: 1px solid var(--navtabborderhover);
+  border-top: 1px solid var(--navtabborderhover);
+  border-left: 1px solid var(--navtabborderhover);
+  border-bottom: var(--navtabborderhover);
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2);}
+
+.nav-tabs > li.active > a, /* Tab-Navigation aktiver Reiter */
+.nav-tabs > li.active > a:hover,
+.nav-tabs > li.active > a:focus {
+  color: var(--navtabforeactive);
+  background: var(--navtabbackactive) !important; 
+  border-right: 1px solid var(--navtabborderactive);
+  border-top: 1px solid var(--navtabborderactive);
+  border-left: 1px solid var(--navtabborderactive);
+  border-bottom: 1px solid var(--navtabborderactive); 
+  border-radius: 0px; 
+  border-top-right-radius: 10px; 
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2); }
+.nav-tabs > li > a.visible-lg-inline-block:not(.pull-right) {
+  background-color: var(--navtabbackactive);
+  color: var(--navtabforeactive);
+  border-right: 1px var(--navtabborderactive);
+  border-color: 1px var(--navtabborderactive); 
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2);}
+
+.nav-tabs > li > a.visible-lg-inline-block.pull-right {
+  background-color: var(--navtabbackactive);
+  color: var(--navtabforeactive);
+  border-color: 1px solid var(--navtabborderactive); 
+  outline: 0;
+  -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
+  box-shadow: var(--btnshadow1), var(--btnshadow2);}
+
+.nav-tabs.nav-justified {
+  border-right: 1px solid var(--stdborder50bright); }
+.nav-tabs.nav-justified > li {
+  border-bottom: 1px solid var(--stdborder50bright);
+  border-top: 1px solid var(--stdborder50bright);
+  border-left: 1px solid var(--stdborder50bright);
+  border-radius: 0px;
+  background: var(--navtabbackinactive); }
+.nav-tabs.nav-justified > li > a {
+  color: var(--navtabforeactive);
+  border-bottom: var(--navtabborderactive);
+  font-family: "SourceSansProSemibold"; }
+@media (min-width: 768px) {
+  .nav-tabs.nav-justified > li > a {
+    border-bottom: 1px solid var(--stdborderfore);
+  }
+}
+@media (max-width: 767px) {
+  .nav-tabs.nav-justified > li.active > a {
+    border-right: 0 !important;
+  }
+}
+
+@media (min-width: 768px) {
+  > li.active + li > a {
+    border-left: 1px solid transparent;
+  }
+}
+
+> li:last-child > a {
+  border-right: 1px solid transparent !important; }
+@media (max-width: 767px) {
+  > li:last-child > a {
+    margin-bottom: 0;
+  }
+}
+
+.btn .glyphicon {
+  vertical-align: -1px; }
+.btn-default .glyphicon {
+  color: var(--pfore); }
+table {
+  width: 100%; }
+.table {
+  margin-bottom: 0px !important; }
+.nav-tabs-justified .nav-tabs.nav-justified > .active > a:focus, .nav-tabs.nav-justified .nav-tabs.nav-justified > .active > a:focus {
+  border: 0px !important; }
+.table th, strong, b {
+  font-family: "SourceSansProSemibold";
+  font-weight: normal; }
+.table > tbody > tr > td:last-child {
+  padding-right: 15px; }
+/* helpers */
+.__nowrap {
+  white-space: nowrap; }
+.__nomb {
+  margin-bottom: 0; }
+.__mb {
+  margin-bottom: 15px; }
+.__mt {
+  margin-top: 15px; }
+.__ml {
+  margin-left: 15px; }
+.__mr {
+  margin-right: 15px; }
+.__iconspacer {
+  padding-right: 10px; }
+#mainmenu .glyphicon {
+  vertical-align: -2px; }
+.list-group-item {
+  overflow: hidden;
+  text-overflow: ellipsis; }
+.list-group-item + div.collapse {
+  margin-bottom: -1px; }
+.list-group-item + div > a {
+  padding-left: 44px; }
+.list-group-item:before {
+  background: var(--warning);
+  content: "";
+  height: 42px;
+  min-height: 100%;
+  left: 0;
+  position: absolute;
+  top: 0px;
+  width: 0;
+  -webkit-transition: width 0.2s;
+  -moz-transition: width 0.2s;
+  -o-transition: width 0.2s;
+  transition: width 0.2s; }
+.list-group-submenu a {
+  padding-left: 56px; }
+.active-menu-title, .active-menu a { /* Seitenleiste, aktives Menü */
+  background-color: var(--sdbaractback);
+  text-decoration: none;
+  position: relative; }
+  .active-menu-title:before, .active-menu a:before {
+    width: 3px; }
+  .list-group-item.active-menu-title, .active-menu-title.active, .active-menu a.active {
+  color: var(--navbarinversefore);
+  background-color: var(--navbarinverse); }   /* sidebar active menu */
+.active-menu a:before {
+  background: var(--navbaractivebefore); /*sidebar active before */}
+.alert.alert-danger {
+  color: var(--danger) !important; }
+.nav-tabs-justified > li > a, .nav-tabs.nav-justified > li > a {
+  border-radius: 0 !important; }
+.navbar-brand {
+  padding: 10px 20px; }
+.label-opnsense {
+  /* emulates btn */
+  border: 1px solid transparent;
+  display: inline-block;
+  vertical-align: middle;
+  font-size: 12px;
+  line-height: 1.5;
+  border-radius: 3px; }
+.label-opnsense-sm {
+  /* emulates btn-sm */
+  padding: 5px 10px; }
+.label-opnsense-xs,
+.btn-xs,
+.btn-group-xs > .btn {
+  /* emulates btn-xs */
+  padding: 1px 3px; }
+::-webkit-scrollbar {
+  width: 8px; }
+::-webkit-scrollbar-button {
+  background: var(--scbarbutton);
+  width: 8px;
+  height: 0px; }
+::-webkit-scrollbar-track {
+  background: var(--pageback);
+  box-shadow: 0px 0px 0px;
+  border-radius: 0; }
+::-webkit-scrollbar-thumb {
+  background: var(--scbar);
+  border: thin solid var(--scbarborder);
+  border-radius: 0px; }
+::-webkit-scrollbar-thumb:hover {
+  background: var(--scbarhover); }
+.widgetdiv {
+  padding-top: 0px !important;
+  padding-bottom: 20px; }
+select {
+  overflow: hidden;
+  border: 1px solid var(--stdborder);
+  -webkit-appearance: none;
+  -moz-appearance: none;
+  appearance: none;
+  cursor: pointer;
+  background-repeat: no-repeat;
+  background-position: right;
+  background-image: url(/ui/themes/flexcolor/build/images/caret.png) !important; }
+#grid-log th[data-column-id=__timestamp__],
+#filter-log-entries th[data-column-id=__timestamp__] {
+  min-width: 3.5em; }
+@media screen and (max-width: 767px) {
+  .table-responsive {
+    margin-bottom: 0;
+  }
+  .table-responsive > .table > thead > tr > th,
+.table-responsive > .table > thead > tr > td,
+.table-responsive > .table > tbody > tr > th,
+.table-responsive > .table > tbody > tr > td,
+.table-responsive > .table > tfoot > tr > th,
+.table-responsive > .table > tfoot > tr > td {
+    white-space: normal;
+  }
+}
+
+label > input[type=checkbox],
+label > input[type=radio] {
+  margin-right: 0.4em;
+  float: left; }
+div[data-for*=help_for] {
+  padding-top: 0.4em; }
+#log-settings label[for^=act] {
+  margin-right: 1.5em; }
+#log-settings table > tbody > tr > td {
+  vertical-align: middle; }
+#log-settings select#filterlogentries,
+#log-settings select#filterlogentriesupdateinterval {
+  width: 5em; }
+#log-settings select#filterlogentriesinterfaces {
+  min-width: 100%;
+  max-width: 100%; }
+/* fields in firewall schedule */
+[data-state=lightcoral] {
+  background-color: var(--danger); }
+[data-state=white] {
+  background-color: transparent; }
+[data-state=red] {
+  background-color: var(--warning); }
+.tokens-container {
+  margin-top: 0px;
+  margin-bottom: 0px; }
+.bootstrap-dialog-body {
+  padding: 15px; }
+#OPNsenseStdWaitDialog div.modal-body {
+  padding: 15px; }
+.modal-body {
+  max-height: calc(100vh - 265px);
+  overflow-y: auto; }
+.modal-footer {
+  padding: 15px; }
+.bootgrid-table th > .column-header-anchor {
+  color: var(--pfore) !important; }
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:hover,
+.bootgrid-header .actionBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus,
+.bootgrid-footer .infoBar .btn-group > .btn-group .dropdown-menu .dropdown-item:focus {
+  color: var(--pfore); }
+.state_text {
+  color: var(--info); }
+div.tab-content.content-box {
+  border-top: 1px solid var(--stdborderfore); }
+ul.jqtree-tree .jqtree-title {
+  color: var(--info) !important; }
+ul.jqtree-tree .jqtree-toggler {
+  color: var(--pagefore) !important; }
+.nvtooltip {
+  color: var(--pfore) !important; }
+.diff_record_default {
+  color: var(--pfore) !important; }
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/nv.d3.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/nv.d3.css
new file mode 100644
index 0000000000..356c1eff1f
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/nv.d3.css
@@ -0,0 +1,649 @@
+/* nvd3 version 1.8.6 (https://github.com/novus/nvd3) 2017-08-23 */
+@import url('default_scheme.css');
+.nvd3 .nv-axis {
+    pointer-events:none;
+    opacity: 1;
+	fill: var(--graphfore);
+}
+
+.nvd3 .nv-axis path {
+    fill: none;
+    stroke: var(--graphfore);
+    stroke-opacity: .20;
+    shape-rendering: crispEdges;
+}
+
+.nvd3 .nv-axis path.domain {
+    stroke-opacity: .10;
+}
+
+.nvd3 .nv-axis.nv-x path.domain {
+    stroke-opacity: 0;
+}
+
+.nvd3 .nv-axis line {
+    fill: none;
+    stroke: var(--graphfore);
+    stroke-opacity: .20;
+    shape-rendering: crispEdges;
+}
+
+.nvd3 .nv-axis .zero line,
+    /*this selector may not be necessary*/ .nvd3 .nv-axis line.zero {
+    stroke-opacity: .20;
+}
+
+.nvd3 .nv-axis .nv-axisMaxMin text {
+    font-weight: bold;
+}
+
+.nvd3 .x  .nv-axis .nv-axisMaxMin text,
+.nvd3 .x2 .nv-axis .nv-axisMaxMin text,
+.nvd3 .x3 .nv-axis .nv-axisMaxMin text {
+    text-anchor: middle;
+}
+
+.nvd3 .nv-axis.nv-disabled {
+    opacity: 0;
+}
+
+.nvd3 .nv-bars rect {
+    fill-opacity: .50;
+
+    transition: fill-opacity 250ms linear;
+}
+
+.nvd3 .nv-bars rect.hover {
+    fill-opacity: 1;
+}
+
+.nvd3 .nv-bars .hover rect {
+    fill: lightblue;
+}
+
+.nvd3 .nv-bars text {
+    fill: rgba(0,0,0,0);
+}
+
+.nvd3 .nv-bars .hover text {
+    fill: rgba(0,0,0,1);
+}
+
+.nvd3 .nv-multibar .nv-groups rect,
+.nvd3 .nv-multibarHorizontal .nv-groups rect,
+.nvd3 .nv-discretebar .nv-groups rect {
+    stroke-opacity: 0;
+    transition: fill-opacity 250ms linear;
+}
+
+.nvd3 .nv-multibar .nv-groups rect:hover,
+.nvd3 .nv-multibarHorizontal .nv-groups rect:hover,
+.nvd3 .nv-candlestickBar .nv-ticks rect:hover,
+.nvd3 .nv-discretebar .nv-groups rect:hover {
+    fill-opacity: 1;
+}
+
+.nvd3 .nv-discretebar .nv-groups text,
+.nvd3 .nv-multibarHorizontal .nv-groups text {
+    font-weight: bold;
+    fill: rgba(0,0,0,1);
+    stroke: rgba(0,0,0,0);
+}
+
+/* boxplot CSS */
+.nvd3 .nv-boxplot circle {
+  fill-opacity: 0.5;
+}
+
+.nvd3 .nv-boxplot circle:hover {
+  fill-opacity: 1;
+}
+
+.nvd3 .nv-boxplot rect:hover {
+  fill-opacity: 1;
+}
+
+.nvd3 line.nv-boxplot-median {
+  stroke: black;
+}
+
+.nv-boxplot-tick:hover {
+  stroke-width: 2.5px;
+}
+/* bullet */
+.nvd3.nv-bullet { font: 10px sans-serif; }
+.nvd3.nv-bullet .nv-measure { fill-opacity: .8; }
+.nvd3.nv-bullet .nv-measure:hover { fill-opacity: 1; }
+.nvd3.nv-bullet .nv-marker { stroke: #000; stroke-width: 2px; }
+.nvd3.nv-bullet .nv-markerTriangle { stroke: #000; fill: #fff; stroke-width: 1.5px; }
+.nvd3.nv-bullet .nv-markerLine { stroke: #000; stroke-width: 1.5px; }
+.nvd3.nv-bullet .nv-tick line { stroke: #666; stroke-width: .5px; }
+.nvd3.nv-bullet .nv-range.nv-s0 { fill: #eee; }
+.nvd3.nv-bullet .nv-range.nv-s1 { fill: #ddd; }
+.nvd3.nv-bullet .nv-range.nv-s2 { fill: #ccc; }
+.nvd3.nv-bullet .nv-title { font-size: 14px; font-weight: bold; }
+.nvd3.nv-bullet .nv-subtitle { fill: #999; }
+
+.nvd3.nv-bullet .nv-range {
+    fill: #bababa;
+    fill-opacity: .4;
+}
+
+.nvd3.nv-bullet .nv-range:hover {
+    fill-opacity: .7;
+}
+
+.nvd3.nv-candlestickBar .nv-ticks .nv-tick {
+    stroke-width: 1px;
+}
+
+.nvd3.nv-candlestickBar .nv-ticks .nv-tick.hover {
+    stroke-width: 2px;
+}
+
+.nvd3.nv-candlestickBar .nv-ticks .nv-tick.positive rect {
+    stroke: #2ca02c;
+    fill: #2ca02c;
+}
+
+.nvd3.nv-candlestickBar .nv-ticks .nv-tick.negative rect {
+    stroke: #d62728;
+    fill: #d62728;
+}
+
+.with-transitions .nv-candlestickBar .nv-ticks .nv-tick {
+    transition: stroke-width 250ms linear, stroke-opacity 250ms linear;
+}
+
+.nvd3.nv-candlestickBar .nv-ticks line {
+    stroke: #333;
+}
+
+.nv-force-node {
+    stroke: #fff;
+    stroke-width: 1.5px;
+}
+
+.nv-force-link {
+    stroke: #999;
+    stroke-opacity: .6;
+}
+
+.nv-force-node text {
+    stroke-width: 0px;
+}
+
+.nvd3 .nv-legend .nv-disabled rect {
+    /*fill-opacity: 0;*/
+}
+
+.nvd3 .nv-check-box .nv-box {
+    fill-opacity:0;
+    stroke-width:2;
+}
+
+.nvd3 .nv-check-box .nv-check {
+    fill-opacity:0;
+    stroke-width:4;
+}
+
+.nvd3 .nv-series.nv-disabled .nv-check-box .nv-check {
+    fill-opacity:0;
+    stroke-opacity:0;
+}
+
+.nvd3 .nv-controlsWrap .nv-legend .nv-check-box .nv-check {
+    opacity: 0;
+    stroke-width: 1;
+    fill: var(--nv3daxis);
+    stroke: var(--nv3daxis);
+}
+
+/* line plus bar */
+.nvd3.nv-linePlusBar .nv-bar rect {
+    fill-opacity: .50;
+}
+
+.nvd3.nv-linePlusBar .nv-bar rect:hover {
+    fill-opacity: 1;
+}
+.nvd3 .nv-groups path.nv-line {
+    fill: none;
+}
+
+.nvd3 .nv-groups path.nv-area {
+    stroke: none;
+}
+
+.nvd3.nv-line .nvd3.nv-scatter .nv-groups .nv-point {
+    fill-opacity: 0;
+    stroke-opacity: 0;
+}
+
+.nvd3.nv-scatter.nv-single-point .nv-groups .nv-point {
+    fill-opacity: .5 !important;
+    stroke-opacity: .5 !important;
+}
+
+
+.with-transitions .nvd3 .nv-groups .nv-point {
+    transition: stroke-width 250ms linear, stroke-opacity 250ms linear;
+}
+
+.nvd3.nv-scatter .nv-groups .nv-point.hover,
+.nvd3 .nv-groups .nv-point.hover {
+    stroke-width: 7px;
+    fill-opacity: .95 !important;
+    stroke-opacity: .95 !important;
+}
+.nvd3 .nv-point-paths path {
+    stroke: #aaa;
+    stroke-opacity: 0;
+    fill: #eee;
+    fill-opacity: 0;
+}
+.nvd3 .nv-indexLine {
+    cursor: ew-resize;
+}
+
+/********************
+ * SVG CSS
+ */
+
+/********************
+  Default CSS for an svg element nvd3 used
+*/
+svg.nvd3-svg {
+    -webkit-user-select: none;
+       -moz-user-select: none;
+        -ms-user-select: none;
+            user-select: none;
+    display: block;
+    width:100%;
+    height:100%;
+}
+
+/********************
+  Box shadow and border radius styling
+*/
+.nvtooltip.with-3d-shadow, .with-3d-shadow .nvtooltip {
+	background-color: rgb(32, 32, 32);
+	color: rgba(0,0,0,1.0);
+	border: 1px solid rgb(255, 127, 14);
+}
+
+.nvd3 text {
+  font: normal 12px Arial, sans-serif;
+	fill: var(--graphfore);
+}
+
+.nvd3 .title {
+  font: bold 14px Arial, sans-serif;
+}
+
+.nvd3 .nv-background {
+  fill: white;
+  fill-opacity: 0;
+}
+
+.nvd3.nv-noData {
+  font-size: 18px;
+  font-weight: bold;
+	fill: var(--graphfore);
+}
+
+
+/**********
+*  Brush
+*/
+
+.nv-brush .extent {
+    fill-opacity: .125;
+    shape-rendering: crispEdges;
+}
+
+.nv-brush .resize path {
+    fill: #eee;
+    stroke: #666;
+}
+
+
+/**********
+*  Legend
+*/
+
+.nvd3 .nv-legend .nv-series {
+    cursor: pointer;
+}
+
+/* .nv-controlsWrap.nvd3-svg circle.nv-legend-symbol {
+  stroke-width: 1 !important;
+  fill: rgb(255, 255, 255) !important;
+  stroke: rgb(231, 231, 231) !important;
+}*//
+
+.nvd3 .nv-legend .nv-disabled circle {
+    fill-opacity: 0;
+}
+
+/* focus */
+.nvd3 .nv-brush .extent {
+    fill-opacity: 0 !important;
+}
+
+.nvd3 .nv-brushBackground rect {
+    stroke: var(--graphback);
+    stroke-width: .4;
+    fill: var(--graphfore);
+    fill-opacity: .7;
+}
+
+/**********
+*  Print
+*/
+
+@media print {
+    .nvd3 text {
+        stroke-width: 0;
+        fill-opacity: 1;
+    }
+}
+
+.nvd3.nv-ohlcBar .nv-ticks .nv-tick {
+    stroke-width: 1px;
+}
+
+.nvd3.nv-ohlcBar .nv-ticks .nv-tick.hover {
+    stroke-width: 2px;
+}
+
+.nvd3.nv-ohlcBar .nv-ticks .nv-tick.positive {
+    stroke: #2ca02c;
+}
+
+.nvd3.nv-ohlcBar .nv-ticks .nv-tick.negative {
+    stroke: #d62728;
+}
+
+
+.nvd3 .background path {
+    fill: none;
+    stroke: #EEE;
+    stroke-opacity: .4;
+    shape-rendering: crispEdges;
+}
+
+.nvd3 .foreground path {
+    fill: none;
+    stroke-opacity: .7;
+}
+
+.nvd3 .nv-parallelCoordinates-brush .extent {
+    fill: #fff;
+    fill-opacity: .6;
+    stroke: gray;
+    shape-rendering: crispEdges;
+}
+
+.nvd3 .nv-parallelCoordinates .hover  {
+    fill-opacity: 1;
+    stroke-width: 3px;
+}
+
+
+.nvd3 .missingValuesline line {
+  fill: none;
+  stroke: black;
+  stroke-width: 1;
+  stroke-opacity: 1;
+  stroke-dasharray: 5, 5;
+}
+
+.nvd3.nv-pie path {
+    stroke-opacity: 0;
+    transition: fill-opacity 250ms linear, stroke-width 250ms linear, stroke-opacity 250ms linear;
+}
+
+.nvd3.nv-pie .nv-pie-title {
+    font-size: 24px;
+    fill: rgba(19, 196, 249, 0.59);
+}
+
+.nvd3.nv-pie .nv-slice text {
+    stroke: var(--highlighted);
+    stroke-width: 0;
+}
+
+.nvd3.nv-pie path {
+    stroke: var(--highlighted);
+    stroke-width: 1px;
+    stroke-opacity: 0.6;
+}
+
+.nvd3.nv-pie path {
+    fill-opacity: .7;
+}
+
+.nvd3.nv-pie .hover path {
+    fill-opacity: 1;
+}
+
+.nvd3.nv-pie .nv-label {
+    pointer-events: none;
+}
+
+.nvd3.nv-pie .nv-label rect {
+    fill-opacity: 0;
+    stroke-opacity: 0;
+}
+
+/* scatter */
+.nvd3 .nv-groups .nv-point.hover {
+    stroke-width: 20px;
+    stroke-opacity: .5;
+}
+
+.nvd3 .nv-scatter .nv-point.hover {
+    fill-opacity: 1;
+}
+
+.nv-noninteractive {
+    pointer-events: none;
+}
+
+.nv-distx, .nv-disty {
+    pointer-events: none;
+}
+
+/* sparkline */
+.nvd3.nv-sparkline path {
+    fill: none;
+}
+
+.nvd3.nv-sparklineplus g.nv-hoverValue {
+    pointer-events: none;
+}
+
+.nvd3.nv-sparklineplus .nv-hoverValue line {
+    stroke: #333;
+    stroke-width: 1.5px;
+}
+
+.nvd3.nv-sparklineplus,
+.nvd3.nv-sparklineplus g {
+    pointer-events: all;
+}
+
+.nvd3 .nv-hoverArea {
+    fill-opacity: 0;
+    stroke-opacity: 0;
+}
+
+.nvd3.nv-sparklineplus .nv-xValue,
+.nvd3.nv-sparklineplus .nv-yValue {
+    stroke-width: 0;
+    font-size: .9em;
+    font-weight: normal;
+}
+
+.nvd3.nv-sparklineplus .nv-yValue {
+    stroke: #f66;
+}
+
+.nvd3.nv-sparklineplus .nv-maxValue {
+    stroke: #2ca02c;
+    fill: #2ca02c;
+}
+
+.nvd3.nv-sparklineplus .nv-minValue {
+    stroke: #d62728;
+    fill: #d62728;
+}
+
+.nvd3.nv-sparklineplus .nv-currentValue {
+    font-weight: bold;
+    font-size: 1.1em;
+}
+/* stacked area */
+.nvd3.nv-stackedarea path.nv-area {
+    fill-opacity: .7;
+    stroke-opacity: 0;
+    transition: fill-opacity 250ms linear, stroke-opacity 250ms linear;
+}
+
+.nvd3.nv-stackedarea path.nv-area.hover {
+    fill-opacity: .9;
+}
+
+
+.nvd3.nv-stackedarea .nv-groups .nv-point {
+    stroke-opacity: 0;
+    fill-opacity: 0;
+}
+
+.nvtooltip {
+    position: absolute;
+	  background-color: var(--graphback);
+	  color: rgba(0,0,0,1.0);
+	  border: 1px solid var(--stdborder);
+    padding: 1px;
+    z-index: 10000;
+    display: block;
+    font-family: Arial, sans-serif;
+    font-size: 13px;
+    text-align: left;
+    pointer-events: none;
+    white-space: nowrap;
+    -webkit-user-select: none;
+       -moz-user-select: none;
+        -ms-user-select: none;
+            user-select: none;
+}
+
+/*Give tooltips that old fade in transition by
+    putting a "with-transitions" class on the container div.
+*/
+.nvtooltip.with-transitions, .with-transitions .nvtooltip {
+    transition: opacity 50ms linear;
+    transition-delay: 200ms;
+}
+
+.nvtooltip.x-nvtooltip,
+.nvtooltip.y-nvtooltip {
+    padding: 8px;
+}
+
+.nvtooltip h3 {
+    margin: 0;
+    padding: 4px 14px;
+    line-height: 18px;
+    font-weight: normal;
+    background-color: rgba(247,247,247,0.50);
+    color: rgba(0,0,0,1.0);
+    text-align: center;
+    border-bottom: 1px solid #ebebeb;
+    border-radius: 5px 5px 0 0;
+}
+
+.nvtooltip p {
+    margin: 0;
+    padding: 5px 14px;
+    text-align: center;
+}
+
+.nvtooltip span {
+    display: inline-block;
+    margin: 2px 0;
+}
+
+.nvtooltip table {
+    margin: 0;
+    border-spacing:0;
+    background-color: var(--graphback);
+    padding: 6px;
+}
+
+
+.nvtooltip table td {
+    padding: 2px 9px 2px 0;
+    vertical-align: middle;
+}
+
+.nvtooltip table td.key {
+    font-weight: normal;
+}
+
+.nvtooltip table td.key.total {
+    font-weight: bold;
+}
+
+.nvtooltip table td.value {
+    text-align: right;
+    font-weight: bold;
+}
+
+.nvtooltip table td.percent {
+    color: darkgray;
+}
+
+.nvtooltip table tr.highlight td {
+    padding: 1px 9px 1px 0;
+    border-bottom-style: solid;
+    border-bottom-width: 1px;
+    border-top-style: solid;
+    border-top-width: 1px;
+}
+
+.nvtooltip table td.legend-color-guide div {
+    width: 8px;
+    height: 8px;
+    vertical-align: middle;
+}
+
+.nvtooltip table td.legend-color-guide div {
+    width: 12px;
+    height: 12px;
+    border: 1px solid #999;
+}
+
+.nvtooltip .footer {
+    padding: 3px;
+    text-align: center;
+}
+
+.nvtooltip-pending-removal {
+    pointer-events: none;
+    display: none;
+}
+
+
+/****
+Interactive Layer
+*/
+.nvd3 .nv-interactiveGuideLine {
+    pointer-events:none;
+}
+
+.nvd3 line.nv-guideline {
+    stroke: #ccc;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/opnsense-bootgrid.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/opnsense-bootgrid.css
new file mode 100644
index 0000000000..4fade7d53c
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/opnsense-bootgrid.css
@@ -0,0 +1,335 @@
+/**
+* Main theming elements
+*/
+@import url('default_scheme.css');
+.tabulator {
+  font-size: 15px;
+  background-color: transparent;
+  border: none;
+  border-top: 1px solid var(--tbborder);
+}
+
+/* theme: header */
+.tabulator .tabulator-header {
+  background-color: transparent;
+  border-bottom: none;
+  border-left: 1px solid var(--tbborder);
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  border-right: 1px solid var(--tbborder);
+  background-color: var(--tbheadback);
+  color: var(--tbheadfore);
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover {
+  background-color: var(--tbheadbackhover);
+}
+.tabulator .tabulator-headers {
+  height: 100% !important; /* make sure the border below appears */
+  border-bottom: 1px solid var(--tbborder);
+}
+
+/*------------*/
+/* theme: body */
+.tabulator .tabulator-tableholder .tabulator-table {
+  background-color: var(--tbbodybackhover);
+  border-left: 1px solid var(--tbbordertable);
+}
+
+.tabulator-row
+{
+    background-color: var(--tbbodybackhover);
+    border: 1px solid var(--tbbordertable);
+}
+
+.tabulator-row.tabulator-row-odd {
+  color: var(--tbrowforeodd);
+  background-color: var(--tbrowbackodd);
+}
+
+.tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected) {
+  color: var(--tbrowforeodd);
+  background-color: var(--tbrowbackodd);
+}
+
+.tabulator-row.tabulator-row-even {
+  color: var(--tbrowforeeven);
+  background-color: var(--tbrowbackeven);
+}
+
+.tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected) {
+  color: var(--tbrowforeeven);
+  background-color: var(--tbrowbackeven);
+}
+
+.tabulator .tabulator-tableholder {
+  background-color: var(--tbfback);
+}
+
+.tabulator-row.tabulator-selected {
+  background-color: var(--tbheadbackhover);
+}
+
+.tabulator-row.tabulator-selected:hover {
+  cursor: pointer;
+  background-color: var(--tbheadbackhover);
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  color: var(--warning); /* spinner icon */
+}
+
+/* Command column styles */
+.tabulator-col.tabulator-frozen.tabulator-frozen-right {
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right {
+}
+
+/* Tabulator groupBy row styles */
+.tabulator-row.tabulator-group
+{
+    border: none;
+    pointer-events: none;
+}
+
+    .tabulator-row.tabulator-group span
+    {
+        margin-left: 0;
+        color: var(--tbrowforeodd);
+    }
+
+.tabulator-row .badge.chip
+{
+    background-color: var(--dfbtnbackbadge);
+    color: var(--dfbtnforebadge);
+    font-size: 10px;
+    padding: 2px 4px;
+    position: relative;
+    top: -1px;
+}
+
+.tabulator-row.tabulator-group .tabulator-group-toggle,
+.tabulator-row.tabulator-group .tabulator-group-toggle *
+{
+    pointer-events: auto;
+}
+
+.tabulator-row.tabulator-group:has(> .tabulator-group-toggle:only-child)
+{
+    display: none; /* Trick to hide empty groupBy header rows */
+}
+
+/* Checkbox column styles */
+.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid var(--tbborder); /* separates checkbox column from table rows */
+  border-left: 1px solid var(--tbborder);
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid var(--tbborder);
+  border-top: 1px solid var(--tbborder);
+  border-bottom: 1px solid var(--tbborder);
+  border-left: 1px solid var(--tbborder);
+}
+
+.tabulator-col.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+}
+
+.tabulator-cell.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+}
+
+/*------------*/
+/* theme: cells */
+.tabulator-row .tabulator-cell {
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  line-height: 1.2;
+  vertical-align: top;
+  border-bottom: 1px solid var(--tbborder);
+  border-right: 1px solid var(--tbborder);
+}
+
+/*-------------*/
+/* theme: footer */
+.tabulator .tabulator-footer {
+  border-top: none;
+  background-color: var(--tbfback);
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  color: var(--tffore);
+  background-color: var(--tfback);
+  border: 1px solid var(--tfborder);
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  border-radius: 0px;
+  margin: 0px;
+  padding: 6px 12px;}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled):hover {
+  color: var(--tfforehover);
+  background-color: var(--tfbackhover);
+  border-color: var(--tfborderhover);
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled).active:hover {
+  color: var(--tfforeactivehover);
+  background-color: var(--tfbackactivehover);
+  border-color: var(--tfborderactivehover);
+  cursor: default;
+}
+
+.tabulator .tabulator-footer .tabulator-page.active {
+  color: var(--tfforeactive);
+  background-color: var(--tfbackactive);
+  border-color: var(--tfborderactive);
+  cursor: default;
+}
+.tabulator-page-counter {
+  color: var(--tbheadfore);
+}
+
+.tabulator .tabulator-footer .tabulator-paginator {
+  color: var(--tffore);
+}
+/*----------*/
+/* end of main theming elements */
+.tabulator-paginator {
+  flex: 0 !important;
+  background-color: var(--tbfback);
+}
+
+.tabulator-page-counter {
+  flex: 1;
+  text-align: right;
+}
+
+.tabulator-col-sorter i {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  padding: 5px;
+}
+
+.tabulator .tabulator-headers > :first-child {
+  padding-left: 10px;
+}
+
+.opnsense-bootgrid-responsive {
+  white-space: wrap !important;
+  text-overflow: inherit !important;
+  overflow: visible !important;
+  word-break: break-word !important;
+}
+
+.opnsense-bootgrid-ellipsis {
+  overflow: hidden !important;
+  white-space: nowrap !important;
+  text-overflow: ellipsis !important;
+}
+
+.tabulator-row > :first-child {
+  padding-left: 10px;
+}
+
+.tabulator .tabulator-header .tabulator-col .tabulator-col-content {
+  padding: 0px;
+}
+
+.tabulator-page-counter {
+  padding-right: 20px;
+}
+
+.bootgrid-footer-commands {
+  width: 90px;
+  padding-left: 8px;
+}
+
+.tabulator-tableholder::after {
+  content: "";
+  display: block;
+  width: 1px;
+  height: 1px;
+  min-width: 100%;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:first-child {
+  border-bottom-left-radius: 3px;
+  border-top-left-radius: 3px;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:last-child {
+  border-bottom-right-radius: 3px;
+  border-top-right-radius: 3px;
+}
+
+/* border line corrections and hover/selection behavior */
+.tabulator-row:first-child > .tabulator-cell {
+  border-top: none;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title {
+  padding: 0px;
+}
+
+/* Row highlight behavior */
+@keyframes highlight {
+  0% {
+    background: var(--stdborder);
+  }
+  100% {
+    background: none;
+  }
+}
+.highlight-bg {
+  animation: highlight 2s;
+}
+
+/* Tabulator "loading" and "error" overrides */
+.tabulator .tabulator-alert {
+  background: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  border: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg {
+  background: initial;
+  font-size: 18px;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error {
+  border: none;
+}
+
+.bootgrid-placeholder {
+    font-size: 15px;
+    text-align: center;
+    white-space: normal;
+    font-weight: 400;
+    margin: 10px;
+}
+
+.bootgrid-overlay {
+    position: absolute;
+    top: 0;
+    left: 0;
+    right: 0;
+    bottom: 0;
+    background: var(--tbheadbackhover);
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    z-index: 99;
+}
+.overlay > i {
+    font-size: 20px;
+    color: var(--tbheadfore);
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css
new file mode 100644
index 0000000000..b87bbd9379
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css
@@ -0,0 +1,174 @@
+@import url('default_scheme.css');
+.tokenize > .tokens-container {
+  position: relative;
+  list-style: none;
+  padding: 0 0 5px 5px;
+  height: auto;
+  min-height: 34px;
+  cursor: text;
+  border-radius: 3px;
+  border: 1px solid var(--txtboxborder);
+  background-color: var(--txtboxback); 
+  color: var(--txtboxfore);
+}
+
+.tokenize > .tokens-container.disabled {
+  background-color: var(--txtboxbackdisabled);
+  cursor: not-allowed;
+}
+
+.tokenize.focus > .tokens-container {
+  outline: 0;
+  border-color:var(--txtboxborderhover);
+  background-color:var(--txtboxbackhover);
+  -webkit-box-shadow: none;
+  box-shadow: none;
+}
+
+.tokenize > .tokens-container.input-sm {
+  padding: 0 0 4px 4px;
+  min-height: 30px;
+}
+
+.tokenize > .tokens-container.input-lg {
+  padding: 0 0 9px 9px;
+  min-height: 46px;
+}
+
+.tokenize > .tokens-container > .token {
+  padding: 0 1.2em 0 5px;
+  background-color: var(--txtboxbacktoken);
+  -webkit-border-radius: 2px;
+  -moz-border-radius: 2px;
+  border-radius: 2px;
+  border: 1px solid var(--txtboxbordertoken);
+}
+
+.tokenize > .tokens-container > .token,
+.tokenize > .tokens-container > .placeholder,
+.tokenize > .tokens-container > .token-search {
+  display: inline-block;
+  margin: 5px 5px 0 0;
+  position: relative;
+  vertical-align: middle;
+}
+
+.tokenize.sortable > .tokens-container > .token {
+  cursor: move;
+}
+
+.tokenize.single > .tokens-container > .token {
+  display: block;
+  border-color: var(--txtboxbordertoken);
+}
+
+.tokenize.sortable > .tokens-container > .token.shadow {
+  border-color: var(--txtboxbordertoken);
+  background-color: var(--txtboxbacktoken);
+  filter: alpha(opacity=50);
+  opacity: .2;
+}
+
+.tokenize > .tokens-container > .placeholder {
+  color:var(--txtboxforedisabled);
+  padding: 0;
+}
+
+.tokenize > .tokens-container > .token-search {
+  color:var(--txtboxforetoken);
+  padding: 0;
+}
+
+.tokenize > .tok01Fens-container:focus,
+.tokenize > .tokens-container:hover {
+  border-color: var(--txtboxborderhover);
+  background-color: var(--txtboxbackhover);
+}
+
+.tokenize > .tokens-container > .token-search > input {
+  padding: 0;
+  margin: 0;
+  line-height: 1em;
+  border:none;
+  outline: none;
+  width: 100%;
+  background-color: transparent;
+}
+
+.tokenize > .tokens-container > .token-search > input::-ms-clear {
+  display: none;
+}
+
+.tokenize > .tokens-container.input-sm > .placeholder,
+.tokenize > .tokens-container.input-sm > .token-search,
+.tokenize > .tokens-container.input-sm > .token {
+  margin: 4px 4px 0 0;
+}
+
+.tokenize > .tokens-container.input-lg > .placeholder,
+.tokenize > .tokens-container.input-lg > .token-search,
+.tokenize > .tokens-container.input-lg > .token {
+  margin: 9px 9px 0 0;
+}
+
+.tokenize > .tokens-container > .token.pending-delete {
+  background-color: var(--txtboxbackdel);
+  border-color: var(--txtboxborderdel);
+  color: var(--txtboxforedel);
+}
+
+.tokenize > .tokens-container > .token > .dismiss {
+  position: absolute;
+  right: 5px;
+  color: var(--txtboxforedismiss);
+  text-decoration: none;
+  cursor: pointer;
+}
+
+.tokenize > .tokens-container > .token > .dismiss:after {
+  content: "×";
+  color: var(--txtboxforedismiss);
+}
+
+.tokenize > .tokens-container > .token.pending-delete > .dismiss {
+  color: var(--txtboxforedismiss);
+}
+
+.tokenize-dropdown {
+  position: absolute;
+  display: none;
+}
+
+.tokenize-dropdown > .dropdown-menu {
+  min-height: 10px;
+  width: 100%;
+  display: block;
+  margin: -1px 0 0 0;
+  visibility: visible;
+  opacity: 1;
+}
+
+.tokenize-dropdown > .dropdown-menu li {
+  cursor: pointer;
+}
+
+.tokenize-dropdown > .dropdown-menu li > a .tokenize-highlight {
+  font-weight: bold;
+}
+
+.tokenize-dropdown > .dropdown-menu li.locked {
+  padding: 3px 20px;
+  color: var(--txtboxforedisabled);
+  white-space: nowrap;
+}
+
+.tokenize-dropdown > .dropdown-menu li.locked,
+.tokenize-dropdown > .dropdown-menu li > a {
+  text-overflow: ellipsis;
+  overflow-x: hidden;
+}
+
+.tokenize-dropdown > .dropdown-menu li:not(.active) a:hover,
+.tokenize-dropdown > .dropdown-menu li:not(.active) a:focus {
+  background-color: transparent;
+}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/LICENSE.SourceSansPro.txt b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/LICENSE.SourceSansPro.txt
new file mode 100644
index 0000000000..07efc6de21
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/LICENSE.SourceSansPro.txt
@@ -0,0 +1,93 @@
+Copyright 2010, 2012, 2014 Adobe Systems Incorporated (http://www.adobe.com/), with Reserved Font Name 'Source'. All Rights Reserved. Source is a trademark of Adobe Systems Incorporated in the United States and/or other countries.
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+
+This license is copied below, and is also available with a FAQ at: http://scripts.sil.org/OFL
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded,
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.eot b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.eot
new file mode 100644
index 0000000000000000000000000000000000000000..e9f423425ce4cf2be93117ca950fc6e5d39e1315
GIT binary patch
literal 112325
zcmagFRahKN7d1LFI1Dzp5AI}eCxg3taCevB@8It4?h;&ryAwQE2oO9Z0RjZi$@gEJ
z=loZv`l;SkYp-6t`=)z$@9ObRARxX22mt-tkO2Sy2n!7f2^k3lLIwi*K>q-MipC!h
zz#RC`^}pHwS}_m+{h!UtX%+aN{l6PEKpWr&@Bw%NtN=Fuh}r-PfGfc3-$>&h=Jt<_
z4v_k1odMSW#@+zEe=N^`eusaU>pvC`fC~Wow}$~l{~e+I|01yegV_ILdH+-XAJ_Mv
zkNf|yxd1`{fq#6Lf9G=gr}saO?LUw6KUK^BqsaenCIH|C@cmQyU(hW7KT$&eKQRIT
zQrhww|Myh_07ytS-N4XrU}!Y3Vux`4EMeO3o!yLsm5+CnACuL`GCnsxb*|G-$ugiX
zA7yO$YMAM(YSI!OeiAU(3kfl+P8C^C<q7%3m*JB{H~;>qnAQNH$8E(@<S>sXyhT2u
zw9Ut;wEUv=o=$2M4^2;~)7VJ$XD-n)uKG_%m$>Mg!^vJ$-S9g`{~Q=#Iuj*}^r1?a
zVTW->#c$ol<f7}=Y2aw4+HbdulHBvlG3p0$NG+eKUy9kp&G7GOCpAWM1jXZbor`jt
z2@wR2SeX11#PeeaHL^b`RH(7Wu+`S);Z5=#t5{FRN8Br+Y2tc4IQwNffqQjIYM;X8
z;BdJI0;Un$LrRm88s3KS9Ot`eWi@gN(^VRwq<J}^qzYBc<9ZazwmST}B~>S2DUwja
z+A=`*z|gYP9vzQMX$?X{*+tT2WPV%ptP%dosdo7E9ZcdS;#HK3k3prRZqIn_NVk+u
zHu;8G`Xi|-sss3{tKu+}-8hLHH#uwK8VCO+qlaCx#ao6(A;}RM((q1_VvjbRUP3oR
z7P+;zXDIjY*zKX0J(rmEU;hlb7_#&S?wqBA#-p$+4hivlQrF5+t=fH#aRxUn^8bd-
z{fJzeTs<EbH($AtzGIq#KNMN6ysHW?q|izMN7X5LVKsESiW>Js=(n3$P-&<hl4eMU
zLse_t^-AQiDkNzEl`d*2HR$Kb%aA&wmZ&kSqr7GZ!4}ZL7n{hRGw14tjeKJi4UvBz
z*ZC!_^d(RZ1?A`=-<;TIXG8-m#&lK{&pXje!esy8YxKS{;871<p5PV%8O5JE+FL$g
zI9<$N%OBnj9K<vFGr)@B_i<aqMstc$jcivF9@4a;VNF*QDQ^PWb-Y!+>*3rzSks>=
z>;;Bpx;ppMg^rp(;Tq8g*V&;B{}S=0bE>KLfD(k}6kUJhW~2c-UQl62I6ib<c+Y=|
zSs*shp*UB?OVGeq5UOYis6fCp1(!1-F+&@c8XEO?X^(ySZs+#SF_s)(6|5-%`GKWN
zug{^ygz5IB(Yi5@dHZHy8WiL+h)rVh+)4jhX>s_$?B%%O=MNJjCnBQf#TU{Rc|nO{
zf!;Y-i9*&1b!Hy6zlw$f#i_H#3B4I8TdY*Lm~l@+II8|8!Kbm0s}0ychC98Vw?&Em
z5_6m5p_q!}gI<1mFea_g!iIFAB9Ew<Ecp$Tr$9T$FABC7>9B)w!=Zw#OYlj$|2#P^
zkpHIPNO}1uTv%?or{oRgIkc<D2obmKPYZMp%>*)Eq(PLTylM|{rRc}z)kUEGz0_yw
zyW+`F60MbzPSd+T5hpn<<Y9H@DmA3y5{YQPwWIFv3RKIs<*Se>r5-K$5cYiZx!J7r
zKO33|A%paKKQAmR#ibiUT=86yfY`AZOTchhjL)e-P3Ixkz*7|E1kF`cyjx-nCAI*A
zr?@s25lX_KPs4jbuaZKK?uG=iEjUSEaO*fnH9Q>;+DKNgO8DLoRQ)cS*ytuD5V$($
z^_Ep|oIUmGo9iT*UhVO&n((w5Kbw%TVsP(QElHP+D)<4T=2Pk1l)u5@R_2t%Ih7F{
zAv#BkP`2<iL77_b1eNAmItW+&)r-gul&~zYsmNkHBE-I7RQ4Qx*XVyhU2A%xQnq~`
zL8aUukAk*4Nq??3MbG!jY%8lKzWSFLtv6;kIq{ACyHriVfTT4GZlTO(VT`QJqQCNv
z!e16xnsjk)N8vEWky~;dh&QAo$e4ANx>=eir*aB}pF7K84Qr=hbe#QqHl|9lK?(a0
zwDW@@<*P31lo3dyd$tO%lu-U%1%~>ccN!vH<j3nGk#>P=lC>{=aqE8}#%OPF<thB(
z*#Lf7IjI%_uGDP0VQmw|$`(ZdTm>pWU56>cCqD*cIyhn~zCx1MZ;Ku@+q&T8Z7l@E
zmrn_r31FRjN}Y&wBLkj5J{8>VkYxyx6;4Dwr6dno|G|mtmq*Oa<aMDk02#Yt!pHo9
z!(YW%><p5Oqp_UDH@PWJ!~lYYNU`lZx>xrqD2ut0V+Zx*?rL~%qZ+>#W;Bm5;xOKi
zhDME~tP1yEiY5>(jmrAF#<bQePTc$6a{<+nD-W*wKh{(K&TcUs$8TlO5@MTH*rLe@
zIhEb6GAq0H<OouRnKr1bMOgm?{a0ak&BI&0Bs|n+Xv2unZ2ubljT4kv)%|Y71>0sx
z;n!BTPEyq{!j(VN$V1xS|GY(GVbYI2PltDzm9h;7iJ9OAXNFxamv|5g2N5Jm!nN+t
zSif1i<z85rgQCB~bh%GKXQ+{Bueu@nYP5n==5|{}_+JMZX8UD93s*Gql-ujpMMbRw
zXn?TfsKPaB@kTV2(dxYNf<oHOEr=I%#K|4c;RktUZ0VGL)bxU2s&Y(pku6dOA&nXK
z?$?A(<!^?OtH!Oh_HLO8jU>$e{G1+x+AuM<!qhk-#qy~W<hgjXh4!?5-VYIF6#27?
z7undKvD@FbSzpw&1`2X~TYZ>EQH(Ar4a(h)n|c*rkud1AwL{bkhDdshu%&qK%p<9P
z`Y?o4zE=YS9&flAvkhQ-FwyK8QQ0rBQyB$vJD^rX=SCOdxVTlIu%)pB|Gbb%BI#u$
z>}CmSg(G;Tvf-i(BbHv?8C$d-kssh+1F#Cn)|$dOe$B*lK7-STXrEF{HBzXw(cmtN
z^P*JVj>Un2)p$e}mD9G>-oSv)haU9zNWmvEsLBIS2DVz9rFyBfx-#i80yo*y%4ya#
z%nMQhEN#0JQnXw?hIK2gytDsyMK9e)NuIF>SLYn8AE0Lwp{urynlEquHtcAR+a`tD
zoV7B|+#mxg(Il*bVA~{@1y!Xw=RGukR5;T<*~0MX1erosU&M>Y0=FSH-z#}5J{w^P
zd4_yb0}~Q_w{v1C30_pNu5FTnnGxuDu{ymouc-5j%qD&&#rbP8By;n<f;Mn)#zcrt
zJe_RW0uo9)Bv$HA?%Hdy%j=Ao%QJ;M<MIe<n3Z&s8~Y4syJ3#@h@tK_VUE$__7J)(
z=#3`EcpA&G5^j!mL>&Lj36nrgrp(S@wbYgpQAEL*+Jd!|o0?o9Y}q@}N#7fLvIz(Q
zs{1I!X8p%YYce&dC4>#ou`2lA7!Ymk4hb8ypvYud#!{JB6ct1RnJ|c2WmN58{DB5>
z%yBLEE>WKKs1=Hm`WC9q4pk`iR+^#T?A4Y_L?(;7z>oA*kzb%ivDy*do^cdrAKqX`
zaknZczpsc3`;VM&(m4h?q7JmLp-{vI@)GpT^9b#%Z43A2UPt~uE48GJdBDgf(1c)3
z`&H4RyI?x?|8P$@xid$wa#Qg@LTokkadK_Tw3eqswNge)?f8A|J=N5R5B(f*d>Q>T
zLw+j|2!<>$a2oZW5fi1@i0bOLvS$NOP-v7<nq!Y2-IZRF_g@UsR!H;2wt%_KeV|x!
zXo?j^*_yb2ESc;PwZ6bY*bWA3llAr3gvN8L@qQ~XBWF<|JQPBjH*A=Xa$o8R(cdF|
zXm5aIe&B8vq=l)u{JT^9BDRjFfy;X(ue5*nV38)NmAW9LAWjOWDClO23mT<<{xYO&
z@@$N#{4jh32-3nJW|C~Ch6YMcjBW9MG*z+fW#hhUd6^<uxRS#fVgZT2&j9<0sB;c$
zJq6_(<@#U`a^0GQg8T=C*hX=kMhb;`g@YWod+Az^%pqQX=;iYuxF}O!K+p-XFy}1l
zi~|ppVf;HxQ^u}^*KE0v%Ge<y4cBM~eceh((*0u(&k!4>IW~{o;kl4-Dz$u<NrA_m
zFlah?<ofo@UA5@-_rXgV&xSnG1nISlhxXj2=4q!#+={j3T|@2_{5p8hI5J`MCDa(g
zD>f%NRac*TXk_JTeZt8RAMqJk0MosthULF3%ZnfN<`f%ML!WG%C77o7@kd8%j&3B<
z#ytm{9)EYKSf!7IwXgOMnVjXfzRmN`0i&jEBq(YwYGI3uS@nr}TJ`ze^N<*|WVJ4G
z4j>|SavdnX1a<92q&l#TF5*%RVSi;K%vv{PTrlhv8WjmuP-JFI$yeZ^k$<Re<*~X?
z8Jqd!TYh&fP(l+b&&HI`P$(_y$Ap6<{k742igrv$B2Zp4@@yqv_{2g2peOT|kit*y
zFDZ**+k*cop|LVd8CT0#d!|zK`Sa>Y>j;Dh=Wq+<L1y*tHA{&uf#!#UFAn)ZX)`@l
zOuO{OMn`B$-o0ZNS*7yK*hIzX8|_3iT~B3_Eu__+S>oaD%+G(a<c-jD2KDScpQzjW
z_jcv<4)f?bHJ#nPv!cB}gti{(qXj394OY#jGpQGul;Fi<Ox=>8*AJ&1U!@MNO*z*b
zY?|>e`)Y;TD@abyf)p5~9FB3*OksuTlKx1`V+^rooWwo}L5wx&w)Q6+p7u$M3@o#$
zjiVTlS9Q-v<+GK{p+X+L`F6rgI%nrCOV1HDC&EQQ+?!V8bmb_9U71}25xR$g1M2J<
z2idfz(4YJe*iBdsO~Pkh<*<)R<9HGCD>6l8i_Q65)-oo`jmx}~stVGLQRGo*MM>J{
z1dGvXl=~N<^{r<;wPvv`BQ7Vo5`cbz9D|Z3x;@~}Ifc)+q$|y6nlUCm8X_Rmw{XlU
zo?29OT}skq=>@sj5>E6kWF9fl{uYX;4sPHqGExDej?Z{T_fU+)?()tQZCHyj&5+!M
zjYkXs(G>W7%`JsMLd7qm8UoUqSQiK}Y5EtQwjgkhj0hiQ^+~-*SS0;jX9CcPWovxH
zNIJ5w=vs&ZFMYnG)C%I_Dqd0xhA#O8VCbTgIc?I_9dOOCJP<5lF{i1<G@p4aJ_!v$
zjADI!#x-dvWPzi}1SDlO_*H%_EOWY^nrJ6W%@nKzCF6<5KJpsl?KHaF*~Ewgf=$Gz
zjGc$y<D<<9F2w~3lj_%gp+zKU-KHoJF5s?q<_0aqF@zIx<Nx&u*2a4|C2>bxd1k{W
z=8_pNq*gqJBDk`0@pDtW9}h{=b!=0Xa~b#oOuPv$Pw@%x9s(!nHHB+-#$hYJYUR2C
zsZS+OGp*2o@%;-;0YX(0pWG2<2rs|K{J`7}A6;clNnRe=dh16td?$=W6RtT1^AVt`
ztl%G#+q@^Dao32ApclNZh{$$H86|Q;OdlB)3G<%>tRZ&btDZAv8GX~cOJ1izp74E+
z7dBa|j!u+4EI+a>PGB+)AwZN~A)XJ@afe~a+5Io#`+SYIHy(~j|4Xi_vwyOBM0S1?
z+(VPVa^&!?NuT3oq+id~MJgli#vsvPrdE4NcpVQrG=d51$N0s9?2n~oW6VJ|2i`Mw
zwVpFR1|vFqMcJ!A0QgI9OmlRFDP7RTR#5uhat~4Y#@Lpe1B>>3&IABmUZ;Nv@BPk5
zPIj@!=r?SPtKm)-5ip~t3Grr_VwKpy(k9fYIEn|r^PSKk8_yB>l@9xO?s4c|G~S*n
zgHSk^?8tj_IZlrFgKRf(DG9($F*<3%E0?dxh>*0oa`_7is$R%iy{9auG0CA5F=Iz4
zZX9I=peD|N+Z~aat$vkcHJQW)KxWVi!&Lvy#~U23sXkLuzPvw|3e_;)FxesZpltA!
zs4Y~=#xb;pmU9OU(hcat<<!h)qxPVrCY~{J1lS%kjyy>F)Rfe|sMQ>m+RcN6(>y;t
z1w0*IMkNk*{(#YI3p)%k4W)@eNi(>0%z;w--v}z~(%++eb%@Pgp0+*-Y4H_2xRL*>
zgIQ@pXAA?rK^pLM*Li&5wtydzur<h8VvQoocPOUfK*oX*_L!Vls8jSEQfAG(2TUui
z0&~jHg`_)skKH(XW}<1*Tak;24q=HnoqXbscVED|c!^GA2jEG$GZk#VXN!!M2)lyH
z&@{p#nZl~27!r-?RrELB57oD7k)BsE&O?uMLWBL^#S-H_A20I$2VZA(U%c#a(MA7W
z6@<F9_H**ffA3BhjW$xyh4_o;A66{T(s&Mj*Z}D4@9Rp#$=@n~@z*&WlH2nrybet%
z`91#IvGlJ=GL!IpTX&bl%R?<F*fO~X_mT9(YFOk@<C+^VzQg%6oxU<aEM|*n_6pw6
z9qxlq9yyJN$QcS>UfSXx=hB7q3w6R-eg#3l(hI8KR?%mG)<Fp9dQvFbwMaaau0nI~
z{t}TNO)X+|IA$>7?wun2I0aMICKy!8?yieCP<Qr&5u<0&+B_YklE+CwS4ZisNO9cb
z{U-Mti)?c(UtnfFWD2GEcs-1H1vvCk4Mg}QoHvirOq}^$t!xAz{}l77-skhaQz|HE
zzqVa)LZc+k7-c4nDRth=3p<!9rid|`#K#6E(VnLv!`=aC{dN&CJSA|fDv}HMw=C7B
z8>3UQ9zoi1Mda*D4fkSV6=a1}BPCBvvn6um7!?^M{+1XT^$2F%^2?he&3FJ?v|uQo
z5m+-Y$BNjPr5p*&kW+(|I;aL*_Z}iLm;e$DIS)go!qQ7EF^MYitb!sO0k@(<)XdSN
z?Y2RpW-d{VjV057cVL}SNy;;nQ9^NJ`cyIwqFULo3fCO1)(S!f>oDD1Xr??JgxOmP
z!vsAdRy^l0TyAmbF+ju?S(!F83Rs~HB1+ScY9Yj{0lveEj5yJY;IpbF<?^5%pD#(t
zP4{FnPaKUmj*yv6$#IKBXHhBDK@(QFL7vWazqWy(Dx`w`Dx|`v@k&Uq^H7E6-X;m`
zHHPf`1$oSYEu!Auk76_!+M))PWv`R|LfrrBa_jNOE2MRN6a3^><WV^l+bY@tz`g3<
zV0s<Uh8%N#NpdxMC>|QAc}C<0BfT$%{G}L%Z0{M9;my8K%o)n&O%%tYd8YR)qfRi7
zP7tSe5O84HcqkNuwVLja^UAQsE$@iPrMCWa=pHc#&U7E{bRQ;0A8H}T9%p`cae7U3
zdQEG34cGK)h~g?<#W_Go1f?qf6tm>4=*&b6<~>G+Rb0;a`*Qfx5{kspc~JhUXWQz3
z`Yii@SblM7&XJd2^Gm;Rj2dBbNTGilpkl9;!=_OwWCWC7Kr5%r9Xj?8JLLFW#dqb-
zS7h+@7Mi3U)#DKzliqY9c&hOY7bWYmEJ^hj*-K4-c@u+QdUC8ZHezW0wp@PePXUqz
z{LEzdk(SXnZ1><I9PqHtiw`(BZI`GHyiIOdAaqJ4z_;or`IC%!t-QVQ6UqS&(NS1P
z$E!7@bSILj{P6M%&qz&FGScDWM8fXf3rDT#^6I_3cB(O!EuCdr+LuoPwIbmpxIa4l
zt?ODcG*h{WnFvgZFXhvOzR5bq3gq53@wEQAp_JNx+c4+AeFW0ys8g&?X{<bsCLp(@
zWr3lf18lfbm@|^o+J~*y>%YtAX&0f##>AfDe0Zm>74VHhasd;sNF~Mlt<zF5oBaxd
zIB~KT7Ji0|4VkaNvkiw8m@)p;=?LkEpu9whkSoRp-(QQmCYC3Rd5N(FUsFQchA%pU
zB0Ex5*5`;s$I6;8<Gh2KE47+YHgr0YiG7Yrbm^j{dXeQ&Bu9CtgVfN?(-utzJ|WaB
zuB6t`?-iv=?d?RHCg+8=yGMXxc%rvNuVzJvtQ{@JUl~b%x|h$$J7%`3&@h)~Uig~`
zznkqi3=-<P5B1T~AHAwY_u|Jj9FghUO?dEyg}FB|AL{Di0o6AruUD-L(lDP(IK9Ix
zb2*G5C$2>jJCrat-#VGB#lGpMqfLcV5zhiHxlRu8vES90&l^C3^M7LYi|@qZ#jt}a
zDJbbpy@@B3C-lo_!iQkMj=f56YwtdHwa!n(@M3)f>jS~hFp${NlovkzKu8a18V*al
z&f3K6riVE&9VI>sY-ZzP)3$D48Wy>)_0tJ>dI$bcTFdsw`3p93jPjj<z_<u!8s!)N
zO^dEv6qQ_c+8urA4`bfZb=AJ;!D)OJhuwJ1u5Jf|Vxvq>vKc?=?f8YHKjwDDW3<=_
z{#H!QeUVx7E)!vW!n<G&qB5_CW5`)7RT~KDSvpD`sz%D>w<;Et{TyL07}u79S}4bl
z(2<e1f5@mTeIdJdr$H+VpadGgw<G%OfOtdwlR$J4L@<2eLsC+L@lu=OHxVjtep%ge
zncwB|`91d;uWt25`RrM<@4gfFF2vkcY;%%I_%{+z{Tc|ADVU~p=Y`cjjYV=`^Blid
z@qKs<g?z-6j(x)zQ5+FV&w-r?u-jGa)k}oWit<?o8oJh~nf3ubg~f##WDVOZovw>s
zEYG+PWdTdE<j$Np{2~wLN5Y6H?ghOW)8841BwFaAj<98|a+d%V(Fxh5-YttzGM9;b
zq}IY;N($SLf`(#f1O-`r5h*#N!cT^%1f^1hMPMlQxACiV=w_6BG*Ke#G3xSKyq39%
zNpiuDNX-t0^lgiM5!(<7-Ig_itBUw!ji<@x<ZMJkOH0qs8<EL^ZCHNur0&ps%=cLi
z9>ehY%C|0@Fz5W1SvAIOhi@|j&!OJ12IOc$aI2M0Vu+feYgyNyny!mX5x}_>c37Io
z$Ge%SWL?Y}wntDQ*Sgpaf_@^BaH{iqrNxvsGU*X+6xNYt`2|4d)<l{4WL*8d%sD^c
zoYtm4@a@Ivqv@D{8}>`1fz%vK^k{<s@r<)`9Yd8tW1bk;y8iW>Uo#TSs$Gj%IT)KJ
zblUd(DMdv^!7v$r<UOP%|3AT;jJdH8dLpbqt8Mj;6W)rf%iwm7GW!eM6G8y~P-F#X
zYE0Nl@`8O3?<<-8EIr4Z-z_4yAfA)6eb6SK3(=CZb8x1#LT}UoPuH&*VlT(HJ*9t2
zD#u$qIyLucY9^;ZP9ED#dsu6>b_rd%W|jFe4^C12Vr}CgFFu(ED?y-^n6Z{oE2EkQ
z+mw7JSbDFEKyYW!k2Tb5P2OjNOr7pva=#}TWUc~jWl|Uw>^*3ZUm4-aVT79BP`a_f
ztx&uQ23r!Mi6DS20}vqREud&_$BgEOMJ;2}6z<8w9OfEy#a;f4vmuS~{ozSn#Yr}V
zwNPa&$|}OLlkr7rD0B)ciG#l-xHRSbUdG4VM^D6osFfesO88;SK}Ir6HB6_J7f=fo
zfOEp3Z<_|S0vr=0e#hdLmc1%iO5WRojC*LL7<lFBXWwPdFPcf7E{FT9taYuzy>#%u
zN2vq1P2{QGb<cUU9*|v#eT^TwgFBQ)h<r+Sqpt10DEF1?b@uId5#MUt%$c`G{J{ZD
zJJ@^~os6!=Lc^K=(<j8JM<Lpt?Pjy|BhGPZt#Cx=B`A-Gk}_4&SCko*hS2*BE<ZY}
zWJiXxp-ulv@~!)s)xr#}kTm&fJ{wnR!2TzczUQT)%9j;Wlr{G^$q8}0C2c4Cbm>y`
z*Ga#T3#1t6h)CKNSm`fLcgsyOW2|ic=uaeHP!N@(QG>O!k;iZkQ*@~kBHGmw)rvyi
zFAEc*qm;RKYf>&Yo?e*AcSeYoVV3vvC#>3m15XPqC_js^bcJJyZs4{tu2p>e5AStu
zYu7W=W{2i--gJ?`li!QvGj%w`!;haxKTNq;?vYP?DMrMYfVquTOAG9^*pGQH3uFOd
zU<`2#U)tD&N8#hWMp)w4XwZi$D@b#25Kg)R;OH=Jgf;CH_7$vc262vC5`>sTK}Rkb
z0V1QKjr=y68E|@)0K<oEEG0BZ*{HsE>#{5iI~+Hby1x5w^1w{$mZqeSZ13yW0R2zY
zM%$HAZzZG@1SdiO`_)qZ{pqxUHgnzbVh*R1ZdaC_D$jm{UxUPcd=|X-7)_GUS+ExW
zmA_xd>H9VKjeVPHUQ>2~vEW1Zhk=DS^c547bFaX5?V1FlJq`)Q1?C?M9;CWCR%6Ym
zb>4Og!+UM!6GDuW>o&r4L;82(3IV09h8S^Ex)Dx<2BQoPcT-}`A%((OO};2Nk=qT^
z6}jb$y-&71lz0O}4|JsLm$K$udjS&Zg#rEO0fmS^!w!<P;tArJ{hten2$t$UD=&LL
z8UzqI{?~!bU&PPIU!+Bz5<_&_w`MwqX~k-Z+JfxB8TknH);o2ZW{s(r#Qw3)(kbFo
z>C?;D`##Q%V+yIex>R9pZi8nlPBrboSj;^YSJF(9q*Jr1GR}%0lQ&99uUw8*YQ4Hm
z;C!RH+kQa!7%F%oG@&J+4b%o{d1|8b$s(>?lj&EqGPHLy7cvPmr0IE#6UMr<B1*fX
z3(?PsW!RWKaOSD3MPhsyyd!=(EDo=MbwrERqLN~A2Y6m>6l^J{NoW1@JezC`WmV#i
ziS*g{*)IQeC>uNdz092)I60O$OsK+0Wu{eOOum*lO+3OX<_aH_gQu}_RgDyc4M?me
zzu=p*r*zm;s>xlVA2A!Nk3EY8K)e~emBiEmX@CNFO{pO*7;6kgK4Jtz58WUiA}JQ;
z6>%1UEJYKBIl?`J#dL{|03(_Khd>+<A&?Kr9Q_i<oCpAhTmLI<^8-!+0+;f8Ul)F1
zQ;R%&Jvhmd5V)_sek0`9d#s+aVmr~zu<<!x!e47|a9lln0ByUZ{x@%-sQ~raXbDmC
zgNJ*Xjsx1G%S_S;;z5a!GK95$xovzO<i!$2N$tQzPJ5$s%Dqff`c}p^DFQSWF`2fm
zqF6R4$(mBy1>cR{MI=D|(3-<6&flFsHz)3ejs8I$Ko>)XcpOcSj}nD->a~rG7?E5^
zwXsbp6E`TeU|YE4^P$^&YZ#Jkco)`6j>IHliM(wmvS(KNnM)!^g^vl9KL^fZJWB8h
zoyM<MEo;7)_dPZLP3;|_1*w_fF2S=R*Q^=23VjcqGSY9V;F|iC63U1v9YYfbGPI@v
z1MN15N~4J9ks-}gak81FZ^YN)O?k>ZLcjCJuyh>CTpnvil_DQ51uZKI@{{ut&o0L3
zrQp+=L5bz9L;a|lNl=G$hA943`<HREu)r7w7#g1NF2pUG*cXi7-q1Ec11Yp05rr~^
z2ki-y9h-zuig&*|4h+o}imEsq?b*ZjU^&hm`xa6Aj+2tMyU?BR(A8LCeow6v<d!-X
z4O-wf#ui+s)X1mn9&@)Ga|qSkQ;>w)-q!jTd*St%Wx^bLnIJo-?m1SK(Y#a*!p9@t
zU{cR$heH(}W`=iTRWGI5@4@gaWL#2{VC&uHul11_B-fxQB8-L@CIM1)n3|Ow1~r&;
zgMzzeBseUPyv?(Ee$=uJ<ZNu&AG%IN`qpw-;Rr&gpfOgel%oV%4bc4FaQf2OAq_%|
z<HhmRpwwh(q!Az_Sp6z26z;uB%7BWFF+`|)D5RJ;gw*FV1O>9>DWOu%AZ@5m#_@8-
zr_l^__BRwxIvi~8hof}K0+dcWfIa1#jyO6NEVP;jrNO=6B`b$k{vY+1whhtPvcThv
zJ^zZ07e3h!WRVSFJ;ZNgN0iR^tr#(QlbHmV9+HLz*?#52X@n>qG9xg`;zt8-JOMxc
zC3-KllsbBVAqxcSCvR2qQWUko5+_X0vjSFCZI%LYe_D2{UFHXt=kgKpI~>DhB|e>W
zjpn_R3_dVLN~z5I_<GW&2Gve)IY!IhB1;x?9t9}BJ*M6(ie<$zO|W4yjH2t{3N>H3
zn1AsmDaqZEFfzE|85;Y>m*K0sJM;LF2G%gJ@+Q4?@gn|9OeW~9Lj>t)OY%^96Id3Z
zg=Qxt^>ng-u<e-kgrO}vd;EPdPRq|)`86Du2r<HS4F_&(exj%4x+CtTcY?bM0DX0>
z^V4qGtz9uXgxM~`mF#ly*7QFlC!LTVmK{Bc&2aJBZr7+7oBkm*%3Chr6RxfMtA%&X
z(RRI8XO|JC#jn|;5h>ii17{=C+?TdlhD1dlbc@lTFRyM~7Cx=Q6Yb?Dy2jo&JB#`n
z%x&dM&bP5ozssF4k7cPqsv;N44o(=5r$BvX2vLaCu82t;D^%pfpArTX4E(o?FIj(Z
zdYSw}|8n}Ir5O|Q<D|}g44I|q8=FpkoC4OHokCWcL8Rl~HuF;#zc3uZJbuq|?}<-5
zvfK#VKp3O?+rEDj*5V+{y5P^X5+iWBcb4=(SRyxZeH;A=Z$_37k#MuLq_qGsd?2Ig
zU*=D9ef(<hS!O6Qm`B1iRPSU*PXUj-hEd1nGfQX|&VFrI@w~=it@Agj7Sn^i1kFok
zBPT8IefB-YYgUhzn=)MQi~icZ!UmLIX)+P2?;||jwaiGF1j!}nMFa#YL8lX=$fMR7
zXR$FOoXws27?hyR*R<_4+I|0FrxRNRtJ9&kpK;>d*@rZ{%K)vQuXXP-MZ!MC?(1Nt
z7jfflheI>FOKMcuxOGwM5VQU?=kgkkA^^=1#<#Ruwj0Zy)}@X4Zj)8xlI%G|z_g(n
z!h|EdI7&iV)|qOxV0{T7g+Bh+6^1VzmEspBEWNY|9|l&Sl;unnB+{N@<4$Ha*;+}C
zUqnZs)<Y~cKNX1&Ls^3v7El)p%0}-D^(D!-nOu}A^#F<xw}V2dz<gAv0VS`}sUSK^
zbWC*Hk`t+E)K*Fbc07M+h0D=tY(l~*bXF+2y*czbVg^(JPT7~DMLi(i%L{!&$Ct7o
zH4W54l0lDgD&4T`8{sapHC92&S%TTy)=Z@{t1yzC!xYR@CeDhH*ymQz?1`<&67YF9
z=A{|uthre*52+j?M+KM&>uFs?^M6E}Yh(Z*xp`KetsME<)Zv!LvFP(sun;*lj^9ce
zgb|jyCzT*mC^oySr!497b;ZbZUN{%3qaA|*x}HXahDwa5MRF4CZ6t%~y%!!02A{<z
zWv;)ahw>As{|Sqk-XL`)kE&QinELc?-)c#)CAL@$Lfy1HNSF6di#;!h2!AK}%3YO!
z;|buqDGtajy&|SDH3ksBmf+<GV+B&)f-fRtG_&I5hmm~Nu-<tEPa$d7y=9Ctxq<m+
zx{Iv%@`GL)dMo>eh?-^rP947_)$j-h7u~bnZ%>=)DbG;x9L=ox&f_7;b89cR5+#MH
z^|W1~uU3NhXxt%?nyD2et*GotL%f!zKuwDLDjA0YWQB={a*{FSSjUFIgukvob(8P^
zx^jM0=qhG}ka<T;kEh|muPVQtj~o1Q^BdYoognra?P4FWQu%POLIH5~{cbm@#eXbI
zYI-3VyS8bF;w8ex?YNLbA+z6yn(p%C@Mp#HitFBmGW;`$1)=p`(ZI78N~rU_Z{m>J
zspOs7$g2P`dN!TLBc13{<L6z7SEUivct+5%6P`hl#mn)hPn6zSM)QzV3)j#6(uEW=
zg(M#gPSPhbKmF`!uLj;Uv5-KUws@#MY?L1BOd*DCBS#5Vp;hl~-{*;*BsbWam}2b9
zT|LNF9zlWe910`!)S(0x5o_XTdsU=SesqihtlId8%xr|1#RtJcb>n*g6E7fNMx<L~
zIdZV?Qe0#VEVT?XMr%6C#K1ZccrLMnpTMFyL6m<?Xs1pui;cXgd-waPO{k)=bQ70*
z>C`^7jFFIKylH|)qzY&)ZMm&1ukB%_AW8<+YZ$WyB1c2=F+dV=_Vn;XnY48@7H;H$
z?M*mN#ScnD>#goVp)nKsTZkiM&#ZSOycCzNhdu%<iB8V{myGLI!&M8IRxO)w<2#P;
zR>#4AXr(2jBc87@e)Xr)$bT4eoQq2-9WK<_bx5qSoxRsz+%Kk<Wd?E45C-b{Y;|Ie
z@4DkBoPhHa{0!XGjI?;fC>rqOw>>ouE%GdFVNkyJhbG}8Osrj6_Mg*D(U2lv$iMNT
zxLK&~x+<|2)Rr@v?u%MjB+d{YH0fMO7RRS)Ij+ir3v+YKqUP5bJ*@_e-)7s;=71BX
zRBWN4zDHK$xll)oBpvQJ9Ik6gp=rZi{wur>IQ^`4-a)vyT&nI!TnscImkf)m;Nsy6
zq_^DFu06Q9Muud2ivMYR*qMn#?S0{E)m#2fS038v8;fUwabSXNvsG?!5xeqD7i7bM
zuRnZshi6a%#;dX>c1+}C2@JD=F8L{?=KAa(BvmDCExLEA!lwrpn*Y{?VJ+SUrA^Ev
z_Xh-r1eBVU{bV2z^$;tjiqu^mS4-|U*8G)>*+YX4$-xVYxYJ^^nND}rAUahwXTI6>
zTG~hALz&W|Gp><O^^RE;f2SRZr2CbbeABbSvzEh<0CJnCh*cw|f~8u;ne<a2w(PF|
zUD_e<g<R$n*Xv{mGJYrlyq<Ws?)+1)DBC61oZ1w~bhhk6g?ghXI+o4#*}E*tJMF2L
zrvNqsqu14Ex%H7EVou?*+u7rQL=BCJVRRT(K$8h1P@`cj2O$#@sl=Ts+3#IV8_WnT
zE+nSX+!cdssVbi5BP|kkePCKhvkM!EDQh#-Si~kIikW9g(NT@_HF@X{b597qI4lmP
zC#b_XZw5@AHs}3>@TLM4P?roo;0AiU6G;4iHmJem{wwxc_JC;KzA{#is<$T|oIh=L
zS6_gR4M&L4V)yfv1nQ22OBx(HuyW(?r<tzfF;Xf4PNzW>$krMjea4Qr`xTPotmrGP
z?S4+$vP4XJ{-o(KZ$Po7zni2+Z7#Ax_9h*(n=!DyH3BJ0yXL;(xci8bV?VFUcx=w$
zbP;5*?i91J_+gRQ=bnW%f9kiK2vY3J-+lN)%-cS=H0^4#f*64yW)2I!BmS5_#21pY
zM}hrVp0-%3+WadBeKqO6SLU`LuNm6PSG20@p<&2C8yu+p427^biy6U4F6HCM0e_wT
z+O_|3twB}yidA~U@j{ls8`D3PS?~PKqRx&bmXae3srXSf<1vuU^`KX#_x&*I+i^g1
z+-Wn^kj0S~-IB>Xc}qxlr_?h-^3Oy$Q)IJpwN+g0qFf~B16j^PpPSY3+H)4|7tPsx
zv@5wC_nI}Q+UA{I*5uk$&TwJ;tt(lBnex^S9oL~YImN>Qz+mHNU4lq03N9_gNV3wT
z)nsYL2BS^ATjOU2hEfz0DGM$nWxbpFnu-wvFVu08-k#e@rAhL?z^e9o6~a1tqwL2m
zmmic(6N({?S?z53WbzD~308g1b2btdLx!ZeQ0Y1xIof*@l{sYDNL`XMf{&1G-=U05
zRLo-{<VMZeq%taf<DMeCFYyUe!)r$C>GwM;0$Nivl;FZmkiS7R#X!N4!j&}L_^i!L
zJgnhK8Jp-@;*pI^%SmcB?Z;w{`!!j19NGOgz8{aOwgDcR;kVFF7!1eTp(cleiQ71W
z$hLAH8>0-_d4(h{2598&zqNJ#EKl^8t+zFVtaUdSv(eJdEdE|f6-Xyc4B)WPPUrSW
zWao0QAN!%-RObyL(-7A&;gUcCnc$N{RdB0$C_WH!oH)Vaho7-bTrZ+OrohRY#I96N
z@17BT#d4-Xc*N-pm}p}|QSDUx;AV)H1!8R@>!Bo-UH*=LTxs`%{Z|&;233FFa%oXf
z(C1wDpTpxsB#1b|DNM_x4G1j`Q2dj!kTcoM{@cVLF-`o|Z8}+0QsI({PlSLS0`t()
z7VAu70<k!=@51H3Ma&~|a8KL#U-(eUwUDY~GSuFuko&Fc#LJB`>UA(bbQu7NRSoEY
z<p%O~*BAf&q+Kc#0vvHfdN-Y}@{8?Vwo|GiGgQuIZEoyvBuR_;Hp7=4QGduucb&2f
z;aNoGWj+KM3Y%xhH;d1VT8*QVw+G*RQ*PN*M$To^+&g6qX#s$B+)RfH>D+p35jeD*
z;IF`O_CWHg0s@m9W9rN>sEX7`|L8eB3Zv1adb%`K3E=+YDk-=?nlzhokRE(EZhC}>
zr7#5V<n6O48{yPyjtoW3VxkNUw94!%+iH_gA{0?c0PHc_i`4C?(<MYXSFlxu$YJWq
zW}8AdW_L_Ayj3?Q;<~n2JPg|k<LzraVWoyehFj5Yri}>e5>jQ?xH2+KQDj7Nh4!P*
zKJ5c>g^faCwTkEj8sfmVNB7UiL-(h<@*PgLpJ5>~G*Ik~M*@s&85#P09g{0fj6DM6
z=_v|H=w`IM-<RIy0wyePbM9cNcX%a*V?0?0Ql$d-e-G{Q0!j`I&k5ab4=y#CM9&QS
z*nc`(Vv+1+$&jT4EN^}J!5<?;xW}oR^3@xiuFtn832!9zQ_IN|qgpR?jolc{urC6h
z{74#V1KBk7Xik6f3Mrsqe&{$Uf%Q357o=j2yN9>ttMGMe^ZH9s{L(XZQTMM62AnQ_
zB}klQir^HvJm<0g_ko_6<d$V|I^&{;pXa`Y;8SfYc0A{doOgSxT6aw(aU01==bfQt
z%|ji)9Y`CtZ?jn-8kDJ~`7quyv8p2A{Z|E_V3z&vM7l4K)ng`ieS6WPF0-gG-kom~
z$Sq(IVkso!dl$V2-RVQCSPjpV>Y#-EjQ3mlinjezzli~K#_AIzalTY<`&2Sa86|nG
zSSuadX(LTDlTrD>q)aaUi{}XvvJ#yboeUF+u{}N!&VEbMssLG{)z{z8X?cdMqo2k4
z;L9rjf@BvN04G0#keTbycg;N#n3m9m3Y!DqhZS#%=m3HP*4XqsdZhl%EY7({?SNkb
z4{V(5XAV4Nwp90!%gUhD0PhOF5?ixzS!UVpGwT>~rU&e%1s)j#osn<~&b^3>45{GH
zjZA?W@5zz+ncVm|-GT*MPO=`oSbb0H@-Nh}U#1H7JbQKiv=iS&y{RtxSo>B)j!V-^
zo0w!yo6$I3^4!H(g}d}L>`@nkuyX0-5L8rwWx7Ft3{%#eF;~-#oL`G${GdZL_$7F*
zx%#tH<i5u%%8^u&4r8Q)vO~8#u+n@bcbON3<#0%~ERApKlIStRGm=5=30&-Ga8OYH
zX;2v#+%;7@cDl$&`>~AK9*Nuq=6LqsuO{gP0$&JIl}@B~-<ix8_7mz(rBF`f+&>lQ
zbtUGfG6K2xdYm2m_W6!%)^za>S~bX07pswkzf`N*D0CWHw>AIk(OSaO7B3rXUzS^e
zzo5UyEo9r?T6ZX9E*<PG`)%dU(Uy0e_VR4Z3Z0mTm)U7b5e1Z9RSsQMb@ROlT%4Pz
zL%oSYgWp@7N@{*Fxv&tAh7@WasPtW-%OfF2NE?2WI#w1$L0#?BnXjrRRmv?+!z7=N
zg{KwDtRF>mzKt`tUD3DA(k5kLK$Z3)SA%hByA3-M+kQ#p1KFccQ_tIy&BdNbX@gai
z9VRX+qs_N;3PS*hxKp!trkAz5Uk4QV$br}n-MY2HgfUOhF&CIIT9b~RptX1Forz3^
z^@{)GpJnq@OSEfr$8*b3G8qVcHU`Cfl)GYY7z^$;sXfm_sRW^rqM+%`wt+27)}e*r
zVm~~M26G%QuoE4zrOF-7P%jwdiYz@!py*vJ2dxu?5glSON1)XsKVd`!s3i=>!wFTG
z1?4mxke`oTF!!kq+kaE*QNB9NaFj!i{Zr<6+TKsElmiibHwU}HtZ}j5at8kDQe$eE
zuDN2*O9-Ml4C%&~i@uc>>k8rvG1p8|oAYg#97v&vv1OfQ!N*9@1p6twhu{3_r4H#}
zzJf1<UN0P{eLozu&_DQwUgto$i8y-O0s}Bq_-2k`&GYiC_W8qTdI^}1#4HOSvt-b=
zsQF;pX%h=RFTBab-!pym35^~t5H`aDCh~FQ-k8)0pKKK{Y6AIxNCT2icr#hPkhjmW
z<x|f8DJc_G4Nl>2#CWV*$jzQf|9z42sx!(j%>@t+3_GZL$PQrunus>F6@Kt?A3vdZ
zh7pk0QC9(tQX3BwkFF#patRrh^C>WBF`{6ciHQP{gb116LeThhbQYpbE;|&wj!(!_
z8hWdIV72ot*IO~&MS@JUK%LJ~N|Iz+p_qog5iJ8bV`?gBsIVbGFJX7Iywguo1UeMc
ztn4?QCJ#i1rd@AG8ePjIvY7{>f@rZCj(W5A?e_XWU}q9Rx&s04|0Ju)dC960oqk~3
z$ihCs75h=!y$q(+Osnd6jIqMw6_dyR?}SIIVz__4EbX>gfwJxQ)mPZNL`^65hD?K!
zFA*oUj^`~C8>&^xNt>+&X`IMUeRKM<iXL=B3UqAKrMXF-qzP;etT$$dvlS7^e=2;+
zJWQ1ftdP?7$MSypOGhhsVlh)zW&F+MJl3H(#?pG3msq|ham1^QHmMO~I#i$Jc;#VH
zBBENWl=hcgxhnh+C#ya2*pso3&2^gGsXI4PfTySA_h4jMs|M{<pezazMOTs&x|=p!
zp;S|;vl<#f(6l>pkSj)fMadocPjV~?pjeeJ)jTB=1cqPqeqvxgJo#N(jr)TIRp^<o
zb!l~lg;|@17mkh2D5!2MUDNCd9lddMiecI2@%uzar#aSZ{)GJ&fQc7OnS;%cfz04E
z4~bGpu<Rc?Z_b(L&n!bx2;b(&CylVAUPIq1Q7%wK>Op($13J^Xk6~!?S*Cfa>YN!o
zmQ3=bS%<Q^@Mo7@;dS)W&@g^Z_?Q3}-0&r@`-o*pP|Bc9Twpu~zLipRh~4@7_v5!-
zvR<#@rNa<rmpnQm0;m0;hZX!1SOWrwEhiZ$3B~@7&g<tk4Dwhfj8Iu5tX8mmIU-~e
zM4!!V<moEQ_WHt$tDfiyp)pu}|HlXg*f)ARN12B5ZO#?t5`sZ)j8oDxfkCj>0I2*K
zn{*EJv`liIQqi#n^LD9s{Zz@lMgs|sKyC7BC5e1lwCw*>;$+$$#T^xG9o053EBNwq
zbZDPy*7{Yysl1ve4&6!zHNiSN^wF=3f67s$Ra<nD4WZ?4Rc5@4&1&`FkkQarYY#$3
zCSDw7iSWc^!2q@AsvEJM4`>RBRs35!uOQ;$nD4OMt3)(T+mat8?ZAL6Q+BP%v#>Xz
z|EswK1M}bFnA_mu(>1Dxwrz8kXHTbPat`Kd-|+SKDa({i3&@dvW+xsDy_?v+NXyp*
zQ>Y2o9=fX0SUJyX7-~amAA@lBvc*>8*$aL`6qLQ1y2<?aXuqEmC^>)jP+t+gsQ_$D
z4c?lFW0h%B{8g`*ID}!PS&cesaHrMYyc~%!Eock!uO#sF+pf|iORG5i7^0W2K+w|b
zG5@Fl<t%`<2MI$y0@1B^ghMU>{ZVby-1vXxKN8zGGpPxLn`onfA3<PC19k$Kt`~gd
zjttoaoKeXLfUug|;=d*4SP&foQy%q?=C`OO=Ojt<6FY@TqsfJqCdbXDmQbcJDq?eN
z#TsmjLViF8Fb6rnB^yl)zLVN1@oi()_d`XAu)<LoVtB|DOT%$7kv^?Il%W`!q8ND?
zHiKNn$8`O#-meBEdZ<)tDAU{XM5perIlPG$|A3k#N*}eU-%|Q@IJmQB{@7dkPcf2n
zh7+xz?(ND_fZZbS;t9tSA8t!#uGB(vvk9U8<!ufE&^C?71;(MtNiK?n`1b10{ghXy
zPzt9rRNqH#F|1G_9X_L-wB*@?8Kj^zjMvFo7UiZJs{=YiDrkBQocWY>x#6i*{0Qw(
zXstlH(-;EBKRj^aZj5VIp!oRBWAKWA>EtQkfdUN+(#A?OmFKE-nS353bu4E~&}Xh?
zDtiu=8NO^)SF#i-z>`F4!oe>6K4Z;q&g8U3c4N8YUX*iTz-ghSnZ^-A3XA^tn;BFD
z^Q~MhVg3M~+DW|=$+>@@iE__Mfvi?6K!qRx9vV=$MokC%3ICAR9-inw?{heOIJ<Lq
zVOHuq8sJ$Pf>6HkLJr&Rf+hB==&#P5Y8&I!+0`~HqOk>-UHEdVbFvh0QGT<~Xta|)
z;ie-OJbzc!%`{^0FD1KQ1|H&b(^pvmNibm|$B*ZN?JLimF(m|-MAX}w9Uh-ODaiqX
zfOsk=R-V4P-P#r^cXdX7ov^Wa%#;!Mnl8a1Q67#c<<*`18LDPxvA4|BO;JxtiMhQS
zMN$EexEvMv+4^UZr81ZRT)a}@EZGO1eHas;OW_X2Oyoxq`dFN~13=Mog@!be>`!1U
zErK!7^3+H9iJUQTdrI6}Ey*h>8Y@w{KH%7m{+`6=d<+YGxRi+t9ttrl3c#VZu5trc
zJ%mgDNc{aHjenUou>d@$%7C26Vu3jRfpS4?PUBb`ms<I@w1=z))#_3AWE{j4L46w~
zr^4=TUrxFt-f28Z8wi5Dqq#Vitd!2R+b!j#A~IOi-;$_rc_pY$QzMDwEKidhH?^Tv
z*~<|fe*!AK*DcwUT<Mb#)zT(V20h2GTTA>PrM@+mV_sx#OrzwHURxikSOdD8f&#w|
zOrtKKQ&$NvarzHa4FDO`ipf7+qN<K%`DKXUz|8ss%aIRyr3|-t=j$m`s7i36YIp(*
zb*AQ-(~|!3{Cfgq;h-hFF$u=Qq^O2IQy}^9Qr_Dhxl$4f*!}u!p|O8fqaM?A{}3iG
zwR~`A5ueHU$>If2A&19~gi@M{WVFFU_V<*kT-I;h&gd}=END#hc}c;fKYc+Io&mu{
ztrPW0_J1z8(?5FQCF|C>`lgVLEgn7fv>}4(<!h#`^Tze{wb@Vhq~I1HpH}k4>kb!b
zQNW_%>sbI}3^MH>Icaj0dL4|T$m-j}o_$$07xz~nFUoV?7#=rwb|l<a-bMwDIsqjm
z^=+;>MuHeWy1?k>#->hF$Q_GkO{`;-k`gAJq#p2VO+aG#qYBU!8@&6sa|QJ@4ImRh
zr}rmOaF{-!PY|T}V<2F}`LiJi9#n9+8JfOniIM?gUL}cG$V*!aO;pERBG=TuSk;mb
zywZ_PfY(q0>nQQ2%NW&32$pz`sGMBN8!I;(87=kYl_WZq4DG?5L_gRKh9yhO@Rts4
zsLh#d?9E9*R;%Gm=s=sQ9I~{d(ykOya3eq?@Ual2oxg+)6$YF!@e3jRRu9l^P*awt
zSOjH!taP~HDAU7_Uy0C$z#Br5n=(uhSs4UQ6B7)$xD^L1GN==UKnsS5A+Naf9p5vo
z4I(w{pA|I6fp&6h&H|sRqqp#k6#1t9^KDRl_ojnsQ^EKzct15=-cRohS({@5u*E4n
zr!~t_y9`oh#0BzbwV1Tl{(+~Fp;mKZbVbVdtfz9qLf@I7RKGm^xtL-fH-lsC+ov1`
z)yF^~byo&+l=HGEE^F@BJf3lla<M0CR=qEg<Qn{gPz&#&5b;7MFUR2D0smf5(Mqj^
z)(?2pwc5g?aAgEf_i73gU=VD23Ea{%YRDB!gvt-40Hw`^897^`kQ(0^6YmIysF5T~
zjik(HWacyyl3?OC5lf(^5}h(;5oXvKlTK*4nhBb$xuQFg&A#sb`}${bx*8IX%X0V7
z{FRRP6%&#fL#wT6_`h3{iRZ8`3Zj%H&IowzM%JW@9<H0c>LAmnyia1O2f`K`As@G-
zWTws--`<EIz+qfKjs4aR_^)mpgVjiNt?ZaMxc2OJfYh18PPZ}-^k-tpU%ZTv+LmiQ
zXNi^8kL8$Xqg5s{cb!IcOfb7d$UW~m6osuv%!dhz-1V~}!I=m5{J@-Gisw5U68DTT
z5)lnoZ1ebd==7gcKmi4DDpR9`IS&%T9lljz=7uI^M$S*<66S)+JQ3E!m#Lh!GY^kS
zWGsqu3jp&B0ufGZJ~*&6?vcXym&I@}oK?w0nazSV_2}hT?nL%u7~jX`z*euVJr9(p
zPOco?6`RE|jzWt!Z3Y{|q$06hn_W^&Y?z!HE7I0MGM9=eu}^HGhKqj~s1v5doa4d6
zpM@A~b$+O`cD(#ro%msHZu9<LNK;$$rh~wb=>Gv-K%&3!*+lb6I3gSh&P(7hAF^%J
zKznNnSnfBYgE3cyaMIJ;*h#7%F-)@#*wlO3fC6!)hh<+TE@Ne5MiVIjVd=Y5V#Ycm
z<c(+NBUhxiAljqo^T!$_(fltQ<`gpKRZaG5f=VPC4$x8cw17^+2QF5*lM@o2)txcH
zce>O-3_p&1Rh#0q8MN_h*l?6eWyp}oN*2{$NQMP56r*Z;=0$SI4#fp2T1*!ch$sL`
zQ3Tjv6OPW;KtAc6@1@KH(9R7YJ1{O55){&vVF#aJW)L05kUEGDY6I=+%SXtmv_gYw
z7{d99?WqBBs!`LxKqg)J)l7gy<f9OGP&B~-WIvpY&}Ry)@JSXm9FJHY_L^hU^`}n#
zM|Q888bDCsp)`X16rt4+V0FMC(#Ct$g)AuSi09Ncz{S)Z8I+np+B9j5ro;a(nW{ua
zpFo#62?hs>MeOGVh8<PqO0JNSFjF=HuEv(QYvsi+`$e1a3~8zRG~5D^RO$jPNlhwA
zqezYgv|N85L`OlwIJMCoVmX@6>K`AX;ZEmy$NF-T_K`VVTwtY-QR-w1=#-S5npJ1<
zl#|nBLckBTu~itOQ48T~(GKEJvex;eQs&%E2vki}bs<h|7>6em#PuLNu*yVPZdTMy
z!7~DYFgeZ;fHgjltwgjk#0Z0M(kwPwK%$?=C@e5^N>P$AW?F}gp+Nvj2Mw&k08rkc
zOOgm@jG7qlDEkkIwvdrZ2Zu2^YC%(Uy}|@$6cL9&law-1QiI4*3H?ja#|O}sjWKZ`
z8F)sKvV7qtMqOq7y=M=fJ&q0fR^^}_0C*HY`6G9T2SXwO6TPDXR~6?Dk5$lV5)1RA
z0Ennab7*Pv-O1<1KEUW8@8+t?AIa0o_VgZl>E29xgp=`1p(<eHPpuEpM!I~&%-jmE
z<vT~i9u84qAA>w}mrLL66HjJ3gz7@icHeA4&L*Bldn;;CB(HVouo)Exq%;L@iBsGw
zoN^#o^?nmDh%8+Ki8zdH*lt8y;@;FMl5}BXOg}R$RGxPcC@_@dr}`?-2PgR^(#1l-
z!3a=62r*$5Nx*zW^I`ZfR757MbrG>)z(7cwkRFkXOh;HZ??KI^H`@_Hts_Y%jTla;
zEr(T8mIP-IW<YtuJxvY{h$N{$<OYEhE)ocU!=w%kf#&9E3>ORJGi%GULKxgO&EIRL
zIW$vdhQv+#O`#$tc!?!^!D=b9qreFe7b(iEpcOkoQwgSl<A4s!Cv6-Yb2U-|7RhoD
zEYMaXZa>3lAH$%aj-v5(+U6&6bN2%GdSnaF!rA%c#e{MPJ;8KAN62yZDcp5vNLfhz
z5rv^MkVK<t?I24Avu<A0-rEJvOsc#UO2@~-f7k=vj)4)8cfVxCU2grhhyp_Q5536m
zfB2;-LC*m5s!~j{4Q(`rmDE87KU<<!IMZF%@4Tr?99AgLl!7}wUo<@MMU%$xK(=Zc
zVoKl`j-)=im{C|Ku51ZhopS38zW)KB)LMt4_@|HY!+v!7ogT~;TIA)BlRFk!NCe}=
zbfFlBbv3!q8s#U3h$k}w7bJ2tlKLYkIl5z35@AGHY-{xs`y)b3CrQmX-cX>hw6yJB
z{(vNeS095yE1q!wBg$#g5m{dj$vU9-Q<?`BkDfk>3L^-Ba!LBnDt*G2AYjAmoj!B{
z>JPqoS=}ZPO*}XJ%3}k}xG-SX0}>{Gm`F7CW1x6-k%5N`@O`kk-BV9ZBQ-&UtcA?F
zq&MilvY4e%7cyPZZpEaPmQggLQi=tn7O-FGXhl6r%aoEWOpPSkC0vE_Hi-T}5Q@Zi
zkXT0XwnMHMkne_L8>nLAql^r4A(;)-J(1*=NQOl~(6XAKf6?&`Ofb0h#%>r`Tt|xG
zbBXv(;S7Y_En*lD;GEiMfY~P+pl*c%DPlqbcvD2gwgdzc735o>{vpqWycIZifi41J
z8DayBdY=wkhd_1(SHg7ffxHCT0{AqxNK71Z1%Mx5Jb)wv>>JQw0FDI|55JSVH{qY`
zJVWLm?4CV%XY}9Ee8dQdX;(vp4i!66jO<C3B7DN~E63Umq$6iu7HK=+4{IcL?Pp5|
z1_WKDAa|3jU9jzd@o7Sxh3f|+`)9`B6w*Yxr98sx4+ed8(_UHdW5gZ|x^2}C^z`41
zu2p(V#4llbqstCLy-?&USawIy)uPf+x&G5elXt(SO7Wyddfnb#>B>k5iS5>_T7(2n
z08VFtljLNIL?qISI}?L9${g+`077_%P)477!U$xWYHmVBjP1+m=_ndKeW0_WFW0`z
zcuGeAPO=dlWeqbe(oNwrw4t*=CO}-!30N09@<ru$SGbk-x;6Z+>eIGYb!icm?ydKt
ztzgj%t8E;tyXAMRse5r?C#juHa@)kaT)L1zF`*_{Wnk)FxU$z*Flg6WmRC*Dy52^x
z#Fyi>hN72Nu-6MKx{g_7YcA_knzU{x2BNQ+HE63{tyn%GE-s`!;VEHL{tRZ7KCxXi
zt-fF&ex464E(emz#+3mL*<8-%tEdszEg;gMBiaF_KxLKI!=FQ|N`R98&~)J@Vrf#z
zK3CTvmK1GXgl2Hl7ap0@Q_7#GCsEPiFdN(6ZXcn!95)du6oJ2KoQ@<|Q>im!4p+w-
zJ(kI^k$$B4Drv5mi8zE~0zY`-?bWZA55r`8nAa|ddtV9BPM-YA!iPa~3q=&QY6njx
zv_cAzEeI+^$Up+k>zjRg)8For`j*inZu`K)juJ(+(0~r`=Yvc>n4Oj8@J7IAEO4vm
z`w2XvVLKR@ft)%_2D*I#3J^w|@b85C@i2iqWg)@>GOfhUc;}W(;r|fW8PBYh;Fl|S
zbXv`CHPcu9vPQ`(5_&lMuL-9ly?*<_LnCDJ<+p&a`^~pihuOXPUgOUL3puVWX1r~*
zEeP_UdQ$v468GP*UeP!Cuzk@jad~RUGK0!IR>N}nw^6X{On{$(rMZ-q5KiegTyo1I
zcL67^Z@+(Yc@^fJA?%9qfQk!YVj`i_js1kLuTW1fsYdIHw@4yc8vWMyS<Ed#YpZ!$
zhS;`M3M+NdFI=8o{OvHl<nrzlGWaFQ%(?-5lS>3w%)dpkdouNTd^KgrBd6U9ep#1r
znTG{KnQ^FQP(UJvWds5iQcLvU!LVQ((JrRarrrhN03&d`y+me%%Z1Vq3~P%p+0;Pb
zE!CrCVdbw@y%i&{7=RI6daGeimHQI_Ow4G)PK)#ajB$U)$^=WBlpI(iu3KEML~ybg
zUR=l`Dvi@D=)7>&0?Ql2h0+u)+CV6@Qa<p7E=vE{NK-Vbhy*0(l)8`!8;ZwVSSTh)
z-niIQjF*<&f%nO**zhh<I<#m37l^^J*e_x!EW7?cx)sR37|76oU%oj=L?HjOl!QUQ
zkR&B65cx+Qg|MeBt3u-c2rTh4_!c;Vs=Mp!sTeyv${W4Y9_R^rsy60_{}qN{QNi0o
zDvfop%Fek;<zUw>5wtbs;8m6FaCgdsTi(>7Y5zC{5~U<jnT}GeZYs)F))LSF63fd8
z9jvS{khQc%5*uCTV*nP`aHVTi5wtj0VGwThgULcZ0~uTZ$ixQ#H*t_)0bc0UZuz1C
z7vDM1l`-EpSH5pk;IQN+^JoO0eBuEn-#LI!G+NSH7^%Abt)qQiO9*nWx27?iT+l0X
zBt;2dQna=hGYWT_q+KJp)~**+al(~e0aiK7hOqYXqS1Wx_$9Jd!_yPD6B0fHaT2W-
zM;fPFIiR5M8$JP939&#HqG&6u!9N51WRRFLr5E4JB1lh{%w(6yD(3uxM}_jU@hsA3
zuomm`ci_UmCr&<YS*Zqvx$wh!E%?Bnge;G|A!I}F^afj=5R8jFAuJ2SS)Yf?`zG}^
zVSs%Qk_GxY2AA7m`&D{6VMGK<bW9mCPWdYI=C^*1f#|50HjvDYi#b7c{T%~2=JbRw
zWbkxvNU=E-5sJ+m8r;>cGHiHES5O*XikjesDXv8-{&8Ebv<y5Q9|V4Ia&-~=!3jfr
z8r%3ar}#MEgo5xwUD&Z(Frf}Ig_uLMYlDi;65AmpXAT1xF)zV_C0TqJDy%p?P)mCp
zV&EFiF$hQJ9Rwqk_2{Xw>uW!;gU98u>lP^3;xQAovBi=Tr8g@=CC%Lrm~(Q|<Q{2q
ze1cOzaq>LTRD6j|6)%|-yGaZq=X#}2l&qU)3nAXq)VSKSFa=!B-e7!%o^S}eALt!O
zhP<7z*yjtzNABR^Y*W_<`w?xy<+1*|gzRexUMM6_5!nmG$^t|~^Ick79_3feA9Lk>
zC(nlJo3V-^aL=?ZA1&1@v5TL2^4bDk#BnUvfDszA&)Cj@^Ooh97h(#v0l`-ehtofH
z`W~THppZZJpYKq~=-4CorwuDUp_NRzdWN4$OPO*BKyfbg(D1z=i~-4*_5hHB%^ci$
zqnJeOPHK#y5E>SQcD5kP8L)Q(5mTO`5^b{XO}1UrVUK`}aM}@&K)kvTPseCM1+AnB
z?QJXYIuL!WItsC;Kt1iD02WXV^=^a@Vq!pj7Dhl=X`z>g41f=14#p@poFTpvc;5Lr
z4X;y>1<dGTEr=ZGVxco3Wr3TP(8LuHXQBM7T?|QFTWO5?PCX0`dos#kNPt^RNp{SD
zrGNlh8GH;AQ;~mit2UZ{mDmS14J91MRz>=`q@e@6TTP%rHEfOU(g3ay7m@n8O3jM^
z2$#Q5<0F211M(o}1NBefZ+GQI!_n${yh*ST_(KKoKU$Qje<<=@Ei}~Bl0<2uCS>sM
zbxv=|Yb6Kr;LtbiurDgu4dv+OPzx^+Y}(5rISYY%Z`#^rMZ!AR8`Rtj$lk`%QSfMN
z3)!Kvuq)VKEDO2-)jE&Ahf(o8YKxix$f}Q$8|pqK51_WGuZB|Dv@w!{y9)t9_x0#I
zuil`x&*N!}ik2N^tgyBh{yMMzcU^z}0z()6C|~@q)&Rc-+7u0b2)MrncZEb#VE3p4
z_g&1$5=LfSfKSlQX*^~Cy#`<kmQnYHfVE*5Yo_4y4||9Z6M-F}x#d(3@G^=Il~4il
zwtxaJF9ReKSO7l$>I+h(7*;$BC=>)?b)%VINsI%6*=$xHm2?6bDvphhD#!$8vXBa+
z!Vpk>>XdI*LL}`Z!Vb_`Fq4&10Z!;W@m&Wy*^X-^z~T@JW7SzGL1iqVI!akWQ&16c
z*+**0{_4r$o<gXsbtOt#x_O3U)l@NiYFJ`4RhMCx={RFS;R!0rzVa~L8j>0v2SqXM
zs)s(RC~_MWkXO2(L`yNv7FH}LD}l^Nf<~>O>A{$<AQ0eQk4^-~s<E9PZ63r|V*<y-
zR|wTm=c-LWdbCvlfqYPaf#%zQ?z*~qnUi2C2;-y$I6u+?ohl?iZ;rrMHl~>K#Sq{(
zx8N(UB+N=vra_7Vot#DjofR8^r*9VlTc$^@){{J?CwgMY#_UF<AlgyJCp!Dd4;77I
z>ZL=)JV<qA;6%in60Qp!Dtcj3*GRCj(Hz8@LDfzPV8JIgRwSgdWl+Es1>&ek9h1X}
zB<Ar==YpuPb%{BwVh15&!J#}js(ZtNsNM>ZlWcv;I1_ATK~eLDd|hL~LV|4;ROy}|
zq0bDQ3Vs4Ak;jV_a3~)F+dpnC9l^ytjtuU$k`<-{eZZ!<6#i0NBA!#hPhw$y0^%;d
zDlszPk<Al(R!PCj(c6P+Qn(U70N(=rsyi;ls5myK7Y8p_ZUm-aSs+T*vIMP!s^A~E
zIgK2+Hj+9;yIE-T+V9*PKttRbQ`x{5fJorc6%D|bQ3e80sZS0LKWDf%{K285j%H%P
zL4g!$Xy~g$h^u3GROUc;=ooY^)V-F5kL_qAK3pPbIY0q%p`Dm_W~VlQ5@|4zMlgLr
z6bkgYkyr#n<O5DLrvy$0$f{k^9VM}F$_QA+BcTGfK)_9zb578E5Y8enNIhs=7b3{M
zNN3eiauK@MU1%i@$R--}Ryrl{(2Z%T!@7rVWK$uTcH{Fcayv5kF6_?f$7Wi@Ze`Mj
zW?%PqZ4Tlrn*r4s0>Eq;kTN4O1>%FjjC+g=*Qs%%BD#S~#Cf`Z5ME6e5JY@sC6g6E
zR$8$&moF)NxcGNvFt}D*&lQ%Wgyo{3sHVL($9=?X3gR!3+)q)Ezqn3pCa#FR!pIQ6
z!*0^qQKLYF)!Jc7WN|+P7}RMAA($FU%{W>iNH+wLme#>`96Q@G{R(&O`V`54yZRKc
zowy?F0_hB}p0ZS!g$ropU|B;ZAx%<&3Pe4FS40RMEr<|4o*+Q^@L>b~q{IwvNmBx?
z#2QT?ZnMS##G`6)L2P<NNffIGrjmU2mHA*KIysds<Y`pm&3}%#_oIp~hG=+mBHD<y
zKwOvzig6Q4BT_^FcU5iy3yawtl%Yr9{6?7s3lZhE(@M)EA;5@;QK;G2h$sNkz(Tk%
z$*RsWSA8r-LyY$0m}K)|hH5~Hg_6XOYzk7z4C7boWkwq%lweZ^&sY{xMi>MHNuy;s
zHtv+LDwC~&QAmtAeIPL9Qd~uoMjPFMRXD;e(I*&1d^tyotlI*lryO@+jo20Q6oo`J
zcEGBWFervZ2gNo#d}=7+@j3<{--3_nAf}lnK(b&Vh!oPGkm8ik7b{ABF@R}wbfheQ
zsH`4N{Y9{7PVrb85aXez<NA)lzGGp*$9|)f8}IyB8~5cAD#|h#nLE`RVDY%fbZWiD
zf$YGL&9V*|rBHCq@PmeGJ_;G2SO{jmfI~LM0vWA^Xmq||u5D7NpHU_<85<ZsQPQE0
zYnBO&Z5IiiAf=#kbr1w3uAtpvf^gUpLcrv4iqcGO(||6&M~8`|Xm+rv<p{c(NrdKv
zTRZ}`I?Xi|fCZ3WO9I0`;1s580D{8%KPfdWFAe?=?*9j;|AV!GY1S1bpNR(Y1T*Ey
zMG+=-2;RT3Co}9%Xo`r<#6}oYL_lh$DZ7V&K%Nf(g0&9-fKTiLCGQ{^VDbT#FUST?
z9zZf9c}UCO!rNpqY1g5PObPOllB>E#SWe(v_Y7Et1+tn-lVKnnqM8BpQQ&e9#)gyi
z0Mchr4H|lYXp^W0qIrOBcq9Xwgn)Ak!~;VfAYFVA!JCADm>eO14Adf6C3s3B8JGql
z$tS^*PT7i1H^z~dxsy8u`7xwc#wm$;e?a3CNFjg{g7obouP|FUEd~VDHH6o218l4T
zI1^9_z!qGZliXlQBGkhX+L(EZQw=5oqH{a}g$gyM1SxNmWXOAL3Cr<?I^QM*xMskT
zCNMi9AB5>owWDr6v`$u;qRYpO4b0IQB6(OzOlS<P{pqq_O-gZ^EJ=T1LEqMh2|YJC
z6Y05<`fhR;!I^Mu8RJ_MR3%BRv&7lIiLvEMVa%Y~HO5XQfpyvn(f0%ZhS`P|Vx}@t
z#b9sK5``)l8|9#={>loDk=aoxDT<Af_EbyWa-*JRDmxRRqEb^88ztzdmIp;dx8!>R
zAmNq<n}HJ+8@?7B@Hm%3VaK)t-B=h$e5wl(_#>pk4>3U{F&XbtEkOH8g$C#XgL`^_
zsr4^V6o$MIz(CCzM$<-FG*Oi<Six_-OBZ^UF7?hVW-MHMdX@l-<tzagsbC1bO8`ad
zlmRv*Fb2j$0Buw-2E(9$H2DMpw=TdM8+HKP7hnw-y8vu>7~+D(@_;6TECCR$>y!aA
z9iZo2pb5Qjp(8P12#;Q+fPUqni~O(&df@<pX5<Zua)ETtK$+3V6AQTlcc6(%2cGRL
z1Wj9rs139{fD))eKng<-AOz%{KnbFPEvO7W0Bleh>~OFivxR`9U|J7b%R(ktx?QnG
zjRDe7exM^3P#NaX#ev06g50z*6Gj?z5sx%7S|bTM5Z<SS0buz?7V$v|_P_5LK;d}G
z4<;s{dLYt(!23fFA+#{@b3+d|fPqjLAZTE%%#0L0cAa8rWMGKM0V0C5>#rp9#87nw
zOaA-3^btVveAFMVjpN~T0I?uonCd_bZ|~kpG9&bX0I&<Rft@=f>;x_V%^+oi0zj#N
z4-yYX@gzQfa@j8kZW2tDPMw&ft`ddSTuNa&1nj(fgt+gtON&5Jk`71olH7~QAZBO*
znnI`oFr+GKQ6t?fT9B#$gUJeDAyl-fYEdB<N=lxqg(%RjUUEUwk`fL?`Y6{H0*jEs
zp4EOwT02e2snObkq$ne!5k{760`)lBGybx)<IZFsL(sDdu|xn;rwOhBM$!E+L<9k4
zw!x-OQ(T_i<r;O$6(9;Wy~qbD%>ZB`JYb0wV~G$2FebBUmHyjCNOEs90guoIQ~?>`
zVgvOcYd8lI`KALTHVtPINc_``xnigSeQG&@Sk)pJ?+_3K_aVZrB)dR45qeY%LjY+&
z8CqQ7)SBlG;emc22}f!;B#;2efFsmlKoh9+P!2qYqS8;PAIVM)R*ArX4?q(BEg@p;
z#CE$UPhE}9uD}x|N+j88Q!t{XGio%gkVTfSt1VZnEmG?(a8_FWthMbbwLS?@Ds3b>
z)hep11fk@@K~;nPO<;^uSSA$K3>7tk@S4F1Qn)o57Yqt(1Z2u#4UKSwCa^{aSQxw)
zBlJs~Q98@i*SW}-HllTwu`X>#@I}#47es0j$g^sOkTfHStPzS!1^7kTp&f`t#Muhw
z(nz?lQZ6h~E-aLbixCPSXAY+jGe-vyGghGl4C5E%4E9PqKt@492pEI;C4wnQV7kb<
z?qECtN&v%8%?ryF^ow&5v<Jh>=^G(uq?V2<6)<8y=nV&iDrUh*rYuB?V#VSjnj5A}
z#$zH%ck-5<Kcu6APtn3h==N}ElNJpU!aqk2pQDG5(bfm(_V8$v6q+@PO&ZHvT4t7Q
zX`2=e5~&7>Zw84z57FVUXqM#ByTPJWleBR8+Bjx*k9KyB9e+faq|vNWXx3Uy8@V)Y
z@92{7<cC=zLtMsU&PeWI<c!#_BxenIBQ`6^8Nz<kXfa5UtF(z4wRs~9+sPO&%JL<A
zNvT$VYE^1AD$<&jUZTksAu%f8ol3>pM6R-35fV`VQ$Q^d(E#a@cq7<e2)~QL5V?3G
zU{(my%E4?UH)_r|j#y1XRubA3gsHMuOB1SOBA^YEUyRKZ&;*GOikX#9QSqNvqtd1@
zwZx_|eh$q}V2O^Hm_?#`OE|U1Q3Im@!5|i}Gy#x<sxhuMqZ9eH7_$th#q`RIZT(Fa
zV_<`lIxf({fLh}y=IBx;CML9EC<U*G(6O=cM(RW|n8@<#G*){~8!=76Q8TSBqI5t9
ztG2@t5oHm>-KdS=C|@-ZhBqzLyUTTzeZv6-upR^gmc4+Tw6g)Q!i)xmtCPgyW6J_n
zTS~x%_yD4SQu4t4#-s#N^b7(DLF^1|$FMP{%SbH5zYGEu6Ar*56#(NVd_`JR1VrUj
z0>3r@s#taaf^>TT){K}3$*@{PLI(F7z%dGrU>K%`una<21^|M*qF&iF!%9FY5VlMK
zN~2P;o!{633RA=amAxub%wklQp9z2<sasjO*NkTLE0Z_>g?IHEB^7DwMVf{9M5X|e
zGM5>RTIsU0b5qxuxuyVbM#V=9Y;iV4vBJn&MugPlf*x0V5r~~u8M%U@nY|rwnZ8ou
z&H9N?X6A7e&FfQwl97qm25;4Bb2m5=V>dM|?BD1=X66eL&FzSmWA*3BeH8R*i6MJ8
z>LhP-H&0+B(V}B>H}JRI&H9u}H=<O2WODWqrdY?~AEZK-ws8tt`-f80MslT%Kz+^R
z-$GsZjw#|rs$2MjscRdxOL<cNQHb7|DI^gNq<}zmBo#v`A*?cz9|4q+WVNndYVF>P
zr7%)UA8M0jPsB!2y!NR!G*+aNo>ZilxK$)Tgi=QcMI;14sUf&|NhK0Gq>=j7CYhDd
zrpF(xQr=;Mg;A6M(vn4CRV0$4s!3#lsUiXmNef{&k(?}SQfh4zQb@&GlWmDn6)bd+
zYFdN=scP^MXqhh%(V=5nmgyupOBt1G41hPt0YqX<NOF={aHS-Yp(;rPrz8)T+s9@0
z_}jfb!Oor)T<PSgI&TL%Vc5RZW?yRGFQhM}^n^UVkn3w9=)T2h=hqkT=)=<fme60%
z8#(h55`2vge8C~Vn3ZqrMrQuRnzVnM6r=vH%04>8qcgW88P<-`n8|rg-j!&`j^u+T
zo!K%^LncYth%(&HIE`oz1p#Sbv`;n+JOx9{Kt_dP0x-CE3ef^1;i2HEOCO+R%K>;W
z@D;xn0`HV5ASDXK1)GO}cnI(gXC49Xi@;eO1WIxWfH9H+UCY2(1^ncI2Ou<t@!F)t
z<qEt7ob})=g(L)^l0Zrocne&IfOV;O3nA;kTh<LAJG2b4avn$vqS8QJ3P=m+S^_u1
z&=H|lfQ_g;1!<!|RLGDQlghLNVQ|nDgRKD>-n0a5t3XC|Bn8iJ)WKoEXehaj1p!Kv
z7Tc%kAhi8j3PCv_woM)YW+xs}L2iOUY5KGjo8aGzp@x9i05piWUNjUTMuLYx&`^#7
zI!-puGzS0uNU5BkPjR~aBvj6%fWga>0|!-LIHoHB!@XDz3XK7xC15yrs{zYOkQ_h#
z-jOZ=q(%a<pfqQ)L}Yc;^zmCdL}YbR1Cb$MHNY$eg-Sqh@{$7wdXOCUf=Iu70!Y8L
ze(2W@bg$>hA$ogB3)86~Yr#lZgbG5$by5~BLc+m}EG!%OlDN+*1vuScu$4e8B?Kc0
zhw3nxCX6N>QG~_c?+<4S3H6a-J!UK=L41`$11eP`l8h;qG+|7C$qFZVAx0ULe+DBL
z@pF;*8I>J@l||TC5q1{rF2e3b*j40q24yD08A-6l${Pb!iLkVkHU?!T!x>Q68hrhM
z@IPQ}@irGSe!%z>VYnZ#G*nH6&WW(AVr(fyO@)3xU}jQmF_fDOY?EQQ6JfL;usD#L
z3MdJ%t06WNs2<Y=586!#(z+1{dq>p$k~4|7+Bi$GLBq$g%shJ~!^g3FJbQEl$B}$I
zc_{~u(2@AcXbVhv2dq3~_#KWJo${H0@wx0CHz$L};<$L!UJNF>e3d)e7-(}WG>oN&
zmEbVYp2U?iGq9yh>~JMa%%z5q>he^~%0QMfmJ&K3f>!zvO2C8?uyVpiY~G$&F1(d9
zGLR*VTBNDtE!3%+Qrc9^%2-I_Qo=@MAWImM1hJH`k&Z$MQE_1-Gm8lr8`P=Vdnr>h
zIDxd*)RjDCEF^cr!bW8%ByJFbRA>-N*w0Ftno@#Cc?cy@lhUSUbfl@Ai9w`gAZ<0W
zXA{~26JFqi(NvVKBV>UvY?Kp@QW7emf$<~nNkKWFpqv;06K5b%?eG+P9s-Y2fKl&I
z6np>i;5TR#Ar<>J&;HGqhokc>&j5J}Yt{5@FZ67PI$xPbOZ`7a%U?#$e@4weM#3S|
z{K`bSWg=ZRM@#pgqh-<3{K`bSRUI$c{*93GCDKGqyoHQeT&fw76D%1?XvRvZosijx
zD$6`C+m8alUNTs^;7oyE@>pxXfnbsN77V`v!cpCZK^?q_&{u`}A-Y&UP1s_!Y?f-x
z8cE?mnT9b}`(&~vVT@G*c0>46Z9fZiW*FwZQq4bKg}}~O7Y_sDWvW@C--Xr(Mjxvi
zIHr0q{jvBT3;zS+0nLZ%8zvvJSx6oIjDg!YY(8al79Z(WEW0&9Vg6N_hu#w~`cl%c
z`c;0z{SV>2wTmuHkV7l>T@ts9x)hg;x-h$Crd5@e;^tOcxJt`$T_Y{U0!CYk?Tv$`
zTgxnrwc#Tv4iU1DDKWB;D#pq{xrvm4Ru)nm95R$bxMe6pM=!ms89>uu%PJePczo=h
z6ipdt_#B=@R*QTDaC{Yb!SGkXi{RvQ7s0_SA0v&y@+}M>A`89pGP|E6S3X9^bL3SR
zzDa+DOQ~dCcPPn%6&O+?iwD9Y7+$6L-sj4)?R>0O*UEx+zEt01<xNT7D(Ic^I+MO3
zsXBsKQ$Blxne)*(d*?DadW+)gpFbk4eElx9?u1xWBZAof*z+iHn6>FbIv1kwO!j-E
zuU-FzW=(kERpy@_0;Z;X5~?%D4TWaJQKFwQ!^xxU0YIbN9B}jRa3O@xbe{!xrWBb>
z`TeLb6*0&HSiUdiP)PwSUzgIoEFq<enAI#)*9jt~HGV6&6QM(f^p&4_I6=J~HkK=H
zcbY!?%?o?Y2z};{wut+LPD_jj;_y33%qO`yOl~JWAN9Tqx+^u2C1f0=?tMR7)b*k)
zpLMvQ%<e3}oyR6dA}Ar}c>OcHZ-(6>5;o}@vP1{-JD}Fd6O-~p<(5d5fXNb|WQkTe
zB2nKbvIC4o$bbw*$=ER$A}LQ`LP~oADM)NZ7=|<6NNOt>hB7!}7{P&vV<tu+j?)A+
zUNA#bsKhamMInv|DGX#$NMmO(LsgClYhWo1WR#>fBZVQ162Sw{I3RhtDGkU0cj(I(
zevM1NcniPcVR!s$F8{LN_Q`x6+jT5o2PmXB6Y;;KrZ@Bi7k*>ONM<M!kjT`eGBW~@
z-*+3J1;*&H7k*<fDGk;F5Zq*!e}|Iq@YGHDir<GNqLxBfE|&-4#?edciUa;~{5Z5y
zVj$@+I3Lv#C=N`NupB{KaTfvp2lqZ8{Klmp;i*UXc8EjGY!vkqf}Y3lQ`E3d%}9km
z8kDDa2vhS83EL=KNipETI|ijm;s=7B;O<k?<;r^-xldBLJ24^@{AwXj>g4T_ZYMj*
zWAJ|5r?y!ZE4D?P7!oV03P`;o9#r7vJgq0`<!KGal_U0wD@D;oZ|q8yvY}L};uS^&
zj;bK#c~A$Jm6UE1P(&N*;!EnQi;(D&r7%jRFcs9M4Vsk0#R_0%p+l`PF$gdUQVs<u
z(b^$IlWJjeWHNLfOMt`3cn*3Dnqwp^2b9wYtpX$v@=|6VLM9tlm>|VW5Y7mh#z;iY
zL7{y_6fdha>Au#ALD|06j(N$R*-44SFq6no!TUZCOrSZk;R76M5p$1WQ+GBJBH$dp
zR!sf+H8nq7yqce`JmcPer3J}R51*-!3M#gW3eW=CrO@=Y+YU}R3N7xrWq@u^2vu(d
zYY47q?by*1$oL2JE~n{~M55{h-BHQQEsc}hg`4ImrUi>(Y{0)Y<K-0bBWXKfZV|c7
znf#PoQFgnxIE(zC;3rWnx$BXX1JQ$0nw2*>3<J_Oh1SCf--N)PIt4TNjgnn!mu_=3
zSt!?YQ$4xQjSVF<o>a1elIloPNi}6@4&Ds>5(Lc8!Cp+X{1tpi&%sqiEc_9mxc7$Y
z;LpJz0++ipNurdih`UNh%XmpEJw~MwjZS2;%3Ro;BsS+#_dhOY0+1$V(HVt6QW0`e
znL_DEblIlnh1RFl)lyzkNxQ2^6SVVl@}<mDl@=O^Dgres0qv<{fP#=lHi-H#8IKM+
zvs4+??v>!Xb>4que=`|`#H0|GvnZ*BnNeb@PvDCati)fE@{o@*m6DJ^DxQDO?)VBq
zQ{hNqJz`XZ!G}nOY(@YqF!|W7jv6Caid5XK0+7Hq?7+{=TvCx{V@*Y7Yk7yuKx!6P
zh+D$4iUKJpldObCT*->1FP<IE7U7}wIP%STkGzK7N;gyct})a;btzp;a{4hiT}m?I
zY;oy0pd3S&9A_AY)&|p+PBL;!K`u0F+iqJ>EuyBI!%tI6Nu<QnR%JXQMZ>7k>av{7
zq^4IBC@{)QGMp?YwN&D&Q8<v;zM=%w;)f+y1zUw&Wl(ymK~#XN#G+|)1G30y-&9TN
zFXbMhiycL_qZUzaDBl!7wwZy?mWybbM5e)0Or+C+HQ<|*O*o{PX)qL8LiL&|M3$OQ
za!XoEdP%w=9E^yq1YX4K6phjjq7Iq}u=U1zFFn9=tT}U>hpS&CQfDtSoq5WL<O?}&
zoT|=1$1!72JrDsnf{Vb`ertI(CCy{zq{*y&)kQTon2iddmNv<Z{KOP71Wa^HQzknm
zBcm0A7L^%TgiTM#8^tleW4awN4uC_s!O#eF1091v&LwKNn+IA4Y=?CRbq7Rat`X57
z?g7<e5>XPE_b~31cXl$j88-}~hHS$tNXYUsCZ3(Oih0ar5E;W2e-&62Iy<CqAsZnb
zK@@j{Y5f8x5f;#C$Th+nqzO7gOaUrTlXr!g;0Q~sBm)WW1jNBbz){!~+6w6f7Wg=y
zzXid9t$|12t>C@4EU<J1(*X#8*gPFiv;wCAUI2u^DDW3h4sZoH1K;wlKX|rD9-s5u
z<|XHQ)y>vT)^XH)>iOzEu#?OvXH#z#_T66HJ-Yi=Hkw;e*y*;+R^#qgo-Nxs+tsxR
zwBxo(wB@%mwehye5J#h28SMwWPtf}BS>yO$?|t)u{o}dE$+7GrE0+9c<Q?EwKNeHQ
z7t;gr0PGm<O(@8>eFN=|yD;$@m)J=2FKiFT6YUR@;x3i3d;{l>xT1#CsgxkuNR0(J
zDpJbnw|AL*4`Ru^iSh?mse(tDk9o7>j;*4Gi!4jYpA2<b6Z0r01>_HYI})sn<0*!Q
zc{tMdt#t?<^@m3z%!vrAUfu-vgRhE-OM61csfL0lF7b~<iSHX!iXSi-!jrD?JTB6b
za-LI^<6Ea7-8rVoP&7{?M7oOAp9MW(U$K?cC0A3ucEJ|tZD!#s+ckQ;t8+lJnxf6>
zw&I-}snJS}(^0lcHOWSrlu<Dz8(UJU;fjECNRv7<5{)R*ri~%wDbhldSpq}nk`tXW
zOcWLBl|g3PoZIl**xH@i)Y>R*Hf<ENApPgt(r++|?Dl!lJ?Zo_OoUtM+q|B1b=6bR
zbCBtEJ-sgQCdI|_q*FUY*Kpx?luY7RZ4g-uxYdg@X+qRFtCVJ|vnZcjsMn$8CK(#n
ziB3A^S7x59gFFMaP@3~(yxTs+#YO89nyIlZsi4oM324x3jmmHSd|{>|i|2QebA5+5
zDj7^>8w&6%!w7QbWWBs#VQWEaIOJo(!<2Ux7u9gkD}@as_eQmiQ`VGPU)Nf-{Fp?~
z{uC0Vq4bpqh~iqTCAxxCcpV7pppLnbrPQyKg>Pv=%D5M4AdaO-=wOEVhw1u1U*mL=
z8L~q4lwS9usuJRNx$2cDdz3&#*o04*M3V$gTfY96$OYM=`0Fb(+`>4QAcArse=Ur+
zb`zZdO*}JcMgw4>lHy>Y_Rd(dmjcYg?N@QU@?m=RGHRJ3=LI&$Zmd4UZFaw1cFBMx
zH<8}`-bYwBtcJ6)<;>~``2Y+)Q{~_e)*h=zw7V0vx!7dyz^s8|)-1RZ7^oktlD`Ih
z8e~VV_$dI$17Z0C=XNQK!zpQYf~$~<O#mm?-~ri8&;+eNfDf?fU9ibrxXDxanO0#C
zzPEHwE{PC>`R9RvvWpR;`~fdS@Z(4j1*I&)&mw>!b;1Fb3U4`==~D&0Rx0SZ3r#5+
z<_&bxtEf=JO(SAcE+40*1w<%bo|Qu62~BpGL+EFpRORSx=2zKUN4@4Y2>a(YW?HgA
z2}^@G^?4x@6Y&XDgcyYL4xGSi=C23WCMR;3Ofl0|Ww7EkBxb*6Cxk}3e?`52q(DDN
zn*LH-#2?`e&Ip?IJ;39n=&tspuE#2U*3-M?aQk}<8P!$_Owx9^*~xUwEhE>0pw3;j
z?_W!^+~{3lJevc6sz$ogzDmZvWtg3tEYIkgf~!QT*GNMnb=s&EC`>m0sntb&8WPby
zUWNEd^PqbyE{g=7A_{JRydd~!UqW`e3J=C5h;rX>1^a+6tO0!B3+Dh|7y|Ra6)y=Z
zzHIqN50w$0$eNlNb4C7w_5hGV<N-B7fdGwq5x{PN)B!d^^Z;=z*9Q}A0iN+W0iGn>
z^oRipBBl|9F)7Fbs&WS9Id!CvxL-$B_=c;_e(=D6M@k*9(J=vjvn*I;eH?2re2!V0
z-xAD86_sU|!c~hIR%N&<$`{2?l$ofSt4H0{lTP}nKV4YsuBz9ns*|d&Z#7(wYOSv|
zSyuH_i+ZdXy;WzuRX?>?FKVtv)mwn-qTxEIKhCNi$0CNLm{4FRy%Y(7vcfQERzzD2
z&p(JA<OQ(mI9ogtIA<nS>zvxaP7Gns<KA?Y8Uc{HGu&Mn3Kct=F+;gY0A-&Bi6*3A
z)ZPeNM0hQrRtie~f|9Hr!yMU;9;A#tdmmmFe{UJ@ZwQyCj@NgDo3Yenv{}4}i;{1L
z)H6ScFI8TBRa0=YF)*`pc)|g;9=@C`Q7kM)ftE;?x6KW$hm$*D%bl<jXKW)gwhCr;
z!)u+e^yO?BSz8XyR>O}AU>?HQLt$(b%q@n>`(fg~*eUYX=ztPOq<|*L%55jD=H=>>
z<?3Qe)mXSx99${`9KVTnTi;e&*cABlDkKcdl}13eC=a?NQJV#vyL~J}{+zfwVg*j%
z)k!3MDOr<EJiM`gZ8zP5YctDYHpm=kK^2>Tx-SMJo`i9LIJ*h1Uo;u(P`wW_#q&Y@
zrvJ7Lv2ym4aQ4ISrI0vM!L9*XICywK9m*^%qF2qi3!5?+wh3=oa7WDG0OH})mTc)i
zjLAK$tgUz1Q1=xVEh>bx@hgQemCK_LNJXkBYeiJKB<iVah1F8KKPsdS?v+YA66&Ak
zx+$JlMK(_8rnOxZ%?o0h3v5#~tcqpi@k|{}6wTDpOgzhKKiG9i*mY4nAq3C|x?2SD
zYGeWUf>;DG1h4`@39trQ1ORu6O_mRk`8b;XotKPZp6sWr60mI9>#$A2rjn!or)r@8
z>Dr&tGgy1`4OV!~VmnaEA?p)dlcqU-0346V085{c0KYcMH1^6g_EI$UzYcpx3VIxz
zbLNiygqTIaOl`nPO2A1JKvYuwRipQWwkLK0#SAszueZpKfGL)n<dt*el)KO#=b%02
z;3SsHn418=@U@gS0rYAEnWzZ8tV8XrKzWc0J(P}BkPHow4=0}f<$GP(uWPAQ?Q+dt
z*EN;xahqP(CTiO59a~(RQ?<_RJ6#v-8K`X50;om;sFoGli|ev$MAAGw!6j%y^=L*>
zXhmsYLS0x#s*%MA<A!(DgtOkjYnQ-l55Q`jU^R2F8t{V+LtW=sf1OO;`nmnJSoGC1
z&s`0A=LQ;vF1>l$_2$>8Z%(lKHAb{+md~$0Hnjt+<uWuZ5&MW5ZXiLpflV3*;h`~A
z3KP`}hN>0`R4yK<R~S}W`RcWCRcnn>%O_CE&`!$*PRh|v%Dzs@8Kz}y6Ecor8EeT*
z%gRj4Hb%;~BV}O`vXjV}Qixe~NLf<EEUvl+SeVNy8IK|+_>ql@Ds887LkI?4%D~8!
z3hTJ4pj~$LM|D4!wSs|g%u8@UQLU=v0J?%D`dIW<cV(6Eu}aPYEw6^_M_wOXb>MPU
z4eFsSRROBC<P-rElAsKwvCvx{t19{CIJ(6r2q{5~Pq|EFt<D$qPZKS&Ih?|Ki9JB>
zq<EPSfBuG4UlA=c)m9T7UF!<`IqHBWDh^Di!=BMPrBmC~2SXun@*Y!%2t48Cli^};
z>S6xGdQj|Ro)$u;aCa0S9KdR+Ntzb1wbk$~hk0ua+97;*!MJ;A*ka||DcIv|SB$rN
z4wBXpTt@ZD2E3Js_uX^0Bid0>uf$s}Z{DcYa_nD}9T4)DFpFwZ_>mifEKg`kPdW~(
zxmbNjR5`BNU{nH?hBFB7Ns7hLW|*p89Mo5RENHnt`LalLF*#aKl1f?6O=~<EBc-7o
zOz$#U(jUssScM_I8D*tAwIX{F@<z&eIH_VM#Wk9d%GgMcEJWoL8)_yb8)%^0J)c9c
z4HY1^!?+BHR)&ZOIuY1*QM@J;bqlNSj=*Y$kSC2Wo~0s4b&12OoIC1rP6X8CaLC71
zb|}a~>ByRy2m&yliG=!?ZmG!Orb<UP^g*^H8&rczr6P4A4N?u6g&@~Ei|XbYeO-<T
zWa1Bfh1Pl?9=;@U95OCMVwqP`--!CD;q6d0BT7<O6bAgME%^RKOZzErBZ;Nn+Df~7
zIY4X;r)n+KXE%L=C-p)SMp|Lh=TnZ9M^DDU(lpnM>dO}Z8kc$V_)NzPO6^{3J#y?9
ze<g1YQ+p37s7=X+wxO*9D`CoR(2|^21hK`V>_aY#LGYx2x$l9`nW=^weWD^v9T5oz
zDIv_Hu9=4EzRU+YnH%MiD%`0jc`Zo@Wn(L3!{lL>Oz&n3Bm|H$nN8|e+3w6oJ?RkT
zotI6D-jZ4Dcy?GlO@ox^u#%lErghLWte=e5`L{@YBBBr-MW^6$oi++nxHxCNftlrk
zVjevasG)d@2w2O8v;7JLL&U`iqM57n$-Y_^{YxlHVE#Z-1unK+3AfrG+7^Y=+B&UH
z^jNE5nZ%aX(QYhYSZIttZDc$SS09Qg7KWi4<J4E`Dwr&%Z5c6#&sIg6a-?k@gM{Ox
zZJu3>06by+YVvG?VT{fbPWpmNov*>9Of`Vj5~M=xkt_r2Hbht?HOEM<6cVNW7z`en
z0y8{DUMyZ9c@%tgd|3Q_{8ijl;Dpg8_{ufuCczE|L|-9_FZ#P3hjd%Xn+N8ktN;#q
zq6$Zyj^G4M;>HYP5q-=^rOt>uhY4XYF@|g~LQ5Um`DsiNrz0gm<c~EoWMCLOHi#mp
zE09v`fu~4g9wo!=Bv5qjY5|lQM;Ek(VI4h{`{Js39&Mz}k}ixuI%D*qY1q)nM~){e
zv58_H3#k^8>T4cZbNwU_!$iZWlpExrmQ;eny@_0cv_zy8kWx7FypB2%mSRnAaq<i2
zSMrh9oKCOK1;3v`k<$JNHOhdI1k5QMleCWYaUyz1OcV5p(pX5D#XO0ho|z%bGi8x7
zlG;tg+}Tn<h8@xC2Dl><+p$h5FzSj_2&9lK6=al#43XR>=BiReZr_p*Y*r8teKs7I
zC1B*RX2&O!qBu^YaqP7f4jFSUx>yf|1Qo{w(7ha6#Eg5AYVb9{7CA;GY!suceRUEK
ztyL%0WJiNh*_5^IbG#!YlYAiGNSqKrNOTd|OSmGUlJFphNyGrHNO;kbU`<Ps2LAsG
zm#_f*(JTWdYH$PeZR`LzG%5hun#%yb8l?bOjAuYS26zB!j9dUsOeg?lMt*=OMb*F=
z^22})^5)<UAxmHdNnMKC7BYnYG8E7Xswe}DiUEH`027eF7U>{Bl#TiILj^~r4O-zj
z!*EscxG$|S$dse-ur~%$jX|YF;KF%$Gc3FtTv`n8Ee08jL54CgWGsvtbVdxTkb`ZA
zL8QVEZj;J<W!<y`@KI<0EL4~R6szC@`Bs1q6ccO7a#gSfaFDPAkeNUR@h%VoIXyrU
z!ioYjDt*&i66>C526-n?1%W%@3-V-O8FExW402WA74iij0kRjs2T=nc4e|bf8&Sf5
z5$Lz)lU#E607Pc^1U@p<0G>8j0GS!U0LU{?10Y2EFDNmgU;${tfCgco;0BejwxFjm
zm=FgK6{rUYzkmioU%(kc>Hv70bNIP}oq!C&w}3Z@wH5{TD&ztDE))ZJQg{ZTe?SL8
zE5HqrG2jQW7$6G41|S4mr~q72&)~(@qPP`)QLxQA>N5qUxOXZK;MbGdEnVs&O?^W-
zj7T=u`YF{=bQ{h~ZVqk+Bhx&&JZj@5wr4o66W#6D@jR$YUFSJ9nD;<WJf5LxZK2K;
z<sRZeGsyrtmW57m!tD25LOg`H>1*lCc7}Vk#vV(tscT^79S}M6E{!Itid(>A0{o18
zBLS^nVU%xEKvhYqq6f+VaLyP2wK$*wwEF-(CH?@vlCT4gT_6g{qWDBl55=ZeW~0Ce
z#()eM$|p&<er-%-7L2E3Z0k>fqys(x0~&gC+W@06k=;<=N}(X@h5|LqHjxo+2zXb+
zTfia^UQ^9;XHZVQq|_7qXbj{Td?wTB9~^;fCwIUmq27>GYpjJlx-kxk(X?>%6nOE9
zgPBAWlDvnH3)k!(xbYa_&?I}h21v3aj9~Qz7+xP?ppK)nlM^V&n30mPJbWOUO3)HY
z+gnPWIR}c9&J1vlLGd&>z^ehwi;ClJHK%zyCJd|R>_c5?(;>`<OqHNLRU8~ar!^eZ
z=Hd=nHOM(+RseF`^E`1$yxEt)(9YhFy&PZa%<52~jiOOpZ4j{>JB0wjqXN+JPRPK8
zFv7v7#3-CJB#F*AXh=c%!$Lwg3YroPepJwqVkuKXLFkGa5)XPYp|hadQH>p-h8BV;
z(@K!Sa~6!%xLh$1cwwmtn*j#rLq@jD87Qd>3KpcpEJm#6%&=||IT*_Y7Dy46|5@Ou
z#%C#^!=Q#I9`OEl_}pOD!$Xdm9l1$1DI;bf%Gic1it|fRHn#>w!70{ZJBC++f|gn~
zkrp{ZAbAra3~4eTJt9OD#7KZBM2Im6kq3Bz5NijK0vve|D+Kg&U^29GGvFI`URc0a
z6qpz?;@(&~g|F?9rkPhTvUS^&!zmM6v+-@mkN`!g#TsJ$;)bIVg4Glf>kt$RA&Q7h
zgslO!s<sB=ss{>@F1J8rZCBy3>3Av#YjBTiQN)8NhZ3$@QlUWwa4OVsAg8F}L0?F(
z1px(pb%|94u?%&%r19<iBcQ)mx?~lhCXN&=?)pL@po?ik#8ReCG~NuFh4YR<?;Jnm
z(?F~Le)tXCjnK@EieP4dA+n=Hs(HSrNSmb&3xZVd?clwHF6DqUmX=%RZDFJ;^wV7=
zSDmEYAL(NOOJ|C)(VoMFWFXqhY$YZvSDE=+Q_^$G8jIOmj2ODOD1oMU%d*ZkTspK1
zGU33l*%wgJu{u5H@?&cfGCeLB>wX7nq%!X`?Ap7a6_#A^&K2J!9%n9MIwG4OTZD5&
zy1P(~4Cx5VsQ|7srG2FDKr^imsp%M{kj|#7gkQ}fsYFtZUu(i{vcA^YUrR~Ls@KZ;
z`8j!o3le4cD>VjQ!pLZbiX(8>kUWH&lB@WFqE+PsWf2%?8o0@Pi3ZAsG|d=QvAV8Y
zCg&+e<CLPxWhjn0N;g?bCaK9tYiXG%0&zJh0wNC=83n=^Jfc8_XD|>()0hY=q09sq
zOy&X$T5|ye=Q)6aWR}1|Il~4%TYTXyEj|#WVINeOUa5a)Q;OC;!WrkI{8HN|#W2hY
zxBtCCP?z|eT1kCzygq;4>rbEE7^;8dFl$DS3MP8Tkpn%k=b@hv<gqks9@drNk2pnm
zvF(vwOnHJU%EyNSzOmL|ueLi=E6t9+r5sr3oEhnCb%ZMRI@~Jz9dOF49SVxAj*~@L
z$8LpLW0O*-V}W^8Sm88PCO9Y+O2-5#R<Xy_t88#DDw`aA6;8(m6*L!f<xYbrDd1HX
z2nv$T;3!HV33|>{wSO&kmn#-*j4M><mRbTjiydm%UW@b?b95t$z-CPbwTzNA5yi<G
zPhR>sbsCIF)k6*1X@?$Ky1-)xF(&jelcbx1q>$&qr&NL-G!Act=as3w#2^}Hk~0!b
z!&1x4pm`AvP2x*!1$cZNfK(r8g58ZpG#BgENx`Apg4-<M@@oaIfOb`vKOc2WlTXj*
zen+jD#*!bVNUdSO0F@HaD;K~Zq^VgCQf5_SZ9-{)88XP;G(fO>aGIP5(BC6!(jup?
z<ZLk*;Ytor&YGY`9=jPUA^x#cLcL8YAP0Sv*h~aLl)9`cp_+kUGAAgh`>Zq7#73i>
z2+G>THSBf$VQvHr&D0`>imh6ZwP5X)C=6)B2R*r<fx<2W2bybz%pO3u;K?GII3(wm
zU=gttV|xYpG#jLZNcIA5Hbe`24Gb-wfi*E63@8Oid0B`B2cjSq=sY2rVsJ)En@9G9
zG#u%M3~Ivn=5VgIDxklHtn6eN<W7J~JM@xlAo+ID4IFiWJanL67YE2L2H|c;g<Jcs
z0^A-aY(q!C^%cpJbEv9262f+L=O1ffiS-nD09rt$zu`zGGzY>^d0*6Oh~fNHbbey@
zC-{c!J`A;UhL+86$o4$`QLYEz#H3&0#8*S<)@kCghtvw;Qw)d{8NXK;)o&TKYZ!bC
zsCNyt0v?Ve!|=&B=v|pwhmYgpkX86ScE1l(qVKN#DLra1xdtDR=&lTmV++L~8=;ZG
zPZ=DwuN3t+QY&06(BZ=?0+97Aip6i@cCRlUXjzA;Ww3gc6#RL#Q3vtr64><*U!?#E
zv9X6YbLIjEtE<ql9<F(Iy#zS*Md)(1U+wh^;N@_c(l^?d#o_A_7{(b<+yAQGm&D%&
z3C1w)a0x}#ZJdxn#bW?0F<otnhu1?y4m6N1zy!p6MPe2BgF89=u0uOD?GD9o_U0jU
zTbbVQ^jE$-<>1a<b{pSZ^mWPqjw*i)oXYKIiM&zQ?q_)0?>GeY2Z20!)n_N3^6XoX
zj=?_jqn)sG@z2*)-DP;I|D5pW=h!%i_V*Q@X}}>u^WQp&$ZlqM6Zm$ssotjhCoeo{
z*e6;zmf#DDFMoK0flu#oS@v#VxB%<plg@jXkM4nSGnn1D;%8<$neDIfb_lhJ&|C=q
zZw_=bklu9bhxE7t1?{m|UU7f>oUWlgy~QWDG};e1Z695X?Ey7u?_9WehnHMt&kM-N
zySOw_0O5ZYSiu2!!0Yc@c8-iNslnpab9ECu-Sp4L*ey6540hnb@X1+^AAVqQ_vVX~
zHJrWq>wJCq4|pvYZ<GA_y9dUMHJR^ReO5lrCxG3a|E}Ak3<jeO-p9bId0koAopcvv
zs;K+PM}@M(sy53l(sVNx>edIkvY>TeUb-hb&@vfWh6|!?S-L^I`%fcEQM8gEclyZW
zn-P9cZk&0I7;YT+VN!fFcNKz!_V0A!S6{gq&rbt(6Y^bF?8g!wxjq_8%`CnrihkGn
zbQ1^|io|9-H4(Nfwra~iS$mCuEZQK^mUS|Hq>V{xI{?iXVwJ1ST4xJ5+BDH};ksM7
zh0F$*4G?35xNeIsCBto5a>y2P8Op_$HUb=%3@OQmewgCj@|atURtwpnj4R28hhbnH
zGGU>3EE5~lTP7Qv#Ct>;`6e0JlMO|MfTseHT3qEOUtk41FrHAxOc$&LB9U|WTLfI$
zb`V3KnT5ErU6Kr(-~;87({T*UW5<NIJCRiCG_rn2Yi9sPFPfNTjQMAtbK2vbb-zS|
zTK>JPDHC}{<_Rqc8+pwgV`-Mnc5ACV*~F78ZL3-va>jNSGljM0!QiYWYzmhPSqhgH
z(V2eF5jHZ5-P3?$z?HpBz{4)BqD+VK=&~J%hCtg=+)W3ZCpfxd=pl6r@NmVQ@pA@z
zK&L4H_C9_PVAHHgw4$g}BR!Nb?PAf4XPK&NwjKMZIHp)gv{huYNP%a<nzOJisZ2+6
z>$hc>(kO|AptLc8HgGhii3(@aKw3K5mIfM2GD~&fG}H@4BLSK~^*RvM&!D%C8Ed9k
zE2_%}wYG{rq++o{TA;;(iW-p5`w`0$#3o#gD^MIJs|cRC&0q1N`_>b|G*g;rC}VK(
z4gH0A-UhGnXe@9q;jn{G&{qP_4`y(-9LW8kH0XdDcHm}t(>`Z&|1BEQWuV-qw3E?2
zkvTJvWGu%}0m@n{{3V=e!$)3tY?UR4Ws>C;^yP1*Nmt=g3nuH~fQJ<22_(x*GE71^
z;8c(+-GEI=UMHfl>uR<}J~}4iHi$adOUsH}81{k$BddjQ(U_WnkC9G@B;b{W-ytI|
zA8xdOSppge>`Fkk3Jih<M1}xO4jeMT0^PbGq7|JOYCObyE!J2+jEb(Z?%pTCk-Gcx
znvj?)!?YZqd{k0Kx-uV)$)E}!ogiBSwIuv_{+_Cgg7=6g-WeHJmk2-%G(`%PavTD0
zgaYKVrKql8wZj=6%fXT0WEmc|!z0=359yb;Hy@U|7IX$%yhAO)h-7;Lke6HPN^T4c
zjJLPY{uahmHg+fPL+zUQqhJW9QR+qTj71dg<~9_xZIO@MIKt>Wnn0prM^1qtX6o|3
z=>b{^5**Yl=fn;mo#f@&-PfVXM*Fi5OKx$x&U4)9@wgLSBhqXY)V>w2aXbKB;n-`O
za<{C@-Ke>jyL4;J)%C>W!3`7*ehkFeGjT@C4aAx)7?`=2!Y1!8VAonGu42H?0dM3l
zkgy!EV7D;430^Xj;)&9hg?I|Ll=LeAQ9M(;sZlzzMLURq4PJq<U2sV?O9E{;2}nr*
ztO?gpOc+QtVH<Wys*)}wUnT=--<C;&C)PkRLx72iwAcr@>XS0qk1t`~<+&A73Gx;M
zRY>uVSyz%J<U0sh#&$*l3;~S@w)B;VXbCmg&h>y1mNAxLkAZ=LpTaDJJ}i;vv21D)
z*#0T~sJZqT#jI)hlFf%!EMb(hiD>>G^`BbfCMIdvhaoHg_IV#?;F=yQ8eO70J-F{d
zbFsG>YFgCOX8s)^f@HlCAju7wp%z)pcif6p-ZjnJ<F5lD2ys3kO=s1(jZf8!Ozu(`
zD#idUSjzh)9Y~Un2O<z5a3u=5s}c};oA?G*jZU?=<8!MUmaTHBVU?pf&xf!Gh>sBu
zf*ayE1iOeZ2>%Jl5+EV?M*v08p5YGy9m2STJ_3IQ#s;(%0F^;50ha^U1Tqdh6-fo-
z+>|;fOEoNgP6hf3loaS7a4GO}KCJtb_Yb=MZLU5B_v+ut2}QQ5#IP|E-p5##s?!l7
zmDHy1CNE+CwtVgJ!mk(ve4DOZ+B{QxZR20kUqYz2;)BEGFRGrSX;-g}e<hxgdOhVo
z*j~K-ID6(MMN??Bt`n(0Jp7w*JK$HvJBl5{=yol)W$hnP1>4hOrro+cvOU~BkE#{#
z1xy^K_KFbuykx%aG{q{M6EKo@GZos&j$_^Nr#>wo-8{@tp3LhiWc9&}-xEg(ot2KB
zxNN;ib$_S~%JQYXS@d$#+dw@&@}bH9FM?oIOOl>Zxsl}*o+R>@F|7YGfX|tjc3+H!
zxcT7;h(0Ws32-~bqY8{0_z7_B;>(Q|3M^4Lfz5voIkSKU&73g%xNbh(*MC*=SL80M
zyX|^3^Mhl1eanlv_l3T4{!7jKOD2VGV^}aBCgQ~zDC0cO<_*{)V<JiUs92)Z@bQN$
z$EeT>5=sX1F!J1)f#XJd$B8mnS=?Y9sjL?@v7OcqWsz_ABaFcF>x;4HF)P7ic$A<o
z8Q9Kq1WY+I?<CR@MA;VhKu3=zQlrQXDm;n4Si$q;IkLD)TNE-*J1*74IPnn0<p`F!
zJY^#Q&6>*881aT;@&wcdAGaDw!*LBx&q)I0=p~v?M_;P?g7=%-Q75j^AE~5n3YeDM
zn6{!wA`@9#p7kM|!MM!k0h&7<HK{ZTEO=I)M}<iU*(Kk9Z(Be{XX!A`EU_LFWqmNw
z#{OL2PYitWqIwXt{ebO=mUC-OSz=^ohA=V#gLxp(`(!k9$RnZi8I|O8K0N}Cnp4JJ
zp~EMsk<<5NtRMo0OUHN5;obMbP54(LM@Yl{u}wK(*|_bb00`Q}pkj5oBgJe|Fm)uc
zIGHDxBygk+i~tmg(lH6r+`bW1>yjt~C2=RBOd>?|fCU0qT7?3yG6!0RLbz>88h)w@
z&qG~mxm<)MlwMv!ui(F0&4o`wYD-i!RHPH@SU9XyBiEXssB8t-nb4}Y->p@Gzg|6R
z1PaA`I@QS)028QM=S62CYRgdcRn5KVVx$!acDmId6?tj(ue4QW>3M2PVTH`=QkYh>
zB}gY=kn1C^S4dYmh1Q@rsgH%$ypdcbccG3LR6ecimpUt{5+x@vSENqdNdQP2PuG<|
zR(DC(zadnHcdcGRvq{fG8Gx(~JJ9+Biov5g^Y#_x#dVSp3W;$2Yt0SS!gVeb8wJ9h
zKEqQ89<0Cvc`!XnEWJU0={aG%=l-dF!Lui>tky$7r>?BP!)k8*QtJa;_kO8!VWRV=
zQs{$U2Twy3kZF?T)oz?M!g1<XaBc)FGNn5P71#Qtf(AHC{Z?T^I_tiMx&ZxZ?^4Bs
zGfDkY3xgK)?x_)3#KhjE(*`aHU0KtHLW1?xVUQRmrFB?=hC9Na0=R;SNgti@o}qBF
z5T!y73Py!@1rRyj5qSIYY~(<Y09-&<1E0l~vT4Bez>p?<3IYdQ1~LWS1tv1|P>NCx
z7yao}2oF<v6GXG`HC~nQFCZ?Wt_GkE7zh*103!SkKpkK;;+_Qt2B4>?og)@Nog_gB
zKvRlQSRoWs)S*B~Ks8EQP#|DM)VQEXk}jo7fgU7XN+^O-K*uS1eg&jHgH$JK_t|f|
zU^aU4QkB0BgFQ-<{4z#5l#5uZLQ(0cZM9AGkqS(`Ur})pub98@HsNlib9^}z<}8GY
zbuOFbXn*zz>BxUpR{s)%KcJsy13I$w_;d>X#r>WK>ai^Oyb1k9dyU_!%J$o7=Ii~q
zDd;rE;IFszE$zo{s}b*yj=$GWpsu}E3kOXH4a9^_-A~e0PF@Y)iW^9tj<y=S8oxa@
zkv(X4$agR3ztguKs|xLQQ!LzFeJPzaYvZeb_95w8cU6RP@jJL+4|i?$t##<8D8Y?t
z&t)4E7lPO0AFlnqRs-KBJ3p=uU)uU?fqZ^w{>{BN=;^X=@{yDJ@ARvarpV7oegDnR
zSXs>2OJiT&{OGv{UFov3t{PZ4-K})yaZp;AEl+IpsZLaEA;Wh(lw7Os^w~)0w7dCn
zX<a##N=qGX=jN5k>c8ea&d$G1Z@J=`U;+=!?zc{LJsj14FYZB#eKt5V#4^CdL!0#;
zn;@Cu8DL<A=D$Ox$Tv?756w@Q^zNH8xndbmV&%+2S51@*vIi&QJ(M%d<q;|_Dgaky
zhLsM~^DUFpnJ${R|CE0S6Uu_$s{@n(EikFPs5$&?oOOY1YzgH-cO-&y%k!0tewziJ
zk2wFA^{`%4AM;fTH|O=tjxSA!XH0BQ%$nE}$|KHdp~U=~w!wK}<DhpF^0u}a<q^j+
zEMb0YJl0`!*z4#hLHyAzi_S<Mfk4oHU3|iz^w~t{W`p^}a(si+V0F+p2lC*yAvGXW
zaKLcd6RPS5O@i*kBmb@^SeyQvDmw+I|50yMGwz!P4V8z#Q+rXn-kUo67EgY%i)p5_
zg4X7tJ^HyChn{rV>avEs@SRYPI&AjY{de`0YeaX`VAEi_@9HS)26fY8>#@S?rE9i#
z-2F?IN1ah05aXH8^Vu0XfDxmPeyhH?Zjp?EN&?}}PDag<&2=V*+|(yMIY4ZIxan8Q
z%IRSrrH(oxJiNJI_4Dh7*Ip+LELVLup210X)wNiceK#h`ir=koQB`kEf|kyrzhruK
z74+F-*sH4ktzu<e7Ah#>ud2nV(5IroT0#XsSB|FYo{I!vmPx*@jy=S^76>QmN%8*T
zKS|MKPbYCF#@ibM{T3bh9_PL=JXR;VELL(2M?G<qU~{6x_Cbv2#1oHU&WjSfgITZk
z!4C$yEI0BOW_~09-yst{78iLU208-d$aXQ&VE2*MW1`4DOA&sBiR6zL=*Yv7{9mI!
zjDul*g_Y!2;-im<Sr2Sfa!(wTj8kR$oQuN#z6<6STi3ySrLh~=#QZEVO&7ZEKyCL`
zl)cQ$Vzp!svi8*7JWa?wsjer@%_XPZSl6tCx3tFBFt<iWn~wsXuS?O*AL;eHLBahB
z;JFF4Hl?k&R*&RBS64KHx)t4W86D8DOP&GU3Rc|Kj_6bB;rDH-%GVU@Yl^8abIWLi
zg`&7uj_Ap!az}2R7Is{g+DfWGiEutQqaeG6c;1C{+*u9iSar^r-i3Eu>KV|oJB|UJ
z3U#>Z8S85qxZxSlt5wNp&V^rGDGBINp657ELe~ULw*q>Xmf?t=bt&B9C!J*%5(IOr
z_TYGqb*S9N5zet&h~hcb$8kVEI)tuEhv!%w#CT41UtFRI&b3>fVL8{GbC3@@%We$7
z^Q*q(1P?mnt^t5^ua@G72Rfl{0c{T*b+;cD!49Jp$LJ1qs@y?<=UE-g4JA{q8lcbz
zI;^Sy=?I-d`io!r)HtckqzF3mDtJHVQ6)&P-0K0T0sEa+wGov2=?}ldPu}HBLZ7%>
zc4a?!RW=%Z=_*&A`|{+f6*T+T)WK<BeA7)Kx$pTVoP*(cPZ8#!U++4C)gd19tfrv%
zN@;(Ps2<bv@j4nji{51fY671AbA?62Qq>t~GY79Zm1{AKl{5m*Ov`!mu1>q&HCm%7
z;V>Wb<XoBf*XJ_bW@2R?%&L^Y@6UjAGx{W<;gyRr7VnvU6AuY{`1wvQz0?zdFJ2ug
z-d?%pS{%J{7piAy+Ev)}K9*F}byj35RMdEU%$a(t<)NyHPj%!}9gi$z%6rTZm5gN{
zOsY#!GL4fc^5aacd6#K=)$O|+CH_~o?j6rIK}m;sdGN_Zyz^zDG6}~hp6!EaN<a|2
z-z|OT2;0}mL5CT3;@M+6dbnl`eoMDz${g*@VuoSMF5K-bM{a8c`HK{}^i;mg`K)Nn
zRVB}l<$~wR9tc%`YNM1{ei?eR)C?7uE`63gmo<wN&-A%^M4^^GuN4DjCC8Pe9I^Fy
z%n5*(9}<@@k2RZ#kes;je7`I?tm{nc%YR`?8Q;xi(qc_4y{C^fB`Pio&<w@?uUo|i
zTlw}{1^%$2{s$$yx23*a&6R}6GFv*%S_Phpy8byOv#w<h*Ue{K!mhs=dEO7J@g{@&
z)UScpxb^c`$e7lau91|fS2daWkYu#|oVir<Si+beQ{k=W%mqFUgSXRJPYJg&<I>8H
z=b7ZEnPc-A^56`yDTkdr%9G3!DCSuF$Tb|wRm@n?%(>~2`Z<+%GY2iC${tMq(af+(
zjQTm0<(UPenOAcWDmj#cFzAmguHKlHEUDuJap;el%WTM0eAYuIc*o6Uf?%pXYY!7Q
z;^weYn52uE#q7Y$T-FHYAR^|mT`{j0HI|u_xVfybOe;mrV4*TI7d4sLhq$?HFs3%*
z<+9Z=O&2YYDT{cyZ0by7May8PGM^VMgOtRCT$TkBGLZ6EubE(nlEV&VDjrK4a~bgR
zSS-xW!^vVtGdm9@k=dCDc`TyL>O;w4)iQ+#C6*b82stcE=1`#IuvnR*gOblg&kP)v
zS|&4K<gq}RY=e@|#Kk*&mSE;U8|1LsnNDw#%?!i|zDpw07VYv_56t~H$zZcHPTwVm
zq`^hLOBXXMjq+I;nd@(o#2RJ|u1hep04;J@I82GP$zp>r*4HJFnTaO3ENslSHOXL?
zFu>O(jI71GT$TXS7EN+kJD7hp$z)n$?XF8TQ!R~hS@D?7Ym&^o$|GEserA5!<gsrs
zdux)xc4Td?OCS>sHhC=U%+9mPWwK%X&n21(fa^Spf|yye#-yac1)ez)(;*CTu0~{8
zjy#@B^s&cgN?-`b9(v65vB#Ty%~6g!5F#v$aoMbi`eTmI(I$*>**%HvV~)(|lqLA=
zKScL0$6_2z0{nJQqDTwz*p(0-UyjWDMkRhbD&h)@@!742sjtUkLM9!4I~p-0mH6zp
zh<;m+%Irj)ZaY5WdY0p|w-cnd9i0&}t8v*gh=VJ~V|pMCuN{TRg{r)EQKC*2<FPLg
znpcj=Y)^8$b_pT?D)HGVh}2h(#w<cvUONxbFiP>+G>DNY$7M1iSw1@$F$C23>?uU2
zC&yyOAh@3$lX#7U`0OpBG>P%qq=*tH#bXX3B%c+NsF>9FtnS1nlj5;k5EoC1%^D&k
zpB0m+ltj3!QX&AUaacG+)Fs7d(k7)ID-f|OsPS1Uh}@&aWqKtM9xFT13uJh#Cqx+|
z#bp8^G>;XFxQnECtO??D5aP4z6SWR26?@odaami4&qIpLEKM35Rt>Qj$Z=UC#HXRf
zWV#_O4l56lG)Q4s(TD;=3c_k8H4G~PNSMdrShI;BKL*JZLUH&uFrqi7VA=hMygLTQ
zOhPE^8#pm3j={4t5Cb~~%)%yd*fueu2<Kqfp+v4b2Fi2B+1NIF9$F5;viaZ+UJaI~
zndRWvJiH)_!LdVmY+enN&j$kVY`8r7F9yH`;TB#EhGP3ecU9zM-+9T@;HaANwbX!A
zX?bSo^ee4-qU_KsobW*HJS+0>80x-^M?5<^ucHy~1TLb&spp3WRQeP=Lpw?jQMZK$
zX+cmm;M=NvSvlev&|lhk(XQP>P5APl?aV8}d31Kd5><~c?#{xjw~U8sVI?PdRCNjp
zqwgeckpU$T@mA`G9YJ`3mx53E=fJ!bA|45);ID<}h`bg3yt=vr4@6HTZp%Wf2aDHL
z0qu?C<<*c@mhqzL%oS~33>}$;Y@RAz`GI&3D(;yIrzE(N=UG5mo6nQJ5G<wTIn$U6
zB6zTLqXLDm7w)O@Ro9X?R6j8O@>=NX4%A*w-6FuJQ_1tW$vIHoNFADksXNabyD%x%
z@=EH5=DfTM9nLQ1+sfg11lry<h2SfF;sm?}wmk8dfzXNOn7j)#uP-j3;IL+S_H?5H
z>0V8Xz+20~=)4IP?>41iDIMqBtOaO1Y88OKXM|Z;3S2y|6@a@&hw)en=xC8E0d0*a
z<zOmHLCCBHf3$kCr?VGr0;W{-6SUIsRsy~42ePm_sAv_FfVDP<`8W$GX+mTo0?XQI
z+0+3=Z71a5D$SvAP6GHe60)7%W$~i9ok$m6(P&Nwe61Yh;3$~V+)e_zS~ywH0Z2^(
ztlmJn=9i@4EZw8<oCOzXS!B)5=W|7?A$Sy>X-Y-{oy|V1<paC6fpHiLC}~(D0c#CE
z1Yj-kra>4BQE6mG0@Ioa#9%Jzr>iEZsg^rcFJ^27NVHTDfUY)&$rv4&wAPV;ri%mV
zY_gU;G!e4OoO~NtvMU11np4QYP|c?K7z&9r4YH?$EE*n2z*nn6V=r(j;i1%g1);PH
zvZo(!8WzXEQgx)fd<AnfqYtyJowOEZl(%C;<1!#w{i4`>1xsmcW}pta8b61?T`NGC
zd<F8fe=}bKmu(Rv?Apy5Xa>OSk)rr)1)sE}jexqwj-jw5m$WX%z*}=flPka}aiL($
z><To{ZyNz*Z58b3K&u9VYd?T1>86-$1%0%ci@jgQn&Ee-V$k|$CF;2})C;{)W`H2O
z)~eFJF7=+Y3`O3h<3rt_5gp)Ycx4y$WG`<QdVuW<rdlKEnhav^Q#L2XaJ$qAX|^uT
zWEyC$6MFoIz>u5Q{5%%~-lVHZFq`_bXe$$X=rocEy=+YgR#o1h%SZbw|5Rf@9h(=Z
z%F_rY_0u$!GDrHDbt-NXdfzle6MDQ22%+y<R+6yys94ZY9`$zGQ^Ve(n@Ny+lvdF4
z9_1*sJO{Z#ttO%FSHnf{dz7Nm+8*UyG*_}f<vB%^lG#1M2*lYxe}}uj#+4Ra{!t~S
z^_)K`RMKF`h08W*<z$WJJX%l#+_()K@b@Vq&?*mlr6shjhq-aFk?ON3?ynk6gWYED
zSz35K%8t=k9^!18T{4}+;{?$$HJSG<A*Df@cPW}qHsJO_>6UkZEJ(tvNmL`OS*L9W
zy21-7W7AbeUg;gjXrkSiOauV6Dc=dm@$>eQ)(QiI>Hw$#9}|Bckp4c|^AX(5aW`Y|
zm6B6VBqR_t;Iw(CLJHLc@*A=*icYe)>k2ghmJ|oilSk1A-qX$8J><$}1?XU_G~r?t
z>&cpAq^<-zf2fR~jVw0;>9ABHY>4V(hhaNR0|Cva?F}@d<XMAzX(S#FRT&E6Egu!(
z0CS6vbRbMF{#ef8VES}Z4~pxLHK2otFZm4cZ;gW>%<ls6;H}nHDFG*XcK`;zyYD81
zfNu~%y;4>aDS;jJksxQo6jbc5-JaVf*W7qUuf@dPQ@Tt^wx~85y_`mhWz~xEqf=!a
zG_^%5aV`D|Xb{-OrKy+UB{Yx$ZaiQU+Zt15V#VrIW2VC*hht0OF-;F-&mqXk$HR0K
z13&_r<M4=hK9@+kwpI(6A!8`LRy~+FuN(lDSL^+g-qMf@gL#qA8mm)^(^f0sv31!M
ztiwpKo+T+{hdYusAV>%rO5ae)S5NCiLr4h{?eTG7sF6+ZS4@jrYoMzrjYvEH35~H=
z_5TY82Y<P$gEc+LzxwmAbX*a=LWF%*pb+Bl0J;Jxu2#!hn?=pFh)I!D7g^+wE+57s
z_{_+~$_E(=)1d}rcYJk9KhJPl6(nC04~_3FDTGh--d|K)aF?PQ1nt-@@UOR`>J=F_
z1BK;prbZB|+CLkcPDOD`IHf^b40s=|TRoQ*B-yog#TG7y(|$jXt5G>D?~PRe7lqOH
zO-XX^d)ZLN^CFNhaHgNbip|g=B1Iy@Osu{`6&0hF+)uw|_Few8Tst)3(IVCjA`p2o
zC?gxW+E6OkQDz8a+MLRo-B=F;iP)NjuZ4AzffkWTw>6JdYDg9>brn)WP&jFirw+9f
zBf1xmeR_5VR4R_0&CR}%Ab(NHZ6g!{nM=k^sTPE3L<uW$?UM(=OuXD>GV{ZyoS<Z0
z5egbJdOVFCl?(CoArR_xNx@^#3g5Q%kdlx?j$G9$hQK7ND(;2apn2Yii|Y!vmkYdE
z^tBh_kw6PvXFLTcsJ#`i&B(djE>HP#vp*CU?VR7nD}<Cu_<pjI`2(9*R2%8<G*GEi
zUfR4SuB(G>BV}C`K^iQ1QE^F(h8IeT!^dB{74rYv=Vvf%wQ`D|h-i78%w(?NBTUQ$
zB?wXvTurV4|4geV$>)14gt_`i3Fk(Bo&7){;<<>TYN^;|ZYd)J0K!ytbh<TB+j21+
zi<}j;@D}42z6kE0x$-UUEq+ATp!iPYqJlyBuE9;PI5X<{1bIPUiOVQV8`Zl~gze2h
z-G#S>5!wJGY$BQ%c)q{#CvO_G5j=q5B53$f-)V}(H*tn<?P%~F4Ci`JaHzpCJcJJ6
zVdN>2>p1wiftf@KgIXZKZFIT-poUS@0Cx*@?FfYm#*LMUj1=_g#jeq#0GQ0v8Uo7>
z>46$FQnxN+cuvs}x*aLb6&)e#=ZG#bgAf~>RSN(LxC4U;4p;^*G?K<7;d%|Q;|^T@
z>%jSls!R&kb^@A-6xt&$aW23!-Xg+bq7TZ9q%tX*LXoh*`j$R!zlt0coH+DF*H8s>
z4!6M!*`Vso{ZQFLc#bcpykqbvs6xD`==g?iDd`%v=y&f|vTrhM0XkI-j(~;Vya?i*
z>7BgjK$QW&4}^DH1W~|1KvhEPx)HpHTa?zb8w4`73aCxw(g7DU{MiQiHQa3bA<>`M
z5@pmgGLS*}ZgT8xI#IWEDi~P0q)DkEP+JgGTYwM9QrU@UGq*koT%NIWSYFv3e!m^H
zvb=2ExMqRWC(DpOBMk*GS8`D<7r&N3b=ScM>>I!fwp9y^I$cpi-Zt#?hCM=_nV_dg
zqBz$S*>SBJ(<r{q;Dn-=dm5eA$8D@zF1I>oZ1w<-p|ErpBxz}uw0XJ0&v3P<I5fL0
z_E)|E?%w^%$8x-hJO2}{N{}{cv9RRXw`qOoX+p^Wu#wUnL>NJOk>?E|yvTUHn0gQp
zB<WAYuMmtr_^G*vL=X`;4|3vn+Y-enZxiEnzGa!@4{cPRoDx6)dK&W538YWk8)?43
zia$qVYovYq#jBU-sh5C*&bZ@Ty+W_5a8%Vjy7&keFvZ*Qa^TNXt0Q=)!1&PzHuZG#
zLM#Oh;D~2dKn`w6boHwl#9TNzr9@KU*cuF~B&;MLPuDet@^lgsM{XmYTCLyB@zJSl
z;!qqu#_gCMZVY$O!O&)#yx^Cj+ok*I4p@*~wna#kk8%}tDH(iuGGGswWl(~Pj+tyf
zmhR#eK_%kwarD+NuxhwpX~kXXgr!oJ6>EjfNUxht5fQvTslJ4>Bc_@!m0PX%evjV0
zd$7<kUL2JennMWgc|}gV`$^T7$0gv0tC7k`r3u_QPff=tXjj{^99))LNZrJoz$;Gl
z(*53@;qiV3NVcb{!%KlyKfSr0!U*9eFbwn`40K|AZvwRM>J*W5F9KVqHDr7B(jMKT
zizSW)TY9{z-nUmfgEu%#$9FJuNe%J6d)BC`Zodz8ogB2xsLO^fFL`cSHT0ErR%x#V
z?mx5>)43XLk=h`gtvGnFiZK1Ikf+It>`PrDYgoC1WVChy7<9i;e5wzQik$`8B*f~#
z?JS?1-z=dQrZk5H(s3-JhX`QLQO0CB0;sEvAZwB&?~y0_L3%YkW)8h359{*1_{N*c
z<ma>Uc{4Ncde~;L1$EIT9L1+|szH)G%C+3tnRyYsBs`{%S51mKFU=Zp5-!=ru)oEy
zc5O2a2xIyqIs={tpt?C@oN7!g1d5Ylm&Uu~ZvdP-=anfb;<&wOgHTbkEvdQFBy)&_
z5r?rHL-Q!y7#M=gQPax@bJ#x?Q-2ljmWGTW@kw*H!n-3Dhhj={m{@&?aAlBbcI-=o
zDW8FWK`FDI;+k(1>jr1xVO4?>ZQB%jyewW%xUH>1!O|)jNQAu;n$OMwXtUs53?#$w
zjxf+kTGCO~lw2YY(o}%peTi+Dz*)*A45IDcEG3y^3RWO>IJHrmH!=o|F&zw;;#!Sl
z*jSNpmMr^NQ7PLt!-6=HD~>MLnT~;qDy406G&%&<Ev9G}SOjPEtfb4&2sFuV5hO11
z6pEK8lM;vjBRuNGgs{=L%cOrNNTql@ik2rDGQj9?c4ntyAc=~-GSVzNsmm$K*ASq#
z;;UVt08DDU6xmMY6~KPOG=!;%@(nyE{f6+r5uHnn-I;ANEVSI3GXzp?`O+hRVW~_s
zC(Fm_CnS`X=W3nds~FqTIgE;R%ErmkU;{J=z2E000CUbvw)$~5P2BBAk_rtkd0YrQ
zXUoM?BFD@150r4`cc0mTCUZel;#2?hoQSqzox(kX1QYXfsQ*RB$q(9OSo$_&Tu&rD
zoiXCQbMsgvay@<XM#Q_JbSETu9)EKg)-Td=C=!5y1oi?%%M8S#=`^qqR3mO|hBV3S
zV{3cvNAucPP%B-(uL8D7H!KCd|3V%`1j9E|?$mX&5s&^qn1UgQOV3~F6hD}%AY1uI
z7=MKQeq{43$W@~)g6(2WRxZUeT|b0^j7T0%G^I11F;+7gQkmsWDG8Su;D!(7N|}gI
zc+barh&OuWB~F}{ZKhOYdf4cd$xZ{EFvEl}9jI=_4xSjexRw}-LSuTnr6wFmHh6?-
zD;6#xv@)<o#yI(Gh4K;)X5)Sg{D3%NfkP-opo;^j1J?ZTS2nl}X((F(b>Kuz)m(+W
zWM2}x{$&`86M>M{KB@&IthUeXXh|qI;!;WJ<Zo^&y=USASoMjBsQ4Nn*@8Crmw|}^
zpYqR{SJ^ON5J0jn%8~@Q&_mT7F4ZtuRq!3Ll!#&~oI(!~m6mCJpN{6kg*X)o{!(Pd
z4C5WgAU)VOLSRfqGb4f(N<}Fku4o=xYfz(aBD)ZgtRS*m4cL4rBq+e#f;M>X`SJk}
zN+AgdHF>Qz)^5@zvW6I$p$i;6e-z@rV!;wsf|SxYRnZ&}>zU6txhI3+)yCU&!w{<e
zPXumW#+$9m6DhZP+Y-jLA3H7ctA{e*-Zc_h(^KqK3Ym>ShDHD-0EjD42!ddVh$(0U
zK}{w=A|BKNA#CMNhC~4{$Jy&`bS5@CjwNXZy*abu6QMo9^+CNyp%$>g;1hEnfru>!
zM^S9Wysxn!btad~GeX%yNXmEY8ZOnMGrlsG0@zOIjS`u&Dk&XHAB2;gG=fjpqK~Vv
zs#cYCLk`?w8L%ePh6#qYX*rd41tHq-)^E*^=>-osq<B0BwTAI!ZWX|oFfc_`T?Uud
z#Re1!aTMA-luL+BHjgNgVhoLA%!8<iD_H*lq(aG@dv{Turga%5w9MUB&6Cj>Wga4L
zrnSyxKe#eaZj09f+a&)iQIKR-kSMKBX9|)EMXCIfgK=t#b56M(Cab&&YM<CpoCJDe
zm^mO{SfB0%Bn?W_@kHq{sh1h_<+>N<`$~|EN0+oyPJ3qs`67|ZmB!-&ml>D5!s(A1
zjuJej)xk#_)O0im+tHj!M9xBc%;grLX*N_2j`3X9<jSMcPO|kBN(f(=_B7v$mOSkc
zk@?S-hhSn*Gs)HaO889lH$ie4arSHAxQ{)nP(bA{j!Y$3O<uOW*d?IAHa)WA#c3X0
zTOk==Rt&n?EN#cQ*#xT-*{c)#iqx0qEQPIll{zK!fm$#5EW)84WP&ChCVg}}AhX5<
zgAd0AU@At?sZ_ht7PXI~7myL_EX(DA+}K(<a4nj=QG>fpzBiL#6;f-WC8Y;0mCD@j
z5*`UBvC&fbw_4wRZrnRn)Qss(%pgs;wjBd!AL4t4=2jao8&Mc-c-Y#G&Lf5+MV+M<
z*H4wFt<|TEK`96oN$hY+Lb*zLX+>773D`{_!%;<GqqQsi@l_y?v_vN>N}pAD03<;}
zWY+R)W|UeR6*ehJq|`?~rkGSE+(M#)1OHNzkc54r?=q5*gng_Y)PmYH@|R*mT@rt9
zDniK;dsl>{q^L#OT10OBp}v}d!Y<JWiFZtTUj?-admBNmN7~wZBOVCIQ~Stjk4xay
z(*ZMLi1RKehqZ`KnhI1Y`jRz4Xi9SOf-#|`#ySW?Os({$<EQ&|trASH4g@(FN@T|8
z*6~BOQ*oZZDdeFUd~qPBjSJXfWr`h53;k$c#oZvQs3BU9Mm~3{%Og!i0QYFOAta2@
zd$om%l16Af+E+SX6K|$sKpgEq>}aPC=;4EXtPBIg1lfN!0Y%nEJ}T1PO4%7=v2$+!
zO(ZG%hQ`G?QbkXp3U*2Dt@Ak%l|CX8$DN&8qxF!*JuH)9y5#;)9&yXo$`T0jvl$^o
z1D-n36&c*h8js^WXAu&(f=^gm4cygGD=jh_c)9M14k5E~!ya$W5@c{<k4!R^nvcP-
zbkJ9t+_{_H-Eh@}sTD=$)vC=&m?R~q#2{2ZZX{$cT6dfgpYWC;#$+o?NV5d5R`)Xp
zhWlb~TZ9{^z2^HxMylKcWu+7x*J$v?To`Pa8aPY#lnd3M*k&|vm+j-uO<9EkTMlt*
zr9v{mN3_-jsH(z_b`u!2RoQB$PtLy<VeTtb3cpQ+hS+QnLh?z|)@hjnmhdA|OI{$U
z0kvh$Hxz*v2f%P7XxuzF>_xXc1Jf3d;?|Gyb85NjOC0BnM5qx2M8>S6<uuAZP~H}o
zrl{??a>IR<<h>Uq05&>gD*@aTI0Pl;SW4{oEWtgpj}2i3V-5S<rAzvv7N$SzEjk+>
z#Y@k>`^u8ywZ@(P=MAwEPU`DYL+}53Ducq!CD_wS3tAZY`$I;SOA`ZJHVmnf<s!i%
zS-b{8*uZ@sAO7kY4WPevzNafe<)d34x<mc(j`f5z7(bB<L}W3O^pAzGHY16bl8Mz^
zP@l+|N%s4G{|~9ykQ$JR?|jxGaKDcr0X;KfbfDr)y-NIKVo6=6#AqvtRXd}=x_*!&
z+D#%$&F2XZCOBy15%M)zA+mHo{rhF-?-*HBl|blrO%xAiiWbC6#L}e(awX#lLW21c
z@=S?Buz`Nd=|d!eds`uuQ4cSfa&~EW;{O&pXT$~&F(w0QuHKIy;idgY<36{dkLc3&
zOTj@fFuyiRt}IDjSUf-$P2Gp#jH;xRxMhYHi>3w-mPgE?LGeanq&LiU&nwiRV>ZUP
z%&_`b&Um}koyCc!Ew!%728koZNzs!@<sy~8uU!YQk#BXE2@1Zfjh9^+V2zTipQ2On
zmqcQM=kp7+i^M?Luk8^E81Qp<R38gBZ4tblLx{HyFtYkgAx_CZVntDIw+|apIR2*U
z%@zruEt%7=65Z$FkP>(+eoD4KpFQg-i`PyEY5#cxc(K?3Q))Q@BW^>?&XZ0C9(m;c
zpP!)WW~Z5pV5e}XE*v3L=`5Au$S7g+KmX_yD}yd8EiHRL)kk_%MxH4xbKgky4w2?T
zt?>gxnrDtb8Q`LJFuiE-P(2u4ENCGh!iiXH*%)4bh&5nl8KgKPnd&r>g@q}Q>&VXp
zup(O<e@U0KuHuQNWD?C}^-#$uGM(3kT~vxlGpK=5^pOD1jKSaTt3H`Y37!MG;Hf?U
zJ7oh$gQ|)f2Ez-~Zsi9Nh2)WySR2Jjwa{N_<ACx*x`5_U(!or3Py=G`Ou~XfUh&<*
zsfo<M$PJ5xLFSN0Q}z$6n;JauS3#`MUuZSRpk^$+Ml8M6!)Ve`Me85iG5~|Hsd486
zFrxAJqx_}B@zMKXcqn1CM3BjGyAVk6&CmyP4is|Yya)WA31TrbPqvG5#&iu#>YGbA
zlYLtJxvrd2ofKAs(>N&lnnArWO9j7$$6<dJSG-F&tz@tUIo}e4_fG5+PrQ9zH*$Pl
zNHBLgK|>_IkBuo+I-dYbazJ+v+7>zu4kwKgqF5<ohcgNV->pF#f3~a#$Tk%kf)-)1
zK#cK7Aa1_2hi-+w-kO~wx)_?4G6`*xm(A%gYJes0-<~x<)g7giNu_}pc-0a+xE0z9
zX9yO94i_>67(s^(7=jT1L%LW(5kNzb*&5{@xDcKK9LmVoC{>_?GzfAUv=J`?9V%G}
z^nng+0W>!d0nd(2A-_Ne4oK9(18qPK)u)smp90C5!0z`ZNpcxs{<X6rO42_}o?h<U
zgG0ia<gZzMlngKmCUC07vzkbu$Nxx~!Y(PT`VVFZ3z^KUW2G_+P>q6&#aj;pDHaqM
z&89rRxSqXgwwqxViT+otnByqv^l;8!&153|JR(K-a?v;-C-`vC@+X+AmHr))N0=>d
z3@u@;&dEY-DQ{yA(*hR1hXK<93cm*o{_T8TtG+;W;ERfdZb<++Mu{9i`?Lm&5;%eP
zXk8Q_qv&w!*?xjY*{_eiyI>h@6u|Y1>(J!-5Wpwsa7W(OWJZ7nsmp=m7Lr6j(=dbH
z)G7o><wu>PZzcSHYe3~e-xjLMcQFdWVc<e=R&yQ&g6NxA)Ehl<<y(<TcjF9H;=}<X
zZ)DCt%kjqXwsc;eoA&ZAWWu;qfZu_ZM){dW{+HSE{_C0kXkW2>gbD~EI0P<{zu7Rn
z=N9>Yx?wp<ooXk<*P9+;#S@?i-|&A4&P4pR=H?n-i;jlqNP_Yz71Mf_Qbok1Q$djC
zfJ5B$No*TmO_>ivYz&R{C)1$FUjQ(Le2?u(Ci8cMHl`NMklklg_!ugI!cEvqo<Ij<
zN%_6wOAMDpPufbU7OB}GZiStr`Em)N30iA(_Z3$}y$&{ol_>}gzabD1t1^vP!fiML
zzGTPI<0Z&TcA|{g)lL6o1SB(LAj+wFxoX}S2C?cMYFu?Fk9Hn%Zqfn1Q{x~ZvtLcd
zuwDO>=#33G0Hb@YwgfUI6FSdgTT#9TEYCtdJ_iqvLL~kNERO;T-vf_kp%NbhjRfNH
zm$2%Yc)(@Ybknfrw<i*=`wrLru=e*Y^(okKsK3Xv`4HpSb4$M7BKj!{7Cnm6jr1{>
zVb3yQKwS16;3b!qK&BsKk<!S&G&mDGh=ajin~<y_W5982pdgFDbL503F_Q7FJhvF`
zGzkyXMuoFs_Unz^Ps5&4`&61Nl)U!(QR+T@JPW!7Do);ll3{(bMSb-17biHS^o<i>
zl|Fp+?jRF^F&@wXsg$?w`g@t$dbtfVrR8P-g=8(5!<3mjc1(z2d%sh!->0YhTg7CK
zJTrJ65_Ta(CRq8-b9YY*Tm%TFxuQfX!K(^N=)@0LZV<*~VVEEZV`Z~3Dr)GC5`QV@
z5F1GCf|wk{Txm=?>~rBDMKAIj0p4=hezK1Nlgd+ZG4-|qTlgYP7`~{b_#dB8NtCbp
z2p^=xuzWx8B+4JlQqjVfQlQ*(o6WZ~Qs>p~Cg?dk=p|1<nT2tUY5Gs|^LgL!2t_Qi
zHmOr8bf(imxhutC+sv(d3_L^*$hhQS49ErB%)Zftiv|eAISSb-;${-%deN09nisp*
z1ucr@W_+AV`1ohJJsS^9C;<+X!{hfZ%ZKf*^u^|b3Ji8yU#6=vkbw6=(xR1`eVvYj
zv-oNlQx}`k@E7?Yo4UWA%i*erxaA?oZg<p!Dc&mxB>@F*v^GbkA75V!?Q^?Dov)F5
zL{3fsSsVk(X%ADECR8B#e4$-lWC5aqjHyE|=uf66gR|%xtcg2N36orklXG~P4yj2B
zT!aU?dgo)LtFCry&t*XI!pRm~tH*R;2QTD5O?HW*M+lw!QsmJigiigkLNJH+;mA@j
zg1>O$nFvGoaN-dJNX(4w5}x7A1}bK8JBJU%h@?J(n)aLrMjp*WfkT>m1IN*(y{rv8
zY%?<OIi~a&N@Sl#ns&Jefk3p-JGMnAEI~{P$0Md}4mN9ysi^wsOEBe9R|%#nW+-pV
zHIsVlR>LsJuC$zvx2oO3elDl81n0N`5`FgMM+OD*MC-%#pEzdq#i>}0DpL>|{lN)s
z1Txsvd->}P-^ipJrer6lYBV$<^`LNY93zRKc33z-WuS6g7$9SqbKn>tmdrSm2odGX
zI1is~uOV&dYKp+b>Lof4SX6!HOdWytQ)X>)y+RKa>#AUZ1ff_PnNgqy5DyiEZqw~*
zNNA=4Xo-GoCZlgr8jTVfK2)U<iiD{ymRD=`S}bWLjaO^%JS>TCNGhD3c`(Wms<N-?
z82TQGhn6rB%}o1XuB^UJjH@$hhRv-sRux%5nKc7s)U_3rrc?74rtBL03c!0b@WH7R
zh%^Oo4tC<zClUdsS!NAO*flJ57;fJ(KK>~vu~INJBPg>&mW++Wq};QdB<UkVPj#L9
zM)84|9BbafyShpTNL;kGaeWqLt9=@+0b5Cg>tZ<W+B7v3OPg7^tELe&x%EOSZCgji
z1_L5-Ra2<l@X{%QM)4Ij?F->VW?4YRls_@gmk{m>GqAHN2x?1B#_P}(kksjOmw*_N
z09JABJiXadhAllds4vtK&?<>ji2k=N+@sA$_f#U0FuTvg9R$1<K#^0c!s)Tf+O=5-
zYirz7I0ai$vw(q0+VHD%c$!M@P4GA{?O!PGk=4brcpZOPlEqBpBcTASNFeMhY8u{;
z#|j@63yv0i&;A&MA2$`{zH)RYd!rPj#2V$|Ot9q%m_rAl&qXd7q;lnO<L+7(8Zc;*
ze8Uu8lT#T$EO8WYVgwz@9+2$@VzBFttG5QJcxu)vXIyPk{>D6!mliJY7sYxP#d}=Z
zsrwRUqg2($^dreoZ~~^g?SVzp6?TqbD>2l^p-^@OQg&)Lw54kVF`}XNu|ZhPMq8eN
ztH2L`%L<c?1goD&HUy+j%{6guU~z~IA5kNN8oN*)qD93OcKmq=bW|K{@(?~!91<1`
z4jMzCzGfoP6!y3&4o>W7EFh=0v0j*z7(L$-)Q1&(I%+Zvw6#}L+W)DP1Cz#^tGZCo
zz&6s=#w;ibibJ)c((=L(=L1+41>R>B?K#juuy{*S9P2VLZXng-R*C~w)0K!qpCFi`
zG~q<5X+cd@coL{ifFN86RDQKUdbPECTu%Z`2-r;_XjLp{+m|smy0J__qedXq0f#`b
z!i?Usi`g2K0}w0V_&_U+L~=9Zf83{0W-27X|EdnKc7zNx_zlekD4dpIj48@fk+eGD
zhy{*}B~SovQ!}Ib$@{AW=jkQH=jjQelzx&KTy#&;X5^2tO-`_5&XklA1Yt}fwF#m#
z<MRwAE1XDi1IZ`2!7m!|NSY*Gs|MD&lSuFm>%-MFo9_q$Q>+882LaJp>Q1KDwnh<(
zT7b4GsJ!E@RyY(N>=2ji5RRldDN-SGAdRK3qIg}<SCt)=8bgkF0DYf1P%Y&)v}Ij#
zAs=|%s-voO7(@~u{4yw|=#~x)487pKXu`-Qivd2i284B+xp=WlLFcNSxBU}{!RR7P
zh?Fx*J~hnV!g68^m$aZSVQ~Xq8ALQG4h{yv+{+xFc2lyJt%`X|yc#UYMJ;O+%S(>O
zlE?G3#Bj?@y^GjmLj!^&drDXOvBc`g!7Vz9PPN1|a@G!<TM%Hgfwqtc!KkIFuc$zB
zkmkJs&2I#OWC}ZflR|~#69W8<4l(>*EC8dnu7R>ke8f8wyhvJ3uFTO%n(eX*0h6*0
zR+V;2>cwFsh0egF45ZdT(jwTcb<1QS5meUM|H;Kb&^YjUyb}gpW$X+&Ay;_<4^*bb
ztbIKyqjtaEtl00;1X2y#8x)Wc{L=(I>lir@HvD4CtuDzpzBRl+b>T=P7e#@Ut63Ty
zSV*TPO9073GOP>-%u2vJFPY`l6bF8$j>0)GC5{3+5gUR!22j($b`yJryOsclXGRMA
zTqhD_kgXl2Zo>ecJq<`V-r)-|$1!F&-rT3|(10%>G~D|(0lR$I3J|CNd&24Rtb)J;
z=IKDe*{Mi<I-AQ_EAjQ)B1dL4cAB;Xc<2uD*bw8OIK!wQR-ilcxHD46tpVQR!tttr
z>Q0S5<_hDWIn*o~E`a8qaf7CS=I&5~RRPMZp$dq@jS-p@jA6&sdVStQj$c*W{#y_-
zfs8ecsIc1!GDSFc5xk~vU~!yfGohN}sIb#I8Wa@u2V*5e%4P&0I57RDaKO<;$P~&R
zbeC0l3Fe|SZ$TU`95W9t!9E&(LY|*im7g~!&5XBe$RN@73xQpu%jK{tANO~$s%50O
zW3Ko3AARENWZNh~^C&_lFyT%}lNSLSUl_xW1F=64aCG*mqG$UKYe9IZYNps(k*l!8
zmZR93nec=-A`UOa*DOW%H8Tq$0M05F`XmKr7?ETMyG+<3MNlH`E?@}Q#2r%*caK8i
z&w?QDQus57W<SInD8MlA#2woUPzx1Pg>C_${oezX^wtSjTC}Ugiqu2fQw+U<LO`uV
zA<-F#b`dLtd=Ad3UKA_~o1&LE*gv)W%`flo0d(A)uizg`$rnYVOa2g2upZE8KLdaX
z^TDM;NGgZ`i{Nh4QHer(dtr-(34wCuaBtC9eg&oeC-&P1-fC<B&G>g0&9rUGBN`fE
zZ%TKDh(x_Y$-i)IQUhPA6B7KqPfU~GP_`!l0EvH4KW`rZKoe~bYUA_BC|NNdpMbWy
z>N>;biT?_~q>4oT3&KQSP4X)PgLWCz=?=%eDN?!v1@iwAx@*40ccix=j^6XoAdpUi
zkVvQaDl5_gtHC1aJGc=YAhh1w+C{E60YYG^`R##dyu;veA$67fDIY9S2-7ndABdI8
zKqxT)>tK*RL6{k({MIo!Z(TGUE?RcrElQevDAOC0g&?4EYfCPw1tL9mxJL-QfYEl~
z+{#lguFdqa(`*AlbSNH_0}!=;0sTA-+p*~Y;_py2*JjS^6s4WfW5@tHkSBCb;jcwG
zXhP~DnVZhNCUcAZa`1Z8>7R%qAQEUh4VThJpTq6Mf&E^9StA`@t5s+iUUhFqWg|z@
zZsG?Z+oappcrp<Vrq$URL-WN3<~4~y!ks@gAWpP`yDZuUlA&2TN+EO%z;jTBIiT5@
z0>wseg*SZEt1Ow1a`b+wj9uxEW1;17w<Q#HfAcp1W2yPn-Qcdyi*xtS6LBfA)k1lf
zj$shpV_@X~`o2r1jR6FwIV#4gqUq9cYe5E7!oQ`)(t0Ey5ncw6D%y+8Gqtm+Rf7M=
zglksxW!SgXJ1=AsxeCYJ4Pa6VKtPFbjFJ8Erlb%UkLS^ByFEaFhyW4<gWePb3z8HN
zjFV-qAYy=O#tYtNybz2Jr1_}@J>@?m%vtI{RHI3th|CeJavFisdC=Rh{H`*BKIFM<
z#7GUhJQT9-g)+FgkYwX)0hQO#HQEh3a$_VKkh8;ayxP8LrKlmTT$Wc6Q()hopBpiO
z3<kJF6cqSM3$Jtm>4s%1iqcAQAnLsUazKs0ErT}7{cU?|I4p^x3E99Acilpe0t&5p
z++GAgY4%!e6<!~h0Lv^^qz)Ypx40Kbg7VX++z7WMoa9)N93=?O{cbv$q6UzjyW}dN
z284zQ!lj@Zpvl4L$}4qpW~cvnTy?=rY~Ob3n@61upQABytvGN`F5j)w>5d0BU6B_h
zUt6`O2q`1oY}wrVDs;7UU+^%r3z~uAcX?&~KwNBTMv!x$JL123T4d%2LY#tKWA{2E
z_%5W-tnLMj?f}vCXgx+h3n=g5@P-Bv*L?}0{pN^N(;rkOFWsQ~-`GVQw^r{Q!DoRG
zr>dv75b@yirM|z#)yWkofGgCW#*-Fa4bxa;yQEwIj|S?7RQ+nUk|d;SEILNCDvq~{
z{0t=AK?k~DY1NOoE%H>ACi6y!+tef*8-8q}!2pZ@n4a@NSyn4H;6fte^#Pr|K*MH)
z_|SRVTSmG&u6lEaPr1eu6iNr=t12}+=@S4Inx3>9K#u#^0sMy8LyQsOFHsX^dA0gb
zf!>slIL^RtNO`Fd|GwTj<#GWw`T$68l)Fja`TB3}13<%?P(^s!A82x_rbflsAvs=}
z9wKLPpm2}95{`!-Lp#yxEde?c2moXC`j{9e@z@r?R1%fH7QOw7F2#7KxPftRF9I&j
zTygZGk0gB%WWd~a9d0}-2*<;#2fKvxDFuvdDg8YcLh_;$<iMeB0wOJCZ;8Xw@>P-i
zH?P0m<v@(_{_j5iNWdDk8n5`9DNt=76SNVU{xLByL+vI4b=NvNPWp~v*f~-}7udyS
z*@&Dz029ho<Kr((zyj(F!w&G=QAij1>lz;+9mNn}hIyGZ<9e3Ndd*}X0mIPgq8@}B
zAWw_cWe|U0sXt^nxHYh41}B3{$|<EI3B%ym5xJ{iELb?{pi{2VIHquq{+EJaP=GA4
z<i`tm7pYa#5F#wm0(x1ZoCNwfV>GW68;0Yfu+YAt1T5QOaHeNYz(nYadp1f&_m#L8
zI$<xF8Eg*vfV%I)G<PkBEg%FHj`>ERMQRg!0w4uV&*xk0rMUW=e|_36L&LxX%Em&u
z5i0`Km@q_KvKhR9@F}P8yB!NGd#!#eIRlA7q97Gj{->9~yo4<wZh1})oBOY+(vw?=
zWonk4uc^H6<Kx@}N@u7+_s0Tvs1d%02~V$12n;iK%d?o}k3{cyh)0wY_G+Dd04B}{
zrCgy6b@zBHhQRxoH=hMZq9l!)QumM>aFWCYsQ&UL0;-0q-DyBc9>*h@K$1#XafJ^=
zr2BU-5KFIY4hYEjcJ!#mEf|55tp8v!A?pJyK`a=;<u#p`55ZD!8X_>Rb9|*`E@})K
zd@jN+hkyVzg17@BGy9dw+G2bxn!FPA2f0M-xHmLUP!#yIr8q<bHr7uC_jM~kiFx|_
z`P`b4a;rtC*(r2}dXkprMHmP-l&erb#)6If1~4f#JA<LCOAwg+J#2^FrKU3LT)k;%
z4n9ct5UpY#A3egi{mt<L*R*47nXgsXi{kDF;3$RXUMSNtxsvE2C^vrEyn%g`d&dlr
z2(99<3jP)0F&hPb1iS-ZUID6-g^fu@vyN6f_5qOZ@ZIm}nlzOVH<iCqL)WFaL<0Ij
zdBjSgz;YVVwLX6hE)8aZa9wt9B-3qFcrIdeyvnUcS`s86Qv&U2EVH&$60G~vwxSuB
zZX;QS&z6s$3Tg}=_=WL(f3lH{|B$j}@p|j<O$!~*fzB2V9TqDc7kWGVnFxydWO4D|
z$?hUZ%X>YJQDhdR_!9@3suBdq$80hs(%vHx5J6@h|80~ZLLrF%qwJSF6Prbi8TbG!
zNRXRL?;tcXH2XIYd1|$_Ddj?t+5gr&*I;R}zg+@eJoGQ9T#%T7oq@N56A`f}AeRRS
z+5;ttAda%zos5B@V8+gKx+HB0b7Da{2zv#`;dyXMx+HA}hz>3dpZm4YiW%CU4$PdA
zHr3mHI1L;W#m=4sTa98NB@7#Lj1jJJfmnh}9RmoHlyof*^l5Oiq8J6z21BDdiz*~z
zI{*MH=nH#hENGF3WY>uxaQqM`r29=uQbX#IJDxYsjU##3*LmI1CGW>m$Ld_EWYWe=
zP~aVamNo&N3H28zL!p$zOla89+?2$|jqKp%WGp2yM`l=t6U07&kQ$J{iYO(3PLbbC
zvxxRM*28*s+U$>De4YWolP-`l^!HjccxvE*m1uByPYa4M6aT=GL;?#2blwaqb8j=&
zZV#dWpGR2*UofS<Ze(kR-Qy0|-Fg4d#E2N_c$y5}BE;?>@F1|}<`B<Vwz87fLC7x7
zFqZ;K)#`)Jm;hk75Spz9sA9*L)G=t6Pa9H@@?k8>VWhM$LBF?$2fcs}2*55;fl^RF
zyc<&GrjHJnuw_8GNy~8yh$tgOHlSg9vu!sRjfVmR2=u4|{zM@QHr-o(<tn;F5ZyL`
zTmn*kf)SQfxl51)TLj1}HY2&%G=;&aZRQD}ymQgNa8r`Y!2qH~ZxEs)(m30Um;@(}
zws-@~Da0HvV`Q5VJOe2}m>ITS&)!h#_^N$w`L`D+JTY3hLuW!%?wWCt0fa{Cn&2<e
zW{yh=UtsPCe=Rq|>UalgxKIcN<hQpsd=VZDj3OX0dKOYyihHaD{!=!z@spUsq=!@U
z;@EHv4Udcli6(I16d~2=ZvI)G_RMG?i<f?BWU1F2auUc;&@<+{d3~q0EaWN>WRK}3
z>4pQQ?}u-pKyNm{6zs?smv1Mt@YFouQa+#|cNi_!4D2Sy-dy`g?-5DCWO^5on?-Cc
z0Rybs!Qv19vK<d5TTUy{HOpZyd2i7a-cvN2h)4u-z90$Bcq9RGU!t6SF6b1V>scUE
zzVZ$yiI^+`^|HLt3}ok)z|Ac!qb8ZT_aRG0wrzIMDipetmrr`wk+TmJK7jqyS}=Iw
ziU29^6yojF)Xf<gQV>awwmv0vTi3Q>0|Wa6rD~w^H-(*GA<^mq6FCLAVm55SxzedO
z1_2=!J}`tJ44M+vn~|{!EQ~S4Nh}!P0FXvEBEoGd1{S9f2qIWu(HNz(r`X5+Y;I;i
z5b15TMwc2*Ivi#yl;9k^t0TVvZEYv5#l&iKa@;a_f`&u)d%T_MN+|B<Y`)FW(oSBK
zqb>x==HOrXg{Sk<Osv3k?|$REbd!<{y(B0Mz~v%b3C+ThlmCb;lUYp9Ni=_~eHtu=
z=~CQDm{TR<U*wpRnS~GpjX54gkt!y2@f;bVO?s6<59AYv2B5}T)J%^r)o9A;FwpYs
zOo6q5bWl*V6e@)w*Gn7#*RptlB%!Y!i~*nbi84IDZN1yu&jGg5&)}F{7Nng5n_r8#
z4hLttln=8dxRWX(rv(9e*Hk{928zvKWF;Ot9WN?Y17IF4oWj!7A?NzSV|qWy@VNPi
zhXGlENXyC{>(Aoxl@mckr)SXP)z%vf4a!?9tguzENV$XEi-Ko>j@0A1x^tR73Mhd&
z(~<;15Tl3$Q(f@hDF9t6I!iw|4#tqU5i<QZS5wDDsD$p2op{`05TI3)a=ZEmo^nJ0
zxmOVg&c!c}n|Svtmd+C9PpJ-k@0MoKl&(8)Es=z-L}u4>^HKIJK~QlM8N9P+BpGu9
zp%z#o0UnHe;^yG|LG^9x-@LBwE8r>*4@%>j7Ee>)7y&ti=Nc;v|6wlVPdigBcgd@x
z_|Qc^<P4w3y)wh_pW;gL0V;urs%jas1Ig4A;$tl%;ek%wEhgVpw3u;Z&BE52b{%jg
z_Hbk%QlD4q4n_rl<IP6bN{s(2h3M88yiD{zZZLQJ*tWY>d*G!16Vm`80LA|?uQ+5q
z{#J1ipf)C1+4pvLn}E)(Jgxsp)HIYQ!N3kOjOqvlU~aQ&iSPkD1%hVNO#!TT@mO^~
z6e{x%&p_?->VGmAkMNj$FKGM`ue{V`XJ0p}Z!eGj*Og0jg6&RagGjYJ7$vliD<q~{
zHeMyH0c9{CedqFMkRE`6(*<@v1;Rix{Nf8_gCX1sjwyzQFwzhdy}1EyUJxv(ex4G;
z;2`M`A1M(z6mf@HAZdGUR6vbECL%^urjS+98VUkG1WBrt(@DZ$SsvybJ|s8+he-~N
zy}@-PJSM~Eb^ox7xqf%YxR8fmT0!Gbj%fjCQvd<KZP5A~X1oh`WRhHwCa^AR7TDHg
zM$`mr9?1!-8(Wy#nY`gC1<j4G^lemzv&4isDB6YNYB4RCgdifu)@+evQ=un@HlacA
zz&A9+_`wI1VaKTT{dE~kgq#@K&5#eFbkGo}7yk_;f*z|?7$Qojk|IjkfGeoVL@#7t
z1*chfjzC|GEEhS8>y=+Yp~E1C2sE`6^E6&3<t$9%y44-cl737B7D@S7$v;GiFA79=
zVCxz<aY1>i0b-~*D7xkD^M4jHFn|ci6;~gPOw1wPkpVG}Br1|@b)fuVABe-Ju>?3H
z4hG@~0V58|t`QE5JHTXKGsYa_t}q`)9G!?b7H|-YUp3FcXK?Aqfz(0Y_3V61=mOmn
zR9sC$sL)rFb5=@ZpbK<OUxOlmJcv8MF|RBEO*@1~PNMvXh)o|D4;7^0H9{CM2O=s2
zc*GqA772_QQ6XuHDZqyrl}fk@!R|(}U38UOHr5IxEhFxmRu7{D?4;ykAxrsH3b0|-
zA9zvdc1a1I9MWxq`bxxPB)S!eE}1nX&QBt(2h_<N0!3TLOd~H4bj2WoS|H@rAc52&
z$%-KW6d~CZ0zNQ@O`p=vriIRSbE8jKaT1UeO@u|i<0@TGSVdB)jt;`rIIxB-hpZxy
zwNI=f^`t0Ba~`{_EJCNWP8P$rX^K=i>m-n=stX7NS`-@yNO1lrK<Ba)L)L7dekN=o
zS{4Tnl?K9l@n!N5iYBjlqnQOb_3P`#Z?$<_g1n8ONfs9=$k_>4DnvnxHwTPFEGBUf
zuu{(2Y)BgSAxaKa$qkcwi-9cxtEiue&Kf2hIGpF)N$O<95fjYI`g90lLqR71f<+;r
zU-nZI4_Vco!<9^%>C6!-D5yAi9y(6_3XGz{73k@fMVtebatbF6cC}K^!lWD#@c+_E
zH-Tcbd?#R>gS_~W5Kn<X$YVqmpfG_%@QiD81PO|cS@NJbBE{{G+w~j*xR_AtQC$L4
zV;@c{co0jAWX^0SiF6SL*-4XPh4uqd_ajUB$ANrBT8|ZKpfOfP`|wTbl-ei!;a2q|
zKo1(!@(N;&a0=~qJ`IBIiB#~znNX<90t1O!evK9-qi;QyXyxW`wv$87aNI~Up?Ya>
zS#L{G!Hx@_Z&)YsDITlWQ-dpr#9<39a?E57lo7wUgQ60lFxS@*LVzMS<n-?&#0XsY
z$*V_fzX7_32_p3>#B^`hGh&HgSu9M`v4Mb@II3Cym5hF#gF&%T>xg58|6<tp@<{rF
z>x;k=N5*n4lZZd4{#v4-dU=??$>jv<7g>0fgr*yGfQ(RqiIOS?fz^((f_(XqC{?(q
z=3WgaD)=s9NOb}OL~<}ev=@lBM6@!a^-xu7CnWq+9CDGN=diKhc!=XJsD0f5;NI$i
zpLkZVlYy;l2$+o2M9=EN2cOi4N^_(7t249pd7o8gdW5=>5<%BJ)B^a_zE9GVz|>3n
zdlMZ#O)jA6q`|BzR_~++FrUx!Cyh>$y6hZDI$j?RWm6u>aR`b{d60Q5XP*T{{wFWu
z$D`hs+j3ATA{PRS*&gtCp-A<{KuL{p0PKO_uyIRPMng||aHtG&9IFG`NdO8p6Y}|J
z6^Z1lfp89w@(ef8U_yBWnh1d7^f(6y*Qhp&{%{?76E_7oC^DiK$Xn8-%;SZbN4YDN
z$zTkz+#VH*NV-JXPiUWk#sik}g#~SL@<bK}5@kjdvy-|UR0@*_1(^epEKyyGy^zam
zh84x!udOc>210-Wz5)OSAgN#2nvFz-Xn>h%EI8J+Y5`mW*leV_L{%A_XCMJUfF;pj
zao~;{xw{F6KTuj1zrhMP=Kt-snVl~QrgTkY(h)ZL1B@OO-~c@V4sa223AWDZ%!q%&
zr0kQ1IyL+kya9S0e@3zw<ad<zin(O7=fk*uDawxCFr4Kq^)PA|&{Fz;U-}DM53o;3
zj9^s~3ab5noD*-DeO;dkDUgSh6lCzC!_^Mb4G3#q&r~@iI)*5y$K_QZYBEZ;vIQ)Y
zXjIUnGgR+Y_y4*AK!?DPSQX*@K%6Y)llp4#Hz6wr6$oK2PQ4G6`-I9N)jE(jDB4NX
zD2H2N>4Y>f-Ei(nTUrC*OCqgfo(2NG))Z12Y0Twj?Gk+xgGdb33uomvEI_3m^qH48
z8%PICKM2KFkU$7V7nmO^1OWO^Fyy28ac)E}+ilo)>iu=aCS>bHMO2~}SKSK2AFz`e
zxljnOq3<k<3F9bpP-PHp<_1$WG4K*N469auO1|Wv^t<1e5xSa)$jwIpb1Ilx)YI@(
zIA3E5(}m@sY#bZ>jwDbReMxj^!Lj_<F`~M<V;E7%N@2ZL$GJSOy9D9}E9LUtBp@lR
zz;r3oMl(#*y$Iq!tqKMw;<%)cZfrXoUcZqQsRMGZhu|<Xqe~6L<Viuj^dvNB09I2j
z%aX3ds8!2NQtV0>Ap??jB|8e?Dj@9IWIieipO_;DAPM2%Xk#;7Yl@XArl(qUhH%D;
zF9w95aAE}CSQQyq*K462F{8|iAG%sw6M!0!7V_w1r!cG;Kg6Yp1;BvM{l~wyb-Du&
z&xdLe)8UoDl_ZiCZ@#A3)fSb3BtT*m4aX**DzM?N;W}BZ9aW{RCKl+zC1`C1NH8s^
zqD{p&;OsMA4yAUz2*xg%JhB5-%>!atLRd~1D$R?;z2||BN71jRtFj@zvseYF$dH`@
z)>EH~v2?2gp>SJe;Gv}SAxNzR@Gdc32Upqpv?T;lCY2=~H89WK>##<{COl^b03=2r
znMb%9(p`!p{4fx-Q-X#9V@nVhfA4F&?%jx@-;d9}(_4lIIQVx&o{&Fq0$B_9=z_2%
zs)Vi|Z%R)P!4N@zvduHKXbG+rBdY))&<7w1Eq9<Wd3bz)0z9Tuaer<AK{Ut$As$KT
zqcTPRSEl-_sF&;@jyW}oHi;3<9$?!95A{NkvI1Sg@S)9O{&TOc32Uy*c9Wn}075y4
z*$CDw&#uMSHXyd_r6$;6$)%va1lL;mzHt61>7s(2CHajZqAlFkfFWxDKy65A_lSVI
z^f6ckM72ZHc$4loEaZ>f$*CR?Ge(2QfYo7qha_Bu1>M`JbY3T{0#dYa-g{rMPn2Cd
zwV6KbG8W@mqzK``Qc#vf@8-xU8Nz3G25zrdftCt(Ark5~rTun~PB2ZE{YhD5&Y-^J
znp&b8HpT~H%mP63bh&eq@??rfqh(D}YXFN@!$i=G=KlEy1hU{DSz`!*^$|8eHKq;5
z1<Ed^uwk;sMk}UlR{>cBCahpU0BF3|F#r=B0*OHp3*PuG5sV{bgR33)sl8)NgNA*#
z1^|y8({A=o5ta`R;$KCg9Hkye3WAkKby|Xj%o!@}TSoRlk{c=G7$A{cC9Vly0A}}M
z!9c^PZf@(A1@|s@dazL~Dv3zv`@V4y<(5Tt1%ZUE<owjQklH0cFkdhiR82*ltJ|6s
znVdrVvJjoELx8MINk7<Sq&AM3axECF1&Rh6_eFD2pp2-%*|mxb!2vZyVL}5{@LMg2
zXyPwl!QKFeTYkTFNIW0`%*HYZ%L~Xecw0#8ojgc?m^e$f2ulGlX%B(8HjAD8KDpe;
zcH{R0oZiIP-ct->d=jXD`^#6`^1v--)MXhUqM-Y9$-FUTp65HL)b_H%cIW{x6S$OX
znK1DIVk8e~2sOzL%9s&IR&`jjKZ=dPkPy&@!knTEwp1<$t8c7Pk{tCG@dKoE_4CjG
znF(t$Gkm39ormwf=BDem4GEq;_j4EvBUVZXQx~>|vq=G{N+d8Ji-|>w$4nL6;;jUu
z*yS!5;~^{Y84h<3d|$kK82<T8HvuK5rpLWd>Kk@UVgg%_cNU&Y+~yryWv@6OO|@uu
znKr^uf#Yo+{k2$x8dx^)Ixbs2CZ8{B+4yU;f{y_;Mx>13nC1p)+{Ro)!KJM^6olSZ
z#Nx%17#z<FtJC$Xql0aL1qt63fx_04_G*Y8S5Js<#p8g*1tmTkqV?q$bWC0J4Y9#A
znHg$ZRVpw{q|roPreS|_2O|)m7s5)~B>y{Xbx940PIEYs4iLrZ(Fqz4q#B0kmgLRC
z^`^kCg|<qR8%qdm-3lUta)gV-*e7ytQ%I71ymA=8><6NNpkWetmi!OO5iWPDWKn>-
zl}#0(36XVz&9ghxbD6D01rqKQX|WM4+X_<c;iUug1YyX;F?l_{VQ#%>yn#SBw$O1h
zh9E3!#Z1?j#jx<xfV2>S!i~+gOw)uI1pOq?44$DZL(M!Kjj3`njIf~~wjM?p-f9`X
zUIqfhaQTX4*my!u2h~LK8#N5rjQAA#=knshN0fLmGF}rf=NnK?MF4onc5XKU*;fEB
z<KS;>+XB=8(>yp)js*__h2~Zo^?`!cAsF~!qm=^OxFvD51>m2a2sPs%Lll7$1_9<d
zlD#g3?3E5D7P8|gUF-Z53IvM<K(f&^EPYtO>OKmt4;|;lg>OGqsE&6*x<<B6=o}SP
z#zH!x86!}6)ftGB2<nI2m8p<+k}MJq-5XvQ>rN&xjo@Hpy$zdCKtziPtqVBXm1<1m
z#C5r`wZj7WS2Kf!8y;E2z(R=<WWXGQHzy@D;sKo*PrQt0-)0$Lo2a|I*@Enw>|cQP
zZD<kKmy`C3W<{v*SnG`pofLk@L@~S^LaF_@P#$;^ENBl+q)eBMsR+u8!BLsP@wEqw
zXr@LBNygN~TSVlZhO)SxODSvE>HA@LFd;Hv^hDajJ=0|mNCvKWxDkX`WKbL&W{8hY
zOUj#yRf|C5I+_X}xXeR<hDor6?#`7;#L&cTZqg|z>NcVivP%yeRIu7iM4ej2E!^&P
z77IZGZ8d)10j8So*+IPG+}knS<SZ0;+L}#-9mdqoY%9!dMvXq!HZ~!R(Sn~D8F=dB
zYd}TMb~GHOT_6_;TtFbcaX8FBtXDGs=#2*{mIwu!`ZlDb373*Kq+|({R~u3q1kMwh
z4pATw3nZzaSvIi0E~H$OVT3E@Z&^W0VT*u^J>9oPQmOw1ITk-@p(6=76g11P{;|c<
za$H~9X|O>w89Hlz3y3PB&Qxtpg2!r$0(jc<3mvK~0^(~5ER&gC`Q~*=Vua3<&=3<*
zJZM%}xiG;VeHgr#m)TWZ)FQ1jvBSjD<kUyvYru5P`dL-X^#OivAk<UIOdBQ#)pGTv
zfS7}!;%drGnoyc$aSh|-ivuXLuPg+K^F<z6d`#LU2BpdJ>{fv>>yQn?qG>KQc{LMU
z_Pm;iku`^ENvhf=vqMxE&t<oOr-r7Cn%^dmtc%w%j8V|2>dN$FRm2=5Xt6LjgoDlu
zVuy^5FZeGUh7tf4Voq^~D1DL`;2vlZjTA3~VoyXaWHgW^vazH|f|O_tGzm(H4opXQ
zNbH1(0!nKN8UQXtQK)S|5eyq}PYwkL>YIBsLB^n|f<f9AyzB)-;clk1OuaJ<#*76;
zwzN&EC`OpFt93sFqH5+7zAA{(O)(^urwBcLVy9q~O{&5V1r{n|2*lU^1VgV>Q>n86
zO!$mCs69~9>O_HwVCMuumI+iqyc4+NLPf+<U|2aO4U&TV1=`V}E<wp4hj0vq3aM7$
zOokMX3&Ei(L8%~X3EmPqsS|J}K?+nG8W<8tH6$@0)j>LqgBfj~7-g<g<+(-x;#>j5
z(SljgV%7lcT$-}g0tN^V#j<LM`1NrZ^=*{G6wn6`__a;cibhy(fvx=@jsyYI6oLV$
z1Ea<542Dp;8G<?rk%%ivG>Sz?2rF=K>dMgw3z~5J8llzwTcyog0KJVyK)BEds4H-G
zw2wrjR^a7s1)W(s0ReMP6K7N~v#VjRt5cv-DS&dcd9SK&oKh*cBBEr$ijh!6sm4!>
zPBd8&t0=`RKS3eD;uxsm0StPDlYz-eL_}CqnzBX4Efy?hLDu6?>bkG?YEXSKWl_eW
zS}cl~vY6vjLM)>uAab;Ht*UNqsE&&>8Ac}B-L}+(qNy^BO|_J5jfE2ZvW!i!k8O(u
zJ!1a0uLZUtA?3y@L^d4NQgnt+;JXzwp|MPNJfw!hhwzOIn_{PII_9>ljKG0I4c#?$
zezi4ewKZt1v51#g?RPd`iW7S>J0~z6fSkd)LGn61%HouIg}Y5l9-wvsx(47qrOQgG
znhvq2t05>LP}+9&Jzq^dT4f_yyr6{(LBlO0Q%szbFT~Rr=^+z#gRZ26W*QEZ3k)3X
z2QFzE=46B-8V+u(FPO>PGIzH;a#sPU30xYa9u%GdG{r#Bb&UgA2_XYkLz{EWd6SK3
z6OCo^azw5S(h1XzOj0sLt_;#fvc!m9RyvWI;EIJ>gUSHFaI9bG#wiq%=?s8ItcME4
z<`@AtQx312>m?vSHK&I*X8Q6bdd+3}%A^PsGtl8uU#VI{D4blhhFGQ$kI(_|AQGk>
zfHIsWA0rSFrXy@e43@HqfyG6EF%onfCj*#Z1jN8PwqLB2fdINr9LksLo|Wq_mFp*v
zAWlhxgV|oNM`aU+nma5@2y(pA*GW?jrm}^>XC6#LJIQ1$l!WXS0D~b85vQ0~1I&0j
zs#mOxVF0!!9KMz7mX+%)mFp*rAWXu8gGpYb_{^d-W{S$JNCP}zN3%Kj4G;NG7KOUq
zb2_lImr*;52aVAxB^!><Skj)b=06^%eMt1iP%Bt*pN8z*!e+WpNY{ruqS6Y3)-kh=
zeNIV;aKm;W(y|`teWXH@l;$6TyRj@go;gZ~Jf>VR<)5eXR)&R1BOIV9$0m_z6h`Od
z&%Zv;<xu2k4e+9}9&KO3a^X}XMORblijK|e7D&*_o#Bx-noi$&+`|~@l}G-_jZCCs
zc#qsIKDTZ!C`xu}?zzRvryz54D<K{VsH9SUpXHgK+spg#4?NgSd+g^Sr0b%Q!jgWe
z*Nw!v{7j&&d@F4={a4d)+P<0A2Tj9J-B=qU;-S$9;gz*ul;-VDH?kR3^|`mL{ZWzZ
zu0fd&5z9DC6)bTUyu)Yt-Q-<(M|%v~-+!o;#fm{@{thSJ`K(C|i8hsr!hH<;HH<qh
z+oh4>!*`eCh?l$oO&JEXB@;K7aK94`!00{99+ZeiB*{k8`ct;z86@n%s%j=UOlv|n
zs4hy#yWKYyy1?jfmGXl33Qa6|SvgF}<xI}qsy|NBm>(0hr|xw8^*)m}JRQmG0R@1D
z#MLyi;VI72u<^{6@wYATihBg~a$PGf6rs*Sftyb23Lrj9l>)<Su%Lj$sCGrWEVB`2
zu9#4mL$KnF!^T1^iZ)oniK-o(6l{@&8e4i9Y~=}tg74@_EGR5nftR?L(|BP*x5B5b
zB2<;1(BPO+bF_WLYLp!oA$b~LRH>0JWKdIx7|kPDePwt;&9`$Z+b8-FPnH*#;0C&C
zr998mY+8abbNfmO3+%uzOjNwJ&5&d2^;0DcRWZ3m-ScZd$3WP1F_@+*Oq|p<Cp1Ys
zY2f1_ie%Nrmw9y3;F8vK17yp+a&yW+aA_ZDVuhTFewI67qL_hMx#$G~a>2~eSvP3r
zY9<(&_}<%xHXF7!!y@W8cv#+HyG}qHH-8QT0%Gfnj1`_4$;!6Rwies91`u-me4^Fa
zI<QirT^&}=SfRaOT0K!{OgB9&Wr`8@z=T59Z~I|kwk?jqRrU)rCQ@C;+E@_f9KILV
zdbO8pLU8_#XqOIQ$SkA~lW|<8QYW9tl@iUgDoCt_sH1F#A{o2*akkkkps;O`sKWdK
zVj4khnoBVVse&+vD~)r`<f-6lW2)fRPCF_;ZY`lk$ZG{#3MUkT@Nuu>s~}13wiH!#
zpc-;%o1Y=$x(|gY%ziXKF!hbBlQV!28Bs(T$K~5*!HAJvO_MG#s)t(97EnrfXYGn*
zN>UYxmm8^6fvBfNr7TTd>}lz3V~u)%H-ytt9`5gM^(%yAib98Bgv+NS-Rzd9N?|K&
zzf6TVTtM*B(%+N*8dZ$aW|Atxm`}+EMHlrb&L<MAN+zTO$S4|i*sG<j+#UPX6aP2x
zl&l4_@+uV#8J`Sr4fb88Gy(p>1)EP_?oPp?Fc<6xxMRHyfVCD)T<2$BtBQhkcz%yu
zVj&Mt8>JX+&}nj6TCeMg23oLExN@rEg&eFa_3@2NbcYO9U|fLI?Bu`WB-!L#9M4^i
zs7YJB)ciXYg|7+WC)xtMOL$Xji!7W~y3Rsz6xO;CVYd++e&Qoc3OHx%<R!{bq4w%W
zFkwJ#QqmHnEJXkR!W^eUd;zP~!eG5&)TylOnR$#`A|nK7Ob0N4|Gl`0bm=maG>Edp
zf6FM+N|D=R9!EfE<>rewV1sf_Ca++_L0=3{U@VcbNrq;cTCb704jTB`07vy4T*y#B
z@BLtBrV?lXw4K~(aiuYU)!skIEqdK9b~lWU%1Hsu8wfB_YrNn{l*y~qBYGY*nL!!b
z;?6cP?kc#giq3?ZN}YMSn(3NE3tkkOVq)9DC$y325Tw`-CPqQi>ZL36Y<x}bL6P$x
z^;qItW5{^;w*(U4!0cSfiicCc#3#Vi37j8JrN~)2I?w9wh!7MHp&>I&S`;6RrZzma
zSVg_m1c7#dZrjn_slKvt-JF*MzV1G;$wJ7t))0uwYA9z4l6CXte$o;N>2@F4T)-in
z$sdW(u!m&JP6ww-Y?de6q172yuOAAGzgR=$r<&tQ({e*dU1AjPGWNMYig&~mp+n>*
zFTbRRw?4!#il4jjT0UD=44)ZT&g=7ec)TYXDWtOcI1Ch9gWNV5OSn0yu9g0AEcp<b
z64C;t-}L!#fd5Gzk~PF>wsWOe?VGz2{CSKfm&G;mMfh=<ZCYtC!#5-oBqxP>9Wr4H
ziDb=POBo@DPO#K~R*V9uRxs&xfu@oUG=wLD)I_kxXS2CvOZ>m_hy@mqn-3`L(MgOh
zQ`Q`GOJMjRxUi0;*_GVkW?1eJH*zp`Da!IIA1lbrxx6+-#tjm!B6a5Ra;M7+{a|w2
zg!~r9V16?eBhr%N@tiDt*_Vdo9d4Q8GJVh}W!R&}xf3$T+rR~i9Xr+Byg^~L;%C*~
zXovx;#9E8+#V}+|I~36%?i(Y;(sbk~n80nZt9ZSsO5^#^i*8=mSQE=G_&5~K&SbNY
zQsz}`SYW#HKI1L*)}_?U&B5LWcp8+yLJQK&yP^pUE|UZDucvA1L<p*TWLQC_N(=~U
z&@!5)rv8)+oJaGZlt~_-G=6aLmUNFl>+&TDnQc`eG~`8H=jsm-Sd@pmFcf1c)L~0Y
z=wvG-WSsLAF~UHMddTiN6~UB79J>@)rgHphG2yv0rtiFne9O-uMV1!iwzcvBkqZU&
z)VTQ1Uq-yJ7N!P>&$MCjdQL?N!R*LLFwZVa>A;quXH<112;l^g8K{399jiiJK(I^5
ze<hwQuR*(&?M|fQ%sbxa7FDysZH0DVNPVnaXvUR0r|ZPmi&?nBAW5ty6)cjh_i!BJ
z4k<`C7@~8D&(7|t$n6={kefSWmm@+Jm2)3^odjVX_l6Cx565<U-WW9I+4O9`<#%}W
z2jUQ8OojqEg8z++3_L~A!7@_x76Lq*H*x689^uu;B9Q~)>Rz=_I)&gmh2!C1g;2yM
zNHpt-Ct8^Sws|Ppj$4Mzz~i}qZ+a2}=%;xV*_fmR0O8p~B%5JSIZiGP!bf%(UCVNJ
z7SNX0M9o<+>A?^OQ?Z}NQO%CA58S1V9Vo~x5;dOeC<fd)t|?_SRmCl!nAYRI=)NL9
zkn<ylh@fvAHVnMW6Io?NJ(=P6s_MtWkp)wZVXR+U7ny1)ryU)*>KTst-jY@?-B%}_
z>f;a_yxDhag^?9jLiGj-x4JH2qQI=)0}`E8FiRrf{5u<Yc^Dasl@jE0Y=$@AhInTN
z4m1&zl7)U13ZzhUbvZMgtYJv1oj(_aSGOTppc^w1y~sx>sZygP??c916rPAA2dF|Y
z?l=nA>R$;G1c&zshM>4lBC)cL>oEA!9Bpj{;xRAUeRPCe7NUwah1;kG%_|9%L!JSp
zmKU?YG?3BDHiEC#!~}Ueeb`l%j}j`+gnA}jm}26}1^)=Dn($WPKAUH`kP3$}1OxX1
z#sbQ;-EkDhAOWomU0P@WX&Z1Z>>_LkTC2W@rQkm(T;`dy*bt4EC$Fv%4$^v3VUZ5E
z$0k~u#vsKjDJ~4S-3Bgn%WUKp*e3#mAZB+zMhR6+Wegm$4h?Zk2VNM~r;UaM%7Q1n
zW*Y^__v&1r#~6W?z8XGu8l(ZAF87^OYO$>jhmV*TR3=F+S$Ml6p;*s7!<`NC=z|Fa
z&3Ocf^k#Duie_iPh>s~kMQLmhTZgmJ&4w|`7~D~6kwc8<gOQE07-S-0#1_r%1rcPT
zE9`RFmh3lD8v&Fkr?I1Xga_q3<3&mHnq3qRq2~ecw$J>m0AFeRSS2CIhsAg+ii>H+
z2GOGA_cokOs>T#{PvkU0h1IEm6EXPq+}Jcd><0_&lfW=|LP2aVg?0teZ1C&OfP;a0
zJq7}=!!mr<1M0U1C58&d3J+=NLxqqD*P1ZUUplY#2622;>A(}^2IXmsYTr1baFjDJ
z&?ynXN2gC97<AcY+#*xNBQwPivE34(4mD2<P%VX0s=Y{zMU>)p8^xMXHrOVWT8veN
zNcca|e&H6Sc^lPmQg)R)Nh9r^T~Ci(WlpI#GU&5&5z?Z|Ob-uLg7T#?c+gy~O^W9_
zW#K^U*f6{_5r9>OONBkBxpkJTqG{SMME4^N)Q}oj{p*Cufb>LHqv4#cBCbd)#c1N|
zL!5-JLc*i~j)IevVp@wa^9Zn-Q%VGY<;Z~$giz&p=`vsLH}&x%6AIhYK(fwK4qEr|
z@nSvaFb(7AYtGENJqkDtW0ZR3V53(k&#elCSBhtJK^#vrfgT}1>~QaGM1(m-7dN#e
zAY_aagjtdd>@R#re1}QuTK@=)5mVYmpsFK2i--i@Kq1Z%><a<3bMt$U268LL`|hc>
zEI$2MELMzZ!+1W^QU(sx1Q8`-Z&ywV7(VnAOA+uJ?+sCZw`isk?7hhgkfv}E{<I5<
zdh!do@>hb0#FST!%IJ(4_UO2XrQp6W^~reAusyfW;*%;3&uax?wv%E>>4jjl+@h(8
z%mMdYw?+Ql!=TLBRnl9?NDmu;Cz46rb{?eEQLWVovP!s#fr6~9m+jMUSghw6ERtrX
zm`)LrdJ(W@0-ZL|@F1PxjF;Omgkx;7<u@|`HJ~64umMu?E3mBkG4OwSMBv+M*%V38
zaDPy2lPoJhh!sg1+4Q7bU}==d@|c%hPpFkDVu1$Nkch2i)GKb`deB^mIxR6utU^x%
zw%z6i;o=Q;z|q*HjNGs?O@KgTn;p<sY_&+UXgHqJ5!uKvN@(olYV%B^T_h`L0tjd)
z;@C#ZJ;<wXWYcUbq4?`+NE{NZj-beWk}chkFcKj&=4W#X1V%6j3^mm-35AB+OBAY5
zi|*i3ZcW~y3bj`(?{8|2OGh?0VzVS%^m&?MK6y59o;rMaNZ`6$8b%1p6^4L($fZde
zYlN9fl+BHxi(iTN1Q<^(hAU^ac=3WxZ@8vzE7*buS`NWN(9gHFtJ)iJin!u%RMvaQ
zsK8XUeYnLyG6R5xZX23lV7(5=B`^np4h0C|Ek>z^aC^8erX=7BHFTdfb+QgYJ$XGe
z$24<i&tdf06MeZ@tUwo-(`054)iw>^pt%)X#WEoo?|$^o7%n90&~k$;Tai~YY;Ca#
zg+vajdQUeKoj8J3?azHryqEx+HUy%=1})TyMbV#x<t`w70xgDd`EBX9-0sp(20U95
z-x4u|iTF-ZmcL9XUT7wAUd@+I22s+r@D&icnSq!4&?_axGp<7HgNP1AG1H9=ibpd3
z+sqXW4BF5LBb1^}X4C3lB{Ce0>{fZ?gc3!pj3=;m{xi#=2Q&mE<tgKgcK*DK6jTL=
zf!eHt0NJRELM$bgi0p`3X@OR3qjS3)%=rcPChHI+OMQmTOSl?KtiCK(z)m*%>@w<7
z%S2re5U9bK!ATuJ9}zKyj!?BgU@uVD`d$&+qw$B6LCn*o9$8X#N7=xTP$weBJU(%-
zST9Y&zQcbUPa{Ae*Ib*CIL2UQtr>FzH6A$rOJBc+uHGXSMhHQ=`DLQjBTXCj6Sjh|
zD3@67k8PFcWR_FF+V@Im-H&XHdEztZ(g+b1cFbi)7ev0j&crGtLKss(ti?EN7#3p&
z?bj30vFt1|${xK^^5!!~g7_JB5sF*oU(8qZa>^7U4)Z?7Gt5031dIDYt)2N7RnasI
z?Z`*;`nF-3Yi=vO>F(Jg6|x%^Rs;E1{O7h$B@G9el`d&AAN)s>>MM$b;kr3!^@w*<
z6OZZ9i(j6${k7uh#ZO#L+bpzPUx5tF4l10=4qyDq%=EfKGWf-ZFMFA;)@`lwxL7^Z
z;9{-!WDQG?PpsJF2bY}@VrXiF4MW!n9AfY&tvJ1pP$3R=#qS(@%TBgIm)mWINj9zV
zX{9`Ah7Oc6-SgSKnf1=aF!~4v35;qGpNxt%f%wB`s%A}{<k=zm!KA@21wbh!K}g!_
zyJ)&N+nr$OjsU-n26guhxQK9Z17LQg`9cuo2@*$XVnUmi+9dEhX_l@0o_Ps4-EiS#
zC8(Ll3nAFhcFYNArf&6y)L&&pC#S-5K(I%N#P5E={SbX~cV-T?#HvdnPnlTs^iqb8
z7oJkKHG2N2?QAN8@tZoi@bB>cje$PjpV(4iWiledVno+-wTG(lBKg?;JLG>CL~u0)
zR+{;9mD#7O_x}=a(CkCq-6qEm*GrE!Jz;bv>>j@5*0YQ{gA_O6^r~W3%yQsYHy~G&
zV$`vI2{^M}ONmQ^+*}akdkhnYUll!gHnsiN+e@q79lD>4ifB|1ADKp>5cS^hdSt-!
zlAt$p&m&Z|7i0_UBI2I_%?eFmc!`!+rYHHaCD9R!gXGW<(jq6VQu+^Z(|dHBbnZR#
z7d-hN+zDb4z7?N|Z11*?1i*NVm|YB9ORe?a?8IIXEfS8m6LVONktuA7W`}BMcWE(`
zz3B0arFCy=rUxVDiXkRlLd<U~3U@3D^hq8T!aDBgGUQ&uB)~_2T4@Cx3;j*sr)<Pj
zzh~r>BJF)zG5$UnCgaF*6}BV#S=0rJ#m9xjv#SZ|cb^Zt%(A93>9A?Upw&kO!U{E$
z|K02&%PKk`ng`S1;C{6~W&FIR8P$?oBL19AMwp6Y4e_=`{Wz5(jU24YlR_|v7eV_7
zFbrKEFh(b-3Yltq<~-o}7``rvHYq?LH$4PQ+uu9UAxCzorQvE0IEn>#8yF4_feKAQ
z20{Gfh_u%r%Sckho8a@9ud3Z1rAYPF0Z2vVwh|x?pQmJ`iczX`LdntzF>Pz|6l(Ls
z%brrOQs2!PeuS<j0}5K{-@Zc*=Mdw{RzeLKGx%<vD1@F*GOr#vXosjF&^>7V@rmN7
zo8bRbgm840ig)+8C-!7bX;}A_cXBB@)Aq3Q%F=SQ^ZF#D%WsAN@<t8FFB$Di9W*6G
z#)y?Pl3j5W7<4ip`FAj2B*K3h64Q|fzoc`l$!7ZPjBSzI39hi}VUqbr9A4tc1w*#o
z6xJBQ`maWQTu{X$Loi`Tuv69Gn^hyFGWkL%{`zz|A0Vj;g0tZy7WWU7HYE&NJ7@Na
z5n&_L^f=ji1}<{wKtC>SVU`lvn!@Cx_@X*ub--~2LdtF0KPFMXB@+0QT5b$0GUN-a
zSZq9>qrQ6>$Sw4ZjKsQ$$p08SSGy>HZSIghkIE#Xq=BILrI1Moh%>g-t`$3pX-eGZ
z&p2}er~cu=4#EX&if9xNq6e^Ta@>^A^hd{S|E99<(S|6IYbnYw81zF2t4cZ`RA_-e
zA`$#!qM=B}8X;^${2|0tm``M`3=~^K%2I|S^C(SY1!My(d`ThDgne{h@vNGS3&UJt
zkLtC(NrWZ53Y@}ggbmkL%;d#;5ar58Tq&2kfS+yQMROIR8=@*%AwphG#ApeOiV;O`
zhiiTfRM7_UV2hZINlc?AaHha)D4J{?m#SJeeRi{oPOLz9^Hbwtc(9TgXn;*c{3*ts
z9b7JTWZw-mEVB~~JC2Z*5~L1ja3%#bxffs>LjPJ8=vTW?6LZ&>f+opGc+%L5U6M+n
z>P&C^M8-9t?Mr$XCa<65lE+}yjC>vuZYyTOP;%c)iTX8#kzS{S%EOUZ7ei+@s@;~`
z{gAvtIN1qmJF61sm|jkVJZwYRV1j0w9;gt^vCX|LB!!kD02g@wvoO)LqsCIjaAg68
z(5r$_9NHcg4S!Jl$sE_8^^=796(dV9Kl5qZyBq*F7G3%zaaYSwY;q8j$W(E41N;-k
zn^xN4eg+@UlSC<^h+5J+D06&Gbjy!|@%3XMy0PHD9VChZ5%qZ}l^?O$2P6xN9%v-z
zU`am9uN(vFA1RF=)783c{`OI)Pm!%8bni-yu9fNUbnF0#TZ`%$NN!Fl2Pl8aaO0Nw
zGkeM!p`J@}FQucgXrr|Y&4onLlsr<2!`ZHa6O0;}MBghjvQZBY#x8|U$^pN_V25uP
zQ`zG|{tGg`5yKk!FZyKz4hKN3D`}jl=D&Z3C7>IK2mt>yU@p{%;gA!B)sk~yL%;4E
z1Q_Hx0AY&KOx^L7c6P`78;0IChZBoxLw)~)Td1R=d;bka=nR?Usg&$p1JJeL_;fF^
zvI3RU<!zZaK30?-?o}lyRZ%1Y<mwFx7ttUVFXSE#JF%nkMp|o6j=4M5zdu9;_z}m6
z@gstnE!;XYROe|Cs+@i+ITNTKa3WVB#{qOeQMy1v(*lAovlEZwDU~SL#;Cp@4MwQ{
z%Z1YDcbW0nE`UuWx?KC;qh7?3KH=V+4P~%9q)awb)<}qN)T8^sp@!zRA+_~tFfa^x
z)`m0XO=W8Cx8+y_Gd8%MK3!Nw!btj71#1(Cip~R+S}Ve4iIyPT^Sanl`_}c7hw~Ng
zu|>p;0-_8#X3W?hoQ@5#gD#w{#Tn)`Dfsr?<KZKNZ%|Gq^$_4-o=;FE7!qOFi1;u~
zybLXINyAe;2^az(9uF-9l7}aTBdW{3IWU+tktmES#<sL_K#AP<B_Y5Dn>-f<KTj;o
z(of$2WVaWbZTf%h-2PcF)wv{Tzmu}kYB?cF2ja$oM|6vavLdTV!TvoezzeI>dhhy9
zqr91mgpKhS@r6zg+|9&vNXM+6!Muq~&FWG^_hk8i$1^t(^m8p)y<A$6DD#;g#YFSK
zct7dk1U=YfLRDu>S7fh*SNT+b96vd^442C{>%Yec##W(Gf_!jyrNMs-tU3ul*E90#
z>gYHmTOrr0LlIFPOjCfnp(~qmyv9JtVg(a%@kZ?1cR0vZM{rsfw$q|#DkQbO4$#U$
zuV6e2!6?q%e|bEQRS|&ZYm2+JB7!u<w)QgwWX@82f=H5b=1G~8!0P<K_pc(YD1kxP
zd4!K6ijP5;8ws)j@M9@d<ObHF%OcEhMG$p`X-oC$vzqxXEpJjF1dPrIqZ$M!Os^Dd
zF5n6+MAD@K{p7{6M?if7-YamGP;_6!1<RZ4XzWOHfvc=IfM#Lx4z6y3;TqYlY!9fF
zKtxE}jZUQ6Ns@*H;lyH~W~WSKL<{%g1~%=L83-(kuaj5<5yDn&WT&ENibeI{OiOq?
z!PE+L2&aW1PXSU(K*<dA-Qdemi-b$po;gAJRQJ`wV?nOImmHturP|FhB&3vW%8b|u
zqXb}r-qz}sKqE$YpyP1Hpp!sWz~!E8FN(amN-LWF2c4ZOm*O6R6R88o&jTG*>8>_?
zG$8}gVK&mBeUNzhCK09wkqRE8rZQj+pO^?=TbRqk3rMdvYF3h%!D_07*1+P+0WR_A
zT?Xl{ZKke4cbcl*g!WMq*)}(SXq^@X?9>f<6+K)+8p$L=h*rMdv&_QomzhVm)kLMF
zWrqWN(Oq;jP}(GRK<BH-g~&|#x*mWJ3x|Q<ssq!};7@f;9hOv{3;;gi_Ac(MrpFyD
z-h<pcg?&XBCQ=~uKnVye6rt(xG;(o5WKZR0Q;7h-KO}Iak_YpYqRP<`+Csi3VahNP
z@IVsMquWlKz_+mm#Q`LOOt2;4QZ{I{ebPxe_eJe#Y7Hhr&Evq%<bzNE48B_J3R>84
zkzWY=nvkG=Z>va%?O#d^%fB&fCkH!T@_#_2ViIJt$zab47J1tW8rwQ}up(HQveiI<
zGflRUG<cFjCk*m1XSJ#5_}<$0BP6QP5Y9Gm!RO!gjK<3~G-<`FcTyjZx}QY2k9NSf
z1Ho2C*$=jIBF8?NpTZHkG_tj{=-Yir1(@jg(4oyg`W6FBQ!Dir4<DeGHM)9@lW(J%
zet3NvjVLv-^;9$U7_|j!^!%9(`P+>36iAl2Q3?TD+c|#$*8^&}w9T9128=jN@XM}s
zyDAi7enpcsAqW%+@y+%jf)9Sf<R}$y5E1#8@gP{}>I`kGB7FBiKx-4u&kcfz;u^-B
z(7-*NLw{o@aDP3Zoo|+`n!wofAjYrAOBUV0Od1+LB&_L6dL5!>XCVt!+?<-Ys!&;l
z@Pu1MF2;vw0}!+{MM%pBwVYE>z$RdS=08}@GXCGd%PHu@Ee)=PDHw$hU(|SgWsT$q
z7=>&2#~3hS^LhRiSg#8LoeLAW2{Uzu*@MM{V<{b8k~nO?Vhrg_A!@U3VCbyeGGa*U
zYA2hbvvNw^=2a*i&?h;B?h+Cr>Sr7VSGh>oo-)Y#6=!1zSiJc!A;~b{@=57_dfIX(
zPS+`&|JTSwW$4QEiy7n|M_{7RE{4#AhX9x;3oz9|4VJ;t>|zJH4N@uj#OqASwE`N#
zz8vn+PKvjF5`GtiD2q|n64P?5`r#zyV#qO?8acr8TGM%QK86hS!01@B2I{Hb6R~a$
z&nq~UN{sCtUsM%}2s3kDnymHG1+^-L853aCa?s8~7hs^EC~{B6k<7uffj^A_1Aiuf
z6z;ENR6o?)bPCTf@1*o}Q&qNhKCuT)m>R(uzE;!GqmF`&qV56Vx!kYU^ndycgcwE!
z96!N;bt4E*za|9<LUm#y1CVm`VM0b(psMu*vMET(fZ6CGgYq(xlcrdRWYNR}F8N+P
z0GCX&-|S2>9WK<7j5Wud<ceU?>y2}!SShL~QK{&@4Tiz?#UH9V5Fy7O(%xASBvSjf
z8VZ9E;XH73rjoJfhLQ)PhU}Q68+8Fw&zm7)iMELNX@*KgG!;7>`!_KL9D>yq*NloF
z?t+#mgT@u+b>U56BdKqZzXA4Z0xnP<=%Mk^4fNP&@iyVr<(!uo>fO*RWu!5Z*ECO4
z<#JrjVTe#ZKq)OC+kkZJha*E%MPKG-@zhiG!kVA}pQyWBh1VrYjZWk1Kof~)j8}&d
zjv+agDU9%YRnqdZ57RRSg$W%MPYzOpgOZ@R6}!Y#Hqfhh0MmZCG&qC=wqm0y%mnX(
zgyz1KBh~bwA4S+U^gmDuI26nFu;yUP?LK;Vt0&3e=HL%}5>O7@P~~wmaP++}_fAOx
z5BKV!Aq17Vzw@~bl_AkWzaiG?{d8gQWkM@1-U|xLK9dtQ`UEuEh4<}?O;1Y{G=imf
z6%aYkm;u`4tpN9vaP^qo;YBpd0_vX*CX^z5jI{$hC718?z4`a+j=P)3q5Q%mX_g&a
z!m9Nne+MIego&jB=cNNe22`EExlKk_+yKzPVu1lJunmYyzW`gIUYGzrK*7H&{lfU8
zYp&)JF(4E~()kzRwAvRTOrHV8F1w#-QIoiKvd{J51{ySQ^dqTqScX^L6TkyHd$c^F
zFXH8KfP_&p?vsu-=*W)I@;M*qg>>XhC_d8zG;()vCM7I3KwI7qwE_skuk_=if==!0
z)(~!^uvvu$xH4Q1zdqt0%%2yi0e2dF#qkNVoJo5EP@mc!31z%Kdi&%Wa6TiGW!!_e
z4z20~uYvqDsHBYshF#17c0dQPuI^wu3!T=OZ7EGscVTH68g2)Amlje91+o9k4~klY
zb<-)(f><Y$yD+0Z_9-A!XIeH=E6$&6*z*J8gVo*7!8E_QeW>(@VlY(_dl4t|z|<7Y
zdNyKC3ts<8cX_mnG{VJQcQDkb%LzM$rW;GzgrJ&JOS{CS-Q1ms7vO(j(lJRplY!|X
znjlcEwNxzh*Q0ky9U&<d2y_($s1%*?=#rCS9Cs$9B!aQ|93o7EeVqiG&%p%HtCuBw
z1lKjxCuax^E)Z4WZPjtVEde7#XTW&>mcKY19s_Ns0LQ8n&2(^iL(O2SzPfAFqT>Jw
zQWBGZkYi({lHgvabU=QVHR?R-yv<TsX)YQMcApoI0M<ziA+tX@bbkR~l5YV}t!ToI
zED?_u+pv<Xk>cX0#h^CB(Wx0WAF2<JFpQ0DCs2{I7_KW-Wml)*jI*}WNG~{Tgy(P_
zvVx{ylOdj|QM<yW0GN{mq|jqVO-;U`1=c5XcIx^-p^f3l<a0T_NX&pNLPK6IZD!q2
zG)u<!X)#uE?w@(g6_K_BLTr#Hq7Fs?I&F7KK>0;RwNA!vx@bGZE*D!);lL0AkfG#l
zA<6<_%)3A{CD7I)EQQw>1ZKS{-lwfiA**u+rQ#WrG%aK2Y(zzfG;zany+8mVA5j78
zg=Rt(S3q&mH-Yp$mXB}gl=+oPfw)Tn2tGbgnV9CAYon%<AM%}P=~HZ34ddJcPu4J~
znVV5@9S_l0o+OB|JnO(!LXj`Xc$aAyMD(2I)QEQ@-A|{|&@2bH8N$!_J;oboZ~q}Q
zoaBT}#&Kaw?*YPd;8@i_othvoqG3epGZ#7@9kaCI1pp%8kIMg($_NBX^K8XRGYJU$
zj8XHTrnyzDif)p;rV&*fYaK(L<7o(YCWf-YOp(!}G2V!cvHQDR-z*~CGa&%6pb(Xw
zks~UD8sSiq@T8X1?k*LAHXeclEiYjXHbLxKfq0Y%KsHzwgj}@qA_qduoz6zwg_(uT
zL=?dw(_L$YbL$J@i|pS-YC_$Z6FE*;fHBG9%9(I9MA(!Ikl{in0D{~k`Y^Fi2h=Lw
zd{i@MO{{OfioLwf>o)3W;_Ar+yiNWhfKDpBJN}8P5gE4**UP1mE>ie|vBMojmQqFB
zJ|+etJ$c~qX->TX@M6?Pl3h_0AW`UG?(0>mAX7>fkP`qC&pQ$;S6fj`PDLt@ja07z
zxYOP(inT<q4gmtgX)08eTA~8e7p8SQxOV_wOH69N&N@DpsQ;VfW5{P3((LnLQPXY^
znp0V^tR!KKvtO89E_w1TvwI_3&8Q@FhqJSFtGC!91<5>MQ6G&R?ZI;urn5mx)Ef$u
zkON{3gLYyDNyRY6Z+fj2O2=9c`YxD}tKFDd(uo>1Bx-2C=q+W6dpTri1jQbpUdqVz
zC~RWh0V73E>ir|UP#DJSPOJd=FQt^V2rvs<Z2%0&HpXQPJSt(ZPl&bXfSsPy^TZ*1
zv0DV74QMprS#`{_vawxdbUD8t`w|`C;T<NAWt>BsQCVKi@pWlsC{2N1NdH(;t%YVP
zz*gg(9S2q%u}#5FAwh<$tZ`@p(vD)P5OT1l1Xi6xo4jO-+~m3x9+$6-+ax0s2dV1t
zf7yI@ea>Iul5%*doW;~+_-KuJ*WfDV@Ykj|CMVQ*IMQlLFE?=WW0)|dR5`#Mln^R_
zorw~J9F7%Epj;_Aj%L}2d!++i@Te!D_`+|*PZDu0Q@f!a44Fq#2!CRVc;AZ!r!rmi
zk_EbC&`pYlaGmC-Dd6Nvyq=GUQ6&O|)dmzz?iyH_)K*Y*NFD|PO#_=;IjX~Y9d8^K
z7`&n_O|i7(fYl|h9GtPPzx_4$<tN~nmhNJ1nQVtz{cbDY^vcLKyN`4^N=QI%8^Rj&
zD8ZR$t|am}UO4Ob&VF$gl6elRYmBtpH3T;4zw*QQ1T5Aqi=r);he-hoVk)j$a6Gbi
ziI#zjf`DIF2b<K1@_!^{jVFnjqV8~+lX3>(D<i0}s7MO<!+VG<QLzBA+{Qx5>FY%|
z0YFRGH7e@BWDk*Z5(qZUq%h4al{85IYl1$_t!-n0Obx219|c@`Z4Xdji7Q4mJ55#C
zO_->YdJ!*?sBs6&(9RSTls7lMVVMk~g94=AD0~MF!Au;4yy?66vNg&T8ljK6!8je|
z_bH05V>(TtqHq}{EekP~nk_6k*P=&skjSJ()eB)wSi=Vf6(|xMF=?fL3TYNBrdFOQ
zz;}oP<#=y>vcMlWPoTBTm%nGJcsfB-dA;(<XVSj`B*i?tYZ|)(FLd?KyJ2Odj~+{b
zo<{6L0EGY#4IPdhPAGYBvINgIrAYGQRVM>eI~~19rbAG5PKX4RM`#}~qzcNTl*f{z
zf#%7y9$+?oPFh|nvjEdbgDH(vp!t&UuE~Qu6^ejc0_(u%=}u5U|HkCN!Bh_vWB6z%
zFj*HjS+2MDks=R+Rrz4yfC(@T?H$sfm?`GGuW3X7Dp_2a(wnTxWZ^MW^8!yTdubRw
zsKc_GT_11Y3gaA?d>uOA@Cc0<Y|1`AoL{Tj#6w&cR<?`gAMA#&@Cpk*i}wIv$25@k
zvpM9XqzBut5UW}E&(A2Rd)?K{7py+_I49gczn_XE^3D}l6(u4Ds^B*bM;Q=}{q<&C
zs17``0jU6JI{+9MkOvnc{fW9fdOor_GL$hN_AY5ey14Oi2L|sLJJ>FzOSEWxf{Ftp
zF+@eaLnxy%^06fGh}jIVFh1#1D!F8~71;6FSKO%Uxe<I0_&<n2@9R$RismED%LD92
zN}bRtR-`yrP<>+{lsf;@;Xu_u9~f}v2HyCNAbxS(8I~NT?X4w(N<E>GC2G6KS9`w3
zV20El!n)%yuJWg1iTcKvDRrE8u!ugeq%sO{tIF4BO*JQjRg5Q#<+D|k$<0VkW6H@U
zahLrza%%C~URQ*K^d!$!R2Ek-JhcI0SG3bG2SbE-!yFeVXg3h*a%fGGci~19LAEMK
zcsEt_4a4W3paUq&AJ2`H0DnL}fq$`(km3Q_7T|G}I{%t51BE-jC-n0hOcKtEtl+$%
zxEF!Tmy~IDG}r6FJiblD>0T;RPM{2D6qx`ZjLNrtaG7Hs?J4CrIUsBd`3r$$r8R`7
z{t9~qfK2%{7H}9A9u46i7@;2u&LxvQA?QEi9#&sCE&q1_m!suKA<805Y)I1R8GIS)
zqK0GuI3oH%*aQ}PUsWU#3sT(>UoBYPIlZC}%o~uO8cP9eDYl@9w0`&dK$t~C#Ccpa
zU`@aqcNdekVel$(({wOVnRZvJMLCmMC44aUWP&?T<<VV9tS-|SiF51G(($=$Kz72j
z_5>_rC5}M3eKQr0v)biHq@wzA6Ol5+i%elA!j4(CMj1pT31aQfl4(+jM*nNY<k;lM
z3>Kle9y!ASwW+}NVWN;6BKQeQlh2~|QQx}0ZXHN`Cr_Y5d8cdtY@WZ(H?I9aOH~P2
zR7eI?ZCTL;Xp1G7k|oyr?(1)enHZWQ>Y7CVB%$y|q^MccRJ;V+(V!d@M*#1byq_}y
z>_NHr3#<X2GENG$1=F$gECd*LzHfn04Kxb%NC8=GDIj93<bW`c0eQGr0gM~Wm}K2u
zgQQGCPh3z(+g}DJB8H*><q82|CFQ`}p-EY^!6}M;FE4FWv@vzyUzN)b2kIBkfT4Ke
zr#u`>VlbbLP2}Jm!UTeF${K)K#X!Ggy_enM;h!IpQd%eagntyR9w?NmL~UzXkItv_
zxAGd$q-3&c4X0>5A#XyM12kF}W&p=Fh_Fc%i7N`urBBi0EmfpAoJi!$0_KaONmu)R
z7I3V~S%RAYV#OnW-tfj$bvzleF`=3BCqXrUF>*^V_*2Ff_phkNy%3lK;}r09D2Ybp
z7j_gAGgyi2fyUMnhs%rXBmVBRbrhlOs}?0;I)I_6Tlu=MrYTFc;f3kg%NSuqu+Tsm
zG);3yo!&@ldPZN;KBTq@XagV6>p=SeWv*SsspT+W-&L#%-wRvIz~1#YZ{^meIW~AJ
zQ9t^hUe+K(0A-LTuNDo+FfJxgFb%@og&=yUDQHgLrU1xp8qP;LsG#mMkGf<nrPse`
z19L%!`-VIfFf0_)Pn|Ud*-sH=4pEH39aJ@+3(4sCB1O=4Q7Rs#_y;IRg1F{AhAcRO
zq#nZYpETl_A3J3FAaV04b9;BP`r5h}$fCS{j5%8Rg@*(Z2dorSgz9>Z*Vm$ly1Iiz
z6#@#X+gGCG2Z&>pvpJ)qrnn#~H0~lRuDVrj8azl<0AwxP5H=awt_1*O33TFqmU%^|
z(Nn?iT1Nd@sY<ajo8Gvh%wGNp<24pmhKmV$Xh3fq4As4eqZk8RN(lz+LbO>{gP_X1
zm_Vz>PhaanU3sb*9i3uV<<*(wpr|lB*r)I`=X>)!9y%g@#y!}8H34A-3L}0(6e5fv
zd@^_&`+j}1?HG?eeftUz{y|&4`Oiv!v-!G))|?~IQdrrw33fOh%pf?6x)4U^HrV4a
z8(E$<z$28sKn)@ZNF1n6mXE<1?d5f0M+x*_j;ND75Xv`~ZPTDZU)cKKn0q1=V&k&T
z(45X;y2v)6`Y1m91z4oV0IC4o5EJg{ruQXaXw+w9U*LsNK<pC;gn`t+B)<ulh_?jR
z<x4&}`S1_>zCPVfHf*7y>zD&@KsGlt0zd!`kW>WIKVrvi%x4mDGHnEn?$8;Pg-aO$
zSr8PsPE2w%dJQxZc?ba2*?)Em;?0YR$n?{MUHMAecW8mHq}|SHO=@#l!wCO7j5T1L
z8sStITfb_&Yi$z%Z_p_W#ZU(21dzTHt^Eb{c<+Bg(7h>eHpB$1b;|(9oj=z4L@?@F
zb=#xEC@KrZ63wGxLw&{yNLNrh5EZo)3<_+`D?#BwL%H3L;r#0gvO|ljJi%FIH4MKl
z#)f;D3M<(L6K337?lT4FbfV9AL~hcHOyLnVWfs-KBgT+fTL6e_Ah%z7+AH_05Dr4W
zvdi*ADIm0WBsr!E$Q{{YL2hz^Bgr7Pw{En;_>9bg$-BZZ5(`a=0_U;=*L#3b<S&@A
z2e2gq=Isue=!h0UY5ma^M1t0GfeGxj*Ls>=HiM%WD2PZAA}$&N%v(R5Q~4LBNWYw9
zh=6p#SUY7Q%HlH@j@tA%<zdVftgX!m{{#tUA1FD~uT`nAzS-ZK^tezofLg<He9;Y#
z47eSei#2G>9Riq(=lx7s&m6<FX*qGqT%0y4Mk@YAO2&j9A)WCLdoWgkVjbD&gN=V{
z8kc38z;ZObZUH$!xz+(g;S>PD_MYE2T`NLdg347G(R<1%?wjgWQuB{e7-YMGHlD!m
z6&=7qB0+^MOcW>90okog6(UAy1j)Sdn>bD$q>_B%hLw30MLS5T;^>X$L0}!x95iCq
zajG+mG$9i%h}TQUB#X;alZ;wJiW^fBm|YQFYIXJs6FSu1xWfa8NI5(}na7Z#lU%$(
zu9?@GPnQe_3}cdZwqQ789FPv%J=9B`8m(JL0nAi#N|uB}7{$A+m<|Fl$y!8Lq;~|3
zoMMu$Qgymki7<<DLc5)*?8Vevu)QI_`x^g3t6K`GGj}#9W!4aBk*;(qlH$M_et=qR
zED=2*G;5q_LDHNR1`1-B1U}eNFjFu2_=1K}(C2Xoh6;E_&TbBcv-^>4#N{<gFT_ux
zn;?fSP<q7)v`i9Cb;Ls01-omQ4UAxtvVd4L)bZdJ?8RmUfcB?&fLs2s$6o-lrC}P-
z45^(5qtQcjM>G0k9u9aQr@Z-0Ec_5s5d-T4d-E(_?u)S1#WY9`er50^UU2--L;fFj
zqzBX1bPh}ehzGNZ<=Ptp3C<8Jd<#7_IT!_`IU$`eQ>zHRwK={pQDPQB#V}I`^e0Wh
zn#Y0~e0+Z+w^ba$4A)e<{-sFbN*RR(H4)SrfsW&gH>N3qm{w-@1dt-ZOq<h!Ny+s>
zh$(@#oAOexsu6+SBdPUTkE$CJfixw(B&Ev?AA*<~*}WxVDkeo~59_Oguu}-3h1FZ`
zstv(RB08N^0Gwd16cjpJv=mcvc-1ok<s>b}iJI1ECK&RL1xG003}BEoW&nYt+JUqS
z1IN}8j^>04nhD}7tWHY7POzFD^?W19paicQ4};jcS5IM9Vw3z(rY9okw_8%oZ0hLL
z`X5iP8X9E^z8T;Ql8Fp;ZV;oWbyB!7I5`6;H)5!LP7JOwILU&a)o8&@#6{8v2z0}g
zf(ADKbKCI3)4B+n6c^-#@C97pOPMJJpe5Kq03}HxZrQr3y~R{1b|)g>v?hc6h*=C7
zxfl3v5!@S2Fe%P3MP0V5_kOgaWqK=dlX7NDp?hX}WNm?DTD^c7?r;MO&5s8yI7M-(
zz*s53vTGANg#~s2PBVmGXBZ-;SXApcM%KWzoY50~fo(a0IrasVgv88?0>HiXtL1@b
zhNq0cun8bLw}~tZZHb8<mIbuDb)|CzWY`u;Oc8%zT4*L0JD_I>Lv{j?@M%2*Nb)&|
zfl4C60KMd3zK=rjiyejw=obD0KqPcRpM~G3zBo#cYj(~B0B~>;nca|vTn7{)aRFf*
zc1Qi&2ehGxVi!1)MY5xefJh{ZmGxZaZTJz@_;M>NC@$rYW($sp(H4h<Uocg3dijYI
zI~l_G(i}olSMpRcJS5|S7op|G8@3UByCWDbN7P|nGMW|EP+a60UJ4)NUQSdM1%fC^
z@2#c*AT&mNmE^Ue4R1KZC-*AEc%}bGI<cV%f+}+aNK6X~9QhV2?!u`oSKE;QYH$_>
zw}g%lg>INGRC=>mE@QxEBbHp6Dpb%){l98Jk|D{vGKA-nM_GnoyOm5wCtMypqyR%g
z+mq?dT>nb#Lu(fRi(*S+!l;!S#}$x$x&#7~C}MIJ6;{g;vM?>!!m20%smL%b&bzj5
zJ}RY%!SX_<V5BWiCc>&AB;#<F5w?~YS88f13R@HL!&c*EIzXL?8Zjvr6*@~1tFA55
zxUf~J-L5S-mKd65`ftDIT<9(~zOF4$xY^=Z#t(xMYZkZR%!R&M>X!^i(!4W2MhYLL
z5nZ8Q@6S{8joCi|kPV4Tc>h;*@I*KO5DWz;Ak=oK!#02CbROP95A-1O5?JJ>qQuVj
zao<mCy<QO$W~C^(oqKazI@bFH`RjioJJ=FtaWyU!PZ&v%-NfQ{0R+*~O)%pKNQQ>?
zn#!j7jE93b#@Pgbd9^obLMi%4melN}2=G}VM+|G3bFwHYfZ)K$S_&0?5lOn!oFfI;
zcVxj>E2#o|hXe&Y`$?j1Ch#(h2FzN@nWYHN))thKB1^0-qa;Tdu(F(y5T#*m&GocN
zlFgaJ0a{2AzP7p~3_|M*2l2#js|zxt2&WbnQ7x&bYYPBzWoab!Abb{FL0DU8(8DWX
z2q+o>E-S%-<TcaRJ&P#+<f1XSSDHGg?8@Rvj!bRABNJu{Wyc02j2%qybrM~IS`^rY
zEdH$q87o-=1!qyWW)zwpmLlkQF*<VpZ%GME7${)b#jgHUx2VD@QG`ef3vEL%M71oa
z0JvtyCx}>EavJ=iFJwvV5PjIu;zn*J@DR)qHv+1ep$L+yi)bq(Ybk6$!S_0V2v#%R
zcnj1c0Qi+;nV^^l#H%Ht1V-YhwL+zOXRp*vz^b5Rx5K!e7%DBY_+va&T1{CXWEI}<
zb@AN~R`!H(m1Madm<On<B|fQKBA!5cin341Vv&p#Dd39RlVCwYA_K^_EULjaftvJM
z|8Ca|X6)3R4A=h?I%vv1CaDPv;U}!=3Sgkkln4>^d%sVZSJ3z=1VSFJJpyLPbu|KL
zz#k{zPVAcXI@Y0rf(>lLq8JJVsHB%5x^1_x!KkO|8qeftkYTmT6Z0&BZqRMQq8reS
zumc`QZN8zIkB>{G#f#iA59HqZbFH1w)YmP5a7PUw$Q%N|i^;4QC@sW=ni(A?Oxzz1
zP^6&aU!I@aYO7PSV&tL?@u0=nWHYe0^>1-qv}Dsi69S-^D6nz-!A8wl15uffQrF8y
z$nhe3155BHB6ty627zcJ#v(59R&&Dw26qJJb2&F`nNYl~Ha2xHh~Vvq70wg_a{C5x
zI5cBiNL3QHGQrIS7hk5=<8}cR)&aPgl%<1l{Q2v+nPzI=jzKpc?<Sr=Hy`KlA{W}?
zKWjQM;IHQ3$Z2^*Cq1_x;S^hlGglA|5gU(3aS*Z_kFKHqxc&w&Fq1#@$w){fs3suV
zbT@?dM%Ny0WQNsNkV$_|l2&#cr0K@(bDS7r&KNN&JtR1s-oi%-c}Vgu_QU4GeZ{Bo
zsK=ZKdgJ;#8adt2fHyIS9T(11V9jZT;x1EW$*I-2|2Mdpi1h#jaB--MBhL@(kKy@o
z|LN||6QV3&F?K>hhX)Ml4sFN!F(tW-V@);Oe?M@OZ!r>6*uS|q5oY7%Y#a#WZa?(t
zzgR5D{+i=BM>vq+9KJEx%&nYuHi$Ts*hLRCc8gIxs5sPUsGMt$=ry~*htvZsK{mc;
z-(w}`Hy@IX@p$xoF{--e0?dOs+5$k}?{ScknL=?mwo?w7{&q)s>vV>{5!LdM81^8s
zchr~VY2=2eK1LN=dCUlht^9@a6?1FMb=VhsGwX_nJEI?fPBRaV`bXQLtl&4=gL{rz
zS`f~SmIwh7upunS+y?wq^5V6!EpJ0&wcmHQ{{FUz&G=7YaH!~&EErG%@lT~Rq#Rz%
zYY%5i{a9d~L(;{l6B7_mTqUDgbUo(sSBDA^`Za%s(7AZx6{U{4YPs7cq#VryC-m1A
z0}2qy9144H9YXwXDHn|Xh5LDsY}P`s<py46Y*Q`|Wo%8&a1x3^)~^d_FbnK}!h4nl
zoKl1`FtbOb*te;lfkFq+D@~^Hc{Zg4fzv|}>CQ2$dU*!+!V~3cXFiUU!8IEXqJrQ8
z?pBruz=)19g50!lWZ6gCz7BU#d)9GhKR(};63k9gMIUS@i}E%bfzizeQ(nY``W!IJ
z89f4pV|zxRwl9lygxy=g1d=74zkDT~VF?I*6deExR>}!~yih?O!25CayHh{m&cK6|
z?0-YJ1mjj+9sb`)QOO5gSmtK670Bj+8H9svsS;h~PVyE0p(Uqc6cDEh#UHR9mjl{f
zoi0~BA74lAL^{kv=#dUxfF?64<PT;UoX)jva=MV*%x#c?{Rld2>{m~$%+PN|Z=`{+
z+J$w9SXxrT+DKX+brt*B#=C8oVLq3kN6~&$3*PUmeR;Bixl`HUDgG|BNEn$9eC(*~
z>v*`gJs|l{mf)w7OP=V@Ba7l6EI^QPK;VCWv=5^E0(_V&`667Wg^9(#Ps|-wvIL9m
zGSN>Z`ae|RR+RPdbpkh$T-QzIEbz6TE-MsL1E*+wy)@Af|03c*s({5FfH2f&7E(Hp
z5XhwYUawsAO*Qs-9Q1FAO;0AlAYt6I=Rs&5%DWGv3|8s_AOg*;lyg}&i<c1fco+dk
zW9-!ovJ(u&6r$FeiklwbjC(;s$qYXN0h6+M7IDj?-$!<3;#c5MwNnQ~yDvQ=o_O5D
zXf;U*{e~FIhmU~uP#3%hQwJ)bEaj0r1|N}R3b%?N1kpGcNGe7ayQO0oNzjRRGNM(g
z87UHyFf^*tTTN$Ml{+2X7*?$}w&^^KGenR~<w7%$A%rkt?)Jwcv3&O-g&T;y##YHG
z!IyRV_~<iB+)2kDl?EOHRr-R*p@tL4VZYP>6wAACn{=TMA%rr)2}ov(F}To)5>gQm
zFxXId1`uE%Z$Xc6{T;K%TfsbeU_nY)fAi{7wOUfO@1~ESy8^M=ijS8YS~QZd@;PIG
zK%A8W4_X)jX<?v^K&BS3f#njRG()>s?NDE91u+8*#Gy-S`OW)|uXA95-a^p4f$1ww
zGfxC{9GTa;*bX*LVF0s)r=sO<a&C)s^n2^*9n+Xac3!dvUWxMpYA8`-e2X<pKADFZ
z3h8n!Zy5OArY9kI??k3&WriE*9^x|*Pzq~M!p^7+fqYr2)|g2|d~zT~rKWngqykn+
zIFjEi{(>$7Q|WX*ksH_)gXPUK5HP|di&XkNh7rTc9lrxFzFJqPE(1XpH<SvFzq<k`
z7Da-fM9kAr8YTi$Lgxd;%d1r=ig7^lFwFLtPA9_(#;@o;?%9bM=(8yCVX1f|lYhAh
zPdKp7v%*42fxc&4qen-C*_o=C`V$U?!9mh5wuaL}x(RDZDPWi4hj0fk)Idd?wm9R0
z`lw5g^;-Rrs8Q@F`Z_}ie#nwYiDuuiR%#_i5Nww{Q*%M=zhp@+3P5;6xy`D9QtY$I
zld2@6sKenE`iUP@RiFnGxF`H~z|1jN?xQh;BR+K)eAF!f4}fKvs7S3SJ3~bh1Rz;7
z1&F|LK!;!xr$Z6dDs0dIAbF(Vp+ChM3W!{I{h81+&ygMM7+U~fM;~S)L8SmNp|ggR
zcow!&77nZvnRuBxUDN~KF55v^U&bGEjsYqQf`j<pxYlif8+KE<a0mp%(3a1KJh%i`
zk_67M0^;bO%q>bY4tjXQ3&L}yL*o}Bgq14Xpb9_&1}=q-9DyPu?aq8NuVvTngC79I
zwum$L6O$7_VnWD$Dv%4bn#?5vXRIA0&8z_jDe3Bx)y)ty4qDN#wu?WX=xD!}bjTST
z2ufX~3~$7!2gBLxDS=Ko(mw+;uHhHSzlfA%L*X4#AN}8Z=p+z?I{-^SG7ymN6!k$b
zk$*Kiz*b=<EZD_q)TN|-rA?#Q(s$+uDpP|I$6<*c@WPo@<8A~^CLT;R7PZ0Xh8b*!
z9~gp6YAizw@rWRZd`ji!fEZ>2$P`LEmme$Jlu?4)Y=!6;xNMgZp0~y&0{$5WTt+~^
zcmiSlB#p^kb}IH<QVT-V3TW`E7)}GGD}j7;Ct%1Dr~(35@Dr8Ik@&$FZUbOI(V%Eh
zf0h(uh&cm@Zm<l1hIF1cm{6kq7JEW~jEOh^Mjr!&1Z_7}wBCN2h}ita>lmgo1AL09
zP{6UyQxTg#7_+xj-6Fgioze}EdCNKSVkjDyhd`*|#Cl+Z2#YvJrb~oaN9&f}2K;&(
z!yt5HD6rNuqfcEs_HvBqvs41bv6OHlGgSpl#RM+M=}wE}jsP@)uQM5FzrZXX-??)E
zfD|r-Sb^!bB1O<R5)7fb#Skpm%4cALn3Fh!=VC_JsQmYdu7!*V>VbqAN1A!Eqz)>i
z`;sk>V!UJhKnR|~Qso)3@1qmrE~F(3<F)`rC66u=>V|!)n<(=f-5Zefg9sMWMSv*T
zGz5x`6d(|YPCZlyXz(co@pT+U@md6%8aNhIOvb{(z=u#GWC{x?3<L@u&j|E575B+x
z_CsygAw4h=t0#azhPsgoE(;*Ri+3N07(CQA*u$?-aWysdJ+4jgvF$A~)jNBF5}Bp2
ztiDd1_^%DSiLygek2D2%vxPzFv`-cIfZOfpc}Rxx-zWr^9lDEF7o|s+!EGx6vK|=V
zU^5c}ntg@ph;c7M2aD?tfXKFh<_*4g^mD)zBZWVT9v`!EsHb>X*`_2Bq@dlhW=P%#
zq%`!6jWmX|iUW{cmZXL{I*R28T``_vAkQzWV2%z4TjL=Yo)EDDhw_{NpN@sn6+z_H
zjPOc=^|A=why^?nlx@v)gF?r9c_9F%EyA-CptyIgFuwEfPhe&%3m@RwBLFA5%J0Jc
zD?6?-%d*03yZnfW@$6HTgS0fj6ou=tfsezKf&sHfK-U&YTPt=Jk94pEY#~}}4C-X2
z3p@?DD<+iQ6k_J)L33FlE{ln%D$9<`W|6xBYE}a&lun7USQ8NRh=Awxi6Et&2|%OR
zl~_r&FyJ@E^o#<P<xQEQf~a?MpGqqBxpbfV9ha<<L1gR^l8k5e;KH5Y>pqDOuq?Go
zh2Lewg$81q;<NdVt7#{5gb`9ao6u~Q&iJDNboo*2z7M9&NzmoQ^**)t-bA3sz!bWs
z2HtYp92Ep0R<#s$AE#YY@4A4)5{yH<!qY_<A-k~Cv$1u^y+1oAyXKnUR7*`Zb%>u-
zYQrfwbgI+jvbQia5C~zXQRq*uE1!m}Y+AM%L|n8d?5)+ulRg$9?}XQlH}xaJc5)7z
zUms#Yk_MxOLoC@82pzCHCDo=v!1^XD^1=?1jwGlsD;G_SCLq7@h!dp9km-gHjB#J!
z%X5*L@z|E`WJ0omb3r(fpkTA2g~$eZ@3X|!mbNmKkMd~^E8`WLlCq+I5ik{VRYZ1@
ze1!Cd*7!pBZkGK`eDUlM8zrKaYnhHYV42-!rZ99SxHa%2JvWu#zETx@5FIefFeJ;a
zCWxX*9K{3~8ND5J2Ea*a6RQ$V>Y3ItVsVc*E2hCHw3<?4WKF&(HG$oxIOS5jFcli>
zNspOItc-)Z4cUd<JSz((4!O#RZije504@#)(H*uD@3WFEO*SAO{@`h04nyY{NPpyE
zqy-pfAHd&RPJVGNoatvQ_747TUzeB&k9UJRhdBT=M{Jbt6MP)2+7;5R>@P@~Y7K6}
zreHW18B&l`z{-n2MuK(|R%RDW1BC=*jpyQlIr9nC*ooLLLJByJv@>;<MgR^Z#aa({
zssS44!fE4Tl_q<cfg_RoG~-89XS&%t3bNA{e}AqHlns`fdr%x+m(Ic{5eH!abA0S4
z3}QeT$kLwEOI{$&V?c8LDcwz;ff>=pqZ0mb=G7i>;4ugsuL_7ioH@?NoHzzixphDi
z`7%=$ph3V07)3aO@+d`QLBL#M(J2g0xlC~FLoRB-6Rb8rIzT9K!-WEkro?$0Ga7aA
ztLI1;N^E{~gJ9~z)upo%XlN;|vJuka+^@?tGPVw?`(DUd!#^&pfiWim2T22fsPMyw
zl{%n<rSh1vtw&O3H$1;nHWT$6gmnnAp_&c!nE)d-Qf1_FOfA9dEYykZGWWT84s{E%
z+|5O8;yK3oQ^u_<%G;?3>P=)LsbE{HKRSlO4&|*!Tz^8abEpFDSjfosQBeHq0Z^mS
zKZ$N!McJA)^|cb~JSpT3s=c`OPO!_o8iMHDa$}}Wu=j&mzdE@D^0GM!*82J|P;~Yq
z>B*cr@3mbfjkFhITN??+4xwDiB26O`p<Rl+LU#*|y)8E2yz$p##S27>jmo<j*a;d7
z9kRO?PXwYjf>Py(C3YyAr4wk(MsTpHazYjcg{DMZilxk?^nV-Uv2il&R{vpfJ}oo~
z>|IhCWM^Hgc@Z2IDKzfbe2B;xGDj~#TMG#VPM=)L0!<>bpk0cr0(6QEyDc`*r14i{
z#S27=4amD0*a;X3ovynUKLnyTLQ>_3C3YxdVGT*2$0%fuSuPd<MCL?Uijqhqv`Iw_
z5zA078v@cq=!DQDXh)P|&k$?}w96h}8<sxwQ9K>-`z^c;J$egOuAtMx#)gD}4_fM;
z$vr55dnAyl2CB#!GZ*&u-Lo!sY#0AK{A!Vha`nWmJQtkX%QjNZOv1DbQQ6t{YkXEP
zaByePaN0K<riUc9GmohiR>e@c$cWW%R6C&H(Ew~=4Nst`Wx@~!%4jL6Gxq)84p0hi
z5}q@c!K#C3dwycoR~9DWzr0&zGgJ$uCCO$16I??x(Ius2jyJ-bx2(kPX5U6F1I#Ow
z^?l+YenP)z4oLP?>e|T!zMb}UNWInG@8f$1Pvw=~=>WPdB-^Q7^wled8h9#F-CW;Y
z6#XzJ!+iK4gOXB^ot@7e&=FKlAHQmoxT_?5zwH7<i!_~GvH|J%*_q&T$cGKugmmzO
z7d@4GfZelc!&=C~UFiX&GiAS1;HEm@mRAauY_c=eJ8TeGJ3QO*xpBa!yebP7Pca!Z
z)53|JEL_4OhowrBmTNnJ@SsLs5?V|Is>TWp`f^t@*7m-VvZu0;nGKE@b`w4s4j%Ng
z@=evubo*jy@6c3wVKzRIVvzQ5s!<D51K;i}*_#L>wvh*x5_p_2G~hS2#p$?_t|6Fk
zx~Kb_tVX8x3Kj#lZPG&O0vWdnsNg@Nd<_XJF!2Y;Ucpt5u`sRy)~}8ChdH5kXq42?
zY+bpP{=np0PgEoo3SfSCnF)Q@Lv>_6avz;arLM97u7Tzxk@`0VOku`CK*cwBa`0NL
zfJWJPye?XsA7*k`NjcHoDF8MIA}nXP>GN^+8KaWw^`_vRNt3GjNIA33@p5L0m@wd*
zkn-39vrwg8A5<^J(Y+zNg03SCD`%*06ZI4q&E)tGn)_I-%pF>=p`NAe-b2Gly;1LR
z3Hs*H2QUznA~%TcxQ-++5(0>dM7^J?sPAg4%71%AJP-kAnw;NPTU1SwfkGp~UdyLC
z2G*f=@Ki5Nq$;RZ4bn;o-*q#Bi$NAf63X&w1l<b)ZnEjJ%r>U@r0OGJ(0S9#nM6qd
zK6Hz*Q;1IB;k70v+YX)@>~-U3(9yY<V>uBb;M29&V#U~$H0;SP8|zt$1gyfV?!%}P
za?u#u%o{QS%v8!`T{dyX)ZYx6p>a1&nA$|z44c)=KdmGUmKFYk2JbdTV!+6OL6M$}
z$w86okF23!5rz5Wal$8*`@IssE9Cq?iw>6>48t{P41t;`#%i&9$~iFSkTt9X4Z`@-
z$OilzGzCYG?ng;AJ|RS*6hx6D;Ac*BLpW4E`mIv*#1qoS1C1%_o?z`sSYtGnE?>oc
zv<+T5B+!m4$J--l!b71-Vd5bEl>(G<OPs6GIjJZrgPmPUafz@|Qiz96nT3k$14Fir
zGmro*^tW1-#0EHhcu1q7Xeg4DMTc}oBmG!(<xH+P`VqA4TA(~1Af>Poo2-VKE%L7c
zb&3}>AoL0#By!0e5eMpvaP8bM;x!_uQ;7*4vI{0iB5Bs{g95CPO_B(LI$}>f)rgmp
zGUQ{*NtI(*+QU$futHhYgU;<WRLX$|Qu1ib>dvdCKrHgvfE^4R%(u5_a5ozwkf6d(
zL_mhbOw;Ac2bCv42(+WAlNghnf{|}BgahSOHT*=bA+QaeL{_7!sB~6eIaDEvXWq+y
zEb#enMSfFxX@Pzj+{}p-kLY)@gr0!lTGiU%b^wv;oC0hv+{6Wd<}z||1k??KkxV2x
z(C|1Mp%{<v5<Ckq+y=eLJhIm&o7SJ4D!73>OEVCDew>?K#<5g~^QXG=Q)dU5nK0wh
zA9HzJ3G8<rthnkqpq`|164;uV{#|942}VJR6B{)P{<9F|cqD_GV1^+cEDR9awF^%r
zAlk!Py1CWG!jnTbqidiu7|3O(M<Ofu3k+{JB~2qBG?Sv1ecW%r!3T{bAwyvi8-SH3
z3X%>fn=1<YBn&N$^xq44(BmJpT4BzXj1^uTBxV;eQ>9EwTmd+y6~QMSAHt!hbE!?q
zQ$VtbgwiFP3;}zIVbhNzq+&)T4p1zA0xh!{izVg<sjJ&Ph8$|8=AXn2J%o$bRJ<&L
ztnid)0+Uz6*I?XcqyyRt@a;b&A;q)|m2^%8yKcJqd_z#@AXI{0dI}oq8N5NEj)8gV
zcy?|t$><3+O~JJ)V_{uHo@M3rl2K95TQteR$5}<|rm!u^^9_;otwc`lO(gcmGUP&S
z7gIR$um^iF%`X7e6QLC|Sgf>5b-0K?D8wobYz6?9E~WzQXa*eFxJ5Rb-nLez(kcRE
zz>`W>lq?FcoTuL@oNbk3GzCBX=~J1@&q({<P6Vu<gu{8-aUmoLE*<jl4G4np0I3!k
zu)HZBYcKkgWX<7R`;r0nDr9@BW+`-url2Rg>mCUHn)O}`3dSr6wFi4{ev%gt>_V;I
zALoK0Sa4@1Ppy}BPs^o6n|y#nDLP=j!CL|(Qe^~5b)f)xP)Ol!@sQkNt!_o1-KghV
zC2O37vd7#dm4wTW)_Wm=3`~-%Wsy$j0(11}Dh}i`>PQG4J8%<(2omra6cMfN)ShX7
z9rbA|cFP&q?<QUHZnlpTDfg~Ij~%SBhO>OO50!Tn&d#ig*$ArFG?ANtSEn@F)~TPb
zu1U2fvD=f2(a#ovxO;zdgVw$i2c3zXv*XSvxrKtwvJ^FH!Q($7CgGXkv!w!cY)i)k
zE{ZL<g@-2hVI2ktrr;>ph~S6zr3CbP!O)=KDF$%WlPr45Hq>Y$`2K|r?BI6T$Q-`o
za0Az9vJtdlC{-O}s}idU+t@{d(5qCr{e_oNubEU7Q&JhCb%HK?Xa$pdq3FtxG$J(q
zm|1N5L6U!lR_L3<@wmh(qZNq^u+DWt*s_iUspnH%h=#!D(A8%cP?E3~YZz2CIzT{t
z0rd<3B-XvInsQbF?)ee2%Y8c97r?rr`9f)eqj+YZt`oMY$c~1Y(K@FoP}`57f+E)w
z{vak8<`pwq+89R(QA0933NU)(iLFDkNn9n@Q7sXw2p?Y%c!K90`=dQc$<aIj#fR|q
zLrr*fh6)Xe7l|mRJQ|IH<SDzuLoC$m>uS=z^6B7+HQeQ%BKxVGmyanNJPIT$f_`hS
z5PhKtWg>*%b{VS-&UIcM>I#<$foZ-KLLG&=3pn);D&b^BxKAL|RdKVd)fX)my(m+D
z(8F~a0;~b&gg_|s3}tbFbibC4q7LkEyBQbMTehd32eB0sPSwbdjjRes*~Oip2I|Bx
zcAP;bb^u`AQN9MnSvY7YAVpy)EWx^=_Pz?V7iEF-oi*;x3oLDk8U7w?gX~aG;2i_B
zMRO**R4xl3U<HeYp{|HzzAfw)et71B4twxEBLz@pJ3zD-mc&QoWt*5jvL1k&h04LI
z?*%SGcY_JHpzVF<5w)DA*@yrPrD4L4ceH1AYd<xeflEUeOl-M5&6*<-0ImoLdCyEj
zYkM+K3x$hkAtz$UP{yLDn5m))xV9E(fH$JXkOY8UmWB*GR8YnDnVNs02(z)S<be&&
zeGy!7yzBQ1>EVxlgXOlsU!gDzinynM94{A{xZ+I!2`IGGBpU*eqAKJu8c*ABfpN%q
z0}7slM5g1pY6<mBP9YHs5o@Y&zW&onR2VdJ6Hv)kJRK-$wCRnTSUX3;8Yn<+%m{GW
z4FLopk~@PqxGG7T3bYWy3Ni|`)6}w|ZzB@uLv0ZinDeP49RUN-t3U!>mA>lY5tuOp
zxag%%%K%RodyF9L?FE&sM#fioSYN4W_?qA9l9_4zl*T#bnG(Hyx2Inbr@Os{xhl*)
zQQ2F%tc#G^;}C^Zm3JK)H)!xy6^q#9DYs*ur=we=Hyc`ELAgNtr*yy~?-ROCn1eYP
zcn}i&h&rk0+T0&@W(8SiipQoi{I9bsp0by_vIDrd_e1G%?^T2Kcl#VtdGnNitkF~7
zb~)doG?hz^W@0IlHezx~fPo@cZFRet##?{}3qxQqD-x~q=j)1H?b?#`MuPVOC4c1L
z_np)<iOnqJo5w?&KHg`Gx;;k^3;1m<1;W%~)U3}UNE##xfeuv%U$u5CS|G-`EQYWa
zgnACn>_cbgXe`onfS5o)0}w+F4OJ00QRJIP*D=_&RBhwJ{Rge~TMVqv*gE<QIUk^1
zKsMXC1Q#;~#;|#Lc_Q4TqNw2HDZ$dnKibxv!Z#Bzh~|G^jO`};;o*v;J02k&R1nQ$
z><iR}2ndj%G8ih2)V9gn%G$ih4fvf;S>bTR-a1!7QQkTCMZ9iX4y6R{t=6q_<G8|3
z(HK(<PGI!?7;qiX9j@UUgoDe%==gnzzj#LFTs%2l7{oj$s(MBg!-DiHBkJox(ugwo
z;N=ZkvOl;RV0n&GvvMCPhXCLh9vkjSZtseP9@byX>%!fB{~#id!`@~j^qM`G5ctjf
z+Uvy<0xjz{ABS;?*$*CnNf*YoJgTL8S<My;F=~V=l~Hq&iJF1JI7bID7g7kp0`n#W
z8S3L(6GLgRUKy+^ffK$X!lPwAu~_u!IOPnG3_Or8QbzE<2p`$h=%=OaV#RAG1_Pv~
z=c|}VJFoy>1|0!I%|sya#}Nom2cDTu#IaHCIowcnB)m@|L;920rGQ4XQ_#8FlzVi1
z{VjwtECfjfU3mw)iyY9N(#nyGEGU*Uy`syJLJ!>cYe?<R4zfUT-1f9l;&q)>MQWm>
zYVegFhM~m+t95%=_=UF;qQ%I)1jM#UPYO)>BI3PiKG|R`X7H@S<>RqY*b*#qlJZtX
zfg(-p2$$wa85M_0QBu!i!E0SWUh@%vPFu8_)dz@O1uWeu92H(w;twKO@FgoX?FRM(
z4h32*aFLCzv!G3~AZ50te5TA%&M0|^ff&aT2?YHa{~GpdAUvnCRkO}mhHjQpt+7uT
z@d}OG0MqOSd=>h^d55@WEvBQ&WvlHpA+*86oI+?q7_t`-HdBccF7pu`tUJ8r;!%!@
z=VvY#Wuu1Ft2)z!WDuQIh;Jdn-@=4KQ~l?w-ggQM2f!#L4a$cRy16YN<i3^CGh&GM
z(`2i>$H>IAbr4YQU((cTJ#7eg!fVraRX{Rue^6&L28rRfG1OzM;Kan?tX=}X4~_zJ
zV@oXW(3DuorrBtD$y`z^VxcLBJEWkSs*y_((IkCb(kQe^QncEKfb~?fr9)inFJNC4
z1rNDG2B0)%!^-d!>%>l|Q>`{U6e05^uBmTa?j6$@I}GHmSzi*NL32Z{B$4~rS3z;5
zBQ*9`$Ul3VyQOP^e${ze1WWjH*W2hC*N2seIJN5Hh&po`bX7Yo0=i5Fy6I16W40$q
zI0N`^#6Glr^Q*&3`{`<QF%mDn3eVu=<G~0&Bg8B2@&YZlK>w_P+s80&1<kPM*d=V+
z*M*^51GWM&vsjP3EzHBi22A=K`~(Ah9E*H0^O8GaxUDO%im-U}^hEd~5655fsv(-L
zW9XH24OVwR^-4uZNfbiCok(U%ePnE(!q{NJKvjfPfcBjn&<7zR;o-yG+R~*h?sH72
z(kdE7c|`J*Mj3?TrTA|gu^}j#*YB|hhU{U)dMAuW(nwRY)5^JHFmi#0@hS9vv?<z5
zCbH4q!v+Z>gcTG!E$80D-Qt|&?JZ$4N8*Dz;8dVc$cnBzgDJs|h*jNNB<Pz+o${g!
z5V6ilHhKbMn$qK`7EpDPllaiIeTaBkV{v$>^zHUX&cbTx3`FD2T59qn+5$OHkc=*s
zHEbC|xM6IC`=@7qy(zZRm{18Cf{vk`hiG&}$n+WW;XTFfb*x^iul3$|L&&F7NsPXG
zdkFeO$K4aFs)+^<uZ%*eQJ_U?ZttQ;TgojMwh6?)h5*lBL`EjD`yYl*9v>WlC^kR2
z$>cw|CyD_W#_-cOVy8&uuMTl%KJ=7(e8s*BXqj+weFOMGS}!O{Tx+T$XMZ158ntR8
z{xE^pY|lysXG4Mljq2-Ys8)pyv@K`ASPpgHg*jF#u)ssq_}0F!#6w&uHi!8n5?qoa
z9I`wL-$33*OBNh#ouF!@z&J=5>}$y#E63PickyD4HKXi=QC#7DB6}4uS$eyEIS*CP
z{VgPGXC#|Ho39&mCbqMR1Y{$@C!P9cwFBg>7ZP&#|53Z4Iv95~E1|gE%hJBpuQj(A
z(0Y9)(s)_1{NsS)W-xWb`Vh?nM|PNP5=)fFZzJ&T+)v36nPz}B-Tw^S`uILL*#_1i
z-W4rT9<{bQe8vI%wF+QtNqDU;M=?b59e{WpY6#fpVV`$vBeOpaZKPEb(zWMc2<W>G
zl36I%4%H4a8)Q###`ql2q$0P-L5S`c6(LXtk`lM>mTjnD#0iv8+yh^(;mQfaTDQGo
zvX~}zwY5sQc78ghC}%{*YtqG4VzF(5P2na2T`KqWL+W~?6fQna3u=|pGsT9N&+3>B
z+gldzyrY<TZM%uU9@lDK0aMP}j}aatlK?o%3ML*$t#7t()Ao$ADXxClXw3)nSjXz_
z)(Z2YEU@l_yFi3QnOOmUM>xvp*vhO;3^*paOWQf!7#Iu%fj~GYSOHc_B5;F31egT?
z+}vU&(`PHGRlIK_WT&kL2N`5*1XCsBZdhky)4^r*4IaZWTV8g?oOuoL`QBidki(d*
zUWA!1&oIu^$%xjx<w=V0lv%g-zYPt5jRcg5g`0qJOQ1F{PDQUb8vAje1hen}(vo>`
z>Xk-ezz$V%m5eoQVJHj$1E|$XUQSwN;-ZaX6PRQ8G0(*uP}VBlXs1<01Vw?O=OkgR
zd<>(B$h>8mP=vf@eQpUPBby@9np^uPB*VrS5sG&!LBEZRqil8eax>3w3NjJkpQHHA
z#+1OgoW+K^;OrEg%`-BupXGtffDXb6;kwgX>z8L&$+%noYG?@g)Txp(?b0NQLgyd_
zDJD}BO0JO&pW}!%<^bb>+2UTIWE~zcnvx>2^d4uIyb$ik27QO$tpk)XQwVzsxhvKm
zaM!!bXfhcO1N~}E7y%^peq(@vA$gKY$SUG8xQ5DnNxYa~V>raNfn{sCf|wG7wD=q=
z1&rhL9a`{=*&yqUQh4aFY>h-uNi4MCjtv-f1o)||_bG(?AQr#*^5j@Ybw4&m6M-w-
zumR{`VaRJ8G6BIDb{H6P*WoQJb~tJ7DLvc<-d<5VNpzaEIpPSCe=u++M_`Xg5R>!4
zirxCfVRp<gavj66utjq!k~xKDEJzS=gYva`b=MLlYhhC_I%3Nb4AZP~VwfBp1`1}F
zG)2H#0@4mb;=coxc1dACDXcg{Xo3U^C*$T|ZJ_+46421tsMpf$a16i*49tsFZH2y8
z$ZEc{iXRZPumF-RU?s0%`WZb<sL#LEF00`{^fBN8Oi%m=WjD*lljW&wKzBoab0W=t
z*0c-31LVwM@b|$oVWN4VUyXz^z`+c#I0{0TIxang^t@iUa-?C)e=7b=BtE<nA5Iny
z@6$n=AXqyo77p!_sXl?!l^)8A(5Z15`r@V4P~^cv;&z1-sXND9>aL7m`N*>9iE%mo
zf+ep|<G~XDF*($k6RAFPqZG$@dhWBYH+dgJov^pM4Fm{ho;8AL^f{P7yJrEpZbUWO
z1XuiV{>4VXN)InjH~<JmmIlU5=2XPc;ZebhU@i_eAdsLv1Awu>HzEa~j{x$wq25;w
zM(xdFnM0d{%dy%Xt|ZyGk~{&?f&VVJ$fo!Y&?oTJ0TUKthStg_mcyOMxgF#jq{W07
zH=%5i=;_6>6)<YkJbPB{+7#bZU+UmeSb}+hro*ra@JgM|L?V$NAhF7Gu_2%~FuzAL
z3?8Ha^+sfLB($tJ9Fs7xhb2=W^uI_5*AsCc9*>VB3ujS;R2j0dY7Z`9JKqxr?oBxv
zkzrKVy@<!`;G+?P0080l6{pk*xf$J{4kliD=iaQ$^n<+u>tl;CQ;q98E!)e%>ca$i
ztk`6gh>IMqwG9io?4e*G{)S>=$Q5xoz^y4IN9aRXw$*4vq$NCh_rAMb+%iER%2t!L
z4FmQ256<c&KoY9_hyx|wtrC77jHKcV<)Whao~ZaO^ofacY#mI45pDVrDT~Ne5s-ky
zE1b{GWV;@qk8HPS__e4g7#ln0-7b=tWC4;zhK4OrWtr@lxgF@oUTaRPv&x$8tf@#~
zd@GftQW-<>h!{S#R;WNtfwkT0Jtm5&ZiWJvJ5q5d<Koc!V_pxgb|)*0N&>uX7y`xk
zaV(*5h|Gc|l>lQvoWGz~O1BiXMOsbMx<c@DLE*fVTv|k@A)HUx+5(iEH;T+5B}oCr
zJmHyFF$d3XE*EetSC%Pb6i1P_AWCtJOlSiR%TE_?E}lD0;du_#VWbz%<WlCl-q3N9
zMeluzUeh*zhP(SI9_ej{tR<qOJ{nKRt!ryc&hE3-G9wE)q?Qx`M~~BQ@r%;JrOjfb
z70sh?OZGA`Ztmva+UG!2_%FaIal?$u+MT~&tlM^9Z`fy$*=?bdtJFn=D$`SV;~#p;
z>ojZ+9|&@~;$u)B*T*z(#3-yM$k6$%TzFjU?&{)ORyH25$MLz|2#aW*R1kkK$F%j<
zG*6-IE?BYZMd2&2U&QQu7-$1|zN6^wM;}l@Ln_c3-Ea|~l&jkY9LgYPd57YDc0m^C
zRr6s9o%cUM?5s<~Vik~wXiHUFZ6%8(j=l1#D(PmnY7TU-?E~VqN6O3}P^gO%X9y%X
zD7R}m)YL{YlL{p`+p&-c2(hwv1F<TIHrn}rQ#oD~<bDt9w}xZYty{&rU)n}9G?8fN
zbXrkX8B)CDwOugz0_<D`X=*6oiy$yqpMV{!Rsw5}io{59T+SgO7Q`oYV#`Y7$Q}Cr
zDQW620-VrYs79}_mYCTwueoOaITz({LG4`p6KCQTe6d2s{!W&L#4SMt0CN3?jcCq~
zTkcRqe7oCFq2%L?^y{kQY^Mq+S~+&49;14##Bj|A+d#pL@8lp&F0=Iw&rtbSQBDp2
zJ=)pAp&rurt97A?9@VYe)n0bZ36!M{w-{Bl`VZN~ktbT2&Htqkg3k~|Qda_aQGiBZ
z>!>r|tkqWM=pPV(Zt!#DN3{(S5wTBL>tjM?M*zjRjg^6C^l1s$;#9Dwm7t7DKNYW=
z<w$t7S$HMkrUnJfz{V0Ux9f9>py6`B(3mir;QYT=OO2Z9|B|CUM{U9}GnweSP;S{2
zp}ua9@gq@?;d=RRZy04Ob!B2I*OY(~qC`qBDXV#<r18;;A(&^Z^<O@VENmgH)36%?
zfO^S#lQ~jg&d3qUlWSa1W-$jDFR-{cFd&dioRks4g`gK&WalpBYtWnixXn>4>oNHG
z-tM*q;^%gHm=>><$k96j$|eG@RhAOM*PDL<cY6KC<GtMKA+ngJmNWpUgn!xO2jmeY
zR=X<%mDoau8^Skb%K-oC^@|E|0g@r&3Q$N;&9B!^$Z(i7Vf7UtCf<X@6tGoU*R0PD
zTy~=}C_{*-{}Ur`vDDezI|S8WOrT5&*(%Hk_PMZ``%o$e8+oBIj2(S~H0Yq2U+`2J
z*(L+W<#S;(1^KL{)mUl-3sqv$->-G*tGmtsZb6~A0#&}j<xnugDhItbWAqDI?#Dq8
z8c&`$JPodZJQUlCLRetDV7Brh-<a?jea=IrL9KY=m`%FPwSeJ*se%*!`pCt4U*R(1
zph^vi`i??!Doi5ozakZZZnRrZupZz{r}#mm1VL-KPUCoTE^EB-w1KjFDyC-it1Aud
z5CIO-s!EPF5#IhBL(@S{8F7J<3LuE<2;FXyoXR72ZoWyRra(1-h&K1lS`Wzi0Bo(h
z$omey5sWtO9A?CK%|oB~;}xyIRiqOd&5kAvYN22qLSIi;3MvFgQL}51){flC+6qQN
zRKCp>pZg@DKKwe2<fhNZ6}>^wcIa6bzN2{Cja0$l0c8())gI2qby*<tq}#aRkCG2O
zx;r@OCi0IFDacSBYl2B^mseziYCZIn;lLi&6d<>Bfmx5i#(5zI7=)47TZWLs5S%2T
z6o3RF{J_NKz&KU3qbx?O#}g&J2+)hdwtKCu0u%9AJRvm=JzyqR>#dMUw2L<$w&93P
z{njdt4EX)aTI*()MIlziTY$KcNE2#6AUU-*U3reMQ=vKMN7g!ZZi4}AZ6Xg11j*fr
zlXH-NI#y=k?}ptD8x#@L7Tm>QZm;WZ->k$QB!T32|C$E)yvnHu?T>YgR7?f53WK`F
zZY0bACz0(S&atXvz{O`FsapeGV<g9PY+xi}2G}PUk%DEGD*whhbCdxf4k(;;9SUD0
zQH%}sY4I%J6%gLL0dn@+aphd}j!?}4K>W9#?TW3|3oBVL3+yfYEEDNKuq`li`YGJB
z)Y1Z$N-Jy9-x*(JqZ`M)?`YF2$ClmYOzx{K$E=+h6ytv$D0B{$#i{plivO4{A4Ct&
zx-uQg!LrG=Z2KGm*rm4iI-_b!OmA<3S(e1;W~($bMUzq!qB4CZHIGT#??KXi`md5P
z#jnUVB)p$OC1RE13sqYdH;De-04=)uyK4<LP^eaimL(1yuOPu5DG)fG?*3I1EE@Lt
zk5FlTCt_{~E&$}LJ|PDSu>wPI6QZ0rHH3PFq87(YSX^~Tm6(PI@CMIEVYkL#%|cc9
zrnia7-<s_Xs*l6t$qP(RMUUUHd0trj-bVwfKTJQDKrMwd#wUwi7%Mb>KE6^w9Wsa0
z6^mh#zw-(sI;Uh1k}J8w<hZ)!aq!(hInc-k%5Q1r+x}St&s<jrX-9Gnn0#A_dLA(G
z16{}wS{uY-TQU&9<IN)?yX{_Kmp3eE`?WtOa?ORMjJdl@NB-8tJ9$Z+%{}+-$InUy
z8>~GjJ7XlM34&am?z<KBpd=PbZ9+jdiBFA<@j`wvD2?BWZ)6;Z>@K`qC4)B{0A*bt
z5U%s&pjlpB2?s4HzBna<8UPSsD7?`Rr6fMlebN7SOb~~|eK8gV=tRps4@}O;T{EmF
zJQB7ZvnF0c6WEB+U}|*QL4$1_Y=445Kggd8^4k2GcjV0+il;FaP?Mmd-riA2C#z(!
zs3DU*2J@B50Vt08F%6p-hbG^Ior2{F7WaQ#T(8i&#|zfq+_tt-3bV{#Jq`dQDnr8^
z<!?R_@o<r19q-C{IY@vJ#|3~1RdO<06Pvud11PtLK8Pudi+xLsF}FPm4vvJ+L(mGA
z8V-Pr{kdfyC9w1}v(M|coIW0gT<)_9{06Cw&lidxpES(Is<RA6^0<mf_ClbArI}>u
zpahJm?BpiS3Dkw&SsqRCWGT?WSF{KM+QBwI4&dwowto(`daDv@u!W0k*s5~&Q3G2)
zha#X8FaV{p@;%5%ipLQJC<jLaHZ5Ed!T}-Ho`n}Y3rI+lWkrwPF7enCq}gd6P4Oow
zgPzHuK}H)(tQ67E!aHA_<)2V?Hp;<4VrYy|G)xCH!t4ukvR;w71F~cmb8-cRU>wL2
zUY%Tw$r(CXbva|Om(MuC!bc{i6I|{wLRf~fv|@dvG9QrSZ4zfD9_)u99@`E9MN=?T
znw?^wEy8oh@)N*a`MFzB!P_ez8VDIwSx+H3X&6!sPZ+!*G@Fjbn25#&@{MV~N9;8V
zS2IHGg-KbLwnftfWy+XlSYYqmYY5`S+RuV#qPFqXY9Cz+78wwd2$F9<A49UxgNxkL
z%nWxl%{GQeplOqv*UQ_UGe(63DXHcfOZ3-pBza2zDlb_P62o`LbF`RlZiS+bw?ZZp
znQ*3rvQLK$e+U_E01pPP>a#w74ABS~YgsU@FOIf$Ysn2R3o_UTp_c*76+wLk<aE;=
zqgnuLBokUekaMi3h74`QWckjL*b3TqwuV;B6D3YlR{GY!irO$IQu}~XIQDJH+@R!n
zV<<a2D|gS}|M~NYF9Azr%E*ZBWeE`(wL7E8jzRf8+_C>UrohR4l2^{H9nXU|fW0Bb
z9M0T)_`K4*Mi1&+XJAw$b`8FnX@>#gNEF+j%)vnWJA-!3J>mqFBtWqf9__GT-J1(f
zUBJ%aJnXjcpPl<XdLz(ll{d-;A)XNcQ5-$I;5+$N8gjD==%jj}t@8|L;?32Rf;YW=
z!cy#<YYrT_jxwwacP-9Mx+Ta~CCF;6k<AY(d`uRtn5$?oT+*v<HEq{RU+HOcKmbdI
zA4@G#!&K%#Xh~E0c^X+_mM(=M<u12@0I*yv;;Rj#=qs0nGKF8J-I*+hl|PXn&8?(w
zPJXHpwyGYA>y^Tj--Z_Xy{iWxD|1*7>6snj3Ro8=(n!~fqIZ#m?Mg00G(eyfW;p=-
zxVKs}D58shM>tY8l5=5fnNZ%9!L{fMhYt~62=jv%h8eEZ%5KxaWr6|!oSx7-0H^px
z|LXtPij#0}Z`face^*$`<w{5n9`Se|o@qXOs5sIrfi{zatb+w%i3QK)fyfkc(S6-D
zM&wZZt?Xq+nFb+Cg-1W2h$0|A48{_x4yd67JE8eUth{0cvYcZy1$_>eQV0+Nf`e>k
zE=d;nhNfx8rbfo(<kWV((ccE!r0IZJ*Z_{qgrU<RZUH|rCCS>h@4w>I7BrWY0p;u(
zMH=bm2wqpw@q9MNw}h_dS)|wr0_RzCM8l$xiB>AI9PPpDgmMC?V2k0vDe51*E695L
zE`s*isWcvhB(9zfP8y;6B|+grgx-n@6A^*wJCHYyO!$jmuxV#{T$z8{s?6v>T_IB#
z#+0skdR(m@oG^%KCI-RuA(6JMEkaDZn=W~h{BAu89(j;TCS1$$yTAp04^u%@KJnq2
z4IymE@JPJemT*FM7#F3V2?}}#sW9Mumf9>*&vbf3{!2*6j~Hk(GdS%dhbGZ?C=%g?
zOQ4~wjHrSwIDIybg@xtp>!bkGSZqGDJg(O_HAmz>tD!jk2b3O_mH;}qc<h1c1c(c?
zzHwkis=}!KtNRPq2c$$W2V~$p%k3BW(vs$i1ckXKPUcF#YAolTT#5W?hLk5%<4}Ua
z{4B8xSyKcRPoRu8R%bnH$9F%cl#VI_5+w@J!fnwTM-CPyB7!RhCOp<A<TfRvn_efr
zP80;eXE*=~O`WY2k9;}MWu~jN2oeMYni<wD0F)1pjXfFw<HQpT$CH`>#!?Q2ntTWk
z%S>@G&zeFe0js}^3zv#EOwz2uLfU`?JGb}th9Zv?CJB?MheaL{<J&-Vi`JsA>A$21
zTI|V-3SfmE-7s>Fa#;>r$VJ!!Nq>PO!Z#Zo>q8CZ$kA{`(atMu6NWveB*K0TLY+%Y
zR~}plJLgDRab##d!<cy?QZ)XfXlXiBlfuApQZjxZU_YKRFU|q+EDV7fqVqYm5Kf$U
zkJ@ou5OzFq18FqzBjXnl*iGy@N9}R|Bf{JqA!KWsN9+_geJVl+u`Q|!M!7mwsLlhT
zLk=At!K`Dg><F7z0C0W4?Hi}C@Yn(qB!F^i?GZHC<BI{!nRvmfEC@)?%PBG5?<T^O
zC0{^x5Ex|~UPuF<oDj}&y)x3i$Uw>GA`X8r?b*)2E-*GtrVd+Tjwb-+P>QqKc00Jg
zAuwj>L>LX`Lx>!9lYkA*FY~x|Dg-2e6E(NIjbLC284n9E2T+H<Fb(7!Q+Tn=d|ZOV
zOWn=%4rjt8pe<jSd0_-U7lX;q&Dou8?OeWaa9&k-b1*<i`kGD2U<a-eIKEyttT}}q
z8#V`*p-wKMm56C1f*bJ*B%ZWU>YJ52CFtX8%m4^MBO4e<Kl_;0;d%wd!NdWzEeaIl
zn5vD$r+U|Ln<+29yO;}Y>;@Q7Pzr$FAM6lUdB!{x5&_ek)|vLF9>tVhU|jeFx(3kk
z(O-~dFJ%bP>`Vb?%O+xc{Zn<{5C|>(%@A52@xON_$-``ZL$otnFjnX5E0@Bd4^wbd
ze3M5Hg+?nO{Nj0kz-BP27y1fu%LqTdAPvw6Y*P{wf*^wH5a@zBSB3*&8LA};L=o5j
zDQInu%ol#bfM8;!ErsI1JN6x4O)bb`FP4TK3N-9(EgQnE-2o4%g^oa-!z)BHw;A6)
zG<d!+L4a01U=L?g{DSQ<iq;e(t2`Vc=nfHmc!&$ZP+|jQdmur<5E0DGaMRZ+JY*4m
zAUl`S%9qeX2r>^mwng|@h#$yQ#1n=DJMuuiNe)5~rO}jzF8~`=*>2#puabHx`=h9>
zj~40D8yH+lf-gqp4iuGNMj*cIL_hktSZsl9g^3~Z6a*XF?mJS=c#G<Q1=Mth9n=)`
zL3Hd%E|?ywT0ADLg0@P+7Wh{}E>Tu_H-{@C<uz99NouLda1y(mxy@43M%YTX7^*t!
zYMO=N>BEFKgmEzaEAdbdIj9KuhYEm&ceaT}%lWN5D#Nj~AcBFyz@tin%BIGp!i*eH
zghid{K)i@UZmc~^yTaK;T&t6vQ%2OlQwpYj^iNPO@4^rJh`oS3;Wg=G%qYlo#8(<U
zwmf4ei|Y@BlorKtUjj53!N4Hct}b{27!JNgbJaoc09?h-Y#3j%IJY2lVke6p(;xaS
z6VMd8mU!5>Pur?Lv29YjB)Dc>o2ro@p^oTX2)N?2FFzRN-<<i}@T&?i@&f;ve&)UD
zyhK-+o+x^HeK%xJ6g@aRODr1CBgk|I2uBS*Le$IZWf0bogG`PO!%vVfz^C0Z#6JvR
zz-Ef!_+jaR;hAIw1|NnrS*CyhKMOvX84tpbJ=$sBnZzlNnWzD=x~|%i>QffNYo?n3
z{3!FCg1omETI~;ZDTE(~_r<wZm{Vv2@T0^1*Oe%+6~dc7AB7%ruup7BJ`=&2b^-WF
z=ON<U50+&>AB4*0%VT3x#kCfQwg9fmF2JsHK}sl&Wp24tKdOdcz``WE55gLRkp!*{
z)IkJ785HgW`r4o)XptL8WJSUXLPPL_%Tvb`Q?{8C!|*f8b}1Ul5W%M7IxuExgaTbw
zYq)^cLR`2|dSu`Yz|V)Z_RU?i+#7(f3sc3>3U~u>6UrmNGT*Wc%ODN^A2P%Pe}|H-
zLc@c9hlclv=rhM#Cv;9Ct@n3z2#r$}caYtwk>|^GOA=fO+-P%7#W$*P*K`)qDWd(`
zNQmIwJSw~Jt3(ZuH!!0@8h*h%yn2dLyr+(t?s^9%UlPKBsf%J=c__NX(A=?dGojLp
z#mGcRP$k&WfUw#SgLCGh*wu3oZl6KXSV^IRx!1E;O7)6t$-D^!IGqTLGlsFyi!N{@
zf|M3p{7Cy)8?_-~?DV?9g+CgR8bEM{Sq!?%QGPYGOUo3DLet96+et2nU7ouJ+gSeA
z8>7&%%}szI=la(4-H@&b0>}D1l09`6I4>NQAtPFWTs7U4Q3c?O|B;&_XVD}JBE`j>
zs<hVjolrv^o6`XwK{)IWVo4~AHGNdcQ|n4AoOMO$^H7Gz5c`-5<>axF4+JVENRuRk
z5L4!Sd18t#(PG9$PYu_)>b5e9k=b+&s&H{GB(bCMkrryWo0_K#4vom9vxG(>n239g
zLLq@OO)Q$%-CnN(GitRK{15{T(o6_-fKrD`X@xHNt{|2=KLQt`(c2>Ni@RC=h>LJW
zC^cX;T-;j`7A8AaQ<v4yZZ#UJ|C`L9f-d|WIGB(9a#S;%ix!R0b2zoW`lp^pDi?_$
z;v!%|xr!W(v@k@mYTG$%&bEPDhFe6yM>@IDves?IzY5!(Y_g6-FU66;3gLJU%`R5l
zZU>Vgt+Lk5N^jxel~4#XswOfku5T61d_0(?Ps3Txl*V;G-CNyI&S8nlD!zx1s&uJn
zJ=mDK8DXok=&tbhgNkVWsW-ZlE-8_Ub@1rHc}q|Gg{D&=FC|!+c%*pL@>Kok?`;bU
z)3E_M%<3uByuZkFQ3EN@QyHUx>%>CwgEAs6d-8!YC}`Rl2~F`$et{Zj5~;3uU+D5R
zy>M#2DEd5yU=A9pTgl`Z@TS`=T{@RFdH96a2AWhMd0;tIEH4u}oGP-4y=sE-vZ_Qc
z@_7K$OK`kNp*~L<PxFKIA%g!Wj4b;Ew*UZ^<qpDuZcH56n#bzZhaRYq)tvXFDaC18
zbtRPr`6{lobqJ@f>NMzvRd^;{0-TvpKe1I?6o*u@s0rnh%DD=G@d}|@pk0`FtWkSL
zFpB6rtO}*Z8x2foPYjcyV?sF4UaKM-)2K>-J>N-pp;RtU3iD{h0Q4AoAKo^bsErH@
zl9dAK1wdpi!BG1Nlc6dG6=><3fFR7Y0Q4Cr+@IYHQPIut!^XMNfy=~2*i^$p46lpd
z6!b_!NS(SA%uoberB9JF%bgN7g=Q@r3Of=4jv6Qo3aG-gHBfk2h4X@jm1~W(v10n|
zC@l+qgOvNIRaN-GL@_X4RH)3Oc!fZ@6ahXGvAS-J`*oERXTTT)1uy_0VK(C!LUhE&
zErh~oUann6R?l)&+*1x!yukG33wN7DOLaf0kkDDlXqO{`;nS6PWQ_te&J)Ej`3*#%
zR}&tsU{FE!muJ985{6|!j9DvA)dIG>p=4T}Q3i3e4cDY<hd7ei+`3>d!~wgN_$Od?
zm<#aKf#@9yzeBm8#8Pac(ym<{C<^lmVW99r<bxPEn^6e>$3ZzJg56K5fJGslG^pA3
z(X~d&pFsQiiGh|2?1w%kXs~*DMPMxdNr{Ch0YU}sgiX+b`5{3PDj#Zw2ZL&ELBUmm
zr}azfx0ODsTvZa7%`-$0B+&tms{x;R8h^1{0x?nwHy5W>S~lUMh24?F-~hetbhLzO
z429%e&@~f)Qf)$D1h+EsDj}stfEM52D+!kx$HC%&a8ABhL);e#^fKaOIv8c8IRvmO
zYpPHcHP?tz!e}#1oPds&f>^;10A7@Up{uI>%<B4%I)hpeiFx5}gXvfs1ehp82iQ-w
zW+o#{u$sj(F|q?d428hzsd7fhKc<XI=mc6~<mN_&_Z+x~JL}&nEo$U7(M+-$(`i$C
zytWBwJy+SN+ZZpFBF%0y5UQKGGui_tYhH6)jT(k#3=W<#Uh;@c`Bi;TTt-#dn3=;#
z?$UMg)e&#(ykBBlUWw|H7?U8VTI}zg6PR^yrfyQ~Z_Or%HoeixmFS4a%2WVv&n$d0
zW*Q9x1^S*aAJ+}jLAUA3jF}1R%}@09T*smRr7&FyC4|)3h5AABJXdFvTXSaEJ2Kz|
z7v^}Vf93uQp(r&Estfh#7yTa>AGtRp>hh3Om8Ja<zeE@>yzv=}?o02to*tjS2a>LB
zY}_DUY3@VizTm#o+lPuaomqiES!nQIYitHuU<>R#IX`9_T!WB5S?xB=d<W}3Sl)QY
zS>W4G5FmcD(@Rg~(+?%hj-_BcGtib}@cC&zyu(?kh%;RJ7-tucRTX{7W&C&ea+#=U
z&Wh~}+RFMC1;bjk9Lk-Ux0^c@(;ihhX?i9o;ga*o-J1-erL*YL9RJKQFDX=!{E#-*
zQqqW%c>kscWEOfcG@B}CNjsLFvgD42%%~w`J!L!`^NLVeu(YfuL1qA!f|{;DXYN}v
z_$0u}?wR<~#RF8$m%xV1Tq&~%Zku)WbSqaZ42q^4^s9NOR0JHS>BRTuf>{JDkL75e
zAT|>%k@AB16=dE3G?kD=?$V5Yi$Z0^l~D{PYhe6EK2~L9HB8tzZ*CB)M}@{9uwh^U
zn9$rOQkd7YX2zQF!DD2>{t^sT8f@8mWEh0s$*k!&I_y19)Ui6B1Be{wP`xu+U_C=q
zZKjJ%%q3^Am@hh!kDm#|bEz0G)AeTug$82M5dk&Kv|(KuvhY$3uFcTXU(HY@hRK!5
zth1b8%vx+`LF@x=>XxW=U^i}$l{cbg#!!~CY6)c%SHaF~HS!J5ln)rp%RD6*05LZP
zqS#bI`k0v-KnDyaw-Y)iy9HG)W@6RECzk_7`5a>=M%?SsfT>1qnq^VcG_e@=#I<>h
zDTvkk7g0<r&Hx7tNe4JMm~V(_X9p(}NP8N7TYtJBh&joC{L;5HQ(wW&nH31B6LOyy
zof=(WbulbyfPorkl)!#sZecJ!_90UgOqeUa!l866GQj|d9SoZ_G6)`+Q08{y2p$84
zPfJxsEJ3AkqG&XlFA$9km+EUyqti76A2f>vDbik&0ue_Vj3a`rX8^(a;ku>vQx!y|
z?3-o0)|S!?UY2PA#CH_2!<DEE(ZTOR!H<R5ev4Ca3ZP#H7D?d#-+>EPK*6T3#5C$#
zO!fc;DrT`J!c2{&dH_C^v=$={nQY$x9@m`M`@A+4+cc1m)U|9<(-Ag>()lOx1dofU
z=K7_S-IU0{93c2VMohC_PPqty0X4DX55OkSFyd(HYKm&&YC2)<FkqSMdNGDC=gMF*
zXi{%7WjbM9HF{-K)M&a<7SSv8x8SgeWfGMTWfg%EZ5LuM_$rJ3!9BV?hdg8WR#x72
zbjEmD^>Hh6D?BQmSHS5&cmvSQ-;|jW0!(wUSV>uy0p<Agb3BsfVeO&e?D1pd&12eV
zsYJ7xhPWbx4u?D(7NxM}M))1D`j=|6n=<i@jf#OP35&3uieef8Z%Kd9Uc7lU@nG`6
z@YJ<#wmhDJFxUQ<X59=%ojL>G{nq`dj*~^Ryl2c6qD}f>f7Bp?VzUStc4geAzaoM0
z+b}XKiF(SNMe7s4T@#JyOa^vWYtYPO;{#-PrN#j0o(JAuayn5dy0?UQA!BiI;TAJ;
zxUeP-OPgyU5L~BeU_>HMvanuXh(uTRVb8+qyt4_@n4v1d-38H3dg}<8!XrxS5uJLb
z@>L4LOej)F)x{YCpoLnzGbQ(eWp&&@3yAG_PHh4n-mMKn$<aYsdB|08&8)m*S!N2$
zk3-KR;aPuZ&2j`*TfO<m(*OY?DZ<HBV6g;-@us5l(U>fTRD>F7`E{<M?!}FBri$)x
zytEmhz9(L(w{APucRH*G5sZYWP$ZP;5kzk&iTy++uhIyb7~Hcrzb0a}!(q@nt?Z?1
zx!Dy8WRaGj$)thtMqmYoH4`AfZd@`lA_15Bf$?Nvd$XY<5HM(%&M^cJmz4-E65;H~
z;m|TCm;z%MW5cGIn8SveWU43-B@Ae73c$E<$R{y{xNQNzzp^)SMQoug-9S$-dAkA!
z8v^+dWuz^*y4J+Fr&U`cc#Vpi@*{opgVr*Mf?gRyfNp6lT1{;@m#r4Q<d@VW%T6=e
zDTJ7s4M+f)np40^B<WfT&huH&vd)B%nHwf7r(+Igz`(4jM7|=tzhZCu!~G^-a0=GU
zz|zHCzzU^`NSei8mrfFar4d;jfDYB28V+PotLoHVX)41KJP=`g5iupckOJpi?=3A}
z1X*I)JscB(Dw1%o*hc~^WTo`zB)SbFmOZRCOg4=CS0caxs)3?!M3rnVg4^FO$u6K}
zwN64?oDN_Ib|R^Kn`!fVHi5x$#FnjEE$fmPO>k7S^pryjc2Kqm5;Ti-O$Ef*Sq=o_
zY*Sqbz~0Lm>(^i=NtJyGolOy$tF^&MHkw92&?g!tB-WJt2>ACgSfy5__6l56Jf=;0
z&lD2CL$uxG)X*@!HO5i|g0MmoDldb5Q<yQ_Mk!SxKA8>HK44$P=BOC9AgTp%brMZy
zxr6^QSOr#O1aT%8&%AM8RW!*;C^CYOg3JmHW>QnR%w|+g)*)p{IfMr(#`eW1gCIw5
z6k+g*hGnM|MFIybsb3!_ppP+XV?4*hr;4X-<Rl{JWO9}rgd>qlf~?6+eTb|>C7k$h
z{6cYJ;V?QbblP0!t0s4?^ys907MYd`+98HLJ)JUC=Y}aK`rlg2VaZg;J7teAf>coT
z<g9p1qVN?m4nrOhk~~TUMjBy>N|Ht3Nup+%2>UWL0B9jhZ~=rFn>3+>_boDr11kkj
zDDWh}R>fLAh+Li50g)s;5|xY+(S)m*<O$I@7qDpe5aBxVCMmL5bA$osDP)Nt1d5nH
z8<X1m2AO21W&KWdNLImMOK?8V7)tLC3gZ5yO!+Ad{L5!fT*Oq3{!BPa45DIyBh-Ba
z0qt%#k~!gw1!sevMT$jCM&WdPu?MwA*5WW2`rY}&pZ(0)&d050?K1S7VvssZtw>^^
z^K~mvStt*zr9e-C%*Qd98BY~&A}Fjd@5HC#2+JD)+JGDp@mP_md7+Ydk<~(KRbN$b
zCy%@dO&Vyu#weaJ$d>^^av*JH#IDZQ_HVRU!T4C2n1zv_%KUkh%moLNLe<Xawn!Nk
zJRVF0NhUAABZo+jmMI<naH{0@6Y7SivjqyEX0^b@nZ(WtjG|B`w0yJvu<sNSusR77
zlZAZX17$kd;bIeIO3ntU*f$sTFfj@&{D#hWf|N!leR5hs6qXD2fr<-fE}zaL3Z>2|
zlGK`!(J3N7szi=zqjaAomB6-5itP&6-6<m>q;Y~vVxm(U=2}2vtKjCVs1P1PVI>`f
zN@b><s=UIDOvcM0mS{QC0hWf7!opJ~#O+Gt(<c;GEHC*(LbAlEwkJDoP?=svF!tel
zl7^5}E*34}K&GXo1I6Cd&#)0FLZ#Coxd3pK0e#X{6b~nTHyxPshyNoVPoQ{{9_Y`=
z#=0<UI)sQx5Yy61Fp@Ll_$v<ZjQLT1k;*gU|1`x0c9U3a27Ev}=0eF_W~ww>8sH53
z@odqjMtnjjX(AQ&S+$KD4F-lLu*)#diHg*CXwJM+G-QnEVZngu&`O(HPy-!Cb>TvE
z`iH|fI#Gh)U}#bpCuEpXU`s?X7?JRI-&su>1}6D_ki1z0ti_OA{R;$16*sKLBWg4l
zO^R5F+$ETc(hI1qA~t&{VR?ebf}iGkxxw?7PoO<u{-f?rsfR0KB+!J~cDaCYP#&^+
zTkBNYapnj2K0IeJ__drsJ*nxPiY=Xsczu)?4uO%OqRH$U;W8)ac(KPLgNNE4EOklQ
z=TjZ}^HBXU`G>Rz2_+(OcY<{8=hqw@I=K5h2uLcO^YNK!!+pnup1Lc7KsPT?Bm&+C
z9MA4JfOxoRMtFq%2>|+07Eca9wSU2k2RFD<IGo<8`NN239}e+2x4oezd$yoSg{T+(
z<qqz<H?%_jmm}c6mLSZ<pjC{(9|v*bZiJgbHOeP=R1O=Rf;l>Npp$`~A{P8Gk{Rcn
zf!)*$^H|KbNy~v$wOebz8RVT8AtN&}5&@pbblCnQf?MF<r941I@&-e`&*K1_R|Ww<
z+$}_sfI>_dQD->8xw4+ha76E{a|h^dVhDA3!TG;2UN9X&d}0XOLI6|pp3in*@*5b2
z`aEFqxG;Zh4;ISP9fsV+a!empZek4VkE%bI@8j1?NeW5Z7&}8#5Eqc94&KDDlN=y>
ziB%>zS^kAYOmf!~<OYTbgJ^eilL2HgIO1~{WMD1Z7$jN836?R`V6b{$tqc(6yO%fv
z3xw!#dCGw0Qx1$BGAPIc7tC8TD9p1D4E`|8$P+Hi85m$>L5qgD7^rITnkG3Lb!cE>
zw?x#0`x8A)?=@6ha1s_FGl;YzA`9`nrUr$l0g;h50WL1qEIPr>X%n4dj0qb4VQkgo
zOe=ypQDY6}1jJ`TA|Qe}XYsS<-I~yD@rUsl!DMA|wSqH(5i{7;qeo3ZH2~b>d(Epe
zxIF}#(Q^;xCd6S*0|(|84fQs(-$4*lhPWW-4aNk-M@<Qy#%`OMYj8erUzy%vbT)MO
z)&z!nlNJFJpvcY2Ac51aZ4rm?fx*Zc7!U~%69Zsy;~r(Pit{?myqTP5K*1c)NOMKN
zXGaB}oTCnaC9zn!kYU-LrWu(6W!Zt_3=D-aa0DD_019&x91XTKFw4Vj{?3d4W@!1N
zG@XdRC&@tXGEgyR18Aen(CxvO4}+s4T#RrsBh<}598)Um8pdFt*5d$XyqH=wc+tqy
zGiZ^9(*TCrcahny)1`pVqhyV_HIUtt4<^zS3@WI)!s$!dE5<a5>kttY8ns3&bhARu
zOUf^#x?;P6Us4w09zr*CVPA5h4p%=Qz+n4u*{e9YV)Y8DE~v3Gk3r>`%aux2d0lM*
zA)G)z!6ckgYY_|TEf+}ze;8iWJTEa&r9=lO@{BW}*FfFsI28RnOG6D|Ag-FS=Z5E-
zi&`KA<AtSDI4KP5ykrfBpl^x6GgucoND;Nx#lawTZ%Xj!AY33#@d8e>|Ncl4^+%i$
zT-c~$`xOpTDMw`vl@wE<P6aiUhE@SbWqFihQ>j-a2Z}E#+@_M-N@OjFtrD9{vmUNU
zBO4KDWwXW=2hoHOcg{$$?Jl8U{y&lkkt_V8SL72qQk9xj5njc}7jjz(dL<l-oiFUF
zQt1nO<Ti3F*s;>g3m-1%z2fAG<Qv5%0$6!RGLvNyimxb&QE<Pq>dW>Z*g?FSh@)mC
z2q8q5B0Y%YCrFcl1Tqv61!cF`gTV#D4dm1WH~(}L4&TyFT+HHGxUobPiq|4s_riY$
z@mPl;#z*-IVj+kOkaHo#MT1Oy^E8e?phcA7V}n+Kz~-@$l1Bi5`4M6UWJJhQ5u-DK
zQG_TG#R(9EaLvtQD=Gv)<c1|IC~uTVuVYoNBh;4(kU8=4TL>~joSk%uVwrM^iA?h`
zjzvdsul4IEEQ5F06$ch*_#jb283&RJq#TIwC(we|-g+unNQ5Vm5hOCe0=g)Y9SCqC
zpo|yrS0&}~0=Xbj1>`~y(o1Oz#HA6SLt!=Kevx=hu^6Pfkk(2`BV@A@nor3dMDNC^
zE3qc%inj430wuVH{ouOXlY&`E9w$ha0tRHZ6Z%V`1j1MeA12hF23Fw*UKCzFMe%vm
zV&<TT;5uF;#hhYjEqmFE1`lvb1-05LyJl2vs%$@|$`l)BgA#<Op>;(Isn}gkRl<yQ
zIgnr+Ui(d4Y)h0dh!U<c?Vy?}+6~w%n8js#JBboI4l`G^hle9iiBu>OTscMY*Z~TG
zJJxullR;GnRZ<YJN5XoP59Uf0=g0t$t+4)EBFk@E(q1TbsZ6Gcl-Kf`W<dV}7deo~
zPy@~2ZduZR<Q)hW=<t_sy*g7dB_W_>c)JasXhK02SF{Y<({BP7jPyD!y|g_{+w2Vn
zG1%}qAz|E5_KU7NQaz?Rh_wiv7J?WoT#iK<s>if*v4xV?ZKE!#LCpcTUtt$8GM2_b
z4{$}m8tsGABFS#t{n<>GglY~Mxb}jF)Mjwky1#)trQYYJwaE57rPOR7DH~`mb)Y_;
z+#T~D(gUK2(okqgZkf2QnYf49Ez4RTmb5VUmU;!(&$)y1VbE2|@WP@<ZW_<fCqD4j
z7fM)-nzcBAZ1Z$?z2TF*;ep<8-(B$ET@kCSL|~4!`D|{CsT4jv@V*;7Gg|y7^0f^t
z8=&YVO@|Clw+v3Ho2i$i(#mwYOrq;uin~iOgOKK*3-iZAI#~^IA%apEsUf8IPCKrj
zbL3bKRXmmRXarw3R_|M>Pdlkjd#~3;4C_ZxFG*Yw>)sAljia#DWO!!eIf$b%8OGu#
z0*&lUSPx)3Tt{r!>^f!@nWDNYrq=AH`5A;8D101T?(NXU(Wzv5H$a|S)Isj2A-+ax
zD9vjbfiYO86{O;`^hOs?DJUIDK<Y*ZQPS}7w-i7G1mct3dkwdC<p6+Eqh!A2L17TX
zmbDOjv&9!IV0a|~w@ko>O_s?kQ7EMmqhd4;QKFT{y+mplZEFpHvLEeb62(^|ZE6a0
zHBkeEtwgE@6Khh57lV2r8C9YT5ZNdwt9A@O-OD}2+%{B*36R|w42=pTMK%qex?`Oc
zEROR;X$`CgJ2n^KMg*9m2WNjlD+#Qk7p9>v@8G~Vc82BxqX_8NVk4s~dxL>eBBn1c
z1<)P#T}o`al-Yi_*?zZ^VHh+hiyupyI*74KF0O>zHLb_Ma>O`BT#UE*G|SP%RD+4c
zSD|Q9RJM18D{dt~Tkgp-?#xT(%t)5W*TA~AO8nl*AnGO)Y}R#wIm2eKmO$JhSOq4@
zMw|mKY)T3pzinIUJzMH4W%MDg*iaG@jsr|5JGj7zU~0`@$gUb#lyqjsU>dSFy0SOA
zC?VLIOI`pL>4qDNqzRy2jA23auEZDTPKI^w+U@%c-?9Vt5~FPwP2gO_$T-Saq#bCj
z+hJd}iZf=4HKU5v9KwU@E|7CWVUTq|5>RkBh#UfNjudb}cA|dY&)9OUyE8>^aTrm~
zJ@W~cF1i&#cCtNJ6m(puiXSl@v;}&HOdpC}+olV}EN11L9LR1ofu|>+IBghW=>(G7
z95yZ*>lW44E#WC3IGpRORqL!(>s(dqTovJ#463{pRX8xi7f2d_p8>uNp^gUKyMExW
zec+n;!Cv;kUh%<R@4a5{y<Y6ShU>jL>Akhldfm}`4aIv5GQENsUcn5nV1@UvLd)18
zRqUZv?4d>Mp+)SW9qXYL>|q7wKJ?JK^w6!ryIz_V-o_JMPN#4tJAx^<76Ke9EQ&{y
z2{8()A++XbQ27?CtK$WqWMmE3S)@c2LPTg1jga*A0jCnh47m-&%?X!yia{nprhrV(
zNZpL_ZX>Wr!ex-agzJdhs#%gOKr@MXTnTYp2y88haa;&&uM*{VG8PA?w23QRD}wp1
z;;weu+)>TNLfBkQL@R12R-$xhD}h=P;e82kzJIu1KJcd!;#dn>7uORwKx#GyCaY8`
z7`DX$o1ADMg^yLHQ;T%)uta$S6g8M5?MFbdoCsxXlavE!%T^k)b7(6;Iw{x#ngGH@
zPix44G#E!?HNmP~JAD?V)+ZZ@#m$u{tk8p6;52#JEb)BL7HgRWgHm<sGj#9s#;#TK
zkzQ>e#^>l5$+QI?hDBVDT>9?TfRR*NOw?||>M9x;a<^FGkH|3FU5bNCa*xAI43#@*
zBe6=^n-biTNPvd5nG3im4Dv9|K+!PC!cFfBYXHF@Vc5Oo%@_zJnJ@hsAh2NYnJ=J(
zWyXOScO!p+oS8^@*pLlagoghyY{>yB8fSJ9f&wxwKx~uFxOm1<d~BiqP7+?iDtHpo
z0J(lnqVdG3AS$2*qMB*JfN2ZcKW-+4sB*9Y>1~YKfn#{u4|p3Bw}nJGAJhY(;jud!
zO-b4yW=_nkV+V{i0PC+|5fGbrQ5^kiLaTy+t0ok(ky{VxZci$CqKBF*Y#lAplQlA8
zJnE*WDw>G%M0u<yn!$LVOBj@~iAxxiv7DV;;_2Ph*e<Scb*AS{-E`XN-jx}yl^PzF
zsCrtQ-E`*bsCQb1bl#SzN?M?)YI~ij%66w2+Nxb@q1LV)YO&IM%xa04)6+4hW@5BD
ztmBPYoNCPDS$0Rb)>>wDj%5Xn#9GG{tC-K`Ue!3}rNwGoFPTN3nPWXOqdhUxwv;O}
z#2+%m8#446GV~PL4=VH#D)b2|_WiV?iC3bDSE4CbqA6FRCdheLp=np4Nf)(Er8|*&
zcOvxeMd{p&)27II7pGD$PGnw`6f#!^RN!r0_SGnDWUp*ib%M+<S;gzW8UVEA*{3ee
zB_m8p8AHag-Hl>Kl_N#*s3eU+XKBkjM|P6!v`=ZvGfr8WO3KkbHg$$J1Afx4QLJ7g
zEbTGcX$9gni@a+Wc$O})EL@^5?KN|WRn8?>CQ`RVy=;kk*vnbgTFyjW;&SZ?TJ}+9
zSw)zMb1M?%p_N#fR$?Vth>G)->gdZDm1QDTl3~n)2Y8aQ5hYm|Rdywc)JqkZSE~@O
zRhVlw!VJ_U-u-%sTRRA|EF#Ooxs`=;Ckoa^6<VehbX~9f3SYr0p8Bhs>)*B2`CQ()
zo%JuH>b@dYUd3<MY7Tu$4Sh>=`mNLJ&|2z&);FwYeM$j+N&tMbzEA5lIekiS@|L0H
zS@)Nx3o3B2y<<DdQ-_qM?-q1tCe?zKb%L7Sy;|4MxQR{GRvT{&3?+`yc?X%W_2yTU
z_ms;em0q#91wt^Re~1X9#D%n^N<alsa<#5eEQD5Krm=d-ZdWT(#p^j|R<|oPWmdJq
zRS{XLn#4J$>C2)-P>MVS74bzfYg?@?W35>=lr^HTx)!ffs{%Y;tf5XB(_9s+Dy4B$
zq*SqrmPBf)N>sTWK&;EGseDy0>ZLbXwB2JtIb%V!O4X@V^(v^PXVlS@eL}b>RwWAJ
zp-7=)6fAOud5vLtjbM3=9)dkJ<;wHRmDiUl?=DrIT#@C;9$b;-$sSyh<;fmgk=4mH
z28h<Tab-Qo*YO&gqgK>wQnN^uMil2wFpJ2QO%l4vqn&5k2#<B2eGj5lnEJa8>8_Rn
zbE_|ttdEnh-kPu_z#&bC#2T8h-8o|c#WdN(sk4kVvBlM~WUX<iRb(24Qq(t%5UYiN
zoZ`y7s&A5}CaUU+RI*BLEUId;QdG|3>pZGgM;EQ_$W>E2Y87!x+Zcshg2dMhK{>`X
zvlR-s<!Noo%-k9#swr#$=4ONIK7Ctqv9{%6ZObIuYaZl%TV`X}Pb*F=bXnzT1&(Qr
zjA@OEX^n?AJgqKZ8eG6MxqoSL`pV`dmCQpcm=;$sEUsV~T)#58er0m_Jx%GNRDiyA
zo?i3HVtHE6Eb^@)N<ybH(q5MjDv{+9qy?4R6!GjX-OM@Ns<G)}k4+M%#NjGHSYq_G
zs>0BzAe<pf1WZYYg2hf$z+p`>VLdHjlC!Y7vnrL75b~-6HncN5A%u}mU|Te)s@kTj
zYz8Z8nyj!(RG1l5l_HL-ol`TcfPti)T6`9lW?FJ_jb=1p0jwXBJtx76gCZOwgkFj0
zmFfz}GZoB2Cow>b55f>s@JB`^Ku*JlI<P~aiRl;~uW^$uiq@bwTv)h;TLRAt<3y~x
zZ3#=G&^DSvV(9b10*qFq3NctB^KyYMk5;s@Jw+^>McIf-SvZE$WgfViqLxlBuFOk@
z(qK%unp|BZmQXC6VZ8u{P(;ZT(Q@)ia451!N?9}d@ChPE7Ee)2GYM3)1TaMr?*@Xc
zBAw(-V`e{0taMr2H4%A%$d6hqiKE<AHgQrhs*5ywgPGc!&~$qh3cQ-g-7IufZ$~;S
z%P`TS4vO>QFyzrGtVc!k=&wdLHY)^aAnP<=B6Nu_J1jDLVNw+5&44znDvKL8i~2bf
z?=XaALMs6jV2s#D6dS+|s|JC=zTnZwG-M45gG!*#h$JEj)dcqfS-~x!mhdZB1ZDvq
zfJP~T((_CpR8vYL)3-~jW`DnBG|DkLG`SGUK8$5WPk@D*Wt@6&D7ecFlqSbTqETSz
z2B+J)C27wut{H=FPdi#mno}snk{wZi+EHLJlvd1T6|&4IsPfVH3ZVm0;ZCTGs~T!P
zl~%*Qc@jKlFw|@?7;J>WWLH3JgO&s1%&>r`2T>@f``WOf723%59FQ!NF-`y{>!I-d
zbdW!COvmfD*wga|c0VwOr^~VAIDB5*R|C@exoEzwSudij7gf>4b#!rET^3hYLKd(O
zmv$-+BJ6fG8Lf)At+)$_x|3nGT%6QQ;bd9x04)TkySC1Ud`!w99zYv&fT=JPEh?d_
zMbvzmsGICd>ep17mDMJ+K`)%4nm}qw9X_FTNea)e>3kg7L<K0RFgCL@#RwppL8uf+
zEu5eUnBJ-C#6MdYtV)W<3zDhM0`Z{5dOk?ZY&xs;8jsqnCBb>`O_fan`(FAzYu?L`
z0J80+V=p*V>j>oKm;$6%x2-VH+nVw{6?O{5uD5blTe&GW={%&ja!_s(VEu09Hnqok
zw&iexwZt}-KaRxp!N{Jt8%q_#X=1b!23Do(Faf|HA0&cJM_-~av410y8CY_vdO1}M
z#%#j#ymiq8dM|F(8+Q6gUUyBAU<YxkvDj*NbsC-BEsVX3c5cQcWanTH=cic`PpY0U
zLsS+5$FL@05aYl=?N8$4ik$pqkS#0O=v7u1jM4-H`tC`N31iF^H->Lxdfc(KbwI6Q
zo7mLYBCR2^=+GIL7EsZ3jAIPD=V4vTqT+DVv&4;+(VKKP6+A6*V+zX8_BO`#JPWp~
zcp5w|$DRz@nR^~+rL}DC+O~IW7|4V(P{3#h$LV2*sbPnK#1M2az>>(k!sAG^e3l8X
zgU1*%2;y+eBPB*M9Q^RFBV;VGnDDP;WBk-C2j*l72YBjScb3C2MmY_S!%e2ENSSU0
zSK!ld6rEU0CbFWNM)`pkr2+*Q8B<NeJaIDHkAqD&Z)^cgH)5@TG=zYGq{!59Y*X6U
zkAp)U&1MlE?(CUI#IjKl^4g)++nGd1k^sM*krCjn!wal<zO{pJnluvMn~T_SVgfdx
zQ=}aKX%K~UXnjnh{YDhCFpCL9OJV+3kFvmfk{+eZ=K?Y<qwvo&%yym=jF%hbbloq;
z=|wk5;j(2;@pydIEoNC>FiQb?NM4r`^uLv-1gAWO8Q&;LQ9@S-viLldQPiFd=2Y(p
zJ~x)Jw62XMd}SmVOMtpx#Z!V1Os8wEkv|?gJHm-76iRr0Ujy=r9h0!+$(-OmPyrN(
z2P9gkZi_}8ymZ?lwVPpXL`60n;Z{1*taYV0h$6M>ekdYlC?a62l`|D<+E@`3!8ydt
zQVD{T6$cHv2&D-I&Hj(WOm~EWDM{qH?}pZPFoXjWlQTvR@cox|%`Q+^wQ}J{dQ(Cc
z=}N7*7KYcQls4UJ0**E&glxgw)!mMSM0Fgj894yxzdPj$5E#IFIx-UnqWT<QkuKE4
zL`d3i$$&;(B?Y1xHVqaLKA9>6CWi`zyj-x;<dZofXjGfhWfgRJ5*!0z2gC!L0t{Am
z91J4}Ks%!~n;=`#V(lOVhT(1V6_OzMq&+7z4<ZY3A#Yo3TCWk?zNM-_Qq`&!Rf^g?
z)6h-?wTF(<)?Oe5izp1SX5hJMn60uXN;E^nQOl^%fH<Ra_~k1>0{QZIfL1FK6avJB
zLa`w~Ey&U95+B7fLVQih4{7o=dVGoLHzZaR<4;SvAx4MNbHIHkJSIqaff<t0U+F0?
z^)f^LB_%i<u~Mna5)K72L;g&Vg3%)-_(RC;^oNnaX-trTVwoWV#ExEIMTs20QaOI9
zk{_`grywJjcmR%25F~P~6p0885*dCF;yZaE#Bc&pa!>f9XZ?c2@o3=#%IF)AeAHwk
zA*#r*a$XKf3CTP;GDjy6<nbJt!*UEaKE~vDZbs(hG;T+x<SuSQCg(uh^O}~U62xL$
zj7v$092k+&i5D216B2eYB(oAVF+8Rv0%A=@B;aC3#wFNdTSg>aPFzIfW=>3G<%CW`
zl5#62B_$-{QjsY*5}DB{agvj{DcUWD(z$WnoRvFJa4M$Wct(d~;QV208)7cv3s~wb
z58_-k!-Kww0!n~hwq<bE6uV<WQevI3N=;Vg=^U}0=tbNyc<KTxFc5cV)?5bu!r6(<
z_=?W=g@aL6hic-IzOk=F4dx~hds67uU=uMLcBT<kSt2f^1-yXi5E4|u6QqUZASf$J
z%QJg0=T`EB>nwAG3OI@eV!XO_phPvGM&bhcKyXM8Ao0;2B%{QHRtbG&sbFiKBjGy(
z**gc82DaWj6pWO3r5V|H(wP=eLx~D3!9yWLohb2SUliD2cEO<B)T9J(ZH^xglje`b
zT0)_UJ*L8Y?X9NF$z67Q9w^8T2q!r|Ok*lQmfnNrS5g5H4xeO<5gwyn6x9~J8ew{5
z^p(`6UooRTJUk)_SJB6hm{nF%x*-UHsyOj>9w$S^WhrMlgvC^fx{?kQfqA2df{jYi
ze7wd|DyGv04q#+RnTaB13^WQVP6{$a$V)c~k#t6v2(HMDcET%C16nYO?vUl)(7+Bk
z$`bxNIACv347|VyaG*DS___!U$G#~d14%E6j)2sA;<_L;%s3+)xf*h<Ab~V}>h=VH
zy@7)0sKSB5lda1j4iq)r95~~Ih;XBh7XiYGG){(!R=IzP!K$f7i>T3P8Yxy4RGbk;
zN(~i5VN_(G(N^fG5h$q<D6RuVA;l3P#d#6Ofg6=n2NmQ@uA*ge0HtvO>f!-Qp!I!S
z39nqxAm?y`>$tUptU5bagM*9=mjj4xhY$(@Bo^~Z85bL6HL}ZOTkVl<wnY3ija!4M
z6gky69~+Bojvx*+w#b&j7hur}>a38SQa@UdH$b`th*u?Cgz}Qsqzlj?nD-!}b;79^
z5TbR(RXA18!gG#Khr;54ZC5Q=#Q1zHBh<WnB?Snz<1yJ+nj&m6cj1ZH5fozwOyVSS
zWBq~!EZT3?tF=2E`T;>SzRPucf;`s&KEC^f`nUZCh4ZVvwhC@q7iKzUq3~dQ&$Phy
zk?v-sXp&p`4S84U4?UatNi$f0N&!d!00000WoC@}(0=h2X2y(0?!_S{rx?NkD9SxG
z9P1sP!x^azPujT9nEa_dXGMX#2LO*eGPfw=J|&$oxVtGMx1<c)63<K$7dApHR1!&%
zzD}FBIk+{aA<6CZB2z}EL}UnPgh0F#=eLWw1vml*wDL<f`3-(B@oQsL*XxX$4orhk
zga*j_OlFl66b|Hz&@QZgftkRAA#t~1b^<0igW+gEGj6lGvt#gzJ@-~;?Wtunm|&k+
zKVuD?mOju)i72Rg*alg-LhSg9ZVs$jIBN=MIHv#LlUk4B3G*>Bg975^^`!?Y74A$o
zR8;cy@^za}c2j!dngv;tL<TUR03>&m-JeMi&29Jvgb<m2hTnk7s^*39M$bp^Bnf@<
zHUJV2S}Cv$&AwRND?|e?R|gSk{E&o`<|*|Jf>;kYAhgo;pMdyDvyj$p&o0%l24*i6
zwje>Z$EXZpFafYZMxP`?mn-x8x!XUb{v8jyvk}CLk&Wa;03;w_0DR-tgMomMqf*#o
zpaoYH<zWC?ssV1rZA{xbmb{7-JoE^eoH$Myty<05<b#?tIDbO|bQ+c!aL7bxyMmpH
z6xb&w;omC(Bi1bUAdjbgC%bTPkPDBZF$oS96~^wDWJ$#>*-=B0WnqF`sNu?8A_=Yq
z%i0*&3l^wR^m8t`0x@2l3+NXKt{VV|i6#~Sf~8$gL|Ed%Pa=rT6UfXuz5>wU?|P62
zCJA)mkE(+H)7~41#R3Y3<dlOJnwv%D7-1x{EWN(f#`SQOu~?c|($ng!6?GIqxY^{?
zQctoAQM0t6ud%{-%0&opX|XMzhv0*SAPA<-%jt2IuVg0HHUQk!h_^Ggg$p94_pn(e
zD0Z2s(8u|xAHbeUfT`=@H8spZVM8@;qTy$KLDc$}SyMYIV2HFDE$Nm~ac%XIz@e-*
zr6gvK45A4i0ExObB@6!j+k9zPLPG6LX^wACmsZOfHLBkU7R$ngXDmcr;elSKJfQC@
z8+M$^c4Mcj1mqYFCK75WV)68%#GM!;rGNN4+g-thRcvMMl{{HU>dLf|j4Qr*i(7sL
zHtp~#Ad@lxJOU%K5Pb4abO7)uH_Qr2iW+p{1s_18cu&-|JSpLZp#x843L$dTSdtKG
zPelY!PX=L7W-Xy&140(?0P9<MF@UuD`7X>l3@Qss3+U4cpp^6BlCpjeSpJVZ?CwPL
zQ`U^egnehixERo=Z<V0L0#=`sJEy9JWLf#E^b`Pi8bg1BNO2dLLk9z<JhqDqy-eG2
zC)r22Mj-$YOi6-N$w)*QrIT_%=TwYi)IOGO0P08RzzJ0dXfVSe4x%asiiD@3T74eZ
z{!6vqYY1cmj#Gj<N~k!l^cG_Szp#k#xu!?V(E>(E1Q1SjIuJl}Pq2mVX!;1?@LC3a
z+WF0Z9Sf--Mui#2q)6H!&|dCSfM4GSnFMz$Z>j?zv=5}k8w+yd081}|!?!Lr{r+?i
z66-AOLMFwf&@_|lgk!s!P^np-?4N2AM2zmS1Y@E_+B;VZP4=#oE1T&Bf`+*y){QLs
z5t`g=S`Yykv6guwt%m!Wd%8>2$?Atz2CFvfudCT(b5CSky&r;~m=>!0;3uM3Nv|w0
zF}~Q|f(Bnfu4XURtJ;WtnkEd`*=@shgJfm->kJ1fWDWXLKqjwG#V}*inTNN3&Rjm)
zS&f@qcX6)bhqIIkkaX431<Jt(iM@(o)LtMxd`^Zl3u*k{87XrRA%rgL5ambz*vugv
zqn}Y6QpovB;1iC0)R&q`2Zu{05$swpT*112_dM+kf$@Iq3^yhtNY(rdo~tNX;O()z
zI+%4V=wO4qUBHWp8rqM7ywXHhOb|$@-+62wM%gA4i7=vfi|D{CTW$Ut{dJw)N#Bh^
z?2s%29L8^;Hzp`eh`;H=OTkG8mZ#0~zpE~mGqUf$rR*r%1i$GBZ-PxKP>v2}Opir$
z_<g)H-34RKBUu8#lbk<5s`HTAS^83A|J=}eJ~cW8Og>j?2pZ9HQ7FK<cNw5!BXbzm
z<Cz-d2!+opK-V(?bwyKcg2VHGZ>bvKiJvCX4Z0(-K0<!Gq6B%J^Cbwegc$3lCz*Nx
zK%E{L*xm6%xfV5|G+>iMb8G7tJS7IL&;jo4DqMUa0(63g!V=7qTrAn*A8PQ-SvA4O
z0*L8wCI_neQ6tpPjVGE62m7!Y5YS;I4M|`(#ry#-Ma<>&9Lt6xJTj>7@Fxu$rp6zf
zvv`S$QJaM7CU8=vM8GpZ0TBK$dW4FN#?muSoat|hxX>9{LVyJfgR8=rfO3h}nWB+J
zo_d&(n+j{p+TMUU;1eQxT9u_zBhPJ3T1OB#RvW6Mbi@#an+P*D-0v>PjFL|%d8*!K
z4GhQ+LDQsCe~{VmXF|VD#%D=|>X)T0$4<LZl6Xm&yA6{YR@Naeoz)R+5Ry}GUp_Ix
zbtLT)X>pJhL8P03@Q$rB9I(^{C=j%yG1zJfCb&m5>X;EsmQj+=lXOM1asjDzs>x+z
zqdl8urR6=7lcC%v%2ePHiUv|Z^<ksRHA5VC6(p17lSRrfh+%feiedM7cbRt5WRf*u
z$FrW&_P4k$F0$>~?~6lkPFJC+65zTc$q#r#619mx%$3*ci5>W!Z!CCC?A3%(s_Y@G
zL`*OSNhkHiDodvZ1yn%!{rV95oCOFc?YoxkClNPKJl!eh$PC;@OG~Px*EF5OtDBUX
zxi2#Y2p4B7J`YDSz3B30kzld825GUBAYr6QNLUlLjLRs>b(Ngt90oQURjuk~z^yes
zOWY4?B+68uHOG+}WXyc$LM3NXSJ)g+pa6h!Zn|n95W17Nwu7Xzu+qPiFmwYH-2?Mr
z9H1cz;5kzK(d>!DhBEIJ>$Yi;PByv2i6f_IS0D%|IDy8kfe1*D+&lvq<^(}XWF{W_
z+bo#9e3I7DIzs}1Le|k{wYN;+HuiLreV8^Ae$}kuo}lds+qjeNn*k$;&oGKGKo_ZN
zYYP3PC!cCjh6K6UZ7``@(RSw>lwSafN_B@OmE1<LCgkXFakCx}3JhkjWc3Ckwabi%
z1CyP!9Tr7UMT{n?F`#B7xTWo#W`KvLVX><8R*QH5tLcmJMpx~<ehQ<aq;ZS5(lA>V
zVz(^H5s0|R*uhK0`?Y2J?XFaBLW0VXf6riyuq-oSZ`($MM?saq_;9Hz2-!wLn$$g#
z_!pcJg@{QMArg%j8BdcJwuOV4J^1`f4=gcgxS2YJ3AkP}kMJ3=*)9;aD}`71Q;iOB
zeA4?m+9(|E>54HDOs{O)&YO83F8jA9-L&Gam^=Xh(}oZ((o_#7Fo3~t)(-uV0ih}e
z4MY8h=tTAupva7ixeCfJGeO@hZQdxW32KYwk$49of}QOFHXznq&{3F`eCnlGD%Kn4
zT%vU#1q+}*j(mR{dWrGVg<m}gjDAu-qxe@{`o)zc1S|p;WQW|XpFIjLTMfD}_v;!2
zokffymLl1cJRF;B$_7=x73^ztPUV3VI7l>XVs5?mY%H<=3c-NZUuJf#9qRd);ej5u
zxLy(~Z4>~h#;_41DUWw03$@vEK$}kEo7`PorL{QU4YXX#=&Hp7C6kpEj<>Fz{|iJy
za?(DBN5YJ_)Mm*^LbiWxRwBr7*8BipQ50}4j}cN-1w6@5Dp(Sx7ns!wCR+7+DN7=%
zocA7fV8ti18ae{l5?IZn0M9rhMgd5woF!=xYhg;Rrd`&NF}&gkCt*gjp%`=~IgF5P
zQz6_fCj{mHVIbEKx0d1+93Ie#gReK!j;g#)gVPH=UAjV=*>Vh5<QJawp@U72cI80^
zZPTc46hy+S8rN<OKiRgq>lkMQA{C$pMr&>S!}~3c<10-9PA7sa>T}Vqw7|mcSe&a>
z0>hj3GW>R99wY`SWr_!%!hl}n5Q_&S{)$5F!HUd)Y^d%1C>+r?=zkuJeIdDT!I&Qn
zTm!7^S%szLt~Rpp9wWA%fh1rtBsj9nQt~H=#Ha2O`*W<xTBQSQ5`deQStX+qvP2EZ
zyrd8f<O3^40s2C$Qi87FxS5is;lcM3^a0l-orrRPMo@ls5;!djpL~xQ;LuRIpfDQZ
zh#*L<K)nJVNRYr7d!`uC{)4csJt+<%bLZM^3h2=^*@|5d2sk*4PZ*<p#@3mcnL0u7
zgCJ&3yIIpJ)~0_hR`4#&dXdi$o+qk9%OS87Rl|kp`*hMdkX6P=D@Nm<KDC~zuhF4X
ztZEFdxOFl}o)&JYQzra=>N%QR!pS>r4ONaXjkjMp=`i|1EE!S)CPE`KbGT8IY;gWI
zA<}Co%f&Y_gEAwMt7;OOxBx~4f0p`8y3ltTxFrRtyH9{TW)2I^5W#*wsN03nO-Yk!
zgNRTylXjN{GaSoYi*1@t%f=iG_4)rp22E`QOoCC1PtH|9C_U*_w|k^!U}7&QUlqK5
z!m{nE*GzZpeYKfa!@<NNU-~|T2MiN3AqP^UqEMpcyX4NzL>n{uhQXt6i;rcSg3$?p
zl^tIRD9kP?`r~;5f7m1|v=FL}q2Az`()aA61alHC`(i7u0CJq5QckNe=PFi@bk@8O
zy~2&4!uOyKmQV}Ib}K|NZ!|Gvk5v<h%6wRa3^lT{HW^iOxtM0878d-0Xt43HFs~G1
zF2)qc;Cdz_2fa$fK{D)-FbrUGm@NTA>_reDA+#$i8bXt#Kv5O(OaqcG{_+w9BPMad
zX-Fhatt0oio<8F35-%g=+U^W^4vrU^87p=ok`Aw|g$aockx>tmGiHI6nI=fT7_;oi
z4d03&(qCVZO|e3l4JMPa!(tC{TTTZH>Lr<it$?W+xZ!ggQn7U*V55P@-hU1L_5SZK
z`iA<N2Sx$HcRi{qN?d{<0x2DI#Gl7KHd7CD+IRM9A`{kAh66kTP&=41ExriN{B}7p
zT<wX)hOHGN#UsLUaO9bBGSWY~XVJ1<c?#>tk6s?zM?#N6@Bj|6+Y{G(=zbUG!kHhu
z#1(PA#sF5rj=p{kX6j}p?S1edIUuM>x)+3`YTw}_NxlzvS24)oXpR&=0DJiYGcr7R
z(lTxuJ55$Ni)2i!3D;^Kkv$iqYH<=I4pfb)+I5Z+tDTk@=@ea5ONdZ!xe;t)w<#+A
zN*%bBVzb<;UaTH{%IrEY_ZS=~p>(an)*8N|dxzx0X%Z+9vte)pd&=4xiJU~vR32tX
zVMb$0r#m(vDgy4EM0OK6H9FE1iPN3-%Rl%cAiO!=Ir1k)2}m#z;OID!DT|}PZ37<b
zk~pIk;8B>dn0ZH_h|DTCVS!Q~KdE3-QX!32bE+(9lAy>4s@)PX@?1#S@vRPu@&-0<
zl-A9ezX6quM9Sl`!S)Q^nN~{&C9_5ib@{npNDAm83mFutNhdQ+*=bwg9>fEgcA1MU
zXGX$<Xo=%6S}X~NQmJ$G90VMN8}%bfX><W9eOM-Rv_QLK28{EEjJcF>nr_p<iY`e}
z*HUjVG7?2$2jM5PU5Fw@pQ=`EMo`4q6}?EUtBb7tE{ZVHLA6RFsg2jk>3kwNu`DXG
z*4cJ@>Z@F5m=%8}luk*)th0h2=sjFTaEE)pmPHbP*<#}QSb4`s@_UnDVO$95Tue$P
z-Drn%R%JPu1JW0bj8!psC9nZ<p6x=Z9A`5+M22WVRwPjlBv}s$Q^UU2Xr}8ON`spA
zH&wJDAZ+87zKj=x2$?U2s^fh`>otx=s9;}<k;i91Q)v1C3m`?j!%VoMpi^OjckO_?
z&Fu_^%LgMq92(hkpHv=BN2*lHk`RFxv0qEH91E<ys4;Fcv6$dMWww=cOjtzQ(3H-=
z?4gl6Wet)B_{=5%baBX9u_*!pNQPC$yUZo1Sfge{xS4iP9ELTQ$>oS-yX*4CqDy5b
z??%aL$y>9=TC|~)RU_myqS#BKAtC8~`Qw0v_Z}=cJ&!P^fx7u<n9?x91ER_-VL;A)
z(K_<ewThLf!P16)CQAX0WP=BG;LWW}D?yI9U4}KG9h7P(n#<DM@xF?j+r5Z3NPlHC
z1zn&z1(hHM;b4`5(~+J<v-1L)_|#-2$;-Vo+A#y`OTm^A&tyRqH+K9l67ALWJc?1%
z{naQsPOo*RUaCu-)UW|JY0D++m2Gt7x{Y=_fr2dkH=2PhIkm>PywEyiMW6v}7(sl;
zO|=}sGHggzGQ@;eAWh*#wvxNrd7+6f;;jPP8wDa(BP8q9&r*}{roH0dN*}r>3n@}s
zobw^|sp<sAok3R=C87R<i$Z=ohqAFj4^n`aN+%_E*`)-CSf}uhFS)S}RpBw3Ti2i#
zL4ZJM`=Cz*26zrx1{tYj@<qTUbs)8+0jgJTg1K_pv#@e$PC;P%*B~4sT6;p`>RD!v
zo+n=|h|4u%rn=({3f-5t!-2RV*cK+}WG>W)Avg9rp1Lu9#%gH@ayEML7t;q_#ekZb
za$*$m`LA{Nr;>%haqkN#Q&3>6Gh=pa?wAD|07S?bwCy(i)+oBUq*9AzW0yu#&yrM7
z`QpzCO~lynJy}g)tN)GBbnn$tOS;kXq#Fx#hwvQ|?p~P44^H!w)G<<Z7loJS^adbS
zI>DkAr9Bg+j`@bg?BF90WA`8TH)v;WVG@%L*f#N6Mwis&A8GV8Ab;wHKrWs_jvrOD
zbnL5-a{XmKxOvB`?w*za{vEn6bK4!v=nfRs6zM;g6ri_u>8HwQ6vYT5;AS-B1E5?r
zPd2}Tr;-3DKe?a_ZpC@F0a_CM(Wkch)YMJuEGWC@&=Z;;Za9${=5VRIirUkuy`9TO
zrriGFD1~V32wA!OYLG<tq~+7v7qJb<Id-lcbjN=f^R?*J_d$-1GDZ3qv8M<XnmikY
zqzq(Lj^H2wOjs>THk~mqe8M}T*>G5GJwO<>InIC#HMu*~TBMc?6_^fNBGne%K>Jfe
zra02~AU8TOJ58Q_5VbV(ml9@&)yR2C*J{3vHAw{zM8KxW8_yLbdvjdVVIjb8LZZ9+
zf;>eLPG(f!G9}wHUi3Gr!-{7+ESpbKQ7f7WNHr?0u@T;NmJPLh)6_R~S9(e%M)$)K
zYf`>xIlgIt%~ChCqC>N^@*o;S6ImWzX9!f1HFy#>lwzCCiwMfupjbNPn|3M83PQ|y
zsSdsEsIR>Y-m+#Y{owsPaLty`FioDY1Euw%yh%Kn0q$`as7HTw8>?C3oMal@yxdWM
zmn@&fLCs4+5nzKYoQLTV)JBE^AbA?_c`7Yl0I7U}I9h8N;c*a0AiBzPLZXN$SsyBa
zjRPzlG?rUU`P5Gi2#u@}v(8!X;|YhXg_4M-6Ib-ba5T~+LFS)cNk#ZyTUfL!;}Xzv
z7=zO=&6d8RA`Lnk9x{%e7-$C%Obj##u|rkHWnYJNU6NdEG(`Nw4d`%SrPZCL;tioy
zB#6zsn-|i7e#g-j!3(tbLV1J129cJnNOnavnx_Eh;!TSKxW`gB+Pe1bDwwK}_PB9S
zz=oB%t)(>wn+Hi{V^-&(**(z%E>3GZ!;tiAXeNX?q5WrfvQ13GP1|nP9tNX^r+qEH
zsMo?9SQ=xiJOzM^9%NXhqOAm$Cp3H~?MI9x0YN>L%_2pCrcYB~=I)ZyYJp7yH>jh6
zz2F?x0Tdm7kswqnku4I9J2u8O=@FMsRUBdwJIf}{!kD?kjQIovMI*^j@Y-GZGB$)d
z12kW$i}eMAr(oDDuyZ8=oa~H9nXHaG7X)9Jd_bj7c(%n*6qB$<4>RpTUr9j(HcKjo
z9iMP2Zy30#|7Y@8wJAb98o3pFZ@*L2;;~dTQG<OU3-zX_$<?h_2}a$Rs4EEuDD^9?
zq`|1{?Ne;cT~$<9cA{mNuBdgcdIuY`2s1u+|0E60TuRcb$vIRz<`DrL*lnYgJrFV?
z33rws1dXZisQ?1<{7oQ+O5M^abdX&f;EI2?6F@cxt{DpTpjTDG$W10vbi$$Jj2cQZ
z`CI~`jN*?kt5fwW1;`OYl&S{wwl9d`D55b69+)6oN`u<!5HYzhR|<r%cZgOSxbict
zQB1L4qHefasPSl0{X8s?%AaYM9DS6k+wLGPBz`;uwsi}53p5t@extm0o6CtDh*r8p
zCqQvQ45wj$nw#iYL)4$y2vi&sD2=Vx|7cJOpA1M!w;Ed3L{8V>dNBJm&Jk%*jhoL`
zj$P$|{Z;A!v)_84xaL%4$9Pcy*d?Wfz~NL&b-&iZ47ibhrFLeN!8hV-lBH<NDq)ym
zYhYn!%BlM*02kn?H+I66mAscJ*ckXmz0TQ$u)1wVNeG3uv4DWZx+8AzMAD{G$PTf+
zFcj^0EbC~Esk*<AVzw{r#GiqY+ep`}arh^4!Me0_M(R#|`rw>XaHo6&6wo3>Q2{H|
zwk<D6_H-sD1qHh6Q8@81Ho#Hm0gfu9_M~l5Fg<0s@_`XSTEHG6Xl0vCrAIj$T8yAH
zE!%TK57}P0(l!xq`NZ%e(M^*40xD$Ih>kS9d__#x0?i<dDtoI97PMZ1*F-%gr`slt
z^stBXv?m#ei12_Cx&fS#5r#wu;UZHE1oVs*i=z$zexqGJ3vs%JpzWoXtkEbDlKE)b
z5Rj+k2MrX-&?cZ1K>9h_k<@~Ev)l>(#0Cvm?dVuPAeBD>C8Y<?;>RsF-mk;w@lDzC
zTE(Wz_E7uteffON*Y21-bmMw}M-<5w3^hd?e*;Z73&y@@;tl5PhKPtAqs$PYF_a~p
zGch@ObY=WWn{fBzLue1drJ$-9Kk&r`&+LT!)+OK$SFT#f&}@|Ig@bg)VGR;aND@$~
zhl@%T$^6`MF8N;cKlYEDa;ARTIih+wg{<{3NQr?-O3IXo?pMp>i*HUBv_=v{xWqe^
zrBfMj44ss1X_Stf6|AU@7ULlM5Z$B<2$hh@+tCYY-gbWeP}ra}-6P|amwqTD#%^r#
z<)$cMwm}>Zvo#Fp8_|R<e<RmCF*7ik5EC|r490FfSPl}wJKZMz>!seyO^;FmmS%lx
zOq^t`Ymw0D8(Kg#&K?n;7NpEA@ESFOhXY)aoBxcI+HFFUqR?z>RLz0oqbf|+lum5(
ziaUbr=%mA+!<r4T4Tu3C=`6`Xi$;4?OgYuY#@BvUK{vay4#;Sg*Kc6$8<w>tQUL}%
zv1i+I!0O~^$Tf}pvD1MT>`@JigtpeJB@-YcPZ;*KJZcj)w1M9MltWEQ19hygDDK+D
z)HFTN2v2JOIffw&B9V7NG#&`*IzwU_YvXfNNZ%?eO?^<;@uBSiY92>pZ4ay806?hl
zW0ZlAky*7Ds|Rx#!m+P!*GLrwAycypcmx^;=yK&ZS<U@sbX`Jxkcg0E#6XRl-}j~D
z<=eOT4K!44a_V*H5d^d<0ciZJxc8b8Y|Dez?#=lIY>*sErk+<;tu`+R&LmQShr9|R
zz<%>c9Vt#QQ@wN_PE(L%ggn4A&ON@jPW*w-Ge|&;)WI(|Xc?prC%tPq5Y~%*rRUT-
z6)XaUPp%*oRGjQ<#IkIJZAO56Ma<zVVmyc$#WULZB{v6If}0Y#coX6lcWAb-{{hft
z!xg%#dpZi_dAwW=N%5Qt;T4%E;=zv!r<t@uo$mx#AiK2!N;;K@RK(JiqRTRA12SyM
zZX$3unwvyayMqSzicoRPHd(kchO=raJ-CE4dzvuSOm*R2B%?6ahzlb95D=(VY;;Cy
z`>#b*r(mxP&KJO&HWsUn4_DGnhlN0*)at-}gG9?&5WdJl!&f1-lXpGQM{U$Yj$sHR
z$W4L(qbPy8P<D`HX!YO=po?rD-JSw<q(_-(!YD1R&-~xIkjUj@p%y==2547A3Lh?#
zW7$lJnG=&#0%T8zfmKf>2EpzPW@u5`eUA{pG#HHNw|3|9z?f#?0_%K;l|TUv+4^Ur
zQob=wO@I+8tBT2AjP1yDy0}=1B1HwURl%e;4jBppm|1m;O|7Bf!Y|uaCagLNW~*GJ
zUBsN4h%z;oz~Puhbr6F4Y`pr@vwwoaCLl?n8^E%<BF8xE|4^y3lx_LGs^b9ZQPBjZ
z8!uNDNsv*-q{mLl=M&uM7H5oFlU96KER((1{OLRHO;-9yD_gA0<#{8}$(R|cS063W
z5c1vr<VWX3?Wyvrs*vdEJ#rytC>AcJf-k$Io-q6>N|OXcpHXKA%=EnD3>bS7Hd$ew
zrfs$*%w?I8s<*xb_R}sCly>ud*_mX0x)w3BDu{*JPBJV3=5oshO*qR_k_RQ|HekVV
z0t^{2yMUN*(S}SP{nL4ph#=VH@mZN=LyDI?qd_<q%Sj|^tD7KTXZlr>J^_k@#nUi7
z5tdo749Q}bO0a3p*eMzl+zATU>4g1E%bdKim@A2sCMOSQU(Q0yF>#5sMuKQnq8Kh{
zpdnz)5NMAr$se$}eX<pEc9P$I&Bj?`9>{E9tso{Lf{Xw{i;h5Yh@aez0J7R*QQDVW
zC^VU|M_r3YbOISZpa>BmDh#kEaX2mrLtfeMb!Z+#fx#2lCRqa77ZY-1_Q6LptV19z
z8n;QJ9i2->{*guBuDDET`9*12;YTMryFbcCkfj5yu5`;bivm6IMlWnYh4lHvN&mW3
zpaazOZ_b7Vl@T#n5VPDL=MjxWptU-gnMea$oUqMR0ZWmYT0(4@ea28jWgNCfmbb11
z!0!q&VeNv-w1+1302z?nL<@;``+te}q)MYnQoNS->@JLtUPKGyESu)d;*;+<7K{0F
zuw4ossJ?>i{h8F*1lKr;L_6sW$a=xqu5{^hY8vQnL?>POm=b2gh$wPlhe=uq^8u)+
zv3&WrYv!n?R4dJ4^B?{rN(57qh=9g#0C-hw^9y-ws{jk!cL2#|IIsh@1KbHxK}o1^
ze-)F#Qm+c&4%!VtL)<bFFBrFgyiS{Yu8<~xvPuDLP8AlKjr=c`)p#`Es0r0g<!~Hv
zmC?+9g#gwyJ17H!qS#8&v!aoFn}W63g!`DPWDm1_JgT2pN>}jEsb5$Z&7Z$mH^bh4
zS5O~LrU&NJ28FXCOHvjwCEVwq7?QRp|3<%9U|+t<eudUS?b0n0NNbjdWrCs&NrJ)%
zHn|DF_h2+h>JIeYiQ>R<M)YiQk*FOu$q4BoZU<T)9an`!c^k)p5PY%3jE_f-`}s<)
zAF<M4N-Nc}N4AW1qnLNO<p>f*+`U%FoG^$WDdpgd{4{_@*bsT5&fpv0?1-R8C`Uy&
zLQ3tQd~^byg?xxS6a?gL$}!5|VYz8#fr@~Mss>JMoy6c(qb5-fMw%V;6dKIl{`ZR%
z!$^G$QVKj?pCUs`Yy<9SNY%W3bW>QTOax}H-9kE31bD@Qb{899VvmkM0TS>w&_um(
z0A<y0n2<#kfKBRRSyK1u&`L2Ej}~{T1S_Qj!yQ}>zr_%3Sg2V(*1#T54}FTz56y#M
zK1f|GSxh)=6CdVf1c5tCt4Y-ykBzhKDbY@~(82^zi4?T=;p3nO=&}79gF&(ZGSE;R
zI(=4lPcGTZ3_e@xzmpN%QE`_F2-3g_U5$y2h(A!&s8LQtdpH4*E9lmyT{?}SU3xRG
zN=d%2TEVL*p}`vbwJ!WGk!QuERp7DAf+R=Mz)dg^y%S2=`!Tklr5@Ajzcc<9B_+lQ
z3GOkBxMNsx9@2mrgi-TIIQqdFq{U8*cxJ-n#U)P$g&z#sc{I1$b*2ze{-y)!E<9kP
z)>R^ak4yyMc_1g0tZ5+QJ%~vOfw8{vpqzcowN5>ky?m<Dd<P!H3VV)#=K!={0~~r>
zsw}1yeXBkxfXl#aC0fM>5$Km4ECSOj!CP_#CRQLIfb3{XB<fVkx}c4ChE@|0x2r;g
zJ~k8_i%r+&EjQv%zz)+I-NjrSxh%};gN7>qVAjN%1E!+yyZ|n}lzYdjpBw=N0OZ(F
z_OovLd_=U~eFb3{+?_Q!D3}s43yqZNte$AOi6o{1gdkKev%+j$p5X;>Vcee;lb}uM
zdx;*x!wSUS%Y%cv&mBI46V8tWarXPXg1^S3(vl&O;nL;wcw05au4KL;c!`)(lO?J5
zS-^pWfh8~vD!fEyVc%EA)0{`)9!%idQR|$%MwP2xtDV@-MzIJ&Rl8AAbjnif_(zi7
zHpHhPd7)^4h-I)1W)G0XRyiLE#}oJBfE6~L5sNKH795BcY*b=9K@ikHzeQg-5yD|q
zy%PiZ1waL^^z4(%g%-?pVpT$3?Pds5221a#=!mt^AvuZPc)|%%kCr}NCKNa(;Ql8!
zt-pwPs+p>J0ScXqO<+%k-%yrU=q&NjuT~?|ufgJpTmHwGb80Qk;9+tlN3yH5>TLxc
zK5{t(JZ@Bw;hsP+$$;)maPN1Z%or_Lp(k28QLmUtyI{4t4r5a<@M8COM>&9or~M@D
zVNjcQWx6c7K5OG(EWRRA!KS#}rWn0jf_@tB{|W3Yx<kN6oh&yTmSb3RZFf2dCXW=v
zb&*(UFcpd(gFQ4{K+(w+9x-V-h|>(E7HrCfE?r!9Rt%Xf`apPY#b=}+3!C^E%NU#V
z;XC9J=K9?a(i%GXFmdUVI_K+>*erK;j#l!+t3^ahmWmxK-8%EFiU;|$d@n=sGFrK5
zQS8Un9A(az7^!2x%m6fVa$E7HNq{UUUH{a@sd=~RyBdZn5UcH=1B*tbAV#bpR*Ugq
z8eGn<>9J)%i^sS~P!`{FU*e0RyWT-Xp<AoZ_OV%P!bj{dTT{O?4!Hj%ZeCs(bR~Ri
z1sN2-#aF(|_-f@raoN-FdKQ%PD2cnOqFpGWU4vdE0to7;Te2vBRa%U@Dyxx#f0gL0
zIWrm|p46MsV8QQSe-$M*3A>Dvc(9vI<nPLqrOu+gD5<=Yb#=i4$wkL!g>01-vVr&a
zvn%gpehIVDb^B?$1bWM^R?_{l8UGujx#YrtEVNE8rGnn5l?y!yQ;!=Pv##osUoX0H
z6{={!WpYSli~uzL7D69qM@?4sRBdyiQ09CTD}HEYyH$I3`)>G&Q7jpFP{B9oW`Dn&
z+9}sPj5k~`a<t%@B}1`o2fZpK#~XaCu$y>(aln6|vEj?iw>ZgJaw*%Z#?5GO+7V5w
zk}*>ugn`-dT`^NzX<y^rHNa_Of_eal@s+<-g=GUpW=&Csty@%N%*3!5(9@2KFfJI#
zr$S;i2^TD4pah|c_Jo{=X)d0v&I@+@a4$ug7o^aMU`6N3vR{_Ys!t$vSjzi4r-;Eb
zYAFAmb6T7x^@&#SduJ%JxE%>Ra`dN1Yp^XhZUlw^!f_D)W=h0i49B_O^QrHM$nP>&
z_&4uHW2PJmcGf3H30;Eju^B488F1OLQ1!HB%hp{y6&z=98BvmM1EZ9<8=d7C9CQik
z4U)PsBQw(NtV)?>>}i3DsLcr`GgKvNXCzHpW;&}QV@w{%2Xevc%6dOdA0Bj@wy3cy
zB2s^FIY=^<Jv187sDU)g3Turc^f`H(<nlDeZJ2|s^5CH4Dg~$Ylt=6FH8U>6H*`jU
zbV0&xX~J0Ysh*tcp=8s=5an+N@I-(ma4*mdvCvg^<dpSx5s-|z&n@&?+`up_kr+#I
z8yjNbKXMf-PL(U3grbzvcOiS`w&@nr58oeW)Qbi&P#Dv%Rq&4L(}S}89?AsF<7>%t
zlL^2<u84s?21D?@D}Oi)iwYLoi!mGuZlnQxp6?>x5=pNwltDomVpl*phzyfDP9;tc
zT{$a9Gzb|8VT*3VhY3WZz82-HNS^43(VN5ChzcAyN=$}GrV+64PlrvtOTi~k_{pEh
zUb!N&=Efs7ymUU!Vu~b1mLJl&ZiA3A5CmuM8wAUZ0aprOJbOlhIyb8bHt<n!&q!-1
z*35rRJFXs(l7Lef1J8665Zua1twsp;h7G1A)%1dDLy~Y}c82|mWt#9EcSP#O3AYFP
zZRLm<zS;mJ6nkQnsmMh)8rDb6$++83NeRGVVUuTNvrZn=ba5wppt3Z(m{rlL7!r70
z$QdaeSf*sl!)>K%|HVcm2GnwsG*ualf^n{xGGZ29(hr%2N-MMlS=1cNIhg;W(@_pd
znTT5uW*nETe5tf)inltO^S!6Lu|Tf<`{HT}l<v$eX33<8*t9v)el@xAdyRadWsby@
zI}GPW#K-m(!BrnK5*-g~_AJO3QLn>hi3>a31sy2tDC7il-O-lE*9#1BIv^_hFkL%C
zVPndux=VrT(*a^xl^6jx%xjy3-~n~mOlyISz7&!t3fVJ`1K}~!fm$o2NxOPJ%-I^?
zzd_$vcmsC*(-#Vd=MEfT&ju7j*N?g>QtBNPV&Q!L%ZFi9d5mf$UiRKgTq86}AXQ!|
zk?UDYLqFN(vS4pQ70sTyKIxqHY+DwIjSUt;y;<Q+i{Pe2#FxUE+*o&2Nn<U>K1h0&
zFe~l0rHqnMe}|3$y1Jj-+{Fz8R{O|tWFJG5WRgKxNFpE>GjXZf4+)DjFk4mbmG{#7
zc9F#(hc$^0TTV+x4#D8UJv9_AMfQKyvN$pWU;e~o8vv?DU)6CudJMrEaVsPHIVpy6
z?229>)*mZA$b|YE=88rJOKB`X1#eqSh^UD%W1pt;6D?sAHXxAXiT*YyHuc3A6Lkzx
z1U9TBwEgl?o@f&*ds=m{wI7M3F_HW?qO|9ut-`e-lp4V>RrSVdkbj<CgnRG60I1U5
zK1yh`zMGs0_L>78Uzm}~){s)v#?q0cffUz~&cibcFKru_(v5I40?I-M{V<|lzS`Pc
zk<4A+Z@S(djBI{=dyjJe4x;Sx4m$8RYQfIghz26@`}gggy32t@eaOvE;QW{aw<tVo
zqA?rKPO};iR_`MZ!sg#d|A)FkA&N|B47;N4zi@+>zNM7u?Wb|{Z(xt@ha0QzL2_qy
zMb#E6sc`hDRMay)^e3pvn}c>Wb}`VP+MZ>Ol8x9=KqP;5`BhWTJSM>n0IWt~;1_pU
zKw0CJ)kD%NcIvijn1murg3Y4UTxi0Z48VpSbr$hx;>XPU8W!L`W;AF?yz(#+l)O;~
zsuT|i25;Esh^iWWiB=J2AHbHt<C<wn0!>f@lDB}sm(tKpBUD|;*Bz2U?qg$Q9zguO
zkuoEj(+zb|VH$?ErvV2kJx8HycDiZg)q&GE!a{j!F78iBiG3>^WKU-eYPrE=NPxO`
zWeSP6^~v+232jsvT2csVCCGJtCVJ}^si=q@LDh&dSB`+$h<1hq^D&;^9c6gYU>}>I
zArO=zvo3CElSKyQ0;_MXhJX=dOYz*0t&zo_d6LX~^xq3@lIxxgK)@L!>&Af;g~%vG
zXv7+!%0WI#eoW7z@Hbo+Kj*rriV#;bns6|ABFJQ+#t0u|PVwJzAF9HOnqaIYjI}j4
zkQA`o8N=wYXB|6CH1UKRc$qIhD=|50N9|Cv#T2X6aH_9S#Hy|i2FPxZ9q5Z<q^|ma
z0=o*P=EfTVF78|+Q$nUdjxwWwQc<khqK(_3wpUwlJ|Wc__L(;Ni*DGf`b$dXlJf35
zFHQmrM*+i|OCB}7sxPJp8A&x!QXGc)aqM+<<}zjF4K3@$m+W-b5KV?Qpj}$8b~qsG
zlzgf}csd=C8<Ho7rkE@DX`evfh?kPwl0!OsL%1My$=GHf!_BT(h{upZrA^4XY}eZ0
zBmv(D%;VG2F{XK!{?2$*XdTy(tt4L^22nDciU_mb35bt85xyA&R>Ak0fNDh8fb<mq
z(HkF*1T~N@_rec4F_WTD5_k&(-OLl>$TlOpBwe$35;)N(E7~B+5<bg^Y?G)TwE(<8
zEr(o}77E@MMzR9Kfp7S`-diU*n8gXBX?$>jhXqk=_8>(8QXLUU3Ux;9KrH9`d_n|p
zYQE-LvCPJ(2fG~(-*jv{ado-bewPC$DhC=*Xb#C(1;>#<gs|eW+d!Tv;qCB#JzGeq
z5b|O}JAqEX5i2$E=8C5u3vMHBmjy{;Q=xj@#g3hr2nI1vhy<HnLlf*6iXia9cpq<x
zN#4zUSjjog(i(%ULt|;8oQ6At=?PN`BStJ{r(yaH+rkJ*e~5VUEMq=7HG>1Ewju_d
zp_HzB$^mq0zF#FECm`MqOd`=>W^TBF>gi;l+7N?n^!Lk@{kW{aBf5Y)UjAVC-tzX)
zBTSezAdF3}BSSg!h#v`aqF0$=-Gx^2MKD+}yrP@8yp{xEMQIH22-|e}gW08^a`-UQ
z>k9E*8gGr!ws9-(jtNIx?duHvdWw}QFyUHkeS<tB8Q{e<7<e8afl)!Cp|BL&wJnEU
z!=d6^FbmUa!_EgL2-@N7T>9ig{_MU|fxws)d3~L5K28W{qY5figYU){O^)Q+#=2-H
zkh?rH3(Fw~i$R7@U$SsO1tx)pjSo;DJ&+fB;%K7x7>BmSFJV%x5ew3tScST=>jY;i
zUnZ-HdIFH6D8YKUMUp@kGY(4Ou9Ei^n?stQ%3ZETo0I}M(C&BE$kr(TSfYxc)S##X
zwD1gAiN6?8g;AdA6)!>3z@P>y-<y_0jlw#5gJi1LFu>E$fj;FFP8mT*1oLgsOM%K@
z$yGud0GgZRrp2*w5*eB-OIUWG@yr)#bczULjt0p#pDBX`VW@arl?I{M!Sv9O00GG|
z1FFnZ01_h!-lpOqfT%8AR9=#st6Q;@1QcVfP2OCwwHE{O`gR$3qR<SxqF$I=mVb-4
z2STJ9q*og{y$*)uVP4q{4yrcB9%$$|3dKC6p6vGh=+5-(Z?mFY>qA2M3S|&!*_OIj
zPI7g0VkhtsDtP6{&BTds&ln<P<jWCzes3w%NQ%SQK`9CEI>{*}5?Id&fkW15ArO5$
z*GB^egs{_tzU1yD?*w6)Ch!eG8g=Yy8&>^NIM{^Rv?;1WC}2PcBfz;amJ77mAlp?@
zRdhQ*qqB;iDR@l{4O{t=p}h~>IF6(zBlM6`e;mf(Y;TSccM$Cp98v-P86QeWZmmH*
zJ!zs^(slP>0*S+2Vz7_Jj|_S$6%K@Sp<I?3U^0jU8CMCQ-3)p;>}imA$bkkMCj&iF
z1s!o<^-U}vxJVes5o{DB;Hb3Ofn-=iHEYrEj8+B_<$A3RFM{jnUE<l*HD(%h&|He@
z!4ki?PGKN#&fzhMZvlr2PL7TTQeZe~RGy?Z;c9CPUzIkaMMNP|FcTmCP({2rUmi7a
z(PSYK4q9rrjf+DpfmFK1w7>MeH;gnv)dpn6R!p?-l6%@rq+AEY9TfG(*ivH*##tP*
zfM>Dng<wWf0wM;q4ztqNiX;W$7&(X@xXZ14thX#}b#Vg~q}TE>1viEwN_sfylTh~I
zp=QgL3f)Il?D?}}ZFtJpt<jL1H*8a){b8J70=NCOmxmLzo5m*`%1;T<2*ofMF5ZX_
z;0q$IEtUaM@csS98@<1tefci?My*RrZx+{!U19%^2r&tF1a=4UyRU{2Qxb4{I#(G?
zS#Hkmf_!H#p_0|QQJ=;@*HZx|R602U)+zI&RaK9mrx5n!fk{fnAc!R6eps@6LUZvB
zYU63gT?y%iSUG6BxnfT#Fa3HNcP86QXxHqyCR;F-(+-bBI{R?X5Q&~DZL7jgPXaiB
z^+(>diQPQn_=XtBaxG9(zmSqwwq2E9T!JPnx5H`g<pn$t^#U#^EWu&Sv0&$Yv^9$q
iXt_Z$tsCpcN#Jg!LF+iI#`||ih0gpG5w}*1gp)uVV=3DJ

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.otf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.otf
new file mode 100644
index 0000000000000000000000000000000000000000..98dbee74d5d159649e4de157068c482dbefb60f8
GIT binary patch
literal 235128
zcmdSCcVHFO);_$aWKMeTWzM7#(oRlGLco@G07ZfXq*&mP1c;=OLQ@obZ(y(3d&7c?
z1sgV0u!9Xnz;^Au!0%am%{dA8zW4pU@Auz_KJ%=Z*|YcBYwf;ga$2TMYZ38cmC(f8
zhWgg#4)d5Ng|;$N2oY!u1gtMh2mC@bbqQtLCrzyr$G^QXvK05{3XzpLzNtBI@>gf9
z5b6Op3!yzbeo9O0W5>V0QK%<8FBCCteCzavQ~$iMT&RaE6yku{Ev;4FISJeD7ebkW
z_~*8D2m8)D;G1e8;=U20=GcWD!S<-FD~50n=b~mIE<~RcHyz=Na9*^qdvMtWZLh@%
z)tn@RIkP*stj}>7MWsx@!RQHgcWm0Tkm3ho59sS17~J=$@Irrt7Z!99LX9xvjDM|}
zlW@Q<Lesv$74c?t=BFXvTf6u9$ZqWigw=#fSMd+eY47j-PKd}WaKARPTgJrq<k4}N
z5K{ylg{D@hPlyO4bdEX`=Z7&X#|p1fimNdWP17}1)#nQJHzYth$$#}t4K2bF*1mn}
zxBCoAQAvWz*V9eqd-W2K1)X3A<&p4HeRLC`V}j_jWmV|nBwN-*p*Yo+b&)D=wdDvg
zMm%oIhDa7a+Ok8;Rdid96xm9<Ek}u1<wRSK5n0MPwj8Hiq}*i7@giIEu?(eRwZm;$
z5z*Q#TUJGk)@I8Z<Q`krMU=K2`BU^L<YtF<iY+U`)aTi<DkAk&wycSOewHokVzmCc
zEk}qx{a0HyL{Y?iTXu+z5$D))r0^Su+H#c0G)}bT7~wT8v*kF=GG4Ofc;S!wf@S0@
zGdkCn6_Fb4w`EnNM^CV24f3(Jtc&F6!N%Uc<^7!t77kiox5r&UN3T5kt@`%fc^y{k
z@`1sQ?g49JPg`$)UvGbKu%q1?y>M`_Z){c7(xppXK?>$->+P;8t+1AM4lcB&b_{g%
zFF~+CZ_l7L8D-ykyR~<yzpdjP7qitG>>048^!GOOcC~w5Zm)YB6|!-Bmu})-CEdjJ
zmWJkkd&;6aM|SiNboTaG{P>hs62>j;9c=6ESz>uyZr7Naaoxd19le9|U0t2?ysm0j
zjnD6{`Oh@$*gFTTpf%VZZ13m}_Ajz}=l^dO=<Klu7j{_FdpgM;t%EQN9`9+d>g~6B
zai`yE>mBMD?C<OtaQ$~fP6-ZmSxqi$0)qaJCLLVf*D-A&G?S)m?VUfkG}zx^;X+qu
zTSw0T(jMw*M{1-@>%>V`OJ7G12cE<MDy)#9JT8yRl9AcZQZ&IO!OpJWysi#*UC;{D
zA7KRt$6B^J18x1CeS-t8fzB>hZ~ua-mcS%ClK;@Cy>kHhoi{`VfnS0>*4y>1*2LC#
zEHvK}TPv&?6Q@mRnLf>$Q9pHR{p4vAn_I1xsa9jl<fe(!Cbmq*S-`5FJj*(4;^d|Z
zs{=&|8S7Zq*WWQPV8O1P-F;o19qlfwwWH&|XV{vLpk$7LzK*ue`JHW6SFmTnP;fy<
zh1J*5-`zPt#YQ>{M(pl{>*V=@-X$IVJ)J!ZtmP=H*3du)6@kJ3Fuv=*Tc))uIIs}8
zU(wOu+lrDT>s42M*B~NB0kML^;)2$W{?7RbJ5e->UbK(PMZf423&cV(h}P6A+`<D?
zgk|pt*^jIBq8-o86CIFS@$>+m>k!>wOH33!q78TZ5icEs@?JacjF#~a;`&%oh5wey
z|6B+Wip?dT?8d!Pnc`AtHHfDyF%|I-0R3VKjucw}vG+)QCnJV#T(zuBXwxf(5UNdd
zSXsg~@*K~!B4m%$atgxqiUyzyv3U{FE%QANd27P;7BOzWXG2f&bCuyIIeZJwoA(R<
zpJ`d)XO5Kl7(m`A2W0Qz)Tbbp(3Nq>c`tHE*6cyPEqH}Oy3j|}K)-I}W)b3|F!OP>
z3o*`<u~p-&M)-sup=<Wj>%Zk=gx!!%r?gQJ(xCKUJ5r(4`jMW6^ycIEe^&-NWsb?G
zRCcE0j6BR9ZH2_8g~}0msvRYP$`GZ=&yY;^7{XoBtrO1<Ah-WF+Dt(jL$I0!kGpW3
zV8=?e;Qw7I9Yophg9g)(AGX<WsU(ZeM?6cV-6*#lg1m&%3H_-&Q%R=0kcBC4A<ML)
z9!<h|i;SO2$#Be*_KSgP>A#mKDklVMgl7Av8`36-auq~;T{zCek@Os{byNZZu<a3G
z^2}K9{?-{lUdRi5xJ!PZQr!h6uPuQ0TJZd&f74_*C;!bx?TCfi6pDEs>=P;>TwkbU
zP+hN=b!DPxMNOyLMdvt^EyoN<)8Nq-l(A{JI|Fy8;=g(^8RrvaZ6)hY#l1%GWRwAV
zVxp9(4wB|n$|s9i;KOi-!jQE)pw)0`>=4V4`+i&<z<*Ry$&a0=FMY5CmCtsW|5iw3
z-T&_%wor~Z*3h#9vQ)Go_W3{?VkQ6ez~V#T1xSbVq>|YWJ;;`!)@Hb7(KDna<%N99
ztr6W{fYhj!?MIAMUl-uoa$KW!l}am>+fXY&8vQ?&eAoX~nQ4`I8o;w$OIApYdf{Jg
zlZN}NE_kU6S6O3jL8!d`PgfV<c?w6C<9H`xT#b1N#-&1~`IIh1;&vW=!-^Pr%j=qm
zme&pCcZ7)&zu6%|^9)@4U;iok3jHMgY2#MoY5gGmME!F83jGG-ZGDM;jy|Mcs~@Z%
zqSxyUdZXT?H|qg?ygor+sxLFP8{3Qz^b_<aG3(NxTZAx#LqtM@Xb~e~MI2_S2_jJ>
zVXl&bc}$u}7a1Z`WQlB%qhG0CuU}<+qF>^O6}ci$n8FFq<%<H$eu_k~7$r*3E0>Bg
zQI5P;qMTNt$MB#Jp}wP9zgoXezsC3!IU6euL@RKVxLm9iZ-_s{@8VDKxA;r!Q&N;X
zC08*OOF2LpryQsptQ@7xQ-VsH(xJ2~tCfqDHOi&>jmFK!UB+$t&H5Vs7UgXHQT-A9
zF-M#u-PnQl;U432<74AP<0IpCW0$ep_}chJ?KSoo#~O3hBb9iiUtg&oZ|pR_Fzz-!
zGrrW%($ChHJ1#)qRwu3(_bLPWdHVVKDf+4UD*a^RJ%^^;C%!bEFz(dP(9d*S;<!}5
zNnfp>rk`$XMBjO|s1?VG*<yt_UaUmPzE)g^99|<fi`T@f%6Lb-Bh8WF$aLg5vK+aN
zY)76WLFn<1z|}iY7#v~;taON&D^3(oi>=}l@q==rvP!uS`Mg27UwKyfP}!;MQNC7w
zQT|Z=QFGK<wNX7nov9wJE>w?Gd(<WB@#=}{Y3geAQuRvpTJ?JMM)iL6LG>~93H539
z8FjO|RsC4qsl{puT8d_AWm<*i(frzhT7%ZC1+^h<g?6HLj&`1Qk#>W2mv+DQtoFLL
zReMK!Pur$_pnar$syp;pJwZ>`v-K*yMjxxs(2v&V=xr!#Yv9$J^t<#2_4WD&{aJmh
zzD?h$f2n_`|CHC5H!<(<yeWB8^JeB9m3K|v+Pn>>!%Q$U%zU%hEH}rQ6U|n$&FnQ#
zH!n0VH?K4Qa4OCyXOc6`ndQuL<~vKB9%r4i-r4M&=setcgmZ>-mh&j*G0vc~)49@l
zvhz&m#m>u}H#l!|KIDAf`Ihqo=O@nZoIgAFS`I7S%C=0az#3(_EuU3wjkON8nyiV|
zVr#i|l6AIqfpv*>gLSiYn{|hEw{@?z&U)B-+<G!UB|jtI$}h+tmG8=*nm;@L*!;8e
z*A%D)MnOVBazR=_c7a(?UNE6xZb3((vv_UsgT?EMpDcc+cvJB!#hXVZjXJI*rDST!
z9#^qz++X_Mef##IG+3wy^=L!ZijCq;c>G7{;nm7o<vw`$HRUs9xAK+pv+}$0x0)$E
zJVl+V&Qgzshr85Xb(y+SU8SC-UZP&1UIP!`01vNI*Q*=Ur{LjD>K65Vb%!S4;Uq0n
zD};w#@Nk{&;X&!))8OF?w2QTyw7azjwCA)f`*~RCk$Rk-sAuRox?8W+$LTZmWAu4?
zzkZQ^nZ8!PQ@<B=>~Vdg{)Yax{+Yg8|5pDI9v%-5x4^?khCOVUv1YnynMG!q=`{~B
zr<ya(E_0Q6fw>wUUh5Q2)fw$fc4j)WotCq}S?2UQ$2uFF6P$-Sr#PqD9-iZz=RD52
z%6W?OEaz(H70w%-w>uwkZgRfs{K&b(`J?k!csSY0v~n#A9<H*y@Nk`V06aY2>azx|
zmDVcjeA~mf!ozpL!w*;wS&vE&r-wZ}CBHTQD0uiH+rvrla8}sE?S;AU@Veqhik~Rn
z2oJvu4=36l-t8)Ijr~j59)^=g{@Zu)zWMg~K_jn|yzlhAu{d_`>&3AL|Mddh`?~gZ
z?!yWmt{t@R80}4x^uzT@+S~dBZ4;g0yb5p;^h&*4FVPG20^PCi=Y2oz+atu@Ex^4T
z64D)eZ{2tHzO(k7x$lg9r|!FZ-#z>8+qZ1rihU>STet6_eUI#0zwfb7*#E{~juGNZ
ztW17c3sisc=@&b`*!JJT()G_q39%EJ;JAC|@jF-U{E%e&w{zRh&Yg>PZr%CT&fv~@
zJA?MsCwD%LdmDiDd}a8!=d6(Yd8-h+-`u_R^TWZ*=;|)Cp1U5}^}z1P-Lbo)cSr4x
z#GRPk>TWcsyY}wdj`*(HdHJsAcWuP^;$8i_4&629^Upuu`T0jee11Ey>GLN(zv}Z<
zpD+9LqEA~tZT__J(}O=f@Kad!)2TbY+i}Gw-+prQhp)VQ(Yw>64hmZ8y{d^8_cHZu
z^;a!X!)hnI5J0bbDELr)p?;j+rT6H4s4s)^-V%9~GD)F-`Z9e5%jm0RUhK1e^x~%>
zuB(7+LZL^pei`np1#Z;Wp&o`UJ2K3_%lhm37X4lQL)6x9P+x!7|J47E5D|Jrd_-bI
zdPF9MDuiqXKTX#o%m^!@AfhN@RK%Ew$q`c`=0|izEQx@=5v#BS>^8z>+GsMS8gq@F
ze^1%yGWxLMhkwRe04v4DM&o_sXY_`d=mp0*5QAfqW13^8<7i07Qb_P@k{$DK1V;XI
z%;YnN^avm6ievJ~P&jX5?0+?M=75Ly|L3qAqjBZ`*W)S21sKg>G-TXj+>Vy|W=FdI
zh;gibma$VmSAW!zfw9uZ#%QC|5oheuZ_!sfa*YyWu70-hjPb1ToW2s{o?47!>g1?w
z62@h-F)}+EW18jmnC2&p)2@-@n(M_{<6Uu&cvX&W-Vl4l&&t^tz5Rjl+g}*L?ZfCQ
z1>?6oIf5I9F&vHH9>W+eh*4Y{MsOX*drCh>ajR(@r`)4Fj<MA^@sBt_>=lP8abl{H
zDq58^F<r?J)0A{^q>?FSDLG<}k}u{e1tO>visO_Dag5>=-Aa|{QQV?e@rXXfD~6OB
zu}m2&PEZaKCn|@C)0BWXRcR6@DdWX&%9G-BWr8?EnW#(>XDf$`bCoIL9A&aNPiYYs
zDbvIy%1m*Ea<sTinXSwfzbYHV4a$6Rm(nM0R2I;vP&}d>FCJ4)5bKqd;z{Kc@sx6^
z*r=Q?o>op1o0N0K3s|pzMY%}4u3RFvD3^(?%H`rs<qGkZa;5k{xj}rc+$p|L?iF8(
zZ<U9{_t;_hPI=h48*`2OltJ;Ka-%p14cIEBUfiTC6mKh6iFcH%#k<Ni;yvYB@xF4M
zn5-m<#fncntgH}Sic4Io%o2wy3E~;$4Dq6Jp7NBkN!g6?#Oul%$`)m-@}}~Z^0xAh
z@}8<FFDmaU+l<qU^Nfp)H4cY8BF)3-G~2ksxY9VoINw<9a5@Sc#f}n3siWLc>F_vw
zj%r7(qs}qTafqYA(d1}xOmQ6Hn2MTvB<k)g?KrJVouSRgcyyLJTRlddqn@r#!T5Bl
z+Nw@dr>jS*M`09m0>&>Vswb&usB_hzI!|p=+tm(rzPbQo*iMXb7Gadrjj?R6+J~{u
zVzpl#PzTi^jBS@<+;ggWvU-Yon)bAwrES!+wP*Ak?O8ondrr^Op4Uz7MLl18NiWb|
z)r+;)_0ifJda1TWFVnW_<=UHih4z+SiC)x&@y@##zk0Q8x=-7#`?U}BYVAY4M*B#w
z)jrn8XrJhH+75jz#=GN;6O0p$lZ?}iGmUeM3ycfJ6eU^AP_o2KC0i^~Dn-BI7fX~{
zu~exOXDWw^vy{Wc`N|RE0%fYWP-ztxE7Qel<w&tcnIW!JjuBU3Z|Z7gj<{P{EFQ%k
z&*RETVuP|uJfWN{o>k5i&nah#mz49x%gP1fGv#)%Q@KOzQtlF8VVCU(Wj#iWk1Au7
z3&p{TA`VehQLkvC0eeV|N`z=q4AHDOL_moY<CQ2eL5UU<l^AiT5-a8@MWRh97VXL?
z(V>)x`O0Xq0DEK$l`_$(l#7#<262kgC~j6d#VyKl;#OsmxJ~I2w=3P^4y8xjsq~8b
zl_BwfvP7&?mWl_JW#S=ax!8t1v+c@S@e%f=K2~lPpD4G89m=iZQ{^_XTe(|&tvn#U
zQPzonDG#b&tKX>qQomKdQ@>Zw#3=S$^*r@_^#b)m^&<6W^%sm=6;0J>$1Xy>T8?km
zVuX96dXsvy=FlRw7|dPbw0Mke6V+SPTh%+%JJq|?yVZNtd$kNLQ+*oq8Lw8Y)o8Wa
z7>s(ys?Vy=VO0F0`jYyx`ilCh`lb4n`YUz<_p1A}C@osc(y}p1F4BCOUwut|U3~*1
z=&kCT>RamD+C=S8^<DKnjHtJ%+tm-$57m#f>DrO%C+ZIMQ}r`-r~0|NOWm#hp#G>G
ztR0{oqW+|fS1-o=>ul^oZq|CW9<2`}?v>hM+5~NqW@xRLnO%mN*>&nW+Mu>XTZU13
zvX-i)VLq0w-iNXLZR+iqhb`5XW8_|mv3r%~#7wPRbE_LMzTbeE++*7D+6h{}Hba}H
z&D6$eb1=huNPS*?LH$@8&=zBqPIK0a^;>n!Sur=I+3V>TE8L{7ajZ5r>bGHzb}2^k
zw__xKhcU`H6}`B}ILlaP+-W>+tT!Ij57gHin~kl;o0u=ZgTDF;;}-|EP-(uaYO3y7
zgY^OYE5;~={%KAeEE{OHunr(0$2SF#0sSO!Aw$PV532+c#;xFDhC$acZY1b5t|(#X
zG<u-E8T+~V<=`@gegn9iVZ05lVCXdBs$}TrfT^zsblU00xS60|3w8r_kPilr1;#;M
z3O;~gYzH66Fle+(IswK9V0s47PXHgnz*>sH+)kj^#L^CM6hprfjIj+tzaD%HgGPAh
zTP2K7z;hV-CE&RXtgi^n76tlWft414l?4g?YA~e@=+}W)GUSNyM96^gDR?adYZ^k3
zy#Sr!xRGJp1-^-4+y=gxVcY_?VPKq$eQXJREttXqI)$ZsfFm7z2Sa}Zd?&-8{81VJ
z_K$_Qn_=t(-^0+)1>eii9|hmXaAbfnUL+Wl)&mUVWAHlQL0lgVeu&|S13%0#c7aI`
zK&O1rtOC$igDDNbLH2x%VNh9noMFrbZ(!(WgP#DNLR!y&pJrgJB*aGGd7uV(!N!5$
zO*SThU$k)q_$A;KfXc_KHpo7kf!BfMz#BFw{w+3s0&lf(IrvTBUEmtvJqE^NLcDK-
z>`LYJ1Ax-`&<4f*k&QiIvLoSVfXW|$F&y3o06qtP2gr_ueZX#p5)Y>50VM_e1@IMQ
zvgg+f#R7i=e2eSjz~3>HgTdc36tevf4CN^BkHD`89|Zr#Ferbd2cYzW{{a4id@=ZM
zhH@$RABIAC-^)<QpQJZ{v87NT5~!Y|@06hD(1%J;y+>avL2;l@mB1RkK;Ozh8ABf{
zfi-@CzLt>+j$~jZSfKA^q=BOu*f9|3iy0Z<SO#_n1jf6JbTI5IZG0p+!A2%Hk%4^!
zp(NSJ0Vgx4{UCox<bz2kfZ7s_qZtKYN&}#F1!HSQA(+wt#Bty(8x`Pe2DMule>0q5
z_*?qC8=PmO3T!g4!Y?p3XSl%@11tVQA^iv*fOG<|uOKj{XL!Ly4D1XDj9VBr;86_h
zj|hxo7-PX`3kcLEVqC*G2wcXXHWA|-#vx$J8z4>tSK0`GT@1X(BQUREG=V7(0N(Xs
zy-D}+0O<-)nZ<~l@g&&K5T}EyZA<`D9sqF$xYou*@E9ADz;z6P`iOZ9<8UyQT|k@*
zrt(Ud0vyN?=YT2Cgvr3c3~?U#5F0JvdWN_N++c&sVIxCa0;W6@W&+I&aRr!cL^v9t
z`~%`LFy)Of8=(9U<^qQ@WZkB^MA!gOJ^|{JFbiYM2b10a^%<CvG5WxiPk{O^jIS9B
zz*8C2hhV(T7ywg#0O|uU24@@(K9WIgKgQ$?Dl?Q%fcgo{rWh;1lpjElPmi*33YhW_
zP~U)YJ%h^3u?(>hJjVu=fw>IoL#U0Dpt3iQLH&l(W`q3O&Y-?U>99fmB^v?Mmta21
zAU`f-P+x*EJcImr9E183jOiKVuPz4lEg0i7E(iB8sGq@@pFw`_V~DrFi)~y9?q^Vc
zgSjz-d^*UWz6A3I#+~3L4C*&9k6@7RmN76Z7MNE^$o^vmWWqxL`46Bz1oLkO`Ir0z
zP(On?72{#>DjP}Q3mM`U@M;F;+(KEy!0cNnYZ){K!91No*XbOfzLef}l%R6>EJMXD
z<uwM45f$<Qfv&&75UarC142DOb_ZzurI4)&<U_JAAl?Rta24ct7=rj+8&`whW6+pD
zdEdr0;B5>VBPiQ#Tni>Y0W@AvC_jYjfX^7%j~2>K8;RiE3_(8MW5Wmjia}#8<!c+{
zr=J;u$`{$1-~xVUh)cnL*q8<Wn<1zT_{T;9hR~S|@eDYNfz=J6W;1APrRFe{^T4$X
z<q2>j1H0`)ox)I_0w2LpHi4%CGm#$ZqY6FLqanWpJ{F*QwHXY55Xi<V>Jfo#tRin}
z4`kR??FFbze+*s*91j^bQ&Aq(6CuM+Dtxb=2KgKCSpb#4AHbIYWDnRty}||xjd~?R
zp*&v0AfK!7AAx+UUe8cI0^a~odE5)WpJAK=UdJ$yw)!B$AX}|x7#D*dWf*I~k1-q$
z@CE?3bVP!m0$?XcG?@GW7|>fKJHk$mcrePfx)s+i1CxyaM<$qb1svonvKQdU0)N18
z<bgkAIMTqBAHYF=CYu7r72q8V<4W+S4C4$i$}Pb-AB=KKFkoK|MV#Ppf)$3N0IV_`
z#b5*=I7+}e!%+&3U^vRb2E$PahFu5_4;XeKI8Ya~D2AgN3>y&~D34kU!%+v0WjMxx
zQN9VZ`mH4~9EX6D8IA^U3WHX%HP}(J5Iz7d1V%wd+15yJfY!ma(G16tV9G-ouFnKl
zFlbF(Lp{`>yW=RZpW&DTCjAb?^|@e58*p@hn;DJ;;2^`X5IhJB0VJ=m(G5P)20e>1
zCvhD3bQ@h@_>7>=0H0}NKKLx)99$=z&tp)X)GlDC$AB+nsHF2n43*-(7`Oq?9t^$-
zxC1iky>=%<rTpH-p!%)d4cvz?CxB632rB9I0PqZCvct0ss?*wYz{|M482k!DT?KxX
zp`Hrf47`RgCxc&SP@UJd09$c=Irtq0wGkTH6bVXen~fm&0~_<es0R{l;7@I|V;(C2
z2hNcXJran8{4h8UK)KRTZ}mhV9Wv~yX8@>AWG6ibsDgYs*bUS`{tR3TjD`F)cpNYT
z@(*D6Lx&$IUL8KrVS9=f?}<xjPlKVKL>9Q8p=|^Y*g)E}A4VYi(proJ>2eW+?5&f2
zgj@i1m_WAI(KbosfiGid&x0us1QWP|p}h#c(ndb`Du(tF_-Y#k;I$0$A+04z6oYSM
zkPr2nY>Wn@ED^Lfz$i-+sAu}U4Dz#npN%r`{S5NG{(y~g@Hz(V?CKBNr~p60(B1;C
zw}CcCf1IJc4c=hG1t$B#mQ<#6vK;|_)k!~s7a*MgDqlM3LGS?-7ocqi)AIyB@GgVO
zp#GkXYVi9E?L#odMW_KjV^A5@ciN~0?`CKpgZJ1N1O9@ceFFZ{MjiNDhPDIzosF^J
z9~o5k^`C5v6C$sXVH^)0&oE8^PXH#O{YN{LcR0g18Qj7!&{pJ4VHjtEr!tJQ!ACNT
zbHFnIlzZa>@KFroBJec~V<i~nhhVG%Z(tag2w@rwfpkm<gXZWa>L>y43<?wVltA-r
zGoB%ko|(X)Ik%b45R1SW44S8!7DM!d^BFYPG>aH`$4;0i#{`;Rnkb6|yniW7ls^K^
zFHJ8)zz!zL1cByiCdCDav%v5@f#z%`{7n$&gDGBs=3(X-hJdY1iWi_cnF;?9#D!q^
zj6m}<^B{(}7<@2;=4a+146zzq&!D-Q*}xEM!0<bP=51yZLtF`NX3#v$3^2r1V3Z94
z&B;uZ4T88Dj50!?`I$+&0<<=1l74`)7)<^EXsytk#h|%`Ih#T2h2~KV?BNLWXolDT
zCOrUU6`0ZnXdTg{^Z*5A(wxf>sJCX2p^z`;F~oD=HU{>DgxSTQbwsn9fqf!j_AtcD
z;9iD8zM!-L@fn!X1F)YY%u^U*C-_tb_Lziu8iUsR%+ndzcM>MW1<)FwNxlSV{$rA#
z0PzEud;?&AN|;m!0P!REQieh{yo{lY0bkBgD8B0$w3ceFWzgEXc>{yi>dYG%;t=pn
z3|hA{Z)S*k@GT5l!!vJXhz9U&3|h}KDgOZ8%@ro)8KAX2^G*id#1$sx8K8AOlgb1j
zn!)!lXwA>Omm#RE-N&HyKa=bN2$VVV0S2uFn(G*10{B6O5)FQcAtr(!X3!d;`3OT$
zeI%O#v|ebE9RV>9{1}7Q$xJGXfM^3#`2%Rp%%n00h<5Ok3|c=kpJL!$Rbf8OptUq}
zBSXvwKf|CkHS<}9SO9*GL2GR0^9->N`~rj4+ssW2(FuN$L2Ga3OAK)`_+<vIKbfyE
z#3|rc84CGmGlTXe%-0ySwqd@`pgjun4F;`qm|GaMUtw-#(3*$&CWH1Z%(ob{{$ak&
zpgj!p9R{t1nC~)ZPs4nVLF*#s`wZIOFt;&ijl|r}puGz70|u>mm>)7|@520uLF*sp
z#|+xXFh60?T8O!WL3<nKrwnBo_%jCWb(lLD%5w1M3|j9ucQKUf!MhoP^xDHv)`Gua
z2-4+C2KH@*`4xlq1I(`(*vl2>Hw@YvF#pBC{;n{;WeC#uI|lZAh50>0knYqj0N4i>
zCbb0s?ID;yF|ao*%%2&wZ(#nyz<#kXe`U}fg83T*d&t84ogqk<KNt#Z<wVp@1!HXF
z)u{pw$cWP!2}D6Y6C4dBKt30o2qZy9`p#q^4Km_(W&&A|*MPHuJjj=WEg&EA-{1nE
z1Y;*kb2Lzj>sN!zfGWtaztatP5C(cUy+AGG81NXN4q;$J=UCui$S7mZLx6gO$pAM1
z&5(1z6M%^b1DiMx1rCS&Fn9`Z1j0Zk=Tu+@<YMqFhWa@8D2DnZ_!tJw<DGLDG@p0Q
z1%h}Mx;p0p3m{j67XqC~>sjz|0LnPc^__jdV#r^D`+)(-@Rf5A7=pYPjPmVVig=>H
z%YfyOVN>S{;CRS|;1htAkbU4)z{!vg1fK%HR~l^LJPWuGalQt=2)G#6VGHMK;Bv^Y
zh4Tsk_Ez5ouLW+v_37Xnf!iRHJ#Gi?Lzqv%_X7_={sFv>p&bmSG6ZM`fKkT?8u{cA
zhWZnDJwqE0eiV2N@jxdh*?I%yv%ya=XidaPb_X=r&PjF$G_)a3vOA!WEjKbWvduFL
z4R&#o-2v?|@N*1}%EI#uZ4#LL0nqw{^F@Z%3VsQA8Twobeg$|H^0i>n2~ghwlT87d
z$2-xM5;XGL8w`#7wguRV>q+1@fwv&1g2~nZtxq`LV`%B%_knGQAGUUG2R?udA2>f^
z(0YOMV}^$E;Us?m+H&v?U?=1XFxoWdF33*sZiZG4-owz`;4gqL5kJ}QE8uI$@PYFi
z2CZW`{{^6((vAmz$Iz(E{>ac~fXT0bHVynULz@Zym7$FT|HjbffPV-6Kw1xi{{;Sm
zOg{OWL2Fgce;C>TcrQa+EQIA?I4%SyGidH>r2w$2ejYfDL33aWHYMn{f-`|E$g9BF
z4E;24E|7=os5h3$&`$?jKt8Uc9#{nonm=2k7&>fjRWTf^!LTX8*a-FlKCJ)f;A(~g
zWz4Dr#v;x$z^Eq#9sacrWYB!rItVxz*DnP(F^ng`;~6^YqJ?rypt-b#`b^O80QWHr
z(vj>17^i{<0qAR#fmZ@2LMDArVi;$ER{>|^x*vQ#Z~<h}<r0Q*4fqCzaS!-rhH)?W
zRsi`hP;M>K127%{Q+@zr9r$jBK|0ejfbkfZ!r{L0AowBRVaR~>D8qOhOyR)BdhnAB
z17$TIekT|xr}^+RL5D5#GZ?f6kZ&<)4Im$WB<P4QA2uQwDEs*?hVd<U3d7h8J_4AE
zFk8W`z--9RgO37^h5Q;AHX|5sfiD8qKt^3DP#MN<u)#3C1Sc>I)U$#lhJm_QkjyaN
z0jDtx<h3A+VZ0B{W*A?9O@{F~xSV0^0i#?HjL*Px8O9E9JJ5maAL2ElTmWr@4xbdS
zWf(t!;fLY}5eD_O_z?j1GyVXh{1rnN19i1{Bk&C5f54j<#?RoF8OAT*R~QZr3_B7W
z(05cKfIJ)fz{fEhuv1A2!=Zp-Z-VhF7`7`xo@gD&1;4q_KhxTeYb-Dh@&!UbB?%Sr
z{DtTL0y|J<|3cb->1bQPdyyW&u?AZP#{rA*>;^oDd-QML!@|qb{zpaV_{vOCQvUOg
z1JLF2+{kK?8(E{|M%LmhuE;Uk-^cv5B{#DB&(kAvdpi<x7k{0!H4nR9J;}y8RVX4-
z#EUeMD+)!K@Q5*(q6M&JGff<Y$q0R@xm28pt?u(MeZN-RgqM3B#02>nY|^}jjjZk1
z1pFEk!ao$DIPhw48eR=9RLT?&UJPzfCMm7TEM=~;2rmS$R8CXQ#Yaz<D%U8t;<ez1
zlnwYW=4HIR`T;(U`BM1~pFjPr3e};;t7&SkTBw$(ZhR<npxUG!CO?&#ix)@-@hQ|P
zcn$9&^>VyycMDz-d{BK9A3<%xOMY+TRld*EFYp@TFY4cT*)SR};bmwATB+v7Yl8>j
zQ>eqVsoE@UuC@R#@D1X1yOXsuv^CmQ_$caj?LO@h?Mdx<?Nxj>^PcvxwoCg)`$_vl
z+ownCDSDP(gwHX&dL2Hy3+PkudDO9b2R;ZGz-M}^^fUDf@ao+)copwX{Q-Qc_O!l9
ze+?hee1OkrzSO_hf7AEkmHdQ=v<PQJaYRLgFQP8u;D|uPq=+LUj)`cGSQOD8u{>f`
z#F-HnL|htiO~g$R_eMMv@l?bM5wAwP8SzoX7ZKk@{2K9(p%@M$-bgcYjY6Z$@EK!`
zW@D1kYRop~<8}OgV~Md6um7HFtj5c}Yw^1HJ;p<L_3s(uCF2d_UE@=F;m`Qnp*f-*
zNq9Nf=@^9<fc^5t-|>#gj_Ho09c_-|9DR<Zj+Ktn9OpV#JFawG@3_<Pfa6ie(~eD!
z&5pMm+Z~@ezHof!_|@@uq!t+!86TMwSrAzo>5i<8JSeg`a#Cb#<jlx9k@F+FBL^do
zk32c@%*fS|S4Z9ud3WT4k&j0{6Zul)>yhtAeiFGm@?ViZNB$M1Mny#>MrA~qQN>Xe
zQNF0LQT0(1qFSPkj5;Q&J!(-@f7J4*RZ(X~T@ZC?)HP8zMco<oK-8mAPe*NvdM)bh
zs1Kq(i~2I^`>5Zd_C`lU$3~|_XGiBpkB+X2u8BS{x+(gw=&8}OqUT00i0+9ViasIw
z)aY}fFOI$<`ugZwqwk4+D0)Nmv(Ya{Z;5^{dVBOI(Vs`}iT)<~yXfDd_r=7<q{cX7
zM#uPL4vY!Jw8YGe3C0{3(;YJuvohwKnAI`Y#@rfnZ_L9nPsO|#vn6I*%x5uQ$NU`g
zPplD}5StmBA6pjdi>--0ICfI(wAi_^ow18!SHzwfdrs`?*sEgK#@-RTE_Org^Rb&_
zx5T~^yDj$P*j=&T#C{+9Q|#}tf5$0tj<~3}n7FvO)VTDxtT;0+KW=nfd7LZG6E`NV
zA#QTqk#Te47R4=%J2h@~+%<7G#N85iXWV^pkHkG5_hj6&ahu{^joTXce%$uB594;m
z?TY&%?q6}=$Nd)fXWT#WB0eHMHa;ajJ3c?YJia#m;P?sg)8gmGcf}tce|r37@pr~Q
z5dUcW)A5_)UyFY`{)70>;=hdlKK{4(y$KNsu?Z;&*$MdxqZ6tUY7!1iXi7LNVQRvx
zgt-X|5_%Gb5>7}sHQ}6uixaL$xIW?5gnJSmO4yL_Y{JV4TN2(&_&8x#!Z!&&CH$GF
zBt|ACB&H|kB^D)?Cwdd>5)VlnpEx;jdg9TEZHdPvE>2vQcv9jSiRUL?l6ZCEjfr<8
z-k-QW@u|cY5;rHlmAF0e)5I?lzf1fz@t-6;DJCg7DJ#iJDoJuBRVN*g)R=T=(h*5B
zljbDNPwGw@OgcX4l%%thE=syQ>AIv_lI~7=FzNB6XOdn@dL!xGq>qw5Px?CP$D}`!
zMY1C~J~=HpH@PsmEZLJhCi&pxK=R?q(~^%$o|oL2+?TvG`NZVYlg~?DlYCY34av7B
z-<SMI@{`HWC%>BfX7aY=9m#u=zfJxn`R^1hB|0T3B{RjDGAgAq#h)@Rr6FZv%9NBD
zDaWRCq;#bWq^w9eIpwUB3sWvjxi;nIl)F;ar976hG3CXS*Hhj}`7mW?%2z2rr2L+;
zFV#qmOHED9Ni9e%O?9W%rXG~qoH{ABHFb7sFm+*SZ|aiNm8qwto}0Ql^~%(>skf!x
zoBD9-6RFRoZcg2nx+8T@>Nlysq^W69X^CkWX=Yk+T1A>KZERY7+Jv;0v?J4wNo!AA
zl-8fNJngi!3)8MjyCv=Zv<+#S(zd33n6@YF+q7TO{!Z7@qtlbpGt=|a%hEmRW6}>!
z52UxG&rF|_K0m!XeK7s_^i$H$PQNJq^7QM{Z%My9{lWCd)1OIyDgBM~chf&g|2+Nc
z^dHmz$PgKhjQEVSjNFXEjEW3j#@LMdj0qVn88b7284ELdGnQnm%s4IM+>F&3S7xlu
zxFcg-#$y>9GhWVkGh<uEXBl5-{Fw1arpR<;#%HEw=4KXVmSy@f56EoHJT&u&%$b>U
zGUsP@XAWi_pLt5=*_jt*UY>bf<}I0bXFi<yROSnrn={|a+@85J^P9|{GXKm{vLdq*
zveL8ivWl|Gv%Fb#S%+ke&zhVyJ?rSKwyfi_7H2KXIw|Xntn;%j$+|l0#;iNC?$27E
zwK40(tk<*N$@(yBXVy1azhwQLtz}1NCuL`5JF`b+S7!UO56li^AD%re`<U$c+1=So
zvQNrBBm4a9OR}%dzA^ib?EACVXK&1YIeSa?d)Xgn@5=rr`={(bbCjIOoP?b0ocx@U
z99K?l&cQk3bB@TFozs@HC}$|=q@1&IF3h<+XKl{yIrry0p7UJJ=A5^4KF;|f=ZBm>
zbJg7F+|=B>+)=r%+%dTgxrgPp=FZLy<{p>ZpSvRW<lJ*|*W_NEdt>e$x%cO;&wVQQ
zh1|`#Z{=>!{WSNB-0yOK&HX1&&x^@R&dbWP@=EetdDVFb$WM7&<VT)!^4jti<SokU
z%^S#Dns<EONqMK{otbxT-i3K<@-EN2I`8_toAPeUyDRU$ya)5v=WWP)I`6r>&3W(S
z?acco?{`x*W6TsY&nz)L`24roY%yoy1K@6Rsd=(_u6e0>y?L{FulcC?thw2I&)i{t
zYyRfcopH_#d<<OX^f?c}N20CHIr#jy-+7YrZ08#1wfOk=0p|wi3(hy3+nhU{|8o9i
z=~j}JV-;C0>i{cYO|y=*7Fxa5GV5gPLhA~A@_Vnf!Fs`Z!`f!;wEkuNl^>Cxke`)b
zkYAo(oqs@nAb$!z`)$kb&R?2;a{f8_m*iiYe{25z`H$y6pZ|LPd-*%^zs>)xKr4tV
z$SWu*@Dz+IXf9|em{rhL&|R>k;P`@53(haNyx@j{y9ypIc)H-_g0~7jEZAM}UBMrP
zT47vaMxj;cDy%K6FFdSpdf}YHuEHgSCl#JuxTf&h!rKZTD15x|xx%f5+Y5IWeqZ=U
zky4aYlv7k(R8>@0)L3+Q(Tt*CQD@OW(aNGTi!Ls@y6EPjdx|y`y;!uRXj{>qqMwTX
zDRvYm73UNe6;~FIEp95FTs*D#=;HaseZ?z^PcJ^d_>$slif=8xUw*RuLh<I}w~Ie2
z{;YUU@i)c47XLL$85K1uVN}*A=cwXQ<)f-cHH|uQRL7|PQ74Z&chse$t{-*Bs0T+q
zIqJnxTSt8`YS*amM*UHumBf`~l;oF`msFP=Tr#nwwd9zR1tp71jxRaA<ie6GOKvK;
zr(}J}GbOK<yi@W?$(JQRmHac>F*<2<?&wjY-J{2jZW=v#^vu!oMt6-~GJ4hMb4Fh>
z`nu7#k6t(WiP4)zZyCLP^yj0$9sPT$S{hrLUTT$=mHJB$DxFX|we;xH`K5iOD@xBO
zJ->8K>6N87l-^!?U+Kf8PnNz=y1De7($7l&Rr+^XbXi(iewnN6z_P>3jx3u~wy<ol
z?Bucw%dRWCvuu6Y#<G{nwv=rz+gbKa+0SKr%OlH^%AMt|^1AZI@=4{>%8xFeU*223
ztbA4ZIpvp>Ut4}x`Qzm;l)q8_e)*2_FUo%`|Eof;h^<JkuqsL`YAXU2M^qeD(O%J2
zF<5b8#hDcsRa{YVW5wMS4_7=_@n*$G6?-avuK2T3R2r4BmC2Qvm1bp8Wm%=WvZnHY
z%7)4bm6I!{RnD%QTRFe7tFpgxS>=h9r&XR)c~RwMmDg0>Sb2Npy_FADK3=)8a#Q8z
z$~P<Dul%_3^UAL(zpwnY@^6>wigd-hQeD|D%QebX;qtl0y6RmMTrIBIt`65?*HYI?
z*Qu`aU01kna^35C$n~h}Y1ebES6o|M@3}s3edhYo^}Xvi*WRj#s@STOs_d%#s`4st
zRbAB~RpYBBS52=vx~i?}xT?if%c@SUI=|}Ds<l<OSKU|jc-6C2FIR1;dar6n)t;(v
ztA4B6>yB{8y3^db?m~AN{s!9^_rdOf`*8O(_fhV7?oM}~d#U?G_v!BQ+-uxdxo>da
z?!M3ci2F(R^X^yOZ@Ra+cewYszjgoO5uPYdq9?~w<SF;mcn<VT@U(bldxD-W&w%Fy
z&zYVzo~t~!c<%PB_dMl!*|Wv-f#);NzdS#C_IV?{3EpgPzPG~b^B&-B^iJ}&dS`os
z-i6*??-K7y?`ht1y{o-fde?ey^WN`W?|s($viEK82j0)TUwXgy{^s55i}1zzQheFI
zeBWqam9NHE@0;Lj@y+&i`j+@k_Fd$=)_1$_LEp2!*L)xP_V|AFEB-`(j=#)b?Qin8
z_>c8>`j`1n^{@6{>%ZH--oMGe)xX34wg1;@r8>4cqq?BFwAx)gwmMLKc=fdE8P)4+
zN@{BAyMt~0y*>5w`a70%4E1!nJ&jEuPjkJS$;;$ts$m+#RL|7N)GVoipKIXf8u+<}
zn)==ay*(X^5X9{X&;xEyGX-&b{XY4eyQVSNhCh1N*w)$KHq<@8t7BPXTM()>w)YMO
z+wfP~2AkwLhvqch%}vlgIM^)jG;>~>WnP-YkI4rbSmg#*xq%;VV3iwL<wjPykyUQ2
zX%4IGY4%XYp}BwjuzKTVI^##CgTMOc9Y3t4mm+q%{k3kNn{w&))cGb1M<5mRa&q4K
z3G;&e69+rH+B+t4J|^xTb7Me;Z{&<L)=vzphg2I6-7i|V$H$)Xah`nsNz%BJLb@S9
z!z9EnqYQ=Rn0;&_AKS*yw()x>%Lrs90%Il*$K$V-arikKeooduriJs+vT&$pL9l<Q
zyDK<EiMc&Z9vQxoJ<!OhG;u0TtZfs=)x>c%ky>t#pF>uATNd{A_sBS!Skoqss)++M
zb5vZoP>iQay{Cp0_B2;>eAOI#HOEoSaa1?A%HXa4X3c7f+wJwRg=#p78rHV1d0HrP
zw?|$>K#sMBW37=-dunQ?OZQG^(@dAeXL>*WRNnOev=SGWCNeH;R?Ae!)By4{H?x(R
zYo>ESm>#xEGppImN;I<)&1{~4d&YwP;F69RGM_Vs^Esovvjcx2uybIRygzIBj!bQg
z{WvEYVB-bG%$Cv29$8X7&2_e6D6HEvhRQAcN7|s+d4rt&;D{E7<F4nDQP1r`J(sI`
z$~xRgSqE{}>+L3rYeWM-*TBy;@N*5d!4dT%Ko6kBVXKZ||G8`1r1ovYS#6V^Yzt?n
zJ>*$Wvzya&2ij$e(;@HRPh3*#*&*}N5q?bS+Q2F|u*wbmc!OPu?MlEZH?qo&wH;xV
z(c-Yr1Jw(L)mtFbSuipk)P3KAVJ*EBvD;lETbzZ%PfCrvoK77(&)cvNEl#H_lAW9n
zX(YQYHnRGS4V|o%O|Ets$lG+>ev!km>?j{+$ydE-L4QX_5B_FkduLmhv~!nKvkThG
zD12NlL(g$?KDL&R&E#h@`F%Yy0{K{=t|ydT6e`Y2s10Hj{B=D+`pdxmy?qNidO2sk
z|5?MhklMYS-MHF~Qxj)G);>?OtbHKT5J|FX)xO?veQRQ+o7lxo9H5zXw~JhJL;r9V
zs%!g0SwM5d8L#FzsyUA8z<>-s@NY)0rnu3(@G~`>M2&AS6df8MS;V~_j;@BIt6`Pu
zxJcF14oRmE*-qz*NbS(je_Dy_uxyIa4sp{d+g+U54GWj5=Gq~<^oH%y%xX5XF3qe<
zGwTxYES2rdQkl=C!}(kqYKNA~`^$&#AnTrH*_wEo1Dt4pJszlAA){F_vSy$iVmH=N
zSU8T<aC>EWLvdw0RZ~;o_EuA20NEF1roGkjIj`&}a8DY~%e{xUTGlgfoh%bx=|cpO
zO`KP{5@%!{kZk<Dw&!Hm;r2?;fjC*)XEmH`4JTVeMH@jl**cD_MmoS-!wJ=qMG?fl
zXP<F;bzD-U=iS~~&SouZUCYVVa&Bum*;-DvmXodJglai|wVYlpTd<ZBs^x@aW9s&f
z;i$)O)MGg6F&y<6j%*A^Hijb`!;y_)<;QTGvX?<*tb847U1!^xqpssP*{NRHXSluf
z@}5VI;N0H2G4tol$NzIW>CiQQ&LHvNL|1U4EK^`vT)@Mn3n#KxfI}q^B3BW*78-=Q
zf@E}0V?YX?=EgB0p&r4w3fN)1jke&&tswrlQxDpy2S=ukKc9=C9|8@hZugY9CaWlz
zDybc3W3!!Zy(c92LPB*&s0|5qA)z58G=+pvMjAr#G=$=52*uNYc<k=f6$~j5z}*pj
z6HaU`hx;d)1oco9lE(6OnqE#S)K9sBUHIQN3ilE?hsEvZeQZZ`-=X~YLizC_KV1X#
z_kvx)`G}>yt8Zbjp<^&OKG@wYJ>{$OH}~PsF8B7##^vV0;IxI{iE!s(!M?uWq+s{F
z_Tb?|lZR$@wsdz=Z$71S>cZaE&IR4UX~CiC{Opv4osA1SrwnwG^L_PoGM&NRp56gF
za+dK&km(x59u`9Wv}2do?N~?3!@)Wh@WVmM%RDH%fb!Db(KQ(CU~N|5BL2r;XC4f8
zBCSP~lP;MPsb525&(N~YUd~QmXaB<90m{x`aA=4l=v&y?wy+a&Z#Pnt&v4!G$==`X
zlN}+bS}Gy+w9{tU&L1T%FOU$*ft{|rZl^a=9u5}D=*Wlvr;vONt$)BxEeS|=ECHU(
z1$cxNa8tX2d$P9)xT#&i8MP}QIl>IMW#1FvxnO_?XaOG72e?lS@boIcqn`ke;{)8A
z20R?6hvW3JE?(B9kyCHv)V+M>wa@rDul*eB;$>ZY9E*=*;TcVU2NVIGi3NB}6yWhv
zz{j!h^en&wrGV_1JpnmH!6cRA^mCj6J`3=f9EKwZYvyOo{2V9G6aqXV3GnnGz`b{X
z$0q?Ep9ExY<_YjbBf$N9Kz2@^K#iR&n;^gm$sP;$>@!Z5M<)R}J;FWPIebs{8J>Xb
zGe8`f>@#p?2Vt#wW)k3mL4fC#fjZ8#?4Lb>I)1#4Q<r@yF7o4b><-yqdIEB3!V{?H
z$9dKfsOQId@)4-#)OijPsOQJ)S$VgdSp?kFV|fCy*9GyJoBAjeMd}(s)Qy3t*9FOO
zY``stGXY*g3Gloo(7^XR9JR-enj@24xF_J@GY?1Y;ix?vwOoVn1mwg3y6`>O+2bNV
z=jG>kB_hDHgn*Zm^|DHheCA^%e6|vNv6h4IQbT|z00AE-<YOgxg(1LW{Q%D}0zB9b
z@H9WbbN>Jjy#qYv4)E$jfad`LIVeFM?2^pN^YT%E*B=5r6A19!IMB?g%R!zeAjfQY
zoV_UrGq}jH$dMn;SZg`*!x`sKj{H#A`Ha^W0zAAA$YloHV+&#oOy1=6fdCKB1GQXU
z<fsYvI6XP!!x^V1hkQ8W6y%T(MUl^VS{vXwYd{XOJON%^3-Ib%Kn}W4Em#RT=)xK2
zeGJDk#x7a5H#wvnU!fwfH+lIhz{_6&p2G)t2py1vE`;Pbc>)=b(+Mo*ahw5;la~zx
zJeLmyIJW`LrW~cAa@is6iyUV?>&esofE?GO`=O{o<ZuvGUl7$>w@*62?W=7L_Vf;R
zbaiwF!-A_V*eApA(AHO5Eqf4opnIVnDAcbY7A_OK9vI-cdVuHZfdJQVp0@<#N&+&?
zjR#Np0=$Y9;1wwRstyuIW6Z>hivgbf1b7uD(8wllXtGs>x0}Oab091Rh66MXi%r8K
zMuD7Jq&F;La2mcE65W2;f`BM(5V;0K&H#}!K;#S%IfIA?U?j}rE7Bo;*=6Fs^ow71
zk~qU4mjl&@LQ9AFWw(j@(r<nbnG<JZ9k-uXNd3HQ;g{_ZF0xLtJ;E95B-<mLu?Dj9
z#TjcLyIY)bdS0q<IOFuZoSy7%-G13XgV+YLNyZtcC!1uPaeA^z#u=yQ=8-4Psb>Ij
z!g9=kGfr5JIdEnV`$=H4$x#SyuqtvC;`a08&(D)FKNnR$PkH>Z_PPDCq7m7ag}@QY
z?hQAn*b;^Ahb%8^q1#{Ywr@b-2YI68mpvNpvqG}Jar<SX0%GUO!Ij%Di!X=`)@Tph
zac)P*<3;R0NKJU1z|ZRheqMw1%ZAhKmxBcmrzu+ow_kQBAdX&kAvj}y$SwqD><`(6
z;4EYd2%IIJ(EH^;3isJDa_EG!kYym)p&O*4axjJaTt?(z3TIp<WvAoz%T5Qx^+a|v
zIOBZEZU$#;DnFMIIqbqk)_~VL{k-bnmjf-_<MiZOHqJObUW4%Sl7gR?BK*7*ft?+x
zE-yv+c`3rrOA#R3ySygh=T!(luR{2F6~fP}5TH=lP??k?Ik%seC;YrT;pdeIKd%h<
zc}c*}^KZZG3Q*WMvvr}wA+Tk6EyOPeSqR1xO)2nwo~rxp=_(3es0hja0O#x(Ig&yt
z<Psr!Kb&!*a-@&K$S!I0+IfP&NywJh?dQphpBK;l+==+P6Y=wUoL~0TD2(hY*|xj=
zvI|2o@VEy0DMGKuQ$xQ&<8t$HKvG}NP&bx*UBrV+dzlwvu~SO(@uN2^bS~j51D(s{
zg#m1^^+>6Me$Ylr_?;XM#0m7-#0d@B2@z95l4U|9$%Ldp36VevNtOwb#0ilk6Cy#T
z&<laGKuj@9mNAngW0nHNOajF$S;kBf$4rupnFJX#x*dubMDY^IXd%d0i78Sr#YrTi
zgupREkP(8Z;Jf80+uJOwGl+@^ep-uK1TTgFOjL_-k?JBYQseK%mKziK7iZLH;~v#M
zuTS<zAp1<l;*<T6w^p`QAo+N+?2o+7vOfY*T?EP0J#u~C>p=&G@i(S7bZiI?B2NPy
zovy+DMfI+Mwg#XPXabsn05Bey089i91r7ry0fz&Vffis2a0D<FXa%ML(}5#_8Nf_n
z7BCyA=T#*Lyn+H@#JUpBcwq@bXxu{&*$Z2cc-01iTwEGxLndhx7=a+sK5$s_h9!Sk
zstHSD!V=}2pQXIBM7ftzLpZ*MaC{Bn_!=lad#{)z`!U)x<_Kup*p{$!%n~+d=&{DO
zj`q&3t{{maQ;gV6mLcRK6z&f%=fOF=G-d0DPCFz~;=I2Mp*dvc=1|<t`<a=ypef)8
zGuu1TbTwq=;eBabWs8I@*ATW`Ls*N3u;m)VmP3PQKie3#TqBvl-m(te#kfs|qm64w
zBlfQ8ETqx!4t6NCm*VGrY`z4e+lhyEvqM4a$Oj|#w8P=Uig_thw7Ctk*Iyxoj5u-y
z7MDY1b$AUH7sF+B#44<vFN}0UmIzz1krE88#M<Go6pPxnpTl5#Yy;R9!rEfkran@g
z_sdBbQ92NwYBX(}gQW9DL=aX0gAD}YRmo7WuowMdFZwA(-d5+>;3kS=awx^gA!|rg
z{nZ@G)9er1)*n{iPfxal%4kc-ye<1>xg``~%ZM^+@6^-dBe#DzG1{*WCEFM-lbChb
z`DzO1rYUT{rm%WVVfC7%dLfgv(DQO1KO9fE<Tr&=!Gy+6r8%5RxbmZ6;=9<`35TmD
z9eBe(^k_9D%)9@g@YP|hs>7*bd}OCpO|kJ?03_^Zzt)gvq(fv#lJH(Y=;@lUrZuF?
z0{l=Oc0lKK4TJ*JQS|)60AHea25bqh4TOT#g!QShbBA!G_w<m9r-xiTeLofX6$1)5
z!o~I*2Xr-5>E(L|bm4#Wx!thB`*xv&REy9u-%WL4iE0C`(aQ*7Nor~DgHZf<TO)ig
zY^RX-@MJir&0#+V$cp@)0tum<j(A&vE|16{zq5dgvqE7<yuUz~M}(F7ju}oXta%_@
zE@U<2R~zu~?2y-oUvt1!8BJZd(AQBk&4UYZoHm?gdi#OHqL_vYY^bTRukoe@g3-PO
zNN!!&Phs~0lD)?OiS{t)f;`Hd44h5G;yXz0XMlN21H$1$I83I)%uXEa4G2h6=oFhA
zILdtvFt$2ywD%<-VZ#GQ?0JwpKu7XDc0M3cdLs;KKQ!Ws+#R7+{ehu*2oG(CPg-cl
zVfd6{#ma;oKNcs#Qm9s7i6VT>_7$E8l}lQiVBP$lPzlBQMEF{$tkUvCD4bnt5sO{+
zAlc&`NTK?MC5q4!;m!{W72#`P{jj}d$LtO3=MC%U4eRF(>*o#Y=MC#8yGdycZ&*Ls
zYw@+Pe%`Qt-mre|u>IU&{oG;w++qFPVg1};{p8R|rhzpMJ0DWw#T<87Rd-lbci5Ef
zu&SY96IMCGs=C9fy2Gl58#^p~gp#Wbt5p}yNT_CE0vR@7U04^ac-X3jhNqZ6hU2Rr
zz8lscH0-2hj?lAmuqm@18hFuqN9Zn=IP5e+og8MCVNF9_8?J@53U^Le@(4ZKJbX8-
zOMo;8cH>u62hce{mQ$wz{Nip0PH5tUqntMlw8?1`h-OU#Z8T}ZQO=nL+IY$|&?aY0
zI9-MpZMt!vh4$X1)bK7I>KLG3W*s4h?_l9{06WTE6!qdEoS~-*iCrD@2Sc*_W#iBZ
z!i>C!)6ngO%kjbuCDhT=PCK#?x^1BkKeyXsKPKhSGxP9X%%YA#`<8t+@+Ovcr6P0-
zzx7Hp=a9j$xhPErmPR9Hvq56RkswV6K^l*k%?HUgAS5;+gb|8{&g?|#6bkghVG!{{
z&D}vMvGa!J*}BZLbphMD%nRuPfpwW@>jJiQnHSb&UPzaD`{`nzg>=DbNSAqGUFPw+
zL3>ZHoZS<XT_j6gNRoDu0_j2m*+sI{g(S8MNzyJP4BI7q#=6K;)`dj23rW&0SQnu8
z<6Oj~i)5(_Nm3UnkS-*UE|R4#B(W|eNnJ=7)+Kz#y2w-3g+$hcq~8Aa`5oPzGKL^p
z2RINd7mnxva72rRBkCuPXsK|-BppXg({Y?AkC>`M#$+8wOxJP5gdNAp@`y=0<SFua
zggj1_$5wfqCXdtQ@kn``A&)cVah5z{DvubrNX?USn>=!HLk-2<`SQ3x9#Oq;1syYv
z$I0U&c|--q6*L1lqAucy<^;z+d0Z@y{qi^<kEl+#J0y=w<Z-DyqM^a{<?^^f9;v1D
z@<Onemwmmw(&m*LA8v26yTcxx;>iwsBu0_bgVpFhAj=Hm9TLcR>w}JMy?8f6-V3!K
z^t9cAkZ89d5SOEMX`I|V)Q{f;$K<Wf+tt}m-IUi|U(<(QOUDZi@}#c47caAsD3=jI
zv|<R7D>!cXiYU%_aY!z7BL-eglJ5rKo?IOAda8NKGN0bwLku3d5DSuvO&+-ri!-^r
z<dN&IIHN^*5N(x$XdM$I74XRIY%kv5>%wnwcPt(XcHu2a{G@filxZW2uHkKt{@!I$
z?ChD3QaiXDk+`8ZO8#IcUXAITkIRE(?JoS#dS_d(i&F8*JqxT!)eH=wb)r@u5w#Ds
z4N4t6KI#c@y`x>8*SUlJ{k=<vXr&D*dF2`P4Rl^Dw-E3Wo6Kpod>_JFTkXY9lLr^@
zBh_+o7O%T;kcL`$ubm%f16IrJ1H>Y&P$PGs@ba5HtCd?%UVMVk)w`mjXF&%g>y}#p
zAld=|$+ds4^pxAn%fDXv@;=VUVIaAP?v?Ltpm@p!U9Wr_181~e2x_FrswLq~d~ysC
zEkA}tDlNDs7o9=Fw>&QU7C8_hyu-KTE(KofAHE_N>wOqyg=3cb`!L!HUm;^5o*EYq
zs7VN^0WmDg1#ce)V&N-t<H?8dSon&}s}JL{@D(b0h`fIIinM?a<Fs%XG6uplj<~|>
z=sw<<0)=n!UZD@8^3dbFZRqoOZM*RPp$}tpwi9m+`gm*5$6JFw`TmTX7hXYBw?NW=
zyzmOQvsb)qRNngY@z$S@xBfu3p1cR>^9~z_w*!3`SBLcEok1V(4EnsBY2FL;@m`>h
z_nv&b_vGW<CLiw~`FQ`xCl{Pi82NGDE%Nb>5Gb4&ZwLAKtxmWI=Cw<b6vN^8PN+oD
zJ-aMQasOcMk-_YuM#1bdCdK`qupLWxMmQIhD5Q)Oho7NSJAEncf5$FdbZ0~Xqf=WM
zDGonVGn|eT_rGJOLw82hJ36(~k>dW(*y+%n5p|4`wd;@+ho8YdZYZZx4Bx>bedvx9
zSs5vE8XlxzKPp8#09};<+}s$t-L)8#wRO0tJLsVinJuF{d)=~B1)A~BgUii-|HA4V
zu!7bgT4;PH(7(v)op05*_s;9ET9*$Dc61L|6MNcv`}=zPsY$jvdn~-rXH7?QkF!?1
zSl5Bad)ljd`>kHw>9^X@?V*kB7;rWA_AQq~9t#^E?g~13<<bAYr7(Ko;9%d_s;Z?+
zm%4(ahzld6s?rK;Y3JZVYbrX>{v}8{(AzU;O%8T<SS6f~5|^Ey)?m+oHKo5-&7;50
z;m1#IpM;+-_)<wwN|go5naZ8`nYW+tcQMARE%+I=P53((McQKgwC~OM`xV>qW4=G@
zQTR#d8TgwN_vugRKStz5cq7h@SR3&S{+h&BMx}8%el+<}<8}N!h#&BGAS_3x<HyK~
z$d<^pksBgEjNB2G8Rd*RH0s)@^--@ztI-MgTMEADanXV3DbdG72cuU+pB8;x^pnwV
z#CT&4k7<ut9J4IugqT$^H^nNk1+hoP&WSxP_O{r2V;_!v41e9=W&FK@1LJ1kZxq}V
z_j7za{^CGG{H*v3;@8AK7XM8ANAZ6oh=k&VBNMvucLO#gypd=mrY4R`bSL&Do|Sk@
z;_f6h$${_t4@|00IxMLrX<5=qN#`fsn)FE0(@8JlJN;^Wqdz&hEqOumYsv2<f0z7c
zN_<K(zPVo`zpbaQ>Yq>f1>ey}r&_7Ur>;u9F!k!x8&V%geLQu0nj<YGZC2V{Y3tIS
zPJ1amD}6zFZ~9&7-=+VQ{#S;Qk(x0I-=;6lI6LFQjB7G(&$u^Zea5qy(fIznD6=WE
zBeN@WN#+TeYcuc9+>rT9=BCWoGQZCJE-Mk=lpm7SoOMdp>Z~iXuFv`)>(i{=Szl&-
zoApE1pV=Z?mtT#W@>}t<v#-m35Z{D<oV`0I3*UgdbJ}wTb5`V>mUC{-nw;n5_ukuc
z_T+q<^J~sOxe@r{J2$r|w+vr<PsyE`ds6Nhxfkc&o_kO3Gr6zizM1=B?l-wV=kCoj
z^5XN-@LhLao<DC~UPE4M-om_<d1vQcfiJf2&0ClEZr-<fznF>{X~vmVW`jA!oM9eg
z&NCO8{pQ8yTJtXR5%VeYIdcoX&HmWjY3{{O_|`ZNbT&HY;*0Da=YVq=eysOK=Q`(8
z&R3jU@l(CKoL@PAaQ==TWX`huR-HA$nvCzUXW@(NPHWIQ$vO>RWM5`oYu#wwhOe?;
zu->xXw?4r)*}q!*^7Z_<{IvY+d}n@5{^9tU-i7%q@k6~A;A`v$@;Bsf%6}{Wqx?Pj
zKji<K|4)Hl5Q86Q&L}7?IH;hZV0^(*1-%8!3r;IIr{J=JYYT2ExToNug2xJ;D%e`^
ze!)it-xvH+u(!}rm{^!rm|f^B^b|JYTkMX)zQW@R&nP^v@Z!Sj3vVsFt8iW6BZZp^
z-zogC@SDQFi;SY!qU56VqP(IKe2-mQbZ}7sUt}LqG_z<<(fp!CMSVp>MJtL<F8V)|
zy=PbyS=Tmt7f{_;r7hC7O1IU8NHAc|jydNnDj*`L2#Asd6a^C^DwqQXL<LbvDk8yz
zm~&Rlj$y<srrk_AGiSB)%=68A-tYW47vpsGuCA&bR@(PktJX@#ZH_sVm0jX^+VO(p
zUB{P>Uz|86!Ksc@J*P%at(-bJ^>7;KG}LLVlb6#ZrvS>$o=Mr+@lI=;Qk}A$ik*%-
zoprk6bld5n({racP8Ck(%xpOG&I09T>nJz7v2#1;p3Xy^J)He0H#^FCk#iDdXK!^*
zcg}Xsr~K^G&X=5TIp1@B?EKuh-1&?1pDxxe)m`+IrS0s}*rhpTYIk($y7khQyPL0B
zuTX92yS2;K0h@-_QDl`8tn6SHr99S*XCA6Ng+7|A6z@uVUg@n8b*vYw%4#xyHdU$0
zsw=(dud1R^{1tyzRjJ8($xLh2a^z!^Q8;<;#fy`jO}(X&?OV#?;jGNU!hlQ<kAOfg
zudKksvW87!YjhirZoIIegu1Y4%!Yv*$F29N<46xv0(7jQDuaP%EmRo_eKb`mT}^4c
z(o-d}^RYVC^!sP(Ne}xEN>in|eM6<E((Ah;Yc8{DR=p>leg7`M^!nBOQH>f-9NJeF
zhi=WAdEJn=d(GOd@+`V({JhwN1%?@s8?x^1XHC+XT2`D?Vn)h})yeYQ`+UNJCCe5Y
zBBEEPuU)n|ag!|4i04Wr7g>#BnRPQIuo7vg;vefdkN(&+;Ye)p+`?YWzmC#C#YX;!
zTol4jiU|#IH_VG!k+^`ao+m`Dh+dPb-?nYT(In%dN4&x<89Qm1zSo7|(+iB^p@QR&
z8T72bBC;AvZ>5hSC^eM+3XZiuG{G3JSg1wzjE3Cl#Tzz5W}g*@ADmjLIdMXd9=-*v
zrqRSH4V2GnWyUL4*4ZfDS#@d8RsD6(!%FQW<AN6a>G<t)!}Jl63qltgHO#1eIFEf(
zdei)xW~sFA<}n-JyAFNEPaNrOj91ag9s)HEljulMEmp?HDb0;an@KwD{dvyj#(Ms$
zF1yD)GKyTB>5(OyT~9C{ZM3W}iGN}KJZOtqY^?5dQToYjIZ4H;3EJXmlD2r*5^s+Q
z2GP`AV9j5?W_UHOq*JEcE}I{@!#g=ozb|w9vEzAB0f&rt%K4KcJMHOaQ0g{rqrmmz
z$Sc9}Q$PMx*uEGa{iL9<A)|+8<arv~IrD=rzYKgz_vB)AzunI%D3n==vVe$^-kzn7
zi4I;AY)~{q?lC>9edGS8liA_Zv*fbZe1Ui0gG~%d55<v97MQ)FW<(&gSBjou@Q&JX
zLuUDki*in_*c5eTFpA8NX5Q|`^_Rc(${Dmn9-A_LL#94$Yx4e_?C6kO<K^dkruWFb
zT@8x5+n{D0Zup!HmybmrofDuBiHe>u(PwM6m$82{-sk9@8J7&=htk6@*2=#m^F9lv
zhk6;jrl%cTApbI#Z@ISA<AZ^CtF`JSvly6Hza1a1s{dr5FRx*|5R<Ub5IlEX=Hu0@
zK@zi;X|-RgXqhkWzNRnn%28~RjI(=~mw8^4epcin^D?&(H2p3F+^o<u{=~!IUY2%L
zcqjj!{RSDuX;Uu_GIW{X?zlvLwU|G!V*TcA^x)?gPT#vf{BWOnvl8NG%d1ZCtnqKk
zJk@N)ttgP+oU(cK4nyXy$jO0W!2$kZo3cXX0b}{GIi)kM8$@O+?a$uxC0TB*4hfkV
z9Y8I81s3~IMYJ4i>L4f$STcWoZ_&B8de%(g4=YBa602e^N{NmQysIwDpE+>g#DFfc
zsM~Ow4_z6#HdViKd-CZO#s$PDwc|a#`|JB&3c3?VwCgVPl$Ctu!p^Y`g2*Nb=T#q+
zo;+)&QmQj={^ag`$8PGGo#O$eno*f-e#R;tGagr;&6(vfA#lbJSxg8IO^7gz58JeR
z&z^0?`}fbAnI)fi&1bp~N*QKQtem|Y_@;Rtjh5rpVnD#@UWVRdyqy=zZx->nE0Q;+
z7(`2EsKo}T&aorwkFF_MbJ%W$YPH82xAo&LDo5(D!7655X;0F@OF6xu--131dXsdx
z9&<hBa&LCJj#5L_TR9!mH>OWaAG>(f!fW%dExhVwKG9eu?vvUj^WJeGer^W0klaIY
za=W>_$Z8gyey~DTY*fAp(P4fDzv!KL3FfcAtSB1JY8o``rI6|F?iYAP(58$Lv|cfS
zcKQHG)}{;*WNnVWWK<@owJAp=(Vp!Va+xDdlcV+%OO4fCIJv&)qCBFUC!gqoKtsQ&
zsW~}2l8^7&laP=he^qPCyGz<n!=k55?WcG8GM0plNNiwudH3TJ_aj5HOx9At?gK~8
z>A!ZlrdTUN+kOiA<&Hlx#Z*Na8tCEKMeq2!7t<QGWqBrB-GH<SX~*?PGIt(0ygR@>
zVD7Zg=|=5~DN2^k%`5BVfz;fLboqh*iHMPUH@^^fqbAm!s6T&_Z^}4BeTRlhThUcu
zQC)QpHwUs{MGPmNxF|8O+9QuEHJZ^+l^U-`j^Q;g1Z~+GN&AAS>0qg#eX&4NLO-zq
z-<1Kc*i@!c6jArKxcJs<{o{bcL%ae5$9ZMXIFyvMY<ZG#SkUC5LB#AA)rT|Fcjg!h
zHqGow6nXFLnfrG<4|kh3J$7ced}(!h-YLVbZLxDx<oqlAws61Hkp{)Oe_O>yu{qoE
zo4ojuZbtC-lZ)h(lx=HM3|U*F{HM%}4wW@#g|jTqFn!*}qHwt%b3M*#@dev9ZQ5g4
zwf?0PkvPLJ&~ru$Z+Vc?i0{hQDw49cn`#hi#J}|R%ou2x5s|QHj-000@hjGCShmWr
zd()f=+vMX)t$vCtKYr%Cm>@&kyk#rq$zk-9MaiiNdkp6bQePCx4_IIRma>OQY|ky#
zL#3~HBKEgMCyXmpM--boN`L;a>JICFl-ckrREtK(HXp4gX02mNQyQv&Q33;6(%c5V
zXwL%KTtU>mzE;L+v#Wwq`)Zfh@*}H&;H>iUU3;^#c1>&AG&mqY7NeDEtj%3!FDbRZ
zu)d^e?*B{Cy!oGc=02&JH>73m|4$`zhjh&S|Ed_amWVD_ki)<8E2OS*q&BZA<JD}6
zWE6F4i}_heu`Ac<H*8vcbcHeI46j(kPY(ChyO)GrTx1lNxl3YnDs_grQcnv1)swRS
z*^@%*Ng4H|@V`9~nGI{SOAtv72kA1?w&!GrZV#LmI@5n@+RVK&OR2T@@3v`yf461I
z8tSL|?L$_F>3=z|aFa%bP7IJ)gOw+bUN`K^iwN5;mp$hX`VPryXHfJ?b$eyL62_`D
zW7Xv)%tAL|V&=yfxiEd-)-1!}oX~zf{iaQjHM+l*MbBj3bADj3yTLthSMhwgCzB*y
z#U)y>iUGyPo4(=|YgN-`yjUvP7PH3e5Nq6sRo8yHE@{gH1?{JQj56c@hf&5x#Oh8K
zrSHp^SCCz`TCy!;A0=k5^<>=y?X&<%yCq&CoA2^%r7N@V?8<AnGUj4AgUF$L%M9kP
z)R@JK&qz`X6}07tB^D5?yIQpOXg+CvF?Ez6&W|-U7FZ*a*qtQPBE>~Tv;0uqQW9V1
z7ZmT>y)Z0YEQ@^>catdcqT;~1DECP5RN5={%52sDxj2$lH(x(Sr48Ro>oi_@sG?g?
z2k(C<$}h~zm@zEXxTp;;?pnrFtP|ttaajWEM&izj#NF4jT5Pe3)nis?nBB9nNBVD(
zSE#k7l5Lq6PU~3>hkc5{sDzo7MY4{$TvuPqiW=)VEvTp5N7+L**JHKz>%+Y85kq}u
z{32^|CGFSLaf0@}{d)7!8A<!yetbx1fRA3B#W+4;VLY*U?A&#GWz$i`<wpToZjDE<
z7BAQ~r6X%B#xjw)3Sw-mB<gwzVnJ5s(ZZ=26PLs<Te?I(vuFR=J;uO`d}Gh?J(}n{
zWV)X>ih;|%GvU>j@8trk#q^3btM_w2)5x;=P{_C&zWcjw{yCnDn|B>A)PHr|rBpF0
z9_Hcr>Asv$A4`jw8W0gaN*=9D(J_Grb4GP8BWf}kJVVI>SD(1}F-cZbs*wpXLEZ-M
zm^~*+!KhR&Nhby}wLxRD7xwPnypu%>X1z<_GBY-({pTAyr)D-DckTO+pX@ckSQ0vM
zPjAD32~&N1<am`>)|qJJsfvBAY|pn<iN&n8V9UBm>&(Q-P7}Mhmfc|kWHyVIVha&!
zU!_phBsgH$u<2Q^jjT{{R&v$KfJfa}BctdgXdm{FMAh2SiNhv|wU~>jyR(SjwQBA9
z&17s?-IvG|h-K=Emv31WT5>Dm1bbGO?7m-E4ejHFlJ*0eBpq+WXB^Jol4mGQnc+=C
z9uwJdxPxB%xc#aAFWFw<!2aFulI7(Qi8EJ*t&X${2@Z_*H_#?$wC>uP+{_}wi5)&e
zWpR2~{wTw!sZ+ZyG)ucax}cfcGg3FCZr>yyh}yegnm&Z^eX>*BVs)2GQ%_!($LE($
zyKOjqIW^~)Jnju2;TJe(ieacn*0p&uJD^J1khEi$o*DXoQ)&+zAM7!a6cA_9w^0Rz
zhsKUxXx;yXTAas*2<uJxmg{S=mSlF=C1-ES+LT9T$5!7>0h|3VDRy;OdzI3UJ!G9(
z8LzZZjZvz{1kLrI<3l#atb=p2=j<85s@GB4tBAd>^P0ix3wvh!2Zhd_77(&2E9|Es
zmwjr+RfE`NL$g(VXb&)u7^jQ*UX8_Tg7)_dYfH9W(iczOt#B)ha|iRs;*;l-of#W9
z%e<X<DqNxkVb4`vCHJWTQ;e%$uxKLg|1CAe*}6-~Q(3TM1W#IgtnPoyP$hyj70YUw
z+DodF7nzOXXWsiM<Jcuy$7#IMN~Jg|ZhX9{tt2XY&Pk?~kz#HwQ#0Ci#;8~{yUjoQ
zp(E>ml3IyYZu8>em|2UX4U<B5oRpad@tvA>S9KJPdbUzW%r+_xb0qOf@qx2vJ@@zP
zJAU%ep+%Ff%B5D}QCoJUr)=4=BV~3-aMbK@S+hAKt!VQe+Mvb_Su|jrUNJHU5@mX|
zqEn{KnI7U59b~sewesBR%SZH#ZmSmeZr!zapZ?0wye{2_P(bF+;OsCX*^_3g*q3!z
zd`*%>7QCC%-8>Sq4Cax@2%5dIC`4|{T3shu_e0pp?D*AlXC_WJ4DtwSHBN3vc0mue
z)>KDed+w;-k|JL-GkC=egMGuHia0#eGbhY!vGNIVixXlDv*)bZ86%JQlyjHQ*tm7|
zX2a%{tbs7yFv2ThP>}4VSn{LTK=w{z?xm`;3NPwL1QfjYmt?XP$x>v=ikptL`RzK>
z$);FEP>c20HYO?-E7aoF)Cd;Bs<3gaidhe^QOwcOJgg8h_KmE{Rn~;HRIHCH^<^d8
zEP<}**to0e2L+*h`%d!fNa7}0Fq&i`sPxxg_mrMHyLVKZHq%BCTb<lmeE6Y$-`suC
z+l&f4Y3OSrX6n0m$4pKzis#IG)ds31x0c+9ziT})w>T!>@a5Bc)`hidT}~unaB8m%
zlUbCa(@meYCNoI>tbTH!r1W%#S4$_K3GT#GD%EOMXUnq}jJH0m6t`eK)O{TTyDn0y
zS&N;P9h1bdu}sx5!en4oi2PVj6>G(+-=V>cRH|QBI?GB28q1HCI##kv{rHHly~4Rq
zXiu0zs3eXjfo`&k%#0KlACN@ig!)XQx^RP8DWiEt1Ur-!vL3WEQCh2%7RopxUT3Ag
zigppSZGK9d{S`O&Ue)J^q>kHQ6qUkrQswwa)<n_<vp$k`-wgA?LP?x*>h`P?hMnx5
zZp750M>6R}R-+m7Bl&u0$Lh7IvN+DHRyuxR%}g$&_E|hh*P0AhnDEH$c#l+eQ@Xl)
zf6-+<vut%isoi<tv~k0Yw_ETzdD*FjhNBrF6UO@aD=N7@8U4(dHFcziPw?Q;p1bx<
zmisp4M;G1n`)ttYj^+@0GnH8rfh;D?!n%CF^Z7-;eTs(Q4fU~W&y!>^BV$6T;bd0M
z-4$~0wR~{={McCrG4_TezKbRNq&ZpaU0F5m7?}fEtbrwaLEY>{#6;x7LX;}ZTIuH8
z&EIpZe8rj1%qiM^-teYmv{GfA{G+QXVfND5bM(q|W<fvfX=GKcx{NDk+(Mb{r8j%e
zb@S+I&_pnNW4_--)?FxPO>9d@+_hvbG$tETFSl;xNE+73Y@i-u3rIk{x<Dq>t3hWD
zv>+48R@H(`s5z2e)ZNeIy&i=>dZ~Z0<8k3bW2a1hc&mWUil|qrW_3Q@%BUH)>>b0q
zckgU3(PC=}Kd8<ev|nlI$%Np`4^~|9%^tkzr$#=rd1pbs{zI!w#nPzwsaSnttaoSB
zM^d7Kf+A<R%fpq4ItJ3n*Hy>2hffcP40n??izQ7!SZHjZL9C@6?ah)Tt($iT`d{iM
z^HD>|p52~AYoPkXf+f+U6*R+`z~7iUc4uEhWYm(yG4f8O7N59gZQ@!(#+H~F$#Q-x
zrKPgRjGxg0Oy!S??3QG5CFZUAV=zfe7nS(!tRPkfvUovzgVmC>Su8@*9z3Qr?<)+A
zWma$BeP&i%F0&<zzMdsZq*b$F+y~Z%wRL{4)E?Y_uHR_+h%29(ox5Sb;rzjX-s@%M
zs45{gJ~%|LNH-l>J>wE)r5hG{;FQezs`|~JGTp<VQCjX5#K4(hQ~mTl+d|T3n<Zp$
zc$TNZBRHxrVP-_q4I{(?RxB*8tj08wvQimyN{H3Zk6k=#2{B8FGM1@Lw<FC<T}n&c
z%DmLi$rAlixr!Nt4@V2HtdV<d;HNJP4<nTwzH|3NxmPUTZ_QD!4+e$gl<xXMeiv=0
zwi?74GYUo-Mg~mn8ZT=eEhAnUaD#>?auqa7{;aWOIy<4etDIn?2;E~fzp`)^uGIXX
zc*x2iB}>(HG0(!3<vKQi)wrS5pewIR?2XRDFYU_BeR~fT9t?EZD0_uYnH69NSH2UL
z#B9E^`E-f!N~x}>8+TOdDEfzk84i@D<!2GNvv}0FUWO^YsXHU&&aHUgyz_of44MHF
z%a(}O-m+!_vkdrk<Y_Z1**d~hhgB8#(>gKr_iwaNMW$5C|KOt^X~p{3zxj!ex)P|^
z_qz+>qozStXY%}dZ<Lh?)%A^ex#tYZL#x3)2XDuc3{`cH_3;^M&<te91TNV$+cLQp
zb5$L9v|)Gh?hP4ab!?uoDQNSI!yW37HA1r(#~j%jUU60V|1xhz%=Gy)$mW=vF=uy7
z#)JoTl$K_iU%+eTORSpGLnkVGSCJ~0*<jmqtj{m+v`<-Eq5F>{o%R~5l5^oPv(P{D
zJKle+Prz8W{GeiEQsS~C!}4*y<GY7gYtqfOeYG1z!z%6*txKz)>k_NGqs0E-B(@T&
z>K4bdP-TdYReN*8m9G0Poy`(7N{#caSp%c^_1$Y`MLc%P%wjKy!^(-lUNj`uvbPOl
z_5sW#khVePq}{}f^ZdarscYGMAtrH-p_fP4FH>ai=KKUUP^qm9oS^dljeju3V`neJ
zoS1~gvGNY3E}yt+RpM&H&eR1yTjY$v;uJxpz02$bah*HQ=-u6t(pj~tE1&5fux%83
zP0Ol`VRZ%4>3-{cXoKk9#(}Vh2RDw~ESi?-yIB@<m9d8i@3IxxaONk8%i`C|e_IIR
z6-$%2K*xI1CRa<=g^%J&hEs3)YeKZ;tN5}eik9`3&sh<ssivJ#d-_v<BNL0M>nZK&
zPpxo@3z5>lFk3=!s|n&VW@Bo=Y(%ABDkD^7<2OmAJ$FISZZx$QwC7F>+THV?u^E!M
zLtUJfn!RgN{G!dqU9<&S8$NmMM1x{*Ywsk7v){;88_9aaNTOe8Fzug%bLm+wmSwfX
z@$Gouh}rYQ4U6Iu6XWD?nzh9nHYRK`Trb-8<e+@&8-GM(9<<3a83@q&Y^p06HNOh9
zKQ$1ek=gIUdeWAFAVIO$`6;L75h9>{!>XBo`c68@+UqV%A~~gPc8b5DoY#GnF3lyO
zpK*fsS`oD&MZYs`{k;{&d4w6%i0?VAuiia7<og1$W)G2cb0DOGJQI^#$>?!V>Ng=2
zV6rmlwPM5S{{wM^2y7<XD2TghS0gGDO_q<?fJfZUZ;bzH$%dFLbx+GK62);{F12mj
zWdO}E$_73q$Yj#&+!Li+_8mB|b;_vGv-~E>q_mnbH48a2pINnIizRVCt4ijWcxE#@
zD2b(M86_9=3>~j1jehAiV+^V7hJ5Csyp&^x6Z<2^dQK1SEca8mXDV&^gZ*KnMtTPJ
z8}61;=q`757Wa;0&CSFt#EO|j^}bIf@q(nuP2ZK19kR=hERakB?w92fRn@fmTN17(
zNf^ttrtC;jH+ANw%>N)hvi3NEK1S`6pSX|lZ`_9(|ABt!j2ZngY7Vdq0&UICn+c~C
z<GF0pHOuT;rfV-$io5A7uk@nNA7^>iGDmln1(&ihq<~K<W3DN|ye2no!X?A8+yl2(
z$pcsO!ErHW(_sgz%dd=yNt|ow<r&#-l9}hmimZ*Yi)U?BN+|oCgmW=Z)|t{ySw%MO
zD)Z){A<_SOLa<1$u^9qcr7mJ;9pPVXZZWGKCauy>rOf$Z<egcDTG5kQdcvHx=5Ec~
zoJ+zj!8d-0k6ux$HM(Q_^Gc4J^wJnNQ+Mefd|so=P1}=~7rMt!)|U8%1o_I^RNwTV
zTqA2zOS^L4-{+=KqhDx{uWwpVuB<d7u61N&znU#*MiNFO+G!%0)tkM!DMFkXzbI~w
zL7XIYQ36>%p%(Sk^=DtzfA`h)-+eVwUvoF-{I{=;Y7L1MrRi5eY$PdsrKe6bJ<|0T
z$Q3hq9{z&+JY4)n{wIlj6hv2MOFmdyaR+T>BjSdvw3Vw#xR4>^BHm=Fw{7>oZ};ZW
z+qUlrLLDZu9_HCIitc{X4v?uyyJ<)Mi+Ro*M@?XsimO8Zc(c7+NgJ>!CRg)}D`C2v
zf=%1RNZWjd9;A^!u@<bAlqPG-18(z+7R+5V*AN-8Aw4@ayJR~F0+BEcvd`ZM9BUw1
zvY{er6*E@JUm?uWp6$6p-^g|m33s#+b^j1A+b@tzAb}ujcCsdk*LYWzMz>GW{$NuD
zZQ&G28^t~d;-mNHUp}&BLEoBvBQZWiJWw>VfX$S|2o_65=RmUcZ!u>w&g+@SU|{6_
zi`%v>eh)$X-y|`zTo6wx9r&xNldJ>L>3p_WnABjVsV1?MXDoB2k4~{>J5n{i3Hwu6
zKaAf^rbqfY+Dw%eD3&CR>EEaV!ulNf`n2_Hsrt&?`69)gM&e$i`l`6oFP)`-fKJUz
z7WTrnkUUSq7j0^x_~^#1Z;!Z~x6I;$B^w}ixZr<xAqlu}5~dB5ovQfAuqBfW9sTyc
zlvxYKNok>0dX^7jO%J6fuH0=DpPGIVSm1k!@R~Fh_#=(ERNDVorP8oKvk56Oce9BT
z&YCQX6p0iGs}&9TDKo{Qgn~txM#WjRZcO5kNqXfSGwxR3Nj{vr-<Xt?n3$L(u8fUL
ziZb*a6V_|0JWLUIUqS}os)||H9n4m7Sx)P;RPdid##t!aL}b=bkZHDiek3wdi&I0w
z%|@;6(5m!(C5DppDc-B(C&~QtB_se;<UAYOr_~Z!!zta^0>M(TtQ^Kli9}h)S3@5v
z&FpzmU6LL(*(W5*&1@Q0r5!|7k#Is6v3R;i#t=i#zQL0R$>Op|(hqe+MSZvnt1jMV
zn`xcy#p=FSyr->)Yqt+d)$yJY{*&bucg-LL`Dq3zGh)Wh@r)fueww3mierxrVl&KM
zTv7KfKEL3i{=&q9M)Ahc>LbgyMoiaFpEc7x(WnWQr~^c{>XS?s)uo%$ir1}O62H!v
zPLAa@v%*(RF(~yXG*>uctpe7Nbtm@Xm8vT7`zxjrqe!EPy6D-fHqMrrojPUfW^xqd
zZVegMKV<qe(g&s*e_;l(?q4hCfu=40xp@!2ahGB3+JuBPvS=VDyDoIbnw=psY1D!N
zhOvH=yT=hL1(AEFv3MqiX&Ybd`*z?pTahgk2=sIjxw7{JGq7%oi&|{;YBIB?1#;67
z{Rds<<6`H<#TvpRH>B@L$tl?;n=#rSiwH>|q)=(IU@hy;D}rjR(p_n@mX6e{jc9w8
z?m5&f<kKR5f&dk?)S}5LQgq4g|B0sMps-S$A<!tV_I)zu+T69YC<JS9tOMgLSqJkb
zS+63AIEBb1O0X3RHf~For%_iHh>R!3p=KM>oi<`B**hZJ_Kmj7O)9(hF<T^RcA8bC
zNnM~sm`#|4W~*Q1FRx77b=0sqB|eU%*)vw1RyIL03$;fq=@FM+!K!|?Gz+xYWvrfQ
zO{B;j{bG64B<e(VjIeE{;|?-g%P;iU@ps9KMdY=d5L#9#i6@Hlw;$UO%cMGrb#%+d
z-4(TUd^vTe@>Zq4E<yE2(GNR5UR_!AL(eCw#I`0cFM4z+^Lfo3s`Rov#C&v>Ua$Y~
zQfZW>Z2TAQ5L-%(<8^H57iFnR^ADETWudI8m|S5ia=(&gbdp_@Sn!P-y+q}P+9M=n
zc7S1G)XwWaz0zt;_%i7%F)u;L`^`ty*acQiRF8}a^Nop3ToGdo7HP>jTass-*gTfm
zHi<B$M~W{wl6WdhGrYkz(5}(@%MWi7)@>g&BreepJ?4Lr#C)$oE**@bZ649I`PODT
zfPIqou(r9(!7Qo&1)u%xi4lKoA&3tqKd=?kOs+bn`(fTx2C9;hHzlSU#4^?CT@l`s
z{lnco$L-9TDEDnl3)|2vxTl)B2|AO#)cR6Ws<~i(*gINh^?jy~jocZzZH=gO)0tGH
za^9*^*%@BEN6LXnN1Q8})w=nk2JurpTDeRDLbwa`ROi3{S(3o0Mg=Cs%28fqmpT4O
zQ`*rr_2{!beL9M^Y@{HXu5uSDED36)gU@uJ7H3|b^nq7EcWfo(iEJ<lMjdOU64mcZ
z$NlCJ%(ED>p3kToj~36y>fRnc#Rlfd8%}LFx8c0CXh!K~8M^;O>Dm%X*Hg?;Gt1i^
zN^_-o_tA=_tRbwE8S;N)Ae){w`)%lL#nFN0f;v-+^$sTeV+IR8iL4u0sP`pXmP?pI
z4f0!*i@!=CN@vm@kBLpLk<9r)^OQv}hP~|uR(&{g8BSn&>TRM`ZRL<#v{;|MrJC1j
z2upe<iJNz)M{WwA8966p`nG7ZvbEu8(?qySt6GGntrwdQ^QUlt2c4)Zwx-rJEp13)
zh;cXQ8Ho~GLAt?4;V%-#VI#8YsSo^Uoz?vplMC*$$fbW{_+lxV??(G0gM+i#N$Yl>
z=DeGZX^FH*h|tYQ*=fuljY$}gI*%4@Z?OiV?FptAO^qcsI#MK`L?#J<G}$bR=8J6B
z{L`kK7u@aBrnN6D&A1j}DtC_FCh}8p;=j>14Zmj28gUm%T#?W>5-<%pMre;EYe}=X
zjD(XbQ*-Pxv$y;yHtasJzCWdvSw%c#eg67u0*Tl9BD1c?tW8wtga9*NX7gh`S^2Hh
ze+RNC;vKVaU_<G)BB#{6#Vl@Fis`4)FYdZ%y+X8o$=(ZM!hA#EywoGIIDCij6GvqE
z#AfCdEfWdSAbaoAJ;Hu8N{r%qPplkH1Wc3QEZSzXhDt+|w>H(ZKvX50dPzhBolK3y
z<UNKnyM7{<V`*DBmPYRJk=9MkiS{8;vB8FgixLyb`A|8Zwp9JeKg-Th=i4exX`W-*
zV5NP8NW9*U`k;ipVT7R23|f=gnVdIv>||fjFC^GsoSGh-OKWFJ6R)$5*Tq!oElmU|
zRI-yY>23pKnS6sylSo=P(sr>PYsVZ#HFGZGAF37SE@br49^Urvf8riLzu=%rzPrfS
zB__6I7g+<^ak_{t2-mCig%M)MQ3ws~mm)a=%n0%%kAbMPiy-&h-&#Cb^^uL>l>n8-
z)SKK>#0c7sw{5R~6T@Sfohc(yET`xucEr4nqNy#@()sSUZO^<D$s!%V>RO5w6DpW5
zQLR}a*_Mf>x`ImVW9mUIF4PYS9a|`tzAxpJIxl`DnmQ0-I?k~qR^=yQm};2uR`H!c
zh(tqCVW!wKTd(?&@+@YXOihR>(pZVG-}jiTIj*8vtQ`J`M&rhR6cvg96{(&bRVK7U
z4?9pv$V|>$06H5KeT!Uh3DvL^+y+ak{>*JwgX%&a;LO#Q4}wdx1C?<+#Bs;W_2s$a
zHK=eNcb%t_dE8w~P~%|^$AP2Z9*9WfxL4It0*(phBIzeMbGg8iR2;AtPQ!xADxQIb
z!HP=lS=d{ctKM$~mBqtF;2cNQ_izCg&KxemqCqvRghg9RT!BSLHEsY`Ig1{^by)PY
z!yVuzXE7eQ4GS+7R>5MjNX7gtLU`PTMWhuT0A(Dg0^@yH%n`AMvshA{3Q1dRw8T1C
zY*CquK0oFxXn;>)kyeZ9&YMfJK8M8-D=PnIal*n}eR~JhOa068)L&Mo7C;TusKWPc
z45}(w4KQ$+MI{dbZz_@rM8jNF+!E&6?$)3ZgH&M<GdToupz4cJpmKzK7%&4!03XhA
z9l=Kcp+Gp$4SXbrDjYfiT>wwO3!wUqG`h|}Dj)*EoVm(*82DM$shl^T0CO?%WbjKZ
zP!D_}6<GwI^p`4WE0#g+3ao&-Ne^s?xduA_vjY1hsOcsXp$-M-3UydDD!;Ct&p`#u
z22y~{ph}2bFHXHs#dWh()19lrT$+40unlT@gb|RaLM+rt9JYW;Dymlk6QEuNY=C;T
z3+7m03Dm__6x)r3z&s9%fW<J^Nsj~Kp*}tnL7aL$O%n%<1l)esdZ&Q}!~D~wz#dRo
zI1vXeGpG#bZ@?RH6f(|(6U;^BxoB`ie4D}T21m450Rk(yKVV@)R0WGBuyBWkFD#;9
zu@Dwn=K8)C1)vJMw7OLL)`H0HH*-N~i*K-Cuxtj)mayyw%OS8F4$FnGTno$fu*`yG
zF)S~_@*ynCVPy@gy0B^ks~)f#4J&V0g@Y<$TBVz7TUy<QRVDa3;9Gzn1bzwlBjE2q
z)eWkiPz``;HK;r%&Aa*{)c2r%4Ydi@BCMTY-4oW{u=auVG+0N#dI7AHV4V)@LRg=H
z^#fRcMin)xbVQXAsN#<*v8b{eRnDM_34#`a6NC;BhCuLxuoS{p2!|j%fH)pv7{t{O
z_e1=Fs#Q?67OK`q)jp`|hN?cOIs;XsQFSe<=A-IaRK1O=&r$VvRMVnbTU6_eYQCs8
z7u7bQ+5uF%hiadosSiz8Xr@B59GW%IY=Wi;nh&V1NA<3#J_XeiQGGqCZ$tG=R6mRA
zFU>S;Bfv%nn<lX73mY%kgu^BmHjiQRCu#_&(FiqCQG=nz@37@yYYp4}u-ydP2ha|I
z))(5@(5{2_0JK+8(-JisqGl)59D$mCsQC;ve}}FnbWNb!3Ed&+o<a8qYUxp{C2CDT
ztuWMzN3CtBRf^hGP}?50+oSeK)SimkF{r&CwTn>u25R3!?boPXi8^CZ#{+eIP{$v2
zGGPbU^?=<l*m=Qj2J9BVE*W<FV0Qs_@1U;+eRJrCKpzJELg?2)zX$qK=pRD=7zPIz
z9ASunVLuFKVR!_?@2J}Zb%&vD2<omw-J_^`50ncb*+c3BX&R)(kWPZa#EcS*y<qf(
zalg5WJry&jy46&A+I|e|OJM&M^#-EeSkwzbz4@rO3H45*-XqkjfWt&M1j8W~4r}0$
z0f(1x_yhHgsNW9thogP~>L;RpHtJtS{g-gGfnzH;?u6qBIG%%(0H=;{nhK|EIDLS#
z0nXFmJO|Eu;am*o%W%F5=R0tI1n19i(ZQuTTzbG|G+YAVvI;Ke;8KAGA{tajg9d2O
z1r0pWAP5aMpg{^6oIrzjXlRRuZPCyl4OgJy88m#2MmjX=fkyq&Xc!vJMWZ8V^bU<B
zG#-k^(P+F6jZ4t@8XCWVs|Z&YxORu@aJWu_YcyQf!Sx_qZ^HF8n%JR9M>KImlbL8z
zfu<|bbPbwrLeuSNdJE0;Xf^=N4x-s%G<%KaHfY`%&1azbAvAxC=AY0)jTRDGtV4@@
zw78BIpV4v(TFyhuOKABDtt`+=Mysx9<&RduXcdW88_?<$TD?JQYqV~T)*fi>gVyuW
z`Y2kLqm6_%L(pbA+N?vH&uH@vZGM2XSli}k>xZ^0(Ka1zi_!KL+I~R0Dro13cD>MU
z651_ByM1VP3GEo#3us>t?K`0TFtneB_P?P+Gjy1P4vFY+9336daSA$~#xK_RWg&jK
zf=)Vg@<pc^=oErZVd(TbI(wn>F?4B$E<@4fEV^7kR|C4vLst{JwL!N)bjw1w8|W^e
zyDPfyLJu{1xT41p^q7nu1?Z_p&qe52gq|PJs~dXtK(FoSbs4=rptlCSd!qMp^v*-?
zO7!WDK9|ww4f<9^->&F;0R3vAUjX`TMt=+RABO&m(ElO^w8DUa7!Z#E2Qc6-4D5t~
zAsBcYgPLQ|Gz{8-K@}L>8G{F4uqOsj$KVARd<=u{WAGOYsg5BI7}5zt#$m`d49Uk(
zYYY`J)D}bSFw_-8XJY7n41I}V4j488!xAy<6ox&)Fa^VFV|Y^xpNHWWF#Hup@EGBM
z5pfuC6C=A~WDkt&kC8zbxg8@fW8|M0RS%=6PVjP!T7ywrF{%Kg$}s91MvEBT6r($1
zv<F7VVe}e|UWd`UF**~Y_ha-CjJ|}?pE3Fe+yuDwgqsK4yx^7yx7Bc42e%DyI|;XI
zaC?q112AR~#w26RW{la2G5av)48~l=m?s#^VXPiwJ7H`9#s*<*1;+KpxMGYu3U>qC
zjc}g>_gJ_epgP9z=m(Fr@HD{F1)dw=nSt>tjPH-}UKqay;~&ARC%i_&YY!&0#Dr{k
zJHop$yj#M%1H8M#dosLd!aE7x``~>F-tRC`i;2xKaTq2}z{H7|xC9fkF!3fPGWfKD
zPau4v;Ij%o+3<M|pD*xL!M6!~hr%}!zMJ5C7``vy%P^@LCbht%5ttN-Ny(V>7?bN_
zau-bY#bkd>4#ninm|TR(&oPCpn%<bQ7*p0_N-CzD#*~+s@)!K-!LL937Q^o-rdGk!
zP)yCm)bp774E`Ma?cqNi{t58k1OIynsDc0)0fP~+2m#j+Xh7f`1YX57XH4sZX%U!~
ziD~5sazc;~g0>;30@H_JdMKu6VETK^aK;QT%-Dz-*Ad(R!O;jl0x}~*1|cLGA*Bed
zi_j#5enr@1gsnnYCc+LNtO#MZ5%ved?GWA#;oA`Y2WB?K%mJ90jhWvNQ3Vk;h^UQ-
zCWsh@h$)Czf{3k%*pG-pL>x!NZA4TevN|GLB62w*Um~g#qQ)a?4x$z!YAK>J5p@qy
zzhjmQW_e-OI?O7-tb3TvVYV}755eq}n7s$HPhj?S%>EU#zazRfqFoU^2+>m!y%5o9
zh(3krM~ME8Idw3nALayLPBP|P#av6wZHu`cm^%k^w`1-(#8@N788O`v<A#_(#4JWk
z4r0zD<`ZHa5bK86`G~!SdB0$u8|EFrd=2I|#{AKkABy>#u|S6fE3r_Gg#s43U||m|
z?2m=RvCsz#=VRe&EZm1h4Y4R4akUZG6mi~&OGMm$#NEbXD=hAe#nZ4j1B>4wz9r&=
z5Wf}ie`3inEQ!IAdsy-SOWt4!LxL?5T#?WW2`!P(3kf5UFa-$_NLY-7bx24@!fqrK
zAmIiQeno<UrFtywgr#G#)DKH%Vd*j~-HN6Av9uIRPh;sbEd3M9>S9?3Ec3*&I4oO(
zWo1})AIsijc`qy<faMpkyaHqZC$>Ridn8Umq8}2MBXKJd8Ir0aNk)<*l3b9~5J|0&
z)D1}kkyMPNBS?CRq(8Bu7FKk@ibYs)3M))l*&8c&W90{|G+|YBtP01fWmt6&tIDzJ
zGgez*bsemhu{s&68P>GJnl4x~6>DO!CJt-1W6d?Jm9e%S*2ZG(7OXvowcoI=9@fpm
zx?@=P3F~WMeGjZ(j}6w?&;lDKV8bD7xPXne*cgP38?o^kHkKh-jpS}f_CazClJk&!
z5y_X4`~jP)Vv`1&oUy4bHub}%0&FV6rpwrD#O8+BoQ}=cvH2;sSYS(SY-x`zzhKJ*
zZ1KgG0&LY|Yj<oNjII9I8i=jo*h(eVcO#`QQu-q$1Sv^K$wkUDY_r9-;n=nu+nyq|
z3sU2dx)!N7u${Io?%2Ky+Ye&<A#A^n9oE<(V8>kSxPcwFu;T%CT485Z>~zA;KG+$C
zomtqKgETeL9FaC0X>*Wv66q4s`yqWc(zhY~B6e9}*L3XKgk86h;fRcm$nZo)9x@&w
z<0W=$v3nSHhhTR&b|+)^7VN%_-FLD3Gxlh(#|C>^Vb4J9IgP!=$n->J95R!Uc>|fZ
zkogRmFOc~OS+$Vmgscw8T8ON3$ohtCOJw&zb}wX)K=vqPdn0=_vbQ5UAK8B)rx$YE
zkQ0EMOyp!Ervy2r$hm@?zmTgzt`WJ-k=q5i3y~X#+>OZHgxp=oy^Gx6koz6`I%A&)
z_N8Dy?b-Wae>x6S$AMNjuornY$TJ|XKk~eh=YzaB<P{+AB@XIv&=&`zaBv+CrsCj!
z96X7GH*xSe4t_?y1@g7XcSU}0<o84VK;%zAz7O(eBYz$8_aHwD`9;Wofc%d*WQju^
zacCwE<={{$4&6sV4;1W0!ATU{M8SI$@+j<#!jULkgCbWHd7>x^MOi3%h+-Xzd!cwI
ziVvXp42sK8{1%6`INS+`2jj3W4oBkfavZ*cBU&6;j3c*jbRv!(!qGo)>@bdp;P`PI
zKY`<CaQqyO-^B4(IQ|YLRZvm~C9Wvxgp$4}8I6+3D4BzjSd_$}BpxLnQ1SyOY;eLJ
zCmQ3#6r2dgiBOz~#)-u^k%SZLabi189KngpIPn}OKBAOEsfbb;rOi>=7p3D-Is>IE
zQJRg?(<ps{leRe711CLk@+3~4!O6=w)c~i~6V`##Za6&|r=xH>0jIa)^kJMX!|AU$
z{T-+O!WnCv(c+8|XIkS-ADkJ9Gk!QT4`<fm%vqdyj5A+xwhGR+#MxmuyA)^BaJB$v
zui)%UoFlZP9?rGJx#2h$jdQ=_d`+Bhjq@XMJ`d;5;QT$De~$~*aKVTREpVYXE{w&6
zU|d*?3(2^Ug9|0Na2FRo;i3u`?QpRRE{?;+2wYr^i$%D28<$kLR1cT><I*%-3d5z@
zxU>nEuH(`VT&{=9{cza_m#5)!1THVa<rG{l#^sy1{1}(t;0lK;dR%FVEB$e0KCa~8
z%2iw)gsZD@bses5!PT9(`VrUq<Jua~M*n&>TyKo)opId_*8^}p9@o=wy$shYaH9%t
zIN?TD+$hA2GTboXrX6l}#LeBfc?>t-;1-WtGH$iQEg#$p!L50?wFb8i;?_0XdWKuy
zaN8EQ9dNr9Zu{f*LflTl?E>7sjoTk_XE^SR!W|FX@xh&J-1!T42ji{>?)u~IY}`%6
z-A%Zgfx88`djoghp{xqZ98lH`Wy4VBgR%&eEk{`f%J!h_J<2}f-ca0|k9)Up?;h?w
zz`Yl^UkCRk+;4#Uop3)1_fv2`3-@2*{tw*$3lCiJpd}u(!Gm^qFclA?@L)b3yupKa
zc-R^bJ@9ZE9>(KgDjuG~Lxu1wJnDu=J@9BC9;M^aUOXzp<LY?qgvTLx9FE8P@%S7b
zKg8o_c>EHNU*Yj*Jh8x&x_Gh{PuAnfaXfj5r<Qoy1y5(<>25r|ieKyF*LnE$G=9B;
zUti!^Ydq_YXKU~*1J4TZ>>Qpw#Isj;-V4uD@cb&C-@)@wc%jFO-gvPbFOu-$HD3I{
z%SLz^ikHXnn;m|eir=>5x3~E1D_(WNt7N=7jdC94I+VMkJPhR#C{INB3Y6!f{36OP
zqx=hA*TCz2pmfVO2E6gYo3nVU##>*!r2~p$oQ-!+@m`Pjeer%5-hadgD}1Pj4^8l)
z3qB0Thl%(Qfe*{@Ar&7U;A2gEY=Dp5@G%7+f8difKGnphM)=eQpL*ca5PTYkPgC$I
z1fS;MQ#?Mc#;0xgv=^Ta;nN9xx{FWG@aY3S{f-JA6}G65P~n1#mZ<2AiUFt?jfx4V
z2tY*)D&kSG3Kg4Ck%o#~R1~736crayaSIhsQ1KcSKk(TapN;t35TD!P^Kg9j#Akne
z4#($Md|ryr>+pF8K4;@|E<W$a=Y#nC9bZP^%LaV8iZ37V)f!*j@O3u6F2dIX_<A2-
z-{D(Vd|QlfXYuV1d>@bRsbB!B3pN~V5m-4)9bpQCX$wp#FkMBZEh;CXG60o3@VgIw
zpNrqO;`bX+1SsvH%!jfC$~Guh@xy>01MwprKc3+a1ODiZKUU$7YxvV1e~!SPEAeM8
z{w&3xmH5jYe}&+$1pM^?e?8*RpTjr~(>W~Uu#rO+hnE~Tj^iG379BW?Rh-2o&axY4
znZj8~oYf_cZ^rRioC=(3Ij8!AQ_th9)tvQm&iXr7WjI$QovZSi6RL5-1Wxebgvp#R
zl@sDQ;Vmb2<izQmc$E`>=c<n4sxIKFfveV)tCq=CyTxe+bDB_2vxn0#u6ir3dN5Z#
znXCSQvynNQo}A54&So)Zvz4>i$Jw0cY`$<cj9iT&T#Z<+MmAUD8E0$H*>>k_qd41D
zoYuf;-8k(@uBIbb)19k1o~t>5tGSM=S;*<?bGqG}?gpo0TrEegR$s1`Cs!+qtM!Jf
zt>bDNx!SF`+MT)DBe>e3T<vXK?LA!W<6P}0T%9glojF{cOPrmCv#Zb9b>ZwhIlB<f
zZVqRc$l0ZEcKbNHW1QV(&h8;+_m<OJae6JMci{9bIDI!x@5$+dIQ?8szlzhRbNWM^
z{v4-&$?3mvb*pi8^<3SCT-|nD-JV?C;auGbT-`vf?rg5^a;|PVS9c#*H;=1(jH`Qs
zt9zNN`;e<!&eb(>l8TdLPHN6c-8pFpCwXwvWKN3Uq&QAm$4T2bDVvi@IO!#46gXoo
z&e(}F26Dzo&bX5^?&FMSIpZVF_?eRpoZN_$yKwSIP7dVc7*1Zw$(uPjos$o6atSBj
z=j5-P{1<2M$l15x?E7){BRG36&OU&%pTpV5bN0!c{cg_wIA{NetJjjNH-@X{&(&MN
z)l1^)o#N`<=jwgs9C*&59_P@Fa~R4wOynHmIEQVVLm}tzlyfj~^{aFBUAX$4x%&QG
z{V1+}3RnLqSN|qg|1IZe!8sZ@$I+bQBF^zB=lGU$YR);$<ecI-r)19Q0Oxdxb9%=)
z{mwaCbIw#=z9Hw_m~(E*Ik(`PTXW8BIOk~2`3SRG_M0i>75Csh`}Kq6gIcCtl?{IE
zQn7(QF6$1I9eht=I0qXZ=)$*ScXi%xrk$Z+0af6ziLSiTS=pd7snu_kAv}c!4AwPa
zgI}{Dyyk~SvzRg#%n^1wm{k)=6C|0`0$0Qu4;D11%>Ja76y<A9WH3khZV)s<V<lff
zGn%ehML`ISnazHIjv~kt8bRN-kb|(9O7ryR9jLvQWeZ93mOYn#-eM+sLo+DSZcl1N
zrG4aDLDPrTkgf`v+@IggKe1dUXxM!6-wsM;5dwR|^x8s-J*vYNs<dST1<gcBQz|tU
zG@GSw$^a%jjWA`iw}LsP&ys!&UCWV=$mv$=@3$(D14<s*p{2|Ml|#Ct2iI-bDTjRL
z<Dx<r&oGP{zO^WbTy(h)$qCm}|G!?;FzBUHjmguEPDSs#F{43~lghgOJ%}-s(9v1a
zn0SFBhZu!2H@0jpX=bt<iqP_=0hS1wXEZF1{J1QNIaoHLlgpT_2+T{cU1YjK2@500
ztF2;VDGhqA&_y}LYxhO<n%h6Br**t4@@CBC$Qzy6sX9t?3P)NeamkgtdP<r&$&Ip{
zD7KaSx5MX3Y>vuB&`c?pxLngT%OpXwU1EC5`}3yAE=P*+Y9?sX&E8}3+)-FhW9<<(
zRnpG+V>nZ*wMRCT5S@6lE)tud-kY(@WFu)P9xGC^bo=M3s)F_i<x0<aB599o6*M~~
zj+s~uO9xuJ`Kc^S`oyfsN&J$c*ABjXB2YNINz&f>RSGtHzqJR+|E<<c6EurbO`MP*
zY4W9uQc$X?p=7yB((Iwd&HR~j>hyO+g7%0xZ1!O!J!<|%ik8)^5j5e{8}eK>vaBy?
zvW3Ou36G6r)TxK;4`mQ#AXau#)bw74|0F?AN*PTN!W8>mSiB=MOOETxcVzW8N}AX7
zC=W9w8ecQXvK5VTOf1V5xTiFUZjxrIq#3o0lF4dEavMzX<fgC1x~N!N(;^Cb8lc3)
zxW|l%9YaA+$77Di92v-B%t22YHd3<PSvgI+k9iB)Yl8&ME$OphyTKHv-A9Qf!6Awj
zttRV1&k~lg*#fuU<Y1X1{7)Wxli?%%52m}5(OOvSC$TD*n@DYMwwLHQkKGfVnk0ep
z@+c2R`<*q<qZGdnJt&#-wfVP)nLWkc`v^bNWI_%*ncJ?twx#z?{20kfwWgm}eeHj3
zf%!z?(<ai>LS1V~WByY5tdwJ&Z$7!1Ar<OYnICqPp1bmB8)-4|aMSWpM95yOZHDxx
zh0Z}*{Euv)@KBDWfBX5s`~$jn<_o`GX(BDi>LakzIl8ZR-OswT;mwcur@8QnuF*4(
zVV}BC>p!>odL`>DXBzzG=Y1Ar1)2Nz_UiVBQyx;Vhsh{unYrr=vI-<-BWacW)NuK~
z9itig*|(n;x4p^s34a!u`$(fIYeIoIp1PZ!B+1Mn&Av+E_<v4NV1=j7l}XJ;P>7C}
z-=cs{{nMdBa@C*XSla8KH!WdJbr)A2+i^x;FeU3}Hs28bX#8f%=9@h?E-Kzwpfvw^
z+oLybo8vwH)#ay0b(g5a|77^w`B#R|zlTux^gpv}UXMSUSyAtQh9S_bn{2;Z67{u`
z(q(@N1)V>4(Huj>tc_`TIfbPw<$vBTqj>*e&r|5lzurBQrwWMj@EEKgdX&PHloZoZ
z-T(EaHJVa^{$tTatp&D?0zlH3YW*&OSl{y5Yg-egC@L;QI)~UvX3}Xtm@Fk_FTIaJ
zdq~MpHd9!RO8fmPYsi!6(jIyvX!Bn_TOb@=_VxOWi_ciYZ?+#v-t}bl6pqqwfB*P1
zpV)y}ooB{Z?#G*MHHUlrC`-vIE!8u@;ea`xIQ&N=Rrff4z-={M8A|V3xvsvtFVbV&
z)M>paueeZmo!Q<{Y%e}iYkz-O5Y(rS*Az-F-lYsHfAg;t=Hcu}|NkU0SCXRm-$~5B
z|Nls0uKaHjv-Yb}PbnQOtWXx7VWT2Uhs;{0K1HrCR~G8nSK;`TwWl%*kK1*A#rsn|
zQ#V87!T))Q%8TNhnL%0dz1Mu<guZ!{%ick$uh=Tn6c2j40?(YH<cV$h<Nrs=MpyQ0
zEs)CndYKIn1`A5B%JBB)v-|)4-lo#4jrr?7)|AelV_gOdah2oyNdKtjqnH1soadSz
zw4pQ7&A-)lxv++{CDo`6-ympzoKxNttDO2de?PT)xiE|!31c55I$PdaIXhaoBK_3v
zEQAEq-$&y~GSLz7ov(0^BoiGUr9)Pmqy-(56e<@e-OPvXKvA3DKawD#=4-FZh1Nf%
zP>6JvL=ZI<KBcSte##*Fc7()?5W%`oG);)a{EqaIf~eQ-Qn@gnwWZi(YMlO4`p|F9
za)&H~6W=VOB-Y6+c&IUtB3kIldb5Q5M(sIf>G<|vuOrdE|L+S)wBKHvd+_xN^`OfC
zOIZE8{a@1RXEVtuv)vQ=#{A$aB&n$NZ%I`yv@}bq&-i(wK+=ArU`$E-`#h3X-*EXq
zgP}?LdpvWZq=PqGP@3?wpVBJG%<nbbe_9haDIkE-bAPftt1cAe6%-}PE1L>`*t26Q
z{|GP7A&ipp=)wP)QWh*w<kA2}dj4xKrSAgae^^=z&9wCNZ&Lb?@uhS!)6-KS>nV}X
zf7%i&$C-7()1O4;D?DXg5?C$mn-&xvo@l16v+TS?sWOx`MG2&oGDEK;`nr&QakPb0
zUy0Od|7=bV`AMJuxnXBBkv<hpy{6x$u+qNt+uzN1QyNx=n7f!^YAwxpLqT`76pJ_7
zm*o4@ew}xVos_h1@&B;)9&lA1+x|F+=RkIHiL!HyLiRbRQH(8U)Tpr#d+Zgvf?^jt
zpjbE>dyTyVVgm(ih@z;7U9l^QVpl*R#;eF|9FqLMYxX%b&Aspa{_pd0pPW5w*0eP<
zYgWaLmTi6spm_loade}xF|1T=VEFxi7PH7CzdjW;WfH;`z0yq$nZ9|u^RCcM5o=ax
z*2cEF6#)~M4{~w$Y}dpjKb*68?i^?N_oY*(ES^#<ypiBinWAkcjZu9Lg3n~-CAJN=
zxXXlX+%8scw_sw~T0x(ge0n;oM_xzESPO;qe$<Uskw5H|Q2ZJD2|O7L1s`8+eWL|y
z=#&L_0r|={HPCP~FL0cs242_8$v0Zs%U53UD)w@6b?ztrcC(k$s@pe*Yt~p^)gWJa
z%>3%v7ck9_usQQN=u6n2JmQ{&j<1rcp}+Lw9C(L*ufmyI#4Gr2!S{GD7_2l_>A+M)
zPJ1cfucj)wuBwAH6dRVRJb$@LYJ#0ge_vxYS4p?AC+Wv^;GKib&LeV9-pY{bzn2p%
z7<cVA$e}-?05b$`-sw6_?7k-tLu-p~Zi^}65o%d9#_A~O2k82gXe8+|+7QP9y#dhu
ztI|-S)IH3bu+h%@JsYn9R^zWP4el`9rbaNuJ8(X{StNnMSt+pZ!Fk3U@SH%|U=~kh
zIe(@a(2MvCJz{&rgJqkkT){L6d+ai-0%B-P_=y(FDNWwQ$|-UZ3+ELK7xiFc8!DY(
z-+Ch7aQjp?`!`$(MHi?(TnIa`siJpTtQD0#$*W^vhkzW1?h|Di^^S06uo0qr;yYR0
zJ;#wqr7B8)zGh&FFL|O~&SnSx+KyAXlQ@;1C=F-?qJGk!sXe3~Xp&6GAAw=r!CDwj
zN9o{3BHVXaO?x<C>3Toowd?5EIvC%k+Pii_*q={7oY)b}0LuJTZ`N&50G8MZUI0&7
zlgD^r9kIT!9=4O%X)HWzFBn0*z%p39r+~O;g?J5!vtnf43R?u6_$LGeiLfZwF9W3r
zj52@%ql`gdlwbr#VJ$#CC?=x3%Um1a#I6soK~E0?8tMV44ITt`|A0a6W9}@;Jv?wE
zZ18v~J*B1CL+)&@?6d4usI<mRl{T1BX@{9AHNeWqcg*e*8qmh%x{Eb|UyR(JAbkP2
z8F2DIwhF^~ibc}!#j$!}0E!}@g8;frKzmq-7}--=3=Pho#Si=lZWsHU7Kh%UtJMpG
z6#8SPdZ7-!WM8f(@h0l~`uIqPo+n1@i3>P|y$UL?$gggww^=p7?ZJ=+OT%z)4nyf%
ztu%|<sShflRGg!8SmGSq&00|gucp48C7R?eYVI2RwGU1Gq&~vj?huddORU}{@d`#m
z{3Y1RM1_5Kiw=F4_wm*OFZCAg&qO8TN;Rp5dZj4iUg&e7tB}4%o}+UaoCG(%f(sFi
z1+_zPqb23D$|aT>XLJIqyg_4?r_3|rrT$1T_Ne?T?#o{>RD{yA)W)s(3UT%5!o;ol
z%6ypyBAB2eBf(@^x%@;W@^Ljuy;l-<*C!@vbnalf7Bj@Pn5fuVLjBk=atD4AaAWvM
z)18-1&;HUt7u~n>=GHFU5|i=!uqOMvnp)Mp)8)cl-RQVeffrqPCHB%FqzKUwL4ILI
zM0?z>`*r8ssJ+gt62dO}j$6Ii4`KxtqFX+3={R3!{x!lk!Z$Jw0u%mu9|d7FKBp-g
zjoZLq{j7}I1@e*A@ap$LG)N!Vd}Cw7Wgh`9%2(l&_#{@o0_%uqWSiLM2Ci>(0(RQ9
z?j2!zQ&?VYz2iUy|Cx!x1}dvGio?=6(Ey#_AJd{4<y{B=foMi~+!A8)AEFrzv{1lK
zY)2qy2?7NPQaq#-8=$yr296Y)|AIt*Wph%!4UX$JUEi;4UP@Ry>d!@1FG<6e4P<YD
zEBn8p%3H`^;skt8Op(M&s|~?vpUMH-QO!;*31_(|ILleyLqTwj^M`BP&d}&%TTIMw
zHYJU<|5$X>Kbt$T20=#O@goQI1p73er9m$AQLxRAL^=ytY8^?)c`Qt|Ch2L;-quyb
zXTh~DWKFii^WZ~cu)8bSzgsEMcp}_Bc?;s93@JT(0m_awR+{EL6MRy%c92q8D66*?
zg@LH}*Y><*j5)uMn7cMCk&o0srkMc~Xu~V2I_pL8r<pYtH$}9#??hw$Sv-P^P*1pH
z-d+PP6T0#~(3MwIIQ5%&V(75D3Q4T^_u`?U10z@HYg^*v{PG_?vJ*sHXS3(iLDUj2
zA6#E}`{>Y=VdJeQS<WItrSbn?gi2XW?0Iwajb8`VD|<rm1M8_aR;bBp@)38X3h|qH
z?h*!s7ZCMk9&0ie-EqfG-$2Z&AB$7ydl0L)M*E(%6kD_cI9PHZJ?G=E9)u&weY`Ob
z0OuxkF#MOlzWFfc_ckZKL!>er=BQ(~zCYaNWn8#t9XKLaHpz|hYQXrvoc+7l6HiV?
zj~%_qi0`FW*VTbzC=n1dY_PM}xG`R1eAnzAWt96hsfF)D_g)<S#6`#fK|U5q;2hS>
zGM)YXVJBb8iM}_;#vSifM$U+4ZIm7O+!}|$Qg~Ig)}y+&ln?l0wtP528vEx;tgXA`
z2Np;x>Mb~}Dsn~wqITT=b1nw!r?Ej)Zf*PLKfQWLevs4dy8%Z6%V)HUiP*=a8<0nO
z6tv7e)atl!i-;{(=C&E66#EuLq(t9{Q!bEjat|UV`hJdF4c;Ki*{g=|p}kjCk+ZH5
zqkj(vMHb!Z5cuNqd!w|(<<|}%ZyCbby^0Bk)9{#xL2ykUGzN~r;l42@Hla+x=WP0n
zQYtYD0qgUZg*#A#UK)fw>2aaY3$&Mx_ztlbnw<~1*HTsuo0rO#7at#2awo45c&-;7
zUjy0}THn8nzXmiN;ey$noP??O?}bl&ZWb6&`1T}T182uJ@HvLp((e*E9A{gr?z);^
zwVKj4H|GTa5<b|xLxZ>jvoTqD3k2;xW%ohfRh0p`-LU6=RGwN-N8xa`CFeD(@HL!@
zt<T0CI1s~3OgeeuD(m1}IQXqm&KB`+P1g9g-l^ZQ8ncXY-ju2R2U#RWj{Xw<6HDta
ziB-==`)hC~WE7668*eXXZNx*rWuC46A0z8pdz@XI76{$FV(9Jz-M#;at|;|nW10w0
zb}>9Tz?1!-@mMA{U!bnK5!Y%Jud6b#$EyWZ3wb-6h_@6zfL3jx+!!P^hl~MlrH_U1
z57q92J|UaGsCEa&R{~>EseM(|4Aid(HQcORM=`gNU@<fDrTTLA5OsJZs!JR#!d6&g
z^jO9Ih}5HwXoWVlcNhG$>v4DS@G5{v&KrPJ!4q#bCu;pidbU|hBh-Q7<%SlBDZlh8
zg1Lp$OVJ8|x8k>|m-bjJP%*HX>a#i$e&cx4ln(4CHMg#UFSr<OSs&H}iU_tyRa+@T
z={Y1~W7x9(tR8(|$giSDLy5Omzn6d@Pol@pQV`VdJc49T`*Bu%3D2xv?6cS6i3KUN
z7CY<9G!Z-N3S?llx&AmWZ*qSPUwTBGayPJE5A0J8PP9bNI-op*FRJR!WFfm*KwN}7
z1+2IXZ}VwvUbPqet2Uj+c=k43=M~fzlG@ikA@XE+jLWS<-FQ{rc*M}bfisr<W;Tt2
zoOnja{yDo`9JfN#<nR>Q8-cPW%b<s>o^Aaz8BU9_Y0TD?>&UD8>15x1#sv77E+rpR
zZmauM{Y?5uE3;i4>HYE7ICW$r`dTTClsNI=Vy8ig6aPIlFx*XD`7^0^lHmV}Xbn}<
z;cn<wBVC4Zts?u{04~Y~faA>nR!1SKfjr8lA@mUD6yQ4#(6Q1FY?{Qs0e!@w!W6*A
z0o=ctI;=K89%TTcJB$Ao<wsB+i1H&SpTtY5GkO5vQaS*dK7t>no9m+@Abxw)k%s!z
zwNvmN1C$S($Lau2yqN}IrV*HdYO2j1b&z2?a9v9~5I_Swj`A5OK915rA9ZYdr5Cx=
zTH=cV(_B_>G7#MZ+!4Ut16)inPX+y`_6qCy0w51_dIBQbOZis%UYe~A#W7h;!4!T8
zAK7A4$bu!d^^)P#z&GrR#>aJ}D*H6lu1kjcOm5sWn}4ozq?W$C7k2^ZMr6u)T0^Z>
zpZU~^{{DJ+^`aZyufWUCjoV$3V`<d>H0oFywZ9p#e@L>Qnbnr$$sXzA&jwPFkz&2`
z2m1ikkD>MhR7O}#T6OuznZIZoV-+5v8{Z`tCXK`DOLkb1CnWNwh5(64pN852sHc)V
z0db}mX<!%^u+^l_r)K&vH(>ps4Q{cT{*+ey*0ofhR1~*Q*2b1xd~AMZT6*Rv;n=A$
z0~$w<@U7m7E{W06cUGD_R_MmF(qgn*ima=Jl4gjt1udo0gvHZ@rP72Q@zCf=j<X5;
zb3aDiiw}K@O{=f(A130?p+~>}0Y_7LgZef3#Il9T^f@zJ`~%kPFv*)E!uDR;Y-D@w
zS@o7Tx!kw~f*lwWD4u1^rh_ggL&pw8Jj-4I^}8aT<rT!UOcN1Z5mQy(wboNNA#mWJ
z&d&0NPDe+dG0K;r2T5uK<>7yfn2C6q^6USLh?$ONg%4yAjijROJ<7m~%JmM5=Vpiz
zDNN@BGvajqZvN*$oe#|an@FAVLo@%A9qS>@Mzn}J{wy87@<vIhi}5<7kPrwQ#+*IU
zDI|p7ND2v|OJ<Gj<xw}_axD+Ljc5t-L=XGc(D@E)do?eCl*>B{l*`|fa(Ny3>JDzx
zV32n&#5TMlA?83E7T*P&_ybZ&AJbIQ4+?5oRnqbi#5axa0riySHBtd~2#DYC1WK4+
z@DvGG!V+SZ$8OrQyIhw{UBLL!Q%4~{G@>RRPP`EoGAm%K>DnvZuA%+5baX+e=zmp*
z9>(qQ_w2JNn*PPA@D5f}8=(y-94e&|dg#D;vs@jHT>3~SmgVa&>XY^geLIg^NRhUX
zq|Xy_$W>|zh;`3?Xl!dB+SdfAsbkXQL(rZFKzn{@GyY}U)b=D_91Hp4T%2?_gl3*e
zF|6LGn>Yq{^QS<8$=T1Ujc4&y@a+g9hGXz^^H(MlBIHV>0*_{MgAB*w!Xl#(j#&0z
zHBiUCR8Q)!{-#T6Z7+`zi{k$?qEpLbTCne$*)R9d?HVyMv^zY|YvAIPqj|;qHQ1L%
zrc+{4ZXMiDA%-VyH}UTg*s_qKzZwhkmJ0O#O<7nY{G>^;SOV}Z>=I^at2Rg0k9FD3
z_R3bed7Pf(-l-0%{ZK(d=&lgM!SG!%2gdC3_Vyh;cu>UXgC<Cl#*{f2fv>*!ItE|E
z@f8?B`EZJl?|{nL6)?qo28->1)-R<yy?Ml%JgTo@t;@pjHnc=mL|hwc77SAtR_`|e
zJg1s<(JrK`nDZb+4d~43El0^DDyfsV4J8;+&lgT?U5;66iyK(5xJkAmI7XOqKb^J5
z$*D`1b1FyyY^y<jj~n(iF4&wDnvE~-<<CY}wrPM;<eK?Jd65f7l*e6gqN(%54TEU{
zlKIppTrY@i#T>7&dRJ%`a?D!c9}-<A+y<8kdfb4d&KMXLC4X#z02B)&=iL@}M<;QL
z(&*P@Ee0x;{l(rXK{z-kPF}lxe@OVV^QJz}b$-J}n1{Oj(mV3z3=`PvV-$CH$9BZs
zZTS|8P(+KV!s{Bb67`vFHCAE8%0)}p8YlRT_UYr?>G0^YM&3bPg-5C%(L>SI<9evK
zAPZ7k@LzgJqou96ts6;aCG`1?gqRd^EAYNKt`sslfkH-mP{`<nvzTBHEo3wb*)*Jb
z9*Z$%*MSmmoI4I=cUHQT{zhv12y!C%$43H*!x+?Z5Wubk>@X0Ig3jx6TN9IV7OK;l
zZ=^6*&&SecDFQE50A32<?>*M%wg6e2mCl{KefEvCDtosE{mubBeA^j4eDxc8__i~8
z_^y<thwntAuYN<L@2Jrn_j9?;bAW_SkAhLMQoxbp1stzKfg{HYIG80cwhYw*M)^7v
zI2d};F}HntAb6DVMjFWC%m0TiXM1qx+`c_9rNkh<k?N-7buG6@uZ4MiSMopgx+JwI
zdi}oSK<R#N8!X^_koQ}6(D(b2DUvYXVc%R{pnP|uzA{@#vS82ylcGhe-Yi_iAKoj)
zf*ON#Cja#VW^lHUM+ozu`+xllSB%h;iQj-|NJ|nUu}0FxJKprq!#lYBkoKfy8X_RT
z!l{&mNMN5~o$)aX8?k3PA~bDH#~THKO4FF>E^)f4=x16A)yu$f<HaftXKuq-MLeYd
zls)WLZGqAu!-~=)vj=^7Lub0Bl?ACd(-U*My}+P;%)uL}loW9jkE3e%O5&E;B6cQ)
zNo}Yau<nFer8uc__MdwoW9Nyqy}m{828yv6^SX}Zv8F<A{0vjcz#XYE`UwGp2X$dD
z(W_axA&9(LPz`lFFq0Im5%3uV|E2(*hM$@4H2Tq6=C<aMHn6-~cWCx7X^!~;K55=A
zW8R)AjdG7+)_gUQBrLA(X2a%+ef5_IbZEZXh!AFi;<7F$Wz-G~gawKf^VL>N7->DA
zCG$mm%ahQU>(AaqtllmnR&P7R>TP0))mxMI)6Hl75d0xRX_XrUJ>=T+N+i24$(|IN
zcg<Kt(n4rnxn81rnr^?Exczu(fcP^rv}loJn|6`4LKuBOZvu2bf^LFn8i*5mNaBY{
z6xf6qhT+-r8Uoq@pfv=v6d@TQ7rg8aC>((rRCx?2lE9Jx7D-?mW(Z-5fML+deu+g=
z2rQbwt^h2Wz&7(?xu*>fo<efU`uxQ}zWgv|<00_w2m2L<1=>Y5E~3URs<DaJ<t@OP
z>=e<6ost1Cjt!-lXY$@+A?`6jNy>5e!`pQTt1V&`{}=N&^()#7yKjJ^YNETi^xb%6
zsF?8plaG<5+yhw39Tk>xs&or|WxF*QGqN}ohJ8S=zXSHZ1@_OO0A2|j0N}?z(`n~D
zRcJR*Gc|zzI8}Mbp4m55dJiA$jWFl(@tGH4lE)fhp8z<E-k>#<8tJf|aw|`7P^xj+
zrbv|-vsUMV*rdDZIU0lK=p2if+*P@j?T^NysOrHYHD7BLOZ_<!)QaY`8Q8$;O$7WA
zg1=V;{)m8wZR0$ehdI`1SitHbvW|R@D!eLE;ht9E7V{UAF-MR*rN5xjrxJWt5%^RA
zpYo>%4vrl+q|5AkCsy}y7B(wYfKAYJR7oyUMVl}_n}6F$DQw0#Qyt<h6*6mFtqy4<
zP14v-L|lTQBX6fJ#oom?@zhtOD(T>5s`85I^1X_Z{PHp$xj6NbF`q9}s46}06{!~3
ztXiz9{1z}-+*Tb_o67L6SEQ~izAH+yQIf%{s8f0r?m$m<z)^w}EUwlA4|OD#8Fr(J
zw3^j}x=K{d<4<tX0g@ixij<l&M=S7By#=d8CBz7cK~z)+7Gr}xE-u0aX~lSEpHb?A
z392Xo!+g=2<&BMD5F11T$uf&#ysDu&1S9mG7$N-GK%!3LF`eJ<57z0F|4J5Y5SqdJ
zQ;`}I|JWF~#B`}cO5!L*S+VIFtG*?k1*$~wEQqnA$FZl!JD>uB<X5m`{h_B~4zE~)
zn|^18A2J;|(>-=z58XDO{_Fd>z|_kDZ;j?#x<q@K`gKY4j!n>w-+yHKQ5QEBYIwLm
z@%)zHIWsmG`FF6yo*TSi%Xa5Kcum8kfEDYenV=x-sQYd5l1by8>-%)?1cl;!<ZR&f
z?DOA|5A1W1w_y)#jy;gM;V0&V2SrGb;nwkp(=n#*F=t1eb2)Q`vM9)VdKJr~a3DXA
zLL1~!=+t#o_rb=KLp&o}Qh#mGUz0qRH+Y8txyGeXLG~D(_{1a!JlU0a@?>OpFn(j}
zj_lsU$R@JRg;PB^`bhXsP_hp+;6&g>s00B9alPcv)`Kxg0}exkKL+>UCZ!PhSm>RX
zO=rE*e_>UrUW&~}74Mo+GsR{TX&fW9&2XDemsd7m0t!*>e{2>CQbEpiZ#(;|6``k9
zq-C$~5qYs=V2x*xOu>K6j_}P<@mow;aY@%%S!dROJG|nhAx*ceFRzwWlj)|L<g7^n
zqkMXcyL~ddZs=G%Za<8WS$CYcyp84jTd6>;vxCl>{fHF2gCYg*N2K6gB2w@e9DVW&
zsJon`*V@4>2NUQOfCdxj6@W$y&>S4e0810ML_b_=n+PxofSU*~34oCTP~O0Pq4N<v
zAnRVl{W}eTF@j;q7pcZm)VN4Bo}$JLtwz!<aXwmWOqQ5FLoEqi1|+tZ#hL%Y2GuUx
zP`wv6sCe7PQqvrjX}L<}D>nQ8s;D(gHaZj`If+_)j;cvi^EoQs67@X95nI?+JDT3*
zu->K@XTAY9uPt8Y_$*GX{O`TR+uVf&1&x^v0)E#-fIpPRX7^waAu^O0<oIx9>nWXl
z?^(!^bGMvDraI&QW2QPe{_xPG@#p3ast=VVcOi2*Tb8J`xi7m9wfTe6(4x9TZ|Pl%
z?u?<=2RN=DaI|a_Vgv31_NAaM^uNQc0HK0+IT^%kt40R-tLe-ETw5iW>$GR(hruLg
zv)TZ1?SEaom1bf!d5d|Mo#lqdQzBkDKWUu`fk)k@)w#i#H<eXVN7~=rb@Y5p*ccz9
zyt!G6aZPwx)?#T>=du0)BS!nK**3x`_wVJVlQ)k&dMNNL!p;jT`4jiaPX2HjEakTf
z29DUbp4t@aYx?i-SIZ!l89)|hLn&&a8Qulu@UiHnJ6D9RC?{V;LMl0_P)aI!Q}xJJ
z_x+9XhJm$V01KG_rY%Y$6tkh|^i&Xy8%!NEoxCT_idNJFl>NpN6BeNHay^MLvy{P1
z0~!P>gnJ9|W1{15RH^7RomCvj+{V#s0Og1!n>(boD7R-{+<1ymacI?U6Pswb>ZNCu
zAc^_>21i`X{mKs{&Vp;ec{SBr8m^=g8SaMiJB@t@Y2{D|wxc1}773aloG&Tpaks`8
zL5x>29qh3i{}-`Ffc3QjaFmS(J;{u)y<Y(tUMq+;{4I&)ZLtgE05}D3aT=Ka5H+PX
zHR+J?sU{n%Z+f6KGaV@0A0c$G8+V3W9ykJl<A{dC?}nO6kA&UIGZM|4l^zhyljt<w
zOd~MU5X>6rRQR{vf^>ek60F`n3e18b#8{65as~j8Yj88>(H`5aykcKoxCV?h*-fd+
zKVTf9-k+%Wunsr~t`SeYny)Y{2Wr$URI})~Q*uYBjUYDf#9Ou2Kx1zd0{*Duqd$CR
zz(`mUDHxC|%u=aPm7@4BAsp$cJ&jqp#yxei{{p_YwZtw<;4Q~t5ce?FBN*#FZLIOn
z1+7sI5%uW{puCzh0Z<u36$DMD@UJ4d)=u@VL4H$BnW@RCOV{uZqac2WBVFQkXMhK*
zKjBSBK^tcYIW-JdNKU;a`f`Yokk~`cOnJWKE7o*ia`d_ux^Yvy2SXGc-02A9DvqNR
z{CAy*aFlY4NV1?)r*oz=H>CZdeyJsJnj-I4hL-nhlcj3~g!yGU`vs&@Ha!FtEVN0L
zMth)El#NzR28lX>L@_bTSiPwlb}=^u8VAUG7QmPkF+;_jVHl%FMKKQ<^>cdAbfY~a
zJZBD*=gi&q60DfT3%?s}2q#!ZO#@X@St`m_;r0GWzZ$0GuJHbcqFT8t8li|9B8QyA
zaLAb~9CDCg27eCAJqrH%t&kQx5v>7WngEC=fNA@3mr<*Db~wRSx!y+z;CHkP_gPou
zSgFa&Fo$~nxs3vx)Di&g1yuC~s$PU@9lJkKKzbtC<rc)2U7cg+hDfC)btrw8yVOt(
zUPC0<xJxXL9F5vzMD1v*?axN!t|VT647eNr6sd?S5%X1Nf}IfFMX4mp&^(Ngl5j3$
z8RGLTQpeVZ+7*hg!RidUf+bSO!W}99Ge09f<1~GR?@mC%)9Ew~##`Ym59uLIp@ccV
zA}H}eXdimRe~N9#edG253fj8tyKe6r-8Zo>&JRiA6`K!??6<Su)^hD?M+Qa&?wDMT
zJ9OFCmQ}d1f9OuH&7S2V#`>)Faj974M>s;b<<w-QOuvE0?B4I-z56ly&O}Ad92sF+
zJZ;hRsm|Z}^zCMZtI%781T>_HuuBsDUI;xt@3zi2Dmw6}3q`7K!fG^m%}Wm$IN5i&
zY1wr|s%HLqFDyZyS#JqRji7Frqq;~ChgqI?>>2N*MVYlVv7@kMVC(arxp?Ry{B$0k
zjoK4X%c2^|b}ERCDW{SuH(%Idk+e8Yr0goWh->de@*xCP#e8WwR)m!5If;o_vp<)|
zg4(r&D+4L2`a!%T&H&g%nPMWqzF*t1@0_V;mTp|%Ayd3v+K=0LaGr_v-tzEjj&n-y
zGxdJyIcA^_p5o^7=pjccpBgDmkS?Y<i!j`^kKDO4IMO9NbegZv2;U0RkQ#>#DwsQK
zTyM<Q&xq^Yv-kMnKFB*aGhQ33y?$*x909!##7&Mx)c5>p)07UXJ^NQSx%rWFfLsV;
zHFPgoLsrEj)2b6%a)m7i@sb0eKU*Q?%_k*L?AjBAm^=(S<tu@_>sK8#2&)3ki?76@
zu(qrtC<?3-UQ+BQZkNFgExS$f9b&p(T^G7FWM!nw`NPP5)wg^5k)t<;j5l?yrt>;_
ze(FhZD0WEZlAJ~M*y2^zl)`2o`NJ^DZ{_+arl=h|gSWYCUpr;0pa0|$CM1>m*|2)|
z>hQJO9Rj0cW*u^QfAQ+$)LzGa?AK@Vkp89xs~4_W>zo#U`cBw3sEv%5o)uLab=cT*
z#~_pch$%jSUJj0PK~rb7u&m5Gz?OZb*dc6kC&OOWRhp&hl-vQh9)7Vel(__ciE)R*
zc1N2QHq!lcyahv|qs8nf+!MDeFPQyI;nx@qb&<c8_#{jpzaebjiscIztT4)BC|<hk
zzdSHt*(f~K`Zua(THK%@CyE@cIcM&{u`MzWAwvnPke!KLUbiAvoLBe>xxdCQ8@B|B
zYmVug&lotejmwZBYqktC^{uTNe*C)sS(j$)iXn0L{<BASk8Zz`HXjIxMm1b=JffUd
zm?4OjU|&6Yf~jV&5lfb>LmOpZz!KgRx*&9Zuqh!-*J#U$DMwr)wy#|mV)DJNn`54V
zta77ggeEUAwcK8Fu<oW$t3%aXy0x7?th-2q6di>$NJpareS(pyn12a!TyYt^P&Jpi
zl<9NCw%D1-f^=6mchQ_V&K^TNJ&lgs0m*se;OO-)SUkRATY?N1PORB~&eSCXs*7Q>
zd|i6@AUW^W^(Rb^vXJVdwZ8u(q%YnU60>LL%qd7;{7M(mr{{()F0R!nd+~r%fyf0X
zzv(#5YiJv1H&()v>5Pt*&;;9PX(NM;#yD-W6aKj3wYTF2BnUgTY1`og&aZ37e%qn@
zG~b@alht*bBg0qkaXA<k;5)`|T0c{ps%ZM5{>0Yl!-o&?@9sNn6(+h%O`XrBljbBB
z$Do2Cv}fPn!IpZ<!qCXKOnQPO3(a`xCmgw1UU8e6UR6wTn&>A5NPcVWr>!TmH?oo?
z`;Ek4x2%r?&=Cyx)oA^o01S6~Nc6RR1HQ!*yQ0s)=9skAbVRY!H`o9uuM|e4Ilx}H
z-0?~4B*))4@TJ4*b~XDV0)Wtnq!vkS=WTyv!?t}ZRxF&q+_)WiYb<p5)qwgxL3=mC
zo|5xW{^2S}by4wtW%gy<p^%73)4UG4esjl-Z00h!_nPhfOns~32;BwSwgcqA+h1|)
zBRO`&27dkfYq5X7!}c$2$6|sEcdzZ-3%kGhe8_i?>e<gia>4+Y*8LMQ-kpv+dpLBO
ze}oCC#G}0WZ?EqH-|o^icq86|{i^}{+T_@s4@<X&xxg1!84|ZZq-)4HcjoCa|NTRg
zOspD0U6W6*&kXMwqk{&(r}yxTT{8~0V?Jdm9eu658oHrv{fG2+u5-RihB3XQ|BOxB
zcdXhK8f*GZALg~%cdYaH>45=8$5}YJp5es$oEh!dJ}lkmDVLaZ#wV$BqA7eUvOl?O
z+B|pGT2oApZj)dCRfAo6be`C~pDD3#=dC?leEQEqs>Fk?x>aj7{kGX<XL!(<t)|Z1
zhqUeD%%!{S*cV3jc}XAt9S5Se#_WkSMUUJ%XoT}%|8YZ%j&mr8J8}w;*wK#VSzVxs
z4;?&a0@7uEoRt0Q(Z~aPjk9a$;DzlE7R4$5EGN-r7Bn|E-YP9jd^@lnX1$f)Qt2E|
zrE@$B=eXl+oO9|gq8g%67r8rkTfqUW9r<qThCQxKpxcBiQ*EH&zFY?3<yW>>fF215
z?5@CNy$kz+!xl|2(5;b{pfywnd^L=|CK7>?0wvj^K6$<tFSBH%|8-*%uit2?5iTXG
zg8H%wi-JcSZzsH~aRa#7ohZW&G5h8$_$Fj!hq(Ps9^4$!#K(a6OWw><Cj)UWRw9Kp
z6$#L?*=fGoz;wq)q<CHEf27>v)r;4xc2*}N9{Z2>zXb*^o#s-#o99pU&$P`ve`HJa
zZqt?#p+1`jIB;+Fvtitf;E>=A>$k4oG<!y{Y1G_l0b^Xyr!RBM8;<Qk^1oq7{^!Uk
z<00#C<H9xDnJMsNvIE5&Hmu}EJ!O9o8D)&cwFKYNFw?L<C)lr=9=P1krIWXJw=ReJ
zzco$2VHgs)Ve_U{YeV<0_VG6@fGgNxERLqanue=q53ZhH>FVjq-Tv%gUvYmOq#}2`
zpu!dw6A0Cjo$AasN_jH#1^}%<X>i*=NxU+$MF=#=H}Mj4=ZS&@iJgS=C6coq*%udU
z>ap#h?{$}?!_hG@$XC3k9i`@?2hcP9s8M65PH-6%5Ozc4UEt5`M~xmcb)t)R{+ILi
zywuUAIgnzWRC1L9qWxdg6`e3@oj4n_J?^k+c1`#=?Y1&@P<T*c1NmXD12K1o17wXy
z%-!pM%(^Q-oOvmq*L(esxqBn+yUm<9!aQ@yvYE#5!~{P4HF)csJxC{?C>^G@<O5IN
znb@NOU5Um*&e8WV`;VGAOVq<o*c>)zuc)Mk7vd7w1-4eQ=veYuPxkDs(%i)N*;hPJ
z2ZC6~z(vTO)(+F%j<s`20uj}MY^WF3N?}GMi9R;_(wy@!U|R1RGGN0PNQZ}%WiEhL
zKxlnd{PJ5T<9z+}aR0bz;V|_cQkJ{u9cN3d%A)K)vYzIUQ41u8Ft0omWY{0EWOba0
z9m(dS{$S0rc(bR>JBRPpukJH$iH{3%xH{G0&3H@Z)ByQTS1<=d*B(*K_U*|7r`K&*
zFmHp2@35aYZ5pzwI<h*yf?GI@fcAvn9xn%b;`8cDc`YbAQVVuaV!e^^r#IUMiD-~&
zt02ws@sqo+?13@M8aT3P)OA45euR4S(*R#6d1gyF@nXQia;&>xf!Sp=r5aG@fJP74
z1B(TD1-&~S|Ms{O+t9)0$(E2F8}GEj8%RFS4%%PY9=CO`OX!CAb2pocByuC7G3(`Z
zmi>i<U8R`}1?e_@>Y<%c;cFKBy3-iOzSOOpFl2cj7wCV!=Os;!uzr0FBLy4rp!p0M
zy5<V2m!N;n>*?5!dL+i|p^Mudb@-|?E9HKG>x~@pC^wF)Mc!|JVtc^g!Q;pE1eQhc
zQ~2sN9uAf8gusciu?+JP8?mmZzBa3?<3H-*S=3$EfBc96t(|$Pv_VX7+>C%IJ;#T{
z?BBlgglRwj3WuT#(yf-f$ZQ+<!;R3^DU=y1is%^7Vhuy1<!)SmAta-w|D9wMY3#iR
zt&bdF`sI5aatqt;b7zhRw=Z8AVjQ2Xn>XD&f4Yl&WcbvuxcMeId0uG9f)FtAB0Xj9
zPdI}vV@P|D)J0v(e3iU4U`+~Gm(w62@Gg^3!p9b3ULcF?gzT2REwVheiZ<mQ$po=u
zp{&NL1espm7xru@QseEXq_F-hRQTggc6y4#1G=P+YoVA){z(t5a;dnc%tlCKj7#-$
zM@V~ED4cXX$w{{((nvvO<B8`))%;&OkXMRwDDLIs4B`%!m!4-;0k#9V!>0~)aSWiV
zU<U-H;cO&~{M?X3V+4oL4wekNG2hjn=Dat_ckd5BKWvY2X)4a(5!LPGTYLKl_iyUl
zVodk;?Z+hEFv`#G1jp@-Grr;@x&4Fr02nrGc*mcd%Rg~tHH?nqsf`0nj}R#kKGgzW
zd04#F>pXy(3SMP*S>>NERvkTg!JH|^jWA4JvSRt-6)t-=4*jWuZ`&UI$3>->P$L36
zX16`B{;&xvV|47UevPL;g+*CghLzV}Vl&pouRF2s1hT5F?YX|^+CE8qMp@)Y;f>VU
z2rdLC+dhlHolJs_9-^bzZ7svTLDH+hRq?+aU3CnVR`*`jcWs|jJg_WspPXcYYmclt
zCJI*eUfy?QpQBVzS<g#p*t~e3nf+(?|J4(zGG`^siklTTfb}WMJ@k%UVbAJ-e$CPP
zb&ic#dt?p%4^6D=v$o%c0XO)FvUtVwZfd~Bc-_8r+jhjetX@BF!79^sR#LY-AYhrV
z3;)csEics%PtlT#5N`uc#&y7+RMkVLh8#CF^n+Zd4VpfDnl~ltJUA_SMvPZZS^m8q
zsc~QH5Z46<$PFP&*-ck#S31_WEMFOH8jrWyyqWX}M4n!6a?d@bOUWzA?O6wV?!yyx
zjo6$S_H|<Guu?`x58S=yQ*bia+p6tS?AU<@hUF2<cdpp#5RILja5?4H;JxiS_w80^
zsA=-z$%_M)5W2D{{6k@MJ?-cC&z&@Pk^}4mni+zE76rK+4GRkmaS2&HYl`3GfI%3d
z1U>*KGR}-)!~{5^{y@6?%cyCTUk4(cl_19iX229|(94h0Zd^)YCDaO1KjY1sy6DK5
z@Z&D0_l)d>bbf6I_2>F#M#tu&DstUZ%}~}GHL*(`bN#JBaY<~vgzSF2#HF@rE$B_v
zADW*CYUx{ouOdHY-vYir6g3XK3_P@xPM<h;8_o4K-a>P`52CqKXs-LPZk3yvJoJ=D
zsf0ahmD3kO29JeRX!{!LC~%cyCG<^~>zV>x<y*r}C87^MpXhX{s|k0PgC1ZYP&~Sw
zZy@`uE&C$VZaI5sKsb)lLkNFcrqBB-Q~m1wjq<EC{l9-#<NqFFkDRrRezdjP;dR{#
zgng7b?`B`^X3jzb{LM>90p_#$HP~nT8~#lV{u!Uo=f6a{;BQP|<ootL1%|iX(X&U7
z9_`HA@h*M4^)<0}C8HvCMo0VZ95KRo?C{|cW1~!t_rRZ*X7*_!&(6$%hydi;k#DM1
znF$#spRp5|&U3_;-(<;({H$;)QTY-j6P2G8PbaE2$D+ef*O4*8d<%xDF6=Kl8Z=ju
z&1%(05;5;U81+iAg0pLRrP(>?7)2szL|@R3t~9FJ7_&W~P_@?u)zqGONXMwaO5|6V
zOqYPd8kY;2&5sc!j3xYEuoDo(@&0-_R?9tibkFLQ+l@G`mnk}4m%WlOR7gB%sQw5g
zg|w*lj%pJM*d%&D&z9E$Nn@?UgzHn7V8Rk%ul^{|Sq6#Tf@^MzXj$UHFbVfdp&!g$
zO&FvU`SOjL0DC6Dh=4=%$e1KeRI?CX0pBPz(}`FuyuxWbJ`S@|&D1Io`a%85R0#^s
zn|W1`A>CI^GRSH0XitSq_c`J&pe_QYIBm*LoqK)~RN>L;EyQ3z8NxRmffJ}72AY9_
zH*?jOvqS;hYn+hxO%pCsoj0tqdK>W>P>FmEwf<dJlM$u?pAay`iM}CL!?j7$TlEs6
zAs|jeTZn++c?14Ii_<V%L&V>bAh@lFNrK|%)})kP@GjeC8p*ztB0_dY?KH{5VOOV(
z6NAJEvDuo#Y0*|cE?_`k5vGJ1r|?Evf6&M46lUZphx?2g!8*WwhQb5bskM1q@al&x
zo-?jI(0(2ThWJC#-wk>?=O%dCOS}Sxo1$BxA2!3+XS(pI8BabnA=~G~xHyiG@ZT!c
z$6Fd9g{wY|q!lFehjnyoMIL}WW=kOFUm*!=B_=gYXYfklcIgNo05O}Vc?RMRnA<|q
zvc}vIn`?)8gkt0a?eQ~Sk^6W&R)>)6y@wgX_dXsez)cD}CN(F89TFzVn+Q!mLNi*R
z*(A_JTG4DGG<|Jqsou4zUr^&Q$%n<)Ma|8q*dO(LsrAj&c$B5>&D1nEsFQo34wQRL
z>huWd`*^8GGQ#zvmJL<25%p|DMH_2P8>(s!R((k0w?YycKPF9r#;+xs4E8|n0UoG5
z#)E1Hdr<9Y4@>P}57h3D+WnvdTp?^D$;dnel?I~DSgI02HTGC4gaCeEH+4jNizPdl
z4kjT39+`AqMy)8+I!LuHQ?1*UT9;8PI#igslYo&diJ0^{2L_vR_HgVhFJVc9+4}yT
zWffU)QETdAWkqa=1WMtn^M%w4MnuCU<Qbf=ph{)UPX`Nd1#9TWzq%rCqzUOu6EaFn
z$VM?CyR8$lktU?C2M~ZY?2|xdM*Ur3W`sW*NSg6Jh74lMAN3U?hiD>)SV0a~1UV#I
z$>9o-L$q0=N_mgXU15)eMSh5pa{J`g2o&**JbC)(d-4=6T#dq~=tF@64~_Pc@Ze!m
zRwhmhAdx=|m!_&uo)YnB?mJBCm#hsr`F}LzJ_$rY1wK9fT|eQ|gGtzuzwQ<)g&ir@
zo(S~{&1^KyY^<2sD`IAotuuRtW;V)IBUH@D65-`DSJR$;QJcJc5OGM*6Z={?`mD84
zn-=l(Ar0ypGgPQaLWOE?FJClYQ{;0tN8`6gN0UFqPMfv8bmOOZkqULKjpojC(F}i{
z8xXid?$}4#u6Af7;Tei0guL_NdRSfmB*_mUpL`AZ<U`0O`A@1p4v>RndW+<w9UtM9
zz~x8s0~-MUZUg8CHUR(K2JjDHrUbR9d868aw%<XaJVYggse%4fen2&-0>KkFK|kE6
zw#AuyP)di9Ikm7ZI}xxC&D0k&b;eA+F;jQURN;~Ng8EAiDhS;?di@BHe*o|i;Qj#E
zBS3XlyS4`i&Kp9BP&oDfsr`Grtm@qZb3h76z&1!n_BuDNPnVOa3u)AaWa>g1bs<@F
z;hx6>wIdyix9M2Chhvc^hBCy9)c&~~h3j%%C>j6WeXk&SyPkFBHOT7su(0}tkWaJu
zrDrgVe(?$xKqvBs2wUGohNwSXNYzvirXU&yUl=WuHHcbCg6)x<p?!t(t1wr_SJ?AX
zLAF-V^sUwINM+w?M!bodeW$0?l<b-LZbTXF5@4H*+dP6THIPXzE^+n-2D&=O(-xM+
z_60t{RKgB%Ex|ol7!md~ue1T`-!71k6^Y!4aH(C9N*Kx7MJ8cO_)})k!lxAu&{;eP
z>U*T51V?6oDPJZcar8p;3_I|X+u+d347`{A_q<x=Axq2;m0C1LD*XD@)y#w-oD@-X
z@9Z*ozT9PqBzi6Q#`?=4HyxJggPX7WC8R|PKV6o&>v`{7R~>JOciN}p15ser*}W8}
z1a)X$1@=IGlTbz-im(Jjq0zX?sv6h>h!-B{yRfefYFB*ks@LMMvM$O-Wegared>6-
zePz_~h;tH$xIAnKuZQgAP^Xm2>sDLO`XagG06rTWb>TRvAA3_fvbKJ??ZIlB@KP>=
z|Cx~TnmsT)Ja#f=t&yL!Z@jkmsYlLgnKD22?$$WS$WGd)1Rd*9-<hxB?+~)(sh-tc
z_dbKwc4oE8Kj(GV8K3Ynb&;ocM)}&jmNT#Yz9y?X0}^$pW)V;I1YRX}$h};GBw^=}
zXq%1Iv)XGjQ(0?gWKsW?SGVUShj=xgWn|a5kzccKzRD+-m2_s+Q3kZFGaIrWf{c!P
zr3=dQUSKbK(L<|OV+rrQo~I=?k|N*YV>86*>@~#twU*@%imz2T5EtuvP6`TeLNBUO
zupRlX+6s|&^18BDhKxWR0^uTN6*{e!L?dcRynHAKY+fnmhnD`kKe?Y;3sF>^SoLv=
ze1m;cM!v|F;;#mX+`0k(ey6~jGfgzK|E|&ye!cKLQ>Vl1>=FcyO<DQxp?S-=#9Jaz
zqki6<`FH2tbMQQNZu&`=%(s_W<%~|(nv$06WK=}_6=zo3^)xTRe`v;SxXB2|g|+;H
zVMzZq$A*})mb_e=Wt87MUK*Zw#^u1C@jbdt7|_IQ+U%;6GnTDgw`7CMg<W1fTMroN
zX>uH(jtg0fK6hu8@X+i)jaS#7T5!{R!3f&u7tQR$StAGJ<DSjG80XsiTLjRRy@s*!
zp3HgR6$d;+tB%sW=T)EbIo!#)^@4G82N@lG@vc$lK=>8IOy6VoRX`Yr49&RV*(>In
z)BQ~CBnVA@KKV;@wDZRGYjz*MJayuAV<ethVXYc%YVN{Ib?Mr+X?)K_M61YXIJ{+>
ziq5=ZHqvei+u5E2_uouDc<9Pz)1l#!K3$y~3>^;rWgBeelDwgR?mCDsVqoVB2G~w5
z2iZYv(x#*+=es_UZXw26o5w_?I{yLPY7_SLJ>zob0P%r?{`~THiw`bw;I6LU@e2Gi
zXI?+8XL^9~PGHE)an9qXOd1OnQE$a@3_aL-XR#jQt@<tW^cC&cPDq(tz#7w2)g4b&
z7ygaA_Eb$1PgV78$=Il2yw-9PZwO7;@~AzrE_qW+dW|^1YRxgRhI(FW&WOQYE{;<q
z$5E^Ocl$$Nk_*K`MaV|Wm<@6-)?iKBTMgM4eX`22O^Q66c`6R_y2G^&w%p&x!EwB(
z@&u7j)~UPYz0AXmtlEs?RLkSC_){ISzVjC9V#LMtYIlj-yL2A=>x@yR-EhEOy=C+A
z2$zF<#`julS~{JN$is7dBSy&e?2C&2>Tkj>p)xbdjgp8g@EqyK!X&wo3KyMztOCqn
z=b3{R%yJnQxO(@)6|Blq=3s)d4`thw?u%eoZ}8WMYoWRfy>45Ex$0qw+3qkiMzH2Y
zQ}Vi5T<^!f=)+4=U}o5o{^<F_K^_jGy2t;O%$tVu_T?NA7^b1WI)}o+IXE3;)haNz
z=L{E@`i)rJ&9t}^c9#z|*4{LD!&T?=2?ww2*t%eL1QNc(2IbdrQx=YO={e$1+{wLB
zCry|ehrA|O@{`NAE#9}p!PkH4&=Jm^B72{iM2g_-pC`0$S=X7Del+0Ue#Ydfp=PoE
zW3c`cC}MJJ+#wL0pT;y*_mA*bOQB0RG88)FU=|!4WY`<I0+OmgNU9c0n}OLGGj&Z=
z*kUFve`<n>Zr&ye$O_jh8+*ACFA>C*iM$*F+%UIUx^?X9b#N_{Akx>@pT|p#ah5lI
zySEL@8K4%0&A@paTWt`rIT%5Pi4eoER3%smr#<YV1YfknY%9r^Up`|MlgFOxvr~0Y
zjxUU!cXEycivGp-Kv%@22Hb<!e~(Miv;-DHo+IO7g?=|Pa(_Z%MBBzj`EbKg{jrzo
z5_-r~ZD9wG>)}$6A$H%&Rl7}-Sqa@7zo`qRxJ;V1ChF|sN6Vg&MZJAq2{9^LR+&$<
z|2DeKJEP+^h5cJ$HPyOOFK{fC5imOivJ0#70{xx=t8lCS0$NchFdCBrqcId1Fj6bU
zo$cjRJbt%HJ$WPl+!}O9tyIGyX{y7!7$B>k2@1!JIg?e|&HJ!>I6v=`Wbp?+0QrdJ
zy%55U#9hrRjbdH+CEkU<f>x^;L?;l+<SL1n=aOjcGl<LL**PL_SfK0K&r8$avQEw^
z)9*~YWkmZGM(egVSlOu~<o$yOHkof!w{YjYE%tTCp1o+=x8!<^bKJs%zy78;yV~=z
z7h$~J1u@xJYsD7%%fWm6uGqPPe=Ex&u0g<9(%8Jhp~U{pJK|6Zz7p;HV03uRNMpOO
zVLKi;-`{`Y^48E<0b$1LaH}5Ho7}3)asBuF2j1{^&-BrznCTm)jB+0DKaNhL^<Zw)
zNtU~#9^D<4aK_#Q1;C~PPqB=4x7^p^wz$4)_X)Z!xJ@GVQH_@6aa&-KV9?uvebo{t
zD%YtaU}gDu*^Y$MF8g*(?ACqkKwfq<4&KFKi?=S`=D=+DD?`tYd$LU{7p+|B9DI7m
z%55$;Bl>%G95||nNjnpVq{E!=bEjjl11|w8t&9Udn{`lE8xC&UcX+WeVaY+SmAsMz
z|90A#^Jksqtmk=K46Fua)LzV{xPu$32cKB3t5?Uh-YNbqTOMxWt>%px(a%NB@|qNS
zH3G8?C74maYV@Mf{hfJ<Q%zV!%rwZ!7IOJ7Ftb%*WKjm|2^Q}(EvKt~{;3707M^xs
z$_gfDvc}Hr`=6deT4~b|;p>dhD%4*wJTcYz>bBFzE*QDvV_m0~UX|-O^TzB;cUEbR
z5!enG?u150?%z73TBQMAEq*mFJh$lF8E40a(r9(a1F4PDQGM`0>aA4Ho%KMPB5_Ch
zxkT7n3Rg)Z8AnfAg2)>66nPTUBNPX3Nv6kzPLkg0&<E0|_DU~8woOUJ3-jObsGBB1
z5i7@GFQs5F#ib~6Y<WUejMyG)UBLFxK_jnQ%8YB6u1FvF=jsdA6kX}7Y(wZ(9kAoP
zU!-8&is0|7fyMS!?haF0-FCY99$Jnh2zBKQSB1}EeGtiRs^oZnn1bL*D2lfhDSU!K
zzB`#*EjucXhu9HmS}roMD}2B%$r1MG^TB0EXS3j+Fp;V}2R4-ODty#kI4v+dH*WQX
z^W{7O3nH)yg}|EdQ3m-|8<^t0!)Y=jAJqse%(BM{Z^fq<K{Y)e)$l@Ku6%j{syCsm
zq>_~>KTcrJ3FexIt0F)3;HfRQqb(2CU6P-89Kx6qSOqFLr~JWN8vq_CIf}aBAJ?s&
zjX;&G^*<pHf#M5CjsJ9Pc~-6$P5<@xm#{urY&IC*fi(H4n0!&ju93ekeb>><C$Bl9
zo3zqzZG`jIuuZ3z8RaX1w{^VKd=Y&kjh3Vc7k#GKZwpr)-%IIm8&99JS%{<PCa0-x
zjiob+Ws$DXA|=xz9VIZQpe%NsI;U19AhATLSfVUiqWuMkW(q_~V~KrkU84d_`>dE?
zg9A+82q>{c`KZ<)&@XFydoJSOVltYMBw;ofelZ)bX*M(f%m+hoVW?YY4~3-oH7jSC
znTMds*E9je-wc?8;-9o>P#c6kSHu*cwM(koLnVI>uF@Q&V-D2%fDtnwU@8-gn1Xan
z!5vJ2>aHP~NnO6ADi2}YWF3D2mYN!ta~jY$0!R$siiX|5@Lw<q0;wDVO4!R1Xncw8
z7@&OGo!=!=J?~DWdeR-FdTlR}>S=c?slEZJ<|7HuL?HP>Se}k!l?d2Eu%ATZ$n|&<
z-?uCPE_OB>4<y8C(w2Zu0}X;GGMoyLPz2@n8etyB^xqZJUkg;?$gEGac-9KXfgrP0
zsvA{`q)PcSy@_Tz2{U~ZfEH3)rB==d<hA*5R#Dlnp&=q$r7HQQ1#_K`XP<_L2yK=6
zO+F+a41bx564I`yL6&KDlTUiE1cEs2L4A_XduY>qO`HgcbRs<QplLpDJrPdQiD1Pc
zX1NfO1Th;mv$0MdmYMz}Cdef2Nd@7X>6bNnG+RRVenYjUvexp1O;RV*6Sf<>3I{AU
zRHB^_cus1lHbXGrza@1jMXOC0rC5Pfu>!--!A`xphQLnkPW5ZD6d$b0e|;aTRkaS(
zMrsqF&#jnWSvwtQwc=@C)YIT<!Eun_D&)h7-4Va`jBd*6scW}7Zw(HK{|&qrj;YG?
z`VDU9Onb)lob>Z;Jf%Sx;JC$8{YviVgrbY(sUCbjQnH-%;uMLdHcgglAd@Be)uiIp
z#J-9y-T^u%wGPO^baMRyiQ0HD6usGJt>{dlK%nV@<j1FqSZP<Gb*s%CPVkB*K8Z|9
zt{7PFtM>N~P0%8x@yF?ioLu}kzFO!w2GfLwYS6A?7bLj1xj`UdvPd0xDC@(_QjxR#
zaG}cDUiw&C!5=aoTFH+~EOLy;g8m_QAo{-{T9YH)B&vsf#FDjQSO%i_e137>mpD}`
zBHk|TkF%TETm{tq1VD*qb$|wS&Fm)07tB0~HSKS``mUSlKss&4PI+n;JH<S1QY84g
z3ug5zlBpn=B(%5?=~zSK-GXumIxQ4Ef9Zs0RU%^dQpj^_x%{TFI(?SJc2ee~de{it
zA#J(9I+l^okhJ9jq%9XAZMgtx%XbWlxj4(7SPkI}ZHhF2r?5t4<l6+E0`PkPPx($6
zB%rZJQpB=M2RwYy0sWj+y05sh+cc~HD-n;{Uh5<F%5c$Y_Q$OXyaih)j>s66mozkN
zooG?*-9J<lJ1MR>A*bXMGVP>h7>0E#4FI+zgolP;%1nb#GGp|YZ7}>Kb0Oi>CUe2w
z0ys8wq?x+)vlSJ#*ES8+%l`=~vEL%i#rv6L&hID`ezfII(6}AgWN>1Uz`w<n4J{*w
zhEi9zxT33DJkZrGu5g{3<H~2KgK^<4a3%WM;tKj&?n?AE$JKJ-opPlMFCS%i=9~YF
z@|<fswl|+{7k!LZquX<?M7IaoB*`h)kz^wx4NyPz?w{2o5w@Z#L?huyHiB}&G^=|6
zQ&(f0f3h;pJ*P^!xAW!$el_5G!X};p9(=U=PCyG@nxF+Q{Ub>7Cy=DvBiB2xqoq<0
zG!o6q;O5L7jXJf>8aLg*T!fweL9AX6tlo#9yk)4m!i)xcm{B<jm4mW!_iL2}k8Q0i
z$f~Xx{7VBYi`>=xp?Y2qYvry~d7IYqAg!`szD4B%?z>RSe#Khes<j-hRTeC{wX&d;
zA}v=a*0PBLpb)FB9zy;4RWx?Jjsw{B`tvn*y@3OfMEy1(iH22(B<jz%kVLQgfl}_7
zyg?Ytx+<86UiC2+3&!wFm4AeB9j~3w#5XAW5n7ER>aXiNZgT5cCb?IY53YG>`N*pP
zxifXw38^arobIyk6}jn7Xnk{I1+9dj2Ll0f%mS0o+5+y!gaY2SZ^BgR!(u@$YZFkX
zZ$jZp*Fa`L+0dw<R$bI0p75uHe5Uuu1fre<K|To|+%)<jEIoiF*9%QsI9yb({aAIo
zU%=-7@R+uK@5g<mZ%S^`*6=YZ_I`|t14Tug1J|itRIE%D1>rP!48p1Vm<Z?bhX>m7
zQN6BI&(qrAOiMlGexc_;;TBgEYq5v5#dDUL--w!mVv00*vuKm5ii%hQE9;Ezy4TcL
zXZNMVI@fa4c)Hq-w7%{gK{j=264}&pw31DeK<Pt>Ae-N6VkEtqU;zrD6>MH1y!C^L
znFe0%_4i4{a_5>KJ_uqFC_C2#%BGOIxspuJUyWmTB#IR%_ck9YgAGeZU~f9D`<QVA
z_Qq+Ay_x$b{~FY`-i$sqFayD5)=O$gZ$(^*qIOp=x)-~6QT47~sNOXc)w_CG@5Y*5
z;&S}3Sy0ysFCePv1w=;)5#5!nD<adN0|J95Veljjp1>fk%Z^?kFHf|BAVgjtDhcvh
zLul#&P3}Z?hn`Qv2}|}d%kz<ls-_na)gH0L0-RdS9S?AjR5XFVJEl=nN3Y`7hNoBl
zwE-GKt8c`D7qp7wh;%$?cmNxv$lcuO!t1)1=AfH9M$oM@M$pZ@(1q99z2L$FI67F(
zojSN(ba16R##7B59mH8hn9;{=7R<Q+{ySztqwU;_52TxW{y^l`?ikAt?jO>`SVW6I
zphZ{#mRHn8)*Df*X`A+RE4Hal<7v|#<7v|!<7v|#B=K{5%dOa~J<)QT_Mqh!?TMCu
zZf~Jw_axBrVnNIE+hbhrNrhVxm*jtIrAt!bi?UhLM@?zRVwWV#u~?=3hjc;dqQNTd
z!=+6@K@yuup>8sB{{H)g+2(JXnPwX~J{|u5qw&Aa^S$~GbO}HN)M|==4R`?9RXKm#
zG&0*@qaDAjdNqLpZ5`PsHIyRBK1sm&5!{rlziqq;4z{kt403Ec4TmVJjk0ioBes`1
ztct?QPcb~$IFgOypHI>`{xgoYh4425j$jSPAi{BDf#Jc_8!$TlJj{ZkInyKmNVVR{
zS2F+pJKJod+CW_A!QeW0CT{zwD7bmxd`R|aKxQ0BkCN>1I_}`%13Sld4mHk30Q^`F
zZ35(j9=u%cXM=DO@Mai@xu4dHeDn)5|F)_B|BgO3;f&h1r$WtiW6cIhV*Ic<QKa^d
z{<hg@Sr%^pNRGqG#9?LPtQ`x}Y@x)2!Td^*yjlF;fA1Hw62nWAkrkB*`!GfNF<s2M
zSmjFT;3f-C1$^T%8<%Y`8<A$r#$}tLvk_^wG#X=muGx+4A_EBuc;z}l*f~{|j^)T7
zSZI*p;;A)pmrPwVbYpx5%^Ky>W;mSq!q%VI5wT#wPE)qMobxkMcyyjRba)%*O7D8X
zho?8(_^T-b&jVIf8k*AtA?5a{cbh0}lt2mw&_-EGp#cb@2SK#UY9jHP>LY{vww<Ua
zzH%3Qmftp19~CF5PgQJNfR2|I6<binB6O4~u>cC0_bA7wsZ=W$qRRMc3VnQlkMnbm
zLV_DRFL!zqrMJ>GccwR_&_i?Kv<?W+c@4!k>v2<wd*;p-^l$xIIg7bdMgFhc*~L3*
zg(+OKZ9YEtELK_6w4<8EdrAZetCJ3(_le9%#!{g6_aue?PMw1AUC50v_)djZ{k^++
zQN*)Y4@jPpJv!5-;QG0|*BtI{Bq|*Ep>knjN0;(3FU$nL_y34FHX$f?a$!2p)CjYN
zQZ1diGvjv@OQcYL5pAtVf1_;B-^(`WF9MC^_cz8IoI8u`b@Jn{K|DG01>A^?9y#)4
zi2V;k>^~V|e<U4xYLF*YQveX~z$qrDJ}&kmdV$Fkh~%b7jfv!@NL`5J0POd`X?<4z
zV!(V9QQzctgbe^)v$hojK+u#59~0t#LD$yOUcamjAEPV#5qSa|EzOkVmCV>Eb78XV
zXM+JBw84n|Y)I1)V8bV=GQzHSw4@)mp#Z`0m0xXPW*uhSn2e949x;=C#7x!vY(}yk
z6xurzQ<s3M{$}<$s#!ub8bclxowymTwJ<C|46Ce}2qieac=sps(G<{SiDHd%X^c#l
zN21wXXmuntI&lG`=nyzmCZ<pq|5<qg1x|l8V<AobKLZuguq;79mKVxMXft(}!Wdi<
zOL<)Sc+6%#IX8gKLk#m!Rt6JjX8thH_BhVn5kX~)#JuUIe3)ZK?v)=UAH<-iK<re|
zldijYId?>XoOML?ZlV;@EzO~LVTFFLr+|2@u{1ghY9GRd^f$u|a#lMSpG%dp5QvvP
z%2_Sd;l)pfPt-!%tH#pz$hc>z)ro2qIT=W4jm|qkZ~Y=C5aGYFgO!oE)T#TTtmgwN
zTbgrSE0ePl=w635%<l!%Qb{>eAow}b3qfO`@;Z{D45n>_V-NtN9ss~E=UPz!IW~^=
z(WlgDvuS62s$d=MH57~>jD51+7sbfGrOgHw!V1B^$U?q|BHfZ>#qnK~m9WD96UMgr
zZSoRX@QNvhvExTO4hVn5jyuVm8{(Lq4{>89I%Y9D$sU-VSdSEOk=MwbS@;MoTx($_
z&gf6nib>c<doG^~*rq(DAe7Jx!gC#C<zLbHh=wlPprI%mG!$dT%qs;a-!|n@Ix5t7
z#9$K1%OhG+!K%pzaf6cO<~HSB27sEe_*TV+8^bHn7X6R<NZeXwXzTq)paP}kHsv99
z9%ic=d#)gqCNFbIj&-Hka;4dFr9p)9TH3xlQi}FnOepQUgO+{QT2SF$%F_Au&pFT0
z;}5P<CQ)DxHXlksf_s&$oF>rn%Q>z{)W+Hp@fB0ZG6NA_@sHmT(Ge0*-CpH-)?f>g
zUy0g2U_V-m7G~|T;(wj=@u8j%R~!X4rxnGjtWYb8zmh*9D*_|Bg2BSR<n`?9#yHI3
z`Xm4DiXr{s8c1jOdoLWsf4Jfd&kF4)5a-ue2<yDBH;Ecqp{Vh@E6xKD)9X+i;MtE+
z?{z2+aI_+5YOk^^eHZ&WDt#WBxMxO%OdIA+q?AlNT_(Z|ZsMa^-B|Vn`6#PheD}A_
zXV%w2Y7wUKA$Z2uU>Q?A&_q#&F}1UJKBV!x46MIEXMJv5eAlAzgX5u1QJiK%Y6jMa
zHiXt(6z@Zue8h&zO8F7`CgHsw7`a_;v;juSc&S*Mvb<J2zavBwa<?_H6#d@}s!-dF
zbHly=PbaJp?k>6EcvM-3Bpy#wvZj6~@lm<E4e~vkLQ^XWYiA{5y!UN*h1}i6Z;$_g
z1`n$uZ8XX{tf47OXo_4X`GEQFpMCE<3LaSZi#)L8`<=0vnVqqi_vww5*}3Rq-nYE5
zKqZ9+E#FH3+wvu>$lHK)?<Iib@4MpFW$j{q%L_BRYP3mDyZf$1$mqU1wd_tUyHd;U
z#aed#6d9qHBXdK*q~4>Q^PmbfPdmrjbpA^!vCy8tTPiuUNZZK?Xge(dZ6}AK?X-lV
zZ6}9*vh91J3vwfb>3Jx2;l0olsfXe?l?Huhym+X0hkaX)Pj%&nmDckM1K2ugYtGT?
z(4d%EEu!@vh`t4~?1AL+L_*9~nV<Ezx-yc;CdG`i%~tst?+{Vrz{j*w3?2uWt<ny!
z4*`GdBcjOfNb|EB?;~GKcV&3NE98EuLR@`jsiIu{{ZioSGfRQ1zh5e!tLJrnK-|Ao
zrjOPgF5m0yEoj1l7NxU=CO*}0{v+l8sNwtW>^qGpIulW7?Sm++Z4094uC%hgV(`!^
zcy*-}dvzt#t1FFOUC9NnE-~KQ9vE-3N5ObqSsRTWZY2;sxTZ+43hpUfg;Vf;c18Ss
z){T4Nbj4?|YNF&<sk^u(^XOFnU?zY<8>>1IPOiBc)yTg%2^m4>7KfJe%(IA;KGkX=
zq#cOP{tJvZ(I8;*FWP@>l=meH%>#v6!Rhj~g1;}`NAC17?OH3+ZEUUh(crA@w9W4p
z-O&FCF8^ib4j+*{TFSqJ*Rx-x&X#LCXFjb?n_{ysBi@e>k?@CgAYnEiB%D*FAGM#4
zgf8-5r9I*%&uK$QsuV|(Ge1xeBWnX<{LqUqwE;247QWhll@i3=F4%|cgkmVxYgF}$
zPMPe46loOi3{M1DI@_rYcxS_|{fYMuUALGz!_pac&WC<D*lJ(zVcmOo>f`C)H~|qd
zA{zQ{@kg{33Mw4RDy@SNe=rOG!_aZ;>9i+16VG4R*}bm&*sdK+@~YN6f-LFfIt$Lt
zKQ;fHgWTj*_^oGJtYQ5tE+f#e9)X#Sa(C{0=ZDO(Mn_m$`m5(POHEKa?8lv8VjOcm
z<XV*T&GC^Hb{cDM9d_WVb7uVh+lS9DT5!||(Og4&q|tF8!`d3}n!g)oIzMgI)Je|%
zf#ZE)rpYU@(piYlLs4K{5o%A^QO{*|^IyDiW^J>0d;J3TgN_YCT!L46M{oYi2c50@
zFILG;UC4hiti8JO@?~chg_vA(c_6E8tj=xj^g7@9NSkte8MiyfzkCsY@4&;o<<^Z}
zGkWDn{u?h@79Z~%yc&INcey40i~anZJI(1F^o!9kS>d~&hU@?<;#PL79&B}XL1p+z
zQYQ-cpk43`J8t`cHMD!6mNjG|vOv=?ChI7E(5^)&fp4B&LKy@Q2xiB1)%5*%Q<&3E
zkXVp3Nv#Lv$|6KBoU9@OkknV1L^p>moAAyK1_CXSiyV3l3?BiVh6F__Ri$ug67oUV
zvd|nm76cF8YRV^mKd@!Lp!~L))I^!2o?x?VA*yL%2eaY#5*nVQBFab2EIanKdehJj
z5Y3f`_~oVEEY5rsfov-(W&m;|K^EaJCgqyI2s20A9}s99W{$aj$Q5x5bbk1@(hq&M
z6fexYk_;QA%j!8?*D=@&NdQ53TcExUcdut6-sE1E1>amqhsJ@{_ac})X6d<@rAlh*
zLiE@AGr&4&>Qy{ga`0M#h#-<lr<A<fFt)P2{@!k{+Kg==yPmwd^d$)CnPjz@0WqUt
zK9V<3ZO;O2{a6jVeQJ9$Q3#UwZ!CjMEJN7>`eZTN^MYanYJ9#Ng)poPW%H>}=<K|p
zvI~U<zMx`9wLkmDYG7lnx!zi{gD4ex4Qo}k3E5A&PgL)1m*mdS2^^A0@nAJSy9Q-E
zKwu`h7hcP5`Fi$3keb?HFVyQr{lB&>LUj1%5V+J=M0&tp@FapW*c?5q?h&r#J64hF
zjv%aCEhK$D4riz?u*J!XHn8R?_IG0@b!_i5wz28cPGsqe;Eufx4ocgZTRRc;t`>5}
zGL?4*S^Z1O`&#eMOPkyKaeH50dqmeUGaY=t*RSK_bnI(Avr{)1Hr`);V10@MbIPm2
z1N9NdLa%Ll>fq?xOBoE)gIE|4MX<W?2nq`bS>>eKz()V#k}~W^g<LYauuPr&^b{+l
zJF+EoZG_A6HH+r0G0A7QvU2#oV!Hp5DK0;Ij&tvCYRRkWy6E9hw2Hg(RbA{`FhqNM
znl`|5$ImWP{1?ogX4=Nf>6WctyJ$J$R0j16GbJM6AKDLsC3ZD*z*e<IaM9eOL5A=x
zOIEBmO=RV|D!ST-WBo58p3qSk`j@t4f5Qgn-;(2WSZzTZ0ZV=+Q{JR+Vbl(%B;n*z
ziP>Fe&MAFPwcQNEa%QjS+FpAy;jxS3ZOQR>_N8)*8KLE_+?g#_et|W5KQmiE4%}&Q
z6fv`!P+Z%v%?XB<O1$KFD8Fxa$<yk1kYRVIrE9CvwPW%A=Ug23QqT4wFT^!HE34or
zx`$e><i$#Pe$|%$A8FqKR>ifo4dTqfF&-l)2lbrH89Vk8dsM{UTg2W$ML`8Y0R;iE
z$JiCciqb?tQHqKnV2?fa-YaTiLD!H?ZvJ=A0b_FS{r>Oy|0hOa&+cXIwbowiT`=<8
za4yvNA@2lvrz@KtZo0qexjmH?4Xuh|sCHqMqOWx`n1eqn@59Q$VTM(iIwQ!_95!#+
zGX7XUomCPH8|DEiXE$cyzxeF^)1{CHqStF4d8$r}3ExNhyT6^<NVfe+J!<ENY<<`I
zKgLX^knO_&TR6Rt8FTwB=pc^#U1Q@Rqgu}A;q>k=$QjebR8-CJ>EVp~t1T==*K+mH
zgU=8diXlY0;ju{0>ptA4rY8EX`W@!H4*qrqIL5V`Tm5_XoryL5(30BC<^FchmeNBR
zSBX<k%>LUO*ve`*Y~@PW%79*rVQ#96oP$ld4pwcu0)Tc`lSWc)JGBl178h2b{-7NX
z5H($m39wbG%Q$0&i;;XxhD+mHYq|r{`9UctT&LEMbOyBzmf{$Y1w<ruN51+?)rttN
z#bY5OFgs$<!0B&_Bl(F`m4u^k#;nS|I>{8J3x%`i@a`BWQthHfM(X~v?rz%Df!)XX
zI3tE#yjDxNH9~1;s`22BOcMYiPOGGzD5!-cO+=ww6!IR>eH02&0V~7ZN2_3)Z2z)2
zk1!5uF-ycTUnRBtviN1)y;Kw*t+n}wv|Wv`qj_+kXi28`6huMn8?s~HH*fDgdW3Sb
zfsmN8cUzYEZtmE+n-n$^xKaTkD;+XuWGnLzqvMh%DeW2wy^mk@#CcHdaf%vnyN_>q
zi0sa?8VfchLoGt(ouGRKLJ>{E!79%>u?98jv$iu8CW-*&SfN$|+7*=szANjt<wG_4
z4qK*lv*A3lde+THkF(mTUF6}dnkxEzQ3z0uTe&6;=1cgkwuCHHgbSrOf;Fm@)930m
zg|%Vp1Zpe786{M>BDzo+V>`E`GiTDa-&C%#UZRy!(R9S=1<e9*#tVs+K_p(oi$HLQ
zzabbel?R}1a~wICU`lXtLwN1pSl7PT16x%N-&yMR3G|^6vpdD~qXHH$oTAX52r<MD
zAnnnu*uHgnvib5puWo=v=sU@8+T8g+0qxB&8o^Hm!`As*cPx%I199k|?!7dD2Mhi~
zI>?vgU8wQF<)qVjO1tO6WUp~PgUwBTI7mW>LV)Im<>l+GCo^uFGk4FNnxx!(DI6Hn
zEwzOixRnax8V0c-GSwhl0Dq6y{)N}?KV3vwLScWpCF3uP{73(iJ=K*ERU2nIA0&u5
z6mN0|)fvNVjmgNm1v+%pN{1dqJ^&s1RWt-+7Dni_Z9542u1K^}qv@O)Ww9z#W+0wo
zD5%jq#SrYnsZrLvsHi2$W<#(#kBr#g>DK){+6Vn7SV)&aP#~a*m7#F#De@|A`ySz$
z00s#Rt?@&`&zWL44AO0Lj5%3&({ReW2Zqs$-by-kbrIy8!=G#Cr$<j!Ko^Ra*j8KO
z9{lL`#<rq8;)?CD%cIRVcX<Ij4@*ydb=0KcSyp4J4;I{l1=nW*Pkc`^Ddm4b*4fO$
z{>b?^+Rl&kN|e6}v(7zkGKeVHMF-H)q9M3U3~&ALDnUj>6YnCIP$=9R8GqU=;o8A!
zVKyKTKX6hfMo@nNAb9RF=$#kn-9gSgIDg2eGPdY=ZQO?#Rt-lQB*H7zCI=L$5)(5K
zwb4Bv6IzCOy<)ZNAsSy9+#?`Of{~mPb@%qn_@Vpw8SNGQVQJA)L}HNqRXpdw6lA_y
z1pmw*9I3Ym4@bS~ChT3eIX1x@5wU2=8eB55gk{~iCLn0VBy+uyLs<E#%0yOmcBinO
zL7jko6>xdZ*}%*8hN11?Sk4-A@U1V7g1C-=BkdptFc*Qvi+V5Ga|!CzuWjGq&Wxo!
z#_Mbk48QgOa*0*I2hBB}9TqvP65UoSNGezkc%{~~D-45ph1uDlc9Gz3U5>o3NvuD6
z4S+m36=eJ4=XF!dfUAn4t5RRxkE?!=V~4~}+ZkMW$x7YYMQazYTVjvAxC-EHRlycU
zj!v`zS>gO<0AJpRG6mLJ1XR;1VHm9f*x9O~B4CkL@l<#gXR^WUcl9fYDpQ<rj>VyL
z+*y$-vpC^rQ9lQEKgC?fls|12^L4cgv-!+_OyL8lh~@1gyxV^19Duty8)8|ZgF~QB
z&K-7o`q{aa^-nNpYz*3mRaRHyimIwZTxLJIA#=8h&daoxQ`m&d@bqH|LYk<5uCZve
zMRLV>*U9n2;=OkURbI4Kw`TF`#cMF$=f%TC7AEQ-&V_(@TL;<_19hcUyhhHVG{-=W
zV=~)oRia%G%dy~5QfMqcMhTZh01zh#)JSBLfr4hZ_zRT-GU4V8ocVhyYYgA;sZEC|
zEy3`0f(s)UzT3DXy8&hD`;rB+RtuH6;YOkJ7hIFDC@gI00`t__8xBraT0o>Uy!ZvN
zAc`bD@YQo>E}LfVJ))%Yj@&V$r1GDB5{kh8Qo=ReE7q-q_kwFPm@oJe;wDFHb}=eo
z6S|2dnd2_%z>=}s7_J?kpxR^v>(>$2Gnhr-aB914z1l!-tHwl1e^gllt3=>7>sR2A
z9#y{w9>ZPj@Y*4?nwA#}o4X-1VekIRpQ(JkJ~!c%S@F`XCx4^uEzO8CTOG3d6xQ!8
zkj^VjQ}lzE79xoJ-^|GMgUJg>WIXK<c^ScYcwvxURP_>kf5}BHC9sBKe^z(a@L8h+
zhv6*F%AS2-7Q*J%t;D`VhN4o!46)$?K_7?l*{VZ1s?t!kmQ)>Z1z6U0bVFcGM4af5
zsdFX=yYULr<|GFv{6OU^u~wit>=)L9J?8G$r>Jsd^2Vf%sesVi;=a*y)8w<Pa;1}^
z{yd+$%2dXom=)^_3E_nrhE{-_jhO>W#x}!M^O2~}q2nN7d~c896buyqu(%>Bdih@S
z-91y9D6BWATW=k8YIvG896No<!f6(o3ou38bC{a7TpH1KWfI6Lt);Jns7erhZFupe
zIC4!A;Iz4zK7z{9p^^=!m589PXOkR?5(WQRj4=FOq|?Z=Rh)nvhIUXYkPtuPYs1BN
z+#PTpJxA3GJ!J604hz(~MP8h^tC|7zr^g3)v)eEuF(gLBNe-$bcQHCjs!_Fr2ad{i
zu?jjC&o&uxf-X=Ufw}<uBp;y|hw=)+x`?Qbe7JVfgIAU+bD`w*OD>auovUdW&E=74
z5J$E`8X@sUxO4<&T2;th@&ME00T%5&?)R#A=7Pn>-I~&22^SHZ5coahOh>e9=!IY5
z^l%=qta34%Kd&$_0wKM5Nc00^VYE;K>Vig+em3`@UJFptbTr-*PTL%On@n%s!fB*_
zvm4b14fc1RtZX31gR4l{x_{Ndh}do3^i8EHbG+yGn`h5@`!ZuUcG$$mJZ5E~_*nvP
z?Vc0zNL1D>UAxw_KVk2tWOGiEXVX?whrkIpQ)ac`m;p?<JPu3;&~f%s)UV<Q&JGda
zy$6#M-&}90J{NG4m<v6?wc1v#P$YsY88(|$nLWiXr1F${Vk8?V06_8@0CYBx4$ux;
zSu=5K%EqkKXYIcTUaY5H;24I}6o|Jm0oztP&;_b!IK9e|dTQeBceD;dYW&Ya+UBUW
z(dN~wmMmEX>2?Qwi{zD|A<Kfzok#e!nW&6yER5m8Z7)`l^%|oa`wZW2PaF~5*$nUb
zg`vt0_N}mN)v9Hy&G3zO+pNU*LE!jmfc!vvc7?-2jT<*CTe)7DLEi>Tzsm3guSmnQ
z#A8*3mT3nAet~4y3!XcWZ_fi%@S~)!2~>2tifw|`C{3k+JwI`GzfB6+Ny5l8r$W!8
zK!OAto@zMZ)u04g4Byt(5R4L}S2uZbYqc^0^HhUZ3BKH14HG5`zHaoFPXW6jl$1-D
z5Dvg&r%nnr#&0a{*?L)MyYIlPW2n4_#C`XbDqM+))p9_rU?;<dv!TXUd8f#3lM-=d
z&9${x?B7F(<rsYPi-63yA+&aQosc^AgXRYW_?W}39OF<wO@5ufWy_)+X8qkL{|s`0
z&rc(?ZX}r4+nsg94+b$etYG0$j$u45$~AJ_3D&gIZSgoYjZEK`8@V3@Y2m=R)drhz
zfja{1wvBE8a}IS6^$48=f)=(rY)?pPA9Ak5+Jbary@5AQ-L%lI)b!ndh8zDP0Hc19
zbxZOIp}Oy647jd!Q2j-HGR&d?sDNPL`sT&iFaY=gxo{LiCtwQnh6{f!5z%C{P%|lb
zB=*q)xTGL}iyma~y$pmfbf`L0a8Fdm@%@7?aSZJ081}-;!mPN2@I>?5ms%{7&c8A{
zkBM_;Pg7Q27pOKaklMNxorFz(-VyHRdiCqD7Ocg!I%J=e6uBu@S>z%Nr`E<{)Aql4
znY=$uF|e&s3+HS`2rixBkD#F03j)jrMhhKh2d>x@sL(v!rfpkRZZl`cjQ*~s=a|uo
z{))U=Z7bvGJN4nm?ktzZ^~I;Iomv6ncm-Aq^N}lgV_KU72f-%*kUUQ4JEq{-92poO
z{Xn&60>f0T0D0U=!h#mIz#7$39VJ$k|5X#W?+R-M2V~$a6%;}bZRCer<;{GNw`e|O
zbX67g2k4oU!J!>Gp}7jU)~J&sjTC9EG#Kt|S(x-XP@pmR=a)H1z$`-Vo*^i<b=7UC
zDn}B=-s%OAkQW)4{;wNmu&)#kl-1<&Z%}S0%F#aDlP4v8pD#)q5Re5$M~hVMxmL6h
zOc52=FN<dBa$^D~xcLSGng$zWrxc|&V&~`_NLRm5_?}ahf=ASWIx*V^%+kC6jLDOf
z(=CN9F>w(|=98(@yKPXIb6s)~+lP*s*3&%6BXX;sG6*)cZ^s@u9dsNAa5xBabARej
z-&~=xfI@2^L*34W^9WFc3U7I!l-9Knh>(d*JF{|r3J_1H;hp2PO#QEMvAjamQx~!~
zhim8=M;<;*I+A-V4lz`GTz^pXld+gBtYFlqAc-0HVm{=H$tD3vvynUdx@*eltmz6M
zAzV2)^>5TdI3kYx)i~HEE;Ti7TdtDH4B{7Lwm3%ossE2)?+bW@ig*6>2-LwM;ds@B
z8{-i+6zAm0Q*g??dc9`ldXJinnOyxuxCT&D!>daSe?Qj(-G6Z5;o1z(dtNBY#fC}M
z?Mm3OX{Y&kq7SRd28|guI3#TOiV$Tw2V&RI+yBEwME!YqMmt{_I1Oj)C^^)acWP5c
zmNNLM5a>5~mWR3L=)^0CpVIy{aE{MLrtdsqPK*r;h*3^IMWC1w90&t4S2Naubtq^?
zRUoc@8OKncF4KPxP|XsdSXUg@5|q+T{SeVJ_p*AyxF<d#b)UD2ch8m7$Z<~`e)HkK
z0nVuC0^hc05X%E}8g#LA4Sxcb5sr)l)Hx3KFbSn`(wsrF^K)~aZ&SA3TXA>QefxW&
zVGPh+`{{6!+_9xq(Xe%4l|^-CH?i*@<`*1jo(sY~Uoi~#<%HYWO1KRp)b{i>j!cqv
z)Fv*a(l_XvrjUfb)6jRS7PofqBd4}ip*8M@bH@)4m+-&F`T5Gi8$(c~d#oF)O5MQp
zsojdc;S#>J(lqH5Jhia^|BL&HwbTrgYFG>Wr<;&`5r6DGzYOzn6B@EWmA{Pd1r6M4
z+=fd*{Qk7jaUl+pTm-JT7a)N*fGo9A)l0Yq5a0k5u#rXqw}V1F0%jABcudel*kMIz
z7$-=>9#LCh7`J`IoSJc*VKQ>cbPm&%!KZ7!G<qp!Y6k-71Vjbkme>ol`EHJ!FFf^-
zE(m)gHplKXuV1T);v1kd77V9W2h3hE+1z;S53I~oC7@Ht@bDqwLlCVbCnP5%%igfF
z7v#G%Jd)J>f}0uwK|GbbWq&S*djRLS91XezEsW0gDGqov4Kki%gV1-NLLtN<K4|P0
zn<MsE1VNmW@Ozvs;2aCN15c;0D%nfSM%Rq0-Id|K4jo-j`6!6_OzV!*vTF<#&u$3T
z^7qy)-V_WDJ?mF6!@<RTj_z31?PGTM#06JguwJ)n$;u_GxP;DIyiv^aKzJ)@u#~P2
zrnm|D3#^S;6QZ6Uc8iI1^A&4SH=YLgb${l}cBqK<YeTL=GIPbn>Y5~y4an6QphM#Z
zi{ac;OMc0GEp8@f;l{R8SyxRO7i9q#wcjf}X#f1m`gJ9v=6An8`k(@$R$`@f4M7*3
zC4!c?7bmL2)sA4=1PDXxP<g60QGYAa0pngTC-&SkBcr%lKD57OVRpLO7#TE%sL+*H
z=*la+sj;Ux!8o|M>mW~ef}gUrL8u{E8`=ON+}ar~ZTGTXemeclVn*(-qBqoQU$Aq+
zk_8J9ieYx}s^}2qhqn;5cV8FcH*8tG$-HSL)t06~A?)9Ksxp|_39ek!F0L884-G$}
zJIRC+cJL<WP0tix#&)qP5D@F|T-HJGPP$-w1NbpZ)F)s@uhKUT#qnNxfd;)$N75^K
z0}T{jL11jp`3evL9`*$jp~Zr+O5IR|x=<q3mpB3uP|8bIuU+EWq)qWLl?S{M0;W%a
zHnP`9+-L`mT-vb>VY-xyfFYVVl2c!qmBT|hGyT%+H%QyAtao8sx+_760ybqbtQCs@
zJLtOf64J<giIsxpOl`+MG$?8(j2E3b0C+W>ekw*_t5)Nip&H)|rF3m@C)J=e0;?}h
zZWHDmGHtFm_|7@;!8=3Z$K2Kg@#-ubp^qX2(2jj~*YAu(2q18+o4hwp-Q<0!btN2|
z#i;fm7P**x>W3rq0?pf7g=kP@iQi^ih@P(+sKOGkG`+N~aptB2O(1a|Rh&<ls4r!g
zyE2!Brvf#>Uxu{t_nZa)cd^6pJ40Mk6t;>Vw8q+0IGMuH)Wwfn93D$YkRd_VZ%6&)
zEwv@_J;<9088RVB&W0qJ*$5`_dtfr{FNeus3($`@AiK?}g5mdSQghk?gB6H;XMS7G
z9}osE37I<9JT@fZ=o0Nc;diIydA&$y)*q8W%DI7jiCmM#rI$Oa<$JFXeEWY0b3UKP
zdPF%y11K^fcHuwbJ<j;CFm90a17ciR0|tDKznEXR^bo&q$~x?Wy)u|uGs!q=Tfkz~
ze)$T|5jKO)G&!LdQe3hJNA56f+XCeHwUz_Rvmz2UTcu#11<ZbdJ*ynva(Z=Bzq}F0
z+$@HR4W@PJ$x54;{96lhu<#IvLr3lV<?5l#3tN=TNy(FbFtr*rVUR_yRz}lR5DTfU
zf2@DJKYeraG!LrSl$Cqho-=)M5Lq1_fEo{@iq}c}o;H6^I)jtW<xQyZ?w*4WlvlcQ
z^RLdKa*&(ix(Eh+H<xTC=Q2|sGuu;h__XX^w<f`2(64ua*MeZ^xWZ-moCV8fnp=B}
zYN6EA^;q2@l9jV85`BIV3=8935Ze)OiG#>&&zcv_5+}`_H`QWrT;USIP#DcFj$E~5
zyV;;$;ZoR%l8ujVo*<h~?M^jq>fE;qv$@g#vGTOESKyAkysgoRiCg^!4GNs$r5N<f
z!@x%d8ENxPwpr9afn=+Cymp8or5~01K&7$87GgXXV$zN%N4<{C$P3#|Wh;5E9KX>m
zD*M9jE77;?nMn-lJAH`f*b%!&rA^GRzi{wE-UHLqKF8}=3^$l<w{{KPHja!Li38Qk
z&2>m)lhd{4R1KeIs~p@lK518Ez?3l_-Xpy&A#wBKqD_Vudx|W^0ppXi61K#|?ojrQ
z$Q+gJW<T4<JKV>tABHgRDoiMCQ`E+|VW5I3J$(EDaPuAa?aRvEJ01~mI!qWnOwkYH
zH~@C!C8-;zP%5%x7M*?=F*(Ii9SC2FZ^Wr%7A^8p-jmI5Bz`iHzQt`Q!0*e+iMw|l
zG#}YLxla=&0`05?YoO?p<zXstD>8X}%}lBxXG+6pCc+UvM})+Y@-W=<YY1>VKf&4(
zS5;U0r$v3Cbls~%Y`^a(FjFY=ut(3|sUzMwq?01krXDf|QkE)ypdpCDldLwCY2^i;
zCSs#Ez*ZL>QmA4qRf&a0q`*4PLE~URL#@*f<>jT103~fbZtx()ccbd1)8i8kW_l-#
z8|OWB<f!<m=@@-zfjX$b7IolusAz`@)WfB7Glnr2zaM8V2~b!|VBe)|j){yn7Y!;s
zc<eE9j{a%;Pg@m)P!AK_XZZ$soArQ+DXX@I-3@2jyK_0j2Dn3|2YF;dv)g7*T3+5B
zH#`r1?=ceEBi0tPFq?jt3(M0DX$WTefFo>9zGimfw9$N~e<PcG>rA)7OgHZ5*{zr5
zc3UAiF@?`}0-tYN{MXbv-?R99Bbt&O{^Ii;g!w+s=lk$TxsNvAP%78KvnBDDXXx~Q
z+KTzCsm;9$<~~}-B=oF!?x$JjK8MeJY!5l;i@DF{b02j<=7YuadILbVm37D^C6;Q$
z!3_v=&&S+<{1N(&n(oUwaUyj%`uLr@YkxlXmeT17nER;-<Hk<I-0z&4p<vpyxzEMi
zPtxXI#@ru2gt_<m(RZ=G!n)H!Vc*vH$X$Hy2aLen$Ndz&Y`a1|*doC#&^u^K@jfq0
zf_0y7CWFK`G@a%fdJHx+JFRVKuKfML@BUNZd5gEUy*Le9+fza8ryI9knn-GOo9VH$
zlM;6)W||KtO?GX~N;PE7nL*LVNW<<y6j?_Owk5mUEFbv$?p8-od0UvDVXm73UXf4s
ziYRPR><Mk7m$z>8b`x0LQ0DpX8(pm}$8sJJcQ!3PCwcM{%tv;BpWqmbOxrpguyxdH
z*gE|_k0}qLJ~q+!^mX0h(~2Qo)P~d=LuxW;a`!%#TWy7;!~_g1Hy#74|9M=VpT~8C
z@1i5b$K{D#l*M;ZI(CtDTzJsKV_xyN)<#1aQImRNTrPN=*EUgmH&!E*O|#cev2LPl
zzKNoHzzeCioLn-lmFFalGP#yerp>sfzI}!ZV+Q%b8=S`;X$%%>2AlB=?}CUu!s%8f
zPF1&k>7ZNVz;kt<FtUVheZ!YIf!T<oy~oV%8e-p=$`*Z7vfwJ@8CyE{*Mb|0PuRzg
zudp3N6P0gqN26s}aVstBT@NR#EY50uP8zU}I)0#5D&(#gv<MyjhHNg<SN8|!b&P^h
z&c&T6*+6>~o1S46+x40<Y=GrzlhobG+YbCxIs3=>=_5^pJUkErt2+20vLty77~<yL
zXVA#FlnF|=hQgqOmp$HN`@)H*H1LxQCEJRJLu++~N_SMhV%<d+T;wR!q<9@TmD0xh
zRAo!bmOY#HfGJzzzNoLe34)EapPuhO;N=AGJmFjp48&s|sL)b$84)e+Lp4?vPsp~@
z{TI&lQzEFWKyyHFio{v$>bY@3^xmy&Qp_jPCU)&SZeq_tqvLl^P<k{JhGqXU{)2YF
zO3}m*(D{`G(ys|TmRZv(knZ(8^tH<OXPE8yfqr9gj_R&DmVMEjlIrifUAg&KNOSAE
z2M<UlRvrP(Ss0b6N9C2pJS6JaJtTxG`(yTQPBI_b?bFfO!*dKK9FH)#9M)_Bqgoed
z=2^+*P@XwYVoE6Uww@WUlFI?ZGe5ol+mjKweUbsdx<6rG&S}#}=L^i9NiDiFo36Wu
zWlvPg$bG#=4ry(w@v<`zI1M*aRkN{2?AZ7trmV#1eTQ~>4fhD0>@x*nsV1^?<KWRr
zM>Dpi?Tl6KOwRS~YZ~k^eK_EV`Ch2}o+gr=^%7b^uZ$x-;;&p!Ny<2wK8clHuZ*5P
zan@wBKZ7Q?GF}61Xg<whQa&rsboE++tFLmW7uoDP5}lR=;NAtU!@8L#xJO0LRN6Ha
z+|z#cxQ`HGyFy_kic#%{A?PY<17h;p?mEqpcb~pTrA&`Ja(WDP^Bg)jeQKs<`Ld<U
z%|8uuAJt*Hy;iUfIK9sXr|d>)RB}yLYlI^4I>3Az;{OKR8ntz(aezb*9P!tEM4FUX
zxauf7+@VUqFn~rNh!EDG|1XkZ?8Tyk#>0D4a}fS0S2f9lErzi}_PQU2nQb^-r#=8I
z)C%=~1%G)EyM^4AuDd^-fW@jmJ0TdNF5*f2TR66%eju`5;$X@RDJTqPnrGOe;;K_}
zC!`J?I?)}q`wU6ZYS+Q+p)8D!Ps`xbeW)v>#b98#-aM0%cS!mEs^H_}6FAX4-g|r6
zHL7(ifMf+sN(64Px)WG=6DxanFxglPr#7goc<a09liCh&<)!G8@wT{=M*Je_-RKit
zlm1Get!%{Sk0|jBn*Af!HLKly_>r1FuzODh{bUr>KHaAV*Ws!Gy{zP>?xRBz|47?=
zAqU$PRZ@br<0Yc-ng3M$dEZg>TiYxI$m(^JdLX;@JGDlFEi6f7eI4s}#P=-DLe~J%
zik#X9WYoTBd1=uYUV@@<Ez5Pt?WJvoYO%{8H=}BKS!98VW1IYYLoNMVVWIW`|Gxb8
z_t~QUTXC@UgMCN4Z|$d2uJKzs+~8aLjv^?MR#RVVO?_V$_0?*^v;<;vQlPdw=U{{H
z0`Tq@{)AB8c<uPfTek<CaOp6hf19?)`(0J^?O2t2h->C!x1Loosy_FMd_;Xa_2=R=
z_2-f_7WC4#Xw>huU_DeCac!EV-p6`QI4^WWK-^Y-tb!TJ;a1UCn4>bGyU-H!rkOi6
z!$}EY-F~lS3!Gn=Ap;!r`Cg$TIr2y6Y9^|dNKRJ}^{vrfp(T??0NTE@iFH22YTRdt
znpa#DTM@gW3d*9zLlBHRBc9_3s)05vjV1_JnPVaZ{Awmv&5Jp8V2B~7mX!-#DNADY
zjpT8&R-vmZ$y%CfXH6@7%RJh>`@<Da1xTl#AJWe^9d=QL;Zz<sKq$(cz8NUGg>F2e
z<gGY#%5>dt=dks#s>og+z4Q91MThcCN7iplvuwTDTWsn+nb|0v*G=qgGQ6GSKe6W$
zOLJT!XO~1xoYZ^nM2yEKb@F4aPsQzkAuc~0qUzg&ydCjzYBJd<m*%FNhMcfFD&_1l
z%R{IwdM@)%*?oFl$|V!oxF<KY^lrCROpge5RR%2@(bv>IdRlfUfVqc-`b}%!cg2W7
zCfBgwah5=6;pVYsg}>WwplrJhtQkz!X;k6wIOuwITK!J4d&rg>U;Q4;f463gr^9wM
zTg%Bt|1Bq-HNH}N))W5~T>6zdoR=s^@90n4KW+Ah**vv_al<>~ohP@yJGH<62eQfX
zyUcXHA-J)e#Sk2E`{)@kP9EOBx}fi-cKy?4DlWQ}lDd(a&!bRz4O0KK8Om=!FMOD9
z{b!{Fsi%3kKoa66gsvrraNIA=Ly>=dICEGF<A&zz1t#gJ`C36gtR>kj_J_@=twRdp
zLs6yMRH-K()qU|Y^VAr<e(R2nmYeP`0(zT#!e-5wV{uNazYSBIcB`m0UNp{Mc)BY*
zW=@o1@XSd}$T$v0HG0)0Q_PmgJ-he$`|Prue=a1t^+|Fzv(i0!H<=XSv&COAqz#`s
zWyCNTYiwHG&g2_7%WeFGElFM$gKrBL!I1XDf$Kh3%=+VnRRV1H(cz=G*j2d=H<j~&
zCc0kH2xF=`VvGo-z0MVecn!$DEmeb<;edsC{OYfzq2B)rE?y*9j`h)q_n$T)m?u#F
zwI!5429*B@MN3d4F5))<|9vNZhv_m3fhu3(;i9|vP*uZ~Vru>b)SPT3L{nb`+J3|O
zo1QvY^Or4dC<_f~#ZH$rbqQ5J;!Q<s1+V<0;3fGN-m{Wc9u>E8-rBD#D13wWs}7nu
zPP<M6njI2Jmp}gm8qJ?JK4CWdsWR-?Tqwx+P7HZMU6QGV>3yTqtbF_S)4I4??sO0`
zQxZ32nsZX83>h+gir*w<)g|FP_CW*>kNfsaQ4<Ub)Iu%9nRi48!9tvO?bmFXYCDo`
zVK;u<v4KMdBF8|DD5!-{$ng}=1fGICwnc>?2&^irf3wi_rtPB#+1KqJaT;>$X2U|)
z7YJw~KKNsYvCuX94_BCwl;k7jdiDc5ewgVP2+Of{FaB_CC{jDel8hmR5}Ku5Fbkyu
zt!qf&UE@i%YR8h!vHE|}EEw);-DCAjXcqF>vI73N=@NeG+C!T9@YYG&0~hWT(6eXq
z`fJ9V^z8|Il@S+&0N<H&Jk0|=GA^7*&O9BrEp%p-a^#ed=rumBuenwu7X)D_cc(oe
zL@cj~x?ZQUx1RB;$l>Fs4|kr)?Au4ikI(jrFK!+9^;P@idJ3LYKeFKnI=)Mn6&Eyq
zjBmhDY+HLelSTHac^SD`wuwhhA3OYW-Vr-+C1)_GC-?CNEq!+%T`u)qOOONUNlPlF
zWR-5&@8pXYCr{qLf1+Q*hW-1sRK7oIJa%%Yn9vWpX}24~j)?W!c9;%KiW+74PCQoE
zm=~qnwk~u|@Z699MgKvq|NiIq%^o>C%O}Uj)aJ1v3laK^`4sTz5!>DjAy{Uz0OR9V
zVi-&`R)|MgYvF=uxO0qJ<F_zcC{3t6qX&n<&!SVZ{sX<gJO}mlx#E!g@aW?lt-@_E
ze0guYekeOP+b`B_lQM3L;I}Sh)dti0HS40b$Ih7(WjSz4*gkE-mT~3|qecxH8b3Wb
zNXZBkc7#PP3^L7`J3r8S+NP)(mf`&b&y=*F{buUCo_ERM{bi^A)+O~Dtur?Q(U~4M
z9HQ~O^El^?VK*_@<xm$HHpO}DmT`Z|rlfdf#8F|^?BKb6<_S~c&zwq3NZGzIJUCLx
zJSN2Wdu$zPZt2{M*)W@{KRm|zR;7Pk@<pwkFIj6n`|9x<!yaC*H?Mb_TA!n{>cuxd
z=Y1;ZbEt;G%80MP@sZ0`-Ts(>K0SSX!R^yc=JJHfJwrUZ2`@>0;*j+#-j_hzUKsAH
zF3_4^I<qn9l;U+;m^p61>>*~>n0=cMCE`pNi`0VM-_RTE8(0>U>ffc`=-~L{k;*~x
z5gLng#tBQrJ+r4rdYYN88JKUqV#sNfJK$E@;kbSAmSv*h{)mW7?_=fyD*qh9%mikE
z9(W4-k&R=$SrS`=cN#rG3zstwSCwbr_5&yP+&#H%)7-#yiXSrzp1uL0{$@R`oP7WB
z)3#5k`?F8?9kO0M1$b&c?|FsE#xsW_Vvj15uL-jz4WH}AIhgVn@JuiSN3#Oer%o5D
zvvSPFb>Jwk(74?7==Wfui5R5yJIFWE%UrDuHh3BIpzWc7=hAcHQe(Alk6f2B<%pSV
ze|?4-=z{kW2R0mXaxZ9Emcd`GRb6U}GRr8|=ohjzIVa)Tp{R&?==Dszj7;;J6%q(p
z4o~L&UQ(%-5MsvLJ#>5^?x23cdqf54Cs=>Zf7w#pfWQ;aUba>1NY(Lw;|90HIjoe>
zqQO=1^-I_(l@dN^33v+LC^eMzGi6njZ4Xi%yMdB^88-pWg>cWU=bGXHWQVMelHFxJ
z-uR%|DD{!Pf|H3W>{m;%J|AHs_!avXh))^r-%$r|c}BbDl0G9!l_VN$bxG&|y~A2?
z%7`4roh48&>=^O8O(;x&TLfH@^fUhY@{_EuvJ`QC>KAAHPS$^lq5z4uQ6&T%awHz)
z*KlK?tRE}s_wJCIO8O{i4{J~2b$@8^%GvIR(Xuapw>kNnvCFtqA77^*`Q<{oYu&2j
z`gT*OJBv0ROj)yjyE6TQuwYieB0uxcG3yTa!K7*D<yTb0L>;UA${Mo9h-}k|IbEwq
z_THA-={LGjWo(&WB-<MZf(Z4Fi>&WJ8)e%wm?W?~cC<RwSX<IJ!$9gIzyfY9C%Zhb
z_NDNU=_1=Tz^A3;$ZYuxzzlks!H1eSQfCCFQey;g0RtG~DW%LA7&<6u0AjlYp9swj
zKH86FSHfG5o@Pn5k%e74N%}<+J&_O}7!HXPf%hr3k==4x&lmA!x|_C`SJRtG8}VRx
zt|8t%w&BM-1P9GlW!U)vt+-L%XdpFoguB8^eEONHAohiuWLI7G`MD+%?!APe;Rf8B
zM+|UXF%)#a7mm~u4;sq%PjHlB{Cwom5nD1{zJEDEI$>OeCeNUy6=#~uF3g`AzDUD(
z+fa)H>5qkoD2I-8x?)S=AJIZuuCXOgD0{x4JU6qeM8|g<3$718>C{|6y`Pg0+&9*J
zG@}1o=i=0)leTKze3YM?ITd}OQWv)0nRo}!=@!`l{N=fs`{6k+8`xg_dhT;4Fn+Bc
zDA)WUrAYtkrS;~-jfOJfUK=lugb9(M(J{fD9T<g9@pK5^p2qqlH~InAfCgbRv$1|5
z<&-VWeTkZKsIBqL%ELQOnD$RhVzw(RbNUL|i$GUQv*#=bTx8kL8uKD&E?vFtar<)*
z@1HTAMgQXC#~d*qP1=2Jh0<lM;In9M=q&S>Jw5?oXKmv6ME{Xjx*Epfmrr&0gq|fE
zI~YD_;ZLs$^XJZ)A7u8Qy&)!b_kklT71o|_p-v)$8;JmGq<F;Ap(bKHn4rC)XW;M=
zeP}l#m8-tS4cQw`ug^s!wv9v9_u4Ql!mUybya!77LnE+ls3ng6{DS4=BV!{_4$NM5
z;2}5@M=#m9Ep2O7R5r>QhO-IvbcRfjtVulhm0@_+Cpf*~6|M>uB82h8x8(eZIX{Q9
zlvvb5XUIB^O*C)m)AYP_L|uC7@D@ZArk!9Dsu_NN>qt{X(*JsZY%jU*b>5`FLcQqB
zrnsB~rh*1>tc-<?grl#^LSgtd9m@5DHY`_{6Ftj)yuXhtUW{iL(_iK_NY@#DKQ5k%
zpD||aH1B?j9*)v4@;{OE{KKag5&(1>YRy$O6oP!9xpKwLwbz>ay|}shT5}_~$%F@-
z<aCE)LMD0o&wyZsh>wsw4237qMBoI(QAg<M0=y+18YB&1^G?tpe=JTpPX6A(*K{14
zXQTq@@bT3-F{v4q+dLHf{Jdt3F?SfA_wMzvW51-tg!;xSw;v08-TNkXF~b?!SPLrA
z=K0@Ixmn7%=0eUF)HqnZ)l33$rn2XX=`-t8D7NA`a!OKKsBfF|gu@8Ri$27Wv*GPP
z$)GM&f9oojQ1dhAzM$umRNv<KB45@heUcPTEmpy(YsL;}Ne{3WI4aBd3>JTFPgw{&
zFY}Kz*pWffb(voWG#Ug)`=KYc4m21Q&$-LnL2;twGx&*0gCs=BpfIpB{#J96@&*aI
z12PkZ-StAM%4rNOkkha`qT~|~P{dWEF;Vhq&=J@KIYZ<|R6N(yUFEju>tPv|$xf50
z1wi7EJXj+zXcq(q>AOGLc}rA>)0imW7~PaEVLqLxcD~^Q(l>Fk_r}xncxQ8$A!BPT
zR1B~3=L>sQL~ht>Hhg%=yI=OayZq)KWa*3KFUXRX3bMrS$1(Y6_6;Z#60MX8!?oeG
z>AemAupe+hfXCy=4Ioe-ZO#=B1+(=+;$sQ+mbOzWzTeeIR9k-Lzp)N=2ia7Fy=zI(
z<Nc}o4=z(y5<K4m`@&yGG!)S?akBsDky@zZ&$CMNB}lqM32)*B2;CEo_{v{i%|U!e
zA*pyr6<^q_Gv8H6&V2C2HNHT7rD4mLk&5?LDme!slvsXq$xyU_Z?7eU5H)39zf-Ho
zeD6`20&jfJZZ1^?!)^E%UOmc4){R=+P;<Unk$CAP&p(}xv_}5lQC|VjrR=oMrepQ+
ztz$keQDgml%vy8ltojTQ%)<I}1SH&EA8lUpnzvDDt<~0~Z^*kva4WlcC2nt;LMxbO
z%?GV?;UTjY`kU*HKJn`Pv12zC!|VOAVSxx8U3BY_5E>D(d8;XQ%et7gD}G$O))M<(
zSRF8P)dX{k5&gR>i<d50jL1tr&7J#Gm>CQKKctEwpY@^&-%%sWXAXzzSx=Ug$vJ}q
zkU>=?SRxrP;?6RH(Za^XFncXlgF>`Do5AKhrxqH2#QoA-?zcjQ-`C3cyo}n&uuTS2
zWq0aNn@*5}|Af^2OBbr@@EW@fZ5YnSs1=Quiz?z*FL>p^t4*zV380a`bk-TpUxJyg
z;aX?bLHpTBXL#0G*J+_Z-ps*hIDd*d^yMxNe=%EN!|vl4|0C%P4m3-kQd05QIJZ_0
z1Jly3Vs%F5BTQ*RJ|z1@z~@lSydeC8aN@ko-8-@xquNUoaniMf_b*F0K4%<tEeWxL
z9nNXd!>>p<-CEjxZ5nw~3qU!vBpPz%h1BXJY*`cKUAfkn;R%>r&O-e{JZAV6E1SU*
z)JkZTn&B_*x=Tl`?c91$()3l0w3Kk17}phP0N?R55azX*C%so-_mfPPKh_u<OEa`q
zusZ8;MBi#&7xT5Xo1q18{mjPxBtQRS>>%kM4C@8VA5Vg{s2-AtuM;Zz^vtlCz61CH
ztz&u~hBgUdXkl}KfS=%Xks$$LW|83m+BXz6*2;ebk6lJ%gD-Nm|93JSXGgg5whAZR
z)?#kFgS_Gw)KBYS$+v*_AhP_cimx5-8R^JNc0|M`-0-iKAn;W*0&lH@*}zuCTFJgI
zhjSl1ETY;Ok0lALHtzPX*u+;l>iTNf9rjH(fyO|)8m+6+PxvnkI<3V#e8O)2je0B%
z;A?(^DrJ%LAu#fpC5-&Nfii8y9{8kjkKprjsYMPl+$zcNE6<>fY%IW9Q6v6Yf;~%X
zr2FSkqZ#fZX85WAs&<+ud{q|0&Z-f15We%RiVSt~F^^^@<|EQN&o(g(`8I~}j3@Gp
zh^P*#GAImGWn<V&DV{IMLy1@Xupk^YM`&d>@-lH+86#hz>oy>5Yb5KS%p1vhF|v;0
zwNFLHEvOq^3dOkMu~gRTHgZZ}HYD>*>Bw}BXWC6c+Suaxa=b-YZvHg`U(e&~J-!&4
zh_g-|=O$}E%~i)W<7pt@O%XIiUDk@Hr>o86=HT%mt{HCDkPZ2l)TvaD=gZa{cDj<A
z)EVF2;~V$ZnOT#6yYv#iJmcwz8*X=ec){waKZaWyWM*|$1phGy&9qSiFrRS<UL++_
zi+F49qMz7f>?35MmRIoQ-N#7n!&r3+HgHS+;nVr1QUi73-&y@H)4#Y>wdACesE7-1
zHS!HbHDr|C1`wXJpIPow%Pk@Oz;bW2vfQ%}JrL#IXc7TRy5Zg(i&4G~)5_xR%@5;u
z??)Tlz4>A1v@w)DS2B!xhTm(*d<vULhJW4BuHU`f-Q^CI#vNE4Uc-o1`ZM108h(0D
zov#O+@;IR6{p^}P{0Cv@xWOCyL7%~eMCYj9dqyg*y^oB`J}yj6&kH_jMjX>b<GTYV
zuI-EtpS9J(da{Ya{OyZl<4rh2ZH&`=*KL6tL{FM1tO{7}=VPidx>rYp=j*@pFd}wI
zP|89;e(tEk;)i*?rB0t%r{^$C6^qJ<Fl8w3!dw~L<~ozJGLJ-Ki{YuC$Tn;L17#b_
z74;qx{%E_zLn_%ef2~lxHh9S>_-j;;d@hbUs2JY+@(Z~0ryA545Iv>4j63<JL~O1z
zu3tChi$&#I4Lb;+*Q8Z;)8^l5yAg)!Zrc10^%?SQ4yseZlU?Pvc|O0*|Jq*vk9{<h
z>`2Z+;e6EbS33Zk-Cf%8={YvVVOaDxm1C93R9=dY+MNv>6x)NRZ;?~6#BYH_V-@;a
zJ*`PjVK5k<I^EN4h^b%p<TDn-Enj*7b;3X9g>S#i2Tdi_w=|?<{POoBH3cy;z=plB
zvSD8;4<hIgxUgR&jn$n?&LObE{M`jSLKI!>D&qs^*Gn`F{ppwH@@z;NSM#pWNcn|y
zsbCuNXS>KQMG+d8HQP!(`M0IiBDkcoxS}OEqMtu<w!1xqIyhbMEJa~x@OK;LNKZ;`
zhe8`_qFoQOwR;YY{nZOruE>3m^dFQSt2sx>(@8q_4}A!0z%N<;?eIT8_2!IV2QEIj
z`m5bwj|xpnQh^UR92K#wts)dRDz%F|bK#-sMek(iIE(8xVSJ?ThG^5ysK`AB(gS?<
zSuVd6l1KGPZjKnpEqge%J~#IAbmgeOkTNGO*xNKcFmT+U!8=lhTe{R14C;Q5pM5UO
z8`q*z4!Q)s^(Topnq4pkjb>UEI4wBaitCqmIU6??zWb8%WMn9?W-z?i%=z99OXZWr
z<uRL6|Ms1EV$#)?UucIOgIW7aNu-85LQ`}+l!RKD)BS;oAUfQJY&#vI_GYye=uMdu
zmmb~im(nptdGuJw_xt`lD`RFZ?HjVPilG&|gS@A8*AmlC?~j}1x7qStgLRz*!{*y_
zQ+y|zrUcCP4)k8NeY(Xkv`cFwdne{jxnVBROJP?PYo_K?@8)tdKK-LKjg<pWN2vR^
z<O1ibUDRDp09)cjUlsKMHFFa6%{Zq7)s~jAC76{wdD<UlFy)P<W}I8nKDAPf*zS4o
zmAvwY9<$J_m|glpCFWA}Vvqzi8I8LHRbH{CjIIFrn50WgLfYp>StYeT6h0*yv^DB2
zT>GDY4b=phQZi>!ttvL=q6smj<g4$-yhA@__D#OwP6Nr1e^Gq~7BxR9X}~3D@k+^e
zsft=ou1juGV?2YsN0!%!>-sAIJW9#nSBtA_pa~?UWU!IelqJRT5R#w<Lk&}*2lGP>
zg{a{Z|GMgn4l=n=ir_VZwY8RStqDK8`SMv8QM@UIORcTNdGkiYM=B>PhQimfJHcb%
z$VG5$w2>_^{>rOCsV~Z))4WUpZxCO0UHIY~y3@08@zeiUD7SF+2WcnYzU9=G0VuSb
zTC7DM3iu=}(e^HC1nZ4YS3fSWei^Mk1q^jddFNlWbvG}&kZdj?$2Ge9Sxk)sZQY@~
z&e#vADHH9%YuEu@10T=+Aff%ICB0PW05l#5uIzH9162yQ7&2xDjdbf{GF<C-7<5)Y
zTgD%4X=lsYf@e}iAa{T6%{uM=I*wCP|Hd`ysn9HhDcFqLs~bBY@^*M5mXbz#-i7~`
zrKI<~sxP)i2CBM4f3NB;s=D((RP~Rol=*M-`2W(s&+}fQ<|WF&PXGMd;|$ytvv4%d
zS+&5_=@Df0S-3pl#m`y0P7;Nj#^x<n4c}2Kqj>Qzr_{<QjbG}W)AYu*)h;OfM8Xkp
z0CPB%oF;MCh!&VaceR053Fm6@K;z6Bb5A6Ed3#B12r<pBSoVT~9j3x1-!2!`!%62Y
z47uU}0}!X?kl0#C@oEiCV#5c{hbQGHl2aT+MpXBVs;M=tBI935Y?`PBpraA|=Ci7`
zaYmPc?~LG=q%EF{oT2I_AN8lMa$PR}oI*^-_SAwWPJxqCHMy=P(wveUP@KKuA`L>m
zytu&PxymXi%K!OCs`0TZ^?f0Mf>y`Ucaxr<7pcsrTylhFfK1i*!9A=y9tLm2D-3Et
z2u(Fk>5lFS8am9|r@x{<Dn*A<IVb-le^B>w9H<C_MLk1=DquTSI`M{j(6AQQneD(4
zGsliq3=MNxHOQin!Xu~v52X9H>@pus9E+Es%F}(PgoH0!0VbpGRAws}B0@LsSrBK|
zM>9BLTrCkV!3g4EArU5+fAoQ!T*folgQyEx?V=?VFQeFewTu*x5~bB9<N`@o6NT(l
zI|dWaa%m4<D(XgNW;JySC3M3~HN|sb_vfF2k^V85Ogge4VVO8FG+@fyxyzP^S$wMs
z3%Bf8u-B};Cg4ekj1t7xKSlk#rC_6u6yU+>N4sQ4^~Xmd{NDO#8s}C;eFSQpY|NzE
z8PpJusry;OY*t&aJ{bMAxSzEpn$oQJJxF7=b)P<J>~_smYP1i~D|jac`b48otdV$=
zJ>tCgTWs;JRr0krnfeG}+4WN`YOGM{(k^39eJsd0dhJTaz-m>;_U(wL=fA5q{_(8T
z1bPpJD#Pk+9^PM4=5b@{;}ig=rpTiaM>ZXUZhO-Y5w4K~PqKhY)Iem~(@ZDvzlgW|
z{i!E7c86TNmVTg2!`oa(+=5~eRN^m=y){ziCzdG=e{NJ^;$CDHIeUo5DjFa~Nsag$
zTOJI9_o@x;_ByH!!Rd#J@Rw`~5Upwgd6H0MX(PgMtSkGT^%6?%Z`>or?@Gm|TThO&
zfZqd65Zs}acjWkvn;!S0t;UOKyG{We%}dvJwOisv6FqY5>gLrK2x?xsQ}ffNbTzSH
zmSQBwbHG4~cy*O3n*jcPnbnN2oMw)_fzcUOzcVwNm?^&_)e5uV<>`Z35!#BXcgS=H
z*2)y;2vgE_2<^G<{spQF<Pnhi^12q&rVN>9p{1}HU8)<hX4<X?u+hbriaJ*JemAlJ
zdF=?TM3Bh+juZ~J{VQ~fn}NLNW+EAg9o;UY7Yt_>HRXD$e`u5bC!!S)g?ADa8d*Hk
zsLhH1zTyO9>RgH5{No`K7L-nSj4ZVMBF`su2o~&4hDXJny2d+|&pUOEck0pSP8HT?
zx{|83m(xj0`7^^)X#cr3xGGiS;AvhW>3++A{-=D+U3dlV1-MTt2Xj8)EW*S{$^%K6
zGtPb5%mK=m$1HX!%xd<5!P)?k9UNyLT&#e<;Lc|*-2ONRPH6_Uyv*K<v+9SBoYlgY
zmGvI(7iK@r2`ChU1@cvg8zXX7?pSx&{u$fHT*T<~Ek`z-wl6-6{lRlhqD%zoJP+@p
z(}bJu5zUY}grXxrBxs0ixTM-3F&7AS?YJOZ;W@b0(hhhGt`5emI{E+y88W^;PIf2U
z4i4VPQ4KqD*Q^YA$f;}oV6A{e7vpe49m;;8o`zgC7U3vYO8R)H=6W&9RsN-@3Vl7A
zdQO8uRuuofcqL4i*t7$%%szPh_6mi4EgCwzFA4JVFdJ5S1VyL9Hw#H?+pIVUGzGIh
zN7AnkrEjbHM_bueU^N2P5HEiZIF4a`RhHQ+-K+)yb!IjMhN0>p8;1I_ia;)$zh(Q9
z1oMA8%m3-U`it}W#q;>Tz3?W;Ks*UIq%43{ERYlNiaURE?4o3|{?|~vHaGRZ@`;9i
zszRL|4gk-DzJ5a{!wT3EY&D+U7k^@<g$>p9Uo}4Ntck8T_8jlie}RRD>P{@&=iSr9
zd>IUZF#3QiI;ytz=~=31qDoE9uxe{92JegPYn>sWtBzF*Z_<lZGO>zJ;Wik~Pii8z
zl3Ew{6C_9t$3z1+{2Cj`fo~wEqPolp-*crU*b~D*il%DthRAJ41&%m6fYJe_TB210
zG=-WPx?vM2R}~a>Q0xBnFCM4YTeCSJ8{e}9g)Z>2j8r?z06c8_W!}$a@pe(5eh~Gi
z;EG6<-yS2qEwmv{xT8S4dOFfjkrqqr8)YagIgUYt+JryK?T1lzn(k-XF3~6|l3|FU
zz_-&5ShwrtB42)-`)b7u$~Y9$z!jRHNTTi(icIDuYNC1^Pq*T1eZI_=qh;%Z`~Bmm
z*Er5FC%wf{Z&Qq&d-#nQp<HVs?1<U3CEa`?)w5Tm!a7%>u43zu;eLJ1<EKT&OjX)8
z6~?EX_PlHc=j3n`-iloj4+KDIdg4q&Q>gnNSa}AuE7bvhLJp2n-FNR1F{DGyUs+vN
zxp7BUd8X0=_zCK_{K9r3_xl_{LD}}a4VleLsGPB<`>}VwrskYIn>wU+P4^#qqH-t|
z4wJ%HP7MU+6q_hAeXa4VvUB?2Q{D=z24`UaC*T}+5)L!C^@?mX#T)xfjoY7<wB?kN
z%V1^v#dF?&dav6TMnWU_1;+T3&zq-Q0)&DJcDz*$3Z=_A34Y*pR!p8bd*;IV%a$#$
z7#hult%;%Ef=%0g++qIpd=~8Jzpj3$=Cr`Yi~JO|y;Q<jP(Pp+_WnHM2kACEphAt8
z&&A{%Qa(SM_860N1=xjMp#&4pZq7_RX5Jh3#RF<*Gqli#`Y`+%Kwq__TFQSk%lIc_
z@NahuUJxDu#Snj4<RY*gPQbz|c`bl_3b}*kz|~4u*Pm9rJ;CST4VXxKXi+wU_MC;b
zx2QgK)$wg>P&~1*u8So^Xfr25Z8aja*-C^AqXEWhz~0=UZ8`!*9zw?$n!g2E08h!^
zE$zXRYe0n@t-u{F`c(dX2AMS!gZi258w+nkLopc4zQcaefwDH?AO@)O=UsuLMtB4a
zRP?8CytO5>)t1b}p|H~BqdWY1Dy$-Qctssq+GVkCw573NX>wpSibaWES{U(fWSor$
z?j<D@Lk)%(wd8122SD`#HL7>OO7#r>FaWy?IH{Nt8nl+=2+-&kpg}6Qs#P4(pdLs`
zZIFW|8Wjq`C0gOP^KWc%Wfnske5E0#lz*QNhaIWjeoX54^VIDP>vo4ZeP6#$J|_sc
zGb-%FXlIWa?J*l@BA4ZkFtMSXWa1FQFtSO-#Q-Clp1?PFL#hzJI&yoAIbx*-9K0cx
zjKDWoH7j`eWOI|T<Cr*Inb9)DHEc{+=gJGk;A0^t=i~z5pdSTtcWXU1t+<xb1XdpS
zg5L{lmZ<+8vpew;=#ah`VQ?Z41}9<!6Rik?6=(`)pxII@!eA&S<Y~$M3rFfIhBJk=
z>5yDi*OVFwhR6IaKB?WskNI7Encu~ab7eLOM{QCz2Njqk9LCKY2`60&uwKoY$+d<I
z=U;qB2Lf#LmAnZ^0|wuFQAhLco3yK%Bmd3dm-Rke)`kQ7Cmx=8INV;Jto5nP4eONc
z<hw5v9XqLx;g0ek;Y`pu(Rb+Gk;g*(=1uEj%<I-_&{Sul`TU(EgfPEMBeX|1Cz^Cf
z2Mmx&!XZ)rO5-+AvwnHN&Hx8a-VqqQClCcD9Rk2AGQo5N`1DCy#T(bfn%Az=D!!ss
ze3n=I1Ql!KU#CBgjy@=UQsvK}8hDQyfa${}(+-zRZJ;G~_)IwQFzSvw=Aoz`0Hz<p
znr1vfv$d)D{!m25j^vd8wPi-l>&@T8jh{=nn&B0*!`P}{qVoax9S;RYFz?l|?A4*b
zswqM^KF@c|xGHnpf+q!!;|}`i!Mj7!#(k;;$V%uo&kGARq`WEG3BmOWQVNB7@ugWs
z*BUidr%fE-(z8{#U&yo&jxL2Nc7{cdzgLO1fa5G%2QU9<$X;T`vxxZh@#~Y|P!{RA
z!8_9XK;ufsMg0a;eoedCIa*#ZA5ft7w9Xi=W!&&=tWKLF&IN$RbEqoL#n$FzVg|oV
z_*1GA%@&tOZeE^XJ{|1~x={;sqn3{9exJ)Kd(K?4a0dJ_{vmcz39FgTVeQ7z*TE#i
zTa8Ci=S*jq#&w2S+0HPH?+nuz&oFSFhBGb~RT1=q8?JHKyA4IXHP}0tqkX!chYzq<
zg1v}_U{{$V*v;n%b}$|3A|Hj);U)0vKnn$^xtEvlpew;+MimJcwYRMU|M5Z0r=|pE
zHo*#C7hd!&j8p!dw9Rl=Kf*#mWB3;TJHzLv7DY%~5L}v`JH$}M9wa<20CNo3->WC0
zc4sQtKH2_<<|UC>$$O>Oy2%^U^L8EIcG8|z5<^D&yHEF=5Iu3{l%4h`_Z&|>Z@M|)
za8r1?)#=mC*)wv&jtTH7cbziQy_2c!>GlZ3X}A%h)-@(YN5#ZM2K!B(=0D!w60&{%
zwyp3LiD!AnF;lkhiCVv9%VuTQ<dn&&Q|;&a`!9get2cMMz6s+_4u#y1YT0Q><;Ir<
zfc$W2@D`{s#)eJ+4(jxx8X39g=D11waO@m*C#9$F_JpH_Vbb_<5VX7ESOF1<`z1qW
zhhK6{P;?t{tgl;e?@;(~meT3#akaq-$hbgKRJf2^mC7{|z1@~9nx@>n{N%+m({JrB
zGF|(gKK%z+ZaNFm@kz1i<^wS^M|5^-0$&J0(YJz*oXY$L?#0dlc&9a)fofq!XM%P5
z>g|!Y=SQUX*rF_lQ_Rn?NqY~QUVonl#HhZ$V+L6+Hx&~0ByHMf&WM`jHNk6!lL9r&
z3;H_N&)w5AV6^L)9SM_^9*u>O8P~nxw&#iyAbkXoFZ9tV^sODGI6@eg&V1}e$5=O!
zjbT3vwdhA3EA`QM?%kH;H5<0><{q3Li-&ob`snm6!yqnIe{})n|Fr4D-4}wxY<}hM
zhXG-b_<p^J2dUC6bDRSF7tIe)R^1XHv46!Li@_}Rw7U?sd()ad<^y|t#*FfsK4|#Z
zxVXtm&&I;o%(Gt4%=-SJpUCp|DI8(*s4|#?N_I2~QGTAD1MjSJ$!;`uSit0|fQVRi
zXwOOW?vz=xwkg*h3cDx#u&WIoMF6A41_5rzt^*0mPoInvJT_mOqa<xh+_2M}mN;|N
zC@;UsSWgk_sVV6l_<A~EJ>mN77WoV<R<nOnR0VGU^L162d1}?Utc|_Cdnhi{Hx8Nf
z4QvN0;Ew*P8aaYqufob09-Myi%b2tu;`qwkNQ>E>a@2IM<8dZbY4byaL5c2}Q{d0(
zI(^K99;Q~0`;&ydoJ=>3{kM4R*lkLQ-ISajJ9FZUP#^yQ_;dQ;J!Z6fblUD6J9cbV
zuK1?SayPko292}mdxnB(dV|Ak1FWga)R-#U(T{Y{IKgXkPIhwCu01KUT_P2)z)5iL
z4`j!=8?E>ZCOLyy>8q?Xv;D3c6PWJiu>5_8wkGdXn9YKb69<?lcx>GgptNrxc%+<|
zavNT1;c$I~ze+a!AsfbXzZZB;MbY4u?`ghVLof`zSk$A~4{}4Xi{;P~7t5uT&35_|
zK}m?huCKVhY2kapu+|^u;@rb>uwa;Ukyd{8uyiZ-fSCx^T6467uq}pNA>dw?GCgmX
zR;xolZ?}<_Gp&WV<oL)v=HwkgKK+?#@|IT0|IH!O3oa%J@W*t30%xMtA=3+FDLySz
z>2*)=p6orx!#sJ$=GYTtP7b`s-7(j7WJ(AtWomTO?VaX}S<&i?nOf|Nnflq?(hX=&
z@WuR`@K0aNXzq(iFbYQq74H()O4<w8$|`Ui!Z$c$;<MEovkI~tlK9tRcgr7X+6S!g
zk8oz3W~3iKupi-y(~SJ!D@hNK=m+?|m+S#JG)YTTKWT~Tr<X;axE~KQ7DkkK85*r#
zhBi2SR2DID66vce@HExD40R)zp4B!nr$em#eWugA40%ydNzKd9XuMClLvWhJgK_N<
zq;E+&tCyioBA_qI!fVxwebs^4@PajOs>k56Q`72DbWC&Y;c0N$;c10q8QhMFj&U!;
z+R|U{g*A)43nMa>y(^MaO&9&*hedGj!iebjUs4w(?KNetk0|jj^s1u_SvO-0oC~M;
zd-nX%(#+~y=;bwbuJ16DQ|c7%TUZ+=1SL*|s2x6qyM9x$=f-5<nn;XFgiGNg?o#-Z
zf6}h~>vrUr-nb{0coc?>R3<F)bT@U0_RbFD9))3k-d){SOrBsG85U;sC>)I_7%*G=
z(-pS-qYG=$A~;j7z%q{p=0R`#tl~-O;ym2Fw1?+F?smvMK}H5QIw+}Sjq7-Bq_;qN
zo8mmZCHiv!@)WkDU8uyktvDSP+JE*zI<ohX)rUU-7lQWE37PgDl(ipE;>Vw*B2l%Y
z4YF!ye2fS%qWTq`fWgpNiH!yb*jj*RX}!%yXIWpZv+z~!ji3L~S!8a9%)GO;(N}mc
zYkfs>3nXiO#m~JZHk|hrv%Cv+So@0fhRDPFiXZ#P@w}^SC%VdZ@~+~?llYN$6;MDM
zWH#8^Rn`YxWfyr@L($Vvt)rBTo;uFwbFdWsbfm<;&1ool8Ol5P2%U7)x)_QchH4!Q
zMgKyz?&YF;j@m?qqHm$RYjC=g$&+`j33}FqcdQBe)r5Cz9(py;+Nqy-pB#CgX!%|I
zv5kF4U%j^@I5c1xQ_(rvs7)hnME7XpKc<nE^EF@2dk7!VgA#2lUUO7d=FFjICD-Nf
zFq<<U?LKMSVL7@@%Xz=m6X-XJShv7(be)!KTVOfg0zTRnaN%3PMcV={=s&se0nloU
zfL2?FK%4j$sB~7!md;3IC$oX7&n@b7!*-#H3%UuOHrJ&`X0JP7zf4>|X8o{;vFj#O
zYAk}k?r!`j#=hmzYhr2%WG6CN?JTegpepUvvbV|R@{3yz*&nFX+wb2Q3bL_P>3i|z
z^|Z&wyb}AYSC&CCIlOUu+CI~r&e4r6tbzCey4)8Bbo--1rcMnA7^RFs3uFTxJXg$#
z37Ry)H*g59;{K}L6WadNHsO;U&A~Q4p0#~{iZbw&FvEX(@Fa5|_v{Dv4jw+Sb6Z%z
z4&~?>A<=tO%s?{}>b8I{RgLHE$qtp&Q_J3?ZFg<ay>CC+X??3GlJU_+h$pq1ondAL
z<M_bd8EM;Q-Q`U0>a|8r?u>F1)Upp>KD_;qA`rpuA?yB<YCmMPZ&SyIY!}8oLrr;@
z&p&<uJWt(+tZqJae#nyW#R<K>d;h}|bemefv_m8%JLAbCv2n=?jb^P{{?bJ^Z*I_{
zS>`t54?nzjF#GJ@ZJ~it%87HrPR}thfK2<UPHT91*UWdOuh0z#_3#tk_nIHHzJGvX
z1PFW|)XvpeD^`<QRTuR|W$AYb37p2GZCi3h{H%It_3i#k_Z8Y(o$b{1pA|HD#>@@7
zf-Rkg2!nR*_W@opYlU)DM$9_%f%Onb5b??xNtLKQxB(ITQhQ-Bwdb|Y!c_2Sh<^y@
zqF<5H3lyz0P&`Zy+4<!6+K|GhHJ|E<8S~CA+y@7*l-g%mb0JkU_?)BWDZdKK#f9U;
zdyX}+daqHil&&l5@7qCGEKa}L5n&gYEgGo=QVE`0?d*{Kni{+|`0zSkLrs^x;Kag1
zs57Gh6v~kOCkkYvcCO2+i$hlRSvAVCSRDHbyqCKGu3OK_@IA9boBV#*HnTAeRQB#e
za7R^J-vJs*+3(vx6<Fm?b1JJmDLr6P-o5*~vyLC%GrVOhk3o2bfEC=PJLGVO&$;8f
z;yJHzQhavj;QNAh$qf|N3cJPKNDeu=!*N05#`^klz}Ygi?yg$#iEZ2`8t{<^G#h5@
zKPmSS>OOHiWq8YG69*4as1~qO_r$MWvq_nCO;|W5XmNnqWBi((fy%v@JV+v@;x2xr
zby0t+&C38w_g&{k=3}W^s4;h_jMgiMx5d3`kR#q<4Fs|m>re;b;P!;HpH1(a6B}As
zb952TsAaNr*>OSc<9%iVVup=X?VeK1Biqyh?wipM6H{>V%*`Xd3H@S}AEE`1P1DxK
zn6__<Ox_b8GIOUT_pFdIe$ckz<_0|nbn27hnKM&4>L>gk(%u6siez0MXB@f*rxlfP
z6lR=hqB*ZQV$N9vRDz-+h~$h&7Lip1QB)L=3<9E{qM~BXE(Xk))>YTEyQb<n#oqnD
zJ-B=JoO|xQzvuZsyD~E!s;jHM`l{*+?^_v>ALp+Mjtp~K;kv8POFL@<<9g&`Fz|6P
zO)Y;0x+ut=20ix)Db(CE`fea;jb7;>%H^?7r0XwI5-fI!(K*;PcoN!$#><BI`7B!K
zU-Vc@;;m??jCMIY6##0+bg{s_lOzaO%_>BV(vAhU)_BH}b)XJWi(_5aE;LJG*Ve`y
ziaP2*983W@W$Z0*@5wxD#<mD0(ih@QN_Ib)n^v~DVsok4CN{+@b!D1oHJxh;O?DTB
zb!EM&V}i>%r*(_X*0XU(V~@rjaw3kV-?7frF~%jqDONlle{@|<LX8iOo8w*Pi^4BS
z6J*jf@d;9P|Ff-ow(Z$gXa=q6yESNA(1C%b=oA2YdSlb($xuUf)u{N8*q~@{6c$w+
zwI?on<vml8O@O7#8Dr|NFOewFbmE(Sf^85^xV@r4ujm!!8RZq_A--yPbm`i%6+eq_
z3hs-&xY1J_nA@L8a>*@eu2`8{&nSqI=8{V060I9ZM$70Nx{onFE+?Pl#19RB^ZFHd
z<Q%UL_wrg3=+CDd$GEp@a(gJ-QURZ}cV1a!iQ2!B_-p8HLE1>BHcIj!&Z4l??a$u5
zhhK7?iHeMf_E9hKsXTS6q_R3|M|{){{@68USNMwEj_Q6Rry{pjQa|lyNSs}B5#$wc
zKT$$i$*$a7ej~eO74uYZvodElFJN*)e0O-LCy$>7y0E$_Pxzun<?`U-AI=mOmu6-r
ztl15~V_C?WHL=L|B%X4D68FgI2Oab9`a{WuPtpte=Gt`b;hdf9z8#r+wr3<EeIcuX
zNsS2D?5pnWIc*#tEptv}M%TcNx|+mXzI1>8<sa|NsyE4fGWzXzk6yp9|DgD6i!_lK
zjF+3o>(9I959SrWMK568*QRD}P1&55#;?oF*sx7~>q5odor#(2()km2XlpigP3Wdj
zwc=y+*eOegFVFGHTf-;HaAV+_$iP6AZ$|iTajl3<jn!)+f_+qY$n1*&_q2$<O($oS
z{$abyD|YY7&)*&9;Sm<@k2EUVEeLON_1T`cHFfK@bUtxMX7WyT8M`+#AuQNC+!bcG
zP4aAY#b$C-?tRME#oa$3P@8s9>_3@tlS&u!#iW7&EBTY6?q^*LIfccheUlu*^cV`e
z$&|!D5^TRn4u3)%d%W^h@udcyG+NPTvK8@>e$la_yCQ59gNG)TsOy0?a|#O(H>l*t
z^s(S(a`2PF^`O|+kJySsK*MREZ5d+7!bLw98whhz#JeL?Fp+E*AJ!iIE;*=I1X5+*
z&J>{RN8JJT>H6eEbxi!09G)~;Q9(8_*Xfqlc!Q38j*DM^d`%#xzHCl*=GIJg>DFL3
zp3eP9d}TQ~nOk?N_om~$Jx`5wUghiUtKAp2I@?+8>>c3i$0xCIhnT_G^=y*osLTIs
zo|OT<zS<-<_7F1!r=%JTfP-Y6^3%_3!Zju+uV`(t`meFzu_81ukjFSL$Hk;KO&8@K
zqV|MLd?E^Oym+JFHk^%JiG1v0KVRfyPZ&SN-2Bv(C&hbr=4A8h?3jhWL2`>OUnnjt
z&fFaznF+swEF=QikWh{1buC_k&jIf@n?1a{cxS$P`;Nq<bbj{>CM9-lN{HHXWw5jU
zP0opLLdyjpB`vrsDSdnHt&~_{?7XNwdhz_?yrnyN&+VRR*{U5GTVV%?ipbL*xy0mn
zugF=T9_8RNbN&&(gW-I6<leYYRm9pDKR@qnd%U#HQyKq?+R($O$t^+ph>U+EIg8#I
zgL2FBQd6_|um)ybOiXf&Iv{*!B~RMkdo=3l09n)^$3$jS4K<OCDzkeGg={ZKpGyvW
ze206jac@mUL7q6Cw=H2FL&~Tx8yp%Q6RLJk$g1MWd~3QyHoSB}18xiuxVw@q<du|&
zTOHDhMRNRODBq>Dr=Ja))aN%h(vv|3CUk2fe4mUYQ;3qj7q8`z#Hq;q2?08p{fZ%C
zm`?8F-kwn0T_d_+2@(2>8|jLETTZ)%iNDwU;*H-Zi-wEhi^o2dZV^i|VDnDopM;j%
zYhUcZkQM+h{_dT)*fC&(>_Z#@df;>1_ap=D`i_1F<r+jbKfv8TNgtEV%18UEo|GZf
zhBTtuE2t)JRqX17RWL@!mM0X(lsOZPsTEe0^wzpaCLk^>+)Ew5E*Vix;+WdGBPknA
zpCxdQ$cRTUh~|PxbED#EzF4c=N7MqiuJCNwF=yz;VWgEz@e}}CcBny=E~U|==u`4X
z>>IH>Qho%NouY13tzSvCYJWjaRY^fuK$iBzRi@0#rC_>x&{*d_z_%KA$n~NV8XfGb
zb7AY43+sTV^iT)l$#x-gnMjtjFcf-<SW=bW&cVc9sl=fsGZOq*LS^Kh6ltl!%JPDY
z?b-b5dL|)e?YeNaUr-5=h4FOuFve0w+Mi}@^A86d#ft?&tx9e`sd+2~vR#bw^1%b=
z%OVT>4*~o!Ti?m5IG@;%xYd~aVoTz(<BFCL71C`#(LId+l1P6~)$D`Iu4*qEM#gT-
z+?|@WqnO{sW_qWFhN&WAqN9)v0L4E}7p<&2fn}az0`hIFnxf$Q#^L!m469p<2|r-g
zQ81^P#$$R|BS;@yK7Z|jB<DvWdoKm%omBbs_79&wPy3;Vo6A~%cYfbYW=Gzh)O_`!
z+#r`NJau3bBa>poRD%zX{-E9PK)Gy9Q3X$AtjoH9&{b;VE7<gsn1{C;N#7@ulFz^+
zgcDhuFeH~xyynT>p|UtHNM2!pPll&@;)H2kde=>TQe2pkoyV{DWD;Z^L8}(~d2GpC
ztz9{p2{>?k?LKuDiGsQ)I8j$nP_ip~-I`3^Tox3uCLY?NNrmNrn_gXDmV`PLxADsR
zf9~Xon<2LI^r2933q3nbdPo3c>9AXL7$iPS*nb5FGjVXgl4M??nXK^|{V~B`e@yVd
z(&Uc|Jp{`eq{~go0r<P_1Ds2+R6e=_$dPFmh7F%KYw+MJvmWv{443(o96nT3a-gbk
zwX2KoYB!+TiD6X^zex~3iukLJ($|lbH*PW!r4?}%>hgVCGE4az<8L?2gi0#eUU^t`
zD5?@G$%~i9HcXtrWUgA7z7oU=u@PSU#2aJBT$sTGdq=HsRk>uW*t1$Ya|T1!-%&1F
zzW>7c{RfU6+rMn~tmVrW;hD4rS=|FZccGN5whq}7Vse>SY<ss8rojXQkk_?PzGD?O
z2A^b#@1j5MscU!(?&w`{Z&Wn}S;r2RhI{VQDr}+~o-nv(S+&#NY3W9aeg?mGmnpg#
zSj!a2(Y-?FOzH-B&RrX=RZjka^A@>e?|0BDCKycXderrX-+6$C1BJ6K>GF~c14<}{
zltp)>SpIsfgJ36yq`amX&?)=2mmX7X-H^T^T}zZNS;eoQ&P&K!mzPJ@%Kg%O(|!2_
z7IX+A@YOHu_p#r{#;V3U&7b89IKE`Edcuv<H^>n<2j_~^MROzJ{RxG?srL=q`?UDi
zSY%8)0(^N#Y8LJq;S%lw)f09o;&8-a2V!PQdx&1(BMdd3Kzhxmz3^AWK8tT4H2~x%
zy&I^8C4)%A|60I6+Q86GW5ip@7fpj0aQPEr5H6LS2U6W#W~HA`=yLVEWmUJscw&2p
zPGvWwCvV-FmYkNRA^{E5lf9dH;LurhMM0Q<KHvC&Iqo{E2$?}<od?lwUi^%8%%oGY
z4ROhM@z~_J?_;%giOj@HGTN==!${H&a2`v+=zW1$-FhS?F64spLf+wHIa<0&wm93r
z=7Q=L{Z;ws4O^3XEPH?1?AN9t5do1t>x@XgEGubuY<9%;pG>_=TyyL<8@(RZT}Imm
z_w7$DRMh5aU(z8Qjobr1g6gj@kGBj9F)0z2{qbLq0ODkUfIFieO4#c=9e6{y9eggC
z!w}h5Yc}mPb98fVX^lF2M|@%iueetPtPsVE^pK_L{%UGEe-`Z$!LM^=*0N&~n9g@(
z;k0uUWyAayCz-AJe$B?n)DS8$Rosi+xi{eeUT!O*Muc+0CWM%rB3+*!N7CbKp+uRM
zx?w{q@7Odda?{$)(Ob-Fg+9#psc2I*=r}!<ul8I!RHk*K&zXpQvB%D<9yN_o9%nN?
zT;F_l@6l6cL+=Lp1cZAhm>m<kq{pSlrpK5)dg!;;GjHWivmJzC9NDNY%=a;|-^V11
zORtRgIHFh_WyMg9Umsu`O;^!A7dyXp)~*5V?{RkfmyGq>lXfIE%lqqwW1`oTlZXN@
zZ5DP>(hG{W7o?PfQK13uy7igsGZQm`UvLN1XB*OzQ_~>scpi9i*RyjHn2C+D%@La;
zQX-6k*fHyviNDBV<}7ix4+Qq5NWh>tckCSS%OsN9U&tuzGkOZS$`p1VHDP>N;)XaU
zcQA<;f;d^h&@)t`{6eBHun&P%43|`N{ke(9@Q*}U(5PALa1fOOZ#9aYkigjASR~Vb
z$VlZm<q9_P7;}`R9TzDVvx&!;N(>FrCI9-)%UiF&2f&NWGCWyXhE>U1@MLB2=U&bR
zG(spiG7OPz0uDk5@1RR?=##<9eD?U>Ajb@zax5KYc!zMZ#nGNVj_Bg#k7Uj{V);=L
zifPcB441+L7>(CSr<P0*8j>a}qez#;gG>>dv?PIcVdzn7I1br-Qo|Ipg|r6jLTo91
zTs$`)pZgg+B7*K`R<M2~NnDl$&?Ls4jS$atV9V)&S&7Vo>oU+>%uyzgE=dQ`Qi)5V
zQ84P#aPS=&^Wjhf-mfi!Q(I%(O^lQW_wOz$!0ejt&io>DW^bo5Ka8!Vtrt@3F~oX}
zEM+oN;N!pDMLlfrWH^S5FHd^Um%LLh^((%7qM~G9-tKr9s=%4x7Ze)fr$#`ohf=U=
zXu=%T+@RIxYR>J`Hz^)E@2_Tk|NPL)68`$RdF=P8$*HNT^kh*>o;f#}eeE^4qKnwX
zO0kLUFFDEdA7V>8qNVp0MEmdJv94-6NSTnFupvQ9+tiRY?Dx<jF)CQ7S}LnQ%lsmI
z*Q`MMi_=7}V3=83AsBw8l^FQ4AJ~cSw*XAL$bf9aMDd<gxEuT?Q@BT;+<G*xYM&9Q
z1FA-=dYPgs8ag&EI&58-dhntKKtii(9zHo(6y{yR<LXBb8Qi$6dQp)*W{&`aU%SZ^
zs|-NsXX^VM#?dqto%0eo0m>jOR=#NN5{su|Sn%N}<@v_K6Q}r@Z<u9^T|!*d4uOUH
zLH4k12T!u@&@pVz&YaAwEF)srFooTmxhX3f0KB8G(ALA|uXJ?Q-T=sPdFihG>gwFU
z6@hC*L&AAFR#Z2Wh_x&%5*SyZMxo;GiRWeO*KSz5MnxIe(=4Fvwt;w8rxlw3+UDsa
z#bV-2ZYe((-#SyEZR#zXpTGJR9BEIXP9FWnp51!9r25#<yQU%j!4dv(M#3=Jo`kH(
zU7?R2n65bFSZJSWq$qnite1@P{=M+JGgZ_csk5Y07@mZY<b;iL!)elTOoK_iV6J#q
zPn?uD#mEdN@PWW$7<{>?rfzGa*^P$rY+Q9nxo55sF>PoPsh?@ftFns+BA4#qEt_9#
zvTX6%WdYOGQz297!8&z_$drQ7ZX(58L^9$@_xEI~YFkqFx@;|N?Za$blN_6%8b8Bv
z3_`7k3)Y&`_y;hlE_9)6^ipP+>~1wP|F3T%D(_cuP6TU}^aArpMy0cuQ!+pdeESan
zdjGFYZsrIzn}U-wQGj@%o&Lh1`U_FU<U7a3nN^rf`rm0XWo^*|q`!>zC+(DiTSJqZ
zIQLpL)HV>8KL<mn=D}b^>>H?kZ3(msk<@{j+3GYk;ps@QbcplgB}Y;IC+RhfqmsDf
z%P#I;J$}Y=x0%@dcb0$qe{WPH6ik7f^cDRN3b+jAd+56`&DY<D5QRqf-JhrXh^MdX
zuQ^#qRz!tq6i*DA<W2qOYlJ}hPWf~FJ<^d^SQ(HX;CX&xKs)|0>St}Ep{H-zYw_^w
z!qT#`La*N9x!%5>o>~z)x6@GgVn{?X7+<;uf4G4LfX7l|f;}6U#@>P-Q7t+_6wb$+
zPU3l4q{Z(&;U-p$dVWr($ht8HAi^q{Vicm_H!^nMC&d+K<s>Khr(wb5{tHs90cpuW
zD*vRY`BqS9g}$KLxZit<{*<Heq1B2$G!p-36<#-n->JIvQ=<v-{L<$OX?UyHRtG4w
zP0uxo4BJ_9{930`EU3$)J5ix+b#I$1G^kFj(WbgTt2C(YpLN<)CsryWs_{LFMV*9+
zC|L22<{A}?^&uU9AA<6mQ2alRAt^<?bnj2A8p)U!hy)N{Krj^V$&VIBYZRr?sC9lc
zs!fK|r(v4c`kQYV;O^(qGh~-b!aY{|hkJSY?JNu6r#djW)}j2Y&krzpA;9~cTx?;9
z*usBEI*S1n%^sq^SI6}CA#ihv^?)mB+fNH#k{N$i<PU=vf8C>audmNTu|DtrS)ZSO
zAENy6@;P9FJdA!Y=h(#Pu%yIrZR#n8^ms|5*>Jkx$SNi?D>E%uy|*xA`Kkb4Pmh3|
zW&ZlQzK?dOIPD|SB{n~OL!;-*=I&UH7Wl)U;h#@0uOp8%ipO<$?{aiXmcB<C>pnJD
z{<`?8OGSx7Prm&_qW<TNPml#7ddte2#)WBcxxTi4)s$EK^8Z-ZCx2EIef#D1%|>J?
zG&d|s1Y931EqdWSpzmSD??dM3d-lui?;E2UkHSM|Lb__mK=De&zPd-?p+HUUUpW7O
zS3Ie^v-p^;mv>Z9p!RB7LDg9`FeM|i_=DG(>_GP%_@s=c45Dp$+(+A981_ZGu2JdZ
zyXOo@y`I!%Wo4&lsmpeUdWh#&1V#8`7RexWKmFD3$k%4SRZcH{mmtG%1VTD)k(>r`
z)NFY__)X*6LGKj0zrRD9--o<FNZ1w)4$JUmgIuAD6<_KWncJAyP^2F<VmFbof8PHf
zN9?0VIq0JYIe+%iL-SAil8)A)sE6iaSx4(o*hBNbmG)N)jrp^z$2pJWiYMRhJt5xv
zM1SuI@!lumy(!HvFyJR(y0E0|&l|CJ5j~yfXd#B|5u*C*H9*$W{2E7aGdl6+?Js}p
z#I(1h#fN|CM6PMUT)EJIVc||B6ZB&li@e5Wok+$)B{r#>I;Y5mfTk+!<^iWDs0PYB
z1O21y;*6%ekdZI+2y|-m0M8b6?kjOvS42bS?h<wGZ~CG9L>$T={^L-t_;V;blG0BS
z#KRg$$%>z0j6#If_)l~^nGVCnbUNM&0C<=+a80@3Ds-3QyP+^ia!eR6#av-1Qd3%E
zMzy}(KrQjzl30&z5S^R|x3nHRhFId8B?XYMBUIlY+z-6sOG*MKZ<8VZ8ZSgt;|!6w
z5#TAi2y7;Y!S*od6KSu1p0r%hDoL4!zAz;BHIAQz#e%Ws6Ef#ybo@C+QAgEBnG_jO
zA0_ySqfM@K0%HTPe(_2R`6ne3SX{{j<~N+d2W>4Q<L40dVkS{W)r;x)IpT`+6UrpL
z^@Z9V5ewzZ#X|XVxU9bwYKaZ3jMnNaf$M=C)VsN8<bfHBW#a;rZR<pM53y|CgW5WQ
z;QZSSWbR)rO!|vW+^M;VN1%yEG&eCFPme0acO->^IW;3@CdUO^Mb2?jh>EdCNP9-%
zim3-i!WybRLfebxMv%?Hz%3WMXV6E|;iK3?(vwxn*X%7~%#f0gFnj``n;~63_SYZk
z#g3!K3@x#SH5<_1z%;aeA>JMT$>)<vvET`7-fytM6L8bJk}0s$pDrK$7z<d^78jiS
z^P*y0gup^vv|YTYSbq^+V<;Y3`OhP`4MHPy5OMK3=mo2~$<>N{#wK12WbH&-e1)3p
z)c30ie5XPVF+gVhUBZX}w2cUSlns7jF?{BdDGod^U%hJG?GKHH1AWwJ+M#E|khcw|
zj~uDs0d%)(=%w@SkJSn<N{N|rvCqE!2Xc#!R_*t4DdydLJ^Yrc6}t#<v*#_ZIkS{M
zeW0fBu=@Od_t}d*mLm8*6NCd4?1P}pL`n$2@vqVeBFa9=l`ATRwsOMAqmp9PzTsQ<
zK29TDHxVO{3cz<v@--Vot^#}5T{~hYdJM`<q`@QWu@)QwnvLFw(VjSpNNAr4vwfTv
z@R$2CC8c7l<Aah})R2!)j!#e>@Nn9*SWQj(_Yuj+UX1?AXM+C8ZAJ09JJn@p_LZ-3
zE#^B1FLrl;C37~`a4mGJ#o)7+#H=U4cj`Y-h*H1OFT{dZJS9UBkVbl`e%^NA<c<sx
zDQo9fW>a)vN}!tdTV;V97ezfCx*to4UaFqa%k3khHg1g3Mp`h5+x8^psg1V|C)Sce
z;i{CB3<r`k@%o1;(~YJ5ejk+JyUr)k7e<|g!uX=N!mi|~DIGh$U}8flhyazEO1TT-
z4%-ST;Ke8q5~T&Sl~PCq?Zu507NdG29YHoRDae^?+q7(ej5yH4)Quj(t){r8z2qU*
z(CNq!dWhSAwGE=l-(gVFB{m&}El`g=8i(LPj2NruA_zSa!Ec<|f8a2`-~|&L;1#$`
zy<}y<H9k*9Y(8K7iL_CDnRdAwH5g$_N5D!UTOGP8#69?QKhs@X;i*YC>X!3x;Y+oh
zkfeN;SCXH*Gi2!m?|F0PV^;Hz&L$VK$oXspp?45OfK<T-%832#<b$icJv(XsP}jcd
zfg|@{wBr*~6VtYUphLE4<M$i2!mV_c%tY^Wr||v)B(^)937afFiG!B<kq^qGq>Y<^
zX(~%k*|IrRd*Srm{m;~o@2;40hToi!5+AFgpg~MZTCX)efXGK9$sXaPl+=YQ>mQ&9
zQ-=Hl+vtC=VCpcP_yBz2*-$UW!f*uH_`xkmaHb>e{;;0rkW%;wXf`c<FcFaw-I;I2
zRf)yj2v?F)n7mVDFs^4$7=g-~GE@h6M;(g_n}U8CC7$<#O@N@F;Wt2B-JKyiY^ikE
zN|Np)CZNYo&e9c0YIH@?npsL+k*?_XA`In|!*xGM@^wE*g=xc;LO-E@Q$L|!6aI=f
z*#4+f{wOJZr<1(Hd0Qn3L!R((vW~>liDU!~qv6=9kD&2%9Wt?olW_h=Ll9;ms~OO>
z^Wb<;lCk)&6C$4H0Z&K#9E(dx+Yj$C-b}mxf{k{&u3dogsQLiVUu;EA&bp>Ed?%?9
z|LUvh%-(*?=;j0Sd&pSk+V7o|Izye|?}jq{+Z-baNE<pi>n%RX0H~-nklctSFkA{|
z@*3SSazL*C_7-2>{w~E9N+u*DB^&n)*Bz4_)#XWbH+8F&zvm^fg6j7pP|kvx?ud9^
z$G!cZ&(i_DloZc_KcM+p`FPfDjrc5G;9Gp_p_3|`++<D3WDN@YtZ9f*3NP8KcNpPo
z(<7PfROVdMd8JSxq&HRIO+IS?hh(56+RPd<<T6p;AQH2t(57@;Fi19qwwOmvmQhmx
z*81M@y5oGi*G$t(eXB=Q+8EI^D*v<Kr?UK#g2Mc~eh*BSyDfKew>N5XX7MEB`VgIi
zBu%FTrAdhRjEAHe2|SC?0SdEz_t7cX?NYz-G!81l^Re4g`$jzAX4jel2PtD@?BPSa
zB_!<;Y4HTn7e4T?-LFR`KlxpDBd}`LY?XVWe~g#5HiXHq$UA#R_0a2FuPa)|@|g6f
zT%(aq+u79EfK)$qPup4JW}Wpr%^R<d0l>yY5I~(2W+U|vo({O|29ehk|3GI7dbHOJ
z@ujPkcBHlQ+ZtHSTBBD^(bhFRoO{?I^HU6PHT^@<E!sfR2p>hGU`iaoAM)2Rq06^p
z#G9TFPl?x)6NtqhDn-Jksd6zH9R$l@=kK%ViT|NA46^@`+oY+paP;*1Q<B%Wz>Rs7
zcxwJUka0^4jXFwP<beVwe@;@RBuA)UqW^^?CH$-w>PN@}brvrrZ-f@oH-c^qK$(Sx
z=AXnxXqc{P8Yff|SIKT-D9u4y<QF!TxawC3U_gEGT9Qg?rK!RTJ2`!WXPglWZ7&w8
z|2bCtX&^qbX&l`{mgq~_Nxq^6H%PAL$5+JR6~dg}2{)9O^?iqF6qWaJ?izwx-jOwk
zza1%D>yHC?4g{oD3O$M^1q$`ABqBM|C<s8QP_G;!R{G-U_dqD_{NmXQ@!&;eB(A$e
zypXCONW?gtOULvj15yG@8}SkmJ0eg-!r`t;$R0!qO#u8*v8L!MGmu@>4REZ1bj5ST
zmtmECg7lSdSo>`Dv&3h)_%HF<tY;?sp3Zw5|8&peoTu?m=R8%IM}K~+EZCJ<SQwV+
z9~>It>zfsk!z<bu_z;P*V0UIwVdzf(pwKnGK3Nfac!g1Pk$8O9uEOH59k@Qy+czs5
z*N?ZoPwSNVyGf%)Ffq*Eomo&EvNJF!WR169ws>Ex`RAry;&X}%!gk`mHGbaWbA(BT
zVp)aF$M9@@S#7^G^~AMeS?zE>v#=;66J<sC`0C3tH+n!%D)YrUhh_!_hM>;b5xKmg
ztzjYRmM7LZWM@!7bDi^0XCq%67q2f0-HGehh~?z+piGg|dFbgFv7<qG>M5aP$VTZ_
z-H4?cr0K>=kjgt=>O#K29}fEUROwbxK=c=m#&t2e5x}|?ud^c)q;|rMM!C*H=q;zy
z^x~-7dQCz{k=If>O1BaSxHpKs{9oinHyJo1bfE}!U3pVC8R%lZ02izLSuVT~`f6xb
zQDjKYzyGR#Mb62EdPB&LP=8-SZ9y0+#qVH^ZpKqVDc8*qp}ll7h*pA$<$H}32PSAB
zn!P2%AV0!2AT{ge;MX7kl<4Ld*6!O|Q{%pO;X?OS*X4Q%rc*=_rV>$vb+dulf&;+Z
zrc&K(8@X=YPm-9gQdi-svWG@@>b4~2i_}#&2{5+8MPV5J7)GKBBIq_{0X8H)JyoNZ
zXG9H3r1qjX>!uQW2@v~Cq*Sf*+J?O!TFq7*v%0z8+HAOP?m$gbxllv=B>^v`!9oq9
z!GS>8Tv9Yjq6$#@+^ZNsrgU{-NHs!L|NLRxTz;}xemmV%<?Zs$WMD6QhFqpr%3I=(
z-u8^K&g>-`au5o1*65O-q2-3)+UoS;yc%^)alq1a{^1VhMeO`zUDaLZFX|r)ae0j8
z*QE2(B;m2LI4@`4UjHngr1i-glK7OuoUF<nK{ck6{Ja*;Q!UuzeOPO(o7X7mj^KXb
z>L`tFEN)FbFZB=}D1Rs@J$6P_7g+4-9T4okDlfEX)23vso)Ue7Lsvu^;l97MFr9Z(
zl5=1Bfo_GRapV+gFrFApL68&<cfAi%k9o?Q)Zp4k>T>^@%vfj9e6es7soHcVE**jO
z(P$DQIZN6|zZXU;-=#HHzfo1L*|!ExJIP`~G$Dbi#lB%~aR^1&A?o7Mx1^Wp4rpE)
zc2lzKzVs^%Q{J5PX{6Pp@px>{8_mahDsNEF2|rlg|J+;`{e`H@q-!ImOd9{g6tOm9
z9nBHcV2(->&zo>P8YgS?GDw3VgVY<!@=sBt-u>k?8S+DuAwPh$l*D|N+CZ)Kl?zu-
zHJq39{46~pT>Yx~ruM#_{kzipU(P@q4*Vd^hAspgl%)SxY5rfxdL?_x_7(H}Sf9|v
z3#Y39>2w(lAu9ZNm^NlZ;nQw6g%+CA)K_^M`*(PWZr?;u3c@Kwk)=V1#0NO;IXR6K
z2P7S?mnoVInW7;W@5l!F=lp<3X>nN7*%;OnaFR^;`$>K4r`(cGN9%iPsHgZ?&`o$M
zu_v$`i*VeVV9KJ&ryA;-Pb7;crqFcuHdQDaNQ*IO@%2Qu{G|z<b?4rVdv_F}bQX<L
z-icu@Z{L|;yfqN~J~cr%WQx!|vb|e#i;##nU3+IM^Ywd=lcUv&nw8$+?or|fGjv~+
z&n|bh?Mi#|?;-X3iIb!=ah5tDTH(Zr6As5~9q{3J+`+-&grnmLd|-|E|E}Dq7a1s-
z`$>9=OpxnZf1~1R8Z4Bdfjf{PdGIomc4SBZ$hG+W*BKCK(E(L-fSL}V1KdEag&O^U
zH4i)%x8%|^os%#^K8sGABx<TQ#6@$43{hTQ2G5p=mVc98B2{u>kQ~YO$r`-DeKK0U
zNb|P>;&o2SGy6sovyt{p63u8X21*q`XVTNU&&r;}rq5jL;1rBCFo=d~{wj-_36D02
zCH<s9RbFUpuPDmsfHV5CFV%mm9(3pr0h(oGhLY6Q!+iiO-85yYzN)qLsO-O@rioR>
zs~x)e?QR?0?@Dr24kp9qYL))*tzy%4ZxGqczWQzUfnH;=)9H14_A=%$0^){hbld|8
zg6VBZ3P_HwD9^b3N?MJ?+Dw;pT|#>ay-5l{dH=~{pufCa7>~<KuPEV}7-|2Ra^Egb
zMbd4G=5Ls%xcbN?3F-e<Y9(B*mtRh=%f6~Qy1ZCVEii*Qk+=gmr(sbEVe6p%lCA@C
zob-Pq?WG&DTCQvHa0jW@&>qNhJ$aoBx~`~18NY~3PyOYJv#-Q2L*=^YX0im-6o}+C
zxbv`{Ea4vTP;0Jfg!;#lpYKT1b+bqfhU92v2)KDL?cIa&p09iTZ!8Jlu8zgk&*h{Y
z9J_zJ{4_5AH|_*nPkKKziF&*Bj^gP`-3;Z`EvIs>s?IK}q*72P3};U2sT0E1#)qy4
zb;5WAmxRb+ZP3?1BwdL9S-MJh^#5jD5bAH&KU((4g!a8-ORn19Q50kPCdOC=Ahf^N
zT8-jtao&>C;5n|iyM?z+WBf=voFjWMJKoeYHGFFx-CRQuHQf7;L=9*y9doe^f@n_4
zq~Bp#`RpPV|IcQgEF1cQK~VG1{tTk+jg`;K51-n`+wEffqr-z8)sEpg`O&;xIAgc1
z+~v6%-FUtn^4N!57W+~8>J|!lHSWxT0k0Tp!Vc)eU^8x_d|!L$+7^C%2ICtS6lkZm
z3(75w<HtuaQ?}H)zE>OT*E2pkCvrnGo=&lo>z4lvAtk4!Ub;KL8`YzY3ga|%#yjaW
z;Z|48%_L=G#7*Ksxm>6goUnf<9V4C~7GcW9OiyfTxIhRg@_jXE#0_t+-%*rR2p51t
zQ2iE=)f423YQo9IJKMgKBGu!Ta_YbQnx^^l-s^8S+)>ofzPcc^`)%A<)1X<5gdAf>
z<ECl){~e8u&*qQ-&22y%wIfDA;}U(H<A62?+zWV(etIGTEfWC{MbXbRzOpIn7#yXN
zYcle@sU5i>S5z6?zFna)uDz%!Lpi?^qo|O*A%dYs(X&pxxm%rh^MJZPZ=PN!-YnPy
z0H&u#v7ydKqnKVt;xxul8A5zUcE<jUnvBgEl^HB`$dKV!IF238IGK@(zeaR*MoVqZ
zQkPaOlUs4H!;>!fyR8*)DpFgu7Vao-C|YP*7)T6U4OSQw7&J%>BwZxaB>s|9ElgT;
zZ!x5WU5ls|=`FHb)V8Q^L8L9DZKN}$;nGs+KIv&gL&NV3Z4D<GMj2Kbo-({^_<|Y5
z%w(Jye<qAcV{(}T%x8828^b2E73>N2lB}I<n#@k-B-<v-lU2*^$vzoLjZ{X%jYb=}
z82KAT8f`F2Gdg5cYgE@#(o){Ccgx8w16r1~ywdWk+(6FATZ1zuRK8KZL;g_yD<|i)
z+(2$Rx0^f7UE}VwGHlhdRl8PwTgA6J-m1Q}rnOh=pw^pOSGB&>`gZGITYon0Y~0Pb
zxA7cf2jexy>Bgsx?;1Zde%Yo)8@^4qHWS)RZ<EyKe4FcS?zJ7;c1GKIZSC7Sw{>f~
zvaN61kha&`Hne@(_Sd#w+y36psNIxy4(&YJ1+=@>?w-kDlQ|}vO+F~5DKZo#iVDTs
z_7mGrYrn9)NBh<7^V^?ke@khl9HUHEW+=}nFDq{=?<rq(FzL{%LvV-a4(mH?>aeB5
z?hXYVDmxtNaH7MN4tG0BJ1RR`cAVMKqhnadwH@O-W_8T%Skm!i#~(WW*zp(B{-z^M
z7nm+G-DR3*dd~EQ=^eB7W@<Cutg~5vvr%S~&Fsw<nz@**FiS8?Guv*KWtMODz^q9n
zS1D8~RaaF{Re#lR)mYUe)k4*Bm5(Y=6{d<+WvQxF=T!Gpk5#W!zalZHNi9_?)#hqj
z^*r?wwYxf09jo4;-lM*(zOBBm{-YDuN!iJ!Q=d+QI*sTwuG5rGzMX<PMRtnml-wz&
zQ$eTVPKP_4>~yBnD-EZy(Dc#_)C||yYNlx%G_D$NO^7B&vtF}NlcuTE9MhcAT+m$A
z+|=CHJk|W9Y0|dPDzw(xZrWbje%e9W;aYp`N^Piit#*TUi*}bbPg}07)*jW?Y0qh&
zYJb&!(f-a$`Ifvf--YkbkK`xw^LR(zm3Qa8`B*-Q-^1_YkMpPbdj2lo$Uo;_@xSn&
z%{g;R^P%RW&BvP0F<)rzYaU{rY`)!mw|SBIUh{+I$IZ{0Uox*ZzhnN${HgiR=Kp2U
z!a`=Dw&-Kg-(sZ26pI-ajuuNSJS@B|0xd!<k}bAc<XKc(9Je@camC`M#a)X>79T7P
zER8JNTk@8jEqhuHwj60W(bC>>iRDVm5X&`|-&<x{?zKE-dCKyNWrO8?%O5S@TYiG~
zM{31cDXdgh=2o4pdRYyy8fG=xYP{7HD+eogt5sH^RtZ)ctWvCYTNPSWTb;J5w`#C@
zZ1u|OS3qnuS+}ret&OcstWB-8*4EbDt@~IHv7TT()!N>AiS<hBAnP^Oan>8GQ>?dI
z@3P)wU1+`6y3+cf^-=4S)>o|WTK{PM!J62#uran#*>tw)V>8rdoXupL*)|R~t~M)e
zd~Jel*4o6`B-w1T*<!QZCeLQC%^{mpHs@`Au(@q>-{!H+k2bGu-jlV6mpPtaUkHc8
z#Da7F=hejcIs&vmdfjur#Z&b{rgp^61;bT+{THrq3(37vv$-hkoEGSaX>&IFIIE@y
zu3oYv<mipY!W*>@wN!hOaT)JvGgL)w@AM`Z<K(f@T*HwnJmgwV#R-1l3ns|jBYK5;
zieuR=z$zVQH)U)pEKm{kgpV-bb5zz95aUCLqzAFoBDUzdGDyyecmq(?Z;<mhlp4JO
z8=46<>Pd&vp};BXu33Hh*|U<<7cZ2~A2`r!{w$u`ia_&Lq!L&s6K+w($nn0*r)%rF
zGeyU$cO6up%JFg8gy7?lA#<%%oU*#Oq^iohWa(1x)oyOZtE+k9-{HR<Gp3eaOkThA
z3DZ=ay`2{<^(w5>UQ2y&P<15fVEksyqQr%ZRUB~?hA^}@JDYY7TNvgX>L><_9uKbx
ztDQr-n<7$=I5rJoIMV51!&^O^H2?n#PTJ+vqt#E;+^0VbT8cjVm}mn<qXCJEQl2|f
zaHbsLW{SpW8x0~3hRSimR*XIPaO7Z3Rgur^9BuqS1_x)acU|P7eo5~sJ8LXF*iprf
zjau%AJZ5cDoZ1I&p=+CoWb-R{h3F2J6M^9miL_>KqAWDr+4ReWH&y2y4p7M^ZTwK?
z`1<Uq5LIwQ9B8Pxzhm0|6M*+W0ON94iRWR(;SY#Le>j_Vz?0IG8+>-kOYL#Oj)35_
zOSx70gR0h}z&u^+W5?7aW<`an;3*yn=zZmtWuKm4{qkw>l>_~Vl%WGyPI<7nw7SZ>
zbjgy{UT#ZEybkijyTic}99xZJ-Z)l_W5(jkh#YO!8YBZuBizV0bTl=GJ^KG3a5-GC
z7TihTZmD#eT|VMZT9$8|EIdaB0AFYd3pc<o{~H9)2>J`d31j2{Hes8EntekR5Nftr
zsNoUO_&}(OPG7uK1flksKZEDSYxc^yhymCh++4M=2*C|9t8R1%&+UpL&*b|^k3S45
z|CEE8zl#B6;2uPv1`=@ZUj?A1x&OInClp$}!fltM+RCyk@{X+@b|!6(9L_E&;}d5v
zi`V&jj#axkZYx;KFY3;q!KRRYUEcu@6&Cak!l2%AmIJa@PL%TUnQcd|@N-`?-piK8
zu2N54nNv}byW?bGNm5b~{~1|X;Fb_(N32*mS!MId0VpyY+>%G(?uTEpn-In-9+0+f
zcP%G6Et%)4#m4pMSj0oj)&LlvT}K@fXkRTy2R-OPT4^gtE2YD#LvMLbdBz?%k&pt?
zuFsj1NLA=aBIR7nGlq7o(NJWv%HUd)bs%HmXI{RwI`vTM0RX3LUY6#%Woa#4ZVG6#
zw?ZC6RjdaMPq2%dmoOjWHu`kb+2}euk^WB3&ZFTmc2V=9#S`(T<4-4?_7G24v)n%9
z7gzWZm3*Z~f$u(^`};bdY?X6=uCLD@=m&u?Vf%GqxBv|#GF6^&jtScuk&&m$%gV0Z
ztPO8qIwvl6o2KIK9j^VjiSM(SS)Ldj9-`)Y%E^dXSU=yu`dN<k^OdMK@t1+2dy@8f
zjd-p{>}#^I4gg*$Z2a`7o(PJJBPyLa9U!x&ht@8SUb5DWc*(1x4zAsANe-DJNtH`K
zl6E9rWMNBRu*GSsQw?2cN^B7-E5sv~mt9Q5V;8Pl6f3H)nB%d>qH5=fZ>wPE)9|Rp
zagO>EamN#m#nmnnPjqI{z`sQ)pWZ6Fe2O3Wit$*r#CL(Z$Bg@kfbDqm!Hc66L95I7
z`#&=^E|aPTtD&~7$Z|Q+BIRW$hD^CeOBl`J_uRgmoT6&g57Vm0&2$TPa@Ah6WA^OM
z*_E#@$%^pv^jfos=Wd)l{L5y(XBy+47zr{;E>FJPZGi}P0y$U}npIx8Co{jeFnC@X
z9~u!H6QmBH!Ac^#{uJhewzD2tjGQ@pgzeEqclH)%?8)V)#{0R=Rr`iy><HzTOlCrI
zD}v7=pz6OP0RA7uY14>te`3vZ!K4qO-E)Z{Mo8^zSO<(rd6e?h#mqys{G7K;h@V%)
zD)qF*7}qtYZ{}vlhUD?}Z<x{*i}xV?98Plm*#Fv-XwfLZIXzZeP$5PEaAZ6D?%f`K
zBqJY3JPmrtbHmyBAsP9*Hm7gj#>el;UcVbbYR^EJSrDHWyOV$Ll}=%~gL2}Hh@u^!
zTNw^S@lt$N;gdLNxbQJd?YgXx098OlR9K9byOLIySF5U8o=aP#XxGjb=}qEED~)pN
zQ6_X#)aI?KjGbFfY|=)aXK0JW<v~kT3+n=|#A`X_Y&n<FBvDRr$*$a;zH@gbpO~4Q
zRIWb3))vNjc`Wjs!gEE*ziJQ$i*fG-PMKZcl;M=OZqeRkYFBu1u|+#-jy>8z+ZYWe
zLVrm^HC&({EE<|oz()V|pYwjB_f_W_Ku~!D3w)P`TOp4@NgaIU957PBup#Plkyzx{
z|3(G!8cZO+{x3uzoV|Rlyk7HI&ZWsoD^$^5u2{TQuJD=)9Q<7~<-DTIL!+fGGR3Z1
z4fpT()kw(87ZI*m?r!#hs#~h6$bAueV2E{rAvVBI<r*BeELxlGws;%3XU7Aj1t~y0
zcV7N0f=Y>EB7p8b+wRjKd({zWztP*oZ|6b55$)vX@3~aWT_tNk8W8<GpwVqz<XpD=
ze`TV%mVN5jL)d~V*C0q&vY1JaObZTD&GQLxi_vah?U@EP+va5x&)w@FFod0{VYwt=
zk#oU<g0zbY;jZtlt#0@a*5qYz+MOQD(w2N9oPm7yk5c}6;o=7*96AZ#Bfn)Lo$EmR
zVj7uG`i@4vn+P=L*AyHZ$^=IR#d@p#qEk|$ct3>p#AOw%+pp$Mb|5t%M;E%@#@H0(
zx0<?+W4X&)t4fck&*v?h&vTziI}Q0&Lqdt=Hhs@N7o$&Jydge3sRgn{Ci-<klLX1I
zOI*f|bvumNM37*m@=->8UiBm+wOpmfb_cU4&c|(zdX7)ku{ho~lHs<UV*<AXWt6D$
za(A6g5!EhjyWVB#Y!$arV{%oDlGzB`%peWIU|9LLp;5hjkKQ7Np|O5v++_`S-ldwh
z-K51pI-9sBJV3QNI4Uqs%OTe`At_!R7{0YCn0I<oaE>{Ym7PXn<dGXA)#IH)2D|aD
zeHmv!5qG51oLSeG%o8`K?D6Wz$fR{qd@k+8Y)nnvn5NFlj(5%C3+8aoYmS^d=X_+q
z0B5H;b84KP^QR31LbHpDv$FH@vO>JQLqh_1<E;Q#Z6(A5Jc7fbw~VwxM~WHvVhB%n
z5YVfLd}y8d$SEuA7K@DKg@uJ#mFlX(pry97^W1FMUpbxm4op?e{9MMTFV>#9ta>u%
z*uYr}eHXZCFV16%_vG#_Q18nLT+VZWQKZG!ckd9vDYPNxdL%F`VqPHje>7!ZU=h=v
zvi-4^0v&FD(w-Ok7}k}0Oh@9zBKC4dMR}c?o-&;0UU?&iCob%S821(Pp>nOFl&|Yf
z{fHdckphCvIs*ovr8Ct)oE(W}A!*5AyFunOwU3Kt*2ab*w>K<O#IEP2Z2K;4E*1)N
z5PIH@go7lEn+S~XZ9=$oTZjJvnve_vvI^OaXuiz<1K<#=!GH3Rnvf@Aj@Z8vkviy!
zNNfHgB6aviL|XG7iAXt^nessdp3h~HP0Cf<{kIpXa(3_Blec?~e*}_OBd{D=CTH*d
zf&iN$p%q*ZLMOP0w=)1-1h^!EV@Nh2SGjG1lX97N(doM4!UG42eeCCZ`z*tdTpFc3
zn3tBG!*lyO2wqrNA7<fIpT@jsnhD_89Wq+oG!2WlcnwGOQ2g7Tq+Jx-4!bD?Y%mn6
z3?yYX?3C#5;^$(0aTb99CTLVdjB(@T#swP4RYDFi*N|Rli7&{NyGMSMjn+7>bXy`W
z)@oudBS?V*HM1M^%G>AXnuEOAzaqSc-%uWWRCNyvl?2+7St`R!-~m80tKKJ>XLO+Q
zw*E)2lZ-JSlIOFCk!k;#1d>47{sUda)9J{yYbsF+{fm$f(69(p-hIc|Q7O;K=CAc%
z78$iEWv$jv7^=xGNT^nGPy{K+ko{H8*#elId%W{Rb)%{ZZnD2==b5fCZb@3MA@h7y
z<3E)ivn6s1)aFc=sAU_(<>td~q>UES1MmYa!OIJ1^=0G?bHB+D%a<84x{RJ?xQW;q
z6(~7hWMvHhRSfUb!&vqZ$Hyc&84ivI`Il2zn5wJ~($+j2XGj~|t|T^>WEYBq7dox>
z2DgK<s%CrsK7QpzCNdx(Awccwxw|%w2NHG4j_=cVs~)@F?K*hOBufyePko~uN0ulL
zrsZXqs;hRaUd0;&!<bwqt+^BXt4`J}uX1qU9QzS@d@xxGoE)JG%%~)>9}v!o!EGXc
zvf%Vsf!8QPe<<ExcTGj4-(8~}M^5u{oTF{%$5d36=hUc=7kRrlxG$wFZzaRc+OlQy
z7B2OeVYj%b5=fANlX^3XYP%!1+&`+Z3yWoPHf>4Wq2}PQ8KU9tEthkhE2a>M))-*;
zPdK`AnTGpr)5(d1#U(3gyWI@8PUr!75+f5wgTUg^RXQCJa=`ps_ki)Ns0ux#{`%W{
z(2FU6Ni*gHZDsH1w{n>%WRGHMA!H=D$yDj@vn9_@yuuNa^dp<4E)EEF15eF3*bAo9
z!NGz%;O02cEns0gh};F5>*0rp-VWEmgzD_PZ&fYNJwAA(mMoUji83x8efJ#lt`+0{
zyC|-I(U1clHRE}T951q+IBL><V(yTUAh*0p@%MTI7&;U$ZDmL<Ra~F?gUom{ptJy@
zEGJvPX<+q1JzYi&Kui<1%eiBPyX({WY3Yo<YsiY<uvTm%Y5c<=R@}9PA}bP{Ysu)O
zwg{ER@<7x3DwX&JC&mQu+kkXSBC$noV#Da;YpzWG{;VyP>hsmhr%qh5e5##uam8{G
zOVaW9jisNUPA%n$oTI4z9Y20T<l?_S1M?`J0SX18?tMxBjA-#0ocN5k`e!s;Tf*dh
zdxpofsY^WYj3V(Fy~SrN!!r=bN^H9x9v~tZrGtg}uV2Q8(U2u%AbK}9Bs=}JTya?(
z10}auK;o7#qz?-`;a^0!|9g7me>3sxbtsdYBppr4fhJn|;L(M{jgsOIKLYUp5H`yF
zrMvU;uoB+t0mOqj>@SYBgX|ZE`MGE-Co#MBmToUp@7)pM1Dj6AsCmmLsO%0nUD8%O
zPzFYB&CcDEb1jXZFN+9|j0sU2e-Q_Y7{c03MC26^pz{W;F%Ab?f&L0G(iq|65Tyq^
zO6rFIM`MJ4j^%}uhWAf8blb_(L+tyVbtmqrn<g3#w>w8#z<`Am#};cB%o(OOj>em>
zB!9;;R-6~#{onA0@xuR(Wqer=IecD(9KI=H8Ou20+5t=gK%Hvav<cdK63a=h{sw8z
zMoM%(VYd|mas-&92te+F;durj%Zhgbki|-Ys->u=MKlu}Cdl;qfplZA!&Owjk#hxr
zUInzg9C4T@AYdM%z?~Mi7GHi7LlG^0qn!s%^mB9KuXShgi>vn>Ro^_geE3$L3T#sN
zhA8B@jr|C4UM)ab=PucIGXcq)?3lGnJr_V6UWeb)q(+9P_^2K1R!w$?*O_yn?yr6U
z3-b$N^>x4pF6y0}TZI-{NW35$`Dw}G=vSP_I9n);1zMdr;SI-R2XPoB3Qb47OiU9S
zLwWYcviqc!ig2Fy=l-Z2zKW?CmOG@ss$bwx=b;$%)w1gaNAfDwIXl;{+s$(#hR9<w
zrSV?@a8lT`Rm>C82sjZ>EG&xreRg;OPGp)TmFf|29xGP_75z5^oH!r@C?Dk3oW85N
z<X7SB?(M&FSxImirpNDB_y#&e7#SmHV&Te?hqo&C)zlvKq+ABS*n1gLwteYmC7JpP
z`2#D+;%-==^rkI)3<fJnr&}Y5{NTC#L;GM@i??$eq+Ysud+sWJL1$*gsY4OS=|N<s
z1c8X?o?vv3_0^BW1aVc+Bg16_e0&#pdgL4q&~_QajHtP`?1P$f){ujkeKsS@I$lG~
z7%s;TDzJ;95nGw#Pc(|g-EyQ8ZxqX0g7TD?UVP=rJLKy9D4QA>w%o@zt1ML8Z5%VH
z`n<;rHK3f@h(y<&L4;$2ty>cILNBo|BE99@8Pb+Hx+f>2M4h_rCr$9iF!h)PzI~ne
z2?(g2gYj!l)90|`5uf|gc|qYAby#px{2D$VRZ7{Kk({b7&WT!_%b%ugIE2e}Lm1&K
zSl`ZWyHt5o#g$e}yR0_OA<lAa?pVdZr^HOoeU<MPvz0jI`>+SZlUn65#`{UD?HC8V
zoSc+vxeHM+p@GDWj3Nq-*wP-sL?E`wSO6=U{!eeO4&L4-czgF17FO=_Ep~VJ^>$xT
zD4KDU&o3RnRO?l-4AUeQ#{a=H{})r5yT7l;%6!}ev+)P{734}_c{46*z$g_(`@s&=
zSBBN_eWuwobfQ#r0Z$f9LuleITr(dW?I!eq=G_iMs5`X0J5~ytFz_Q}T*OWEq(T^m
zw|kEL5P}J?C7Ov?hWX&G|JWT3u?P%`f?DKk6FO;N68-HAD)8I9qbGYm5xv5_2Q!>W
zIcaT9G}MF`ahp1jfq=0hh0HZth?%YMst9UT$cU@r1qjEUL5?!Wyhh|}D&t5}Atb2|
zEY^#u;!!e#9%Z<>xX@@&ux>;MN04dsM$Z`c@$c>Mi-vA=!iKs7!950KK2uKT!xl8Z
zOvI3%&j6$l+k;%vj|4MxI15}oCIDmtDmuv@;4qWKW5{z1hNXNK*)$yQxC>I-=_O44
zUc{>}k)m>)`cf(NqFyf%<=qMWl_y^TJ5Z%)2O`7dAsoQwe?7G;??{#EL$^cbQ)Wi2
zw9}sIg?Y1b%RzN*LAbY9Ksdy<J76RpuqX4@c&u~_wqNO-QM8nw+nc+xxT<rCXb6wy
zI+so%Ewr3_h`YP9YUU-!AF(7vsCPSd2bssb<&vVlagTH7cmFWyiG6)|NNzej%3O@b
z*o3s#a4^0;7%JyJ9j?2O%8$!n{NjWB7N{2l6%@qt<D!^ZsfQPQQgaPVe9YSTwd&yD
zi~{az2jM$8mk=8rp@vB*pC~!JzUnm^(vB?X{T1z`>TQnwfZb~tJ5?e?_H6G4<eV_Y
zcg~+LwxtYZyvJZcNwDl&ZQ!-?%5?Q8mxb2rdE`#NTE`qn*_N5DRs=@hms<$K<RTx5
zNX6pCkwE#32C?p#BZa}}+=+ku;eus}75F(@axrolSLp8U=gX0w<fRKqUyZ2rFP1@&
zVSDD@{*x^H=6I}td!gG-YF-doe}b7u#MRFwotVvBvgUO#7fvLi8w7zckz}%b72@IB
zodT$gI1S7frvY0C#{jvw)gdc1WS?9c_?1})9`y+IGXLB&Jl7N)r5l2n8exi*jz%__
z@#eLmDPihKPC?_BKo`lGMYyx2X6;69Uw&alxqqR%SV?QzhFEhV<ty=!1I(M_$ZWD{
zzJ{BI46Z~rtv=(`JrxqTI?Kcc9}lI{o_KI{g|d`v(5y`mduLl=$*!WxVtxqg7v|zJ
zoBWIjvHoPHoH&Te)d9ADaqF`Qv8mVNnZnfcZJF4Kh^(m`!nh&qLs*FIBnI>_%^EOI
z)PNZESCw<*+$3M;faU7oH7P0Kyg%ZT5_V=L7Gc3Wi+rzqRdf7CiWWqM6H=UyzfuVX
z9r`#sPDs>}8rjXn!;XDabR*{-aB#lb!Anrd0i~VK$zaD{d~7_Eo}0d@P<?K{$Lz^V
zm(6u_%PaO2*NQGjudD#VAsHhFRskyC7K+9jNN<fqgO$R0ST3^C^3`dnV%KrXtC46l
z>l_A#Bk~Jgk)9?e#5slp!FmMS1G=gvC-2}f)lU=8QSIa@fvyX*^}U$#1N(PWsH=)Y
zJeLK9+VL~{;7%_xO@j(PC+^rOL_)nPu1=OK%06j~=X=~8qIPufv0cdDoy}C{<mD8q
zIi#%g-~u(q`pi+uzUG8cXKwyCS$!ava8Od7Y+_hMQm}f4U%?3;65E9WB|!Vsj>xOC
zHl`M0&~~9K+4Yg(NvqW}0`ji$L_q=O4oa{`cEqeaXH!Zp>_r$3@Z7xCU^onK>W=kS
z(^A$rH+9Qy-j5hCi7^}`olGU&xuV=vN7bBg%U;6;>*j=<k_)ZSD2OAcbDIOnuW`ge
zBOr;9BQCPi;({F|>hp!p{khV;xw|Tfowx;$!kYOsk#L2@aRCL``Ikm1QJ6WVuG6xG
zNnv}6RmHn=YBy+4$-1X3aha}~cF^Tr3KlzEJCG6VVX_b-=sWrCV2+rBNRcxUn@L=3
zj^kkD^P)c7oh?_&8&xpv#fNZ%cQCFAe(q2_e)|q3@Pi{6<W<WxBJ=Uj&A?69&tG~V
z$$LkPo=Z8>O@cjc7wL@-LRVyvaU2{0YdJrSg!A{)a3%+d1>8L_)T%C2m0dn^z<Xt}
z_V#P$xYN|CKB9%uU?T0r1?t17v3;K)GC3fS`uK^WJGK1i^UR9iz+fLWhuE3<a;TaX
z#QqcJJ5GX{F2SCEIhs`DYuA5)iD@Imj8DcKznIt~@`Yp(ERO9o<DlrR?h-4Gq1{<d
zb)~$dZf{<sPp<aiL*}HjUGW$o&-WWaO}Hi(VLAzyM3G+7D8cEhTnPgpmj}Uyg1~+i
ziyaP0Mr}Ufm3**F64PFeA_FLIBikfqyCkwrV(tsv(oByZ$#p8hYV=AxQ<S=W+ir}_
zHot)rhqUc^R2&#Ed5$KS=}Crs;YzHyz(k40WWaWSDl4M^p~TSz&9HlKMNm2)Haj~r
zgA-%#oHg7Z2F1|^A%G*k2%U>O0f*th?Pp_Az!}Vx*3{rE?ZR_gg50+*Rnu<syHS~F
zU4Mq=Y4z$5R8?ExrnKU@G{zUvWnA}U&{J|UvO@!8H|RLgQ{I!9U@@~o&H)dVwE2up
z=BF9=X^Sm9)?yCKeU4o3@HeIxai`XwlrVa`JXWJ%2uY{&#i=h7;F`a2lZ0ic^|K+G
zzk<JL58d)u`QA{cMJq(^pZNNu;~N@`LNmo2yu+1+C&VorSKo9*RCdTBji-wKbbty_
z>Wcn^kJlO_-<wQsG|}Tbb6?02^ba_+%fu1J`D;wL&DcF$CsVPy6P?4v1m_R_1os?A
z*w<(V8M468&=|vQxnujbZYkjU$scm>G+3CCZgNgqGe^0R)g2L3$Q1kih+qZ)JT%8)
z4XlPN2NuCJ(*6Y*pdtgP;sxc?v|QQVLs#yrhz&MIeQ0kB8)~EF=7>x4xuU`ZS`;Uy
z%}bCrk7OOr9pj@JTb}fMD*edampmseq|doeQayqrmqXm;T;}e?gk4ZZtg*5@e@|(t
z{~nK(0YP3~c|jFCmmsL+!a@P7I;>s}u-?JWF4G9&%>LbOW-Os2^(iOldSnmQOY1nL
zxMaYLRZUuP^`Ob+pr}T3M=FpBuyU`H)5=xO&K0YU@Z2JoSBUU4Vqd*lbhyh@NH-S)
z0$HJloLdL((#JOehld3K=`itbuU?aojmnWra!|K$;W=R9=JeQ*pP<nm!EgUFni(qx
z3s5aLKnY28S<TY1Q!gFB=>J({pJ;*QtH}jl2%v;@@pTTHv=-bPoXl9{N9OEK`q$l1
zJv)4+{>I^X1GUfqHHgXU1!qn#P1Q?I`7g1$N{py^V#CjCwiQk1h=Y6#9z8>HQOvLI
zjvX>4B#~W_i;_dquN>}8ECx))*u@lHvpqW>J3~|mmhR>Z2`(A=tu3K}F@mQOm6Q{v
zkjUW;CY);4QLpn_u7ni^qfr$I6~Gu0vBJd(ZzNXj+a|)|F3#IsIFdrU!2M~a;U@Sm
zm~XGOCUHdeT?*_N*n~oyp8#X?>lZ0ktl7f}CzbDai?NPY0m!Y|BM$EbvV^f<jZF?f
zd(#@)mIErHv#(3oM13=HB0#N(b<O3G|584G%f=8HR`(opq;MD5Gg31|A}KCK+yi}w
zoq;(~NH|7Npwd0WNDT$L$q9}{CpTHMhX<X@!9ph3W5^uW9N|pPf-Rd1x_}!@SdlM}
zOTl+Yr{Xi0Bbrf-gOT{F;DmaThLW*!;Mna#FU@c)FQ_epn=*+lqj=5zW5!wyH$U@`
zPrdq^2^wY!bj3i72|784gvz;#ahZ`JDj$8|2DivJbQ1C}By=!1?zpCQw6)NVL)VCN
zxiB8pIXOp{C*f9(jsu+SENojqn$d-OLzcdQvL=v9&Tu9N<MUqZZ3I`^4SaTW<=|83
zWL-~Ncbnwq$U#-~ME52U6O=hy3EbiB!UVkAX)p+j`b0d|p3M-CUBz;>HH=}cNoP)E
zP9QPQN%Vaaj?E@R0Sg*ThccYBoPY?i4CAU@AB<xXt>FULUJ1-pBA3AyhQN%M5@ZRr
zfWB{wNwY1+5RWA!kKYR5^F+Pl=%#<Hkvw}ViVzHx&D#fPt1gNfPIv_5P3}Za_CEBp
zf<Z$MW$^-7g&2!=WR6tG^`FXLNXwBYM~XXq@)Q%rOmT6}ks=8DJ8XbkHO-Y7i%|&1
zq!?=nJoPi07We;dE*9d;yy6U6959$|aM8e^#mGPY(c=GO?@i#WD6anR>gweVFw6{O
zSOjDlPyyK&MMOneB#Nj=kPzHi#03o!qlPF^B&<pdE^*fwMMI)7xFnAnR8-==1qmV|
zAQBwOXkbJ{`u(2M-FKO}0|RRE<o~>VKj&A~wRLsXsZ*!6zNeVu>|oQy{sglfR0v(p
z{oUp`r!(}GDY4^m3!v@Lub@TvkBH52n4L^pXdnE(YdeKsxSdUrJ=oN<^+OIdn0B_<
zbhL+=Bb~RfA7&09t#;1$OjFy~l-WaZFEzcL#^EbG|465$Inw>UInwrn4%F~RN*w1J
z{Qk!@a;`89Y#-Cl)-#1}0clvCRmT)MFPr`KedL|KVRDZPKTF6?G0oCtCgqk*QicgF
zAe@xvo>AMp;iW!yN7R?pnbI<|kJCBaMExC$`3dv}w3d4V9TmBm!>|vAI&!}yUC&b2
zNqtM5=aQ@Uh2cMx7la=Yo)EsMiG*LiKDBozXgXa<D<5^S!izOg#G}He)#+(-g7UBM
za8(kX{<`#A(#S*7PO?eci?o@VNZL|W5<Z*Ad;i+>v^QgphNQji5rtpYCcN9wbWO+}
z8h(|uX=&Hl1pgeM?OfV=+}@?l*Pg<ydBcjl*cBZbzAy45L*Z9WY4{TI1sM~*1-%UY
z4XTXpO*fT2rKSTW6n>y#V_78fC?Szc&Joaakl2;Nt(XTmUBiz>W+kMuOXOD#<c=^$
zt85ebRx6^cYY68awCglfZeD{txW@F4?T27Ol!3_88pvM4J0feVQ}|h028$g27D(iJ
zHi>-S6^ZPxO14|n=SUrB-_p_ahIjf3&&GV)1fFe@=2PKM;nfoS#r`Zj{i^BWtTJuv
zL6}E|AK0T!CnX<$`X74;ePch$AmO>eW`J`febF4#%Q-uI#krI+hEMD?^6-%I#}V*|
z5WE4e3V(Emq;8i(YkB51VVEJ}O~oJng^IPV;7!Sk*1<&b(8cU)+h_HM(igrNZqxGk
zT+79GmW11#?a296rViA=ImQIYxo-9sl=E+(2kA#2!YnsUow?+FF8mUiEiet#0P33M
zCSek4t8zbS>w9K4Oqc(z;w9z23sc*zwDZFuX``jQODTL_N*fhAF#MRlxoKMGse_!H
zhCGq}S!Am8o%B)khf)8B9+U3d4uyB5|GE)B(R=no*N}cf<n%VmQFNUO)62d9e@sG_
z-V$zco6@J=1JUogb;2!n2}F3eZCGwk;(4P?f7>Vwd431y9qRo})4}#I2a$F+@^GXr
z<C*PEeLEa`J$T}8=skQinRjRi-yKG|wR6gm{iWtW;Tv0I3dlnzyUDb7p5p!l(%;YY
zP(Pk0&ye&bZSwRtO-temNu18;Ut+(O_r8L>P6|JjcX1C2KX-fcKAkWR#QnZ-qf(+{
zy%2tGU%>sAaFf3GIfR=?_|q{@!yJe?P|IVJl!^Nh_Zu)*W3IxS7H$-BUJpNqq|7!+
zx!H?IcQWQg%(F2Ic`l^73VMutDDm49zj3%p%GX`N{d&w-F<&A4=g_;*67ogayVpR|
zp=P8L_pk2v2s;3`14)B=akq2-1@{%0|HM3>ya}BZZg(F+ul-H9#TyfT?)?CBIOd6j
zc?Ex=W#%~VT-?qLxA;Zj=YD-m57Q;=z2Qb7_Y>2}`w3wvAHNNLtuUKlHYUsh!a&L!
z!XJA;%0I$GHIVX^@K!Ad{t*7_Ksmn@^U5;pFF<079=SQD4=^jCm!Vf;dSCfU__QVx
z-W5uCZ*NU_R`|A7v<GFW<z9<&$|=j*<|7FwZJY9OHbH-&eK$oecS81bLMM-CIA(A9
zg*E2K@bH0VG_+dk1M`WP9>Kg7S_6%MPKwP_FfWT~6z2D1I@jD2es1mxw~*#0N!J-n
zn;R6HhvEKyxKT)D<S68vj15Ij-i{nXPP$`_b;pJ~+=<4uz0jlY!B1#XOcOAF5mu_)
zjOA%sX3988Wafd!u{%s>m6^8@{$kV5y@s@J$G+0+<9-iQo;}z!b|1x*K2Bt`(38ZM
z{6uNBr92p;>bRy*#xL$o#-%?y&b~@G$&=(qNb)Gp75RN3ej>{cN6txFWu}=si}(7q
z@t}J8Ubo;b`4Rer@Ec?L1NZXmL_a@;@K@9KUL1{;wR|SV<%4{bF{9>NbaTmrJXc8a
zA|yI`cL<$B^aDGD^hEdgg8umn-unxaqQ7o|&T*tt8D>I<5oQ7RgCWr$==bOobd0V2
z0(yX34}C_)$0y;pzv<?-MF$c6=K}hTb(o%pZ-lOOq-|}A(>ixQ^k(v-I=$$JGCmi*
z`9Sy-{lhIZfh#(Ri~*ATh$;Exx%Mc`Q9MKP)d+nA9(VqVe$keAZOK>L_`QY_E}{8^
zPv~^?sJDnKI+jp7-r)%PS<$ny%SLo7%Ftz8lFqy2A<>m3FG6MJ0QUuW?iT8?#OwzR
zhFU_6q3=LVpbk(cNa~{ul5qRkfxP?8lw%QkpoH(H?oDX_eJQ_A^s&9L_mFT(wM)O5
zZDTrXx`An}>9#S=F`MAtUDIt#nr+hg*lm7exsk|_F7BIVs58QxsPr20{5AByPG+dx
z2lr0qVCZP<2SZ24_M@G4raN?yvj%ew=1_B>(i(H1+u9uHuQCS~+=Px$65SK;Fz5T|
z4qK>W$e5i6JEP1Hs2g-L)CFp#=1Hc$Q)osyCz%#%{uSMHr|Bd_di&X_jH8yCk+jzn
zkuM$WKh23y2l7#pl~$DIBc%O^rky-PO}m*ohS1wv+XsvXHH4bl*WkUMo9^!6lr43u
z{QNodL}j$e0@~w1+V8)hRowUI{`{ytJIm4U55)cs?!SXhh0ezR0L<~^yE}f{Ok3w;
z`06zCUFTzD$}6S_Syaz?3myCe<U7y#HpqU6Y)PmuZ6|pbd7o_J-Q@k0#+YXMp7O4{
zr=#OACHcZ?IZ0XViYP}ZOQi*SF((z5ztlle4^kIZ$cyfolae}0Na|`=B=z`pXlE_s
z!z02c`AB(3_$Lp!AJV^0H75vf<s;#@uT4KBjeG<T3m+$>ye#}&6A7PJAq%e|7mvg2
zsdG{?FGYPwTM%A#R&d{!wkUi^T;&n!L;7^B>y3=9q%Nfn9b~K2mGtGbJ!b>5L&}Bx
z*rmuC+8gb>m%S8uBKiRC?tb*Y^yBV5xXCkH5jT167-SL8wL6VPZnaJG$-%e{Lw}Ly
zo)2X`Q`(e1^CSB0-ymb;nP(EFKl%&t+(Fo{K!2%+*&6cDUrxmAj%<wE8oJCr`ra;S
zNuBeqY5fIWcN>J2Zto}^^rNV}<as~9-WwSs<?}`Og{0wpir&&W&i`2a@5X;BrsOlO
zC)<`h9*=&~U!H@Xyswl6azo!=>PE^}-c!=%Swf6)_d#Fi?aW6euSI73lYXxrWxg3%
znxbEL-Lzrlp)2)rU{)W~lRl;weL_wjL)$zUI$HaYyXiX~Cr(X$#3elI68fi0O!Ju9
z#%4Rr9?<?!Tl$Y9ptk09(*bIQ+kZ#A31(mCXXN!q%uQSse(BuEJIydHo!?^q5IPfj
zko%>khj|J6DD<t{F;77ku$WIlui$@^n$4X%F)ucadH)h;3GLuA>UKX<;9QA*HI{zo
zJk!L9p4rhkglEdLN1LW*BXda;@tbBknkOj7r^5H0i?Ba~?sFu10`8i}pJ7TIbRwq%
zaa?%$3V7ly<{Ikp%rQLc45$x$eKP%eC+Ze5Plof<ooC7OphlX`Ow*F*b<}$MlCY=1
z4?Qu@*Lk;6`evDb>jo9Z)CjX5B)Zx`kodU~g`Z#^8Q<@ZDPbkdAgBluy-LV6r-$E5
zh`G0B-Uqau4yKDc4C;YyFbMNRvv1lw(KL6bnzr$Mb2Xzd%?Z~W9lE8sc~@z?W;{dm
zMIp&wnQdSm%yLWo60=9_w=bqpncD^ZN9K8sqz-3L2Sd>Xr;(1#CpAWnK2JZe+|)$}
z>w*kv3>^Tq7t=l8bcXhUTE+IRm_p(%l-x_0ecS`gF+%p|CWV~Z2i;oQ>~Qoz9dn8u
zQvJ|8WST*R$m5ft70_uy=9ln7FB6z@)5nyDkI6mmGS)l;x)M4cx(>P?dJei5TEhFa
zGbTI|ItiKqJp(O<UWC32jf9SZ`a<VH6SK^dv5$aGfrdd3LcfKMjp<%Yp{dX{&=t_7
zP?T<m@I&mSP#s9pl60Pc?toYg)wuU#-Uf+T2}$0ruR`)%d8Rz)TIjCW6#E0veb95z
zG)SH;&k~aNl6MmGX-NEq20^z#$$P&bdNlXngXDb&<gq7yi8+xl6NvW_rVGXQX)}4>
zs^(b2o&`;T#z9G$AC3JmNc<0vX)Nv5z^}&4iRq`9Tsp6M5pu=hhEV`6+l)0+q29P1
zYled7@N>*X{H(c(pJRS!9t0oZ=a_fRDsZc*qz9_+6oE~hru0^w;6=yj;q<`X+vyDs
zbOwThoI$uB?HmmbbB5tE*_nd<GUqaIwlf=-yPUhR|Jiv0<m<NJGtM*MQs)iuE$3};
z1%0XGyytufe#Cr?<CHUccAU-hb&m6?^Ci6@m$BAoglTPx{?Fl~N)5qAjBOp;hEW=$
zc}qTRcY1qkd(&4t_6SC-o*iHZfP?HH@My-zo;}VU2Odwq?AhV8de4ruBf%fg%UgRY
z{js&D+tW#5tQ`xEXQbiSv+185JBe8h$6m-BhGQ?X7lA*vKL)2EEv&uDUIqT#J&oCn
zGu$(b<DTW71x|7&F}HD{dm(tSdog&adnq{6or&)pcMdp@IT**i&b<y?;4T1fc5epn
zaPI)`W@f~3?{n`1?{|L-E^#SO_jQ+&bl-R12iLl5!4J_}9rq)5BUsLQg5z#>DM@#W
zy9NBh{Q}(Keq|hwALx2MSl6oyHuIW+9X)17yhFT0z^A>HV1@Uoar|Px7;Nvi2Z#H^
z!BPGw@Is%`@PFoC3Et}83f|%03I5vu4S1iw5PZNV&;IZH-+>SMaGn1L|6y>kzZm?B
z{}=FSAKvhn`b)v*{pZ2g{MU?=DoPcBO;d1ps%5Gr*ecb}xT(Wa6Tpe7dGs&Vw86C%
zer-}^V7t_Q-~p)vzz(Sn;DIULD%CmF1?-;c4)#p-1be68mDIthgTX^mymRW%)S=+v
zsl&nkss7+msX^dLsguC5sd3=M)I{*y)Op~f6z`v!oSF<yNlgJSPF)OMlDY)EEJb@r
zO-)S&FHc<#PD@P#uS`*1sp+Zd;EdD^a3*ge?N_L-9aH?c@dgeaI>IzN>(a^RnG+^V
z9(S&J=DaheOfuVzM;H@^rm=)IrS$6U(OCMKVP=#$)0}56Hq*>(v%uVL7Mh3Y@t;R>
ztR$p!((t2N8<8iWX~L80nMS6S>0o-A!^~iFy!pO4%bah1Y<`A>x!&Ai?l*rlPns9Z
z8_0(!jzzvSHm%VidXdi2<^(g^j5U+YCFV*q*W6(4G!K}?<|%f!yop3f^4Wwss?QVK
zpqunIN0=ezMDqhP&Rk$FMH0<3H=4W5Z;?ZPF@H60nfFYY@sAumsI?g}VEBmEX6CSy
zj%#h6IO*7vTAPXy!;fw4w2R-~Get<fGSkT%Wcr)oW{eqcE;N^!>E;@9leyb0GLM=i
z=0)?iSsmx!H^pWjG_KC(U~{DTt~tq^VkVd$nxB}f&9&xN=GREY$IR1ce}6OY$8iEv
zLO<NjbfLFB${b@xm{ZN!W-{`1hM8|}Husp{o5#`JUN+0knmA6%G%(H0ex|EA#0)?J
ze~(^!BC_|V=I7=Y<`zB@_n`TcdDgsQ-Z3A<aSBXB)50)MX!@Fg$n25kbY%7vbGeym
zt~0lqd(j2{Y?hi=%?h(Nj#I~c$LwnkFx}0eh7piC*_>g{H9s;}m|18Ax0(CQAI$%l
z=ge#7?`EA@f5sW-P4P!7o~d|_;$+3k6t7gAt$3Z{&5C!Q)#IYG{09^lD?X*TOz};{
zRf-!FD-^d22Hsg`Tr@5yQY=+$rr26>f5lFUJrw&W9<Dg>th3I)FgQkWjN&B4X^Ph=
z-lO=a;xfgRisfS`U2uM|Q!wQz)>SM~Y^>Nqu}rbOVi(0;<0qeSR;sV!K*eE-qZH3n
zJWugr#c7JO6&IX0al#p?+ZFFod_eIb#YYvNP<%#lnc}O8Z=ZL;S?8rzDy~u7sJK~i
zi{f^{0;3pA`qBB53knq*DmGPYsn|}jqhdG3gB1HI9(4gm!4Sn^iX#+9E1s@6UhzD|
z$%>aKUVg#kv6Bj>E6!G&uXuyvt%`RmE>!%z;$p==UntLAqWHYx%ZhI*u25X9xL$FS
zVufPmMeuOJ4#7H&6}u@Oqc~Raa>bhzA69%>al=IuCylRb6a&RV#fFMa6<aE{Q|zeN
zP4S?M&OhtIy8RT7Q5>Z>UU7=zm5TEfZ&zHT_~(l*>ejvPGQ~F)S1E2#tWex8SkF@|
zQf#VN2KK1eNwJq=KgEHHLls9Tj!_(|c%I@EuxGugiqjS6DlSmGRq-ChMT(0RpHN&1
z_Nw=?;&R0`iklR-DDD(2EKqEy*g|oCuy<iM#e)?4DITRbL~)qn2*uHgrz?)X=tpN>
zRCu1^WW`GqFISwdI9qYP;th(oD&Bq3k1o8ZaG~O2#U+X_E3QynuUMhDL$H2<V(De$
zCSOp$wc`GYofLa0_E9`saiHQciYF*CYC;Ez`tEPabm>7FBHdYP|JG~{J)z`!Z!l#F
zOdWIz)`#fZi%92xzl(zoBJaC5=%V*DMR$<;__k~g`hw(d@6ac%H9qqKl7{GBPRx}N
zPrB+7VdNtEqoZ2no?~l`yLZ@3<L(`{(zttr^{Baa=wt_=Eq6eJJrKRIGg_U2hySnm
zIE)pf&i4jIcP>FDl`?8D@Y#RtuKA3(zV>fEHEo-mww;}}otn0dNZXD{+xn+%2c>PD
z(l+Kagj1Rij?Kek^Pt%55}W(SX3N-Y9GgY4$*hH@(;pMAYu+a|yTxYv*lZn}%(`f}
zlGrSWO=;W2=hSKBUrJ7ugPYe)+e9|0TeHfvtvqd8o3^b;+g?rEmZoigPHg+!1E;jv
z=XS-L6q%pEWv(KlR_xOh8RcSU^b1ZB+-ok2c++FV)tu4LzNGW-v^$I@rG4x<_F(Ke
ziIMl^j0&$|Bz!yLH5q#^Wn3uZ&kD1R36}z=gqgM0PJ5@D)5q!Wut&fd<BWCAbEY^`
zo$1b8XMuC8bC0vgS?oN)OxerM+s-OyJ+oq4oE@xb$?Sl$&vI%AvlVk*Vmdd(=7QLi
zS`v4uv&diNy|Y032G?2ZY+*J{`Uz_bZR@D7V7H_88E(hetcXGsU08Ib+Jd6lMYk6H
zzGz9&n?>uRloPYKV{~7_43a$YJ7>oxb7y)l9D{qKfw9TFlHPBL%*I7g&KegsZrQk7
z?A9kXnO~8xjfJnooEe+f#3nOL>i%kMZi`LkGSxkPMw8LeeUmtyCd}T5fBIhdT<-6T
zO=hU{esOHROv@Ah*Q5KU`$y%}v|VJD-5t4?Eiz8qx*juOZR@i8*tV@}Jm#g^r3T16
zQriMT;lo^uU|smUHDmrx%-{53Mr9!L3n%cLfEg^o4q%DeOVr+4?XA_`QSBYoUYFS{
z>l_U#XOz8coU#>~pVTg0m}ldiqA<2>R2g${WzqX~i{o)u7L^FIW@QVJ`z6dzjD@>b
zU@xRUXi9I=jyW&O9NZMJj5#mM?Avs(GqYfpIkxPOm*dik88HcYC3rw;nuJmNIJC+*
zMSAFN%<J@HmQBJ>0^2a}Cb7;1+odi54`BAqGRHR=JXBrA!AV8*QE|DZ*jq+y!8WOx
zV3}gO6f@Ms7OWa$E^e(-f^AZBz%s>l%+E;-LFNG4ETSBexti>Gx9pi3(ZY@;{76dK
zGv}mj%)!gtByP+Y$G(rGZSN*Fr+(T-uORc1#$!HSV!#`$1u`F>I>2FWJ~cx9n3<1K
zlNtFqywrt0U*_avx4RNInJ<^PZ7f<~59an~*qQb-x0idkJJXx(pW`nIrlx|_kkshZ
z`hvv;m38{mxvb9Hb-PgGhcjb1j5(@P^T@s5n@5=gT*}Pb>&%I*Vzz3d*=)9$?XZ5}
z6k2*6cT#Eq`y0d@WZzVCrhQ$_S@vx;XWKW_oMT^8bFO_$&3O_(H6e<Rsqry2KBmUU
z)cBYhA5-IF&a*EwLqEwXXILqfGJ74^f&KV!tQ9U9V1Et{l8~th_8M@e6^@u?=YzAY
zaKRia+%eZ)3(l*~xAuD6TiF}HGP?jAV1Ee?;*^l2b`v;@o%@o`jo@5*yS_TVIGj1v
zGvSuW%w%54JnnVOG2YF*>ch<bEnzPAW#(2_(4(w3o9I<4%?|sHmdgN3zo6y$u9`FL
z-_@LD-&1q8U8&|AOaD)}xptMB^CUjyqVX{YS>j`Ad`yjxsqry2KBmUUoM->0<#`)#
z(aPQqmf2gu0rnPfkoZ!DcY`zSo!~6?VoDhb7tXPFfO9!LC1qHjGAKhk@51bIU(+8B
z8_KNiD0pnF{XNgP)ZRz9R(2s+#)%23vj@S>vUZc|Y3~IGuscMax(J-ft`vFRZ^1eC
zesC^(OY+y&A8~JG7lUP-&y;lj01jfmgrxH*ILkf;&asbx(w}+uPuK=93QkL#M2g%0
z!Kamd0xYvngB|P=u(LfC>}mfD4zN#wGucxsDgOnW{WUmXjn?D<`@Wik?0Pk4a{54O
zdY0Xw=4^JI%KaSsftqvehicBV#HS`TKBmUU)cBYhA5-IFYJ5zMk2%k-Rt|UuywENK
zFJ@nml)!UfnSB-<AYtHxzk)MaS(mqd37pO9y41^y;5^3Hy;#SP+3yj|=8t79V+!-^
z)6HC3!A<B?_s|X=Lb^P`eETwH!rwM4-6J&bt=#@<ma)rF--TTQVh(bTR&$&?P|ca{
zQEJX|2dg>T9iZkM_eeG8x`Wi5Xa7NtTG>rtnf(mxU_S*rvm067<|A;B{TDdS?FUX^
z=cBw?IXKH!fV0`VEd25@IG4SY`T4FA_g40Eu*_}+2iPs(Ap0dalijwG+IDb`tm(pc
zP3RT-&^CskCyX+uo3mN*xWr6jjo=zqd~Rk1=3dr49%e;CC9r#}zD+B4sG4Oi;~z?8
zfcsrF2e~JyInF&n&6(~nHD|fQ)tv1fujU;0I5p?8|3c!=vpdO6D;t7k_A79J-2o1A
z8ShXcL%<0xD|4xtF0&A+S*{Pxc3H_y%|S)sO<WJ0$J|!Cq^C#v4WUmNf&7y{(m4+a
zcnSLSbhi#6Te)??GPfbv!EFF`wxT!mbPK=%ZVDXaeg_=qHUcNQrQmsPWAFmE2%PB_
zg0tKbaJDOb>m0WpIM*!(^GI-aAKY8H&A>8Odf)+W6L65*5}fI_0B5=Tf^*#FApL{%
z%5H1y1Kd{Npjy3MTSB&S+ks`Wql~xf1a_9yWZtd}9N@MA2e}7=<J_*`ME0!6+jRpk
zaNC13-TlE?Xz%iN2Y_>2bV%N=12}Jw`Q~J;=T`10HOt(QY7XFhK-8*EQ*)d<M$MV-
zXf<cKjJe^D+3pY2oWp(}xu5HvqUJoeC%I|m_5#b;`y=nx9USBy3XXF}fD_z4;7s=*
zaF*K_oXrkDd7s|kT=x(#Pi>(UkQzD#si9Gj0{R3gpiPhhx&$epNst11ME(@s!CiVm
zN#R{kdO%6xJy3c-Nnr&jJzxG5*5EEuR8m+EiUgGuHh>~MC4~<_k(`o3y-0hm+5(Vi
zQcC?nk!Mm$hk+u?q?87NBFChB27@BQq<oG9MSkrn<zw*`X&@;d1BxV&lurUh3P{Ss
zK#>5F^6{Xweo6U6u;x6UjIZ#Eq&yN7UXhef1BFi{<<X$<h@|`jQ20YqJ_VGOe5dgP
zjIdhEI1B17E=`VsWPUku!PaC-L~$5#VZ<qv<uV2rD4os;+_Uzb<uVwT9yu<3aoIoZ
zVw-d^?PNcLe;0qm^=tng|2O`<vZuknU-mTki`difdv-KDB>NfsKeC_U5&u!{?vULN
zgnJDChyBNKd(3~_*v1v+Qv7QA{hC<Wzu%BX_1}G@oB#J1Pmw3){@8Cp9%}kMPVOXs
z`F?-$^Z)+r=l}hWpZCXmTW2AANuKeZ^_F_idCz+<c+0%MdM|n}c`tjfc&~b|d9QnK
zcyD@dd2f4v^Oo}`Xe+$Gdn>(ny;a_O-fHiCZ;khXx7J(dt@l3kHh3R-8@+#co4k*`
za_<vwv-eNgqvCz${ma|pZS^X>&%JH@2m5yKOK%7N#J<xDed9a6^<CfdeLwJ1et}=d
zuggb13Vr^so4qY1egnUu{~f>7Z{#=joA^!ref(yAbH9bZuiw&d<+t|R_+@@uzn#CI
zzrTL~`(Qfw9sL9SPJU;<i{I7n=6Cmd_&xnzesBLE|6sq5e~91LKh*E%AI9Ig9pU%)
zkMxi72lxa1LH=O>Xn%<RUH=&WSbwO09Dnw9y#IZFw10wsB0FnN@<;gJ^GEt8v%lsC
z{we+#{tE6i|8)Nh|4jcZf2=>wAMa1_&t`0Pu793?zCX#ofIT=r<nQ7x@~8Me@-Oy(
z>|erP$6e<C#GmT_)W6)n!k;GlbNs9P>HgLJ4FBi;On;U?+n?jl_2>E5_}BXL{a^4`
zbHDT#_}BY4_&54D`M>gS_HSW7&ux3m{ndH@>+pMiPQR}TkN++YkJpZ)t8;R79)7}q
z(tnCwN=syqlK(7wl%8XU(hL4F|F8aw{!9ML{ww~g>{fc+f5U&%f6IT{|C_(uf5%_p
z|J`5dzw58^-}6`d@B3@~5B#<MI{!m|ga47g(f^0P$^Y0d_doGB`~UPS{7?PQ{D1jd
z{H=Z^-;vzrf8lTEE0R0>ul${U$aI|(*uV|Ezz>2TWt@gPofnP$jy0u0LGYcRG-%}g
zG-whu4fY9|1<ivN!M;JupjFU1XcLqLZG(0J+Calf^WJ}5OU%~}lU7)@9d@TBejDxZ
zRBeg>nRY0x@D}6|8e)T~W~l$4=Et3IWHo;DpCorpO;K<{aAGh#I4Kwrd@mRooE(e_
zz8{PUP6<W_^!Fu|gg7b~5DermEe8ij2SbAI2FC=)2E&5mgQ3B3#wppveolJ*l1<Q-
zbWfbPY|nDBB|Az!Bh<#Un=Pp@`vyM=rUpL^E)T8<rt!C#R|Z!F(}Syn8NttknZc}J
zHh-i!H<%Y(6Y&32!7qaAf?oy;f}4X|0%mMWo)6GgN=_h``v(UE?Sl?M$Kb%AQ_wl+
z5_AoE1U-Xp0s3mmLgNK@26qK_2fya7HQ{>&y@P{-gM&W7Awl2Z(4b#%SkON>GB`Xy
zmn)fWO1)#fq26)cFz<Np1n)#|xOb8_!aKt|(>u!>>y7iqdlS5~y@}pAgdR`mlf6;i
z_r1~H54<tnDc-5xY2N91LyJ1&lng|ZbV?3qKG~M^H$B`5-Vyw%=#k!0-T-f)H^>{z
zAB+ykn}erPty67N`={EcI;Og&dZc=#4odY&^-c9l9l_s>o}4--b$;rHsf$uSO8q!>
zY3e7bpQf%z{Va7=>S`YA@U*_1ap`RjvIp}wr-#_S_E6i;9v0kT**{s*hnZz?Cj&l*
zkzYwK_PaMi9cW^k+I?&@+uXL`e^Xo9R<<?!c*`tbU$Xnz{p|s^z3pH-+5>~rg4;-;
zDOxfcS4p9iy^)=4XWPYgwcXh7+r##>y#i+LOE^bL7>_XQM_`|Dfvscf+Ip;S)VD>p
z*p}D^>>Fl$SiFN13@HR>ed82wr`+<-Ia&8y_8MFFa>XkYrzuA6SE~Ig#p#MyE6z~-
zIp`F#5&-@lEP$sAm@#h5x{J%|SXWDVm^Ri28P65Zw~PLlXgmM!Yc;p+N>|*io><%7
z=$q66|I@wCKGn3qU5|jO>45f9dzt;o*Bbfc(*$!zI^U`m=uY^L_q%!ZKyvk;)J^kf
zrv8&bfp<*xe$5+Mz5k;R&8NA>`l|Po-%fgf;P&8-xQFUirH5iob=SR=^h1R$%(YHC
zrz30b2RZ$mqnsg}S&?=3Go7=YNvynI=1g;Du=akPbCYvBtM3mu4>^yr{{D>fqVu}5
zoE7-B&PJ!gsdRQ)k6xuA{Z~u+s*dzQ2hrahWrx^dc7z>mPq*Xkd3LhB#9nTv+u3%$
zy}{mU@3sr=@9kpyXS>8cZ(p`=+7))SU2iwp3R`J+@Q2_9ZjoE+Hgj9M`@5ao9&R62
z;0C(KxF@(H-7)T&?%A9onc`mNPIG6tb2%q+lY6^+4}T#3ko&0ng!_!U%w5HKj~!m2
z*TU=M^`oT6c;|Ujyvw|4-VAT9cb#{Wce{6w_W*w~zSw(;@%O8YwO2Bh{*19QbGhEr
z!5QE)!I|K*!CBzaU@Z7tFb;e^7!SS>OaPY!?6C3v8cdX)&U-OHWAR=J&IMl%&I4Zw
z&Iex&CV{U77l5w^7lLmDKLp<lCWCJU7lCgFQ^3CkKLVEr7lZEvKL%F>mw<l{E(KQx
zm+`cxgP(BPNAfond^Y$gxHPyNd@i^Gd_I^)s275tS>{g3;g#GiA&*ya_hK*|d?~mZ
zx0iz%oDPya{v3QYm<hfX%mQBzW`l18bHF!)x!_yDJn-${8t`wywczq#KKM@X3vfkn
z9r*X)m*C1^fw6u|%S^Q2$}(H+x3*|vej8g4EVG4RTl5X<%XgxzzaL-Cu)ds`wEh9M
z0odL)1Ura+VoUv7N%LJ!9$IgeZ34b$n}Vx3BWS(%E%VXd8rvNFz_tL_+I_)wwk5dU
zwgNx2%t3n_(4?*Rku3u^+P2_7Y&&q1WhCf*Y?&|i$~n(%y-zGN$lhklOtJS*+Yzj=
z2ZCX6Gr2OsEnoxN8Ej~~fZws`EPg59;;?=rSwr?4+a6#O+Y@YRdx2f}YMb@Da*o>i
z-EAMR8{ZwWeh=Fh?8&!8tl!J_1AE)UK+(Ugf1mIaNI8I%nAcB67XDY%TAiQ{ql=@^
z%zL59o{Wt7u1N)T8E*_gSMLqakK(=_qmO}T?gyc3f1mq8#v+5z;}1sj9?gAyMka&N
z>ieLF|A6}<#wkam;~#=nK8E{ZMlD0o`1_)xpTd0!W0>!v{~wCRek%737||TVXrLeZ
z`)S-aWPEchV}rxc=1+&i&OpvF?}>@tj}&AM7Y+YNaIAL}IL;dYj`s$F6TCs-*&cJa
zX#Pio=XgU<Vvl8XF@`ZwkDx!cQy3fd3`l_y{as+o;BK%LBM+a^{b<Hb-Galhw+Vg_
z92az#@di5=-~jeWQ0u8Ksjg_Cm#7vhI|z6tI|6L#8q+N`-x=gC_KN)Vc}Hc8$Yf-;
zw<CnqFGT-keMeAs<9O_=DC0bp>;htiL-Xah>$t0H#&AOBc5|20(rM$I<&1a#=%Jsp
zLt>1%9k;WvbAC%*P9szsM|KuDDNcK#qeo#K-U>HIQukB)k$%r;&kcIFtjrYf6f|)3
z{Z^(m>&)%gm)8;PyBjit{jZ!D9KcDzqd6gXJSPK3+S54!IG&S#lQ{8r5hwj#wtus$
z-G1&6S*2jKVcDT(*rD<)drh7*pPPlGaGH77{+!wV9h~mF#u?-O!d>8;<=*K2(V5^r
z;{M5*j<jCt%yM6FmpRwDFS#!{3*1-T<<9l)-`x+K+r6j#vz_~x*}KgikGAx<y^{WY
zoxRonFi5eY>X;T<g8Q)#r33HRoj2^w>9s@H`*L_{L~0}_)6Pp>$Z51GoI<;V(`QpT
zbvBLDX45t9-j4JrRjm!j{Uhl(zSNkduPKr{mmNa5t*1QX<m4sB*r|2~E4h|I-$%^;
z<G{*(Qd*yLo?6Ojm6p?2T27~EIgQnFI$O)>YAvVPT28;za=Kp2=>{#QJ0xvJxI;8;
z-#gr6UZ1}1DqLrKvrRpEym_Y3yV1Lqy+BsSc)ba`%{iFU^oKZu&1iIhW6jylan5Px
zJm(DO8gqp+-}xW&JLgH~N%MDSnX}BSbY68{HSf}oEMX6eHFY>+$y|f`vAfx%+)pWy
zdS0>j9n;=x?6owVy*6H%Imp}3+t2jz+IyV*@_KlDVUn0`lvnRZ-o>Uaxw?scQ&Oh4
z;pZUJzE9pLQTUm@hPHiFaJ(_W6TwrOdkJxhzNv!`C!Zy3YCf%tl;LLH%xU55%bQ8A
z=@B$7;Z53)_hU*#N`rLcT%3%YqIXK)AM1_ao;2}47PE&tzP7Uu-jiR0ANe{K<v+|h
z-Z{ZJ(HZWX<ctVrq^>6ij%9s^@}W;b0<_>Kb%#6%P7O{qO_<@~OOhJy3_`fH<uYEj
z3;UrQW_*6ejtog-g1jSdR+re9vWEaSM*c_J2W967ygJ&BhBbe~&Jyvl-glAPVrzr%
ziL`4tnNxvV%>df==Vq}}<TN*rAd5PiXVD`MHg72>{Y^P(o%207=_BQ&&xDhl*1}2b
z?}Ue(<KXzg&M>sZ)0~m^410z%$xg5noD1v}JH@$>mhgM$hxQM4gYzqQygS}`O<Tq5
z+A7}BR`IU3if!5|zLHkKR4~%R7D%hGb!Zi9Z9{jxyV14~{<Lj`Kka_PpY|x>PkXfR
zr#(UV(+(H@v?qBzy?*uw(t7MT-u}CGJbmc*>;!tPbL<b{oFCiEq*d9Uc)#*)wO4yj
zdQaL}(jM$=sR=trYQoNyGPm=XVVhyELGJEnuSGr`VCT!(Tl))UmAcyN<kYSGrJTC8
z3*^+Ty<Se;+8gB5t-VoB-P)Vv)UEv${liiA=G4H{Kzj=^ZG^oQxi-??CZ}%g?Z~(D
z>>bFs3+<h9>ek*Rr*7@ta_ZLpT29^Cd*sxu{f(TuwfD-YTYI0Jy0r_DgIC)7Q=GcB
z52UV7T`&8B=nv$Se8eHW=%p%6f916!wN0I@T=jkUbc8uW+t)-m=xB3}a?!c&I(o13
zY3Du6ByC+6pqU(NE~WjPVJ_45ezi)ZpKBYOscnBYZKjo(OHWv4<{`y9vvb2?R|h?p
z^kn|JymP3`pUOPy-nKU+i^u~xFT9?W-R!f)o%C$+a6MZ*miETQ`Cu`lv&F~;JvYo8
zoVq9HhNHXWL~tfva@IFF#oJ9!@gA<Hc!%mK-qCW3mz^t73dt$n=q@>-8{H*mZ=<{9
zRBd#ZoR^L6l9RCQ&mA{;lKD(=o8nGE$5X7USfbciv4vupV*B&Yn0&6&MRB0wXvGT^
zXDHsP_^{$K#np;i&Oi73b8TJ462-=fEfmWX+beca?4{UOvHwLAFB@kED;}dbOmVp4
zNX5~Lrz)PQI9~A_>Phscy~R2jQ>3WJF5Q3`+X7tv-*9!}_lVwRPjDe+a1V4RbSrcd
zv;dk9&4p${(;?Zv(V88LRrh2`YjD`Vq^1||6i;=F?o-Fa=A)5WFZQp8wlDGO&5q5@
zEc$U@I0hL-oz(BwZuEX*_PcohZikmnXg_256C=%7+@s4`cF$jBZ+RiR;<^#(#s6x$
zir%)=Y38(c_U9WUJvb|IIJ=WeF^@r8Xa<d}Hh(jQICBYq9lvJG<TT?avpJ=NegHF>
z(^*E3{I;{wS%d!u`Q8XKK$D!$NLhX-@Ou=WZ8F#6?2MkmoKJ~utTRP3Yzy4R*fQrC
z+aBs-dy$uwwy$%Y?eCP^!FH(aZ-+ZYc9gR}-xC>Y&mpxL_Cn}lG~+AnOzxYJ))c3i
zy~ZxEH`_byy>^j(*gkHbvP<oY_I115uCi;{X-M_6V&FLY2%5R<L2?{fL*Q(O+KbeE
z9lMDfN4_8Gm|5a(X0rpzG4lkS$25E|#daE|Qn6g|KK4F4&c5oKQoLHxQIzkYI?gSE
zq$&0X6iXe(bL3y#=c-E=#g>Ym;(>~RgfyYpjr^;C!$u6TZ&bWfT{@}#dA0vW?Jp=k
zqAq<Dn<zF{_m31`mK7XFzI^F8oz+G5XgN+d4Oyya6{o20mx}*Vm!B$jP&`1ft>RQc
z^OoB0R&1dz+nCdEoHE7wibnBZL35+p4^%u^v5#VJ#ZH2}yWmIa(%7yhwZ`l&cbqno
z{_`WBzX{($c6)QO(K+EiMrUX3EZ4o|j^)f!c3a#(-5L+q)-uwpkTzl}2+3@!Sx*Zb
z$S-?V^*X}bM2Ki^b^j_Yaevy+NMcEgl=k>p)b^q_#|mK?tAVsK))pJnvS?qlw&8XZ
zZEF;^vCe0N>`Mq~c|)1Y-9U@`j4`{mHcHj7_uO%sD|S*mS@CeiHi{Q0o*+nVN_g3^
z?l?!N%gt*4sp2rjk&68k4^nKa*jRC>Vw6q`wFinV1zGugl$1|ZdjoYJqc~ad2<5kH
zl}`%Q{=B-kSNwzGNcOcm&Pj^<s>{)ey%Zl-Oewyv*jLbG^Keh*<s7HIJ|*JkBDMEd
z%;xID)J1vQ+@kgxINV_+mNbh6BW`!Ps>=jLZ7(tZKcg-UnStcniux7@i{0ri$aw~E
z>FA}WW0&(q)FAqe=s1Zqd`HS<>A<B!HH2vJhO;<A^%)7auX281xEXE+vsYTup<y|v
zDx%F|*AviAL$Py4Meq}K@2U2kin<HIX(RS$E0@Z+vyjsnoFR9neQPwI6M|iwUQS=9
zzcZLo<Zx${b1LTq&v7nvF6N}*mCj7(8qNxib#8X<bnfN6;KR=2d}Zri&J0Ft7EkG_
zMSs>UHgk4xfwSEjXO#_D4{zu^o~&Px(pXu;AnXF$&w0uoMH)|$#-j9!M&O)dPq*WV
z(-42wHssq}y1sF_y_^(vl|xd50{n-_iU;m@+tFawx`#8^vhv}KvaEfO{(3@ea;{_r
z<ayRn8b<3Nq(Cdsds#1eo;!&lYb8<Wj)eHLeV#qv)Fxk1r(G)^s(7m6A&LhGnmg2f
zj^YXGa--Ud6o)F7DPEyCN^zthUuu{1k5+7|$bTK+@*TxrDK=CrP;91{Qru6mk79j6
zzWpxvMc5pit@h)?M%ZU*n8y^`s{56pw1wXbnvLr6vHEsZyjsyw_jO@0VYaHvIK`V3
zJ1Op~$p280S|dU8mEulyX&ZLL{YZ6rUU7%IFIM|^)!tgMiDFB|LdCym4tuG6ilEu1
zcK*kKG<zzxS1eXMO7UPpvsUegDW0r&kYaa1Q>pd|ih*Jq!KWWyG92G((!gxvd2Ixr
zzTs*1@1#RCW*j3ky%}i$zc>|yUT?2N>a^ipmg8KcE)VkGERORhX9xHZt1FIkqqsjk
z=IJxDQf!H?&pF3<r*=n9sT>ubR!HQ^{URZpc`7shsP<zNUr;<#k)1H4`IXvbOd+`k
zpDua2an`fSs>rea$giPDwdgEV^1Syo{%k>WmD)!t4po<j)h=TezR;&AvmB12-<EJx
zzCAH{$y54N9WiiP&-@pYtEWCoc^}o7!L@3C-8g?)qvNS-k*R%=m^mxHc8IqjSe&XX
z=wC3n&g=C?*E_x5<a*QU&8|1U-VOE2>+LKoC~Q_Zq;OK<^un79mlSTO@6|7=-?V<q
z`UC5qQ-6N_N9(UDvPJESh83M&G`VPc(G5ili~h_B=@*M$FIrx-s%ULddC_M@+lp;*
zVR6Iaro}Cb+ZA^#?p55kxPS5B;-SSC7f&s|vUq0kb;Y+9KT!No@iWECia#qUDd|`;
zq-1=_f|3VHo+x><WKDyhLAwS=H5l9A@&=0<Jl|kd!;TFvX?S_V=?!N$e5m1@4OcW=
z-Ee*Bu+q~@CzoDQdQIt_r4N@bD_vc>zI10JuTkAbEgJP`)Thy~Mq?YD(`as^2O2%m
z=$S?<8f|J^+PGumfsKbXp4Rx8#*~qB7~d5=+_ZL%fco=&hq}(8rqt=DKArFxh|fTL
zIypz0?>I;4T9W4s=Jc{<X1m1WJGji+J{Zz^c8Q%$qj0@x5^gX}!)>M+_TJ%Y^Bm^$
z&<oHq=&#U=&|1Q*gVsYILK|@V2-*n!1KI?A43$HlgzKHf;cDj*=uzk~=yB)^XnVNY
zn;Ne2eim-<u7YNVmEIg^E;J9C5Ap9A-d*9_-a^7X0R1*xm8uhNNYy2;_mS&za=lq|
z+=B0uwq&lP71SCk<Gv$iCx{hMBXie1!!LQOa^9+(w<_nY%6Y4D-l}|eZ-GRuq_?Ov
z+o3O^9ne?MPAKGmU-&+%<3JX2ArJDQ07^jxP#vf)R1YeI>O)0PF;oJ5hi?a$LXDut
zP!p&rv=7t_Y7Vu4_Jw#?hj(>&SEmhB2DOFSLGsPx{h<S(_D~0ivTzQBC=X`L3!E-I
zuPf9I>JIgQdP2RR-jIC9_)Lgz8#`kmPJ%n*p$X90&_w7Q=v?SL=zM4rbOCfB^h0Pe
zbP+TK`Vn+7^ke7}=u+r1Xd&n1?}r|MnE!R2!R=XSDfB$_D)bukI<y}85ZYi0*nLpI
zihKd<@dd2L7qAvzKwnY7I(z}E@CB^F7q9|f!1{ZErHoj6FJR@pfOYo*R^1C&b1y)z
zEnvO9fYtT_*4hhLX)j=%y@2({0#?@xY!|32)D7wm^?-Upy-Wezx*Bd>4Y#g_TUW!a
ztKrtw-gV(-?{VhsE;9Ats!}M^wkqLN{=X#LYTCew!l7N^-tOUc(*x>BJ7vYhTuq!O
zp{Jm~Kue&fp=Y3Hp_<!eCGE13c3DZgtc0Ui(JoifE?3bmSJ5t4(JoifE?3bmSHaO+
z;pnY!^j0`}D;&KQj@}AKZ-t|`!qHpd=&f+{RycYq9K98e-U>%=g`>B^(Oco@t#I^K
zIC?7_y%mn$3P*2+qqoA*TX)N4v-$U=InZ2a9&`<KEi@lm$QQfshaP}_3oWL%d<2rw
z+GEh;(5Hm^0uznFTK;LwhXUyE@Jr-MC32<Gn-PBM&4gwn73V;*mxT2<Z$8AD9W}Pi
zyMvm$i+`MYoN#|azR*&UF_ozW;g_lFsjCyH%@wh{5eZpgnj`sIP#gPE(!G&%SL0u^
zY^k6oDyWGHYNCRgsGue)sEG<{qQYz@t$#ul(5KL6&^FTk0@@CJ3GINsf_6e-SWfMf
zQ#<9<PC2zxPVJOaJLS|)Iki(x?UYkH<<w3&wNp;*lv6w9)J{3IQ%>!aJ40yai;>We
zK#xL?L61XE;Qk8q0rXF(0{Q~??csXwN8wWMV(3z6I&?KOJFK8BRL~YGXbTmzg$mk2
zg?C$6PFra1{fYj*VV1OByNi-qOG)v40_Y#mCg@|R9Qq_&OC5d2n&Q5c!I{*^W7I+=
zwXjax(taWTLBV}@=FNNXM5GwC@))ICN$FNnx|Nh}C8b+Q>8_)6*HOCbDBX3G?m9|$
z9i_XD(p^XCuA_9<QM&6W-F1}iI!bpPrMr&OT}SDzqjc9%y6Y(2b(HQpN_QQlyN=Rb
zN9nHHE$<HrcRE*6vhb)g9l9Et0sS1B39+Xg$><>&JtU(?O;u7;mDE%vHC0JXRZ>$s
zsi~dR)J})@q_%caTRW+(N@}Z;+FD3$Eu^*<decl(+C+tSCFWI_({Z~Rnn5kigl1E_
zbD+7<JZL`j3+OujjqNtt#vQC)KW<v5_%}-0M+NPpA|><f|9?&VZ>b4s8JnpkX?J&p
zi=ws{{tx>d?h2P6+g?Jpy@bSz+9W3w2+s^H->7QJzXhDlKX6{bzcH4Fo9$+Z{=w2e
zSo#M`|KO&=3bz2_`wDK|aFtukzXFy(4NM!iMY!2*2^|FugeHaWdk==M@m1|Q{EtU5
z|36X!HISV@f}9#J5kK70e#pFfJo9~?`99BlpJ%?G^}H_$`7cuWR~)~MsZ%X<9n+q(
z<0(#*rwG-ZryvV7zr{RFo+x>3$c_SWEhNP+N%6~cj%t@;?Lws}ukGZ2J5M54=@Mvz
zR_;>=p!Yjuf3~LnyYT&5zE$n=@P8qcr!ozBmdGUdU!>f(;o{gIF^^&4>}5V05~C`q
zF&SIEm$r*bc8JKYzL}Win(ZH@keyB@wW_?4Jg-P*VZEE^<LY{so0NA2G>zR)Kf}Bd
z^D2`<O4m!(!K@3_W3I$;H<0%jHQ(0TH~h#uh<2B;xe_XC>?ry2yrJ|Y$D!8_W0W==
zUB|(tf@dF#J9BpUZNab7J3d_Doq);zfD&${HzF(#ev5=j#VJ%0YO{tIjyWQ%#FsTy
ze9K8gd@Ez$a(vm<h0m(kCyBRSe27<}z8m6vCBCch-Jq$~BX{eGzl9Lxq+Cw!ZYT9k
z<Zdmw+v1&s8Rc*pZE+}}<@vlHuIn`odGjP^oAu3o@62$AcNXEs@&@D49M49Rc5$u1
zMefQ?9q$bM&m{FI+!k*f_v3lu+2I4;Ir`S`k^3_#%}h$0B_(`6(I<=V`gHs#?pl1e
z;Jby<#~C~;^90F>#9v7WDVq(HX(oQQZzbGu1}UG(d!5De$3o-K0mkDtfn1V*Z(_J6
z&gH6{bmSc*#CmxOB^IS2C6V~7<-Y?@<`mT^{;%cx{5R5Q%rTg!m{NNh=4||~H!0@&
zn%mnjZ^yh3b0Ov*`F_u0!aPCPrP!aNPx@w4bNm<Jnry7Yd`cT;S-LWp(v`WCuFR!$
zWiF*Fb0}S%A<(t7oC0@lxWc`W|HFM0VpQdRN==o7tNbNU)ifPxJ!UkT*PUoyccOXS
ziKcZYn%14()0FJ9aNrBji{VY)YnX39Z=qeSWaRNK{;Qz(pw-a(&>H9iXf3o3S`U2)
zZGb+4HbVb^HbEal<<KY4X6T<#1;i|__c_F@u=fSDJ>29sfS4`!nLYPQA!elc-`!38
z|L!KgDYOsNF}%rVM%rh-*dG85ga$!_A?D%zArLdu{xQ(85VF8O4jKj>57FBE6QSYI
zNze%Bd(cRTxn_S9^nGYFbY{5GKMNWQjf2KR6QHx9iO_=ZQ~!GC2IxlUrtnj=m*vLu
zmxn9;)zC(0E7GRAi%4j`jwk&sp?45^C!u!|dPknn5`Sk_n4LAm%%5KLtU#o*cQbS=
z^gHN5=nqKj$UnmBIjtd0e;ZQTubQu5pYWp^^5z7LzD+@Zjvg@E6cmP^2lc~$1;xmh
z67Cy>Uj+@rPuMSC7Z>KD@clF>!YoFDlptpsAZI*$CGKWiE5#L!v99Dq-Rp(h;uzc1
zPeMz`FS*-H>XoK$PzRf&Q4dqnsUN;WoR0~mPmoa5;s#CelQ^gHq^%l1Aa2GL9SWb1
z@uA1k6ibL%=w<qd3hxBu@bK^hB=~!=1QZ$f9+K-lB-cVD*GJ5YM*S8&19dVCI-d4?
z0_KU~XT&b2XV^jtl}O4hq_P&t_!+S`AsM%bWJGo+z10Zha3bX+>A1xddqYh_(r!uG
zElInav|Ez)wpeOcdS{u&9y|NIahxk2k2wLqiS(zEw!MEnTw)d#EgFXGsmH2Xd05GB
zbGSi&|6o-h&lUbNkE1xrx@z_7f3vGyNUNj-+AorG06rzKnKCGc`|QGv>eFS>F}OFt
zXB*l`L(`CwsR-ACYw4MCF5)I3Hs=qK6Fj~N9|_+^VkCFll2mzu)I@pOr;;3esriVX
zTSExDkXd`)>5|_SvJ?L@;ujL~pW#E{yWx}J-@~Qyp8xkQN^=Qiu;~BZn=4nZ4_CrX
z%fiRPP4M?hwXF?T2+xL};<6rE7QRO*tpeAB<?_#P|J@fdn~PQC_{y?Xs*mjN&@1u@
zw^JV4>X;+{Uwf%+$&x+cUEfqz!$lc+^G&7s-;fTx{<i5KK50B8<dX1H)+V>ey|#?E
z;fPQ1S@PfTCVP^{@a3e(4*wj-i~DMPjI^D!`<^8GwZkHP=nv6P4E<@&C2o;Vj<dLF
z51RCyiEqr!h4^m{-(g<ARu|8gzV{t)1$O%ST1ETD0>OL#&tLM6QEldbRjEl@->21m
z^VNo?rlm$buh4%RT}AvSgu;bM8gh>dK58zcj?u0N4`P0(y`c1itCRz_fMQ=onp@}_
zSB7hFiQLvmjQ{jimD|7V{AkZ8{iC+RZ~JMrOP|{99NtOo-5FjP$KYQ7)0TQyGjY#K
zFuV^f*sxlmm;P&PY)@Pge`Z^`1jComi+;=RC1PWXLgqyej-f|UEYIlndBbKo(g)Ra
zq0jGGZ8Q7CXik#L9$lo9C%wJ7YR*Hrkv5{wV|3xk_~Ywd;YRW<QsV76-Q6ZgnQu2f
z;YD}z^e!uoq_;O$&C)o2=enfYlpTkSYn{5p$a|&VS@vPn>e6scRX3??8dr_=Exhw;
zt!H_I#xfeNRVF1+&F{QAuIF0op8A%JbtG4p@pzSzVmH}dT{YKp)#Uy&T2a+p{Cn^J
zPrmbC{=H@V-}5w?hpP3J%7j$SA?rTllWWWEGjs1GWX47MIqoaMFVW1{b;EDH-iwZs
z3Lj#RCP+^#`<iOF*r!nCipLq!hvw0B;#mb9fiuU;%wU!1dwpAT|GKwHQYKnLwT)lX
zyU2Scm+BVZ+&k}4{*pZG%B<;~MW_3AFSt*+EGfl3EBh#K;lE-tPYFxvN!oEJ9rp^y
zLvVi8EBswmmv8z$YH^u-WphexpB24Re(skRSmm9w#_@SagZ~xvEM<dS%2Ug@*I3UQ
zi|_5szeaTITkpNAojH~hB9fBKTChgJD0RawMiRBHlCKpmGjkj+BO$)M#4L))X4%mm
z@Si!QXpyTJ->=wPZLPN1qg);nzQSA;K9`>TZ^&t(QcAFeq?6TdSd}Die5n}RiX7Qy
z3MkX<*cOq_itz66@%%Mb+x#Tq5?<H5vEoYE$g_mkg|cRMlNkBUJ?e?Gl8{y#{)^{I
z*~pI9y5Z+|7iR0}ReH>{22WX5vZf^KQS9A|5{>2FC%EM0=&VOqvyu|~0CVc0dYE*H
zNcmK~a!Mh{_SN@Xo#Zmxr}lPuRm!G@D@uEpA+j_NxUf8$Q>Y=iEN8-Qp^Uesdl9~3
z5!VTAKf1!l6I*=$u9#9UQ8`65tZqBtYVnhrk7mA@*^+y4-QA_JWL9()ZJ{#%xH41o
zw4E#sk@mxgTze=PnVWDmEnnwUDGQNwl7qU@TwnOb?sAgrpFA@$Yw+FeJLZ-`!uh$b
zxoJmtS+XN?U<X2NMv|G558tY}4tD?iDtYS2fAe)Tof(@qt>UA%tZk%uF|oxZryPY{
z;x*+Qb!+yu56PrKjj}El-N$)v%N)y&Oo(0E;KzF<gzyErIQ0?ADMk7JNe@b2>1QaX
zq@BN(MV|%_vY%fs<oK<b1odt1NuEo-R*D~Q`=O2`Rtu-X_4KZBoIrL;;C2}y*5WR0
zNVxbDSv85S@O9SNE0PjUT*YJ`OnlKxFHGz;o7sF#jHCuOgntSbldEbYmzq=BJD-RH
zMV{0yer<Sv_bIWP`)gj++T|Xl7p)QS)^Ac{yO}r4)Tlf{<aPY0L`ElO?3^h{wRI6a
zF49Bd0J}A!z6O3yo}>~qlkRR4*y{k&PbW`h#XOq*tBcm)Wy|}l<V&;c^2MaAi@t4Z
z)@=>e<Y_f{e^bu2*b%dPS@-X#fxUWRnU9z6d&xf$RKIfhGxx4~=sj>rOUzovk@8E*
z5Lp+?+x+86<a3()Yngm*utIL5a^Vl6a=r52eS_svJ^jplR^*qgQC1K6?Yo4W2G^gI
z4_AIkn%*Ciw_K{ePwjHes+#s^$e1<sZD~y<9h-b*N+zFfl-86b-|T8i$CUnjJ!^NY
z{gQe`_))&tnb6g3=%oe3tPDSoCA^GbNk5~VXFt1od~wMw$?V+a51+WQ;z-ZWvt{Su
z>y&M&tTl;NjqB#9CUl&gL=X+@L%G2h{e^I%!>lH*tYfZEWObAS(tKGpq^*ROljnLR
zW^|Xqn%pxXvTeD2W44dlJ5_Uu9pt?dzl<$$$(Vb`XPNl_rM8@Ybl2|?UW<PrwXVBA
zF_&t1B%ZXj@Xjc9Bx{p>z2V;@*KEwRyEw+0Y~Pyg=*Tm}KQQz109>{p9HDu6ohM66
zd_GQVekQ*50r=tjE_~0PMYX>~+$p@n{BWAw<GUW(7JkNRFZx+7SEglC6f_IreHnR3
zJ1XCuUY8ZE25aqGa19AW&IM8?dw#|JpL~O|lyB42aK)i=^{^Vk*6bW>_3e00jZdmM
z_AY$BX1;cja^jVqwMrZ!GowA!tk=OOa?0MY_ec7pJTnv7e3#65MA9|tB}hT$Z+6fZ
zF>fLqo12R`FY%0jwqO2`ad`4XTAO6gD!qd2HDOe#ElP6xQNA&lj2U*{LutC?Gw1Sh
z?(`;ZM^QdD(!bCe;bPG)y}UWsG}7%-_QxcnX`)23Mfd7xiuwp~Pv?ZOLVETg@y%~i
zQ=Fa>Ka~(`FmH}R=H@HA<|6+L*31!^F!^oK3`3H3xICPR&TVv@6qUf#OuS^~I|(g5
zl#7&Pbd^L#IGJ~U1&Q@B`%R)ZOP5mkD!=qy60xe8cWyEjF3j*r^3=GDQfZAirSm}^
zGDa`Ha3CC~tE_Qe(i~0h(tUQ-98|e4VCI>fJ#uj_A<;NQH_2J8Onjn{xwtF8+>ll8
zC}Y}NJlj~w`MH3*?W*g>v)`Gtb9qKn^2lTQos*d>_>(U^(9$cJ5z^HuLZwS1D|}97
zXtz;+R8E_fuNr;RR}HeSc8}p*s&G~;)4t4ppG;X*Pc_}%BQI?M)k9Txp;RJ1rvz1+
z6_FQqb|GQX^9)s<Tbz?hQTAPu3+g?ok!aq+B=dpUp?7W1ry1=!Mz*hLtGln|@B>2W
z9AtJ}vCHg>n%k;sV{u52c9pKP#FkxBNvqTFP2*T<P{Oi8mbA*aq_QPpb~@QHBRhP5
zQ*4tnWbE6GbxYwv<-_=d#V%&kIANK-=rPwsH|bhS`-vrdBXe6V*DoS>>!5kkLn4)A
zU+>&#@2|#OLTg<Lk1f@i_l<<u1eay>!P02%Je+~++sv3RhL-Wf<(Sl<rtyT<Wjeo{
z6wvV&e$Ao~VAI{t>QSa`)8VC@k``N6zbbx+>7V6W-P(*f`ux{E`JJn}#yW5xBfnZ*
zxm=Jf338%$%DJn4!<UYCb)|VX&CQg5S{vXyYo*!wt${;!Ay1>06ie#Qc9oNVw;ye1
zP3|-EON@l)bHjf9JE_s6JdyVs(;TUDWI0+JA;mX~2c&O|d-F_A(4KLt?k*t+A4{A}
z_{2sXNxVqnRZA70rAbKaS$vXl&9XI*wel5&l~mJfs#3a9-gsUfJv=Low3Rw~F?|#5
zQI@=j-0-7az;TLsa-GDBLL_&4XeLs^(>HmMCkHx))X^03>Z>HZc=x*M&g7aO>#Q<X
zNOIQG^wk<)f}fmw{X`J|wP>5ML_>a32kI&{o^!?e3uTy<W>$#o-ACzXX898<?rCtW
z7xgyDDV+>o>FiaU<BV%gGI?%9x+j;UtopXhoXPjWxbkYnNrZ3Cq>gyja_UIdNeX#B
zBZBPyU0Z;R5;9j|#)@qp{l0bF<LR47J#tZJ@hGb1QlW-6YK^N#5q_MLvfj`J)2$~-
zH#Zc|NzUQaOV1rDFEGAMk65Bqvg$K8k$5zdI4aj|=N;l_CvOm^f{$D^xBkeV5Lx5M
zOlpa5%_cd|ytPOz_5;EDGN<}!A_tP*o^)mIHQBQuc4-mR0XCI*)M3>2_(q^S6W4fe
zMV8hnql_9Zo=kaW^>9_f?M~M5luX-f9?#pah!WA1quSyts&Ng|9%^^-=8K{@^2SnT
zx^6G$9g=pW<yd3A^O)QoED4#IHRpp-Z!8@sPuVxHigkOwF{nJ)kh@jP2cnrpSGZV1
zY!3g*yrF2b>#0k)K1l=V+);Py-inmlg!cDWB&CdJ<t%h8&%-w)wCZ-Twvmn<pCV4T
zgygYVW>QY1kfT#%>LzWIT@P88@R!_XQpob$y_K&}W&*`hbYsSabfY@jl<k&lPo!?-
zn#_&vK0itMBqrl&y@(m`CF{t(G&0EtXM}|0o_F3NvQK+pOublD5fhoU7T>LmXVA~N
z&neF+D6Scv7bko6;ZmwoPrbsLL(I|Q&oe6FopgVg#QYDNb>U3Dxyd`esO2PUNy~WO
zf6I=@=-uP8iQ1QzIpy^j<<~;|nfF|ulo5HYkp7F3lo6urgIvT8n%uHa0`H|s%CfUS
z`J#FfHH>z%0+Pc-qsempCalqWs#J(~XhwF*D3(q6pOW1o^M|OdYxHJ{iQbnbQ7N}{
zsl|0dD9xitvh+@A>N~SDrM8dG8;&RP)$MG(JuNMenOV6>G`7k_+Y#-9T2?8fv(+2m
zd8v8PXZXI3a+t{N^c&^PKwihFZ)F9UxCw7c8<W79em7s8<!TUB6W^1(#QB$Rlo!VH
zi=tD<qY8L5?vXW5Z}H}dMgjL`^RKSb#{Ez9Hli75iAC$ZeX8a%-@TTse92}nFOd)u
zHUIvLy-YM6joOAcled<BIQL5GFxT~)yOR=!)3T&S_*9ZQU*uVp*vaF2dX9X(*2;6a
zIn7@-*?L^I=9Wn_*Ty^(^WNe6`M5JTWd6IPW$Ub)w0hkeBP9qAB&{%(*Gbs?DOGpP
zZcpNy)JtN@)AGd1<CX~}Ek1L%Yg_mhwWPmfCZcAJ&aSm2)$B5rry_CUXH!bqZG%2g
zd4g5(-Cdb?&keaJvLZL;-rb2rfot-XCEwEA?Uiofaahue*ElmAoImwlCyj2M>31Rt
zd~L42EAiugpd!-vq7*YbXsbRU^2se>o+Dp3&wHU;eaMfm6Q<96#Npt+(L6mZi;+aH
zh*!8K4xk1pUys|vl*#h&ez;}@bG$kp;clJms$e$w4O;h5SrN~~g<m%${b43OX?1W{
zG;+x}i>-v7FH73wdM0-X7w2-G+~v9?;dgEFPVeb2tL);P#Ja;OUw)7zYa~^b2k{D6
z_&4s+6QerN+{g&?x45jzNXFXdF#Lkp($k3y<K5s4X_eZeXX-g)ll(+iMq5o>vdvts
zA;phs&J(pK<4Q)5XuPq8hg-7C>h;WclXT?EAndflU-o6am*FY=7|&&Ls%1l|>34N>
zov?QMC`egq>a9#l>Gu-8S(M~3?OMf>#MAYQG`GaLN#vmR7!tAOQi+n~E#Lp&C~uON
zj`l;uc~!ZS`24%fq`c!i#Qc-Z3E4T>UG2rG<kTB!)i{fkopxf+u2br7jkxFLG6{+M
zH&kX-`;6>7Bv0dHwqA^Tvt}xEMNWHVT2?vxW@10(SayfXe*BuQn%;`{TA5!y@Pu?P
z8PC6@?`wL>-nj32gi&*f;qBx-t)oyPX?u1Y<@zU77BRBoonpP39;`BwNVqNML{Fi_
zN@ROdNBPqv+?uG&BAyVwN%qlTgClFcqWPzq{d0XHj*Q%*JZ0)C(>~HG!v)L)F~>t5
zre>#;6(>g<Ql0%Nc<dD&d!|RNdMEQr(zm>tq?9ec^%*O)<~l|pkj0<y%bjn2E{aP@
zXZ7Kk^5MyAbobX6)K4OBvrf_{PyTvlR8GnV@lG&(FL^iig4NtEcK6iWn3=aCU455W
zUQi!dHI<f5)JdMbU~&0LoLJf<Z5$WIScz-Cyd@=A-7n#yn46W;tB2YH7xWIUJxwQy
zwFi&+rh;bIO`N8-lIrQx2juLrsvcr@E>R67{0`^G(xB$r*<Ff>KXbib==xS(IVYiZ
zHT#~VQq|1xW>uf)J|nMaqcYNbIa>}SoF)94J(drjQ8~L@Bo972B&{qd6s=wBSX0VJ
zMx7ZxSFQH5>T}w=;{E)2udS;*oBkkaaXJH6+qiolZg(ZW_bKPZ4D?R;J^%S8@vfmY
zXw0t-B6T8tC6iSA?(E3IFE00tFK#(|xRTjINhb-VEkSg1dKUO6?ap1E^dwe>lcO{k
z1E)j6f0;d5(T*(UiRFsM;gLPTbbp&Tq)km_O?GZbLH^gZhKn9Zc42LyAAB(mC8yZq
zU0K+kNFvgTICsF9UQg7fT|bep+lEh3zHhT$C+RF^L@w)kiy3(>!Cc1Jd_}Y$C~Mwf
zIWgG55KE<0{O!jYB}?+W-I;OE$6nR1f58JX3%S>MN@C{L#y5~JdUtvW=HsROgoom@
z+F7f<xTSe3^Tdn<%(!K2)JPT=Yud3+Bz6fG*Ou5;sz%F<OVZP@^1GR@y+y0OU*?R%
zwUtQP8I2`;GyDtp?=fE8#7eKMS^QP`#HhI#zsKOn&CK7()8al1n|u*Flgmc&KEnpg
z)hBx(BtrI;s?}Ogp+;%S6Et<nsS>BrqQo+JNGD#eHX2A$W{H`Oown5MlMYhNl2r!P
z{Hi)oy7H?*1|+LL5^LA|fq#Y{q}P<zk<qJ5t3EgHeFJ7o-a=kv;$?#IkBzlBF`uca
zm8|2)|0YJWIgBDBp4Xb{C&{KuY4<fnFBPsyvXV&ZES*5T^0uk;Txt?K+eDJ4%PiYH
zpPl@(;tqeWiFUomVd7PK^0zb-i}tgFu<?%L$URfT_(;FDMteS~seiHmU383Sye|JX
zEqzvWmrgX1SL$GgJTATRnM=nn=l`@P6JGZc(Z1JUdpjNJ|2a#v*F@!4UFHKz;HDDR
z*kuKjJr6SHDSZOv@Nf7!(zj8#B0u$8N%8lVl-p#UyEI3dd0Dcch_`(R{}TNlZ~psF
z?DUT8JkZjpfFC?ch?0?6S$g}1><!sW>)edaS4udM*)4Q$f_|gv+jy_sG*tt69j?vO
z3+9H5?nIU)He#)ZxR=pzB==Ry?6Rd-O_dbCp%wkADJS>Zy4R4yD(yJ&ufeP$r{(?P
zcf?kktD5A9HPzb0-McX83AzHEoJb|d^3Ct1(MV7=@NY!p%j7Owe~Da?dbQ-GOe(dp
z(L=l*-WvV|>5taKo1r^L7yPp&cRnlavp&}NaG)e~y+>ybm><Rbh?BVa`qw0SZ1SzN
zSdJ$vE~@d0d=M>;|BEKAJ@`I$mE^N-X$x|eYCUPz`W#i#9<!49Hm%<{4`<0w(Uj1@
zqU=Xf0Zk{Twf&pk*4wkyiRuMT9Y!<Qa*CC6UvUUezc(lUPpwzlojcxL*Kfrm_nnQN
z3WLj%R5b4HAd^NEPjo!WG->}0^*Nal!tRo*(Lbs&Qr0~>QA=cGyIS6nJ9%n6GRRIM
zDS>Ra+S;qfrTyjWa|%fjB5!$eP@AVo86qQOR1o(a+LvsRxQUjTD*>atAsKXbT;pRW
z2kBk>jPq+z>e*{XNlivA1)W63+kX))Hj#nxQ&qmz=DlhT6RsgunQw@`8pau9NxSAX
zlRe|fnx7l_P>(C}htXN2J>vhW>15_9WmZVqnzpxw@!968D>3@@b^6mMlQ*OneUf@b
z<4LaSe3<y;Gc%#%+L|mplI#?rcaw6~H<Wc6&aHrZa*?+z=~;8k4EGVfYKbzEsnsk%
z4arM-N&M<<4w;a{`KmqcWy_2*pedv|25CbX)_hexDU+L<n&Z{vQ?2v}h?GwEV3~Mn
zshe@C(MIc*?`0-$RVOW9s2kEx>lxW!%w)DF>&-*-c?}zV74=;>LnT(^x~G`Mmoc}H
zKk6~NCG2UMwF#g7Z9|@>+Mce1%Cm)*#%9!Jg!8h>pvEVZs81_Gug=5&>1fEmoY8`u
zx>9b-;ox-eU07%b(yAo4k29n5IHTh)!&AB20m)Zw@?KT@v&@`D-r%{8rMb6qS1mn}
zHZMm6(h94FsGdeX7d?{|&nPl({ZMzCvEz*NhALLwrM5`-M%*9X#r)+G=E7eIZ^ADB
zLn*z^8dCTo`%HAcXJ)zaraG_wu0HDx_@g8of}6~w>q)clTAf>8uKr7T;{8c%onOnT
z<HRS|WUXAzo~eG3@7$TDEajKxKKM$wq)n7gA`b}>bE>XA5To`NrIQYyD|NJWYOj=N
z2|Pze<C3E!4*xA%+h?i9vRy}tq!L}ooH%~;j#YKz+#K=TT0bp$Lav!VKDo%`Xj^WK
z+TF>>H0pE6abY4?nV;Iu+zbDZ6{V7vyrPl6nUxnW(&6N7Nr^r0l3s0|j8>yHpBq+E
zjyOS6B&ArcYU$}|m8AZ1Bktmk9La9*U3}X(ik!tOTk|ES+@m`ns@8SB(1~00B^dgz
zoZ6{UM*4l^DsD*vduT?_(b7wE98b^b>vHo_{Q>!Erh2HFU8=^9?%}39HC}Tn)qRvt
zlhb0H70iU7hO5m;i?4jSB?_gSrQEEtR$Ym;Bk|9qRXZDTlbqDp>*q~-ci)h1%=3ks
z*N~5<NgIv)sacWtN&ObZ_QE(7qu&LWyWL&=^vf7>vaXW8S@kNSlve#0C@JYEsoinW
z?jDGL`#2?1B-KLGiCL`n(np{fbiyz9%P+M^a5q8PRr8mpRJ)W{r1iAdcTCEnTDV;}
z^pn`+zgX6;H9dOONPA*7ocDrXAIgr;y~tnrVu`NG5@Lneqwl(NS83WLC7&Iyn!Qi*
zWs+DkgFEy(0^Kos+fKBcPNW^n_Q+Lqmgu6LmM3;KTjbo;>L%$g($A<>tpBP&UMSyE
z<&tu)dQn?kQ9lvctA?okebx9$+15UV-Gx-$2yV#i>)&+@I8?L_X{YpR8C?#$_RhlZ
zdv>vsPs~W7$V^Tqw(ugocTS3FU2ZRTTShG`t|L8Ntu2f1Pt~f0Wit2wwf7z1QB-Z)
zXJ*dqq>)Y%(i2L0GMgSchTeM#3R#i>fsjBFO6UX#AcA5+DN3^dN)?sfn-m2>M4Et7
zM5<I3<-gCfyJ3Uqi|_w_*Y$qa|L<IxoINvh=FFMrxu5&F&+P7hutXS9(eM6o>w=Fz
z&RCwv)oxke+uAEeR>Y4gWXUebr##IJokm!E7s8$LNbpR(vAs{_Oq-6R`+JJ)M!YwB
z&OhgJ;Jf(z@^R!uPyNnD(X_4g;9WVF6LxC7cC=z)WMskR99kUz^cOwpONeQ<(x>nB
zpRG0Hu+=6>%M#C936G#}P^QvTzY)^hkBWET-{~7h$r>drhyUX?pBg>IJ%a6#y(1D4
ztG1j#vEHMn_gAnknmY#8AZD7sYtn2@q`+8@LfcN}vc=DFkIm<^)Sj|h0O|={EOYnb
z(?L(XEG<|$R{2)+!-D-ll<Ron=n4O&EPE~D>DKZ?{zakON5wt1v_{DAl{k>R@`-ai
ztwDTt4ctP^dZJ%8X!_?Xd)m?eP8~GiHR8AmbF9}N?Y1x;q1{>MSZtcNMGKqiXDXV{
zXS*x<P$5d#ZnKvE9p6O`aTR*ZUijQ$(T??=Q(4SR{>d(A+{M0jR5II>0r$f4JT>mg
z(Wf0HTC{!PK5jC<xAq%H!s5`*9Vj*8)AYDv>nw`ZUTj-<)-ttYwYT!T=2?&a|NH$X
zM&KVK>pwZEfxh+isaX6s&HU5-|E8(`<R<u|u=^(>lg$~Pcrx4U88kO2;*R(`j=u_i
z`wzUw5yzf2w_`r1Ev}k-_C(v)!5&19|0O=zT!T#!N-%y`4BEW;8!+BNOAqlk-*R5@
z^g)Fu5Uf$e+QdK7$*l*K{|Dw^R@L@J*MjfxeEcN2?FiWJ`DD4GiY-RTnmr(TUKVJF
z`9#5S@ExBh<GVev-e_$FO7&U1|3rK?8~Aqyzr*w{6m$B1PkOfeGRFBSamIT5pZ|-`
zk6UJ?FVM_m8J$&NtgsOCcY~T|t&h_)>XyD>F8`SIJM^B?ss**h78)zG^_MR^6Ifvz
zev=UIEy@UO@ilKZ#{g?2sBp|v-#mdQ&7QiGCFi1T75njoO+Ec++gjL(=()J!YWOGq
z@Ivi9C`&$6qV4AT|HS%P$3pC9+4rwhwSU<i#9ZhiRu9J5K6#B#-bYvP(~G!|)$rsa
zo{+>S1e?c%dLuCC8JL{tR{2$eP2km%*5aAV3NITEG~dU^+r_h&wy%osga=X$u23)v
zJW=zkJ+p1}e^(huYJMj06YKcmZan~ooE6uBF*x-!94WsOmWzGzy`}o8|0;gBjM(L`
zK5cJ%_&+&=^*G$c%lP~ZzM0j+$txh@(={IC!`rRL+y1v;BR-#FTl-gKjNh8S+*Y1r
zmumojwd*s~i*fl^R%(3~$=sZIZ!0E>|MX}3-HQJ(K8xoO(TbVf<0OxDIrCksc<*3c
z52@Gxu4W~ktUQ5M@T)19XPaw2FYfbSd~(H#RMx?)*c)r@v;M~!pYkjj#Wulf%(G(u
z7P?a#SD^<vp&juVO+;AB=eb4*#KpV$_<L+U;u*s0u(X|+hdczk{Q=LSZA1-yzd6R|
z4)#9r4A)i8m?*O&W`;JdW7cyr&S1{7_M>!M@JzIiSrJjTxy$%90NY&fY3DR=r<{#)
z$EWS{v^uL*iT}2D(sI|I!TKw<`hR!#E4KCb@65fmGDeJ}=&Sf%I6F(<pSYsGZ|&dP
zYCZdtM_ak(ll9N`9-o5|^T<MDHUFkEEY0#V|Gu*2jV&(W2$4-2tUHP_>clfhus@8;
z&$f5hX0Hmx$NO0A0>={Wm}hNl&nQ~0aPYtNraV3#dVDzf0%oyr2JuOw3Q@(p*JCez
zeAKg+D$Z((qs%_|r{e_+GBcq+ZF<%UT*)SQ{eE*)v-M$Yv8a+2+rm8)5zzL$Hf8j5
z=d+ADp5xhRZrAFMIMRF{#rGsWFpr=0Zazzk6?<9!PWCt;6!ui-)P?w6&R0+`*r_KX
zUR$)z#UGW*5BPt+Abu4&9HW3yv%FBkz45`Ut6;>4Ox6wmPyQF96OPzg4WnY#vqeda
zPdL7(`5ykd!oK#yt3JcuPJGY88q{8Sv<><BTpV!<*|Ye3*WO3(*wn8_jqP6W4?0q4
z9Vc+q`bXm*6+9Y?eXb+co<}QRVIhzC@45@<q4*5G;4tD^&747S7t{()Y~{sxFKPw*
z#DA=>VEbPDFK5_heqpUQU*+R>Hb?%=C=e?Wj7U8FOy9eLwfU1dBFhokjhIIhd(bCf
z|GUQWKieDYv*iETR{tkkqx%C3fmN7e1HMPv`W@!NQt&4@6)|GEtH<fRh)?1evt5b1
zjZeE<>gXM9eSD;t0sTv+fNf@t)$%L|S*^K7{B8)n%zNOB;u~&-rHOB!5uYa$XA^6D
z0{^eiU~c1|tj(XR1`6O?JjK<UGZJJ~VxEh#dC?l_c8~q*GE~aF<TX2O&xH(G)LX}g
z-qF#Ij}+JQ7vqCIh`a+^afQOm%p*fJ=Cgnw(XYo-HewmC$LGiXmS1~A3s=z-`g^?n
ze^cpcJn+A-{}}Hhh%Ewp7vU)n^Di<i64ruR@mzrTvsj4PgTRu??~%A3Si@yY3pVwr
zv3X~?ZchKrYfDwde`dQPtNg*dMU?3rmhT)xSy&g<(iZXEb#Yjj<rywfNiXt!;nfci
zGj{<o{IJG%>zR8dEDg_k3BD_~3T5ctqX~F-4e|K;qY34$oGl-p*Q|Q<qt~EX9->ik
zweBbWm;3)Y+gj|4_hOs)|M*q$-Q)UyU9ue?^WL}zh?S3DmQg$YxW-y~oTXc9(67Uf
zR=`@LAFX&?XDwkw#MV1t=%*j`72|{b#T|Hv1+yQ7Dl5g_k3XG2-xIr6s1p@m<>T{&
zGDFWbi}9&YU-4bVmj3FUB`zR3SkGnN6ZiHp4vMXR!x5g=Hn^Mckn%Pv?qjZpEselF
z;$A}+vAiUvYe8Cw7OGX#s%v3dgcha6XtA16OVE<E6fI4wrPbByYtL!vT0^ao)<MhG
za<p8nzm})vYX#astxzl0hG@gI;o3-Tv^G{N)h1|V+GK5t_M$dbdr6zdBsLyTHU_Xj
z7Q}+_lu{^uU9B3cj^ED-12>Iekt_<n5yN8PB|0<W*V7VMB1@7gNzPKV)JSR~6-q@?
zu{2y-AT5;EOB<w((q?Ikv|ZXI?UwdPd!^5%ebRpEfOJs$Li$oVEFF=KOJ}6-q_fgF
z>Adv4^n-Lkx+Gneew40A*QHz1&(dw_j&xVLC*7AGNWVzGO25gK<q$baj+T?;OgUTb
zE%%l4<$-dMJXA3$S;~3kf^tc@tXx&DD|eJ%l!waiT;dAnT;&ejmq+p_o~F)I=c|j<
zch&dQ57fo#QuRZ1nYuz<rLNYTH6JYyBN3zpYgM%xTDTUeMQd@IuElGKTC$d^)zoTh
z^|S_BZ>^s;KpUhLX@j+)T8TD78>NlW#%bfViP|Kz(3i>hMOThlVFP~W(hjq24#*Up
z@T(rqcskXUx#78A4<JEhJd5lNmR|+GedotoVD_OO?!z*+oULG=u#@Z*yUXrLhosZe
zRaukWmC4FfWtuWwc~yB`nXSxI7AlLB50oX!QsqNst8z#=tbE6}@$GyE-^q9J-Fy$<
z%RlG)_<nwXALL)~FZm&Un198O@T2@|evE&^kMnQ&34W8`QeD(=wY}O^9jJ~|OVzpR
z8g+}hP2H~URClXi;+iC_DXql_$y!IP6aH7iHHxbU6n25LqFo%nN?n6-l$okE)|xP;
zHP_nXh^|@>=BQ<AS<GGQqxHd+%djUIW5F;MNf?zCSQ2o}r(juku_VE^oLMq#s|ibi
zZ56Xr*w#Xp2K!piYQny@vRcwkX)mh_+d9C~g<Y}6u&kr38LaC#Yk`sbj<tkkU0`is
zT~}CJ>8f;<b%bp_V4X0g8tV?Ls?45;WreU8U|Z3w2ka|}^@NROGGS-g%miEO&3eg0
z<)JJKBYcQuV-!!YVvJaOHVW4~kd4Num9jCyzSvk;*n6y0SQwiqY>Z8Ul`UgaU}-DZ
zi^AI2RE+Q%HVtFEjZN1AF=8*%`1YiAGpsd?i5EOi$9?;nEK|}tquvpoDrUQ|1!J=r
z9=2DmY}wug+bdyI4X`*IEghFN^miAm0BxYJ5>tR7Kn|2%#u>a>0!DVQG(;LI4U<aH
zn($cRou|ckVYJFUP;MYMl$*+J<#uv=xue`kenIXb=g0%(!SXP9y}Uu*C~uNC%Uk5F
z@;1dmaa5d?N{X}Mu4KY$Um|OLPg$XCQno4El^x0#$`R$Pa!$FZ{02{b#GSbx_ve8;
zl!ue2M)Mfng16+Ycx&E<x8?14d)|R}<R;#WXYp*F!+Y~Syf4q?{dgIl%-`g*_#FN=
z|A;T=EBRsElTGSo*zi_$hk983O8r{>PQ9VtRBx%b)qCm#^;h*bgT2AQ;An6%R5Cal
zTnw%TH-oz&!0^7|1H)p&QZdr7qN_@OWwbIz8LNy_N|o`-1Z5(&NW3=Is`7?1Q@Nqs
zR3GA96^xl>wB!PK<59Yf_UPjXK8nAJzRgn~;4JP2FN3$Ciow?qfIAh8zd-mvFc3F@
z)sUcxNd8hy$y3<9lpr;eT1$yiTd4!;I!SA#x`eI^=}x^%=(+^xx>x!T*m^+vh_H1T
z?%y$KCGho}w1%*Ct#lFhb3N|pPeA5tK-kT|*jv(8VC)@f8{zAA882z4tjdYfE;&U`
zk?z8F_Dc8oKGk3PLyc5p<#wvB&XPN;bJTa_t=b#f8}d$JZE`(1A3q~BQ0c{VC0ogs
zsw(+PzElm~utBPB_|b4hdJg;f0Kuj+rp!=YXPWY+@-cH%K2g@OaAl*ilf@`|l)Wrj
z*{|$psj!bPS(@^da)i}VzE+O0I?A`oWmZr5Nx9D2D7UyH>%d*P2g~PPJdhRg5FW}#
z@anue8wCrBV5507k7Hwb0<Xm;s2kPq;cFMv`|J~O=h<HMcZ0_Ep-+x{Fdq(SY9t@Y
z416@7#x(v4pTWFgQE##;u&P<i7nU`L`SB0<N6a7gwVZ{*##XYbnw{ndPn4Mh;fe%X
z>Cfz8FQZ`_W0WyWhTV*14zQhZ%ntTbit8S)jAtBnG=UkEiLfRG$5#WAip35Khv&Lt
z?T&@RHiEH72o?!ZITZUwVo?x{qp=pORYg2D!sFwyXu!@yw9$@r!m)X*80)!+C0z25
zVwfVuN=ZzXOww?aUzA>9s<c@8kZG`+kC`2Oe<$j9OS`fDLOO)?VIZm<V)I3mVJ}P-
zHo_#>hyiO&_FxXc&qSukb>+J7if{S1%wBy-eT~^`uWN6h&oXRVW?b$i_hPb~C+A_`
zLb(t%gXO`rox_J_G6{ZkgDJ{Q1)pA3AHt(#EHx0-&ogJ`d*yrVaZy1(5aTal<Zdaq
zFp77SJ1E~*?qmHxd4SRVMfn9I{j2gTYJOLKXR;Vp+*5@s%oR*PWe(iHHQZ|l?trx;
zEXf6ygc0Z7+?(0)D!dA_2Vd~TRzL2?RI)0KN5HBK!lzLa!x6h+TZzn>C-EfIr}8wc
zYr@*>)GyR8n3H-$J;EH-W9l)K&!}gxzN}ux`kH!;RZ{P&cTxTgw&;lK^Z|0*1zz8i
z?lEsLp8KeIfEdN)0=WS8b4WP^TRN&7#TZBONahJH6U8b66WcR4AWUCe+Xy}aJs8DD
z!KPp3ui_fs=5I3(K9A31DiH4hQ-D6M%pC~i&g_6fUd#zd<jq`wMpalPAd)Y01_B1a
zj%2AG-GS#Ze4Gs+%N&5dI<g|N&jDng0}%f`*$dzRm02xBD=&N_nKzcYU^PChKA24v
z))VZ;mpuoD<Hs@)yZpg&gjMH}Rre>WPK5_l!*`ig$5N9lJdZ3qk1TvJIH%5rke$~d
zJFf?(kidG7wKo8JNMa={84T)q)&@%o+5Z664ND4n!2mW4OB$PqrHDLY0NccNpy#`Q
z0=3wFb`Cv1&n}?P7uhxR_B#6+y}gYkh1f_jdmy>8e&k1a<VUGeEvYdpl$uIS!A68n
z<&jSfmS#vFup#7G^~kdt0EO4G5+LtJ?72zWgrhb~o3W4ZxIFT>JTT*f*ed)kkNmCy
zQ2Yq?0ZYdEoOBLbg(v1oH>8^=3x6Ce@Ecpfk68)%W`FX{{^XT;<dyw_&h=Oa`8oMH
z))_IpAvjNCxiQO?o5{^k-%@VLGUQfrE7Y`=+p=zm@a<R<qI`Rnj7Z-RObH9?DtD2)
zutA9WJy4%1XMz_AukI!Hll!qQ<l9+b<oPUH9wZOKTKIX6Tr3x(EWEuV7}PM7N5~_v
z9x0DR3*+Q*C{K_lU_D8G1?|s}Uq!FLB5;-i@&S|&%12RuNxscYinkKTvK6CJ3+viS
z6V!B6dZKJndSN|Tnao;(ZM?)h!IP)6c8E1IfFf@yz;bZr*{rYfw(>UC?<nuE1hA5M
zEKr%R%x7N80%ZXr%OYhFb5q_|-pAG@$`Ty=q4FWCsw`KQqh_VD634DmR<TxyT%WLk
z%BRYwXnC!&7F#zdo6y=8WeaNyKE4%uZd0}~qp}mxtsSD<9<(N+TY~Z>qFY}?x36%<
zBZzTs$}z;ac8GD`qW@=<@30l@2(1bH>rMFQto)!{V7`Qc?u3GUknLP%VTg%8v1%gk
z!B&Bb-pbF)ZIlH%_EGLCcTpA?*@rOFpD;3!FtQKW*Ke#f7}!JXBk<Bi`9pbxh$m3f
zANiAvvI6X^j68~?ED$t=5VQ}s=k}-(INFCh@k*?KyKom4PiX4R-MAaJdLTyoB1U^*
zE$}sw`*0tW1<D2y%Jw0Y)xrM!Q6GqC9)@Th!m5D_hN4EqbbrM3aFhiG_aO|{5#OU(
zYeHfd9*0;TMtIzt@VF08;VIZ(pmHBV<wV5!A;82EUV^oV_6~^lV^}3VmX8Huj^pE)
z6EEeZD39mkQJ%mjV$U*O#)k1pd=iTQ%bbkz6g~yz7r_*U5>pt;7xTqvZ7Kf{>#ck%
z*vK}%4M@F%??9B;!}nmlkMCo#VBue)e3&1``UpS56l7xfhCXCtUn8m<<HvyD-|%k`
zua0x%FBDJhkfEJGesz-HM4R{cuS{0m)GAm<s*x;KZJ=hL+)K@6irQZti0C;;odm?6
ztWISb#bP`4b@eS42R1g3wMXvzE^Ds7ufEUn)g|f@)QH?9A6dyN)>K`su4c_BH)*1-
zRo9}tPF;t6HmVz0BsldJ<_Au_m3dI+;)e`zI|~QL-odJiToGIMsC$@?x>x-i<$dZt
z7On1A51@QdJ&3Z1jRESH$SGsgL+T+G1$KUzH3UQd3j2td>8c)8zeZU^&H(ir^*GAk
zs^6mh6Y2?+PpT(bsCr60jk1WV0busup?p?7i}uf{=UBRW9(>OaeD4BltX@<vqCc0^
zOQ;bMI6(bTy@K*j>QCsyRrM;$A|?l`*VXH2;f8vHHA1Fv6ZJo<KjZ3dtG99XJL(<O
zh`1eq3<6r9dLMi;8hr9s^j}1BSMZkKQU8bf2abBAK4Osu$sjR5gJMvy<_48T8w_Bc
zG2p~Mvd-X-cF2nDHT=S{<_Iq7NUW(pli3#hiABL8oRK3Yt60E6usGnI#wt-%_JF=%
zkI3tQ#fKuaFSG_HWD}LJgp%gqMKL=9*|r;$9KkFjkac^oSc>09ir+~TziZjV?*<gV
z8&dpkLh-vfS`C0E6o^Gd3=c*R1UGf0DDH+FMl3b3_+hUwY!~WLRYdeCyc3)?4OxE-
z{>New>@^N?TtxRYite>-qWg0c-5XJKZ%WZ!hC<RBSJ{TO#drvgtFg|A@ewS8^+&zn
zyB=&X8;UCt@!k`xU;@TOM15aY#wMfhQ?P`x7qJAfshGVFWi!|u>^~Q}O9Ygc<!EOG
zTZ1e31WN?_lx;*$1y?Y#omgCnF(iR8oCI$;1>TTKyrBW{h9<-tniFq`V0W;@3k?VD
z+{fYrMZ*<*+D&q2VPF#8;NL#T_yUpf#h_lWb2lkjs>!O7>XC-*uO;)7T1l-~F!I3G
z*b|u`%AKT4>|>G&(N2+6gky`P5>^fR+i=v3kjAlSsZ^TG;-o3k6y{94Bmul+0o0R)
zU?<5o?4%K~lcuDqgh9F6fR+V2v4eiM4XtgLwxgfBq+KYB+#pTln<yjS#QIAKc^WjT
zL)b@T3yp}iq)A7muhGsi=@_;O29qX~KGb|KeUI`F(hoTHBG^nA^3qGFL1v0RUz4t(
zd|kSZo(q1HK>Q|*_)SydH;%+_5-9iZmOW+sE;(_XG?B5gKnwD2=i7m;0)GwA!gjK7
zXdt_Q=DYcBAiF?hcW7gK5!D1PSAjydA2H?tKY-W<r401~sl%a{9b%D$*WplnzG5+i
z+B%_jBB6FoLhU+)+Vu&w(+Ra36KXfJp!O|(8)v`6@1j=%!43R34vgTBR9ECn0?pl3
zU)7&gCQPrQMyWB(UyW5`SqL)jB&?Iw`q<h)Z3|>+r?$gU?bR+orLI8#aJ9Q?0+xvw
zpsW4Ve$0g;K_Vi-I93zN)FhUoig-|86}eesiU-ZqS?VktJ4c<1_1o$@tg^`H;j=RP
zjIgH`;f^1nj2|IOG~tLJA&4JgM+{+yOxO`f*rCAVd~l@T{#6M(RKku};{LF9oIxkl
zs6wa_N8G<5asL#;i#n76=)jC9R)<hSC)B7zsNqkj0aYAJBB4eQp++#}1fhf))d)3`
z2sLUEYCK1H;YS$ZM~Dy&pZ^3s6TTfoUM*7|5J>*a$)8p7=UC$YKJZ&NR-ZBeoqRP8
znoLd9h&-Snd2AiZ22!M!@Y_1@(w<n0%s?lftV2HOPu?g|mXJt(7))70HS)tG^1wQj
zE2L1a(2%?_5#G23t%;05CqLAotM5UL$Qx29Z_vpDtC0sLlJC`lCUqM72oFqz2cAXw
z9Q-gvXznPBd_srsT|rqWqjkvl{3*joArF+u0~0Aftw;H3Bza>Jd1Dpw#wz5EwaE{4
z$~meiIZ6&|M4Zc=59Py<r3&Wd&WA&7Nh?=d#;_X1zp4}e(zxJX)ro&;#J}8$f5j93
zN+$jlPy8#H_?MCRmyxnv5B?T^i>30}d^Xl|`CP0;{#%ps-!Q&_FF<bp0sjDJ7ktgY
zm+&Ph3)W`f%lI<vzk;v8dKF)V^;*6b{<)5?1J~OMPS=o-#UASVc9u@a;tOQijj})!
zUqX{~LK6p|$rq>>2;xf!l1>QXO9+xq2ogXD;z$VML<mxe5F~^U#F-Gpg%HG*5X7Df
z1ZlwU0zuLVL41KAzoRS=B%Kh%mk=bK5X1opl8AbN8tKFkeF-Dd2_pgs9UO@#IuR~}
z5H7e7F1V_*)!8^|E)XHzP}xwKd6G&XG|MWiGN}Y!q!L6Kf($_{!4P5yVRebiR3|Q@
z5tpe>Tn0Rq4WtZImg~#)p&&Jo8!&guMjhpJIh{FEPMRt=k{huo%1o=uP2?shH<g<L
z-9?rv%gyB$s1dnp66LB@<<@d*)U=V?uwcqt!zpi#rMxv>?jUzy{*=AiQT7@rca}Rd
zU&>)+xvSh2=j|qUM+?u(&$FsR&1Ug(PZ?^3Y?4h-sYGt;Drd=A%${ZeoS=5+ASV@b
z0WNYMxetrO3{+p{A?M1u%#*TUZ@ItRA2mYf@_{x!fF)2y9D;eOfh>gb;u@3}M`PZq
zi0PCahfsEGkcY@aP$Om;LZGP+W7Xvnxdc5KE)U1KMAjT4kCI0*Cwa6y8hscekHxt}
z1|1@o%HwgY$fHB#iSk6$m&s+QnS^XwmS2-+<9g@FD{;N6<h8iob@Dol+j?Z#@$z<g
zKd$<Kd=W?8k$*$`4;2G4K~3>u9>};cBdCNZz+1|@LzJdU2W%C2cL>z|Oyt@o#e{M%
zr5B43`Y*Ck=)cGjM8+Xu#%(^bk_GAl=B6%G7cvLTk1T=)CNhx}%*4Hi%tGWNp_noG
z0OiH%V#GR;n@BW!5~+Tqe#8<fPYG3*tIM&Em`MpzSE?&n7-cRol(`tykJXRCz{T8(
zrhcM+0<Qk4iVR)-O#KW;iHydGjAjFvxnSUqhAW0Eh*2_om25PT?6MkJWDT-KU$VbM
zvb^WW@_fnK8j!U)lC}BC!rHva+Puixe8}4BlC?D?#l%m}lrveFENm;>qJ|3FiXhvH
zB-=_Q+lnIFQpvWW$+n`%wyKkD)v;)(!nRV#wqi*mG+S6GSy(Jt7$*yhBMXZq3zNvg
z;z)&wg>4OoHwvqYB`qe5Y%7v%D+;zXhDFO`VPQ#RVX<Ukab#h!WMN5UVR59|G$hp~
zkyIN$Qf(4RwP`4yk<YNYq}_y(ZAFr8MZvc0ShQlV*s~<e7CE5o2y06seJ554g3X1J
z&Bc+;#gf(&MwS;vmKRHw7e%^HtdgZ<VTM3hUK&N77_z@;ia#zCf1D})xKR8tQvC6!
z{6CQ5PXNUqSBgIY6n|VP{<zr0p9GuulR)uDr}(2&{BfiBQ=8&XZHhm&DgHE~_!CU=
zCy3&Yk>Za(#UCTZAAgEJwJHA8rub8v;!iU9j{*L(fYl?<sY#wwk36Rmc}_j@oGLWe
zSdV<hKt5BCe5OA6OcnUd3bY`+C7ry*fxN|uyv5GOTkOeOYLU0pBX4n{{NJFiSJ$J3
z4e*>=6cgMjCRC=F;6X9LlVU<uiUy6zyQ-0QnIl60MFv-j3}W7E8EJL0GDUe2_iU;%
z6-Xm=I~_CJ)1asc^)7_eyEM#qzs4dl=lwcr-c)9xER?)z${b}5%5#;utP-huuB7V4
zkgAtVs-7dMdR~|*Ux=0$Deq$c_muZg77AY&X3v2)%3@_P%9uw-n?mi2R6bIcp$|gy
zGhohg1^OnGKUY%z?3LA+xr!wHFA)0QXE@fZ|E<GZRtV;@pp=jnn5=A8Hlr*Q!CIsU
zRwG5wU(A4_O`!{hkS>^}?8V$y2&sc1nEUzyJro+DD`|vYq!H?v2m2bW38gTEltNiK
zp`1iNPbsI+^V7;{Y!%vJHPQ}~Ni|fU8veji@NC2dsElF;C6=^9Z_*BfNIOh{c6bf5
zaMz(A20=l*jk3@VLrFUfSMDkIP!<ZJGbxBsHVR@WDTtn=AjU#LL{_6bf`S;!kph6r
zNn8StlA$A37tdl~=1eGv;iMpXb32atF47U*NJn(0`4|lfq8s*i=kCl%3Stl`h~YL0
zVmK*?)k#4NB?ZwJ3St0wrce-rNI^^?1u=*e#2``-V@W}DChgFZw8L1A1!oZoVh~T{
zNtpRd=E>-%P!PjOK@2r3h@^o@D(010DrT0qAZObOB`l7VFdtIFf=LNWg%Y-lMc~Pa
z-B6YGKnaT=C9Eoxu>B|>P!C}4N9bWLq=!Y59+pIUm;>oyl}QhagC2Gi`+u!|jk5?n
ztOoS3Z%}g_s#p!EVkcNt(!(N15Az{COeH<co%Apl(!=aX4~rl@EC71gB^)c1uy`n8
zKca_Mpoc|}9+pIUSOn=|HAxSvN_v=|m^sJw3Oy{C^srRuVRum$N?05zVJ@VERVF1Y
zPW>H9SOh6y!K8#qkgX)<V~`Cpt4exU1nFT_Ne>gVlH!>WndQQ4I5Ipj6B<W3XMf5$
z<0$8hqii#tvdu)wHd83itce)ziy0g-$7G&YilMA>Amxf;e$<GJP|S_iqMR_7vcWjY
z2ID9j>`&QX9OZ%Wlm{kK23VUiz&y(F22$o`q-?Dg<z@pZ<EllOl94i^7|MuZC?o1e
zxljy6q+Wz~U4eH~SpgwkAR%1=Azd3ny4K>!9&8n}71fltfOG|fbP+(hxhRX7iwMFv
zg)puqVO%I-Tn)mw0-C?@SKbB26%fWLz_`UIi@A)}cv5I7$^zqB5ylk|#wmnx1%z=C
zgmIk+;|d7lTF@LvHRUrPT>&ATq6nlbAfziGq-#k?S3pP?MMxJxNGAd5wqs9$bZrRf
zS`*S05Yj1xbOnTT5j4lyj_|Gq;hjI`JHN)U0`J-o-gO1uonZOONuXW<;avgYT?FA>
zOPVY3CDdz1b0wLCcL9WV8H9HYl^>NKStCNdXqqv}q#2W{G-HxUsFy*gmr1DClTa^%
zP){b*i==sz3_`u?gnF4YZ{kPuCYgkKGR>Q0(!5Cs&6{Kr>ZKFvWf1B$C)CR%)XN~$
z3!*ucJ~W5YnC4Kb(i}=A;b3#Z!A!!zOv1rPnn}qd9OQ(98H9sjG?S9a1AvA-2n`z&
z8b%WuW)d38goc@fh8Z-U5=NL<oiNdl(6AxRr})x*N(N!#^Mr|+gozo1iIK#xJcwbr
z6T|W#hLuGOOC^R?j~G^6Vps-ZSapeE8Hizd5X0&~8Gc)0SRE+CZ%YiTJu$5I#IPz8
z!|Fl|s|zu#F2u096T_-c3`--1l|>9oC5Dwn3`-@3)rA;V7h+glh+#FL4F5UG@CQ<c
zpUs787)x1wES{VCoDHI^K8N!8SjyyMZB)SCl*1=b4xdapd@AMeX_UR!q3k`IGWJ-?
z(qq*?HG&PIEIo%Z^H_^+C+2Q?Q%;^hIe98&<8>(N*dgj{VJ3<<4is-p6mL3HylF}^
zFD9CKaiW<Q6UCcwnt3r%qzR`;<4TdH2}K%5iZqod(wJ!G#hzwfOcZHcY39X5GcQeP
z=EX#jrW-{X6Ga+ViZmvQG~pC!f+^CNDAKsl%!?DvyqGB7xYEpvi6TuCiZmvQG;S1W
z!YR@?)69#BB28zCG)-yd#Y8hNt`u)f6mP=mnFddaI+ZBu*wg%riK0$tiaK^;vV;ww
zSr`*V9TP>JaEdxjh{=klvAh|y4X7L5#AJPl$#x`l;|1cgeM#M@OB~if9JVg08{!E@
zAMyd2d_W=}kjV!)`G7_~;6OfLM?PRrK43>aU{5|ElMkrm0|xQ|m3+WJKA?~fC}i0j
zmc0bCgG>2R@TL!;U1`)aJL;J|^~?^jv=PP9@f1HDNvF+tO5_weZB2@w&r|$#qxks(
z>9nP!(?Wm7GJ$m3iKNgvkU~416xvwmvr%k1DYUWBP-9RQ^Ezb|b;WbSBI=6gl2S>V
z?QV&{;(3jiDGrY(ZFU?*U`JA7Gb%)2@kB;Vio<RchhHEiwv?1uS5jhQNr|0EN~|ks
zu+vF{bs!CPI%%-eNrR0g4R$(duw@j<by8nbE%97DqwzASuhU6=bs)ucIw`KPq`1bC
z;yRraR|isDV=eJt%yUd9t#vx7tkX$lbs&{>I;pI&q_R#Ym32C)tYxIKIuLizNnh<j
z%IeF+BPI}!m_V9pEb)j5q)-ecg`yKF6x~Rh7)shiS5hUqkSY;Hs)P%v64gnS5YKCN
zVl_yW=uE1_5NKc-tT(A&*-*b;U}H$9a3KvWi`0s$q*e?gwIY+0uo6-$Mvz)DmQ)E7
z=@Gq1i3lSlVt_2PuF<4Kgpm>vK^jCDX%HPqeF!7nA&hi~s-!!NAeAAE^o20e6o!zd
zFcjL=O!RY({0`Rd$&0aGC9lELB0|CH4Fzi>dM=(8ae<Dti)E4eFqG7XA@VW#8|))A
zh|cnN@>y&ZPmxq5C1M0=4Pm4;j3$*Kj8ulIq%VY#vJghBt(f?lLQKt`m|9!nXwJmN
zf{2T0#KpXci?tvY=0*G~h?rMf;#{qXZ3Pj-YD(P7K-|iiSXB@)DUCQ(D6uDB;!XC%
zo7xg%3L=)&pIA~0Vo6@akL-yb6%#+2O!?px;zSy8q9S5L(})d8#D@Hc4Yea4)P{J_
zG~z*(hzCt09^^+nXc{pfKVm=u#DIc{0r?RFYEBGj8ZjVGVnEY~0R<2Pnnnz$88M(~
z#DH261M(vV<U|Z;8ZjV0VnBn5`>4cyDiQaYM%>4VxX(1=KGTT%1QYj}M%>4axDTGx
z!?Sum#C@g__nAuEryX&hHpG3V5%&oo?lX<Jj~{U#AL2gEiTijG_i0Dmr--<ZAF-Zk
z#CrUQ^#tR&<d)Fh#nX3<@jP-b_8dKf*9gxd_k&6=o-~<6kzf)%mG>e&mG_bj8>&N*
zpe{v%Iur@&QY4r}EXJLfNDMKNIAS7k#6boT2Z<vN5=R^)m*x?Sf8ro%#6b#a9-%fd
zk$%KPVu*>v5fh0c4l;;1NE~sHT$&d!+HjCGnir@|Or#&FQPoI?8cqsSU(%k!Np-45
zdQ%_Lo5D$H$|0pGl9Z-sQkq7Q(ln4XrjevBMU%QzjdZ1v#B@A}<H*Er+7pZMC;sA3
z{3Ve1OH1M}ocK#VF_+53Sptcb1QH+dCqB}Xm`DM!k3ixbEs1f25aaMC#!-d1MtkBH
zfy6BQiCN?kv&biAQJFYJd*T!x#31~MLA1mZ<PNMMo*=Kp>f;%57uJN7uTG?VnV;{d
zL$SFo#pXK18YVD_nZNIV<LL}JH#?`GuwXzw;|&|P?8tnxN(%FsZ=b@P{>(SeRGg34
z3=)Hvgs5(ZCp)A^;&TAzmxPii<FAVN?`f{~`9&}FxofbGENfbJzmlZM^Gkg$qUyXX
zNk&KA-k?S~E3&W3bd$j$$^ez7G)0#9{0@3MJ=&(me_`NQe<apoX~TN4B36K;IR_6~
z<gmJ8(L-z+<DRel;N7=Z{IIS^_uM$%=z#I3Ro}mHaek@Ca=lc!j=wJR6<LyH*U_*2
z^xMeYt-D=mF?;Ay!^2v7rSh&yDmpc8Ds@un#0?&DMgwDI-NS%4b{<Y$a*B#`3iE^0
zO#^d`p1QlJ);t^=4le9v${&)OmzQI7L2IaW@Gx}jYZ_XdV+_#o1WqUJ=;3Lu2u{x_
zEY9tnn`J7_Eyy<p=>cN1;^Af4+%b0m&SDxcFgL$XaC!qh(7Tc`-WVTm)ajMsT`68S
z#wY0U2}x;5X&HJCo6dIXU_G6Khi8Y90jB)ooUGvVg2I6Xh33=gdaU_$Vda~}34=RW
z&)6ZSa7b=eP7zKW9249mUN4nGZ3jqFnNljbFw{H9rIN%}ee`j&jxFBwcXv2my<|pc
zm&k%sYisOGFY3R2OKjVW-#oVunVv3HPhYd(e4{&;KO3>5_(144YhGva{Z`kutof{A
zwf+ZtHmY^F;TP%dMc$=TbJs-epB4B~p<j(wgMwBWPyg1=BzJg!>D^}0>aa%d#ZCF*
z(yU8=ymY=xy*j&JJ=Ofdh=d<X9Dchwcyfcek9H~TW-a|DZ{BOUlX4=)Pu!mAxpVL5
zwLDL39d|RRQt_ErLqFVi|F`0iVHfW=_Z#!Uj(1{~zj)>Si%Y}2Mw#xvHOOt_`L+vM
zTzKKv3(g-z&s&-keB}7d%X>$@*ScxLM^(-@)LwP`rtgHYFZ3Ih-RNLu<Ix?rd5qju
za_jSLgJcChuxQ+``ndaaD+8PnDm;76zMKF2fdj>}kDeZNqu$A@Eyu>5*5eI!uy$3|
zB#GD1tLdTE_qtT()wj5KV9mI=f~=x}vBhLMu~`KJ$i@OZB<T^i(+&71<Jp6HxP<{h
zJXKHD6X(az*UMrp2WJ)L*&G{ZwkTVJN^cO0eaM~zs&gmZ!P*1GPInfqx`;Dz_=!Oe
z7w_G8h#vGVY}i;u_cmLOt7wqyB_>`^OpP(xng{$x88?n8_H$k?xiO}jzVt@lPk#O0
zK43$eQo{==J>PFX&uiKh|5xoB=HDIgQ`eFD<zI5ARV{LKFKDu4d79gU$W?Pz`tF$i
zQ@5FH*%wZ&Rv$9HZ})uU@Q3Gz2Xtw<ILGJ5lKQ=>&&=PmC#B!`5WDFOuAKh1OTB=h
z%_c>98G5{*+Aq|7QM)SRM}Ml9@<s6YsTPlS{_;-h-aob^<@4kH-tzNp`$Uib$9>4`
z!@4oGf)B^1S$(+IKl0&37!pB7)W7oK4!M2ua|(qYC;m%6UYO;W)^P2Hsvk6Lw!!()
zf}19X4zI0z>*TU%m*%_jAC=Ya(8;Cp7rb87?@MOR{C2ac#IgJ5Ez5>nIGf%g^o{G=
zqtds{JKlHA^!jbCPfT6swyWyT*<Ei|jxT84Wx?{v@5<jq1|Dp2?sV4I-c#bcuk0}^
zWAWSJZJoWZ&pc_W)u>&-m+qY%Uv2X6!{zsS*J<+6z`{$fUg~+!b=}VK*{@gGRDJBZ
z%U^}QcWAvle8JGyy65b;?p?gGL0RM}yOuA#`qGS;cZN0$>U(T)@z9gb-Q%Zro|>@f
z+pN9K-mbZ8*OdgvuWl{!yEAq3w;y+zTI&q|V0h^2YRhBy4BWN3_4pcgzd3GN(q@+3
zIoI&Qr3cM^Tq<?JNOjPigz=Nx$(VZf67Q-D*Z3Qk(Z=dUR(FDf_tA6oNb7qzc%a2c
zi;H5&$A=ch7FiIQ96hCcU%4#m@xG>9Q|uGF#uXP8#blXc`oza(<rM0*MdyNelAfR&
z=f};Du{~M<!rvSXD0o&ckGBE0#=CPDIXCwV{JQ0d_F3NbdL(bGbWsly-Kffabg!{b
zN56_u7C}T}!)mRW5y@KKe7TpNGHlU=Fs;C6^_l9Y<{y1sSz6Y*`n=io75~#;d|$FZ
zq_5$`r}1kBY`GI%BP-#DX4wNOUEI;f`M&yYQr^fZUb}x>{oU#xPY3TF<Z|$h;!~eK
ze`ZrkQ2MZo!#+6}&Vv^%z13pp<cJy0V-LGMJpKHT{5CzD8#Qi_Uuor))Y+?Qp0FR}
z`p~~*&Daqi<=**y?x#*(QMbl)x34p&`+2W@9^(eE*wjjkBVLX^xB5=T5@|){xzTaW
z{7!~$*zw1(*W2wVTU9#wg`0KOv|CV;5EVOO-Kk)Ek3m26tJ3|;%kSx3qNg;gx9-a^
zpKqxf+Bd7i>`l4FAMFaLJ?7Q3J2v_s=Y#c9wI86Wy#=Q7y4_fEj-7M<-mw1Vvk}$1
zJqc6e_Ep3QZ@n@G9bCh?b53EdaQ5inX8BpMR#M^U;bq+r+_7+QQE_nVoZ_Jch5d~+
z^;B`BqlYm(D<U{v*OP;-dzza7W;8A+3^ole?psipJ3J>lcyLipa6x`viLsHME{;_^
zYFiHpPR}zH6$K{*w;kLoFE=Z=ZDH;JQ(;L(rW4%2+*Wakz@sEHuR#P$d5nqic$;j+
z#BncGyjTm5`YU2%;ZeBc$Dml@lI!TT%-v2b-@)4LM#GA8^0RS`olSYU*+i5;nzF%)
zFr*e5_OEEr)bte#b}nvp@X+-=$y?{YSW*;zeCUO(9rq;N-*C-u-jyx`k96`2tFmPO
zSqbyuKQFsv2smt5ylm1sp9yh+0rtI)oUU}&dyQVuqx}%CmpYHw^-9gsQJ*a9dXZi7
zQIoIf!3%C)-O=mLELY#x@7?Uu_w&N!O(S1f?Bx~wUNfm({QQ}>U({1SEL%`{(a-+D
zUD~!-oBh?Qyo*27{?smHXN&qXy+7XH=VV!fZ@d5TRzSmQH81Bb@U7PW<EEas?>LX&
z)ynwWrWMOWYWMo-%8BD|e{*$4;Kw@}26hZ6opY_5$8~++_j#|Mi`I_3{L&TE=g)uG
z;;qO@>rT{78SkL4|D@qtzu(xjbZpY9=a=2L!e<%avs6#Cf*F7?TnE>&z6TKc*fO0V
zFx(=H@?UbD9Ne^kVBSN2Ue7Ra6q(*$uVHOYmb`o|%?%wolmHc0CK`*&8dwByvk)#>
z*8P3|YR|%fCUlrUG)9loBj$(AuU=Nw(yTyG+fK#}%rYg!^hqKfC8#@il$Y*lJ&_`p
zmy|y-sz|ZB8?UN|ybE(R`sr0r0Y`GTI#R2)Et<u|$HW^GZP0en^e?MCSI2nn!;mQx
z2JHW~WZ~-785PiW%#oZAwx7Pb;ihhXJ3Z}Jc}0RT;R)y<wC#60U}Mi#XOv%>H49i)
zXNdpI^?vCW@07{U4IZ|~Y5Rq@cP6%RUh-q}HJckum~`dNq%|#1x;CqI|GUbste^1U
zvnD@v&uM#mQS(8rUL*X^-92_~OWV!`4`zM5q}`{Dm+yY_?4>zQmFsQ@A7Na?ZpTiY
z)YN@S=?(jy&759&XYak4i$=^I?6J4W&ARmp9NR|ZMGb4IKl~xn$)o<U)WJ)%lI-92
z)&Ai|)7Ko&Iy8Nx^{*w5KivE4b?4r?<2)~SXKbffY38WW6P(5l8JxWT_r|6>xd(jT
z&W>8o^M7<}f5Ls%f{c~pcW!Jl_WiI{Y<RL#d$Z}Sto`%U>tiQgKmEq5_pi4-nsw^s
zcdM0b0osBTaw{q9*?QI554$gKx+*KQBy7QZ#ZL^G{$B<_f<q?hNiYp-9%xL_lk}8w
zyu4%d(A^A<mVCOlEGZr`5<<b-Z7O9?yM{S=rlF?7^3>GD!xM--#8jLU+@`RPDL;3(
zIahQg1LmrS7N3%sYK%{-2*~1WFkd?-hjhSZ?}EboT$9mFcM+AElU)Z>esJ@Gq8ua4
zT~s+Z`8LQd=mk(MK@vTnNJJ`2Vw#g}bk|+QPL59Y9ZLr0Aok=JTMtw`|K`AdNo#-l
z@p8KxX=P4MkB(&foGo};X?SkV%RS1@l$@Ixuz8%v{q)eLTFB2Y&YIZ6(Djzx(ye!R
zOj(|TA76as+OeH6SC4A@zS*@p(Q*2Otu7CJ2W~tUSYyd9mk~!#D{EiuRd-ZapWbs*
zCcpE-$)mF$&6(r8_(I;x>(?BA<#yfPdr~iZ#@|o=CE?qRKOdiV^t-LCzwp03bo`Xa
z=JxEXaqj&F{c>XBxg#H+n03IRr17xOrek*BnAoA}5A_~3nfCtidTTuO?@mvhdr5Cm
z=c}KbJ05bo@?f6Fy$z#gZ@P76%(~I9#n$e4u5R?zoXGxx&z<?6uRe13Xo-IB`_Ixh
zxHg{>pZiH!k4DP<zBlW5<XUn04UE(bO8$XBVS4rXRjoi}r_2YDaPsKXA;xMMF_s$+
zbp?p!!378IEsDXsr~ZQ8-Qbv6)>JBc&`8p}4SGwxye;6dw*bx}WU|=;j<b4|gK>51
z2?54coSwRyK;ox!?I*w#T$`|$a&6=7lkLBo866yV%g(U3<%QhqDZxYZDAC;@jwD+T
zo*y{hzs!pMMOile!W)qfcd>R2;i`q+4Crc!8wgh(mOx-RE}J4%c>vPoziGI*0!%*@
z$Dcxq?INeVlj_~#TJi^ld!~5xbUQ!$noq{Nle-iRckVmYW%R83_kKS%F=Wk~i6y_>
zZIPD~w75~=p;~u){o3c$=u0~XEVRFM+UJe@=o4G7)!cG^<k3%eA8YfwVY>anM@JjQ
z^OkG$jR%v@_lW<<@vPgsIk`1EZQS#r_q|Eq#I9`}<n{ff?Bf{`i?$65dc8|#yCus<
zM9y@dZ`a_<jB!41e1H1U`$Ox7E%5H}*{R0el3qDABw_ZdExn?OKX-Mwa&xW{IQ>{&
z?JM4&mEGDqx5tX@ixwVjFy_*nl_9zmalYH-DeG@|zfkJ-anmko9@%y0#lNz9Ox2~1
zMfK*cm_Bx*&+t3*PMsa|QsdRP7bf&=YAogJ0MnnylBADY@LvYQvg@D1#$!2i{<t#;
z=~mg(UNJh^h?!jXw|VDibViQ(Sp2LEA1XhP8=)W#JvZPzQ`2>C58TvfT$)>pbElrG
z`LjOS<`5_2Ks|qc-q?Pu19Z{B_yBtrbkShEGqHSVrNQ{1S|PRsv)-r~fQOs%@R77&
zd_XN13Tj`JnqYelmi{P<W3ur-9s3m0zIj+@p{70B7+`MGHbg=Q<fRhJKE*drZq=-D
z(C9JmU79ib*2NDl1s+Y?m$vV<51XxA=C-Rw%MLZp)C=t=EqQ6*tfl*nFQ57D^W-Dl
z@_h#<ciXY%*Nk8K{$_V3t*W-6B(qMycPHXrs2OqICu5lD`>)k^L-t*q_4Sm^->qBO
zd_z_5u!OT`+TE?@Kk)F62@58Dc{HW8ce~cvV`p3+JnGULm7Se_?o_%rpv_C`n%vG?
zeJ6Fu%=qWuKX~;>%@2ORv3|{$Z^;FdcN}WIpx5-1Mf2^--nAc-@XOst-TU_+`hL%4
zkJRST8D+B~y~gd&`=jK=O@F+W{nf~xFLf|=ZMG`;)72)!=4<Q1N<#JfmxouMyUY2=
zo6k3FK7ZHYVHt*AsS8SFN4-?m9^XBKu~d2hw7nw?xbS~kTasP>ByQOl<O{mb<Blmt
z$MQFt1amAmIMwJv>>|yWXiPDtBpEaQWR6XPP8=Q7E%_zy87%bVsVk`k`>K8Q6mytf
z|J(G3v&PpO`%0c$`uT?oll984ciWeBvg@^9-#ht5mCs-Kfvxg8@awv1?zgursL?>4
zvB=@OO{12lzMppXH>VSKe+rrM&g!^tV&<*uGud@ho!y@<eSP9LyMDeqeMW-cgD(3f
z9;q^NTCJ`}4El?1okI2Wy4wPaUcKetv2l&Awci}II?XTb_80lzo{0~?6lPpFb(Zhh
z2Xixa{5<W5dLc8X<%ybgmrv=v|95Riv-Yn<ENOhM^~9*ft4H+8yLe_^kEVBX4&CS(
z^IF##_XBs04887oz2)B42|v#{^YOyaU#I6DO1W`#&$!glKgHe*Z*il>)J^Ziu3HsS
c)H`VVYsW)#iXT?4+%Tf)yMJ^UfC-TQ1JKV!x&QzG

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..5d65c93242fc3776b379ab98bb5e6e33af4b25df
GIT binary patch
literal 291424
zcmdSCdw^B*{{R1aueDlxs;Q>y%yij%&#jqinx<yD-=>;wRHlnebeSlMB7~tZ2<arz
zNEAW{VGu^bAcPP?2$Pb~Ax8+A{d>IjdrvwJKF;^^`~LCmoJY_1TI+qkzTWS(cEpHC
zQ~vTKci@1rgQo{4Jtf`*Zpx6tvBQUYb9%4jdYDLZ($K=eLoWI9iVMU|S}fu|H?-)O
zu}{p~UL|hpA~7;<=-6WiUiR}f9mH$BMx@X2$BgaNWlE#>D@05s@s*r3d+MCUefD(~
z3C|JfHu<D;=Z4MVhCM}!SMj|4$#YJb?N3<MU1a=L!km4|)U)SABI1(X0-nd6GVA=4
zZ+^dTXOZ*L#W||=jOkOS)qU@yrugl{^KLV^QSagg$8tTF>+~73=aw#+yyc*XlOz%>
zo^{4aQ{zUg+(vqvxt=(CYU!N1k2+`Je+B--r%#<d{p{8IeirB10+INEbIv$>?(IJg
zJ4>9`NdIV=bJp}ZU4Fc!72yl<Kb|rZb)8_hhgaM*rBR>nrLMb|JMvb&r0=ZGn_kns
z=7qS~?zi}@D^4^7$x(aTYrdgKD|p^LZg%Xx28#X(EY~~yy;S05w$zC|uSas!3pHZI
zb+Vm}JP~J+Q%s<vt(wWw#kAvY{ebIwuH$$m;{51D)3k99C>(f<ge4q_IA2G6&53Co
z7IUjUHT#`%BuwlNOOa4ZPT$DS&LkP>43QjX9-0pEa1qzH%Sh7^ew760WbXO!Gu#O4
zcs?$s)6r~6gJhl!cd{ctxgDjU(_QL24I&4fHj?f%lJ-tt8DQSV-B&V+E8QF`Nlpt%
zb$WBZnRGQRBCnDD027n}?gSa&^nngh{{u9PS;Dg?rMbCS8aq9tk5gab-8kZKNUN^I
zn=R5dS{^Oa|IfH1Bmb(!nJX<1*O}Jak!T&(QjR~Z&;O3JKlHEd@jpR(X`4maEXk&0
z<O|yGD0Cleg`E)L-T-?~`rsZ6?YaK$a64;T*S5E|`M={vuj3<MMEipFhuS`&{o>Ei
z{_?*k%RMC;PbcE~BXS(=i+_ggquNjZlV_zU+JChV{~qnr|6A@Ojz2)h$&p0Ii;kH;
zL&wtZ(SA0Qa^E3&&Q0j?pyTbof-&<q{JTx0Q!P&K$gj0yTF3Q~(0?+c<6OsjY`p83
z|NBI~|3kkzU;GulBOmL0@*9y~O|!_W%rDF_k+)$ByaPYjYsrnyJ<X&Y3XBo;8=H%C
zKB`6MCDR{X0Ch)+e2-?DPLZ#4&Z;Fkcj^4~C%EHeXmoDV`R#8JIrL}#+-`pzM|9p?
z!hEnq3S#b_C{PDFpZ*C>DP?4?{ZAtQIy?vKJp6wFo!5^<=l8!t=l<X0<k~ey+aTJW
z?WHSyr<eBGSieoA&n6!3r`kWYuO{$Z-OtmfUzZ%SLsFb>=zz#hXQ*UHsl#*DAEzg4
zV;}0Ew$BZbL1qAJ(LW^L%!s^Z&Zmy)Cr%l8sEGED{`3)rz7hE(+CMtu);{nqd`g;2
zn4=FvxcNM%PeP+;ThTW)FVQxbNgi^fjgxi6dZ=sRTakm&`uH(gFLg{+<Y)6U^ZX8}
z3ysZD;xo_XI@eOqcfy0LqZQ~rNivJc`(pZw)z+v$W9W3mJ@r#dT6Es89qa#{HaT4X
ze-*B_-v2_Q<5tIRKhQDSjIuP79*pVlqjZRT#oC;7*ygFrJXywkqU*EHsk(NuMzJ2+
z^$$Dd@Y>d!zN72c4Lno3Cj(nU*9o1c4^oe6>+F|&=Oy~b>5*TYm5~E(QsjVH1FXAl
z-N*r_3h?iyMgHlGCB0%PaGGPMr8DomN4viz?VK*sjkt4ljdoH=GfNscV{q4}PrQTO
z(~fZSqzV15FZGsg_A&Q2lMdQ%oQ4ud9<rS;CCfa`brJDrNSEj{($h3FevO+vy%UW~
z!zvo4BlefNuc6!*lh@ND-)dRhZjm3|u9PPm?ZExJBYUIN+E_0|eso^q{>sRg(Q==P
zznS<iL8qXFXkoNIzSKH#Kj(T6`Z2l#EsN|`%+|<{pmp}8)|+!S@t%dwL}#G!qzh47
z1v|#=P53Orw}^bH_3LiudN=wy`WpU!gb$&Ld{OuA5?BB&i6^$cy2s*o5cfI|2kqki
z%=J%P??=BuXOlPOq{z?iqu8}~Mh<urBR_g4pkvU{_<4=z%4QkqoyNV>A_wX;jQm)q
z0qUVHe(#FxRos6{wl@zy)K8rho`ujvv;}_3@dMGmq5b2(AliSl5B&+zex-fuZ$SUh
z{@0Frel^xtHsgK?RNsWJW2im(18jlUVtf+qSK3ei4DGv0ZQuJpRr;*<+rPzsQJ2wr
z{~Pu6Z*}>1^HJ+h$2Rq2zJ!Mu-$~5N*~~rJ(l^E!v@7dEwVX#E?jXm*$J!p~#u$&H
ztDqXj!PuBiLNAC>j82GgnyiWZD7Qrp5a*W~uNlIa8ywTV-2Wu9SBcJ%#msZMH`ICZ
z7Um)5Nq3q!?zG4ucP4wteC+5oJX21OaSD2E<cH|I8JkZJ&zZVU(mAt(80V05jLw-i
z<NsXg<1QiYTX26M$?mbJraeSjxR0T_#_1fbJVkiTkBuvh`e2W$`x@3f_Nnd)aaqqs
zI<MnT^Q8GvG>@9D&fjx*rgM2e<~fZkRa&}NQLa10gZj~Ot>nJuNBJlI_r`dLYfZb>
zKA(jD%UOHRwR`1g{mhKj5A&n$8Ke1D+g$UY=_;BRMQ!fRfX$)yfisNw)b{v^_4y~t
z{gVV(uUlht42Y77*3uV0<y;Q|wI5jbSQDaq?C83H9pKi-p3(jBSe~_&TsI9HMD3q5
zST}Z|UetecY^?!KSQ;I+x%*%@lb@(fulAwt&(&`3KtIL)aO1^y)h5wBKy7|hHJ_yG
z3`C1bL-W;~wxN%km$5I>2$x2_(qiQrfxlXo;=h&>?5MX1t2UOBP8s^M&Z?btWZkH3
zMIE~AOAhB<^H6J3YhIL8$#h?$&#j~#6C?wMKoD9$Q%Hn%kPX@%si6KcoI=We6ZO~-
zJ5c@SM(-yw{(Dh>*{reoxVxyoD1R^hmQIRvjK=FrI2vz?v_ccP-#Hp@8gZr^&d2|l
z-`KoSJBQ@BZ^{TWPDV$0gZcao?7wUo!CW%}?G8h6cZZ=d_fV5AouQklMyt^g(jiK<
zba2Dcq0SEJ5VrywA;De~uCJMZ?QnoL29cWXrdWnSE*u9r5Q^$pX<*`IycsL4qxv$o
zX^mtn#FydBXCJjm#<O=E&HU2N`C3LpJMximL|it`M~VB<Xxz1FL>2!X73}t~bFX;N
z1d^OL=zCX6XSW}9OWQ{K^N;L#QyG(SjK@O8?{~0+>jJK4+wpAP#lG)=`#tX850haA
z&oj}J$#-X-9h5Zl75!?83^!jfr@ST&nTzV1x3R%@GQX3~{|%ham|JS;#n`DWi<aj|
zD4Uiq%0y`yEvJ_Ce`aXRPr@Jhjn<Ra)n7q9YF$Pt|35gBiq*fiL2Wx|Tl@~sUUMd;
zZB&c4)nB3Q_`jj%Z-%FjXg~QQqJ2mE&mZ9KVSSx1McTLi2<>nGYtAH&KY~82{kWEB
zU)KKoXJ|kF9S(hsd2u9~7d?~Gb1B+G$Ab1%vz_Z+j79B-gpKwQ+C$g$Xj|`PZ>4Ri
zZD^QVwXJk5XY83h%pF=U<j2{>T*G){oaZ~|GoPqEz<oD^^_O+rUBf+1Gep?hbSE+w
zk*-rC4)a#p;eOJcd!w*lG~L;7M4CFLqG^84x_u{ejHY=aehRQ(2<HyQeKGb+eKZUn
z_RDCrGjn5XtYOO}N6YOJm$o@&J#4?w*WJdEAKb1s9_%AqUz*+txVtjPX#M;Y`AOq2
z-(t6PjOBkC&u{1Xd{pxpYbPg-JRXC6QlRPZOv|fv!MqVIzqXCmua;BeCM|_MZZh^l
zSF@Bk`BUbMZ&>&0Q|DhZmj+lDwn~bLu;v=phu_wiJl2?e)`WjsV;Gy=VQ6$6xt+D6
zk}!X^MwF6PDeF_Iw2F}y({!{8w1qU*kN%J*TcsU@xcC1?xKpH!xrDr)!`Z}TkzdRW
zl<5iyn)}c*;Y4_l>rK){Ud3IEy>$yZ30uHHpN7|Xz9Oov%xd&pX+ilDOcmqc0@^l1
z;>@MkSJPN`W=W#4X|^{#NmJ84UXo-lXGt@8RwnIbBlY-n<P+XJwU_6xeFk7Ba6g*I
zOHd7iO~iYrM#iNtUre7kiL-|Kq&bnara}+;^>M80*|aUlQ<1Bq_eo3BgXYnA7D|xx
z+DF^%7yM45KjfjaqvvkTSey0yEf?ZrG)Mb@+G^cEpSc#!QLvk1*KJYtt9}MULr}X)
zait`3Y%QF<we)r}cG_{4Jqo%oW(T9ArOja-Ev?-7k`}ve6;<n}75-XbLx=R9cbVjH
z-I6raUQ{%HsZL{g@Q8c0&uX<x>{%OBNp*9ufApMZ0Bv{$Z7>2`u#9;0JgEiozsNf9
zuGGT@%V7>_0hy4c>duyqkPM-iyA!JDeWmtV{Up1Ya+Km+DFNoGWNd34vtyiOiS9Yo
z4N?10Dx@XEGanxZ+hK|#%jgUF;>$kiA^Rea>oxavuQ?Sih1qZ&Tn{h6T~I~&(nTTz
zU@Tk#&%t_l1%|_T7zn*!7R)?CkHb9<Cc!9p5blGcW88%*^I-{G4CjN5w_W5j+|8ga
zXj~f4M&Rvegtwv5u=k)hgX#~UdAt61Xu6uFrgIJ47E^WK3wOf{PzIW|rln}Pv`nhc
zf<9Mx-yB&9wdH<E?P#uf*BveIpg(ZeKC9K4_&J4epQA3st`BQ%d4I3d@Ou)>h3QaR
z=R<M#1%2Kx#x%yQ&|gLV5#vIXKhbm5vzb>!-&r%>gkGgz9Z13lVsMFMN8fAfeOGwX
z&3&I0P^7N>81um~bJXYm^q282@GkbA@$d4V@%niec{g|~yxaV3-nrf)?;P)DufJE|
z4e$nfgS<j-us6gT>J9VG^Gf{>{P+D2z4_i#yk>XFTOImuK;p<jJz<Y24Wywok_2fi
zO{A$bljhPw5-C$MW1y9Hqj#%!lmCfV9*CFL(uR2~Bw=BH#_X9coCiy$WJx>bwholF
zqvS{@$(7E`<9U)VUA>jwE#4}BCxz=JePy(qAUDWrc|(4ZgYvT+l3yfZnwmDIwF#QA
z>0^4EzNWu9!JKHOnv=|QGtFFQt~JZd_1^9N8vj23Zf}jZ%)8TE<yCr*c~1ly1X}pj
zGD7b6cl#gvJN%FQwf<-R9{($UpL2%)xj)%2amJg5<}B|*Z=S!)-|MgQKlQ)x7J65C
z=LeQZH|Z(2$^+(XZ?Si^cd2)oSLR*fzZY;>kG}9X`uBQQcvl9>1J`?Zc-MIgyvzM6
z#{NX<E|cYWxj^R0g>t^!EVod?RkB51lUL2qK*K=uKw=;%&?=A|XdP%7XcK58Uc<*|
z>S`K0Al1}Tft1Ka@{GJGpUAi7B2#9rp`5pw3iF)VVRo6%%~$4o^OO12Y2|cx205dh
zVrQZ=!#UMC-8t8p=Un70aISN%cW!iUc5ZcUcPgAmoF|-(&NI%l&KBoQ=VND=8}Bx9
zo4R4Qy_@ZJcJtl7?m&02JJmhMy}-T5UF0rym%6vP_qi4BbMEWzo9;XAd+z)0hwex2
zPA}ladyTvnUQ4f&*UjtY9p_E-rg$gO*Ot+$cX;=Ck9d!JPkPUJZ+h>0ySy*FZ@ll?
z3~DpH&B!)IZN{`IZgWDLRc%(cc`_IXHVP&NQ-T@64#D2R;lZ)NlY(aiFArW5ydii?
z@TZUo)eSWcH4i0++JsU<?LwVHJwpRRgG0kZBSWJ@$Au<@P6$m3O%2TqT^PC~bY<w;
z&<&y6LU)JOhc<=Y4t*H<B=k+_K&U1h2)78g3<txh;kM!2a9+4;xL3G;xG+3Cd}jFk
z@WtV)!b`&C;oHJ%!gq)739k!35PmrPXm~^Tsg$NEi7DZf)ReX<IVodOj!&7Ka#hN*
zR43I>ZIs$1wRvjG)L?3d)M2S5sngR!8LKlM$#^{Dsf=ecUd(tUV@un{ZBNZ?nmH!(
z^PG&F-oJP?5x(ycMoF#=kg4?cDtU_*|5vnyuQRL7gS7B#=2NrBd}$7tgXWNv6m8)m
zXN)t!nM@1Ma?Wr{oeP~ZXQ5N>tZ-J*!ne`F4?B-LPdZQ2!Y?{oo$XFFpAj{38@rq^
z(ZV^jaL-r^&yBY50$O;9d#!tiyUu;cecs*rZ!IidoY%lh@DjaNUar^O>+KbLle`nX
zv%IC=a&NVFulE3BY=c+jz2R;1KK1r^Uwi+eg@@9@$I!y#54W%%j1RU5hJ)$B_Q5W}
ze!(%p;^3@cS#U}4I$C&jNJ37iUZ_bZDbz9)4yA_Lhq{D%g$9O(g^mgpg~r5McuMHR
z(5a!a(50b;q3c2`Lbr$3h8_#O7<xDKQK&lfuh0*)aFcLSxOF&83wH{4p@n;f`_RHe
z!*jxO!xx6j!dJ&y_%2%bK3e#p@cM9Nw1rz7ZsDSou_-6e!b@W<+?W<lKHS37(puBP
z4`)1<u`#2H7Jiu)PKdSeo}AR2UcX4Jg=yp?|3t2hoE*Dm<@onMk;`j1C5p_BoWb9x
z^S?7-c4Ss$W@Lu?jP#34a^F&yH_{v7Zu5q@FX|Q7oghc?I(i+vOfSt#^#YLtk?$g`
zc{Qv|H4j*yxbCUBD{@t2VdTol6_Lv#>mv6@9*mSmE{M#JJRDgcc`WjH<cV6pf2Lpb
z5cwh>Sc$*rx_9T^>b>v(nP0vCX<Lz9<b=QX?3%ah!d*Mmt$%jCziZ~M({{bN>+M}r
zcb&LvYV7V)yPo0Mlkm8`^V{E_FRXR%#!lMv)}A+ak3>uL?q|%NpRNDwp*?YX;`h|s
zQ+H1sPwMY+_AsG-R`b~h#COxK8$R3gSryl3es<PpM}0PB_wL=hc7G(Ydo8@Ud*kk#
zc9-og-MMt<*qwuS4%*p&XWyOF?9MUO-&C*o<m*q??0DtfrSFc5=D{#i*Em6D+~v+T
z=La_ddznA1tHZpb(4)K=-l^U!?{set;{_{%d*?>~j=I%V`^PKwF0gLa>S$SFS7)(`
zFCg4au&UPgk?Jky$!fUWdzf)}xMq*^^Lw}Vy0_JP*W1Bp-N$%6=>6;+sv~v0It}Y2
z)M-&C2~$OBX|bX8ew|>QaGlgT>2=!H=}~7?ouWD?*O^u4+&bj9PML_G>mTmZexX0c
zFY!<ReaikUe~y2V-t|{Q1yuRl{R6CqNvwjs0>ls)5f~RJ4ot)~S$(3%t2=Naf5VY~
z0>$<!5N#3rx84biI?@-{g_eK6TYD9th5!9eARNfz&i~W)RA33#4Azi;r@xk&dQG5(
z_n1G~Tj=ld{^3;y60wy&_OtwUfd>9(-ksicf!2PeU*cWmKkGl|Kkr?L-P0XArf1YD
z8-ZPRJeJu+Y?||9HqCd~X{(}k&8@Q9e^>5jU#`~88}hjvFjrx{{e=DY3l>}i>#8aC
zTbrl_*Bcv7Ex0GJ;ih86orDE9-G9%Vg%x+5+HvN7vjN+xxBM!7q(+W54cK=zld-0`
z9BUF~oN2*Xd6G;ptz?QxkrI<CQ%#zj%HC{}3CV2JNlrJpa)#+Fb4(XG$8?iY(@W-?
zesYm1kOgLlTxJU8Vlz~JG*8LpW|&-IhI0yYl^H4jFh#P+jFQFX7+J~*PB|wHE7;91
zH^-Y2(eHw8GbhV^W{%v>`2kj;JZ9#}6MT#ExVccC;(Xz0bD30`%jFrfKwji~mlw<;
zd4=<$*G;)>HOu8q&NkjME97l+qkL#?lilWC*=rt<FXU^pUiO>E<Qwy-zfR`LgJ!Pm
zFt<xTCa^LyK<+RzWE*cr-Z3lXU9(EwGdIh2PC-U-3UQ{%lSj=3GRx%1^}Kl)X&TA1
z?3iCNi_O#KMY9Ea;&t<e*=pW2Z<)8vHuH{o&oSmD^R9W{U*IqHul1J&0x^rU4c2K(
ze}#Xee}#Xwe_bFHNDX8JG6U@b9ReK#odbD+u7U1>o`K$hg22E)Vc?iRQDAgn3?p|u
zV|RjksyoX$&OI4>bb@odGs&6aT<#QMpN?_HI^&#Uo$<~ISTXalUoLVkcCK(roT<)<
z&PmQRXS#E;a|$->Ol+LfuyST&%bwxP!PYs`Im<cQnd_W`ZF?Se&t=Xf&ZW)*_ZctQ
zt@2vB&w8!g=e*YL^IjWwlNWSf@>1N*UaI@5m*KwdWw~#7?cA+id-qMRgZq}3?Y`}G
zWEIW9-gy`MwTt_{m*;-q<+~qxUELjCH}@m2yZf=%!~MkT=~jEauy=d=^Zkqbi~Y;}
zEB!_O68{>`9-8pJC0UA1OF7MSl(X3TpKH3yd7LR-$+tuc&CznT87)i97`cY`JJ<4U
z?{#LpEaOb*M$UL{;=ARQW{RxijH}XIBpWzGdeW51M$UwuGgr#<W}$30SIf(0iF|6-
z$}V${e8!pBm%M}g);x~ISZR8gYdG^We8cAOF42{N#^W7f9Vs+E->?Q`h>7Eju`chP
z>hT_?KHt5@%ZVmkPBIxX&9s&2CR0u}S#k>JSTjs}naR7%OUyvI)C`g}oQ2(KPL;dN
zX>vDbW@|Z*y2qR@_nI@Lf^)EkIAeR*oF|WP&bHp1FYog`^#^9Pd}Qw6o%|a4#M~*>
z<}TT3?v_1foqWan&VA-#`KNir`O4Yn{L}f``NrArT!|I?4`;D+wX?*z##!ndaK6WG
zHLl~je9c|QSsAr&S7YJc?%d(5aRY9gTc5p41Ggd8ZGv;BbC+|EbFXusv(CBSdB9C{
zlbmPR&vbFSy4~FFZV#;9Ue0sQ^H{|%Ih&oAomZS!oiCg(oges0yvB*Rb=`VyvfC0X
zIo-{3^PSh6*PS=8px<=fa^7~fxx?L~oOhk~u&Cd6K5#yCb~qoo$GYR4Pn>FJr}L?^
z%h~OG=In94b^hh{cl)>n&Ufxm=UVn(SMi1V7WWMIbaxIG_l54!?l5<R>$_vwnJs5$
zc8l|lJJ&teEyYT2;x==evma~WJcuoSx3iXg*m>^xSneIM-8;D<c4{5mT&D{A{z-On
zPq_2k`R-Znaqc*`*zN63VTZTg+2p+7eC(d>o{5#Nd)8~cyFB)+>`is|dO5bj9p19Q
zb$*q1H+!_}vE<ic$=~C*^)F);@9Z!1ANKF{H~5eHm0n-(aes^drvDcE<#$-C_xj%l
z_`F{CyN>I4fn}Tz@FxQ+MgO=V{tCxn+Tt7_O4Pnd#SPxYXqv^t($kYK#lH*9u=si(
zyHWAfuE?}_YCY)M+>ZM<pzST*ZD<FJzYWc{L@ln4xWQY5>RJ!pIVg6s;@ynq0>8-c
z`lG#|H}3P$J{JE2w6DciYgh9G{)ecB0dGE9VBsu9*xL!KCPzMSg2lTL#kNtrThU1t
zweVP5qxheoQ!HLNT4LdRMc6G0>#uOqBAhHl@m8XmHh8z77h0kg<3+f^--)iaaHb)m
z^#z{Bal6I8552?U-;J)Z_;;c)eC%Y=b^>oTs{X)JzxoUUEzo-`9yYn$Yw@*wng)0a
z(RCJo7ka<N`v>}f#j8Xgv;-1S>_x@bv>vkfAEOV$BizqI*INP&&_^x)XQ<`_JS~Ur
zD!{uA)ifZW_4$Ow*S@yF;+LRLTD+^!jqo&SJ&QhL!B!Hff=$p3UWm~beKE!e^raZ1
z(arD*X#aRMhStv(cpc7%H)3e~TVv=iY~GA<1Ns)c3#;Hg3$~cZ_83~P+Fw5eO=m|8
zjr*e*pQBoj$^p>+2iR~T)vy~5g4UxFfjt(}5Y_NtnxcE*OWazYUs+5T-3MQDzc>1g
z#q>w_Ta4EIw-$2(`Y-qa|5MQ)Exwjd^8w~8^e6ZQ_qFIDi@6^C)nc^lH5Q}osrd$M
zOEEYV9p|i_Q8XNDXcQgytff&j4&zzmXtYiY`WS0$6d8jCVl+eJEW$38wb#-dt!I&A
z(fTnG(RhoDLp5Hd1yH}yIv$TUijjmSSY!g)I7Tb9iACoRZI37^sOAZDF2Rnrq@tPz
z=)8h$ZAn8l4UkjO<QUm#ON-81*x!~AN_$7!d^Xx9Mkh3Ak<(H2r{qG|B4?nQKczEh
zo<QcHnh&K5q+8@1G$Tegw5>%-(aadVQ04+f=S1upOFy)|Mdw8997_SJWdm7&c8oCu
z&9TU3sFp`51T6!|#i-_6848+L&_0VrZg~pLx5(va*BHZ4Ed$6EX!jVy(H=2Ipgk?Z
zcw`@A8HsA&1%2mWw7)7v(AOf1P%X1E3i?}QF<KDg7<7O|mZAe=Xg?fek#bbatQ5mw
zi>yGkj+BX@<p)`gYT1<ILCd3*z)_ay*w(S6JPBG(&^3u&nB`<t^9{OYup_g~LA9Kq
zYZvyl<rH*`Mb{AQZOhrHmIrhVzy`O>L&sZm?#Cv#XrIw?g02(nrYsktS{@K>(-UG`
zifZ{m*9Po*i}snx7O6s~#LzxaV$n53=eQ`^_fE9vy1~0-i?;7Hi>@tZdJJt}ts~I2
zg#D;R+i`|P*Ai@ai?-vb7F|!U=`Gq`vn;x{VB=eEKu@>mI)lw`(RQC>k+;z^W88?I
zWzqG9y|G2xbgo6$67~(2d(m?(x^A$KuxQ(rTG$l}`-&*h_2UBE%6icD16@Pde_OPD
zwVgoM8TM3`N71qvjnQi?@;!Q;g*~^JWfpedVpdz!24SCW(ffK0x|XsJvuHnj&f@Th
zZxN!XjmS557QO$5MaocZ17!ecy@T3c{NBN$ZK(ANvJI`}Cfx5>MD^VmE7A8XY7?04
zF;=1PThvA{AH=vB)pi247mSuixdlG8$S8DIj0AL#MYPR7kCBIdX;GWYd=*36>3~JF
ze`#GSIdIS-*P}nhn1CL#h|U4O#%P2Ion(<`(PRs!8{)LIsBPu6vhe#G;TxeSW+OVt
zBFCUb7QPn|XSBt<h>n3`(qlY2<inYWdowy2bX;vgX%9u~*kK$gTE`A$b56%iy*g)r
z_UVt&QkaLEI&<ic&PBMXCx^Co7U158E(Gm=-=gK9^+6ptD`FV*MvKuhuCi#GJG7so
zZR^}>F(0AyRla!=z8@8*!s1_wK5X$x+j+#|Yh68V@vlWIE&ej}2}>Y=J_*!iAP#*R
zsHZ?ZRNDi5^3Asx;!sb4hA92od6WCgQLQ5gB%zvD2xwbreL)}@{m>F<gYK{dnxk4C
z2xvQNor1ptt+x0#qB|}A6)62y@vlbdw~9~wx^!_R5JHV5kcv8%Kn98jC6I}FmOwkS
zjwR3m^(}#pDD|QQI-}H!5@0O2buEFeD0QR+=#OrFOQ0tjZwd59>EDW;e!Gn=fdaIN
zB`^?eYSEKymwI%=_#c9%L0jDPZN6QJqUYdlmL)JA)iSilPcfQp(KB_vtr3^J2Tnlq
zErBVh=C3dJOHfT40@KmKmcS|KR7+q6Iv36Xbzcx;HhNJE4NISkaw>Xxj9DmcrZ~r;
zSH?IQT?mV~uX$c<(J|>Ru{e{^Yb=iDd8vip9Ef`@+(y{`=pAqmZpOWPuf@^w-e=MA
z?XH6d@iQM~yeN+5>mhg+x7NdR79G>>^YAkF&qQCbIA!Ro7Uwc_3%rJ(OVHOXI_BN2
z@Fw@qN8hpN9N{vjMA5X~k1-YfFvf`};~>gO=*}3^*vAUc549X#9K_>(6m0<XE0=NW
zB|r<@)T@^Wj3=!puN8E{eFK^c-Ee=3c86ZLze0P%ak#%lX%CNf(0D!Cz@zRpUXT1K
z?lUO)i;|3<WpS&}vty99z7JEhe)TLSisoghMeEzs{3)%0F|26ad(2Hy+MvrV?j}^r
zpafxs#eE6AF-8h{lf~VPu8fh2uC{0!>RD2h4D@!3wxM@Nj4YJCq_}UO^ra|_Gw%V5
zwzKzOjP_`SMcdwcC`JeLVT-=m^&W|ljXq{^-$oyg!JOl5u(;dMCu8KGTEEn#_9;*6
zPN7{r&7aZ*G*6)Y%hP-)d7yED`vI!qm3(;DqJ7YNFGg2%yT#psYFtV;_|&3()Y}!K
zJG#f>evEz|qX)Xz;(mgD5u+#iwZ*MQzlqTc{g*}izV}^>-Xd)VS^RnEP>Vkw9R|ah
z|Cxu{jI{WdpvPEz=885&7XM0gjK#kS9dGd$p~nIJ-d}>AVDXott1SM7DE&wA%g`q+
zez{1{w+QJ30~Xz*2N|P^5O<Jqs^~sD*w7-R7i?tFJ$JB$MNUH#ExJz)hAnaynqtwt
zW-#3%=c4puMfaCM`l2G|q4YmR_m{yg7NH)3^a(}xYC(+)WFbo1E4pV3(%y<(jcUB0
z`><dSi%?fVjTdxJ7Nq?Yxdx@p6y2W%`&r~#w7*67XTbuCT!#*@=w2;2(870>5~SS~
z-M0k`Epj6|*rNNe;1G-4gwi(@-IE3B8;Yz%=_88n&w`p)(6h;)<`2x7sI~{_Sz&O3
zMfVoL<1Kn#7(BtkI~@L%9g94PYCgb}p_(@6Ibu-L14Ew-mRR`CSb|e6M%&^<i#(5>
zWZ|8V1ZP?F95FcC!h0eKo^Fws(K9SY+d|U@`4rXkfcHrfywoDQ(90~mW0K$ki=Oud
zFSqdCNrD;|=ow#7+Y)pS6x4PC`4-i-0p3qZP{#o1d0y~(i~g%f!Q~dy1HHjwG`?Fb
zdX^eoZPBy!;B6K?s|((4kplD%i=NvB*H~l#dZ$It@Pc<)WFUICMbGnsT7Hm0sFoS@
zY%h4PMG8?ZGw3;AQ2PYPVDx^Ap7{kIu!#1x2Q7O37u0$Iq0a>$vglc0@L`J#Lm#o2
zdgywK3`ZZe=ow+~F^lMU)H(${FAQouf}DsxVbOE4p!P+OlTht{pl4=5?Q<a0(5EbV
zeinS%BGb`lEP9p}tg^_-=(83*Qwu(4kyFs;EqcZl++>j%=nED-ZwtO?k(uaA7Cn0l
zZnnrJ=*t#8e+s^0kxS86Ek@gDi$&i{1Yfi0*+%eni@u`>zG2aGj^I{{zN-knY0)!}
z;9C}bZxMXkqURsMZ5Dlp5q!s@XCc9NE&5I)_?|`2MS|Nc`hFw$zD3VSf*)A)T}ALi
zi=KG|cUbh@Merkwo__>Cw&;6|;3pP63kg<R^xZ~qr^S?_pIY=?M{t+LoR99d=y`we
zGmE(u-D45W*XI_q8r^FV&C3@S-rGv>ON+h_2!3VZU9JT8S@hjN@Shgm?@I7%i)eno
zvGC4Ug8MC^dDnRXcn>T=oeMzUAq2m(@NQUw2Q2#DAo#t7_r((Y!J_XFf<Ib#hb+N^
z7SX)?WHHoLh^Rvb8=JC*90=eh&QKiG#eF4O4;tbA2butlag%<i2{gw|+@T~$#=Q(}
z32kuSfQBIj_aQVDGO?XB%`9lg{gr5Y=!Bd459LB<{E&}O7wC?=KH39%;)gm6^@9Gm
z>0_Y+7=WKdbRZ1I-3lEB!|_9%gpPudxF1D}U^ITnQ)mnvhdTqEU~x8}Cs>@P&`B2E
z$A_j^bUz;|fvJQgub~s+6x?0W88DNyo<mOs`nc}(Lv!Fv++Uz)!P&TJtI%9H2X_rh
z{|=o;Jay4hI3G848oB`H;Z8&6!-cr>&@#9LcVF~Upsif$BD4^$A<oy(rEo3xsf*Bc
za071YBD4aiZ|7ZfHQdJiW6|5;ZroZQYvDose1cZML%6?1AGWytQSC$E_CXnAimPq%
zn8o=Heca*>MJwS6;vr8Vt?MUoUxjY8=$S}J>m6L`E~NDiE^|mo>m6LJ%PNbjb@Qyn
zrCvf>@8BMdK5ucgFKn{7BT#J*(DRAVOBQ!5x*1+3Ki8wLz^k}#Mm101yn||;g6`u(
z%%zH}?e>Pn)ppwoZ*spe`WC#6yBVr=4SGHide7pvK)1vD#7|v^K7bE#(*~iBEP7rL
z`q<*qKSJ6b;GU0G!!F#}D05oqGu$C`kHzhPer|Dd(Y^2m@oW8k318u+4MO`YdX5$P
zCooUB^U!ZBuJ+k~S={4LZC7x|p$9B(G5UkW?T!9uai^dM;V0611pOI)!L4m_$f9Re
zp<gZT*=UW$JyRqcumr9_n^<)38*U2JtG5_!ZqYq(m^xLwyU-*^#$ATCw0H~9*3gFg
zjGJ)K;$4o0A%**lgK(-v_s`+B7LPg)cd`VoL#b26uR^;(9_K$E+SL-EkA-_eFXFrc
zWt=D;?HlfE(fx3^AN1$`^=P5R--r&ic#Op`{aDexbeQq1c=w=lEWYMZ>kItL(78Z<
z{r2dEa1n0J@5L5>AzB7kaX%lu8kXSJyp&t~Rp@ON|9*6h#eV?33n+(AzYS|Xz<&tU
z@__#^y3XQjo;3{kPoV0L=l&z;dUzB!gexun22}l_{^RIV7N5SFLc1$I{WOJkRy^u5
zCDEd104ZUMo&luLj*3ToDb$hT)Av(yEdJMMk;UJFj)pP#c@rHA$K&3Fo&b|^zlKt0
zivKpc6qey;tfV>?e-G+g{4dZ(7N2pJ+SuYV_EMWz{CCji7N4@FCR_aNXiJN~7Y$nc
z-Dn4k|2ay(Q2bBP5{qArPJ`*(-@#`@t%140qfIhaTm0`(+9Bf+{4icK9s}yn{|Tl4
zWsn!2v6@i@&*J_SebM3{Kwq}_-=nWs0xn8DDgpA_HUTKJA3;yG1gNLXrj~#~sc*&q
z0j2ITDU+T9<<M?9tj~J(lhX@&<6a^{mZCVs^9$jBK?C&JUr75GkGTb{Aw4Cqj8_Jy
z!fAwkGP*6zKDtus78O5a%#sO}CUSYD6t;On>WVvMa>q(uZimBzXBJkN5-yx<ZnRIq
z<z|P6RJa*K#uTSb2rmjR8a{1Ncu080)M*u7MpSt)ebIzY;R+dBJd?l26{l1bOlWo3
zIeo%}Uc}>RJOsh}q6x%sYAgmcdaKi~c&d|qbhyH8TU0!{xT37ERYgJJgjOjj;lUME
zMa30Wg{@L1Ou(0aIH%<J!kJ02JO{|L-=61jHkPr)6$Py-WWu6F8t2&Jw3LdnMT=T3
zq8zd7N~!wY4I{t5Q4qU9O%Mk)F}Tu{6%iSdmeNXZq@|>#kk1K)q+K`r=&{9v$!W@j
zj+ply`1sLrI+%y~BCdmZ+-)09ZW=Ff9Uk}6V=lf5&S@J=O3<55R%+{J`dA*W6Bp=E
zA+~rlTgjN>3ZsRo(7n1ele6U_PB?DF9UsZ#m&JSdrKu17;3DAP$8|PKJkRZ)%?RjQ
zVkZ}Ht5py^70srHFtX|t!wPyMUiA%%UrjGsBNA5#jL5nrBJ~Jck5N^>l7xvpem*cF
z8sN7fVH!1q1tJMEL>dnR{5IJn(zJ|BheevBEn353k;HV^D3XLG6E1nZNK3-BB0sI;
zpqx`O;tApou4ZLSg5AuB3z&KElR|najFyzmPz?te^$Cy#1yBrgU?C7bwGy_%US<S=
zF!X>Tm;q&gzjQQX1WW_U*LEVz1@hc>4Up%y+h89f)`QlN4~2l=O#EizHxs{^_|3#`
zCVsQ<n}y#j{AP`SX)qtkVI6D{X@|QV?sl7C2OJP-9}nr!2gboHkq(6IK-doW?|}bo
z@}Et<vsXX`Y=&w$DAF+jvY-Hpfp|L-Zw~S15N{6g<`8cV@#ZXmRj?kmz&_!p+OQB-
zLnTm$o%Y%fB6E|_To?u=Pzp<7EmXmF*e}vK4#Lm_ieLtm!3wB=%}_1UMIZ@sMe^{Q
zw_hZ`3bq68uEf(d3_R=B46>mRCc<1;4C`PMP|j`#M7qaAI#AB;<6xFZ58OR)_fYo&
zSOx1vdgj9jm<IEq9M%Ex_1pmm`1ms(h_4rM^cn}m(Tg~G5l64}BE9E|^htm$D1c&^
z0}Ej_RKix+8~b213C)FJPy(f}6xKo&Y=`}POd1DaARqnlSC9Za8$ezM%!hIyuLH>I
z0Q?L%ATp4=4kWJw`@lFLuLH^Jz*Vpww!l6PxIAbL`7i?TS6I$L)*+E0%^;gYsvb}T
zGoTDsKm}}uYB(q|j64k|p5eqZoOp&$gZV&Q!`Hzk*Z~Jbj*5qL=mX<m7A$}@B1f-=
zO4tf}MTkm9Btb3=gAyo(rLY#NV7tgj!i^-{NWzUI+$h40BHSp#jUwDA!i^%_F<C%<
zjv+rq9+2lE@?1nhMbm(=qX|2ju%ih(ny{k@JGu;3h>XGS82paG?-<HArW}ZG4DpSj
zd}9uXjE#qMpnPM;!7Nw+t6)8Bf!%OOWLz`IhC-MKb73*8flaUj4(LCv&I^IoupRb`
z6vsgrdO(rL1oAq8yiOpm6G~wztcA@`4F~z4Gy$@p0E%G_EaU@Z(mR3lPS^<BU>_eL
zdq8><cf%o(N#t`9`J7Y;6M=kABHSdxO(NVR!c8LFWWr4*+~j;10n_+knJ^`BKz>Vl
zKoQJ<GFSl>uo=i_$w59iB%f2WfP79RpHs=_)P=AbDq$<^jUH~wiAfx0;{PPVP2<`0
zu*k{ruwUeqEh00Bb0*<WohEV`I%|Q*>>eVglgHDufq2f?Ei$J<<jhi$vxWiJb3KuB
z;()T9yNZ`0P)dHzPv9eK?q5J$^YAkdoj;2YtNTDXA5?RF5&5_n|7D9sF5%v#<3uiN
z2J85Uutel?(!YYVufX4xg>ZnED62)TBJQi!h%6$me~{Kcwu>z0{?%C`OGs<UHeQmH
z!fuhJ#C2^kY!SI`hR8DfFWV<lPWt7<cRlGZ=ic&-A~%$atXKgRuvz5BO}yL~0qcSA
zD~WIAAwCpt2H8*u6JahahBYELbA2<{x8wuQZ{hkDz2^BXJilclY=eCww|dYT@O$eB
zm<IEq9M-`W*bRq7RyTuez~60@?Y4zLnQyCvt*|%xA)nlygyzC9z|ZaYxg9^Z<L7q#
z+#wK#9<UawfM<79^RYVN)~o>TuOZBu&3v?83JZbzcX>cQ?n;MMKpyW-0OGqFKX>Ej
zZo;me1(f5SEFkaq66Rj=es3X6gt@R7*1$&C#>a_!d0~X#`w9QRYLN$*@}YV$AE}e(
zL!0?Py$>I#Cjt3g&$CB~`!V8rY(F0u5=Z46K0YUnCo1{yob;b0EpE%kYCbe1%+n=&
zY>xk`0+DA4`>ZPQKTEi07s6^F?6X^8ujor8d5-j+%Y|W30;RAN)<P9*hy5bY$3Yl+
zKoQJ<GFSl>uo<f1ARo9VKo%50G0cI5uo^01E9{MZ0H1{B!Z0X-QdkOWp$fLcem;<o
zgD~`fBA5YXumUPzGgQMtKA=y4EGU3tm;(!8HB`b@*lRzo-<*Wz!Z0X-QdkOWp$e)+
zUy{koVJLtSD1+5d1>4~uA6632D?OkXN?`?5!gkotNA(FnI<FSN99Rk!uod?6L4O>C
zp$8Pf3?Q8?#Ipr|TQ);A929vi0kWU~ieU~cgw;?9TVb#LfxzoYXf6zc5-5eGuokLd
zJM8C21aT0C9#8}`pbS<(1#E_DILMC-5+Dl-pcv-BLRbxzuod=-yeW_bxiAb$pcIzE
zTBw5Uu%90&#6cK(KoQJ<GFSl>uo<f1pvc<^kOc)$40B*1tcFV13VWj;L&~-=iob0o
zPzI}^3aUlk5eP#8lt3x00OELOI~?Rk6G_kmilG!%KqYL4{rs3B0dk=T=D<>@fUU5f
z4<-{J7mE0SMGx2~^1&)N$d4`N0Qvrq>klhnhscfuNQZGS1Li|D91!^^4q8Jl6hbjD
z4}4Sx<**hu!dBP~r15b)P_~cP18IMJNaT|RBGn$K;%6uRKPBv^mHhUdbazdIx%{9b
z3wrQljuE_sS;vnzngMy)I|~T=MLz83B`^8;atrK$eLxyt#Y1bzhCV<V`^sUB$Ulka
zpG!r)_5l4R3{@ig3xM$7l8=8C!yH&B@?8<k5IK+p<mmu;I>5aHd*PtS_oVv+@%)$$
zq;)V32!D|92N%Ktk)L?}b0O^Jl!SDC+02hY4sl8{mmhniixCgDiZS!yfEZ_;7<Vl{
z=x7aSonn|F#!rB1F@aLRUmW4$@Kd)+OubpK0Lp>z^)|vb*awHi)Ncma&__%>VdA%o
zX+YWyHUa(`LP9Q-i)lO&4v1+I4;B1CV-}E)W<A6-kApc-2E@^PFB}xpVgwK_k^Cj@
z7n4*1JH#Y&KN){5r-^ALFkeh-(rr!rZ5G06s1y?<o#1AEd_mlyGFS?0#e@rCoEY}o
zCS@yB1L>t!iAjqG;!5iS>%^oNKoRWYWisvz;%!SFvWT-?YuL|`(t3VSF$^|}$>x5?
ziLiwaehHUDo;sC@$;|@N=)4$K0b%mULmv0?;~)&VKs@=yKs@;iVFgscW`01im5*8a
zi0Q$-p5&z`_j?ubV~A`Zy*~KwOWJ+$+i#ng{%ge)ED$qbhM0i~FiXs!cxVlT8AM#{
zi_D-(Ak3icVhYLEVB%+QWQME~GZa6=2s4a(!%1^E=?y2|;e<J=6c)m6K8_)sqsw6p
z5XaG*#Ec-F5yUfsI7Z-S<TyAWX4F<O$IRk~4C!!?4``<GvCJGkj2Q-tVH@n@hYKFy
zXB_o6u9_b&EZ~O=SwKAF2|pfx$AzH>kgwy2=Q#WxR{{7xj<|~xARh{WFvaDt5q682
z5D(;WLN3gQHL#r@I;6ui;QII-{NSM(Y~hCv3!oCXH;H&B6$0^1;(Br)KBOTpQ}8oo
z6L4?J0Wl?{QIZZ^PmP0oD1pVWTg-`sJ8=dO&xuvAPs~Y#n}+}C+r*r_P|PWmXU2Rn
zGYiC=%JpgFah9@I%<M8Trx!xCm@_5<Vdmrmai3WNtHqoZ2djX4XRi}8cLd=7oN4?J
zfwG^wRm^#7;Gme&SwPz7<NtygfP3CBAg+0(uoTup6_AH{`^C&B{`q0(0YyN#`DL&I
zDqt(@6?36L666B@E<!KbFXm#xUrhKiv`m$F%6MKzJY~dFMm%K|uo<d>Fqh!>68v6*
z-%Id&34SlZ?<M%X1izQy_Y(YGa!|~r36KQ^Pz<GFF6#s1fbw3p04VQe>tPE}PnR7M
zv!I!n%LS4k7lr}xT|s<T5Z@KVcLniXF$WgHYN&**uvg5L#C;`kUrF3o68DwFeI;>U
zN!$yGdto*d!bF%4<zlW%hdwY42!9pfuUZ9!zl!iz5&o(}Vipm85#bjRe$hmj3yWb5
zY=mvFPs~3&Xbt%=0;a)ySS4n0g_x@+idjNDONeKQx`}5A@hl;pYw&kXIjn<CumcW=
zSsD-NK$xY3SxT6tgjq_Mr5j-z>=SdX2d&`{KQ?Iw*+7`<2y-1_uH*hP?l0s1GVU+q
z{xa?_Bd%q{wQM771L7(tuJYE94<le2%olTgF5u^S{4B@Ma{MgE&vN`M$Io*7EH8(3
zunBg+0WmkkLpt<<aWD%Oz$#b|TVS`C6-&k3*bKIbxv5;tO57`H-<8#{U(71PuUZ4^
zVH4o*<}x7M&Gd&`NavQ;kPUiW!GC-$4(L<2(r0d60c*vqo&lv|ZX^ENi2JsKVs1}>
zjbiR76tjl#Ye;Ji@vk9YYYvFHlXUM~FXpZ)J}@D!wZyqL7q*MJXD%#&a=_m`_`7El
zY=hlm*w2~!3ZMuGzmB-qtrK&957;c`0rK;}J~0oj=0mqxVjdzd4`l&i9y%oE;bwrp
zhe_+<y`mqWm`7H?T7IOoSj?j%pc)Q}d5o}+5%#gAd>oex_^(_DJb$7@%m(uL<TNoG
z@w1V8Pm$i!tsxt>h<Rp}n5ulJfGQx(s{LY~6-WZYu{SjA4b8JNpbS=sVV`H7N1sPG
zk=_gB=>^LEBKKaR{4ebg!+yxTTq)+2bSM|Yp2o0;F|Ts})q`TT#6c2pf6Fi^2IAkc
z7Krz?9xw;Eew}CRJIov8{SExTQ3!gE^04<XZxH_*_<Lg`Yz6Yd{=;mIhcHmat;1j<
z5a-qfumaXW6>NjOa7fIX2|%9T>;c607U{l48gCQF+v~+_qpaKZiFt?k-pvNWzSkP2
z0r71YXa-r(2a14a+e=|FtOnxQz8QAFetvM{K@t!K+uyuT-0xTN1E6t$zYlYPJbbu`
zA5`&d$5P-qcD})`Hy^DM^Km{9_b0^j$$T-@VJH`~vk<u6xkb#U-1`*WRRSBu?2d<Z
zVm_M)+r;ddBj$7NeO@MJZ-tmI5&*wn>=5&10W1*nRTiuevyW%{$iqL$<3EY(>sfF>
z%r|p^JntvY{rkjxyAZaE`Bx7p2mF5547Q0mz_aiB0PY`%`^RxGA9jd2C_q{Vi-7ok
znk(k#QZc_2i#gO9){FU-Jl0GU6Nwi`O2jcU#Bmmj;}(m<uK}Do!^H86#0l`<xs1z&
zgW}X(FHXHOaq8#8YH{Lc!5ZLx{3h5dPQw+j5vs*$<UtmUfH_bOyz*?cL!1Nw;!Yr)
z1ma0p3dEDJ9S(`pBo4BHa7~D_3HO_lkEVq%5lFu&X*44*%@)D|ahi{Vz2dZ(2J>O9
zIEna6tPm$@fjG(WPz*Dm6gI&@aawK_rxku%?G~qX510#^VZS(STEh-;g6U8Mi-B;V
zIKXd+ctXS<BAzhM!~4WZ83BYzB|oWUumY-JE0E{Z{o<r~kObLK0QgNKUujEW4Xg*!
zN!tc{;gC4#36KswfHcxeU@j~ar!D?6$x~)7j05gvRsi?2xR-^$EaGWLn05=G5;ntj
zaoY2|{e0lMLu(*>hsAI}oa~9P7WRwNu?Q-Fcyh9UICItmW$Hw}I?aG8UVFv^esfm=
z&vFUdISk~vGii6;B2JfPFbqhy3t_tKhJ)hd5jGFMd9#2#vJY|ci(#!eT?Mj$>#jWS
zS_b8y&o;tVak?eJI9M!BcjD<@0&@Vr-M5L;gL^&5S5N%)#7{5c??s+^9TcbcW^wuq
z1C%|B)0cerD})uWPn`Y*Ksp7vutl5!Ghn+o1Gzu2LYzUwIS4J}x{$Dg2{)uQsN!!Z
z&xg)}DshID0r!Rz*Kp$gGmi3v|IVz`ks=ZPU8Ztz`HrBGG?C`Qzf;6}qvA?7bFH3W
zXWh8pgxC$y8@yxgH{l8Km@76&9G9kXlb#!-e#}L%geRmy^eKZe_O!`iSJT6;W-(W8
z=e))#jWhB(nY2Lny#6LF(e0jT8V8D;CN+1i$!zDfYv;8OuLxZ*Wr`U&*(v{Z)(Im|
zJn@Gqy?fW(^2COktIgRP#EJY&IR-J))Ro3EuC@gAHN*9fC_!Vr(O63mD^f$f(NJ$}
z5dG(G>r<FYN$8{n*8&D&_i{To4di9!n9Q_>#%-F{G%YhNuqWXkjT*LW;Ke8Zyyc-S
ztFm6oGDr34)A{tg{Mj{^JBxpvyK*H(q-IBww?5=8QNohN??L|O`rROzWI&>s$?UX&
z`plGMuAY!2vSsTyEDkQAwo`CvE#`FzI?bCkbOOzTu4<Z_*QHz6{I(qokD@yAlf2^w
zWW=`!HA`+EZjw28V%I5yyLIl8KV<Crefo}d7B_0!uTzWcw!whsC%4T@=`yTSqPent
zTHA0<adC$XT2pfPFEZsiD<mjAYs*nj>#*JtwftK@sg!!;ukqoWCP#BxCpE|En%~dK
z>(U}IkYmzP8<Oo7<h6UEZzlCSeQa)*adZ0hpO!KzxqDhl?+(f1hh_Co8Z{=q!?+8_
zjJ~)yCogq!Vw*PIMs=QkMq0~>B~)*;jz>_(@sccEYjgIOJ-A^sSK3<{KmS&LX_<Ll
z`jJEaTSaDM<<X_%b8^O=Gpu9l_Jz5vTICkDZ|y8@d&~vn#?2p{bzY0kMZJ3+(}~V(
zG!Nz*^1y!u;cw)?wj$#&I*w{vJC3gBN84CimjAMHG-oNzQ<~>BPvh^AW<|{}AAf8b
zIg96CHV>0OmhRqY-yih9PB%IlW2ucaD{BsZ`Y9>hF#p$B+ZWRIX}^{4zij&r^qYFI
zejTKwVM?0Y`Oo`9*R-yAjT;&>d(b)KJ9jy5?tq~uhesy&Xy3MfPVxy8o3)Lf^>yl;
z!`&i3Wpaz4?H2Xw%_*(frr*lh`r%)s({>sDH|l2tIjn7sdgM`CNZX39o3`qB<NKto
z(b3jCkIbd<zmdy!mY45z7XR|guX9a8&Hh-L{I|&#Gx{_BMw-$1h(~7)oimIi@Lwi-
zgz$~|1SvLO{Kste+c<lIiAsA)VrtvW?m?r&zHwe-rhre6o}N0bNp5mhyJg9F$He#Q
zb5u&W^8j;q&B#vU`lZL}W)|th^V^U=o0sb70I%~W13bD^)KwpK?KG<Y4R4*fbn>ht
zb)&9&F_$f8Uei3cX_^~oK607&-0d%Xaoeqo+?wxA{hC8HrKah$2W`F#J&$mQ%m0_7
z*^P}9))J!So2|va?#FJ8&I|VwPl`<X)AIdRkDBKO(kzyH{#|rjw(aZ3+P>k|4a^s`
zP}EPWSXraxY8o_&dHqcHrt}J(-nyqXGHI-8LAQ+=dE3l-P3n2|8rM5z^%b7)yI$8x
zqbKEiuJ3!4{o^)$gTcOSOzN+5ze(!VyJynMpMF}I)U$W5q;Fzn(7COtobab*h_%2U
zE!MGSjn_7cw{27hhi#cg|5k#;yd3`JPV(<&rUm)eJV)MeZ-G~*!D1_9bmP+evR-@W
z=7X1Xo8Rkm?W<07O}L18p(#JiI6U|M#mw-8V5KppbZuxEZMWZM0K0-^M%S&hRG)Rh
zj2}3AREG|uW)G~@L8C?ug7{9w7Znv<cx=ax<1aj>=%V6I7oUC7iKm}_;z?)6)`MK?
ztf91!zcVZ98e2Q+8!+nGOU2gN7PUPqwz_sO%?~f9)!il!Y1eMZ#Qf32N(=fFI*Xfk
z9^Jd=xNa>!GGk`swU5@#QO;`WroLp$(Y3ADN}Hn95d-QsyF?8vt(#WVjURP2X2xl|
zLz_<T>s1=_PsWio#Cn>U<Ju)vE6@)_=YZ~sOr7InwPjl77Z2^$IRDr_;o7>KGbM3U
z`{o%9TQ=!EYwk>~x|wrpK5o@%K->D=$DcX4wrUsL+bXS%U+1*C4Py0*p@6NJB$I2)
z^B*I#kruGg5q8#*olh&eQFLHwMK`9Rb;@mgc(DC`LG}Y`ZfT`kV`k)6`6m=+_3v7K
z=Y^w3^y=HU7h|JYr%}CzO-ii!<*TnuN$1?$wmOHVVXM@m?mPcB@3+*9wLGHce;fOD
z4&6Yu`HV4|y_U3r+EyE+9bt4%)3xgG42ylx$<$VR%#xwQ2AvT93a;8;rdh$oUB;yy
z+b*YLgXFa4$0m2mXp!3Q*u0)+v_CprklD6lqgLt7$MqSU(tl!nr%uy@ZByGcYSFk+
z-Sm3l4n5PehIS2Rx1W^UD%84BbMB@ljT_u<c=r??a|SDijVkRBki6PfaJ6jiAC`@e
zUnz@;_8>pHdZl$uX`a@2%OmFJN1TND^MBpX)8W+DF~r&Uw>UkG)BD3Xt#!hO!Su)m
z#7WIW7acX^q7L7Ty7-FnUfsL*S#nwY@-=31&9agaBTCHdn%mbbrwoywC_^6UHIRbZ
zGW<tR`in(xgBnV)X32B&ew%*Xr(ak#s!?JiuVGTdk;^wRZEfu~y&L~Gxh$`SIYHbo
z>88lJe?Q&kS`*FxuqI*?Y?As&vJ-4=&U9DNT#}-TMH?DU_ZKV{N9Oj3e5bi~hY@hE
zJpYD{ena1@*R<Y{3y1Kx$A9Ib<JEJYD2QuN$MYM+^`%sA<eieAe@dR|T=PbkQ@VCN
z85c8iR@;&3=_A|LY>)O6_GL~sWljEV?Qk@o&JiVv4bHz<I}$WVf-M@BMr?g=#;tf;
zpr&qKqFw&_8(rLETct*({-gJ<=~=%;L$7}GdigisvwqEh_(U#R)bDGKF@5JH=7mCe
ziSueU)>K~JGA|g+Ysp&(?HdQlcXRUH=(oP{-{e~ta+^(RyX(JYuK80h+|sLIazn3S
ztA@RAdSS0wvpi#P+qQ!<me)+&8?Cc+GH{5r>+(C`Slj-`IQY%tvGWF20v3Ylq~k$r
zSLbS<JANn4fJtGvnUv<~CS3E2*-%q$(k7V4=TE2^J|DmBvGul@L#zlHzwN%8Xq7jS
zx`(%_zs*#-?`B6$&0~v_ViQuVAKNojN+PKyvS&=9EKQ<*bSJ_2963tD6^gpzaD{QH
z&8WMvZrybw<_9wSVLi5J-k2G;q3O<+tZPH&vKCLLc5mB!!7?YUUATXG*W8)COQx6B
z^TI>olGB@w>Jy4jY}YM3s<=@~W>WL1ZPI6-U9&r{b=p}injKfaeVe32$~b_zr3JrD
zY{96zpte>UXc-$EQO1DY2uRaEEVM^~tU;!RcpZvZkHEGXw1|n(f;Bi?ST!$#(R<n?
zT5LOgrv=g)=QR&#L65LD(o)$r8#6d%P#Z7)>}6h?L1`U_<+V!dee_XnyN%Co*DNbO
zCEV3{YTbyIZPEu!>RB*taC+(BkymtlwMj$flyutgDcZ30f9#9@s0FR<V{Hu0dW%@*
zj@TEswboB`SIjb=oIhb;+x9~z=j9A-Jvc4gtzZA#q>jycWsHwc8#uLJzo`S$f{9bw
zj2JLrMDs=^;Z{_YBbnssP_)j|eyj7CUG`h9Vr%su*Lj1(+qM6XxHk`Q?5OUARaa`M
z7qwby?NV#srB-ihbx-fxboZ>D@$6&Ij6GiPZU)Bo7<;^77TeftZ4AT#0%UU_EFplI
zf#ikV0TP2TB;YT`Bp)F_z`(GCc+~HAs_Jg7?g{UEe|&jwX!&<bS5>E~&N+3q>ITib
zL31+Tv}?;s(A<k5L^SF{DaKM$sjn_DaojJ^kx5%xe92*T{i1JsJ(d~UUMP=5>?>GU
zktHQm==PO;nUQ{HcH#1=smm9#J)s>>oL?A>WN!C`LG*>?ZJW^-jFV{p0^dJr1pUe#
z+cZw&{_$$V@?!s}Gw`H^1`^Y{FZPF7H?=!bq+5|{Wvva<B(X&O$mV=;ZeO*&s~)i_
zjc>Ov4%J5n^G6^5SiYL6J2MNHPfs3S$Yy5`)_mEvky`3-B+kam!+lsc*rn_i1@{9Z
zG+6fBN1MQB*cEap`V8rk=1GeWT^6%I49MpO1HxaTJ}oagm}Kgsnze;G9AhvgcrKZr
z_x3IgC2F2%PcRxke3;#JQ%kh4G#q!@Z){KH<0l*ULz_siRuu<mI}AR&3$;UJAA{7#
zprMbFx(+g=A#TVL<V&O%3f?lhK^zNr?gBew$>Mur(`NCs&YyPSZ<c=}hyg?}fC!$6
zg%re4CitAtJk9Yz37$1t?_<Qd_#awdK@3c&UYT@(^Q{R6W(HNvYEYNGQjdftN9T)Q
z^ll$ZF8d<MP^6R|+g9vNeSDXrEnZ(P#S-nUsq*e4#|v9tR*w}5G5jkH%@%UCNYWXd
ze5NZtkeV#oI*W<upvTs|&|6)o2Anr^q<xi{lCQnh-RbR~SSZZ(N7+-Qa-mc#mP?J5
zOeE;GT0`L;=mU%@SwL8P2J?MLrLAOw`VN&!kv{*%rECMg6y$V*Yz{f^LJWC1v0xY!
z+>Y3~hp$<OXKuyOv#oaV)|FVYrx*fTI~=ZDf2{FUmKrIBgN=_;w_q5zJg<BMtAOT5
z&b;i5-aEZB;-pN=&xT#qF03RTEA+zQ5fUms``pU5+`vFC-`~$(Y`B%NN;+LGrzs^6
zzqk6e)k(_>_&pEy;Dq{nQUPrGJ*+em6~t;fux12%f`r4bHd#TuhAw0irLIVOcSkI^
z;wf#eQ+M$1^R4z9t+srb{k-8VZ5c@_=e4ehIf`SB3^o#J6485gfjN?d(=~=Opr}w>
z%{CIo&*Zda@&86^bnJ2X=iX#{*B^c8?0ZhkD4%KE{DrSJp8LDyJBVKB7x-Q``em>Y
z*=b+e*A<{bN0988tV4m?I3qsx<@|8Mwc=@OaoD?^IcKOcl~*$7za8vWZfe2W;^T)2
z<0VM$2h~}*z$(y3C)R_5mL(U~V$5_}z(3A+)xECIABk_0hJuBK_$OM_LXgubCaErJ
zGPaNjS=Cth(ssxtjuj3$l2{t7&v{c@hjwqrLeCB0fAW3o#o0u)QcMrta8#`KfyPH^
z+2fC-D=mJE*Qe{u|HtFSq+?ammULpI`nIGIXxmbbz_=|*tJ<OMOZMVSylUQ-Lf&zn
zyq>*9Uy=I0Bx#~jl*BZtL8_)<(14`I!2<n<7K+7%L;d{+>F>e*YF}TquUgeK4OQbf
zMd}9qL!ahWw<rP7jP$#^)m75O$#gr1+!VUlAR=MGfM5)Z#fq)%;o`!F<?Z02!2{9>
zNk`-q3N4XSEDe%_LdOewYJ#w0Y#H$Rpr12+q2tlQh;1!Yw+xYXS4>VuT6RIjtCW4k
zCzU^kevzGrdUxewHX7db7M4|YJkqDOu$TB4GnSjwF-rAGr@Leg+@++zeo3Z|Gtk#z
z4&lS-!Z7_9rXTB~MH`ZWPeO$vZC*&eE_|ZFVZQ34E~w|~qy>Ut4<5)g5`98XWY^il
z^J!I&Dov9T`)`^K_2k=kgc7PA6-y4DKg6;|C5rEH+&%ab`nlFdu8&M#QS0yVCoL|-
zK+u$sQHS#}b&qm4k6moa=#IQU+7WVv+&xo1_Ts_XKugO#He0dQ_@3B*e(<&Tpf3Y@
zU&6%K!p-^y_eGKv5Oy2#kv(Y%qX)z#$cqL$2{4mPfZay3mPxY>S#5&CY4*(EHTn7U
zbTSq9#IoLCUp^EaTB?j4NX|!xBb(gOj5pL@2t|f>IP-}kkx0Pj^twA++d`TCM0&g!
zEQAjE0tKhX)#+#prU%pM@d~;CFDk}#vvLdiv&(WCBC9`S77Oc98QI7fiSP!sVbu`d
zwBxS}e@Pb-e1!J$6wB0c@a8@u=}E(x!O}NZ@^0SYx#QHSOw1W>5Bf%&JwwZtr*5*p
z<~1k3RL<FLH`twm=9B2(Z`q6B6noW`Ezi8`^^9ykL|+eVLqhqW&51Y_@NHoa68x_V
zJ?+8?7!p~t4UIzf@FT#tpnb%XJ^8@O?H$(SR_FD{*l^?dkzypqwlv&}d1wU;?}RY`
z{c5%m>HXSBMc`XdwZvdKn#=$n`?E)9$*$7oZJ&GOeeA^_<#rYdJ99s3aIZD#<;sir
z-PG?X1MDCp`2>W_Q@sTtjGwd<KfDHRywi^sXXu1sN%2)_>XN~LqT5d%J^j`Jd%GRx
zpSIC^Hnq80ZH_ia{{yE!SZ#GWY>o~`FMII^xh?tpw#*Os-z~WxG~8dzEES7OnJ<dD
zg}n=ROumS<r|oTNOVMel@9ifMDI+8oNia8h?!YX#dC&de^kP5Nyaj{B#}U+f?0UzW
z-rd{o@36IYx2E6m=6Ak(z!`Mf+I(#Vru=lbzv9RL-@W?tJ^o&N3hbddUY%y=(Z3#?
z738jvCaI?WX<DC%I3Vj2twO94d_u3$<A6y6oWU{8Kv<Xc_F%Fr;^=P8726$u`{;59
zyfUqxw#i36*j=d2eYU0LgksCaBJ5wEO)up#%b8~z9sSGwSPkfB9{=;#=x4KCNbjev
z<*C}K*)BvoM7Ilh$qZ|)`SVYIik*1++q+ob$%`6aKZ(mjc|3#lZY56?w>TV03jbdR
z&zSH9t$p5v@6+(23E!gO!zR36!^<Xow}$tdaJ`?KOt}8LlPbQNpg0ZfJ%cRz(hsz8
z-KOCqYJ2R%1?xQ;e(MJKDHHxSt^KP^_~$hIP8FyASXH_e9Gq^Tx4B>ckM_O0)bH_r
z>G(Y+{2#RT_nGjoX!!jq&VOH}Yr(<ks{TI3wXCLa!`j2p1B$ruL+%b4wW1qrjqVj%
ztJaFx3vJlFbicEU?~V>=93)5FPZL*CWn^AHC#?`CHS${`xFv%i7Z;*PL|6udi5C9C
zUL2Trhhokm0$v_N;EO*M><qd)e64BUMB_OvCg%CUYOs_FJ05?WoZ5;f67TYQ+gi4D
z`IM53k^u=<e}T@1F+Mvq$J6TgT1ncs8Z6XOkpx4R6!20DuP{ja&{SxMJ{S!|+>TAd
z$k5r&oj6^<yqpkSXh$JR!r(*UDFcHTpa&+;HdtvhGS(th&p23r`7WEU(D*PLVgLTS
zXP#lU#&sXv%&t1h0t3eyuaHp~Z+jc<O+FUun=!{b_@2!uAxpQ0&uMs>aHzQODdDa>
z5f@a|XSd1SE{!c**Gcnk_hJT#uk>OzEBH%i?g~B^@i&Y)?*gwc@}ZK3Db(T`f+-+-
zxy{o~w$7#yA>m%5!C$p)+xI9^Xn1^SOJVV7{n+9Nj_^x+Cg*0S_S}8<hv)3<F?VjV
zx3mpr^j(X?+XqAJkxD+BY%Grq5BJY56R)!DTwSENCyd+5=}}_iFZ~L5->QdVh=7wx
z*WuXDj`8+9wutjQfoG`hD{qgOBfduko;TsdV+1~F!VhZrki;ntYloHExA5PcWYe;r
z2?ahx4IgA<#FKdcjd%$-^`GYLYP7doekr~Wx$raIZ_)yYS0~rSGbWsPj%c4Z;nY8Y
zPnvMz)dC+j;l!&2UN+&xQv}{`!ig>dA5!tv1jQ|B_#i8Y@$+#JPZsS*)b<?L`&ra+
zCB=EQXn(83GrT?VaDksPw2xVdR}1`AIu3dguNL^7Do*|6>ws|L)k*v%UXA`@<L?Bo
zL^K8BleAcmrYHnmK9e3MI3*cN$-7RPL_4>^z|RgAf!GMJ2-3m5+@C|d(<eQh#3xgT
zHBsZTGA3sE_`pI}u&1-}Ej3!J#ghoRBJOsmM7{}Pjm1>BRWc9e4kz8dZq6GG>*i<L
z_+L-sl>1;aUuP6|>2PG&%MCcKCxPcpIIRPL_nUB92Ld0`aF2rcE)Cy9wN$m=rTG@^
zC$;wHl+9LJe*!O?aJ_wzaLf<w@7Gv|ESvNg$fo(x_0Y3$oHFQyHpnuXA!tIF4LbMq
z@wuvLHvAgqitNZnyG9^5%!Qd2V@RgnHPMDm(PgfPlX-I^=|rI`(&}st_H;Wpjy6-2
z7Dr30RtU7V++?+dgT7eTWu8z|_!;pL@QeL?-L~<0%QHmX5)RpqxHQmD;Dc<p<U1h~
zUIqRf^gtXWacd;S0R>S%N=m{e&!lc+IfK(2eD_=q_#pd(h$3m>Yg&PvpmSO){<h$6
z8~&2zo$OT<VL~TOGN=d-6+Q7{-Fx9kz!{VN!GR$DUl3v?yafSpOG}Twu(I;P3+xAT
z_RH{p%Z&)d!m%Ih-;c4b{s%_>eZF=P|3^HM?vMfvwqao`81Rh1SAPP0meWkM&rAGi
z;72$Q7kE+PF965Ao1mq@hb6uWyvo<8z{>(BySwGbR@wssACm3G@6y^8_@rz<iT1y?
z5-$|^h{P9H6PADHb13jZ%VV4ul~+@&1#=bBE$2;Z-N=jJ&*fSh@ffE#!3bRpr)BQR
zkdDB2fwKf69fg%*I?~nQb)>w+PC~_02<+tiEuQ{}<RqXuq!Syn(*75H>z92-Y@y=e
zv_*6P<|5Cok?YZe`*>+R;yeX>4}%^f*QpU7WIHtZXv9lwJC~1G?@Y{fCx1_dYO{-d
zfS5kgnFT(@Zd?5>f4_%f{WN?JOKa_aspGa=na%QB(H~R$L6+wIu|ht4pU*YDzu+j-
z?_wP4bLb<c@0IYqU%|Y9waNYibJc0twc)NZYS^8ikB#pt3Sfe%7<`Fb(w&$)+EGsI
z91*!YS|Dr3XwU&Uk*Y_BZdiHu(9=w5-0+b@lQ43;bnwtC{^0aCByE(x<of`pb@Vwy
zDWrmCz-gTdd`QK?I}q2X;e+fRRc1rSq4OBUG0}T48}dCyJZZvdy^Hpf8{kD1hwdhH
zBGG=2Nw=bY3VcXwuj*C;A7lr$wPSow3AoS=&nb8F{*xVsbg2Wp|0Fw%c*ca2>=W(t
zCY;74@S+JPJ|Xa76Hc;B;AIp3Dh(eu;rjb0H9UbEuStfA_YATFe7vIn#6JW+qP3@S
zk!~dLTQ|T@nQ+pXMEh5naMGCsey4_`KYXtfPC66l$@he@U&JHC_xiQ(QNKtB5%}x*
z_pFxU>bI3gQIk4sNn6U6yVU(6BRTXFsV>Knok9DZ?-#NxwLC}X6BQwAcsH!ZB!y!5
zOaC3mU-APbHHn|$pStm^h-dVc(sLy33yuQfR)lvuh;1egHC9M^FL^V#(Z65~u!F~z
zr*|yIQWW|4vaRzw5W|6w&p7PQWrr6oddtE^ZQo8i2X>AhsJxPgJ=XV394lQnw;MsF
zY=6&?pLx<ZH@<xG%4)Xps~*q~F|T0PL*N-cSP1v4RA}PxIu%rZ7U?ifoX|+ql$KLX
z(<I#n7B;jXX`52b{rZ74ha)OamWV6t)}>R2hK3H`xs`q3H%~v!SYux>SXr+1^wgG%
z7oXm@?~Yx0o*;0Fy&J)i6B8E?`l;Xj*hlZQ_JOvBc+~%~-vzF5h0*5%pT{s}fOG}w
zvB*BrJxcJ$A=iY$&_y6B9Wzbwya&}d-ksC%u-k8Pc8`yh`)O*{2KFXelSyB?qt{c5
zkIZ!S-m{M;M33?%z9z;){O-eiU8{UyEw1trfzv(|?bUrKaN5rTFR~@hclyC+K`#yG
z`<dn+XAO#Z&ZFd^W>uA8a{4Zi?pSV!PNIKgmmv#2ML5_&JEAM>G5A!)CuxB}D3&3X
z7wJ4k`ELwlU?&C^ioxltmhx&uZ_miifqW|B?(pE8F^;9p1ErxL6efMP+QB=vt1-Qc
z*X<q;c>4WPSzvp#&}k_v_HrIf!9FBIhBX<om+M{vpETjb`vpFv;*b@H71r=QY*D-i
zG&SObY*ESt;9P#wdmz8*J)Bpm&lgSKE8%-2GkBaY@2^kx7bi{)C)ptIJTu}n*8-o^
za1X@`YxsT^lJ7C&do&#J#auRv_Y7(8NtoU<$U<Bv+>O2W2Us&Don!Qn9jnJ+>C!od
zh%2PHbZ{KL>w2(Gy7`JB%X|Q9C;(S!5-rHS$5)S<{V|;HXFQ^h`<7*@m2hyef1Eqo
zvoll;B=ej1w%^n_T)OYk)Z+D9uec|8BTPD>Xl;kHx95_Ox0sCAx(?hG%>H5HPWH~x
zqnis?@43T?(BxcksTKo$={(})>jA6<^EAl<oL*tfyO+<qz*Rb~#rJ6K6Q=fqEWp=8
z81^IMdrH8euZiCU?{(`tugPMl)A1~wd9Y*Y9H|-ug}k9t4#^T1xGfKpA`_Y9ww|xv
zb}U5E(YM{kVsrKno<9A-<;K5am>4&YljiFU<Hfj>QcqrsXG}P)L(x8O!f71}ylBEn
zM-lk22`3#z;AIm|GF;&OCY*Sqz&Dw2(rE-fZo>8cOq%e&)Y`wog#TQ_uQ%cUs^KS1
zxZeII4Np+qxz=7iUkG{<uNM6rq4t=|t>C>Br(SIG7wMc=E(p$fahl+qmu6q&B9fno
zeDJOK+k@FxE#J^3ps#bIH~+AP`Le4A=DYlU$H`M7tld|h?Im`rn{^6tzuocnKQP9+
zFJ7@c=<^KtR11%Yvwzk)kDWWJY7R}Oczykv<LpUG68$xFbQ<zPleiwA9(cdh6%Ten
z#CCX>XUsA9%-+=#l(KbtuA}i!fBcxXwx8u|`#HY0jceG58`u1^{9G*B^Er}x<XO%e
z1g@{`go3eSP6e*cHBL9yB>!FTT)wA7f7ap|X2fYviS~IDPJ2h-!vYua<ox}x-tzau
zhKMurZ^6U-20X)zIK5xA&zo?1zrcr0ILSbP52-k09pczEe2}#gZ<D`EYg@D*QQPzW
z&>j?cQQ(N0L_`wrC&l)XOvZE2S>V)O;FBht`Xlfm6~`GFvF#c@$ikf0W^pz);w9j}
z0@uW^kgXfMHf1@iuGXeZ6FuLD<PqWpxx7lk=48PxOJd)NsB`jJP*jVMViYNYJa*_k
zuq;W>gbO*ho}iw8OQxpC4lN1yf34_QxOd&fs`D)@q~_wX>L=7}-1ou(A##GpdEY~N
zRJM%d(m92`)6Noiz}duBIg2qUSV6W5k7Dtwk>bexs;jBgE0@-fE*2^I>(V{9PfhGm
z9=_5~$-sL@B6q%cZLNf9!aHh^`L{ymM{!=#^3Y^#|N4Ds1&2#=X(i(NRja3<l+d$B
zQ-)}LEre?np~-Cb{B_%kR`!9`i?;MHMHcd}*fD#<j&gbDjq_vMI~qT-FFPyy@7fcL
z9NL=;U7hKx?7w^O-h1}<-oE|fJ=^fhJJH`8(chHixH{YaW6l)xS<GY?X7UWh_R8!j
zirekxwh_`+e3*H%K}PUdL_Zny6-u_I^BM*3)%<E;zMcJHaJVbk>g()^`kd3Fi7nxk
zH|7u32KG#*uXeVz-(zd>R4<-6ajaZyj42N<70cOO_gwnnKj(Dcxw=hpVeYLsQEi-E
zB-gDz5prciY@CJT6iS1-1Ux}K@ryXGOWC<{I#F^*k=7XxKH6PE^56MeKGAB2EjV9R
z?mqvz($<kAx`I8*^E<5L*mFGq9F7Eoe!C8yHsZ<;we~p^PI6Ver(nXrtl>2iPI6nc
zFPZRv*YK(lx7sv()QBs;)$j=oPf*^9h7U4@^Aa)Mu!h&Q_UDwMwWQ&<2pm3c<i8m3
z+YIdy<)*bqZm@xFOB#NMhNC|k-3ks)H_+SMuUoY5oz}ibzpvwWn{d*T1pV$c;fosn
zY7M8~SLs@CaJs6$kHu78?PLFexVC<9Bh7M>pc6pC5ZNY8DO__QCPHUMvMgq>gEH7b
zt*{=n;Tx0+a|Wwhe8R56vjp~Bi0?VFpA7I%<iD!%PkwwF#wT6hp-c=BR=76*XU&;Y
zrU9}0d#Ahnp*AN{f6C1%K?8-byWQ(Z_{KjV@`Aq6R}JLi0eihCgAAd>E>nh(Yar<B
zcC^fQb+b)crVz%<&-DMv<NqeXGvBZBq5sbrQ58_k4_;K^Qi-fcAs{JGN+2ncQ=rWt
zr&1QrVBO(Kdrw;WB+bOxVU)K>0h{KZD7I^kTk9z_(@aAimrT6bE>cEN-GYdnM`A)9
zk()T6aT<?`ERxTrNAmtxzg0<<<Fnb}fvZRQmIBG8>fpA)Fj7js-#TCI8Hx_&kM?fb
zo2(y-^!qxjZ0mI5XMdJ0Wd<qzDzWQuS5l;36*JjFZthUcmuedx^0_aI#LJm7Wn(2W
zex8r@chyaU;6G&Z_)p?X3|bb}X_`IG_ZP=uT~_fD;fU2ZkM@+q6-Q3~o77p6!FTH=
zCy3a$c6gmcoW38HKl0R56dX}pjf5iGn22h0;BOb`PjzU-nV058=nk}cbDZiV7g2`_
zmJ>?sD&domC6w4j$u1%ea&3Ya7chntug#lRo_NBX=2b$-ieDyr_0F|y-?qGcM>w9E
z+&eUOWF~$4^mJ{LKlpgJ3$&ZV*%Y(@4<IkH!%<>6Zi~pSdMFPJc%0+=G`$NsN?ZmA
zJk5lUgL0Stne!}x=S(>9T!Bv*@XsjEXgGWue9n;TrQC<R?(?7)^=C?%k~rym)K7sA
zvQ3;v7r4Hs<0UrA^*wse?Ake&(KhSPu@`gJjX4(H@^;LzA!!WHNZONCmtrAl&cpZ{
zhTVenQazDO%rRxXiwGCuUl~5f!uLyaEV6#oL^6~H;WG`Tf!G-BDJ>e>lu-7zx2<g6
zd}o_2GOxu$JJZt#N9qTs(y`$7t;^fC&9$6=rZ=2GV%g&!*VyR9B&QwEE8}yP<TOpt
zKEd3t#nVQd&!uReGvPFs0-rG9B)0`#GvOq+1zs}YBwqwxHQ}@-1U{(Y3CfEz;!@YA
zwMg<=w6AOJfh(k62)v-<s3k;lTi~|{eDzmYyDu2<+YIfUTyBf@x9d3CliU{g9U6{)
zYIGyHE%?zO>xA8m^85ODe%}Dj%i0-4uF3TxFVDa;L2~m9<hEDFbM%16lOz=Dj4WwG
ze05RApBg(rc}k`@djt0d^EO1osi}Y0S0{4bw$7IIGXPWNP+PdW-P0QPj(?r!0zw|<
zHhC15X-)|YX5x`9DG#A4AUV*m)^65l_Bu&3o|nhhCRsO#cSG~W+T=K=rNDD0oYs!O
zt0tV*j=%>^_%AhluL-BMEZR?)a9XnhFPU&!QvxpteDz=GaAZ9R95z|>KW}-!GQjyN
zE_CJmO5lSm%hxRNTO(cqPPX5<)sP9V0)GxZ-ShN*&d0QRW-_jBeJ)1+CyJu8!5c#%
zgd|%?*AnsEZTRbfTyo-ssLCZ_fu*>2k+(r!U&<YownR+|p$Hcx-l->?IWBh`u4KM9
ztfk*cVRK1m$cHfa#!EjRDIf{&`>+#y1=RT_m(e)Vf=&s`Lwug+U=P@8z|#U>eFpd(
z%|8?Ea}xh5@GZ2rC0>yDv%qH*@F0oTB>rpQajpZ1_moWU$NbCo69R{>N%0imDH5+s
zypH$?<Pc(>VW~j>2Q3frJzZMuv-}phej(s<sxBe@Q0wn$bA*J@8N%=eCSVW4;cVS#
z31jZzN_DE!7i=r76q6B8o2M=Aoj^ty&;FBYYAYorcJ-@TskOt91IYV}*ze|ej^C%Z
z8~1RXUaj97tc4daCp9`>NE%m(##pUb3zl!9Z_Tx)^uFl_TW--n{wEC<U&MQncgYs`
zn)x)JqnzbovBqG>N8TgmF3<5jtRV4(30LC<X^$G)mk^gn_ImVBiKBl`J-6ilAfHaH
zx<#?f&?9BtBDF@Bw9jbSk}K9f_@lr0<a<s`uou7lWh6^}X3MRz&*#{<_2U=|#(;I0
zu{>fK<^1CuJH+)Sflo2`awPr*@DJJEcB|!EJoaP``dx(6M6};yIjhoyaxt~{4_eL=
z--3)xu$c8ei5DCt<WPQ-?*slEIc1A%m*IOQe2-#Mehk@4dYB<+L++0C_}5vS2pOU!
z$;Tlgh=iZ93w(<-Xpt#I`qLDH%N#})ib>HjK)*p5pw-&tD+5DUnDRjHh+I0thJF;i
zbo9$=Iw;Ww!ZpTaPm$9y%|0P$KseV;1wN?as|m^<1r1dElY*yn89;UsI_HuM8&=-~
z*`VVIBhKv*qWy#kCmAE~f{J7PQY8-+-@}CekJh7w_fxbV)Y?P#7}^iAj4pc&cnLVk
zo@I<TfV+na7I>yG0=w-#-hb$aii7u`^boT5;538wYw@%Z=Q3Ng&zW!<m%s}qob*P4
z*GxFcV1bv6xV2Nm$Ba0qr)WQ+;R(tw)!Gj-Kc|D}Kk1F4eO+sRPAPLeP~f)+eDx(x
z2htk_ew(4am+OZDzuka4xPB<`J2V{q(da|^A?Qha$k;D#cM;#KYTu)IAl*seujAjd
zVjlh-@9TivrWlsjs?w*a8i{ThrV3DM@sSerf*5#_0wl(5FfDWj<e%bNTuU6SifH8q
zLXr4XIHM@bmx$OF(lKan(kX||uf|xGfH9aQI7&y?AXP0WI07uNZL%`jA4yP#Zf0|=
zSA0IW;&@vi-8XVob;R*l&{?dP$CC#~s4j@lJ5m`>iO<YgjGpms|L5&9rRW(jI-<on
zYd35yMOcO=ELv7;lO)z@AtW#5g;6|+(1ya&f<k9;@~DZE9$BpD^w!T&%E}z!pZY<Y
zG46FEtBE+zX-3~BV~H_#BqvL5bPVj9$>wMG_t$sD;(K5v86qpm3&KiL%OC5l?n@+g
z4VU`*N~PXj)+($dYTj~Rsa!SNN2=vYua?dHX;?=vx4f>1Qdj;0tE3O71&oQR;_8Gr
zi{UdY3>yv_QT){pv+9(p!!w4&z@;dnl#JujbFPQ_;`ufQ9CqGRC7fP2{o2=BEPG-d
z{av-5_&_e=NMFwDzi9o}cuk$_hqv&(V&pYO+{l~iTz?bojeEP!^+tggEa&9=6GR*6
zA_C`ok<+Y?=cdzo(&A#8EO+aBXT{1PFRfTdWapu^quVQg-@uqsb*jVdZ7c5_ORI_O
z!OCPd7w5iO9LFj$ryaVMH`U{BZ7I%QGDf?F*2vI~$*RZG7f`K}Q)-^OkbUeEoVQm6
zT`j-i^gwI_<xhjx2z-y!e`lefeTef|fltWxkU{KCTm}hz&;pGc?;nG{V0;hPmsOnf
zasGbNBk;RikAOZ6J>%EVBaGjJzRqP7<x>9z?=KxFA!98+=D$Pu`#4V(c+P~=`A*;y
z8t$Q-Yz^OM`H6gw8Q)|1q4xgw@bQWF3~KL5nBFsJ`5}*uq54oql`kPT;5v1uWyms~
z*`St%9qWSZ;E?E?ySn8k*vPSJgbkdmO)>DG7_3c1<qU5*EI$dG;V3UxH{53<MkLN?
zTF8uWtRXkt#;f`LNp&e(8|;h3B89#}BoGax5`BGdiH%<}S=(8QgyJEN2m2SDA^%m`
zsNWk6hEvs4teh`JV}*tBMw$IP`L25UCzIL1Ldxq21|qq7K0Vnhe7Te({t8?)oyV%D
zxte0=HRj%fwT0Yq4c}*Zab0|mq_GEU$k-mV=knWwHFA&PJtg4KV^)8G-@Tdp>c#KY
zEPsX*fS$9S!knDOVOYyqmtk%C=|UE?<Zd&lP_V6&CQ1=*sB{8}KrwIam<cQXQf{<}
zx_Q!)!he&FN_Ic0Q86$$3j3{|%MRzSo`Oh@iYeyVEHc{loc1iGxj#SGa)_t3A6zcU
z#CA$`uMqusZad!tbV?<C4Dxy%JZ;4J-Vp6`CY<y!ffr0T>0<(~nQ+>(0xvQ6k<{Pi
z`ij7-#`fI*Ch$=mSK7G#Ch##GXTRmVMc@-g+&ZTH?g<nAN)5lxgkPuOuQcI$`x`Yp
zLA3(3_JgdSuP;Go(ho&{>eL>qVRE%kapL?}v|OX^ZJDH^uOOq>i!4Q|*GqW2)Z(C|
zIf?2pWXlWlwMF?V6i+E)c_2ejZ$ORb5&kW6?E#}_i~U)3%H<EWccT6P6<rbK2!`?y
z6J7@l1mY;}cP!^o9LZRnK(`X`@tspHQ~nwpNV85h)lQHpyZV52JwhrL(h-O~MB0<6
zumG<JMn@4pWZ_UFesF%9HbwlH%PI7^VhH+axzX7@Rc@}Vz#P6zOsWr4TU?DP6j~5#
zQn`%l3-9B5B+X!NSqD#;aI*J^_H`r9^#y?!G(15x(%P$by$}?w7x~^Cl6w;cAo06v
z@ibjerQ&>ViuO4ZPJ2+`HHq`u0{s2N_i67#XT^Kg;%Ot!-!IzdOgOz?;58FY_EUim
zYIs5E;(J8J|K_EiYQIZ+MBsI;J!&9u+q=LE5{Ko5{Wb4@UCfK+SG@lm=X+n^6DFMc
zBk(~LhfF~20wd1%Y#uVfh?gwC;(j3V;Ww0j!<rt_Gm`@(kpt^WWLQJ7QoEm4{Xmps
zP8^@St>p0`50E$)d<qsnk_mJ&sB)gK$BqYrd2tM)I9B}(M5^*6Lrqax>&DZ+cQ%(E
z+ggZi@<%4#n7_qW4bNtlQg6!NKCvS;b!ezuXTgC;@8}d9J%>j}_KhdJ!JV6y=f-hg
z!{P37c+1?><oi!dzHD3h)YglffsSzZ_~gVi>HNHo5$rBh$LJoFTS;q`Zh2`cY$SIx
z%2UYQY|O%=5^d&UM$Ltc$dkEFAtPg%O7b0>3mL80BD3lK?ZZ7($0$1*v1xUTthat}
zDHu@;8HIw|-l7*W!a9OYj_m0;_ZgzPnriGwwVg|K=v(+6Np(8MQSv<b)WfpEDEVeZ
zt{`Owcro8z!G#M#zf!BtA-qScc|`@1cToh5*BcM=Ds)u&kr%&0VYag<$Yw`9wvZ@C
zrxwEcXAxDyc&)f+AyW*s&o(Lpqty)ITvUya7C}7bYH(|-z`<Kxhi&v%vIbrX>-F+A
zYvKY7U1kIDH9^-0kb8l)1cm#{ij6>{K*-gQ#@`|jL`G#NGH1(@dET{gM*y^kdOf`d
z)-7vCHeS8T-g)cBRqkl*k7LjOzgQDt?0U^>@;_Pvgx7>@v%;TCHV@S<;Ffj)vOkJ}
z3ttKC{Upbzl$Uy3CJCo54`U5;E6*sQ_%P<b{uQ@(*kTtA%`U&@QEO!&Ihh@<zU-b|
zlRbfO#qT_Mk_Dzx#hnwouXZQ%VIOMIGJi*JEEtF)SY7OI#4uotw7+jv=kkJ<A1l5m
z%Ffy`MRtscqH)x!c5Rx)hh(;xR?<>Lc{0*c#IB}TNAf+2QwJ|WYb;X6jR9&2+T=nU
z)w@hp%BTh{6)1C}co%!oP@_yMLCbj;#b-PPdiKMc25p<DPc{n~!KbfPna!v(G+i4J
zAsV6px;kKTZP64`cpr``I7Z>czyu?w;6HI-r;xv1KCLudmAU5&G+b%t5rx3Im}>8l
zxj{6!hS-e2z(t#=GO07_%;#;2xfZX8(MTqT*}2Nji8RWUwzO1+7Q*q&%%!7rhQEDo
z>s|ifSzebnh&BBY%y$g(P*S6*zN$WWHByCgpNYqrIEDyO<OPz&$?#0+Kz0nGXJBTs
zFP!dPitVWn9GoxY7cOx|lb3h-$!yT+zAP9|&mW(mj$w|1tDj_lkN&h_jx=pp%2j=S
zDkNwtRNmxMSbh8ig$N7UCsau_!{e6DAS1NG&$J|a#fqb-CiQ7mKGp9Ea0IBlvz9Q2
zba*l>`h7vcYH(o?RZV62NUYnJFZbN>%Fd|U7nDVZXEV96&DO=OGh2ea)5ZCbwyvu}
z9%rB)_{*W>cqFm2p9UBY9*XT+?Cu&{no4deg(AKR?K${3lw(+zX^dH`@zUhKmql&$
zHL0gZpC!jC2tk%MJ4i=WT+WapBAxrR&4@VS$eHJ#h$IF6iCp|;e4?!fi=4^B9|%%K
zVhZ@D=qzT8AyM4rsiK!fW;1G4JzkyI8*+6;T-nA?v|y66;nHY)mtJ2Fb&5ZJek7NI
z0BdChW0^fp3py(ZTF@Tl`?D#&<^oLD7+ymo6Nez9se=N2%(h4o7%1pM%t_FNn6RLW
zDX>P}sC;ew55<~UcWJ&ql<bUjw8cVTSR2%B-jki}?`dhd(VEGf|Haw@&Z2(v_pv7^
zMtWnLp>db0)*qZvI5TR4*Isa3vKf+Okvo^HI}|J}%*<ljT5-t<*8PvG$MXXt<F%Rg
z#<vw)Y;146dhv8NH-G8fAG7ymt9{OR<Z!As(w6nr4$fw?3&$s?FJH*8@qxZ!F^^g;
z$XBWJ_<K$pMZ1xHETkhv7EryB|J%~qR1%UO1bNkVRafSbP}zy?g*-0_xzQX!tTf!F
znZa3Q4y@;=I5XI-|Ar-Ho+qu&c9U&apC_`<=`%!U0kuXT2@hRDs`EwWaz0xSga$SX
z**Kc<1^%nPyB@VEtkgQuKUyCw9qS+5KTS@6!ECMdV+CiHA|A7C^`X>d(O?!e!>Q)>
ziE6EagOIT0e;aG87w0bR79FXf>3rAN_YmZ@6`25t3YDH!QrzHYmG&$zVh;u}lR5mQ
z@u=bs)g^PB`m&Zjjxll6sg>cMc&gj~;fzJZzHMyJNRO4JT(xX$I5Jp1Qr>b+?C25;
z1f9Otcvn8yolQnt>xwlwv1g=M`&etgGe5JpdS@)^abu{{sF=8^Xm43+?`lP`ZP1l)
z4<FfFxOsWZvolHQAyjvToyFKI`n_FE_7{ERg4xD7vu%U+LOw343ZiN^G**hkl<d@0
ze_Kd*zYm^7E?M~YBgWcUzIZx6-d8T9Hf=5L-!>AiMiZIE&HD<u;ZkroI$qu5^ySC$
zwXqIc=R_POSUlCsT&`%a_joW8iMu>UV}2|_j3tG!e8@Z&X?$F77SGbD1d^Q2E!1xj
zhf3B)KSn^c$UAvu!!>fg!bFw_X(a^+N8%e=$*g}GJTNdG9S)Xjxx(Is#Z)rd7aqCj
z(!ydrQ7HF~XD4?${jsASS3D949`6lCU9QWjp7cmAKGA9G7^`8Fxc!LN!tr4o5!l(a
z+u|-bD`48Nppgh{!(WkyO=A+ZVrhO->(7eddIoosHapB!k<*ggw53$LY-^>o<+72H
zvC-j3W-8I2NmbX*N^<UsIsE_RiKUA!T2iM6^RoH^&Pf9}kA?NoG*!lxYYYdXvy>SE
z@ok<LiX<iLFxd<!H?vbz4wWZ1s&T5u_TucgNjvat+qSa2j3c9Zdi&m-{qO&N`8g`%
zO>0K6^sY`TS1FHRhmPwyzf?DxRt@hR(VA@7XE8f;UyQMzR8h|*uXKsRP9<yWf&L<X
zoK}~JEu`BvwAey9iWx+G8w>fW{!gKbA$QMQ)wiW|b!8y4B|h3`vxR54Cc>F{Jp#!)
zK$5rB84KNiJe2d{wuIcs;Af*f$9<k^W;z(n&K({ZJ35DZ6VmZ<lD{|Ea+yZ$_{-R$
zKk`@IuKAhid5t~{YcYk<o>FDm1?iJsmnwo5<P24*62eTzF_UqeM5yARh~Fj(31x&R
zL`Mg4DuT@id~z*?NUr_9WSQ!*b=-DgYD5!#4gXpii2FOf3mT;L8ZZ}-=E8bKRgMK;
zAtj9JiHURXUF32K>E}Jw4Q#GIMShN&AG|R+c<EBPvV3H4`l94~u#gUvlfIc+!ng11
zi7T9m+2ivwSHLeBK7<-!*|EaX4%hxG&h_N5uAQq@UK_UuG}LNCO09XlbxkLRHt8>;
zXgqNPTq{s<_X0%@dEwXhgD;8<KH@JTrct%1o2sc&Lb+Wq7P7R%Rm0kr_O*8TUGFj!
z*L}Oo-_^Qzsmts3w76Z}&+MA_rnAKmd*{>1;dFX9`E=vjP$`@C&hI)B^!W#p$w8kF
z!K@11fvA))Cv=|G>=7Gr6`Yksm2Ke<EF&IWe6oYrl(`I}%tIl+$r?#<=``XfMjVGC
ztlyPG$6CH3NgW|ku1az`w8~Qx7vk#J#n5AyUO!yzF8gDivS&J0+Lz7jE5)ZgC2x<v
z++D5Ta7iqlibPWh=h4HxN6G=O>xRzGT)CX<?7YF{4U~`c9zJ>s9_q1hcq|gfPJ!QK
z3;S>IRG;ODx+|MzSFbiM&k{P5r4SV{-IVT5*WA)_r9$Ik;nLu{DGWm#iA??l54%?0
z4*{1*DX{Y7+mFRH7f3kHwwymiyj8^ZS-8#NWojRr?jUG7-s;MRII#(HqKC@;@rk0-
z4B5r#3?~A%NxXsSU|MQTmIN7KtJ)an%*KNjQ>3lQWN@(zw|$Ozc)aarX*@j6_$hd>
zu2sj=bTBQ_>AYx2*;?OFT1214$TDDvVtJ8sS{O>ztC%F~BTcEU4x!mvBF4Cm$#ng}
z8VsndVrc6Q{6A!lBF4Rd4Ttzw$hH}E+!u(^JPXSxEiRIaWZG0?G)*_7)-(QvmG`Wy
zyobH`v5z&}pZN^!X(txV0PLw9FePdCA<E!Xoo7kb%Pr5i*$UsIUm~wDnWQM|itKOX
zO?E>2?uLJi{Kg{hCsQ|CNS)hPmX=nw%3DXC=c>W;&$COk&|bV99v60yk6nvImfK42
zk-lWLieH#YE8kMo7wQ|o@q{ioq9PKAu^isAg=MyEImy~jo^1U3B=(DS^=pk)_FjxX
z3?4h6TY#E0Ke>sx?ONDO6Bwxr*)>*d6Vf@z&g!z*`KN$}#Uw@=yEvOvKplpA<y5@`
z`fQMl-*ic25Z6fZ=rXWwBh}b|EA9y`^<~G3{#{!F(G|ur(~-t!13_EN-|hFkiPLjn
zps|`Bk3<r|;z(k0Yb$$yqo=j2HFI?0j-HUu>*@+AkLYw(5TkOAT@T+%5}KG+X-!VG
zZuXJJO3u%n;Nog6V__i23IH9*<S1;)#L1IjVp{Kmm;f0zAg(tNVFQI4-RCS0B@gag
z8moH39atG^v}>3mU;_bLN4LxEim>ctZ+TOz<6jydT7I(#e5G4a9$Hpf{oS4JP8ae}
z1+QSZ5e)MXSNDw0`zU{yp&6x+bNh<)-jbc^hXb<(_lh^vNtUFu@%myx`PBJ&VKL(G
zom7ZUS<B1S_cm!`8@b}Rw}Bg#<b{Qxqki@gSyyx&p@_L4_9SkFgFbH3!eqKaVU)@|
z*8C~IgM>X?Hm_U0Dl;FR%vVN-dwl`Vz&oB^Sz-6Qtu)&k%uVn8{6Ol`Kw`939cXbZ
zf4OnL@|mw)^m%JyXrVB=e;k%@Zc}&+d#(9iUwyCXGEM9-5wTwL&#inG4vqV<k(gx$
zaf>~8kHJgV<a0OfS(5u_AWUph#89TJxHFHOFI3Bl#35N?Nci+XCkTO8^>9iNs}`$`
z>V{Azdk_AK`aAsOsCwq%m>0H0{N<(?a@o1qcX0bmJeliXi6?Lc4P5exWxAFoxy^aQ
zQ4v%yz;@Bi2lU5Hm(w7plaFzW9HV9_Y|?(D(@V^<AwH3>1KJ!xbe9-r3x)*qGrxp{
zjL2Q`u6t6;#q}^0cqf7@=oT?@){?Fu+!s^=G-1#cI5*KW2IIJu2Oa78Djy!*x}%T#
z$+sWP<Y;8ggXYQvm%S7xj#J2e>bg&os7)F~t#ndy$p9-L-(aG`1fA%`xiN{(=Fxrf
zMN-yI2B!^C1(n1v<tb8TSkfYH3!z*v;kTjhiMz*|gtC6EknX}%FCN0KP;QClU6C$#
zq+7dXh@6>*>xVprIfF}6zj4TT8If>qveoCCeX~uLDt&jK1@Bks;Km5Z#n=vOBJOOE
znYLuN5@up@<dEIXU>!C1+~n0sD8qmuReQ1+kt^iII1D!uxeK#=9H|`px%qCQkHZ2&
zxvD~kx`Ll4wRjlWU44(sco;s9=#iX9@*|6#>cJ^QoUBRp6E}<aF}f~{j&2m;rhHvr
z()@;+Eno2wlQsL5rR|<`ToyBXmcJs|FZCaTpu0bUx;6R&x{%O-$ZkQLgYE}+fU^h*
z4X(lY4d-Am18VncBbGtjus!$s+d6tWthUw%Uw^72+F@&f6881LWT1L9_fW(A^}s~1
z@6!B3AdiUEmiIo9ZBnxu{g3BV+TQx<ln$rril_4(tqe&|Zu*x-^0cFtCtCzA)I+KJ
zL-WPr{GkE3xA6Diz@F|ebzfYrwSJ{_*qNF?K8r(YO8v_oKYqON%t*aHLi!%%415}E
zA%ZjN+N#|8YS1~gI9VsrCv~o=im~cXrUL&Ysf0ummM@hL8>2|nl8F#pE>;*C^}w0o
zf)NjO6Eg!xwp1!xjts;GbFAlUANtU@8{f&)0=^*5p2dXMn<(PUeZ@SCT&Whv4F`{3
zbzQ6N7CY;<yVE0u(rC)1&cznxZy=-XQ1J`8)ubtgLTWR*dLucw&amZ9kPKVZDJjar
z#z#u~S&f?{jz)}`7<(S<codZ`Q69Jj)t@}m%vu-m(WD6rY3=ZzovzoX*^N^p_38f_
zzI<D6@3zZ_U#EWf?cz2o%UZWB;&0<Q>$b+*K4Q(x9i5y!I+wA2;S2ibk6_RYk)r3=
zMc5bJy5_!7%ms$0)~|!0kusOg-*gp&*eT5xJ`y8bY>wl8sBmY<9h>q&T-u^LoVX#%
z+ES{qM8l2yqSU^C{>^>SNv*Fcy)WVlW}@K#bzgpRenIWaBKt7tV%U>S{LXlyfj$p<
z3TI}!<k94e6Sc`GY8Dn^xhG-uB*k65bX=3PWK_SRGM?!Ib?7=Rm0aE+cTb*;_D`j+
z<2P$bx^)@&n}`)hf48V|Rt5xMN1nx2RoOAAJ9aELJH$yV9o@J(B%%Rm8imF{U6mT{
z+Uvel$0}ENAxKPDe;M^(_7lT3V9%>vmAv>a@DDF+Kv*}V;WR}b>+_6<pdM+pYYhe1
z{hqnt(9V(ECU4Lm4s=F?U2LGdZBw$<ey82m5h=$TFM?lz_bV-!%P!;j^a9*p_b`a-
zi0PgrvA#*CWPC0~Z&Wt|u1Zobv#+qZuU627YUa-OAFdY)g^LR8MR#GQueRCuckg>2
zYstkY(I;54*fVSU)MN?L8OvFcm)IG!!sw=Gx+O{Ix3uSI<&z0QtuQ+>ikqBJO2LC8
z5<ed?M`in{?9<8_^s3;=&-9~9|LeW)ZMbi|Hy@iK9>^?ytRuRoZCbDAUm$(0V9?i$
zb7MmcgL+T3>VcsMVd2XtpkJ`ILsHf823l&gtO}|NNgU&ZiI|RZ7rMeNp0Evdcse3o
zrDWe!&i(sc=Vo8DS+BFVCP%iG3P-|$-|J#G9*4%Z!~T`f<4dHj*2IVSSzdUc)DSSK
zhjF_%tUt0&Cz%}Wep15p@U-sU<q^`zT02`aJqBloqL2+o#&w-PFP$F3A472l1-;g&
zjC)zHUsSa%#ZTJ0mn?<NPg)IW#e!FhI{`@Q8v8B$GN!)s8;0q$Xmrw;MzGdl^IgLz
zzNh<cC<kGYav7kdY*P2XzVgq~v5d1)THfnlm8YtTT2g^1@5sYF*0~_>EM*O_+j%NM
z<018mJhHW)Qx0Pf20^Ji)t)rjtz;kvq#uP!A&J#swIUf#mLfG5f{s)q%ZbM1`4Tjy
z+SpckO%a86h)fpRvx4qx?qHAs?o$lufp93mj01z$V=!#+z;A@Ke;xPhJr-xqIs3ct
zf6I+?2=~7J*zU(8v8$#=C><9BjA3kUjIE@{uU|l}({Ykyr+V5FH@S-aOxhdSW1wTw
zKkoIB2S;Abn)=9{9;AwiB7b=V;2_IG<ixSy*x{*UZ*<SMdU`s7=};&g?C9xv_Tp%7
za_X=%H@TxYc}diI^0Lg1v1nh~>rMAX$97~cJ86wxGFjX)nG@qd9)e;8Uy556)tPFN
z$40(H=L!+UDD+C<BcQVgofY|6P(9((6-lZ;Kq$)0bH&M(e5O<hN88)ou0$|9(-%oh
zUg|vgN)~MVc%pvkuE{a$O)b_?ZP)11EB8<$5@=3#P;sweP3_|aqzv_s{JxCeI{?{+
z+qv``_nhy0;?EzQ!wq{jTxd886Ny{B%uxJR2r^CFWq9!S`Yo!CMQ2K3Ct{!utx@vj
z(dmY^oH*U^pe)X((I0-gnP#|!($F)#k0IPx=;(CV>>aI@C)7I)U2P-!ordg1_140M
zd+m*eI?c|5r}gOir*3bP%7JlSRb7Cpts^^Ilg#Af3Sopo#?-viWL+0`!`Qo+q5IB{
z)1`pD`i+6^zg=1Gz@?FNW1!;fTOJ6>3j+rmG4;Yg-dC#c$-cv7wpQcy0(UObnNgAI
z6<Lz$29R3a<ZJW)(VstFp=%X80v)Ay{@G*fk{c4E$>eC_hQ^;hCg_7$ex7F&(&^K*
zkM*0>jLegwaA~cJiYK(c#UAJ+lMhe3f>mAKRjBH8>~H#Kik_eIn+w0Dova6^Q=Re}
z!&@{p4r9x&eu(Q;G1y|X%91)Km$Ro^{)7X_0$VS+uEhCYsG@?^3pq;bl5VvlMV0)_
z8R-pZp*Tmi%Q$v(#~lfz3f%9AkE#z-Xa`Fy*&HpO!w6pXbXUyPvs@k6<f|<7Wm?(}
zCSvifv}aG3C+(KQQ5c)wIXW7v7lPfTKMi}LDfkI3Er@&gB<4A(+X^;{FV*Bfh4A_0
zY*VDEIMGsI9@(LcvQ@Xj!lfWBu+OYDz<!0@vA+5Bq|x*WcJn)|$q!@yM0H(yBVC0b
zPt|xQ(xs;<;fRQ42+VSL?yF4X+(VW8ba+eV+HKW6Q`ul?EX}5(eZ7@Xbs!%(njelJ
zJF>JeF&u6D4)iLc56_$XAlGP<Uc&o8Yf;#yYaTWGSKX`p)?UvS(qp9{<$^C>nb{f`
z%M6UVa}yP2j}A{PlqfTEIDa&fAE<^Zy?xQf=g<c@McG%;2g96658irx5cR{sc_GUw
zf=y_!R4<5R9C61u->ryF!G+}OP>ICbn_s(Q`;Muha(*VXH7h99ovegj{lrr@+eZ(U
z4W#NB>aY55c?w-5uEm}~KjZq^x<KGI)vQ%LWop2-upE$0leh|1x~3B6h=0_=PK2%r
zGeRwhZk~DKzJbjqT2AfQvE#K*-BLNS$w12T!BP9o=pug4zG`Rl%1>df8$~4)>VY4W
zI!h*HoHB@Js@_9Vmg*^yahdil*(!<8L8IXp-s9&%DY{k)K;6D0fBE(Jzsp~_BhR*>
z%<s|0`<L%pZrsc6owMIX{LYGcQRk46{1hZo0TnK_>bgxHC0!;^JdeVosK9VAm%{K(
zXKyldH(S99LzEOuej{N$8a3ozut079WI8>$zo!1}PDeeSXu7*Q6LsUF=<Y~9AHhFo
z_0k89T>8Kzy}g$_aOsf;F0GyljvZTGJTevvjU8EBJ~kHoWG)iP(Lce*Ly*@W!MOS?
zuU6%?Oqka#X3}b;FIegQ;G2euF4Nh(g|l=jy6nP#2?IH$Nz#I##6nWks7NzSO&*`~
z_#DCK3O>`q?#1+^XhwKh#kDHFwuXo=aFyS~9(!VCe%@bQt|dnhy&v&KQcrk$mxd^o
zzb6=tA3n_PYTVE6x~V0Y-#irSaNN{lPi2CU!qRXYas2J6eEekNewpWIJpn&yUV&VM
zbj&Jm5&3`c`@A2tQSk!dSZg8ZeDC2jyMuC-gIca~lUL{h%Y!m;K82T&Af!bhJoV%t
zqF@n9V-r*n6tn;rR8vEJ$n`tAmMo*fElpxmivh)%$#cp4ypc5THD1%rQ<~pNbcz~C
zW4N@NU*io*sbjZ(7h~USc}86?@?Hsjc{Gh$rkm<5nhrBfI&+>5_qeQ1OL8j{P&NRY
z2-rk<3r||gAmB77<qQZnkADk9K>SniPuRPN(Byxi&<??)dhx7^f17|(JRQj%BT+fO
z!eaY<sZ5I(l-_tru0!{gCoZ@`o2P*mHI@y<5gbCz=?=@3IuBBz(F;uLyhuGm5k*MH
z5gLt+^Jp5g9z&4by7e@B^z`Y*ji>n@Kq?bzR^eU;g>tUwF1;^uoPPhL0nbPrS?BBo
z-2o-r=Os>y=V8kGmv~X)BzNwlyYwVJEOAr^U`OeG7KxW7&c{vnph$d3;^KGp_fMMI
z-=?)6QE}v`f_@r4X!#Pa4Ka+n^oXv8o0cT|)9ETzNvu5K<EE20nFPc+mDr!~b@RMb
zH^sRLix}PKsa20N#BPXiHo0ZLN|)}1+iyZV2j=2vq=%Og5m)c=n>^L&@%N#4oVdsn
z@$(tb>pHrBPtv8I#))-8waIb!8CLyXb)86^Q6G<PNjOU@1K%TADk5Zs{wS_87Oq;d
zHuUhM4}Myev8MHmRXCa8v-GO2Cn&+}-CFFd<1c1yEu9a)UHs`TEr<%{g(zEm<H+f8
z+-%tR^qYt89shx`o;hm7QtpFdXJXy)|K_>lG(O6)M%oX?zZOp$amul#@1uRrgrmNK
z#0w@Ixz`e}nQ+uska)?2Q=L5V{;CnD`U(;sHR6;@E%6BrN9|myc_Q&aR^>U<VqBE_
zF5X|)+MiQqsScLJZ;^O6(aV6}W@ulcI#{y(?K+P3sFN!3J2aeX`KolII#{4H=x6R1
z>V(Meoz}ibzpvwWoA6g@?e8_=sBbRc^J)#J-&g5M_00{x551~@Iu9P$UCPh}A5>Si
zyu4Z$8pcWw6oqQ8^w4Pu;+%d4PKcn)x+FW9YE2^LMU5w>^HPP&4cg~qIVR;rtu{re
zh(la{sFAC}RHnz`Qe3gI7KAzQ`UAbwR2agEl%_1@f9WYSgL$pUxt0Q^)`_S^GFfDv
zOkKW^<ry`4nFuy*NCd;)pqO;TTw@RYBi}3hzxf`*e`8M5tXIeRoC`c>!f7r9UNzy!
z|Cjin3IC;r?=|7H_QiW9OgQZ=ftO4;?NNaj2nT<f!~cF0{<!8Elua52cr;1%8fs7~
zpE-}fL*f<qzNpWrh`I$@eMaECKBL67`i#JNeMW(6^%+B}9?K7@o}z5O2P=`@zX^3n
zzhl4$Ef3OO*6TC!_Qv{*>hnbwGkg#A8%2Fa{65uZG{j3v1xg>U)VVO;v)COBZPh5o
z7D%5CtYwOq<adNpJw|9MaZ!VD<#%e?#l{~qAMZb%2_~T9<sk*JK9oAUhHyI5D+`dB
zcKia3b0_|r?p(KHCeTItZ}vmTnil=cFYS!FtT9?$$YW*Y-p3l<ZtdC09&h{>7ge8s
z5wF8<r13w;`1?9^kB78ut@lRN^9sK&4?Ut2D2$i>T&<sF9O*B9<cp0fURvB_8$GPl
z&VTLj>E}N8IdvTTPI5ch=`b#E3hWjd7wU$~anjw%lnzQ~L4Lm`?k%x`Z)EhdV3VGp
zACttKSoxfg+8^ScY0?zpeEeS6rLEj*O>UW{B$~jv&tIWlWT^g?_w6zFefKr~t^d&7
zyVdLVb~oKyh<UMmkM|$34RSnmm#*Cc%P?#;{{=eNK<7@JY^8CmY2I{Qa;<$hL-t`S
z#hAF5!|M3_N5Alg7j*?)wyuzCC*4!R21c$P!T)bOt^PLMC5yOHtuJ&ptDQWLpeQBK
zInWm?G?5OSwo>KNXI*XpzTU}x?2zYwI#Q9lnD{g<RUw@o+AYJs9RAhWHyW>GTN`(=
zzd3!Hb>Des<22M<>X)2T^utXw;cI&v`r)u_e4~rr2T3*E;7O-9Iur8_c*MDOCp*9L
zZK8<c#tN77Fu=zSEf~L<$Jnj-%?|wrA-RO~aZ3Xh#w`wz*ozpgu%e35jutS`RM3&~
z=l}jo>~9<Y^}au0xx+91=<w;!eO=S(`CWH*9MjPcaX%FA2NLc<`GM6Rp-S`nWW33u
z1vw@zI^#xgWT&Hi7ksO<Z^Z#VjQ>J}Hva2E(IZ|{^axuodSr28Vv)U?{<qPXymBd@
zU%GPg)#?Yfb!K-PtG4Z&nc3Oac&2T4<9i2N3Jb?3CXUSITMis($<G~`m^ijjXgSE|
z6LBC)FCP;XW8mi{<t%6$)%{L#wshL+mBlEc&0&dhD?Zt`#G0ZTBgk_`7GR1E>%?Eu
z?dhN%A@c=BHN|Rhj0GWarWyZ?8jOBcn>;q3dGpxFLnE8soS8p1@m*VX{>p{-zGL53
z2b*ks-m!JxJKno+<$TumUFs{OobovMOI7!EOGQTStG*xA-jRtQ`ZUE@(Oi(XkLu8q
z=91-zYEI}yL>pZ2at2gx<A6adh3FmK0u>1QdvA8b%v8SUrUl|U-O;rB=EkpTL%w`H
zjU+?gVC|I6JutCc+I-^TYW3n1n@h_R18&=?>jzHkEN`jBVzn*hohJsar#1H97}G7v
zyRpWVLHI|kH_&ks_&MM&<GB44#{sMOS2^Cc7H0=J-fqHQ0O8iVll>fQHQ(Xw-AC5G
z|I5G&(EdJ#pG1%Jy}<8wr@i2CsCTaYC;IstdXI8Iya!AZ5RW<A1wAwa-l^5_k-}Kl
zL-pCByeKuojQp3z+-#w33O_7WS1_j5i}DwA8%&AMCdm#;s2A1^Duh92OOwXwLJ&0!
zLF9d=pq>meh^CbpCd1PLKdx@A_hhGbRm#gDoBJ*80dHs2k5nvIC0?I$S%>QGWZ2Cd
ziE&RV?5;X9^UyV~SjbjK4pxpI-P;rP*>7~T=c;>d_rwZ;0|(uidTt9TSc+wKbr<S&
zQk=pla;d;QESiO^$%m%L*q*`Ku**2vJRc{;XLJEAaV@<EE1N!vsz6CTcJjJW)lOmA
z5&4fn5!*mQl=5hKBsq;At{E?RW28@28qcAX$JuPp*ulxtMN<eF?itGYGh@ry(*C@)
z#d>pbystmd-96sh7w_#=6l-kuqsslmmn`H1)y@62tr43&-Zz;U-8~$R7AH@lSl&>r
zu*rTy>vXwP*fG2Hja&0US|=3Gwo9>Lo%C3Cn<>(?R+`*sdi4rQ!vJIB<RG?2$8t<N
z`AZO_G8(rAYa^pImz5I6J_WZlOAId+A9H6jNtbO~`&&Dr<=KJOmXCJz#B-7U```5N
zret{A;j8QK_^X+lUvbCw{;T0Iq4_IGTX!$aYubI&8%1<L5}m=?hvvxVriL|5a)5kI
z6h%N0(H4u3KO-x6m9JDaep0)A*yLsrb0%~BM82B`MR;?e@@U+ji+PClBd;7z)i2M7
zP*h{6Ck1AdoH{sM9O_Ng#>bqAiG3r5*;=8qD_a_fg{moE&~sCFpv&1Aji-H~fsxr_
z{lIkk)aZ0&I^voi8yQ0%MPBCTFh~8Ct5rRyDOX0{$!96L8KV<f(is`Qujj5)+<pR-
zNPr7x@L4s06BSAZD)6ghOeRLZk8DAH)m<VDL(Dm_e<oY2=5v{eo#pD`+{n;Gro80N
zdi=e<Lbg^5O~l3q4m!R0@qBI6X>(5T-1cbbSPIG0igKNzP=32Ra5O^&#L@Q>;$8j@
z=ZcDD*}Nv@rqoXty2VTEK9Qk7X>(DGj&!ZO7!f>nhJdM2EJY|I8RA571zvk>N%q>4
z{&1T=-;<dePGn{d*4?#<@gO^4A3U^BaQ0Nw+h=>u=3{wZdzZ5Vc|#+6r+Y8E>`0L@
z=tj5P5<hhOcrIRvdmUY4<B`LB93!i{*sn2fQLI)Ix4D2l0A_pi8uuS!g?hE~KSjX^
zpBq^MJQ$yc;=eVAB#uo8f7JuP*>S~YRU)ZKCA4C5+>hw>ZNt0fKRSNj=@XTaVm8}&
ziXDpWDIF+py5VR8hY8_F`W1Mi7n*-b*KZ{k&?#<QXJO1$j_bE%$rgSjT19G&Czb1q
zbAuKBBS)>zY6Z7PM75Q9Yx^crsfm5H+Fts*x908%bSZzTbOn0c`o|{Ek#fvk**-C`
zz2a_!J=Gl(6FaJ;rlK#XpUZOaL;JCEq~?2pI7v0KMTTuksl?qA|4<rDc0S5LLM)8#
zR*$>j3{|G{Y=7@%NB1Q{-B#;O4mxt-H|wjvQVN*kl%Ad2R7p#(^elUoA{RkQxCnSS
zr%qL&z0o~UAq1R~--jYlL|qi|sRyUD6lbt4`GVcyVlg;UX!hgygrb-vSK%fPvR999
zR$8LLhit8HZL!&UrWSYhI`f-L-2=6eP{-B>tSzzaV==6QeTC3W=4fT-RMGxmTP~B`
zy<-_m0%PmM*s@p?KD}Cq9Gku#<bjOq{Y^vRfSwpCv_71Qu(rXMxorz#qTod)faX>Y
z1aWH1eDFQbTH6Mb!MG<Gs`VbYHu;fvAGdXMuwS_Hh1S+n?HyO$)M#ZF;U#?DcPTqD
z?|Ec^oA#OPoUZT0iSThzQ%dv$vcMAOQh+k@MZ^bbq$De-e!aM<OS?S+`m=Cic_7XV
zY7Dd(lI6rr=2l|KaM8z?PsrEh!Rkp~8?xm#cPE{Y)YgwG?`=F^FQF<M7zkfZcC4no
z7qz*12C97#lF1m<@35x)7OldJG*9RwX-a~+z)GiT4LHT}HG>T(1Tum{NFsltBR{Yy
z{+O?jj<nixS;t#D;+2Wg;%i=YQ#F~s^!V|@{tq9Rzx}p57eObALnM3C95hN3oh4cI
zRiPg^&yq|*mM2N0Zu}LRQXI4nVIAmJO^U2iB~b~V$p_X89zKB2<O{3fGezi(8~Ax%
z#=p{?XOyNcxjL2eqR2Was)W}%NW$CB9yl2Y7dPcM*J6R(P)~1vFz5<L6F&AAx0Z&S
z!GzDB^ab<2aBtGvl^jeJYq5?PXZnaKY>igu`jg}RnKqkexf&UAOU~b4f+E^wwV!OU
zbw%^RNHXBExBBDd7^HyE!&@+yUSo7@lWwK&f0d6CN5xuL*B>vGMT|1QeElLDrC-fT
z>917!`zjTv#m9L?eD$wh86Q#6ID1^h_shn)NqQtTcoyhy0sSc&P{ip_>;mOqxbWA7
zCuGMXo<-b0Y3g-718tY2FC3U8aTOomHJr^V?d46GE~c=P?)H`L?i;r$tw$kDg8_%P
z!{h3AhN{zrj=|~0#Nnr|Y`f|UdvCVilG-{u*cS0B%8hnnz=~xG`YYMnefZs7=2h9W
zBcvgWYla?~Bdmr5kj75*hGfMj5eXqR_5cM<88vn8>W{Oj?CgQsO?PC*wiS}|QEQ8`
zJ6AtY9u8JN%HF+n&3y7Tx6fX=m<=Y!ZbT95#htI)Hgin~MjWvwP{9!AhJqf|a)C7=
z&QiiZEMz}Ljo=?BPZVFXPE!6ps~Swol~pz8mvs#sn9Y?I4)(LCFOy1nbH()J-hpDZ
zBarYH`}&-zxnt9_m(L_#McRYSzkh6G|77yi{8VhX5S-aEw}hP>fsFkI`X18#yG;>n
z`f3(B7;##x5xG7@B$FCZ#}@@v%}}*TG84Jpx{clZ7^JVq74~>TV|*n%f0O;>+^K5B
zYi+sNfukz3RL~c?OE#tFfk~gg&L^8rEf=ViB-Vl&0YkftgeusE=pOwyV(*EK*f#B|
zg={v*8(VDlQlePy>VBigf2%XG>7xG3)+{uu$W$hI-B7W(v}54L&56moX6|_l$tt>Q
zWEXO#Zjm;uqqJgS!$P!1R6C0{<xlB*@&Dh<s6Tu{&xSgETL1h6=Aw0VLFvI<bRu2{
zV`BXw{BOH9rl!D(rjQgVGWg7q02WN=3~ZH10pltVnZBr|AE`wxJfVZaft}o>PFqAQ
zu?{MjRPaI#f^*C2brdpx^p4Mb<}D{}hu-;tFTUkY+h?5Y02@ty>+c(%YMe>Jd;+@`
z=H#=OlM>EXn29j&yKWmulhTkjM0hl9RjJSEt4`O7R5?dy5*ikjw{79}IBj*&`hvXT
zra66$k#%nQ@`(r*nH?wQ4upTdZhXSk{l;$J>+b*PpRn@6;h`JEO6w|?3a(IZ+NX4$
z|E03yXy0YiiP2X~Jo1?GCtN=&g5Q4@b2H5MNgHtu${}isr_%SW8VO71MDjNl@t5p)
zeTW(!!s$fl5^Br<6i&WF_z6qZi?DtA=<HAXg`0U?>_?Ye>-6<_9?BKs$vMSpvp$Z0
zN<7|^ws(cQU!N`?KT^HOXY(yPU;paF!oo~+c=G1y`s`5;ipB&2sd&s&FD@^}hX-r%
z!I9f9y6+9;;bGXCu&0)IJv6$n!=#t!r{uGAD3Qi^^(c&q;KxE$jnL}ah(jUQ7mnWI
z?+GU|n@3W`g-eF|wndjxnW53nNG_D=k9Ee+<YQ%DDAwUjkL{nHJUW|>2QQ0lnM{=9
zzBXq#RY^pSV9(Ej{#D%T5rbuHOt+n0Am;N7;(mldh3e}GnMyiy(lW?(RkEv#+kc7w
zS73P)Tx*JH>8qNJ$!d3~=R~ixGvOIl9Ge-qbW3k^bl(`6m<H=ShIH=Wdlfb~lj$tR
zD&^}+V*?}J{)#_YboNXgUwnS}lKGs!7Z#=+L0e0re=0MwYdFlF&8M9`$(+BO-`2Rk
zzppsa=?WD_QcyV+%Mf@pohzMk_3@S0PdlpLP($7552s2;qSi2Fs*CWweteSI7WgEj
zvll~vodyRWq(IQMC1BP<CCB;FE-o{nYbSm7Pq}iNN37k^j4z!%JhFWtpg10~+89eG
zyL)_2W#+QQYNR7x-&(%o{u2rdR1#hGk*yUEV*}@(i4HB6GDAVTFBIvh<=uUI7aY!b
z@6eFHxICQr)L)+cYc9`;r`y0I`cS3Fv;v!IRy4^YBdZX~6|o6Yg{cG_#nw^j1z|`f
z#z7VtI^to+1*LU{^b<!Qh&l=4k|pRTaBf|(wbIp-3*M2>jn2d{isL7Gw_aXjE$wV%
zIvoqgKKg``UAST<wYV@7+24P-Hnp?mT?>~@_S|#p%$19I>;8T0%e{xI_NAR$riZ~s
za4MlZ=3R6@l5#l!ha<}ntSNBzIgVc?aa5Q9&g~x@f0@K_F9C3VPUrZw0vGoLtv-vj
z!tdc!1TOF4<iFd(+utnT1LGy$!{tB6sjdw52gZ99r~5n=f!8F?`5<o(6FqN#E44=*
z^>b|5nnHW=yEn*ti^Tg07w@@2yodWG--eh=_zd=th5l|jrc0l}YXv?}_&tCL|2Z~-
z(Z_JF^f7GYd-x3$g-PxMP%LE5w_9JWzTY|_@!xX%evVW7A&LKt<FC=$4@&%}9Dgmx
ze~AA4rSdN7|Mm3t*WnrUb1nXQiF5xt#c*M*6WyRb^7aBpES$v45=VcOw}K7@XgTl4
zH$Wk^KWlJM2*3Lyv^V-%?v=m0kq?H(Tj%4lvnBq1oj$`7U*xz>pNhmMIj+;EEb$4B
z3;Iz1f6M#d*3^G9uJ_;Q6S^1gQrCkKhbM>Q)c?o%@3uAd{|_X-w*POD_}c!zS>ne2
zV;-%;m|x_eTAs&G@);KMy9UP$14n<@{d~ObYsb3=*T!q|b=@n+h50h!hVfz#kx#3A
z?Rb@(#Mg{h>5=%F@hVY?uNg1<TRz_Qwc}lbi}C&v{T$=#8OI1(&lV&Pfex#{s}$Qw
zo-p8LiT?)i)=v063vhG15l^)B41V}K;CYMtG@+mlf6tGA{}BBI&iB{765q(@NALe6
zAD5ev#b4X+z&|1JO&pi&8Tfl7p5nM%&%oa;@g&E^dZvB!44+?*oL@1Ig#RnYBbI;Q
z?X~#@_cZz-@8#p7_GTP246*^YJ|^0;`}liAKM8+W;-?J#q4k;O^A%y892fHfo~HQu
zya*p>KeO}q3!LUf;AM%^J}S|?C<n~*0z63bq8u>K3vdhi1N>^DGDgMUzpf8e><jBZ
zQva0$Y?${`=QIBx@fyc<KJx{MmpQKUna@kS#Bnh%M29(|1N#4`90w=H?>6ItKEK2K
zUV&Hv$!~G1=QwZwU%>ww^9UUBD9_~)-TC=2-pS_&&)+Ye&(m{Sr}X?z`5f!db_w+l
ze4OM>p5zU+uyT35igl|!C%KciV!Vdu^!?rP`y_wzR*aiJFRH(<JtsMow_^N;=RZXM
zz5+U+|JW~iE{~{x??)?6k2TLh4f?kF9I?dbtY74GA)63Ac{l$a_3K)`z6Bo#WyEvq
ztky5{b4eNb9N%wo@^J}1t<&Y-)bF>n%jb)Dvrd=qtH0l($mhhzbh>;;`#!Bl@M%W;
zOsC5~@#mn6?T`6B5qw;uj1|k8)=ATINg44R=h}1DAB%l}w-a4Hr}oQshhg97biwkW
z{mkj6?jLQv5LMLgx5TO6a$o3l`L+6e?K$laoi5@z(bXrvPy0lt%TKiLtIuh_=yVa!
zY20r$>>HgfSU!?2=I1J1_;abpW+0O;$J-r_I`r6faDSoSdNh1N*KeWs;x1;{KCuCw
zHsQLS{O|_&gB##)*Z_aPgi}nt=>H=d;13ybidmNJt0o-rtr9PpaKyJtyrAPIJ-^Ou
zL~o)SaH88)oSq9NoaiR-#0GfUgcIFF`-eBcAKU<c!v^>R5?^~BsWZ;s<T-`<|1#Ns
zBToGnc*4|P$I~X9`Y+l)yaE2;2KXB`z#lN-H1Fd5k8FTHWW?z{HQBx(ampFYS!w-W
zE7m{GJGA~Oz9PrxQQ!;mT=o@?(|84*kmn;h$8F{NLf~oH{>!{Q(Lvx3OZ-b~@COa;
zD~9vn8zla9v@aX*2PFPe;CY@?BHsVV2KYk~e*x`leEo~|Rf$tA&K%t*EBlH2Vmbf#
zD)23wZlZlb;%m=|H*bK;^CN25onv+DviAO$i}vz7OZ2~4(4Pf0{?o$gFYpE6a(^i;
zoX!GIY=EatIMH9Ue|Q7@!42>?Y=A!?aqe^B>*s{*e}(s7;IxkfzQ8KH|Kc1?;}z%V
zI)fn>>rLR)Uf>JBX}kib^(OGd26)<p(|ASuhd00<+yH;W2KWOeoc5h~|05gV4;gX3
zenk6%2`4@*@Tv)?btv$X5$ARZf#19VF6|PMZnWM+`<Ki1MVv=I%jb)<aFTboa{3FL
z=r8aE;6#6c6a59A*Z@zPaH79x|L_L*gB##)*Z_aPgcJS6`ybf=f5?b)`iu4jiDy@f
z3SuJhp36BMu3<H~zkqZ45MFR_+@u%KbE1>^xvn43bE22|xvnRy|6JD>=sD5P{C!<-
zSpT`MKdk>;*CW<{uIm%@T-7J^@#}iU`p<R!0?#?U&HY#PhLP1G#X(_wLT+6n`5?zR
z-3iC<63*#9#Mh^IPINavU(n<m-plE3ey+>u^`GnVnw}Hg&EMDM_WI9t`Mv&gU5>B+
zT$ktcT$Shg_;tCy{&QWv<2k3hx&Nx1FJisJ?}PD)eQ*r}U*P*2xW*4?z6HO~`2syx
z`GWpj=MVH;<q!IEolmU)T;~_`T;&(~_jSIp{&Sswtp8l+BkMoc`3XH&`HBAfI$v4;
zxz1nkT;nhL_c@<|o2kCKna6~c;ZHPq17hU&h#5SIdPD+cuOJ!*CjV~y?MCdE0}%>T
zFrV^TyJfYZl>9_F7Q#7@r#L{kv2aJjg@VCcR`w?!%q>S_)2R((!aUh@;?o_)1LgcR
z^A`*bi;NDHVXA>1vkUcXUV^78i-<vt)T#M<FA(AQDeQ5I2cS4d5g9=F3Mu$SQHULG
z9C$C_+feIxYIy(%lSZ_Qh;9j>zEl)7Sb5Y-q&k&VY|2%;7Uy>Cm|NV{`0<C^duR3z
z(OrBL{W7#?rqWS8P{q%3U*RHq8u1G`(PQ1qt4A|GDcqyR*iwqW6s035%7x-eWvvWz
zTq!OU%BMyDWxUbdCxfAuu4u5ZeLP!QzHIbQv-{GU7RDFgtLlg&vZ&~8bGbU~?fIz#
zV<PfmW=n0RyCaw^M&Uc8n8sb~?dWgETHmG~+a`)1i$o)ly2gX<k-C-%qM8W&M04!G
zKPXRr!e&G4*~#}D-|?osoEB}X+m&|Z(}+*?Tj(l5n4=J-WyjwD)}87eMVV_yftDBl
zix7wair?GWuiw<xW*xqEZ1N?$yM5+Wn<xK!`4yLa@M9ex_Y7T9O(jG1<eewN{lT88
z+?_AKddH2Y8t;8(=t{gA{HJeq8ucZ9t`v~5XknWzcH3<npJJOVKLhTNIJKQ(&s%<`
zyhCC?=KbEoUSs*K@*xBUbfDji_j_P4%4%I~k9Q^5&tAjI_j~{_?M3|WcUT#1LuyQ@
z?&e0h1zZeJL%l9*J<xx-_nr?lzJ=fX9!ey=#Tter$}*w~-UChkNy{U!Sy<tPl?z19
z0CHaj1`%%HaQ56a$)0+)`<vA7OO#ReO=}A8xPb-f6~O)la`2(mr+{4}Fh0NMSdsk^
zW`OGF)6J@Dq9`vAruy~LXxjBCLJF0T-|o@FR9iAzmuJE<OclTTX=M{T#m7?@<JkcF
zINF`CdeFZGt=%7j7CZQNQySJpAG~j$Qe_|H?H<<J?FIG$jy<Sh)b5iUdxM4@1@;M!
zJ)mKCC^hz1*4^mKBkN!fY1koUihWc0SF|f=*kREA8BY6~*THVkup5*K_IK80eD~!7
z!#w|neaP|=*bKX1YnF2%<0LT8qCf@8^~ksZ9^K&j-^9HMd|OwQKd$#ATV7;YvUbU`
z_SLd%NtXA0i5+ioY$r~erD;o=(54INlD0{Ay3lE9sY542X`#>pEh#YV0BusB(;xc)
z0~9EK;LlE5hAk|e;l~j9|2_A<MY5c<Y@dI@dGhhod-tAu?%D4-Vx-pW2{)T}PTQk7
z;X^%@Hb;X~J0*6fe5odsPXX<GNb|($pGirlcqWB*Sy~)Lc5m=zqxR{Y=H^JFS@@9F
z)P!esi&I)>gTsamDy;q&=<yatkIFdJ6R5;uDJ8%X>vTl>u4@#Y{zk($84b#GEV6S&
z8WHpTsIb7EV^K4@)F(+OkV-DGV_sAcpB~R87M(()%yj-TIiW&A%&T~J;RS=y>Wi3X
zCT+oHHV|u1m9?S4qnpxpw|U}C4fHgO>!ZSEX&l`$=3nPHXbimGElpTog2+E$2rt>1
zgSN>TbHryg@)777n&O_eZtaxL)6ih8lJKx3y<h2)tM2eJJjiDYi{{^nYPzL_aol@d
z|L=;YPuxLUK7DEai_-g*?DaFgUz#z!wPeQ6;H4ido-upr+8GnhUlCR`{{ug&1JY3G
z=`CeysVDlRj0F`S?T30g((MNeLqiFa<)B(iynG(@J?4i2<lYMoC@E-QO|o1{^P@_(
z5R`gHF~TaH`b4<FW4G4S8ni?FvkjlcaJA8d<^l`D<Kl)~xTdbA)?D2lsxj2mnjUWz
ztE#FEVy`yfi$p<6Me{OhqUyY)G<0<uQdM#lAn7b@UO0e(;3>_E)D#l-yzp6weWJv0
zUiFCfEh{9(Q!;2e>&)`Lw(<H<cfuHL^!?jurYNjbL?iW1b2U!58>;In-n?d>kRPSz
z+@XKXVzTXsdzg?(s#L-+qZz5Z9m~*{PqrV&Hw4!8k)NC4dKlHZYha9noqM;*x>qQM
zRfA^MEX)d@D17Ve-1f0J8a(HAZR+jm>zTvJ_**P3lO0`~GL8eyZRse<IvSgD2A}^<
zXYj>JahTQ!XA8!}w_)tmgM6BFM^Vuor2(r8BlUT~4CGx$*>t2QQ$;r_OGP91@{!v@
zD5i>25cq!pO<VM#ycUWJiU}FD58hJORO@g$Ypd!EbydPG^L4kpTIYAXbbSR#=-Kb>
z(0SSydz&|mPqm&px#N4!qU72IQQ?TUwWSq9mgevqc6OI^B&su~K|Jm#@|A9pIaV>F
zTqDR&P|Go#Gows+s%zK6GP#I<&~a>jdY9||l!MIYMJIac>}-(T(SqL+$iRz2Ti|*0
zl#@r9@|0DWD?LWx6Iew#;Gwjzr<Rp6(~8e_nuGR=`YKng*Vwrjoani$XM;JKY-=<&
z);g=|D;xoH*C!r&%jjLBZxOZ~3ONPstrfcL*!_ZLRdYXT&Z14jty;kuI$U^6uoZqm
zKO~p_jF{6t;AC2JtBjKbSv?7jx}F^b=qLgdYh(;-QsN#~`~+1nflf+Wu@bYTa~YJt
z$14>i@QLFli@(u1fgrB^xYBuoamuv>qd}Dg9FPj>jao`XglwX!yMsc>sS^cVyuBSe
zkWw!==w2q2wJ~Qr95ip<_?C_H=3qGCaQGOSYRz@Vs?qj(567k7);8rIoPNv9pns~(
z#&2<W>f1-nPJ4x^%313-RJ)o3PZ7eN3N*W_85S#y4)f8Q18#=n+$hKKXpa5O9k}_Z
zgngnpEokln>>C^C{RCJPRYoV=Q0E@9Ac^H#7&V}BDvndzSQac!)DQ-=+UK8n^!D6J
z_KruNdHy}O4zG;dDqJ8$PvO79cM9(i8VbLrA9_y+K0^!Ev8Z3JWWB2Es4kmY0Um-9
zYocfL>cuBJJ{9+vMI{=(0-T|s$E;-Y(IEkzu7|_1$ZkW4Cd<&__PNNWRBo`RZ+W!0
zEtiN6`KMAB_r2+=L^3lR8{cI}WcCD`(r6%faV!)KdYtFQ61z6HO<8otO}$yvy=428
zc+oO&W>K^4%ebUE7hd<5pBkl9ylP;T_L%`Y&qN8w%r?U2f)%9Cby}!S85FmWUORiA
zu|hZW!FRr`jxOR|FZJBmevdGI>WY_p4tKn@a6;yb%i3u%s=W_m)9c%Wt#sOt@ypAA
zZ?~EsDy12(k8i3n>0&ESiO*C&O@QsdE6NeZZJ-q1+lR*PAc{bOac(_!FuO9j#S%%T
z8;xF&w5h`GvyOk`fhQ)#yRg#(EsX|gr(a!ol<#t)55(NXi!t7)dR9={wCj%-+KRM`
z)!oZai^#dFe3!B@o@Nh<Nk<|UvFx5+S=qQ0MINVL9`A-N)+Ps-S<(JtqaSIP#(wBs
zMSF<oVISzh0IiXC@v8wQ8HUvDGP~0G-bcUr{r5aPj?x&)_8@wq9&RF_u$z@$c~Xl0
zdUKa|1FeJ1->H_l1v`Vz#w#4D6J8uvkpuF|s2y<!O>TW%mBDVc)mnpQ;qZ}z2B*Ok
zY3noSD&H)M)q(!}_NULGvK`|$4lnE<bjkF!wvLHXBL*_8q@IW*r%_J?a(PacaiUWD
zL%P2W_BS{%`@0LcvoINGV|xqM4c!lVn~?c^nZl^<EshI1Jzw5~gw7C|L8l5v1_f;n
zY?-WcqwtV7Zgf{$t!Z=h|NG9FPF-&N$QPQ<G3YCA)K)ZEgdczMo$vf)p=x>y*rTQe
zWBO0fCiSK9sdY6ZH9}pZV(*(BZ@01D3?z%SUsWrL@NO-{Td71S`G1JVQoUONImalc
z5uv&o$U>G*p@HYJq<6hd9N#!NxUq0xa&U0+_8acI?}i(0yzjmng^gpQ6@{NxY#1Nk
zP$4u{j28B8)8BCLszX&<w^m(y@apTTwgK<8z;kh(kXcDzGJxiwE!8U8(iu3JtSu22
zqiRd!Go)%uj1v$yAnj;&<tr=mb#DfdpQQRP(0karB40&Juys{xcbD-asW>K+()Ex;
zI)xvR1PTBrykP}Z9w9M`R|;>pr~EzJhk|eG>i5R#j|f#dt*iU&kp~|f%j>j4{i!QB
zFGOAx)tgahs%(}LkujZ+*L;y@Dc9Pq!i=dxadq*GF@)KBAG!Oz_sa9doUh>gY)nh~
zs0n8-OMJFv_K;+hvNv<hO@1SP8=X_+M^Q*78}asvJTy`De>S~VI5opYF<<xWvqd8T
z_JMZrb&dE@HWsJKUCYLy>h<IRq_%dX2axf_tHKm(^HfQ5jW*vbeEU<v;)eEJ6Uq4a
zj{NjUPye9-(RBFNj?7HHcXQ5uWpi#TNCEo^{8C$m@fab^-Di-Y>VD!}m8u}qKB6MB
zw5zB_54GZ>m2&b`DIb+UOSCfFxoa#MA3vvKAm1~5C@;KyMZD|R_RLI&JhB3-SVZIF
zb`aHxqVXxdgEERa^XMe*FV(n`EFKs<D@%MNyE+y&_6!|@P%Ie+-Y;nE;5Sb28=s1s
zGG0^61F>3=&@~t>*D`9*(Ti7ir)Iy{NlY$CY7$DgqgFN9%93qKs?l$5+BWANYaX1f
z`N@wAvjdUd#<}pt!vp&_wX|;DZ`i%V9h%y5Xya(3b5}5z+;Zdc^7RWb30Kh1@4#5?
z(3_QN5@i*K%F6l_mq#nJYj83HR6=V_5*<B1u+~)Hhg)Q%@saikRg@dYGyz^jgS*Pb
zeFs;Jm#wTEFyD9i$c591#Po$DBNG!NBO5jt-hO-Gq<Gi=-f&0D*6TKvRuE%-bde`~
z7cl0~EXmSGT4t5YtEcBACyum}7~3L~jLMqRIWrh#%p@a%<z{doAJT^;1HV@=YvtxZ
zcWnHp54^u?LwtOD`!9YlJ>A>)i(jBY+^(6PxmGI*i|zh+wC!9jTZP|HEn4hP()Ij;
zUzV|ePb%<sg5&ir(9!*vPh72udImZ=0eY96FNAlZDz2$g?I#PgL82xbgVJuR2+F1p
z53*3LJyv1YMkXS!(I9*~;c-;eR@FKh4BZ`Wzxl|!MDafjR=eArUK)xu<~A5=F4KzD
zHoqg6(P;}m1H(9cqo@@HXZu1=$6UrC+sUucyhXD0_4<%N#3wM_1G)tEiQ=s&lPT&x
zDb{A~l#$IA$Bw<iBQZ2*H`^;@<0*wo_+CNWLo(eeg`I<!F0^JAFB=?sLtxI;8S2|&
z{NYb(7RKU(&bb9cY~lLl<r}vobHQB>@94%uTc$$p9lO~&kquPCbRVm{ZpHQLR)2&^
zmDP5_PA~u-&`v^rIiMpdb&#cVohoG(*YzR_p(>!<(%`l(H6~Yj`oh}C6;)o>f=y0&
zLLrYQ7`z@op2lGC$rbV0cvDln_~+CZ<O?JmtqXd|3r{iK4cZ0xrWU;5a?l%{n^R7L
zpFxu)4~B?)<(<y0JQ}fFo0RlgsvJm>Ogf>qo`$Qi{AK}88B%p4%m{22HbLd}RMu4+
zY&NUG8bJT`4p|I*?tFvYV2ZZ&3!hK+4joFCsK5$Gh9-Q|5NX0UNwSN{2JMZQqaEW?
z=2#{hRH{2c<A?o9ECF;TQJoD`2a5~ylC=z)wdJea4<X48GPb3CL{l@%)0$m*@rXK+
z7ln(G5NSzpwf|KHE|>}@WqC_>ord|wTx##0GU;DDVj3q|FkJeJ4F9C>(HKdimMUr6
zIQvDp5SalyO}pEXbaZU%58j*YZHSoJe%9$+9ZS8(k9TBgi*wo`o9Qy`ZLnL906=?s
z8Fnl1i#>8NGPa{Q+o*IO_=j79sA1uFUDn|L9r@s#>~T4bMJPTyb=Ns;KQOxxbD^%W
zXRr(@$e>z>Z^Rq0#S{xs{0M&>=l|j|!x^{r{bcI{&TJ;CMXr4p!)2Smd&ZKEPqiIu
zxsI=%o-U);V(pjLIF#v<tSCL#t(e9M0R|QS#g&iL$}0X9&pwNFBO03)AtS(zM`YPq
zOjJ~?m4rI);mv*gr09}bO>S527Ew0<)D+qP)WM=uiGths-h&5^y!c`~zjGXZ;~n{y
zaCcAFpkMgOmAiLed5$GHp6Q*>*bc;U%@N>3tz&8de-Efsbp}~+0-RQsg}fFKmxWa8
zOZG2t2_e@as?-P40+l-spttMR;fv=|skw`X<szm%GqpmncDlEJrl#<nnps0?`G&>C
z>z10Em#$w}ykR*dHcwAYO&8|2EH1+01iNQv0?&nPE84SVnuv;Ct_yRoO|id;R1cEa
z*t6Q4g?i;uH!0>AlX^4hwVy;CQ=_w9XRy>o?3*UtP4(_dQ<cMAbu9{&f0frXy?e)E
zC42<Bkhg$TW{i(?c;R>2E^xLyopINl-hNbTw-C20Di(_4^i&JiV!ghG%HbX>e47=-
zMNJ6Mk^s7`Q}vcIex*_@9opAQjkl}8SE<$&-UPBD4;I-kT$3T|iFz-gHwsnZCDH;@
zb<a>S-s`Sg5j<#!l05vOiNeq5*dfhPTpiP1hc#%|yuH+hE7PJRQer9~s%Kyf#68KA
zR*7*?Zw5N`u7$_17PG73ng>Qkx;g1pY8^{z6+)-v2^PVXd;=+buMKnbvF}m5G|Q<F
z#pr1c`1ker>XE#m7k?RNF8GIDkGuYwb6`%&&iFGs?Y~QwCgDuCI)t-ZM^QWF?J^fg
zk$XN><eu*)Kz9*9;zvNAq*6;o_!vI(cq$K_@fDP7?h)ovz(s`NFb_Pn0bdbZhj8`a
zI*IEH{eTW;ah;{yraY_%cvk*)A3m_DtuY!a>@n-#=*1WM>!16$wo<H3$NmaOe&q$<
z0)}cC-tPi+oh{?N469{Emzt79jmx0GNkX4kKGYEtxf}SVB_oWGrxILIIDiOCTQk7?
z{|~DXfg3KWf9^Rs2B5|T{)>$_1ldIKfHZ1>mH0=b+E1!ht4@PQ1$cadI0^Ix&;Zqb
zqTw9}CDcnXNRnPH*y|3g^y>`|)C=Fv?1-NsKHy3ZMQfk^x2kyb^f7|?a3)Yi9utzi
zZ^it4n!Tm-D~m=-WrY~6BXvXadQohO_y%=!qQ%gIhRFlNXX>FHp>PAqE|wODdAv)4
zbhJJ~A@RiI$~vC;J1&$qd6|3u2lAetT^$nd#$1}AflC`ya@Ap#co>qai&W65QKA$o
zl&$PDHl}sG@Whiem9>@C_N46$j(DNd^xV_P%F`KAQS6cRR4={{_*n0PWwF+CqjDE@
zADn=mE0aA@l(B@&d9aJIO-;|k<15UA|F#1rPSspVBWfnTNBYl6;K;3J2uLyu@qY<v
zk{3h;s2T{*xpOK?H+Q*_>cQ1-B51ixBU8UA^iqOQs&Z%k(o@33<Wh7~mmG9$vTpe1
z10R}z8jjeD61}*l@IEQN%6tUB!nhM^2iCG-s)-Dx>{;ETswTqsD37m_&xUG~bB=9b
zpGcpS>uHk39pV^QqN-3Y;oMv^H#KZ3J}!rB1WfgHL~Rh~D4uyq+=kZd73dlDWwfF$
zkwhyji36IkWET;w;LBi%7V?BrVIa;K^)6vTj`OStKzorQZzk6e@r6h5PLpO$4bL*4
znaUT46C4L$&`bR`b<lEn^%B`LOge!=yQC42cMP3(Xm?o`f3&jlqa&LPkmWE7$xbA<
zJjRm7Sjc}8SX&phEaIZ_V0fbOE^=pa!9X4p`a~s0NI>v{B1(#Y5fv|aDK2yYMMK>!
z1L5q_WdnoUa}wxnc5R&`ze&%0?Xw@RZC|)-!{!^drJ3)<3-`~SOW`~jwGy(CukuHr
z+{XM3EDkIGuCc52B+Kf^t1*S+B;KUX@LF(Fie6Cf)oNhQ#&{{2Becm#XSDMa9n7f{
zt@BE{hLTMZ%D3%w9DAt8=rZbz9%Ju2j$Lv0%8SF5C^Hrrk4DEM_ZRM)c=1Jy8+fh-
zp69XVO`12B%7QYDUP||1tcup0a<(ZxOx=kr((04fo4U!OpS@Je(+v%mR~{xhkQuPr
zCpKg$89x&TpY9trpm_lrpY}iW(Z?U@uC?PATTT0ek6pG8lya*(*VL4A-zsbp`VTpB
zK3~ppsPOEUNFoTDKFsH8%*VZ!ZpyM%RJ!559?lmi3x%?5Xcsy8{?CWji|&xz`sH$I
zgon}b+9(gFXR^1uF)r$xC~+!j04k?a>48T%%#7tyB#!lm#f~ZSYRs-kBe=I~z#BD*
zcm0aTn4W%`VoU|_e{P!>`|_|h8tr+^CVwkvfa3B`;wtid7VRkVS$1mvSsvxzn9;I;
zx6NQ4e_L+L)0zcfVH@pYg&Y5EIW7X8Lly5RR);cPf47vE!ojxDq*XX9x;!42cv!S1
zM`WMOUy%hPe#RCCu?K@7_%MRdqz@n`25V%~#E^?c^{++n1H$j=@?)qjJ9349yBzJc
zvOJl!m{65uIc>&NHYHVKRx@eDXG+E@=kO7o5yde&gYO6M-(e0e#w%xJ`b3O??&Gn8
zHo?!}Ir!VIWIpLv<@?}c>Vz+e`<RlFkBP<kS&RWCC-I(kz=`ga_`mi!_B;1Qp|*zP
zi%JUKBKS25yhnm3;Y0og&J<Mw%Y=LUE>?-((fEtILP!~+YCYIueS<tTF}90&$|zX^
zR_MvxzfU?wfbnvw)Q;+IWX6!+8&$86A3?Q^jaoh5^Cf{Klr*yo{)0E97cU=g$vGOW
zgMs#mw6nrJm57b!n?eIy+7r#`m^<(2Fg*4zm))~9QC(@My|Lb0p*J>lW}1B7?ycS3
zyGFwYCkID5J%Prp3*?JJ1Vi{W&R<wC--sHwkoc5Z@vpd79r<I!m?3!&!jh~a-br=m
z$xM?^k3iltR~eORV;N5&m;pR53V-1rhF?fdcKD(#t(}3c>EwJ*#P5srPQ(MD*aqQb
zoi7{l_ZW1w9l2;{&?KZ?4u`w&b)U-)qQcn`{Bu9XUf%ae9k;4mbN)_VZt@sY=fz=R
z%k#oXYDOwTCN7D6cvb^6=Qa77lJ=oKQ?2++83;6Iiu#giN{&O4*rby<`J1GC%|QWb
zWKp)}(Ho4uYLl_9(jgq!WW4^%6?WshFFf|C-4&L^Nd7a0TXuiym{60MY7`I{BD$s;
z1V3VQ=?8#vjWpu#aW<)0?S4@<&SI(rr9rRcxtaBvB-1Zwlsv*uS}<jP(AdetW5t!q
zvhi3)5|9Wad=L~OcNE|?6T^(d$ccs>P_vNGLT*x~Fc-I5Clw{6uY9Pn&eu>;UEwf0
zI;I+%Q@5m=8>c$(8(<B-y2ghddSm*Q^cw|Xz=tBZcj!}n+duyC?R_cz9inLQ4HQ;C
zi~nf;2JFjUVg4I6cgs>sovtKo)htU1pc1hJm?Y27B-P74L4F%p$HZ0J7=FoPR-BQ^
z<Gxg{xf$3YzfK3PK3w~7b>KRt$|^Qn%Ey$feKi{sNNN%lEMY?^Sdy)ZO7S!9R5V!M
zow+5`T_235+#EmVMpN2tl+ou&MFaKCEw{8Z*9W30kBma2J8fz-GYlK59dZAKpZ)BG
z{<x!>5NK^$>hU)aTB{uiA0gJ4;D2fG_bfG8=`Vy^`~%veI`glUgGnX%*>dOfmQakZ
zvHtM~-+zJYHs=NJfAE9v+aI_sxL+{-_$mDN<HGNr!+#)OyrU8Hd>reSRC$h+u&(Yi
zbwN*ncCqG+s}cw0eN?FvAaz8bUKa)pTBuM{4msZp?4?=A=d!#Fypmg>@S^YKcD8l<
zhTO6I%%%++ru|*sj>Os7_*8c=l4xm<4$K>zp`A8MlRI;6TiR&Z<#w6Td#9<dPG{)M
zMZ2R2nbJJKgTzYU%Aw{)l<`h=9>u<JvQc==V6OM$3?%a!6L;ddm*g9lvoDQ8y)gV%
z=$VFK?M=76wW>mA2pDb>PTm>WnRfKrzg{ri8Qqa~^x3|SVS!(;afv^Kd_zqc$j7u0
zSH|lB-d(CMTeAAs$2+)~<c5>;Fv$r(`7R{Yv`pj2X2M+T#0xNTo`b1SHKU8+m0WYZ
zKbG>?8)&CnnvCxEKYXBFI9W`By@fyXy*-S*U5ham<zA{Nly+{Ic5ayOT#DL~tKtN#
z5;+T#sKn28d9FQz-^+YSZhBIj|15mN77O|6`#RxO$vZ}x?T%_kMUBDWstI-1*z0P*
zvZ`H%Dtn~qO`pZEFKr8Jb=Xoy+svK@l)b-02PI9W2M_4sG`W|2n+&fcFMZ@a#~22r
zeL>%?#GW|CXi15wOTLfw)}}b`(gY4f-VLOCK)R`WfK&=4<x&_nHyWLl2EEl=QBz+n
zT(Yv4@-G(*l@&<03?!!Rn=Y7y>pCy(T-v70Wf9|vz&4Q3{u;E6Sun}6mbR@DZBx(B
zTIsAW6|5zlh*1rAACCnwdWSBA$a%fMO~xjzR~Y`lK#jRdSKUzE^ZuK)6&0ec)?M2(
z-&>13eX*iKC!Bn|snhN5Y<j$4y20Aj*KG?-`QP;}|FqxM-PdKMx>xF6E$ZiZhWV8G
z;&_H3(Ycgi$ov_QX|~~&cde|vOE~$|Qw7r}J|W3!QO{&GjuG?svUSyK*7o^ZZ(ZRD
zz-p2{MYUm>uEIPh!@{#G&~|8vs3|z@@zqJu&fe3k=m?)+zw>x2yb`RIdC_|%AK?1$
z<+*jF&s4Cz%==RxyH9v}MY!&A=t+2|0cTr5qtK7rF*hyx!A^=lMbCsdejn2OhfF7B
zU5li&i?SE%6>p@fsqq5X#LuaxLcLS~oAeTDYEM~+VQ3=`&{CM)69pr1GrFT5+vvxD
z8Ib3JcaCkqCn_&XnvLAGDuHL@@vK%{dvK*gQ2p#4>VP%C@LrMc<O!Z~>J84_*oriB
z$aaTKo2BLqJkKjYDlH|lLE9Aubk<f^YD3l&$d8AcQVqI$D(rbra<tVQ=-3d=#4Dcj
z+3T8&zEnbR22<1ZjrGRHr*D`xG=!zzvh{|^BS&WH8p0zxyQ$8;XYvLiZ2wJd)#$|3
z7^>}88-8P`!V+Ljj9BMCur)!w5282dvJ;F4t)EL<wg}LFWKEWKF6CCNn@c;qa^K3F
z@p=&9EkuOSQQ7<2@Y0{*eMNqbGMQ5B=O9_WCYLtPQO&#fk$nzlp|D^L`%=>#O)H63
zlgqgBScTS>-q?Q6J<*s}`>g`meSA;<1n(~DS$T#%z5XmYO|8wN9e&$2cVBa#JXg#Y
zFJ!pYQg4IP<<Y9REzYB@WVA*8JUwtLYn8IMlqBoAd9>oAr{2j%F=sq>tY{>_Jk$=*
zKXM${SR85=LD>#3&7(y&C)1+Tz0UJ!Ij32hM@u@?hu<#5^DVR8fk5|cOFq46QyR?R
zA#;2v-8P&sU)I-+bzpX+_#TV}zDwv98)ZIlhP60>Zwa_t&bGoyV(d|_Nf7@dt4h)+
ziV`kpL>0*V7+wjt%+Z+UTEgB<o4i8rig2=cR3J!3BES=LA>oJ8*w#j2)b%ROpB13p
z(8zdpFUJn_hczP^Ug?xa(V3Z>17Q>of#}5snf?*zGJbW1%4$cb$_>|Gc<@TqbBQ|<
zc1k4sdTFyKQrm(Z4LNsau=?2JH9ak^gk{jZ*hYQxA|q!TJpQdlOI!E3(8Y{PZl8bn
z+>zmPhXYtY;0QX`Pccp>c&U;%E5&0~9F=kL;$(`lyjet8Aj9PK#feOb2Sf5>F67lC
zlY!K-b^IN0cZgzYx-VXZ<1jM~*KTcH7zl+17P^`fiDqi%;c1_0eO5U6Z`=2j_kf{O
zV|>jicUGZBX^GYONbY&?zvHAku?$7xd>Y7?3W6}H!V_j`%q(FRwIWC)$O*ILmznK+
z!+YNx$@sfwn!oXUYwLXcJ@0wWI@X>ZjF}*>D{km(ihxfu8=mUQfEq|A_X*(KGMwsp
zOYj`Qk#louwNJD|wx%^#$@@u4sZ>2rQtAiu&=)TN<f?2YQR;#Fd)Q9+iQxzcDT!pv
z$5<H*I#MW~XQpHiYKBS1tdAM9%HbXAc0jU?RFOQmvyGw-D7?>(wBamU+7mIlYs@v)
zkf+|@Ks$qoV`Xe?<*~=~b-qx-xqX+vZ|kS4D)(!3_Rd|C9b=I?r=##AF*RH<JvA|X
zR-Mygc<Y@Py=|HBG>pkVNqEvyavu7mYkp7oVEBW611u?-cx7^?crTHkigP=DZjAGn
zvVJmI*&fhiPTV^TH=N+gpEVLmOzdn=Pc{x(;?9=d+Q&XvJ(Tfe8uF2?=p}RRFzucu
z$JzC!mdv@GS%>j#zlYY7_WZk;9+qb7o5$#XAbuS>Q<#2V{U#>E>c9&VY<{c`Jh&mM
zy9z<^vyf$!SF4=8D(jab72RiR?!r=Ou&|Z*A>L`g@{xRbt=!s4PdM!HL?Sn`YdHL`
zD`IcF$s3P*DZiFqPklz>p&0X*SNk+SVsoGzHiXE*FJ1vp4MN{i@=niSt#AuIp>P8=
zw^ok6lKq0tj^Gj0sf_xrmhd~WWEB1@r`8I{K_!VmmW`{zP-XO2)m7_+H^gOmbz-ri
z##p~uI6tsyQ-B*fO{uZ_HY;pexNh*!;P~`mCdRm|5Km%WcKALv$-C~1QVjWQSUa*l
zy`VR_ObyqfXhnDyEzO2m$Fy}MDFXjQ2u;%Y3|8)5QAd5Z;HLqTQK5|V6Q5wR7He^e
z76AR~D}^3LU)V3AhwYbNGkOXNl#kANdabsnG<Q|qARriOlTvI+%l0#mj*(4GRP~ox
z(v-XUx~%D^C*N`Y87*pYa`I#6N^64oojz}sTh)}es#?}N@pQr;^E!!r^d#DwgsV!1
zEAAKZkzWLGX4jCvgxNLZFCoV(*QG_!!|8HXRav4UcD-EcH94!X;gttg?l)auA!&7{
zW28!BuB6koi&rrEdyTwRBDY$$M5I`j=dE&*TR(4=Hq8S!-L&$74`k)7l5O6!sabgJ
zisj`imW#AI;D+i3GkaF}DZ_~YV@!Y#m*;}6hYix9pwE33KdAb}`p+v;RmlZa?0?b(
z6n?CI>itKCYAiK6y|Kn>pBh6hsH@UgZTD1d6;A$FWHuI?jZALaT3K<JrGkEj)(eaF
zu=q~w!`9R8-eRSt*v_WB2}A{6uw7mAe}t3A3O^z{8_#s&pAUlu>QqglOv_dy<tMO;
z=q)KN47cKWWPp~4YJriZfhayQHIPh<pHSX8f>6Z4gDd|&qWk&fS5Ex<zq9vNt}bbv
zz;oN$d{4=kQn4+GK}duXSd}y9d%C22PfCvB`JNPQmboy=6H);P7Q~gT?l`oe6nGr(
zBT1HZnrm=*+2^a~d!9B1z|xlP?qcr!hh8fTu)H4z54rkJ7YKMOSwOTl1_?)VnrGIm
zx2h7U*_#r}D^r?OJy5!%IN619Nj1Os1fBbU+#`;k!wAZAL3s{J4wy>=gK=EDaSh@+
zh$|^s6SxxPO-p!W$!SsKfc`CU14^#ByFy=Ki2MJx(1CW)c<g<mC|25s{<83aiB<(N
zkgdr{@UnkU?k90J<bFy42N0hchTvp2#NrN*s*#BEE&)MN^g)hAJirKu;t)$L4$-pq
zTx?k%JxK{*dkof?w8Lo?d4@M>Exarc*{&(<aR&lpu}-E@62Cn|Frr>~Z$)4zaQb+J
zEt>V3k3CZ1cAhpS(U=aq^^X(&$^SD9zR`4=Tu+s6sANvL1hQA=bh)0q)`goWo^f!V
z-BYv}<=%gm+w-x$1MMs25rCbSu}!`v2=F#eL-HJ=h{;iWCkoq)a{2f<;1kdV1ZG<j
zA+YS}Gy3-_apz<HPUjii``RhvvG-IYGV8kciLhn7o`eCl){CI>8r6$g>OZD@xV4zd
z>5I@q5rOkBWmL-47Dk}_?7>^GmLAmyUnYB0&Eo|5jIr-XZ&N)yq#lr6U_hQ8Wy(=4
z#0tq{N*XFZtIT{qtbRsm?1ub5>ql>{yL_GS4ZR=w!ZjFkTyv?+lO^$}Ql7+uRe(AP
zi3LX~!V~2Y9!dtMS#c{u&f1c*4oO3$DmmPzz_=(o`FV!4%@H};gUP*iyay9qKj0&;
z5Ba^;(u6uSi6#J0t8sAtkKKw<OF5fT2-WNs;&OP1{O*zpD_qCq-6;0<5_A#M+HSCt
zQlq}LbZ^Vm3*@~m`yOczE0hUyq$pEU`1~S8Hdbcpjvf2NCs=@k9FJs&F9~Fad)MaM
zmHCTQo(Zi7Z{h{ih-bn!howiHvQgrcvYTBmRY)Z-FzoPp;f0FnbCMIga_Nc2@sPh`
zV6e^EV(qcDInBo&x8Jab>Y!3v!kOXW8C(5si&Os?#%Nfb6jp(!dd<8{gOWp5#Zd9+
z*7!~+)e#9y5}V`OhXzY-T1UPlebM%*r;ZF(+iG<98NB<6r=J#1em6Q9#s9xsz&DD<
zVn_G9QvE_5i$wlvI7D?HlPO85Hc0tk<Dn&_fFA`yEVxqAiIt5Do|*F0&`-T}Huf(?
zBRq1+?N2|A%+SY_Q7%tlR2ZibwB-WMPL~&|j#kxn@p=qF&H=^ACZ(VI+DuW3{Z(o#
z>qrjLeptAV1i2Cj<jnD{U2O)3L04_9jvYOE&qJviTdl6Dp(=Rv-gy$~3$~Qa)@)x8
z#9z<bn(@&#zj{3r?U+v+=7ShB-aAfsM~*F9<uYERqM9EbkogP6w0R`SDf902;uIuY
z9$PMrRcyl8*2F8YcO?6h+3t{OWOrgw#ox0y{VP}lvO5psinIUVp}!J;2#aG`^8uM^
zHWN$StWmSU%b4b0mhvJex~R!7YH)&g5v646GpD>ft=Ww2JjD?thuV?q^VcT72uR>i
zax{g%Qz}g1;pIi~favu5owzLiRhcp3<XO|nR4O@r7OfA<k-_@du#R2w`bZVTSaSa9
zQ!{zlFk<{DX{TzgN&*dz#1~<pJe}riC3BG#TAo}Z_Q``JT7w_5f&4^p^%AYI+(zc(
zpxj2HH4B5c60MQHvcw-vz7W53pX#UnF}v^c?0d|YLj6Ug9Fqk3o$wy!FJS&`iht|%
zIRR;`GMs%Megyo^eJ=RE<a0@o&qao7>lAo5^TmjWHUB|aMJ{F<5!x*>&dVar>Yg}`
zylbTCFpkp+CP}sRDC?5WCq1p{#HSdOLZm;mDg?|@G5N6pDzeBkGI`5fmc$rCaXlO`
zN4aR$WVX6>u|MQW^@VJ4pQWjLKHJ<Kbs8ESqrq&Szs3@5Z5*8q4xXL0Mm(l;C^u~K
zgbcp!#awbU7pkofM&gcG&R4G$D=MohZmctj+KS3*eRaLXWl3GQxqW#cc+l9C_BHpo
zjpJSJM57UrQ`CP#KfT+Lkvfd*sm+?(Wn7dUj8SoM0{ViWnPWQCBtCU99g$`(WiSFi
z<e#V_E{V^6eD=d%QwJJwFbq-@iZVQ@+8qMV47Le(rV&yYVc0|7NvnV$xEcEw8E$DU
z+VygO07{;lLrhJlWDZo<2BYBeo}X7PE|;Q*U*tTqv9{J>emF4~_2??9Dzse#Wf1XA
zfxZ@xr=>3t=u3M%>Arx|<8k6=zffh+iU*)a{p^A-?A_2ZJ(zdx9vWq!f~OcHxa`S+
zM0~K>Zf_opCkB%Cv%`r*B$7ykU!I!-?V`pU_QqRqCZz@X-I(Ss8PjFeR#i+(QYKEk
zI!@~AaS&WH%$MVuK|GR5-op_9G-tj?MREpN%VQFb@~1HF_OiPub)i!s(H@5UKIyOI
z9Op=s;!#p0Mh^iBUwICR#Q20g4nozUg4Y0oR-{>3vb@$g!dAb_Z|-cg1e%=|n=3t>
znA+-yWn7J;VOP{}TSGqT>vn|_OUdM(O|><lHoL=xvXF`BnAhse8=7*X(O_pPTpt?u
zg$7zZ^JD&eOVsS|cl+nkeHZ6UHr>Ihpwkx;{?rh++R_0>W2}If<5<`nbwm&rAs!mR
ze*OjM*n)ki)FhT%S?kF-*}kS|j#Qt%jE-n;QlyFw`k)1LRc@&_5a?aX$ybZtSy$)u
zTN?aMqtWR%G%p?Ay!qP2L}KyU&6^J|H6O5KmxhNITN@f$7l((JvdAygY=Cm~9dr{k
zsBtH?MzFNp>iW|WInr$@`<pU&WN$F3X*E#O=p0liPfG-IdBdFt+b4tj4;~aQ-ComZ
zJ@w~<cpoJ<{}g!fsWBiah_7PBN95%r@*;jl@1xup?q%gCGhxq@h{+G2?lvuaaeXDE
zv7nZJq<_!GL|Zb{;hb+hZ>)8;t0~yMG3M-b+_=<z{_=FNH4}4h%I3WJsdRjCaWSr~
zAl-!3gA#s#@wKWsgwk--@fG8PvNfqDo=@T$^{_*EwBH9Dk#2Py6u{5Q7RP+pO6EDc
zEt!Cl#QFQV{h=}Mc%rqdK04Cg+#RZqgDjh-Qs?$&Hh23wbDa~>p{<5YVrOGG7PbW)
zb^8nspCu4!a-SV-cC-v7v*UK1X?7qr-s)mB35h8D5o=uo$)UuxBm-`}*_{AB<jhn$
zM?@K&TKd5Tr{62_nGA<&sPHDx1My9YBM0&*tVzya<V#a^O>9>oTKLr~|F&^s;kUQZ
z!BV&J=pNzv!rhl06{`07HaEFDz<o6i?3o{8d|@?jR+510jgE(aiHpl}unyxQ8OYC*
zQOu2adMVaHEoitMv%o)Hl<)LEbNizs-qA#+r?bUqw>gX>4Z^;k*ER&KiH%+U=+G8J
zF1phl$!6NJ+A2eJQW!pbuuAW2o66-Ex<S$+>%aC(&`lWi0@g-w*Bku_8XMRhc{55Q
zxDhtyvbsnZwOZ>*ktzBnt>8*8kH(uPc4h~6G|iej8r|uTT{QTE!TQ8_t})m>n+~+L
zhFv*ph1Kmdgl7&eoptk4qQ$qZ!DDTm=`^{_)tE^(JJ;pCB-4>gc!SZbkD_HM(926$
z52Jd<OR~h*n-TJVB(6Xdfge-=pkmIT2OExkyh~?`^|us$A{_4=jhJ+sZoTG;fx~By
zUU}U;J4qIi{`Ly+7r<M4H0R2)NYeS&d*5;JRkO6~@_2KQ?X@ag^Poc#I(bcyi5gP(
zRc)xH2*1e1;t3CH4s&Sf00*`u1c`+*-;mA0y0#1Yw#~hP!Inr{Q^$0wc{1CW4Wx(s
zy^FQ6MA)0`Gep`f;Y^dQvB!WD?6ICHr>=1#7avYLT`j}0^n_jKnj4G`wR(i>TiPNm
z;Yci1_+~6_YjWA^tnJ<;6|08-9k_T2xTr;RM4_b^F-33^C8toeQ%^9?<z=)K!(4er
z7FDOF408Bj;BAl-`A7k0Zd>G`k{MH~tNhuOv($73{cUY^gFBn%OdXA$bjT(XQ`QS&
zY6i6>KyAWSZ*aPs=%w&bx{1-!beBv^nN3|@nb0setZ%VA%&D~@{{o4492y67Xttsh
zcSxiChq_B-U8__^b{19LDwmhmkh{L#9kR+-e>CdHPr2N*=N1PB7BW_AW?^7pF=xLg
z5eg-fp%67VEty*ra{d+CJ;U7io+pnw<$Cg29j92FriRUrbXUqGqEr?RBR?_!R6c7h
z1fYXaDHX+$mG?6Bz!t81ua@R(3mYF51bix+De5vc{;DZFv^8fd47!_sX$&+BE$4AM
z1bvbIAl8E>|AG2UumcuBaA3J3zm2Zj^40+9GXbk~HMDF!G&gtcQgdqY+PS$yTU!p&
zdJN8!J~KZ^>jRzzD^19NXH}_MR~gTe6ddN*CZ2^{J!mqJb)-|s`pZKHa~lH}3okL%
z<yPQc0B_O=-vti-(Yi}Z-+2?U=47bLIp22vSnEvQ8|avbIQ#6E7U?dzY^m-7+Y+@b
zNp}$|btBByjDVTc02h_I(FU?TCHacKkFme^;QmvXPo-`gjFj{HZ~wjc{o8fcXkV)E
zTj5y8NVvX~-(xK8c=zwvyC-UBY+3yN-|Y8E<f3Xz=<WX}eo;n`_K4ePbVuy=FkQoT
ze?0ETPdQ!MvkSd_^KDjZ+k9W|Le_p~DZfznlJD=xFZ_&O$XtRf*)#GBvYFB%V;B%~
zFel2U>qr>?O%%=Es2!g^s>O%0nTkoL_jjg<Rbm*v-v{Cnzu^3S4*bHW?nH?r)+sWq
zSd-@QMbd>()d@SXoVTk&S*Xe`k!`$`m9H($%`Nyb#An_#x$&}@czouvjgxPhi66LN
z%a*-+w`{op^v!LZk#%gH^+)tq**YD>Fba9q)|p#}U#Rc<yVyE?Z<vgwqoGb_>!guY
z?#YfNT)p-ymf9AlMtsTExQlF^_Km5~$mn=XwRPSHelZ7IXM?P7NyEYTPQVQ)fQ0B+
z<!hNYrgaXe!BG7>m^WvWc@s%TY$2C%pV1Yx1meuRai)ip*%_EOn+H=9StJ&b-eg&Q
z686mqvv0=a8A<jHn-K+85eSCLU2M*r-jqS{=htD%%ssqExU+E6We*GH%VEoSdblm~
zKG-rNklKCnNF-Zk4Q^HQg-jP5u!gxyrVHN$>TxHgkSeANJ84O0s83_L;GiEjT+Yr%
zx4WaA?U@cO(g&M`sY5pzUD=sj=a!x(;=9y08g>h0!Z>gU82}u<gmD|8c}V8JBtJ23
zIpIfE?;WRA@8{<K>Bd8Yht3{5bj$s_=sl8tkM~TlwQ{e%5B`xkSZ{5xn4~vJIxfQy
zFo8i(Sd@mvYZ#JpO9=^*N(=RsY3NX5Rh<?GR@jMiIT7&>-cEak%^PY6wzbx{Q?aNu
z?`-q=b5Xn2GwVNVPq1e;)w6RX6dd0xRQf_KJt1R9M_;z^?#eo=agW(zZJqA&hcDfm
z-Q3-jUb<#_)6F~EF(3FTh2LZRmAYj(3}wAzq*(8ef|QtzG`(WIqY_g&liu+J(>p%N
zChx}!UckG`^$zvfugyouQ^9;DlCumx6J$7Zy_x$=TCTZ05f5dZn;b2f&LH@R*OeYg
zz-Myq((Zc)7#DFxU3H~=1h}wcEx|{ywr4ZF!n67$ayUnTo9$Ix?_hfYf8W9Wo&oOu
z!1WG>JEFO7{}nWMug)It=PJf%)U2CZ_@^7L83N5+d-MIfWu4+A*D=^Qf*2=Xv)y>F
z?4vunu1>2~F<D<m{k?p2sVz4yEnUBuOfFrwv~=T^)B$Vz^4RFsjKz}KIy$!8PC6}@
zTh#MHu?8hlT7Q(J$(H-*$Wv2$dLP}5+iN_wQ@>E<7S&Tz^0dn;sl7J6y$&DU;02Sh
z5+7ZlYhxUG?hQ-b7i`}gZp*}&-0GN4H*edvWsQ%HdN(b~oI@JU`uHgG(P8hc_0h#&
z!$$|JN_8^6ULRdYdy$VW5wnM!b^FMm2}K3LOI|u>%Sdx>BgEMJV9SP#3pB}nbaycs
zro@4y6u$Ll$Fqf0p;qjl)58lxt6s(YbGpCCKljK5!p(&{E_+0<?r(xj>p=FpWIx;m
z%~CmaBFVJ%Mpo{h`-l4GIy%}R;uPPUD>s|(+|moTEceY(-L>_6bL)-#ALE<z&2itH
z1MZX%^UZl7d$@0|-J-L4e1^#8>&_zIT-vwI0^i&$_ow7$+jH<TUeXTdWMd%N6QnbS
z+&4#k6O{T(lAK;|Mz86cv&Q<<<eTdnjnwNF?!4~c(BbW4SKoAGx9Xew=hOJ+)_dRj
zzPW0}H|P3?`Q`@F(N@(r*E*>9=6dVkn+s)|>>lo$8<>Z0Zl<04=7!>JQx2Vbag_Py
zZg1&|q{5Lzrtqa$+!6FR>a0Ef65rfW=q*Kl-m;of#pmr*^@Tc~@q9{NE4W;dIg@Yh
zf8FrlT0DL;ymQ9EokUJvSBvWEE%wgs5SG2cWLL=8-rbolJgE5R>RqO4XKp4>^c2~2
z-SXMDY-K(yLDRqb2hDFZPr&E6Zm-=+INP9$!ky1Tah3N+bGayf4Eb0*pO43I42Wvn
zp*Jv|!7Fg18X;l=)SHPqE5?{wCVhLRsjEk*3Uzcuv+X;cpR*1{o8!^+#*xK?Og~^_
zDd{nMC4--?_wWp2#z*kpsP0M}jYDT*0eXlAoruLpaTPV2p>Jr>pOa3#HOdl0O(BCd
zKnIL4!%l51r`PI>=6S8H;z)(9O`7e?LiW~M3t#!YGHH7Df}lmdSjn@CvvBC}5_Kwe
zpxc<mp)Gp$?h4y(Tg8<0><`^4WD8%pRroDolU{(KOT6n*@o~h#67UsBilkJx6%MT8
zilEflGAz#|I-n~Hjp-c4Q+r26ePhUPi!?PhTQ`T!?TwG;y!JrE*PtDaX0x=oF9*BY
z;*pTW=XYDD5?O0<IOWSEW69Pg6$3QJ<mv|DeJp3LXpGX)8{}2-0^ejwVtg256UJy@
z^u(Ocx>yeN@Zf3B@uaw76up871{;(`dm|ri)Jww+pOco*b{wN>p;0ATn@Wc(oKi6<
zXl8`-P&4jBSSRW`jr2DJtzkyAQse1MyjWzfaNg%`z4ddXH{xF5OSm_xyB_!H@$WBj
z6*Qf~g63!92SG(jmsiQ7QI<Uh02NYXRV&$&vmT=o`M<rjb;G2;rA4dvx1@xH@qvl`
zp&>_aix5LW9K2^j*sb|*kq$FbC3`w)N?BVNE%s5qvUnryrKeQ-TbhIEHhfEY$k^b-
ze!L!Y!I*`wVa!q8jR5HJFXjR`?iPNGcSLnJG5Ad~e07`Vzcv4gp51_-`Xj%0b(`>G
z&A(!2aTxvWm-IJ{pvfTH;@84+7$M<R3mD<GGnPj)U&qI9yRGxmOS|sfcW>(GQTz$_
zci{ftEB8Yuk?!xr0VmtVxV!VVF5H~DcOU+QapL*H<G4SnyA1$6{(Y9g@f@66A^7bK
zemlYO{ASG;gn*F2NC<ai?i1nBnUtKZ`M<xgZy%m1-2;2%PU$;eK?h?x1+w-#0b8?h
z=T~;^!fou?UlCtD-F@O0i|?!W*VElsaa-|yRTnGw(HlsQLvJ!$AYXOy|9nzN(VJ;b
zUqKCm(~a*qe;%6`8z1I%H^WiC=BMb%{vhwat~tr(5Z4?MGQ!)SXVQ8h^1$)GCJuD0
zu`O)1hT9q&Gjz=yLXJL4_C;(s(%00KjoR3=469cNudIHq3~vrZ{0zeP?pj>LZ5Y2n
z%p<mU2kuk)T}$byh-T3?VS<o<NzBu?ghJ=4OZdX-x1~J*TLQNcZfq=m1;Z8bE2J-7
z^YgvY%>IinY;C>p;{BQE-k-nRKRD`%+G}d;QP1dLKYRb=>Z}kKe}L7cIadNkH0q$p
zpVGAZOM~O%gF8C2+0Li-e*evH{{G(RdEdI|qHmo?<8Q<FP0IISI`Z$+ZbYsWqG{;w
za@UToY_@9$p7NCR%_w^geSdj%pO6$k4TqWoG)Y<Pbdr*vrJ~c77z>5V@w5EGo;^pk
zJLXOe&Ec*zz9%T(lWCbhfoe?Pdo14~XHH*m!3#&{#OLPz{0P41lirsD<($9{5^$D>
z-bXq-MG1NLAv(oHF||5Yvj)#1KE=alF_u_C+_?j(6x_=~9W!}zJg{m&e=#zk)oH5{
zn}I=7jgJE(gBG7%7mh~5I=jzuw12ZF8H+jV+_pMlt59ci*EwUcq-S&goHvn}Nq6U}
zb=A4<^h_e*rF0}|zTKEFAGbPRas~04kcf>VZJx$$z%_zc8N&gqw?~V~qPgTIW+zhY
z<RD|&Z3sZq6>|usiw8MaK8d624DYm4;p47b-7R$BY%?lG$r4(kZ+@1YWSu3at^306
zFT7iO!JpqjbKSaHsri`rYkY@jlBk=}B&t7b-Tf!+D}P4j2+r^97B;-bbJ1$zr7!OO
zqV!y`=(&37$vXCA3!bcHPv5;;=n_6wm^$?p;j@Jv8cS5zDZE$wJZuT8Jbp<#!uUz-
z5OeO#If$j}V@LXX_dBkro2|Rtxxcr6Uf7x1mzi{4b<j1L*_T58DESaSB77ast5u&T
zd12Y}92R{ZiGlh~Tg>w5>W3e$zKZ^t7b~l-s(#{$>Z__w{fXmMevVCjjwEmSb2{lc
z>>u_p2R+fjo~S&PJsHn5Tz|cRKVAAndP`*W7<`aVVh0RkA4s~Dnq_<fua$j}F?^!t
zNx%l^hzDC^l`NP}dJ94+P`4<`j(?Ryo*+5sHI>L!BSL)GpY8Vs{h5AmXjA7KgIh9v
zK5wjNyeHNiG1l+g(zD$+>gaNJ#QP@t;?1#IgR5;)*z62=T=ljnF3x&Kp)1imopV|&
zjqawFq1NcA!<2B3ZAmzHSQ}#v9*@6es3kS*G({c3o}`m-NO`3nVSU!L(8?q7998Zs
zO<J;7z>X1jAxe?t0qQ^qZ&~?$e%FRXe0*nnYF_-_sjy)4_AYl1ZpqsV-RvEpW#JM=
z%X(zB$kdESL)p`PmHQy5>Jqpd``^~x+c=FAokMOxKS!<Uhak(Z#q;#KYlQ|Tzu=qJ
z4np^h>L@o$uRAPY>qz&1n!)+~hXt7Vfa8Ag!J_-GrTc*c>Yep5z$rT4BjZ4IV4c9h
zA%5CeRt%{?2ENEb@s!3DVTxQQltn6%^cs5gv4+~KDjWQHl;m&RoZR1?-qam%$5LUt
zwoBHlAKyPZ;m*fmsm9P$KJ94kk0tusVv&fwSg(fMz-CH{Phl{mmmnGiZb2l-lB>*+
z72;EKryjsa8F6YLE986OS;qbRUL2A(AGzQKanIZ-6m6z^msdZJ=N^)tOZQ548m*3P
z`I0?d;!~#{Af`+*=<|54e6P%t8P~<#=?gCIniKc12a8P3-Ol7yE#mMe$kxR(iX|O+
zC3*D#I=4j`gAP`$G-rz;@V+dx?cDj@Y*vzhkZ1Th=0S3BSJ89jQK*to_H*&tPVBi%
zG6u}_-1N?!Lfh?lE|-wfbAboJ&gAl1{DN0P8Uw%h`-kQV?`C+wXOhMIUKPI<<O?wT
z;_tiX3aC3P$$Np$q0zdngWsdVhYIhO@e3KR+$+zl2){??gx&O5Jf~&#f5hj+dzim^
z92vXP=2ack)BsIxCq^kGJfs?jy+yWR7Rk)r%rzXx-v*i1RUTwrn?NHc2+0T6RYOfU
zICAy&e17}YBO_OzozI_r^+@OL4T;2t-JQ~PG&zy;`tuv2=>cb_$!~4TWRtG2rOi83
zonEF?jx8-MTMo_69a>KJ$0pw}(Eo;sXmsKY{R0SRPB-Q@wji|U2|4@C=KhvkpQV1x
z;RPNjM_k222lC~W2wO2GP_!S|AmT&GGZ@eGsSBUl@rhUy$Ig0T=28sAq(Z+&v01RO
zW3EsxUUTZ3-xeNBdm38@LNVV=EaH3Z2`>v58=JD>NJrSb{ry8;oCwtTg-+oK@jtNM
zAw<c#S$FX^<Tyt0LkCx^SWwU#eEm`U=EiTBG;)U0xI4<2R~p%<Sq5vyHO*l3&6cmy
zcb*}HP%v$c_Ah4_a^(r7;j+-A^bR_cjL%%XdO5MN!{_VRm`I?+v9Dt?F*rXz=x>kN
zY_aytS)p_&(bwd))#E>#(Am^6l}b%@G|AV@;)V^2_IOt))D^dPea0V*m}mR?-e9h+
zh5rV8OSn*65g&n;%uj}TFkdHrC<B-Z{#fA8t_N0l1tZG1<$3<(>n5K!HPflVm2!KK
z#|Zq;sXQtT#4G<&XqBqsW9E5Q2haw-hopX9krdtFF;j<a`?65CeDnU8UFV2iyscK(
zJ=UeG6)ybA^72oFp7TdW&M$m+_vMd1diidwfv9N!hguOo48GUPx_k6uyb1jDVk{br
zMT1fDygaJU$9st%2Z!WI^UqLa1FT#lL=k1U(dmv}O@gggC%(yR{LwdC@ho~~7S~qH
z3LTp;7xFC9)~2=Op->2^R-sfKp;)O;;K~U4IhRfNuF=knIcf7+&CTxcP?x{c-eL-y
zO?8%rq%UX=q>rq{#jZ@B$!0Scsw{@)Xrk9)?yoi1RoB#3H5ignYs70dtVI+~&;d_R
z0#6puXfL=U>KKAe(dHz(hzER$iA5Mpk59bX1fA)m^`{yWCR(|5CZIC2walv0Nn^Li
zF5Xt7>%uzL2;U0yrre%Xk3W<*wc<ENV<PTtaMiUXg$qjuZLlT#6Y-%Ihs)AkTi23q
zOBsz_8LS($ebDI_L8rXF_#$RQWlI{@%m&%Wh&&L}p}O@%3)F9n=0aDZS2|@#f1|Lv
zO0%b%C2DQceyo)G9D^H`O>X$gx#g`>Zc88>4p`PsNa&f`w0V9ak!eLg7)=KC47Q37
zBF4C=IUh3^!f3h7p1>y$n@b3vX4xlVsvT@Dv=6P=hg8ie#3(ijF6ChqJAuEYFc&&i
zLx<-$uaW9Otl>5AX3+sj=F}PxNp(i05`87v_bf$TI_x0(2D2T50!!hxS%qWMZ+YXu
z<e^7)Y`$ejHaW66);v@t+Qxi+lfI6rW>>UMG;UAZM(xc(YtzWSjYHS&?rGip#@^Uw
zzdyZuz~r+y>wS)ptL|8O*WJ6{_`z#O+RwRVZhY@}Fdp_sHjk&bjVB$R<oC9^T1OKd
z=S`>b=e}iW>XON@-8}Dd2whg!?cT;@);`Mie`fXjIMwwDhR2Ia@F?T#1hQUbjLzay
zs0fe1CC($A370AG62j+31)qf3a`E+-;&Tv8f}bcswWzCib`4#6WNGT^E$Lv-bRyYa
zC0fV)*`dblSj-tQh^DjC4Ow&8Yw`5#80p@>luK?ntJOE=4kkCJ-64BbgQ>x5tqn%z
z4{zQ1&lh#K%wIM#c<xBBIn)%H?n`YRi~^s}&)X9HiI#<daLdwF8%KBbdW^<tt64B7
zFE!S=qAeD3d{Ye)^gI;r1a<i|@0K+kDZ-_CTg%GAmlg3-RRZiiDhVZ>BV)dEhz<OY
zwkB;mFd&dBm5C?ztOF6#31ku~yn)Ko8kYob#I*r%Dkej<<Z{&LoBibUM7~fT*-r?v
z#DYI;wNGs^ZrW~JvhKsrrtNi0=Qy_5_d0@mjr&gQx@6a*_z#y8Cr${iOE7)dGK2-C
zu9`+%{S)v}5KX90VOINPOVh7aGE7wCRhq3-wG6W*+oo3Pk}ZPR$UQ(kv*q%Oo%&pi
zA6C{PPyq?3|7y+N+8Rr(uG;d$$3OhRcQiiOxQa7UXT{>%3f~n?r%vwQ4<1N;V9<LB
zXGNR9vzO(Sk}OPhWNM96%1lJ<NX99`kZqLmME)EHt9Z+0H9z%3Reb!6$|0ZSOqKQ8
zEl>rL+0UhBdjd6%ptHL-)HmNU-jNJOqaD3xoz*LvaHcC}4*8swIzw+qq9<w=`h709
zz3|z7NKM!ml#AL3N>l0_NPY%&{Ka%sdR~Jhckw=yWDhA%a!5ny>Nt0@xn<`3&iu9}
z(0`-5HE12}3S=7Q!@CW^(F?{$_f19;-ffl!TdXHMyUE$GH5O(2fbeSveht8|a*nJF
zyXsj0Uh#lqk<@=?Ef!Vw<l5Wpqk|XCrJ85<_BDD2$2SakL{sCy`ID1-hP?+S7Uqei
z0WWyB@JYP87M~<~Dtoh9JBYs%)(%#a<aRAvVLeuuZ!GG_AmxOR&Bv-k<!rOU-fw*D
zW8W7|2X<Vv=Yaa&k26|V)}!pbQaJ{;jiFaDkE%KXnzj6nS>eJLpLs?!U47vt&++F|
zAC*e1w_mM-_ZO@;r&ka8&M`yuQ}nbt`8l<9sDN~?9O@{8KiE)raYN4qGpUx@y*+)~
znl{-|f!>+%jehHvZ}~1zsGzxV*<x9kn_M(5UhuzOB=NF!5Cd!-HlKDKBnO*HuoABX
zf~2KWSBffi@Y+t?m%vZ$g>17cPaHY&glKyH`BNwV^FNifK-|oPoxaw4q`pcj+JaZH
z=b2|$h&}M{lkep&e7`7WR>rl|y~T4zVExLcROrC18P2mWk8by!XN=jr{uM{tq#>7^
zba{dqVN>A)@re$clwf=)gZCKJ3a@1}Q--7BguLSN35;Fp$bW$q=G07mWGP<4VG`cJ
z>cJ`XK%DO0cfJ2J4<7C!<bAvF`4@&(_?UzzF{TP=xu@Gd(wOi@o)5?|h<&m0b<tGV
zceT9!yYU>aT63msZqjnAi=u82>DAH!eraxq1h5&AMA5TPbQ-jpeIkE5{gsVHF%zhZ
zPY8AEQG<pKI?vv}=+_12-~MJ@Wu;b^oo<`X=(LrUI??pvS!ca?>f{k?duO}#@JBy-
zn0+`Rtr5DEgOhDPEk4SKLzQ6CJc=a=d02?g@CvsiQ{*wz0d2T`Xs`kXd*r$vjIKg=
z`@J`J>niF*(@WRe@?Bl7x1Boq@^$IUvu`7vgZM%Z_`-TQ>ndW4sg*leUT4mFzIXSA
zXmrEw-k#mmwr+P%uD3Ur@9i~2C-#ku?AZ_wZ@6H1WZy*enx(0Yn>KBnTEdu!|7(FW
zBjn@hxnXg>2{PNT3rMLUtC!9~GMp%NIc-XRqS<e?EcAyX1DjK$11+gk%YbMyC&sdw
z4K23!3x;?o5}-XS!k@ndJ@pzP2a>4jCM|<hxmCrBs(Z*@2^Zd9$?6f9p)7^rpFjdO
zsaW_e0JSN?d<jKKyrpOH)N-{s2~$7MZW?GYZQCm&@%*KR!Ds^-ZkY3LSe_@G%`X>z
z>r4$qZ2xqrjM0nlv<Gb!75l1dX)c7%M&Pp^v6>}$E@it(U1Mpss(|Gg7d&`YL*Ypf
z9Y-|@1{Kvfl0^;^71>`SWapBH9youXBi)*9X%|hV_(-;6#{Q)be^{`@0%5XyL*SR+
z61~W6RC4U3lDI0S)zQg0c1Em|lMRGA8}XB4Q94h?c0>_3WnKXsn&ze!PSA7g!!3XS
znNchZUY^(xnM?S+;l?gcHtJ~VoM|226`J%820cw7Z>JY|)84LmLn3f~qu*t<xzNYZ
z9clGN2AZ8o_b#i)W^b_9T5DXPOej2%c4J(uUn}B4Cdg=|M}#CY)|(Tr?#0hul=Ny?
z5uRBQj$VCrVIQ8k5qp*NB8&P=DQ30aGpRQ!QC=k|uO5`gJOw0KSn!5ER0^4{<=&?I
zaEc^x_W^@<;Jh)xQ~2IQSJ#9PF8u5*SMxsc&=V=UNy)h@qa2l8QKT8(3yD0W+}o1s
zN)JAAw6E4$i*E3>Ju8obCnYzxq!yAd$+8oxDt=0=hn}M3xt6`pPsc+2bXFdw4eW7>
zF_-o!v9at=2h+I8!-NXVj4Dd1DXFE2w4oTY$m@m6_uLz-sHxCZnX9_4>Of&49exYm
zw)<Z*27IipN{jUvaWc7(c<H4$GMI5a_1muv_IU?=Ut{Zz4Tmf)6MS1rtu(0|k-A3G
z#!>;21;-}DWU|C)nB1bMh6|%7&l&1_vQI{Q;(a@95)7NLv<oMMv|NX&_UJwDiB$pV
zH4XZ}JMTIAo|alNaT=<cQH@JjY)HA?sfNYE|1JE_c3ZQ{)ok02sbKB@h=0C=xzwv`
zUp5zY=<4|3-2u(9ewS-XYrXpe?@Us~C$t4k9)15uh3yylI{p4m-$jK-Kg!+-J4qva
z3h%7uHJ-?Nl`?@<bg5#V^8&D<ui^*Z0v$L3-$iszzmiU4=Pl&!)aGpAm%l39^zwf#
z3&U407d~}0>Mk?;Qfn5Yx_`&Z^?JYNkE<)|z(d7w@mtFM(GvK}3Orr{|E>aWFM&U=
zz>_8LpD6IwVtCOwyNcnW`rbYnzUm{pS$R%I^T$8Gq|B>Yfp^IF1Lp;8g95+uH1LBZ
z@VIjSH6`$^3jB}^XXBCa7Sl7l0pF$Lx=i`rb@KPvxK#KJCGc~V`)?|N?^58m$Z+<4
z8Lu%t!>jy$@-wUk&@0{qYd)?yN0yJ0dZALCDh~OnWi7M~Iz~m6AZnni(0+su9#mKj
zC>3-g9mx+Kd>nZj{O`ntd2dK^HiY1Gpd=01WY#L~2;qZmqb8Tv5QPKc?Qlfc0**Sn
z$zZJtSbASoTogaZv^Ww0mwx|#vOPpI$|+kc)fH3qR^j`S*8+4cQm;<&BbZ+$G^5Mq
z`AK$wIzP3DF1byrSTh02ZsVW$*$VjeAW_JN%i|GMQvEmT#KWTw)Gd-n9jFo^RRu(D
zmp+$=zf+(B6p{%{jTeMk|8AYhTln^>@X^md{`l7m58Rs(T;pGhP82>b*~S-L1iug;
zKcoNOvV9s7{+;bpJ}=rw9G)aNMhpoox-nlDvbS4MGgZ=O%1ohRF58TF1C{jgfCgw~
zQ<x)hm1bP|`2y0n@mIFW)R%}>7Va^8g0GmAAQ-#|F|6;iL4kV~MM69cj<P+|)1ObF
z0}FX>ddPE=9?K_#Gx?sD)LA{dcD*@MA#5#o-}FShJ%vYN{?TLy&;Wng?CLoAp)mjF
z8D0`X^PgV@JiTfr-wxpahrzc9Id(tu`7k_kcu2?*9wlE8?N1JmmcWU>aClz{{J#`<
zR)TZC4c-4~_TD}r&YnNJ>La~HfoFs`@gp|=Vt4{@8b7UH8uwRL{0pBa_`oOGxIe?5
z>lf<ybJxH_#c;-_`TfxnIE|0P`-<Sti^QinyuAqiNs;J_!;>X&;wK#5S^_7$aClaR
zga5#%q`)(Rk<XuvpZGDqzeBoz0`M0YU+3_+{2buL$oMpeUn#+HcpUg4{>|YBi|(({
z5})SqYg9PyCqB*Lhh#V#C(!}H!KVpMe3Hfsy>50jz;xP>TD!K)hos78Dw9PSUYrk-
z6+{(tYM8wZ{s<o#)hQ)z$!m6SzDb2I6&|Vhv#@818KrPx+i1O`vF`tJM_Ps1=QO%a
zH4Vfbi7Cbdt}2Ox2qu@`WNlzvk?k3VtDBX%-!9Fa`NtTIeU8ysNEnj$2K;7(6Aq7-
zz=;MpytM>QG{E6m1#Tw)n*v`DM&vySIMF1(zfZZJ{B=Zo9G)zJtM|tVj<uoj_lxg_
zWuR0!Dq9=XhB^ToLar-JQVQN_tOO+pB-uK(sh++z^7N$vE%o%3nNw1c;nVp3s_Ls6
zf*F`t^=^HY-r_V>pT-p^2vx3h&{kEkR}@WFqpND!Xe#y$N^1z;Ag#&g*;++~4u#La
zXQ;q4LWjg>oa9SX;4OfEkF;v+r^ApF7T6Dplqj>()b7A!rP09#UImIiQzVn@D~i06
z&TGNnsKzK&jiO+Q5m$=LQ`Q2VzN6?nYqkT|DCOHwzrm0hJy%1nNjM@WCXPI@vhu_e
z!Y#uU6ZmgK;kp-J6mIFKlwQcepX2glMx$R~^Y&}*XY-x{O^+7ALma+}tao9E;fdcL
zmEd0md<UaB4v$Ol9|1ni_#lV3OYl{|TNo{Jc#^}BL8#IELL^$}@T_z{e=pG}hxbYM
z_u>Bk))K$t@D2$+zUtGw%+`m)Gn)Guze$4MRA7CaY80T1ri=Lv@(38eA^nT24~ML4
z!PsS`jHHO_gWw)^cWrDX9(32&TJ)T2IO72)xW=iI=2o}FFo5&lWA5D|?Q=f1R%y)S
z<9(Uo_KR#SqC&q!gJuyvS=|30489;>@tCahmB2GXzaj&R?@s_uGLYgBPqH=r5_?Wa
z^8kN7!O>AYs^jo};r!Lh+4IfhcU9mE0`e@R=e(%GbysR$(fpc^r{w;OP{qchgA90*
ztu;MArccs)nGE26ht5&*y#&7ZDs07{V_XP0KnqlQi<a#q)f-QK0zK2W1iXdxF3MBa
zGTn-@9Vk11u2jLY0zVW-A>ETsSwP3KAuAXACy@7KFIu@V`y^Dy%NP2D`u`Z)ynFZ6
zM`Rwco8j-v9Dl-A8Gqt#Mzb8AmEq7);BN;0I6Nb4m1VSuBx1n7B0Z-|c}_9hFBHMq
z-s1Q7odzD4;j3m5{$b_$3j(5`eBA)2y~UrCRqpqd+@BHh3LO<cCjmIu1>xUi<EP*T
zY+NDF#?Sn|MetBDoY6JEKUxB(J<Z|q5;*Bj9Nu06C;7$U$zr(Hpul^I;S6v5{yqin
zBmcB=zs%G5_=%VB`#Y5TX}+Wjarl*|fgdb^la9pizorDfRe>K;;4~hRJ#;_mNWdrC
zACNV$J<_W$<L?RRupvZ1-Xhx`W!9uBi}?v6BlGLfISu}ayx%-4%A$N~QvT|bU{tC5
z8CW^8^d>oe9EpGOQ<Bmrrc=fAF_x@Neo)G5=UGuyOSF^fzB$M<9n;%|e9I<(wzJdI
zL@wv;Lz&JFj~A}{Co3vG=56jCyt;F+`eRK7yQ3#L7~0iCF6UHtav-?9oBa5K!xlAv
z-Lv$Ev*r>_UvI?w5o5qVUjT2gLL*epcb9Q;6(d|@bh23)m?w|N9gDR_(p7lPc?&pw
zK+dpHEzAfaA*@t}usB3<-`RbA!j)hC@P}V4+-$WDZP?H_@P-K%`=uD{0U^agz&swZ
zM?|e$*n^7S{|sY2PFjRi!HjzCP+tZb8($OBtzwLCsd-wwa;tQNMp^_p`;bDXf)X<s
z&Uzy?l^54qhI65HgD3V%f5_Za+iJ=-b`2UsdqzqlDa1!;pX{N1Ua^32>h;C@yck~0
z7xs{hmhLa!S9@rGO7OVQDDe@W2z)7Uwm)gj;ZvcwQW!aJidSE%sG#~B)B~x<;eFxK
zoAfCsut?QHaP|dyDRneO&K%P~={Rm@TJq+z(=Ga9(T>_qJXM_#IoCE4cXV#+56H2T
zvlpTPW+w!#y>fg7_Cl=Bs!L9sHy}q(F1ayiZna4|fH0#(reu8fFnxgYi&lj%5Z@uY
zg2Qi@;E>~DBjdAQm+;@L$d5+G-#I)h6vK(na(JH%hnzqRM}aR0ZHit|49^H{l05L?
ze&WCM9LRBc4&zhu-^WXym%#T(Ua(jU8}AF!cuj1)JVrx&kHe!vF`UNB;e86+Ofek=
zzC{Bql0Cl^z97^~aEbwuyyMTwD$ntiJSQX6v-x2>+D{{9B;BujLHISsD`@6H?@OS&
zl&XhFL12~YR8AwulIqA-RkRNyw0J7&jw2GxDxxR@B~ej5LiywvY*e0fO7zw$NVO)>
zO_PP0a9jpeN-4S|Jkm4o++d9vZJzGFnzQPXfwtBo-u|7#sg2#S>Sa$RY_q3E3{l&H
zxz^=yhpHxbH8^{_3tto_sgawrxi`G6+7)c^1-hGEz#q5`Y;eN&H`x00X<lXP<AToz
z@g@bnMe_%S*R}8k&8rgJS8{(w^D4uu3;JF0a}t0<zmwi;f)%51@G=jgidQ-h1O1a>
zl#<Cvhokz*$dLg?$y%aj7j?MOU#STP^PbT^G6z3))h;JRzplFK%fpp#zWVAnPkfo^
zhsD4ceSVY8-!HVX`LBhCis4LN^ZTPEaKa;p$4lU(&v1Bq37qy5hbK$mWFK&NYcafN
zoLxomDARxV{XIo+J6l%{?<<CDhm_~PsRaIJ1%6=({3->0c?n#-|6&C$`{ww2GeRq)
z1CCG9uQ<Ge?#HTb1Yf5ZWE`2yl3%qfoTa9i$i86mlT$(=orIzOFtUdS!S9lYBx-#X
zb8}%MEH#_G^85>VjM5zJ2umDX^7O=-Y?b<hHx-91yXJf1CNl~VN=_dhH+?{S9<oS@
zVZQFTDWdi`%D6UmDzyw?$6zsLWF{AdQpf7O&Uz-dZ8%N5Hm+J}ZgiNvOlJGi0edBd
zStYuDfas;-W{K~rbX^QDruPS!oaXnl^^u>$<TQt?bnO#?1LgVhIz!78KgH<uMQK0n
zW&3F@JR}ss*?!{pM@!(eZ#cZ2!+8vmJ^%mV&)2+6&o6_Ais9_}{QhVOoSx6&?Im!M
z8yudM;jm*7yHwyA%_~IL(tC-n`TZU8{ot$LVf&B6;~dW8k!<|mk=8}S@WbPj#6LK^
zPbh}dcsM*O!!aJjH5GV9^Jlit!r-^X@C4wmLVuEc;NZ7jHN&(l5~}9FP?TH8YzOQx
z#GokWp7QId4<yAg<et|&MoPLh)dzqtO39JQJLGdN<eG9%E9sISUg7zY=bZD4;mYsJ
zIg`J*hBW5=6BsM$IFzqLo|@C=>lF8`r^AQ*+ymuZ@pIkCceSabQH~wWu8g*99^e@}
z{mU)Me$g~<ijQV9<0;#Y&(224$&4}NAop7!_dUp>Rx$=9*WG%O|2QJd4U&Ya2EM2@
z1J9Qr?H#AaA*aYQ?Pr+c+IvT5fD9$ICYDiz;@*jDD<R#rV<aMo!W-)Mhx+Uzp*_Q$
zJ4U0?(Oq5f?wW5@bQ>bbbE>u0UDaqgw<#Q%*gHJDcOr5i*VU1y@sn@;4`Lg}?^A0j
zpD_mpc@`KUWxkLXojSnD*)Vp%%q#<m&Z1H}w*~Wa;<FW>t%!*;-338MI&Q!w1hpk+
z>)^<*6y9WQt!pxw4OUZiI_c=JuDo@4Au-Y3w8KzceQ~8BIFMb~&=e`WTQuc|n}+vI
z-Ej}m!0NJS1Py3m<tbdYEOSH6nxt-eeC3OD0LTId=~YUGicy?hIqXZAJQhon<48kd
zjQn$tRaIPE8BGeW7K}KE<(KidOnwn)XiDCQh0;V&^Fhf5RXw>USe^=<`QU!q8d#Zi
zxR*EcAdjsV5C`@iWe2Jl>&VO5b-)<11bN0Csd<-r!$wy_ox>`!WV_py<U4b8;4!`K
z!U}IAPr55g!~0VR79M!gpFjW<udk#$1n_X$PZZayWN|%~=P5jmxm6%TN|L!{m{oHs
z37=|SCDbYNtZ>n{Mbou~3$ac?Jln~hRjYbc%d$Gur^y;}4c<<<CoH2PXF*L2q#5di
zk9_#Oh4($1P3fAKg=Y#A%hw!v$2;UXu$WgR#gZ^5DX#-_0$-HoNIv;W=EEny3G64(
zzZO^zsWtz~{3a3$L}rY7I#}gtoX;VrjBz)dT$cR;5|=BsvtNE-c5QNEXMcZZcYptj
z7hUv|$i%);<fw;2;}?vM?wg2QwmiRSVPVt!G9NqT2V?B;2}^S!A8sY{`SQG(-vY;V
zYMxfvdZ{^66kjH8#Pg=wGL#jd=I&HI`r$|arLVTZpffbo_7M61B)Qn!yqNq6=w5m^
z`7JBSZz=swe!xoRH$+Wo(AJkR7A<t|S{1L7+g#ln#XFO7xOm@lwdW-9LgJ6K{sCJ=
z`pFAN3lF2u#bd(l2Mz#jpF3~>W02MoV<20Y=P4uG9?#63mVS#<w<+FEG)y`4c%L}{
z{zO##l_T#b1PJ$olI6KV?%+L$Xy83KJs>=X_ta`wf4FsXhg2Ul&&<c0=xyMTlsm+^
zDv$TmOi|MZ8_0o!Ez$SASGe<AH{S7!<&Qr(|E9OTi{|OV`^Z+RBwI|@E!gj*LufT^
ztG^bHh(SEH4ql)MoR9(rSuGD<m!yXApIUGmdSeZ)R5>7uD_Nj)t;g>q#pw_ZUER<{
zEpXVOZCwS*u-FC!eV#i*D5}IQPQC3!S32D#%+bHEbe=UB3=W?4|Izjy@Nr#L{`kE2
zrl^dj_uiW{qtT2;qb^HUu_arUWm|UK6W7E}?DROj0s#_-I6X_2&=!b+KpH6|^xsnQ
z3GferADdn3vXlS;mKNff|M%Sc-pt6dP1yhbm5kq;JMZ0l?z!ilcF#Sxd}Gg9Bhl!{
zSv^8acTw|QO`*HHfJ^b`W9m@PY@xWiC#W77Q3r8fSX~aO$Iw4HmJR*;9>Z@pc*kYH
zuea_QTM~jTAG6EmC*|zpXP43$$%JPkuH+%p;Y!vY^WC8bh+Brk2AN&ZBX&<pwP5L<
z?+f0RNxm(axh>c?-~CZ_puDd4rmL3qX#f0YZO^i+Zt7iE4yZp$W8VSTR)c?}>+7HL
z6syyC-9CL9Z;<>Xypojk;7Z;*+T=vq6D1>#uqVhqO`$Z!V#$g!wiP{vRw3x@pPJ9f
zY46yi_c{%Ui5>kE@@#N=^_za1Neq>`hZ5<F)%s|*<nP%s7K@E->G7AcQN8-&eaUsD
z(bcO*OY4&R7#;lx9Xi!I++R@seYQTwbyTJUt0a;iBG!1oL(K4rZc$xLBHtxTiY3A2
zvNMy#7Si@8e)@ulUK0fxz>6ra6?vignx+Y~NasOXV7D#ZFom6&=B1mageQ)jyl+bQ
zaAh;s6{Xc|jv67U0cl$e(j`2yK3)`ICCJ)Z3nB-wmjk1xcot{`X{Cro9Fi8v@*qU*
z1RLMqA$%X(Gx!z{84l2kw2{#ZMF;_o_8J`j0Ns#w{rBjG@88ZaAIDpu9|HPJG$efN
z*xx53)=5T7i*yT)f8lSyKk4eH-{Dl()d|a7n;?BiP?;EA(5_6*E6F!Yelo_VDZERT
zw6s$fvjTh6gm?aVS;v~eSae{veY^)6e2-{4ve^(B%w>m@<^#ham%__yIuDm)r1KyK
z=wa|4QPqaCKi2|o8#Lq@)iuPj6$)SCe~=YFP&h$OX9LnaCtgYvLmM6GoEX{>k2T^b
z_WI-SF3Rc+($T>IWkuRsEFKu7`>!?lEh($6rL{#TY+qxzuJWCoEnds<E!h5{J^qE=
zP4j1kx{JNB%6YrLa9r@@=R!ij8t}0k<Iv&i`Va6Xq7!d|-Wt|~<j~nVe>z#Wu`>BU
zn=)0Hl^W=$JUt6V+u=A$^o#f@`Bm(gy`;60-<-;bkI^c46jzE%NaOtkcq5OOr}>fs
zJyH-J4qImd@wz1Re{7Y<+_5h@XW1yw#z?!+UpV-{Lzz~uUDu{{*@MN^o`KY@sR7Sy
z(co)#Y1?qVROX=v4;Eg2S+H-i+eGokrgYC`U;XN3J!!T2Mo~;}s{HC@@>%kD|CfP_
zOq~LKq^l!NyQZtx=RQ9pn(yu)+l>1VeYm6bAM(lSPmzkBCBu@}0=U6O`^R}UFN65|
zo&&k@(28h0w_){AI+_f4`ur2A9mW0oqLEZjWN4i}lHBPIh5XC5`u%R7!?QgUnH!G{
znAEMyvYC+#SzBDMfvyEOYWl_*xGi7RCTUO6=~}$SW4SFd4@R6M;z6*wK^u-him)nl
zNY5ae-`=KC_up{G+tnIuI_kTYRG{}1F3w$pkcs!WdwWavYkvlC_?&?a^sn&o@c6sD
zP_Eu0!&wBrU3E{w8GN@qdyA9N9{KAO{fPXxh(8C$DPD%J)e|LAP6=kamxl$~%g#4g
z$YitnSbj1%T{L)FTpHv|@U)dbb>F-4qUrx!R!V8qH{hrZ`=-jzIbBr$1RDT60QyBO
z2ltXWQl|@|1eyZ`1J5l%w6C21#Oz4gO@kd=nBGi<#Jo00gU+zQt!>q|Sj^@Yv)>?W
zylX?VrP&ziDC^aln?zCP?o3VIF$F#IzRu0<6I;tQ{&cdQU9(?+`$amhJQmP-!M{FH
z8=IQ0%AaR3np%pj#P>zIB*siYe93PaznfBY<}<89lCDf6(=5krJwxlmvScTzPI(oa
z$dW;Z^@t$Jc`zh{aJ1m{n!E<LuIaN6b`{jw?42L=ZP2$K(ITaVaQ&sX-g;@}qOn!r
zqR9O(9sv!JE*q`uSaQ&CecskRQWy<HJ<;A+9x-gkH!ioy|4-3V6eVTHRpD9@K)FP_
zrR-vj%I#yNY_=pUqksS7z%|z#xVp4Jr=l#BgqE%j&6m{KuCA>5OPY@VT&dfA&aPd$
zi3!P9obKwHF8ZXEe4d=F*RF<a*#KPYL3fZWtu@JV28~4NnWBSGf13DAfB>iY08z5~
z*s)`444AQ%^T=p{lwf=VaZt#~Pkf{1DOobM^&Nkl|B;W3YiL|&rt}dxk?YMA)&!MD
z*lCV>3OI%AJ;_d|xAoXJB()<y+k4%0g_I<|%r@9?p7l$#-CzqY>1Csh#K*6(mpY7^
z2EA==>@9k{`d!!JKc%n2J=7rDL#~ZJv}b}>4!Bj-aJwWrNCtyRZL<70jnrG?Rs+!t
zNj6$D!ciq0*9ykP<0l?wP|$JRbw~*Fq(fkiiCY*f?z$zs1dh7y!@Wc<hWWZB+^F%;
za#f?oLjtE=c=EkMzL=jMh{T5Gb6uHCv9mKR+;in)*3?+8IG(m#9EwE)m>J~fL0mBI
zEZ}*yRq`cq>WzLY$}h%kDvB>8FE5P+@o4g3^4;%*6;fuFLMFB!J8|?_1_$~v*peZ@
zmJ5+Y5ltt7C+muD0=~Dt4-@m7WvwKOL5X;5^y}91x2!%ktUxi)O;BKK;K>jW{m}Vd
zuYm7F>iCgGK%M8*EgHVw#J!>1u5rLxa4~99{JP*VijJzR;nFVOQc>1}hJ{y3+a^;T
zGv}0hwglHWbAH4VJ2anuw6!lA>bB0rc8I>n_@3pf4=fM1BYlCb#gz^o$alHSn`7{D
z5#F#iodnDdK)pxd-b*ayC1yt5>4t$N=S5xCac?PQ!b2%AOWQ8Fl}cG7xPOu&NipUm
zgq4E<>#-1G``#Ok>yI7VV7_5@@3ygcd~92PS8s0@KKhH!eF?_V?(<@kd$1LEMdHZ(
z>X}umW>(KrU-TG+pMnM!?Hye*0`<8ogI@0o-#bd6(?&f>&c;EV;AR6UJy1iH$Rvt|
z<zYKNJytyQf!lL^(V?}uCS*CyXNgWf`N^-?*Yp?0Ql=B{48+3;S?@XR{(vQM{h%p#
z^^f9m^r^vDyo3ifaskS4)WmR4wh$0Pya_XoH~}9C6Xsw9B@uWDtmHC+AA=8rHmVSr
zqKsmg+`{u8vxFRp>HgT388c$3G|g(Ww>@cdwH~A0o@YyHYkDlVc9p2PKos4cP*f7X
zE8M5_^#w_Sjz@M8#q(I0jtBjN<?{&Db?PNDrA|*IN$PV&iLRo#!egpvc({F3k6ThS
zJIeAxiWN&EEcBMoUXkgT*<J3TEFbOu_R+Rae!69(5axM4Ld*9}P3)hFvOFL8t^?(w
zlI8<CkG$^}{w2hGaGj~quUb8&9|R;sG#SRZ@z~V~zB#1KuqC^*>%J(`w|R6CX^Z56
z(&9=U4Wu)Lg2A&(6&vm)@X%>*H0t$6BG=;M^+h6|J|@nl0)bTH=LCXonP>(4a^45@
z=WE0Vm_GX&=qv%h{YC}KGibDYs&v+7d0oHt17bgHJkoE;yUk@`67Zj_=hm1$b{x?m
z#0Dv@EbA@Ne3yq67X0Z^Sp^nua}qOlE>eYSe7U9(U&kaE<8?qQ*+351<+T|4C9|nc
zdCw4q$(|fL=<U?{g${kCk+ObM;ohVt27!ej`QeDqk)0|tI@o$qEJ(;%`c@x%=vbIZ
z-{JY(rydfzT$w_y(@FlHT1Q@biOXOX*TQ&#yKciRfnHvSV?IrizuYcg%nN9Jjdoc#
z&VIiDdyXxz)#rSERgdqEc&1^d+d8JYZ@Q@qIvP!Jc^-&GHpjmr&+*>sEqs0;7MbQg
zx9^ZEk(F~>f$TmWdzM$7;C3JMS{j>H#A-nIYN_d7OL|xzAMPWecpbujqee?90#_e<
z?_KwruGMng>cs2Eq0n-@$}EmC8d#ywdE<6MQVS%cyTc|RkS_@_a%yPcSfnedc%)!b
zDmYraBymlH43SKOe3Da%t5{d;*m3N!$CCNAgOM19Ip%N282g2z=d4|O&T?~dxFbKB
zG9U0oqO_u<tSwog0sbTWk+dm_OH}w{0QAcF{i*mP7rIhJ2StL8n51RlS}3QI{$jiB
z$1Q!?>_GERn+NnKuQ3UqIj>Zzd}g4xcL3uqRR0R(x}ZmR>$EA0rMm9ZIC3O~xV29F
zPMKv~O3|qdjl19J9JCrom)^^F<!hSEEzTBiycqF#4W6dfCaXhpj%fO6YGZq8ReF8<
zK-{d>+#m^ld*z={Kl!*mFFpyeULp^wbb9(~T-|A0*+Jqk2`fAQX}hW!E0iCu{17WU
zq~EG=egmza)mHMCXz6tug{)p=6lZ=(TFGw$St&jX(%QM7l5B=H%ukAWP(sY2CC@4>
zjb3xjv2TxQ{(R*%Q{SdoN%-nuvxI>6yz1`7Hj8YO)v;gKJf8(^DOv(q+*%N`h!1&C
zXnn60zf(RPvUs^4h1<U5L8e@v<VB{`YQ*PAlOQi1dF`+(RTYqZ@wI(eCGyBIwdwDB
z@0_qi#k-0J3%9-n2i~UhU^u;uztj2f9wbYOa1^bs7s!X#j(CMdcHNR_OPSd)yAIqF
zGs=K<b)K)mfEk5VBFHm}x1_u+<j*t8s}IB!$ZzhXOa|-#Z%qC(Irg+h;TcV0CVYC=
z-l`GP@ek?3zSBDQM&?W(qyCXkfYt~6kZOziw`4`S9>e@BC{c-NApL^IpH@zY!I4Dc
zCm@lZ#*HV{wNb^{nWV$>Q6<@Sk|&LZQ22WOUHM~6ylJ~HY@-2N>`;4%4HB1a|Aanx
zkmZutzpR@tnM+G7kw&J%ERi}hUuqMR56+BHB8ClX_$1hw^Oy|cx*xDjXLEBuAdKRr
zjzEt4Lzw?2)rQ5mUt&YmaZlKO2L2_TO3U!724&HXA+9Nr*MRn;Q>+ZbG!zDAEx~O<
z$o<Iz?Yp~c7S#U|8AD&-E(45a4s=d=@*-HjT|@^<JiT=~=lhj-^e}Ndo_m+5nKA%@
zn&t5IQ)JCE3O~~%NAuoO=FRhr#7xJJx3-UN>{*&S&lhd_@RBv?dJYc<a4C=fk|?se
zuZi}esO3C`B${b8uo+n6nG4CsMX4g`>HwEzD}p7k@M1$M6_VG{Qf`~(zJ^pE_wK#y
z*wIm~&|k~<@s+8gM`@n5VxCbvX+U-EV*D<dXZ8FGe5|#Ai|1URIpzYSSRY|496XkX
z=-?UPUMuG)pz)`;E<V$g+$hn-SyR|lyS2ZTAmyJHr%sta018o(q%2OJa+D^Wpc+Jf
z#?T+n$@H>hm8woJT<@pzj%Z~HG5|Oxy5Wit_yU&umw5Y#Y@b|M?C~SF*J7_<jgHCJ
zggj-9KF1}}tiEo>v*j5XM6|9%+2yUWO}j{|{h>MLCYR$K$vn9nMbk5C$quLEop*Mn
z)#A_4;8ME|qeN?A--5nM!bGRb3)fX|uf;*3oZ_IU9Qiw_{P%bs`72;oA<qM^4>6Ok
z;5oj3JumO!mSX_nbH@PzioPs9UelK|vcAmqL3*F-%d}?=?I?O8-v14IpX=51K7TGl
zdNrP-^8Xeqweo(ZZ%gni{I@vDWMU6I$;XuWcE%{goE(Mt3^Ka&yx6qXol_0U)H}#B
zm_LL4L_AuNcGZWO{lxcqh1qjatnE?uI_?GRW_*uy)H3d#K};r2Qp2xgE%Ma%inoQ5
zDr1=`AULr`Qq<}gN5Zk6k_`picCi-lFp3bL@xA<tPM66Sw<CvCW*|N`XA8GGoIQS9
zpylS^aG@g{n@&W}ny~qkHpJ`s{E+~TD>7yDo{n<B+aB@i{bjemJLQ@jaHk`IHb=(d
z9*At6b2MF~4cI&Z;T~_q6!BQ>{>n2ZXP2i9D--N2OPn1K9_+{bPS#`A&fwip4gnw^
z2ag4-dodK(7{xx~xNbSsvS5Y57!D82=kxQlnlPU?`H<w>?lZ|(ePYG_vC%z~al~;h
zBPZEKrsPPzb2w%&#D+WbBT33YmjnYyfaII%aZXF(%<Hl7+y^0HRfJ+uxcsD1FyDPa
zetGDiaKn~nmlduBt`9#3x(d{N9ZS3j_2coB=v74rCZ7T6U1)(Fadc7yD-QR-$wrCp
zO(U_%P{BUiaZX=5jvxqh4Fw%#`_^@t)#HQS$&h7rHtp^hiAToAhP;w=gm@kKW}gRK
z>AKJ9jO)0BBhFKZHcwv1jo>$mE@<#+K;2_Us^eONn$q&i`EY+UaxgUJ8OuaE^x=Wr
zOy4qpw|7N)OZT?JI||F9Lvu*yx5XLoxs6CSush^0IGvlqvDuX~DakNgO!TL0;6xNN
zM*htf_|9vQqe~=YUC*a1S891>tqB?xVY$Aug*;27?VIFh*c!WXoO-gzR(Ii)5qy98
z`eVzM{pkWpR2wX9m+cWsm2aMR*$;=k<6ch?%M^mjRsEyz9N-GqaeD?nqC{!7$y|cM
zYU(Qj+*8b@NzGqGb~HmOW#!Sq1IA~@PbPLnM?E9)bhb0%jd(_k!kX`DgMs++qCYyY
zrnNn^#TJQ2!-+OiN-$rsrqz}j&U8%X0kf#;0X_UX)0OgdsLwD@xy?k!R4n#KDl3;n
zB|NuIeg4*TCeW<{b1kY9d#(gW206D=V+);w3;r2n(c?@8Y@%~K6dB5SLOm-|o>V62
z=rC$5F7TsedsnPDI2lcO77Pw!xHskTS<}Pq?aMn|2cpqv*zWelY}m(y@c_@oxfHY(
zQj1|+qK!7H&GqEkY@H0@C8Ql2B;B=YbGVdxU3hn4Ak?NFId|u_;uU9=w(YtU5*pf9
zCvf;J;4liG;XvJMxFnXj-qy2-t>qc&Npi$gJxn5ak+VL=Bm!k*%G4x6o^gVj9AJls
z(S~3e{aSd0q%eO9%42RdE&xt+tSSeM-k3ew;VVp}G80{%Y_PpQSe`YQ%(0LsQm};D
z2g+uDQ4fw1bSFcu7PS)r7QHwlBi<d%^jRg_Xer#Ab_f&3gxME#`#iDVd4hq6wJqie
zMt}m)Q9HwdANGH)PDgQy5Q#TLh}2h_pJgLNdHX-3ip$(iv9?J5xiD({+%zlvGC7Ga
zFu?OG8<l0QUh$MBd>Z`8-f7TSo!&NQCfzc)$+yZ_@OKPr9Hai&NT-+1{>aRYBtd3E
z+~p!72`7?)%1bHl27`0iT922=C^MdOgThv>JTOHaQ_f_iIBqlYQpwu*lGy7;o2GV1
zD~@3@iVg1Rlg?=U!oGc9Xgo&=ZGm1T&=IxOrL?s~2dyvDaLrRWxRs6t2?|m}gNqMt
z-S>qr>=Sm?&l+X>FN6ohJS^Kds7>yhhsMl9i5mIANSygoFlY$o13P^-QQL%oqXm@-
zz4**lU9>YD^mwzLWzo&OiP5~Ty^vJb&T9?kQgMgPX}8S>6Q)oxk}f6_-o?1+uKrLU
zJJ<^eU4tz`utkWTp5-oSMm`b1<^yakbbg(zEG5ryR%>F6z)7jE*BCq@zfA`7takaN
z){rSwh%$)m5x>XnF#=Hgx?n=MsfIh~ldFUf);$hFzr9xVJpYcfSPx=vE573lFr39&
zrSh_1!da~6;<@YDb5lY<^(XOie7}Kx$M4`B=i)v5j`wixDSHpk2|pGuM>(EDIZiTV
z<?X8P<J{0Oy#G#637xt51L1OE2wdn?XM(Q!LH$h7ABeY|?m6+C+H)(a*WnDx8&KQH
zXY8><*PQIA7IsK1*i8K}${RL5d+6{p8xw0E-MsnHwSX&+dQ6M!k<}<(4=4x1Ox{sn
zKa}zYxrW5XXAU2tb5S=|AHdmHd!c!}l`|>#ir<($@y%Jhm&1EP?LBB~Dt=lBq7)$K
zPd<}!@2r@gJpmmYXHxR^x`5ed!O!XBSUU9u{s7P--H}7Q6?YV!*UGF}ru`5nq8^px
z6G5Oi{GBr?<6Wmdk#cYEjMa}2A6H7;sJA%vCa>3TTiG}3jQYC+rF@gRDUYi^>QwsK
zhkkN+>-~h!8@@S$H;%ji!C91)2flt5WysDC%(REB^|L6u;_Nuhy#!e)(9Iyjl_2X|
zX`?RaofiE@G3BBzSZ8`MA3VYVVF&g=>a=6vc9%1oZ51fkBA!6m@>-b}WwY$L@rJSk
z!dg}~Q7en$xx?(;$y%8gZOpT>sajbKW$W3yD{5s0yt|1#hae*vmIR*TZA{n7qP2Ht
zYGosWU-b)V6JTCdD~qD+MOH>$cHXzNa7gtp!s~c$wpJFze(q1PvNg3bPjx`pq58iZ
zFIB)zJf%8?69!-8c#+GzD4S)^0WY<(0bwmG1775^D4sja-UVJ7o||W7R6lPchIZGp
zcYznVtblhnvFCsnxh#R_cpJcrTo$dp3%tl>Bb8sPegO``@S;42vKLty@FJI`t0Ss^
zseX>*MJ@|gzO4EbD+6Ar4D#0ly<&%OC+x@|^rQxlXkD42R9&Qu@~sw%1W@EsP0@s2
z^jvhX-Q{W@jN*!%xr0%6H0s7j@9SCJ)wQbR^OaV0b*=94&G$}D_Vi3n_5uc+$&G(3
z!rP#!g#ZDqSDX~;!NZ#b$RBd3LT@aZKXeuZi&MWKxW}ZXmbT`~m8c4JdGXII`s2hZ
z0oV9hUG>vm;7USo6hn{_D(R@++J*%l^vfen?b(@~0k17$9vVDrbdA{`w_nyjyd&-p
zxgEW86C*ApOLuOT+XWuiqTLibh0eXS4|T?d?x9suD`<hk@+vtp^lY(4HuESV5!PKv
z$=gxiT&bKP`b=@&GaAi1!`ou*9;Y>E7z&N$yj=-Lz#B-r(`9`+QOvuX#bKx0=5UyM
zq9LO%?GCn^^qo;}HVC%~jeQijI?V8H!ud>Cd|V1O9mqoKlw1`emoWu-NO+K(a<rhs
zS1D-$L&ID!gi9p-<cpLr?{M_ZE05jww*LM{=d|k7#-6|aVshhq)6ncOR>0Xj+K*sW
z35YmV>upe;sCB}a4j7{VFB{WC6h&1r+0bIN!Tx!+wAM3fO?cd)sLSj%<jk+#t8H^P
zd2&&kgX72TjJo{(R(<FTTY4nP9PSMG3o$$4B?h?GV=TSk?F1Rwv?oy{jhT%>MvGZS
zKt>SyIAn|S0FoWaTuN-FL?iGleQj>R)w#SQ(`(KcLbmpdCf3<Eiq-mv)mIGoG%@|*
zZMoIG0grKctFgB$GS(L;#O?ELU&)styQY9~+XTEBKy7>#<s|61gP+!tY5lmF!UO8Y
z)}@ls6Zd>VNQ5)4Rw=t`Y9hJ0KQlYKp^I#-giOa_%%3tlThe^0-bY~aQHru=3|^5L
zS8kL<m~lmE{gX0AvJ4~SV3QAJUSd}zWuv=pR#C#A=fdTbBkT2q?D2xnkKRX}{<I_2
zV|KeNW@os`5lH(Ze!V4-az?t1YD;^-o$?xu-jv(dVNjd8<IZ%z@`lS}wcAW~=W{-r
z(_wH%?6ff&bT5x@3-Cwd8&rDOxPa=!qeOW@^oB4=LFyLtrcAy+ZY}XM$XVDAg)}wV
zN>4^znwZ1t^R}03W1PnrCyIVJ2ORF)_$&TQ6qcU%$BReV-?J*$xvCe5e+1P?^~2!x
zKZ56^@r-t-yt&Oucyd1Ah&c6nXT-5)JQCR)UN*ieo1Gb777kr`)A-fHG|y>W^23l1
zN<BK(F|Zn@B0@uCIaw~Ai$uof?7Xtgq2a5?Z@Mys>SnUpRpZNeJ?ZLSRR5wn0%&UI
zx7VcvKjJ}F)#Tuz{oYv2i%(O`=S?KMJ_-c{Ji+R<s!yRFS`m<ER(+d?vZa#1OERp=
zm6aTcl%RH_o=AMzjb(kz7xcrr?(CZ*S?*E2A?y(E<MLh5LcWm=p@rV_ZZ6;DGB3(z
z*>j}#@aMdEcP%R;y@!`Y@!Vnd?qscuo||W7ke%{#F_f)m?~>lb-!0(XP3$?+dw5x*
z)&}W4avQaGN$=rhBdX)7Um)iK*L#%bjze3ZGSYi^Sz1+r-g6zwNbligLDkLBd#H@`
z9$w}b4k6#=S4FM%DuxpezHegR-^;$c@O>-$ek;aCto{u;+dHKsCN@8*hgL|*Z`O)T
zKSqo^k07O$cmaZo_RmrYRzhldx^dDOEpY1I+p?vl$<iz~Sw42_HMbse-{cY3CK90)
z;mFh*!lRYBJ$s1XkdAmG+OuE;!z}ijcHLRfS_m_h?>!HpH5*zZ{lLap4DH`>V^Weh
zAf{`Tb4<fq!&q$;ksRPFEW<Qi3in3_I^5C3c5iMtI@}Qrj%G`%SC`QCqli=u_{*)L
zWnH){XcE+3XM5$heMKNp6##CINS#<A^MX#<S}|ZFMaV3(Hz&0%o5c0l5zI?8Uv_GL
zky+UriuA3{WR}}|&0$A&u-xfMnR<JLL%!bmo}Tps!LVzY(KI!(Y|3sP8bgl>AGZM?
zbPgJ|sz-~25fZnw1D1O3Xy~y)l;ekUIG46?O>w?I80?$Ndo86=bFjl}rY^dRYs-D>
zdOYg}Rwau8J)48n&Mew#g%*IZL<=h5oM)iqLS2&kNM^saA?t8KaD3vfyB?>C7v>hW
zFYq}{^-VLnA*fZTPgqi4V?71I_2@nKuu66;e2CXU_<kqw9bzz19WAJXu+K9lza_jY
zXKej3J3A1L46e!Mmb(W`5r5b4z@Xna`9aSt@)Go}1M>R=A;*}(JUKGDLO;3wYql_r
zIrZZh!wdC;@WQkrT$=z3Mb$`j_&blbgEAVm7xuqr|Ni$-Pd@m;%G_g*)$pNu0QDdW
zN3KVrI9PMhT-Z;~R_6F~&FFIq&zUj1XqIu@kxE+k#mQ%1-CG=YPPK;2Zts3`v@9G-
zrMsQ>V25C<{3O(yfwx(K|AVMc&plkIkMwEY4_e6<<aIKvG{~nswa|Nf4zoB5`7Eo#
ze(CCqZ~mtX_jeJvk38~7<!?_cyR_EE1lrIrm^tkrY>iVT>L~1ggmv-54YctsJn!fE
zkpK_PC3=r=s=?|3@erN~o1d>`lVRffD=B9d!`<o5pemfd(j&PiE<lX1MwH@XsnNJ7
zs?`!f@!a(EbCtP!P03W;xa;AEcNycUr0L#TKWMJe8XAX(;NoLIaB<#7e2-&Ifgwlx
zv1?~a6%HP3mo&PwaS_!zYVxI>(S_vE%G|fN$JQl|p()I3qU}$Dw#m+NqBVt^G@4d*
zPNJ;H)petvWmlH`{?f{9cABo!*^WY?qob=!I20UMS1PUR^9TCoaUBSrH9ayiIXN-{
zIV1BE;;*z{L7`}x>9n(lW)-RLi}?vZ-kMqlL-}A7u3cY#I5OCsN~99q)ICF}Cz<Sx
zS?>5zEEMvf4KGeE{|fp>r@hk&XGUO=GQ&mWHb`2iz)hUElG#Jw>9|aIp1Jl;iVQr@
zOOJgbN7zq0ip37>V0vN2+0Lo;)OA9^^oXJ4^*Jp1wD9HWG3xNx^p{48#*4QqxL7!B
zbr_pww9Pd<(7ZMR4{5+i+=X~6aVZ?$1YD4OsUPFC7%TE2P9=H&ZsFnRaL${Ko^#3C
z?yl9z1e+plK_tB!GJpL3`+qqUpm05v17p5Z$^$2a6$e_QR&|hMv=hz2BpIC>;YUdf
z-XxjMYd&}&ho9ZN^pqyJjtt_n9ShMx=b$g(iuihy1!ra;8eiovIXb)^SHjzuO*t~d
z!l6)T(&loStQNh?T<Y|8#%zAysM%sQTdjJRwJYQAPSVy*z-z+j?gx%^pi&Mi8G4l4
zo6cXdvRJ05`PL)Crpxi<=7ojIhuM31^z#n9XJ(YGmiyU^_b6V5A`HRHYTL5djrPY|
zHtvtdV~O1h!l6Bfe){@IK0osMPY*#S5UOvW_Ulj|8Gn3UDsxha;6#m!0&K3k<xsKN
z)FQSRn~Ue(L`3?f=<;}cdGt#PpKTH@7yYO+#MX;B&uWYarFlT+EybCTDMzt06d6Lh
zgXshem299dYPTW8r*>M>S!)mYG))>w*V2^Tl*7hgNv+fPcdfc9-HO{LO@g5Na%3D?
zRKj2Wa%hrWD|62m^Uk9Cd4^A7B3A-dH{+Ki{Ye9(Sw%CK?VDy$=|IhNt`yOea)%wX
z3LTY`4KYY`3Yik$qr38=OQKqHv(#kJgbrVL`6bCF6ZAAw6JYznw^kb?4oAee`jzi5
zm?JhgKfuNLn4AZgjNsy2BOzE2jn7)+dI{wku%2|f5k@B7Vr~%;OCLXok-1-RZg+Qj
zJe}_Cm0#SC?xH_V^mhSuH#0s=^g}X>%zed8Lv*C%n5PqrthE!2oS%I}=y?7G;qno|
zyD(h&=>i~<bza~v!eb*)n+ecr5iLMGk79y}I%%Ah@%CU2lF8=*J{i4|#ai3_1l<lH
zK6F5J8Hyc3kL<P^J9{?m5}htv&J_=@OfH*R*P^!Mv_@xJAt4+ZNSFGX?M`#sxXm>^
z^Vx{SwZ@<?Yy9Q_;LBjX?2{(pKnTM3#b+9e?xzh-a^RtrPU@8a5I;DKK-GQ|A9SMy
z6N9IbWF0_9$cyEbRR)BlQ}`Y&9M!!JSk;DR{O``3Mcp*FUv14g2Pd7$u5M?<>-Biu
z!XdjOD!g=I!EE0;)4n|Gn$H%pDc>ztK0ah4bckQY$dd$7B-dNlgAKy7(ZLRvH#Y<$
zxh>!7Fa%SHkloXoF+&q}W|yT?qa7|s+gNi;A)PK5nwJ|~B)gccBI9X5#uNEsXf}}B
zg~p6*Q657~$e<I3I8vUWReu(vCyyrQp-60CmdCMNqP2dAo)3&nyOIUBCuP*^-_RtQ
zJ0!2e4et;{_Vx|Qp$@0jR60=U3Yner{+sRXnPLvG5l+T|6UwbdYl$2y6mJK83N%FN
zMmQ`K6-e=7eq0G>AvRDv=15s%W}Amd*d>cB0^##9tjv4b`$F-ah*^}rq|JpAk*Igs
z-b-8oXGA#U>R6UeF3Y+-9sNOrsWl$34Oy)(x)PKx81W?Vjh~R#V~v;e8iLG)j}0Fu
zV4yi=0~~5x2_6%{LoU0T+luhwNA{VheK4DC3*@7=sNQOX!07K6E`MW{x|KYQTFtb^
z?KRH5K{P@cs(vkO13rqX5!I|}lRR3DzE?)kQ&{9BQQHlHM^_!bPsuC{WejnoCQ$Mj
zy7mKL3J0e_T?RnQ%-F)tH@*d0(HIb-2o#b`q^)HvFl#^{`qwrlKjzE!?E)U5aevrf
zNZ4}*6HH34Gg0&goJWdk4f0cZo2+_`*5NIUEZe=t>T+4}@rF_^SGd*LYEJ&T*%or7
zo$4m9%^b$LZ5{qVHfU^~(K%ZEX<wU2XX5EwlG*O%Lf-9Rf9~HoOokRgG8irLoXUXb
zZDzDhbBbm^jgMmO>Cjy^F14xL5Mh|vuQMZFAiv+>F?ul8n7Bih;PlYfpAQ7h#($&n
zfR76_aKE$>^TWubIY|!#KBR|fIjaDNV?07j`?|J!!eI|Sv-`zg2b|6TeJbx1rYldf
z`l>%ry{>u?^_js1g7WARv@|fpsmVUI;Ob(7RCCUvW(*3%f2}dE)6;6vv^Ck<_UnC}
zQMuXIHOPP?I(@?G%2U3sxI;Lh00DX?Tpa?gxJ^T?l6)Y$j1DlTy>C2g1W6-)0$__=
z2FeBmbQC+ppU$4yuRi<m71tl026lv(DsNu*?&q&=M^pf7<B;k(v_X;-bAx(@Pm_!(
z>PE3&pc#5=PkO&u(rEO}U;!iD!tTm_esM-k>z;s9^kNQ#*iPyY-luV;7;MTk7GlIr
zBTM<)n*kx6U<iJI658!gyo-J%K0)~-0684^VB-io<no6p%Q{376OTY|);Ec^Tx8T|
zD@4l0{bpn!*=KP&0_fXxyDix3h;W(+z6!z!zDncBak&{V+E}!OLU+`z0w?#d5QiXr
zsDTnWG$aVQ)(!~PHH$VziftYfBSmVsff6~Ngn#LOZ1+49>d$(;+5V7n_4|B&EPayP
z7)hs>WnC`FkMu~^Ip3Ae6bhL%+}NOljOzEoKGx5mitWF`NH7hGWUL&e1dgPr7<`C~
zj1yTv0(2BIH&ke~h>$??6~}DINKjaf(+-6|9uG%moeopU!$hmsk+x_HvV8r$@KVI=
z=AzYN9^3wsB3>z{>F>!O$M8ckj$|A6IM9i6IM<kg1no|xVIYyHH)C9AhdbGh^qn%G
zVGj>Q?8r`NCrI9m^@f^^dtGDfaE#2jQbkW^Qf!{P-{91{JdRl4_Xm1RwykSZKxBKg
z()F!Y<4yKVHs7w$iV3h;uns~<BflI+hC(acKS$^>&`hbJM^1Pm(`c95XwzAA))p&R
zGl;W464FR#iE2;yIYyI4$Wk}jNwT#wns-cY$njlll!(n}nYai4WQZV<N(w*-RajAi
z=E-n^=MBTbwi6I{tDnH+BtN(IXn4Yt&83nlk16OjP4=hy963wWY__D`#*o`IB^+{F
zN5dY-RIS+=wC4sqreVFQt<{L+#YShyksHPw(hG-FZ%7Wvyg`{0GI$%QN-a|jshNZx
zno6X^>T#vMm^ot^!dyaF5!=uwI}HuO$A^2e1^vd=tDTl6LzBf27Y?oLzjn2H!-ln2
z`&@#0T0<^;z>x&rHj1AI?F=`<A^Xy6cvB29rELRXFo1EIPzi0gVVG0QGfJAl6r?+P
zyY?BqUf=$8t)jUbAPm0vxqv_TYURm{CB)l@O(kqW`^~CEWBYOtKa=;g%aM<lj#yeP
z%gSXJ>`VDXPkPt+L=gAw-FqJsG~5RL8|t*HCf`b(m;f?HO<<~|8B@3{sbQ#!_f2V&
zJCCF&a&#JnbLRK?jglp?E@hQW{vESN{3g-lBUtX*z56cuRGz$U^XBUqo~fVf0h3uZ
z*9emwrB=f;;g{UAO@KrL_Rd{dNDss?K!zI}W(+zy8k43oFajfu0|p7jAZyxx_93rN
zZF3wvd+!DQklO7ME`Q{oy9<TxNB+6k-CaaAO{zDAvjC58G5yJrY&Ceu(SQINxplLA
z$3?XRqfxFo8YulugDq>2))}3xmZlbs)2G$kus_?>qEl=1+W4-+dS4{>rX;PF1gFIy
zjNIyO_qcMdTPsh6azP`}q#L+OGMXUW^R3x(lxV_^E%feNulVb&w+WZ`ets?f=QKuR
zGA^x#El2TJw3iHV#N>gkMQPUOctCX8Z_f3*JNiQT<<6oZ;S9uDT}i)i`SHlgo=A7Z
z9C43YTmiq)=L=fCg$58;37`exmrO#JXmm+F$RU8ur^viTk?FL%i%z>#;|@!!<)Twc
z7Ip2r4ZAPe{mSm=pNByTLmshXf)90nA9eHCF%SZW9Zw&{lY);uSG`U3W7W5WuQ2}!
z&xc9R(atT!>p(-LD`BaQtt%LW8=}M3>z~sZO_r86Yg53O{BgRseD2!z-f){%Gtq*P
zpuROhC*Lf74t7ASW@nznsc3y4+e#Q!hM=U-TqQ$UFRLqN(6SXgmTxK|&gCXy!}PiG
zBBCMnTg!t%l2KBxAMfh7S@-YDX!SZt+onzL+HJM<<(u1D^pZ{g>r&R;jx#IYh80Jw
z%f7Ah$57UtEsYrUhJYjO)}sd!x3Q#$a2EuJp)A^@!K%T!sCQ&OI53g;o<Z`i5rg%B
z;gU~{f+=YaRE!vHvh0*<t28{S_hgIflh;fhjGocz5?{Mu{JP5AnM|)U!c3$8zYFu{
zN(U#e{yQ)iuN$w}&j_=qvO|uHLH^PT9NDsL#UEI10!4D>O;$H8>$d`{L<C-3$pQ~B
zF~*noi=>od(Y7HlsElBX55{|<*r5L<{ct=I^Ns{!0~se~XxJ52Ukt~CC)*c-v>hV@
z)}39JB&&8!Anb`_gypqL5MW?2=anNJnS^Ntm>fuw1f)I@fQ>S)?j9h8iNGcrW;O{q
z1(>dMDxUy!rCdVYJhxt_hEKp}C!au2IJ9kja-_qV34`aEo$GweBamej8NhtoBK|9=
zwS6(Xa`X{{Hw5jHoKOTMacCs!V+XO*23RMP58U!q(yo#foaA#(4$U4CmZ*Ac=8;v*
zJQ|<$P9R3G(-w_LmXw2eH#~)?)HJ_&#Ng8FeQnP0udSBldVR{H4I9myCgVfx&SbFi
z*~#f&>CFdPo0BP8XeN6`bth~hzJ^79NM#KxLu*(sRY=vwII$Q!@dXGQC&r4{2d8uk
zI>%Pa8qB|B!@Uw7Kp_J35e_MF0xu~ys0n;j^r*fip2OfEtyo@zgV1RIu;^Jq3-5Tw
zFBHUW_-%2VF6EwR7j&Y3*)q8<zu0`*=l(-}PK0iCyRbt11o}hkHP6Ccf+EA>J+Xrp
zGlj{ZMLdNizUP(^xZhKOQqti_mIAmsopg=I1O7xpxZR%Y4h2gH{!f;Iq3)!8G93=3
z)1h!0^^0g{o$#hO0*cSD=pM$e>oMxj0vrK?pKpughe3fKC(C4D<Kl$UOXrx8>qF<%
zLEnxd#a+WX%eIw65wmG<<wU-xyD)(-7SqtmNoTjGoZAyC6k_<Sn;y=MhRTlN=}EVH
za(XzsEL?UDPfzLfu31VkM<0gEWc5z$cmD+}$(t0(Des>|46-ar>pMF6jw@10knMzt
z89MQR@1mt0{`@>4*uJ<Ydzf+pptIPkfULvpIojRF--X$Rr#kQy?Fr2?IqU@a%QFO9
zq|}5DPzbj1@#Kq$wN(>R?BDG;JGv|}5z8c#1LFh9wNq#3SNNyBg-|TP3T9_7*sV#1
zcKQ90s3#T<=Z3S>XB+nI(RBpZyWN3^D;x;rM)NE7nfC*(Jc#di;@c4|RXZhJwp;2r
zXbh5RXWD~6kb}e0N{g%>qd&x5X=e&zp`l?=z)={_k@-Mb0Ob(HBn8(gey_Uj<4{~+
z=waBN&khN~?s2WIIn+1X*}E<>XHK|Mom$OZHwc2=B}iLrYkG8Tx&@6bW$Rp3@@JBB
zc6%;wiCMPj+L~hBUiH-&V)PH{0rtpV1+UKmWsK!K>8I)+^+?Ou8}0R{P(iX34ba<o
zFDc`M6{XZCIun+jqH(9))8z6a_1Vk%N{LSJS)^i+N0L6z-+%x8S01~!sCOCEZLYS$
zUB|9`;DHB@O_nEx_$}eF5dOcV@^AQhY;hm#sx?X<WDW1seL#L(CaEdEKZl#FZ6n|#
zI4Q3t!AUs>PYvVq_rK%e2I$^@>jSS(3!^p2UYJG}K*FsZdt-H=oi5dd3S2hYfnigf
z8ZP}wxFw$(L1hEYcp1&`l~u0dhwuyGH-Rg`oy3)PkJV0%BT7nimj(ss-^le_x0WfJ
zmE9+Bijp->VeR%?ox?qX&@-&hPb?I&3!!;y8ZK)6D?bpPJZ|XA_}gu3V_WqXAD&R_
z^g1kjjca;04#Lw97wT}|w7toon<@AEJgc&u!0%x7yErTMD0)OE5IqYY1K&5mGp+K>
zVies&>ocU+krSADL1K|acof)|^J2mjV95iN>7GcMv1b&nI-ULN@n|fzqH9fWFw{TW
zxi&fCSRU}&W5xmhctj{>M~!comQ^m_p-qi$>M1RZq?^v(ruI8GyQIqNYO8*m+ppOH
zxB}Jp3BM8V14r%xq}V+Ri9nJ66hpyf0__xOV@#Q}q$pq{zf24;(z-U%bU25l5!m`=
zq=INbw2_?bNJn*vKi6t&b+lUCmR5~<X1YzI_2s7u)^4M(*<p-C)w+EbJ2j5>@tsY&
z^EHwn=tDj2cka=)m)8`Wt-1@OruJz0z-P0w{bACZd#ZP0&i(?k&IsH-sL)oBXe-!2
zTk>|FI<Y0_iA2K_W-2h#W+j=O%k)_<=%FWi_!ALO7w8%sTaTA07?iROD0iK;yS#jd
z?7kU6CpnzfoS?Hgkz?A5CAVZP@f|!PI-*LrZ;6d3k`l|WW)y_=nifr$(OJ+mA9bff
z;kEi!Yjaz{IJrJNxS^;o=v$lGn)C&OCvRJ8Xv=59^HCIwcA>JTRU>>%5MJ4cvjE&@
zR}8ywNY8m!MeezD;_$js%l>n~H7{(9x#o=e%K6QiRq3317oV#NpD!S8QO1Rw0Hlt-
zI-e&g*CeZXPlIa6V&puZQ!lxPh`&?dFr{~*jD_6Y7z6FlFL7Ln&NH|Y{kJo21G?ty
zpGg7P*;f++%9N#vOVkfJknC&PJ?)Tm>iK?2S|kgEhi;cN;>|ZmHXFo&d9-6fqj%{i
zv~9))c>pxepmf@kb})gU0d=WFJ>&s-w4*HE<6#9KGO^V0QQy~1bU?ZwS#D-|y^dxG
z<<Td+(5#`EPCX7W_laFLK#9kZ11o}Gb@-6nCka9t0@XnHAr42`%<0*7T#3^WpCBpY
zCqCgUCauL}l(I%pco-N3QYy-6w7}}1{M)U`D3%DK&imTDvG1wdyp_LB;_n@EgXc})
z57$qtI}PU;;%d=w?X{I1*S+>yw>ICc{T2TD^Zl>A_L`8$;}89Vb_yKnfFnD&au_*0
zWO_M+%;EYaSL?{Lz_b2@q3H1_kuY>`!c!Q(@oZaad?VAKm6ejg18IZ^4fGBBRv86I
zh~zQbp({i&i;#P3ba?o9W@aFz8|c@i2WQgZ%bPnBZg(Qzbh&W#2F-`e$&u`q_K}S3
zWihxS5&2Cjs!~^fjlM+KcsHXj$$AEd`u1<RdvcN^wy}}iZ=5rtC!iEkSIH`;K2TO8
zxCKG)G(H4B{h}CebWi?my3&}^GsOGpO1bW6E)XpckEOCW`i<1|7+>&Lr$zz>q@tC4
zGWb`*M3CseB>Pp+HanWnQ)@+^y7J4&^1;ZBrkLxHCvLhtSRM-A<@LLV)U9f-D7<$2
z?Uk#JWioFFv65N{RDSZuKMMZJPx>pb3bD$o`|t}J=TYEBBfblxl!gw<e1qgY$`DJ;
z5KAPoM=D!%J_ArYK*lP7O=L?)Gf)@;kurTJWr!?7TKu6&KyC}>Wl@%`mBep4?ww`6
zec9Y|=wRdgczUBhHy8-F+tqj6ab)Gn-OZA%N3;dZCcnko5j!Rvz2uy&nXyin)wbM-
z)X(GE$^|jI`)rf#kU`&`$aj2a8UbVK8tsPQ^Uq;5_bP>Y&!F{ThGI;^Y)q+R8hnU8
z1$?M8G+rirNQ<KRO5;o8*p4fWG0o{BuA~9deJ79*1OhlcH`27j2EByT6NA8sI}vpb
zB23&~?CA!PGa3h#$H#j!`sKZX(7W7u*>rfntGr9N>MG%CciDZeu(?~4>(<<02y{jJ
zp#mdTr+;D;Bp-_%X=>AEHBE=ppxFd$o8Ll)#_QQ?<=p{w{wD9Xt{2pe9eGZ~h!kRc
zv#%FgPn_uuZMd_uyAWCm;*Rp~ELLKau|=my4>m)s7eu6{42AmE7S2gd`PVwLp^>qP
z5x-^PUx#Kd*xOWCdw6Q%(0WL*J-SqI&f&gr&;EmLS6)$hxoq4EdS&{i@JHyI<+{Ep
zPuhAH8f6%*Q4;Zz)=pze{FTO0$xFsbm}VmVLXwM~OyjDIH0hgscRf4Zk_j(ahAG?W
zYX=eVVa2~;@*bk!PJ<*w&pTf|Fl}x1819(<gwYZX`tzR2$imQ;^P0vE8-k{fSN>#)
zB}S%(Y=!Qke$NJ%c|vP&w~lMu{AORs?Ov1U+`8cROrvbZ>GsD4c3Azk7T}-jNI!)B
z8Lel5lCw$Fu~C;`N>)zFD9yQ7qjpNthO|@4Ny;gnYo}(YG)o3HX{Ok4o&9U=nN0hJ
z;=)igGPKaWHo3yLw#{db1?GnrgpqaUT7?H}`zz|*y8POUS598IuGGAJ3+&Q02Aig`
zSs!1u5~C_03nJwOyb6+LpE6VB2%>r~>RZl<*(hiFQBFY8Lny9_G!7bBf}QLenw=z%
zDL)ih7L+dlah}lVz?L9kWGw`F=a49anV!%$AU`KYci0}EKDV_mH!8gQ=6u`KWYci|
zkq;gH>ZMcT+Mw&w>BzF_;W_({zsl&*Q2iZpzF&nApj>Rs({TnaLyIclPoPJFj(7`E
z8TEo>2;CcSrQgUVB0fSrAqqqeEcof2C3w);r)V$Rb?h@N!TcfpoYr$UufpH4JMl*m
z2;vd7R6h4U{m;{D(`9_Va_#E1tIPQOi)4><cr}JrpV8Mee(pqs^(BOH_$~V4tlP;;
z_(kK~TGSWxq1G3`3l9^dBS}OW59$s5s*DSX4C);%;S_6qqD&gmTECt@gujP`mmZ?)
zjYIQ;J%ek9o;Yye5H7eK{8zv%suY-;FwbjeRLXL_PCa#~dAtxUa}jsf;v*_r2O2jM
zF+Bg!jBxWqm6wE<gvTeeGnG|h7s(a!*<r|l9}h;mMyY2UZM*C>xEiELSu{yRGHHP;
zX$J&@9arK^bR{i;qz}m=I;V<T=S<&|cZV3TMS?jH@SVpuLnRs>{%Gg=5%7@p*}xaS
z=+2c&Irq_VO<`Okr0m(ruCB=rd)M?)VSTx?rxR#HEaV34A8Ua<h!qNjZX1zA`&4y8
zQFuhyxuNntz4*ZsTk#rlcFFHyFAmndmwu<cxY9Dzn`C>pwYWYfT!UA!mm9mc=ubz_
zsQ(XZo6ZC*Bhq9eX3u>J9I^y5*9<mUM%4=%A!SppE~Df*I8H)qoC_@%SPX6Fe-_Gs
zfMsS<<S1n$Pq-YzT`wcn90p(($nV8<6RyL!ZU=EVfrrIQFN@uz!Wmqs^#nId!{NWp
zaC_i1`;CRap6-W-PxAvCB|&@Ieae-Ooc5>r)BZwx(2%=E3bQd?Uj2!{$8<Lv(@Eh|
zG^Fw~(UYFpz@8Zwz9T<_JZe&!Ju^|Q$n{*wo|zQL>Q?FroK(*m_RNIvqWp{>^<>yH
z<2X>0!*hfD%>R|2A((@wtY>ObJ?*EgXG&1&!Tw%}KSNTAw{-<;tNsj~S--&QnXEnY
z0sf3g>z_)$oF~C^7JFue@J0C<YK!BL@6DsR!`oURywp%n{G@s~epc4{MSVXRhrF%n
z+B4J^$KlESnqJg*{>;hn)Sn5W9tVSGW%buGet-qc_i5qF4KSZf8yub)-Y-Z+<nB|S
zhk7J<THUZj`c&H$eju+LoSK`n>0eh4o+Z<gEwA(RN!@I=)3IO(Zi7Jb;0|1XL@CW`
zWhXuzR)F2bbWCkyQ0wA({s}f;uU0ngUnJlB_Zg?7rM|hp@<#ps^w|VxA82iC#%lD$
z>0pA74Z0XnZHGUv2R<4<{CO0j0wyQx6*@34lCG4YifP`mpWxe%K6>!cN4I}w|7Y+&
z)gd^9-w4+N=S$a{BEmNW$Nv2oL0TU;Ec{T6qAl9POB78jVpyrcS`F4|utalY<?Xkx
zJbIM<dwBZj9n*K<|D)4)5CKSlbtPb(!JQGBn2MIObPY>rQo}u({aG}Zi#B`+j2GJ@
zk#_nB`;|N3>65D0gtLVYA@j|ps*6;AVe>4a`T+X$doiK?j_MMX7XRMH`Vdj=2Ml@0
zV>|i)Nsc~{ryp0Q5oU!_+-?-?K|%OUrCa#Mqi=uvqx(O#_ftpuJJp^2c#QD1s1Ein
z>L7ej@B!g^L@0F%C5=5ouM6MU&)+`sDY9MI8ND(LZO|b;!?ne_4?@{B+yDwN#lboL
zu6G?LupYSm%G;0RBI-!4@@tIFTduPX8fiEYs!sR@tB}`r<n}8o-($mFtCMKU2+=6R
zDbGUY8aW-gkrDMYh>7M`BjMpdA3G<$%1?!FJoJwJANk1scRYmVXs@D0_z&?Rj7zuD
z(jxf}wNe5(GgBOOYoP|yunBBYBj4o}uu+%A92FkC?7<_stU8-Rjqk2pa{b%iemxtr
z6mWhJ`g1K$t{mf5kBpI(Tomw`WMMOjY$MXpTWidNv_;Zr>pFVAi#*~*m=a+)c*zkC
z(@)nub=I+!uL|}R+gH#{<yR|GSMIxU-<9kiz~ooGF8o3GAXrs9Xi*Q=L>2+*$K+LD
zkqZslH2D=NT|^wL2}|Qjc!IK~u`QT`@4yx_t%}bi*u6bU_piHru7Gc#FQ;5Vf|xUY
z)itnJT$mp}V)NriwfO;l0$zY<%?5sgR!d==#w6TWd7tnNaE{6kF?Zss3y~#<{DQ=%
zYd#~{cgiwv(e?uFJaeJLoC}kF6+s6hNa2hiC~)I$>KaNYY}^bqr<jow$8rNsX{5}!
zJmQ+it8xV@4lkhMSHQg-#TyXB<s;iW)oqb<-WMCrdCuL?H|JF+whyKziUFi`s~ip%
zZH{sv8chlB%;dYX;W2-3_`=>{bJ%0@cP)#ZbFdsQ^an~S+j}<j2X2W4!kL8MpOs3{
zY$27&3=r-{t82v7$jPG>53u>1$J&<}GK=s~J9AS$RN_?1DnIQf1?nQFT1wuBPG`Mi
z?FHx{JCAGqbuom)bLD)Fi=$E$9Q=1`swWugThkdG^K=dRi_VeMS*8As{r=3%xt)no
zlcV6xlsoml;>v7s!(bS>%r<OvI=4iVsp<2UZ@Ob|`SPJvAy2Wd13_fO<1*EAgaeXO
zl>l`%t`1S`0FM}uSA&@Op$JR3@A*a)K1jPPK}3C;TazxmL2pb?512zuM!geX+wgVe
zLmKHkQ5>G?JAC+(;nL=@gho7|Zum-Yc&m?!>!faI14NHaGC9G=B<Yf6E0$7<J!LpY
z1^YeIo=@!3wrJGa=J%fSy*c5*;KWqr`?id&Jt@Bb&8unLVBLz_k;_0ULZ0G#2fjau
zd<R+)+rp?{)pv+(u<P1bpId9Bi?jE@aCjats{|evwmWG>!t>IXgl|@U{E<%zLsx7R
zB0_ZI)#^9?N{b7EY7TW>hPreNZV@%WN`|y_veT}^<~cEOtg5;~{KJVh@!}ICn?zL$
zY_Wes>{1M>N$s>S*^k2`A;~3MH+sm6z;g<d5km|yA%BO34I1iT446z0#7+>uP`1U8
zhd{?1Q*04RLgr^qT|!r6q!?>zb+whfd8e;1o}S+1D$Mp|L;g-nDZKtbN4wo@4d^ZL
za$IL<+H49KUK!as;6H0FH@|8o=_+J=rnCHc;g8p57D~YY4wR;T<!~O;AH=(1qj#yM
z6z(p|yHm{%ijv^2W^yA_U^MLo;@KKnP?7-`Y&59+LO9|Vu<tg2fUTZ#(I5!n!jRCN
zWRpXO{XaJ0J<~Vr?Csro!}LmAPkdgjk<y1pCoau&cimZeQFvO@oVj3R^ny%tYiY}s
zlap6&DbclA{S+uFR~jr1P6?YepJ{FFD3-FV`o{_HlppuE$OqjFCPuVL`#EWK0I&%q
zEb)O%oI*$Cmx5#B9$|0gfqTqCt6FGXbMqxP<H=<8XX2P>#=8*(BXX=WKYaq7rbM)~
zWKTq+OF~W6CCzW#yoPGg&)wt^_TDogI4ZxKxTo>};aO0n0MEJ_JhY2L<nScRVBX2H
zU>Ala@2NZ}?73%BaF_{_HI+Y--tv~<!4#0;(O^j$+epezK`2!IxaQ_dZ<?$8w?}YH
z-XrX(Jb2G!<(I6^Z1qd<0elydg7ig*YNjvJ49H5>LCN|i7G$VxclA+ez4$BnIT9G8
zS8AF?;i<|w!b8G)=jflxE|eqR$`jJ8_%q1yq-uc8)5XzDbo|U>>L6lI%8B-re9(OB
z6|F~bMkPG8aQ6ixBNyDguyFVJBO~YEy)b&=`h0%<g`=Yv(e<Ly&UwlNHs6`!*O|eC
z_iWjG&%r@lH*djpQ*Og$D^^^#K9^fh*A2N%(cy(c*9JP2eM47q!*G=PD&m|?juQ<=
zo;WMp1q_($u>v&QIL}lU51Yf;b>in%p149heBzEl@oOtjEL%4w9%eY}L_Nd68SU(+
zI5HWxC6I}|Q+S(NxMdL81K#{M;ym?dn`)FwLK!Ww=i_0CzjER|!b|@pzqeEP1C33#
z`W1}LchF8P$D^#5fg=&9Xivzprurpg<tjBxUPk>?-fKG3o8_$h@^<0Rm1d=e_x=38
zsO?VB#W3iH_mQwibb<DwLP;8CZQ)$>H~&qFQ~#--%JaORR0rqV{2fi$s=Rin()DxY
z-JO*-yw2$GE1=g!eU+Il>nn^yOl&;CTKvwNzhh`dyKeNAzt_;$rEluml$W<xnuR}$
zN)7M(ub)%<qH4POC-L9K51_xz^?12DyRVZ7R}nxuWWUykWqL+jF?!<XBC_eUhzCbc
zJT%jfU_)N7l$NrHO9|HNZ9EKs7B(qOCD!mDHn`p%=MiY6bAcMe@c!#GXbRsb8pW&=
zR`|wp+ap~zwST@)*)FO|TOyS!W`wVKd;OcO3G3*=Ro9OXl@ImpetO-Bp9w#m|Jv1W
z160Y0z#2=+dE)UIj&oi0HSrzdqp-%v9y6kl?6DSHX?p>>my=k`2_^l)B8u)qrf{Oe
zyFEGNR(q$`?<j6Ao^#gffGx9n#Z-J~_?nT;AA8{D?%Dj6_dj(Ibr5g)DRi?Z(Qle<
zv|2)xPkI-ZC}^Q(>N`Nq0f}#}A#q9B$&+TA_Evi;X!GQTW44fPR^4KBS)+M>Tfo}Y
zq(v$^&jDYHJ>>M}V|JZJR5!O7%x$jDd?}Eb^VpmjucIR#Xs+CQ&K|TVs=BLxg68-T
z#@JZTbuaI}IF&5qrVd}dfJQ<CE+HuqTLotJj`NlGzyFH&zkgWWlg;+fKP|}jw!U(_
za{Q_zJ9i$z2ki=~dEsW&Ul0STUc`&Ng3~C>TaP(Ag_{w-a_u8bFT%6Jf8yDMj@h*M
zml(C6Dxr?=*Xp3(Xg-qNRsR0YPRE_X&5v9wK(CV961DU`zL$l0<h6Z-<+Y{nQ^HQ<
zwSAi9wWaSK_!K@Q{skvO>{Oj4K><aX9%c8kvT4;Oxoo32h`gNrcrGZgG!J<0dno%3
zD}xsU5Yf9k#4h1Q@#lCh-cUA*GHPRhm!UsK<P5$A&nbQnP8;YE_B7bFmtk%F8{eS%
zwBnqQ6F-i3(<&xvQPzugOK4ZCi(H0hs!xf7s>j*)AbnRED}PYkQvDo$-!x6%H{mSb
zm&Ko;j${p{v&BB)>xi+|>58?o8`0Lscw4oy^U>A|;(y_}Y_050v0HdR!g)Bla;@xc
zu_TI88_N1>WnV@c`^5hTWnHzh4_D2?WuOF|ZoNQx0tmj(Rdd2o(5Ftfz@LLX8ms<6
z3<z(6V#q&F`O2q|Lw^TWg)T>w>`~Ph6wPIjyzGPA%Z^m!P+&=*QOemB?5+oQd3Hyk
zar~%viXxy00u`)4;$)vu<x%oZl)MuqP?1nVfiYA{2WJIf8xDdyjj>;1C|!?Is%0~-
z^wdsVcjBoY-0#Ib{dN%7gD9im!HaNDi@R6gN=E&)<Q8l2IW>lJH<mZ<_-*u2{eLNM
ztiQ3{b4@On$?9_E%`TVO>UK5B-}}vOx7qA*S>@}3TyB%E3%uNEldl72kH>6wJDV(S
zw*`p?v-0<yPMgh1pYxGX+kp@S=lL$1!)|xjT$Pud_>NMiaIFKs;a5jxU#;vhmyKS)
zbNg#$*EmrDDsoo7v$S6P=0NB+BQT*liuo~&`LT4Jsg2fmM5y#&^v;$ic0C{tzV~eG
z)E27i#E+;}N#vJo)NyDBOv_WVkBA?+e8;;%yh8PDV!NtGLUK*WO{}ot3~F9k$L!It
z*#3&^RXp<rwEx1H+h-N8cwm<}xZ=sPsouxY{>SC^soDlG#~zs#KQjI99jyJYq5Z4s
z?c<z0v=4`9Pvqztap+aoE2wLw*rj@kcoNpRP*=mwUDkhAAR7RzKnDV)taQw(V3H7S
zX?R$px~C4_bFlXs^)=$2n{Mjfx)pUVfM0w}T8_FYp9$@472r3b8q|nCTUx`%HotH4
zvi<7);>(8)CD*TKeHasmRL_GyIiOcB^+nN6du3IZ{7_a57iD-_<cA`~V9XT{V#kwN
z+A1#VXZL<BZp9&+%jWTGW~Xs2<HFkP7avzaO9XeJHfft-qyOvVHp%z3q)leOPI*%y
zkKSODcBm&y4fo>X7Kg>*)vX%m*O>`43w#|E=TvtAXM8V6ZCqj4--XP>bKADznRCT&
zsqRG{sHODEEOAD!c;Q|MhHtUF>5u_(y^wp@|A6mu9r&JM?LvO3J_<fgxrJ!gJjqWv
zA_e%R+(Kru)v<)noqAIHaK?`K&=meO>jisyL>zRr_k|6i&d!h_+}G~n{aKHCkBdKq
zPDAx_e>5L|%6r$!>P;Y9o?;zuTqj;6x<VlrF6+d>vt}|K9hn(gi4m&X#HUpskmgQN
z7sXf5IZ@`?R!bW2nYFq(T_zIA;IdYHdUClT7>x!E%O_FSEb96+=<@IMw+5J$U!JiE
zSBq}1*DYQx+A?F})Am>~5Qszqfg<Iz6{?>U`&4To&-faImf?`W#9f5g6%os3WB7=D
z$_fGN*CXO*RU0JAAwj(4RPV*}`8Yn}XB*xVt21ct3CL)E7P0asW-w-f{+nE|&^c+1
zf}z+TRL&2jQlU^X`3ycG+>3qbU?80i1k=iu#*o^1PW6Pe;(y%Ep<pr@#ODS1Dn8eE
ziZR_&J3{rtVz26K@G8m^#t&`aJ`0KIyA<EeQmD4;t)5s%bJuvrigY4kZ@(J*Gwsr5
z!5ZxFc;ap({i3=aQ|**4gC={rx>zg<ugkn`l>;?B*00tZ3}y-ZFvaT;t5=KNs+*z9
zD0{B3PlH(jT39TkVS?gnqsw<?vaMl`G5L>V96n<AU`NLweac>k!%H9Pvsk?yba)Z?
z_&-{Iab%=OA0|^#|I^T}X~$4c8M2V1D4Ty`^*XVndJTFP#Ss%G$mZtuHAGqvF*(le
z)f;zB;v<%#Pjno|hrx9OcFCWmBkVoOqemIah;vgE2t{DgHgl3ABk(4@eb2TlFW$5L
zO7VLScOQ-51N^TPM<G-Gf>zm{^#<plEK_NL3!p%JP^DZb7E$306Ck|@#Zi(V-8Z4G
z1@U>vkoBmG@|1C&c)Hi;nDkh-S$zJ2)cW<Q3y2o}Q;ey`CHR{d280F-6tSA7-GQZs
z*ndpi&-!fxzHX55MHypwYkW@80*{EkYdN?Kd)J-6YvW#g#M1GOC!+XZOq+qbx68PD
zD|K9R<@P-nU%73M_~g;<ha>m^W>g4%{6of{I207aPFel<>?VZK76-&2>zFHX17pJN
z4QyE~F+R+>G7FhTz1slW2c*@&1dS^7j&?&4|D<~9%w?Kw^*t)<z&dAYj8uFQ+>`id
z1Zx1*=fr7MNeW<&5#J)am}Z0&!Gxf|JIV_Io+pmwi;iBcsIiBF;`DrG+?KT`1+U8s
z$Ei^LXUzG{l3AYfwC9hEeMnO!`!Y*1<ZSm96HaSpysNn*=CO*sqQM>axKn<!I4{{P
zCL@eFq57}lq-s?1$ndm6YBP9}J!LJ+*a3h5PlSNc+JiyISYDh|U;$iAF3LOza*^%5
ztA4anRqd*NO`bh<zoiu^N$HH}U9$%d&Q_{pQ)B2pV0bT{-&lKI*|`GC7~$`<#J%z0
z?Cil8#=Z_yq54sAShY)h8F1ECT4gm0a{OtKDfv)%Lulq1ad^!XYvWJCBdW)-ro-{B
z_%5wAF3C8X&>D!hXwPr8`nyJjM+UT^s5#KuX)5?)#VE^54;`}d7v#Qv5wt+NNy+O#
z{tcd+77c5OvpMYv3KK1ltQ;F#8OQF*%HO1ce7;}m5qu7ZA2V2}-d**o4zNDk!C{m>
zb16@eYfgqKd-1?4<Fn)cIYn!#)w_YG1JzI9>Ba956{^`gz!%;-fLC6*@7!}qX7hKx
z1`45gf>zK9aWYQ1G&d=_lIAAEwbCZu$Nw*kVT1_hcUMQz?mNJIh#OKw0_TQ049<a9
zUYMGKZuH4&P_?%Dv<SOYrF!#cj4o!XN!1h8Cs9^J*>70c)zuc&&DHOttc<c(*w`Gc
znpHch-(d5L^c}uCg=@@!6nY}}-mu+DpvJwe108{gZ*FMcZwDl+*<g`+bg6g|4GYzW
zF*hz0{~*`J$A=<IfmzH~E$N&*KNoZzvW;@6Wjm`+>}8cm1CqspDp41M3mlO0auQrE
z7;8R4#MKwUMZ17x$bz~2f-jLE*lc#AU3<=Gb0h@d{`c$qST(0Q0+P2eUP5_0Y3^bj
zkFurVcu4e5UQM=Thm3Yt3-T<RS}eMtt^eD(tRoS0>M~iIMW-1vg1Uw3zf{Aj8&RK=
z)n~5N$5#Vs9j0ER+m#MlOb$=$W^a%xZHm|iexP?novw7mt#fobZI))uv=Pa2h3c2#
zI~joQM4_LWG=&8;pgm7p`NNAZ(sS2WW2)<`p9ZFh&dAQ8*cbGuM2sM8FJG`yP`x@e
zb^GlA4K%m18d5z~{Vr%}0JQW2R<^O~Qhl`gMU-Vx_NrXgg0d%2whU#6TEn|z)d0?5
z`Vz{LDEkpBJ6N4i-Bo=*%AoJR`A7bo>eH&{kp+o8SGg1o3)Rnq2dt{`0M1Kjc}K^2
zXUWln)i+(KhdB8N&42KL%HPVO-{J5HJyL%@4|rLBGw3fUs?N(~@34+|8AuSkj3yav
z2)cgd1uI{<9i7LkkeAn2oAK`Rc!>7tD$zT%azJ}r>9w#OCtO6Y7gSGOaKWFSc%p~f
zXyesZ)pOOyu`gsq#<7h#a+K^P+<p<k8Elv{6cs^f3rx7D_*N?8oBz>5f+QZx0_HFZ
zY%#l*e#`!>aDg|~tZq(w`bxr#&1yGKnjKc_um0JCq>i&|TRMY5m&4%-20MX=2XR*D
z9;^YivT;Y|67-P99oiOjEgp$fEEH@1i~cU<OIMM`lH0nFKNw4Vm+eq|CnZ^^{-0_}
zb#e8pke4-?(THcBDh1O9d4{w$B5|Hgt!KFFJkf4aYjuWJ|Mw>PBdrddtxa5`0cBRo
zqD%NH)-t%>O@TAC#}ca<HBA744hFHZEwS$xM~?hrU!v>a`R8?Zo_GF1(Y1VJXlP`)
zH{ob$aU@hyb%QvddPKSiV@YvTQKlDAG&!xYQ9c21ci^33;9GE|*lM0Nq^?CbS}3~S
z+1c-TqfswDFUVK%tFc?UD<`5JPb}u~M3pPrUJpCvxb!>VUTK@#QY71qtZkAm)Hb=?
zsO?6}h%{NoZ)CmYkT-&?ozbX&$JVR&v9==-@j0c*55A}Gx@(j#XnVO>R()0q%l-D&
z`n|Njq%}9X)f)R-jP08~<_w3Ou5kGG__%N{PP}UWjydS@1OgsUP`QFXo&ndGRj0%?
zxv?6<+8W!|?Vg=|NXBs;*OzwR@@WOd%9YwyaJ_V#Dfjs)#~DEpjreYCyF7CB)+rg^
zUzBkz?Mz<RSNXbvW98a_Yd+3|Yd+3g6FA-YI%)njSZlY)c;2ycUvyr<^$G>Q=I_{F
zm6R_vTu;FV6+r~V6x#Gdwh&!Q;91mPN|Z)%@sz`bP7vS@WNt0Bpq%o9(oVuC?)|u?
ziT+5{4q&O5+!Yi|1mn?&yqPtVvJpw|(-ab}n9pVKH8110?luEbJf1ve-|g)+m<&l>
zxephM{cdI0lq>j%LOXr(Tp=Hqf<u}cboOH#^#S*%!)Fp)xsjI6m*E%_Qc3w%98lVP
zdSc>f<({?A>F4ABi|s4(b-9pB$s|;tuE!@Pj@Kxt-v4u%#0g^kfU+lWUCn?#lbyx<
zl(>>+N&7=62#kL7(6}L)jZ+s*T2C`ndv~jM=eJ(6HGR_9Nav1@c5K~RsVKNmt_?WB
zIt(akDNN*ZB%c|<r9Bl)pl?8RTJk|G%y#wmfvul7d7droO|D#--1~rnALR;|MED7N
z1iO?5Os#;4JcF%_>L~|kqXtPjJGcvT0~06R-?{CQZJm47SFV}eBleIbKU%!5cm=C-
zpZIY>kgluM*}^bSTIuQQB<Z<*VDq(`2ezso=-AyQemuE*cXEYTSQw-_EB}Q!<9i$6
zYz3q=JI_>S5*$f^^RnJ^XB9X*E~nriu`0n2dw&C*Z?#SZ&ht9<<YhREU8_k?V)#^5
zqypgLp5>+Rf!Z*_v=^H!e#%a(;I+Ki!c#zhcZ<Q~O&I1!t-*}kg|>pa)nG75!%`;d
z3OmSYg|>lr<SV`#ZQGew`yXkWpJJp~ElLmH)oQSK6K(UO%jJIRI;GY&G(0F~!yQSv
zzxPU$Xp>H*IMsM?p9*Dfrd{f^yNEmzq@_`wTQ9Eu1{^SzWHHCA(b}EbT*4l3+gqJY
z%j>s5$@=x(z32Azw3*rxI)16)<9_Lj|G&bfVCr5epRtEL_EwK}lHWR7JX&CF>(=DR
z{=OdK*v;&cV6ZWNymSeqi=Amv(8$<)BkPYi0qrKFd!iFF<{oKLy2T#)=4IP9Uc>xB
zGujUPX=j+5{@IS(M*qy5Lb2}d7<bi+vTyz0(Vm&L2QLh3k8Em%>(D(}o<^GMoYT}7
z1cdUAtrwf&DO%B#i^p?KD|Bn6^|$t2cM$HPXcED)aJz#Z{?UGMjb+iwL-QpYx0O%P
zuPa7xd*mPL7jaUy3enInD}`<@T16<YxOi*oq<(cmGkLY4V@kh{K+g=bh-tSRB}hjP
z(s(J-gyuGtQMy~onNas_Gp`K=eAIC&MVk#4f6}mSxi!?$y0ptr7ezR%P166%-kZQz
zSzP_&&oa;RWFr9#h=3SW5D~+@H#dQ}lI;SDfUJsEy(A$-LV{U9s8#D;L`CaX>w?x+
z+^V&1wN_CP_kAf<L<B^t5z#`5iafvXIWy04Ljq`R-?#twfAg6$`<XLm&YW4F$#^q<
zNU!~SWS!ft`rx-bGkFzs?aOrSt>~heNPD^{Y%kD7F9YpF7k7QN1kcOL-m5P(&WP^&
z4NgmC%|N99jx-PL-*dknnGGQ>QTtcnJm^NV0#bGmP8&NqX_9XW())q~UYC684Z7$b
zBM*R0Pqei=iRwrt95j4Dt})6QFlf*KYm|{YVE8k3Y%uGFp6SPW&b`x&Bf94e+B+*Z
zFE2N1??HLpe{~osi2=TnFx*P)J>O)$gcSsR1xWe}vj??vB2Ta+ZKS{YgI@ZNRXssx
zFY?1afawi0uOo7g9b=EQ2M!)Q5Z0LW9jl5bjx5OPiCxRAf+KJC^hF`54b~UUIHy=-
zmV&;0xSc!F?X-7I@<%k%?2cZ)_Q#e~!8;*7p?N}liZJ@;@7G-vrRCv2ilr5a?)&8%
z@%|^C*#F2=@UPf&yY1Dd&tBbf59~vCqYSqi<IAtXD;i%8*@dnr8fa|eceqk$2=nQb
z;Zx6^I{ai|9CIwVGT`8Y2f#X3YRpkTIXsq?+pk}4R*Z&Kl+EXxW<B&5jjX{p%ycp=
z^(EJJZ~DxmZ*=hyJ3hy8>I+BI9`iPiRFPkvhkmg~`S*+d`iLEC^?b9mbk^~&&<U&I
zjx-L{mf-A)UV-;coYLjWpLVkOEEvo2{cuIi8PW5Q1A2^|;NX8VWFN8ryphJyX3jnX
z`W#whOfb6Vbj>!8She>%z<DHaUb81Sq5F>s;XE%fum4Us$Go%mD&VX#3ef+?gU$i`
zzexFTKX~Wy&mbTF$dI>Ddcj3kR%!a{eGNg29C|*YHx@Jf;HEA*fc{a4d?}5VF{mX?
z7TT|CoC6{iIR_LU++|>&uG!BAT`=4m3#@?ya(dza%N%ZIrl+MD=j=RY9|fM=+Kwmf
zPYI<a1*3nNmE9w6pfh1?j{^?5c>lQx<LJZ8?5;W8!RMkw`wZA8$0A0v{1D!2_XsbT
z9me}iVqV@(czY1D8L!808pY{<zcRo3(Ve7z8g}{Ry~(|p-)Z1Co>>LI>442!GSZTR
zo(Sl{9G6cRL6kdSaOxE8#tvDWpH6edE)z;CjE_>7d&f{CEiFA0JI4F>8$eSK+`H-p
z!A=-&;smch0vzo?y+(%Pn-Y5S-3vcRpG=iS{KKe%{K=cZ<i=e#ZH@}3Gq`h<+XP2&
zy2r@{_I-b++?IA2`mYS9Q`RlY?P#azw2w-^G`v|lL%H#KhJLPcXX0JtMatbpUySeW
zWcqBaw^=CN2*@(WDYvd=m?tT>p=FxY%8lC>rlMIFTDnQ^FzJGBMXWI|P;PV%QKj5?
z16Z7=+@_Wg3zb`FgT(8~ZE4M7n{wkdHmgp#9c`JlSh>@*xIJFE)3si<S5~GLvu{-4
zUCccDRprjs;^~{D8};gyvA=TbT5bm2X9CT-q4mrdtK25sie}WSd&YvYhB@;aYinjU
z=fxt?$Pj`thVi_Ts)p&+c@yV1HCNAW${Sr@+0Zzrp)uK9U6nUzW^?nL!-fu>H*a2k
zl9J_DHq0J+@Q}QDwaqj0CR8_7H_k<}L_>XZ-q_^q>b$onHncQWR=<-k?YxP}`lh_`
zjSZy@byczaNGx)ANqOnG!(}W*BJNO%MEJPUigvm3C}v7^V^eKIeV)udej+)r89lS1
zxw4^tZeBD$l0UrY@Y%^()eX%v^6P4+$MOsFiwfeAqMb`o_-mW;l6lRI$*Stv$;MfE
z4KsGdgWCGM=9$%blk01VBNLm!7-X-n8rsm9*MOMDyvl}_`sT*k>Zbh8Svfx0QkPer
zpEn9gJ7j9}{5jQ=W`Z(i=EQ~>&GV9t)p-c0tF5fAZ$jBE^;Ia1h?zKgOy0OT)%7y*
z7@1&5p2w<ael$Oik*U0dCOJ1*TbG<(S1lVanU^RzJ}=pPSe_!Msj{(lPIFU!Q*B*-
zLu1X*afvYs$xaki)i$BN(_4rkXqjYv-rFS;^F~j6C$F?*;^>J(@}`cSG-}-BNqJLC
zCQK+9J85*q#Jq76^2)}IEgwB;^tiF`CGtwfo|t#+=&|KP@~R<Bs95!xa~i9gn)1Nc
z+SzmJYOAaA^CnhTcV6MV8AwX(Xqr=9Sv#Y)GOsRKU(=GTsUDIyr@C==Z4(I&Hx`&U
zyB1By{+fol)s6MF^)-3(A+32WP1Pg<%{wtazjMw^tV=e{MC}(;H#SU!ByrEGE2(P+
zVhBiHGH}*RtZuBGfwZIXwnPIo<b16WZ<y6+Gx5!19{%@q1YaaY@ST+Bj)mNDgqCPk
z$TuDDCgtJg>wK*V`Kq<qu=BLhTD?|@*hb(bnB=%B#0+Bm%?LjXyIw<aTbBOvk;224
z&pBr!?qDu)9;j+Yt~_l5@HfFUYI6YzTLReYnclI$FdLz`xdmz(H2T`PQmf9}2e?Ci
z<e7++^-Se>q-nsV*#@l+*kVW-;d&pAx|Jh*9Ci%CdA*!6-=Tg^nSLDn6)EX=E-TN^
zGllEXgt}1;h{r+c<AKEsiGZfVQTqnek~mtAy3@B}lsX?@9v2~YHfl5r_$bW`gw_G;
zbjDZ+UlCsSiX(MV3T>U$C0yS;;Gxz`!ZdR$R-qIstr6wrp}ZM@KTHm4xz^OKBtMhk
zqgIx!IuR}@F|zb}w9ZhJ*2rbbJme;Rv>+$ZR*Sq%sO=A-W;{x30oU@->iK}96jtg9
zdnT#PkpDTLU=r#hc@{_}adZao%wxV$ZDk5-B}gdfCz&Q`rn(S^scs%;CZaEmfqxw1
zCrJq~k4eEmJ+-}5k(`jp3sII@u18H0a+L(WI>70GL}$?RNCI%TMLQlgwaj6#Q@PWG
zx=<_3K`gZcNp>A<YPA})-Z<nR(~gp$CY|x93Rp<55a#LNk0&9r&rm<6{$9fUWwbUC
zy`6d(`Qc;jF%_;!Xwh+yu}O%Xir5MGE5Q}~Nr<B!OWd6RSO$A6WPoyvX19z>Adb?X
z2>V#XP#WTPHK+=tv06J5wQodd6aJ`oP&?M5zsvzANIt8${uALM?tcFk&Vw9DtX|$G
zmWoPXp8-<|tkiz>;CKt{8k9qHl4Lf54&tS!ae|&jd5B7?3$?A(NEBa#(n!-b0weX;
z8idV980l7$R+3v!3lK%Sll=T2Br_AaPEE)wd&vT(r~&OJby6^9)uEN@5GpB_8ieGv
zqtF`Ur*y<QiFY(+*K}HrpZgHBX9qv$S_GQ-gku2K9tUA8I~eaj9s(X8ik2M;9UDbH
z(zb=rw!@&Ei_udK$JZZ6LSib=14cp;M`Im!Ec(K6kfU*U8Q^%x-b6^;Wc1#t_>X!g
zYSXlnw3D@;X!mL_XwPZC*QV=+Zfcdf&@KGOc}Gvv)AbBJQ_s@7=-GOX-c|3WEyjxu
zd*NH&9+0x{^q!il@2&UJ_tAUneYBTQ!{_zB+Kc+WdOv+XJx}jXUu5eC>I3wF`a$|2
z{a}3HbcnW1AEF<s=j%iDh#u8r_*^os7izC*FKe&pMcS+SF#I3;;d-%tn0~l^1pYVj
zQToyP2)#rv)ywp9y+TjuBek{qD1EekjDD;>Mn6uQp^w$a>Erd|wYRj_wKwn@NsT^1
zpNOxpChJr5srm`}iTX7CB>iOlC)$<T{rV~TsrqSnuVlJjsaNUM`V75BpQ+dCr|Yxy
zI(@dbUa!ahu$ZHtp*QMHdb8f5&&59|I8%F9ds}-)pO3dk7U+2YQU95KwtkL&uKsiV
zJpFupv2~$-k$$m$iT(?Hp?;~pNWToP{$HUl);`m()c&krrT<dDTE9lWR@<Oor(duC
zO8Yzh!@~{wuk{<X(;*?V&^zk%oAjHtdi@rCiGHhooBkX9cKx^d@ANzLrTU$CYWQyb
z9&L$!ul{@eKK*|5ksbOUaOLI!{g3*C`a`;oml&ZNus&_lAJHGx|D->r|5<-r|BL>F
z{-nN4e@cH^e@0)9*MPp(SLn~_&+9MfFX}JheVJGESMmN2X}-Do>)Jg14gF31E&Xl%
z9sOPXui9VrmHOZG_w@JmRr&||YW+ifjsB6oR$r&B)7R@C>l^e>^o{!8wKMfk_0RNH
z{d0Yjwg7$jr`pf7v-B_Y&H9)6S9oV*i@sHF)BmY&)4$fg(QeiLpnt1x*T2(u=q@ho
z>IOcY!b{T@UITE9H2hzM41BYeiT8oK7}?q{j2xpYz9Z~z>}BK{J+Qt$TRYe2sr}s8
z8y8#mF?!>F<@Gi8HToI*8F@y3V}IiS<3MA8G0-^37-Sr53^ooih8Txxtwz4~m@(9d
z7*Qi;6lk9qaeT8?q<yMwGKS&CWwCLXakz1WainpSakMc4Uze8}Wk$JCfjxqe#wcU7
zag1@SF~&H~7;B6(#v8|Dmt~?c$(U?RF{T<P7$+LjjFXI$ji2D1gHw&ujHEH$s5GjK
zYGVd=6J{E<#_7f^qt2LZ)Ef=P9ODdp0nlVL8!dRNV4iWNG2d8V{1jL3e`cI*oMW78
z{M<OtIN!LyxX`%BxESAQ{=!&jT#6SIE;BASt}qrGR~lCtzcj8kt}(7PuER?TzcOyX
ziwZXyHyJk@w-`%|TaDX{-x#+Wzcqem++i#=?lkVgcYya8_Zq)9?lbN;{$M;{{Ly&O
zc*uCzc*J-V-vmBp{MmTi_>1v`@uacLc*=O%c*a<6JZr2lo->{|UNBxXUNT-bUNK%Z
zUNc@d-Z0)Y-ZI`c-Z9?A*Ssr@zZvft?;ES|742%{Lt~Bck+IfTXRJ3qHZ~Za7#oeh
z8=q>wHa;_2jn9ou#uvtB<4fZ!yiKsh*lM&H|1`E4UmM>T-x}ME?~ENdoYYL+G)&VJ
zre)fuW2TwuW`>z*W|>{gY%|B~YIZZbn|qnLW)HKcxwqNN+{f%~_A&dK`<ngC{meYG
zzqvo&>^;yNU=B17G6&&1+`;A{<`DBxGv6F)M$D)gGYibPS!foS!_47kv3VHwhmJ6h
z#JS?p<_NRIEH%r_a<jrrm?O<m=4kU6^H_5X{%h4(a~uvOjyETm6U|BHWOIr+)jYvG
z(VS+UWS(sP#5~13)jZ8in$yinv&yVCXP7nSOtaQJ-JE6CnX}D$v%#EWo?$kcO=h#%
zV$L<^nP-~w%?0L9&9ls(nP;2lnCF^5H_tQAH!m<RG%qqQHZL)MVJ<W;H5ZwenU|Ya
zn2XIT&8y5`npd0GnAe)unb(`YGH)<{ZQf|!WZrDvVlFXnHE%P2W8QB5*8H7$hq=_e
z)4a>P+q}oT*ZjSCpLxIe2lD~*kLH8sL*~QgBj%&#pUlV1Kbw!6e=(mhpEQ@5Pnl1f
z&zQ^2XU!GnbLR8r3+9XFOXkbwE9R@_Yv$|b8|ItlTjty5JLbFQU(J=~-^};S_sv!2
z2j*(?LvxM!k-64fXRbFtHaD1`m>bQ%o1dDWnXTsM<|gwCbF=xS`IY$(bBnpvY%~99
zZZp3&zcIfxx0~OYJ4_d^1?s{OrVs+}iU>!fiFA>Hca^h57m+P;L|4&GbQgPxT+u`H
z6nl$aVjt04^bvi<zM`MlPvnXIVt;XfI8Y1_1I0mNkT_Tj7Kex-;!u$<hKh)YikK)6
zaZxCW#4s^j6pO>e;o=B!q&P|(Ek=kEQ7Xzrxu_5cF;a{Yqs1}eSTRN%C&r3#V!SwB
zOb`>rBr#b`5mUtp;zTh`oFq;bKM|*hQ^jc_DW;1`Q6;Ly3{fLyidu2Hm?i4OY*8;7
z#2j&kXcSGNS+t0`VxBlt%ohv9PsLf{XX0#ejyPBRT%0G)7Z->N#YN&`af$eaSST(P
zi^OH(a&d)NEUpw+iC>DV#Wmtuah<qc{7T#)el2bkH;J3YEn<ndRoo_iBW@SJ6~7aA
zh^69AahJGT+#~K4zZdt3`^6u`1LBY3LGh4ySUe(d){4#XT%2vte<bXMbC%w?;nr9D
zNjxV0EFKqs5l@IG#WL}fcv?IomWyY_3h|tHUc4Y)6fcRF#Vg`f@tSyDydmBcZ;7|X
zJK|mOSFuw3O}r=G7puevVzu~CtPvlHwPKxEj}tOFv+JkbjXl%f;MUP?xU*|%4{MKT
z4{8r-%e7~<C$uNEJGHyCuHs|d?EItHAU+Wr#ox7Ow2QS;@u~O>cQvx`nB)k&Q+FD6
zQcuM_$&EOjI1gXPUZh<jTE*vLllVex7GH|5#6QFqu~oE*e~NA5Yw?ZvR=ZSe*A{Av
z#CKwcaJ2(0O|vcCGAz>)mSx$NgEyVi@pOHrm1T9YvaKAetJTfwZtZ2|T0N|u*4|bx
zYagq()yL{<?Q8Y3_OtS={?`810oH-m0BfLikTu9U*cxmdVhynlweqc@R>X>0F{{9e
zTZLAUHOv}r6<dc{hg(NjM_NZ&M_VJT606iIv&yXsD`AbaMp>ir?~#wS##qN$W36%4
zc<Xp;f;G{aWKFiFSW~SNtP`zi)=AdM)=#WctW&MitfV#Fs<f)CYHNm7W6iW`t<$Yp
zR-HB5s<#@fIo26gqt#?JTP@aHYo2wcHQ!ob{nR?k`k8gMb&hqe^>gby>wN11>q6@y
z>tgE?>lfBS>r!ixb(wX!b%nLqy3)GJ`lWTXb&Ykcb)9v+^(*TJ>(|ze)=k#U)-Bc&
z>sISF>o?Zz)^DxfS$9}Vtvju|th=pytb48BTlZP_TYs<~u>NR0Xgy>-Y&~K<YW>N2
z%=)wSxb+w73F}E~ne~+QwDpX&+<MkpVLfL(Z@pl>XuV{;Y`tQ=YQ1K?ZoOf>X}x8=
zZM|c?YyH()Y5mQ5&wAflWqn|+wm!7hSRYwyt##IV>tkz!^@+97`n&b1^_kUbeQs^C
zzOXi1Us_*T|FE`LTdg+hpVl_(YwH{9TWh=ZowdVqZOzv4?SyFy+p=xjvD55yJHyVj
zv+$4Svh5tZtKH4+ZtrF1+CA)^_TF|cdmp>E-N){0?`!w7_p|ft{`UU%0rr9R0DGW)
zkUhvg*dA;jVh^zowe#(vcEpa_F}uKy+l6+KJ<J|%7u$!~hucTkN7_f(N82Op61&tc
zv&-!YJAvcCQTAy282eazjD4Iv)*fe%w~x0c*c0tZ_GEjCJ=H$JKGB|LpJbnG|HMAU
zKGi<WPTJG$O1sLgwrAKi_Ds7LceZEQb@pt#-fpnx*k{;{c9Y#~x8NK5dG?w1e0zcY
zQ~NCYXZG3lIrh2s&+YT<^X&`l3+;>Si|tG7U)T%nOYKGWW%lLv74~BLO8YANm-f~6
zHTJdkb@ui4uk0J_U)wj@H`zC9H`%vnH``0>TkYHI-`Ka?zqNm7-(fGc@3il-@3!x;
z@3nt#-)G-%|G|F1{-gb%{gC~z{fPaj{U`e|`_J~{_FwEL>?iGI_EYxL_A~Z!`&oO1
z{ha;0{eu0X{gVB%{fhmn{hIx{{f7Of{g(Z<{f_;v{a1UX{WtqP`+a+r{eivO{?J}y
ze`K%4$;)4GqI02kt-a1(uU%k&Y;UkXu{YX(w?DN%vs>-Y?M?O<_GbG_`z!k&_7?4N
zd#l}sbC(s`R-DMR+5fb+*<ah=*x%aQ?eFXzw(Dq)?ih~g2*+}49Atfg|788Bga5~j
zdt?2ztF>$JKMhLoWqwk-L%UtO%1Og(x;JXSb<&*-?N{0jPNtKEXX3M+9H%Ru@aXRB
z<>Wd&oSt~Pv6r)t)7$Ce^mX=i`Z@bKdD@?x{?7i+0nUNW0B4|c5bj2o;f=VJ+DFd8
z&S2*dX9#Z0|4qAGdrx~``#}3pTcxem);RgjP$%L<otRVL#GOK?$QkAgcZ!|EoWq?X
zoFkp1oTHr)PKi_MlsV;2g_CebI-{J?&N0rh&KT!7XRI@hz9e-fI1`;o&SYnbGu1i4
zInkNsoaCJB{KPrMIn_DMNjlS=N~g-Hc4jy=&P=D)Io+A%)H$=AdZ)pe<DB6%I!#Wq
z)8fo^<~e6N^PL6GPo1-zpE+kc=Q!s&KX=Y^&UY?wE_5z(E_N<)e&H;1E_D_;mpPX^
zS2&BEE1j#HUpiMi*ErWY*E!cazjAJHe(l`o+~nNs+~O>8Zgp;RexohZo^ncNCo3Bp
z>g|&0jn#9jotFCANVKe+>}W+vMA<QA$CX{A?BU8TQFfWKE2Lej@|UXor7C}EkyFx8
z(@<YMi_%4+3C<UZR&crqUXPdgBSo2Im9>qPEwg9TRiBwrR@Km)ti*vvvt3@91koy$
zDm7Ap;Kqhzvt1!$D^%4gxM~>{es)EjqP|p7U#jqwD(cG=^<|3sGDUq^ky8;+AFYTo
zH&Bas=ExAWBU6gQky*?h8KOEC$)vhR;=>{Z5w33}T3nDhD!?GAjHyy%C1TX{WTQR0
zxwfvV+8HhDMrqJq37NJ`)u^n*868lFqRTRmNyUrzxK$e#sM;08?J>zp9Lv~ad@7Nu
zRE$AABzixKDyBd&u0Sy?t{4`N*<%@%q%JYs9vea#FO=Bgs$y|PNPM_6PFAYRxS1{W
zHOa=7*>%YlE;|w}kE$xFMk-Tfma8($RW-^L)^dfloN0|j<0^e&%o;bdp;3uWxvD|A
z!dk9URVb`VAkh=-36ePz{F+273Ki}`RaT+GR;aKQR@f6cSLVd_+%M#UBC)7qWsxed
zNL8b_!k*-p6p6}UBv&OAsS=7LnrKmxJz2`dWF_;HS>~<DjX0|6GPwhODv>Ma)&PHp
z$;K)#R(7f6cZK3-MUgXEij*}u;9rFzze3Sfq3Ehmd`v{_sWpwsxz+Ym$%v@|Bhsf<
z)mG!suC~cOk<(<J7(~j#hkIxg5eda;NYpgOmoY7+lSM0vJ^pcyNOU;&3^YFz2zib<
zNyVXLSmCLHN|cn9C<RoaWVM9312JIkz*gKT@f4-%fTb#bsmfof@|O;ClHm@S;CxVc
zsuhN-=8p`^tPGftQR&ytuJWZJS`ksDMiO?l48~bBEAeWn>8kyFl8>c|>{3N`sX|cd
z=?$-QDYDBH*=56=>VRx$Iwd5D!pxcwnKdcJLERMCH6e0iQK{*QSkq<B401~9Vyd)a
z)w;1#F_Sc1t(53mSvN`xF;$EzQ#C3pb!sJr>B`Qpk||^5nWv|ggw|KhSfJ`zP?$BV
zrm?!Z9%sK*wUu_A?BjJzyr@I9B(4G_)_#6fdV%6+f#PFa@iAUt*E1@aJyC4e`}}|`
zs(Sj0P*D{x&a6+)X~6M#!yNqEm<CzzE)5-YUM1z;IPK|wPf3=m`pM26t&p7?Hq#9X
z6upH7RzuL4%T;a4m2{M=R28aLp0HMw+Kr*w6%Ml-{n|w<3Kee(6}Cc!tuSFXajwj!
z_RUhr1wp&1tVOE8q5`|w#|$ONwL&t5xkzCyQgjw8>BN`ZEmCw^RJUl6%CLo%VM_=6
zRN6ug8jv!j*yZp5zo*ueq*kCLr3_mF{#7XQD-?YdioOa(Um|MHlge<OWW>CH5$W@M
zWjJ3d!}&oZNl~;ys<LQBLJ^TrVgu<~!1yv2r1V25LnQ{qoCD3yghgUfjL{twLkqc6
zMPh|4R<ONr$(C55%pa5E9O5OTV`}`16>@t;V#QLtVp0T<PAc7)6b1O1jj-jY74zC%
z4t|lCY<Jj-4zI!S@1&^n<B?=#a|eQ7(NV1M7RhFd6{&KIxdD*Qi}(Dh{9+|{Qh*|{
zVTupKRDFgiI`ASkmp@F=fqz^h{fdrZs@!3!{=-!H!xX=Vsd9&@a;3J9#D=SKhO2Uh
zt8#{`a)v9s!xi4)3h!`*cetw8aD`tEm%yv)Rjle$?6r?7r&!@vauJiGUL;l`<D+uI
zi}oCD&Ny|31#@aG!#enz+0|^0&QGR|W>F;v3t)b-%jiIADVV!qell~kC*AqUbTxC$
zPiBqw<rTriQA}i|D_T)D+;^2wCfVJ*bg?qe6-TU@L|I9XmZV2ZGKCi0-@&{Yv?N2c
zsJQ@TXBCm3bdsbbJnUr^(uEN}>bnYjSE273=DUi0SE=tR_g#MdN_~8#KE6^PUn${J
zGX~Vprze3FT|z@I2(M9uX9c6MERDutif0Y#5fDSMU5M2YIT{0b9TLfbj~ptsO@p6@
zr$BKV(-ps-1%5pXP|viwCc4y=pA<8I&MK*!GczeltDBS7$mHzVN$xHM5W9*wxFOb1
zFQy^NtU&annQ)2GSl3y{Cg;paVhu8TdR5XmuEiMJVw_NmB|$CCY>e@>=7gCI*2LPH
z*-3L!vc;J!QJLds)|zE7<C|(_F(t(rTz+#yeM3{0Dv>>DD3KiyC*{f_mnRTesxX;T
z6~LYx<?&KxjGJ9uBXL<tuIzNw!>XamT2<9`%}J+PRdoR(Op3&1GgP&fsyd6STE|tD
zM3<Hs^)1GkwHWoezGfpT+r*V^MrB)6W#^!xl`!yH4Mc*>tvYOhoE=39<U9a&VFptt
zE2Jo5Pa0@p2c}IPE6C+lFiX)PbE@LmlcPLd$_%E1qq>DLa7b>u#2iR8M-vfNZm{L3
znNX|ngqou!BCPBXFGtfvgq0oqtn6URDSIL!N7qED!l&lC3AM6Hs7Xaat&J0E=9o}R
zsf3zMB%%s`RN;>)d@)5I*3?WlW}Ixtlt1SARsNWlU(pv+^c5(41qz>9dM4DYE1?$C
z2{oros5xh%K;cu1?1Y+YCgdC?nviokY(6ObafLsj{0ZfkD<Gs(^u`svafM$k-4bg4
zmQYK&gqqDH)O;?X=5q--ct;az37Al`pM)HQqlqGq4#lU0DpwB9i1+-84mF!g$R#b}
zy>?acaxjc0<X{L};gy3S{9Za$AGLN&sA*H8OvM)~zR1Z+G*PVZ6f1h<WCGy|PqAu8
zIa!F}VI$f8B?^yP5++I%9<?+~lz8bBo)U$pMAa)IS278_E5Y(4Cm+#-oP0pOc`$~}
zlLFX0Xv5~o2W+{DNJQi`FroI^5^4#Wz#bdpjjD2@UO5V{oYX`UQRR=Sa-yo7s46F>
z^2faVDqc>4qKTNwA5;0&epN!P>Jl+UM@-R)-7}`EK;bR$@T%}(DxKPwN~pD3qCl04
z|FS3Zdw5iOwK7boHBdrr043DMP(rPV5^61!P@7c=wPs7mNgVj^^%qqywHKLC+f@m*
zYD=h%kwk@}M^2)n2{{=C9wiTQ5{PhxPfo7kSM`yTYxq@t<m4LtO8M1RR6?!75^_rl
z@rvKH79oAAc90Tk@st>*<WEjM5wFUZlWO=?`EpVXzba2osv+mfueLH0YKtNvC#}(h
z+S5&_J>7(y#G)T6y5uAle#M{R3g2)=FSbOO?lP5LPFB(Hlsu?i*M!=2O{krngj&=j
z<Rlj96@ImQkdUiDY$+@J358$nWhc}YPa>iCkx+b)liz4UZT%!lyl{oTMA5Idf)aB1
zg)x@Pfz5IQoAn56?)Q-b*=~`7VHN4g`iAD}y6W0w7vGg%nVds>Ks=WRyU^lMGMypC
zckzZ=fAmBuC0%N-I-z!S5^6^$kx<%3tvwTR!wFnb+DNVO6KWeZp*B7fY9}F~*8T~#
z2cA%C*@W8IOO)}R4y2%*D5U)zNK8fGu1Ey#L?}&J$Xy<CW1{WjDG#}^APB<Q&D@Gh
ztrm$(tp=N06E?RtY{|{I)MD@#@d5+3n$(hOy22$}FfL~dNGn@19xYLMXaPcPgb+WE
zY~{F|H6TW|c09^_ho7~4BrdflY?f-+icYC5;a7A@Z3#b18Ei$9oQ1%zXp*xI_*MBa
z?&a{S@?)xeIqQhT<tPJNl`lsX_!Xbzr~*GrIc!yaWSFdR1QUMAB{^S13Pp*WpTVyv
ziIk}v-qI`{Df74`=WIx;sFQQHNL(%S<7%NDSA8I^7OrvG=OgiA)q2H#>%pa3PmbqE
zqgt!jZ!Ne~nv#g5tt8^LBwSvcY7sepN8)mvj>P473R}g?@f3dUd6Bs68L*=gcbQty
zQHY0I&Bx>NP$Cjn`%7`PzZ6%;3vsFIBXK#Gg01)@byOrS$4c0$73J6nziLG}Ho~u3
zu|V;wz~>iSs=jLTCobos$fMe`K=H4@=O0{No>D0Ta!!goO4{U{6n-V`a!ifH<(LXv
z@lKAR@GEJTV<`Me+Tu#u<s25_iYB#dA6FY!aXDv2yeeNF>cFqcR~uPzwILN(8(ML-
zp%s^7ZX~WYwBl+*D_*Fiz0j9-wY3#jTUl|nl@(W8S@A+8?S;Oy!=<<-XUHf;wW8YQ
zimUCcxY|yNt8JvX+MbEakqwfps3}&9Z3^*lt1Y&8ajBHLVztSDG^Jje5+#w|mIY+m
zmq<CfAw;#PoQ*=Nm1N1$9)8s#ay15-jwvaRc|E8s=9MSM3`n=ap^lW|YGjP7kuk3J
zkK=O20x4ImEXSxwJW;^s1d#IlrbgyvEE+Ac=`*SPh$F40bhhWzx6Dq%`Efown&&mJ
zBcpjHHuKq;J_BE8DOc@Wm9DAwOqs3;C*AeZSxsMG$%Oc-OD0rh%}JAG&QXOndxf%t
z3MGdsl$^3q>7qh89Tm#yWTEVog>phJlwDj{gI5MSs0?zbGRP^*kS;2N(@`0mPL{z=
zSq3NMGB_cZfdSPa-jPiuz)qK(gDZ_0#|}bIX$U)|k;us<aZ@5jO^IlHjL74#ScP26
z!Y<92QCri}SY3t9AxeTTM_EP1FfWpRsX7qOssQ0Upv7=3F5{&tfS;FJi07^!E06;(
zY|k(8707`%HcYBi*b+~L9C%|Da^Qu{stC5ECn}G&V$oQ{Zo#6cs6<+&PO=%5Z>qLx
z^P3xIiIV)LN>NInj6gYo3IYiNBMFQmFq*(I1db&zhQM(I#u6AuU_6222}~d`k-#JZ
zlL<^AFqOaw1WqI{4IsTl?sJk$Zge(PW|xF^Iw?YKbv9LIm3UJ}<jhbvJs64HG;FF&
zE8*=<#8Ly|;s+&!6C0k9z!?ji@xWOWIEM#L;*i2XEK*M5k#v>@cuNDkr2*bj#;fj!
zAe&X<Wu}WF3J={C@tn9W;$x3cW?UMnuBxr8OTwLA=5r}@m4qYYR%cUXm*8Frh0CiY
za7lVGi}9UA2;%9E3Arl#rl{}>sYq=Kc@qVRvns+(p>C!y60a$`1ou-Au9y`twlrXD
zX+Tn`#~bXJ2aJVo_ArzMj4flvs;eu00?dPDTDrgjXLjfg3%uzgefok6Eq;y|6_hTo
zwWvTe3=xve3PE0O@sk%*LuH4qxCD6uGGkOxhwi$-PFF_^<nnnOK4hQ>U)+OZ22{yA
zXFvmo4jR0=VqxL4C}46KGub<A@Y3S60c3}6(5S39LGzf0t?_{81yq@Id7Fk^o}^Ku
zA`|HkhpyEqJjfiv6HtQ*7~zpy>mIcQL5s(O7LRj7$XhoGE83G#rH}PWPao?sO41Q8
z^vjP2?2iYe#5w;sU&_b%Eif)s%Ex(#v&My`TwUiuDP2=;^!NmpW29G-UKYqS)`DJW
zc~HahfWPGdwdDb|<&s*DTh=&2lg5{Q0(?OyDh~?8g3~LoA}BCWFi?gn0nSi^w1v!b
zc`wLEP{>rsTS9)O!hp&`4^^}RGe)o2Lc*FZFAKqy9l9^X5ndC@hU3)i#Qh;3M^Qj}
z5mDBq2A{FxUc>Y{e3!4dT+HRjn?)*+E*E)D+%NKz76sH5d38ows!94}UnC~`A~88t
zB;<7@B+i-~772AdiII4UC5<mBA*gH0JtYLl>Xv)z9S8BA$ig`+NKhO&sc%uXXhlUJ
zB^Atnb$<y7()bEfkTPJR-_pn*FrdO?08ZbD%jxn`6T5r{gswIrBFn$sM5*KjCwBSi
zL${qM{fS{VaRr8lN)76g2xLk2Z+R1na8L8Zq)Tuu3gMC+#a=7pUI1aUE1GA*N}EI%
z7*r~{FXcONvg)+}>o%U8<02J8lWBay2A4yJe6Z8_oX^XEqdsz~vo}gc2Y#?oD5vIQ
zKMEg>Gbh+-eE0_kv?iVZ!DSuSLU1g@6Kdhcp&Or#QSf*QuyG;?D~%5Y$&YhESQ(S$
zX&Hs!bdW3@5VEg{@sJiSC?TQAq4GnF@2;|jf^xX3bh6ddG96jEpbCL6hYtb+KT9lj
zr;t!NJr##NA+H7C^hFvwRY6)`x@mXH$KVS(cBq0-U*>67%1`TwKZ@|g7fx?h2d5`f
zaQaP+T`C^~4v0NuJh;nR;3U}(4d{&p^u_{uV*$OffZkX@FAwkvZ$K{(vMMy7Hx|$v
z3+Rmm^hN@DBLROS0lkrc-bg?%&l6>7*y6&Jkz^vy&ZG(sXpaQ6M*?0)0^0pKB2Wah
zM*`X-0qudd#kQBv)nNgZ#X;r#K8xjjz~JJ5GHh{q?c&eZvA7TLmV^=n<oI)N+TQXp
z$cZ;I!k=u?K9`>W8(Us!{=kf7e?YoF8Y46yG8jm)(dA>P2qg$8OAt9($=P^<r3qsf
zJaRFPK1@qiShQkApO*_(MDu!;Y+9}&o>r@fmy1<6<XRO8c&Q2vQ+;M7PTrBGi*!{r
z%p?7mc}7ch6TR^QcaG;)aoK0IVCTLG7enf(3?zjY11sEF?5?Yx(F{))_V80l5{pcx
zV!L|Tyaeep=i{Ou6_{RKPfKKW%~r0gIe5dT-owluFJty}T)>-E-K-*Wl-G;SB0mlq
zBu(t`qU82T6OQG1`-C0LQG}>n1`3nA4ARAXr3}njN~d^BPQ_iyBKZqfc8G9zbHb#<
zpNY1uZ9vn)oq;EzW+&O{Q8wM93=T=z^nkMIK4s*Rlp&p@4Cy?|;Pfa%LPgp1RLZ8e
zqilMJGUWFtLw?>hsj6>~TTbjC%E+O3Mo!5y=_1NF9Z|;VBxUTBlyO3)j9ej}kvGgU
z@_RfZx1x-kk}~WHHF9gRgD4}1qKur9GU+19I2}>O=_F<Bl$3Eori@%6%E%k0jQk#D
z<W`iCvr9u`)r{)dwTvcdLkpp`ZD>rgFfx$^O-U9yKUvU_WMK=1ENr5XHCkHONFg7#
zQpmz)3R&1rA#1F(u%$x2@zOe8S`(x-QCgFvHCb9yq%~DqCrIl=X<?&<kV(O`r%PX@
zw4~tL&;yiYhO}y=g$_)Cm}HQ3y0m6V3(A55p?JtbrzZ=ljI24*Izw8G(rS_x^a>?u
zk=9&k&65^19mUO;)&jP8CoWbd_hMt}1R|#PW@GZ4FA}SWWLB$5JTPQdt63@BSu_CP
z3a7-$EJ)g1zogA|NTQi>hl}GgJq^Z4ln!IJ(qeGi^P%F(#)^uT#s(%XS{&=bC}u;Y
zHzynCi@MrIK4pqUN{Z|`co`1&r$7e0#iFXAzD9cF9(61tPh?=rExd@lWDh^@C&T6w
z8e~>mjPhm>!sS+BELxZ$7l|{VCaL4#^{&RMbaWhcG;wKBc}9T5a$_<o&*kBl8<A0Y
zG626UEm{~!2P*DCGqZSflJ2HV(o@Qv#hp!gR5{#Iz{6)HSkTE@sLRk1uXZtcGKURH
zMNhOKoyM!#^wyrlgj2I*V`Ia-7T%2of>=8HX%OQSh4Ks>_i!bSLU|V|HVkFsO}1o>
z%2_B+0dQ|urNe0e$5$ylij#$9e1`-0WF3m+sVwgCO8+o<8XGH;cYd&WE9)4M=T`8`
z^QxF^xkyZ%HpJwYSn$gel$bo#j>P00F4*$qASUl*!7ooUV)Bj;=#i(Q1rhm;6>Q$X
zCdno@%M)Dky9C&w*r*>H<2hjgW|iLlHontRVFjVExC)Dh!U|PbVJJ+V$rWJcDQBDP
zO3vZ_#_ph)VJiEuQ1;;}Y<MWFScMgb!b((FNhqvTg_VZF%2Zexh4JA|0j9Cs@4%Xb
ziVcq33!;i$QDzqjRHPs(kA+}+Y=c<Jm;yh9I}FmwMk|mP@8Fk>rgrk-=k5txHoDr$
zhs>~$!Ip=e1?tGWKpmOmwP{%*mLQ7ynBpH+B0f)Jiho#=1YwFIb*NqtQ(~hI(F@ce
zdVxBAEl|g=1?sr9KpmYH$m0%3wW^UiCM{6Mqy=#$O4y|H%T`CA1x20^4kv-kks``&
zO3PPu3nJ2AquPXgkx)t&?odhycqpYOvXm<x%EjUuN>>(&W0_EK=%qeg>?XQGaULZU
z$CQNPiWN?ZV;K#_6@=orJE^#$P<iYQl}CQBJa)H>^U9;RaCzkS%42sZAJJA6q6OX4
zuOF^S_;qJ@5Ql>z#7UajtyB%W70;t6)lWliFAce+G)I(5jzorKG|j=RJ)Z`ptorGJ
zhgEk(%3`7-fd}&OAD&#if~CVH|7pWE_|Af%*K3c(t5rH)L^>UiUJ^6#75DjY--~yh
zbi4`i5a9dx)>+3l+HIOnuTuf`(tBwJUX~gHcTA7LU5Hnu47?as4p^aAAbccVj?(c~
z)L4Wx>dkO3&=&wM)E6S;R{b`(AJZQPd_rFa__Y2s;Bx&9z_;|b0axlP0YA_`2K+?-
z6tGoq1>A%ek953p^sT1j6(c-mM6VbD;!|;ibT{x%*Nq-{wMfUyMEwB|F+e9?Ac`VQ
zp@CZCt)ZheftQBL04t0Nz>&sCz~hYL0LK~Q04Ep|0H+vJ08cVbLf%u1QvgphP6LK2
zqY7|_F#~X>f&V^;7l!Hq=NNe77jFzT0nRh#0iJ7|i(Ka$=L24Bo~jvmqb8~8c%`Ni
zupaM=3%pA+2XL;5|5A?^Y32i7VqSvSOU+9GFEcL(yvn=^@M`mFz#GgP0B<pG0ldxp
z4d5N-9e{V5cLOdn!B2WC2Jl1kL%_A>TELG@aFSky0c<tFNxTUIPU1BfyoZdJV7><2
zZhnUse(?ur3JWkp;6G^Mm6zUtc*_N_SQG<3CEf$XJ0F^kS2}V42U&vvCs-2zPq0n^
zoMV9-^u7h)jn<8Tc&`HRH`Z?f@m2*O-l_n+*SZ(*J_}Mu?^OUkXgvt{r1c~qUZ?<E
zZY>8~VXXjs&3aAK@nwHDU@r&HisLK(et`QqM`$L#x~~DObuPopZidz$q5B~Y-}eLJ
z`+mTK@W0S>eA$06;2{ob<s9nd14i-x8FhTiUjSH$|JSMGd;Vd7#SZF>Z~6}hJjyu=
za0LEao{sPOD*z`t69MskK47g=3y81t0qY&q-)VFj0h^s>z`4#`z%!jQ0T(#v5BN&|
zEWop!vjNX_&ILTr0l)CI{sn*+ITrz5f|^kOC6l48HzAqji7}J3-j(wk>$D;GC~=lH
zp)T1>Z%yLgmhy|*WM|-QnSOx!#0jN&^!7G1fdH0Fyg0L;@)^(yJ+-`0KKeg|d*gkD
z{WYs(T1B1~DVs1UPdjSt#N+a`F%yrSn5RvfG~rl!EmGnWc$uLWQcItOH)i(1JKWM|
z<9|c+#_M|0=imjJK6q(Q`qJ=zOkcdZCw=r1&c5^l-z+?At9`|A8^aw0b-^%$VONGd
z8TMtkKf^)v$g-Z#u$<vEhI1HR#PCLj4={Y5;cA9kX3v^E%gA8Zm0?eYeHrf0a1g_M
zhH-|6F&xoUyP(=gFg%9gScVfAPGLBW;VBHKGn~QjbhH!R4FAE9UJ%zI<tAFt!hhUy
z@S=vs|84!hKU7!skahe%a4C3jJIoT88)2@8xf*6M%p#aeU@m~kgyhl-#u2>iI07#@
zj>l__r$Mp>;&i+v$+j3MZ6~7aW0d`{v@=zF<_P6qsO(L6+y;2EPDcBnO}ZR$;IsiJ
z512bJa#U{3po`vpd<y!j_tT%h{e?7?nWeo7YBc@D|7vqSUa`!@OO<*0K+F?jcw_P?
z%nov4AA`3ed&5k@3z5_D5@bEzd|aTPi`N`aMxI4Te--|E<ITq2_`4ZzGUg)nU9j)h
zAIAHNPva%USMgfnd-@v0Z=g8=Fx2DC!(;ewJW@Z5m~HwFL*TVTF2%^edxkx^q>GHc
z2s_!>Uw_&d1cU!R0$ScP4%4qPM(C}0d2kF~BAlRS8z<-kG3HkprvuwX#vGWrcq{Nc
z;}ZCL16Q-&8}9;MjW+<7;Jv?l@V4Khc*k!!-t2oF@AIv~TYMO4@c^lf*~&fywM7QT
zOuZ+ET+i-o4qs<{jPM+G|ANA`h4>!{x^@{s{Si(dXLul|X=B*R@DAfDq}i8a9flV&
z)EQ<n{53(~BuegLn5)xlt~ZA-;*flX{TK>{hcL7$rRI`b+sYv{+tRg-43}`o5O%L%
z_ix$#9K(k=WH`gU8TR4uPZ+*zbO8-nI%XgGp&YW1c@p82xeN`4%^dqJ!+&td&ln!e
z@F0c<Fg%N(_7=NuW7wBNwi$7hvOmKv3^j(s2x`}{`w)gx84hPy$Z!Zj)SVz+umql-
z#%hKy1NJBUE2gZt9<f<?+YIBXKK_5q%*2aDtF`rbVRJM7+O+L>XErURFAns3<5Aof
zr)Vpwk7%2b61@@cu@0npJogpqm5Zo9BF*(kLA~)V#HaSef#^R|5K29g`r}u!@5w%g
zcS85ao1o}rc<Zw#dKUT@dfNoN-gydo*n38m{uNRlh7{EE#y}TrK#%(hGimN^;HqZa
z20r&;IE3L;hDR~%&#-~vc!Fq6N?*h9Xb!o7-9KYEmf;kJM=&g6cmTtm4975(c>1#2
zX4sD)-ama9_)lSXHx56UVI#w%S>CQ-Imu%83JxE{@DB{97<U1~M27ov$Vi59h7T}w
z7=Fm`FoIfGh6@bLO7ZW8NE)R)XR~_*!?08z$ssJ;cng%$cOv0>0mtSLl+vyb<&YYN
z++URZKg}WCje+3CNnDFz<kq7Ewe19#Pg{N(+*z38p#^CU%0_C#zY<@TmoFc~DSGng
zh<PC9f?Y6=9E6vb<9KCxghua+)63oy;KF)>he~iBHrAjFdosko=SJ*ChM#i?{-ZiV
zb}-z+A^izH)3zLI1yFT5X1JPu?!V0}#tY2(cx(AEyr!JMyU7#qF7hdO|M+ygbUYWY
z8J~xji!a9u#Z`EdcnRJdz6b9LKZ=#`@2~=XQGXpT0Y8EFf7c@SMyz+YAmuj({^1*5
z>&-H{>yP3U-hOy-cQ7zj;dR|2q`lfWLVv<2MZPD1;~u=8I~FhHPBU!%bgWrtAWwJ1
z*BOnpe#YCkXVV`rUVt}l7ZXMp8}Xy?w(X4wzs;BixD+qfK8ROpml-Sc1YV+j6aVXb
zrLh|L*CWNJ`gwR$b_L%1?T+_kx0}$`cwzT8_EWwU@KKJ{e(J$U@tCo~q?wN9eu{SN
z!|-s1r!XvLco0GD7IvS`a6E@x$L?%~V;Jtw@EnFGFq}eAyOrG|8TMk>li^+rf5osn
z!!(Ay89EFHFdWXX3qkF6hF`mV;9kh?aW3{4v|n(VM;IQ!;pe&37k*Dr+sGlGaqLir
z7c$g2e4UGRv$mB(su^C-a0tVF86L{82SM#ShC4Xq0CzA-DdCV647YRmgX|v7?mUKj
zGwjDOi{X<@VVvE~1hsAKK7?Tb!$Ayl7?v^|Mo?SJ?jspaWmv>8N>FQKcMU_EVSj>8
zJ+N#7Vt3L8+BVdoKf$N2eG2;neu|!0$MnSNFwh2&7kx8QuQ$$v*6D9t3wINT+=utA
zb-cg59q<#QH{f*?{?y4&O%Gx0hq-<~tV9Q6c3lK`1pceQD7@D`32Er3>vuA|jG*>M
zb|1s=Ifm02ngq4)*iCB+q8{+6u21zuxL3dZ+vzc>$?~DcPQbgVUU?sK{)Ggw=SH}u
zFdV}n53rloEZ9Y3SjccFL)LGPH!gdEOXU@Vh84qqu`#iWkc&TXheu7#Sj+C$HT}so
zyq>xOI`uGU%wWZUxrs4KY_K16+R{d(CDLEdoR)c7W@F~LnF}))XI`7xnz<t@Evt9d
zsI2;|3$kv=T9&n;i|CTwrB|1JUCO(h-eqx@hr6uGHnIn0kIg<UyD|HM>}#`^W<Qp_
zEc?am*R$WvUX{HzyEXf(>}@$lPF7C$oL)Koat_QHoD<JEEN4VcB4<p_+?=y=&da$Z
z=c=3=bMDHyKj-P3=X1X5+O_N8uA{on=z4Y6yShH!_06tpy4l?h>{i;Xs@vJ!?&-Fo
z+p6w^yPw(p?CuwIU)cTr?r(Nq*?o2Q^|@nnPs?r0Ju~<6+$FgW<UXIfI(L2Ujvk^%
zMvuNdVm*fU7~7+&$LT#5^|-6Y<2|14v9iafJ#%{w?pfY*Y|nFhKHU>M(vQ?~^rN&q
z{b-mG*oVo`57%<_BRFOVV#*Oyj+h~OiME$sig4_G>IwX}14GQko4;pbw?-HDx#&H+
zgokQ9-1XYt?gp)wyG`p2ccHsldlvQznCD=ghj{_!MVPfnvkqoG%*QYr5cUboMwq|D
zd<yd!Oe@Ui?t1+}ceVZy%)>B`z&r}`HOx2eYH^mkO8ng2AkK$b=(dSVVHUw$2D2FE
zN|;;Sx5ZMVy9?%Sca@XwZg4U{>m8uF6;y9xiu<~4&<AOlucv8wF#E$l81@ht>=fg_
zJ{Veo`z>nKidwazR;{R2D{9q>TD9)37SO0|+Sf4Oz<dj{9p*cj9Wbujh9y;-uEQ8G
zCX9fwU~Cu%CJiPXCIcoDCJUwuOg2moOjnq_v@|^zrUy(<n7v_o!R!Om8>SCTUzmMi
zP*)vw)lpZyKg|9x2f!Q%GXQ2F%t0`NU=D@>FZ4rTzz_XUn0%Bs6ea=_g^9rwz{Ft+
zVUkEQ9i|ed3Z@!n222giOqg1j(_v=8)WOV#sfTHRnFDhMOe0JaOfyUi%v_jxFlWNd
zhgkr#6sHGw!rTROH_X!rdj@7X%nF!SVP1oI9cDeu$1oeTG@J*d;XfFp8Q_rt9vR>f
z#)>opJTkx|13WUoBLh4#z$2U-q#59m0UjCPkpUiIUYllsM+SIgfJX*+WPnFFUr57$
zJ4nNSJ4iEz!bD)AFfo_{m^l8I-$F?5r7(+NE`wPNb0y4G?k0i%zK*k(Oh{EOOwhO5
zAgQagzV247KO~VPbSR`Z>VBieU<%Mru|ut0h&+FRc>?B1m}M|e!8{G~3{2<!vJL&R
z4gInW{jv=by$bzu75e2W^vhM~m#fe(SD|07Lcd%EiQWo{-U^A{3W?qdiQWo{-U^A{
z3W?qdiQWo{-U^A{3W?qdiQWo{-U^A{3W?qdiQWo{-U^A{3W?qdiQWo{-U^A{3W?qd
ziQc+fDO>1n(l3Qs1ale8<uF&kEQVR?exu(Ba~I6rFb`tnd<ceCYmdM@3iBn>;hckJ
z42I!;YgjNg%u(*Q&?{}wD{bN;_e*gJ49=;<r7(+NE`wPNb0y4G?ly4?TJBbNqj(hQ
z{sjGko(dh)=3MQ5>s*7j8jsdosq_tL$jw?GXuiH^jRD|vAvE2Ei0@ptY(`6LMoVl)
zOKe6<Y(`6LMoVl)OKjFQ0oNBWn_<3$`3hzmaDNT+4a~PN+hM+g*#YCat!SNAv`#Bp
zrxmT!iq>gG>$IYETG2YKXq{HHPAgic6|K{X)@eoSw4!xd(K@YYomPDm`uT&<&=0{p
z4D$%gqcD#n{1upwV7`Fa4D&U@zj4=#7I(Rr3o{?)0+<V77P_0!7dE3WY(`($jJ~iL
zePOe>$!$en=p+7w@xFUVTd&;(r`Cc~Yr(0t;M7`hYAram7MxlOPOU{7eWmI4zTm-h
zw8$f9g*LRpI_^sY+#MRU8nnFyZ7<L&ZD^H8z}+@*w+-BF19#iN-8OJ{9k{y=++7Fm
zt^;@1fxGL#-F4vZI&gO#xVsMAT?g*219#VfyX(N+b>QwgaCaTJyAIr42kx!|ch`Zt
z>%iT0;O;tbcinDff0VmJKM$ORjOrJ_TnKX!%*8O5z%0dBekaUbFnHk~E!BpWYC}u4
zp{3f;Qf+9d9cZZ?XsI1K>WS9cf!5lA)@nm*wV}0^qP3QywU&x=wO;5Go5gvs&xd^h
z!Y+il2(5Gp%tEy8r7(+NE`wPNb0y4G?iRG<MsbTK(3*L8mAe=E$7b}8%?|Ci|NkxV
zzojLpXKX?%QNO#@y+`&v7ym#QzGcvDFG07x1dS*AWG43{+MPZGt=Pku>3(RO<F*>D
z?j~as48{io<AZ_m!NB-nI__pO4JKX7H8b2*W{&$$vnxzDt-smV-DLKIDTOJAsdqmV
z_qng(<U3vKij>=savM^1#d$fP*&Qy#A<U11&dWrZAEL|;QRasz^TSYi-y-EdfaM=5
ze}64~r_|}%ATvjE%&suqv?xk}E?|0dP#Tp;w06f?D1~ML<F~;0txwUOVcfG+c;?>y
z2K0Y}l0cQuf&Q44TWAA7aW8a#c&2`@`{5qeYR_o+zmQ6>PJ=%4bQ0vBwA{ZVL^oQn
zk6}QvpSLhW!m5f|jMi2k_-+abr;u@7wAxT;I9_51;|Z{}mkqDHY}$nt*JF&!5NB(S
zI0xojEmQm)_Ia?+*Bof+OeY<7223XQN_2ArXjhQwHpIT}C!z@bE^wKYDztVax`Y^m
zk>ohcYsX@hHUV=T9U+@h_OS@Zo*m-0Ag)b}b61M-u#bm-g8QDB<hI&(yYB&`#L$LR
zn>fV;*pu8g#Ntd9v8}*Cv27~06|tK*-zpX3<y%iN$hVneHz>Ni*j0$#z*sXu-Fjf&
zf)uU5+zRS$2KG-u-C9t$MNEV(DSRG%aST#Z`KTX4*E0^PxkuS1uDK<qyW2%2(p8}b
zGca?UiJ7#C(9H-TU#pfbl8B!U>@wXJQ4RkLlsMD9OPtQN{s7cZ2R8#un+OwPKj)Gu
zcD<ip=3R@}Er{KM)khL#1tkzAl>a@XAl_^MPlNp7*fvN<5}2o>UX>`n3Z@!!fEfs@
z0hOR%)VgaFm8(+lP#q}6dMX7RlQ@VIUd&o;FJr3K-#9_*W1Oh<GN!>k8TL=KT;o*O
z3lVpX=3uX{k8u<1n_=GpdnxQc;$GH+Nb@+-E{FSBj7dK(Hr;v-QWJ*h*iY$?U6!HP
zOBss2l%d#58H&A>q1Zzis*i%X0zD_qT;#4auX9_?hhea)GQUJib#+%+%V65$)T#Gq
z(=hW|f|=J6%)FLhrnLk!ttH|qaP}EU;Bzo9y4Q=>V7~$L7G_uPVde2Y;#a|Z0J9qA
zLzp!%AHl4JSqHNo=3|%*FrUC|g!wznr!b$vw8DH2vkB%4n9VTQ#TEaA!LG3Q8s;1K
zQ>z;ccFQg7o?E#v*pardpKf7y+3E$e56ocqdJ8+!7WRv+GMI9h3YY{8_TjBjFxZ*4
zj)6HA2D-pH4rVOOI2iOc>v)(6FcV=W!Aypk0)xF~>jan+VWz=McQ;y<FjX+sFf(9k
zU}nP9!d&fsX<Y+zEzET=*SlY0w)3tgtash_tkp0ZVYWis>>NTGdZiq1k$O8)??CDu
zNWHy-)RccmD9w&ea`O1S6Fym%P1;%90COYEy)gH|`~ezU#!I*}rJdlkwn0l<?dh`j
zaX;yVHr>YRTT8PsN4K%tWM{emw7a<fuydeay29Vh{m$<0ey%x4@i}7K5c{Q_4Lb)K
zq$~7HH|QCGSjxKzp=}h38Dj=f!r__jHkD%=$5CoZ`7L~#fW1x2u+!lp9GS2QPZ#&E
z$nzOeaS4<Pt+;_Pey%8`lD2Yw8+n6J%%KqT8DcPEF~+XQnI*=cH_FjtvltIOJi+}4
z8vFyL0ZGSw0L}FQG}lsSu1~NpD#tC13}}<FFynw>JnZA$uaLVHBf}P8XoIHQ0xWBx
z8NWjAPoWvNkY<GL_C~8o(8HdVm)dcQmLtY!-GRFwaQ6f5R^aXj+}o7aZWEPSPl20#
zqFT!pGho*st`_4d;WqAE4=K^^$-ZYSbWbKu)mq&){B3eK@ZaBYD$v2t{i1_F3Ziq>
zoqzwELye{AmEgdjdxl_bVu1sjz=KvupRsf!$K>C048pr1W*cTB-L>xE%w~5j;987K
zDL>@(Qf%rtMM`qzaUXKuhQ{!G+dQl&fm))~k7)x1-!dJl+)h#$OR;N@I-PlM7H(56
zK>jSG{KCE8ec%0y`!{zv)${+}58PY^9^CVPujVY(>)rPtP0zcJxSvA4-(%NWcO}WJ
z`z1ow!#wYP04}WpTo2gl(y8Eo^$$85Kb#_~U&z(QF?7F!e=^4X2K?Y&hduKDwLjJ^
zA>HHN`eTvm-V^AX9}DMy10Klw+u8{CFPeacT;_g>v&k*w=brI4B;rfNEc<V$$@ihr
zec2na-N#fuHC7`=qrT&Ze;>5}a$0B~jE9(?Xc$jZeiSBSQi3UrM^JC<^kS7XXCZ!*
z`&aDi@6iwC)7bl0z?E=gtly(-KUyNl-v8%+R7csG9aoiF620%sont#{4aUY?Lp!f@
zKSthFFpraQmwGtJFJstViZ;gV3h4o1f6SvGjf1OL0=58>dlhhQ!Pxkoy9OaLYz^i3
zpZ>L%_J21$JTlVw$i492UD}@EN9!KyE<x)panDmZ;HQ}jwL9BhcnG0;2WG(<PAmB5
z-VwOH5HB9Pt@sgiU&6fTZv4H3+;GX19YO(#!HB}JHJICXm^KuMF{ra2=JVgLwXyqz
z)f}M<uP%J_!1qIbozviML?7Yuu(}Ym{`gma?ncl~TH<Ymcee<^^KUc@>1pmJ*cZw}
z_<qQ*b8W2ZoB^!8aO1G&9%H8*9sc|}(>;tm`f<8mJU7YEdbZE?Z>aNXZfB}NPg)J{
z5s{Rr^E$6q?YzfxPp)N8Udd%(J>HH}xJ~whex0{-dvyOZv!eD?{Ad0DC+qy=f0oDp
zJ*Ck;)E@twASKTnLjE8o)s;GCruryl5JKY|{F~ixF*C!h8~m+jKh04b_kP^b1jI;8
z_nJES;hsXfpIT?o7}~*HN9`)`3LJa9*coh>{RewHA76hcO7Mg^w5Rzys|(fB`|;f3
z$E)-AqR*pYS9WK0ra9fe_Xp`?Df77a{dg~FbN`|24meEMJ=`i4uX{=2VIcYKf9}2Q
zLw;<(>~R5IVM*E3vSgh)mVWAi?dlv_$9K3I{I6(d;tljt2d#|oPTQGtt=Ejjm(v{k
z#^2p~Al_j~Feciyz!?QrsT+2&lGxKG`IpiKJIC(xK$M|%#V!izX1dXC)3+L!MXtj7
ze&r9Ht?em!;P4|PSFl&P&-%On-SNFmE;!hi@PzseP9;HG8+}jWZiOD%rlo<W-@tVb
z@T_!ib06)v#rBjQFP$grOdC#I!5b=zWSvZCch}3&vHiV9;t&ezweCMqF7bwLyk@xn
zM08eop5AW6^k?wkWgE_v=sXH{_asuK_dZ8RhY}qsdM76^;T~X0JM5gs=Lqqq{V#<J
zb~u*nx!R*L9JA+c$SU!slb^)B%M_uR2c)o7?kRMFE)<NkTfpOO{wRW1EL5AI@5`V2
zsOM7t_sOPqk$jRZ%wgLh)f7i9FL%DMvqgRi-QACK(XQw!^o6#L*Ofubqwj=fi0D69
zk@E;eD|5|Vjh@eYs^A4_I-(#$?)AA}?~anxc&|*)?j&}%bxh@gC;6$Nsko&tq&s8)
zZXoQ*N;2TQ`&Q>|u>11c(KJ{)3SS}}inV#Kb}{V5*@iERo=b6#B?@lJ*9+fK=iy%a
zr~n6A6z5{nuV_C2do0_76uWjo9)CwENG>oJM|-&Rl_KWo(88e=fnNqo3a9v&0hb0D
z#C?ALL66@UAm!TJ?v)F=-lI6w_G4a2tR_i?)MIp2d2G5Vfv^Qgu@>Rfhe(P)r&AO8
zb6>|f`(}^BUMShP2cv!%rI&i{&h4;VBZt=l8{9v+4}z+lRxX`m`e89r0!g3jS^hnd
z{oP~2ZSH^Zw^P6TUij$r0ByC&eG_mu`-VY_avr)pC4Zid_G}d#aFSj5G>?<>5S3uJ
zmK<v!&t6HaK?A(IMeu_Y&^YatiW76W`<H=Pg9z*U5c=GZn_f%`{V=v|4S73pdZl#|
z{bL31!Ht;R>$?9$3;du8(|$a?@0F&R9pq1y&s1Lr$@e_S*O+^lh4|<35V}t3+m6?h
z(9gc~?;-lsWLfY^zF2#7AL>WsODZAc3-+^QoYX%%r~6NYxcC~J|A;^Mb*xGK`!OBz
zrG0(&jBcE&@puLuvj$_EKU48@gRX!x9nFpWnKIFhTTOmW8qe3`><)Sz*f+bMbd)<t
zy|WAR(lq33bN@**a>Uab7WjkNdARJI^HWGFC&ScroZbt?i6cgSlub7eUk7h<>8y!n
z)d<}rTY}fwUIv<B;S8MXiunuD(Hv$q^3plxdQVqN3V`!vo*``oF8cDEf1WLU0qiV1
zND+3Wj*a0Mb`RMpL<La2ytu&Sg#`8wld~ZIf2k{F9Nl#t+$#{Dg;wX=pRkv6dW?6}
z*W4vCx74-Xy<YckGBgZ>ey4J*3CDKs#vJ()_Yc^4xeHQuwL6Jvc^xHFPh6pJEe`VY
z7$9d~??di!XOZIIy4r0<9TvOi%CtN;-{yXW(_YNaQl-+@O)_Z+LiTCpLH($8ck{YX
zwoaUT-h(?qAcND0C*S|4#y@(4GM8RS?f9osrOv}TPP&UwHLE`m<#bxoF0ywX^)J%Z
zIbuJ?-?j2X*b&SgI-l1;PUtIp4R?QNJnCR)A}n{_o`=+~a+ClD+P~S3u?YJnz|`TK
z#oO@@Q`m7znL_F9PwCDoMg_WSf>kB=D5Cb0j@DqbX4w4*Mfi70)xij_`VmS)`i&T0
z*29s-vrEw-<&4AcmvleITTK%N+23D;i!l;b`UR9=t>EuI$hgiRS_)rJac<Crxs2xC
zAk(JO6>hoqxH^}J_9@%@<qm^~+kMx)1aoeU*GZBCX9YRDoo_ES#egrwN%`w4Ew>SM
ze+3%rGjLkg%;%E(D*k+*m$ALw;ohX<E)C?wD^>Bx@n^&i?*|F!82;gf1ClsCWmUBJ
z5)JD7F}pnl?fhxjdB)8i`r*3-Z^l7$la$j+FGi+Jg}aJNP1)WD9^-^f?KZaI`#BrF
zZ+Nb&cE1DMsWQWu1Zec@?Co4ZKJn56&7QC$#HUk8<#QvHK7|<cTR9%JqR-N+MnCqi
z6WzCG#h@<jBunYEZ^QKoc(pTDzrV{U?g2Ze+BpPVk#Y_WvNp>GEx6eQ4dd@Kv@16!
z1xt3==TU)n_gX~mTWH>XU^w-z-5t%0cAX;}OS9G8x3c>YQt=*SI4`+r_l50k?Pp^u
zr9i*(+st!?Ipy^_PTx!AVhbFm6Ed$?Do%wpVHi(1r*uQ^uU9Vmh79+1)!dR~kmXQ)
zVX=$dG<;#{|1e^%ksiO*{5W#BZv@_*sD2T8HytxijF8Yubgy@jy!*>Jm!Y>Vhm0-f
zo%fAM@hPM%m=EU4y>s^>guaa(^9Ny`M~UykMhh~I$GI(idhw+IueT7_Tc!Z)wfkK?
z@bmybJ@Luwu^IfTc(FDj6uYytH}>c|{_WFoaQjd-2Oh4`-yZ!^r68;cQnC+8@$Kxv
zOUJwV`LgRvGx(4Blll$8j5kDYClay?eJXpB($rshX#Y3Z=sRmt>F8Kvcru@w_Fwl=
zi+cQozTfCeB=3->%-WEWVnZ@OW1||)14=M^M%d2blmh9M#tG7UF0>KllNxU)tcY3e
zrGz^qCqZb))kn?BS0XK8_0Lp^yOK7Pr*7Va@^$D$8@(7rPz{(C(i@h%1*|Z3K(&`o
zrto~<)AqCkMpV?~Mf3)n*O0k{2m0ze51+cd&U0r_jX#{T(ptfztUx=ATYMSf=)2d?
z2_k+iW}8Z*L4TqRIFwpE<)`K^+|zuVp%mfUM;*ljuNrBPDN~L%-d8$-T=DLeqBsZ*
z71N=Uw7d5s%sk(woilnL48IO%#a@OV&qf=etas5ybWTG5F9j=t@c7O>fK~~?FDr1u
zwGaKD6Xf9$k848hNFmq}Bpa@sT1JK=W<AC?YH^-XxSx69fsH=s_Z|;#5KAtU<9&yd
z>F*tKiCEwID;9|*)SjtG)M~~HWU2cGxK-I+4HOo{(695}FXNFSw2ln0d9j__pggEG
zX)W9bg6z|t>X)7#@J4&!rM*}0&H}lqN1zShVvUD3lzk6x1X7s@Rd*{wvrbxNbn-*V
z;Ad!rYnN_!x(=lT63|EO+pm;J7_)3GyrQaF82w?-eyI69G7r_5c*f`U^u2@EkC>00
zwmXVR9l^Ymp4~YeSoJFH0DjWFfmJxS#~XtzgWcg<h5bOx%;e8~kW*}OU%+l5&1To5
zEg|(D4ru4Wd|UTMXt_@@`+EVJlGd~IEws|-?i-Yv=XPqg;pbLg5&J#CD>h_%d;*4)
zIYrPmzKd=>gnlGn<P9){B6sh^E0jSZrA0ReA;2r!=+kgms@v1LGSu4}-90@Xe>@xO
zY5pOnjhC#Yd%3hh2fh&^Lw?kG3y+-`Jy-`)Aid&Dad?vvv0Jg8!TcQl6n;_)`uW_H
zUSsA_#MQG-Imgh7wUHE$GTI<J{&*-8{*S{9NG9IgL>*sbKG9jy^QiBC<VK{dz2c4R
zU(9px>k;s;FU4cu6RjeDpmj5iU*III5a}M|J-9&==o>HLzhDD1-7H|a*cnYHtKCpS
zQ0UEQLZLr~Q`VEUg1Vt8-QbbZO&ymK?vWj**wav1Glt&0FQieyH=k>&O^}LdBu(bu
zltz2YbIUy~w$pSd5wC9hJr?PFZ2_GbqQ;xCwRy80nth;^Sqt%Q^#;g1wLHyd@V*X9
z80l@lMx7F|Q-mB_ae|Dzo@`PdqlCe@+fkdP&LG+&{ywxQ`st1GEVaK#b85A!fQ+gU
znQ3|pHTPx|klwKT@+qwve`IZFX22Yi=e@(*Q`wQ9IZH3u{J<Y+2+G>={fi%n)X#?2
zhHQGZrg1p+=e1#K=#S?kjziKyTEl(9!;TkuR(WpF_yK=MzMfm<*;Gn9=1q7W7oNEV
zI8$BNXTrX>`(a1YnVPa=pVzZ_*Nu8T-;E&-LI%8EsPwg$wqr~?hlcwT#d_`H*;HBw
zxjG07Qc;f&e7knJZ=sd=&)bRUT%yCR=3x!<luCuhQDuWm;l6<}kYxg=;=B6=bx%$C
zeRM@?&L8F@jRL9Zke7H%bGJXghpV)}r_MM73GNvCu2Exd9gI6t17DFk-=+L&9M~*p
zd=g`DgSLGMGA5P7D2HA*@9>AY)yMe5>xBL{A1WQBZyHMXbul#2D-`9fQ3==r=4%l4
z0C@7Qdncr3CH8oEJp$i4x>bSQ;5X2_$Iyv*kQeg0!5a?)eAMe8U2^3T1e2>PM!t}?
zNsaV;o)o7_9{Ey3y!5-aQKt|1FT^`_lbCN<bwm#|$r{4S`aqq4x$nSFvv<bB)X)m^
zZiK7~G~=FA=zfjdG}4g{L*3+RKx&|%odXxqBY(kc)e8yRsZs;npL9+WT94M1SV3aO
zt7doz^KMza9;`RHmh@fe$B3tUSsw&4g*dF|0!o=T;2OWH!{>y1c8>y>siocuF!}W&
zxw*%q&<}0r@bdBbg)c3N8cz@Mh(Q@U=ZZv&T7LMyQQvr#miHkPtv_H6>EZd|w#RQp
zgOZ=HB!qGAuJsg_ly(EIPIr;QxIK5cP0@a9C_I%)FD1f%B%ZY&Gr}}@rQyqL{$br4
z+Nt0ZIUbdH_PX7RV~NG>P`Z!b*{`!&p<eHGtRJ9{{ZUfwzxe*nO8Ft-yIx^*j?ujt
zwEJ@uaKv|q^RU!E4xPm-E7VENt1*JLNsWZCckx9}7UlAEyVph?<3zeOl4nvTNN&7)
zG;l#8JO9c3r_SS3W28jNFiBI;Rzd&pPlnU56NEh;&~R25Pbg2yY>4OVPe8_A;kBo~
zYGohoD?#GjS3OK&{mo^p<dz#OQ$QDgj=$9X=4WMIa5^-G2mC?FYxwrp*JvM4--f=V
z_e%cPY{@5<19cOO>qT|LU9isk#qLT?%^B1Rc)2c0U!XlgE#+$`v`Ghd!4&@}kJ2_?
zA4dq*SYBvHw0RudInI+JCCx19JE!^{Ay^II_kHomT;HRZA1i6NZ4^%KB|GEC7?5(u
zYUdQY3z044$vY%pX@kyNXLlIAc<l9l&F5Pk>N!fatKD}GOM5$z&Gs?UALuLeQCexf
z9M%J#WRbjv*YfVutY_aP&4ZZjge#<l<k>Z^HHkm8>I~$ZRy?>bw$q;Wu4KPs+V?b+
z%Eox$^|)P}1MDfrJxRAa&hH71JxF778j|;pzi*=GPI?39{Feb~9XVeKP^r4(Mi$}}
z--B3$rQG52b_)rQmx_A=&CM~gKz{si_&UHxxdKU+IIsrxQ$qfNJ6ZBZmfB60>u|4B
zmGj+Hf8b**Yr@o^T>8JRo%}EY(Jibk7zbZespu<qbt?<5$Gwc`MfmOjYkK~o)(`!h
zUbl6h0Ds@cc^%<-5G(Tk$KIR3RaN}`<8x-tf`EuC2q=pvpez@}eHU=gJuNd65my95
z+|ArFH>_;4vQpd3HY?k+%q=S`vodojEi<z+E3>|3`G3#*-U}DR!k)g*_j!KLpZnr{
z=FFLyGiT0cKHDrukLzuO<+T~dov_XKx#t7<_#O5l2WBvMxRT@9`|*OD#e2WMI(j4@
z=BobJ|3CxU3;DO}<jq<3ZTtiEf^>(JfInWhpQa(tT5X?EU&NKrR_Pr}IbdmAX$Wt`
zhl*J?^$4B9)2^lG`>D~w<KmSx82LSk-QL`zzQ2{R!`Vx8*`*rGxjpAz#rYxFt0yqh
ztH&(fAe{&vH{#lJpvaT(-{`x0WEetvN9@vC*7nRZtPWqjcMgQk;QQxPYOE)aSwe9K
zmac2cf2>Ax7gkz_lEMQjqk(uR+)L>tnM(uS6s0kL9r9^|zf6qQ)xQhy0PpCJF6Pha
z1J_I6zm}T1ca-YYwf?dqIze@KOWp^+D9u-z4PR`m#ESXSH?<$*IQqMZZf_2(NH@*%
zO|{j<mbB7ezbQzmbBDcE@p5V(oq(4r>{BJaRBvwIBRFYEoB7696h{3q;tu*g?4I@R
zN#hx%NBy>y=0g8Di?p5@$L{#jH;gM<t{tZ2({JiW=rdZ!aNF|wYtve0xz9=p_3|r5
z$ZpSTsXSuasJ-}}b|KPpE)n|oVT3*?$@KqRz&+Q5{L3Hyz+g~QFvi&R2q@+}XrHH+
z322A^hTW0=9gVB`C-+M7?6*W}(|+z+Ww@E?!wZ7&v>R|enBVcnxBqk)(h)Nc*czum
z4<=d&Eu+1%koGk&H{>LG=Sk>%wUAEp><G?H;2ur?j^`>{CN+@VpxO$gVA+)JGtJAq
zA>=xWf1GP;*v<FJW&X6MmoF71{zD`B<xBRSvv(gx4a@ao@AV5D%kgRbe4b}Ss4{=&
zaSo5BTA93mFAekrjzD`?q@u=p&+lz+OOP7)KcexK*3MUdamRw|Rg#uUOQ}o<5@Pqc
zRp(v>_lMSlCxh<n{saA-F6+-KxpLH_@gV{&!SNn?4&Wcf@k^}4tw_FlvwM!%E6u~l
zy(2Evcr|~}S{%L?jj}Fcf9!I_`<$XL=(SWwQD&vrQF;5LPci?_;6F~oKKxT_O3=XE
z)pv6RXgXzj+key3nin@Zaejm29lAZ(dKD|yeR)!t+;2{QpPGLq@i@b?bNp6cDErKU
ztHMBK-cp$Nub{LHcRsD-p-sL0zXtD9Y9ahpaTmPqeq$(^b9CH25ti*I`WbPi@9MD(
ze2eh5fNxx7!{_Hk|Eoym1foRzqiz+{pfY#UZ3rHrtpbnipe#A9^Ln++vK-J|H*f}e
z$C)2t)SzS*KkWQUv^um_?;T5|qr0a-C(-uyt6Gco@<7jB$=@pTTo+Dr?l4N#{s#B1
zVOWE#%f9fK$;Hv+h41UWg7>(u;xzOkT@?M7FQ?Q`sYhXSUt@o(;aS^Uek6vwuS1@0
z@;)J?=q9{ZXguD(^XbrgrJ`eLYR}s$)HLFqDFW%H+nG<O$7!%`1$Z%ksGAS>yl~D^
z>O=bSEecDfQeJ=y6tBzk=0CsBfhUxqd}@z>vuC<1z!FL*2HXa1c;UbDD`m>o=EC_d
zbmhF(Lqc%r5(!qCuY~KCMqMz3-mUk`^gdOU68?gBgYrxC4Bs6y;qCEx@^jGVnby54
z>H$y&IhH&2V$p{#J=B8w;XV5Hgo`b+GU<KyHpJbi?QtAb-&_B0^BmoMMpK?o8(i=X
z!MqZQ)Spy9|0UVL|H@bkdes%FtqcX1B>$5D`ho6My0*{5qw_qh<KNB=!`WH<>s@Us
z{3|cdN_`d;CNCRVtL&*hJFh&=ZFaf;f#`+hQ=DH$MKN5H<?$%OZvBF@%`oE(<@F+#
zpQZLF=SDnyZVmjGo8b$8``k)|^>-+>)H#e2{^h$Sx}tmf#NkQlS3kgey$AXTKGzL#
z+LO+eX6J68Z+$PXZ^IoQ_U5L4t;{?2UMYLTSh-$%M*X6qb!RMDw_geMfvz-_M7zuJ
z@<XKXP%6hBkfZW{Xq}SuWw{P}C#8~)zNf8mT_bNEd|S4%_oBw~D=kHo;{F5A@#J?u
zV|m@UY>jZ=O5e?UhqA|t^P?7}HTtD&j>?^B%hWA%P~$)^Uxk0_SNLA=g)Da|C7f4l
z<a>PTV!CxW{j?|vbKZ4%mANyt8ov3mX?4kNN??g7$-`IKdR(pIeSc*${>d3?q-TTw
z$==59%s#a8Q$@v*dN>23{JX9wwKvYa6Aa{6nYUA}jkrH@xj1hD7kPBwhpksaakzUK
zSy#3$=ii{BH*<cf3&)ht?>+}LRq)0yT*~=ZNT=SBb*vREO@TLjo<~|=)jPMiQ<1Vr
z&E&O=MXs~n>!oE?E`+?^np{xoS6KF6?IB$U_t*d77pO<5w~xB7<IQS*?|r{Po^YV2
z6v2JL_1RzjwdKwjdS%@i$Y$zQ$Wp8PSD<uDyNmiOD*CG%;(ENNB$S9!14SadSn*m$
zKr=|hwX!?ERHDGYND_PAb$yrf{zxmj_r&uVy=`$`x<83%t8=6N)%4gk%Y#&PYftco
z<GDbu8+`NQT=QSOV+luPkz$_?yZ3d+*%=Y-ZF%2(=Y?B(cP8;@W}puKb%5^Ze%eIz
zoJ5rE;qC5Nt+TlQ&`-bdhIx!Ab5^Mnue>O^N2PN8uS#T|(|f7nPq%aVKfEpcx#fgA
zTs}qR&&%icwr%B0_^Xs0sQ@*U&g=j49H3CGb?ANysaC4XAx!D4>HXsVFp`g)ZjPco
zIi<NZEkb&iDUtQn>Hp?zOLq_Ryd$ozX3xU@Q<dsrrIq^!L*x-<``tyCuJ!R!i=~{c
z_PzJqmtN7bT7J|eC0BzzRm-iRvxW6u2&YRVL8WTr`<_ZPZRX_rJxIFI=kA_EYN=Gg
zo<!hHdf&!<u!$<%vr#AWr5>D>=yIA)z0ZzPJQ^7(xI~A(a9udlmmJegr58^5&s}lz
zVJ}V6m!;=h=^nuylo_gUM@V-a%D#cWQ!liVS4w!YUv!xjN>BZcKzpQjNFr+0o*O9d
zJF2+8TI=H2F?bDRrhBhRH#N}%<IRP#1KnXyKgT<E-_H|!&`SY`CwK9T-Rsps<^DV+
zcy+9jtEh*E_k*LH#EheI{g+nu^Pt(yC0YI=P|`>BJNA@D&ag*kWUnlDkBSP!+O-Wx
z?cUGPhnt@NWEJK9J8|#{Z`Aq9jIo|Px5K0HXy2W8jK!yTUvA+OU8$h^e!fXjhcZ&a
z_nJ5Scls`Dh;QJJ*@-^)o-W7x&KcGtljqR|(wt#hKZe}&WFyWqpBj|+K}ET|we%kG
z9yhte-g+Y^C=TVEhNniarpFU|M^U`=;>~?AN0#HIw-USNVoLb`)Baam;G#L}#oW;5
zuCEpH;y)?oV$=UgQUBy6^hZti<s_5O9m>tjcJ~a94Qjcg|M%g)OuxN|-V=blhu!74
z@9E1|-8Cy$_DN_Dy2gLWpM0LdCkRh4zAFabyn6?Xl_=>f{#SeMt7jjSnStPyBHkh{
z%1`diRB{B*!KkY5AD;z#c$Tc(Vw?J=xKOyP7hAWI*Lr~TJg&JN#uK%UgFQYG#@?R5
zm%XLIQ+*ic&*-(;;D4XsJ52Y(W6u3OIk)^c+PMNb<IR8mQLi8Oj7opOk;jF+tLCwq
zLfm_Ux<{?|agMsDE*Q(->)k`If>J$PTVG*Yp{xu3VNPI~YxpK1&OM$HUI}wwcgp~;
zBq)=o!jp3Rq<e*lJT@1vm90lPnyNUrZ>(3J!V||LUjO3{v1i~}3S~$?*+2MK*|yN>
zJZUfFRr||YLFU3Q;_bm`+w#v?{yhdmKRt%`7>k*Ym?4Q)h;p|HYomEkB{Vr*t&*pN
zHi5rhL_O!S%%2Yra=*vY>w4~`?_b$7-2)keC)64RX4F)+X1;~~?+SyHy5|Hw<85EO
ztzW=H4(sPY8yu{NkCeO#&%>5K_e58CD7&|ePI95u_P*IK<__L`c#Freeg-?UdUWzK
z9I;}b3GCr5-u%8t4{yZ!9N*Xrh0%T+FL<rQ#xC&zTqtQJ;&r?H6_tADBDsrmr}pwh
zedNFI-ij9~pY?o1l;YOzag$QNocpbneRrU)v#j;s^;zkemHSZ&zM6t@wpH%?;yqtr
z<%*Y6c^k8AZM?CSJ>rfP%q632(|V12RP1kYcb4%D{6T>zN3YR@g!QcFnyEQ1&Q{~U
zlzQ|W!jqu1Z5W5#4Z1ywxo9sVhWneNeNH3w{z^PoiN-|Bj+z<DIEhiuMYx08&Uy=>
zeOk{%`4|<^VV}2*uL1blf)(A<eVsNNZO4kzR21i>Dt+{Qlb*L;3F<Ff>VNI+mo4kh
z&)l{3YK&+{U01z(fuE=D<(}xzOZ$6Qy>~C4+pBAqkFVT0*1_m;WbI>he^VKh=J|7f
zU)giw%a@QtThq2Tp$;QX&p`tHp<RCPeY-xX$^=W(c<BOp$#>kNHokY%rIyM3w@ymr
z<L=Vz><bvh!X5NVqcT#(ovO5#mgcH#sO+ew&gJfd=jGR0kXsWv?^0zW@Fbhi>)&!q
zHQzprD;}?8*|PA?v;_3MuTK~?-By`a$2^{G?sC2T5joxOQSX!Zi@W{2Z?iHbmaS#U
znXI`>d)QkBwOotua^8q|t)13_#OsUFP5sYMNrwOP0sU3vc(ejq&GUy4-c2Y*UA0CG
z$>hE8fAXkXCmymj7Omp;XX}t|pLp!kd<OrQfxg~CuX+yu+py2VM#P>t_ZsZ;RmgD=
z*0WyUwe#FPKJhOi#y1uE2Xks)$A08`@!b4#1?T1<%}L1G&rr%9{McjuXT1f~P_Mz)
zI*fi+x6Yt-7sP6v*sB-gT*qqd6Gz|)T;GXfiH7agFTC;Yrz}15$@wR(K&?n?M0)l!
z_gw+HSLSFdM_V^~98IU-3fTWyZTZjE#ygk%pDp#@SsLFDC<IjDmJQfP+PjCjrWE{Z
zor)SU-|9Y|Yx$(}xams2ZLD_p#PN(*OLOWG&<kn`xaRh;dgg+VYTYsVyCM8@r@$Tc
z4!4@p^zJiyJ(<3nMy$ZU@EzP`TnxI`Rf7v)7f=24Zi@s~l^*A!HLpvf->$TO9fy~4
zCwt8{-+RGA*74r<;Tdz6=G4z~f%ZWiwB3QLctYLF+%3Zx_g$bL@$2!lMm+6RdVi$%
zeC-V-e1n?szx4Y5rcgzC;Qze(qrKmUY|*^;KFsoPf05xnO)ZGk^8)n0heF&v2wGCf
zJJQbsYB=sG!6zOuK4+fiHhFZTC#vkhO;@DKqwXs@%zJqD979-B7h`!v?_HOIpYY7#
z(vkdQ-`BnR7s$-*;27aRtdnxrOj8=>dTD)EU)7$WGv^lI>|4m=ljjzclybPFeQx&p
zqtD$8ujOvGO0YMbK9=<VBfhani*tQVA4~tro|VS`b;!4U+^O*nAS+A%Jgv5`G{ze$
zwbH#YsMmYvo&dEbo_nG+&Kp9D=&Prpp&vRoMz;^r>o;%~Ka75mt8CDzOIIgwpV*z+
zJ5lzpq<zYHW;m}|w@;b)vS(#Wy3m<NE<ieX@8wR3cU#H__0>Po5h^Mhx|{AHC1sRN
z<BkU{%|sgguHhH){29XKL^{z<j1%iLbmE)@r-_r~Bs-~2Q>U5J!fEBSaoRf_oz6~%
zlj&qR1Duggt~1sd@8mi8PJuJgDRhdQDb6%!hBM2V?aXoJISZVH&LU^Av&32IEOUy5
zA?9OdV?9w{M2aZPQi{RX)nY|Md_N}+x@m%FESjKiB#C775|>ED*VCGcbkWSHY6KaH
zMwZdlC^RM+MaB$cjj`5v(Rj&t*?7fx)!1TeH+C4W8#|3Rj5m$9j9tdt#yiHl#(T#5
z#y;Z{<5T0Xam4t{_}n;Zd|`ZP95=o)P8cVR?~NafAC1$-PsSPJXX6*+U&gP-Z?d+G
zmQ7@$Y$k`xk#dwABlG1%IY~}c*(yhUroK>Ls^jV#byA&H|59hw@1|iY(=;v9-wZPw
zn@!AC*1gth>pts#>jCQ_Yn`>;dc=Cndcu0rdddlMLY?|(iAX2PY2Y++;+@7$qLbpd
zoHQrhY3{UiT03o>4o)X$lrzqm;9TuYawa=do$1a@=Nji)XRb5fxz4#BC5#agUvxDw
zDs1CBmwp&+^M|Dvh_8ACVRmY;sE&ERHNgpLV=i(CwEVjG_FcH>iP48~cn^<>$Hf!k
z8F4@y6hDbG#%|+~@r`t34Yf!uRmEz#TA^-HcdC2UT6Ld#NIk69t4GvkwOhTXJ~dx6
zx0qYaZRU1!hxxj>(|p5x(|pU^Wxj2`W4>$dHs3S%nD3h(m>-&Z&5z7|=EvrK^OX6$
zRn3aG`dgP-6Ro+{JZqJ;(R$T-&DvsZvvyeT;+YJm8&S8AbOt(?;#d{WsGp*~rVHE^
z<s$!+)<(3W6qeJ)=_-WN!|9J4mpQ{kfHU055jC9A&S*Tj1U*T#g+N<0L#sT2UsF8u
zK~UCD_%#D<1&QXMt*)X4XsbxH1Z}Mqtw3Kdiq@d7&7zI5&Dbg0gSK{w3{6*}3n=RY
z(H+#aPxM5~eJXl^vc3>~KwT$9U*j9&8!-^H^^3R^ZR&_CKvlKHP*7I1xDvFLD29Q)
znu)7GW5b1}vymbjv^GkNkW=MUk%JcAEk>dh_lqL5SbuR1o_V5}jaHi{uGRD<=77Q;
z5c4#JiR(0tiR(dSkBP;gv?s(8O>JT+T6m)<MjO8-mOJ&)VmGjTuOfB_I%tzR=y@)@
zw+~5~hBFB90qCiEv<p|zHm{(E?Uc1W*9YTzRkW%NibHN=pL9^)?Vtjbfw~$(fro%|
zAan!n5F(nQWhWa`jH$*nV>(LHJy!S5L%O}tS|vSDc9NO0o9rw5$^LSnyi{H(hsj(y
zK~9#_<csnp`Lf(3Uy-lM&GI$nuL4w{s;Yui4K*B8yNuNOfO<l0Qm?5kYO8ujy{`_d
zBkGv?4L$Xo8Dxf=5oUce#*AlAO*E6to@Oue60^72$LwqNGy9tZ%z<XMIl{~_N1D0j
zD08$q#vE&oGZ&hR%-hX7%)89H%}340%?;*zcqf~zS3tv?t*zF3)*kCa>r?AH>y-7q
z^`mvh`o;Ry`pvFl``ZC_pk37tva8v_c6GakUC(~de#l;Duh%UND*8r^SF_c%YL1$#
z=BfE=fw~S?46`lJQn#wx)OYHXbrxrJ(Pp03k_G6EAMiQ)qmDDpYs?j>+r8E=xJwPY
zjvZpxwZrUscvDgMua7<u1&&)!G&0~5F(QoCMlDVEMpL7^(c4Hj`Wgcecd7Bb(VpCO
zE#K7r<gO2cyY4g|0dL)9JWAgB7~bDrV*~i>5o05H>+{Ajyw4Z$M!yDU{uUhe74X>a
zjm_Y(r;XRhU$;p78QY{K(~a%2g=}H`1lrkYoH5_DB8)$*##XZIXSu99<RI%V>mIq;
zxz)K<Zqw8zJIH(?<U}<>xYS5B(rBRaRlX66-tdyq(EiFkVRS~iP;jv2La3Y6Ey7W^
ztEWYPdPcn<;?>J)n@CcxtDT~`dP}_}T7o{_6|K}B^}cAMK2&=}JN2<TE;^{M)k)Du
zeQySc0cNmSQ{<a<%=)6xj5cG$OtYccP+S8FN)WTnL^DOqF`Jrg!~*MO>vQzAFRY)%
zGy2Voo!0NRBi=-v0?f(g47jFdnX`m#&NhpMW8P@qBtk$@w~M-<syjp&DC;f}Za!o_
zDk4B%kBb=4*ap$S@pA&u6Q%GcUok){<3$zF%WTlbwdz_SK{s=RKWJyJ@B{tK!*kD9
z^MwgIS|Dt79jHkme=Inu{`ui&qUQz!Yv5;sHlmOs8b1S4IR<GP<EJ2v6M<T5wIGjE
z(c{zbbHF>(QAR&;De~rtBH${>64R(@Bnf3C8_k3?vW*!CFEMTuma)!wL^z<Er-dK-
z{x-z#Fm?dnF?Ivr14s3PY(9oC=tWqXMuY(xv4M`PDg41d(}j}lWqb6BkIj!o6>FJw
zv#8?S;@pZlOVG9yrW_$h2r2Vq9?}-dLc~m#lX=}lAG%E#=ttiPrA{fVUbW7mM@jq|
zL8^Zyg4E~gbEG(?P!GuXFVS+}tMAc@r`2hMe^x&Oe^I}nb^oRQg_izR{fe01)$c;;
zX2m;IrV_!>1T5ii+NOhd?Qi-613*dDKuKtEGsFxLer8>>uBZZiAq-c;&2V9nsvI)`
zRAuWvjhG}8vJ148E`rQvW;4XMG+O~%gWCM8cdU0rp!L4>z6h}PT6+=x#QFqy+&T{Y
z*7{adwSKaGLijh(VgQ~q6rAHH@ar?i84&`F=V!$H0vTn>0$Bk1*{ybimOfA)pp6@w
zjYTc!GEGEn@WlS2IylT2JljljCTehvc@1cKg}DOHaJPB4sA=A7-YYC{ykCR@_X!p?
zz=3KAKX9QsA`qM?L{tMesw=93BZY||aKL(?BWZNt8yJe_GsOf_<^<F=KujWiP9S|w
zfc&o|u7nOyTeN|+s)HTLLhx%3ttM1-gl1D$Tm|hWOmv2Z6E22Bc11wT(NvvBsvb|O
zZiyZci@nSm;@6rKo<|DLBZW_f&gl|UNayWH=N+IaG!?^0?VX@KG!xTBb7)XQMIZcH
zkp3r#%kgW$UNAvS!>^UN4!=q45fj8Fu@yDn4ld9}yd{pH=AVf#Q0HUfTh#WX_yM*3
z5x*AHMvBBQMz9#iew4?4)Y52UbP<I{H=`T05#6Wq*rz5NHyIC!DePGt*t0r;3qLQW
zgY&+Ol$(rA$n}cx3exBvm&YEL2hI3xT-E(9kNvI_xcK`>11%YN#5jVhx+mrt-x;S6
z*8Op^=HIvq{a8$A-yF}rIi9^TkG*m{xN`?FKz5d$#URM=Oz1paWEU}3c9-1|-%Iuq
zL*ym$62$bCeZ}RF@cl$HNcsMvIVAl+XiE5r%j94=SX>RMKMe81<#6alx>t{o<K#Fo
zn0-438hO4LDX*4S19d;ol|`}$VcpvYLW7!y@Ju-qI7`k#33KIKgcryK!0Y9WDE}t8
z0=0q`fxGOIyAXa`et`Hd<&Pp;g{b;sq)Jt7fNfP*#0*qdA)Kv702ir6q8GG{Wug}J
z<mI9tWX(<BBDX8>a_G!=iZSYLbvN)Hb&qHYt>j)&U#(WFMIE(9t$}2@Pu(Y~s|VGC
zxcabq7<nI2kBA29arHQ2HmD8A`=okOTms4UjF_mNRnMa2=hgGLx=C$9X|JkRMPKOS
zo00N0^_oak+aTTgLAt$;(zJAIs@{ck8w2UK2X}lQGOoJX3mMlBGVWv4{}c5ou0lIP
zX`26yBL53gN7WZ1j9jn=x!`D6JI6&FWa8H%R@*(es`+Aw`a%7Ou;z}V)lcdtgf)*G
zO&%FR9+^%aIU3s6Z=yFeu(L>``DHcrhdKv|r@3YX>?et^0`II1JIX{@bI@pV(9vcU
zvkGD~A02H5npH)CS<S2_(#TCi%<5)!T&)Qi9R?X)2dMdLx*2MQBCNS=B)RNpa#<I&
zzX-(Fhcu6aG>;as&;?@<qh)#oWO_Wpng@?24|YMmCyL(W#MR6c$oe?)<5A?tqs<m(
z3#8Xvc{I6lI^_Hm@WkonbfA{@{*d<9imK)ua}GG>Tyw4nH0PP~5T0+&M|gpG9a1hd
z7m8`-_2%^=0b1rFgcqBO5ncjKVJbC+spdL!9ZFkoJ_6iqZiY7Un)w<y^;UB$q{Qpy
z>%ce7H$^hE@OKe@&wLN~zWKgTu*9%KAFQztAyxL8d%?j!GCzX6+GoOkp*;12g|;8|
z)dBMq$~<HKDx_82stasvH5SQMCu<18BdoDPS>vsVke*jt*Ms9PvX%;mve?hM#aby+
zppD%t`os3UU-YmZv>p`s*2C7rh|#u5KCF@_MK|jy>nYKlwn<m(dFy$EU$9<4nwPDY
zMPumHuZnQ!)SE?3S}x(R5VweU=-69DLv1VK>g(3)BGlSxy@BwX)|(>Hddu2{@Y~kg
z2y59`&w3X&Ws<eq+AW$uJAY4PLPOt!G+Jf`TOU{-BCI86J?kTDAHpA7AEW&J)_#N!
zSO-Lmb<jG5u$HU!pxJ+l@L}sP%0FTq5gFEJ(D%Zj?|mV<SjVhmsLz+ymx$34xSsWu
zbpqk9t*=psZ>(<+)-pNDI%%Cm3Ex@Yi7Z$Orx5>x^#h*nN9#x2{j_x&F<Nfdg9QO!
zp!GBK$wcUrzoPzHk_SU?`5p0pSbrebIqRHgY#X*A!fj<MplMqo(YB#^CP63uN(_Sj
z=m)E~ii0m4I|0xo1E@8P7gD^6fBjSV>CR|ECR_MH2f@!DXO5^!sazBOg({G|{`iGb
zLWjZE5D06cDt<BaIn<%dPJp#t9iAMmSth{ht|^i!zf&o{n^AtZ@sZ!1D8Dl)zq?X?
z_du!j;1jBkp9L8ng&JtxG=NgPI&2vIYlL4oQpMrA_8v8WL~nvKt+Td*)t`i8GJaZn
zO@SQO(!CX>ds`pr-kH)pi_*OtrMrZOq&J?jkLZi`&^oRo20_Lrh#_J;;<dh8Q%n|9
z@g!Q_*Me5C0BxeBewbJ&7NPEo@rw~l@QV~nF?t^(ZW4DP{VMof65x4x9OXPAHsT4M
z!7o8PD_%xTwXTpVw&52{jiDJdh6B(W4nl8eNxh*H^@gt08+uT0ND!y-OVd6al=Cxw
zq3~z~L!Yj0)DUsdBtoEnhr;5k4~s7e@mf2tZZtPqiw5+1w1V~5ON1Mj7?+4B*nz!~
z5|$vsmm0&7Cfg`PIg^Y@$XjGg7qRfa%|OgdW3EUv<{67bim}*OEP|+)G=*NW2Humk
z&`z5BXeU|JPP);n5(m%SODI`uCw}nXy@t}Z7+X-!?Z$S5wQbN!+nWf(-UPmDz)pjY
zYB$noYaxqTODp38<3p6Q*Vv1zT7zk&J$;Dz-1r>fqsCF>JqB$i4tD96h=FB_I)7_?
zi||R~Bx<hpo2Jxn;;7$rqka=W{iZ2xj}Tc);=AP3by{hQRn+%z-Yw=9@K()#ZTP~r
ziFo)xwu77RFn55nYmQt4zOkK<YML+Cg@^1d$e3N`F32``$`G$Pbv*oKyG3L2>v(v4
z_J|~MZ5O$AI=Oaha_x5H+8xQYGsv~OkZX7MaP9BSA9457=1-`V=HRyZn+YCap0k2s
zFKKRG!wRz^L~Zi)x>ge_Nkmx5R<ekO#oY|p-0Fy{ovgm#Ed8v0$kpE(46bw;xPQEL
zg_R9nre%Q38fT3Y)hG$lAqnP+*6>VSFIrey9(1&{ZPtbIpu2U4bqDg^Wvv3<ZQUbk
zYl|LzR*L7yd)koigp<pJld~j}kA#zhgp+q9k#|V)j{4*s3Oz0qIkoQJfV{&Z??|TZ
z4{FC9T;v*c$u&}_`)5-3Z$W<1juwCmJfn$dN3P)_*Jwws5kam2uQ-0`<QkFW8d0<f
zV#qaO$u*jhYqTNP=uCbQP970Xj*y5x{|suT`*sq0wWJ+TpZ(cnf4114ld1cMqTf~*
z9ccl$*jH2FlWC0@Z3kqs$F`$2(8B12e%lVc^eUjX3|#D!?bs(H*c%O63F+*IQM3|b
z*$<ns2ezZF(1Nx?CVOK#dgH4oO<N2u_Cpu^>aQb4+YK#fH@MgXW7z}K+4tJPCv^yE
zbPr5N4?K+U5%j|r+UJh2wkKTZdnXXqp3!#fdl9rSTCfKi?1AaDPdm^)ZOq=-jJ>fg
zdt+Vp#<uK-F4`P*Rj$evS=6~|m{ZMZuu`?=Rl}SCZ%eBZZ_Bl!5%sTz)V~~4>t7A2
ze>v2@YEb`5qyE*L`d1qDujbUhQmKEX(%P+Qt~6JQmgb%2oxoM*DxkK1ThsoHGuN1F
zVB0@rK7_k#ea$u>HXlY<Yi+jqnE4peKVd!reA0Xp_`LZ%`sWMg3()m8L#N9mXQ=}3
z`WBHv&JqUBvIAkwO~S}cGRRH*!A;&lyyhTb<RBU3AYtSn8RQ`K$Uy?gK?2D^s*;05
zlY<12gH$622_^@rVrmZ3$@~c%B!e6z3>@Tlgf$1rAO{H}2gx7@@dpP<N4(}58PpKN
z$RjeyBkGYm1W->5BwvUoU#LdD5NzFP-HBYQz!5U++IDSGi(Uflv#cv>(@Ri?UV<ie
zq#Y@m+R=8jXir_HA$1vtx=cgrGSE}SL|ULyc9b3ALFyzsi5j#<17wEG5J9v_Tgoh%
zC7RGOZ6LeKt_XLN-N4<ol`3Tq*%L9^R&7RGwSnv{dn2Zg>?5LRx5m?MO{U$NCI`p?
zB7)YdAFbE=a*!M(!f3-vd6~Qn_q|+Rff9zwp`wBIW{Wg=m4vrKX3K1NskChyEOTUz
zsKQZzKzO@zVUy~yfNFBI94%5X0yRd|lw;*sQHxe^h#W7+BS!nVLg5>qAez!5j>b6E
zL=jE9xDoB*M2uTa5-wWD(X@_jIYmxEj2>l(hEIK(Xeg)4>8QyJIRp37R&%txMqVQV
z<!m_{b+}f}!M(Hv9WCd{`N*s7=xBMJybkdT<wC?<4{KV=o8_H&-n--mJnxh8c|7k6
z@&&Zpi?FiO<QDlBo_d!&hFquRZz%t)vSA52s*b1$iyI??Dq4Zx((aB{-P8bF)pmC@
zy!*ppYiFx$gh!|mB0>9qVU5E73mZXO90o?*R>LY;W33U@t+m!#;g9i=```o9mPiYX
z#61AZLfa!T7%_PW;dRzJ$U1GC7#uxmY&~i{D$;4E#8{78k0Xs9Nr|*JSQ|tfEte!(
zE~(bj*3;0y_1KDIJ!3rsUHw@L7P|GE^&E0(izXEo%}dbCwFVwwpRi9rMoF=PG@4Gj
zj3q@jA}xlI{?bW#ok@9Nq_$3^wg6IFxYX1ZLTal+Y6~T`wI{V@(qj@Xhs)t2PHNhU
z_jp4!Z6%Pl8k4qKlD3+Vwk*<CB5A7$X{#Y=tDVP(s%fhQX)BpNLN|rQkiwElVJ0ao
zg%p-d3NuJyDfGf5gSKX%H)^U%rY|OrwAGlj)daM4tw@w}Kw-^DVacSh6jE3+DXbYO
zEQMa1OnPn7>9q-`*Cw4_n@stM{6w^;?<S74)tI!^1hnNR5>*vdMKr@`kw3x#ptff8
z?<A{8&|C~@E`>CgOkYnNDX$4BFPW6rgnpl7m7{VnLZB(H6(vs+=`WG;ryAu?5amxb
z%AZuqp9tFj^(lYqQT_x|{?w!V38wt1<|BWa`pBQAls_)Y9~b3Mb;_T%ls|1Lf7(+1
zWKsS^QT{|y{-jd=L{R>uQvO6x{<Nk1X-oOjmhz`L`;U$Ovqp4a&uPt`(}6vwDtk@`
z_MEyLYwW;2W3$h6V4vy8K2sNc<_VObdrJm;i$8lyAbX3SPj9Kh-qMD>r2~6QAnkwK
zdeM3jCA@^5(}psk24zBR%7mJf3AHE_8c-T^Veg7%?{Z6qdXx;olni>@>oNN3q*|<&
z;GHd1OTlTh-_C^*?qYb<wD&HW-n&*9@4i_y#+dglh`C+efw1=E#j3m1T?nsIt3*|L
z^@8cuOQKh=IlX!T^y<~YNcmcne4n}>=^s!JAgn!naTq-ZzftSdI)pKfjxx2kud#Ym
zJ%&1HpP!8}%O_Ab?fDC)=dX%-3L{sI>Hn(_|KD@S>-PV>fU&G-jAg-7LSJBW^@@50
zVeJuYLyurAJ%SN>1QcazzhE@|g00j}jD1DZI~a|zuXj*G?IR4PkFXAXgf5JOeTdSu
zr!bnHLaFwv1E}Xgbr3Z_qz>V#_8rF3ci5a>Lj|wlQPBc(Bffx_QIDV`({~s`-(e(u
zhb`bc{1&5dC*eViga`3QgthN5hQ7mibw-^*SbGqI=s|4a<3Ws}2eB4Ch{^CE!m3f{
z;6Y3_VFEyxGfV?|l!PC#p`MF@ku&W<jHd@N#Pl;U-bFuRb@~y5I3DA`gIFEuYnU}e
zDm{pi^dQFjco5_1L2O75VhlZqVelZ<gPy59h>`Rlwx9<wk{-lJdJvQ8K@6hruoiuX
z$tHfdi}oN!n(1aUjQlk>o1>oEgBVW_VvO5^NFSJCVO&|X#K`iiu-P`l6P7|xSSUSV
zQS^khgePpfNWjdA9q=l>4o_GDJz)*t3406SUDhs){b+w!HTuI6=?`m0f0#f0VYTTG
zOMyS^1El}Z`Ve=~{;)>yhkb;YeejAkf>&(6Xh45h0{vm3^oLpWht;4ztQ!4ce)NYW
z&>vP0{;)5RS9`+J;0gN*H9P@-SOWcF&FBwHpg*iN{b3F04-3~L=XhT24~wEdtR?(m
zKOw9=VJY;4Rih`YHa%e}*6;9yCD0QVMNgOkx0NA6ZD~u<fc~%q`okK~AErko^_&qY
z#)522Sa^CQG=(<jc-ovPv^i5~ZKl!MOsBQkf_7$W$nY?X;OH?X_qb9Lt;&hC74`UN
zDl9@hHrj?Z;aFOODYOPtXbq01HJCy>FpYL#IxWDqv;gyH<4vUHmP%`_4Q;cDw7A;P
zQc9&olthati5Af~+CoW`NF&JaE(5<?DhkNy>XXwIkkj=cr|Yd}_TZ`>t%y}C!RZRf
z=@P){Rw1lME)vM&6nR`P^0*lCxJKl01suPKQ1^q!6_Cd%@VIpd>#>a9m?^X#Va?+%
zA&)B{k5lAv1>|uF<Z+jh#}$yr_2d{wta=Wdu7I3QDb48$$mt5m>3WgV6_C?4A*V|q
zr!&CmwjibEbbZL_dXv)?kkcu0x&m^#1deg`Bfo1zeiwo9&JU4S^SeIecb9?R?HBp#
z0JvTO`CS3|T>|-CFOHRjk?VEmSjlkmyL#kzL&)zk)mQ2(kwvbT$Pts_95HFY5tHHM
zdPB(dhLh`EMXoo5Tu+kgHRia<5OTeS<a)z7ZW7LMli}oglH(@BIc^foag*WXdKu(;
zL&)`dkn0U6*Be5v7s)Y{(HukR!ZDNv977pSKG=hNa5(wkaPq;%97!2YK4_8;4j~_m
z<4DSIvmUtNFml68a>GP&!{OwHlH71Ox#19wr^JybHY86BCpXOGcuE+@Q-+Wy4kb?<
zPM$b~Jh3q~teVuYYEZ+fNewH98kR*3s{=Kx_SCR!YFO>5VcFEMYEr`*KnuSwHLL-&
z@cUB3>Q4=;KQ*k{)UXCq!x~HtYcMseE2v?0q=w~C!^)wCWl_V*p@wBq!x~HtYcMse
z!PKxi(ZcUc3x6Ul{E?>i8Ya`KPsY5dH^kMn>T_w&C)1Ko_VEIaq7C1aHhgp1@GWV>
zx1#mlj@J7~TI|WR(vz+FR)V;iR(dWi^JI_TPLJJ;qD|hEHhD{0<LxMQ{2+B+71@+G
z{**V_lsAJYZ@O{hC7UBJfgE|sro4&g$V)aQO*|z{FeOb_N}2#lnyQpE*&KPP!jYG3
zN}6Dfykv9ar5i_HvMFgUr=-cIqzR^^$)==<r=*FZq{*hFsm76)K#sg*Q{Dt~<RzPu
zrYj{)HYH7UN}6~|njnt6WK+@%qNM4@k(X?ayaZF;WK-V6b527oN}Z~dI#oFSl1-^I
zh*HN-50;1t9EHiI)XApQiKo=*N=;VJ#tISeZNR$`LQOW5n(RP&H?E{UJBHqk_S9i*
z>agwU-Ow`_L)ix;`+&hdAlU~@_5p`|z@L4<kA0vD`+y(&Ko#}@$v$AQ57_Jj7W;tB
zKA_kK6e-&TWj~D3!S&{P=uMBncjd5Veymv)*31vGG>fuyKILZs{j@_Wkeu32+nVxo
zDCK8$%Fiq5r=3SXE&R{;Euf$FI(lgR>7iXt4{b91vrWWudT5j3Lrp?hkLxU?)YbEZ
zwba$~l3LO?dxb{=>-ictP!7+hZ+0#vZ~#5AL&`{CJtLzv<#2V%;VbEhokve>Fg>x!
z^u%6APi!!Ku*>O#^`{SZIeoCp>4QzC4|X|yunQ^4UG%=T^vH8PN8<*1UzgMS>Q9gB
za(Y~o>2Xb_$8|Y9uKx76CVS++9_Lt2U+Z#uS(nqx>Q680a(Y>l>1AC`FY9u8Sr^jF
z>QCLlMgQtBdRA|s9<hLW!~*(Mlc`56pod~AJrtMHLvcBM6I1D%xQt$j!SqTrp;w|B
zy%G)SmC*AwFBOgGl^8^?#1#0zhKN!0evO3p>q>Dg{S?*c1IwYeq5-`X)99@jPEXi$
zdMjqqTQP@TiER2KM$i)xM^D5AseN6u>4}J=CnAA9h&cKn2GIKuN54ZH{SFQ2cbG{p
zLmd4Jar7xnp-*8dd{?)jo_EQ6fDg!Zz$fKK%ofoetWoe_y^Nac*&@~8$J#D(=zW+<
z@52<iSAK*v+6OU6eku>+s-8vCfS!n%^fkoM*D#x2hB$f|8qmKGN6$hWwYDPaYl@m$
z6>4gIsiOr^7mK7W=1><4p)S^wT38+GUy;<j`cmiWO>HZZ8df*zRyK93AZk^S)TA8h
zP%+e=!l*Y@q2AP&8dD^-r18{}dQwZOL;a`<^`j!{M~i3=E~ZZ8P$!y1ZK#;qkU?!I
zoZ3)7>Op;|2NhEfs!Bbmn0in+^`K&EK;hJY>QMuVq6QRB4X6h-pkiu3wWt9VQv<3;
z4XBtJP<LuT#ngZ<p#~IA4JeQrP%$;2aB4u4sry*eeX3ITDW>idNZqHHx=%56pD5}+
z#ngTLsQX~19_H$WQuisQ?z5D-Pe1BDeW?2sQ}?My-KUtkPdIg-Q0hKCsQc8S?$eLD
z&m`(T;naGHsr7_Y>xsg=<X-T->)Cf*Fdun@=*&5IS(uAF4qkda)8u+eg6laeZwY7R
zE%VWa+EEg;rzB`cNzk5>;CgB?HK>UsQ4>j_CXzxO<Z9|5DbztysDq5<I6~@qI!G((
zAcY)9XiH6G95s<7Y9cArL{g}OTumJ$g*wPsjtivv=pd~)F3^^m$T)hVV(EvPK@Zdz
z`kvzHb&93GX*B&!@$@w1($mzKo~A^4ny#UzX(D}0v*=w)q<1Nnex+H|bZSz^k<@Pb
zQ;Uh9{t`j`r9SnSUesSq>M!}!TxwHisZXt>KJ}3Z>LXWC6DgqfQJ;E8FKQgo)Houj
zanz-*(VzN7eQFjF)GYF-S>#i*s7;-sKXr<l)F2|LLG;25a(|JD8RS((N6aCwCc4t|
zbtyex?)e?<D4W|;Hn*eJus|3BJAlcd)$k?P%r3nKim;sNg?Xay=)&CbVoP3jQNH+9
zyHBtV=p1Zay<1o<$m4iO(zciZahVta%XNyFgINr>h<n63@f2n$>=3)fexx)8^zR%c
z+B0tm?i2vYA1M+bf!m2Lm^*Q~$iaNhsbVhXKin$r6%UK2A$eaH?_oxRzF!D*hd|sl
z3Nk(&<#fetiy>m9$j6L|d19HkO{^B{F+<`Nu~Y293<z&MLxjS7lMv_&O(5Sph;Fd4
zuMoMS0JAXWi(+xRSR)?6i0iB34e`D>1f9a_G$boZ49w_1FiI@yJ>Zfk@$!J41ER#K
zf&F_%8L^(HH!*`H6sZ%TF?1CDF~@V1m?&mID_Jg9inZcV%+c5^-V`5*PdxRvL^X~*
zCt>bpCxJPRnCCfKTrFlo&$vO{A@0LmkLSc|u<}0?So_Ckw&7(6gU=utx=Lr!Lkz_1
z(lMBkIt$v&jp9ymKW2tJFSdwXVy`&t$>U%)O*pio6wF@9!0gjYG1qmhm?W+d*K=0M
z1DHwj0!EkL79U}ri2FW%@MA<^c8LpmO(wLTL6~Ja4)a!KV|L04_#hq>8^nv4XY!8N
zhjD0ko+_BtqG#Qt!h4Y=E)j!8Hs-rb7T01f%gy3$@sM~@yac`JUGcH_TpZ2L&MUHp
z5JwQl5etbki1Ua`h%1P964&OWP0F#>6E_lHA?_sZAs!?iBc3Aus?j!cvM1%*LBv|b
zFk%$35iyaNMr=uJPt458nK04rK^#iVC(a?RAl^@WmbjC+pZLwl{DKMg9~vE#=uZqL
z)*(g^V~Fv@WMcZL!t5NUH8GRen|K*<1Tl{|g*b<}gm_Ed*wNX}J;eKo>xmnP&k|oI
zZXxa@zC-*VuOKJS*-t!7JWf1GJWc#nqn{w!`I9FU`UMhe5JQReiLu1SL>I9+u`RK4
z0S<oMh`osei9?9PiKB>l#6sdU;_QOLk@<cLh)ak!5^p1}BCaK_BR)>tNPKakzVBw@
z4&pB29^yXYC&Z(~6U0-*Gm}8WerGjSsY7%Tdk{wwXA@TvpCaxe9-A~af0Vx<+QdL&
z4Pq#<J~5WqnCK!lpEMz7qJLXr58`FSQN$wRJmQVSdx(z`Uz{|_mFmBfxQBR<c#L?8
z_^ZYMlNdw{CB^{L0uqVo#J0ptVlU!A;!xs9Vji&w*fd}kaRG4|@fPAL;{C)&i5rP8
z6So1=19lPj5)Ttk5Kj~T&=}}PtU-(*HUc&abP<~q+Y&nyyAgX62NH)6hZ9Flnml4s
zU>>oMIE^@)xPZ8Xcq8#P;ws|WNs}i|3S39rNZd@^MchX`N<2k8tFfvdvDS>-!h)(%
z#74wKVj8g}u{|-9*n`-YI0$lB;$O?|f9j|pLG)TsEQ<QKg$&HX(zX6OSbp^?R?@&P
z@4KG$e_o6M9YjCx-$4bvN3X}#@8jPUGN3Q$`u#n$kXK^vE!<itL+f6KhZ@~9sTku%
zcZ}8_4Qi1Wk5SC~_b`lk{~ks%@87`yyg9vcz5Kd$0X_Kt$`u2)f_~?J2es~uHDa(g
zYNL$*;92-W&--c=KC2{DSP~jj5*k(#8dwtQQ4;D{5^7!&(kmyqyFqww^c_%2co)yH
zz3156b4>Oe8+nd;j8do9tJn20$aAzk$BsB+w}kMPo}<fijQ1R)JjYPaG1zm2&zAXg
z-$wqhUp(ivP*d)_5bj?R(!7arVP{H0-;{(tD+%o@3B6Mi+Ex;J(Hp9JKPV--?mfhn
z#1+J4#D&B;#2LgQV!p<|O=WJ{#CjswPkP@80Z#Vc7dBu`>i%)@m<HQ3AC~uQScS`B
z3Eu;IP21kvU>9op^A!Bk!tgVKF|R+$h&NnDOQRz^(F2X4#z-R%v-D>f3yfvPEygP2
ze)yd?!qdDBGwDAt4#G?P4d&XO#e!9>VHkDy;tk;#ndm+@utrv&8@G6l`Yq{m{m%69
zHqeawx|R(JzUR}D!ylOc7bv6LvO>nYkE*ffc#4ul22Bi_$B-SgBxqI8<3XE)_5>Yu
zm+U=OYwSJ`4s#!Cj`18vd5)T5P=nf;p5uPc@wEF`Cx~}Ybpq?uujBH>we%b(dXAc|
zP)40ap5t=Qah>P*j_3G`=Xl0*^xPw4i2FRmQ%*=;xpPhDC_iMi=lGQ8xY2Xm<!;50
z-R|?yM(%bBjddSm*1F?k9u-Cde{+>aJ#(Rfzc8^!ODy(a$wHhTQsD}GEgJnn+flIj
z6FCyn9(I2Z_*AfN-f2io00uK0?C5Y5!%+-3X1FoK{@Axc8eM^;jF?@*h}p;bIDZ<m
z!zYc5xh!T2^0}Ya<;jP$7<Y@LBD4;CKN$Xrk)ZB<2nRwQ=z06G&J^tA5$O~GW1Jbl
zIA;Mc$(aUhRwm_a#6&u?fHBTIV4O2Yr(rl3I;5vW_?TSq>$G+9m_8pE?TiJ+I9LUR
z_ACI#ITL{iP9d-jV{$=BL6A|Nc6AoxN+dDbS%h#5G1ggva2&CGj%CcDG1^(m92#St
zVqhFGR~XTcq8+@x8ehMguct<9VLg#c@6BO~aV4Qix+KQUFNu4mBy_+VGO%BVJFfw$
z;Iz>>j6}wPLPVf}xiL<hkp>*dYni;JQ$c!p((8A@`y2X+-DRxt#>rHKkT+Vd(nvEh
zjfHZN{6VFw_G*#21nWf}wP!iD)6E&;9QE7iccx0qDl@8l;Gc{)-X0#q-tbWktAOu4
zE}n%Ca2q^tyWtZ%2yfMKjM1GIzk>8_BTz!>sC*|wzRhEn+{5D{iG2kSzgT|2;}ZEE
zk4xpdJT8-16^ZM`IzM)bVSXH$A4lfLk@<0CejJ$}N9M<|Snk4#`Fu&rkh)c3^h{_c
zLEZ#RlA1~~<n_QTozfXCmjf3`O%aRbjld;R)521z>0+6@0a$!K-O5`LABhnvUH&b=
z40$s!3-hgYX)A$?<sHDK@^;`dNW0ebFZPE|bp)uT5T49=@Z+w4k8v&hs!zfDw;8_N
zUGS~$gG4zhPC%-h5oa-y<!(>N1+-6=Jiy~3`7w`+<slxI$o)Jnm5~2Pw@e=7u~_Fv
zyJSe@$C3GQWPTi(A4lfLk@<0CejJPChiuQg@f495i__1$3Ya190%qx}Xv4L@MRGN8
zvAiF+L~1HrD(?j@llK9O;UkWK<c)`?H63ly5fs)7Ufs(;V<Y9`xW{z)5Yk0rq)*>t
z129280Zfut0GrAOff@1vV3vFoxJa%CE|!k~m&%8M%j9Fgir&`Kh>yhRp)UC;V1|4W
zn1vbfx}0Z$izU`Rp`2%cTArC0WkfpIyd~Vm%f;nOxDtu+M_t-$zy!G&m?Vb*o5~k~
z8S)k2BDo2;SYk~lc+uadfWv%~8S+yev*b}87fI-R>`}*fTp~Z`aj87Q<1+aLkHr}O
zbW;HG<Bc*uj?9naV$A>7@yw4S^W(_;I2L0RRrjbZz=?7vaEjc9CyK<Vt8M|Tb;k1|
z4d~zv;3A22&nWdR;1an5xJ<qY#Oz+Y`L^_a4}>>=Bxm8xf<J#5dcjKQRQIDFYyfw8
z8UFU2@PvOL_Nxx8Tcqm9V~lFgV}@$SW0va5W3I~NagplG<6_l?$0aI*$EB(hkIPgR
zkHzvU)F@J(0LI84fC=(@V3Irz%#dFKvoK;Tom|xxI9i?rE|T8>7t2$?CGuO~Qu#G-
znfwk|5#60Ze5Cvt7$biIX2{dPEUdNArTq)ISpEuJDt`ekgYUwHafpr>L+Oj2F<gwn
zh{rTB2V(@wG2(M4MqnPqxW`i%kst?FJ^3_|suzzj3ic1)ScdA(V;0tH=<{6Fm&Zk_
zH;;=|e;${pK0Gc}m+-hu_2aQv{(;&=%5%UNiM>=%@3X)x1$zgjbpwu83b;tY3*jtQ
z7I2BeJWgjRR1`dkGJ(bLZE?RUE$PAix<RH41pgZjsgef{I1T#r0#yYmBb7feM%4f&
zsOrEZsr81Y$`6>K9AK8J3CvZsfn!xIU>;TuNT)yr0T-!2;9?aFT%xpWU8(|r%TzUB
z1@A^-g%a)?28>Z!0%s_UfZ;Cnfs0fGaIwOSb(9khgnZCaSw$h7p(24<m3q1cNExYO
zfiWrxn4l7YNm#X`pDqTNp`w9VstGVxr2xmOWMCdv-sq=`2QE^LfQzBM>!*tYE>+MW
z@pK8m;)|x6!F<n=>M|Z<)F2)+)TKOTVTF&IZie!>NDbj}v4YJFdRn5c;Bl$CoX2JA
zN*;?<Q`9C>r2}JB8Zbkp0<*Adhkmw!z|pEDaFJ>bT&!9Hm#7xNrK%ZlnQ8^B;B7%G
zKxxn^P#QD}lmLAKB|w`%3D6}_0yGJf06n7O5<Wt_mV&y313)bSbqR-nTKee{_5roz
ztGI;2h}T?Lmv9uQIjAn-7*KOhUBVHd=A62O0Jrw+)pfl+06a~%Qb(ZXXS$Wz0W~kv
zt&|DWd`!1b7og^0x_vqUHUIjvl6&H+<_5at9ze|rbjbsNnhWTXdjmBG&?WZ)>fWzQ
z?gzYZod@HprWalEAfTodUGi1HTs0J^sYI7N45%qYmwY);Q->~D!MellY9UeD4#R({
zjtS|3{~(_jTnj03|9jHt7+9S8-zR1$V(?#5PG6j3?As@%3u4mB#I#0CqmmdIk}UL2
zWvj75Z7tT<=)EBy)az+5uR-q*`6%WzVEqi{G(3s93{PVY!!ww{umL&lL&}G+R^~Cp
zKaaTQtmlQSb4pCtGbJwYyHBs+@%dr(TLnL?gS)^F>)3cl?AhV-!)iD^&*B0<ta@Yp
zuoCXPA9nYs@Q3w275=aSsG=X9TN>*yZ{^~5pFCh5G!L1dn4g-5%_HV#=I7>7^9%Es
z`K5W>{K`CGer<kZerujIztj6vnm?F7>UH#($MUoJi}^3}SFD3QYyNKjft9e>g20lN
z!U7Y^vMtB*v#MDBR)7^~Rkeb!!(}k$z0|O3TD7d&RvjzE3bpED&1|?8Vb#N|+(;|R
zind~`23D-q&}wAGVMoja%#mqgC0a>Xi=Tp(_^DQ!)znJ2nqg&a3#+Bo%4%)3vD#Yg
ztoBw1t0U&pbha|AOe@RkVs*8;S>3H3R!^&!b&1v6>SJAQ4YB%S^?rYAfHly%)EZ<B
z#`^s$tShad)-dZTYq*t-c{n-NNGsPGWsSDRz&0Ci<yjM~e5(LE8eVM`T9d3IYqB-P
znrcn6rdu<tnbs`p8f&(7tu==`ch0vKSl3w#t?My|c(Jv_T8bGw#ny7`2J1%aCToRt
zGv@N#YTahtZmq=n|2y^Sf2{q#Sn5BY_WvvNej!@-rEncSpT^Ip=VvRR=JP4}d>VdP
zuj}D{k*{Iy(N?{J2kUoU*R!cH3kf^eU>4Fln0>SxvyS%Ybvam-vscfN)~j$ZGaCER
zVD{0cn0s_Y&w;kS(Cch4?+AO%VBXO;n00g#vyJrrlRscqGuF;vCiBmjXY?=3GWt!=
zTgD8db9#*oR>&wl!-(^Xj2eF!ZwgscVhy&RUDK{**EX-geC1HgRt~en?Fh_Nu8(=j
zQJAG1V>hs4ZD<2E&WJ<*>w02E{m|PB%lE@n^u&KhKODxM_@C*Ax)<IBegqA%`Yh24
zbK(B8^!NuT@;rL9HlcQ**dws7-OuiC53mQ?m)e8u!S-eL<@QkfN_&V6c^`ZRDLUI3
zcBY+Wcd@(L-R$mm54)$`+wNocvM&)v@Cg~MrGD@U{Od10mB??#{OS`UgU<&4fK+;)
ze|IVwd`i@_XWFyuYwX$fwe}o)u07A5Z!fT~vlrUe+l%bQ_7Z!kz05AQm)kekH`+JZ
zE9{%?TkJdSyKH!DgLl}_R)YJYmW}K<JKj#P8{19nL_5h&wo~jhyQ%H6p|1w76Q;e|
zUSqGd@55OX(x=<a?B;e0yQSUAZf&=*+uH5yj&>)zy$xM1cmeihtmK}xNIeRv2b-6f
zmzzV(E6kzhmF6(>Dsy;6JKXZojo?gZl16ZQ_>*ODN0FvRn;p!KW+$_=nPFy{S!Nfr
ztJ$r>8oc7Or*%rX{j4u_248qTYuwqu-CBzP?26nRd+fB7tz>K2Mz)ph?0Y5l{0wf1
zIRU^wVDK5R{DRX(UCdgqBSU1UtSiH0xQvkXWPKSaqhz#<kqu<5Y$zMaI2kV!WMkRH
zzRJEECFs=%!cZuo7Uo7K$|RXAQ>06#$~4(jrrYq`2M6o95{8L1*i9R2?EGXE=`RB?
zzEM>M$!aoKR+lv-?89njv2OzQCzVx&QSDc>Tg5&nsm4p#lxjBdTH+j{JANL+^N9<H
z*AW*IuLl~{FcJWK9Ows{_JhZ`4#r*do~<bo?IEJ21%y3U?MC@1X5s!%(02ac*J|$m
zGhOj7^~B0bqkmEh{7*}ty60(ue{KPtrvvI8CFINt*gZOR*<WStp8rNIP>ueN%iRj~
zK-B6#shd`ynOd7{KeI;#d$A8Xf6sQv(26uykG^WYV#R6+VBcfk>$tzVQ2vVx7*lor
zR7z<%6c~ZkTd_uCjJY>A+8Uj)3amHB-A5Q>jC_o|&oJf~3o-V-!dPkCgVFc(*dhH{
zjK6Qe*8_HAx2%I0F+Xmc!X8(DV7mf;$dOP;tyoAX7bIU>th?$adt)`#5IJ0q!m6i2
z?9nqD>y?(s8|7_sm0T;=$;ahJtVr4{cVHFL9=Q)IkB-U{@{~M-T~DO)!+!X+RG5lV
zjZ~saQ!Oz9m#KQFzG{#fsz#_W*tMic%}{gHLaaDiffeBQU?ul@tjm5DYpu6n<@7<U
z)j5lG!Vy@p(iSZ})XX!Bu-b4ARuC@3D%q9hJ?8yb9k{{VXug6ysouf*ko~Zwe}JtF
zU#|I@oekV#j{t79bAa3Ik-+VCE^voE3i!G`8o1NO3>)(ed#sjp=9~67;9K^1;4V84
z__jR(_>P?qeAg}j?zSfa-?Og<?y(Dj@7t4rAJ|2}5ADgoz4jE~NA^_UK6@JQV|zMq
zzdZwYd(ECH;nhX`W&yX_*8sQKvw_>~Yk@oLIY{-oJy*haiW<(t*=E#nKF;2>7XaU~
zuS47}d!d9E5p}#C_>R2@_^!PexZ7R=e9vAA++!~TzHb);Kd_erKeTTE?zL|Oeq`SS
z+-I)<er(?i+;86^q*Y(S6KzFGc&n`_2~Et3mI1&R83=3ueM4HYG6>jERs%MY!N53K
z9T+cb028!+B5PTzQ04(y2Y67101wGf;3u*!@KXtYw0T&D1CPiE;AgTP@N-!ocvMCL
zzmV`jo5!F@OY=(^13WGp0Kby4z!MUdp!v0gzu5dn#sR;T@F1HfB|OFEcd{|?lxzY#
zXWxlh3HvT!b(sXLA(MeMC3F_6mUIDY>oH`jj!XlF$fm$hnGQ^r&4DS{c~M%avL(<Z
zTLIH#YhY8^2AD3}0-MQpK&^jE>mf~3K(qr8EoQdWmWA~@-dYuWm7y=JhemcfG}*!6
zG2MlORW|)#PsG{HK=YU3JOI{5CN%fv_&&ttI1hv^k_A1!1-=$B1m{&@nRJ0x-xA-B
zxB}-vuv5B1$8Uu%Nesn#HCQd(pz*iHcO|aGc`$64?$H0+U`^LBoL7fM(*xE(TYPik
zDxBAVebW=RK|6ebVmK%)+Z<%V?};PyesDqfaPd`&PQa07XJD?G0UTv!0!N!!z%eF#
zxcFK{SKv6a8<g0dur7weCQ7qAB6KBeqoy`WfJMIsSl?a?jD+Q3!MYy;yUAs@M>yKP
z!oI{#)%FHvE`S0sX8~^=-vdg420D#esGb{udtyd_be7}mK{py%YNHus9j(wRgGHt-
zv%hO0I5%ni7vnn`^=upyGcjWDH6lF=2qPS<m!Uq#nZFo{6*BjTHAa0S+Q>0Rsi#fo
z=a@AyRNRBO9E1%gi7{6pRkWdJ78y<qP<qn3zky;Hx^xTQGD*T$kT~ZCdbb{#@xxu9
zfkWSq6xc%w^@@Yv9bYX1&%pdwtf9@oPIFzclUE<Ck{u+6V@0damxRE#Ka`(f9cVW_
zN&#y_VuqT)xYbt7HQA0mT-Tw5tHc4UP(3EjVs+?pV<=XH-eTlnMd;JUXsqgd!C0Wb
zXJIVHy3L)&3cYUAxCJ|1>@{x1D$OItJ?3lH7~>&$_U@K_pe;Qw=Rv-IE>~G!*bYWi
z4H3Z>bbsq9soZy-20DZAZKu47zv{%iQI7ZPMHgr3p{4mY4D~e1F)aPYBxFsHK2w+>
zgt((<4~aILCIr^*F2qQ#gwgjUy#I*6$iBC=e#U-sx}6TPoqlIKUCDMD$#xpUcDj!3
zw1n++Gu!D_w$p8Fr+anTuyDJvY|CtK!mkfmHy^P}%q7^Tdzo2`-CS=sS79y?zT|;-
z-VAAfF|hNu(aPu|hCm1CDaK&`+^eu_ezvh(Tx;BDyd)mu-Yp+<AKU#{$Ni2tz#SkC
zqLeCFF$-S<R>q#h*Cf72iv(a*YEA3}q`xzggw>=mqB+-*w!}J8to$<5%(hr%Cczb0
zSFZl_N3B+3-jr_ByY+K`r(KS^p+!N@kTvMro$WsOVD-!PE3CavaV4MBz?Givw9bv_
zT`1Z8WY{IR9-d6^z6*)KvNUa?|6uQdC2S3p>#4<H@F_^AlJlPCK%DD0+5w!$fcIcj
zWxWsPrvCyx24IKZOQ4DM!Oq3~jQ;qJ%|LshqrVJdNR02GeIQf70V43z?+*OH9%c{2
zP7E{cneYhcblGf!81!br)&2%NK65c6Lth)MpAk={zc{aVdqx~A|E}^0J#z%KIz$cu
zX+D6NCHjgqyMu4*P&BUgL%#+kV^tt_)kNR^S!~1(&Eeu1@S-HK6?$X~@jfZ(LsHV`
z+)dz1Qqm8al8h)#NtoXW8Zs^c#dk4!Lrc8M7^GLu8~J)CKchgeem5qfCp>OkjkW8?
zj62jQHOhFGy<#_e#YgNF2iPlqVXydI_X@az!9Ap(?iEt6@%{{70XwRW%Lq-MGFsE8
zY^do|cGmPMyK4HBeKmc`{+d4J0IXzgE3eSKN9N+`yUS6Kp_j_hkXqy9)u5cI5___m
z^W{u@>t>a_&fH{fl8beJkW2KNkW2NOkjr$N%VK!g7Ru$|yA9<Hm?sw}Z^XPj%&Ee6
z(o*CK@TydKGdOZnc?;(HHIujE`*bbjZTLoAD|tKS?zNFC@vXY{@(##{&hk!tuP#&G
zg|CSXl&iqk2Fbg@+s4X!z~A!Zz2I>Z<!XGru28PQ7wn4UT71QBio6eBvYRIF$Jgv;
z$OrI6yIJx<eARBYd<b8*n<Ljb^PG9|VP}D}K(6N(iXOq6hL%O%peZCBQtAxmR%lx5
z#6C5cRCPJ%bfCy){~8Ml>MF*OipFzCp$X{cY53ZZ?&Af}OnQpx=s($F2K)PU<Ve@E
z59)7GtrSbpXClQiNWvIV3@N4e#?X5fLvm?JW_@0v4;B7X?MMB){SBN&^8@#{)b+Yq
zId)`jL1Dp!{4(o|!??~kjO&c?l^dkjxg=yKIMz8mkI?<6`-u+Yzpg&kaz}^$%QY|b
zC%a1Hh20kZT-9*o>Up8Z5cQcfjMM;E729eOq-2;ST-mmN6B|3g&1)eIbM*jMKUbnp
zOvKvyb0RPyMF0AT5m-1|Ao8$axCsC4_0JXUQ<zz+LHDiKHr$tS^_9yu{4y%y>-#tD
z?%sCwyqb@@=BbnTAG}&gL(1UUH-G)xtR1~CKhg8fsUO&9+qkNhRMoIhskuv8Np-1d
z*OWs#rPg-Uv~l8BGjMS3q@vuy{HToViMgq@Ts3sGQ!^lQa^Z;V{3&De@^VwFp)|z$
z*R%(Y$(~x2n_AC>-Tf~$18UZCM?_`h78Z>iH8v-^Xly}#YNV^4zN~82@mwA_b^`8_
zJz?V5{LxVvom}-ps-~u;rlqC2_%|e^YMLuGt*I-mX|q<%S`Bdx^Qr8m1H8BMuUTur
z^a<JdMY%aq83lzC3ku!0bGee;w~H&etZx`Kz<b95xrI~4=HyPot)r5nx~94288N;M
zWLQGYGpY&1`^$NTA)b8n>Fxu2-X2lIe_zAtH^mHYTyXIDM%ywbjo<QWa^E4p)!H&;
zd4|z2W8<37vQ8g=ZsyjaT`?bRgrW5FCEvcf@wv>{@o!(1)#km-cQR^B3YoWb?8YW<
z-BJJ1!th3yTpjsj>Y?BIWy=8%uK%ffqBSk+ft1DXe0j&0e=PfKaEEp~Rvhf{%gm-n
zr~ChQYVx8^tIlm#{q9)*QQo~bkG(!OVg7YnhS%D*^NlvO_HUkhDza+PCo5tedGqJr
zie|+f`?*K>wGVB*C+YDeCmuYuKCaF+**~wmy86qX^<C5Riz|QqBIu#Sd)Mbiy}$3a
z<2z?P(7Rjaxw@ZaIx7M`8na-|mE)$3%zArxm)Qeft2t}?^zYwz?P{se2kx8ut84Dh
ze3kWrz-Vh-b>~m{LwD^ey7PlW*L>IEz&E|-Bp-66*?ypQ%W@3EY~+e{#dyzM#=<&d
zii#$-PDv@qnKUuEh@_L8Q!s%vR<EXEoHPAgHVzUzq61!Gy-2gAtGO$Eb=qpz!eme8
zoWeYxyeV#q@+GK@PRU3^dal>d40QQ>YoPpGLAumx`c5YLiS3Hl=he+<SLFSm;ncdW
z5I5xn>jFtHNolV1mPx6;<bnR9=FSzW%3U{1|L)q$UF*La^USZGSE=_>pLzC`Ev|a7
z|GjmJPeiP!l9~V0gs(4~<vRYavBeE01=J|$`takes{hjX$-6d$ZC(EL<+q8)-U+<q
zsokj$`VDP7<LqZM>J9F-E;sb6=^aNjye<Fr*ISI6AMLli(}_bL5AINJYWM3K*Rh8^
z*m7J<jr;o5oj?0o*F5t+^!TNo9v}4X>6SbHc(qx+xo_Oc@UXt+YW#2SL+(E8N^M!D
z52v;A_Tdp1)rZqTNMspJ{;CfT7&|&Yw@~-v^uO%KYjXlxWj_B>gNHJ^zZ7(C&8ckv
z0XJ`0dEl|cYCX2+pIg{=z@^n{zhic2^83TL-S+V-+0z5Ac%#?CDPJ7U=oxeC$t_JX
zUb}bSn2pOj_BnZ7%NMF|Z}7v&%TCo!E9gCV&Et#immf8*|8~zKhjKm)S)6vohGBOM
zS$B7Q-=L6_w;jlClhv=@yEO&{tmu07k;l)BYS;DAiG^RT`0}c^gJ0M-f8;H7H#MAd
z<oKSL2X?<GXRMie^A)*UPlgn|+-YIsgMPi1typ$b(mhi%BggDrS2XoN&=qM*2Q6*7
z>EoQ8-S2L_efx=~0eil`FZ}e<S3Z7v@X|J)m=Dc}c`Ekt<ku%|f2H^QMt;8qY<jrQ
z9eziG;|tfn?e53(jKOHB0j@wz{OopcZ@B8{vxd5B{7IK_=C~$#yAwM2XjiVQvG*Ju
zyuPQ87EMZGAD=oYd6I`iv!k~tNh=pNDNUO_Haodo(v+e}lag|>lSZc{=j0Z;+Um+h
zn$28IU8$>6Rww!9)(qiKa)T9AwwI^*Ft;u{#@-jyqgMS7d+qO^6VhQ=^Ovh0b4BWE
zG%!P5b>>ve{mM#N2oZQA+HAb3vFLT`h7qn7)9zak=M;oK^-05nt3S9!tzX!?;k|cu
zR1t^X`F#3Y(PQlW&!%mh@apNrMmbH7b{{#R>ane(gMPN|Z<aS}ah)AsJ@x5RUmc3t
zadow~Z!J3b?9fj(wTR4^c5K=+Z^xTa_pSfF=e9)&HwDdkulm_TL#O2T85We)rBi;@
z4JTUO`DE+;Rjv*`8!>(3oSBb~J^lNtX9Mdr`Tp7~s<gZ7iqGo2S#$0Lk=(NCx`Z1N
zk34mH$iv1HwO1vkbPqoe^U~HorrpwS>%u4JExPhlyN&(UOmEsGdFBfTqpH-r`s;CZ
zuXy+P1Fpe|i@SGt;oWQBc(r}Zn4AH3ZW>$k==OSTuU&C?>&p@Q%*n2K);O@L{vI}!
zclmb@9}!1_KDS@I;c!C3%geK=xo?)`6CtkJXmscrL4$G&$Lh|W7}Y&LC)ul11k|kK
zy%069aPp+0sNT6nQws{mr?z&r)HwrcrpD(aM5Vc0&7-_2-9><BbSWr|%AQ;_rl4@_
zjNFk?lPBdy73AklPt9^==)9_CTW^-AjJ)hglcJhN^_@H-Z){Ff-@>sIvJ0n|)pVjd
zxyve=uK7_jw_XDY)}oXrrs1@?mnY6$R`y{%dens!8;>4^M=oWGWgfYmtBt$b=_Lug
z)y|q$l$$>i&p0SMZ|q1aN>G|cLMuX(depGLQiGOeJh5imx=Y^Pee(6@n^!NHJ}G|R
z)Gsy<e7)JvFMS(+?}@<^-@i0GuI|Hc9X2pm@Q25~wClZRuY2tJ7eW`L)UQ`%#QTS;
z{uHv&RWPjolsd}>&D?%t>v`8a^Vns_#FwE~^KV^IYfgQ$b;RjAg2Qe(b87IIHwv3?
znswv4I(4ER=x+2&TYcM)OI$4<S-7V5eLqA*4es0X`H_2`%sY0p?X!N-+j@4qE#&F9
zMju$%>EkQ@SXnPKw)OF`Yr<m3Ki#d?kEes?Z@(n<w@ptx9^H1t*C+PxyZfVWZmR$E
z*39|?>&?6C+skX7bWQv`@0KHp&igkkJCXgy&_{Z%Y<&F-``fpe@9%o?naq{Hf46D<
zoMulBee7p1`&<b2InR~uWoBT6@h<2(-g7X*P+v`F3J7-+TKR&yPA*<ry(n{-Yp838
zZ6YXK{auZ`#Yv-1n5Vd@Q>T)lg35GZDLE4-fw_4UE-76RVHZkSI58U)CKF9^HF5oa
z&6{~Vl-nQ2&5{{ru5Gd;Wcig#xX)vk?PeWIC88P^4KtQ7%9cslVoHm2h3sSbC2dM>
z2^V!GB`umLMFvGhWX4jFdqzfDUibIc@AbN`dA;U2=gc|hIj`sWp7;0j{m%2KF;$r>
z87lMB@(8+kk-zNlA?s-R>CNdVo^%H~N(urGUwu|~DC9y3^_`+p=XDoHt3XO6z+B<w
z&@#{fHj)H?Bdv3Cu+!Am)P{8z(Y83{-ZBeQn0-bmIWf593B9PIg7g(_V;@pWuXhdA
zj6y;jOQR3SavfOb8+6Rkb~{JD)@xli>b;$v{5jJ|xs2-NmM^&sq(wy3P5kv2d5yXo
zM9N;-SJtgf-2a-pztZukn4R(DbIH`|#HlN`Z``R)oMQW(Vp7p^?D6*DdMCG#sjN$7
z8!y|OZ_4Z$$iYjR)%+X{7YlH-4(%sOBqxjrdD-Dp^P49!ileh52+g*mX67L{C$*r}
zQI61b|290~*LK5*G7OzEbK9hUgqViw5hl)J0*#UT9{4`G%09srDF|rPa@9g)?2Spp
z$3;fyx6Ig(xdC@%^C+vU(X?0M&Ycojg`^An8f$IiPO7dG*sYH;sUx58X(?FpHZJLH
zSNiXhZ=F~^&yJS-hh7h83q&EBFABZZU#vRgex7*IN13i#_}}nvE*bPM0}xL`>Op$I
zH285KYyjy&1`E98!URZM5H}xBn;;P=0uls-Jl(#i5xEp=MGYeFB8M)7rlN$UfY_1b
zaH`^lP(Ly)VE5-(QEbkD(Mt#zZ3A6HSlj4pAoI=!%omFnwglMp4GE<MkYRC1l-G#C
zV_nEJMf;F2Dh$k>*CdRWT}uh^22iDgAUZgV=c(ocQz`|PfW&y6aCo6j^c_^-duZYO
zfvBbbFz|oM+BdHTH;x!F@c7w>6q%loJd_nX=cp&6o6gRVuZt&4S}GGUN@EAJk~{^s
zyu+Su;G#7dLBh+?r(O@YH);;CFt<ByROsST5*tLPWp~uF6;_qq5RGPap{fpgo9$Kg
z^UXClkni!7l|7r2BXa6R(9!D3$Eh4M-<yVmOSLEU-|IZ79eaF)^}J#IT{+IKeaY(f
zLIQ2^65Dsa?@VGpywsU>N0@FCrA&-%8cA|d={KLXJ#zA~dF4{*dDo%b0m#9$?TyH$
z`{J*s3J4Q5d$a$1*ByH`CQZv^6WdH<h^ii_VA0)&u6Q`kqC*pXS1fD9?31+v{$O}o
zqbB`FO$h;fE~kSlb!;y92Lw`uRx(xipu(b<KuF*Tt}dE<%g~&^;UK#Lh($p2G_WtP
zsEGE0JRo;L+%^Ug!I-i}V59{hM`&R#z+-71IKx0BOX1<z$9n<BEBPk`FkXiLVK*L$
zf2_5?fho}1bL^dqwPDUv=jRz3iod+W3N|~w2zYCt7zwTBEq4VP1lf=xQ-LYR;L|_M
zXVJPqg%=NR<}VGnD+kC9&~+Z?z+DmM9l`uK%ABWKa6l09A0`g}3e!L2_zy%eRy{f2
zP}*Twzcln_vXqy2Z}zYZspP=su-zj5heTttCMRavlawkmb?NWN9fGJUPFXA5Hy-!?
z;P)(MpfR{e=v|jgI!&XqVR%h_?;h6WruGdpf+<3+vn*?Ev|}Yy+p6E|seKmLBVIxc
zSmRoI^NjSw{tm6G^(&<M1}Kk7YQ@*0Rvh2FZDZN_X!Q&UCU)&TQoKxhU)Su(U1q9<
z(k@q?*=*HIeHN*ceX-tqb@(kY;n$<ND20^vAd}b9R~YY_b3Mzi7Z<VC#t!6MP=XL@
zy;}#9t4E|g62vbNHyaTsW(C@*O|dGcabf1U<tcGVGP}72&w64H+f;Chbo_~M0{SYz
z^dCqB0*WvEmthzw_MO}KlFnqtcLSHsPkRcXVEm$FCK{4kRKvj{AjbTX{FDTHXkj24
z1{ox`V<xRtW@-BD8ZFs`I`Jl!`bYy5vuFq&-T~2=L2=s!TtHql0=y>Y1M;GZphgy;
zfn2GgfD>p70Y_iZ5-bn^a;J1q+XYJD;Dtd&0bB4p6?_6gnKy<4j+UTL=v?0*@a+Ry
zoWUHypXXfcB0(Y$oq!O~Y*WtccV4w!Vukt3<!<A|SKN*iz4SV%&a~#fJ1u)8OWi$$
ztb7lDLet__DbR|8G}cljuobPccJ|d4m`6iHrVcH2oqP0W3Uo`0FqsLh$y8_Mn(5L4
zEqkn$8}s*$$RSajug=AS+Nb`BmFpO6;iA;{Q>^PgwC8yZO_m?_tbFMonlRksOFCIs
zd8=Ept7CwqJ}4h^Kw`bsDHUUG+nYg(YN572K3`s5%iekH<E;ZZ-c>i3DW!L|4q`<%
zDfUL!>9&3Fy}NCe_~}d{SHakCxqGuAJ#EYMU)J${)SovO)-)T`v32k&NrCAaYD1QB
zkjCB^P3OcZa}CF9$MgylkT?iD1^VUg3Bn18DL`8;&wxY!-?=5E*mudTMF!~s$$VKD
z3dSu|FbH6d3kJ6Y7M)WUMzAhyz{^sRzB9-1O&YQdffg=u?t#-0Y($J|>V20Vn8WcB
zwW;1!2Lmw`l9!D8s!Oj*{q&+l*qZp)*n?R^{cBV9R!;D~V}*M6rfXcAo(8l{v`00P
z4L?399jPZh+Th;OJ?&G3u#L*Byjz|r>z4PYh27X${n~mr<r~r*G;x>ni!A;1pWKu`
z!l%ng6PF`;`+s|o-tVb)g|+6EoT1uC{^|2FN6z2#s1n>th~8qjPqO43LbXuoaLWb1
zBh^dVT}<K36ER$y+lhVW{9P;4a>@Ho{E9O4Dpiq{+MU0uqhV)~LDV(}=aIAO*%H0F
z59z68dDEkbo{wFNMnCpPGjk8wa*jv!Z=En&M{2?5>LhRQ+rueW3O+uQ%RGn*wjH|<
H{s8$K@VVub

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Bold/SourceSansPro-Bold.woff
new file mode 100644
index 0000000000000000000000000000000000000000..d1d40f840f8671981fa6930ddfa8510b3cf148c3
GIT binary patch
literal 117872
zcmZU319W6T)957GaAO-A+tzNJjcwbuv9axJoQ-XJW80kAn&@S}@BQz+bKX5ueXDCq
zw{J~XcTc&=iHQNg0002kxIF;v^ZvzA9{>(O|HS^kOX!D^C;+VeA6@Jpm=Nl8iYQ5n
zf6^oX02B%U00;YvJ#VJCi0G$IwFUqHToV9*=nFUr@f4SrQv!f#A_D*tSfBQkTfLTh
z#FbQp0ATr4008y^0Klgi1d64VQ(|QKlq3Gsuki``dPplZMm7fa002VPr+zH}fI~Nm
z?~L8Z)%lZ$O8%3F<{yAXA#$7Ao7n&W6i=TI1Mvw?P#RgBW(H37pT1Ol^1%Fqj}HKZ
znYD*00Kl0B0DPDMz<=UrukbUQn-~~>%9MWcaQp+<r42OmPvR$S`?F8{31o172rA|_
z&hDT7c>@4n2><{>^%&jpCu=*SPd=(o8WP?oO&dl!bKb_l{nKagPqF{V62mrvJK7r9
zm;k^yKS_|p006v@)9*8oy`7UY0F3Xmj~5OANCEO6B^>P?O+IBQUq2ZYKS7n{F$eE+
z%s$mY5^~g~W#}RC-2-4DfS(k=EFAXjfA3x<@0{<0Fg6g^pS-Z2rvFI*+`)|WjrH}r
zt}po^Acmv-4nM}Z9Rt2m`TO7k3TB~>{&7L40OA1f02=`0e`Nr0|2zkC0zd%3{>hup
z8m#vBjP~@*52E+>^lT&K;p|~YVY3J1ub+*N(~V0@)4{?^Z>9UA!pm<1clW1$_x!&4
z5S(lOu!e^p=fsA@z{Wlb+Q$}Tk^xhMgC7S-9U+|k$G3$v7w0U_`p~0fe9qQQGTH6{
zbdEJE-k5&v(DZa}hxE@&z?6!W)u?5B-Tp5^(}EA1_-6g^&e&t@(W^+c7;d!w(mJit
zfeFgo@HtbxaS{$4#vvOUk)b`sbN5JTDZX!tbA4K!@-kR=$l9M=Y-bcr3XeFM4JM_-
zrZq<k!#2qbi?gQm#RR*IpMQ=?7iMt(ibn!z1vAJrD1;ql7)LXuQmOjsS)U8nBpS0R
z7K%9se7utE@@fBgNo$IjNwUuAcxJMNuY}wg)GSCC&YUWi-agy)#5is(8N{S!1y7v>
zA)#r@@xFTa@1Hki-7iyCs0F5y^U}DTs(0@I#nfSQ0}CovQ}a3vkdqQV@@%uw3NJ9r
zah*=R>Bye$H)pt>r<ANyOI?>Ca3j5fu{TJkM%3B7nvv%|ENs{KeRIhQUQFz2QcnsT
zRQq4wX|l)drjL7kd6~kTob{H2ii8P@Q(szb<(5L9sPhqt&mJNA-&)ojCnGz1(*$mg
zB*BNU+1;ugx|9p7wq4xOngAYuf*It&w*?lOcIbXmSVFvQ|B6#xk2P1A@3pxy!wjys
zx?B!t5t(Xw8+vOf;aPLJ+yXhF)$PQ^U4Z!`amhUfbEh|DHMZ||$z}C^$UHgm<M?%5
zLh`?y8qwTO_HG&QOBH=(o>dz2=bE@98!olvxfgiD@6uwxn1P<%bQUe&C@~F7qDCl{
z>vu(xEcw_BcgLfH$hRDFN_UP)X)~FjeriEDFf+QejgIyO8#)kJbO&Nzv^H<EcI!_5
z@V}HT>1v%-UJ7Y_ss-ZCGljre*hC~=2w%o7*k*zZ%0c-*?i$um&f^phXJIl#`^l5*
zD`&NX{5}xft~WM-Vt*qTQYYgG8Zcnkf)FK5%mexO_ZDKI$9rEE5OXiTZZzj~T?H1`
z|K{}qiIZP&*fW}uZ}LTNTmQX(EYB(ML+LEZzp?+gj*(oq=?o({8J8)f6au>*-1u#F
z!|`Xnd9rzSrDH%n#+i4*PN#Chv2kY0-)o7(vGLI2cjtst=J=O0nPg$<uSYd{sGSpS
z)hVb-<T}Ugvs*J1Seb*f%TbisVsssUJyWkXES@St@0fj_Obhmru^fmvi^JKB;Z00C
z(Z%Hwh@?Is6^mS!Z#ld_cHaGzUUs#9*->c~AD5>+YE-3octi8rs5LLR8VHz}XWjU<
zHNyES>pE)XrEpg-c@X_<$8~1lfhGt;RQ9U~)qG)puAYvaMw+hQ(3ESKwSl~>zn8a)
zDcCZa!F8s_?WcHZhT~d`yo`Jn2=c|tyNvq)*NI^$cvE%Pd+Q>!JWsY4*q@ebkvk__
zMf^=COH>iL@xzz**>1*ensi;$1kA1n+I{JLW1)E5Sxd?E_uh;{gN9h=kqJ(+W7-;A
zBSJ<?B?4{%b!pML;JRk)2AK(U$xLxb+rxaLDC-RTs<s^7^fK3X^|j8t)2?o0qGb8N
zSiP^cH!L0K&KTB+-f&vmF6x+1>U)-U$n9{o54nM98+wS#B~Ls4JwpM%z3}uzPIm|&
z+%S(E)0MyH_P7HLcW=V8_AO_Quj2KP?yh?vu6UomQ1k`=uHT;TQBK3;l72sI8qL+A
z_o)h9HD~g&m7f+!@;h7fbk>tgRtR^xL7H98O?1t}Zl8WLwi?Ko%zE)Fm~=AMht=L|
z0=7P5NeHk)CmxO)<HtWsj^2;I@*hw-Zs|#G`4PY67_UhJm2Gkjh(ucVI&2PLyX=yH
zv~qsAmiRx%KYVLBBOCone7Vn^`2xDZTwUnIm5zoNmTZ=~9La}u`#RofsN;%nL6ws@
z`e^4%P#3UG+`LH|4c*^8S)qqeUX{>Z(R?{GUavSlw636m>fg5(2uO79eDp(pW_0m4
zNzn{!6JMOFuG=mAv_<tXcjD*a>L3Cwc3Smy_VD%;OUAzo<b2o3Q(oo!)6~E$uJFN~
zk$<kW98$O@snmFWJkkDqF^y%1=tKJA=9I;C@Md6?V3`@&Rh>9oXf#lD94niQPoVZS
z{24n|H=gdSL<rtl*R)WXvPIJobvzktd66?EVG184S=3dV;4>HE{iKtC{Svp0G+hfY
zqOD_;<UY-auKude)DQswgkdZMoAiTvUnqbjuJr>-kR$$KwQDwYt}CM181DRQA?q>C
zmh4LRyOXpR^^&hrQMR3USCL()>%8x6VTAL=dkkk59)^ph+TRiL{3s<=3D_h>frNTf
zvQ>nTxC<y@wsUqp9-$>5+8vs6;Q)W(UQ_k}o;UGz2&WXjSB9F_oICIQ&vDWlsb=#s
z_+LNMz%iy(T>{x+3|Vk&ia>C7b9#m21x|cA5&1_ZEOylnO(Cr|DGu_1=XY&gs2~6c
zpjn;uaFAopEzqf=xUE0JLL1f@Sy*r$X?LAGbgMeqqWxej+=Vyt{styM><9BqDv{c+
zm0-IITua&lt2dy&7X=y)ZN#_PWC`Pim2<Put@fnXNoUw&7KvK92l>%FZ%+C_A4)y?
z1m+|prb+pvX$7Vy6x^;0hJ2CP(&+?Q=xq;wSt5G!Q*?PpszGcghm>!gtX2qIdGU97
zmAfAEZ6XzW@E@AYsnL@p^fIi7t=#y1{g8W@#{V6jvY@tuGwc@hq|T~>>y$n2JRh`m
z`k-@%_?(kael6k^jq-|-9NMUR+C;v{oWRf}dwKKiq$@$_9-?XDR`K`|@1>)jTXdAI
zn5r3ay?cG{!7j-o)8?6D*+e?JQ)hA7-u8gpFdr|<RcrnNC9VecjJ)x=QRMJav5Mp9
zQ~+r6Jc;<tC&hS;t%0CWB7~si6kqBr9rv&5OG;PMf>$^4X;b=|VSCs^fsui<r5)5U
zLqg^I%0<(QK>j7!a7ySkW8pjFd@kV-&f?%c^APiFCbJ>sIA<0?l=u>b2cx?dA!~dW
z95-q8q4awc>mJ@kHk)@>di@>o#joU90mt>$_<_WWG}-CacY^-SGbrIZ!sp0=iGE<t
zMOY#^w3yJ?cin04(m)~lNJ+tw#AHQqn~yE;W)V&CqpNe+1dQw>S250+2O$fzjSxbJ
z+Z~3RDXHWRF;AMyO2Oatg`?PalImh_6S}pJly@S3dsIE|*xvb)8|mXhW?DO<F&*Xb
z8Pa=AE#`&m<{zB@CN$2nmE~PnQzsAOY$aao0l8+Ue*XDWOn<;5)-`80JA>L)J8-Nq
zFaU00K3l_$rgi(9*MVPDvv$)VmT#wO+R++P(_9cs3hykrOwe`K74v!;mS5<@%?eSM
zmITurtTPY68Nmg!$401JxQnUb94_cLY{OUe^izrjgAz&E(UP-l)MI^dVGJ)<WFA?~
zCF+KT5~-X+$?}kfS@Bhn_o#>B4*_Vr)_|W2rjDs67k}VZdE%^S3%`FH{V_#gG)55n
zDfMPI`jMOT<AZTjeKORq{(QNFJpoKq{%nDe<RA{gMz~G*cZaTk7Inf7p;J8m0C%#@
zjmuOF=SqGzcW?QHPOFw9@sI}}<YoXjVQY*!knT^NLfe?wW875eR>tkNHWzr+FT8EY
zCuqKj*Beo7c4_~wI~pxSy1xvVa6rOxT=<p=&T!Jf8cetsfou9A+e86#J3qO;%1Yj8
z?RJS|3KvW-(YfQl!!U;0*#&GtZ=epj3iDsUJ;;WZZ%>s0n)?KIAh~##b5Mauq0l~1
zlZf!aTND#7<R39&l)WO@HJQ#MlnqcRR~t*Ezv7T^58Lr{V7_j<t0(QBl1x+1KSC0B
zDh9h_w9?r_g@wIWduAEG@lp@Xi2i4N95n(_gKdiJ-+Os=QEju<WW(F^uU$Lja=pP`
ztJq*}--BcUKy)J6x6phA+h&G;evFoSe~ZiYk9<bi5$yXQ*__UNuEWL~dquE2dF$wo
z4Wrjx;`JmT+O-2|y*G95U4p#cyZp9^K;pVnr{b!{VojV6<WwPvKjK=#B3px{TBF8V
z18G|$%3DLMT4PRI1MphIGh2UY`S>H<2Gq`Zm5jASueAp8wnnzMhI+NezIgaUdxV90
z1dDq_4SNJqdPJ0XgqV569Qni{-S^hwx&K;v&JemY;yQg!&wcu}^^`1lpxLTpo5;J*
z;31=%ymTN#O-5c6oRq+#sOk9=>6qNd+c+vll6g|xi;;+wz`JYe9`g9cS@>+1wRoUw
zBr<Cx`npySabSk4cwtu`J$e@uq)o!!8O|Be=|Dv>oWpf?-WkLxq2m#diZi7A=ODW?
zviVMRb6soT!I&kwzm|)_Q_C*ZvqV5()XUS#4sFaMystw-0d6)<j4cmL7#j}W6v0Y^
zo~W31_WpRtS*eYEBg<B*xo~YR`3b}6hbt_Z>ou93LRK-I5h*V>y-ZQ7bD}PbQ1RH$
zzww=p@-d?x&l<i<TKA$pYTb*kn(AX#qLpPXjqw}{i>pd6Kmb90zjLANl1AHitWy@9
zJS*pd!(-j{@u~)^a|W*g!upbPZm*5a+Q-V^h1!tCc^*x(Q(IE&1exaKrb&)f)ivAn
z6r0wjwZsom4t^%}Dv=-f-N#wA6VBPj9BzyMjh6qk-HkT)xYb>KmwKD~;(6$jl2q(P
zB`nJEW%39Mt1v}8L73BUn!<SIyaWYKcSIXS!*}Z=2K%gVIHJ+JVj2a3%rj}0)^WD8
zav_pRt1JQI#J7J@>q4x*dHp4EjLM?h5(<I_M-GI+W<o*w8;7_O_w`vGW>6mLKprev
z9^rl(c4Hd4p9yM?37WPRjnW=W?FyUmDtv=0iBzL*P*!%7nhT@kh%PJf)`8V_Sf_;u
z=`fxz+Uy2DXZWiJGvkp;M-FHD57V^2#U?xx1Evo39U3cVW-&Fv2bRwo0jgmb7Lv39
z$xCIH3lRbQ3%Ul?wVW$!XB!W`FTYuPGz2-Qn%vLM2V8gIFOTPrrgBvfDtzN66l4~<
z796z01z#xmv@^@-75YLOPFLyAa~_1e3Ve`vwt^!gcJs4JD}wPNDDo?TWNi^$hK1O)
z6f`>)Kiyl^NjbtMe!4ev(M(2^w+X{S19v>5P-QEE=iZQQpJiG~PzfuL=FEU!?@d66
zZ$Q01L`O=Zn-Zpo{KBLV7I}>_k%d3p2t_k&$%k`>_qF#8$uZNCZL-Zk6n>>Xk0g5(
za&1s*P5E6)UV;fejvhs7x`~5^Do2vefj+l3tlTdM@EjNsu5Z0H$V7kR30LB=o)yps
z{b1C7xXg>IIg9JT535TLYgY`}W(|>R53+VB_66Wi&W!)$f~8dJJLW1to$QxsC3oAc
z;sb_WS(A5shh^ML?s&+w2Qu#Do5I!yq7s6HxxT}SzoJ&*pj8H^u9crhKd6#-$icpR
zAa^A%|IB*t+{?WBc=)yI2uLA?0XP3>&siZVLH;*I{m;jVwf%*$De?5q#;0A|L#>+I
zWiVSO<A;sUSU!oX(fSOxYo0BB`%N|8+Akg@XiK}xNJX?G8T}eKRoBg-o5_0ppq1qc
zLgufgea>lcO8H`XK-OnKOLe_gFV-W}qh`kUJq!HkB87(ZrfH57IS31;^TLgW)Q1_c
zF#pu&m33<Yj#w!-em8!9d-r(E@6Uh&I(7*Jh1g!K`|mFD+4Bf4QjPNTDqpvbQCy<-
zNL-1&^qcWL8P0>(*lKb{(PX_q7+sjSW%AP5(Y9eML>PM9Qe+&|bhuw|5P_Hevdr;V
z<(u?DsxQ%)u{OmHVaWktpRUvo85rd;uLG;)maL9V?i4+lJHv7?zE?lLzTG}gZSrfq
zJ?(BByIBQ6Gj{#ih$-~mn{-)s^>!L^J^TVSX6R8d()z7wIA$5A-O%kUyfdJ;tH+)I
z{wx;4r@U)faJqvMad0LJt1glR-JYR6ODCN7nphx2!e8y0XLE4ad<V}vRPYMx9feqa
z0KHaJ8-=KcBd?M%r&WR`Au{P(qXg|uWLbWjIW13QSH7TKD8$HF9o5q}sj-Z@)-$-?
zxNH+Q?)j>e`n8q4o37VByZ)zFOuEu*LG$FsRZX8tW;K~!F)QGo#uWUO9`k!2r*nUE
zHI<-jS{pnl%|+zIeNE8Eo7d0Gh#)>aVaI6g*fEDjOsvPzVlG{ptl*bMcgM!pVMBf@
zI75i<=-HWtk~S6p4VH=Ke<7o@*0f=IjTCfSHMP$gO8H7@o1ICJ@Ep~ZoOveqJog@j
zR|QT}Dn#QgXR@HIB{Q!)F)tKEly*o-KRxSJrIDBXu3|Hn?A6wqH+9FFSg`p%ovUEy
zC*IBf*NKeunZFmKXqms4AfLL@LRf2cX0uz2$dow~$kpVKMnF^Mr!4(ZMk7~>I91NT
zSSrByhmf%hEPOt#&{EQ}@msWJqN>hF@nNB|n`0St>wMz+i74THi9eKrNIz8`O42MB
zjXB)`TS5dV+6Y&UT;?~+0$ch?h7diuys*-rKk4&x+PD@Z6KuH@4YSqwGc-KrUppHz
zVj^hfeM3%=`<?xFc!sbE%qnDAbSbe*Zl!0qQJvG%+a|R)jJs@Wzc*`?^3u&}Rm=`s
zFCJMhVS!RQK{;=r7$4tqkOlPH9Y?texCMGqV~DJ0`k?18a?j)<&uA0R?1Qr2xf2=P
zbEB}fc;Q>~iW9yfCFyC%V#lmo?E~DU)?OJ~hfLm%aoP^kZSd-w5Tc_JkcO`;43bC&
z-w9i|9uVsp);A-UKrw`k#AgJXCA5OXYlPq?<TX#93O^!5F;AKb%Q8eW&$SdSbB)-w
zx%S+!Jw2pJ_|DvDZh(!Ge&WeIbyb1UMTTE#i;YR9z%WF#JBo>P;>+A<1BZ>Y*4$(R
zCxP^^`SRopmrj9WoA}rRTW7wDXQn`L^|2X9d<`+`0>?@$li4(je+P9fks+M_AYpZm
zA)S9OVXdCwSLe3kS|mes=kDy<DMMoC4$E35LuBVc-Rc@cX6IhrTB=SAFk7ua?{=9}
zTlb}S%xuf?`FyR)-)9)3;j&HWfnRO8>oP(F0pq^^6-ID2_7Tk|F!#c&6mzPKBzz%^
z?Bu8GJxMN<ygUSTMY!?|S(znnBYQSa#t)r|{4UeE?@s2WqHIfsn&z<djmeulBQOM}
zg)vM&#c?X<q~~!cj=#-0haZFDqCsIYpkR7XLN+J>LLmy8dH_E8OLAW+o2rRD&6qGv
zsG3J0%~cJ}O&HB}Da~zK*;UJGoUDyxwX3nb7fTsL`h5KOi3p|(MY))gm=RTZqw^w9
zn>oKuV}R|dgqux%D94-<?{T#b{Io5UB~nmBYOiMyhG$~3XDGX8YNKbYi)ZdV$R7ce
zR0)dE0p;#_$~S?-0jNM1n<Y;5HfyfYH&jS3LDukf|NS*aE4)WGZc=cRbVyn6AlP{f
zdkI{{qeL0Q8{rJQQ!vF>d$SG(m-Z@;KVPo>qBCTcQn#F)FJ|q;88@e3t&cjWFl4t<
zALCif99ze)iBPFDkg?KO<5@gl66czPm354m%i6)Hex5|~y<TH0W{>rtH+3l2$acy)
z0>^3{FsZU%IBeSH;cWR!Z|fA=zFwbw?$IMmc%4SccYrhXJYa^Wu{GpfOP!cDP9^5F
z$l%&k{zhOdmANu%j#tc_?J<6o!GCU}SD&_UcF2^;z0xD5S~IKrP@8*DsV_>aG18Y(
z&jQUoK=@EM28P(sPGD^%e!3D)Z+$>D++v5+{ww@riieu+!)=l2?n5{9*Pwx9T0#~+
zQV52DOd4i!XtIHeI)>B`Nv&fAs`$`^gUdRB+d%dX(%3zKoEukM;kEoH2hM*o;Cc4J
z+46r=q2}6R_U*gRWc8($8~I?}`}_7!d)5{VZ;bVWTF~uw>U5;oR>x+vr-ESC#2${F
z#xO8`PHL(ho+2=67b!n|fJl}#(l5(2UY}rsrq>}u=GBp{{i)v^ao>2Vq;)_~(n-ob
z^bn<+XoB{gEJN<Ki>>=f$^tCOIJKlmK4T*{C4L))p0-z5Q#Nq8q2o!|9P&DLHp2WD
zm1bmjToZ~Pw+-$4w^iA|qlV5WCv#}nz3CY2U^Z;JcS9bLR}<&bCn+EktnMrZs%!!6
zAd$41WKDWiiax&%X|JYbAcAxD6D`p5dTAN~m7)M|a7&z1ayrHq(+_;(Td!4{%Ija}
z%qM7|D{SH%0cu4aFS)yzn*k>;^aiPccAHwD98lnTY4&Y*Dj%9mS{UhPTsC3CZwP+6
zcM;Do!&zTtXZLoIiYV=&2JIJ<2Dz1>k7R_kd&nF5Oy&^P>=7UwHsA*lZqaNro?Cu-
zsRzEGt`{JUtMUyPX%C?}5y(xLxtsb9IfY9XGF~zJ4pSZqdeg+a-?4_173c0rx#EJ7
zMOdb*uj$*_-ekWW96zFROZde}Sb<1=P238*CGB(H8RBDsL{E|YiSP9Bt#?G>)<qvb
z_mSV^zOC&HBp1U2&GL6g<u4IlJoL0}Kq=vo-?d3`Gswb7s+glK627Ih6tgu+#&GRs
zOt(<r?1o#3?Pa1%5Lc1Qm@AUTw>+@b{tYAB<(V#|KuZWel}OASmmsO4l(D!WPHt&p
zYm|&-+uba%knt@<dlZndgCh=VK{6LpLQWs>kzmaf8u?bmIAIw<lGy^r)=vEke>Y@0
zs~F!g98b(C6K;gm7JkC2j3l>ZhOPTgAoy;`TwpN|T=+{gCWp9!$hx}b{QP%jhdpx#
zB{Xtrf+Td#_!Jfw1<iG1%^|k$8V-r(+)79XgEDy-(mu-QoI$EAGV&Vh_?m+a-&GvG
znzPSAEeuW+uuId<vk}NktyecRaYym&s?N3*<DG=BNuOpS&3s>{S)FzkCv{l+%m;Wf
z1Lp-Y6Z&juZgCu(!qY<QzN@qFqO=a;7FMiqHUk6&HWTIzXl{W`oJKQ0)*V)7qJB_1
z9GRQ3;^+)y7wJrpIitCSyK=Hl3$L?-n$m-Ec5SEK#`!vEFDQJb#)n^aZD)|i!M&+2
zIL=KlcS#*$E$r%1eFl7_UovEXlow8`Th{#m2fgWl-L9gbaYA^^M}7js2ZPd<OCVD{
z7OAw5G}hzSZ1P@A9xZL6HlcObw%NO0R|h#DVm(|5*$Gg^;Q+|KXRosk<Jqq~AmdPe
zOg{(FJh+iZQ3vBT*m=xfkNr5f@fm)oeCTeu0xVM3>gy1o0lI!#hkKw^A|N;7R8)}l
z*L6`#=N&C8j9{c!>bv31j+=wiF;Ox3JEmIdyU{K$mJG=SnGAKj16y*-EnA~V@$@b#
zw-9Y)xg4IvKDG^2yi)^;W=-r|ig|z6_q9CU7r1kh_?Lzf5yEM=>#i7!JBT|Y!2$>-
z^<i2b^nT~4d{U;6H}-6QjWZ%3{`kT{ECUk?UDAk0o5;6Epkg>*;TZW%Qq=&>L$`D2
zmjWOI?9lWEs&w89d731W1XCtq5>sKQLoh)QVZVbbou^`8>m7d8)wBB@REq%gEf4}$
zX*v|OxHy(fT9QaAEkz)niQ0$8fCeNT2zmGG%hzKm*r6FUROzB>^6e*2*}glrZw3^&
z$xO8OWaF|vuuikhWaBaru(z}FeSvHt!M`k|VIybNQ87zu$>}8bB-As8Qfu&Ks0<)8
zB>H}`)ds7W!x`(V6{N>U>*SiI*1%4X7_erbwJy_}6T)iEcvFqo%0x;m=cI^exI$}6
z_Ej~M1#ei0!+K2%03!*pjW_$5<}i$;<)YXx4YNct=dO$KDD)F-6F1SroATz!R#RkC
z&AoVp^No(BD?TUB@>+#v54%JWt+@$Q8}Vj+UN4vpk{JhQO4&NzX(d#G?{a(J+Oayx
zW>D_xM8xN4TSf^bt0kS`I|DM$0`96rpyytSAqX>K+^u<b{v1c87DqaD373xT4EJQ7
zF6!c9U9X6ngOklU+$WMI$0X+BKCj$bfT0_8=MO4GykXEsAD$7Je{J~T-5}~kCQNx9
zGdD>=E`WOZ<=jRwFV>yXLN5`Qb%0mYEQ2kLeA9wwt#FX<dUE=if&eqjEr)>(r&gll
zt8?w&V2oXzVp<v13e-zn9UDjeME9j*(?qnjf%YHGncB-Fn=);4`$G)Zwlf<PNDtv|
znHQWM4iX)_cQt=Q(YXGcCi;!;54$MAa1MA$*k$y!kZzKCE}{4GUlV>l9~EKPW3T|*
z;MLELlDkIg7`Z_&F+o=Ht5)}^W2|DbE{sdax5=cw*xk-TL7b}0k3?)Fra(e{?BK1-
zE4%-@Ra|qeZu01AtVZPhOXk7CdIYkREx{}24zdlDd9DYhSWXscmAA&(791M3WoJko
z%UUuN@ET#g)3mi`SOEzvCkr1-xkJ0E4nvHq#8yI@N{b7WsCeh7RqAK|B<TR>%T|EW
zqdU%~3klAI2V6YWmXK}!j;K2FjVwCS-02Ken#l|$+R~|NHezb>40*I=93`~WYO~2I
zYqKgz<-oGCbD-tug0suQgEResW?Pe`cw3AkfsR@unvPs+PF3}4y6x}vpPb6)lAMaR
z1$gBT`I%JBb22JkbLUBvz=txUV}?;$XSD?lXU+rmw)PY2w$K}%4J8-E4JnVHi%Oo<
zi-HdEM-?6EN2Se@mvV+YaVnxYQWdq?f+RWMOj$XQdz8zw>IB6zhb1Sc+A~S_cf;&g
zmDsuRBnHpM6CBTM7Kv)LPH8)Nidj6B>gi17^65+!wYl~rlsiHb8_()8pwB4Jo$mrN
z$iI%kN1i=Nps+%mNEM+Vmg;m)T&4fmXcX$sK}9%Mo}*B%OcSUyDt2eFKz4^?Vg#zN
zR0L(!!TRX3<M{koN$M)i$m%Mz7SmIe`Jt!qP*7cl`Ma9>Wo}93>nvvy1TeGg7f@?7
z;Lc{D?~dSr7*u760?Kh@^3iLgBFMuR5|pPG6I4blBKm__LPUEsE2n%qBbR&&G%LG5
zJ{pC%`?`>KCw1@xlzhSjYP>;y6LaBuQ}symE#V3Dt>zQ*lP8e$Qzk4D{1cNeNE<t&
zrz}3Fmuv>KD?>ZJ9IbaQJR#%x=@Ap7nk_v{H8odTrUc|VfaKA2p~?RJDx{_2Hpg+G
zwp!H|>PkgwQF7wDS`?MPQ3h=u%aZX>Mp)=GioIIx8HPw@bo~3ofJeciz^^ptw;#>M
z9pgg%on2Ardx2-nd->h$hw>Dq6Ld1XMTziqpBv>zsxcCi;TJIUkhSc;);72D|K|wg
zAF{aBL8kYfI&qfcY27CeGeP*XpZJ>>S#<EonH(Ejetq|hde}sc#2&GL7Y)L9;ukCg
z@LXDoFESzf+PRWS#PnVaGNE@_*A`I5CZR<uaoMbq7Kr;Mj3v);xvb2e6Nc$<(V%=5
z>!}57lBr$sfqV{YKm&ML9opQ<?)h)_!8IAH$mY;R3_HfkP|$j24##&TSJPGa32rC<
zrtex0D65F)D^nKG&c=Ru+0*H7p{`&bDKh4(2pcQ47D#u-&~v)LiAjl<JV9Pg0{^_T
zS7+>@oAEhk{2`}Ku5AB5XS2?@hmMDE*`d$c)zVn{)a^VvA&ptBQcDK>FZ>(C6pR~G
z6j&Q%6hs@}HpSaiq!ro_)>;K}E_!4i?AxR|l$@K>nw(?PIGn4~T%B{%2%WprHt+n?
z67GJd8Q#UEDc*%)i^oR%k%-;-xGYONhRrgbDlQplmzIk>7MTh=7MhAU7Mt4P<7Mge
zk32KKi%2WID@((^!>zh~ZM=iBtxKI<Gvt}$HEf%0H*A~pavzZuCE8);CGq)2LGD9C
zLEsZ|#OFuk6OekAeV6RMc5KzL<1GhLm4*iWkX8XHNRxvkrP)EE(y|~GX&n&4mdCpo
z2tsfr6v%jeF}-ETGb?ELlm&Y=NF-GdMj&4B4c7}jn!%MXn#2`0`q%QAFI&v=4>rQx
zdg$pdhR}0>FLhYc#I<M^sI?mwn%9)m&btpY@FOEGQmm1e=C1qOn<Q+h%SCL>%gJm=
zH+7VALc6Xr`G%=8hK6d>yN0QAuDc1-54%vavcO5%A6^AWyaea8w%F&PJ7?0)Y(q7-
z(~`TUGtaxKbE3P8)8y)-x>Bi;T5@U;Yv0wvwSFvxt;sGKL3ojF1W#Chu|{hSvW0fh
zI<|Fq)k27(xnPeb;oyv>cBMr?ZV!SA-;hlV^ZGFt<|RB9&MP`r0RF;P8HRf%+(2<s
zBR99R%P{MZHgb4NHiGsT%;PX+A>vSNZtTElf$orM;q1_EVePPFj_)vK4(<?Z{?kFu
zg4qGdoZsQmoRrP<wqDtuk8J;~XPESw&w=O|%G%hkNUJ9KE&HO+_Cc-<>1Cz+7{wtM
z=-`lh410~hPcBexl^_u|p5EQ?>!~9)K@3BXtdjWRt50AF2v0tPn9S7fH+Nj(ME6WC
z$-u3-guEXrdyRI9-+P2${0ED9K+1aiEzvkRHS}j)l#aZprZ6+IY$rdM;+QvA!{zyk
zzQ^DOOUoLLeTi#|0hTL2HiwHxf?jtT$~R^!5pzkuHf;~Ks%|V&<vXe1U^72Pi(p!k
zBBwtiE<JtO`bNlU9;hs$IXUwY7eeVN$H$2c(tjiS(QY1+;)3SbRucxwy7nDpAfgRh
z#N<#yJqYa_2<<F#*lys}l5wzCc42*6_NB&u-rO-9o5(!UNEg8M17`F35{d)iAig!f
zHfFPIYB#Ap;7i!EjgYD5n5fK|r+q1&Gg*Li&Xo<F(@|d#L)U~)HD?#24M7nNwd-T9
zdLfU&ZX?!aYy16`3BJ_*T;9-Cg_j22|F0j}iPiq+7_9aDo~Q|r50}hzKw}MCpR6b*
zrXKI_$?MD(g&Z|po-8e)pd<mH8qdlnpn!d~H9XK?+U)tgt(i%^v)dU&LPBK-QE&$p
zGJ+8018@{UUitjf3LW4C@C76S(m!$d4^{v?*dYKO9O@GUKEd}BK5NauM?UM#KJCK~
zL6i~$06o*$|IaGmbGAHuJkYvd1^AaMw!|O{RKLQoyP$kKoEHz9SC%4S(JX65HX#+M
zEG<E<q!*bgPetCN8i@K64;P|tNAjQ;mMD)#VyhOWrou?_E-Jx<iCX+igu~(IL@*hS
z3u?luF{}%6g4!>1ZW0q^`e0=p5*OvlUu=^1D6_J`&fJa4UM?zj_eitDDyqpUO7{!O
zl?w_R3u+_&vt^|xW#vPb^u`V8mSqKELWe21rRl4siJqmoapd`mWxr|4il8iuIZg@*
zPbiI}OOt3yGfqn5HA}PGU{^3LOBhay0!h52O_U|smE}fe6i6H8c}dLFq8Aj;7gRbI
z1V=E`G*nb&?iG9Ec#B!e3USLyC@hN*Pl|noa>6po8hOgvL2w=liU%qxjSKP<3#!=*
zN^ieD;HO!QAQb??Gv|i&k^g%f@pP<RnMa*HMq>Y}Wi2d>^Na`)U4)5qgKA@>yn{Mo
zz@2+@WH0n9Z&^jQS41&E`r|5Si!fpw8O+g29eYT3&Pu_|9r5s<ZC<1}3)n*(z_Xnw
zbMykdF|I-0_a5Jz2&NFu1chh=>mdG)k)297rzcW^d+cEW!fS~4yjXzFGAaJE`7j^i
zH9QLNg7&LVTz{;`dzn7nZ|n{AA?nR*=sGBxKI}~iG4_z!XsuUP=_xovD1*;}%>R8@
z(zG)8@6^PJV{<o7nt9=5&Q~;+*QA&&`Z(Grdt-^59i|OaEW4e(L~u@H>WA%3y!*JO
z8}mJtjFBg6`oh@(ja|5yHNTTm`Xan3N9MJiXZAjcphC$e*x(;Ix1sv1Z0&t=%b6oG
zq~~xaABYI0+>5B;R^Nrz2zQX#KPwZ)Sp>-PSs-UKzSH=}o}oKamhzP`l}*&>SEz$x
zmP(v)YYwNRc5iYVc0%p6RcBMS$dyrz&#!qyBP`S{`k2xB>y>g2ffHf>RE(|s6%{~@
zC5#@Ib6I80dQO{A(Bd9bdN*Vc`?U5q%t_k7axQ&_&Xm^7W7H4o*r0Zj7#_mjvc26=
z?ZR?xePPkUdT+pW7TXPZ57E$!r~zx%?E3ZHtjnWYW5ADS$tkX$PgFMd_11$`ymdqh
z{EJ0lrb3FsQR)W%5k+-)ahPmKx@c}!$ZxqV*S+q`%{Qjusq+zFY8J%M>-mSgOE7on
zsc<mvHzY^gJrNC~23*5^%opUx>&5sQ94o2$X0n8ZM8m5232a&${>fudrUQl-2`jFP
z@v{I`uJx4TS-|?+GNlJ7(e6EP?y2gE0i<PYGuR$)7GC?)E`P}+Cv_~}ke{VWTFggf
zsLVH-eQ~7jf#Rk*a>)Ju@WTo1p0hNsHr{rB-B_=YuP9gYJ#V=3g?mD06HN}s($XvT
z<pX|>HAq_l8!(Mk@)_Z0|A})tqqPT9n>EwsR}!xXR@Tdjh0qrRihr-+;yRkF%swRc
z9A`vYwLZ0+Z;wc{L4Qh)KRwJLm(ej&Za^Uf<P8fPQ%-UEPls6#B7`MXuke%XmpMx7
zixP_O-919z@iCK=6SYq;`BYCU+&V}*{^o-2@Jbk2|8e|R1hYQ5eti#5a%5P~?8VGF
z?D->`d%hE1srl-GOFURp{9(|e;1$c}JgpMArEWFw$Lv)ki?{bZ{NX1YvRWNCHHdoQ
ziLFtVXv~|#F+t1wTMSDUIq7dkC5=g0hMTZYUqatld0CTMD~^acJw&lR*tRcBTukUH
z;V0AkgFb6^r?2{%;6n|tLx@6lnBYJ0e*3iZE;;zelC$3at#}3b85XAN-gjo=ZzLs!
z#YV>cQEziZ%+w!r7C;S$oya$*k-(_Hh?IbEqz6VY6j*L@b^=m7XI%(GmY=v#9OKI!
zqJ`-5chcieen`*Ee0GRULIwcwe`c8AISKz`?-Re$$2Prfb1U`;eWR|||LgnKr6WJX
zT<fU+p(iaSDLU3OK1zzE`GMvL{;B;d9`ySoZoHy>L7v&}<Yf4}*8k-Ji3`d8{`Asd
z@B0V;x1wz^;i-Y_Y_zx7w5WtnC)1O~8SVuCj~b933Qj;sz%K$jA93R^xSpmQvJJk9
zKP~?u<8M|ef*~g)HBDr20DU*>wWjl^&xEoT{W+afPSt+4I+1Xi&}!8PHHfgX2dX*4
zucwgk`tQ-OU5GmqUmYH_U}Fx1YzH6T&cQX8{dKtF9<K@gD1&gJ)B|LegM_&gtu*>>
zy`!)%4{H$IZrC>kFP|?ubNk}eZv*a$bR*jYR{aUC-a#!8+<tXpFu9&czN&%R0$UJX
z-Pk{(^$@Sv>~7f&y_1Cz_{WKdmdtj2o@8J_cQ$aoeoOvVH*YM<A3=P+>%m_@w{twe
z!6^)9rd}TJm{&iPN42BZ#X$9Lvl>{~7}3jjrjH{y;F#Xnl{<{z*sY$+`x2_5#LhGF
zUcf89;cPSsg&v;aPXyl*+dc-8VvH-_u;Uj)9Wl5?<4q#NMMC_)>FXn?x`$Tph|KN5
zgr-8{e|GMXowVGsPj9HOd*1u#?R^yxn?uw)pl_(sVQSfezI^Uib8o%EOsw?vo?pC)
z3<o(n2n-K!)zun>!xq5U7aO);SB+YeAW0TCM)yb-DY=rAQ0fgJIbdpQLytU&t~2J>
zvxL90mbRMUEdH3N9NS*!;CAM!uZQw**}yS;qyfssUT@O7^9*#k#3^+zLlA^9yMMzn
zoVtR-#{2s_08G^Y4HbW^bv=Sd?0|=%8rCRrOyB!w)G^^eX05O5*NW`97mr4UJrMmV
z52KoY4rA`WF|L97>W<H^^Fx=G$FGQRzqO9Nd|%&s!9+dOs@AO0hdU)!So=+4a{uSM
zSy~RxAxu92F!Y&vE(|lxtc)^0)2IO!9?{G4D|NbI3?tz=>3B~E1H1v;;<#RjCtcjI
zP%Yg_&@0yI9_lkg_8_xB-safJbSMOH#?h?;yN3n5LTe=mmhRgG*u^!HS+!*^b}@>5
zj9QqP3tAgfApiPzgvC3O34}YId8m5?q8%LH$Oe7fqbq)zVRfV!`3c5-Tst8mZ#g!7
zc!wC0kbU%<tO9(Gk~1l-+;}}zAE%qYk=4K7MYp63;bHhFtq$64ac^{phH?;$>>q}>
za(>Amw1jMNWFFJs*7%m=H%EULY})$X>H4L`tK`1@=BdLA)4|m~f;Z_F;kLU3j6bdC
z+YSCU>Z5z8`s3nn2+|tcEtq#!`6+nAF9v|`M*rE+*6Uc?U}@p4o$Y4LWKUdV?T7AT
z*qO0Ebp?QqGV|Vlncf-Uo-R*8=G-P)TPhqGvVxeSUCxfcr=BG_8pDnic|(|EZNm0$
z=r|nGXgerUyx(`c+YL9X7Yp$A)I%Ps8jY}Tmxml|uX02pP%iKLwRhNS_ivGGwtxdv
zm?-v8R@;ZfrnTY!L%+9kF+`7qfeC+-ra4fTYQ~$1l&mo1G@CXhlXIKz<c$#h5-ehV
zw24D_o9s+e%W>Iki2Oh7z?UDSo(3IAyv+Z&+&@au3e-iuOAMGPQXdKSJHx7Kp#K7M
zUf-aX#UoljZn+DTD%_Fn-`Lqr(3Pv+nYBOWuj`{3o_c>jujumfCjG1<yY71L#y6bk
z;qO9`<oPu}JxpT|a~;}i=1m#zO=DpYg`8P>AJ>7@-A_O|iQ_ZOa5S=`{tb+zPn~n~
zJJt=;b(Gz!F&ulY_W&giwveDq^0(BvOD^$AQ{6nMdP}rdvUuUD>(Exf<K*ceq#3>M
zE+feCPXs0i1_tF2`6YFtx-cR7tvtMRMw8CdtTPD@>Li_c@^htqWz+Z>(W>oUtqU;^
z*j`UahP=a1hDK5+?@<E%PN1tBUjE8tr|ix7>I14J=H`&-f%M@jPAIA$^fHG_uW6$5
zGj%BiK*>{$tgV#Lz4Lc9o_!p)@@a)vOiaeQ#Kbh=d1*teKcqu^o?AHjwBoIkN}Gux
z+HF~LI)RUb*PcWL4+7oyCHh#qy9n;4&`9}e!e%&TD6L40CbVX)Q%bW`{XXJV3I3M_
zG12rUlxD3HN&<;uU?#!XM_7hY)y9lity5B{Bl*EJhSIl4Z@KDYKdN?p6Qxj$PQID)
zzhU2II&`ljwz%3-RzFWM>GTca41obmFRHG0mqOaTgz*@zaWB}`j|Dx8%{;+E+S_fU
zy!xDcFZJ|}=tZxR{gopu3bPds)64=?=G$JAa=(x%hHbtv3}32#J08xd#AFG-T+&4y
z!e26Sco>pfpO`=f)g?=D9(EG+-OAEiuK7e}J<=!)cWvT#h*k*mI^4x;?t5f~cV&M8
zZXAp6+pEUZPxiO)Voi)Z*P;5f;ST8PP_jgBZF-A#Xl-p2?cR6R6OA5=bqJz-LEr1>
zo_s3_{lLjL>tXs$4Cr4fw^`$8Uj4Ti#;{{<TDI=^To{+13wlqrdD*;ry<o@nBW^yW
zdcEJHBrD}-GlZXT&P;}iw6CL`w@EgvG0a>jiFna{uQ!+DoYAco@nQ`4Wu9wQ6M!eA
zK({&t?>mBdz6HrzgV3!1g|RRa5m~yILc5=_g#_n3Kgd%b(Y6;p3Q5=Bg$wGd{cs%l
zQ?Tbu-b)W&NOnIfR~TZme<Co<EuZvd8<}ATMd*iiLB6OsFR`BUINZ80S()f?4A><B
zCuI8-!WrHc1nm`!>~<DxyF3Gr1Ku*L1(9wq{Esj(4lXxGtf(IRiar7DKE~x9guF0u
z=8?ZiU}=FEPkLDV{^ppXU;tg-Dx1?vn>F0wTFRISF0n<TVN-llr!>yB7Zcn2&Qq@`
z?n{1VW0DW0hwM#}9yc0b&uh9r-MSM;2r5*Xkj@n3zP|T6VC&Bh8AcIgp>Zt1xd1PQ
zY?4UAedp&d4kN6~LuRY$Ju9^0?sBkB<%`-Iy;hEC`jG4$P0^%eBtxf}Ptn-66}#}=
zlKK8TLQ%iFI3KSFuD5uE;4RR9V>ZVUSMhq)99>ZSyn5h&-tvon`0-`e_bH3wbxAz-
zdU6lI%@;2GmLnjhlXL##<&}A|%l_g3ETiUffiNNN@)Uf$6ZYxF&u+<Kn~3*bcI9(#
zT&M}@z9zAn6K_Hrl4gTrm_)AxA8u{d@6ZxgxSrIiV~N$)@ykeCHq|57=+Me*+&k6C
z^l;tJdxPq6LS1!NW<zjlvp$)fkUQtm=cwShLn3mKWZ=wfk{Dr@^lKd{RvTirsJStS
zuFvCxJ2<}5E|Vo-<crX1m(3A!<ki+>0fl>{&BNsFNNLpeRK<}ztB<8h?&?CkFadY6
zLY_>WsI>!iEM%4N$uM~Jv4lQeb4=}6wU5lV!D2;go>zHb6TjEhfbHS<>jE#u!{x_t
z&V}vgUhC+9_xk!aOyddZ3fu4kfXUJDXQ)R4fS1Zt6Az0wTZU%JVnBiRr3wLu8q$g|
zObHG@y?~e?D`{jWSbqpNbRQWN{E_ywoZeKA)#~Q`DDv`k*XZvQ+4V_IPLq-1b?K|(
zVazigp$|G$U>%x&C3MX-RaAocDcl`@Eb7%41*Y&<k9qjZ&Z`Uj8$d<bkikF?OfMBU
zX@34Zp|Q3sYkzAXt|JzkqF1XjIx9Be%*#M*QDt(=Ujj$ZIRh_4V>62>iPp+auD0vN
zoXzNQ0?b;*OIwT}{PNof#X=vxslC(^NM<@YIkR0DrUT6PA@sCRd1RMGcWfBze$meg
zh8{Decu#6Y8@A!32%o6=i^EoY%zRV-bEpb}4#dk7-lp2=uH)6N_n>%5yHMogN%!U`
z$`}4bJn3{9O3n&F{_Mp3_UG@v`Bq$kxV_Czj3ZL)x?gcK^`mDa=$50fMJ1=4?$A&b
zy@-g%nSU>@us2)(J>b~j%CV6|!g_u0vv2#=DxB43Ggpjun#kF{w&>y}bI_Z{-0S}V
zj~!)h2nkbWRUby;TX^A$mX?EPAj;SoNVgl&LY4}sMtdT8?u+#erXMGu)b)OWptL-F
z4_SSm{%Et^uta-Oc-9kq!Kt|04)-v*3^llfWV_~jeCJz^{-ME~M#&MyXn{nYN47GK
zO+?V<Af@%Ph(}`-+K;w5Hf!iN*=|&##HRCB0&FbPKqqbA=q=O0hF{wJ=0}<!93e1n
z+QwL}y6*+0f&rm#jKRwt*-#%0YtAlJIY<u11@@kq_I#YqDrj=iVsG#cWu1JK#6BaZ
zFM|+KtuF)ex#B0YB#u~VyW)Jcee%K^Ws5L%SsYi8+9@#1Ck+c<>wgTO{;;0N1OD*p
z&6J*SFQQgbn>vwbsSMO(l-uXLA4IpQD)x0MC6T31pXOLL=E<W(1C@E=it?lKHA={d
zLzyTaP;-+-3s2iuh2uQzO?jU*%L&5f(0&l$9he<x)$DDrVPry$1$B>AjAXL26E%r$
zTQNiYoXnPg>cr@x40NqDzvK>Ul!fesWv9hK7*KoI<nto*n8!aX(Z<k?AwDb;Sl<DZ
z6CbXVsMi2A=u2U@!%M1}mJup?O}TF7$JDcB`%_#iw^WSTc?iC)`=J97pu8Zsc>MZv
z`E@q3bHqR1F2(t?H*|6YNh^jppjT)7gW4ccmr2pmnN&0^<0V&cqzE8%M|X7LpV(nZ
z!oVJa>~QrPC)||n0Cz!;=z7!lv`n}0?W2@!zB1Oyc@8`11CY>gd9!fe`nmUmH_C>f
z^?bzSzu5;K(vy@0arrmH6K0PaQ^X=JUI-^93frgO%#|!w^0snkZa6wxZu~iZJ>G+U
zAmVNM=y4z?LjTUn>R3%hBNU_3*@e@wS$3%L=u{^R)jsbGO1!z4QMPn8b9j5Ahv4rY
zC#Y(=-^k7!?IPMmNR_fEo3K2jo*oL*oXNmN6x3Msn`!&9EpPK$Qx_9st?#mnq<=c^
z20oDcr1<N5r-*Dl)$f?Eh8eOG*mer@eO<eE>MN@2>u6OL9_NI<EawrKJ`We=b}fMt
zZi5Inv9He&=4Z=}8xk_BsU3eAzc{a!-%UhR$y51nxKCe%v}uk67X@6S<k6Q+b7-0c
z<WWsF@sXTzDcYjUjHxX6>8&$ooiS#6od3PIYWMVN@8QgP{#$je)8W1I*gfpE1_v2G
zAP;sn3s`NYAMzpU-DwwrCnpSuixs+#UyYb7ij%uWt;98u^obkhmeDy3JcnT+!5<h<
ztZ~|QexWdMqDi%RfUBC=^j;@8U!!x;P1HprlnB#^6g*s=XGJ~UvKT!=f*dsO*=^Fe
zV;1I`!;y+f4y-)Z(e*1G+znhQHJg*LR1q)CAnK?=LR^MMlw`NX6%w5z{$lR`wHULo
zU`2{bR6FoI@^a|IgVTuL!O#~mrwY8Y*nCo<JCR(kmt$H=t~<7|Pi#`r#C+CasV){#
zF2{Ezy(%Uqr(M_DbDQ10nXlgMe6{nb^mW{d5P<mg0}2tfVkrs=S96v;Vbh~f3tl&a
zd`IneM~<JvVu!wB#VE&pI}y3bbS!lA3JHt2)6iH<0<D;Pr#QL#^cz~06r?&*`qexs
zX$c(G&9nl5#8^AV71s8L62F0cM(P$wU)5}}7An->Zl9{7PMbBg^ESi@LS{l!b!mP6
zYem;L0&2`yi58jnpD*!>$4pVgER=)c>efO@-NNSsFu2X&YL|u=`Y^I$Ciy%^<fR&a
zgBw#waDHW=6-%oKAx00VdE6N#tS1*FK;mt^6fZgBZkR3tS<s36_PlhJn6IyfY|aLi
zS{_|>;eL_5yFLfqtfYbp_2q9mlU5)5x&h6RL+JrWL0Z2gdy-FjS_SU@P_~WhvRXZ4
zwi7+i+g*KTyV$T@iB~X>BfC;lW_OR2#W_-h*Y6X}mg@kt402PES1@^+94NIMKo5#N
zC%(g=y?U4b)R<szAIIxE+S<Mf<#xSA>3vr~uBb1%9-q(JUvSsLZmL!aW3^M)C#ni_
z<w<xm6v3}*U7AJ9$7aZUc6n3$OmH&_iH)j0w``9oyyj24s6N<%>0=ae=cmNvEjYpv
z&-M+%&Yi{~D2hAp>VND-A2)@Yv6rvR6FCpF&S2A@l)3r1ZNka;s(b>LXZCIw3o&;*
zo1My;39hbsYQbv<C%j==drxi49jqymGE(jLN4|vOW06mME8K@Ur_=sE1MrJdj^HC-
ztVm$*p^^}<5NgNmf|T{&%|7jSSqMQs(Ebr6{!JKc(b+o$0Umb6;V+|ewFZ4kb3<{K
zq!O97p}<{AW7qeJx^k!OZHcp#`0!MdZhcO)%mDsZ<THb@I;YyMot2TYoZI!WsUJUW
ztBV}$9M*oP5w6i63~7o5+qYJCZ~x_K-_?@t+wSV>@(B`(+d@;<`cvVe@euOXz#s)E
zHv4l3-d2f1L$1a--J!u>wPF@7ql(8Ba%6ttA1|k}rB@=r&Xla0Pe#v7Pj1xq!Ps1k
zj?A+}Hfxe=3k5&MIqHt;YPL$9bX&YUy}7yBDO`&=waPh()c72%m8JW?_;{!AOoOgV
zxI4Dfv2EM7I<{>)>DX4swr$(CZ9U-=PQU;Ae={d@&2=B&2fJ$3TDx}by^wq@Y@Qga
z1<IcVioa0BF4gn+;}tEr022shq9D{C9gF2!T4IvV6y6017C%Epin9le8XBmyGpK<Y
z;$JO>McpcPsP24kc1$$MvIBEFJvqK2^=o}<<5-Jn#bfOHNbbc^T)`1(2RMIc`+a5L
z+mn8{R*b1q$3~f8zczKidZc!NTIcGr)>>8EmNi!VNF{u-C%|=Sifsua&Fl?%fo!!M
zq=>WnjF>l?E9%@pLJk@|#vp-@q&LArXrdFw%@Jm(H9Ud_@oVqERcb|t;8kr!hv{M}
zR$hx7u~-Qw(wpapP>^{n2ftzB9tHimOREFSAi5VU)_zK!KuIEo085D4p%lUoSCwHP
z%E)u9#A)pu_nuC4TF+lfK!Pc|Z>~9qi{tV&jAKB**2%Vs>2i-;gp@HZ7aW^Ild9cp
zXJGPcLz5&0aVXw^L~$I)U<Z2l*g^jy=96mS!UD9eYrHF3yHQ@U>zYP$vwTvO=8tb&
z)wv^*QF{t}=}>1&k|mud^OC%JREi(ow}463lp}#c5V#gts$hVr+AbdyDXAQxamf+l
zNIdJtcp?mgNH!@Cbi`Ejty8n;Oj=ofR-_BIk(~$BwM=KWJGFj@;Zjj_cYVl%RDxN5
z`~_k!%zc)FE)rH44u7oi{xxWpF<KNATO)1gP*zXZ#A84^FyfCpHKAEdj}Tuxw_p|d
z^w^hy<vS~_%YpZ)>+HF7RFVNrp;Rqw{*}|mX2!4p?noPe1Y1nYAGD3RXKquzj}id7
zN|EWJZmq!-^G(e2`|y~NrB=A|MkyW`zd@p;O-!>{i2fpZw}3AdCK}6^Rq4d>{;F*M
z-j}rc%tDYD=X((aK;&n4!>LY?lpl8MYc7%~B8fVqhXGYl@s*%j>ST;C&P9(RdWe>*
zJ$7+Z-Z~n8jErXdw%wV*U3Q9$u>wH?B|b}`sS6ZyQ}x~p*E~scTh1`wCw5eSa&`Uw
z_vl-Rye1-%l`+O<r2-M+5rNI7Z@!V`RV#=O9n+FR9XnR>>}uUNcL?r*?CfDjm^@8d
zXsdo*vEeP`SL!4p`6RV>Daw<>p+6DZQAAbSQ9RJ6G@Ca=C#Bk~_9Vl*N-(w3UYvL<
zDcfVwE4G`r8@TKT`}O@sck}V6$jrr>J!?<)QVq1BPn$Mvv?^BW+?Abxcbb2*%W?!I
z|Gk@Sg*m>&Kk8&oPP`mxK};29GeI;M%1K=#H|>(8b!e%w=up9iUkg>~fJ%scM?Y#5
zBf*MLC2cagDdn05_ww4LtaxC$Fmt4N0<Wk)1d-px!-(?WU3xRjR6J7nw8ZI`>V!6@
zq@vG%p1Vm`ochl@L)daniYIuX?uXnet&Znwm2`xX3}vU5u;vnqwDtv~v7r<m_<nzh
zrk3zNjmu8IMRlz7Qv&fbh84W)bANM=Vs$J`@a9RWqbyy46?@z*gq>T{g@2vr17d}?
zQDv*c2CmZeX0MtHFb2PIbYtOi$XUBMP|Z8TG%4{Tsp7kxu!av>113tN%f!+i^ztMb
z8-$2K>`1i$42V80qqK4yT(Ci>oRClhum3rJb!jUx)Ni5BiP8jaguqYX^>JO8K0~)J
z<UjA8zRbYM3k)7r*Re(s;qm2fT|BB|=Q!sR=104h20+g?EoL*WPfcg##I=YO>S8hM
zn}EuX{>Aw*i^eU~kWorc$2wN(RSB?0imq@}mhhfi)*8!yb7J@<{i#vVyFr_SrC5{b
z1XtU<?e;J&+;_xwH`7pF>`VL5Uf7Y=b@Xb!;E3m)GNZEG1$p-gI~&kxTP5(oKBuGb
z)ZFh}#9az)*i4`j<NvEo8=&Ib%&}ys9Q$K8kP-u~HT))BJ38ZzdNHNbQR&N(>l}8^
zah;pk42u3w7{-rP06y}bl?pNI8S--T&z;XV7SN*F0(VSmcmAMLKa5;SQu2e|q-rSD
zOD8jgm6$3<$TNdKX`fnq0i6kNJeFXd@iLZRhG?1)mQ-!SU*qYhFX%21cuoF~c%=-B
znVA~$v&Z_5584fK<gv%mIy5=&sy;es>ae{9FZZvtCYPll^CnIzuP(0k(@^XXZ65O#
zZ+g<8mBz_aVwf7{mA%0lR8Ff#%EJj7Ab$@rkTVH7-Xqk4Cdb&<GYb&6AMQ}WQSFVM
z<b6R{{IyOe+V*xkLV9f+ng_<Z1Fr6c334EP=q%utTivkLeV4xv`$U!2<IB}RK#kmW
z!Pnw0-L|XRLlCunvbw2qSRDwsSj?Jm*2pt^PG?%zP=6mEYF#(O;lRG$&Gus9#lRX5
zaF`nV(cb2BN8SPO``Wu0itOhw1}5Kx+iDn&2yHcDj!?{JKhu&Qepr)8J@~0|5Hf-g
zC4-ltD_R7Qk`fsT8W_WI#`0<4^Ln!19-U>epH6wOpW>4Hp7(6J0PP+cCQnQYZ#5M<
zGUcWKSBFCC_O9o}lXly-f7iasRVr#KYVKCPcOPqtZ*L3Ny=yhTSGt=s^34@zDWMDc
zY&Qp*!jNF`lU`W?!9$f}$|$=5J{kvHN0t${5;@k2In(fdt-nv%;9aoC9-2-MY8gL~
zk4&j@8^;hi_9V#s5P*&m->8736M#WCS^f^~#1rbrj^&iXi8<L9{1HRSt9nAO&fDkb
z>pR!OEoz7_zEX`@{TPx|0!~DgmZKJat)RXtWVCs{Ep!el&-sypgm*0Rmu#bT776Ns
zGd?cM3>}f^2*_e~g(b5P5cczFu7%z|mv0!10g-V(isIn%&b7HyyYS}z34LkkgEsg6
zJmJsv_HC$$?JyP`mrhN~i7rBG0c;A~70_=I2FKuKRk-U&<?~Bx-%acO%YkS;x(~b$
z{D)e2wNc2K__jPMGn9)RGlCnYv*U@uIXC0p;ZdpF6-4&c%?2e82C`O^B$ZiV`{Oye
zyVIwkRtd&eTbFF+ioKr;kMGyh5|7K^+qQ6s;|*>TSue&DT@~F6=4{CU#r9Zfd}#nG
z`b=_i#T>Y)=%w`NwNqV49F>yZRX>@r4wgwZSDndKJLH;c<flL#SSvOm6^TmZ<bhEH
zc;KC6Omz@L3RDDa8}RgY<H=bO20m{3Msh|+zr(O(>Up;DA*H+;^}&3Gmv>p1;4D%d
z;z^e_y2swk!+l3#moxqhv352kEX-N^G|xV%yBVu^AlEfzw^e?WzJ@ucnoCGz$OH8h
z@*JL*Z}nHXdHm>EV1xpRf@D`@7x6v#5qLk4i(6rrc0nQ1$;zQ8mRCVye?1H!qhpRc
zfq4B4GNL_pdjVW1^=#K3(!gsuV){Qn<Bf%p<%r~@zWN<;MKBODEP2X-ZleHr<pw^Z
z9wp+_aFSV?`%}WbegO^pjpKKQ;xZOq%1`47(g5ESM-<b?LtZifuR#FH1b-Z*tX#j}
z?VC6?7!}MSg}C$@#wHMHKNzp6KF3rfSfr}Uut;eLd#k&NNnTvGqv|iKMvu3}#{T8C
z#<!ks_43uyM|OYBKQ|-kfw{ktU|Pd_LY*M{^zIx4IC3xFtUKS8!=KKd=(h^h1p?ca
z2a98<D7$gI6#ohTNPf<pD7UmVV?jMZy~xLDY;o-Pk!mm4=?kV=kUc3xK!^;$bwHH-
zm`FY^46TxA>Zy&+6snKrXaWQ?<#aqB|M)JWzl7T;r_qbGl9H%f-nqEEZsAbNq>^r|
zZm<3O*uuVB!w&9q!#^4$|4jy9xjKdPd~b?)UXMFOSS%)*UHmlKx|iV{e1%bZP5&O$
zfjlC4(aM!IiWZZNxr_LVz0TVJ@&FUZ-j~&%V#6rX#~t8Ht@bHj@9%6p1;g)H?{{ki
z39a)4;k#q`ac#UPZ2*bdH$AiS9W^|x{}K3QRdFo-yt?Iu)a3A}4v9Fh^~y<fl-6}?
z$2=kl_)#0A8$4%;8i&>OjCQEKY<UFTpN82hUrnq4{RKPXUda=W2&-qzTX+&*3XgD)
z04VDC(?$4chwdp>REs2>qZCKT0L!nuI0k+UKlX6+lmAz-HS)&P#)N{j|ANL6-ADnu
z1$a*ovNaQh%Y01!akq`hJ;Y{GRJq06{7r+H4rA7<GO|BSRby6r9;Vb<cinnKY{h%M
z4VRKx37tw-m))kAzfZzhoctUJvmM6lH-0}`#OXPH7QwVmX(vNX<o%?@CBl5kEpgFI
zN-kk;o`jVEyI<Np2VrihlI(XU{Eo|C_5`*<-rsM$F#teW-*VQT)XK{3z^s^O@$GqZ
zEeecp690@V<vTXNYQvv#`3%Lrp%<4A$qo@-B{!9uSW==5rh~@&WfO({mEjlk)UpP@
zOOh~Z+A&AR{kiR1?x*WF%zMJxMtP=|Tyh+rpPu<M*4Ss*38&}lZ&}q>`#?@n{%DQ6
zx_`t=1Mg8WV=b?NN|c+nq6Rw#`&Tb%;q)Bj8INTZOCQ~N6iaW0UTLNhs($Z(ju<c5
z{r^5<jz`AufLg*;LD&dhh1$S(^z(m9F9XaH^K1JlKz;8#7ANzO8=uRX26;&V{ba0E
z^ZDAHmAtz+rVpQ0MymSW<J1fAm--_rm64U2f(u{72{XZprl?d~_X&*xNwQ5dLc7#z
z^ug6Mz?_VWz~r|K&y$5tg5e8p_FhEC6&Tig#l*tSMxA-C>yXhO^d+?{gJJhKbBkpW
z<LB`qth?RjAS>>b)A~xof&j1Yuy$#!#k=1Uf0O%FMSyqPRXwYKUy$DeTDbIi|4v{S
zccFWg|M||T>D#KhH~cgWkyStpmK_Qa<hKbMFBFcU4~JTYsGcQ&=jjfOaZ~)lIz0y7
zvg?dBm4PS(KZnn&OtJ0lNdE0yfR;|FL+=R)aT3|xJ>0&OQd+T$`i|n`>Y3aV7eO*Q
zT07;Px5c$mbF0!w8tt_tP`oA8a{yDvDurwq)+zWB(F6d<H9+j|bBKg{tpgW?bw@kh
z6SM1Dx9o25apX>`g1fb>Ij>?{5V@oB0l!A~)+>qtA%4_1kRu^sjyiP*h7klpdZ`}h
zo{=*!HA23Qv9s{2PvUJSTtYCIs_4vIRT8|h#|lCkQ+IR+OO0YnH1F7*6X9C24pgaD
z{8^3Zr~b=2N$&7+r9MfsxpGVB-QCCCA`y~xmD}UbSjK||{Oce@nvNXk81h#&)?Vgz
zI|3)JC%i`Wf~WPrhc*2EtY*tBoincQsUD&Kmw%_BwG59QT*MvZ4m`OBM~M6X0p8{-
z)Te0Hyy!o8XP$BG>FTmm+QB3mD@~vv)f3Ybx&iBE1OzSFkDmq@^Zy5zapc9b$^!bR
zH|FQN!*9_&Oh%8wkmsNFPh)sR>d|Q3Rk<!vOvndYSG%~6l?V%->Fityg*x-2v#G=E
zW1M>hyICDQ?zIAk@DwcsYcAfSbzckbBrL60J~x`XwzNfuw^TRvh|hY5?!^Q71&0-j
zJzp<Xxkb0Q?S9?>@CS-3*$iBT>0j?wY$8EZm-8eS^D<C(8K_O;ef9X&ue>Fzq&cN}
zD?5GWq%|x(Rtx;@3EA+(p#c5{tmN6cxFG|=O#2~viTzVcVRCRHW~L49UbiC%fwICl
z+<aeUx?C>T3l`_gQ)mW;RjG%s6LjNAe3}18c7!4j>r*A<NsZ!<1l&gXh6iYq`r!k+
z;TLvebwIbdPTP9>{v&lneEHE5gnUv7Tt;-@BMAKxJ7t)j+VgQ{r{+$AYs#jPXC~#O
zhP^I##SEAmCwCq;FZgUG*Ef$V{h~v-D^j7nbS<s_%HpoMo;Nx>*SJnm`D$lZy_I$(
zhRgu-%PYeam-H3C-)z%uX8WI2BuCD5R4v<Vtzs*Ci@zjl6{f0_l&>!Zen|C{J=_BL
z8v}jUBE!i1z&te%RF9~Ru(vw*)>cBvb5CzEfQ<l+yT3#K+58?*U|l~vAJ;4eCBVM^
z{}*;2NPyx0XgMAafY&zUf2c+!p%l)}V!@NkTa+t^{2y`>UO@oD*{iH`EhMvxKWGr|
zup%!1QL5NbhhbGrd?gO2oFW*>3RgwlORx}l^UzmZg)@xTkE~&p`1?8<d`)IxWfuSA
zE?_Zy51)1a>+>KK_T|wsV|_*T)0KgK`lGi4=OxJ5RpFmKMrUsH7c_p|Z2y@cu1(1+
zuF`r+t}b*bMe4M2g?I0-S~^{UB#?*I=7&-8k<%0o-dRuq|2$k?;3Wozt4OAf$!x#j
zF`iB)FP-&!^<*DkyW#Vs@M@fQp57w2H!1PbTVl8`DN2FMcT1*wvC7-|3XR*5S<qrc
z=Zj6Zs{(iTON(t`=jLjzMS3G5E-&9LEIv2VOD|z69;e4iUqB-yWZZR+lOM*=oTjI}
z@o`N2>Bo2u)gaaJUL`s~N2$-;%$c+U0~XU5VMVS(_W+Le*{)!^esAfoH~if?lC6sy
zhsU<-B$AETzJpAZut<@Ilrz{X+sqkuHXasryY|aa7b{;C&p{jN?cUp~W<>wMyB71F
zPWhYOCsrp6!(OpJe3=}gJha#sx_zGMWiGb|RC2c$hAlJkw_kR?Ji)tP`qq=zge0mn
zyzkV$=3F*a7;U{Gc*-b6X#(2Vu9|?dbecG#fAYZ#C>rVw?xMVhOt?hp{liO=QVI<W
zPxgZcayr5L(2PB(1k{Tjp$h74j7dn9a|7Pt^xjE|IPOVG9%YY1KmMxBXdY2a9rt_5
z2zP5HU-EzKP<`Y~%}Rc70@5UXAb^uayS;yUbD6&RUw|g(hmXYL3G*>y5fFUxBH+-W
zzh5;fqEcia-F+MUoskSbXf2I*&lu6T4kqSMt;*6vUdNGg^wEJSVY={*l`&5US*N44
zp8^XxsJ4QS$3aO5alO+sRRZUebV4HIf~(|da?WwS8+YKoJel_+B0H(S?W4JZn|u>R
z%ACheZ(7*?nT;+^pP><p9(&(^@4fZHq>~eTRpKdu$|x#qoAfa@Fdmqb3V#HO21An0
z_Ri1p2L<5>eAB|ZhQ^j7`=J}ECzbK$YBc~9p>>(H#6?vDF`JW8*9cI!CMsQq91=c^
zo3ie@u56`A@isODcpn3u+*WXMrjOi@L8pELCRc3JcZ3y)96$F?K=&8&4Q94$7P6Bz
z771=wjXim4w<_@r3!Rkfzf62C6zB0Qap>DR?chQe>RH?BoBoEa0t8IhPp#Psa|}Q7
zvyDDHIfz_qc*Aud<&!rW2L{oJL64>z_;<BlXD-bbrFEf?HJM~}@C^wnX!13%^R1d3
zrwOw{J!D7d;l1r~(Hp2(xy};nVW;Rr5q`6KL_m+2+;8;w-Y4ZI+v;&ARe1!@TRT*E
zzSOjDdxPXl9t#>icF@fmCnXI}<L`EM^6Y<<v4gtilS<~66>`RjJ+5Z$fg1A;d7`iC
zP8Al#62&c00tl%8gD@X>U|WR0kfwMJ2JiUBNpXcRis+$_a5@t1inpS?T+uF^G0`Cl
z%IY~()r$wec72R#bBrrarw5q&5TmBGObHXyCQtA$lnve=*eP4)KyK%xt&y!K{Na0=
z(2A$vkOW#aW_e=U(2S;~IYqadt%K)lip`9`O?F<>`SB1ZOGDy~)6H&YyVaWV6Z14k
zP;8de?#*>BZf3pqqUiynotvg3B^Gsj5&X1QY=C2gKeVUP0V44#ncq)O@q@{+hcULh
z;dHL1Zc6_jo>CL1ynrJJb)$;d5B{K4HKOha0;b~DO7Nr6BCkv_zX2Wjs#emaOiFvm
zsm!Yf+Lssj1Z1ZtGT(-204v+{>GW)(o}}T>jNp6dCmgXQINF~S_LHH8qQ*2hf66;X
z&2PK$=uur;yy+E$KFN*UUuQc<Ht_8uJ;U99Z1|(?-KduaP|l)40uh)9sKKTJO1L{g
zFRxS!X4)9yUi!<<f_mU<ctd&V?_tMSQ1r!f(q3=l3F801umr+&(q27}q=HucV4_@}
z^hS&ie7@OC!s9BjU-#orEd?$c|0}H%?fM5;BkEAqd^A3;L{6<$mDY@rY=zF#@kn-O
zBxQ3FoN4^9$mGHf&j1jy-Oy}riFv1p#(0=ZD)9>h0{+`I?!k!u9~-wrCeCtUySC<T
zxlz4T6zQ9%X;nEr(op-}VBF@>LPxHypCJFPWJ*D+saUzc|E)g8hjsL=;tYub%$M#+
zE2X}$9@+=ih{#0Hm@Cyc+tFbGuZWHUvY;MHm&#(F$k;}y{uznhXs%^<Dw*}v<*B((
zMSfU$z3_kr3)q@vUdw_8o#8V+y%{<8Ru8)`6FLI-W|l3{s)t6~_YiY4x@<(Oj<0G(
zOD6B1uCB+`UtX~-z0$LWO4OGNP%$z}?SEXe0=OY=5gw7>tfSoJnl)`~Vy>^2h)rfk
zG4FI2EO*TL8Q!LFqWRUFsfoU9$V9vNsoFwupWL%%C3Vbwns0JVjvJFe{d-!Wb~~0w
zvZ2tn6UDKSbA?)u3f^iEeJ<>G{8u?YpVE4UrV{nn95s@GFD|m5y;U|+`BI)FSjZnp
zRheM9d3Lhj3^pG~UFVEIe9glxsUU|q;!j?nPPe>8YsBgJsYjN5%02&6aUg{)_k*I}
z=qv83;k)eaA{M0FMAFsEIyW32P9ppkvDK0|r6rNv+F`V_c-X%#O2^W8cvdR>xuQJK
z$IZPT(`fcuxYWGrfPfq*J?)YZ3a=VGU}9ZRWWB`op|gVY6yLXf5Y4~C;HtOSCt!8p
zZ~TaXS?I~%F=qZ33AQG^y&=>`=ioGf;<D=mjDP~*iOo{{4}YVN*d-huaPQ6O|1tz-
zeu?l4)jc%zuq4`rg~#7I-<ZzMTFJY{<ArAbMeV~_63RCUpkRnVv___PGr&hhx;NAZ
zw;kf^_mSsCfEN-FEIv&ZSfq*v^o6L^4Spo|8%o|O{uNJ<G{F`15!}wJAs|(jJ2_db
z(|2oH^l>BjMZG6#`T-)dD<7yc2$0qsTriMbxIZT0rc_<iC}La~9W5|hpxD|XT51j!
ztOTiH5dVEJT}qV`G}n@MKr&K8zue$4ZS-pwstVUfXVS>{c}q7XAVEhFG|bM%dpFOq
zyUv2=G{$Ulb~f1-@%5_ww-;@fB1BrvrYb&W6z1wu&IPc_`UTP5e%_n^lKtY~#fqbQ
zY=T{OWc=EHqf;iBf%eaP*Prmbvyls}=ryK$;z(S@n+e*7O5ArF7b&$%c7)Ww%_NTX
zH+BRScIOH<e1B=KFJY$}DW!fEkoGbbkPZ*Q2c=h(T;r@XYU&c;7FF{~2Yww_<;;xT
zC&+pkAZ<_On*STj)=W!QNT3`~1gXb#F+^Ed&x6g>#N%jOD@slLD=)@c)qL6!4^OsX
zbJaJ4js+!3cfESEqO!5Rn&XV-Eh2KCN9UDvH8Rqpe{ebY?od^KkTC>0CSz8UC6Png
zi=h+LA%rknuvSUMKA-ERC4PgQJA=(vivF(Ddd7oU`;ipF<YiXSJ-M8^!-HLov+fI;
z^5p?FV`a$0PDq_n-K>+Kr(o@DwaHfKYVU2RKz8V2*8OyLB-(8@-0}W>&%{fzvh81H
zjngL(<D*yQ-`enqNM$`XD&}?5s+O8?I?j?6x57FFxjOkz4WV?ZNWKidx}Ifi#ouyf
zIH#2Mioehp?A4NAq=dn~;{lj}wxQMdI1=|j3LMWAUeoc@apS+U?<uB7o>LNoj}ZQF
zO-vu3imNo=;_OM8m)+zL*`#LeJ4`zBNRV;+)+^C8&uq~FsQkYh{hf1<n^6v_!hq-(
zrd^?AUC`XAXM%+3{dy2qo#Zu{Knt^$-oLXD?}6hs%xBm4;!QTs)xO57Dv{n%LjGg3
z?F<~oFWx!3yN8ZXuOJEk%sH~>yx$TRjV~>|e$Lc*Ij1=I^J6)3`R*8WC5Nj)ct*#2
z58bMvt8sAE|C)xn0lVb{Py?IEaw!yGYKSmgXWyXiu)J1=Tu0RVb0KzInj^a;`Q>*E
z096tinOT8hD-7cscb+2{S^y!XpYAMGqU{56Y`C>ZkY;rGF!oKv2i?f^;vsFhnF8k|
zHmA{gZtJu7hm-23ZiDkZ`<AzmneVeD8HkSB?*m!%(bop91b^Q4cHF+;;3Al6<23I7
zZ|P*y>JS6rtmLt!Fn>dT3VSmsuq^repU6_>Djm5?ec&H)$b6U`y|7C9<2b?Zp#R}j
zaGvWGeft4GDWXWeuQDp_C8q)q6KASaDRdWjT&N0MJ7uWJ>+vqb+|iWgmkt37Io!{I
zsUJ5#rRE;)r$kFfd&@=OZ)p!Mp<p5iagF!Ywv01n;3VxS7_TRxkFT8z0sfNFI=0ua
z5|cH@fzsSiXn%O1_HMY_>E9YSD90iRfUYp>GyLRlmOaxud<i`t(=baXu}=}lgF~@1
zPZ8-uf6k0K0IvOELydEC;oz&J_=0-O&d0m}QYZKesP^zntXs{!Sp%V?Z)ss#kEN-U
z(fCoaFR~-CeqblK2mc`Pw_GZ()yahM*x`SfE-m37X`(}ZHb?m1ANU{KLd2&P`TR!&
zXLh;zCN)tWUM?WiSK|LAQCOZm|B6gqoqbc9pP;!3Z8NVG9u&tNfLl^=7@Qds1{Wp!
zAgGG8-Vm8AP{%l~=-2Iop;4k7`Lp#;kD8?Rspd4s7NNOjAU;&u1bW7h`!=UDWXnil
zAy1NTCSU(O2ic9YIf%A#V*&?7Y|L$hEG~7C%n}D0E^fL3B%k^>hU527LJ7yKxWmQ9
z{b#!u_R}oqoz3k@B@7oO?hs{hkYE#1LGeF7q(o8W_@@?GAaFL<5aHxG4FW-Dxr~g1
zdfEMr1#E%_ACek(y;m;uw-+~CoxKOg_uoGabKRa<8d;XvwwISx|9ul9cDdv1i(LFm
z@ZO89*h#Sw`8_)?xEFl(%$_FKRU;K{n4R9<Z(Kxi$dk&RY!oS5GFfYqS)*m17&%>3
z=}OMTB*2M?Xj(e^<S`4S8(g@P67DU|IHk6W<VIfc1{ngJMy|_<=&P3TP*HJFa^*~j
zs0*u^`oSeP=E@{iY7;g0x;Ok^GeRuUT5Ebjkn1#1{_WzQ6MX~TsZM%^DOLy)bAM&^
zaF~J^R+99Ej9N;Gh%%WoMBRvPRr!!tzL5*8kjBwp_*@c?`FWCL9cfHLQO$$2bHEXH
zbg*m+{foHnK<4z_WwaT|5>Hy{hCEy(&omb(qC3virU-pT)Fso+6Q#{4W=h>3A}z0n
zG@s?iiyF7~dv@WCzs%<-a2YRleaupSoUr}eq<uOKq@TG0dD}|-RI+Gurs^ce`AO6=
zV!SPqJgBo0SM~y?IphCuY}Ibw!pZrS>TO!y)yuJ!z;%1kuGhMp&|rZ;AimNg=u=|8
zt=BDZ!6?EA)=;*HpSgVe0}#yHM60k~Y;FQfSf&%8)ynTCs?@#2Dao@%H?2V}%?l}!
zF3Nj~^C03EN-nlZM6iJ;y%nZNb4sp9YpSySQ2&$5bys4T*~=MN>k70JKj-a~R|;Z#
zL>KlTkPF_S9Lu)pw+kv{wYC#q(wWz@!LzdJpkyD+$h{s)mtv!rW2HVFZubbmgzxPI
z{Ul;rL=AQ+h7qgaJh%&mXi>k%{sQDTkJ7c2O6lq0Jf0&CzCSydj(=1Xc!-k+ZKlaY
z$DTFBPnM!&4(c*K9YK0E#^yOrvFOh*z>OA=Y_igS+hv1i!fia6uXpwD^MU?ljD_^#
zkLZDUY#QL%pvY0jp_Dcx6ubNhMMD{02Q@ESK}0V$lKzVxIw8%lm=B>KV{ILduTzC4
zZ#c5tTwFZWWG%E9dNL!jKt66BSFWSBt8KfOW7A?`zhAM)I>yH3x-Xb+n}DFE>0+iC
zhjpdl>As+M^E`7Lnk&53<3v2Bqo$tU-+bVPwKSM_sPKdSEKSJbfeHGXPsYkxt3Ugh
z^)!DGk#qxOOcdL~bmmj-7i~dNKQV}m(bRCRN#qDX)~miDPc`XS&=?N7R^fSAZj1{P
z#gu}5y_vg|UFV$*mfUkAq0H;_swb3pm_R@^0?YtJIe)D|XPBvqKv{2#7E7PxSI2Lz
zbg4;Pxe|ok-v;o9QE~Uh+4sdU_hM)oBo{c9q}JjiLk=@H_U;whd~WAm(+~UoS=#xW
zl(1s*pYq9l>Bsh8h#9?_8)j{RPhrC!%_kQqt84MASylv`8XfaClr#w?AJmN$8MQ8H
z5F1tu_f86{p-yJL{+!HRpA{6z>kj0V_uQ=z(kUx-?M;lB2ys{E*SmZu!rMTbuseKB
z`Z1ce-t%UqcTZopp#<=|7sS#PdQ~!I>oD&UBc()?-xqlOO}`hTcHo+oz93d0q}LTP
zcNX7RJQNN%z|tCU1F|ea(N6Oz@~<aJHbu-X{nJ)cbe-_YRQTGh+T+(!XlyP<<^Kq`
z6?qYtKpRK-wKeO&WgR!{yY2tT6iNSGA!~W653;dX*Rw&tQ%fb(i3gDg=LUlI*Iad0
z?O3|%SolilCqK#Ec*F{GeK;jTla=+IMc;a{m>fZ%G3jkaZJQ}&9$g3@-i)x5gp*OO
z`6*_@2CG?$Iz}_rpkG?W)Z_=>LyE^aw5mKR-da4@g(KGE+>)Qhs{2SvWIcN}Of))s
zwZd+_vE0?bJ^f&`fb2s}UTOX{m7Vy&*MQbcaCI8grrPUccv5X*i@1ii7_e3I-`E>z
z<l<^8#p;VhXXCg=p0lmbqRDWABT%@|ntg;A4_Z5{l82?1Nusl$n7+BIdlZ&R11`O>
zNh^)6d-TM`t2s0qKdR0ST2Px`a+8>uU%E*QvDY%J1<Iwhj#30RfzXh%)P4dHTaL&u
z4bn3r#gwYCM}IBr*3ES-u~^b(aLl6bc7mI_anrcaRG&8e8sTNef;J}`qI&hb=~`-2
zN9$S>OQa6v{<&##S(nVBIDJKyS%fD`=Xq)erW^{h)SgWK#n4%neD4KS<4cY7_eVo(
zP!rXg)<-sK#Db=^azsQUbxMs@7|YV>WC+MV1P%+hJR^PV`diqzxmA66-FaP6)X7gI
z;U=*praP{C!D$6uo0XW}4vSU~iu>|OxEy+)i_liUw3a5(d5}|JjE>@{*$d$R_Is*4
zWJm(XP0&7H{QPMDxMmdYOrKF$hKIf|S_=JSO$#BRD^4=a0UMIP^k2Vhf71A9iyHp5
zfnyA-$uC|1Mx-`uaGS$fSxa2ck%B1aQK{L!#e`%u&~+7@&Jky>moj49>lepo1QCH>
zj+W!x{_+<-U9oo>9e+dXe1i+@!G3Nt=5!bKC_%Bh>6Dk%%F%DB3=jW|!0bb4=vVx4
zY!<SAAdOSVo$wGk&&<gk@5eD1f*594L9__8B|^RDwe0%BX=){dx3OKD&w7R_7NW&x
zECC2&;MNw_>MbLq=NTdH-5k~z=gQ!fO*e(oc6?E8g9S1Gqa}_^`H%<Zv+>JNo7O_^
zZ5os;*YmK|*WB7C$U78r2BNpf81@JX)_r)Sq&aiuD~M;{-hgE)eyh!nzTd`0#X7ZY
zDldcuw|by&UXmI;&#*##5R=rKY#=Lk93yTFlxCtNk|UW0ydMP?8b?%Xl)b{`*EJ~o
zxa+r=^?W&d^tr58kZ>(q4<m;SOz5H8W9{raPhda7_e1mNvnZzpcFv|Di#EW|zu%@s
zsF&0;66LJcgzx=ixd<kvV{!hOY&`*Gj&zz$_|!f%2&Z)oobGwxN&MgR)-WiGZ7>*B
zU4A5m<BD7UdCv8zyGgWE)Mz~Gqc;l9V15j=eJ+uqlXl{WEU=F~j$_XS+$SSjdyywm
zE$La%+nY2!x~Y|5E~9E3@4T8P?oU|9<o=nH7s*g9W58G1k;x7b&`q=DK1GisPM<>t
zw46-tRCCmp3_?3qN9T%6=-tv6%7KcsDoWvNlAggifV0cuU@0|J2RL-%kfQ<*($STI
zDJg9x&*~s;rrlR7rZEUyd;C?@-#keN-C#=fI6MLxLb;%3!mOb%Xsa&{fnxuT+Z=W9
zeAND#wKTvQ8}M2Yy1;3z3FT*JGGp0YhPF6iwot+@oi3|xRW<gf0wtrxXwYBig%V_(
z<PKkTZgpv^@8XxdMM;(my+w(O>5|hJbHnS*@UVM9k^-;NqQE;XZ{X3xOc0;y^m-fB
zz2CvVeRIJfpWNwN#1pZy@=xk7Ju&Ti2m2V2<$y}Tp)1NLAFi(-ZeEgpgHeLl^8~lm
zX7(Yzauk9sx)wRmxJTcdVfJIXb%TAfNQ$H|)zU_6n`2@M5Jp7}Q`+1gY!<*9(VJe}
zEz1^16ne)aGzBDnDYAzfV6LwE^IMeva$6nyvGSXzGF3T|gl3QzEl7KzSqi2tsDX0C
z?JXb&0W=F!!xkCyn$@Bt!J4x63H!=;-9deenZwYPju`F2eI=)H;|M=$-l!+(jwQD?
z8^Mhyn_s)@;8M3z__n-Vm0Q)qd^W|dbG>MJ9k`kHIwcZ4K`;mWXe8ad&JtCjVNpZz
ztl4*=O{+H`98G2HKe8}N+(Ps*U)r2#0}a)1pn=B;Pr37R$}eu6igq=HLtuN1_G+pG
zmFUx|c4}6tT;*13<H){JY5pjC?!WI0?o-Ew_rBz;ZNS`oy4F(O4hx)^!{<A-P4%5~
zEGIP}Q~#TN{`6rWi<nyEW+Uabp^YDNpUcfgs}Vis>+LyJ%IKaD%uaqCX|1VOrzrHJ
zq_}-;MjXT7S{4l}of1Wxr;@0Fg2$lTJg(jGV{5LikRzkQt!P?J<ZI|5D(dW_l?-CB
zMe;jz_7rrpy2pwtNxdoBzuk@R`-;O%fZ+jM!f07;TTjdUfZwH|z2-L3IfHS)LJSw`
z#t#7(dzE0Mi{MY27{~am|I@BwZQtkx`s*5k5?3m*3I?Mh*9p0*A6u68oROye;#~HX
zU8=vtQF?8If>k6kF{Xc=9Zbo*q}}{w)RAL7=q@L{%wg^l?i$rpnJ26I_uSzDD^j)O
z2B*-bM`Q5wV3r=u^!LDCol-zKAyFl}yif{1Ua1)@2FvE26`6$DMb&Zo`v63Et&lq5
zg2}MkLu(UQ7)z1o@Q7OwOg#%)Kb^H5D<!H6ZvwZ7=FNte_h%cM--_Nzkq-Ov+j*p(
z2FF{#8l?~S7|!sbeKJekxw?c`AkNJN;onS6_Kzz31drdpQqW-{U=Zgu(|d=|m$_ZN
zN)uGEw9wKBn1@3D$~4v=D2gx<Uu=n%>T3d~r8O(o&VD@zDI8X9IBB?DoXczTv7lOq
zZ_AnB(bcMiLS-a7hUJTCbxP?ZND|<XUPFn_*$+2I@FV;}VtAm-r7Ouz+(bhZIdf-u
zqw`YJ1glx0ucS3HL>D`&umW#oPO9(1g4L|o$Fg~mJs^%-Yy4oN_A8GbXcn+BSAi{U
z=l6guEorPTcT9t!&C>9_*7yaD-V$clA$zShc~qfo$6er7ehi~H&|`buZ006zSAE`V
zdtGnZDq(*txy4=iE^3p+V%{as7Nu6|;kaQj>0G6OEd9%dO6<M>r%ZI^BX!@y$3up{
z_m2Pu;9-OTYn4K#qPCoyHDI4Fs7?}oNnrld`*}&PEO|1eWBUoq=v3N)XExmE1gGQ{
zyMP??_yl*7N|;Vx79nb7oizgE1Ki<<=Q5J1C#nb#54C)0D7LE<N$AGj=Prn0*$;_Y
zbDCYld&HMKi2=d-rZKF43|+AaS7XijCQ}6<lRQ?o^v_IRlr68iHwyY|kx_!i5Fy4<
zg4BreFS~Ifb<DIl2>Kf1VZDVX7jDEMIi3pRWq2@X^{P!XR+HpUYef-(#FUU%iz;Z?
zM%Sq0^Dn1%0=%or<oEAR;};WdzV^<;k+*(*aSBsP+DzP#*^SAD@r_M>T3Gn&tLtqp
zv_#*1Sea1*ayCzepf7gV!+|lm>R--86{XcRr*9_ft8M6XJ~kUyp>K+@Zk;=e=Aq{(
zFyfYZ!pX7;ltlV+h))F<O+UUfEt#r+Z)$(e796jZieEHE7a-;**~l_`Qq&hXvU9R*
zmPOkcw~r^A3<0VdP}N98O_=PD*UN9><ta;tC0W<OkWVL`z;{(981Cg(33r1v9P``@
z+IMD9JpVMH!D|>Bh`DJ9`v@8DX)5)XIO!9IxO<-0ihp8!cI3mY(YXFDr{$M7(UY$-
zt~HWJ!hsn(<A7U_WJ!@M9XE5-*wkgmo1mcJ`J_HpD%QD{^|Gem%2{JUyQ6ot@tr98
zrpAX@OOot{mTCS*O6iFizOt1WzEZY0yQCr{LgjwTsXo@AWycYrc&ZPuv5Wya-}-U<
z7VYXLB|#6<Ghmg{4E$^GGlNwyDPgWCPyxOqLKSJTexdH?1yy*8jmJ8S3~2+uFkN{$
zb+P4rIp&9XIKt7NqFMe&MLGYwjIz>Ny;9rcCCf|wiBp0>(IL{Em=Dv`ln_q?UR()Z
zET+B&FdAnjwPrf<*f0J@6g$1#t}^z2Rz$%9n;7%Cnp_;mWjfE~#S{9Pnc>$C8nb0}
zI1wTu${*^IWa9NTW{EW#6T*E%$d(6A;0JfC#$H{4Y|N^i)JJv>Zg;$D*ym}=rDcmE
zccXipL71&lxGxPTx}?_Hf081)n0|7fzNY&GYtL!6t}~DnYzL`1EQD*-Z5cj@tiZfZ
z_;8pY4p3HSuC8xA<etdNs!63xR8~gXC<pAr!yfU)xWng7j;jT3RJ&08tZ)7f*p+q>
z7I0S?up^_FF$vNi$F5Ri?zb9#7G68kiS@KG;vI2Lj!vawuFt0B9&uNKhiDnQ5@G*6
z3lfcEaMytdheLXYqq1W!BKYd7SA_MO|HpUC>K9|A$olH`?PJ!adIT)*v*70ATnkw1
z6Wocb;rN>PnNf<)`dekpn(;+H<*QbQLs3I0H{YE_vFEPQkKi(U^!1LGXW(KD5M$e}
zna-jW($=c=-TPA4(tlS?uE?Exr*oQ&$4AYgV=@IkL$?3lD-yTMieb97w!KdW$AA?U
zfH_`9&rXGxK&EMQpa2tx<d)8*`ril{G+0z2YW)7yVAQ-K@v%d5^LaDBwg=(m<CEPg
zZV%?VRqq9reeUITqHbRNx{UL3ebgxnE=7&C26rJ_Xx3GbU{;peE=_tW^^N7u=UDGH
z4;cFM(VjEb5L51xQRr5KRw%4FfHo0NCc>Yh!rY>?5(m?1YGq7~qlBzgk;GI+!mUhW
zZDEI4y+XBI;(`snxjLmdBlOIq+saU`x2s?uWmY~w*4bGZr3XT46+}>)oh38eRbt%Y
zHjQm#0|)EfQ3s8&TZKvSJAK%(S*i?k%(~&wlZOsdqs;RH92B~mGmhfzXL@6$xuP?2
zEfz2o7l>^n^$WN`d;8Y<uH05tuu&oZaru5LvWf6o;pe~Xp7-4IKE~omE3j^EoVGHn
zNyb)xXOr)nZNf`**qIV*UlP)w6(alj;bKQ<_exi;^9tY6K>rB2VTm;;^A~&cUT_mK
zLhpFLU@M2^-V7NMNrD=5?nwYv!q(I|8Cw}PJoGJHWC<s)&oS0Du{&JLN)ki?mp}|u
zKEYmgr{LAyqTh4&l2_}+gM8OgKE^~Oas@nhv=SEk#5FW8hdoTf!lOj%DcP9a_`nw-
zhz1Gbi^?G9leB4awmK!2!L~wo9pUsmGSzh4Mqi4;Ky8h=v9G6Y>&H8r%kjj?>R?QX
zI>J77@R<mspN@{amb#&D;xG^Lb+i5o?)QdK8~ZZqJcjbT->9g?w~1K~gN=*}xKb`n
zru;e!u*})KX%M=T1eJsjuV&+WuY*%?kS02mWt<T5BcGLa@ikfWn8k-^Ev0V1d#~^`
zctxvI7+Ar-kR&XvE-@<!ayxYue&ZtkfaOh{?YjJhC&QPwe<>K$OSLganl6A#XKGTs
zLtq#yQgk|h;l-$;zK4>tbJJnyWz|s&Ra|ssJqS`7{gwRLA<^TM-_Q|nW02DMcT$5M
z2s7_nw}a^7g_Z4+O)gX#?KyGrb2D&dzvzpKqZl<>ak{u(nw{{WT%u;W7Wuxx-plJP
zv{ol^V}8AF;z(H4lPEr%<WQbwp79%J2E<7|uTS{EY|5c%w285MRQQ1^{oJRZ)CqwV
zyT6N|A}s|ZuPQ6{hM(YT)A!y5O%8!(Zf3)KBra~XMraj|Dh`(YFK=u=*w^1S%&7tr
z^JEG#Slr0QG4w{xoQ8IK?r9O7R(w?)Uz3%Ek{yFOcjfXgOSld=2=zG&xc0}o21f2e
zC5jJA=1u#Z`p*;F^T(FV*4s8u@00Lq>($q@So+Rx>(R5<8v0EN5_xm5Z@TGKf>1Zp
z_RAsQb>>xRRl?MJKH-mT@md3^v}Rc$<#~ks;z(@y1)F?`2THlQ%mO@~n92BfW__CS
zSGe#MRX@;<+l1kLLm9KKquM_T8<uVm_)Nv4k!vE?E$v;}tp$h8m-F|qXf0<M1rpm%
z0m4{N>sj^n2n??!n;=TJ`x{R#0=ZX6uTq7)<!KWkz)r5fpxslx4|PoZLC!G7nck$k
zE9oxv_0&cV&k(g+`~h~_A?}bIu5jA5*O4}2hj?QhV={Izp8}imRJDx}TxJ^_d^?kA
zkvbS;d&@8NDGGH^YwSq3B<7vIa<5HOf#8<feLW2|^#Rg(tCsELp9RCw!85qSf=xdq
zjR@C&xESRr8<-}VO5yz=hacR9s@9qi*u@k$Hsd1joY;c<a0Ssakk##ekaEQOw$D^a
zOWu1wAo<Owa=^AHFLwyla@X1qH&3BDscMpBV?3zb&x#F%VFKH4wvH1bx-)JL8V%M#
zedXfB;N2CrKKDgFJOYN{+#wBb{~<_>VdRx|M7Y~D!NI~WZTopw*Z>{suE-1dDz6#4
zFZHY=I}0)xRd7nb-K*~MX$n`nbic?yB@l|y#<0JI^aql0hMJD)o<d1xcG#(Q*|Um_
z=4T5-O4ZNQ3(tlv8+ac?HapaBZu*W>i%vlg44!PeL~&9BqZHoD+R?=3d1l0?j#B%?
zYUAs1A)cSa?c=5Sd_s1E%-QpGfn@uZH6iEc!ojrj1m!V(vfaz<dv2QmYDS{;J(EC)
z^s>u{Atb)BDQ3DjgbDQP*3YOrL)mC3tSMu9RxgQT4GtCdDn4iRQMPRX`zdqz7ydix
z$Km2zlekxmbNtJtNRK+?Q+;y}(cs>RyT4H1%!4w-AC93EqOaC)v*Bk6EM3$cUkq@!
zhHZ$gN&Dc*z{}ZnUtBl_hV3wdWHL-Y=;4^7H?oh0&`Z<?;z0(Cd9IN=8k}=OpD5%W
zwnbOy_id(U9wxsOsNTT+)$lu|P<;xoFY7B{`p9V#ACu<J54SYZv%pq|f`et0bo>Fi
zbo>o2oO(LWeU9s<*uF$Iso{f&kf+~~*F@tD)!|$%==GEdms!K;9Ohi+$Rh-jFNZ@&
z*lYBtzwGm=L^TtgTjEM`C<>0?BHWf}iz5U-ZOq~K$zs|=nI5bE1zqJ66`S&iGSfSA
z7Y^kgvyX-R1u_Ur{P6;}OE~a7aEFil#W{#d{Gl2;`oo-y5@@bICS>Uqgq!@)SSrq$
ziWqTZel&UT5p7bl#}(Q55&b9WBO1*dh;>~GzjgW1c*Xy)MR)WjKPK`P1ku&EO*}IT
z#W^`k$t@7c3*Q^`AnYd|O9I5w>>{<+OPU#OI4ILZD+Jl3v*<Eu&WS^2MX!wya=iDy
zu*9&w6*EiSEr7i2*7>p6pEl2*?*_6*QuK>!)~fy~@s`=JCcs}WtX;hSxTwM)yox^D
zBhRzIU1<9EAY4c9GX|xK??sWpDD;3p=h)|xj;77J)_LsI!v@4DdSG`o+=z@!QL;#W
z>K=x`$MD9wKi+k+dMlt<d3Vk0>e&DLr5Jmy2oL_re#{-i`ji~dol*rZ)h+!6hP&Q|
z#6g@-QFr{qn}Qi2e^kXzvVzvtL@qZ@j9LpR#<lr%2W-3yfeTSk>qR=R?QVHi)*6aW
z-b7ucD|&PmAb)JFf5s)<WgGH)-M#Au^Ra6|#F^>i#~pY!Og9*@Noe-@BGLC4t(qxG
zxxCuI(kTTyrtzk^``&n{8lm-UNu6hw>$!xopS<e^w@64BOGU1Ks%iItiITF)zx0=7
zQ#fwYI@8WGC3=nO)5r2Hbz{=f=85I^y~1S1=hNbGlZ}Ud%m%@G^U^<|2#Ec49!Vb^
zY8FIsy#=$;9^!fp$KCvjaspKwhA+RFLt)DS#jg5FPr~h+CR$Bz)@KAONoGk`U$C&E
zW;{3dr<%+l!tY7ujHUV8?`4p(;pvE>761Lko+UenBjHpl^+GV=R^ICJmCQo$w&b3?
zaLaM4^_sIsRAb^&@7D+&At?iMNxVLp*AQtWz7UOAT=er}biw6aZ?o1dm+}1B8dvw~
zGUD7ufNM47A~y>o<D!;#zN_x_C~V}~SWQk2o`}-$$#mq|Tx?E`E(ueJB8djPt#lGQ
z7bmv+v;cgUYrwA5M+=->`oAj=W0oT{5mc2zv*K)e=tyX@@-{v)3*=vhJk`8sEeB<p
zIccZp%uwm>&QK9|S5>=emmPHMo#h7+PmkBEgfMv<oy|Zm>s))y&if$|l2f>_V}YTj
zl7N+Wp&paA5SB7enesv$EJ9+ap7|>k6=!JU;B?dlu7(R5hDrPI!!$y#FwML?<kZIy
zFGdzJa|X=*-=k+R7YtRO^(w3qlR|4I7WB!nV^6@G`=JbxOP2Jfuocn~Z-5st;o%|7
zED@C~u9P()iz``x;HCaMgk5()Ae`nBgHxW0=T90HX9L9D15^#Ku!9}+H+R2w+Mz|j
zo-MIX1^GLHfzJ0Io!Z^{k1u@)UI^bW=-4dJ!3^tf=-1qP-`D8@->=MnU4*A&J^3i^
zPgvK}E7I4~B^%^9c#>}5^9a|Bl@Lh=&Ju}OaSJrpb0uP67wd8&(l&;;f=X{*{wbQ;
zZei~yzsDUrb^P5kmzQoD`qXG`C$w)CCn8O|ck?CadhA5{@<*|RgjRXINwdmni=MBx
z_T2uaKx%IgrvoS9bN;$M1oErI%0?sQz~$r|PLj&!Pjq9+AliAd3oODgwJ7ZK3m%#j
zwq*yyator0%D6itIDz#VDtSwn1a+=|No3~d=YXWpw|(lFurTFPv*ZM+-G~L<)P(E|
z*$@Q7bw(k}lv(p;t)Zn*nP7}`HgZ+YuVv48En4QJc|r&b=<n9sl3Gnyji;<|A4}V}
zaH#06?mG;7Bf1kQ)T3Rh;43~+pw^%FH@jEGY;a=FvX4&Y=eD)GCX@X36}u8gHLdO2
zWL$Eo#QJ4TPUP^fe<@I<LNC2qrT-Ss9`hZIL1b)|=~u4;0RpfYFy7+5RC8pYSNs}2
za~;F!yt?bDUAoKE?rIMll7OW5c}P)i@0Q9}peU>6nRczgpBLKEi2(kUCO!BgW*-kP
zg==p1sgV^@*-?-w=3!p&X$K)WfKyLVsV6gJ+}BmBvxQ7~8@o~6qA`#6!|>=<`z#z|
zG2pj*+Q@2SJqix(@P_NY=#KF$*cAI9xOk=f;tc>|`q{^nQEz99fcN*c!V^#Ppl%9%
z3&X>%)O1yM<#nQ2{SZ-y4EIob+O@8Gk_Fgn&^(?IghOhlNAdO|tqhDFxmJT@SFLW+
zE-MnfX+eVGtSoaQ+i$Ap;6&rMy8cA=(ShQ`?$N~*{kgvd+w;FwNmd^dbeHJgYyM0^
z_`b;T#&IZKR`ZCc#Wr#Lyo{Oc?;swIS>&g}PNpf52uPaR4eBnTzaWW$p(6&30+&_I
zr!m4wQxo5zSsw|v<Fs*X(ki%_Qw(EZty5e{^XjlYi*KkiB`t9@4^$4iDJ{$?YnLlk
z8tloR2>p80G`|if0qdA2OY>;GT1UMv=_>i9tKRBNV<~a`i2H^*j$R+pY|Q5Ur_M?}
z0pH5#(jWDqeO;pl&H~+8GO_Gw?e`DPjloINE|xvnb&O-WRgtq7lhLg^iH=%6H%irr
zu)*fqJi45JwRsbY;H}OJzajw?fy6YKtbBs;pSIBkpQ&ORi`?QU^Gj=pe^bUI*QU-=
zh?Fgj6$s}V>s2=X7h`W3Tesf@4K@uo^iLYbh8Y@WW^S0%Ff-!~Gcz+Y-7qsV-!L=X
zFm9iHrTw&8?FU<yWgX4WwvMdv%p5-fj--3r$`}AqZDad`OsHHAsc$Mj+tLC{^85;Z
z$fUEvjPtPIlYuZE$xdjqeK|{5B6{Zsopob<(-g-~Rlr-9B*Q?%dKvSHks^GaKm>d7
z%zE3L8OOLWR#VfD8M@q0QX*1^PrH=yq9JBJmS2AU-yjDo(_FPE$8$(umQESGe)2dD
z@Z$ehl{JT*L&YoU{-(znP?XjRLI2Bf&SlfeJ$S;kQpY7$n8EESdb)^hjt$<ZTcy5o
zWs6SPy`-IY7KMHI0y00lJiWX1E@fGgs?*kULu`E+*#<!*m&pk<WMlN<PtUJr9Wh!h
z3sRfWHY&jx^85O&ESp3NrDl^qvh~8JY1L;3#(jTO@&x;Sg%WL$s#nfkH_fF<yA;X!
zTtTy8WK{P&arwe*c_r~g#;}yb5i!Da{-cO=?6)Q!1K?4K!lp6w)XF1OV>Q+Z>C}t_
zBm11VQYb{~qy|wr60eLn&Jkz5-rp|oMsW-EAz6SIr0*g?^>KIw?1zP`qM)rNgJ#w9
zX|o1-UP_U|PuSO_U~R^FEafJ6%cYzcFxtskJilf-6Y&!%GbuorV9L$&nq?$FKA9KI
zwoT$v?tx5v+i?gQ2Vnn}!&fgyw9f1OVj>}7flt!Rf#jgB%pbXCsr9>`0-|R!acvYX
z7hVg;PyFF`Wl5I-h4i92lzr9;LU*04eAw)%ZQSu6n(5&13gKez?CLd@;={FrYEcfN
zX70W0IX3cGHYMj$C-%(c-MjR;!c>X~+{_v4+f183jii?xr|-dnod<us!e&F$gp+Am
zlE7}q!qtug?!%gk%44}Qek2u%)F`wE-0F)*_u4?|<e|)a&K4y;9U;RODd&p{PxnHB
ztu-=<Ovj^4r+(Wc9UpaRhU9S*W$F~FT<-|xeNyYl;~DaOF-N-u_sC&znlLf$?5JUk
zGb;d?BF?#PVXE8{cIG%L3&W0#)W^bLr-#<)t=+&<B*M#GWv9)Giz0tlk=?752^=b7
zH+RDIDiJ7QxQ~5p_C3s6cIv6y6+R^Q2L=YKm4+Xq&}fItuey20tb(R)HrkS%UooDv
zg;?=7NfE0}aXS)i8lTuLFP0B8xNn<1|LD8hJDmp5is&Z(4l7Ebes+n!J2DQX2czEa
ztaclGX)}zB!P|V+1gakRqX#EKzFoY&u2%`(4Gy*f%{qy~o<mPJ7)6(@b`q_wC?RCj
zFdOJhqD{Pf;~9E9m=gRPe~g+SLw_%k<X!C`CYmX$=9l5kT!IR5eL%S)ywUXs!nT<x
ztD7j-evR7amXey{rD5al|92e3^~gikU86t}AScR&AXU;aV2)yl>QbZ}*6_!OCH^r-
z%6Zp^=?%9DIdE)C%(I^siwXsWV2o3ac_^6PM&qi~FGWAD%}x9QoT>$^N}vwEhaQ$H
zI7|(*rHX4wvcVnWIhJ;9>pVmb)=9q^O61-rfSD-9)jzgoXktgqNN!|204Sr9aFv2#
zSDrm%QFMIVd}bE$FVfqC*6UoA@RonerfN*+I?#OrI#|vKV(BhJxLvJJpHYz=Di%mP
z@wUWx+z4!cj{mcu^4p~TsQODxO<Vj^{Iz|yFW4k6pGh(NG?GI75Mn8=P)!hH(wsO*
z7%f>?ZKwn$y__7=b0yp?x9hFWd!om8C(?~5S)fuV^Uu=Pp1M_T1>fP9g5gSl+Z}#q
zB2-mvjKL>J%#kdN8i8GGhRN^LshZYY?7?GN?9#yjUrzeMp~@{i_$4CkDCHHqc{=*~
z%0ZY?dHg>mk>{uAO+KxC0&#Hk3gEyX34cwC_t!nEE-&iB`hpP4w(r@~`~CEV=12Eg
zrk8C`EFkSf!Xb`hrmy4l*M1QjrJ78!i;+Qg8Hox)N*<lYYGju5zwr-~e$mK(8~P0+
zSU<%<!jrsO_Y*d6Y^E){%aW7lM0+NVYacfwUR}0uT&~!5KPa9qMkg~4j~u4tR$j!#
zVRQ((upU!k-Ee<dL@nXocp@G?KbN%>D&Aqzq|WHQEgMTnBvi$YNb<AlC<JzK-O{{R
zOpip}I#biBkq(~glrUa&4(_==3tQ3nKaVyWy3Vs<!eLZiPKWU&ft$Q?BRmsKJ0z;%
zU2V>;H@UFy*Qf7f?_U%2oGOP=C10|5@>Wp3f3Ya83=ELBG1%@R8uI7v{jeVS>pxwt
z5YJW9%U(6I=1IF$r(Cl(Os3qtxDrl*DHoX;26G3ZoUb_>X0SG-Ns>Z5o$VLlr9li@
z-_KFGlMAo$9!iqYe0PZMu$wudB>;txrm$+HmDo52Gp=A&OuBH+J{1T>gNW+M3KM}~
zr!{wlj%C71C};N?+Ig4akVpRcS$tdb7@*Dt3W@_)`x#RGP1nY}Edo1FW*+?CQh(?;
zcr6AvtNe4JRFxk?vO!cs3KpbRG|Yvx#>gQpY9)7S-G^%F`1yI;C+t?w{*B@+^1zl(
zc8|k{P<Law7w7Tu^(2V=_i`+qp*hhqbLEUnc^B%68Cz_NIroL30&@PX-M7Vk1whn(
zxom18t`yH8pJG;HK-Yb;7_@55f2zUJtj*KYh~*mgbkUqCoYA9>m2yYo&FvrmWoet$
z%AIbYf|BPXU3wv_SDmQ3T;1TQ*A<HeP8{6%@8F0Cxx9WcaWn61B!RTfGXL;0IjYsZ
zoyovX<3x|M+lcDR+f7l8m{Pp*aH_#tAdh(8bc7>uN0GSTfAI9p6t`yW41NmTfT{G1
zU7$&!wi$OGxU>932;@Ujp>$^R#~!fe-&Wz|j{pHgCGHbw(}46{@`#^Yk~IRtwLL0j
zA8;$N6W{-(2JEz5@IwjE?ezPE>EGGBZ?2j##oAn{-^w(<;X!$0@2fj~{{)%vhgfOB
zF`Rn&Rfsp}?LqEvxnpLv)%XH5QHH*RZ_d{q#3H`1`nLOP7!}_+pnCjwYJch<Lq4}1
z8{Lb?XruPP|2@(V#b)RY#%4IM>~%s^P{Kdiy@uc)<Rn+Ap~N?QN8MNd`JOuAO}}EF
zz>mGW#cYv^7EQme06Qd+dP^yGyJhk&rPLXEE0Oob7&N_1@ruJxlKT=gc+b)q{`ofM
zq@8&J;2BC?0C4<ohc)z1#EkWP^DQ5Y5wK0=zpc_E(4Ny&DYvmjkp)ygIByqUhaG;#
zA$M-3w__yAe{OiZvyEW1V!ST+cUUkJ=L!r5(GF{R0Z`mitqH(mhh+*^tUEaWqqQQw
za10~a-r-wgb2<v+1%4@f!roAo3M_MO0pOp{1MIH7hlwn5iQ2v>r8@4*D&qzG00Dd1
z(eDuN+2|;&cd$3G)K_NjsLzkzJz_&%y^NnLq1+s|(Yv+}`A4mayc4U4wkUT_wEX2m
zw#9ErCtl6s0De1{_gzdxlpc)oG-gRi?*Buv?-1X69lTBF%jgIC2Af;<-1Ti5zI(o_
zNmYqo#r4Y$0{KaTU}E@`gIZ6EUA{-~_MpMx)gyv3<<<ZW3~>S=I&YEV+@JaCedEJ3
zgf8n0uE^Q!_l9~NS@lK_ehJG8rsY~@+!{D4rrL$&2RN61jkT~%a{Mu;Y!g<i`pU`v
zLf``UeDJ<~aI=5yfbH^+_b;9vz&*srcK>Aq2u|K`Gu;Z(5Q6wmDrs|iq`Y%7{lWTV
z-WJ7XgvQR7W_KC(A^dJ}bL9L0HXa2)?JN`5=4fi}GN9Jn=&n7U@vF~whNbP_DWbY<
zCs|*PyTi8!*NN?k0~bg$;}Npy?M3$-8AyF!@+iphRDhXxTS9cEc=sgZZE!RZs=7u;
zr?n32-JwF2?gN+{RsVC)*UogmD4wy$w5K*#A?*3iYWd1*_1XMj;sx#4PK$fye)Ycv
zqY0{h;O~vz8`NH|5I2?$N`F|f*1+8ssht+d9lPXSJIvj4Y~KzjUn|n-p5dD)I6&4e
zJnARSfDxLfFU}aAJ>-Cds5{4i51M=2?%vxrh5t5*e~;?-9!*0&CGjDc|5ZlanzGM@
zA~bG&{``NhJAQ*b1UCM_Fg(v@cB4K0f)BvM<`-Tu(I@?1W$e=PRv?mloZi==$$1Be
z>a*D7nI37S6!)e@=^f-piFcDp{fXCG*x-WLqx-!lc~1bMbMPNl#G$XC(_JDn_kcZp
zSnmKp^6u{dj@qA$NxdkF?-;!k4GtmtWLh&JtDenK);f3tNQgubSw{b7Es8-r*uI%i
zzL8L$YVhx-5kGSg^1uEAz0D2(Z^7Tp&dvX&nRxPHJL1^>eTLh?ALzijO6(0J+333g
zk=<yM-Ly#Wa75nxA4I@^ys3%1Y|#I6|3V@!QLv<UU`3xf2N==T_=G2~{=jrd{C`3~
z?T*=Pk=bcs-+Qk_jQzvw%^hPzvewy*lAK~+f-(p<egEBc>({@B3hCP2aoTB@3>KR6
zkXU#Dsc``&XpXnr$6qqVj#t>Sdwi0?E$lgz@21CMo+5|N_#;B~9_B=&LLn2v=&=S_
zQxi59okGqzQ!^LdZVMjUG{=Dj;FuC{OSR)?it2QaOEQ=va=O-v8}LSRY-htebL8fl
zGX-{VXWV%**#Aq!J$Xa!@gFH?BEtV&W(@ZKCmwIJ<Mb?4!~W&Cv^ugD^$Vn%zuG-!
zLt#+FZwaAEq<#WQGD<RNNBch2;u$tng0VZ6&9^zGo?`_ZKVTNdX9r@%hIMm3{fuSP
zi1F|F3S;c##h;LR4D8bywPYO^ul<d*7j@F``skOkgn~#bkIanXAvpKwzxmEdiWo;)
zzwm!!Y#?TdwyhWTrB>%V8%jS#06TtewEe-~VdhqUTMAvDhs29`I7!`m7nIIk%i1-k
zyQK0Y+`}T-2s_!VGyms%myx4$3HtC*n`_{zX@b=(5c2mu6X-mvo2r>@v#u|{vNwFM
zI(zHK3(O|nB)th()C;4FIM)Vh0UPMoTiRs8I<eEJkg%870UL)K#DmTG0Ai1qMzngH
zf@pE$b6g}n|Ir`XV`$&CLS~Qb?i7558A4YZ2d+0*e2!uIBbOJHz45*fj{};8KD~R5
z$%rUNH1lJZw6PXQlwvfV2XPXkTTKA%jX>4q`ku<CT4^6pFNT%pm)rZ48Q){j>wd^y
zvuv*&<6A7D<AL>6_vl>Yqx?U@!|Nn?kL!U??jua3=g`Ozo6#JpG)Z6lhJSJF18avK
z9ji{g^=nT-@j^Z5%HtmMit!zmi>nl-9W|dv-#$M9c`6grhU*?Psq+<*mH+4G2ZVG#
z(A75h2AvR%JlWo|yn(F+<op0@$=J^Vm@J*$WQM){Pm{}$XtpZnz!o+$D2j#Sx?>#c
zZywNmW5jDtz1!@ap~MSMUu-)WI?UCy(6xfdzq9+{UOkKqCTgf^c&>vJVJx?H@`K)>
zVq0D%aNWxzJ*q`JDWsT5Rm}YI*)K4pyx%EzmuC)jKBr-p5dLD{k01f(8=k=`j~~{;
zLHoBM(RYJYasEI;(p4Ko(6?1sIM>LNb_KMHYD5tHDkYpN%RtS6%*nrgBTB<z)WU3y
zupQbx(epzi%0S!yiSfTJ{nqcUeg?3Adwu2EW7td{bH1YZM}5+I@Y1eyQrw2?RD{>i
zt-=;(?@)n#81gu-@|uO@_kFg-L#9m=6fZSRjF(IM-H=b-I{#E2{e1Os<%@hB>Ru6l
z&KKoHX!h9iP{!}|TGg=xs2lNYFv&~6sk212lpk|zosbxA1Ua*sKrye_j=98bHs9E$
zwyju?zPDZxFM*h&F&|kSeQ@?5bt+u%c`yipB}F_;wiHD<3<oUX?s^Fwy?hagT|!CM
zhfX}WQO%4O&G1rGMSC6L6&(~K@QvV{nm`wTM-UX^DlQTk77zG_=4&ejP5*NtBy6S%
zgDMWM%R#+chMn3CC)yO_a6tU^-EjfV&X<2vdv*1*LN0Xh5-{%6dF_TYML93Dyy3n6
ziFE%`&f@9&Hm@v3|B23f4;f8Qfug%?csIE+NAhG=m$?3yeS?0hZ?mZ}5u)n)>}GNw
z_Rib*=uiE<2Xiw{o}O1<3M4$WF{G8GT;RT<bu^;#x;C0Y;e@5FvXyaQe?4@}i+!cq
zb%f<{sQ630QfqaWoQ?S<9MEEY@m0d9Q+lal*UK0}pKLsQz4)+TmcaqL-9S^#5r!!{
zxJhP+SZjS`_)Gv>lU&m-@Xlnspg0au+j>ZCE0Jg^xE*c14D|FnoT5NXjJ2Q<PwRzH
zZ(+U0eWJmY{nF{!y+NS`@}1CA&7rP*rtaQ#FZ)s<z6;N@*-CDV`3^Vru}fQH?n9%C
z>;TcT`Ejp#{*ldr>PBasZDnB-#D~DMU&~=aL6hwS4H_!<W^eaK;s1!y8`*v#7WU#f
z8FhoaY=wD2U$%bE(v__<@W{r3#&aRdn3iN|*EHwyh!t!jN2fI!!ulj)N}{9BZ$Ly(
zO&~5x=Ck+dP`7CWEmgS6b^Ornsrh&nXnwO1=#hrdJxNb>8`UMi^Hee_Ol(u8bnARa
zEYjg&jJSF@VCJgv5a1tU8Sxjmf=b=5InIDq0sG=WzEg;h?4shEtup8Z|B_0(LLs(n
z(#36eW0$NM?QIzZy9*Qq%hbu{oO;fA-?IN8BEdPVnE2^6F3C@Y^Ci3VUlWZpP3U@I
zwJltX+x9Y_X&43Awp!ap{S>{~FCV-HYlqWjbAZ`&Xg(Ta%t3W9#P&pd#p<Td6gk1V
z@k``!wtk&-ROt=la{xTA-*+73BcZ&3<dQ?ign)*`TmCn%fh2Lz-z&&UOwFq~hi$c&
z8H4QJWefe3-~X5Q<D6`DA*+)aay)yBxd~l3@0NW#bB7{nhqcVZlhLC)r@2PYV+!yb
zvCqEW6pYGVj&!NDBpEtQelu@3rtk_|Vw+BQqi{suPtKlNV>I};h31~7W4+eGrRclD
z-w-}jNiHpTEDWv8-9Z-!%3TKw(Vbh#@GK{o8XlpxnRp$ftP5Uj4$PBlh5fFFte6sC
z3h-~#wtv%AjmZkzpe6bmS{S^plu@=-wCJ|pZ%T8#o{&T$2RQP;iudU6>Tg1qm!leQ
zNS^~U@cu|sP}lKGX(pBG1L=!t<ky2D%KIG4X{xMCX&4yEE$ry&VkLb>1dZ`+&K7wc
zZU#k^`qHAXABm?3p4;A<B%0U}(O2_iKfD6B=+OV`{Dm0-qx;xs6s~&?PNZmatto{Y
z!_}M)g5F6F*Y<+(APeg3!Jl{oNgL_2G2PvB?zHMnKqYEbWC%9xtZ^)oWVT6E#-aG`
z5V*DMqkJ~!y6G=CP~!5rj9G1t(6}w;)JzOPub~qqZ;DvMcr>Le|G`Cp=*iybZy<nx
z8RJbwZhw*=%?)v^3ixin@m-xWEvil^HVz$@CGuycY`pPu^@AW_iMEO#eByQu@DAuf
z@-+ChzdRf7>v3sdkn}T0_^Z`#usbU3sYrSjG%fxcudCk{mD3Wx*p3zErHCFiGR;+i
zo}p$FJD5`*kiAteXId+lZ-uWP^ty{I{Wj;;@SE($Q{WyJNs(OT)(UbQE_Br%qDEyK
zeDmacfAz14fKozWZFwH?Zv7k?Y|S<0XabElkp$Dcu^iJg&FA1K;`26D6XHc81yzuE
z0zJ)SI;4%*v=@)^AP731!iH<+B<{L!+wSOjw{cHs?ErUlS<OcG8Tl`PkjUk{6m$|%
zoVjp30#ZkZnl;o<uwDELHK`oOC*Sl)ymLki9pt4AcpGuaEE^hu{-ltSYInp9+$#mJ
zd=Ax(OV-o4T3>+cw3>05!YAJ$uapuok7(Ilw*0T>d!DV^(+o??pUAgk-{iLU6yo?W
z`E6+_)kqO(wYIC=hsl9BO!N)Msmu{g^}v|mE64dc?-t2b4OG--&9oB+*0?rSzg!|+
z9;Uix*W1C~-a$F_ZKs(fb$zE9zLh+nl{h*umu6U8Vg!A(8oT@wH1GHjKM_;GZl|W}
zad5X^K~H-CpPv7k0Q0)xFlqE=nGj_mQ^j4JrCM6_HLyN6xyOOE0_=h2ev#5sxF;kA
z@bU@>ZCR-b6NaDLo!T$!QpC!VSy=Kxnv6B5C_UILH}!bE{k^%G=2wt)V^kV5iK(#}
zK;f+`p-Uy+ESCworN$$9F&!p9U^_Q<RzS2Oul((&{bM`)-ISi<E3@sqtEK0dVO{Ut
z4gRne5v)E_jRjg8JST3ZB3Gcu!1E&U!Np&wrmB9}Lpc2A!Mxv&n4LkPQe_1=!V!nx
z<*&<*s*nAtb+Hk4&>nUAF!*iMiTzIraXmW`4TlAo`u<}k56Ot2V>t14j^MC-_o}<_
zqw{ms&N}$iappDQVP3_8Wvx+kEA+?7T>puK^mM*8Z~b~1rf_@;Sv+~0(23)J@eZO}
z(k!ZQ|K@b(pVhF<J)dYMe>y(R&M|v}NB|(as^C-U>;~L1jlp^s#qjx+2R9{3p{dC|
zasLF}<QL#(paf+~ywGq2#z8c}L3He0$QW+;pYo!$-l_+0+BQ#DH(EW>1&@5a%dmqA
zy%dGFo|;YObDc!oGz+f>%8c|+$yhIT?>@z^zBXCg522|mg6Y|Vl0qwqjYr)+CC3Fe
z1O)Y|5vp22fgT)lprep&t?@8%%CZ>{Z6YYsMuX9$JvX}Z+_jlx05?}ruyGLg*ZSc2
zwLn7|UsJ1l{cg^{z_9{3n({FUN^I=EE!twsRr!((0Q%DNadLwBowE?fxeJn%%ZpA}
zn_j(YOIC8mG1qeHoI#xX9<If1|NT%=CXC_6D^5s_5!o5M-tq~0;~Cj21o8Mjj4!Gv
zT-W*r$GNOHKUq&Bh7Y*{m@~GO^%?hcnzEEe|3nr#;_&y~AV(SbAivJ}%;s>m7(Dnw
z4O*q&1{>kDaAv%XCH?eF49;_HK&zm|rLzc%J6)P*Gz#YJ&b41tu}oe!U36B>@*U{9
zK6tUSm{cnz?r>l_Vu-d_M;?1ti`-VD88rds`uB3WA~EjAcNukeFl*P<1Nq1LctqE+
zgn!TTSIDrgTx!?*M6XvRA5t_Nl~IOVc^|4*Fw_pd9F?!bd9}hYWXxc&<KtrUaxk5j
zg?MsU0NyP@?-|d2KCXH{GkYuzb~EJ0l<ZTdSQ;KrO2*=xMr`kLZg9(@Pxz0Hyj_&q
zvN>_e=TPJ1;$Ej2Y7}&^6i8}Ql}5jhSC~>;7~Bm<3>JqN;e?GzsZ$*|LI?gcwNDTr
z`Z~u0D6Src@xJ7%^BvJnRsxf6;e~rLM!(~X1`LqdvQOCP>L!v81czD;RsKt1qrhn5
zV$^;cQeU)BkCP*=I1?|c%Z5x|DYmv-(x5Yq=KA)qLi=E`BXewCh3mum?;APm0*5yP
zy}VbJB#^@U^4D@uE%e;v5zHFf;PgQ-drb`sU-ap*R+wa6ol71$W$RK}iqJ@UU4p?w
zx0oD@=qmo*e3uN82Rwmfe^Lrm`D0I%eNk<8)l5s+<X2u~?{V4S1!F<l?Aov?fDoKJ
zXZ{OJM{q3q?x|SD@GWPs5R}rS+I$avP4kFN3d5Xp=qO=gG^4Db8sQ%1WUXs2=}KCq
zeO+wi>96e2S%)0-45CVX2ehIk`DcGcsRe%Vz5B1Jss+8XB(`J^-G_b5Vj`6S3X_Rl
zndz#Lx1kiwb%^hXFl|ScUpX3p-9)ty5R_IFYj8W)MeN@g7j6yc#VzX^Hy0|+dq@a!
zmxA@@-9<!)02a3cXYCPyF_sxc0;dRAk00~y8W%VilrX`#Th<xzb9WfLERl3bev0Xs
z2U>mB-YfB>Pu=%Qot;kT7sEW`>GtYw$9_azo~KuvsW~RnF_@mq7<5=8(&b@PvE}dw
zUVeC7q+VfizY-2f_B4G|e1~*I$5RATig=LSQP+8$`>eV7y!sUR!Y!VfaG{r!`Fs{^
zfJ9AG=JN>ZcB}T@Ml`_NiWekx#-f+S#e)MC8`p&pq)g6~O6Px}S<#v$;gXX!TBbmY
zI*vIsjG+96gmS%SNfia9M~hLT3gGzxuCmu4H^=V%S(bFy_>qb(eE4`SmSe_Nw^1M(
zR1xn%IR;k><da*2e4MpO=ZG%DW(!$ju<+MNo4wpo<+?rh#)#!MCA<UbaZod9LaEDu
zr5+jc3eb_c{nc&?zO5#OPJ{X1>yPFtY=eFgofrHkYk?Ez`gT8Zl&wl|%!mlT_5-mk
zi2bfEga`RLFVHK~9ciSAs$9B=rrA+-?@G?CYod3rGz3f|OS>?2JEue_LpfCvQV$12
zD%y4PFfWXKkD=6Tm13k@xva})sb2#9Egt>imY2Oj$q8@!jA;DJrO7eeQ$P0^S~pL|
zo0v<Ov<b_b37PZfsOY!TJkrKlzaZ8(G^tz-H2(e>W~c0Uj#0-egX!X3D&d%Mdj^za
zk{d3#T!!Z?zZr{nSnq8AnRNUkoGQZJhPznM&24*!T&1dp(Gg%aBKFle_oGO5tg^Ab
zXCSVY_gX9qHuL6#{X`eU317p`*sdXoMy)gK#QevB_@~@x;0cNB#xCv##CO`)@Q<&2
z^4Q)b*nbtQH(~1zu%5~DIh;L_ZefkvE@=;aEwAt=Y4eQyrD*Psx{^9eTj8=6Sa`f(
zK%YBux#eDhq5oW`r~t?>KT;lSRRQpCRbHA)(l8W^?-dGjZBNJz>}wM1l!wvA7QvEl
zlFb%Jnf;C;3i{$Q$T6BSy6&P(7CRQ+TxgI)OK7nQbTxm|dtUyTf-)z;wX?sGY;X?j
zD7!PC8{XwZUNc&vlQZ0u4gGGdv$}4n_PC0*)-2_;wgex9RX@yf4-PwZ5@V#x^q7#b
zt6L!c=vKx;8d~|;&UhxNO-e0yc+|Y*&xsWjZu->goh-fEG;y#HypcV&u!`}Yq-YCa
z_p-)$PG<Y0k5xyPZ-*6I6rHt%<xf7`Jy6a*4-TK`nCV7%O&M)>d<E|3g>W!mM6AEv
z;MIcQK7XFb+e>g!Gi&||)ZmrzxJu*Sl6Oi(K+_(mx_j`>z|YG!(egyF$ZVQ8nrlyp
z$tyS80YV6bCT)jwvSf|uuPmxNPrUv3CJUhS2@V!bhKy#I!-U1HwYrOhTiwbV#rrQA
z;hMZz;}5bz2}Ly-Rvnr9kDM*xbDMD|RxkKQL~yjvir|}V`f7*=I3$;j;qzdN3klJQ
zuip2Aksa~p+Ze8)0DN6%85$uLdyvM1;5v2qP*5?p0lb(fdB24_ai_R3t?d~K76;)O
z(SLN5{y9lTV5sIy=UQa}u$0Tldw%_cy4@HWC>(ZDz>D$w{#Y1J+GbV{!Q8bweYY-i
z?0bU3E;aA8g^9Z+GD9&?U7O2>pg2%g{C$#46xOUOVBVvkBHvvOjpo>GozSaJ`+RmB
z$Y3)ABI-DJ97+vIiZi8S#*K~<zpC71`J9&tcvpeUU4h8fyOK+qQNrazdir~fZ`f>M
zSm8P?y4{_k(c$n&m}7e5>?ob#k!JT_FA|249LejL^Ucc^akN|{Lhd8q^R2`-sJOWw
zOGbMHG8TUwh3^o?Z0ww#%TCa#?7FP_0Gw<sVKw7T(2n$YDCosN*$#8gL2{S*iq!Z(
zr3vqiph|a9wNkUQ*%$QbDRi(){Lwl#A@a(iN#qvpEt}+b^x4~q55w&Mp}H72YrK@E
zS%ki^w00eS_5%7;c7IJ&*ehMp(-}*l9K4HTdm(U^`~35K5bTb*2FEdUdGL9di~dik
ztB@Ju`YuvWf5U~6tNj`Nn}I3}>;|t-Jo}uBd8fpaKqQqh_j_yCk?Yy0lZ)#eMYQim
zzb+`h5jJpkcL38}LRc2DlN14K-|=sY1EeW*jr7O}oMv5Mf&;Umd=)x-p`GQtbUf>O
zsc2I}78fa*8FJ&tw@)7Pz`*;FQ*t7RHhHO9@Xt;t@K^C5#m5K?o^tY9TEgP6s5R9f
zdvz&)$dut%&qX8ti1i;X(@1F&1xR1$fez{%D7-s2hbf9_B+l3#FwG}yR<26$e-dFC
zWb|zH#c_WMh%zA#H5eYhg_a>FpsUt?Kd+C*j?z}MCj;(4rGApCn{nV1P9<5}f(7%8
zc&*eq{|Uq98aNhv%1PtLhqFwy#lWLIgzZjF1*+wL^b1+2w3@ao`_946HdklsY-s$<
zznOGgpf@s)ca!6AWqO1txqdcr%%hvEB_Zan84U~uR2}s@*9fy-^XiPb#wH;O)2=2^
zkX15zBR&M?V<r5=&}U7ogyAktIBzHQ)h{yRC4?Iqo*i@5|Gjs;Ji3&u)P%cOST$hk
zwA{V#q|wzxh|!K>Zdc>ANTd4{rW8W^4LM(KCO@$in;OMwPrMuJ%H#l_PEVPpcui^8
zETcHV-3NFxvVfy42mWFhvO@ml&~y}D3G7zuYSy(7!J4tCeGTca@L73@^)YSfPr_yZ
z<hy=c&G3e-|46i59Cl31&yDky^0shayy*$;lA>1o2$*X#td*TlK2ttm8Ed#eMG=^=
zv&usoj4EaVyO4!n9#h9HqpJN898Jf@95PW0L!{^r8QmFnJl7C|2T~C^x4cC~s0B~`
zt(0w7K0RNcelmvchA_Pcb`W{r$gQ0>+6k9!o9(@1YR`9p1YX82yG~OwJ+=<cYqLK|
z-X+ck_g%g>0q7V1)3%YfJR3wz>+KEd&4;`HP8479a-<pg;sf?8D$_0fp3DDy5v+jc
zU1Q*cVL_i>d149p#>O-@!NSnzXP!}(^p2HvYOc7V+S)x^j3B-s?=Jw;!hgQFyml-t
z0okr{^eQWj6;`6_f@ztp*##10m}^?!`vmtq4}m`%v}sNA);j7zc7xV7KyvT2`tBh6
z;gjpF6SjSpv=;gzyKLS->`ClQZLL)vTaSDHr`+S#Ip3`}qUYW>WEfjSLecdv_wS!?
zvFq3T2w(8rWq7Y(Wn+|GM9Lo;sV6<$@6)NgPE}}m;mhr__S`4wd+ld~-AY$~e*{Qk
zcIm9AU*92d8y%ju)z?!4N=p+~)uI$!p-IDKC7J-)!-VS=zdf>p`Ch7)n<h?~1TP8f
z>^gLm>BTw<Ol$Oh#;Sj>wU%=rt*#u_o6qV~x#n=xlBbX88a(?Q-A(2Ro+ZdLvkW-1
zvg;Hnj<fonVKq0VP0G{QOnB~Q`Kn#W)6lFp;igf|r#JS6ebl0#_(C7K7o~@Fv)O0!
z-x~qhvu&v@8fK_eBt@bo()4ONZylOX@`L5vDv=glvGb?Kx(VB!t>v9%_BG&S581h)
z9^rBElP2nt7#n1naP2JWXdU|dKhq4}->R&yTN%8zMSJIXCn4LwL1BJfJB%tC6OjG5
zr4^8RomG*Ub8*Sk#x4+I>1?(v@B2Y!51g@n63WDZAaI$vYo*NJpET70>79=n!)r}=
zExz-l>)JQU-Y*7$WWhi-i^Qi~p<p>cWuur-eW+k51#iTU>HrN1XG5z)X~FQ3YTdc|
zq<_eV^V3nUP{ps7D=w|mtfE9>q!LS&!`8rNP4F?{ig%zJsYk2cF4JMV#7cy1^ZdM!
z)c+=g4ptLzeH@I;NQcwKjDq{x^2r`3y=7^A>HFov92}5ZnSFNU!e`0!0{#(<pY6S<
z?ZRETC1LeiIhEa|o6=kKm3@7$@ItTKm3>qxW|X|-lw=*dib?qxQE4uKMZ>wD`tm<_
z{vMX*KX1M@U#%oUdS&9nal+GjfAaKBo9M9847w$i5l2vtCX@|qPr>>FtH2bL9r=vZ
zZ-QOTyG`vU?fmQ6;|Oa%w3+1k{*wsu+V<Ugui3=NlV^k3#2uWBg^yPHn<(VHi6{sp
zf#3{yhv$Dk1mp@VQ4u=KJ?$rcWZ+8q$sKT|L~v((!<*rj#|_4&Sc=QmNz?fWEwn?n
zLS-IJ)OQzW2+Ej0kQ}K{+x>xP(yETk-?6&@WA-|lPE~ClWAjbb;rAN$q%%?m*W@L8
zWL2w*0=uBo@jedB!^9L9Y|<|`=<z}WyLGA_Wdr(-1X3=uJZ4P#L5$o7O;DGXKDYlx
z-+j__^+J1Yr>C@0)k?~e1;tgDTl*$9;nrF(_~Kvknz+F^pj@@Jlg=1qxAdMWPCn{M
z4-1v(rc~f%%W=1VQe;eLQz=SEuSK8YYJQtDq<N`&LPi}L<Dzoc$@>mwDPU9~KSp=>
zcLAY{ww|qxe_!y?l!3ly#h$M0!9DWj9_f#C@{Z>HX`aI0=@&y8Ink%;V`+rDpE+vM
zBXh``K0}x48zP{HuluAH<}#aKI1-?CLwx$lSGt%Ki{weIbqWlL2?6gjf}jY^OQYD|
z(s0N5YlDn@V&?Vr%Pibvd*-P1_;vNud**Wy4ow=Nud^V<&aCv)A5iV4%!d~nI+#Iy
zfg#U-*#(lA@Xs#yPPh{Q9J2+%sTUf$ScYD_bk@zwkVq<tzwTl$&&&%Xh0cD2vNWcZ
ztjVsja2yNqMV=Uws?HKiVePt;006QU=Lto!_yUofERnfGN!7ArvxY!<F(4C<_J4`J
zyN~{|pG+srzK<aqS8!t|`OPMtHPLf|rmm-TYo!a?0T@POn%L$(7jw;5QKSaA_O_$@
z?H=*FHn^#P#^t2zb;$NK*TRKkqIDMDCNnBQ_aK*=-0#`0am8NbwEAJit(<8EZS=Ss
zADY_uvM`KGGv9SjqQ9HH+^g8>K<l+y>?dbBfj{yUzr4+8;w5(t32S1;Hdsy$Mw+i}
zY9JtKF<+-$WLeB=Tic`|tJ4A`g9@_H&3Yjk{aB$U3p{(RRq>e+f(p{l+O9ohigvEE
z<b9snbZm9sH?KddJme%?f0cy3XgRplawzE!?05do$~{V)W2nA-VPxqHa;Q_x=H8sp
zHn5#?Om*0clU4?A%^i6pyAq*!?s((0qrMO6VJ3-oro}p_&3FC+&0G`>G1-uvh``yH
z{swC1Krg9TkfD=pm7cEsS;m;-1|ixU#mSV`3vmU8**HvP3`r1LSUd%zJzjRacV!CH
zDiJ1)RWIrOOlFIB?WlhI$<J4mmVuwUzHZB5an<_JyNQ6R_4HPlrqGZ(*Xh+`=JGw)
z#K__S7#S?p!Crya=*c|)2WTy{LuE%0LpJQ@YD~ESS<=e4Q0RLASse(i-lq{`y$tpD
zWM^(4XtQw263n+$AlET<9q=SI{LT|jm_mNtf(X^s4}k3s4d%VUr#$eN*q8Cxsh@=5
z9R<V>FCjZ9Jt&#a`)FbOC+J>3p8D0ix(=_-dEqEVva+M_{5DFm{qxCl&mopW?~C^V
znnc6`xmWLsvIq&4gfWQ|mNlyOSL#l4O|zCkqi+FMbBc#P2*PCnIWpDN(4)oCoIXO4
z3y~HtRJd^dRrRvk(b=|>U!Si_Xs%?bTH+Y$=;(XD@JObf(~KuY$=t1fA!MQQh-b&D
zPG4@2t0or;hnsj~TJXNbul&&Ba*LP(F<SAt{=59GfFTf8YFRhI%kMt-KYdg_kD6&p
zqaB>V@WGxB(u-5euMEt3z9L}7p)^_biFVD4vkF>^W?xgQGZuZRNJI4*bGDCzLC}oH
z00x`D@7r)be0{rI(G41H)&16`;^YVURvv9#aM!c^Bm>F0sVgc`bL8R*+p1o_i=vkl
z-a@g5vl4z|yL7I3OtEc*W;7E0R*!q`Ck^z{*?p{mYQ~u}!8>`;m()mg!&QlIV5=$_
zL5p<z#>a|Y$Ftp+T9sS7p`|TDFkzdq!EQn@40(wIU!<?JdjSOQ&%qE@8m>m^kpN5e
z2xwq6KEmtZ+ckkT3vf)k$;R{_uMr0ALItc=OSNR-ewi4RrDOk@zS^K!&M7V|)FZgE
zj&ggwqgCYdeF`-%Np)2W=KKPSF16)@hx<k2lF~g}uKzFRJ@E<T<%SkKeP&z68m%Rk
z9%AK9|AP9WydLW9USgU{pNAb0jQU_aX=E;5%Gcga@qX@G*5Cb5U<ko;mf39%+R}yS
zZBC5p9v=bg)<XXtA3c)Ns*vipDCqKP4&)vg5v#7r(%fR&gZ3$orgjv+e;H|8Qj>2e
zHAgTSoNx$))@P}XP#ga0f<=r<gj0^WduoweNopBsgsb=$^XS`etXofg&}0A6v5f>Y
zU?-vd(iGggSrh95LCzpZFLMHKWF5?@Iq6?fUXkDeG3bBDZG6SHAsa)kk8F*AJLkEd
zTiQ_WpR0TECAY@LzO3qVr?TzFkcjOK;+_cz_3lKoe2AT?E_}+~NUlbT&;$m>_d-YO
z9=w$a_`+Lf9*bKQN`PtU8w&g83hr)ZM^Ur+|KfE5AuIqv<XZRGgkH7%7OD4At&Ij|
z6NL|4R&eVF$zc!HA6|xhnl%WeRLcvS&&-3%0L-(O@U2K5%uK#-JSg!(-IMV49H$~x
zNPnhB`~k51Ce%ATo3K$UDPdLg!E=onYQkkV>X&wTaibK#*e>mOs;aUm!4Xr|?Dq~M
zuAwZFuH^dA6Z&HvQBP`aDITg#FMEXY`YtCIJO*B6Az#vlo8CWNITTe!r@kW4$HqB$
zJdKYv2OWKnxyfA|BPg{y-Kdu4ck17!9IgsXJOZ^+BX^F(nSMq1Q~iW1QZ>ftD`@^Z
zZe-P-ry){Y9ghgYuQ@NBZB_l?n^lAlMez|BY+eLvAqt;M|IQ2>vR>9LgQ1LAN!GA-
zE2W|1me1k%?qg3{|1wpLUQ5l@>~Xt_DQ4M_13wWTA}M!&h_u>R&$;=zYBa+i$wSW0
zo8a;+-hlj6=gtG~6>sj|)Bt7KdWcCuy{V!UA%osP7RP-bV0cz_@LZ$hy1|Egr~V3i
z_ZZa%N@&3&^jh?M(6fH&Gl8$)9Vr0WG_>#v-v_`uXRHF2!y7N96k8@;14IZsD$4Gh
zpMP1F0F%XbBU5I09j*l{i{+33kSzkA2Z<*KD1|@&Jb$5B-9*A@Rc*v9oi(?xX2wD&
z{x>8ib=p^}s1UtOQSp!oubZDNEF$1EB732aN7eb%pPA#0Mj}FFpu!L(AoZGp`I-WG
zk`#eplN^Si8v&u(fUTIwsgyJnoFU3Ga@RV$igv5Qxiy!*vdVg==45p-7|uf^+oHMX
znEVHW*I|X5w|GW-9#dwVJN9|Is<CKiw&Cht)n$_j<?{5GC!A*KL6I@42^)y12OYz*
zm~>FD)P-CCngSdTU0-X6Z2t3&_GXp%T%q0dSlD<|YR^3^_tT~Qigy@-Y_R1<AOvIN
z`;*;+UL)bp_8hUmuR>x*y4hgpo_7LbMnMc6E_lS(W2m0Izs}Ums2_>K29_xF);o+x
zm%cp&{Os?#@xR{(m&=X0v$NJCwiP08wm1<wN8}w~e!u%}QL!$F473%0H<u+rW({5N
z)?UPPut(a~rc797{GHH^sU2ZM#*WN!X+;rm9Hc>`N8KQ?fBt^oPW~=1>Y{HO_S++C
zO$m)^`1cn_y%}XWAE@8nRN^mt>PY$&x&L~Ky(Z5<2NUu|R3BJDgw8bO{Fq(JBSQ=o
zUUgbF*fiPIie)nw3J!lL?KAG@T2N&ZvPDmnxbY8iCyOzM1Ot*1F>KN5HY6WniFOX-
z@Hg458kZpz^~D+oka)n59w3uC%_(*g3bq+z3N@7<j|S;fmpHoCN`#tA=|{OspX3H6
z?Ta(BUcL%-jl~L>Ik*8>tZL?%Hh)}ut#N`vIOo~et<s{*vwkYu3S^2kljQ5lY(?z!
z$BBdGa6rQ|63y7f4{g<CUZvbAOI&}{fFcDdlsWp%f3N<;PucRF7UwiCM9tv@Wk)!=
zAlEwd6*K9yEFb+><?_$^Vi1=|G8@46jlx+3uJV*DZJ<ijP7&M#-IU*mqy=0zb*K7`
z=Q4&t6I|8U1HZeCe=^molfEUG$8qjx;sxoNI)My;jh80fXN2K9GduP%+14<%%)40S
z;}p)zs6-V;wrUVSC6d&vF86mY5U|+9lqVyJ7bSULzo2U#OZ<>*xuNu1(cQqkVlTI@
zoJ!z~@o$|);?s#JA|&#ojS6yr>^<tAh$Dlo3t-}EC}h&P^d}{D&L3|#=P>YP<cnOB
z<Dp&1J_|p1LygC`UlhK}n3z=SJ!4C#go2d+s_E=LV~199O&p3Rke0P=9{Pd&B)N*Z
zv|&ys;iDU)XlTUT<|e<1Ij(IJ^NWeHeb}fum2GQYl2t=4)FuCqewo0rR?D#dv?$Ui
ze<^?+<Rv6!7f<vD`m+1KS0bYg>oFMXD-9&?7_0t}GWrAz>ugl)nVtY&>i`E0OfP4(
zi-Cs+7m$+g>)}V3M@17aPIkroaE@S}nbE&|ggX!jbm^NoXSZT`=__ZsU;l7kyAda8
z-Rk)9YJ{hZl^KB-8p3`MHM|j$pC2vuGqm-0jEKNatRt?iC_V&(5V=B`${&#aChp`<
z_#{R+2a#tC|05>X^Z1zXojy{DSuqf3<4766_kCudZ%P2V`}wbTr23W24A`KTl6Qub
z^E#(gO|4za4x=QEnLdWz5nTjZ2Bkst^|40oATd9}NB8Q2tu0;NuFlG4a?7a0)M$kZ
zLAg(d_$Z4uh4*mG+It`b$sv7DgO3Q^6Z&Lg4qI3}21-Cna%9PYpN7r3t-WPC)P>fO
z9p?B!4mInBVj`ebcg^<hZ7ndLEoV-&Mj4CXO43EB-2EhFYwSKJr~j1!08}A}MYdf=
zN8{Pt)mTMq0$#7IdY1?eo^N2vtuY6V?Ukw4<en<T9^n@$WaRk+{M|N()6?}M8Ft7H
zXbj`aaobB0c6+jJbfvJ6tI0Y_0>nF^$Nd}Nd%ohJlg+)&5F(a8!4I+3y4r7-(e6g&
z%3g+y?G>(X`9CFrGc8-^RjoTx>^mQ^{{LbFNpm2!<DM?939Vt<C#?lEd6G{JYako*
zBL`*w=Gun2y@D_LPU_6a{+!g9HmOC*@mPz#0rJ^lCc}Z*pC>yMa@6e$IMkSTV(HQg
z8KNR1F=bj8FJnp`-4h6%<PR&pNFNlF7^z<N<nEE$Sz3L8c$#a0kvz>+9>+oIA^2;-
z@$Q!1W)6Qt-G&t%cp8amYj0r#+Xv0Z2re?lU>w`(3XRp$viarQUq^?lS8QaBy|tql
zoNU`G+_1Is$%po=OON}7i<54k3dM*XQ;NBeKk&CgQz|1GqovGG=~ZapVlvb^eK5@&
zL%2|yeL9tG!yim6YYR#%NKw1IuR>@UP6e864(9jWt`0bH=C<`<KcRQZH#c%j*36x0
zEd@=c1-HF%w525N6#LB5<+)85B&Tsj*A+u<Q;ofgenz=pjHQ%VCo-u8YeEALR-T|>
znBzNJn3Lt@&^Lz!U1zr&g$QJV_{Q|)$n1V#bz-`;z_`|pv{PO>KDkr#CjohwMd~kF
zRj<+r!jO-2PAX*i6W}EbPuHIe9U@l@Y&hK96S$b=1A8NLAsH8Se9IY!><5Grst%Hg
z6aG=#N>L_IE4}gIO&A&9z$7;EBI1;tQK&P&0WL|hHcNQ|xpqXWr`b#D8#UIWO4qVt
zD9$D5_svlE>`iMwv(EZIiXZ<j%e>C3m~}B?9C7nK#E9Sh7jZOz#_{Pk8K&UikRnAV
z@7%a_JZdRoEC}|tK<0AcHXGIXx|b;QeYVQss4hnO_y9vUwlQsQ_v9OQv7r7SPs~?T
z26gHrfSh1#3e#;RE3KPU6&zeS*M?n{UPjk`4fV>)#;Q$+8Ig9OQx4^idpSAL?>;__
z+VjvGTn@nX{ZW>ADVqAo-MZO1N+@REx&PF{V?t&~vYDlv$fG^`ygp;;`%wiK@PUwg
zhxy)CY>oWahvIKZZpP$MVPm7Zt!y!e4i}G?v(pirFA?N<9e<<kw;rMfo@f#1I8B-w
zI^xE(fC1x_D0Aj8#j*QT*x00H7zRNB%8Cgj<9~vvT%u2bSzYEXv)B=(F~w3J-Ontx
zw$lbmMV#1GuWBr|6Ncgf4L5%v`I4@Cv3HtxtUdlVOsC?wMAS1+w*Kxru46ae$N`w6
z@8u7q#No%&m*(B4jiXZ&hwdA_XB9L4a`+)1ZwF+~2hZKbE&F>H-1e7fx59~mZ2jls
zS9YiQRqS$@a;1xS)iTp3qV~saE751hTQQJxd!d8Dj{SJ$;c*hHx+UUpND1WqCF-$D
zX(l487qqRRcTY;elthanpe_9NJBP!)K#lXY6%jc@Yn<{jXZw`Yl!nQ>2W7Cn^Y3}C
z=Eg9E$6WU~$mq9q!nt`7jqRY-e)Q0*8AbAVZ!QJ@$5A*iv}FJGRK$vMi<hA1xl=Cl
z@e<T@%G<n*qi0aP@HwM>u2R=qmYllG-AFqc`3ShuDt+1r*I>u3NC3)X(gADsGJ*<6
zJjaILL&gmBnX%k<fbt{j&gSmMtj$f!9z_3Zr4VL=2TexB1;I(j38iZKTYlf(dzw1e
zLQ*;6tq0K@&7Z6Ygp_~Dr*J%8C^m2+O=Lbmp57KD{#@oL75H(UY0%KENvgLUhlx5u
zW2rSQ$!LOZ)|8a)W6szPbiK?EjoW3aGSS&IribkO_&tlZ=Q(7Re%NU;fz{w#Utb&v
zMoMK!R#ju@gVSxbrj=;nDO`#X7K7Ohq-OQF*Qze$)UB{Rdo*m5S)u2hguqXS^a~Y$
zZ3pW73x)aHo*L<uS>!3uaaFy7Pr%u3Gc|X94N`5H>6Xu7VHga60MvP#!xFT#%8uC7
z+Oe$|CK3`)j3j9<B}mg&RyJwooHnh7qS~P20d7>Pe?(FmBOW=~OgqzAGJwGR0BXzR
zHq&?QCzuYi`Awcsk-j+}$x{TAc9C`I;ua0B)P~KfO)Dk?;4)FSxxRx>Do4j{M0wk}
ztE-?F^K8yG<cIW2K!lO!2-6(Tpl{tH#sl&pjpxX|==C$JMJLgx$1YI{DZL9<z-n3&
z{Q^%-D>W(##-&rUY(6d&*PerM=+D3Zv`h|9x*wtuoCPti_4p8aid^5XUGZM7xIg~n
z?1%bufK;D(2oUUjVY&3bZG8yM@~AxUKYjER&TNvm48K8P7?D}V%}n<^oYBJM&**w=
z`gELg4@n7){Bnl!N8Zi8RHI)zk*_LS!2KjzJDJa{S!=zmKpHz3-pAw6Yozw6Z!<EO
z8a)aaQ(5J0FwGyBJgNp|9Mi+o%te4P*IKCf>~tHurcAgVDvLeN2Y-A_-OOaSz)WX`
zg<CuOPXirhoocsMUA7({cD;$kkE+L2*nuV!B_{0cKWSG_5Y0>r7dR9Q9i;FGoWkEP
z6E%tp`@~bjG({dCKiq|WMvxp3FKC!@s%jxDthW14YV`ff>1~PUvQAVfAzyAUk&-jc
zwaQP-h>*3s>lx#J+5*qI05eg#u+mXH4dg3Z(|xYk872+IG+i558fHH9fm5n91j#U<
ztU^}h8r!qmB^#$WHybff*6vrj%`^w?>XG$dd3aP%7Uim(jS~Sy+uGrR=rYlEgdBzD
zHs;S&Wm70GX^WCVD79e(9zTdH!3Lf(qvke{nnoqgCm|?{YdLi&(d}4Llrp#H;W@s~
z2(+T(d)d{IYVGtzVvxy_Rc}+1ymo~DwPNk`v1V>N#-57zx4A9HwQednLa$P$Zt9^H
z613qQ`Zp6V>X_2T@i+w4FtdYt0Y@s7G+g-dyuOwGqyd=O@j(LGfUn7ZAWu=2F3=lF
zcumMVLx@JfqGqlH9eu9AW9lSM*nK<Ca{WtrB~K_pVXQmG-2zGP9xyf?*IZbcQO(zT
z;lv$E_`2YX^He&zaT{#2Vkd7O)Ze`T*!hg~%2KY?u~L6w#;LG&@YZiqiRjNQ!H-Ox
zxYfYf4qSveA}r;>S;SW;#C9+l(kR<qS=gGkE&8EKGiNvwb8I>lIH$s!q07^`3pa-X
zM_+(DklJl<xodHQvyCtlJ<hn~fS)Cn7izEQk_JfYY<#$xHhvE@UdhbVCjOxXX7-!y
zub@-2j0dtRdKQa0)b=NoR{J1f*tO<APHi`e?|aRV;=EQqZ_)h-wU;kbu@1B}qR6b;
z-Ri(d*~A<o>w1E<6C7ISuoLVV;uuERX>GsoOaml=1^+L~-m<H%CTQ0U5Fo)VxCD0y
z5ZpbuySuwD+}+*X-QC^Y-QAr9i_P=yG4?*^%NgVRfoXkrRdv_w>;4qC-|MJ^krR=X
zUuD#^5o^%d`g=KM6)EN3E^v(SN{d|0X{1fCHjfJJYX~poA+jplph_|c?|if$8#8+B
zl17dy>|jrENljufnvrbha}<j$cnyIsi!H2Sqh3lUqs-~EhxDGzFq|5#f=|uQ(@~hy
zB7)wTl_QjDxcuWlgga&9Mon$3so19su81o3K5SIDIEgK^#mw=m<OcpO{_RxkrtY$q
z&>vV#|Ij1xlvCgB*blGM_wlnzSSQ#b|E}DY*U#HqYUtmuNeAA2-fuKAVpp>ofJYh&
z(uQDV*TPDG1|2KQ?zEvHEl3i3GWsc+01kc)z(@fl$9I!q*N_fGMXXDVAcmhj6qUfB
z#(|#W@xUnLjfXM5zoB-HXNK5^9^GP*WO`$n!A;Z=T(gI_hTXAcenSK)_~=O7Se(C{
z(r#q8MBiZUN`Dka<$mt)^bJyoR0YXQ#Dg!7en5F9eX#|{D0Iqe8PV<=J@1Ba$}zMS
z+?GM@bL7%L?2EvcKeM#xO_uvVEt6n(&dwq;ZSCHwJ_5WvydNku2@<zMP6NEN30)y?
z5Ru=>{I&z^7%jXZA!U8zk+%rfZg+kng(kest2|u?Z_ioia@$jXOtR+s*#H8!ztd1U
zp0m1K?wu{)dMC6+eVXq(g+>3<DsHL0<yeHg;E4Ebk5~77tPB?PZk7;4P3g%SUvN#i
z>or3sPS9}f%pYaX3(5ZGBkP@sde=GJnqT5`btD<^Y2^f>Pq)B#IR5Hqvt2u5+?ecA
z44epJcZ3Y0_$IgxmIPkOw0`gOdXtcHT=k)Y2fQ}H<DBrIcfq~&PgZO-Qan?`qM>^Y
zB;QucRsz<1yX@b9j&Kci?iwSwKgW_}o1VjTF2d0fv~9iUTtJY}u(O`su9Y^r1HT%Z
z8rAZvVtsk;-b3e^D5kpm8sk~0&C;#Z7G&LC&mr>jAvnth^&dk$c>&`ZUJdksr*LS5
z4%a3m3wHm9i)X4gce~g9b!SKP@J!AfI++<Akx|c^YYgdYQ8CbcPWoyNElgW{oRv%e
zbKe=;J8ege%k|IIs8t33dPAPgXe6LkW_KUnLBhNtY6hYEmK%LW${{Z&aQRu^%Acot
zpm4_pl281=#rljCtqidd^<Dv&r_pg!@PbSzmnfViFQAuEN>(}rDyaM0Tlub6s^$_*
z7nbTwL!aK~jnAk_VsQR!&Bhs1=849&_>lgSb8#V_mB=N!Njo>XMBCEyBmgD!)KaBX
zX-oZVOqv`8A2&*9eSPr6_>y!!I5Ehch)(=usmDYpC!Gx21e;ibS6V;lpJTdkh&{xf
z;Hn4_bQ+GGKI9!qI?>Fg7l5_wMrQykf8Zls<Z8EdN-?g{+vr(ki<I-a+Ge<W)kA&M
z)9(|WoY)g)5txu`xY7aiHmv?!L`cE8;%pl8G$Ng!?rsB?KXiHYdup6y9`;E>yClW7
zUvEWn%#xeO7k7nrsh%JG5uKHOzz2=bP*3Pz{@{i75)W`_H0&qpBz3mYndV<7y=1x!
zzJzvvTguHm{RsRCG!n%{4g5H*^y5D6KjF0HWi~<A&<g~vO41tPP^c?OOgy|U1>>7{
z!hP09ef_>_;rV{MG_F|ud)9d0lO{urYkLl;c<WhqVa#%e*h<_^-O99~;IOEK?cw4~
zvf_;o0h|`q`wrL3rb@V4p1S(mpv4^~{?C<6U!9;Bnsd1>Wz0TEw2eRmT_8DrU+?SZ
zO#C|xAQ!)P?lfvzc^73%>CE~4K$~d0L1~C`vxCC3^L9w(yjtjU)bo%6L*r0vHsARr
zShAo=XkW0FNx2i5yaH+a=z%kU$-ng^L@L|1YBize`cJ!oNb-0#)<i+@#ajvON@jz@
z->QfHf~mBKd52izQ)=z%Z{N!4Hxy1hX8hq!k_NYvT_Q>M@;N!@&R>#c0%Hf~>t~p2
zN-Zm$>>8$XVa>7~YPaB;(f#~Swe@mclK&BG5IxwvL*JvF9CtuI+?TwIGbZbVM&LF|
zjYGYNg7J#n82o5s>jd3@?~dE+dV73_fM3=Ltv+^@=R8OCF}U_<UePD%Fd^QwlKdt3
zqPRm42U!-K)afI}82m4;K<VLZIO1$PLByLKovMAA9MRe6xD9+tmBTX8Y3cDy6fr7-
zbG%k{4KIzx#HzGQHIJSkT&N-vz&wF-BNOKh?oQt_w3;Vm44XpzLT)UxDPu(b?!VH=
z$ma^6%_6wszJ~O=z9_|tLOsf-@Ar&m(JU{S7H~yqv$Y}r94G~v1OodSL$s;0_IK4&
zT<A_R4xi(2?hUirLnl<sG5-h<dP)DCkL_%$m@~mSMFnHLAM}}lOxSL{4<01S1k>Xo
z_Dq?8ZC~+JN&9*3Om|}Q2uuoG_;~4B&E%8=73s%L#oW*zLe%ZK)rEE!ad_{(Lz`G!
z6M6U;q=cuxSd`skOkHPHPS$_<_Z7angL~FIRjIKY6B;HSU5BbQ;A|%?41F+ts)3~S
ztMLo*tBSx)X$BG2>#)4lRB_M=Q(7hXb~bvjuxiTn6_QP#Q8*YqUZ3pUfQSA4$u`u<
z&00K~o7_qNA}*`urehCWNB8NYh3h|_%C>B#Fv7${R}!A#nv5}Oh}{&(>Q7H5E@lHQ
zbu9NbKwS>Q`LnkUz_;E^_CvbLNgs>pUv<w|aGt61)nd&<N4*=!x4C_f4xJf7dJ^=f
zBp<d3zeO``7YO&J&TvDplH}D@M_86k%^!=ZyE(aHoLU_|a#L(L&~GcZb|4*nmo(r+
zsr34vo)G~VGt#_edBd;O{G5WCS?5ITY4_|M?y@T_`d(_XSzv@_wz|e7&P_C$c%*&Q
zuvcqDz4AAyq^eoQB*Uva9FU6|ee=>-zfI+7SvrFAHK(oK)%C3gkIO5hNXTxEh4ghd
z+rYd<C-g&|(3*nka)qjw4Q6}2(G?$+$>vW-!<s>AD}Pv;da<wJ0y*}Vrs!Y%k^3cW
zu3MoR)rWWO0;i5KUZ3Mu4avzbHk<ni@*0CAb*GoWRFE9R>L*Mr1sh}h;Y=(EO;Ua>
zBZx}d8xlU23J4T|LsTk9qJG;&Lnll(0)m_Cv|Q;<P&EtFujD1URGuc3&%RdE(R75h
zO=IEn6h94q(IvfJZmfy&BTO-7-U&})xeMAvWf0OKcjFB;`?TuulaqBD2lQz9{g1?;
zC|xD2r~VmmmVKQ^H`Dp$m1^8Q!A-wW|0A2-R3bIYH&<$#R68cdI!#a#Pfu_;_`6X-
zn}EL!PANLvm!E~@KlXnAOi&qfJ|fP;C7Hn-#^3LC&veIwRRYyp`m?5rWKvXVC$(5_
zzdJoF($$R?Nb-+DhI7=WD6;AyvUy-U82Je<!9tVsR!8`fn2cayYk#nR;Rw<6WXSW_
z$sS%ND`&n17SzbEF<dUKKx(WVWb(P=02pTCo!jO%L9%Mu3hQuJLK_B-4ae~(9t^YC
z5_R;*1QRQ`MRZQ?Wa%;%jhT={(U&ta-DBO!M;O~ZKg}dI#?=i9u?7P>9&syKgHB9f
zC-r=%8^hiz6saMg_@`B=W|tRQawSYKSY$Y)d~Mlu)wg~xaI-giZMx>g!1e+u_;~y$
z-yt?IXS@*_bYmtf_iYb|L<!}u!J<NBD|=%9AWV`d6o$jjN+uFc2?H+JG9>0F;^S%V
z4;I4q&{ep8Ftc4&vUKQ3s;QF&o;UG#>_&-`J*+Iy+MH#xy=~#0S8vNnB2-5gLMe3^
zMOM4?siaD>=UsL<yDu^7OF>R<?S5E5S8r@)YJ3)DtpK`t+uL=nnO2>6G)87Ys?N)o
z?b{E&)WMunZC=if+opf;pM;j8jhiFLtf~&i)A3qkg$^%D9o?pBameX2erUj-<FYK6
zId2@;k%uoKM-h9x$5v!|C*9nB+b7;%WsI8Ykt^|yzDagB&@OTS=Ury>k_IWfu=|`9
z8vNE+IOODnrf+lEKR8UU>%A%!suLVcUw#SqzuHSn;m+HAT(29-BfMZ}ZF7Nh!P`(3
zkFuJ4U1IYeeN;0UDPuf~#Ah1Fs^DyLJMP9k8LQy@%T;5-mIC8Otk8M-2qCv~>~KyK
z+9hP%#hbC}y1Evt#Z6b~JZ8xkbRfLuEc({~#d3^a^FF5g7u(+c)}YuWgo)X%io{@<
zs<Liqp#TY4v&eG_Sh#W7zqFIRK>=PoG?#q~Q${QT=TgBTfjj65GVdg$SJ>VZ=HAfB
zrBSK1*2|>GqmLWb=1$LjwI-=0&!!!oOHi?kR?E5G3nEXJ*PGcvON_--`Ot04)AzDl
zK-I6K+Q^KSSMyTZIvNWsDX#J&r8>70OWFqw?hpOOLLpY_aY@n+o%+MqCeJgLc=avw
zx7&Pzx1RM)#1<KHl-bJKm!vgByI!C_bl}?^7kC>@28Q8IU)`@Fz~CC69>VMx%x(tK
z-S;Ql7r1(JSbV*pBDu&O-J*a>Rcl|xvk!Sd5$B9C>{>fOp!1wDKhf|HcIAWR=34)`
zo{Y)_(%ovJy_5{;EFN<XPj<gqrDtt5?D-A}`XW4crA2Bcf2Te#3NQdqo@W<Is<pn(
zgeWnUr&xV!FA#L?eB^f&JH^-ALf4^zipy@}X!t2avb(C!sII@co66p9=Rh-dwx;ge
zjjgM#7S}G}4yKDW{TH9<P|HDXIW-s>VWLQ39tha1@|~^q!l-t6&Sqk$bs2HEeR*$-
zEo{rr4l*g<{kJ#T02^i@yE7GNnmCiB>8V?qtS<m3bWG&UWV-FbdmBn{`xfqkyW)O3
z=kV3p1SAhQ3{pBJEaZ(*AaNT&Wq!^T^9-KT^M3YC+gBvDqHHy1rvulwSud;Uumjz3
z%Zr^)Y7a_Lu>Uo})%AjZ=vDwbP92SnbzH8|uQN#TPEzr;&RJ~$vo84Okd)7Uqknlh
zYx&!EJ3b!+D0yGLxgnmDzVyOb!sXP-6OG4b966(y0JGFQ-nZNdjvuGFUCs`gy9T!)
zUnU=1ll>3slf&-ff&9qiH25Rep_hj&+S4A!M5Uz2OhjQYzCixvkD(Fg?bWrE!F`>E
zL-N0ca{>LoXmVQDx(A1;dB*a=vB=%0Gel{ASG(crZ6}0P{0Z2qAQH7gLp3_K02>;;
z1{?#sZ+dE_CpxZ|yWabDh%Sc-4(-^?%$d_vjk(jr5UpSFv~||K-9A39gMh9r;Uri6
z+Rx$;LLI)@P4IU3b3|NY>Lal~pMTmL=9~DU7kST3JaVAr;bfXzt?wj5FLhqh+84@`
z(Mul|!`P?FQyxFkTW!A0mBv4(ahBm784!HFFxcDDTLt@0{90FuCx_EzS_xzNsVZf9
z<q46hfH`UC?>x#EBFuNuIo$5c5%^xzUUeQvz2^2YU0s*J$%*HZ&GEW+d$GH>$%h>a
zyV>DBnBw%vi(jvOwaSei8FhJex)nLTba_Sh_>eHh&7F4g0@~f}G}ygaaTDwZ4(F>_
zW@vJ<HapuBCw?;Sq$bsiNeIeygl1i?3Q3G&Vn<>^vA}kuq+Y{{zAYDvzA>FT7G*Ev
zpjd<j)<ztD{6j?)2KW1*^#q`HBfR7t#cd?8Ih=>JiEdKu>OSVcll%okq!sFh<g*Hs
zy{h@GZPzg^-?oNwxIiD~@PYM_<mp6~RX@vy#4IpICiuD$=#*k|j&9!FSPUdiYSvaf
zK7njj_eT%Z_bzYa$!_z_=9rqYN;n{QAEvfyV)}EehJ)M8R5(aR2PX_i20sB}F?ObO
zdjL7SQLkz;%=ex@-tOuft-U=Wdj3e&_x+>&9K@&HHR9faYx=gA&~nBaQaf*tTdAyX
z!a1CGgHuJB$B-siVOcOj^Si$@pT(Aq0X<dfg<H?1xE!<5t$e;US1b4DG~di2yjvN5
zNcxjw)jSFKamxon{UDeVTxM(r{akh(d1m_rUHGD@Qu;b>t^mbGw$sviBT<Yo^@6#q
z#FF_=x&<>$o(ydsYO;>@I^we?tii8yVX`WcCpEDfF{!Iy)SeSlQewt>)pLailwTYe
zfR5)Ly10Q$3=6IglWP8|wekJT%zX+?;3{o0tkWL9Ou$J|QChInUf5zk;imuKRu~f|
z_ste+r+GbgS#Nne1_4xRf@ZeZG`Y9*vGlw0>+}uB)U;KMM-~Bum#+<r{NP+ug>)#S
zEO!n%5&11eQ*Ufal1Q0AZAnbs$<0=~Ul>cErje|ZwzBVlko^mKhuyO%3^tpkl93yp
zY=-0%xfkgE1?tZ2ta%&%<Pq+rOX@_$flXZk@%od<E~|`eG7-!Y5*i-mCw8BlzLQIg
zbIA^N7OvUuKfx#(H2<d1a@(||yFaBe8?RR>FezKcmOnf8r%<n_N^VhxOT>G{8hTTl
zIp&Ap8$YW)+}cSGZ3}4DTLB*m4-iDGWpP$&M47Y0@|Ivy<MI}r=i6Jc16bKPG^Te0
zK;Eb(f*Yj|P}w!#<!&_WH39Y4)(YUJgbk&|EzP7(ml8^2N+cEq$p}F~w@*+Eij!Z*
z9bXH$MvpNwa|qiwtx31QBE+2P8$HG=dN=pd+MS`T35LkL_Z|)x9d@&fiI1_%Yv>yM
z!~2UH^&hXu0p-C_oU6GxD*Fkn%EZ+dIIiP8^+n*l2|EFa1nE%u5+Lt>0f7knSef2U
ziMb<e7<_G{9P#wKIj643hpN$c-7&o?e{2uloC{BTCvx*Hzj#Ci--B&^_naCZY^_f+
z;#00JAzv?TRuOELX`H<<RdoUnAak@Z;6%%Rc$c^OXKDGvcb1>pA_Uy<=*NTad&t)A
ztWfW_Tb4gUs^Cq|<=O_ykdoZqhGbzXFjyKyJErWeNY&h~5CsY>sp`MtIhfv%8`Y6G
z$F6s>5e0z>IaqkwP3Z!g8A8b^Qi>UgBN$lRegrk|5z0r=va|0t9LBxOwNAv-d!BL<
zr4cwr>gwS8eX##7w`rH%&9`|Yc|eDv1Rv6upmvxMhPTTT*UNE7E03LTD}mqN#6CYO
z|KQIa-?$fE0=~Xq#C`~MPo@wQbPHT_bi67|Xn|#z1S)w;cz8T(dePGv+PaR<qZQlu
z8Om#F7e-z?PmeaOQ9W2Z{Ko*?3Mcd9;e#Yb?S`YlxRkRLJ5~mri^-fuyUQg&g5Q^g
zHQlC-IO}T7-2fD87>H_KnuULejCDLc>!DHF4T>Fr!>O@?zVRl1AyXt;Moo{N=($0n
z0wbWD>K?f%`H#%rN%Wo!M=zhTVm0!ZUA#OD`QCtN%iRx4fv}%7L*Iw$1MzY2VFac^
z1xj2@`uLj*g!Ri1xqNWb=UNE4r)T7%>eDfBwSfTPehLP;gjD?>z5MUXew{69$=Zc1
z7`!ZgXlCpXs3stH-%dJ-px?}19*cnMPS^w3XOq7F>wmPWW9zR*y0v2Jk7k)0eL+Wk
zQ7%qiNJ2!)WEr?j(4?$uO)VHDl8+nVhmZ9K;Ic}J#PEn#I+H|~gyR1UrB98ptVs>T
zh9u?S<;|;aUH{bhQ$PvF)4o({!=!&35~$C$BP;jQ?*XBE%aTOiu9RMDc+CsdinBI4
zw(Eg(Eg34=79<=bD*RFoHywJT!`Lxm3$bGzG@Y*(Ww883p3<K6%rbC|+ub|g$1Hy8
z<N;}EhOPsk%3q4VESN`~fdQ$7^kQ2IUZZo#!%1D1@r5?8_U6CVv&D-Up<rtU=GZk9
zY028Vl={#@V#Z?O)fK}$xvE($@X8=7yLuT%%>O};aK18nlK&zz=`kL;0WXtfH^A7%
z>d_feXWlr*RFhe4@r)~PC_L*C_>TC=I7^pa=6!o(22dMeC@Y#mp?#c4*Qsj9l`L36
zpxxC)VtiQBJ+qbcA+-OhK87(c2)uE%cndItKZneRbpSuLwwK8lEMFl#-l0$Pb#mX%
zJPS7Caf3y$Z(@A1LCib;|Ahhhcefswn`#Cw>D%mYJcFMxyLf24@UB7s4e{Fs;mZ>>
z=u0_aS?!LW+5k^_4`6&n;_k1o=&UEZ>RZ5<V*@axL(H#3t_N7_aL5$LDnezWetOnF
zbntI9M_6KSA1nr6xtOB~6OqHoTp|27^Tn-?R^Ts6!6`9FsD{JmnIt-pl88psT!d9e
zHS(5M;!`ir8Z^9zZ^NO5W5)Ar>l%3<Y)SN_Z=@@@Ef+KjCzV^VPVx1FR}1gps|40o
z@D#hJsw>?NAZVKSS30MTK3i0ncP22BFZ$#STpk&4@ZCFVuQrLqi;h#~<ktrs*b4!B
z0FdkrtqJw-A+t@LgFGic>})d<Jdb5CDkEV&)}-mCcJ*QKFzO=rXw}aeG(kl=IU=n=
zi11}JUYN4|-B;}b;9A;ayNiyOjh4s-**g#_@i^Vr8|~P8^oD5Am%!&7OPeqK+~Kdy
z@8?&tP8o8|?Fb-_9f&#TS$xMXtlu3%bNa?j@rcd&gC0xUa2Y7Hj3Jx)m@mTh^=zje
zvr;GT=!Nxg&t^k{k!+tt{rN=i%t6D#FNj!MgniituJR9>@cr$iSKH&Z1Yg=kP5u80
z(7X)3yiRRwSQ*~%Q{=kV@OG3}=%tGVrrRYE`=;<(q?~<AHc_~#E3wI$kD+B(-&Zd1
z$m(7Ew2})%1x}ljFePZi_Sa6A<Wt(pSAJXdpU11hu3RuVfb<*B?)2mDpLzuv_wIa7
zLHRI)<XojyzT@Q(mDxAu6-`$Me5NX_EbPVYaUZ>xS}Re}mPsYMoK=zDD;()JUc<Bl
zb$z@#V5_=ETpLA9Pdsa4<$tGP)rp%WEe=l3;+AkKEyyHb3<?Z$ctYU)SFSnhyD_xh
zA`v}L3fG*B?{`*G+CMk!_JD)xdxI2_T0IK{b;-~;#K}iRQ$ETo%j1kF?56r|QJtt8
zQ7ep_qf0G;P}+VC(}pD{p$(MuvR{1u++UgG%7wg!H)RfQdF>8-IBT3VcLjew?CJ53
z!`x=sbfSR5uGIb1UxR?%zdtfL1aT9-Ylw@)0~Mk}3D<V8W`y-?fqLOD65wkgP1B6p
z3F9}TCOnUJsGnfT9>e@5iCyfhMoesS-*2bkB%zaY#ktBt03YKdFtZ`}LG5}J{g`$*
zdRq@X--?H={)ugmUIvkKO6KK!U(MJWgE|`iMHECG480B<S-qA86(`yL&ounX*;^XJ
zGC1FsnLO|hQ?<XqJD*%h(P&>H{}a6r44H}!^Gg1PJB=}bA$a2HJ69fjtdQXyyDNtb
z!tQs+vi`Qwe<Ou!8mphtBsgq$!P9N%8oN16-qz*g7~s{S{p7aQFQ*9te}k_jsP=!Z
zL4MOpTc@1b0|j*zII~SNTnYl~Viq<>s8-f&4GC0z1T2qJ1TJ*)TFKxEAudyz(0khh
zw$?kRc#NaWXsfEWnkp|x`FLEai*1f&0ahv%PQ6M$G%8N@q!t)$WH~LTV$AiEXSe2+
zfK+Kcfg2a4SvN__qJQ>b9Sd=1toKxi-a&MWm7o7!4%n=|ea#xF4FWc6NRKQa@t`MB
zN6!cHOW3U(a@M!^Xm}6}ceB`-A4ObP$RS#_%A`W=TeDTeiZCa2AAhCE4I*{k(~431
z#R|}A)o2@2zU%OAe47yjFUflA8w+~nrfRmI0U7^4lbvS3f1!}*ojr*Bf6|56%>1g4
zs1bIMi^R-4b=&ms{%xAR?Y^6P;TIz~UK+a(NI3E)_8<&dgl7nV=a+6?0DJy$NCbu%
z=g8OZIt&8=Ykr}b8v^A^tvEDXY9vqp%-v%DidyIu8rM=yv+LZ*2{={Q{+%&B4Rxa(
zOCnxoX`|&_b{c*R>PQ{4Ib-e2_C`3$JKMfsg{=M<pX^cyp)qn`YkCaREVXdNZ;zT-
zM_-ZZ*r+c1+hPTUm|E|->Z268S&^{)9RK>lA@`~E|B^G@vmU-|MyE;dw)oqr!~+Pp
z^Y(w=-h1Q*0Sv<<<bdZhc#TF|1Nr|{j0B7wf&rg#yMr8FYta9t{41vo?Y9l(AQho!
zx5!;PFpT%ufGGl59$Sh3W{tb>%U6i2*e~|{FDUMS!cM_F6a&b=eG*sVq><h&_0#?X
z2qf$4)+B34ACY0|v9n3-pKJXUOiY?Iu`knrWv0e4UtTj^fwGfhD^_he2u2Td9j%{w
zTa39AeM}kE(eh<J^52KQ<<KpSjab$jBUtw+F#={B(ooq1T8T1+6Q@3Y2n<MX3y`f2
zpD&;86A$*8uGQ^_Gs#6GRV(;;W&65q4??y+?v){+Fey@Ry7*cB6EK5f)=+CnHCm$|
zn?hC1TA&W1Zgxi=bH2ii`i-Ai&WU-}h!FgQpyU!Eluz8wv9D#dt>kD%l%rBMd70cQ
z<=(M7^3s)?>$x8rE|HnY7|H(q?VbeRWg2U+hhlXKpLSNaf(CmCCdF6DfJG115TVMD
z;aSn8R-RBK+$WjlSD8#cYr4awb|=5VQnPV<Q<&RrRPO75Yp_djQR5?cA=!#f2Eo0E
z`Ssr8A>s85Xf*x$z%|F)cR4Oaj7dd{**wlt8THa&VGhv7;>*H9FhPTVPx?R?KWfpw
zoTBP~=@4ClhCz`p_As1=&Z7T%{;u)c&Y2LKwNIRsS;JoKokldvn&e4CemM;N{twt5
zA&`qpvpnaLq3mqdi4fgRbVLZltxr9;cGLJstY%Y+=4A@$(z`&|tE+Dx-R}y!?*>Hv
zoto=t7}`7e-C^R%f8_aC)$%5uq=?Z4iXl-7xi<*QaR=A|8e4nq!-v?CzA8K#i<85<
zu$C0G_OJdsRRCvgp{fl*tnPRHG2?E2?Ov3URE$1TY`zbxvH^T*rhmQohto6NcR&OJ
z`9tCGc#yNWVTB7OfGrDdgam8`g!0Lq9+0L&@#?z4)Mj=b!t0~zw0j%7+3Gh|SFbHD
zKhOC>RErEfNBc++p<#2|7#e=M9?bN$wZ6W#I>CZpZbbjQ)X}q|jJeh^uw&{bZJL?G
z8j$?y<e_1<q1g3J4h+7Qvn-hR;imhkEE2nQsN`yB^K<baNYPyIPAQ7poz?A$b;SkZ
z6(mJ?%{X%huPx(19AQgT-#Rc-P<xn{7GJ5zv-eC;BXpvJm07|akk=?WBZZ*@X9=7e
z#HeSk!!dnP?)<!?lcUKnq@h0yZi#aEc7S>{xZUymkpgzowf0(3$vC%kJnE2lGi@R^
z(IRvaGXfR4P9KGrC!hERw38@j=)kY-9ZEU@Zuwh#-lnB{H{Og!SGnKgU3a8Z4(`0V
zRt`A+c>nlB+B%l`4C+os-18{WjKCRw?fsERLjQBUp`r*G%IdEJUqTh%ZE@7p9>UwH
z2Nt=(x9fCtO1{sAhx{Z)S}VxTO={GJ*<#N6Rq4OspPrp<PQNj6SJXSJ>YRR~VXvt3
zTj7xoN`&c)iX!ufS0j#pB(Cb4745|%!i{*^YG#za9rn-gV2?vxzVhtaK;HlvcdB7&
z4CDz{8YbvYMLCWP9Oq17@ET(pXBG)+HxonA8h4BnbA%5tSs}1EkJ>$&$qiVC;+lbN
zN1XVv?&UZf)w~?4a-i4gv9X=mb52&p&O1?4d>1dM15xnz>^;Jwq$v#XmodGrzG8oC
zd;8-6%}D;HZWaX7jE7*9LzeKno-&kiy6|*eF`L;I%e9jewN2GBQ!Bd3q)%}X;256g
z?0{Y?Spuay)p~IM?(XF;8FtjU5yb0oD+<KP3AjYofhW6+00L=w=p#c{(2h<Xu)sFs
zm4WMdwa{<8lp)?K+B|<fKLEdEP>BF+v5t-BW85e1qn+9+1*YfkW``M!r-$8Z7v)3O
z8VkQl!ek6X**=S|_`1W>B5~a9yMIa3($Eu6J>Y#op}<YMqZwkJ?Bbe_SGB_CHpj8R
zHwto2=eNL*`Pi}5&nK^a4u3D=3l~WqZ{v?(qz@6#AKYy%09K;NgO<a#z#i|1Zbg-B
zH6;~{OIxD0wyeb{1;+J?TDxcDbr+@O?b%9ie97s@AVKc>Qs!SXJJcPZFsn6P8<u$j
zCft+f^>j!4GF~n*eII-x$7aFH>BoWK9f(s0+<D97I$oN^k%5H!2hY=z#?cV>G5NY%
z*$TMX(iTSDZz`bg5D8-8>NyZ*MxTJhC4-1`^|b{nTGQo>r?a(Z=jPUkXsh5$g0bN&
zP8H_v#cjDWxaBF{=hopErtYce4zlX?^@7hBOzo&o>T5C{Lc5cS25W=7Hu#Jnxl*5N
zuJ9%c(#tuy_ApZD$|7e6yvyjy8>~FLpFdwb(caoJ7ek^@N2#?=vj?4L%4SR2U2iTC
z$rkA(B--b!Zxf9(xNkM~xTjX*mNv~*ngkKn5B#4AXuO`=N9qRkk6zCeL&uDCUdN0Q
z12nzxrpcQYydJeu$jv%FU3@V{3-M2eq+BEh%1&0U5TaI*HWxnqt?JT>6yF=T+zT13
zA{z;_&#tMU>nz?;bN@NdOX?7z-E*{a<=@te1D^x^ZpCYC{K+uaFK>X{{+wL+!Ru!m
zhlo`gs8_S&i~gwxd~;)Vd7a$(8)tJ#u8pIXHiV2z0tT&mp5hkDzdQCz1Xysf0@!Q*
z`ndK>UBb9MH@a++sPq)&SC!YWb+)^*x#J3uT{$~CC(){WWLV66<VY6_gcOhGpPk}R
zWRmVQXKJv0IdR8y4h}Ic%YKBc*f<rewfvkKQ<bShDy6<+u2^}Q(D#~PRh#2jzknG@
z-Lb6pIvCKn?*K_8C+@?%Hgeh2SeACuJ%rDDgLfh$f9U_Sj|j1PHcTA1m*_dH0L51l
zR@1=Q<O#%$Wp_6DEafUvuSY-$ruXIx!#-P^GdG?2otBAIwPYP@;I_W3Xzk~iWQ|x!
zL|&Dw6+T!tc_E*7Ty%twR3oySmeHWcYa%ivj5~>OjrY8M65Uz9M>rc%j-;CzImtIn
zP_K&Ai>~<fp*VjVJ%M6PMc-6&Y<-}s%ol#V_z2A7if=teekO~2gCQ+w;9J%NjMFAB
z(cx#2xw+;*ab1(OS%#dd{xx+K4oB;N4*|s0hUme1#4`cAE4mc&`OP7-ZI-OXIHE-k
zpF-`)6h!=Awh8dqyxx0i?~FC!jU2EVf6awWk23`dh=AOL-%KntrnrF_4(cMJMptu&
zxqsB`$CtnrlxHkVbgfr~p5zdAQ-wXruz!yK*^XHk6BYsgAjlFoM#spt{~NKg_Ikp@
zC=qk~*vH#VZl6zeYrPu9OZIv2S2_A@f_kx1q#d5n1i36`6K{M~^K7ts{9x(b@_11N
zW1kV!UM$U+`Y4g-9a&LFAXk=1yWl>*wxV8P*7->FLSRMxz6*`AHP#l=RhzZ+J2?zN
ze{o&y72<Y2$$X<3g*!2U>Z|37drZLjh?EPSd~Te8H0AJj%Z4*|5Uese&;N|alGGBT
zGGGuJ(OHH0`tRoe1clDn^z-+A&-+yYMzyg+l#?#%>_3CS^@Yqo_w~Hl4hr4A^GGcn
ziNv^B6z(kuJ5&GCP{1-X{soyhE7AnSbASXX=S0ZRX0<smr0USmpx;ASsqwCI=U~LE
zEdTm^W4-K8n6F6m!xNEdZ9pMq3jc7T0&x8Kg(rnp(*{lNxA9XRRKvf*HO%OZsw$ZJ
zP=9omL>RSL!n#;$mO}hnmpQzo>PFw~Se1+0$+@v^lhtG#@H=az?ByhQQ47mE*o?{p
z{TiWam6OpycOcpC0rH5&z0c*hP7O{|V834!eAg-Fj3s2*vv^g)Dr5fY30dr##E|1}
zWyavk-snC3{gn9+Q&IzrY>sP=&7r|TsUVB#%Z)GRZ@B9VI!9;p9T|t)^e)Koe1~bo
z=*z&$7SvhlBa@<{;^MDLY7-!j;eUyj=n7$Z5w_m<6ooQ(E5eO6In-Or|6LqWS@1ko
z3<*{upVg~Pwe5u4#jst#^SqvF#6E3$$LlQ@(Q}q@SqnGnTxRnu@_QZ%5TaoJt(G46
zK=6ueOs&1CvFpo3)zqG1z(U0BjtXFO@70n1cZO3}Q-@U%znCcJDuwWHDjMl!;aJDn
z;W_rLRxwPuwKp*=_0qg<-62}iS{%+~S>`?r)@^I|A=vO;;^ey(^-I2C&OW!$hnz^o
zeys<-m-Ue(am9)%Sf+2}FIXIE>Cg)Vw(;>fmcyyDtWZP1*@ii!$?HEidBID9H`8^#
z*rV5*=nEWzO<sH=H=esdh(&qsN$Bv`n;UW5e!`}5@pXPStkZa~5}azXRsS~<7Zdu`
zyfdtr-S3Tjl%>M`3o(Or3$_vWL(**mgvr#H9WWrxE8Uy?@OR6N^GH@u<{QN%kk7!+
zhWKGWMK|lDzB|YZ{m_1+&m5Z;hl-tLEY%Bk>&Hv~8*QUCtb^Xgt1)+TZ=lGpt$$hv
zEM{HAzHL81CrC=ZvzIJ15mrP>DWgV3$U0Jx4Z7347Qd;FA->3Rs`fM!aR#Gerx>)Y
zZO>uiHhJW4I}!B5mR#^skOne_W?ywD1E29W==DMrUkK8@E@g7H<|CN-Kx3OoAp&XH
z&j`#TN?djt*Ul2eT=^UJVnCf5{{tV*9Q*$DGz?hvuTHNZeSRNrSw|-%o^WajhLmxr
z`^z86Mweljv8n4mpQ?9M-M0c5uu{+E0yF+SZy7tJYT4hZx`}D_i|ET7D-y0yJ4wT1
zd)<9fEq@2#?{~kbZPPZ|2^J$rQEg(>EoC*N%(aY8#$raJhs~y~K*-$bXka=FvyNBg
z_iTBus7KFsB}&rSme6)siT884;CIRD^!ivO4pQ~z;6-D_wS^YEg4&J?b;xM-Fl;36
zl;i=39g+Qf9XXS1@*yJ3x85y!z-XWNoLx#BeP{qRG>X=53<qR!b!%2}ug<To_S^Ms
zxo=5(tmVriClIAQS~eowMMW|)O8Al>UweI-TK{`^tMUjOn=!U<5EkbzmN-`|RU#|j
zv()~ae-S9-%3Mh~3&lJLvoIPlDDCurBjp|T20u{5(vUS`2cB)=)tW%pjgIux-!t9M
zD&NR<RX^>oy$W?7&NPR9T7F<%l9~>hq>$@8-o;G{3|%Bt4(#*k<Ew_Km0V;%EuVZr
z^0u**-(Sb}_qSi8bj$sj!wFupj<-aXY4(Iy#nX=GGyKhdS~au~$q;ANc+0>aEBP(t
zJEO7Xp&Mezp5>G-(kRBy$d%(&`Ro)nxi%q|<Myp>rK(+9x@tMvoa){tG5y)GVkbbC
z-u|d+fWP)q6_dl+64CFMuyYsU%9~9>Ip_E_xv`u3irv7z1F0*}QJA=P@3;W;DcRhB
zisT~h$5+kFk{2olpDXG-1^X~SZ2rCxH`M9t^d@@F0(L=gV+$O(G{8SS!Za>f?NL4x
zZwnV5H~y;*7P?}FYg?Gnsid;6VbxR+s}j<c<Za<qJDTQvmA-xpi;A;=KR_QkWp(Yt
z!bUhwdQ~oEVCEDo8vn;e8#P{&mBwT=Oqs9aw{~7f=imj>g-;EIHRE^rEgc~PDd7$i
zixT541M7Yv2$RHs>O0)c%Bc#dl=(G|;_-xeBYjrBYU?53)m3KT)+cQTCP4ZR7E&jG
zc(&YsgRM}Q#D`>w&m7$<@J6!NF~esj-6&4&-tpu(Y(;jfQGbi;m{0Zd%N2fMMxc=0
zC5y8Fki7y;JGQH*rL87IB$Ep_rTQH~-bR<YxG)3`31V@sf?gq7x0OozhUmxAh4f%(
zkRrjS{gzR<3j(Da>-h8S;4SAh$*cU1mWJ3>AZzF=b)vU#rv>SFYYr)kkY(~wXs}?&
zp<Em>xu%Ie@uZgbCruX-$yAy^&>HO~4gVPDK&iqJA|GNYxfn9JOe?Aj=D?$Xdr&U7
zw4Arz0qZkH(KEFgw;*h!cTN3Pn_nX$>RaffemDV(duXLs1%bh)oU~Pxd_C5Ex|~E*
zl&oRi>Y)_1StBn?0A7kuyS|&`w`y;3y852|>(=6!n0wyiN9v0668ekvoN6A?4>XnR
zF8^1m?#VlsgVt`OjH7Cw?aw3wi=Cj454X0hVg?^whwkoPf;)yHdh*b&iKmv(r;5#9
z+jsXBiJphEXogOX&`0yIPv2^W4xIfz_P94dLPm1sp12NI5xEexq>na?-^A?Z5Dh9P
zoj%5+az0wez6SO}Pi~MSazCQDZAnzYI8&n3Ntw(sjtSiw)m|C0E+Ohs@;M&7HF1<y
z1xVy2!wro!HYu&Blz)Ebz6QRAW@ueUss2XbSVhIsHbE$;XbKy?uyPNt?oL4nAkWXO
z%r};qumtBVAwPkPEs`<MI4xUFglYSmRn|X`+#LPLhQe>t&TQuR@ZF`NzKl*8Fey#n
zHvMY>I#VRP_$gsa*|y2w#BZUF26a8iWH7Dq%v*X=UBL@~xh!+~__&r;kEhz@%Q!Av
zLxz`mHuR%k(0!N)X_!4E(h%d^0OD2CTeTei`S=ckfx9voH;}G6Zftr{5fRJqbX;mN
zX4_fMYrq>xtG#p4n!_pXtY7BF+EgOD;Fn%0SJv;t6a-02sIs882I{23NM}o|AJMPj
zNvjX5T9g$0JG2k46-wh#@S~~BomC9oc4YCk1<*vj%>ABpsTW~wR!{RJL3<PLEh(ZL
zV!YO}ZP>IPEavV`^j9)a2yele{iC|-s3)V+PVfK@P1Mj!JWj++C0w}2%J~7obt~;=
zLFiMcsYmxPmh~jQFP{QM&7w<s;r4yw6Ad}@?SV!U))13_p($81x20BU!uR*(suo}S
z?Q30G+JYVzk7M<<g=6(syq=e#y}i6z6#Iwj20$Zsxz?xm*W{0u?Z%<Q2lhWUm&KnU
zSzvA88xvR~$W76qgMXWkQ$&5#!!D^8vy|wnD?w)`?74);d?c}>kXro5J_wVY1rKh-
z#9xPwO{6pLY*?X*bNL#y2t<R%j~9+yy&1WahReuQd_gy##BK6kk4h{WOr$4irK`@<
zVCZpGJmJa}JQh*{Q<pC{N1E5h(+O1v4TBxVTTMd*7vmfsiJ>h_Sr2OS9D%b4ccwQT
zp`rc;xh)R$OJ%T*Lz&hJdAy0(qpOGk0=Yhey9nt@h9I~e-e^>ve`0fa^h)l^C7d`Y
zXH(jwtl!6O<4>COqr0_uZi+TJC6aAuuepxruuzy%An?6#Trv0TH4&SCM;RsU=%*NK
z1gAnoQ5%Zbf}s@6PQ)zwPyTRYQ%{2~7@K4fAwfQZLG3Aha9k{Q2&BzzXlKKgi9*l7
z(kWY4$y_{x*Xw3d{rjfCt>j-^02aFEF!27w(h9Gvm&p)LI=3s~oN9QKYoEiUC!F6_
z(tGL9lDWIh;klJl%6;(w8K??E+x3M8I5?LQ2;2G-qj-@=8K(x1r=3miS!$`vvr6UN
zSq7rbV8|eO*Bvy##7{0-OOUMrnp=vUgk{=v^ziNipzY~2fyAxWzo9nagfE;o#K31$
znx86LEaI0~TDDI6HYr-k&VBHkoG*QEbp@rAxl7a2VnaHUDCWW}obTqC)w9=|ui5Q9
z=N@sPr|siSehqLol4wd}f5`7D<KpcI&IM{bb3bqJI3koYQ(biPJ>R=w&c+r3N~As9
zkK=X~hyD0JB$zc`kK|AH(kf|lHT#YojWYamtukkGJ2;ghM%6l%by)Cg)2z_%JLt=v
zll?;FY0gmY^Y$O2XE{UgXq$vIkmk`37E)MX*Wr)`dKLII*5xaeL6PQ-BEbyocCXAZ
zmGjpO3XIJ~6xr_pZw4WXy6@c5!3xj;>MSpLCx9VNdG|%cw_E-ho9aCtT907$3g}h}
z5Z!`4cjPVAoFMHIYp>IC%=u6(hItXb@Ab0%16M>ktDT&Oc8NP6O&i)tCi<HfZEtm<
zYZwp=CPz;mb%D>^y2~#rhbJ^GeZHDz@x~*tTkDJiWa+#)a9S>x(Vb*rQ&tNtyj&12
zr`>+@ARL^f9#Zvr(_}@UEn_aH9r^IUqt6U;MXZ%@rw#}{=~D=%1EejK064|(jx+V7
z#_nILr?UWA3k3n&giq~@=JHvr<Hsg4PCe`dp4z?(&J$qrzq=jk(lD`=188BgvF)VB
zOd}R{dGpf}V*AE^QBI#{FuMI77{))w_$!hwa&7N6VbN}EMJN;8oS`zR<o5CqVEO3m
z%mDZdZKSZHD=Ab@@CxV48r+r*uR|gn$PT8YcIW(IbQ4N>u5K|THM0_t2FYVREcHjq
zX^+e9<Qs>?(pWP^FgwCer-tHOXq;CCpU6KGkSjE;)>078-zv#hDEb9#Hwo|78D^dC
zzvGywV%9_+G^4^%_t`YZoG&rbjAb#5)*t~d(fXlcf`NgSu)6bbuwYN{ev^M_eChVK
zqNTxE#{Upp9D{!J9$_AFZTf$;rJ{S1=l2`5U)UJ!w|hMFQebP;>^IY(Dxm-W-O&7V
z^aFhGr_PF#kEg#b6P!c_{?3;7TYU;W-2Gx#k7t0c19;H0Vjr#(dRy=T2ckl_Y5bn?
z&|J24V@+r8Q?7|XCuKYLB95O-Fa!@?ZVUwI@70)O?jJ4Z_VM|^KFLAuZFUyr(uhbW
zl+=*z8syC%X=wx$rdqz>du4p|^N_i4=mCf}fuVy%s}Z>Uj7l2r7MJ2t=3KaGfln(f
ze}kDpMdtKuCsDND#mxQDJ#+|nGFssS{wYWpn>Q~TAz;4&nh_?kxRA$<Ha|>+xx9iK
z9X3zC40{UKn`V!}36}dE_6uM#^IPF1{NQEFl-YLXUl=hNYrq8{@ybcWmt6IkeGWz3
z%Kl#C!W>%pX6`1;8{e4$-}}{62+becI(~}gm5B*SxN&0MSR&LfnwJE;bGY>FN}Mvc
z#!&Aw!EhM;_`xgmQguwmUh(=D$KcN*O(k_o#Hq;dGHeEVQfFO?5ytYYrXGQ07umO?
zL2~Qv+IC?7dBWX`z+tyHL(>i4-W=9gy_+Mk8V(q-G62ANtV;+(yV4<!GF;hU=uaMm
zy~Hb%yv!LaDOcQ2P=}+rR<XPMnP=%zlCc`IN_8`=2fNCR-#GNS@f0R${Ntb_OMk`h
z6$Pq|rLW!54p|`8oOBHQ&+V8gTg{b`uRt^3YTZf<z&q@xg|lm*j#l$(7LFJ>C%jnY
zc7`}rUuzX1YzwB;Rorsr4-16Li77`wW*c&2RXq~!)g3x<l3Q^5h4h}2RP6o?`c8V1
zV!4%B5dz<t#1LqIDZ{kZsZ{bff{iyM&$mE}c3d(#dZ@{X+{A?S*Nr;0IMD9fkWAu2
z(%*`Ox8Ev6lw<0*$ZDGG-+uPR#w_uQu*d14<P+6ag(-nP8#|$0H3u8NaWT1+H*HzD
zxZ9|kxsX;Wmv2?*S6Zqy8LeV!uv9U!G?fkwImQQY`TfMZ7XUDyCJe*+K1?Bw!jgFJ
zEziLs&7p#qe@<+ymMbxJJa=x}GCxmEWw1LOO{6lJ7*Ek;DKm(nP!?*bWwTyLHoQQ{
z0#ndRTng8PqSwj9ku#}P2|}PEnsn8}n$#7Wf^x_&>s39>qPu4+>YB(3-f}LLnwPH}
zRWs+}y@C%ICFD%_j@-ApoG2#OSQB)N!IbvW4Fodcpq5nlbMu>ctDGmMlTMO~)JtDf
zCn}@bFT8XF#mx4}O!o~5zYT#Ule0bu{6_Up&AKLs)nK1#B1_hp$1h+kw7C-eeg27~
zhOseAciV4;LcEHlqR5C{SYoj$`?rmGj<<m<9gpBFIzVQF%dsxGS^_-71dVMC@;ONm
z@_X3LVf^gLOo0Ma6Z3|<{mBuk-Z$2)$ttX~<lTk-vC-gJJD)w_ar|yFM{F&oUn!4+
z`#i3WcHQ);53l=-88aJBC-dKi!#ct%B*MynVs$E3K&j3qN*W|W?+BrOuqH;>c~g9=
zKld0W!P%ZIcZF`vKIg`+dN!?z+#rj-=9+@GL#5fA@xVRMn%)aaY{4wx9J`C6`Pb|_
z7)fPk7m}{;rb2B;8{+~i!CEvxn#eeIZ$#lXoY=zi@aK*Bm2}zNl_SJGXs}Xg?@SKz
zA?y6`Hgh;|hVsD-y;(XGc89oyfGg7M?{bX|y@!q7_O<@D^~=^!myHpy9t6g*z8;9i
z$-3P02!_f9wZf|>Cq1OLVhh(%kTG9FUA)uqj`rm*PFFF%`XFQiT&Y~%0t`6RCs)Xj
z^_LUR&Z^uNQ^mVK6OsJEyCtKThN8vPJO4vMza5Gt5|GV}$drr7{cR6-42ug9520nI
zF+5Dsj`rz~lz$R*o>pX*s{K&%dE_I@kO0K$-ddwD1yG?zff<tmE5yp6fZcGADtkfp
zRZG<O&J4-aL34zdL*gh6nHQPD{+4XEPNmE0ZaKB~$+p43imZNYl}<!+^-6v#y{V~r
zpBVH6Z)K&Rl^fE&t&ewkPT&;A?H}?7&;fCxCxk-1n37DXe?YElHmTJy1k3X6@Q334
zT3^tVY>7eLs0lSfNUliszw#5x3VJ6?%X{k!^?0i9kqwA-_GCG@5Mlh3DT|TrIR{(N
z-?fK1)YT)GchN821~y%I1;Auvq^Bi`A+=L)BN0a(`y_T2`^<W;WH#ODA?gg?{C_B&
zemLj2VA}3AKw<KE`rI0yR=uo#I5_7~qg-kyPgdSJs^$A0ZB<?Q7#%=t{q!K2=|T?K
z#)4~yn%w)h-DAE#ve1khYtDV8?|5t1R^rxves@=e?G@f-pI2w}lv!VYUBLX>15Fj5
z{ZS!+=m@p*W29&Ihg*`2Won@rb-X<X_X0cosgR+sBb0Vh(xT1mrpoiLpaMBT)rS}3
zLDioGV$03qQ?kU)ieA{()2>JByAToHY3%Tiujbq*;w(q!hU$k&#T;oeSN+T`YW$4>
z@yXe5#}X##lx-%{S(Wemvmok3#-Lm{=6)=P3?;@d@ZSg^N$FOQx#L#r9|511c)I|P
zv;y-S0~QhR??Npr^spF@PAHo*^%no4{b-8H4IDvGroTB63Di8qPXR?LU;SId)^|gr
zJ01(F%$f_YYj+n7l+%Pq9vGcd3+IHr$8R03II<mZxb)*hxb`hi(xpj)!Pws$pNM{h
zh)aZfIGb2<IJGgpcBZ}z9cW1|8+Uw&5l$be#SuxNOIKbTr>cJtaVo=o4>MS`Obt4;
zG?0)mFmPbvK{;DfrLn&F@tu=}Z{=58&c-q;<J_`J(IM5{;>4j?W3fhT?DNFnT>;qi
z_SMFnFJ_AKhg9e6)siD)re)zGQ}DWc=~K&P)Mr$1zcxjGFarpCVbVw5a-!zIXxdgz
z8w!thhCO6|9{&w5ul$(#F(2k*&LX>n@WLcAP=Gi?7XWw^o;yKP%#6+1Frj;Ur%SKJ
z_ip6+N6n=Q64&Xqe{G_oEs9>#Lf>o=nLhpfYymryo8^!jD?y2z8YAl-Ige6inxIi_
zRM)|}lzzWB?5tJW)#zqLHQE+J`Ca-NFc8gq(_;hh({4ilVb!HzDgYlrMOSDuPClzy
zL4uKh=99u^ujFQ#i@`0Oa7bqZ(%g5f&^UX7-jwrpFB2Yf97M4I7gouiK9_#us54V3
z!XWq=EQ)JAYTk^ssn2jdK8y$U>0??S?%Y0WWi$0%U4hO^lt9q{-Lyd1S(=cL9{8j@
zzqI#EzX`y#VTYn@mX=ZB8MtHS=f2KijIe78TUMBEu1h<>I~)^%f699u4NNyd4Ry7j
z{>xMMJTk3)YGHonerO{41m4lA0`~U!4Ux<{!vKElrQl%zQbVz-`|uyXO(n4ty60}s
zWCL>-ibmqUiZIVYDify{%%9&T{+#Xp`Q;jJE#{~5vW3;gG%%?Wg_NDMzJ1bE0J}u+
zQ0`>TuTea1J=)tPz+b2Y?Ofg3y7jI4Ye}#Fym*3iVH@f3SiXylu1uCq^;ZmXS^-Xl
zN=W)!6+RjL&*dH(T$6|pqJG+ufvt(Lbkta?K=INqP0qc8@GnEht3u3#I&+xH`$g%w
zorT3sAh{>YAT~hv?H06h$<*d*z`p3B!4ilFg84<3)|AKWZ-b%xd549Q+t!9Uj_t?|
zl6le<#5Ku0c0bgQz-T62@3d{Um=s<gA?(-xeREGcMWCGG1uV&!|1ZA2F*vg*$~NhA
z)M0mQ+qP}nw(X>2n_p}@Uu@g9ZF_oV-m99adiAPK)j7ZJkA2Tx`_{U9uk{&6&#P=p
zUr)t`E|J3*iIwAtiFe-Lb-Fb+UHrT3tb@OsoYGMiSic0%=waM6wh><0(V6~{T;i>p
z?z&MznXPAtu!CNt8-B%{pRx|Pv(a)z8oeB8MT)Oe{yrJvOr|NR6E997=ABc~yI9~N
znPon(PaWpNYieCik0x>9hyCG;(PP(5-#2wxv-@Ik55tDL){10I8wVny>p@v84MkBm
z<y4O{KCBXwmV$ZS1be(D@RNDpFV&GX+163jWLk2QNU^+CCF0FnHwO~Wq0R7RRZ2_v
z7<e0^qVXJJEya4-Jvg-%I{6zjAUoi@2-kWjC(?zj&8HO?zoKk(hcR?+w07QVBrF$N
zYW3^wfxlqg1ao1zX<@lJ?XhCQHYki+ZP&Tn5}tDl%eiCnL|eH8vHwjwnY{kkt7I+%
zyAGM$rUOSxg!iGNyXHc+$-ToO($h6DCM^2z^daauBJ3&?K#?apVN;V^-2y&xE~JOT
zOsF_cC}`Fg%3RQ=f`v*s;L~+%%AG6PU?1u^dr<7{CLvz8AX){oT{!?QOfRZ`tfM)P
zDAPPLLii<u6irstsO!r|ttC(q8P9?3X}RRB0oTsRY{Z&{_-_nu`zMAQ<H*|hkGA9U
zK4ixN<lzapSTNl1X9~#YivB49CGXNvSqtt60T3mcPA&ioIKVI_ZPqpbw4ebA&&wrx
zjGrbN(?#R*R)bV8m@qxGJoUykR}Azq54th9S+(ji+2MhFtUeEjGN@4+e62v+habZ=
zr$1$;z5)&P?q2YubPhv=%|x=OnMBN=vQ2}0cz&m&&fB0|VPszgkuWp;4567YmAU#$
zNirvi`sMH3?O#c_FA5*dc7-a3*9f0aucg&ZTQ2S{`?bp$bmG7?Pl;=&_A`>?sbfT<
z+Vlnn#EB5<H;1Zm#L{N~R43B3dg>Ukx=#j|?)~_+bKJ7J|L>~dz7M64nEcRsqnw4u
zyRw<rnq@n=POE9CfvGB0pKn01M#J)6Ffb%$-3TVxtLsylo><d&!lu0k3;_y|E{DOj
zJUVfMPboriAadMh+7TaymL0BfrzoHB_o1u<CzUFe!QJUQTvq_$2lsDqdGXntBe(`p
zC>z8!4I-M1)&<m~#106+TA@>#Y4n$O6xw@)rn*$v!LSuo>^lI7_QMkeTDF3y4=QIK
z{q-f+wDAW4^leaVXwWu@`tbfsRN+7fpCrekh*(Y6t~rNjnX1R-+j=(VYHfD&@b3rW
zBv2xYX!wHtr2Iv4XTvoiJDZ9e6!50CQpn#k%Ms7YR|s(q$(lonFS!Uos}g7Qsb|i5
z)gUdwpm?n&(TD|*usjhi{hyiC?Ty;9>^VkhQWpp1jsBpGQ<iDzbHBxCId|L|g{6Wu
zW-nncn<c98v%=Zf1uv^hCy?@-F67|0L1W;PR9<9hQ};({sNt&-9ApnxsE-DsJ@@o0
z&F?fjQFZO%$P&tZPW^bUUzhF8mX60=Ln;h<t`UBE^K#lg{A-*t+q6aJJA1F63;AbL
zASG4Ym4537@d<iu_IPky(*mK=E(J}js4^H=VY@peMlC)*seSiSez<QXK_IBIAU-ws
z@shDx8eDx~B2+Q0VmIG-bNh(!vRZl)AF2vqXTPV$(>+Cpbhq7oINhUCwd74fEIiW8
z3T_)z@^*;)2;wTr3!kr5Hs*4D;U@zfkK`9MiSiP$v2cEjZl4FY;}v;GL`WkkSU-<|
z{I;*1JX-<s!Ub7}sbq9p)oxr&7y~fNI}E`$tjT*l27zH}*1zNcXg5%5AndWMUexea
zGFCMWB@;<voCO9=_Mi$LL~?hxXHZZ4925(aTIH^OXpMiC{Z{PlYT#?ML7~8)-aiIL
z2aC-w*ag=6+S5w2w468@FD8%X${Lq3@6^RO=W(htX-Ff0p0OksbuoKHxbOS}Fh=E~
zNrF?_smp6tjTx}0QaGiq25Qx4H!OcE-Bs)f!uQ)@)ymkHPdvoi6C_)I1yIU*D<V@p
z8F*AlE2Qvlt*6*9*y^^c)}Kyr0yqL<qg-^GRhum4-x7V<RFfAqTj@&tZ2_Zb0mPlZ
za3g54=A-xJwSX9cOiZBot~;i^50%O)aaZPcTXwgv9}QS=!q(u(Z8@)k^oX2l9@IuK
zR8ExM1W7ew61u*Zq`q8yha>A!QX(09CWqzy@AJNURogz$CSmW-m+jqmX^fDckUh@%
z@oZp;vUC;YIh7b%$x;)iS~BS!#+Jak9UZJENb0{dtqeA3l>s<N!(gh0k4oBCTMfsy
zZ_2pszUNEl$)2*HvV<82?2A{5N+;F_F-6W349W3;dg?J}IHAg51Ub{fYS}q<LrsYx
zX*RFf-#L1R_Bd_k+q?YghYtHjX4{)<b90_go54#<KL#N?L+C)fKQg~juZ)#$X6wHU
z4~il`WN^!MrWfJoecXEsC#kI)#UTLIvNW$OXIN$pZJbq-HVeeAcr0%Pt;;_Rs{Ba+
z7|)w$7B_89S6WoDp-u!aTzcS*lAyNViLKh<n$}I=CC5t@-@fNuH+4^R)uG=exCJ(h
z#FZkrz#2(807@CAd38}pJbrv;iDOpwP>lUNWtqOLWN%Av)~_8S1hL_@{3->8GmP5S
zK+wo-ym}wCEj8$1{SPeC$%x2~=o7UYSFtbRZP&5{xww>H32~I>SWjus+Q8#r9yuOx
zq`8unZ2Akx6+XqMpx;5p8w8IQ;^Cjvn;Tp+ax-qX%cY+|@BM|R{<E!%0=ASkb;!sq
zVJ!?xR^7W2RfCol|0co(q|V45FN?s=vDS!4qdi-u2+#dFXGWV7=<wMh3RuP^DS=(F
zFN5C(VS*oHI7Dh{!mdH&QBh;a<Ne6otUS6s%+~M8+>RxN$~(Ms8>h9?SJUQEngT|1
z3)fplZqCf7GA^RM2Hs_9kIX@Jr!-Tg#3EUCWgi@wkH(Qcs0AD+<<IDO5P!Lc|KR>@
zMwHBlC$_4kMAVVzV)d~nVB%vs*~>iSfxPx+DoWpEl{?i*2x3cf@VQ%y7pl9TY8#0R
z4Xv(`&bB*q(anVZXMx7<m*;MNaDcU=-Qrui$4xi&lLPcv0Nt;XypP#B{v3~UN4)Uj
z4DFPD==hx%$^{Vu<+7?u86+vC1=OvDH_kjV{O=8lksTrC^CS4a4hFQR`2dcB4txlt
z9gql?98NKcd-V%h#7T#KPiExauNn)y^+2a(KK`~QK(Cx2_Gj@&0z>r>_s)*F7y24Y
z+gv>>=uEPsM6$1=WW^7F|F(q94+3xFcjfXLg)w3NqwqOVz6K~`6D+=mW|&d7+(WFH
z14*VG`uc?n^MEhN?LXTB1OzZSpj1~(t6rA9h2@ZR3Xkg3R4A?3ABA@8h>3SG>dLi6
zIumWXHsR21a9ZyZwgt0x350a3HWg7rjcQ1BVOpYpc;FN%m0v%^Uz<g5a|LoFYYyM=
z+LX|Dt<(!m;i#C#N#!RQziWBi4=lvNU4&J-36<kn1zYT^(>2?8_&sjo&v*mOD(LRE
zH1|ZdN!rnI8}V*g*wL9Wd4)SF)W$7-wEUCssQ+G?dOEd~$nD0vbr$Y6Z2R6hg_7J|
zzqP!B_SpJCfipHW&3R>W_Hmyw95|RXo=gcrkVK40`lpwlG2G6rShGLRaP0J-TFdTI
zl2ak?pXwR}u``WU_{QJeqHq4GjO3lpv2VxnVek<j>cpEL({vz(%EA1WiPsE9T81Px
z5sZ@M%7M#Ib=jrnm$+EAmR2?xAqapbGizbX#}r4eeHt1Ech(dyC$Qawie~P;+o&Y3
zhR^tf1ua|_%uS?)L2Mu6Pp2zc_UkXJBoQ_`PCg5cX$d#5kC<0sn0uv0*+X7}!FQZ{
zXvDpeTznk9&EY#oFCQX4q>N;?Y-B6hfn#MAG!J)O9{D=BAAIH=<V!i&F=mQo)p^wm
zZ?lmZs*qz{DfZl>grubK*9s+l?O*}s6Iijrj-9J_B1fNIP0@K2v1I5jVt;ox_~*|)
z_o#K=^?mQRA~0uTM2;1y$1M@y{LeoMl`5po8nxTjk{f0rTv;{0NZvB*MHocbmT4Nu
z2W0dcLw=hn0U`H!gfOdkHyGmWw$ZbY6R(_g3%cG#qq1zNwNKQSi&-p67GoNTx{J|A
z3Q4o3v=eD;+vTn12DN<36YIZBjLnQ|1VEkb<8vMk&%~?>6>O=IN(Co?5N94VkBC;s
zE{+bdLVx&pE)UNdVz<2qvPp(ZPwyAN5V-C4s^5Q!HfxwT0yM9>&IkSxidUEv(K`b)
z@xAmPeo}|SHy+D<ob0o0BA8ouE{H9z3d7CJV+}Si!}CM8jZWODJ5Vp3mz^vto!3iD
zHA%Pre^=)Z)r>nb?O9b}I_9HjtM(3a&Dm9Z##_RGqA|&V?@~Kd6(6beC3Xq>S$`21
zH!z3UDONQvhDh8scHV<j`(lg0WviB^Hz*&01{+IO)|lD0qq3oFE9U~Y^j$YOFLj}l
zIO+U>Mn2wv+q;5($|?mI7(Jo0r^!wIQ%EFBJF(R=CaYnoEZ^%4YuuA{o@cNRDMw6;
z6*yu0cW6E~d@s#Kimi`K@4butrW>bkf;x}xG}kNswzbVfiaIo<%%&+jGQ-=Kvm=+w
zJo{r|U!U^nCdw11AsU^4JaSrNNa`BRcdB7m^EoiBwTOA2$F@jd#g94FW_b@06E@rD
zp9@?dfSnDmoACqRB!NkP3q(WWkTO*aBw=?ZhD?zVfOTs4^m~4SXE3j{*VPX}E&9zy
zOVnzpgP!@QasB%hSWAZvYelOMnF5+8)kwYTdSN5V%dc^grV0b|5?QZs&7Ku>TdNkQ
zn&Q01Y7s_r1emrE_0yf>2BfUt<$=J-P3Vs=t2MCzAcCp~m9Pdy;Z2I;h8ZuR1W^LZ
zZ^CFqif5Xg>5MQ|%vn+~;nrueu`<F4#~QH3=8n6if$fY82M8<hRO4xbDxrEIr8%d?
zh<z?js^Wnk_f;F!Kb|22N)}wsOd}WamvWv8`{N%)19j{y>!PGZ+SpK{XhZ|23Ymau
zoiZ_xrb<er^#l;J1L0I&aF!noQF<#IF=X6mDiiJD{Ip%9p4Z9!Vr;1ArfvZX9SewV
za+*=eQV;1Yj~t7(rHav+b^^m_9!{FYHI7ZnJ0+d~E90(-PRg#lg&%p5UerN!Lriyc
z&{M}4Q{QmjKgmb;_(TFlu%eS`rM@#5upkw2+IUP-b5(3kkb}UDKz&bK1!QD5$=R{#
zvBSWk`~P)uvsW@`SPp^V-?I;-bUxCu;+MwzBQhjdt$1?`J$ZGY(HNtSGak25;Gw5W
zi^K_*s54e=(Bdy`1f!ZBA(7?yW43})y<xjW42mJLag)mC5Od?YM@7lj7v8H?ohr+U
z2PbvLMU<UVqIv!L<5n<;+t$>d9U*}z`3&&B#VeQY8rv4z*<L4Yr^5~LL-Z9*X1iu2
zQy%c%bV<fp?tU?>C@xdE*LqoAU3lG#q}ww_`Y6btD~L~tX5&Q`fZQ5L>wl1{UMfSW
z;ro4X-2P8hUD-wWwz_l=#ux&#Vgm(vzgdj|9uc!v$ypICTa$9Y2&}Uc!EC5~Zmn9@
z#^>4H=OB$Y=fOQerp@T(fb<b^P+9M(FQhAK|DCvz6T^oCN2t6tHJ4UlY0I;REci-L
zD$9MDlS9#V?l@t#Xalgfm)-JX!cp-&7{Yfqk?mFIzyWtFgcmo&T`x=!ecu7Plx=D5
z3H+6^3_RCgzE%kU`%zR-$Nw!=r&lL>J*QVWhuB?y2RJFeI+0oWH-E}zz=KNp7<Ban
z&doy^I3{)z*}SdWdQ>faq=HRXZeM#h&-aZ1Ny&Fvnc06k*7|t^V|5Ig8=diilwc>F
zR;frT1RY;i-<cd90IQ;QdeD0G$BxR(1W7FfQSW2c0g1oNb+zs6MTSaF#j3=MmS#f7
zS8)q_#08QFPIeK;4I2+@y#Ni{X5cq+6)2#F!559!XRz8Py|-iiO5Fr>d0HrAY`5i~
zP}-uyfVH(aD+{k4txzOI2bL&wk`TD_Bw*%kN9@p5&zFnihU^)vXMJ39-@^|DB^|<M
z;@ufkkj`%!?6=@?`G@xSJS`*?2Mv-PqZ65tBAcuLo2?Z%sTnuCb~d`@G`d=o(MFeK
zTRC>RORDR>Rdp{J56LuWN0UmHmCCj`JnJy00C-3zXI4L0&)w~dLzYCM%6ZJvJdzK6
z^D9o&Kcc`b9?xrhZ+<ByS*L5rLRk9>iC0+u?;|u)2gj-wx?<>xwqmFFKhdx}m7h(x
zNcJ)q@NSiMtI3#fm8tc+UA?<q{x&aIJV>F>r<zN6I5@nF-~}tXHk{0-ciL@kPjROM
zi^<oi)bHhQq+d)?1|-#Xlv%F94ARraz{;kIR_~@e+zUnTj-eMihpXT=->#z9Q_sT`
zLss`kLtN@RHBvUJkLVjuDO1p4+AiTm6(Cl}5!YBw?FwNYf1(>P=cd!{U|Vm&QQYHx
za`(#KXxA*Rn3Pp-i(8@=_EH*82thOj{#!rpbepm7x^s_KNQ=WLQkdIiEhM%}m_5#E
zcO1mvOtHuoaSBE+a?Lg?Z6~T_iEnilL^<|!lafQ3>o22bC`;JJ<7Q08^bncg(`@xd
zvo;qW%O=0hQM#c(EYA{$?IAE%?;!>)h09sis%~%VgSlvt&xv4qIvq3DQYx+Ja2BJP
za&$PRZvSNvw@W?eVT1+4(Rim9h1PjFH`yg2sAZ8#Y&Wc$#Kd>Vdj~(zpRZ|CqFzMH
zf|&H1zfbnwAfj^m!MLzvlMv839l>6JN;1W>zjf^9R}r$mj*<(6GUDFH92>hgxK2Mt
z*)aGrj(ualp<0G#uGm<bm6cuxa7+xROgJNW{Mei(lC@;mA=g@cK&VeHDA=WBX}mna
z)4r5zs5jdnzBXORJ_@)HM;wynIqkb|)gI5!rEa`0+nUaoQ+8f!ccNI|7EA-T_m<&s
z&|~V`f_A5`b7}u@w&ZuH*U=tZo*7oXnKRu!)!wYBtPf6E9p@8uDUt!%l**Qs{sEWJ
z%W9~(yV7*X74YhjCl;66{pSz&%i`zp-{59AjQKGl`)`iw<5W+gw3{Y&G1`(syM!ho
zCAgTwCAj6>|4hPSVXcO!ti+k3s3uGyWgtvE@|vEz%a&XnD|#g?RUGHv?q>g5K~i2}
zC{7CD6`^r^`felgg^A~6bWTd|B2~NtR_$+RKa}xC;>xUV#`T^KA_g;$AL80f#G~h@
zF2tSg#S0o*y)osI?`%9+(bCp`IyS~^$W?usL+{;jsL;^vG`JrZk9kEMfYsO~UgPY&
zhKb%EIBq{sSI;2WE8Ss`LgfrB3#ziu2Yq7+x))d|>zSEI@sIw|3}zL&ZuN`L(RH{*
zC!r;|onwd)gPjc{@R)I=n!m&Dc<fvMaQPdDvbDCV1&^u!BWxRf7Zu8jATw`XFE`L0
zmx+RR+V1TB<B3OfJ&-DsZOBjWH1xUp2F!}2QsXw$@sNn>tI=Rk&m3@+Cqq;zqc-`O
z)O?D&R7~_TkEl97fLgRVFbBJP?170;SY~Dsa!koR2@QW7j>+CDV!u?!-2Z}+O$uVc
zNIi*2$UPa&J^8H#M%GB3ISX!&nG(!Y-g8S~5rX2|<*AT?UYKrbA)3T|ojQ-G0>?W?
z=uN9{p}J2uojPd2&Z&ngcW(`sIZ*$Ix&OGwtPQMWlp{(_)&T07=+>+;7f=;L3t*y2
zF|j`Xkz?wc_jWPa+Ifi@e-yMlE0A+xNQ5>$5YUJ_WQtUUPf0$K`kWQ__Rw+7Sr}8p
zD3=9vY^>5=FD@p&w7fa;PJ`s=e?A&N&U~4C9LgPE#sFXYKa<stx7D6VdrZtt<6%47
zQo8dD6_~-EI#`YQL5aOw2ILn9W17o~nXYZ$y>i|b^5lFhkMvBx!M{rAYhk*hYP4K&
zC?dK8bs8ErY@Lz6(ZUJ9wAvMK8=8xdbt)(%oWqY^RxX=kvv?=JaA|V73cMjd{Mx)B
z^DRJ^8G2l>x2PYGe}L<qLy4Dqgc|z&9zQf>K@izb4>4~H;B^PSK{&q=d;Zo7;tOjm
zr<yf6v5Q*HKlzj|;fpIg@^A*9>)Cd*_niCzFC!kCDGwR27?49`ifMp~h9nE)8ba^e
zIv3G>U)J39sML_N^?bUY<)PArL=(_^e}@CFS*`N)&!!G-af*C0rkjcCnD@&ft$oDp
z;qHU<K*ut0rzFHm0aSAIg!@D8`+**Adc$|`X}`6UGNYn{nd`mSU@2GBK$L?00|!F>
zpEK_hQZn9;9?I;@W@>t7T8H^I#`aO3$pNWMGj11#zVw<qrjM-9E!Ow=*om%70`iz_
zy@uY1Lm_{^^ZNa74v%#H!Lhh$GqBTSB4%Fg+HtQKP27&N-u>1}N&r|`vr2W#Zk1hU
zK$8aMnIqKdY_Z7K=0l`U%z1@M14W9LG);QM&CE@eW<(79X9a=~OPSVR#Q@o_op5t4
zF}fD33vAcwYz-Mb%5I%3-n#GNPqGy}e?0!09lkvTd}tOBJW!c*)T$#@BA`>AC;+v!
zJ?v*#F{T*iB1`mT9`*`6w!?YGfO|qGm(jx~O7k|(gPY4iIRW1NOcTAHgV6Vj-4frI
z)+rv7G-_#lnP@hD*`PQB;U0kUx_29NRN<A5IQM6p@(dDQ1U&~&>xk=^s=HH|{eHSu
zd>_XlWAYhFXVuu@VI0;-X2?<zO3`p!5c)!@oquKP2Px=c^%}~b`!7%ijYYOZwe<W)
znJ;&{DKCAc;X=9O%u`tew7)w`RgTQc_AQdV>eSKO*%p?Qq7YztTT<&@gJH{<|BMZ;
zIh7?FogpHP;A{Y#fz1Pf@zRWlBfkdKfh1X@&I)UA6IDc3w^YJH@b$iPKdtl#TXSX&
zF7wwn2T|<aB^rDbNTCj$PHe9Tek)RHb}Ku<o0MTSDZ{~iCE?n@1amDN8U=10UGWQ?
zN$JU7Y;0hRMB$B)K~`3y>J=xky}=l*_7z`=v+t}lY9!D`70n$+s@b#}>7A-iXVf;&
z%&zo2t4?3`L4re*#0Ocbg<^XT_ZZS;H$l>Z;9>M`0ue9Xkl`qrXRR9-Qrib=rwo&J
z=6~iGA(RD2LZ9MXvU@&6Z0#-e7G_{8FM5x4ne&RU{;C?8cu^?1;8KEFQy!IFhFp`>
z#~z&W8sCz;SXwAk!TfA@{j~qXhmMI`^)V9fz+5=;uFFLc3mrBQx1PHRp@C-}bPai$
z87$qv>GiLRUz)y#>9*5KWl5zU5b_S%0E6F8C@TTu*D>u2&ZqV|D#jb`RlOBezz%#Z
zJX`FpkX2Mq1UaYlFEVjQ0)D3p<TmT{Gf5=4P3BdM;_0!){}W4s+%Mov6Z%Adf*Q<Q
zkD{sHUrEjJaLVbU4>$P1FxqXhE?cmt#bh#+<RIB38(_t~#Zdu4y@7p6HQ)l#Ty|iU
z@IfQ=ct~@V5)QOxk84IDQi8<7%FO36ZzPd~uF_~;#ANQCX|AHO?=`mV&$vx$C)sb-
zMKtg8>!M}Sfd$t(bRdR&X84TX2<$8M7_|xAtAC7eRC0P`*0S%l2~Br`;rW8FC&ui7
zPbIFoL7hMs)AY2b>gEyv>)v%svD;YP>bf7gLl3I)Qz$|`i-m{POSiD;YPf^-6|9=Z
zzQSV9oW+Vj%SOlGa4?7u@m$>RQD`-E%kx6EQ~8eUolz$@g&PuE__(Uyjt9**GrIby
zI`hY(HI#s{Cfpqw`{xPtqT5m9c%=IqOL?XCY5}EW#WztePJmEw>!e=SVwyp$(c3vu
z*ya~nF7%+9TvdU5R3e+#ZI@SQUBw+>*Ne*RfENJa%}V)FN)R&gQYeYvp+s^qz(e$`
ziaX$SjnhjTZ&+V_XGVT7xm%!cqp+Vqj5?4I<REqU??<+d$G!2PobCl?E82AxxBIpD
zAseiz>lKwg*bC_Pc@Tl@4i7%nN;~+w72T-2*AXv?bo}<6b5M!WIkay_Jq%yaHjBi!
zva1mH1QRX_=?L8l$8)ubD--zcW%Q>&D(V+JxXiXwOU?BS&;0ze_S~}DD9=1tsw@kO
zj1DKgJq8>d)`(qh#Ak@NEc|dg!lu{mk{5!DP|KqrRPzC=PLt=Oic;$aG923>aKN)f
zD}!xTYL$%zjrDOzT~FRTA3{<p(@OqQ7gRJ)QFwur(2%%2-rL~fv0`*~`TB%(8`G=P
zZy%py%sd5>y_28m@kfS)h(3}TZnsFV-6^TyUK1XYu;tuYoJE&3i4P&+h=#5oneS67
z_qObZSSwsNgv~woflDsQ`!Yp&9G;m*ifpf9tLR{6YJ7%w+x;Q6iN_Jf$8tp1uU($*
zw<7IfInXV>9haY_l`(NtA(4V~QWC!Wy6<&y_!nv<JT+u{y3Z9J3%|Ws*5f7bYsx*`
zRHZW!K#zTOmxBev4WdN+0|>y!A3v<R&6tG>Npr5eIhu+skJ2M>zf}Tmvh}_skD~83
z^hUZ9pP9DA>6(TXZOH^a_5hlu6tRhmU^U+nxxdPZLLqeh%sUd@IkfY1M+mWgIkZI5
zg4t7SZCpfbWyiVYDr8ms>=8j1Sdd5FjwZCcwfxq%C0)Ca2WM?mHie?pMX%E4iRnJH
zLa=Tky95he+Mr)h;+(5H4v((+{_$<y-z?h&UMmR)xx6|zcODxx&b&O;DZVAj8=PrP
zYqIN9#tHSBHO&!FK)~Po_bG5myndD~@$9zLyFiKSmljMrtvZ&o@lrLe%)^83dh?@^
znQW6RbC&zgtx$)IpQ!L1x@5za>hQ4hO#4e%z5MVW7=ZwsY6DNyWORzzyw=5Zc#e+N
ztrnunEcr!^jVE=b9^^*0bLO3hDX$s5V_2!K;ufU}Qp(Oz>WmE!d)xH%2hPH%>BTgt
zGpgsywQ--tFL37J(6sLOJwm+R@#x??Wij1O`VpX?CkvkzxamF4Y4CIB_1SZ0joM<$
zByg6`#r>C@3T`#G_vCFBS8RX(NiArOpkE+QZaH}UN+=1;mVUR?*uD~bU=7#!1EF}N
zAG}4PCTmG>Hys1Ii2p4Sct}Kl?tS%Ktm~1E+n$nHO@CZYst7YP-@R5l=*L>NiLcG+
zGx-*@uT75rzhiUizzpQ*c5Y$T$&b8%K@5T`UQ{(vE%y!6x#*H0*)SLbv}TG=#Jy}Y
z2L%#aNQ<HAI6VRFd{SGGJ@O7()Zr=1-+XQ0b2M(ny=ASELLb|&@RJn;iR@y$@E+&0
z81OYXV>E)Tm^KfTFWFw1&IMvCZehMeQiri8DXnxp&nb+bTY{eYey4JvqLRI*gmVGi
zGF_k!;3QY1<mX0?8j>3%@=Nmvsfej6dsoC&FHyOFTN3`bAyE7wOvA4h3V)|es>}Jn
z8epMvz{^0oRS7%F>iZM>-lq+pBl>f%n8PQEocCGm&p^#==gfxQEBRWOYi{5PdK*TT
zs9yQMK?sv&Ta6TB|2PNMT$!GA%cms>JDH2gV(rK5-R1Rs@5f&?q+uTKPB;7$6sY^Y
zvN3Ri=o3O5GtdwwRy+f;JY+(vV@j9a@VMfO5ZCW7cA@y(NvUiIx<hDgH6b$)yDkgV
zz&_WjwHNT=$nV%aHOgoI#Y^DYreflWYou$e)^InMNURugr!5ykiAP6Z=)7ac!Hz-d
z$zw#m*xV{NF5tw$?Dbi8bT{tADg5VK_xNrStpk^~Y{~d;wYT11yRhUN7uuIea6iiT
z<d*3+9A>aWfXZHVG6)Dr0_8MaFidx=_6?w8iW%gyK<z}^G;8#yVk`#<qyXI_Pun}}
zsqeB#>?}9dsMrkVZkvc_UKXjB_a61@NF7cy!-^dNT&c`Wtq%_wg?2M+rNf?c5Oc>4
zFQi4+&qF?+t~-vMMKjmLtHoFy;a%Pzhklu<a*4~i9PX}vy$ik9;Z?tyb3d$(#?jPY
z^$~3%vvtKhr&{&=nT-lDcw|lfP}0=%)!kX4*rMhg>YnCW*;f#z6_MCb7W;h6bcU|g
zsOU&NZFxJL18qROFb@WYgH%AMdZvMfzRF6E8;*#)z(*dfcQciSgLko*!s23e90&;n
z&tC_LFhwbA`6(-T7fITYm-5OC=+0z<xCJ7}!1yoOC)}AHs#Av+oGpLPd{_hMAF8Hg
z9zO$8!iZIiF)^mKij6GNy}vlmq(VDI8-!N!Fe#Qg62+`(0ple)OvIu4{fu<Dgo!7%
zxvTlE!Qr2q>@uXycA?CWBW|-kg1!{pwdpMhyS(V=U0h84#^xxrQC^Q1fPVjLSSqw3
zx(9_jDOc8*D{+B)F2$+Qu3+I(JhpOqo02@X{Q;#j<_{$~12Z4IQ&%=;;fY;uUh5cV
z=9a@ZY0!;OgYVGr-bKe2&8z3Bo*hypa1+-K52DtnmVN`apI8#l;QQ%ALlZCHuuHCY
zKRvtYThURsk2Qu3D9HD2AJ-&oNHHh*YqPl->c_An1_h5)h(N4<==+GOKZ-u8AR=X`
znqa>W-@bU`Iwr6)1|C40bs)lu7WC>9Tou0fBsk|j9&Ep028E3OtP>3yYFK6GE-Yvh
z>^XBu@y50J!<s{;mtRH!ity?!!^_A9f5;=*)q72-`<iWF5bPB~2VFA1Yft%Da}%_i
z<-8F3_wlh;-iJlFBa>{lpzrM4g+olROc^S>#6vt=+dHvtf(noD@`Nx>g|N9q#Rm27
zp0S=j04B=Su0vs)JE=};^oPZ@a__5jNiE8{P_(XHpHYf|59%dywO|U0!LEn;-V+P0
z|HG<m@~kx~cwDFj27Ee~gyt-TKv8BZ<DG^-#A-^T;-%mQ{<qjLySuoRn~@Qlk0fvE
zxENkKuo(<bmsI<iFGTO;oN6XCx(wtyob`1;UTc&l*3}l{>#;CQ7g<`owC;&OHe3;^
z-+i{t_5SL&yEwy>`F{URt@p5j?w#5$`?%Pr1eCVp^mY<;ERm1;T$juB6H@AR7KecE
z%huAog8NDuqd#s5CygX6U-9TL-%B0BFIagBkRAtC|3*AQFz25Zo$1j8a=qw`;I-V^
zq}7=|3DLNpTBAy#^GZsm{YhxPvU}#@_~K3CsUhJJ;9M+RVSs^eqZd$BJII-HQCYei
zMa&>?GFSun{G&3rPm*@F>%dTCJX>#O2!x&)u*)q<Y`=N>Y95A$=R2hJ=Y(O|<}S8h
z2#LcYal_vthe)CN2Dm2WoiPse{E(Pkp$<q$eQ+#>>B#BWDMgM-NPCPA3~_l@@e%=6
zAZe8FYQsBAZ7C~I`A*uu3lA9LvXx^*3qZ~#6h%b{!l+?BNMRIQ8$=iJ*w7mRzp7o~
z6u9~c6u06q9F4OmE}Y)~BImdX<!n=ibxbecj`Btod$Zwn=N0toiAz3B$TxH`Ts0-S
z8a@$sWIOW{WBn|dv{X<~-^M30=f4?y=_yFLl~CCf1rzj_OCl_A2obFAC1q3`1ivxd
zCrlNfr$xo+<kd_UYCrA@Zj8K0c}nYWZSmTh$qOIb*g46S-gXmso0Rmt>|mif3VN98
zI}$=d3eCp-c)|~s@tn22^YK3uk@A+Dkzo5mq6<U4uPJofB&XV^d!hCW+L%5MN7-}=
zFzyf0&zE%y@5MF8?J;X--c3ViKB%JkawjlNbnq#>V_RT*hGk?JHBuywRShZ0BTmee
zptP0rF$xScf@aszcnzIdTv(uJH0T~j!AG9rapHB3TU^ypIxdGqD&^8M;d$ws8JL+C
zGc&Wu9>YF(9oXaUh_&|==n9NG41PzzMpwA=j=UzLr=IAab}~=u=#U;k_~zq*qG2Af
z#{ogN)2h$mhY3gMx_LMuzv&@67Bv6dK>B%91l9QjGlaJ9MDcL4VT7pW-;%1aG1|)M
zY<VSysP?x74P8cVI^2AC!wnfnq~wG=O^>Tk$KGUuS4ho>{w(KW^}C(6mo~#j5Wt#6
z&a9+<4X)df^q~+kxL)F!{NtInX$KR4&7W>?BhCdz=nTz@<zKl6o@uh{zE~BdCQzY|
zI>sXNo+uFk=(ljNbcH)9FyO!X#@!k|ay((@N|o|hoAAisdZk0L^xoj8=RqxLhyS3~
zI=5bnE4cS+t)#+8XiTr{FIGX&v`%ux%Z|(ifMgHsg#YTmjt9-S<ra=@=QVC<>j<gp
zLIf|5<ZSzzKZ%jJdMgz>ACrOy=;{F3$v0~LUKUzi!9-p%T7S(IwW=$<?lVo#II~R*
z&cZq62xtzLN4Kf~7|jMWIJrY+TW4q2?NT4_>sskOy{{m9q;z_uzDM_1r(0*mj=NwT
zG{U%s_s{UJ6vEC!TaGn0cC-<%^xu9B6yaZWoA~(IqHpp%^M+M~w(yOg&X~<8xkqMJ
zJCf`#)BS~2FBk!tF!7HW2gy6hrwj$Ih?02VU4G+3Qht-i`;Q+E+X$K|DWN5t0|MTD
zKvLgo)KuA?rEqD0W@8P($9CFtDQBOO$EhKB<QVRg3<?g`;a^~rPNL?qX%E=;oZR+@
ze!ra**xX^;m{0j<XL|j7RlqB$12eC5r`vtw-t~PcC)2C^7>E?&_&^{bPA2hA1!uyM
za_Bz%z~;S>I#+q~v=jRs%XJ~^And$)+3nN3e0(okSu-9gXq!5Y^Xm|_1X2RzGMEJ)
zY`Y-$Mr=~HP*6(XHRoqW1>PjMIT7zN34N@w&Cqe)O_r(4*PAw`4)3!JF|Cx@6{U!w
zZwNEIzQdJFRaNt=;a+1ovt|RqP5<sxX>XBB+6X6$e3c@h?T3sy05RDIg*1dol^HaE
zR#pW__Wb?!a;tYO$BNf>u;=}?Ck6lexx6boyGy03u%db@S-5Y5bS`-6SL&^gGD9(1
zsk)URF*#RV)dpGqImc>a-Q0x0IxoYmkRJ6>;IRd6g58jvMO6pxz309|4Vx-l-UUTk
z2{-izE{6N+J?<ZA6*I&RYdE@gpmzDFWK#pG9<$^)%*BeUBOeV`*J$D*A>YkZ%y~_f
zFaK(VIJA#$*p27AduQrGs?}r}%9&Q!HQhFe2w?)(pI0z$TX(Yl<IL$uf*LmT2T!3z
z#H`dMsQANiS%F=uS<mT#0U;@KACq&M91X!UOiel(Eq?b`*QH`fswSth>jR*I>@}T}
zCJdL-vYT>O6>>+=Qb*Qn)C1hQTK;Fv(L1W_F^<u@5mtGlu1-<SOUHet{HMG*PlPsk
zgrhm~7%YDH^77Oe@P6O4jk{gIA1m%~RS~BMtV8MpTMnepGeWP*hmsU4j@liZuv2U^
z!Fl-8wn1;3uG>@E6tLFVGU+?BWedzuT2qAl$$HEq1&}L~gDf$S%*&JJB5DfA<l^H|
ziUf-5_Ko8WoGPOvS6imb!6NV}Xz?EB#C~rl*E}q%u&3(I>EPkw`nJ63Dt&`l4?yQ}
zFLJb0o0`(zv}FCkMX^!pf{yw+Dsr!FHKjJu%PV`jRJgQQa~%Y}iP#WfqobQ|0IL)=
zs%6+^eA}pHy#WNnQVp=O-Vhyx?>)L{7>m-&Kso9wv-x*LBcn1OGt_71e=>adHY*eh
z4OrrW6N;ug?TVv6qU8qZ<Dy%X6Q+)u_3C)K<y;Im2XyB|&F;X0&tcS<(%wgh8BnX$
z^p^-WvHA)Nj-{8E&VjBrN?8^g^U}Q8YYk*g8I96zN@>Y@39Qa~aM=)renM#!apEf6
zHI{tz3WE)|>QwzoAY2z<zq0LcO;M&Jv7T8SxM3!(+RGn=QS!hoT1`ACs8`D?Lx+FF
zK5Emzp-$YCmu{<?0pAji;J}{bL)3Z~@)^@6RrAzF1~z`D{#H4S(M7v5aH{^cScRc$
zt6aLtfi(rtS*+35{%h$6puv)ow*ZWZqA7H@--CXeeqU?mN%wWKX|*C5g83Z#+WK77
z+QRvyN=gSWUo9LYOyv$+#5q?S=>-rgDOFuUa;{0MDk)MyX5u#bbbowP*{Voxk};cP
z8r011EJlsgRCCrqlmczE%I$y!(UR6YFzB}RJi0AEphreU)n-PLR`K>qpk+QLx<;DF
zF9l&byZqjdtkQYRwdbL}nfE88zgvggU_X*Eg7>Pb99EU(T5LYI^SI-a&2|nkD(@AC
zd(5&?H6rVFz?YupVr)_)^(i!~#!3EgY+7D=8k{Y~oFfFZlBY-x_Sipkm!;N9cUG@-
zbT<CmaNUPj+4ShPh6HUoTT%@5)N2+~?WE|+)o_^;o$gVT&RnoH<by8Lo^Evh;_A}z
zX4HNi?q1n~P1DqgNx@WL&I4=$l05b)y;^2#8^`33!{S}<CGwhjaa=I%)RldTzP=H5
zQ1sm;u<0x)bg8G{^Xxb}EG7Q1W?cHlv3~;PMVsT8C1^oBgRBQo95G`SSowAuAWt5q
z`{)}*e<i2rc*K9+d+bW|v?q4mN5&&<h^*%)mmaq1l=JN3S1g7*bLQ#FV23}^S!ps#
z<F`EQe<Y8E*lMxUVBqZ5_LCR&10gxfoW;on|4v*&tlzf>*%2Xefwye@N{Ir%WJ7gC
zZVcxFe1*`tn%z|_Ih===%|%&8rAeWCGjeF?D6`Kf&~@~im{C1(%f})K;m~zz@T*Q(
z4dPZuuvC*wyayAk)TY*MT?k~F8*N(*h0YrzgdGV0<uYipr2TEI$uvnsRq-&iVGk4P
z-VUMW&#xExL{|;;*iV1CeGtvT_s6mJ^f`t<?P+@QQe>Gf0X6FzT{0qL`~1nmK0ZJG
zI%pVHZ*46aI{yrWH<CibT0eM{*`?R3N#lF2P(6sCmO5cT@Vm#^Ois1W@NRhLe|@hl
zjDXTZ_}m1H;aU3Dw%;LTB0)eRRQs8lh8*FMXguKd3U&5SQOSCG9OWP#**Fux?p1Ct
zB09-h&ye=ZI=MZpke?z^X9v-(i?SjD1}#zBrX{AqCUE^drU3!a?#WjATg;Bs^*@g?
zj*FZszfp3(WqwTjq%0Wp#ch>}PjjRsgtAj!tjrFnb%He1O`G`H`kpDAjYW7o`8a;-
zUTLxN=e(4S#7Fg>?WkSf#*Vr)5jt{RQ>^W0pl%7#G96BXR{-htAv4GI7;aP3h6yuQ
zzr<w-v{~hD)og{RxL%1qP}7<}5m-sLTUSbvhtl%=&nS-nLbF8=mjhMz$Ff9tv^-qr
zsd>o^m-s1;@Y7kB1Q#+fnng%+u#zZ~+wYx1<YU^Xlq_~jv~u(B4(f0x&xT}5>%jhl
zZZyQ_evkb5Q#gHw7ziW@k8Knje$kO<`9C5n=_l-4bi@7We{No@2TD#T*1i#>7M-?0
z+(D^_NaR@z&>?1yH=o-p+^+YobRABGgcz^DQ~z2C_~s&@cnTo-gy4DRL;hNuIW7dt
zm8QjiVFJ7P3&qp{9_XU05Mi^04`=2LOVhGzQ@9iCMvu>WO(-_xj^MDm17<u9iZ@o5
zc?W%9{<#evW(7%i(*$TnJRz^y&e?_I)(P<)2D>Tc>d5Vhx<S=$7^Kpi#I=(*!F@qT
zoq)6}pl0pmYKg|Vr#-un-4aUa?1wC^lY5bmy!iJ1;j%Tq4L))w<t~u1-KRBjv+nWv
z1!WhvN9W_Bio<EU&+p8;|Ch6L8GG&g;it?xB0)$KLsp3Fc%zIkA$S6?;dSc3@9I*x
zS=NqT9KNK>L+CO)=!&uJk@Vi(nHiJ*sqUh=RXrrw#3#Mp1}U`*z7A&Axc#7;mBS4o
zwExq$W+E9-F2wcW)#H`Q#@#SFgtIXfIL*ycb?C-vZDg}e#Sy>wGJwW_9cs#<T5x-!
z;NYpv^QPa)*ynmb2Ib@8{iK1cr;)v$rhW54@FB<)G<z~jdcgUDgI5;c=J%{%rMn)d
zR_+j4*H&<~)%K6KF-hj_ma=9SYiO(rui>cd8V<P6WJ}5M2*o;wCF%QgL??t)CtNl-
zcXDPevny$(Uk{N(;R`uelbB4+%Chs99$7F*ekT33FtoTtwy^b96#YXq6{(u@d@!91
z4;x}b30yV?S*o5_m2(SYIZeb!BgE{b!+ngD?*Lb}yx`nXag>E};IWo7hy05(zewuD
ztxiNQ%5mtvUC^m)``#f>if0Gy@WbKJdWtS$wK8pLoN00~O0N9Wf`hJt!uD8OTJJW|
z(UVjEJV^AtIFgkFqNe&1(=0WjscG9bO^qOe#Rcd}rRHSx;c2y$o8M69avA}Lff{Cx
zBTDw{va))TrFT!V1!flyEr;(nTmHt%)W%>Dc(uKT&a9i@tsygOOgz-GiapQ-oUPi?
znu7*EJ4qnq(3}rpWQev97E=%WHo1U&Wi9-h5~dXwT=_eTT*%geG5Me@ghi38{rCEx
zlx||bkS_wb+x2m|_|~an;`-oAyRsHC$Zxnpj7n&#x$0?GcsV-vl93s~@efD~^Je7u
z;X63RP_Nj<IJ6`*WCM;N%Qzd@>G+3dsLm`wJ%KlNVC==dt*%%EpGr&4XD+JVFn22N
zAC6OhzA|5dH%+ELlMuS;mbaU|uEeY&&!@DNH02$nRJ>H?SjIZyA2^lm&M^0wyC3Pg
zyo1+2+k3~5O+;18MHY<Qt9{>b*iSK?l3UDLTCD&f#MwSB2$%AE80`aL+AykgE1B*U
z+k#G@7LivNO3EvE&l-MTMW)JUx#>g@nLc-nO*cuuVYc8a$C7&Lr3Kzn%B4;(d!iuD
zpr<77-sKqOct`2+zxGsivqlUBo|@W1F|KQ|D??CMF3I$=<J-V_P&fjAe??^lWv2bO
z(m0AEPW_X;T&otA1C^k+Yfe!zfmRCq>`>o3Fd2E)jY~PT><YM7ziNRdqQjqLn2pHZ
z9l%+_@CBD~pgW8-Q8!zWvzI+pCX|dfKsuoQs<Gz{0Ow6uPvGhhy|61qdXT7voaMAE
zLz)WEep`;au#-u%AkjdmlQ6XWC#9Qc;)@$)=TQBwHVfUS+H$cyv^$=FPPRndz_YR(
z=lbV-R6@0Q{OcOb2u+%i1OF|&tbE&(Nz+rZ@zm^F6%qV|N!IBl2fX_S)pJ<1c+@?W
z=79OEe=D!uD_&b(*tR>U^|(?G`cDvup6elND+6Gb*}BD(@5Bf&nr0nnMzwrlz2EB9
zoiyV2<w@&u&o{P}R%kp{B1l=RNLeCTUaVPOB5GNzYFRSHSEGAYB7j+}fLS7uQLK@1
zywWH>-Y9wAD6!rs_3kV_>@0cgEV1k?_52_{{UCY$AhG=*^$j~h;X&=h#1(6n`$y6=
zPEnGopfc;i8m)b8^6II!r1K)H;?hX(eU&fpJ{0UO6%6M<Ka`#Mo{88AJH-RuEyyv(
zIjI1rpyL;1d0{<ed3j2Xikgs2(}Jp)&f~%|eq;ka49f&z^j*bJhIx7VQH)FGe%6jK
z8HWZ8P178wRnx30*QLu0gOJOd2AWO-w^Ti|oN=0M+j(AzuIG6{jqe-QPLg&aS=JeI
z30FUVAS~;Ed_OE(pLjtOE9rSOi)?_PNJKPSuW+LDRC(oyq!QzX^1L)#fBKXo&?)nr
z`?$R)nAWjQO8bm4wY@L7+R+8rN?Oyh<WlVxh}AGFW9upfG!E6;JbH?n2#Xp^i*gO+
zVp`HM%{a7uZdvxZdiICpIWUNIXJ+C#a*%Up+`lU+8JN$$tvnVt_@#L8itN=Jse4zi
z)^WyC<JAw?x&yj(oOgcg`7}&2EOXz})Xoq_G7;=E%_d0KFEEZ*)y`2?G^|1LKE%iR
z>?!5EZlEoxTj?xm*ab$ju3Afxu3G{wU0)cLm`LUsiROI{t+rp5+`66v@jegCx?flt
z?vl1Yt`Pj*0Ql}8u>1e$_?Pz8N}F}yzlF6}R<!_3U;Fm~-Ej4V^a6$VK2XAY-%96w
zTCo#Q<Fl`|4Icl09~JgH2s}@qB~2hm-7u1<+I>$7KTr6N6k(Zhf)qiKvZ54GmGj&<
zB6li7Sc-(HhH)~DJ8?U<BZORFs^dS>vg2;F#{cgxipsG32#V^U1WAgjsQNLAn!gd0
zWt9=-<z>|&8J1;LF>PmMH31=*7M0<}85Y&SDVi2l(ZDr}n!p&&)5^%|w$tj+Y|qoG
z*sixzI^k0KT|!v;8T>#vh6Vcg5G;d21yL-cN{1nUe!c`Lz_8q+IFhknx?zHKSo?mW
zxkoUP8aSXhPTkxmSy2fb(mbzh?iB@C0|!-SfvdKmS+1)#v7Jw=*ZzU<92a2)F&tMx
ziLxA*Q4LcZ*MB2vTQ4Fis#~u@0Jg1{G3{5a*8!op9v9&y0!e1sUb{tVx?cNLZd>m=
zYTd7!cwY~x-Jkn<-$*|ZK=}WK-T&)9L;gS4c@D^rUqL;8p(xXK1feLBX8NG0GH(dO
z$P-5L!~R)f8irA%tn7tRWxxCpCyyUU5T{H(P!y*~UYHZ7%6ecNAy1sBAE5+XIF3-H
zZrqJf<$U}iFOBPqATLkblO!)onj0gp$h@O0Eln6JFD=hFvn(x3SvxDO$bQ2#FOC22
z?9wzZOI}(tugH4hJSk0_YC9<hTzQ_9rEa~QROEa?pqt0_hM-%f?TVsXB+U+?TV>vo
zrkN*<7N=QeoSLRtq^usLS!KVXs+-3Trl?z{AF8TbBrpEEpjnTsE9Qxlz?J{Johufp
zn@=lNIiK+CCvp8T>}P5Fvh1fx^Hc2SnfJ6UCkf-#EoT|$wk@YA>sKx3+3&dSC-KAC
z?q})8y6&gR%UkZ}S<k#LCyCQtFK2*j-<Q+W?XMR(L~f7}L4HsW?<Rl^*E(*)Wr+3q
z<OEP>TNG&Hv})S|5Klu+sjK`+ESW$pQqFwJXgrocBUa7*`U{y-u~N8<@sLuvT(L^D
zit{n0p#!DToP<hiuw1pFjiu6p#!73rZK<IP&f1&^Yki=Ybv{=i(UeBh#ui3vZEOix
zS9NJ^2g$WII^|kdv3X&O;I%fs^;B2$d2tP5v*vQ*oEwOJff&j;u^VGwSb%+rKFm3F
zD{G&hn0bL*!Z~?5WnbKod5L|@IsHmIQ=}EE>+=SO&TPCArhwKqGDz!CHm-g3ORa5e
zvD%^PT>Bb=t!;GD)}dm3;|kubZG7{}q2_(#8WbVJv<<^F!vx52lwsBd9*_B|fEcWR
zJgD%eNCEXw!5~irRm-p}l>6d$tmnjj_Dx|4_a(-(=hVIKO@3;}1xk(Q<oVW3adXEd
z&b8<CJMT?itoH>{&fCOsSJ=i#%vfo}yU+%%i-T67h~Y%!D+Afl5YnwNH!{L-r-R<X
z3!~|vwchJmn%&+ldYJ0=8|@qs5oQ6$S^?8tK2e4tHDdu6ZsZsGLnq$H2^rt}V2$s6
zJKx7Co!|R#_gCca?_v8WOg00?GbEyfKP6CqAwlr}<q3bq|ICqp=c-@iaXo+WOZET4
z5ERM_!Vp#3_eJ98ixWl?mYe5C5)}Xc@Cd&^nsJ=4!n%H(phVkooT$e8jw&}-@E28n
zsbK_FUg3XLFUPTp+<ZyOiu`iR@`}7-P0NacYR@yP+&ocCtNb$446D2%RZXjcD%Z91
z+yYt7^ZbhcRc`ci1t72tOAY>?_yaH~)-VMaReKz1>HqiZFiFueC{j_?GOBV}TGua-
zVO=+@umP?cl<2sw8`bzcaqZ*^!E^1E8pUw!7Anbd?N>TYweRFh(YEiETUEF37HiqI
z?^k<WdF|wh;d<?r{cr3kkmG&dtFY^O-!0Me{U(FL1?kiL7u7E3M;ovILLY#^zpc_^
z5@_S2<@Wnq_yg-Uhd)f-picx}F=@Hu3eL`Re0}S-`nls84DW4ZnD@49+WQJd?`>?k
z>$d8eI9{1?v?xxIvaBdxmGjgjPJuMtBwmGe^)OC}w)HSxjrSErUY;NrMM0TiFj-!a
zq9|EGmE%xFUV$W8ML~sSaZz50rfE?@jpvbNMxH2|WmcJKvS~(<s_Op~b_KF5msu6I
z&Bqxfy3WV{VC=1fB59g_(Oq;|Y=K1=hsE8U#ht<3-Q9h0cXxMpcV}>CaCdh-JkR@n
z=fsJ)_r~q&Kc?$flU0$OU7cN-l{u}<`v(8d3@;RhL^<(80G@I68&L$q3Wk0J<2nS2
z6vOgQc`3#<IL2`XP`XZIOAq${_dE}>XzG)`LO!hp;kuvIZG46P&9Pfe6v?sQj3Ujk
zSI;=XanKG+)4E$rS=qYZ`pc?yuaWZ{ik^@E2WCH{{Hi@~@Ljh+6xV&f{3O>yuSAu{
z1vKyT$RuC8_A8bkWJnKf&t%X4CFU<#_%46qz`lTgc^*o#1fCj!Gz>tg7NC7MkuVKy
z<>DyEuyB+)BsYM`e<aP&A-L;`b{z#WCcIZvgv2b5je-dEVq0p?1og=zyh+U*#Zk8E
z|3wldL@9z1zyHgw&lh4fS;X}tw)cNjpGaC+B<&sb*I?}{Zm&UW{cz?97ZgdR5d(Qi
z=5Yr`Ak&zIJy0=UB}DH32mjjgPaB7{UQV66`GT;W`elc(oqNTK(wzoX57M1`gpxFz
z1{4=HocpAjR-J}4A66g!Wtm`#9V&%liBg`Dny`|zR)!lq7WW;{p0@pV^yCpE>(#i9
zD;@<pmQF(mqaxzr+P*nn!0>lFyFGgZAJiI{-Pe`dTh<wm*u8plZ|>C0%=5x0g7uNT
zoRzT0XBiL5a5wE#rBvqn>m`2{ha5x!jJ}`ysUa|yhx{ACWsVKBoyRZxB}P_F^_n6t
zDeqL8i9v=PZOdr96SInrv15icydf6kiZd<+bm%D*LYab<&i3MCpqYuAcQ#djx<GQ`
zm$`rFTJIWcR8nVAtS-;vgUa4HIxIokX3-6n6F;S9;U$M0>Lqr8TB}0clL1$|0}Wik
zNkw*T6yZs&ELv6UDFJjWS_m)ZMRm##JE@6%=7&pDsMfo+JgD37pMKCIyAh?}=y-v2
zflNT=9P0IkoI?q+b$I?(TrHYgU6b}jA#U%kk_U6wVrO;L*$!ZC{ZBh%BmQ5lQ$Ykx
z+ZW5T4{68M#;k$l{gkXZ<2r-eaaI#WjmUaPpc~a8x`39))yz~+uO&}fYg6_58CC*A
z!Inpc!xZZs+?~YUbWd%nTMeq@Cn3(8*@2wZsw~>f!y<5QjP7qF4&4ErHB&^)nyYuT
zh`Mm{qId^|k7LjHU8vi%tw`Q2=KagsN`|&%k$bYQ6?Z9bXIrO1ni%NMbU(eVcQQWS
zdfYi`bIQiP9i&>7mlSHw5U~H`q6wuw{DTNZ=L-Ye)L^X1{_F|kI&;%7wM8J61Q`vO
z2o9sV4zq4X=7O0X#?MPrTrwrD%%#x!jfBoG!%Ai9FD_j8cIFIZ{>Au$AJZaY!UWPu
z&Wx(s(W}ytQJTp2A<LLajuZ>50?IqVB!Pl44yi~Ty?Bm3Mwb@C5R3aRkyLbi6@*)w
z&Pqg~nvK!7QjO3GuPAHKE~&aA+JW3FI7Sb|jL4#I<Pstz9r8=gmuDAOI-h9^TI;f%
zBbha;?|J-iWu)uvEc3?EFO0ApQ+{8=hrf7FrYM2aOX@&fjZz=d)rYXbmEM5aVub2J
zpd|OSu$jTL@gVoH9}miI_(rn93r+P<>vH<-VnRMb<}T#P-!v9CU@TN%EC6n219;$c
z;W$-qvRh&3%c1o?M`INIx}W%1IdIu#)&KAp!|P(;vIwm&E2_U5cBkiy@OBbfpElya
z)L)bKwEB7+ti36j$xngJhUGr&`w}=c6Hd5*qo3UUbKj=&C~eC3zle{!`~pF^Yi5nK
zE|mR!+l#IaKkUlXUz*$O&j+Xn<CEE|zf%9x`ajnJm_UL%L6Z7xcui598c0hXc+M^x
zkDIKtlIJ(T^7~rpT}gxVPEykK@|cstuRP2@hFspRtPRIC@0D)k#<Xomo$<yV_8sx)
zv@foTQBQ<rRGp*uN~_rXt5<ci6L$0GDy3}(NnxjUF%NbznlyINVZ`VSYoh)uECxi#
zo;<EeLKb(4v+7#bkR7OZN;B%J)^~Tmm8{u2_U@EW08Y$NFCP1urRJVhmCPa9<#>*>
zPN{E7d~My01z>PI5sH@;b~AV$5r3PODoc4H<D7;vvYT?(#Z&EvD!8m@_I8B>(gs1G
zh;-rsG3lyZD^ifH-Q3b%(~w;mkJ?9N<6z6md#&uku3-Ui@%mmVl-16;BQ~$;?ogBa
z+1#{!BVnA9=~*U{*Ru5Jz^)^1hqjgljbrYyuMoTF_@S?6Zn1yb)%~MnMR^F;$^w1z
zI?l_jkj6k;_3e*_P0G3|ob-F5(1Gi_*JoNZ{}PL^4y#a2)&XhdfqUWzUpa5)0+zI*
z#<^PZJ9G8pM)HJp;v*C7D6e?o0(lHPg_@zpr8tVl!X<UZL%Fxoy?Qxv8;%BMMijLv
z&LrmwvcL+mR;74P%28d)QeDd9&l9?$_*v=I3nRz#x(IsW!?<L<24Cba{uix~u4u8p
z%^wj?MvZ-;Nn+%n(~q%_k9ez85AQ*}Lv+8iAiSyzlCwQASHP$%eY0toWa~y)jy9YX
zu2(znNq$Ei#`D1D{+5Wl@r+hl{6+pMnqS&IZ%fy;-l1R6;!FO;V7>>sKo`a;*Q*I{
z`{YPcSkHK0lvCq_^Yxyd&CO+A#)+p?r^Y|@>f?}aCP`(b0}>)K{3a(wfw!3`cL3da
zbS0MOjM!w)#ihIdLez`>7S@;3pMVoWD{n}OUqHgSdhUzy^}lW3s$|bYmM8QMVJUxc
zLgTghg`|AqBDrnGH~*<R(_~+r>@TOac<vn?oZx%uIeV7^KKB;VmRp=+*SEQ@RsA2Z
z?Ez8I@h>AQoWHJ$Olq$pRh@nf`Gd_U(B(;PUF`_*#RGGeinLQ7#i)D<5X3Geu%FhH
zh1=!!>cOKT#+`nF@ql5KsSWhD{s`xNya2_iwznR4M{=&o;(b(NS})bWSJu#X>Cc|d
z+RCs#usr~R9@yeuA66ya7>YFQx)z2Cyo{b(<{s`$T=S;0g@SOwh54A3IWQ!ebq5KX
z7vdWV_4*>gALPsa3rc?0`=b7G!XAE7%i{|};D!oMhM3Q<{iil9JCzbA+!0&UImQZ^
zq;&*~`aiTl)!#~6knKa!6y!zCfqHyy<)4Uw)~pG{yhcbzn{X7;k*i90GXeK$IA;VD
zHODOm-S^U#nI4s1ct*6IhQe~@e>!Z=a{Di+_fLKKQuWTC2}CS-HHSlboqpnCl7xS2
zKWQH6l<)j$4ReU0n-*d@q=WgF)*wakzBrIvSVoGVf<6fKr~=C&Iofsn-;OZc9sItc
z%-q-{(-ECGJ4Y$EJU?z-tS=<HoDA(CS|@aRUdz5epN}7C3(f~1_|U;YOtD>OG~@i$
zzkE=kUQpEbu#YTAga(wvpEjzQ3Hj;IDrY%ZUC^e0P84Xb%U>Gv;AlE<70kz(DZ~X#
z$-oQp9O45RWT3<a_U?Ysfg9n&HGgH*f$IH(K_>vkyYnH)yB)^$(f;`NBEkD%@2c8V
z%QCWz4ui+i{WGWsVh@5X4UF!y^o26Wo%ZA7kuiMzk?TO%4W8deCpP?dOHxGpSRora
z>IOrs`HPa1E%})}N}1NG*UkIc1zwf*9c@q`$v;_Zc1st{+>0km4xN<l+K(&mlgLxW
zN}rF}l{H_-?TT9;N7j|s6xNiuE6^>K>YW$80ShDqXbsI*8o%D2o>yK-ySzMJNqL^0
zuCoFJV^zcrLYPAwL*PTCLa0M5LvTWhklT>mkzbIZk%N#$kcW^-k&BRxkq?m3k&`-_
zQODe+W3*O6&PCS0A>g>pmqfNruRFebxV9;|4d?!Jzja_db}Vu;-wLW;@bba6==tKL
z^ZDL`M@P8TfrZkoKs>rig;&Z6*1hjlqtWxrfO-%js?zTGxIJoVOr;Vx#V)wLb`2Ti
zJ{F(T5|_A4?k<0q(<dBt`ngOpvLkk#P}k;qN5&u$Qx&<5dq>`%3r>{$2P_Tyum=sU
zSFKgABJPiap}V(dyPu;v9waqO?@NyXHvPq}Q9<(n@SykQmt=P`+MKX;@q$pNc_^O&
zy_OV1abM-jzF9ac_27djlg;d6umrTQt`tl4SiWjg^1NHBj=(R(Mm439Ld@XD_*5)Q
z8AImqZ#vL}y0@2R8G{x}98+WU3Trl*Yf~yl=;SgEP4a<FI$wgW+?~MwId@Q&>QI){
zx&Lx={tYTa<;L!{<KO+{NYcL?sV={#P+Pp;-QSlv^^<}?8TMcPn>m>(I#r#4Ku_z)
z$K)ii^VnbX_x)4nF`tVWcrd}<$gAO0MZZO{lCa5Mtnhw$9y;i(+!`p#TA;_<XUA=W
z#dSu)g8?o<v9r}s+UiO0VA4MISN4w_C$Me#UG#VQNgq2;^~HU3{f1|QG~UG4u<@eC
z@Ne)kO}2HQw1XC=`@3v2ZhBTwY>E%ty-fDSxuR7}34K7z;2vH71@`nrVQsXW8lzhp
zmo`i!#xqYAZD876X1(%2`{HM)K0p1O1ZLxO_4E>FJx>?A!O|^#A#v6!*(7PRro3lw
zs(ajW0g$OAo`ibRGeyr-<{DsQKKv0<$^Ay%!a02NaIHLRZ?>e|cgI6i+#?_-GwG=%
z<3!4GamT|+mJoVu@88&8EOGParV8Ty%KO@b0kg3bxG=dv`xE2^%f&527=5tamceEN
z=2rbx-R3)#4V2R+cK9Zk<R&t3Gd0I~6XI3}ym9j<+$P*<H#<fTWODcKWWI$HY__l5
zOFq<Wkl<{ydr(=6`v_tG2gPmQ0{T^Kt$wPTI?%#>pDL>`-7lI?nft;(#U8Cfi?ihW
z^%SlS8hq)Kb5f1YS>EsW&qI^%Z4!7$AIQ3BqTl=f{G{%?6QxAQOj-%qw0SAeE)r8+
zkLu)y;*hHwO=5jiN<Hzr;DRiJldlrzT*vGR2VfSdpk^y2z<3$>DZZ2!&2*R+&G`pO
zuBKa^?QuYD`PpKDvaGgNw1hVR6_USM=7}pW=bV(6V{D{JaV^xaxYZhA%C=C07Kru=
z1Oqj4EvY6enlfM-ZL~ASo~t?vdjvvR+7n)F2|Xg`lyA^zR~f!shkie#1}|=c`%y)C
z<6>x-+1ZF+MKeqdUjGq{f~cC&9%7v~b@<G|rtE8^l%g7dnQeq`6rG~@d4U=HS>nfo
zm%}ZLs#E`(Ej(`0f%i-P8UF*s|11!(|GR;tJ%isooC2e_y)p0$J&FwD55{kw<*xyh
z-e)mn)MJ@V2kJ0`J8!KzRQy^lO!vM)oAj=KdLt#r4abN2TtKCMC_a;K`S_-27tHf~
zT+{^?5c-o+wp6m^dqSx~nQWPK2UJ9Ay~%u`W>97289%!f#<y;p7DtB^_qfPzHVf=?
zPX82kfVS$(##*GnhM6))%Gp$j4M{pIdT)WvZw*-1-U=JiRanH{yh~y(SlZsQOOke2
zyk2AecZVwHZJp^YvdD$>OG&JuWRy$-{q}7D+dK)|qa%q1>9$p5lqiEtr4I5KbGS;S
zUad=wz{kbV<F(6BSIgtuEi&s>wkMCv>!Ypbl?y)ay7`#)11W%BqVCDo!`YoAVj^b<
z8`h%Q@KUsGkl;wOhIE5CbC7Z;%N28i7B{NSWji0=vS+EJ8=11arU%UuO`9Tv@1X2y
zmB@?XhFzpxob(s`Ap5P}T6Mfwn<}TZDnb;E!43EEKK{BK@$AwDbX1hHHSI&aXX46@
z6qRA<La1j5gEHztBx{r(qcEE0C*2afjTu}F>*?PT#<D93uroBvL_PX{-oG@MSNGwH
zr1y6YLaCotC+#6wRxjv0*W8it<Q>D6mV%TzdRoM3Fcex=vqw>(6f1$37cm5>Wo4G_
zCu*1qedc}?i=W^^_Ne10$Vx^D@c84%(EMvFoiE`A(~2bx7SoE6nPo{Yh#P@zo7gSv
zt36dU(5CLTlc8B%PWzWa%V)Q?{bF!vIQvUFVL10}!7Z%KX`HnEGnV(}uMXy@lb#Qb
zFOqll=BQ<vGYi~)p*Lq_2+E2lixf)CU79r8LQ;wTF0$qe6k2n>rI3o0Db~Me&48p=
zxq}|a|NhWZ9c>6zq&8L!zN=;9ZBn#Q{EX@0$x@?OgFT)oQQI)TKI`cr17IzfKijG#
zaAZd-vQ2#lpAbG{{9IQ1JidN>d;xR$3O@-xhoSuA&sI;T^nVsG*ESl@{01Ax2iXzK
zL5(2J$IQfB!rF=-_if1vQ$;n-5gK8DIEtryG42uu#ljs8xjkyvU*0j=LXMnkxDRvO
z1Gg&NiBBVL3^%j4OzjG^17o)g_f=Drmu?-I8C=vlT7`y7g_ft`bFx76BV-S;q#be1
zkTORitA(U1M^BuMX}~4p8*<k|)s^}in)g(fV8o9)19csh>bknK@U~?umuMXSp`{v^
z*bHK$qGeMcZ8a=$ox~|}JCLT2^7MQAL}lNvQ>gZ3t3lA2Q~S{Q*80ntm&X+D&jyh*
zS&voRA<{E3kM+zU?6Dq?u^~OmL9DW^O1H8hBkw;zyz3yrHzaR}tcQc&H`tRsgtWbK
zv;%0?TlH(8n%TDM$rqb$Xq#xn-Yp(%ktY-Eiyhlsz~EjdHtVCX$K*yI;+w#0KX1?E
ztNrUr*P!*A`s=dyAnz;UE9e7hT=bS|Yhihz*}0JwHv`Ad*wA<@^i=AV=Y@~yEZV7?
zXg0>hz7_LA(pgV>v}Z*jNMPm%cBb&=ArsnA5eyr-)L@Azg*0H+)+jZ=eg<13F>x!j
z9$C3)zL}+B;Lfze!~zerlUYN0j`y<j)wa?l9S^W6KTS?U0$t<&#Ta^^$HfFYP^2Hp
zMFBftsGr_N13QXzK+Huv-M47K)I~V`uknDYi*&l*!O)Y7u0}BWkfDpjs&CYw{-Xj{
zz+`{jqsOj})~+t!PaWBxx?=G<s`0u)3Ob4kpE<B~H0N{$m~`ZsbYZ=7Kfqh26IQ-_
z`opX)LfZUNMTXk!0!0FW3?rd=WI&+g_xMve1s>&O9Eyr4c5GV4&x7OOI}Rf)qdbPg
z+dBg;<5}6e765P}rK9#s;7k7Yygwasku>6bZ`*5F&D~)eM`P{RtviWdta^~hU-5Ad
zGDAHSlI2h`PX%nvHKPN;6dJY2XJo%=7ft@g2Nx>##aknpm%7p2jJK&k+&P#B-VrD;
z77Yfqu3Tc{E%>}OGMrg>pD3~#<Up*cS8)voqR&?-iw*OUyVYy`CPFv-R<BinkGOXj
zqSH6JB<vv>H8U$MmS4h@hBm`+T+{<Ep$|WkC0*d?z_`X&m5Vs_cI*0l6c`8(pDJEw
zN<f|Gg_ZwyB*T#^&82^qq;%}Skv5U1i<RT(fTSs`Jni@eqQtw29QYIFweA5QX5@oa
zQTOfQiscKds)n&`!hj(fx@x+yZQ=k;m?fGiSs)@GT)(Jfza-V4pAyx9v-rV(-Sxh#
z#z8fn*Qq~<baPWrwE`^G($pRvwva%xCpll_7zULV?}{(3TDrThp33|<z3vqtD5vhT
zPP>l&FhCqV;zEJhU3zmgiWlyNDSIGCcQU95kGiB#JT*=xLT)z%i*``OG1tms?MYn2
zFY7L**d^X+>x@w*sk-c8wTN9;ydZ!s;zV}Imx*5X+^<od65353w3D1InODg1#w;o!
z8*ytmMfU1RMoqWmnH1|9q5&&8hDv41U8kQPdfqq`NKXloiLeg2?Pasf`6$d(DOd?U
zG&88J((U&p<7ip4RflM61KO&2)K!^z=trn-8SA;uN8r!NJbBb^GTzy|vm1wF&m<5s
zh=StjY!cpvt^|}x^pgf}sGj53RQqk3I8x6<Hx@-)qwhKOsoX(FZMRAt-N$?FX@X7i
zIi|PbPAv3Ye*0s(vt!Sy<+nwsOfmO4xQiidoQO3u5l?Bi97@j&8)L6V`!9!m<>C24
z_3?MCht5oW6i3%3%TWm=?<sHw#ypBE!)>I8q~#t7_qp7r&d;d#ugOpF_2CJ59CLQO
z<Js9n>CN%3c&*Wq`F$qZ_t?4C)pEs?vlq#V=dT?x9Z9xMX)-Xwz8@;(J+zlxS_7cR
zsRiBip9#AYbtcms5olIwgpUDfNFHRzg-BIuLkjAa@~(+#A}1|ycy?G9(SH`j>Q90N
zCDTMFc7}SF<tNe;OSJv0Mjh%kr5tVyXVDglX=aKIDR=cxuq)o!T?yQePg*C;(h_C|
zVOo1S*z0LEMTcf7T0>}Tw&nKAjv$mOb>0;}bAukLaHKmG1uzNH78uS6P^PQpMyYfL
zyCR(2F$t4idU7URh;iI>ltUlAG37cZGuNjlU^<X_`jAYcADYyiaB>NXTuOFMGQ~;1
z`Zc*>pY@F<c%Q>35iphQSSEdSU=}KR@J1Y;|02kn=X@EGIEGIu&7pp*mS{t0CxwsN
z`^EVBU?Q=En!xEN|5peM%uAx+cZ|^K<lv)k1VCmS*-Y?Ys@#G4=zWeW63?gv0w7=(
zpju+*bz&nypVfjO<m0iUjdma=^E@VlNsVII>Q781t4d61kYSNHIihS3b{cEHOIW5s
zusA|(m&Ao1HNu$KFwFP#_Z4`(F+6sE#JcDCG{+G|xyyPy?J%A&RIfr=ujURCqjbnd
zXj%_*DCf$H+rw1<{PV<|t6G`kag1ZDpz^Y@-PyZa#Iozf3Hq(M)p7`^UTo5yRL$k|
zU9v;4s`eRP&3L`=;ZWe&pQp&(u+>Y%n^^WOfXDiv%M8bQ4DC(k!OVJmzR!(;?+hXh
zObc{yDjlBX(%I40<aS!$0W<Og|GhEIoFkAXH_rq>T4~rBNu#qTx1Yi!_;!23Bu;eN
zp7{i)CJAeb+mXIMV{lv`Ru7FM#+cq5f*Y2UDg`_kf(5Rfy2d*hdrENWJaJ36kBoA*
zbNW~n^*&QxQQiEYq&zaLr=>1>Gx_=gn4YbeJhqh9Go<Anc@_W~(?3iTs`1Sp)xDx3
z7_JY$=K)`)2$)3c4h=YbGiVv{M9^op9DZEj8g-_+nIzOb{XOXQJ_UUdVNWr-`8}@e
zcuXc3E2LUv4gPgkAh^9$9bc^=NyQ6_@?q5W#+Kc*Ge_%2PT9KBT5I8`|9ifwLLMuW
zUNbvd96id74CuYXj*}Y{0-Z8h_;SdQ+TB)^tSwxYKE6C2kde9f(Q!fV6}PO2AxmZE
zy$)MH5>f#qV(K3S2h!%=9MW<4AlUMtx}T>+W?|TT&UwhuAs*_l-VmNC?_aJ@!(LsF
zHDE?fR0)1@et-nMMZPh2ui}7Tos8Lo+8WJ2>MTL`deq6ETGF^pqa{?GWm?Ze=OWd<
zR}o&XIhq&F+OHR!Ds=1E=26h~y$3$tr1ABW2l>aaJRyx;uu*PRGL=$j+;#(;MEtS=
z?y~58{LP-%(+>d^IFODzc5s|6xmACk3o`AFVtWMQ6}wme#bXjb@vscbs6aq5gkmn1
zLR6{@C6;)eDWOzRKz%C9tTcxd`ca!)slQoaYw3Vl9Y<+pSrJDm>=9IJ9d23E@y&A%
zxo%)ujZtlisZ;97ex<90)(T5w2aZV)sKu#c&60Ly=)ORzrCOp@qtdr*f2Db%vMBA0
zr7iEgzU^cknuQFB>H7-Aj^FIx52P~q{^LJ9N{aw)e9_ue9n}hNG4d=XJ;%4Xn|2-p
zUHJBmB>)N;WX`3G%+^-6Pk^(5*V`lwJk8B-gK-b|Wrh!agh@(co<Mt3r&CN|-5cDO
z%Zqe&{dM=nMrJelB1!Fm#<Pa`fbmv!P-BPl_}2CZ(EE1m7bkh&wr8ilCq}Rc+bDgc
zz3)q;YqtRI)lwrV*B<7iD<8`ERSt|3=`s+lu{MG$<4XGe%!TrW&m;XU*p)tM-1sZ3
zYOkCZCas}4c2nftm6ENghla+!s<Qhr31ICyjT9HzexFYaW8#~zY8J6{4oiMc<nz*A
zMQSfnq+R$<`X*i{Bu-^gQ5;R{QBD$uy%;`0floMpC|RMu+$dR*uXt&3VW2a=*i2C8
zZ5}T;#xOn<qkj&ZJ{u9n2$?WrU`@C_7fSLlF$rTpiKKnk5imQE<JdGi29a&w&m$P|
z28m~M=#edJGtMIvaD&M+cJRohy&2{aLVJVSIlB1Bv9Xy}4r5xI=vaQ>V+qaPk2GPE
zXwS8a6eS?GlH_%3`~@7dUnh_*UKh?7f(UcKWRNb=HryBtC8gh>kS@Vg(io~?P8J|Q
zHnLx`{zRoiAfYl^yA*2)E3_q%qoH`W71fa-U(%#-oJJ@2yL5_9^KM~qLPn%R+5%22
z`6zwuRG0Q;Y4R(=^}`DTI__n(2$xgU|7N^{OC(o@!?YA)NB<)U3~~O?XjxIDfp{5l
z%smAeG1U3F%gIs;Eeo;zI-dY4J$eZh6wbJYa((VJ{#XkmSoLM$ww-G|W6>EVr-Fc=
zSD8zOmAkcg^puUp_Q~io7Cf*j!^nxXR89uGNiEugMawKhmaN(iX117=ddgSgEpAyB
zS}$wu^aO@x)olIGD%!2ni&>^08(GwrTQC6EL3^z!K}PDzdGTLo?fHGKt{g|XX}E47
zHRS(~Bh|uOGT^uVXH<hUAb@?8(#kMs9TU$;J0z&K>Kfh)D7in-_}?*I&o1SoLm7hv
z(AMAMOg%p?yvbiOFXN554j`qNhF<J$8Hj}haGv-umnmS`Rb77E#!B7>n(A4SF`d<A
zclJsS)dyG9Pftj2q{sb_T;UP_^^XT*_)eaij4V!`m;RliBsUf7UF_`Txnl%z0PjlQ
zh#_nls4F!b`!5GAK>y0SW~FVad%cP^Dri{!Je+-5EzUE+`tptL51`(V_op}U`%+^H
zFt&gl7`OI6H~&$MB+G~wF~uU1j0Oh$Rz%$v^L^vpIxghHnBVxY3P>--Vc2KwPJ0gb
zxp^eTlC&ZN?&!j;_LX&L<C|FW>1yZE&`#UYgP#1#PxTozj_oui0IBAcR8Q3sJ?th+
zByBkFkrJsq;j*rD;3yopp^<&^hyn&h)90Q83dDqzl$4e?&i&HRykYbfSsHYYw{bPu
zpHeAesT-Xg51toiq4!*oW`pE^<uH%pO@mNo@1(IQ3{x3pxs4gHVMO{cS1he&lKM9z
zci?QG*mjVeFfu5NOm?qRq2zE8minNUzNOW->2yf3EppgmlxC3>3|OUea?*!z*cQio
z+FZfc-_g?>M66LZu&8hKA7TZqM)If*0rvIK<|CwGveDYXXMruqG1a<EtR{t*w2qZ+
zynDD_HkdCG+sgH4NteHk__ykaDReuR0U`>EdptEi7BimM^>c`d;Nup2Eo6god7i8W
zHX>fxG)gf(D1}FXQNPW+z<3kvZWy;GKkZXw#saSO@hVVzz1C}Dwa%RTZGf4C{Xg*E
zjUxTD>PzWK%dDkkCl$<R=FIu|4H(KjW1oR?CaO#ubBCb9M3o{{kF!GA*>lGgX%W!Z
z(j#B+d4W4wZd=(|0SdShQ-#R|$Di}R;l4X!mXXMIfHi<Ko3<s^wLwHuMKVP)wS5L<
z4_&+40;WQ3Pa$L_ew%=(w4@}qK$Nd$oXp--&rKVbV;CD|GSyM57r?H?WY92G6Cc;R
z8@b){P_0W}%2%B;mrC=T&p;lCSzU)Y^ylz7R%MQ<!Ye%!7|%5-@J9v1_7u81W8=aW
zv$ek)D5c$-BaxXc7Mmk(Yr_)hW!kYK*eK<0(RBKG|Ci)MG~4YyLlm9dlYx*+zA(Ue
z#Q)L)^H-)ox=1=LQ6Fqbm&i+!VBZIcH~AIAwqk!-NK**RM&yB4dlaKL|DadT8h=a?
zQ(d3R=!bmaRablme^9Tk4IB2?q28-Ybn+zRgQ(}m8$2maXMQ=(biOk>+p}OUxB+f~
zK<y~tmX~(``>zQ<?cS<Qr1j+?Cc{i$<GZf?-`kXzsrPA4I82mNoY^R?*}vSf(VsVQ
zM7!If{S&4T%kUw~2;jjtd$5LmCb3QkeBi5P<zvK)eUa#pg?mge!1Z;pPfI@{u=%)<
zBYpF>Fxb!{{dTq>*pQ@s<F<Yl2VxZma1;kYnfM=l8e@8?lHu)jLheNpdl^&^q^97g
zr@nv8^$d4yZd~F$Rw1;;-Ad8Nur_edK)zK=gLv`#QcA56*Q}>m@+^fwp^Z;|C)17Y
zjb1i;(8l)WErGMk8W2g{@HQx`gd|0vEAWN)=**Zu;2}RR#&C)#dCPkvPB_SITg+Sb
zj@wXM*KrEX*OC#kAFT>LJ@g#@<g!7@c+T-Tv(XpgehN%EhJx8hf3U%C!N80qj~1ww
z&@bby74|5~xNDx|_7W+ov@ty8*J#XTwl!dz+wzhtk>CQHkoQ(6YrPg$8S`X+{Vj*s
z5>O!@g2PJ!+|KqOE`S*t>9)YM>;U`92xqFyHfvksANr*^fd~!#9G;Ww?pRY;S5zc+
zqp3#M)T!GBz!gTORQ1Ur)Su}yJeB4Bz!5p2i;+SsvqNQx@;+05rG|uIz3QObm|?yt
zAxoTf0t1NCLyA9q_^z+2D$y=8*YwWSEwz49@%k^K=1q?)=1av`VAZ<C#@~#p4NZPz
zBw4^LR~^}#((=tS%7}6<L~1le$xOacJs@rqwS!h`eG8S7=QYRq@Z{O)onlEzprh)P
zr0UTmjc2`Q0<n>k_aX2*Cg}l@!lp(Z>&bV|KOa?55`vvUh<A6o>wYI)NmXmJ{*8=0
z70#yOv%nP7tWL`WJ_Z;UHO~1(gh2>>wXC;=uJe2xc{n+yo3rFK+3ASm62zm2Wlq>l
zwpzxoT`S=PwcBJo8Rkd$Kw!GBzL60X2MwE1AswTiJV8PGS7S$V_JV}dbjzc3RpWfc
zeYFa5%M-;Y?w6TFhr5jDhcxB4)mfznpM{fC-g(9g$4M?P-Y)MYg+=ObR?{i3ZGlSH
z^n`ct-vp^jm2LRv*?O2P9T_v2XgT$f1k~q~JGb0COC`{s$^oS8zuiU7FSvimbkz#L
zypm$PWP<zq?vvRO<L&r<?c%R<cq0g``XNV}E!I5rc2WEb_i&gC?Jtnnas`r&TRT;Q
zVbW14Avfn|7J!z=q>I?qm9QI{Uhrs?Aoi64>F-oeV7X7E6zh~j@*WuF`P1kf-~2<m
z-;4>IuqJCa^t`-lkz9LRmn@iRCcA6yuKf8+H*~UW=%k}PO@{kK?5^{Aig8HPY5V@u
zpH#U483B|U6T=X<qfRQcBo)WTkhY~sF?26i0WI75LluiQz=R__T>WXM7S&kXx5dUN
zp{+Hu*qgCm6f91jxG1fz4hM>8gHC5R4o^Hq4UE(UxCyH!FYTw#9!v?2K~o2YpacDc
zXODP&xnrbU57)ec)?U=L$4i~8i&M`JJ{^gKAaLA|^Sv-1H`|FW0gt^5YA`*xz(3b=
zD0s>niJf`N6oWLt19lt{0jV4%zOk27IpRfH5fRDqQ2||Tm9a$jIi4Z+d1Iq{AA!hK
zvioIL8q`UM>G_8e<9%Wo_RT!^se|s58#O#b;(;=}xD)%?jWEPvSF}G8Fnb58K7ZD3
zM?XYePn$YFG^1oUiaKY_Tm+E8l)kAdJW$dd$kp{0NKN(YEcF+^9jU@|Fqz03yY8l5
z?3g@R*vy!IL>1dImzW(pab{|=h0Dez-*Uk`AjK8?5nCYJhwsd}vN}h@A<d4F!oUb0
zGdOjeY{_rGR_-B(%;8Nd=zC}~8S1Z7oR0M5(VJll_zD|$jX|a6XRQ&ReH)b#2GZnJ
z^Da*A^&C>*batwbg?4R45y2BCiZ6h&1^BnC#{@K0r91Z#_P%O2Fy_;Da>rOYE=2?r
z#9lk5(spR^!@+OWsx9v0G}CetS=5@6&lM&RfD(g3gDqeOO~x|D=E;LzsJzUaF0y#_
ze|sls*XbuS#1dQWs*+U})fS$K9UF2k%Fj<{qFDo~{_IA`ju%>^Sq`GiHI*5cTqq$l
zBl_L1yqhTMw}Ih$c{>-?{$@LmQ{pH-({OEXW|uVcG=#UC-al!duZnrd)qMBWyeNaH
zRT5Yx|C-ZB8?^h&yO%-=48rgGIp^LeTi;rL2QdPR2F0%5{G%;@y@Y2VITkP~bM|OE
zuA^S_a>EZ44fX8UcmKS4&cVd;`eetbWS@nb-7z=2`*c=H#irI*ST=G6mj^|N?P;uu
zQ{&OoT#9;05T|t>-6hvtwfc<59e)+9+Xf-s#gk)1q>rP3c=R+k2@n6R?4}<R4qZzk
zvmdURVQ{TEzluShjXyhci1z`#I@jzvmIqx|P9)1*=&b~Sir)I_{5yQE)=9E3z4h+c
zR(*)adqUJy^o;&OshyIB67)1iXQYlxjINM4sgt8}uGk*8Win}etAO5w%tpye@tz6O
z%Jp1bCs%(d&WIsD3rs*9JCPI6hZ<lM#vXu#0Ek<%#Y7gNsIS4ulnaOPpip(%@bK#<
zP{eu!oO}?jXGya*UW6{BIde#6T%GKl6GjgAAs6^4zJ~y8ViD~_7q53_5*ZhGcO=Ap
zl--!R7Y3A54!~B<eHO1pJkph~l}FEhBh%E1Qj&I9qFww6pGr&)Uf5iX#)88BsWw+M
zp`a%tT{?7nT``j5Ld-3!)#uv-V)j`}F>vmTjE?i&F%H1hr1^~ZJ<-<*n}9FLyId%h
zw`A5^K;co<2RbQN&q@!5UuM4cXXfZIgxc;rrEkdfGyqNO$&-PaZIT)?sjHs2z*Ff+
zEyu+|xYhZg{b+_dE};m+2p}Y`_O*yYF@0ufA!v-o_PIWYYfPe=ksj;Xv%m%)W}Q-C
z+%FL6(n<EU)C76fx5hZDiv8P@gTOtaBPUau={cfjpwn7aSKiO=pRVdVuD=Jr$`%CB
zgk3cgJHn3J<~8h6IUDW|-&VN-9)4M>kNU6BQr7L)Z^$`q(Uc<@pX1t`+z<vr2*efc
zmEKyprxdqEspv=O+%{LWMo?CPbi(p?u`TaO`C1wZs989}#kkwjGYPaW`Z`v(JSe#`
zuY*AqsDIm_6Rw@I3_D3UhQZFlGJ=HvZfyO|H9x98`k4{Zn{C>xd1L`)=!`A3eyC<@
z!ntk-)C#>@<C<Z+5VNLS-2PxM!`@Zn9^x$ts!f#>RVzonvi9J~1HYgX=!S#!ZBQ$(
zOWcActqO<x=*9|@WE^0s^BphBXn4DstNT<J%2-^@jXa!Zk3-PbKvnuQ3Bst}Ic@<I
z5G5z7kN_*$g6{h#$ZHBn3_K!*xKnHob@qwW;R7g*qqyb!TuM`)HR;@=>TXAH45iQ)
z`e#Nk;uO#L&*;Q*Y+(E!X-D$NQ7rq_5Ov9fr+gZ#h=fJ+=TGKF6ry@fHG6c`SM@A>
zO%8-K37L89-XzI2F8Wy<$19xQ-v^3Ln2$zQrN>|9U6fPxLO<*qs2pwGldR?SEey=O
z8{LpXHU$L)`vV(>Sz3}5NqbJxMM7zzAp-1gr+aY^9?l6G>(;r6Rk;}oOSyd@v+|5p
zg%6ASq3t!UhI5R_LHSE!Gr{xFp3l-E4qrO0R)+SX?0*8>e2*$=d)I^me9(TaVYM_J
z;D%Rvc77KCjZZ5z3iGG;Z@V<E(@ld<TI`ok#ZF#Zw4LWw12W8#j~v6r-u?y)7Om{d
zO^nU`m?3d6T?WXBQ)S__J*=3h=iXKP$&)xNAViMpRqS)@#9Ov3O|;|=NvrUIkeBKm
zuz}l|iD>|BoZiQzJ<PaSYc8k_nm(+lyh35MD@GuVU~%#LK~?o1b)>{vo1E)u4RY(m
z!KS!bDFKkJ*P3d3I2cz4;)m<dlMO4!6mzK)g5Q)l-WxQbie9)NL$YeM5Z}pyz-0p7
zEHo=RvgalA9jM<s7F&=cU3po&v%<1A`YN?L9D--Y?puiJ8Ha5c<DBpsOlG!tXr^=b
zB0kq4U1zPksBq>#w`g>=n+Dmx)8s@z2~gc$y7|(xhy|N49J~@3KMWJebw@-@nCY^g
za}ffz@2S%I$=~>i1+V<Lgfk3=wNho>P~G)^`t@xJKyNU%oa7wYbm4Yt8{u-LawQHG
z3kqtf@2Q)(GuO4IZ2>WnP9PlIbi$Tqr8r6n+Jp9ZrplcU;-e8#MITdO`2E#F?~Ab5
zRz~F#0l%+WLe}kt*{FU+S$d0R51Kj~580yB9Q1YgIAIH&W|TCf%0$VBo&|?=G^LlH
z6E4H~5Tt*6y23^q8AV`kn0Mg`2AxGbqcb46Vl6L6+wcAbj*3+kK<W!<oKb<9_xG>*
zox2yt(pYcPB_!-tC8m|?eQnD6{$@$9SfEZQ=}I2?#kGVUa3dQlo&BaX-Lv((DqpOP
zWFMN12(_dGqK9l%9$$GwUN>lCXS8iq3O=_;C$Ny0<keW~WwN!xbS6x626h#NunTt~
z1om#ath~18`=>+cg)#Rs&91|G-d{(pq*0Fk^aBBhVtcR{5huHkG4IfcT`I=omwEl#
zF2ldkN>w<aNF%>#(E(Fr<A$VOC3bgpR*Ac)?#B2TL5dfi{h@u(3t)pED(Boz6)>WY
z!Na=d^YrXVV!>_3daW})7l!ld;v~iVeX5jJC^^FkH+BfaPlOz_WsE?hEBI7ur3&qZ
zSdooBE_l+d_=p*!(a&u}qg>QK9yC~oruHnJfUWb}YJOMkPZGfRsp1pF4HpbZd+*Kd
zb#s)nwToHprL3k>QX;Mu91u5lRHB!zQ&Ez~sw%Wv=R{)Uj#iUt3vxeay!~4`(LNa8
zS3J8YT1ZhZLD|DnaO+7sP7{uRviBRNso2m~59Sk$<HoFmd6YSqM3G*Nv^2ed?h2R#
zk)6qd&2>he`GLn~?2I}%yj{KZxWTu<ge@^SZJoqfLU)c5MLTK<^-hh$0L`QncjRk$
zewL-ngV?ypB#Yg}wmWQ4;kY3d1}P&P=9CqV3V@Dq&!Z<e$bZ~U3$M8@xWi!;qQj%-
z+nP0@w!4kcAmQ<l(O_s(>QK;b5}VhWD`R4ksF{#`YA4j}$D>O>uRi;?sci<(V*KUG
z+gYUDV`!jgYEkh+FF-I8bwAA4coJne?krttVkDJVS+1T-^@b4rLE0<-_btBN&mG}V
zK+{Hrvva3u6yU<4^;Nv`f|=$nQ+XpOtTC>_!AO(C+J(c!IwL-}oym6N)}uCES!vpA
z^R>YVpVFi&a~pLa)kW7)MK{vXIdsj<P)t&Ik@6fZh3E3QwWrNL&>Sr#)~=9^)~SPB
zDFqEny{J-aQ@w^Q%4lA<09=&YAuvBe8!H#Skg>b<*9cGFw~TM}nd6J9o@*546hY?o
z+K7e2H$Jev)0x6;o(zFbN*mMwgd|Ph``uytRdR+t?s9wdnD(L*!I6V_Ic#Huiq4Iq
ztho*)uev)%4~R4V75nV?3ggwt><nr>chhZtEU#iXXy4@oPKLaJHNk5&+SpF<%Bb{%
zhSNx4q4Q%Ts_JfZx8u3{ngNf1l-BIQ5QD^Crh}*UuKozQmXwu?D`Ze4&Bf@~snq~u
z2GrM5P6xp_QmqR#+=bb(U2Kp;um&QxIG@Pj%6A-2`J`sivActod(H~;N2>MPHRpVV
zCuL)=o7V}IcfQ4>;J`3#2R|_T(E*|D_*DGm78ZJBq7tIcFM|(|E;?VasB2;^+JCEB
znjNIx-iwZhwa#tsa88o$dbcC~C^98Jj|~?F=9cQt<!hw2a`bwdFh?pu&l9Kl)>#h?
zn8*=9Z~d8wKUk($<&x6j6)2hy>&Vcm?Dsd=^*9sXBdd*DoY7A7;o8TLCxS|3qsh`9
zH3KE*oO_@q25RhB)QD``{6#Z%p>#&3+nd!#=J1D%-;PU(`QeVJmzOxn%p;vAIPP41
zsIDPe9wq1pWzG~FQjAE7i}#f;!CnD_Sr6k3i{$bJ5YJoCaL`dv!){U~=yx{Z$^PVt
z-Dfn(C>1zMld%g3m@b}k-l*#lI<$ZJ7_KI!F&Gs6frn#2YL{t9IC2CgVax=)Iqqk2
zx9hfx`GIH?y1OGNSa0_+MYp5>XTv?6`Ndr<ZnOO{g_`kLH4RD3smMm7dNQM&6Z?=*
z2TocfK)SLpY3iPJX_>k{MJMnKMve*BZ((4dTq$@~nZ{9Yg5`jkek?IFvzv`J0>#AF
zYmqJ{Ya3BTenQ?qF$|w95&K+fqwEVu826Y^cK_~Om<4>X?J~t@F6}GIjL89?dOx=X
z%C^xb+gq8lJ}{<hdzpw6!W_P#yW<?78>tQ9@l$ZhT%DucU_$=y_uxWCjK;eLH71St
zStKy)adT~z(MO0$7aqLAU9a@ROpw8{_6JY3_?UK^Q^OHYc@#5fg;QmzCDr083@z`?
zxWyh0)e<M}_h=Zz!?2>J*$olVbmNhJd1%w}3Gu@lcgI|04SuKb#Wqc$>MoP@t|k*q
zz;Su?sNsat5&4DPwBBTGKFOoiGU6RmRwUi5Cg&GM$(x+;AP`su12=KDP~GOLDj>>M
z^><YJsNZ^p!iwS*E`hDBzcLfwdAe?Ti9VQS$j-80`$~uWV2ixvfXff=@9w{lwsf@S
z{RPjpQ3q2TNpD&AfEsy2rY-g<jdLnC$->gp2?-7boxa{sCp_c*^b6<p;;SNv@PF|@
zE=}Kt0#01(N|Vq&bK9%^@Jzd}rs^ktO3op6c)bW$avQuIMS<6_ir!Kgx+MDIWOBD{
z%?%h1#EZl1V=3I=F>*P`?q`dSAn=^iYC`4eT8^tYJyKBK)=k4rlG~LQ(@shfH3+|m
zRa#USpN=JJ@p2Ay3f+Opd}XW5?46tF5czI=`7`D!2sVlweXLhEoizIPNc$4`Xsyp#
zi?(`?9rimO;6*4X>g9&)u}Ns`?L&}Ts;tk7n!EPr&@-5$yHS(L&_jEA)5<zefXRW`
zw2l6zkUj9~xak4!CO)uLHfK=W7EUod52bIY@J{xzdWP(%<4~Guj7Q32Ik}lvE6Cly
zm4mw$K<-%;14rAm&?US)KAl*nwXhUB`2soRXa9w1uXb}*V5R<gF7(gg5Or-V-o&%?
zbBvWgJVA!p65?4EB(I3yR2-=6#xADcvfQ2iSJ*??&{)mhvz0z8$2t#HfxE?Qb=MLR
z{x$bsx@~Jz%`-@@R__hM9D1FUhFo?#Ty*NFEU#}pR#*}&NMex)sZ$k&P@Q;d%|T&(
ztKJQ4nb;XMYm@rlt6i<qmmN+<vQx$~gi_JogyX#u!J9;gS~O1Bk}d@3Z4#r}Tq0qN
zZk-4dlSh|Tn6-2F-cO87n|bmj?@at~2Y3-|VuD#2B>d{wUol~z#=i=8y3^$W*0Tz+
z1Jv{7&2Ry`(vMI|E2@8p9AY4wjGzj69<+h=(0^U>z2;t?qYccCTOkM?YAm+gjb4!K
z=<Z8j9@}Tm*$t?Dd9?1{6yIu@L5J^GI8ua(Dvd~V>n3-*7yXa#>#h^l7{*|tDi;L>
z`T;kJ<Y83<g>g0E<J00bIHdkVPepTaTn9ot)I0B{6AXP|W2@utEwCXM<ehuejb%^Q
zHszE;)u~?Bh;n5O+4SS(?po-0jv%xN`^@=XIe?44B7V)2Yz#Iwv27|6?Q!vr@=G7-
zMjfS4IySIuz;;gUmWneeZr^I%wdJ7C&u-7v_{jR#Fzm?DYe?0(z7;NMFw8uPQzs(<
zdtT?;=!00gVWk=^;^@l*djBfpJC{)=pw;0*+e)*=uZE|U5NBg)(*un6>|Rl_7mhMf
z+wyi-IqtnhEb?K>H96+8EEP>2s7D3pR3I#s8b%NMz{Jv=FiyiP40V+BGP}$G)T^7f
zYwX(Odh-(<DdXx&kp*7e+65%1`dh|+bx^_@heW2yHoZ~G*D5qY_w-JtPcoUMT8OJ#
zwuYC!E-tZk7rwdC44uqU<1KS`D<j3{XY7MJU=tAS9(wX%?PL#W*Dl_!Bah8+!txh;
z4;da+y%C%<T~d)~V9H3@Ba!lD@Jff^IgmeFMO^8+Q2L-F-@BYF<IL<H4B!mDa%1Ax
z@%(A~((F%=ee^EBeD!$!F^Ujur_}qV#RVYZ5k($}3Ol4wQw-12Bcg4~4id$ibdgie
zNX+Med``D1=D87@TyvDE{Oc2p0%Vxf19(c$#l5KC9^cLMvd5<kDH_>5V;lb>C1{Vu
zb-}fME|f1hefRC7b!p<r*D@^#7t_1zBd?UA75g;n?P|wlMNhkkiW4V^d>2{8m)RJ;
z^uHAn+0F^!QI{jZVbuy*Zt+r+Vwj{FN-+$Sm(*1`=xPpYLY~$^B8suu$ZYvgWj^vW
zM|~<d<e>R+rTU(@u~$WBlG6x3VT+Jg$=R)A0*i<;UCkvx`~b4Ubseqa;+SMxFl9{J
zt1dCVfNf5H*{igjh4Ckv!5}^l-JSikbcwPe<?IsaISPOm&4I%icx}T)WcAS<T#Zc_
zk=Lmuz2@%lta|3)(;TRC!iY@`yb>a<Jo$>2+)MM1J@^nOzL^GxOxulc+8^rLxml=J
zx@$e_P_J3ob5Ux_KRAhnp&EsFnog}Prf67sBjv%~)ztRI*S1mdzi54TFe!B9=#W-H
zo+h+ALfv)CHj|qJ|6)?p9bUfuP%R`FTPRq@87B^DH}3N4F10`Wm7ZFif1igj_9n+@
z1GYO18Og<qk)E`}6W1LHBdhaf)U`aufi{snM7GH`*3#5`EOXlJI}+(`Nnya&1zQhP
zn92J@Lhbh80ke{Kav=#DQ69tetneGNc3JYi>C=N|C4<Y(&N<!5f%}sH>N@Axkcu2&
zOTUBZ{<^-8LgLklgU1P~aoI?7G_E-C+`(6hevA{=^6?CJ+EMM@a|Heeb7rD9uOD=T
zMuN|d;F0^Zd|1`Hf)TU1_lvjh=2xX}bZ~u#5AREHMW>aPMEXi~wU(gN3JX>vP^Unn
zWhT*B9{iaoeu#mb7-^h^-EdK~o;Z0??7c%iqvoMFtJ_T0S2$gaKFoid1QM?#4H)E8
zCM1m*lb)yyJ`Lrg42gBU1~=se4YdmkgDYyB64indwFVM33KDe=W7U#lwH9MF8e?@H
zl-2x{wR-c);D#k>ZYJe}rtO7h4GSh&_a{CGN7a!>`O-)A6Nlv!N9{C+xim+$mB+1S
z4$2P>+K9I@QMW39Tgk~ge%d=Fyj$6<TUG5_#f@7{-dp)D4Wh*f!&WNgQ@6HvtL$H=
z!mZO*>1n$!k6!ON-rHGE2k#BuC%i9s?@b>lKRvz?1ajoK4u4C@;i?QT+g@p=sf_xy
zQ`r35Dgv}K(ad?C^Hs{!vX-U(cg)Y3Vf-+SYqIQM<k8~nPy`1(d;!cJj6wRpVv@R8
zjL8Go`!zlvTq)oVB+DoR7iFc38M|R;4ITRB&gC}aHJ0|D?l(B3`q1W}RGp58Tf7bK
zqWz4b%Bp8&=h&36EjlEyfF7bh!EF6RU+IYnVMavxC}yG~;S302mxuXiuA`&C;QDMN
z_uXBP0b8c+!OmB>E7My}tq*I?$l|S9xk;b7oD;N)SPw1Tn%0XRPWqmUc?zS<E6(RM
zpL6C_JD64Sn3vr^I=?LAEE}mC=Np%uK)RfkNoS2l<~2&@b*yL9?x6LWtW)Dp?eO04
z9gcUl>bmR==N(de=ftDK`u5~Am`JmY&Cf8*-{s#Zx1u4!I)&(mA+tu^UEftdz?@+`
z*yyk!`~~_LGTDf@5Nj@dZQy45V74F(1cu|P(R8TYswn{SYnQn5IA;oowF%*w2IfE9
zVk%k=r5eu#@UHK$o@1-jZtWwih$2bV)onwGlrcnW)#&^kIs$adSA#I5Yk7vqX71p{
zSDnu}6{0I>6lx0zCP)-j*@6tt{Om^-w%DRP?z*20PQjuXF~eX-R$RgpA#1<rt88Up
zj8Sy@wUn!1CSGw)_S-30GAp@U2P6=m@|E8c!<}$p_6_8pifM??WDXi;)^FJ<Jwj@X
zU@dNyRwtvjag<&>$zu0n)RHWpw&y*qtF@f7d1L9r1x$Z9*#<O}7zJ6zmw!}d;dY?%
z{n>U|>G(}>V@U|v?$^RW#_d1xb?6`<zv>qy=j6CE>?(iLu%Zag*tx-;3a!$~2M!tO
zNC|_Ac)r4DK0n2t20LJIgeip-c8}RrbN$n-mxxu8z#%o2Okx&GV&1Ct$E+&Y#8W0~
zfuds8&2s8&r5x{Q=zr1l4$!&u-rI0(+je_u+qP}nwr$%ub$e>}u5IJgwod)^`TgH-
zCfPgL$zZKnnM^V}*Yy_mH6Z^vnq1otQ@i%u5>g`1w-w)D#J(lICW&iCu5N9nZjbI>
z6xYhczB01znPZ4*mn_#BbBXfflisp<CGRts-(+Enxhs`cPXTE8L2$qC@~i%y`#uf0
z7kD@Di@3S(dlv})M?@S69wnrlh*t_$C8V85fCi2TjtH3mmJpOiA+~#lrdLPnT2{BP
z+$p|#&RxfOF?;$X-Xj&TRPa&YIA${arSmImz}_~hR|4Bb*Ld=h``EqhW?y9?<dTST
z4E8>R1Zuam5bJNjdl3|5r|#tejGjTp8HCdI781vTn+JJau1nfAx`*#!-HVvRdC-_1
zp&M@1=(hTK)R<1e;k%8??3{ssI|HXT?X2Ix%PY?AX`Acu%{C(MH;dZEv!Yv4-wLci
zol>`}hungUcZYjZ^Ss-dxxwkzbHp2I*%INEL)zlU)fasgyaSv=s(2zhmryw<vx>xl
zC4RNZwm-LCMc3y#e0>*aaD9lw);QAP!ayC!qjnE)(N4`QX*t7rHK*q8oH$+)t}Chc
zImUMI&Y=n9+o`>sxPaX<J6?sug$Ack-!dVibU-WC#II#$#_gtBtY$mHO-z|fAReGe
z$vI+8`QZ3L=?nAEhLyfO0ke9)Yo5E}lbliUZw(}47BHq9ix^-XYZ>G<=Pr~YJ(E?E
z2+{3WUS&7hd#RNxs)mRwXtd<|iUtO3ABgubC!^RrD#=LS;iNR`NJ@suz40j+s1B_t
zu%>1hr$Y-iVdg&&;_)jab8e+l#N7arVWn`@i9~tqXsK{x!U-b-X-BFu&Rk_YF)ut3
zaL#m?`MhWmY8s===#E&Azhaq_juL{~Np+AzdZ!pJzFA!mJAC^D5|Z}$5_nP8p~;m`
zv76iSR9YKhoc9mlqle)7|AI(Kfla8eB?|-GBPQ;gd2@U097uNz_Ua{kJw-f8@xTK6
zP5;D(kEv$Cq^&dKitlD(*5dk{QgA-cCn$bO1q8netSbrQR~DR7O0Fn8sc?FOKg=;a
z$$-5zf59#Cbw(V>UzuJm(1*U|e2qwd*Y&v^Gkn4tGZL|~iT(C^kZkA|21_@Dj%7+t
z6;9T4nry@y(#k&~-nsu(Pz|mQM5u(mL0n41_{_@Na|Q*qejaanVZ_I|yZOfWOm64o
z-?bYrx_g;}{9xA`cYyc-8Ef!bkJb0GOFG{6?jHY56vNcOa*B5~R_^0U6oIfXo<+Y3
zo`TIB@^QJ8hh#U8!D;SD#eBthoFwK!ErNq@PNICqEQ2&>l};?))`4*6n#+@9<gvMZ
z>)K6EwM~hB1{}uOsmP9UCdwsQgnL9B6`z`5%58`&9LWPLoCjJ`9%RZqQprVBfR~~$
zB73fDs`QyC_auSf#_L>#nk12z;CpV0rifXXn2o2z$5!kuE$ZfQsW3ePtZI<xSeNW5
zjuP+1nVn7O<gYvQ3VkY`hdJ+$;;k4nhYHBNqWY~d^v#+p^#sxtco3#aSW|Kwh(C};
z!^-$TVQYS@bIZi?4OYN%!f?yi{0ZF0xM@(OZ&`6%JXvP!yd<Gg!he4C))AC>1<^Hd
ziu<&*R9SJ{VY3a$By?MWR<g(w#q<Y{Iqi0Ev`DMoud>#d=DXy~Hy&lOciC*8=sn2v
z8&#RE%kufB!hA4#ZBo~S+VNKM9%b@OS|Ij)O!J8wQ@oRl@^qY9Nm~Kam3)AD2$niI
z?#wKoqH?5~`wP^Jh+-TGd+>FS8P8%I3VR?6g?b=MnWpTN*i1P*Uzr%a5)H;;?97?l
zeB8^K;N*1?nLf7D`;Tn;I49rv6%(^wxk=4bvR3S+OKeI9bB2jK4~=OM-Jxd`oslk$
zj2D1LYxquEYtpk(7w}%6c9Dr55dBxBbwWM9O$zp;FV(=Q=-85J<eX_Ep|KBPUp6d%
z_AZP&`wpcC4DbZg1CsUAPlqY@sMnXpY}GtE_sBT_M0-?jOuJ=nggJV2Zp0gRN?wR`
zZkBzRq;FQ=lgbg#M0EXB36IuCpPVi$6wXv~y~GRl)-9g2V&^cQ#HN-q9?5q;qI(CI
zX=?ZF*tA1XYL~UIYZkfjO5!%gWZ6$4c1HTP+g&2A|DM}#PgAnnuoV0(WZHUY?VbJ*
zm_zKCD2P|Yd)@sv_MQC1@`?AF1Y0ga|MRw5sCP{CuiiBdIJ)7}En^^&2$(nED(7)l
z==z!rWdo8*2Osd=R;z8i>bSaYw6NQR$^G9#tmo|?fV<5uY`4qU%CSnXZ#l-h=M)vv
z@v5XTwm4hHINpM@3#vDkAbgS5Gqd2A&=)d%L=f*hR79?p6m0-uM|ANR+M_SDbRzCK
zl~>Ksp0iXU*iu%uxnwfgT|IU3U>5yZ?ve(pWVvawikXrjjZbftE&QSZ{mZNC1LJl#
zRGG4@!YupKbXkSOSk(Zp0{rnSOqF1O%05_C`D%n*!Ym6Pzd?2x_ImlmNe&Ii+)2HN
zqJ1hZ*V!}F{FQ@5?iR6!BGXMO4>GOCxZa`1<o4mqSP!pP!BzzBp??RVQu!3*7-1^p
zIH9p}yM87br$8d2=cdFx(+S}{WSz178)|%<B^|G=5h_>37@8_m*eqGWuV${330=?i
zp<|)7kz<kdF^v9E^;RT*c9v(%heaUV4HVT$<#ljM$U`XJ>{6{<GwpDitJ0G3*#+3W
z<(PF*(fXzLqPIYPxIQl@!Gd{A#c9@OZiwdh-jJQQ{N9MkN0HA&TzAy_pV#5zQvI5o
zw-(1)k-#b9p}=_p??cR2FthpjZW2KD6H+;KI?OjVUMLjXhfZF_UCf^1T-5ZOEKinS
ztfEl3;+*yVj5{xPCz3a>ibbia*%f0VYsR947WED9Fw=tKoHtKF{^W2xtTWQLk^cBo
z#ufTiSufgHuY7X+teUr3StGfAL9IKWrA{1Euf(Q9tNvnMkK+`=^jv&<3?4u8gyRC^
zzP1xRty8WoX)#5qlE)R&VXca1K2FXE^To#%k;E3x=XLkxjNkrrvwJU)fJmSc((5ad
zKuE*oUi3KqV5?vb_2axWUo>m>70=mMzaT@!HyWlOVZ1px%abLXMF3(gI^+w<_>;-M
zv%0K2W^dr;7OOiH>q9XZI}~a_VJM5Xf=IHIRMa$E#DX+^OaxEK)&b${cwLDM`KZt(
zr2<Lqc(>(vH|}`X?(1YXZ>p~=JK%-!`#O%7B-U40NfK;o*ko!rMbX$&=#WSjZR0{I
zs)sOadS0g}xl#~a$*z*a!@=x&=Q-edXML+Dr^83V#RKuJSU}kIUl7uRr$G4PK?zn|
z3^H?tf{}JR!P)UkRXg$v(W0&Z?#mwV;hs=279ujZCze8@Kvag;7rO6+4?n5!KfK*S
z@Luxbe+Yer6HUUuMv$Y@v2d8sW#%C!8*qO8;&5%+ngckCI84GTU6P*nbKu>Fh?d7#
zghREHWyCV3h(auxb;=$#->H!pR*{Ueb*xY|Y9y%J2KXf%ymk0fnIc}!rq~7_0=BTJ
zjE>u*Uv#hP!~=hQiKpIwUQyWFyL%K5ZXXc{w)o8PMS4z>KTVN4+|RUS%4dIN$aiXS
zpIOz@7`aatC>fuT^}lopbYLHh2(Gh^rm$4qLOjbkKg-Qz*;8;dXKF7g%W%m2s@>w{
zD0rcBgdNK=<a}Kioz`wk_s!FZVB|T2nE4q2aM+et8nSH5_X4g2TaI$PCpnBJIrx6<
z4r%sQwOuFeNj;U4Y&Xf%BI45Cf2;2>F+=Dt8WhB)I7N<mVkZ>JCPGKDiOHu+F+*FG
zPip<F_FOP2A7}N(HJE6xP=2V^Vum#n?x83kby2kXt!MIk+wk}HhH6({mAiz>6@B@}
zwp@$PXYEFp8AEWB!ZW}I<~pTBI4&`zf|EI-Uvq&9rl41^&E#ib;Ha-T9z$?m#rz-A
z+p5VA+~ll3(+1osOU_*ZgXPP0e*KI`fP*SJtHbkJ*D}Onm+uzk@|6mI*^o*BVjFC)
zlwI$-2dwG(wueUA&EC89+RFpzAT8wEUiKkQ;v2MoFitzl)a#jl$I2VJe=SA_f$hF`
z1N>^p)hB!3FW(o0K9;SWBadpk;nQ`=ZV;c9fjs6^YLRqkPUUbSvo$7Y9ys^M!FZC(
zNW)R0OUE@Pv6q|D_X@=lSZmqE&y2ILm|GG6kaAqaE}V6#B54TDwqgko+i{^d;nHaY
z4yd9Dl=YNIoSUKvY&R7kl36sfA9TXhCs`GjU`{5V^#1bDEBbmD+j+B84ogs4y#m%o
zM4e*~c#@1A0D%F^6SieeToyqCfKz79N*cFc(CkM!9y1c)!Xt@zAY%leV>pGGEpTEk
z{EKIfB_@xsTB{ByhI7yy!c|7$6a_gM)5maE-lZW8av=^9paPI#Xt-Zb+(xmQ-f)=N
zGBP)<#u?Ei_k%#^0u(s*D@;nA@>$)JM(7vX^YO|#B{c3%_vbgVXO{8uaPulCvNc>>
zg<OMH=K7=`>yh7989%Fozu08Ie-{R@E%uq88Nfc)YrU<4eA<M6v4vc<infWjSyTTY
zZu4#JU~gBEe|Y@*;=$R*+{VmaBAqAI7BQd|OAt%2g0HPb<3r~wD?80P&2oI#ebjCD
zWAkP^d}ujkt1VvqC6Z1vmMoIanRsM!G)ERr!NppI!1}7q1r|jti6CSQl`N7-0Hq8n
zWKArI4<<z<$p>Z?NEC-u3KMJ_{{;m$PArKBb)Vq;Up=hgL!{D;Q9pUEr7^2Wrr0qf
zQAF3uBFdG)Ffe-7{xI>rZ3m5O4+xUOvR36B?R6B_269UinYo#C!|o-G^Tl&zW$8ab
z^enO&RfUsqi)Njs-0+}mo2EI3t?TU7*toTgTh7Y|r82E8cC}7Zu5&*caByYI(_&I(
z&a)PeGpcstv@Ena><(RjY2Edk&|w?KA#YH}!cJjRWqZwr{CUIXeT_fbNwfLWR$zJa
z%e`>qiik%tgm%+*dZWm_(wJupK?AwX?homeq?!|qqK(Any!KzZ!h!e}6E?fibtmh_
zgDcM#;{km4;=D=>-S$QK)|3_;Qu#|(9yw@z-e63HwJi5?<x9?icp3NjypmLv@S&OJ
z2UgpY%~zTYaQC3{#^WLS))+OLj5TuW2AM177Q?wHJtGa8;S$uYjXH#S1Cv!MczM5`
zDf@;^H3yHiW}LQ@OEvfno9FDet0%+t=I36&BF^?_1?$G$D~9Eb-C<?MfoS6{?O>-D
zT55`6RqCBQv^Lu7Du`|#=*>^S63*rO?d`wFzkjRMpZjpM*S~**A5i`4@vkT8o4rv<
z*}ZwG-XOe%RE>zDdlUIe9Jx&b4j3YYP9S`eSPsuY<K)ABp!}4Y-lGQn`Xf-wB(MDT
zp%tKBk~v9s%=|+%1xs_lfc}--S4t4D9#Zs9`xQOHn2jAUy*q~m-(CKwbH*{utT!7w
z!;~Q+dkEEx^@H^wyMsZ&V7|f5V#g+{lVx>bxUrGdDqn5~y4d<5pkkhsFNqd7!13wm
z;SoXct6k)gB$tF+OB^xD&)j@=E3Em@uf=$|UES~L4q%*Y!DIzchiqkCJ0Da>Y&CBv
z1Eiz2zWpe5)Yg>-aw8iU9SB_F&?uZxY^38rM$|z#sCRH93fkDBwN6y|O6E1=jfUlr
zUwVyCI(+ZVKV7>KL}(V0x!@Yspsacht$Ge}wOszP`H;0s8GcL2TEq4qqiRT<PUA_^
zw*}fBV>-Wu3i)?*JCkR8k#uwywoDeI8N&-Jk$eO%h{Ll>{_w5I9!-&*-22=CgMzQn
zGlj?>ksucU^H?Do5dBCg{C{GQ@)JA%(LyqS?#*Prfa+6gz5x9{Ve_U^Bw+StvRDA}
z*?6W9^i^{@8~vXE3(%b?U}zl91wXcBqKxFynHs-0IKZ&b<!m0#!k;lsWBDG!(4lV}
zj`#&^dzZVmKb%h9YTHQOe-n`L@Rzqz=8M)Pot0P|HJO!I9u<YPNFLt4p*lz}RS1n*
zB$OE~%^_gzob{DvcSyH)(gWF|t@*Ix!)SuQ_Yr203Zc)(Vx{$kWp!nDtx#QY(_N9a
z5`Edd<b0~Wn|C#`pt+xWz6;Eoqq^5834Pg%p*57uA<Q|k`;X3%I(5B!buGrSjo=f6
zQV+FiJ<hU?%1ir-xT(*D+ZRNe5Eqnz{M9SP)%qnnZMDQIUzy)V^Y&T2k-ynForf07
z{c7NcT4#@SUGzVLf{&ZTBmehZWH&8nH?3q8I>(7TSIV>ys2S2=E71l@*20xoSPI7h
zEsvc%jdTQSuVuX!<k$vaQd<C&#8Sw11Br5`APlL;>h_|~j>n7J3FLJUdLw|<oihxF
zyK0X#$34L;B5rLD$$c#zf209mwZ3OF*~Nh}lnHiM;@ki*Z4fzPxQ=l~8sY|P{1y<B
zC5ik6wVw!f*ERD^EQBYF#DX$}GWk9xF(DtEDT?#}W!zPNi+=1hB#ze@&tI+^yjJ;;
z<C_vk63GO{^j$!7j64MQU&Su6$exu*q7kGaD=?<;|1>dJBLa`@0768!IIb9yiNCP>
z+I7W8Dmn6yFOsMk7&0g=bWhWCYJPGk8?g~UQWFvdLt@aJ%*dif(OaDWBO^ku0R$yI
zIaE)%mkzOd0C0ZS0L*KPf>=EW(7tOh@>+At3lJe-kBu-pGHUyC;(lg##B<+(Mxfpg
z;J$58=B<H7tR4l>+%|v^tk5F*SZk5l%A!2$I{Xv<uL{N8kDWatqU^TedM;N7l>lQD
zV18&+kQNdOPipiescDnQ`144iX^D)S$ZATb$c*sKl(bB#d20gyJ7!M$S<7@@A^viM
zDg+1$aLc3vetqBdZr0vKAsPC$+ae?#9L5Qsr~-<t>ZsT7F!OwS+5G@+!D<nIJT;$-
z`9H0cBWB$!YqxSbMUjWSkd^VrEc|z@<uHgw5u6U|9yVKM353hiU+^Cd8slo11p-Ii
zFN4ESyaltQ9m5_&RfkcgS{TWUrW8)XT@l9YTZ-Df*=&;`FS#1wD%`17s?&(eAzy<|
z>VC2SeTMRUIs$!wf@Oi#7V0E|#S!jg+;`e&!6A=j@qFAF^~+?Kf1A^2i}|M#+(D=l
zbnNEHPnHCCG}5obRhV0Zn>a7g9{McQmAX`hNH0R>1t026J;@&Y#}fW?H89*0?wz<j
zy@bzpkHIdr?oF2)|B%+t4(~ypJw1?{^fl>DMTh*_L#P|?yKA7Ea=O-k1*Bb6ic~;_
zKx5KTVi+FEf06bsy5<FdnaPit^H87MN61D@t!0IKg1w9MWq#!D(xzg4;ZCmi9R;5Q
z%DJCUif2kA2lNxd5^beNg?^=mqQj{o0m9LxVmSgiUbhP)9vmdcPYmGFbab>*zUT3@
zS)03+1mMGq032|_!^0G`n4M;Z2;dX=%Pv%4DAZ-)Pz_8sTKxUQ&>-gaI!DkW#yW%`
zJUqC0^FK17?mY&!C#58$!WNa4iy45(d0`^LM7m?HeRuWW>)s1Ilfv2RjN+^`4{%oM
z!qrwA>=zsCmm6?!R%&t7MF2Rf4FvNI1WW(FTxlR!X`o=ML5H^y18C1Tu(Q@|velG_
zw^SP~v(@OqSJxTUT58hbtVD;qMZkZ{<9<Qoe&uiTZ=9RFwpS4jO6h#|`tffZ9tfb_
zLi2p6x&O1dx?SDeb7<(<HTKzUZj{jRt|`zlfT6TIduM;pJaKowr@TDWSRb!%i`yk}
z)23&T+HpOUOXiroKlabaIJ{qQ@sheX|9hWIHZ8aiE1CUHCa1CRNG|8>W!2S9CdIOU
zpRB8Y?cpVrY%aI(lP9rCF2$D2ejt}iW(CkQ@MUC>If(1(Czp08{8vn41(9q%c0?|f
zZ6@W?H!0)ng`LD9wFAdnZX|sESSG*uNiLOVR<%f@LK#|8$0&79R>hLY{bJRml6_f2
z!BaavW7(9j5ckXPnHv9D9lx~*up`Yu|9RDjYhGv!F~bOo&Z5WyD#tR%1p13*j{X0{
zkBtKq{{IO!P_=;dmV1Wx<~h3WasdW`ui}qM`?m@0-lo?28a4AXzNSaJ*Y%@67vBo<
z@;)UWTd4&l_bxGuy~9=|bbb+wy)u?Oq3oy|l9nt*asMS=O0SQE&YRXR)-S~q`%Rw(
z5&EXhcT@ZIP`bWm!6+IzCiaxLy2XrlNg7GX*pt^hq%NUCrr}xvhAcmdoq27_a5v>J
zV{!E&VAkc$ThM^T?+R&ER+rQ%Zio$a6~QU4??k|6x`s_<MOKR^^+!o+v6xM#KJiU#
z%;VFaRBxI-2_|?-BzQ(tiSzB_3*Ye;dB!T%G)A4Q57DG)7NKCOL>bXE3X&6)p~R>f
zXG!yF;H-Ij2K!&7y|tk0pP&KYY%|oS=A$t!hY$Yji)r66*LsFXlMytEkieigrHXco
z|LDdcA{dA}C_k!pkpcYUcEDt6(O+0_70-BTUW1M0_r0ivI)18Mf7Mr3UL}~745I`?
zz8|fz=XTAg%e}&3l)=xdK$u_sq4`S9J3y39E1=;I-9=^`FWNnY1G93AV@5><z%!s4
z6TY*_dM+%LKngc<O_ueqjWfEGwPR{s*>Serq#i!CL69fzjDC4sBy8b3Zec53A#33h
zzc6hK9zLgIA2LosV;?gB_xfR)fU`pnbqlYxwq2G|1D9IHw&vrDb5=>oIgYF<EY(S6
zm68haT{<io^?e-oxn)6J&N@Yg2glJC6M=@GcA2At1V=dkTi7oI4G9h+4Mjy-m>h@#
zl1)@7DEJA6_FrC5@Zcw5nf+t7ru@l41M?Xbv|KI@@CW&AtW!297#1Y^fxNS>Q5qE(
zJwsnUr1>4MTcrP(OfOOY&zNOc;QyRuQ6O=dqNq@qAL>2fNs}KP-_^^5ZV<~LKDzZc
zFV<m%qom~dZwdLoQ<|HY>TZVs%hN(~PE%+E?O>7gzof&D$z${=Rg$H~iI8y0Op?Py
z99X880wI@Xi4kAO2#I5IDC=S*=uxV0_klt*5FG<VCIMKc^#MVkWX>va8<iqGs)cnn
z3OZ^Pao&q;Jyz8Vu3}ajb*xva**jEnFKp$j=L_;~RwZ?h*{*L`7Hr#ein0?7)P08^
z%)<;!eOu%iz~<vsWG6|f5;I9-d~ahNCefTL$P&_cq&1EGm|R+=rcOC@*U7^`Ds+ru
zghHiYOlmgE+VfG`61Ak<$``-g#46J2&5mq_*$MwlN7z0HS$n>KE)w2^{Ku0u3!112
zi3RqzzV%AQ4wCO@ywBrK-)gt=GyKP|KB#(q9(6o|%JnoIwo2gQCZ;aw4|^){!*|Yp
z$Jy+eQ{tIB(vScc1aM(ea&MN^ImdLFQY%#e60tF~?W#WsZc{b7PhcszNdy?^MVA7$
z9`N?aPTHrI?a`^FT9u!;;d88#*jl;%3Mu$3zxTp%N^q}t2<slOD<vOMEf!8jYGLTu
zbcGPy$FBPRrIkRvjdz|95Ljxl$NVK$=N#7=mu(m2=FWL&H0!+`(Tj1Mxz;p<1b*iQ
zPCU|d&mzK`R*+A)e-hmNm`F+z{4Bw<{5q(6g1~gIYPn#N%$2U~Pyryg%jNJr%pn?O
zl6MJmT<ub+QGKOhyI@<_owRM3+$MPH=J31R40Nek)T0`NABjpS7fi$OE6=p(h;#26
zHPOFKSMbGjjCTo-(Y+Qw7?#nf)UNhdnQj}T@Y%X>V({Lq=tbll<yjoAb4-CoF{M&2
znGUoXsrj?6|Kc?$vvZe42r>gb;~Yi1ZCfmw6}@cDVc7|;zHVIb&Ua>Z^R|`X|GV}I
zi?jUlXG#wk${r|k@K&t@?*|ObZqq!ux_G?E9kS(rQ`D`~hX%epz9qx-YoNa_V?><D
z<cG4_6=_h?QEG;!+c6Uk#Jb}Y?)bi3(e`EX0MST8rkM~dMhH_8Vhw2O{np8)S;F|X
z5!?tPQSDf5`%c|a^=8|1p?&e!|4xTRGeH)OFs8!58#Kqx={hD2*=z%A8(@E90R}ix
zD66--+}&q~hucwB57f8fAn!QyhbMm%S6%0L5*GXb#>Wcai($fet2T=YPz<PM0yi5G
z(1nsW;HfiRlCBIwto?v)P{I{OV?2)pg_B?GJK{whIMK|Egtg<X?wfB}aYMh~QRR=s
zc;eseoA^fE+}W&siQl!AP=aF&a#I}$=EmdRvGT)vtcvJk!kmthWx}u+vQLGCHHd1a
z$U1P<gw!&IBI89LIMLUQ<n1{Y4elIxB0C(Y_$CP8``s}`Rx!rdAsg`1g&#HGtN_f{
z5X@AWjCGb)2_p_Hb7PyGnCeER+i?*$F&^?psyzt}_ANdxPBEFF%K><;!=GUdVCeuF
zO;}t*7Tb_KMznZ$=y$b04IBtVdz>hv2dcSoumB~NON00vCxQHtAC&st1BcPT$niIt
zbmXy6E=EF(0cB0#Y9oBx&|kXr8oE9QAC#kbg=Cz;j2{}aTaV7py7?<UxIYh^cj&(<
zxu5WWwCV2s+lIR}1@Q8zr^jaV74$q8qW}0=6{Yw-z4YVh@;}dxTLUHH!vGe(Lq)+m
z1-Ve@0LU&NDnOtHzlvW-zKQPmCqn!eLb^Ysgg?vTt)c|zuRl!T2qVLuScIq__3luB
zzO;{>4&0v8(f-{onj4agdaa#_GI(9>=`wU(?Wr;^-R$u)YF(V!GVsFUi+bJ&Pl!9T
zedr;%y9Q25gyA4hiUTIs36&^Hl(ylL{or<;TqHo}V^Yog-uh-st~0a~jo;q|8+yKj
z1rz%1g9SNyJ>-ggDI(SAQAR`)g8r?T4p<kSV~nY|%nQ+vycae?@>HhCqCQU4-+f6b
zhUhgRat-kA1N@v|qkqx9F8xri_h$<n_DDg<D|292rR}mK%Zsxt`L$!yOVTWVZA7*f
z=UFmvN5&VYoYHkh))nWR(tAhd7oVK6c_;9z@IwKi69!>=neuj(iwr?VAtDhTKc`(n
z0`Yo>@2CJ<lrdYQ@dGK_+0>KzPr8R*gz-4S4Dt<@47v<n3_=c`Tqc<$EH+-#YrWJ`
z=!<n{JoVe|Qx4r|oe2BPIA?7++LKhtk?SjT$9r<z@$WAVy+jJ21Q7Ypa`(l0;@@fS
zY7vt1%liiXBe~O4ynMgxoC}?;)6q}>YMcdGR{l~#w!-?I9$Zh`S!c1_oTCkbc4cT~
z4nrPW9CgPCT|Nkx3IAY7Oa<0CfX8xqyfy8W`apGp@Uy4pqeUOHKK|p~GW#L~1)dYo
z>NvthSJV6L9a6PE$%DM=sn)VOHbjvZPVZ`hQxmFkn>mjCSR81y^hBZPE$U#ZxvYcL
z`Y0cMa4`)>`K^A!zSV*5aowM{DaMzpAx?5F0*Pt_BU`b$|K$cp>+P1Wz1UE<dbIuo
zH~I(>zUXXb1_m`xXi)F%k<ZS$*md`4&)Wm3aB~NW>T@@w&)Z0;fR!E9<3+MRQ8=M>
z>b|?|`{2{&;IATb%fyhXAH0Y|Z-<2+wHROL-YBCm64gYHUOYK!#al-WHa2%S?_`Mr
z81{5vU+oLL*d1Jcc5FE~$j)AyQAcym3^gy&Te3gLcVKpaaNr0?sAKD#foWX`%9mj%
zDUi`k{YS*5<{Wb<QU%Qzi_Hj$(T}3J2bupeGeF)B!Lf(16(MnpmOmil33{_ft31Ud
z+e8*wJfCIqviASl;QzHmyI~%KI<~I&12a`MkK8ez2Mhu0$In+VCW+yV@-LSx(k0$w
zvX(wBd3-~8707JVC81+1w+1dT{Qal*dWk;ux0Z$aH2>O1n=%91Pwf_ig7MZWV(bwY
z@^b96va#4(6dP8;iEB#n@d&qCi|}ZrP72|5z%Z4TN}=v_m~zA!_hCW@o5|mVFaexn
zs!Y_PxCnOO8O{XKBy!R|hV;~EWtGJRWo~H&?8>NYDi*V%nk8Agj2>rA`3bKMnzo}N
z-i)^U^;{SKd^dl6XMcT1e|;x^eOLc{4}X1k|NI|&*+N1AX656-i5ShN_Sxtx%Resg
z9+i0>?4Fc49|%N?VsGx>76*H9e-r=!El(^}zDVjj@~TpGh9;Xqm}=Z3Hj|cV<-GZU
zDU%UjbGnnMbSLvPS2?p|W;X;COcn>?2Mi`F;FR=_VXNBUZk&5*PTIdU5zQDg+?+PN
z2($U{JKs`*(4X%bPR-C8=9WBbC+^Q$X@2&hedzZXW1GAZUlJg7U0}K{(Ct?!j*H}f
z>ty<WWd!2V1AFNHub{+QK<&M1Lt)wf_p{0wC9sB6zr0>f&Sz&UTbGj|BEqHcjheF~
z(DJ*YUnJh;kuHKWJ@Vrr%fp3-RTW)JS>vDdnFSq)YRCh#-&5+C>66;)bUbE#cxj8y
z^X4Xq^S18RvN>vV#?4ULw*1!kIXZKuE-=})`a&tw<d#ibU~=pUi;qCyh)TD~EWQKS
zI}+1;3wP47$t)$8)Dr|Hms}J1i5U{7KF^pPK9i{)vR<ICY=;VS{DSXLCwv{S6@F*r
zU56R_%KE=${H*A&%DNsiikP)snDve)jO8Z0_t4icoUhT`uhCqu(HyT+f6^Y;Xl~c3
zKUtS+G^guS$7^4+-QBep%;!(7*!zz?N&i`78$S4z(M7}0Xr=7CRL!3tz`6e(gPE+N
zhQ6FqU)gznzTT#4rdQSme>&Y1)UCx{>VdM7k#c&?mtza$(D^j`s3?nAVgrh+y*k2P
zQ#WnP=#CPa7ivf;v@T`nj`A@(J0fmqFM1qqA<bDX8is+bjmDY8iMx|#=laEx{Zb%M
zN{^vp%t8)*j#5&Gd2TEmGq5FEDHGmVS}7CX`R|gF{#`1v)AN!B;T)y#diS_IcT&zP
zBd3X;!%WxycgL2hdq>r&v&!;OdGe$jct#G*5-~fvwMq#)`G#`gFVqd`l$^&?shIrO
zQ>lo2*3<D@%-PbC(p#w6{1jfF_=iibX_q^&*&-8OOodPIJ-pCnBzmECpgow-7^E4I
z_7BX^3#2-scKAJt&@Lo<p?2UsgwX!SZ(>q*Tza$7vYPf(@QnLCW&4luC;_iKO3bgr
z{sP_r8G5h|#>3!5SV4O54$i~kL>Xavhz_Vjl%EpF4&KA2#7V(Ahz{n%=)`K_I<O9q
zLz=|ef1!F*{CmYQ?GAYAH|R^WYxM-kJ-gW#s|iadZ%?FY9sYZ0tF#vmV_r|vuQ?LT
z=jbmd60+^3DDOPmE=Hk@XyAfKAgdrf3$k0i!+dh{!0gf8>oDnoiIJJ1sj<1iC}AUp
zPO3|+e_S8oVr5yu$V}0uIJq$>%+o_WI`HejiVtO;HHfo!w=&+UP=7fr8dMviUViiK
z?lk%$fgy?`{Xo+OB3$(?{`b{E1uR5tgsjBm1T95vg{{Tq1ujNzhOWlu1~2!^4quPY
z4^)KI1XYE_1y+XE23Lp22U3F40#k#-15ts&fzY5&K<GAc?LV+v+X>tM&R2Q$_1!BP
zCav~+xlsK-A|E!Zm14CYxEF4>vy~E!0)J2lcx-m#rA#MO3b`zHla*XASd3p<t;WmQ
zZn*4r>#ZiM`F@ZH_+0M$OIa?M^m-lc2P=6#hy;9I&-=?cg^3=7{C=;`2df2v4V96Z
z?V+Wqe`0HLyMvSO1*#qs(f+%Y+dq9j99CTgrkm^(oA%rmSGekdf<nPzQ0Nr8p^{3)
z!;$Ee`oW@7$z_sh6nf#ZT1`h|X_N;4u|K9!sg>*g@9rzrD)d7}3~mAfz6Ev#y1x8h
zH`fJlKU0R~vRnQKBrUJk`E<Hmu^T8P5*~-eX1*0FrBXhf$!4(=EGCm)tJz|{9WJNS
zdbQSKu^S{J5ueBDcDxlPqfxir?sl>hBB79P(B6FVPdc9t=I?UFHBTB`NfsGktu>|b
zzfR~sC)}Sf-Q3f6WP0^k(pO(Ckaqo`Sm0wpa|g>U4#pP;ojf3BC6KVhQUNeyj5?e8
zOT;rGYtED-!kG%-%q8Va=9)4ic+lz>j`(xamGD_#JEXt5=U083@1~hk`I=D!IJ%Sm
zn5_}16|Nn=6b%wNSK@dQ`11Ma@K1XAAV6hM>7?TbWZ{Zw=8ACPN_gl9gzbow>4=S~
z@-Dddo5q@E!kcu$n}yCDlggc<&Yi)|ov@;per0yf^YC82+up68zDpzg-a#+@U_ILG
zd>-D_7n$JLb|lzSA~<l$|0|WhZ<W8Nm4D!+|5r?Z-%Ni`P5;1c=daw(zTM8A9)Bj{
zo`_rhs!P~4vkG;L=F|^PS?p1bA$hgtH1|q#c%SzSYTjLvFB;+WsAX!&E4-~KYR>wg
zdTV1I{-r6RL}Sc$w$qB)8d{F^qHX7NLl*m_`6gbDO|@-HZDUL8%*rOjre%(8vw8jM
zC3x!`#=5bNv5Z~TuQv47rqy+N=Lx=*r!>8~gs;xg<yZI>J3jUa@l7mTn*-Z!xrV47
z3Qw;w=+`2u)X*kH{BvOuOPF6pzg$DF85!uHasaIjw3pEDgF%i|c+jJRQI0gZ&?k>;
zk_t91e)EwOtR>*JmLfddbK??)GG5xcj`t_}E=3*i^td66SXpDj?BRw~;YOU|hGah^
zH@t@>Kw(tEOwx+c%&9KmgylS@9dz3R7YNvOh%|~(G^!;KEtMjCIR6}{rJT;PO|nb2
z{lUnHvHj*SKj#QR8Ih<Z#c&qzA-<Npz)DN{Vj#XW3v_P2Pr&-Xg$NS(kbRWDj^EDK
zSQ;%%W{2|=dWcGbHlPy~GNfiMB%MNp@{T&K`v;Clh^y1iDDvM77Op<NJ=hT6T?%##
z-VVPutRDl^{F-jgK)y!^kRlwhB);zCZv|Gt-{8OV{0fynDOsM<Pt9bT#$VKFasnKl
z_DFrMbZ;&+u8yKWeuLcZ`40J^|2|HjNqtuR_Du^uSL`#o7FR_|6Jt|SSwfDBrx0H}
z@OxRFAF=Fm-$9h1EP2@Q>BHw^^lo?GEx_Yr@$P-zHNfxT^0s*VIxX2?`Zj)?K7F5`
zH98GpH8lc*Q4GgnEdniJLSAITjA=x<XhiRFLK=0#$Z$e^85Oy+<V98(b-6R{MyVgw
zxwH30A{@22GxJ5=9aZ4-O(y)y@_|%v5aSzG|M07KGT|xZQ&wP?;i>xb=MVPHQ^b#}
z=Z?Ws+b8HJ;M3$Y<&)*};Zx?b`V;q4;#1>Op|$|N8RlY+vS+DvL!ZZ%@~T^}W%F6k
zr=4#l-*)!T$;RYW-1*b44WYW*YwPEn|FvQLKFzCjU3&c<&Z~A^TKxg{t9M<7!(WJ3
zaeLRDogq0WoSv+lBb|1!-ZY(~&33uoyv-w?c9Gr`o};dInckePBcFDO-VC3k_jZNe
zg7+gxPeK1g$fF2PN&n1<JdI9LEVL6IoD&|56CQ#S9^@0Av+nymVX@rXKjQVOBP>pX
z%}#?ZGqihNtRvVAL)Z*Iau}Oo6uW*1yM6?_ei*xc6x(44+hGLTVHn$C6#Hff`-YoL
zoJcBOv}sC+Fe|2)8S&GU|7{WkE-?&?DkhO6CW%HSkwPZvIxu!f1pks0i%uX~_La$W
zJb_flA4KGkl1bGc25?xxr0WksdT7C<?2o{8|1g$jAejF_a(|SeNYocA{ECh?USF)~
z4^Mu7L6x>EnDs$1am4V?u*}&vQdX=?RwPYUqGd`j4lh)j3(Jie^@$l4z6nOI31_+q
z<5v?zZ4-iB6TwvzFn$wqp7Lj#FNm<McMU(&g=DwviGWCnj5)J~Gi%J6p^9ygT&om)
z1EPf!T+F(qie1r&A6Jfv)*wZWc?|3IC>P$SGW({hPK{H*%#mk$<FNS}N*tsk0cAsO
zE&F1+HE-erR}#8yvsSC@0UG^ZGWDiy^G)YCm5#&|tzm>56IxdJ0}^>7HXggWTGt)*
zb>Ezm!d3f@4evu7T=LZo%Z{0mu_tzQ`vxcHlDLc<+u$u*R6SFbTqo*^=6F7Coe}Js
zitGM8-&DK-iOD42SQ*BM7_Kz7%LOm`3`ZQBs*~`oL{eDc-Wr%?dS^&Cva<%sS-1x`
zT@SWBbJiJwRR}Wv&5OQ?a_4O2sefiw$3V3*$zXe9mE8gV%@1z2##LKv?ri_B``K*e
z)8b-({<Dq$<QK>N>ClI??~i12?)hy3#j2jrVqCul2{KaduaBZ1Scp_^$Q?i8q%3DW
zVLOh1X{iLYbWCXXU@k(`ST&nvZ?l|gTc839;@?*{<W$9Ab)(f-ch%SO?Lx{po7h;*
zkh;^a1iq{U+H%=_UV@xm0-htN7{9%q<F{TQ!j)UX8PCEQu|9PqOn=N=x1Z-5sSrVL
zB!~q%2qk6)bma(2vq#|@tYU|_cn9Y3({!=jBYMoF*BJ1qngPUnAmh-OVUwml?aW(L
zK7+sZ)Yk>JkgpR#0o!{<TvWUm`6(q&oi(~#!#ij3`;I;govAukuU{YuQ{L35UZh}Z
zyaSz${<fB@s|$4vcD95(BQuRUc&MYp-JAmS@iGVZ?aX!YHV1F*O!o0Q2kyJi2I-_=
z`_MA&L{H7iQA#nEOa&fAvp&dRznYhUR$VA*f{}Vr%0Y>uzcN=SD-XH&&ba)Jxa6L4
zk3Ho(@)r?i&jj)pf%6xI@)rm47nz7eyK-oOlFGLK;1=4r;fj8jd<z+U7F>ssct;XM
z85af|w1D4M{gEI)qxxi&f*3PAoKVb)e`QvA9-&y*sO#5qPSXt=Jyh>NPng_x=E$G3
zdD7;EE;jV!?}iEG7~G89<C7_Ez*t?dEIj&ylWi?m8|JR9aZwz?K6iXtS^EceN(W3p
z;}k|OO4waJqBzpR8x5+_XG0VSM0iRn_;}xu$i?i~8tvUbt_ldMkvwGYV#IHno}|BC
z_P3;(>V0z^h;XlhPGP6?_kk7C#~0nm1svMj`lBJf$>RQE2(cx4)3^Oqi2hT+ttQsf
zuWut}UGXtVZ1NH_S#t|sD3Cqp*$Q+hF?1W{b?l%lt1K%j2R7ad#evnFGwh`%hy~dV
z;hGT(SeUmayt!=Q6(E}id}BGrzS+HwnR7CE5KolZXY!>W?v+vNU@WUrobk1wggM*-
zO_w6Hl!<o9-%=`DL|3t;kh!H1xuuw<HA#=rDUbdnQr2Y2rjo{z;W&4nrdW`Uov{b9
zGpS)yM)7p}&h#0>=7Z}^p(l4{Ty&-pwjHCj?W?t(L$#iRwf~lC|Iug-$TkIoC!^C@
zs`Jh&?+xG5RFm;*vD}S!Mkzc?`!)sar;wr);HCXLw6v?$<K$Wgbhtl(X4Q(g(z(>+
zK6DI?X$`lG)6^{j9wo2msvl{trTA|Js>uHBs-k=tOyv4#!Eef6+tDo@@sEi3UE9d6
z38*!C+0J~%#ijH1|FfJ1jZ13f9pki`4T(#O=N<Aq`*DlQvgf6Hj_&dFyhMG!g)*^(
zOJI#3xuY_nPLRM=c<_p4YRMeM(U9@VZEVRM#WkSy3TA4}ro^$Z@k(xN&8Nh5!1an|
zYRjs?@zC+o-Xdswc=S}{jkE})f-Jsz3H>uLy7K6_;@zookoP-k<P2-dweLQ*@N3K?
z`Zx@85LVMLzim*s%_?b~70YI-AWQS2_vV&of!@Qht?Qf6rJVcAVrOYk-&{`R5?%;4
z@=;2msRq-(4Pp6QL51(U@9Ed|=Py`5=;41~_P{?8>L-E$Apn6`nVLB`JJ{I+fr*OC
zssiDdcsbhw;aE7E*#P0#8oAm7;Q;+`!~AT(Kp;Oy!Ts=YsQ>Q_KmSLjGr<K_3?4^!
zgSW;8EU~s9dXtj(1v_PghM6E_N5eNGp;169*0!03uKUTZ`Z07=2SJ#SF8}q}4LYp!
z*~DJ$_{_w4?7sM3uZIvpk$;AeeM2NW;7h(Od_#r4fkx9H6eG?1u%)7C(=7!Av$_>3
zQDH%<qM_q0Gg*p&L(QS7;iD^Qrp|%J4Mrab(K#mDFzGvJo5Q_Ieis+HMnXCfVGITS
z8|y1LM9iFo4_|JC<5RNs%i;Fgy5u8dj`Lw>)rEdShK245M0!AZRlqQrqhi%=HdUHE
z*<VyL=>%wC{Gsu`gRmBn5u+xGp(!BOBcnjBmK3Z2>+cLCs-i-@9fu<*7%)qz{G$s|
z1Nw)2S{h8(kbom^WX7UN6HXJfQc7D5IvRTY4+uXfJFs{%1fGz@ieNEwyRSJ#iu?f!
zm+cx{rsNbB$Xx_iP*%v4@Z`8zQ?uj}km2tN2o*yZaEJws=zJXTel$!$Cnwx%c3$w<
z3>{nJkH4<J!SXzX5aOmS=A={+I5Gffa*#k;?0Hv-TFk`M{*EJ_5F7<k7PpC2QZuE7
zFi6F8ha6C4Kt`cd@K9D7Vz5e7mN)UAMbLYbu`Oy2I<Od;WIT@7gsogsM{?XdqVZC%
zH7>jX^yp@CwYAq!=K=1Or(oZ~!?hd3NN;|o4k}kgg4I%(i^1LX5c<W|509bEnJw|Z
zXk|Sd<7`PNbFRWR`9~M#?s8h;L%FHZAnfqe-OkRUD|XF2$ll-c^*seHMUrGP1fL!*
zy0L+)`w9k!>ek$2TI`WsxB<P!8+Xv$l(YE{D;=A<UmLP<--boQ&kr{O4>5KH-H0qS
z+rGxN4|Q4FIr+BD<nm=b2K-vpy`<&bA9w8v3CkQjwVNYEdVM{Q>+Ab*O2k3C@Z2D2
z82k2S8tHL4nwiM1PJ@-np(dgGD#08l@p9rOiCC4?-(VBFG7e=?-06|aQaW7y1U`Ep
z0cJLvOB!D<`l6{xn?Pbp>q^K;nJ6$}Ex_vi#tjIHB*yFo1s80#SP?Um<PT-aM2lQp
z%5hmpij_B-W`&WyMM_Aw8Go{j_=0#G(N%^7MZe~=X3WN)@F`SMy9+CUO@}0YTcFy|
z5mX}70hPclk;maAXEjLXQi1SD>A~6{OtBLc2g3*E%W`EW1DAO_l>=!gSp3WQH;|ek
zf|aKB09G$O8faJFgy?&&%2XADK@<NVxrx>m&snkQStL#5LsVhm%H;W+#5I~6v3LyT
zu+64>5dzpz^MO;Cy25To+wg)W?6`sHmh!3rq%z>E$R?AvGCmf-ikIpzm=$mxFf|V9
zdf5wlZ04B;qy*2MA&3s&<?vE!Tdoe_sHWn93ERS>+%@})cE26@&o=L7Z>_CuqGsS?
zk9;)kf8Svx4>Jbx1w<Q7+zw#Le<M!cz)&^4;(yn^9%O0RLTEHWtOl^euP!<PKoM89
z>=EE<RlfB<v&(V%ENAb1c=A{W<s18AeD_h=Tp5f$@%!xcIv?dp<pO2+Fo`DuJ|c1K
z8xN11B+eV%+L~=n;v@aJrXM0#s3&`4=j+|5b1M(e^;p;o9k?>};T#-FcIT>#ORur}
zNX#a2y0F}OGGuP%yF-lS=xr$XFdzcfdoT3L9d6@wuNT7<7U``CxU`ZQ*9r$ZYd+W6
zV&XL7iz`$y>7>naJ*!6R5s|pIG~zRR9G^i>TEK(M*E!m5VXvzyl+DSfovqqM1aLb?
zE|#k7F}GSc*u+1Zac(XZ@{c}&y1b%?`K$E~Svo3kN@#3T1rBgp#p@OASN|N?cTvTd
z5Yu3<CwT@E!tk&L0x97zNM0GhVwW-Zr@-FQ^#dU|1KYomiofz&SjA%Aj&&2ZDd3zE
zi1b<}9SHQYQe0_hlxCgCR&ZG;jk!W#{u{IW3!w`{M?m48eiH}w-nW3;_|;XCO9I)Z
zRFTDYZp2;AL2^AZ|MW51wOY*wY>v`Qu1<(F`6bzBKutWaTjX&C0!g+1)b09LNmIqD
zdT4(4rT?wB-HpjShibxmdjc8jpj9R>7~{cqxC@fHg-h;Jp4~O0ZY~zDg_5#qX_wa4
z(F9!sSwUd;#c}t6ec@~z2Q%aLh7j+)Z~zdi{jc=4UyO&Y%6v2DHihL9vob?(`E7xn
zy#Sw2pU+YiNXJg0?PQ`y-$RYU#-9meDINXF@Hs%w4@tq*S0(%Reiuzkh-bcHK4=o(
za_icxi}mhmK@)n5jz`O4gJOvfh8txsI(<AJ@dj-!({+o3oo!41aFVX;A-_}@V~0ht
z(D{)Cu27STTIF}rWZ6mf2VK+I9W8F=2Y!XDuQVn<w~~V|ZVqH93@Wnf@Mk}o%~W;m
zm1387#s0ik!e#B~M|x)NcNVI*pvDOF6B$GXHMBdWGF6T|fh>(9*nVM9YX9`Xos<%s
zKX3#O^fO34Gvr#ly+Se2U->sLs8H+@PF<8Aq>|}9<_bn;NiSZAD1bTiUn0RYsUZtX
zN1B+CgCt!^Ca*I(iaa!c+3{R^Z~+Uxa-c0;uizjl2R3RD&+Wg6sN~=8M5vP%-x7sX
z9^)d%1q|z$o|EZU+=q<qmxaRoA$dW%CMa>kQ;D_d6XS-GuhcStFFD_t;_Ev84)Xi`
zv<!=_oM9Gl-mXpXgdEhF_MZ9+Htp5CTpzyqu@ys`Nz&9o`mo+S1$4PO8vAvw&q)6x
zMitbw#|t}aQ16yN7Jm8yPM)gMC0~ZUB~Ts-fuQ_z+V&R^<);fw%7u3gOB{Ot7jCY1
zyw#o}&o2y;q(4k(=rYI*emtn2_LyoHE05SI$tHt{7P_00-U~-Ait8Vy|02u0-*uX<
zqd=}p{dMe7ERUXIwd^d}tO6ouHvONXRg!K`!neDo{1$vVZ+7%uE`~uCKPf@vP-R1_
zy+@JsgSX^Y_T4GVE*{K17H8tN33|7T-jcff3DAH4Jq_wVGB9AXrFGflaX<N?UWiV_
zM+VX0LfQZ(TTKEj>h&#8Nsx?;xV$%T!T*8r3dKhp2}Tp6Qw|lxYrw`sh$F%I!m2AQ
z6rA7^HB+9Nck$}CA47zXh5tStpDqK|z!uF5B5lCjjII?+ccxDJAc;6yu%e&QvRC%Z
z9=oR^nZxErn-d|Qa==atiET;m_XQ=<ScAeEL#yJ$l1yUSE1E&GfVrfR*v#(8fERxo
zyxN?urg71}hFZDV%(zFjlc{H6Cv@;pdcmpeE<^YZ-MIqk`iN>p-OXOA5aaLng@b2X
zKg)6Geyl`(lInxvW3Io2`}%jlMyXe_+{TYsZ3kDGyR$9O!@i$yUitDK(fN>|?$3#~
zl`;|OrGv_@m7;07#qZeMMokg*U^M(y+XyLf#oco`zo_P^*T>yO(hlJ*lh4K{+9mx@
zn*0}<K)}_yhm1|M`Z4khMBnqn$zS73t@tqHzcQ;}yhcNEv)#4Q!Ljuxex3SZbc1}#
z@UL~O<G6ZGY!4$z&qtr<7nzjfQKm}^Rpe>^nm%}6((6ksKc`^BZJ6;AjMryd_OGq$
zE9KW!oSOLCZBy*XScmZs7A1A$9keQLn`}2GTghQ}`(mxib_?1Dq~}8CS|N(A43#r6
zT3&9Sm-L8z&M-hW&*MG}tlq!j1X1)mfjQRPA~PBw9YG01x-TQ31!a(54py5Hal(@5
zak=J?aOb%vg5WS}14r=RtbPm42}R~99I!~vZ_(l8aEZB#Wh(=lphHQcA!;aOGJl+W
z3Yw>=rr!NlHC@iaqtB5FX$cH3Rf4X^Q!q&x<m82j9n<S{@B{?H$#Xl)fe;iV0aEZ-
z1X>f4fNenK&aU^=P{2Ci4lj)!AbE^kztZBrDKdQW1!DZzbVEl2`tpmuBby;m*LtmY
zJm*1$-j!2EoCke=i$x}T?M|UDj?l*Ymvq;55MIz3SK%17xxVc1o_!Rnoqg1*yz4r-
z(B`o9VjZuv<!spUl_@Q4gmdw-Y&-n6Q$My&z_uCPw$Xd_Tc&yXm7w(yzp|76y~6Mi
zd%}W0;q#I}?{WTaKWpW;hUYf^&rV1zO(YY>wN}?>|1iO$qQzi0z+)I(ZJ<&(CUIf0
zzI<56{WSnFzxk{+pccV%jos!+1?k$SR)TLYTKy%$E!4wJMT5QDOVPX36nUMpXnXby
z9AK1uHU^ou=C=x|4gOc}gxEUIToXOaOOTZx>Vf~gg&~OR$3=52o({+qJIFSuWz88$
zbpneiS@JJ*)ZI+TgyWYJASgO@Yypo`1!A9-5uuc3pCVFNu^3T^ikwdj37GE4vxXA*
z{|ku(cKas}A!mjJvh?&J7+cH1*Z}`WH-yB0$+a=R=Gt<Agx}tad$`nzH0+JC;@ODD
z%$FXdeBdYpx)rbhB(bU3STsm~9$juiq$1&XvfObM4nl#M+;K(txnG8)AFz>2*8e^*
zUmnwc=J+2lt?W>>)>ALM*L^ehOcgOrt7B!ae#(X!$-F7**|RiCR=j`r_2xA5+GVbS
zj|1T>hS`=N(<|Ns>7TOhmpnb0vtH#*oBk5E)7|D?ucnUT)`O>SMt@bDt8(#sYY+t+
zQ48uXx_6AH?7%(J+Q49XCDxzWuJ>;GE%M<gGh*k{jN2*pHOC6g7AH@L-MXvDVX3xQ
zIpA_ix&D&Qw(pw?{A{cB;t$;)HO6iJ{d|{|dz;c7`R6oMyI-%yn9jY)^6Az)Bzkjp
z_4wV#Yu2|0ls;Xx#~h&SJH|Y#I{Hd)oKS0jNb+z(hTl5M{L`hD+i*Pp)w}1GP1B#!
zzwZ8{(%GZ-y<P8;9RdrnM-WUOK%-Egy!!tchJQac<eor^%O3!Pp&P1#f${Q>H-WKS
z4F{_Od8;n4{HG%pMpT`&z~|y&zeVotb!0<fqt@wGhgZ#@M6L@S&IN2St85|^4{@M8
zhzrpn21G(?G>8rHkWviN#zDR_k(L~Y39%pnQY%18d?*_!1tWF_@;3=7OZsFW-&Dkh
zEA?d|pLC=p4jCgyHs&v+#R^f7^EHcQU2!%OwaxsW7$psaJnz3X*KJ87@$RCtofle)
zbvLJuQwhwR{SC`5voU4Yu$%%I+RFPb8is})9jSEV#S7o?md3lq?qAorZeFjnOn9-1
z5ob~NW%D|6m~vo}c;T)57aF)sm%Z!i?`2okMvB^1*U$g>q4hYO{cuh5Y3iq9>nGV<
zVeg~NlueDb=N{;`-Flkh@XVxShIUlo7EAB`Ydz00Y^y2R__Zb`<gmED&*x^WN<VzY
zz<kNwi_etR6G$CJjjq=|WnP-_J>=W=%6?PtETh!3o`OZAznlmv&tljmSJ$2OXl!@E
zTTYv_#L4~zwG22-Epd*k{NV2tacqHGwGfR1LbTF9cTW)(qCOzB?Ux9c`#=3`>Gy|Q
z@`4-(^yT%48>%Rwfbl;T1z1CxT?~g^VGr07fRx|lIFR6E*gR=uym9KJFL~{#65IJ#
z;{PCr#T)EDblA+Cq_j_Wzjx=+%}0o8k2k0Wg`DWS`rXt0*oUyd7`S3VwcF({b&03%
zF|WP5S$LA>`T5S~S4}B5qElNQe4(#L1s5)>y|jCoVbYq0k)eG%-0Pc?EKcdY#fB8b
zJzn7+^)1QbGrVng%DaPk9bIFuF6kO?f2h^#oUy0<tF_y9>Cf49dE8;eF@&Pgo)x+q
zcA{*n&1bjl$(nOi;by!qyli<%|ETkoojbD=YZtAiO<z6&<C(VE(vUc1t<A0G$<sUv
zCxpkn+TpNLyTkRmVE)!MUtU*^zn!@L_2;f4@#<N@Zx<JKjd?dbGNna%wM$iWR`J{2
a<~fVMt`^V4<OKI!fgtE#0L9>+NB{s$c%y*;

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.eot b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.eot
new file mode 100644
index 0000000000000000000000000000000000000000..ba7f8d95152f3640ec58f2755a75bedcdecf18c8
GIT binary patch
literal 113255
zcmaf)RZtvHxb}BhY!`QTTYPc%#cgqSf<u7dA;I0<-8Fd71a}B-Ap{E!K?6aOlmEH+
zs?OEdGu86EzkX)sVy3I!nzru-0(iQB0Hl8hG5`QT!axCmkU>aD$Us0c@SgxsL);?)
zEdO<p{u}*Qihuyx|5}lHL%ILj|68a5I)K*zZ-6Jj2Jq@1r~|M9xB=e$>mmMWum8c=
z0PTMf`+tnfznJGg#S5VSPx1UmIsPNu{;|9OE&%Lb4Fib%o2T>t6xjbN4*w{xfByfm
zKL27o|4VZLgaLy8c-Mcf&j0-WW9<G#T>iOQ|F5IKzmXt-55WJ=MeyHs|Nr+20Lbbn
zBL43a0stV8gCQ_n1{f|6tmGh^IgX$3Gq#^}wDI<e^kcT^F6DpCugP`vB?*r7ts8E~
zU(Lc$S)CgH`+|U_PFR>leZ0_i%qIJ0g)16vPAyjFmBwVqs6b;woCf+#%z6Tz6#i;R
z{tcuuGFW~w`{cKF-hbfwMo9RR^QXQ(%pb2pHDswgK09+-VT3l5_(h}O;CB3=;YlVS
zlL<(r=Bu$~X6VbLH5TAF8G=L#P`#g;z;Sg@+0po!tci0IOY*bDH`5K`nSH(J{+)}-
ztEtV0qw<ecJaV!?IHSuJ5+ven@ku39%imd=_A?hR@RwdPJx4{<$k=(`cuR<>cn2kv
z*p8kUBFwCwbnq=0iUbHDkw;afjoUt`bw}a)^Ha2$^H=O;&v6Msy;H9lVUorxy1x}s
zyU&3sU+;6fg5x|S>2WdVF<78#uf=i)f@vM6yNYOMtob~<aH{03r6*F}ylOME)sO=j
z${pfUrH+qITNPZkG($uTg*P?2(M^HWTZ?(I7^pJa-hhV~PAU*t_C)xI#Z{qya!7<9
zDXer>avXg>6&aVUIVuPpl)F=mmTvJ4@=gr}Eo_yT@^BSpc}E(@K$(Jmfn`EVZlCE4
zOziVZF_iBRz-uH(!=>1%&fvzb3z~y3wP?uR{rCp19<61g6jE3n#kDB5RB7U?sX_10
z!{1#Eeh-Hw=`wD7e;&3W(jVp@Z$HR*)K%E*uL}8d^;fPUl3>95Tl~=zOmN=T8i#{p
z%Oq**BAoA6yvmG}=Jm;~!Q|k(%!-lRGMsMBKv?bL!&tN1<#&c-L($(K=+e96rF0`2
ziYgQ|L<`)BR2(?Gss3nS`G3VpcVbTUTxDN1zO^L%Gwp6@9_4z>A&+7yc*(>#Kdle(
zg7&=eUk?vMX`~+{V|L0Y<&CdCnA?kbr4cJ;XBVSl6dh%2Yo^t0##1`Op~?QqcrF)-
zh1Js^4TQ{DN@Rwd%B6Dufw3q4UcOW2_`v3?#}7-7d_|Ve(BZXH2f2K`PewY97aK<(
zMsv9x&1*&@L_hIr=x}Ur3rpkCs7&9fy4PnKO*m0vB|=(+w(i!uyo1z`cvIgV<IN)<
zZkh`AUZm}p2U|zw3XX}b*YTeC@Yj$fFx9)!gL~W0Wl>{4$*z(VQDXIg*s4WD6N<U{
zt%rFFl}p5iZiY4CvgID&O*<r+C<M}Wu`}AZF{Air$!ZE<^V!(fLc$L6Y|SL8E(oF0
z^EB!w8^>fr?cEw`fw*rtvmc%!@S&Ta2nQRh3A6N$b;2c1DV#?lY6&N69){T=l33}G
zEO7`N|Frx4*m+_CVKs~(a0RzP8Wv!NEqCy8vkuJ5XljdM#teK}XdW7rLoUzh(84)X
zxBrmQ(_KtE^?isf-bS)(Yc7<E+0Bxlq|HoVs=+(7_ah?>F1#~+_tHYrPWlR|s@$FN
z><)RmSc{k%r8-?9DvW!(5gcelBW^&m{Q>)Qq2#*Lfs!0Z8;MrgDIe8v%U}9=5ubQ^
zq@sqV<l=^6C#13F8w$~(<n4_|H}kCH66@#DJ<GJ#3v!Ua$&i@+?q-;r%|k|rrA)PR
z=L;fsIbB22nbG1CeX)X0bAg*)>Ef#e3^VIWj4rS1pDj!EMH|`eCz0vWD>At|C}HYe
zb~|ANUly;c7Z8}u{G9FenP5G8vXXYNR6j!jIv9PG^R>2d6;%<Q7r6Lh16FW!t|Z-i
z2ztN{#|SGiWoKB)O%bW}G1()MISF;wh!+p#(S7yC+9kSR<^!2|NbwcLxAz0v*!TuK
zDN=uysc??NZ&_TphlDrfzA(KH^2<S9;Z%5~lT86IECVC`coxbmZu`WNC{MfY47!DF
z^NUFXlb6h$qk^)>7z8lyt^DvQTzFFXM=U-ugf#Dk>;YNOY?P1?uS|3OXz6J!atVEv
zu@CXQDEfFZHLuaMc~WD2y5|xKn?4jGLb@j@=D6kB%k3iKammiq0;y@YO>LV9hY@=n
zE>;l%oJx0zP&ebQ^Fqn@>p>V42XgFMp{#ZCIp6luJJYOpYpFHej4oIL8NFJ@WL)U|
zSPmFgUWR`U@v3><v1lerxAJc$7omx#bn49grtVo9_L}+1i5G%5sgI0);o|jOR4LxF
zkk{Sev_i8c&hq;CCtN~N;9K&f@wB2~)DAe@q3%=`L_0S<5Qgc+DdDgJu?pb9NF<!d
z)+X~Ib{Xw!Fnm9M;U7*jLT&-fA&QGlL#>ixA-sKm_JfQ;37fj>3zBm;NP4zR)#1$s
zTLE7{DQyGtZtDjc1x6V%3HKy24=JprwS7NUtb&md%c36WGBf$5J;_H;W2-d=CoX3s
zbV6(CliEv{H3b10DjKW3%8(e?67#Pg!4VWOF2powWT%`EqMQ41q%wC5KZ!S(PJ5WL
z6GmUzMN9YNV;veqI49o!4e;+|I(H;>eyY_tXyG-WbT5rHeOlK4aFlP@KD%%9(;uV9
zvC45`e~4XXZ=$Hw?K~58lv~E`KCpAqe#p1OYXXHkt5sgKai!PPfzO;yjKflb^J)tt
z;FBSf%H#n^u;ojTp&Dyo+T@nhbULryORj&4){)_92=j(ps4^5q@@{cp4hYaEJw2mF
z!rP|Ajq=D_R`5=`_YmnOCbk?b2IY{lRv1U%{~&|^)XT&V==9m9DpFk1<=&k`yJ}h?
z$Tjav+-Ecn$FHC_n<rp5IoKI;K>I0(pXj<B0n(RKh-{oo(}SstJ>5s6+GbhfCd<e)
zJyQ%temCRaPj;m);m&>S=Td$V?vtICQ&BxQiBzgvK*&R>`~@)fqSap&<ZQw;GG{Bs
zzJRlTtA9f>hdA@?2n~o?(Tjem)pN;M*cu>UwGlZN(q4axGMi^H?-CPL_HMGaX}y8I
zW~B`xBTz+t`PReiP_+d6unSS-GTchRvCg4$z595;2z*@P7be;zleG9DPSc!dHG{?e
z27SznJ0>(Vvrf&O&E*5(?^A6_azVK@szbCC1r<z`#N>MBbhz!pel=?<h1M&76(hWL
zRMBLFU~aEprp9@UBIBR=A8DT64e2<Sx_xjLrd0OZaY`0Uh<PWw&&ehpvz)axW&{d7
z{6{7wX|gLJ+SS;A=*>sj1lh(s;8oJ(Odfb@-ulUN*1O3-g0}ZrJ=MiF5qJDbmP|n{
zqIAM!P%utY_iJ#6x<gwGn+3hJJ9r(@2N`CNpvsS)ZhHVvvwj%H)~cmghGAB@<zPjE
z;t(J2Wk<>0(c!X>l?fT`gn@!JDfjKwv3av@XWc4YMBLBdhv2FJpM7~v8|PZ9K}#4V
zS$5-}O_;#XY??^Q*^ro*ENGpgbW1X;qm4GJarkvsZdZUZNI;e6-6SeAiq=HOiXkfc
z*U(Nuf!#@GXIkrP?o-YnJ7n|RdpCl}4=s8FL{HKod-<`%5FJvN-x0mdx2Y^zWGH+;
zR-8Ak37Rn|-87J9h7qay12f%uc(-ki-PO!h%`(<<6vnnBq<Bi8b)Ge{=3?bVE#aKV
z!-%K3z(L~!F{gP{Q9IJU`psE&w=_4K{YlF@NK-7{f!TBNn{Cq5E8J6*?ym8BJOg0v
zXN;KOW~<h<42;aARCF|Kus7~1rBc7xq17HO`b-Gj1H#)!!MCVO9$oHtG={Tg-&S5e
zq<x4Nrg{Dsz$a5V0w;aw68%lmo-tah2z(sV?}zk%@GEmr{u-|Bh!AlI2dtOKooyHp
z_Tze~NLJL&+Q#wxS*WJ?Qz$IOUn95}9kqm5%rPU30x{q~z!WSUa#31;6j4OZOF*ox
zoz2q9dfU@4J*221ZbWaW^fc@~rUc<XtgcnPJ6L=botJKGFsRo;L8%17+t&ubIdln#
zQrRFEj*KQ^k7SECkO|JqbMZ7bCved|^VgmMl4@qHcn;a3h|DoDMm|qZ3elGiir$M|
z=D?Rd6s`XC3_&9sF0X+umKXRm7(@r>AQtpJRxdJzeW&7YqHO794R09M)VpN9PnOkC
zYm2O038a-(YzyBF`a%T&7laaKM%q4J1hA9BH$qhTpz`slM|@Orzo)u+T_!GVlgE7a
zMp6Y23eFPEl2%w{-{-#gd4fH?KPtG#;cQ>lHz+9Ky5`wC`^!8SBGcffcZ&U`L9{XC
zzd4ZybeB+Xl~>yn$7Wl6s5yQU%}Dn$(TsM3;lkx#{8Nrh+;0K1_N_6@h$u7DSnpR{
z?f~*mfS>~={-`|N5DC892^YII57U#^Rk!K41mkUvv->IeJKYcwKZTeAx!KQSI!(E4
z$^6<!bP2yY)>T4wq8A-ndTd&f*yzG`Fs4pl|A`6*-o)oBI8IzVvYT7m3VO}wf2gyz
zkP|B*DMOay-lmeY-^Gfz<e^_x3b=C`pN>}M%(P30=V3{E`bxWli5LBf;m*aeqE49`
zA7Mey`HOX&+07BhWvhTc#;1vs$7v&72Ev$4?tjcFe!m}oOxJbBiS^><fjn)KZiQaJ
zyGo^lOTf^Ad%!SBfKA1u61?sHm1Qc;!yv(cSLX|O-8^O0uAK6<{;l*wiWX;Zc$Za~
zPj>H|@w1^uj3E+-2f4rfA|Qy$lOsh6{SvSj?CJOzZMjBJJx<;o)KY6MrM4V=+)r89
zif97V{Zg2<FiL4d)?`IKZT*v=E3tccNgVE2Ccjx>u00YkGSo)v!<NLAI=*NmlkyTg
zqVw8@ff0)AZcL8v?oTI>jyoPxvir88{lSZPtEI_Ab}FZp4Vll54;|0&dguFC&}LYF
zoT*;cP>K(2c{;uXv@tFWqjd6?H}jJ3SE;<-u!Mur6_oauCNz)UR{K?PhnAsm7U{`k
zWb~9k_}}<`CCZGdN;7hY7_XrbMqr8JfPJ-L^_jTt2`@Rv*=1b=bf1Fw02mgZQmo^C
zbu>OfCu}gmVVW7o({Go;lj+8k+e&6n(kXJ@{=Nfkf8hP>pajdtJGWi7{Fw!05{wBB
z+v7vb^lv@^<%Of^*6s$U?SeKFUNO$nUwd@y)%*Gqf*HgjbdurkAyFTZaBEBlWxDXh
z?8!a>cLK5+M`&g}KW)Y%f`Vdi2jAomhAY}3s&3m=IPC9Hac7k;$&lu#G-XpT7~`>i
z-jRqA!`~yX;hwX7PSiN!mQ&}%L2HJq$m0LP?d$K#GPDj-S|HHwCuf3Ttz?U1tSpwD
z&6-(S0}hjXYmdm9wv}Xf1QuFlTUczdGAj|{V@s|I{7p%BH`%yVLe@!Lw+GcN;F!bo
zgs?gF*=j;7G7>diX|fd4pQ>kH#`_&DWHp!Ocw)kNDbJT*xGK%&9}Q!^GpF!bY-v`N
zwU(PuU(t?QnFE_}=XPbq=YJ+iqPmvI5%S|E*V(huiztReLKv8C=_4TJy~Q|Tp^8Xn
zT9h)wr6Qyq0~lJmU3+D=r@|@(q^GgLkn$Zae#-Gf!V8<g?}ZbEm6yTi1L<CMB^xRX
zso?B@5xKO8b_@FSWQ*%8%$;w|^_@<JpddjhO0KZ3jZk_6wEnMHgHAmeM{zuP#OhIi
zc(8i~-70pB_v@FeoPN)Ak4!^XF3~z%Z?fp(4biad+pby^EVy!Ir+A{)X1BzWt<mwK
zVRE8Zy?$lV6q<0V>3rQCD&4_X5c0sO2=NbfxN%DUMx;m^+i%vyD8)6cg-Xq=UvgZT
z_Y*F`g2VDM;rTywIzKnxYK=wKW`RM;Kq_G#DS$4eYXw1cNl&5jv;c~93?6-Nb4M~h
z7_wUOrkAt=Ga6B3@g{`B7JpzrX%7Vu7UUVO8ru5REg07(R}h7#9sebzpwF`)GSfEq
z9QxWWB)7Iw8>vy%pnBO_jdheDHQXVoTg5!R0)fvfvqJ5c);0=4kg9#m?I=n7=7&{{
z`G6F$U>uMYtMGepoXz?B=F1Fjg77xO8EVEKqt`{B4Ty>dqmFEyB`yyS42HXd!pJe%
z1b)&QJe!|?52k3|w|;DD%6KGVvhmr@G7u(Xs1eDV_Kq_4m@Bcf%bqG=`PHKA#E^$J
z-OmDRm0kEn8M%hK(;{_GGc8PYu;4o{sLdezy}$X#EZ8qJ4exQ4Gfq{&2AwlqI+Qdr
zQ3zXpYR`fvRTTyQfO*Q~ulus<%GNByGWsNm)s%1lG4oF4pm5-Am%8aGQ8go`U1O}=
zQc~@ub#66`gP<M{Et<^?E<{@(mx)*{+*WMvEgA`RZ$gC=$c3SiOqUx+)NwQ(F-ozL
z8x3YNVFm<jq2a${%5`!3MWhdL2=}A<Wi`5Ix6MqY@{X!C(xPR)jH<L5p9?F%@~Xv%
zgw)&vodNPo(5}97S8+CFQdWUaPmxsMb%LmCI?ssX_B5V;@GQk&WC_a_IJF*dyVGTM
zj4fBmZm-ngfr}i|ivjIwuE7s9mfnV&db~L%>pvQqC^|JDlc&1bzYs7Dq3hQ=%Xe5u
zqo}710au!YF7fLF2_>7*>wW`7iy*Y3R<y=G93foM*Qn9<8s7mE0+*PzTR2)Jb9Z<-
z*bB<R=Q?Xx2%g|{0Z2)ybS*AiQ4b5ZPkM%$mXv)Q6<r<BXCcm|&JunceHq9DxXh6}
z#?r7~&qPU*QY+3ehw@8vF(cH<C(-pwLkWWz$;B>{Lof&Oi{Ze5Ry0ZqcIz-jMubCc
zn1X3}1j+;{vi0yRl*8ron{s{YP(@N{c%BThvfP2KN<C(bKZsVfe;oJzs=^K_Z{}|k
zYR=yd*yvkQOW$}tnoN!o-#9_3ADOno%wNlAwrCrKqFEBGCcmm#vsUt??>da2RPqe$
zT~;t8OUJSl$k1TZhce|isrGQ-GjAv3XJvx7rvSsge-|yX7EGs(iL6%nBbIL`|DAfb
znZB+q{&TOj`^5P14Dd&Porf$E=s5|?@{)DRwFT03OOpEcWhT@+wC2rM=gp7j&0nW=
z@l32?GM-7;o)Ky4lfJ81qmVGfIZseTt3{^nci=o@3zJ($L92;YWK9@jz0}Z|<3tR*
zB9?PYD%<7o1>{(qB6TH?R7->cU61Dorz0TQTuLQ&prpS1eveHl2V&@DZdkSd7=F`p
zE~>-82du-r@ZbFx$S3NRd-#>oT0`T4`R~b&DSmMl=k>)Yvwd4?`Ia7Z!e{CC7oXUW
znvwORp)Ev2M<1QXD|28bOEuM7;k$cGqL)~HbaE8c5ze%qDZc&ZpZda&PQ|m$9+1=8
zF`%xBdH>Zz=;qay0K4YO^-%aMriaEO(+VlD!cthaQD$&valNeeTD*|UQ$x>DfUv9<
zfzT3UAyGi^W1Yw3YC*bT_1;eT=?%YL08K`0X|;rJ#M2=c_&LRVOx{)S(RTOp1?0Y9
z4k;r05!S|`FWT!-`c|vp#EWC(V}1xhqi7elM8ftFGCE<ES}1iFG-+Aav7<8LW8-kr
zlKc+2D4s0ABtatnBazYNU6WPQ+$I`Um%@)yH-6vFa9a)SEbVY3hmP2`-*O^Go#=SM
z4k4G#<@3)BfJioSEJxi-bv!`gN=#Kf4%jk7T-B+FqHy=4p_Z%`o-H@9mToDb{<ri>
ziQC|_r=p#~UZQ$K@D;6HyqNjX%DB7-9S}wfs;jw}3OU)X_brxDT+B=6_Tc_jkETS0
zo=|ZVrFPTU$(kcPUZ@2oCJ}GcpbxiJZ)tDE6=_+JIdAD#EojYir^OR@=Uxg5n@qyp
zLxFWHCFHW6Hl-U~Q{<LmQ?0x|?6~JoSs8CTef$GdUPgKf$&uY$qx_n;tqDE|HQ}?*
z!sKeU{P-io_^f#9VLJ5~$#_4sln9L+wvI<YMFR^(Y<}k}nW(U24-+<WwsMN3TdVF5
z!#g!-B=V?B&J_bo>sg}8{LskyY>D$3k?12*yB%Lbyl(3de6;4Ukbyl#Cx9-M{aJaT
zSUoBSu$t<{>DNR;`tEKJSvhsn>)FO-FZ&~Gds-M@LewLSkPoK(n^LJPYR!1qTFas&
zH?huASt3g|`ey#>)Jv+|NEbk)66z4o7%F?x&y5{nK4|R_D@%%kG9J(rc7w+4a+J6L
zK|{fEo#jJLokOf{$f>xq3@6=YpI@mgWC`F5>u<O)CcuTN!<^Z7lr6A-R_`?rnu^RL
z-+iA0Qu7{mR#=~dEP+u6b^c-x_mNKz_+67XE6Q432C)+@(a`f&SkeY#rZfwkNqAHU
z2C^-kcPs*pN?GJbXO)j~)P#O@Nd^wIaCgQX@glavB|sBVmdR&FWcW7uTq#Swl$e%v
zNR?j39~UDAH5@)&Wz<GVI}zMNN{ZEDIY2Wcg7_oP&3ijOU6NoJR!^JBFW(RpXYJk2
znMwG|^fvykt1{cQdK3;;MmM1|QVL(Y@I9-dO-pX>Swxr!@Z@j|G4oUE=}4Gpz2PuY
z%65X)#zMrm>pRNN<vZ7WH)f41NTs1p*KBi%Lf7`Cu!U}(d5=c2n*Gu3;q3A|CpAQ!
zk>sT!!l1=XLpS+L<9*pr8Pg0jCg!)Cn*Z`F6_y+z`W0K`xX2uLuZ$AER9xloWAqPx
z6k(CnE+-D{Z*Z_=x0L0>pjW;*Z|P=brmDGY;?I8CejzS?;)0T^v3XYL4PJJBAY0F1
zuAmRJwM!i6`+7zYS*WJI)jeRW!pkH=_k(A&72PYmTbi0EN^Kar1&=Z50=9smokzcD
zu%|H$)^6Il`CQ1rn*5yk&Zz0ATD)=TI<%V!=>+)-o;nMZ=01G4RK|AxH3=&E%Elwe
z#SH8N_0&N~5z>Ed^{wPk9@zqy?B&_8fAf)}Dpux5vQSYDP7s?A&atC_EerWJMJ(x3
zCO&cnhjZ;+CuvCc(OKLSbLZs)H61i?hOi&LGD94y9bUI!qaEMfB9HMLVZxiNNC7TC
z8TEI+RzVd%Cl@KgNbS46mSs_R?Um}gZxR|1T2S}Coj*`~?w@1@hyz1LY?<8CyQpGL
zY3#(6xZ9~R2j_{_@ZsQQb*snK-$a*t1T$U{+A3|T8mj4;&wu128Q(`6O_0*yegt6)
z&^^;3$bOR5A`jz}hR7)anL{`)4QQ*A2GB3b{|2mqOhM*IuRg1dVR3!>9-DPS*BbSD
z<6-h5!TT0NvYI^E%Y3K?{|g`WuREJitL+MRB`hgLk@Zz`fqbinqA&2*s5nWd%xXTh
zRCtI7*Ju+Plag#l`eQRy@nK3cZf?coHEsvFBWZubd!>s4b2sX}0iT(bx5Zz31-*>k
z2*)Q`85!#PkY5{#yda%y^+u=G?{(0%7~W9RB+>))9k(5g<X$)bOcjiuaW4X3pSql>
z-}s#AjVV*D2*tY(1($n$@&F=5|NV1=Q6lpPC1311g#@U0OF$Y94h^YBV_&N*u5Zr8
zP#a!M=IbyJG*H)wtP@-fGOIBHF(AXfjkBHwr&uJ}kmQrU{Z3sA$|);E)-aK&D=je{
z6bwx%B`8J7E%vJ7Et<R@GCj=I0v5lOSxRbAUlQ)dO8$+JXX6mz>WdC?H(jU%_Be@6
zi|Ja;Ls57TzS0a$cG+&2-2$8~%VlwZ?fLJzV4!^@I#e6U1>8bwS-<O$h%~s#9RiBo
z<{xlIhC>ORZ{Zx5XGp|^mPAVCR`-wN65m7fx{zqelb^#8gu!~2-;q?1(Xm=+QKX68
zh5REFx%P=hqhNY-#qB79mLEqgV^E+R(mcOD;67T+nqxgw{q#F5^AogW`(Oh|?Lzxb
zNq?HfbZSkIb!rV)7cQHWV0|5b=I}Q_Vr@p(dB{0$vA6&_vp=uzp#O9d=EkpFI{i5C
zhpp6eN{=9OfMCl}Va-0o&#J!>iO(#0)2DmakJfouPauRcW9P%@MdYak9m9OtKy6N`
z4gY@WV*m1Tfh@%{9;G{+Z-6v^86L){P%V>_P1b}$HfqQ=vJ|})(|g)?C|8bQSM#$Z
zBU*11aU*jerw$Mcwp&)DsSJ{xL|ah2mP>tmZFVI~9_ky*7Ml=@y=sQ*386vL2IpcF
zoaieozgB+yDdE{il|P%Gn;*9zi2R)Q8{3tt>G!0Rt->T4)R);gT~$ZmL&E84$bI;m
zcDeB{N4NtWY>Fkf8um{3Im_E=cxqCF9u=L<elhrwY$VOZ<IOfNnkGrjDAlhkzy2U=
zCg%Y(EH<b%h(m)n`e+RqYLImAm+}bvbj#CoZ5^j#N-Js$RUBFOw2dpR*h?w)Vbv<Q
zS#&lf$a0tAwBawK+=$${7`hBGE^klo>=Vlwa56Y+kyVFrR324Nt<p?oFG+v53EG+S
zhb@pD(_p%R$GGCcPiBReoz8+uF*Y=IE(Is$-d)^QeLO$q8QutYkPnRM!Yd(SC1~N?
zmmU3xrAMxo048_i=Wup+xt#0#hF4qm8Z{)7ALUidCVnKrm`@t=Ulg(kB-u2iPoeQh
znMlc}#Ux~-p`$1XkTysM5izkXw;xF|w4X^@VOtweCY>sM1|)kFx&<Dmt$vV}oO!Et
z`lT$%<`!-KuXN$ec(R&PC^%6bd@OfDk~)?C!zp+Bl)t)=6w|``$6S+gx(PV}VKU*e
zEIFRa@wT${vqn?d^9#ft6w^;sVjEjXL`n0Yb@g#?EaVV7n2{r65Pw%qYCuz3L<A&-
zw1tjM+(`mcwhS3CRDx;^^+cs1{lOB)_9HDnoC+%nGnL#?#eTv*%W7_!?4jo1Zh9PX
z4ap2Lq-dU(d4*z(!H!J~)@46(oAW5f=&8qTu)K8;)bhhC?wO?GhY*S!>6ro9%J5KU
za=g0SIMKX_wg;LANI{e`AB|Ppq-1`YPI@h)LZs439q^Bo<EGveOwjhXg6xvzUjb(1
z`^oCbTIg+MpUJ&zQO*V}M;WX62V4|3jMyXA07pnsjH^OUOBBr{Y>m|%2&4HZ8K<xY
zv>Idvfc}1UiagyUd?XpAyg@l8xrF{gCOt$+^m6NTd{DE+BK1O!m8sY^bQjG5QY;?A
z2XLWDMy4f0o7lWKyvBu@{^^`^4{_GZixQ%{(C7qzWJ&Q|X~|;x>|r)_Na#ko`*l;L
z#rBYwi(nHe-!xWN=g%(68RC3*nSQ2GhqM$$A#*onFfM{2YnE`6ztbrV8(o9zdX9=c
z7+CQe*RhG{P7n`*v^EivfUHvu;lV}=j0401L9#$!efE?_ntXvK*Fv>QqI#o$FK>k<
ze?OZ>dY32%w@n#Ic9Ug$i~^-$v(;5-B{r!vjCAxA&_SIZfVwR+AU^46{Uhuxj*G7$
zCePO@z@`qF9Db(Gj{*hWoL8hLSbXWWP!|L>b%x<IdA3eiXYWFj<`_GkORc3{%Mk<j
z_d-2xw#Au<J1Q?>Bo(47MYIvrS_?u7)-1$Rk?{1m8lO%6<v^Mhd6DW=uHLH|`tcUs
zsmp8=Hip!_o-bOj-URPXUpM95WM3*++p1jn_3Hm1`6O7{NkA%&9iR86$B&9H?aT(+
z_>@Z`y2RC~;r33hH1(nHHK$zLT7@8-LNllQfWJ=R%nSP3MnW`=)lsebFT$yWSHVSh
z<(!O$P+7DhBb83dOisSpZGZX;0f%a8Yw#zo_%JXX^A4j?fikj%2A--Qit$Eh%@dUU
zj}r0oWD|adPde*JIz5qW&gBFq`yx-DaJQ=rrZMK6|Ao2#aS!PdI4~JYp{nFD$y(cu
zISEC+j@vJf-}E<DCn4kub}ZKd;0h6p=UWquy=m!B4EA$x-w3I<q~%6BH^5A1^c1e&
z1o3}F!$YvDPnBZ32<&{^JTgsBu(z|Bb@`eBZjYNUjmtA8ef=Szbt%BpLx9)GN(}_B
zOw@xCp*80*^{+QMB|$LfFtZTUE;b?KDMGozszUmmgy&1dD+;N<)=w8Rd3BlRek;0o
zO&nt%&GAO^7es3y82ph}uu@A6VQqsIqSh}X!x%h7xr|p~+2bV(cs?D@`<KdMl5!=c
zcU7Z%yV2436!p=Yb}*u)l#X$NZic3#7aU4O{)h|7Yx6$@v|NvV%bbPtYqg0BX`y!x
zA6g#$`iSfnE{HI5s=-q5ZNOpYdaRQvv9mE7Cg1Tl=G?b!lgY!uGfJ4g1?+9*M^WX!
z`=|v6&~%z&6mb@7y6!Uykg)}~eRN5eD`kpayX&sb4Bv3pxL8{^{~=$Ace>d<SlK+H
zlDgNtrdvy;Kw-HeuUrj$35`4z<qxm%4Y>}YbqKRpSd|%8&ckY!1x_lQG0;6M?Ic7m
zNYD`pEO|IhlEH-d;h@0G4=8%<Nq2yY)8_!0tuUup%2-}P(Q02^h<pJFf3=Me(mb9l
ziTZqejgW2~+uK_Ffke4}fspxXYzV4tU<6s3^I#5LL`O^?%_0$UiJC5`+qzgqi%<ZH
zB9M+>Bb8^jcAMz(F4Pu@AbeT}^4j}%dV3Ws<S!zVw-wzg7xYIWg|68t26|ah8otaI
zf{Vmaq(8wXEuHfYP}73Ye9_!1n(nD)m#z-b@mCQ|^2TBFtlmY07hkE4;MaOo<FLjT
z*GOweEDPe=6^{nv9t{p4P2wn#Fi}k@fpL9h1yBM|qiyJdLsKv`Is@F{5he8@Ojx=+
zxLUMe>A)x^%q70$PFgFO$IuAyBt^7wakI3ZtXD7*>IUVoc=GU>VjYx^Ry>3Z#ETov
zN85f1`eX}6=Z-dh#o#JovYaJY$JrP@n?~-LVz(-Mdl~P|Fpt~YO%i^6jnK)AwbUkw
z70Ry!cQ*0Ikj;PFyD6xYoGvA0A#+WyupcA{X9=~n)d-d3cTFS$vW~PS-dAWc9ml#n
z)H65v<<kWla^+(9VebDVWqOi|z-H~l!ewYP60Ku-QNA-k!D6<IFjb-ll08s`zJqDT
zq8E8jC-uzVN1;hr=SPF`m_Z$9{A@X6`;_^}x0KGBPzL(IJzC^ZE}YF-_QD;L5&mL_
z9Ca%vaI%ELO_=x~`TjB=<6wN5jP9lHUSB_@4z6*l>0MNn=$rgRuz<oJ2VSlsH-{kF
zqjBbg=mgo>4liox&bP(E&%&o`3#)Ns0{hM*#+O%c3gnrwGF`1$JC)DN(FvogWNu7`
z%D#AmuRql!Zroab?U<a(w$sR|(^N-zk|B%H!$V#fCl+%yis%NsEh)fu5~^#V6Q{I$
zZK#?!Am*WGEtiVV5)1pJ)O*U-h#~1^P7j+c;n6F@1}a8|Zs{uXL`Pw&qYtg}LgTgF
z-=3$7R>3}J`whuhh(X$!Ol0EXWAHyRFCa_L;RP6eM|!0qC=xdyqTX)WELrY6Z(S(t
z!O@OR*ASvU_3kJ@Xqk@NV#BtScOSKJy-lNJ-`<{c0+U0G__^vY+b*y5q!RW>WV+df
zA{Ld9qJ9{03o^9pK=`f2S_xpXMqH%ohg=U<OXa9T%odH~(O=vzhqWc1tWSz})ME=|
zc_j$hnFA9BYmne?G~gM1a+(3l02keII$eV*3fC}NI13Kh7_dN=(q4x^UVVVmU(qFc
z09s#DWrUeknM4s|y;m*BC`CSb8Z(*VpBd4C|84C8XH=2IZj=uZrd;^>BjGazOI4l2
zDx|@VH^(N7nb{kCDoxQl(YjUIhUk~kt+G(okl_Y^8JCxj?8sd%VVvNiP3v@l=dDMl
zywAJ)BVr~myP?YWUg=Dhz2d8P^m=q8+H+YenO|^~W=lpz4*#I%m*IIYop`lX)XC<z
zeaplsr%a+N&)i!oadlLnZHS-bGa+$9SNb@domlBUZf;qTiKk8l&BF?LRfHSKj;xDE
z7^7|*yu?oUExhFDOenlA-on;(h$EdtSy#qmzTc|}6fcT({JvWgp|WF%LKETm)Ciw1
z>neu%D~obc%DeCnj6H%*>7rtzgh}s8QFAf=sNq7YfeEB8cH7*yLAB19;HelUCi45y
zJn(!Wj^2IyMdt%XA8MhM+6pN;_>n=d3UNQhD@XJ_yK<=;0)X({J<hh7VZa+C>|SN_
zmz7ivw`pk9w`LhSeSd!hK~`C!jr;!A=C@;m8S<Zb@~^jA(=db9j&}omL-=C5Joim+
z-DxqlZJ8*N<;OBo_n=oC3u_*|;R265NN|U&xzIj@bRNjsEH*ypv)0QOD7N*-q`L4m
z>@eet=n;A%dQ>kyL9$vwS?0ss4|qnTNP}~oPvqPJ?}j;VMwuqV{e*_dW0AKib2A6J
z57zo7tQ+QH&y$dTy{|Y#H7qam%VN{iPO;NWYwP0#aYjE_qH7sdtD>DAv3jI%zF!T<
zI1?3v#I&<+00n~RP?1GYS$gUgUP;!PJ9MS7>yY=Jr**@Vw3|m%X>HU=g)<1(QShq;
z)Mn?GgKHD@bH{fQ-^Rxdv_^cKPS-O>bq-nO>uH7`+*<R+iQz!!u!SKnyh6<*H1yg|
zC=$u@qT7oas9|N+RQackgtD~tJD>p}iBDkz*+~;sc#`D<CRhBh^t{h<R$D%9UEjk{
zh4g`MwR*93NSR@w@3=xTzW3zAX(X!8ylvjDX)o}l$+8mo(hGf17_moxNPF<*xGry(
z;ADsW47;g{QP`6`6(zS~xltBq3u_PGl&T-EZ=a!*&t0OLV}$f=D{kZb0-us2A7OUL
zGd4RuC!jzo@aC6Iiy$am=8Scy!nM@*#4F6dUww*S2ua;GsE(?cAQn__VO05+qNwXv
zpz{iz$YG<PP;Z1dAz_B=zDiIYOLjmixis&R<9rvM$mEAd=IBZon_3k3=P~8E+|n1F
zAqP#+jD=Iab}Qu$gnAb&%T=CN98~O}3Jy3=uRHTEs1T<POqAJ4EzQVDN10SWpqvFW
z^ISUeKt9@)bPt(Z{v23!Yr#WA(3u^pb}{GdXCamAtiDZ^F0F;xj*Nvk_x&crP9dnp
zBoh!*ww38K3w!}S#cP-~s2mjJl2+{0;9ti|_g(VFNq|q3Uml{vuu?m^e_Um9!V~9d
z;oZ+psPoEbKN2GM%6oi50ITzAu58gVq!HBZRU4;h*Ocf-4-ZI6Jr$!CI0rWGotjQ<
z6meL3H)pz3Py_;#)TgtGRjf&?>K43tciZxY=@JH80mmek1O?;@GMl&2NmSjO%Hb>J
zq1mHmogq;_>#oVh$P@YVC{infRY>^Bq0)~W5s*P=J#dWHltWt3Ae}yGZ<{N7YW-xt
zhRBa&cYI+C7P@Vj<`3Ny7P1q1SU<oRxBwH{(eT3}C7pX)H%?!JLFqDKe}NZU4$M>{
zO5;Efj=YDT@)Tdp+VlI(S6@nF;=H6~InE$*E8ym{*&x%}?l~6z;n|2~OQ=B{ar$d9
zd5)dF`{o^<RteFgdH^f6{hKaslBIAlP8(R!Gc;>gKTVQen_MhInCTh@vgU>UN-U>W
z9PHPZ*H)hOoTi={*gGCJwH*v^Gv)mE9qV5qOvhH3M6wtrvQ%?kuEvc75Zu{*H=Q$3
z>K$1aQI0f<NF}Yo9W2>&QShRn^T|nIOm~%8c^Im!D-DFHz?8>^ZNtb({mba4)fR4U
z?LNums4}1=S``aX0nz-Vo)&CS+9;(Rv_gpVX&8w5k>)bTklD}<?hQvS4sZC@mQDL#
zq6c|*dP}s9pF?pUqJ#6%CRp{z9)sP#4+Nu}fTmBiDEYHOI<BM_m{pq`d^>wN4;aGX
z_p$K4ik)7`=&b5YAGd(ylm%?}g^rmc|B8M04{hu>QTv5zt%StjWQ!9Z=50Pdwb~`@
zC#~G@x%lYr9kP!aE1cq5hnm*_dbZ9Xt1j2SWwqMNB{mz@yi0|O_|W87NObVT$Fixl
z6QB_C`HnRYQyo6nSmvdL$|$ggmf`g_b^+cz7_*6Lquo*6SxfkBtwO0hw~Qzhe@7b;
zV|5BEc_W+PvV=3Xgc3&33lua9de0#Zm!@RI&yVylS;xgpej9DjslaH#rOn#wtI8H^
zkb`2&Fp!#YO_*pX`_=C#8JTr#r%2x=tmjB)fUv>7+<+Rd$uxv>I(6dJ+&fF4oYzUV
zqwYm$6IpilPuKZNMLORd^8LD~kxWHy!VC_=bOGGzCg8z_R<CNdnm|iMF`W`TIOOu&
z7Ks_Wh)$;@p1m{b^EMP?z`axVDRYHAxl$%)X(-N4!sPcY7OBlsdIG<0orf4R^fLr6
zzuSP;=nvg1Ls|u(A9hxiWr|m&^BRr}9qaw0&9^TZXT2J)<%=FCFt&W(GAuRCUusEv
z9jl4$;44|Rj`AzvZ-hn7$*<1>9xT5&-dN~S0SDo4(vwdOy{mU;)mF(7N;<M>-!F3E
zdfR0%IPNZG$zFP!bMs8je))=^yY#^5bMz%+yIcj|1Mt}UyD%w!sKs(a=#A6qSB=)K
zX~QhVrr^bnnqa3CL($hl726++=SE6#b^YL%tGtK;OK^%o!>3>uVq#jdP+vH{$;pK;
z$6?`dQA|7f@lnWc)t)a-r$=$zU!bpHOfutD6PKNdfnDz8mZw9Tl+M)|tsL1g5b<Fx
zr;E%|d4{cErINy0iXMk6e1u1`)v3*IR?(YL|M)A>)jBg?dL)-@e{8=>8I}YsW&MR;
zJGdQCFUA*Y6VT^sEcSoPtjgin<4=rE&(BWuJ~}?o+MWx{StaW#j>9QT-5XjzOg|c3
zAX9JYREm`#U4nfee!1{Bf76<JG5acjyinrn9DqXk=$hB0VxHW$-{~;}Tn>@r@zpf4
zuhO8>Fa@=_(5ZefnSN-rxhs1RMB(Sg+vkGC#ABN8v0d}bgr}{r!{IE`)d@#YAGVr!
zQuz9jTtZAe-gg~O%a7D}AyKzhcbWsi&?R<`*EtMV?LC}d2fBas8H|1aXF8rCv(*S{
zXiKqCV#PPJeuAMIV-CDD$xl{l)`))^xhk%ywQVLps2<XNnZwCc`<G6f*&x|4nLAYx
zu^fjO+i~2K(nY?f&b1*y)yg#F8{EYrFDyUtO<GWk9yVZHR^vTv!?Muq6UZuOe#h8P
znrDaBkUKHfS&2MYYxs<s`jV!RBxLg{p%Uabk!`>9%O@cGO5r``w6qW{!`uM1l&R+M
z0Vu%6T)2Jfz`+OrHMI2TZNL0=`HMQ(UykC}5mkbdw2I132m-0P85hlp))4o~T`L%G
zWOKRGIxPI~vm)NlKV4~mo99d%I^=?532&g#xmMii{w#k5;lvc9UrJdulx;gEq29#_
zZ6B{mU`L6|9ofii8N-vR{U65z(7j&uYPG@X6Nhir2_9oTlUX@6J5YbSFO^$?S-1Ib
zCN|E?PcZDxX0Px2m7=LX_M=t?Z$YSFF!2`(0MR=~$w)!+#rH=^m-&{@bYmZf*iou%
z?0&RQ8sm>W@|`k}6XRuQ%<UaCfA_%F=Fn9ii?0d5^?e4@I$KfCkk@6y1^XGEXe=4c
zqD2v2DQdV$pl>as60+g<)NjdWNxGV*hA^nk7@`hl^>7X_ViKV-F*0xsAH_efF-?*s
zrkfeEkL5z3c!_izOvw0epWixu@hY|JC7Y0r+b-smp~4po@-^OI@`9GGJP*=4MQ~VY
zN&F-WJ$#|#6(M=z&En;mTa?%)%y#${&$u~M>X%x=3oE@XPRUeWm~^{fe=--OlEFkW
zT;P2E9rk;skn+zi#m=EhPD*4Xg{A{?zw4#XUUOzyd*LO)TnToj`-dL`HI77W=j-q8
zaDR|0y!%+4hrZMwb~H{;2vcUYOxy)|wb`$K<(i`=K?^MRe^NSBpI0*(2`=+gFuA2i
zyvh{r@!8(+ys}d7V)T}rVP;o#0#^_ykrjJZBm5t-vB@5Ij4?APq2VB|8U@L4h?fwk
zhzYoUv=gDg(M<GsAl-)<a|G!61UxJq+8-mOZnz*WZZEjK^>wI^VQCKI`_)baK7?QB
zTgAI6FibFz0K}dM9ld_TyC4+djqy!WXWx|)*(bAWM5P}^!(WybKlo+N>_yKB*vKuY
zWvD<^Itx+Zu9x=IM;V!^!8He>MFQrzj5J5$i8+**u|qpDu)(g?yeFNJK$L?8RF4c&
z82*q;`mf@B$Yp;xm+Z_MT8Qw`R~LRW(Gg}<m*P*Z)DXZ0akv)-$)_@08rV-kkNzrf
z+rD{aDyihd8}#6D3E&4}UDKv_C2-^%#`I?y0knh5Wz<L3wCQP+2-bxQ{@+N}OfR;4
zp19&3tqlcPo@2sE93?;5Y_Ky#;@)1uT6(4<eM*h7v{3^$w+`Me$+xYqPmMSk>y1u|
zWD__>NF9)sO!GFgET-BT^A1YIGRwu9@xK|)C&Qf*iq4+i8+WuQ-V=8hl^khlPltUn
zD|x9ZeN>>wqqX9HGOWYNjAr(vJo5U=2CEMp4%QgSSyT>5%i+{F>B!mWAQyzc_KY+<
z!OJ;>i6`X5b|BXo(D&DgOTG=wgn&yp{OE9cRb$SzzO)GN{;tlTcr}78?9VJZb_T@b
z_`F9|iS0pW?GpP*K4qGdrBQzSF)nKQP|LE1dlTWPl`YgUg`=2gMbF@jR|2_LvQ_&v
zI?9tW7Mjc9%S2?8(`sp<o&eB|vt@Kw<9J8yksxM0E?VuO8>%K9c&;ztGd8}7hNRS&
zsf5n#6x@#$GMC-|r9NGH%|wI~{st}ivtA!+E(fN@36{<7_BfheHZGa7k{B+}jz!5?
z{{+IQ&ZVg{ZhgapQZtyC<<v+PX8yW$CFgru{P4i_jw2+s3`bUr%q09t?&FJEd6Pm!
zL|@a7>}H|2@c{>fsP(tg=xIx?HG^tpe4VoxXQWqaT7jXaWp$=!;iz=@1B(tXVZgA+
zDiXT}RxFQp=P^@x<QRjRDw8&3{JpVYeYAlBTB;rJkuWYvRfjA}!?-Xd4+_fFt%VHx
z=a3<Fkw57fh{@z-jo??Z>wdHcH-kSrKZKSE5gXZyX<mzn*62bnN4oOko6QcYayYkR
zDW-!t%f}Pk)fxY)B=EhHNKGc7L07<%bDJGqV~&sXSA$2|jyVhiOp*sHAjTP}M-3Dn
z`f7hulbO*K-E5C6-Kv6SMI+^4mhW}IDStDo6+pyM#e>r7YB1nz<ZL}9hpUwUK=E5;
zCp#Vj`68>vbBH-UmH5K3?A8gFHJYldnR<6xei`MP+(s;Y2DVe&WaY(Ae7a@&6tP~O
zJ^}n}YU-5q!7!v6Z$~eEWr7``nmka4vTbY?a!N~vgtz!9fb4Lo|1xyWD*_;y?(|L#
z=whTr$bj2X`K#ba`5IIMe3H`p&N!C0zKD8%UZL37(4?34pw&E_01RLCG!UN(Pl0H|
z4r?5yJ}AmT?@-)B?xr^mm#YcjTQH3caTjjdricR7T%qzilYjr2$e>f(cV8mCsWT2!
z2JrcKUySY7|1#p!3LOcLS(4j&_Q(17S$pb4{B{O6)rCmb_(zCz)lgFP11HYmNq?@w
zWsQzO4GNEIoooh@muaIqedGZvz9o?^JdpnZsW|AjC&3uTfrb;MzEto6GrXX{N3p5n
zy3!WUwYyXQ@Z$n+If$pmSJb|y++PwrNk5qcRWO<xd7-5$AwjiozfYmc-_3oy_meNg
zQa<(O=!mYNgP7eEw<5j=O2&7>OGwp_rxbq$jYh>N;_TxKs|)4z?#07}4V|m7S*<Qn
zUPS(o!d+ms)U)>uzjISa9@UnP`auWjZ(QQjpz<SH0uNd)RQ%h{wbDw3@xsQGaZ>gJ
z4;r&mjKJPk?n7s)FV<J8kaAy~WogM_6j#S{o1ckO@;e{&$Go`@l*QyhS0uww2$H3X
zFi^uYb)rq{uobv;??JsDFKAlKchkonPw<$Ban_4<9WDiDdB+sioF^x$#%U^`xhhyQ
zF+JlE-wLC+n1kf+GAHhH%j>mb2D1k{FGE74CeX=5Fq+yHhgs?pC8=G1L`&GwMU8h5
zd9%GoeT6WaKH}T9h!q!|X)x(-?+oN=v(7SK!n>w+D3Nf|@lQ&6TB=!<+ZpF;w60F?
zu{}rwuQkmekAwDX-YPA$wYHYpxHzsU#LSmMZzpf-(ysuX50>pPlbR%c>hqAgxGs)L
z-E)IYGMVXKaUfaxh&7|^XRY+<FNm+zl?G5?6W}DG)J5Vw^J?q@#mKrZst?kxm2jim
zhDE-PZywpF4SK!5*-SdVMvk~O3LxKgxZd@oV)ab!8dHRXg6a!d%Hk7Y^4$oeYdR=Y
zU>>hHNF+{A*8d71LY_{F_b*SwFdwyEt%CvVk`3Ogw@$$Xjs0bBGg9ebCB4dta$f~_
zIZ{FY9#?0G{t!}y0?M>|DQ!D+x!v)&R(VJGDr8vACW1W|lSd4YR>{F0)6#+QxkckO
zY>y!AH1wGk-A+$c(%Ax<TKNH6-iRYf9ZKp2c;{G5N3Cva8nz=*$qJ@+@vFn;LrCgR
z46+Bz`0P}Fn;a%VPtxq9lR(h37sXfn-Jj_=*&(pf2SzIjNGA$O5d^f;LmH+`SyC^+
z1fXW+A<wjZJU#$B9&vB6)z-v^lxb^ir_>C_M%sE1k+Q_zo;;s_$e$m_0T9!ALXRf$
z=h4W;?IwnI0=^S%W8~umQ4Tn^+@Hm4$K%@wXjoej%>)IvCLe!B>PHrP-(YSD^QoOU
z=yh8AGlsc0LigcxMrVI881U}P-tEI{(~kkEK=3uKq3OrIelH!r=2{0qmSQ^h-@BMq
zJ!#&R_lQl{+zIliGV9VBOV8gSAWoay1RwV1WpK_+8j+8qh6_}T>P*|4Ah`I|-LUU_
z=CDksq^XrDwzoO4rd@lADVPz5pJr6-#MKP?F)GI_Bza*uu%4ogesh*{(3L8WI`&(=
zrPuW!^iF?;@)qQ$rxc37vNzg=!P%zWb*$s1@nR`?buGYk8PJTO7}pzM)8V9><G?zm
znEMG63#@;=fe&F{#5>ZNQLR+qa#{s1v0dXGv(ZS-9>7s!UbvLLQ(lKq2*(|e8NCj9
zmM^tU;ErvP!LHKN8;`eqh>l%p-cE0k<eBQM!w8I$q$#jfi=`!<*D+k(hlMrSjPPal
z(%Q5!s~mM1dd8sR$@17#&Sj#JWkwL7V1d|11^jm6Vq-EAE0YO-B2IS#bo6}1!zn~B
zL&braNuMb`ya9+@hGRnX9_OE$^alsOztZrfAV03h40fjXOlFq^exo5>_LJYl(bg3u
zoTYgaNjExYuZ|D?@L^s4#-9Cq+=K7p{A+$iOyy4)#*wHrKljA-g7K9VnzhJeaEnON
zmZ0dD1I+x^&_*<2CFHbCpCXiTK=^Hw6dr9+X+R1BlsYWk^!+`7aM;kh7LG{R=ds(4
z*?>z)Ogy>qo+YgpensBMI3N=INAfF>It?1i3_H{~{}XVfku4%n8A)`mts!Tca5mDO
zP&qF{&AmlxRy)eG-?*wAz|Ff>j-(hW-!?9LVH)`x!948V6>CZt%9b2Hcs=jZlV@Gq
zijIjCSUcms4*OEC0?_vG_i=xrDN~EkWLjv^{JX%Ak(0MH+*H9JvON{Ncki=>y^F54
zXv?fr0+`kq4Y1CW$Z70(zoXJ>8uC)yf~D7dPjfEMh|qtsy73get^0D>i6eb#Q{$w)
zWATfPPM743s})ve9*bGTByqW6*Um3#mCh%(aJO-KyS&`9%=}!5^I+;<*QcP@=MIGh
zRHs}-piz;d&hpm;L(Fj3HR4=UHuFNxPU;e4^L&W{S%cWb#I&baX}0I)XF&axNcxUr
zmKxI13<?7Rmnq^J$70sMk%eQY4*ov?Xh4_0`j^B#O2iL3);OF$qZ7YIf5}|0OwD6y
z8op$#sIaDd1(|3rTMXKe!kcN+3U}CD94l0lc<Nj$f?5e}W+N^@EHW4p3G2Eeg4cdq
z;n0l$1fhfIK{o2@W!lpr1wFql6FC5R7QhJIiy@n8A{ZgDTE)Cd^5Rqs+X4_KIfFrX
zrp5-~yV3Au8`_ou0!G3wz3(&+!LN9=czIS1Hj%K3k+8R7g;P@W%>#h}mr#&~4AtoX
zrdn!q>+&1H<2hjGJA+^Vd4`myKx4$Gl0qF82#iY8IIL1A#{()J*Q}W0w%I*RNdzIw
zF)ETZLs;~RRU;)(ifxP<iL`+Yw><HaGbGzHJ9Co_wlixECz6g1Di&~f^b*u3K9bI4
z1i-wAQ*bQy2vwNb1%_re!bP$O@d@c_Kw3=i%p9oCVl9ZY!8c<p+8|?x5<Tb#nf8%8
zJ4Ue*hekVqG29a$m6HUXV(Kdm8WLz^XPqJ&I24|2YHBnh<QU+LS+)U&*@Zw*z=F2X
zb{z)VX^MyoJk%cSWsuVb%3`L3@RBxQA!^F}?xIo=%n@rMMw=oW)Q~YjR>oDHxl$=j
zE2Qn|;|MV^^BC45YR+aXF&PjII&xg9A7iYi5*cgZHpY@_6I65sLwc2t0~Zj$QUj(Y
zpbQo%u99i=K>5VP<w2MTJ~zxQT$8TOlS+27Ghjl9JxClv8nX2PH>MHh%eW4Vj?*Q}
z!-#a)AbvWmI5+?(Cg-PcPB=5HjWi5zPpwhV8*j2&$2xGll9gnR-0D)Kk;0ax;!{WA
zxqWKv5LJ#4L8#CMoTCCmvatXXR<Z^8`d=8)9XSW1Lro6LfM5{sQy_|foe+Q_b`(g|
zHvA?+N=-HdNQ(j!sE7eJ!<fP5rXVLOjpbU6S||#8GNDg#-btivw3@x%kT4xWRO<*F
zA%@7<Qf&c5RV_0B(OZBazIqTSbIcRslp+6GGM0^{f)4>BGP)S~B#ff~NUQUV<IfU|
z^oi(Hqec<VysFBBWaRIyHk;ffqzAg}$v^vT*gHF}S|iZ9BA~j2s{B;)u)cQbdPW3%
zIDHr#XGKf&;f_MGfe#`Mqw%hu127M`_W|g0Pw*b@D?YtA{j<UN*-2jm=!)S!2k<}A
zheD?L@d|*rl?a!^L155aJVYS!N5CLYhW?Zls4G4Jht5FjwW7Zm=u6t|zq%kPF(v05
zh_%v561icCk^pB577`>Jz`CjPQtrARR_{`6(6wn;qX?j?RWU)T9rK97=tcKE$^n1_
zq+P*7lkm!ZM8OJSNPQ%S%mG!Xp~EjRfU8C!`RMelcOB)?VUmX#N&UMa7$FsM?i|82
zl{HMkMukYwDiEe16T?5AXbp#Xrz;^<;{mZrQjL(%GckElrcMSX@<x@A=%?xec$|!(
z)_{Q;U+r4hSY5Xi<9E#zz)05j!o6&QMI1Cjb0;<+z$T+uVX*gOfnMb~sO||!do)q;
zfXfPPw3VaTv^x}BHcY!@sHo@sa3c4|!#7)xc0Vd$i(IY=)yWJxqzw=n@+*BQVnVDZ
zkvN)-&mf-&#KWh0K1otGWUwR<ri{*_Ns0;QsGACd1%|+SPdPao1;%tQh4X~_dpUu$
z$N&M)^zxm7^XQ0hKw};sRNCI*e(F+`Br^%}7=T%A9U*~!7lQzFFieEpB`oXUKvdab
z9(h2*CP3^4u`*BsK|taG3I?)%iCPEv>X*pKlJR<|aW9K2o5BU7R>cFfdyT@MQ|sk8
z@Lv+Jp`7ii!m_ZoXF*h00+MZV^l@Y}wQP!H9>Ahifa%0`{06`>=0PJXn1)7tm>GHG
zJkut1onP4?<i$kNZN|lhec7rBYbY5#1`;W~6eM2wpW<e%0|^r6Q#(n~A(|D021vl7
zw9rNq)aZaBD3SNu2!sMf(h{dEp9uNKR32n`LGj1l9g1=Z(#9v5zH9NZCJ0Sh?Wlx|
z&c~QS7|KxyS7MopY;mm29dO9-booF6@XIF_m|AIM1z(k@RdH1%B9?|(sX(GV<gJjW
zBh-jeVTh(l;sD9L8hmsE4~@Jzk<iAPDzJ?r!Vy$Q;x>!SK*1G>swC)+gc}fb=O88`
z>V<(P5g?-U6reysUkI`waI+z`0^SthrUsp)G6-x|;_wmBMgva)P+dkB02jlu454UL
zH$OC?m{Z|H14!dWlrcu_C~zQXRbu|ql%G`spAV$w^^g!bAghAN3V<sN1{7<K7N~Gx
zpo9tzC<90<fP8}z1%N!D2EZ?a7y)Pnz&Jq6gBl5FF(7}hst~7KAyQ=AmoIO;%K3mV
zfmHC_%W8KGc=~!b=wBNGefAiuH~GWSs#C$A>iggNIZIM9{;$)$zw`c*-t9<Ffq>!9
zEc!>lo@a8Cl)O3VcT4-}&M#8<Xy+dpymQvR+4ftZ&ewOps(Q2RwxVeOPWruD>pMez
z9!ZTL5!&XR_3*v4j*fzLB(OA$NCJ9%keXxsdqRR|7Iy4Xo>0e`C^skE${<xEOhOOu
zc}WOTfimqWVb$Q211-6-p(woG)=QFU021Pkl01X}+7h@aPS;tR@|D?}@@Uze`4>W6
z)%Mkyu?iamyQ^lwF6z?sCGM>O&&I~#xgJ_ITW1M%l2nq+uvIQcmc-de#MqkBuuK67
zk)bRNN&^EeiG|;)*qCI3T}7j)vTcab!ur_ZpRKkyO+c>d3cUHT)#g&zUCg37g1z+E
zT}(CG2(LYt0ksFcl(`wcR&!Amb6qtb=h!FdypC1G(>YkwWgg{R%-)c#Mpr1>)MdVy
z8jQEBYhivM`KZcgS4Gmsz|F31N%i#DrcWECBOFj#VBV8D627PDV-h+LQxFUcu!=Bg
z9jyY~1|BkRjh4GO_5cfjfutw(ZKhhk1tRH5qE#bBL5U#3Fo3^+7*@$>uminVZR2Jd
zGogQ{L&WsrPZ~1~)GY^%e{UM<dE6_Rh+$mle+u-gHEW?}%J+w^R@e58w5@aOpF%-4
zu&z4G2OqHeAB?RZhDJ*;yA`%dFh0uGbulrFcpd#Q4G_hU<SIdt@HvYSHZZ9U9vDIp
z&dU&)zn=L~j?ALq8vyxO!#*%^yTr>S+~;ADf$jx3Wtigk$#2}3wn#9;jcn~_t>Ib)
zm~7Kzc7w5%h3nTCLrGm)X?**iTWEbm{-uqGnisje^{($TW4n~vX7JikU~YOo5eJ^=
zw^?UgBci`w*6OlXid*TtrPf;RXegU$y@fMP>uj55Xk*Nd7Qz!axxQ;sOmzyvK=!C7
zxAdS3q%_eiLRUA@wyln5Z%cVz=Ga$)v*@vLY%RPG^7vTj#0{_I`UmCcB|-eY2@u~)
zy{}8!?fv~O2#YIfmx7&Rm=N8{5#01WqV`c=U6gQ1!P!RyzTV5#7x53KSInI|U=>~x
z7Jx+r9eargl#?^eSdq?>qO?yj43}1L4<m_u?13KEY-xZY-dR?N;WqO|fCNDUVAn+b
z07sh6TXBRl<J4NkjCYOK?ARoZ6ly!OB!v_7OHF^lErhZ)f(f)BFQb4;jEiM>2qqAu
zp)iaAA3z91SE*p&3``KotAJ44js;!9u;eI|ycA9!a<jqz2PX*F0yz(lS%9*~(4rVE
zJ$xffzYhm>fM1+_QbW(Qy;5SHsYh|pGwLrQJ4A0b_B7(`7$JZcVlnaLEZx6hk+2R0
zDm%x>+OP|P5pz^eaL6tmmA(lcSk}saEVZ|HmuqcUy_z0&NO^FrL;X?fT*DAzp}Ly$
zrf=gZ*HXP}VbrKsQv6^9S(g$pqRe=Zb*MXu090Am*ae_>6oRxI7U{)kkl}nm_R1Ey
zmFj#RCKv*x0H+)A3yB3lFg50K(Dg{~Hi&OF)bIV~h8FWcL<qPT1i`%J0D&|j(>6FI
zdIZm+-o9p;R7WbNDcC;I4&l@UWzkjioFK7^jpn(uj^0^(?NH_#RG<YonM5SzP0JqL
z=j?+n(zKSIl!US^(6mmJ>9viMF7uUCNr<;#3uwxD09irc+h`wvDV{o3cI9TDK!H8W
zpcl+izsPFt{DwdV`5*9|G`fgEx%m<BQ?HQsEeZ74^&3?I299e0qz@3-GI)l<@8XC|
z34S4r1HK_uwc?z+;)ePMiW(q4@d}0SrI(TooFNeomN*&`TE&+w2ss}L^y+vWDF$Yg
zf%`yWFGzSG$!?Y~cLs>k7x&#O?EtJ$h6l8>9@{4cK#{_IfZ3$g%cB?gLdy=KBEO!N
z{qeyc3gIBp?iJ5NNBBanUkbH;6!wl4*P{tILa05aE7SPY9*3=5LDaXaPWp*7Dh0i8
zaBm4t7LgoI;bm3{!hVW-;alF!c5LU&dp0HW5oX9PVm4peR`9G5<~Gat-`@(x;lFz*
z;xjX5FuX)8#Q}-dVbH|yF!W+Ym~U|-W*fXo8G%C*OE79;2?XI^sb>NCm-__GPwQqi
zwY?1iYhb}w3?8<u4%o)xOS1o84cT!oyRx@jf7xp;J{uz>48oBl0I3yeA%7=jtOW20
zpq>Fn1>ioe)!7j5Qw^7&Q;3WAakc7k6?N(k%Yp^!z<_##*RZb3EBnyZ*i!aSdCOR7
z2dY3_m(esbB2hm&7RW`iDk8=<Um4=xHbOm-ls|b(-PmBSv?cY(2`9H<hHT!u4Plt;
zvi&lw?75Rf;`s(i=8}O{7}&4cq_5hpfx8mQfP6FSMM0CJU<WQn!%z%)&yEfE?eJIj
z{z8z{BYD$GJ0XZV^g*8b(FQFVbTi`9x9qe*{8|`G7KRb@y%0jijqf;Ug7~J;zcNlj
zTxrOQ!2qCN7zMn~`96~P6VCdn<V2{RK`05Lc*H2>qIj2%3o#rOzDePLuzZkGrm`<m
zX-zT#2@Q@#*48)>ONGD#OoHfRg$aoj43xGHi=oLk$@bHu)x9DoTf`t{RWeOg{6nCg
z=AA4aF3XX=iWY7N0LX;2P%-&LsDv;j401Q|@F4(ka3HEL1AB`)7harF8M`MEUBtDY
z0t)En1`N6BFAq}>97zOvh@4Zuzk5G0Q0+-}3gFAvvT!XUB1!VoY-w992hrLR)2<sr
z5D@HX)5fBFFgKF;7MZ+_IslFnd4X$~MV1B|)s01%(1<leAJ9}m2M<wXU?A~P1ptbo
z04P00lwKSQEa~C`RTmfmHAD|=R9s#6QD;rW(*Z?LEZJX#KWKR(6g-)6czGZYI$`9A
zA>_-A2=n}c6df`CLH&P_OOP()ih%c#7UJ|_42}5+RN&*&nz%E_LI{r`2xwk;^7up_
zbrtuNPXYttLg3sr87ly<gh&L9Dj+N25CE|u5u-eWRSgmdm>v>Tmj1lN*#KBDPHu<P
zkQ@B#s31p|oh$3=>Ife-=UYElQjm-Ml)T_^lrQ_`f2f{w)hdU(LR2H<s0#yiP`~>W
zEBR<wxs;*kGt~#`)><R>veEc0C8JgJN1w_$ei2JQ2+F#*(Tx2DI72bIkI&W6#6N2I
zVsV{;a<6}=Z>$`8gY(uyk|MGkpCm7!`qx9>D#&=59fi$~f#j+U>2NV=b_VYi&kbck
zaSHHgE`%9YgXO10e5TpK`qN}ZQPYnUMKv3%dFuTlJzfilZGd<~c$N|(>hIaCUiyfp
zHf^BGa*Prp+-k6Z-%fz0Yi&24sagYkVgi_(Owg9-PznOw+RO#I(N+S@HFg4=OU}pP
zhGY`Mr9x>ob%}J52SQgkWb=9I0+FOVEY^CZc@(539ZCX`>>=@oB@+u7l*Nz(Ye+nT
zN14yiASzQ7BWxpqC^eV_At*Ru7;qFm0>!|3gANdNOh^h5fU*!2BYqq!^9T%p^-MSq
zNx{HQ3>j__bGPib2|Ham;$2lN1mHE6(360~;3j?a)5PN_L%GxSW6u+~Apr82b#X5q
zs(gr`J4t{7L<m%P8gpej$-j0}wt7lTgtEeo&*Q4Thr$seS$L*f!PmIAhZGrj8v_V=
zDNZW-PYDvdIH9Y7_og=itN?e`LN3i@BFT&ZTAUBY;+z~sdA}{`N$ZLNa6bVxaB)#*
zksuGlgMvEF10w4%J3N(1p#S9NgWro98$}i%4^^7k+QOGz<Sx4|!Kks5DP@DL+`V>&
z&jGXy2*^s>126#+Xl5lf!!+wK6%z<5rP(ljRaR6aO)R{aCIzQEQ{+Np8msX`*?<mE
zWE_Jz#TulgFqIT&>tmyBxjttHL@Ev19fL$j(=VBp2MU5>&`OQXG;BFR6W^-6*sMl?
zL<Ut<y{+zyOkQFSKX`&+?+|y+9LKNsh(3<72hY|ZvCgw-e$|L<1weITzFk;cZ&ntz
zQSF>k%neuJqN8DIsA?e<eL3u555X0T<tq$US;fA05)Ddj>F?Y)=&#M^7vmgaTw{m`
z6bj!Pxp9cnNK1R%{zpY)P!4DcCEhp2_{q-RgT1ElISC|rJG+H9h=4{;lGSnx=3qH1
z%I0kk3V@<2G{S0V9b4)Gfrsk?frVf?0YXgb<_MIVLG91hY;DS#Ag9wHmIG8W<OW4_
zkR1S*DvuICJYRAFXuA*#*4Thl1hD|k3MybPyX`qdhM4zYB!soJk^|u8jWi7Fq?U_Q
zO-if-2I(;zd#OtkfUhdE_cG!&3`BKEfC>o9xJP>c!FL*P+A=I5CYA1y`sDY|%IHy>
z0^)+;if8eloH9G29Y-{`5{0}IE@BsDfLh+gHO7*j=4puPl7!LSB{lP*OkYD#xbG4v
zSZN%wLJr_6E+1VLTLE}g#K5|fDM(u;D23G`i=5$sbVL>f$tF-i*hrv-(VIu5d^!69
z>XO3e`ia}3MqpiNj0=kNg5tuoFfZsBTM*lt!prioRv3~jqfC)yEJ+f|J9I3W{R<^W
zp}@s~Lo5pL(Bg(9Mhr&Fvna(9!4l#^7(zePpvobh)mS17S&IZg=?HL?KdBJPKS)F2
z+x07D9%=BfDeNawGPJ0NZI2C>1saG$Ic1tG3Lt3=#;x$oO;^J)_*V?YqOKW_a=2zJ
z%FLR~t{IHZ1{u=ylNU!6$pLvW@IZ*d4X3E95Cu+>422&C0z@E097^?922+q*2pp7W
z2%4}&$Z5epIoxmU^QhhmnFItZEPHw{<xam-8#%Hi{CA>iKL9#)U>B0C0-2G34)m`d
z>OOcBA=88D=)u@jVDdmu1%-uvW3`wE1c6?G;yfCJ&?1P7qM|2@$Hb;%;|=^eAXZdB
z5zKS}3PUJ~+M^%{JSd_xRAmu69TfmVPel>6G*KI)6GTqVAbtj?A4^k@y))4p=$eSo
z&S)1;1P@BY>5(N(kmd}sq5<|$@D36)Ks44U28*G9X!ZyO=wE<u<?$s<KLFS(@C~^?
z0MUi`7ZJQA<v9Vbu;vV^herxdBM>(X6|&+kD%vkh+Ani%h|mHPJ0)CO8xZp&W5@aj
z*{UIo8Q5hzONLAl3V}YTDy<xtxuC<fwF$<m88`$ZDXFUl1R_Qg4(hsLq}EI~=w^x3
z@TL^N6$~xdCYp#4o6ThgCrC7!VXTyE3ZjDn>OzA7>WDUpox!wDwxOce#4ITiU%J?;
zoYvM*^+8oRv#I^ZO~_DY;Zag*3NOfU%o9Y$&?ebJK$~HB6KtTM22%yo8EDZo(Q&4l
zB=8Bq%mQ#WsivWXjU13E=%6XQkx}IW+is*q(~*Zom#7Yri@^#Z*(-377z=G8FchE!
zXi-i^v{R9-E&PoF+9Y5y-^kFSoQ-I{k)W6KjST%9ONtV3peP*+prGG~px@CX_^Amr
z$`f%wa<d0i45Ru+AVd}oK}9(jjTBu_M%3X!xvrqx2v8Ml2-Hv#+(?J*$j9u_kFC&;
zun!)sVyBE^r;K90#siV#5nd{Ig^Z_&SgGO`DtLv8`4B3!A{fyKhq#18V?rVDArSD8
zh-+hF8Zg+0WMo5+1U@`Mr;Lbc^TaO_3*<nFG9jgVh!hvNfjJ%_OE6Qw7jw|OJn#r$
zy}%=<GKEFPP_9XkH#Eo^u`&js!pEo}en9XgB#RuNC(v>MY5;NpXt;6#X?Su0X;2Xr
zKuJ^;%7J2#s2sFch8EP$OHK>PX^_s{HyANOL9Qr2RxyPECX)tBNt&G(UodB`veTm)
z@nZ?DrPHH?6~3T65>7IV1vVz759DEyPl1L|C(NLNA=-eD*<%D&WsDIi7BEC03VlF!
ze*=N|7C2D;0%j8dmOF%^Qw*ai*Vand2!#p;7ybNRd4iyMJxUMPCxOVXffc9;vKWv`
zB>C|fIL?St46=d8qzQ3crf7K}j}ipL79`OqBSJyw<|PQn^OdrGTbP#?M%2wIzG6fO
zQpB-nS*C5aa}pze<|IZ$3dJDwen~NUHFSY6z)EQbAPhMm!&8X}zEmY3ya57I3&46Z
z<6Wu7yX8d9wc?y?UbzH=rBb9EiUx78LID=@a9_3Vkqv&+5`Qapn5hMb=#p`?K)|k~
zC|f-Sm)9OFkiBQ9;>0Hqnxy#)z&O$VObZ1dc~8Vl0m{*pTfE|6xk!|O#+~X&IZ){W
zbD{SH$@<u)WKI!go@wh$IXTT^qz<@^i379Y$pfj5CldU6)A>1q;&MUHsZiz1oj@Px
z;&U^=>Qy&+$bdJ*$1dVXgaeTZrFa?w93TyCxSSFcmT-O$EmQ%Gd`}3T0G5C=od!?_
z?4ara$C&wCNlP*Cy9=fqSPB#Yu1G|VrL!Kw**e*5XndvskgriD%X*ogZc{d+a@m0?
zYZOw|FjCa|O4L9~*Z7sGbd{}qCV>oTAjYH=LRJd)1%<aR0+JR9JcWauAz-+OSRjHH
z2(8P5QMGVY5U^gvED@p>4rGOc!Zm<zXoc(I)y=5dx!91sQChjR5v-%wxwRazmvW4{
zZhea*SN#Kp93fzn2Usj)F3QO6GcGI2*EW)6#iE&UYMF6trd(Q&$_6J<7=exC7=evR
zcOYVHUr;d?N(?|OL3xl6C)n!*kUGI!8Fr;1u7LH#cVq(<{L6L7!~};R>m(>%AYs;~
z3JTQ0i1DB%P5RW$f|*QMiIl~Q%w;y}wJ|wcqp8v;eLHM*98`TDD19BStrB9>qD0~J
zaG-r1SU!#$8%MsQM3|=0tW#*#TSkdP#?kw9Xp<D$HH#jJ7h};a<IyEB+C45k65QH1
zc=SoOHjhmgM;(i!lSR?MShPusZ5qWkjb*0MyPHDq4uN$=NHS9-6x72NBfS_BGh)Dz
zo>U1Lv0zBf)sC73#WF^+(<Eya1dK*U(lK9=hDzZWsa29HRdf+5iiAqNF;t7N5h{dF
zC1UL=S6Mjdh{8}qlnT&|kR!PXiU&b4Li{EuV2O$mf?|RAOjT4PcCaIK)*dp2!@^s)
zu!bE=7>6mI1P^L^o+KtBA^@==yiowN+Bx&u-@H)+QQD}1uf~}f<{pj+g#ubJyr|1s
zwHY};wa5joJpg7f<sRLPQRu8<k6^<TI|MC5yj`aoEHEHa*Dl^Q0=1@4vW#s&Ohss6
z5G!7gy2Bon3>JaCBBKym6#yb$lg7&vVb~)rg|J1c2ZhshISXKj3A$jY2(V5}5i&QX
z{*>Xr%Kj073DgcH0JV2ua||tkxq)mABfBP2D#wNaE49IZKm!6>KrMJ_KI57Jd3MGH
zD*-GE=80fl&kZOty8JK?SuE@WfWUENAyleWKq^k(Kri!R6>7@F3A7z57|u)q8825z
ziiJ`JVgP;_jsoz^aPu&+#IPA>9g|L2IT2k_DGXSJPljWF)q##BD>^cjF^d|5F;<jO
zjwMQ%#gL&GsP`5q-m9U+Y*ZacV#g&D*#cYuWMwGM3{W&kV#Pe^iv!?qBVeVu%Ndfv
z7`>n(Mk;m;P?J|qXvN(GV!MNeEK!Jy9aOk6LWwwH!H7mGI^qnU7j?mk6=_ozXNp*{
zOLG)(CSt*;HY(5sju52GaVhB1x<ckCQ6~$S>Kz4|jI$e<p=SG7p-Kgc{-vqm6Wfbj
zM?D0bzfwZy^&}I&Qb1INNhJU&mmR7`wGou|)rw8Q{G^HvYE6`?hKy$Pg-T4CYLW>)
zsYS=tDBitNimtY>SCh~c87e;1W9>>%N?$^Zm0T)Pf*v@fB3?G7Av?t=-FT%Ew~A56
z@k%?RYEmSTl_?I@DM67>MO2aiQl!~h4z5N>0;*CG1JtBShp9=l@k%eP)T3$(ePYaM
zQh_#wDM+fNN&<3JB}pYF>PW@iNf&^XB$EB&GR$dGYDoc7Nb-fA0&9+hBNpV@N;a?s
zDH6X_r1+d76$#U%;W~EP-810#Ovk6XW|cQj+V<5roxFl4Z&L}{;e_o+hr47;QAUDx
zbx@yL0@+bn8!H^Xs-TW1&$9Q^aChm3p+0|?&Qpo<jzs$btUs_*hJ31{S5^BA&irep
zVAAs)I+b+DkIXYBiySgfgN8}xgEHJy7>!j21q1^@Xo_3tI0}WFfQ>5T1beXHDmD6#
zu`l$LGj0OB8UpT+;3{x51@LK8KuT4}3k`<=>%edh)eZsS&Olim^pJ3%75vZ=*KPvH
zE-D%T8Cs+u7buf)C|2Mt_HF{mQ$R`yGz6hrfU#US2PIp8vL4(8nYtt>YXkF6L(Ktn
zT4)QQO#yxlz(%UK0U8yk2-_jRRG<_EPYnTiM6Ezav<d>D>rfG)?7&7g%miptKwTF4
zOdN-W1rG3_pg}@o|Ec;|Ek9X;knpfuCW}H26OSoiw}D`^{bmYC_K)4D0|B+{(jx{4
zFj1!l3M{}uLx3Q0IMwhF8Z+FHcye~V8xOT2@ak9$9JydHb!G#I^AH?6*nr?L5E|NI
z1BY_(97L}H!|kan`V%yZVn_%L2GEuK>y^{NW<;;&Rp2>E0t0KnKyS%t4jxj#VD4H2
ziVV`I(B_pxlQgO?*%GNAC57qjEH6%_h3^HSVrwl65!Gl|h=7HJcnDZ1uq9+Xs1)Nv
zZ^Bmx;V8XWOg~kGz%^ko>R3oQiV~qYg<(vE{3n=|gu|G?l^QX5;+e@-6vC>ora$F{
z6TL`NF)i=tAOG=gKlrsz{3vhzg(Xv9XHx7j*4eP)Z}t>iQ($IN>@k&1fwI4_r~hGf
zf3T#V_7wl@DgW418~Y0B{=%_;VMpKCTO~FIbuPmlOR&btb{m0q8-kky8~w1XpKL0d
z+X{I0(<r^PQa~zs+LyM7X&sU?i?`en+xzch+b6txA9s&zPVwvlZywss<IlHv@=e}5
zQ2WM8NIx|ruYKbrFpfB8ayaL{-Zx*jjmOR7a09GsztBze%`1ntgF~7jq-8`jx7rO0
zE!3_fI_g&z)s(IyDj}szu9d`PC`%bp2^yb4D^$=*jPw$%NQ8{ptd+%MQ7eebP?j-i
z61tgXC2=S+lDLehgpMCXBxO?su}LsX6;TNr??Ed5h)Bxh0!L$-R}F}%Tt#t%X>E-w
zsZ{`x%1{XzRREEb^b)SU1g;b$t|H2SNcP$ZRAK^G5nTd%`h@_}DwsBw*b{=2odnjM
z1ljkAABD++V7WjiIUXce9TL?e`<o#&?1a}ILTleNdLhjohO<Yc+)?Vk6nf@p@EyAp
zAo+_n2eD?vs8RV<+rWY+asn(PU_2vb6cYTZf?ttg8!urSIbj=aVH-^zm*rC>(y5Z^
za&lkJ;Tsa1m*rC>(y7UQF?4Kw(J29uHu;7+C33Ft$eC-jmbyto=Ox-Os?oT=Y;Fq$
zcT77Tw*+^tz>brw2<|^d9d*_PfPr9GBWw!|n?@a0*|6#&u)jC6Vb_7141<<wXcxCq
zNJRoR8B(i1B(!5o07VV{W>`~i*i%Osu*Fm2!xaaxy5(?TiZ$3D8O#`B^lUD$7qHOr
zI9z17!t6@AVWpk0J`l49#Fu*w3v1YDyt#&eRm?PR9Wc@(o3Qz<_OShJZo}q9iHG-y
zSbq?-EI){?n0(nb8{9Lp?3A#`z0Aw7(AkIi31-9nt(z&478X;a%q*vTLdtZGg_P+4
zeU#}OVYMb-Ww?^Q%U=(&knsB{0uuWv0xQg<3745j5ng2>;hQN%!zNOMB;xzvnUnxN
zR#`-Q6T?=-@S<MJI1u7_5mznqe=FdwWRHTt3#ZH@mp%?w#`zr7Pmx{3`5effBHD@a
zHxuMhQ9eacW8{t(l)C3as{)Lb-cg010KoV|8U-5;pnR)t2g>Fke5maE<x(%cRIPpT
zuE*aa!u#SEFQ_Hl^XIW=pFIv%N2EtAQF~!y=j2q+pRdxr(2DwmcuO9WMdc1D61^x#
zKJ;G+9?so$>$fkg$bif$*iuvDXRXHsqMi)HUs<sfOs^Xd@<*mvFDUi`#60ud2w@}L
z8ewawt|n4GepQ5oq0oRLikkW51dI<wf%@yxz`7`+5m7}EXo@I=SE7Ny?Ftkvq@y#@
z(zDUq7h;93d81i8(78O&A)aW#%#XXLWVrx(D~W81+;&qVj?a$SZ-Hcr%+zsN2`Ss3
zTbA_}NQ)t<ZY*@S7e;pDlO>T96s5dwQr<hI?vV*EbceAb0%aZ00K|#QQ6h3mBud;w
ziBjT3u&9wJjT6}g&&BY78;j<lxV{lidjb-3*bz=cVku-Xnj%9{5o9rq#gN8i7DE{F
zQ4DgCA**2$8ktHVjA~H~Z~};98k9pCBN7_IqC-+KL@|z6qNv<a3}n<u9<_-B+C>oD
zU>|;rvG?fI+xLN6{ue8M#-(rmoDXdff$fe*;-)!DA-IhV{RZK`pgBA99!x_lK$wO`
zrXi7-F$|2sJET^_bV?JyF_<KV=)y>DGEKk3$+!4wPW-{oLzSZ!FnR+?p6obH7@to-
zay49s1)~)Bk<wk@KdK|J84v>W20%i9{(w*)(M|*VyCi;NQxEXe!~8o*A>r-?Jr>;r
z<AFO*K%z;5%n92L1nixGJ2UR2<XZG!vrsAS!Ua7O*#zT(J4)6Pb5JL2I1{pOxSVdq
z?j{92*gCOsE-d15;<}$(RPxm7rw1w3X>Cp`NNz5v7%8<%pBq%GQMF30EyW69wMG<+
zsvzZcPzRS)lx`<bThP_Okkw;wA<~QrV1x=_6@g3~Fe!m_3ScXFL$kth2rvv%4+bdF
z+DSx_7vXbcf^;5DfWyfc4!0nhV<e0RTfYd!NF)&QVrCvlCK}oJAXNMjEg+f3NTkoa
z^7@osUsn5YsMcp@V5BV0Ov^}j+d~5U(ijtS;^JGu&8ZX^<55eTAmf%rM?gSU;1nR~
zo#@0)&iEm-lfDJ?Uo*YiA7K)A$eb{%XD};@cP>C#IS7e{IXFR4NWExlgyiywWfaxJ
zf@XJ^#n?O&Xm_aD-@9nS>=9E1$?sj7D7gzRT*93Ps?DRyw$-2*T*PVG;AgY$W5#s}
z@WA_ga&Q}2fy!5*J9E&j=pUeJgu2qVITqZ~I<-uXyU>KRp41~}XNz-e?o%_KK!Xfu
zGMKE+Xunc(Q$0m%Zf!_uC;+YHMHVrgg-98R*;$;7?5_GYc2-3jJ1kALbdA%2orPG2
z+p>Cz7^N1&Z8V*`>c>m<9(0PcIoC>J<}nl}<(_w@bSRj_2t+A}LgNsFS5QR>=Gvh3
zFLftkd}tp>nTa3-QT!`Ui8G?$5sFYou@Pua#H~+kVND<mL7^3IWqx8jU@Bm8q0W*?
z5Uo9&&XlP}A~<sxgH$DD2aXELBB4rp)KKi|#c|GJ5CHO2n1gFwZ<*4=0gC31Vj7i-
z%A1N+&>$+YgbI~o5d_I0Bm$9bD`xz}HLZ1!XK6R)BEgj>)Z(XwN6U#x<0%mofh3HF
z@{moCqvmyT&&w)!oIA;qrL(%FjZ<``71GD)RaCtiQhtYNLRgbP2$6C)`WJl;zBLUS
zkc~{n;KtELuyPRawH>rU2sp&j#Dn5NktpbvBuD}kI{Q?8q@XRNr%)wcK$noy%k|`0
zc~+i9H<WA70oEw47Gcp41Mv}rwbkL*1=m^Bmf|jHOf-QSPjzu#h@lK~EPa#@WhNO_
z%&A6JlPlqOjJiyt%XvJ+55?6%cI>h%EQRYkC6}VgDP*Emz96{{BGB9@it0KFB()S;
zir&38(uyZx0d6WPK$e<{O*^KAlWNJQRNP6eG}-cKva0ezDv|{xf@v>gl6@vxl6pxE
zB;*o%Xavf@#2(2zlu%g|7)9BllxVp$RGAg-iWMi+nDR)k<P`Y^?t5^0C_UPqy^dr~
zV^St!5sQ~ey_1}0BJs&k=agEl7Vt|_lH0^e;AsoWWVH0OW?F<TI~IhCW#y-G+$Aj}
zUm+CIGeVJQq+cnFl$Huq<sczR)>4v`goq=sV4#j2u#TrkY{q0pRdPu*ax&U7U>O&9
z<w0;Vj2V;+#s*r$AQ;bhWO_1a86S96AR3Cg1VTX(z(+tLlnA2&E|A>VX_LXd157t4
z8X<<e15x3<_|zS22Acy%!KtqXL@orc0%Kt!I7{d!juXrYZ-kCOufzmpIkf{QC{z~y
z3%Uhr0_VYbAfPBN7!-41C74)1R;Vr%6wdQ+=R@W@tQ-1i>2;Nn1Oh4)0$o!5Rh@Zy
zr@G5Jzj}r}XWdH&LIM#6XTbPL{46jjj4?&v3tzt;C*j@3Rd-~aZx5fVgf}Q`3OQ=e
z3S;wb9Znpo>C9I%!bj!d^pwEl+FX=o1o%G|Ka+%3im52dmcITI?r^@6aOqkdnbwtr
zL6=yn|Eg|Xv(!;!Z^GO6Pqo7004Y8C$Ijtj#j`7!ug^Yj3b+mQx8@%&g;r$C!z&CL
z6(db$)6^LGRl?NbWcI~LlKZpd@Y~8&E$~ks%gM4CsfWm;(wzAo2@6-y0+E1*P-FcD
zDM&F4AV-4!Av5^Qp2b@BDyK2v9jg8d&7|Zqw(KQaGvTOFZ9*Gr9TtIaToYx%nF79Q
z%}%Zj#lci72t`;+O2dGxIjTaHQo#HuKv{FD#fryuQxuwm1JY^Z3Z5eL(Y8$y%`{8N
zWB5vA1ra;dhJkg}Q|c#m{Pkk>d-ala9(DJ4K>e?@%0w`&;(YYH`O653Sm3lNUo?77
z8Hsq$oco_s+T-s6rhH!)2Q##-cPyWIO3o-{(FRP;ZCx)m7uJ;3a+9?vT@iMb&7tKO
zmm2I7(%!ukDpi$mdBz&(Okvh8B_9@;j475!D+;g}FslkYAe6>lV?Ad7UZoJRN1lu#
zN-&8Cf}RMI2M7T~1twVz2+-4B;LyRvdHRk<6rVQ2V_C4n2thNXsae`HCN`&Zja8nf
zHIDgV8$Tq_ZI&UUOyx)#3%tmA1{pVam=2)8P$b!)$@3v-3+Odh1O}#vg(O5iL_<3u
z6!d^>!@@0(3>bK1#|PkwFJ+Do!RVaAh6uPYBKW}Y#f5|@BQMSTN@oaILqK|!gc*pY
z4aOl1gHkQAhU~I)fCRJ6+DV|+C}*WAlsTD&jp=YK%D&ap8^Y%orspOINvitiTCYW&
zB^tew3Dx8QJ=~9XH*!73F64Wil`oKrh)@9+$}SVY*hT8Zg^aN{EU4ebg55pKA5mqX
z;9{VEQcCz5etD5Pt9VEUKo$j2QR@+*-Pn5ytp$}K1|R?kY7PM?rT75?t-uCd7%o!b
zUyZV>3uRmjLj1v3UR|<60cV=%I_Vn49)JuwGgvf=0D@AQ!Q>zVn!dm^6WS0u{KYDb
z<_)keg-abcuWD?j(~HKh3Eeod2~Cn_pB1GE2zq>6N{}IocNEj=Dsl<(_ci8MX<J6s
z<}^tAcrHk;TZp)!L8P3z5fKR>xQs%~Pt_L@fHnV>M>)xf!U~fOyjg>-B1U~2tjU?8
zA-fR}v=lr=oIFIlIZ0s>yp8*)5k2eFmyVa;<&}_NhpAmeO(*JyofVLMOD8o4rd3{V
zSQQm=cBh?Q96}H8V+ym~rBz`e=J|lB#H!P}_r|{!Se?77&*;{*m5ESurK%CRtqA|1
zCJZ~)VE@C;249)S1S83bvH4bBD=?$pVjBV%jdsR!w|ilFGvZW-)@A^+Fa?=_EPMfD
zU<(@nShxbMoY3!x`w^4nM91<FB!*8to_qoTKt1dL^*wC>WfI8Jw>dEYa-D+!_$b#_
zlw{)`@Q~^Nyc{QhD#ED3K6X%Q2ZS*IEec$(0#|SXRZKpr;Cgtlz$^$3+1FTsA5oSo
zbUuKRj2|l$X7oByi6WAWvhdKcyeQ0}+Ki#jQy=wFp?+&E{|chN!mB&*t2*>m%lazW
z`YNov6;DqETOWd`nb4}i^eWA|6>z-@wp|LU-MXQF%7YW-K&#%O!Q4>*_Y@Qd??isU
z(K~Q7-`ram&pqcR8p~^bqT6);%=en)Gw0a(%HTHYNWPNJIC0F4KE{kR;yb3yCvwaH
zxjF#8o19)v5bm^J?lgNXrG8eDr<UWK*~Ff!`8{;Do)z0K0v(5eK6}8CJ>c`4buldy
zuxBzdO@N<<XSQLQt`1_U)Rt>BmSBQpAQH*zo|4DcC68#ulK#E$t-r8W@9Zu6djY22
z!v}9*_Se{1boK*XJ%FK~uvg{mEqQwZmR`dLA7Jpu*jRD)16+N8+D&WR0Q72X0lt`r
zP5Rqho}nzBr6mne);&b(EkXY$@dJ~4?UQ=DdIR+`2AGu*kTrS(<B*~=XD^pe<U}S*
z<-o@9E33ssl0{?{n(96MlNVGyA?OT`LV6klg1-X+Nw}=C35~Ki8KYw#2XJYp!3!2)
z@OOo$ToX}M<``)87q#aXw@NBn5fv@bATRna3>*XaQVk$VPlu5!3nE$&m;V<9I|Kke
z^i?KW3QuvmO7XiX$-623-CahiuNu5VVx|R|C}Kgy<p~IHD3>JuQ7v|{M6S)6X#=@5
z(vFO}h+Oc>Xf7E{65*8AyfT^_hErPZ%50U{O*OkIg)6d|L%S)1yS+e37gYThR7i>u
zE&#L+E^1ADfNM?;0An1g0lGUt0sL_Q8?+N-1LKcclUJHj@s2Z|m7f5W{RYqc0&IOS
z6CbP%Qy;6%OHh>77PpI4uv1tYic*ML%Qrr3+}gknWzT>V3(){t7S76gC}lmhVLjJj
zJ-1;!(703P61!lS4zElN7o>{UB#PH6T3o87Yr|SIx**~a@hq-X0b!&h%Ta1eQDR8l
zU<%1t4n<f9Wm>AmAT8LfS!zH-DnN0m0a+!8JEe#&B>{gVk%ylFY99gBd*8bCYlXj7
zxODMrnQs=kcJXVyy{&UIwXXVhwaT|kT@UoN*k?iF5WhYukUlHydb=d`b@b4i3m2G3
znFwQ(2+ETP@)HO)69^A@6i|whXG1upnao2`)*-EWA*?zfuFfH^kVy0sa`m6d)Hai<
z@grHRjcJlKq=%}gNc08}wN^XUgy&Ifop4*~)o-lDwxd?s)3+0xXweWylwfI5fdxhd
zD7YUMg_9I0u@oy_C{_$mvuL4J!fI<ziq*jtuke#C5R)uClPwg3E+Bg>oO>v6J(VjS
z${dKPu84CevN@D_9LmKGWmtx?`o=P`hBEtxGNr>AWFd^TfVNNs9z}idNdpu_+fLyp
zyem}qgMkC~Po9-h$@5b3SU+dhb`~F|Eo%k#m6sd@&>}A|qH}s6udM|+zzxd!OuQBM
zdL6GcNlZ6{!doT-LUs8}1ZGMhDv9Sp7J8|wIA(Eh=zxSv4oN=e%@WKwU)MZ#$!$F5
z7MyYQijeL@UnQf;fC=MY40yJ$@HZ$9hBf_VNFcR!0n!b7>Efi&??F(92sQ2+qah9k
zHSPzY4yLW+HM#Pt5kG?7*n6PutkFhbYK#Kfs^u0vwOxSMDY31zu5)91z_1GTta!H_
zt7>Au^mC#T3e77%q=*KoBN6u6q?M~n#73@~pmKl|MI|wzwo<oGN?7(9NpJkusq(c8
zd2eM9mEefkN0dCEB{}OiN<^82ilQA#Yuc8`)y(-o8c@*&hdOiDy0G-ir#%r>wx*V`
zG$d0=>f~c-lRzyssf0!+wsM@+oklyRof=d!P!UbN12jI7jzzIv+O{alM8Ee?Y`^gW
z|GMo%w*?gy(!;xsh+Be)1!@tjR#B`r6vuLF^*3QW1vDM{0X?Us;na|ldW1Xj5>G+o
zBy}EMsy6_s33>rIktT%H(4VG+_%JtPBz04lBZQ!+Z6d>Hz$}BEqQn#B28Lju*q3>0
z9hg;Qr3A1fg1VAx0M#v62(b@{nG#XMm&$+ja>}3Ru$o5xQ6N!qaonf;MrN6+lHFph
zB^=pOeHCQ^+!meOw^0_|^U|N&h-n#ejZdETDp55*AEe0C-ZJlSOaPs(_s``^91JVA
zqHy(cJSP5iaRy!eoR@bnDI;5NHgT3fWzQ3m<*o`tiAUMQO$X2gDFs02!Oq>QrjK*C
znXIG7bV*3=n<;3DK~|cV3c=7HOzIk`cUVed*VdWzx6>xFROYOmO6ZKDHiT;XQ)@tl
z2<j0lElzb?omNm{lIz6f(dsk|xQUpT6&b5I<5&tuMH=dVLM2+zfD$c10hbZkX>n})
zpg`j<NeFMTXoL?#jPwGzhsS7w5(Ghn#d{`dYxD{5N*3`la#vsmJc<q<DtCl!+;?pQ
zGRBRfWu~%xjI<<KC9bqxi5OS^7-<@Wh!(T*vQd(Tp&QTx*MaJ!AYxyKMjCxVM(Dae
z#fOPPfFElzEK6~N4Kqu|qmo5JoRo8tMD2JFf?>}x!ChuZvB?%gYlT|fb<@<ZyoRZL
z|4D6&;TI1-uPkpOSr>k8K3AQ5-B|rqK!ts9ESfdu6rmW&L}3V}mtkAhZW(%s)}*jA
zU?C@)rRUHEY5;`Z37|$WOW#C_UvPt{P?iG)7-q7-M6ulVmXw(+^gC`ANb|i?MhDDZ
zQ3zDyvJLK_H1-5z#p4_KxdxfIcKm^)k$bRq5$xGheO{aiGi^ep75gFpDbL-=PRCk;
zJpnlkjbsRVwy4-csjT{wP?|s=++)tB1y)0b@fJgrPk9Qbix8O#{N^D05FSY~Q$!m*
zi;#;Cd6I9U<e67eO!6)$-8@W??QcHG42Cai$qo)Rd*Zy1(sI&6VFE_zIU)E;e3Bn;
z%#!O@l-X8tDWB;xO6GedKtpcKspHIgMS0rGI#hG{B&mFnbF&126F@Qs{RRjJmh3q$
z0C?oGxCaJVR*n;*pnECf0O5wk9i_6eQj$pEn^*&adr=zS@mU~5mE#HxAf=Z$^y{c1
zoojJUtCpBG8JSB}3cCUtrn7<o6G*`d14$tlV*tSsGa7*vqb^|!BL<Ba!5qYT0B&jk
zm1u$yqX>|JNU~@^B3yJJ3@_j#j#}&>gDpT29xf^fvK9vj<P@X`$P`5g6pA83EX6!R
z31Yqh7X@9y7h;(~7Sfzfv?%2Y+AhPO83E7*P;>&&Isx$=0AC!1V3A8g<XjbObY7i=
z+C{-u;-I{P#2qDjnLs8CqX~mD1VOR_AkEPbY=DR~WE>c$2L>s@L4m+fZLlaaCJGJm
z1qR^3L4oKNc<(LXM%bO8kJ4ho76jsi3JDwpIFe1UCW$S95%P3G4TRW)M9Ex)FNsG4
zIFKj^%PiYVtUx@Q;R<p=p%EfTK?O2cVG3eI!2qER;E0(8aDkx<V1}s!FpAL{KmutW
zU>Hfa=nzamkOO>%&;c?#L;<`!bOBg7d;+j%xByN>`!FLw&9DOa#*hk;p5O`s+@qmY
zqccDYT!l~saKdl^n9Pt1A+`WqOS$}A;dy`qqO*Vp#9wm)6AH`#V3B>=1)?e-15l&5
z2Qasg23WYz1qiQj1Zbqt0&Ua)n>}X$3Hj!9E70>{m?S!8G|OS*2|s~iR0*|nNr^Vq
z#Q08=ZD%H(Pbop8vKxStaAl^M=3--42@M$};;s{Sza+%-B@N<9$(u>K1HxqV@<Uq^
zaH!&&i4)T#7qmAyCk#hZb=Ne=OV)PSq{nS3yIeYCyO?&Xl408PpF?>vYKR@CRG1e4
zli?pzYLjVEyORM`McRlMXaLNbm;pL%AOyJ+Km#((0BB1L0^ciu1r)VF6cRD`&P(|e
zd3-^jT@Ym+8L57A&}0@Aqhsvr7lE9JzA$Gr_Br+eigP2nrNV_&$$=>Z=ca8UBHP#D
zl`TI4DKB{saHX9uI`>mc&+(d3kYvX?u8>0|A+r{%Z>}BFf(N?EVUwc~2%T0+|56B#
z7(_voC4hy-Ja||CWVPCJoI7nE?hsCEivuZC$tqdF8?g4hMaYyAL`eu)S3Z<X<!Xl|
zl<}f37|3N@#|jjzF1%lka12x&$b%GZ$h7VUr+ZkA5)pN!jDR4svR5GWVmLU|PHMs_
z%ny!PFtHr6GC(nJn&85dhiQ`&!#X-iNMV1^VyQxhHiKT31(<_Z)Jipdb@ORP#t5Lu
z!oqNcsVZnLuU#r=E-3h^pt!cOrh?+F3YrUxiz;X?FF2VZ@k7Ch6}5|Pj7atJFBHup
zyikZo9JESY0{O^-Mu@Z~Y(6EN(t&d@gyN)L3|hEMwj!AAGS_INUl_|=TI?Z~hV<|N
zb2E<6=FmeEv*O{U;`zf?$F5|&bbZonx<=cCg~be68Ip#pUI@lU!3o4-BQ&qpj9GQ`
zh?Sv;fO;5+HQ|VXEGZC5g(4duq(QtCh-o1Rg@go%bpVkA3gnJ_262IAxG``;!yF3R
zkppfVV{#vZSMWF()6Ix!I^Ch+jL5A)NNRu6L*Z&+VI040f+R(v`dSNh??jS9bq&Z1
zT0v5Zv<1p40xhD{wvj-G?cGtj@t`3`(H_<FiRNJrIpB3GlpwCF=gudJPn=IN9~Jc?
z7_ZB)>+8Z9jx~t~fb(G+^#;bfATUFkI>~1w&=F4rTIb#(g*tI^@O0E?S8=*o#L?!C
z#b%?I&&uQ3h$L*d1GE88l>jAM%$dgo&O;C1U{cSej@yH+C8yadjJfXE!^l<@zqF~$
zt>m~zXomgT17V1c_8f_wbga0c(n8l+ovCvX<DRp0rB%4$iQQ>=!59hdb=bR!9vxD{
ztaxxLlp^KqY)riIVoYsG0}j#Qj<qB`Edh^#duh<=V-=I2CvdQdIP*C3k<l($G3hVe
z%XG%cD(E#tfCpo`TN)1O!#g_6dXbf4hIV}I6;C{hP!uvfeE|jHRec$%zO-I0parV?
zq?+>z79{KNMcSQvC5fUIh_};TK%^9CC0D^fWQ%8t#3C@nB9O^^UWok!G{Y1}%mIHM
zCl;who1#%HXq0(0N-&xw5dAcyHMGo>0%9hVf)EFa69F^fh0gGWwActm0&D~%H8uha
zUrm657!zP1p-C_o>M1Z6>j47_*!g;rT6|jI!hX0gy-)vHa}~$^zBA8HpD8v^4IvmB
z)qS5lQjhidB$D$v@O=B9be}%J8x;Rb(3XuoA58V0jK+Isw=+H=Nn&W$d%iQnJ<ZJV
zXQFYQO!f*h%FlPEeP^~gpKSEJGtHhi<{Vk(d?Uk&;~r(~@}gz-ct06dd8RV9cvqQY
zJSGgX&mpEz&ju4Hv%FE1nAyx_D;vEGwT-prTVrF{l-S*v%62v%EFd#x?~fTnMq?<v
zfKHt+0Xks_Pt<6os?=++R9LfSVO$>jXwVc7SnZ3V^qP2ybxh7H0U0|W)-a6JKu7$y
z*yr1#j-we#8jR7qHR$8am*_Ov^l7~aWbvlpfg~b`N!2iikOQ5oKI2@?|GasgXv}Fh
zyCOiwvUtZP9@5z%W+?u^G3|80g=(spN>^?gaA)M9(91YH+LGW^6kI8MRLWb3lWF?L
z&O(C6$7YA>5-uO$08aQlD;ofzrm0d8>?7`M<h@r(fEhB(-`&7mp(ags4AACKdBmw>
z*jh^%%y)tVpPey}GY?*nm60nh%bz52l_@`cm@sSvUnzDju|m}w-`|A_l_Q`}Ql>_w
zTw{vX2Ze0Ip}>2C|2xlUqEuHVa4p~Vg&+)RT>g7@07XE$zp_6fL*RL}aIwNa*1Rx`
zrjE@y=D&<6AfPLPpxO<>Vk8RvHyd5+cov*K$0FG|!2=Wx#yqwhSV*^@SF~w`shgTO
z3B|u$N~La31;|pxOU82ov|&QtEp4t(>X|wUOG2Tf*m2_R!pSo(I$%|TY!x0L#_<hv
zJS*>AXe1z}MOYv`{-~nbZO)BEWh)=!r`1kMm`|^T&j^VDp?%)VmGwr$_<qGjgQPup
z9f)gVpvzUrscbfsk7Xxqy&HNAN}~20Lu_8(rkYmtGa%ao$X-TLH088jb9f0ktYhdh
zp>kD#l<aXJe@01F#n|fTTz?Br0<t3Ov!uG6V)E{*PFj=o0GAQy`V@>|w}l|Ja*@G*
zDIBssP%?(3T3Bu&rh$?Na_U&ijT4j(>3Di|5iX^y1=Onpho>2ED=wi?7f|W)Pyp=!
zY%MoL2^L*lWriVjb=!6A1WT$L#g(*;-&#wSS7>%d{UtbHF0sof!w)u8WqY!qH)4Wu
zE?b;FIdx&&B!1&6f<h?Ww#I{}LsvR!AsZGIyD}^gWyGc^us%T}5=bN>h0*K_5(dzu
ziF8n76%@ClIStmYfN)*tSINJYROR+vRQH!;I?2=y-+cEL-dgJSqB(-&6WQI8ask;V
z-E||Z4kx*)?32WA4RJNtuCIQB=3P?g2U$Pw&4KrvaO0;FIsyDUHP8=nf3vP$TI}n!
z->mj0ARpZDhcz5Za7DpaC7(X)1Co#XK#1IC{q81ntB)Rr?3dj=HRw=%w;_BtQaz!@
zt~z;J!yI>UBUcqFAYTe`{rv8MJt4%m8qI2_y-LB)E`GT3DA<i$7^;Wwh|debNV~XH
zQH0TdAK5_w^1$+pI5bBF7=h67aP_)MyIY`B>GlVX2QDqRF52Ce<)`14dVTps)eR3u
z^D(KX--dR5!G_H+<E`4|Aj47Em(%L|G-*$Q%62ld!VECx3@|gZfk^VYlat46Qzfb#
zjMo+a<fSAT$z{N2LqO)O9yzNp%Qf_N$vQXUkjmCjT^{Dm$DM>+oXSC!q>%-`-PT@4
zk+Oqv?YN-B4sc<C*YLp3(*%Wx4ZPfJ_hb8bv{9nWIWfhaEH5@O{4fQ4JhirzWg8h-
zRNQO?W7~7JrGO@cx0#~t4%@&F?DuO6JK4a`Cc`l{z>8Vf6={QEnq=H2;%mq7$Hpfy
zrMKV1E*p{jFaXbI@WN9on9|1!IoQ<Oz(DWeyzk+lMsl$p4-37t!H2Zfhd1!nZM*`J
z{4<Mbf@yadpTlEV3~hs7-@_BH;jeY@7(vhzSe3(;o&)KI6&l3LlbwdmVlVz;0EG3H
z0sy*t7@6A}nL^4Kz(Lt#0>m!NxbT|ia>59NsKb)l+CgIL=RPquim@Xun}PW=oL>$i
z;Qk^cDDR<0-Tj&JK24eM#)~_e)ZU!pHp0znXg+Z#aBRMBiwNwoe|S`gN(D`Y_=P<A
z#oKDj8HzHIjdY7$(#v-VgjP0LI$(uno-zH2)|Iy*x0(A$V|OutAc$Nj9Wy%X9VZN!
zOsOyM%^8i6A*ooC8M(n%Z28^mu=S)Hj)tkUShwz==o)(R++#qdRg+xQ*IkEA%3<a!
z31x#!UQuHU5Nvy5S$fuJospx=vuAUASbAry$U$@`Rw0w8<}#Ba9m;;%12DIi8Ei&a
zD?iHzySBgrz-~ZhuyTtB3^f9u_H&jcfef%JR+;2Y9vL%%4O7YSJ?JwCCY=kE)OLQ(
zP}|5@#-M7Q@`C$9fo*jve&Fya37pOpe9Vu?vZqD?Q?@;s=V~)Mlf1NReU^iAn$-V5
zOr7QqQ?RogM&44<eq}7=PFgz$%VehPyDQfyFDWH`Dr3J2kb<!Jh5{eEk|Sd$Fv&77
z{2@tjwRYQN<hYrPrPkGKjMTJDCA8o>VqwdJnF{uO1S9f=Uj)u>c;m^(Xk%DcXdkGN
zmEc>ZJ1p-F`*cb`xF-~X3PgsQ+Im=JiG{tyctl!sTxcec-LVd|Bq<e5#vQy_^gx_-
zC$)7v%ZF$OLwT|WyFyqC!4=M84%6bc2Wk)G(bB^}QVM1uom`}4V-_I*tlV-c#t3i`
zyATfvv<#2Ii|k~idqGM^g-J;DhbbP=kaV}yxFe<C11BXd-Qt$u%2GXr1Vn~4A(OI!
zl9u-x7z4pdhVsCkH*0>zC_}{u>KW(7kE<S>;LGunKV0xn0mc?m<k3v@A>g_H<u_MG
zH%)Y&lpm5lY<leALEcVT9m$Fs@f<vyT`j@H_Z;W})4XnUIZLF~%c*_RxyNoD-W`s)
z$=6h-T=c@`T=uN!InKL@$%`Bboi{0ox(5CYAI*~+#x>1zCyYD1y@6e5y)#lq{7tMU
ze1__c1WiVb+#B#T;x~qCjLkWfb1DX4Oz)E5CKOJDo;Ack1d3=z%K}Li><P9gOU_P8
zz@2!cyd>)EBWw_y;XTBPM2)P5^4OfhG(;cBN(nkv&(-Eaq(j>lbKJMNZba;j0SO{D
z1Yk?7t}zutA%l~Hio@`aup2>b?aoNgQtPp;=-{EAF_saDA+!cK#&rvmvPYdIw3iO?
zvICaJhXiY1`x0z7V?wq!GxkQUAH+t}>tl4Zpe=}7mcRsK<6Ao=(DB6BFR9l>zC)?a
zj=;F8<Nr$MNOc(_1fQ|T9tc+*K^?{s+Z)NO!c=+w8p=bB8A@v^vGa41%vxu1E@QJ8
z23FNt!D#9<v~W(8feA@yRgIXCl~~{C@~moat}58Q7~HmL?JlIanRE%)J97&@3?Lb@
z9Ar2^W+1;IEy7!bNec!N1ShCp!6act!5aa01FZ%y2p9@D7?2S_Enqr8+JJN@yaP<&
zTb9jue13rQ0?q<l4JZgNp}y+;tNnkSevPI+Xc6r%t7W3x6(U#}iEmM)O4nJKkxFV-
zqf3j|H@W@?_?M%`1J5Ptmc1HgAPDip?T4I{Tk)yjrk9Sq=-O5()K94&Yn=l76ZX5;
zE2qC}MaZsI7M169%IPcE_d~w;dlU6#-5n0d!8&Tu^$rfbI8N}*qsu0KRA~C3UkwyH
z7Nf&Zr`!M*`-jR3RSPI~1qy~OaTgrG+y$vVEc50)3{pubbrmXx18G4X=WNcyWM{5B
z!M$e5TY5~dDq`GUXI-8)8r*wp&AYc!++u5tBDRR!J7Z+=L@&1T*)y~*q8&@L;plVF
zQ=^WldXMYfpr*3=OK8&2>8EE=Jm7LSXF|+^YxslBoB+~n;o|0FonB6PB{H$g`<;eY
z+{PuGTSENHxi0KqO85(tH^Q+vn@Na<M6wo5#fYNO#+jjvI<R2C<dgFxT77}B#}ZeM
zlb{ytv<>WRGY7Qek9BHC9ITcWTU*H3M)0=*l-3Mok%7nl3Ngp+N=KOVuNC(elojT9
zu@=CKAj~>RG=_<GMiG%SgNIdc;V7pZGCSENEY%I0fLdEaWSn;axC$}H24?bxTU>NC
zQMK%XXzEmP#4~vVXrma}M<n5<hQ@7tfpUBD&AS7N<AB)B=Ej&w>xOV-oQ=RFi*3f6
zR-|*S4p!zv%4at)rgLu?f-N<Pv~p;04M+|F@tbg&ef@#fnUv4a@n7?@I1xn-2Jh7X
zGn{gqYfo@Mb#=-!TD-G><t@cSVxAe4sm0|<28Uv&g{DD`51;CkF`@G47Btd?QuVnj
z`j=KApve6XJzg^1^nAB{&Xax=X@TH8%Ua6Z)Hh!mhX;Y`*oGB^t!TKd9SRP<%Qj1s
z%aa&V0>*d)<lv=k@fKOcRRp?<ailnuQ77>tazFq&Gqri5uM`Jr_61*JM316ku+!IS
zwpLXN7B=PTD;hd>tbA3}CM4B*1yP3X)qe`U4PCk0io4AnxrPd!h~2916$X(zR67-M
zje8V475FE@#q5gKMAw+1Fsw*t;bT!13WME>ZwkFa{Y#@2QJ~K(m24}3j-~7h)I_@k
z-V!u>^-8u1%>4S4AQd<KdX~H^uIliyPKt#5-BS4lLIEODh=RRhVj@i<e*B$TT}5=e
z-AlR+GWR-`BpVsm@G*r3?Daekpy+G%|EoTb-%aOHJOJAL&r<z^L@SP^c*AS>QRuj7
z?_JfMSZ~sUsZzJ7GyNx&H-k0RF3dLNHPxLsZtgd$E0Eo!Z&ay()W$2ST-azo71W|g
zYvl>xVl@pK;X18_H?EJpN^}jXg{Ty+VAa#-Rleb=d)HK^K-}Zcfs80Wr0vqRK+yr$
zrqeiS+U3(~%XpCE(x8BA>b=vL@NVob=`xsMyjAX*NU+(^RbW?mUMlYvzOkj=27U(Q
zufT~wUEqFV*M#?0{re(V5hM%r4%Jil<^C#gHy|*T4h7f)Rs&T75dt%#_#jlNbRhow
z6Icz~y%hL^`q;(K_#N02q4xr%0;&QAVifJp0f>Q)fg_%9DDXGuokYzY@&ycH3-AW0
zr7!}o&U#mb7cdGHD_8|U9Q3an?%}^moPTp>-6|~o1pAnk@B7|1@EVKVbH2-bwgOLA
z6shO-@YAJTkD~F9O02Wq40=>0>xTMThJIczt2l`d%$L)<DJM$9{)LcpzE6jGR<ZYF
zZ~6uFbZ@6GkE$a--cLYd9XW^n0gC@^9?}YQ%8z~L6aI}o9SL;Ho9Sd8&CAn7A4Um&
z@CbiS9_<Kp%83131OH~8ssXxX5XYJan~O-En4hJJkDLyl2s+VyEM*-y8$Nh*qWaUX
zu3&HLuhB?1Os5|!VAktLF0gL8XZ3go{c!qA0_l`ecO(mgoSvSa0+*HuHVg;njrLWQ
z88{a{?)DM|(<rC){sH}V`hD-yENkp*xAvFolebK^pRrD#*QcmHoifC}zB&JEJmOzT
z*pVTgcz<Jlh`031JLL=(9OC1e`zojx3=4;a-Z)p)nMkzV@4dfOJGy0^{Y38m#`xyG
z%B5}00^9wr`l-kLoB9Fc>CAJ4Llgia{i9;(&9m$m2lgZAM{lNAR|uvk7~%WNx6>?F
zgi{m@4PMXfbjwxx5?cP_y?EK_lnCJz#Dg7gTy}aT9Ct_^kD0Fc&$F;pIG8vA*P<94
zIc49MW1~3VX!U=uUYIA<gq`*W3IK9x!+ltD?}>O>LZ?g<>cVbYMfckeuWFqVhJRqy
zKd#*{zN|m#DFr|13+OFFqElDxPKWl_jtTW)?@2xAen+fuytlikb1(Ac#~I~e$3HkF
zer4S0r1VQJ>I=#I%kazIN*?Y3r2MaWeMsn*E!5Q?^K9iIAEIAZQKWy%rwoPUp-_VW
zgKCc|$h{JW9a9m1Kkj9*dL;!qj<Ekf?oLp8C4Tjh!Thh>iy(AMPwJ(C`4{l+yv~Um
zny~-!t#Ubk(JikIn*YFgIlkzY8Pqm?`LS~id(kK}sABi>4|5oM(J1NG0Pmqv{bNr5
zE4(w$J0A+}8Jmg2GI`iWgggAE{M1-jFJVw0JLt^2Z5v%nskb+w*G5izc+R>N?8BPf
zj`VyrSXZA8?!KTlu+4R{@WX-E(|T<P9DQ3}OOK|y+6OrL&~<+==$5;-h`-yOzP0@l
z^ER*Ry?0T4cSNenn6K)&>K!ZSl|YaMU)C9^3a_G6;3|5rsK2d!S4636(n>zO+)2s$
zCGq84C;0ede4nCKYcGj6#rcgTH$<s+R~m0_WT;bgN^;98OYsk5BTLaMi<DlMjan_@
zPKignp}J3xv{ol0{SuKGU8nj2^vW(h(Jgl@sP{y$?7zdk3*yT4JJFF#EHv*%d|5-o
zy$cV@_{C=*_2oZtS;;;!-LYA-hq+bfJ*^XTr02DwZaCs7wW;h+VzMVYWsGD0wJR@-
zSi&tx9rgArI{o~vELL1s{J#uW`%$IgOy|WT6>R55YdK*?y^gZzs%zNkE{dkQ7B`ju
zip)y!lw~o>fVpzg$@D9SEksYDVR?Uqx)k}!4Uy<qTPcB#DoR;i++wPt1k1O_(uJqG
zK#}Om<8~WpP>E%(fHsyYKk>Q&BhiyJ(g2S_$u80ebStv%0Ea@juB8ZcE@JFxheC-i
znaFsUg*SHN`V~668XwTFE2bg+3Pjyk4(M2@s}|sQPt9FF8_=QaxkmIXF6e;Xg^t}z
z8PKt-z9Tvn{d9z9LY{7?jOb8h&>+r*eO&^H=v5`!aXkz2x&af=pbgRpj&-74_7Tpn
z8>_(_>wvng56+<N(eQ3{c3m>t`gM<8d|H$`gx6z%xz{yy))$>X%dwkNXJ3uifKGLI
z-4R*}I)nFBp*hqIx&T@i9YTwsuugRv-F5`$T9wcsPIXt^Guji{lzea>wnJ<LAEha~
zgde6$OrRg6sY|pMk1furFbmS_rNK+J44Pt4FkK9qb`PW)a+5Veuw3c`)v<x+Sv6Eb
zm6HF-R_#yW2<l>2Ks@RYRrG=7R|p~LrOP_qYK&lc)zwwPrDOsKs=`2WJCnBa-9kL-
zomC5fax;^$t!X;SDua}j2U0euL<5kWOgrmK<m&^fFaYOJ0;q9M{1l{c|KHJVwEy6A
z!|DH_DTq`5F?iTB#M5s_iC}70QPN7GI#yBk)qJS}UfB}IbcgRqqEu3sY1MwJB}>Ta
zO{?yf>~(U@u}g9?=jQk2rQWh|j+6ntWaI<>Z11L(rT@95A%D%9l-HO1LVFgCr4c|t
z^L)3noloz3Y)2$z`<W%HckgMMD~&IG#V^mkSzI$$IeX?wLEd>~txZa0=cr}7^UEvN
zYUeK;H7<L8An-t|@l_py$_j7qPee<cyZ1!5P5EWv&E!k3gGvx<?{P#o9$k83Q1efF
zjL_F9bnnS)dUDH7n_Nq$cgvmAmS3FT{JL~pq0W4=@TR?z%ZhmQDp9<2tTuz^?{uBk
zOP>bI`p=EjLr2WHcf7m|xpPmN9?OqY%Ur{Z*FzAZTsneKE*!F@ri_?zJI-{IhZ8Uv
zf|m|GUhCn@DXMQGTsq=Vz8tczrj8Qf{}QM0<(GjqL5B@9pF@}Mx(-`iHQ&sc!1<O^
zFWk|F?p4CgqRWsfzh;h?a;X6{D7%$t6JeHesT(!(Un<e2fz|S>vTb%=X;f623DwH9
zxv+Y<R8*UytCd&tT8g<;<20N_EUyZhn=Gqi1WF=R%PnGPPOe#4(`#zwmxVX(o>@cl
zKs55oKusOf%PJ~p2A)|+GgLJ4%A=bMr<PcR*bO|kb0#I|<*-SZ+oP7xjKF0awh@yW
z)N<MQn4qJU#r(wO9JXO*G-KtkjG4oamcaI6t}a^z37kl|Y-~)!May7KGNBhOk%^6H
zxojk6b0X!jEt!Rjmdf<X^jx+969FiBY+WWb;pDQLF_{k~h?K@;JeCjBDG>5mhnOY9
z$!2n8DjrJ|S(u1<EdESr!O3SbWL6GK6N#F5IV=mNB2aQz+?d#dlEA8969*-Lq{@sO
zmN1hCs5vZN%*DaUX98!U4od~8fJ7XYLgoV-<gi?s1aFeS{$Y8(OBd4%?ebXHnN4q!
z!FFJ+zDo;PiZ=Ny45lkv<gl|aPj8aSoW^5(mMJDwTjaCTF@WDChB=Ye`7Gj03L50I
z5ilKVlEA)YU9L+sGZfajEcVRywaH*|Vvg4(fb>ptT#BWLrnAVPY)>ORk}zUondDw9
zNlQGLNQefr$z`G?fu2m}h&?mOn#4&3o;w5LB&>1R2E+@P<FL9VL5@2caXhSX+36C(
z#~qCrnzlIXDv8Epj>eQmQI0zkq618E**}QNF~?voAVS9-ft*DxemeqjEK70ONQq-D
z$7Qrea@=-Wq9RLi*a?ZFTaM2hPcqzg6QTjjaoHn?TC2xo&LBRo9fi1y0=#xfVrrG+
zu|X5suN{dvn`L<H7sS}B$7JdyHC{U#F$tx3>}SN2E5~KJAZV{0lBkS@c<fq4_N&KY
zJ|xLrI~EZvYVp}2h}~C?z}6vHryYPCK+R4&8j%x4IIL>K2UOy)c!*mm#bUl7Jf{_n
z>`fw^R#YN+RN}D}i6c{r!a^lcJ}Vb{{E6{cUx}qpipmr~)jlgIF)WF3S-OZ1rNv<8
zAQ>(zD{%*exU5vft)<0aDH7C|6@jEga$Hs}_svq`vS|>?mlc)BjD)zX3}R`L;<CDl
zGe?Ta>_W;sRx_e1k>avb5`>Qxfy_e!JXQ}8Hqhd-trK*I6_}`jq&TdY#3T^nvb7S{
zhZTkxjU#xh4kCFQ#bW{?Zf_Nhj73?zR%GHUP2#Z6hy^!_$(&4SyjBEJ17`7AwG&Qn
z6`I(KQ+TXtM6H{}Vw)4h&MP`11O{<gSBYISio(Vq_|7X1#nB4?FNn)y6GSRPR$M?t
zAt5N>^4;FyF16=Vtl=un;{n}RmbUQP>iUkQJQ+H^qp6Poj;qAGZw5}UyeN3jc2F#-
zuM%#y#G%u{=U3did%$z0UHr={-Oq@Y4dtEPV3%O>y6sFvlU{e7XNhP}Cl1$yN>=lB
z=^zz1o=aU8f=adHP1VjmNbue>gpgI|e9jf^JQ<APU31ORoGYt%06Gp1MGqV9+XAZB
zix*V^%$4O4)ks!g@s{dV6&>CaU6O@*ULoBQg1Z-!Cr*W55?I;evXHAu<pti*R#5WP
z=-?G@yji*<g+-^02Up!HgT=F}o}93GQ*^NoYp*M=rXf-J;FRq$O;!h%*JUBfQt$$F
z848<^Cr++<b(_Ey+G6O&Jfj)HPHp92XA0CFGK}F`<IH)SIm$fV8N*<d&;(?m4TQr$
zDV2CDR%xI!g+XSWLpWqqG|rjAqehwII90~dpkE5m8V#lJsKnAnUkcjV2}SU%(W8vK
z6}B{%mx84&E9Ky<$)nws{h3~9Br?CChIW9Fcq$~cCCkC;6`(F&3d@>k3&B~dP3tlc
ztFfhVo`6(H(!5>@m>L5GV5lLWC6tcyElnt_*g~LNNoiO;2ih5m!BH)u%&ZlYw865b
z3dmYdSu+K24K_-_Sp!VjSSmcwRLR?%)JB#jTtQU5rukSZM6@DVT-&;>6@_4_381X3
z6{9rB6@t4ai!!iREYqZ%6|Xc0iNRf~N;@a1sFpg@X=c0%xEgMgf~Ho3*%&>NG|!QO
zr;9%m*=0NU(ZI_q@%Q0nkr-BH(?UiHj;%k)!Bb(Ot(E*4WYAnj3c1=E*>izj4Gg4U
zEcK`3EAjWmpuCI)N7^U|z*#Ft$r`H4TS3NIEu6Ftvik*wtrSFHDQisgHjs7p(uPI?
z{hA6yU@m>6k(@9UN@(&URM#TVLL&pSW|HzS7P!)sMgr&>Ey%!;HqhZC0c))dtjIv8
z#)6wNa47>o_<RLhv{^Gv0;^gOjEA6E6Hkcv3pr^i9|2qjf@t^(Av7^r<AGGRnX&K`
z;Axs40ccG$W8f`ipnN_8knIizKp{KC(a6cb1!t4yJ_3S`2DVxg?V4@J-l%L;r1AHu
zB+wc@s$@xMP9J*wiVi{dulSf3jlD+(hq1Tz!qA2`^;tBRjlDruf_pDNSL;cGGCx(L
zKuw(AsU*^rHuc=Jrm}PTpmi2!8+z<CCL4N=Ede8MUG|Pqx2uJs)NSe_w9E~?bnP8u
zZ&1TQaNE>W(7rbHoHT!py>G20qi<64Ku~S#a#+h$pX!2(Ei|f&f@@K-NoE&+Zfhrs
zx?Z88%+k7VQbNnBx*u0fWX)0A)OcAc7kac-5@POJ>cJ3Q`kF$s+Aig)#Pk4F$K7(Q
zr3<>u|Foi5yOo7w%w5Fztk_ihhsX(}5rVQ#S-Q(2wT@IYnytd@1Jf+;0a%;rSVF0<
zShD`*7j=g2633^?l3mlAj^0D>VHq?r_9cY)$}&;+!w^X>-e3^m7z5e_0W<;twE*0A
zLtOr|{0t@6;~|BBH!?k7IOkL~c{#+)3*teeye6nxoc{Flcd^}oqF2A0o$JY+4y(s#
zETMvfuh1QL=}CRBB>tqb{wQ$Z5wQIxk7UPFC%?-FrmnT)FS;<4Yf3t4D+Em)?4)tv
zW3JS^&W7US-3odae>i9GvvO|%zlwt$)_LQDhe=(aO^l-<&qbQx0Rnt)Hfg(VGYP8x
z%e>AS0(?N5IZ0S0CC%CPM5k8_aZ?dwyGtd_r%kOdA7jnr&2*H(U}H))VHFJ->nRy+
zXQ>X#$!N^>)LYKf#~tpu8(0!;)X#qsrh7j>s--uL%ASlHwdn#T{WQDdE||<`m<~n`
zJ`EES4FDnqj*MkPpm-R&($$1hP$=cEf$PK^U002REKMog!o2^J7_i{d(=Z_*>QQFz
z*y%nRXq(jleGmkz!bU^WluRM_WI}rQt#nU!W!Kj4;St{Mrx=DnESf>@p&Jptgj_ZF
z3!P}NJ#YJx3vCPt1&<Y8G))nO!Jw(uh(ply-Z|=-paS9omV#}ePn8jlg$nJpkyFya
z>4K1z*57mrkO9#MK+Y)y=!7d^f&?K_U3|h{BqWRpuCy$emTnHA<d9S)9HOi60}1x6
zSjj63d^#$LowT|nzH<t|`Kcx?AFjsiopm6WhcGMwnvvJkJFVzV0zB^Ln|`F@4S|m@
z;51%}o``uGOZ0zJ%~B(!Q-a#HNKvfL0x&t=3>Eyk<++su;bFvguQvt97@*Oj!#10n
zX3Cy40eDp*`H}`w=^}-=<y`PVfm5MGYH$U&2Du5Oyf2<0I-oob>RvCBfNxULDHL$5
zln_dsa1Ik{bQD)9XyHu9Xa-Iw|C!YU@ZRkNkp|{s@5+PO-~)%ts<`VqqXyH!fqi(?
z9Jtqu@Ztdm9x5SrEXF;ZDi;3{21PnH(Na|=H;gUd4phVDkSoe+)qMc)Zscc;y{g|i
z2O_|gSAtNf<qjnZ=FVK6i<Eyk$hV4B_RcTmjysIi{m?pch028gW<!mpA3ELsjqP+1
zTF7rhyW%+>uvoE1Q1-iQpS9=p#^jjOY}%%?d98bbwg2P7-O%fANRP;U3gWdb#`owW
z`bK@R6eFF(S$gV|UOt`Jg4uxxE%kF553CeGI@&F2o#|vP?vl2uDsLJbm0@%FR#PFc
z2K*%=*E+|gYGLWlPV?Vw;hR7ZAv1`X?&;6yreugKxr4qE#p<&Xs(gy?<z3)D=mdEw
zJeq>7g9MJqC1}z3c_4h63ao`>XAA^j!I^O$r$>UU<Gm`l@gv?tj&8XiD#-0N4GQn^
zfxgA4?}NjQ*)j&Ag5=&Sl5m_=A$(q(Iad^L1)@<XD*KKITq_2J(9_4zC<hEeroC$2
zHE~euuwoif^UIHqH1xN{jYZVy)q+IobVOo_!BkfJLOI0D#E_^2UC|qXapJJ)wjtE-
z4_wCm1G*K9n1D$ZDp0frm_Dm$bh|>SKXko{FQ0av{sxl37!7UtUezjU0<R;7dk9Rd
ziN#^?^QyuQPoY5y<Xf)UJX7Gr>=kBCz|1fJnI1jNZ#kwqP{QZ9%kR#62EyP*JmX7=
zN=H~ryTU;G3Ri8MbP5hvJ82Ll4Ak+Mcq!BmvtnSy(Ny_A0o38R9u2FVbA$Y)2Wde`
zS7QSB8t+LcHArzw^&Q3e6tff<;()0`3+^X{#~!W^L$99;hGQ%w5IhkmbpyKyJ36n}
z<b7&}8eSh~OF5wS;NPiV+aqjWa3XOvY}Q=(OVtSFDJ&lGlFBeEC}3}W0wZk%X)-r=
z$j!G1)7tevFCnrRy99P25L)?uB@)6d*~Ji8=drcg@;9JMTakKj?c-grl#2^bS|o$O
z%j2%sAmOHk29f~7VWl6;VWnG}K`V3*X*nD9weJq)Y>9;SM;Ks?Ml#TdT+kyW5(12u
z-hO7k7?4o}BlfRL*5PM%hY&-ed4`b!Z50~EVUBl}{8w@X2U8i@sst)ANpLPa5Oz;0
zIY8`gkkQ@B?Wz6nVn1{EGPa9|^$*Brv%n=)XT?lcICj@X=%AyZJ~Rc$fITlGm1-A0
z&V)dZ87-!IC|6kJA?bFwuJ$!T;~G%f^^48aMu9-hZtXbhMW>`gjZtkInth2WIJ7Hn
zS`K2(l)Y}dWvYPYja=@eq^QtBeABrPul7hNXDh$t^FMxh-+v7r#DXbSU#fhUxuE3B
zL%)z4r5Vk?>9s5mB9dB~Tf4LI`3$<1pO9W-VcXi8UyCP-mQ%aaOBXeGPC*uK4~RQ$
z%m(+sdJ>V7&!CZ!{GUl>=*>(zsouj7N?jWYYO|M5r%`jh0qb&tsW^&3;>NwUmmmYu
znB^fdzx&TwlqtvL>I#HBIKDP1mqCN4*T3NUH4zCxWJiaMsEO;7^e6qkgf64SOY(0>
z-$qbeL&TAS`t?GF9Dd-Q@lf(<2vLd#ZN+B@!TPxm2B_}i9gF`4g;PO6j8-u}=rA%P
zG!CKM_}<kWmZXlsts)c|q=lbYg?D+shA5HuxL)KRVS;xVPdxk2q~cwn>C>l({j6oj
z;VS2m0Ne&Vixo>Lj?`6wQf&p{H3tD93RPkb_b9>zt%T83rBS+RH`hE>8b}^c$|7ol
z@yz)=BLvV3V${BI=cz?;kC@3RkT_^nnISh2y|vijFNV;iEex!jA$gKX!xj%zDa%1R
zQ)(k)k*Rmshg)1II6^CpNu<Up0Wdk710q98onp0MqXgp;<1BB6t5&iQ;yv$&i`g)P
zg)rT*2W+~ISn3g<RPd!$I-w}imDPl`SmO0YNM1&1moN(_HuaM|E02ys%^>VNbl)l^
zXN#tq7FOE3o4%~U625Y@ptb$O;{c3&0>R6JN&>MFJiX<OJUp@Ke)QZ0HYpF8H|#0r
zYucz3N>Sd`HARBW<%eUbuID3gO_LMxC2bP)cN8d@s(xsI&D%~(jkVw#1&D7Vn(K=%
zSrrWqVoMo)9Yvys%o){VbS&RTNbe(Lj`w{*pNmpyR#yPsF=I)%snZvC3-VmCU}dh`
zH*BytBgJYdWUk&0-<plSn=O&dXS1&W<-ZJcLL4Pa0nXa2k(--|nQxa$Wb?wln3<LJ
z%s`-R4=pew=8=Gf=}7S@60X8p!i5i+7=`XeCX7)@kXMpJ0v2H7do9FCm`%__5F7%o
z@eX2T(LWjTh|XX%au!+;iwi@_d?paVe=iiI3oq2UJ5kdTsOmu|xt24?R`W)O0!$*f
z9~wUcV<%}(L)s?sr70S`_R;13-bPR22%~^PRDV1nn|<@Jh&a!*@1wa4^id8~B93L)
z1SKm3Xu=aW_dAMj{790_A%(U}bp&STYy(BrJJ6_-ssL~ath0g%e5K`KYJ^Auvg93v
z_syb=0wh_G?9QRZw&b(kf`fgR#ty2$Q!U9c2u#(PI|$ZFgES%?yw98&p%6bvg-Q>?
z9DJnlU|G$UBC~|J=E|GgKo<6)FKG=%l0+*Wb*5g^I({v0V~$e-!B5M`yIerIs9+2#
zlU>eNP~MiGh!ZR!qrT#?Cs@?euyM4Vw?~qYIC8}f>8Sy3+9M~_iZ0c3s0Cdu;PwyL
zL3Bj*bxNkn7asY4so!*Amm9klP9v|BDd79c5z<Q<N6W;y{k)=>9LLcy-k^dg@5_tA
zQ<CsKM_6|kL>JlQi!ZuKs#qToz)7tAif55g^AU(~0ugqJ5hV@&S3}V`_SL*ZJR@KN
zkUd3~W{bNi{AURHQ)#Y5yh8Ocs%JAVCVCVo!po)P&|$k=O0;@}NYfcTwz29SqA=4I
zDo)xaf%YE!a}l18H=!kNU_DqW2#>ZW5*|%f*pmcZ2YfW16&eL=*$&{8p{~gWSq!;x
zn{=#MQv1Vy2Nk;_g5eKw<K1awO*+-L5`%p4{G4P)d<D)%z-x2MbXWp0Az_o`U1g9A
zKrj}1FfT1}nxJ|`(yB=h6b5^p)y+q{cZfD3_wYEfUQU3|jg~yXIUEb?WI#zMKx+Hd
z2m&0{m`3pf=SFQOLaWyt<7_QbIlbt;c)2t{;ss*`PUL7Hl!fTA^)WIk7d??3g2vaB
z+kqk}F`8s}zft(u6{7l<7KCla<o1g^ibb-}(jhcAfojx$5P%R;u}1W%swD}G+JpnZ
zp#aSgQn>&iuW8FjR+D?Q@C6h5a;7sxr0i%bv7^c8j|AC-iLGUq<K!+0Dp<!HNZu2C
z4>I7UlU9w=lS4*=hcd9tZmn3pjein`_NU8qr~}?L<zk5O;9=t=P->Z*31S73k$E67
zU|#(_VttNdwjU4(XF7nd%|KMKg?BHooo3Dkr<je(KS_CB^k{)qeA;z*BErS``c?@+
z#6o5vF4{b<n23lrk6R@o2JNHLDA<9MX#aE^L}8qH)a?-5XC9F{L}Qu9$eA0yp4^W+
zlPK^Rbua-W#(tk+9<Vn~CyXP-=|iH)jv(T~K3rmm#;%XorJIYGQ^R>k>5^UBt7Q5l
zxZqn;8p-h()v@{FOhN><K6sTA9GP?@mRrewQBULh4ZgBGn4^Tg|G~{VS3BEs<vhwN
z!rU9_u(EU~oUn~r&s@3axMq&_$f$l|-v{PKH2S2!Ztah;fyWCbM@-GnKlTRK7r#x(
zCZg9u5hOwx!^Na$q<=*?=%tUF2_hu-6d9Y6X{B}igsCMlFaShj`mp>Ve^+Q$6s>&s
zA=*w5E9#q_#pE+vAAq($#WPE6WcKliR|E{-+3v&(AX!<7cD4%qLJ+t$#K-)!6SVO@
z1Q*zkxEe(taIu;^5eu`40ypOQB+<3eP{e)3J)PUJ(Nv1_%$Ow(H<-dwHf9t~bY99S
zRSp4%aA}}Y-_6`4#6};D7_2}5L)igz^i~6VqU6HvKe`#k^v7e?HlWvxp=5eBWO*!)
z5ra=386!j`Q^)rw>V>!T?dlHn+*S#jZT&f$q!Tv%kq|(qjot`lDIjcH-b>TLga*SM
zig3Bwkt9vi1}K|^CQAqo<N}efgw3RZkx0-&X4tU0AXt_>+$)F~C6Db4#57XJoPlK{
zMM75Iw1(gl<@C)C5;px2Gr32;U|6J&Pk+uL2_x2jdl}d+az3D{F0k(qeJO&Tzl~Au
z9TRMoGBjQf$K_KE1<Wbf#z@B!mn}B<biwG>f!JkrFg;i4JoOn&aK;41>=~@clYA<=
zPvkh}>`sq&!$M9RIpp)@o=*|^pTvF`HYrsewIiA740!u{e6}Kw$C10D7^maST@eX$
z(ftRb$ooCBGCdxV*i(64ceAnX?YY2w?0-g_Lxk*l#265O-H_**GF>s%Ep~__Ph|Jr
zj{Et!M~w_$jw2L6IGQC9Z_(B=Z>KQJ%a)IBV_v7Xrc}l5@h7Ivij#||)^p}s{Po<9
zy7fMzEaj-{a(A!EJv0kBjI&|`Lb0i}Nd%mz=3L3Xu)1aH^@oDCQdS33EiQX#C*^Bi
z^n|6!hQ61q=CwrpNJYU!$F9g3#p676O#Pq9sm!=v+oM+vUi+J{@O8FG#bDooo-x+Z
z$<DX|SZOm08*NUT>dO_4A`^+W(?PzVu&ntqa~o~d<4s@*7FS%Ry6Ppy3o)qoA+9%p
zBK|^kGTNLm*DL~P4Pg(-hTmW$PNi$+e(F~HmP`B~l4KBAo7+ou1+(qbw%fA-q{m~G
zi_+Mj5>gi@)m`*?Hq#t#1|Bp7hzjws$&%5}jLeCx3GsKb++{c$K(z70gVB`{;xzt2
z*>*%j;F=j0P^bVNQJLqT9O3$a)%x9zVwE>w25pSCrwVjdTMEaX)dFWL3zU!8`M*N}
zqwU?oBweJ?)fFKcD+?Wpic0&A_wE#;>n03=<|{F)h3RuWVlGfS5M%>|*KTqq6PD!s
z`2>G8{~11#75G#jk}N0GM?hFznti%SG5lQxVi2T$c}}g0x&q9_8+k?!hq`)Y29|L5
z<8t*WKfozoUc^qyN41Y^E$)V~IP}@l!{mLPK(!N(K5Pyp>&*sEKQ#GFrMV*4C5OTG
zTSPoXVL*A+nN8(y9vbwSLEglyq7ODP2jX$#iRgx*IP~1~Ks20rdTt;*PCtffAmmCu
zX)zHtB_7Wu9+}x&#H@UNi9Ir+4{$b`2lY)$PA9|T{IdstQn3cn@zPmXi#X`)vRS;f
zg>tm10jM{cv~-xVmmV1-qlQmL0TixoKBe@+1tMDN9mfphv4TILMA^kanr%uuP3(c`
zzFH_fhAAihJ;6wRQrZrA<C+KH8j@&GDXAVvYvVrNUvRQOvXH778}=e#f4JblK_nAW
zhKdLfcC2TkCQo&VT1oG7Zh72IKc7>`qqUxpV{&Z`1;+(Q+H4_C9rMnV+ZYS>IjIOb
zbi(DvNDqwb@g%V3r9eH&JBI6e-d+u2^p}j@w@F0}{E|%>;_o$>#F%(D;YmE(<g#d<
zJ*5+cD?-U@<w{_StRhwKIByb@17hsS)!Byf0@K9*LRjgqWa1P9qmgoP3h~j%(p8rV
z#89kEj*cOy9g{Ppf-d_LtiejkufP(n*Gs~(B|YjGGEQdEgrax%MGVUubXzS{Zt7n6
z(xedM1j%>0&|`gM+96euNDm!87DWtyw_73_sOwp;3lf2KN#|uUMP#saa|%Ww0y;Y|
zX}w{d*ouT}X{Uo;4xu8Eh|wmdakt@E<F)ld?j2ax*V#cq@<7@Zj$1B*z@4yK!PBo}
zuvNp=1TfL9qnC1#QNYI50LbD&Eix}OV{F}6*|P(N0fzFg2how(;bzE}d4_o`HwFqR
zXn>T3xA7DFUlPz_+vlydr=y8Tt*lhI&TMuok7p>EYnM%1SS^MOs70QC82Vo)(wUcj
zJi5jqr3qaO$Z0>H)<ZP*Z#|Sv5=SUN$4lD^n%ca2D%b#NuUUzRH<sM$tZkpdfOmel
zrqoj2Tey4pP~H``RIIr=XmGl$xP!$9_gIXgN@_FctRlLUHHBit6R08xgPP6iHYZeN
zO<?inGAc(@z(ydF#1-oVN{&QZFCRFe^IPq4j+m$zSfh@u#Rs6J!#2`|U{d5eVL%uu
zadE7mY!JIal%YrvxT?rd?+9F=VkkI-E|)NrN<fz@SPCxy3ybCghL8g3Qn5q$0dwR4
z;m?3BJ`htVXaL)gJx#_a4k-W2k$r%1j{w?7m9vI`S+17p)3@`cC--hd&C@MTza12&
z6gsk20Y*xl#hPhPLF?@;A#{6`hVwUZOo_xtP}U%~51N(LWz6kQ=mF^Ub3J4uig}5j
z>1e4GXWZ+dwr8f1PPOxP#IGj12YD)G2rAPRi0{jhDrE|P%Z-=pZxxkK%e9iLuXAKd
zAO|(j)0hyj=NS}=4d0gr)CvG!mlnTmash+qg&qKUsH(=3%?=n8B1I5CZ4D<xiXeX4
zR!t~3d|iq3y>5p*CNBB66cQtg=iE_$7a<c43V%zG9=59@!iV=tTo_vA(8@l^H>Ju%
zXpu^f8*w|A*ID2xQQK}Pa(yo`3c=DbLmXCQIeTZcyfTzoHHy4~b=0k*OQkB{R8Eq#
zXZkR+{K(dkGtr`*@Tud?zOC88cTW3fE8@yKAxc@BpI?C!&!K_K>3LS|nVfo?cys1d
zp<a;9W+@F4GZMOy02@KHgBhIf5<$fL{tV8MyoWKz6QMJ;QH|rX0DfJwkp2aavp|$X
zaR&awW|uUr@ANKW7dn6Dm4c`)K)_hvPfNx3iY1}fg9I+O{+v#|T}q4?D1yMMJeh3w
zH|jKiW>s$d^av?)=i^S+14IN;fJd$Eq?!@(?yD(!47DEYvu6)YcvW@^3NKrv!TBl`
zF$nwWTBqyYpRfec2RnqiF~T$g?W(P(Bi14^Sa&L^aG%#8(%0`pQ4SrbqVNcLHKn6g
zNdwZPNfbDK1?pnF5PqhLR1>;rb9E9W!-{@O(8!w%&PZPQFIb`y2S<g*v_gsxh09a|
zjQ4@S1F(j_Vbi0KjQ3&Ep2LkJwCw5Fb|6F3oH2zaBe3Hczov){uh4QUuD)dpgH<_!
zu2Vt>k<fJcNE8L01Exw+^3)W{?NU08mHjLTxQF&CA>heP;9?NH+&J7`5x2N>jVvZL
zlJz#Mw^;5LVxTnS3SGPx0NJ#5i^Pa59yZR+&EpRxf>b$rZRc0eu4q+wkZ`)Y#`FJ5
zyQnaO4D=OlPZ2r-ZkLlKogAayzU^<2o`n<2b9nkVu|9#pKk>|wRaN|Y=|KK{#P6PX
zc3?ea<{fEOe~@*pDGgiIlWP{Q>Y)VevqSs`uB{o^%wROzR|vKX6Zo`*Zeo~7#&5YV
z`Bhg8oyyYO`Cq8gPhr)xg@WwFn*GE?>`?&#Mb0Bad0Sc(paBn^L&dzhh?6m^2;k&u
zxao5RYiY!RhW;L-VNqXZ^7j!>eyeqjE6zb(FVI@0o)U5c2|;wEfoUk>L<Nu8IwkrE
z5@9B-1=*1<rbl50qdm9nsAWLOLmf-p>-bvG^>zl?E}A_%ql`M2!cLkVIga19A=s`U
zvcjt-b`u1_`GBS2XdMwl437puDOflAL2*$*pR_avskrES_0b?m&$LmTbUpf@3<5Ko
zhdhin7#S)1hhlHksaaU9=)agCIIB3V84`Q-E{2#TDG!tiKzoTMD*>h93t-Qu2PD3^
ztG11ES8g<>B^0vR>f@wN7d5|3UIhH4T;XHypO~>k0Hq`o!aLciYQ%Eb8QyI{fDp;x
zGHq3DxaCf!nr1Y~Bh<?v2Yxlj{sKhW6OAiCdckpUMnQB)krmyv@K_O#*g4i%5Ls*-
zS|$jd>>RWv2*d0h^hpvWB{-ZRsBvqXwLB4Q2$Z+v4pFAPOyna8PNB)d4VL8^Yt<F6
zR_PMpWll~p>49>UnsuKh0)V-obip!ETLPIcvPVeR5gfL{a17+O{+Gg4af^C%%08$x
zL~XTqZ-i(EfKrT*eCar~1ltBMCAhnI2me#Y?Y)IY1p)vLS|)RTxLW@8*j!5Ogh}tW
zaruQp7z!!(;|<>9iJTs&A_vj5=r9pc&^ydPB8#AQAZS73Fywe>MlUet&`3nzFy(+i
zL-#P`hE1~fN2~!40oYp|hpYdaoN}+wmB>QY&Q0U$iJX4LR={YIoOWuxPzVMH>j_P9
zFStp0eG{OwR#qVUqJ<XQ31Mps_K9>DMN)6g@rIxhZ{b0M7^+*jWI~aX4_CMVm5Wsa
zS!F?VV=XO~vvQ#Qt}1zMHTti_aWgi6S#C#qsggMMHlMj}75AvDaklC0mgOR5vb~UF
zTwAo*YLvFbvfO9cw7QoR=+V~}AhMdaP8!zG-q0fLFHMIieIFumEOKp;w!~?Um|)lC
zvo&)|0YC{~_c&PAgRUTl9@4=7g+@o7$mFULWfnaIF>|!B>e3A`CHx=L+oBCJjJbNz
zTV;h4P+4v05^%)Xk4P*JoL;^sZyR|4P=&q!1_u}@LTq+u)7!Vfp5`liagZ|efdc^Y
z?L4}B%XUF;6yD?-jUG?Iv;)k5sl&<qbD=-ZPaLs&54PC*cdG;Xc#HAsFK2OMFXR;k
zh*X?Oki=oN1v+BNB@6-9Swk-ZY{D0&QIQUy>{t7n9=wpm<Qz0mHkzPJ1F`_vV-xhJ
z3FIfDk*fO&l?@KKwi?+*j)gTA8HY!6pUJafARgT4u`n%YqMcZ_&lq0KyJ2`(Ce4NU
zF+m;ZYU}aqRgAruGho%%;2l=ggiR-ar-Yun*XFy?ZE4Gqt5|bF-(ObH3?gdqE9!Z!
zUyePK6qv2FLM$1T@tf8iT~wW`&H&{YU-N?bzwA_YG*#2wM24pUB%6m~#irCFMsf#&
zXsd=^z0ZvD10VEBpuVoAKd~V~iknS;0tpI(g+Br!wFe{q1S0AVrTK{oh^e))NN|go
zWjfLwRu8;$6A<Lg(i~*->7r;$>FSH8r~pWV!khUl3^FMWjQ9v9QXL6PmzJQeGl?J)
z!u-&*Q=8C`9u)M4J-e6z1VeJBKtQ>Fh%3uLX+#AawOL!Gbm)a_0@4|I_o<7-4gZ&t
z^#Uxs`7$N{WlmTSwWKloEI-?2H44h}(OGLqy`Tf3dNsW31o5>#xOA0%$8snCO$vm!
zgOh~=`Gg$Brr6;riq#S)4?oK>X-ZJR#Q0kmkQL9h=vrd}SZkBSYwZA>+E&oIt92$+
z-Z7jPFUAkq7y}a73^|}(_G$WWl&)n5V;89<BR%vOhzL>Bq+?V7ghY*~-qJCOKTdQV
z3ZAyp;FIAF7dx}yI7>Td8zm#^Fser8sE?o_p1NCHry_|P%<|BRf~0=S;1f!8)&@Q5
zK;Ttda?fa*xwpV&f&m1`(jT}%u*An>06w0k9>EWKLyVxZLbYh@JZTOscn04wX&ag4
z6MWrSfNNrVLK~d_-(5=+dX`5voC0Eb3Qt$CvF!eSvwH|&*MrmF?T49^CFhY~QbPfC
zI3`USXuTp`ecjbAr!Sm4KUxBB_AN&`5LdzwanKqlGy!gXEbEF{!@Ym8L}}|ro=(9?
z#W^^+(FZM$=R+0mIv5I=yrnLgDTMh*LlOX8Cz0D$)C1Ur_33ZucMdc$7t_?kz#_Rw
za>kJ0i3Kp|6gHFq5wh8^7$HQwJH$eO>S_kTZW9pfb#}V|)dSuJNV&BG{Qw_s2uu`t
zcu0Zik|u!@q)7z`g%yoA9Tkt|E;3+CqURJ~a5<{+O4^E);sIi*gNL*h*al0!YJWr3
zkxBIOtuFz9PqRz0=wzuSg)onkl>;95{IrOL7C>^XJLw5EK`Fy+FN(#|$xKpT{RO^p
z*bW_rx&w&1rUt-ZM`MUk+8EvuOe5gj7(?dmh*5ZKKn4?TP60(|4heP)Gsm|(1{<>$
z%6#%a7RrAJAhghfT7nyxH|(uHk9mbS23sk-tpd|Xx1gIv&Z+ydKSB0NMG4p$#y*5<
z{m~-dS{q86f*$k-821DM^alg>ghgl$KCD^vp|-IYcJ|SOmN4k1-ItaD4If$#phCGA
za+N3qB%=;?X$W=39GKD&r;Iq$8R0la91iXfP&{GOfYssgeVW_EVa71BZ9%+C%y$RA
z)87SB{g<bxWz-$UBnEQ;5E)bn>Fa?ix_Syl6{?<)1T)a~H5X-(K;0p%1u8RJxGy)G
zq2!y#P^nK<6uXvoI{&7DX+!0Ee3x;U02&qmttz{p9-A>fv11o;!#2H;TS%6GgDv=z
z7Xcqr1@MQwVa0fZfTOVph&qTAs2E5F$_g-Bez(^`kq9vY*0q<SOf<Y*NSA^DID>$3
zb^Q>c31bfMLe)i2HNu&4vgAlQ1TCZ+Q6T6Lw*OfOg2Ej^WTacmL(~k33?HzKt+0m`
zY>XZdhZUjfo*CE99^gmUr0FZEu$S<4QCBGjsDZXV1AAMaIBJLkl=Bem3D*cXj?SrE
zEOfS=<%ueFA?$nG=dy^79SMAtNMC(`)DYYvy3h$Fx&At5ils;&TN3+Sw0oH&;q%!q
z@nAg#L?Pddo*~IcB)%TIWi=7(k&N!pzQpsUfQBGx==U5>@j2>XgWVK;tnr6W^+a&*
zDva;sx$TFPHCNm@L1|IJVW8P|V5x&*$<bWdm*WjnFbxR>f1%N@0&y~qqB(yJDjGU6
zLBs>9fEqcN8pl`ffLgRGvaRostH?~j;laIp**~0G7+?YT?KJLH)S);_peLe_qR=|d
zf1<HwB9B=>T4SQJiUNCbuSlg=;+jPV*F;i~#1#msv{8?^6A(UE?;q{1bpwuxM>>FN
zC#S3)u?2@}-LW%hg&QDQ%8!L|5@7hcayiK~gybXMkb5{>9RV7NP@oSh3GKtoDvKV+
zF`%4c6|G(!u`hr3tRHMbY~Tj~uTUpAEE&`7np_T!+T(;H-bdE}tIo<2bP|=vC)dCu
z!0-#`8{Tzb738=9CpFAJ#=*CUWC%kx3-bsOl{gT}fl9cbN}!|^gb0H|ppLiliqCN9
zYuHabP~;$$kYGJ={{(iaK?9yYNEgy;>w(czRcVox6SO-yP~QL;@2CbwzfcUA2G^n7
ztB{zcG=2a@K)S!7YmDJs+M&{f_t2DYuSl7-p4eFwY`aW@K&U690N_XZK29_SpR@$-
zM=A=b^f&J_S-yx1GyT9X=(V?#4qgGF$m0-MC<%fzB9bXqpq61w+^xAdJ2*<HwU@)E
z3KLxDwyzgVpn!-p!Olv(B@NkZqC!QL@KC9x^vHUov>CiZBXa1sV=wN$ymv<kq)^}#
z2mm#RrP?{o1|S!OqWY`_K4F1FhQv^^MCX9-Wnd||5$`~WC6A!fW4R~3YF3a?^*H8Y
zs(l_G*@jEF3+-LdtRk3hm$E8=TFvy5mYt0Z7^?slcn*|%MlQ|HHy`HQ51<5i%c^&Z
znIN$*exoXsv}ygAk9wS-1o0m2F}7t-^<?H<tCu^&pTGs*U4N0wv$z}8S=BBE!ef#>
z23Q@Ok@Sf(i1pT!Nbzeb=Tm(k!Zrg!RGVt<=sHo?(Qs8rlz?Cdnl_<IJyo|EaAD@q
zeK7?#mW=y6n)>@my$B1XxEi-(EIMt}UE<ADu%}W6nge-_b%XI-9Ecq{Rfi$RKhMHQ
z2^fHUJciFl<1>fs0q_oY@FWg2okgHmIY#QD*%ksc+aRAnpvH$UUFNz7;|_!tg0>~?
z?@(*?W&&_{JeBZDnYC>JKuB@fV%K681nw8{OsLq_E)M&sGjcWX@vjM^?ix+@vyTl-
z0d9$dpZy(b`Z(~002Yr{IFcW8r6dB$#jogOa|S@*X9(0nboDPAiUX6WvDgLXI*e8>
zm4Q-XIuYQ-BBPt@|6Lda4XuP_1>R4>@K6uaPZVp!>mlWK!K#v&nFfNes}&D{XPVA8
z>&Bw>843D4QG0>o$>88RpL_?1J8>j&Q{B6=_e#1n`i@79hvKZ1RwKxDoBn5V^p?R1
zM`=r%!|4L%{!krD6JWH-nC@!$AKx*itaw&3-JP_n18tmgyHl;8T!{uc3yT2?B*h;K
zQHZtDqm6r9<Btb%l&ks)>yL)^E%^GS+(dEwVqw><J3rzfWEMMxuuEPGun5&kK1fr^
zpEA&=0b9vu7Z_W~<4nRqzy#s9)@*^>nkK&()G(FIT?CF}jt66R2E&hcgi&=Cd+T?j
z(NvVEbe&?Mz<&1t4O@K2$Y%mhQ}1x5%c7x%2RoaaVs<~xHWX+bfaAi#Hvn+3n%;QT
zMc6<SFQE7ubEsSbKBp;(!GhG_5ub=KoNnB24gQZKZLo9C|0xwiUVt~~K5!6~!03xa
za%|q*Y{5RnHekY;U<nLWY9pWFh7;0I)^d789}i`lRx%3r$b+*Ez9Jlo*rq-D3a-V#
ztuvs*b0H;VP$_y{L<KEb%9r_QFWQ?JDec`5PavT_&>SVHXqOz<hU!{;K*<)(_@HAt
zK-n{p4R5)Swp1S2LN6Ji8<Nva1X)cz&yP|a9(+dZ!oa!<Ht&E5h?K_Q((_OV#0mOc
z&?Ha_LRb)gntKP{(}}RKZ2(9tb_q)hdG0U!3%(2Gh7JZ2t)91SX`m=mSSy*a%3NgR
zN34sFv1h!coo!~5M7~6>1josXDZ+3Ve+m-nzb(#3>^n4g5Kd3Ik>YkOSp|MTSRj{E
zjLao+#SpME!NYAiXuw-cn+$a*068rNgEq${uJJY+eE`QpiIBmmyM3USoFoaaFvrk@
zq-x25D?#Z5iqj-;7p&IFG6=^B3D-?t3zg9~jly<eE?zJR883XpJWiBk(n(?ybes&P
zByxpLZeZ?Gk-Y7UAD1|4G>oOMv;^TJEZyv&P*Q2=$o$TC<ZwrDx-V?&Z(_2SiB#ow
zK*B(73_&>Tq~MRQ;&ZMk0nL5t7TiqZ1Sl+L&{u*wNAqAn@ne3g=vm^ij1xzxn@m92
zU&gp){vMA%x-uI{3+UZSKnKQ^#MgSD-?z8~z%g?Fhz|LR62bz>cr4rV5Mde#hz@k-
z>ZPT4O>o)O@{RwINsj?}vU1EE))O6oej?Nb*);NPKexYr{0CzPoStao&7_{iBIUy!
z{av`re(*ByumID&VuF&d$<j#v(w)9|m`@WXA<d7hIMwt6+&1{(3unhEG=@Fc!h(_m
z7pXW%&iKda2oC`e2KD}WdV^B~rVRy9iR``+-+$%N?idsDknx;a;^L$O$lZU>pPihV
zjjfal{_%(gegj;PNZMWQEzZquAr{iWT^$2TJL$Jmn%foAV_j_M;6OG$MP9ECkLMu3
zK%BQHTDZ7itR7d3u$nzG00tUwHzzS+gh2FpV74X=!EYR-SUUl!fcP2SM2LDEZQ?VC
zAe(2+LCf!MLgN1*%zly-5sc{dtVuTh8AszmAjHxen){h_NTgPZ?Mys2F3Ip#AH$OU
zxN#ds$@_ScL*awr0hBndJPg%@zfC)?0hx_E4~i&4tR>rrQj+O|dvWgeTa7#^#QT%>
zxn$g`0_ch$mvNwpZ6HseJwai74iL>q0C*7vC@$hNwnR@LnV;LWk%hn{wd1ZC1e8Kv
zzZyXfa54^PK(-Ro&`gx~K3)ShLFb^EHCh{bRvxjOq+c_E%+^2MNFf{86_y+&_^FPV
zhyjM|f%frvlc}}FO+jEi76vr!4+w1HcN+H*^8yLAwVw60KyKIu(pqVxEpcI$vq~af
zKsksSy?$Ge*l6~t!2n%n%8{ln(y_Mm7f~<_(Ox}_C@(`(V*42ig{s5VL32}MAgkE8
zQvg5|H171|^InG64@e96-aUr^2;ThlmRM3dft7($VTv-%OAy9oKoz7cJtMZK!|ncY
z`w1>Uw~gB#j>Ul<0c8V3q~n^8(lOXT0{$E71U4~^0A6@33TECWyMP~}W~xC`nX!ZW
zr{DOTkwXkZKLQSB9#2SEwSo%4x>*thYlP7kA_U;+SV7Oe{#TF20lZ4_8j&^=Un`mA
zc`(u0!ziMKm8jHVXBpYwy}5qi537NxE1@uEUw%(%e2$d490_~7gqI^(Ra9CD$m0h|
zwjxWMNhkqwW;L;82`s!u4rrVND6HwlHy*;Y2prcf5<=!r0lv}ha)hfS9!WYWC^Gs+
z;~DKHguWD7cto)POwNpyz*H<53yr+{v;%DBF3l=1il|lx?G@6;irf;0#>gPBwMt_Q
zqlgDnN=05NR^Uwr9`Bj|BolfT3;DrYB9+n%Trfb%m0E)+s)vT!4Qq)kmpf^%QzTmO
z!D`)?#tbFSM<Zw`V6bw<J!DsO8(_{~X^}ycpIl&1_3FDmbT|PB>n2dq-YV3QH_s|Z
zBxKE|Ff6LxOO#JYTE;*a1FxjPx6rawHrN3ZK-Z!Q?>Sb1F??H+i&NhSk7cbCPBSG)
zK2s%7BNAjM8rRNddc<9<WX#urON#K?YJ7Y^^^?-n$cjWe1&?-4sZBtVumcg0-@(=1
zVL?DL`6dLGG$z@U3`NCd)VQn(c2l6LcN8;WIw~6iSU94jy?Jf<yq;dZm_H>fw+jrg
zbIdBjUPtgX-`a1}%t9S!8IUv$3f`=^#8E#vz;wpQ!f41*g|btm|CJm`e!3z8Z)kA5
zE+(k4S$PY4q3q0BFoDoQ8X(7hKo(r%F$9uO=0r^2u{%^*At7jSi`a<2tDOk~h^V;`
zpl1q`Jm$NlUOSHc^-IH=1W`ia{Hzo!%?J`DF2do4-^xsE2!Hs4i8Lng3V_#F496g9
z2M_6t5U9}eWl|&YRL6>OJWi@WP9HATukWNvaE!cDide}K!pVx_@JMP2PWcU50#ybS
z{#I35gaC^ZK?#Z3<V;S_Mj%s`%kfSNfI6;N!pd^Mf^J13Q<1Q#gi!3k(abYf)@LWE
zA`KE_7cxO^N?#~XhD=H1B%G6>tVR%UNPQ8N|BoAlLW#ntupJj9O5CtHK6wyKR^snx
zbehieZEE}UTW<`PfFao#&qR#|jyfiHsM4RrFfrmM-<FVV0;yQ5?~#(8c~sULB8_~e
z!g#@N>EQ5Qf_{@YtCOJS0`BAy_UFOk%mFzyb9XF2)QLGzJ_wF{K(ilY^mx<w*l4p5
zlVekAm_+<=OV~ao67yDD_{DASQ4h6>hbF8?o`OJ8&{M#H6max{5VL`lOIVN(ua7;U
z0@@DGQ%V?#f+u3Q>#0M)L-mNbXp<V8v$s}baKb0dr8}hS?fgmn^We}?kKwumpnr-K
z1Kz_Cv!FFV|Ha0^SP3?i^L^yt9EP6O8VcTkIF*Cqh(qW+wu%r;L?<n`xb#YmL*fyr
z%p|jFB_~9P(9(7O5&|42GNx-bGk{(Uhq*G1WL3d6u6$VvmKgA<PtOo1Kp~L4C_$19
zkcG;rAI@cQq3%jduu;GtfkK3h5hP@*IH|dKd~t}d#}&=&WKF{q$|_|U$E;bpe+|7f
zXo=k)F9Zq_{7Fs_QY-f`A>Mr@8ly>&D<NM=9JKM=Li*&xyVKc@P#OVxKWWeF_N{WC
ziOX=5_MsB?krbc_NMaH|+*VBo%y~_Ygw?ZqBZ*MWh_kSoQyWZz_+E15X8ABesUh(y
zg1~T<t3{A|)Pd0X!=XI0p7op!S>dX})s<0sH9#RKBp;pvPe|7LGDI~=BVqCKimu@d
zBS^#w0ng%B4GV|@yED`zqH?01juJNbN1U_+<zh?LGgYJvA=|1M;}LOR{6ml(Q<G?&
zw+qMd<ZzLMF}X}SQ=JA!0E`2shsPG7b5JJm%={)4=O5mD8gkDvnh!QdK51p%OGh_>
zd9A+-62<J42ARqcG|o{%;54cn1ksmANv&y67e2&-p9z4KICFKpTXMms)Rgjq4=-j-
zx$<$tJfZ}l&6AC6jGEdWTG~L9Wa1=~tx4q!qzU^c5nP;Vk1bL{dt~DRv9^d(4Awq1
zO2MIR7;+~dAh3)$MH!#YxeucbY<yzKC=t5uGD*RYs^p|6FrHIM2m~hPjRKsgs<l@j
zebauSszNW+U?hS(PD&_&%edKu2(kT=DOnOB`A690)h)6x-o=1rx{=|1NeDtH#gm2-
zQL+fyl@cSdkY|WI6-ob2+?<a-Xv@XL(Crl$OzbcNz9N!1Q4#S7VhC`?93{jN@{Buc
z07O<W;H7Yh>|xT?!W^-OEh_{|qYgvH9ke_Uh|Y~ns~21hLBdMTIl&Y`M~jMzE;-}N
zipp}OUA5APDfqa|lz~y75Oj4!&RPPvN1{g+<~;~e;?2(}2a2k3DuD?ILygqJ9pMgw
zr-a6xh@iJ7>E8n_!J+{AJL<eCvdL906a=j%@Mu%1;V~_WhO35ZAcLeS*C_CyJ5y67
zCjG8K^#le%Ln9cR{C-R+1~D_V#WVe)raZC2$PWb>QQJI(I$D5377*zA0SeediIajQ
z(1#*t1V-Tw2~7xaLL4G&!bZ{sy!(G3l<*;7dD%fJXM~r%DQPbgqhy&CDQ*=MmQpx*
zR9=*{hmQCAwuKUT+@Dej^b(50?Sd*F{1LfJa7GZ;q)%2VK%|VdK|7SU3V=+4x`#xh
zb`dwO;o0Ui&MCNkP}Qi6rE9P#I;{|ti^*_GU}ey76Tqg80%0IZ_}(9g#<&B@B)344
zz0?AbOgmHIC><j&2nn_tE+*MH-L1_BrlJ9Cjqm`w{(KG&d{ND7S@YJ0afvA)EDkos
z&r3rooTYjPzwrE`K?nj+R?woBAVZy{h*yFFRaGlqBa~?}(y+q8SjZRWFo`RDE8v(k
zxlg#8A3b)^NUnlWUdz(@OpDz|bq7@oq=jr!q51v;*!IvUo>;ELMODFSH>-g9rEl}C
z4u8rLb5;?KP$2-p;1Ia7Bk0mMYaTqJ4|aG`Q5y9|q+|c#^MNH5*w$3R1r;qyN8nY^
zl(jm%;t1Sb#epTqF)kd%Vsea)@|by&m3l!ga1&2~nbP%)f5=`@Uieft>ER#Iz{;L6
z0dU}|o<c=~1R<IA0xt%$qe35d+D%ray}5Xt2V{{N885c3hM|no)hsKTq7ep;48YBJ
zDFSeBiLB2MClKjlO&Tp>Y7ro->F0=*St>#3d1RfY&PqH<)HOpIsV{~~77(Fn6OGLp
z>PnNJJ<Pp|rc`BDs1{ARH@=EbNBL?;R&wCWVvrszD*=&2CUxN?%D>k${UW>UIIj?<
z0MP<ox0z52hTic{!zR*<c?tTt5NPkE7Y;C0fK<>Kf4tSmO}Rk5C{QdCL4v6(CrJ~;
zMnQ<EC^{Q5Btrpg1Wkp=7Yttu3Q~dz9SCG@&I%+hDiq?4V-@3YU?d1+Fx0~k_^47B
z35MJ)&xDomJp)nJ;OXs$N5$?1{EASpLsV$+dxXU>G7}PEDUku98zR^7AklH1p$z0y
z@-X+7*n!jtDOjpaAQ<9iXDJ(;7%wP24#t&)kfCvqj5y$hAeFI-HTES-99Gj&IYW!W
zK$Z{7pMH~ulFHGd&%(3Nr^8+R5rRQ%?kZ8L)H$#+W9GFWDuodf1@<LYu1A*(rc;<H
z^6*1`S;{8JscohGaI{?kai@j(2GdZT83hH9D%=cd9>~O`+cB2;4Jrdoqd-8~>AD9}
zE|P6vF7PHOdeRql5y}%z{%0}iHXxxTIj(|vOaBtcjHATz1!0)c-$67tn}Hby1cK<g
z$9S07H%_oz#SF?I5S@50^`JB1cp|HCgm+a>vBVQ9Ad=tepd<=0vJ|_M2rQ%u7PC!a
zGWT?U?awsSV1B2tS-+y<p_)|`)pR4V7jBsK5?$xF+b0C|KtI<>1^Ez8qL5)Qj)+Lb
zu|QrmdrvPL5iZ7SS9mk5PwYxFfikOyKaj5cIU8EYi5VvUiC{ce)`-XeU`WGV&_IIJ
z!9WBF@{0;Uz<98huiO8z1{S0a<GG9w`Rv6U`+Q&?%?xrN3MeT$kbpE47~y<~2za7s
z(IzI-s@wpfWxzn#fNmR1sqx?@Qc^2eC&a)uW;sHOhC`s>GKqN+5)M+SOz7<zB`T#R
zo&Fs~#;GMv%DA$&l^9(;0T(H1XJatHbpDz46Yq-Zmzf}2qs%@&M>U30V?hE+O70|a
zZUp8eGqkeoN#<f8yhN>nn*vvy<ijo|Wz0I#Nl?Wl2F;sN@iQQ_#9TmCcIRnA)Th#7
zG1WJbw`#?8_@udp9<WqBIZWk=BGN=wxdP%5T%xOW@)}^n!MzVubs%JC0&)67L9m27
z=OdAHs!FmUxRbMWRIq9c82G>>YvCY*8l4J^C?B3OPZS91nv$6{%2H4Fi&#Jvglss@
z7%XonjIuF@Zig8!6x=N}+(u}D9;l>&P9q5j1E`7&LZuLh0ft~Qf?}8m(r8<X2F6G`
zfI!HB0R(tNf?l|g&QQ*y?SV|fWQXeItYRlo#qW(&O^iurib}7<(Z*`XUmY2k!lUst
zCQiaM)zWna)PSQ^$;s8zufWqZ(?&stYLpE)x8F^Ml%VT9elJ`!j9?QM8%GIfEc3v_
zJ47YGj)2ynDuIkr=Y*moajWvlV1$FLKv%P*&yDr)BV^nspD#7$FW(_9RqJ9SC3+Me
z@`wtL?7{K;Di9OwfQMx-URm0e3YZolu=N477G?)8!w&+3!)dXhwOvHDVk8HnE5<`Y
zSSDweg@bs+#RNgpT78jAV&g|$0?E*iUIw2TVI2I?Dgz5C1Y0igquh8V24OX&MPsE1
zyTc$YEL<E=wcdd6^Nl^3cs;D!t}ERgpYD$wQ~P%@jZA3WOmgit_^mI5mvkW!Xmk=)
z*hhD}J5Bqb2-*&c@UY!n5n<hXfO;VosAxDH+1Hv=1%kj&6URACGP>*iSHnWFZ7>Mu
z+N1|UM6xxe)<HWBKM@<lD`7LfyeJr#r>bV9nCKDG?Fzy+9LaiEzbpn;*7DD#0x>?G
zCvNwKB$yMas=Eo5Jj=$lvePPX(G~~hSTY2PODufdhCOVRXSd=$&=ib-C(HrU*-?%&
zRvf5B1=V=0Lg@qCg@y;^Z6FH2kt?s^qMy%6io06Sl^b!$kSA<Md0YmTrT1;Jl%f<v
z7f#}|l-8pV5C+#7l-5@Yu6t=VSb48UvdU%B;$SBqN5gLhA>M|_LlM|69H@t5vSGsE
zVAzw4l?cQ}hTgo*>_FUk0HAQ$ebwM&{M<01Uv5kkgZWGuxHJPDdEhHqv?<f>FxkOP
za#Zuw>YA?s3P*H9b+lK&Mlir^$)j|Qa?k+4fyIgF)&h<|&#>e(!kr>pB=TR`xo|{?
zou#hBOWrzr9pUX&37V^=VwLqqh+4fusH^z^2CUy3xmJozft@Wn)<U!{&Hz@P6#+Q_
zzi?9*R5=ugMF>5u>$PRnwEq-~F+GJ&cImSnf`Vsh<Q_oKxY@0777Awzy>f{Vzy-+^
z4R#Y1IE&$65IcaF@jw~?u;DIB189s@v<Wo>xWu6HzPav?2z^9tF&-T_&nlBaW-Fu^
zWw!E^HFN<Nfx`m$ltB>ONE||Qnw5YVM}Z?bjtDaaTq|_ED=y@QSZ<T!%;QCtnHnpV
z&n#?+yv3o&;@^qOyt<edtSiufNDK}U1kn&}nvIokN-bDD{RukQ8jkQod|q{!bz!$A
z^~(MfpNEG?0EOUq0#AbMLk&d+hDxa_O{DW|%j!*}`Y~gKN4)nK7uhdfHKfJp3|`P~
z)=n421|S0lQ3neG5xN*wHINFK30uJj*P=bp8G(brT1Grf@&@(uyCcopky)0Z@JsUi
zqZkaKJR@2Wl3KXLF@TmD%(EGn_YiP3uAZv~YH}2jR8S1m2MP5d4vHEo)U4O)M{(U#
zOQVK-ex5hHatrR$RBH?#sKKKsk+UNjHXb4Ly)UlmX;!BzAsc7H3h#8VnC?iDy^Jju
z0X)2yOH9dvvHTM9;6WI{sch!vaP3KyOA`EFj_#C(o3ZeqRsx*6gl-z8Pu=9u{3pK^
z*kA_W$V!_&DsjVJyiqtYwTpfI#Ac1&Wtwd8`x$wjC1;263IwUi{AO)Pxdi(m88bNM
zFoZNqyi6?WueAaZrUX0#5b-?HA-*WX-_b!yIuQC~*7{n8Bs;t%3df@=sd<w<*WL({
z+`}G)Ut|trYId(|Bt(eTpQ97`3&ZBxt@R>%PyCHOHY{3V&|P|ZGYJ?njEH6BqLURi
z+N+2*V;Im$dJfHv4S*o+y#xIdiFwaLCH7FVg<vUw7tRcF*2pusPMG5zv6%U7S5?re
z(kw1neG1bs%zzMGRExqI)mk>#hmTr?&(@OCr>Jz9wB#&q!P1LG{ll3-UOFKOWA_22
zDO&~j;hYV-?27GZ|8^&nOzW|D$MDS%vqnl<wJsJ&#6fbnGm4$cc9Rr>cagfOiOh!7
zfGxOJ!xK3?vdm=>-iOo#W6Tdakup6T8JEkiwRA6BEeI5IzyBxM-2-ckqS0y^4iqjp
z6yVNvMV+Ug(%N}IsMjbWiSxN;?a_b=$Qv<H@f3YSj1@%7Ps%zI8%Yahe7k-vtTQV>
zj>g2LK!UGUh78yg5)5Q^=C9kM0F?S6dn)7z3TzShjusVZ|My>*k)%!QAL>xr%R&~=
zMl{irOus4t@FJvSwm#p+h2)6z!4HBVCsrWXIxXpRAjlD@ZD9`5g|_PPz)^3~ZoRYm
zSV-7j%ZWW|0`?xJS<qAw4|dm;buw>cWVw@#wlgSznmOKYR|s8zV4Gz>DR>)4y5B*R
zCOt3X$4mX11usa70~M1T|5HbJnu~HlRWKuDXUuF!ZW`b2StcrGA2@bNgBYMvnkJ%?
z>5YB4AG_?niy*Bh5mX`xd2)3#HLJ!8T;t=H2!h%E1=3|$0(NkZ%xg(P;{hto2ZE-j
zxw%R%g-Oq|NsOV+$rHL0waW<;kvkQf_2xp($vkN$17wi-2nQ1TFI$oEpRcm^S05AE
zcbB4sd{^s9GwlrmP*G~@m9L>|maIA<YnHW!f?=1ibdx}>YGwVuBjT^+dXQt{tL1!1
z56Biopy8hv!z&&X><a^Q%G8cSDnHATA+1Ve30yBg46=0q!gfZaL|8F|LK;+r5AgPn
ziT?raEl0%jfcAbz#N&YTU7P|*l;ePs`jG?;Pe^cTdPnbp6o8{<1y2E7PvvZym?hD(
zj+L@%Yjt3~NGz$7O+kAG47`R!LN5KWnx~UfE<}7^3S^Q@uh{shR7oV6Rx$BjC}h@9
zl<<y1u|YHcBS1_7Up#v+0?B2nW#XjcRJ<C>)8a+8NWi@1>wpnvq{qfhqOKJ*R@owY
zxZbnjg8G>Q_CuWbkJeKle#FSt7ZzY;AlpxtGCnsNV7kQ4cio<eti6Eql8}H$6H>h9
zJhlU9+&~>+HDM~o++!HHz8Gt8&5MYT!drvtE-F)U4nT5de;_4Q!yys+o@Ij!;XNBA
z(biZvE$G<}13G2vIzrbO44uP?$=g$%A(h5hpJ13yl`H*KN4lAnv#wh41HT1Saj98T
zodA5q4}WV2D=}dWVh5&bh<>4Eo^S%+$}yx?(b5>W%#Y3$EKn4ds$})6L$nNt5(H6k
zJ@O(RXAHPtO^F;1aw63-8x=%TkwucDDUJbs?PX%m3N93xaNrlfj6`>cj);4}FQP=t
zfMH37jKO{Ed|dKTDI@k=GX$U#MLLo-OfO$8d2(6D2tS{@Z^#lOhctm5<h-&3fiUKg
z5%TbdIDn3k>Wxm)VZ$UuS7!oT&hl8?K=Od`NvCNu=J-6NI1+|+lF4xbkF$X;XIU(Z
z^Qiw*m4Yfp7KKi<zGnbr_;x|TXEfW~_;7c;>lHwQb%)aLIvIAIv-F*xQwR?}97uDW
zJyR(aOe_3oX#_<d4$Gnt!hAS3dDBR%x}0gmCUK`6@DL*pvR%+A5Fj694RW1gpb<&%
z?uQA`qde`8EbQd-K4d~+7t6-6Pg5Z<eUk2RNQA-WK-M|dDWMde4$NMi{$8D}UY(gu
zDG$Ir$VOhBJsXga{lm<Gm$;eN$&n!{(<sm&#gKmM%=ZW#>FJ!ebD^PB3?n}ZF<jjY
zIg1EstLWQXe$5(j(nk0?2oNSns%DSHH84w&DZdxi4FU1s2U*BV*b}ZroqAV_?CKlw
zFcV(LAgiqT*W*%6a)*!(vxTasGBc*OyMY?7#=e@VU@9FczYbx`zu}TvTr-cNw#jO3
z$=lQqs@ot==F1GQgGGmJxwFT&vrV_NC2os?3fz<aOO-N5A27QB>4R*RXA&wZ^2JN?
z7y!oEp6v~?SsmKF1#@hH8(S<A!VH!jvewQn&dmnK%yv*fQLy2z#>v)ENtVKHh)PgJ
z0kG-$ArThCuuMY&BVo%*`y(8Xiblhqhc$Y4$M1^9*_?I3wo3);;5O>?wjJwVWqv?G
zio>y2*}&J?o7UNl$SDrEG{`ko*)_;14!AVQ?A0B@)znwY$U1ESZHE}dT!7gYZ#$43
zfvi>?qgv3I&=}6%8pL38wSHIQhz-HG?Jm}}W$LHQ!l%q)ID^E24i>6>nPbwLCH{{~
zw$u`6a6QaHw8UKj*2h3-G|>}RQvq~aM%%4~ye%e#rO2k+J)k;H@~6RGjv{KBmjL{0
z0@~?tWmI@EDB?P!Ea57T1hW{(Rt8a_DM%gnnB7UkXak0_w{Kk%YKcPMhUf^ZmBy-$
zmmO$KP&*y0FvW21DgP_6ga&}zbk8eVvdKT@M?dBL7(t>WhX)hBNs(zv8TN}xgi-i#
z7r4IXQ4`K(a<iTjz)08&jYD~~{2(F<UIb`yp<{fhp*$z{N_{Jik!cwksHW;L+^Ga@
z02UTDe~X;Qz7!ZAMaLxF1*RVe%jtQ9tUH1wu$5CM2!v!2eLN?GC`4=n9HDm$LMF`r
z$`ZAdw0!9qwc8w(gNj*m`TzbcRr?$KQMqrGj291^)awtoSP&r)_wLW30O(7>0Stg?
z3oWW7nT_oNR=mfs;N;9$F8mPIAxTn`8K>OaD`Vr_sS(RSd%8vbeJ-JK4uK$Dh!t_W
z^vD`7T~y=Y;OsDmCCLNJU8}JGO4w=5uECya2Q5XpjPZ1$JFCjLox(;T5e6cvcmnuP
zYB3mq#A3=a4hR;6umk1OV&?e$7c=Hwk(PhLWWN-$v%On>`=s?2v-5PI$;xGHX_1bf
zo<sRhlPXp~Z~!P;_7575ISKVtXVErb3ifJ<M9XBy;VBZLGuR2@wL}iXY2@o!@1{K%
z0aH((cp}hIsJ@<l$_Z>Tre8fIy*`c3xlY6efsodD8s*OyG2&#E5aLU!@B8y~=|gjj
z4Y57Mutg?8&}i9c92=Z|dSW08q31+}p}Ff)#)b9MvG+;@Z3GD8d|l0%3{0UB(AZL4
znFU%{mqKU>F~aS(w9JjNUAnf~^e7^Qw#XTg^h>KYn(}5u9(`6S_RIE~Kwb$UnF|^J
zcxnbPZp{k9tL%t`uxS#n7J@FbB4;$`fw{7gE^}zo!lGry%f%*|pic8oC&gOKVeaRw
z!V9tk{bl>WEdhWBr(^P2<=dpFx<D9`nP<Ml^m5jJz&LE#Iq-5F{|f{2fnq*klLMT?
z(;SOAFdt$i8P(-7JwHr0;6XhvfmcAupm0bb+sEfb>@az^814*4gEhtSSBcuT=Z)5D
z2NMRFP%PcjO3th~DY)2d5<K2Vh{>}jP$(4IsH<?_hVK^Xm3FNbOA$>YurTqdE;U${
zpLoOt%Ck_KY()izFO^jd-8EXnw3@QL*{rDPlIf1Mzk64~2?%IZ2bjxtxn1Ejftlza
zBG5~1g}mRW3qYN5M2osHUL}_mYuR<#5aQu&Z1OINCOn;1Brjd&E~mcqGL;9{)F~NG
z5s9pcLYsC?%>G9(pJ9b~2EhgH18K6_6K!TNyq1CtbL9dFwD;R$+7k$>W}7pYgFR46
zHYq(Y7uhzNL!~L%^A{w9<bfhiFs}gt8JV(`la0EupKPxL6=aN+);g>naW@_<&5289
zR$pPTQXm$|xCO~CIkw5;OyYJH5;BJ)Cxg0Uv0s2N*Z{1N0SV59brke|0%|PY6~X#g
z3{%if+izGfFz~I11JT}`8dGSLWUz4AZs4+#$|XtIgh8+==`3{cR1(`kS7e}-&0u6j
z@>ifK$-paydY}_f2p%T_yG3#q#5M2`r!#%Kw)w2Up7hLcErb*ajHeq4Ef=JP<pKf$
zy?}-?t%<M}s=QZ|fP(2wdJ+l@5p%^=EHDI%WpGe|dVu1AT!C0s1-8#8BvL`GL^|Lm
zsd=9J?OqXQNHO@}G0Sjkv!;&%8^dZvid!f1v2|zz3kKB3736}JqBlTRl4@gE_IMz2
zzK1+*`IQ5JhecZVD<#$cVHDtdAzYy}9$|Igu6PT>Xzd^xdd@{v%G!O}Hxc`FMYKIW
zY&g&*6<0FP5n?zUStm8ZdQyu#C6=x-tbEvf87{G!5vjmw6!l=UCIZ{iO(|v35?V%q
z_c5U|(z1^;1fiIrh9?%10<)_Ww@};`O(_$NjSVe8MPu!8utDGun}_)L1pIboRge-}
zM-gk!2Pp!UrbrwMS%U02+^HTwfDjT<IMI3lsTi|5+=V;TF7zwmsfVWk5X-C)SXDb1
z#G^o<anJ8U{Jm{(;6=qQURtDB;s{o{z*vkjs>c(O&TG&KCzHbE7l03fqPmmSuB*Wn
z$YH)3gKjj#U~&zjU|2<qQ`|<NsHX)(o|}vlFz`8S?G1n_pANaZ2vmhOV>rL|IhE;f
z=Ae+d4f|O5P6*uGeWEUDX-qOJJ(sawLN_8nkc0_gYPfK14=bCfI9@Z@%vzJU*a-H!
zAVl;S{x;0Au;h+8vkV7*yh^OHCJ6c4mm}s`*OJ_cyGZ~VRy?8ejAnD<5o+NEIkWkY
zmI+S6*zC=zIQo`nAodoAcnn4vRsT2bZMpAlml(G8_Cyno<q!(w#+M-0Lq0>GnE>!u
z5@o6jQH`q;eRx_N7{(Z9frB)?%#UH2cA$;aaPA6Y7ck70s*CPWDRBtK8Kgp+fp>1A
zz`VBIF5;F>A2ePQgx7EN)}X+_f3WC!7j3fPEoUgig)E9yl;0Qqu4?-z!*hpFHX$=0
z#<3t*kj(K3Jt|!N0f2<}rEp15gD(x23%Ba|Ks4<Vtx#uRyxmMwPaFflw8IKH<{I_(
zZCeSl7%K{4Jo#RNxDo}K3(5px48R?7C2#6d5GcHi_)Rj&%&j}*#lD+U^?X8atC*JP
zfb=p+k-~T>l~V5AkYl7D%bgh}Fk+lJLgW0V5%wQJT?1=>1)CHfT?C-;c(VhPFf5;G
zEt-HZW#sSdNTF(;IE7iIib4SAP7z^98B6)GEaKp~G{}ZU4-;F&wKj_oO2~b-0N&X;
z(v~TQ{4$oT7N>Eg#E>RM8yNVKa?o0ILcvX_2+5Et(A@?)N;0!?0EVta#m$IDoJZDu
zgZN{$6b7tKF?0gPC##x-jtLHZt*&C@iwtR$R=w45)rL2QM0}|-=P?~A_ThZD%tl2`
z4kNW*lhz=iD}xl~bsiNN{=OAa>kc4LXJzgOd;oBC#>bq@v$$Cl_BRY{;>E-E;S)>7
zo<_wu=+`TmT%j{38M%)m-j)f`j1Iht0EGT=Vc(%7#p(e<WQPj%Q9xxvT_PfKKX+(2
zJs@mL>}H7$7Y4&hZO6UrIhH2<hG{5D14jhnXZ4Ta|Jgo6^dn}Z6AM_k3mDNRLBT;g
zR&c+uBS$aCFv*ja1)IOumq3qM;KyeYwx|lCimeM8E}w!yG4A&|%^hJ`8Gua2oN_3~
z8v-PEz!pc>z}+82-G*1kjTqQ5h_PLU5aLd>%**Ez7q(0%=iDBacq|_yAa|>=$hDz2
z-=q*s0P$^SU8Sd(50_R)#g^&xG0@^b1L{L^DaWKYE&?TQWgt_EQNj5Znnm#xD*TXG
zod!iZJjg8wX`Isrdh}twL>bqgn+I{s<3YOM!g1;gxP{YeHHDJHKO_<-!W-n0iB}B>
zu@Vd_UjY6h*iUR0zd}Va4>IN@CaCB>Y=RDO2@LNM@CPsu@s~8v-NbO@8)NL5+DD{B
z&DhOwn;w-<<PKy?A{fluMg*n5@)ohD&JGOHmG-b0pM)I8|JG$LZAQvm<1hC{Zh|q0
zW=rHb30i44>g`A6H7%)A&?2@!_`;hp74tl-QB)^RXU<XbPbM%}=an-)0RKa;?CWIB
zUQ_MQ$FR<TU!^h2f;BsgJ1M=aZf1_PR3r$?tEH*qN@vh#H2aVijyb2@J@5xK8<3y*
zILPg{i(r$&0mbghOi}^L+}izWOv4l(DZ5OmTOo@oP^^Sn8naa|WV$vO0aAzJQw4;(
zG%)y$crtMla}GTH&So;=Fqbr+cROH%qUVvYh3=XaY2iRz9)lz2RX=nwkm>hU+#8;Q
zTK?gaIx{qJJ?=1_;1)v(0n}L&0FPY|9z+Nb92B3ZI|6>^@s~L{%`!I}0q$v#Z+@5e
zxrga8v$u!5UEfo5$7n@({8?JChLrD7f@v28m8*MfGgxPxGdgsc5qJ@_+*zQTPs%L3
z&(;Bo6EGr>_zt6{qo&<Mb0&s3Qgw}>WX%f@S3L_WuLlWzAR+%OeJ&yPzfL|GK!p4N
zZNhP+4^hw=d6A1lr9W#fhHn5MOnx3CE1<xv4-f=Jp7~>a$6RfKKnpetXAXspEuf4{
zZI|zIj%*a<@UMj|cZVx>19~O1D|$2xgHl<&_LFE0>@9r`K{Nw=Go34)QqVKzUf~{H
zwK;_<*v@Wlm5V!w@zJNj2UqZHskGPY4Ac9=uofx41-LToz5o<#b=9T3rj|hi;>COm
z*iL-fRiEZ{)5_+|;_EIsB0F1TuGFz^JaPI=V;iJ*{H}|79@%*m_p{cmhjek}U|EXu
z6txF7i^GO08pH=ZGQUTPS&Fap^6XjFf}UKN)mhsw)X}rsU*D39=?#GzApLtCi=@#)
zD}t#~GP@rQU448}MLpmfi6j*am}>;6s^#QHSEx-R^xdP#|HTRW91Z8<nx3vi(LX_7
z7gZFegY$5`&@P_c2{3z@ZLnZS^MRm0cFKDRnys=3G^SYu>s7bg#TqMAAJ5{nSWpqG
zMo$U?2240u_}N1H0&@Ogo2Kg1{k`bND%3j3Hv*5Sz<jN3lK2ucK(N6CWp3GUv8gE_
zmFD#MV~K5t%t&IL6@l7Uo4mRN8G4TM0%?g`{#-o*{CR+Mm3mui;oIS04a&b6hs}&t
z^NlUH%`sI{-u;#n*6B80_T0h@g!Z~(1bM5ZnQJx~!r<KBU6KdNKs4vJ29&ZM#ktdB
zUY7qtk@obCKL9}-ieoi;=Cnu-Xh9GUN{F`V3g&Ye;r_G^5^6C)lHf*yllitDe66m)
z9R@e&`;d#fD8x((pT`sFnFgh0A_Z`9Zs;V3{3m%lYRq2)<A+Uhk{96k10%~^E3ga7
zT(+SvLna=VPpl`rk8&4c@j-5J5Jqw*+Y|;j&?Az<m@-h}XSX5pN+ljoe+UFAYr%7~
z_`QpZGq(y7D07;_gyNSnQIK?Z1C!1NA)KN=IuU|Oqw}FpRWW9@B=4o5kmj-YwU>Dq
zQoCr(YAtDKSrBn2bLf-3DwI^f4(|KV#z>*G-Gm$EYGy(A0;&JhNxJ}9u>FUQP6#Wc
z@Xztj0st)-{XiJ#SZA7JhlzM2bw$woJGfMx2BGpwof-5r4fOPzwqckNK1WMdK;qRF
z`}q1T6Q!c5;yY~ez>b{HcIQ>0deGV!uYA|JS>sj=fCMV({IMgYSBuNpQBYuwSGyHN
zh~|evFgQRMU*2D}l@f5xGz~dw#26UCpIb{zWbX2XvX*wS*`3BPNRMPKOYHsC@U|hx
zZqLCYc2#z0UjBRAI)_wDt7HDKDu5I}5MPjI*oNpbBxdM6shLGCVT~WjDJ4Ny1%j3S
zQG-;JgRceQs(8Z>E%fD&@YQ7ddWALo&dLf$$kQ)7wmWKd-Vv5t#DN^8tW^5+*%f8X
zG;k{{f7aS-*<{QLkZ2f)A~{N8sS#R3uPI%2o|3d;igd}Ik&q)v)8Sgprvb`$`X_5T
zm-yIlE2(kQ_Gtp*a7a$VNjG8n07|z<u%fo;$4tT-WMNeK*`n>MKF3YUrb?%$`PG25
z5zkg%kM?{zqN5pA*VI)5Cm=z;t9V9omUHzd+OqqzNUaNbGMmJEC#pQ$ne3-O4A@#n
zw_#<R8gQ^TAY>J%wIJ_fMsQ|C{D9;Y(3&HZsGlhC=Y4Xie5)pi<tYYo>1+ta8vh)@
zU}0`)UB@PhPX!StzeGU&M?mj(O`;|r?a}rk=#MkXTBJzpVLM#J1-0MXo%qNcv>C%h
zHesHI1jMs)6Txf}6pbPkNs=V^B`*J<(W#3t5mmS0`P*g<n<N<l{2)h$Xd|q7Z|yOj
z9AEq0E|0}XU|5*I_VgW6Ymmt`xp#MlWD4C3;*_NCPm{)cvBcIvm59v&xgOcWD*)4O
zN0SsrXZ7-lZWx=T0Neq~XwZ^)Qg1v&pRoV3@=9CfE&G|~yXmQ=VBTsO27cxW42YsN
zXiw?WLsi?FUgopUjhl-AFFYw;Z?bru8L@_&XLf_y;#vC|9;5Pi)wa9;T&MO$S%!Gq
zBN^Q#P+cty<w=QYK-Wtu<@8dxLmA*z2k$0=E}m#O5=Q`9jka<BwUtQ6S0DzZssUn0
zb|rlCdALSKNejs#Qy`gg)M|)8@4kO?un|n}PVCwMicy^C!2JB4R+JQIH6C5#OYwf;
zqutM16HWncOcYYnXy%J~8Mz>4Dwsgc4+-m>l%*#Z#rLgrWDx>eOl6(i#$6Mp+<qRo
z(P-sOEH9z~)@m~YsE%>CvT4Y&p35np3(6p}6`VAS3yBr2JlP^J&{F9dH6jNXuyQ^g
zT|iEA18Q`!;2Km(Th`}`19psDZu-GcuMS5bJrIbV5PJFcs^a4-N24r!z4zZP3h4s4
zhz0>IQ~f)v_-vnQw^K0|pP@B%-Pj5h&*I4Oet!%!j4esv_Gbt&A^|Bc(Pz<~&JBpf
zW!f>@P;j70-a&P+4vxV(i70aLdnXA4s8pbo#Q^L~M-^b;#`%K^3%f|%Ttn)>Ogw3}
z*8f{qOzw0-AUks1=rc&m5jZdEj8%QU6f3qN>~ZcDL+*Re;G#zgJ|$reSyAk9(4lIa
zcs-*w6c7m~OflO4&V-~XkG>pB6sb&$2VxNxz%5Bmo*W~TClD#j73VzAx)rCh<JjD0
z0ZExi=Lrsn4KN1m<OJ>i{UV0ct(}^#Qm6leTtr@C!<W#kZe=b#jZ5xrR%Y&+1o+0R
z1C;aS<|WW)TevjEaq;(C3#>^jmNDAoz!KxK9Tb6xjiKiN05G$&#OS<HXmlb5ql&Nv
zi=jXM$famFKUApgi8YC_y4w$^y&wfMiRD*ILq?CMO_5tjKN-k$@O+!_fvoe%{q;^q
z8*wqj=#8Kceg0~ElT2N|G`);nzv=4C$ZIhx84n7>34v81b$m(Vrg4WrJ8_R##~<c?
z;-4QcrfZj~)#aNU3J3;wf3?f)-Q4bhh~hX_h|{k_?r7;m2v&D+lLQ)ncAL|{?;@Z8
zMYhE{p0Pa_X{qLt^2uV6!`dv`Y)@JrB4XNQAAu7QGS63JZ$SHw;lBFi-Oa%Q{WdAT
zKQnSU(7@4B#wGZ~2m#oEDL)75JcI<H9xZIEE|vWmeOAU{H(tY&%3NaDijGBbm<C?J
z?3u+2NBMLq97oouiwtDk)ezIIP&$AV3%Btk{~KuHK}-@ocVULGECul~@voBjKIn<5
z&TqR4i!&D`9_1w-zU<r0EhV&8Tt%_daxLpVvTsGCMk1U<A}QE`u@=0-$ZfFRF$s+d
z7gAp-A~}ntOgXNpLjc-GrC4M~9?GqM>mKF7#cmn-hFOxQx;ch;u>b|6Z6H>zX@&t8
z`H3WdccfimIK0+-uSv8DATY%SqEbbQgu>jobXnVn#7Jj+^eLjUOpM`OBf&)p9VJ1T
zCeniu5=o%wyf+E(A&He@*4AM&Au=q<IRT7dDFMJuuz|sRQ9_S4=nvmwkzXCz5X&t7
z8o(Au?DJy~2-uG-^`R>a_SFSZmrb#fD-X__(6KVf<ckmxC?RnsfvVgkAq`T=7hZpK
z-h5~Ho&6ZD)Y5>vhjJ=D4MP?<j03e9uoe@OyFrF4Gk}ob4Y`)kQB@-xu~QhrnF97w
z&6xW4fX0ws(clA1-|7H+tLm8#fl7CUWX~y7V3Wd_*_#`7=+?XL=Xx$j-_6qP$^!?L
zEn7Do&DA3nKnwCzhUeWs#`208ixePBV#OMfjLRD_$TkYDSf-IfWr#y9G=ArWBsjfO
zO%zxu{8KWppcs^NW<E{krp2Y?Q$DZ^&*eyPK^CX?0E?MaQN&4jlr#?HV;U*^o??P~
z(Q1EcwEA*9%S{n}w1Dr_Hoi)?zccrVeu^P(xtX9gC|C5z8YK#j91@z?4{4D}sSEXP
z$%<&OquKC5@GEj6Y-@6WJQJo<Wb`CzDKu)rqr_Dy;=tt2*_6S)gc1RQ4FQdkdlU{|
zgPfG}s{qz05(|vB&7tWMMo4|eJJ_v^6IzU-!Pe`AC3u*U86|}Ekp_bHNC`5N;cYlr
z?cah+iI+TOK7S)3;Ugj9;ntI}h&~{G+C^OPXFr27qZu}rIFH`KnS=D4$vnugD-dL4
z#@md2eMK2~p;ec>KWFT1BJ<`ngCI6XCxYtF{V}bDX<f|mqj&=KsL8(iDnF(^Y9J%B
z_<eFzKgp6;^oZ&8#t6Yn(mFtcaAjxpYzD9&2!l|EtAJ<y{|(}=Y$;`FfS_IGlt_V8
zF7?}3X38^xD!a+1Rbso+J^4~gZmm51vch<1=d;Z-W4`stWkXw~F4g+Pk@}FD6e&lB
zWm4<tvYT8@5-H+t#c7mm2<KR}4y0t(=`Sl3SGM6Zj9)KSK_>`DbZhRng8`xSUyXJC
zszARfl&?q?FZVz+|D!-Uk;>9IF_MVm1Wb<%cUKKuYR3g5IiZ2^l!?8@0TwGfY*M5e
z@cWQKFAt_iz$!qw-;otRq=S>GLM@2OT(O-b8YD?KXKAv8VU#!oM`(;J1-91QLKcD$
z#)rbUnb$;Xdx$=b&ax*`E|n~T#DTJJq;i88Knv;5F6VGqsbW&K1K}jgot6Z0q3+=S
zrGXrx(L$LMR1i-^R=Jb54F}{-%osQZ$z@tO*aO@iQQlY%cIM-cHKG_zj71+NPqjY=
zn^7ueRlWFL+FaO6&@y*3Ijg`8V$WutCq}PCA{Z*4myQAIF2Amr@6Na@0u@+&GGYNH
zc)V?GI&Eo--)sPja6gz@T*@$WcPd>rk1QV`%@=K)%O}|jSQfRW488F)7PlTk_vt=g
zVqb>}Y?+{ZwQK-uT)bw>r8=3M^Y}H|No$+E05|fi?4reaq6T8YZ>$%x2>4~R0JO{l
z!xVyr+;atk4<z;vh%8XK>!>(C26uzOA~Yn;UEv>msa@2=Hl;Yx9nq9LR`@sO4F8Rs
z&ED_o7E(o0mDT6H_lLmbd-c?ZO5by4rJghNff>BihI4lqoyN_WAsh^EDIjGA{}+J}
z#h5@sWf~yKEkci|paBDh2R-aUHJPf3pjZiqcp#qZcj7}h6Mn#Jv6+D6At-UsjT2X%
zQS1da)lYUnezFV$*`Zq7NSN@az7WoP1x$2$ptJ@cKXU|51(|IiqaO>&9XJjp00FzK
z_iEg2IGOCFgoRB$=r0_Md(ae+3K=k`)8q5tS<<joV1TRp3mh?yNS}{`&6lL#&(03<
zQ}oB(K};rDzc`tAH1mt%@ydw0emWEy`fNGwGCd7;v~ODJa0fGul{D-_L_yz-9ZS;T
zcGO1~6jm-kSl>j9-fGWu>bvpUrW-TAf;8-abJ<zVd{|73=mOFw5hlhq%fIrv?bFap
zdioye#|wcT<jCPyHcocR1-Q^*;hMuzy$*0mH5@Y#!I>;elWdd-V9;O@>bwcfCnWkd
z;=tjy2NOS0Ydz<6?;nH08>xjn&_<3r?E;Dn*?+t~1TtUL+#SwB1@}}DP+3`;?Z%x@
z-A?MUFK#XkZfp?iI-q>hm8Xc34UVD+2$yk3${u8&?E>A%UbATQIu|z|q2hs{bq3DO
zpF@$KA}%)~+(0eOC6D#gP4Y76fNd=w!(ot+VgDNg#H~@HwT>*OP-lJ5&(@PLTWxZ3
zY9g1U&qC)kjdx{m9nyzDIz~>n{ZET>k9K)sFWM&v=1G1#8e_J!S7+=f^e#<<-}=BL
zdfDdrD+M{P18O7^m9P4o25ia9*VuMGI}Y{=p`z4?OlcE!^W&vWZa!GqXLGp^B0#)@
z%dQU)-nUu~l4LrS1TFu_sR`v4^~NLlZ@IDafJvdIUguj2jB>5>vq=HS%px}RQpw2o
zdau>Gg18PRZjWU!D3iiKha)io-Z~H%0jMY#(0rb064;Q54JMpEwSul7CI6$b%UgqR
zAZlc*l#jbd8JGk)BNl^Y{uhE0UK)TmcNkQMb1gaj>LDXA^=wW*e4QC250TU{SGj0(
ztO|<`LDGi1WD*p?Hr#-TMnT*e*5;Rx){yO_O&1*soRpjZZi22>rcVS^+}5r7<ZD}F
z83NpqzN7Q#a6!eTtr=g^2Cx7@Y@1B6zy!-|!_DKrHedh*Qug+o_<v&t^wzHhpt|t}
z@bJuoZ7K&eNk#D(bV?5LV|;ckreemiXp9Hp%V@QsfnzrmZch&FO)jqi>Y;dC(YzH@
zGNxnhO*4r8^e+eVw}{(4JweQ1>@MYszm!vs9Rh}%&9jNI()u(9kzcG-;EZM^h@wS)
zQ^5Z^hf3d#&@VPlPhOiNuNf+iBGG5ZJ*Qqw;-2Xt-OZSAE+JRBtz$e@Im(pFxj8w&
z>K;D0_9rI~z7gKf&ot*6<vGTLoZ}QULV1+>+DrAz)`6~XHO_Iar#Q`I40>~ow!s-7
zF7G`V?&xWffAFeXH8y%UYeoUl&o0K*`a$Lj7w%1h0A@g$ztisluEw`0l-MqGg_7_h
zOx}ZKIDeljy_yL^zYFV5C*<9-WG2**Gc-N$WqWiwF6%b*1Ntp~kDKp!5h!O7`_Wtz
z2ApHCke0Emv7WK+V?YcG!mh5ug~KHrXVVzsa8_-`z@f5R8IQ4xc%bu@_^GID^l20q
z>&HW{arBOw1Sp9eHnVf(1Olh$9&96Hw6LHs*^Q<j21HsI%yxm*qgI&Jd4p)LPkR~#
z%R$@%?LIV9Jb*w_I73q{X3pW!X$=ZP)B`l}(N4nLr(SEqRf0BDqCx1SQ`S%jC>J^U
z;-dK2OT}_Ow}D=d+ksHy>dbLyQyc?=67Hsu;e(js;>?KfW4Gowp_xzj;321KV~a>A
zPB&`IaelxG(mSPEyx|s}S;IW`x3Xi45E%wun2yw40)MJ{ODS_MW-{Ulk{hYuH6+Iq
z3fVQhA+8g3go2d?!+V2(7Xr4&2LTs&59G(wi(N6n3nqxcB~x5W{G4tgdqW_OazJj6
zNdR3(Ocpo^VVneNY4IV3;)g>@!7-R&vjx`t-Z_2p3zBNV2tGyI*q;R9g(x!y&IMGR
z0Jlge?Jf~P#UN){R0*c+po^1~7~n_*vpIE8A-aeaqYrwbXF~z#4ttf|)_M6npXw)b
z1+owb)XS3H1WerhySSp>Lgfu<x9Kx;XappZCMG~7oX8;Jhdjx7%BYp*VF8r$2$Oyw
zE*ozTl{ex7P57xc6zfl0$PCq#c57j`C|)Cjfrl`PPsH*OPI^N*@oR82@Jew4C$xKQ
z6c5DoBvRgn3Ki{5g0wdPb>iQzD9@k2a-+jIx6~Wl@H>NmhJ2NzXAVY!=~_nw%maPd
zuPTNgga9O{HW9!uBT_iFxy2Ucw-0f;#9eA*&{FF7@Fi`zi^+d0qTpEGb^uo%-&~ap
ze2Nl=;`{S+c1D;V2^^;yi;*P#42#p`1mdtiEwt0mBL$<;)Y1r<86no{W<e;y@IVzX
zQ3O~!W;nlvq5f$WYOyBmRv+R%Qm5sdoKN&D)9oKE*$)P;?g`=+Q%}3*wG6s@kb0z0
z1~r6#-Fi!TsQPI)VERbWBEmxoW=2dUakiC{AU+8V)#|W?86b!KcG^^8I@LxJw_VBu
ze`>nTQ%}f7-ehFv96Dff@xn6q@b&A!5C;qe3Jha;Ey&BkQ;|MENMxN$PLE_rZ~|r9
zt6vXw#7CG2GQoHW7l0dR?1h47sFJUk2r4GRgQIcG%`gyYY3c`hl^A>gD5|MSB?wSD
zqs$Bf<O{OrKD=37v1V($X+op|bVz<cR-oH#nLsDW!w?ey5ZXXk--U(%{lA=dy2)qo
zX;J|q3PwtpcWf9y7S;bMP8QPgIIINO2qaJpK{hvLT$+*JXU!nEfFpn>H}&<@3zMuC
zuQH=ZTMm4rd;FAS9Crhq5b{|L0Pr!fbdM$S9I<u@x6q|*;VVL5A@c-Y=S2kQa2sA&
zfp)lt;`z*0km_PqO{$MnFevFu8Uwkg34%ooNU$j!4|a?Qzmm)kB(cD0HP>s<f(q`s
zxramOQNlP4C_j8~E{epx&*=bv0u@`VqWy@s#4#rah=r)A6L`VX9GmbI`~g-28T^pD
zVAuGH)qvdE09_UtVi6DF;uj82rzlzA8bn%3`3IHWS(jjim9Nv$6vMg~)GItxQx#E8
z{1vaLUj{U<g~#LpE<jmp1gmIv;YjsCIlqXUYt^{D;g$iBI~%V=E0IfQKpx1&P1*TL
z*@jd+ZwY0U!(HQC-WKV22)BXztE{)Q4X;1Lhh162ys}T6ZW5%2w}haQ6{6RScMF=v
z*PrP}$k1vgQA~i{27WK$&7}urwdZsS$;SlXeQdKwLgvGt3Q55b%hG%)U{4!xoy}Mh
zf&nUFFly@d)LVP;SIz+)s5$q)Jxd0wgh+QOs3tExjf5;Gs81=f6Xu)3m2G53aDyr-
ze~$%%l2ud}!2PZ?Ul@#K`{1%~f{JKG*S#fD4xNC&jwMilHM?Zvn2)Nf-Z%3UQUa!o
ztpa|j(za<e7HYUdOJtt*oT!@)V}PGQl8nJc2Z8}1F!WUD+8m)I3LCHX$QlR~AV5cQ
zs6~3{B3*K*Sw<Q=&h^#r>^~)M#8qUcUB{bgY=7f8H#=lC@ZBT}5eo7FvIPWa?;k1`
zw+!`5G=3Q=tCS{BC{_kb<7LK-U4a}u3rJM(wIE-R3P%Z&VQLC!jRY?R(wKtaMTr2Z
zm>l#Yol&#vAtVblA#ukl3v3H|7;F<Dgl^>iU{UEC*sM2C4$LG&2I-($VT6ca`&k7<
ziowSk!q;J&*k(-{Ek6nv_l0^c6b4yhi5*c)l=89la`?F5)kU&Mur_d_kh8h<D8qM4
zES1}MTjGxsqAO`U0{B^UdGFvKO2JnprpUBdcp4DVKM)C%xt2YGMSqtj;dXM&%V;ua
zO&3R*f|>BA8i2i)iw?~O2Hj4>Z~^J=&z)8pS&Z~Ek6@e<Oe>5@?kSO|_37-Z0Jr|u
zav=<cVEN!3#>b`A9^1)F84!3WQW8N4*2wneKAufJoPCqUGY4BB`v71QhO&qp>v9A@
z_jG~Y-}1<JM}f43-nBZ)p5Lo&rDtym5CM4*(5VV+F6NqdU#iwn{kRYT**?4i03v<Q
ztg|lT<bKzmOwGtk4X5v{`DD)Q!T=kPO{UOXM&Ce&F<2~+?B}8F69Of*Vxq)t-cJW<
zLBLGT1Ou)<dTht+`B(&5bAFDETWF!(N}7uhll6Za+&yslmXDs9xurg7P0+5_s1mm8
zmd=W4K>S_qgG@*^kT+wTMH0eI$05{(M^HVAN2P*1fwlz7y1;^7b5$VFk~u(gAxD@)
zIFT9yjt-)0y)1x=%}bw(`@neM3QNdLqAYi>Dg9o`a)z98DVZjP%J$+{#jT_qPfmD{
zr15{UyH{I|pUwie>jjiJHw!&bH&F$|5RrdI1i^s|9xt-qK&8H5#mfcrYwYK`Z$sdu
z3oi7_M}?kGdms2<)=7x8C}FyXK|y`gf1vA7D~TDpBq((#sErL+CFYde_$fS|1m7}R
zmIO9duU7oR7^2o}N6W%(c*AR{wU_39KU;*{Met*HcXgiO%ZBy{78;E`7TcXg&Aq!!
z=#hv%3$@;*dzu>3W*NBh_d7|ro?-{qh_KN}$vT%jVU$zq>xcuHB#;gP93xX2atK^W
zAbb8$R{}U~(S<WkaccH?_#eZd33<aud$@p4AQC5lM%i&vC`Bh>Jvv1R!f|A{zo!;M
z`pB}9K-q4b;g=MroGrJ*$FW!q?Iyzj4IhdNF-6ewpK>2*2L+RWS(V9$OGiJvIRtbe
z^u}SK&}SByU@{2|f5zELA%(n3!U?VnweENZM{lg%7&5+)0oN!d(mkv4ED)XAKFyet
zj1Y+sHoA;Ty*eW6d$Lui(G>n>t&~OmK1f7~Aw5)2xO=ixM0x!eye$*^Q>Ku}b~qZ1
zAlM#sH;u-QAav<2Ys5gK(VLWJYS`05t|G%|fbK;)66c*8`l#4#3=OTADk(v~edi~D
zf_TR=g-F0G<=$}k0cS+X6-aOOx{bgz|7J!-*~AP!qwsxT#)+W8*#=VhqQ#IiwGh9<
zqs8`j{L^k5YteQ)@0$5}KO`;&5PCjC_2wgE5(s}n=U`y3o=@wvZe8uEOy_6973PhA
zViueMBc0JmRJ2%gG7J5U3g$BPLk9xbbm9i+am;BofAs(oZDCX#?e(wP?oFRpfj;#x
zdM!cS29(Cnz{Zb&N+y`weP(mICkLJkx@y5U1aZ6$V%n`#e@mPRTk7&*svzn-?SHz@
z?ukFiAP<Q?dORKAeDatDMu_w~u6YVW;cfqbaMV8a@W3k$A^<gDrWw-0xu)ZhbK}vO
z_&jRUM;qj0rn`%U=iPRzvN!La5tvnV6y4>BW_ci}x4aZVB>A_2(`+Xp6N-<eVPwQ(
z;z#f|$?zEt2stoO<_U*X#0gkGgyW2DlPQVE0N|{S_RAxOma(4Y08sYDb@3IwEXX-Q
zz2;5|Vdu~=AkbNrZMAehwX0tM{vA`<hKGI+Km~&~fV66Vu#zd;;)O<?h1SBO`i&?!
z&t1EL$%6X?u*H|YxbJ;3Uc-v|yWFJxw!x0-=xl<!Z!D|fzDGgT)e<gZ+v~7SGw~7&
z(-Z^6AA<OxLQDb&CBT%`0UaF$U<t;PSY3XY+-j+2E4Qrib)ZTqr=*=qL&2`3R@!oD
z+VtMtRR!M{g~F3JU?R6Z#iwEYOkD^BNE|3J+RZTLYzUrP!!7~fp|RYQ-YP1+LMTFl
zq_nUS-8sizJd1?_mq(O7N$<ogV~}RQhtU|rdOkQrxTS<mBG#Kp2AB>qz9qfriZ0yu
z>4YwnQa!mBJ8;U6D|>cmosVA5)LVcl)o}=IanQDpcWn4}E(Hi%Fr(GxvnuXWtP_)#
zxfe`ukC@|8e#enwRn3_oZ?lN^3kvz_Kp^fQMqXj~&gbUcf}XHJz|J9nJa13)p;1|N
zdw`Cv1(n(Bqe37tbGNiMKB;~(eTYYB`O{o*9Zvk^@QQ|96n&slo}Wvk)4}i{venbz
z#89JyRFF>|Nb7YRP-qmQ#;|Z=zL11J-|R|`{u7sqrZ#t-76po@Rb24AB$WH_4a1~$
zVAIiG!WTM<sWt7OA^FQV|5h!Nxkn{Tu2)pt38H!7o)zdQ<K+QbU-V`GCEz4QQhfcx
z^DS}&YN=a=b)DhsD9Li;%LlVTiOu3`J-983D8ovYw;0$YyA<`4E)N<Tp94l#3`m%f
zcAm3ziHSL@z!OaIs}oA%M`ME}1ZPOtGxFDPachF=ILv==bs><Pi4!j?20y!=ByEg_
zB&ot1$itNi2MX0BH7HOw$I}<xd0CQ82O{(t#G<^iwosW`78CQsN`e)Tz>uI|bSfZG
zK>gKm{-%?Xra$+rWD`&OhwETz>Em=|=!h#YLUV=ju_;x6a9Y}GHBm*62q1b?^jIo$
z1F!f_g0_OH=J%;J6A%?-C1r#1%Qo;boyNouZ%1C*bZ=)pie?zamO$B}iNFc+somM)
zB!pmUUW?4v6}mJCfoz2Yr$GRzqRq2jP9~uD!@>`DS?O;za1Yr6dRs6mC{W-OPwcpW
zXuD2;h%Gz}GC2DJ844c8%+u}U<?hTq$mQRO#4myp;si^<g7Yh29w9{9xJg_Spe^1`
zx3`CGu?TEEVrygEJ82OIRP-#0Nq9O=8s>=F@k}x$A<*4d@koje<iuzGj7A~Unhh60
z!XU6%<|pKOdCykK_z)<e0V8g5uADLFWlQP;z5xIdb<iOVhLU%v4%w5|m)0OS2vDR`
zZ0YQDDG+Xn?a4^EiCo{JX>py4aL8hN`{XGfM2Lcg2hG=<p-s>x;CJGtO=YZcwmi(A
zM-XJO?c1eY>fuT_c1k9Mt&Lr5DJGv+$ki%Rfn{s!AZK^1)oR3i>;i&bPS06=cT^}3
z<qFH@cpt7jJi4FKPN3pwHyD0d=RYKoW%(sH;6c6QLyOAX?{j8*K<<Fy2_F7E?4_l=
zgI5wKn|q8#a3BU{PmBeq9>B{A1*y=mkfuX)4gEgRA@1p4gZR$$E7XZVR1yPUi(%BA
zmliJ*IbCwLR*$NOv8Rv}OzZlW04!s;0~dj`NYJjw0<uuRV2UFPL2$|n&&h$vxq$86
zmyp&!h0?|V1@Otg5CGV~O2aYZnxMW><$Jg~Ka>U_gbJ306jHrP0H_<wt^mzvN>Ru3
zyQ0lXQZF82ApxGdmBdF+&kA;{vLsGuG$^C<pGCZ<s1R~O!5!JPLStzUCBoM~76kT%
zncwCL*Te2khkP?v<VQ8PlE4B0V9`q^h@s?`p6VejH5l~H33d=I16a5^!YD2Gn7Ycm
zpp0>V<nN|bFBsG_F!g418&hU&EC?cv)&^ukeq4o=4O?FKg6kn01bbNg7}AGcZC4&5
z>nJY4n9)1iuscXzw`auS9d4#5Dj+bQ%8;`2LPIJ3A(;ueG6z;6j&y$tTIGyLb0*j(
zV`i2O0L>5&_8^2`Ae(Wn=7G6_aXazOt|)gt?CR_w>)Rdgc^5bh{y*W#6^1xw4!puZ
zGlKjpvV8EJLU7{og7_RFi&W5%94|5?3h`H%1+eqpotx$4yZ8Z+9rCjIg{u8YH24r4
z9emhN882!3MfegiN_GQ47x6!^QyimD{eqe~7t~kU{uazaSHo0{FxYloiFah~)rX-h
z0{%rN-a!j8rK++>@!$?V0+B-W=@tO8w0Z(Z2?L%pgsx-`q|Ot^kUM)YNy{K|Hei`-
zf!H}hM@a*OIYMKy2MA*`{}tEZrp6raeh!vFk~UEuFzx(@2g$+XGk_plAyz<`c*B`k
z!bA~=WRisB5drXkkQkOR`<~+$1j#|?5{R>iCW<iXo*<D7Vc7J5i3Du$hU_4VzIVz9
zMM@}<5d-qY1S)7$hzlB|Mr0%qu=5vvRX@&&$@t>>X}vZ(0{Q2FFOWj)5qYrw7iMmc
z1BiH))`BzeLvnZ>DCOvcK0}!T^Xrl9L|X(mOB9aK#Lo21MOo1h$_t=iY_GUgeq&@s
zKfnq?f&qnj4tcr4dvOVJgf;lSv~LDM@CMyvf<S%g6R^u<R8+2c{2#D=uW|4_5S#Jn
zhEI^vwuMt9P>xkpnc<ch_Ep|N03X0;51S}W?ib&SL=3JY+baq%>C5m<pMAosQyU|$
z5SW}{!TcdJD1)jZqGZ_9pVco&s_R6_-WqY6fMR5J&0TSlAV&yHvt_MFAOarQNDduL
z6G(T#yQoj=6#T;=MZXA4)&hZ|n3)}L6b%%_$Q`~D#)vz5`9Rh-CPYi2GMIy~u9OUf
zF)~y_XYA_qFmZ*E+cO0!K>!xYBElWF4Ob@18&)1*WSB^qMzv?=22VT`amB9-lR}G-
zSxU2$10xL_logzq88L{$5(t3!fJh7kW$NGf{RAq&Bwx5wP(TQ+gjCX*H>DCbf11pl
zHFUl~0LE>ERHzW>`UE;0U}pp?H$28i3<k(;SDG+D9OqmnLjZOKP?<yF)enbAwo&Wh
z&{>@X$U@m-uZITej7|5$kt$7bm=Z6tOdp_FA}3YNs|K=#FoFQf&H0XUp#ja9KjfA>
zV0@cwkniip4+W`5nLd1(!fZ|&0|o!v;H6a6W&98&|2vCiOnf=h3=u1CW1<rp*=4~5
zC6b4P&|KUY3qrX9gs^YN07QWaU5mmE>AHgiLYO0kBf>)`Ap(L0FgFGwQaj^SRu7Os
z%5!EPWCYY0361mYjxW(3pn--fpJbJKh`a)rQ6=g+uTc~sbtp4D$cg-mu+*}JyLYJ5
zBL<k0!NI4hk5E9!QRV78f0?)&a2UZr!1E)P7(YHpCmReI9m0YPRe=7yFFulSY`lcZ
zrXdKGF1-2?2^_aE=+NX!!-X1vj>ys|IADS%m$SlT+blBr5$?O1t5%uyan1>ymdh=8
zIW?62?Y;b?8!BVL&?Qv8d9l#o8`LTx?e!LM0B6hKVh=u{EFGf}*v*?5N0(CvN@p4p
zZIoz&23dfln$-db6A2Q=(`g4%+-N!Okp{yI;!t8eCnq(6X~fiv9A^<kq*ce_TG?cd
zhfh01W`c|y-s>YhxFSrWYa?Dm52v_45SDOCeBhWXp~0D<D<?yx9W$sBJJGe_Vp$R1
zsggP!Jm?KSFabuilEQvETb!DVV`eyCs0f00vchJigo~~RI!g&yxE(DhCsN>cjG&T{
zz~o6mFUJFp5&~bX2L@UWpLC<9gQF@J>eW#ppzV1F1SIIyA1E%!Q5+^Ipym{Ckt;#i
zbWu6_0;*0(A!Q!qwYwOGV?W}=0~x|F5J*?-s0iWl0)j&`et8PoaI?G~R>1UoaJM)Y
zEKW>LTy?SyFrK#I3EPDp+wydZ;lTRx=tqOTVgC-5Q}Tm>&s9Z?*Vb*cHml4EHi13J
z&LCJBO?=|1`1@Ifz#oVVSgOQdg`Nn&&ZG<I`;zD;%t1f8z<#{}(s3bu#ZfP342;&)
z25d&~uScq*lix~-!}jBElFb}cAK^ukKPIr2!2aPD()5sr)tyvi2*0sq4ICvtI7oER
zcBF8XJ3-Q;3-%L<E|v7qcgV)CKI{Wz7y`%c3Jka4K(@b>8EhTlu{B<vq|sAPsZCLi
z%IrSrL4XpeScDa3O07z_^kBYO9F>LzpyPn$p$OuxE0g*I7Nbp&G#xb<CGya4S*kZY
z$4Z#cbM{(65%R_fYPALHAeD5Z8#HePf_H>b3w%LLi=}SJC0YZeBFKb}_5sd6Ay++R
zk+Km$Y^9b!vmw&1lyb;)3G8N5>}Two8DtvsAY?jWk+k$7i%w00W-hl~hSVBXXs!vj
z4de<!J?y~JZ!}=moU467Qv-5AAd0}brH&_s0gG@!^8uuSqc5lDq><<#IiMnSf@EX;
z8b#Mp4z;>q@WS2@6IyGB-MpS;Q957maA#0w=&K}q37fGPqN!QU8b_r5jT5|VziYy0
zC~cjVNDhj~2|h-A14b;ePQnRkwFR{xkYNPKx>14&0Lj0E5=kIues0%#wCwCs$kmy&
zA=)r~0uANNl8xWI#4Q~(FBH?hS(qUrdm+tGLR74WNx=!uvK^lUBx7Vb5(rGGfa>@G
zBZA?=SMx)-ixudVUyNSMhXtP$3+KIhD6`<0CBvYvLQ3n0K3CYZCBvq?txQ}wqRbYw
zf<bhly5ZU=niRWgf=IT@U}r)M*5%RE5=M2VP)Kw*Y}d6QG?ddg4mjuAAjZ}gAdqiT
z06gBCZJ$FH!p6#gdwTdefDlO~v@sKkp=yt$Yz`h=EM-z>N$PoHEV4ja$R=UZvrm_6
zPnqaSd(e>4aP0@7DkZ~&2aTF^p?cxpRpP`MAULZGko_g2`AOVgF7PBsTsf)WPHAB5
z^_c~L;uMjuD7b`W0JIwcmUvJalCvXI!hqD3nKRpj!<G)0SkHKSKUK_JOxMeLo<TD@
zP`P02_Tv=-!P09o3J_(T0kapkv;;eEHR!N#Rk=WHO3ae$8N|ue$%_XuATlYW6Ek3#
z=Sxij!1P(z^29jln}ibMgJ><TdRVo&xc)yk$_AtGk=o(_;I%>!ONwYo6dDO~U?zlP
zW(wnbfP^ID^96@80~fY}0(c7x@wQ>4-%Ftk)XR+o`lV1AQ;G?Zj7t@E&?|GGpp?S}
zmGbyh6#`+Qr0JR`hfSeZ4ugR=JjObR2s%~UmGcirN7uo@Ss%D$dh}hW%F+ge8t~8x
zBzwf?AFV^ny@W7=dQEzX5;~r6psDL*q_<QgQ^2MPoDO=DXMGBOq9R%z2uePjsR|@X
z2-?jviBBI~Avt`W&e)km)_f=@<z1mRk~N&MrwC6R?CkF?PKrlCK?!uq34liy5xF!}
zLlP5Tm=u<$+QcI{8G@Oq!h&vyP=n((5ZcZdQY}LTr1QsO=mz4_k0!Px()3CR?+=M4
z&z4T{Y6Z=yJ+%Qt{WCmJz#xUCVkm@xBFENA9~x_9$%F@TG5pVCN=A60g{hRJ)#4^l
z{}S5!NPj&fliT&{X5J+9<<bLMW)mo97Rh=8tlh1;sU;5cOo#?~r$&y`Gqv~L)Zf3T
zpm%hdhN@JK@me*sI{R}?^qBSe2|QOJB?LX1g#R`IkhI_uLeK`ZY$^_Tu8(nCAT0>Q
zY4n(fDh_zAQTSMis~)a|xs%h35VfdXRXI=d#d4xblBlYEUM%{=^w5aEugEEWDIArN
ztW^m_JU<{3zNQ{5E3F$=9I|&}7DrK`l3)4w6}>!F0C>C__n?KPr4d9wbj1_^x;c2f
zSjdu(7B6R|;-Ep1m2|zBkV`L+t9xFQ{SJ=3HktnMju%0a4vhv?%LOsBLNT%J*3+{F
z4V^Q~2mHT-oh6EnXjFI!M1~qF=xb$FVI5L|bFt_J<HT1{8R-Xlm?y<OWObzPgwB|-
zP{CO&?rf;)u%@pqQsokgJF%cDC=`WYPy@N|nar9yaYhDBHg}}5CegFZ|7zZicWzVW
zC7<>3_8FuWV<T0WmF_y@c6EQTYGk+=HBJ2_44*pKH1wLPD@^>C^;Bv^kQ6B(9e9xd
zFh--KDmwJ1=inr52uKQ_he3b;#fWaiZVd<SB|(f+oJoPa2@}Dwo)QI_2E3+1N_hUF
zkwcC<=l=Pq<bE=MsliVw!IBp_EDR3pzh%7CauCgj9TS{6;WP-T!tG<)%dS2dZxP4!
zr3i&2bjOL4@KDv5Qa6M^BW3?MTd^Fm?cpZ#k``Y0v>>4Bihpg}!D4Z^EMTZ%oF6?m
z$6yD`%$nUZxYcB}T&Mi$avoq|>4=%3vEvCx!zghaY^uA`htPn2${IXaA5lTuuFe3d
zEqFQEg2)cAP%_dI4}+7@h5{n3i~>a7X*#AVI`d`fb|?NByPSOjkcoe;(BOq*O1A$H
zc*2~hBg>GAnNj#a$kbq5C%}QE0D9!mY$9Lga1i#g5~nQ^Y|G1F=>#WVi<6+y@1gdc
z{JEgTGHdNUoI-^UgAV|LURH6aH9zfq3K+-d;P-zFwXGR$BY)Y*6*&i`1;B&|O*pQ^
zHU@=n?wU_ZX+N~RoF%dK5I+)3$Hu;%(6c0EK!F6bqSSeuK5gjBvmR}^fqxya&Rvb+
ze0V1igu6geU(ARGohWBxI?SQ)j6)XE&p>SwE)qwOzI~Hpg^(y*!9jXdXb7-x{5w~M
z&pu)Hkbrbn|DbQqp_50H_@a~V4H)-euEp+sM}~{01L1e9Y5<6g|5(%sSBn8v<8+}O
z5MWF`Y+n?G{Ze*ddGKoFgk$<0Fsk9@9K!L?mmxwx?bhx&&<E1a`trfqHw$jt{;rIE
zCfl?Funil)l1C!%*pvXOcu^gw4ncs(3grp3yE;|%=&{5h8~<3;;gQrBd7+TaMu%d!
zteC6V%w$P}p+{r70YwbIjv;_Y6RV=ERj~>|9EJ_h%TdHb!_}A5z(kKsfa5A2s8oBC
z#QYbm5jSG%K-ZRvx2wLkk~I`{8bbj=h*253CB<fS8Hod6!Ik(U(U}lJYaFDHM-4?C
zMNVNm+%RB}05!d%oy$$4uL^NGP*|G!uo4p|*0^3L%QIazlNNzsK!|Ffno3*&Cur*o
zivDGA1P-$@dIoZL_qmH);I$hHA}fWjEBAvrHy>>?SA+#d3zb0on8`%-J{qB(h@pwo
zR8m@QG71T4-Ng&Lh`FO^H9xyO4=H1;Oxnc%L?tAF!yM)kooyK4;7<uaWSAw1y4?g(
z97e>VSrGw(MpQXIFI=G=E*st^aBQ0nQNxi>Y_{!?B9k#wkvyX?*b0Sa{rJbz(lYs*
zM^sr9c*2Dkj$?3AFq7+pP{D!3YACxt2S`|&9;iWBw3I<mZux-?%O`oZHwO@A%beiu
zS%!4-HWXMiN+e2=Mh?d0fR6*{-Z$pLg-_EBM4Lp94L8MH8(`n_zTBCg7lS{LYtW!_
zlUhc4&7jVC0F~woC%dwTz%(Yp3*PFrWJsi@HNExRmIA?~QQ`$iEmfEdo0m@!9HYg$
zso{X(tR$&!&KqZ{`r1Q7gir}C?s!xro=vEk;y^?%!yQn1G)|yz#!!<+LXWNmTr@Ee
zRwhtlL<2jc2a9QA1Y5bBTZ<vyuS~Is7+u7QBMA{jOvBIsHZoO+BDJ7BMTP)lfN;!F
z;2;zO_h)VROGpNsMN-~hgtP^P)kJVEL!wEmm>MQv)M6K14G@zlh9OZwgFzY)Lk$^L
z66HewF}-LCn5Ro#iWGTDw!*F2MrNs-QLVHk+xy7aIJy^0z7YM_j3V8x57nuRE9wHN
z$O1$q%7kUW`9S{-%SDWYo|}}EYVo|m43!iqzHT^n7s{z*_-xjh*472(Q@EspsJl_c
z1u@AbASsp?VMUZ+!dN>YVbB$3uZ_|gA*v~znbel)8wHiTLjpxG<huYsNW)Fl1te*q
z+09`=OTeH}j8KnhpcI=lwwx3`jzdtsdn%KRSp_EKC+VLQ%FT?84^fnYoB@%BDi;XN
zBYT~nj9E7Y=|R0n4imI{3H4rbQ=Pg;GF~6^fi?^dqND(OL5QRhaA4P&B}2;shl8Ks
zZutqK7zQXB0ThLC;6_+TB9NpXVPnt*O$-~DfdWz>B%ym9TcH>gPZ)~>E<iDdjPT%!
zV-_<F@Q54)3b9?XrEX(f$c+iP0m*<!5-mLaR0W_A-){g;^b!3hhy)Vh<>N}dUr881
z9-#q(43>sISS0w;Ef92=U0Q>4goteQuWH1U*hE;?z>U2>Z0`?%dY%`6g{xeZjrOjs
zS9jv>dWLr(+OPSbM0_rHzyw%%cZmfh6+)+6)Pj;go}l067z-6H<dG3DGa1i?L+8Zk
z;zdK}%8WLVlfqr+wiq>p0yX7B4H-?Ns*@T`&QT;iPXP~9j5^WwGIdI-8A*prlqd{3
z?n=Svihw~O!2~8di#7NP94JCR00^G&L^tQi&`(ED@o<3^MOV&*$_RM`o+pTq4h8Zc
zy6aA23Iv6BvqVZ8ZSiyXjxd1jBaje^Fmfhr$fFCQ7%;ccg;H;P;xC6aEGFjYJa4bn
zV_q`g*moId0K+0@VWVJk38vxLP8Mtqp+-asJ;XVtASxG(R)D>+VF+&=1~I#+#^Mst
z0n<`M3xHwv&_wpg!H-503L;1hw(S8D0vc1qvcx3FP=#0!uo^tGxD;F&j~lKLW}p&g
z<U+%CDtgCYB%X~F#z?BRDcrWUy{KLg)+KDT)ur{AyUwBaW=PnVZMx`G0NF{oFYdWl
z$|aI!8k!vVP_-f<B|T4Q$l!4~l3DDbd(#|7_r_TlsL5Hms@<kGWO6mDi4Z6Yn4ut7
zWI%-m(of0n8b<>nsA~cL$q^056xmH3x+;e$v9X3pzeL9~KM?YMzJ|sDfKa0W_6cBx
zj@ngTd6mibP-YFN2(W!ZL1s4T)DU<ci1aWVo*bNpVo~w81(K*GsZrRXdj2YMZZUVy
z@g7S5!c_@)30;Q4z36PA-d1LTqVN|-2{#rTf+YeQLLtaZ@T!M`%}CMg!C1^)Ha!R-
zLNnPD+{2{QUGg1K{=jw-K26JkBt&}3&^~u$gjm=GPPNSW(yP$~nyj@xLUa{tAxt@6
zM8qY;DI@T-E2r^1B22&`$&BDblN}k920b^9i8LBSC@?9GAgv7eRt&$|!eojFT@jQA
zAn_E0vTW9D(h}&B9K>E=nh8yj7rZ@@olpHe6Dir_P0cb-f8{XfLr>(9WWal(h>cI)
zK8yG8Gy34)T|LO#D>Nu7BfWIV@BmgEwKzKj4sYgl3enhpZ6X}R4kJgmFI_0fyeW5T
zMmTSU6o(p`IRykc`blkr9uXi8sM<<i>B1YC*Sgk0l~ox^tgPU>+<v4%ANEDjc_HYe
zD`RmG<w8Os%8feZK)c(QP-t`&?LBZ=V>M>6D*mSizMpaWr^#S6aCI_UsniL;Xofw`
zEGv2eNCWuPd%zCRSPclI0TIC><%kc;gj9$d#j;%lvdiY=1Ee+ELxg4obRm00CkG)g
zKZDJCE_!GnlJFws`Bry?QF}#(H1+AkI+ysXKIg%WEL>$uh?3JJ%XvMi*V@V<-cmrM
z903nC5ow7bOlU&ztPmzD{D54&Aqf==1C83(SC6f({dQWEgv)iwI*np(_n*}_NlCR8
zm`-wI>lx;82O_Woejneo@ja-R-;)+9@He#?USFYPFN#VD<UeI&Q6r(Hs-=hNj7ZRz
zO`KeKo<U}*5D?Npd-|@U9ZzKkcDu{{Uow8%BKh3O80&$s9M46*j~b32t{C@kCD9zE
z=<5`^+~K<MEn&01qTD^a`_<3WzDiFJ|JA}Me>gfZPofP}gMc1~asToJCY>o9#6?06
z*6<AeNA=;dr7Q_ux`7Y=%*r;^_KRxx!!s<R!BE1$L-dRVhw7#x2k(iYpawzNZJzly
zAxu61iJ~+p21$w?0ioE63EEO=BeV|!ZekVzK|4z`BzA$~8<?W}T6T`2)QdPYWfvTD
zi-vFo=K$Cx3Q<6gLj^irF8np^X{m~%92QCpTjG%#Bam1oBoWA9rm+x}V<2m0s0?jd
z6$jQ9Z9(zK-=QhUfs^bB&gMky=HAkVI&|4Q6P^5!hcaYY$ckY(pcE!2G<1SV$oc@3
z<Y73E-gR0V>$X|-q>e=GJ+t;^e37ob;b$V^-`fWXNOAIWx8J2!^f*p_352IM#)(dC
z1B4TrS>e;0WG%ll8C21@Lg`Y-gGdb9^f_Vl0C`T>cB;Vr`x8^dG;L<bdr2dkz$Eur
zPW;ZB5+8eyUzroNS~smalfX6mK8xM72IUEBqP+r{Igl$fi<a61mD<RWb8|9X+5*1#
zIn9+10*kyh5t$~@1a071m(g3hwzY{cv2@3Aci59Z5iBHepG5+oH|$A*V_tS7xLg5B
zx1>cE1sEhE<u7K07?ZJe`6~KUc)2LVmdj>Q>~(1n35Fu&qOBM>UU!I$#ku~}RfSWK
zBbZQkXf!?bIl*-ff{Hn|EqNx;1iXckc@?*dYZsFl2S{-jeR(tR61qo0<WMRDc)XaU
zwdq<*f;hq2x!ejwR!G6hPA&dgPNF-g*U{OKBbHESxYtqYaBrtRkVFXqbHxv98Sx3@
zq+KmdCS*rM^mvn#tJLX4iBSqJzqb!cgn);`VCGnX0gg{=xSM@HF)gkjKuLP&cqs^c
zV@N_P#9;`Flk)5xUz;$li+YMkESEU0{CtR~KiRj(QY<ik6KkZIQ%NI9h!7HVHugrK
zJ|T~gF4JIH$UH1Am?_N&3NjKRXI9pd6aPurWLse5JVR&X)pknlG$~3-g@s=vCK5Ye
zNw!pc-x%lP=NNpuc#E)muLPF=!O9+{1moN7X@ch&Skp;P)DuhVsV9>=B}usM9@G^i
z(<ZhM*_VCUh5*X~VoD)65;qHQ0=OB>;v-t(TguHuHUZAy?9I<yCU#_}TRQ8XPOfE?
zc`^^|Fd>}LtTy-a57oxzR2!)iWZR{J2!aqsj1n+B)Dk>IRK#G~1k+%g08?CS;TM29
z2-zh<lQ>MT6LzU5njMC^eV(l;4c^;kM<U=g46}pIUKg@D#m4X1n>8ep3Q6i+9C0il
z7LsAUs`al??+CsQd;~KvoDgdu4{5%t`ZrW~GYxQ9xmNe5wP23dW=cUtAz?TYTa^1h
z{LFEZfB4GCuoOLUC1LYc9Oi(MQ3Y;`5r{U|sTe-9n6A1zay-_vGHreC916R15!!NP
z&;Q%0>e-dK|8i!?O^nR0gxy!Y%8(rfR}s|t!}tzmVJ22}Q$Q1sa0X<uf^ZG;yodqE
z3w7D$nnGwwBF>dV2R}seG-u9*N;b(TFeJ%ZW*ZuJJHlEo@GTlhI8=7FX#j)3fu*|&
z0DwU_b2{3xltA#Pw$EGsh=gr8Y}%ldks2Fvqvj>s9G_z|{T_=J-7Y~FNX4lQ1oy0a
zT(gsn``xW#gH~{75Fmg}Q&pa0z%mnlRwT<M+$$d~`K|oCat^``kVXWfrbQ5f@xr=f
z@lpQ=E{`7j5JQ6MSVnfSjI$Qall;>3#hFiRW>fA-Tn^FfN`EH0X^_5hIkj~TLWj7v
z1$icM1W&|RH}P6{wwZY_k#rXUcGr_R5j+l>Qm>Lp4K$_T*ah|KUQ2OoC8=QM3?-Rl
zj9iQ0-_@k$-Gfq@<}j9R?O!kVQkmu?mTm2k1Y6;q@LGN}#5MCvj9V?aIqj*Di%`20
z!Xnu4kjTP<7dRnq_|lS&1-UiP^c*~`HR>-d>O%AgVm6m>w;Wm5Avrf45HLb?fGjxy
z5nKjpc}T2In$V#&5#t6XS#4o%leK51M|I`AOiojyjn&Y~j8EjgzSQC~tZ#%oEARF~
z!pJ<rBJ6!4Y#t68(=hlhg2**zpCG8kxMmy-i@ERUEezi67z+IvHD7!FR0$3VFKH4R
z0z(kpXJftzyFpi|h~OaVEuDm?G9{C;w25{s_N3M{9leH^R)V!v8s-eGQ5>)F0+qkK
zETLl*E#0N3u3(e)1WS_D;9@3mK@Qy!t7;|!2r%CkZ9q-bk2zd?x$LsK+TlW^-@i(h
z58o&|coQh^T|8(3Ec#F~T)bxdaVaj8lVC9ZZ~AdeL@s`84n4ZXNx)QGQ8P|>lYJE-
zW^2F;-WOF6NLfIL+%{Z@uS@Z`>?R((2GU6%H3j4~O+8N=!hjtUlYo;H9PBEJ*M)pe
zr$8Fi3}a*9Q0$=RHMKwyVB+2+avH{|@KEA-lOXM&SF}WK5drcTfw*-VAzE|KG!KPq
ziBSNVo&0{p&W>ObKUT~yR-*;XO3j@hh{<&beDne@d<Zo;M1*b|9A&?Wuw#t&eeIf&
zL<u`}WYXo_=+5|!CDLjEyCMMt1j`w^|6aoxH$tlKePl?(omu8aPibV-LQ=`dt5M|0
zS&a%lH6%C-1!Yn-4-!I=0<(Z({vt3%Mof&p)|hGrr6(_OL>1YfZwo3n@eR%MKM>15
zRLtBB3)n7ps+q++d(eV*QWJq|cyM_H*wEpyMW7o=4BqwzodL9$Yys-a_MuM5C|-A)
zbq0U>)8oy8t*YIcs30Imj3{gFx(|XpK`^6&*J}>JMV<CeRiU%Q-bhjCH@=udZm9FO
z>WFNw`dmy#L_lz=_&)hDrShC8U<j{PP!O2D4nx@U*J&|Ih-=$uO-o$sKj6@`V?dm-
z<SVl)NjXs1{8i!x8wF;`&-!a<Q(nk9VEE24CoJ4w98P{7j`L=x3=nt`!m1TG*qat3
zTClVRO!<JyIE1DR+f?nVa4ojI4ysi<>@-U>MU?f3tA0$YSHm!OUr)B;u&hIRiMBEm
z*HwJiAwTXjPe}-6m^UM2QI_mwS^Q&|<+M%CZid0aQ^x(U*nze#nq&e(1Q-GHA(#f}
zZTQLZa(5;@u%v5QhO@Y5SWmO42m-jN*A4e|#|H*Qc1We<H^lYd_VRzZw+(hTmuQQ~
z{x4!9%>ndm0da!7F|l?4@-LKtDs&M#72frGUI(jaGQmjCh_GQ=wqof8*bQ$4EtHD2
zSxw1c?wKy~^v;-chgum4!nM`DOAF1GMmMt?^mx1QGgVtfVk4{or=f7BoU4<i2bOTI
zvw2uMzq4~PLE;Ju5TBT<XJiGCRMb>CX0P_mv;bgL3G7%iob9cNwH0)C*8GZq?hIYG
zzu3sGP49G$EO)}+fbbZOPLq7GtGFRCjKHW0mLjA;iN<C9AR&b*XT>5jsrqoXu?`{^
zpLB4&_Ev!PK|zKtBfOMOi`Y-+)i_f8FA~w#`DXmKvx%bL?YG|)z{9RbLt$d`wA%3&
zc9d`!5VTo^uapGeN`ARZN>gzhVb+S)Pvu-E8ELR6xP7FzGFa+0PXW_yT4{2>K?&X<
z_Ioq8_`$KB>TffV5gR~ykK(yKea;*wt8W%6drB{&_#ge@c6Cjidd0t8wT|_duE|W5
z5xs$r_S^TMuLR2AJXX-@g2lFMDP&n^{vk#iS_~hr-2sdqaI`-5hNrj(;UXy$8IO$b
zVzS4mmn&Si*nDVj`EzZKx$j+tR|8hQiZ?VhteG+n+qX!|u~{H`uoz~PCP?XhulE#2
zB>QT9;1s_BTvb7s`X*K5bNnOo#&GyFO<qVj%E$>+)G(rR$2J@Ixn!(`5+{0-NQysD
zi`7{}@ZBEf!z0KosqKXyHK@E84?vY?ECo>~(QAlMP&E1B&H*5UgU8PBr606FsJ$rN
zAD1QfgH7C&p7pv5?*`igo}~0Mm^D7UAFE0r;vOnR3HH*>X=sPBAJTb+B?v`MqXfC%
z6HYdWdg2ND!TC%z3e6~@5y4T7KIu;Au!=~#a1&pOvJFp$k8cA(s@=+^vou|<AlxCm
z@e3fKbXI>bFA}<gk<T!ZhZWG~uRfb?4W|eJZF?BVXwWis6B;eelAJn?Jm7M^r(?Ii
zmtZlG#H%uu<=iv69id1wY};t33mQElajAKXf)5)cf=^qK$p0P16y`JDzVa6Ens}80
z5=R1`RYX37G*gb(@%602?5XXel8!$yg*^RyVTgvHE87@Vbe%_d760iL$<T+2YtqX8
zh77)ab4J1q77;r35(|m?0CWZD5NGTr6hBz1APXAt%fpKOT>u!hKf>3hj36Kcc!LNL
z4;nB4;uBQ0=z#8SPN4X!QBYJ3-1VLTbQX0WNNjAbahMcbt*mI@CNdT6HCdxFH6yuz
zvtrm-qkLLI(%}yx*+gK{hy~HFtyP~u406dE^Mx`n9Lz1sIE_UU@NRe`oEwYA&8|eF
zZsPD6Ir7^)c;o<O6tgQDH#@}L3mrj7Ixo==*d2#sshdMTFVZU}1X*gfK}XT53Ep41
zNpz{fmqeyL7xsBSgVG@p*pn9<5eNXuickUFkJs3U0Av9_ZrV*Bwp^GGsqN+Uj&M2m
z%w;R=IpoN?E<i99j91k#bwSvkJJK*1{6WRgKx4H!gKWd`W%=(!!rrK-VG#j0c6XGJ
z0Am5DhC9+#3YqG;`9LWIiQB<>c)Bl|ue&yM*Lt<CqEtyP)E=&0?GW!~52n7sjA*9(
z@6k;Q7^3f2-A{9wch~+L#<aW3M!K!3nhBx|L*2;=0tz4o^B7C;^7TJhO=@@Ztn)J+
zFdPahCz1wZv$g~DdClXal7;XkS#!O7E^w4JNA)hAIQkbl@I1Xiw#l#%^A@V%Q9_j4
z7QpGUgumOAo>nI&I=6o`yBtUN;PWeDC^Bz#7X~6CbeLTv1jZsGo3QZYC^>BuC$d6=
zD)l&af9L!Op-J%mq8qNDEM}J=mH&2r_qb4vBf?$d&p+n`g{7iOilFkgK3K96KUqql
z@7-o~$5LlI{eu8j#~s3wz_ij>7g9E;087?AyYrmr#D~PVc>Xc-!$e3@Q<Vh(bi3&e
z{QM#t-Iu6W=Ok<q@{9Q}H<A28MTqS4tWedAoIA~~DH~&BAoK-0P|uD+@<em+p%HrT
zfFA(gi*kUm{6BJKayQrLu=sp5E!o!&4$#}Uh2p_iGY5oTlS{bGWTDx_=qCPR4l*>r
z{yxL7PYRI3f}omguTB6&ChoIf4-2pC5p12ucX9CJm*$=3?q%q~nR3H`$#o!RY_h;-
z{Ikzlcco3S*r-?(_JP8wgeF6TV7er-pj&2puwn)<aU1FJ8jPFJSbrVgLIPboMaF}~
zL^6nKC9<xsm3_VkQegjV61T!Ga0@Gv1@i*Cdh1{@A2}5n4GB}S(ZJ&^C*J08{;pR#
zX#G#<z{ZAjgxg4NJy}k|V)jT#T$QE4!qgbTXpSRHb_#kXElDMiNFI>^Lg%M*7{qP5
zDvHzRo*#qBbJJ*D@R>=H_hn9gqe7!<Bv6Eo+v7Q_1VDfaG5x)2t%&|Eb&i)wqocX9
zBx7P=NP11DUJ8NzMQKw}znoVxdjHS}k-nssL>n(bY1Dr&cre<DNZC<v0>7^qNwUo}
zkf)Y5DWgDwjd{3W6NoGQmn%q-0}eahv#NM#%5|?s^_Q(uMM6=Xcg4kf^6Wj~S@4Bh
z%0XmPSz(|v&PT2mlt#TKlo!ql71<9<gNJo9D^nq4i6~+HmLpG`k-5{n9LF4%YoH^N
zi_+T3GKdY0aKzic$_|_K{aQCMsE}+z1yOEnu?rfKn*z-OUDaQB%QKjWW0KFsdw9zh
zL6@fDMKV{JC80Bih5-gtZy5-}5(!#U__Nv|m)N91F5NJdzaNt;v33ADWT<_;WZA%F
z?5T`{Dyso+4TK6$?5<=x(Z*MX`+1M>siPG5I|n}Ib}O8nI%w;dRDJ>VAsNHbWB}qS
zI$}mq_(v4zG~tHhxHSX0ZJ+vOyj}gMhzYDgdLh?C<s9@i4oQ=kJ58sJo|!K~{Fq6e
zS%>x%y#dFB9-+Vz_R~|g`@87Tl^^<G2(y?Qq&2vCe}8=q@8K_4yv!!A6nP*zZ?}Mf
zZw)H%f$|_%RTZEFSFK5W#pVetvStv+^tJ?C7u^;0`B%W_wLrjep0M2nM02S`xbT_g
zKsz!<vOAzvgo?x7fUd9zk)dv<ysD9ky`o(Vw+g?7L2h6ov8NVBZXwe>`jl`v1CBZ(
zhm{(k)3MrNozYEI<Km-{t$E6E1V8%Ip1vyJP}LT&0L5@Z=a!O)2%9SiOqPTMco!3*
z`YF{N1y_?!S+FxmoC`K^^jE$RNRDPq!C?e)=23FO#8#YMII#PN>~F>$FO2Opxt#O|
z4i8}pROYPlW!GHR?UH3kDyVpRVG?8<VTb8;H6u`q>S4&AVORplt_icskV3pcaW#<1
zbnKIr-sHT9Wp043AH@uKUwV>kJIc0WgirIt33PVHlR~iaXX8jgVa#MgSA2i&!6NtJ
znR4>`_h>G@I<(rYTZmkMXqbFB>)yGAT!be6{&<yK4?L<8(b03>m=0!SEr1b16UW$|
z!TA&j_vU>y(=e<yf;NS$X~!9HOEMTYAnU$D_(5r1?I$qh9h?(-_nDBG3D5{qGD2L~
z>Ss$_SAzMmF0K|YCpa0^GPErC|I1~l8Bq3Yth2OA*{E{x-fNNK(?s%@3-SZ}vEds<
zTdV|PQ+@I<G`JQ)6NIqMmbNTnxMZ}jAM7;x|8t35VPQ6US_6V5e~uM_|KONIg-N(T
zE|w|?iNmH*%$xTgdt~I2TTle>{q>C~ROlO+OPHc;;5*tNPcUHSR<bc~h1EQ|71n&W
zwrjH&`gZ$nhWZ}q_U`nAe3B_winYQWgxW;L?lt+Lsa_W2v?y%KS+g6cX<7Ntel)ZM
zY<~vF%#@V5qLJib{qI2mDYTXb8R&hO1DMEOyaTCL%fjn<51-fM_MFlhdL=&09XFb@
zKQR@H;%z%q1SGR(7r<0FoFn8wIfR7b;CIpu;kfRA0p8+25k}A`T)TBi&-r$CCM0gc
ziMbz;9m@)Zyxx#CExlFnZi}Vp4CX-8IWt4ZX*m<td`FYN7fRo!x>j@Q`}#(8R9SYt
z2_!vbk{{M1Q0b0bR=#4b8u1+1t~&ZUH|Ue55zl9QL}&waQ>Av`3NRpS*FxON9Mm(A
zpvPwA1<#j=;t+!M;(0xfshNr}#d*JuVL1DP4Df}ThnwLB-nD(VD$STz&XS5>lChN9
z2H8#L3Vs6m3WWf$T+=L+L~Xe%DH6a~1UO7}wwk~?1M0kgACIa5Tw3sY-Ogk47F|MP
zU;&;#c{?SRc-HUOo}d&==gfO-U<rmu&FluJ@~@$O)*r`~{^^JaMTYmudX`5Qs;?z6
zIRTWm0JI4*8peyD!FDTpED3KY3}*)%u0I^il>+us9{57R@8aPLD=xoE*p0!0g|=M(
zXB$Q5twOmo4=4k(f_xhJ!h8Fw#P+#9pl=qb$R$_Eji68>d-f+GKw{VkZHb5uM6MwL
zxZzVoheHc=2X%u!W`Hs~XEByTB1C0qX@In_kG}GRHF;v;dzmq0PL7>z54&s`@oe3w
znfgFL39VN1VRz=nv>{Y|tq>o|KVw)~NOOgX^|horhI4ia1)AzlQ)9U|^(mCjxgL|$
zsiBcP=VqkL;gqx|vm{}BXsue$p>(9-+><#F4gvjCJUe)(Ra62%iEdEQlcO<K!akFC
z3763#m7Q<kVm3jrNh2Vb`7%RoG24s%B6?^`8|`%>LY}xL7{=a<k$2AkpCSkh%=i@$
zzCT5;>eNJk;qn=GH|{w_DfUe(_5oiu<|7HX?WYFp1i|<~)P+;<f8B^%J+l%)cIGzI
zl%N9cih0Nz=o&oBwTItzQ%uwi><t!k>>4G$KpV0cS;XMfF305lP#q41;9}4#5giSn
z8Uq$3VIj5!kGn@&l7YHFi2C+3oF2kbSdoFc4;E0OHNnEeXq^-QU_hV0opv!bbf&#^
zb4^$m#m6_C@99LkXD=`C0O~T}06K3HbCD!heAB1zZ)<VHwQnbJd`JURh(Jxk^?b{g
z8jE5cNcOVGEL?A*v3;>+_351vt&w=J8GQQf{O9ie$+83BL~0tN@Uy}$q~)E&=_9(*
zc+_l~i}v)<p@t_RSemsYLM4U?(@g_lrMyF=Ca<j^S$PEoM5#P@G65b8>Vq)IumGTB
zNaAy_coRA?qhOgq)&fAW1bxXURD!EIKZ8W>a-<l&7jmJ=_>AoSp^NZpxe5X%20#NE
z%fYPSumq&-scqjAAJEnx2D1>M8-}Mffwb}NYPvcdiBh`~6S?E`a2?T7tclzKA5**R
zS2#?`p*UGwq}4fRxv=hKDIAIPhTVx)MCU89wj>yMaR(=8>}*2~PpQ|?VA9)AXfvsx
zurb)?;y|hos4+8ooC}?_F%AYz5Ipl|Cm~#kEIAX(2fHgk$0hL=7wkMB53$O16*x^N
zjFeDkVk(i!PT&<gaRh!w43~-rcDb?+-Qshih&y%H)|`K?4kntoXfsRN^p7$t$Py`)
zyhQL-l4$Ty+u1d&X}7C3B@Kz<bOcs>znQM-fuWx_C+f^G<$-*?w^)7@`DI<6PF$5<
z)dbr}Yp2s@LK^5}w`g(cJg^46RhBH#X7-H$0S!ov&XDlk{ItNTsqzy?cQpwo$P>xr
z<T50=!_(PzmY?%rwPAUEh3NWw6nQ?sWjHEmQsJ+(6ZwE-mD>{7!Pfea#qr8oBLxF4
z`t}P(%6)^g*x#-AKEF#kp;-`7KLD{W<e^YDRAd3<RR<uSxG@{y<!^vMIY4UvmyDCa
zYQO}GLnKu=iZ$a`j1yxEw0kF-Rt*7nD_VyU>P5wXC9zEnH29-KM=2iG4;Je-GCjyG
zpQ9Hkzqf!{u8V6VWr)DdlnHa<Wb!i&L<&<ZkR&1x;oy72Xm;oUvdgVy;|AHOrKD?t
zljasO2tgZ#K0+bN*_{A1zNC@$vo0^I8_#x(1hN6zUWCWdzzmr$3xDM-<R(WeEGI_)
z*;%P*;)@Lpj}SoxncXQam)igYjtB&k00uAiS-`0p@z~1FA21e{f{u*hFaN4Eh-yyq
z%rWoFg&@tM;#`tn27h~bN7lJaz&CtJDU&Wq3j*pfN6m3$#LN)h_B3n|W7<Uht*v}*
zmBY+(2-4JEk@UveI()PYBxjrtv|1Hpd0@j@Fr?q==%#B(sN;9kWL|)OxX;V{`r412
z983~|FIKVHbURsc3AGq6`2m2}M?j+0!ZG4PTt2Y?DNo?Sb_zDkMF3k!D=lJObP!)F
zN{V=}ORkWxgjq&P-|M?Tw#<@=5w~GybIBg0;<VX`G=4z4&9EdpacfrGscf_{OtLt|
z1Ue`vw*w{Xy=->-J>&eNVf@Mct+4yj+ML=If-z91HZ8o2COhAIXR<4Ukx($%{uqXh
zgzw-D$h12_#8As>$PqEf>@@*vvnLx>_vxEI&(We{1D31gL+f!af@700yC)-1@>9Sm
z?M^BHJeXyK2Sc(6Nehg&<4H^43L3%r50QSbMcj+uLWYZV5De@PMW+%oKk}5*q{7wS
zR!NWrj=bq%zCzw4!~~6d>-UYjPohP#K>P*zf?4?f0o!NPc&Iy~cbGq52H^u>o=aPy
z1zUP|!B^RSf}+GYCC-7v=a0~{3gp&iAoG~RLyK^<Ay!6+rjlB5QPNog*P%=w)($Od
ztcV0vV9mzz(<4?}cccLN*un$;8Z<=hs>c*GBhlfe%sS)p0}4osBDHFhAXCr>xB4Y@
zt>;98Ov3HSKx0aD2{s@s4NO!bm6x<P$_x|+$%B!w58DA1;c)PY%Zai)MLM2os*D$L
zXwM!)t%<yM6u16R-<ifpx$56kN05_qKepM{_UUp$Hq1dC<K_R#5%BoFx<lX#26*`P
zgZbS?us?{39xay%a#tbm1Co|DAn`c;yHCTfD#i>@1jjcs55)WnrGY}0I{ACd0Dg^R
zLKF|VLS&oOr$&~Ses|&rly@aQk_q;RDDd`2XJ<g_HE1aLK~j<72EqNJ_CS8g%6J0c
zr6m#cx*+j;BO7fWx=8tI+ykQ9u}^N!=;HmOXU_1k*yzt>)Irr2Dzr{kb~-0nVlJ%v
z&Xx4Dubk<2kIoR7FC`0rFbG_eNV0aI%|d_mC}r4xZpYbUxcQ4SBCtmp70&a#^E~nH
znTxkzRPtu1(T|96b|?f5<Kl=Y#kri3u0a;V-e*mUrDiS%Hvx+i6A`tSzhOM9w%oF@
zqlXYBa{^)-LOjVX!Dh@Z1m8><Lh2AIPIgH5_AF}{1jJeyLp;cJ8z`n10%#K&m<vD&
z9?jj`ub4nAH(L7c<0U3=AT5Usskq<pk8#KBMf<4ZxXMEQM=(A~!0==S)Z1rs0R1UJ
zF}*ZN;WC;7VJPyO%RSIi7bN_o>Tn^njtRNXSr;yAi<4unH*pkSN14|&KJp{*6$qjT
z3R?zH3YKBIZhFb%X5xAvh?i<`@}WC(_i?(`xMWSn_1BZD(qo3WPx4@eKMM^c*<{Kc
zaq!#jBToc^+5LaQ(7LqZ6A2_l0Jjyu(Gmr><8I;Rjg4Tj@+_Z>adCkFm5m|_XzS9m
zjesxOHFpZYo!^`SDe}wL+?rt9SLm-5%K_`GyId#CSx#-F1n_0c`d7N0{vuQ4?1f!&
z|4`cfI=LVEF4>AlCOF3Ig42?BQ$G42kHFd+us&#mhc{5p5&|XBc!(8hj-^)BO_GsL
z?QcW#0?VwsULZoMYfQ)oki%e}O2I)PWJ6$(BGDNXM$)=Ntm^QI#<YkwiCzhjo{JUe
zOFLT5*LiLFB)=^x<0<BI3Onetp>YL#+20Q>K6*<x5I7={MSD5L?O&|#O`Iq=tO8PS
zNCI-0I{q)trHqIeM%lZOij4~E74dMR0ZAP&CR6yc>)>%Mw#}<}O!3_a`rQ*r6STrT
zX5#^i<FMhtW)D2sWO1vGzyKlyf%yhd?@5Z_5#~Xo2_a+x^qFJHvdZ53X9^yZhy+@{
zMt^4kUXoYdzskak<ZWACP<(}2;qXRyWlnNjSOR#YjHXSGhR7B-2Q7nO;B+!oI9ODV
zvq}R}Awyz18Japn20^(qFr@~=*sL!IG3dzlWs!daB`9)Ig(WZRvH2++oz)HCTHTqF
z6bLbpog^Vx5>H8?VL&H!kr^?7867dRBO72(2*>*@DC{qz4&2tm-oPA4%^3X__|&Wv
zsV^JjC1xUPVZ9jdP)N-Cl29aJG=}1&TcRHaXBj_yFRxP^_TDGAzX3XA1b!N|WskB(
z2c=LVP#@hR2{gtQxTe}s&A3o71o73c=_H6Z2ObtZ$$-=-6hn$Oz1hafUJfQmz_tc{
zHejOt+JqvaxO3A<D54HdwmV5iH&Pq09^!zN%(96$P%LoGjnv5pESwPN6ehrhd?*lU
zWp^4n2CzDAldOH9p?`c{$`i~9;WJ-=%>|jYh=eprsz!FN&>m(tpP)ihLdv+{j9Og4
zCZVqN%1afXt$Q)R*e!!2AOVYG5N(!1ithH<)F>ldvhj3I5)U%$F@UQ_ppm@SdHMn6
zoNLjUECN^PBN6MUHH~^Q>4SA8c*Ap6gV(p{^HFD0p9`DN@rY*h9wBT4FI+KV4Ms~6
z70tp8I8QW$#c$c+g#<Zzvi6JI?XuwSLG_|1F59F|d>N^L`oRYhyZUx1^D*!(Elxsh
zB_N98)X@VUGFc1x%vcpn$4*rlOeVH};x$=Ywvn3AqhNJ@iQoSt%6pf<YR+-_E~4iu
z>Ogbv{DEM=q({<S-ICKoK`T;-sD(_QlSog!cm&m`HJf-nHVM_r`*bXI6e?i6y51-)
z8sTF0Wz0{Y9$8GL<miN>((hQOoG`E_Wv-ZorkFy2V2Tf9XI>{sw;K}&@(sfI2!)l+
zu-cY21<$YmDV`Dg`2&%pi-5AS^4h{^8ocr}_!mH$Z(0h8DC`LuheGr##6QuvKwt;X
z&gCQsV%*5tOzx*wX4KhX;-#hWSSQJcKzA&R!;n})NUma29wwNvAdp(zO0rsmREPG{
zK7`33NklmC1Ay}g49{Op2h1D8h{DPv{4B{D%0#3r)!aSW*SL}BsX~v2M_pXScsSo5
z{J_eMKL9o!5YKP}Nitq+EDA?LL>+h;kv5jshc!c5`N0nv^hv*R*Z>E30nC-O&`oU2
z55R%rDDiVsx87ljNyV`bS%T;xAs!~#w3VbQg!a1N^Fz$|c=vL*NVGVZig~ib1f~yw
zd{{hik7cM8=)mIpY_IQ3Ddu#f(2!eBm~ZGBYkHJM?+_x9CmO+!*MaO2Owmij!zY%V
znXQFS%G}?AWn*=tDuK@ok%@By4xb@QfX5_f@yi$>=EBw)v!ZDB6yVJ#N_6fGxe+i+
zJwb+<q~_|lvP4c(5C$^04N`P<rWtJvh&frq%Bg2iEi^zWB6AF5w+<P3es-J<uiB9r
z*gpj@IyX)Oa^)}zY@wr=%_JDyl@?5?eL~+*rC@%$$)uFaOG)$zO<6B*F|?3#DJ0>T
ziR*3Dyu6`KjTYz~cC^E=+ncIeBj5D={O8*$FBOo7czR@O!U2t-Jb>n>plHK`0a|yv
zN5g=9XR!lALs#bzLqSmk?B}aFsb@JuBrAvn?VKC4p}?i4F+5OnFoCIQh(p*(Cjj9w
zim;&uZJfgr>76kn8vr33u?O7#hZQ6ivk4i4cm@;)lA+`rfDi=4&b5*5Xma!@t_EbG
z%gow_PysEqFL>PwIG7JVaD(x1w$ZonzR?WaW)`~$EW4Mf1f;kYw%W~H=R>zWdquY5
z^6RFCXUGWJezzm;Ghu^l8+jhtNDso+=LN3Am(w{m^xu(?T}V17;vzq{M9=pW^1k}v
z%vs6@U<hoOHwAwX0>AyN;%U?&GN{RH=zBY9&8c>Gs?Jrjw03tP&0##qwruEHxQ3v<
zoel$XkFu_1tF(nM?_hg?fgk(K?H4!@zZ)3}Mx(%@AR$&Hg8P!Aei+^&TrH!5{X`-H
zQI*3wI*#HVl;IYulkUYOEr;_$?#qr*vM9D{IuTR~8hB|oJ|B{>svC2<pY1EyFiIyi
z0NdwBSvLw-4fg45%&ilDgCnD@gCG;9Mvwd$fZ}fflMyM2QPXdOBYQP8#=h&^)yPVJ
zzJw4t*FLn^7|0kxz74%*@Y_|bG&X>cehp5)N4gjeUEx;z(&dybBq(_`J7}+hNQ|tK
zlIXH)SPjL6>mwdyR-BJM_?({P(vXCrSs#i?MeZuam{PhP%LnYVm{QR|YQT~cc;es^
zSQYf@6ylTpZ_2KRy2hw`0Hfdqeq=T!*$fiK82rW{Fi@`1*N;*2n}EjMS%Sz?Uc_qE
z8o=K?P6ucG7uhi3o1iqN(@0aw(P&J-yJh9&r56Z>OG<P>$)Y*H6Vb$w?Nm4n9yl&y
zA*T0VfZ;GoPb@jG#E|L$ns1OucB=L&oHHS^KVBNN#j72aIv8R2HIz2CP;sJQ2Npt}
zXh_=Pv+0415Fx_x^l{>K+Y?q~zCEa{Eq}eoyL(Qk95H_!k(>IProQ?AAd}6_ZS32*
z!-SHE8Jspj&a+A@_N590%~Sn7hG;k*1l7fB@UP{Rj#=W1CbNf`9|VR@J>R5$WeD_m
zaFgl+O<=6~T}Z=UGJ~wPoH$I<Tspj(bRoly6*r_9sZ@b?mDg8rqbe9AL|;egeFw<)
z(<Wk7XiO!*CXjc`pzEr+>me3uBn!kvD8iJ~pa}?pZUjk?$zc1Yk)Typ>fk73x}QwU
zGn>3j(mI?ta2+G7Ge$y9k}k~mL$o^yJmAZw{|b=m2a-rd_=Yi2kT<VOkaA!Q4<S2Q
zUz<RB(SLZQ)ewuBPg+V-6AAh^Og`Wz2!oRdjd}!bov5a>XMfZlw_}`0dps9~Al)(4
zqU3D&P75Ou|8<jqWY!_!61kb55SAgRI_j+Lv~K$-1l4v3sd1bR%O($ek3CvJFA0;$
zg-^m5_==ZTK?@j++mkrWKOrRbXA0upA@ep_Z3g(1@#K;?<>ZiAF5Ey*xJ<1#XAdog
zhm{ZtbkUC<Q6wRJO`19lo+K(kK^XDr7SLC5wn<spImCcJnMz0dd~~W0eknZ|H~*s^
z(p<W!4Gl*wCF35@Tezj;i6H|fkz`?1JS@)4AQELUnMfd%AG66?o)n@49XmQyZ%5k2
z%0M_VqiT>r+EZ>1#Jk6WQLOLxK%V%{m51#S#FSwNL`N2KE3CBGbuY+4XSm;m@PwLQ
z@)LIK4x)Jw&xG6|1`b{K#50{5>aDc@frI5MZ37@mOe^6Lyg$Wc3Q16;N}{456e7gA
z5l{L78c|)~VEYR5zJ1#y$Ef@e1?;<h@RUOMR{7|S(Pt9|SlvPAo1jbmAz`xmz;Foi
zZa&Q}qClZ1SoVIp4Yu0#dKat(R1h=l2tkD#5#4nZ6fonemI2GH5qO<Q4J0H36olpa
z66gU08yhX?aV3xlVfiw+I;Hc;5mf81TCTG4gcV_fMSEsueUVS57fcPjB_jO<h=M(@
zRoaehq7+k<*SG?X)H{Z(;$nd=Txen`f3;18-pKoaT1JGga49y92eE}6fBHZ*(yx>c
z^EOqPfc3ZfoR5g2MC<VyGU9#Z`AlkM;LvA^hE57JDgl06&$gopcTdg<p#8EXjUZkS
zFw&TvbW_VkiP8lO<#*5}7VU%x6l*jJf)|{Vau}S!AfSj8s20tB5nn1YKh@Y7StWCQ
z&!rdEFi>&;N(nLu5Kwd?gTTFjb2t>-#2P0^VkE~?^PM4}d%ysJqz5hhffNP%S(QLk
zRhuz##U^8gf;@nQ9goCU(U4Qm6;xypiVp6UWl5n)^#ywx+#E3q8KqDdn=ed2dHV;f
zB%j!;I6)FJ@0h<3&!iP!aic8Xqu}RnF*xU!jH9?!zp<xqMj9bG%wFF3uc(;z6MVhB
zLB@>|B1&X1_^ysyvnJ_vsb>3Zv1>#WrLU+ip)D)bX<WB$V{S<#2D>Pc8ePK$EwV_7
zVFc<UNtXUJvGI1%Z)gS`@Cmi7L9-x?N(%JSRM;o3h$03e(!PS7YdefdFq`NTj2PP}
zY|DtC><xmKWEU!0`CZ9vQ%PN<+&txl`oIq)Bs1hEFaQZw5}u973<?Ca!Eqt@apZuW
zL>a|eh@^KN?{Ws8kdRt8ksc6+0~e9KvWmDG(-p)=;Kz`R*N}+=0+GCg`{?kH)NfL5
zh?n4rpfX*LAM3Z}zO}rir7fdz5{PLCy9*0utkRGn!NzcwsHJI)BzXJjE`~0aQ{noT
zzBi<r_Kf3aum{HaMsc&%BgR3Id4CSi@W2X;;^*zAHhmisEjwJ&z~eZy>2d<2!5c9d
z#iUy_rg5B9^$_t;Wl1tdaaqyL2mlP?r_hA~d{FedV{gLvnd(gn0Q=Qf`XoedtF@hX
zdfP?uGt%S4hH>f%ei1SxL4059R8&rK0{D^Q_-GW<P>At-oa@E$BhsV9Mnu8`kVc5U
zIHW>SW?nCw^XQ5K_=Jj1BnEVQ6IVo4zm=tG)5Np2LzLZ@6|l`}CrQ9x3qP_-fr75e
z<5QrPuFHfq*_;SY?#L@j(tLvv3q2-2!1cMJ6UFee(8J7$n1m(xUm*puI09XXi(o?P
zp0#gEHi=Ld!q3jl)k{~h)L#masgvLd(%==sk1Wp$20_7RW|UV4J~@dM!H+AC?AaB;
zj}`8#qbV8Vl0sQW?NhEi0ZSQE8wBVRjCnPNwy7*@6rBB&viyWF;^aM))pn{$=ebJg
ziua06u|!VtBzyp-{1Pim@;)7SB6L)&ZTwKGj;M^(5`b?Mqj&<1^M4BCCy|3S<9cOD
zB!i7w*Rb9W!30-OY&5V)t|h`DJi+)3Qx{+#QS6WzQ86rs6A~TgW6=;lIA9Zn8lVvu
z8D*Fw61T|`(9xZqL`()t1B5QMQORAQcNpXmpi|bigG{@T`++W{EjOsJP$<H>WOE#D
zxGrSyP@W4Z89~TOiVAs8Dhz0eay(u586rl@e6?JX;G#POFg+_y0U=2sZM#ZxF2KfV
zJ(Xi2k4xGBkBpszXR8TBz{W*BGLy8j*R4!Oa)Zx`3$l*JbOF2w>H|l71@^oRDIwM~
zqqTBed0W#)*5g^Zwo+99aUb#~eR9eoI=C@fzCcl0Kx(x>zR7h}RRGMA3eC_TZ&vql
zV%>p**fQ(G6_&$qkd#5O0>>E^<2GD$w{$ilc#>TYirLf(2m)wE+`8B)oq<(B+=_jb
z0LmOPkTA@E8PE!mckPXZv`FO{H-{9Sf;a&Cgu(bK3pS7TXh^%9T`O`>R+1r8r?jp^
zBmo!vV2NSbxEnMJT|0u@=LKnS02}jKGvRt!x;sjO=|sCshiq541oB3?3lIP=yub<G
z)ukO<JY8xo`6>$7LI&U;Kp^hW=>TOH02KjE!qxq5tM#%))&*rMEz+&cslVLdw^b?D
z{J(lhHE?$R^rEa---thqxH?tIcjusr?b&rd=uuqLm-XegGa#o}=_*uu>I<%g(<Mz0
z!$)q6xm(DztT)KJ`&|T8T8g*L$cOkX&aYt^x8C@}SmtV9BCFw5wySYaRM7Lo@KefJ
z1suZsL-13|Nrhn#!A~g9#LpKYg)=;RMg>&WP}xjy7De?qVE!peB{=FIx{&|P3l0y#
z4<lw44pK@{07J;b!2y_AaDE7Q<v5(SgMb#mAoMsjfu|{<$HLrv%5gk(XJ(3zgXT4I
zA}J5ql&x^(+&CPHxHlC#>Ji;kXHp;BRKHZ~)W1~Cz~mEB^->?B)U%X_`eX5pH;vEC
zeCkD`LCrJTv^XM_S0?oX_+1KYFbNpI2-)Po@M7L=H5tg*b()YSCM5i|eKjhP-TkRV
zQ=ufl6q72FpiqM+QEC>=>o-lq)`$b%H7tRt*MJ`-c-29s<ZnNPR#wv6zU5gCLunX6
z{DIREKPyGggF;{v4==ZaHMmy&4W-tyPmrN#rX#%yenyy|E-G2(c&ma`CcoI$4ht$V
zraW<`x>J`hv1^ivNPnQMpwf`sJ_?@*8b3n(dN1HI$H9OwR18Q70Z2QFUJ2zAmv$bB
zQuF0A;DJ!Ga074$_9|Bhmz37t4B90(4Su*V1B{(Yr{j>_VFw+^=Y#;=0DO5xN1$Ro
zJ~M|v80ESDh0OIUrw+7NRS(pd{h9|>yUx_h+s;-txCx`%YhsUpd;AGLrl2>O=wK?Y
zTjK)oDv3R_G}l<h(;7^9cyLh=hpMf7gFSEpdkEZZWoc~M{yj3eEUJV|lGPPT!nUod
zRuV?S`imZgG&jrodMx&8TUvv__uxbz&J^+R$-*#1Bmqa%h(~8)5v8~US6}}~B^Kc;
zkaDJtN?MUZoh2r5(y^&)1F5?@q0tL2e>6Yc?X9*W4M0`V*aoE^Ls^AT>Y4%22VlVf
zUMo!#E9g-y(7Oyv66)Oo>@El@$x-VpX2BKH5iJI*SmtqQK+m}LG%aC#)xh6(sv46z
zlwzuCs3}M)st8gE14T|g#;cO(-rA|Eq0dr=;p>vwYjd+q+!kw#wDw3nzL}q)U0=8q
zq9PWJ>C$_u+(AkfODvTEVG4+Q*Fq*#+cjhk@I~u*)h~-*c1p3+$vK0w%DHN~*toVS
zP<91$nkS%4xh9*1s0`TWcmk4*%5HRJumWx#w=|OA2&U6^;A2g)Zg|xmbfHa&Q)j_>
zEx4@$X*QP+xRuVWW*(^<9Py2W(EM|Ma8iKkYBIAD6?r+>2}$;#;BOC9LC|p|tG&Go
zH>+o(`7`BjXi(e$@u2VkWB@s^i`+_;SzZxZgpZ-W^THDVH&$Upt(=Yt5WmkEX8S5X
z=1wsv7XTr@<Hke6SE0J2o@fbHkQnl@AuEvFBt7>^TvPP)w!X7=4QExTG;a<5o-H0*
zavS_SQ=fp%HsE&HRsnX@H~4+pXMW+ov+hUQc{e)@^v<V-{%6i-S^>Y4#RL3<J=nMx
z^**0FPeT5u!IXvl4-cjUfeZPbmSw+r24Xk{=7)%^gtf$RZOvlY&w~YJZDt6HFb&4V
zVhe4m65Xcw+oh>UvWZ6QnZm%I9M~pz1a8}I$kY;O#<J~W+7QVl++(saQLJWl@Wgcp
zC6O=tm)Vo}lGg~r+40lR>~u&;6eScU)3&s;a4oVqFznfUMT2lMdkL;z5TI379Kpa7
zMOC%cpqj4LSB;b$P^E6VwJM?aip1wAL1s<iiE(>PMIiS33=InlG_X-#=@5tz5jvi`
zFuSIXAnB0ZEB~RR5Nrq!7jg)}F<b5f1Su?O8qPGdPhwO_55f)Qnq@SNZ+azH8ZgkG
zMA|ax{UJ16aXOZ~krnp$sQOas4t+Y7qjH#Llyf;HhwGw(YHY=S?YW@cG-yfb#EC+F
z+)+x?&ZPXM^(*%&hB%|5YHDtDO0c&VLr|Z{08g$i&^^p1&h(MFJvDb-fp1+}|C2^3
za1#D#*Y`o2)fEd*m)M%Xl@^xpmk&d2ij1&?hX%x>q^odKLWhm<a9;G%*ET(4R`o2Z
z-4Mt%qdsf*NTCODhJ!Sv)k3IItT7_r&Jtal<5d?}n?>g86{?sd1hcNx&!t^GNjGRf
zxx4fFh;LWUq@tro8Z0_!87cv|#>5*b*2}<NaG9Iltqnr-)hJ)ESsd;VpuBF8L12S}
zPidD=Yr<#(06QtAo=YN?pfBMi1ftFi?JyEm=H`zzu~*=Zk!{2!zWT0(=|rLQWD7#@
zzR-81e6IH3lTuc++O;p}waKzN10C{}%!PeH?_|cAxQAq}Xj;*^Rm}qqkmafZRI>&_
zHNtA{;>h@SAHTY5hPBlLK_zX1?tOHv4`{0U$Vy3J{8A|}%2=<OEUF5dji92$2uWg^
zQgpDPLeN0uB3$&Vd#ex^?nb;rvCT<Sa02j?pTkquQpb>vTddnv+%e4&u13LmJdIwG
z<LfG5O7<IPf!A7wIHC;pkRnHDXo<ejqg;jir5p`(TKZdRQwc0lD7mQDQj)|bQo2(A
z5~7lZsd#Bh$ydpK5|9$!QrmYPl%kY^m4ubu950$VOo>-1LinOyI$UaA@J(>AFcId0
z61#+6J%o&@Z%J_x*?Of#?UE5F2o8E~)4|BA@Nx}lE8lAs;1W8}MJZAaEhvLq3m9&j
zWTlNWvDwK=t+BU|TiE3_XblE&+M;_Re2hkNz(_!s`77+Up#oe>YCu8e?T5!=Op5{z
zww9?4C51AuMvKk6Nmhwcl_+5J2Pctbg#S;iQcg@Xh0y=9LIh8##H;i*!no4c1lDTU
zkDVVK9=MzqW6>)0EQJXm-U{`h5E$fkS1riCS}0Pk%7j}Soio+O?ZjdkswyIZyD~r8
z&v!Yh1*sO%nzhwFNbY5=vJ~u-<wY}Q%Dzgp3-(4CDj`1WJ~-=QidM&5!Z=Beg2^1;
zlxTfj&yE@r_0X>qY@*wsOB5*~?zdQ*n&Mvbvbw?HYB9<Cm@u{!?7r+)7K%?gja`MU
zd2~_^27w*iN&+_gHWkaz{P&w`dC#$G^gPQY*Q#D?LZrQ)b+&qvU3|LUs;jqKm!V?V
zt#b_jaw}boQzIC?)XjMFp<|-9V7$B@j3$>hV>J+u0}g<M=&~%XH2~bKQvq{nS@?BE
zVxR#UFcMr>0?Z1<#!qYB<xoK?zaj0=yVwN2e3uK<*C!QXZ5QAL6Pz)dnZ@A(-hjR+
zk<khedx<R%AU`n2l++H;g%X_=c)!psGiw*^YysPd83N_!2pl<lE|`Dj%5Eo9!mr#)
zM&x7<eHkuhXffZxvx7m_SNe7WB+_Y26=~O%*;JswB-T3ltxN3;URtq+%=BPVN?=$M
zD;a{%dQ8|er#!G<AlQthe~1dvf97p|R<Qn8c}u~L166HT`Ao#U)R?eq<2O>OK@?#m
zs)()48<dpJj-0Z|ytIPi_u_|*9x|e)iVPfzCS<4?02SBP`B7!@BTE}`hv{YVp;;6G
z!$aMch@}?6PBk>XXwHHOg8ftU@^(N5%@9mVq2!=$Ckv;YAGbL+qw(OdZ!Hg2lL{|+
zxV`VgU)mO|$xw&Umx4kQv?z_Os72!(MixW{%;igFmz9}Jc7lnMDrE#zXbTC9>}V5M
zC9i~l5#(nz#@;I8%D|GlmBx|>?*&}r?ty_Bij?%cY-3@G<6t$$02HddR7{L%td0Tf
zXEMnZY`NdLVZV#x7VtarO72^OVn8KD09!hHab+Fqq~YS}B$t3-LH{zB$%bCw;sZD4
zZ)tvktWqHzOT!0^K&07Rt+$%Wl?^HaL9<FV2>dxkgVu*HXwed#1uz0uC8;xPf=s58
z$;d|^&}uPJQ9^|=VT7&*G33@L-<=*H7cu@9I+i{hrXNyf;7US?a_Up+n&$u->0PLB
zHTsG*PK{8lg`AiAEdXYrEHtKFOdt+lBSBH+r6t;J7z4+W%wg>pcuSqa()b38x?PIW
zhNEdNsxp?DmpK;jPF6$sfFt0p?lvbeBc6<uUP91OHQ7XwXc>jX*N6nQa6N{2@WrY5
zG`TP;GQ@Hpf@v=n;i2tM<Bo8sBSw5g(sAN)I&h*lVLWlhNiFb1vy3xMZ4Wx+L*=1h
zZ-P|;VWfHl&*BF)ILG)!a0HHu;2GSo>OM_gnpE*{?x$}G4M!bk4IcbSKtREu^_rD_
z7`6+h1HP`!!P1M9xH`<`Y3$HkgI6eotuw1WVOY*(F-rx*wa~R`<vaXZk_)X;R8R74
zIMU4v1Gp+$nqzH(dE<U1o{}v;Ezy<jrABhyM?i#V(zXZHDsV1EnKm{!xCE+LAJe)>
z`9*2vcCs8&lvZQ+0OBT64p;8SaprA2l^#t1FHQcoD<){wLtEHc_f}zp!Mef<#vHfR
z9K6D$us&K{1nvX{zGyV*S{J?vno5IJ6O6ac8tFkY;FGW0V1Y?4&9}Nmv&_kCNn1@V
z>HW7DL0O`p$WoA#NToCfIi?9#Vc;YS0~I6%+~Q?|MbgqSWs^D)ICs@6j&&=VH!Dia
z4kFE`fKxm~LU7DkoTQw=3LwUpc|7UOP3U6z_nc+>q7VeEmIur`Y~vT9ys$J|v>EFW
zrdj8cg(%RQNVL~MIWRJ%V}=v{RH)!onCQ$Cw&D6S%%!kS8+!UIm^=fi8aSCO@^X~w
z36%H+5~Le~nTxftyMW*;8)1FgKr5NTp?rJzZ=p@l`A>LAqbhpBiZG9yM}>UCJS8~%
ziY9)BrQi`pXdudx<S3Z#SYP!hYb3dfCIiUBxxGVE6wutX1}K-jgoU9+69L~f?oiu_
z2igLNw~?r_3MiQ!_Lv$do86AZguo#kLv#eF!J_nqQA8-BZ*(t_fc6wa^f*ZQZy1I+
zSkWz@_=nmu2t5eC5v<dKA}DU4upz+9aS8{HTv^C4A?73T%xn-4fRDmIsCWn>pk+m=
z55WY!`q9WnX$8_bi18eHAdCO(<LSjSkmvX~_l+-&#)FGw!6C(C`kT>)h6nA4^GRxP
zU#|K8hvK!qbfj_GcZjN(@fr3&8{R%t7!1K!N5>omKPdPEyHAEY!0JH*;aH#JKYaG_
zB6fs`CX=;0QQwCIPYF1Ep*EHj&Ru6!S)hsJ=c<q3PXZDFK|C{nKwIjE{~i(|Rl<+O
z1n`hTBYUV4oAth8hATKk&yH=p<}u^PAkW1(HF2PojUZ4<2oxSh^2Ba;`~(j<cX|WP
znnMdb0$YLmd7X>__@I=7MO69TtfRF~UmpT?NbqrUg`(a!NvRf(6<dp=HG@}pj~k^8
zu~eX9<YOzWM4WKLY?@DH9}w`m2W0@nodjkek#brbV$^KAmdF0k@h3cFOH52(<*@JB
z{O94HCHznz`4l@PSfEb(D05I#gdZgj@JxPr!bA2wiUz(#4+2Gs1UI2Tn|?c%H%bK0
zLWes#AVuB<ICyk;`M{9^DXAb*3`lvD2))G)j5?GJ9zq2r13BI%ER+f-3=9~Q3P&UI
z`N{x2lk*CafZSM~;&Sxj20ZwbFTnVhy%~fI{M9*m&QP!)@IghvK<*w=G|q9M$0r+|
z26a)(hee&_d|A-PfAY9S!?eyp9L9B7(5Jy3;D34kCug4D-cT6+ObG@9&yYEIet#jr
zI(7p!ykLX@AW!i*dBAWD=L32HfEXs(I!q_%=ba|!$Q%hjT=_H6`N0FuFyI;bIp;|L
zV*&+B=kuSadl~Ph%Vr%B13yd|<s23Pq-LTU3~XVS<_Js#n;2&R#ssSVFlKL#Q9hnx
z(7~C86LJhMWP?5)a6lpfm@~;baRW0A3N?_&4mrRCO~o)9jC9}}pqFg9zj&ukd6Are
z--$kN@w)g&0npxD5N15Y&FRzdH(0^(o#rMC2OAb)n}`!GEv}Ank2oNsJ3w3*&Ar8$
z2xp;?27H;OVgSc8D$IqrInr90YYfd0fHMSdiN4jRbLQD?6IxqFdJVL!GVl$9D-qGG
zy9QU_{KO4O$lhrAj`IPTrK8P3ibNteG~Y9EO^`4OZjrJkqUIKjID>!9&^5}8?q5Q3
zCK$eN0lH?b8s==FpT+|W^)O&);ebO(^61plf+Hoad0DV##hG$oJisxrhHDE%DG34z
z8&1Yqj5$Oj4l98W41?k_r_9i^07iP4Co|Z=iGVX=jf*qX-}&svzKjJ5(s0ob3-M}a
z`C@SIlwuB#5js%Vi~@{IH4!=<XqOj0%~+NXXM%uIaOlBYJ*If*z!`QYV;5BX#AUVT
z1Po)s3I-=kqC>z0kOq(i<phuj7xZZau{(eVcf<(dGKW6|4r7~)qZ&NTb9osEVWEd6
z8<`4a8H=Vw8Rl#$kVbkK>}SE5#vDv>GNi~eVhw0Ftlq;jO=&J}NI?uL8`xlvB*y{A
zAuuvT<ptK~ME=6b2s#@KZ^&8(>TxD_nHpmGy2j}mrfX@k#(S6s67)nSG$u&Tz)dSP
z+}JZM%m<tHYr&d@P{R0Uv4VqpjqWly#ZiKz3ntl^STGQ5xq^&yI^e9wBR$N_G$7S;
z943$$gT^xnAz8cz4~#*ZG9d8`1c-w+$lkRdxrSc+*rs6;HyfKG4GIzlVZc#fz7pn3
zZ7CvKX-)$5R~F}oWp{{L?_ootu|d$FNE8k(D5DWvLbJ+b7Y<fqf(A=OL@To*JC24%
zL+gL(M03azQAkaQ#4#Jq@-2+FvdE#ur}c}uFV6_#dJGqK)!`W~i;`j*MnOC`{ReW>
z%0Y#I$RI0c2}L5q%0QG2FI>A)g=G^0*yzbfmB3#Tp$as>2#2Urqsnb6Ag>$1h&ALE
zf*{eXrxL14gDvQ_;`+<%D+smn-plVVz^@{Ng*leISIK`x>=$HQp$k@x2!L`51RbME
zHwhzzJL3#^LU+gw6RJQ!o3eaKv?e^C(sPNFB>;et7OL$Ma(qK|c8tz1gR+7e6T!7$
zkXJLJAq9PPTtF|hp`hVcyemV2aj&SJ`k~!b+p0@cevQlQZeL<@`o{_z;T}Vv+V&1?
zlHMh;Y2F0~$_WUo5HW#QMrebG%FyIOq6WUk1;NX)1=ueU2VWEw{OsZki8*G<l5iNn
z>0&{qDE5$PfX-;aVq}O2gI$C6RSwF7UcQ20<%A0g_hDu0t~3eYgc~-H&@Ts>aCqjX
z0gh@2NWt`vP>pJ3F6Ut5Xnd3upB_R*8WfKQ#>H<E44rjD&y0g%sx|5f2#6dFAa6lN
z2qbGH36O$HRnXWGYBmG1us&NrQ#i*0M_A`N%O;8(=wKY`Gj4(q*@1k{9N_yDY(l{O
zWkaT*oqU<yHFHHc8hC<2A=T|=SIA35ogqa*E2G1(1CUX5=;YYGbaL_a_PQ68@JJ3<
zAQZq>qM%mQbGj<yK|rgOz^j#l;8y6G%DDNC4K7oN7U5MxprBRCkf$+$R}YxYCCIIy
zV41a%9pwP5vY2qHgF#iODG_%!iVwKWHjJT|!?xA{E#ZQ9K|m+)qWqz;p;&0nfCVP`
zT3V76w&<**7s$#!bJ-$uJlMPuvKwyzbTxvOvNF_DEkaV&-~w>~)nv4OU>K`>*H~Z?
zV++bu2}-LeKsU07NUG?wk1a%C<^B#;*kiCETyTEuMv14gA`17M3@fOqpcjPgA0=$0
zs96vIVM`zakvq_XY?a?>%NSNu_ilJTO0Ofo`ULi*!WZ^b@s3KtNLe`wD3GBE3hx<I
z<0$#MIzr{r7cKC)ZeNF4NWuZAPS#)Buuu1HawrBDDAVpN9w7`kQDF=E+;b?1FoKA;
z^t4!Dxsa4r69MrRx*EXf+&!Fo3^j#@vQQK}{3=l}nm&0MIUr<P0|+AJ>?S{=BGgz&
zt&8CRvW^g-rMYp2Kd4}L?wPH#IbOIxPeSCNcSm6&J#b}D(v?QV#D1(GhzjyG`EaR%
zyX7VjKRfsL_zM-yc}1K>B9pP~M01XUv_sgn#7{;h`Od@WMoemyEnz$S)qeS^`}2Dh
z^LrHZh;~L{8Vp?2W)Y*<YZC!}S409qR)|RoW)-*gR#}$t`Ue*9|07`Z#(eINX54!K
z)jv{IKU9@3RFTW2f`zP0$BStif#X~S^<1S2a~G=N%L1`ApPQGH3>bN1QJ4w|fWEKL
zey`9{XUeTYf~ut^90J5nY+Hp8s`YHCc0N6$FyzCGz&%)LeOPGyU?6eRCZi4?RRvEQ
zNgW|QAXNkE1aKeUy$xXCEgS_1zf;%hIfdS}SNN?RK;th)pn2;zU1@y2u&aKsvI}S5
z5kwEZ9zoBs8iD6bae={=sNhyqh{J*tv<ubo$n8n0m{Q4Ah_LGF^+!`12F}2?MxQH8
zJ~faBFBFd!6Fd{O(~4~iwb6=bMcS;ppbP^Fu8%!*y{MtG5+<y=UfeAQYnl$%qmn>-
zI<p-!vfVSXy)&}CGoT)pGQBZmx>0|WAyyK6CH*dcdM@siG1EF2<ti89oeOZzg*azI
zTr;6A8PJakC_jYc8^Yun!)grGMFeW1gf&n?8mJ)cR1j{e2scFp6QaZmqQnKF#08?q
z|3<I&ieJpieraF4(!Wa%7c{TVYEjeT*m(+5$YT~1;UWI6qQ|85N<*Ur>qef~UoKm{
z@C*=*EDvj4QZ}~Zf>dn`X!!00v>c`i)&YlB30nTE5v75t0Bui;>~!&N6S2^vX`sS_
z)TZ3X8Iy3FwI*h8CT4IV;C3cva3bS6Oxf(nMjc(yWUg>?6Xl%DdD_EpyEoU?`UG#k
z4fUD6qqf}hGd6qkHhc3fTk{|dIGGbd=3M$NXIdhcGL%M48PtAf;j2e1!tlu+85S(+
z^TLf0=aj>o!Xc757aXBOA8ef=_IAmkt0z|5mQHbE9O|kwB*5;{i{(SO?Bv!dtyTd+
z<!Z|7H{1S3tZ~|iEVYD(vu2<FGwv+Rf+0;iO<Q_z2<tQ%er#u3=%K<G0@BO}2VTRT
z$IgXsviRiZZN#M0?%_F~n~Qfu)0RQ8Wj@;+6jq+5lw!5HNGD$GrW{WzNg|J<C8txx
zytgk6stuFIoHV`sSttxN1{_V?4UvR|WLtQk`3-}&K)JmX2sJ$c&3qY#j!PK~8p$9O
z$-%NSDcHFIIkaZ`iE;vPE<kdn%c@sTQaisBj?NNY!(|RliUP*<nTtP@B!IE`HVabC
z4z_nQ_z}ZoY;X+#9-6S#Ul_C(An0Xqor4(=<l&Yc8&?V0oVHHU6>@fJjyQP5#}5Zt
z2#%(*qVdp9j1`JJ`f9$-Xd1)%YU~VPRPqHwI|ofiYO75YkU7OwcNJ1VsUKBE^;BOc
z;-w}kQeveh3Rb7uwLEuus)Nm1o>iIR_nfmlcfo~Z!G&<aRl@~U2b`!p<-z4!-Y>mX
zvh`NW)mm>=N4-@Z^;jpBf_Ye%m5F$tdX@U+E9J^pJCv(WD*EeHr&_8y)%B_FwS2jq
zOu0c!brwO@WG*xNSFtX+ig8${3++*2tysj`=)_ob?j`xLWAS3g;>GW!i{AGLdl$Xd
zFMBFpq&Sz-rSGLn-ujolwJ&<yA?jZAQoZA)dlKSPs#m8}uTH66ol?CzaEGOObxQQ+
zmFeNzRZeR_8;XD&RPBYLwX|1uiulc88K`3Z#ICsIb;m1?B_oVUNkh`H08X(Zijl(k
z)DljhuejxT!@G%pTqn5YdABRgrCn^FJ36^D0Z46Dxt1+67IxVEwt~|##g=7@B+C{F
zmMilY_S&P&s*f_NJ84m-UZYICMs2IJZC$1=^ErOTt$S#$&7!)@xpkRxnA)jrs_!zZ
zyv2FTHC%0s%C7S&yEf(7v%JYyX;P_8s+B6mCRK_|tJIlSsV%jGZ3X^P?vl+$t(~-2
z=FwkeT)xV=e3feXDy%C?t~A%GRWC@@PnA_VRqsPe@icE}&mxyzMO{IwFJ`GNHQ|v<
z!6KC+HB^Y#x~(gu(Y>QQYF!xAx$%~G$^E9MF{w@?Qo=^70UGq(l}*_<vS*D-Z5ou$
zGS1ZO+Otr$uvJr8sxt}}5h}k)AZ+8)5bzf`klDKrU}PAxIf}|xRto9V6C(>mW<ug9
zNLxxqqySP_Dl-Kd$VHYZESIvC9fG2=Udxn4>W<4)1?q-1Q5IUHGDDhvoT?-V2(;ZI
z&ghU#i*cnxovHpZhBQ<8(xKvYK52^8bqT{ds&e&NUaYIsi&e#Hz5!M!N|!XK7Fm8)
zE|SH~PNqz@nJ{Q8FlZ*HR3z$rol+C4`f4nlrd5Q>vYA;@sS>M-Rd-6Uv8yq$s}V7w
zAV;dixlW04n-b+VCCX$=l0>;AOOiynBrB3axg;x+Lb)f%6)M2yFsDf>=A~04s-Bfl
zSZNxF!mSCW5cMjgC0JQAye#|GDe$xG!?dcy9JnFfRsz6Qfo02qk;sA@)mX`c5T*xu
z+N#0bS%U%vG{OX_Yz#F%1=Tr(sm|$DgcKGMpsavWtObCr0?K;AX^m4AS9LEcS0soQ
zR5jS4E@yppf?X>k>(&*Ns=1woD!ipya7wR1Vyng=tn(VR;+0-<tvuygdJPp<>3ado
zDXCQfD!k=SdCH#imC5AQ#bF}6%($l{SDaS|6pHc+-18dT^BUOm8rE2mUR<=ixo3HD
z&hq7%<;#o9miLz}?yg&1T(&y7YISnd>gA{&o7G0C0cX%ixakzJBBrEM_1Z=hg;sT>
zvmT^Wgeoye3#+$+6Wv{~opZ1kV|eWzsxeQB!xVtJ#kovfg)wqLSYnn8n3AD|imbVS
z>Y7yQdQ{^jOmTHgT`FgC6<q}VGy;W2DI%=mwE1^a)!k2AOix#JJaLw!II^Iw#Q}3V
z?qHLFMaeo5JaH_{nz*?1f@r`+{OTPHr@xvUaNsH;^iah0-d;hh^idHxjR)~4ArDk3
zF;y2qPZ+%GK@-9!r1plPb4F0BR-|EZSmK3hj1a4fMC{>h4@)D`Uz$VW$n**68Lok3
zdCh)lXf92}b7(ZBlZfFl4@##I%_Kf?O=(J}YXi~_pe`w)^NMRx%_mR+RO-#|D0YMh
zkyZS1NmdvYNe@b<4R75iNySsy(yZEQRe~)diP4Rqsio(66;j&LjB6J-g$BYeGfF2?
z3nHjH6;*v%i@M66AfP&Ss@kAj^^&(Hr>-9$Rg2J&D{{`m_jC%}_<jsDN~(GVWk9Xb
zi;Igv7YKBR6X2a4iciWsHed*aTm?FdPv;|T<5^FufnKz5>Hu``I)WX24$Fsf12$ou
zFvvtQC=7)|Ct%3zGBgaELob1yu*xuHz%x7<XbSiRMnPZoPqLFNAX(EYBh|9XOYHB_
z0Lv)FZK9IvDEcw1y*>k=(=6lFg(U`9Y@s!}Dd-1?5H&vDYbo<tWtdB}esiPJQ5}=$
zq>%>^*X0y-`9&RmQAaAmUXLvw(!L;SJSq+#u11=VrEg=Qo<xrr6B`zehWyGe(gS!J
zeCvSo(<~q=)}{EUi|ssFi)CT#I!U0DF-{66?c?G5dO-ctGat5Jc2Ad$*!gxIpEgIE
zQ?=6K+8(ae$jdcyD$NxUX0AO^tB(`v<HXvy?5%)!*|Ak|8zZr(&1+Sbbii3w`81=D
z$<0L1po@wC1mG0+CP~mU#LTV(XcuJUCTs;;Qz&Y1{T~c!CiUN{w)#y|eI_+QD7I0B
zAT=q5pHkmRu%B#cdDH4-1x%?Y5;HT&m_aauUC}yjE&!U1>b|Nem9av!ub6$dRe3pH
zG#H6T!WxZ-6@DjFdsRGtK1?RT!zCKmvLf2{5~INQ*=cRdo1S*ma`R*XRx1N7_-M_|
zU`2|sXT)~bayx6e9H(hKaMyA-O;TXluH+dOW4&u~dPG{{GfNH-qIv2RPdyo>hobbb
z@!9_^Quc@d^bHSIMJ6M!zZgFKlqn2yg;hO5s*B?{A$kre-hwfew>}{oeIzS7_}Z`o
z5*1j)g*&jH&g?QqUAB8R+ZM8Hu~+k?1c@irUl&vQ3hP_hR*DemaFdx)rsR6O_9aj$
zj7jc#vadg+2Q!D{lI#+<ndIOsy^aj>#|0e%w~H@ha%zgUi_4=>vRqij#nckUEO*YH
z{FVod_B-am-6)6F=)Nj+R^rAim4e1J()BqNwygLXJXXh?A6l2%-fxRrIo+k4?$CXa
z4Tgi{(C`{7h8e4d87MG8dD#L=qUN2gCsFbAR=xrpXZWKNzeN&P_Bo%LwD)v?79yLS
zYm7vRhbVq(K%j$)L+CjqGXmX^%nz7tHF^-!a6iu`8-S{6oKZEvyxKHk2k}@P(V6OH
zxK4cqZNZ%b4co~8Qw`X!Z3basVfC}#Sp&s|ffQG0Y%pplsP_r-WgilWMMujbhi7g?
z6&^@Za)L!ig3k;et>W}WEy8Hg-0p5DwBm#Wu|TN!QYJzn4z4ux8Atl#X+~id662K?
z?5DRSIi)0G%9;)eBwI)IFeg2MHA)#CP|7NPPE)dWlapkezM$fP@=8=uvY?EW1U!)s
zDrjkPLeEM5a?kTnev#wMqMjt+=_h8nHZ9BA4iNOWDkZ5)EXsjqNLQ62q`4I*bW)j6
zS1ne2tF~vy@;pA2QS_UR<m_`M!-;u8!5p9hsSq2<%}}2?j5F5hrp_xg+dPP>Y(c^6
zb)(knN35_;E7VIcL`yJ4Ls=>viqmy)BB_Fdhjt_mjVLM2i*u7I5-6MfA6l5ss|3Q6
zybEvG%Xf+r(v9JnqX5``<GW^;EG*i*aG*UYp$Rmlc1#OHYtqUaCbbJddlN!3VDBp6
zpP4aTM=w~QfNs;@ivog=@Su;Tf@INl&=6IZ5vn32ZAS3GCr?#^(GD91i>li-l^y(t
zvCQ+sD^Aj+<ynC0m#RzK>!e6<41^y54de(hdD?+GjxhlHkqnkh&s2+ojS?G%;14>g
z!PZrJrfo3#4DmUh&e+XfBezUF1+WyYShzCQ(fzE}cGRVWJ84TQ#le=!7c*1yQD&wu
zUzakC5Y;6z>NFRuQZr0wrJ#Tqe-9AJi!6m2$&xHcNmeZKD5iN7OFW7lgCs&R$kFU_
zC`JsCc$bYovM7ZbOG(d!w4Cz8A(sS2NJ&D{5>T~<LKhH{pida8RMy610zyjESY$Y;
zkdlQGT2F<9jCKUDWSB7_B~s9aS#U<AhETMIP_>3a6A;RR0vT_C>n89P84FP%l}geX
zLJ1`&yuvm*;#e|En2^fUYFcM;nm8WqB9MH?Mj#)mjEI6wkV(1;CqFL-=1~0OpPBRX
zq<%t&q*{7IC#3*-Mu((odQYdN@bv8+l!KDWa%xUXNy+XtBI7gmW^oKj@SKbZ$i$q3
zNy<2!qY23%oRLY)ES%X%$>5y1$;ud<v<b_AoRGw%^h!!fPb8%>0R=ev$5Uh_JK|I0
zB`$I^S!)cXa#6CW8XeGZE~s8&MusQgfWcLbu@?e`RyvELaFuDYRPTg5lCU~8oLn*m
zC~#=1OjNcNNvmAuBa~My2$~=^7{5(w@$TxgX;l`mxj57g*XFk_!%-l{X{aej<F06}
z;Q(;sffJ^73|j$45waqw6-gqjgjHCI%n?!5Q4<wa$RejLN=mA;fCpBixi2<3!UYf$
z0Kc=2ouCg5Xc0(?xshGME095D$SCOrKi=tlg{gETo+Keh0#`c+w?anVJr!J(da)VQ
zFxZ(6P(z9P1i?r@VVx-TOHkgd!0pqamn$G6gKM(^IZwNOw-r?*deUnrwwk19%$3tO
zG3vyC?eyn|>2!=$5~OWDWpz{$5b3l?xrOT$;Z0a8*rpdGyGdPEX3|p=<BN+3r9mKa
z*@blFE29vIE}@Q7G0I{&PEwW`;0{$<nGX(CQB16f>NQJ6LYz#bS4}1i96=DHGE$7m
zHYgNT3>0-4k<IQCAnGkGg;^9@$yHTl7OPcNwS~)T_`ncxlqW!TYQXF$nX6F{zEN%6
zMP*c5D^XG97LQI<4MnJPl`v6hfhtBA92#=G@S8Kl>hzWny(J=YsQaUpgImTx9I5MW
zIb{Z@@YO>aq~lcNYMBjIEpl0n!K&#-t02`@8mv|o)(jCxVhtBbVN`Y?(ROmIF(~XY
zD5T?6g~b(x#Vv)z#*NDB3yM;1Qj>C&!cvmL^(BO*ll^^N6|Ys;VCKO}>uR+pP;{ZI
z>W4%S^OKLKCm$+FCzG>EIaPVBGBU}mN#?O8n8g&8jc1i97CF{=Dq9~hjCxeGvly0J
z7Q$5u)X0#QQh6?rkf0UQ87`2JpcT?tbcC7(5sN_^I=d~3xf?pJxSS~{g1N^p$Ae{A
zwxkwRV*GeAU-Z1(MFj{pn}SiN$|7VkeB@E=V-({*nZ#J;yW&L(SsTNTAF6wJBm+G>
zT|s+wbPr|$8s5gG&;i2=#{jt3hNFrNahT0PJE7=bTk3ZSBT%H>(h&LGgTpXM62JqK
zr=S1;0001IuZ;T8e(@G&#*9Yp#UUoA7{UQ4$~`q4>m8oM8L13U+PKh|{HZ->MS;5q
z0FOK}w<zL1C7m(2yD1~Lqzu~<&rA{*HbN{^5=oK1PMfzmxHYFC$?fzaQ%0vmWC&=4
zK)e&@w~M(2I06Q=^usp!4Sq23V9m_e6UI$vZ=j(F3=zhd%_b%(9!ZCwU0D4Cp@9Z1
z#@&SYiG)%Qg`orp_OrUO3{vGD`>Qi{JhF-muya{IV+Ej|W8_JeJRnBv6~S-gIk`IN
zr_n<9k|G|Yd*DoUVw0DO=i&+TI{4ZJ!OPot?1dWf+UDj4@^zJ`Wa+%WdVsl;KozjS
z03drO*e$`-f_3&>lpyAfL-&C(qUr?%jHbX-0<i7tluq5EfvQ=(fp2_Wd`qUmIfr2>
zFT<#cL2z>EiQ%uqt?>JF_)|h(d~zZNt_Gv4K<X@EJhsGTHv|DepW;Oa$QiqjxM~{{
zL^Y_`Y?`EBMaY>8@#Rbo26AsQ<0%EA4jF<(f2ORznoN!|0w&!su^W})?W%ZD5DY<R
zp}Fj7NtQRde<X9;^|Aeh?=dzTk?_!c>u3+=#onmVR8YrUh+VMkG>I)4u&TMoxAsNo
z);3ZwwNEUJfN@VHRh$GGTo8+LXo%l}&4N@B5t*Tsc<zQOjo}<toO%ulQF#ok{G&-o
zmio?;b>q|Jb|laWW9F9b!?)1{ME4xL`P|cFrib&W*7MLZ%SVPd;0}_2i*T;a_(eGP
zx5_OQ1Gy?)kjhyZ6+giMhiUnW(YP`RXJ%sjpyV3BMu8wJn-^N-H(@ci+T)7qd9NgT
zmnPO&Ncnt(GeHJm0}*Hxy7mnyV$$(Qb~pa1qBN|8^3YLlO0(rIYH1uzM6FXW#LiyP
z_@tyDSgoNDrR2;6?8o+PUHc29%oz5qL5G>mi~+k3J=w0Y`BMy~3vr%j*QTCUR_U-C
zSZ!x(bxk-U7ll{WvL$;OwEX5o#$x;e&qUrnonh9TODgI?qaB_ilNN2FP`%EPC=-=t
zxGAvaZio}zw5pG3i!NL+S))_ox}p1u+#-&wC-OfVoIG-N48u~jZfWk)QI5dSi(1f2
zy|JbjQTlzQnk@)2N=+l*?o5yCxPO7=4x#wY)(n&sDek~sGN|@<FfD?pI`gX6QD6<8
zB5v5H_Cy@1o!frvT$(}r)`5FM)RWy8YQyjb^fou5(1GFF&sBgD?DYU{5VCh$V&TvI
z(b=So;{oq(M_U&ZO$a!m4bUeX^F?0|aP)314KG+~src<r(x7+5@4Z+<5N|fvlw5bk
zTUy=y;VIEH=pyC@w|~IrWdvlr90&U2DekpzQ6bQ-1o~be%B8nrSm1iVh*j8n%!BMd
z4QBo+tKSs5fM`VxmZJtQCe2`G$0A?rZ|kIFsC`}Ps}wcpc|#GOJo?=(RA>>m1N$Gs
zM}(U@han~e@y|EBHz5+>lLW7#5)XPfUY``O+7cD9EO?cn7M|Tu1<fRVh$<mk19e&N
z-pM1;&~LrRM*4{B1pr*KQ)m>;vEoiN9W(1?xW{(lLJ`EQWHHz!OE@eY#LhDq;Ddu`
zDm@JDjw%QlNMx{crCXrmpdH`}FdqX|ifeh9Gf~@&eEg#mS0;#9DhzxeGR(SgLfZUs
zwbP>W4-t0Gt@<gf?#}8<j=~(QN;{Idp2@GD3XK+(IBF{Qja|#@EI85tR7PBg2>|E(
zVA7nW17#Uj*&;<2+{p<Pv>E}u0jsQHdQ-?0nS66KWgs!uMEh`qA{5mC?Lu&rj1O4`
zBxF_#r0dx_CT3LFTR3TiJ76=!aT|btU$e`Uue0KlizbC;a$s4`3Z2vWM#+uyOb~Sl
zVm9t}Gp0Nc-?UA9JPoiqK;roIRF}DhoHpbaBn8$gAQ0?W&;vM-98=2)Tl1BHgE*TH
zxqt%wfXbo+!T2A3%@}YBDx?EUh{4aR{qc1r=D(xIl1d3A8qQg1%Tu`fAvnEQcn(Et
z9RshNvQ`0P;$|Y&H*XNaP{8~;f!%gYj5`h|VdN(>j1WsTl*r<P(s9FhNt*1rr<b&1
z--~Q<OZH8>tq~}K-K;@3MG=&SfaS`)1ZD%~2J<%W%vXNwcu=&I8C3-sn;*Ad09A@9
zyOFUg#araU!%k6;WD!Y?t69*)CxWUwa_xN(mUvIs8&F_uR-qi=c5KlEqY*qq$%)to
ziiY^mP9`+1Z6R5(g>KA85kABN8{2Ti(nV2Ftr92T4r6qL5L$)d8{tKeYb8cFWp&Nr
z0#p-1BFw-##@Ll=Upz^(!~t!AjTyvsV)%~9HX`%paE4_$;lC=}h>nQ)Ff$|tTA^yw
zwr~pq#1iS9jx)x|cEkvsy0F6C>Y25xgq5!pr5i&b$PdSW#`yduY;F9R2_efRyo}6H
z=2s!;V7(5_&;@m{*do@z6>jNpM|C?#1^jKGw(e-UW+IJxAvztMYZkfUko_CPc;m<)
zXirRWa-&LcQ5ws903p^|C|d!E#Tzw@#2Fu$gKx}Qa$z44q!az^*SsiZvuqr9swu>%
zL4=i&3|>G~R741wDCT@hrR_0F(nT2PO=ienevIa~PtzS;hgJhjsN50i?czC@DO*Sy
zCaiBtEY(>4FPioXuObqV44<Z~0j^RQ+++HfVm2F&no~J2d5j3&H8A^nZ;&YHd!Ml>
z0OPwjCAQ!>`DyBVBJ3bJ0JR|*s5hi;#8E?XNg=!DIyFRbjv`e4|Ii53BpPw1**755
zy$FW^SoAnoH~z@p*kUmTe`Ol8RApg1;6^aFr|j{*8n+7|fvlxUdB*WF3reY)ssV-I
zL#)6W3^Hf4a^SQM!W?&-Wj&rZ#e=ruqhKka^3iH6APNi$2kGsz2s2P_!&`EQx4sow
zv-C`F#VElod2WTO?Vy6;{9{+>G`l9sbSgc<1*F914_7(3W>?XUqTxbu-BTm9mDxY{
zXvV3|;(o(z6tf|(sa>n9;(0}5=ALX%D%cPzrIUeDXNaTy;v)I$_=N`^hcj_07|k!D
zo8f7F%RmLbP<<fBLM()T4oGBxpq9iJe7e8L=T-Rz<SV+@jmr3?5>=*Fb^X_8`e=|_
zjBSX8PbX5afQ})6{AZ3sKq$v5qHMT84deuJhYCWFo~PRJYlJgL_}&@!kMwK%&1R~O
zHHCIKamV}VYJ*^$+gBgw@J$R)jq-9O@U<fgu2>TRdtWBHB(@A9Zsi4L`y*S^I4Wk;
z?8Z=m;B(kxfIXp!g~!PHB@9bpwr4)rHDju7g`nnUA<gzm)K6+o(5d;5fnHlY!rs0;
zu@-F_J2net=k=G2Uq(A_@AKWho*nU;G*OL3jYd_UkB%`I*Wd>hPyi5lf`OU{(10#P
zKP>ifCcq;BT?6n|2Q>?fWiikpgYYqj>U$BtVICpwBc;Y5ZTcuN9NLClPzifcDr=C5
zq5+`FT7<<yS1?&2u=4~$wrG+G29~9zO5K2$Zt+44WyZa}J!~6ZyqI=lTy7ZWRXTx=
zyhJ$on_|&D^k6E)En(bFSo;KjI&-kG5E*+0kGtsFbfuag!=m&Skjq`MWfdQf)edtO
zOcw_2OMN-uby2XrUW%^by+MTst1fz0Ku4XXxVPbR<p3NB5JTNt;=$mj5|l=4qR6~T
z+N0(HX2K_psr$mF-R7Hg4(8?qCb{@;N@i>8d`VV=w#g=f2{^Hx3U_#DU|`H&CqgC1
zq9J&wRon+lcZcnP5toCZ<VjU-J<{}uTFOzdkdQTTfMpC`YV=i2e@+Q)EL$Al-5NPX
ztdnaq)V9+yl)6ELAb{nXvxtz(VyPjDA6BN8@#|PI@*woKhZ3-b1|%x-tft97^)C$F
zNhRab;XH93m<xM@#EUVZqdRPYBa%rVM>nWLSxCN7uz)>3T3$&)@dJ6EtmVl!Xnm0^
z;oQ5{UgsmjYh7j=alYvn5knCK(+M2;K;ZTyG*p@Gd))5ku98DGT)L)#q4gp;((yC^
z3aiOL3r{xyE(uUXNoWTg(T)R2Sjx;IrZu2KosP5-?(@GE>$s2sHX|p;Wq;%MxD#|W
zln*RZzNeAh3e9a4HuY+DVUbW-bOBj>bq7$?eIxb)y)x|reKLtK@5cg~Cc$5jfdvz7
z!u5~HYn4R5Al^@pSD|Q9&OyCY>i4HY*qwk$w*dtP@E9Q6#fr64P*9Qc@E4cZKrMw(
z3!|i4yNVnBNCzy34#@}{g9o*Ak0`N~-?$b?&cp-Xi$gh)8HQLIW5<spI>dn2lIyXo
zgdD3J=DCEmq&?-pLWT|EZW+j*oL=-PA{lowMUdGrMS)bl2Hy!Quo@j>)Tzi(p@0F3
z4x#LA&YLo#PbAMWwPuabh}k&BHKIx6?rQ2(hlAe#&A6tjz`Zf$Pm8F~Jk9@U5h{)q
z%@#nj$^fW#VXlHd!^Sb?Q^%_-aR%!%QSw0ToIpQ=aTEOj-C=sOY$JKwJaQC~l%eMB
zJG)g{eq8l|r{iNT%fnAF#7F`6$XMCFE4v7cg8r?|Ns4`+zLy?H0=Ozkj)=UONoDTw
zXGW&$6yF9IATzoE4zGr@vE3t~JhJM>n{W=qJe>6Mv_etwg4ECfp9v3d>w+R6%E6X_
zfND;`Z2TXQlSp4#@p`}}^vrLA2$#VmDfK(@&IKGHn^DMMtm$`HN^qnejZsOU*d-7b
zE)WAj9G>?8CtV;=@VP5e<=}6Rkiz1TP|FJ?q7YZ_(>*0j7Sj_<LsAmM5OQ{~rlbJv
zsv@p{;FNQ{IS@l7O~C&1|8my73~K;>qX+pV4_g!dtc~>*A*PY#D})B9La+ozNdS1f
zsxA1E!=#RmV46e!P!h@vQptZH=8&fqEqZ;4fB~ft>&^-dM_F_mjwc=2v#|m*wIj5u
z2=u%%k3&>-PANt78yJXK)3h%J$0kA6{RaGpHL;no3UxHcPCSiYYi&n5<RK3tw5<iD
zNJs@}dI?Oq5EV9{5}OETLxJoc+sfC!-uFa!)#u{I@QNOQIGuK@6T2Q#W=pIFq(r=(
zYTO|+ImBIDIGJp=6#!7P;7=_vaEuLc<24bM$bmVulP6J4@rxqr9YYnx$ErUWu0f%C
zoESgK-q2<WNC@512~JUsC}cn;ivR&;F(DKCXRl5=p<!*|3$K2SmLO!z8wU>O`y4NJ
zMOMnnLrfvsGWiywSyf;P&pk}jHH`lyWyKvfwi?@97Lg^mY_y1KleaFl4N2l#WleyF
zt>+(>a?d^5R#}FkXxQ16Y(>%L5aVk4GMkyzHqB{xwyhLiGHUx|AZ0^lS!2i~vX;r0
z1t}*}AJWorV-Fh)1;rZ0Bn7+%)UL(w0Exa>v;b%!n~hlowhBlx*e@WN+tMLLKc24v
z#@=ci;nesIfbA&)Mp<{BCkF6$gTq8#i@JCt9D0};>?MWGQ5gnfhDgwlOk;uxS8`;H
zqyWzuu2li7jOzEwr-D4uG^$N%(77T9V&m~lx^g4TNf}ofER}#p<A_;ZHAdY3LxHPy
zJ|h@6`9=vM*+OlJd<!0L6hmlQNKxIHV25Zli4G;0GoPd93M(e+H;`fq@LPQ)X3({e
zESXw>F*&cXfXEsLHL9sxrOjgZdTq7G+-;W82Szt#VU`j=$vtS=T8iA7vSl&51~4XR
zVy$VdlF#<rU&wF-w{&|_=f4C`MGtFE@R-m)<5Cx?U|!8=YJnCbG1iF?br7GV>PBU@
z`4UFcrW62u4qTvV^F%Y0KrQU^1k%@5mJb8@MY3GFLq@7~aTi;JudKZ5E0ovJSkn~V
zkw=K1{1%qKp;C3xqV(R`E}4WPfL$~oA{o$qjwdz(C{oFRM7siM&ngP7er+SdhAYuT
zQH=ArCdLZQs8`foQ#KhlAq~^h*vUiZ1z~&pcr0mMq@Ka<i>^gXQrBHvSvi8!P|tMq
zZKG~emm6umF3yUSDGeABL5lL9k>cnaj$ia)K4n`#uzUDOmf9OquO#DGNoaCmo7em9
ztpLj15MbKzUbq$JSRY5W)mGK*rncRoE%rDxGznuawFOy@KPZElyo!pnmNNGs4ge<B
z?-}*(HPe_UT=(tzpU@i>H!<WMaSy^4TyVD6(1Ny<y{8FdTrx4m-mpN;%ss}@AmWRS
zI<dmvu^9n%lCh+FErPJm?Dy@$REE`(Hrg_6;l?*dGg)I;)ltVz5rDGn!6Zcvc3Zk;
zJn>~N0iZQYPlQTy@+c08ztC|Biq#ri`eMT*ZVxOU90wbbzk4M2kDGw^-zYa2Cg*jM
zSwU^v{JnpcGDGrr-RJnw(_<l(U##`K(L0!@l_(Yy0K1z`6)(~ig0kY$?5QiMIe@jl
zw+c;)mn(t~nZjDt9+_vnX!aHcL=ZrN5l`uT#EYq7I}aK~q+b2YGUTA3v(X+JPD<+C
zoB4}-j$;j&7%;;`2PnAW7#bF&m*BL(`slHsn+E*qXf;5F*x+~WdzVgW@&JW7i%1dZ
z7Uaq?CL7KSZw-V4b$E;sEcuYsQ~DXOyzo#43YzdU%U)T)Lv(Qp$Z~+Gheo7H2O)gh
z#T&)wxpy`3wK+K|#%rq(Fw(zDfE`5R`|xnwJ%F|_5J;xVdd1rxuQ{QXC4syF@d5-^
z`^(|7iOB(HY*J+BdZkg@q(Rh5q&N&yrbwEpMRCoFaPteoMSg<+y7zs&mC+ans{_1M
zYm+lxf}FFR18huCQSooB6Ym6(U&6!@RCM*n`gutNk=r7#gkvSV@j`by)(_fk?oNNo
zGcLB!C5K`!DmU>5ychyzD)nP7CxRpi=pjjtYI`1BJqhu*8_~^q0}R8jfxk=AK)$GI
z37^ZE8v>^9(d0^l!6+&->qSEto))0=+1|^Q<<!FvI_#qeF$4=jwPG3yX=(`65{rG*
z*BN=&f+>YK)i%Q<v9UBZQg~x=IbkUxUwDqaJ5(B=KKwJ2>@vR4xs*h&lBjF}S#ZF~
zP{Zhc5lq+69ChgB+x3xbwS1L@%t9`KEtzrv9H#ZbDaLdJG36vzb0(wxoR$k#Cy6<G
zT2~nfg1Bc=Bf=MXv?{o}EpU(weM@R~JSHbZM+i>vjY^!p3>L}5u$E%9ZQ6Pe9zb{f
zVnhv1eJ{HkNTSc1Nr!(mG9vU1WxO$k@&va7@2qjTZK!KkdGQu!TH~yVh$(jTD+H|t
zuweED+(?Q3pkHHmcbMOZP>MGau%PK_xsBKs!jwySqPXOBF1aiL8rARAsa;6LFh+>0
z(E@ZvUV*@)V9jaWFDFadoJU(hG?dDDM*vEgVa(WD!gUl|+%Wxd#cfKa=*z&>{)kzh
zgds^`(`9GW6cWP(rmTYSE0{862YWTf6nfh|GU1CD6JSRaS+I_ICj_A4%}f{0?=XpO
z0N^mF{#bi}5_h*a;Kdxy@;H0R1rIi3mI4~*j=G^h$H<>)(&?DMmnRSox4K)(L!+s2
z0*EG9pg&U1fIz4GOC;}^fAPfl*Km3%vL5_Nzqny7ZE*Z8lJx<62eNEdkcLWdWke)z
za30;FQF@Xkncw}T5E;;{mao#_g~4NKR}l|F93<4ZmmIKCZU*4P8IlB|Pr`MYjDRPF
z<e-x>Yu<+n9o&4#?J(AjK%8TwsL2_y;xjXp5)0G{r%{g)Eht^$#l%2^Gs9R0?bw6z
zp8ZiPfk)?08^e6jnS`bV?B99|rSH9;QZ2JUf`M=hj}qBIWIM=-H>IqI-T+OlFCP#g
zU0l?{QK)0OybQtkAuEp&FcFA*0a>5dhH`~<A6ga=xqS>5@@>1!(kySRv5F@UZ0u*;
zDg$R^<BU`|XLx#2gMNuH<;J~0A=SN(1O~NUBd%2*$T~xGA?dj?qC0MV?s5&u7%450
z?ekOTRESgi&k-soJ?D>@v*&-A{rTFrR_czj4I0=yZOj9VVCwZqNxOM*94dH#%>c*<
z2m!<E%V~+T7^<Ru;S7ySta$H4#Ui?hFs%xxkNdEtR1YJ`G##gBL%>@?!fZB-2g87l
zTKjMTob8zBiet3!I4q<*>_p=cyKQ~^9FAI&#=)Pmk>vn}?ev7UG^AdjYatb3ODvi8
zC#QB8egScCv#`xlHXX{GQt`4yhFXD;P`?dv2T4!Yt||{EBN115>gUEldNf@!ESJe^
zc|i-vYQ8P+4N$283(Tv@5UTz|xpe~Rq!pSekIj<n>D2zOFg-L`n}_AiM4G9jk{4>Z
zoKlyX{gb)|)ClbeWg%cJuDWa`hag6R7~Lo_|CR%wl8KG9An0W6C;`a;E|BZx!!=_B
zoTz|X)i_eq07GJCBG3`9fHYkYsnFwE{vumR(M*D*PK1mxk=33uVyc+bTP$fyYY0Fa
zQOuLXS1f{XeQc<QVPK^v`(1zn-q3@d4<4#_HFbWDW@_<-M~U`$=57jjwsPEANsKnZ
z^b@RvuuAiXE5K-ciyc@WWSd74w74spA|zFTPl-$l=g!V){Fb0|N=U>NtW<-0vMF51
zHpDE3v>|`PWSBQqZL*QVj|O`YnjGE8HazV>Qg^C0WZDJZZr()xNZp6j&n~O83nDCP
z+w&sKK#;91keRteS3y;msFny>s6<Dbs6gF3nR=@n1xU_uN5VaFG266K)o;7qDl4&!
z8e)ZoOFm*rW*+hh`%Lc5dgKKAT32Ert!Y%Ti<$OOSe&;&(lI++E+ga$RCbP(O+e0l
zOQ@8QB-*=Zbwz^&ra}l^IY5|=tfY@(>!J8ZNXUX#GIRvF!kE<W)Wd0tB@8LwL5Ej{
z$YN>M*q_w||9?HBG#OcvAiw<v)(M+e@IBrDl^8)sL&Jf2p*4e&m(Crnh6Pjn>wN&I
zZ+K|Mx1}KwphszvQ0`D*FpO~kp24A-%$WOIj6!2D#MS0!hVq>yd2vM={J?L(@ir21
z;AzbU0YB^D2+*+1aXsbIb=qk8I2!*!BT66PfkasnXn<xgW8&>Zj{(JXVJo#&leq8D
z+b-mMLcke<nYz@HLV7zf5;@=VB@~*Ixq(qVkf+146$FhG8X&m_l5Yq`)d7O%R+^Kn
zk}%vA{{cX;t}Apu3Cx-WbZ%2tVoaEdy2+w2YK<K!GIVMhBd<7k;v8ryi=a+>3>Y5)
ze3L#3_qHP@$TaYr_8oCRCFI^I``|gmT2um%Jxjs;#><GZ%uN9h!X_^`DMQ%^9|RK1
zH4EVUp+on^+KGROO*s6qD+8dDArN0`+BSFy#PWDp)RFC|;DayWHlpbIP^4S4jZtpJ
zwF2H$9q&Y&kp_!JfBE9-l2L-CZVsOIo@IQ~hk51J{$^YHI3;R%gpNCMPb96WADxkR
zM)YA{2O?A8j0i15cNKnr@~SSP;-3ZuSJe!#v%Q`OX?xaJw_)&)xC;CHF_MB?(?VdH
zvDq2>(}P3mQ)Q{d1ywMG5>P;YeWWh~j~XgQ*s139JhI&uS#eAu$Iq0(#<Iwff)g3I
zGt2PasDYM*3Cx{v9L4wfiJn^w0m=vPVlx=Y9O+nr3Z^iP8Y)KTAWCp;@&*2-krjet
zvN3CkW)#PFwNYa5RJdKbvdGuG2=iF<jvWBI-%iLq<%h3tIqqb`>VaigOym+@+sgua
z@Z?vt+*`b_MXvPD#Bh0m86(2ghldPx9VLgRz6~Nu!%`DIq6(*SC{8Cp{kSGG!F@Qa
zO5+&XE1(sG!T9^2iT&dWI#i>^8`drKSDS9(#O2n>*@<}mkv{j7E2MDwjVtZXH0nH#
z5CaWOYE_GUg9g|Zs1H~Go|M8o44MQw>BR_+7!8+~UMftrXP93bHk!y93uTwV8F}Jd
ziyk0twJh`&Mp9wXbY3ErP2Um3Wh+H7@gorz{R|lH-s(k2aF0-(-68=>F>Z%LWVXRf
zDVlcCGJ=`Yq3SywSX(1@3J}QreRfdRS70o@ITph%tae<}+nJ{n?~A!hF2^`cI|CwO
z3>nkHGF38cO354+#0cQd!aHDdMBu+Y*`iY+QrJwq+=tzt$4f(q1O-1(99~zH_u80y
zM%kut32fE8CB**n+0iNLu^0u-2+0d6sDp8B02uMog5ARM$Si4qppgYG@o(kAo^Tk*
zO0QroE7$@C6dcF3(lIDxYaIdD66P|^6M!o&W4F`n0NR<h(srG<feQmB6UG$H1qF&U
z4vCUujgb&`67D=N#X*orFm(ZHJ%P7K11L(Y>FJspQO<}0Pe$(}h9`-xa~%0XJVrcF
zoWWrY_})d4(v4c|A&Q&$`+@OA+@oC}6G9J$QCcp5p|U}ft;{kdjm3y5+AV@y`j~&n
z%mB3l;n0<Z@`(ouFBAEm3qbNjZQw6YIdE<avrP~_hzb&^^a&=$h`xj#H-W0MLn&Uu
zoasdz5&}tIuE_3_rk4VLm;8w|_u&KFVYGh$W=%81WK+Etiouj4{Z@I?HgYAC7YF6k
ziSNr%fERfzs34k$_=0LgDVr!L*`_*aIxkooAsDs1@iQ4`Bm=pU7o(n>fIlXd$!fM8
zx~OL7mJ9%tLdj4OX+oRMpa4qnawItxM(rpE(Se>xOSUaE_O|8xkZE|DR3d_I<O?r!
zQ<?C0dnRKTPq$vQXaR%z<Wm_|o>rhVtR2e&COwT#>L&v+cBTcqXw!B<SJMK*U>G6*
z40NWnj44|~AFjAOop*2N8y6c>xU&?*Xy7Jz2S6YyB%r>SM%4`ihro|p1;B@=@4Z=S
zz^;eD2A2FK!&mnh2y4s8N&E(e1#UB${X_KJuxL`wm@Q$gAvGAOY(NXFE|h|W@J>GH
z6Zs{OU!?F(Vypq2Y8b>T<M2jtk@z3nbyRDq2?z-Bs6*p15(a;lgBW0*5x9ckO?)gU
zg2ERFy<qglv77O{0n7%1#$WDMMf-&FRnKmrcj_1jGIW-<i07l+sklK`DX`U+6nQ|W
ztNPzVVl);`D{0NtshJ+r>BUBgYa-wC3`Sgm^xlF`F=<3Z*%_f3WLBWch(SQfw>lCU
zA*pJka7$EH*hOuA;cegg?e4z!vW&yF*WgvGpysjor_?k(ftjL#ytf3vVwF-wa3KOL
z<e=#vVnkBO##4M_aQ@e0e1|H!5}<?_XJk#WnD<SpNe~n%YS{Nd+$PYI1^6Ih@x!f)
zNnb}73<USR&wB(;g?<jomAM5xQO1%$Zl3tTcZRht@jA{y)0H2o@LnbL@Y|4Uw7^kD
zG?x43tbzq62FcXfsE8AdSs`l`T%!hxt}p=ku@kSJL$;CV^VY%+ZLiTg(=Fw`%lQqP
zVGHzayfcvyT2G<ia!THJze@4IJv??)gGQS@yj%q`?6<QwA?mOYDbi@{Q(e`5buc30
zulF%m>cfjFR}QI~pV%!~7K^szko+7I{d}1#gG!`j$%q9<al;}=gb&<cxH7xnvpA(&
zh5PDXa^Z&R5J|dZTEcjwG@BV`_$AkQK}@0K7Wr=rMS6HX^YN|bqUJ%ZrhKkZ&_+{*
zWc;la*nyfqjAnZdI;BUXNLK_)gRoLaTeB1DKWLM76{sLm97zFzcSBLIK}St-qcmwy
zD0?FSOr2In!nIJa6#ZZsWTFf_G_A22;!SRg<3ECGj_al)LKe|522MOk+Q7961kd<1
z5oGK()PP*u2$m#BL+&TMn<J+!1m!W~Cyzv14oV%zoLf!JMHa9^46qZ|{fzm4(I!E$
z`e3>l`n71G+8XIVgB19^;vw|d08dzRM924mW3W#%-m|WVstC9;gz~Qj#6lz)FQ$oN
zAV7!ibw!2*ROfPji1MjHi5zl5*lXEM{aRLpnNFDH0&EQ(mF7<H0HXt0ghj}&1Vv0g
zCcqAk4L{QDp}@wl3rUpDA;0i+l_jZ<i~vdQ5iPnqF_$qe2YV?`Vtj?^AeRV08)+Ci
z8-gj|?|x3)e+Zy2eDFl^?W%#Klst{((JM|ZXPKLU2){Be`W$a-Wlq8vt)~m)srE7{
z^q;s^umwZ|0Ru{_2!)?6Z!CJ3sEtGp5k_o<Y@aSg;BN?w#rda*6QfX%G$JkAIIjST
z2f|cGD<Jt0iDWk!Runh*uYHiR1=vGV@|<}Bgrn|IfH--A2SWvMj=M7#Zd^h)E4(%m
zT2#NZ&=th$a%t{1O;vJ0*I4I3!R;VO5;nzwEFpix6uvRUsYCEJ3DcaWQ@zVk3SRqN
zJ{KC0AAp>@g6SHayW5gw`~@5w1l$g@0wf400?rY})ntb<(f=91HbsyRa3wLtI~D3H
zR$pj*as+(fHnI3+3i=IRqa%~?>pM@n@GtHR4O)9mvDlMs3Mbea&8=YY#pTara@n&L
zDM?6AW}w2zR)9f)prHIn8m5S(hj4C{rYHO0F)LwIP@2Bqq-Y44Kw4v=ma6ekY9cO|
zIs)La6E^!QV12SAD!0fsE5?yV5@Za-9sFL<eEI^!nq<_XI6blk3`@*i=!_rY*yGk;
z(V-MrldT#i2Q;LcysCP$z%oA)>OegTXhKVN4F^a$XZ%r#4Q%kyMM8cNNB8v<WQ~x|
z=;4tm^ZZ=}fXN<F!$sbc7CEi@)D$IZ3-$R$GPVFLaS615W18MBBl(O{5?9Q<95NOR
zKbhq)qyRcBGC&hjp>^PCQpG(LjVlO5lPRf?kQDM<a#GZ`3B>3Hk)YAZ-B!-OK08@m
z8FNd8{p<)HNuUiFJkSP;oF|JtIR%e?N_x963)6N+a6}M;E+tId4pc^18MZ|WL{N&+
zB#$oj1a_Bbhd;7X{xMe`^7|D(rj904v@wz}$Hk&L%L_yieHgGuanNuhFZaA9ma#aA
zEz8M_Ic8&`%b55}^8jm7X7?gU2|m3rhNcK+gk6r{?${M-VXIh;#FmkohQ^CyDblET
z=VM1iATVzW+)Ek^2q|tH1VZY~#~Z%DII%a&J$_zHOz*tM%NUFePLVniiMF=vYhgj|
zB%;n((V3H?3^^qUcCnc~&xm5U&>%YW^?h(nbQH;oJhWx5<PYJo(NY^8yeT`aJ}vIm
z@t?Jmbbg380Lc=*ZA(89*GG|7L|k!I<T|^<v<%~lucZa;Idg!M9+z%JBeLO$g?AjL
zyz*NlJpm)uReWA`L-M@rrf98s6ApOkKN(Pj2+4e_4OWpETZ-F+jZW4J6`BGjUGtm&
zZ43`4Bm%%Lymh)xZ`-KfMq{6?V1r9S3!P{=oTL%BO2hx!pkz{|>#_~OcMhxFrmJ04
zPYUJ5jc$*R@Gpp07H~ExXmG_+MAh3XC_T3}1gaqENgp!Q%`oo{h~Rm`?Z(US?a>()
z{>e?NXGbF6T~<^zh?Pf@FeW4#KQ9|&a8Vi|L5_$*3=U(>xmsMOy=SMh3%r*I7dD2l
zwm*rK85y@owEPXX4dj^zamoRhd|MmMwvd8&j$8vVnRgD`RAx~TS4SD;QH^UH@03R(
zm#Xpj<d3WnAz|x&4h#S!FsXwPTW=C(hlRw&V_B}$T4V+Ure-6Ns{cR6<Rt>P=C^)x
zHu1^DOo_vuOCyn`-o#nM!~@HS=p43q4NJ}22LQSV;n`ZpGK61Xdc9(7p&T|y+6-ha
zLJet@ER5p4SYx~}%%QX(ZloW9l)T`a30M%m6+09=ks&VzC|?Wb*x~%jSmgXZ$gmHV
zEB3+R1XF5G5JWXhfRuR#ET;e3WC!5_tUXB18`&C(5E=_9A}p9*U5yKa=11imO#tTq
zxTmOKAP=&<tB%t9>KWo{@?&*{RW#$;8d>Rw9rf2V^*TU@qm<6p5zJI_aS=hmo{;Vy
zvxd`iH8H)Y^CP#4U=H8{qZ8}3$OXlw3Jz`9OS*f11o$_^lpRcM47uwqhqt77dFsEG
zJ{T7@QNu4hNew+(&a(hDhVlDU9<EXZrPs76vcf<ih{HIRJ|*&*jF=Kb#~BY4x}c2O
zs_T<^GAYG!{|%p->by&Ka)XV4#!RR@#;0$Dbli{he|(A(YjBAyfLw<!tH3;uP7E;L
z07J$ixYWhEWQb*~;6u)(eLEgY3`^x|Eu2<vK1`T7?FIQDd&K*JeX3wzQ^nO*_emU}
zdr&!S+r`RoUjS=lb|S~c*@hd(6w8(v#MlRMh??WCpA*p5IaJJZs}MMeg_<pd9n{bW
zs!j!r;f2YbfZwa-ZqUPms2}(w&QRuYKifqzLvrvC^Gx&ME!f=DlhQb(LHb0}1`el4
z(3Aqf2=FwzCf5UpXrde7_PcE#jI3M=R(Jn#qS`pOJFeb_sa!*hX{(MsZ%{tlZwW_4
zsf^j4#^(?Or{u?;&XXpy?!iCeDs~DfimH)*yw_7p$D>r(*V}3E7h-7|(&G{=4<5v1
zZ$a!5%p0jE@HajuR7r3*AWRf^JsM$Og5Xdx(Dw0#-#~^}NdlmJDGfA{&$@D4GX|G&
zvxA&+gy)7*?DzU|Wd?0{{ZOTB3$%}HO`es8hCA*JGBejq9PPQ=D5YI;O~KJg`JYq@
z%@6!U3mG~et>_G5-o9x9lRg6fb#1d$oiE>Wxl-VB&YYfcHl7$7@(SjEKf43wG+HPu
zkJUY_@hXggv@CxwM1;_VL2Ih`n-*RkmR|yHUpnV2$T*W|hGc>|L4-?i>H_$Y<Hh`q
zMwhD&1;~o5Tv|zQaSWxZ%NSbX=sQngIG5I`T?+H74bFGDWx2DHnPj`WEbT%-LU3lw
z4$151t~at|hxBfxspGk0APdWXCTMy|3JXB%w@E@7Ifh@W%}T$x_&f0)v$EH9l0<^~
zf9dd`={VY3+^$6s^URoL80vkRuEMS$nN_ADv1oA}V-e+9&1vyE!O*WjS{itb(lZ)?
zp=r8>dP0a4wB7z*%>waT>9qJv*nLa5CUBD{Q~@Rm!C~<_l+z+7_d_I`+#hhPTT#q|
zL^K)eHVDKx-1p+V09S49vR17gc^CgVpplqlfW;uOjU%wS2}@SYc0>qrDvx#fUZ~Y&
z3Ls69VbzNnLOxfg28z8k@oF)<PSjr59jm3D0{s({Wx_3|e`O6;R5_M;udaYeFa;q>
zYZYEq;Ghc|kgzP-Pqc_Fo6JM~18?hf!e;y+Zti!m&q9u_XMB%iOM!fB(a+Cobye^h
zw=*OsvLfrJ=?buKz5@n)9C}2`Waa<rozPCw1##wonwC*OfnrpkoyNPCIf|+niVbbB
zZc|PYBa5^hU#AT!N_<y;5Edx`;JGoh_$FLXrCUjtfkL8vtd0pbLT_Zqy0ZXc!z1x3
zr7qGONLXCrx)ZQz_*zHIPYvEbiKmHL;urWKtVdUn<LRe?#r;o@9#SHBozw)apSn24
zvu=TU3jsBCcgb!;I(Kn#qN3DagG*up>UtBAag{r_VGRrV=de490}A6`Bg<69LM&d=
z_D6VZP{L)JML3C37RIXdOiBi4Sh7)JDYm-f4&o+){pSEzLfaOF^8%a|AVK%>JIrp2
z2uyTRT}hUvK(X~_M1go@v~9c`bXv~T9^0(6Ir74$<tjMlEHIthmsvG+GFe-V{Nf1M
zOLa7o<thwn#f9tpGCEt5y92+pmt<bk*h8c_`F;hWXvC^8_pHx2KdJ5y%#q9hPT2|I
zIdy=O_ea*OUGFJ!NS4A_P$tlU+TbQ~Y+clAin33^v04EZ!KqqQfQ-9nNQNZ=M;aU+
z8PyzAmo3uJU=`rRjxq2k@&)n1LI4S?BGeBJ8213frn=3I_<CK4KRxYBH6d8Af_!_u
zirS`eE?+-5vxssRw<r+nHXu_#xF`slkZ<u_t!H084Ln7Ik~Z(~AZm--r=^0Ko{7Yu
zOgMhfNiv}mS_G~4wSXfkZhr48CA}Hw8OoJarWnqYl1Kr_mjc)G2T_O)2tq>$0(2Ix
zqr&H^;l*s?R2u+_>uP%7i@}V^qCP_^6mgayV9oKR!SiB?5v!zd8V^FaF@R>F2sGn6
z7OlDr6&L3v`wx+Uh$Q7!)s#UJz?vvxLn9?vtI&(mz7|}55f0Hzf`PI<f8Hjrc0hVn
zDMcf2h&F{>>Ej>wwciXk+w*V&f;65P4F`v8rLBgG9Ys7Fe=8*zt=_wehp7T6jAxME
z!AuuZlnLMqm;=zePf#lb(h!6fb_Fe#0;@~MdmbE?Afk*Ez~CPvc0su#<+mZB3&{37
zq{%}h(tifqKPSm(^|KHyWWdSjm@{q!L_`(3XF`*Ux@MrmX3*zOYF1PEprIa!17r~>
zme@KR$igJhucXu{RNrZB_m5XWcIc-pVSvb}gWHkOU$EY*`}#`-`ndD3qppxYXyy!`
zM-RY2E=XMslh8W=#9J%&VrXAqz9%DGR$~yiSVt`U=6cZC3j(Mgxi=_}MBGaq&KD*1
z%&3y4Xv$0xd6Hu4LaP{t+8TQvoIxP$qrHh;{Ig&-8W9}qWl;GvOrJGofYGnn9B+VA
zt%pAFExy9lD20uaOBy*XxP%2Drqf8kLr3EcI|B8YuVzJEvalKGM2885GiqHR?i4zH
zKu{$=pp8ukNZ`obM=`U|ieukno4iPZRvd{lb;F>%?VyGJnB<GZYDC(Oq{R+Zima=$
z#H(|Hc(81Ui<V|ICVIdP0ltQjASE<d4~HY59!D-1N1M#BdW5UiU4B(PSzlpki-?Z4
zqP!ZWbYfHEBH1W|SkXO`Fe?R^Kj3k6E)<6`ALLXPJ4XkP45w}ZfX;)r1r1==?4v2|
zET9*p1!+Kz!*WT#g=5RjqY-Aqn3K$qIq&I_k$GX<GT7EKRB=L~iGtO9W}-ZH0BsN;
zGVqP+mW;$BdtlKai%3)zvz?~~<Rl81hDxP@zpOh&V!k65YFQ&dy^0d?Vj_2TGAGu}
z8uvg`Or&JF3|+<XE0}U13D)JETr%2$PZV5rD9=Yp93K8u6aWyrGy<bSLm87s`sfU(
zucA0MC5y{utyKG&L}o+};9l`}Q4?y;(ZG6~yaX-Mn!v}qqo|&sFvDL3%Ons8KHTZy
zD0R#EPovE&afRMN68S*)V?=&-_i8AxW<_jD!RA?H2EIo(7K#UQ_=s?7*hyG~kAYya
zfhaVn*>dJU!)jSa8r~EQvj<qr3D|?WS_Q;|{yfUWKI5w*NKqU_1c&KOc%sX^xFALi
z>XT?pbmDvirVhm15TRUFM=b{u-jiMBPdwusQnsHLUdRAxGT4WIZbV=d%+!QpREg$y
zgr_2)ILms^2jvtOD&?B?(P_W7Eg(ess}yPsuNhST<o${^!&B?)CRSP&(bfZ8Fk*TR
z2)7CCc%8Z?O3z#4A<s9!KNKsS5K|;5k3{n4@ws}*m)8C*%3|V{OM(_D-vep8t4Lac
z%3=`CpzD?J2OU&e31!&<c7`aS8{nn(Ac`txsiNW6BTdb8P}5;nn-z=b>YaTvB?haV
zT+k*NJcN<vF=aEB*xQLH-7teOx_Yc+i<?Iqf@EnyH~IM*j}XQNs8{wF2q?vXW;VkL
zg@JBKb?$2{gZejMjOJNlQ6Q9%#HCH_yBEU~_7&%0Q5DQO*YU2Gm2L<$vef!pGtA%s
z=gqa*S;orJ0Q9V6tTdksYKWNJ$&x6j-+ZZ+@$n!h01||Pfi{|W$fT-b5}l<nV=ir%
zq4<=A0NIT!5q^~xll+ja-)S~GaRj=8+=0(USGaFl*d9DUfN4E{R#4$D0_>S`8TrFv
zGP#tOL=WuHUsn)WrVL>s7Ro~O2yk^!st6uZ1Ou9b_)DP2(*IV6mp8#8%rH8eKrJkk
zLi&p(Sbp9J@(PZk;lta33<5g<$=eS<kV9GA4Yx2I+X-J9!z2w-9jtFr<F%`1GoZI^
zkxSO`Ecgo6IG^BOV+uRjDrpn?73a}@B7HV^IvO}wq~9Lcj}hwVR9EFT$hjQkRvn+W
z?(XCIRJKN(K{~YE_rg9^a*+Dh<WH$X+Yoh)7?u2>pWU!@m$XFzBOv`~d3t~-9f##j
zqujT$StH%?qd;E$5dA!cSVR7?dn>U~fPo!t)Vnw;N3t!CtvYB$%O`(v9O*)X=ociR
l-HVn8)x1(Wa#?ebw+)v2w=@kHK$2TD0>`J10F%YY;~>$5L0bR-

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.otf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.otf
new file mode 100644
index 0000000000000000000000000000000000000000..bdcfb27a4fd5374021f41a0af62ea7a9e8a5e3b5
GIT binary patch
literal 229588
zcmdSCcVHFO);_$aWKMeTWzL+05YkRgOF}@!v;!y-By<ZLLV!q`DKs1Qu86&3?-dml
z3!-8}1$!5y=@rYhdsX<Jwbz`Jc;9>9@B97!`_N~eHGB5#z4lsrcAYtCnKrFOB#Ko+
z6Z0DCTbtX>W1be;q5&a9urV04&O9RiA|aY431!n&O|28h|8>u^BXIpGA#$?EH#G-O
z{l{4=g<5=&5Zb2kQ(9Vot{8ELP}`3dikdmTb$Y|;|GKzbsHI5mpgAqARlZ|Beg9S=
zlqm?9*VYy4z2KmI)j}j}5u)bU#qFU5G4HNihHLwPn#Bl+JtJWj;*Y@jh{at4%dcIM
zI9sU3E+NcWU7_W@jw>iBWdaUHcc`m9-&m80^9O~9&+F~!A2{&1@In6yT(^XRqZ(yS
zyzsPjbCVAGS!mjq2oZ0^W`7;#{bTlj9NnY6jB`z>6pDYiPy1m1cS1y8h3jLYdt^#{
zO&%Rr2r)&_QD|zcvRXtTqw`c~E)Hi_juk$o2%&LNnx<>2s?QVZugHLOlK<+P8d}7m
z!a8t3{q}%CIVveo`9`{^>`^ZRS<ne~P#%li)k_xvIwpx;TULcboMOwG7%9%OWqnwj
zC^1^xYlj;mL+r9;hnOdRx8-P&tIW3L7!j}Z+j5-9QNrmbD65sL?C?a9tBqnAO2ump
zwycO)ZL%$^B2JrS%Npc1Th>L4){XKhdJIalU0Y_$iZJz=wycUoebAOQF-bq&mi1wA
zqC~I$rX6mGvZ!&k><}BHI&3*w1dLK!juF|$F}55hd`39^1kEz;u)`BYAm$~OQLgNm
zKWteM>9J|HtcuLo5?j_FA8gCINR4f6?CD+6*Rg2vfaUXeJr#8H$z#B(U(hqZ-D+LY
zKhWOQZ%yoO>*?$5=?e|CFR(@}9vJ8yQ&qKW*)n&CqPg38x~fVmtYsYoi>;~c{q22A
z5iQu$Jzz~n-M8Lp?HTNAYk$|xY_*2E`>iQ`JyY8k4R(h5d~T1=GnVSvSdKu~ak<jI
zj!P{K%`@8j`a62MEsi~<m4va2dj{Hix|dpBx5quYW^7kzNqf)0LU(7!e4o48UE>dU
zYW`!Awjv$<R>&IY3oU5x3iU0qdKUg~#qQ{~1{Swl)4My!2(1IK1#a(NP}S3C_25dM
z)z&lEJ<!+D-tYeJ)|(O<?6jKP)&xZTk9Hhb(c3<4F*K9*YwcM$uq@QqZXuwvqpiKW
zA9)XUFF<ajOzXr+R!eVtH%Fet5h|>(t-Nlp+mead_fj&UrJ;__(EQGJ_E*RX)*oqw
z2F6&nI{j^Z9lZnn?*5KWcTeA<s+Qm+JCXmP(SnYClz09h83e8gbzAS$w^|ch-?h+Y
zPi(EQW=@<op=J6sYi9k_sr8emO>AzpTBcf!Et8ujPMg>=8D~MOe)4SV@QIU~Dy(+Y
z9~7*8d2e5Pf4>F0c69Z2cC;^WTdnQw|GmK0LPRBV^!K*6bu8>?vpPfFiv~lB+AFNy
z_P(x;eyTarSukQ(2V5u57xgS{@9Xa9USzF61+@nI+o=i+{14;1|GQ;cJ45}8QTmnb
zeLbzHN%CRptnVB^!l)otXh>Yt+TPc(5OF7pM$v;tafRp;9b%DKEC$eo`h-V#fr^Oi
z8zu)3S}zvhzWJgZax3oc$9?Uh3v7vrqFc1#Y9G?2V@O_GfGeY9`U40bBdYM<GWnky
zF~X_2<(*x)Rw{E`2CW8gmnEhm{eGZNEX9#h3nKMysqbW@(1lRT%7!*QVi2*~M7xzE
z+{4dtPb*?}OD(4$PLE7=5#o0uybtAeqtsOTu_$4aXb>%shNT#}pYN{xxBL077Tnh?
zW=LK8p+9L!HXTZP3epLOj78~sPzthGH_B$g@)XmJ&Zh>scR{lyNQ>euL}({coG(+W
z##xQ<ivVKR{2ypJygU|CBcFwU0a$=ML4G7_EJ0Wg^8CN`c84rCd5>zzbexed*>|mw
zxL$DX-N?5Jx%J6B`5uzVDucL_bnC#q{V4PQP2HP<+{nuoyz0hrf}JYW_y2G8aR9Zv
z7aB}MdDvz{^^YvN5a}$FcB9gA4DuD~A@rx3OLdmYLKdd7g)P&HCuS1PTV(oFSB6ra
z^tTk~dHnZ!MYV-s4b$xJ`G&O#p>~Ck9@X{vIFg=2&llBzAZ&Xim^?EE{CDg0qb%fw
zUR)(VP~GkXlh+o(do8$s(!XgkRFeN@qXkHXS`SKjKI{{&A^g<P(@IZuy?kOOidH<+
z7M?FU$C+#+W<r_<kG7zWO~cihxH=X8)r-kEpNMCXp0*Z*SZM895ZWZ~m?&kw7Q{7*
zKO1~Fu2LMbc005hs*UYpIZEG$(0=?!PY3z21J6q@EJ5{ifh>P3B(m=RxrZ&(BThAZ
zZ@;V+ZAg6~(1ujWf8DV7Ab1h-Aw8*P_CXJ_Ww^~5da~#q(vr$TzU4NFt}jAv)SmVs
zMS5NrA#4T0s0F3kO7%9}3Xn$sZ#Ccje^qB%WtsYMFFz$KrA9sQ8@EYAJyR#V)QM2m
zm|GC4um34@5$>mWWI0ZEBFzFY@4&cIs5D>Fg-HI0N7pbTM%FT16R|SfP<}(481bte
zBRr2l;Q#th(O2rH=+7Fr8_(*8=qKw}>R0JE8Sm&z_4D*W{d#?zeyCorH|ULelisWc
z_3`=yeVM-8_{jLs_*g$te;TtY4Z1}M1GAK9Xb>ynM7&7AEHp_ZixiP6(nLCDB$*;h
zWQ!b;EAsTK^&9nTjL-GU9PuJw6bMr|;X0Qn6h&f$D8?M81RZdxC==x<Yb7db6*>+t
zx)SO_s`YF28}#dp9VpotaWI;Jqr{bBt#}hNo!`X2#Gm31aX?8^3Y2`sR4nBnWvp_r
zGEO;4nXiPDHl<xzpsZ0YQ7%<3*Kam%HSRI)&~Mc*)o)YI)gRX%)1Po8I5LgxXdv!0
zb{U@;pBSGScN)8mJ;v9@KDEc#YaDCLQ)eiNN}qm`euA;n_|mx7_`>)~KSw`TU*Wh2
zU0j{GQQWWe>lf%3>Zj?a>#OurjrSdz@__itc*?k2KTAK`ahc<C{T6+VeujRgu@PP9
z(V|uyE9Qum;skLLs`mBb29)qRu|>QtUQ@<95*-<iEJwB@&ynNEcjP(>97#e?d<?GM
zj>_N=+hL_cG2c5`JS(<|&&5BLla*D<#VF@Z%7e-#<r8J6vRC<9`C0j0`Af}HYt=^e
zNOhKaw7OV5PVH8gswb!?t7oWd)XUYY)$7$8)tl7^)phC<>Qm~o>T~KAb({K`x>JkS
zlC(6<(#o_7&8r2pgS7^&Sqo`{+Dh$Y?L6%QZMAljc8~U;wn=+K+orv%y{~<!eXM<|
z?a&>1yq=_I>bZKAUZaoEXX;1mbM-dVwM*gETl9PMb^3aJgT6`MrhlmK)W6cd(|;^z
zESOkuM8TATsRgqNjw-mWU~Rz$(_to=S*FV@Hp|Vi=0vmAY%_bzGtG<5E6p3s-<^sx
z#+l;GaOOA*oGxdn)9b8r);pV>6P-smk95v-&UPN<JjNMvb~sORp6Wc?d5QB%=S|K#
zoR2tPaK7#Q*!j8hJLgZ%{g%VZv~n%eDzrvg9?Nf4TVt$oR+BZ+I^J4gonoD9U1VKm
z-DKTr-C^Bj-D}-%J#0N{J!w7dN^@noELWjxq|5D^>YC#^)^)Dy(n7V+C`>9$EzBs)
zEi?<u3nvuLD{L=v7OyQ{SG>OX>Eh>#Hy6KJyk%s{$m2@VN~V_Vbr-wG{-N(baNq!H
zgN5gy9*xLau~EDQkN+S&yhd58JOB^Bu6&{FQU0O)r2MA*sb)(LPf@3;v(;na;ZC(j
zU9O&_u2RoYFH^5luY-qgf`=bg*Q*=UXW-$@>Q?mwb-O0u;S?=fD}smJ@Nk{&;Q{I4
zGvMKiv`e&Gw0pIOwCA<0fAg@=qxA$mS<lk*bdO%EkJV@C$LRC*K7F-*g}zq5TfZOA
z*pvE3{Z0KH{R@4M{;mE4JUkvAZh?nqL_BPm@n)uJnIp_H(`O!HPBmwlo#ra@B6AHq
zyw)k4sx#J^>dbcLIxT0Rv&`vpj&U|PCpZstPH|4PJv`Sr-+7#KmGd;`InFiCtDHAG
z?{q%q-0XbM`Kfce^9ScI@NlY?ZRJ}QJX~e@;Nd#!Ab5DZ)oTq{Ct0hk3vCbI4iDc0
z4?ko*Vm&TBoEh=(6j!V3D0q0a?co%7I49!a1x5Mr@WaKA6+czH5gvX89!|DByvJSW
z9`lE=Jq#xg|99Y$0}Ji*LxzWweBjLe@i=xJ=)tiY|MdV}2RaXQ99S%`A9COr?Jbh@
zBlJnyJNg7|Go9hQ3UCwjO1)e!(Tns#-ErWj13w<vE5!b-!2KK((p~#+KXC4Wa}Jz+
z;H(3uAGr6xeFq*mu>8Qv11BDM_`o9v9y_r9z!TxP|Bb&IEyPy=pcbh9a>tk3zx?pO
z#ij5sMhdYLn&7x+=LtJc+W85|^l#^fJ3DqR*|}}!+dD%$=kE;Jp-=C87S}ca>p5iT
zxc8i}ysK4+J#X#Vw(AJ+athsz)^qnGyC2#Uy(fN8?4FoC(YO+~N8N)4b@%?=A0fSK
zc3!#rh20x*e*Esf-G}X-yKC33ox462V%MF(=3P(ix@Om^UCVc@-qE_Fc}L@paXSv)
z0n6@~y8XNDSAG8N=eK_H>U*o-n<jNo&{FSLO|-aIsPCx1XvrE@GvS3Gdey_ghv|#;
z<Md9wTkpm5LaVkyUn-AMCMo<+U#_oY8GW@Zi+$FIUi=K)cMWh|IQDSXufUbHz|H!@
zcn%|$9UkZ3W&I6(tNxz;37*z{cwT?g|E2#KC8G4G#Hi$`%&2S(RS3BZzMI0M%qT0W
zFlt29$f(g#lcT0YEsW}nS{em?qgG*w*JDKLw9#ZtHRc)J|DLnaY4jQ=Q>d{Pz)G;O
z(fGjl3B6%9dciRcq~Mt3nC6(}I2zKi6cap$WXF6Qf#Lrgv-r#*J;Fx{aZDZ_3+GLY
zzlVm;9Psep|2ZtjD1`j~dOYR02%{N{hK$>cJJC|#>d4d|Gmh2IF?Q<b>yJCKFjo4^
z7-f_?5{%vYZTcEVzENV#)6X@YGd3B|>nCB{Q;Ts-og9@-!nkY>MrKE2OtZos)BK2W
z+I4bVbE8;myeIAxugTHPn_{o{NjVpzx8E^-`vW7m0~lSUVf<DgM{r{?hNBVO6BxsV
zFp6u#2(I0DU+KdrZVip&l>3w?F}4~j{t^d?{o-&XK}=QBMXQn_rYl)unvyAIDA{7R
zk|*XWE-_Cj6d|QZ9H&%>V-%<8QmRC^;t@THSM(}AF{spt<;oawqH>5hSvgdkp#;V0
zN|QK6883cSo)%{+6U14{L}ijVS2;qQuS^l=DU-zoN{d*nOcR$Wv&2=((c%hajxtaD
zqHGX1DGS9tO0T$CSwy2k@tAUgctSZ*tXEDFPb;U1XOz>$M&(TLta66fteh`iRL&Ex
zV&CBn<ub8Vxk7AHt`u)6SBbZktHsC4O=6dFxA;=IUwkFLRUQ%FV+Y|o<x%5aOg0`+
z2E-@I&EgO=V5^jRaf`B8yrWzr-c_y@?<v=b_m%6#2g(g%vXU&0SN!5pWu@p;+~RU&
zwm3pb63;1TiI<cMlxLL9$`*_#-ca6Dwkq3{x0JV)ca(RP_f<uCNqJBC&^W`mz_`S?
z)Zws4qy-qA<{DQSR~u&;7aD6EPDi1m*iqsrb(A|Q9bSjuQSGR8)H%jF4s|p*nj9^T
zDUKr@Q}N`^z_UABJ5K9VXKD*E9-XbuQIApQs%NTGFg~5CwyM+A>FNyiD2!rG#Q5c8
z^%V6ib)Fhh=c{e%0<~RTs4l`7wgY3FB^c#&VJzFD_F}AayxOPss{`sF#<t5a?m1mO
zRXt5TLwi=w(KhP2+H-oIwn@*|p4SVs7j#p5Nq1>4>xJ5Dda?F~K1zF2FV(i{W!g5q
zTzgBe(B9T7(Tln<-gyt>SD*Hw?$<uj1KP)Wwf2c#qkXE^YM<$&wa@iBZM!}O<K3~w
ziN?vsDaM(`*~WRsMaIQqijpd3Dmh}7k}H-dm7-4xh^0!cSf<p8vz5cdIm+SULgh$t
zkup_Wth9<tl<8uPGDBRd%oJBE$B1jN_jIi?SKO-{FCJG;7EfaDW`nXyJf)l}HYsO|
z=aqBB%gTk~73CuFg>t9ZsoW)YEBA<hU>EJ5%6g0#A6G^z7mIO<A`VqlQLkvCLD5B{
z5+#}xLo_Q65mchZcqK+mP-4YIB~Bcs#EbdL2+^h#iv`L^(XNz;g~}+gNGTPIl`_$x
zl#5f92639wC~j3c#BIuP;&x?;xI^g_cPd@tE~Q)Ct@MZol|k{4vQ#{*EEDUL<>C=#
zh4>JAVjn4M#iz<G;xpw|@wsxF*sk0zb|`m<J<7e}Yvm!aPkC5;qpVZER`;pjsNbsJ
zso$$-V-$P7dVzYOdXajux?257{Tbs{MN>7}k&9BVmE+sB7~$Tm-lE>BIkadk4s(|T
zEfJ&JWc4=ncJ(gxZuK7ZUiCipel1JOR-eUu#-~+lHCnAU8l&DZ>L&GhjEY}UUshjH
zUsYdIzf%99{(_yp{ptZNMvK*Qv|NmmM`(U6puVoYp}vU`^fvV^^=<VXZK8IV`kwke
zM${jwAE_U!pQxW|)3q7u=jwKKhx&!OQ{AQRR`;m?RDaOMX$NVCsy}Mu)k`q{Iv2Z)
zTeKdnTkFM$`y}mfZGtvQGqhIB%&x%9><0B+Z9rS9EypN5RZG`0FdxfQAHZ1t4)spV
z!<K0)FmkWN*u6?~Vy0HEdDM*<-*3Q7?g{M#?L@6lo2gCHW@%%!xtQTSqQ0QMsD7sP
zYsX`hPIJ~v^xJjJSur=I+3T4YE8L=A>R4lJ)bGF??Q)Fd@5D&{E@Px|I(l)hagOn@
zakufLvEF!GKUiOHY%#VOZ(+XtF8b;(jh`LZBBlARs;Ro;QmhZ)Uol20^iOl*VA(*k
zg>?W4Ild``4CtqTix@gadRQfpFm4AIGYksHxRIdKxT1ui)98WvW^7yQSAxqJ`c2?+
zhVc%Vc9j7+;;MuU=;wi{uLrPKDKNv9(60x3fI5Va1CIg5LS6<wh+%vLKA2(9XqR*X
zjE})|51^k2K9qsA6oI*&K(C3V9pEU2el-|l8-ji#_!tI_@X)tP7@vdZGW5&9^B7oP
z5tuCs^uGctEdnbG68g1Z${Wyc0H4H=BgT^<1I7;US_alMgdlqXI;C+l!?*{03&Xer
zd@IAa4Q#`}I9ZUN0DUc(;sH9vrE7pA6MPp#$CzB)%`m8Zln0=n1HPAG>;&J((9Z|o
z&(I$SKfrKgfiYer7?jsT4C6EK!@xR(j{-l!a3p{qWf;4`qz9l=IcQb^=xe}~2jC!k
zKEW`ku06>x=7Bdb^mD;a0nZ?>=fKZ0Fjf*`Bk%%H1H5SCVDM%elfW<8I1>Ca@G3y{
z<24&(pDn-}zzX0^8<hT58$W`#*|-w?7VsW$9q>K_V=*B<ut9dE`uZ_I`Fvu7(*D%O
zUNG5_@Do7w55O1>yZyi};5UHmNH_rOVJL}Ux*t%|z+VFYfK2xMnxR<WeZaQ}9}E7D
zp^O86&rrzr|70jffqwvgLHrQ-SB635BRv465Bxju2jok@e=?NI!GAFnD*JwhLjEMZ
z0gNq$0+B$^Ir>fsx(|J*1U>iYOC=}`^r;e9q!;L08K`6EV<oW2FVNRA(!tRTECmbn
zy^IWSECX8x0(~(f3mnhD#(}_imyrpEeWi_OfRk)wgOeH9I1oyTjXZEFgW3=BhlC4E
zIsw#{U>waT1XCUWwJR7~Gm5~J2Oy3E=h&zK=Q60>!uXrv1jFCb=Uw0e8&zPFfhB%{
zu{py7wisCQ7YgY|@B*Y0fQ<!#F+IZv9>KuYfWWwgQ3D>yzy^uHIEFC>jJAM4Z6d}s
zj6=X>3~CcG&S4x1rm_Lz3~;55AlS_ir-P|HgeHK>0N`C7)|+%650I_^)me<l8Bc=)
z3~?s7+QtMhl>xweKmy}N#zgRF8<W6w41wnn^BBevV5+--I3G;)l`sW3m?6#sQ<({q
zfpH9R0r*fGE#P{FSPgElLG`eaAua<`nF+IiW`?*5Og17M4N&<3aRr#lMwkOoc?k1>
z!x-|}re}$;0ibdM)F)vU##jg@y#eYoFe791f~lMU^<5ZWGZulTGN=#1c$?7=rt$#P
z2Ve}&H~~C^L2W<A<P54aR8D~U3CyM#CxNLvfFPe9W#cq3l^>wK0pofG)tO@%Vk3C2
z4XOk47}SSQ8z(_^Z$5+i4W-Qn`F8<>`WB_#2Kkq41W;ds`6z?@xR^nG3C8dY^5by~
z>Q6AHXOO=-8PvC6jL*0d+|8hV24j8(`MsAR-Uc6U<7#jpgZdlHjTz+A0S5IYm^U!)
z1}|k$zkzuKgM7D~fmyM@yh1|uA1fgf9s$UI0QDi5e>2Fx<R^go8O*5|kAhd(NC98W
z5I=+0Ffiv9%B2j<zJ;=uL1Pfi(-{;_=K%Gk^fsde)x%8;6_=FP88k*z$Oi-pf0H3r
zfyoDidVuT>(D+LsTNB8KWM4qM0}kUF$nP=)@q0F|1;5XrF@f@djqAW4GH8sTd}QN#
zF!>3f@q$9-A>06b!N7*JP<Gl#2Jc}A^7&pHe(*mSH0Dyiwn2XSi6N+dk*x`C;5UZ2
z9Q?bD+2B7Jg4%$;Y$Ra_oy`!>fpZvG-4JRngT_{B9z(eRT+2|N0yi?S?Jm?Q4CNW{
zkql)scq%Xp`Qdp~p@(`j<d?z60`y#M0mB~zvayQih(I=0Q8u+3GVH4M092<x11|?o
zfDD_dsE_K&kYOhkzE{tHybpX1K=tpR;L8BA2W+5TWdoH)y_%s=8LwlI&sF%3K)zLP
zWGJ74Zvv=3?gu}}FirzM%rKC*x{hIxt=2P)OTdpaj7z~!FdPo>1^~8nM1!9JU?)c`
znEU}4&|4)t!cLAvFzU6s4dGXS$wq)98%(+a4)PV*3vlFsKV~=zz@IQ28DJ_8;2=Mf
zO#$O7@OFlAHFyWZI17w=OE4}3quvq>*jGapCpes7h2ba!s|-gm7!e4L60pv2l!Bue
zj&iWUa8!a}7lOkJhFu5_JPTS3!%+=}jR+3ZM=g%wr~}6{9Am+#-vnCy)>0UbL&2#G
zM*}#GK`YrB?5J6Y9|RWxBO#-1Yos?o>)_fbhGPbp%20;zS>Or=t*L8x4mIfRI0_tK
zIOc*$zk?Az4@`Ljj&^V}!?6e)VmKCq2Y^9<<drtMz$e?Fdr{{kjsu@*qZ16D5!9LB
zvu!K{p97qSaMJk#20fG7MGW;A@Wl+3bY9I+DeX&un{e+q@GZbykn!AWcQaHf?>!89
zzO{RS2N35(FrF8JN_ss6JO`QVu!%v>wDvsk3c`;EzsgWofnQ^&r-QcuuOrT>;5Qib
z%xhbLZ3tfhewRUQgoZXng7W&%MhN_|jrm|a2NG@I9X1wV9xDI`&QT6M8i<GdC^!K?
zz0&a9>d8PRWY|^D0`NSMo%B4Q3i6d;4^RX73vewk2J+Y7vA|5o{{+JyI{ZNC>hOUM
z+f%wa^do4`f}x*84!Dn@Z3Oq*K;E<;Mj-prT8sqgvYJ8m)=57?K7ePKK(^P>Hc1qK
zuV82|fT;`w6S#_@y#&76h6{WRLwgx~t&KwPS_b)$){-QO!8bF=hx#oxMuAb62-=%q
z)FlZ#XZrmN^0WScjWY0q4D!AHkd1Qi!wlNl)z{gm06)gi-UhF?fi_2flA*l=-eAKG
zCi}vcRHt;Z9RYsTNk4)QAe{iJUpnbQ@B@?<pnU|U`w0QyJqFc5{e2tN;13wuCtym8
zPy>9ypgOAWv{4J*!_Ynh@3k=+{3S#C9Q>7yI`Fp)Z9Dio8)LvfFsSb9KiU{8L_s6N
zH~~DKVVnq_08B*tk9Mfw2!?SgxP@V$ttgnnFwO=~Wf<pzXE2QOz%v2Vd*dSTQ4C`>
z_&SDh5*YP|V5|afU>KJPVHym9d`t&}=IAD#Q375X6egZi0?o6{M20|qW)g$u+-4?2
zECFXRXr5|X4ABR6F=(!7j$q&=J7J<86KH;EqAn8f0;Vug{|Gd{G<^&KJD8{w1e&Xv
zlolY)0mJtMnzNbkH$hworgQ<Chnb@p0=6<KU4Z6fCj3Vb7lYw50?p6NLm1)`@Hhs|
z&&)#^Vhy;SL31^;fgvsh!|w!|x0y{0aW%M^LGv&($Pm|nQ8x%QCo@qu2;y2W>Ii}6
zXC~<i(AuO)`T@%EVDbk*YlY@)2F)$ZISg7aG>>9n4@a0sGsFfk=>aIKz?3&Y>xd@h
z2PmkM<~)YLb8Che3i)C_Lp%>|V_;86n4Jt-M>M+_*e4QZH$%Jv?qMk83(6Z1Uw|n;
z0Q*V8JdGiCf=_2)k4czkFlfEcJd=TaCt*@r0Il(v<V%3&KPLGJ5dQ>|ZvgC136q`y
zK>Pr{oS~2nuV5&n!B;XAO78{+t)-f48ML-;-o&7_I`d|RI23#fgVycLTN$Drd>ez-
z@XXs8q5*sdgVys*DnEdibA?G|254>1yqkenafL}`256nnq&fkJX7GIsTJtmSX9%im
z4=`x`&m_A50(H)Oh(T+C=EDpz0lbc(#DX7Th>74w8MH=dKE@FAJd#ZTS}!!oj)0gC
zeu6>kWG2-`K(v9W{sFXRW>TF4!~*cs3|c=kpJCu-Rbf8MptUq}BSS0%KgXaoHFFa~
zECN5zpfxu01%_A*evv`zZRTc%=m5XOptU#iWrjEv{0f8CpUhVo;xzDU4268Og+cog
z=Iabv+c4i?&>n^PCWF>F%&iRCt1!1QXwAcXi$VJq=GzQf|1jTS&>n{QE`!!W%=Z|y
zr(wR&pmh=R0|xDHm>)7|jl}$jL3<VE#|&EYFh60?-i7%ogVsOH&lt3iVSdh_wGeYV
zgZ4Je9SmhT_zMQ@b(lLD$_nr<2Ces-yBW%j;5`gMdhKN>Yr$VK1nKe>1N*kZ{0D>f
z1I(`(*vl2>J_hX#nBOq4zbnjd8G`ivj)6U2VSdjLq&u|>0QP}}No@f@dkE%_4D1aH
z^Ct%F8<;;cuwN|9Ul_E9VE)R$9<nfhV+hjacZLF6Igzwe!5AB5b*g{^GSYNL12K@#
z2FC(Pkk1Dv11XS^zcUrcfQ+=A*+35DOToE70pu&e7T|*XC%6zO!PtrN90imj{914s
zPz4$GcX|LX;y@3l52%G42ObU7Ar5Tl90QDlj5_8#6sSj>EN}zR3^@-x0how5u!-|9
z;0VZ%f~NpSA`WzNP6cK{E(XtLs852AVyI7pk73X}-Z_^+^LghyAcT9Nt8+fE2y!)e
zG0=g$Hi3@=P{(Pm@9YJRhx`?|59o&sUpWVWLCE{TsNc?INGAro99RJvHg&E9PJmnl
zJ`p$xvLCz(I2H22;L`y3N`oz&=KvQY&DX)JflCk$TR7JMS3-s@oL2#`xB4D<EpQXU
zr-N?>?to18xD$8)aXtq>2s{M&pWufX+Bh)PAwW9_jAx9Xkxw3Ds6T?&GqmyG$AKr1
z4s>#otv5hE7yJ~1)<m3ScR+*foMd-ELmT2Gy8{~8aw9_{+dRk6U>7IZ9ncO3KhMyp
zF1*0dCV|Nx0Ig3rUt(yj;Fp0{pwH#tSAo|cUk@go0QFrk*%Y98yc2CHK_kDt$<WAe
zTY+r|PXWILybU=WOtuDSeZu)ZL(2qz0DOq_VQc3{z{il`1Lvm<S}$;Z#?Vkdoa7Hc
zTLIn<?1WqaMw{l`4cQ6a!_dmXdl{Ms{3Y-e(kJ`<1Na&;eBj*2pmi+gHvrlx?F8_5
z42|mS4-9Q4nEVQ8)4)G5v{~R^7}{9yuMBN2_&4Bp<h2g`FW?Wz<dZ)cv{vQ(i=p*{
z_cOHPg|Hk9$Hm}O2F-n~GyrzhF92sSXbx<_rUd<Va5j(wc@;R9p`QWH2MQ35=f*M_
z`k7!0a3LJefmO($`Li{Wp~L1@6~nOx44V>+jbI<($NG;Bu4Xt;$E-SF4AMLcjOT=)
z!@t(S44MyHhXCUcemS^_VLSyM&(QHKTByeanoC=Fo(cM0;9iD7I+DEr<8<%<0DX-z
z@JYbQkV)TD7{)o^RlvCj4}dQOE`m(DT*ff21K-3j?gQV-FzyH64xk(c>a9h30LDXL
zDi2^h48E6Pkj``uU_1e)c(`t?13v;h3K_5-XBba{DIVBZ4}O|qpsu>$cY=X>>VlsM
zI&A66V$d3Z%VN+PfD3*k=t$268xaiDeV3bId<&k!Ft&h?1g0X+HgGF22l5Nxqkv-}
zzYd1Y2*%ss)xf2Y@vIc83}X-2U>IM4lNbh`v%(aHfoHEUm0`RK&R`fQYhez<_yC;C
zFunwv3}Y9#oMG$*qh1h<FTnE{#&+-mpdI0#;5DLr0BwT~pA@fU7(asHhvIdJgXgvQ
zF#z^6eg~ue6+;&T&uZ~T;5o>Dfj2XZpTMs$jGw`;G8`Hhb|g5U@5p2TWi}3gk7GDs
zr;;>=Ljl9y1mhPlY*&IZ(K?VDesiOLrnMjU7+@^qi-dqm5-QU91NZ*{cA(DwfxQ3F
z(YAp1BR_)UQfwI<2Q0z88*n48(Z2(a3Li^<KPp1US7wTm`5%7@fUcD1M^}sd=o%$I
zx)vXDMUU40ob$&M`O!W9Iyx%9<CmoT&J$B!FA&N#=cF1Bt3nacB2i?Bd{HFIgjbBl
zEG>v#n`z=G%tz>B&1K?b>~>#(8T|F)7QElH4s+z^uut<k_Od?0KH%4w6aKCU#euhj
zGw^nBky563@osQ~GD&GwW-IfQC3q+JB;^d{e0=wGxpJLyJKhX_MA?9EV_w1gs~_Y0
zn6H%Y@CDSLs!$zjqMD)Rt3_&=>cO`%2dho$;qq&ld3c9(0AE9$hBxt6t5@QEyW8-V
z;5zkjd<V4|@A<uhxB0$Mzr>q}KdXP@eZyG1hnJ-lYNeV7Zw?-Uub~dtrfRdbdD<ep
z!#998?oQRt(k|7m!FN%2Y7c0SX-{h}Xs_YRnfJBNwB6c1?MLl*?SLMur|CKR2z-&@
z)9di%T~MEbFQksu+wo06KfcskrJt=|gtzam!`paw>kr{;wP*Fs`s?_P=3{(G^OgR+
z{;R$pZ{;UNWkflnilZu`{84pL<D!C5lcHus9TT-6YDrXI)QYH8QD;Y86m@yjby2rO
z-5>Qx)H6{pM!gpGR@A3aUq*cw^-I)WhGIC3L?gq<H;Rlh!*7f+nvF?Dt1-t|h&S^4
zjHSj&cmw!+V-4Q-U5huy?=v33+kej)FB@+f?-@Jjoj>DGhvtZNq~QHvr(-1E0S?G_
zf5$r}JEl91cC<N;bM!ivIZkq%;W*#1#&NadM#tTbha8VPo^@<?Y;nBp_{g!t@ulNC
z$1jdQqqXRm=)~x}=)&mIXis!)^dZsB(UYQEqi03Wjb0et6+IArLiDN8XGgDzzBc-%
z=zF8rML!w+T=dJ)Z$y6({dx4B=x?HbivA-;jfsg#j>(EKV~S%cV*D{<V(Mci#I(fB
zh&d)^LClhvzL*s;t76WMxhUrHnCoJ0iMc!Gp_s>Go{iZY^LorXF(1c#5%X2d_c6c5
z?2nC#jgL)>&5d=%j*6{{t%*H2wkh`T*r~CzW9P*#itUaaj6E^-^w{%aFNwV>_Qu%T
zWABT7Bz8mWrr1|vx5mC7`%&!YvAbgT#_o&#F80^h199<j>2c1uQE`E|gX4m6EpfBr
zLUG5%b;S+FofLOo+?u%S<8F_;Kkm`EXX0Lp+Zy*_+!t|Q$Nd!dSG*CQ6rUaMiZ6@z
z$JfM<i=PxfEq-2nNBr^eE91|OKQDew{5A1w<L`=pIDSL?3-Mdxx5mF4|6%-R@w?;q
z#eX0FWBhONe<mmij)a(mxP*j+^n}cWoCGt$l`txyJi(pdO&FcfkT5x6M#9{LB?-$C
zPES~qa9zSp3AZKOo$x@yV+l_tJe{y9VROQ33EL7rNcbq>lZ2fKyA!@l_$J}|gkKZ>
zmGD=hNQ_F1PfSb9O>`xeC)Os8OPr86Epc9AXW|KoXC_{ecz5DMiH|2fo47gg^~84)
zKTiB2@vFq|6Ms$IpA?l8pOluAo8(Fwl~k2flXP%WQ_|r{Q<G*V%}ZL8)SWb#bYjx!
zN#`Y9l5|zljY+pB-Iw%8(uSl>Nv|YrO?p4+v!vZg`;vZ4`d6}&9G#q$oS9sZJR-R~
z*_T|Gd}#9c<jKj?laEerOFl07_~hlurzD@1d|~os$=4>|oP1aEgURcYpGkf(c}w!!
z$sZ-}Nd7YUyX0Sz|4PwQ;!;vma#F06k`#AJb;?00jVXtv9GNmJWp2vCl&+M4loL`;
zOF1`Xb;^|~H>BK_a&OAIlqXZ3OL;lv&6M|2K26z`@^#7&DZi(RR7YxJYDQ{)YEf!g
zsyB6X>bTTk>Jh2aQjbcVpW2byo4PFZ<kT}$FG#&K^_tY1QtwQCAoa1-r&C`@eJ%B^
z)DKg)r|wPtHudM!Khw0d*tC?i>@;WE$h69|K-$=}hO~)kQ_^Op9h=sk)|u9ywleM1
zv~$ufPP-!Q`m|fq?n!$%?TNIFX)mR{k@jxdCuuv={*m_2wBOPWq#Nl8>FMct>4oW~
z>7Ml3^h45{(<i03rq4+ar7uqJNne_NQu-O`=clhpzdC(w`W@-_r$3thRQmJjThc#F
z-=4lVeP8;|8EQsMMsh}0hM7^EQIX-#7?V+-F(IQRV@Ad?84EI&Wb|dM$T%b8;*4uD
zZp(NuV?)N~jBOd8WbDoOHsj}vKQpz=*vyp7>`Yf?S*AC0bmq9sU}j6^tjxKY3p2Yi
z2Qp8{JT3Fw%+;A!X5Nr_Tjsr)>oT9rd@l3l%r`UN%ltHRSLWB5KV<%%C9)h@iCGz0
z`B_C-6<PkQF<JFl6S7*eW@Ux47H9QjEzLS9>x``Pv({u?owYXWuB?Z%p2*sm^-9)T
zSs!M7k@a=f4_Uuwi)=@BVs=J$es)oIS++m>pzOx%!?KUeo|Qc}dtr80_CWRt*{5Zn
zo4q>w%Iq7mZ_B<n`_b%YvR};JlKpn}N7*~G_htW>{jVG)Cpsr7Co`uYXGBhUjxVP!
z=g^$-Ig@jy=Nz5WmUCRr@j1(LPRThd=fa%Ja<0v}Ip?mN2XofvY|MEn=Z&0qb3V!0
znX@nF=bS%twcOa;l-%rGXYR<{%G^Ni!MVZQBXXzZ9+SH;w<~vP?kTxv<zAS3S?;yD
zH|O4!`(W<++>N=f<ZjJ<KliiT-MRa6f6V<?o{|@xmz0;A=gKR|bLZ9OjmsOKcVyn2
zytce0d4qYU<eiguao&}AYxC~Rdob_Gyyx?_<h_&kS>Bg<|IGVWzM3DKpPpZkKQiB)
zKRUl5|M2|Q{5kod{NwWb@>k}cntxvYrTN$9-<*F}{)74J^PkCoF@H<`+xZ{m@5ui$
z|GWHO^8YH(3*rh=3vvpqf|3GvL3P1F@@w7}`JLz7g0_N11xpHg3i=C{6`W9TO2O#`
zXBV7baB;z<1y>eaTX18+Ed_TJ+*9yC!McL=1se*UEqK0QOToJZI}7#|{AQ|VoS9}8
zm?fqcUjR3oE#_=|1KedUGfy?oH!nADG;cNUHy<}QnOn^F&F$v5=C4lOnc&RA_rPUN
zzw;n`C)(<qi!XrtoToU?bzbVc9^d~y<lNwV(fOwHL+4KCH_ksS-Ab|YtPz&mI>-uI
z)2w5y#a55C+&a~|*t!Z|{oZeFuwJy@v_7<UTHjcIxT0K1t{hjPtK3!XI>;4tO~IGH
zZLTiYGS{iD^IVs?u6Nz;deHTx>jl>vuJ>KrUEjKXEz}AV3JVHL3cZD63!4jD3TGF#
z6?PRaEj*#{^uh}ZuPnT&@Seg)3!g1~rSR>-PYU-GepmQ=kyeyYlvQLExr=Ix>WdC9
znqD-wsIzEk(J4je7F}9&ebF674;4LG^nB5_qK}I96n$Ux`v_%3%80xX#UrXl)QxBy
zam0w3BSIrOM)Z$3X~fwhE*Wv{h+9Y8H)6wxmqu(I@!^QQBYqt5SFxiwr8uv6L~&*D
znBu15$;H!(k1k$V+*`b|_{`!9i!Up_uK4!i2jy4GFBWepey8};;xCH#7Vj(mrTCAL
z%E*|JNh5PcI!6|dEFW1tvT5Xuk?kY<MxHwI{E?TBym91RBiD_5dgMzZw~hRG<nEE*
zjr_etD@iEHDsh#RmsFRGE16i*T5?RuqLSlFPAECE<l>U6OKvH-uVj76b0x2pyj${l
z$yX&mmi#r!F)C$L{-}|oJfp^pY8o|p)T~kSM|F-`I%?IZ^G01Z>V{Ewj(T|1Q=>MI
z+B)i^QM*QcJL<PmwKTpov(zdrD-Dz$QaYh@YU$CX3rl-TSC*btdSU6MrB|2URC;IW
z1Er6aK3)1^>6X%WOTQ@nru5IU*s_c=SDCx);IbpiW|Yk>TU<6!c52zhWjB=FUADe#
zW7*4PTgyHw+gY}+?5DE*<<aFS<<4?<d0ly9`K0n`<wut<Ebl2_UcRdQyz<M+uP?u+
z{K@hc%ik>jpnQAzm*qc{|52e=#8+fiSQVuewH3jNBP))oSWwYfF;H=G#n~0BE3T@z
zx#Hf6M=PGMc&p;mioF#-Rs5?`R2r4>m8q54m1gCL%CbsNWliNll?{~>DkoP?tDI9g
zuX15!XJudI^2(Dd&!{}Fa&_eumDg3?TzO~Z{gsbYK3Tc3a&zUD%C{;%sQj#QSLHt{
zzpwnI@=v$wj&>)y)7`ml%RSOv;r6@7xa-{$+%4`o?soU_?q%+i+^4%QbYJDZ#eKi~
z5%=TnXWh@cUv+PFzwiFo{e}B0_xJ8!-TSMes^Y8Cs&cDbRpnK_s=BH}tHxJNu9{wT
zbX8l`aaG4xEw4JY>cXnatJYTCS@l5GlU19lUa8tz^?ud%s=Za;R{dJF-xKAD_hfkT
zJw=`}{LI>D&p1!ebA)G_=P1v7Plu=1v&?g{=S<H9o=ZK~cy99C>3P8OnCEHF3!c|J
zZ+SlSZ1?Q-eCzqyE4(q@WN)5#gty#V<2~3r!Q0}U;|+N`z5U)3y=Qwb^<Lw>&3mtR
zz4saKE8eZ%kG)@bzw!R$J>ZM>CHZoFE?<Su?>orX=$qtg_092xe2aZOzNNmCd}sL1
z_pR|=?OW@+!}p+Xy>FB672i9)k9}YGzVdzV`_;GKALWntr}=aJF8?ThmA}Sc@1Njr
z@z3#h_?P-m^{@6{@4wT(&cDh3y8jdZUjHuvC6FA*3zP+_15JUJz_Edj!1BQ9fi;2a
z1NR2j2Q~+`1-1vi4*XKBRL56mRToy5R(q<)R0pe%sGe3mvwD3^Nli_CSE#M8r@MZB
zU;EPb!R`)^x3LN2ZLaq)`IrJsHB6(K>X{munk6;xeGPnH1K-zBQ{S_wr@MU#qIkSP
zy20aZrYIg?z%TFf)HH_L@Dpc^Z5@4WgIx<d+m|=Cg`isFf}Vj;8-9~*ph=!{Y|hiu
z+yw1I1I_YEGnb`VmZdpzo4lccRc>IF8~FAHR=JT?Ze*1kS>?u>=7`GPW-k>Sng_-Y
zsW)EcGk$nJ_+dZa_#rKQl(5GWsP*_gR7#Jx&Oc!&0jZdev-8zYm>=q!IMC6#pnW2j
zW8&XaZVbx!ja-n%`iT+skZa>%e@oWm^|Pn^Tqb{Dk~Hq5ux^OZFbV0)B*SqzWj~w9
z&$bD$Z34c@G67kL;ONOi=>)1}8UZdwfU^yZZs9VtEFSD$6zUu7>I@B1W*%>oSH^E-
z4>WQvO`J;;Yum(WHE~)^q?X4U;F#6Emc>1N-7<|P*0hO}YT^jZoD^3sRO6{q@2O#h
zz0K8}UNxs)&1qC~8r99MGJ5O3S+knb_V~PPp&HJjhPAD0o)%8r<CS5E$f?$Fsx|U%
zZ%xf~>E7vVn(4CoOz*=F<4ymcR^sZ?M8<{9YMJVo8bIFWX0}pu&2+8^(<63iW;L5x
ziDp)!navaQ%v{tLTG~ESmUHG%IcF~DXvgmXcJ$Ad*Jlr1k-3ewZ|6*dY`oy;IWn0!
z!)vOyxz08W#r1ecQ@w@%NE=i;Ux<qz8rI@)+VxyB>bX6r=XzC7MTZ-y=pZh7z1>9d
z6Vbr;HSm26d|yLtXxQ@+q#MxUuvJI1|2(yAQv0@{qP9s-wnd7wAnaLhvxoEa1Q*B_
zr(Isb4_Z>|*)Ge{9=T2G+Q2F|u*wa5dxQND+YbS&+{h|7*0x7fMvKEf4^}T4Qg4yW
zXVLI{@a+2+4Qc74ggu@b+2Sl7x>IW8<9zDadA^3lXmL7ZmF(bhNF&+LVk4{H*wDdB
z+2mdzBl((+`&;60EIZ22Me<iKS=86w-i=>~T+q?hDec@T)$D}!G6_G|%kX`iou94c
zXEO!ZOaXtlOhDcitm_UJ7nO>O5^jT7g+N_*h<^OHucvo$dk>ea=YKw7TuJTT&Td@o
z#;J)5A)h{PvwZqMq#?3o)vEnHk>{<6m2P4eH*th!*4?gh%?*7+MX0Xr3l{;+5f{9g
z)2QY&s)PM9djG!}xth{O^TPMka27TGfpBtYfMgZ-c{#ZnPOgSks^cnEQ#&Y~K4?3g
zA4F=02LGp(_!*W>G1?(+I%T_yGrM8oTGd=TXxH9|U7A_VX4a*db!lc@g5G7aomnQ!
zxooJM%fju@3VD6S&=nNj+bmlXZ*!0{4YJ3Bbt`2uD~CTBXouL1brctlBQ-oeS>I4y
z*-q8e6nK2qR2e{ape(enTHfcA9R;pQ<N3Jv@Kwv_%vUGtgirbqQDhV6ldi-WnFk~r
zf1m9+*>!k)(sLlr*7jKqXIsPB)=<?(6wbDe6RVL9@YQfeb!1UQv9H-@oL?Q+6zO@7
zua=8h%UaiRwzXW^TF$nXv#sT9YdND@E?+I@SIZWx<&0`MBiWdGe4{z((VX;XPI@#a
zJ(?36&54cX#71*sqgnaUoTlt$kQggp$6D9fw&tYkI8An{PxcueU%kBMl_NNhuWt0h
zxeM|C+zvW)E}T0+JTTE6nkefOSXLMCQ0>Brd@8`<8VHde5ef?rLfs)Uy0<YX1#ffX
z=&(?aX#5D+aeR%o5WuAn{<m`v*|~>?=Z+uC#n2CthH|%iN`%Qr6ig4Pon~XRoo~H2
zEcnAhby%nk3w2?kAuKe7g>XR{!s#@G(`g8&(|~mB?$jL$D-guhVSN)$Y%PcSCz%EH
zP!yBK@^+p+&MMqbxkH`!-!=;O5;%v&?fd;~M|9ue^7zB$@uNJQ{q*a=?$AP{Qs3FT
zIMmQS5E>uq>XM%F*9Dq;@gvJU-E$D!JP?|;7(5Z~JUrCf8=4gAn!g})#Ngz?Ssg81
z9n_mo>6p5>r?q2IS7=&ja5~>RWpPL2;*Kf(9prp}eVxo_pr^a1-%gxm{Nyo(QR)#P
z>`yy&8E&UKTpo(nzKCxQQCa3g*+o>A1?`;!p?210B?9q3ev5e^)PcN~P)RyvNu+)a
zjopLGJ9@Y{y&Zjvd-|z31EIk|PM~*jN892K$UR-iP2R)Lj$iiv9>44eLDf<Tsi&Pc
z%XaxFa~VKFxCC~-GThE@xI7dsT+rb+|EHK7hSopmp_T+BJC-0%=7K!J3VNtr!8O_2
z1U=NQ;EdW8kQ`wKJ+ki!@?0>;1GFFy>Vw>;26=iF<k3%%$MHe#O@m%e)5~f4SQj7b
z(#W|ta_&Ap^Vw&7pU=LJb@8z-eon>Dsql;@$ODQX&%}Z}CJOR+Dd^`^czPD(fl^R*
z%-*0JqF|EBX$CmWAfE;KOb){lg*6MXW&uu<X9__ckpy}A5aixF$m5eBk57WKH}eL0
zq7meNJ}5gUZ?MMBmQ4`kjAW06YxWsu%cGN^oF3tt?Hs-)`wVYT_8A~fO!gT#v!k%q
zJTnRMz#z!;%3vKATK3Q0U>)CH$GOYC6oGtu9lJyJm)@XUn(zke`F5Ul1nc>Bo_qxB
zId`6e1nc?sdRE>eXBI&Z^;q7Z>~%qW=Ak|cRgt<z5Orf9>UBYK92@k=;Y^U1P=Y+K
z2{!OGFDLD_ljg)^7w!#u`OM2ndpT(@CoR_?yg@lJfG&JZcJ>J5`+R&KuS5iSmJsxD
zwmw#=k<a|Bgx^+z18X@7FEs>t0uc0bMt)X;R~Ujk)(`RwBglj8AW!pyJogXs&^yRu
z?jWx|1bH41l!FqK!LG@yJTD&wdHo^CGl3w_jf2gcyBy?sgL2G<+u56PFoQr&MUMP%
z##+mfAI`XZa^#1~&S$*75ai)~P%bmz8e0%!VDcuf4+MF59<1g1B1cWQ#`(!1AI>;G
zIpo6`=OBlCsET~X)7l`<S%Y$z<qh)cT98-Qf^yJ>$AXoRgD#wL*++9KqwShydy`|z
z@f98f_9icX1$p@^$aDB0521r{(1n<sCQl%Payo&<JWeynY4WmRkmvHjAeT1C#gwBo
zJY056JCM_?XFYkkAC%*IbU&0dh#U^0#}`D;t;a7N;PKZshq`+P+B@4jLJ`5;7V4F8
zcxdadt(HBAJkYgp4;1cKkP6ocUJnfNTs_Eh^<a>naGtjW<w^ny&5Z|7`GUNP7338t
z{NWsAj>edY7Z-y(`w8+YOt6tn-q2*L3U4<@#O7c`3=TzT91@#`M2rHtu*h#n#Nad%
z8WueP*@A#5ZxFc#M9u(_GeG1F5IKX02Vf-3=Md?Tfb24HUHT;;J4u{jkjs(k!?C5q
z0<zo0b?LW&m&}PXvW_RfE2IHlwg|}f2!X7VY>#lpI?473XRLwjd~wDa$nF+roS%;#
zIGk~QKF&{ex1NA(ph0W{*(BqP^OH?7&Nx5WB;$<p^YF+M=hQQRIAb~Hz!_&O#~e7b
zhy5h5+2kk$7g!ZJ3h@MZ@)zLASb(c)fTuhG`Sf`L@<AiAEenAYl-(OHP_-orUk_Ve
zK82n@y~n-)fp6rAQb6`-xXud6{>BrKjS7gJF9%nifULeCHdv!QaL2iwAdeTZ{~$Ht
zb%Fq|69jk-HXs{LPe2Y9K%A#+89V{mp@2Af*@fVY{UN&$oUuP-7lN~}Eg*1_ctRhL
z11Vf*$H<`*&cc>~V8?Edips$hu5%rcgDISGos^x9Cm=f=5I-lfo52~EQ+6{rV^amV
zj>usb0$BrI?+oy&LqHC+aE<emYuPyC{CEu_z)K1NUWy3tQUrE(q`JHm5#XhW053&=
zZ13`#M1WTz0=x<l;8lnKuR?&ral>^|j^sQ6UY-c>@<f1FA_BZJ5a1<&0MEYzvMWGk
z<HFX3Gl#&I<+YH29AqIHPc)^#*LkWQu&1l2eBml2`vaV_XXHo<wUBFs?EP@YnaYtq
zDkHn3(Px(l0%svxUQd80F9BXW4{#?E;7%mK>u~|uQ=>AnuVmZq3CJ!C)xhiS@1q2L
zUT+Qk#TmDUkNuK*y9c|l<m)CLSk}Y57>k`!T8KY!!$QYW4(ab$E(7|p!PYIMcKY)*
zQo>)w;Ygf8uT7lMfSnOBWh7Z<M3T%%3X~BEl#yha5lNg8Niri6WDY$Ls0hTAvSgVu
zNit<AP|74w%93TuByq|l$&^WuDWlt=gh7-pkxUkXOqG}t1yh<tGD!%WA_SQrm@2+U
zj<S8t@^J=H6~SN6q87o2ApjFSMF^y45rNeB`>^H4ME=DYHQKmFPoK{(`y-HjCR6dt
z{>WD=+bWQ}y;=50zGm4Uf#_KT$=tniectCq2Zr%CrZ;qK2o0c2{p}s@fxad6?*6t0
zpb=;Snt>oN9+&`31P%iZ2POeW0F!|hU<z;~FcoM8rUBD|8Nf_n7BCx_1Jv`X5(HjB
zfiP@c31_^p1R*@`p_}Z5El9j-13@k>^|zsrv<ZwzkZ2z`BKaaxAR^U7q|p(HO3wFE
z*;%5}OQ|7}UPC0khDdr1l%Bm;Op<*Y?HO|dv~6rl*g0kin=^D<V_W-zj?T^yiD6R=
z+f9}+<RTQV4=v}xIlMGw>xWJ|EK%mXzYL){Z06>0+RcA6GjBmt#9?N(ccdvaZ04bT
zX@s&xB9?22Sgs+WMMK1LjS<VC!L#pej99LbOki(Whp%GXCgah@HKbvC*K`)vXlMsJ
z9NS0f^FB5Q!RU78;oa<T)H?FPus!Wa{D@*cDim#QgY5NJ2w@`*Ux7t%xULSZ!6GnH
zSBI^_+U3GXH*ATB6&oqT@Jg&54@<Fl+WzJ+*dE&ewuP{^7_q6JROkJ25{A_d#HS~k
zHqJrPdBYNjD1gBRBJrwZI9kMufru9alp}Aeb82uCr7=02<K(b4q^f~xj^%9*L~I*~
zs2`v^Tf%j;C2Zc7zZJP9oM6kaI%@CK)9u5ze>gMRuMcP27^#z(b=c)<ij<})V!x({
zdQB1anxuMRleEzNavwjEPNe2HMRLJ}#?GZVl1t>_N5jNdv9S}0S4}$bhJX0hYRZ^*
z|HJXCBU)8Qa>e+_&a0YI<F^1v_?!J&!=8~2kugcadja9QYa*J~kS>exXYsHDI={0&
z9HEYq=NASzh~62nCA>Bej#d-Vr^YTF;*s9d!!Dj4cJcJTsmQMwP{d&_w%<6Q(C|Yq
z-#egy|LAkOVTJeYN(ZSHv1PfN>LL<74G5!`5h9Y*(%uK5^zpVv<XXf|VejG2NJ*O`
zehiWo`8@>^!X+K{wgLqYD<HqKfWX<|xWnFGpx|L~rM{zw@``94jMNMH81kzPxOq<4
z>qD<OAXFw(7pe4hluYx$VjQOp6`9_C;JB!!kqR4bYV0uHv_Lf4w*bkl3;QnYUO=+<
z7$DIe1_j8Y+{wV%L@d68<bDR2w=^IeF^I!tI?U?8!QOy?G=)yF$$_KX=Ky1?14nyb
z0unYnaKxSm$^CRB-(%+k66H6{p!Q9}LgelUt?Ks=&PRM`J9N@QI}Ssqlqyyx?DVlX
z5s|`A1(qlxVYaVuN4Q?n+63zs@P=zB)+Zui;kru86XAGvtwkz!-GgM0cOZqIH!M+v
z?}&7MSg44EMfAh=mYuRMqMt9KpD&`HFQT6>qMt9KpX?^3HGC2MWUs|x5&e7-{d^Jq
zJQ4eOBKmnE`gtPyc_R9GBKpaplgtBa9CkUR#EUteh^n55s-B1`JrPyI!zQe9L{#-e
zRP{tujWl*x_y}iL8&Rt+QjqYIg$ZQDfOQdFu;O8>8Xlfv{uoKGe&}jMgYdAEmN~-r
z%E6{AdU)VP>mA{%SmLnr2zPRrSw=JscWnrZXcg(4u;dZGw|VGlM3*3G5bDC;OzlVK
z09j6*`tc`r+i^k@CmiLxslQE5n?N*c>Tjb-6OMAu)ZfNarv5fLW5VfjylB&f>ntqj
zSw;=-@q_LC^mkZ?iIFQ<IPJ%dawjEy{2<QIQ-#IO_JspsS^n|j@Co7!zlPKB<;5%T
z!VP8A-o1c!WFd6fLNETfZnu4#l*9MT$9pkL+6U}Q_Sx`@SlX3}&?Wq3SDHD84TjA{
zX)>@h8Zny<5*v;LX*vkfc*JZzNVWkXu?ZmzQ#5>LXG*6~pa%|vh`+_$6_OG=Z*ab?
z%Y0iGu&vAdur3f-m-)6XU|W~@5nbkob(#M+UF@^4E;tSAGC!ird|o$L(A^_v_rzou
z$x;`Rq+O&yx{yG2kt}r~iS0s?v<nGCc8Q#^F7lLhA(8DulC%rf1?c@aH!<lVS?WTP
z)I|!U3kjr)WT^{DtP4p}7ZQeaiJY-6@|1NUk#!-dr*FZ+_O1?@LI|w`9Eg?+M|1!<
zqQ$}y&nJ#(sc^(39Y;*lahxcRn5sj@WF1FL*Kx#z9mmP?h)Fx-De`!vJWiFzR(YHz
zkJIIGhCI%c$64|?TOKi$M+#h}=1aLv9=W>V3B}cg^0-JI@pvHw9W#!{$>S1v!~={F
zGy^!|S;P^|368z;c)UFJ$z#7f;&H;&L3vy%kIUo{4GqFq$m2?Rq?Xdh3&B2K_Vw{f
zn@?_hczn&Cc6)S+JKOD%7$r_OR-^lXEDMNtNFd{_4?4E>;N1*)E!=+4-F6E?qTPl-
zT!Gf5adPuuAN~S3CU14V&W=9nrhK0InqK@tbiCjoPwE!*;AJ)v<uW3ORt!OM1;-;_
z5ycrV4#|aXq`<35^4$PjlZ!(>Z#7R@7Sh{$NWm)?VnK4T$txFPaVD3SymI{&XS65}
zqODR8tz&|u0$#bD?Zf+fo%qY!?Z*#>I`Nhy{(yC#lxZW2!tgdnU(a$Wc62X9tsPi_
zL_E+NHGiN3uf}vNMDPGvyAyv_y`wGENxAsso(0yVYWfG!I#H{Sgcc084M-ile(DJj
z-o8Md*LgyHeLc$tX{8M+`Q#b(4Rl^Dw-E3Wn=EOyd>_JBTkXRiA`dO%TdL*aEM9lx
zC=Ipp+5*0v4OlI=50HwqLXF&k!pm>+tX6J4`S1xsXV1#^?nUjCtw(MFfM^Q<B-j3Z
z(o-HEFaP@F%lkMZhk@iGx=+5hf$Aw2bbaz|44lz=A*hiOtCoZ}@yRhnwEP$rskR_Y
zE;@sTE_vPdC2}BQ_=YaYT?)L|KNKPt>-`vIMN*df`!U*zgpje2PK}!f)Fgz}fEbbG
zg0~+7u}FyAc=BUB773AM^<!KX38AWo#OsGbqy_vKr$yqBF%YM5SO~A9`*~vu6uHEE
zg?^06!?*Lcq2KGX?ZW$qevHxCPP{ef=dD3MZw>n8`!gP1cm>h31(N>bg;%(pz2ak|
z^46c9xBmRR^#`)`<UK&YZ^$^j9q7lnI;<z}4ElLz(C_0y^Io8z_X7RA_vGijCqM5t
z`Fa1y&-+Jyx!{b-$hY%uk)L;jK#|ONJIK#(b;3n3uU(U*7>UPM!ZnJn*>zEhe~;!F
z9?h<56wR(<QvCZJwqxnaFz4bS3M(VUp?m1m&R>duzhYM|x-zVS(W$MB6o>Aq8OleB
zf4^eqLsy19cXVp!BgMbpW9LIxhCO4Ht^Ev1ap)fG<AzHr#mE&b(uc1|k(H4m=ix;T
z_N`L1BT%S};Niy5<Eh1%tgYQm-9a~v$ZQ$)+2@h9D%gy79^4-O2@I>F-wIg+Xrb|)
zK;IIpXQ5TUpl5!&)w-g8puMZ#n%Lde)7RV6M@_QT(QV;{K5IIfdz`i6#kzLf-o2oz
zr_bual|HKt-5%Q5_I`I`Pwxsj<gu{v;i;gbPaXsRTMnZZ4-E8<sj6DGY?(VminuXC
zsw%CpmURp)wx*&3?OTehgFW2?*5puEyH&#FC~@26X$^JvTT}XalsD+tIgY_ETkcSF
z{GvvkGFLeVfBWrM{5r-#_zP>R@HeL(R)5Fes5(;X)K1f`#@~J2qpSG63a4IyzYTp6
z{-*0@{re~dzdaEj<&CP3nucGRxHoEB)Xt~__}z$3{Qcwyji(*D<8=Ja!v@FR=*;L`
z{CdN&(JQ0Rj6Mgy)9^uzGiF@O%$WHx%VJK6`3%3WkQ!SSduZ&W*w)x%W9P>X#GZ}c
zQn)&HUF?q7J@~DJk#YTTC*v0pHpIPy-$U3H_X~avL5(ks_ry2H9~XaZ{Koi?;y+8U
z62>G<#4i}kO*jv~S#ZDn&4M2ieoxdB6B2V0S0!Gaczxog#MhEylQNT*CcTsNb<(fN
zYH~($Ve+`-tCOEdemVL5<j+$^r;JNE3t#l#o$_eP6RFXuN8>B~`_n{PVp?iiC~bAx
zwzQAacBU7kk4$e&KRo@Y^hN0pr$3YaGQN)An!Y=IAHIqAWE`0>ka1bYl^J(uJf87v
z#^;#@nMY-wn0b2U8u>l@-I)($zMlD3=4Y8Zvof<rWR1>hz<2A*v(C<X3}2^zlC?MM
zo2);x)$AC2nQmp5W>;kgvP0Py;_LJKvme9P=Wk|zFTXiY$f?L_$eD_7%opY?$r;Ew
zH|Jt}Uw#$7FuwucnBSgrZ_b-JZ{@t7^Lx&L+?d>~+`Qbex#Mz=%so1{J+~KMlV6y7
zxBQ0usoeK+Kgr#Z`)6KMUTj`*UUgn`-Vu4Nc}K}_#{2SC<gLm(GjDa?J$X;%y_dH;
zZ-0JVerCQ4Ux^=*KOz6f{F(W4^B3iJ<)4A?!>`T1Gynel=kwpn-<!WL|7Uy+o>WkT
zZ@~iv^#zCHFaFLbIHq7h!EyNZ`vQFTeGR_(URUr~!KQ*&3bqw|Snzql?t*_5d|&WO
z!5?O#nQs=EHTYZ4Q_Z8yd1i;%i*LP8z+VJjgD<@wGdIicyuUENF@MJ21~#1W`1{Y9
z&OB#{b2Ps7uE*a5p6Bd!p6I;5d4=-^=dJiV!1p=V;cM^bov%8#IX}Q(eBOgEzJIh-
zeDQ5r#a5X$+B(=e+?s7IwEC<QtTU_&tt+e>t=p`7tcR@i*3;JW*2~uG)?3!+);{Z3
zm+ne&<>AZkQkTb7>pH~M>^jUf!!_U4?ON(O&2^FMYS(S9hg^@io^U<wdeQZ|>s{BU
zt{twgT>o_a>iP@cfJfsi@a)2(!qP$yz5@>y9#J@>@aV!&;ljctzxJMzv1!BYFW>6C
z*qD6Fv%Q=0zJL9bUu%DjTKxY1L)mwLMUia({+gj@uv<rD9MqW|#)vuRoYR^yAW9Me
zQ4tX&2$B>9MM1@gN=6Vc0|Fu-K?Nj;Ie<zq>#D2Pu#LN~26ylO-gm$EzV|-&Tc)ck
zo;r0>ozrL8L-k}wwqSJZ!d?nN&vwaD3!9|ZmqIV>%QG4*-e($Ww^}jSX1)2+)kU8^
zCs!3bF`AUhE}v*SxVu6aerN1^BVJBM6Ft(AtRZ%S9%(O(rvD^@Ot2T$5Q)%{j8@;(
z6<SUBMn;j54?hw5`ICpn!boA%gf2oWHBVCf<mGv>r_$9<*VxT#Y`0n{2h1)1vO`Ut
ziuWGbbMl0OsHZmw`huu)A7Q94^h-ZtXe9I}+46UXN(w5K4=yk3t>)!1hr{+ARd35-
zgMEWSb}GGn4#q@;MDIPJo?{_i5VtPhhz~SpcZn}rt&Sp-RL0(%`ec=S#ERQ==Ax4O
zk1n0}u}@PA2PBrOZQU%De4U6q_v@nK<w;S|iAf$&P8;1loHj<gCz4^R#AsUN9<|ZQ
zgBC@(C#j_e7O|BiS4`TNJr?-!GuJv<8l{-92^Vq`3YAZy7R*x%t2Yl?)<wZL3U=}j
zSMR<%qb74SvFup!Fd@d*+Q-bts#B17Yo^!Lt?9i;Ove#oV%qHOzlL4l;b65y>9;j3
zG(heBE4$-(WKfKfCwu+mMEb0ejDE58`Nn7Jv7YSdA%`YTRtN^Bi>5C!ORY1yvA?E3
z!4or$F*{5=Qkdtla<j$e6?71{9FHvbD<jCfjzh%6tl605<p(dY&Ide?B`6Z&j^%_J
z1?95igO_hys#uugdd1&}Cz*As=fz}#niPx^3MB%+%x>B=(+h+*B88)b0*Nr8ZV};(
z_~OIY;)@m6O;ZQ$HQKq9Eet-j)k(3*)pz}NBdPq#;hebZifhXg$I}6pvpK<WKARMq
zJbau3DgK<>M08%WVPc{);9Npi!m`7~Jo)4&ufLOWIbBVXg!MCsT9_zt-DJ7dTq$%O
z|2xIFk<UMqj^*ha*QTnouCbTw7NiYQ3R5WB$%Qq-I?`4!Ad@L}-SCs&FO5HQK~3C+
zh4YE7Ad_ryUmIYj6eRN=5`7}8x=)aw>gk+Finx@u%Tp&Rg+79)hcH2y{Jjt9MN#X8
z_$y)8BnUbK*&wl?^J>i|RyyhWqIzPaAYJc#C-i$WcRLGR1*3&SCoMGM4K*FBg<`Ue
z?5!5|5*u>mcC%E>YYc>$@>-3znCRP;_n*4lZjzZ%u$VWoaBwkG&T+o@QcbRo5^hQa
z{jAwvDA1#{Tm0KAGJ=fi`AU!qZF&wAMhPQ+8%WxyD|LsP-6Oh$y?Xz}i`+>9E9fqt
zJY3BeAIhgYkh}cUuu!9IE7`(brzntJT>aK>Gm<iSFG$5;j=ykvRk1QB=6voxwRsr3
zap!g)4<$XpgGv8I1wt2LEGum^Bn{=lelnTZlnOSa4+$z49*g-$qDI5}<cGL;$D^QP
zqcCxv(3|KBuh{~+BJw(q^rjmav?y@=B8BkdQB!wgx)R}wx23PSH`$@`&fJ>qok_Rk
zOUIt#7K~dT?s_yqk#s7eFw|&gE;}gL)X_w-=$dPB0L7NG>j_8EfMNtEuxC>QG3m^X
zrZ^GiC$GF3k$GM1P{6LSSnX@B9JM0#TK=V^CvmYMyOPvpl3gxdyFHbB!&x#SfwVUo
zBX$=g^w{&mIVlsWu@iOWczHr(RD1$Cs`BvI<PznPKs>mFC|cqXwP}+lEsFF=P)lbx
zEgB!JE(m6`Lyx7LrVx5vMW^$6#+ifxjqFtMfWa(ZBPMiS4k-eiqZTpfj2+gqQW1IS
zCx2dc_C}uCB9FCLWxjE)QqUjQg0eNAiGE>*i~U)3<~26MZr+8lN?|O8(@&I@QuvHg
z^OqtMld}}%CKqQdUF~AK*689|_Ebz_RFX0y(ZznX?S@%u8wsDW`&=Mdp*pa9kCok`
zAd^K3KJ$3ind^$1<|)(m8f`OYGlOG1)+#o7dbs)+@rTmFFCM(87bXt34YxgH^F+w#
z_+Cs{O$0kZyhMogU$Sj+z+y@qd<uOEeG8_N*p5@hlZ9B{#akEqE$I|2_Al@+3@BVe
z%jqu2t1ewAdZH+HO|^A&b9Y!Dza=qrZ^)idBNG<~vvo$ih@A417Z=1{ysTbRz&dZx
z($gXH?-LQxEqhRZ@$?p#M0NT#HhHa8!W^a0PGAO5W-$EY03xSnjYJj+kz(y$ofQ!)
zjY!^^ZrDoa)U52&scAW9Z71wkuivoAe}i(fU@d=l?>6a4+Ah2|V9H{XNs})xe{??e
z*r`Ny&mHFGi<HjphmU%yoh@1K*hHU9rIg*ZBY1b9a`TqMg&WkrlGbVONh%jl#&Qu4
z+0g9)d;OKBb|jmdOw6YU=99%M3E1cMc9Et^fB#*<f$C!u*uDG1LJlb7qqdpEtJC`Y
zDzs)7Z}9YYQw9d@*}FsSGoB3&KeX$x^6L4hXBp~BB4Zy28}E{h55yIMjCVce8I`Cw
z6BCt54`((zb(h8Z`3k<jc(zAO@~LCTPeiEwV@~aeQ+|AW>-RLT^P6MTzm*E(Dbhz5
z2&2Wd&r5FJSJaqZ9>2`o(Q<>)1qU`ICMiBunU&<YeBqq=LK}gh)GktTGvZq61I6ip
zQ)H-WpT`!(QacyZAR|YiQ2bwno0re$_!5;t!3#~ty6N|1pDuH<*Q+?$r+@gi(f^Ha
z%hS_@E@bSYC9JggSbk!)qIh}ouol##bjQO{vBqVKqn{C9q>_D_t&+W7tCGs6sJydO
z23gNZ>T|0*vQH$gPWA0I8Q!?Q$}B@Idu^{Bdib{il(SUojxuS%n4$-@&k83Bx`Jr&
zq>*ZVft~rpAa!97n-LZn8&5f*g`d3ScFOf~^~&@4)=!n?SG9t~h9W9RICxR&FsI^E
zkeXC#1&QM)sUR`CQQ&7UUOm^&sMN#!(p2TtS(I0+`Io{-`IUp2(P@e_>ywm21=>;$
z6&2vA@ZA#Nx`R^VJt~97ha~Kw%$)S&WR4Ch*$H1x%r|u(DI`)_pE!z7iEy~0yc`vq
zy-&SrKkKr~Z-=*%cPHi*<X$CzI;5P0l##XN2932OyvC|V_LWjuJ2C0`xs=Eom*kC$
zATL!VQD=&8DTriXrqIbqFcsGdDRQ#*ljL)r)5KX8HiE9Yk5DEjAw(>ZeI=4I`!Pdj
z+X$>$dh<la#WF=oK%8$JN#Q*Ad%G*FoHs5BFp6-r54Tkc-Fg}e<JA0-Q>0ZG>9&`2
zP><pZ151LgQ8Io*5RoOqb+%R$F+m6t^A9pzEiI`T(PnMTIajhqbvkc-sgk#IN?)j4
z;by;lr<&iWA~uFjDtV!p{Mj^)T`cB9+*N!+WaOy?&&W-iJUll!M|n~bDo==_MIN-s
zlNLqNBHpl;l#pVf<QacgMQ%!nKEGL5D7SD-J)07lcs5#{?{>v+rNZ7}gSC;A%u@Y&
z%b@rvS^JRez9Xx(QprB1YK5w+3Hiz=ky@e3a`QkcRLN@nIq4qNHWg2P@srnPUwxXY
zChIk4*b!pN88a;eIi=2KL@r24CQF5$&CR=g99a7;uHM#4PruMGe>GoCxwXEEx2)ut
z2#tp*!mwWamP|jMaw0YIQl~I+^y-uAPON_?Oz-$gEG#DVWG1=C4yCf&IPVR<&Rgs#
z<@C7VbIR-V5HhagKrxvi+-9W%RHUng{Axh?4UV+-liy2AuR5(JGc_YACmSl*+6ti4
zvLfh5Y^jJw7Bw6Bxv(z2?!N1lTmAQHXGO%Ep9ddH{N&~lc2SoUDT%RX&Lz36-Q>H;
z$<2tTycxVaJBUr(7k(^C$<Nq7Ic&C3ka!yTMF`LgVu$l&{B_dz7C$sPMa4H#*xOQ?
zPdbt1!W;IrnAYh-R*_J)zgS2RYS>^>GfK=ejkTh2Dqb^Pcd>b9b#+#HQBl^aY17Ot
z7pwV#^mEq=R-Ie2*k;X=rD<yl)#r4bHb<U46C0IuD$ZlAgR7^rTB_M@IDzaE7ak}H
zyGAFoKoAL9^ctm!cu3J}ap3GAQ!Um}ZeT*Lv(LpX6B{jVd`pH1N7)9kU`DE`=wZ$d
z6bnwmZaS^qbXu8)n&s8PXEFJxNo8}IM@%Ob65&I0DwSTha6F~#J9lqWdTiaFvPC_H
z^t?u-Y-+^GLvhN(dqQ^YSGN%OZF{|xD;zu)IIHIi9oc@wd~~x{4cYik{8Z@6XGL5+
z|5T9_kmwsjPmuS14^PEx`_1NB;WUMmtJbe~abNF9+N=0cA<-N!S?ITBrI%M&n4gi?
zJkpD!Yal(vWbDUAGLcN^RVPeT3*E%E&1P~<hY|^Cdwn`3&+Qk^6xz~F4NaD3AI^%*
zS7ckojo)h&Xv600it^p0aQE_e2{e*M+p74(PQ-MgKg;`V;`r6k?qvB5vb>z`3~_lX
zY9!}XZ^T4emq+)q)$mKSPhmPG6%lf>{DtJzWtZtQSFIbUmR_Y@9H!t&-@(T3J+l9}
zlAlj}DuoVV5`O*Gvn!QW9<CPjFwgg^B*CS`xx#=9CB0Lg&99}T#h=QatzK6Vwtjx$
zgp-sqRV8HSJXCxcdtDGsTDaC?h0$eG_QHkCQ~AoublZ8eEKP-9)N{2&sbAjmiPM%?
zOqgVL?vkB))l$|x<CgVjr8F(ptW0?==2Bj$+HxQ36cpg)N@c35q~eF6YQDzsDQPc$
z`HgfHeAz~^FppfOnyD!}NGz-t4zj@-_c3CAuV7I?6lYYt-xCr<&U0Es)m-wEM;_f9
zc8I)EZ4cPBL%DIwk!oADphH$1<;dw#Kf2eFG9sZ^FIclZ3(k1vEBOeO>{91NoGdB-
zv+6g$Dzc@F?5$#opKIDa6Oku$;S&f$1zIQK)Qz+jCJvdl-qKv1X2M>$Sa7ObN!nEo
z6^8FuH`|JLZ`-{sP$Ag-CUhX<jjD9JOnpXr>`-gkiiO_(Q^pD+rBqm}>5xMLa+&it
ziBXA&{G#a~PfLxCJ4Kc71NQ7yvRwSkA!n@VN;i*nMzPlHiBlI(oK<EYb6mAYEg1RC
zcbKj)xnzIc=wyz3t=sW4=g*${a#%e=;_S4^*I6koQ<3et25C1uAIj2taWYR~qUOZ_
zs<B?%ubLs4%8y)Nd4gf?noNQa4=TWxYX#WZRDiA13b4ai{@cFmiN%UE=SYjgMtqYc
zp=`SP87I5A(j#ZOa{0#9ron1iYLQ?tO=T8xos7CpdR#ZCc}iA2nNRswjUh1=6Wu2n
z?{1r)S#nezDv@cfMkJrTrl_BCwu_OlfSxOBIqC61azDk{(sKRAG3tSWtDKDbjp9j7
z`i2!tZ5_u_CUHIHT+VgH6_5CJE^b>kZjAAX{V7b^yE?DlY9u|<+*&?#S!!NlMAF%K
zHSglJalMVgE^<@cR-+&Z<*&viB&dS-lYe<pOZBi0Q_BS%QxnG(tJSji#4_xDRfF=<
zMNh{Bwd`qDE-QO~am|XP8A_@o>h%&1(n4X?+a9Ey(JkFED=LV7fcpBSy!bTb<BO)F
zMy^~uS1qm5=v7e~977Lb8AUo$&&h6SDQOwe6%$LLjD0B<+{qVK)=)<Vveg$)9!XU0
zKeRhITrInG>=7*{<5a|&lij7*DB<M=Pm`YzRzY+fA1`@oWbVf1j*l8SR58S3)bg=L
z(xrZnC=cte(p(tbd||JOkM>gWKGE))4tI#|m6fE6K}`*DtC2meF{~lw;+&i_@nkw@
zH%KiUt|2kRkF&S3Fbe&ReNBFq$lhNO=>MO-9!-A^kWAjm%AQ)^lSq^OD#+YYGQ5Jx
zdq(cmipUj;@m)XtMk(%O<9Aet?bfreFj<)VTTjwWt=Xvi;-*QrBWj^q{QHp`MRm&N
ze!2tamlG~fP3}^KCve{EK}zW!!LghStRxyOq@ILSlKt7lxsoBewWRokD3#okKNjwh
zabmK9fbNkUp{$Rz5-inJpG^~w3u4I#AxBR3lit}>rF15{RK!C*(!Q{<KKDlXi`;2~
zDqKB()iM_grHfE5C&s@~lT9#LHiGJgox2PfCKw2vDkc%G@cQYi)Pl1-aN6tvO6xVp
zPp?-yEMnJWWVn|pr8}ZycSS0niA&FJrQ)97cS=V78)g0-VW=_SKXBzIqNx9mh*B%7
zG2vuaZ*sC4VZ`HsL~8VZH7^|xxkct=lfmWGLS9RPwP4yKe<<wvZ#E*hiYHJI4HMku
zWDYUNraIzavWvSWBCR!(NGBC9w6B^&^r$#cvYSYVA2BevMR@a@vgf3gYEkoXxvc8x
znX45q6gM`Vw_dl=ZH@gYkCf0bt-iKr*;*?T7d`16Y8cl<P%cYma|Sg}$c`s6^BThk
zVls~;vogm5PIjVE#oy*m2$7ByL6;cTYL=2wRm}ru5ZXxopfvMN-s)7V!)iWTq|x)2
zlPRP(F(lT+iteY3+GM5(z3Gv&60AvY!H`T*r|SxRg?7{sIF(jyM`zua{%c2VhEs&8
zR3U67^rd|ApoV8J3(tv^;}5EO3pOnTO_ap(-)dDqtr*!+7pN7(I*fJNx!spqF~||l
z;kk+z%W5A=)^mcDME0>nQkHo3N?cUXwrHahCG26>bqCffjm_p7tLKo3Dk}FWv{sAR
zJEqT22=8i|x(}5IJDP`3!ueW7WDf~X){%7+s1Z{pw4Xrdw@z61P~b^>HC1wB=*j8y
zl(Z%G#C{Cng-$}JG1L^WMzDV>v?ZPB3Wg9LF4n_<3?S<{*;6vWStXXew^2!mze@J>
z1O39YRQ^S4RroR^=}gahcBZ)JP?q;5ZRMFe*`%;TC*qX6Ej`^=Yk2v|3#>($%aH^{
zVtmB2eMZ~U*e*L3Zd|0WJndFT4JM*PhOemnK}y(0p@hoVFU4exP{LAabtP#cOGzHv
zPfU%niR>t<stAdr#ljepNXy7FA&)Lrx~)_rEoG=;Ht_+O_*_IfkYG8HJgj;XX4EW|
z^bear&7=y=2tz?{;`Dw&MjEN)Q_$@hf<z&N@bW9+nNhilZ0lI6IBj1=6{qL`D$RIo
zql#0iU?}Iy*STw^RPyqx;^Sm&=qoBXhYqBI$tCeIGH_23yHG48Q#m4|dVaxvdM=4d
z#j_9gCS{f>PecW6KdFu^We>VJ9&l0$;w2LWk(zhcczN(24BS5)tvy0=xmtRb39tR1
z{*zCX$gCLqiJDZ}jWrfl2rHf#lXmKI-EkIm#F!Xoy?Fd6Yq(%67+VY*Pnl0LmF*mV
z%61)9UK^aOwrtP~5{H$9-O5uC%dryvy5C)5Uq!<2^1`iXid&QAkI1;X@?n}GR6I>+
z9?vczmn4EYB}=`D+sTxZXO5>(ePP$yVAHh<ihxpLLAT)zm9^<Mj8O50kH|D_>&`8$
z`>{*^r?u0`<dccVlYh2eLR-(1NV7?GjzQ)PtLsE|!~6ziCcpBb+k8U(l%|fJlPuKZ
zg$`76;7NhX+atxpz%`wZ_alK6jz!|b8tL9Q>?rZx{&agI<x5rkbd@Z<b1o;-jOF-T
zqD~_na}7vf>B=(MYch)`gH<Fjo6>JX;&W5XS8BLQe!mu{CXh1rtx)!ul)a@7KN;Ri
z@}-J$ySry%4<#x0AKV>$P|c4PzKYE(SG(9N=WYDkmibj;X4O*Q)KW0I#khH8_HWe4
zqoU1ABm({8uz`~CLG;|vL&u)AwvQ(BIG(Ag5fKH)lWu;Mn)x35G(kairLgk-_o@`+
z)o2OtVUTfaOD(k^s7a$Liez!#%FV73$<&6B7I!8s#faCENAgZf9w~kKY^wUHz?ys5
zo9?96`m1cH*ft|~GpSNp9XoHWCgGBdtPB#TBCj~QlyxgM*eE^yL-%>9y{EE)$0LHH
zl@w+}v%lpsnK#L>8zQotr`Ax7xSEWk;LZrBBxbXZv6P(H+~x`Y*I%*zsN@%~dNxjJ
zZLw+28g<q>HX}CvWRj8(sn#61&Bwc?P!eLp@!eF?bWTbY3#r^zyKXX(<3|Zu;vLRw
zf>tQIEILbc)MUtLVTeQ+(zuxP$~zafpDwT3Ty<BIe3u_7c!+npIS1P*hg+ViQ4@pF
zf`LRZd}v7w(ocu(i#Ot5sR;dkvUY)2(&z%|&e~m!%3O8VCR2+qxA${=#;(hO3Di&;
zZoS9UP9c1I7%$mVb|^RLVnlRARK!VMKAbM`j`-udb*FkxqTA5({yJxhR0bhW$y35m
z$&y^-!pTDR8r@g<YuhVAo9-;%Vm6W1kt-^aS4#>xO)bf5uB~nA-fSn9%5%e0@^2|`
zr7T+>uFef-@9ngDNWYM5HDNN{9I{*Gkj=~ApDX>S=1WPRa-PI-@5va_XV!bcVChmP
zTPyY6dX_AsXpsG!9ImB8V96a`epa%~BmVsPsQ7&KS;@H2RkrgL^V4k~hZ;$JV~pl(
zU=MopYHGLO*)ifl!bzW%UMqd5U7B9GT=BUwh@7NXE<Ev~gtD(#u%v`?AW7suTq?}n
zuQm^7*X`WkFi**AHp&b952|=C6_v#J3excj$)jhwMl<qDMRz_dz-O<Yav^VUpXzBf
zywwJ0TN?#0nZ1*pSI#e03L^f5ikRecS<jDT^I2(EZ+}pb9(})4V$`E=XQ4;$tJAY=
zjDjV+x2AwNFw`K?UPQKO%5QO!>&MO)9y_u#=#bIzQue@BkNumJ-E8O5n+a-pf1XXH
zA&kfn^wm6*+jK^hyFlJ_X0N!}sHu!@R<rs?8OuwExY&NwfQ7b{dP<20l>x^UkbaaT
zrw6ggVJ9MDDeqjZdd{=e5~179ePkFrUA#{iCUo1!PLq&s6!&itSCxp&)hb_owF~Dj
z`VneWa3`m!`dGnhI^+_+T!t4FY1DFlUbaQ~Zwi9zPd|LTK1M)Ki`jF{sfJ-Er>8~e
zNy0dyP-#YzO%>EC$?x?$^FMIWeAd>X@~tEB6&!0cUZVvw!Izkg7E7C4ix@#cqD6wD
z$<>7;I|(gFYqAlg5m$MWP0<e<vGk15STRraA_``&Y<}m%-5I;z>Dk4mY`dt;&pusp
zR=rouzZ|II>8)gtpg%+yq7a4>{lTPTkdd^ZkrEuqqilk2<Ff<_1t%4@MUM?hbEVLc
z7g)c$R_>Ze4?dI2;z=UaKkxIxgd(DF=M^Ry8|eL_+Ik&p#fvhR%J+(!$~0;=O!A{l
zW2C)(_^P6EfbR_wPbC39L?xBH%5t7FYo*grwbUcd!$50wA@81wG)ILc^4sFW)FM>C
z&*!9BWadqVI2VhEGf%QqUdp9>m1e02t<8r9`tJ=;F5`0<Qb3KkB#$fMPmtSm33sc6
z0Dk%Wl>?0Un}=>1@QIqGa?-PT=`#{6-WL-WdS1y(WS^qM>zy2IO^CfpN;w-jLG{MC
zlP6+gx14Zw-Qu;`?W9+nnhz=0sH+SvQ#o$QGkTF_-R~K-cwUUUy8WsFugRdIYl-Lu
zFHElC_!@>xDie`OlsAtfZXB<9<-yd|@|&}$QH@&1c=?8nZw9iJ;y150B=(&`5tApn
zw`@m_nr<;-;?kJnMQU>sK7rn}CVE6u3!?i*daX*$h4&?-|HFY)a2Ye9kI-K&^{aHC
z))6`B(qNY(D0{K|sgO@&-8I8MQ7TkII+G5)uL<4NeDYS+3-SvU6d7VvK%@n9lCf#Z
zSLb*?tvW}U2Zf(|Q+E$uL^Ua%a*#;18!1xx?&KxU@;2lzbzn*KXrW9pY#C2%IjJYT
z7vhCU)#7k+fuo?CrWyJ7BPDwDdAeo^uXuPh=S69{gI%)G<!kI^+P%34Me-(ddS5cS
zxkhl-)QtK0XEepDv6Q`yr9)TSJy%h3!3%TALKS~NMWOm4f>P^!s;QlMzskjxnz*|>
zBXoWF`K5?|%VfM1HSkokr}wpdHuI)L^oDmY|DrMc#Fxy!M`k_aZ)?V#qoD9B*9<7<
zS9p2v3-dMdp3Uw!5x;{EGIDU*WMic;NvF8##9Le07+qe<UP#S6Td91aHOwyOUlQ?4
zzE<{{D!5v8K=vt(XGtm5Fy^|GrCQLDbsh|zzA2r)sjy03Lsn6KMgpl~?B|g{(O6R;
zFFI^XEJkc)rJ2@QWLcJVCa<P?u$DH`g|x{ceX>M6RcUK)YmqqrWUjeKajpSREjEcN
zo@(^62Hwx(6zxg~7y4!Mn%l&d;VHuk$fO%Qxs=ajxA{>Vi}0Y<tR*F+UkP(YGg(Aw
z=BsB6(W@ohYejssSaX`nL|XpV<lAzf4z(PpqU}-iI@HN!>qxCdKTt(h=hC|fo?glh
z86}p+$0Vn?L{n^7+H{8DD{bAItm#=-`c%o+^YzU8Y*7xcIWR-Qr<d2t;wO=0!&)&V
zBZf2CWfEdo$?_o;WWfz$-EuhnR0gCwJq%4ta~Q!mo2<wd@o}+RkGgwq^`&wOudPI8
zY55{g)#ZH^B&MYqy(E}kMrL|Y@rPf2TSZQD$-G|?C7I5C6&h6V*BN0TDHZWT=pS2|
zSH*NEiXMqb5r2jvPPL|{r4PYDo^a-91g{RG_84C6^N8I=brtF_K>5|z3Tn-akD)Ta
zd=KK0YmobxCo@NjYnn&N$#kAxef6iulBL>rE>EmSQTwH-oGjpvQW1DhHCca`;Wh2Z
zSQV{fOcqr&kCI6HrY>wWlAhX>s+Kk_rQ|=`z_*O2*_CLjtWKEH2{cDp3Zu<PdIn4o
zgL7bZwZU#MM?^FoDRW!`nyBm|qfP&r1}44}XkM`lhRM|?JZAFR(KJrXZI&i*VjhS<
z3$HN91FnL3!ecMPylRVlFoe@)?Y+im^H&wpY*mIRh7Qg1bsaiNU7Gkwr?ZYW4f9FR
zBuyv-ZZb3%6iT6E%-|MudbPnm=!_7d0y<+Ps0Jz-ohiU==uGW|`@kJW#{#$q9ZNAy
z7p-H*)6`Nrn^-)6j)yLu01p|^lwgmcvz13UqZ8bgW;WG1D#9V?oDgfXkk&Ffbb-&I
z6K_ZpA!~C4)<Y*pmnNgqxu&B{2OCQh`28g+`b)QH8zexxR_x5aplQz907?d1XbvvG
znr3YSyrE5VD}pxJupVf_E1K^LZVc8lpy|LoL6c*#uE0iM7ud}VGX|_X-~wz0CV}-}
z(2Bu0U;<zcSOPSm7+u|XAR6ESXGWWL*A?uRwlu#iOVhF?fF`$Qck7@F*u6CC7ue9h
z#Gxk<0!cq@UTsPLDTskKDKFcS64(|J+Q}+NT)^~$#I+602P_F-AO^gE$d=UCabTt~
zlI>z<l1M^(ZVhd&+$10h5;}wt&0|he7D5ur-~?!bFUdZ@3X=W65l9a7#8w@e7hIC9
z3qN2x;Ljis*a>ao-W{N+#3gxd*uY2*Q!p{Wik21HwB#S&0Qk@bEt8;dr^uHNiXwEg
zwOMLkLz@Hk6Bu34#JS9N&=l6p32nk^<{_9jVBUcdXwEO_bb`)E=uCjlX6X3S&DJJg
zrTI>EazL}2(!`rO6dQhnNKc!fQY43HJw#5RNgzc#AUX+A8ASIWdH_)!M6?=#=r8E<
z&>aBXY0$NT?q<-;Y`RCGn+DxVZ6<r&X0Qsd6Tq(0?h1PWYz^2Zh*h9@;KlwB2SNM{
zl7$p5&@+TyH_*Ildefk13cU@`3xZxO^x~nH0=<jS%Y$AS^y;AZ4Xs+C)h}o@1g&PG
zl?Pgdq17q0x{6i}-~etGxYgiX!3BfM0e2hR2XKFZ?*M)r_-yc%;NPLO6s;}M+7Ye2
z(0UJAUqb65w7!eh4QTxpZKP<^4{au(%~G_nMH_Fl*^f4fXmbf|iqPgE+I)qS=5^}}
z=`2XyAPs^v3es#yuR(ef(wAu432i5$trgmCL)!$jJ&U%N(Y6?E-=ggg=<7qj6ZE@7
ze-!lRLEjeoUeG@Z{e0-xLjN;8P-qu|c8}2RDcaSe-CGz8fWbBx+=Q$LWFsM)1KBFb
zwm^0evJ%K%LiP>qTcN!I?f0O4EZV1|{Y}V+LOv7njgaqxJQnhF$QvO43PW8Oc7ovq
z7%qdM6AX94FcOAmVVDoYMs(oNp*uQ^Lx+Xvum&CS(4ib1o}t5MbmY)+3ObshqZ2xA
zN5>QBn2wGm=vae}-_WTYI`v1VIp}1MPJ7WQ5}hufQ!zR{MW^rRq=8~G6jPzt3q=ML
zx1gwl;s=!7pqvV&4U{2Jra@T=<!Ah2fL})87c2bYk6$wI%L}NaP>qGk0jgZ6zQAY;
zjJ&mZ%4xc2n(db+)unk@X$n=E&6Fk(rMW^oFGc6|=<JWqAJO?QbkRqb9_TU_U6!DW
zBf5m3ODwu%qswh{5zzG)be({%E73I=U6atQ6S|E=w+ZMLjc%XOeFD1gM)&*Z(G@-R
zX%i*(sD-f}j2FV#1jc4CwubRW7$1f4IT+`_xD>|E(Nm0`GtkouJ@=#MA@oc|&m#1!
zK~D{ObwRJ8=(Pa7)}vP-dPSnw4fLu<Z$tDRh~6gX?T+5z=zSi&@1c(befpx$BJ}Y@
zpGfq%fj;-qrxASw^zDJZ6VTTbeeKbAEBfw3-$eAiiN0^qPlA5K&~Fj?Z9u;e^fy5N
z81#=v{}lAUi2ltOumS_(Ft9xaDlyO+0|PKH2?Ot7kRb+*!Js)9v<ibfFz7V~>te7H
zgNI}A2@F1qA#E|FCx%SH5GxGv#E>)$slt%=7}^R$hhnHHhI(OW0*2nk&<_~a8pB3l
zm_3Fa#<1%c_6EbH8197On=srH!~HNk1;bxpL|cqdVMJeyn1B%rF~S-noH1fMMjXb7
zRE)TR5l=A^7-@i!y)kkUMlQohXN-J@QA04w9;4haDjK78FnS6`AHnE{7_$IlPGPJF
zV;5qqHOAUttS!biV%!vrOTc&u#`nPZc#OY{33`~Y9usOYu{|bEz{E|M=#PnMm{^TT
z6ENvGCgosKEhc@z<c^p;4wKJf@(WCnV#*>+S&S+9m~sbGo@2@fOzncHc9^;wQ%f+7
z!?X}gOTe^ZOxMM9J50~PjMkVj8Z(Yz#tY1BhnZtAGX^uSVCFl_>V#R#G3yX!m11@;
z%-)RIWtjaPzjns2v+?UP{OW*Tz3^)oe!YZWZ{gQx__YahT4Rne=1j$$0L(dxIgc^t
zJ?83QZb!@=in$J$yBBlMV(xv+>y3HSF>ej#?ZmuP%)5hmUogK9=9^*uPRzfA`L$Ru
z3=15v;29Qt!NOKp*aHjaVWBe?9>KyiEWD3Jt+7ZSi#lM@NGvkNB6lo0h(-BWREb6J
zVA2*Q?O|dF69r6ufr%O>ePJ>hCKfPpfQbuCVqkI(CKq8+3zK@7yoAXgSlk1Phhp(m
zEWU)r=~(;&OB7f#0!!v%$$TtXh$XAA#2-tdu_Ome8nL7qOLt)DeJq=SWwWs?9?LRe
zY5-F;Oc%iP7)-0MT#n_3usj-OtzagH**ch=hFLDmZexWUE4;BH1S_6mr4?3I!+a{t
zEn#j4b6=Q;!8{S>88EMe`6pQD!omm^Q(<8Z3qM#KgvEJSRKwyMEIYz-A}k$Y841fv
zu&jXPYgl!HRbN<5hSe%qZG%-TtggfA1FU&icY$>`SdWMGa#*{=`Y5a`v5E>F##l86
zt8B2!7OQq*)oHA%z$yZpZm?Md8wc2U!sZBUa$s`@Heaw>hShVhdOKDZV)X~u_JHkJ
z*sg@FFKkm_*AaGuVK)zUKCn9ryL+(v6ZQjP?*aQFtm%L?URZM%Yd*q34u{EbSPzFI
za43Mo7p(1rwd=5UH`eB1?Qd9Th;@^(&I#*cv91B@yJP)atPjTen{aFkM_V`+VMBLp
z*pCewIC;Y9D4Z_AsRB+Pu~CJM<FRoKHXgvnTx@&;XCBUz;p_<KLvTI;=Quc*g9@da
z24a&9HU(l+EH-6hQ#CeyhKm|56X3E2F5z&=gUeUAa&T3{br4)9!*wBCH^X&1Tw~x`
z3D+iUZja5qv3VXg+hMaGHs@jUeQbV@%>vvwxOIWsWVkJdn=9OQ!7UPQSK(Fzx9@Oo
z3wI;9&w=|2xNn2|1-LiDqa!>f!DAIX0^xBQ9^c?;0MCK&oCZ%bcy5GeC_LlgnG4Ss
z*doQ2G1#&UTee|KDz@ChmiO@L0Ivn`@`6_?yz1bsg10HWUEv)D?<{yfhPQyN-LZ8V
zwr;@IU~J9BRt<cH!)Gph+~5-dpLF<C!RH%%yTNxBd^f>25x$M^>j=M@@H+*+&+z{R
z{;u$MgMT3W_rpIK{sr(ahW}mozkxqNfCvFH1aw2d5Clv?z;pyGMt~Cnwj$sF0?r}e
z4gx+Qpb6VpY*S%de{7qAZ6?^Z3fp|K?EtnVVp}e@J-{}CZOzy|9@{5k`&4W{gzZPM
z{RslwB2bCIg$P`XzyJgWA}|<%M-ccLf#0!17du*EM{Dfpj2*qPV<dLW!;YKSQHmXJ
zuv3JcYV4eko%^w~6gxj6Xaa(g5cC#7pAoEwU|R$`A~*-ZHxOKn;Ck#5VHby8o3X0^
zyPC0Egx#&NTaDeu*gYM)*JF1Ec4s1_9YO{p#2g`&*rSg<tFh-a_GqwoF!nCS-g5{Q
zA+#q#tq_`v&`N~K5ax`qlL)(qu;<vP#y%_T^TfU|>^p#cN!XW+ebw04h<&fHzZLcy
zVgDfPkHG#D*dLAkFR}j%4h+PB1vs!02f}dR01o8iKp_siz=2N)pN8-#gkM5<F2Wxm
z{1L*RBfJR*b#d?@4j#tA%Q$!&2jAgPdmNgELk>6;fJ3D?+!u$PaX0{nBXFcOj<m-S
z3mjR8BaS$-9Y;>%ND7X2z)^b~b->Y$IC=m_6L2&YN3Y@N7aZ%3W5zh<gJZEcR*r}f
zh;T+kF^<b{d?k+i;&?hv=;Fi%oCv~+e4OlzlOu3)IZj@}$)`9eAaVpEZ4l{=$X$p`
zLF5@k-b7?6BEKMtM^qa`^+42cM4d)-AY!^AW)@=X5R-tIM8u>c<}zZgBjycaG>C1D
z*tv+^i`YwuEkIl=#PNtzAx@3B0f<|QI9tSdA}$kgO^D|Z-xKkch_^=kdc<!)ydUCY
z5Pu%=MTozL_y!~xA)zx81|nfF5~d<yEfPGDum=fMNcezLeQ@e9PE{hY3lam7n2Mw>
zND4$!7?Q3c=`ND)BdH0e`{MLsoc71*Qk<^E=}$QQ2a-7?|AOTHNFImexkxrgvLljr
zAo(Pcqmdkk<jY9TMshWhKWNPbDY{5$hm@g6nTeE@NI8I%TSyflRgTnwNDW6S!5Mv=
z>5MaDaK;2@cHm3|&Q#&-YMc$l*<_r(i?amhy5QU_oJ+yEESxLHxu-by8_sva`Dr-6
z1n1Y`yf@D8!}&+JpumM)xNrj(XX0WKF8;u!Ye@4$T0PPlk@gm8?~z83PVE&O(v6Wm
z1nE<eJ_G3sk-h@ytC79|>CQ-ZL%IjjYmxpA=|7OcBclT{W+B5287q;o1{rS1@Il57
zWb8-AIb`G^;~p{^k?{vE>*BH!m;2%JR9rU0<qfzTg3G6IxeS*-AXAFW?#P^m%xGlB
zAu}0SI>_39tUJi=gY41Bo`-BpWV;|c7}+t%&OvrAvWt;@3)v5mU61T0T;Xv=jVpt3
zWhSnyz?I#&5`!z3aittren(DQ<ot>pTjXp;&MxG{ASVMk_mJ}nIe+15cU+Cd)ofh7
zgWNXAwLtD_<gP{T7UV`E_Y87#kXwe_N67shc@pGxLf$~+O-9~w<T)WP5PAEM7lXV@
z$g4zNJ@O^UH%9(q<gY@$JM#A;{~+>@BR>oIA8@S`u8qbu8(a&)wS%~J64z32tqRv(
zqW~yqg@X1d=z)UKC|HaFM-*&FK`IJvpl}Wf_n|Nxg%K!>LE(E8%|g)u6g8lz8O5DY
z+y})IQEY<Z4JZyq@l_N*M)4<H=W)Fot{=noEL^{X>z{C=4Q_14jbPk3j~k`9QI8wn
zakB?*4#&;uxVZv1{c!UDZl>U7E^a=;%{RCypu`v@b5Y`mlHDkYLCIy5awr{u(q$<1
zMQJKZn^4vhW#dq`2xaR~wjE{RD2qecWt3H->=kZN!;}KI#^csP+_J+hZ`?Y7TdBBp
z7Pr3O)>o9zM7cZ43s6q;nwOxw9OZwaf<Z-FRCGp#3o6`D;fIQIsK`P^4l3TD;v*_P
zqvCf|c1Gm@RE|OANmNFm@-?bjqe_XYp{SaHs#T~8MO8Ses!&yps{6Rz6Sw=|_8i>y
z!|gq|oq*d(xLuFiA8`9mREtn8MztQQWvK3g>M^KJMfF)!SE2eX?uc<`Fz#63&NkdR
zhCA<YcRubO#@&;+dkJ^{#62<Ynd07B+;hY|Z`@1Ay*%9Sj{9D?pM?A8a6cdSU*JJ|
zJXnqgEAZeP9+cyO1`mJ5!$WxZ0+0IQkrf{0;ZYeLx5wiRczhg>@8R)7JZXg|3OrHa
z$q+mlh9`6J#1>EN@gxLKlJImop6<ZYcsy-H&0N%kq2>i@C!uyDYTx7896Z~DXK8rW
zgy$3Sd@-Ke;kh%O`{Q{yp2y>P7M@q&c|Bez@nRuf*x<!hym)}Rp{SdPx;dy@jyfCE
zd7>^5bz!JGfx1(uyMVeJ)ZIYcUDQ28-8<9~)a#;Niu!J-ABg%fsGo`YMW|nidVADw
zLcK5QccDHU^^vGgLj8Hv7oxr#_4iT#0`+fD|2yiN(ZHfX9}NmL^h3iaG)zImTr}9A
zVKW;1(69#$htUv&hEz0MMne%AD$#Ho4R_FR4~-qs=!V8DG=9d*4tO~NFL&Z)5?*HG
z<!ij^fLHzS${nxH<JD`t{spgH@j4A}<ajd}Z*1}A5Z-*p+ZlN4hqp<1n~b+F@XiSD
z9Pw@o-d)7|^>`nQ_owjwIX>|CFd82M@gW8u;_%@SK6b;$rTBOrA3xx?p7?DcemjQW
z?&4E-d|HA}d+;d*pK|f(Gd?fDXD58#h0jm$xdvZm<BJ)-IN{57d^w6Qsrb@}-%as*
zDZX~YR~vi{#8&~|%<-)n-w%VxK*B-ZLE{U}do<ah=|282#UD2ybb+uPLKcK)XzqdL
zo@nlk=Duj2i)L>$pF#6o{OE`u)A7RzKlb6r2mIL`f9}Jdm+{v?{Iv*wousBl1`8R)
zFx13M!=IUT3=_gIM;NA@(UCAZ3Pz_7qqBt331D>2GCH-4s1+j`!id%|q98_;&xjr{
zx~7coUPkwKhF!?8I~g{ZVG|hk8N>cy#CDAMEh8~tB;y##8b%VvNa7huKBG5+(Obpn
ztz-0j8NFae?<AvliqX5m=oK@1PncF>rj;|(DwSy^Fx&)&o6K+)4Cl#k-VC>c;SMoe
zBEw}fTnWQHWVkmB_XoqbWBAStKY-!KGyEKecVPG}48M!vPta=^hA(9Jdkp^@!~bB~
zbY|N0XWEQo+RSF!EM?lPX4-6G+W0VS_A+gvnKoHWn<A#o4W>;s)8-!2rjcp$jgjgy
zQW+!d!brz4(m9ND1tVR<NH;T5Uq%|nNKZ1-6h@lCNQ)Th9Y#u+wo0aLZ>H@crmY{-
zHiT)L!L%)8+CFC5eq!`lM!zqkKbFy7!06jD`db<OFh>74qo2&^r!o5ZjD7{9-^l1U
zGwmcyyB<ut!A!eZOuNNQyVXp)O-#E$rd=4*E|zI`k!e@Lw0p%E3}Xz;7z0PfU<YHc
zk1@E;7}PKZe=#xxM%J5=O<-gT7@0jIb7f?Q7+De{%VT7Z8QE8+y*|^vH`9I$(|!)q
z-jQh^%(Oquv_H$V&tcl%W!isa<ZT%F3`U;H$iFa#qZq?kjG;MW=*$@IVhmFl!^@0e
zA!GQAF|1<@8yLe^jNx0x@B?G`k?HUY(_#ACkYdfn8%)D3^1edUV5o6!>ecKlCTRXB
zzehS=`$FBv^19!p4()=R)X2@=%qH~C&QCmB;8*l#sW;texyD99o$$7@WP{)(r{05J
z#DLKIIpGiK9&VvZYNt9{tD?byvsBWekV?&oO6}bg_1g^Qq^_KF4t0FZzD-<6R~5-7
zp|^!l`nx5dQTkHbiZnbB4N^(pP)|3ekzQ_#8dq~t;Yua-C~WFZZ`H<=-dqkRji!MW
z)L%P5C7l{V8dOB8l9KV!<g|+3qHB!CtE85kv_v(GlZMmrj#iRm71~)u)ruNJIq5fH
z^zFJ^nzMK5cr;Ln2IdyYTf&LQ{YN<QxR!8Y>Tu;Ezj*dQc$C_^jNQ4#EyzhZZ9!7;
z1~pN~y{1cFr1-BW<)!Zg8R_O>H26a8Y|=(4JxnfZr%PgLMdK+HD0uEYBl`w&Qn#Ns
zm&E;<sF0J^`H{^Wx%ouYkCR%5Jl9luFd>>FB4TeyW9w|2y3_cRuEO`t<Gts(PM~+-
zE)TbsxIXGizSF>4DKX{@Vw*f<=gDYJRyCKCdZ>sU$B^aJ34J+XxjrhXCy}X`OwDpp
zkV<-9MaFZo%;nU}yQfN)*`Jf{B(*Af9jkQ-KKxvkLk6m3TYs3BOXyEtCGA1Bar0Hu
zU_WBXQ5P9m4)smlN_|sv{vUi(r589R>j^n}N7R-221IJTH6~Ut?`lNv=;hx-@p_JI
zqU+_PKG8HjMSCOM;*~6_8N;nu^V0!Y>zgBu;qth-)MbwBrZt|5j?=yh{VM6LySBcZ
z?tdKV$&s}+#DRJ=uc1>TgE*<bwv4(sKcu~xt+BA65wfyO?F(<ZAR09$GUlWwxZsux
zX;QCh@&A#%*C^;^bgfwSv}xvS>h8SVg1TH>u(FL>Or36edUJ)jr!QPo2MuKf{f7T@
z#JBV=^~0LaF?o;4^v9wh^x>I`c~>i1N>}PfqEytUN0zygZopHz0m28#2$ggY$>*3O
zngt@V!0?@zOwxE!=c0i^lFv%-6+RYp%eQ8E=lEP1NRp^`k(9V_OkC5DX`J*5N80{u
z*o#7?QwVvZVv;qwH&rbsvLwxn)1J)4w4wAb`6X+isykUhBb>N=;;DK~j&ib(e@8~j
z{v@sQsl$xyqoqprXDO|I{R6!bCE?sZv6G9g8>{wkkBbawJY{ol5-rpG)AZ|*$1b!%
zPQEtU;myAqWLD9_jB^C%88SKZOV&RfWoF0&X-`+P7pnGN9isBl1|JdLR>e?H9eRiL
zGg342#}|1Q&gW;)8yR<nAs47q$j^62)8(UR2Sk_lV3sjMMM5vgKfiFe*k=Gsm-esX
z3zhN_ZyoF#hqBUt`q9nKNoO=8sTa)8p0uqUwV+|hDUP(uB<7hi@~?OCsyix~a7-m5
zkGX%%l0xx6CaMK!#-B-avJ?V26ap=G^ndqpfJ~F8IejP0vU9A75F~fvNC!Ie|EgC@
z>-8gg%hr4s7&f%`&w77PI)|cjx`DP|o$E>2vgW_Ljv?J2(w%bRXo<GZyv)X{Ay*Bk
zk7A}u_I=XdwKDTk{%7hf8+0|Ds-IW?0YK&h?$2(z6wrdhbuxwSfu{2<k;eaTS4c0V
zt6M~JI*pi(R0}SY4AJ;5mml3}s8uPAsv_IPC4xB{DPFtTX5~`q{v)Jo9?0YFM&F5g
zK;wg>Cq_?=o08nKqhKbMZsq8I#589pM@~>bkJc5rG)QiCd0ml#rpL1-6q&x03{7jf
z?BluWb9c^G>xBu=g-K#zlW<sGFaAgtv&2SNtkJ6$(x^Av)@os^n6|JX$+w#aN@U+2
z)wyt)A*Do|{i%SgD>3+9OAbA;ek%LpyCJa`6XVZiq~oi_`F$g_t_;l&qt0I|qk$6x
zvsz*!o2O~L;;kP_YKfJctfMiK*EUR@vQq2d)?2tOr-9l1vW0%1h(sd$gNSe04j(Yf
zipEb$Pm_h*|Ab=hAdx$@!I(||doZSU$Upvn!ZE-7TR5iBTJT?>Ix4tdB2({BFHJ3*
z+(^&CLF&Svpo+a#6@D!>Gq2PCS8(_$`r!h7(mz0LKY@+q{^8gzO=d&24@5t!g@X%&
zn%oAeq_pHhc1ywXCYvEz{+{(+I|(Hb&r)q~S~rFJ$?30V|BKh3Xfhb0D%z_0@V5l;
zNPD`qLO_vlik^}p3O4N<>N&NWL|%F!`x?y2-cJ;^EuddoaplMwO0(#n>6BzSZcx$F
zwvEfu(k%LLHJeiIzLaFp-`79T4s1RUe2~2!%gMgKq|}KPQ}WbUyO~6PQOUmEpj3$#
z<>b>M2TGS{*>|$6N?TU^olf@}5sSuhWLfbP&XG>nok|e3Rg?nJGMg6aLn~@24`ts5
zW!lmaTDn6EwZyZL@^?x;-_x;wkeC+A`Sxc-vF!c7Vv1!yN?R78ODF#Ee<M`d&i^U@
zH%j%hm{KV^>d|64s<xeDOD|d))mXc>g-Cse_D#Hs-Y!!b^@l$tQs40S?{#QN)IUqn
z!mgl&JUMEQc>k7Fk{<Ms57GMfoIM&5NqwHTDqX41bAHy9to`cH|N7#@kM5*UZ0~Ak
zv4kFS?MAdf*+mOw8gwy{^rFBXAsD)F|0c)zY4Pdh-{|yHv=h3vpwvs%`Fw-C7q{t-
zY<eL3F-Wz)X_Z{|=j+Vtx5L$D;jH;~M|%^ciR1a~?P{~_ECp`|)yu!pZYU9#YNf>e
zTFkrtjm!GmrCy7Yo6D|fUkwx1$p_JqThR9B!1h|yeW|J_qQlmZXrBkNKL)8}%|iPo
zKkb~;=yvA4xL8PbJeX7{`vC1b|EFZJO7<HlGi>%RrIo5GXk(IpXUzlI+yA%kiKu1G
z<>~G&^phe5tXp!x$<vC{k#T2^9o!joSnGVd-`n$mvvQ`T<s6^AzG1%V@J$=`IsEIZ
zBWl^(e?B~7)FKj-L3B_5mWu1N=iyBRN1c^PqSjT59)pk1wDL0XYeC#Mf_DKi(>mfO
zk^`zB@|6pIMk&*3dQOPnpVSwgiX?LKk|UyQb27?+=xC!#-lu5%<&T>E|B0*C_}|H%
zN+luEY9y6}Xe3QB4FV&rMzuUh#_wdwaG}4P2HzG7BFVoA>c#W`|Bu)nN6)eLiO&D0
z9N$?xd2PvE3U-UaC$*0YWp}BYpjO7G)6;7?N>3@=zn8W&eEdSy@~U|rJ>lARAB%o=
zG=Ls&?enAWKcCa+Io3Yk&i?tlixLXqO4F??^!PiM$@2dm<6yd67Cnl-iJ)qQhXJKd
zeSi8Xwv6&Ay#;{66;eT86Nz?givC_LBUj}!Tdx+>Ub{-Y?X<PisyMAuLYJ1q`L*D7
z^f&G?3D*)5GPaEBD5UqFVv3E?Eo0HrPn5jS(rqn+L=!vOJ>8&4@;euxl4(Bws92!-
zN2@tS0r&Iw&>X7dkYJ(f6V=pjT(MT^k(X(UL@k|9rTlaW)kdOPTmie&KqLC<QnN}<
zoK#aOU8D7HYNO>;WJSxc+A^(+-^U_4p`ULCKbDi|A|YB#(*E?KG<qtf(X<Mk+7>#s
zf1(p)uWxB5ID^I=PzS-cwW2s;F0a1C3W3C(l1vHZ$2uGGg=zg*QZ`EXBr&F+bNCO{
zj2xtE`dOkS!1qZP%3RgsRV0CK9T^|NwRoUvUl`K~ccw2ATV_lZ4`<qv{y9K#i&&{{
zXB#v=CMAz$mZU!?b8_Hhk-jP#fkbzlzSSaD<6}=so;N*~Et{mRVn0b+XOgzkt$ex6
z(w_>tOD9nzi=0%-HBg|&(T_4bCX>tVJeD2y*S3i8r!8LjYg_bf0W<CR(RW(u6A{08
zEVIzo*+8pAX=?<~`8QCow)FCq;N4@{8Eu7hTA@-~;pc`oP_VXCNg$CY{;f(mts*=3
zRSR6L=6a$@-;C4#@M_W@N`Fw6Jd6{1HT9$Xxa4nYb%L($M4jwW%a^5O!u_USw6c2*
zU6D{qn`D2W6fvC&@98~M-J7}^(|#+8XweN4eWQnpdcBWuX&IqMQ{OQ9<3jc@&bq17
z5Y;!bnyM`?sQ)vCKdl%=MMFA)L07beb~OIEhiZLOJNYQu-*2={zb1qKl)nG1_}_S%
zwlpVQOF!Qg`_@tVsr?*QOIum9Bklh^Wo&sba<q&sr%v|K|DX3Q@;A})wvYagIqlqj
zN+<uCUJFcq3g0D^tI$bap<Lxk4^>k~-6{XM<}FPJD4%NKQs4aUn!0O#zx(rJB~&S_
z|DAj5`e;?Lx~jqA?7T5-n)!kl8rl2zm&epH&%SZv(*74^-vJlZvHcGryO{eDVz^lo
zcXM~K#l&9XQ)9#41r?$wDi&<mMX<B>9<ev<SWrMLR0R<WA_&qH!CkP#-jZm}U5DiT
zzjJp{Fy_7A|MT&q?wvDd+L<$F&Ya?|@7zcw#>J0GH>-xnr}|&hv7hLP#;P|+ikUe!
zT+dFGexeG92|5qy@+Y=WGtg)EF+T&Hlm*qE;afa=YOQg~5RW2yRaVykiO)#1S)41Y
zs>to%iMCd`wy7Fkjsn>3DCP^lCMOzf5YKGN(y%5iaC@d7&G)H^;dE(;+G(JKKY^T9
z21?tkw1XAH=x9Vb2|OB0DWb8wK{S@q|4THMv9<-~$70Iu^&qr^9LG&NASo~c%T2rg
z3mTExWmu^)pP!-(j~9FedAB4`R}GHSA1J2*qyPU2Vd-+V8_el7mt(4zNyA^J(?IBP
z{!A1i_D7%FZ=kPI^Pf}KziVcOzh+gb4Ml?6SXDkBiXc}}UlT;HnhIQlW0h_d9gZ*k
z*+k;s6cO?gsd2AwBdn8E9fZxC`MW91zgBuG|J=Pa3*3LR^@3|HDj>UJUbLt5G{*9-
zND--K(jMl@0U&fhN%O|YG_uyln#DhjR7c^?n-yOXpu@qof_4R)#Ww(c#Xc_G;wDXh
zt72NfB{2Ntd&a7CV%3yG3f~|cSwD^8qS5qs_X~X0q+f#DW*_SfBUweCZO$uvqJ8Qf
z*DhS&;G}B6-hTV9XfK_K%Da4ey6;InqEDUn?h@Wc$Nu$0``UGLywj!{9*t0?O-=~t
zrtLY<r&-tT;b*+{UVYDc=8Q2dsjA#MrbBdtb0+TunrkRDQ-n5j47ZE?;&f8yHx$-$
z8E-mgNcqJ$rpyh6)$AwC8QBMAj}DNZTywr(O#itp#>rjaujzQb@b|~=S<G<AKzgdD
zdN`)@WyDQj|E^z;HNqAyZB{IQ>qxpQX|J<lMi1SqXA-L)?5U#qQ%?@;trg?CkMQn1
zXw=SVU;SWD)zDK{CKTvwN;<5*RZX{oK5Zh+;FC3yyB#>=>x6W84hB>aAMT<rg)MMR
z8<bt@-<bxfoo0X<%Ag>A#GMz0{fVRJRU=`>cKEQNwjbHmDHb1|N2sEhKf^Jy84w6i
zVr#AOpUd4Os0rz60tHw<qNQTGN}ngdD>$I6DHbqR-E_HX7=7+oUXK`J@$wSN=@n;l
za(Kms6?oHFRgE}P_#N++B8uHHPsdiDQ6%0(RH8T6x%hk2cA?3qxu{wA%=wOaHO`cu
zi^Sgm^R%YL?_22=<S~5TMSJ!XiLdav6sHTs>Q}<GWPD!_e!S5N|J*VhO!<{?MbQY|
zF`tJ@=pxs6S_Xf-SSr`kS{DDcsGptiwxd3rO3{P+De?4J5G`ot541j6nn2%Td&G0e
zWdYnXCMiH1q^yIJr3}()qNYMj<vN&nw$26=e%gj<jO78<g0y**P4O#V{kY{<nv7A_
zV0M1e9qtC?FFYr^m%PX9C!C9Sg7PeDPxC&uPQSsw`dJ3yWV~Z#PqauX&Y-464)h!D
zSqI@q@$Q}#elYrMsNr#3#(C<jl{KwOzk*9<SFazMbxWisdikpsr5Z;z^if-qmg}b>
zY@2fJdTCP;$K*M56r3vjn#Gs4!j~O<@n62}V5{_kBBkDVrHd~iv~nToj(HlEJOD-F
zO=CySZ}OF8H<qot@!d`K4Q@d%t+RmJ#;;a%E3F&yJq5J<6_?W9`$(_3?Ds9FKSf&|
zN6=Om^b+s}fcpRnKwh*2)CKJ=N^YTKHw6CoG})JAH=wSl-42!AfZ11}>~c!)YO)__
z8{dKW_OmU;Tc9Yg>BGg+KJst{HzYdhPU`Ql4a>@2M$0}OgqGIZ0rerf@5>j)mil0$
zw&b@8w8gI#wtAancjaDz2Km%pK3`bOFE(XZ|DaFg!CXYM-E7Kf<Y}@+*Hqviz-X*W
zdh)c?Y$EYbIAzEmdWvNd87=iX2s0JoeGAw@Ag&VpE8B<;%~S;TE!obf&t5`iUxqMg
zzq2V^rxFSlQYQ;fAzi5pP7De&i%)snkvb%(sphkEI6l{?lgMfrn80s)AGL5am-f(z
zPiZUJIg;x9g!=V8MliL(X}44mR49k$@!L(oZ3nqdkmir<#}rH}>fB{jx^x-&legj4
zj|h|_FLAtZGW*n7-P4R-@VOi{)Xg(s?%MV941uny1v?{_9?&`Yv6k296L`+iP33w=
zWB*LkJUI?WT}y3TxDXX-G(|{Zy1zeHT#|QqNq>99I3n+8#lQBv#9ueg;B{jzUN_Fv
z7uZK~OgsMSQ5YwjEgGIe!_5Oy#4uMtjB^D@m@AjlU9dd6cLBk@7tUvk=01P)+}$k3
z17;RL;sFseP!4M#L`lCvhfst=cZgX`K=Eu8C!qLLQ#sZR)$>xG1Oi}M5_y<=B#DW3
zfSG3pphP=BB^cx6ZT#{bC7q9=&!YgjCz;gA{&-a}0&=bqkY|j5JZl#xFV`$agEubS
z3gkmdLiv0YC)F3$$|0Jrk|#FfO^A?1sbrUE77J0Hfbv4rHXmYJK@^^F-upC*Mx6r?
zeVef!;g|*rwWa#PR(ZQdl<V{Ps(J3c`ErxD4iezFuZf(Do6evJ6<>i5Lq(=*YSSl!
z#~>uq$0|geQCh2c?%XM$3`iAAt&J%N#W!ntYrkR%mc&qZbGsPv5MP2Zd<hQmB{=B{
zz#K_Dm`o0W80K<C`LAFbCf4=sNKL4hh-#*?#TAS9|J4QK#q=k=P^SMh4KVjU{oeGS
zw5VtmUxZjD{q(<p69K%B13zI?f3nSFUJ`XmL^r0Lrq5Eh@dhkdUp}GYAI6=QN+m)h
ztF2&8c<>w}ou4o)fsYmch_No{b)XBn9qR)4m~Nm1+#Mt_W>4>lk>N`XVvLVBlwC31
z2Ch5V|CtUysgoeaSN;(oKI0`P>vF%PuL!>ApfEF^#Uwt9W<HCiJyr^v{pU_j0Bl4G
z85AO+`j^+5#ar^HPlZK6^Ow$16#E7-;lz>H^LzD_<oG}14U2_8TpoDq^0}kO<MltQ
z*LxxgkngnNLp-(pPfkkGi-oKSZPg6+-ItPf{v`c-w}I&#hkN__d+VI0ONhT`Ulx7O
zVVLy6(0fLK9j4Q*I4m|9psUd?_LCB?kNsm6@y}8N-EfoU1zj5xAZxF^3vPs$%t(0q
z->3TYO}G2p+kc`jy#4Q3LmI^>A&nw=NTV2QNTW$U`K4KS^Njp^L<c{|SVVLPmbx{p
z?%oA)rj|nfetAK#KAFyk0A3=R_@il}@@Q(pqbX+NYZmAx)lvlO%pn1C?=1L-Qp0qd
zZoL)BTD-OI-09%>y;0#+|L>7azb|P-j`OXGd+WRGLfO<xsuj-}A7ZZbkyssB2D`%-
z&N!4$V`MYf1-{%RJA8OVc73E^`7!8YJ05-$sl}>5sxG9Q5s%?zck*RHJobNh*%f0c
zL=GyFmUEE+ikV6<q&zK&#mCqVAYRUA2%nG9u3`9U{+>_9@(OE&CdC+9jp(jPVNp?r
zpVeZ(IuBL0oTbhUR>gG0LOg_~F{S})Hkg|I+i`7k9?@g3@(kO6)nMNh{y<LFu-h5G
zK1s_i3%c!R3%XtY<ryKOV!fntPtoififx4t%B0zzr&$=~VB(Go)_E)Y+MMDrdB+8u
z3-LvZa4t;G6(3cHxX32a#RkH00kj%l6imB}x#Amqf5kRXt{W;SJ2k#&7Id%Ua&etQ
z8MDJJKAQ9Y<ASmlMa5*7#oxy9{Q{<~Hzso`e=#?c-8JR==cRM;9X%a&jz6T=&xlq&
zH=r0zeKb;tPzyz4Q^=Sy5Z!V?8?Rlx=rrQe{qBmmbPx9+Qp;=CB#xk_f<SqRXMuF;
zJs$rdfQsy0fjD;xgT-_H&{Xj+^jg6q{<)S<<*!0~(drm-kC~e*KHxq1-G!Hfqu<}d
zIr<}4aCH1vkgTJ$&b^83vXv1jvwuQi<GmHGrOX3WPraDyKyNtH3Ifxb#$O}%pSY9u
z{}JDP$BxzOLiAJp$N6|^`=0=-VsquW<>S3$H7YJ5Yb3X#RanbztcIK9BP_GbY$XMA
zYN4tEjl3RIBo<ZPEQp0Z9+G%{56+ZApCgi3<U(!ncV%iT;OinuJY6{qoFEv_v8O9j
zpu}ofHXs_cN-V@I{5>MIQ?NoaXkua#^|?MUi8r$l%@loyW^QytGezI=W|k|>Eac7H
z=*F8_h-Qj9@MadG8L{ZgO_l&oWx<@vfG?Nq4)RXltORTY?!cB83~UANz;+Ye#ov`U
zw!C0qi?0N11<Qdgz7oe)7`4f=1T+{d6deEM6tJC6f2<(e2xK=~09pP(AiLRuBipJV
z+sKjS59G);0@+Ouj%=gSwSi|Wv-2^Rid6G<GMDpFHsYgn=c8=IM;WY)5@W?E-T5e&
z^HFx=qg<|_a-U$Cg{>Kk#Y3+a)2;!^!tgN`@-bfLV=Uxj<V%9Tl`&rDV?52rSjfkC
z+B!xT_PJ%F8*o8LjLY>b>U_;Rg$7^uO__vQb20Lf3U+*`&USpPutLYMs@o}}bulW#
zb++T<busb*S2pqyqkzxfIy;kPE_P&LUps8cn`%4kNqkHa%8Xv9di;m&UaF<w0y7WF
zf_6Dp+n6k}J7ap^I);4ys)O~J$8`q^AnbUIv}>YCeDj_ijrc0(FE!3e>*J7Oa0A$}
zN#tw#G3js6H0-aA8u9fXu?6|ThJhPY0~h)I)I-<9FF9$E0T1D~kQsvvQpz1K{?EZX
ztt5m8^1FlxL5Q%f1}DW&hd9A2rNC5>B4*nm29x;6NUHmoieHSFiCjJrkBmtI06%--
z?Eie7Y29;N!vOcn<7ET>S$6^G8j_<M$Bhs$f%tj%<E|3Ru>5omU7wnP>z7v8cpEpb
z`uK{enjJ`=zIM(eH9`^F)isH~aeQ+03%;HI49BgVWpMW53S%O`9lt!DRCP?SWYK`d
z%nw>RS79**R7*p(-RjAc$BZhIa9%C3gx^Cew)&_%+XUs$do>^Onh1$ft|q49748N0
zeo0qM8A&`ERdk8+1ZRNBPCA>IX{j8Dsk1km95RJomW!CYUQiyD**lR_I!vB^{i`ih
ziM^~tRP3P6;R3irqQ1)V_u|Ws!LNiF*R5%^OO$tD#OL{XE0$AQiM~+(!o#A@;bBpG
zA}ne%Ygp6~Y%>DmZbnp`3Px4kENk#^cPa?cE95g=M!<YSMhF>!kkx193q=weh;XkX
z@$PgZ5ae5gXD1C-j1KW<Cw89e_p*3wqYdd|_z2;9==Vf(BY~ag@`6&}Ms{KWu$?k0
zN`$f!s&WCfc;T%P0_$eEZVTfsCQzHdvO(zVydqoxM<@hDUz3;zByp@JYvLv$Y9F@>
zyN#eC?SnLXxBVQv`JS+1Ay48FWZZPXK#{ar3j688F%_HV*eP^W8dUKgupOftAZOZt
z0yIK)=nW0ww8X8;ieO!q2qQB3<psJz`)!)tmJ*F3yP68f6M&dF$kRW&0p_2~(4e($
zCH-UJbZjdl+UG>iJ21l}n#<X-C2{<1?t=YsAZ#;}X=n=hnfj!NX|CnqaIXbmB;Rwn
zF4%LI5vbP4wbbaaCjF>Mj4lWKg2R6Fr#HxqW3>)FpX_2xVqrNjrR~vt_{O)RPb0e&
zllZtCl$j$NWSs%57irPtEZXH?5vmYS;=S}gYhvjpqD}F&GY_-lU>z`BcxSoCTV<0x
zdQ0WZ_qNH~yrg&5eDmaOt$0v)t0-)>@M8_-Q`k=UT1Y*l@mx|GUn1tXek+KNjk)qp
zOw4`GjIv$9j2?p-0g{V)B}*XcEde9|pVpNRHQ)tYN+?-RyVjS8ukigLt13skmFvJj
zdE+q-XOq0GJs5$zc2`&~LaZx+iGB&UJ6w$j%hfofBG%zrkdewi`^j4&)$z|<SmTlH
z@v*wR`8`?fLjV<JH7f)c);N-OxQg5G@M}0Pgs@ifGZ)r=E)g^NWZZW}JCN0`x^h`9
z$9P5gufY3lozAkZTPHMH5!8UmD&>~Ufs{L^M6>|YAM%!uo5RTR{plKKk+@9tP?4$T
z1YI2(AiG}$SBbwxr*4ViW%2tBVn}Yl#qlxva~TL1I_9ufA659MK_LV2x=^hFYu;&3
zzi=OeXAhMa9yRGqs><)gnb}D?R+Bbs=%dRw%uz?@P2I0YY|SmIxnYZr$7!i1)WT!@
zwuMeJ&^X$v+A(2+?@%rK$j!Am_I?CdSSudB4AJ4^iz&2#e$ItOWJr*v=<=ze;|ABL
zt3z(+tQm!rL;$|Chv-^#R}ul_zD)$s^%wSOr(Q$ajn)^A?H1Es$AntwDr@$#0exav
zlcj0ZUr9f3{zg$zS^9xiyf@Rp5+83opPH%5kM*c+a2g`vk3z*mBr9zz6rx-lK_N(U
zP+B%kwloKCMst1pe@%1nmZ<m!7|b`oERHG1^*vNMF2I%J`rnaZi(L4?rU8|plM0Cd
z^{e+V{|3ab{s-Pt+m_&Gt4k&#MuPtHFH<c%M4d*s)&mh+w(l|ooKo>K+N!%aejqw-
zkKu7ldKT%l)V$h5_Ae`mum;aC?@RRlGslmB#D8*9qJBDU*L*Ms1PpZ%{k)aL#&D*%
zke^qR(!~=S1@YjHT$OktOc0OII$<!FqIldI;#&MIZsOh_HtEG*XZfn)mxTsR)lN~u
zKsiwh;kA`ri<!W%i(|+HhDcy|%y~5cAo%kGWd)A648VkNm<+&#14g_;TFzDx_Ej;6
z<^6%gSKlPw0q7MDdIz969Q58vg|(IgrK%UK(5-R!|6+$4SM7L}U+hpP-%hDy{Fxlf
zj??>gQGdR&wx+OWW$@xX)XU)2?x9v5D%Dqbb2(e)<y_$a<7Unl%Iuq2O-1Q|uL|oc
z`#e!mJTL=Sf^<lioztDq7QRZ~PzVaqK?fq19+38@sKi%yx1GLpP5YqD;m!y29(#TY
ziPuIQ3cnl^Icr+D{=`{T*yx`^`{=6oc5Bn}#`tT~49S5PXLxCc`;F__*JppkaQz4m
zl~@`x=JJ&EWux1Dy-#2U2p_iQUZ<}w6cd^V9k~2aiX*9ya`Qf02&c{nZkoMWQG_r9
z#1dWwLpn}&M|jCLMJ(AFls+NAQX`We!ge<|-8ytrOpw0{(mcPMQEWi4X|EYiuiX!S
zp%v#B_RXx$zUb7FeW5SiVv?6T{uX^UC*{y+FMac-6B}#A1ZE(weXNpp_#|Hs-|^cH
zkJXRwtD1N!Zf1&(8;Gan!$kc085oK0QN*h$%Cuz;50KksIzKU=<*K79m^K?3-m=D8
z-*@)ln!_9RZ>TyaO|@jsjK#Bc{bxp`8fYJVm5E^T-*j<Yz`kjRxRJSRFAVxyhPvg>
z(T{2c!%sE^)5K$eq1n^vXqMS4kFabC=7N7mqccILFFkS81z2UYDO~hY%8DR+{S3P)
z6ux8)71^s;q6IIUS3F;7-U2xu1+SQ!WqJcNgdmZfPGetl8~FV+N0a-bn#KyepC<b1
zG`fj!d++zw#j)d3*lmB<Ts}=Uc|qs*K~wq&PM`+_eivy2Z92^C=fceXjACZ*qR=S{
zAu?SzyQffqsUv?30MIyBK!v#~VEjGcQ~CBTjs{ng>t;Vl1CTW10XGX^@m8pq!Sa&^
z0$_9(05gMjK}t&i$ZUWlSV8bEU~vN)F8>2&IL^tzCaCy%uZ+A~Ml0NDyVG(JzY`n~
z?kX<>*UfAB%fO0%0=|OBfq$5Q<#NF>-Yez8gegcuWAo8glG4<AWmBTq>3&WEx-=O9
z0mpr~mBI4UI~<YI{daH`r{EMUH=n#36ah;asIEO(wN8A>obI3cZ<xI-4{0f`-gfm_
zR~!64;ZFhn$o(zJanLy6U(BX;lIHOX#BK>@d&eM`VrU5%TA_6o%~usNofnj2(VYWM
z(qtSmi4O-02nx-^e?C+HTiPMtQr<pb&kx-=r=UicgMmr@{wW^kth#Z3e;)rg;l!b+
zONaHS=%_ScO|RBtYQ^+wj|6DLH+1AN@hA9>^wf%liay-QSHPb`oECkB^Hy>#>(%EO
z5vF~4qHOKgV6|Af62^Z4O7}LQd-eGwDiqoyh31;tq{Qcy(I_7XDulVCMwqL$3a3^z
zr&in4K;09~@hg*Kt55{^LL0a_Rhgx?J|y%Tzr&Y#l+bm4_d!h50hg>UCj5OAA~Zg|
zd|^-Hu@gE8v=|rkcaA62%CZkA-a4X?!LkoXKIfZIaccQaT471#Nbu>i7xqtq#Nj*X
zf+b49!mk?k)EC#;?<A^kIfhfI5%bN$)2mz%=uG#)grZ<#JcUx$+lnlA&)L)F3=aR9
zWiKX-BgTwnbNNQh1@IG^VL1rt{sDyhT*&rMl7#Z!G1N;wfMZ|rm$}Oo<wv;B3^kSy
z;+(dAe!)A{k?in!kbHullvTMgCH!k(^US|`v7eQ%czVTGXJB9#@bY>X>@uB=ca!Er
zxGYMioq_hrH|bEJHOhOH+i*4cftvIu`&PFMq`5l%6sz9B=a~25!3V1P4mdR<YI?-f
zs!Z&$e*{&_OY%DIwzFl`xN(E_KmxARxC#4))%vXoskm6#uIJSk50b9ki;JD>9&1=V
zd-cqjTK37%9~<kPmeVN-2iE2i2a^(8vxR!4Sv4*;CNM!q4$q$=<6+&dPuZ704VW~}
z$FSP0L_nq?f7a0W`D}|CW*`?OdbN|0^~{8^R!fQBKcCWls0}dHCUSf0P<4y$;L-Rg
zy>g^{fo0PGp-iD+)n+*L;OY&3MI-Z_2~W<d?{Q)0I+=T1CqoVXj6Du@<3mgAJ!uF6
zbbor){<?`K-EyFPL7Kdbh{G`kzYD6VqrInk>gr6ra%rW3M(%r%N*`%W9&zn@^zj?)
ztzV&DoTci@V$|%53oS^mXDS|XzOrL-V*I{1T}(v4z#bmMS@Qq`re&SPRc)9TB@i^G
z0fC^u=;t{BPeaSqi!Z3Umd?&puS-BoZ{PUS0f^~cVLq%c7(ZU49~F5(ahBUJJVq|k
z@47vC`@}@5VmQ#1MsNqZ^`|+in4}qR!-KD~JtlRk&OUMPh}WcAv`C<v=ur<?F^Mmc
z!;D(iyw56i7(8{t7(=wD>fqt99SOQyX*@ThLoe5+!$$2rIKeR1Lp3TU#s8AdsaDX{
zXP0PNhCQxQi!&W4>YQf6<c%TI4RKMY4j$7T+u=WB;#mK|2G)#yuGw^SYuNUKl>#E8
zjj_5%7tdY2JUqH%|9%ray$myt7*F8Bq`q44%ZZ~%tfxPjR57t$yZwER`xs_UoIQ4~
zZzZSYAdcUaNUi~a_S8snkT=sr!5E%muq<xD20N~8K@JjLk|;+w6L$QhVP!4VzmE?v
z>yemZ@qclhTh5&kn`JKGZ&G3;UZeun_fuub>FV>_kHv1;w0!wSy%@>O=jYB^>#u7v
zqHhDkY8dt@O(9jrf6c_oABCdwXfxD9Q!&|JKYffuMNJ!W+xE(>nlQucHM7<P8K_8I
zb7{Zs^>p6Dx9=NcnB=LN5`EtPDjWcjC-zx#@{PRH9(6bJO$KV>1MerS7ivmQhong1
zm!J&loJ@5x?B!2x^286H7b3Nie(#Ds%Xb@6_p3T=i}639JG6J}mK}x}F{(ui<}IG1
zn>=UxjU|R*AwP~+-5cLAslKlJfSD798p8UiLZgm_B<a!<$93LkU^lpDu4+?uUHV$L
zB16+<Ky=Q018sh#S{<}{{ygn>gIl%HJ28RwN{Ocard8A$%1H!ky?T24$@4tP<piHm
z^M~o$4?vR3xWk18@m2OE54HHP&DbNci7^Mx#e~oGKV}F|QH2fn-q}}IuO&T)Y}bG8
zfYF_`jqmlRkMtnby%O>{v|0uH$RIEpb7+6({4d!9qWUYIRS%PQ9*&LE-fJ7(&~4zX
ziNo~a9;$uEqPEBA&YhU*HEisJHfYt;{hC_5R}?$xC(i-n+Yj^IdSn<U=8+c?=U&x0
z1-<S5H{?_TJ?s`VqWj}EwWhYr;WpF4F`{-W-nHLsUAx~O31e4Z)wJ=#z+w&;7{ouK
zFHKR4k6p(p13UjTjVH?ze`8K=-Rok8PJt!KU!10qfiw%xIW5^p$7V}aKDXJ4HSn5z
zn}8-g(>}47wwN431$m*PmHJjJ+o-s1D74pjg!>PM)gx4q!$<G&(6Nuct;_1M`Zq!E
ziHDCx8CEt#>f7O7O>{%NwjLd9nAle}F6qk5RNY332Kiqj``^>@l~>DX16$}gbhs~4
zTRKHcbOaiwP@dxh>X@hB3r>B4uG06Hs2%pVnO5dGP<W6gH}zn|F{lt&cXzU5|8kra
z=od6bSFcwNw6LG%T)TJn$c*WS49fl;a@bYJs#dGZny?>#Ym9V#PK}uV1$+7;r!dC>
z)<gc9?2`%C5@y7X%{I`Fa%aWubj!S9bH>i|;cllfb0X)(Hl!^)k8qpPE~;@|W(@Pz
zb~)*tqrdR+l==I@!neimi$@Zw{X@3-jL}Y<?>|-V<PDw%m9RSwy^UDEk1t>OJ#Ro>
zk2FJcWK`&J-Oe3L7j88iNL6hM9KT_L&eLPuPeTmJ-X0O2x(VZvMAmS?O|@}LNbpWw
z)bVM<BMseq5A4uETjO#sQX!jT&xvv8FP=(GK4UmLDB7*Bw*Q2oz4T7Tpd5QheE!Jf
z<;-1pEnQncpz7;AX8PY#;%1(SJe#0jS`GILcwsk(cPCGS^sIauq!<&OD@%h!&c%3#
z0lSlr0<`QHyk5SzGy?S<%cW7ef}?OPO~}JBNb^k&W*Q)|Q!vDuqtG3m9tvS~hE22q
z*P+{Nj)~@&Pq$ErQ4M0mgT$AJlRsW!6BUnMs$z18uR?1wThJ?WCR@|3n7wKah5bP`
zG2_l9`QB^i=9%;vsd2czqNVJhCOvFi#^~fxC#tU9y=Koot-P*f=@!TBlP7POqH8;B
zgu7e9z=Dg>`%WA*gpLm#89JmA8%9o=@&0=b?AsX<x&MF>5!3yQGyF&D&=V)TCZZ=B
zA<pbb$cwjMl3WZ1`WfYFHnFK{u0>ZA?RsOHs=TT_(45eMp0{MH9JkD$y<xg;(716!
zy-tq4V_1-&85X#6&#q0|_n+A8JISyF&O_%hyEvI0XgKSsIk0!#`fY~U<RVyRw)}IZ
zBmFMzViU9E3=Tr+$TaneJcZIvD4^w^-pH6h2k2h{tG!CWfLvndGuc$RIUY3V7(Bp(
zG?$W&rz9Hs?LIjsUw1JnDlP`0``35Ip)#B7C1?SU36=(2OtN&vZv|Ly1x`skniOwX
zRugV4``?N}RyXtKmXFcXN0BgCBNLKO4!&C3-OJZwp#Eau$jJ7(z5~Y$84i&`G%Etq
za|lR@ai>C$>Cy<kjr_+6?1RgPc}|{eN4EuIhRi{Pb)$YxFV*55`<EPoMj%o+g%*AZ
zzx2c)S9a`LCUPy!R&_4jto8^R?>jFjc<lnE%GP~LLX|4=M$`%2w{HDb!yL>X-Fqji
zp(FH4&Be5vd`9Q4`h!CMus7YL={FI({w57opIw%=><SVphD_W$bmt^$#}0j6AkS{Y
zhN=gw?Y*`aGBC~xn-M!JjJ2UdU$;>^`3qDnDAVH#{cwq@UFo0Y9Df@ZYUsO=N>2<3
z4_mY8gn?qNutgAfJuWd1SoF-g!ot<!q)j6ytr@R_jf{O$*2*A8vQ}i@l)lynXKI>s
zN(JpZ=Ul$GJ9O#dJqGr><C1`BO9FLHH>6Te%?%h-P7r8fJ2sJqO4LQU*JY^bQ(P{(
z2#Aqi8mat%W(?v<zCHB>QC+f4ij}D3%`I7mBWk21o=A%@tYM<M(NWK0oD95<9EF?%
z(DsOz-=jr(=x7Q*6Lw0sd-L+8I}GAht|q$-HQC|C$hU+gL5<%f<}bI+MYMiORNsz|
zIdfp!iiLai+pnoM222hfqpQ}dGdHB{MINctHl0(m2ePz~2XZWZ!aR5axUXoaDs@+U
zY=QQV)=|~<@PRh5`A8&q!!a*rTEBii6FQ(e(!aJ(wZCAd{utbnDm+?1OV$@D4l7Y#
z<hrD<;Faw*bI7nZT9-oKSNd(~nvOmPE?kHS&o$g&?ZGz;tmoBNii+$|z84Qt0Jh-^
zM(udzYN4WsL(04VFHM|YeAU-y*OB3d5uU0pj^9Q0x*xWG-TDyyoXe_Z^XDu>w#=ZY
zRKp?1`QcHEqmax{dG$=p<d=k_6eq}kQ75VNKRAEOPG`AtCO@5{@SPnmcRsTztXHNS
zuBehIi1pIYXu$y8*Wx)dme_P(a-Y9xlS+F#)`{%#yWS}zD91N|wx1qM{?3nhZWS?n
z1C+zJo2!*v>B?nZoPbL+Z8x26sTM=16K?<EtP`8&$bY~j2|sv$Xe(Q(QF5*4(KPm%
zqg6ZLG#gy<Kbg*F%;a|GXKpyWAJbax7VI!o&xc+ce$ue!Stjy4u--pG^hzEY)uXPq
zp?B*>4ZRB=Jc-IU7pG5VeY!nc;W&KcurA+enW_lJOV#yGla;$s5Z58mf)cTSwgYXA
z>m<VawpPE)#?xo7STftNwWn(Brj2Vh>du9F)MS;t>$h<8jzQKRxHyHiU{Q`@0qmx_
zlbznFk=){{ax>pj<(B$B9o~L=$C+&jNEo%<d&i({gCDTNUzey^M?|5h3pV=0suC*B
z=IQ{4{Z(!vQ&Gg`_>Hlf;sC#8=%!&?hTLEgUl*ybQ^c0I&2h^2O+z;h+cYE>-;32u
zr{L+zw$2~2V90_&5G#VtEQmA4ccyJ$f2($CWT~0;wllYB@79=YiQ8g<e8<ooUfYMi
zV0$@|0rH%^8LHIXk+CVdE!&qZ-(=X4!JTN=&d`1D)uHY<gA=Q<3M_pW^z1x;*>&Wz
z>dy4DeP@rIH4076JTWVB_VMnd|GKG~TC?j2TT_)Y^-9W>KGozPcf|cA2=|xAY`x<p
zX&4<I<JdIP{T>*D{i^@iwKv-R$Ii!Smq;Ts?d67Nkx}PI&APC42iNbfl%#%r=G@gw
z<HGy(9qd_uv|;>ezt!X6Dk1;t>sVHVv~$C#v*Y3!OQtWKRtZWct!DP@RdaM%hr*A9
z=?-t1?LTqSq@U3Ls<u;(Zs3gb#u>*Rb%RYj4!3H2is)O@Z4`V9S>>eq+0~p3Qfo<U
zoWWG}`_M5deo))y13XxzZouTo;g6X4L%27<3&0vO2c#6!4rx^1m?n6ks@DT~=+rqq
zo^=QGC$uS(O3*+P(_I9OX@VM?s7EHNsV+EwA+yBRNIf?+5;v%A`$0Wix*3|NxmKC#
z;_xo3e%O51*4`#$(@?hyMuudUOs|Z5G&`~%Z}wmH(d@r3bSvm@U^Tl@cd(*;)GPrG
zE%x;3MTd1%jBpF=^U><IOI5>3UE1)X-0-)An)EsTk}LHstu)#Zp&FdVW0P%sL_cTQ
zU%Gko@l7PI*n#a(86p+>y|6Vx6d`9@YYcE9+f)d1lrIcfA9wO7qUq$5@-Qbmr2+F{
z(>+>sHqge8L-+1EaA?M^X;Wv+oIG_e<Q^v_Oii=Qez=1=KQR$vI^3sUVNX<+2=IRS
zM1W!@QUQwhH&;vsSlXP6B|K-_PPuvJi`PSGx1jhLnBW%*TszBfMU=<&_oRYlc<4xJ
zbEHTS1u--F1%xp=sIVER3V?T@NqjDUVM`sAA(hpU?MplM5S)$$WsZZ4n~A_Xd^8<Q
z;@l@3mO8M#YCI`83T1J4C|^kpVnqtL=T^93R)icJz!?%2+>eJ7qAF&G$?)VZ_k(I!
z)bRZ-|Ha;-h8YR}qQp&6>ddfIhhdZQkw;QkdcM$H1Xl?-+x$U8EY9V;Bor7#df5GJ
zi+Sra@iIV4_gTJ%A2`QYh--|3aFL}RT*3LLi}2?_hN|z(3hYaAwtNMra9+ZlxD;Ts
z<#YIjD?MrrCypxSsp;ai$-*OxqegrPzi>aBhlMllQg(IB;#f5L5+oJIm3@9n3<aKd
z&DoSbhi8rJoG2XMfBXdW#bfW}w2-%$5!b47ap@MMylLL)ceUTtF+)9hQm3<EBfL?>
zU^$R@&YY5n$wT*?yrp|^g|K`LZKLAS>>#&cEj5phr@eqDL~HiIalZ6t%|d#jzP2QL
z=~YN)IZQ_jOB<_#)qRb=@R2yIbJ`?uWl1=cCEn}tFLV)q`*K9y>LvZ{>(BDmR{Sg8
zN^IJep+FE>Q(}7gB=of?f>t%5WJU_jFyo~pbPw9_*aMi*JvAlqNbo&51WMMhU}#xG
zeV}GN5}YKU5*|$wN`j%~9c327ji}>oM4fOW>KwIeEgx*af$(aQP_mPDO*M-V02u;^
z2mnN~O7bZ;^h$X%Nhn#0H<LkTG13(<LtOzB=?bU_V+iz3cre*ydoW2TImI7LmYc<6
z9C8?kJO;=Rd5K0mX3UI<zHr_rx?4A&;r$I9BxZP~9^a!r_M5i<cvR^AqenxhkM^B5
z-Os>Bt-PIJO1Me%FpjCFG#v)}T@`!hC;=UZ6VzF=n2+)Zl;@*MH+EWWpP?4wJ{Jfm
z^<&0C_*_`kLv!UVc!8|XXS>t6_h!4Pyy-m~kAH-!Xz0OJP%svO$3=Bv1k60FO)2QO
zsRyvMr!xp`wT;_)Of-x8gVEpq!RYY*VDvaF7@$xy?7zmXK0^1v>I453Y=Z<<ydCFt
zzKD^05wBwrt<)jjFk0<EuvFad0!ww8{LC#+0}#+dIdmkTw^%;neisq0ir>Zm0NxAW
zeH>WvyWr!qdR-{UKTD0^=$V~$oC_?f67G7TcwGQ5_qs?ZS<k&L-0|0Fvv_ndIx=`M
zI&yR|#(VTIh(__cINHhPb#XM5dtDqoZ1cJ}8p^#c!h?SVa45VkxOscjTS`ni3$KeL
z5aW%?z<aDR@ZP8lyw^*t#JF1Vx>&BfEGa}np4{u=y8J^$uZxJXm!)owV*X-pgcv(9
zY~*fomA;)LTsV6)>Nw2d*Z-svuMbzAl&lUG`K%7@_%Djn52%j*{wY{q-b%t}Y<TFI
zo<q-M=6a^*-wP1Z_G8CKE2fIhiN!0DXf)0MBL^`mFvjl%@tJYAyp(S{;NS*giN$y(
zNivDQ04$$F{Q{sDyX8$_mH@Gb$uMAUq|?7l2&Mp_8w#!m9M=ouC3$5&?~StC(4Q9o
zDCSsRd@lsZE3n;A2sV*eyoYv8Hi^$rZsO(7Q2jYm$)Ro>0xT-AcxDPsH+4x7@9hCl
z-X0EhZx6s82S1QkgGW8$JnA0jQIEl+Xb$d+bELgdIGp041B!cR;TQ*95YM#+Asbnx
zxt$}_Hap7OIc`*PvC%YKN4c$I26yyDjy7Bxxu37C`ViP_a%W#|mC6edSg0P}BFm7!
zJoOj1+O?H(qem+Ma-l1&H>8isEHz}RYBhY!uo}{ZNDaAJCp))?x5|wj;Wwk<HjTw5
z86o;4mD39AfsaUgG`>QxJvze$2|m2Ch>i5A;Pe0imny^vtQdn4@e*itE{*5Wr%dE;
zg1h|`O4E>kF7rp)_EM=DPIClav4&kK7ogDxGkdLAiDbCy;}Z2NqJ0HBuIw*>Xdl{k
zN3VTtUo-mpu9}TTWHElvX!Bke$7vHK=QDCwR!YakmuITTU2{si;@Whb7Ha5t4m+;y
zK_fJB)9liwYHP?xsv~_U>SG|zUHe#hh(l}@c}NcXT}?g|!iLaV73E}?wi=|y4elTd
zV8>MNg=Kut)6|KY<z&d34Exi!$n!dRBFo|(h^*{m*LFx?u9r2ANN0Y%BXiJ}4zEHE
z*K<i&ujjtJ!g|*m^s$ya*=x=9hiYoMf$X19BP}&#_77Og4f+SJ4INp_Ma;e-Yp7+7
z$i6PMT%_lb9IGMR<rNdPETk5Y{jXFhq!nsvupX1pT1(AZu*Qze*~5d`FVWM}*6gVx
zvk&fno}9JRxFu`m$XY*erG|^4<oa|KEyV_idkyRVrg(DOjDPFm1N%ztv>{mfIna5X
zd=4}}Lw0~1<RY*oCb$SZ6T&C*GHL)@4{GoO{7q5!nQ%?|Ly5IhAvh1!H%kixouBi_
znqq<cIf8tYR+pO~(JA6)JQJd`lnmB+#fVgyhq#pDwK@`eKvR|SsAt@T_n%#LTOyw5
z{yboRFb*bA4={==7)1s~aRs9|fl)9=`dDyU6NFffFnipXAr{nzU2uDJ7wl?1(ltKK
zbT0glojbqAnT>Wu{@9I$tSf>&t~9MISZ=E1k$7e1W!<v}`SjJVZh7^#^1y8`FCULQ
zpR1)$nx3!6zUlcL)9Nt~^GdsD2KL*L>TRG(t4Y0vKGBoo>bSJ)I`QSXgwd`&M|G(g
zVA$GAwRT6ynh>4%@P3?o+a~=6bT&A(hmrPC%;%6I(T4`2`4aW{71@g}>cu@^r~?wn
z=>WB;)Ix1!I#2d>FXn_C(xT5~s@IWPx)rww`1%>sJY_3bGp*-J|7FAUPE(*6cnQm@
zqA53N$}Mz`=Mw*>@F9XAeA4ksi^~SFp!LOWCz7=X_wPHOkZPQ0*6+TmI?$@?);@T%
z7&NeNyY!#3y$s^R>V7TTuurtGo@z-B`qf#Qj@?rqKT6B|b)VtV(9;8d)Yci=qp9Ah
zGemx^rD|sHH0RSL<eQIY`BJE1PNwWQ6Q;fDv%mgMed8VdqsUQ<WtONm4WP<*^ucOz
zN+vURb6ksvB&$<&%&7sA)%Ip}kTkVq;Ilye{h7Oi=r>_D58CNpAQm)3WK6hz6tobW
z#^A1V=o0P1ZSNK>#nbRMjPQ#B>t(MkB=axW7j3PVy#nR3XKD2D)x@@}Z?J(aRa4*K
z#Dc53(x)GH^U9{-%M7$s&4w@Y>f8+q(=CGBA<*7b;P4&7({2qoTq0p@Ot-|Xa-BsQ
zap3(89g14fXM>(prJjN~mTE|q#H|TUu6%#iy^;bSV5y$%yhHXAqkdbYp{8;}gwVx=
zXiICW?x<NWd9#WPK7(@V>V{2Qw7}o6yQ^x$&Yc?$>QchJn;bN(3t(ePm#Cc924!`>
zCbv@zy(bljGffIrk~gNH$NB@4Qgq}cY`Z5cGcH)MNEa}741xvCr13&?#EGrNiD{ke
zfw}gCCP%#XoLp0=)&Xh*8VX`xd9iQZS!GT`QIqMb-qfYr@1P+wtDMC;9%Ef9IU!o@
zvx~HpFXx$((dM1hF7UdTBReQd8p4;<cYj^Jq}>lZ(LOSznDt`bft{<C957@%E}c4m
z<y4(`#l6Sb?1GCi=>}3~mVVt$Ego5W`QYkg-BAB2Lp`*eqrEOo=jk|eT21fLzOI&i
zd3)$@f%<#1_s+wD`}1I|2TB~8<NY)!Yh=KI0Quip&ZH}#Rs~{+JS#|ZXm9Yk5QFiG
zYT2y$82^O1+aeOyP~&ybYdy^>9jETRRE2jTN3k{gYCfwogGqYP+q_h@jlS7Vb?F-|
zxvE!ITgK{nX~mG%hkXk4P75Jb+TVl@ZJFQ{gzaN@6{82w*jWVr7jj2>c$exzXLf%~
zmRp1#OrRiTW$f~lWtFnoE=T6*(uTEV&0aJi!GKNDwqG`VOrKr6RA5f{p$@b6=+e&M
z^u2OBhe=C;1Dy)e967Xp-7Z5AMlfg2vbnk`^R`7iTTOO9lf8jjWU~8w2)(H}OLJ@;
z>XWZ`+9f!r-=x`QG46YCuO1+SB#CRkTS5EXmTSMoc38HdQd=u8*(gsJeIBs>Ja7C-
z5Fjv}EZW0-=&lM(r9I_C5r#do8kurMAEZp)+A@Ipu}tR49^+x-D_r_Jaw^Iyq{ao*
zx)?fv3m`x&fSQ`FefWYpXp84%PQ0aWHB)t@*~Weyv`pWpyUQ}YoZhxH-O*)0#xui_
zHQDF1;;opK$ClC{Y2Cop!;t;EiX+qK)}t0HaQdhu`y?13^USgiE|3<S<qq7$mt6B5
z=o;&$IhC^eT!c1ra%igq`u3qcBcR!OeLnlv@q^qBA^M!^$oSz0dcXqa+or4$Yx>yh
z{shB?+1mpBw3B8{9SbhFCMZ|FpXGeBh$a=mR^=gG1dkAKNIJjjS-|WzDZKppv8aoj
zmp4AwkX7wf2fUo^bc7jyXZpO)?|N1n;qS<CP3$Gk#*<^mwQJ?ko3-!*YdpF-G6o5@
zk=xXxVI<Wsgs$4VSG)J-@pXH2&!fA$w)7Z)MdxfPJcV{<IbSX8S3nbQL8o3zKCZcT
zDn3PjYxTL#>sbFvtlw1cJH=X9%&1EfHT3zd$8?kywx!DKJ3NioYuldL)yigH)5>rI
zo3-4le>a`@)YB*IVe;yzMSBfx)EmaGn$%azKDz=38BD9w!YlH>uGz;IQ~Nw>4;zy6
zSh+&=%JVBOth`W(bZhA|Sf^;IZik2Lqh`H(GFZnfb*vrS;R>XY`$tnRUek9wt?JWp
z$Pcx(>_>8HNxEhFJi4s8cjVN`i?LnUN9@xMoxWeH#}R3|rTvG~b+x=PL+C7wmTzW!
zh=H@p7Gs7`p4T?#kVvf!HNlMM!38iEJ@p;TCb0srr+mi|CdivIgb!^7UtWI~0s+0i
zMi~Y*!z=`Az+SnDy%L`Uhxu<gqW6gIsjX2>vGW9TSV5GTH`+)x(dUvl--Dz3q!{Ra
z;)#E!RKPdX3KZiZ><yND6Pydu!6z1%$w_mOMOiEuBspylmgpglESg(Z)Cie~#eyj?
z2&1L~ge?1?<qHmqga!HPC%Pg0SILVS?V%Bfmz4@x>XR~*ycW(n-lVrc^%RKt970tF
z;mJJqq1FD9`0y$MtJLKnkeh%e!wPf{jW339mqCafoChqmZ6LstA=`62Z$VNaB?40h
zFs1ByBA732iWbw26v~0JjV^+C(a3T<H%Vf8@<<6kw!qTP=p!k>8&l2E;+148@U>(B
zKTc-t*~9^;mCR~Ub5y&cR7>8%!&QGUd^EyheK_3oor!!Ya?<k<&4fn%AhBM2Qf^@#
zcnQIRvauP8Ta-{DZs-%XOxt-(d*tBm^K0~C=E4Nk4=V;v=&J=pQ!e7#L%?<5@-2ee
zV_7~d^wNll(%1ydB#q^b7TKV!%W(@6IZP>^pQ?mdp#om6EXFNN;ZwdCLpgx57zEAO
zeY%0(RfAHOuf%mA7-TC4icnsjYb(bxTnCO!j$<s3+qr;a!Qgq^&gV303Pb|)2+7ep
z3C}SJG<FZo=C^yL>^aK#G?+n)&oN?Z!h`Hn160STM+(+aUy}$I?U}q*k?osxY|qiP
zqCGT+mlW_4WmM16BQx(2iXfC{(GA{>8@wruDT|Nk0V>`=sf3@o6-qIp2dJOL>qqht
z)q5s!>blBDl+%cgaOew-fJ{tl#8Nnk<xByIr8NSH{T2lhds~guS%qr%qFxHTmX*Zb
zR&!#VaUcE5Hgjfd)KN&hEyf{|r)}c+F17;M=qJt!Qoup@{KaAZ3NU|c4sK;ulCcIZ
zwNBt4LSLG~cPuB6I4UYv_IA(q;Sg35iKButh_`z-4inNFAp7`^<wO!fH+V0@l`ddj
zL-@RAcnjUFKvqf#q1=i<nBELbZwRotV9;U8<WjCAE_daK#PzP$ISu9eZ@nw#^cPpm
zsSOr0%3;$KSk_qCvZ!I5&$m^SJO2klqH<M0`53J<%q)5Ft-4LQ7-q=r`Ni;ixu!-u
z!zr~dis=ujSSh_FH$^GSMk!L$i)S$5w>ZHzMOeF6O3DUV!vQREZ4>JL_Zue_nk8>#
z!#1}ePqEbnpFTq$33N*Vz$6CR0FpR>EY}7LJu`jV%-x5y5qo#X{j3*nfoF7FF~qNr
zmXqvtUeCIb>nk-g<v7$Vt!BIK?&7PI8Mh-o;*$2V_t8#ZI+47+oS;1U2%UiegRR!7
z3bn9okri6yoXXm&xQn;z3|*9x(*h?A7#z}C@a_Mzz+$PYGGS#q{0=8|PQ{tUI2`Pi
zG!SezjpRTTcwyW-UdSmMmvno|!y_QSq2qoY2Q479g8%F4KE_JbvRg62@y&l*)pihZ
zqK2!mLe=wA<sQXcvgaCraI|pWrU3{kN3-+;C)yLc<A$bBidztPAkcYwG~eb3xF_y&
zk$dpE!7g<q@y;F?9rwnGvciXxrzU!dDs;`3bvur3AA4FSF7}Dty)PlyAnx-SzD_l5
zMbMHtI&p=I-`vQ-_}6Dx;PfF&4Ln2`sQ5wRx#Dw)Wf?P~<pJJ2_84N@{f?N7oyvy*
zYbeivdAy&ZkWlD)J-A;QRey~Gu&E?of==QhbP{P?Cn3m^MvUfEKEw(SLN5ULP5Khx
z`2fET@O*&B1AHQ&u|88k?gF(|DmXs|^u5ObeqU?TU3TF+;Qy)^p~nh7>vm|MbYbs%
zUAT!Zbd_DOH=;SM-Y=_w?J-HIu=BkNywBZamwi$Nn$3Slv+;c4f3e}QZkO+YDZ@x1
zKy}54@u%By9gYz*5MtyrrjqMIA;h=O6=Q|{bHvCyb(<sO8)&>0&$fTUqgL>Mrj8gZ
z^zMrBUH3waynkC(Q8nf4nF^G_!PEyRgWb`!U>|fX*d1M49n8BnT0XK#68BbCh|5M<
z>nek?@XbbCtKF@{wK~{JTw;zpKdO`_I06526FIzz9<n27d9}NZ)&7sBAT`l)S}8eO
zK8Du7mhb`lZ^569Y6%p95=B^*Lkh%6R(Ul5qMstKMh=oJ(@Hl0>>$9vOyn0FNReDQ
zkRrKG0`m=^ukeav(U(rFCCE*vo`hq`f~)x?t4PXW--)D=J*78xrJDiSfJ4qtwanp=
zifGCqt)l6q{*oAQm19jPonnJkXv5OHKpbO*o(^a(qmJQ(aI~jnDOJ$c0a}0paUcg(
zWYxEzSZhC^9s|^eEHNB4Wd>!9wMwmWK!NC6*(!^UtqfUoM6gwG^=*U`a6~Xpz-TO$
zWn$^fxApjf{jJ^%cbg0g1l9xb9fkvyEy<;CQ2!O$Ridv4I`f$A)V4sJ&!ev=S^W9h
z$S`0~%FBsy9463c71t&k-^y~a#zE4XW_+crm1Zl*Cffi5IUpBICL6I<sE)-tX0+T<
zR_hLLWF|816rlJ$i7wWNrHWGK)Xc%=l%ahm-US*lnUk?Yfbq?EWu;6UbesY@CfO?P
z`6b)rJ$%4YolFMaqYB<a1z6(aLYX4{l>^3NO;6^lmCTnb`HipAKoqajSSl|J^7`Yx
zvC4xZzTxuVs1U2{GOjgNZd3?XF5cTmdgI1dPA-RmFCUi+%VU`4{ZilvtSk2pL)bTO
z_VJaIKMTt04@EiY3&iPMSMJwT5+{NU_<;*d#|{;bT28kD+(Zhs3N>K<^i6>{Dp@%I
zMkE7%q$?_nNJfoO$((N}hrsq^EMyC1A$@pV>p?(LfjA*qISj`0s(!rccwW_;SABON
zU}29WTMCqgeM-*+2!~+eyk%79jQqXo6L@tiGvA)P&|4L^d~e`5?c|w()92~mBq$5?
z2xzRV-G+v<_xI2!z4$weAD{e=iF)%DJd*szUs=J27+aZS1Xj<-HyV#E!0hXT@%iq-
z_<VgZzCJ#DYTj{sU!Mxxev{AposLmDeGlvN?gZc+2YP-8d=UNHL%`E#dU;{a*XLdT
z`}m;$2YlX4QTiXk*Z=KtK!yUbTQB8A=vEKi@Ad<_->n|H-=!DtzV$?KUtRu0=(d`l
z2=1$GCqkEc))S#iFWZR_Ru9D5N+DKTW443gpBo#;8?&AbUFz9r_kT2sU9r60o1ZyN
zuL+7khNN>`!`V7xUk2pqd9cq-x{?%rmB(G{dVIpg!@Jk7+otCl$_4Y68Ff=<><qsb
zN&h}TUmAW?2f(>=1@4y*CijkX)3J}gt;210Z?UE~e!xRP$Tf}Yunai4e3^MQJ1%j0
zwS$I5jZ`g{^zPDAw?^i^c}n|>lhA%%1_>FW8SgSlc$YEP5U$GG+M@hJPd2By!ODk=
zc5|y01?wV?H9M7@D`0IVhs?B&S}9+cO2ae6LbRHIRtsz3sy#stsf)PSvovQm`O*;A
zc`9hOFiHQ6u3U4gQ)$3^=mI#p)J2-a1(~S=c}g!+4<`6#h^dv)=Ap`HG_^8XO$~Oj
z)FFxgXFTGuxWjGGQ#zRX@&ll`?w92?{W&CkVTD&Zs940rmn=`BQ5n6GM3WuxC)xqO
z$qx7njS*Ip7-cMYHjgjajW|#h`+Dm;Zd{{4z~f8`Orfb6UOZ|HP=&byRhlbM<-5FA
z40~)rWAJF6?*a$PkJc-eE%BzlCi*BteB+8Zcs&s|xc}UtV>)Xam3Yvn`Z0<Fs}&Th
z1JLdN0C`9@x0N~zo49jqXJHn1l~t;Zv{u`a`r!sxW%>3@YhP@T-BLvvU3rDB$mP2t
z{?<jl{oXqNpIfNVmwx})f;(@aZ0U>O7|Y{QQS}VST!qcx297tZ!WII;i{U-VTwmf4
zNq|VmAjoWHKqLXe+(K}-ENLr!;PtDmWwF<XzE`&_ZpE>IWKE{nRQj|6Ha5nxe5O!V
zJT{dESLlv-9oe0hzc({w&>u$jwykNYc-AOCHX!?!BP*K(@(?)v4=VuGV|<4yV}PlZ
zTL|K%U^e$n6}|y3z1;vF0^b0Chs|~GX_<u$a7oz!9Nr22gQ17XGz5W;3i@-B1@<sk
zU{7-e_I#I_mgTVXs7SI<GK2G(3Ia34xbK7(@_miyUthvktU_$YlmbQZJaZ<e#PSO2
z(VQmBf9S!f6V7h~`fCz5jiMp#!7{AnSOI(A)Kvb22*b7a$qiMi4*_4eN?z@^m9H{6
zHIY}TR-SxluynRyGUiS^WCS)3O2wn&9+)DHG5Su5cGuzapc$hFB3A4)S1^ykU>;)&
zE+vQuU7<anW}GhPV8+I{vewjio+OU-;Wb?`bJmV>=D|ad6=Wx&;epn01GX{fE?6Hy
z@nnf`1(+Vp^q`a*1?Cj-RPuMi9>PU_S~3i1#u>p2P9-OC?R^DBx;US;kbj^3x9{&1
z?5N>%|4^b&U|OQ{r05CvHx}%;KOtI-Mdz81WjuA4#F_5JkYZg22cGGyL&3nwBL^%u
zhyf)Rm~$sAnM9M6xJdOgQuu@6M0p?g{Kn@|Nq9@Tm_c>;=LmUwTj|{+!VVrJ>fO&E
z9wds_8OiHFifY2^Kt$UKNjY7bp32SZ^O{3n+e_YAx8fP`;c619&4U8TR_!NVt!yvw
zmqy-cJT}(Ph+QU3RSrbuEBbu10DU$r6OQv!5bqBQ&+&J^PclxM#U#9DnDLsClq8J?
z(bnh1Gm}ufH-l;*^fZbKQJjFsj--Q}dO!3`vXN8qhYDtLYF+^s|8mrf1_F5lZmIm`
zv3vtDo&QGGs9T<_%j$Zi5?)R!)OD*s;QbZWFy9QWfDxot#t;rw#uyF;vu`=Ihq-`e
z4|48sk{^%#74GnN@RRO)6<S9%E3Ln+hqu$`aYFjdPCO96P%{vsoirD;6Xt?;qFpmN
zDW7x&DIeYgQjT^_!pqM?9-SlorY9^-C-YF;sB_DRI%kZibJ}jHb+2HQpI-pj1Z4WF
zILcEnh{V1Dz&|}9i7_BCY>)o}^6r%hKp&Oul=Pbeu~&Y@PMKyFV=JL&H!7iLv6axX
znB}aAb>qZW#>R<Ru529Ju8Hxn?iv-cO`UUA9$y18=$m5kjf?b*^T9u`cTfnbLZM5B
zKYyDQ|8PMvIr_K44=cXeQcZ;?zW1>brzENoL??y0?+|R_Cp4WBE~cj2UVJnDMnWH~
zB%xAP>N#7b>lJ8ch;TlC5}4!lVlgY&1)=jmFS${mmn=>%4>-LH0liGfzsNx{-7%8;
z!HDR<nPQf^jZku?@CxpnDXJt;N>X7$N>RQkC8k)+EkTVZB{Y;%$b%A4NNx!z<Vi`A
z5F&Bm`SY}#4DmVSBs0XM=QV^|Y%^7nLds<8&(mge>H4{mLl`-TQGux;wYKcnz;d!a
zhqcMUb2+YO9Mr@?pOt~4(p<}qwt)PH7Hdf3E!(~RTX`SL_Ex+lNCsRsUi{B3u~wE{
zGch<T=)%<8e*%4CWFK30y~hp9>izE~-u7m7YT7?HQH!@w#yF|Hl%6)tDn{Q8#WdxH
zVw&!T+GbR|dyl!(MQBD3V?FQQ0|7kR2m)x2Bhf!CjZ4&bH}YB=d996QwH}2ATGoOb
z?&jIZ;oeqWJrCr7(OBi-yXYYV;(Jl3o)?Ac_oB+GKRz64*|i-_9R_jSn*!o^d^kzi
zAyBYDOA5rtkVgt3jy#4ma-U6^0pdW}&*yk?(~OXG0Z*g&Ttj*adZ^FK7AK)BT@eMJ
z8ByD0MD=Gz)VD!WGfoWu*g_3#Jx&e(4Zx9;0{|BBwk|7z;)mPX$cdp0a27<y4MO_g
z7QL+ee<6C?;v$HP8-)A{YumU?K)kycgU(%yLEl}BLEr79OpkcCW{|SB%lYEeEL+>g
zWuoGHwH|pWwWyJGX=|1(ZCPz6^jQ%cTc=I3iH`Sz(QaNa+PxQyb{}`MVi;mw-Q|3B
z8}ZfcmLwbzID70)M{w0qcw=kU7YlntIjwm~TAzFyUp1n<)CkwIzBQ!Ie9K#~<pEg6
zVW)E>77q2s1_kgXe1SjINDXN^U)m2B4d9DPH5g=JEm-fI4`IgHfCWYSIM$O2FQ#7M
zK!5V)|FSh-^KZ-he?iHIq@c`7P5v9o2IUtTfL)ToV!>lEOE%v9peB0o;DU9USXaK#
zk9uLDA6&pf|Nf;r@3F1c!BjugQ`q@~FL|w+)>`84os7z2KiFtn>_^{l3>&eJkMQ%K
zbM-=0Rrva&I8=QN%O<`q5y}$(9)~4<6o(~#U63U7M3}PnJg+$Y#oRO};?L&9X4~xk
zVD<;2zxbwC>YR1=?Ki0R0MANJ{^<0)-f6=F_6Ep3;PYJa+<d=8bfewpG|jy7VU?&#
zyng$35|7rR9@xH_L0mhU&EqM>4J)%(o>-Aq>DOI1?@|pdwW$4oIkC@bH)JjJVnbG|
zsLAiM^-c|8|Hdt&hQTuGcUa*?CGAcQ(_Wq!)?lB$(cWJ1ueJ19`lT1=&aPT<LZ8j*
zIx?vmw@9n^u;=TkhJu+}0;g!F&kr2q1An7hRO1p&gj;+e;s9|=*A?{1il=0!r4g6d
z2>hC;qM4cOqT0!gb+uURWqpx@><!4R8NpXFwG_rQ$TU2cs_6&zdEWQtkLT-EWk=W-
z5nWy+7N2}@s_IVPZ6i00V4=+E>xeG*<8MY4AFsN8#LvThw0)NLncq|IbXH<%^eZ{r
zXVAYK=o7rIr^zR1mw<Rm+;Tom_M|2Drr#V)vZv;pI)c96{s8eO00m=Z`}E%&(qYrM
zmzJtL)#F$lT%S5hr3>XzG{S!7D~FlX0)buS2gUZ}#BFvQXn~v!V;&D-4)%pTEl+cx
ze5%Y1kND+=ItA4d<{)mgJ)OvKphfaE@Zb;pPO_)|C_gXfw3X(_DKyrex>02ZT1BxE
z+Mh$OC2~)7pt^GYOl&;-vd6Cxa{hbAV+BBKwSNI{0tYNR<>t_QiK-;<>oUv*s#r$i
z+I9<+95-Ha2X3X1-;WU<GD*IKgX@fq-ZKDn2Gl-B&QIN+>impLyI;{0Ie)tZ%H}82
z%OrtPC2Ar+z>5L?GpB5B<PwOMD-)ebu*sF;2@(!Ur9EL8VV{%kuwNdo!Fy$CZ~l9J
zy2CU4E_;)-P5z8m4u|AXczk?sF<8FEKEXZ(qZ}fS(xhyjL<8CxRf^?<x4;T`;d~Sh
zl1J^6`b&6vdsm^ZJlXo{2f$lpfVGv6sa9CJth~{Qant4Jn=nn#{l{&Q_~Y7Ti7QYs
zN1w?(@p^W~rXbA##2Lk~$X#;UyXq?aoK7RMdG4YplLL};k3;gK2Wc=-{_5LAW-!2l
zV+38#F8y9@F1@3npGggS@{41eH|{@zC;Rq=zl-2h1V;kr115S=ypV_fwnN@G`A6C&
zuoAUDbD7_II;-NxI`|EoVyraLOTCf#s`B78DbLXCCWnpLyXoUf)U$L8Hr(M;`?8T1
zp^_6EFK87W_0uUz2;vXj^q)e6*0F>A#<rUX!$~y}Un`HoTC=bwj%}$GKD`(`Vz0X{
zC`Z`0phJY=8f%D+u_~yDmH~x5{pY5G1qRYPx2;*bkse5k7Oq&Ln>1%j&S*n3@(d6X
z1Xb;%@R{de{Ja9`gYAi#uS-tL;NcORPLuMS<?5!v+<x*1>?gl^l}paQ^uN$f3GVZf
zKH-LJ%Oq9TtJfz#);V1ioSyw6<i$JxV%kWrh1Di_`TbJmu9}v}O%S`+cop_1Mp8@S
zFgseBtZ6SqVjXr$@UKnFU5DJozp5WeE!0lAK}B8x`;|<2GO{XdJs+egjEScqQHH%#
zX%{)dF1`}MsJKO`899R4El0u=&Q{iN!qkAVx&@2YtX*Ib2hMJ*61Ohi8M0yz23En1
zq@pVe&#LP54_+c$VPbOjb~ovLACS|6bFjQljGBQEbhBMmFtz5d#vOvFNzZiIKD{S3
zc1|dwq4_klNZbXF{9+BMa<5R8wfa(fM^<HR$1GB5<!M!zs$*AH1$MLcj#On?ZZD?N
zvcv3&CLaMY9ywCyb+7JG11;6Bew%d;){DCyws#aKHE?8ImexR`Wi4y)dlTxiL=UHs
zVxEB)$$9CdnbYAfoDAJThAm1>)LL*l33`gUM&|?VGfi|D0dd-JGb7SrucTUY_x@sn
zuK-Qq`@qs3MLQ*U-&|A5u$tB~V18v;&)hY6)I)F-<ql|aCwx)W_>5(vf3M1-;7l5f
zRAdVgIvJkd3#%aSA=P@EhIpQuYUi1Y0l^FQvV_hwT3uYaT|>c7;hTGTWUB^!N3oA!
zc(IrYB?MYPZb!Z$`>3h*BU&RN%2W$%!V<v$0{DxgTQqRz@WhWWSTCua_VRiW$}S$R
zrf(mk68r33EkxKuu-%uE+!b~#%RtCKz{&p;cz;hr2rq%P{IP?t&u~M$r|S6er2Q9>
z$v&$cGi))igPrJ*nzdZgp#^i)bscypewbm%0F_%x=Gc3ns^5b0M)J4G@p(af>c1_P
z9d3)UvKjcBp~bIh4EZv9`VwK*zWdgNb(>>g->JpPbO`CpcuMVW9mQBSXv6PF-Pll<
z_c2p-evQC!&9h(P?L?jZEdoZj=v<9Q2icG0qCB_<(v8aX`O2~3YNo9_n0-?{&HeTa
z#O`1xR8Q0}1rI}VPBr@|OH->~bjj@tM}9TXM{KzoOohfE1s@W%!*}`@^9cB=BKch_
z_)6aADfKi#*L(x^1yIQ~>Wws%BZ_IKS==QL4bnWgn+%)z?`mIWRfqa6TY}uR*9Ea{
zskxZ0JFYtvwf2PW|55fHa8VxH-#7&KS+coq44XA(HxFy?8e{Jo6)Ru`1VK~;DT*Kp
ziYSOZ_O7Vd5fzoHQ~?2%ZUqDZjV&5u)FhsV47vG#=UFVd_xF3>_y76aT$icmIWu$S
zoS8Y_^ZLq+4hBtRy9r*?mIrUy5^kxP9x_^?iChzLV$D%->0bZ_=7IiRiJ91upM+}f
z7oNMCX>iF@xXg5(Z>?udhSX5M)dq^b$xb5p^S+95GS^>DUf^-gfJmYj+{eWY)I**5
z7ee1IU;!AePide*9q>M?>BpXC{H57HJdhCX+m&vq>Rh$74tI}D@&B5`?32G-8zv5q
z)}4;U`%7rms8Yv3D(CapLK<H~TdFmY`CRfOlS`c8Fqb^$vgGM0Xr|ZK&~T-3o^`{7
zz9v8fv2T4AKmdh70EHVggSh~TGzuWibZK@KCT}HXp`^qrS$)g4gpTk@lUB<+s^QW1
z@+l3v(Fi_$v0e<COY~KTY}VQm9rVFv8#~F;Fm;sDEGz_M%B_(lR<=B9rhL?PVa?4#
zK+rN_+sTA2=k#wb&F)}e4%OrUVtZX>E!}5f3@tH+YDB%Ao7_Vcc~E5GbuRev4;f58
z$jgJKl<cUYG}ZMKi$5UHHR+IeAzb36L*fBwb0%c?j~ft9oCHL%mDj8zn{Zp$K@$`-
z9xJoHnq^AWSfDxBZrA41H-MDrUrXVjvwu?>h;MzI2ifpN`!v?dFo?dP<)v&nebEQr
z36`VC5<<d8OKVG%^l7$tzi;j4a3OI}<qJQT4OO8*M}rRSwAdi!X?BuF)7N+%O6}la
zlO7RqJX*hd$GUaf4VsMyDioUB?Mp*91?jE4W_I*9jAKEI1}(D*91H}I1r<y47v443
z9B)Z)0ZpMEPif-cCJ(|)?jW8!Lbs*~JE3ci5JK2c1<MxH9^m%XR0@HFYgA(vLszwx
z3@;<EQioL5fkG(lM!lL{76z`v2Ao6}L~PxZ0knv^pa!XFtz<pu%ys%!ar^AiUD5h&
zJAYWW)1WEgJNpxPXD|DBXMgfvJ3Dh`Zxm1YQZH0IXN8qi_#A(*Ld6*f;8aZFn~<UK
zG?vWnQg)Rlg!08j8<lH+P|OyVY+rh4eirupW`P*VRMn{o$L1Yh`t|xP${lNWtlP2P
z91U!^N#Rfd{;r`c#3{`eM{s)M$&NA=ogoO>Nkw1GL3XmA0Ox>{NJCWXOwd%vX&ONJ
zipMM;Ga2Yb{aL=^f}mcDQ<+U8ZZ_x=I25Vk+C(a?<_r-u!8>S_f<D<-jW}&OS+U^m
zH6dKF2!>*jJE73`?&`1AH^57%X}?x$N~8k~th7?H(R2oE`w`r{8GmrkN&U86KdjsF
zo|^+jnt_{L0NrqLTS$$RG#!kJ5!5BPN!c&+iROv^GJD*>o+XETv)Cu()NHTneI+HV
zH#Q@=-|6}BtG-s3$oxU2@0Dy4_|jW6it^V2x!`*fFb3VZ>V_~VH%3*hhVB+v3yqD(
z=tcj6+&^NiETT6G&Fu%A?t}w--p>MAzq?HXMbCxp?F`?t0RVRdFd~eubBG@d=#buA
zr!%%~K|%1ptQ#1rjoiCw%Py|ht$<!Pf61Pkvkm+s6q<^?P!xZ9S9{||MSU%2gAx%u
z*$hRy%V!s7K|J@yx~G|#&_OlO;cK+mup5fzzg9jI**QV|#`x7IjZc@j79eH(Lks8w
z*_8KwTgzkl&<M%|^<LxHI|WLwZu7wAz2Lt^nZ|)1$Om5IT(s-bnF|>%na$qq1p|Kr
z6m6gC*VH8E!uuV-CT@V94FH6T7JyuifNiAKiw)|28|qq{eiYsnzA9@0=`pp|ESJ`5
z;i|p178<Z2l{FS<l=KOFp87DGplJ(T7IM6yMd?8)foZ+TrdfAn*MFk$<{^{StBmT9
zG!dS>6G7@Ns5+yRtP>reQSh7UA@pPem(E-6x5OQ71jQ|j3O?1H1~vo4)<|}PO=eFO
z4~6Gswg1e4n8*ZpH6M06=zYNFXJ*wbUQnllkzQO4vyj!WRS1tPtw$#}Kj>3>k)<j%
zzn2TL&i3>=Z4BZDN^~^@5>*RZqt0(l)4$F0gdk-0)nu=v?%(CG4pZl>Sp&JgyDzX<
zKKNb3MCDdQY>Fvuxs^~EkHBdrB18=YjZw-7+<y2k8Ka=7M3C&XzQKmz4Q#%Zcoz-)
zKUos>=JL)U+Y?kFSB|ZTyHzIAWO{{$;n{)2#@JEJ8r~?TrXx8-rG|o%4)dYL4S8>H
zz()2w<B$lm0<l&eSD&E62dgzMAB>85uqh78CI$AN1*&{8^%tn@Nr)Pp)JAMw*Rrj6
zkZ)jkwF`~CzBwJ%Bx4U-%=fTl>|vV3B|J2>Yv^55<eM!Lk%8oWJl=Gy$OEA!PgQ9a
zw}WZfMFs5nQhHrrnpH_>;8}GJdY<a%U+7zEIp981+S<;ypJ9j~=hA)D?P%h*m>nk$
zEG=s`Z&~mfyOrk5W<L9u1G}eVQ){7fwgGBo`>EB`!mxM4-aWeF^volv`r6cS?bs)F
zLx&oG97|I~wLgb?w1}(%KJCg%&8wHt>ghi16S2kkGoQumyG1^JAzueLz^)vxxGB_1
zL$s09R{<aL-&vq=^xVPR-9MXih+8>CAEF8ZZX4ohKJ^zV_ck{w@$z;bHpoYtSA}g_
zp|_v4u)mkVg_$UZaud^e7;_$~bRiQIs8L}{`<!gx7n6J2tj-Xs-L-qu<{gHRyOTsk
zpNp|U8IUDSXf8I7obo#=4na(1;)W_)AX;*0-QS)96?Xdh22@zm^N?N>O1N~}sZu!S
zUJWVHtFuAh7}eV}i|Q(`QW{x0y9)MWb<=WzZ0Iz%A20JK!H-4FG!t_DQR}KoP+`Xg
zNq~uz97DDH_ioy}-LUNLdQmavY|OG`J#s-1a)D;30>FV^Xw}rf;~e|Q0)V{K3BDBB
zfKI)DxLNxQyC3a-vg?sKbrLiK>-*G5!7Ni5+A_4|@|NbBox{Ty&GpiUuiCU}wLvpw
z=@5nHz?yw~)*aNV%MJ&oJfk0eHLbowx69De9r6_}tS(!Z0c4(i?gwV=oAZn<YIa$8
zN{jZLKajXD4pL#Q<LaR^bj-I*3htup$`&toTRJ<0Ly|3v4~Y*+=uC^7br#fHFjjMK
zlOz0*WynydaX2;#R~f?qsn^gJoMRy{5&#2%-n59LG6mOvEvOHujFCXq9e4?v2xV)c
z4Di&aq`vcL>VsYCb5#QhyP8G-863zoj^*TtNnHil%PQ(7tiPpLbS7r`Y5lJcWN>in
z7fhJr9<pezVbdK2Sq)%T%1y%+hkWNoxa&Lg>HsX+-nYLcv$&Z3hoTJYhbadAq5Xcw
z4Om%b>1Bl{qr(HD3@lga?-vm63$UW5i{`?O*+6;96Q@qX`?)e^cysnI=V7A^>NM3_
z%HnW~<SS45YHrG^FzNf%_hG&=h^GtqVqHR^L8e!#$qirk3SSpYmQdp-qb}#kkV+bQ
z4}&4`i~}ls@wA3k<s7W0-|O1ZW^Tof0PhZ{>VvUoNp}Qw928Y6Y}O^F<OKN&Ey#&h
zt7sJ4J{o?*)qrattJ}(Z34XS=Zu9%YWHqNMk;dEu0xEz;I{`>S97!+4tF%c)@nd9&
zF7;?$WCo{)hVcU5qCgD_sOe`F)dCWC97IXe7q!sphPAC`jfXq=&Gk0KJ1UNyJR6y&
zugG<53uDx40{P&5<m&O0yX&X9MMljtcsVL&C*~~7$I=^(cd~)xb(>n30u!*h`u7Uj
zcOS-RAX+wm#v#P}boq&y!{>7l(=9c$;C3jWF@vkg>vwL3w%q-&FA4g!rP_h^a%`fk
z^2)08A*>NIa~cXva#!%&2vK>x28=-rd(Lx!Q8Lqh9?b`*&&Xd4>z27HfMubhDT<B4
zV`0cu?GTsKxw$FF%YiaE7`*);iQYwE{a>P}t^gu44GEOKx<!rBrcnz%9}t=9B}}Aw
zTC%wNBd~a<jeEq*$2xhrPB(0MVGQE?Ru1C(k_Yj9YYgK1k_Yjvrcz~k+Ie8VS0&o9
zA#9`FIIEClTegH5mf9#*?K>hvrA`s4)58HGh9m_e5`{3dmygC@G<at!{O8SD<f893
z0kH>RrY^n$+4^$tmCP!AQq1B7(FO#hIqfz5#5g^(Xx@hnWrJVz;h@S0Eb~4bj{3;|
z7SoVrOZR`VIPi2)b>LIY^#TcJ9P4lZ2|HEP9BvLvk7K;4GgV{--M-i<kbv~r2;!^t
zEy5JCs?r?7=~!__+Uo;`{m-|)*aiUxH#yh(KGaT$nKlj+H(6N2K3Ux|q@B6u(D$K!
zzVr0qt2b?0WzY->fgC%uX766eF^#L#<SwT6WhzvWGuA-I+b)GPN=6_6zOB_gM4M|`
zO>==TJ(t=FWPUf5Okkt_F(`$ZTcR7l<J2IsyB9h3Q%a5D7_GTPRyll<Cx{7vx&v$f
zkFuIgl4^L7j|H||D;t5}9?G#K{zx-@!1o1XP>3Vg05%wx``;!uVJ78&n^=dL$g8ls
zuo(v14H$3O&AS2$6`~_p799tTtGgLi_ekUF9?4gCGn!BWW!1bNRtO|yXQ8_OQ!wKe
zn6XgRe?tkqt>D(C#U3eGvzNv<eZ`?&P3e^)eSgHUX#K7o>(|28+`In{@L#tr4c#21
zA3fK#lb>N4Yrkw-s8gs5M0-d|aQd<|b4~QO6s_ouD~*;7^1J8XCL_a4Xr~B46bPDE
zDn<)Sxxu*{g>+bVUa8ar@TS#fr^riN%rG2Y^mQsA?t74b34oFVg)s<>15C~m>TKNF
zX>BEpP7???7;p-j827Ux=jf4LCkQ7#C49qwLJP!?H~X@WH~S|wD%OSVR6G($P4fXb
zI{!A!ufiW}z9JE#v?m)%D@T`7rxI#bWdVJFcbAUtvJt~(2gRwpl|O8mB%W|O>UVtE
z*XuVcx4*M5If)%)6@gY)n#lwXQ?e$oFTbTgMHc~nq)v*7<TQjiO~fCtV!8;>W&)x7
z@8y!E8O>D`vAN|m7XZJ_*j&X$LEQ$_1dc0&w!xbHZ8DaFx%2~=3lxtevSmZHrGjSB
zPU@q0u(vexu1?lLxQ!Xeb&w^p4zdV3NQ!$}@TE0hs~0se5%MOg64vHe8l@VlgvBut
zOiTQkVpRWRqC5QpkF5q#I{#-S;#ke+cJHFFyVRNUhwnyFm1c57v%r`2;;D(zOXAiU
zy8<&l%11|>7vF&w-wLcLc+s7lWFb8lr+a#QFIvvQjF`_`9$2y+2BuRrG&LtI&G|S8
z;GF|9xF79+%9i*7)E?(UUKAngcq?Tc&x2D8<xbwvl<FKPPy-=Q&`yO^+@M6koLs%;
zhj4vR$hI>}4E?E{Li1BLsTDC12X`IQ@7}m!{Wb&I+`KY;6M%d@gU0(AY!Qo~Gl$4B
zHVkEiz>a&Y(>q-(2TL0;ynI_VJ0bPa($M-ocU5e=px(o01=n*dWN7pi+${3J$lat;
zzCl}I<wCM7hh*XV)m&Q6=3=wHWgPm&uJ5m1U&+G{8*{mF*qt%#7k4BcI(PbO&4K^t
zkm?5DhP15c{&q1iaoJ2DfG3GC?x05WLLABZV1>HdhE$|c%T)G-K)s}KJfmOzIE8~S
zh+~wtSE`3_u_S$Y*G&2nl-$5^Sey#;TuCE=ezRK9OPJ6+#6M*IGCzog;Haf1Lr#o+
z%gxYsaK-AuwksY8#iZDOYJc>BlTa29&ObQsfbUJFXokh-4qkoAbsq~^_u+~R?wdxv
zQ)DdRd<F9ndd#xJB**iWHN^i45zKXYc@o`8GbQWN%-dO|unkoZ4gU}fMyVih695JP
z4X5i6x={0N#E<IzkH!Eiz^iY$EJi(6?&MPWrP4bpXd*?(_(x<}bu8KgV3B_*ji~8g
zs!4^-6%3mzwF?{%lMyb{RTY4U;wY0+wV3Y!p0_l0EqTawHNu{|s?K45f#(at#8$1K
z$dD?H%Ll7r9*l;Auo;}7j3PAW{}#*>$mIwageUTQr19(*1noh@pq~!aT^cX)z(Wnn
z^6R>T=T$zTr534o7u}<|m743c8~T<0!Oyrf{B-Qq?ga)-?Dv_Y51rGcTv|&l4p=5`
zjoooFBAA<jOV$inWzO0x=^ox*H~IREQfEueb!I+iuoe4U$G-lRLo6YLkJZ?#kDnKo
z{C2`{%_YTUfUcv%NI)#nLpY)Q(jAv#)FY$(GP(cKB|G@~TAC{Y&}41dgVI^F&8<Y!
zRmAan_R*Lk1NBfo|KZLGvVaki!@g8#tPkcf!xi?;RVJE0m12c6dv+eR)QB#t5LDA<
z(B>6uH-_o$0=&l<Sa)UTP2cZg765mjL|TPrvp9(?C(t*xB$|I)A1nBTtyqYfgSI2&
zW><0juFXH}(c{m$&nZz`d;QAmHzV`<^s$=Qy3LIVwT8=$9J~^WOU@=_W}bB$J;uw;
z!JrZQ;{te$mbPWEZG!qzXt9)e#o|oWwwu(d1O{$MsJ0^iRC0zP%Oi6^%JL(n&F1Wy
zd1U(O%<HjLCmxs&7J`QQjCHfK$+Rt+QDS~OtL*XvUB$Gl{+61GZnmR(PTTJgWe0?o
z(JnSqdgxl*8$zEUX9ivdXP-$-zj)BgeWHWgcsI+%38C@lb(!@ufNeH>QrhiH=i^gi
z4Jjk?M-@&s*Hn1B&kREJ4TRc|qKZu~R?()a60x|^P{%47PvbMn%kE?hVdL3&#{u6P
z)V6Rz_5PJ+ic*QS;2Ah`>BJT0_GDh~&DtuFc~ja6vG)_zs+bKuP~kqMJCp~+<<OC0
zSQ%6Goiux*y=AJi;zDf7*)09N1cza*nF&*}DQvPqy;rn_#2-;i*B;W3;&btW%9d8B
zOw;btHozPoPUYEB;Z3ShHN7wFrcI}*4SKMnUsY`QG}bwctun`FT$5t2StJrX5jT%i
z+2R~yN<N(|GEJzU?RW_hnu4@qnu!h84qsbdN{vg)`S%X7ucdKhomE+0mNgJq665Uq
z3^mZqMln&xl9K$6d3*T<%$yk&a27lWEs$agP?vV0ru1{8vaA8j)@kjm)t&}6pNbUO
zN6#Nm($~kxZQ7=9N!)hMK=WCVV$woS|CxGq5O9}{TsOU3LlHHlVrip+4)@5KtTW3i
zD>H|nYio!8xb|Ta@wMlE1*UhM1szmPddJ)<vkOh74mX*V;O(|<otJ^ygUKchOdbIy
z_n$P!cCuv}n0!7JOs<XvlUsntlZ`x{{f@_`bO&s`!};vZ`FzdD=d-EeXqnHZGyrDu
z03)xX!Rrp-^$YOYrGeMpMqUGROGO7psyH&Wk=L0<UT;WI;Zw;Kyq<*5t-M3(JC*!{
z``O>e!;&#smDSbY^%yqVzIQ(Zxi*S930}`X=IuQnygnHaV*smUUSBS!=<-s|>wCH2
zwd2~EE9V%nPnIYyACEhp%z52^QZ3nLY)RUI*f7gksbX?~yPu13TDzARr?nYvdMNT4
z+)<vvoBuI`JHDI2lQ4sy@EJUU&*0Xi`~4|@HDosI4m0mNiH@jJVzTv>@l&n3GLueh
z66<bI?@`%4E2i=%n6*ENQSz*XJ(14&36HZQF`})6^UxaA_dvYcO<PVwdF@2@eBO?j
z#(IRYHUB+tdtIlo`IK5@dg?Cihn2SEqUeSdiciVpE7Xj3Jrv~`;>%}<bQ3d#FF#KF
z!z#11rc(2ptWU!SyfA*i$UE%Qe)jl)M0`NiIeb9J_w>8T^qW!<W<(MH1~<$Id_!)-
zH=K$QN8%eysUN09KmHxNXxkaghz`KG!<?|1#=3>Eb>`~X#yOGB=fv)jD!2FF5oi34
z6&FP=X_6Zx4G$C5qzVtmmQc_DT;Kw`d;ox#g4mKO8P1N&p&GDiQpP>Vq5fdEy<^`7
zIkfC0mqYjEQ4E<FX6^tvwCvp|M!l0mW8N*3F4X1?4ECk~!5UV<MUgy|TnO30`0vcV
zVlx>|Ww^xHRzSf}6njvIGqturF{Uu=eV_hxlguC6<_(UdC*qCcDVbHe-v?Y}W*aSs
z{xHGY$>pL$v$)vgsH~0Vr9ULOjni38pTfSew1$pCoiiN<4VmIRc&Ov~1b4$sJB9Ow
zq8YC-IcZE0-F}Q|gBT=Zek|%Kb%i#3qQ0NPjuMp2xroD>1sptcFlPT5s7LF)*4caO
zm@_0Th|Dd(1-hy939g!#gFLg}sxetxcQ0b5vwc?t&odmLNebF<gWZA?<JF6PisNxn
zdoSv%v!`_FjBv6;r=5#)H@Mj;TrU>Lq#$@#N<K{~HI=8W9E0xlg9muhVL9SDGjo_U
z*U8O5)3=n}c&v|42%2}Ca#eA2oT5kSvBjBpV7u77=Q!!GF#J%Y?eBP-^x=l937N+e
zu~H^??>=pUH8?BP+;}Iucb&u<=t_>}8TH><(M=`pJ4Q`s-NV=><5I|aC&KY%O{&YD
zKekVwc$OZk5>D}OxvxgvVrH!ejczwG(J9S~E{WrP#@qJPwSDwGobWUi$x<Wj;L}!T
z@9GLKCSAFa=rGP{p{uK#B_MFwRqdb&mu}|AW@g41e)6dD?x`Cy)#ZCjnWJ{sD7En2
zMzNd<w1Z~nK75pZHNQ4vIMeSi*v@kFpRNyJWuS?K*Az+aUEVN@HobbYFWEOYt;qCp
z?&<V+19M&dy;UFmOt(X)=kr$-?y;AAZzAwVekh**;e+_=zaL0xO5!!M5;j<S?`%fN
z1Km~s*csmQ7tQgA3OciS%Z81cEjQYGxlURDoI+HzApH04DIxo-5gN%9B^^(E2H8K?
z_}`a))HT#Wq=!vyRro*N(-9PD8EA2zz7RFA`^o87Q8Oa}$1P`~PMkMr4#)YO@bUKZ
zcem8cm=on6gO`&>By+OZ5Y$lR4c=km@#M2GNv)V9gw?A7td}6odWevaa?5oBAPWuj
zS$q{>7<!UZs0#3bXw=)=pEtUA&I!5Eui4b=(ptIQw5oXe40jSfY^wHl&iT{}hG`cR
zbLP$tbk&dbxsde-^~haB-3-Ho1FSjgWzW9SwJ)}Pg>l^@6`|XF#H!e1`nSo%Fq8Xc
zFQws?cv;yDX-O*n8!)p2cuKxB^bgbA4EfjNKTOH;ve^S^xQ$$v=Va6886sIVC9Mjz
zAJZ0*=aREKFOq+tp$2Os*EoP|{<9%Fp;$6EP0lu>F~wwomwfWyG&I}nQ89gj>RMy|
zZ|_P_D*IM0C}*G`a^#|9H=kFasVe+$5C!C#CQ2>M5-C6{wal$=i312n@y}s$`ZtOn
z<P7|q`^}$$g8Cc5+n8ZK((D`a`4pr5hEgYeV?I)VSdm-mX>6%yZhcR=B|N#<g9%7`
z<Qce~TH*a^0xdMdN^GUQnwfU%mP7jZ@eWSIhi6W^YEVyP7MEcS_?hit7Fx;ga=o9R
zo+uSHq)A2Z(%7;*(|V^ro13v^jc5>cO0FTDAs|t~VM)7tu{L_vhIKz%!8C?|S-4XN
zAm4Nvgw?Qvjrg;<X*H}dZ#F`E>6ij=rta7mJL{-(9CfN7jpfv1ioQ(e#9FfvIyNGm
zwXOkf;k%mDrPS;ZYNESzNWKv|8sS8((ShaE00p{>V~9zoW1ZbuCy)ZmB1^2>PSGOk
zOxIQTwOeIOsYZ&HM%KMzBb~|oukFkn+{zNEE|cm~EzUk(ejBR#Vw6cv^%LxtohUL~
z+m>0XD-4dAu?NR17xo-DQ&hS-^O~+`--&F?sMP7gK=*mA4a0WYkJ4#gxi4`a^@F7Y
zpcYGiIOslmbh!O6UF*1cl`=gIebB#dEq|<ebsBwK6slrRy)oPl&nnSreu|HbE7@q7
z2`Jvt8yCmLmF~>Ct$X8fYJjDy^9dn)pZ{2c?HY$sy0QCxE`$PQbVle>?{TBHI@s#Q
zF7vmu^v9vvY}T{xPt#pgWwwj;)Ls?nP~D%3@yNJA4@9%4h~k>}XUN3&1@{qDjk73u
zMPR(-g!d)sqBc)*ohbY}q*0zUo7ZSA^`&I2!-O!CJTtPC`f6`JxY;W{dh)Xu2_Y%1
z1H#`boP=;-Ivx*kdEqvxi$dM%Z_}T`Op3`_C6!XEH8f7#$`kpKW)b~bgmegyR%;a4
z4qC0+N>*#gidwBgvF&T{Dv(*RR@)ULl++5fY{wPWnG{+i-&#^mZOemi;dbp)T(~A4
zJsx-1vSu26w)i`pYv97!ODy}Qvwt0YsH4y7yTSf>R+3kFHtfXWBL>awOVMXz3&@(C
zLZolq*`v`p7taOxpRr8HQk-_TKVhwJ=U_Y1bC3U_K-gH0^XJT%2%9GQI1_a4K6CBu
zJr14mwsf41(<j%&Ykm;#o9bEznI=+PcCDGzWPrA|ZebsxXZ<j3j5N$uV3w^X15B*b
z+cDGzs{KH4|4H5l{!@p4hct{tIHam9djB?w!dWS#c65W(zDCo4-A*15;Ia6rrd=p1
zt;0JbS^Q!dLkOF38SD)d7V_{$k;cX%4Gor|K`y9oH?;VIw|L~AC5?^!!aM%Gp{;9j
zpAzqrS?~ro6v-n0+pE<TnyHAw<fP3Lf)Tmw`wZ%!dorS!nGCn}v2(FZouRmRKIu@J
z{zjbh#G&>xy=)Cz>1#!im2zueoU_H&&(y|X7kal_@T~&O*-_UN%d}}e{@JaP|2n0j
zcKF*$UZI$JI~-8JfiL5)Y>a<aiw=AZkF@#gE53f&Xx2HkZhNZfvrEaTX3zKn-<HZg
z!K(ix6{h&5zp}M;+mrv=jyDAFN>Yo|i<xG84bnEqf^E+931q=10)5xCZu>>K=#IJ$
z=$B4w^CgXuv<}2clT(JhCk_IpLCQ!PnLH#k2pMUZO+C~l2pHS2q-U4u)a73jP193f
z7fWB}i94QYuf`oe6Kj~4q*&lPckxX9aOcYp@22P6K6gCCKgw_}UUA09<M?EK#~#CQ
zdf(*U_pfmGViT4`{u$Kn5;fvY(RW4Et%ywXME2Pq+9Fck7OIOcJiIsdd|v~z6pEOW
zmfGbjubc~-HpMGoJlL(LTe0-jnUb@)=S`0$lqX)lSdw6d2c5UHzum9Gs`|8dRjby$
z2Ov)Dr}qcEF~m0NGp^|Qv%-?v+M>~2I*%RO$1wbwHt|NHaL!7RBDmBjj_imydQ6u#
z=fF(MAwptXZOKXHsol$i7A+0+GpH-2?xkc=YL{*C`YN^0q4AeB>93_vv{z~8ui0#m
z-AjRHvz^);ez$XP)$f4xjZxtd9wf73n4qqtx2b@DvnX{-wYYHkdCoPtfm*z)d#f!;
zx|o_0aBTJggUeBc|DL7059to=KY04+@nuU7TSmt#4lndP;GwsfF~`CARKTeaL+V0B
z^s;@c{dECLLgsq=MH~&V^!8B9I~Bj=qMiotF_JL9frJnJr|;(d&rG*C$@?z4rtv)q
z@;SZ#D5|NEwn9-%I(snsgu(l)B5?7Nu=%*mOf0{Xl#qIS|BB!PhBL8>!;8HSy6O9k
zv2N44z_!|;elC5Ix{-GPtTMTS@~iauHO={d^r4v_qcRetIV7oAf%cj3bM}>&FYGRN
zFnlXqMI;uQdrFyq+GCW}+*!7mBT4Mr%hVxfS`O{arCygUE?p(dVj7uFQ}Z;nVNyHx
zt@e7s{&RVTMd=Fv>5~@&9eptS5>9~*w48=wPaa8QpW{(#FV=L#VCyN1<0=ms;>lSt
zMF?{PJW9-x`4L`v_UTae1s-!|hIPwyEWMZ<9Uo)4NkIFK+mrmW^-sw33651Aao3?^
z)7e4*Vhv}9*)r<JzM!eR+7ddfb(?phuq^F)Wz@m2xse86)<ZGNYu=Lixb|HbkVT*I
zPYBDQud*yIT_II5_06FE@+X)DX!A1nL}wTlrYIJAIEOjw0kQsR4V>3z!_3f8AL@O-
z1N4Z`$Bl7tUVgUfpdo=qDkck|GX24R5k7jR7|A|u!wDIbKJ`lKg;VjTjPy_2cGmZj
z{^^s4IM5x=J|lBBlDT0w`i`w;9@M%O4ds=VQ<&Dv|3von<R5QFMXZ>6(BQ{Jg_{>Z
znqlbS%w<L{wa=q*L8j-V5qR>QEgYvA3Th?<;E7t6{KwPW-oim@ulO;qzi^DkDeRFq
zPQktwj>>;5#2?>Iye}+a?G-&IRSDN}wY)T%;3>Fx4HJip>UpXuq4W(dWbfOk)ay1B
zNnaK7XI1MSm~9r-3!$AVK}$d(^(loPLIAlHGB<E%T`8*))K7RdI$Cb_ov1#KVxhNa
zj{GQV<35!-3w8e$dQ)-@%2ugeAE?l(*&3uZ-a!81J(c>=VVW({jWH_qOi`V$>L;pq
zh^JYX(((eS;|<eG52)k;f=Fj;JK0uZt7vkq?C0kQ>)nKXX*001fd(-*?YYz2b{^yb
z4c9DPyf#2@Gwtx@1=!jm@BK=hbTqK-E7p>=YS)$xWSy$o(Z3d3_KCR(END!QnVcFN
zQ=1J{sryijXnL!L9E}g)JF3*(aGYg#-IS)(nB|D-m!j#9HMF79tTTu=+fXHq4MLQT
z$#9ZtimRvLQiP(9(3c%vJbt-j(0E*1EWWxdWAWAAbhsH;quYuWN9(@82HYPp9IQok
zkczbeFQ|WwS#OoP?}qEr7p11jQZutPDm5REf&xc*T%rql;9u&VG8}LGT}0%SA^cY^
z?FA?;VlDlf8kh0dUoWS_MX>-S@BLz0ji+5^Emf25wH3p}R~!r2y}l8ibxA1ydyiKO
zQ0iuu=|g(POQp~^C{=WxOk!bICcjDHX+_#qNW7IgT-<!CyV!%x;^%~C@UUq#nehC-
zJQ0QkR87LI#il}}AX;W$)F2(II2DbAdv~1n^#jlNj$IX?_<eF*skZlXPmjkv8dB4f
zOeIYo>hn5td5d3Bl<HA3IVWonoyn=_xOhv{uzjKiF@)cf0cO0TgtO$rzkABm+)Oup
zm`YBmXl@5Ii$veIWNLq2F^R3!`l{$FkoQrET9oKa=Js>mGE>Fo4j)QTw<HTR^U0Oy
zRL#Fzs*Y0s3Q_YnP}=@2H*qKVamI!Wi$|1<yOp6}#ho)B2;*GMNFtM@49=vR)LQ)O
ze4`e~_q;;GIQz<r%y5IfOAOWrEQ&at6qAw~X<)XPIk?xgsgF?93Tf0<L5@NiYpXaY
zcrBbY&5k@owo(e$M&?FjAIvkyW!I#LDUp+oecz0A!yOi$+^MJwCJA-jP+XROp1O+G
z1sHUy0R-pHTFoD{m6G8}ADtPU8=Y;wnQg^x&ZaU~?E|5lS}15JYe9F4*$RN(Pby%O
z1k~tALB)*WfyjAGmgO5RS0vodr2dyJ$h4MbRybAx?ZC7tSqs$UVcMIU&hg*x<52PS
z*Y@L1LieoyS*EnaKJZc)vQ{ytTv<!~wABBevN~zu<S8CL-x&t6H9*R@NMIJXA1gI~
zKFyeCV>NkxFN4~LCaCghOb&gQj|YxH6gi7`RtGniaqs&YCinH{)%Se~=u4<!^R@IH
z?_-g@{T$zJ=wpSJ#-RDSry27njGF8ZpVHrPKo~M!oWcSVX!v!h?F}xph7_8S8w=E)
z5RYbE+nRPF;lkH0846Et_aFy-8|!kMpEM~cf1Mn&#5dZIdP#B4)9&;bJvIc>)@%^#
z^`tX>vE1M>SaI|t=@}$F?qU3s+NQ|zly#~zMf5&dz+O$2lU$^i-9<T}^eqxzkzk`*
zC%qk}GK$_?sqcmFR_RE09$oC029b=Xc-34er?6v~_v^qjo&km}pvcV+G{0}gwOmgY
zI$lf{7vha1<Ou%hjv2C%i;-|Kii?qrSl!_wHN*1W2$_M}<Bbk412L~}L2_*5lH+mB
zOgj7qQX>%)VI!mlQtTi%kn|RN@;4||^%jJlBf)GSJUy$1srrJ@!(6H+KvW>jN|qJq
z8nWVX&D%nr){0Aujj|wnm}6H%UOAfQ=$FxES(d#R@9sQgEn?Q^tW{jt5_$BvUc(AF
z^*WGT^&isZqvVgIi<}DS0^z<o4_)$Fb9ob7zC5n6mnF<w6P|G#4$UTzGJl3a%=}?e
z+3*Ei$h`Xq&aq@!%Jh{(8Oq=H3=`+y8LF(5w3Kaz&BbgR7SOB$h{}$%wwP7cN6;3*
zBf!IDif&TUyevy_`~ySre!-4#efoQE)^vgDqup~UpE>~cmgkLeLuKvcx${JICCei7
z{&8^Mxm;8C9mM@c=@)15iAtV7I0+Y$`2M?*&!O-?R4MSFxJKh|pbm{KJXWsB_)hH3
zytSIYyP*Sl5*pi|$tU6y)uUXLjHSb#<(faycs={N?lVqW0d||r`>S)vuiP$2^NR`3
z3o9pkfP9!>&#4b9K%wxUazxX)PpfXuD%U)wtD)Mmg5zi73>3&F*is{=Q7#GeTH&r|
zN}CECfoiUo@t09Avtoh+PvSf{_;C24Bf4Yz51ibyecig9miw<DMs4uc1$tXIH+zGo
zEPP}5W;jhf-WIfQ^8!8V$jsV6zI^|-Beget&^Kr#A2EW;afQ$D^AW1|ddLkjxv@`0
zZt`3_&z4>$_%U%M1^z`o0I>0?(bOH|`6~eN^7dlIovntcI}}q_`q+=f(PGx6l?F{6
z-4ky?wOLtImEuA=3;G0I)oAXWk-pU4t^cxyR?<ecvPSw6o{29~;DvbaAt1wF^k5s`
z|5W1f1NCB!fw*5q8wV(%8RcPhW{JnJIB&s&KV_Rris&me=j7i~JqPDqa;j=75#|%l
zPdo>!&Rkw1_rUtM1*r7ufhcFx+hEP2jmEjgHo9WL-ctSg)&kD;9VlMJ%Dkm|nrh5k
zk5!Md9%)$4h`t72NV)Z$g~ni>X%QeJ$O7(4ol#Tf8T_hBkVs128>V(J>OaXc4avA%
zlbyjGfk0d$<Uxa?hfm2?dCK$F6@lI;Pvj%hybyXHss9Smc2l{^eIWG~!~{~^<!)Tb
z9UWj$R^fTU8pyHozeXTvTZ5)}3T!g|CNce<3Z9APh&0#u4^<u%$ybH<R5fzbC~}>;
zL2wU{RZt~;hO)a^ihO$67~%<~W5@)FgN@(D)2>T)L0}#TlCyfg($e8vb{Mg7|1Chu
z!c%gB3S~f=3rNF`6evn|7?7W08z|%rm_DyDJ4Sl#&3FYHh7#0LNh6-kOJ{8dDQHb!
zc1GEDvf_ijOLOr-(0)&<xDYMF7VsKxG?rng9vL+*=*7R0$?rT-rgWxA_Nan?7GvJf
zM)7H?#p4RvQlXhnomCoNPf-)OT!lc*7+>V_3G}#PMh=Bn49n5jhw(BVVZ2ZnFBM;=
zMQl*$j&@;~O_5m0QDEh(0fADlR~z8SQbBDC6Du^k<$4jk-cz}raRAXiX4m5igp|5k
zp>g4D&qI+zyyZFggeWleqqgpnNl^vj_@Y=6ik0$W#xaiqXFn?V14S<Ts9-S)YEH}3
zfSU#fq(hD>{v%jA)B`^tDEo=5y_AOCHQy+!9t1%*4tk)u+ZrH?Wzre09p5qTC=`M!
z*MEVd%~q($TOVj{qRfldQe0axUlxE5j?&?y*g}z9&va5Ayd}_A8!2@Qeq2rMC(e+f
z!P?E-=lKnpy!lSW4nV;J9V63_L_-Vjey8%04r6;mni@O3Y`v_+lY$TW@IP}t+O*`1
z^d#;FbS2O6f#&&2kTI9H{uy?y%m;h;uC?cZ=0#X*RcGl4Hm;Xp*tq`S8`sOQN^}Ab
zTPPgwNR!!O)Q(Swmbe5;^Ghr;tLY98vyg`Cq?WIKqd{ds`JTy!t2aENCy!N}on;>h
z8(y}R44TD54q2abu^ev&N09TrIYkQ3#B2n6W4-7E9vByt|8gNVWPTKa<FIpz;F$2l
zbRDGIEbR=B{U`kpF^tYB_WSH~o2FwL>wz6{Zf&&z8z(+45I2wan$n-eY$f*0DFtvf
z>qtwA+3x}y()K$%J|6t4Ck;2OFV?az$KQYx%$HY70je5T|COM2QQ?2`;Jc_ACIfiS
zSq9!eu)D3P|L|$geD2t%7&L!+@a=5SudS$+<&8$2Z12(+A6b!K*bM4ycsFG7X7^w&
zCQvwU>#oUvHC7RZ*6y18pPSSCX;RoQ@%SG3r%3@H8xYCo3~zYhf3>>+%`W`Ev|2Au
zw$oe%X=zknA3Q0f9<YupGE`@eC1oEoyiK`UP0jyl^Y(kv8b^(AW<3fM`hWO%EF7*{
zJlGA@V)p~h8%+LxOD7u*`>!>zq^<>5TIyw`g+4N!w^A|ekD0O<tH~rGgWJ<bsAd>X
zG-|T4i5*B~-9=BnAskm>>miH66P22bp(>mDa9J<$Y!G|Lx&D|(CUQH+>wO`BKV->T
z)B+ecHoSl)By1>N!kMr}^jm|-23`+|vefo8#{QH$3#3TjO3j}r{5vzLA3I+BFLQr2
z*S&ZuUqm0D129qE$#@p@rjK)cxbD<PwkL|DuEiF&YTgu{s>S*Dcd#fl_1vaVXnuda
zEB{)h?nk@mA<>p&PAKdT`$Q({Qeva7T)G%I@0{g@Y(<Rw#8X4`Er(9(HT25tn|_8O
ze??kQY_Oxw+1+Q9?UWM<u9mKo6q@>rZdZM8t??M#?5L^_RJ>wipQI{`sD;BQy!Jb)
zMsOYP-`(U7fo6ECCW(Z^cPARVxpLSC;dyyY<Ykaa{JXsU%pQD}n!G;+`Sqit5NUQ(
zoQD|0qPvw?JgKFN_W_#UEL8g{zvN!U)O2Qc!~mash2pNS_2rIw)}nuZriKV%Rkc*C
z{52z^Hs{=Y&qzxKfS+wH+_S84aEynOZrWTgJ9n?Wr+qAEI4Zo(X8RTE8;)HtZ;S^o
zKTwPAcwz{n&5a+&SRmC0N()Va+sgs^QneS`a^LIq-;N|WQFr5UWgANIz_K~w^uPMZ
zF=e|!<KVS%gaNOnpK<{AlJr+Ad~!Fgbi6<2=~n+Y9yCJHTb4?LjAuXSsfLzOlT<uC
z9`vp&Hpo-xzE0svO_U#>3>}ajJE}f9DGKJ3>ZQna(|3nQti3#)UdsFPk2O;uZ5%2!
zcRNE+lySZKZiD%A2iw(4@zpODKi15{cIEf0s<nh;BsA7I7ipn%I2=z~QSB$hmV~bU
zQhbty^Z+d5z+Y9;FId4Z#rynV2dT$#vU9RhQ-|VzOHUiELe_hN+SHkBLG7oh?^9;*
zd5ylGTuwn<e~J?q8tc9V3G+p`H(;%$aP?>fo1*oVi@qx;lQ~~3BAqtYA4kFb3?_wb
zYbX_y_O6`V;GDVuY6DgF4D<8(M=O<@H=V_}x@Ckw@-JF36Cd$7rY)^ffyPoYxyeuA
zm_7Dhu)`yb6D}6QDW$XM1DM9X;_(I{IU@*Jmy1Y)>&ZJfcv-4n7!YwfCMqfOxS{NP
zW(u{?(dB_GN69|3cONmrAr4O=DW@;HtYrPGC(^&xSuR*G+iMEWU~uyyf^?k!CEbQ^
zfAWvw{X80M(A>j_rL)05P9zn!xc_?@c|!a@l#?eC%5g2d;p@<G=7)}J(Q#%&$HtFF
zX|D3Un^Gtqll7r|Q5Gu1WHr=)*p(++Ojg5eJDv5x+RhkSpo-`0KEpp*W;YtE{m|C0
zXsWiMC3zJ7^LUdUaRv21&OGTdlvgBTG0113$^0y|!dk>dAPgR4V6M|7Om*-VIroq=
z7go(j=cHF8t>ee%rpF~MOah#v^7UmrN^K#12VIb-p|zY}_SEbJibroKQnpe%V_Q&L
zaWf&bhY&#et0bxIFtlN`d8iAFo`#IX`nHe`a_blawC)e7(;Lv+O^s#}y5Q_Sol{v;
z1rrTzy`@j37F^$KFwg#Rs!J23=pHI#5@eh4s28ZAaot5@B8&i>3J5p=rkPTT@gzk)
z6^3ITY$O%#w|0P_zOp6qMX3c^V8z@{0>V%ko6paCyf@Hr>jD@F*3^M-umF}l0OL;3
z%%w&^%W3@Z5@htJJ>wyoy9k;C5Be%=fTctB_mz*67g|}(nES0keO9$A^oB>EG~<R0
z*|PV6CWihB)xNlP56|iB`rcumOqk+5bCyBlT+qKhqDHBSkt~!cXL8RZ>F-{0WbIf_
zkLfdlLpN^?H3W@Sgdd1r3y2dR*7?SpK$v!SWpkB0|LU&&Ij-QPLE754ev@)S=p3iu
zrCYWvw_G}w5LPydbuN}RyfT%I8#C!&xLmz|_R3>}bZ{_Rt6Z+CkElRI=bTmfYqRls
z8*k}o3cI4%EZD8^nZ0cJmd#<7AvTKD5r@}A>E*+8TyBs#E+34i?5Ct@W~Z7;)6xYt
zTJqwk4WsM56b}z+@nAiN`k|d1*6$u%N%*zLKgRIGVFR~kanhiMVol(9FFdcT!OP21
z?4~maVQt42u(84uR>HOHH*i`U)b>~T5~3YW4F~_)8u2ho8g;NiL?ik#|IRNj^1sJR
zurF-}bu{qnl8-J)6u5#ITZMauNoE@w)d=_D+<j$l=AkQi)fYKopTofk_u1iQ2%F2V
zA36#jY)gKZ(i8f&MLI6}3TcxZ3S3oO&+!fl=zA?~Dqx!gDBfDGhyRIC;QZo+I;wVv
zJvS6fUlk$r_t!l1_t(WNQNXr0jbY*`D59v|bh?1Y5AJx{?E_Dbe_WA#v{cnEvfx->
zXqr|<z00UKF!GMkUTsh7sqNQTQmpdjngXYuy82d4e=JCUxz&=zD%)?hzVxGxdb88o
zvYP_6-~OzOzR;0Hm)orUHp`ns;ilDob(dkxLdU*%Hk8^UK6j9+1RM4ELOK*=T2Mt_
zRnS*>#}L)Dg2oH<^|rfLc_dpcP!W`!rqAq!eh&?1hm^gxPEYz-M@<GW1R4M4?s)nd
z_)upFFmjJBHYL|9+^>5Qf<aE88O6;vEAiJbWHkrq);~{M{x=yz!w=)EU&^h)C4gj(
z!;&JAGXHTYRzsursiY^ytPJ!FBtFfPhR(})=aug|FXNp*X)e@Rj6pl{McwQT@)>!@
z>wFF_y2nwVYy@gtlZqGfCf(05m7zWCsUz26Pu0{r;}ra%@^NZ_?bzva@#5IH5VmZ%
zAvGzrI8jOGYoSEE`W-$vG!$=*=ue6Oyn?W}`HJy@9sF@RIWr*4+|N$f!7%uPq;A^%
zRXZ{ws?4cveG|484)l?i_g4Ym5p(CP%7O~+;z3O_xKr&d!vhyG01lR_fed;Q{>8(w
zR3_vgc&`OLxo6L#ZgZF^;qjGMrOwILd*o=dq~dUCyHpB?+`@&GdUezWDFV;QX^Yuv
zQ5_`}rdUwBTMo2k)-BE9)grt@969(wyh^<x^sXb1gKS@FA!z}KMr(n#&GFCdakRw}
zm4VDOsP#hlsqdwD6`;=mZm@UFzJu%Gp8nzf@xQJvKP-xm?neJP<!P1(+=OwO*d-k4
zYy^<b*6fR1cU-To4y6`0`E(Gn_#1e`P|usxvl56=dnrQOXQE4+b(VBc`FdU6^gg<J
zebd^!<ky>dXx%oOC#KZu;6NCqy$Ou7N+osJ`nZHX*U{(Sm9P#R<LvebV4T5Os>7P@
zqq%3y=Z{7c!p&ki9LBg#!5I}WRrs*V7-wH%MElg^(nFd8{WusCab7W;qd3f&FJ2s(
zHLZnMw#4{(^U63ftD+HAaGS-vk{%-~g1d(M%Xt>>^0?wz*PGfQun>IDrl3rH1a}U<
zC#VbIeFZpl9pF-?*N`^=LZ>%{_^=Xt(G0fB3f|o{^<QXdd^!1uKvucKy}lm-wCker
z46@#ZW1jUu`62YHh)6^TONufJ<!L?&$(@k=0Lha>Z_t<m>ds#>L+E-*QQ8sq0j@5F
ziw=s@XX7F->3__b*bYA73#=&sp`2ISPVTC=pLrz4TYgy^ch$2@Pli7pku42w`+|Lg
z*A8p>zQ>P+yBN1VWer{9Xk|w+O`E^OSqTkl|0|xBHtp7rwE$9?Irk8sgX7Q|ys=es
z7xAvUe(Fkk{SP;^UB=^vi!83*e)iKf$Sh`IJGd*t9fSMsSID~9G`ott!Tk~N++w2z
zrtIs%gaK)ex8Ne)nfWT732>Kk2YiuxEe=KSzM<EwnEc|4M{5lan6-fACg1D)&o?*m
zD~jE@8`Rb-WC?p`crCeCYX;L2@m{iz6=29lPG8_2zHIa6m4G2z4iBZswR;b*JEXsN
zCy4+e)jgG&xzAs>1{dgWL~NSW2gqcT-ZMKByuJiLh@2DY$%gkAWgTn_>C;sP3MgO;
zgg1NhFF)3&o&D&>Y&5?ygVV!sX7zg)AbR`{ckS5r{!_lDNiTp)CcV&}h&&V>O?$<~
zLB76`K_?6VDf`bPj#yUzLMxwRfArjd+(Pe;DVZ8bd$1QkG?><q!#w~FLOQ59MwvZz
zRMO`UQt__Mq}K)ZxnVSB>0vy4Z;%#|Tv`m~(jw9*Er3(jvJ%rbSNSx>Z`^1n-yWDa
zn=$7H-m<@ntsiS|c`ffl#w!bjM@cAk#N{RLg5#CRy;!0b8Lw;(Tv6r#udGcy!th?=
ztv*S8*J>8#iadm-d<b2EC$L1UO!Vt#V6CdDm6DnazsS_`NLgZ};#Fjgfr{EtH}9Ri
zWTOFR2k``CvT_-j3=%4YOQ>|CgnBELLv|i*SoJmc{x%uMJ%cBNnbh(<rMIvJ9@f{5
z9^yTv2rffb$TDQ<h5{OQ?OC2FwWuXK5Z0n8b>QEaLW)0nC4q}$o{@bXvwzvAJ%g{Z
zLa1d=v@|Y9`6Ok5_2_By!LvlM&4x<p)4QQT$F~EYYzdsjhc|sA(7z;0#rfTPjvUwT
z+`3^ckgE0`z)o^)>#{JQlZ~72-6H@V<2{2XEO!ka{q-9D#v*fZ9z4c-(-EK-sR8Sh
zp`t-m{7Pa9RKy){6(1!mWrGxKtDx=ymM%@D!H`WdHrY~OlP#^m(?}VcY%s0A!S1nD
zMr<;h4L4{&3AMjVnIg6|+RWX>vHOUCI{Jd#E|XG`aqQ5pDE+qW8`g6~ExzMD;X7U#
z-|?QDRIwFzX+;^}`q&D^d2D}h!VVf+)UXBqZBiop<M#<O;d@~!lzZ+5s|n_Q*iZMC
z<~-ENyP^^63%g=4cEz+AnF0C0`r659E2VaK>7j~}xDWO$5C+%i=Hvz<ZgAR8N5Bnv
z$M*GbL)Mf;lq2~C_rms)#np<3O6m);V(~H#JXwKPwKui}aUfNMe|Q9mT|+B?Ny>{n
z65#cJ>Rpq^_1kx>U%wTPV0n{8Xz~%@4!BrXsxN@5e#SdB+>FU?x2ud>#0X3qz*22|
zFDy5*P$T};6fh-t<aO6TX^wnTiTQ^~2>;{_V8?Yq1OMb+SGJ`ckN^L1E6=@?J63k3
zMvL&|`=d8DtQ9_WL@K2P$)@6E8Ug1QHlhabE{fFl0!+U&_#Ka7;u81ZIZHUy%;NYZ
z=Y!+Mkl3sTvRRrUT<Eb@p&o5qGE!6ctT)9M0%i?Ssi1T10Ql8trVd>gx-euecU(Rl
zdUW|wD^fS>CQwJV1@GVv0sQI?eYr1c--!tBnsdM>!hfG%Is391kkP`x!FGIe=HOSp
zwc*^$+ZK=kJE3`J%Q!4kuv4=|a1AOmZsmK6iEr68G#|_Gdu%51@NN~h9zC%+UjHDO
zi;GUx)Cu6JgOizNrti8n{+8UtfVNfyWy<MR!rg>hn#U$wX)8A2a~QudiSL;3S^P8%
zid#HAfSd>uGgBZvfk%a>EtyEb%M-i^;7C*xI1-ioBH$*{&#I!NXLx_o7e}-QX^X6<
zWwF{yewUK*-*+#OZN)?pQc8xO8pjYgR+9`twU`U4WTT+cB>G8zAbRZoqG@fFo^MeF
zz~8TbuEm-1wZ-&l0d&Y2q1uw{W9O3$Df2D{C9XJJ+-%;CIT0R5E@q#;cBIsNsIYXh
zzoYl8sd0{J9_i-!2?ZC5b%iriN5EZVfc*q3kA1U_!p8k+lBdH=D_y_RvA-e1OZrZm
z7<D?~{62qQ*IDx%eJz)sS`i(kyTIPyNMM4?x$M}eQ?XHoIQxvLSu^1x3q+(4Prcfn
zpQ&E1MvNFU+6rZ&afPf*4E~ihW{rn%lW<T)EBcqAxY6io#nggYrd=y3O|^x=*ur@X
zT+5g<tgJylnNl~5ayOvLL|6-6OFWj_g`3;|p;WiTe6%b!rMybBgr-uX8?2o$$7B6E
zfCp(v^~>{LbWca;H@BMPJJrcDWxC?bnZ&4c{q?gR6Z?1Simuxk)a~KeYJHUk76LSd
znjfmM=B{gAAk^eR&a<0#$s;2Su!E#)N0Jh*>K=Tb(PosL-|Xp@NmCUu=aLSk=&zig
zH*M;y+3YjCu^F$VZ!Wq|w0HI#XEpug8Bc?ogTgJo!0Vx2J$M7Tz*Y{sXF(|ycnO!%
zv_jDMA!=m7V7dX!-qoxU{%gCG?E3=TFHyh9le_mHi28c7@PqIA>Avs)SE{>$(s_As
zy*0gmi-v<6zM<OJ&kFJS!K{B~M{mCsp$iOqsFi{ON&)J!gzZRLpg0_Jd{3gjG<DXP
zQ4TXlkDd{I%FEzxukc97@qD6JTZI<T?5ote#5BKx0^#Tz8LIucs^m49jLmNEXun|g
z90Ps3r8uinA9sFfz%fH|hT@Eu%W**2eAc2bo5hAc?2ny&V}W+W^psy#7?RJWMxNK-
zI6u?I#&xD0hE9W_v&U2WmKgh%IEvX#(~sj2Mo(SM)7jsn=%|vJu@-LZvlVQTxq4*i
z6=~oVi|n##cWBa0yE2H^4ctg7zjp7&wDa~S`8ZU>9=nj7qpKR1*Q(1fyS{dDvoHF=
zmCeq7%Jh-C{?+5*C9kQ7qf1(=qvNA;b!l;@vhrg+oIDqKy8FVF&6BOvj&z96PK!Ht
z@tC33w<N$u=P=!Sw556|47Ao)$i2Wcy@D3Np>qlC){gRwFDks4n0fQUw2r$BE*{gD
zc<L9hqkv5M1ISV|wEI1#>@sk48)i~$_e=VvWAWz<tn1n__Jj5AbM_w%Ft|D@=AKDg
zPz1*vqeqz()!-rK$(;$bx!}mEO;w7%!Y1H!`z6%dH#nHZesD1Jd*@&VUbg?>Vix@d
z{9IoZMyt4k8C#{$Tu-2i_YP*#YNNM7bd|=FJ0xgt2_ZjI$L+ACDs0j_k93&tKFcy;
znj+?G?EXZ3UbN5buB_eCLwJe2n7YDC&8J9G%AMs^MZ@nbmVA7)*E3JXB^un)6y9DQ
zOK0gP`ksmZiQ4TCdJC_!{he6HRj|hf=Q}-@oz6ycr!#u_k<%Hyl%39ymZajp-#eYr
z&u}dxa~xdeOIsU!$mk{aA?qz?!RrjU4Q^+>rLFKQ<Jk><WgBQ^0X#^8;kSjOr{Dq>
z3{9vtt%X|{)gW=LmTGcY4eU4|#d2S<*K(rtI=B8ccY|OSb?X`&sw`xOs^8qP{+i&7
zB#yqQ_}%DE)yN6bs*R4dO=pd3n3?QO#p@Z}sVv}5WtNV++O|4s<3x@7QX|=&s%0E-
zYMba-6L)4YxD~I|CRM6~pF<mXVc-XM)R0rE#Wvg#!$J0jsIQZK9qy{$c~P}#aH2Yr
zWw@~Ie2VT`@EM~M)$RkQ3zAo#zo^UFclezXm47#b!_GNQaH5*C#ADPuA1V)zY2hAI
zb=~6pxewJ{)jQ{@HnQ*3i6@3j;jwA(or;Z&edjy1IQG0Dedqa1-4l-!0~&m%0__d1
zYvxSXS?`~FA<XDI<zwrzb<PZ({jx<y->J#)@~{>q%@DY~Os<<uD@4h#4nsLvGSFz1
zWYF5le`tO~nQ0=D*WykE$$7u!rA(w%!v*TDLMj?jNt%AV5&Uk9!sC%#=S$0Z8$TG+
ze@60XW9h~!sdl2s?$C7#Q_=N9D*0!qNY~Gc^<PMM`6fzVX|Jf%_`{NJh;#<tCX*4F
z#TpLbGOc(Ww?brAGOf%Cv@$Crt!(0ND8p$T22zpwPf~dsDmGCj6~7y!EGHH40?T<5
zGO29h&q(H^@)D{DPAS_7O4&|MDSn2EY$vA_7rRj+voTW2MuJk7!YK^}p`k`PuYt~{
zOE?EMfXb#aKSO^LLpg=Nfx@Q$qz^S!p)z%$ATCs<?ICDuDpMBvvlz<hLY|7IaJmM9
ztbv@Wfgoxir)ecfT4|){2TqVVCy2IRqM}Qt=kn?M0<+ihc-#bG6e%+hUcRGMulPvQ
z_TNO>E|0VT;wbVz*vH!$dZ8-El=c*w-QexecF;-NIib=oAQV+(Qfd3oNan=y5-Mpr
zrxs`%81M1&c#j9cG@esTyFoJKw>;i-kdJrAXz{R^sH#vg2Prb0W?nM=LHfju#Ja}X
zh_rnv`_j!f3HzM)O^cWoY152Z2<$U>Nftu?(<taWA)aXzB?4<FjZh4S(C9B2(x_W9
zd?+p8P~Q8R$2HCGxtN#KT6l3i@j>34v*UIfHbHB+wC{LalCHu!y1OOQ2?cDNmUM;6
zqL{_gr~57#VX$E?TIzNiD(&rr0LMwQ77WLxIZFB}o1R`aJ%gYki!f<(FCIxaYw(Oy
z`1;QccGC}-TJ-yy?Bc4kQ6USDardTZ|Cz^WsMxC~Gq4sl{Rt4*Ak>gSwU<mmom~-4
z6bU%R&F<WV%a7&v<xFp2jf8@F3oX^AC|_hu0hoxX(}Yf_=O!64seLACvUpY0i^yct
zfR)iV6DQyrvddyS@%f9Tdzoa}Pz1%OUnVf6EXh8L?Lu}t{sB!dQIBkV1I^7fLzH-|
zz4Rj|PZ`LDwVnE?xiVy_@5*`lZjMENyt!O_|3XyoqQi#s35pYbv!W*GnW|?m{xSFa
zkrG5Tk)CFAavV5C1>{T)%(*}sVGWNG2O5bJp?V9+AdN6m%rij43eaFmt_5b)9DP5E
z%`Z35Wowq99Jg@6^mzgMVisGv&Q(l55x*c8oAZ#5>XTl$RZA8?%DOJF@8}Rf$NMR)
z1U8I$DAtn)Z+scJ)WDxDz$=!TAaS@fx{8+FHO<YVomW6-9xW2$)?}@VgFDRmPStE4
zfTi!zymLR}hGm`m8hdvgTXaPlF-$ptEt=O$u}+x#pf4@r?pjPE87g@@E_rf0K0@-k
zv~?HJPHK1R#P%zSq!AODr{KJ0>gE}i>jam_fFItk7=xNh&iS8Ywr|4h@yDlAqq`3<
z?AKJR`Q2V*X2@<d)T!k6H|a%X<>_Nvw{#jk1RVZex{^VC<>_LTFEe>Sx$wO7!cWh~
zob6~}2FzR^EiV6+x6Ut~Fu~Jr80sh~{*p8y+w^o1@xJ_|aoV9yrGLC@xrNiHAqM(}
zb<v(Ywsq@XLui^}ZRoOfL3-!e`(uL)PY+(J=I6Sg%c7{y^JSLfkLS*)!B7m6Ze&mw
znUo<$Qbv{w@G=H|EzUP=6}kK45{q?D#+<>5Y5}@tXmMhxEIt=xZ|CVh26Rp5Jb0F6
znu6Cs82&Nf!L!`Ux37AgoO0A)eNy4Q&m$sU7aM&vHSzS)fRmOn+(B^Kk*WHA;~mFX
zr_8&s*iZl*yWmsHXX<9p^PA#2Ju=3}(qpE=Eg?JL8YrAz7m;O3?GY@fJ(hgF^f@)n
zV&(RP2U-|9OuL+XazfOadFc6RNd}<$Y4dotP1$ya&*Vun&%CmvZ8mH(&MS%>e}+!r
zDH-xj*V7yB4Qzm#hJQvV#=(?c9O4*0Yw6Ul*9l86tw;>X7zxx@46=`8D5UfEP4`Oc
z%zi_Sa^V_n+8(q0%=VbCHwoLlxB2Yw#`RXSGT|{A8ZWrACE+fsoL9Phy<P}Q2~Q16
znLtaLO%^7wC1K9tF5xcdU}efm<jg?&SbPL1!fM(9?P&+vFBYy+quodL9Nu#R*2q5p
zJ%PIyU1g1$VRdN853ln)fk$Z9VntB+l2CuNwfw}2gDVbA{-fDQ0kIg|6>1hPw?|rx
zh87JLP(J~i?IFcj!Jes>`z)Im;*EMCG0RUaJ2Qn;_()*)9YRHCE{&?POrt2zEDAL#
zFOvlc0JMFsh-2sNX_gYuf6o=_!y+9PGxMnrUZuN$>vxI^>64c(g?&7{gBHv)Y|c}V
zg-yL@nsVD2xJLR%on3ZHAAX5?sn}MUAf5tU)~J;cbMVkngMWe|WN~1qmwu94+VvYr
zX_uq-uUvY_a4JD@Ajs#Sv%c>zo94}nY#-s|^RO5Lk1))G!KfV@9eL~of}?NuRAfk=
zHtaKD^JK*lzxn$-^}|Qmv}I<Q*7ptjE@>yszgSrse=+sgiSUKMyzQ;@^INzK&Tec0
zloSA>*-Bq+Qn9+aZ`1L@%d{}xtnmM%?MuL-IJUND7<-0Hn^Bnz%ZxJ(;*!L;#0?cu
zjQcKv3W6Xipok#5in1t*xZ{SX$f_(N3M%`epaO!RxNC4pG@7_1#-(O%;q`xe(8POh
z@_qMz{^yS=x~ICTy1MGrsj5@wyayj%N79?h#ubb6fF`*=p4SrJTg>cOxpHf;YOK$k
z@tnKFHI{KHf?@6wvbo@CW%VgyT<TS1ly!REd16)_RwI8M37N!Z#jE<tnrhEf8&3X8
zFh%UXdQbAcoqP7|<ks##5W7#+Sas@hT2yNIUaqbbM!a#W!hlpc&Tif)k7S>em0XNu
zMZ}7b0A)b@$^-oB4+aBESA+%nDN(xpnWc9$(2CzePAL}pWfT@=q~{;Y@^^Dv>gR=x
zapX?AQ88oj!JNcB`;!v5n1lnH_NY#aPo%C{=Ci=p4#U=g%#a>ZmG2>&rOPU8=XnJ9
zEz@jmWJsqe5?O0!-ND;Nr|ylclb^n)J4jXm`*caG9L;hKroydeWNU@i|F%&fpWsp|
z*{WzfRB(kOuclBUS-3XDCp>z~wzZn@In4Tf@f%W9^7|LG=_o`-{jn$=D6Aww>hHzX
zjZa_@2&(4QFxn9lW~><KHUpR#Qp3OG3$00ouo9j989MvGZum;#)|4=@>tZ&=sG`=z
z9ptoKr?hes#{)}CVeX*oe;SENXWm;B&MQ`kbFxztQdPx!eH?+yUPo3)_=q$_;Cp>5
zM$KE~w`8g2#44X8H<jDcK;LCtjCg$!<Al*@hlV+<D*M<lo`Jr8fL>cy1e^fbP3a$m
zUrBZ=>RyRsE--<IbHg)Le~f{Ji$VhZxeemz<H$kGX*THoPtx7XXVbbli`Ok-V#J36
zmV#ct8#mda%jwDYb945mrEweVm=TviwnbO3o+vC%I~)~sh@(R!0seszJlQtu`kWP3
zULciFKz0*Xq#Q}iQ0>{f0aD@kYG&Ko)my?;i+qCJ1Na(L>pv(%Yf?(ql?rpu>m8wW
zMSET?K6&oE<H5NHIM02Hc4sM*5|fT)B}J`B(`27u4lY}KV6JM+e0L{@@}Q!X-0{`N
z!j~!oLP9;geD<aIYL?Dt0*(|dFGXc;YfZ|@3jMGl15j>iT3lQr7hcS)i-?E~S1n$Z
za)Kk)KbH6ZX|`l-U#D2cxs+N<#;3bBgAq^Hnw%Dv*O6}M<X*^Ja6B#ZFh8PQnKBR>
zT_N`NS%#tN6q!}Qk=aw|Jjuum$Lq)$rRB=NF9GP#5rg$A&~M=iV5-=Tj`rz^R`q#m
zM@BOsqS0Ee0_W<&{m{X9jg;5K1;i@(F|$RS+^2wAG1tXEAmeoLJUT9<FER%I<ODAW
z_F_2L3+8_>|H%!%CxIxofpD+kl?5MI^vO#(RbXwo4h3VGCUF-s@HrWP6@ll3WsZCW
zD&}9rNx%yVI0?FzB$Oj(wWxt4D4KFh8`EGdN}iy;v#Cv#Pt?*iOCY_C%8AU5%A8DW
zOkwF}La#)JFdh+s%ND8DVl1uU!kw6y_`R|F(dNngQq#ZOD4A@dVI)L;9}x<&tsL0T
zz(2GmQOr>q;sn@BSfH-K`*-Q;DugL@<+UQBM9NyYRkJDb&OM_nJ(68@G9x%3Nps``
z7PSj9r>U$bxec-{cE9Kb1_2L$8Z0$C3jvoPD(4Sf#u5z^DJFL9$oIUgA?3p}d`*f1
zQLR16%1YtaBw6%|tW;#C#K-UFf(w|nQ4!HARm(zCUasb7_i4;z$(sUZbYgD6DSS*c
z*?dyia=NmTM}*j{D9=1nlD#S;uo!NV$Z<@jc64ZzZ)DIKUrbnQG9y#hWKJhT`6g;d
zk1;_mtNeVFE}2WpG$-4wT$_-Tyeng0HYjMn&#q;`%Fs2dSAbXoAU5auye<x=yWI%u
zx_}|=T33VVf0zMA;0YLzf!m3$lx50Wd$m0(dv@}-GGTfZ8H$$UiMyqt;rF-G>-x-F
zv?_Edm%4!2pO(J+h^i)g{<N(eT`JxXwsGBR<@g+{mzs@biW$L$r#UiIJTYeRk~u2b
zNhzH`wp6^VB)*lxqxEDk3LQzdD1ND`xW|$Eb0q7QVojRv@4Hve4|;radeZ&ejKs7|
zF4m0+mpJ-(&G1>g>)=vN&^#t6w;()U6;Is3B?>NH%r7WO%UHv6iEff*e)`F+wKJ9g
zi}Z{Zb0fGZcI3Yh<Bywi65I|uHF{m!Pz<3>U(re6<dD9_yoo3E)Ha?(<UvG2pXlI8
zdJw?(`Z#T{K295avNae9L$xD|$zT*vPQEUO`ylN|MdP{ho44)C$B(yj8aDi#QzKX0
z&duj&Nm=&M!ouvub6k8DgRrI&Wi3gr6`r|4qHc&T|E_4d!~|sLho1yu*WUDOu4!yx
z(ZmKOH9H}{SXsRKL{PS-;i6m7xG_wc&w{-RRr42y2l{a1F1xwbPhf(4!WYa{&fU8(
z)kiaFA|$aTiitDN+_`h+Ohf&dnby`bXHLQ!v5*})zEPXfG>%wz4^4r!(f9Q=*S?p>
zM8d2Gs19QJg2>+_zwE8K_zUo!jw~SEl;`sEYR_bccpcXimU-p5XHVK;Cby4#F-;<$
z6xm%eAlz<JKWv7M<kCUPDW3C3PIb&WK2PH@<J7|XCG|Ko1Iiuot|rl!jLs10)bE#E
zlmB+cSZmo#k8XpHg%c-J3N9;?ViPwcYDo8LXi3rj;)qib`KO4j)IDMTUUzPVczg^4
zK%R%cinp!Ux?;J~)??f_PauG8BJ-U~8%oGkoS!Xdfok&t;}$W5i2aCFDYa@KRwWdM
zK!eFuGC)eK=v4+{eKKew9psEdRy6+ZQj#nsyZO{OMjb&O@acxr2MqmEpMsp1eh>7#
zD-nvTRk`O1xjBW*+{KFm=BS3uf|tCN99djSeZ?E&H|^c4+`Vb{=3Ve|QU=suA~|s8
z@{fRE4_uVNm6b4si)J33rlKZ&deLu#xJm07xAT&XQJW$ol@XgFHb-ct$1wBiCA4qq
z!@i_Fum>(Tk!MXpY*JY80!zS}{a9Rg^?-){D6u`@R`(FlI8Yv}{9RnRtqfvcuS(Np
zfr~=jHyDy<lHAzLu)~2TDouSd-4EGqHT-?H1yHub`VXcWCADa=BJ653+}Dj-7Q6Gt
z6==A{?*-Fv@^|wmXrzfw+$FLE?hqI!F}nas#EuI<eQDa6R#&4+Kd^RP0w=$j$Vcs3
zzI2zb%6#r<YPO17XU_zP$Hp+ze~<)X>)I_cXyz2vim<Ia!Z>IH%5SdOe`sAc59|n2
z7`UN*d@(u{c;&VCN&CDddGZ;Nq#1a;dv?Xf?&hYnCWmZYv14VtS&eoxvw7F9&AU~A
ztp`3vr{fQsj%sGMx-i})E1DlEN&D7Oiac@r^QLW;xu?#U$zuf0g+BAW1Krmn@79E<
zgw^q@%*u*G4*R7o*=LqO#EgeHq8lUcFW4G^Mps3z-Lx^9i+_P=c~3z^7lz7whXXQW
ztdd%mTHbWh$h${|Q4=Olyq7SE(FfNj#kSG%;Ii{&#O{*OX)>CQ`asdI|D@=bdWzn%
zY0DNRu_zPEwY0l<L(=-Bbq5W}0Q~-)jufv;i%EstL>jO?a7O^QMm!ZHaZj=%bo=t{
zp@wqp67g6>NaQcyiZ^bGjs26}uaThzHK)kf>%s>OWHxrbDs7Eoo45*FR2Nu((Rzg=
z84BR>J#;8TGe-hVCi*dS0HT?DB>GChsG2LMMv=IQG;V;nABkhE0IXxXp7FdsO@fQZ
zb%64pRfH8YSNz3W7Q>4zwaim&OkvJ$6emw-;39#?#Ml5~c{LH772f6jOk0TV8s8=x
zPGQyYsG58h&(&2!Bd&dT|04RC3R3GK;_ucoj#nkO$za71@eh?tZFX~Xf|%O2!!l)p
zWW<_T3kHBNpjWr9fY@Cyg7aQ#p-rYH!~`daE47A-12~o6Cf-K}ZCl37!_hU?1IHDs
zNat0rnJRHqmq^-~p$De`-SPyfM$AcCjf3+%+&2_V7au1@aFFIpi?H2WM7BeGwuo+L
zCX0O$KOAzk;)yYgN3-MsU8jg7ougg@)niqca1@CumDQdnTWSDY&~%l|z6@y?F;JA`
zrDkPfPK}$#oYRgJ-`dU;+BA+CPrJ_{-4{!?4Q4XEmmQd+vKlrP2Jf=k@lUyg^NJ~6
zWi5@x71hU6BYbl>+DGEK#3u~kD+8#Fg3vNbKQ`=*ljl!fAXrwTJzusIJUYZ(J~>6a
zdFQ5GyOi-8_iWs)xo~o{_y<4hobG(vwikaF!+2huE<qD}@l8ArP25zn!Zn4XHexbq
zq+-p+H5=Dz=!ElRf_QV(=Ew*ooH1G|ZjccYrx0iVF=%;yHUK8x{7WRRVImo9RB{hC
zUl*^-3rT$2WDxqR<V;*ydfo{`l1fL9{f*j4LRWaL^iXx1_8U0sz?zptSd<g!mBp16
zFFxs<W53-@?#E9Jq21w4G<XOqI#o#>9?<s0C=BBN^U}L_$Y3a^rNK2sBj!TR^9<v)
zaPCqE)fkVw%Hs){N$GI6SW1J%87W!Ghtmv+d09{K!Nc)K@|91<)$|xSck#T1nu57Z
z?$PX&GF8=4FK72apCx`A9j6~PWU|CRbXiD<zoEN$+<Io-ElFfRw4b-K`}Jvr0qfh%
zv!F+f8$Pfgvr73?(w$sW08Q%YgJezXLCK&4&M(N9N@4~EQ~9g7c4tXWez|j@sjr7m
z;KFD_xu-Tway%v@IBiK;iK+L=IXU**4CQ-%nf;Z7nuQLcGCEC3Xa5MpRpW5H4`T*?
zN2O)=n&y-lk?I!tvnyn~;wJBtYdf^fpyRRkK~l}xxL?gKmW>myDPDHmBgv3-DQoQj
zY9H4u`LQ}^Y63?Gw0&Hd#Cn~bM^Dvg5KY7_?Imbb0On!V6%mo(w9+MpeEmJKQ67jr
zus&5YW(Bi-`KItlWfu$k{!n_1#8mhLQz@Z?2QpW1|A0BIzbE~ysI#Qc989r~OPNuU
zKF-W6{*JG^wz;04B3FxvqKQwg7|Ul>T>5Yi3b3tjwVg!1qi*D?dK7{_mv3of8S-g;
ziESx#oX5n#TnBoS-w}yIYg^W8%TK;TOKVFZD+j#~C9b8^we}=5nVz17VzyDQN@~Qx
zsb&*T;%--`@+3ZwC-H9;WX}=F(<<*i103c;X8enk|A&*~3bLf47=K8h8aj;CYMcrj
zq?divH{K1y!G*5lza;n;3E)IgEg~)vKI&FkYd<(Ca;BH@*U%BkN#G_ZjaY;b!(uY7
zmP~FjB45^Phn$m#LmG`Uh9j+aePFly)4RSvQA4CLj0`tb%?%-~XUIdT*7E|)DD(;C
ztK#)Z%Y2a(XC-9K9|gavNUJ?_l9*N);Rw;Wp4>er4>=7tZadDZ<)O9{)cCbnolg(q
zMSD&+eR$Jp{#6_CEgYYdf0qaH0u)65wmAM>zr7oV5?WEfKNjPK`}K)Ss<JA`qBBNh
z%>`{|KF9Ox(nfv4e<I;?KH<g)k_k<=76=#XwaX#P`m@Ma?}p(BM_-g}L44KTY7*2|
zRG)fz?se(qcf%C7Ypd>X@_*j5D;X0M61{f0X3sAS8Bk3ZLla<nb`X=8oRW|Y%|!26
zPK&+fy85IX3*hE?GxA)w?9wHd00+d^)3#t!MP~JfMu|o>wd#6#c_i5{mEVm-J<B5(
ztCRFC(h_;CtxhNTT8HwzWJHz$?XX@B(~D1!d7`A-TWx*RNUpEr9~A@!!hc!CyC18_
zw|oDRH>jt+k;vX!G60fReLL;voBr9mVbi4gFX>;h3)FZWCrd^+St3LDlmMKnQr|>9
zu2rAC&dJ|LUURFk@$_Ep@27dOqqyXp>Tq&o_(ASa5wkzoFTqvSbL1Fkh#(j3aDL=t
z&Bh9a^P>El@bL9M@<`U9J(;SqL*8@w=Pth9?qIAN$&XbZ`j2QEKkdItP!A5V(8VRB
zxeQc8Qfu7K6M2nG4IpR!tiN3Mgm0$vWfw~PvRzYoweYv=q;j1{u$RXi<@7427LELE
zm|Ct2P~$60h+jo%*{L=X=6j2b`=iu<B=eotn#@yS^2bi2=2!o{_<x*6`PBT=7yRQi
z-aySidBq>iIO>n`-`Q3Hg~Rqg%6k`y^8RW2X?gD=QQkjoQC>{j=Q{&UN7P78|54Z*
zn9A{|eEBpRgH8AQzgO~a+W-Xd2HtP}Ac)lSWFU63e>Ui&)@62TZ8qp8rDdUhxEj^}
z2EHS&B!k-+PxlRK?TprDob}1?X_d1j%R>Dl+}0Yp-<Oa^dR6hT<~lJ$9}|;l*ZX}t
z-IkhYVEtuw-u98EqTTF8r(faOtK5ppid;uaJh5Cf%Mp~&Hs*8n{1EJ=N=jP!G5^oV
zm(u+_Pi)qY{PzO%&Ob4vz=|vDgz#D;B0jIMVw?>ab2^dCo=9iYiBkxK^7;fvwIj(@
zDejH5J%#033(?O6XLx-es_0Dz6czz5w?BUMb1R~~;U@&Y++5)uryuPDL^#>hr*EIu
z{Q@(qSumBjD#gY!QIVCFawI!2WvNeKu+NgT;B1bxw)>AbnLV7L8VSjC!ivadf_;Fm
znw(c3)nc=<P)ak~k$Ck~VxsLXJPM`m1;j)FC{nLmR9Vh!lMrP&@wx?Y($<l57&8GN
z-1?N-4);VykrE#?jJb%1xB#To%Z4Z+S&~qt6ZNv;mw<I23hl)g>Uou_3i(1+g~an}
zTcN!e_*y-$uLBadmD`Iiw-<AbFSi$8uIG0|<;It*a-*K#F*N8ydb0jws}nhzeN0=k
z&zK0rbbYhaiS(?3|2*xZo5C9H=b{>N97i+_WOO+YIk$<+s96IY&0G=FZ?wkz*&W)Y
zwgDUX8~m~H!8+)o{6xNC2v^rtA2m%p0td-hER&VuzVsW0a#Mci`*wF-N}bU$t&ItJ
z2ze}lHQhX7q?X^WK4o<qD@5`&o;Q6+gT3`btw5j1kx#T-pGba_dbi^<>f>&H%m}K|
zT3i%qEnX=ulHIK%r;zukWDvAxr(Yn`Zadc-ov7DdZjc|)Hj*BS7gw(XhGW##F9%Jr
zo9qG+wA`oEYu4GJs@`KJS`26!efMtFg%i0PL<R?JYtFjdSIK=^B`u0s?x(7&^K;Hr
z6hPp>IWBgc@1R17hB1mMb5CBg=Ps3%=bcquIps3mZlTk7PPQ$gX~HGF2R|snweUXL
zc}+MM0JKho*S{(iagruHl*U9x#jaI_tnvb;<uc+eT?+K}V-3WyNqFKGIR#Uv0Iat9
zy@lrLax!o5FH|vQW`Mgpm*>bF$<9warFw8?0=16V6uB{yD_m%Qc&3V~hV-GPlzs5s
zQ*LLIV%qHT+dr0Ed{I~uYG24vlhDZ{20{WDLi;u7&O;gS^Baq=%P;*(`#}RO?KwQQ
z$?uad=ffPaoAUSF=c^LpV`Fz|cGtnl(Q=%UP)XpIRKdY0=gU*@cidfR8D&3Xb;M>E
z8bnQDVs<5NNLI-<e)9<WM+X2F{Egy*m@NHA4~P`$*mqlELSlkrLLhcspS(ULI++@h
z7pBx~`a##`BaG}Zv~@NS7&<;IdIQf){b8N82iKm6pg41!N!vGTTbqqiUiJQ6em{k_
zS7-y9TiI=55<t#DD~v9}PHY=_)Z99GmV|^t%}{=yuE9k{B-*;G!iRSW1S}7c@2+kn
z`TpI=`?`&-(GaM86>(Yn>jmN4?@6a-y=LIK!Xw#7IqwQ4C~#TGeAS!<xlg!U36Z_N
zMx;cpeBp3r#Nf$OXdewtlPnAI4P6?VGut#VJ~944ydh=cF5BHz*=VyB&$3S)%SjIy
z-`l0X%`ouF^$|&=Hj$i95*8C<?JV+zNZS=%D}Gsd=OQ;-JkEZI+qbHLHhFb3xtO?^
zxSdLDFSg)6jkbBG7%sf}VWH@VfBk@sG?h*zxDrPVT}ECgVq>>#gW8c~=eC{O;xskY
zH}W2+T5fpRRdaFcwyj;Oq?08vv9U24SuOEx5+2e*ZdkcWajKZkCDRz~q^4Ftui@6c
zm>!~u;2*Nu0BxC&WB`6UBS6ul#p7voZpkTnkfcM-P7`T*u{%^!<}z(1=4;C!x>}_m
z=_C<+i{dhGE?hxRV_GMU(@qpq{`QkXYXTrifbPs8ms7AXoXcn@j%%GLp(t>!JNoO<
zG+nW<NLMT>nx@bd>x$nMV=zCm);$oW>mG=-4%Q0oP_1?AQ0>rG{N*#)R_hj333D#!
z9P02Kc5Xp9-0Da6lAUx0tPO)`Fj(CnD8cO|@X0}fx$1Usr7{e@M^-`sau_j#i<K$F
znwrrSbS1p3nbIlTvvxStYX3Xzm-^B6Z>XATXnPB^{y@^+l4x))`e<6AZp1BNQIT%=
zEqzs^#MKuWUFf?|$pm|*=-o_(ZiH_5yAkkMjV}VED%QS_rk%s}S+#<k*2zibJ2`6K
zs4l|OMR<z4^SC+xZn8rARHFNWR`MTbji)2AsCuLubq+UQ+bbwCQWT)ioQ}t{@VHT}
zJ8~X(({+;-txqNIz96UZd|gz5w)UFvT7fp}y69SzLi>yObS<M3wEiHO>c|wd-cx96
zwOOsTs3ejCj??C2V)F8p;sL~#wl_)dN5sgiHLEoXX_ra{P{nuj>v^=hVT^d$J@*H5
zZrXd8o*h*3?Xhl#@PIA;@D443SJT58htp@3n|gYB&R;awuywl_FO{8Hbpgh%ts>Gh
z6mPgeQsF)(6y4RsY-TxtQ+q=vI(9UT0-x}CIQNOeT@-(zZ)vX+)WA^Y5J+YU$)+mO
z>5PaN2Pz)lISWl7ZBNOafTAgrm0lYHqn2oL!<l{A2TCiIHv+4_t=Bjmi`o@+*wCr<
zs5ov-K%Bp-_eA@tP9^?lINAKDOWOQP!fNeTP$P*_z>;GKc>*P$Cvg1>KkrW%P;r`K
zGBKM-Gz|n=IZ8~2byV3v)f1^^3N=F$_koju_rf!P&yEHxXO5@^gWF1q6-hKMyt3y^
zVCmOG@qy9KR4gW6t@`Qv%_$I+>2v<AD*~J)6z7tTxx(K|MOoTn@}2aLn0=)pf~TY(
z+~A&3V;AczB6-@&PHjJz@IQBJFI%g_bT;ROkbdFd-%$H(gjyD+ZT=XsQroN;r*56D
z%_5G%^m_O_&%zEfjyOUGNJfuppPv=R;WQ#n`yAL@5Ad2Q6#I-XRsT!>l1}_PTc?97
z%;t+oAqCPf?X{Y;8l&e`B(lncJk?&?r?!*ImyH1sM+F|<`&CFfz4-Zs2vDl`dLsg_
z!Ex6?UMU1G3ez@KLCOHIHVAEa7<ehFTydOq0Bq^N(?oolkFHQeBVz+k2BQdCVwtw#
z7$WWxfsibP5j~RJg$aEaz(j<k5ZlWcdgRB<MnLAe^#zDy7@d!|xMTfXN`%tG5m)D4
z-E}SZ>hY_)uDV<^DsG;4dFSP0__y=&yk@z1BoRDQq$DJyq^(K_SrN86FnIs!L{8pG
z;75dtlzj=QX<_k*j|dFX#~VgwKzfJtX=$t4;sf>Zqit`|Gm7MWd(%_H;zO6OiU<nW
zhdr29-Y$7xLP~mDTtM)?)dxBG8uK@;z4^4{rkYPPo=<~&{@Lh`Z(4hy{I+uN-k^Z}
z;fb8qs9j3JzLd1Ey`d|@!coUnsH3^zZF*XfvR7aC(B*A)M;RU49Y)<zW@_5X_~oIi
zQ1^YSlQ_Ad;WEDNd-tZLuG)+A;X#4>@qQV4pIV~(6ZrntO(DaDzy-Gx9nej2l4`5S
zB4J<BQ4~lD)ktWMbgOwX(Wje<WGi)3`nM(X#+>J^z1Set*^v8c+DA{5x}0Jm{gRZ4
z0GYBFs1Dj|q^I;>=|<-S2nOh??v<Kc*E#Xn3(J7G^xFmCpOE`d;^s+*II92c7f6Zr
z<w;4~)DGiNd#O}Nzt#Iq)n01nCe_V6Eu`InqaxDH1d57oCaTesH+{j+ky1T5%>*@R
z?*e~B=lWJS1E>u;*LFwJv6To&S+XPmTM1&S=1H1%=SjLJPtiKJ=RzR51Dm(2&aJyz
zH|vaWUxR3g_L8EPTGvo2+*dDJqMHiv5^V)R{VUo<OLf!qxV&HUu)MlyKyA^}c2AJD
zBTw1TEgmWCMruXfbc?o0;mhg1dcJ<_>SmR+HQYSitbXd&<Juzh#IiC`fVSvPTNzMk
zEEV;@A!Bj!0Ag$B$B?abh@vQYAhDh9$H??01C6Ox)Lmz<C`j%@zOi4zkVI<n#}Aoq
z0N;ugqAsXZPqi+SZ?keyPo0CJWM}sAv#PV%o-RAN@}11(wXWxTt9rXmAG4N|X>0EZ
zXPpwoYHJlKiTg4Sg(QS-h~2bt1GgpXKx$s%iX)~o`~%%wl&*<^@F}C4RUx!)5FODr
z4_E7Y-4pIUDO##MuQ+=st*As<v?6Uu@bXnl{gcC!wr=Ge-^4Cm5#+ht5ZOLyTRNsh
zm|HHoPq!$Dz0)Wvav`Eo&=W%RpmNa-C@90^^@<a<FTWy@>H4%K)?S7vmJUSHUJ{vh
zEb$Otzbe|O9jmyvyWzxb<&mhg@HBEnx;!o{MCt11XTJu=+I#doc|xhEitYgerd}n&
zfO64O>ZK?d{l>{+H2g17%MWpuc&UR+vqd@Vcles<6QU-guQ-hw?b1AouL~dFlQ@Wa
zqKd=;>BX{DY9UW~bUrALy8c04)D;E`aiAI+2da4^6(-b+27tBom1?i#Jvu40sTbvI
zuUu2}eDA}fL+U@d-rq%o7fz@JqM=X<I33}HdQoP%G%x)`!4Ynn*gIgMi@mZ9+EmZw
zm(+_Efy+}x2`N!u$IFXJS3tvcEq(?ASQ!oCiIWClVgdZ-htWsF_|ZqrKF|>`h<mDO
zAjUWi{B&-h!}UX%4#!ZQj;Cb$zdUVg_QX<=1DYLBF2Q^SAn*@XkoClJF03-1&P4^H
zPu$CIdl1b(u%he5#k7Os9{Jh|O}+Y;ZD)+=u+pda2h^%zbh)B*9dqYkQr3}uzK$9>
zlxrmN<p(7d`!ch$4~AN6O5>PU-i1>a`-ZtkX=25vqI~x+R!#MGvjmA(5*wiv8HPbx
zsi>%^aLmbZ#KrrlqoZSm_u>j%nExwYM(0)uz3W7Uq@z^#)d#0Jt>0-&fTAoX{f?4u
zDy)+FEruT)F6|W4LY1^<5w%glxT~k@5UNCt?*Bv%siSo>6;EH!IXZ+&n3>dKv|8u(
z6VE2{)I3M}OUNee<9kBd=PvLmL<_W+Ne8uqw5_ZiC@VJ&%E@yUGto5Q)3Wk(kAT{w
z$87o}J7u(wSMr%N$~Tr9(O#!~etP+n&nbC6?FGAp`#&|8poTrQ_kRGN1nktO_4*IE
zDI`D1C;v+KJz1~rMaSu1p93bY{}?ab9e_&dA*FQ2XM_N9WWb~v=imULR*~xmoXt5$
z!Qys-M=Ho`(KotjWB&!PT%T!^wo_ZC+<HY1@|m+2VQ9M#xxC1ewp^cpHzL!SlS1-U
zO<S&QYLpKEV)E6wwxm8%o&0oS#hMBusxBbY3*<$pQnQ+f0D*Kt4W$98S{DbHN7_w~
zO<aUp>A}x$0^G6awv^nFuGd+UP0~WDo+TwW)E>I4{|Rx9RNIj%Rr-|r>r>?+)qlX8
zYnv({y}=kPC7;*imWr0?hToUw(jK!g@s;uT=d}9=0QBF2bSH1B<yyd>{|5MTZBxnP
z^0nx_t|e|IWIFx;{HLj%JfB#pr!39QS<lIHT-Gv<aVPAbtH@};fD8rXl($-@b8Lf6
zr`>qm^n9ITJ9*BNg7WGe+}xdvSG2G9RMk}9oMUjfo<DajW51)o>4^$yEfq!UnXGNQ
z52UH&%_mcx>Q!e_PE>5=T(>j6F;Oc6Rr37#LFJQFGlLh*-oVLp?Ta#sjL@fhOumAq
z%+oro$DdBgPW$FAG{3%q<CuA{e-bI~9xE!`!FlXveAfmB*sJUV(=*p{9#M?jj$^J+
zzt-(4%q&JHk;5kF1I3d|DCNo6oI`znz`<>w0emT65JSa}1%>5teD#+``}^Ce?EDX9
zMRTaUQ(S=?Y#sFrj>Wo}WRrS4wVbBb!Lt@sLJ@0)t_dKDZ4ioY;6bWJ<e<IQQ(d!G
zQ6AM;BPEC%R3n<m$B~XJ6lJ?T$Xwgi*bs!PsYS`*n%~gohqdSJ0g{DH>bF3x;TyRO
zjf|{=YeclY_S$mwC->5}oWIo^E|C{e3*7=_`5sw{yw%gCR4bb*Yqi$@KSm~tg}?P*
z-z;i0dfEahkNC?L`R%8~T76TzL`wXnq^#9S(L&@vWIOdM@m5DhG%X6zS~ZdpjS-=I
z7RMHO$S3LLxmscCsEJZp1f0UhC&d@WSH{QTub3{4m;76tA>uyMB+qwi|JkPYY@_rZ
z+qkEF`+IxZf3B@kT$Bqh8VH1feuB}0m4a-+J)wbcpm2^bR9I_ZY+z;JZV+yeZlDt>
zL`spTC{Pq8+9Nt6x-ELq?#p(4+YM+pzFkDSxOS!Oeq%Z?9OJ<hGB?B{#8brq;(YOC
z@f*o^l5oj($xX>y!*+(948JvWG2CjHVOV2$)$pF-?}n|0??1Es%<;3(&k8^L;j<^7
zy^wa24v;!ZH%e3CR=EQ9G+Ne<^=4PIJK1<Pi9N(>+Y8$dZ@;PizV_Me@3sH=bF0sz
zKi~8Dh0ou~Ol6#`hitNJfo!#`O7^mYyhEQ3-*p(<VQq)p4re=D@6giWrw*?>N;<ah
zsO}iuF|}hx$D<t!I!QbEbPDbi-|1kdQ=N)CHFf&F(~m~OjeLz(7;P}xW%OJwlY7d`
z<=5o5<#)fZ_+sW4SzjDi7${^4V}+MuhvJ^`XU3dyH{+4UV~zccHyQ6YPBlJl+-!W)
z_-Er^jo+AvO*)#Gn5a#<m~=Dw#$=euNRv4xdreYJGEDB8{L@rwDl;`RH8&k@YHzyC
zG}tu5w8*sF^o(h}X{%XBGh?$JW<$-!nN2jaGjlRqVCHS+XSUKT!fc&cnpwTs8zrNZ
zD^*GhWq0KWrJZu6GF4ftyrukE`ASJu0+pdkt?HucuNtHpsT!~HQ3a{OR0maQsw1k4
zs{5)Js#hwls<pGUv!b(k=Wd;QcJAAGTxW;Q&YkCX4)469^WM&fI%jsy>0I0Sht9uu
z{->HzcTk(DE!1DC`=|%0t<|&C{_2hDZR&&SG(e-BRX3?`s~@O!ns%DcH42SdW2xz<
z8Kar5an=NAVl|1Hd`+RIRC7jiL-V8NnMTKnx%ONq&XnUgOYSSKH#d@-%DHo%+)8dM
zw}(sRvbkeiAy>+s=FW2s+-2^2?iWsLE;8?EZenh3-p#zXxs|z%`AGAz=8op>=7HwX
z=DW=In;$mMGcPkgYktA}lKFM>JLdPzUs@Pgd}blDkXx8r^tG_E7-uol!p&l_MWDrM
zix`V-7V#DbEYd8pE%GdiEGjL|S=3wHw)ojXYw@m&L6?qQOuA^geA8uc7n?4lx=iZg
z&}D8H&n|vlg1dxuiRu#5WpkIfE_=G{?~>W&XqS>MHC?WDx!2{VF3-EX?(z>yp{3Z8
zwKTCbx9n+YWjV}pyrqNXJWC(T5X*4O^_E*L_gEgZJZyQ?@)Y!tPFtS0thc;mdE4@y
z<u8^mEnB-vx*Byg?P}4rd)J;_`=(t@zLInUzA2JNB#%n_F1v>*brNIwkpztxSSvAP
zEd(PjJeEX&t}C2fu-U2DDg~wb_yh&{EJ?+wiwwA&xqt2Bg7%^d760NH<45rary1;H
zzbUy;X=~U0Ye?q$-xvVvo&%Q@wr&kDvHqg*;^m_9K#RlN+P=(?byLPpQn7#H?*5Bg
z7(F;J_c!3ctRmyU_8p&y<KquM-AV*o-*SWLIq|5&^BW<-P5VLp<_Y}#SXn%Q*&J)p
zn_AI<Z+a7!Yic)m#&sO-wL5#`?!9VwjHM!bTPuzwt0NQ_DsnC!hbGUsJfCx!Nju^a
zG!Yk=n5giWNR@wZVh$3Gf*9CIx({ao5o==Cs6xWM)U68fsPy?w8aCP$K9r8nUy$UW
zq6XdJw2=0?MVh7Mna7TE8~ZRe8{D1xspdNEJ>twQwPO}nTv%SC+6Ci;L31t<;j6l9
zw@w^i?Rko$Yb37j9>K0?9rjwo13gYH_y2-Z>sEHj=dOx9TV4ATF@>m_iijET`iDas
z$qb@Z)0)0#?O{8?k{kFq<!^ut;j{|tRuc*BH_mCm!13jzpGIpkxE1hhUN1+%FC#mk
z*718y+C_!4M`~4F^$9X4iK8lsyNgGViwfP7oRX0dlH%tZ671)f9Gpo)rI~F}zJ6^{
z8Jr9Xl<9b#=KkGR&!!iR$l-dQU}mSxNV}jsUv~UzZE2v#2~E)%rqpF@4pz?WfRR0V
zHoMgMb3e~#>ikMV#w#Z|&Ko#xLQa{B#>tMEe)fBh$13*C_VXF%ltoKZ2JF_X@L-B#
z(j)wp%K}ze0a5OOsH>DE9(bqZ!o}N<Z8FCk;vAA^9Vk{F&&a7Q$XyYTqsgyivOH&{
zPgQk+XWbz;ye|cCr$f&LJ1O0lES_XHFYTziX1)XCQGC(&6223T`Xnw@kbr){$bh4*
zHSMNmpA?<Hypwa<$+)cb@tmQW;d8uXE$6hBIfZu*CCAlbsGnc|pI}X_>2-$vOP2?Z
z!BV!R>iFT)s<SBz`%?2*Iwpqp=h%N!Vffz_7>JizuV29$w~*K3aZ>it05w~aSA26D
zXTOb^w|+%XfQx^#t%?OyCCMTz?4M~Cuasm>@|i~|=jvW6N#~xWaN$Ya;pwGbK{gNr
z$;-1o0|(7;@5Zswzd<4!=eXGo28C~0;1rl`JF@=syjp))&9xm?e>|z?kEuERD;GY6
zUJ+f$vnLJlWv(QZRNR8!d8<6$kIgu|ajSw%ejvG95;$S%Jnw-Rm7-$}joY|UVwc#E
zg;+s`<d?+a*Z6J6CK3_UNPbcOiyY_^IwvnB4f`r`ZYs0ZWUNlnO!Q-Rg~bJjD(x4A
zIz(%{fpGq}V?adu!_QO`*}J!Rck!MwV8_JI+2tBP_cBc|{Z))(qm_(}cr-m4HFu30
z@sdUsMHWUBk03`)t;M$VXoPE&D`M9attpHw9)(ydF$=A`6m@ZnU5orTTc8L}!Xn>(
zm8;hnW#9V_@Q2KTba@xb4`vq4$bk#x{H(IGjmj5en|T+?6TTXM%B94+&4u!e!GF3?
zCasF$S!0geP}UWmgbQV-$u5EO=E0vYTqsxST_~T+E2%ijJ@)*5>5vaDl*`JF9x7MW
zXZWk<UhFm=^z~8q122Up#lue(DQ-fK;$eXLIuNR^lU?GHb(dpG009a`&lfa~IU#;Q
z;)=*;ShB}BuOI88q`R(b_w|<apa(p<;&jUM_ip3>(_73!O1gFXo`=%dH8Gpkt0E$I
zAL4X^A+7(Aj80!zr(tcpvkS|M57iXquky>|U{{jkIy1>m)nlN0Ki5O96)Ru|#_p+z
zFWFszId8Y)ZkKq+7p)xM4V^K+S&PR~UHF)Y(GjC@P7&4|b|vgmU!pS|fdg;dsxe`s
zSMl)?&8sg*G>=96Kryrm{u5N~fAu~z^7YriQe%04%pb8bc%Tf7P+qy`55*qt?-hIW
zN<G{kN<DvS^zhm|n3G}st0>)7oN`im!tJ2V7ESa*rYtroa)oj=`AY4ujhVY)wYRT}
z|Gm+eJ2pos&Q=~do`>m-RqV`R0^?TfPEaN$?I}aPe8wi$ZTSM_{Nmu!H5wNB&EpiQ
zi3iftR~!fmT(L4BAaNyZa6*jJ+TsF(+Tv1ChX|0Nr<C{Zwk|9fW-Io~kJfNF7cyyt
zes1Tnk|^4F#Cm4R6`CUHnLFW?hE=q2Gv}SmtmwrK<5lAqSDlXLoG+{SS_Q<d+`U(M
zFll$$R(-8DxUHCvT7~enBC{eCwP%jx73)9Y_$k_jeBt82$P~X{0YUvfD)VTM$Jj~s
z=)<riC_?eGlutK_cRT^~e0Zswc@?|lQdC#(SmA^BfhPd=hq~&o|AY4dmbj^n9^EE&
zx8*LRmsIYvNGd-Nt`@WK%z6FRHg24FMr?@l1l5F)(zCJnWwY(1EorBcZI===IIX!J
zaYugJd=KOZrybPtYqp#CyKG>H+LGb;Yfgp(&dGMIT3%wF1$1$9?7&ORNvN8=c;IAS
zqcSThBV5mkcIr9NT>k)vNKKN5+a6~XPPrs-#_S1>XA?0|$}UsSN3F6`l8@&2CobEt
zffw6Wr{`AWXae(@u?sxytd(}DOHOFm)e$5~O#)g{ugZ&@rBK%x1<gjWylf-3ogwtO
zc#xW{+FzA_TbUV^LHeuXLYFHYe0=fVgr!S%c=OOYSU=&d4bt+Wlj+A)btDj;X(i=F
z`RRG8+Dw17^Ti(1oje>IHRnPX<c?I?IeN`?hj|@)Y2D@Z7r_sjaSE}f^;_nFuIn)R
z7%jP)`aK{!$?7j3uo2RK@f*w5r5q_vJQ%Y!Q3IQTUBSLPma4vXo$@6&oFyAF6{R~1
zlPZ+O?rAn#HEZ0N@(syR{>qThH3697m$V_V>b;e<IYxU8;5?j&fAEX;T>|+@{a<@3
zd;N!}GFjWK?y{4avv$eC>8j~V^2^q8kgTx9#$;>rU~T-}%XI6Qd#&-{;y&>KiN}=L
zhm)$eXkd;xAlA{xPRU-3P-DTMcVQ#*S*l(mWy2yG$nf*zn|fjK9a02zAE-W)&tLt3
z1%i#`50ICBZV6p*YW->e`JB_vXm_jHz9--_3&l_4tE+FST06BHVt3)~I*t^JsbHPm
zl))<5T4v<-!r^aKFya`<T*^vK$W+Dc+PGmCS*BhP+{2X{PpuhCl4V1)x{AjWYvxzi
z1t|`yux4q>>ap3}1v+2=oyD+S;0AG@)>^dB`0t?69*c3ZzMuT>0Bek_x0=khSCsEw
zNal`&)TAEjY~nxF+1S5eItEJ=1-s{yxf511WIWD5{*wiLg_He3xBCzoOAf$@sC{Dv
z>8PG?(Ma2kclA)9ZLg3&JJx*cN^Y~^HhLdMf7GAuQT&Lx$etnd0pVfTOiz+EWK}a=
z#oG?dC)t-<`(XY1iN`)8@(W*>-dEqV|K3;MYcz`9S08J?W5TxCu!;rz6VO4<Ggd6L
zw88*;fWuJ}<%<cm-M^c$$l0BDt$Zx|L`tEmKF4jA1?@j0h4$t0sHfhcGQZGn(WGLb
z?TLl<`4gmf5*HxZ?772ZPk^Dbo82;36>%p)ieGkB)ikQEopk8Iv2-vdUT-oMI9A1q
z+UMop^OG-}Dvpt`0HzaJOIf|Qnz3rOvEbC%>UpOC!R2m0qrklpE`gT>q~#q?PdjoX
zJ<!u5AaDsMJDix4U8KC=aAM5(ne(U2PxC(-%<mP7jJ2kh=m{}7rtQkWT45a7BcaDy
zyD{v2(Jj6H)W!#~7dHH0IJ>BPWu@xn^Jh4%?>+Ko+L=mw4y866@u2n!_j!A&TsgRG
zAhOz;=0|y>%xQbO??!2`3?#$EWDeY1%7_QB7zN}r>dMi<0IR*P&>nzIO0S!Jzz&BF
z|C;vV*n?6MT47Xw>tGFmFNu<`z-A|ct5&Gx6||G~L2rC3peH-0Jo|-wZg`9yav*a7
zav@yOcP&*JvO87;ZeOPQ(rUbgUAD^+e||BsdOL<|Vcx!^Y%cHw6Bgtb<)fOmApc?v
zN0y4W?%TX$ud;s0y&glyPJ~?j^0Xf{Uy<30^E;0oEmfU6I0q(tSUK+{0x{|Oya9*i
zUB4`Y)-Iifwd?l^k^ty;$vK~IdONsNF;)i!A+L#r{Sl@Ku<9T0p+gmPmh^907(#ki
z5$_AmHGJ;@Mw8t!gK5&P94}_;rSe}Q>9Sx;wfyHuwgrp%260PHS=LEa(w+_L_jBxq
zh~wCGY{VfC>G{j8N8iuLr3}YT9e9ast|vi&eeO@bI&yC+4=xuuP(eO>a)mGtr=A<0
z2rhXky`=J{@^|Z6Dzcrvc<vkxV0`oPim>@;IyHaFc-NUg=$!<R81hZ!EZb2I&ckh;
za!+`0?lT#ef`)l7Rk9yQU#2-fF+M{Tw|nD;onS$WgT8d&`hW#dhJ{})DZ5Hd*bsIl
zPE&~WN;SKIP7Wb6$&c!m7P9BQ{8<ZihjeqWIQBlXsHiBUNJT_1cq-~S{u%8wW2TR%
z8)g{zmafJcfXr<jsaP^E;kX+oe@4vJ@B={}!vVybh|46diTJ^_<UOqhkZ<?FWQRb{
zq9gGmOQF=(9z?{?sx0-TenbL~B11Us+jc~FZ5TD*%e8ifefr*Ow~0{Idb}N#jCe$>
zq9IihQ>*9^-%^Q6<{Z(a{Vw!KD61$+VI1#--hHV2G3j2#EsbjmGh?XFFxpN@nQZH`
zLp3s}2EiLB`xvT9Z;TrC;@l@h$-6w@rMKjQTE=g<BH*_!g2&DMfY6D_GM@Tir+n)Q
zAPF&*H+$Sy>wB@_0<mruz8B1n6kK~RXowWx`@+$YqF1*8TBzw)PlXG8Bg2+*2godj
zY-*-g0HoVc=*Jw&JG{40)pBN5zi+45+1NVg9{1p30bL6(xS{7J5o6|t$HJsps_^jG
z4QsgsTV~6S9h-Kj4kbl7rE%48Sw4(rVs}P37zEy6vw?BgNDqk5tJxi4tG0%y9Gn(T
z_2y@PV#)WdvPnA?%>%z!e|^O8*7ont82(}Vmxl~*Z9hF_xQaQeM0^#WxJ?`lb3Jtx
zxiCsHmm2!nV29y%i%o-;=1>?rH3`q%C1)XbC;$zZ|N0set#z;8X_w(se7zQMCmfiJ
zoT9W!)r;!!aEZgU8jCkZZH$IO-oVG^#9RZ#gz0s!Fx{RNTSQEohS_!sun)gIPple*
z$FGt-Eh4f8<w}2khG8|J&(Bmg&SANaE0;NgNzcnaP^S8^a>Cc!IeJGN8xgx=g_3r=
z)sJ-0z^T^oIhC(D5-;wtX3h*-l}zy~88SU%Ah3RkV~FAf8Df_)06%1Br4ga*lpShz
zA#8_$5UWR<l{fGt^RL*j0DAuj5Bmq=Yy%Gu`|ufbG=VrPVW*)8KQa^}P2RvW4nOR;
zRj|=~1Vt*c3n@=NB{@=JC-orD`8+N|BrF9WNhJxd5a#?l!pJu9_C-tuxdy}rA2fOT
zGT(&7Kx~)-r>uH}kxJeO`#%sy!u<jExU*>b6BRoZJ(LfulxARu^E8Zh6ur6yzNzU~
z$J20>o`&uIpy3+OaC+Y11fGUx_wP4l22aCzpy8Q}Tj2$s`;Z@B!S~|ACzH-`ER>wq
z5Fa%QgV|vVEAQSbtFHULYy$1LhnqIvF~D856z<(|Zfp30>>}>HUQ(lO0|&!g%cOY%
zF*toTyW#{#=WQ4<=3CW*g-O}|dbIM~3g0G`Y_wNcgs*Ddnk`$_a;rdWyAuFke<tVP
zuNB-+a0&jB*54xaFU61PJeIagzONQ0Xa|WBj30<E5@vta{>%dz5E>-<B`!VS+e{f#
zh&%d`ShxmT2l>!+^Hu(<{8lf+#&qT3u#8oQCcZW8Cni1UD#)5h-8~UmgjV|E^kc$s
z+67jv&XOLB7L0N6OsVwMOmk<(=GAyX<VP1N4j<jS?;saM&Z;BUhp7Ss_hqxihpd{R
zR$Nb)HtITt^2`Wk%U`v~pEQCOJ<%0DROctXkg`IOgxAc#Yuc6Fc*2o)R=_S9;p=Db
z;d3xQP-8crnQ^qz=c<Z5keOMOn1!8p%;cDfv*8r}j&|j62_%bI*qDU?&;Bl%bGbEW
z44H!sfmeuj<R$j`BRCwxgw-N<d4y#qS*PvC$bBxVfix^uvxg2I%*b4R(0|$T<-UFg
zmmkK?!)as!Bjcw&oy%a%quT}(k(y((c@ODq$)VBLRkEA#!#5B|X_44oJ&PPHWff;5
zn~Bq)eT-~+@#3N|4SR$x%~P|<WT%=fb5WB?WXBLGyE--|ic7Fzw(i`$IZl<y($WW*
zGzUwe3@)$TC6({pe+78gSyFi>iIcLTy~a-f1w?$92I_MI))71|kPq{OmyPX(p+gAo
zIogQM0m}BA5p<3n58W~canLXfVc65ZsezW&1X?VEFKU*~)I<G{F;IM)$fGA*u6siS
zV`_&C9y^r^EG|vC3lW*a;?hgaM@y=za$H7_^>%jPWG%!;KU{tI;mW`ETfDZ9m>T1?
z{m2}4eo&eI2-Xotuq*S`EDs*u<{guz6BJdE4Ez1!`Khy1QIR}%-#47u61SD-?#WU1
zsa$?fwlrzZWmQGSiOQ{<`!>cWX633N2s_JnmZzLio_0Pw6ygIX=1go#IKS_T@LQ)r
zlb*wJ2@vq<hkyzn8tNaA1XOqrGDty^N@$XptfU@_LrHiXn&j`l9M5^wco`2Yns;p3
zp(WnS{JlKLYc&^H$FQ5y)a;sw58iUwtWC|@9oL0f+H~GUOnSMP`e=V=dg9XhJM$=6
z@sgarL_ERzFHz5z6k4<`YV43_D~k3PA3d+EbvZJ6i-v71%{^Vjw)#Zqh6$-P1|hWY
zebllL;?hVC=I?KsR1{Sd6KWKAiiNwx^rP_@Fd-)yc9&XKJ~#ASxe=@PekFg#&R0vI
z^tyC5C}c9(F+$49wZqiBT#jE-m=Z7c2lADah5F8;JeGzvNny`Udfx?9X>Z=?&m~>g
z!4eV)qk`wsy~db7WyFuUL;bE2zdQH={tFh+i|opK%2cPO>^?-WR_7~}%U3A)B(pX$
zoFBsQRGy!H97;cSQ2Oz3ovE}x;ajeet#M(BHl&0uR{AXu4TLp6WU`8a7$$T3&b>)0
zR@)Ojze~*;-y=K3Y>0M5Gf=Xmp>3iY(?)7aI*;Q;Hw+yMIV3DR9Y_~757`a~b}@S)
zHMjbb^7Wt#w1f4?C39UgMfS|`6Q|Q^RadLL#*TDeNG06NN!P^e>BP)}Gs?T8s;I$)
zN&cShngR!45*H<wsLmJq%(3_I`<9zy-ymis6v{z4uFUS#__z$!gHop<-%g)Cdi1<3
z02I#$K=G+_9?w)VOjF<;sK;GWdbw35X4@>Qg!yeIRU_H)WVwXyYGoO=FZF2BNkUnu
z$s4QrgLt9_2RN1iB=CMP1?cOQg`GzqW{QN>t{fs}#q;`;6Y8A{m_v{TWz;k5LaFQn
z+NT6)pQBIvom&k7)CJ=|A>+|E)+FoSapqa0qAN4+jJc#=f6Jw8c~aKN66M1or@k38
zGsN3PlRJ~i$UnZXT6O+Zz#Qj=zBU|t8J^Br9QxOp4^^{6Xoz^7U+@NBRlkK<S2$ue
z1hC5V^JZt#p&)VVj-wiO>)P-w;i}mSLPvOTlc_N<pjiG)Dq{U=l}AKQ6*hdfEmGEq
z^u-Xg0$~nQ&kye542SF1On>&;yc@*3+5WctAxoBT`awIFwA&Pl@j67!GSMU$v`cnK
z*(@HUe?7muK##9)b-?Pg^&7E_*AAv5_3FV_up{GLJmGSiJQcGaH>jMv=%esPBVX=y
z$R9d_wC)cL>)$^pSj(a>W0B78my#K$r7bPP>b91!QP6`ok;)h=u?-y&>bBf1*aeea
zNXhcT&_WwBf|tT7f_!(S_yZ41l97?I?~tlGecsq%o^H;Ztf2VNg=5^@qs+XZfEB)A
zPiHnBC136PY3OE#rC!No4W|1+#xKOrv>fIj4ubkyq<~>nJGO2D06$AlXj=x0S)<B3
z#P=?1)#3s-b8HL2_)uQTFTGNf9qf~?DJ@|N7R@;_T7@mpXzW>p6}qD$-F@9^#k-@i
zVlDTs9&AUe(Sdptw>O;1uT|E%=MUSUStL1~6yWI@8Ze8K?HIu{vD5;ZGbQW!p_qW7
z$cxrd$%t!0GO0yW7NMvr&#ybm0VuB@pBQcjNRyPUBE>+9jJhDIWOr<OZ55(5dWD{Y
z_XiKAoULi7I(g>6+FPcU{s7994yR^@G2|O8xHF}C&{8sqwMVskKvKd|E}~v*RL{ag
zg<hP```~0)p1H^y5^iFxM*`IB2XL@%ZOC9pjvU&@@2SV0me$`|Si;`<&~K|tSh`g4
z_Qh?8F{IXasbVz;1;99_kQM2E(uFEw#qa7{H84ui)wgnhkYXj%BD|beuH3#YLK8Nb
ziQZ3mG}TSS?;|?0-$!)h!#L4pFZEHgCtB~%R<rK~iIIX(Y;CF{1u#H_70G4sdX_M7
zRd-riar<@&dsa%kLyb!Avt_SOJ}DDs)DY_`5&Ov&Q_L<(hFep1p?XmXcA5`}TFq)l
z*0qilvqR9lSvk9Q9cClRIyK8nsUgwU{3+39U#r2nt7^zXvIH#nzQo#f!74Y^WdFhk
z94Q|nk=-Td?y;Eqw~>yINPi{H$3A~ZRofs)pQK1niQAFDh3U_Y*N3YXVj7`+!NyrA
zezCK>APy2TY;uTBSc3ID8KH*UX#o5T+`G?aURASK$yzmgEdmHUtQJz!6D$XBm#7b4
zn?-zWgg>{43P_QZ<likF%#v@_B#Io8g5Tj8l7-jc#16NAIuHEE1u20C`;1T)n)D_x
z0XAXDH0c~xTOe%UVZ~U;Av5ZT{Uw&Hl@{M;i`7D~sCl8RF|h)G$ITKVcr(118gfI~
zCT-ePqoT#&auJH=yaF=lD3^F|--81`7-GqmobkaWjNieKLmXQNKQ8CTK#cjt^l|V&
zA`3$wyakK;jWDxM^rsye_5<#mo8&qxX~|zUb?QRDAz101k?tgUQnU~>nOLmChSjmr
zKl0q;s`hax`<w`#v$u<uIm~qMo-oHb{<tf*XcqghV(H|m4vWW4c1bR9=G^UB@>vN^
z3T3n`qKU00>#JEh{VJI#mB@elPTRs-!*vSWB=Hxx!mwtc>i`3Lc4(^=wbfb;!)1il
zY6v@7yePyyY<iU8Eb<v_Zj6Ktyt!#7wsD4DA<L}=OXLOE_W@pr^_V_OQ!<w+IL<2a
zGy9W{vloExpqU`EU_*F7`^gvCJn{sK)x#Cgw`4=ge<LZ+S>C+;PBmL1Bt7axtWo(r
z65qmVCM{)lvdr1^q+Q@${BDo;dlC_PIFyZ~lNz-rnuQRN1h<G-$c&qXH(SV}yJQi5
zHW80I=v<}}2Ri=2D}7aK*YSH3mH?$#UBeRi7_GPsaRLUGU8Lat<NK%_J&3Wjj?8B4
z#Ij^E4Xe_nq?el2?-;_@v&#p0!oiDxVcjBbxrFGthq6~)O4fve&iEd3xD25b3x|%6
zj9F17pwrk*jan<r!nSah#pc4OnO}Y0Wx3)ChW*Dkt0A|*rg;Jn12N^Ikk$DihNx}s
z^GX;tR#d}cVRIr=gDJXorG(WRlTZV_F$qZI1W057NJPf(SYM0T=)}YgnfxB-Jozq!
z=Zv5l1sPXDKV#F^WvN&Qh|jXmjS?TNxVz$!{L%#$=Dn4?eK5-(aFQ|7g?-U9v&o9f
ztr24&FJ-Aii<;F#*i5>`BiOJ!6goLtNpebz*ehgc<Hu%)!lqtZ)2CF#?h#)iST%hG
zvo~)W>WyNAWDJB1W7s>q_lLgCD3O}MY=#wkFWj(U5st?(7q+f!VIx8h!95WR-~b*-
zg5?eCZ(?fx7G2PO`ghi>2f=tLCl2K-oPKVHR`8BHY_}a4orV>y7Nf~o2&-6<u69A?
za15I1c3OW7iidqh<IJ5Ju>rJe5H(pw)rKtOL1k)osd8EPibeCF9&=Fs8)(n70-x3I
z3Tv=M;3TLO2n@^xB7@0-IR@5(0R~>Ub`Z=FzQA=ces9LT1mV7bGZ=;IPl&&P5QDH6
z&j)?D4#Cw}@U?-dptHd`!E6JOKp-*_m>38J9faS%e{Y}?^b%^3{wu)@VXdIIK~F&+
z;ctT8!ma`h;(MVEGX!r1qXgvrP2sP&e=nFJvJuQMutd=4)6dZ7aYp_$L1*C%fhqD#
z5?&FsH)s@?3M&LM{$7}cdh*}%{~?G52@F35180Hek2d4m?bE=w;l~gzu;APC|1wPY
z%k+GI{BHsM#rK&$921xeCGT6&e^YS%6`>j7DZ)F%O>B!3jKKX=gr4~Q@?$^qef^=o
zr}KUOZ$Y5{{qy^O=xKqchmSPD)5YHfo?ianLqE|peK}Sr>#xE91D+QDF7Pz^cVWN4
zSx>(_4gY)KY5M;)>_i!V5%_WPY2e4p{}lMK^dEtzvvK(D9fF|-VYtfBXBcn)m!ac-
zlU~$GF!W=<I5Ye>rulLGX)v%6^x?<s$DkkY{FwjmL#Mw?3x0um{%tTYfByvan(;|6
z6uf=^OwV85zQ2$AMueXc-Xh?)z^d(;pgXPz`nVY%c@fW#J_himkwO`Md+T}B2%b*~
z-oJl?tC>*z{yopLJ_bGS;`!I#1d&8ALeJZH{`TJm)4xk68uve!A>{d{vp|V3;=}!D
zToK;C*7H-Ir~XASuth%b+W!pi|H;RpjVJwo3*hTKZ~qwd{GI3Ve;2^}dH(-tFt88|
z1pVpzK;NIw1)~fEs52jj0D3k1I3MwJ3VQ3NzqaBTf4@P{O;{x8hcw*`y5K5%|D!=4
zK|ekSUxJqTy1W;3L?83*&_;9p1oog2L*Yz3@BBVT*!%rIcsel{i8A-=>0=6Lgb%3K
z`)7Lk;Be2=Kq*2d@;QS?{}GUHDnc6_n)Cgn{}$9m-v=Ww2Gyva(I@jEU#}$a5xzan
z=-WgjOhKQO;=WiQL68g01!9BG1=gsSMr4Ixi#cruu6~%4XQK|Y@$GF_Q{n9Q6!%{s
zbpJC>pN3Dz2c@3xe=^?rcKk0x*Z(Trhj#zi{(p7F_|>l?grA|k_%ZqxZS__#=EGQj
zD->ca@(sT8!<t9<J9y<}{O0Fqp0DzAC*~;3hx+-CU&s70w<!eQ^3O02%+arVl!9;g
zc|yOwX%h71*E;CG5eA1*&LFhywD->q8s0w_jzhq_YfyvVj=1O7Ls#DaY|s~dJy0-B
z_z-F3c;{)fV<yT`gO;QMYoQq5@Io*Fp`$@R+}{?6g~u>AnIPXpfw4h1!Bo&>Z(#$*
z^*;r}^mOw;@R>oLz{a3l&|i2Q>G~p#RPY`DjDH{h4!(SS+2Z%V@MZCN_4)Zc;`a~q
z_oFel+q{2;?-1#~<-+^d2Iukn9Ij_@^#G6M!^d^jI>fI-{4|uwe|IZ>>+oBP>+AQg
zL<a9)BfLU;{KB`1Xa#-;BR&{ce_Y4Ef5HdhYVf1g?_Z(Ke$ltvYy5tR-@oDd4A*L;
z;RC-`!8!)-cx~_$<z7U&XkSqf$_qhx%W(BUd=3I%FGoB_+lz#_e}~YBGCs_+A_ip;
z#9c=pp<hJN$Q${8*gF$AJErvSpE|YNtlcfLi!7Z*ge)Q<!bD^th%F*aCW8<WM3`8{
zHkb&q5(Z<8of*6FH?fSt5J4<si7kjAJ6c4eNhZ|$eV(eiw{G|CEtvJK`+0un)Ty(d
z=RD^*OVuTg^DxiG+=09al^WOGE8OS~#_dI(Ey7%cxe#*_&xI~AV?8hY68geB2lEWf
zUt*q$xlg!O$i2<<^fH9oh}%Uxy8v?<=DC<V;RjOQ5dNqKDgOu$RYS^G!drD9_+tRH
zJ^b(~<}l0;pm$<(CFW-_iTl^k%g~20txz5nKCO;~ccFy$HrEtBuQS!7F16n4P)~Vv
zS)aT}U!!kp|65F(T}S^eH(QturZ==lOrtOdGcK$%gXvT4%~{Zw(swami0N;b^PzRn
zDbR_r`Af`cF&%|@YD}ja_|ee!i1TBK*L=$T$J~p#8uQU`t&sNZVaU3X=#nBQ&qc-~
zC*7_laJz;TZfDcT_CTMW$1@@EE3^l6dMr0%d771(GEWlS+8W<3Wqc5sISv0~%ushc
zaUYNU71Pdbk128OYC5_S$DYW$WFCbK)ci<X=<*_~MZRJ-llhB#G5NcRFb|VXk{`*F
z<WbTU`8|<mBFnchM&oK|Ix(*Z+|l&!(WXetbt?XT5z~wKCtpfe;zrtu{IJ_lh9l4`
z#z;Qm`sp0k5AspwjGA}R%_R?#u8`yfa=yXd(e!sj=RiNO%^925(|7JLO(DnLX_~73
z(Vu4!`OOmJMk9MB?u-w#Z!gis8B2AJt>XfEfL(@O!~B>sjY9X?)qaZk6*QXmycxfr
zsQ=b>Ic}CYBWY{;UC?334{7&OokQm5=*^A;pE6Ik?-MuUEqQN{mnX@iq}z*UgGqyY
zIq#v5+=%<_jI}ROu9qkmrk1NU{t}vq|AYpjM@ibE%Lpx}3=PP?=vh)XcSdz1x|P(S
z%t_+Bca?h5`jE8a@XU#NyT2m*c*^)Wvh8!m-p@@Js4cVw)CTGU$+K;t?y-G)+t%#t
z`~sctD|90K+l(p2Y=i#v6Y6h!%$=cr;!pinAO8+<oDzR~8^A{rZ<JnJ?j;XxFn4i2
zBHj!-M}W>%xA?lpawCx;z1{idaHo?wMClIVxx@6q&w<XJ=0MC{pxv?W0_`5#cXx`J
zTNRs~oO>|u!Q7d;5c<Gu>vlBT`b*8W4X)Pu(R;$};q;-dzNC#HW4;^c^rlUElU{Gq
z?~TscoB9&-aMQ?qZpL92sd+PP_6%tVeU9GLhj=eC;}{zbaS3m4GlxLk&}Ftt#TCVQ
z7IB}YaVKf0Y1dL`Ys?PLZLB~23jO6*W-F*2>s{^W<2$-V$llLQXY|6M&YL`!x$@Vv
z-FBGoLVu-?cIAFl)SsOPSyQsuAHe-$Xm4mgo(F2~XdCnF9pun!q_LMd)cG5-?{3q|
zd78B^(ZS!P9!clNAiD_Jl29ks0OGPpdD0|h%hDjzNy{l^t(^{w{p?i8uhx^)RZT=a
zN?j_QUgtF_)~w<+skr{74dQk<SlXfzxzRm(tF%!<(pEK*wBzPeZ)9NI!owrNCxu9P
zNBE}zxpy+Yjxs+J-YP`GZ{M2^A&x=>4+|eBq`WNrTpbCYS0W3qAs1!*9%u((!k^L}
z*?#u~_m=r)#D_hVM`#ZjN42dVqc6pM&UuS|Ep3H9B7Kkh?X^zGkG&MRO@Cv&-rXLE
zyXXVr{vPA+PZ^UB#ZCIU#4CM7((Q}fCtdp&=2ffBc3D0VKfU5~g>TboO23k}c#N_8
ze8yEtQ`SniMt|{0N7{Ib>Iq{RtHwGN=r5gcYh+p`{fD}4C+Rbm^wTycy{!Hsy#B2*
zZg;{QO+1npsV_-yIQI6qN&T>HuW`Id{jQ1gzcbH8&QV_N`$;=}LLNJ#pKLAZ;77_U
zb%ET_@=M!DACYoO+@z)HwWP0ZVBDL?`1CaL`vqj$hm4o6B6HW8LCi%vF-Gm=tU%W0
z#+W{gF#{PB^2eAtj4^W<Yh)a`-fV0CgjwAfagyomoP-=bi7_Rz_lV7&n0+BJw=tih
zCx43he`Y(VQ|#y8Kip5zAx<a1C&Kq9(4S^dH)m7VzsEcR+6VeQ_xCeC--mq<^x6wB
zheNBOKS6)x`LEUN;9Q6~0bZVf4)Z7GZDYgl;PIx;SlV|m>qrwBJEJuFIeke}(ms%N
zk>}7e59NM}>1Y0EdYC)H)y_fK?}ZO~!w0{BB#)<K62`2@+{$ce)|wJ$D($cb@vp(Y
zBPMH5PN`|(^fE1J`@TxQ4R3G;;Z9mHwb8WCG^M21Pur~wJ{Si-^u^p4igdAlnEjzv
zDf$WaW{{ZjtTEJxwSmtuhedY!V-!aGjEL=>FohbKG2u@WatD~s-kqki+tln%U)$Yn
zXG+~JnElal60<+g_cuM_`_5`c&pP9;GyS@~xOu}gTxZe{olr>hxl;Q6qbaxKSz_)M
zKNI~^s1&`VyXx^J@cl^IpeOYrYg4Qzq2IQ&H<_P0zcVe+!Ft&f&_PdNY&gMeBc^+v
z=?S%gI>q)KF@?lkD7hCuZQKrKA0aydIr6pH+WKYyZ8i!$Q0JUthg3hLt=dDy$e#0|
zw;-KMnyJXN7A7zsvVQ&{Yv$bZOy-)uf@VQ7AH50s6ZAIpAoO=+4bnCI1#~9#2MB2v
zJ`cSQ9Rp2<4u%eZ&W6rPndCS;8kzzf2T8bR<NHaNkH&O4<_*w|&^1sLZ?kX(_FbU9
zki;eNya3$?y$VVA`Osal`8DR_ki?TFNms&3IyXW0$EMiDztDTo#gL>eX$eWWq)cKy
z2g!4x!=SsNq}<fScLTYf3Q2uP9BKQpsr$tJEZok68bUpx<o=h~PlA&2RyI$LpG#Qr
zo7B0~=i$&PP?G;s3?+wOjUm@czry6wb=A)Bio*@F09?K?)|><N$8BFT5<H%tV@}~`
z%?11%bC3BG_y9l0yla+%UzrNyI89kYcbwKvYh#`5o$ayrMS966XZnM~oMGT_WTNBj
z<?IFS@9dAuROeLeXE85uoLSB+TyAo1#{P)&DEPSZ1h~Li04`)4bDY<l*TE&u67W4|
z6}ZOv7%X$jz;&$AIL_zJKbUE98Ebts4{I}w%Z_bkn}K}e1?<F5gJZX&4jj9K-2p%S
znS(lZce}gs>`-(B&kkn<_v~KiYo6VYk=C;Z*aN^(Xg!`C!}@_|f5y(TwTIio!6WUF
z#4v$A>ez|QiXA)2P6DT(VL0|=dop;6Jq7%w{Uvxl8i}<R*bBgm-6M>3$GhW=;~woE
z4Nh^V7|%V~JsCXRJsmvLJrkVa&fw{6cQ!be^-IUS+`SyU!o32##=Qo-!My>z*}Vn4
z&Ako0!@Uc9!lgdlS6ph+ecyc_T<$IhSGm-ryT)A$mbuiVyUwL1-7noQ!42*PaFhG3
zaXfyY>-k_KuMybRYYX=9wgY$Zb^)LC-T~KppBsly2Ni?e{qEo>e-wC_e;9bOPi^?W
z_NRf@`qzRt_&0*L_<sOz^KS?5^vSb-kADyNCm*i!|Ifc4obS&E|K|S<eA0(E{DuBP
z@EQLZ@MZsH<7A35MPTbpYp{I=9?x{h>}K4|pv<x0ahbWsg`+#++JR@CGNoXbOjmH5
z%r@Y*nQg)CGL$OQGt&#)A+rOxV`fLNe+FL3?3~#d+$BSqGrMMX1qWpYfrB%H!6BL9
z;K7-L!3mjTz~eH<fhS}pgHtk;KQlEm6+AU_DtLP4bnuMK8Q@tN`a|ZN%sJq>nRCJO
zGv|ZTGSpXQdS*I!QRX6W1|^aHE7Zu2D}LB`!}c7>O3~40PMvHHJa+0aCzu73$DcaI
zY&0Hz*!*O~$FFHl&+pF2znj_L9A=I(lg;Vod^5{jVXil~oBPe9<{9&fc?X})!J~$B
zG=ns3D^hA~T9^)ITeGA2iP_T}z^Rm@&57oh=GSJnxzgNV?l6BgkC|u9tH=jQuN5`j
zgj74Cv-BgLy;#c_YbKZ}<_t5<%rRG)8~HrdeDgS`TNWcxl6<zJjhYg=li3c5w7VH$
z4l+M8$C#7MnMk6!=C|f1a~E>xZ)irZnfK6A{5{4F?`TF39W}b6nX&)D`*k#r9=z|t
z9nJdDqxS9Sbcsvvv6j&q-`ks=4Ev>KoSA4&<`Y@d%_Zh)bF;bIJZPRkYQAok#rgM5
zv1!8!L{CP}J<Q(bVDocxtoemG+gxZaHNP{rAQc}nPns9Z8-{T}%N&>z)7Erh>>OZ*
zn0?G>bGVtrn0t=7$jmd>m|M}?9ySZii{?%9K^!K-O5IkbtLe>1J`@Rjh&jR>hwS|o
za{Ds#d-Dfm?_bPQ=I`b$M)4?}2BsOhVK>%^2AW~W>@ns@WcI1%Tr<O5ZmvZWxX(Od
z7MhpL60<xG(-5t2Yc%m4%&zRU?Pm@(<IM@?G;^MrX?|m_Gq<7Z{nb2eUN&!=6=vo5
z@sm&W$0{DBc)TKC&By&L#c7JO6fal2M)BsO`<`;Nf2ZPn#m5yFDK1uAs<>Klz2Zi}
zz&m>UDaQmwip>?<Dt1)trntRgU&R56gA|7yee{VZ2m2_FQ=FoBzT)MIw<<oUxJdCG
z#j*)gPC7C8PB7ysHc~86Y^m5zu~f0UVlTyh6Q_<pIx|plnBxA5hbbPVI9c&@#q$+s
zDPA%8xMRm>u2;NO@lM726dzQ4RB?ggBE^>!U!Q!^(UUXpD1M;0R&kx;mx>z&8yLl4
z%4sJ~ZO}xqnPO|j_KIB;dnoo%+(~ga#UUqQG#H_{zv5`cv5H43PE?$%I92fs#dA-Z
zI$=tK>58)y=P6#Lc&*~iinlA?t2kfrk&`9eClsGid{J?+;u6JWiYpaAR$Q-GaSFWJ
zV3T0OmWq88_fednc&_5riuWtNsJQx+<EBh(WE2C%CW_4zTPwC#?4sC1v5(?Tr<{27
z$&GeX+(+>+#fgfiDo#_Jr+B^M-HMN#a!Q{a8ZA;>thiKhwc>ikje?Cm#UjPlilt!R
z#@j3QQ`}8)nBqvq(Td{~Cn!!<JQdur@i~gq73U~kp?Iz0t%`Rm&R2X?aUs~R@r#OY
zDt@5&vErAC-w8Hppx8{Yonkkzf0I6nJ1Op_I7D%T;{J-G6~`(bsW|bJ(~df&34cce
zPE|ZZkuP`SGF@?&;ylHx6t7jh`IOU6KBdX+it`npP<&BwiQ-Dd^@^JWn>J8veinZ?
z-n64)H^uE0`zj7l9Hcl*aUaD46~{0RTS&(4AIfwYL7E}mS(5tEYz`x#<a%>3V;Y!-
z=oF372%0hu8}sk);-G^_c{c}L^q$t}4$>Y!md!z5ko;{P`h;aylXU@!Lv$}E=EjI8
zU3G~tauNN}Q7y9m*ipl79=6r6n};1V?B-x&TCNK^**0j)+oHj4hu+vzRz%?8|CJ{W
za|LPh%|X$fOOQ#;nKc;r>|b`b)kSf8b=&HktZi!6HYsa6JZl@Bwe6F&4bIwj%G$Qi
z+E~*NPT6YD*c=p_JH=+N*z6XY?PIfLY!<~Ps}>s1U`)7fs{yguCpNpsX2;lM)kXc4
z#Abuol)g>)wz9G#@iZr=%E4PT%GyLWsaxBMtgS3-Tb{Ko$=Y7Z+7@PQk0iD>x56o%
z+FY-AwIb^ixXe*x){6anMP|9!nf-!O1UH+@BHr|vac#wHXlvs6XWAWRlhQxxkA0bY
zPGRPKF0;Z*m<eCcd`;%w3z-+n{Byneh6R@fP6;b(9i8q@A7_9w*cs`JcE&jqoXO6q
z&N<F>XO44)bFFi$bGI|!d6bp17oFFgrOrxL#lCblS&y8NyEg10iP?cQFEO2~V)KgF
zlvWaVX|w3L%6sPu9UEL{x$`BfX);b&+r)N^#tPd#GTk1rxjynybaK%&wFO19imolX
zx9EwY#YHQlm=m+OM|5Ap3X-I_<)qkT?M&~5V{mUVEH+tJ()%wXvt?0~vzAR-wr|-d
zb{i0ztgndQmcmzJ&WO!RVv`jnb$=-~zllxOGSxj!qt)2xzEvDgD^_phdG=oTT<&j-
zO;)J%etvAeNY9h!uSEB)yG8ZXx=Uo1-W<7?-ff)DjXYMuIyZ8V3Y{Ank9DaonW3_d
z)VTq^c*0tXU?cdvBXj=kS-%;;ipnt77Y-zyfE6skZNU<?m#Dp?+B>SfhuV9ny%DQf
z*4YbG&M1A+IHgN8Kbaa`SZAY5ksn)nSSf38rBQkN#NoIrjcSBdv(np<`z5STOn|$W
zU~j^B(3;Vt3u|7MHMmp3Qr5gIt8df6o~(jd*4WZM&&8z!D`Mhv8n{j7eDS09W6&z&
z7#X4au&%Qkt8C(b3fPHtHwkqD*d=okxDBgsmNmYq;I8U&44hQN7!}uRW+qQMD0a%s
zz+S4@CBq6ep#>|4n4=*CJ7s2rrHWlxpOX-RtO0hqn|esrYSQa&>6IGM!uG}g7;4!w
z$7gM<!OPktZmbx`PanwI-c4*y)2xkALDnUW$9lYkfHyev!+LyX8;7;|%xHba%6t@?
ztjNdyr7bjlS(A_5Zc5x_y<Ea}vS@*QS=+zJ&amZfKX;Hj!<*$F@82DqlL;~-GGj9<
z8_aJ|(QrV+vl_nMs243hh!w;AS))3<fZV&+Jjfd0LRQ{hVNGl)t5s_`N%^JO2<r!q
zyf@~$Q!+#C-_;y$7ppnLzM|$#`?{L5?5k?dwlAwW$G)cKTnV2!HVTia;W0HlriRDV
z@R%ANQ^RA<wJ)+lKgB9%SgDm#dpWqRy$tNhn+KM-F9wH;&&;v*5^x45)Gcw(17~rf
z$r7({#~e;TSh%7J-`Xp2?_jS2OYIflQ2QHjxV;9PVXp>f+TVe*?Qg+3jCKQceUXz7
ztl}Qe3gcO<s?K8V?;6%J?_@N2gw@Pv7*7_{_m-KJ=3_>c3bToG@=<*<E>N$-?YnBu
zuy3n5)5=+lDdhScHD_DKf9~hlrE1QV@YKstOL$BTkE!7?H9V$<$JFqc8Xj}5eM9T>
zI!e*OUJsVqYr&!R_uz1ON*&$|&agLvGwrS5EOu3;>^FdO>@DD2=8^0Mqn-C+b$Or}
z42O+mRrfG>Y=XU)G|uEinxt_%SZePB<vfG58GARG9oesyRQ~`D=j@E6cPBX0-UZI)
z<f5c>4_K(R{)~GEJ0C2y_k%<2|AE6f%PR3a2+p(*fwS!cpp0jp{R_6C%!0GhCXwRy
zuRQ5s9|cS8li;@Y39zR<9Nf`90uHs0gEKfoEiwNMob^38-~(;Rp`40}IAEokGdNi)
z_cQHkHD}osYR<MFsyWB5Qgf~)JT0l=F^5~iV`_Lz4UeheF*Q7<hR2+1mnjD<08i$0
zi*--83n@_t`!rZ;p8|)9ANb%oaE5&roM~SGXW3`KIre#QF7xYt>|@C4_h?r0C$N`s
zD(mdi%^Z5c)#y~W(hu%Kx;)By`yy7tUpMc#yK7!MxP#R!bq7Udaet!baCa{?k8y{o
zIl~>I=1g}_HD|d))tv3_q2?TSxSDhAN93r3{TM8@<>0pVbFe3;9HlgCz~S}_@ECVD
z@L0PJoMFqrnRY!mi}Sw1FQ0&O>}OyhzN^5!gZ&yT<!rFT{3STt{sWw0H-IzkMsT+5
z>B4ud7!?Q5H%6c*9A=I*li2Y%!<^3^!6oeYT*D5`AKCY~pB)L6!0x_Unhx$rHA`LQ
zKeX6TcW*U^y9cXzjC-J(Gu-{voav5Ia~9_|#s6$~KQ-sL2dO#Nen)OP*bpq`+?3>d
z6FA&uzC(?S0FQOqnaj*@S%t{VbbWA^%T6wF8E}s4fpb~g>XMA~NWT$`DWj2pM>48R
zMgpFJK0V!Sh|dmgBe2wM25#$a0rs?_H|*#(0EhBUpQOGec#PWuJkD(nPIg;@C%Hx7
z47Uk5(=7pKxiYrSb{m6p++wgm+qi9T@8GrtOI;a(hq~;5kxF}T1}9e}wynY0?p7e<
zgN({<N9;p6<AKjQm98^BJGfoIQnx3#t-C$gQ+AUnT`4$}6EBkPcHl8?Z}2#`7dYAN
z1D?b=8p%&La3<Qjlx`bvHt!2a>9z&u)|+n*)pqXS9;RlgJ4Vf+?jdRpXO~;};uv?F
znls$7YR+_-bK^eC{h6AxIRhy7bKIY+IoI8h+;njJfu(L=aHzWjINaS8JjNXj9?Kaa
zDbG&eOm`qS%iS5A&DkF*&n{qr)<P>FHgpPNL!%%D^a)}>n;-^s31UE#AO`e^!ZEys
zyNrSo!@Ho2fD*%dpp1SJ!xB(NzQQqlfV)UhiD4xu5>#SX4T|)X7(N6=a!L%1Bkj3z
z4?w0#Ee!@mo=GkJ1Qb~&wKNPAIVSb9Cnz#Z>Sqs7<X25G@5@t>1`_i=phyCV`Cw3_
zfW*8%C=x(oJ^+;7FEJkkR-flXc`E!OF^>U-S0v^mK;aXKc`PVAA~F9A6#kHye-6q{
zzSHtfW>_6%o(1h7F0J-~WPLet!Pe^3h+;qD!i-ZW<uVQzC>zg#+_U$ca@iA?zIiSK
zap{(Iv8{TUE^?m1zsbLu6AicefAIe(XBzxF<V=HqH)k5|<wV1Ma-PBeGv^r|@E_#v
z208tJzlV5!zyC095BU!p+j6}*lV{caZXs0q_Xpyr`n!#I3;!M>6-hDw$9W6#P~Gog
zawqvK^!tln`1gok`1e=8;E!@!=XTDLEbyN47J5&6&v?&zi@fK&=e-xa7rnoGFL^I}
zuXwL|i@n#p*S$BqH@&yKCEnZKJKnqAQtv%)nfJc;f%l=e+*{$T^j3MRy*1ui?<4PH
z?-Q@g`_x<KeI{pAymIdg?@RA1kI%_^-*_9mjov@JP2RWOcV6gou-3P}>wCWM2Y$wH
z;5YOe`HlT1epA1Qvn?h57Jf5-OTW3_!f)xf@>~0D{I>p9emj3_zde7N)zR<dm-?Ok
zE`C?Po4*a`V7B#p_}ls0`#t?$es8~zzk}b`-_h^q_xE@5clHPPyZ8hBUH#qspZJ6P
z-TlG-9{v!2s6Wgf?(gaE<&W_9_V@Ak^+)>q`TP3^_&@c>`Um<4akA!Mf3$yyKgK_l
z^EE&7f9{X-5BHDokMzg;NBKwl6ZreCiT<(vB<5x(_>=t;{VD!QoWc2pKh;0QKh;0Y
zKi&VOe};dif0lo?e~$kv|6Kn(|9m;0<6q!U_b>D>@-Oyh_%r=k{%n7aKi9v+zto@S
zU*=!#|Hi+<ztX?T|E+(u|2zL0|M#5dxvt*aUzPX255E`Y^xG=&_&o)9ylxy_m6NOT
z@T2}?{^OiddP2@9`A>01>1j?VJ?k&>pYxyhU+`b_|L(uUX{A^ESN+BQYyRv08~&UA
zTmBONZT}trU4N<np1;h0-~Yh>&|mJa@K^b({Wbnt|0Dln{}aE=|I}aSf99|EKljW1
zFZ?h4ulx$1Kg9Mo_#63l^CtgW|2scqxy}h};09jc2SJcAPP6Zv=Z)Rcn&v@+V9TI+
z(8Bvw&?;yhv<cb<TLtZct%LSKhoEE7DJTs(2VDZRfo2uvz5lqLSg0Q+y|8jW+<~6>
zWAwwrwI}{-`l0l~-y@IE5VttTjP(E2{P-OlS%n|{$H-l4QxqH+92ATS4h}{KhXiAS
zLxaPDp9bTCp9f<D#`}^Ad<+SO2E&5k!Jffh!H8h*V4q-L{*3T|U}UhLaY{bsJSU@m
z$;Z%_*^xML*_d*%C7Vjh@wGPVW=qzat%I|JbAn$5=LY8m=Lf$IrUe%S(}N3xi-L=T
z8Ntk8Rxmr56U+@R3HXk3a9MD9@SEU@;F{p~0V}p8&je^IB?pqrZoxJ|_h8$gN3dP6
zeb6)L74#1J20I3Q0`%3A+l?387~B-x9NfZPNBs8-`Ug7&I|l=TU4ntZuEB1>PlCb0
z9>JghU9M!hY3}Xojr8{O_V*6(4)hN4MtKK&qrLIoQQpzs1n(GcqIaw}$ve(F9^Vu3
zeW-Vs_fv1I_cL#t_jB)X?+EY6g1$waaY}}vNjfEiSWmVkgH2!eSZ{Z4u(yXd#2e}j
z^M-qSdVBFVkcD#ac&1~fbEaFSd!|RGccyQqUuLJwfXu+mZkgRPhhz@T9G^Kc^NY+W
znbR`A%$%7yJM*i|d6{2lF34O+vJR;YG>tiNyAyvyIl%5>2ijfjZuTd^4VLqhB?DMl
z2ESv%=P>gt>Bsw(El>wq+19p=ZELr(?d;aJz2(bMoZ~IEooyG})poPn*zR^)+rw@b
z91&bc46V_UIk-v;%{d#nz3pjx+1|Df=Y9Ly9c{mWmHUzsIV<6K_~ASP=Y$*BhPIJy
z%>G7GTV#uEiQR&8!^{thH_6*b2+pR)Dc(rE6<%|)?g^YVw(hx#=P91A7`abV`vr>A
z6)#l0NbzFODP|`CyccW$Pd8x2xF!28F1usBE%jkKar)n~+i#2K*}MNuw4MKct>(I#
zbj4cr#JY|~Kcp7;uO5BcRM7%!o&i<S0qvRgEPM9%n)wvc1oLM)KdKh!9{VpJcMIx)
z<mz9kn-<Va{l|g^-ab{wHE&GS@sBaIkmefetKQ>&7a0M9>w_EO5vot65sE$4nnx)a
zhnloAmpWaX9_+dA<m~1QaYpdYitM`|<xFy>u=9SFbG~yCd+(P!S3B3U`+lc$pYtI5
z?+cvgomZSU*@0i~taa8q70!3oV^nFz_|=}Vst04xPK<X$><GKR9c{<jBke>x*-o`*
z@R!Wf?JPUbUS+SfH{09oy>`BR#6Dr4u`k-ic8OhPSK5#5dRt*Pxz=sq7P-y&`{s^r
zH+OrtuRDMpxMA)-?t$(Ycbt2aJBhbQPIb?6&v!3!=kT7$)$aA~t?r%feeQ$qqwWHC
zk-L=lJvMnwymsF9-fq<NIB&9ds&|%mzITx~$GhCS+PmJn)w|QX&ztW(&iwl&=GyNt
zmo8_n%v!GZWH26F5F7<Q6&wvN3?_h22giWV1QWq$gJZ!(0Viy{=Yr#8r1PE+&{(_|
zf)l_OgUR6EgA>7*f+^t3!AamN!O7sO!7sqY!Bp_I;1uxn;8gI9;56{f;B@e<;FsW%
z;0*BX;7stH;4D&mGB}&JeI$S9fKLU#0v877f=>tMfzJfz<LlYr*Os+YayX5<C&=Rk
z+&v#m2VV#-#O=l4BHj*?JYEdG6wCl$4rYR{1hc?bgW2HXU=H|NFc*A1xCDG7xD<Rd
zm<PTUTm~))E(hNZegnP}Tw$!=-m((ycd)Eh`yDNsnBU1Z21{)durvCG^}E<2u&XTw
zyV(+O8@mPA-8KWa75&6E_pc?+cWp~>Dc`BF-g~w+xXiWz-?ywsdmr%4EbDz}+kwmN
z*5C@;9$aZVfU7KP(B5h^Y3r@ArQllLL$=;WwhQ>NWhUr-Vp%Wt%J_zg^**(%Abaa9
zE5+Vtwg<T0ZU=_JHRQ?!zX!LlJ;7$S7q}&Fsan6e?E|)uJ!HS7?F+WDJA$okKd={H
zud;q`yEC|h9RT*>+mP1pYX^cm@*NlJ_p`f!{rO&@^+o@-{%yijAoT!JW8Q8uv+%#A
z)fxs3nOzJ)Gw+8cdnhtyZ<7fcG2a-9uHGM>KaBgv%sz&px$lIo{ZsCnFc%q)9=|i1
z_gL<mGBeo|t$qM{_|Ld6VxF=WI{q$b<>R<7X4WzSjej6I`p>y9VGgr5`v0zI?1yu|
z1v8p`m<{ZP{(c1a&6wZp%iQ26X!A$HVdIf=tb1aj_ag;a!$rg21DxOu0gv&9f)jan
z)uQna2Pb)~;iCEP1s?B>K#AR#*~K{KM16z7*nZC3XvcsUn9<(^whwLwJ23O`nca_N
z-qa@;guPSnvtYkq2bphhasdwDj0CNo>6Ph?26~2Sp>l$NG&vDqGnbe?nR(7|cfMET
zuPit#V@4)3v(23$WG)l^m;D_<IgR6S5~Gy&spJ$8I~<xX$6di)BQuUSWUe<iIqjWJ
z&e6_9_s<^sIVU8>nd@;o8awZAsml@g>g34DA}7P!Ug+qNUx!lR=1A;*rYrI97@fI6
z@0OjJ2Bd-pj=tZ)bY!2o3+M8Bpndm2W^n$MHwK6Drr=(@A$S0929B{u@&@2U-u#=w
z8-J(prr(S94gM}?H+O{WQZU=FoKQ2IP<e{8CQqBM&F#c+gn8Fq%xeE8-tN1^8RuT+
zUf~?={?`4obFBM-`xj?A(t4pY(|y)m<XrB);J)Bo;lAX)>0If)?SAN7?>*^Ha&BW~
z?>c(`+S0>z8sqy4d#%4J$grd8n08u&T{(xcE#=#R687iqwOu&-GAJ`TGln<QCTC9O
zZM0K)3+)WvK0AlE&d%p;v*{Xkb7y+gs<wvX{+W0jUs}vE))dK|%LyUeR#G4G=Hwa1
z*mLYf?BrS|eQQ|#$AO*wq_)21{b{MErCLwlYCZj2>uG}4(<H5@3$>nRX+8Z$>*-3Z
zr>nG{ZjiW{;f~O_eQ%J*x;|sw1-Q=gW|_u}cymn?@3-EyoCUHv$Lo*ZZ=9WZTYnd4
zPrk=6!r9kMa`tnMFq56}&L!qNXP)y{bC2_w^O$+tS>!A-?>H|xFPV24N1osei!}{-
z$C9-M_Y-%W$+(|WBaOXcZ%fnNYw5M;%W|E(QnQoS)$3{oc-=kT{POyGyYZHpMJi}s
zz0<tYO(Sx3HRq<JPOsycgG~D=d80<*XT}=(_K<-0uY*Sez8w|&__>zU;mN*{-^@IE
z7cs-ll+0=8Y)#1|*Ng}nm+&V2$NMEUBDF!haV`!;PBA)V@Avgab1yBrJCes?^<ZLM
zS0B8`z6U=xHrr7D`#T3X2Ra8iqnv}C(ZNNTE6IUl+25gl7*mh{?f6OCArFGXgTqZL
zR(Q^4ML_(G$A?Q_E~T)&I1lBp;`3`xWXQ8)rHquU5uwlI3;}M;{P(hdl9MCw>R3A#
z*8Bq}OXP|5_C{`ttrJfVqF=+wycPJB;oI2!<~v1vgW&;WQBU&}dgRXLHRYr?l#^CC
zhrmf|l#|MZlbnviNu2M5hn)T3_&uHd(Grhv#@O+8yfeifYmaqKvZvZpos;Pa_d36@
z|7TY_zjG(L6P=f}SG=OV;w|kJ?`p63MtjA#(koaBMtax=(kpC3dc|_v%w6fOwe5sI
zZ71PR+g13}4iWyedkKHq1BE~BDB(|gu(zYPoBf&e9(xR>-`h@P3_Zji%cym{{RN!!
zOM8~|Dtor~JMUV1q4${gn4Ky8!OoJFu(PEl>>R0cJC_x<i|i%H-LCdh<kL2Gp1gZ&
zFJo1yx4m56y0yQNw{Gnf^46`rQr^0?SIJwq_P6rZt-V^_y0yP!d>CS{$qdU3v%g2C
zjkeb!*T&fE<gHtKJ@Rd`y#X0_vb|B>y0tgSTetRRdF$5RB5&Q=Tji}=`v-aJ*8Wl6
zy0y2-TetRh<lr=WM~1g<?VXt`Ggr#FAjSiEOFrU|evDETX0Y<w9@?i4Rj&Fed^*~U
z*Zy@J9JH4?Ub*N5cLk%@iS+ZnW{UQ%lh91|HD}U)#+$RWzh9^l>0<4JGqmr|qR(_N
za~KIr&0M5-Pfl()oa$iYl99|`QE&~F^;20#-Q50$WD$8F?+dSFXE*(B@%H*|@hE+_
zcmn;6i}zl|jNUCqHt2i9tih>!^4@TCm%I_23zxj>o4m!_N8jQdq;K(#)VFxY%3Hjg
zT!~^x-r|k!k~egtyX4*5=q`DyHo8mRmyPa{H(|S<aLm*xrd;tG#qR_iPqC3=iDFB|
zc8aBn-A^1p^#rGv;xNUriYF^xq<F33{fdhemnnXE;t407U>hlxD7I8=r&y}kU9p#9
zKgEHHgHJi`tYhq+iu)+;uQ*C^jN(|u!xfKGoTzv_?Iils<|1FLAiPLXk5jq<E4B@A
z`R{Ob;&Mc#sSn;x9o!1t2we+Z4P61vgXTappy`mD-{{DR#mZ;0q&GO6UsBVph)lj=
zp!b=+v3Y%DHZF?I_ym6AI9%g5+4LixCd?IxuVK?JUH0iZvg^cd9e3Y;(wj4;Kkk_c
zxJQ@s{HW(2B+VwAit9t5=l`SW0!G{BPFts=(~WPC^yOWNL7Yx*?(BoEFou<zG1;}7
zwyD*dBGzxZv4V3wK5m7^v63^6P-EitoCjIsS%4IOiMJ}=aXxTX^Ik<czq3f`8)BB<
z7=GV5<8+;;#5Rgoh$PJ-O=*s8$vV;Hww<%UmO|ah+XD6@`Z?Fzfvg$5V+XSfvZqsI
zdpX_gNT=M6BJ3RU`;I+~?~6<zhi!4;ODUvsJadcF(U+%j?)nmYg}uh!X#a@o-S&R_
zu=6PGX&k=R!8chzb1r9)9Nr)imzipBpziN-*2r<J+RqkubG8*;_?6;W>hl&2)mgDv
zv8DQ7qWG@jrJOl)%qRMElDfRF_=Vysb-zyS=cxT*#io33iL}(-T(PTSTS4;=eOj*e
zwTfRVz9;Bp)ILM)?bUvl+P74^NnM^&oUZt?;$LNV#cASv1$I!EuLYe_#m0(1Q}+#O
zKSZ&G;?LFnMYYdT`^T(WI8JlLhJt3J+P78v1#0i8I8?Ex;x>xy1<fmJFXnWa;}qKk
z##z*F(doE1;q*3dDmn-L%V<*mNpX0jL8YFxecZRAo^>FcsjH%9Jw9b+^i<YH_tDkS
zqU`$Ut!9aHCqAN8((Uv5)JybN>3Q47z3ZEJ&9sDlzjo~Lb(g+E4;gItv?J*otD{~K
z^#tzD!GBAh4b&%xk=t@R4Y#;|P^*S>-VXgsu!G{>iv1L~R+MjdInH>+;ezG@wU1NW
zSzRtv`w5DBDUMX^t+<V1OU1^DLlhmwnSy-zSyE}OSRzQt=y%QmYHzOY`zj7q9HZDz
zx$f7>GmhHtQuk8DOBF|Qa@}!;2y(t(QW>n+Rq=O<zT#toCe6d!*xm8JmBz39>@-q)
zKgBdx_f{9>Z8KBt)o?hHO!`P$LGzv3yQqD++Q+DUm7?~AxCcf3qKH*WhkaowQ4g^@
z9R<xY!Dl)?(+#`4M?}k_$A~VINWHhEcAjbUj69R?&d4Yzr}Mh8o>28Yfl+3Z*^@KT
z5)U1YFYF0!p(tO)f@cKfyDs3{>Jpvxi_RIWQkSlRPe1zfGEMV%&dnO<{2z_x@g`s|
zr=K&>8SL!IY;lxxm~%Mq10L_3?3~UUfzzBB&LzAPc#U(T^GDtayx(~ke4J1V*_)V_
z+MQU(8-g31wM=XSXDPeh$sR?MXqUpdM)oP#$yiI=kK^-AaG`U!9YI|8vwP7b-oI#X
zTRU&siKOx+Zwbm?20y|{+-K;nN3^ps!nwlEBc-bdt2-Qo(mf8!G0;BY9G2bbc+oC%
zrs;0S?a6+JoleTj*cDlCZztR%+)0QR*%yg?-_GvIz4j5#cGH@CEuFSg?4@|9;tq;E
z1kJ^2AE!86T`o}kR$WFYc2Yc1k$*WL&XIy<rrLK>+(NO5;t)lvI7iTIQe3YtZ57)o
z_Eh9w9q_X;Y)j1T)qb|(u3;Noiq(FWpmT>}OLaLdg#Vp81<m{F^141PRr@DupQQFh
zp{%#9RF{1f$12{UxRoHOOZ=@An}waR_fhw|)a5?4cT;<7wST7gvf@4J{;=k!v$~w4
zE<aQI$7+wlwo!Xy#clQJt7_j)(Ni3%xQ*i0imqZ8LB3ij`5dG6Pu1R4@ToHv$huAy
zX~4T<j?-1}sc}yomGaS&`HHOQ=A?nhj@9^ngEdHpvme)BpR6vwch+OS&G`a+nOzsh
z`JK2wRr*x-RE+J>>3N?qK9Svnw^4?e=&giAu3WEj;zB{47a*I}<!;4;)Lp*P=kRtG
z=*(19xw7ER1xr(Dl~$5tgOOh&dHX4P=P5~Vv4)?nF-}(dNW~%QBC`_5Ia_gr;x>w1
z6ji=GK48IgO;u+Gyp?DEgUQvmJDXD;)r`>wq(%+zW;sv(QRh*YBGCpSL-Tfa?Fesm
za9^gP!QcjaHhiV=*v3aTp4#~Q#<LpFYkXDXvc}&vY0#u?lMzj(G@0JynkG*)S>4oY
zTGX_4)Amh=H9fxRyrvH}U0P&|x)<$VbY#)gqUl9f72RI+2ya3^U-U}Rn?*~DmKT*3
zl^1<eY>S%|H!E&k+`hO=agXAD#RH267w=g-viS7kbBd=G&nUjU_}bz-i|;F5P`s$P
zyriV0N6Cnii6vK*+*$Hy$>Nd^wg|T9vc-@sCTwx;7I$y)%oa<V^=NiRvvZqGZ#Jvh
zea#j(TheS<vz5*FZ+>L+sm;%5eo6Bio8RAjQS)WZS2q8yh1a4{i*_ygwiwW2{}vNk
zOlfgNi~CzFZ1H@H4_cJBY}c}H%aJX|w4BlM`Ic+h0s4vA+8M;RPj`m~o2~hp>#qF6
z&~ALW_9uMdb&wg%lfgXc@9e?Xv4`M39NLq0GV7ggGTs?-uFLyVxS<y8X<G1)7Oled
zrggZ<w8h?^f4z7b^BL$_Xc6=r^gOg2KP#Y>&?;y(Zfl^m&_~e6&?itC^eO)$GoOD*
zc>sD4dI)+L+5l|~Kjj}_R(Zb;*YgiA>%CcFg*O|T1I>lzL6<={h0lAp<L^%Bu5eYR
zVYoiih`ioLuFJ@Ex#qYX|5er=4&&>BrXy6!eGg38GunamlD-h%;iXh%l&XwUl~JlP
zN>xUw%4#cx`G)v5KpUZdK%1a%q3@tDtZ)qEKo)W#5AvY^%0LaEhEOA@G1LTV3Kc=c
zPzkgp5`rG%w18SdeEZKq&N?zK$!N6|gf7M&0wWhhSslvibb?AD8ArN6T_MIPXB!Ba
z>F{Mmhq`e1wxUCQurluOpIa49Z>SHn1JoDV5$Xr^hsNUv2`)Q&&IITfXd-khGzsF%
ziq7%S3D9KdL}&_h5_B^33ur2I3Un%T8pK@7`6YA)bS88bbh`<hJD@wEyPyTQJq0a<
zo`GJ1WWM$av=UkcF&c2nz+vazVc*?h*WF>y-C@VwVZYr`J(fCRr`=(n-C>uV?~g*%
z5&P>7yXy{n>kd2X4*Tj3yXp>m>JB^Ve4!Mgj@U(a*h6>NL3h|c=bNQaUkJ^beRBtH
zErVOj;MOv@wG3`8gImkI%foW-Vcs;IY8t~;&7oZ1s(@2hn|5$)r|>)F(B9a0Fh1Pr
zn;q$={gI3p66P`Jap-T*6VQ{;0_Z8I`hHnKzpS8NR?sgi;ON!#%hmMD)%45N^vl)s
z%hmMD)%45NaCA8wT@FW=!_nn%bU7Sd4o8>6(dBS-IUHRMN0-CV<#2R499<4am&4KJ
zaCA8wT@FW=!_nn%bU7Sd4o8>6(dBS-d97SF3qP}=InZ3_66jKB9>g~c;0zzm@Zk*K
znU6$#0D2I52;$3|eBHX-*?`HnHm&8W-aZsSgTn8SD;3C<3jRSV^kzV_OyJFi=0J0y
zdC+Ch<>4mp23qc>aGCd)@H6B~1@fgLb4B=F=1SV>AX;)sENetMZZKOR_1e)A{KpTH
zaxE>kqz1XNfmYZ+D{P<@HqZ(iXoU^5!UkGlgIPyhpF!)P&!KYY8{*yoZG`>-ZGygq
zzJtQBjFu^*Wy)xoGFqmLmMNoU%4nG~TBeMaDWhe|Xqhrvri_*;qh-oynKD|YjFu^L
zM$pISBb^_B9)uo(9)=#p{qN9+&}YzkXanvW`QNS6!uPz>p);ZB(1p;fa0C5d1N~qF
z{a^$AU<3VNgLj?Q=r{C*p59;3pPHql_3|2OYdN*WcL<=5ppT(Xpfc#wa5-(Xmc7HR
zsfVLzmFH*){=Y6<qkX9>|00M~qd#p)e`-q0RM0ZdQNtC~a0NA7K@C?>!xhx<8fthA
zHN1uzUPBG9p@!E`!)vJFHPrALYIqGbyoMTHLk+K?hSyNTYpCHh)bJW=cnvkYh8kW&
z4X>ew*HFW2sNpr#@S0kAe?+*^nMUoxqt0~bLg*ssVrT|*J7YQj;sgITh5wt<S{1Zb
z1+7&<YgN!%6|~kyT5BV%wb7xRwAe;kY$GjJL5o$;V$afI&(dPgdgq%``osor8s-I<
z({Z~Hx`>vV0nMU?XG3$KxzIf5GU#%~=IiJiH<+fh=AcXiQ%WD%Kp)wVX^cky|6AhU
zr6r_ilyjCK>U+0DeJ|u|5%imfyoc$nf8mSkHtv&*e)wO8ezYBX=`HM}@N;_}|F&5c
zK55rM--Pe*?}6{wjnF^Bcic?4!EFHX9R;^hxQe&2oAHizGj|J9?6wP^blXEipkdII
z@N@4^%oII*XWZg&lUo99fj(*l-DcQ$hFkU-a<4IIeomU7lji57`FSe6Pf5=wJwFa#
z%>Ou6_TA8Q$5$JCwZT_QQfY~Q$#1b~ifdC`i*c2h8k!PZ8{*n9o1?nLST|o8-gI|a
z7ja36TxDyZ7_FQ$NrK)z$p5saeoy#$9ZOZWJp3>C@>HfF&k~sg|BICSF<cybnw*z{
zvtRYY@Ex>3X)&2$eUi0{OWH^Dtf}Fxs%*HNEr}r=PcF8~ypi}WVs7nlI;knAl+HD6
zJpQi&>E6xzHRd$T3rriNbhk`H%tlaSR$?7@HF=Lw^KHGY!>{-+%}wMivAN<aHFuPJ
zdEQ7ylKs$Y_h%#+B_l8{8%TR!+((A1dA6Qs72W~i67N9FgVf(LZ**7|+=Yb6#4%Lh
zt6Y7I!W<n|@U$EaY$T)4euR@a4kS;bxF5|E3AZYKl7w3;PYAa`pMDnSD|xz_r|UJ=
z#^i1-;n(A%jF`*F-Oa?ln%pfXh4tRSm{AU2H9kJqYWkE9*R>jllsw5<xt84bj^aN^
zk0zfJD8WQD$4O|?F0LDJk-IX}&>PS5qli87x6V6;GEEHE@$~QB@mlIn$o)~|As17*
z#KhCjHD!6aHXA+)yPT)%c)HFsAcak-6eK4Sei=TbZulZxDt!8B1!v*L6Z27&>uA!S
z038!PL-@7cvE-Wkd&lult5Ggj=fzWjFY&QfQlZA8IHV?$C(F&2_E7!@<uLxI?x&^`
z=eBy<ahN|h&FvAGvv_tT@0MMK`*oPtW8Q{&JLaEx8*Dy)9>woM>`yZ${jjk){<CmR
z8XK~nQp{S)9;~J8!CJ~5tflP1TFM@*q3q#|fG(xyG;rsHOWfavW$uH}YDT`#;mVS5
zmHz}(IZj7<5C3s{T6hPV*BxkHcc5wAfu?nb_hh)#dx}<m7J5Fs)O#88Rp_<weea!c
zh4(JcmqPDB%b@q651<dB<<JUfCA11!4XuIJLLWgNL!Urp(5KKk=rd?NR6!bFL*GCf
zppD^be+#G?v?bIWY5}!`T0yO$Hc*f7QhyK3A<$507&IK(6WR+J0qqU#1MLeT3;g|{
z{h<ROdYgX`GzvNx8Vwx+je!n@4ugIQjfIX1-}jG(CP2qP6QN_FNzif772yj1O6V%+
zx6sw$3bdES#`E6{m-)+}wa`~co2o7%q4^4)jJNpy0^b|)y%FDE6!0zKH>Uh-tR`gP
z_@cA|k<Q*V(6!J#(4V0HLt;nIBdnU!YU1?2K}!3T^A)rSzp5s0HfR)X3`!^;r}43&
zs|Tz)1x+xUhMxq*;b%PkD%c|YI%pPtW;maZ3u{t5T@e&vGK0s*dVH+sY<na8F~7&P
zLR`@t8%d79uZVY39Ac9`6W`+V8}7=9y}~pi59PR4;I~}kX&Sykn2+$KDTpsx^D~Wc
zU7S-%=?e`X5cadIE4ma<KH>=@m&RB^$R=KHtk~ckh&&!euNobG5=+9*kW-%^!9GEP
zJ%a@M%9MD~_$4F6SIGXayaU2N6Y?uYh>r+e#t5;V7%GsM>xgAJ5^^n}S0W+TiG)Ok
zC!^MA<Z&YHBPqGg6ni7d)qbYEw?A|M@g0bH5I!U6UEv*V+IkaAk#`L55l_TCmS@K?
zu1ehYuA60*{GONYEn=smF}rJJVFkbP@H74WgWZ7w7a<E@oeDbtJG<IDAJH0Edruj2
z6rUO>rw+>CK6|I`Al$R=-bT2ya~y6$D?uxwW;TS&!R3rlc^6?5ALWI8<av*8!l%L)
zkQ~XKtdQwN3epl~*(Vk7BIohQN6kL$9r~{@_YSysF>fQtZV<dnT=$Wuh2gv5LU}v-
zfAOLY9-<a*`Clx%ayFwE9QA7WT(}w@U#7O@;S%9n?uA|rKcSXZfos9C@ZJB0x<Ybu
zp+m=4&Zh3NGpkqZ&N_6|^N@3H^6cNyR2h?!LE)c%s9c7(<mAo|73Y6OJn;MrW^ev?
zuxWS~(qe__#9WB`aD_a9FIMp6q5q7s)F+qW2h4@^3SW!ECHEiDcjzNo_xSNY%Rmw_
zI#ToO4&<j9=^@o=BgrV4go!!2gt$cFy}@dKoi5Us(en*(33f*QItBXyJxT5V?_KP)
z{105(v#QglDZg+rvS&r*swl*T8dvnCe$iu>NRO2<Eqp>Kd?txQ?xQDaJ_C27W#V6T
z&G0oO9p@}SPF=wD>tp*W;#`l0uq=Eh`}`e=;a`1K?&&{%eyFi>e$17A{Iu$x0xi62
zcn2+cM|fKtihGrww7r^%dn(d!f&N48n~_tv0H3ivaY>%D0?j2DzK4eRI=}Y_jV<z7
z4YFUaV`nt8%FcAE@m;%fQ_?S&e+#br#hM&*Tk)TsYh}X|<K|p7@m=^neWi@^K!({?
zQ-0s`(tl;vzD)_TbHbV<#h+`oq^4Z*!QOnnHY+i1&Q;TB6qj1wK<mWZv+d@@pAHk3
zn)uMg>R##qt?ePo%s*-nO4=ZM{V1h=L)%(P-BwlzvWab`C47VOt|#}V?s~Y^PFtPZ
zHe!vUQe8=mn{!dFI*-EPBb$@Le|nhz(Nh2YKfT?4#Qe*<rFFg9<UFb_k-E=4$+zX!
z3dKGDF5e~mQ13r94bj&)YsHTll-R`Gv<dIypEW?nF-~%+TLF;KKmUrt>zG<a|B2UH
zbX9`&Z&oYw!+xK;n#SABjhD4tbc4EIh07x)O)jmMAF|Z-%3qR;n$7A;UA3)ij;H=l
z;X&oJq#o;6`%!vHZ6|T0b0M);c2D|<woIip1PL3ym5$-Zutz;Fm$Re<^+_u#RpCA$
zJ+exvQ|lWAXNy((b$xPE7r#G5TT41<`vv<`O>M2=)*5@6{xjQk``on1>}&SYxYnZ8
zu$L2liTQk8%JF0R37<@24`0RB$YfaOT29Te-ep|yTh4hmC#S1e1z57VdR&r5%_jBy
zobVUs>Tpqbv-)lh7V)jDV)D_HFC1{C*5O)_+Y0hm!8;P1r$er6qOCm4Z^FljZ3&~x
zi-lWHW3MCRxL)%IH;|6(hw%mkcA?Zdc&(AvXM~O;BQ<vOqrEp~v&#*8-?DQ^&B&L;
z_(W6WvC23qvjV-SRcTdr@1j`5F_wkv>y>*6hZNPCC?L%=u^4jkN*(20@}G|laLLV%
zq^0AF_&<qKNL=b?Qo?WG*=XdVwhPZ9a=EK6_FQf1Zj`P+ROdHw$0z6A`6c6KMxJD2
zD$e?QF|j44tg=yZUD?4VEtS+-qnPuB3uJ^@U3=c6Scy;M4X0!16BV2sspiV{kt#9s
zhZR~DcBkdi^rIau*{PNsW_e6K)DcoC7L=}114&fbdPp3qm}wuH!=&b__{=$^<VfVm
z=?&_<9;@Aws%W|C)N}Dy@1FLPviIWs&R%9$X7Qyd*F0<ZQkIi)JeAaxtW0f+_fh06
z)Ip3nBa`65O-b9TZ3pJ*b(UI$z75~fTN~;+4sVc<+JhQ<8zgg^B%L3_)cW;Q-f8s6
z^=tE6Pf8L#oGTBj#JYD(N#!&Jbww|b_2l*0eV69?{=NxM=h<2fPtTGo@)7=(9uvDn
z?g{2NgxD4(uC<vtZYBkhxYVWQ>=j0;)&C65S8_-@*1gT^(Gv=nK76>adwpH=+qyoX
zqdj#>y_B+7yW$vrlf;>8+sH*Ex!SUFJAZvGRhwP0%i3F?B(A!c;kVhb$<1+y_N_X%
zQ(e+2<OjabYPR9ZY`Gf8E5-%16wP5xr*|6gzWl$>wPi}XD3B{o4%Tv|TDKOT|MbVK
zsPmJx{Z@Q)pg>!Zqa4rvfY~cFm#aN`smY`^+0%>kht#S?E(RoacHGao*4b8~K9joH
zk{Zfsn01cihx3@s{nIgqtI~J>M0<b~lrJJiKj9!5gR1KAb*QmI<*K<PX!JVc55HpO
zyE@v-s}h2o<xWSXwW=)dBwBSGG&e%SH|y9DTuq6-!d}T=m6WPFFq=XiYRFjX%gh%I
zAf?Nj+T%^vXD)YDlS{j>Z}l0qQh{Eufl@5dfAN)8a5?+Q`^c1DPl9n4JbP*F=(?#q
zSN%ry9P+y^uH9HFgkR$(XGTS1lX+_`Ba8U2-^Cj=*(>}qYt32u=d6`&QEqC=Q~i0Z
zavJ}k_cA}O^A+BNSEL{98=thrzEFcRVoTqXz4_>>U54k&DAAs3zu>_c;e1wZ=7%4I
z_lJ{oUBbxjJab}^|M6;9cxx&yPCN2MdM#($!lls+RkgMInQ`0~-Wtj`Zn(ma;oUF8
z=c}K?M*eb$RxcbceTvhjIrr~lt80(0Aq_98ml}Lj`zSjyHsrLt{L^<e7yeSKDb;wY
z)j8IMx8mFKTh;2ht{#4XeAOu_*?li~MRi!cyg?E_%a>tHxLC)jH3cKdoAFnUOGXc3
z(U}91d4;UK5MNrW$&RpD?O&70^HU|^i1)OwNPqd7^+1vP=u*;Kb)@>L^86)<qz>a&
z<q@;snGxwzq^t8{`jpFPC#O3~;KyRjrd3Oz<5Zp|O0Ff($=o`KM*ON$KFTwrSuNvL
zwv0=|nbb-guZ+VgN3M#VSIt=xuBuu4%%Ex*Qd3Pz%gbZ<X9k9>(MBgSv_8Xmsk!DG
z;Y(3GNf<)OI~*pwKXT`5KYE2zsP*O4{rlO{MJ@0^HF{JWJT{u;-)8UH!0G4=(G{(M
zh&`^UHt5cBwIO$%Fq^WTq!-_t5NRE+MT%1tq8>7quXzwYmo~A*am(qhdhCfN;iAxW
zML0^nFRd3bWZ319mFP$}7H(GAk&8R(%Snhh9D5B?57Aw+{w3Us?+SLg+5ZyGt*z%#
z6VW(ThTi&B_;MWI4{KB-3+s}Iwsg{02@pxFxJLN8L0#fdKk0WF3d)wMF;O!SpG!T8
zY-^?U&8afls1+R9Flv)3`<Yu;jVtRC=Yw`4R<6xFFC`}xzwae7FOnM7#S}hMU9W;~
zH2<^&qd_%S5xkvkyPT}Za;>gFroyJyooRR3hg(Muqk0l=Sw70ekP4l$BCRgXt+#1!
zm)(s>18qdB#WB^8_c*rPoJaJ-yxgSI`&;UU8BlbW<UD*5&Gc#d=4+Hle(&ok<Ez3a
zl2DxQTf*~&aNN_9B0iRdZ<Fu$6Rj1EN^2*ahWkU|;}AQh+JX;AEOO>GmDjsc?<?^3
zUVJr-_HmNi>P)TO7OAJvKZiv1zdipGw1e3@^)zjjwECtUvi5rMdE9orNvn4@hFUCX
zo+v06YM2GaQ8%b12_C2TImg*)-K9S*mCbX)0qJ;alCe>*igy5XJWq%GaqaoKV3bzc
zjUKr)H)bYzsabv`zJ3@}N4!`XAa~x^ek?n=vXZ3QLOOr=kP)7qp5q3__GH9NWr<V$
zSq&iNtb1$e`?Q^wl64KuO%?ecdra@D;Qy<1_?$hPqn^<^YNUyh`<Sc9n{q;q^KxMe
z+X(SwHdgf_HKDWd=IByeCNsBuKZW9|-AAENxFwRBk(QFkDUar8Igw_gbFlDlx%yyk
zO+BL5S1{+1(;r{+V@(JAG>*T&*-2ZUuX3@H_j&lKj3zoy(ixJ<Li%IU(s_KlR$D5n
z!|K`~bq0zQ3TPF1J-J&{zPO)eeG`(I1-Z!X=ft_M)}YK!r}Ii!b_MjDi_EW^CfY&1
zpF+{q?xRqsl$+>8fsP>jvotLwzqT@eNNWIb|MIG)mUY=C9;g0B*`zGmvy}g|=T&`|
zC&>e2-}~C?x>gc?l(^@cvYL{(B;1*pk$c`<w`6ZZx#zQZeiO%#*QQCNhHr~hx|AQ#
z+bBye?YPy|MRfQ0swU3lF=l%8D;HnNLjfzRNV$|nhLteN@GU~pmHDqp<`cPDEPh<A
zbvRPmK=yp4X4EZ`f(=YO#%u4}5U-L+PmE=3rHsTg7I8(IQT{|iRq_|#=1ae-e#lR@
z=kT;A+|HFqKWvhM%w?jUTWg+@6bNxkRMyCad+JWl3dma-xjvPx(IjMLGd;Fx9Tm<)
zUa)XwQhU@+L(*NvS%LRBFU41jluL?mSrh&trK>%ram)K<Z=v;x-piZnghc<1qwd64
z7m-}Vv>qMtEwsPqxZ{L@o|-e^W7tHOPezPXKI7F5wBMSplq^p5JLQ*z&vR`h=Plw(
zWp;KRow(N3WcOLVlFCIqylD|h49rS9<vHH3F6KxQM^7cR<h-^^Yn^nH_R95pE%&$K
zKjQeJRcvmkeb%0$z8HQ)OReVzcZwOO#-5GXkYs!xgOQ4_=EP6(j6BYlCw3D5Z)(gr
zQ_pK@cF~iXn`o1OS!Y_e%!}h+bkhjA!q-wMA38>SKJ!&-;Gb|pGbyo11!-e#xp+mF
z9+8~SlrL$=7hL60iyP=|oYJI4_&$@K%)FWTR*s_+@0(>3tH>9{suASxWK?~gxD?h*
zlc$?!MkQ1}7oCRFqLE#4TZb5tUf=gh`XOeb5z2}~Jd(ggDH$B+cBA;DHbwfA%UsW<
z)i*_QV)JuFigFe)%OAua%NprtdAZ3-5JF`8uxKUZEs|NfkIqWFjI44JF{5_jGX0`R
zJ#wkqgPb`f_N=_s+@v%MiLY?Gr8SB|siw<S=()x$`Ia-E>(MRr($<OBDdA4Wm-vcu
z`=Pdu>bv9%jUs7l@fEH0q-7UAL{iF5fvkM>PIw@RG~dLJ)P<g%%YRazyGTwDPc>S9
zed0>{rJZGUHRcc*i>qEqJ63)2{aqww>O0NF&nB_*rhBFH9q`o?_+J~h$)f!H7OESK
zKQ-=zPbINeHD!dNp829|)n|2gA%>JRR?doNVZtrhn$Go&l<(?ON%tr5m86lFQOG3r
z{CEnx=KN@n&)pWZu?jCdFaO#QOTVn1P}qN^mWw>)_jzp_`OY?%@IWfYNb?X~pWXKA
zul&*{{^}wl62Cu$3CD=WDqjn)a@C!evOPS@eZ(ufDOp`u?FG`Pl4$IJeofzwuBc8p
z*^t$DlP6*(+Bs4#)<M*DQQA+wJvyzMU(=+g`?G1E=vJ?xUA-2*S@~;SaNT*NoR!6d
zmT%SFuPHC($>Ll*oK?60mj@#$9R8MZY6)NR!7uiuyqCg>4OWr=W`;5bvcsM`Wf4A|
ziv@QXcV!-y8mr^y8OFSVJev+5*%K~~xG%d}z{C2T_o011Avd4ob`yvp;&(m0m9$Fb
z9EhBY&Iakqk?x-160IJ|E<-HuScMmP_Bt-BbF#5;pUF>yP@+SK&LYxDX97}Zk$cW>
zl2Xn^Y-wqp|0KGrT>Hq~Dl$;D@J(pq@1yOK54qru<n-3M9CyU>L(au;hD&4!rRLmL
zj<Y1BhEI<JGRkj?#y(Q7<x~bKM=kZCW+V;5H_Xw~PSx3y+KOkolsPFkIgZvb2wHWF
zs2m@DWkvDdPTnN>6uwPlVdb_?{QTHvQrD7Bu65F``C41fPt7@tS}cvZ^|G2mCM~V`
z*$~O6yxdd?{KM2-(hiz#m0m{O+!rOxzCmiG0uED7k49uT@?Cn?7l{uk3;p3eRs>Rd
zTebl4j3|3wtA)68V_wu#v-h<I-V6`b%`wt-m5x^4pUmkdoJJA3n5>edxJ$w)@1wV>
z9Fl$@s|&Ioq<tciNwjQtyz1N}8FQ*ldude15jUhy;Sgtm_Dttn^TWDzeXeBW6n!iS
zM|q`9p{&&Pcp9y7&cpSatk0Knp>VIrp1x5JvRlYGnO7ORKNEk6#utSV?#k!+v;-%D
zUf}~04PoJt2sK)9i{}iaNImDSbPY+~*^`k|Wc<%jQs238F&9d0QsR1Ekqpt6j?a=w
zd6e`tS<U^u_QdkTCuO6|kv2nnq@-B1mM;4sv{d3Zmj<D<r{Pj8c}!|PwLZWsE8&J*
zxVqWmQv=H3bqi6WuSh4Ye{3mTw#N8>@P}3FyRzObBR=(>(nvNh6H&V*QiK?jxn@1)
z3F(woR=rOTk^Qdq=_i%#)$e{)_L+a5;!z&twCCJOL8RwebhEYTHv)5<2(M;Wv7?yT
zLy$F$#e~rQ7R8j4MCwX?pi^qC=<J~)8O`EV?vJY5rOVI#4|AuojxYC0Z21!Fhl#&x
zEcvxw_4yCr(n{lyQK7oGsG>xWH$Tp$W9}D7_(&dVB5}Dny+uu@+|xOb-kNTONP5Ms
zqndrhrNqoWipuxAleAUh&8`nesh|O5Q>K5eAdWlY^i$`z#3h}J*oU|>a#eR}Y)kW7
zm-O;RK?%!AtJUahoI+zZu21zmT6}to=T9UlFgnZIj0<p+GhF4_Q(F?toAPC1#_(wW
z^>KRAQuZKZWPKdlYw|r^8Q)Fs=*(7X{UItto9KInHA|KxC$*b#f3DNl1geh>StHUR
zb&9rnztulU%9P(0)%&mgiRNkpnog8Ecqo2LJa6w;;>qz>I@X*7OuOdnw4!o%;zA8X
z@-emk4bQBCBg)wePF6?wzXslS*PUNx+*#g~xS|+&Cic`?5c7w><HBhdNsC=y`6B6C
zqThk?ebdLWJ;yHa&?rZ_@iW!|N6Nl1S7-cHH)gg;&PS-vnjz99I*F%91B_zTm6bUD
zTpqGfbxZaWvMwo0RCmOub(ngPXRY~Zp4Ysas9y4%s@zbkvYVNeHTfQLnqA~x8+VAW
zbZ+4ewB{@q)TUc?X2tk3D7%`U%FUMWO^xfiDZlBKTE_n$$Uk99&V(<MGtHa$KX1LV
zwN!0O$%<;COC)>rxTNO3QB1fMtjC;0OZ?@V?3UNq{^FZ_%Xf?9%LUPSd5t33qvv^6
zzfo;$BfaMfe2Y|0X=FJWuj8JaA&bv6ir&tizMQ*|-9GvZwvEJ4pp?drctm#Vk6JSE
zV`_0KK4lM3{xjg;;;TwpH9rbO-)qvfxJGE2^0lT-XbF6&3Hx&DRNh&Ya}oc<(*QqY
zK}8npcbnobK*9AH)pZ4<UKJ(RG$je-+fS=l6Kam%R=lqw`vDp1h3`OVZEWBhwEPdX
z*kxT7>0HD*WI6q^T)!*Dzy4xto%>?c4_Tr@aVeL}3U|TYS}=r+rkr<`i}sa%BQDH_
zBZ)8arM6xkg-(!I^7i}^_aDmC{=Jl373#k=Cz6xWtY=91;xb~Z%T-xsAdf2Pwsnc6
z?tYM5x&xi3bIP~M7e;!3j6UhzlDfxSz0YVhKL0r*SDpDOKV<cHj0~@H>h15yR@G(F
z<FSqgaA2Ve{|`p)^sVSkDcLQM9e@q&oZOckkqZTm-FT1qg*Xn~YoU+A3Gi(>y?qt2
ztRk+mSl6l{p4uJ}WAw%OdcJ=pJ@5y;YFfSffjL;DXD<I*12ON!QlUO?cKvXb(6ny*
z64fOL*U7i>((j5zUYjE8<veau#=P?=lzwI8Es`_Y*tZrNTvo4kPRAi3W3EkRd-@iR
zxP8Bia#9xBDme|gUdMvP{7;Cui<ZWzyYH7q<<Lp(rQPX))OV#z#%YM$ZB`Cc;@>AF
zOva8#gN!lOGxH@Nej^RLJbYVHhOm)??A|9c{5sTndcP>wlG<CIBen`8A?pxGLG7zi
zjpY1Qs)st?if+$31mim>J#(g%9`mXsitnFB5>sK5cFdk>Nc)K1AV|B^&z{rLbiL(%
z39b7pMZ6u22G89*D7P0AzY`t4%t;CDcZ{O^gKjP!e8;_5Lf3w!eQTXg(fRVCC?w;X
z)N|a!ksrESQ+uq54{|1>M;&sM<35!Naf)#~vi{fribjB%#(^Z^JX7;8;q|KA>&Rb<
z^P|%jiQmmJl|#Q#erZVE$(*nb<<F&*&P~p>KDMO2a$%6tRa&7wIv1so?{+4AAd`|V
zy7Eix@w4#7T&k2l{?{6DOa6z1xTtS-?DA&5=}>jElV;Qd67JNmex`du-QuaAukhNm
z|3u%@T~J+llX<?DFPpbIwLUA^TmuRF20bR9`%?)b|5Eb>{U-{MhbjI|d9J}qACR3z
z$?JUP#ZL>eelwPP*(18ChM;+ma_bd&&V_Gs^On@}{P9tx4YDUbiB@RzOogq^D*up^
z>|}9{=e6(xUBl+I8SWz$E1y%l1v$#8GEScThA&&b!1sAB#U}qF`WmjX3ciMuXm!0P
zY4{uHIoYAW{2TImcg!WyOC+A~Ce6`eefm)N+azLI;^}k?C+?L^=I8P@n(7wS?{SHw
z%W<D@m2!&qSe2(5E&L{D86tkImqtSEr2MD3R@+fWrDSAQ{Y&zbgvivLYc&p6=ZU!;
zZc3KKpk=Id61{Sb#bvMRTo0Edy>t+A5zq0GlBS>5ZkN$PM+`YDR-$q>8Q)x1W6F}5
zU?N|&rCe4IlRn=xKGh?wyB?DB{&gB}&}p>IE9WtaIeMz?7_IzkdblR-7X?f5S~-%`
zJ^7Jyz%m<6y{VA$khSJ&Fk8CpGqGsezB)yi_q4j3s5TgN^43Qx)sfC0E4ft{VU6xl
zDsgX0+DNs4bg=xqq@P6g!YxzPU-d5eF~s?aN6hL&)%-;H^rP61yfK&>d1%|hYtcsD
zL`&k0xH<PtXhMCFdz$#Ft4ZiMH-$(2f-%citm!A!UTt|I)U#S2ol@Elo-{U*_))B_
zVp~ZZk73O<J{MMPjM0PL^gBXF5x#=aIr|={uJ0y6>2JCG*TzLjplZ$T(UU0WV2SC^
zI#zc*J+#pD=c&%|s|{cO2Zhe$N;;J;>HjJNx>H8c{_A_~MgS?@*7B_jjV+qVsP+_{
zkAz?EOGhiUK+TshuIhddtL978Chf<?GybbSve$^cldqU)e<_EPV$BELF)C|+`c8l1
zX5~{aT$51*TV+kXb&aW2^Dr4NvT0P~??1{p8f{$7vwTf$X~Y|~_5PF`sKa<wwMJ6m
z^<h%CRef%ri|R)3Lbc}>t3)d~QjS5FqlYxed5Fg6!sBPoS0!6ZV&UIGz~rP^YOGW_
zuU~*qLTP@*_g9Ha{Y+9(4JEEuX34}QJ&P|^)v1ToFS$DURw+>@&8fNwMIX=2XDaLQ
z%y?D$;Ad?*26Q9YmuyVww`M-oT%<34&?>1Xw7L4pzx<X@YiruRtCVXb0h#~h>vG~+
z%f<Wf^8LppHGTV0@|}*RQjX%4UgC*0G8x6Pxk?ADWM{pAZ$*k@E#uy1_3=uH>21uV
zS(#4`zUI7yp7E0v6>=g}?N=pvR__|Fnh#lfNxRlF&Vr+-%8%rv1>dRE_!GI>82&6+
zhe^BYTgKA=H!z0k*D7P4)tN$)SL&uDvPa>RqjUX>?^-4tAilKs=^7I6Ams5+Hoo|)
zWyw9Jd|y*9dWxJl%EcbJK196p8Ba0mer0=Ub{y8cy(=+PDnqrAGULAw-_Jp^k6gow
zPPI|g>j8VL(f;G}q!`aSs1eTjMWumT*VkvguP%wlr?>LFl8@}1C+|UgQ%lb+6h!6^
zWvs@$N*P!=p?tJ?jzf5se#bNw1GO&xSw)Ze?^|hyC<nC33w0T3Xve#vDC2N4?sAG5
zT+cZuIa4E=YP^e5ng3Fmsl}?X#N3<kbS*)Cw8zo8*dHzWf8&VjDOu}Ul1P@e(l5Xj
zl*Tngq`E*2&;KQl=ySsLIu=)xfl6ny6WOCDn^hX>N@#Xum00T0d%EF!DO6CdMtMuV
zaj7wv^L-=9agDO6nvzJ)IP1*{?)$9Gzbv^7FNI{C{Ek=-RXXuqHKrQts;c)YF36m`
z+Sby@_uv;tUUTxWO3*xq{55PnE&gd7!;_TnE?on^OLd$X`m{{;Si>ihNc20PQuDVV
z8K0&;7KAslULJi3R8E$^&w9?wiSN3Y@&>u=Nz275``h6(%xFba*2<%=i0X4B_T$k>
zbKDp6V`aYZmB?&)sx_s0MPa|V#@|HBK9><g=0DxDE?Y#lWbDYg*J4S@lSl^aTqr;k
zt3Ju!A*tt?7I;K*EhUatS>m-8+~o_^oQqC;6w1Zsxux=6V+7(a_S>^YkJUb;ucMD8
zJ(!xUTE@!lC~t>w(w=tQihY<2wa_IBrMao#1V|-)vAV>wrGzuMGG=HYpQ%15?HKLo
ziAOninZEMxWOrX(C}DI)H=Z4*gZ#JIvu6UI%5f!awTWFgqzi6xf-N}{R72sjEmMP^
z<Wc^2Wg^$Y@7pIKvOJq}sDq7Ge4n$j^3B#rC$ChF>Q+sd5%b1G<ty?{oG(;<Qs|!g
z(=-b{V?`ml>N49-{1!H~2i4kp^4|wYdRrtF1(ou?vY7Pm!l_nvW#+9bP)X0rt;<Dx
zk>(C~EBa>F=B`=EY-*XrAxPe@jZ&??zN_R`rE_K1`rPN%mXc7K6VYmzyQfQ=Jg?o<
z7|K`;Vy;e~Tg&&EUdQ%?gbe43%*DI|%5l$HnQ2oK3;DeZ*RJKf>J!{Y@5giA1>f?H
zLTy)eeABsIIdYPVSjzbtxxDovv#j^9Es^yPT-g=jX?83}E8{;OYEC42t}(?rM$P`y
zPqSQwT+X@2tuEtPt^A)0h41g(`svuJw?}!+X^YgO<W;^2C*RkLcly&Msy?po^CXvp
zyjXOtH_xTcH|)pAKC-N_M*r|EvxjIz=6lZRS!;gF5b7hse48Z1S3PA-hB<-O%SUyo
zi=3Z?D<n3tN2>@?ib)=FzLPZTYi7qs>5I9ZCw(E>!ICd~RvK68n?_~-`Ma9Y)2J6#
z@+ozm)O)2zb-Shg?xN4X7maE8eVAwQx@6_JXf+uFb1CO+qS-F2ORY1*SQy2d>yLz$
zc9btK^1np#G~u7R#2Cd^3GJ3INj?XZ4tS7t{dqhU-LyI5-GRj2R7h==g8dKQc0x;+
z`Btt?vC%G_*mIRP6j#@8R{397lTtg~ku{u5fKz2XTWnH4-T4o=3g~qB>pgnabK0{O
zF+cx`T3gKQ{5nFcV)pzMK3)xPPPspVOWIc%F-XXdnb|KR)Fa{D;nmFWWo9Cy?J8Cr
zmP&8=ce}`;yn`<~jFdIf7({cCf6YUyPBd%o%c7J2(U<$Fp%o(cC|{&s2a$e}xJTv8
z-KoZ^D<(D7g6c$~56S6g`QnPmG|?aB43wOtmD9NLt#>iega4ba@Pq%f(rNo>t3+*#
zj$0A^Te_4)#st-<qLD&cRln4n%+I2+LtC3S?4z<rcN$uBu_&bMf2Q=x$Y+8)i`H1<
zJt&Dac9H)T(JQ*gUCz}Br^y>+@-~^|Nsu#w)u)i8RChD}0?Trl)kztm*$C@>vdaZU
zm#*tldy#g+OqexF?KSbZ8~cjfllsv+d7?g5uhH^UQ$I)|nRW1#5=t+N>MC_cfwSuJ
ze{ki|_b{R~|6g_A0aeA-c70~%%pH0cka_`;4s+?Ks04fO1shjDL=h0MU>6lNw!|bR
zmPCyv_LgYuv6n=R8hec;_8x0ujQ>6lV(=~B`+sZw-&)`AEQWK>v~%Y^&))mlXXO69
z#{QMQDGnpND}Mgo{{K_!|FsJIpLy@N-+Q3YL=>;XGalvN&ae)zPD780ngBm<m09^G
zVf*)IB*uh@{^iXX-hOuCn0NQ0(U;G$l&`7dA6MmBL9zCxek?~}Tw{O5z7$<=v6=qH
zMG8y7*0_p2%6}6Uh^+n-oVg!}5rH-Ss$TiXM5N(KFQIqER^bdid%Xg$PJ)krdp)$`
zT!_Dl`?IpV4#pW*!m~V1cjX<&@NNF@tvH%~Yp?NIY!ko#{`c;yzx)4ltMdIR-y8P_
zT>1CEH+SuAMP6ykzv|nDZ)-b@yYbHW%8$Vv5nCTZpC5ibOxz#550T%Gv0TS*obSz3
zd-E%vO`yLId-UyJ-FbWQxA*7j+b(L*+>^LJ@ASX>>fIy$-K#geAgYEpSX{m*KHI->
zP;C8gDkW$)ks)u-@$U7@`w>f1u#fnx|9&b&V!Gz5`Dy-IH7!sJ(n7Q_EkcXbOj?W<
zrzL1fT1~CCR#$sZOV#RW^|iKIrk17UXnnO@El<nW3baD4SR1Gf)`n=qv=Q1UtyCMU
zm1z^SiQ4<xByF-bg-L7-{sxpczH`%;8KFD<@i!={u|QUx1wosJuuvAp!ttzQB%Zj`
z@eORzEQZChILTJBlftF?QbVawDw2w&A<}&5OKFp|S=u6fFKv@{N_(We(mrXw^n>)H
zbU->N9g=>M4ogR+W728qqV$V&NxCduk*-R=O4p<t(oN}>bX&SFJ(7Nt9!pQ8r_wX&
zx%5K%UHU_MDOZvG<S;p0j+4{nOu3ibTh5aU<RW>HVpcMgE6O$HhH_K6tK3(fD8DOz
zDzCW270$WJt+)pd<zYNYovY4M7pM!>uhd2AVs)vyOkJU_QrD>8Xm*;r=7T%os~NQb
zt-2Phg=*nil%{LZTC5hYC2BRaT3Q_~MeC*Y(fVoqwIXeRHb^VchHAsLk=kf&j5bai
zk2CaUGCVs@-;1N+`8`Xx5!TEGb)g-erEy@6%n9?wF8Br<S3E!Lj_=R(z}!Vs){OPR
z=dgmUWUJUZc8;BAPuVl+h;%`^D{HcoGC`T7Oi`vP)0K~vS;}1HOJ#wwNLivRRhB8+
zl_Sbg<rlt#@8rAqZoY@_<@@-4{saG!AK(Z1A^sCT%#ZM+{AYfQALl3dNq&l-=4bd>
z{*XUX?bTqljoL{qP)Dn!>Kt{gx=r1o?o@ZHd)32uPm<P%*5VGyT05;he%s<big)27
z;sRI2d2#$2buI3r%v7y`)(}%AO|&*RqLbF0S!?N926NJ~wQRg|8Sy0JUNGE?INX(0
zSYq&=&m*#)Vu?d+*|B)URzsG6*eYg;h^;SK65?wUtAY61&T2}#rTwfnV(TDF6>-HH
zAhM3L#)z)dtSRo?FRU3N>l$l`=(^2XNq42YtQ}(O1#6Fcs<AGJsw%82BFm3;Lu`e!
z?uf5A)&nt?&P1GLGBaYW7wahxk_WL2+~FfE6L;|}E5;pb!-nHM7qAhyYo%<Yh%Yt@
z5%v`;6%oe9i5O$!5oIgbL`2#u_P&TVHVJolEt`USyn{{Ed~nC6(f#c~>&94XxF@d2
zJRP6g35rZf>wtc1WU3L_i7mJ{-y_5J%T?ZN?}+WTxU1qjCULZMTGlY$J%|FF17nq#
z0t^9ipfwFwaAPsJvje1o(jaNDRD!dKj1}2=LEJCgt+yE{r^xl>Msh2;wcJK-C%2co
z$=&5Fxt}~h9xQK?H_Kb(t@8KsHhH_eL$Ok<6&uA?u~VFsbVTiBiq@}`RmxUnhq6=I
zrTnBEQ!Xi&mFvn&Wa?{f$33|h_u>9Lm@+k-NARY+8E?*8@Rqz4Z_V5Aw!9rT^PW6|
zXYwrGi)ZuRJcsw;Wqbnvl+Wa|`R9B&U&&YVqxej=s^24qx2wC<qw3G<3H2BCf%;H=
zq&`-ksV~$&)RzWJgO$PBU}LZ~*ct2%4hBbqlfm2YwPBHAv0<sW(}<$GN?&D!GEy0(
zj8;mOG0IqF9JWZj7S^iri84cZpgdIn#48Wnvp083&PO&Lr}xnYV;std^XVAdT=fO6
z=zy!Z8r%$34ITz>d{##M_#g|6z+7)uU2<oBl9yCNauJa)#Yl~%7E-L#N@|O~_R<Ea
zHsR}+^jR$=d|d*3-7hTzx*n946S}UzCwNj?4TQZcttE8bAYI2Nx(T1@9bof4VC?rm
z*+<fLpzITA2O;cE8ULi+vMR?)d*lQ;L3)bl*)KigKdN5RUuvitDYsU2b*9`wovnT$
zZ`VH2K9P5ec$4eMdH5os0;MO@l}sg53Q+QtJgFM;VY3uyxMjF4y@&nWfnifIq4A;e
zG1HV!m2a7~vQF8^f|V`GZWf{JQ}(lX<$!X4B_cu&vn1tb<ru4}oKQ}(WaW%<lhsk~
zDEC=Q<q@}LZMg$?W_jF|`>;ap$Nkw*9>@dPaKumu8^ObQ6dT23cuh7|-J)Jawp~-7
zvvuOLXZzJx295oQF<J8gd<e{`VSE@f@DY3p)A$GcL*|B<`jk~gT+L)2h^^VolP}`S
znHM5#CG$s=t!4q5g=URhl$jMFi-c(D%PbKwBM==Um61$F<cwlgh@R2R0ufY-_dP}#
z!#E;oEHfzM5Kjt@uLdj?iv<>r+;za(2@6MT7_o<#<Cnn8{@6DZivm6l$69<xsR~9m
zA?Ks9Xh6?coTD{sk7ILLG1hayCR}osBA6mYN^wk<%+e6F-<LjMs<c>I#x%sux6A_B
zzZ?B~rM+1HBpt!}C@|Fm?0g+<#0yhJj4%l?V!&FHotYI7G?poHZMin`;tW5-EY->C
zN6b?DSo;KHmJ!=B<8n{ACzIt|IT!mD%7y3|AP=DJ99cAjNywxJOi>;x4;fegL{7<A
zs)N_BFgxX{aus`AS1=B+{0-c>N6I7I#V5)Ww4W=_v3{XowjIp>JMQ!!${*-?rMzOY
zxUKk16|OJ`XaSX3aRb-zSzB>D+rzC9N%n{&+;Q&4-IxWh%JG-!pcp)`)suTNm7+@H
zA&4r2$ZGUNaIhC*E0)>uI39=oM4p6o4MdxT`jh$-vr&(!$C$NxQay?GMfD=qH`SY1
z-&5}~TlJ~>6z!LYMQgmzs=$t?%nf?y8FPo`d5)eJU@0!=%lXKXBgzrP(sAWD?r|s&
zWmTYN!k8;iu?=$q#`I>6z?q>K!EipD*#K{*<9&Y4KW8p{E}zR(VBQO+0Dr8QB{0Z=
zIRl5Bm<6!NmDvK1+?WF}sVcJrE_pC}AfY#+NtWu;=g<{5k+XgjpZzdmYebfa(tZ@B
z{h$L}ST|^aDy$}0%N2i_%neIzs2g`y7Ye5;>j9PH!QO+?@nq@XFfXVb5!<;G+kGjv
z6OjkiSP_(GApXC!i1S>E^IVGafzX~h8${8bOwnEkiXnz|r<hNHiil%FSUi+eSJo0s
z0%buz))`9z<w8F;7)ufxhozYEq95DJc46dufCV+#0d^T9zrwCz%-7jHjP^eJ4WoUG
zC4p4Q0QN$1V0|c?aw(e<rJ7O$RwOl&8bOta%*v(A8Yq1zEn<Txzv@tar2vaJupz+T
zE!cCbv=v8vFMW@FMBe36-sM6eAHr6VeYuo<DZuh$*avDE>&wz*Y!&&KD?N}NqAjv=
zpg?hKg-&KeC`0>FhW4f0%%$Ay3yiMA+RE?A@39Wx@_Nud4dezaM{X=PMt?K88B3F!
z%gxc#N^ZqEgXvqdIIw*i77xa62gQVib&@;E9a$mRzdQQV<#gyHk=s4xK5`${kup33
z$~=!{%Khd3Sc`1Wl8fbHv_;OhgOVDI_E32!*2CmsIKyapG}>e3u~?6nKfw7vl&51<
zP!qVyLHQushvehvzac+nX2nhMVVR0asfl$hr6GFSDLv3OD?PEEpiE%RpgJZq7wF}w
ztTh<tLly|e0ir`Y&tkom&y~-y{zCbJ#Xz0RW!}m>Wgc@?<}35TFAJ0f%u)GT`5If7
zC`)kcGG!U_S5_)3(X(1vjbqm+Yglve*E-f;`A+!`XWpP}z}BtGR-A2{vW>NZF5iwl
zcPKlUN!bmKYYmRuhqDQei%|}P<9dVRe#RA#f$1ETlVG~mV7fCH|3&2&Y=ug~*#rvq
zA{4Y!epRk955htx!oqA+JvV`rca%FUK-53jD$vnQ`AvC@w!p}2<*D)%ZGn{8gp^){
zl(B@A*-&9GSqmt!Ke3NMO?%}p<u!OuV5b-AC>d=92wDa86h~X&sF83qn_F^A^awP~
z<~H1x6>xiQ&!P!a-MAxn#8zi8wFj8m6>EXAvD}@zqb;!3hp;xAuvUi(^g_Q6IK4VJ
z-H!!86Z)e^FuNC+Js53)#My+zI#@oOwIDpU=TTt%>V(R@2$i#W0#CsH0-Li5n`6QD
z1A*=(yaa2(`Bvckk<6Bl;-jDiM)T1?&r)8B_82|}?Xi3u_AKLNtb~u}<5@7&<^;4S
z@`-4_54|v$^ul1im@mfJmhxp-Z|B=t5!BNT;Po!P3tX{}@5A~>{v(To8b6HoQGOKb
zWBeFXP>~%6|D50_z%3{FN#OV?ehRF0nxl>(R<%H-b{2KkIsOpme8&G^vg)W-#X3|C
zWsz!%nuc~yHHRr`AGHt5SNp03VAB5Tc%c6TbrREvmo3zf)z4TIl-XR?29@wa)<peU
z{hH;eOVlOk5tT|FYLqpsk@}7L4Qou5N<(#nx&iHt>PGCdMcu+eps=?wPblo|%$e#K
zPt=P$Sr8QWE>=xcj@Y_S-N)S3{pt^B|ET`R!qfxmL9`F4htL*08Ll2ig&Cn9QID`t
zX!WD49`yRp*hlcEgL+&&fwo}LaP^dW8tpUc8Jz#DdKT?->N)18o>woREjTtDIv?LC
zq+U`l;ry4?%PdvB0`2Ds?RSkeP_L`kF`gUh4fF^$4p(ofx6!_%-oY5|s&~;A{OqgV
zSMTEt57Y;&KI(>t=>JXq4e#!;`WRP#qCP>7;P7zN6VK3o4s96*ZTSbrFIe3H8s-)H
z|5E?LQLok4EW{ugB<5*Q3<}oVpt3N70V*^C`uG;>04-^O8rf2_Vm6vJbfq;ZsJ={Q
z+wdb6@r}D8B{`T`#R5Ho#R{)9W=q_RztoDw6@6A<Ucu8Ia2{+>S=eInCkMinm^%cu
zw<CNVCoCbT!JSzovABs?JdRkrW+fI+Ar`MkEZ&e<ya~?g4Ts1F3(x?I1#!7Gak(Sv
z8L?Ey;)%V2uw8gb0bunoyb}5~2_8TMen(;vN;V2?E;v4kIKEaTj(?9hzCLk$BjR`&
zen|_w%a*Ja?uXF38tVY24`FGnFZzY{b!G#g7hH+;U04Yli+dut--DI02^jlCEdK0$
zEWT_K=JNg7hio?Xp92>r1U}44oM#nVi+8XNO9=apZNW%|Vlc7YSR6<<#6dTlgL*g*
z^^i#FA%)aKLsAb-NIitGCs?9|ql5E2$Knou!vWgbQF3BI&=YRZ;_j&ad{F&GpkF9;
zM=4&a!2-wwNkS#qjCo4UrRL0tny>}-L{*4(dnq0Jn59CTr${QovBgpes|Gi22zrJ}
zqgl9ADotQf(nM(@vm<p919dVVUdoryDDjmvN`2BOjmTpOf{(WuXBHa80&d<8oNcGH
z6XV<??Lk}A2}z>%L>sjy)`un3Y;dfOU>{LA)F<tdBpsJd;5;X#lh`VBOp@^Z&~sI~
ziuSM4uQ>KPG))j{)EnqQm5MRnlkTB?U%HQx3zZW?Dkq3kP9st|)}(S`s19+HU1S&L
zN{S~*RIlKba{S%NcLHGr3LD^z?FMS^;d_ATd--1AyTD~9IA#06Z33OE!Y?}jra8zD
zGC$#)p<m#2Fx)dB6rpx7{GXp$1Yx&M*d0sQU4yVYnXtPqVRtHFcLT!i#&59u5r2%U
zKjBX?DuLq${*wQN^S@RdP&)}scTzo6FII(+y{a0fMldfmQjG-C>1rI-@oHUcO;KC1
zV70Z{8b`HJJF-CdcWLP9qMCtaf(dkD0()YDSTMn8Rs%lOc$PqXP*)XoS_9&P#_CLU
zCXSu0&cXU~^$S)-RQJePnQb8K@g&^wA(ZhUWQigi@gW59A?(lzJ7mHRKf(?L8Rw28
zMFkK@*r5`31W^UxK@~tWp@tWshKVYGdQ<@<5MCrx9S{x72xG~F8qtIr$%Godgc|V3
zu^0(8{0TJzs4}QVs8O9zBau+UlThP5!V4e52p>X(DCGP)j7H?PPFXEeHQ-12%qgE$
z%I6@e06dVlj;t=#0nwDJCipWo&?BmWdX%xrR1+jf&5*ar$kHBIi~1m%ax$56(wDMP
zqFTX7c^E*oLUqc+M9RQqsu&WeVyH*iXhb${!`VdL5KVa)4VQf%dPMb*K-EJuWngv6
zKqKW|GP$A+;8R_|o+1y8$iqu$Uq&`22p=A8QCmbK18<`(+|p#qKwqjh5-1NP%0nYn
ztaYejji8)Nq@47kob;lctVP)vP4$PDlBHy^`lP>H_#i%*Ig<)=;X~lR)OhQ^jAS9C
z#ezwTX<TTrVA5h5X)zblVzH#f;z^6ek`{|6EfzysEQadeD*QA48B5}`_$;jF@HtqE
zinu0K#G!mXpO0#P5nqI>3+-m$OZXDBg@QBi6?_HuU&U8py@s#BdIR6U!uUqMk%g1K
zt4H`^3CDdWOC@~q2EOb?TVRSeVM;1tiWM;BC-e&(@g^KeB^>c497!b{u_hd`Asn$K
z9I+!Du_qjHARKWd9C0EXvE%|rQutHgNGjooH*n+?+5$&X2}isMM^Xt#tbil2=oi?L
zN@~%YkRp|k!kRF`hSZ`hp@Ti4gCn7XlR8VCg`?&G7g7yX44Anf#{hl-90NCU4BW{v
zh&1>bd|8~q&)~;ulcEVGMWd0T2_{A31w1LBYE+i%%5~u>rN}AFi7HcTIaN+&c2u7x
z%Jt>?ER3qu0J)*u5bZ{CBVfF!SY^41+!Q^cZjGb5H9&45w?I!zxg|4F4I4}~Y$VmN
z(Q;e4E%TyE)`BWoAGw3vfq76pE6bhaPPlGoxeLzFRqo0Hgu~6E<sLGe3)w82;aiD1
z*FnyZGnggK4A{T{&q94F<_GNMY&n}nVOFX)bCz@D9Ogn5v76ji?u#Dbe7VCf@5f@O
zI`+fdRRQy(8o4^v$l;jFDq=cS%6?QS8{~m9To0Og@Pp4jm<7ruatTH<L>_``i3-|J
z9xlW2kw?fQFou!xC|pZa(|&TPJO;;#n%YkuCyzsanOugR@u;k2`6GE2-tTOAHQw(U
zc>~_>MtLLd+a^@p(eh6D0N(XM`8tkzBEQ7>|5Oa93N^)*Iivc<ETQ730ClMb_fr}v
zZLw9<;C^uY(@}Su6*JmBm7Xj_IKr%&aD-7Qh`K|<EZjWQCiB(#%u)SP{gPQ>&SU{x
zF;R~sV0P{+)B>U^@y9I6BD5E)i@|uJLXl`jB~)FmE@!b+t@x`e)s@&s%&z#VtJT%e
z+oFDnp!&t6eye^99WLfuG<BW2j(Mx!si@Y~_3C;YCF&Xz>YB|glytbY;kMy6m`Y~T
zDMno>E`ul{eJB>aDE?e2@<J){yeQg2DB7$k+Pq~EZB;4S+$h>SDB9d9+Uk*e;w`7k
z>A3qMw!+`|qawB<D7GRgwrWvqMNw=;Q*0>|TTv8S!4z956kD8Pt0u*kiCn{KvWT!i
ziZByJm`V{ALlI`82$LwnV#tv(A-2Fy6jdhjWx^=7A}O|_5L+V=d7}_vi4<Wbim(`p
zFcU>sB1KpXIXLym!Eq%A$D14+S8{Ob$rt5|$OPfzgi&loQfx&bwk+W8S}K-s|E&}&
zw5<_siRAT|6ko(#AjMn^#hi(JpD>END2hB2MP3wnKqe(a$zUlIdC9~)I>nzt{9{l2
zV@LdBPy7={{NqbrfFJRXk@&}f_{T{6<3RjlPy7>4{F6ZZ6Hok;K>QO+{1Z$3<4F8d
zm-weH@lRdipZdf<0mMK4#6NMwKfc62al}8q#6NY3f9ewd)Fu9@LHT1q{y@D`=G3Ol
zNutcLrOZj9%<-i8$0W)b1LaH-<;;7OGoHv9FdJn{DrJimWs41Ei$$euv7~INL)nr<
z*<wR3fI;1)Zo(NhBXjByCpZx&R3T1qCQfi6PN+_7(15Zlh_cI_n88TQ;6ThEbmj{3
z?PO)5@;+vMCMlDEG{VEvG3z}A?wWA&{K&~m!W{TVEEMzLAEW0}WhUCf)vKn=R%W9;
zN14NH$>DP#hcAL0zIbx@tjXbX#q9Z)IP(H!A@=`D`3h~}_61=^9eATGRu-d;xpkaV
zIDetaa%Ba^ApAcA<}p`cY{CU}AQ#Y5`37@Yq2vYnzzbZDW6Qn3jhNl?!|c`;Y!$v>
zyz;&BJ=($@tV!-*HF5{N#H=XJDLg_y@(7cZ{g@5&Bd5?0vtd7Bgu*X$AivO+{6ZZw
zV<&Jn;TrmpYbYycm2(*9dF4DtenGi_t-?pFMm}OZIfx1z#9vtgo|m`=$5G6wM3Rr_
zMn0l1`G^Vd5$|DM?mpZ^U$}{n(H1_UKlzBk$}{B|+QLn=BR4UulAGvHZlVjhiIH#<
zQQIi5;U-23<AMdkO_ZSMWO#~!@Dw@b(uA8BOm3nZx8RroBTvzhJViU2q0!(bI%0n(
z?!-*wCi;?_7+lFs3??@*klaLnauYq^CVFFLM7W8*<R&JNo9Ih!qA$6Lk>n=Yk&oy?
zK4K)tf~yEO(U-^aILrmc^LUI?xQW5!Ci<7ViR6SyVy>AbVzzl3D!1+M!=lI!b0<H{
zNPbu%{IEUn%=W?+Gr|@70d3)j1;7tGfc8Q4AZCMvD`sEG6^kQR%!*vGD&&eq!4*4>
z{ZFVTa24T-Rfj8f3O%Rcja7#?b{6Lpu2=}UV(#RMspN_|kt=3Tu9yY6Vj<*;dBYXE
zfn$Xq77ah_7Djj*u2=}UVsYe(g^(*&gIuuya>YEwY&zbraK((|iY3Aody2O3!=lI!
zvnM~S3i)AC>MQtRA>@Y{$q$oYUP;W|ARA;BK(1H_xncq2iivqj@f?ZFau7BgRhb1A
zohr}1RC(%Dd6w6lF;sKnlfsfn)n-j_xCbgmG2c`^#}rAmWdT);(NrtOQ+-&AD#IMA
z33aLob*c&bQcYN14aQJ47)NzrGSz{(ROuB^{T59%TP>>43aIX?MU_%CRYZ|g5k*o(
z)Q4)JNMfX(gm+%RyGbmckj_X*mrqF7ijc0Qc-jYB#mq&Z@)?jWpO7vTNH+&<F^dsO
z7^e`%H7AS<AdCwljLWCF3?F47FfN}kP65U(MqA8lw8YaxOVJh>*McxEpD<1#jLRpC
z3nh%}Kp2-#7}t#EI|7yUK)QTFIz<skmrqESPe|9CkS?E)E}W1ql#osW((S~a0_j>2
z(zPU{%O|8$2<h?(=|XANvkl>05aFE<W<XEiSb=w~2=BarcV}6iat^4MPk5J4co#}|
z*PP}}JPGxh(!5DJ;hitxT^iwCedU&Ni!~tBi=f$)becV>MzbgBgnDU&dg+9EJqY#E
z2=!z_y)c?XNh8#&PN<hob12?4hmuaHC(|5CI?bW@(;P}Vp<X>gy);6-hJ<?QgnDU&
zdVVyYl1=j|jc7il8qKGq6Am^c984!1OeY)+qgj=7!a+_rm_|4lOtUKK+#6`vozSp8
zp<x7}VLG9qOlX)+XqZNGE5U?`)d>^52@UJh+=?g7t)vkqb|p+qCrnHuObq)s6@CUO
zER_^iT~b(eNMRXBVbvjpWvEo)w<CqsniN($Qdq4?VYMZN)s_^ND=Dl_q_8@X!s<i{
zs|zWt6jE3kDXa`qSSl&33{qGsDXdPUusV^#>O>0bJ*x0islqRy3O|zz?=Xt0`Y1e0
z^#kiqRecuK^HEgEM^O!Lq8h#z)$p-Y!zWM;pF}l$4XWO2Q}v!n6?+s_=~1eW8p8Th
zm7YbFc@)*;CaTGMQB598HF*+M<F$!(ENK44OnhTSd}AiQ=}3Ijgyvt&H2-2t^Dk!N
zn-H3RF%#2-5Ysr){7YkE8XIC7J7O9$&A(XE{EL~G#*yY<%ryVfgyvt&#5A3WY0Shl
zj>I%(Vww<Q8f#)2Gck<=&A-^v{EM0R#*yY<%)~T}iD}HlG)}}cA;dKHH2-2Irs+sb
z(}d<<%ryVvNPJ@^z6qhH9I6oO*b(bk(kzUbSf?Ygj)j;qVf|<>#!ReZCe{fd)@e*i
z7EeRqc?b_uvhJj0tCEs!PwqxH(zCru!`2}UYak6<hun=wFqS*zfJ{|}L{)}NRR*UV
z&?pD2C<iPk2P`QEEGP#oDF<Y#GE~X|1Lc59Ibfh1P$&l!ifoR^UcxlQ^it@iW$>;v
z8kq%+%#ucC0WPgiTsnsM)0*7cG;(XBi8*75ITPU3y5q?U;nsE~{&Xb%>_%>FDY><9
zp|Ol5w{{%)v{vNPP9>i<5-x2Rn@T=yB>A*c$)_zN))mhVo8ZQZCzTS(q3uEpT$3Ey
zX~e^0$e|rg3~Wt)Y#RBo(Zs;9<j2+^9(E)i?nZuWDfzJu<i|#mA3KixSO;=qr;-zE
zMNaHga$={F6B|iR>{N1M%ZSN!@?aB*&ufwgJB>WpspP?0k?%T{eAh_wT_eeNol3r|
z75T1_#Q!zPah*zD>r`@Cr;^KRMK0@9a#<tEWt~bc>r`@C%gAN5BJH4)zuKLg)oG+7
z#*&U0OP*>Z>4>r9Pz)l6qCGhjoynURMBYRvawR&FD-lMnggv<uf#gbvXE@ul>f}mv
zAXj1_Jg_v@i`=hFxL@7aNb)J{$pgzEw<3VtioxVoq>~d?LT<%Saw|rWD`6%-q9-{K
zLF7dABPU`6IT1nRM1+tB5kwwDTXG+Q$ae@L-ywi}hoR&$1d+cGM4rMx@)QQayPAP<
z&X&Kx`YU-c)@$UocydHISiRt2ZNbRJlOy)<vG%YGavuhf`!G;GDWAeV!h`4_{~}+)
zR^dbhkP|VKyoMn18b*-I5JWCR0Qn0+<SYb{YAYtarjSyzB&F7hG@2c0F<;VR8fh^%
z(qc_Xg}IXc@+IZf>W$_S6{RmJtVX1*45Y2>NLBfglF~>+`ICC`Al+n1x~UZ@CSOuX
zeMu!XC6(k#`pA;>Q8DSG2~-bGBu%7|CMqH|G=<cVL~6*B)KF{EK`luKO(7j*OFC!@
z=^#(iK~qQpd6EM1CIw_91>{Kzs0k^cDWrg0NC8bD1>{W%XbLHy#-xCzkOFE>3doZb
zkPRuIDWrfrNdXNY?W2<Ru_f&@g|v?iX`d;ieWsB1F_QL~LfXfIv=5%$!_#~2q<yB4
z_L)T5r!{GxmZW{AkoNH=?K6e6k0)s#chWvhNc*^u_GwMpr--zVC#jw(q<TC_^%(K2
zax-}E;(5FVct*J=dyk&VtB>cC`@p3aPo0b>CKyl8>Ag?S=}jgks6$MUOiWOlm>`*$
zpf)kVcv3M=q(ma#Q6gftvj0D6kQ~w=Cek1=q(R~<X^=viN2o<gqz@^Ph<B8Tc$TDp
zB@L288pK2zB<76<5wnK1NQv|zH>w)>P(#Rp>P_BLFu6|E$ZyIfzbTlUrYv%rLdj_g
zC#PvRIZXxRF%2VkDV*G;YUC>oBc<a^8b>B|(}q-x7wH!-(l0)wUz(AA;iO;kNV!xY
z&Ei9<#E0~V7wM56q(t&befW^>Xhw>|j}(U&DUPb7HQJEA@F8X4Mam+VltmsXiz=ik
z+K{GjCI#U|3ZfZ3V_6SRmD{qqc&^-@H6-V&Jvm?HPkAI0H`gX^PA1hbmN6#b#{xeb
zPie?GnOXUT`Tg=3uh*biJLZv5Qkcs;vJ12NGLKwyaUR$iG6w%7@VW(_@Q_}M{~b{N
zPeMzy@l#d&roX<znEUT~sryrdWoTKWvgfvvCeJH%zmBdevLu<TbxVU9W~ay=D$~sd
zt1tt6n$iSW;`7?-t@ZFqJzih>jPk;Rl45Deda@#xkFq%n4_sui+G5fDDxHkGxTn{O
zEm>vQRsYk@))ALFesTA{++<#<^Gdx`xsRWY^AuT<Wrq<T-FZ1|Z;Q^io6Z_^-0){j
z-S+KJB^84jJ&6XXwC4tAIW5IhMRzvfg@v<C$E>2_tin8Fs<|M`<f1!?Zq3=c-hjfM
z=DdM9xw%;;dz=luR?dcYz0HG)vrOJPp2TU-t({%UJB+DWg~d6&ax%=tIr(`eU)@`5
zR-9emY;Kp+4_7hwE6B;qHm0WNK5n+AXj62wNvD5lZnn|7DLO`vj)_Z(OG?wbR~l^l
zwiTDNa&~E3($Ab%oRwir%`Ys-FD$>Du1A(%F6ixMaY19-iYvCwDjb-TkyV6C8zYPj
zqxDkBzw!-|RHl?l_6+@2a;YS-HOs$k+^*@TUQSl014};i?--hYena)$sYQKvZi{S{
z_R?kNz^SQHVCvfWSL#2xxqj%b;)DLD)_%<7=gseJTf4qqwZ4aX)USE8-cPAcMQ){&
za@K|&nCY{;(6f5;{=REW7hbkD%Wc12`m}MlI=KE<Q4@c<G4sY>ldp8Fle~BO`6e%h
z#{61h_446>2`O`4?@?OMTzV>Z?ngP}vqHv<+nMgNd;bqLUCwSF{m|F8_~LZ`Wj{WD
zSv)N0`tv59BNy%ZB4XwHx4*u=G{|+h`T1x49k*O*HNWY#Zhu^}TNFNbX_oQW=@~co
z5BsV`qk6BaUa6-|w?5T-?5J*i24~hkl-^)OyB*HM_LMyOVMl*iK@Kb!{f9pKIenDg
zb|4Fv9<!e2bv<~nc-HX?!ynW+cemN7$P0S3!2;2)s+uJ6>UuTZzv8tnmAUpVE-t7M
z6_uY+R1jHAp%a;r-;ZL<+gXxca|_*oUoxISsDqEt+m|Qm@p|mM=y`fs<eP&t3UezR
z8&w`rl>;g@B@+8kJbMRn8{Mj61d4@jC(ddwuEdci20d83cI1A#??S||sjBW)9yt!;
zgcL6k(RyrRgsF0PAb*t6qnTnkds@kZk)8FW4|=cr<Eo|i=9Z;~ZV5fUZZp?)%5AUd
zmi6+U_Pf(*n11v3oGAfC)=v2im#j>3d=a{4_G*t^Q}1-1!B+fa)BKwwrmro!h7S4j
z$`J34%@$|5-zurwGjK-UzI_RO#`sxGO}TyHOvgIjgBp(ybv1PVI<b$x(}LDj$Bg(+
zFXao6@sr+Uyxrj^iTnTB7MI6Q_xa4zqt!o*_<uZy%5zvZCBBox(Mc6K-1EPc!?6e?
zf{d{Ll*4Uvvh%VEMIOig$2|Tr!#b(nhRp$s>NVbM_j>+AvsK%VR)2PGMYw&FJ$bLo
zYPD@|U*#uWC+yXd88gm&Z!WR!@<X$-f!8jjHueAH{?4$}9dl3jUOTmJ%lqRJH#+VK
z_${;3!z$7FEjrF$IborED%9st)5{k!PPk2s?y|c3%(TUy2e-0wyFcTcxn}*=-iMt!
zSWj>G=dzX0dL=hpUQl>r`i&lk95(JAllgJgt%0L1-~8GCt0SA_A@c`))Fo@zeYfH*
zDP^JOEt*Z9KKa9lF9y}~?R|1_@t|{dU7{y-m=v@1Ove7kpV!#4=XQ+s&yN;(KAH6W
znQuEzs(Fzw8sh&=wUv?k3if>8VoY_5m)2XCw47;i*&(=a>7nvGE|ogsPPNr-MDSDE
z$(Ve06|VwCYWx=|qm9ywD$)rFo~>u;p%t%@;6871w74jOa(qxxWYHUhrbJJ8yRTdp
z_V>Q#9CPG9>>5>ER1}e6j>wLV%*ZO#Yl*@6@;E(4H_eNh7g70W0SN!a(SU;g+boZ+
z1a1xX<}9#l;^K3n+1WN3ZgslHZ?V0u`-))%aChBx)W1f*cUcxBBC)|W*M1nvnmwG>
zQ%@MYU~G_<@BYoj!1MEtf2=GmYY{kiR$ayG!cSLA4*2ypoc%6(ZNF_#!mDS*{MtCP
zpY8Qs*>=y>g>kvVCc5su_02Ee+`3@g+u#1sC&lN#>w0l(f^X{J>x0)F3g*TIOCL4e
zJt5>nyHQ6S|Gdz3U|!4acJ&*i<k_yioj7YvjkA{h9scwxSvzXz@|-8H=6q-48un;p
z7t7??U9PzP=sda~i%hg#95OBZ@;6V?mPo6r%n6Tb?0L?A^RB-Jf82Uk*_zS`-5w^d
zZ9TsvCM<I3#`8u?=l*y4RPA#3=2v>h@QID<Y&<;jhi$d}duOzrwKb=B`5y0DBd1^5
zwZ-c+AE1}2eE?N$-oR9D=LbtJv&(i@4V$K23JL7|k1#d*$9HkUO|OER4y|F=A*(P)
zBzw5Aab8Abg{ZK0cCFZ8Y*#p-sMy#dt9Vd;VP8`XJy9HK?Q9Cp2r)+Mdc3h>&+=0M
zGaBR<8qEWWd*>JC49Utg4k*ep=I7;>nCk1P;#kGGR>dL4)Le5>kuk>DYCzB2oD5^D
z!km8Q!jgBDjxnYDT*V~<kK)R84HzupZ%mBF%lHaR96kBnH~U6M{X1dvMn~Z-{|$=o
zyyaxQX8EvV-|kQ`?D~U?v+^?W9y^$Gb23RNK{RDT72%e?kzxNy22Dy`HGlWw=7)~l
z-xt4q-uop*!KVjZ+um+p-1E)%Jm=o-Sa7VpXHeB82QEpN5&vz)4TJYl!{Qa=H@c6F
z^6|FpdF+DiQ@6Exe)l#5T_<-Ky61x$rNh^)=yaXka988+>BjjF@9ygPWTu11$Il*i
z?EOPw{MKO~EOvD@e$`lN9X)Tx<M;K%Wo7fLEcngK*s)d94Vgc$$-Vw-t?w-Sb~mj%
z!|mGx+2_hq&UE?fGw*uUYTV43?@_Jqw~bsLKd~FLr@86n)>SM0YW2Kx`|Rn@Pu=~{
z=i6QNeA;=J&c4^#`MzFoHTUDo;o7ljlW&`U=(?=wXQAUao~@lQ#!BC`uHI*_9&BAY
zDsD~J70)Z+vkdTAs>fD<8GtZYht{ch4Ip%{taJt<aEox4|E<=^!iVN<<lXhIdYXZw
z$@DgQ^@`KUlB>s?(+wIlhyWE)CQcTWQBVYMdn34HS@-hzcY78Vm@!}i(Fi?E51AJ<
zFR(1&&1nUKRvu(jL54XdB0G+Bl#uSwQLeg6#f234ZA<wlMHMP`cjN)O-$I0|$y2Y2
z4kVIOMItqC)wFR$bVRf%wi4Pdn0mPCd&#ED%lsye?RVfz$(P@JllBhUjy#sNXy=8y
zn;+_yk5iNWkXOZ+V*UX-2yOd3_TJK?`9<aT#*MvKBoFkOvB@*_`jayGy#a&w+3dXb
z`R>@3c1vzGS^Is;*zvcYj9=UAoI~T9&wr`%!KSe<);GM<C9Bor1x@-pxDNHY{Pg6#
zZLK=wznJ;$lGfifSh@GpOE+fQRH?l=c&KRsdmK4wd?Tlcr4KB7G`9KRi~Y}LEEqa#
zfb;%_4{O)Sw{8`Z8#cI^{^zghHqLcVCJtDlm1Ms9vDU8-8hvDa$*R$7t#3_v%+X#a
zHeUYhiQU|s-I47hr5VFVjI|jxa6tTlR}IWhat?ZYo*A}@=iPE_bJl6*{Iu0$c5i7o
z>g%B9Y)HIP>wEKO83*R7_eYJpf8mqq&+oT7o^gKK!fGYkfVL2Yyh0TAXt8F)vMwtd
zt;z5&37Y>^@ju)${eKw%2@M&i$00N->OfP19;YX~#mgrqXWh|Y{idF-B}<C4jDk?;
z_DY?yi$%SxT=O7v;oH*G-q{6+J<wd7Wo%iPZO+RXQeG=MPyln)S&L4HO*BO(y$i_V
zY6xEo8>>{nX0QChyd1O1QMVVJnvF$UbDptDeo>YQ;V!zYY&=pj^LqkROHf4jD-ulg
zrZCOQG&$)GVkc`G%XTFNS>T?$;)(+mm;d6x|0rwk+`8HNK~kBG&Ff>C?w9gESL$7!
zJ*|7$#gfZ2yuTmq{5;jak>>Z?`!mONH*|Vrv2^<r9#NKS<;fS{zISqW#NFfCkEiy0
z6Kg$n>~{M<Jqos5_Nl&PkNwc&7nBX}_pCiUD7)93gb81CJ9m86>)EsI7GKMqwrTC@
z4<6U<wJ-6eOZ4;j-(${f`R(+S<G*Zg@sro%L1QL{HnC(sk9O+Q|M#=wE+6~$?978!
zB@G7qHyXM3!ML^ozt(x(aLU)G>#TLrf4MMe&JDe3^3Qkd+8uGc{bH{3v(3Y2ZGCic
z<i-&nMb>I}xpw&7tkAwb?_Ipgzd82wc!~b(>iX2p4oxOT=d3I1USE0M`(d(kP6aN1
zf;;sg75_k>AU$wiKm|})DDxmBY@FM-ji`u>h&LZN+!Y{}GZz}TmuMP!551e-#bBLY
z)<`OQQD4&B40<#D?YV%*ZUQ)qP|0QrIL_$#7K{TcE(kELYV$956G;58we~-NDYQ0W
zFV)(n$LHGoG9%m=^~l1ozuC2%`w7N@dYBllFGrEB8|V4V^D3)A|Duda<H8G34|l8>
z8tAI2-WcfmhBrW0&Toj|&2gE;RBs7Lm;Z|s7rz73{}RXlg($WNo%ltfThn{-iwgHm
zbnW4IW!63Sw1pEo77elMJ;{E=%;(QuogC-4_S4vs-=8+k&GKDb-{(lpr#=73K0o5d
z?tWidKDyxkNnZHb?e}VIyE5$fcY9B^d}WwwdFb`=`q8}ET7Ao*_$%F`ms?+QT$q(p
zqy3hB%iNxgKNY#5g|F+?8=0rmLKf^8?E7)Y^wvvO4h@~*G|wXCaN211Pp)2g{q>;Q
zLG#_(u0P+PbKD2#2gb}=v#n=X@edAGw;#??e5Rhvt##XNec7Y^bGonEx!}v=DI;&p
zUhSt#Ay+!zoVe+MTenijZyR+?a?Y$hH~NFUBLkLN7uA`wYU-$Q?n9o;J%4HB<Obh7
z{xYU_BU35g2$)_cOOif%{{J!<mL2|yHvYCV=Z(GyO0TdzEfteZB{P%jUX@;1o9s|y
z{%w9%K@Pn=kelEjSsMNr-0S>%(`MZoebVoyyQTGh>8w7Y(jhjc0zGeD?x;SjEqu`d
ztdM2E7d7IQndQMNHR3<46=I8#^+HcSJl>Rx|C(mRe^kqXgW4OdhS;8kr7zmzm`wam
z#Xg0!Z!Xpu=xKv<^eaDSWr~Cm$V(-5IAnUGDN~DlKWS6N+ikn=mIdo)O>lm_c<$_#
z)BpVGM%p5GKD=A^k==*=wQ1}0myb8cBuvSzy{xR~M9+O2e|I;3+HB@R$LL*suH5+j
zUh}AygQqy0+H-v8&XdJ%55~;1ZLt3JjbDPyFRYJtn%wH?Eyw0BlaCBr+nYcCZfe7g
zGcxuZSf299gS*N7KVC6Q*%GindD(<ECDWqM-@EhGj#VwIT=bl$3{A86qsz>TJJM?0
z+b1o%?`{#e)H>wXj~3Nl|N4(E<D=RRUw`aw`rK*eGvm4k{@HSJ#KATbV*JN_cwtT>
z%MJUx58Cuyjm)*5A6cK%WWj=#TR%Cu|De~cHIF^&uROhD^7=;+-=5o_J-<}8)=OpW
z?@!NQDwSRUZJ&q$F8rVNmSl&2GPf!PWH;UY?|~^M>$fj73E}uQ;8c@6sf#32tSP~i
z6b)PXAH(rd|A1lo-Iw33?s|3FiHAA0&V99F+`kBi4_<ZNw8nbai%pZ;|K2rAD-C-8
zy<11eXC839w(aH*Yx19edM_?u(!%8dOXl4(FYEOrJMVgC%^}jPjO4@@v-5}T-;yWa
z(Va4u4sW~s_ks5(2Y;|yU9xrMzEe$h?CZFETyE>gVP!2&{`|qIxZRIyA9*r!OXs;~
zCU(et^<`1P7JZ__4^z$@%}(|0*8R879CtQJ7<cOnePO>$|J#{OKU@AX$|<-{iL`Lt
z?F*d>)?1IWKD8p?^LgjD)m&5ONlDJG!odaFh|dxNYe*JO6JOT+b<mtfGpnwx_qG4y
z$9pnzd{-yNy}Vsx#={Z!>i-yBEucZO-4AvJ|1$RYkU3u*Z}a04_urPBQk{n-n#N%g
G<o^JrS;n9M

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..44486cdc6702b42d1ed03b02779d6f47520a0e4e
GIT binary patch
literal 293956
zcmdSC4Sd#P|Ns9!KA%sYbJePKv$k$_p6Bjr)oN?4w(eK0TIpsg+A6guLI@#LhLD61
zhOh`B3}NmrL&znB5W-RtLI@$-@A*EDbIEmaUB18X<M(*{|2;f=9p~{mZr;cJ&G|Va
zMnqckmnYdnhfEwkJ9yO7;vKyc-w}lqM~%Gs`au=q9g`{2E^%bx@Db;Kaq&6ghS!O>
z&y6e|Kk<jmw7bMjn<vI;J96R?LofX0%5LIyS}HPN%J_*{IY)i??ivwOO?qX=oHTRZ
z@&S8#i-hNi^qGFlne)RYrP)74N>=f_>#_5WJIOCyl_zrKX5yTF+|1MG)z^zlexxBW
z$IU(a*vAHB<2)-(oC(wB%$_-`@dqC^C+q+``^>?k$&zLze4fwev^giuUvSg0&8LYt
zi6X(0xu+a6Gv>I$H1gZX=V>R+TrjWkBhER5uONK*<e4YUj!n$DQ=FH}MPifZopSp8
z+kPrKO`NyM|1g<%+U$8Z9`oBJ#4jZLk)n0yGztzYS=V<)ivd4KV|O<`@@A97U#y;c
zVqL$wZ84{~<R^{AiNqi~YHw@ZHx#LY=lx<%iTZ1#$e+M<>cihxO01kIjiS$+kRA0x
zjTmvACT0as#98K0VmZvJnJzgd72l?fT-S3Q$14-(Cnu7pO?yb;(D70r;re>#>v~@;
zF)hPlZq=t|m$MQHlltXSDp>8PdyGtR`b(~J9NI#rn6J^}`Mex=0BR-V3`2L}|1Mkt
z6+G_~)xKz3=}IefbS{#~j!UksB*8J#!feBi4$|H1Cwv!~U^Yq*r<-J%z0$*^Nf7_;
z*f2qUlwtBy{Z{i0?s}Qv4wMN_Dg-0pCq&{*CI0Qw(M*s;;v8n)l33?8Ni_eE=IS<g
zW2ctq{{e0viD|%@D#3$wruB9xT89lRmSnBZ{~@FPG`zOQe}neYHjD6pgiWCS0PQyx
z{RZBIFX1=*Mq57_jC&k(<MX!-?W}DbZSP`j^M8R}gx}}&zeM_i_J@W(q5a~o(Ejqj
zC&wKhNhgoA{)}8l`{G}ree|!mNv1~nulC`8Mf>#smTO4kPtb94C^}yL6FQdu4ee(m
zDfiXV&p8)uPWv$4{)e>qJK^1y(ysx=Sxm#2)^U9(&Opi1G21|7yz7|%`?UJgu*?_O
z`Ik81`rX(y;Sgfv$ND{y`Q^v@THLR}=kO!&S@P^N>4ZYWZ$iUdr1Mb&%u7Q|b3UIC
znWF~jJSFw@KcI=mudmlRtAWVerSsQc;09!HWNy>>?eCHJSK-`||2Yk#^X61(4}+ra
zVJOt^i_E7wr~U~}0r8k?|DF0e^`njt`+o-Wy3XwlMCNy$<Npfgex3gh#YvXl^uI_O
zMB4K!8OBO^Si}#1`fIy}^+@|E{VhGB2Y9CLrIOChCWkQTP72z*eutAKIg0s~zO1&?
zOB`*i^<ev4j!dMF#F!&^-m!k2=~4fS_7i6aY2Fm+A7kkw3U<}+iS&;UZtVk4!dl`@
zWsW`w@y3Dehhc4}NLjEY(guSWgGt!e>X7wN?YfnDMC;?(NS(N5HEs4J?#CqntxZ^b
zr<wG}uArL-1*~Zk&{J5GCu758%5F8$Os@YGcN^&RyI&-XhEv){=KVv)yVm31B=v8F
zi`IKX{r{OVesv!))HJ5Pbd3H;UHvG-qhtL?W7vyiQqJg}$9%_JIfl==M(ez)YbR?I
z>tSU5(|ydrwJlzH>ND1XDUp3od&$&wBC@}EU9xqrL;DSO?j)T))b05CubfTwUzw4>
zy6e2e=MvnyA9}0)3n!bl?k(fZPQtb(&l>7+E$JlDmzqd_<5PyOWfa6YIk?{!-#ozD
zlt8@E($-0rarDU^W)tJOP6kB!&30+*JSYR5r=^#vB3w3Mn#fRnruk_entmj09~($Z
z<3{3Z9KU{h#9heRKCu3K%Hc-J^3VEx&Wn700eu#o%^a&V?6WSy|04XylctvY0H1&6
z^L}(+{r9d@zYo5rKEBX8anI)S8Tg-po{ARL?^etr=A%XR-&1E_MCxrHpTFhvUUU!o
zJYf{wtFVtDkA2RUr28uAQorte(mRv%=Am=(Uk7Se3D2o}*WmsQUL%d@I_owfji2y)
zhc=>J+$F><Cyn#abJ3pIrlg4Lj;#O1Ex>OR&o-hP(GBPvo-0?#6wj;Q2j6=O(FN#P
z=zMf^{cgp*OS*dj;{Af(#XP$Zy#QT|_8|;J`iAz8{{fNyqkZTvi1aJ%TYm%kM?PfI
zAHG5h(OP&vsyoqdqNx8*@H%XdvLn(*wV(bK+IOL$@BQDZ_Vd5Z|DY}-_5L^N=?``J
zKe0u}8e=;${@$d`Zf1OcCoSb?$$}wKCZGkZ3tvkCV=5@;z&;(j=qpj4LD$3Aa5|h6
z)w9qGq8yFRk8-BaABC|;nqO$T@)e)I;Iry3^r`yYN@Q#oGS`h^FRAn7V&-_}NjF`5
zH@*HxH&vQAUD;2s;F+Rfl_79ubl!~4rw8XuJtyhj+L1=iHr5B7GcO?gkuuDkN!lmi
z-Ygy6AgXEgm$0j8j9|WNI7cxDM(okF*vso&t@A6|O3yFuCD^x`IMw9SV2|3QHfp{)
ze;>;;oy%KtBG$4smSoNqzB`HWJxQ8J$~7PVQ=@DmJa$F67C-WCm_MA(lwk(@iX+vI
zX#J!{>xcPK&x{e<b#JaVXugWt0%kw%u=F;%=U{)}v|(-D%h<VFnt^fdk!F$oM{k}1
z_8x?Fqlt4i{;UtQZx7vzvzA8A*pYRCeSq^3`x?&2lxYHcpZ?BQ=npW7_PmX-Uq-?w
zI-lU@aAqX$Nd9T;VX%k1dqnmedOm00Yz+OBbGq{}X|vv9d(0nfQX4hj9y}``59~4@
zvLC6$e=Te6Yn1CX%7sSCl}NY-jwO5p{n$ro-ny4jKA{XT*suF6t($vn-RRy*>rl@m
zQQOnCo+9<3c}L@OCdzUb5q~CS{Fb@xTh`uhB@Nm`OK1n#pwGHMM%10@w3j?{Dto>k
z*b@=n2}lasj{Va>>Ms+`gIo<43H#US_l%~g=?5L3ex&Kz{Mz$bZD@z~HJ_7ifIWxL
zp6l<Wml2&e8s?BJcfCwE$#O)5yGiG6$tFxOT8#FE!MOXv;HZ1BX~Eg5h4eA^q4%MA
z)P+(jUEHvAX|zqc#8gD;C-RwiLrgYxwU0Iek-B~+i#Ew3zbx|4V$YdHeW^~DCi1OJ
zLz_qRHrnh(@=(5I-;_<d7t1u(h9g|!J9o(u(22cFheOh`X`Vyc=S0$O$Rnc8ZtCna
z>1pob{%H~WmqpS6I&$CDkul!OZO+{Lt)#Lq9A@6(xt^7OqV2k&AHb80(R4mfu;bZ0
z%AJyf`w{#vfl)A)=YB+cIZb)?KJ(C9<S|kvn`fB&)=7eSfx9o=gMUChlF$DOoQ=#a
z4J3015G{+A=TNk42N@*Ek#cHT|2vbTVS4{r*hoETUHvDhN3F{UXa4OwDekPIcT&;%
z*EWc@!$fV1f5Ek%*|%yNHK1+vpU`&vzbA`1@bAT^k7z&nGa`LQ`_G@?-oyGjL8fZo
z`ZKh@{jWKKH2w_wu=e8yB7Ir=^IxI;{9kbBYs`zfe)n_oQTnI0$H8$|!)J%{rtOE_
zBYlMS&~-G@)=x8*qGQgy%edCIVn3o|kI$KrI>8?2O6G0G8|(F8rx<_T52*i#tiPqK
z$&>NZv99Ur7}0!lnD@!od7N|AF6nl#pJ<pK(R{Vv9-60)D{YIXS-Z<wS2a()D@|hm
z;*pQG@yU^W!W7o3DdtD^FUj~dk+u!vhq~^l`LmYfM%tYG4(?yHum2|EW)SBX(otKq
zzBIq#xP$m<{cvv|N#h;r_p_+|c|6y7j`BvvenUHbiH)i3Pm(kr!f1K5E|@nW<=3{+
zF{0(vw8<-yUt7lN&#ZgLvOc}Q{QU}Z+IH5<H<)vGbC2`@^T_AS+dG(Re_vy=Sxfq{
zCj4=YS<V`>oV7;Rkz1sT^8or+Ys4v%YEEGuJ%u&Jy1PcTJDLNko#iX`$zP!lN;gQ3
zhWY<~yi)cMXJYS3^!pPTPfMwrbE)f_&>1iqZsPMptj|@rhp?}`5FHM?-~o7&=jTT>
zWG+Hy(U)hjhk1Z=+m!k``gk)lh4wAr9_d)tPMc@0$ste8yO?{Cm)U1d=JUytD|bp)
zxx0RsIUM)>^n)z=!Kt7&o{17i_M#o6wd|HSa~kb1g!Dhd-3#Ro%A`oV=^<@t`<w{Z
z*WYRe;ZI&s+C}m{TT;j`H_~o<=m*p24>{;zVE1CVXm3b3gn_tQfvP@h3Qf2h_!cd+
zZpNdHqhX4o?qpPHB1hJjHsIz<s&|j1y3M43u~y)A#GQurW{=aLz403-U8A4vbNein
zaH)*zkUsMYWw3rG58V?gx}Qs7>_2sgU&FHo9T0t{`%fi>eMv@SA0J1*A43~-r(X1K
ziu)w?w{4x(Qfh9Hc=ljDoD<oDp2*s8qI6bu&y()Z4w9qpUZ|q}O2cOj)6NaaXvLYu
zJo1wyIgKQrHk)AX;m(XRr@A4sKcuaK(1N+A9NvY<SyE18PKy^`wsU{JojY?r^Gwg0
zi(nb(d2}^A0Pn%0@G5f+vupjSa5mfl%x3j`M_m6g%!auz5yr#0!1uQY6^rYSfs^5Q
z(0DIJKhHs*igGo|H=gyCa3k1sTh;Ht-4}8|)6#Tafhu?dH2!+HH>y9O{{T(rP&8kS
ztNE;khoY)(4X=C%mw@K2c_~^hEtBfYpwE>O;5+w&<)$v``tkWR(E89c4s{=Q$ma(C
zbMQM48bfzz_<R=bQ=p-||Elw%&o!=wZK!jt&*^YFG}wQ-P;&aK2v$c}gz_hHubN6<
z5&h0uTzt|{PbBVrF}OrB@x_I|%Xn0OpPsGXoBtFILDG?s|Lrg1o#UP7J>%c$KjRJZ
z7JJuw72axpi+85C%sa!o*&FN?ctgCQ-Y~Dw8}5zpMtViwS>6Kweg8fG18<@CG+(p3
z*w%>t8;}?*Xd+EHyENlm(n8`m;kII?Ya{W@X9<!h?WDbQ@NV#K^=|Y(_ErXBnLm>#
zYe>S(j47NZ(j;9vu^MGa7v|D#l(jqkJd5*IPv*m3%y+%Lo4i}RRsMDg*G~q@;WAaO
zmr8k^k+xrckpuFp)SK2O$#gV96E*`(e>2bwHdD>fW~MpD%r>*k)#fU5jk(sl&0pi+
z>)++A@viaiFqeAO-lN{*fo6fWeyxm=`~02$NB%bdLw~LRslUtr(%<8p;(z8(_sg6k
zO>=Xax5zu!-{J4}*ZH6LpL<KaOTDuLS4ba5{H=1oIo(_CUG81rUFem2=lkylT-KG(
z{ipnUyo<d{0xJX8dbfL5drQ2F{2JzsX^j8rGDXgjb7hg7EjP<8lyH@7l2_#wGcwRT
z5FbbgBnCPJ+66iW+6R&XEyQd7C{0~UV+W*`S}Kq-SuD@U8}hMyYZjYwb0y_mZK}+3
zW}DezJ~LmMAI#6@H>ZP>=L~ZWcS@XT&K&0i=Va$h=Uiv8v&6aDxz@SCx!JkZxy`9^
z9(Epgo^qaXo^>`kZ#W-0JKR{eh1=Q<yItK(x2K!y4s?gQ!`+$g8SXjmVt1Ll++E?W
zcJFno+~?fa+&A2}-FMyh+z;Fj-R)k$i}hM~ZN2thme<GY=S}vec{99Y=xf)|s<(Uh
zdJlV#c~5%Jd2e{{c{{w%y>GnllZGXYN*bF~oHQY+Bx!2Ws-()KCxd}ti(o=9IhY>o
z7VIA!6`UA6CU{ElqTrRm>w~uhe-4>Y<50^`e5hS0DU=-Q66zW18yXTC9vT%I8#+8R
zIaC^&8agU8Gjx1tQRw{8C84WA*N0Yz?h36BZ3w*;`XKai=$p{KP+d3>ZX0eN4u(_0
zox<7SUg6&1e&NC4!tki@so}H3=Y=l~UlCpzUL9T&zAJopcwPAZ@I&E8!cT;sPHvr?
zkQ`1<N$!-~BY8sdl;r8jmnL76;-vT~EmB&g#HX}R38r*QDM~3znVlL+uS|b9{jv0?
z)1OU$G5w$En>w}ZbVBFWohNkutVeo}{=a&4^}OFBjFN12YcuKXHS#7c{#~SnuQrwD
z0b2M~^NHDIzA*dDesjP{jI?mEGr=i!rqjZ6ol~3z&LXGWS?a8GDx6ic@M>E4A?GpY
zN#`H5@Qco7XRA}oYeX&FmTsb(N(=X(h5JTZcz&dXm(apjxL3KiyX)Ks-RIrSe`sOx
zV!UQvoR{Er@Up!;ufJE~9pxSEo#w6ZuJbCrd%XJ@V^4TB-s|2L?-OsA_qF#OEj*GI
z9#0D&d9a23U~I5$FdR$^b`9nP2L&etOM-KQ<-se0SJT3kA-4FTCZSfL#8CTCIFu6V
z8p;Xv3k?kwg+_;pLldGcJR@{;=!8&t=z`GF(AA-e&~2f$p+`e6hTaK%7^)3@7y6MF
zZWT@pcMOMV;jC~DE!;OefEFGZo)?}UUKB15Umk7YJ89v2Y2gRM>%-NN7H)g6g^QCX
zCQqe>S43O5B`w_UU<=Pm?MMqhl>TV?Q|UFd@XNGtT(pIE^+@T_?^lVoFpYfZpZcrn
zkBxpFbf~|&>o2O~mZ<)u$eMI={mJ#Gz)AIU>yNKz#o@`I`lH-8)#Z)##<*L&BKJl8
z#OEwv_u%#Lx_jNc&R(jQqTi*|e_#I@>*Z#+--g6>cio-!m)0+>zoh=+`U~sV)!$eD
zK>dRHbLtn?KUBZI{?Yo!>K|_i`&asTzR2gfkO#eYZ{J<J`@O#ktNx#K64`+z{Jm?(
zxjPo^*rsm%v*W!T$L~0C#~VA|+A(v-(K}{FeV^X(49}i~$E?rqe}A^L!M&5c!mc-W
zy|HsFx<GwDW%m4Z{ihG^irE#rtI4j$yJC3KbeFS>3H8&uPv0lK8+Tm)>4r~h_<ZW8
zr+qs5(-}K=?%c7H9m&qM@Z!#=cHX$NeCLAgE4EMEK79MI?Sr=u+)mAIpHTZvZN<l5
zf4pYfKi^sL&ZLM9hMBs~2{Pke=WKC)bmQC{^=Dlz@<yYhy*b_q-dyiwZyw`ie&iY7
z0PrN@R#(FxZ-K|IME|f>N6HfYbQ-Jp5`1rjRo3s1e|y*Qq!MoP9%39Gtl2+?`r{|>
zHE*-`j<=1`x`*+)-}}Wo&`272jhZ)#Yt*(;B3l)uy~V~=|3<+^;YKNq(i(MYl;3Dv
zqvA%#Hk#Y$%tqMTs9eO)_7C=HztErHm-*}j|M<tB>(BEStDj#9>@NKpf2+Tb)i9A&
zuwQ@_0%HP`0wsZIxTb4Jbc(tINAouv`X^9gKLsK!V*gg3z_>$0@ww3QN8g4|0b2Nv
ze*)n^20s74-cJRtU^l~V$iKs1%S^o{(AIm@pYAR7cX*e1)qw=|N+0<dewRQq|5NV{
z@9IEDzq4QFUFtvUKj%O1En?r3$3CWSWLGwZec2RtX4BZyoE_cMe9t~@Rb*dtt5o{$
z$bIrkWOwtre8%^2m$G~Nnf=?Z?BMFzUA1QamK52+^=A*KJGjT$!_8zDcMLnY+5Wrc
zG<I=U>psrhXP#hh)n9&-0aC~J^36Ddwc&e@c<$^IWRhtsN18;=eH~<mNtQCs*fUM4
zoM1BLC=-&CxI;OayZ2K}PnpNr{tVMc7MOmrkaPE9Qy@#s2)WP{%6Vp_{KTEkMW#qD
zHlsLQUTVh5Wt_^FnQ^k*jF%N=lB_f(Qo(8bIy1$T$&cJItmf|EUNcW_Gso$!P#)!;
z;&HQ39y5#NX>)=6gL{b@?jN2pOXNj!nY>_@$v=5#^)<6nHk<3@4RgJ`X)5F`&aEGq
z)v}ZG<!*Dod@f&`^|F_n^>550{yLd25AZ(kHgg-dN+RXlEZlD9$QE;>yv<F>J7$%<
z%QvK3xj7nV;^b6r93J83e=fHT*K)HlmTxPbH5bcEX1V!?dC_cQKk=G*-E1~*m^aN^
zW{Y{-yz3bAl6l9x=P&V>`&aqb1Om|=X%f5B_I`zbgMYDqxqo#a6i5lA2RaA31iA&f
z2YLp21$qba0(}Gh0|kMhfx^J}Kyl#kzywC_k&N9^_XKyYGub_s{b;E(#W~8E;aubt
zvp=2SOmrqWM>t11Q`yBVWdE|*InTM+DRX8zM?1$jvz*z^vCeVqVUK5zb0WK(li16i
z;>=^ObE<QibGkF%IfK3JS?qf*bk27!aF)2wc<tO8uf6-M*TH?x>*zl3CAk~Cp!<@S
z>~8c@+*iDG_cbrWeckKgZuYvmZ+P9@H@!^vEw4MPXb<)~@34Q(ao_WLx$k?q?gw6P
zcbnJ8{m{#EKl1Y3kG;Nbt=EtJZhwEFzt}&|zsSGDU*=!oU&(!5EAHglNr`DMCz|eZ
zn#q+jxz9Vx^p#7vvs%ji&E?!5U1283m1d$`WsZ=m&5?2qcT6{!qvS@u^SO!pt##Zh
zRhz}~ggH;1H09ipoG;IrOXPX(!8V%9<z;h)d}7wh4(<^@HTTLFeE0LMd5j%nwaGVE
za))T7z&L#8<jPRv@f}VheLq2ln}CckF*1^Oe~L^K-kWL4JFc;Ev`Ld=OuEc6on*G@
zEXSG*InH#EIi{-|Z@S6(W~f|XhRGUpyxhS%LwA}J<t{T<)^hiCH+N(AaIaWp&X5PW
zyL!l+B@degvfi96@9{qM`=(Mp<h#+2%o_RF+#$8*PT9`)PP@!H`O-Wnd$_~<$~^3R
z>Fja7a=v!HarQcwu#3ISS?*l!T;W{ltZ?=@Kd^5#uH(AA&E3ekDYCz<WQTj3bGx&~
z4Y)CGQ_e2U+~(|V<D5I3JDt0odz^cnb<Tax{ceJr=sd%DCdcjV_Hpyve0IJ4oadb9
z*%iO!Y;<0B{^`8peC~YV{K#A4bxyt8*lpsrbKA2^PIG&?xz4N3YtHNJpx<!bbl!5d
zxTD<B&O6S#?5N*!-giE5wmBcVN4Q5iA3L?qcIOjkhqKf9)Y;{H>wM=9b_cix&iC#}
z=PJ%$m-2@CCifKgWOp7r?nUllZjn32_1%e_%&y~Pc8l}2JKsIiUBE8AmD|RR=RDTd
zd4RqAUCvt0VQ0B#vvcpx-aX3=aZ>B%W;-?P@1Nu(_qcnmyU;z&o$O9>OWgkM3{H6K
zoej<l&PVR)?y2n3^~`#ecc;ghm9wdyUN2&=aJzR+;A+3dyNfg0wd~~AvXj5t@8n;|
zD&Esy>ObV)<3Hg)=2v?Iy~q4b{u}<AoR{Bbt={eb5a9KCJ?}cM;{~qaet<ve>{9d(
z_h%yEC`?=214M}IZ&GlB$Bhbi0}(uSdfXC3@b5&^Ex!7*Z&W<pS9G>`x_i*IxeNZ+
zqg^fDYP6fh--2dZJl%0|>!WzfP+jZ6I|F6ktavx0*}x5$HyG^){c)d#4zT#|qXR9z
z?snBC@IOE`4tNXE0t<I3!r4w(HM!b>sTS`Bl)a7O-HIM%(H$OZYXtvebcV%SiI!Qo
zUlC4=!ul)Rv<No~5xkpF%^SR1&_$NWj&U(=@VBFt7Vb1ew7$U8G;Xu_-0sQk7XL1E
zjm5tMjpDOU=H4@cSBYvk@HDJGgFsvKZj1LQdXL4|@@XF6Ek)N^{2l0h7Vk3jev4O)
zK41wXpzIeFU-Np<;(vrb1P|k%fv&d%nxT(a{7+G}13WE<o+`k*8r3`?p!NB<#n-;}
zgvBpIpR{<FqEEp;$m?1384G(Qks8<lec**C1JM_wj6q+DayYsX{t4PYUWuahvk6{<
zv*Gn9n*Qb}-=o~fMz|h*6W)PU@UDfun8?;BTCdt)KLE{VTNF+E!ziDjT93*;(EbPP
z;Y4a-C+r8UN2MNiSxj?O<AZ69?uIXLYkhucF=2EMe2ss9^c#yAjPAAY?yd0dLj*Gw
z{SJO4{7m#Gi?8KVJAm(6g#D$kzZ7#7dcb0?MSrvKo(2bAi_!K}yMeu>7@UfZbJorX
z8jm$Jf{uIE(g>OcYia~J3~dyJKE@gwfo}$cwbs%Gjj;%)RMuWgJlez}N1#okB%rYt
znS^S(N?V|QBXxWv+9FCK8fW3xN@7|@>43Jf==`DW5g{2>n?UCh_R*FURPz9xSJ+!y
zQc=wV<OH-`luWd}MdvN{-<A+cdq>**Bs3{X78<n3$*6`?vLS4dQ&6=}=?Q8R$UIc-
zP;wy6B4?oKQTm{rEV2OY9Hk%1T%hQj$iBuh2<>XoIgx#ir2y5kfh<A0M;U?ku*ij|
zmPaWBEd$7TsM@WJ1ho~k&$1)8JdNgB<RY|plp<8i0CF*!7iAQhA7u>M*CLEZ&M}s;
zsP<iu%TVpFN-+$y$TC#Rtc-)f7FmuKL>Z3`vB(N^XcX;-!z{8A)iNt3Fx(;)sMe7(
z4Yd3q*P&WAWeR9{lrk7?iHvO>OUjd=<pf=mIE7h`Mb&Q5HG>nGWge>K1YNt>Ut5kt
zCs=e1VZUuT9o6!Ht^w@9E$5;~T6FGbPj1mZqvZr$Cpb-67NJ@m5N*?`Q7%BW{Ge+C
z`+AG^ndug(L1#qKK2T=SHALsQ2-^3Kw&=QHj)|h}JIkVLi<uoo+gIxdBHur0`4w%)
zITl?@*uz`29Z#_6dcvOGqU|-;qU#EKe9QId$rfE_*z;So-RD{4E%ekVH=w6kbiLth
zY|%EIZ_%}cbA#m`^h}Gc8=NC7+I9;poQj2WMTE%uaSm=}J!t!Zt|6SiE!w`?PN3@y
zXDZ7hXnB;D=#>`v0lnJ7nOn>?7Ea${DlNJP;hb(!fBg))mU0fWXg_?;;_%44YSBHS
z(Kb-j|8<L$quK__5YT!D-G3RaYem~o>lb7T+Q5yt-?oVAJ5g>z-?iwTz-*1O3VqL_
zdj#`-l$%j)C(!+Z(efy_z$X?Nhwg|Hhwie7w)tmKdZAxfbkD`RpB8PWeHPLFrFE_J
zfc+M^7X3L&DSE&nItTm~r3G8)M2kF&wzF`%Ax?XX?yZ~-7T&25C(mM@LWfyoJX&nw
z-CuDIxA2~&I1`|R{1}f8b~w{;Z$zhqj;T#3?V)HLJB%Ym>)4@e&dIo`SLYPaKK&88
z0M5ltojLSJXEAQ-$)W9?CAjyXOF{eJx9CdH`k)S+iYRm%=LU<>GOn^{n>)0hqHXKk
zYB3+8t3mr?9a?4aFF+r%_~h+8Z1J_O9<%sYq16`u8uW2XAb>sz)MX$B{RdD_fhMT7
z2l&|SXgyL-f#xXv+Ia*2>rkyD2qdCvD+IKyw7wwF4*kFqNJ6(+0`aJp2Ljs8TBqPw
zptTnN26Vf{zZj+8D*ojt{Z{d*UzaYf1VX5>1X57P5=ci0paeRjo+Z!)ZDa{_Lw!r2
zJ4(GMfu1P!q68QVZevTJH%c8T0s5oc)Dq~6###dXQTn%{x8H6{OP~O4WeE&LTU+!d
z+oc}eFyTj_sn7{GecM&LLGQuc3`^ihRLjs6{}MFQqIc>p<Iu(Sz*IEX5}1LieFO0?
zLp5&*%tnV>0>_~<ErB`cd^iKteNL2<(8W<SE`2V-3Ft*p=AyKj;!H*_iE=Eu6qezy
zHZQm6m~^kOI7gvZS{$``g@xZSh<g>RChlPLcDNfi<KDf;;%IsAwdnYE*TDmXS%@-T
z6i4lP5T3=Y_3)fU$F%!Ayo~>;=szt^Ir@slxe(n1uM*~b^fil)d3Q6sf&ba)+ZLT8
zT;`Mrn%8?#W}+WNIT~dgL^uZB9%UBiSb+eaDTfyWvA7>Wn*sgGW!!pk&=xoK>Lmc<
zN$bh$09m-NN3)?1?oZG>=!g4Dv_DM7{Vhs+c(jA2>(K@tb+74q*r&M9px76o9eSF@
ztwB$ZLf-lvn4<NocQFyvmK7GQZ%^%0Is#)@(Yp7Tn<6Bk*IC>RsFpzqLWRYB3B4go
zGJ2!M-H6^4B?YatXdCKXQiOE$HjB2QcYBl!l)j|6ucP#(2#hoDev7uV_dt}cXq83V
z-g_`gH}oNkezWU693>Nd)Z)H{J{E;J$9ux!Zb6@n(gW4{r7pEkd0KZ0?dqw0N)D(^
zp#95JJCt6aX@UDbs_~Uvc*mlB(0eyZZ*;50-G*vfN+0;dqJ7lc5hV}ZWpO`3KZ}x&
z?zXreqn}6Vi+*i!Yte6_^h3Y1Xy5m~kJ4WxX_&=77aeKw7otTlius>;C~2(4KOY@$
z@tG@<iY@*n=md*@DSD*EUxrQw`n`VzI@RK@Kv!A(MJWA8@ypRCE&fW8pl=cK2?i{B
zMh`MZ6(Q{)<5baecCfic$S>H!qG#@4TZ^2CCRp^G8Vp<HG&I?wXU$-mMb1R&$BLdW
zgY-p3&O+&bik>fnIToQFg7gVR&uT$U3uGxu+beoz3)0?-T#jnGpy#k)zD203pr#9Y
zCJWMjid>1(W{RHAf`cq_6*}0W=d)meMXpANSoEwG9BPqkP}*J5b6c>`A~&GJEqV?M
zj<Cp$D1AfGGg*+np~y`reMHgoSx{{Sy_*cGePB*SwLL)Z3WKE<JzE5)SoFRyIMu>;
zIQ%O+7I_j?JHV8qnm6b@Vo>t~L!S(mS%h&LoM|!I7Drp;dGr_y-w8=@u0`(=gC|+|
zo=AcxTX>IIf~Q!FwuR;m@(HT>0pBM{@B)kMKrgiL9g_r?SoFRxc#(zgog}Dff!^^2
zwJkx<KtXLMkZ)0K8{qpX3F;UC`3}9-!oM9L!Rst0AHCjUG`(9adY2lkwCLS>aJ5D6
z>VmgfqyW9$qW5;eH5M6y-eJ)@yx^S{8H(Oz(fhohmLK>9p9Hncpm%%0dn{6jYMDXr
z`GVRfK!&6DS@g~?c)vxouRUPV`@f*p3kZEK_@G7a0)r1(qzHZ3Vw#}qEiwvy#G-eE
z!AC8k<5BAr^u92t^$2n_`nW~!$%5J!L5@MS|AF3_1+~wC%tD{G=>1vn9~PO7K4a0l
zv|x=zjzyof=$%^dIg1>JK5x-Gw%`Vf%t2qU=zUx8MT;DdzGTt6x8O#LoR7Y2(fg<1
zKP_?r`ijM98*Q@a_Y%QZEqb>Re9fZYQ3PMN=sibpvqitJ2)<#_JCER-7X98L_?AWQ
zKZ08<`W;5_ZHwN81mCgfcN)QWEqX5!+-lM9H-hh3^o}I>zD2bCKd|VXM{t`(zq<&2
zXwmzR;71ny9wYd%Mejm_wHEzuBe>mS7NDP4^t+DW4vRS(-D%PL{@|w;b1S;bB5K!X
z7E_7twusvDxrOg-CHRF!zYhq0Y2mwE3GT7zcLTw%EPTH!!LKc%_I_jGJ6{RzweT*y
z1a)2jz6X||&IO>~Aq2m-@ZGQk_gVCNgWwMqzAu*Gj~4w7A^4Mp?~o<9-@@-*B>1z%
zP*)+64jJ~?lr`i)05@rdVxTeZOVB3J0{3NT9JItu{-IV7kDIhZiO>%BHE4TC!hJm&
zhGg6a&=ly*-bwS!fG+sogm#52+|++48+sB3J3={-hr2174}A$k9ftbBVBGYvPyq}f
zOaeL-hU4yl7QraOP$!|$Fc$YCXfYg47;FknfXTSi(Nc@^1Ul8?JdGY@(Q|xghDFcw
zp)#0BTx<;;4aec`jn0AN$?G}v1fY-WSwA!nPR0E>dK#RLo3;wghcj^3q4e+2S)|h#
zT>xj}rcOiWz`3|n(S@)GcQ3RY&c{6vy#Qz{m%0cog)2$(RdfYhg+Fx>x*D#>O<ja4
zfckdcK`UW3{zss<!CknuKGwnmg!ve)f(LPbi#}v=2cz1Dz#V`x#uQiE<WY<BJ^Gl%
z9f?-M<D`R4A+75tabJo)Wzjp4kk&i6)LlsH9bD#+kk&i6T9-8zSL^0ki%Y$PwBErz
z41M0>YG2r3amS$A9-#LVp_eS~M06v(j6K()|Abd?-;AnF;Jl4$or0d@L(HX$tL^r>
z#npD(3~%7y5`7ci!rcbdx(2<U2)%1@+oD_HJ<_MHL+`@}xM_pXhZemr2z_L6=^r6&
z4{*;$YhefOOq4k-^eOHTy368rLqD^)+30Tgob<K+zJM=r(*~hE7QM#`eFe-@?z!kU
z7FYZ1cNTXts_hEyBy^v}EkS>@xc$+eEba_+Km1Hy52L@pueh~M4p{WAD)gJhJsqvH
zxTlJQ1D3#*Xe*1JeZ#GRdi9p0@fJM;hpAJ=yAw@>cDT#Y_7-mm+7XiQXWWE?7Vjc7
z49WO24#FuGJwJy#Sv=}IoMj1IjZ&wIUxVgAFYbRlw6`Td9}D+|ex!LZ$~aLx+BZDV
zqUYi8AQ+7QwP>Nme+nIG@feF?`mv&C=`iD2@$N?FS$wro>kIq~(fNSAephr6EXJ+&
zo@eowqUCTY{<-Moa0PC)Wu?Vmg|4>v_n~Vn{{85kKskK+ZCLF9|3OsC1O7wkI*YG1
zYaH+&M>QPJ{fE)@@Ca@QS6loiPz{IrkD*UneEMoK?XLLr(`4FN@u<t>1dHAQB!?|}
z2arrVDjw-2Q%8zV-%svg@xMlkE&e9-aF{@tH_(YN1@{JYDon@yDoULx{#)n@xCS?4
zCB?D$yHMZae~z}W_>8lZmKL9}m(t4Ozm3LQe9D^A&f;%H+gtqIXwc&CM7vr1&rte>
z;(vmcS^Qdb7R<(f8?O*`1m*^hHc79v_}`<nL;AynVZ5e43e=zfGfMwU#}=QlnqC9X
z;{FYN(c<qzU$*!^p#QW4T$FlL0@&Lr4k)u<kDg!&P*0s(TLK29z7_vRl)CFone-m0
z2kq8_^;z$Jdh~<-xUUewqzDe_{7U>^(Exq+SMvVVV{Sp~$WIAe!&e3;z=_0tGIA`<
zJgiz87neL}%oU~8rv9R8DNK4?8jCw)diQF++zy9_A75By%J|@9;?Xr3mzx<LQRSwO
zm{5{h8eSG&Hfq+g@QCo7nX{_A^oa6c_OjBfaFt9fIi9~Kl_Xacly*4ioLySlk90gu
zhbRPJR!RydL{mT`URl2ps8Qx&;VQRNamnE&Rpo^pstO8AJ0vHEhga1UmsHghc1SKQ
zC6s^AQY>C{d}7q*05<zwc^+d^nOIU)(4k67mo3vYCzhlpSCubY)?pdth<>h?nt$;y
z@~<8RQ4eZ@G^mN;)uz0d#E{hF4(gGboSKZCrG@0(IP<WHCBv~axwJdm`)<7a=s4ZX
zL%b2!%{=B7_UW43Mq;`><`qO;ycJwlG@w&k^>m5`WTvT09%>X5=vF1Rcr;ttgpw+w
zg{jiBy0qa$I!-1<-T{lP@5R3$vWtH?#)m<$7*@bWi6yN4L$A~~hs+#$Nj7X|6)OaK
zyO#mGc}KqtD(Q_epo(8$tw>A}?B(Z%3q_hRvYN&LpJRz1yHTWBfk^XA*eTMY3`jeU
z8LcI8TM@T)Htfgf6(Vh80sn+VSSON58i{;vS0U0qA8JK9Y!T^L!wng6gJHlODgn|B
zS2F7qz-~r3ekt={Dd3+{4TMSIS*k!HWCQ7>mcas80c)WKYGJ=fS{!6R0T3=dpV8_8
zGe@UfMr9kIe4Vki^E8+b%V7;rf1R<n^By=Ll0n!E!e$UQgRmKd%^++BVKWGuLD&q!
zcJZJi<iZ%31xrM_76S3Q60a-qx~>7@btPU`;&t<Yc$wIoiOreVoLM5$JrO8tcgotG
zGIU=6l(jo$?Op?0VJ|aD43JNcRj?j5!A>|JlGO$>p%A74He{`Yb-esY+S#O?P1@O{
zolV-=q@7LL*`%FK+C53TXBhIK80J7ZR6rGMgj(1yk`o6RPyi(`50=7OsDZ5_z4nUa
zVrOsC=uH~EtAI3mlSXgS=(AfSPaqMpp$N)=@OgyKBYYm=^9Y|u`20A?fC7=exclPn
ztL_q*2TOUeGX}zt55+JC%7OIyRl!E61=8zJ8vQeXH2RZ9f70l`RAj&;UIe9`26lv8
z7z49lA*=-IbKnNp2K#tPG#1ie01$W3Tv!6DU_EStop3;8a2u!*DJT@Z#F8OA8;YGn
zv2$oSVCPWm9EzPoYXLilVdpUH9996>ISf08Vdt<)sD`buSEMio!jKPy8(uClVt3?n
zN=7D%6lDVW7EOcsupHLFQ?Ld0h>Y??Mw8!Y@*7Qlqe*8p`Hfx*<Ttt+HUsG%CP2D}
zWkV5^!2+ld8AI4HgdIcJF@zmU*s+8iOW3i59ZT4;gdMvA)<O+z6&XjJjib)SQ7_|m
z0(CZ?IvbDe<FS1_wvWg5;xJSKc@*y#IXn(Bpa4o>8|)LA5DRHA044!(CoC74h~Gr~
zCgL}7E-ZmnupTzSPB<VksSRX8Axs0}Pa^)LHSiQ{fjuHec+e4YVGPWIg|HIV!zS3t
zKdpX1q$EwGl<=j5FC}~_;Y$f$O86=BU@1_xDU@x>X4uWk#W6scr{+U3%z<*KfGXI?
z3&%<=>=!vI4l<wsN_gp*xYLO{ow(D9JDs@Gi94OR(}_2oc+-hDgLpHDH-mUHh&N*%
zEQLyuGVGgK1ZA)QR=`@QfvvEYi^>=XLp~J494LnhsDh193;VgejDrj)fD$e(%S2|Q
z$0h=K9Y>waA&uknMNU9Zpq@|MD>8S#$jRh$a*fC-Yk>NlH(%sb;+#gf)6?L9$o!Qe
zXYlOIr}#32=L>jtwz7{GtciQ>I$j=Z18aGq8eL49i?@iJmnl+?4dvK#exb+(xgr-1
z0P<Z@EpicQTpSC#`G){t>3q=__vBL2TQ&*E?=tkVJtE8Z@dZk`$Q1>!kuOKEcf~@H
ztFZB^6(U!ch+N~r0+E$%V5i8nt9ZdK41~RY43KZde32VS<HlUT@5Whtu|eEbTSRWg
zwwouxTv!6czj-}u0@AzrfXFRvAQNhV^ls((ts7t)>=UVsg)|_o%1J<4m84ZkT9t&Y
zB&|x)swAz|ZGf~^kAYdR5LUuEAlz;HL~i$>Bjf_%ZYSLBgu9(^w-fI64ZM6#m^Fl1
zLzp#$SwomLgjur+*7HJo8VmrQ-7yV_cV`>G|4!oES;&j&wAo#WkO3=U4G?#2CJ=XR
zB~<aUdPl(TZv5`?fOPJ8ikA*6famwpHuq9D_fj|O;(+wlQQzxIU>+~8FXyH8wIUBp
z;stehkh~uv+(V@C@O;?Hi|IAIkUobO5Q+CFpQ{sL9WR{||A~A!z>DTf_+p6XPm})B
zyLp*#BQKe+7pa*h@+>?zK;-#sD1tIr04rcE)Bx!|zn2%$V;~HqyP+87Ksi)E6>NlB
z*w4%AagYH8Py+K{DO5r=Y=+&@7ugfhY$$><SO6<vE!4nP*vpIVF%X7)D26#u4i!)Z
z8=)5V^CEm4WIzFwz&uzAl~4_vVYlcPTJmxtWJ3{@!2(zTYoP|V!d_m6jDaxZLov*O
za;ShR*a*8tULo8o8BhdsU@5GHjZhoeQp+aN*;D{!P!5$)1GTVU<kdtVpI1v@0aQRW
zY=!;2%pV6CPyi(`50(Pyyhga!HpA}d%l?UIHWWb_EPxfT7HVKC?B&M*F%X7)D26#u
z4i!)Z8=)5Vi@XsB8BhQvFb|eOB~-&^*lmAE@Ma>K4Mk7}3t$DTg&Nojdqv)gfiUDl
zG0cH-sDLWi2(_@E7Z>9o0}7x7=D|{^glgCfyG7m>NQ7)Cf-+bDD_||uz*gAH4<2G5
z0|@ud99Rl#VI%D3hY&H40Yxwe%ApcS<K5cG%Z{=&j21u{ltU%dKrQU&M-$lcUOtq-
z0;qs$*b4ha-cN*lDB;HyjQ0=l+s1hQki0)+9Dle9s$c``;l~wW$c0(30G7i}Al}EZ
z!1IrJ{xLRx%vk?;9+1w*6+pTlW824DU^g5Psf`2Ds;vgnuf=csT-e5!ykp=ge(%1N
zA8(Yvoam1?i1R7=d`dc>lJ{pZBD;zIc^d5JOI^Z$QOOTCCh>!fd{`jz6>+{I&R5w`
z0L4%S^PpVh>qH>Wud(5qX;3S&m-u_pZ|C#HFVDYQCGtHs?IX>7`0v{<@&oDquod?5
zLytAE9yS1J{j>nEW&d1}pL1a&5bu{Q+=O83uLEEb5dJ_JKlo?^)!dArb>vmQO^n$j
zhBvN^%m1UtD-hEt2Kekx5)&wa&0=E8#57KX4B&H<N-<3d+q4Gw+;q2?W?RKHCtmYa
zunsoB7T6=Eg$HdQ6AFQ}<A~o<U<?qy<$f`(pv_7^<2Q+EI|~+yNk{|y5_5q(+pPdT
zx5w7@WiSuQVGHc!2NnxpDG(-UKHwK5OmLqVz7;XyIH(qrjIAm8Pz-a#q)r3Er*#Bu
zO&b7{U~lxt6kEk~;(4bfK-|vc*%>=KlRoEOlQ9?2F0rr{aC3$=-B$8r3DW5yK-jFO
z#AGiQ)059V*Ne#^Y_CLEB_<bJa%=hV1NQeJ4(B`5XFo5cU~@ip^sNBG_pO1=!1KO5
z@5l3g8ITXfFoz#K%oj6&v<4NyRxyLo!Q@}CQOppY56ysmVuqFRqXo(|ocu<3utm&B
z{6=DDQ3(*XXaOvR3Nf5-%&0by2BbfFJukcD!Ww>@P{5B85&`$PNiYjYhqH(ozXVnS
z<tSbOl~4sWu$dQQu;=i6D1xoL5Q9!2{fQg-Q3B~45r#ed7@>rhSr+ocgE2rlB|G7O
zn9??Y9i{k{?&Svv=+tbO2J?Y@ro}=U41i*o3#(ugkj^yHIf{IaBHmHtb5uF3h0U;^
zmtta|Bg}ynPz}VHF#s0Ade|eTY?YXqlVCYi!EP}}cLee~dW)E27KoWO4X|mpKq8Rm
z>>?=R#|nf!7Wc8(eQYIQ-*I8!^KpDWPCsMM9LjQhrkE3me<E>C#LklhYQ>zqPRuEU
zIki~KX{2>p3G5Sd`cq=&Pl63%&KLlz_<;do&LqvVVqu<`1u=l%*`#?k;m^T+&K5D}
zt`W1aP|PCy7ZGj|=`EfmhW)-d4|n+-*a~~aoKG6(WApj>K>YK0c78cjKox8R>^y(J
zm<!?{0}7xF7QhNv3pGHv3#-K}!G8(<OYpx4y-1bk7j1>TVlIw>Fyuoq%mLzDOxTMF
zdof`zChWz8y@arr5cU$nUP9PQ2zyC6R6rGMgjz97v1Vxv5N|2*E+yWjVIbb6#JiMu
zmzD$ZmMw&pK;18+elMF3%Yk~kjC#Cm3+xfI+ym-xc`l3r>Tr22>=$!+9ArQNl)yY#
z3YAa|n_;h*E3o4V^1Px7HUjalApVtcK>RC-e<ks+oCn0elK58=|H{p<+x`G%MIxFF
zMNkF{U<Is&8rTYZ`SD;JKLAOCjr{n7@?AsuuGs+FV4s+kv9J>kh`F{6WI`cKgZZ!=
zh;uD*t|iX3#JP?**QLP#m;`fSiJ0rL<9h749y_kbj_a}GdhDpczXJaX{44OUz`sKM
zvG0Z$2tz&;!yG7w3aEmOP%GxfN-;N$fmyH+Rswe2gk3jb*G<^93cFTe*DCB<g<Y$#
zYZZ2_S_SK26YPWoVs35&nNSGR?2kfjA?&S1Vk#41r5Mh5W;M@Nlg{dDF}GpoZP`!&
z*m@i3+#U-ZVJTqq?Q6wwt}|;$dkyKWA)Py7fHd#OfIUFGJ6G_s$Shb0gyFnq)@~4U
z_j*9@nFi#056|x<t$TUCu29T<u|PieQ8)J!=KlR+9w7Y(NdE!Se;^-<pakXs&#Rt-
zO=2D-jR&j6JVdyM$me0wdw3^5HX__3iGcgjC9n#3{@6mmwrbL=CcSFHRhNr-oUo6R
z#uM1`1nE9m1`B{PJ-JrQQ*nTOPtO(e55oLo7Laz02fM{Q%d_W5=XstzPd?9Y5VL_W
zFXRI0y;ua~_u@QQ3Kc+{7i(ZE>=pBpKq6#|*|<W?%N=39n199rdA)+|oASlHN*=G`
z|Jo8UuTKKf*i4+w<nzWHSOCO-qY|oMBh<oPF`O67n*~q~HLzdITf}{9o0u)6x1|Es
z0nfH<f!%OG%-eC02Kg`s$^aYQrYvu-0`hr#18jvoqCa*q@3eso7y!jE3l_j~sD$-m
z-X+a<=K}e#pEvJ?p_(7&l)+PCK3K~SoQS(^1#A}cVIq{nO5oXtg!xeYcfx)#AH@P`
zux~dX6~Q!^2TPy=i1QKYf3#7|$N5kzrnUsu!2vPb3xH>z!~xGgSqgi^?C1!D*_j9{
z0KZQw#O#WN8rU!9GxGYZO3dyu*eB-mVyG1J1!;b<SIn1`e@_gM&R3-O^%z(S#QkO-
zY!R~;|GgW;e47nC`)(4D*7xYXI9MTueYp97w0<DokJ$GUaekT$8^!ET1oGRzT+Gj;
z|4R&z-mlnnfM*Bxh+*$-ewz;!Py@Tg)bYGNLmbHz$Hc%UahzG=xO2tvI>H8Vd^7+t
zW5j8UHYpINX`(o>Y2q}C6{k7zo9`E=#Z%(MEfuHb09Y$dtNE}F@NcyV_KMSnwA&D-
z4gPI5!#;81Nh_W>@nx_Ch|AvFi6?y9Hjod~pd8k~MsX50z;1C8Ghq^}6sKJrqycHQ
zBW$}GaoQ8V{T$dLPKS;_xQ>MDm;sZ-Nty-o#R-l9><NV-8w#KjYQ+g-Yw}Vc&lGG;
zAzsQ_AbiRJaZ;ZWC(Q%mrOkyk;-tp_cBe0Z_2P6QZ}#m@=U5<q=WXI-pc&;*0i?}$
zQclKB*e6aG;&&lV7t-uf2qi$;T~-2lcd3Sruod=*(^a4iWWWF@hFP!xmh&|-X?G{h
z?mX*`fA<R51mx9&^m~wQ7Wrl2&)LAq+AB^rX=cX(X=GCmJqutBY!fFZ3`^mFIK3vp
zI&pGiVJ=hx@p}&d!t|~J^666qYsJYUTpn@q$SaSu^7e?6p9t8IzYuD~=}VZt#jpf6
z0%7_Iw1Etm4}|NFef`T|oj3z{K7eNfNPEB>Aguu_0GkI?!zOVC5`SO;@N7^=Ae}+v
zF=!=h6K8N3D#a<thAMG}WCC%A=EDJTh7qsOgH_@TF96~V-zUz9BEW``<UbNE;&T!H
zqvpXLaYkd$=$+ymMqXpmV5>M|mx?nk7D!{<7IDURgyld!oJ*X;+W=uEWc~*Vc{WWN
zNvTlD&Ps84kD!ILl6c|YDH0i8Qq5tn!{fsL^<+?K)I-!mq|u<#$HilAc|v0NXj-=F
z`-C)&x`-C{xHOAA<@_Ig+UlUI^+8vgs4Kf?ua?Oz)04AIY9O!IV3V5Q=5;nL1EpqL
z-3nty<$8Vkcs+-HIrQxF&NC&8ot3}M?YHE(<6fA4)>(Cz@7i6LV_w@$Qp`mze<e99
zC`n71)KH41YIM^>O3_k1T52hx#cHk|&DG-x(SHKBDFv#QxGXKa7BUd^%kJ4a(5rI~
z(>b-daa;Flo!U7y@Ji@~P^)m9*CPD>N7Fwl9rVp$bIPn)c_;Pldr}?$>z&``ZQQ7~
zxiSUY(y*<ybd+>{6Y}5d_z6kF0ErlrmZdeECh>fFT$qpd*?OksaS1h^giC9(S5DB0
zZ{r8zgC@RBb0^j9mD8tpZl`XBC)P3L`J9RUlY3?j7@anBTHfNBlSYpnJNvXFrcaxE
znzN!+r-9vij&I>L9aorLl$~hK?w8Xy`?r0AhYswk<uH=V|23?Gvr3YsZ$lZHX#F)g
zq=tX*C)Lsf+gcv9vO~nmMk)Ls;Bp5!y>i+n1bUd%l;)Tm<YS+_gyzOf7&K>Wx6E-T
z3?48wseAjOU9-mYNlMB+EGxSx+@tf+u{|cAS3G`kNmkErpN=W%!;c;~=$H|mI;ZA#
z&(S`h^_)vRH=(9`H(2-|dom*_TAQs7)?wR7-E}@#Wos&K$ryLq=pzn0oj->;E7smT
z?%X4~7cN`0XbE*fp5`O+Y|7W1|Giyp%X#Fb<ENp8W9V*vq+PW&`9CU0S~EF5IlfnX
zDt}Kg=hVIT^UtQIvtq<+BflQ0ZK3&YiS+kj|Lc4sqtNEoGLqLXzmU^MBkJD&z1=&}
z?wx-x<9}`U){&ZR=$%hU3aw)Ma|)%UcT>jS`$Ew9*Ur#8wRf+Ubcks~P8yflz4(+N
zDSfljoA+opG$*GxKa`Yrc<<D~Z7zE^Jm+AaXr7SNqEGv@hF%fh>fYgXdy>1^x^i+N
zZ8Yj{)YTJM+R!phuvKR}Z8zR<+N|S^ca%0qMjJC%ua>F&J!PWlIcZYe>&}Y0uT1OT
z=9%7guSDBO?jv89QUBljhD~$IM4dToy@&We0A5P`I9^4H#{UoXu6;;*PC`oOyr9wU
zi+M}~Th8q_plyC?@7zi8-G;{=-?ek<ki*PNbv?TtmLInH=(rh7KC%2p<ge^(qyxRt
zUkvoflF?X0G`3S|<lj7xtPKGoHIBHNL|wL=y-cq_>r^)oKV_n8T26oUtD`oYO8q@%
zM*UKEf;r-%&Cx!-3A-BoUjF|$n%(HgVND@f6QU*`8yRi?MWmA?NBw2_exJ8=(r+fM
zqSo{8qvNve-!$6(%{M<GZK*oD`n8MpmPol;2Tek+K_;)Y_Ke&<d8q;Z&AHC0Ovo*#
z%vv0q5bMRp$1a>bF2?n87v?R@_1plZzAa^V3jdku^qu1~PsqHsZk?HQEsnbDqy5O~
zj{U7=>R;L)t^Ge+u%k^HtL+nO+our@+bS*oV0}Wb9!9&(L7R{KY9uC(Kl1C5o~M@1
zTAFiWu9=9PH(!!-TyEXnI`8VbFq`?IH8aG)dG|l|RCXzhDP13ekv2PYCeZ1(bIu@E
zi5^bF@?gdcI&O5AE~AedH0Zd)x^y}0xIvjCdv)yCYh-3rW3x-o8$W*0<Q`d*7mXW#
zUTOBIP9u*QH1O!c^z=eqB}R6Nt`AMA$L5m2J9vN9(+}+l>}8^}Rx@S-JyY2kJfWed
zMONJAydKytGU9Zxo$_Sf)Pl6sg3>;7k3MqZ<Rhm$E827)-6wZUPP@7TrfA5Bk$I6i
zo65g;sdd(emuaH5q-qnT9x}+<sYg3)vnPe!C9A*Jty<bqZ`3=sq~dB4akXP!>dw5B
z{x3C`z<S%chijKy-5xY|0+HDvvfPgOmumc>``CfqoA)UhoYGL&$peqfO_<cDZF2Lt
z7CC)870n*pP^p7w7j^n5p=;liK%bJciW=&E<QbFm8fSKE<Q4dhwQuO$5~j{uNTN(@
zDCfV8;uc!Y7Fy0f>8vejgcgxO*pjUfn~ms@Y`)DlM&chD!`Epg^^oRxHRp(dDaD0%
zO~2)=lgCb&F!p3;MeEEFy~a*!S@(&Fulv%J4lWpytK+OI^X)gZNiR9LPPA9U+8@#)
zzxNLQpTcDP1ZIo0kC@k<)<}-{bs>(fcDlxOYM74c&snCSDWba{UpGG?6Lhs<Ox*A@
zyXB<L=ryFMWl~1M^n~nAiJ`p1y7!-z+C4a`N8Yg3;ZALi>X?%jAL=(DHn)4f^zQw$
z+oiT^)3i&Ijv0Ar=>=KsyQlR@O77J?F}Ypqn2gv^m%Oyjg}svOJl~N*9-u7(lrUP)
zu9naJ)AI4sEafqg-sMMDywu*w@u@98dC}Cq=!_mQ;<rb6I+?NGgEZUyo~Ey9`hS|H
zo({C%`t;V;q!}6ax=iT~kRfkZEHf-;^5C?IiCyx;$@yIqi_-=l8Jje0?s#*4-J<@*
z+41q&#r@5Nb?1$rJB*SsLg`~JHt>J8X(-pf^{{_C3jE%XPw3_=+FZTdUcXP_?wfCx
z9^a}%Yp+$umd78lnd$GA{<He^o7LYO%@S>xMZ{sJM4O-a_w$X{+KK<u+KIMFqJ~Jc
z6Lo`SdOC@hM7q=yEMvUG8|hqsu=WtUQ(b#f3AndicI5EJZ5n$`6Pr#QGc`6b)@$6V
z$?)Q(vyN%pBF2kp88eeo-PC7JpFYR;HnZz)%00olnBXt#G^!K-)ty0h3_$++F4E2i
z*C0pjbPg#=bcOj3Yfzj<iL*sx^h7HC31+o8iM0i4?e<ErOXy(J%jKA53(~^0c;=yL
zrOgsrc+KNuCzm|@%(Sv*9pb#^?PF({iDuy1gl<Vm-4fQ;JyZAKgNeO@!Cr|EYPaD3
zea&AVVt0$*`^NvoZru!6Gg;ny|G~KU4KI`)5f^OfwM=O-Y4Qto=IY1OMx>{YNPE2Q
z<hn?mbtms{$-A)(Z|EPMR)BX%o&CORvhxX38oLaW#Y^{$J|{Z*7%^FDfJtTun&kNI
zrnK%wb6ee==BOMeaYWDGc8?@1>#%vyd?y`PhYz0QTWOB1r18P2^^YB&(>XP-=~qiD
za%>tshg3@fb|f(2CQ=sN4beM!&ix_dHxXAT;_`8Yap}IZQ*U-WkyYCdbRNWl*fzc;
z2j%9bGpD=W&6(rcJ~#02D^@jb+d0^EbW%9w=>Da}h3t@u+oldm9XPR9LQZVa(BdOn
zCS<0>huidR+vTLGb?@{`>M}Grd`V2(VCRIcX}YFNpq#%t8`*<(l5-krwwac**&*c&
zs7F9r|7pQJ3S~ETx~XpzSy!4xt3r#J5Gh<UT*(oaZdFnvE^U^E;|oX6Kx)fg@c}KY
zU0i?Px#%(6bV(T%b^}8vILYI>WEJ&nm(p)cey~@1eDhGxl>Q^bgJYAEa-5CNl_aq%
zpPE1D=)%<D9eNgZ&lsB3erSD1CK$Sq^q{;C(60Y}?*6k@Z8&#pJ84lmL|W(f9oC<o
zyIW;X8kpLt;E1g3!uDO`vyzhYGZNZ%&QDJ1n~;`V9Gfy^#(;q{hNh$>^l6>gA!m5k
zu7y22B(=#)O4jzs!oK%tk2X}%!S;yJ>gWG5bg=rP4fN;j(NwRKBAqOb_K2fBT2l0w
zgWWDZQui$>PGZE>6c-zBiuiw+d++#2k1Acb>usr9p%q%4q)zIj&MkFNE9X3;(FAF7
z#%Y`|W^LmL#@K*uOt^5DWdoTdXR}~tb{CdSCVF9E4J>e3mIVyPB*U`cX?@SBsyC^n
z!S{Fn`S>yJ*3;E*SDmUl=hR8ngm<(k<pLCzg%l2t`pQ$y4Bp?Kd~SSfPc}OhY1qKJ
z3$6CVCc?d=;ZP;%U2@!a$M~7KMA*M^;o`_>FtZqq)q=i2X(4;`GMWd4&%@_14`jtT
zpsqWq=j!7$?l0U`EQjU7{-W9N@=m+(F3jK2!lET+J`Ix<C#tDw*63i8G-2i|9hy$`
zP43P1?<)D3QhTKF$WnYf5Q^;mJZqR9^$#R_9P!!H6BB3V;*p7igKa&{drx?rL+&t3
z?p|}JMra%izl?wi<*N`Vht*L?!<aq_Ieq$UNx8*UG@1u#h{9|+JHf2*N;A>UhXUeP
zhrtZEkq2E5F&HwOXXoY?clk2Tu0U|%+&T94sm8U{!_D?-$LY2C+9_xuh0O?i67(HL
zO@(8qRRW5UEmF!uy>F7jb~4%xU_>MqAF&KTL*I{|KM#I8VA&7sJorPmq<<2hj_^-A
z@tWk{=tjqb=y(vHh47i+Ycu>E&D9Ft(Xt|o6&M(fM(T@LWf+vSv_Z*hht179&cO4a
z$yvD;j*)Zy&L#fJF}2xm3cIVJWVEX%=ITy`%JY5hc>8;<aQcG9*}kr%v#l#pK7Hs=
zZ05wMr!Ukwk;_eVhWeuM(X_W*JlG!X^mng**BL8DdPjT>t*KCNe_MllKA)Z`blV%J
zorArp>0EbnQ)|HO3lC4mCi?^IBc0(~U}$`ND3A+x*6w!(60Vrv+UUx9QV8$Cnpnqw
z9_M@bs7iOqKy|uHrAl8D#--i>UMqI610=PBeB!u7{L;k<2?M3zlq43Mw4`lz=lZ%e
zzNfObyq+&6$NInuuZRwuJze_(%PdYN`)Y5YeK(ID{+04EtdI`<d?`Dl_fGE&<R@m9
zmSh8VU5m8VSh;*6q2#u$ucy1C(Qf=>KdAYY-C<vMDAeu4#=!4wetk2=f3E|)b6ll{
zR3Phq537*G46UA4{HkDIk666;RY*it_b0{H<}&mk;!CtSo4eZ*-Rl!>>WeQL{YF#c
zl(n&3P(l~~bN5keT<?{bpC4d;3^p2RlF@r~iTRORN!K>cgPKC=B^5`v(J*cokTx0@
z*=SOB&-wxDV<+DJ$>Xm&p*&g(Gt1xCzWw8CUkqBIUz<-`zK(u%=r$Uu<7~G~$UvmB
zY9fiZGREj2`ksOGdV6z&-QL>db&L!tS6%$y?oMT@fy6W)yYdSz{~l0h;}Wy4k4&rs
zJ1s{p;Kg_!v9tkc<NWv$iy!a(r2F8t3$G;d1&=1qEQAd$X2GrLL=;gMGZ}h_!>O7M
zU($BDw6U@wVIr&fk?D@)T48n9dL9S3_58r_Jo~{?e4v!iR@8OAT6+sEcf4S@>R!Zn
z-F5aJeXjM@zWsPH;hm3IXe&A}Dt$ZB2(;}eM_}BJq>im=`;m85?WWj{QV#wc{oBso
zvt18WVIk~2^|EdodrwE<z*Jw~)PaKf+B?|icJ~eT%2!<@nL9H%ab`BQK!Q5ESPrP#
z3HrIdSz*6NKfTb0U!<;_I<8jd6Vk;C5e|z8L}XY%R%{d}7b|XPCw4AEND>NNkw`3b
zMIte2h>uv@c-JQuyt5*REwscqID^k4<N{f_xX*?bOmtsvV5LZEVm3A(Q*Kpt#op;e
zbn1)B!y~~o6vff0=Pbm-{zLCzHdR}UMMzyFU97^s!Pib)A9I~<ELn$cZ_&qm9uH~c
zx-p$O+boTIoNb_k3v?hgrV*nO`j~=uVvBU*ozTZ<0||Ysu{zui2M<mKQd|yKoK`vs
zX!;m?Swm<wE0waDsM0j|m_Z@?;s>A>3#BX+>c6<gY$lCN@Wj&?t5dhv{9p40?0A@w
zXv#=jalR)eN;o7)LSb5Zma`#Wr^DURJKw{8aI}A@Wu>8^JXIqHAF~9Z|K5v!l=OZ`
z!`=3~fux178})GFl0A>O%6Ur~L=<)-gY3YGO0(b@%|<?9HTv@4>3AkGpDz~Oy=k|9
zFyr^-rc(WD!Bo#sq(9dcPI>&*Y`|BTcO*l@{zyLJ3VJ%5ntjoHZwN<`h;Pu<oeesB
zTpdj<-e@rv9!%50gIT&Uu0`br^l6{vE{L~*ZnGHKZgj|^#%P2$s~L-icr96b+VM&{
zmEb*Gr-G7*Lq7SqNDv4I;7?N3X#2{Zmc@JTjb_`zj!yT0qdPm1U~N;4_uoHX`(>d7
zA!+9xXUi)3_a$Uc<Mt?ZcT3r`UC)H<p@Rjaine(jpgWzlMNf%mcA%#nIBnB;R>&xH
z4R82);=6m7H*(Na;<PGatB$j$*<kJQ#mQ6-CvyLuG~yo^WHbV^(64%Xl-{qM)Cp|K
zo$XN<K6L10tFN`8)!TaV!26-PJegRD$5#@}UGvj?L3#N&emD9o<%W%BnNx!FCDpsp
zjq#Hv<AIl>6VD{SGZ~$jC5m_0Ax0C~wnnEnzx?1zQ@g#Psk3=?|DI+i3{CA#%X?pP
z#Zq%eGtia=bp3~M94F^vtVg_?i{qW2HO67FUyRqDAv(6>KOe?;dh~rIZ8tg{bvcNL
z3-p>K9?fDWdT+-}bn@PNz|_RPstl(L7ACt-w=lK8`E|!;Tf5tcy5omm_oidZZT|L#
zwr<B<?MK(SGj9C<x?lYI`QE(8lk+{F`sdgj;PV{Bc}4CFX#%V3pQa^>XbG}*(MrTh
z!8`OCJvM8M)67U_T!eJo8FX|uxtp`qj@G|Fba`tJmVvwF$o@~XMe-wGZfu-Y8pjI>
z_QTq*BFnMpN`$pt{AFUQK<lCxoqaXvSZ{~Y`>AV&sy1u3L(wj=fws~PMW$fbp-_nH
z`)to9axL=g*7<zxfq4roZafyldbvVA7mLMik1$vdx548kd`WAcG~v56JZ-`Y8a`;k
zyEQy(!gp)<fC;}*!$(Z`nubrP_-2J-Of<a2I-Yq#8`squKBTtCehgV})9_n%z;89-
z4{GgiH{tKo@H<tU`eRk;ma=oYf!^kReN6k_3)S!Oe(Ct#Cj1et{XHi9LmGasiu2!B
z>6)^0x~jjAxwmfSl?m8C15kp_s5?YP+~`JPqhFG|s#bWoXg@S#2h;u3?R<x{Lh&GZ
zLgy<o{?K{-JnT*4bM9v$J!2SL+8#%M4nK}p%G}GPMeeXC(<AL(f13-jI)@Om6E6h2
zd@f%{p{B?3d^MkQCnNsmM;|3eeEU?d&(~gPbt>~Rv<KsYsS3B2kzd+lxl0|F)GPII
zNjHeDV@XRa=kP8tCmSD_3&sZ#YeXk#fsrmrVIb$h0`1cH+KzTYSdp2w6Q34K%nq?+
zYsN-YLq($1xSho&-``NJeV83(e_s3XkAB1=wTHfRIlJuzY|nKytY02O@~KaO)L6TG
zEY|BVw|n?rjVpteCJm2hc$RSNY#fmhGxi!Ny%9@6pVhkX03VtEd}QhWBw{~^d*m^5
z#8dK^#T;Jge4fMmG+ui!*B#*VX-*PSFv+@17H=4mo<&>}DG}GLt?}rlk+GHiiMbQQ
zcVBjJb>G^RHyt{C>hMi(c*93>4eY~R$%$-n6(LUh7t6a!-R!Q>;i2NipUyAMPFx8~
z62^Ue^9aRiVcg(iSj!ofe+Jk6!nPi!*eBq0CbioSQC(V&BPNRTI)TTjuC9jD-V}J!
zgcENO_=E|sYIs@V<Ubv>Qu{{!yA!M;`&pq_Ck-#LBIiZae<Pj&PW_MKIlIx`X8D!)
zK4ijoc)v*tARZ0xAll*gOnBUc(|APtqzR|~34FqY7c_j(gcFYz?XxDFc!|IVOgPa+
z;AIuZIR|l98eT#w8}VY%f8xcW{gB$8kBel9z|#i&_nb!y{1%Dt;_Zod3;b3?`=3~e
zM+^LR1O6Q=@o0hHsp8a6&Z7w@9t}Ek9*O>9;~(G5v!}41B6@6!G`;GaM6wpnI0E=K
zaY!<@lINfHO_Mx~c7R1t^rblOi^w}Vz;<y@EBDSs5gMcNia7VkNFMp7^vFQ4_GLBF
z%<7E#JHuTbm#@7a95FlFCHaQp3iY`KOEj#PN40Ukoa$N2^`GSH3mgXHjkD(%a9T$K
zPnvL=e}NB}aGHOCmo+@BASO-2*V#$K^JzVb_7htBr<Ek`ja2ch38!@-+NTM}yzrP7
zYXY`tEnf2y5iJ+sVPoK56rCYlMdanC^G<=!QCaf?lrcwxoVOW0GBh{bSWZV{*o^CZ
zG<D%{{({>!RdM5l)YQ@H4|F&$6&h!^xje<mrp9Tj4dN{78+HZi!sNu>QObO+B6I_D
zmSjs}jv?m}KL;8Kyu_9yukoAk0`UI>`4|DOc@@^Q3j*LKRX)~vK6Sebd4S;)<-Few
zIq&-xg__YiRv;VbY}SO=M!YuT)rVKo^2zN$r%N)j2vakCLQw@SI3FsWDE`sek|Olt
zP9Hp{k-ZeCx3Ypzy$!spJ;t8QHr|5&4b<Eev&Wu%-t(|_H*xr|e3GwScyEX|(*0nd
z&l(m+ivf=deDi0(eVlHheNy6I0X}G@wI%Sh#D4-jU?tut@Ii@R1m4WosKB!Vr^?Wl
zzqZmI5O`U(7r#quUEmY4{WRKt#Y#L-;6oDMi)v%%`8*1|WVw&?pxkEO^6!{0k8WMR
zBoCt4ZsI}2TgbXDJ-_gTB4QJZSFn^<q(^ey?v379*y$x53v47e;U%T2dr&G>p!F{>
zW)E&(Rr@+1`%1BoKj$>1vp%gwvA>T)4kK0(?QwPjzRni4HEP65Y*~|sMm)n7xjfvD
z-~9rgOSpaUoH*UlCgsN$a1(42oRsiMc5d_k5WX2^h(*-!brvzS*Kpi)@eFhE_7zk6
z5{vNuSRfC+z~`8rpR#A^ckw&w=aAo~?`8148sZp!hyH#UbJV8C;MVOZqbA)3`ZVwz
zMV4*_HZF2>lNpcpk^_52#2F8#$hI-;vqLOItKH!%H$EKx66>wK>e1>jJ6Zeend%K+
zTK+k@C}^X+kkbq&bD|m5;nr|kp8_wdIQRzQE;YQwu2*HWQsB?QxsX2xA<gnRMm)ld
zIIVNheu7E91U^&X`%B<y6~`JuyrkBCovj$2PyH0_%Ub)2seOs9Xluv#oD6WG3nJc;
z_n&qG=}yp{(SIQ`=-eytxCtkjC-9^RC;lMtv<WBvAn-vGPBKj3SrdM}hL4$WqMK+x
zq2U#Z*VOP5+r!5z`cHgAv>(#i(|Ac268J4U;J2D^(vd{_+f6v>NCLl8!_gnU*9j*b
zNt{K@{URPAzBizKkNQQrhrnOXzh||SH@}D5#XksnoUja7UZ_eSX$9ByD&2NOMsMs#
zzF)|S)c7sZt5l=|NEhuOyoT^fe~0l(rtS#jyO8vK{9PA5E8sJFO8>X$T$-|{hRJnI
zMsOcCns6C2$an@9XuBf4!zt!v`>tM|>0j#Q!IxLBO!Y5DVu*F!gs5YY3Xj$N3<YdD
zJ8S<@cFb-hP84q8ftS+<;>Yqgtx()6J5t<;uv>-@_FDTZih(WekJKI<0bLOv1hyRp
z59z{*{E$kOI!>=sMQE8`KCTviLW7RPX{2kK!lp|!a6%G9g|ED#E17*bp>mCeJ%9C<
z_1wGvl)YJ=Nlz7vx889_;n1CX-}r8RBwbLN?t9^j9za*o*I~pJUT^IKeFydU*h^?&
zLhs6PZL0@zFUR{yQL(}zNX{8LGV59w{B}r=AqOo*TZmcFqjyAF3frf~9WRe(Q%$zn
zmbTGyarjaJ$h}Rect@`z=uG=6V{Q2dPHZ2IO#DKOk@&@jFlOSXf{$#)RsJGy+MlAm
zx<3U@d_>@BDHDgme?dbH=lhA)0qimqubs4v>6TR)ny2p$-F|VNG&(Nv$&ybVQ;PaZ
z@pVCtpOU03KVhf=t}@nGDg->cM?^&!qPnk156At}SFI$~XyZV2Pbt$E?sB-AaquW@
ziB5(F5gqrk^061Lso}=+*RD@`yGHyzpWO~C4Rh9oeM`9#;ryC1(1^|$kA@R}6!?S*
zCpjVTvWi2lAeLFf*V%x04(M#eOKd>O58zzZ({mu}={fj){qrNH?`7~kk}o_CnfKSt
z+s7IFF&a*CMBqsiPU8^xgocMHo>{{WQRy1~95cSI;fR0cdZu_zS$j^!^qdlNa=q~c
z_UMgRM`@j#gvjg@GQ>CP+(g7T5?@6CE8m?VtR0aFKo<KRtg9ZlS)*t{R(o#KQ{yLi
z>@?UY@e=Z|i_?;1r5_zT*;@=v^i{{4`PI?J2b{B&{l^Zz?2d!i1|GcTRG_@%$i{{u
z!Ra#M2ZJp`e;O;ExvF*pd+Q5cdT{9tp37EJ^Q9osB?uks8E$LwaJo-0=$?c__e0z?
z=qT_*$a>xmUuTdQynV&gzQo%2dI&<dGd?E+9J-zOUGU{jeK%f$D_@|q5q2@1HB~Es
zkWF+NBDvEJPRv8F$b5#7ZGH^;-knF||AffxJMUzpdF%I<mcBPo`)3Rj{XIf4+<d)}
z{gw2Yxoz>d38!@^+9ypo@gaeyO*rW@0v|Ntq|XREYr;w13w*$Y->BguCY<yi(SFQ?
z)4mY+gb9CzhCknglRhEZUu(iYqv1E1aJ~I=HM~MG@ml*5o8$8@=uG@uJb#GVV=j+?
zA5#o{LH8roS;^&s;5MK%zNOlL;Ms!gZO5z!F#An-jbZkYb-=CRV8+ny&C&IC!x@d8
zPLH&?e9aZ4Na*qQzU+7+mDa64o@mh5%p&vG?%5iFKX+m}<8+Pms0JaC5AZhYD0srK
zs$o3qd;sLLaE%G^cBWn%1U0f(D5q^phCno1Y_iX`I=Xsu-P<P%G$yiAD2KA)E?e#G
zJa<5@{kQS8|1G}ujceS98~4Q9_}N;t=X0n%ht|Hp^|fD7Ko1R9*8(`Y@;m;!-Ez-C
z@xgPp;&EogY0ruFNfS<cOW=b7$CD8E&Yur^9PMe#Q}p~gJZ{42`J#Q&gwyi{K4`*8
zMhd*F;yB+T-d@8?mY>twm%mGEU$h@m+w*=B-2|Q%IQ9Z!=Xw9h;z=?a<HJ(~PJ3G5
z6DFMcBk;0{qd$nj*YFbS;d`+FUTnlOz-!>DQOpbM<T%L&5QF-Nh(N8&l95LVz8n4U
z6o^oAiX*dN7g8RO2!<hl2b~hgT_d7QNSo#sDtI+`s3@|teQK^TG3w|(nQ;8>4UuvD
z$A8Rb;k$^4ykj<dkus0JHGsYzM_)Z$ZuICG*)jq~*W+{vd;uP31=6)4cL9A?xV@4`
zym-{;^&In5)y^E>c)`%|={O~_z2N%88wU?vue|04cmJ-T!L@St>%Td(ygY<wj6rss
zh7RBd<+PY+7ij^mZM6W3&V@F_<$p8iMUl`V3!6?7lp`)8NQD1KXzN46Q7-w_qyjJi
z$|yj9G+Um&VzG}g_AiZBoGu>-W#ZS&-}Bnku5&X7&o$Lv+IYER;OGn28r$r*zc>*Z
zjpaV@m+N;Q>0i9%#^>G!zIz;fUq;_ky8aTTo`<*XxzJy5@<Tt#wtk+kv@jn@0GK!@
zg~5S^CS%ZF^khZ~53G3fbOH8ycfQ@->g#kT0-e6xM8ciVr8_nb#4j5xZA`{`24)@h
zrqxDU&(yiSyRVq=clZ;YT8HwQ1L<mf-`ywA+_#>@_Mo+}d4hcmYrzWY?wkcB^X&A+
zAy+mQ@&!u$fEl(S$CrfD5P(F?*miv59)zrRw)oomx;LiCjQ5xJ#yP940t?B-=dK>X
z-sJfw);8=lXj0g-z0Ah<>{dKx#Fg)B?fVS)!^)R6JY~Q?qL3e2JilVXU#sC66aGyN
zFPQM3Y51@S|FMRTYj}n7YBaoL`3>hGd|b+JHN2{|e;T~Yso^(EyaP7Pj~MV57}`H>
z^=a*IGvFVw#x?v74M%@8x~1%#ZlJfRU)CAzdv|Hyqu<x@7n$(=TKgB9@R)|bM8oO#
zRl26^oUZEcV=WGDmf1fc9&P~9)3>WUw3l{PZ+$)p=b;&_7t(0RJ{bqkjDs^Y!Q#-2
zZxC-ik5w(+J!0v_UK2rw#952nPe3te75<L+iRxbwIuIow@hHT)+$8haR83K0w<W8n
zCD2ZJN&R){N?C*qINZ&i_QFThoTV@2vhKb}pm`{isn1?=j)!nIwPjj6S%Wc)3FGCw
z^CvuRa0Z&+pR1I5mKj^-Y^^+~<$+}<&-oEqp}K)YKq-L`cP(=Y^#RAZRn3|JUgbEQ
z=|}my2;R-{cN7P<s9X3=xm`T&nNIo0RG~^E6lwuFBN2j_GxGLC#@BF#NBVzu>cFes
z(Bw;o(<`B9?Cj9cQb*`Oxv)6UZLR$y>q!sw#zz9-$e!}#da!(DcWi&OsfCRlsQ601
z_|5o8W!IL(u;F5HI5Kf)FxZux%6I#mqwer<qR>B=O1P@Q9+@ll-PQdYq%)9=`U&wR
zChXHO_7|Klaa;l4ka&i0tluW=Q_3$3Tl#SWuG9f!z}|LI?IK>T1y(;h{&`?KB;P*8
z&EdPCpop6y3zdk2B)>@qW`Qd12uVn@Bl77yc$eX{r};(o3dloBp~&N%kSLULM(H)&
zyY+`t&vx%#|M<tZOFx@flIdsTxyDncil>f*Qql2)mC+N^(Z!y^Y$`UM?Vf*}=b(Xx
z>(G}#6Yv5`Kc%>c0Jl~2<7|xFG~kpxVYeS-u*IT1&spQLK;SWHOCbECoOcPl&x8~2
z75KOT|B&)=4KGO?IcLf)<+qk3=tjRgspR<Y^7v=oPl1<MKj+m0=s$AQ@En0>Sb^(%
z^qeT>ItW_7TAgd@n%sV_$?w<+52f(5H(|C7$!qwG!la3hdGSiKujWxAve%H%Ci0Ec
z$X^lDB*Mq(OfM1)xnE69XhS^|KIPCLw3JHHipWrDOl*7WTQ^o#mTcDGZoeUx+HvQN
zLq{fKz5auTil<KH8ZZ9ia4>}oH_UHOeloFkT%EJe@i~idn)b40Z7z*?%!u>36z%&=
zIL)QN$4xlNZ-G}#ILU8;XG}QB8G#o}IIRhRmo&V>ke_G3?R@TO&3%r`Y0<u_wI`hP
z41uQ%_|sfY3;bq@chPeU_zMi}zscpdXn&gl{~VX!0>4AU(NB$TB)>stlAp{5yBg&g
zmT4T2XcPJwMCRY=5u1`Baruc;5#;B2>>ZCRVHJi1r8qgUrbuTMT%P#Lh{{X2jexi|
zWw_BoBX({BKc`|A;OCUFD>=KCgLqYPu(iw6g1Fcnk`bd>e@oB>3oc~j@71(K$VgW#
z+}+%$Y?q(tOT~ISRWbP^k*O$o$mgu9+Wfps(vRl}@^u>Hbc;zl9mhFc1>R@EX&ni?
zV8Uq~3A|*&f283XCY;u_Xg_YkY5fX3W5Q{D2|Ok6%^%@x`?&Q+;BoZdW>4Og<@=2C
zRgi-xaas>yzJ7`K8u1KpvJ<aw`b~I&g%E$iD3XQe@&zr=Q#qQ9&)c4(kzb3V@hDr4
zPONIg1x1BZ#0AMJ2hNSEtU}BMp;$>m4<m1~$TH?uN26pirTTGEWJ>pwqUVZe5lKeB
zV#?w~UmvWJFc&-t$~??vHhjRK5nU%sJZc_eYcb$4fp2~nxR>Uhe8y<sC-E-<PtzWk
zcuL|=0B@tSgv2Wn{|#^p*9pXPGN$Ka?q&ONfm??0Yo90HBJrxk=MigxoJGuK0xd{4
zzl-nf<Yw9O7;+iCSQE4A>`3FDzPF7LU*y}=qb-Du&j&pt1X~%G5U4VQ6PihxH6$9|
zldR@E?)7jy=xTMfU{CgRi)=$|$@GK=k@$Y^kgB6vyNx-AyswBG_twRQJe!{G*t@zO
zZPyc81K-75bkjLQ(zb9HNP+1=uBzo7=vRGRExlj*!B!k+*Vk#J_#&Q*{7$)6{u+R`
zR<NJK3^|sVGdfgLYzfvp-)9vQuEtl>zBIPaARe6T`RE_}0s80A^HTmV@{-glV-)|4
zOd+j$7UTO*jHaSxX0BVmbmFa_IR2{R7+#Gj$jtoVwJ$`UXOWj#v;GOjlHy~G-#RGA
z@-%aEy@_z>O%|+pKE|inb<l%EdpqJ-9_Dc@Q=4JSPdH6P`*q73Rhm%Vr+hxG?>7>!
z+Wa-v{igMK5>MGPs0i?FzW({=$SFF)VutT!@I8ue*+hSz!SDNY8@SvR+wm--OoM4x
z=ovg@ogrNrdt;Kp_l~^*ue+XW`hkJ;X!ywbQ23xB<MfF{waSKTPoqp)?FU-wDbWQ7
zf?sf1LsoaYJ;vTH#!oocO9ft1argp}tBUcf_<IEp$C`MYKZnk`^c?U7@q82B%ODd}
zTp?K_+K(ICbDc%tDHX@seVqTUz}KaoOl$FR-cNy-wDyoShW5~_by;J;Gr&pKOk=!%
zg?pD%=+Ad(MK#>R`$@Xh&-u6@!!WL1xo5WGF(b}pv}oUF!bw&NJY~X3XB2qFgp<q_
zIQE|2ALV~EeAI*!Jw^L*4X-fdvTAsVb#glJ{&SsCw6ALIpJu<~I-tOBmN@0g{oH`R
zz|j8ZTsIW$Z!_U!+Y$I38jk*G^da34<D&gz>KExU;(G<{d-VIHD+&B%{CigDl22fK
z7h#`G;57SERpQiTgz8q}^JHU}7VQEwfDrhQ0wl!kFpbiCOS)#8)CkDtN%jXy7bR;0
zS!?q02_i;@PO)^x70IyXm>91f6k~P!Ts$Vm$15hJtX|f!Z=%#U)Dxmy;N(iEoDlE-
z#`kZ1BfZt6_cguMl&AY^DMx7{G#fcIL{&<9dM5Gy$PncPGiAP?S<`{i;uFXa&dd+g
zo&h5xx;$--LdQ-+$DX%bqtfLP)jY)co$|`MDXvnU?$y(J2pSQc_7Zrd2w-82qB=QK
z{0v{gXS3Whr|Q}waeNyCifwBYiZr1h$!gz3JTb99KXTe1JT_EVD)v}wf5&<<!@cn_
z7*F<=M^6VwZwr?bZg-*_mao71-PA~Bx0WzHH8DE7#d0z;dV5{^^moX1!p|a4D-Pv<
zL0cKpYv%m{DpAxkW#<Gyr-DW&DxX6Z40Zg*_#0l7Zrj3tS|WJ4kj*#QXIk1^y(v#J
zPwQc)oN!N5A=@5ugq>+`I3M-cB3CVJpCS&vhIODgxITF^-)9CsWx@@74fG&=Pqa7i
z1>mG-3OogIO?<o`@&NSHaK4Y_8IN-4Y5i%{=ISheMz1fOA%xdgR4pMpfo>_H^=9(>
zYUer7)}$Nqtz`(pN#Q`}bT#Mqj>pu5dtY`e5$l7YlPiq*Ep(={Tr}jhD}6I3$9PpB
z<ltA<#&eyWBdQ`viRtEid@0ke=CXn~3}m3?8=OXd$S&k@gLe^bv#;MSXg3Afbu*WN
zqW!pRPcrQ^muUhoS-#Gn1D)IO9MVZ{=e(Tb3dss;PdW*Hmw2l9eDi7OB>L~ewgsGI
z9?$FM{q5)NW0rsCzr%6PqXph)!b!#md|boBlpn6)2T6kR=bQ0$4M#pXAD?(mNqbJk
z^qdl|3Zonn)ZkF!%2#j}(fC-5tnIOFi(iTSPAa5`6~(!=Q@%s&0M?Z7ToNw}gO`O7
zk(0;hW4vWWzBBl?P*}RZfvg7zrZYt6i105|H*DaQ4e!k^^hW)aP&OONSMs4iG?>W_
zjjvyIIyIT~1mi)Ddb8sWzi-UzDMmucU{9nFj}`O%kz{FYZ_S}tPe0$6u7;D<e8%4$
z>G3Cq(vhLG4|EiH>g0zR;PW&ob5Odmu8_a3;Roe9*@~~z^>q9>6;u0?<=^=FA)WQO
z;W-)0*Jyog)*$m2t;5>$E0)(-?#FzndGk@rIm(-F((>kIB!qrS3D7hJL_Iw6J=6Xs
zJ3MN$Kw?s~T?^*Giq}@WirAh<EK&STS?c6<q%us!(lG47S~fj-k#)lj8FwaG_liiW
z*VF2KlxhFNT;oGLvHqdry3DMnZ2JQsBj~~N>-qXGa=P|P+wN98X2kiv5bgU+IO%o*
zPnmGi?F3#i;j~``jyNg3Kiuym@PeuR&$RZ#2K;fZ3ySum2K-B$uLykHh+9M2b8a-@
zdo=tS6TYJ1e`Lb-_Sb88h3XY(?Mp1i*B7TJ*EL0ds?;9qXcczA|HL^miFE|+f@)z&
z2d=(?j8?!1zC|mDyf!v|dhC$aK(Yjif?bqaDhifR6f@=et1+E^)I8vELqo%=%Zwbq
z+yJ=6zQF!CSuI7HPynHVdI;GP)k7#`Lr&osgM7$L`c~4g=@^S6=vD?XHmV!?=g<hX
zD2uw<4KfHyAFQsVN^(SL|3qp3koF}iJcwwhUTGaM3}FgYaAmwNg%O$SIe5ClzP2VC
z^b2Po?yN8FV0Cz7J*rYsh`4RFQC{sq?i0k%k$>rJe4oS^^h2?KOn9#m=Q@OFUp3*R
zLkK*j;S^8y=NevOLBW@xpnaV0&ockrUUs$MV_Wc;5$F3;wC^+Fv=0SdkvOk!z@HD>
z0iEqEzvR!~ipPvNf4*qnXTs_E0<V~GvcC$vWW@PCkvMz#Gd~4A`S0?5BJirQJwFo*
zJSA~>df2OZ|EpqNEZ^t-=Q!X00v|Ww)E|MDR2+H*>L(a+PXAuW1tXrZe4qQ2s*nr+
zrF;|C-4Q*j(@RU$yRAfquLygQ{6?Ly>pAgCT;BzZB1t;&N>%D;eT%X}biNqaqD^~!
z@VLU-!56rGq7p}mB+962rL^0!dnXc+;njR{$=^Pld}a6DgA>WbQsh<L_e|{R9o;t&
zE61FSMdxDC!Gz13Dmx;RM}{gJ<B>>g>SS_PW;Puebms%RGINvfzIEdA<<vrGa96%P
z*p?4>=f`1n$#sL=&~bVFCD?SR{?gql2a}dC-KtYpkV)=xl+2L3+?XjyN%H0*Oe#Oq
z3oxlAI=2*HGWtr%QC(kvX`Mx|sdtrm{iXO^lx?ZMWc}mMZ20@s0!%^wMqL3WjGOea
zU1VE<S4rb-vW~RQ%4CQX54<5OpM}TsQsfwwP^9|uev6BroxH%vqD66K!t(AGoLY^I
zR!ix@3al0Ma@*LtFX8Cq73O$pJt|nkD|=0Rf+vDj3T#r8*i(yqePZ`fnm5Ml-~A=z
zj-jU8PUUK}x+dJ-ruB#dhKv>N%$4mhR?9qWu<w&K{dz4q%h@gKL#I?7)0deFe0`9M
zf?OB0VJH<rh&Dng9F~lN5xgdOKs2gP8SLUNtN_D32{!yKl5kDs0bjCBnLaWk>m>u9
z`Sy-g`)Ci4Y=0DMA%wHqbJa2KR3(PXF$X#=A_ge_#lkBiQ>=i)U~>?|qzHj9Um4_q
zN%D6T2}7qsdD7OG1pInD4w%Pjq_`}Ex^8FfgS!X33w9-btTej&)qmj#789ApU?g(-
z-IE6^-a;g{m~@1P)&^K?A(5Y*+BoI(=40LnRp))Wsk=ARos1>O)XDcd;wCUw5BhS;
zvly$eD^V>Rk)7BG|C4d_O{Ou6s(duk2p=h(e?>`NDnq80<W2F4yvAB<x;2GYS!0=n
zWvgu-yFstDrj_L7W!4<y1MCN*A+6AwR*_e&u_o#de-)>uBJ_Re=jb=r&g!au$%)pP
zoxYewkccP%CZ=1YWg?NBZ-0afaKaGV7sI4r0TB>FEP+fcBBZomPIr=zouB)WKTe0S
z4yH#MN=Xop8S4^zveP+l&glvSiv?wCkjVHV4-x4N6_uXsLODRCT4zR|k5a|cCx)la
z&czq~rKSA7=gj{%4-!HCJJ$N2Vg94Kzi6l0tyt-5oguQ3X%>62CDnLISw>o%B|l!+
zABp?MqS4`u*PE<{<0Wr4usWREKaogGZlI9zusg(!4ojtg&pqUep=j|G*?suh?BBe=
zK8n7zK-bW;X<4L1=QSk~(j`%~1e}o0V2Jdf{X}~)V=3`da0i;8j4f8J4}GT{NR?*Q
zPb>0Mx{HBsU7}s)rO;I^3(%0=uU3ylNNYTnvaw)dpeGO*5BA+O*XnN%MP*6mw5Jq`
zjb?qF?a7Vo(1a&78egdThQdB)Fd6gT84Oi?krSh$LUYB{9V{>9Vq?BcZnVEA7j;F*
zB#iwzu(=Dl(_cjdOut^YrtU=HCK|X6ii+-xyg<eQJgNbq1|*2-Rt92C9kKugiD0og
zNd${kOH4|rE#xpxscUshZ9pp6ti>9DZiXU(iZVUM!n<;Y+RdI&OIK58Yj5q>h7gxe
z?3%estrv(Q&i{O|Guv;oPB%9F+*CG@)8T1lUimjp2im{Jla;<z>zuO2y{m`((5M7!
zB9n<ICwiU-sOr_L1x<n)P3Sl#XhKX((1g2kWw4K_7{sOHec1H8GuYZ`?`V$t!P9mq
zY5mfr1C5Q-N<%q&@v~b?TPv16?Ay;^Zv-)Ank`Z)DEi*ehp$_Z)JSf+CrLy!QT!#v
zoEY^13g6b_OHdtIgmZtpydDV!rsFFI8fu?Zlu&hbAirl6O6I}0FsprGcyz@Pb`Lo{
zC-ye?v<)7dh{Wg4OiY}fjkDy+zBMtATCGbh&h%MM8)eE+O~Q8K-FPpm{{26e9j~Cm
z<qpwV<9o6hRJgR0;MsnXLIXAbmbt;1XB}+lYdCw@tT?-1%*MIe8gIYdTx}n3Pn?Ye
zi<mRg8Pqu=>%2MMUT|L?aPRg$)xWzMR1~({usYW_5emgND*by$qtVg5{iBQa+QkKa
zSZMEQ-gVsP8ubNYbD|pg-1_Riy|VwxUtq2EBllF(j-^JoegAE+Yf@|zWf+ikgVelc
ztT17@aN)!>jQLC9l}04aMf}#AK05TMHxb}SWQbBlMNL!2Z!*;wX8%)Ot%e)eymJKw
z9)sc7zVh<9o&$NM+0ohRaHBAB)YB32dm1McE3Tv~h6bWICe>;!D~{Ocp6q?q3Lo*V
z`KU7#ciWq7x#rGhUtgfRqt`ijVj(>nEY0?{x|**U8V3_CW6!-EbQsX<Ib34LU7-1a
zzCnz)6|Yo@QRGgbzMq^+q4kMs<tT*4%asd$!tdFmsxsru1B&Rj!T-tZ8tSD2q3LX>
zIFraPN1}mhBr`HJKD;zBvosQ&jKs5h9q!~%%%2InYz^(>v1mEc+2b2_dXmX#c08NT
z^m}~6VQ4Fiug%w+$0YMXx0~4u@E0<83@MM1W)7zyjD&JRiJg)}ZIgMRV2!G(P8Tf6
z3>9r|X@Qbz$M4YjN_l@S9-WAeEX_<T4vh~DW+J13XmqU*o9Yi_)1FkgtGBxB=m`(|
zJpGw8Mi5OVJ%|wK>5P=4vGMi>n=730$A*$_zTaq`e$9Df=~>QH7Ng3^naWwRe5Ulh
zM*NWkqtwr#t?4tR?KEjhH%u6_=GR6dVydu?lI3IbspRa@^2))(yRxH$qk-($)MEWa
zMP|;<OrM#F%$+@X>N0J@Fjt%ZiSw5gXFQ)isya<Ta(o=LM13RImboGe1=*!3+MIGv
z+eFn=b*}U%Wt;|c+Cl2@;q{G;3H3zC!nwxB9xK+q#}A(h_C;D*RBizU$MiGAPFf`I
z8GOo+<doBd7-^iIjq8baOS`-_Cjh^#tR*P<gs`BC3<A<ZH6NNB!89|*MtXfI{YC?1
zA-io`iWyrACz9dBuK4_{!h*YU{ksQ)@v*f`b|S*27f49Aqo~%6XJRm<$SWtl9`KKK
zdltt}29mMq6QiRiXHeBSGq)eI+E&iix=vilqS4q>L7%@kn_53h{1fzH|Bm$-#o6Ol
zRd=~0eNcUG8>$FekdIcS3f+bvJU$|FlzjDqLgHje6jD!?>VDixArgSknl975ihc19
z(IXTr)Ra0ph&xd}4LZb8n;86qY~z2>D=n-jv=_<8MG*|bkN-k)b9D>VRo|CdJuV($
zO<}N9gv*0FDZ5LDaSg}pk@Dz@Kkca?Y(Cd>cqP!^as6KfjyR&TXQ#$b&&B(Em9Ah<
zX{m7hiq7_1$G_%BV2=VDW`x&_^+WB`YGPi(1V)jUcIl_1lMIy|rvkwa?vWEUn4GZn
zyC4-r79x#LL}PN5a%k98NS3%H0u1P2LRNmrf+vSY!~XXe3Jbrp&C}5|T6MeJT@6mR
z`@1uP@m+)LqqU3CQLNl3v)1<c^T~ME;LK>)2mLKR+e0@eD3(s}%AfH$8PM+^+KH>+
z1SpOU!Uvg^@uf7jF3B}XwHA_|d=(yW7^(moz-Ysktl>@~_3SU|PeAC)L_txRUmS(G
zxK{_x$IUE<j?I_-Bf+4{-_h^O?2pIyWqkb|es=(6vP%m`4;A}|Q|Y08$FaS`*A7JD
z?Gvr71L^cYYwJXNJTh?Y@ZMt!<JtV-zP`ixEXnj$*onUkp6b?bx|3yfb@}%PDzC%f
z!vzMFz$8N;IsH`g9}S+D@>9=F2H%F0y{Hk^JyD%{BEIp(4_=$n{4dEoJ9cpmiwAuq
zee!Xf0V9^H)O{nplKRQ#5{d{ZU7`*th5I1APl`9;N+RJVE{Gx}O_uO<)>|Y@QNbn~
zgef}MV0CyAj}ZP>7UL1Z?~-F7J1fSLw_L4`MOt9=u_Wm<i^6r9F?oB#YZCnxhSxZl
zgD||tfeDsDmKQZ4Rb_ou-R!#U0JpKgZZlHd7&|0JW;C^kLH{izBSR#qh5ZNCRx2X$
zB)_{vOz8z2&lT()l7(apRbxu!&9xq+l0Z7gJsaykUSIz)`@ui{W6l5duhSlG!tYpN
zmu-b+pxsL;gK2dlN><CQ*OWFYs!@=CnoL>bf3)M3{MHWW<z4W_k%wAjEXAuvQ)?4x
z1M69eNyb0;qoEA^@Q3VjV;nM~AXtizU5l8O+eq(`@pP*2jYC_=%HL66sBiox7(Q~U
z3s~{=A3XR!8yoZN?EHM~E%UUdtefwzJ;lmAK068%n`SAhJE6!9aQnBg#s)FcHe>_o
z*C$W~DY`y^>Km$8D)=QP{5mmwCk^VjC~Z!pVW6^!k2bd5>mxe|kEw8bjU@YJvd=x8
z5A{c!(_`t}x@~N*_UmxGDV^{KdS53AS$k@^7>ag<)4sy6PqEglvGCaCCwsdiKBqgN
zd{3t?=6v&a;M-~VX~NLDwn|fdCrK9u=i8JGKxZ+s)(QhVS;|D_yNlDD*T{m|UF*0H
zgqMK{;?5ViU?y3rBCdI*L&@!Pll^^N{uV3<H8R&ZkaoKpTU{MpoxN<jl#CTxoBzA^
z&Vm0FA-W?&-yX2FcDvf#?VTu`fMvpcFRd6$2Sy|JiS#RDBo|1Wpc&;jlW^1+C{h={
zxG=o#3AH+#oUOf|*jQ1%e=#WSNAkHT_+TGJyq1<z5hT_UG_V#)A)REp0xi3u-{%Sd
z>yxD0d9W6XCCC{m<+cizL&hRH2MK*dH;Zy}V#-A&Em7jqV;>TS26i?vUQBjo{7coq
zK-{x9>*;YuKVAD7!rpKB>*C%aSPxgf(dG?y40b0yso~hvQd3g_H;A259{pbaVq<rC
zcfNXHgi`y6hWO7t*l+dsF6;YEmt$g=$+&dS`uexwA325H#4KxwOL`K|iR#|JIv>Ar
z->TGTkYa_X0qz1JNRAw;<3%En{G(*C3Gzrxhol^7r()&Nnxy=cAYLg4&uhNRf#Si*
z(nzn|RwHs&|ATJm85o}1$PElFz*nY3_K2%{v@0G~*;%^jfnNMev0^!w#d!f^tjIBL
zwIu4a(qlB_GBB<S+9;GFNKCU4LsGza1=DE4BBpyjg*q<6H^^Qntc`B8C$})^2f_(N
z<xhJl#8m1BoTX@s+&FIK&l=*pv--_M+PJ^?fpf_MjZ6*Q&<D*G2)@7gT}%bbJ?j3F
zK^XdYbxv`CPW4z*B!{9}*U9b{MQ2lZC7)&&hMj;uEN+=hpdHn7r8_60@@8GK3W!`I
z`X0IV0^9gN^}CmJSE$ed>9nTY=!v6RuFnzoXjd_jQ`B%r)40(!s^7|Fys$|)N!jL;
z^*&zdrq<~oUH)83>U5y|Q93oZBC@UxyWPvDm@X0$wj7F>CcB)`f(lNhxpuXy)7-X<
zE7H;lh86NGH5#vN8W!W|&ngP8nljwqbl=Jb?Qi%2CZVSr{L^(RpI%G!0`*JIAt`ud
zr=codF7BBWd0;Jkmy$g|wF6Kjk**=>z1NKVie+Kg?3m`<x3eVz?#mX<uIUf!teE-_
z=JG}G6`yXczJx9$G$5ilaSgh=-A+~kE|<YEIIrQ{i{E9^&n6id1HV8w%tCB^?|a(A
z?G4t(y=(7l54YhB*xOHiW4_|?)aP(viOW0A-^!SB$|V40$X2<g?vFosE~TwaQb3I=
z?}as8takk@r^ihThHr&s6J~TWK~No(j>7s>A~CgIP+!OPHnVv1-tp;ujkSMo+~<hQ
zoSB|JI~$42o}DI(5c}KxD=YhJ_Z~ZN;27zB6bJn-^xY2~;MBA3xv1=~+RokD2;3L}
zIWmQmqtmF)i}jIseX=+iA{L{fY=F}csM1?LGM7xw9Vzz=gjx50efrZst9>U_ba%u%
zJL4U6=I+UjJEAnMGc(bKrs-FXzh%0qVcy=z&NSM614{$N<$h=d6zgA6?ttuW!ORqN
zt4Uo&iU<kxh{5w^yz`Qq7^H8EhaONSZ6hBU$tfFuN1TnaDTyMzc#YxJgV#LR@-W=*
zK4-hN5hriwl+{`ll@duU7N$$P=iWd+j?>e)ukmeX_9S4i{O|I~<y>z0WO+~J<Z?E*
ze5&+xez6#2><-0WT+AK0%vyUH3l<k^*Zl*F&z_tZKRFXqzVQtuHgj@(;v_sJ|A4Ks
zc@g?uGxm#9*XS>?CTT3<>Iro{wqtx$Em-UzlEV%zQ>B?qlcXiwkp)!@cVv+O^)EZb
zEm>@&=07$t#B~eN7tBR{U+UB*@J+oh7E24~lmCx>QT!K241L+fZUkLI`d+<61pWo^
z8^H(3`Pn3;6$#{aP8)K0Qe7a@*r3_+sv`ypX^fARr>h_iT_`4rCDqQzC-yAfJs__Z
zV<Q)9I@9Akn_|?_*OmI+sdo*B94t4Ah-rX$v1uEULdHZ9DmuTrcsGRxEaZxI+nLr)
z=)(|>#*5F4+OeYFf%bmAo02#0M?X8^*^t`KC3HU0?C2f?l6Dnd)lqZ=CO7B$vHgS5
z4rh<MEAH=PV}~zmU$i%LMoN*|<KR~$10KWNb%0Z9=hRC`0jhl^ybToj4!O%$6G;SG
z&kVhwQyiBAG7BD8L&f!KSnKakEtG<jg?mrja$?W$<mB)k_JfYtaC&T^{d1rG^fQHA
zj`AaU?R)mdt^KOA0!gD7*9>r}3wR}YcCe<TOeH;+Bq>?INEbrC5XMcOIow`Fhj*Nt
zgeT`0vRfx_KC%9$J$r^GCp+T9>G6g3NB`z;YW|rI4CHc%&Y?T%cJVvvruF*_QpE03
zhVzTAi(epq1}dqxbh_?OTs)uRbW5RM6n1hRSwR>#Fw$01x@U<W?qqn?AG*J8q|)8j
z=4<I}i~APFp5;w;?qFfC(K^}KbaeOPkT3A8@3iB&zrFDN2lN;f8D?C^fB4y6c%_Kz
z5Dm;anb}QmjCh;f>khY)W|j?Vo(|=@)gv<U?&9moro(+OS@b2Y*B_JoXS=?T)w7qM
zx=AY#{URAdnhj;(3C)YVF~YuW?knA+W9~26K+Jv_L$9}ZXjn+=d+qzuSwndaP}CH<
zA8<t7>-tK+04}4djXPZlNL|FTewG&jK0@`;*eAtBfJ@p%fV^Ihf(&i!;E3f;wI_8p
zE8XyS9xZV@70x88#fmIdWF=BFF6bylhbyA3uGNy(i~4GO2aqN#bTrzd!rm_Koe*VO
zP@_ji(N8iT_Z?t!G#%df&iXnXI(X##2N5^_ogA~}8b6Hx6>Gmk@afsp2S1<6-M(va
zlFLi(Q~fQ*R?xlWm&o13DnM_<HBmw<6B?MXP|?YlG?HHWhq#9}{2iqOBj+vTi4+bF
zWbL392nAs!5toBx5}}{4j_Sr}sH3~L^Rn}qa#w6H9vh5xmD8WRth2YLBRsn9=$qP~
z?VBFVbSU%H*cB`Bss3QFe=5FmMXWlnbYupn`?C9|`Y<rEl|RkC3po+BEUGhB7bC0l
zBXLe7+oFxfYpB(CC|*|VOFjlV+G|}WHvo)jyvQQ6Wfsc84QDXr>n%l{$xK^En=ihw
zFF1U_(No<&!h*G*WXAfO(eZr)d-vOBn$A6U=DGV3Vn-2(++WiM@1T@tmyj|fdMV-p
zh4eU2M4rA&oF&?s-RgM%S@i-(U+W19BV}&*3*);IHI%#1?{AFgJo=Kq<->0gpZ4(;
z$uOI=UTN*pDTlV7IOV`3uby(ypD-hlKdkl4hPYsU+@UUZzvRj#T-(^t)X}nVmacJZ
zYij7|qFWpZ#4V2K_3y<UjjRFv@4+pO3-h%f@;9-$c<qPyElxAo<%7CpuJbV%=ay8G
zHZDz2pITmlMv~cuQFLR3LcUa7Qz$d0UVz%cjD-CRU4q!B-;n72`-4}sc01^X#KTIC
zu0fO+B+k})Sev*YvGyy_91%7a_7*O$wR*LexMPyejtcLO;2jR^o=VkfxKYyTdDpv-
z&b0;F8`^u?=8nAU9c=Ew&`=2ff3Wtq?+|;s7qXb_Vg?Jl&Nt0U6W0((a}hQa(w4;T
zroBLHRmg!>zKfxCMyrfp%~;VzG5gT`XzfXPQDe<3L+3tmU@jr=Y&@eYaEhgO^Fv&(
z3c_ik#pl$;R7sVNYv{s4M;-=>-z9xmoQ24sl?0ju8i#GziGO6r^P{i66pEIJu3E7k
z#SPksfy}|<KCDGeK2>aL`3QA<d9$b36I{;cimv2Xy3*KuIGuHQeFL5YEvbkc1&V+!
zuMHF^-mxovd&1}R6)T{d6>$!)2dxvjt>6;ga@8X1#JUr%EwU>LgBw|BRKF_Xhq!XX
zc_a@+aS_>7YwV-j8DoFJ4qd_$J8!bWvdtRS<twp=0=gb8eGqlJ0cJr&MbTOy4VKqS
z7U412F~VM8cfR(>fw_swQcu1kRUD6JcMnH;3R8V-p?qq3Y#|>S>Wp-EbQf2OxrOm^
zPwhWIJIa&!pt%pyl(~H$)GRaVgE-vMugjwa7NpPlXx~(!Cpxw_A06pWbmV<=1GCEq
zj<DXI^7ujyzl|P5I){RVg|X>V<=S7P5Ac1nccKpweg5hKRCQh=YNLbuLblVrP;zZz
z)lq&vamX<3Sc*&m50t^V2!>ZHUy)Aqra#$p?7-@*N~*C0k!sJ_Yd+4{RAc4x5fiay
zuFB5WHqlQ+LZYsnsh^h!{-*l7s@IGn+DV29f0;1p>iw+fp_2weR($B_qkr|9u|3hT
zwL)~H&?kwx=fJT&Z(wXbd)17IoFkW48mG`v{Et~|n>N;?JcVB!wuqj1K(PyyA&Aok
z(N5Ke$aX>Z1(C6tWDDgY5zm9B18)xZ=Mc$wLBdMaw$?Xx4*whbqqRP^ikihY*B%<U
zbD(x5`}1rg)kVUn$07H>0y=d->mAT53P=vK-MYE}U%!I=tDZ&ZJS6xG*-KUJMV0h=
zv_FMygcZ&Igs=x@A6Tu1Za97FhS1=iet&<=<%;$D1L8H{4hG$>V9=32@zB|iee%Lb
z&pvb_zYtlu>ENClcgN$qZ`^b6rj-b@1l%6K-{S@+fIe<fPGT%+%S%+<ppH}4Edrf&
zg42Vf#4v>!iArzLVi1Ni3Q#4#04Z(4;7zJMDQx%$mP%s25ASJFQ+^A1g!nwDSILp5
zD8%4jBhv672>gY~VlVvs`rO>=p6-DzXE>fne|~Y757F#_;KI3c?CrHv?Cn#HGkcD<
zG)=Wtic@Q=hbiv=^xAyw6y-G1n16#YCl$y+?9PNT%X8|&sHf3mz*B@1jbK+?1fD}3
zpu4b;v|Q*qtH33efG`s<ZQ?~_1PPNaP=K5~M1>4qiDINWh$6D;P4s-jn+Y+z<>GPf
zd<6l|&dq7`_-M<*efP!WHRL>B`h!FqjU>hk$;Bn*pph7}^)ifk%JQ%3x{#R$`ueUL
zZJqP5?f_F~n~Df~rS5P@5RfpO=*t9@MSd*#RYo`oM?s_s{F}r-T67Bj2|E_;EXrvR
zalv#tA_<<tzcSDq-)~!qS-;43qAe{@(099~w+*S+Kfl9D+>Y$DaQS+pSb;R^V7FQ(
zRoY8erC#(}mlwkJB&a~~0z#W=AQ@qf6ZqZ6#<F5vTDo{~89#%4fKv=hQ+;{`5(>Go
z5zG5IPQPC<;BkpVpI|d|$CYfK6!_-vfuEu~%p{(c?Gb&-7U+&Zi4RH~mC0C{?v#;u
zR^oizba#uy%MusAyQbk2ruJ8B_>hVth6(i3@RH>Nyv9U7?kOd@_Ug6@$=Y<f>WL!f
zVG{tiha{ntkS4zBh_wlMOjdGYZ%(}0@k&8WGFA--PzYyYQ}|~rTk?_ANWS~(g9kAY
zM?x|6h9KMsl$mj>Gvgbk@*{K)keDNsdt*~{x1glS0F4p*6SdM6R4s>2v7xRJsZ;1<
z(X9nWAEt<SCBGdKWcaB|xM9hn5abqWZvB;J-)h{NisOzNEc=SfN0J;e6JqE+URg-p
z*Z9<OLxX+a;h!!ySnc~JMMd?&JbUBI%jX7b?@?Y;yW;-xb%Sh!Dy;MMg?hD=^Pt$+
zKk0u{jx+s@b=WIwU+{JYJZ8ixM_ab<GvSnbE}oMz;mF;Vc*TUjR>LzUoND%o=M+ph
zYBWfE*o32Iip0k?yu!z+;%d%29~aM^7tgP1?VnZ}ss5IH&dm~!6TJ-h3-tEvCsdb9
zw!h7Qe}ihaO8gEDM}IWBQC%)^Uxle(R9jts?=J0o^!qygA`_09>$3feO?XVhU!vjk
z`zl?j=DOkcp&t#PR>V`Vr%>+t1L~@-^Xlr62>P8~bWRi1B3k*Hrrcwf3_PIqPC4j3
zP&mjoCeoXr3t}&)_^zh?jfi*14N6KR2_f<l$U4mT0ykQ7X9zFHPPzz12^;tJmN@FS
zB&)>;Wyw&=mzFnE$f||c-(yJn6166(!OVSkjGviHgei$eFEqjI=F~6nZ5cm}{qq>#
zKm2dLPw+SPPmDpsQQPtP7I+`SX-LCq9t2)6;UCxVk_rEjhHsc~TKD2P<0hQ;mB2G5
zoc5={Q-p(;!4G122mEREwJ>#ELuwK@C(_xc;#^->9=$k%FJe4%^kPMwNQG)1*zED!
zP(uMY`B!+INRAuoL;}AazbD#Loyd>zI+3^|%ko*O>nNYIPWnEcvxs_-AJK5CxpXJh
zPT2en<cx*tMDq4jlj%-bCsO_V2o6Z<^Qb1%ouW=89!qs14RMfic=~va(TRu!L|ZyL
zkTyeB3R>?J2kFvEL&lvUQ4n$+MeDUPkPos|^dGB%eUtQBSSqnTlq!QG6Sx(6a0qe|
zzEb}8ar{m9#@px<k}>$tS0Q5>_4B*5<>@j;kD($3mg1<$dsv|>x}C@ACT`rheevUX
z9DalJZn`6?5u>T9`&(M7wtFJ!GUUa@9pOBjh%_3Q{5*Y8$RvCC>u0}S+s%$&wb-y&
zR!(1hTX~t~zw#A~i~3FXs@ur!hQCoUi{F!DgC&Cgrg73;&^A~(={(2p48<KPR!G2{
zex9qlze+#$TtJU7^?Xjqp4E+h!eWVcF+P45#J^Qqq*d$1)>GZLzI&s3G2_&^)yy{c
zF|z8)O6^m{V|VXUuL|7x9!8AG@&P_3c)aBp>CRw^vZuMk{}d}|UvC4}DX;64TW!E4
z&C*H+)-Rv^%F%0`L03ap(0L8rqQWj8yK)Twuf0+GZMrkp2CuT(7rKMih7&W<yMzvX
zAAPZ6ep_{VOZ%bTAAQdYUmohE@^k$sF&_1fomNio3Jh0F{wuMEYj0qo+S}NhmzP-;
z|2#`eydQF&(GO9Zh}J<4{jghhzHLVD0}f@Bp`j~?V!=0x4)6=QX~}<iqxLnTiL(3R
z$K^b<^0AXb$EXe&`!#;ERln^>E-QW9x`Y#lMv7$+@=Dxyj9p;GV52^3)RX_-ci6jX
zpZV+;*qJg5u&&b5?`yx6`h5_;MR)btU?sskpf|Wri~sHC^HALUvGQi+ozQKaSogCQ
z<dAgH*)}|I0W+oG1Vt7VL<T^X66Gn(&kF8CH?@&_K7?0_oFxgH1vg?MDx^;Yi7?kT
z(ILv-tB>VZ%7I!XP+rL&yZY~@u3Sl_R<4{{Ro}4HgI6}z?zV<2i`ndAC2VE)G+tR-
zJ!MVKpBf)KIooGFdD7Z9dva|2)O^y)&+}MS&?ae|q_H#0H0Jd#(6~pp{??tJ^e9&1
zFO3#a#DGE!#M+_=7_t^oC<1vUiQ|&4Plxnwj5UhfL_}F}iy&Dm`FoUP^01+s?_J+m
z-?zTL5t}(N_Up!5U-Z^Do;ljUj@I7Yc;w6*-#UGAve)`+>L>V;ay$4=N%xgp;(lMX
zXJi@({0sR<X;qM|EeOqqd}c|GP!Eehi->Q*2~bXg%7yG697?KFC?lnpPxN^T_j<BX
zPa1bl&79kv_C#}@d!GoF5*|!afB#C^?@pA03k{y(rH%69&4&gC4&A(1-dGy;G%QSd
zN0tr^R!__)lk+F4gNK$zypy!&!FiR6@+Rt&7c$v;9Ze0E;7@^vIc}TbIA9h3BaSz3
z#VtSOc#8@D2?)5|{qsMCt>%C8_MHP;pMQ+wepKK_f8_7-J;Cp>r#)e}t9Qfw82x-V
zwO0;{=Uk*Oh#0dNbkqdwj#@pSOGF}_$No`ckZ3J+VrDuqUo?xthberp=OH=N_#pC)
zi_A5uWeCfmlr2Itr8P?Ve$w$Q6E~obwi~WGK<q*_&Wo^4vwo|*VdDv^fDs>G%N7oL
z6!;xHU5=o;sjJD+8usP~ts{H8`xD(tQ%f)sclygo-;^UVePUwzviZc=;!VYCt~wFz
z@i$U6f@0<J#cot=J&`VlT6>DSiicphP%Qg4*OX@H86n)6^nBtb7R^#t=R1?eB<ORL
zC2N!ZKT2WAU~J^2Ml}kYPAO;Fx1~}A>G5iHTJoNb3TlWX9dZ@$A}Lg}k>aA^n;904
zV4hSZSH6u3iiX*~?(%9SF;@wf`&Tw1)rG$P<FE>{*Zce9?u7+^cUx*G*3lX4bB|6l
zg~it&R^C)TJQerkX7fWEp@x<#*GhY;fk<}hmZ>LQi7MOzw&|uww%8ra2HTGxIr_e%
z1)<~GHrLp{VBLf)`^}W8TRW2b>lQJ2t_MK*O0C?fLu9d7+}uIyn^Fd8JLAM|<!(`|
z1WFbA2ZnMe!%KY|-eNx9+Ay%IX`>}nm?_vA9_|bTdfgMRecj87p2+cQZyr7Ik5^9J
z@ccV><u4;UHQfpJeQxg@*DWQN@K~HjJrdY@xGiB2>$(MNoIDp~+ZOAZI!bF^zXOOO
zf#9uIT`Zbk0KOLCspt897!)0{!V05`UwxtSV#;6Y^SV+KnPa!Pr%%SSNvfyWJCf@O
z4eu|{%{xOW@7fVxvh08_e=xsmG~;lka;1<LIn${*Usu@ejwkxOzT)U&e(=y_bm7>p
za3$O4be>&KjHbb<h%Zy!?Du1?ik2%?EwwH#TGy2>K(9sKI3y%_&HF6kHa+sRbz}S@
zu0=I?_klVTy%6IZK%6?&ea!2Hh!PX3gIGF1J;_)+raMD_UsxRuk7u#6EAz?xzF0Ig
z9xF@^j<*M0-bB}Ji_>ugVCL6(CUteRwV{22C%gxHhCN=&pJvL8vYzSp28Ls_h?u2_
z7?`)<JVJN3ns#knCYn^yxVMfH%HW^J2vyTQ`ErwdFE*l73}2FBeuuO0iQ1vE#ED1A
zDYmhz=ltI0o?NVNt{g7yJ=5=*oSW@tyBi12?k!Wketa<2>3<{;Nw`~`ZEbdYc<{i)
z$Q?Ib5yuXlpO0Q~(`}X9c+zXLJG<jOzC}KkRqV4bWA5m7c+*(w>g4G6UkZCMd3-72
zz$bH1DLO{j`p8W|vfoMZ`qJgbt1luroMPF8>lf*ZR%;^Xj>qDjb)|9DZcQE-TAqCP
zw%=X5IN9pY^wvJZo)el&UO75~X!agxzvM@H4EwADJEc$8gX_%d#<d178%}Ygjghrm
z_>s0oSgU>{D=t>DSNg4VXZdg(npES!>R|Bt)2FWw4z3RLWFv0nmx?=*MG$htrTmh)
zBRT0g`sByRbEN!5c;?FG<tt~x7vCM6y=HCgnpsjQ5qtl%1qpZPcTU|Ob)FEt&uVO>
z2-T$RjKmcrD}AVv-B220j;_|$pksW9-E;XDj;3r=jbw{vmR*~_Ww?U?ba}q|8+Ch7
zkMEbdc^|n7`eZ3hQr7ieVD>PJLR&fyeNSX7k<C+m7lHM&k2BQ9ek<4x1cV(nT$*AE
zqOVL@sn>S!SX_9S&8E9reXU+6TeI2@G&VGZ7FPGBnlc-Ot|BTKG<ip77o+W=&d^%1
z2eZBsaZg6xP(Hc4(z3U0vXt1jZx;^3G|o<p^M_aiZp#UEoN{66wg7qP=DUucL5#!V
zfOM<y7NiM^wM^9?D4!Y}CgtMg6SYbr2t0|OJMynKcQxw{wY#0!=*q#!BS&7=(A30!
z;hA4-u`M*UTyxFE8hf4S=Q?D&4|ASI#<yu-)kXJ2ghvN`QTsu$I}t7cC?iblDbi9Y
zYBhpaVVx7)1brm~vzKDG5R@%VZ0fyy!UmTj7P7vcDRxF85hoUryVK!pZ4J1ynMTFG
zm<|=45PizS%AeLApPjXP`oe4v7MI&atE*5ND0GDqxO^`}^oO3x?|Jm-H^0iWf-ZpT
z(!ZrPqqoo}gsL^*Ji@7tt!I+Sf7hNYj`VKy6f=?5hQfUFMoVvgtZ)9_J8l^8q^^42
zjiuB7a{2UaFSvaM{R)C7zZ*Px5n85+-jclf>d<-e1#oZ%Sxl11jaN~(J_4GHtQ<9F
z&JUWaQmBCU;<WIHg=BZ>U+@poiFo<cw!EAdWf{_0I={V*BG!h6J$mK?m*O_|Jh1o{
z#IvLp2E*N%p>Sa&8FNQ^<34uZA9d$rZf_#*b@#a4VR!HNK+u;RjU_6Pj(}wP?QJ%D
zAU|JBOqUbQ4PCpc*%>G2{hi@L$X|$dDGf`F%$*#GCyKZcTbBb|PiIenf6$$qnysl$
z*V5-rtu0L2wb3U})n`QXi6}TAB9>We;lM;ZK5?MXFJAj+S5{_cmzN!}+0&DgXJ=!v
z*|U?Ar)OgeR~|Za?%bh6S7K(oIGdEPhvNFVw9dM1luG1Uw_q+v5(!S<45SUSL_5d9
zXGyq@Ndiy;owQaXq$ds~n1nE*M5NfomZELM{%fp=-SPge)(vOZ^OxAyo&&oO^Z6Ws
z*0!i)YQnXA_+<LrH_kPl`}*b6jSHDG$CkVNUfXmdb_#UEy^ycJ0bRY&)AyNIX5Frk
z1~hO2s!7$(qvF)^mZZU>9uTw#(v-*!Pdi^6W;D&+>Jgf|II4zNnC*=r@aEigv5}Qz
zYBw&%V9JXE0||FWZ!s1qCOom3huQn4PfzvUck|S97UJPlbaZ4a@?@a2Qb^AY_<e<i
z{<|_biHdWa7juELg&vi2iS<F20J82;kJYGDbry*Fr0Ws&g<e~UVk@L@zA)bhfec}&
zviu4Rgqh}8OLi$+s6<EC^1)Kf?TnUs$JTJvc0{L7Pt2T}3@=$5ScCtv#nGcvk%gZA
zxlCfd5<Ye!J72^Yn8gqM;iDLXSN9X|RE2{}2J&+>@Db2DqF&Rg5^ILSiD;ovH4S-P
z9*d0R-oC`v-=W}0g-Aq4dj{)+Ri_%~*WbL`@8w59>c<57@y}dVYx!dG4r-l4)&&P%
zqN<Xb#~}Qv6u}D#Oq3+@p>u>Fbd8YzIr<!=v+ZxRg5NvCDQ|Vr>D%w|hKKez&O9f7
zC=Y$hKOFIts)OEWA=Gy4%*f62uIamHr_RihEu8YI){s|q1J3A_S9OY3G~zoD<q_4+
zu5~$9dP<cV_VWLO?5UT&SI?fh`))mZ>b*jKH*e0eA7PH#5a)w2vVm^=w?!MHG;`|n
zRj1GyR~89x!JJ5y!jgix6GdJq!AX=4ppvL`AaZciy)dMaL9Lb2u2L>5f_H~2Ru=+y
zPj39(->$!|;e|&&@P++vZ}^mh9cE*m+B3hceX8~m4|fq^jZI>nZpS=ja3;g-_;~+y
z`+~eHLhpawR*sTd5;eq?=vtK;9Z7l!4J{4(UL)*glVs53OV8%!6~~~N$a4)}elRnz
z;?%LxpwhU%L1Ap~fwcoi8k##C`+c7KZhQD$EIxU7@Fijix(nHaWA`y-_~K`+S6&^c
zRE8t2$?K=@eU0^9m>_1UKsG#x`5EPTTy(2ESM2Iyv5XQ+WZ9D>r$~exUdgIdLB#Pe
zY`Q`R5w+Cxi!gb#XNv1paxV$P0gNVOECB=f7KIuQCRaTXZ)-Kv73pqoXgJ=`(B2(!
zW(J#GA<u4i#MgFWPj<Ph!8Pv)Pn?+8`?Aq!cywYexo5pC)E^5^rc#sP_(0IHakOu8
zWVp9CG&Z}Ez4P{Le?L_g>)+hNUWc(}kbh&+ZFCL)0<l^c=INlL9;GoU{8))f;4tEl
zU^WyX)ee;tbN)au7n>i9#wYgXOLIM0Pc9U$B;4L)If$xgt>KUPqj_(4q|Ff>IxsPI
zVmcD@4Y|5|`e)O*(Ns@!i#w3$@vnk6?8Tfk;7*bNdOD`tXfF{zN_v-Spef6DBJPMv
zuLv8y@HrFrC7-jD8Qa*dtXOkor==J;7co7Of>?4SLQ1Ivv)S(A?s9Cd(mOnQ-~?pI
zr`Y7dLGNgKbn4ZkyF266zRs!faG~Pp896b>n#+eK<DTqHe&|r3q3N1^I0y#VlaZlr
zM?7B*k5-S=8ds)*m6Wg5xj3|#h6W26IVaDj4uoH6oIOYTC}&78)isv$*k3t$dZtWy
z5fYfgJIam|Hfk!Z1HUB(0oxCa42DW|m(hZR)^C$CRHQxpFHiO4vf}M4hqFU}bl|vR
z+iPPT{)C&(tnB0+E8)PvRN}_xhlW;_P-G(SYFW8_DlmQV?Z;2#s($BiIzA9`^vv9F
z*wH(+o=ndd10Vm`HLpIJ6gmKSKl=?%j1^QnGOfhA`06_OWn>?st^u(Q+Kd!VLvef*
zc3l!v%#HAJ6Jn+EFg~GG!cgb4BCJ@QX*N(fwVa*opZ7+64uAi2a$`2LQ1oY)PgbDq
z*cj`Z>i3W3!<mQQ%c9e#rdD4vRP>hz$70#p{vPF*=Pr*;A0M4MJKx80hqCNDlXpxh
z!SZrp<1CyaWS6HL=@_JCQaKC2Zci{A=>^W-&+#h+ZuxJHb9)NMuafOyr$&2j1K{}8
zz-{&ftm<UP|1s7~JKagD2)rV2Zc}@Lx4%I?2YyLBhwBa;ze(Vhr*)h^N8lBSb3V!2
z-zuMTn*Z*9;CFpioA$fc$=?;vCtN(|I`N#%-(dmFDSt}-353DftS=(<7XAMf@G*ho
zd}y=Y4Vd~#zH*~K<Hf?Cv7?^@qfq`C{(}_u5s6@%^(ET#|6bzn<oLZDr}k$2KCS(y
zWc#=A_All5kI?=y<t@~I7`|-Qm*F$&|5p6v0_Xh?Q5+fiL-Rhsu*c=NLKKT9@vOjM
z;jt(OIUQ^-;PjEtC;Aw1NuN#fml*vzFP80h^7qj5KhMWyv!IQMK95Qq&jha1N6^z|
zd4l6QeFWWXmjB|opbtI&-Ms(Jb^SNu#{L`qPcO!^h@RAcBd+?5@O*18?`QMY{#%0*
z-_n0;K;m2aj|eVWC(Wk*(>y+f`6c|X`M5B{a(>M?W*9j7!{U6rEnCNH!VTj!`PB^L
zHQ|QwvOnYfY}q<q_9qhGGG6w2iEkM%d#%Kc^M&!UYxsCuwvKlTF2?%{wD<7!+yd%g
zJzK;&ft!vs^Ytw7ti+!N-}@){T9cN}=a|+r@J9r`LAXXA;51&eM^KT?s?i7dcK$^?
z-@44l)oJ-2pD(%JfzM0)I~<qm8Th2czs_;Fo`H`_{Hq)n>zVf5J$!zhe16q_68<va
zDOfGu!`tH%tOv}6V)S>u7@w)@*@&z2i|1Ia{CE8<$)6+oNzboIoK8$OtLP7{&&T+D
z`RS$_;9_1jLH}>_c@h590n1bTcLh#-M&MbA(?0zs(O)@io)_R>5cr01UVZ}nedrI`
zm-)OfF)kW!oxfJ>3oDH`r5v_=m-kc73&wj$;@{%9#%HVtCI0Um*Z7R}fW*aoX>@?p
z!9K<FU&-5R`*aJ=>4RLZr>)J1O_2Q7dV>N(F#3u5W!8Q^za)>6Tpro+={%lEpZ^M<
zC&lNGOG&;?>GN^<Ijui9CpCGKBza?@7LRJ*|B(Fro%ke4e3gIx5Bzib{s&E;W8D1n
zzt_J1Uitak`1dh>{`sf)=Rd;t_ks>W9woUvqF=upt*HN7KL<7Vx8>)EXMWmx3#Uu7
z{NzEcUq9jFCO!_jh)=C}(fVcl9IKz6t9_1fHC)E~E%>xX7c2A!LDz=U@^h>qoi5g!
z)Zf=WCq9<6O1j9;F)t0r<@f)Ke=g}_eIEZl#@$e&^&$DVMj7kU4xdZPh|etr(B)NP
zABd4DZ&&+eeM;LmI$ij{<$C$9wtw{Xg1{5?`wh>fe#?EK(?#Q34cExeX@6+zg=PTH
zC%RrOKc{`7)8&QybE3-?@^jiRN#YxPW^U)76J3Ht7rAeAx*$4Ctd}jHt90R?*XglU
z=&>!(XSjZ={2Kb+S^7QuysqCu??sHc#CvzZV<ueJlONgve_#jv6+7VfoA8v@pI7dH
zKWM}$c3SqoV8Rh=EAfm8N35;HQ##JxPqF996`Vd*spoT_H>aDx=Z!e0o4|W_z+)zy
z=qB1fv;+RY4)`l}!0(qhKacSKUnTm_Vzge6ix0mq@4vw3jX3YWz<YPVV<w#XFWNt}
z1OC7c_$zk6?>FHz@8bEd+yQ^kh||4rvVBV8BjkfMoWH7fwQxG*3FmaU8uYQ*=fyc_
z6LC>!PwQXcy#lu^;M~+|z+<xgchUZ5hUY&d@o#SV-3JWqpE0z5g~Y#)_P;UU_e=a|
z_}ykJ(Lwa*l{?@M>d$B0eEo~|1&RMRp2HMc{{qiQ{4wAePB($4B);{Wc*733JU^no
z$<xp?liKs2C)(GYXRFMi@*nmDr@uJo&I70QN&D*wPG^Dl?tsTkIITm`{-GW42X??;
zu>*d;#JL}b&&!Q+A0>GIInMhp@OhTt{oi^{ui_j{{FdXqJ>(_vTjTkik5}NmJK!-B
zPU98rAKC$bU<dpaJK*=5a9VHT`LEmof6$2Y^&{G+OgQmjffr0TtwVuljJQ>|Kiseb
zF6|Q19zyF)Jm-0`{Z_k2m7V7F=QyXou!qb8r}ZY<(|#9t?+$p(gcJQm`-gVGAJ_qZ
z#SZxWCY<Omp8v`n@CS`Jr@v^Ql6e2-u!8tYJm)N5Z|BHC!1ot$zMctB**T8&sOtsz
zoYTqtxvn43_f`Es|Gus#Z2!5gFKqw&y56w;=equ|{pY$KvHj<|K0%)oea++3^@{C3
z*Yyj0&gpIbzN$B@ZVppi6`oIW%Vs|ZZCuD*;GFJ+Cpk`3k5SYs=7oQc)7|(vm(Kd<
zobJZYxs<-d=UiGFK3C<n`ukjJU*dBvy)W@Om*SWBoJ(`V=R|j7|G8AZ#OGYP>z{MF
z8^6z`Jpa6c^$x!fo-g*nId)XXIo%1T^$MJ?ca<;Tdm3NRKiByKKIe2de_!Vl+kdX}
z3;JB;7y9#czOnu1I{(=IbDfWD|GCaj=yR2y=)bS?mF+**`3pYR_>2C1&S&6y+O@gJ
z<Ii&NH<~;HGX6&QG)kux_pnn|1VuD?@ajSF!e+!hc(^0fj~onf=W9Z~qudVRD9BJ;
zA-`Pj(s5@9-njN`YB@yFXU<DRpG9|FXv!SRc}Hg!{y+>`^>Ua^pqs4mSeaH!5>bd4
ztwZw*Um|MqlUQ%$)uCK_Q7wleQ>Ye~c4r`B34B}g4-nnUT4l6MFg0Hes!=q-;#?91
zaM;jQhbdy_@KsN|*Os0>I;2L^3>}_M+kNR&4hAIhA+E4T5c@!JlcxEpi>T4#qeLW)
zs8d3>hEt4FL^x>7@v69Eib8IAxQ34c4Q%YpT)=B{#Y5?p;Yi=yvC5x>Rx_)|eCg5H
zQZ<BdrM|9~uFej7OMG-=l!tC8$4;cjGJz&%rQf#;q(Yw&Lx=i>bpOE?zo+yiVNDqm
zokThvxyyV=r;GcLxB+^uv(opKFMWxJx6OZJ{J@|7f6ToJVB=+(Kc4rSv}vbl+9plX
z+*flqN!zqZ?@sSy+RjWnGo9%i3@|X9gUI1>Gc1DO`2$20MEQB(;;4WJGQ%pMA|far
z=&tCxg0hIZuD9+w>HqV*@ApWW&Va7_`|m)T^vO5h@B2RQ^FH_cJhbnbt_k=4p7bE{
z%WXP3{R;OMvcRhGO0}7l&?%)g#v)XxA1}yILB=>u?#V41YBmgCHW6Zt4ep8SH-(rz
zdGV&)@{POOYd*Q5eNSer-`g9WxO}+BKNOv~YWmW)!R}i={-v{Wr*K}BUEQI3f;}(A
zaFP;UTwS#R!U4R0grN#A;B>;0;2Z{j7yPXPCM5-4*kihfF?Itma};x-u_H!U$ThG<
z`__gKd+b+x-U;|dd~z?mjRs`fd{)HAwQx8NN1_QqZkXka8yiA-`<~l>P0#yxDZ>uw
zC2+=8ifrH?Tm1!lR<{Gb2|c2<@_pnLz!|Le4&-?nt=_p#_WT#>zCic59F_U**H_~n
z=Q11J0<hmg9$v8eIA8|_jIZx+bw6XbBddn$_8XKKzBWdY{D}3W!qTO=jrZqLS{frI
z!**=Fds^fx;#psn2G}XmA31mDb2tI)^U@Gol75Hl#>8B4-KQ}Bc0T{03ah{guDeLe
zvg`PDZ&9y1AFwMp>?RdP*S(#?-mJpj0N70&_9hi}oz%(h(#J5Cx2^-bS%sY@jj%_g
zZ{WI^3cDEizK`Sk&^oYlRoJD{9Q%kqitk<^U|8GVvS)NR!e2-^)$-cPITTo1Q5=Jg
z&GIa6C5fn|))7o3Ye%Oo{y2LkTI+K=JW^Ilx4EM(<XEi!2KOW%`w8wzCI4|xN=o33
ziHYl-W{>+V)1$S?M9{&WscLdX-EC>y)8laa;NWDduYd-ZI1Q?_Ty_$c8fwG}4o~Nt
zmpv=!P@!8%oL-VJ*Jp89jp*2-Wn!1zg>s<fbOk<rio=T=^W?xT1p{BfV_r5{oMW~5
zjg8JAe_~y<&S&d3WTkAz9(JSLF7WUy&Mm*%^R$v0q9UIBJQ+QdN8@-RH|PC$Q_$JC
zF<(38w1~%5Tis!M29Gmz+kAD9OY6^1+o|&Mt}{Pu;4oieWq$9%cK%Gs{Ag#dncj)!
zSMj`c=10#fo!_l^+?6HsqsOhC9-j9ydr0?f_&^<yV#{l&wLxw6BP$&BBpj&XRx?kE
zq3Tv5ol2YpXb`d(Qq2Lr6M$qB&3^Qvd$OF;M-_r7iNsO50jgUJfuO}{vzkneQnKWI
zM~$T=5Ha=-^-3$@a9w?!$yzPHzBgE9-e7K&Vv^VI50=cO0iJGkE^-!yHWzs-^0`oL
zM^O=rPBPFY5+_NO(<GEWA+ly-m{klqQu!9c6eu-!&CD*dgj|io{l-YZVSRVWTuSG~
z9@3kd(9+V2;WuI$RoAVV9rz*q=-SzM=twL0+l}~y8LOq{!c@?PmhnoNWa2bDoiPwq
zEK7AIIx9}atmU)vHj!mq9gd0o#uQs&?<{`q>aLv|TdzIux{J3jZQuTS9HswSb84dF
z;QrC!@!=jWhiF{tnSG2Kf76+LsahI=ppuXyIxZc+xb4Wz*+iO>r0RBZTDx}cSnKsb
zd7^ackk-P2AF4Y*IxW?S^@vg1!l<i?GZFYdh(b3;ltP47feKz`{dqIBz72Lqi>bDu
z-dxM(W@=}O&oqYZtmC1Yx;oP%-{>^B^2;L~i(9sLAAhLx8;`KawsZZGJ~=f$NwSsZ
zpq}3c?x4l!eTZdrBbF;~`iispnvgvP4G8&kJPV%TeGdAMIGaz^1jOlO(Njg#wWq8<
zI??QZRyjeN!(Uls(Y4`>ZI*wV^6ENqT?X214o4{{b4fI4^GSZj%g6x{B?)P~v?niS
zrmuc-qTb%zTvt_JZLYD_+M}%@%lxj*I~OdW)~LPKT4Oevs_L4X?e!C1-hJOGn@_oq
z?Yq+*v{Xsbf?mJD-5$A@*@{2AH`4Cjpht{Ns<H&#cj9<^q4*X0A%%pY76ru*@4_jD
zuP8W*QKnW*r>$>-0ErSn9|8JG00RUVC;@0_l@VWR?eGjmt;mpk#TL597CMA;3}+B%
z^(cvtDzDJFKuYFA<zlQu0`J279i2PK;<GSbH{zAfTg_1pCb(6WaV#3mKsj-9$`Bi7
z$_n75Q~3fYrPmu64j^#WP_3_O4h4eNJ!dYQx!W2HgqqzA4b{N7#nNnE9yT>MTlvy7
zIBl(=K-1X4g|o(*0-@GsSA$p>tF3N$huLPa)K!_P&1O@rD-(U1Q2%r^<EpL3f>c`q
z?#JKn3RsL-vg+~`qtA_&fa{*e+yP59ea_d5yd%i_cn9dyi~5D&e$XxmPgFIXtVlX*
zZ{^g6)`y(HtjLxP>jh11c=GX6K8zkyA3Ei+FYo#A?xmG`*%>TV`~|b}pXZ8qvhLzn
z=?Ao-OCo1M0&SG^>6LSuHQLY?TJ%X3qoFKCv1=&9nW|hI)x|MV>T*NtBR7)cNu?)l
zYRfaVnSJ{8o!QjR-at>%xo7)qetB-DkXi7h!{-cS<_o^g_TEjAjXO-~TyI-zQ?T7X
zJg~91r>i^Y=?SMCso_}H<|aek(s*_@hw~YnALoHTtCqcA!Hu;!i5kP=ges-!iTrmu
zM?ptwk)+J$Lukgai5yasQSJ)LT-c~zSv2YmQ@`3NUZi&vKh||_=MC&`6unsPI@ozb
z@ieTb;8{|hYM|+F0l;W%XLI18Vw|JEy+@OZa%%GWxF-qk=9ECE#i_C#gFL6R2h^8=
zWQktqR(X<>C<LR<t;>B@mM+|53x!)blc}x;$y@CW%P;JH>UEe$2}2?Jl^F{05{ku3
zGZ=Fcz7Kg*%e!0~vz!C30W@UGUy->D=L4vWEb{?6%OWZl5N$;;r_z0{%w(NyEcu&5
z!I163i<bDTf??XA>ZA@e*sa*0V6hF#236;%Y|*=(P`991mp;&s2^sO!X^>$@QcE?C
zO=YXCEbVz}|4YBv_mwkoGumA8#=_M);K+mTyHGbnp72Rz5_w37=aC!{CrO1wvhexC
z9E=sji8mCr=0z|eO3nJ7Mwhv%p}yYXu$h`$t!#SfQ;psxvp<?K8LH;1>mrkV2cJBj
zN{#G3vUAh^f=#BwwY68&S~vK-3*$Zm_BXGAB43XhD9{%cR617cmB`n-`Sk|=xd#NI
z))WCAsyJ^U{bEYNgQg(Mh|x$xspv!XS7^_Pn!i-T1$z;=k*ny%IHS)GGw?oC+QM>}
z*_-TMb5l*TIS@0O|8>{porcVX+rR7FWU8v#q&GM{VfOpt_YWUtt;hdua1wh2HP)n$
zfrhKGzJBezm8{}uWUFaxqTi&bB1_dzl<Gc0ZYlaURg)#(5%FiL!)t{(gF;}UAr52m
z;W(84;cg?N?V7VrJMAp?FZ8?k^BZov?S@(U#Wrm}RnN}X@7cb6kG^=T{?uY|U)8l2
zUv!mW?_R@I7hQa9)jr@Jwmv++T3wSB=yGRqn&q`x>QqhcB%Dvt<cRB0<tXww${jRO
zvIf*nn%fF0dM!aqL*1H(q#3S~5g!;6YYm>G))lYdU0NLn>P~_lnkw(I0XspUhHMUA
z9YyHscqaRYmfl#;&cWcKEjbvE6q=V<w5rOUTkOC4?nF<>Tvf#)$0_`XF+dm88!_iP
zjlL>oD_elzG(zJRr#NV~v}#7YQvF}5=u)fjOPV?UTUq@6*6%MW)5g^CRN{Z*`Ym{7
zBebb9-=cg<Mx!3t*yc~BLO|LR#nVJ>NV3yNuAA}ns&0;T`T4-UR6M?ik7B0wkw;2K
z0=<~@ckDOmgM2Jb?Sy#6IOMY0oY#WWKvI(~p$CT*)oiGht>86Oni3<B&opZ0#=n1)
zMbGP68ATKCUHR9awX}WLj#H)C$>MM9>B;u)xsI0cp~-;(S`$5&y<fzb$QE*+ME<Vb
zTXsGw#qtqaH|-^&O;wUrjEvDbEuER)wK0sb6%OuQ+OcED3j5*`c=B&->B$axbi=*H
zN2%}<jZxTZE%F$970y&aIVT^XEDb6~w6b)WGMdXT*oM)ZUojMnf$0L^K}PVPlDgmW
zcF`!Pk~dP<TA``bp#vH96cBc!uok(jAT=00)4I_-t;7(a^KiczJ2ROHZq6;ASp|V*
zsXcv1+bp`Q9vmDxb2^@wJ;T(Q?h41QxN7R`LqTso(9yQznx$>mY)4fp!WnFcofxkR
z{%KY6%kFb+#IgmT0ZJ=ktvQ~4j4J)p5iw9B$$K~7BV+?;l0QZ&EjFW4!Q3pZt&}Fs
z_U)fY=x<qCx~)1jzNcs4z*H<YbzmSh-tKg^kEfF2)s$X(!))=ZB&x^GosDIeuUa@k
zy)?`f9&+|`&<FKi+NRJ)g#_1n9Lb_gD+eZ;F;SUzIs*p>JQrs~++w3ajO)WzQTe=|
zHR+XRN9^5~-M9atk)_b!_ReP>J9KCs?M-3cF<;Zl=G<hP6^iAq-*$~`9LACe`ON->
zYVksnkzN^)^SHQ;%<C2jco)Gj3=e4TYRoI9)rCC?%~72%ssXO7kI?l=OQG(g&Con4
zx?|_7Mmw}z<0sm~+ELeluuXVlhz8kHO|5keM*9X!)Ze^q-kY~=dyxI?CoR39&h5it
zUv9)yZ5Y#6nf<xw>{wM*@pIralV7Mp1J^Bu-i3B}*yVYDo8~Q%AH!%2Gvs+;tfap{
zAHkkdy)YFrN!wGUnzNm3F1|>1>?;ukBARqzc0va&J5+|&gf?^~<TfM%Z;Qic&m~jy
z=WHC<<4wE9k~`0<gFg84s&n_XPX{uw(@bsKui3VA&5pK?K;9ENboSI$SH!|y=}wvp
z>@W69u0u5|b1SXYw~CzR%34<7vlh(wcltDBAMsgL&y=gOXdBQ?7PniJy>Mdfbl-=)
zjUQS^I-^XsH)&Q@I%@@!8SP}Mb0zQf*nY#!P8`E`Ixmr5uUnG7>ap3~ZoAE+ydLkC
z`77q+$DD5Bx(Qsh*iY5q9lJqy5%3PR=SIbT(pKgedB1S2LV22gtW-3kt>opDM^z(Y
ze3jN}%8DFIG5DQGWsYFIaGos1hDdj&4mox^*PXj|D=hmH?{D-rngh`cdvGf;@6Dyk
zv?fuYRDX<=>gFv&lf%7yj--oFj<OvZrP@`yLZ)bQJjy*$g63?XIoNjK<%%Yz=q5&r
z6Jdp{&k74$c%?+G1|fmC#vn@}%rw}f&Jv1SY@0f>`-}g~t`Kt~CJ6de<s-QQAi-%O
z;1O6bnuk;CTU4P@XtNOhG_sC_Mj`PvA?-?7Gc?9h7T`tq7Jg{a*z`5N@B6&n+xz{C
za|^B>o4nN>oePC8d|`H&c0W)n_PaEyKM4EzHUMb9kCP8l*rNJ_utiH`(*OU~C_<->
z*KCm%{}6dw_BEKL(pQq#7HG~`pFYglggtT+>y+X{nuU5jo*}QgY^6&7NVk)5o9DO{
zzKH<&CIIKQn|=Z~e;>zrJA+*d`XD<4HX-;9w==X;;uW-Bs(A~Ku|nNcFVQG#+eE)%
zVP>S3j@2k;#_Jw=1dqdfi5~l;NBF)PRb+7~0V>5-k6}pE(nXM>Q0vJxE!;U``v`KB
z8<@#%b+e=?x*xvz=54RMvOwG*IJjKcHoLTSY3CUGukov{8h?{DF`Dh()NUW`pBU=K
z*tFWPq95*<GP;w<9MQ;943hjd&3wNo+E1yZ5hp<PkfJ4BaOc(*g<U*r1AEhkvlf@n
zsVZJvb&e^seC^`mRXf_+c3i!6@!I8#blQdIoO9vvA76LH71t3yX$^H!2V|sM+uyQ*
zpvepky`m$E@HCbB$;f6PPc0A%Gn{wa(hoBd^GbO#qyC%U+;uh;f~~1Hn`<^U_jWhf
zOifkwHFj6stsus``ww9Acjdh=&WyriAsHf(<3%w>(qDd{AAonUo6hqaPHfATs+SZ~
zQ46jXatJr9uyn&zEtMHQ@@r9NnCfHc*ejsldQAta;BOk`QkITht`%MjE-fnkE1oy9
zp@eKA3$C7|D7p|rHK010P=11&smSp=-?_wcZF-iOd^uZuhULT@t6@iWV;%Z*?<}_?
z<+zx(8ZtR?`;Dr})o>Cg4`B7Ph`!*5PWbELt*nE#R>QRzijR>`kPaG)I;;Um66&HD
z#`OeC;FYRgwc~qv%rVTrN6prI__|i1xWDixhhJk%gY4B813XBv=e375-Zu=>mdW9Y
z*A(3NDU4r+Gf^A$eZb!mGb;NoNvck=BtX$dfVL9AAOQwT0K)_rE&<3~49JEEqX@ZN
z+E4>%fiU?BP3@NfrDd=AJv4ec25$)iO%an4G($(ig`SBn%6J#$t5(3uP)sR`*D<_O
zRi=5o&SMo9@VbE4EqL96*R6QnN?BsvDA52P(|;o>g3fsb(5_K>#bh#ABaZ)GT*T%!
z#|-ujk3OWYmQ3yGza}mc4_7f(cosM_^Ytd5>WZ@76>C+2crCq4bn6suJ4Lyo(!^#U
zj~It&j$2CfrJ)s$k`#}n?9rkt@0;52=%Y$3WlfCb1q>ShD84ez<13x0;a27^3J~c9
z)+Id=WohD6LW8T}G!ei%@{S*+FrD0;nIvil_zp7ZC}E37z_^OrEp**74}e<vw1NGq
z|J2m0#9O?%sYJ~q4_39MPabngj(7O0KFQ}wy1@$eWDpu~*<33mj9d<i^E8TY3C|$e
zBE-+A3zreEr2Q(AhPv}&->6*5U&f{2BB+RR(4y4@pL(5$39OBDd}>nWI}k+`;SORk
z7}d(^Mrk|dlhpiJ6@64Rr}0r_EI=#ZRk4-wB--9?#hhYTDXJYKcBnGu(s+it0Sygq
zx3}p;0S&mj;|5pVqo2{6-AO+-mO2S7o}p|Vbsp~k)vWb)X>3i~JI7!PEA{J%`luNd
zja$eAjG7`Kgj_@XD`zh8D9Gn#>%>mLI7BE!rGL`jo&pYiy4NZDwnE-k1O+Ox4@xx>
z&Qj%WQk;OQF<g(V_bE<I9v&6$%nHJwiM;Rxb6vOx^*AGHl-<&7Z`kpp6$HTG+N>Z6
z9#W?V!N>4T%qNY0UoyYfNI(Wuh;X?KiYC)5<|B(LJ|7g`f?7c$f?AG<00<erq$b7%
z*{i{CXwJ}}`4mg(NDgmHA5r3BsAGuv+Cr}(G`5K;)7OYe4UX}BPHXxF=uiz6^rX#D
zrY8Wj2%2EE*jb<_D~(%;rG=Y}9_CWwX-kY&pd_RwZPILyEAZULwe?$NHBfuH#$Sk|
zP(OR4+;`OgElyONF=9uO_nmYe>Tu6#oR{iHhYE5!g2WS>ieFz^VjbJa0Z*)65I99a
zut;6tcjRwsMf{<R-^l`B8&9dIqTVv(1{Bz!j2U6~hh^?i=4mo3b<L<eUjt*Q{O*xR
z+rl}+1H0jB8ck;B(0dgHTglNBSm*%5Hg@fJ!|dj(cV@Y>DKc@|;Lz!l&<whwnHpl#
zI6u3JCD3a9iypD~8#b0&XSAa4fL7P+D6~Zb&s>Mr2@XwBBkIRn3oKGTJ9z>`B$M=G
z(OZ-}Oa=5*EbAl-B^l-Bdv^vuxodl)ugTC9YS^~?$;;ln?KjYt4?WyE8Hr4`K3u#d
z`<vfj+`xAO@NLF8eY&&D@m=9dk~s=zZ?yhKj7=0Bt4CHqH6JDA^|atK*kHOAK&WhX
zH7}bjXhP&Nf$yO@D%HMfU}0<7_=yR!e~j&~cQ+c$F4HMHKmXvKUG<IzgV|<U-ucOQ
zje}+$Xvz6}xt0gm5*z%8Bjxp`93MgLvOjYA8N+-gFdxra`l(=u8vT$W1CJVK4-^%p
zhJeJSWlv>yc-^QPjr4bOYa?r%s4JsuJi5f?ANIKw<12~r$pg_SyEMi}(IwFhg0ggY
z?_lgB;r!*EACX{)h)qjxv}YHO@eRdW3(eS7MME_O`5u3qf_&A6;zPnWQR)lDtdZ-*
zeG+d2Jy0IS|G}#y@|*M%h{&CxbtL>>km0l&G`onE`rnc3#2_@NVjZueg);De<J_m>
zg~=W?-<)QxNt@SN%ciBqaF62H`l}P7q-X4rc4s(ecK9vM_6VI_kjPiBcVNA3(1c^i
z&_E_A_zdCsFU^%&i<5P7r&8-oYmKt6CR9m}m5&xQ%yUJFW-)F-vyI%RS%W!LaUc1d
z;^RathprPbn|3*t(+7QHACC|GPPq=bL>@JlC@K5vc<u&|`QZN88(n~te^1Tn&_Bxm
z7Jfa{T9N&FN!_1I;OD9EJ{gYhvj>oAP)(jV%%K~9|A+KFl;G>oq{T_Ak~^_FDbBAb
zmseye+2tC9P;nqZNU;fX|2HW-C7sn!@C_-XR9V}sHwr#NK_n3aq}q3=cxPv>^Zzcj
z<-&<(kHcEm*xcdo-`*Rj4lHL<(>X7dg!N>@*74!+Tx65!eYah4`*NgCUsYXGwW+?o
zs<t`1V^cig@88zlw{J8&?(P`J$(?9t^qfnua*JSs&*4mt4H74&#gt?osGaiCWTWu!
zMKN3Q#zfW5^-9N48|D|_`VaIA?zJbQ4Cid%g(RJg+iv(oyjeU(g=te!Tg21o%}pj>
zzh|(kv-h;K2l|JG4zQQZ-fS?@g~?bvaaU_sxRJSHp-{B=j<!Suhi7>2G<F!{uk6vK
zja}3Gg&d(c1i48Owrg5s*&nc%s4*`1`sy}T#Jw!ALD%F8%i4~1Pp#s(Qd5?s6q(xO
zkfj_a(t%pUljL0CVFsOx@=fUc5nRHjPt~?;ur@XtT`V(IGxf(Bchd`Z9y!)kZEKtD
z|88+_*Rdn3(<?5vA2d$q=bz#<8UT$l`1W+tU8o_M(z>uzj8W6TssFObu%z=v4Z0-P
z4rqiTYlFPil!-v&rpz9Sev*I9$2GSkAQ5O0Aw;*7P8L)p^s~BF=sc7U%)&{WsG`ss
zvVoEO18p5V7!8Z*6dC0L$4Ctd8|&X4YYH}3RaZ6CH^zrtnN2gBGOnR`qsa_dbEql$
z?p>E}nb~qV)9p{TNb^;x!SkMc^1Q(me5WnR{j0j?@ek9-9B|S_`UvJfr{(*$lDDC>
zb8eIX(UOv<1p*XG0KEk0EdgjKlkJ>W&-dL#_t+%zeNpaE)?3KVSMq&D{Fr*X1UNoB
z@L3zM7r-m^@3rG~iZo+k@^DOvd|xERAq$MMeP#UeY+r$3>?MI<vqagxz&B3cR7-ER
z1_S=avALPK@kSg?ur?wEy{5_U7)jJx8ZEU|#wxR^$r|>1%<Z!?v+ZV&Kh)e<-vIpc
z&l4l|KoegeQ>`N&xaRriuL;B*wN(pxXY%h(wYkhySQh$(7KVQ^FIAacwp0Hu>15JE
zl|q~E<viupa(k(J1fNaLsL{y1cka8oZ?5m^eRtlw_xh2!k?Wb^g(vXuh2o$83ID|U
zN3b96!TML`^lE!lTg=LwUW!DDoL=gBq2=_d`6aI<r}qcBl~g!16>+u&ts4i%3jKXO
z>Exg{9A4^f-PrC;Mw9)4{FKQZ?)KPB_F!`|-k)fVMC`V_)7u#642Js}40XNTp?nm9
zaly-81l}B)FQ$SIYjY}%RgjO2>^zD{lAU6KEl`I&PFxN>x{%Y0#7fHQr6XDtDb_Ed
zX0*W^ssHS}{N`cy(o?a$Sx27(=@>4&ZFltBi?5J;B^mLe^c~2}p9A?uV}_x(v^?IQ
zU=7?_oI!TvufGPAw=CR~<k_bP1I33ZuZK=->UA#8m1qvsVT?wuSpCFDh|D>WEH3T?
z*&>l$u#FAKJgH55XywNJ?4>f2<otr;6|_RN@LRR49(h}9<J6iA$s1oov<wK-J`an1
zuI2NJ;=E+vl7y%IU9ykG46rj1F_Kv!->BH9>`P5Px3hlh{>8;p2AlJd`iAO;s;U}`
zr!K$M+|p22Yc`pxEq>>_p2w`NPlxr=ykv1+ert<ak4+|M<tLz(b@F$CHF-NNF7CQ+
z&wKCXsFC*%;bQ~v@ff~aQa4@p-e~yHrmtkc)4EXiF6ys=Q-PSLx>xdG_iEm5b>0je
zrD}uG6)<kF)UwplyJ{M1Y$k(YPLewEo8P;+=wcrjyK(IQ$}}&<FqQ~vkIRUD6`IGl
zIGwDe`DU5s$;PeInQ_fgt~FEs0jDOQo_f{bge>g?=v~6#<)*Js?`4apoKk16Gt@aY
z?A^CXLN!3Vt=m)Bhu;Q<KiNw^_Vs(c{k|U;UEga=rPEe#zxzi&a`$_!>2#{`dt5Hj
zUinwdr=+*(N#;X-NF~#j=A&d4$Qi0OFh`6P{d5*z!T;=~FMX-#0tb}!f&bw80MsCv
z9=?m`8gcUH)$s_A23C@6YN}C8*x^~%(1zZ)_#^fbEfDo$r@fCJum8oLlj47q9`XtP
zw~s&9g@;oO{*vd)zR&e&Nn}ufcVNF%@jcEnCz}581MH3ufGD7c;hCn@Eb8gM1bw^<
z&!Al994g^H3H>yWi0)UF`N=An)(PZ9L~K+eU798+inLRA7&-w_FBfUA#~P3xMA@q$
z@KGByxDdZ40_}%9DD)Y*C}{@dRTDkw$b;X;VYEB4{9PRPDBxaMybj})^x{$eNd)i4
z@Q%E31xgTByDH;InXSYKz$Y<>jan-=QKlm~%Ira{6n2x3u_>v!!@KQ(FE<+TX6@1z
z$x(2pM$-;oZam`XXp!!=N1K~dww8pyX^=&88|&RkUvtu7Pd#(jOoL5yTyAcde&B)G
zrsnX-?p|seVQHGai&Zx?vvx}ZtcB#x)6U#YTDrNp`1NKeo<tXBto!|ZjVRa)ezdxc
z_s21boQaCu?DeQY(VP{^Coh|ln+@(Sbmhgx?=3<(22t)MqJ&P&pNG1S?Bk$28}vDu
z-YaBJsm(%pe!`<fvWHyf!EVyAqN0f<DNopIY)`$-*3!85jK#q*d#i2nalKy87Iwe!
zjrn#%)eA)sJD)3b?>qS(SMwoGvd7n-rJ%93`Phq#AKiRpt1?&2m$nzj?F)F`iSn^E
z+?M8JBV+&?RRV#EKB{<x2@C7zW8ZrG^L!LjHAjw=j0Bj+w82|-QW9e^!KbLszGBB~
zzDZHgL3qqWJ~oZYgdHGaF2vs;=Xp*ZC8==h@QEYEt;^?}v%GcYvVp-F@P$v#Y~DIM
zx(n6wi64N+N?R}nGbEVnHR(#?<gm!UCOIv-$&f@7zQq!aqa@pzkEIHPxVSixn#y@R
zxvA8|z-9et0<yBmUizdZ(i>0oMJ+V2-w@XXeu)2*Y^AZSjYMhdRGxQDr!*-PA~M4T
zKPH@r{1_E0i;H`dQS4d5D3;a?fzxIS`15<9>jbpbk=>Wt(>2+C44hA#{1N(#k<$$2
zyo$~!B@!OXRFQ4{P<E?7<mhi5TdMl*bG4iMTDxsA=casm>tHxExMT`?JDXkGw)f9%
za#}haVgK-{BO6Z{4q%+X6YRH7VVo}T&9%AK+DI$Zw9;glb#krIC!1rE*4WMGLi!o`
zU4&LfW+*9TYjdsPXAw~d_Cjj5r`2%w;^H~gk)G*9YQ8s!-U3-)d(bj5;A;<Ct>Jc)
zuWws7oF-3pZq9o{qo)iGoPtJ2#3{F(<?ck=-ti7M%@H#t9tm8MKSAbF70tBdFa!^a
zS+E)+rJ4eMbjnb~9!T$^v&YnLkT_S08N&rNw>qZgR_|M3H|)JFyAht0#F4w_=6Xj)
z9)0wy=CQtbA=FTG{rSFFDwS5{_)}E>h(-yW-p^2$LDnmtqPp`kJV$VhrDiq8eghfY
zrn^*`iJW$;$=`~!5t+~+e?{d99H_>Yb0Ia?fuG3tg(4{&3sj~BLKl-1-2^Bd#D{5<
zo88Zi<C4RcvXh;1ufeu$6lLLJ6Pdlpzm8e`b<jBLT$!M?!Jqbp`db%gXBR*78AE8U
zW9J@E_uN0%R1N8?Jd>C0-MFLM9*z{hB=x7N_U>)pdulL!^X(VDb613PA58oPy%~1T
zPdJXK#wV?htOJ$qu?pE!y2t1|w%|SD93yc+qEOgFGF_I%!(gr1!m>S&%xg=>w!u(j
z<MwR(gezw63=Ax8c;UxYixc5~M=-brEox8MxbakK;?ZSw&TZ=7zRlCz<qgtWB94oC
zJLK2Q@U_KxCf%o{PvLJ~({S~tm|s1uHJidGc<dE;0e@}6@BffK4jp#AylZWD$}wOb
zf%@z7u3fI?W|!*%{Lt$)i_)COMmg8o&+$)j=1Ox|{ioHKJckHIDM45Kt@LT^u@F35
zYTosU6hXenNE1k^TtdtESL!a121i{wh*-&=L~B&S2g%Y=d9#vt&5)7IrA3dqc|!wi
zA4jCN4pu|!MulVFdQ;T~Q~e~HEnGe@R1n5cwrA6OmsBYNG55CV`I!Zha$Jr`&tP5_
zP|0Rx$DKsW5U0<`x;{p91$~?(ilSMOq-%IqY%STcR;4b^Er)H&_!k$STim#O?zzji
zJjY@^5HdYvba3(ePyfUPFz5<?efC}HNvWFkak`>?@)N#K{vB&#G=@+S2<NVd$D`(_
z890n<JidaZ|G&1p(UZ{e8m#Z{B;VS1VhdcFP25}Ha!ky9{aj_u5~o~c%^E))_hv82
z7P&OUZzc1a7dak<pT$pp7QneZBs~Y7O!g4`FQ@^9$C6&iz7HBXQJ%84Q#Ee1HVdC9
zL&;MnojZ)mF^h{YExxCAQZH+Nt|O#!V?9atvrC6KO}<K=GLc{%CqYs`>G)x3o-%QG
zB17mDGWTAi06uuf9gB}VB6PrMY?x{G(AdQnk6mA)1_Cd{hq(>Re$4S<0#berouWm{
z`;`@~^)NyDmheI`RH~~ci-wCJ(!wZb83R=Ee&I79e>Qn>C?KOh_KEF#>RRdywU)Z}
z=0YcuejDq|c9-dVVC?6u)8X)R>uuBHhN{`>)=2S#Vy!T?w@bHRUuI9Zn@g3OQrn#T
zIfzue(l}NNGvLTC$uy_+hXu~wj`gqCbl{U};*>^SFE5I){Kc}+@{r|A)(A2f_;DtY
zxZoQ_c;t<5TzoEB^}^Wuvd=xopIZ-G?-=mhzBaE{Hn=ow%VLr9U5b&NEU(uo=k=1E
zjPu9fzjW4E;mRamNF5+p2(J{Sh{Hl}gS-+Qr^y<Z<7&uf5b*}e>wT5j1j@=8rSlRz
z?6B+A!V?#gQA9zA^#c_DNH!8Q1Q|bDbw5(pT8`9fn31akXaKnui3X5sk!S#UZMnGR
zy07NVkabHr0;FA`X=EZkU!Ijqkw~lxFn!`$B!u@_;9JSa-Hi8}5zkxzd@G7{m1N}p
zcj6X&5$ZRf!bkIeJ9NQ<HAg;xeB8QZ<Sz_g7{vMs`hE%g?teB9S0hp_3?j&}jmJIq
zYLSpDXFzxq{ZL{dkI_&;YZ1r*ii32nJ*yoccXgm7v?VJKd@oY%sYY2tP%{1lDm9SS
zz%y>iHToB1+#WSV!TU}g4{1sE1Zt1`UxV9w@|cLXqqU{#1A@<yZ>b7%3~088%qq3b
zA*bJJ0NFdJ0krwcyG7eRrRkvL$`b)QV!;r=q@oLkvQ9vPmWzERbtByP>jWh(-&9NN
zVr^W4vk9z#GOq}_ugPPon1+1RYrScd9xhf=h=o&^5{CtwloReKVP06iJTO}kj^MNK
zrX42^N3cZgk$a?I+dA<GzH5jU#e81+@8;ktMmnTk33@4#aV6msdw^6Yz5&n!7COl;
z(1urwA5_RdP5U`U{_e6wTH=1BqL{$fOvsz0ti_|yAgXj8t__fW<dQwrFf`>XR3#qe
zAVC9f6|Mc6IO>OX-*^gC`m%`BsjCQI^S-sxUW_@ayINUy*<q$Fv&^|QKm{Ravyy2i
zLOY&!e;3D^l>|B^8PtU-y5v-p5La;2fU|JItxp@(Qm+!KI#PVKSQRE*5v<~TN~{z4
z#ZK%MlQ$&he4>0>S^*_g+~g`M(XB-wTGpnS%rln2GbpaqxVB4k1?SN6XeqZ!so<gH
z=_~$HkwGgn0~k!)jRcP|?VRsUQ*>r=QYKCWX~<bheu8ZjD}n!M{oGk?aZ7oV$eks+
zBnBibQR2uUP@!Y})}JEu-@slm#Nm31lCNOgm9%BO!JfFo9_tB)dL6CZW3@*<XpF<*
zF?h;oi1++doK@cDLe@lxW3V-H6nlXNwnd>$*{Qt#XiJ@N@bgd_Dw4qX)*+3bwiOMY
zT+NPdRiCDkHnuN3w0$>e(TK0@-umD(uy%`oXq^g$rdnBT(e;er{mOXk8jqA0OdF59
z6SOdo<_3qG9ZF&y)O#@|T2^wVQGmyaR~ln89~(SLn!ZotBMtZqw=HyisAQD)T=lkR
zo=H}*he}2|lYItwGh?m42E3gpZ&w?w<{QW3F$A(gC`XqvOGS>Z6}zN7lUL;JT4l5f
zst{sH&D$*?mqHD23dVVDVyfO{Hq^J6Mt8jL)?FiYE%gROIQw_pdJ(A;7uwrwwv^+-
z;>+hYCz|p9xxadl(``TI@;l7MCG03-8FWmnf=6j+7R4Zhc260*R9}#GOp78u*NL^z
z&iU|cdAwx`TWC$pg|?Dx8*`rnb`$;0^Pk8j*1rrwp`3*6c!h;Sc|p>1$O}46%ai?I
zkQuZSG%^p3>ln2}#afehMv2LgkNW>*j*y%YiUcAA!I35Vx62tS9!(-1!p2#xE$DOx
zZMAG%YKr##b*V(sv@2Ec+G3ujCQr=fEuiqZ#Mk}3SYI0=uap-X1U6qiFLu2=BWsA~
z3aePC*R*Xp@91aiPDatdMK+Q&P%%j16GPvhe<B|lMoIL_b4<AphjL7bUcr(8r`*?{
zk&l+a|A4=Fo*%z1AYUi^@|5rNIKS>maepxD7o}U(oE++VMZO~L6XE`Qij^6SIfg1)
z3Y>o*z7qT`d`h>dKBWZtlvMbiRCq7<HAz%YjJ<%I*o<x?PNv8lp&|mW=_E%X=PfeR
z?FC05AA<#SE-K*k;$4JWp5zCoc)5trP<j#-5-v@OrH0QaW~n8`V%f|nsfaevQgW^@
ze9p3~Bia%eT+aJqZd+ZGE${E1$uv7+IZv=R;qdou?Fe?YS{uDF$HIy|+F|k)wsh_}
z<hF#u$U1Fv)}z27rOMXT8>)?UmZo}pi`UxH-ZS2o+c6XxceV|-`q~q%P0jnKLxmV<
zP1lcF9~VeB<9yTz_ViZWjS4>GNSjvgSHs6K=pjtEz&XG)-t}+}K(j~fJ;-_ra}bVd
zxPqpfXFdvg56Bs|6qTcx7M;O^2bRl%&G=RZVHC<M;9lx1LwZ0HGT@Pi$s4$foJ^GR
zZwm8cvy|w9iua&>5pxhR#u(4Wg>MT921dB#cGuR_7@L~*WOk-{4F-drMG`f&fLQjV
zceeEaBC%F!5tS@k$e#0ySAQ&<jp1kKaTAk9EG?4f;L~Rv&Mr)hwBFs>AxR@mEysU+
z@aeO!<)HU<bg+OuF%XRnBy6_CKrA|tuorqdb3Hw|&Yn+qc7lB2+o2j#i~KBFKfGLT
zQ7|o2o_0n<!?aABangq4l&(d`DpR~2z$k7hf@-5cbI13OBK>Am*8x<LfK}eL;%YBP
zFA;1nUmjYh0gn7(`BOr-K%yLo<1S3IL=CMGBS3X~dWU@uVl8cOZAGR52NDIpoSy0S
z+FG;DW`{lA6B>lp*6j`~XMNd*`R1NjXvl33&&8vA&uB8+6Ml;~7-{PY4SCylg~QqA
zaMt8*ABzX`nOIX|zBPzdnC=VYvx(;1zF1;^@5rTHjzG=$hKMJWkj(BrUxPmwv3pbb
zVx7mCJU#CjjJneS3ig1nqHh}e5@@;($m&+GENfcp(euObcoW@L12J^|iBq3iU8lT)
zmHkhro_F4<`_DUXzb75ESb}MfCxdXR>Bv3zeB>kd+;e2qKXS(8<bh$IZ}`CETdu))
z7<P+}JtSR?r>I#5at8kTqk-hdXej%hGMW@GH>r0U$a>>>RJ1Hm*f-yDaodP%`1*17
zo$eY(<MAiP@jOJt*cUN>FZQ%dL9#8bJ<m%d<t36*qRYH`8+I+#C?yk|s(91Wly2st
zMlz2|B0h<>8u97Z&BX@><Kv!ed}VmonX!pedR;xvhdZV(K7A=xm`n$<ZQTdAr+1%v
zcE4nxupGwb!rFWeW6NoImO&ayP^XPeqkl1qqp-q*GM8xLb}iv2h%r*sQ9EBP$XIxJ
zkdcqTYB#h3#InfI9V4$daR@bo|L4)+u0&(fJKx(kYinQV%}t~%{kiy<w=J@(H#wQ}
zZ0z!OMs2~~Ia7l(V9EP3!+B3OWEr*u+ML;ZtG6qh#-@+;%{Cj1?nFMA9M3w5{y>K8
zIjr{v_}<kxo@@}VH%qdwV6AX2N*X6+zv}4+D?xu(<2@N3wa}~^K@-F;DRLg{rgGI#
z?ISrQ7nZdbf5e*hEH4*dc@jx~CYSmCJiDWK@#y`(e%LkTa<ozXawpc{F^n&&osp1D
z^z}xktpQH+a8}ZUago23G-9esp}3ZaiIn)*IM%H=m{5`h_DXa(muQT8=6k%ksC{-Q
znDw^V*zg~k92sw7I`3~Cm^U@F_?z+oNAtna*=DPU<);48WNzu$)YY}6fGSeDc8vck
zprHUHxVocc_xyS@I7XgfoIN5vwLEGKjZ2l*LnuElS3?2k<1rFVPID4Mikd0Ar9TuO
zUvBT(<jyn~e8GW?hxxX|mQMF|jmKKzzNWqb|Fo}W$`qZyXny~V+hZ|r&f)fKJUACg
zopyR=Q{Fey9LWWSr(@}Tr(#rXpp`FUEzDZ(mu%IqHxtCSfNkOmqEJpP>PS%GcF=;&
ztT#SjXi1G_i;uHAd#93C!^-V9UOhUMo4)?0cO%N8*Cl|rCxN#ZxZ;HFRE0Ol-k9~C
zcT_ioJPonxLwGXf3X-6S>xQ_X@!|70rwOVBOc4w48@$VNysAQlS5hVX3JI+op+P?b
zu{lY6ATyA*tgH_GXL`O6umw|&a2~ycV#(30v&rdiu*LmWUw)1S!hPN8zLrF{xo5)D
zJ{*eXY>`frE4wl3?@k3x2Io{RGLUL<riUZWOgvC$F!^Jhf!3jni=E}&7;Ycw$$Aq3
zXYr|_PJdg_ZFWtxx!Z#9m+9ib(WAgoeJO3p-Y5-2r8!T;)x4axC>K&>s!`mHs?y=y
zG#8O_z9WjZDf^=|S5jc*XMrhy&Geun0UGk<=3PWyAwgd8rPF-5iD-6fe-O0C^6~V(
z{mqds|L}D2b5U=X!{Zq_Yd+d0=u06y;<x$|S?J)t8(AK_Mrnu~9_~R@Tn<!;#)n7=
zatKP~Bb|N{`c|O?t_sSY>FJ){>FHiqIP7wU!<wkP?xvfsy6Wbe4?hzM1VZ$)X1qa-
zMo%(cA-73_ABCq!jFk8!vOqXx5<L>9Itq<bz>e~>ar9~VO!N>FR-(xaQDZ?*nz<(L
z16@teS5;X<Sx+EG@21s>NXyYg@k!TEWb(j>|M<)C6zjnsZ@G?SK>_siBIv0BPgix3
zlS+S)&qvZ<=py9URFG}PSvn2dtiE$|kN5Ql4!qvmv$?Z>db%G!ru6nJH^1+`kKVoc
z%I)d#Yi_>z^2=|&S?D38hW-h>rbZh{1+S5Z#=~yJYv_F0!=P}k3&6F?^^SWlNki$7
zTwLYAH1RnySopsAAJ#ci(}(6_y+iQ{cYAX8;I0GFiG2m=91oP}9GP61&H+16);XkV
z1C(a`9l}^&0v=GhvWfnd<sm*F=bsN^&Ax**t2Ru)H6wWR!?^x$!lUmsIFcjT;<N0n
zJ(CGbIgiFzh+f3Ar_3}qvbCS)W0^)ufWC~LVp<*Lzks5M`W2hYgZ&($$ma=ZtaL}0
z)7#L@?BLMM%#gFS)rp^Sx;y-)H(hz<o8ENztLoM+8+!|Qkt%;qGIpT_(~dX_IV46+
z6##T{e4X|-MSaDNrdnELAc;@c&Wi7D+B|%3^L}vU6ABfqubAcs!v)JLCdlZr31N#T
zi%;Zd-+aySmlH|WpP!vPb2NbcEo_Zh*cuLPSIOK8t#M>_TdL7&wgz$6at>6wyZ^NB
zf(!QTJ9KDY|Hw%Hz{rT{_IJMXcKR8;;?SYXFF$k$8E%SgF|>|tvHsKlD%;|A+UUh<
z&9<0c$F|U(_qVVurY@L^_YEY3ZL#x=$k^^Y_WAuC{iiO?guBPv0-1Ez8QT(bTb4UZ
zY>WF~Tg<|?m{fEd*|y+Kis-Pp4ubmC%?S&y0Q^5@PV5loM0%9W3F}5{5avXWFej3O
zvA%h$!RSdAg2{<?M4CWjO{<@QJuw8m%c>h!W+vMcd}bgi{733-srhhX(*cFc*O(5~
z#x<6M(>?o<0{e&JX`>%`<*Tl7S7$qhf`>R)?}P0y1lwUi8HsE=RNz=K7qrxjzqP4A
zh-~WewAo_$(AXwxvxoIeJr4V!bFQm<vByjNvjhC|DRc(~FURVGmjjny#`w*U0`lgR
zWgy1CR<(AVP_>@j{qCC&L${u};VpOVqvy!FHJ(F;uB7t;PmhBZ>)~1JRGuXJ?m4EA
zH-<rw6P<=7>LIm)osj~G)TIiw5yxlYNh~>GBece!gl7ZQvm?%w-_jRtpA3XMhQb4B
zkKVtO+_m4|Jr(cT*5_{>S$Q#@Ie4}`mJg0E6u<0q_hsCJ2WF$m^A2P;_xMv=FPhnN
z<E}PY-aLbGR~weWZW+c-I>S(@&QQVKN_7VEp`1i#VBh09!{dC?2|VBtX&NWn*7_-c
zA$f7+<~H0<K?w{L!G<+VKPUB5$d(3oRJ2c>H{DtoNDRYKv16!h0tG5i7$5B9110RF
zt=ru`p41o$aN)ulf}dbbSGZo_1nv9)xTrSlt`T|z-wXJB5C6OuwDwJ*H^9*?Xzk&@
zg4RA{aJ0!P!c@{?nBD!Jn`BzM^Av@qpXJY);^T;7oKNvJ+mAI<WYS&h`oGrmGQL*-
z7nhk_EbYDEg1w6Wt7pOz%$PoU<f9+H_r4<^9Sw|~Ju`K1)PMMGGiQ$l_&N*!7xiaR
zt#z4X)*lUNo0a}A@_^Kx*#Gs@F7khUN|RAkGgYOlii$&8ooyv=jN*I>U6K7p=SR5z
zOEyv~{a^37rNsLc8ROosPj}q#^tRp^E}zcX*>U=rXXi`g6ZyX0yN>T`eLRo{u1r{A
zRHQSM`o2&<Q|{oTd0)68t@yrRP}9f@f1&SdxO<K7YqZzf9<mN2(&TFIVXW2D6>ejW
z<WOv20rJY5EQGMJWO)VRe-3qs$p59rSLCB1>&;Xo|7ZfN)c0kiRl&;FaNn2VFY|qU
zI?p~-JagpJzkkv>;cDq<!JZVl{yQMQW)!Y0%dhoDR_XitpZ9y&<Grm@3s$R}<t9H@
zZ+7N3=kwe8P`yHyWmGS}((kq2=>LX(FEe}(s^81n<CPr~v2Em-(EMJ;X;WhB<y*<`
z6%~H3v*7nScvkyDkAK7#D+I?D;^{NbA>IfY`7&sv(xzH(Ca>!Ea-_!E$?w%i40G>Y
zZ@F%4vUB#vx8J>A^LxDqey=X*PpaJ^`@PnC-ceMYRs3Fq*mc71RfpF>*~S<w@q4BD
zo+MkOoAZoU^?Ru%{0ZG&t=)>-tI_3epa!($_8KekdS!>hu};P76)dE~CWC9XD>Bs9
z;>rw1UD-si&QKpnbceXt>ve<E?c;sz-nO8#_}EZqFw^QWJ5lX}oL=~+_`U90*YBla
z=zqfR^-5^UUp+I-{a)exyeDJp4fy-g9?82Uxv2TQMt87$B6B8mm_l%Lv*!0A`a0OY
zx!{j2T(WTBEj!~hAEp~Y%=)vs*Fy%XJ$W@F3@)QJPOPiom~ytjITd!J<b~Ib#0-Ww
zF?wO+9!=UkWZj3mM@)1Nu+~^LKlMz}NkkXMnp5peZ)^#-Is=i(``WF;apv{7{axvi
z{m?1+xXSu#U&3{V6ZPHRhxqJ87(>)>2@G3w<!0w$e(1t2k>V)nwqu@8qmOSDM(I&F
zTKOoUNnxY~eJp3x8%rE?7uQKk62fO<=1;K8_w6g*@J$r~bnj{1)5!TMyLV~k3^k^p
zPTdaV7+D?ql6xPN>U!&>gnaMM?n7bi8}><Ugjsq3t&yaQLSMQ}x({+XhEq(k!snrA
zkVllJKxqaD5wdH9qe7lZbjTn)j+#g|I7(;s{^}-QEad2D5B58<f$fF4-7Vo*&|(NV
zLm?-|^h9j9JCn}1<Gp@&sx`ZPQ!wA2?d%O}ljq}WUmc(`XXWDy(fC4?i!7QckVOe6
z3Ph9#*w~=Z)sP{UvzrZYAo7GZ#7#@E^IblmfW<IV)kp(HFsIMa9@w6e@%2S@M0}uG
zSG>pPPKDd0o)QEy-4^x<-AAMcu|CvmUBZ}ouk|cLv-Q&(^*i;A>=XCy*>f-HjJTHV
z#I;ew)ws@x-}mE{>3Z1_-7yJK9PE6O!*mzwohSN>P%ST;OxS<t3+B68qEUTyGkU2U
z$+QjZ^u?ULN#=68$mhaz!x+zFpiAvulpBP5VUu*1ZIT_1XhdIS3-}z~P=S3S>g-K1
zSBuM+Z5vp|tuS7Ui=B&cMGe;iV8m~X7jQg-U5IBy4Tm}WumWFwo$fK+mFPte`0>ZY
zwX3gV7wWFWt`RW$?0))8$6%F>>i(I12IdywP7fI2t`O@+|7XXi-}I)|OD`S0bLdXr
zU3cRnT%X7FFR0f;50S4g;4qYJSNPIP!#9n3?!L=+=MX-^IB|dW23#LC+yH<Pzi}hL
zaUXUqhu_HIHxeB8Pw1XU#Yz`OLhC^0yjTZ15}J7F`Qc%FSH1@J#?A6~e#jnTE$e(I
zXiKoS{jir>o$!1AQ2N7(u9Lo2dR^5gPjp??&864XT%cY@Paxf`y@T0;-8C2d;V5gN
zC)1pM$iAXpS2`ye-}}Y=_`LY|Ft4|A9E~u&?z8ML))Ksta(-~HxbE$&hFuG(OzX7)
zFuq=L+JX{Uy2AlUiO%m1$}q6_6K`({w7K1BdY^W?+X9pzKzX6pv6olLPA$i^15q>+
z`~KAhoQC7qNj>ak>4J*uPz#r?lY01ttk}2eU{9<*io4PMU^n2~gb$k%?%}QEul>;(
zE&G3T{`o)J-*U!}emXLo=<Dw8OAL>QXDzO7VYSltaR-_oq8NOB4muaDHlqK|(B$M$
zuCKSZ@BRb-a{cu`!2O=T=%VNM(^#XcTXa8AzYjA|e4ln+7Y{l?H0|Qw&EYQh%inA{
z;|JGY|1b3YeXD1&Ch3b9y#sSVgb{Zj=LGzPm_N<NL7`^+?EB;;m)xP>lRYjW*9pCY
z&eDBD{hqSMqEdqVJ)W<SYw}-w@q>3{rDFEaAH?@U^7A^7f^v+qrsU_*VLLZ}GHNOS
z8|1Ew;+1OPkVB4_7b%VH13$<`5aA~g+(*=ga(@8*aep6*Ues8@^h4H~+P?m@JK?VO
z1OlFFyt$)i-rbSOI2+t{bC=oXG3Ry`=6kZqj?A`PN3PaT+tr@imgz`l2|t)8&KG|X
zwi}ICn<v>6qR%8w<|Ffh#%sbW^=H6%<+|>)h@zb&R)aU!CI1AC(qWTN>+_m|epkX>
z<qib!E8%MMwRz38t)0$ba}B0p_O|)%5Tk4F!sswYKDv5eE>_r?^JZC>+3s#|W-=Xa
z)D1=Cg2ugJbwArGJ%Ke;^&mMxTby+#dBt*U1FIV-{_g$yGynV^@x48()w<iIf5-QT
z9%*%Gzkvpt_VoRy{^dW@yv?}xwv*qx3ioEt;_v!dopN(Yr`_8q-`&9PZpGcHf7PD8
zzCIRaUoCbYe~~>~gy)gz`q&5ASva$AhD|AJ3bK}id60-9MqJ1_h<zJlH^+NVZ8)>G
zqxN9KsXehN_CfEyc*c3&xh<LaKJN~?Uw-v|_72>y4jfs&pX^b^{X~fkVUQ|CN2s{H
zNWwtq9btEe)!2=^JY&HYvp!n&_P19}(yuL2f7Mjg``?dW$G=qi9Gh;Z@*Fu+q3k)w
z;9yfyX=|WMh$9>n+N6AQ{NU*{5-Ms)=@&E-%K5g^ND4F({)-RCL1S|8F{$I?W5cM7
z4?JKL<CEW!9+qBx6!}6&5Tl&pyPtAI=tR{qSZSjBIuJ~miy}4(kAfP=CRYQLF-ij~
zKlhK2K9rwo<c$$wUlJdj@_YU90sIcUA-~h#>FkTg(}}_9!9;tsp~)KSiMG#s<1I*{
zi6n-mh7#GRxv?eH&-MgU0k6dz4Tjo+9!q1qI1vq|TRd^EC+hPi2QzIOZH;l4E8A)d
zIl7x&5tqBw=SvM{+WYNIF_*8i)kgFz!9ROHdlvSl9y5z5D<SWM3i}2CM30CXW%+`p
zf9%R_AI<L_i?)vJ>}uO0{p;}n>vVQ6_V#bh*^7((8K7&H;(Nvj9;WOXP!|@<fW@Lk
zqe@Y<i|D^SeY?e8qWuIp2wfgyyc;^h<+z{Ga5;mX0XXzzX%%{M)Nmz-U&)|Ti0h>{
zaJabsN?lRCezD~G%jtUHz>WJK20VauRlWCegaj7NF>Ed6P;C%HjX|HK_H%TcRziMZ
z6$RcnTPr}tM3D+4w^H0+ORX}OtKlErfK5^Fb6E=At;6nYcqJbn%eb7;RH)hDS5)!;
zS{iwyBc8~3+6Mi>R3hz2_Jtw?xooyOpsC}KPuNUN(gPR-$yiM)@dT(Q$Rz23?D4BH
zO-#X$-``NLH2@;?6Mjg$>DG%Ml&;Gjhf|WS-M9KQ?t8U-UwEzom8BiYx}i(Dqz8{*
z1rdNx{HssnzRI<V48VHQ*%`>Up{}g-_s17-t;FT&ZY~$=VBLuAT`p0{!%6fYHa2DU
zDH1k@f$lqg=+IN?v@B>LHgQjqL7tL(DkBi`TJ+=~8l&7>sz1f=DNA3vr~lBQ<NMp%
zWFbuV#Qd3^%l)-@wQ^|>yyEkZXN!mV{F$B0dU36WS1TR4BD~_-YqGQ%WPJkHi)+`x
z>mBUl#ls3-p+l(GDzhrV>m6Bk4c}vW_`rTAJtVyqdSDDWOlmYtv+a-J*otB`l1oNZ
zV2Oi{shv_M5{!GfyC#m$hPk^&1i!WPr1FGMpHxtlOgTM_<hE?pv5QA8-PzT(^U{%#
zOLld2?Yd;7_rRvMwoM0m<=2tuXs5@Y8*5GWw}hJ$uEN+zKG1IWd4}q;%U8_LUA`le
z*>U;Y{1waDWODx8(UEiK5{bEUM@G+`PwsQ)X0oZtPFJuc)@<9<KRWNUCR>6;p=Ef;
zV<PH)F2w{j2BC(a$7rTJ0q&Tt2k*K7BetXz(Reis#MCCkDQ1&ZniPB0xewj!&&M5(
zc-}uVl<w$AzlJHF!_GB((!O9vu<@b~MUt%nnyUjf3*I4pg|B%xJafz7-`x;`N&IwU
zQJb--pgH)(llaSrzo=uxQRr&ja&_PwvPKIW){fU4n3(t`^=wK44U`T|Ht*U@a>^d1
z`aGhb5-Qqp7mtx2mBb%hnfq33oO%X~$6^!oIuY|1Xwn6LARlu$V)^)7Ak*BG$%GTG
zl*Qp;!``mxwzlam^nnns5l6DWHQb+SfxHX1_9q>KU-h<H{MAd7lV^q+Wd9sGEJ*vM
z4?;h8^V6Yj%)Nya0nC635n16MZvciwJ;?^l7yA<!A%0-QHPk$5170bo2X(UeC!%B#
z?gJQQ(xM^(xDf4TswNGdhQxbOVX{D_G{O$snWr=Tf!k)X9)l+{T`(GEvNHxFI|Owq
zzp7*Tix(CyE<SbB*^fVd_Dv*j*l8H^M?rXlx+}0|gBWiLKZ6*H4r9?_l(3fY+!P?9
zORcc&s4}y1Lck}B9Xf?Es7vv+>%})kwjq791NWkPcHy-HbD@={dp@k|$2(eAIqi=8
zu35%yDmB-WHnX1zHKnl5l;0BUbp$O5r^98lXC0Bgtf#Zd+t}LVXt6hEyrBkf{Qs=Q
z$7xPSq{(KpG&kTlU_2b_us6m`7Dq#awboG|3tIxN2Gbg3ahc%(zODwotT<P-2{Hrq
z7%_L+zQocZ{2f_l6gC#@Oo>+!Yok>rC6&(MX{+4GSF~~^wJl%C)I4h^^hJMn%uf5*
z*KQ8fyR6}SSF6ou4mNjU?aNl(WJd-=bTH*`G)C&peLcMcjg29@6Vrp{<pB-f02;Q!
zzZXF@`eVo<5uxv6l<UT=C*kTN>Yz%}G(UQ!xzW75crVmpB~(w2!CHLs>N7^Ya<wua
z5kiVp%yVeZ?83ry$e+n%vc9!bWBJW9o0hVD-MKtyJGXiUs`}pm8MIAzI%cvF;}`OM
z67PfsOBSIxCr6Ap&sUB1YBTmKRih#sk*wRW&dsTM5}&nUE_6C(hSM<B*`DPztgV-b
zY{TVDO-{JyS!6ELY2s>15-4R^TufCX<7pUVFK3~$TW7C5r7(8UySB|;wmlQ+n+hd*
zt0d>fU~a<QIo0Nho29x!%(ty28*2$qo;5yp^=bX-E$45{EQajcudt<EUbC;+mkl<>
z@67DJVfnxZFCK1RzI=A{^s!Jh>WxiL#FxgB4rlzyOFZ549RmkvlZ69s+d1?4g@m)Y
zBgaf0|N9))K<9v`osM;JT)r%QU%DT2Ue=upT#l)@B)s)<x(60ytZu<O+6#j3DO`i_
z8R7Vh<5PjpS>Q7Zd}gsL2&Z!#rzH62PmWVX4A{|M4@iZuUk9sZ7V9j<>IEaOU+x?_
z`^^hu=P#uEU8A9BdlgKkus!B$a%RVqEwOsZ)Dt(`!q#Na9vIp)IQaTq-HECFh48q?
z5nbqwcOVhD*`4w=hFW3^mu_CU^{n3H+_|FzdxwLGR&U%AYWGGLhT}l(g9G`N_Nfdt
zK5bvQdSU$Zkw8;Z#%}$2-%SpSH&bvWV!$f}F}{U70XH<_I~AKp?y;xkGRp<VG=Qc-
zfJM_`+0vddiq<DIT2Y~p^jJExK(7sWr31-isFDs!Mk>i5oBZm;E5WHj7G389f65i0
zKk}cPkq{0)6aNWA>{#)^igU}dW&0jSx8sd1-7Q<`y|cUJdS~Ez%k@w9-q!aJ{`K9~
z`}EUKv#Q%*7mb0c)Y@>s1H8NJ+c>>g3(vILA6~96Q>SK{R8+^85d+JJoa=RRS9l2p
zmdI^EJ>r$pl2&7m%8Ot>qSG4H^)`O0<*pWUi`igq`TWECj_z##Qaf|a&Zd@9ZHvWY
zQuXowyyX_6eLeLDW<SB$1WzQ*hNE1zOtsO;!Ad@uR_p+Ae!3NMkn+q)YT9(IoQu#&
zdpD<a%E^c1pe%-x?iJi1U#EM;%6+M+E^j(r81eTmWDYD$^bHMdT^X65nOKpk&AyIs
zbkJm|>(9efx3E+)9uF5UP36*j5A$B`sH0{9M^|ei$bJrO4yA-uehvd32aHnVag{QO
zCA(KfBeAi)`OeL*tUVW+-?MW**6+-Owwqcf4vY++F%^lsa(3rA`%XF6>*|a|3BSDm
zGW!GYTZ6S%^RFwgt7R}L1ttiKqHZYRjskmByHv=HmA4;$>szkgIJ9@yuDwH2_2Fv|
zUq5pCsk;wgDfxQdhv(I4XKN~+R$AJKo&)O$D@cB0s&h|LT#;^6KY_A9Xa%8@+32uO
z&bGoPfAh7k9ha&{Zy)~HD9uwm_a08;D*h{;TiRX|X=ZpLaZzOirO#MlQ@{QC*QM(5
z4{ZFQxIg6~zlik>Y8Cwc!u6#bUHI)WL-bzrWLp&4JmIQ$gDcojG&0w-cRU)K+~3o?
z;L6y#<6HNyEPLA<U-yW2g)jZaGbSU6mRz&zoc;UGHJh&)e8ELFlEBFy`C4o};l7fc
zej1U=*?>I4%eSJoTB4E%)t%xyO08(Vvh>HLB|PX`-#Y%EKl_=w9_WQtjkR6tZPFg4
z6~W^7L!T|;4C4EK;QJJOzX4jH%oF70)4s3mCqXZ;m_xAwnWi{4+XT1U=g#fwYwb;@
zwpn9?rk#ntY%e>#_^$9^hE75V{1ovFlUC8Nf@Ui4qiq#=SXvDT>e~l5CRSKbv&hHZ
zAj4#w@tP-kqitnL|GhmQ`_itv!Cij;`zMjSVL0VOD(={OFs>?X?k5@-mPza%fkEtz
zrC&(Z#o-Bgeo`9u@#-#6a9D94dAT*DYMVr!pO(!`^TSymKEFonOPnFbOsW1<Eq_OT
zQ~H#T#R}blx>Pjr>ilR%hq6UJy{&0w@0k%p^uXRtl7s_#>C@w<rwz=YmoVx-9z4iu
zj{hf$<t9@p%O%H;Ut&qNB`vGUTKy7pv1(nMD&|r_AR6h)b19V~6g3v(Zos%no+#ta
zFccDR3hQI2-0Ed3+de;F(AUf_JxVVa=GQKW?M?m$<Lta3u`BsIS~H3Ft#W}sSfOjE
zeD)+9LUGKH93b1Xl=}+}w=@@?#h~i6wr<>&@7^`i+B&kUdwTo!Y5bU?lV=VOADD<l
zCJqb_pE((wJb&N5v(MhQ?|hl}e;+tAL)$(vS1iqG0msK~P`IKvf1}7wvjpb{WPvOL
z9>~lW{QjP~%)XryBV!Xgr0T}VKwEM+-uy*m&E~pQ-S(gq243pmb5-jmJ1K|2sndu~
zE~E@<Mr2zZ164`J+QXK0;vG0P-chYUDufj&IR}KOm|9Cm;0|tguK9y|MrBO>YU?@9
z^lX<`L87;NCT*R_TD+!4b6ft<sf4xt7kqu|u(54oZ?A&V-n|oT#$>3<Fl3~dqL8Qm
z2Annkr>ZVhL5Uh?s$deLyow0yZJ<;E5S|c1<>;;!UKSvn+iEMHOwDxrM)EiBI=p}R
z@Ypc$-O$>X?BCSzy=R|grhT1q-cJ&I^HacghnC+b_ny_Tt&L9jAH-=f(Xqt^Ob3B!
z>Z9Y5-Q9#=UOEm-pON4|;8h*gdJuS3hu;jJ5orr<&EyL8=zuo@r?<_G^NYPZyeZdc
zG@VPwM?EOK4Li$}4EFk3+rn0twV}qf!4+)t1iB-(s59^IM8p12qpQvlOa}v~dPMsl
zl{RpOyc#lF?TI0akM-t7KIMn8T0}9Wy(u33AiMK}?6HZ7A~^(?fvf+(J)PP;<(S%f
z_f-5w6q2Hz16*#CoblmcC+s63a#(BIrh<P72jdZU4_Y_-@|#SK{PISYDSjh8(AwD8
zI*?}B;x{)g=lQ&dz(0>M)Wd5d(@F(3l`7(-w<shd=L45jV!HqS<?W<+H#p2o+dctq
z_1pB8H2!BMlB^6=tCMcS^Mcy>^NQyM#esCL0yto+Q%t<PPm7IbqdIv1R622l(?5cL
zmX5_LN*Gc7rLbO@2S)vyFJ3I5g^a$|wqbU9dP8%ap~hTOn7{DUEj6ZUgV9v8fHD6%
zxs=5J%&ffwyAAoNV~fAY<Mj=g%xC!8sj^KjVWh2{ESWWc#%5$x%Zvy!rD&C;b7B@p
zA+J%hl)p3Mov7YqlVOk%*0SnMFn7e<8d$?Ux9^_ZU`1gjYwg(1+wa*kS7*l`wz^qX
z_g|McMI3O8UA|iU)3wcsmX<{GwU`2|H643D=Fy<7f5kksVQXW9KL~WldzPXUmsTxG
zZ~O4QJ4fr?Fuk1S(H-}Gk&WKuEqL+&O~ucB5!8lxrt#|mJhK+w8yOLDcCv;lO$|_d
zl!~v-pzbU>mtRdMu)7%@z-B>Pnz@TbcCh#p=I>ztXS}2Mx(Uos*q{F)MGcSP`9@<v
z_sZ&9*MW!2;NMcOkCwr|qr&55@S`fcs|@}j6`m}Ee^-TP%izaVcuyJpdn$ZDfup_}
z>}nO>p?l@eKUL@TI~AT+t_R+~jV_uB9xgcn{0(JrhkE^GW$+#qeuV<(<5BPyGjhBE
z-(};{kEq|fO8Fiimj=J442~Y3^12-^gAb_izgOV=`3hcRMvhnI`Pg0h)iz$i9-b=Q
zDGKGu>W4;orTR4WPu0UlqoZ6@{b2)i8QPEV<-?~{3n&$UBOQv)#vFymM|@7)nP<ur
z$QcoaQ-Ysm&UI2kANn=QTb6ww-h*1t^%nRiw!u#kPJ1j4tKFO~9#{Pr-)>7aM+2_f
zTW%ra#60A8ILzs~Cid^LI|K8AW+1%_`>7gU+>4ZX$##M^FFDPg^BVdNHA$e%JMoUZ
zM~dxD9$yj9sFD2~qzQ?r1^G0nV;Ajz^^Cm{O(V>#78_78k%MT^_~-VU_4ZWp_i*kX
zeDQOi`$h5dN9I`Tu0JQ1il3Hk=eNF<;^<=hv_F5v_h*<r%lD^%)BX|gB*8IaSeNWi
zn6E<@053VH%(%i-()?yeVacGnGjfBR&?{&~+b~DsC=|aC=N%}1gHQSDQeP%NpC$P%
zLwHAA24($TgCB>S1n1Aq-Iqd$DV^z&y*cCPK`MK5uD<&ERs&mE>(WW2lgUW&taNua
zJp*M5cv)FpCf^k1|2W4>g8Bbk1iWk2N4_4wzrf+!8JsN~{#(Eaj{+WMQI1FQ9eh`!
zeJSA4GC1)S0Us!XKd!<%WjOiD{vgry#K?`t0p{lSU%|eEk4J@fuoljTX#Az{1mHA&
zte;ee>#M8YE#`^)-p9v{lpW&FtVY~-4Ln>1r}>EMqh)X!pMVdP!H=r&t}-~$m$*Jz
z1}8ou;Mp=b;YGkZ6*%S(pOXsjU>n5z`S^(si|h09^~-=iOg#`~cwD&;;Qz+?v$*~e
z8Qx9zDS^MC<ofUGi9d_$FDrrHrzid_;8!ScK28O1;Lijn{z&76TwVcxJc@l4)au_>
za1qTtBkDQOUQ#&6QE<N+Zk1EQlya(#B13{>7_rx=vpwgH=p9+&QVW}*zN<m~bK-@J
z=f8xPP2UuBHTo<j#O}-)FvH}CMP?q7)f;JcIE+THLyeB~+tqpBD9>B?&S+nJnbTL8
zb*cN}MZPZtJX!{)^%rnt_LW>u>o4G)D%?lDITgOhI@JC6BHu6K`T_NN^5qfT33##u
z{u53Y0v;zg)&=92TBO6UsnlvlC$a2>f!D&VXp&51O+m}TyBOXbMch{P0%phyh#a#r
z>)#=l7NL4$JgrlG!`G+6D;V_|3K^^0)Mzx-+8ihJ5Z0O+;@#C%s6^$k_yf5{dx^J@
zcpYf`k9;kj<ZBdV36;0NwFg`Ycn3?!yv2p<HFz5EA3_!ez*}IO!VlumBtwOzCYOBU
z76zsDNk~s2ZBj`#BpZvO^`zrk@fn>>qzH=ze^dOEqWP5dAUxDo(Kra+Qp(V!9*f~7
z^r8(17T}nio#o!iKeB5RRXg!7Q@r+<zhu{L*@9`J2hE@H@-XLpU*Yo(=>DG1dmi}M
zPy!DN`06hKcW^w3>!ULKn}Bz5+7a-$42L_Exh3L#0^TLVj{{!IX;8qE0*+{>PWOmJ
zG%nzs^7Z1m#9IY?K)!w$*MCzY9w*>=89u+7!@OvH1iVA{_ngP1R@-#XV|{Fzm+GWE
zrV;li9z(o?=Tq@x9N-<frV^Fv&GDX8OY@RH<ZH599Sv#liPV6d6sDFgSz!XMp+zv8
zMEhEdDJzeae7#@bIDLw*L6l`>+Ve5^XL0>kIed|czLg~JO5q(WrOLZfcmi;ecT0Hg
zd-z&D&F>S|-6ZbM;RkVl0Uu;rS1+Kw0QnC8s|sI~^AKr|l)#al|F61V@auD>aPV^j
zACDg6d=Fn^x_``=q~~&eFFq&vTyj5S0^dVU+A109@536^YjU7s2WhTN%9b~B-HPEU
zq+?MIy`Jk)JarNKg<dHuj<W42rh>RKcn(sAk>!SrVeFe=cZ=_grCWUW|DyQljX2=y
z`1L}^zPC+$oa;f@(`k;sX9WJ(n1VmRiB<)?Q-Pz$C;ZMTyn~IY^7xnhK3|jX)27^q
zmBIt86izfRt{*6all&I&xB|zz!AGpZReAwFf62!wuJ2T@&y`(YN=K#lQRs-|fQyg+
z>wNqHO<ya6m*{<fle`z#m*{<f)A$8EUUnbi6$0K>1}AwX;K?#L>buJDzA`xBO<b?(
zl{q|@<fMRiuozz#F)!jF0-i6u57&DH{E`#E-%ti8eMnq?Ss9%4ApyTah0}Nx{E$8b
zeVOkMj0<)~cJ-%{U-H2ZNgcs%QtS-b9i~}Unm<#V0u!BJtFT5|Pgsh(QLLh#`!q$B
z9Pz17hKX*-0aaQfdxd*JmAfS5`;q<>Gsa3XzOjQu{*=DiVWo^<D><iQdOM5l9qwrz
zaB-(|X2IVRq4y)ZzT^6JVsv)-o|$Fmual<yh<7q9T+VJ6-iLPgk|&=v&2%zX>fGYD
z4(*@pEWXr+=OfO5Umpi=pgx4^+47TkEh&Xwi8as}auc|PsAoqV5{M57-9%`J4bTpQ
zoWtidTQY)J2(Ko~rmug;+Yht-KY8@gUl#9(Mo-<nn_|B_3OmaFUW9;YjMyh>=>xFf
zQku{IBpMU-Xwd04aE?V4)+qU(^d+$tq(dPlP_83U5Q2QtT8jPp;gbIL#hU7k8|wQq
z@$`CO6Gy{Xqs#2GL|fYX>%-?wm4{Hk+r?a<yH+8s7qnTrw>eLg;ibGFP4ZZVm+qxB
z?Rgm<mu<H$&MQBl!ug)$IBcW6ikz@^oqAGVu41ZDzIM>{C^8*{q$b^oYMIiyNBH_u
zHB;(stZM#>1D}E=)kay4^J7-L3L%j&tN}J2FN9r%okKw-X0p5`5m8Km4mqv@Q6KCF
zrB9tcqy$aQJ{+?2xMa(KnbnAtY$Ib{qyq?EkX3mBcq_LZ1pG!BPBQo3IM0QK#qsY_
zWyZg8o-W|nDkX5@eF8q9z#$tDw^8AX3}-fF*<A|nU|w05$l-e8xpW`MZn_WWP0HuX
zW%o<qd!%cK_zT%O-xA~175TUXoOqppN6X+eUI8Ca;XaDvsPOH&-}3P$F^^LCBF+lZ
zJjDG;7K{6Is`ts2UEjg<e15oIe?90+zTWUH_AJKBbi1*4V}K_$-9s)xqfwp4Z<Y8_
z1NOS$Dioh<gvRa%&56`=I{iUePfjEbh2i6A#6IVgSQb+PJ0+?U@nRlY5-gQn-?`vQ
zwdA~sHZuzQR9|S$Cx@rD`Fa<-XZG1I+_vCI4w%BOPKPbiY6-ZTt23{6MK*0Jewj^W
zHg$Vv`!8&o>GS0i4&X?{kO<e`=4&&c`zc==4{(auk_z9h`!UDqTKJ;wr!qWOc72EL
zryQpq=yRp_NdOLgPK{kPY8<;l=hkpakqCI+I5(usG1A${!WWssWED}~SUq0pQ)<S+
zJ!AAs;n|N~xhqVOt}CznX`B8ZCMNzN`%|J35$__}e2&jQz`}g~YvJKCIMJ-QK3WDR
z{YAjzW$>daysHdOdr4fMEQ1p-5O8D&l#GY`@B-db0{@jn`i_9(kX*_2w5|d^Pzu+#
zsPGHR;N+(e*Pl}c->kwfDuZj+pRdAm6hBn2?_gn02Lhj@Pl@~I>3Xc{GW<IfZ%iXE
z8xoFE3oE?eGGV|n7T#T4f>ox@d6Zp9ePa~QHkf!t^ikpE+|4}_@2R&sYSXiMuNIHA
z2D6?R%JkaF%?;jd3wj*2%-OwTXl;bDd!{o~Z|!jke>d?4%u705`WXBeYOL}knup@C
z7V*-OI*VnarXzJikfZ1@<?O5pp!#DuGvv3`pLDDrO4Y{_UZ<}q=I|zbmg?f~DX=PN
z9b+ZAeVyRL>YC9UG<eA#0G#BuxSp?>dLNS80<O_|j&PyEm9-b~RoY|UmG{^VPNQq#
zVO9#KJtnS?mceN+33!))V?-1$r2GG~xWA73>MP*kGC18|Tpuli)BOd!s|-$ZM8G>0
zIBZ$ODOGrf?(0PB@^gvS#r1jRdOl9#5dt0;a5?r!<Nuym7u|ny{G@UH1Kd|9-~(lF
z8jpZ?DsYSkF-#TSp*zm^UK%{O6rKQ_&W_1GZ|J{HWLe9*uOjLxE2%t20}q~}lOoon
z!ww|fl=qm&d(ujALL1sM#Y0Kb!JZ~R6wj5!5od>zDML=F;5<*6ymd+BOkREUA5(@O
zlJ5M+he&IFZx*-^xh0gZL%RKm^L1n;5Mw+>)vz!MIw8@5cXR>{(f~HSQV*c?xYGZ}
z+Is*<R#kc9bzh~9Rb9Edx^m9Bx;j_q?&+TC3Eh(!X2?ShA{Yl`7DO=Zhy*c!f}jqH
zC@e6nBA74-*j-&$7j<=A6K3&as{g-p?|W6%)5FO3|8}7JRo#B?zI)F-_uP}up5@cC
z8wcRBvng}>_L<44>Fttk2iy_T$+3jxvQOkIl{m&gHB8Jn|J^vN8(xF5+tkT8fX87)
zw#cVdJK#k2DWqeRr3#U;t{rWp1tr==uI2sJ06*<p0w*c2Zxv}ZSg^8vG{6|UPP=t6
zHrX5Z?j5S^91DhPyUVrZ_WHN9Tf3rjXN~AO+ji{t*{Xd}BprqW)Le9W$CjmC03+bA
z2XoM44v}WABRQ+e$!4IOtZs~wq#&|UspN`r<ab2%W3m2Nd(uMMF-MBIAUtru_6=$*
z_!z}QUZ)2SQ?e=9_Ce6jH^sWG?UwEykG-3G*!_#n<*mNWnFQR8?TO(ooqj^2vE(+7
zR2OsBRH%NPq^tQ;p7C?%HyoTo`9I9(Ab2?PrL;6D?>euIrZ?p==zjz@2p)l?I$(v#
zp^R1dN9y)0zsV8q?&)xJN1V%Jq^-NXO*^617BlR{x@K{wfaO8bkw6w(R(6eC<hcpU
zrdM4v`-9NYc0%H$h;`wuZ3W!iXmJ9&NZM<GUVlY#w*&CtIw)N5P~7A-R)43l&C=<y
zs=5E&CfOUWdb>_LCTTMX*$c1fm-m<Ht)NQain(oGN49HxCpm&_c{*;(6TY7x#Jse~
zy&zMAbr6*enp{hLf|syq51ap!q?@geV|^fbaUXW_C~Wxtt@Gk&_NH*n9e6wWnGgpD
z6SXZ800*S^etQ3>>;K4XTL;tw1@>G$Rhap=d+$}|Kz1%2*_ALSK{M$)Xrnww(#h+%
zu3pV$SCS#s(8Y&TjogFlcn+Bia*Cov77Mxtssh}nY=FX#p0cs%*F_1EFfK&KuRXH&
zL`TI9J9cbX*s<fcwc7uQ%$+l?$cW?cSD(80j5E$Z|BN#(7Go!WVT>KRVR<g3%hhq+
zFXJ2gGgz<grmxnz^=kS_kxiK>lkk<w7YY=X(C|U}_!*yolavEaQg#D~AY6;Ogp*WV
z$XLJ?uD{fgUQ-?m=>v6K--sAotoMC<KT;q>1Fq}bPg{2+`E3b*bMj0>j4$9ybP+oh
zbg=~1Jp$N9a4oQ_>d(B01li|KP6BGrO-|AngpLlTH!e2|{6(cH^x5!-TL+J(tx(w5
z35O9sNAEKQK&3*!;@g+e3n1_$Fj<)^&LF%;$b-;2abKZM)yw+|HFeR#TOU*h)RFR&
z(%FcaW3Ix+Pcuc1p@1#m&<AYkV~?_n>wmlFBg|j;*KcPgp7_!vAA^w7Xbh0k8axJl
zCtgC0`WL^E_DfFm+znoI4iQu2mmKBipc|hk?+U$J*pSGkM7E<St_Db^bfqXAqT(c%
z($$4DAPgEM(-?~&Ckad&mWoi45XQr88H}mkCK-1wF7B*fPQO1mu)7uv)^-mpR`<|{
zJyoWeoYT~Qs@X6(xk1C+nz{P@b82s8A(vaIc%->G$s;~{)pJ-+Bj5`EHO%SXFel`W
z0?rk&o{px*>=gbK$1rnID^0`)61+*ruSkb9UlZx_kaPvU%uwbawjPt?pHTpYna{p-
z%jCqSiODUOo_$Pn;M_O8VSY-(I_rPZOwGUHP3IoaP>vU@y%Yic$fz22&r|4L6|5$h
z(rM|!l`2kCq>~%C&<$Kb<PLCw<W`FFOLO0`k_>5uXCZ3@<=JnB@gYe}`a)Bv&qQf!
ztGjC<Q(wq*;n(t`_V{olGL*25<|fs~WVsfh1Qk)l$V6)8q)|ON96E0?K3nv7inH;>
z^FqVGrI)kE3BLLSei)d9b3{6fb)ncPn`*o24LI0xPWi-;5x;p7w(^e@G9`4H2GAmk
zh@l)l!f%J{mO`>4d;I$FDa2};P7*@(z2$XLRP6orGciOu-;g7N-eSZ_jZt<tM!AkI
zwCWlt!cgcMI-n26K9bjmv<|e2WHsVmhQw9!TnZr@jZVaTuvLU?h_DYn5aiy)IF56i
zDZu`VapW4~_`kp%l6U_e?uhuuEb%s#SA;_}?7xRc>{H9H43+qFv5(jA8DbsSkFX9s
z;Bq#-EN9W=;b}K05l|FALE15JmJPZ|x?7PapCX_F4bGmTv4mqdJ5c|_S?P^cKjh=g
zxqEMzncgMoW^OeEtMSBe)I4?|8<Wql2LB^}2mb>fpu0hTB;<Ntk-QkUUF8P_LWB})
ztlK(%!AAbUHc>l^Vz<Ozr-(<|*%XmV90SGRAtEP)tN}<PPMO4kLV75vsyaO^3I_H0
zb8UU?W{ahxt*f(3&!V$!bM^O}=?wnih_1c8{pb_@8hdiG5E&bth}XyapE&x$Rb}=D
zZz*3=&Z!131h~PfA$<yXmulLHWVhMo?mUstu{6#J6?Ui=+%<7y6k|Z=7;*ii&7{ap
z8<%W^UY**Arjhqy5Lfb1NZ|P>;{2)RtJpVjPJPMu5Wa??Byte<Lo`G}0h}kOJdN-K
zhn^}=>x_&7CT*;L<ITJ8A29o^+D@&Z+ZG@7jL$61)I4J`TX(mvLu(C~tM~1`dGXi3
zX4WgCc4<)?8@%pc{^h#Cn08UJM_*O{<*$DYIHX`p|198;Y+~OjWS?W?L4mV`&P%em
z2puCyLKKWZ`r2+;U)v%($Qir@*VjlvNoB=&XyqS9&PXN03;ELghN+3d^vF<VLx0M@
zr?`ApGM*pvR~Nd%u>rrokj-ZX;Bl8KRo$V*T4KbYX`d)XhZE%UDfk<bJ1kAU;}p~u
ztALg0#7dCgBt0ekw|it7jME){ArL%6dNoOBuzDamiT!p{n_4sS<TAg2yFC84KP7i3
zF0Fq<()}U1FLo&_Hh7}nN>4!7BmD02EV+8M7^5Ts)~=>T;S^RbkyNXf!@2__Rd^)Q
zB$$A0k7G;q%65CAybhvlM0I(cawQ^EMwdOyJC{seuOD)y-l*-+nLUo#CwAY1o&Vfn
zcf{7Fkv2+_BO<VZ;Hd&$Pz-QOPVja6qj@e6CMZ&`8IUyt|7lks){FMEB1ckbPlkOB
zRuWmZ4eFwyx6`ES&~;iY<_?puhxwP^-t91SqiA85T7!tMc6Wbz^Lw{}-+XHF+S=&m
zoLSz>>-g=490OXlhWC|e7r0i?u8%j?r@^y|`?-Inj{GX|eGNYeSZD!@Cpd1+DHM7g
z@7@XvNNHG|HqZn*DapS=#UsZA4It@SjytR|wVY`}ZD6kn+f6;TthMW(ckWMXV!O6|
z$}!p1Hm8gBvYWnj(M8`vVew&fgcAhySdod=47}}z9i_o*$qvI!`Xv)$E{~Fruniti
zBtHo5n)Jj*Irj^=U#yx9Eo2EKibZke>o{ESSjfu<2AA7WZIWhr)28M6Yw7o0mmNBE
z+1zE<Tyq)I)uyESU!>_;ZCZlQ(p3Eun>A<d+jpjB!v=BP3>crt&+fr_k^qdmR1<WX
zbT&?tQ*a~V92BPr@gKyww~1YVqnq{uj*mUdKVHE}0eOF%gch6&oL)=;$)CpiY)uWx
zy1m#uw~k@FiiU*tBE|CrDh8OKvXbDJDSQm<4!hKn_2)L0-P<N7JPFgv^BRpgF;zHp
zXe_7E{DcRqa#|&Q4DW7{1=r28RYnqLrefQnS?V!cvg)+A&K5J?v*p1ppWLF%l|3n9
zcnG$?!~1%mp#yAH4cM;p5|W1jj8P)0*S<~ob&<3{ry1FjP#Q(RT7kIq!Q+qeQOu&u
zcylBKdEy(ex1?!4mfof$ylxy#en(`+baE=#l!RNk95Q1mvOqKD{3{=4Y)5v}fY&>)
zDZ687a&~5BBYSf8Yo_o}JUtpWPi0DZ6o%z|@KqR(8eCIf({jE}mTGz+icAhJJ|glj
zBuy`^1<_|J8Y^_W1QlXn){jgIEg%2s@<wHB8>eY(lXRF!x)X*c^M^mg_+EKTCdsx`
z6<css!sC&j3vxBVCXDthA5cbdU>A)7j+iHofX)Kc;bl*O-uRpFk;z??)-)v<MJsB>
zJ`?hc6_Nt+2ZCo1(W@3^G|Jh4v$g^?9ylCg5uPjUtc4?!d&+}5J=xw`e0IC`M?Y-e
zG8r9qr9)dKb9nl!@!9jHgK1B>*Squd+TwDbqZ|kkeI)(oAGu6nR|T7q+Uo+B*NGQR
zg&PJ+#<nI+KSrJ}z!8P-0q2d`kc3JaYoV7UFH)>`Q<2;1VImpMy|(RD%ga}GU2|r6
z*LWy2zN<33vNAijyxev8%3ne#y5QA~klc&*?>~5O|Ne_;F5qt1gINDH@uTaY-`uzI
z(3^7+?!`283d~c>SviP#6Ji1}I$%2$_ayRzC2tP);L85DoPK-%q_?~w)xL8_ZGtfL
z+u#1aVR0li6f*wp(O7Z6e73%PEC9*J!l#}4@B@bK)jvy7%qP~=53i$rt$Pi20Gy-*
zcanPm4Egk;oz~00(H@Lq??s^<piIM|7F~Ks!7kFalg?3(MRK!y{@If9BscW?T&V%C
z(bLhbGwTgrr*UG`9W|{`yyp?n?f6(aH4-st5CNs>u!mihf<}Wvuo#3q?+=pwNqaXM
z$j`^Xc|7nQ#7khWG^Dw8=SmZ=gk4Bj5$v*`H`xpnTP`iriP7E)XGbYtnqkX4-A8o#
zwEhyM`>2GccXs^nN7|hWa>|d;G_-@~%!GK#k1b2JUHg=rADD~q1u;Xn1YZy_w^rTi
z$#o!{VyaYsk{-u7M%jc$72arFw05(04Ds6FV7T-k{I+yhJ+9LbUS!-FR%-dI1|6+g
zdwZ?;d9{4KZduyZXSesY{v5xb@KdafoC^Z;A^%_rbNZu1ylfP@`-Uy=6x^)XGP%ZX
zZ}PSt;F(9}ZArr|&chha!4rAh2H{U(gK=gzq8RwralKtrJT|_%DSPYdWcHW6YG`t9
zW@c~=8{DAH4Q_ZdKgBrB!!Oe3*ufDtBCOW!tS07>^uT0Ijt%&Bavp>7qmgW3`Ib_>
zn0Q1Vpx`529ML<HPi0yTD<;)eRwDkF|7S&>*i!b^|6yZdMx_5~Oyrlp6z4Gad6E1W
ze{WNMTQ_<q=@Fcw)B&ac74rC6x<EEp;;>sOfrmksJ7M={=ZmgwBO|T*JvNbj$2*8m
z<C|RU1ITN%$G<4=@zCnk^4|X~Zx`~NpX58V3ps)0KH-y=SN&MXeXA?%H<()|{5ZgW
zbu{>|bu(<PPm`+^S~U)B&SOz(L1gV%xvPCfBlxT1e>)1Mmh)EZk5ZQ7z`U{>Tf+#6
zHBiI&3xg{RG(=QM>8*v5o36xE5|i1Et5UXyUW;>?7MWrNl|#Fc+UISTU%v9xQ<DOJ
zm$DOsle5z^1MDA%&N^%8^q%lQJUJRQ*V3gtqWBcK4D05CefO2qN8+d+2VRRf7{WaT
z8;L#&y-_nOj>zbs2CawHm}*y&nRs13jLDUDHrBp<VrGZ7{-kzCS7i2_iHWmkLLuZv
zLPh!r`}gIgrRDm;{kwPXCmsm@V6!u~;^#U&SL^DLbR{HqqIt?rBR!W5(jmawh<vXx
zVi_7#UHu6%HaQL2Zd-TWT+ACS5Ru#U7F*kEu-bn}Z_N}prtg}pLOxbAUtj$yJ~VEx
z{HXK^9Pt&>qN-mW$6BpCtri~2BnAu5OFh$VuvC8JxAk$FcL2X01@3k?t^4b^^`@*s
zHZ){F=UOeY?zaK86ukv;@4~i2vO_oaDEU7qE@<H5H^W5w?sqT$Jgt6V_M^F<|C~Us
z(m{6lI^dpHy?d?fA`53H<3L3nC&4w4w59_>lfH*MqR7tIiB+UrJ0$Tw2F{8!7ev=c
zi%fY!Nt5iwXKD-LO7d_V&mkgJ<>k*&EG^~JB>9K5ah!$v`<gokBvR>6_~yl>SD?Im
z<1_@QU*q4&^>^PSd5ZLRD_nn<f$zc^*-lQw(}a&qY`AO(>WLj?B<_{Zhw`5a8-oWk
zBkq=Tc|9s4|0@xNG@Wr22CXFa5NY{ePN`>P-%{r`hhJW=hup2f_M;!vhW#(A+Y9u^
zd$k|J97%rl00-z~TQkQ~_%|N|CMps;@ffuJJ-8B)qf?C}NC(%`^x;lTV^w8-UaTse
zZzpKeXbIUjBKPcCK8Z%{t&4ogPE@M#rNU@P_Pql0@Tjg-sPoIEoM<lFy4}`FWw@Bq
zOiCeyWlE+=$`HlCCKPgll0#HhCWHggAj#@Ml9pQ(gdH92Jw4_wt|5fb+)xo}wA~I%
zQ%6YaQUh%uKh-tsvQE}&`km8CP+lm#Ty0zf%o9-sdaMp<7HDsgrxf2?JT{MW8CVNF
zdts3>hb_+m%)ca|>AOO$0N9qX4~Xyf!M?j@EbFwu&3!-`V5LGJQ9>u)Dvm(XegWIp
z=dB?%j{`dRzi5)PCHG0v>kaR0KYDLlYHIJmi5d1L+V5Uxn{MXwumgs&?6%I!tf_~h
z_<s%0q9TrLvJ|!hS~iZqq^lvT3SI4>yu??7#^R`H$@f9$I0EB$wcpW__T!GTE?<5y
zrD3r~?vL-~9(<7KixF`BHrCjyI)5!(*PVXNJPcxuNoOH)FVI=&#7LoK=N1prh+6pi
zKMqa++V{rpgEd~JsY;F%*h5-IujkwEx_Bc|%C5C3RIVbWlael_HHpgSh+5Korhu~@
zn2+m3JXyCBn|LDR0jkX;GE0cuoC042mYzftNa*_b;#zIsT>H_ZYc+xm{DnQ1eIMg$
z(MPU3;adHsh?O()5m9U_MOs>9xpxh>`+zm$&o5TEIx=a3@%76>A$i+v#OS_+7p|B0
zNJfKg?6crwp90ME`aC;r^>w&U*e=mdK2p?<JRZ~z?{ms$0eK4%o1#C&*MFxW`{(7j
zZrN85diXmV_x)CS2i_z2=%ma?3;q3lcwX?)6xT-YY3TK}zv0gdew&^b_a%wn#(kpw
zCyn+Y&WEc>kH!7`(n#t)t$LTT-(+<|ljJrj?Bn1&%(50A9v8fFC}kDNt7^bm!rq!H
z&p!nk_j!nC;%!Mh5#XP~u&+_3JE0-$=X8d6*Fk)G9NE-8JnuS5ks_6@qKzSO7@j0Z
zj0C$$31TEZ>7ytpqK1bCFI5Dch6OYU+l7bad@VMfahknxo5^Yk6}<h!_E5&*o{#oM
zyB1BkfV=Fljm`MCY&Ud8D~>*IB;_hO;`1JNc%;h_uRtFX@^<@1+%Dwds^xnVVZSjl
z<MAydOM4S0yKd5$=?k#;SyK*sK41?d>W8f+|3ciFbtm%J+f`XlXarB*@M}9o<buL;
zP_%+bW+vuOmQR{@s{-w%%!ZQtg1vh$be9$~rSb7nablb&v%BW)Z@-43uqMyB;KBoE
zTyViT06O*tEO9E5x!RikPV0Qno4)fD{RFxRYY2H-iKCJrZhG$pi6K{weWaqd7@%H2
z9VT>sJ3nU{`i^y6$od-03J*+N2lx_tLuCx73l~bE?o<RTJ+HqUubnj=DwQLn&TM2y
zB|edHhDNsK?UlZF<*R#_ro8D=$eD>I?TNu)WW&a-X-PfH=j;IdZ^PJfP1))cu{gq(
zD`*JeqOj#s91fj>l+R6xy=mw+!0jQse}!jvUOV)LHTSv6{hqjMu9B~rlQX5vXv9>^
zgvMOS;I>k9BIg>+mgl^cxvsRg><s7Q_E4{3#NZ5A!bx{;$rCY$O8(4<N!>Zw9~y|k
zlNKI8DxU9*YU4IMO4pr`P3<$;-4s9UHt=}_`DQds7rv1MfNDLmM=26f!Iu)uMaUK_
zaf>f@8H?0cf46VbroTNPF?F}qa8o~<tv_A6>6z>8!*;8eG$*8EdOz?h+=TTyKi4K5
zQ9L+}n1%43F=A|18ShELP~_MKtQ#6j)bB)o=O&JPe|on!>Y6I`rv2vek}uVpG_&xJ
zx-5y_@I=8K=m&7!6-O9}_Fct6Q%~>e^gG(St?|)hYBJ*lo=B=OjQw%o3DvcEB~rMM
zr(*oH5!PqI53;)p{XSt&tG~9$ug=p^fOv7~cFlGM6=NOgg{m(ywl$NVb!E&YkGGuY
zWqk|L#og}wcqlPgsq{^_+Qz$lWBVsIT{7zrIE!Yxt*~Xt6WY2pT1z`?gSp(GH@HBk
zkM$rq^{rSBLvz2c<3gM30T}>eCf`QchSn@x|8|WvGL)?Uo?Td~g-x2dt1mpeGF=!t
zc=78tlI^u0uzMJ=i{L#IO>N>SJl;iy$`L@1PL8N*gr5j~p!!jMB9I3><@6v;+hd5=
zCF;;P2Y3-Q4o~4yC|nEG3h77HC`nKHwyY%R|6h``Wsk)dvjz&T%xGw7kI~^aSi^2p
zUvXCJ@s)G&k}aHTFO53m1HM3Erpp#BdtIquUx&szobZ*xmZcF})aPnfcRKwEm$w|X
zv!uP`iWHJzTcFqS*KEuYblE!1m2jd=xKsc<J_>krz>}tdOLEQ6=84+W5Kt9XhI5m6
zsbFIb6h55t{CBE?fD8B;9BV{m;EZT#s`0DDYVlNE3eEg4SIup_I5t>z73Q63ppvH?
zcS^4L$if~sivFgMUNJJdl}Vn^Kcd%a{r3S!(F9c5Jmd)qRPv1-7+<=0)=%>h^<l}+
z+XO#GnIm84o82nUbb-_61!Jj>sMMmmKA~Rh3tP6l(5%qJ-vwBF4X~qk6_j_a<3pRK
z9Kn4mMP#Yeh;L1q)U`!qx4iJe7IsUs0ICE(*gvvMr6`~u1wSIst*M+BMlLF3CS2tL
z%EXlVu?^py6Y5sor8T<4K6@%XR*d^Lm*=<J0}-#OSv|Hd?sxk_4o|X>_e7?LeCeRu
z8*;9N#n9@1qP8vh#<YwrAQDRgk6LTT25?mOVQeR@9ZQjH>Xt?LR~k(iquH=#ka4+k
ztiLgwHG^cIZom!v<QBFUbz@Hle|t!ERD4Hm*wYaUi|?pAhT5>J)IP{|p*HN<xbIqi
zUk%TFPC5_Y-^9P;@2JswHlD-Z@!YlYbGQ#RTF*l}?n67OuJZm8s^6l<X%^4lL{??^
zi~WJUijfv-Z5>Y1q9xeEADZ<`{~+D)a`#F58ux8OUC(yuD)e@W8k)74nHsNyd1&R)
zOD=wNyL0oyr=R}F67AyX>UF50sXPxU0Lo>On>lq7L3&CJP4sfex%9~Cr$4;ex&6_L
zF9GsV&8zpImexLS9<QW^=DE_-x#M?=8k+AxT`lD~aBO%p#Wazgl?<I2gIvXnYG|ID
zlg`N<AI0B-^80e2RmZTqmFK|kKqE*!kYc<OpB~4#-pQp`qQ#V8sg?7=*He|yY=5}|
zn&%d#qhn!%%VsEdTV008Xl%NW3&sOO!F-`j(_YMmhWznR4znTt;ytLJxeufK->IKT
z8Tsk7pbYV#sQ4CITRd}Qu)WP1=q-lZ2S?7$h2s99P`22vX)EM|LxFfOSD22CMo@2~
zyUeog@K|(O<je}OYuF~WN7CyiG3=YUT(%R}U#U%KBQG1#7H2oJaem))qm7=e@wS;p
zTN3we;m_h=m!GBkrg+<2qb-BBS^n&NqpgT%#eEwZZFHY_??R(3)@WO7v`w%P)fd&L
zW6U__<@d(Wc9gemYP6-;Vbu-n$GDHSfS6l=IaKfDZJQfyq19=&Nk#VoE~qt2a`8@F
zf2H~t0T;O~jyksE{64@%Zlh;wybW-X+mg6%3x5`HX}NETw*fA4TL#b0@@D}Txvhw2
z#eINF%YEX#fQ#G~!?U6daFN?4R+;LHEF|F4xR0rh@;1OlZcCx|`3<Z03Ao5@f%*?r
z@8oTO3$@{V4dD#h#ExKhIk3kdcYzN+!Px@G9H=`t3@g>ag+!=p6$l@l-nw;qYTLG{
zXg(i}<?~$^oqg7Y7oK(YMWxM4OPe+=E#aNmM+iz&{R;IQ+raG#&F{Lmk>ZizO=Rif
zLf_HtfwZ;E%1NEYSbrTlKtFN(8ppU@;MJf#Rz@x7%H}S1PK>%K=z+1MK2H$yggjre
zl{2$hXFSxKG({a#@!>gptm3;jl9=ev*`w)zGZajYkGad00e=<mCYaUm?j(3dVWBu-
z4#!Ag3NlV7H<=6d7zr<&gesJj;*=8Ca6;D9-b0ELy8D)LluGr{Pv;jLDRa^1&yEk4
zsxiMkj?$o`iQY`m8ubQB_Gqaq6$teC!ogrD5%;=-eb%5SWax|ahH{3sLaZ<4>!G!V
z{)24+>^mTDEnwtY1!_%3oD$5CO;WHnr2Z9wKQgO>@4_NUVS!pMIuT5vzZ3>Zh-`4t
z{lP=`%nuEH<Wh~McrbAMh3vswXD{9=!)*%h4?<r9&CAK&-VMU9xFZnM$eF|{u&xDG
z<dcLqwn}0DRNml7S@OY9CL4BydVJ>R?&>u7O;DUz?GYJ1`Di?AHaMOb*sp6h1q(iJ
zF$D3C>c{?(&0;<K-~~e?BRTbi6@46ow(^njB0(4#t*cwv4=oawPQOlF0{QCmGuvF*
zv2ZYLa-r;4dQ6+D4%e)qoW~!FM(lBiHs5t{Uv*o*%iNXeFw8B+X9nE)u(gy4h0+%1
z&=ALY=ujBJ&j9Q{#oi(NG1-i%$}hR@lS7_Ctv{^pai_e`FjF|=?pBv}Y}u5khBGVM
zcb7<xA{fwq3gCnr;&myhOz%mc&<`k(k~^sC=Ymr&3WJe=097|2LUk$$GFc885iGn;
zX5wz<f-4d7ghLjYNVa&yR}5P-9+%$|NcUFeJI%I^V9XXN>h0EOpDSGK@@Gx%u(dzg
zW%9=Dk*Y~!O86YnK4Ud+ay!j>jj0fFCcLI!nj%)0*XQ&GzZ7$uon}Luzu+Pbprne)
zbEV3rwBCMYrcIT(NNGfv=*Mh`#qYw^f>~9$c26F+A_w(Xbqy(qlavP>w5AbXJk}k|
znEG1QJecpBC0uxtmX((GYkbM)7ZYO11sd@6o>=`PX#ICj$q(L<%4AZRXdn>XJbLZ+
zm1{=r!*86NdgBPu$QYhK+Iart{NRopJ)28p(wprgZ=9NZ<FI}7nw9O>((|d+zp8Ek
z#qI=^U55)~JSM}rV8^(IP`BIaa*<<D8)^-@Ty~oa(?CCg)winNiGEDro#cL+p&W8U
zQ-Y)TbKWswhybg6+!T7eLABQ8c3XPg#VaG7aW}KsY`u|ihR*6$kk&feB)wOh@vMWl
z?Zow0(mTZ&FSo@}E_|HdN4$@?kDjgZHsXCmTN3we;m;E9)4Xqrw-N6n+A?@{mOo3p
zk7z66S#clnKF#~YdlwpQF+3~Ui1!iqO@JHzqVyl)jF;P}2JcbcM!b)>FU2JAK4*wC
zUTzDhZUyf{ZN&SC`y%WxOOnTx?)4ld0eqk2-`~f-d+~jVe}4<sOIlq8-*&Nj7@J(I
z80G5j#!n|Q02zS|Ld!%}c!mRwVrZ!a8iGb*Zl#RaTP%kx$e%BD+TQ)H`FBml-WQWz
zJ2n=c4@G9{zhMv7w_I}#XwM+tcPZW{YKT#85(#g!;B8^-R=H9b-e$wwI?yJpYZSLb
zVkg;Kyx5qQb-AS*UNMcTCxbTx1`_sYG+*vbkA}C7^=Au(@eTdML)8r!!-Ji!xW`}W
zl-f#Zf8K9=5eKTb{>fM>8s>QH2b>P7r(hlE!x#xFD*TW~gGnZP4jM-zzFP4i0afF6
zN&|bIat3%S^U1`hHDpe>Mi%Bqyg6&gh4gEb5~;j0<oDZSCfnYn&3m2psMk;Qis17)
zz^4u8Hock7CxQ?iMICrELBc3QfJ+i$;wd(G*|`^9aCSLAzu{e3n%^Y{FSx9@V;kA<
zsm~hv?8L6YI`X-YXAEVc6o<T8o)d}nmX=h*gG}|gd+zxX^;fy3d<(QrKs4Up5XTuB
zA;E=V{nqx^+Rq?kPu+Vj@8qWPKZ`yHzE=Rg0X`-UTlC?9ou0<@is1})grutfPHpJ-
z`l^fR%$POYlk$&moS$*TyLKOO%o4DdE9K>3U%(nS+4nAO+1u55Vd*g&a*D}wA$WIk
zXcKHWr$i9Pc*vuM<Z9qsBcgJ!_H?cGG|lFrhw59t{N)BrRIfol@W7E_tR|mWc#RF#
z=-xW9;CP=I^X|ZXChRWSWdeSBj!TWoEqDqhn75{et!YEpfrw>;FV7B#gT7vSBF_@_
z?|6z4QUS~3KaBpmgcb|^k?)U~2U)BkXY->Q76!S366gf?JdtO`Yh1<jw!xb8@!1>S
zH*;v7hWnlG+*|+CzpuQx@s2Xyq2*&1_yZfbz(PP~u=WI>;y<+D$H#GhugIN*@zDOE
z=Ln`+;5N|^Vk=Q^i+_ThkB_P88OcY75IiW_AR16Km|T_$Rh|YnEc?{nEgOb)k~*|C
zuq`Y}IvT+9J9a!@-}1a?&U4^<-#dWI^XOKF(N!1^)!`Q7pz#RU(|80;BYG#G#oygX
zY@sB(7@WK<tCqAw6Sw6gNy8`n;vWA(=-K)frr#Zy4I=rEq$0e&6L?Lvr5t#hLOHD1
zVT9Ebz22l6!e6dcwEB<aOwsKw&Loqwbe&BOPEQXGPEE1HzG0y8wn3k7aJf_gI`{9}
zytHS}(&l}bqo5n-aXhd#Fj)m?6O5HzPAm;kPR_N6bTd3Gb@1j5dz|Uv@Wz>o`uk^S
zW<ztKQn2T~@9oG0&^MJFz87=qR3-VTPWBVZ5Elm4QQvers4zeB-6Hmhz6Z!Eu827x
ziey_+d^$ubL$6Zy=?C%@KUZ6}P)TWJ_A4{SfsoPO-qjIg|8)8mn(UU-?-<Hx!$V6s
z1rqzNG`M>;>byorYc1e#8Q?%Z`w76GC`%W9h(e)&6UIyDO0$#`d20x$h*7O6mp%Bl
zz+lo*PF*s0&c@kuO2t`%O}8f(ERJ?P{?J1|-4YKFez~yb8v!5E7s1;CZ=<*Bae^5z
zCJ|>!zOg>E#9`s19Z6Ww*zdg3^E!tYuOw<c>mJT-_C}oJfn+M~tM&MMdtf;5MQ5A=
zTizE+bX$A7YRTLdb~xxw_Vz_QK6kfUZ|Ms;dy_u1*BLY0{cfYp*rj!w3YjWc6dJP$
zQ&|C=^uSaxUNy!{xxJ|dlLdPYmM_yShuPG1xbyXuO8t8N+yLfEbgq|UH`gHGxo$j1
zN&||`BJAdISx|VvTFE~er0<1?Q;spCD`K;S`-~&b<S;vI&CFN+c05}0b$9zp(c^!s
z%x55@vDG@>cpBb80;1Tj%3dWcqYS+@jx{&Eb#kWD+@<a^bxw`nM62}E=wuZC|5Ty7
z-Rx%A6Nho$knLE|uvYI-5_L%gCjSx=YRG4%2Oc4`dQ=Tk#XT!AyVm!%xb`$F3mx1$
zk<xeR)OthP@W61J5oPE)_34p4i#0?BONbaArSbh&i2Pkc|D{~(TVCwV_u~H-#rm}2
zrfnR~lz)ym0OHDM=h3dF`bP>~H_DlFss543k_#_a1xnSm9z4xawq0}8%s`v5L)~s@
z>z}&%nwgO{bEmr9+&02){?WHDFnX+3kMV+Me{h+}Z?*bOm(jW$$C#!tCh}brW1_LZ
zL!ZA*@FtXhz;Z&BBcz?Jc3L~towkn3#9?;xy{z*pXSTOD>%6M|r+dYG`_T7B^xe*B
zv<CB}bBxpiidu)<q?O$BRLRIvu@I7~OSZlre}nZs{}Xm|gzczA>mMy+L^2-?3<?T=
z2=vy2(Ncv)qFLmR*pA+5t(7%*VShR>9ICEHcucxyk?T^nzQDbQ3g^a(Rm2~HsNI<9
z-+z#~ka*SV=$(m;REv6zwb&g?Z5joiT}oA|o&JQaJ7w&ft$jXX?kmK%x5eBpC&pLC
zKH9F{4@H9?wVuTe<R1SN{3M4*S*X+%9Dn$-ilOShg^h-3bYOE30>~4<M7lANK7P2M
z*fyMr;RChK`b%No&p7f{jV?c?b`;#TDMzdr2^V6?Sjw8fhP3+GvxkN(u3d|XiHxIE
z8!3;Z?lzHvi{yr&^eoO6g)1c**Qy|~iI-PULlQ^K+Cm603_Uuvvo|&93l)rBquZXW
z_NQDygUeK6hj(s`*WlIC9q;OzsFWvqI^#xK1>}LlJ104e0u4@r_+i=!^kz5Ks}p-u
z_!HAgQiUPDqWBB(6eK;!D=9{W1P3O04G}ZSL*B5CA06M|h?V+WX{&mys8@sQvWBhJ
z7(619?C_qI=t$CGF%4W@PlwFC2uS~+$v9dXA)h4p{bP*%fD2WLCp)4z@5$c|d=_6I
z3r0(0BCkLpzX(ns#Nj1;j)Xl`r*8%o#Y*Jv5!5{%7)tg!6IE{nWKxp8ryj^Sk|w8P
z@bG<YW{*7#zR;c;OT=m^r#oGCb{IN~RYO<YXnndT=rZLoM#O4BSN;R_1@Iam{)Zq)
znbAlmXOs6Asop3GnV@Rm=ONU5z<$bnz=7mJVw#X?Jd??n{myQ^xyx>!p2n8#$w|r5
zL`PQA1U%V7{RO-ae%h+PvW<XA2_9NYs$DX6bN!O+SI04X4#y=O$7O6$x>5<%Ie?7x
zl4#?=Q^KO@I)uS032VkN$SQ46T148W4aF0@6ahuD*i!%+-=@P%usp2^leroSe$=>!
zG*S1AEM&WT>;{v|8p^obj!VXn$1;%V?d<JpgEf9^c)*b!i}b}}eV%AElI{<9D{YQW
zU;eM@WYVo^b6G6jc1?HM)0gt}wC6kgW>?Z<)aZ1k&Yqq~(h>KWSs)e&M8d&9?9UO0
zwTG$guHHU?3+qz`ASZz57QVNL3J}f^*FtokROCH;O_VLIcp2(#<uSE&z(0^3b3`LK
z^z!T*r)>V&fv-LlP3Qg#eM1k7wLhfZjeTO|Cq11Y2K*4ersEh$R8FXLDBf$u>~xy(
zQyf!w*i9yf!(_78-^3>BpQW)%t3OlyO?55$BR?~rys|V>!f>M2q&lOV!o*c!ffPk9
zNi;e^QN_C)CR=B>uB*e*GnVX<-}yI<rl3~)JShBocmJr=qr6{%(MG^X$T{>zIv+?@
zqax>Ow2LefbQ*~&fE{uh_CMZE5f<R>2xOYWGnXBj**8G&s(<~i!=JfjYOA~shgEmr
z9Y*|z{Xny#_sCG9DcDOxjI7+R4tvJh+SEF2yS|4VPDR<x^~(&MQcewOE!J}t_#fm^
z)<N_^Yf8S?YMhn=v1wJi(9(`kifW!gv=Dj|4Wqw$0Yw|<#Yzqy*$Ssaz)o3w3a3;e
ztI9>K#+naIIUE&#e{RefGDjTvjVgwOSsA-;#2KC$B&@La{+IZzjB^6xw19IJV<fzz
zcPnER`WT{G#2d9>q8L$QFaT>or?FKzDn_D&iuBqBCL-@1=p^(`c-Q|wx#$sJHR*IF
zQN~ujCbQXOGM8hA9jUQ+yq31x)3tbfEafOol>5iW`^ys?|I3WA?RYPpvpg;fGvr(p
zowKr+5~z{FW{4%C&<i?1jB<e{5@?825&-xaYm%3QOHxE<95(2R`Et-1TQ1-bDS7zu
z>b4iGnx)1W%h*@J2#E95Vy+#0xN*kPdB;ds$6-WVADweT8$q=av@&-GE>ET9#F37C
z@;Rpnc#<#aJI{_*Y4y}WZRe7SSQh29Lj`AZ-Zj49#F1Byf)}_c8kG+_cG-~GzI!vG
zZyj-ez4CD6UQ^FlwMs{wz-!g-Fuop~b;O1MSMehvJP2@zM&RS3mM%fD9Hr(N0wlrV
z8m+jxx^(6?Tbe|WiGgw5fTZ?Czsk?4!%UC<Q{2`@d+&rZLm@Nd#BP(1S2`Jp5g@f)
z<G5GI4${Pt&`I>I!H{?*2YGVo-Wi^7dJ&=L_Ga9sV4rEI5-MAL=76KGuL~XmrjXk-
z&JOol5+<w5;&628dhA|XwBK%s8w|b1&YrFgoz7_U+0#{m4ak7%d36lKB0FJY?5!B4
zkuiwaPQoPGQpD7fV<cx@1fdy4#3ZyHJm}9VsvzD~N#%=e<z2f9ww`W7kR2W?-j|p5
z?k(Oo)|S=k>HS6QubT8V;Q3hV`(@ob$8dTFy_?=iDaq+OCD${8fSLe33dG^e(weLq
zoLjnMAcrHynsAH}W>?wanSrl89Zi9n)IW=Tj`x$iGKlxL!-uG4{<0%KKkvzHUa&-Z
zB5RHGD{r`RY{;ka4UJw&2=U;70}t}UhG2R#;!3^-n9jbEKAW@Z0bwN$nb1)bJ*Q7C
z?-Yt9HPtycvh#P3r!5+LZlGw_*iyqg7gILLmZGtIYVY1p(NF!eA3E){5Ai)f^Gsq)
zCe@bKG09$P4LH-9lB$-<cxXZ5g_;ZDZX5z6z(JYDM@MBcX**+d5Z1)Na8mJ+wOw@9
zbi$|Ui%gz*{&Xs&2_)Ff_unyDDox&X_e`}q!{M%FRgA~E7Vl)I+{Spc*dgsQOG=6^
zg*hdal$8tZv8o-4Ys!k#BGnq$gu~q3-RTOq>krpz5N0(HYs;fon}?WISJZ_)HdgzH
zJ=^QdIzCcAS{mmtvH?at92bb+d}Xp6WuUMjtloD2EkC~RD7!iEn_}?S<VcP=+R<NF
zeGsx4`Cd_M89B-UU=60Pxx0~n@P^_TO#0r;sMT*w`I4FPFuVC!V1B@#5A=lXaf>?@
zP7DVr-8+_pUhyUNO@1<yrS$|W=rOF51czl|-6t1y9za?xIn=R|zBto4vt{PpGdJDD
z=5D-^kG06U(cin#pYRjIf{U@@_N#F#>!uso>IYOmQ+<rx%5_pA2e7!0cqV<N>Q&2D
zgoFNq;esRDZlk%Q+uUaF3j8eDpQ?>S3w<5!x>UQ7=FkRyyPxAgxFJjOc{HgH@ze+#
z;TY!w6C#ucl=8=iHabRVpZMgUA)*Yuf`KF6dJRhO{6k!0Nun@V=er^ao9VLJu->Rw
z>y2$gBbS(MiKwBwSKZm&_1ARBkq@!H58ESl{Qu$lPeVCJD4nnv{dq^C$B1;)YRFL6
zv3~Wt@W~II9c9xd4pjrPM6)B&z>ZBK;si-@Ap+(CA)~xX<S0ooPB9{$v8qGeu*e8~
z-bo~?%QEMN{+?7N9ls=gb^YAGBU<sXL;gGI*lFeex5xgm(0S=I{{Gl~SI6tlzc+SN
z(8ifj!g)&(;Uv3qNfl5>C0m(LldMSGANRAxm27Y%BXS!Yhjf3nnK*`X_B?c?3Qvr?
zqGdlxtWqum9VD@)Gusg7;*aFi9}cs_?sR`I5F|6erPW<qV`C|2Azz3O0&G}y*=~vR
zEU=c+%7G*NL;+ou2Wt41EY@Ift!G+OH9-8EP#OSHNOBYk0b-6$st_RV2nqqPM<p=V
zYc&GfVxvii)#9sv77Br~RaOX$(YS-E7hwy27F#L3cHDA-T|RC<C@?9ZXrGaqxC`H@
zC_AMycgTUi4*X3?$4Z|G!J7irC|k$kS;<AK$>lxZ8ADm0f+LlY>}i?XE5_Bj!qSK}
zY_rBmx$&aKlrk6!(eAX_xpO{(NkzT&PuJ$ZZnOTQ$v9jr4r492Jfpe-a*?oYkxZ)C
zw#s85&Ck};V$HaJp7b<iO$RWDbZue>m@z?aMdKPZA^*i%J}a&SR@tS19aek_o>xBb
zaU`Sx)fc35`8bFpmThx5I1=xb2C`WiYeE_VPM?Lpt@YEToD>OEi5yBK<i3Uwi}-T)
zJulxUsS@k~c-uX|i6eQ+k}t6Ec%`gF<V#QJ)T+f<8$0#k-b}~}okFj24J4BR{ICbi
zft<&i3!2TroY#{Jn6ueXB%6(dFb&Mjr8*D1PX^du;T}Moo;TAb9Rs4lQI(%dlnRN0
z7=Rz5(pf*Q4$kw+)y{N!haResP%u{I@k69pGN7K6SDH<an=BU7czQZt^9(tr(-S7E
z)ijZwb_{vObC)_(ev8GQayrv=O`n&Ua14b)!;Z<!Y{X)o%}hFmL!lwZL}tcfi8?Id
zg4bIJTa+uuoz)|V+4vPC%)`p*D(irZBz5s=HKRQr!-l5#mQL_|6dg}O7?XVfh|w3B
z{2`3tGiA%890F8(nq0QTeUIY=5zj)T!(D0IMe)TM;b#Jlp&=V&HC%B-DfODdfrj!;
z+J2bd<B$3`We2K>u?=I1&66YfsXm1EB(nXyVR`<Nv$QGCpgT5@i&tX7bgeM8yW^a*
zv`J5)&s$E1v!Ot4rhoplj&m@s3IOp1=_V}FUIhkn%t{jmO}9Lem!CYLi9m>IV2XH3
z)L3LCg7|>h1u#1jC8*X6+#R6_gYp*+dZZIOK@F?u#W1^ot-n;&sL!54;>W(ibh3ZZ
zm4`cB|Ddt`14ksa-^+T7?)`&?K0{gKAN41v^RARX=kQLH{loqNL!YrS>(js`hSnFF
zTExyCf>!-PWo~kQ#*@vBtOdyThMAF!NbZKDX)u7N6M_L{r?8-v=0p`7=q_4wimIj@
z)x=Ww@wrlB6#T4VO(>9ze!ls^4}S1%AKI~G^z>*<9^=x=J#YWehd%WF{6vn8e=IN+
z3QYw*R(~=#k$?Z%IoMR2l{v_PA19xKnrIKVBWmSwlLSu34vmvS{%M?K3nSb0x-pu*
z`N3O0+A_M2z57Fq<=Ljj&_0!~uX5PJckP$Jn~LgkWn6MbnUjx;DoPV<>6p`E6vP*i
zet;6nP;Lc$Lkr;y{UwMi-I>Id#-GBK@C{!6ASIO3g-|J4u8c4+=St=Ru0#Nz9?)5B
zZYGdQW>r}&vuPyJK0eIY@OXQ&wp_?8xeB(Te{xHAy<TVR`_FZ68jDn2g}_QzV0`az
zO4Dv`Z|iAGYlrtu1T%r0D{$t{0tAc>OM8C%fp93DE)XpoUHuXJqVzUkP6QbvMI{wt
z$wih{k!yrB*ks2c-jI$>S_#S+MKcVOfOC>m@qF7;9(hvf>22>A8?26Bok0e8U;jd~
zoE~??tr?fUYz=$nW2}E_S2x?-y{mrSL2YDY1*Z6si0*>(q@cZQwoCQ<r9N}n6;z*x
zJz-w`0Q-jYUTE737;P`L@X>PXCI3Vgl@7kcX(jv^CkbL?Gk1{AR7hg9k&&~tp}U}r
z5kPO`Zr$sMb{QRgxkQ_D=S;7zbJG@k(qQg{n!<1ER_hO4@6y_%Lua(<$2vA|`uAbY
zz}W{o^)+p~J)G;U)qb5_>_-_4HQ;)L{SdUd9r9FF^#KLP<m@F)9P?8s5O|gb!46Ra
z>cce}BGeFRX=tXAlWBZE-O*3^qaIa-fMvjM;3H*{15`l2yYa^mr}&1(r>y)5iOB&O
z22WtM-C;puA*`hZY5%Jbl|=G9$gL%Pe-Y*isCh-4HsbVXS&fX1wRP)9dVOPUhEKbC
z`%C?=>2iCzqdh}Y7oOG??b3E>tvy{)gEP^CF#ZvL$&vSOE_F%sjMdxB8mUW?>Mu^8
zA7Wp2U3>fwXQ?|cKODX7q8mP9KmRPIIroarkTvTx)^(bYFP$i;&!l~;(EGCLQU#`R
z`m83zn)Lp0;E7YFBQfw+v=8aj(%~lstkB~c!<AGvbdBO_z>gEKqq9%!+7jQjbOw<A
zh)#f09RzmTxcsE!XTgOteodQpWwc$ZUvnO4wGZ6Yp*iw4<wVe?wMLIIt+j+LEr)_7
zWG?vJ1)Y2<kUxzIHQNsX!}P$C1SrbA3LH#?2Jn4qU`{g*oN$2nM3VYUvQ3Xz8<87F
z!i;Gz(_SGeX5)$#zswtS;XaD(7SxR(M-<qKD{%>=7tP=r#}8@P$womCCP)&kpi{;}
zG{RAeSxT^;l9N0CftnZGrE;!7PO#BE$k}M4-*4{9RsUVnnf{MO{9D<*b7CI<R#r~C
zS<^4gzkZW#P%6Pi%<<tDUWjT(BHH8lmmEpG@WKl$VF<eH(P3gG0VOD7*iQj38*C~8
z<ob}e%qh+w!H2pz1<_*eA_I5;R!BP+=L5hahM5KMH<2$>gKs28kkT=LE3ZX}(+P=l
zkywn-!JvjqkjX~k99KSsmN#s8ZF+GitQ{MJ%gx4A^5M3{Nxy$`qyAxbcS(D%IabRI
zq$g6gKT0zf4HxSFJ<Me{4X+)39P=Sep!L5)nbEq{Z*{`%!TKwfd0IK*3`lim;xnQ(
z^P`2T8;KTL)fn!h^Q;|zu>))T{9amnT6e+|T5s~bp>-zi!h<`*xRY!|SaE#`iZ%<p
z%t8)i8?QjsVSz;Gz;E~!gw*t3jQ{m#>XgQ)xm45HQ8oT0J~t8D<f(<`Lld64$nZpT
zccL1PX}XP-4tAxh?}PQ&jpv{LMV5<d5Y7IBmtJDw`VUg|Z?jze+hh0(tvPuk|5UmI
zE0)6k;JQSzNTg|hq=`(@cIe>%Nn_YqNUthPfhOICE4eQaqeS0{QBvXRktN))qPbB_
z-oz^r7Ngpga9@zcL=pk)dI(0(&u{O`4nZ>S)f_o8yR<Z<Q`-k^uAH+s?zTnTJ*CUp
zd6%4VT4FNS>$EQi3sX~RZGAcA@DBI7@3dRY{#5VS%ts0ZitLwh*$XIVpj~^tvi7Io
z3Tb5&T1Jy2-i7d$Fj(31MDd7AN#IJH7M=6Nxe#|qe0~vET66kL!14eH#C^&882W##
zCv;bCM!7o;tbyweVwov*tRA{{!g*l*#>;GTH5g;YX04ZRN`AyNQ@V|@haYC_pZpj4
zKgM1g)(%HBuc=NX+Irgc-MYl|1hzme=y^+fPusAr`$mMZ0Sw3$euRAu=W9ZBu>u7-
z7`sXTnzE1J=*g3cID48eMP@^m0aYUjhB!EqbC5-xV|ftSo5J#61#P3bCopeqYdsuU
zw&80{j2dyxsF{PhGV0vYfX`c9DvTs&T?I!en5d=f+c$X%hI1bD%q1>4TUT7Ua(?!T
zl}g(=XKB*DY+oQUedfsP-)=X4WTyUmZ&-V_m?!1F_#XJw;U=HzB|P@F(D~N$j#Trs
z(~0LHT1`kye5$uWt!U@c-lo40)uua%f)l0A;!1pK1#>4p6{;M{UtGl!$`{!zikJe$
zuYxZ*ajjfqsqm}D?dNs0ElnqTqSi-eKIQc1l97@t<yjbrjAfiA!-2P2)3)d9zcN~?
zmE?>k5;(nU`^Mg+C8dR8Ijyzj{o%aNmGx)r@qv)1U@e&aro1KXj+J74{ecX@hIm)v
zv3|jM*G85pnLBD?LGu(;vVjt31cM3Zk^Y}K+aojM6Vulhwha1xgIkK_<XmsToN{~e
z_Pl34%O)<nxm)V!x$*eV&(aoFuG%pBs+DrvnfujgU(V@MAOD>;<Vi<!I$CT78!F{)
zCwZ@t=~T`})trr7#DepBlywndW|#+=o+w<2e7K03(~1*CCR$HBn|3ng9}{@)0_-Sj
z50n}>p~M1bv1>uCu#Ne7#q_AgF+VrIto`}SU7cGe=h*At?uqKBC$-xqo;dxXm!^hB
z(%LM7WsQ|kVR5Ii{?bbdzWyG0wGLq~ou%x{Q&1;5g)|&riRKVZqR~=z#ZLJ%?N$04
z(Iwi0BmokJBIgzb&6uFiuh37)R<-H*&lrr7#OITn%BxPpzm<FNFEBF@W|~=j<@9U2
zm?>Y$&*#g9FTH<9Wyk!E^3Go|dtx-!W;2-my|vTF$bB8_5x}pnV=j)S{JoCGwC=q%
zbD<T%c==o~UXcrq_{=u6(roCjG#i>79XB*PJ2<5hpAXH6`-wK@_08+>@8j&~(Kq4W
z=cX&u^Z5Dd`1n0Dm6`dO%JeTVW?tWukGTz)LE3(<1d=UQO)P4TTI~NW8V7zjcSmC&
z>P}9ogcINV_$)j3=&FhxW#3P0^7W{+3C9uMMd#6dfR78DNCRU}x!N{a8}SBgJIdrq
z$18CWwDM$epfQmCiB2iH@_N7cOlKIhP*`yuBuV_E9HnBAaN2+b*&4Aa{Fr%7ZtHL$
zIJ`BR_{vxO^P4x%`#+r0j;1wi*qWNo<!3YY(fo(m)YRn60AK6X-K&38{U6AcYRC&R
z)LMZ=akP3?V)wBN2I{wVN%tS$h3Am>PJRwCK}f{5{yW9Es_i7N@;LGiT%TZ<<59#<
zvuEhl#K*7xQF9}IH+lZVxNp~@>UL!u@-b#=@b&U?HXB+;$``zqO7Mm<of&13Vi-(6
zx4H>EXO=U%l>SDfvZtaqaZXf%Sb!k_KaT4-u321XfgBFNp*0mntBXB+zJyBv1fbS-
zag@mF=@!@ZFLQX#pAhrResf~OohLN#6<{6fVx#L%uWKr;YoQpoapX+<HD8yh)n6dK
zi`Hc?Uzb_-K3W#}o)=HJ2N7&oyJ<#JHr<1@lV0NY%wRW&ey-*B%(A2MJ@l?Wp3u)Y
zzh{O$EZ>s=o@n?z(<)>U;^VnOzUK?_J=D)%PukDints|&+Rq$Q`XQVY_cX_RDSub<
z9^_6}2Y5dsW{==Q5i5G#9Q$F*cz$=ncoz6Q^Xy~tJ@hWd?}1WNo|kynJUiCX&&lVt
zp)oI-`=3twu7$=u^e!#G=frs}teLyG=fv?e??DbM)D@vUyJ7X$@|Z{YycXCeTgFWE
zBBpENkC^+Sm={jA8um58kUZ#YI88FD3zR+m_qT8}zx6Q)G8Cv!N;yh3NrjGyY*V5q
zO7TnklN{T~VTja`f>82Z3NjAP4dq*u4^V-fbbsC>_Mu1+aEM?2cG4|pSJDU6|Ezpk
zpP@kP3mKm$PgwUEu@;z8P<4=fQ%ZyD_CS|ME-WBSm>QjkdQ6B;M5+YC`D!j@g>3)!
z$RiVvJaX{qv8VAr^#Q)+o9ukRc)d+32>ViM45mZeS5zHBzBL=(MLA(KXd|l`j5#pp
zz>)(S&gtnp?@ZtM9{T;BLzxe}Kl6bPWZwUQ%w4qLYK-*&##+KBqR|12w*yNdG^KWY
zBCiRm6-jCb;Xe^Th1e#rTL~t{^)C*;-{J829P*XM`Bkse;q^M4UUpFVgw6oVCy=?V
z#I8pMomZ<~&tN}BTTt~m%==j>s(TLHi4MPS#mxlM!x$%>vo_3=9NbCkqo*t9_%f^#
zu^E}o$JjUP%j|*g-f+Wr58pp||J+hhQ$*^I^?mSX(FehdoE&I9YOIoD6|F5ukFy63
zi>K%A$65mxL3AR<&<);TEe`_5RVnt`914o<*u-$Y^X4~yhlX{>9Se8NZAfd<8~&3P
z@D=yj92#*hLF$e@z&jMZ&E2t3{{}~iMxTU#Mr6*E$JtbyygW)0ll>SFj@t!E=#!C?
z<b8ple_;<?^U1N#d}i#E*U;OTYJ|CAt9w7zr2&!Vxvs>3_c4^`<=#mnw{N(8exjf$
zPT;xg>W3b@{`v>ywV42Hmq7?fTTgpN=)b9MfFKNJ>>A>y47d^>Mf@gl(}Ii67od-+
zlpxIopw0#3M3S3+bmMt9@BJC;*f_#J)c?G3;+nDB$FAYO_<O?;*}u--1ztD>yy^n!
zAt{r1Sduk(j)NACmt;&zH^E@(fTO(#@$e#c0a=C(jBWAe5>cByYRdLa`ddCT=JLBd
z{y;v-ufcqR<9b+i8{S<9u0PLl{rLv2gMMJ|!+W!Ze&h?N9*pWu>}~aTvj;#aVDM3c
ze7;Ni8C&Jt)dVsw9s@TdVP>>zQSkyEUJ7|7hUgfvKv*lvn54nq+ky9#%0T#TJPsH*
z`F?s_RYTtt$Aq`Sx&TEVmCh0dLQ?&WLET5rG6pGvxhr0x+GeInFO!DG_hmHQ!BiRk
zw+Ux&Y9!<>B?AT&*veP^ky^&(%GT-!lant0WHeE(viJ7J`wS!fsg053;=3jWjbWb+
z(H{Z$={haGh}oG6T3xyEXll05x2->#D(8~P0gcHUvzKbs@&LIVfPQRS-6T2K&yd~r
zLNrLKIP?rZ$5}-=MH>0;<Q!@zV>CrlwFHL{!evx_fC2b*Yzv`PAsH>iH;9t+k8Cad
zWl_zxnQ@I5yqDqPm3|nWETXd2mQrG~hgrjA|9C#?-<&(+RngfqOB1_|ftkR<yxAA;
z>MP7;3d_TRXrRs1UfVU`Dwh1ABX{h0>)F-mi_S_0cTJM{A8S}%J(HExHW*OW=HjBi
zQEn`<3JIeSjqF6ru2{OW{XHF>j+C>zr@PbFpEA019ePt|!r5)??)3J*Uq7bVwp2ZI
z-8BRGmC=w!8k3~$oBHv+TEKU_C$W0BR8W^eWe88(WW0lZMUC_;7LvGeNJA^idT*Vx
zTz{puO`}ok)DMk(Z$CTg&kWZ;+~e=T|I&*uUCh_civ`OfcY;m=y~SEW9U{FJc@uQf
z4y*)x`c`jbe}Y`r4J?+an(V6z39#u9M<hX*hya9&MGfK=uvygjW&h1j*rWANJo`g-
z^=m3f=`veEMdxqVzsU{LOtpLUMri~3*RP{x=wEOpB$`t_#DHlxdtrP1(bq_SKHecc
zaD16?%?4aM0zV$VDyiC_j8M)tE4(V#R;d!_7`d4W`#fptpakF;N110yT;bX(_+b!c
zRZYS`&y6sRoB?VZx8Z{vv5wkaZ8s9gI8s)7tlu}daPYKp#FsJ$T$8UGo(%N%#k+QF
zhyAo{^!700(6)+mY4N}(Hiu@1`rw@&m+a4tTsK=vOkyrs@QS~eZoyoN$h^JwtUKAh
zp|K0qGpUs+Dh{hDXM!M2T#|H*EhNOl0zqsAI~+%edLmac3lv9LnX0LRuo@7uZDsFV
zc+-Ju^}w4JHoWP;!11RvT6N;GiRr77<>Hb0H`t@Pj^rg{6PG5{+OEpp*UiqpZf}LI
zZJI}Q?b=)g@mBL}kM7Z~j&!k-(RS)S&EtLHfwTHMX-d+A4iesyg_SC|V|=Uv%_p$M
z!BX|#GE?#y_D}T<&lp*|hP7vpO%orKT>ZH;AsO*(P=U&t?6#OVCA1~i1axT9$H3v}
zV<u)fmZfewa>shvKRuIVJ@pro&(t??ypCZ!n;YXnmQ%o=j|Zt_D}h**!C^M_Onrep
z@=S{L7-=Ng`d^4|c}3$vB6MXuFmECxrRrd;RR0V0ldJ!^mrwMO`oc5G`fquknbps$
zw?Y3%zFXvWEO<&n{ERv>qK>@u?`T4M@9Kl<bEV_*eRS#&@2PE<P`Gh7R0<#7Lci*J
z(2g804<j?%UvbjJpz~et6-DK3)?x@9F0m6_kE$&gM1N;buH1IT<m45%t*qQi*IQR+
zu03OD=!|P;X0ADNXz0vqX3G2KlF7M!<<jZ12#-H~aqyx$&phy+i-w0Ude4C~@4RSm
zAiwX;J9gZ#uTa=`!;T$q-j_ckI&<d8@R>7FT!%-`oQcp}DF>8*i54qQqi@>f$+Ls}
z35YbHR;oS{Fa<J`(oY7Ck4qmtzGFoC^}un@WLhH0k*P}PXCq)nb}sTqlVMu{n%GM0
zW(~V(L{e8@dPc(En)kLfFja8j4t{?mfT!q@<MYza`g8JwL((;PPiFNiSeu{VJ;X1I
zH59xqSpsORcp=O1clE1#>sM*&uNL!Eo}*0M>z@=Jdcx0&IB4++E|vU~(r>k0?s`zV
z_V~3*|7Wl?OK})H2pIfAh5@~m@CL&Pv5I;lAByw~>7{4XRe}$}LAhVRf#68l{gr35
z0j50m=<$!RwDR!K@i)=9fTv#pJ}a=G7Lpx^#}wNXQY3ahZsD)|$xA=yK*ghYck@{R
zj}xCJc!+*T8c{wG*V@{*zFp~l@c6aTwUY9VGwRRPpXKjaK%Kqkqz?cl?akAzssAFk
z6@g|T#m&>Lfp80>(o*I4bCT`&FFT~GO2=;*O-abCA*s->I->3aH|=fq+gg}_ggoIm
zMs8w)_m2pVH-3Hto5}Q}#j9`vIdpoHp6%<KO$|gwts4LNll7Qno4zz$zipJg<f_8m
zEmk?W>BjNs(4pET-#_E{*CgBipIr9_j43qgE=DuQ-$xn;Kxg$=(n0Acah{IG+tlEq
z)%x4K8}b9mDTk(S>A)q!{lk}?xy@}|e#cC-_U5VG58ZoYs93%Ep2yCi^<gT{>VLE6
zrAH7!LU>MiNNWpk0`3g}d?Z;_7&T2LuUdrh&|yl-bjp}=U1G$M912+j`l6=I=(GgW
zt`1vgs7*UDf^@{rXw;DmSoB({x5H?(bUU*-lo6S6bUPD$`DIJ}{6sBjBRCJN{u%n|
z_hbExurkT#r5xdLvhz|fD8hOH>m2F)DJc@S9CJy@@gMizyLj)tG0oV-#F(ZwG10+R
z*h>9q{pif~H@)SC8{TpgpZ_)#IDAZc2-w_8t1VTBk!`bYH3r#JFR;Du#;wE~v(K>$
zaBo!4WnTOytq)U;qmTO<ebBz3{b<qWSoOaCpm8gEioJU;mQ3!0-Y4m(5A-<*ZQwBp
z6{j@U^6xeF3FOc{#&hV>-@Q^ubsP4&UVlKfT^-~17}0hkZ(C4pmD{dG(uX;9H}3N>
z1Ss(P{uOQS=WW48+m+G)@>l;9_eEOT#?baZXd4!7n1LO-g43k$op6SsIEmh^o7G9S
z&wpOLLnrM<+{qC<n^4^>zqcxls_J;JP9MA!b6EXPe7}!>_tAHiz5Zv_X{%U4{jNd!
zex@{mdeh%VAF;-m-Y6}yyQ#jHzSL;D3Gcc^ysOdnDruN~O!_|V%QV{VmXhp^(r?jL
zZM1y?^Zpm<MYIhz+P)_(uo>XKUSDXmJ+kU$<e{wBuP`7chvU~*i|i`iwnN+pIhXi5
zH~T%X#sPUIhckH&(&K)}p;yD}_U)>t6&zk74f~R+y`iNap@tEma!&&D!=S{+;B|$3
z)%+9EzTvghb`w7R1OH^kr!IVYRP_(w1<B@q6RuRV%M0b+2nY{&PN@8r@M)fZ3gho9
z_<Iu9J-Fs^J%H;0+~1GS=i)PQnit_p7TzmxB@5wea3xK_A=0n4=&4$L$6MQ5<BMB$
zS^qEXt^K#W_acMUYUr_AGW=?@cFNyJ>1woDd*tgL(JsFCSgriK(PlA;zgxx(Hk-j{
zHFp@TR-?ggO^NSkAn?{|HJdCKTTN#CGg&XO($#FX*1rpXZM0Y{>>7*7Vm9Mf{agz*
zn9LUTX?lvDuAkSq?+`jcm3Nc1{_OgG#gpKS*y`oj8w1!I>+MV3gfSA>ehRTMyl?1j
z(&!!4`{<e1N^t8_6PBK6lj2g6@{H;B+}owcURAx8p1Buw5(8@T-|wb+dAuez-Ka+A
z&Z+G&Df<QEGq~@|7|%OSJsx_*kbK*aG@7`N;xJdgg7Lih)Z?LNOp&+eq{oui@@Ia8
z@$Bd0q1;`R2Zu~)IKcFQ)b=@P@EPM5unXAgIfy^Fljs#>LitpXBdj=l7?ewTpsR+v
zDM1k7%$XYQM0)s?-Fd~fD?(Rku99}W^{xKPVP0da7fHudx2R`N(jSN2sr$R-{2k|q
zFVS2gJ$L!#u6_Hczh!9xwPU{x-7jUj<Tf>#>)_+Fkn#&#inbbev%%GXHZtf^2!l|9
zab=KDf~n{GqJEFbVVA0`+Zl1uH?v*-CQU&9l@6&r#juTk(s&ACqEc*iv-AbkC)FEZ
ztUGZWd|s45@5FIXfRU0sXpJ(Cba9LBc)(+}xYPsc{tW*dZ^K9F3-&&H(61Ss#C1|L
zG(qovy|i0(J?OHCRiQXsj#<zfT#x9F-AL2UR$nLmNOgl6+Od=4EMI&)a0Ba-e#G;-
z<J^$@#aYSqeM%qrp5${rTN+lq7qs7|qFl%8VBd-PQEIFnz}f^@BM1S29+QYkiVsCB
zQb~>6NKOFRs4hvC=%6(0O7*+jED^8S?2TC3+{l+g^E*o#QN2%k?iIfWd=h_8$)HXS
zMa^uQwWF3qZ@|{hrX^E!NE&gasvcX+Z8EuIHcyq_Lhrdm`kd;BdVzfEPM8m0LvrTe
znNpkc;j%xb6Do(T>Y^@}O67D#H56ph=WL;zt1VP0gxaXM5%2$e^naUr20Y^_`zJR=
z4zCjF7631r#{g{p^DLaSc`WU0Ug`-ANT0Ju^1Y#w!QnIa=H=XYpal!6ew?Yoo<a%(
z;)P5tCkeN1_<Yg=j2SR=I7!dJR=*^DMK!3d;JK61G)kM%+KDp|aN<Y$O4A}D0e*|B
zBj6cCeP$tPkv5t(Ul%qZopV$puJxQMwT$e5-R-v9-0qLz$A-_+qQ_?QwEkeI$j5O|
z`l{-7b%wvEp-Gc>JzptWrC0jW^Z3j9`W~hF&iE{S74H@w<tvBJ6TrbO(qEy=KXL6E
zbdcUkNe$JUJExEv67l`*PXDrYX2If%OCxdQT}i=HHirOm2NI>R)hAHTdb9fAN&0Qj
z!&CIzK1o_v>G7!EYKf`yQX-0eq4t$lk4Q<?CE&r7xHJldCCNeuN$Nz5XmtoE4G)*-
zM_J(HKq@&fkc7At@VEm3w<jRh-~*uJXQ(gxzwSR-ttRQm>hoFcUaxelkVqB^$wVRS
zcDda2Bl^D!=gybFFOolXtEK@5nGfMij#6gFa4EZUNE)ymb>E90%=taiXI0-&U&NoG
zT<@GB$@MH7&?G9X1|m{CJ{@;8sLakiZQ%S@<41b-cK_RK_@Ob-**Au>4}7_Z?{86l
z%De$7K*20>g(szuqf@qoJ`?=Z3tb_N(Xr=$EBd-fdJ5;>rjzu=M<zk<cJjVb{KN~N
zFFkd+>$KBcm!q$rNMXn&e?38Fg6L&ry_#WWkiyRn-U)aN0)_`<81@l7_{ku)26^;I
z0E12po5S?%vxat_fA;VWY2aS>Q5$~HM-ebRSBB|H_Zqpj(Ox@Qhv%F>aN4W!BYpO5
z{@ZQ%5pX>l<9e_3ub}6YEs{n>$76HT@-4*AWW=b!aAT0p$N3N$ipK||t*3@Gz>kR5
zLxZo|CDN0i;~PN78(7dv9gHvkGSb~1-~>F>LeixtISp4RI)BGkp`OS}zk$w}u#@C<
z+EwZxIc8F14TT~?&n=arDYM5VskKIzLn_aN#;krr(7~)$J0&w^s}BOlrlmh&|5HD0
z(4KJFm1ppPwgS$|4&=l4Sr%rr%YLUcrs=k$@=aDMX;N03&<C%6TPmtb(yt-8i?NUm
zkYK1}?Z#Lz6tAgYt=1V`PE#=|75(lsvsfMWnGh14;H;PF8_xC$AJ?Z>^{7qsMc^yx
zn43CX2TBi<U3Gi$(o2gk&gbSahmYajjg5P`774NvGy+ul6HeG0FD(`?{p9>->E2I+
zzuk_rM%%PeH1l;lhTTM}1SGk`gLuW=(&*_qKAyj@hg7#nhh;c11>P}AK%<aa*0$27
z8}I0L#H;L~ME6XO%iuLfo!*QOS{l6jGxe8HGw><Qh%}&36`_^nyru@-q9e}$hmBW(
zDpf~DM@Qm;K)ha;D%orW+@jkZ#6#%ouGNg{0H1S1k1pewo@^~N587OU&H!lK6n)^y
zx#HY+a~E8o^r1%|cLByWj7Nc+vYll3;n4$l>dALpZ~>y!@Lqc6i&$y$&4A{G&p~-c
z_)*iI=CD^@i|6tGC+D$Tv<7#rZblyzt3qqr^o`JCu?{@>$y^Tj@RijPYL9(Df^4o*
zz4Qx?BbTgJRYz9uL|X}Mzv692RyC?iR-Zu|#EO@`&tY@-s#mpyF%q0ft0*G$NK7F1
zo@!Sq3M_s`>UOr(vf+?<qP+dbajnB@wWy<Qp<p^iaDGUtsrF0%E%$|^4Y)0Qq$%?j
z&*mkPp<&a}W{IJfExbRerbj)3ls2Jp*w7{V;^V@sDNibmOJs>X>9{DO3VVh|7EGlp
zo=}vJ&2F{p_D;3=eHh&Tet(}?Ey7<@jT4&ov6w4Xl5<F8VZ!`GZX9Q{ob4U*huvno
z*>1>wBb7{yTbxyo!_l4S?BQ$hnboxFV)R9xHI)2B&?nv(=O{&IoK|__)oz=sYs4S+
zn!7CR4ny|YbjlVD^tC$&(IqrHohIJre?V^(g5GGYU4?|bkZwp<|MSyN<2JzM%~=1}
zu6`U4R_s&cKZKc71VLE5HT(M?pK-=J-w8ZBXEmU@bM@=M9~i)2`U%IWvsYcJ_pUyM
zwhY>SB)3`7_9?WDqwNR0ZFx1QdH@&#y%pM?=WVZF-Kn~M^_^&g%<@uQ+^70y)dR?!
z&+n_hfsgSS(1OVZEl~CVS%DR6np&<{Qt2l`UL`sJdQh)(A`s#PfzQ>~GFM<3dZ)S4
zUZOq!+U%{_=ihPQz&mi3zIn9=_kIfS6BVeq2A@+PkPA>D<vCOt3BC6BpTG6i7e4f%
z_zF72dv>kbRrjwxh+RL&X$7pcxL<hVsz7Gw6eUa+ULT5Ivl@RPe_ir#rp#J&2gMY-
zkV{lAQbfVVO-GfU*9L7QTC?4s&$?o5Qd`WG&FA|Z4oBYMbhv)HH0$#FU9(HNk$5tS
z`1fRdM2zpKlv1t0cH9YzK1M^lQj@OB4RQ?xFg%=90<#2O35tSJpw#$ZO5sb8{~ss;
zKV<nH=MvYwDsncy$2nYn1e&x5>qvQyoAi+H8l-eWz;46NoQ_AvC3Bait)soe@=QLH
z?e=uSG9VQ+INj<)QWWvF-$XC8Uq~BGXDH+G6iTL@`Znh|&tH4(^XE7ZJb&@U&r8uH
z>9&(Y6*@9i>eVZxjjFe+H)4H-zc8%|C1nzx^u#0)vqb(r<QCY0E2$xfX>9dKYn6!f
zp>2i7<O~r<QFwx~MM$4>zAE@bmxY=wF6Bz^zX)>CE$T00?DYP!vJOq&hlolu3x~pR
z(O^h4<AZ4t$A~i)#7FQl=g9-e?5|vUP#%=@RbCL||6}hv;Oi)^y?1tJch%)0_a=8^
zuzYoOC0lj^R=e2P*v7K4G4<M#ZDCn5DlR|>y%S0Z2?R(e2`!WmS_r*E2p!^33>aJh
zVT`~6o3h{koSD75vLzQDdEd+TzI%Uj=IoR+XU?4Iv$Npq%$38I)%p)g9@RLP_gf3^
zz9;2jh2%klaOw|sk_W^QT6J{7@)$Lyw7iLKPVCyd_scL{ftx>lHtWgUUfsL*3Y(qF
zV<^g1mBsyFkM`_#PMencIxUN1@@Jj9Q(4puX}rKM1K$pph01%fEP^^g<9+odA`$?7
z=3qxbbjK-_&X^f7yuL6`m&g5@DeI8F%Z7dD7lCg>FZ^;)dO`P7WuP3?+JIVhrX?}b
z&(2h#7uD5}Y8<D_;K)g(`%Ll6q0*Os?vq*1;%#MBAV_~P>c!>O2=uzNQa=vmFp$n^
zLH+}gCcV){Lvnf}gWijw?=sN2IJ$t4-jAU-8R>0yyxdG@w)9ywI?hFlW?=;lYs%&3
z=n;K~4eSq1u||jR>>W$+xsiq0-Lrf3lG;ArFGb%D*X;qiZjD49eECt;p`|=}i)~jj
z9Es(%aB&`^Ihi2Rhx=7~nxE*kW5-_W<J`8Wx_zEbzr!^~s?R@!5x-s+h>Ss+r=VJ2
zl9zW$Qk9Zz++_4%bahrC<lx`HK<65{Nx@W>dO?S$#nc1QNk=MK3elHJk|)VSM|M_r
z3yzV;3_Pm*sN5aO%9=c7O8+B{c+VG%ZwK}5G0hj>2S|NTaC4Gc_oXXfcbsc?z#!Be
z^Z4xWTN7dB8n$q7m8=@P@Vp&s;DN{Vn>w}MF(>*G^KH^06YHlFj8Ckt;4vMtqs!^2
zm!XlUYK{Dns8qcIuc1>TTr;4mylTK=Sv@zu+MF=th$Dtf?zL(Ny@g<UKgT-EyVfeE
zNneT!ufp=m0u7V>IXbO<P&K1Zo}k;|1gL5sJ><yAM-Dkso-i;m)cjlD`Sbf$*ttid
z!!^BB@O);7=X9Q-?waS3Xt;cy6GM-SXrB8HT0V?<9s{0F(L8sk$vg5))rwYM(?fhy
zB0k@T4V>@u-DluD?CU65zijn_TzcWePDlJIQ4m>bedxB~KqP8=U9aHzSy_>ayC#Oa
z6A$Rpcd*WqJJjxm9WiqsbJ)<F{@rPjO_#}w*11T#M@PLdhG9r>$1>S1BaWZj=Jf7;
z2aiad_|x&atg?pM*<EtFnxnzRh@pyyl_<A!tfAmx5VyEH>lj#oSbK5a)w|-fU{7zn
z^@97LkPh-7Xs4Ff7t2|4@X($^2K39y&XW6vaENH$ydf1+M@DfzGpDB<QNT9jQ;+h$
z*t&&zE8i2H{jV|V%k4sQ*gn074CtHPt*bRAghPsR=k_hF96=pH@1FL^!Y<vq^yY8P
zm>%zOSd-9M_d)MPGbuHiquxn1CaR~R;-j03)o8B$W`{j;UhEj&@rYR2{YLcZgRi+^
zv6gl`ZWwUlsCRe)D`(_DT&O)VNAG%&9;y9^yO4GdydSUYb})iaT@H1ZG>oFxhG`T*
zyDeDPMBBwo_&XFMjxJoPwkgIs5nO5RjHPV~Yf{s&Wea#=Yj{DyaDS@;Y42^m)yQdw
zd{@Wj?bk`Zj~jL3Isc`6Q=TdB;e6AGiH<eXf{@<M8?n#Q!eU;_YoG4{%Z7c?dA?_&
zoQLy?`hNOUD1F|N%A1m<>PyWixzQDSbcc;v^iM8DX)cocUHwve^c%X5`_poK+b^YK
zk=#5?wIxw=)To>RIT;Ndh{x9n=p5d4NscPRXLS33p&c2ekJQjr{QWy+)E8H;v~GO|
z4^Nr6f0sT(?48Ay8)|8~_v@a%qw1L6a_k9SWDUW5Y#%;<mx|_yMtbztGrb8-Gtt4Y
z=`PC=z)5~|XVGBz?*sPqMxoD7$4$@h*wAj~SeZ9=Y@Qrzb{iVIQw|;Ow?Sh=xH+-=
zpb_0u`s}-JpOo$+26ex11T{uIdPrsKI$m!+f%fQj=6NjDGt88!KJ$R;$KZEp!O-qj
zo}GuEoo96)T5wmW`Dxb_J<)aGh#o2ZMvsQVj2PJULfsbGBe+e%#bc^}nSlOt7~0Q1
ztfQT^?WCi$vQ8sY-8ONTPp42rRb;`SqsxyTbc{3yjTzL%8sUr@J$jTg!s;?;j5(oq
zWo7UEr)2jX)HSUqzTB49bx>bgOESHcXv5Ee%&3n`zM~V&G<WXfs0}BEsI#R}DsKep
zF$ks>0YBpC!ADF!V(^jDEG@P3?9uz}HyT!{YNactj31HGYw+M+DI>-+AG}9xO+_0?
zJ$>-rI=um-+GpJ+WAr^F_pA|Hup|EH$c6cj@+LQp6KG%j8IGUa*$cO^q_jH{>NaTg
z$gLv7nmA%{<gY}C_9Vv|$KyOj7FO@5t={qLue@VK(=1Xfk^>#`;Xy}esecd-D7xdi
z4ei%8K2c8Tn^UmwL1ku%%<7rjbDz;z@*kPg)6T<e7wH{^^lC%tCGU6FWw29v)M0g{
zK~B5$&|a1V=`~K8I%3E4#$z&v^cu0pZ~@M`Wujg5>j>!;wS`nq=pq(sVurk=bdKI0
zAAlr>qfX=cD!nbjE3_TX<N6Jofa`RJ=l1S)N2va`tIJV$$e@7(%#mhxR(h6wV*9F$
z@Bg6B8jJ5V?4}H;0Vjru@njja+p(opsa0t?{ieu?@vi-bHjF-~)GQfc_skh73(V2`
zpfIvBs1R8HD9y%DnjMxyIL%}^v`-TS5lZuh0}dLwW12mwAUI9GEPCm(ps#OHvp)zX
z7pC*sG>X4N>Gxu0bnoR{&`AlDrF84f1K<hfi#tgF^1(I=B^!k^VBnx3bZ!!hmY-lf
za0L1(yq{<c6GgNZYYfCYCf|nKM+%w~81TP`XN`m}hoKoH!E8J!+yoUm8BRY7bkEed
z427}rZQnm>cLy!g290CS#P~+zDfo8T;Tp%6C`7Zy({VTODH_id7l|u0o@Mm4Mk^eN
zXISML$8C1jOpW6RvNd1hSRJ?M22A{fG*Yogj)fjc{os4nYK`ODLh>+;Lto`eja$Yv
zd4|UEep@n(Z8XW3wYy`CwktI58jslZ8c#7|&RC778oeDlpGN7X8&T&3jb~c9&aE2H
zGGeL!P&k<Forc9I3NM6_lh#M$rqMHPjK(eCWg3@8x3t5`>X)x>s9C(EDK{F)kL*V<
z$}pB&QdPg8I=6ClV^j6A#@s1&3+o$}*Eb}Zs;hEGEoo|6K4I+Gl`B`~B`8?l!un-n
z_t`IZWlhtP+*#F))eS2UEM8yNlsi4KtUC9#%KGMph1IX;DLc0^QP-F|v!Q-g_2TB*
zL_;($5{*nODKDKdQ3W7>c#qNk@S0ItacFfzV@-Wst_nS~l8{Jb;*$ENh4pnSa`W>d
zdE<*FE=w$}u5VhDS6j0nnpc=tR1k|4bx2gRQq!25$Zcv!R8=oaG%U@nU$m=?*VN@U
zEve3(Q&&S`sBD5X5WTKyY<)v+J$xE+7uGk|H8s>!H|BLNznO{V+T8NI+{p;qp(LAD
zFRz}x1e~!1E9)0EtxPmj=fa`3W?^+*BhqfJt3qnTOy!hmxigkm*QvnMRDk_*eQD+A
z<>%!xF&&r4BvvG9Y7+};t5u05a^oe3<R+RX<Z5;r7dF%^Z)(hItf|ebZ&*BbMtqtk
zvJ*#DHI2ycf@Ts33MWyQ`&vn5?v%>cb4yDqr&R8jJ9o<L$us86&YfE_YgWnh*;6Vi
zb7#!TEt@gDe9G)8Gp6Gyo?9~gu-vIrrkC%RTMZ3D#;R8>Z>Vl;%!OQQmMyQXsjkY)
zt*ox@Jj1z*5R}BxxV(B{&7zuxxwVP9#m$Mu)%)cxuWndY(@46*g#{rlt3lE6^Wypy
z)eUtub&GRXLq&6&8>>kLnsyR?UgwgjtW7j7LGF*QZm6$>CUJGDEvan+VJJv$B0v{c
zRyWivLf9$z#7;e$#nnawF3wwQEHRo4dd)3@t2ZMUeE4`Ygva1oVpJjC0;3vuC1N)s
zUNtre8}U5FsKdoT^`N+%VS@dt;4_NpH^F@ZI{vXZUQPczBax(*$1#_|Zy!!^CAexr
ztXyLj=r_VN7%KpYS{&5tnBVE3unexbxxK+nz0r(N3ytdBKA;_XMx087tYa=`B1}C~
zU5xOxaBo1q^N?%G{Y2!j90##y01H#_<Ez+Xc8ITH%|N^g<51?c5&RREB*%dEOwjaQ
zBAnV1glgiv*CBtokUoXZ!*I9=94rHOOF@sqEP`t-s4ifNg?K8$<S2&FMSH<%I8V8t
zM&*`(X@V4}G^i{|B1_>`k2HU1iPv!6sRT(==HQ9SQ<YyOFr^zR^*W?G7O6FGnko+A
zq)W|+Nxan{ZX@#iL-cPZQlpa2Makv?PS#XO=l4t}o1p2-!NF|gN69SEL6Ybq&{@fH
zqui<xR94VM@K4%HdP{jB2~*yD$yB1&OvCdGrce43P@dL~0@cYKb&IrxOm2v?_UZcE
zB%oah&?9|c07!fWb&ND14%r?8n@VN^?Do=WL|&*Amcy6If%Ll;HkI09l->-)pSA-h
zK~6f8Q5C3A3qq6^Kt8^PsG37HmTES=(od~RCF*r9>KHxaiQ9>}z-FUFXF$hh!*?!x
zXW?Ih*EMFtuY%*wfJ-h~ycuvU=NMBMC%VKrY58>HFxXS!OJPXb)!-`7#%f~~a^C>g
zM*OLEP&wA1zAT3%NI$DM|CPW<x_e*3xzHm;)sNfATCot+7r`t9RVu$aNW2;LVx&WS
zl4dr550a(d?gTZ9;t-dV7b;uTE|LFYq(*IO11M5`T@1I?aHCd~w3YPMZv}{>-D!T_
z57L=R&Ql}es#<b9b5xIVQ*BbvJJq6;YT>FlRxJqWYe%k&5ud`5<P_a0G?=Eha`5x+
zMkCt6&%F$e7Eb&P$J}5fx~+Zi#=^c3@)#8DSTwcyh)0cXAsXFrXrzl#RVLy^pr1lz
zDxgRQLKUYN2SJUd;iiS@P_CJ%RI|X$Y$)iVP|tZ#v-!Bs{s`kp<5uHY<7wkIV}ZaY
zb`4yMENtQ6KA04dD$+!{$Pk%=Zes2tx*8XWZlXJ02k!wj`%d&UJkd+^7JWot(a-oh
zviOYXZ#;(=#s`W)B3BF+L+~Q$Ffm+=5F^DXv5y!n_Qlt3_7h`7o*0W;)AL0XFV4n9
zq4A>eyzvjrtX>e~jO}8)C>9gMMDY{chrGWyKui)PqEwXO{Cfp13pmhNhZE#e#6e=J
zm?jQ37K!O%hL|Z1F<v!ZGF~=r$JZBTiAubsH%A;Q=8AdZFfm^oE{+gK8W$UPh@-^O
z;uw(-3&cWEC91_Du~;k-HR4#YRMd)P#)qO#)QjcfIME;)MU!Y2E5u5%%6P+g&3Ij`
z#+^dPixb3&;%DL{@pEyqI0aw8IZd1{&Jbscv&7lr96=v3K3`lQejzRt7a5<3i;cgD
zOT;h5rQ%okYS0GpYw;U#x$%+lsklP?R$Pf&n`+S6Ei-DxRpM%+PW(>%UR)!t71xRD
z#UI2U@$&YK;wEvkxCQU{{T_D?-6n1qcc7AdFaC@JKX;11h`R(XIK>T~XdE#AY!vs3
z`@~<x{o-%p0r8-CNIWba!8?bKiO0ngxE*PmcuG7io)OQA=fvN|^SJxu1$;$`n!Xj{
zC1a&{S-c`%6|afc#T(+E#y`ax@h|bFcuTx3-VtlXyW&0ZzE~$dFg_3;iuGcH*eEuM
zkBn8~WATY-5ub|9#__1cCm267P86SsE#h<0D!ve3imjqed?mgX+r)O`8spF68}Y69
zPJAysyksp*)3i)!+PG!HHB-z~GtF3UrsE3lOf$<k$ILdnm|e|oW_L5k?1B07Nyf=$
zPvaD`m)YCwWA-)snf=WHCO*4u=9+`eA?8qXm^s`Wfr<Pm>}riR_cix3#~3YUo^ii9
z){L0>X4EV&HkvWB&@3`OHa45%%<*QiIl-K0{>1z#F4;K1oP-+&N^wI$xmjVx%>&KJ
zxRv4{bE-MbJlLF$n*wH<hnTa>N^`b3$2`=WYtAzdGv}L!n@5;Onn#&Oo5z?5bAh?g
ztTL<3Mdo6>XIo<)Yc4fw&1GhtS#K^kk24$0MzhImHdmM{%~iN%<9PD~^F;G!=1Jzy
z@qY3t=Begs=IQ1c=9%VM=Go>s=DFs1=K1CY<}b_(aYM(&<|XDY%}dQ+nU|TrHh*JY
zZeC&j7B_WVWnOLm&iuW3jd`tkoq4_a2lJ2S4d#vJP3Fz!E#{xhTg}_d+s!-7KjRJ3
zznFKKcboT^_u}o*znb^sozVx(2hE4fhs{UKN6p8~$IU0qC(WnKr_E=~XU*r#znjmS
z|1e)LUo>AbUp8McUo~ID8`E!?|1{U&gF$baZ<%kK@0e@Ncg^?A_sw<Y2j++7dUJ!h
z(cFX=!av4I^iRwd+>N){{LI{fd(c|VFK~O^R<q6g3b)T~Gq;=H;KsY}%<oOlGAv=4
zmSsuH#*HPem13n@X;!+GVP#rbR<_l}>S}efx?4F`538ru%j#|QvHDv5tp3&jYoImA
z%C!btL#(0JFuZ#`!WwCfvi7k?Tl-r3S!1w%IM#|-`Bu~_uwquBRb-9BOG?Go1Z$%8
z6YHne{?-B3B&)<KwaTn=tHO#~2U?S@Db_*ORBM`bur=M9Va>D-v1VD7)@*Bzb*MGh
znr9tm&9@G>j<Aljj<Sxnj<FKf0&AgFWmQ{?ti{$6tHwIkT58o=%d9%9-db)QXEj)j
zR+H6it*};FtE|=5@zx2}iPq1oldPXxCtIgjr&_03r(0)OXIf`jXItl3=UV4k=UW$8
zzpyT}F0wARF0p=TU26Txy3G2u^&9JQ>k8|))|J*(*45VUtlwMLSl3$DS=U>Cu>NS>
zVBKilWZi7tV*Saw)w<2P-MYj2vvsHS7wazTZtEWFUh6*Vuh#w6->e6$2d#&!hpk7f
zN3F-K$E_!<C#|Qfr>$qKXRYU~zgy2+|FB-LUbJ4aUbbGbUbSAcUbo(`{%NhT{$;&s
zy=A>^y<@Gl-nHJd-nZ6SA6Oq+>#YseMr)Jxk@d0liPd6#YHhYYv$j~DTdmd?)|b{+
ztIhh#`r6uNZMVL$zO}xyzPE5BR|;uLOG;@=N4hdarph##E;D4N%)*`C_(q8ACcDcV
z*+ce}y<~6MNA{KdWPdq84wQprt{g0f$f0tW94<%5k#dyWM~=qs?tXHN#FmSUNL+y>
z3uH_d$|5;Vj+e!9f}ALSB7Z9JvbUThOJu1mljX8P#^r%>vYa9hl2he0d9a)=XULiI
z5IIX$%Gq*`JXFq=^W<T2zC2tWA&-<t$)n{lG9eepg|bRk%SCdrTq0}av2v-bmCIxu
zZX{nWkCP3uQ8vkDxk9d#tK@2VygWgkD1RnTl0TOx%Twg3@-%t6JVTx-&yr`$bL6@5
zJbAvnK>k8rC@+#1%S+@h<)!jh@-q2r`5Sq;yh8p~UMa7VSIghY-^**{wemW7z5Ijx
zqr5@hC~uNC%Uk51<gM~HdAqzr{#o8B|03^_cguU^y%Nj%I1iJ96~~^~h3JianZ7uI
z*I)is-Y@?qACM2qhvdWZ5&5WmOg=83kWb2|<kRvQ`K)|S{#`yV{~=$HFUptX%kmZZ
zs(ekpF5i&<lxyU_<eTy>`L=vVu9fe~_vHI>o%}$4h@C3>9{oV$7VJh}hnrlk#mP3?
zxW~BHxXZZPc*1znc*uCzxXHNL=pxq}cN%|@8{|g0Nq&U)qR%o)<;U_9tP5rs`x}#t
zqp&vG4R1~#V9+V+Q;o;4vU;{`k)O)V@-w+belA<(7xGKFRkq2m<kxbW+%CT{&XeEb
z{pj=Mck+9Q+cs^S_pya-+LkSC+jeZ%PO($%G&>#Nn#i=X>}<P>-PP`9ceiuw9(GT=
zm)+a$WB0ZD+5PPS_CR}(oof%ahuA~yVfJu)ggw$8W$$B;w)e&N7sg=!XRIBu^X;fz
zV8`r2yT~4AkGG5M3HC($C-zV6{p|znNp^`{YM0sNc7+|c540!SQ|yE6srEGcV0*ef
z!=7m$V$ZTG?b-Gm`%rtXJ<mSOo^Ky+A7LM9A7vkHA7dx%1@=O_%C5E-*^BKZc8z_k
zz0|I?m)Ui8y}jH%&Tg<9?Iyd~USY4aSJ|uW<Lwjd6YZbbC)q!@Pqt67Pqk08Pq)vo
z&$Q37&$iF8&$Z99&$lnIe_>x}Uu0iwUt<5#zSRDeeVP4h`#1LG_7(PT?JMo8?5pkH
z*}u21v9GnSv#+=RVE@s+!M@SH$-ddX#r~6ht9_e&yM2fKXZue3FZNyb-S$29z4m?f
zU+w$tzu6Di584me58IE}kJ^vfkK0e!Pufq}PutJf&)Uz~f485v|6#vizi7W?zihu^
zziPi`ziz)_|I=P$|I2>Ue#?H_e#c&GziYo|zi+RzKd?Wv*V`NHjrJz{Bl~0f6T8L!
z)ZT1=W^b`Sw_EKm>@V%DcANc`{k6T#-fn+me`|kde{Xw^;RwfcEJr%F<2bI9;-orh
zPP&ufWI9<+w$sJw>U49uJ2_4dr>E1)>FxA!`a1ob{>}hrpfkwHbp|^_oT1JzXSg%M
z8R?92_Hjl#`#SqMW1Ku^tP^qa@%7CDC*~A7Mb0>9yi<%*=M$ZuI6rmvcMfnSIVDc1
zQ|6RA6}TbcKxeWu#W~2C>P&MEcBVTsoSDuc&Mc?WneEJR4t3@_^PIz+`Oe|a5zdj$
zQO?oMF;2o+;4E~ioN8y0v)EbU)HugFOPyM0nN#P~JIkHpoCc@SX>yvK70ya$m9yG8
z-Z{ZJ(fOHklJj%tWakv;ROdA3bmt7`Oy?};Z08*3T<1LJeCGn^7tV#wMb5>}CC)FM
zOPyaimpQ+7e&by3T;crIxzf4Hx!SnO`JHjK^LytS=UV4F=X&Q4&L5o{oEx2+oSU6n
zoIg3YI=4BuJ9jvLcJ6fkf}5c3cJ6WRb?$Ti>fG=A&3V9i(0Ryt*m=Zx)OpN#+<C%z
z(s{~x+Ihx#)_KnPyYsyB59bBvMdu~wW#<*=Rp&M5b>|J|pUxWRU(TD(Th80gJI-3?
zUFSXLeP<o+Pk0b}EoT^)IUhJ58mBw!oej=LXOr`h^Re@Z)8c&UY<50#wm6?Vt<D$D
zm&OCmR;LXo=btjR8ebZ1&R5RY&NgSe^NsVZ^PTg(<GF?_Toa$ll&<YM*dzVS*kau0
zx|pI4G6ox$8ox4riK*a)m=NAzTyI?Brr?(4D~&(6scss+q;Z9t?q;}|ZWcbb*#-Bv
zbaT7AIc^WPCk~JIcKf(}-F|L=cYr(49pvU3e{~1DL)@Y6Fn72+!X1fo;$_AK#v0>&
zcOQ4OyRW++-YWPPZisl(c*}Ulc-MH_SZloJ=DB0th@0<5-2yk}7P>|5ICs2T>`rhe
zx<7G$>hA9z;7)Q&+)}s9Eq5#2xO<>G*`4AZ<W6;`xd*$`-5Kso_YilMTj|br=eUQu
zbKQCFVeWkQaQ6uJNcSlBX!jU5;Vy6&x>atqyU1PaE^%wzW8I~0t-H*vbL-vZ?s0B|
z+vqmA&F%_!rMt>q?H=!*;GXFI%st8dxqGsEihHVintQr?hI^)amV35)j(e_qo_oG~
zf%^;hLiZx~V)qjFm+qzRuiVSrU%S6?FL$qSf9qc9Ugcix{?7fqdyRXod!6x!@u*v}
zEU~bmzRoFG&``ai+HJ0@iR71+lbv5t647>4+c9kyX?wi3OSE04?Fwa=>iDHPeyNUM
zTI810FRrhvUP|F2`EiaH$*<sWk!Y+y#g7!Fmo2PmSlGO5QEm0Aw6d!Dro=+*T{Jo6
z3lm^khtjD=D&X8upJ;L_ly8O3S_Nk<ts)s+bEmm4)!dhAI;EQXGR=LN=DtjGUsmK+
z1l;FW<g+x8i&*-BA#M+BmmIdlqRxRKuA`B3%6lX>E>aNT{6_MN3(_YC6cm?Hoocj1
zPF|2`aHcfX)K*oyQ&iq449Y96!j|bAm6f<t0uGUMS^7ck>EfPtU4{iZcLgzLT4Et~
zV4P`5E)l9!PD4Hv`D7HGOo0|$ffiUy3oI6OrZXwUU3|PVJw!5AsHnws#$uY0*m!q_
z%2eizCCzn<6AjJFY7@<zb|k+%UuRJlQkhP(T&G#Cvr(?8mTRiz%xfe+ro$IT?HNnz
z8?@?_>l~D8s^vOVg{G<%5;eh@rGzspnUnmALQT6+r&Xw_6>4gQ6;36`O0V2e`h}cO
zB$}^9S)>yz(%C4kaAqe{isUP21lK7P=@g0-nf#(6XO7Z~Ia=rEu+H0a8n7#sIi~}8
zYLzSJ(tv!&slqBR)^@3qcZHT`MUgv4sgyk@kY9ynze4j>q4}!Na*Riuxr-YTE2^Ej
zN)U4cL8Q*Ds;S2QTuq~M7>7weEbvr`kN3%FCgNJq(5U%LFKvFiN|s+y?8}d1MDoXT
z%|P)pgV5)wo6r(Ugd04aP>I&E65RlmXk9H~=|BxwI<U2LO8kaWSHMyozf{LB)$vQm
zxruOvjB`9Rc)AqE>*9}$OJ5iWA#GtYcTQDO8}ch6I@L(rsaDR|cIHOBTD5f5$#_bR
zrJC(h&336KQ0liEe&y0^mua@k#<|r2+i2;ulEe$s7l+tf+%7pZHwDh(5WCTQ)zTGl
zOP9VRh^e@X>ePyL=|)TC5^Cvclt$O6yir)FsTNe3&QV#ZTcbEk)plN$3K=a=Kel~J
zD1BXw1v;Mvg&9j1H&j>GVVk$AW}#E7>Ub?PFKdx4MXNxobuzwAy+F&eK+7?v<rph)
z>X?*@9xrz4lJbBq>U<^}Ld{jIIK3{hydFE@^~;x3yY(vHne`o1UajSRKkc{wej{0~
z^QS6zeub*su$gagp!qE<u<L`$T&{CduC=3FhpN!I@|Crs)M*Iiu5g^wkj!0vMWL2W
zp{7=-sTIbZMvj%<xMQ&tazbd`bkri9U{Qh7l%$MCkaLA#nsSk*T%`Fd*4l};-J6x_
zH0x^7tQx~+ZVa0{kf&}fRHp$g(+#`o9`NipYg$t)kdkf;n*;e(X!a{Ke-)a)3e8_U
z-&v^|!<9-9D+58Ku1q$Dt5svTI`AYd%CAsOS$;)aGZEKn1MNDV>7^att{$Q>)M`-7
zF;MKxSR|^{7}Y@ww2&)RBwEO71>1L5Vu=>2_)*o*!CwhFs{6laA(vMqTCCJ7s#E~s
zRHGYJs(@z}BW%@cMg4MDonIuX${n`m!!Ph6%}0^uqlhaI!f8H=HQgdrY|$c}ZZQ`C
z!ukIGvrfNQ>zz`dNOYW*!#JIvahea@!%mG)be!e`A2d?WnvZch-Elhq<8=Dtw7kdZ
zbjRs*RcjxKj@Rjo*XfMc>5SLujMsF>Yr5k#-SL|4c%85Dn!f5TL09LiSm&qMFCU#w
zv8J!}BC2}5NVG)x=c@rP%5%K6=;%c@%+WOrYw_H~Sd%p+FOf2ZRh1A{z`R7}lt63A
znX6%5B7KUl-Fb;rJ#x)UWK2owE1bD`FN-TIzoKk>5-Xuds=E2%qGdi7gRhl9S_z+*
zgwIQ&9WOYlgK;x>NrZUOV*!fJO+;S8O;97@Q!lGf7<&BtBvz2b3X|BlBvzcnN|RW5
z5=-W<G)b>CNv||XuaxNN5d-p<<R^|0nW3&1j4#%VX9T^lN{#wq^5+)RXCR7XGfC7D
z)f<C&Edr^Ij}RT&q0Y~zQ=p}d;Yu=}1<8CCAfG9<jdXq~FCiC!oLy48d`Uu<RyQT=
z0~5=ZCAhj2K<z4)<1ko#otzIZs{-D$mjIJfFt4+xCYCQxU=FfuK~=&$xY?ZEY|g8}
zl%R%2Hs;J4Yu1u_yRv5SvV=7|(d^Dqq^y}sYOFGtnT<6nnUdl(PQR(XuD&rtr^pW}
zNRbh!lg2U#^A#dPC#GWR1o$CaKlmZjW-O~-tZ3N@&g=r@!(L38wX3RYn-Xrd&g${-
zu*ehV%8=C>%IZ?iYAt6~F<n|_)-{`}YS8O*eys*%wvjX2gv>VU%q~Yp7sBAtt|t~$
zY+Yds)aWQupvD2P3)7f8l_AX$Kcs*cMlfvhMM0RK!3@oZim8+5hiv`ehfHHW*sE)p
z0=wkw5SSf_=lpnt8#mah*Np2~cwCQB;}LG`;IDeqc!V1}Jac0QTMgOc5!JiKOEo<`
z){X0#Ra_4$;(Bfz*CWTco=U~_Xd<4k>E~<uQB5zZ`NN!=`NoKo?Wlf^`p-Ik)Q_+E
zi)#J~G`#{%PftDLdejxylj*n~Q^xg}GhU$S=}C56k2T|JjFKN$V>&E8X!<ctKdztS
z`dQ6@5Ki+O)BMIXeLZ!H>+xG$PwC=%G!xh3xwszB#Z~8>AJ<dBxE}q)RVSPuFY@`&
za*FG8Rp$(U|5@{)M{{vCrG>v=uG(L9hWT;T8N$|dRcDB2Kb+2wo;$|%uqj@q{fo6+
z)L<n)UaaX9Ykt&V0`8hlu`Wk7Sjdm7wW|DhiKe5cgz*whM^6poB|1GlMU0ndIwd+^
z5jB&E<NgiSCpGxUkE_84^qV_l*gPnJ&7C%E9(=%7vxs;^4FltPtu3ynpmD6RG2MKf
zPQIUxrmF@u`SE=HoUhZ#*XiWzbfP+b)Q_+I)gUN89@X)qI=)`7itAZjJgWJKYCf@g
z#(WiMx&=O6?LJP2)9X@kJy(kt=ydV*MHSztqr>Z&VO-CF;(7rnt`~;ldQKGAbD_9i
ztcvS7TU-s|Ab-EU=zQt5$hcmvitAZhTrZ5oD>Of95S<@agJICo`k)4ZaM$$I;2O_5
zKWcD|XPqB4xJJFw&w42;u4iF!wIl_9EpM8OP<yIZkm7ps6d$McPYpiduhUn9YCP-o
z)u0;BIz2V0hMwzZy_6BxOB8W6Xw8r7HQl&g(~YY^Eb5`=OATW2tmQLa(;Kh(#gYi~
zU8cjU!7A#V)(5@n8rQ3?alNt=*OQvK8pI;Jrmt5I;%XL%C1p)NuIcNw?6_XyiO01(
z;#v-B@QZrwhxgqz{SwW;UJ8n<=@<G~P6syY4Qy^lU~~HsDNyAWDHvCgny9O9s;;fB
zNn|FmyoHJ7BnS9&daw&^?j=(hl7FV()h2sSgwooj*Q(=sMJKLTbmDQ{+UU7wTrD_3
zD!NtEbNskoMvd!*&$wPmi0iq3T(5!0^;|Zt7xv<1yru&!C?^hSeFqv-5#SZ^0FQ^l
zl!fr}5RQR%l1_OD$AlnoXPl)KQ>_}l5X;&En@bZmmmX{-&6sM%@La?b4A^>5OV|QU
zOO;?ujTjJCm1HcxM8}~C2$d0Bl5tci$JD3+KB}~1`7C!lb1NT-sn!#==2Nwnc-DNX
z))LRGWw2SxU~8V#C<M=%CpGH8vra$CwH(hn{ise~jXEMR)yu%v>8oA^&pLh8tKeCu
zuX+_ck5f60V8E}Wq{eIT(VVF98J;yKkun{_pPI!YWxll3m<?eycWTTQiRp=cOi#39
zx(>wj#5Jbsd?Z$^ORqRtdcbt)ss0>cbZHeQOAD9|QxZ|Ul|=lK1m^o`%~Ab#B&Pc5
zNKEyou(iMHPw~t(FA`HV19rZmU8W~=<l@uT<MEi<l!(Oi`ch1<FU9osLQJ*wk(e4w
z!Pat8ZB!(t`byZk6jk4dXI+Y_Z^W}M#R4s_f~35F>HO-&pO_ktB91Q40xiFSr2K&S
zaY~gAs4*$xXl+wtQao#ISAA+ErutOaT6U@r#j~!Jst?7p*7lgzb~T2DyXHx++Q;<5
zRZNXp;jhzIn>u*b>Fb58m|l>I=>@HrUeLm~%~U@0f>ul~XvGS(wihO~T`z6L^ioz#
zFJ;B_QdX=`YkOf*+kt6msS$D{rkA;5dYKEitf|!Xa#Bn$BgORcOicA`&}7X`v7T&`
zi%(lGvBio@mDUyOMFxZ^^~02Cjr5l+pwmf>RJ|Kqbcw3bD70E@mg?>CtV=}A#-P(t
zt>sa_29-tq^i-b#?bbB(mQqajj4|Ca#`OAeOpREe<+_wr9~Ftk3wWOZTAtU~z_N_y
z=NCEjMpRzJRaRpv+so^km!)9;IFFI0mGz9IH7&tnKBK9N@FJGRYF6lQjWw%OxJK-B
z*D17`UbIpH@dB3$sMA`WqS9Qh6K(PnWrPwXL?=q9N>pK#D2Jm&Ih;zAQI#kM<U|?c
z#OnPt7@;%>(P<E>(oh(s!Qm(k4yV#!RHeZIISmfTX`n-ONp@sY3b0d^<bb8H;20tD
z6o#l%7)6{gMVkUKX$nOBV?@n$q7`Z`3%fLJQO)A!hUzLT4p9)i8Olvm6yqZGteOtE
zb5j6!?$Dyx7FYhNDZn#Nx8ToJKU$zVUfBM#qF10g-sm{hq{3EoDpbcCtxz2=Y;Fo*
zD}M6T)>bq>8gZI2DJm*aR;in4LgpK*?V7x%hNZG3uW_L)B~V77oInMEIDrEROeQde
zz(EA25|~EdU;@(#%pfq6z##-?5vU|Eo4_0bhZ2}eU><?P2+RjaEm7;7gsFwj#)VlW
zp_NYZP)nVS3o}amp(A3Z>60EzL@gRNE=(!m<xcog0pj2X1q6x(&q#nq12h((MFBcK
zKuJQH0*OeYBqN2E26RgUx}^c#Ql_iVhaj3=;zy=~BAO1J74cCV7fDi&P-Gk$sjjN2
ztxW(=ElWx%bd-cW)KX{T!pz`Y3AwAICBPKF7{w$}Vg&wl#)PnnWKmQk6RBul6zU`j
z0%uf&i$b4FVIqD}WCrI`;I4%g2(~m3Y-zw!sV^I>m<NJI+w4;)3j|xng4IV?k^wLd
zR$=J?3(&0485TUI9+>1WIM9-e5v7Du)v*@sh=L(TvbaG|hg*`ti>aWpLPuPJI02hc
z%BV|cU0|o`Ee67pG7fJtkVjJ8gKY+6$=_!{0f#mk{JdgfkrYuN<T4hrzuDl2#cl)G
z4xOOUQL%&O3lB@<fy@giGpXt{4P(BhQK2FdwI41WtI>22IYcMm1_Lmnqn6fvZVQ4E
zj|C+j<APA9ZZuVtCy`2>?x&tQ-4~SNBUYG9KNg5T7O)cI_%o7PJ|kHIGumtU44-hu
zjIfsL<2*>EOS=<2Ne0W&(`!vH3v?QDLEp7J$YFUP-|~Rl@_^fN#jP(bdj^q7;ln-w
zy`U162MJ=r=_gnbBp5U>Xbg1#?4br>3t8ssTu_ogA#<Tl2_+*H23!{Ur1C2;V)T<O
zB&w<Eun@4U(0L*D@QY9t9EWBU=ZBIsiUQV)h_lSacw-&s8Wz;z6?`q_Vopb$EYgm2
zxX4Fwz9<>ADB!Nh&ojbOPEzM2Rboz3CFZnO33VI^fivcWRYD(6Vj_OSlER0S;MAqv
zIVCu#?3Vk@J2v8dl?6I32v8iLRJSNvenmx~B^4}xeSQf6Quqi{5Hb*AvZN6|5I}`5
z0PMb#lvCBACdQHi2pw&LM@I5=6NOR-oES@n51n?R@P~!P#2FYLN;Sw!JkTXoztu@7
zqCMYNlg!{)6x@|Kiv3c?xd5W(R5UGtl`@+SFz8TpUMh)VXVotOZrgZpj)PQiO{DM+
z8!(qP`CzB;KA#@}TYZG;y*CO*8-B2nD2L{4KXRXfJtx>Hy!i(NttRdN0kaQoCODnp
zyc*!xbmP4-a-K;J4t4}#rSPU8J!4-GR@xl3TShL}9V81Ig#6UVbf^_BC?TcEru0LC
z@1~=MoU%Eqw6oRNyZ})$k%izXn>PZ3XVzG(P9dO1{U#1;LVgJVO{z3js)Ddd?WWbK
zB!#4+V}&YkP3k<YN+rYk>W?IR^#$sW>VWz>1vFXISfxr*zy`5Tj5~Lg3+yB(T?2lj
z0l(3J-)O*ZG~hQH@XH;%rW^3fovd~Z_>BhqMgx8$0l$%e-$)?eNWgC-;5QQR%i~0q
z8kV>)WF(!ysu$3Nb`E%t1iVKASw{lilVe1X2zZYKyhj4wgVq+yUP-Br3%D!}GMB8g
znBE5hE)F=u5|>{t$?-ZS_W|9KP=J7)<QSZmw~`dpz?%h;9Bk4$S26$=w*1tR9W$o=
z0qe=$7_I@6K}U*(t|WzuP=J85II)wFSccnH8qs&*K~2U{hiS?Ri)O5-^J>BhZ=SD`
zP19BQ(`*&~YO)GM%~cVAr>baSs#h(<&O5?nDy*u0CAEL)$2C_s(seGtvwd9qWgXXy
zmHS2<45_6w5EPH-Sb=9SUR%AW2@je4z*iwDDk_-v?czuC1Eellje~xaU}|+8O_3Q}
zrm>9WxUQ$pr_2w2#H<B4fVZ@|Nqc7NN8dYxp0UxOc;W}&OD&%?Vq2b<PZ(i|!bPt#
zkega%P#DXVBCupBoR%%2TDlZP$ro5wh;ck-hgrvSI?A@D9z_d04Oc!bOEBtlw!r5M
zh~jKPz}bQ%XM`!v5KeK1a6V^1ea;Y2bGD#8XA5@VY(a=K#P>Nvd|oxFs;gH^PK*#|
zglL%&s$`}x;*7%)XB<v(#;D?q12SiXg=9vLVVTjhFEhe5XM`%wuqxERrO60!Mu_H&
zP{o<Th%*jHoN+kC8Ka6b4#=Dl7UGN^!<^Bx&l%yGGeR@#8>$vnFRNiP2?wnZO4~t;
zNfvr0vd~hJh00GBT1c|6ghCb;QOKI2EG(qZ6P8lQ!eR<pSWY2py0WmOLQgZ5b%?TN
zDXUUhvz0YRS%)fXuCnGS>o8?up@oPk#dH>^r-jN=itC^qpdgEswOCoGz~qQQ23f}{
zYpJr(Sdb$c9<osB$wE^`)^cSXr>q8LH7X133I%Ca)(T~<R2Et~@>{K}<JsbsxM-PL
zi;e0Xh^SthjjDaVNVFo7Uabf5ppagzN2S0sr~|+ePDPVNkZ?GE35WBLKr!PC7yGCC
zEf^EgZ5ZRa6$9?9MiW;yT~;(V)H8GW#nDVAu?$UmQ=(zDtgUI_U8ZQHq{vy0o8NGL
z3T)u9SXR~7EmjX|jXD}pJ2J4<5?(|dvd1&8C&T6)8bsDhjOt_%+|^QHG`}!SO%fNO
znWTz?i@F-BQc-ajY2?)M)gA!?tA)vYwJ(onwGf%Fb_VdQQp+!lq=FRJpd}gHJ1M*|
zo!TjlXK-cH4>}z#DbV4)5=`h+F7#pOh@ZQt+L^-wrRFEUAeH*7WptOGqJ&+uL_<UU
z%4S}T1%YTPKT{{hAqv$VIL_fJ8indCRCFBD#`SB7#X4r8+6BP5T^$a)0qkF;>1at7
zmhl-5&{KIRQoFJ^$E%*lsomIUkvj8(#aorfh}yTpv)ZqUs*;OD^=?B{y@`cqwGS3m
zyV{YcI>QB9?HokanJhf3-HfO@;{$%wu4q9-y<-KN7qCgQ31@u*rrt|{9rDdj`bK$7
zSb$NbzrKz4w6t46$StPbVj;Ie?N%6aQ+sj+7<sDECS!@^T;CWEk{PF?j|)W~uieIn
z+={hZamcMiyOo68O0`>Q$gNDfm6027?i64c%k>VTiEH0r%e^39iz}bSMG6%u$XDA!
zuzj&XEtO9}(uFGw!m2_mPzUeutO`x9<l~vECu~*ddL<t^!%7BQZJ!nBE%O4sWsd8;
zRf?E`Xzrt0ewc|QWg6A;!;~a&(;Vqd^@6BY8@-8Mpf}MA^!96k-hM66+pPt9>$E^^
zcR;Ikj`TKZf!-!9h-p>AB3&|Vy#-oO<SXHLQpjwjqKs2mKB`*~QO}EYnb1=t6q1!Y
z6cP#^3hApX#fpVuvATxBm4*CRC$t}GX_7C-iLa2K&k6Z4Cn3LLO_TgsM?-!EAwRB8
z+OH^-9^;|(=-E$?@g4m9^vExq9zFZ%F&>IXycLCbLG?`L562{ud1pNE!$uMO6wi$7
zriO7X^L(V53`4jdhH$0L5#1z5BID8;mt)kPN1ake-GbnOo9>9x#dt+Lj@zvS?$4z!
zh2a)jx&X`k8c!#}6vAyPZmkly5$RY!x=PH%TimAszZLg73ET;BH{e@%*ID2l?KVTu
z?NorhMQ_8z%~JaTkBTVpLfk54;>M_QzzR_T_XBZrl)zn4)8Wz}nt&fKjt4wfoC}w0
z#I?Zh7Y_hFBpv~LOgskogm@Y7Rq-0&8nFiO9kCv8qxcxGMYI5J#*Ie;w;bVSUfg1Y
z%Z%t2BS5?=4wr6bH^3gawMgJ*qQQXsn&1;R5alCGp^04MuAu`AiJOMX04vN2zyr+#
z0S`702ApBe0Gwsc0zA|_6!38KaKt^zJPPm_^B7R5GOGX=nTr6Im`ecb%sRm3Chi@^
z9Yc+PE6tUFCz~fD)@k?#rD>jJ9c`Gnqb6Yp+)}d;u+FM8B<`hI4!FWv0k|5s{Yu<C
zb2fa>v(5v&!1@K?CDtW?ms*zsUSZ*uVca+KJHTtL>i}=CZUDRqU&j!*MF#SuyJ7&}
zwcZ6>XRQNVZ$XlDD-2+Z1xeyg7)TPg!F&n0&DsX|t@Ryl^Ti*~qA#4`{+BeszOpYM
z?s5Svmc@XN$~OUV&xav!OGh@~D0>v(EPEE<JbNDCavRd1`z-*kw66rjeHDP$*?$1U
zT@`@1s{-&=`&Pi)ZD<|cR{?mJeHY-v_QQa<p#ty;`w76O?56-<v|ls?-t5l;?Ctgj
z9Ow=N9OVAQu<+JBzK4jn<S)R@Zl*C9u7lu*_xl0yem~$yd>2mO&HjA=_jQpgcZ{0{
zn2+yP3cSl-09c4`nhLznKMt_iMV|3a|3tw3-TeV4xsw1(-3q`;w-ONV=L6QbHGp_K
zAF$3v{@n(*0kFw!0$ky)09@s+0zBSDeZX7#Cjy@2o&<QZdotjuF64!`^-l*p(>)XL
zY~+OMFPSvsLkpT&9-lVb=(})rL#?qNUP@eQ%&JW^(PfhoVd%zeveR(4%s@a<Ijb}m
z_sb}EfjeA!;06WtWTI8*Y2=3D(f2)j;eLf7hFvnhBG-tN&6=HS>_5Ho;9O%`<<!bt
zWB%+}Q|Y=$MM2_bhTaIRo^0GPL*G16PY%9=(HFPtsV5gV(DcJid+I3#_s8_dt$XT;
zZo(NrH}EaR9kxa*!><{BPf$pPX$-qC?8&e{!yybu(S6Dyk6}5(`3#pcJd@#-4DV$4
z48yeyzg)I-*-|r&VHbuy8TMy5gyATLc?@F=Cor7USaW=}8E1G9!|4oXF+7yve1=Cc
zT)=P<L;9#I?ganAkZuSU&~ghUXyfZ*E^gE?aIet+3$8-vL*-^~;El-t^)SDOxf13#
zFqgty1am&j*)XTW(0A+Uvf>DCcASKp9B1OT#$%w_5`F@gNwRIVDI4t!Kf6(FU#;x)
zENzd{wvLzn1}?V&oecDfpqH9CY}i4=rwv~;BKLs(mb`KH=?_WNSN|uToAn&sWuIZZ
z0B#KN+<&w=4Yye4;HJu4F#_X+DDIftAESdD+#)#>w?rNRvjDe1*5SU#z8DvrjJq7q
z$DNH?xT$f3xElW>a2Mkd_}>hZgV1+~dvLenJqYy}Zc=;!w<W$Q-osspEx7Bj6%_j7
zp2L~^KNO+A7f0Z3!!+Dsn5I*qG_yFR^Ua<}=@PTQc+4CEGYY&tX6BhOakV)CX}pPh
z2q&0vd=5QNj4-E(R&y5Oo)3QC#EpYTnN{GhFI+I1K`O_h$6tXP1W(0nfxp1bfLGua
zz(2zEPq^vtJ{sMi6w#w%+yrQxWTMZ+-Jaxf4&y28{+9V6TujDKAa~;glXT%{43FoK
z*Kw?&46_;b<nU`4zQyoDj4}jnz$E%h*yUY@Uoc$H?pHB>BIEZl%oG^e89!q@hv9IB
zeF+-hux~5ln;3q{@EwA<xs<}3&G<mZZ(+PU!)w^(afYWee39YbXrzX_PPYOMVwbN7
ziXjZs86M8=+Zdn2um{5<+5LIO&t?2$+$<?X4#QM}#&*W{Vf-}4a~YN~9K&!VLwueL
z;a_4r8{csiBHP4R<C)kq=%-N^&!v7+%>2J*mf!}WwZ@0IF>?#X-`_$<Qg*0W`{}x+
zYSv6>Cf6)u3qm$QN1IT)4&wTi1-<_b>elt*dSi{a86i}y+OJ)mdI9y7YTkajc6}|r
z*LA5U?))5r`#n)tP(vo+j?QVQ8yi%uP&ENhCn9`L_)TD+dEmCyJQZ%ben6^*`A5h(
zi{T)KQy9h=4q!NtVS-@=LE|*Wk6<{CUCv;9DZ>L9PGdNh;Yfx(8KyHVWhfY)LlC!+
z5+}VGb|HwIq27rZjOVcXREA{?4`mo*tviKvMlgO0yANS_A;W3r&7f0C(D;^JCNUh&
z@N$MW!v_f(VI3Zc*@+PSm_F;XNMk(4Fs#*M*@bl*ceYY3=tRTOl96v;g2wlZ4`X~C
z<A*Z7o*~x-U4vA;$TIswG7~vRqX`$e1dX)>pUQn|1n>-u<xsLT)?}kvy?>E(o=SU)
z{AiR(y&%SWFqs%Hj=~MgG2Es+i7yhTE4*g`!@PmJL?PzF7PtqQAkAE%GX!z>7Quh9
z3sDoeJ&fRbcERY<5Klhv<XX67U|x%lUx}0dZRR4}w48@Kl_!WvxGQ-YZbF`i8;`4S
zyYX_|V|*g+Dn1+c5?_j&hkuWoh5v-xgYN@;2(g~PZNR6BmvHCr+qm6#6K1tvitS<(
zrn8QC8~5;b!%e#bajR|yZqtpJMdAwFlUs_gn?U;^gnR?=32~G;8MN-i{kR#p7k55p
zrvuI2;tg{VQu$JRiMwwb=#O|rdlgeW2{+uHi+Gos7a^s~5cf*+TJuK4x(#>J-j94t
zFdq@~a0l)4xNmk1;97AiZk7EQH`;E&y|Ld~rg=J2UdzuE?|wW{jOUY~Z$uimnfF^M
zC<Vj&n97b}9>ci|^BImNXq?6P5ezHX<ur!hvCCwJgBdPkcp$@R1dVeTFJjo0VFtre
zh9<-F2^!xr+`=w>8TMy5hM_~y*p9Er3o(%K6BthP`oJZd@#6`Kn;7<Fmu3(8FK#Ai
zyvr`HvF{MZKVf_c<Ii}Qtr{P)%T$K*8D7V*A3>x}^m{Sv<_!fNVfS0u<qpP2Fy5Q-
z&ltYQ@K$!ekNFwOE+?|f;f#OGxQg3{@pOj!u<y%^@5@j!EMqv5;Q)pf!(jxC_ZdHw
z@lP2aPVn(nk6|vpb8CPaD#UPtk00^)f>4N_n6LE2EHG#dpf6$rLceaFiB>1myaISF
zyZlyc0e*w{0`Nt%E8yki{`io`vF?yeb0Eg_12N+qjZt(F;7{=RfXTR*eKx|-PvFjP
zf@cuqd4Uj<*yT?Q4`KJu8E#>ha~N{F^4J@Xy&Xzx$PVq8YRU4@j?KgUsD65{aQxGm
zVlCs-7?!dN%}Rtgf#GC^_<$~4hB4&!?V<6HozAK9%)r3R;6K<{SS`rGpURoWj`*T2
z!+Q<!=pT9hbRk-_31~xUc95JKn3LrO=MJ|mWl~B!^`-Rr>Bpouq@SFAZu&*(m!-F)
zf1i<((KlmqMqS3~8CPUHlCdFEW@csf&K#Ioo_TEMMVa?xzMW-ejmnyybxc-6*6CT7
zW!;!{f7T;e&t<)o^+wj)S?jV|vRbpg&Nj0%vb$yX&K{UOEPHfzEPF!sr0jV1wCokx
zCuX0TeRlRG*;i)YoP9_3W7*GSw|42$WptOxT^4n@w9Cz19_aE)m-o6lU59lo?ON6K
zq^^JJ`c&7qyN&L)s@qB3PVaVZw>!GM(rrz*wcS3<nVxe@PD9SBoL}VpKIhJyXL8o&
ze3<in57{HFNB<tt9^-pV?@`sGuE(W4?(FeIkLP;4*Q2#(|DMsF(|R7-^X#6__1uI@
znty5x5c?a$!~rmquxgSfCK@^7Cq^cG3gI&eK9k^6C`ydcq7?2GFmbH-nsSBV%2lX!
zLf-CS#c!8zjM2l}Wc2d37`?r3jlRGOy-$rNVLt`)G|V$F&%!(hvkqZCfcX$+J<JBU
zZG_nb^AXI)FrUD*z<la$5_fr@io0R%fw>pvKA3GV+r3ZaiQam7inm3c26L|0CeMR8
zALas>i(oE>xyE}=-iUBF!`$MncT>GBZW?&K0bI9$>sIEtzt@KLKwum%j9i!@cpeQK
zYr^=pgM+U-IQYIp3UbwgT(uxqEyz_1a@B%dwd^hz#@C>?4Q4ycH!$DAd<XMAjOVop
z14h7@Fcyr2v0)q-7bXQJ6($WP9VP=N6DA8L8>S0PceDqnG58XMz;__fKfs`!71S?L
zZ`BV5V=*xR26+|8t3Y1GV3;8=)Q=2<84iPfN?`3%pv@Fm{S=Ue!1||vJj587Jft@k
zCIXWW6NM>&iNO@YVC`C<1s4lps$i;N7QrlrSptLAPjM{FQW&g(;tLN#)WOulU^P@6
z2ZQxc(FoH7(+q>TmcUxMz^W*|_<)@Pm>Ug8+yrwo%q=jF!R>LFCt#j}c>#vzYcIik
z2(umry#cTLLq;ZKWI{$JWMo1{CS=6pSjfnPj7-SLgp7EH05UQmBNH+*AtMtqG9e=q
zGBP0}6EZR(Bi=`VjPO+hVUC4~z+k=DjKW}KZN^Za&h=WLtu4^j7HDe=w6z7=+9EIU
zT5;cZ4%U>?p;b9BLEUPDrfx9$Lt_Vf-?N5}1)gu%&`#SZKs_x)%XkLjJP7j;%)>B`
zz&r}`7|i1^o!84Y)XO&1%Qn=@HfZz))XNR1mm5$oH=tf_K)u|6dbt7hasxEF6&l?N
zjc$cTw?d;^q0z0-=vHWSD>S+l8r=$wZiPm-LZe%u(XG(vR%mo9G`bZU-3pCvg+{kR
zqg$cTt<dOJXml$yx^=f&b}qu42Xj8m1u(yWxe(?em>UfnnqfmTY-olp?m~-rH_SaS
z_rlx<^Etw8gS{QQH>UT!X~Q@$`+MJ`U1>wR(k9RJJb5<ExrQUpgE=4O0+@?nE{3_p
z`&RxAC3lUtR{qud4DCxB+Lt!>Qtx~BS16}LP?BqOTSKkmHlrU}z5XbP;gE76TDdde
z-+8;T4W+ORrLYa9unncK4W+ORrLYa9u+7*ETA#sef%zP!73OQu-UhQB<{OxAVZMX;
z9>()pP%<qjnHH2x3reO1CDVeEX+g=fpk!K5GA$^X7L-g2N~Q%R(}I#|LCLhBWLi)%
zEn+h2_+4n7?}oVt=3bclU><<`KVaU6`3z<Y%r>}h_cqC9?;W`UW;M*|FlWG=>up0l
z*oJzr4fS9f>cKYDgKhFEmgv{03uEM8F@EY6YOUApLR#w}t#y#rI!J3Bq_qyxS_f&Z
zgS6J6j5Zm<82~vfK&d>7l4wIoY~;E$+}m!TRYQI1j{1~|l4(Q9JPQf8LBeg2a2q7t
z1_`%8!W$vsjgat0NO&V8yb%)K2nlb5gf~LM8zJG1knl!Gcq1gd5fa`A32%giH$uW2
zA>oaX@J2{@BP6^L65a?2Z-j(5Lc$w&tNW9^?c!8O7dk3VhdBf0OqjD^&W5=Wefdo=
zH^bZla~It1hPemkUYPq}9srGhz`PHGe4@m*qr|qO#M)3|Z78v)QDRS{#GaNX8$(bh
zw#idrp9cGMxSauWCQ9mTm~&CW=fRv0a{<gnFc-sIg1-4G)Q#U6nJCTuar^cV)RAqd
zBir0`jOhP=N&HVK391>bhSYWMI#u_)Hw+8)24A5-ZT+kF4#tM6PNMfi__Y`x?TcN&
z9_AA7bMxn3i`n8mYHo)4+I!R72D2UJ8}Cia^|o0lFsVk4mFBItvW;$57Z`kP!s_om
zY7K-bg(-)r^FEiiW2Pt(+O@L1Z>=scT`?Xt30mEN!4GapKeT)4Nb_@~`8m@39BF<Y
zO7ByoXCpmZ$ImuWcM6?qj6$eB2-OFndLosc2v7WG8<}v;gljfjiBhW31+J-ZO-*vN
zXB77=6t1&3EUb%INC{jeC6J9#d3Tfnpu83Be|V&RtM~aH=4#J)_}>spa+`+s%x{yR
z|J2I;J6wd>j6H7?n*Flvd2eDANF_#dt51?Rxr9R~zf61=E^rMnpF)^UKy63e@Iz-|
zZY|_*(8s08lZ-y{=P)N5BjhQtPlbJ&(Fd*c2sagW8caG?VuiH<ylcpOn{t4+RTiP%
z1(-#lLUTvrOUh~JNe;%ib~<{3S=0l=WgF6-3ioN=2Ka4(Uz?oat&uZfAHw0*%Gq9v
za|>D+S5s(1s8$X!3-)ZU4Zf`yflWj2b1>o&jhWzS7M^FrhvKc*K7PDS<b!zI*!MHd
zm+!j)zFU}TI=I_}_*)R71(aLB-L;^;0o<)a3R`3)Y{lWrhK-P$IDO;~uA7(!<=p42
zm2+;(1>P5OA^5C94i;hLxCA3<3$EMXLQgG5s!YIt0jR5Rn`Jffw8+~G-+#zsIoF?n
z`vu@3pwvo~;QKkJOun0v@m1V)@ZAjG%|;4R_%@URaYFIeA_U213uGF^5Bs(m>4>`t
zzAd1>1w3y7cTXYyCb<|~gMV4$eW|(J(2h<ULQ#lKlnNxKXpkg)pLIrebFPtX&NIfC
zhZ%#-`LK_GeWa0N9u50k`2EW0V_pXLt6*OZ`v%xI!v2eqY2Jk}4<PIlz@J2)^y5+!
z_S4XsFigdIN;cL~O0bqvg0++qtfiD-Eu{o&C?#St%!Q~qDc1Sk8td0yi**mo2K0QN
zLo2&@>+MHicBCn&_89Xq^12BlubVLPx(Oq#n=sP4Nj~bmEgwfIKMnJoccFX{_RBD@
zdhg0Ny$|GD@P8ZT9hkK+@4~zX^FGWvm=9n+gjo->0cIo2CYX<4K8E=OrUm9xn9VSs
z!EAwPLmFSfd=0Y=X1lk+?h4ZlraMdyOb?izFuh=U!}Ng}?OkY>z%GR;gDHopfQiE#
z2s0UG3d}(;Q(@2+*ayQ*hnWF`+GZaDGYh5?W;V<mm_uRa!pws?3}!ye0`FaWAxsra
zHOwNI#V|`?YG5w)KCpiUa~aI9VSeL%fYHk<hP2=C*4k@fHo<H~YqPTpwa{yzvFL9R
z`U`~Kj?mi?`il-iQ~d3rFxxwc*)ctpmP4(xyaMJ*m|J0Phxs#FY~`=u&YX5a)BYN*
zw7nx=P9JY;C%l<Xnz!BQg8ZdAslYH+cd+W@WWdh!K5??W&)~b&>FRyubn`wlT!i=x
zzHRXRz{!G*89YL4L5MAegzs1IZG~$axnks)MjQcd1>J9TjBnYGLQ}}E@ze_HZAKb+
zXoYJV!nQJ<Oz(BX`3Rvn1qy}I{ER7X)|^sGUvPW}aX(ACVk`xpkKluziz#+N%nTXy
z72D)Yw8yhht7dzj=$7y^v{Rp;1^Wao*i&f1w&L4os{f)MVk_GIt#XF<7sT9(9^xa!
zZb1*R1r*xQVr~YNb!Z_sA@+x8AvaSCi8kEtwPvF|_FH?^N^Ul?<uq`0urW|hhnWF-
zGhrWskgD}=lM9W$vdYMk)kcn71bZ?3YS6C|ZS$6EX_fre7jDbKPDeU+*IK+b{9C=x
z`2P)d2Ris6X2-w59XkI{b~SIlpCz#A))vfBY)GILGH8MJnK$ze!mXQcqwm^b=h*ue
zqY{jYAen96I>2@4q1ycr*ALO!afo)o^@I1g_jj}${u8Z`@ee6bNwg$=+MtU#j|V<>
z9m2c`D^-SZ+xXjF!FfsA4TA21)*ayK3GXfM3Cs=tSN<S_dm)AE{#Rz6G#kAa;LF~#
z-UjISTE^CSYuE=nDR6t)`vg*254Z`i#e3`j1zDlx#t&m?{R=R5r=3~;X?LtctD1*)
z&hq{KC)(V`gxVnQ_8*H&@4BGf`LSsJXV8Jp|J|74VJ+0V1+B#g#$e2a@a%m+KG2H~
z;B)VPMqc)YOYc3*h4|;as^j_3@1gFXjwIc+_kWj#mI%EgB#+&J_GzkdNN1xFznApm
zXpQayTGZmbj@AA>`XPPlJzoc00~|g79!2{R1CjLq_x-Tb^1tB6HLJ7nH1bbcjJD^4
z9YxWR7BVfY%TQQo_!_FQ)Teomknx`KY0$IsVf!g)H%6HV&tpyRRkU<CX90*)7ts1G
z8eb2ZTQEXc>%E!uf0HQu-~R1b)BpYaKw_=<W3Ke?PixOpKnYLuZbC`k<lUfS;h9@c
zls((Ndx)s_81`!n?BMXvdn~|x7vCQ%(D)Jb-oXg*HT>T}Y+x#6ClLGf+;^&(RdS}&
zN$A}>XCnPp^wN9r!<roCwiF>e*Gduq#UJw9mEL*pqOP=XUF?n(nID)!z?FxS%BbI{
z+sHw3P8j%igdv<|bcduY#KYcv`_U{>{2{+x^+r0^^ak2s%su=55c=UbI@h3wvDlvH
z+QF#pUgS9qCn;1JB#Hi8a{W4&HRZZ5tq>#=`+<n}I+r!&dXLB9ES<hQw@t$u#SXF}
zia+FseC=^B?A`xEQut4g^S?CL|M*WYw|^u5^ls^%{`v#~c`Oln4t&~U!CE1?w|{Ey
z;=Rw$?;EKYui>l}{+K}#M(#!*?+&~%1BiYMC%M?I13<lh`=5%>ed<o*AHCMXs}flM
z#%g8zxc`->UG=v=lrGkCF*exqU&r~OocceO%a57sz2eX3V%K(Ox!$>~cTH#SeW8P_
zX}%oyPWmc6U)ny6Fc(C9M|Z!DaLMejhCp$>e}*aiJ8)I=0?zy#>`huKR~^>@s*yY8
zI<&sg;cRiIdc8N?>`B-kqpT?%jP^UMPrE8>j<?A$FCIaAAy*xA%`>>4=0K*k38Nb9
z<#=Dher`|l@$U@dJ?c~UUIvzCxLD^}2gzZ*%dh~yqc>c@>3XaJtofniI6sYD+mQ3K
zq+hT%c+Ys(a_AhuEZn@24L&k)!vTJwb+}&OwhjEX;T;K_r$f8)Ey_y5{@QyG)YhPP
zdA{S)W9oYd0<CBMpbbce_QUW71aLB;b@1I1-J2d-6GLj)%~yMGn9Z&;u=h=x1<9nr
z7(CO1wNpPzvjYA>s#L1jy;D@kQMZL#_KJIohgOs&(Lrm*iD?kfB^kB*Ip8=2E|^j3
zAC<KJf&M2d1>a@wY~=83=&b6wAnlH45dn9dQ4gfayHULU&{<gD9U*bv9e=;ybjc@4
zDLWbNc^~s_T4h7dd1VI}m6R{FG_Coh1=PcA*gfxxD(F#rgVQmn6Kyy-(#bEVBRf&H
z4V&|V-D&!9`f5jucB+ZPq>gcbJp`c?J8WG^0zRpv9DIkJ>~IL?(3jj!Ap?g{JE9zM
zdIK`wi`8yQl}5SY)C2mRyNAPs@I1WVnP*JIEPhDHwH@lckkq6=r+i7#%G9@dABEmR
z-JkD7)A320{IX>%AM^A*ZnY5m285>Cn#$`qc!LC~-NVHDpk?mUj?EwWf#oZ?y<^H~
z*RO0}dXy9Iz92tXCFZ?j<djZRKvt*)w4S^rx$lz0@9!Jl3ixf}_&hR1SRT1}e?yJY
zF72}uXb7l1)84Q1r$C#L0=2lbmPVYtgq~`{f5*s|ctbhvd71A;P3Sn^-hCar@2zY5
zvfi86YEK=xej9o3bj8v8+NT+mt#YB3oUvrP-F|&7B+cQ#Y3(iI)7lf;`!3lxS%HRd
z-P+@F+LLrT3In}Qj%>XTlle-=`5am??qHO{9PaA$P72;#|DW^g9vWSAz!gpo?&cRN
z-Q9%zZ}-NEI{s8ry>RD12W1700-gO4+3RR7w|nv=Nne`S(^KPz(5gj10WEg2-w#~(
z80*3zec5z}gn|*~9uxWT0{V0RFhy^D`02k9chCybjfm<`8bp22&SUsJkXT3g+I3Da
zqURaEw-qzr4QelMrx@TYI2{!pRV8)DA64t9K@SbR*^C{*4am_};5&rdDW#nqFq=Yq
z$T4-RPcvT{Z3km{WA}8!@(j4!Ik~V4_N_jHRN62u*oIuJ!Cbd5>#c>epLib`x#yE$
zI18Tqv2=Ldl>B*oL!$}ece9qRZWX+*;6`UgX~ahJ*4^|h6n^i1c!MVS^S(@?0a6&C
zJ7S8PUGcQ{y0&8)|Dn$`Ki=b?cMXD~^+WmUleWO0;OOYFsqWF<y!!3F4R7B@(dcRS
zKj`4u-d$L^xyyUcyVG03>k<a-&SOqY?Y~~_@~#ij!f8kNP_4z;Ht%gUL*>!hotSal
z;a%_19XI%SA47M)^q%W{4y(ci5Tkn1c&bx4Z5p`$SFk;;(Yr`PD!J?;M5kWKo-q}t
z<*AM6<cDyf)s#*G?bcb3h5O;2+kU$Zyr%(v1itntDcXJS@TX+hd3%GF_-Wh>V|cG{
zKee$#BJF1UJJO=w15|kCfR_0KT6+P#@Tex)!zM@noJ_kgJ0+}ikLwE6m#?rMNbNqx
zQdC>H<=?vF{KY4-2mRKLJ!XezMyO69U7i=CPFd*f=yXRH=wmkQ%$;+<{ZzY=D7Yq`
znFjcCRFA)NE3bG)Z?>EMDw)T(y>lQHO_%y%ZbvRt{yTH#$J^Q7{mfwJI7p30Qk-9S
zLx0YOMQgO`L<Y;#yC^i*eBFCN(edLT7QMq^cy}sy-1fsiuMSdQ2id=y%$+KMyE_?2
z>FC<(*8Va1)CZc5F@yT4H4wtJr26RhH2Q$M!EnyRdJ_L|-vqVRdM%QiRE)i7V{w}Y
z;s<Ginx;*syY^yF)Q_iP?<s^v(f!i=0|ghm9JCUx#>S-0+;#-CRbBRD=y=#`AUUWf
zfBlQJ6`|X(%Z*he(%jwEJV-+IQ!N;`ZuMT&^nP5cleTbA65*2e>nb9s7E4P6w;SvU
z4Gt52m!ZS9WoJr|jM8(GBeiY4Sl&2QhBE2}jZ9T#veSO%fSqY2T{IskCs4)j2cDOr
zlZyY<AGLX^)#!|p_f%)K3VOr*qa@H9bn?rBZYRqwXe*Lh%PWwfxS@4tlsoOiZ3c%*
zP82MuM*)RU>=269>cU{XjcYsYZm1Dx8cI!5+6C{LS}^CK@nJh|!s$I6dcX`wJ^7q_
zk78u{B<kj?$PxYD<x|F&d5`$9aK3L1{GWivJxM7d#9HrP;QL*F)QS-mOUFAE?)Q2R
z!C=RfOYm-@LT6q>yxtOeUjc9L>0hea$MGLKvst=5LcVEQUL>{sjIp@?XG+L7j8a<B
zutO5xD?Qg`Hx_A)O;Xqm64r?h+l5`s0yXKB-6R3;kUj^R9Ui+BqNI{M`x+3YyQ?-<
z)hfLM!2NkR=D!zjKNeJJh22mi-wygrpO;;?AAYDG$L1bSw+3i;-sO5sJGr!y#OuOg
z{t$wCc<5}P4d~nb9y7!ePW2~803m1ITMIvjag-FTYcMxEwf{O`cvl7Cw}#^fc#@+r
zY8_RLM8Un*D)7dd5NKWyw_^-39!*l^AS4N%jptx2)!m=DwGYz~t=)&{C>GrOmKr@R
zazdv(axltKBO9KBc@GEjz}y;g#JIi<a~?YV@fH49(*gWc(=RlNxb$%=7gq8<_dccG
zgy%^-L*lj&_0ccsc6z&sOG?SGvoZ*sfkFx$j4ImI<Pj==x}GLOBPM1R;3B!7qq*<Y
zLY|)t^NP6G72tC&G{4UDM+fc0bVP3VAv%f`a-%Vk!#zk2a@U3beQEv>9s%h3C3j9O
z=`vFHQx79=lozg9tbbhdc7B(~=K+1+yIktLR^ol+ySKM#HN|)FwbQqid%LF*{@w&@
z&u4mmqbam2Q=h1TyG3^Ru|8njhP(u6>r!VI8oTRXCp3L;*x}W$fL<s-2PjsNf|RKZ
z>w;becM&38n*SR9d?J{|B8<gShelEv(4H?zhTT*vn1XK?@sDfYHoZzlHBq;*J20YW
zEaZyT4Egt4s2#%T$M&t?&SAh$vgW{d4743Tzx4w~DbQR-)!g0k<fnib*QvZJ7d%6D
zd{%(o$_VOIQlfs$9qn-6#xm-dhj!7t4}IxDI;lu^J<bZegY#0jwTQJO3oaYIKZM3=
z4>E0fzwDnF_0hN&Z>l3E#=n~MVBEThmJ5`&V2t=rjQ*a*6HXZLsX4=Y5EzZ+{T?I4
zr(WH_=yzAYP+J_TcdReIo(E+`=PmS)+w9~#+IQVk8@tbRODcY#gEuWyivfFwo$^5U
zJEN>xV&zM*iSyn4Sn5dEFR!59bH2axzR~p5DmES<eXKpHy6Am`lG=hlw3BR|8r{cD
zA^#6~-vM7mv9>=u+d={%)CAH)FG)^9?<IsTT|h)7bPxyv(nLf+qy-hbVgVaAM8&R%
z2#SiRh=__^5D^tov7!8*_u11D5(r%HcklQ8&-tBq=giK`&d$Dl-kJRra_k5s6?V<>
zpDA=Gg!yttk8Ll!cFvT`s;U-@)I5e~;=t+**DVXR@gMpV3BH2eQgMIKG5qnF?_dP}
z2O=~BcPv~%o-v=C-=hnP2*hW~PTKwtu*$+H{tjwGlqQ}C_Ge;b<{H>rA&d?bKcgdB
z75+kaVgrR|GEO`n$SGbk4V*o*qj!hIbJ1xKE$XGEx20$i-0NTc1n3aQfJP`D2fri%
z7KQO(e{cVgk{C_l{^(_hvhmc9d3@r`dxa}XEMgEp(7vD72%Qz`O^}12Mv#U@D?#5p
zp2c}|c-lp>N+hDov|yQV@US~OWq+wXNX#i(5As{K5T;p3E5$#zaE+q4Yn7%iqz;Ms
zJPh4}A3hzwpAy&!`Qrb0z5Sd|hx#u11&t!`tfiFa>j~#wC?T9uW(vgfl^MW+K%<3^
zC?jLR*tx=IPUoM;C(up_TL0;^6<!w4S-h)$3=vs;;wSJNPdxLl=g5^Y-r-pMYM@oD
zbT1O$0leCT@(29SWLx3>7B@C*KTPf%e>u?liARx87-#G#d*Zp$=Ll_wN)xmER+wN*
zaHK=D5mq`>uV^Zqp5$EM8iAu%KG1sM+QsLF%8=qie~V4Q3oke?Z*A~%zo4E_eEA|z
z&MQ=y=J{-7pKW{u2f|wPG!N1BG2349r|{he%9Vyk1j_ysM_`O-tg>7937^vAQjo%f
z*oSsyHYKPFGhNIzPPnK)1Nt>++xvK9g2;xTz8g3r$AESYF6Y-ln7b{!OyRT_ty_4c
zaXrq@hL?nH^)9rlcaQHbx?2~p?lN3C$cs^1_Nse~SKf;=J45XtR$&2hp7glz@f#th
z_FyL;ltp?k)}<g~17748RSskzX4pef7RR@ST0y?ZU9rPXlxQwwUa>eEUf)Xxu-L=C
zptk@gPcPmF&-YvO=G)M00$T9!ozYu?r&6>B!soo$AbO5Cdxjj(dnB_AetripyzsMK
z$k`v_jm6VU;cK9l=n$f_2zR0-AY<m`hsp-76v~lQI5#hR#`{-v^uc#e;DOY_k3kdv
z6xuHOAs=8zAbRWj5O(<ahs4DohD&$|?iz7hA<UARtRF51M9LrYWFM}6il_`+*?Ur-
zvm@a^@CG(|cvea2z-aj`UEFivzR_dPkAbQu%7~)vp{#fm|Lgcopr3-b0bW@2SqIAe
zyN`jfmg|I`PIzu%tu0jM<URAASU3#%%T87^@TA$F-#z|Rs5d86{%1xm@EmyE6Q~Sh
zv);Qf<_*F;6~HiJx+jr=kspDwehQS3djUOs439vV-WI$8zeN=Mf64^f4#_-^QiK0b
zS@{eKlw@Osk5zcHvVJn8n;;rR_+r3I5{6w;hqw>Dm3&C(K)eg$4<b!?JPA*>E{f7N
z3CNrhuf5kBV-Fj`qj1n>G0!u+-|P?k)~E9cNKVnm0`+je@=Wmya$O5&Js;=Q$o(x?
za!05Z@{b0iZ&*NP3lS&t4rKQaQZAtJd36N43gdh@2S)=L$Dfd9P!~AjK{hLSewzVT
z#5jjO;Ugq{$DE8rk>Nc@f$<K>#ZWD#<c?4C<M9waX@4x4+z)?@CObL3pZa2j>j&-)
z_v~picphO~%=4woJP4jtpls+Gs6|RcPI>8LVC2L61F*6J*bu5$x|Ba^fEZr78YeB~
z>7=LMT9__-()R!HlP8XMQN3FvKE^#vBRR89c+V}sMbKiv);tY6A^ghZRiA=FWWMWg
z_?e>Vl4rk)mMr`~3`cPyq&<fs1;ITJKsP%Oz9KM$iNMvM7u#zYa|q(Y*ohjXH?O4-
zCt@zf13D!~h1SE-fHd=axxXoCmacH`|CxW}b=bLAS}V-4{+aeqY^Ct1pLqTs$cbee
zA{9znMde)t{N~^Dq0IdW9Ny!Hyomq45xs?x4$BYkflzDsQ}DQ#|LIV(_plT#V;+V4
zy-+0W3GD{`!`@Y(0R*oM`uq}Y-0#1BSp1gcg!jT<LUJLwO8T(1y@j7Hu2)D3N?k-+
z?T5aGC^T5(Jj-}AfAkj4Zwg!i(pgqBZbqKOa2*LoZAmM;WoKf@aBu!~BPeMv<{(6}
zZba%`*-uyGyUO%pw!-`m-aS<F_A@*=X9@J=)JH!(mufeGl3N3>5$+HcMO$*&lFtP0
zsqnKXx%{cmuvfoB)A4!-9P+OcFEsZn?S$|vywwl~49^Xv@f3;OfgFs0#~;J|-@uuD
zz=$K53l4Zk@V*ADcjwG6Ebbs~N?TrwI49{aUl8nvH<5#A7r7Q@ePu_|_eH-0l>JRN
zBJ~<(fpfebh2*DS2ka^H!uZrcxsqgNwLp9XOP(Bfx<slJ@-#rNReDzZ?T7jhY^ru(
zJ|UPBmhi?7?QsmlP83R>{A{73h5mTsQYh<$KNwY+%?$FI!UaN_otJ+q?2uC7y#;na
zYYt+;sdTFv@EHGqU(lN$)|*Peo0Ix=!^(y~sZa3!19=ms^i1$F5Yv1N@AKv-I7%fx
zDe<TVbcw(mJ#xZqU#}(P6+4b0jut3a_=wr^lRkebjeg6%MY3~&7cb8y0(0~@AJlKC
zjr{@Y`3a?kD~D-hAs$b;CoyFHm`2gtF{dwa7c$!innCIhv{1}lD&6&2nXMnbXY@gg
z;uMsWIY4=5z<<TAN*tPh3-I=9qAxBInx^d5bPQSoc4|WU3yi6(S(Uhm|G{X0fAU6!
z7jxex{|->VdY8JcK#!`t%ase`1hV(jKKO(xqiig86qNY@7vq9`pg0=8V-H%qhg#C&
zmj!o@h9B|>=<*2nmBL$pk%|lL81+xyQE_b%%f-W8EVUL}L!>F<UFC!4D|90{u!cR3
zFZ|_HRPNOdK(tb5&M%PvPaR3$d(o@n==bCo32|xoGvxmK_lQ(!K1F#3_)!tvwluAj
zz6>}QXP^t|oU&K>7Eccl=@UL%Qu>xlF6nvW3!jJNDm6Y8u37RwNQPaAdV3SRmAXv0
zJf<`N1{U{0`6s=6(3ZDSN@fdW2H<zhoU9K@<l-v(^RSNi4SyS)YXOY{6M(lzK<)d`
z%09Gp$ggXiq@7cpLW|yx^QXD~N+|Fj{hZ8u_YY&RaL-WxIRbv%@pFaKS=sf^4MMrn
z%}bPYL13NijTgRF%qv<Byk6pQ1NT@c9tC&*l~>H;Gr`sqB?T-yt>+xxhSc<9ZNS>&
zDjdoC*FLyU+zXynAR6*8Wx-CoCq(i^OGDJ%zjlqHwF9FUo(~Gdco+GIoW>8mJEI<u
z<FA)H49E^ogY-kco>`a!qO7N3A36SkTp2&4(1YOICoKF@jC%NdQRqpMT3$nIN5Ki<
zhX5BOt$HI8DpzD2O8r-Kd-x$B-vNa(m&o1YctfCxfBhPPmWn^(IR;}I!b^B72*Ptt
zFCEg-=x=#UYIA-i8mptB!Q<c6_=V<T{A;3*zlBH%(jBBI-k=+52c`W~EVWPl2`|kt
zokV+in^zO^O~%<z;ou*ftvPk8ffDGMNRLwVD1?3F3jQnl+Y$d`1b&_bIGG#>T)5DY
z{g?Xu6s0=!FAVd&=!-zvGdU7Ne<Qw>!PtpSSc>}(T`9abq1@9+1)f)^4!HCQPvLZQ
zF5HFe+Zmt%H;lW`^NZH~=Z<d=T@`ole`}581>Qq~wlLn9u`6WxhSw@x8rSqFAb_3R
z^)s9jO4rWml{&sEynI04<18pWZ(`^3{(^lg)zgP38=sb_`yME!F!qOC5d1I9Uf`Q3
zgdc|CZ&=}zBtZi*vnYMt0K0grK=^Nl;J?fftv*TBLZ?FhibC1N{|VVGVdo3WM{*nR
z9)BcSanduaZb?abTTWmm3voQ}9$!EoHlodt-;=OtoZ4OBqlhX)<k_{@+42qS&vO-0
z@*dH5kt<&CuMvq>+7IsZ__g@GCNmT`z6gHZ4#z!0CDP9E)$Gwuo_*^0je&;oB({b>
z;Xr=TBkXfojYi#~<T)<kbRp~$tRkk6V#!b0EbvWY89aPFEsX@D6IMPPYxx{0l>(BP
z`j_-4P{S=f*0K$gc4BCT8+R6Hf%jM>620h%`S1P2?9<2zTra!|df~V60(TmI_S9*S
z4wM)YD;7h(8jx=$yfKFYmSBLt@=2NS9tLQ>oIk2Zp6+4%B;LPN@&-B$pLx+fdM$fr
z`5ZmZKd*<}!1ME}1^QaFk+A>hkHi6sH5#^3A*?_!85+Uh-38A{g4ed0<-tN{OZwxD
z2Bc0Q|45NBqWxGTucQV~n(tl3PfdYmL@gk^TH(HgpYhVgKbaHDm7G(!1%H4160_u5
zCqF|x{l;HLRt$zo9z5IPebGu*q6OOZusO6RG-~}6IvXfe+9PWFdsDpBFScdb#Ts-{
z;-@;!$S=Lb5~*R@4+^n0;rL#wvHnzyza0git3NKR#1_31t+|iTaMV8v=^R`KO8;)4
zD(EfL|5IU6pi+s)y51SD=YTP)3H(@f89lT`HNjch_$Agq{S(E-<jQr5e1!hV1M1=)
zMf*S9Pis_=yGxY4F4&r9$xwUp;v<2t>%*IsQNYN@K(2DW2VV0%Ov&@Z2j}pvdM|xa
zm>Jl`g!FO*nB>=dpgVf^+61)I1Z~6f$q#Y^QUs}@ntI$xuU5jzfV>D^ql9w*tFk?5
zW3tb(o7!FvH%>+UVSJzz^6JD939HYOfw4WY<eBAAHv%q{7`J#rv(h7C40JhANJOZB
zC!dR#pP^DkQdQ9k-VOp7h%^h6mE`l>0X|TR{gu+c1aeOAh^tUT@sBI4WV9ueg&nI(
zMPa9Rxl)!UmnfCyR8oVYkB97;qIx_mUUDClIS}3gbR(IUjKbX~!k(%u+!tk_Rbrf=
z&7B_qEBxfcwKYE9eZ(5MfY^V9bvemB#Ru!*W&g)LC)@i``W@a(kskRyy=cd;k%<%w
z_A0z$ku>}T*eg;pPa*fth{lUtjDP)D8sz!t!LNvyV2q!5RL~RomAI=U&YkuMpV$xa
zy@cnUW}C%IPx6mIqy_e=WcvZW8U_3;b_@g0m8*<}{(pxI<!+UJoTa4@=qtu1#!Gwk
zh|wYX!oHRP43JW!KKhWb2B8rC1l#lPS{C?^qwKHA4=6<<jzX<_xlf_p4Unfemi`l@
z(x4n>-#(HSirhnqjl$wzkJ7K<C-cZB@#vJ;#A%(t9IH3~_&ToWw>mH)i1YLA2H1M|
zbo_m#xwt=it58w&BWUv!I^q9w3d$|6ir5c_;Ej0)_W;ic?hnsAgdsQ=zQ#1H1&q3s
zhZo(Ce}Bny@Opq}@<wSS4W8qJUX%WMB6ktR40srEP!dxknyP;mr6~S|b><XFw&KU$
z08XEx%D?Tj7Z>|)YyQ8u;nU=-rM(l6m&S4jxMI2SNgARqaFX-?kyD^K!FtN#5;{;M
zHaoz37}-p2NKa@`vPvtbK|QrmdM|#(@>Q>IfjutS@)7KBBt1SUZz|zVq-Tirh6ndk
z_~ze|ULL;+Kk<{_@8?5BBEC;->7-+IV(}Alz;g<XHt$CEgWu^D4e`Shsus#9?89cX
z_;>ymUc&u7NFVrv)NvN`>>-(BJ-#W>2=@V%k-ra|aVy4S^YJ_3FZXr=mB{i>;m>(1
zP`WfnSwSvy((-|q{e$E4ar8W*;w$%d5#@Ps?2TTeIr4Yn3(tJ<p8(I6vm7bv6~&iD
zu76LY;CYc4V*k_)=2Y-f0of7EKSd&ppLjf=S#cG-R(YoI49RK6v;aq>*K)_6m&NaE
zLB8xzjkxGQiQ;;3W_e+KKWPI}&R;hDqy<Yn30j9f7NB5^?1}eS^f}7v5JcMJImTli
z#>FVq^lGs;M-c&1L|-iF;=#KFX5izhoZ?D`(V#p>Z$?iFO5A1mr|>_S-DeK&(2LRa
zTgTy5{;#EjF@Z0KuoBPe7-r$XU63acY=M}dliYmp$(*E2;8fv#WxU+t*V_kb1aUT$
zQHm6v;-`p}l|5TMoxI3>l;kymMT`{_ML%9?wE0HSGsXSK`0<*>o`Xlh`;^Ao4wNna
zND4Y7^%PzY5TG`XD+=VV&@PJs`Y!&eMRQ?!(*qTtypUhc!;5h20B(7EcAcruO020*
zqz!@S`zr6MC6D(By(M=pntM9`L%yXzE%rpT8rbgPcN;i=>LXh?1aA;*b<o@a?9a3d
zsZCPzc!BU-9Ph_3ggpnu(#A+^!S^Fz?E%EAZo+?WeLUh_P+Ha~oaz&lZ?x@>fKTFs
zR*qmda#{5vR@TQz?GgV6axp7{vq4!7tqkvcIQd1q^K8klW1PHv_}L&<fiH*h{ZC!w
z*(vcqR12m5<)<IsTFGgzuOV#_<0yTVJ>g`3J^xI9_#Ktp*1vKl)Pq8;(AQfir__Hi
zA0zX~;$!vR@GRDYCy}wAbGX%7_{pHwH>mSh;6m8dQ+zV82{<m_lx8eKWdc|stx4MR
zB6wE}^dVF_aLv;_2IZsBVu<pD7Q7iO+1ay*Tshrq6fIwPR?|D{QDKpiGUkDCFLJ7M
zfARbt1kHc!$+W^WjB|d!WYM<p)I<h`t{h5<X1k>{qYevWi`Q<59#L1GqwKth_Y%q3
z0REJwMX$9YP*>U^{cN7r{7Lxruf|!?O)Ep*^+DU^<i}KzYX2YqO@)>&_EzYbB8BIY
ziaA$Vp}7C_tjhm$BPpX(7rX|M3BXkGXG==Pr!L+BcND+rz^{)%Rj-k<w!uFC1*5hT
z*7<Fyu@BbsFDUWO@ik%j&mt$h)FHGWH4nnF{{*$3J^s+~n_%IKWg^mcA3P3wg<AgG
zKIoyW!51Ay?$y&6M01h1=0U3tXx8|D$cy~<cJ9XreJOko_vh)?j;CJ)^1b^E{iDW8
zkIBhKfjW`sLlXTgJFW;%6a7(Qpd^x3qH$%fcR4~2{=fV={@MSwyW{iWQ}LcLbljuf
z+tTGuL?%$9@+5^kRqoUru+Kc%!KaNC_TIgF|5#geF|Ve~e}?ImUdaH&InT%HpM#QC
z{W<bp5q`Y?$d|Y}!8BPxCacM$PXZAmSn?GDS1SF{zXQt`V%5n#c-9E~eKO01pZB3(
z7o+ECC$NO!qa@Y%<*vV!mme4({*yB-Nxg>mQ^NRw6N%M<v$#W{GH<NHViXXoF7Jao
z;_ZjwT{8qxKI~0#=;0yxh0gzPO8wJX;J@eIG2UCDp$Qg0ffx_(?F>)g-yY~=ViVvO
z)XcmmQ7-h1q)));PyH<fpPkexT#CK-=2$$)jH1A!3gVjIe)PC7uCXmpme>{K&D`Un
zgX(~@O#&snBYA;P^)blIZQvN`fY?>f>zQC0BE3Z4m9yd*I(qzJ{M!wAeB}5gfwq8u
zf$>@A*}-UW9ekF%I4XrahC%v&B~Y73_c;E`IXQ+th5v=}Pn`-MAFnjV2eLBs@sC>2
zA`d%LT;7X#TiaV0jY9qN>R?3V>|yBVZylc_<AeJU`u+*u{WzjMf7IUUKx_i{hkYlw
z>rU|E!SVSrn8gI=o@9Iq<rn@}xJF6;{Bl9820t(MO5)ju_@JCUO-%{9n@~uwjl$RW
z@_|bQC?n506cu79pPTHax@m4rx0YMSt>-py)7=a=%WdQ~ahtg<+*WQ|x4qlZ&2c-q
zxo&@Vq&vzT=U(Vea3{I>?qqk0JI$T$&U9zHbKJS^Ja@jk&|Ty%c9*zI-DU1_w?G+c
z0rr4O#5*^WRSNXZH0(i9Q`J(nRUPQ2^;CV;0PkK)R~d-7^x+L`*{YFhteP0*jA)~w
zk!y4@rWjL=X~t}0wXw!{)_Bf%-q>ioXlypN8m}0y8rzK5jMt4fjP1so#t!2x;~nE&
zV~_EP@u~5d@wxGZ@ul&VvCsJ0IADBZ95lW+el(64KN&w8zZgf2Uya|4-;F<vKXnzI
zsvGErx``g9N9xgfte&JN>#2H%nP-kLzcBZiUz-QaL+1D9&*tyuG4n6WuuRLcY%9{L
zZq>IMSS{>3>^tqd?7QuI?ECDs_5=2V_QUog_M`S=ZnPWcCSfF!-4wTmTidPc)^{7a
znXb>xb{o4*-R5pfx3$~O?ck1f$Ga2Vi`=R1#qJDumV1eNse74wxx2u<!o3nLj8z&w
zJB#ndaS^{)2HuD$RTg$(G-7FDR0UNL^Tn0%2AryhACANOGpl3nqKE3K#^X6Wtk$VV
z)D!9>wO9S3jv8+p9~+0Xt1Fs|&1GhRxx!p&UT5B7-eImW?=tT*?>8SXA2c_aZ=3I!
zpIR?jo2{3vE!I}+73)=NoAsLYy7h*&-Fnm7VZCL&ZM|ddwBEILS?^i9t@o`x)(6&y
z)?w>MyS!c3?q?6SC)=0X^X*mk2Kz<(C3~~I#eT(p3-@HWT?u7`v^&5(8^?0EN4bk6
z!3$g!?V|pp_6CfjR<_&O?SiS2?ruNS80?;}qTFHb2vyM?<Bq|dYv7Z{SSXA|6O76u
z_%^~l?*(T4f^QSxR<vpg-0Gs50k@{9=D@8rss-@tS=AEwwMn%ywiw$~Tj17ql_Pki
zIs>zIscyioJ*o#r?o-thn6*#!26i1(eT+lKAvFNF^_w~yW9q7NfmK!1P+(T7IuE$j
zP@NC_YN9Rxjtx_SXCqY}aBZ|2u4m{OY6M33Z8Z|3_@SDH5$mTe#XV0}b1`c3)n$TT
zY927`9yMPuOkE*3rmh5*J*<`h(;iVv1>4jzjPM3kfH8hat#FetVpnl|FCgp&=weK&
zg7SQLZtoE@4R;{&qd=)CpiZ2@*lYxaZPQi!=Lg|@IgF~jV-mHEJ=#Tow*m{$2Ks6!
z6FdZ*1F5TUg;>=HBYUwi-I!s_G-jbSp;)2Lk7c|tT0sib9dsw%Rrk?-bw52opRLc+
z=j%~=qP|$q)X(bY^z-@!y-~lYH|dwmNHfYTYnC&k&5GtQVC`~Z>pkWp<_qRa=4SI{
zbBFn^`I-5-x!?Q~lzQBXw&JY>E6GZ;>XK3$TIp5~tEY9A)ywK_^|AU|{jC1h04vWL
zZjG=;TBEGd));H7HO?AuEwUC{H(EDaw_3MZ4_WK1_0~IhCNJ0<fy0~Zm+g1#o%Vb7
zr}hu_Vf#n>C;O=VoBfCVr&Gp>bfTQHPB|yqDeuHM6`YDrqI0ivpR?9^Kt>u^bjZBW
zoNHcY&NDAJ=bH=6h2|AFV_2;LZS#8b2J;8=uzd{ws$<Ojqowmfjk|as{m{ottV^wx
z=-VCkZ@6L%u2R*Bb*eelokTpV6#SAv1u5XUiK?~{r&5gsqoq+<FyClobTfJxjg3A=
zf8?EQJZ-cke_g|8bvOCz{ot?Lj0eG8w;K<UyFQF3xZ79{4*R*Wf!y_JV?Ungvv{W8
zf;WE$9=j1-_D5qAxa`lyOXRSdH9p1`ZR^IyR^3cDGkyW~Y%`8puiFX6-*$aFL-)0P
z_RV^reXD)D-sE2IUaz+ZzUg*)5?&-U*&MEX=16m-QNx^MPBLnO9-cF5Io~)3jgBZ6
z2OhQp6B^f;*D2S$(R^G*nNOI{sJiC!<`$K1zG`k$P0csVH&k<A$Xlv~xzl`CwKCr`
zcdIt$2j&6Q&ivN=UiCJAw4zjhE5@p%CRtUjBsIlKwbIljRxPWRx)eB6PtCO&TA6B|
z)yQh47TV9-UxM29*}tkM<k_oj_Fs;xUPqsztc$JLa8Av!<|xOSYZWNhy4t!%#R8{p
zRMmi2H>>Kvty@*Rb)WT+N&tqfQ)$4m^{R#&;YNWLwTdKXF@P->sxrWsxxkLg%*&Jp
z=FC%(z@E!h1Tbhm?t6i`Kv}?~g~~Cn06v+hUlY7kz7hCZpxqe2iuhW<jTDrSIer6j
zISpm&<7+}5Hw2V-l-iKUS)loBd|hzQ#%QCjIvaH-sA+(!AWbZzl98@VBg1H-w2^1b
zMtZ4nwX%)1#)HZQ-aM`%K>b^g|BCSn;11($z<0n?BOsmkBMp2}w%~{|fFll|t1GEU
zaL~re)NOTJ(8UMV2da#{+`d+oaj$c)N1rutTPsTs*Ta?86Z8a>oua28=VE;^&s(6P
z8<YV``azlIVe_!E>|>xQjc;wp^)FPk`K9?KO6)h$4@mj1F>*heKVlSrHh)I?SMyiE
z-%QN5L-PNQk^aN{137=0e<>})if3wCriy_sV5>;Wv0OasNDHw&RunL)JTM6(ZpB)$
zD#EH}VP`sM4ApTq-ilW?vC6gT0jnILYUHF_kY2#8#wyxsVl_d2bE^elOJG}sy~Ez2
z%G&SR@2V(!x4j$bPwY<s57-9)zq7wn<?LVVUy%M2xEO`|tOnlki;9K5b5zAa=lK;m
zzd=e_I$!65O5Qf#1}^O~cVUd{TlG~HXfq8|RdB_Asv>yISXBXh<`VSaQtMJx7W`%<
z?(;V5HdWcW!@5J+;Ca6(6Z|Jql>rZmQI)`lDyj(ZqN=JK_))Bi0Z*!?qQRG{tMcH4
ziNGdpwC8geib1s0MB?W}^f(HbC0II<SUM4UKxK6vbb%_W6{J>G>`WGmZ(C?LajHEu
zoNDR<XgSqYM`$|nY8Yf#0<;~$?Fq!~3yIs!K?gO}RA`>HuwGj5d;;-&0`Yu0bWfj}
zL2PeBY;OmRp^-YDINt$UL=!bzHH9WMRQ1NU8L42RItSloq=kuUCcZ7y75GjgT})Ij
zsF%_6t>6W%)Enw^^!y984}IRRzC&-nS4Ys>pYUx)t>j|$n-QbNlbR-wnwlG}jLvGR
z(beb*twbnm0x4^{agA}GnnC(%NBZgjUi`G04gUK)O1@ycfLa@kjVL2@H-U6F0UGj~
zI4jgQfz;Oly!>61fwm0zx$!y93O!CRelQLrEmS#OxH!&2Pgb)@p%;=uFC=YFAZ=a<
z9^Fp$*By07H4w7A6Lg=>y0aRmyXkJo@2PvLA^I$R7IOONKI$Au`o5|Oq<uft6cT>`
zG$wr2U_D3=Qd1!P&qw|+Jq-Gh(DraWUXNFUNZ})(nNLz9^+oz3K%w?gdYYbww9xzj
zXi_tgzC>RFI7iPx3zzH5kzS}50$!=FM*G+3mFN|;30!5n-j4K}dKdD))<3B{GuBK}
zBh4(c6<}+#3vvdS7a*Ny4hLLpE>=CEbu3qvp)apceIaqKQMDj(z|o;Q-=fBvx0$yA
z-frHm8bLd`LnWGbns=(I=4x{_<jY;=U8;h4uX!)d-f!NIx(}KUsx)(*xeht&&Go4J
zsQIWm3-ap;b&>g``6OC?+I$*kUoc-lYcHBFsy@)mH=*Q9=1VHe+yWWb7c%Zuv?emH
zk@*&6+*ruCow(w=kaQKy-H>#BA?ZFq|35K5#aU=cXid1_XmY`5^DA?os!m>5k-TsW
zteykll;4`)sv2Vd;H+@RSo4Va6Vk#X$C$sEzaTA~att|T0y$-4a>_B#!v0jfpotwr
z8R44c&A-j#kbA;A6JSSaq)l+pDzK+4q=k>BkdKbB%2;KPBiwY1Rn{t}CR^pL@+zA=
zHP)(NRlwOwkkr*7sjC7Cmu+mtS#d}UuT3Ja9YbF0gBF;8{3OWq+K}m~ss?nzG~|e6
zPk>~vi?nd!G33NPNco1U7x{5{D-#mGHo5X>a^*2rGpiZO3vV7n-rN|{emc1OENd2^
z$oxpi{L551Yo0X^y1?bu<=~$4t@%hVuofV_(7FO87g>wcEbB_^N>vxy=3=CmSWA#z
z3VmTF^@W+%T5By@d%$`SaFex3O@;RK68QDY*2|C;uUfAHzHYs)GN6sWh4eetJAm(6
z?<x}(*)GVR_pJ9ITXtK!!N=dX-iOrMW5JH0RE>b8_95)7kF3LJ^QiTQ(sl*A8eo09
zzRIvW*h7#WZjV!@J>DL#^6d-l$&jQM*;j)5FSeH{mvTA6zRtc$WkNH%L-m6te7EXu
z-)rBiCfWDf_ajFvl}WHs9#viK$Lz;cH(DxP?5FLgk$%R024$YNpI7yuVZW&2p<!=Q
zm1xJr!(QC1>OkXuS=AKF5oceuUsZATHv2WCU$<XZ4eU4U?MT0AzlpTS$%gh@urSl@
zx9zu8edy}%s7}z=ccP5Q&lr1`{T|XHMH|}h+k24y!2SU3e`tS*^hfqbD%IX=e~h%q
z*oM&a@kSy0Gy5~N|GE9S%CWzI?iUZ;Z=dRH@3;4(KVRElBS)lhL;D;1AkyF3-=YtP
z>_bS4d``B%x4%aVKiEI0T-XhVk$=QKg1h_4{s~wA+5Q<hBEuWPo;Zs1uh1<UK)3t@
z{THbo10Cis<o|8|jatX;<EoxxIEIRMOvePY99uPT9B85G(2u`S1EEVsz(y|PMyj%I
z6!gj{YETy{tzN`WzVgOhAxR68*~S<82)>c{=c;m)&Dg0G->S%qgya=DT^*i>val@5
z;hRPeL{&=eda%7Kz^_vg-+HjYE2#`h@hnR5CY0i>!lZZyO7TvV;$0}kyQ9@ac!-kl
z1vkJqg0eh{vb+N98Tr=6Hy)+x;Jo;fYCx(tz(3JnTfhg9j$;PCqRD1Lnv0BYK^fmV
zOvZPljL)Tv?@Af3;V<chyX>v{U_3<Mb=5#f`g&@Jx)AxI`&LpHLtm&$sb5*mQVTIA
zBKxbWMQSnnz69SiwG`iEwG4ClY3dqvE6T5e7p5NkFze9HBWeTg;0b)|sVCL*=&5K7
zS!xTuG1MEHKyUa6+QVLG56!7PbfEUoh1x@RY7h0)&-iAGM+fcvif<hJ8!^zWD;O13
z9q1FW(8c3m{UyQrOGmzF>J^NpMoU$LK9Cl$1beD@<1FJWl>(cv7fQk^MEY!F7|P@s
zQ_#*-V=C%SGiIrp@W#zX&Lzg>s-ZF8SgbOQCB_mJP3@!+w3F5FrL2LD(lks*$)%3c
zl|Gg_@Z&v)mPJR2fH&_Yw6@vUjDBu4wjwQdLJP4yk%sLF_?7{i4IZnvQAR9>T<R_@
zj9tciXlJ*v8)rq2X(4_;<a}v-iS$>-SE#!mI!ztes9z%oRx0}Zo$(#g-y7ef=c45_
zqLx#KT25DLIZ@Pd8qp4k)s=N+Rh1e~3$b1yS3Lf^+1d;aD_q!tXKV|&_Eu{vc={{W
zE8y?Kmn*_kwhgjPxN|l5%ie&b*=}uDsp2<7zVPe1@ScG~k!#n5|7WL4C-3%=cQ+>Q
zZb{zVhP=Byd3O$ZcW3hMZhqeVqxBQ6{<HN9dL?|^vHrCFM*GL@7}!q2(<|E5?F3bY
zoV}Xez)n{Qc7~k+PUo|m05-MT<7@}JkE(0;wfmx0KYNg>1^?X;<eY2gftQIS@KF+!
zrzB_$NpQJp2|v}9su|@$dt2<Z&Xfn;?3?YIQTJAR72s|5?W&4c_n=v=o+j^!C*MgT
zmq{XL$s`|1A_qw#@9>d#X!4F!@(vRe7l)c+0n{Szu*o~>&;qDV3m}_ZBY|8aixxm9
zS^&++FWS%!$Og}7pxTgYWRq*OA=gMI*MN^4-xP9<G;)m^v<zyJYt$y!XilyXPp;9C
z{33}wB8eO!6Eyz>dLy*$BUNi!1F58Ei}Y-hp6k#8s1CZVpxV<8$R@33!9UXyIbscT
zBE`0$P0-Bf3A$|qD!l+u?1OC5WE;|CGO5v^t&l=GtU+6$HtDcADX<MKhGw)FI*}Sv
zK#eb=HL)AANr&0+vcHNPu^yVyddMaP)+Pm}koMZpE7}=;s*h1p=r9Fz_!-ilgBqKO
zA0BD3EwVv@2ay(UX&X{tGOdkfq(g&rm_m!S9WB;$(qwbeWCCe2fi&5g)R;~CBf%VH
zj#9bQzbacZteL73wXn+8Z1`VV2K_IWse07K>QWbTEz!m5QWtZni&dsB)|k3jQ|e-k
zsf#tGF4l;;SR>lMRjiw=n^X(y7V8$kRn{s%v4~sIBCc<(wpPR1zt6f4R~OyQvF^9-
zM_M#E$9mX$808<a9szvRdKB<!>uJ@%dd7N2HKcymiTtGuJnoxS4*5$W_{%Fu3r|TT
zPst%qi3CsCfqda3iR2?W<RgjXBRS+FQRE|K$w$hOk3^G?lqVmFAs?wgK2ni<q>Lqe
zq=WSf_(%@<NFw;iUq}ld$sr#}Bp=BkABhAXX^ec~9XZq%6UixZ$SI=8Bg#@+EJyB8
zp4_1VxkE+!7W)>|S_Qt4<5Y1lb3u;*`~~nB#L{CBM~^{<lk6m`CQho8s@hVcsY{K<
zrAAYi8chQD$z)oiTDRBj;Zy3MJE)4ZOrvy;&QZ~{Pn+vpovRwqO0A*0=q^Zi)m_2k
z#bVXEyY7J;v0IzaZmpqv>0Zd`t$V8!+OTzL!)DNi&DQ;Of0aN>HiDLHk{+lBs_L|7
zwH~Yo<GSbQbJ4<3Jyg{Y54XzJ7if4cbe_(G-%9M<7(GIdP-QqXP!=BWQLs;CexSS_
zqsORB%u0<_mGn40PF1Ew9IG$X7a~VIUvco4PgIR)9j9XMYO+eDja-{Hazo5zO;tWx
z%Bi%J9X(yc>%p0aRQTCvs#<!Mo`s&w*0XUfv7l4+r5YX|Jy*{~A1>4La4oT>Q}ukk
z0CmNtPSscFE0DiPFG9|hu&lMdR^NjAy;ZNr{XVLn#{E8{pTW323yV8jZ`N<%uD9#`
zsP(h{6YU=}9ax2~Syfen^^I9VGt~swr462Hb~XFstk~eG@c0jd-JNIVAwAq2uIh<L
zSk)AdFf0YJI}FUi-3i-dwY^$Zu-DjYR3zq1?t)iL?2%@eox2CNfLJAIm_@k{>9zJ+
zNIbDn49=+3w;!?}QjKY?q}l82btogVE6MhHdp-1Rv0u_@zhv2u+mAyJm-!age!_l2
zCE8Egu-5IT?59vm?3ygtHP5N~)Wf5kgU&%nDy>!$N2?Mq>kuQ8h>HotzpBK%`oz2h
zVp~08TNJS^Q46+JBeum7+o}`W;)rdX=sii)!}KtWzTj3vzkgJ4E1kHNLELIh+{z?w
zWfQkd;#MYct1fY?198hDZnYwAWzlO`QwxUGB8FuV!)#($BVt$<G0Y%_HKIo*3%CX8
zM6Al9U#0<ZD}%U|3Ea92m^Tj?)|?oYMGR|149g;hH7ABOq6eoFJvdeA!AYbCrz$--
zo%ARA6HtQqaT*Y}GKgE5z^w>)cgvV%;Qfy@Baw~*wl$}(C(BF*&ebB$H6qSs(eKlM
zn3qY+%Od7w(g&1fjxa~44#d1RlsrD-pGo;sp7JM}@~1rIPZP?YWcmV9DSuKZe_|+q
zQYe37D1XXR{xqfhX-4_el=7z;<xgYEpT?9w6)1n&Q~tE4{Ao}5lS}zigYqYh@}~*q
zPcr3C6Uv`t%AfX>KkX@h+Ef0tB>gy`A87BSoVKK#7NneVq?{I{oOsSZwjj+oq?s0^
znU18Hc+d<a8>uCS)DlT*DNAaJ2&0xVq?UH1mKLOzvh)Ht_Otf0XyG|fPCLqkij)ae
zC=)7CCRC<Os7-0mnbcK>)D=g`kV452L&+d|=EL;cX>*CW6f-}|%w^y-;=}V{*1G`S
zHSy%7(v#N$bKuvi`j`j54mmfPHzO@xy_)8&=B-GtGFPc`^zg;d!<SAEUsHPcqUhnP
zirMouX!$PlZj`^rya#FV_SM0RI{1yb)?AA;=GM`sc>d~}519|6590rGFpv2N`X*k$
z7<vKAn2%vDt3G{!N$>?eg}R<E@EOc*rDAsLd7Kr$U{iCWxe;mc4z{9quqM5O2{J2+
zHpNGnN*`eha~o#EQt2s7#cbFP^iceTG4vN!rN7XJnX&iKns^OU={3~mhvrA<=U#I!
zdj7HbG0ut~u_pb9P3b{2;X(XLHAB3_K6o5uP9=kW#8~<flj%on20!9=n3ww=-o#{h
z6MsTl{D^7vBi1#Knn#fqZ(=mPi4DTMiD~pER;D*G1Kvc~Hs*176Enndp=!aKXh5UW
z@F~`UPtn3$ns^iI(wi7-MOc^tqffB{eTvbXp>g3&tbp<rt%@p(-o#{j6YGX~6YJ8O
zSc~4oG<p-O!<(3hnGx|OCexePjNZg#dJ~iBP0XM-F`9nF%Jd^<Soq>9;!RAp8e2^;
z7ueKlihhbWu`a!dX`VNco-jk^npJbmHopkVZ4>-qne>On(I1vVe^_()!?wa__6odW
zDe#KDhP3#@YQP`%2GZN@?U)S`uUPpouUHd$#Ukkyt3t0>CcI+1Q2sspJzPb+VzuEF
zdmlM_;2WzA-`Iy}Q@mpJ=oO2jSInkYtRlT)<>?iRpjWIOy<&;*ihYf`;t$J)KkOUy
z@F2Wm_2?CALa$godc|7OD^`PEv3QwH$Nh>|EQMaN=J1OBg0%R<GU*R1Pk&ey`ol8q
zzu*t6M}Jrf{b2^2SB8pnw4+rGdd2F|D^`PEF`1{7I1;VK0c|W;WfA!LXn9^p%hN~8
z)3Z4n(dNXH!nZlC%~p`%)nPHpe3LiFltJ5aGA+hz+KNqSAGW4tIF2@<k2ax?HsOV|
z2|a7D5v{={v;*7F4xB(sZ!+z-Y}#zCX`xM~-PM|wQZ_B33|d4Pw1~#j7RsPR8cu$f
z0DiYj<&)E;kkjRp)Ab>z>n+hfI4d(3walBq>GH|x>Vwm*LRw}q>XXNr<Z)+_$JHQ@
zt3w`_&$)~w^KS6CeDXLGJZ>%0GOy7a(L)a)Ej+Fld0akuoJk&+PaapFJZ>O)Tt0bR
zPtJGLGM@sc%O|HZP2qI;<aGJubZ3#%<&)DjB&VxSPG^AAZAMAqbbZL_dXv-Tlhc{x
zbou0T^*QU=kNmC<`CSrbK;J`M;dgz=?-Ic8K2(#;kHGcv$?x*X@9LA^oyB>RcyhfS
zoHrRpewR#sH-!8y*Zju(Ms+6FOXuv#FwUOT<m|~Xa=jtsdc(-|E+E$%LawLD^%`&v
zWeB-mZF0R~oI^?E9Lg|qJ<U0kVVpxr;~dH`a=lLEdPB(dx{&J)Bi9>3u9wRBlrfx7
z>B{+(nw(D=Mn2eud~g`~;4t#R2AowHMm}hf4-O$8tjk%IVOAoz;rZl-x#WiF<c7n@
z4K=ypFml5ooLi|&o>-eaF_GLbmvbxeoLd<}o;Z{|aTs~x5c0$ZC0O_)sA1XEu-a3@
zYDW#rp@!9t8kQ4g;SZpO)t4I90BTr$sbTe}hSi@MR#j?PgQ;N+riL|`8rHegusTq~
za;agBpoV2r!x}*i%ch1km>Sk#YFLA*VRfX1pF<0OGA;a(miP`cY1L;Umg+Ti5v}@B
zwC6Kv$!F4r&!P=Knl^l6+VIV2!?&Of-;&mQTUzfUX|ZS0O3$>D?0V`VTIr)`nP<`_
z&!SB}nl^c3+T<;0jkl%LiQxQ89_39W<xL*t%^=E~?wo(g<NQlG&cEbQ-qhp#OCBXn
zJxZDioPX&?NmG`RCYq8akMl2OIRBDINmGIIFL|7Q>CX9=JW85#C~5L2X(~|C<WbVp
zqoj$Vq{*YCiQ)W9InKZ2QQlPG{7W7sO*cxKJW861lr;4yY07i{C6AJ35G74_&cEbw
z{-pxtO&;Y<Jw`cHq11_{)G5PRm^@0IL6kZXGG(GBaxNy1QYVj6ryiwFH)^tohCn<-
zb!xJ4)MTqslRcZ>jq|9_j-?LUjykME9kw048yS#TaijrFE5o3bp=o7Uqyd*S5J?({
zAPtlu4MdOz%8&*$tqhwq;E)Dv(ttx6Fi8U@G1~%W->+QY^aIeF9)$18WzQnmvoh>i
z1Y~J0W$6OS&nS9phtOM_P087qlCv3nwQ-2N5O3{J%FhavpXbqAJD=WKc%kuKNN?>G
z^wUPtPrHJC+6;JU8>kiZ(`L|5yMlh&MU=V{JDde?tVAj`r-$}jO5j%X&|XD3ynr6s
z%PE1Q=#L#je{41-aAW#oTT%{Jpd3Dr{@D5S$Hvefn?Zl<74*l(&=b3Yp4dowVpq@;
zyMmtB40>W$&=b3elH5lhY;(%<R`kJMMIY=6`d}mJcU?ihYX<$U8T7lZpx-r;e%B1j
z|5o(4uAr}V1-+~*=w*$hmvsfbtQqvOuArB71--0`=w*$h?%<<;^?Z6(uc98Ykb1;I
z`cyNhM=Yd=Vg@}FXVXJ*4t*0d=$jZ!uf!mFB^uBxQJ!9jTJ%at4CmRZHoX!9>6Mrc
zAJ`Bzn%=LG@P3`AE~B5KJbhpz=&h(hZ^cY{D~8b%HjCbhOX#hbN3TR4{Sm|IiKs(Q
z#6)@`=F$^Uhn|Rf^g-02528Q44|V8ws6)R)4f-7}p_ic!{R?&IQ<zSl!VLJXZa_b8
z)wcuQqt^mHsy85VL_Aod;lX+yJ(tLl^6+DARU_zqm_hHubiG@@k22ze7^pwhpW&={
zB5KeRaS445b?9rDOD{tmdKqfazfgysg*w#Qrcqxrsi~Errq+i#S~PXBWa?rrb+K6L
zVm+vZRi*xwOwFs0U*{5wGMO4ySL#*{b*pG<Rms$(T<TD1)SjwSZz@B*sSh=#WNJwl
zQcLPVEvYK?qcYTwrcpmyOnYz%bt0EK(Nt<f1=NNNYD4kVhWb(u>P<bUfO=3l>Olq6
zgW{<N6;K0;rv{Wr4Jd^gP&_rD?$m$^r~y@`22?-|D3Kaa0X3j*)PM@80i8t+D4rTn
zS!zH9)PUlt0bNYp$ENO6j=E0)b)T}-eF~`i6j1j`q3%;a-6w*&4`TNay%$H_r+~W8
zGU`5ksr&S%?o&YBCy}~O0d=2v>OOJQeY#WksZ8CcFLj@()P3Tq^%PL+iKo_+f>`CA
z@V!esUT4H84_6%-m6wb7<ni#*OVr7glmu5YPH!pW^p;Z+w4)?wLrKt<lAsMGL0d|K
zE2+g)q$ZMHNE4CS%8O3WLB>%B$)XO@h&o8qFdbwH=Mh>{6B$oUB)yO(BC#YFh3O#U
zsDort2WjNjL1fmjH8qj(^hVXBA8Ix|P-E$Ps!Oj^P5PV0(BD*-o~BXsG}Wi4sUba0
zm(tTTnLegD^e#1|cc~`*N^_{`RHBZfsonIW7L!2zC4u@&67`p!)L$&>FO#UbRH4q2
zM6D!=`bYxxkqfAa<Wu`dqTbPy8b>NMjs$8P)u?OqqkfS@%_4!C#RO^=lc-r#p-$0{
zIz=UF5DC;EdNRhc6Qat?srHB~FR!}L^K~{oUtW|)8_MRkl+A6ZH7rz08Tdu&q2-@e
zR;SKA2dL^JW=)x(`iz+}>O!@7Lf*7V>JM?CV0F-O$ZV8_6i<Te%|^^(FEv;VhwVCD
z%|kT9b?SDtRy~Gjg;&(u>O+(?`uFRYqS~@<EUpv<*`JI^ghsHCJ0phT95n*5oHNwr
zh=aIZ-J$MRk3;sps@_3lgIq5b+Cy1fH3d?>G1}>ZsEZ+Lq?&}-iur1}x<TEk9zdkT
zMzu}tL?lF@pRvkB+(|4nh6a%F?NnD-+2^WJDj(4p3six+QLR=FV&?Tl^_qHDeGIL_
z?l2@bMGeU5Hy}kV?$!US6!m=n9{p3);Q{@6q!=~*cW)t*B@U$<LT6~N`axS6ttPA4
z&`VaRo75Wh5Mnhpsn^vmh23h{e_NG@R#O8yNi(eVL&PJZKF6qw)Fsd~u2MIvyAbp7
zlzItT#(N4YzgWkCpP@Ru1{u&+I;!q!0AfwY;+?y55I=IYx<%cM2$84NX0=`IR-gIn
zxQMEWhhCJ4D3%<=qMnV&*Kum9x>Q}s=#qO7QSuCCncr0JBVNS2P6Rv|35YWBLHFte
z{bwLzPRApDWiFyrR>BK$uUfC3MZC!lwFml-SEmf3TO|4>3y~+e>MS)#<st6nVs#l}
zTCP>Msr%HU>N#jmZ>bN|m+Gs$yb06nA%w#T#}iH=oJ}~Na4F$R!dnQ}jL4ok!hV2o
z1K~!(ZG<}s_Y&?WJWTk9K*t)9H+7T~O<0+*I$;W7ZNi3x*@Vpr+Y)vfF=FCmr#s<L
z!bybl2v-u`P530?Ho^}H4~?9ZKhgPHplcCE62=f#B}^bpBdkl9LD+col)MpcOTtcs
zy$A;r4kw&IIGu1F;ZnluCX5@C=iW|uH{k<>>j|GEe4cPK;Wok@gu5o>kC@<oNcb7y
z0mAPIe<u7xV1y!cCS5#nN<>-0iiB~5NrW{C>l6A2n-aDr?3j;3L|4LIgaZhN5Dp_8
zO*nyY3gJw`x%pE@PKsDaxRmf}!W#%z5w0OzOSq131L3oi<+_^)Um@I1xRY=X;U|P&
z5gsHwOn7uEa5&<az%o?{eT3Z!M-t8@yovBJ!tI3nr;eL6I#Lljgk=dU62=iG5!NKE
zPv|3TI(6cR$&sxIyAuv398EZla6aMHgtrquMELB~slKepZG<}s_Y&?WJWTk9z$l9_
znlO$q4KO>ZAz@>})`Xo1dlC*H97;Hna01~pz(!GX2p1AAC%leu72(~44-sx4e4cO%
zVB@Imgu4kpBRoj>GvVI?%SI4ZBupTz4cMftkFY6WYr>9%T?u;;4j>#tIE--g)Qg8t
zEjxj53gJw`xr7S|ml9r0cmv@o!ZlMbo;<beTEY#4n+UfP?jih&@G#*qf#o6yE6*M^
zCBIw>VQs>OgxQ463EL8OBJ57shj1X|u*Oeh_dj(sAwgt?sDkYLcclzSLh1FHz@lqf
zWk1Zqt6cy4at!Doa=&K+P3S$cN>`r8zbj=xUy%Nt8MIMXBL)|aEwmxJm*K}o4<}9L
zc+krc{n4NndHOJgb<Yf9XCqwq%wRI>o(YV?lauxAMOU*c=)wQLoH1Z4$k?9=6x}%n
zJV{o2E8y9G>|gvM|MRLHKPQ-)5=@N^rp^zh1_V>xgQ@nxRMTKeR#S4%gZN&c9big)
zXaBLS|Jc-j6c4YQukAm|ET#OHHSKbY_8%Spu|1C1Lm|Go|LF4{>-vu={$rf~7~?;}
zYs-2<+o)gtH~;_2=qdMOh)0Z!KP9}0dDZc*Z-44gF!e<+wI`U`5ln3frk)L?s@)At
zNv(D};Z1}q36~QtBAiD!n{XQ8B!Op)Wgc!~brI|**^NShll{-74Oo*xAEytqVS7%3
z<vkZx;R;y7x5Hi&+j|S_La{#&!$Yl%2qOmZ{V7IW!)G)%+QSz;z!++bG$tTge~z)x
zSZ-WrtTOI~=XnEs&07#rzsuMQKk*?%+aALrR?#qwYP<1-a7=FK{Wq{~R{k5;`H%9H
z<i9*KIo<%A@y?5EFyVdvS#tse5rAcNiYF^{UGHet_a6^alIZBk(es&dqL)Umie4AJ
zDSBu0S6<73WBK~t|Cs9DvC>%oakT#^7=s>E>Eu6t=s*7K9jiw33TD-^Rg<dv{CUm&
z$I1Sq;1$}ay4ZhQ;XkhRA9whVzxj_x{YU>bVuyJDWBu*KPAKwU@Eq;O-swL+=09%m
zAGdp>82h&OKd!bnPH{E8W7--oKkXr9)QGfJ36$7{8j;Gv&Mh^uGfOV=B2Wrv;A;^W
z3EWPB&EJr7A#GvzcZW{}Yw6uug!KSpn2vEJox*eq)AgCI&vYbqbI?W?Kw?JPc4egP
zVSn6{=DZSCMyCx<+l+eN{rdd%@Gs39ku0Rvg73$`KQR*6y$9*CkOx?;qH4O+vA;*M
zI}I?+oefyWT?m-&&ID{ysN`JaB)f9})7<%hb=-MUhUrnzA^k1F$K-=wr?oqQ<tG8A
zy5j)TT&#w|c;*AvaVG=TbEg2dV$LXFQZ!_ge_Y)qIFn46>Mlk)jj*P>6zMvIMQbc)
z4S}idGS(1S(=7n3LpVwqsSjZs0=}AXzgxJcMzpXVs3kjgSZaJQHC0+--hyD>6T#F+
zfs}z=JiNLFq=MT@Y8VZf2MkeV4MfMdb&PDl0X)}<=cE**m%qF`3tr!lJNDXG9mvyJ
zNTF`3tk%djIvI=fVtvGHY_>HQTT8KS<RNE{>$qLrA?{ZZ8zPRDX<lY_nO%_?c;ap0
zG3*5&)%nHny>;qI_yD)S^Y%7;Vte7OI)GWapVc2gea9%PA$812ZjOGF$6URW$Hf|Z
z4IqDs-o@im{SJ@I^jkbG*H|No^952L`^T_8j;xO(>*L7!II=#DtdAq><5-}#V-@`*
zP0Y|TDrpi6?bg%R0H$lfk{o>{V6K#O$LJM+i?v|H5`8t`QZ2Z!ObcEt*H-}+oQSvj
zdgLc#j!N3U4lqYw3z&<DYiaE!z$N--z-9VIz~zv3E$LtE2cPP2V9OMEGUvmOyAnRe
zHSnuG2Jhb{_;R<yx4H)s<tud%Qst;RhPf<nJRuh_KDqiM9vABmcwC}C=5eY1kjG^j
z@*m}v>%BY{NPUb;jz)bPSszE%$C34MWPKc2A4k^5u|U7a@w^Rpk&M|mx!+ZQIr>(>
zTsey|Tm!gR-wC)x-wn7_3l=WZcK|NecL5f_M=a}q>cZ377-P{M7}gVB-NC@Ik$N4j
zF-zZva><zMlWVL8tfwCVOxNcEHq!S3=IDC>bM-@ji}eG5OZ0<)%k=$#%k{&6#XYUZ
zk)MqDLuvUjz#RQ3U@l_frJW}Mm*}Sem+2<}MV?uhXGA%yv<z~a02kNK;Y>1SAf>gJ
z0PE>Zfa&^tz()F6z#P31aIt;?aEZp+PVk~L$AHiHBy;qqJm%`JcwDTZ^O2(V^SD%h
z$>TEpIgiWrJ{}7&1L|P_>f?#BK8~!9;}Wa@kbKt1k@az8eH;rgk17<k8E~@R1~^@B
z!5t-I-c?2bE1z+{C<8or4REo>DrmI&2H;Zt3gB}6Iw0bE@#I_6`#k{O{E>{qn*)FT
za!|od(5dbQ9jpg;c^>}uZSaKeQXiV_*tcY}J&$Q-TOM=FHazB<U3eU2cH(id*^$R3
zW@jFknmIf!Gdu9O+|1>%K!1ZCCF_HLY5E9YJ^dqKx;_AyqrV2s#hkHrN13ew$LQ|?
z7wbcSOY~vDrTRO-W%^sd<@yJ};_&V$@{{$ifNA;{z#RQEU@lf$NNc|XF42DgF4MmO
zE{E^Jhk1zhm_z9U${41`V#Z^pnuj@p6`1k41v4=BV&3C1%t(*}n>~0p$!1R;(@fYu
zcw#wbHy(4bVnhCqGW+nj*zCpQ60;wVOU>RqE;G;Kak<%-#{&H~dXub=1Ey*0uY!Ib
z1I#sH@1V7=fMZM(aIpz5guBGF0hgMH<aC!oMZukz7GME<TinG;Bt5uaSICqB;D5s)
zRVIJ~&V)X_&@6+J$z~*AnpqLBo>>7fU5nn($czBYF<ro1vl8GavkKrivohcWtR2v9
zz8MX;*enaU#Eb!4YKm-KW<~)nH_HPS^K8s&$WJz_1E!fGfpbjEfZ-}hfQ!upz$IoP
z;4(8F5b{B!vYCQ(j+qRYTdKROfs)B)O~5oW9k8C+5HKC<cI58T0CUV#z+AHd;3zW_
zaGaR|I00*K<nHPME;efeE`jzgcUK2+nF$>dcUKRv;I#2(5TA3hIhe;Zb0Cj7=Gi>v
zVvUc7H$!<`Y!2aZi3yt<__WkKm&ax1IXo^m&*QPcY=qt<n~ed}%xu6MGYc>mdw9sb
z4FDWtHV0g6HU(T_wgg;iHUnH{HUV62wg4>VX+bMMYtSjs8Z-*D0DS^2K$}1d&?V3U
zGzqi-J)-y)-bcPjL22P5K#_pb!pDFj{iKCGfFk*dZ{aiK3m29az5)~uDlO~>6z(Z4
zd=4m_Q(B1fwC8}X8=wI2G#RD#fWpsYl-d9aFOyN~1Sot=#-}r&@Gu#l4uHbHPS$b{
zoE2^$Eq4bLP9QD!2NW(KE%yQx4j?V}1{CU-miq#h+~+|!EBGQU4+Iokk(Mt29Ayp#
z6fBXJ&j%C?k(SQ^6zq_eO;~r>b1gPS>@fVYBqz2ze$in$I2Sw3`}xaA4lGXjh2;!I
z4t~LQ`rtq2zQb}lBPY91PD|v}4(8}sM2jQ3;ZCekTZ0ugvSZ}EvZ4l&4YF(GLx^g?
z3K~Q;Jc?+B#}UQw1Y#K0qsCn*c^_8GJdFIOk@uASw9-`%t635&QNs5wS;G_d#rn5m
zzE}xY!WS#qctz~p5%$G;IEl0<;fr-|>>t*`o$$pjAH{yL;-}az)&Ldv#eHjIEh1M=
ze^1Jfti9I9)+g4d)@Rn|))&^7)>qa(Yrplib-?<@I%s`s9kRZ&zPEmm-7Bpl)=#pY
z9+51+TEAJpTYq3B>@n*v>u;=u#a0BiwoNQCv2Dk8?FhS!9cf3|W$kiyH1@rWK@4t1
zyOLemu3}fUW9>M*8dlB5+X;3e;&PMi6g$;UvuoHj?OJwiyAJlrtcOV526jU`9c%J4
zu_8aq&bAxbjqN5_TieWTZnv;o+O6!?b{o5`-Og^0Xqt|8j@`-5wL9Bg?5=h<ySv@P
z?rEQ8_p*E2=h#E+K3K)y&+cyzu+O#!+Jmr;|6Kb#d#HWBeStm9&O<ct2z#VG${uZx
zvB$zTyU?CsPqZi5`Pk?1B72HG)t+WwY)`jm*fZ@}_H6qSdyajnJ=ea>p2z(>7uXB!
zE9^z~m5AV3VlTCqVQp`Ly~4iAzS_RVUTI&8XrAls8|)kHo3IbSEwT#$_5e6t>^~9r
z{}p^M3D?6hT+%1v_=))ZWHH!$A|{`R!_Ujg9<1xxg!t;sh^xjL9<1PbRpO};hlHJM
z5Qnq_@kehX?r5j1%)z>x-4Z1&>u?YojeThlfAlG$k3N?uXnUWmv_a$%_MAcF(ILbg
zeUEq}*_HAL;+nB~2C>Y)BGTx0#2Ni5k;{lNIxeeZutvs|7$Zg)85RFFURS!3R+XIy
zr;=0IsbXD<h~+rMD_3{oodm=xCm~Wf1#!x0P7SA~18tz<QT6fvI!Y{#4g*wJln%2%
ziT@5dJfD>KpP@sc!dt<QpdnV6qk1A5?mvr<e*+^=z(@N9^eztj2KI6KI{lpf&H(3Z
zXP`648SI?n40X<PhB%P-F-K9Nqm$!wa&n!{P8X-E)6MDb^l*APy`7%US;~kxs8dDi
z#~j4(=b$7G<opqqqhpT696>4B;oXz+I_9uSbS`n`IF~weoy(kg&gIU0XMwZOxx!iG
zT<I)!mN-kDWzKS^z**s3<y`Gt<E(V9b*^)6ac*_sv5k4ffwmIU2feKA)N$%M^_==n
z1E-;r?qoQbPPWs?@j1{}W7aCmxzkzgta0wbzZ8^j>@;zjI?bHsP79}{)5>Y>v~k)y
z9h|lfbh(&?*nzQ>JK3W2Xp|mg4Ytm)hFIrXL#^|y^Q{Z4Va4rx%Ud^MIzf{(V%ox=
ztYg}%Y;%m&&T4OUusT{fRwpah>TGqfx)$4mjbS@oXBOGz`fPVl$-7+R$_B31Qbl2}
z<fhnbr@3ySTk2N2wQl3wp|KBWOmoBp0R9bw&w%9@(->>vt3Vxy)p5F-uCC*Cf=<*)
zI$5XaRGp@4=$g8guC43ny1JgOuNycQIJcn%S&yI$6D?FmY-B^7t}}F|_USC0tsCja
z4m|fU*vk@SER?|>+gN26q08t<9fkRgaynX<*D<<+uBc%jmOqB|>)5kYms3XhKQL~^
z`<%3Sp@vOq&LzBza2}zTKcDFZgbN9;AY4RvC7@9rGXa3>0I{YWKkUYgc^BEoHB)0e
zRI0WCVb7JnT0ew1-2Vn`=l{M|bKA*u#Z&5urIkkiq!##}mOj-^&;n0x0iB=&%AOMX
zk`nA5DP8zmTD#|ePzyB2{Kw^Pv3ekS^`F#Di_uK&7n}&Idoeq-4?J-vcgWD<G*`dA
zYHhS@iUe?OckXb#cQF)w4+G{@-IGcwkwaw@)Kx}Jqdw-`n;NZ+j#vlQi}UWojj_fg
z%)HMw<{67H_rB7&$+#V}?+;+t^d~X@z8UWncpGcD_F~5TfN>bRT>Xs=3nC#$;vltZ
zLPGf<`C4P;Rae~$>#2t5VR|&yJx#$bJ#(>QX{o+i-=J6NHF~XHr#E0t(kA^1)*<cG
zd$9KCD}7KO)<?1Li8dp!OMYdux|w3uHXEARW^>HIbuzn~eawO8P;<CB7W<Y=GiRIg
z%tcspv=VE;Z^v5h2e2~xNvyWsjJ4Byv0CRCRthIz%}Q&G^iXSpH4W<x=V1-ua;%fR
z$-3RT8|wqtTN|v6*p+GrR)~BETlxrWW%zQfmz+Gn&CYPZmz@!STbz-ATb)sWuQ;Ot
zUv<U+ZgUV}W4-2#6G>;i?u-X~!?_S}yE6gsO=lwD4rdbJTTVXU+s<Ubcbtm=cREu5
z-*u(}?sBF9zUN#FxZ9Zy_`Wj(aE~(+@B?QS;D-)&DM#-v(eUb`e{%p|b}j|n;>-oy
z>Rbl+iZc(TUUe?l@SUQE^YL#J`nUl9UUwD(zTsSfyzR~+4KE`4cqQNtXEESg&Jw`4
zouz>9ILiQcI?DmybqWA?IV%9)bFKp1?OYA`zH<%W9%m)s2hO#CA3E15Z6|4XqU~f2
zZ?&DGp^4e4ItnmNmj$c=eM8$dbu?ftT^_KujsdKrD*)Ej6#?ssexfVetI+00x+>sa
z9SiuejsyHeR|EW1!yj#ZrsDxW*9m}M=tRITbrRrLIvH@Eh7a1>4^3KIU+Xl$1G)y_
zH@YU^K@CgL`c}hVY#q{d0Ke1lAY0#Sc#5qbbbY|Xx&h#E=N9xzIky5<(CL5`bp~K1
z4V}fVtbKr0WDeP`s<Q!ObtAwy-54-KHwDbZ4vgB)(#-*Vx&>giZVA{(w*qXeTLU)H
zZ2(38*7kjZQ-Bx;K#Z8xS}Y6uFFds}cvnLoSP!+G#?WL3fyZ=HF4o!fg*{QnX#$)d
zjQ>%vJ~}~jZ;H1@oP+;mVT<HKk8g%|NDRUMa<EJ~L#uC&H%gp~|Ix5hx<JQof%i)c
z#sBiKTDn5xZ;7`}oQMB0uwlAE|8Ip=UFYL}1z0rQVGXp#n<y^8|BA40dcZblgZEMl
z1BT^U11<PHafIFvE(jkk-c`{7aHQ1{aFmq;INIt2IL68a9BaXci+5Ob0UU32g%aBX
z*2PfRMA=Szq|SqF)W|^#u;^C<COK;WlVN$-u<nPzZt^*8kxq5ab<T3K#NI&U0x$qE
z3wY{yOHd{>(3#XiB{l%pL_~mgSKysOR~xzJ1}obBs#vQG7MWOPXKEq1*NFa$`5l20
zjbkAaBMt8;k|-d|aIjy7`6d2Es-ajRbGuq?BpIp32xGMQxCQ+jQ4>Se?Z_K}wBe>R
z=K_>UH6*ggaMJ*_zpVFW6vL3#ZM@+m9q&eB%nkHznVE^eRiJ@G-%nO4m}jnuIKBGN
zzJ1^sh=0W@+8pdP*9Cid^~O5cfqEF$w1&N32z>iJ{Rvirc9mHQSQ{D<Y6|mKFC*4u
zEB10-ixw_WA7PE^esv7%Lsu9>u_p97V+7WOK5mS`y3S{eh4PLIV+mGnZZlTO%1z@s
z>~*o*xE|{?KR0f-Ub4p;_rbGwo9+#5>1jP5^8HJ_%HHR=m{B!U0!Pq$15|pEw?7SV
z2jY!S6N-P=6YHk9fp;36o~4J8=F>3D$I*^q%M;U(HPQ0VM1&CXzQTBDjM+@3uzGh9
zW^y%*zOUi^M+Rp01EcjTc9fHG+RJhJi{o@2$7v+TX)MR-3XaoKj?=Xqr|UURH*lQp
zkhWprc4gbP)z*SvAF^%%a+g|5v1|8os{p&Y-e|2tED+xAfoCpnb^Fc0KHx?Rqq7<U
z9iWFAi+yx2z#jT}#tL<rakcTBdYHSne8Bx|Kg3Gz9qJ?Q0kIdYl);)=_!_V__Itcx
z;zx`~6xO9y!d^h~?vZq?CrwjLxstRwR+3`nmz8a`#ws%nuE4%>{bwY4bra&IWK3_9
z`v6Zn2Ythc0-qskK-(Ri-by*oI~&=1DRCa})WDe@URn2QP#0SE?hLyHC*saz7hXsN
zwk5a;`oZo4OF0^7*WZgl;8T!J!T&w10r)RZv>iB)0q?=+(t01P7ybo&jKWU8XF(I|
zjU9~p8vXEYn*q)uSKbz4Xw2_md>~W60TS?)X9s@ZobQ~EohC1FE`dit%H?qk(m>6M
z>-`OQd@e^shMXHC_lP@_x6sS3&&Y%2-$g$nkt4v>A$kZ<^BzQ&$Qf;Q1K*ZZD$e!=
zT?3P`DiHf>g0_EE8?aMzym|t>C|$h_J+hg4mzeY(G3iV0C-5~f>4;#Gks_Fc_)g%E
zaTYMXv(XD$;swS)Svzk`lD+(ld|Cf)Oa>*aGcLmF_5H@p=4f-Y@fNA#ZBoViq>7J7
z6~B=x{t~KyD;V5EM+jADS>^o&-VOGZc|a!!e(F@gPhCs!Q+E{n)LjHWbsxb`-B0jS
z_s3f1*7{tb9z6<o-%XE(3_V+qfz%qWF9PPw(AbsLTA(k%`)^k1E36l+7xWUL2fb9D
zgkC03LNAvw*9GvfEz&E%cWddZ5GPkhUyZmt#8lz!X_<N@cvY6Z796>ez7DZ|P4xA6
zYh5#a1KwQMLf?qky;k}ryuq%mz8UhNqrL@ivFoI7#XH6Z=vClr1NCj-ZR7Oq;BOQ3
z9pG`3^__U9-4wkV@3otz*WlfD)Ae0=zuioIH{NkKTi=8C+|AMV;$3%h^?i8X-8{Y4
zo$t=q_qz+-h57-$wdg@SX=qvG4T2$!A*GHYwnA{N18HgyvFaS)=>U~S`Wgoe>Y~OI
zi!S7zLK8vf*?0qy(0D#HlOA|4z#uD6%_hBHL5_4KX;9u!b(2~Onn_m6Aqmq|0i;wq
zA~$63Vn{BLWcHWE`cUCN6+h~k(i=F7@B;-Y2v#Y4W!%V7`BU;IPAas{xH{JvSLZro
zy!i%YrIto5aIE7JN9cWoP9%+AH91!Hvg3aD&5!%VDN}z@*G0dUGhBV={J8zd`a&B<
zR+O)dV>gI4b#+_$@|?&94)%bX-%K0Uo&9}%eGS8M64oTmOF%$~e0!_mSU8)nCSbwv
zH2m7i*OwaBm{qw_|2GHU5>@H(A76Oqp>7Xk6to_c@b{hbE3Na*H^0Yk(4D3>w2qm3
z?YDo<d8OAm2YcKyW0!NRm9Jc|tA>qEUA~N+G|#r2N_t3#tSY`r4*o<`Dm!S@)M=xp
zOiIbgn>;G3vah0KyOp9kT|8xY-lXZ{CQKNWRUWM&H?op5U~JxuX``|dec0vyY%8i#
zWiKNoXVjEw<3^7gkvDBz{-msAU!t5gD^>NM9x!equ97!#^0-N3QgS-@l48qcWoKn)
zXZiRU5?e0YmzCYfm))pIizY3G_|6aO?AiSTmy4`ax&N$*d6TA%8j+HdKV@?M6z_6A
zUxs(NI>FO&!Ib`iEA}5XW%{@gqo(50Dd{O)vVHT7wD18kY-P?j$}8kY>iLGD9)0NX
zZUcJUm{2itPpw(kqz$T{zxV0dTXLpexcSA5K12Sjym|VH9HUmwhSgu>{(Ru6OJ1I~
zJ?;GsFqD2h>$?{>Jk_b@g>PPv+v=T8J8~*cjh(-2+=d2k+?@2#l=#|bU6lN2*2jPL
z&C~twec+dF4egn^_hc^F@%7DL|GoT+LG9YSvT|?t-!5tN)vU-r4_~~v!>Z$3&AvB3
z@cx85t{r#fsCo;o*gUNAmTj-Ks{G-m%MT})oA$}dv<F}R_0MT@>g@lud;Dehy?lH6
zx}^v2-Ty$Hs+Z>ddecP}p8ulH>K^;f`(t19eGTt;U{uPxdu}+eZO%Qtx^_BV?Tb$C
z%Bc6pE}VDX_?aVf-yGI??tqsn&DlEZ$JbuENSmO6yDtC3clob;l!?(`w3RQo<(ElA
zw{M?z%dU?v{h{4QhkDM-_}G{2L;%}u+cgZUwy&lyE%4uGEUG$o+O)|nGc)r?Or4xD
zji{3`B7Y)rEU}Vd9JeBT4h|YTq8%P#VzSlT*VNbe&g?sVi!%I`M@*RzRyWhbsBnbJ
z>5zdk#OK6XR#{(Upa*7zFIrkHFITcaCyuYK{I6i8`jYPk4rf*K#d??%BMlN?(zAVy
zo2O@mqX+26y!>)ymbvw+SwCEMj_-jV#y;`Kmt_*4>pkB&uh|9n_Pe8M!NG);Wjamz
zW#YGk=lBl%KCYm~)ToO2UG87kqQY<WAH8*b^_N$Cd(I8&;T>hqdhG42dn1O{pMC6$
z*@=UCt{oNk&8+srYuzyE)mNL1UyvHHqQk+DKN!?5aYnZ*>sNKozqk4Lw2F82t+rt9
zlfL=ZU7+}7eu|HN>*wa%{(iB^Bx}$3o8qhYDbnMAI}Ld>?8|Cih=#LU1Za5pY0+?F
zAQD+dgHzFP|8Zj`jhZ5K-1wAqyk<mHi%w5JSL41;-JXj+zWQ)pWdCc|-}KSL4a;}m
zI_dbL*8R^eUuB2YuEAgT-*CeR8}nvGo%>qPMbr0vmeV8c`tLV4$a(3GJ!3blXy5z$
zE1Ex3VQY;eBL^R@lAYgc(CT%I@7C|vPkOV*=O2%FFLp`xx$DordC1z^>h_6_{r-lJ
z@>=EgO?<23z^Ij7jy<^U=;$_G9-2Jm>y=+$@Mg?2TNaGGuG$N==6!x(XWBh)KdWc2
zo^kEDqh9_#cG~kD7S-Py(R2CA<=3R&KBH6e*xhTV&G;z#-0Woomo<9fgAv=h-PUsJ
z)`N|rcK&!*{Ljlae(?C9WvxE3?wg(VSj}}AuTI{&vDbpy5r0O#aDVTcBR-F*JLQ2l
zJvyFm48lnD_mvgoC)vTh;j1eDY6)qagk;=#zNrCn0)db5jq=qG{0D(2`Dt|8)O6DL
zjHww@{T!Nv-Yi&FFKQ4fn>Q{mqe#)rX;Y`BkH||OlbtbQ)D&N9>0Gka#Mj7|b!X<C
z>EX47A)KT(SV3v2JUfiJb$(^sUD4euC%xD6!+s-T+nwL^`EvVx$<mD)R-CWuyyCfE
zVJQnC0&hgC4cF9HJr7?s+}CX8|7+gN<DuOCIBu3~GmT|3BsAJ2+cRUWP!iEZT4hO%
znTe?}qnWV`S!1HQQMXifX`xb)79xsJa#a+`P81Ot<o;6kjEuD0d;j{qUianoGUuE*
z=R4<lp6~Pie!ky%COtw!f~Azxys$B~_Bi4q-+p0A{7QsM(;pqYN_9{1hMUA(uOfl=
zB8q;eE!AsgSBVE^bjDdj#=dA=+1s3!oVQK*vb{1@C%BC_U7HJy=UV!A`QNBojKrs3
z93+)SX&%LdK9&2_<m$^@?}o9mwqVY@)?*T%y{tiMuk0rkUT$dMWx8NI@g^FlH5lR|
zWtQO5j(da+^AgiFnVF#(qurJxaL$BXRY=s<vz_y5-kp-q{>L|z@Uz3Cwhx%)Zb;+l
zYv~5&HR7ePdwX}!cBy`I4sz6vwq21|9rCcqe4Zy|Q+y$vd-;K?X~?nGk^+@_qz@E6
zV>dw6#z{;uoZe@)iM3%m#PefXH5WSlh^eqg-*Z9{QUE6%XbsF(8k;V>*|qVuOp2~Z
zRG_dp(Hr>9Y#$C6Z%^a;vDkYE%ODfsN)(o`n4*a%LXZ(&H1n$ozzk~^8&CG(da~H`
z02&qV!=d3>Oa_l&1z8H$BCw{SC3s5)nZv>B;~jk58FUKXflc=!vw7bu9lXU?TU?%y
zM}}W@4TxaI-<U`QT_X__!w!Fcu#-CK?}W{yjsl1L4T|3#vKh4e>$VN1CWy9e<<F%t
zso)s5k{NXBgir#ai3(H^IHi*^?B8V2A<L_2r5ScrPx{M^ic=5rIE(B3UKejJHypjw
zHz%dX(Yt2L9F5tTm8~%Ftl)>NZgJJ8;u%>7@{}U<)KsP1Yno;bE9OEhw~fBI!&?I%
z#4ZaDx{<Z5ORQUIhEX4cPaAkw;x0HXt9*Q9z|r#|+o*6~Yz7X8KW7WuKunDrItZCu
z;-@L3e^9|YI*@KtpJg+;I!$j%s+W>h#wlK}^mxU$c<J)_l<MjQ%ihq_lo#x|ZZm60
zfZ6}Rj_|+2t5?)b-Ftf)>XYi;9aXztvRZAkYIs7Q6Sg1n?qD2m)0U`-Iov~j=z58C
zYRQ4T26N;6(op`5)u+ba7hViC%y!Kh72%T)@EHynh+qalxEKOjN7M%(RGO}Ie1YR~
zz*+uVtwRGBO%;!HgIpnJaU^JpK^vh(B6DyUPI=OtpP%0ZP=S{Tjp<RmIRI{xf(s6Z
zRFwa2Cfl0~Har1Q9Y_n(Ow~wT$e%xHR!Gq4o7D5Bko9#u3@3DyP`U#hg@eGuS6`JK
z0zTD3{G_Os2&c;-=R@jefx8msK(oOBxRK;VH<FzL$ySG`LnIhXqiy<;>e;Kz2yK_t
zqa(a3U-Hi6<T!sv+mIUCh5JqK?hHUuLzYYbgkRMs=>LF@3EJ)+QZ3kF*NhmmwN=eB
z^Hqt<pJUl2;KNt>_?M&azfLMOSdYnkyEgZ(MZ|#~!GYX$uVihPkG3ep=0|+IwWimF
z<}j4LcCRchP^E47MPHG_R@TSU*E2WVw7ybyvb8$_tzdp<aUdaGY)JRe0UP<~@b^+X
zY|*jF6(e!!f$=`riZuh~D_AH8O@@~LI_Oj9PBeDq3lpDA2_AL)k!k09o8M8b(l%ct
z_AH0*f4b{=UfU@FCWT(AyG0ik7Ze<U4)yghsvNf_3+RuPlc-wxNakC)jScdr)10sE
zFD+OTdS1g$EWik1dY62PQkgQNKQywx>BO<oeur90W6aqFydpqbAPSKpQMkiC`}QT5
zD>m7bc|47@bKD<J8T20mkWfP!LWaOKM0p^=7&3&6r+6tKU?Dki)MP$w3Wp)EaF7rR
zb^EkI_$<lQGzQs^%$`b3Ww5gVv3<#08h$<7gUqA{e9aYQCma|#11mu^HZUO&mwpdq
z;im!jl|)Nh0&MPLv6*x-K@O4;4oaXUH<6k6wJZ*e0Nh<TB#l<Kpt9TnRCyqY_TmU5
z)nsByqY~sHS>YrUT52=Tn+9SJlPg+?nDq|}|5euZzJ0Ud{Zc*}{iTMg)XGXitZqw)
zapO1h+Tv92hG9o7=h;Z8e>iwL(oKBZpyb730aAz0ke-9g=;?b=s`IW^;!)j$90Sym
zh+>&f%H9QSYKt--$OP6lA#NXZHxJVA*p+A;mAw5`ZTy#n1Wd+jMofNgee96=u5yz%
zvxuWcWBM-(KGgqK+fr=*hsu!O{^%uZrNo|v$?x7f))3iNbG_m8V`-kX|2&(JviFgj
z=6A06vgWt*^(%5`K`l*(61yRi*|T2E<|lGJA5*X+cY@*z2b)9kf`8XF-P~rb{f@R|
zkJ_r{4rETva4ioS>9}QiM|N#Ak$!{kW`!8_95BPuMO;1s&eYL~<R1`716r6mUj!;i
zL@E#xXzZ3vIwH@|nY`ejx&nxWMG7_WE@2ao+yQNeT*Og3`8F{AM=O|wqByh;nz99W
ztSAI02V}BTA&x2TQ!rjA`al5V+2~(R6O#DXTKfl>0<As4-ichBF!X9;OPn@dZ%|Ua
zV%=+czcJny(h_cWE)pc!5I$8cRfR92KZi1HU!Wt*haE**1L2AU*#f#w;v9r4>|`LA
zTt}UVR8s*6g8zeI?su5}CC7guiY1psCz~je`iw5H%cF5S<l5u=l$_5-IdTFpo`+<D
zPmhj_zlc=NJ!!xj8zwPmb2F^eo-7}B|I?!}xVzNrjMQM0(g~(^Lvi1-qV|2YH_KkE
z9~VC&RrRITiilj73l&ruwYw27qgv(8(&)>!6qH|5963;@d)t04uA`e;@2r`A&wuW5
z$DJE8uLLfMlTVejsCEuhI?>Ve<-DJ{Mw;TLTaDIEhOv#l`tjLC?poZ3veG>Ri3qhL
zFBqmhinsWK6^U+F@28)swFv1>xTX%lG~1otMCZR(+#W7>-Ntb#mTI0tj4cb9e-Xu5
zk$Ck;XrxkrAf>T2<gj(l&>4MC8$viT4`BKR90r5J(*9!@hRgmGHolcJQ^T4;NEeko
zr4R)4v|=U_Qkm965ilUf{8s!_0Qb<;LL>oHkOm~1@3!99(-4+O@p+Q8zC%%&cNhwu
zwggS^hM1|0(A{F2KwZ=a{7jAl>Y{kiBa1OXtrRcj0LED0br%@%5~G9KDG&7gK#L20
zFo+jh1Ky{BzdfKWTtfw~mS7HhVlD&xr+|@-z=qdXo6|!iC<G$IVPZPf7W0%>dLfd?
z(&KuU`+NOd%OjCJ*)oTqs~!f#jQD$kTn_3Hdq>y(fE$7fUe#7y#lF!E=}uiCyWLPa
zg>#<e6_HvqPEuX##mz@9<jd*b)9(xtd^B_FibRaLR3=~gf+0Y!mkUPDuX`0`N7!9x
z$Muu;PTJPhdGBPh*};Nf?`xx<&3z-RwPRKc>k@`Z7t~9vdKbl+yt`Wg%j&Q2EUrG0
z<<9XRNKsx^_c>$H<CbCXF)^p3;<K_Us*XKxer*2&w^Y0C0o3xe##8tCX6nvn33hoc
zH)6+<_`ssDQuq6x#%^^`F0H1;R_0{eu@=f=>a0Bl<K+?YUhZB;aB1Oi6a=0E{dV=l
z3E{AhfVKjm1GE3%wI#UhPsOci4!Ipt`nE9y0X5Z;fB|=$a<~};nF)2Vlwd$GCM?xA
za{kF3byjW*c-LKZtfMtRvy1kG_>^^8{uk~LKTNYF5fK5T7~Ex-w=E%g_fbU6a_^**
zO!>1KGX1L->rwlZqJvg(%Bv1H#3y_TYV0VfNUrDh-EKVD5pa+g-KkjDlbxbhM2kA1
z_v~Sv6w}u+<%~&n1BqE*z4J{n&e!W){y@5NMOtBdNcy}Y5+(R@?cFu{^#{j_alN6T
zVP})i43=!OIu#NdmDhouX|K75qo5e?+P*1iOH?X9R4<2KSzelEm4vm<z5j5a?qz?u
z$F=9ZL9f&I)hYDfHYvO4JpY+Z-7Xq&x#1x#*J{ZCYkRtdvYA_)d=jQJ@*IO1OvR{w
hE@Et4V4hp1))v$faI!bIy&;%81}iNH9s^&1`~@J@{DlAj

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Regular/SourceSansPro-Regular.woff
new file mode 100644
index 0000000000000000000000000000000000000000..460ab12a638f6e6aa81b0a6d0e6066f318515e66
GIT binary patch
literal 119064
zcmZU)1yo#3%rLw_i@Up9ad#{3Qi{8~Ebd<1iWG<9TBNwUI}0stMHVlx*kV6@pZEOd
z`_4D#=FCnu$>i>4CX?J;Z#7w201N;CfSD%*;Jo$k0;B=30Nl4v|4)<rs3`-0>8*MD
zLiQh6ksEbOYbwaS;UEA278L+MM3|Q$mMJGK^Cr`v4FG`E2LRv(LXRW;<kZzP0WijI
za^?E~FtGSHEVSivnp%<on6gCxfN%)_5YZ2ZCNZmNvU9!hQNGF7djnIWjo&2}PG+tE
z09whLd;<W0&p2M>l-I(`<Bf(<_l<_>AHYzfO<23yH~|0*Z$lWkH*km7%jLH*b9a5y
zrTz_x_zzxR0dO{szSaN$f9@NZ69D#;VXFuSz}Cvl@{OnBjfU?ZAgyhn+rA;+aNBQV
z$~T}zjzH73b@K3e(=Px3Kw$&`$aQn9(G4A4EZ*oCBLDylf;XHYqK!1IlbO$(&aiK6
z|HDg()C}wAZ02MIfDuLo0N&#P0H{=`gj{8=F76%x7ztVcfFuS0Py!U)$-B9_S-tTx
zzI)@<d;{%li|45S`Hx`VlS}E=2%2Ds+yIc^!2g6VAQM9W>-`;GgkIJWUEs#v#z=2d
z!~Dbhz*v}Cnws`pUWmfMjm8ISzt#v`g;Fzy1QG*E0^l$HQ6YQ-BmqzXUV!)i@c@wj
zX%6EKfCIq%<G0>5&+Y4*=<8b?#_jLx+eRxS`a>8`m>ycRUNbetGNr7{f`qEPl@)@G
zs=f{0-J9L+`~LS;9Mt*hh>AMJPxu~>knk{kkFbDK1?Cen>J)%e2Ce#kbX&@FPs{5h
z9x2#6`QB0n+W5GEE>z)LHkwa7+TyhK@0vEhS#0C&eN>|Nuj?-B=?Q-Nh0~+3*)^Wg
zeP%^mjzO1GK6d{7(kq1N6voyff!}>Te9S~q2<7E7g25Nn;wOYQfOAQY_gs)IvuCSQ
zn!_xJkVHX)ySYU+VY&|JxK=sFQf$Ppm4l(>=wC53rPFX!@orycs!(6)b7|>ik~R5}
z?$SJ^)|#Yz+ik@Ocj(I<<L}SaXn`&KTNR<thE7u__InElR0rdJFJ#i)>3Kt{>eTy<
ztJ{OP<;+_T?%XS0dHbiMvSz)XL<&Vx@#@T9y`&HOe{-N{Yql7vWJUI=&V@gP?TIm%
z^?JjUAB~;F`+SM}f=l2SjmhvTVl_Ww{8)oP5qI*1(1^X&HY{$-Q&RaAWZ3AuE~qe?
zmw~o3^T{b7*J&DBs~zl*yej`^!*@-Y*hR6kq7urmV`#}R>)~`tnZ8UO>bl9FYJI|T
z*t3ku$DV(Fp33vHnKu9IoB*PBPiozVO<5<V{yvYautvz2ptM+bP?=@{;Spjg@n_hU
zB$a6Nd`8h6g<pAS#oc?&dd@n~bN&~}`N_G;SZF_$(R)mGx4R=~y_DUgQ77MJ_8!@j
zOSr!%nRl-X=K0I&a)1`pMb2z_R<P>l0G}25ZWAkR`LHcRU3G=~5z5kdR|VHK)e&ry
zhRE=@iYYVvisdAdYNXp%wPAxSSxlN0Yuuam%i=Nt<HF1<v*oVg(UC-$1H9SW%Q>om
zL*r0{jiBLbIEmi8Pn?;Dx5IT`+V4dP2Z$VJpR!8>F*MxeNd3jT_5-o9I+q)D<a<k4
zY@M&t>`3eZ*NW1CrWM#N#G;Z&+_J-SA8bju>5XGrLS`ztcoImxM-jxG*}mi~q8GTJ
zdOMq;X#OtH$e8)U`mBdwvAcZxnfl>?GZ^H<v(sC5PTt*gAZ+z>jw!livGqr(U%QY$
z`O#)_asK(*_Qf9i=i^PG(=AN@-q?!SCgD-{)ACEwM&7?0%@oNLN~_JU^!av5D<_I)
zj%5oif)+h76cj_M{^phW@R`cLICRz|aSUXkHdfgT0;xZaTJ!W*R9DCG=MFVzZivw!
zKyC%kGfiSk6U}zt6tB{z%5ql2Jd)Xjom2m{tSK0S+PcA;LdO&}jKeiCM&mId>fUcj
ze`Ib0uPzE*3Ll3-qWAOe#$AZ`KM%5kHmb+i8G2ETaM|M>-%z_rSsV;PF;BoWiYW3g
z&Nyn`nV?;nddz}pNRWYa5X{2^*bzduD&SMyXFsBAX=8TBeY(2^);%Rl>ZX~O`Vfpe
z6W*}+=W#6A7_Gp9CP1wi)sdz2)c-a*FlMIoB5PRyPW1iR@H*-H*rFeQ@aEMg#7fVl
zAW{$`h{Q2jhC@J}&?U95?%`*MG~^vb*Q3*?gT_xn#`7n*HSFhgr7(ghi745b3W=+K
zb5?yT$;jDbnPdRuOa9OxsfPfR;fd6PY05p~>C-(d{rj@EwpGfZ+QH#f@$k466>Imv
zSPDLrk!8~LmD|G$hc=a^bs3drLplx?bu=j_Nq1hJ{P29#xb+noailJo*$zHeR8oA%
zI|1Q(eo_(v<Dp^!|K(gHcb=#x<tx?l!nzR<*^42@@B2kj-wwBRQ6kSz){7sEvGJ<%
z&uY(a6^}^=;Rd(wU0sZkkGu~63+JLv>1M%NF}>WgWdTi9Mcws*97pWwBy?dvU?$>n
z6MigCB%JM_TZ(Od^Kb3!T-~U%<-U8Q>j-(+ka>=qK)Vj*kQ=#iUnvmcuPaMw)zW#G
zpMj8!Kaf|-1{sZh3i`aQxf)E=R%?B_=--9nuq>rj6YBf!6&L<BVk@Bq=#yhY^aK;c
zw!OL7RLxUuzlqTDCA-tRHc%d|e>rMtu2-C?67C>pfX^mAb?)ciAn><<-w_vK{uocS
z*w-BfIGzgtVFV*onw8m3JK@Pz7YhbW>-57BujRxEzSegJU4jFTzLA{v$D0(l7>?|f
zz9!|f<J0p=2FiYn798x?Bo|+WKLo2IZ8D(sOH6mH&aw6N?3IA)u!0;Ned!w`9S>$n
zCLa%Wh_@I=obQdW4-)Ib#3@&{_&zCk5I^6UC!j3icts{A!>JUqrbTu*&n=brA5<g>
zDq2}L2({nxDZQ`lcB=SzU&pYDz+@;q3V(X1*jP}XRpsg>B^K4?0Kz}Bu{Pyb>X!H3
zl=e3o?AAzG1nZqSU-3>{Cksh^*zf$_`Tf}x@hFI+gdQzH>s|M>1=zxt!cq9;b1S3T
z23L?)>nX{zkJ!ZsSLwYyRuH_MO0Z^;Js7o93W4!&N9VC!D1A{v*XDG7_bg#ZH?=|R
z#x?J}*Fr_~%PmYo*i4tzYN;dLjU~jgNxMBSarR|^9iyUIR0XRk+|WPEP4LgY22DD*
zc43^&bvN~^f$s<Z-*C_Gjd$X`s7+LaQ1VC1WC~C&`kc(<j=8(Ptw9%`r$ixW7LGqS
z575TNs(u}a@_M<rI^wqjU&xj*((|ZI9>$v&M}Dvlo9=gdI#XMOY1dY7KG+p+kK&HH
zTm^qxjCw5zdrhs!py{&{!uo!R+$#5>Wdrf_kNC%!XA7J)Y?_n7;TdQ&xwiKcU;ps0
z4%f?DHEw%R%)z5J-A&3NUnj$wmB^RJjjdZ55||*hyiWe-e0oU{yaw%F272bx8;4JB
z6w?^T`^QhOwOL|YpvTaLGdw2G!vvQb%uba3p)~ea6%C$5mn*`F^~`0J1cNeCib3`d
zAZ5*@&&rk`frPEZpDZF9hcl;`2lFej#jWu?&$RHC%t%|yqdL7|vsE7HCgQFXerr}Q
zW)aB*kMPGe+_?X^i;KHi`m~tt^=Qh#T(gnTN_X_mYDSzwadYJE{;rPWRcx`--`OzJ
z#?8c<b5v4`Q*H$51kF3D0K-2u2!CA{eJ!@J!!U5_g~=lC{Q-`-X^K#GU7JI>L%px$
zgEjo!E$)rt<4Bt1YjY20Mim9><<{4=rD?Iy+6xk31hN^b2inp3$GGn-wgl7j9N?nz
zMYyY17ifYegS&_yAut&6(VePC@V&`a*g4EvKkHt>h__k_xvXJsxHA%H8_DMjv@v(L
z?s_gT9Zse4#9?IAA^I}XTI5lf$9Vds8O1_7lZ)<Yxsy?cqOzSx>cv$H9OU_1>XN6C
z`DipI9Q%$9hF=c)vFD)pY|#+3G(<WLjWl~@U)Tp@GO8<S)@Yx4XB|e~qjP7vjUYGO
zSQM1Nj#U4B$y6a#rX`=4I}2?^`z%4%q-uf5<4$~hEG61VX&i#?ZO5qK(5WJSh;VG@
zA;PAxsPn~>T-$6>U8=Y?S*e3YztUOZ%YZF|Cx)*{fuiu$Qvd!5>Tk>poA@w^tlxBg
zOGkc$giRLTDeX&YU&yv1d{#q689(vAZY@5)1fOZ&vL$fyS6Zc&oBKz*eHZos66Y0C
z+oC*B8IdzqrMsLQeLo}hGKuLd>Yi3Nx$_5!7+&Y#<U$)Kjp@EOsDPF4VG=#Tw&zXX
zCKhRL=1cC?GBA31)xzU;2-{HdLkhNi@8dhmbYqjkQn$tKF~uUqO~nOpW&37ak#lp)
z9tXr+1xRtBftXha1J$9`JLqjV&Z;X;_-Y>?KN6jiKm%db26PH98vn}AmHzdsPo<9c
z_aQuF^I5gqzUgyu{YdD))rTlR2bQZ9<G?3ZF}R~RCrcnFdulNG0f8A0$j(Q#kuYLZ
zoGbvymHcRJAtySPT1%_Lh}hW4oWqxIblcVHpmZgczk034XS($6&PN9Mz{HQi)e~A{
zhV)<jJ+J$BFc$vrczht>bw#*Vv%%T<=RFqyt{cO(jR^&2n-lfnE<x$#Ik_Mt?g48@
zeBhO8b1vuMCn3q?6PnBMb60OtG^_D%VLvj8T^FdqOH1#c3#k7~Pw+McRL*$zL{8gM
zwuS$ejxjRzV{%(`TziC4d;Da37;}4Ub$g^kd*VrZC`o%vPWu;wzz~e<&<2oy`D9zd
zT6?%~dt7IGlz)5Dqi+a;Z*-Jzgq&~usBaj9Z)~}5q>XRlVPG=GO@9N4&zIj1*^&?o
zfs==<g8MI9_vzyM`t3%}slt0~zADD)zxP!>(9)Ggq@{3u()UxuIHC&-u#8Vs;GB{3
zXQ!Yc3+S1>d4F`}A$7XTT{hG+7MDAgaM>V^J~S^-wzO-Co3INFH>Be2j^U5(1~Sr*
z<_nyjb%*oI8~KK25RH7U+|TQdYlUcUt{V*9T5=@}HVDxB8MtKlm5Yf@`1?7y;7t0)
z40OqBATK1#@)W{I5h9~nqdDlYQj{?-+#HQ~Xm;>!<T@+0maKu&@A2F}dLhwzUDCQ}
z<d(5m&<G2%s+6{Sq#AQcmQ5;-f9-ZtPn__5&<px)a3d3_)BEd5Uw6_$=0}xh^H;v5
zU#psrU;tUspht=7Z@mr)f)g&ILI;oHgCpb4soExoGdBMr^2YKrLH~`-hPxjTOAV2~
z7KQX}PMm2RQ&d{hTW0uHwbz`pzB#qGtfjun@QHHh)=GaQ?LEqEnD)rC<n#XZzroZ$
z%js=)x*@LX8MrXn+><NBRZw8$EiLEz{IyCQZD|#;R45#O4q0D{#8#NB*d0Q#Q924)
zA2ZwIMkbO;*p<~Q4&$89w0BH)UQmlv&|KvToua%R$Nm}VNbNsP<rbgIvLzXg0E-!h
zNXUVOF`kURl8o}8jyS9izpoCHu8wvyhqN(=FvtN9;y_?-z+rHO(fLcr{x@brAdN=v
z=dh~k#0LSq@<W!~)N3HO^Qci91;)Wwkp!D7()>{rUrzQzt*(6jtdG{2<7HMt(?iz4
z#xA{;Q=7#4h<*D9y-@9FJUa#E(DdI`_Div$qD#hRbq)M0Yo{BxL66_L`}D;57+ZW!
z&xX8qQ7?`_hqDD*Xf;8}(;6yEJxf5t81YAX5yPA+R*iwErju3Hv;130|KdQ*ovnzt
z*xjPsikb+LSo)$LVA_t@9`h1HW_qR_J4K&%T^hdVX+@t_0j8PQ>JBL+1n`buJhp00
z1n3#l`9Y<v9Gkob17rh6xv_$xKZ8vM(A^j)uF5%Li%QZWxzzQlq?alM(Msoe(hor9
zHw`yU>4|d+9jdKhEK$t?-!xY&IzwnieKq7;VTu(gkqLc9mK9J>n=j31-&D{LN$m?9
zY(Ap20Cj&oCdK$y@|CXy4;r|`!H7B^Js0J4JmgGJM|G7)4Qoc6b4Tb5hq=2x4TO@;
z%ugu_ATj6+90?R-&kU-x(|PaKih!g3I?{DXAhG{R@4C%#1+(uIStB)uVUt6p1SF8;
zp0I0)aDGH&tW}>S+-lQxsUbbSV)mpjE9Sm*|H=9Ldi!P74e*Ty5!Uv#Gk=Am9P@u7
z`2XT~CwK17NA{M~6Npn_r=hP-ouKD%o>BHkr@+Y~Dld!mc|os2XVT8AI+C?7LYfHn
zE*Ej1a1K>W>yfp+Hb<^z8coAjmTSm4QLG0%GLbclWKF=_4}iA1MuUEWJNP^OY>7X1
zqzR=OO<65-e8*~Vb{uCV8%-Iv^DxmN84oM#j$(XCO5UR0q9Lw6U-2a#0L3i4@@N`K
z{RB4>p6YpvXr4;V>a1EQTSr))@qehiDBca)h}@em!qz+M^T#vgKEhd?TY2XQv$!yK
z;4Q_P`(D#$@7H(vobyq@R(!F~_gxj43B+hD*PC~=CXD3D2N0gDG>({A6mqVE>(qWb
z99cm=`Ehnf=i^D#Jv=>MKg@258a&_cZX9_#gd?!`RBj}e1pJxtT=xoaAMrYP2R~`<
zTQk;9-7=cEOw?)aeHzmp+TYXXN``ux1Q%G{vn)Q>#ehCMpG)vFjtbY6tuxmsM);Ca
zEK)v1=Tc~Mc+_@>Bp^!sFTo2IrTP$VgNz{-MIT?`5BB_ad8U-OH0ow~=Bv1>q7GYT
zp}3wRahE8#vD2T7_tZ+0*+1J)k^7VLth@ymYri$Ft^B#_c^YsTynn)HskjukO>bV+
z5B$NYqtY+y0IqEQM!M2xdlTq>7GkTT6`sfJL;|n>3o~_3ANu<2ub2}XE@C3(mSC7P
z32eqExSM#3;+b+I9-DpKnx96^MH!LJ;UsYLa!M4OYW}m7>DGU{mC;(uhV>;z_;u~<
z9(NSO6N7VJ4q3`Wd{27LsoDeRC7z@fmZ?ILDL~C?>9c{#;^*l_$#9Cy0|wT)1^-&T
z!t@s{Cs4Y7M|<Hcggdo(^JT6;!zEa*S9IK+mgYgUAFp&-w4bc#!w)+tgVp)XURerj
z&K$5n3ow(6sVexh@@o~7S_S%SH5+?{7<(l-dlgK~VrGfGf_*b}f_|#D(OB6*$!Bl3
zDunjM)b(Q-@|*Gycn#@6#zL&L1py{omVKU-SZIO;u^OGqcdjL#tmAA+RyuVl&C1HG
zMUWw}9n~~X0e#a#9qBxikS$7gQ+8r3(_&EMG3KC0$d1qmA(>5$Dwi<>VfnT4ydbtm
zR#wN1;f7_8bAv>yUWG8rf<eu~sN=6g$KM3dZ{5)RXJ}$zP&L#J;TghLtp#g`TiP6{
z>X$X__l3?cz0@zk$}exfsvmT$Vti&1-SJiG+P3Ccq*POR?tPhC?zQ1Q@$dG26=z_M
zaMu)bm-RMm-Bl#TVL4PUNEH!7I$PwJC&mO!@PHJQT|o9Jl7}jAjF2m;hRT18>?-o9
z(3FuhHu6)UG9!U~q<*1S1y0TyrB`dinR#bcWQ!EU)&exd!_PW>Z=12I!S1Ods=39(
zp;BxfDbpLzK{NdhG||N8q-+41Y2qhS9<^PbnHMlBcI%LvyyfXG^7P9QE2}%Qfy%9+
z$Db29$mVcb=ZfxNucflZi0-GXg4nV||D>!nvVG~^{<Idyme9Ssuy(?h+P%ZImctg;
zz5jD{jV-79&(F0CqeO6?PO-`LGQXkmW7(w5mfOSGT5U++C|=V=hvcoO&T`L1tTY<l
z&EONF_(IYhPGDHUxlINBY!y|^QZ((cqSp;o0ld08+=rT&&-1iZ_QcJ+c|zGAji!rw
ztU(g)wiPlwzs>b+kyxA4H-*L!$*fBfITYoHet?u0iRh20K^`$j(BuSYv<ftW6`GO<
z4TaN)NBA&=n*J_*pn^x+%9UwSiYZFRH;n0TJ=0Y*(`5zIb!OGyw$)@+CxtpMOLc#)
zD!8o0uT#g;_@4CDvYN6MjMdE^zl1t$MU9$6omb_(or<FPK$^lwbw;Rj&hYja;Y}I+
ze&Kk2sp)=EynY$Yeo3Bw1vk(TG-%onXsi*m;E$hr3oJ5#5qiE^?%wFM=9O^8i18Ti
zi2C!t)tI3164$&*&sW~1<hX<8;ydau_V+7Ryd|my(WnnS$Je?5?%{}v{?Ahn7i(Ww
z%sG{G?H3lyxVwp_Z0Wfh<M(UKc^z~og?{Bsu9McsYW*-%anM^6`nAs?CoqGg>J|&i
z-NCDSn866TT;nO@P4Z>623G6kx#u3j60{Fl)w(Vnv}_CUw~ezpyGM1dH|CxB_DPXn
zW-^HE6U{yh*^uaMjRZ7&NX?vLly(2b=G9XDOlGN+voc{zQpTC*J9U^Xdgf%(n7MR%
zz>y=k(kH83zhHdZP_X~QREAk^Y~WiX7lPmr`R&h181$x2GDiowla&}&$9=}pHW!S}
zFEOvPLLXROy?=2)UX7!^44WxrrsR@hMB<sLWa5`arJH%`;wg<#HMrGa%Z*F}J=e*+
zhw^qXCT{?Ag2ZwfPt}TiME~Oi&)%}Y%m1Ci^w)mnUB3j*)Ll4u(+&T8dD&KU<!-|Z
zz+2yMfL?EB%*DxWb!{g2X^7`e{~>bG8wGy_Db04G(uc+GViaW!QK)jq1?O6SH6@#7
z>IY`4Jh}07-VfTM?^({4w-1>pxGT9v9bolROf$dGW~)8*@bum**}<e)W|WtzXKxgI
z`?`(A%G@uduNpSm)O9aq`~EU%A=dT_qkdd(atl_lpcC^8^{Q&vVN>_LyDb9JpSeWB
z2p&R~7jq%$Co7MNdnGUjlJNo_wrVl+Fom*?LVZ^4H&am~ntpxzFf@<6duFiT<?lH(
zZ2Dr7;Vn6Sg}Fp${9xD(>VAg~t*3F1oO=YY7g8#S47;XKn9fJm+l*frVS~oZutO(I
z4J>x~d*OL^wg`b%SqeijIgdQ$JDe!Xi?rXn(OeYOg+IF(r3|j{!>+&5h6Obd4ppQK
z`{<emtU%~Gu4r(;4b)+@YaHk7hqf>Nx?zvl>%|yT+9E?1h9fxcWNOnkKGs1a?lH<G
z?0-3fMi~yo1DL-0K)7RQ%L@J|c@aa?rMc$nE?GNyo>i&$kM6Jq<%5&u9iTKpR^BDO
z3a$k&Y+sYW6!&qWsV}Tw+aVM&j-{`PdzjB^)N4CK>1C*3o1)zb^$WB|UlT(o=(m_S
z2}2s<Y}#n5TFwN!6zXqnWjrkki2}RXb8YlQyD<*3e{yi;DQoFeY(LR_ZM)@Z7>}mi
z6`Cud$4QAfkx$K;lBcR=P_etBOmA!9X;w($+1)I*Qwb`;xf4@yL8c6E!?2ar#LOBB
zl;_To9HXvfpSF*s%4vh)>HP48bT@J?w~W*+hD6pq2YHOf8FkvBimIS(o~O4m40bmX
z6jmmL9P^lf&nKrLy{@ajxG2F1{9_B$#Gz9rOT*>=`i;v|Lx0^;e}qRu5148zsEM&Z
ztWt=l9QYZRKU|wjMO|;5RDZZhLJNpu%L{^E8lEoZRc2n~AyZdcuWM=%j2GI~Ug#(z
zIgVLVKFPtDmsn?7o%4{R0j|CI0}_>?vtpHLQyv`eWIleWImz{))df@;W}uv%12?kM
z5LvO)v~3fPcUTL*#r(&0;Ocz*M+V@btqnJk(NJEg(KM|Gj(3a~Klhx}Ixn;(D?ESK
zdCq%Eq>K5SK5%ww^l{gD9%BkNfbpE~%nE;(2AE{$(uf^66sY`|tpa8^cVFFd90UMO
z=0bOSO2enfQSt9Y$;@xfD%vi<9E}7t%96?icPM#u{rEx#h7=u=>s}oTkbW<q8W_D1
zxt#VGtOeW$^Zs!)T1WI7{5+%rtUh7|!L<%=6w?1h^d9a$5^W^B8{T*`KWq_P?*cI{
zrAys)IOq_|AT#g=?2rm5h&_=J=l*h8+SUzW=0+5c^UruOzuNHzx*t)L(Y@g7WV~4H
z3KOVMoztp(_zL7nZ@cDcmM)vy#TJxgj;mH9k>4Y9V*Kjfgr#4f1o~z>*dwu4DEx?g
zM)mcvsa%?T&ik?_(GCI!u@EnY<Io*t7Q!9$h%chyh<xVF3(-5J0FzEF?I*EuV6mi)
z`F2QC-+@2Hh?GpyU8U6yG2QlhM7=8pvmuSlZD1=GKGJ0>V90aikf(8!L;)kn!pR4L
zUMzl}!rCFEwSOOcAn<Ks2-jdZB+a=f?6R^XT4e<arOa<)UpYPmGMO<!mBZdczPv*@
zQbHP;*TGgUt)tt%_fs8!@KBr46Q^@9-_TB}1|qpHw9-zgz#&~Ps1JnkL`HnEQ$~tg
z(8b0tZ=hpQ_#>~IJ(5vRs={dYK3jf3k*6U-%NE(vRHr!WYl2aMbw)kXG?f{5HctC8
zt1UT_!F&MYn6pZp{Br&`X+19leT9MArmBbyJ2@o(IWce?Iicm|AO{G~LRl@I_rg3^
zItO%FMnZ3z;+(pP8`Dw<qFw!_nqliNBvoW_q+Ij1c~&=QwEDWFN*jQtv7O{vO@;jt
zH>l=;9t^5Kh37P}$t2YNP<Ik^)6Qc-eoD)MnA;}E73vf`P`g8OPD3HJ(g>i(GC1<=
zL?1_?oyw#5jIucQ9;u4SozcFWlV8Tf1eYsvwy?Ay;7uw`dSYq;@x#is9Sp8TZ_%(u
z>@yx~!oewpElShJfF>D#S}BIhM9>U9of!7TyECUxg-JdPb|$IB+(W`LHrYIxbencU
zYbC=Xmosw@^kn$a-uY}iL=Ey?C>{;t5qP^sWy~ttHP{!#Mow;~sXo7ttW$B;hB`mC
z<`^zhZK`yD_D0w)o#!{`F>YhLbI$pFf%09#koxf`9D&M{)ZmG|QBO@o{vm&Pm+XNy
znoSzN-?;svm*j8v$4DN17a_(o{8zE79Mb$DQEk{?R-BveZ@bUz5kVPk58lQ5=b5yD
zq}}ckaiZFs*Hl6bjxcgl!icSlzb^k9C;oGnUUe<LJ<WCK!sE2QT-=9Hd)0E1YQb>l
zFqMZ!@HhLJQiJODWar`o^Nzf1r6W~)wqjumf)}Qa&TI!Tnf*-3U4>v&PwhdZWv%Q=
zWJ^U^u_mK1=z~_{LS>o}c(G~)tUR&fVZD^%LB1~_RA>LbBg75cNWGcMNLet8tyVvs
zt=v#KL&r&0N1d&Zxr(ox`Gd|vy4Ko)R$4W<s_G1EKe6QDxpeEny072SVlUT`=tgFw
z(~M)J)}CKmx0>breO;0N^O*wwC+A|4>f53m##WGumOtn$jRAaHWpTtd!R(>4r02oE
z&-?bAz_BChN@zpV6MaL;H~jpEP{w(2m)xC}k@B79X8B_^TcI2y1&BsVXQ4Pv4Ln~}
z4Hldb@T)z>^2_JS&#&`KGydMRfTEQIs!n6`Yd$9O%j1%-)9F@rQKw%Z(W;xv`CL7h
zqoo7tOv8eZTRHjFRe=L1gdjmnn9z`)Y=P>$X<{WcaunKV#Yv1OAUUnUBZ~=m2vAF^
zK%K8dtx6xPIUx(NTcU*!Sy@19>_0(se<B4M^AZJqTuJMx$j<F4ag;UDR{3b6aa&wh
zh5x<o!z1Xo7RmyD8XP#M>I>LlA{64ZGyoynr-atpV?p!XI08+Y8OaJsCB@ZQWyL?E
zmr_*Xms2nwE~tGznO94{2HRBK934);K~R<oAxirnq3OpQ(B>=5XIW2yXKmlipmL$G
zpgIxBV0AKu;Lqfx;+2U-;>=0&CZFX%Ch0a{mnxj2i-|^$l4DvSMc>3k?L6gC##vB9
zl_pqV|Gkj0CsW?{CrJY>ZxG+U&T4H(loun7UHNg)YH57YMiqi>5?A(Z6?sYE1mS9(
zUo<+S#nJa;Ga(JT;^2z>@4-wP5cZ`;h)ZeIOR-<#OEqNS_46!)J3>0DUAffUfH%Wy
zh9w4v`8ycg$hEw2N2hD`|1%4+_G_z)*5oB)`ZV9qaX=k$np|;^lG>j(A!6)QjR(1?
zv3FiKdOBbJ52ctt6Pg6&BLNz00W<wOmB>BA0tHP<R)02?C`j(59lWJgROw1`9(SA_
z`kobg`9pF6H|N`iVLe(pte(q#VuzGw?NYX{p3fcH1Y7kJ2Xwr9_MLZlO~oOuHR>0h
z3;T~K=z2~*pM<8D^(yMLpnFJ*guyM=D*D;VtQ~@fWpH8MT-I}x7tHH7728#`jg<yF
z42UHH$QV35BmY<^F3e9BQh560K{#?X1@a&raqkw$3#mL^@E|^LJ3!8hdN8b0CNTZb
zDP$DcoZGJS+f4LPbc2$feS?vnV1t&PVuN~9u0u;%qXTWNT`d2+PxaQdL#a#CqcyX|
zBPo;5qb}3Sqac&qqc?LC5|Wt$`JQPGNzVKPi6)dwimjAS+IhXGN<Bi#wVW+0AL>+A
zi#w8@jXsi`jXjc`-4PMy>JEuJwS~lHRzRvU2_eL_*H6t5c;}xP3v1>=AYt>4g--Jh
zkiXBEstm;rr!Z9@H9cJ*6FpgA<e^9~MPO*gX&xlqXYI(LYbQVrs;!Iw{iv)3)ljB`
zDk$?pWt3H+TFORHv@PEkSty+NN)(v=@_cT~Txdbu{5}`y?=Xc@aWt7+F*UJ2ZUUQ^
zNCK4?Qo@(z(;%M2<&Qk%yNw8Q@5~WEfOkI$<|rF*?64a)?DQ`g<~(+9=TXPTJe9cP
zE^NK_wl}GGGL}nuT9?y#Fs^<wfFyUl=8McT=FQD@=6209Kwi5kbGN(j3##B5)sOzg
z7{X*{%+7>oQ9Gx~9y}xU*K-QH*7Fa$+8~+TUvqT26UIszaRzESv1<}KF$N!hN3W^=
zwt(}e*@&2SeCLSM8t#nXX>jBWd@?|bXFBIipyK0C_~6BihS?boAG4vF8twlP6zwlH
z86zw+Sq%Fq@*|q~RH}*oxLyskv&*&s%p5zorX9n%ix2|N+DQZJY%PK8cDTR{I}c!|
zog?tKEh%u;78aOfs|ZxH;{;;ZiURL!X?U!!8$Y{>(C$6=jnZ6-04a{(9W8@P4eHaM
z^UepHZ`C?59#?vguz&?%Ah6&F=@LzpPOQ!$MLv2etGDUPeOFS7ES@;+56W|tz_4;C
ziF!6At+mT{!Q|BG-uVKmp=(=t^<Zq?dc*SImss(yuUxjF-_|>?DW>Q?AiUK_8L7+Y
zOL1bVc8kJ%nhX$Vx;R@g^&Q^eYFi_6E%*9nM&Kn%$mi*sV$z$5Ma}6TZL1L6Vd%?K
z+e<+68KM*sVH3=57r{(b>RvhK**B19YJr*Qi_ImIpT8J;E}8Z1=qR;Gc|2|q=jt{s
zIUK~Znle<?vj<dxOE7PfRl|z%C3gXmyV&LPT%qcu6A`ZLA_cYWDNQL}LD-J0RPLCR
zi;)Kb3xxwIWnsv0)U8j=d0d-@EjqWP@~%8%w7U6LS|HoZcV!@}rS~2Ms!<>#-6dIE
zebfwFURmZyESV^m0nXY-x<tYbN<*HG?<gFo6+UO`=3ZLDOsFB_!L-K?dvCwNTHp8S
z`k1dV3OPU=?&$TIQ}eP?#(}=V?z~}`3G?Nd%x$w`dU$NhtNM8jn4cjXx`NBi{2YvJ
zzpNG8d@fAo5o4G87`sEM+~6!I0E2GW-hj6XLMebM;4{GFt<Vegl^cKxa{xevg?|IF
zHwb!z<Tn_5t2=v}A9a#Dgb)!^V!pTK4DGiy5zB5#+%((2c-d3io3B&zlx>84(+3c8
zQ4)fLsash<S)ouM;aYeu@s?!?n{y>gX{^`8+*DDcG$)r%46X24k>fvNjy`(VP}%_l
zq=DcJ1p|=EDH}*=wT_8sUBVV^1=W;(3(C8s1dgzcIWCGP-;h`a!w7Cr@|*nfg@fSi
zQH1g3c_6H!&(Z!^pbGq6uvbf_s8iZu7h!Fes(OU-Tx>HZX8h%t_Ckn9a@5qS8Xq}D
ztBM|Np63UMGq7k2B2o99L$B0+0aFDeL<VAjs%+xFXEta)F6GpRA66kQvePfOfJ*m{
z_okRW=n&UQzEx8&D*c}mlrpH3*IKQXJ3v+WA;?VsE8PhsSW)wtKVgo=Y2ia)VK3xe
z)j)ck><#E0>jIn6f(}$}_PfxVUL`QuC0atI>=1&*E{kMxi4oL60HEhBz4KoRBCe6h
zhC8v>iKg>gb2VFl4~w;n=dIw3it%+uz!2DB_8Io(XvXK8du~qG0sF&!Pq61I&0)xK
zla0XjO5zjTBq;Yq*+z7<eca(CCCMke3Y5PyWg~2knol;6yuee&pQ<-)R(q9OV0q0R
zQJ8KwZED?^1zO)1oyWD18??6&8$7d>?(6&t(whZ3UuF0170+la+0D8hH0E84>~SAu
z-hi)o%Efy~Xf}1Z$q6|AT;>r?n|rxul?N~o-3fl&!m0jm#zWsRn_VpLPv6Bhh-Tex
zi=)Od9+X9T^05D&1;Za@eMF^1gtK*IFmn9g`{wHapPoDBi0>I+RxM4natC8JE)RVm
zzl<Y<G;EW>&}w{{!fz?00O>}p5_s<7P>tCFQT#Y#v~YJ^zVQ^2{LvlZgmgFk>&0p>
z69Fj|18bA3b4hkJe+cjHW#8$IIr);Ua>n~Q{vn-3q(t(rbv<NqsjHO|j^s>oTJAl-
zY`vF8v>S7Af)nD5l{wwTuDcKS)gzE2y3*YWGgg))C;9*JQlwS_tqt$HGl!VafhaeQ
zpSBM49CvY(?qyJYGy7T5z(b7q4RK0cyBNT<ogY6~|7!CNdnBlHV#=D~-l3n((aja2
z$Y+slpP&C--!K`K6vQ=2X?UE>J9U(*G3xN&e00Y=kx)aoBb^tz75jCF!>O7lN)g&d
z&^x!K)MF^<?zA<H40+JLxTx8<KI(@SH<t&m$JyAJJdM_Ast@MeJtE#e^k2*hjvdBb
zY>7biqS~<XrR|33`!WQun^Hx;XCPA<3q=HQn_DdvtVOO~U$Krgw!uC#SGI}(o@<o*
z$tpXdn%^%QU{E?s#nUJJVuA&$tgR#lbh<rSWabl{gbV;e%HFJ%uVuAm;|Jf}s#gwA
zQ1qE)QXWMLckZFL_@<h0`<R6o_V;*v$gX>E87Sns=iOK_ykOATo9Q;D#)%xzz)aZo
z>uo`~^Ad9R_}CwkwgSC3lWtLM#7G3kos6$28iHH?ne>=~^EDP{aDt5>iD2~W^ZBgL
zfdyZ%5O?Ny*B-;mqqorHLu~gWf9}ye%TLi~&hm=ZAq{Cbzw6$AhHktbYU?dFl0S5;
zLV9V=02v{Q$!K_m5q?W57cTh}@DK_zJO)pgL)f&`Kmi3}M4hQr&Se3Oiy113Pi{7i
z---<nKLn2#!Fp5HaTn`NY0tP7{1eYSczw)BL>L0p#g)<czc1j0!-e}nE;kKS^A<_1
z|L`t|;QX4Gy7YUQg{9eHB<mKeIhP`_AHBAiYtgGHEme7um8tcgZOPYY`41IGgnG;E
zg|9S}^u;BGHs<?q3{Y_?Y&Rx-cxyiNr)wQ~MTN<+iO|4aIBaBMcziKev)6*m-0b|U
zJe-SH*%I7Ek9d~T_4<7i31wLYso9|k1l9Em{FG$Pc`lAdpljhP_SaA9AkLrl?ozMh
zn5h~IbKDJAp*YXKlOu9tzlCNcgrhvSMyG{kCw~2sM*_Wo;UuC%6UAYs5SR~+C`oI2
zvhm4>9YQXmM81u1SZnz&d-`wRa(Y|Dsn;4w1fn$cunc`Q4*1a$NKJhJmOhx|lMc)f
zSlbX7-4M7o47aVn66lK(7*l=dh6t}Nev}CJ!PSWOUj7Llqp(sO2qdoW>PkCd<Uis-
z`Upkf1MeI$LvYh1$UOQmr}~IV`>aGpU5<L-vP}_;!(A{|w_70fsJHS-vhqm|-@ibl
zT_pf);TyAK(A*aSD$3DGEM3a(D(dbT7`Gmv1OQtdfHwyq<B;$>30<Qc>=bHa@2-PA
zr|6KU5ap1AN|((Fx>B4%cSBBm*aMBiSOs9M15aRn1{{ire{zL|Jk#FQVeWmzQ-952
z2{!B#eCY@=dUc-6<mSqX9J4&9Of3yj)<*f8|07oUmRNw@VqRio0S;?>!#*_L6Na?U
zS0tmMo6Um%oqIjJoGVeC)oEkjdrn4JYvH*I#<YI-fDB;RB(AGBU4{V;<SP&ZW=rH#
zpXw~q_QoVE+8hj=D^ZeFfS>8Ripw+Do(Io98=_!8IMRA4`sA9Ag6c4=mSHC$P)v#;
zN{p)QZsm$TqQMSRL@*jf2)9rC78jONpXdTSbDulz&3x{MZ-PMB=1YG|?2$2AWCP2T
z3YA*`w<gnek22E(sA^kKKu##jJ(=bZ^~olg4TcFZoC9D^mJz8mxbfCX8H85n5|v7d
zzslE%oQQTIxd+{yoj=z-{gr!nN0P!=n8*nMF?No(>O<B29Vo8Wf-KC}HZB<Zm4&A3
zmDDz_{IEGjH+dIV_(#bfbE$j9LwS(@KEsHjYF`rK2=Dcx+wAyQ#<GfWl+R1m&W|n&
zwsu{H8;>Ye6l2_|LUtZgkMpkbj!0|DiFl{=3EZV}ar$ZwK^42CL@2j$RxD=t8j(l(
zg+Ja3<!xI!96c|zH(~=N_|}bzeOzs1_-n?-A}1-fxqcQ>3=pZN*xVV7v)<;Xym_w#
z)ZM4UOyQvq&r>GIgqB(EkoHrm3ncDww)_uj#ThDlx>VLy=*2bWs#+H@#l1^VJ<YIO
zd$>0*{1MV~F8UFhg{pVX2Ac&KA247ab6+PbO5vX*asmf72p4tqP-_%22*Wkq{BiJg
ztUs}(l<M~_>d>iAtkF?Gw7by-FxVUZ>YVepvGDp`KK;-Me@<w@TcPv;>@$Vmm`%zU
z<rF2T=I1P)8)?wE=pbay)&}(*py|I8LyJ?+@4It*cb!g*PMhCn7)N@!0m@w53UA)d
z>XfE0P;9q1)jrUk0;WrxY+H<Cd^Fc)Vm>}d*@Em5(X}9H@6T4_zOAfySwo@)t&b|x
zfv8S=(q8e_gBwrro4Xz5gmk(_BPMBV#dWp~Ic=sSJOe9n6Tri?+LtKJZH5V6s21dF
z0;8VBDTxBLX*B)rpB}!v=v2=qnoU`d9Jb9UEi_QT4OhtVk2J&wzH6J6yW-TD%PiE+
zWFXz)G<k^hO!~Y_F(cW8pGP=M?FEb(4cI4v4l&Kgew;GLDSzRXpWViiHp7i%&{`gD
zSs8x2+dxOJ1}9;o8qZ#qR%Mez=FQ8g=UHD_4&5J87zeJA7#ySeWPTh`+yN5r4-ELj
zPzI8t_~K2`ypuzM_`s&zC@O?~*tLJ*$TA%!QOTnvu{t<HSw%j=h>mqQg#u_pYlLBa
zyfVb@9Q*F>8r8qB&Ao=ANMc5b{LPc%7BGc(pxpWj2g?D|<L>y5<bE5Y%UhD5T!j!Y
zn=2E_a;Rn+tnr1-^_2^--fRBLfx9Nu*}1AO*xlicmJ-#DQHrE3_zw2xmRu+)hL~yI
zDDB)RNF444P=o-02Y5_0It{PH|Ib-42iW4>;zY9YtNVE4Vm9yM**@v8clMgJ;8iej
z^+omViFiX!@EO*hV2dF%-DxxD;@7@|3U>MD{sg_G<-!ElUNbQi0)`?^@p+e$3u!c&
zF7P;uHGhWhl#b;1@W#+$vFI%pvx}k4x<i2bo}#*cksdAY$m2LvF)N9%67DO56L(bm
zv_lWJ(g(MaRvYSaq+u3r_}xve+3U=th!h1@ubida&3H?p>Xlim{OfdiHz3B!jjc-X
z2v^Px>48ukXL;_Xqg=k>#lGjL*tL$u=zD7uft<B_6OF}u(E1^3XvwD-<5&_<UZJwJ
zV5i`$#pV?O_Xnbw_B6Hw8YoLn^z6h5VVOe>d>99y&&t(X;2qumZJS4%hfj)BiE<Xr
z9-)7R08qy#V7Qf!ySKYli8NV4JWKR+-1+NJYp&0OpyVFgx+(fF!c%7{Hw1!XdTaHp
zQ-)d2WPBFQGxMvL<6?yTV0nF1{{*>V^*oPm@0{&2%w6>6=FUfIBb*g>%7^jA7Ws0-
zKHIVIe2aIt1d;QxH#l;i=mi-NQuH^Fe=W$mmbLTJX~oN6o$I#Es?}<(<(a?HGxEZ_
zj9WW2nANH|9Zm~qbSvFHpxkbbdAL8(gj{94Z{OtS(k`pnZvClNOS5(Zduv~4biadn
z-*2NqvsRqMA4vN9(%4x5i@AZI^-|Ay5qE<VU#S7-A95Wtj}sfE0WV{p{!oLG-zhFs
zmzBRdj<&;sN_BFY#GL7Tk~K`172%|a?p_jy(*WHDXpks9kJa6PRksf|7Hq*j-1pH$
z9a3E%aS;R>s%lHiO$})aYT@N^QatW^U^eb6tDp|Kx6?VbW1axX@4kl5x>Z*p7STX0
z7_H5Dy>>a+{%|Vp{gRYw8hY&kQ*nL+L=XCizr7FS;21ghc9efxp$Tx71m}Y^dmIm{
zfAM?mRCShm_v(v~EOfDgtpA=V6O7GAzy*Zq>-qiNI7KAgCbBG`=|ixfj56ePmbmcc
z)CF803V)P+PYxb<e;-^(iqiJpGj{5`_g92mfj$DT2`Q{-S>GltdA&J&-8NZe2%y9i
zv5VpQBUuGIK{71ED#sVJ^=<O0YQzv?5lvZBMDAsn?h12>*JIMTR(iN69cK8(<NJaa
ze$|KqcwVnQM_F!ge;RC}HFulII)Wd&9b6}CskR>MvVq{rXCG69(^2eDJoQmUj26J(
zMA1LukP0X~AKB-Fx45`O?|s1AizYq%5^yr%?-^kvlksD589x`E^WCTl=cUgC2Nrbx
zYmYe_haEkE=jZ1y^w%@pNOoC7x3d@BGs<plSqDLf!hRTIAzql~ep!b!WL#9jZqyhZ
z7*Gz$)HMoOf!{!Uvmq_-#rM+qm|UN|XQ)L7f_spNc4!WApZTd8nfmJlXQ-J2kLU7*
zc*jc>oV6zIa0S1{#R;-Bq?@BDb=9T}k#>gnvWk=ZSxM<J{B;-qY=26X<cGT%M0@?@
z{u@K&rK(!2^YuHz`0V}B>^^MI$suA8VM%ygp9l%h&YYhS3O9_CSlN3yd;!Zjd`HWE
zS$srG^sGwaL{dhzCDU|Xz_EGUIE$(xUyVDS(Wg)5E*Qalr||-i+cEy$&ex5+;|u$H
zV+4eB66m8#vKrT{nD>Q&Gu5&OnAS87hK~TbNMO}I^iPgDYCa`0{WrMCokj$)JQ?SZ
z(!ZqAsPc%kFth`f4VdO4=X}3#2FP0zzIqHxwzsCqThy}UK6#iqsh^IcO%IRUG9`5d
z1UdsRrvmwJ?^@0$Mb@$iRqt5VZVpOgo|HGED7e(YvjvatPL6E_;82aDr-Cf>gME4F
zXHT+Kq`h0EV*myWNqOPvcSf{%7LY*|*Kk;dO`~q?D!?roCIoLY^3wk1c-Z4^p}D!x
zhzf^LX&-+gOg(#c--dc+5AWOQuVU?Q6zzE@F=^rR_j`DQOU&ii3YBRe0K;jA*nij2
zmG4^i#_@+L9EEt%yVE*LWLHj1o+f5WA7`AVwlIPYvTS-E@RTst#*{^Fu#$X41}xQ{
zjFv(1_y)@wD@sX(*y7n=61JV45UWM9KGPP-L2yN}4b^s|CbsTJ#a%J3Pb)jif`t<n
z1ACR91D}F7?(UsQH%<y(Bl3EL>4LAv&XMZ<u~}Ojy?+BQB8-YFj5c_YJHx#B?<J$#
z=ZO4DH>nZO8~FVOKY3g48yC;N7_NW2Ny0;B4m2xtE7GZIFSu<UTgp~j_USi9A38SP
z0roh3dTGwoZZk(-lx<`kHtrlz7dBn0#=0}J6rd%Bafw>g6u^2>a20Kj^#ApHzcb5b
zvbVq1{cfcD>Z~eZPT16hEVi|tJ&>U*&Jz90-QNfCKjnQF!s;FGH~YUWy5HOW#2y$5
z-0|F=FbP`jOKw#=X8qy6kowKxlY*TGd9d-h!t|XCrX-U%@A7Ea49~C~B}ybcd^rmJ
zPt#9?i<PJ;@9ZV$nVPFpifph5^fF2;L>Yd2WUlpI^OuXcQ*2*I`P>#<HT(QQimFQ5
zf@wo#-1x+EvN%SyiOPormr9YXedGVGOHQI(|EG9d%~)koD<!jh?DKThvr`m5Rh{<a
zQ&p{pjSk}VFjH+?v`yLsUd)n0N69;+EMecj@+dCz1|r|03iP;+A*E3|<i-mpx^vLx
z`Ekal;m2*^-ySAw&#(_?KF{wd$JndZ7^F@{ow=Ww9`7tEQ1t2<iHRlDYs_6FW(gWI
z+Y%yuulYd$pzn1n$WQd6-`~9fPr5F60h7y;0WG=*RzSi*6n8R(A!Cf6!PRGeUBz)6
zs$^nr7=_+(Njx!|EI-*kl%?u}j*f%cD($-Li{tFxs#Q@VRQNd1#_>kVmha-#6-~>}
z_8)RAtm5_z;yIZ;KZOE@rA5R(UiEuO{=l%_o{#k5*-T;3ZB{n@qP#t4&tB)JPv%1W
z*r3hfTzi^0RPr_N>PE-0*2(Fdd)CY5V50O(n8^!&K2ctFt@?~t)}zMEgl$iv47GvM
zX#M?oSb=Ff(LNSj*Ab{584=S;9kw!0G3f6k>R##n`>D%5N3LpNRW_1=8@EnZn1tYQ
z7IYiO{WJZhnP!15z1`oF#`6dD1W+7q8+*@B4mQ?r9#r#LqowQldzR202xGY_vjYVG
zET2<poJ!NzPWCWotT}UL*}plYCm8WHk2rMlE6+eBmEB{DIjV`pqtrsI#}uhIK3`-p
zGmgt@@P4?np`npc*H_<`YX7RXw$X9%A@T<upK?AfeQMyhuz*M5dWFjh)pv-A5;*ME
zc2<ppqk#9g01j%S6G<4}D%AOi?8F!?H-TygaL{UW!hk>tO=N%KI6@i9!qF}mmBHic
zF+gkwMdyG!9N`l^PtK3{PHLpPN>i!>B#at;#jH>tYmSSICuesZ|N2JkxTHPUEL}a!
zIHCfuH<2*wPOTz~payQ52t~x(dctR6`gH@s^7K$yh(w3<FLtil4yXFbfH8ya1)rX0
zIo&li55*AGS}AWE|Ej*u3$KkauV%YiYi%NI9t(Z`Lw<$E3e}Q%M?QjL(7c>oSItg+
zTN=RJuv#WV*c(J7E*mtot+@GTybg7DbUaDFC&-Y}@2lw?3_LTj-GSM$#&?CxRx-Me
z8x6R%kGllkwLq^n$PA_T^axc+uMRpnDk>@JF7tP3i=n}uxeuY!6wA;a@}Jx7<<e&~
zC_S>4dmg(V#h9=hve_m5Nn1-aRheqeo7L8GdD>O{8fUvY>m4rjAoMnmdlRV`wLB{c
zel#{+q)mQ$565l~*~S5~L3&5}GGXstn}!@=UnVfV_gF+tQdH(O6AxkLqVBSxuKKG_
zf5a!fVVbO{YBw7%V%%H6^OZ>=W;-@a@!R`p@i@BG*=n(W=9e@2v-!Cv>B7kR%oXee
zGilcq8MQT4{+?>OSMR0mDgW+1worZkj{NxgaCUHCnCCVAiNB3E^PQm!oWQJ&SZCu7
zBG8Y`-ee0}6JOxZ$A_1sHas)IKatjmYWO1I4;hDU`dwK+4|^I+GHgpm4JB;%3IR%q
z18FM|0W6Y;=JToj!dHiX9rpQmHQ$f$FS(x|f)vR{F8YI|$ryb-QoK{pa>o{jF7xaI
z9m2`->WlS6qXGyoqyA!G*J4nuqJ7v1NEW*b#Vz|pB99eex0MC{k{I<XpN~&(c#m;d
zVJJXhVQ!6b)K{E0U^k1M-#4{zF&8t&n6s^s3x;eVR;NmF&_SlhG>gb!W&8fTf?@ak
z&TFHdIoMMIOpHUL#^ooaAcjZ7YlR1SB5+5!DthN<Yox}kG3lqQ_Kl@}%u`|b2C-5r
zg69TaU#AAq&i?ANAhQZs*GY?(DO9iN4+^QMUJSF}GE+~RJJqP`I$mA^c)3AK*6?^@
z8ggF@hZ0z5zHWhXCyh`}!yCtln`t1{%qpSNv!>H+E}4A_&Kmbf+=sO|4DU*5ZTx=G
z*;h+Y(5Z6gdOot+PV)MC=xh@dsH+(7xOasUn#RBo9hld}zrrB<_>kFV9+Q|)PAn#h
zpKxWBQCG~7rKke&Ks=A7#P;6<Z1MMzJJXV_49WwDP7rzFcpIXKh_r6WqG(l;tNuT#
z-ZH9=py?J)kYK^x-7UC7aF^ij?(P!Y-QC@SI|O%kCvXmK=ivVFyw7{TyY8$t|7K?O
zn%=c{RdrW&e8R7$@bId^KtOR4E`?BP%n&UHj4FrRJyyJzzMkII?t^{8H!S5!Yq7p>
z{?t=1#iE6d0a7$n-70CLLax`hnhY44T~E3O0e@_iV<v=qi!I1n{Gb_GmXO;12`$jh
zL}D>~MQ6TPI-8)4@}#xImLi>Q7?MD!w2P@|vEpq=A;B~3wJ64lMrJN;Y!di7HAc*7
zD=!^PC}MizUQ>Su;|$j)j<-#W$16Z39=0N@-e+aCI+(gmnv<d9O8tTn0N-Ca;)^S_
zEruA(B9AcbTZeFlRUv*}fLMeyP8|^?I*i7tsiqwYPXT#q`$g}sX|v<{+8TgicbJDS
z2wg)j)IfuSVa6eAEz2yxNmnq`mBvLdC;;(QeU5!YSWyJ=?%Fs^Yrqi+ir9=BhVU7l
za3j;uEmS=X3S9Y0y=Rrrni=8~RQL47^BU#7pG|nuhFlvkRbelFF0w7vMXUc!rZSmx
z42m<MJ6IE!_{0)Rs^TqI_9<oL?&E%SO1C}%CHK8zG93f{z^TpDXY%VP%uTVAMNkv3
zN$6W_?D3d=A2kzq*un{EI0|;@yMhC0pFKL^*WK5L4og9_%Y(ba5|kP3yGzjJOkzwt
z$5Oj8x0dXSoP<mGXETAY;=y&KS0YK8?O#L$3?3z-NKfOsl2e$7$KUHxs546i8{pIH
z=W%u<V&PPQdN%f1=BnzY8xSdtKl4Q=)0vj(m*k`;ASBm~I+oRPo0W8P^e<+pzwIZ$
zBM)tvy?_bZZJfDL(+%YJ?FsH5zufp=qr8N=^ibiVR5Ml13WroK;t|#=y7sQNc5a-Y
zixa;N3Z+6$=|()j1;r!Ja|?ak-AH%l6FMIm9xyy5>BBNqN=wTd{HcCOpei{i&fr{S
zfkG8D2g(WBOttX>s5Cu)y@t&zE#t!DN^n0Eci82Y6e?fbsQiiNES{HOtz9d>!$lMn
zEOtu7l~1~>$(!5mdFgDT&hMDqA`AcV-29qrp#Nfd%B2)Nzxp+uuoT}XM|R-%bc?Dy
z4G0V7$GD@zxLe(ZoOc=reotC2>rKE>-j(|gwVvL~>?vZ)&ng0h6`=(=5M)}r$>pQ!
zEIj>6&H@nXC(`fpkS_E~bw<fHo8hqK#ukM$_uquQQn{H9j#lbj^&+8>Qyve?=aIux
zujkfW1bgaTE~!qhi?p<>i@9_wZ@&8eE#9J%4Y1Fh^OphD^;Nmhrm_kMl4_6|!QW#4
zNo_QUGZN7*jX0{F?OlB(&V6WBf;k&5(gQYxdc_O46ye2dD4L!=IMQCakIEX|`7b5L
z<Ps6_3gG3Egz|D|9anfzH!Cvi2Ygjv-t#qGtSR%Oc6BmD-#<m<Da;hl@izR2f{>&P
z=QS-Y7Q2s=x<xXK8Llx-^;`uV{Ls!`d*Z<v;^V}Vn?0V)$%083&x&025cN-6u4ZSv
zyPkOsF4j2U4h%<&vF0gYU+ob+58E8wj7`7qptPI#^T@oXA&d8WIz#1m{)Q?G1$tH*
zQc>h{8GMtuXBG(r)bN#ftrq{OIh_WhIaT^}OsN6HHyr;W{S3uQ`Spk~oY70cm4xjl
zB+Ka3GC7pSBP^#)P@G(Bvfo^)Xw!#ij%HtN#?(9xW{K>I$be8TnrHa19di5&NU^O6
zc#qrDtCZ^S>yQowIUbTg;CHc;qlGmq*TCu4nBx3nY7K-<?pQq$=Tlh6FR-!+xqc>|
zUtu$|oA^lAjh9FJA|Z_%^rI_Brrvj|H=q>f#dk`9z#UbXeB3sQ5E+sMLMLbeq~b{I
zu0e=)jS%Jz-%64rkM-CKeHLQGR9>&DbmZGCQ+p`6$>V<|5YKoMQpp=O&K0}nfhB+q
zPF^+*Z@SfAiqP`Lh}b7>3ikCIr|)#@^c&__8`Q)P+$?5@S_GFl!|8ZYMmEdW0P6V3
zfT`P`iKf#SyZn1y2p<@}ezgtv?EkjKcn<e?7J^ob*lFpMp*;AuE_iAsXy>@^_(5-_
zCoSxz5|N(bt~<`_f=uHE*#rt@pg01}<0*7qtae`_M?L;{2wnM&$h5;>Tzxhsvs2l3
z=Jj4zLz{(ePj0pnN#@3Dj4%;BD8_=YFHwvuv79K^;=A^bNT~`VE>dW}k-e4*(It$d
zMawk=to%kSP3|PZt^CdUhx!Y~&2#j<&-+ux?Sq!@;eNlfSuw!VBE4W*$wAQmMnwCb
zPEGl=8zPCXyMy@rIB$D!UKV-8Vm&O{jI7ez<D_((S4^rv>17)+2$n>r+N{oNW3#^3
zg6j&-p7jCFG;<g(>iDIxJRPlebZuQfbPBx!1$XS@si$|tH=casHh3c52gkMkwk77+
z`I>W?r$EzBVl^>nrL82LYr5~Zvrr<fNfXY1LgScoQZhd;T){BsTxXSZ6~_rrKyq)U
zhh)8n@zdVf)sgvC{k)~S`*rToIviPe(uzJMo^_--O=@T<hV0?JjYbT9#VtT**)Q$#
z@ZMWTlx%h7Howck_SAIx?+SO{!6IWX;BRSG)~`}?8qA_T+P7&g)N93O%gMn2#Mlzg
zu4^<AgQ<xQUZmwe5(H6oQKG+ikTBWzmGoum=4#DE&XR9$H5+fYSd^LYwZGp<P>Nvq
zpScNcNK}CehDH-5DFj3LsX!QD|46<>Y6`(vent>qBC?e4H?M|)N#4~AlG(XdAf;RY
zl$ZX*(RXmN&GjN$01>zeEkFo-a|kx<5ii_PPd`I{?1|3EpUP(d&5{IE4GG1(o-AA`
z9$b}A_swQ#E6|B!eVmgSIcJPT;mfuZ6LG7l`NX`>{rUSM!)6sqw2)#B_1uE`>Lh9a
zA2s_Fg|>nV%`^qq=mdAa?u`|sQ?XUp7mwJ?tIMcfw!A*g&eyN%5pKS`p<If|IO~xl
z&>Atjd|k>63VvKctuJdS%VL<wNVrD{4X;|l<4$i)MgVuBT_MB^Tcbos)xdsVPShs<
z5u#n}Hg@_Q7uKXU#_fxZeDpZ{K=Xy;;qc`YT8&)+y)tS5lcpr(AhBjTy<f;>VLh|n
z+l51A{cVuLmeg!ckxqR2mWU|0{zGODcc7<YG!=H;`c}F$e~J8oRMAmEb^q)1nrwuG
zFGZ-LTMPfsgP&|8$zL$|It*iIrSCC(uwvf4kh|g<0{E~Wy(^N3ViIa1m~Ilopp%G#
z>mqmGK$*BoT!=OKTc{h&eb)edce`~#mm7gDWJ2G4fqJiLNuQPZcvrEg$X-Ud{bmyv
zce;ZT>~9E9z2P4}I0d!4c@Xa!>iO$K3gW9Bcb&3ynOJrV?j0}C56*sHmE9x|vHv=a
z9Se5d_%8;6yJ<iK;F`SxtDsvBvL2?1N|#!6@b?QHeF#Bj5cfg%E58!ov?t?}4yC~}
zI*msyPH|T?_<sTPpO^n101<#~L(|>rx<v8{=l>6OEa1JShKQACNrY%0F%%v4%jHi3
z$_0_1v}ivb$b}r3s8@6_P7x<%X<qoHKgOPu;|Ws8kJi#1Edv9KWn&WV_5t}1+1?Gf
zb|#`?2=)?;VuAETn<xh+y?b2a6G6476F5(0Yd<@?Tq}#%RT%v>y2=Obm$iM?BQkI<
zP!7V3-NNlg5-dBfnE&|+Wq1A&kSrivj&^tLiHs+Ym-5B)(%$C*XaR`oq(uc~kuw%%
zNtk7xxc_4jq5LB}g?}B?MN57j5(gInZ%Trd7T`|5bJL03>A>gx!kYcsc#eBl&zp$q
zB)ql7L!^duB(rWU>6#s03%8l2t7n%cnKZJztbO4(c*lXiq|KT8)DqNUlPaeW!=dHL
ziMYQWbD%kR>oUgXsvE<>6j_e*LHjEr9(Y4GM{fln@*37si=Kp}J4de|#?L-#5f@DV
z`8#kHy`bHs38DsWt=u@(0o8{Sf25VYknYbRJWsBC=$|$Kyuf|=lZ*c@C(}}Pj;V4F
zkGtA4)tg_@A;pV9r|ChK!1D{=rQw5)K2?Y>)`opC3ujWfsK6A82);bO<uy1TXLZR5
zfZE?T?Agcr$q<iMI9JLlV=vGF8K7^=k^DxEtn#o=L0O`Css0|{yndDJ{)Bx>^ZsOs
zYdf=CUj;8X@OQ6oF~R~siYHVbefK0EITNKWoZ!c`h4$aneZsBMoQz$0#Q4Wf8;9Lr
z<A?iKHEnTDXn7xtCf1p;)Xs_CMPOU17d6Y8X{yslaS9c(#dP>dHj2V+FmWBQ-u#>P
zI)~U?A&x}Z;uoiX5MS<Xh<K(k?rRB7j)l7bU&g{uYJvH9eUp!}3A4(?Wn3UP>T%YV
zC?{f`lu;NUX->65fAKl45P}dkFtr!kqFc=JNm%5Va;|-9Ou#xe)fJ&jlRCwwhL{l#
zW}C5ynWK279R=7B8>9{sEm?ka*b(p9E8J6x?MJIo03%}{nA7!!j~+nPj@1F{wn8^@
zYeJPLnpb<>IOCQ+#&#=a7N@S9pqM>o5tKl;MGe9Qi1XU-tBjd&>wC59qdhU?vX{=1
z&Ki5`$>bL%uene0&v-^UW#AX&TomQ#z*P<eqY+CIB|c(+Glo9rfbvo-FX0gma7HN@
z+#R8N<Sh@t?R4{kTO=0FO9%4=zXI@Hn}_nlUu%YT<6rrmw^fCHRpc)Nvqr8;OJ93K
zUe|NbQ%xuPl;Y@#$#N;g763&A&<3K1#RadT|75PjTkAv?Mx;iISRgyFV?XX0@CxmT
zXKsz!PxpAI#L3fl#04iM&x%4PG8;yCvl=1`ZR5%vtC$tSi<gAkh%?vL_%5MAz{K&y
zo$1~$i=Aofs*--ZmK-0!ANi#{w>P#o$GVmQrxdWvT<6~}<#*V|-RfO?9cCmI4>LuY
zZl&u2FE;<t3po7#t&ongJUEhov>@(2N$$6-&7z)(BwF2NSi?TfK`$Sq9e|Jx_d250
z(c3uo{S3=QT=Z(g*}3&dpuW@r%V#0j&#!zoSN1}%?;`dpuoQ@%@@%2&yWj$s((*U&
z0**t@w`NI)sOhW#MqMYDK|UT;Yczs{hOJaBopXQ)K4kN8XF;?&Pt>mdIF33DZT@*<
zek85m*5F?v)Y#6m<)7)zExSmo=jSwl%Y%j*x#&x%PY7s#kXv8%Krr$@6Y)7)INJ>E
zGiNB=_tbNdl*09dq-Wz8i6vfY2iW=Kf-DECQRpgl&rxXN1h1xRn3q55=JD_mAPP-7
zTHWJE;DuMibg0NNTbwlPZK#OuUD<W;*G9-)<O!QFLjuNxn|zpOQ~@I<qvqj+gpf?~
z)zu~l@YY&t^Tt~b!hYJ~0xx6m`NH}so=9G;1CyUS@FWCf7lY2wX6M*rbpEPQJ7%0|
z34)Jq79RFv(s5u2SyNW2CaO_`d<ne7_Swdw#{_g|V|=+<RDn%nUV@+8I3=0BU{L|R
z68oan)s@^*yf$IEe;7ORM&oVOh9kbED?u@$NCasdaGtR|tK6)ytbiS}jjA&}Xb%^@
z5ML{_cj1CP*m0KzNbAo!(w4X*^zjfl+p06so8|NVL(jL90}Jrm#&47pTHDSDuq(K_
zW-Q%2(NPp|S$(uQ=aQ2cW!-)i6edQzv&6nz6Z@Smpvx8O%T-%HVPO^hA1-J%^MZTq
z9y*9gm+L%tXT8Ib0M6d@p#B=;Rl)djNVSGY>$pNiq3Ml8vH1t_dH6{{xNb`@AP<RZ
z*&rtVgG}$)00Ib&$koghj^n_o1{D6UF2H-q?b8C@&^*W#|0@z6WW@i!>Cu3W$opjX
z4MhCq_CEq&^EeiE!*q|bJU^|`>c7@_bOL9_KfaiZk*P^86Nd;Pagag#%{07xcOuVw
z6@q%opzRMD;+2|4_1W1}AxN|#5UYBnfGv6`YDZu8duUNZ>T&$`ZY_t>?pj0bD%~~L
z#V$&lCJe9mPpQYRJ7q|XtXM>C#J``ku&TWv9E-wmOQS^p<{wwr<J(zZUf*+9XG2?y
zz_HMFq36YIENu4kk>rhU7Q`|e<JXV)p$P@?GlOUWECAkmWIz!k&d%4dU0SdOLOvZo
z4d|2mBg+#W@VDlAL<N~p2Omw;h*BQ8!4dyMK>tf_clTp#fZ0jejCWXYcgpN1J@q4A
z@TWA%E(I?RStMXn{_k@fk7I1j$?4%BugFncX4FzNYU<jUE4@L=U>&&QSf(O)TAtNJ
z)H-TWmhV6xdnet&M$~Gn2qm?g5rL(m%y^d9&Cq|30xn?(kE!(~#pmY(7LRc!$Aep5
z-5FRrbbM3zxu(}FkL!Z7CIcn0(**fP`qB{^c#Tt-#MuJjBb6O0Pk#78TVw90L+D5D
z7lMV|0C$}$)!qQAGv8%kEIPVZ+Nk%+C2|AD@90Mj_IdU9<P{EgZNwqE!;i4$!Vvp3
z{{5JPC&k#gooAoQan&yfZr=n_6l~kATr!k9m0T7J&lNoQJzdW$nWGi9JDpZ*?@BFJ
zw$^fXT%5|vN-xh<L@xV(&cf{Sya1kdrm3&GFTM}$eALPPuE$+vCel}$C9g5iL_^i#
zG6oT~Co^qPdpS}zHTttK`gHIswbjG+A6MIstLr4M*dw^L*a!?KFs`H9WN+ej7Yea)
z5gg0KbFMBsR90RPbhvHa%8P4c)0;B4&@!*%PC~Z{J^lS>F(m=}HDAw5=ncv<w$}8Z
z`0*UYa58LUekiG~njLPkWq;YvMbRv2`Cg)y@;nFspHa8R%CfDp%^gNpuid0?hwY={
z5*DRM3>y-2EoBKjaz=+UwAb2@P@S#_QR+efP6rbxoitwdl@**a^byic0;(PhPdMAs
z2<8`k@8}LWxsuFd1KwaS2fga|Z+d#83z^A$_^FBdOH{RyfL+GiRQ@N5NR{1=*zNkg
zoBWha(F^&cLP7NNo&Ds2`7?@`>O+2+WOySk3ztnMb#7h2>gg`^k``TNVP{fj=NH5U
zoc(5xR{=K+(3eE0I}Njn%##vpy})9UhsDjna~t$?pa?x8tKU&c`=~V2%(ErxRv+2}
zdrNlI+)JU7zq4=Ro!3^ztMkk59!swc^wx!S^Yw1@nBqD&^;p?;SLW8Sb!EW*GCF@H
zJpRU&1P6W|Jy}cI)|OV+alhAEc#J`%CKuet2>G+5B}J&8po<=JG&jxxt0Cy#0*85#
zja}u_)jUBnl0#QjA^t<;_eoj0MC>WUF$v>4cx(o{r%XTE(>U2aV6W5Hzk9leEqf!!
zy{h!1EVrSXi+c_TvYSTwTqkmH|K|R9hJW&$+nM$>DHQ(gw$diXD73dXsJ^|cuZx^D
z$<;bdIJ+E0=FUDUtfu2q;n$?lW}``5n?{9&;QO39%X@bqiH3d{{|wKn2W&uQ_-zvQ
z#Pi4LzIR2r1lC=(Nx;4MpuRcwo&LOh1BM8U77X3sY(Kt7L?Zl~tGhd<WTqstHce6z
zFlN(c&-HA+)?#t7DgRlO<3-C!cWpMz+Zu`JoR9k|?m683B>08vk;|h@qByWH#O3^D
z8!xaki*fdb_ZQg^<7pLwF=me$@<SQR<=5WmR#ETkno7noNLA5y79c$M&rm%XF)Ij}
zK3^mcm47;KJH=Tj5{3ENs8rH1*JmDMFQM1tzg*7_eI}3>pD%D`ufEEhwyk8tZ-byg
z%Ba4de;1wPC4X+B{d1Q3g@%t(6n~W&4#<qR@oH&_P|Mj2?ZV3s?v!L{?YXOUNlrd!
zv3_Wtw6*68u<-Zi-gCRy*!H+KRGc3C&^wM}4afKC%^m+YH`Obn7XY1?sW`QZSc3Oo
z8_?X>NJN%?9UOCu?ECJeyPuv|PVr6)zy<I=9A$cLgVD<Rh`kghj?lmrkso?3Bz+p!
zNO?O$ikS-r>Kp)z5^n@Dp>SQUWu27OY#Il~sr()w!{c{1Wegvb+ud4ql);*Wpr;#`
zq0i<}nCf}#t+Wm1)Bhe>Nv7j{m+CJ0F`iM@gFR(S`YH!^##|e0GEm>(G)&rB)+dg}
z!s%MYI3=|qi7Z58m8bJ7#36U?C)l5K1}h`(+Mv&_w2I#UQo~-bkZhPN!fVu#Aph5V
zg+lqsLAzx6$&YFPQM3SDaQhH5X*^!{tIp+BAh&t~Xrps1Gz7=Q?Xv$sH)XV`8_HLI
z-)ThluO6D>FRn!cC1vJr-)#VrR({(^gu03I<geuYAoyYE{OYVHT$&k6P6a2zl^7<I
zw~b6`Fjl`R#roUOl1p-5d}hqMMC$agWBYAicbvZ>>=XCYI=YhN&dmrv`v?aP710mR
zCyN-q6#B8jpnzadhBKU(>NVwvP6{&lD)a~Sftc6lSW`YeNBxZ&T4YQk^(FBLikSXv
zOSD2vN~$K7`R8t2N)sS^O6Qp5D{E(&hPQl6XavYA`jx^t6%4^wJ#P89Bvm(RpM3|_
zRV%+Du|mxkx|!fMt~o#R79Zzp7F)$TohM2||HeUYbNTUWfkU?Kv*D49a-~bTGwvCu
z+t)WI0AY=8^=|dDl9`E(t%Ze!*ZZ|?d!I^kDzl*u%X5DCJKnR3*wD=;)M{dJFYbTc
z6*_%+^<Hz<heto@$FzoTjz5%=*^*VA%x9{0*FIJhuYBeO-F+ylepnnj#Oaxu;hXhN
zB|TfKx6*8xT)XzQr}wGg*JKxsbVk0SKRE$qa}Wq8M}<dOmG2XFK|UBK7UTHzZX*7M
z`?z3<h?}=yP@{MF-h3xFkEDM$n8&G+7a`*_{>eGhnW*WWJb&Pb2`q;8i(PfDN%n^3
z^(5gXS63Wtt|N2M0%iICAjH3&nmrWgl8aj`RbrAvDD8uBc`G$2zH8Ry>@NSYIy9tv
zbB|f)3-49-nLK)^%6fd+>+N5Jdm0iKBo(Q0WJauW1k!;?UA%#4V9U^Sfi1Qu-!$v8
z+fP&PzvV6CY7ev9nELeLzRPEVrGYmT6OW3X(b^BHx(Bbg6Zt4Whw2GP^EzE&qO?a!
zz^};vt2|!;!DxL^zOWrLJvE=shTo_EwHwcGF>xgPKcbV%-xHaibSnHQIs3wZqlB}v
z=SY#a8m3jVSACfY2L!N%lY;6<`r4a-oGyi!_c+_CbBK%|eJHb}w9_yGemI82)(@m*
zls3m$A0^@gR8Y9PL=u^HG6qlc9#VJ#uKLOlx4IZhm3-3xol0=6t*YBx>&37f_wLCd
z(cV}IA3kecUxgnt|K7AX0W;{Z$o<HpcsjGlXQ_>ER-ivOcktX>aMrJ175A*vx`w{V
zD-u`oz~p4Xd8s13uiC$LBrcH*mt2x~(?>0&ek#&hKd8&C4W~sEAq-7?^g%l2Z|aO7
zzFvY_pAD3fb-h|)1PXkuqCN9B(P6^zK+(F(o~I>GgL3U>j}2UA&)_qyYf~NfYo&)h
zTt!aPrqD(r(A6#x0q$J+{0{+T0)ieY=SHXNbGnyXMa^?D&z@9sU@65<u<1EVpC1);
zSQ=9rRp=dtX-((5M0d(%V(i|!Dw&o+TSLR}Y3v61xFk4a^GqdD-J@v~&BZgx->3E}
zjas!WB7Jh?t=}80Pf%XvRG&%zKt3z|iUy{k3_9z6PiXRw@#z+dzUOLD2PpF1A?{Vy
zgI1EfX_ZT4eL6?U2O=90bB8w)wm2~=a4uVho|Q<ZAaeik%j&Dl`Z6DR@SUbyk3gQ$
z6Z!g?SCseoeF@HOSygY%h>rW4lfZhK^@?&jrgra0+_u-^)?@*9jhgnZ52Pz2Mmy<$
zsQpB1*lR)K;fU{df2<L?y@^R~Y?~zFEFtEP9)4y&<{9q%o4>1wzza;^8!9R0f6@0z
zGh+f<#BsjZPtt0FlRSqvpR7M6IePo;gZ9{QZ9^W8ZkH@H)rsLRzQS)!;{JdgDF|bV
zwg~!r4*m`b-GlbO@0tKQX;`?QGK6*NRxT^RXW_w!Q-XQ0C#25kN2#JBfB%`s$)(sp
z?o#q4Q-BA5B5_s^P|20s=nBal(v2c4OK-zFyl3_(&eh{tx&Nm@<0|&}lr236{b^xW
zv*rx?IOPFTdHo{h#HjC62G!xt^bd{lQ1eZ3SV!c8Hu7C@f2Gvfq$~J3S$@&paGMoB
zDkAD#;6<_SeqS|K!Wn=Pz(cj$oxdf+bgginl7dq9zCA3gAs%>&jmOvP6d2L1xmh)k
zTO0A%V9>tQHDr^K5tV(>IWIr^@uyGJ(ISJF8d2pfs#gC%;br%BsryUJ9rJNE=8X4c
z>#o(U(Dkb5%N4qbp^qBT510SZ{7;dQ`ClF7S(MIvGy~AmzU3!i%e}r#K#swb-hK*g
zX2+?7fB8@wnGhXF8sJf%_zvZq+gJa^E9_fZ`XByJNP%ucSo2EzOkc)eZ6p`I+Aq_P
zRI&eKFT!$<w<E(_3t>L58pKX(hN}-??1hHm$Z<5K>UsaU)4!-8;f!n0gSS@H^gv3%
z`sxQ;8L|lhW8%w4OuRy6;<qq~D(B<V&gJQFd?uZ7UVAAmiK?1v_6<S^#{cWz#h;;g
z6J716h)CpB6y!;}M}}9|mW+2Twthw@@Y?EqTf%nkP`vcfQ7N<PI(ViIK7aj-ZU?mg
z*%b+~s{{4fG%h9clK(?!pP?8%0CxlN;@i%{m$x7EU?CAH%>VO;gkp5D33eR5Jl*0y
zCHJWVzq0*Twg2OM1i*WZOlb)TE9CdQ!pME5=5tbJKfl-iuLnkHCWq!I^%J(@f)pS{
z(pgnct)nZ&A2&eCy&JT6wwc)!=Nh38nGU%iQ^VoqlRf$61_`JY(wW!|?2fn{oV(BL
zxHHv?k5~=@F8%o}9kLNKu#3)ekDjlp;s<t3JDioQu?`D>-d0*-M6Wh<3?WzXl37CJ
zpck7bUwiA6a4QeV6cS73EgRzfJz*Jjn)4;>=;nDVVHO*Q2PN}a=&%>EyP<d^;IL|~
z(QN#*=YdH!4Z!qZf3>lrSKmgxxqv{Mpf6qCJxA&)Lc&1V{4)tg+Om)uFfVe9;w=k%
z(XjE6*-@NWXFDAB@V@(ylzO#%rN8ZSD97hAlj&ki{>!0_<s>6A7OD4W7&5$^?4a&4
zvt(pF(N!n;t-wthMT4E?9W8nhS9rC+TzDemo0H#I45A18#45CrHt}!iUZ*cqDwF14
zGtwHcdGF-nMhxI%o*hMBDc5a?^cupezGmdyr@DR3(3ES&{Y*DTuar2Ic#(EQV>ope
zY72_Jd0jAskVS?VN`B*Y&-P+h<Xh~<XG43ct};Mgg1%*?12s}sT$Z37R@CK6-s83B
z+e1y4Ul-skR^tKA-q*KN{P8|6?O(sgpR}ePd&JIvK6+V_cu`P8k}P@sqA4eY+<m0v
zB5##UGQh|`M|}1p*Vmf7BA6Ds$ML%Z3dGzT19v_J|K8o%;4MeU_t&F`Y>5j|sREZ5
zlQ}G1ny{H|2AS`S#aTYze}5pvV-`zVTX|}?Ub?s-$YuBp3|X5%I-m{JX+%HZk-CuD
zacC|IWV6J#!3MU}?W}8TmAab;H^7yz`s@h=^MMajR)tX2yP^?r&xw(#B*WD2&!(jN
zGI@<&JC;u)wFch}F-VEhu_vq{w3*gLw8VRoI+?!LH{aGKv1WTo_iQN;?HP>))l4l3
zh@japl3f6}IRz<I;-rmh@1#0AI)#GsPuxI1ZO|8(W+vc3DsMChV8I3s_Q>a9_+55m
zDugd1@C;ZAvz>jl>aOZ?_#UvNq9ReFS+cUaqE$u%QWw@v<oE;1M<^=YIX|dfzlF19
zqv7R>JyTaiM~tRo+JZni!6DX!mpyZsa48RIVMwvxsLu70$L-2v-%^o$an^q`JCr!#
zA!HBPo1H1ukuOS1CTNF>TSGs3T6b|7p4>diur%@LI>K~LIgRSlHu#a?5a@nYOiP*<
zPen@BLyB&&1O@Y2MjZQTP7T0-!UJ15m!?atuu4keI+-9`BbP{>5bvAU@(Y*;8lr(y
z$097+JXkA`qzepvSr!`7OkreaX6DK$WuO!>L-Tp^VOrXvp&7%GL&sY_QS8{(O%5hv
zgmD56w~p5yC)skUZZu}346>d;P*CY{>v4`z-y3{6y#wg-0+XEm2vOa_p7q~V(-2yZ
zmCk_0^$0530sAa0#brHA)>Nvz28IL#&Z^>^YgJ=IrA$sli>>8C;};CZZkGwK>gAj9
z44fEpUHM@XNbv7zUoX_8$5vR8j?ZcuG`EIq`8rNN8;h=Tuy1bk<Qv=Is4gne&=UeR
z-+@(WO^xMSF@-J3%@ZzqulSRrEF`gKLr0}cvgfk4Ap7z_q~Pxy4h!NLbm}8%z9VV+
zgUF?INwn|#p>KYUUUEmaSGMz2zW0ZuwFbN$B}ysKUQGVr=-9$qXpA8L7n)cb!k=u2
zf?HMCOC-3bV2Y0RPZizBu6%Lt5mct?bO{h@J9p!m2t1+m0wxFT(M_2p-Sm){UV7rE
zwZwe3%U!lN`DL-uRnh3?dWCcSO#&I|I{^;d-t}!ObOVuB&E(`<pSoSGTzb*?lK9(8
zei-3wdR7?WRet<vn4id`=Aw+V8QpzYr%~sO!vLNrZE%Z}s2-!8zJ~nk1<UO8u<18_
zi?i2@r`xX;^RF+rw*9oQo-%@5czBK-uk=s1#`UwST^X0TmX$dK<<Zcw@*GX0#>Xw(
zuf;`ev&Z1AR&j|wN9?(L2|r8u&WGm8QJctT&h<?Hn&jG>^*T~bmef5QFKvcjVd>;(
z`=KbYavbCc9UFgsDz}4nU0k5s2;xu5g!SD!-!`39M(t#!g-b7OHSqi8&e^Q=+>?!e
zCJ4)P*3cg;8tGOx%U8ek+<@>AKG(!DS@LHvf3#Mlz^Ro_pgC){5a~VafQ}=YY$%rO
zm2$PtC2@cSM7z>{CD^S>(a1^9!v4J1t>i+nLo_R;xvOR|={f9@MCILrRdPa{k<>A$
z0rArq0u(<j*)J!MV3Jkz^NaUl?=W6ulOYF_1$u=YNO~(c!=n9trtFj^INtmXW;U&w
zQe4X%*RZeRB~7f7O98E<Ay%8djP%K-LYB#_ZUYXy1#&6=REX_sj__=Bx@WrB2pl<o
zZNsBV0@3E<Bt+jN?0v}g@UQRWkdWmtUZS^I9O?&;bflib7vemZFr3Z=LTOv3^%^r4
z8fa4fVk2e$75%$%GX2@w6t81pFK+#9_)p?Jm$KsQ;`>U=a8^`u1YJ!T8qLlg$jY)g
z1eCQe5Syx?Y^0f{dkl(FgTA22(ZP=nk#s*Q^El6nd~ko@-S-nkKck=E^R;aEbzI}~
zw%mPR^a@Sn*ikfkqYUQAgJxt;g?hw`ALe3ZUrG%;DZR^G&e%xmta=LS2h;UqD|fjw
z*4JEPlDbo47<_oQf|J*`V|ITTiL^s;uZA<N%SDx>gj$BkHkQ-ES>VCNmLRb+*u_C=
zRX0GbbCX)nHR-|wIoXMVlV2oc4$ZWAl*+;kM;e!Q{_t_5<KUzIaiL1gyKw*ZjAab^
zno%-3PEkAmbdF7M8%!38__ph`_EJ+8`R*6@r?0!M&12W`uU&kseRzj<X0*nwPrPyd
z?1xYJa2{bK1F`XI|86m>J64aU>?_D&408ejPNQaPpWK;dhzH}4Ad2G%CI3s?RC=SN
zW#(E8F_T3V89O)-DCULpi1KsuJvN7ia{`*H>A*l7-VU0j)~gJ|g#$KSI=G?52HUeY
zuIA9YT$pt>c++>F)n+4cCGUo1v}%LP*|Or}uO*4;_*rgi-S|=-d2SZ=L%<>t$z8c1
zu$0B*f+h&5Xj;v1=%z7r{p1y@$U^4ln;d`&PjuhupCqAgjnk3^AQ38wvbaQ<z?kf7
z)#8U;!>V0?gP!3(508xI+8*fQ{)+Uom=R(`4;b@KP&hrcUyqWCAValn6ZPO%zX!+q
zO$e}#;b#};<VLro$FI!_tj7a~#qjl*ovwyv(Kl?A1x`%b)$O$dP<ATfn0zIN`~1|X
z1~1X2lpN}tg#$12nU`MuRvj!G9h_-R58S!mx;X73?U12bhZ(GDw~rlD&-D(vJj@qM
zrJ6I;>lxE#COjdt0`KqT*t4u0i07cXGn-_hZ4TZ*fI1~h4OS!<-j*wV;e%gSqDg-`
zb>h40L?XifE;$0j;v%gWQVa^4cld+r)qlGyHk*HkQty2ZY$DrwM^o5uNk(w%fHp)t
z79TBnX<DDKNIsEgSFF+^!z`6zM8>z<gDc{-A?07Sp(xSsM<Waw;%iqpbL6-~@ke{9
z48Q(dGLo5060?vxs9Q~?l>2>M7Pb0Aqx;*~tW_mM&JCw}7L~Pz)z@qrLws4fUn5w<
zNwv(k<%Z@%meBC8CYCxE72O?W7*SN^vC?^KKU`{Q4M_4fzAjFH>(kQ%V)LK2j_B^M
zd|@IR>>A`AX}U*)4ohD0pRym7Cfj1+Z{;Btw_64qLf31T6_eMb4GRzb{{@QlRJEi^
zK~6fA*}p+!e)9(*__psLXTma|YTqZ8btqb!)k{>XJM!@siW>@!8;=Jf?TL7g#`V?L
z#QYOAF-dKUofq&bS5WnjcUcnJ3|Bt(Y{G;m|9#q*$+;p;CL*AhFDN{@K>fQm$izJ?
z(w$J~l?r}~C4}6TjMBFuA#U5a6-59R9qLT$-j>^xfm+Y1zHSR!o`L?QlYX`fvUa{;
z`=1x4i7D_wMJrwLDo$IOGMc1%?DevD@P%K!UfjYJRw(hX>j@@i^H=9C<2-jZIB!TE
z2i{3x0n9yJ6qIW@A@&j)7{6w}$3?vb5ktK^`{oEaB*c|uktO(-8J|!t{Pv#H5=CuR
zSC7h?oo)kB+pioZy=&lIwd=G#)x*M{uJiaFqc8tgs}3TeguF%WMQQF~u~Yr5<PC{(
z0}(R^61sCQuf8^C$A(*Nr~B+1{o=r^0&nJfga8*=$-j>IjXZd2uR8QfJRVa^<MI8$
z<R$&LFWZTS03RJUT`ki?Fsw#&qgi~v<U`_%9HV$^{HxL*A^gjjb!vn-xxefz#*HVw
z$QtiosA^@2CYZ2<eYhXCk(yLC?GUrcC_m;*ZEWBXQr`wlgrxISHC>v<2bANhIVE*J
zt3~oXyav7G&dsKn2?-YZkna=UOaMFxe^x#irzIVy`x5f|Ay-k4B=}}$3(Rl&;$qDd
zP9rPLbDF?u<>u<F)SJN;X@|}<Ao9iK2p{zTIo4ZKnPU1#IVS>Jvmg(Bx$VK8FNfEK
zr~QH_vxjIPenykLR8Sh@qh*Z)c5|`jT0vz&T`Lx+WwZTW@BBndtb{ohRy*n#L_|3i
z@f@kyfir?b3XJ(d%amC6mVw^~$T2F#)~`_bx8Ym#p|MQiS;7)raRV{CLW7`$_jEWd
zxZQGbNwguDW`LrTB>G6kS>aLBTn~Ho?^A}=ENM$1CqN&*W^%?<6&^bS0)=t42r0vp
zt}Ki|{*7bN(odZ#?@uJYG^lcS#kO1C`PeBr0Fv0%c6lq0^cSz&*py4++EbnTs(1A1
zv#z{^+0>rhS;*H(vn<u6ayz<6pwuX|a8}>R$O)!;cyP?UIT>-2?yrrD9Ct_qVe5bP
z9G}gm+68}~e3ja^wahp?sQo=6t31d~=*PF&{o{EbuF~pR)Rv|$R?(oeGrAV=rj_5-
z1KrZJTyLazdCyKX<dvH-ITWks=>_V+Ym;D7VPNW3Jh=Rgj<e%$anfY^Al9qeU=rMs
zpGQVf4ID1&oCsyCmyNaEvZ;>q!L_`Q2YWaZ^8Q#!A7RCU5zp2pg8vqtrm}3ZTLcfI
z8vO>ei~20&+g#fD7Yqa!qSku=lrk+tuFG2$6&>og{<JnXtKZ%9!dSKyLv8elPiUD2
z)bVkF(Qpc(yrtnDH5s%Fn)XbuL6I^pdb!0>)NQ<YNbz-twzyoa@2~&DKa`#V>1~$2
z@$x}xHy*Z9J}(Q>V5f{yJ23XueAofipERQ(h*g_4S(7u*RX501WcAy1J!3ZLm5+zz
z$(23f_Uw{w8h1D)VC+?>qm|{4Xeo);F{ZNi3LDz@1Uva4C=6+m#mf_E4Zl|5Cym1w
zC38j$%ek!^clIZS0bO}6{$6o&6GMdp4P0Kz&>}1SI-Xv8D?N>^16K2s(Y2^Y(h=^@
z#f<M<wSZLTQwpjx?+i#W=lI9FT<6%mFM9n#-Sq*6yHZ~Q(qh!83-ziB`i|$e(i&T6
zhnLX1IXM`#9sLw|Sa}=zBWFwWm}IFVj1$PC<qGa;TQVpS9#qe5GRZ`8uqvYOnsM|K
zutGN8xhzr7seMi@GyAc>80cCWArL(xlgZ|Sn$&V?H5XI@Gx^<?r80suWU$;+mvg9H
zfDkAc^{8V*3RiD8=&PntYGt`KQovc<th1@mvei|iSoWV!=K4yd*L1cA!WAhDhV<xB
zc#XNzfPY~_7IzB`N|S-^#@lP%gvaM%nT%t;WUCt)uTm>;y1+6W{mq?=#Zy}ezrQ<?
zFYdW@nU;wj-d)|P4&;HoM`uft<57pL&15SqHo+OEnG)GYcCc*ucm+Wg_zge#s>BDi
z1yOOYoRP}x*L=ozo)-2Dt%!t*@6wC>4zid9Uay5zBE_IcS?&e=*~+Uku_7WPQkXdA
zO3Ph^v(b)J^LXTSCS^w%ToSuO8H|j!DVVa}hsHKMKs&&;sab3on3h20<^bKBwSaev
zVZqmTIWkmCm!;`B0ym(xU@$Bx*+PhpOr+h&5P&6wETtFL&?*Y^SBOPTbcDBZZ~Lb4
zduLuZ$C8oN**UD{$V+R+_{_1K8@*|8)XH`fx_Gq7B+te1jsf!8J7L8fip~5Se-k~S
zo7|ZxYh<SWK8Ul?(zOkJoZ+(OsW(@kZDMFLxjuJ$+V+Q20p)LZnbCYiD^hJm<Roc^
zA4F8^?HvH<c*Exlx7Lhr-m9Btrxo^p<_xjRd%$ewHKZ>DWm^7!^X?emgiZHMl$%n1
ze`u5aRZMuad`vbb`zzh57dU)|3RWe$Euzmlt!dv!=9cbmH+93K&#Y+J=VM~9brSc~
zNw$t$qBofkhBQdD?1(W(anmizi)LnmX$ajwDsXAO)PCv*v!Z%d9=*c+y?TX#tC6D-
zg!(X}|Hz;gyy5F5kk;j7V~J2&E_>#p(SfhEGrB5k_f}e!HoJQdvZhM(9HS<es01xv
zNY~(TTP~oQW5baA1)$e3*4%bBt1BLzAP+fv2YCG5y;wae%IEJ{G+FHQNnb83yZ|Y6
z@RebXz`v6(1{O9iW)i{65reQtpzLb82%;Q_;XzxmLPhR1aFy}4$<FH?1|*EA(Y+=X
zZ_0QaDL$RzQB!U3^d<*9M^Q7l4W6C8osKo4n?`Uk4lZeFORWR<MCUcHR4dpEPtR>;
zSZ(y-I`R2@zL)nY6zL}ZvNni3vD#sYy1HsO;4p1{vAal7hCp)Pdo(U(Tc|EgLn_TD
z#;VEPWASPo?{uIOi&}|z(%}4nI?uO|b-Gb49pDlxr}IP#V<TSV%2~XE$cBVhb*tSg
ziuA$SJl*Q4G?wI-&%5BcZ<ruf6X|x7#N*&m6Nr5amBg*?{|ktF49vBx%ZwGaRyMq&
z_1>j<nzAjxBcd$#lTyd;Yi`eLh)<%3DAW!UyRmR5uxhK44ja-F2`Ujbg+r61<J=;p
zlB(f{F<p2pb|}7avqIpZ8sGR;F^OJKhG(XwCn24AlJ{^<bm3?Tz|$E$J{7ncC~oVB
zVtVw@0jgY~y)?rd8W*uOvL~ao&ka#v3nol>U8yVE;mq>Cb0_oqF>sjl+BeO>jC#}e
znMLB!n;-Ied@NWd0B!j-(f6PVE`n9-oQr;F+nlPX6~|c}w}05v6Q6GKiT60-%zas3
z{X)!R=+1gBNx~2zRW%iBBbWeJ(@%N14SKP)+4Kv!u2gBQndV8AGe!K@YpGwjff<WG
zl@?=F$+&M;`WHu$(NuY8_ZM*wgXO$dqnHqNFwcF9QXWaxdQeMu8u`kE_4-7MdS{lN
z8+j~4N~nzq@un2+3w8GmG<$;y8Y6?CTA&bfupr<kZY5%oH1VmaU7*w-(TuLqu}31q
z?c8eFV#p_H9cBFSdzk$u%6di)jDdrWH()QQq<Zb7#kzL=#MZc5$fEi+1Bm$crQE2A
z##2sy+_K{0XPvBdsSg8tO5@WrR&sBit5SAzjJZTvntH=%+8MFp->yIi2aEYkyes;v
zSv4Y&jI~}+S7lGqDzS%>9Tq;}Vz063hDlmm@GzV6&D!x<M~N-z&ApC3S6?eTm$I3f
zLBb#F-m6sNQBSEvp)GQwmFtF2%wXKb3O^3!%#_XS<|yE{WmR_M7sgb(+PEGrdO}JZ
zGX6X^A@(ub?XGtq1)fQV;;<d1uN)f0gEU{){)FTTgx^GwlBC25O{mD&qWdE|Fp?&s
zq2J}R3}{j3ECWc<qoK@9U1X{8Z+<Qmp88|y2$Fou)?f;GjvEZ{W7dZK*AYTspxZ(2
zB3|Z<(MMa?E)wIlj(qdZ^;=Q<l=4TbRt@&yFUkTEgJ@T0@%G%=*D20c;V*&SgShtN
zQ<%C(glhqL)jooDiZ6)Y0yZvD;*p9Mt=PG9PXRl8NPf4;$o`LWgg(g!J15cZQwBfq
zVW;$e^c@sgF-ss7kK1$M62dO(X1o+I{BreMOibbm8YxVMu*L5Sf{w1c_+n_32Rned
zQ&gOaJmZJ!l!e?NA%EZY=vqSr@1`%qlvDq5I#AMht!AK4M3|f1W`4`-L4xxJ9*Ti}
zUH+^fI2Z--(Z7KB!Z8MKx;C}LdBN+2p&fcdIDUpkHI2mg1M{pO&=Uk$mQ0!$7!oMM
zq<LYrNbx8HMnMSZzp3Yd$1)2Zwermn-Eiz`=!W_rJbR1<^ir||k#na+lL(kZGp0`C
z@O0Lqr9V5c5eTT;h4a5=;*r~8cRh>y{QGWUU|qOnPtlX2r6=fLv@*@gMKi<ak`eh3
zzfa53a}dd3{g`%Dku%VO41$7P`N{(Uph2kAD-CC@!_Hv)k}sT=sOH(7SBrI7P4fqr
zA0nTi0B&ZAD%KW#=NnBxseC<8b$VZSFD0iLpH+LsDLqOk_u7T!A1!<BNdJad4*}@(
zGQimz)O$lCE9Dp!wPIcl+QVzun2(gNcVX!8s*tb~_}!O~$gmyr+Gw3(bdb#dwD0RK
zbM`;alx+tnU){8QPp-ki-$$nEaidQ@a01YAM-*3jdyl^X?`+)qHT&h@kN|=!kt=Ez
zsxOMlz20*QC$B3Mk_EA&LBZxT9`-FRj9&CjfX3Gnesx{KO~^Z)nXBkqidu`gC{4E~
ztuT_L95PPZnw6MRfU(!_A>Kw&+;G#TZU$Us3A_it`h+4L4Gla~_-!hCk)l!hhE3c|
zqQ7Gd^H=~eyVyh)2v%b;GODibz>Kt^+_1+Ub1bRtqQ|!s-JM3e)vGc<W13yCvDn=u
zh5yZT$H8{$1AKiA!RG-+?p*q$s4G^PYk4rjkwOM93J)0pc^6;X93o!Moc>u5AWL6U
za}y=*5d%E+gLcP38BhUH2efeSFmdS=kM%q|vmkz2>cRCq5C4x{Zv6@YNu@DYg1(G@
zU!4O8{jIir0?3;jUn$Xgp}GCN1O##%P$$~lT*t$nuId1N$@?0z*B1nR>On6&{yl&<
zMbJa}>8|3#0O0ycIA7$xXqT?#)SgFMjL&Y-^rkS7hX}`$Gx(VswWx&nUsv6MuZnTd
zOZ$y{B!6CrYqp%<uKhK(zfOC?U6LMa<g*`Jr6<Srv(FjlY(xVU{0z>nm<q8aM4MEb
z|5xJ75BA&q`qkb=f3Vw%;ueSQBkri^no79PFenA;gL|}#;*puBm#jZv8srb>Pd#da
z_6ip#`Q@nLN9ZVLM5vW#pk~H^3AK-ye@qf&Bswj|5O*T;$stRcWscNetsJSie8?-v
zoZ-k<8qSD@m^tjw(MOjwExGAP6)#uf(Q#jA=-7^1Y|B|Gcfo!wxib2>2g+3qmZ}%M
z@7GZk^@UDk9mEvOc}AjFVqcAxW_r*u#mXmNNf7zjO@AJtL5eUPNHKl~*m)|Xcz{&I
z>cj;_!j=AtYct`B1VtaJV0+HAle{sZAK^US82lKeQ7V(>M5<)|QMMBWky`Idm2Zzc
zK7`2Ars$vZeEh3}Pd<M&4qjP)Swa!8zOoS^R8%2E|9j$dk7a+((*FBQ;gza6D9;2P
z9GT;|2jFv7;eLvBP`&Y5bf&TKay#~bVYZ0#*O<Q}nC_?Dg0{dqelw8=YkYQ{U5$)6
zYpRhl#KIDqj7{bmFWEslQ+HGRIEF~eNGwC#A|WPcl2g<WoK9k0Pz{{E`5}@y_hOZ~
z;fXtW+m*FMS^EWdx+mK~JAK;ibIT9mHF|h&!wW<1BFQSBn?(`>-J|2~yx^mTmkVP$
zlV4j{fa3g>G5;tN$+5-H=$N=w6XiFf<RK=RB1xk&?}DtOH7o2*{CVs~MeKJe;N6;<
z7mWWI#vc^HGHDh`rfQ3V;--z>P^h{21^&(N<%Pd~0uc54@%Xj6lBhn0WPsTr)C1?^
z@lB0wi;ZW;e96~GUUZueoa2F07Tmp-A@Ae&c2$~Ih^#afvt&1!NkUIwd&|Mc*nL6B
zhkqc?x~M+7z+6<jO*y{T_9~2um~ZywcL@S_Hveh|x}@U-Eg#5_=^6!_l42>4Mdabe
z#5w5jDE{cF3{5La+-I}ibVqy5B;j%*6{BMHh=>#=!*bg05t1?FHKgUt@X&cl+Vgg}
zkC2N>mXjx*6pOknqw}{NR1`VKPUVJY_@H~WeK#oQ*3R5yMu@+-y4vJIOS;&kMu<H>
zJKGh)N}IpqZ>D=?U`&s_&KU9PLG!c~wUJ*{<X~23?WNH~3Fh2s#gNlk8ey=wkXspb
zY(`TP5A@dh6-#1Cf5O8^%B1f*2%Z490)dzx*E_vOn9RM;7Y>5$I&mHvJH?s;kB4pP
z4~X8Tv*^4kKab3QT)Gx6GXfrJmBT7nLs5`-E9#~*QSHo)qEO(Qew(woLTg$^6icPG
zgpz8#Ntv>g+W#2#E29DA;0X%ib3CDy;rj#6;j;>o7EVrbwsFp#<0j=x$5Xe4hWXes
zbFmcx>Qu5+Pmcv17S0wPMpv5L{H<+sJuZ!-{8Fc4aAuPT4y5dvsLB&Ft&vXE0Wj^^
z`x8b{#dz;zQPp@(w|r4;(%0rsM*%Q?ugkaZGjazvt2Fj~jbU7~hz~aH9|8b>qx8p|
zWLP!7saKNXZ@=L5nxGX+c!?>nd@u!<-bZaSrWE7OV~pR0`6p^{CV$Kvr9s8#qyTwe
zdA*vMmcOQ|LbAi!;Fg=o(Y;}=r=cDjM3lQ{K>gv%xV0{CP}{At_sCA(Zp;(6;kCrn
z-ptwgJ(Gu^6SlMi-U$SsnDqBXMmJgzZJsr)V-8IuO%vz+5gA(Pna`=-PRkv?+*0&x
zx>yP-fZ!PneVz|BWf#V^VcW!2q56d+tYdiJ=V-y99EvrEvuS6TC{bmI^wY~;;KFP^
z(UYxQSh<QcNs6X2i=$-&oJvtpf$z|CcnI#F@8(O-(+6RVh@J=-ePzvBU;KLT*uK4i
zO8eZBJCo4R76VP7`5tkdwpCa7o0cVsp{^ZZCyCv8h=Anadz@6bix&j_1A%6;cE@w&
zG=`7ENB#4FbB~F^+hv4Dr_-0_T&FVWO{3zEXG1JHygZ^hk`b(sn4-mrggJS5XnJ>C
zj%X2C5}jeeXy|^8tnalMP2)ei_}Laa7Y=0*%TvJduDk?92Y++xJ85mempo_tJ3aY)
zyskT;8dDUC;VTj@=5H~ld@u7e(~MX@)wx(3Id`VJkz>T#rZ-y>+s-IfJ!FHr>pUtW
zf7Ih69-{V%)NP3k?O?LvlR-ALq~lD!K!AQkmY<wRuj!Uvbj-8l(i`h*wuHD?{{ebX
zTX>sTi&D%3StYlg$123HIPoC+6V{V1a;4m_2ySERr`vBp2?`#TbZht=<f_~0UJ$2r
z(Q%wN(P_u`+e4#)-a?g15oU|k!#a+uwB4dpKK--&U-pwCpwC*nn%-^UUm)MLci*p;
zbjP=e!_#t!5vbdq{ObGztpEIf0GB{$zq?=KG?;_>mrRrc;DDK2raP$%z3p<%0NqFJ
zw3SR|vVR&2!@_bbZFZFWc3R#n_`tkPc#P(5Wo@&`PBbQ>DF|TWyA_yfpUPulv3?^%
zxXx#)6vrSpk~F>=8Lwg`K4a8wR@oB%&}h!xwRkXX8XO(5;#o!J&|;1dAL#aX+CSm&
z2952yj*gZVclXjj&*c{#2?zon8}l8x=q33?f7lEjf7XD_GQoT@7Vs1JS(+W5m!&q~
zY?!+ZE;5TR@i?%sJ*Wn*>$9-AUq?KDMUxv#g9rjo%`F^XEt3Tk#(+OyS{4*@Ewb=Z
zacb}*FZst=6NBycn5Xh6KFu{6KHA#@-rzQ7NBTOoBiT`Ci*_Uvl+nlYCU<V+Va@GG
zGD2lOEhFKQO97Ci6q&hh=Q#%soa5}C%h=*xqwuU?^v1yn*=rD<#YS&}S&lyWQDQj~
z?s5+wotip2>^}J(=g6503ulfvkr=BN{hG&C+k8(<8^YXGlXPb>Z|?{5@fAVtSL@r`
zo$CG~zV7f>c1M&$iWXXrGpGKB$sUamy0BRv<o^8}2oWFzK$DzTOj?2n@NBmd=sfwE
z7dcT#)PAOA5ooXQ&m>kcaiWLNn}q5X7-J#fWjr3$g9D6NhZkhZC52q>8lPK?w8mCa
z`Yc2;Xf^kaO!zdePS--#2DLuzH4b`TpW8Q^Z(Hmb><Vt%Hscn@nocO^FQ5$=(O#(x
z$m^dkO4b*v(X2v&4&IiHECxRDRWL*(kwjoM7dXE9q|#W38(kWsF7BJ&;r+zwP4d=O
z{3p}cM4NKFwe8F^Pgd}&s(aEF1Pj!86dh#!N<!Rviw@Aj=%BtkUfQReyiZ}~wd&>C
zIdL=rTA8CUv{~9*$T<^fs#~4N5VE`+%XWIbUL7<dW2aiz-tI8QV+z4O5p`vCSP+Dd
z2ydu-dt{`=6msKvXk11EX<ezVOiJ$xLh?NqotF`!c^*w@sp-B<>1HS{%`}bAqpf=T
zq-Byh`4LSx+v8cWWn<oUd1_3x(&kC_g~o2U{Je}Qa_syIx(+;kxcrh!FB_)5uG9EE
zFeXo+YZ$*J?A>roeh?9FuWmXM8BsTjTkmBvam{DWUN;M+_-a9%ySw1Li;d+&8;<34
zmMYeUbhe0~6BSc{)`s}=VTf-7f0oF2x7!*kx>G%2ztQUnSn!Q6vL^jTb1-Q(+KfiG
z(bJ!CTH?L_VBV{But8tbp=@y^$Fjk4E~t|0XA1FQ9Uc2S-6@wn<<krDNd-2Bdji3%
zThHeKCa2?H(S0l)RM^sv0V9{LYc~02F->rLYH1)47+6ZB#bbJ8dU|AJY6{}_9~c}w
zGy;L!4h;?-fPno+ckVoXeCN)i2qQDB9lD?o1)A<z;+>zH)=>s-;v>BZkPg0Q0KW4a
zeWGN{qvsa_M%vd4VCNL4U7jxe=Y3f$2q*OID?0s!llYsb2{Hj&ENVx4hfh5;V3^vq
zFM9mD#}&uFbGWP+j~!f_(%a3-vO-Dux(M^@Ux2S>6hqrKlJVEaKBm1w2PaA~(kYkV
zecUH0QZK=qx#TW0mFkpcF6_pOesH`wezw17IvknxV*v|SJ2F9V?a%rh*`Uck{1N=V
z@_`}GjTe)shwg~4x2Mnh+iLJbOKLoQWz1Gx$C;`BS`5wnTYH6gEl}=TrESIsT_IwU
z=7V7Jt(XD>+)NX=Ej}4f<$b*iNoSYesPlDs`W9fRt@f1<3=HodbWh6USZ+UkqIdU@
zcifg9jRnW@?zO$~u`G>MWGDG1X>O~*=219!2}C=GoVBBx9}3&&#u`d}glun5;+>Ot
z`CS6EfAB<9YhutoaA8O>w*1yvyO}Np2^|AK#~0{ay&%m&&FPRj2W}QsiMA0Q`=dZ-
zV4#bSGj$=b|GxV)xlFNLArk~a=Z=^Q6FSRwli6LIS06krxibm!mc8UPbrrhJzLcwD
z?O@NvV}|lIBSQyAd@Q%j0_>|gkL|14kFKKr9aj=@-P&xARc%Yv|DoMeFTJ<6d+M5N
zYP+ZI73Xi&sS*53sG|;aJt-s3Sg#`O-P+7iqfwxfv@G1o1}7>?L6f2alo~F#(K7*1
zH9b=Ss^H2Gamy$bM`R@fs4Qd#aNOOu^2n!_UnRe4_5EMj{!aO))p!@~Ggbcix5}q0
z_nELqq<;|V=`yIN7&=OPa4bMSAA5MN2ufX(uFQA%u9vE+-jOz@-;2@>$Z6Rit~NcT
zk*>w4rjISPF;z3*?9f`TQ&4P|3m7jhEiA3dRa*6Si|NLfeB>S+7~Iu;z1Reesd!L5
zyC#%Qeo=Px3`ag+@)`!uDc|r)**&y;c^HpwgZk;EeMptrJQ84am%X2PA|#mGP#!e*
zB^D!)uPu2ZOwl7A<SN#eSZT;)%>=BciK}sUc+TWCw-;i1uT>+L?~%(jR<ADBtunYw
zvqrC_WAA)?N-sBzsoev62NrMY^|^ZoM#J;V9j>(BJs61$x&s-fdS!QLu&3nlxcWw>
z<5yf3Pp9K_eLas~1!aw)v}6Y15<Uz0#1#H)Da}QZuw*Arqr@>VYIisj{;_UfU|=!X
zHEN5S5-xW>Xf%g&PIt`S?*6FVmo!_w9co{3X`pX!+3U9y4OUxvB%0`r*i>ysN6==U
zLo&1obs~qHBo3go53O#&e-z{{uAs@WGw?g&nUT58nXmrYoUwuKN(ODN8sgXh6~)w6
zbPDN;ERDpi+1Z?bH18?(F71Um<kNU?N4L2*+B@`$-r3GTA=Ek4?@r~_ww}GCSe4s3
z7%;_$lf|75dFz?mU?J$hzx5Wa>OivK?k%iV6w^b_e8keOn<!31wREl@W$RNll!cG%
z2~yYuGHjRw-G>rv_3Yy=feF61x`W4?G?0u?L@!B0R<mBlwmp=TT&qdg@E@kazA3>R
z%DLmk7cK1(l#5ENwFix4&5HM3KJ9j7hJqJd=qk<$F7H6n&^CQ|$WcD|&OLh*1-q^k
z4P;zu+wgh2)SjW`aC9u|`1nW9e8uiCDIXpC@n28~<<UOg5+(lC&F3#Zd~nebv*F&z
z{P>95br)O_2NT{2p{2q(*T=iDMMgsCvYN)3{Qjx<V0z5#v#9Oqa(HDVHlDS|r}pKs
zfRz}BhSK)Fq&xPJd$F&)e`xOdV%DDP?(@e-(l+7Q<A?p_J-tJR#zHu;Gmd{Sc=?dv
z%uS_M4wVtl@#KfuGAtaT`tBfhR&jiS;zvXr{gvWWpF;6t?0!GRsSbeRXHZ*t@Jb}=
z&EYv3;e#B{i?}F{)BDe3&rwsH$_^C2h`smEHJm($;dzGBagyHuV)mQ^^u0fZ`z<mh
zfA87kz5Mw~{+zSL=bZWnLc*x<24bHG5&izvN|FBO0PhoV7s0PV6i2cKd&adkiZ``$
zz*~eb03JaCx)+fv*YoFphT-p~_znDiDSjir|I-YA2gP4n&A%(0F1(GrcY>fdA+#ZW
za~=II@FN3U^drOCI^4?fIKde`J18HNms0*9&L56*{*Zcau<Klln%aB#^S?~Xr9{7L
z;Ll?W|8)a@zQFKbHSp&%4F9>vAAbLPD4nWx^mANFKes<g>F0PO{W1@Iud0!LnUmoS
z^vfI!Z=hdhVffD*>i74;+bI4J#cyhY-&}n@4$yM7HI|p-((+2}YS%WmxAEt{k<!`L
zSYG@(hBuTKzn0+*<;8b0yrI1KOj@osX?dkMFYliKH_2wX{V&7pe<uM~$*dfYBSsI5
z8=n{MB6h*kB>VyV6C%DM;Sb<YUV;}mf121A+4E&nv|OF&C-wXRe2n2gsOJyhgAD&p
zJ%0f2W%z%I{Ne5PI$DpqT0JuSCcq=ej^2yd6+(Z5z4O}Uc2M39W%Rvv9A<PfT&OVI
z*U&z{PV2>vo@MpI?Wwe0?5tjXUx!;c9%ne|r%w_73%jKC0{B-%Tv9K;0sMWUT{cI{
zg;6tmE$?@vyb)m+`cXqa-O2E$8~W)EhJUZ2pDr={J5oNt?D95>zl^urMx65p$)J8!
z;G4k4TiJPnTbz#oPxJXGOy?tVb*$D-Wnn%qg(*MC_5Ql{_YpqdkUOqtcRa>_|3N;#
zkn1<F>!0Pn|A6HBjqLho`0wxK^ANfIQg;2*VtL{EBA<7{vYXh|!w7A7{buQPv<I$V
zLiwU%S8n5U{f3X%z!&kV3~|0luV2HjbH2z=uN$X1Ut}+?{$75dZoKAvkzK@oU%UP*
z#us*-|9(&1_|5quJHJ|Pc~{+d%{e2RY;yhP`s*kK<$Jl<4;WwG$@%ho-fwDrk=60#
zN4)>k+RO8Gd^wl*i+a9X&&zct?;rJixtjm}4Bk)b`EnKi{Sn?@>iKdRFSnETk9xjz
zHMxE>zrK+iTfpGEUd4syIX(t>?fwpqdz#>Wj!U0^M-%+kCiv}5@LME!gyS!3g5Oq;
z3r}%8CBg6Hcuayn!SP7FoG<*1%lQQ&=X3mdj*r#jvJQ@Wn&5s3E^z#gCityQ@Y|c<
zx74pkDE-G+z5DC%=Q%!BkIOnZ?rDPiCAh%xJDT9PHo<Rig5M&+BOHHO6Z|$wxt`#7
zgyB66>#xF<Z4^%uTzH=2V^?yy1@7<QxJSg%IPkf>4)?SBe+2jcq3-#2F#M^8_ug7}
z|3B;S+Zp~d!2eQ*-@@=ekQhp`2*+R61i!8Jd~6k-;&_VTe+3*1cXB+&@UH_N6Q1CB
zgyD_r#PgcqXEXe#fSY7tj-TITJzKzP)K<lX=Q%zGc<ufUj(eKmevV6@e@7Gi)+YGv
zP4HV7PVG1pzktyn1o|0H=x6vC;2W*e3$TuEtK#H-hK~VWyT60uo+h}T<I?Bf(FDJ>
z34VJM{1yow;rPp%;J4M|!V?^iNbsjPo|52qay-Uyss7=-CivMBJk0U)o9I0X_yB6F
z;==PB9|OF0e+S1sO>jTQrO&^k34Uu6{PrgJEfPG!@s~BhZ>z_JCpaEqc=}X{_+RpQ
z?Kt*uyf)89C@z%?N=z=`*SUO9`+di{>z+-nb9tf3`|sG~`mLK>zkQSIw@9u>)?I(u
zCf9GPzs}_aex1t=bEitguZqn>%9i7oB97PQxiG=mtlY-0vw4|cXR~wN?>ic<dp5c5
zXV;s(|Bg+r-@3{5+c&v>OT+a@!}XVKa{V^xb;5UkozL>DAC!n)i1&lzcy|rw{VYOp
z>9|m0;{w0V$A{YQJJwzIY;v8C7fs%O$0pZr-Q@c1n_Ry|ay_!{`pY)Cep~%@%6ER9
zk29kG*#z}JOQ540`roKF$m}Zaitw^L4<?%XQin{;UDw2Nz6RMD+|3LHv5aWiDsAF-
zros5ELy;*L@jlbNfcKei=E2t3TEg5rJidt!TH!FWgHT_Yb`(Zqq_pbIy(W2fLGC+Q
zi^UbH^OUhP?mqx49d2jdGS0|Y&RO-Mab`!u82&3B+eJKPb{+fGy~=2Lcd_bCQ`}XK
zwpgN(gkAK}oyMQQ&k(;!RzFQVY9v0Z1|Fxx%3=?BH}Y}n$KZ0y-I0l<7atsTn3aZr
zD>_~BhDO)&uXD}C=GH9HUjJml1@1~AeVe{h+tL>3UFoH+8^YS&XkX0Hs>`P>Gu(#`
z-#~K!q?`HB)iye@?R3mB23#{Nc~b!Rxs1DhCVcH{)V*!&yZuXV*iE0UgJ(Y_d>FZ)
zd}Q}4qWQ*@2+`Qg)e@5C6$ypKLmD%~FMe!$TWeeSvI#%#)H)_^obzLI{NlO%>dkwz
ztsiO2?n{sLyLtl?mzR4yL*a?5rY}tn7ViAO=g!C<Wczw|q0ht4&WQXHqOC<r`K1&e
z!4QQP@D_$sOmHL6w~Ck$7x{u8L7xQL<)|HK$CP%k5ti~=ylh_5`tc)w+V>j3hvCXS
z=vlbWiZ*a>5g-XczKruN!&-mQyzjNolK1^yNaOQl0<{!rkr*@ecldF%3v?4QWL&@R
zE87MAt;OJ)&*ATVru{SI8J7!r{2`f=NNL!_#^pc5xPAVqN9l-6G3FQh8~j?-N#pj*
zGaH!f+qq+l#JBN7`9#f)kvPM4Exl!0^jCy;eOVa52Zg`U(Vdo|3HE7W2(Jjw12)F7
zk3#vgwERAXNqEAsi-Zimo?>@!>|DUEpxCXF`(8n@+d1}Pz;313EgZXE$l<$W5jrBT
z$8O`;>B0zpNO%IU2*)l4e&0*^eclGx*&Mr6n8)vtg^85R>-Nw1tLSFo4b-Pv>O-Nc
zrFk~c&cL0BtSXBy7FUf<>pfBY)v(I#usDT`kV-njb{#zPIe6wx&7Y|fpUF(Tv{o&r
zo1-56^r$Kx^I7m$6*_y^kxaoeofd~%Md<uBw80hH2CW<JgngQB?zK2`^Dg|j*bb}h
zRuHxJ0+jV}jOa7;D6#%2Qg;O%_r#_TZlNrwa^Q>bnqR8*wlP(4xYOpNZ)^{@yG;do
zM#!Yi0fzzJ_Z+<cpUvO5E~EyTDERvrd+40-`TV@=13I6rbGWD)v+2dxDGiQ*ISsFq
z7fkN<rsb>k)aK=b*99cydmVJ=kJrjadv-(dc=?*VuSxm%`|8X0DtO(Mwer!|H5L!v
z_e*>~`Y+INT2KhBHnc2lqd#>=HR6_$?Sf_QR4iVdR-B6gu>j)b$$n&Fc0s-^Omrf#
z)OP@-RqplaZ6<?S-6_QD&bwOmR&S`Kf2dd369}|-w5ttDc6_r>p=r}}3K7BO@%ZY>
zqD2u_7VbsC%fbuS!9uIDh*+&WN0y;3P?VK>%|rl+WE#6zWW$nOruW-B%l$1Ouf_0&
zCgsBS%hWnZY3Ty;JE0hg>l;efxHldNbRVw+>=PQEZE$_t;2y7%-SDu-fJL#amz6Zs
z`;zaKH!<g*K%^S1c@KU~<x^L8?;Z|bd(QP2?_Alr^F^?g{%gj>MAz{{qvi2(&$>PP
z>^uH1@?99AblXpj3rB!%k_%{#NF74PDs^kuZIJ7Mxc&)jXOEsmb2G76&Q6hPQy@|x
zvMK!Y>GGzQK!G@f`*h%Ie9nx@-Db8})hca=Muq2RR5O*Yb_UG2>;BgEcJ)I~<mC3^
z>PXk}_ML^3_vfB?2#0o@?Ga@0sqsnFuz#QV=*!$-%P625n(obS+#{2xUho*s^E~Ey
z3oVm|=Tw0*vE2s*^E_VNL7Rtf8StV@A{)x^NS-;kFHNE<89+*`OWf(fG>jZDqRt_W
zhW4b<qGZa)COXVUW4oe5scAK+%;BJ4zp%D#_oCh(44YMkR!xgq(QY)FJ0`xc_uhls
z4&I9oyvgCyD+FOtCTnwKL-$})<u~_)vW_+x*w6%p-sgA|Y;P}BzDPdey!RJsKfDVq
zp)X2fW7qL0Mu1oy&_{s2I$(eR0~@h*{c1-lZ`XkB1lTUtL^rKHd4fkJrp|m8%H<fG
z1?X8f;Wu0hz;T#Gf1PJBeKVMHu|*?ek?84`)@ltD8!Mp3|7xmSrA%S;dwqs|#}<$6
zHTb-KqeH7z0>|}wqh__NHX04IYP2>}(C^ia9bY_SOy~6njdrbAF$Pn6d6&kd*S9Ow
zN{vRXvZupeA*}yOIBi!cp+b~;ujA3T*}eJ}s4}Ir#>n*+z1RNsM;u<gl3W*M#Ww2q
z@k(f)E+nRO(y}nq;wn-LM+0qbvb=$m5B|z{n`(RP(Sz@X98-56eB=xJ-o1Ba&pr4k
zPE>w}4fONP%A0VZ@@4WN?}~#iO%U$lIc>R5bCdp~=hPtHYdkE<#RDh`*YwgTQA0x0
zq_*6h5u2x9l*=S`_j-HcwtYKii>vc9rSzgZ6*y}ky-;%Jvb}Sm;a%!fzBd`v`Ldq!
zz;JI*cfsfE2_!6ua-@5kPTsyUo|(<tS?q=)@Xvr|wh+%kj4_OOjA0e?l~qG8?<7vj
z)%+<sAUF@M$-re2$*V=SXSqctpZe2o@c_ZB-rs$8?k4;e2zs&FeLQzlg~jBd^pF^6
zvOB3BA&cjcoY6T7ymzA2hFu1_rZF`gJP87RoD_>?{$z8B3_19iWP=vceDv9~a^XIc
zKM<sYjIsloyuqwp{mI@hT>$0a1B%#w*?_`gi~U)c0h;5W`;hi>U84_t(~*LYHndb7
zd>k-zvd9JEE_XPq>*p`jjRlX<@AI23yl91%$`>FVlo#qet=XU#`*F2{@-kMt=v|-Z
zT~Mr-K4?E`pzT3gQ*AV*8t-Z%1NVLD&@;a~@Wo^Bu)2;#+7j@{3BR|akuA(g)fgU#
z?<5sxBt4)k#=W@X4U|AM2qsYj$$C2N8lASI!(uV1jX?vRUioOJOQ-RK(`vb5LD?Rf
z>^uJ0xg^xc-V?j$4wXzzVz2O6H_{j={Ca}Q3yTOz<CXCH9rS+r`j{fb|CNj_RKA#M
z8dHz+fk*U#ce5-Joh*h6{ESD@t7YbevCl%fqfCQuF}pOnR-?un(P)0Oc6m;ozHsNa
zZF6dcVooNvIRp4Fm8Y+}4hK*EVsH}4Xe_n&LmO5?{d&+El8QKu5*yDq$)d<=k-($-
z(0Pl?+a{JKl;;K{0YEfZ+|q$D+Z<QOo7e_{YtA_R^fT}e$luCuZ+i8sZ<-~4@Z8SR
zWcXa!zMVVw$ttgsomQzFP+WWQMOVr9@0VY7(Z$y)4r~zDWDm%4XV5lFW3{wrtecH|
zT$1A%H08AnnmQkRsN}Y11$$ONN`tsH_X{&rBqQ$|6YCmTP^rn-#TA4s#<zgveC#sO
zfUcrsPNSo^g=(JH_gZ@+J-Y{ekWF+j8Y&rAa9E)*=a>86@|IYSU!zdq(8&u>HAauD
zg~rR7+H3{L^7z%2md5~YWxH}zV#)dcdzPPGdU}}^n|v-{e3os8cXpyBsh*DQl3{P=
zi(j@A2;R)z$lnI%tlg+svIs@N$KOu5FH}zMqg2eO9(ssT!YYBt?@svhE=r3H>Z2JQ
zEUY$*lq4W)L!_imKGwj@Mkrv~*xGXA_us(bbGrA8LelEB;)~8$*}1msG+}nK@|-y}
znJvtBS;vPa2L@>TV>(8BmaT;x&F9~BealR!;wv9GV|@wN&1CB-!=#>8juqF213+8p
z`2Lk$yLRotpIw15`8iW+vWrny?yWpb0xu!HUb8Y9d;d)en^Cl9<+3U@m!H1_s5y5X
zDYWf+VGL>!?&9&Zd3Sliv9TRln55F4spg2VaEfZ9W64+W)%J8VBA**O7Ek-O<yVg>
zV8YU?4)03Ny3*d`gG0xrqp{he>RhTj5V_*2sWZ>>xr*Md<gRO0c3iVFDe?@~5W9h1
zJ4&OYO`>w~6~OwCsf}ggnSm5smUPg1*GXpn2%GqaWX&R_3A25NCStNXS5{uFOpNdA
z88|W(iA)_CNQ`G~w(NK!E*{mXl^4%ezD%a-v9o6*FAy({)-=Mu6<$em9PMZ}gYz6m
z8-^s)u`umq4;*GDo!X=h)3_{PNMq5Spp#XT9pN`zcJHD4M^^lUJ9A%s<h=71mY2z5
z0lRg3w&f?21`sUQ{@gt>Tt<kmg-I-4q!eTHVrLzm;&?aUG)EG&xvQaE5wx;}Hb-VU
zjNA>fK4RHNjTy1!nJH>}Tq^PN#E1d13*1y|gZN9jV7s=(+@=qEj5`)wMbnNC<KO(;
z+Uw8lEC<~A5w%i2CR1oU`S9$RLQ(k?j5Cv;Q9$Z|?WNwutf{8QAmtWDX!!!vB8r(j
zLi*Ig7Ub!A$=S@~Fqt#V3Pj6n=Pgkhe5D1{GHzVm3%guCb3UF}IBR%dpDSe_i|;<C
z9pu5^D$YKTo%W_9r>m1Yui3G3&8}pZx9IercjnYpS40BcsT?UwoaB_JGL*3~R$ud2
zR#Xd#(DSks9T6O8M4BJGuDlKcII2-ui1L_bGUl1VluWX!k0YP2JC{NCD;sS#BYZAl
z$Lm*wFFQ?Uhr?`gR*xqOY<z_>c%V$T(lSt8CQ`!Ku@~B12&K{5mb5gT#PY~n9+!`K
zL^BPI;VrN{!jX+6Wj;11FcX<W)iHXA$j&4~j@e9Q=kC4LA^U@G>vVN$yx}zd@Ddrk
zx77>NwP75D>h}|&+PIyL=WI@)KFVg~LC3eW>NN3Hrzt~?c^k+kEtzVjm}(qJ6ORqX
z<+Qqz!q-r3Cc=>&yksA$d>3CKmWi!bcxlM0g-uMD$`qs=HZ;*xqG;5owQ-3;AT;u9
z>^d@UONIa!4phg6uhD+r=PK;%_bksZ+Ivi_t6Or5rO$k3woH0|ZT&ndI}YpTSF`>;
zPG@Ag7L^@Gag_eQv>L@=(%ABfwDQ-`%QIV8mI_~tUt40bOCOY3jXGawbxO=CwH4}(
z@DAxJRrpWxIIf#G&UF)BqMHDmuH9r4fWMXLEHGbZB&f_ig7_}+O(bv0I)mrWueINR
zxXehbJlI-YW?b+Pad>AkZlCZF?N_5x%dRxos+g$X!wn#<qH3ClGq7?ImnASWtry<j
zecNq2e*No3(r0{wtEC;YD@!Z8$MAoTUv<^^Er!@=rZAT^kM>Ut73yQdvV6E>ThifJ
z7?CV9E)d0~pUt!2&Nl{yT|T1?-_mx*^6FWN%EgMa)ali0mzS^Fl}zrsdTIIE)wFQ>
zg=d|0;mMy}f5jEoBOdFu3utzr32EM)CLN@cYnqszjIYcsB12^?<Cd(9hj85tDf`AZ
z*3Kk>U|Tyhn$}@sZ$WEP>l7WWW_$aqpfSFs{|I#c?xO3bGovub3i43sWQDKmU_a0R
zYC#3EpI_dzjWrLrTFSSOfU7C(l!}BIKJly=XBZ<N{P{JFb-U7Je3M2IS0NdT6|Ty#
zNdH{(CS!9GOZzA0jUg5rmNdq<jRZM<&1+V0J}JZL$zNtFU&Z-qj+${<0qUU-y=KGR
z#k$651w5KuD_=z`d2S05dzGvX+^Cgjb<$DFtSk<z7wC1f#35GZTco4$eMpW=849qR
zUnGYHZHa}dJ~^;On+930{?tp26#KSr)_7|fmbO)M#g>d4zk<athCNZkvOeJ73T~;^
zW1KK5UdOp40g`pVAOQyJfHDEf9N;Z%T}EUMa6?%0D8M{O_4@YoASw}G9<I&r;L#9C
zT_t&())KQRh2c2HvdAyMaRF*^5sr&++z!X>a9o1pQijx6I1&II)4y*OA^o^yBK7!d
zwOVcnS^j5s5tBm`k(=8dzF(#k)Y;U(V;6}A6d0EtCpJ=A-$bXnM=D)4XS_80m4VF@
zHQ~xY)h;|auC&ohOe>Tn32IB(SF^6Xb*k;*hpV=f1{=#yfM_JzSH`J*C5QHI=qtFc
z>2WKIjyrm_(l+5`^2h_kOo#N`UeQJLqEPQ!H@9f<pZZTrY+`S5<)>n;4}DmXOuewp
zB|hHeQGA5U2792aK6IRwwb=~A!a>op(n#Xm4oJqcPA>iOnTBTPg?__FDUW27YBnCV
z`o46*%7&JXk5002XPvo&4KcJl!@^E#>zHYpN2R7TCf=I}$w*Xe?xt7k+d(K(gvE|&
zE<y4RDAzh1E?qP65!BsLxxM}2kIOWUxMyR*k#!wj4(K~N)Vqbg^B`*DT?MnONu1O5
zJwhJ+;;|JfV}5G3UF-=!hqV1u`Rz-<LpQph>3qwL0#emVbCI2Alj7muoefG&Lv`uV
z#QgP>&tv<A`-}m9h)+j)qglJ_$9up4HapqG0>*SG-+=O@(B)0-2J5Eq=8?OlQx#kM
z@+F9w8$g^)ij6ibLt0o7o7lzPQ(c8%DDM_cV{>@2xp9ow>1U{Ztar2A4*>8r3Tsb@
z<r4PQo2^@%*j`<&tYD}C$zo-$w)VJ!>boWJTe%px(fC3}6q3)rh2>q9XIR7;u6-A1
z8)u^l4b{)BA3|)d^7WM!+_i%!;A;(>D&UE}X`Jetf|A&{e8O)cR<tuUpvVm;Ul|41
z=&&w)5%*)#Vw@=M9SJ2D&nge>1y$2%JTqT(xgcOGQ8alMyI{a>>E89?*=<+v&QN7j
zXoBc9CqXjk4yRi`f;NctkE`FI4exE5cc2#6>;W=1P|tPJmEl&Fk5`2>Rg_sWWjwbi
z(J+-Dg`y;rELnpE3cb61A6eVk>DI}0e(jFck6d>9j^{vHKJSyk$xvuA_{qwhndhDp
z+npBptpPgS=uF1%X1XLcqVW1}K^hixtOFTXOQ048xMn0a5$1;vS~xz#IIC?UBIdTx
z;($RyKN$q^e?|^<I6CDTyZYenPk(sdT8Bj|*O=6+yFc=}acDF5S@Ujp-g+Ni!GrIy
zBwVh9<vkF)>~FOFj6r!Opgc}V`{Cp_kqrz;V8er&rBK9lmSNOxXjLPWK0n`RS)+}5
zopp^iZk_|fz-)XHLYmn4lsp@Rg=iPq3csfLVNt5UVq@(M_pDJ$hN8ie5qecct|VkU
z`Y0hoDX-kWUKc9*dQqLk%b8B%Kj0{c{!Ow8v;<n9C;tz5IPInRi{y#_8@^7M*i-W2
zFG<MR|7G8&%7yWsfDTXNVBF*~sPMGV8R+>RJ46XzHHWgcKwe|<=xy1Mnbf!F9|iSo
zg6fQ*2Z<*rwa)$PzEX`m*}!)yu|ct#IaCRcNU7y9lqPr#r7RYGD_Wrp3fi{kYc?Bt
zpOW3@q<A058waR;;Q2aVA}80^#hJd2>Y}Kfpp)5r=A}LzvWF4kdOa)G>&4MO>+o|p
z-p6qGJ-(0R6GKkQ`vQFbqwo~+qb{^}OHs*f2%`k^<*nIUTDiSN6l?-K$6C5RR&9yx
zaDoWQH6v1_W?~{nGyAzONo>Dx!sxUZ+B=P1p8lP^UZr<6otVzMNJv;`CSVvZ2j)X_
z>bJi7ir21&+GPr5t75LBL!mNecFjd&p8g$$z5}Cyamb_wJ9oml@L8828O;UuP5cbB
zGdGGfdiJi5`N{QrVQTnmha<~e&ohpi_^zV7uC^$XQ7xpbs)f{5PnI7ffoT(AQ^?ur
z%1_2$v~RFG*L(Vz1N}ooNANQmSH>6XhQjEbQG2jE(24C4zdu}gWil3uv)pO;I-q}j
zjxJU699@h$A84?aapwE@8Il+m#`RM>a0Q;FM>g&&ER}W|6S*?YFZVsyFomp+YJgeT
zM(!(I#>`Wg>^}m@{qU5^+GgnNY_a3?RO{5=S{=Hdyy?V)-AYq(w*T9e{oN0qI5oY;
zjt{YY>|dg7)Jx~B4upie=>EKGP%|1O`Ip(K@c=!>Mf*C_Cc+u>M9{I(#K^+;x#`t7
zO;b!VS%i?0``$(2o*?rF#(_AdBedCrsp=WbQ)GY+`&pX*2oZw<Egf%&=zK<nQlahW
zj1Jk;b2D>k`%tt~tpUvF*M;A(cKP<1?U!S8C~g%N6p6ue9((MZ!35||t?@&r(D&d!
zao)zzm)`^Bp9g>6W|?!t1PIpwB?6S{fL;Rha^T;Z4d)0jCvv%K{T#^c$6?Yh=vfzB
zOR}AkgK#v%af;7@lv8XDB%z4K8IbYUEpP_QL<aL^HCqnd4)dI+b8LQQe!LU5CKx)w
z1-(`0v5dr2`cAz{(W20(b%ub)smadH%w{!CkKfqYp#}ca>#-5DS4S&It+GVD*L?4L
z*Lb5Am10q5i@)SFlU<{LY9Uuh#n3AYf<j|Ao%WKr4GW8kYTJA>er5~4y^*{{EKR<p
z)<*7m(}An|=KHQb@TPnA-#9WqawC@i<n!>~Pb&ZX4*Vz9e+c@++wrp-`1Go_<kO3}
zPcN4E^jiKEpWg51_ap-TsgNz{GYk)mmHPX7Qt?4oAh1#h4rg8QaJ=7JoKiai1*b`E
z_8H^R{#Y;+GMkDvSEo1U3-oE_?Y#wmF>I`kWk01cxo4V;Wlep0**Xugb&4KoP<z#<
zmk<o%JoV}&&UrM4-7>_CmTN*CpIBfgpTy66DY8Ff>9c^SVu#bLrQclnHJKkNUBb6u
z-ux|{H`CaKFr)Y9G}p+A)GpMd4(v?l!hL(GeW;VomNI1LV~dr_)$5x%Z6wRf2cX%4
zFeeThZ8{w^+q?JNd<Z`yX_9ojpnPSq@Pp0s+3+Mo%}0U&0RoK{R2|QLh*<xw>&Lq4
zNN8q5A?v6_QvICH?XYz$9a>&KIA|<}I<!iyLeZ*swilN)R&BdVqgE^R9^31_2c^0(
z6_5!Fg5GxdtE?K?qJs1OnT`B+d3OR%tzEzG&G%5&u>OO{oxqPrSlo1}_GY8vbFUbd
zy{m&tI9Te7Rp+;>ENVbTQM9$#y)A8e6_`9<*V@@?Qp@G@g3wjm_U3IBJAUWb&13Ii
zZC;4bea!o}*yiC^8@72PYx87{+m1B!%)@#J<x6c@s|!%MOI+~MrLSA&!pjE_wwv4K
z?UuIv2j&EsOn}q&eWe5NSB~K;e&%QHewVA?{j-Ywsm??yWpMR7e*9xczsrzHB|4u%
z)js?qy2rV^S$UWqQs8>XnpZ(9YyV;fb5fDNhJW~(&wZ|9hdN~Pz#pkR5a;jxHoUh5
z<+t!&Iu0{yBIfBEi8S=m<sai`NCj2)vpBbT{NMCF2_8@9gY>(bzSj<aKFr=L)qQUG
zUZ%dp)PsV1PU!ygo%r?dghl~!7`#J$Dg*KKpMiIDBSd|f^AHL5F%&^XG=aX1q#_uX
z$eT9emJK99F-Us{Z6)Akz=E`QFgZv;Lm3nQ6)W=7dqT)hH7H_^`6w-cz;n`dvdms$
z@5s=zC_JMC&&t5D{J1C=kJ2k4I2&Uc=aM9=as(zrz6cPLKv+yNqTk@Dm3_5P*g7}H
zQ-ZO}wd068KN@mn%))lTQgS3lQx<oAJY)ecp0}98Mq|Qcjd^r~IGi8uaKzolxW%0K
z>RmHhlbCVYsGYv=zFD0yFtWFoq>a$)rtiW^tr2JSS~2hPvAsk}*BC2bH+G2rDjJ0F
zhiDz;+1~FRG(S!=-)vPA-)!8(H#=YT&0b!9Y8ixMXq5Z$JE=@e-`5X+K0sxR2H)%^
zYZfgZvD=vR;VTdsD-22`mhu7m8s67oGFdzKA6*_CGY3t}kIG~+ytwzJFD+)}il0=V
zu~)~eH_<*mhW?#WHuuL~UVh)U6HBbD<YTY$_9yt6rvBKf4gIl|2y=gIE{}4Ja9dM<
z>{p%qG^Jvy^~4EA3FAE7PYHkGw4RNP{@Cj>Q*qM;)0oxzzM9!wn6rur+CJO-NrkS@
zpQtRYo^{sh(#&N8gEKHLd}L<Z((LG3nv8Wa%Kz;^g9e$AeRElf?<+Dh`H$xf<GMvI
zad3wjPK$z8%S1v<Nt~D%xU7F@0Pk7G&wNB5>W#+w!g@m3b7a&+0v(4RVYKx&rA+E~
zjp?onKpACCC|O?KSEXX#3Q)1qKmu)>Rv4e(2(peBjY<7qoA9NBNe)~t=HAu~Gdxt&
zI&bUyGfN)7r9U{fqWJbVRonW41yjT}S4=Gp2K<97YM(1-wC~v2KR;*F=PUtF`LvPY
zgJrUQ6^KkGd=%)kqhzD6_4?Q{s;&B33-!L%JiAVS=NX7Fp{&u@I$X6v;GZOBdxG*a
zmzU2{hI*!BiG^Mt<QB-dvp)UAfIAy77y?<fyKhI~n;@6vwiR9e(Sw5n2O-fB87X(1
z;mA$I!CdShW%P<;B<iI4geJ+fBw4lf+@%_N4YPmCncSsi`3A|zmB1~568Ei+aNp_!
zd+<&BU!55SO-k&<Tju9`M@Alg_{*BHzG%s>t=Rv0ZzPdO@p=49B)$>yvbaa88ZLa0
z<9UJ;kDOBx{2a`|NpvZay4@O@yN%T5-)hrxKw<1pLlc8f=xI@q6cr0*T3CN4%O*hG
zLEKD1>}hnpP7B=ky2L!)VA^CE6L7@fX$Oh3-JbRtw4RjP-yd9_on8L;$L0R{uHE~b
zh57HcDu!eV=j3Jkhj$gsfl%dhLVrTBe}8uWX};8Luf6a!YazDoxk;vhb<fXvj8BX(
zlYw|2+jQMyVq*{U#;)_c#v6NHLwRbR*ZQs<gZ|L)&P;Z~9x>;<1Iukc`I%yQBG7N~
z`L;uf+JnQxr;#Kc-3HtIT>s7;PGh&rNB61$oi|WfElul|#8Up4@KN|4q&Bi&LHRmJ
zUE?V+SHTr@e+$jj{YT*gP5iD^jW*!_q2IOLZiLVI?0C(xFz+;(ob{iRAEkpUrTIIj
zBCHG{I*zDe9QhdZF+Yl<war#DToQ<{^Z4g+7kHKq_y%XejaE9QM!#zuVq<iV#@MEX
zwT~sFYKK)raJV{Rzv@;+o4R8X&z3G97%GX2p-j)*n^*V{4%6Jrrx#`x$w)5HIqs`e
z7imY^wlu@(*h)fNXSb|dQ)nM2U5n2yeAZ21SYU+s9P`cP;nlOxUcK|1IMM@?Ob=Of
z(CPO(-yxF>)9d4JLzV(1?xXFBu0?4-`8|t~Mq0ceuDfL#;9>Ot(8^l|Zo^wxeSa(d
zvcBdkaA7ufPl>cYR(9^I++-zAe3fgf@x$<Jz9JWf$fLNPMW*3;77x+0RM$hoH(^Zf
zrg$1XTa~%-)A$+gr@S?pTk3_6>im@RqMvePdHI>;H>xIOO!~8*AR;%D{mjC7v`sem
zQ|3*uy_ugfZ-(4YxlsW8@atc{{Ln+93^)xPW*Xl=cJakyH`c^J$r>2{jPgTG_KU)}
zY(*2&9T-g-mqz0Et3ilwVKPenelhp^rHVk=gCE?vuie@%SLxfc#!?QPemmPWX1n@a
z;Mi}2(}BQr@YU1fa>cAN7^=LBug_m0+=*J&+bNoR`Z6|=Rs?JFUw4kFU>R`Y53n?+
z&vcV#Lj8B3naw0|UOgRRrSR-T0;`@5T0PW*f$n7x9T(iAU><qtOP9YHSNvq`t(k9r
zQ?xz6dgMWxADa91N)}wI4gGp;oA~wGm|w4nM)P6&K=`O^W8wh8{7i=&r7=omEaS9L
zv#S-Vy5zv-wh0Sa^PCf-W{0)S%o7)qMG-MVY;2(TPqIeB2s8dHp&vI`>Q#-FdR3#P
zUe#!+SN&T~xKfFX$0Ct><(jFtC4M3MJmvfB<28@mZE)O{fpfr@p00W1{txXIv=Tbn
zz-n#$ADb?)ul2+`WlEtv9{Lx}7jmdS-oBst|L%v&8)=;xMC3%0+CBEyEFo9UK*J-}
zkE$)?5ke}pgY2MokQ`dtBu*zU0wb`q&i58`-&=CVJ#Hian#b(}^6+$E6MKj?-s4rB
zc!%8KdSRQ0t1D<#yc2QVl7h<Hmo~}s$=z=o4YVBCvO8!eH`p<gcCD^9Fi4Q<!XHoE
zd}u?X#N~4;GF&v;C19A4lq-bxp=QNk=En8K;G2s%)fP^*ho1Q#=MHyx6QPKf!j-Z#
z7l?37b>i)UFS&s<M0-uGJkR`3eQ-Ie^DUgcqU>}f;V1NgXQ~|lQ<-E9c<4g=H`hPI
zI~5I%v`k0Fa@mSriw}@R4RUg8l$~j+H>iF>ENH6^tRIZ--h1;w5b33(%qcKP(Y&?7
zexNywu5O4KqG}wun>GYqs`c65rRq*KOFu}80Uzdy;%^X_1BK=Sv(Q@=mQPeRu~k8V
z*Bh%4uP3S(>)p&xL)FxuR$?mF*(+6fdKuo!q-o5?j1_2$5vqIHwxJ)bs)?VzAobIi
zc+m0|T3{`-AbK5sdzx5hmM2-`1S1V7OR1h<2h|e<n)uGDUch%2bKhB>T9J;(&3$K~
z#(pi2g6b(ubOqz~xGCfE^+YY^NRQ9oYY7&{R43lm5(S0F;K5Np&G}hXR=JF&jQX9T
z41Fq3Y%kD&wo4;iHlemb&qLf$1tv%ftXpBGYPJ-(JWWE{m_Bp=&b=T-6D!-^r4N4<
zR=btI2B-Y~sUTKW>|aF^ddz%`Y?^((WxX0400k8;m5e4*t({EyZeXhtBc%;ANqGr<
zL<0WIs~5ZPuA}npSH1kJUyUp9{dJViWWGxG?(D!{13H`e?W&si?bdvBmE1?yAob+s
ze!GS`zg^tuw_A$T44iD>yf!w~Vb{nztm@HSZ++F;NV~N|4i?V-U9Y-`h!Yo@lO|Kb
za$)6{XB%Ti_;>c7K1|zfKa}NpD*w=RRHoS&#o5e)L9}v@T{G)3R^DUQ+gb>P@1B*~
zTc)53No_8)E77$v(>b63UHei0C$c7%{gU}4>_h;GenG-F(L6dGJ^6pgGiW!$XaV^1
zf5AtHd4$TU9-;qxK0}oU;zW}*j#Va~&E_+y@VKB0_x*dWM8dQ^QF56gPMyvfF}X?!
zI}$|SBB);zN>IO8AJeV=>wZRt1}?1kJNnIrg^_wA2?Ohh<oRL0L)&Yl=3`2AI8N4H
zmE8CBH&lnAsp;S8eO`8-isB)_AEoy_R?`&;uOhl4p7#n@bs|)MA7}b|?Rs4a*D2k}
zbxJYxY#si0j`tEA2_&8v{t5WRrqM9k*~|hj@zm%=dN%0xG981SN5JWYvk=#VXX^Ce
z#Zp=(b&BP=t!sgCB4YY(EX3#g0%xt-yTVrQ;A+twahTe5rlO}XlQvo+d8e;8X7Thb
zb@{r3hE7++vbe__?ozu;+jINQbLjm6@H$P}Iv}zkag}ZFkSkl-^|}tT)n%||d&ZOb
zT|@qHTXHby&c=c|<DqGPDFST`^@A_|`NC}|g+`!HFQJ<oEN$8iCC_aLqea?Mr{S!J
zX`s3HDC1FU22j4AnaluQWZ|)M9n@SB<etUb;LbFdQAVp;>I{YznlA6gFa*#9?xNlU
ztV6m0Sp`r>7o!q4?7@%JWh`icj<Q$P+S;Pi?Mv@Y^vdOO84kr-Re<RCrFJKK01<Fd
zScaXIR<fS+h(}K(lZn7*_enJtM)X#}dHgG9T$fp#7zw^5*ChxeI_t@w9skOi*HY-M
zU0v8~jtzt(12K~+HV_F9#LT6hT)w9#pX>QpE=O$<G=|hN-HX<bX3!ndmiI#27@`D-
zicQgl5;PsaC_>DrHVSO+dinv>23VIk!Sb^p-0gxhvBCE8W;#HbUuIW<-HeIM5C@E|
zCbS;HFrZ*^2K^TrtC--Lr!t2huonEw)J(x;3TA9Zi#gik9|Wnb;P9?y+!^hHu_xjm
za+m}2(eVDGI*mEz(Yt)1WVe6Fm0b%2GR8ng?Z}QreZ_P{7h4GWpcbb4yv0n+m_HDS
z9qJvqwA<os9d8Rc{V_q~=yPj5zL43KC|25?w)o+qb1>{kd3B<0HwpdwbI_*SfmwwH
zNlUw-9$8Hpqoi{eYkl0ZBaL8X{`+a?oO9ZtbIv*BO!@SBU&`rBgE>`w;_YvL&wJkf
z_7kI?k)xB7N6Kz@`N-rQ*HF1{8~nLnxEkIvCiTE?LXAMFX=QrNs+L=zGi<g?^rM1m
zA!5h2J1<U-*vmJL<8KvOEuAMnKTacYBm7w?zYC2>*Wz{Wa}mHLzR$t3Xw)Jlbh0Sk
z<ZYy~xtfHviy_>PP0{HK=A#3H(Q#)cx~IH$EHZJh*WP3MWY_e?hgTw{$&@#fEF9mN
z+I!lW{epaot(~B5J_WSpYkrnKLW-{mFI2Rl>X46(61q%vMd4#sN4~$BHDhMnqE%L)
zb;qffdhq`?T<(r_#$5}&eY2+QVsCyTq3_Q}$6U$KT5o(Z?;P%S<-#Uk@4Q-T^XiN4
zbh+rv`1NJIH)+chgRbsC3OaqHZ`LSpam0$g_;|)f+MkZ>LxB2jLq=}LV++D2<0&Sq
z11@orHJXfkGU9h7TX?8wgj)sk0`wJp1x(riv3ON|VR5$dW31b^x?1`5V=_Umwrf6A
z#ILVhJo=$$KWU$`TaskIgN^u10)1h$Al(zYNgbGZ9l#HmL=4}!YKe2dj_U?cz}I<!
z{W@IE$2z0Vg&tQvY@QwRWn4)UF8@_$NxNdxMNe>GL9MlVbVY!}Mc?SG(cr}SssB`K
ztX*^6-P=np;BOY_|01*@FG{boT5Fr`X^CxMwf1dnwWci`zBO!Kabv8`Z149+$5*r6
zbB?sJ<n|4uo!GrSvU1qnJsz<}-MYR3&$PRBN*!LfXyMS!J0lTS-r{f$AD<5;PCuNU
zE4oLFp}e;|9Z4NH4X8>YgueiFp+P07K5)a5z(qDHhz2MXi7G{+wu7Amw%pt&w<g9i
zl}GWLdZ*$B`JUI_eD&y5e)`5+->{#|KQZ9jW5BlvDxe8;T0;aT?S_)i5Hhe@A7Z|O
zFwwwqh)yqVxE`ff4a8!>`C5dtx=96;c9Oh7tOLqu;sTbN2RsAo#G!wr7D`@|FJTE3
zA(v1jKAN%VY#yyC>M^*B^Vl2cE2R3Yv4W;&!kI1m!+BFEr?zK?!=6IIr<U8M@}Yr*
z)s`xUZ0V@CU9R>-a^B!j+K$g~4F|F#JsDTbYpZ-|DCbG~92)yX(vkG(k$|GWqlbY<
z9ksT_wNcuQe4gm2=AvyYB*_S1qC60%NH%vEYJMNwSCVt(H{K~v>-3-{25rclU$B$r
z<rkY*bmeq+ej=P%>i0q0!^LRoz#(I(+f$ydd@Ahfwm6+5XDo!1V*9E#JSub4&4m`K
zyZP5<Lp`l;D_1#KiRJ2P>HJtPZ<XqBK2i2ePxtgrPxsmb0lO^_s7;mE-+J3sSKW5o
zbzk*+y?*j(px1{^+XB5JrD{s4mQhNh60?27i0_PWP>fu4vNLH(Nc1Lym^_O3sme6C
ze!lm1>%ON@82lNhH&4!{c|nBLaIEr}eJC_}WW;mwmr-z?fG>AkPv(LWl;@{V9xc4R
zu%+3*lh6KUJ~}ZH8>Cy@k=xeedeM<1FLL#4%k@uB_rph>+Ii)+x8D1{w`{v|XKMVK
z+itu3^4o3`<q#r<{vF1eR#a#*)^O7JSR<nn2&R;9x#ONoQXq5)b}DjQFWPS4&%^)!
zWsb!3dGnFpq3DDo8{a#)b|gG;pae3<eRVQNIxmqqU>(S04nZj&rQiKP>odRy2wkZo
z-`RW!*T?DgLHPbH;WoHF(Sg_){mK8WG5Q|4B|eg=JdR)1Ga1uM$7pzWiNAYFQ(bF+
zg?^t_BP5fwrwE$*H(C_5e!k{%5?$=m&D)r?M@!q=(9G=M(9Fz`Ef}=HN80YLyXBTE
zue{}!>%PppwuE*o3ZT=rK)XnFC#BlJs3yB35NhRp+a{KYVX#1AXN{$zy_*z__H8=n
zNDJgI8Gfx^7z~v3zgEK>Eh!Lm@p$F)#o61hIr+<29QPMzCy$MK`C4O^j#rIqjgBph
zuFc2NzaKdN`~wHhJMTdM$VmUd$cXy2uX)XD$!GM6^Uk~c^7GESqPDge+F)(b@xQmW
zcrEGZ6=iL0F}*=Q@AzL`TTGolAMG26iEE49M?+(Ki_p(M)YX65%1odzp7f?u-A8xC
z=C`lr>ed$bLO-8Hc{JIuw&<t^E<!L-Z@QcSMEC!5Ik8JzPNYW3a>6id@WFDTM_f+C
z2P1t826>A!Uh>5!vUWt*6Q@27>xm(dy9{W&VLj1NwVmR1%ZKJm2gSOjgR*huU~|mA
zr-a{IIeqj!zy7j)+@8ydJhlOk9|2mzXh6DlXyh?pE^yb3|NW%`VWh6xnKVU;{;@fO
z(TRJe9)<NoZoa#)+~XqSXBX8$lCggR)3F?Q`30a~gZ$F5oY3DmY+IU&*0X!xaNBh-
zZqM9w$6W{DJxsPH@0p@?<_11J3T?3irBJRxcTYKGB!(8MLPOk)8)O0`xGt>|8_gR_
zjXw{}dX=*ywuDFD7tT(416@Obfs|9`S&6S5@)V|`-8=d`!I3>bji!&EX^s?q<BOFq
zxE+0I$Ka9KaQvJjnQc9u#L`7G`)*!Kviat#K(|u9+FFwthEQwM(M>8dC|_7+z)w+`
z;Za)X82ot%#u87{v4n4grDKVUn|?PROWZ<jFv(7xGaW1q#L6(3>>5f=WNm@+8W~RB
zSvQ;{3y$n~oDV3ZPT6<@b-IUsw?W(azAyy5+1pCKv%Ub=_tERUz`JjVa)YYc);{@f
zw6(kCmLwAqrs8^NYj3=jwY4`LthVXLbe-dOonQE;8#PVRpiLUvPGhTSY}>YTf)l&3
zZQHhO^TbY0Y)roMn>B0R%<~8A_3V4^8(W`C7|VC|$5*b-zo%z%meL>2OF_>J8(kG2
z2B$1sbm#mZuW!n4s#5`*Nh)37{+CV9sSb)w_7gmAN0XDs;=|UYsdUbRiaGBNhd11X
z0POZ2+<|*BwyZp_1!?R>(I;GC!$P*HLxr$9ZM^jH2A2V*@EVuEv<Z3J_BxrDU)Xu8
zRZ-3xw+VP1%uZfhmVl*gLsN7dCtcf3fro;%)Qd95H=|!5sR!YkKFFr`fss-zvuV$W
z`_@`7AuL+ydn@EYK~n%>DBV@ga5wR|YNhK)meI|x&)<nX>2hHUlN*p+<?t1E)}^z8
zv@AePe$}1x^ehhnSK{J4E$iafNiSDut5m+Ylfmbu47%EB&U(ImEP15lb@Y@7`}g?X
z#ATgKFJG_y8^H6lA+2sXt3<rhY5nMOXOK22DSTkMZB8~IuJxxRw{WjYG<UW-z9!4{
z`WEJ1#Vi1Jehoh}h%)U*qk0-d&nq!BweMJ>VOLW;e#h%bB4bP>i*qEv`uzZM9=bD(
zYgtLty-E~f?O4K*hjz}p66sKlGXwi;fmw&|bk6N?jV!}^xH?q--859QcBtAbHmFw1
zDSJ4t@@mBTBo=oJp4984I1t8`S#$sklmzISrd)!9VpTj^aT`qyI$hj?*;OtTE0$pV
z=T@#d%W015l<~1fpJoM%2HBEwBp3pkH&6ekXI1W1x-UgMqbW=a9x(q9ChJR<PLCxy
zVV3S69i+jmtq2%~$A*M`@xZ*b=FPCis@)Z9GFhXm*Z~s2S>!*%^WhSHAu64KRrX1S
z3M)ASZJ2*lX}{tXA%ba8>^{}OuvjqIc!Y+sh~Sip$)|jBSaZM6^O}z*4;!e5v7*$w
z3B^5_AnsGTaN=cN%zq2@6grOGTk70{xv?Sm@^U6DAf)CMia^x-d3whrFlfCksA0>!
z?WXI?(*&PA+rpS&@O3AaHr6(#VP4+dzO9<Lo?Cr{KZ=3hF56*_odasPu4qQ}vhH;y
zB9qz4KVG2u3!li>u=0zQp}_l17ox$;w@@e)wU<JuKe0T??E+Sg`eu$va1RR7BJIyW
z3b)QU?wycGM=ALpiJ$nf>@p(`lAa@*h4U>WUXrSdOSU7ffW(6b4X7VkIu}h(Z)`a6
ztP1q`isqvAOS@vw%-n~-0W0z)oUK5N<FQO^LXXM(+b1|rubG;ueid$?SR)JpUCjn<
z#1Rs=IuWFZtaHz@!^tKpL7fhu$c*^6K)8yj*t-j<-(H@HihtoImh*URM2Vw+xu0N$
z%(%P?-r^58RA#p<23l0!eV??v+Ll?dQKxv{;(fW_fI1IZ4+Hdd=szvwzjcF<XH0K*
zP>%#5Oqh?JoR+BQP}UAb;Mf^+b$9N6wN-3aOPSxcT!lJ0=rwU0oJJV7O<d$oQA6=Y
z3AF7^<#r0v3OD7)oz(^iF$IpCHa5SKz4laBu=}2?v~kDbsugf?|H0tHIf5UnBD?Jc
zA<N@#`ZA#5L%(wU(^Vai)%L*`RE38Yq#!6Uc>Lo;_V0K2CZgycOZbRf@J<v7*?va&
zRV5mgz`N<#kWCAj>*ubIEw+2yOJ!5YuK16O54bMfNpSE7U139aLDE+nJm=1R`iHb2
z%D26z#{oNUH80d0)c4N79pUb(g2xH8u9PjO#CQBf1MXP)P5l6M-e|g<8q-cy`aatg
z-s;Wfh_{2_M=z_5Ep|S|?_ICK9UaB)S(i&D4{*9=U9wj(CJ$6LWnEQwKraHp-yO(l
zz`(_ukLNFqy&2)13~U8p>z$iyt#CfdrLm)jAGH3A*IYS)k%1b|L6q(=HUmq<Q2XAR
z2_J}^1XWGlQY8;Qd1m3bhE>yUaY&;7(u;5-^Hqmle^(84@!X9#JE{B7vwA(BD1<&)
z!t*{R^*)_mFo!(A@!pDP9djG^WbxnqKFNM)xO|baT1AERvGfMcyB`f5X1?qSE#~pR
zFNkq2s#4w#jFKpO-<+$F@kDT$J;j#;6Im+9V&5uqMn-agy0*5U;K<jlL7Xn+sm~*N
z3{No1ljq~S%dO}8i^{!+xy>c(^BND&zR(VXZ!8$(x{EvvMo#B~It`eDyhEq-_e=1#
z^(UDk-eChG0rz4hbr{x?IH`=bQV-{`j^N(8$GwZn-y+MGwsu<{caXdINR*g9fEZdg
zbq~%t(697;-liCig|)@&cuEOqL3xEH6<9w{me{)q)WSlk6+8X?fe^Q*Z=Osk<qKc@
zJ3-T>C#SNU21o^Sr_R*ddw0ADk(ExXh0e*W8`yD*aUgAtqmll$S?+6Xw*;+)j0vz9
zV1QYSmg3@z`wb-#Rnaf~L{laKmCSe@R$M6J4yz=%2@>(s*mK?=s)qRr(n@~~wtw*4
zCkt&~x^K&lXF5@6V=MnQy}{DV!NgXbeRGd#wPKfpWl=ccT7MEV2W%$vY+%<3SxOeQ
z;cg);_c)+taRnp=ObKbL6?C4A&qa)@azw4!y$I|-HH}2R-9+qw?=uu~m*BfZnN~CH
z8hDSdTRlBLqTjBw^4GCl?;|n18X+?ytP>7j>^<(b|7_H0F3;`njKjz#&9L9zZGU-p
zD6qROdc2ZIoSq8?1x}&h`>W{3OK|RKUn+8;BweF30h|8XgxzNr@)n*b;4Nh?qNenM
z9q>X5tq;?!rA3jOU1qLc=Yub4w%yK)m$T(rt5I;A<l+ildNZ7#v4tdiAc>Vn&=`5j
zT?c5;;`XLoa&#FBT-VmNrbea~x`qN=Bvq|uA9zAET4=0kK)n#gMjjO`SQ2ou9APO_
zO}=sp#PRVQoaoQNv;D`p^$^N*4;xE=j&@D+`4o!qzj}_q<qIp;V`wf%mcq)%8tcM-
zMV%TT8egRT%2x|PSd<y5)(R#_txtCnwdY?To9Us78bihN>Dt7=0C+ewcAByL!b!&u
zH}2EOAeu#;q;JkuvCD-U2r3LRNU1KIOFbHT0m4;DR>8fzif1W;uqvbiJgLf<PaJ|a
zDj)T@IIT{?SI<+jM{KDu&xzVdj$A0d&aHUW(Hj5`{mA7L!vuMGkWQts;%V#Ek;K1b
zAIB~ZA0&B|_o-gE>e_#(ad6bOakpqc&WJNiuE39Vyh*w_8n>)g+WR$F!h%^Z&1Qm=
z&K1!;<TD#@It+A)36dXN6goCF1=yO?N53W+rWPd)kMvS)>vUJ;KPEhq{{ut64xn{u
z^~(o>y2im2Q!Syhhdzh8u+11J&e?)c!u!@FAf;0%1rnuA^rks@*|_l#kwPyj<KM3B
z?9^IIq1#|f|G}m0##6~ay_FcaGb)jxSr<)?ZT3-KW%<`GRS_MF(81Zsz3ic+kOJB(
zK5sL^tP!+!EnJElRJa84bx~UUVlS1^Id!-L((TUik+OlBF(~h>t%uPTAn~M7RqJD4
z?_EmV8p_YZj;e0QDwBuN<>twgVJE$#SexxWimFjUd!$Ero}>+$7@TV^rY=Nh(*PV9
zdIg=hCntssjI|P5K$(-sK3;}#6v-kxU!RE2G!(@YH(0U+EzL}S^)F<GfBI|6U0t-_
z;U0>!@q*S+!%7m*oa3e&1u|Kj)z6@={MTiv!)=jH>{4LhDZ#K(W#0af3D*+)^@7|!
z&ANwlVeR-noR!Vw($X%nQY8t{m<gJV{qXdZ`4M|{$S51iL#J8S6^rQ$Ecx`K2=~KA
z!*2l|NXc7s#temv<5CPOw8{iBi)s@pNy$^c)Oi)>$DJ5S0002)bTZnDZMe8-kQ8x`
z8viWLMBP{HNqJHo-LDM=m+7&851tj&#N@JDx^M@tGMA~+j_Y>PWNbP=z4rbpOK}Bm
zpUuS79U9g=)rpEs>4Xs2?U^!#j-+pxMqo-izU3jX39X-ytjApDe1pMS4nei1B|7rY
z&!-fba^EV~?9G_qL@AL}H!~oXHn^!p-Z-EVp-VKIVP=j$Igzl=88+RnW1Wm&TiQQu
zKe~|PIU+M|*kT&b(akre%N9)a?20CW%ij`X<K>l>2v>K~Wd~a3J-6~uS08n|{k}=0
zObj&4G=NF0qncdL$-%Q7{7T7{z<8`O0vQIrG%`xx`;Hm)mwecsc!w(HPZH0jLBByL
zTHeiOy?l}ktigT2=1#w{>Vp##=f-&{zEGm8_wVVf>RuqmxBDSFe_a=tJN*68y*<XR
z#N$K4K0iA#SBwnxdlJS-A660#T3jVe!cEz)=&}lFCBhcFX^raR^%nRB<E*_ZCekQ3
zKpZt(p(79cbPN)yL@~+;p8=<{--&o`cT$5?fWjh4y6cqj@OGH2VEGzX`0bs6urLhO
zPN&n9C_eXt3Zu@RBB%+l5Myy2jn9E#HhYXO$+VvjdVEQcg2W|lgOjx=39~BTTk}f2
zkc<BJ+<;~TD6f=*t}}Nnpb0x}TQ)7(6@2<#oqL5i&Gz>~hvs}{k7~-ocs9ywyiT1k
zS%NzCGjhklpC@A+j$Epya;7z@5#~v{r~lqXN%&=&)c<hBiQCTiinN&#&Kh5Y7k|pK
zEN0g_{e?vNty`AJ6t*t|?WK+Q%9Ksd0!yL~sZZI)Lxf~b#5Zec_TYRILU5aoP~w-L
z$ZZ}`$&k1M^Oe=q(3kI&>hE|yL0cWRZSV#Pr3<XIO~h1k-=R1{E;;`9?Vf;vS*(-k
z+q+vNCzt05wi%2WIO|7pv%ar;0kda;KU<TJUj&WF%P1;OgshS<O@`3X_4@_}^i2@6
z0cDL!23e7?Ci+mztqw@%Y1&%p_a3vyPJ<h2EL!Vq%uTV!G<#uU0#Ayf#xmRF$^I_c
zeR8q-d>FFVzpQ+~aU@XoF^Q9cn$J)y*vdYQC%@MZvn$+V&*Mni3{6l>JdR9og3a({
zm<dCh#MuI<+{741Y&5V|l!qFw9+m5s@M$BoZ(H$hlFp@qp9^1WbOQBo?)NEhTT1eI
zOMk3N{&+yLBsV~m%4FnoxjTL<IX^@yN_soUP)$~FNgA|vG6l9CrOkTSYVclHhK;Q(
zjG2leM?LlFs~Wizw=$tOE$2pQ@6ggZA>w95Bt^CZAI8Jb4cQD;@yjwYn>4;}uKO@c
zHag4eyeqhBJfg(A{mMXW$0cds1D+O`)}@!Nsq5;s8|8i7HVwIE{`V(5tB&?vG-$sw
z^APo;7vVa-C%xnVv8A*pMvGT<iok8g!scjv4P$6hTgtUn^liHwGEoY`vA?3ucyM=7
zEI9ij)IthEXx;Q4=^O_aIHN(t=3I=13DD>b>zJXp`^(1l^FpSJwbu2xk++H~kDbr^
z{;2!CmI2*K`0l-&rd=%((vqJ?uHK|*mh{TpWojX8H(0ctOMBJo(Hc~N-a(^XJ4D>A
zYS8bh(2U5jD`;yGB3W!5!m`%?W}`ic*<#dFy5(TS9p;^9j1%iD^_8{SIVu#-`a7WZ
zWxYRF7LsXJwlmO63gQ_~V2QOmkhk%?>^b9w7G_Mc0_OB5XVb58_SJUw6Wdn_aM{a6
z@W->x#>=M?Eews$1`1B(WCrO62T+j+Z*?YGKf7ZEUu_Z-U9Ty_I1nSdrlHz)VLCP_
zk!P))mU(Zaa6B<e16*rSj@>f&d@PIast34tRJY2?kS-^U9ZP_P*&p#<cPru`zaV04
zf+oX3RmD*$JU?aMn{9VaKF>m`Jv;nu*~=)#IKC^4y*1uJ?*U^I+hH)(5n5uSO0A52
zbxU6uMJscQh)8#irJkI!OhU<eQ7PamM`sIW=vB~;LcKC$k!xXzksXj{P2xT?UnIde
zv7UCUw_UEzzc)hwM@hq+yXsGwQ8G1lC9j!GCEvUUdbVK@zcto-7jbde8|4F?sL>h@
zCmQRJaCz2@rviJ6Qx9=Iem$<i+tRS?+f4YEVCz9H?IcyEvER4vv?guX-(60>H#EF$
zy*X|)ENyT&Jl1!JmbTb|3sUAWQrjcgdBu^CXN!N2X|45|Hr=Os$3+U)`c2{UJgqNv
zx+us+b~e7g&uAcRHqEhZuI+WqR`W@qt41jjx((s;+#ObVYs*D;IX(tAJik%RS0P)!
zu%BW8ozxfK%R&;SKCkxPXfQ+z;LF`SWxnlh5AWq<ZVG#>DuvMFt=654y69X+TOwCH
zZ|BA3B(vJqXE`5ruV7EG`t#SkaLB%koEntC$u`ecb(kxuh_k72hH;Zcn01=&+tScn
z=2B$wJVk+CgO*_3`P(&v{z!wg5&VR+VBH#rhr69HyTSgK9&{37q8Ery+7VSI`W{CJ
zmn=v7SzK*x49hsOXTSe`U1&4(Owj>0U$=Jat@b=A`T~k)W-4xi0SR}Egdy7H36%n7
zmL~7Z*5Avbh$$^03P&<mAKs@vNn0XGU9bC$cAL=z?QM&Rpl?o8at6$;u4n@2cgXlJ
z+=A*<vek#*s9YlvGC+Hr?X63ISP@$j6~1sSEALSFhG}LfbJW}M-bw|H?}<DU3ORW*
zPYoOb?6hf49`~Ps#6HpcDL6l==prOh<f1(_del#n6CQu0rtCWui6>9Yw64ST9@(=i
zQzgIh{s_SlPYodMeZweQojpvTfT^`%2iSWovnxo<IYtb@?y}9x&Bsfa)IeX(BZVYz
zurwKU7R3+ibTAoJF_2ZXOFN-yjB$HuhfHmyA5ctfvYKCGn0B^1_yfh+uV=f#K;N1a
z6IY!^3cSvVNZ{;xt=0lGB1TK)P@pGB`!1X5vDKYoiqBz3kMoj+F2?d#@<v{MXKr@n
zLEqp4A*D*yYu;q+h489!XpT9HuiC@F$jTro`|LX+>F$2<RUPL3H4Ob4J_clWl1uzw
zN5mP^H5}Ap1?=ARuXJJP(EMBYY#NDfOiDv|KWA9!;#{#8{#*oM6}{IxCDO63otHAr
zC?|_!ku$j`wJOHZW&*IcS95N<I+bk1WzN7Awe^6HzqMo+s>8t=8c)Dy1TK2@=|~fv
z{kwMkBN06IGv76AY0c`)4XrUq&|fcaQbt9)C^TEmwu|W#XG7yp>7GxXU)CJo-Q%vB
zC*jbm*UoPnFSN&vfwvd6ixu*U=p%w78^*+%fywsWVXodtl&L&L$MSK#!PBpZkk04s
zl|YvGTe^aq0;FLoc1Q`^I4Il}cR<U}`x!gxtbdVQbr4YHb@TSRRouznG0(nQmvu~B
zNOE-qMpIeQXryoZ41vsTn;sST82<9+BJIovtF#E({JSq~p$c$rp~CmV@S1D8Btb>}
zm5ZWPaK#!w{qsg4ZFR8S;M9^V;Y8g#kTIz;I0%|;e@oAya!(y%NUyr><@?(D0B1u%
zGgtUr0)+xp&*bEm0K6$R2vdh{)*(jXg=Ko$S3+7NP6;Jgr#tog18m}7uIK4s6~NCP
zP0N|`vq!>k6>k}9*&hCKa%LKlONH%)OFjY(^JhMrpAg-D>S8pouj`Y)oI}s|w?nL%
zYavk4-6_Es?ObOIySxmHk%<wJD5k8M6cw$7pI@s;Tbgh8&NVibCS0RCpAt{MS^>$B
zKB@~{zV=msgqRv#spoa70{IDwoB>`!R%Q1=GELjRN$^4_O&MPoMaJgfAHLm6L77^(
zn;2k*2`Gk58Wj&%&vw2wcu=f;M@b&Z#$J0{Z33s+viD&qzR=oyfXAGP5Q+!r`IVnu
z8U~XWu$gr<CyZa%xH98Y6Z1saiXwvdi1AlrX{!nWpgNEGJ_t#MG!v&K-mHPVrdEkh
zD2V00VwUju1MK!oaXAmsos15D(lujlp=I1nW&!ly6e2XeosfT?g=j8H)Q_(Fhs$$;
zABOE^4n5HEa$4T+^54b?a_r68kCuvb8X@qbw`3i7XnVQ_u8N_(eRel~zS=|%kv%qX
zX2xt$aBh<HWbHf({Nhi5)f%~?zdiMS{|EZu84A0bilO505=VU<__^MDHAd=+JXBR&
z6nsNRd|eSkzw+&4L;2NB;T0Q>ujlHN^zqA(ZFKv`+Ur}&^8*P)C51V($Fx$8KO#5k
zDtmm<#JFF%iDvVv8Vf7221GApcLSsBEv%f6cGdna>1fE8aA9mIRb?g8tyTEfNi*br
z_ls$NF9X;kDoCoLO@rT-3JGyq-dDOK0gPu2Wf$#nv@$G0_+i3v7E9Y8X6LW*VOCsj
zc=3{Ow>tCHeR-b#j~&R<pycCbVnfqQDE#%A@$=8+@>I_Lsy39aDm<(1ZXysuBCofB
ztQOhN;EmZMZ9KjB6{hX#D$DCcv8xRD+|Pql`NrI+@Pw(!-F0TH$6$IJ=k-WYL$EU>
z?#c9@1>um;UQl|ygReEBF$$*b=dDWm?@Z)&pe1IjdD+kkSW}Hw&!Iu!FZ*PwZaU=1
zQ@T5*-0}iR9WcB|+ubcUHxK09_3;u9zpW=-`Iio~JU^)-oSSpSv!Mk$S91H|N<?v~
zq5oPeWh-{F=HA~Z!^ZZXOam`|IHGDJZ)N2?%HWbeFyl=VaN>9C_lgGbk6cy%hdzM%
z`6?fIh$-XDdHX(9`+`U8MUC7XyQ{qn|CTY!&|~O>`keC~;L@G&kNr}s^Fg7NpCWRq
zIiW-LA1vu(94@ltr=S)eVGqHUYZG)=+O9p^yLF@~>0=)56eI5F|8A){B0g*5zX@{o
zuH2gSrimNHls<aT1T(~-@9N7_gye0%@dip%=kQYJ&8WqX)RmW|IMn>Rr<tG=u<ibn
zU%<HTO<FW2)m<d~kWg}71c|t+epZ>Y0i{OUnhw}+rq9WPmTT*nEmMF#J$&L6VJa+X
ze&`*h!Im;<3U)eO&}*B^*Z&<Jb+ocYgsDZ8H!wR3*+=xJeVyB_#nxoMu$6f=va@?t
z9)S1$3CZ~Rx`sO?b}7o4x!a6m$2*i{kMZaA{l6}{O>W>uE!iD`K|8MTTe%mq)$mI>
z^!1G^qnQks<-nzwC`$;E`p8*UI=xggh&aSDZ^`B!p0-ex-)D(QvtNT->x3(q)Ke|K
zDO*_AXDi(zID~EPP5@F*>jTR#KFf+7MimUkO%uU}p(}b^L&Gp_zoIW6Imr~_%ffdo
z=uYj&5*3N|So8`H)YQ_IV|L`xDVOH0>@k(xx8v{TdOFDCuL7vBHMgi-jJZ`Xg$Q6`
zN^(=v5|?XR6hY-0oOemp%C|m(%Z9b4Fix{~xM11Y#wTI&v`vAr4j&YovOcI!JP5Ln
zW&i~zzR4r|7chF~z!hbmH&nBb>t_h~&JWit(fm2Q_nYdE_tBS>LyoZzd;?byF5Xz3
zo<g5uaRbzEMb~olWJ7J!h)&_+=@PkM!M9{NeMv(p3LHa?(s!kW8j`9q)DoMhd(!g3
zUs0e6W*pj8v~bi=2<9Kj<r`9ZeoQ`SzS6x-oYGh#G&6TzLD#pE<>$s~YmU3{bbU$c
zT{6{foD4l}c79WUJJ;`*@LM!WSrRALH0AWRzp`Ync5w;%C5t{s9p;T@D5)kr%9b_V
z_3-1{TjWfiok)~cd=r%ydmjm%{k4uu#thBVCz}Gk9B$;#TZIzEG$yQPhDF>lv_`R2
z;16Qa6DWpV&fhSpKLYltNZ&#x(48K>nuYfmCc}rTJj^6;ZxB3d?{BBo@h)GV87%oG
z$pU>6G{xlKJrg28h5_E+z2kQ|gP{1os5-PGL|r{SBHwcA8cvDV9*Wsl{U5jc&k=A>
z5benN)IGKz_(!jByZEQTwpOC7=}jbsyJSvY88ajMtZ@Iocnsp)r1&ose;K;*Ipy38
zB*||-dq3pVDff<)>ba6k-C{`GLXXrX@A2U968=P$@c)S6S8g?{T-Jrd?}<2LAz7}N
z4cEh&>~O-s9D^<+H07b7%{Be%b+Dtl@g21;(Cx_z52YddwG)$@#L+pQOyTfKyY@G`
zZOV*+p1mN##*Y*%(fcG1KPZ<{Cm9BJ_dk0;qjSxBQ^UNvGTSWm23{Oh3{kB(2>Jc9
z>b@3lTZWlE!wo5<HB?j8OdjyGQRTIiLOpYL7V<ZV)L^?q^!h}*7;fKK-aQNaF{zA_
zO7<T~C=H}ZrAIwlafm{0cy)iIK#!xUTEWO~|C=r7=E(tE-R$VUmkjKY2SPDIIBJSX
zxKdnaL#M9!_5UR<Cz>B5DKAmCpkio>4!|+aH?USkzU*vi$>(odFU7SvJ(3hv#7U8+
zU9FL68>~Rqtb4=rbu7#$M_Y6`UM^Bgyge6Lr|HQ$bd~q>4%?MK+w%P4I$*bWPlX&e
zpNaNYon;OMFW=K22s{0$qEKPv7L~w5??^FbJx=!FZWvlC?0@QFzUXMrqXEAx*%k~`
zP8&J7S1WEsJ2EH_DA`;>#?9j5QDRL^cgxTP8Jf~Sm2aQ@1(rXt5g;(dG8#|}*?vv0
z8aY~iMjZ6^z<d96xu368k;qC{iZ<N|xVnS%^pf+RaawrrZxCq0F1c;Qk#tFwtSbyc
z2O@n{m$E~aNj>k+=G5h<M<;H{+5>%dZMyGpL80&A(P*ao(M0`OH=k|3a=MMYX{(7G
z2frAz|9LTJeieV^SU>~^x`%whH?4(57QFGhC!y04l~RN`KR18;LEwyX<6dhV;w2Nt
zwSr0AK$XzXinJWIl0DkW+R4~tCaZQ+sipws>lu$>@$c$-9ti+;&_D2b>ctC7eDvYc
zn^KoL&fYxzO+Cj@8+>p;t=p}5+~Q~1`0-~$Dyt2%P9UWOG4%Sm3$w~w*lmwz|LbR!
zkr6VetQ*Xbr_0Fm>HpJJK1I;F30sWaG|r7>GWCkoj_g>7jA6GbV`odFH&2a>T{TFV
z;r`}>TgbBa_m>Hl5C+Gs*Q2^*#^8)(SK9+s0romTOyiR@n+c5B6V8<nw0G>TKHNK9
zq$t@V6fQV%3*g8@-_td56%PHGCo{QTWqbegww8}i`_Jz((F`%fZ*g;aB|?J+ufkH-
zz3GQ;`n`rf<2K>B&&<tds@wCju$78^F@L=wU$qUTNE8pJ>R~!;_~&NWY{E^aY3pfK
zqUsp+*MsXjy0S&%QRxZ^VrMw>PqHzVx**y)DZV1%K<hwlp$PQRUa3it{!vZn7(3~z
zWME(Ki#&9~yRnBk-DGaOMQuT(%wE7V;`icAF&(IzrXJKLD=UcvVFUU!O^ljm1DlT8
zYYYRm0_QLFvrkX%;%PSh9X~%sLoq(9IS%}N*UU@5?e>cl&xG3o+qy$=?gRS{1l<3m
zL5N5|7)KpO>>)7em<At&f-Lqw6A9U_UDNL~SZV#=0?=7O$K~S&mq8-)=F@<}=_~kf
z8M2IAAM*dfhd!J8oMg(cO89pFr3Ufr;H|QsJYQX5;FL4i6-aP2tPSq={!qt>?<=RU
zkht$@mT?}WOo$7uHKk8D8FWf#1}`btMqSd$C5@<7gz&|w>b^AvyaxYud0%_`YvJV>
z^zyk>HF`05=hFJN$2rIfBxp?cIIynQHlG^xy#*pSpV5B4t4znl!vRrI0t5*p27?WP
z5crbm&~nAHIi+rYe{joxp%W*8VNIz};!%jECRr_-2P$vpnwAEINDjo>YCk`TA<3~1
zzV}WF5)3}N56o&A&7(Vm&uPk$p8WS4F0TKTUN;+v<7IO3WLw#8I8Pf=bM~S*VUj+T
zTs~Hwhqa}A;Kt{`jH3K0V*RUZPT$u}XZ7o^l~RatcwNnFjUE43fYGNaVL6@}(}Y6G
zp>#v+HnVdKQr_tF%rO%Hg}?=z?rc0#NB0W~VCYz`TVaJ2GlrOA4OP$*&iJEPi-B@%
zGr;n3`F0%35Pz0lkAdjwAQ7TSQuDG9h|(Z=FJz%Evz1DKjOU-=p;B1~&CRt&i$`=i
ziZZj<(W%TxthlG}2>$i7UOGI+Tnx%cdI_s0ox*uGS<2=ABH<|<BHcS&o-87e?xPk;
zVU>rb=G=r}hr#oQ*ei5qt<svczAc>T#Jj1x{Ys)rl{yGon0m1N(!$Hl8&7wK&9&No
zgkYO1J8KRc<v=h7kRuoyM+ed_xxt;@Z<)Iu8W|_|x1wc9^TH!YcW^w;HP3&Cl3pmv
z|3Yq|I1Kw!F6<=_mS5uu*-GOi=FVx`R^_KQDyZef#zr^C_{$4C0nW%nkt^1RNT*^(
zd-x0KsM*;~4LK7m!B;Z#EQtM>O_uej%%c@eoo?AH8UoPTQ87oI<<j_BrM5R^(g!z-
zvr}`c2<}(!yBbGX?*I4@+~-;`F1KD1FBop>)VD85@(Z#jib@ozAiu2m<Y2YH-*d}O
z5FVC%VgwxL{#&HR5EN8(CKTrPYII!U%J1RLopGHnWvp*RZ||)3$n?N2QMuYjL__Jf
zIJc<1_X8ePG6IaX6zerpcnDh|yR+UTmCi>%h?kp{6I%2A#LUcUt2#0ZFrx`%n!>+M
z-q{gOFv~N~hgl#-<MlRL7Y~K38sw&)RcQQc$zS|{W`1*ARV+6w=(_6Wm%`70l}B-L
z$sd&YQ?onFWCX9!d`;I;fDR0gw$4vK*~?)FC+=S|5BRDkYOn4G{Gi|WzMlsN`uqKg
zSws<3v|?~cp7fv8crj)p#kx^P=##%;!95P4jND;!srR?~CzzLy(@S(ov0z@E)9s-8
z>zdX=J4}4Ka&n?Vg`U(KG*hQ?|1xID>sY|MXCw<ZCR((YkTqf|B5Jy~OqEsIZYps=
zKW@TQ2b1)hm8`knvB?TvqW^U%TMG2UP?U&tuUK|q-Q*pO2hf=k9|uM~)7w|BzCH<|
zuM&V&K&4W|hZmjdaf3XKO7HS?GSWA4dU+DXk0;=A*+`f(bXeDM)8S+D+;<*A8X-VC
z)%n)*81u(cbGoBeMcQ?gsiK#2?RalIWOacM6qg3gBEBZnIla{;2~Cde9Dj&gn;dI;
z3W<aVr>Uty1M3v&b8%K>1UoVFE?3N8f;}EST7Pxn5CUENtq(utlXhB}5OEJ1IVDWt
zNUv(c#0B7)2KD1FDdCGSF-3i2ukKJJSL@OhFXT4Am?FO>34fFFnx77jJ{RkA<a4=B
z$auesXq0`*Ze&~jbGMP;+*W+4NnOOeBF`cGQi5KALe0&zIMER|f*X)>yGXvmT%p&n
z3@>`OJNt$oz-2!L%h#Z=aW4q>!z_(cd`$|2OXg_UsQkly&E6{KJmiI7F3Pq6QNEVl
zQuL98M$=NFzFC3Of9#S!pQ-&9ofUnbq>I2zGcyl=dhDsqoz}&r{RkgQ30KgrP{JV+
z#i68*8bMLyd55_Huqiv;wPH~B-{5oKbB@rlSl(-2XP5u;myV2C>tNhA8(-IIH+|^V
zf74dh<P6E*^b9;?U8OAW=ESfFFvz~b7OegZK@-bYcswLA|05`_tk5XHJv%&^ZsA;f
z`&CG@tW|r%uP?4bF@ZhP=8hjwq)?!c;aW_|J|x=qN64RKX4LK~2i3d19!K|h()8xk
zhzOhO8ytbJOVStan0f2QmUP3d8)!fLQXeqnL!+X6iSC$-P3rJy(D6b;xpwK+ktrWM
z<D)0$Ky<=kO62TJ5_y2^t_7Pcv+MyJF~ih^RGr$+&g;1)_;|)6;-5=kVILZv6QV4w
zOuV+x4@J@7T50{;W66i|4ZepqkpAv~e%<e)kXxOP3R`Uuj{G>>!KH8l==B0H-}zzs
zYF^r<y=-;f2LL)<+F@Fe^)nkoZ)uqB;(rmpcg6RMZQJ8zx6>fTPoFp_G946Y9fW;W
zU>*nn$lC1N@ucEiCz>quh(#@}B}^8&ckj~2FmOUS?l1d@RAP?=zZja3Zh)D6*|4nL
z?l)Wx*u}lbevj#LYntn6`#jUt4?}Ws!S-H|z6J-XqyV?Jf4M)RVaa7hRSis50j1^m
zFhB&H1cxVkUBLoNB+oO(_OJ6{EAP}0uGXSuX__r+)igLa2s=za*Qmsp64JIx!<z^Z
z@SN38R1c8))5bCr7KAg_&I6r|!&GJp=i6xGkSjV6+~3)4?SiB#9Q1WiXo*&-|2|=@
z!h|dGkaK_uCKmgF3uP2u>{vCbnEia(7?UpFl8PzC=R6Kr8eKAKrB`fzAFVlM%A9Gt
zxdjW)L5L$PFg>Lc7N-yFHMS)RZUUWdSFg7k!#h*jCzco$R+4nR6C<?=)F|p4_@&%G
zOc%%EjF#B6yh9o*N-ECj@*C#hmwt@xeX94)yUMA@g1Ko8vBKI2=eCldCt76`SBu}L
z7W~ECj2^B<Y4c7Nsf?F{Y&~An9r1&$hTnGZkG{v-3QsG#E&4C!+qbZ<myk(#78d33
z+Z}5Nnd#T)_Pc5pw*DA<dvu3O`U;r?NniM;8eK(8TdqV;;tg`?Sy0ve?cBq<q~(*a
z&zN(qs^6}Kk5MgwSq8LAd%b;okxiN!4;iw?8Lsot;|rDdT>F+Hz1l<^aVhrTY@efH
z&Y<@ZcWgK{D(liM1#$YO|N1)v<LG5@Ys$1(SFuD~ckc#Wwv^$}b4EbalJVA;w1)Ll
z9RJ?rpe<u8kEAl$W+-ak!PBbz^rS49$>B+MBoUhpsXb~`$1v^O%|>AqoxG{+L{c)p
z{G4Fb3*@4r^4N`lW&82hIGijot34$Ng~T5mZ4K0<qv-s%5{m{yOuk^R<vKJXD@RRE
zG{KP<V4pc?<;%Y-Wy-nOuNgYV4J5Nls0<)ekjW;DaaazxDL~e1r|Fp9b$Ou82hc^z
z$ViRv22*t9BHRnd`OCklQD;eqTtNp&9<ORe;hGg5Ym^@NQi?cKEB?Esz5nMIG38#l
zMyBOE^)(*OHzAH+Go@;ljbFwLhb%5M+lnx1B$)p(>E3AcNkUd}Ev}1*%tHl9xrC!W
zO|Hfg52n7uUHsh~)3!aFza7<vqe-P9SL7m3e>~(GVto`)g<U#t$LR}Qzh$xcS@4hb
zOdn-lY$~g+szl0MD7{|7mY(NrdwDQblOFl+1_x6_MZLsT+N62heFEeL^pEdrIOemb
z3M}E7uk-R|&7Mx{`K9LpI00V`-61>qb+wF}OTB)Q)^TiKqil-JkeNkluer~Rjt-ny
z%78a{ald^B(@R|}GjcZ6=5}uHfVy*!$|WBY*Bz1Yd3MA7VW)_U8A$^8`yZm%cKN_f
zp8~WG1|nQ5$rOh2oG4%c!XuQLxE6{St>buu*Bm@pTi(m(o#HkR@*Ir~WqcyK+fa(k
z*>ObDXUJ7=AaN}BvJ-;<DuI{58s8lTkrZ<t`-Uv#u_d3u#sPQukF1Vc9`T>Y{`vyF
zSd6oFKF70U6=8=aJ`xT)fVU!|?SE5fy!U^jG*2x~<xVtNY|31Wrm+^!314`@0ruQn
z@lxLdoE%m{2yK~R&jaaOaAWneSKULFv(Ri!?>P};u3WW{88jY~cKD(@B&`?Hv1ldW
zPCr$O`J$s4Y-r&ge&B;t$K&h>0=FJ5){wo5)iR8U_#t<*@p!m?WE1f>G9&`Pri}c}
z4BryGyPNXln^vV@|A<NjWMU9bK}C?WEIT#1&;g`a6_~a3yfjBkW%B5eOgb;p`<v+g
zA4$Xwq`DRP56&libOgUASOU^p#ScB-;abQT<337%74|q2x1^EFO`SMv?Wn%skw%+N
zQR3@IcdVw#{K0??Ip<|<io4RGqs_<JKhF(G%vTt?^Xy!#j59Pp{GXP`3%0GTqAQOb
z$A_WZ<15S@q_pA;M_J++HPl4h`*x+8WR3qKYh4*NM;28UXP?0>m?Y_f^<Xrmy6%@;
z#b|%bd|djy9<cAQ_?KvH6}&i7q$=2w`82S>;;><2lq>ZnMnco$sx7_D&2he5cMEuW
zM}_C>Uj57Ye!6FsK{U<x?skECxs#g3s0(tlPv3FM5LoiemDNChgC2yY_TC05x>aQj
z>so8ZSd(e6hAK(+)(Or>;@K)n55p8t?q_iH7}30%5=pOhJN1?N1n)+Z_1_BGRF2E>
z(BW&kUT`Ni1|z6hmGyrm?jNIXw;Rffic~3c%Lh0)0CQnKL_ynqp0Hg0yfcq_YPvE9
zbu(Nqu@EaUU|mdt2q)m}<<(3a#Lna6ks1M_zj4)VK}~o{=+ZzR=0;AhP-zAUY8zTY
z@UOP{oRK^d5>awUh~;-ktYe`^51OzrngnK~$_l*vQ~grpxtsfuz)Er_%g28i;cn$c
zH9&^mtW!W|(iKW2&Vn()E8#{=)zNQfqq~;!#V`JWr2~2vo^bQ`jw1z1HhfQwGe5t7
zXF9W2qA$p=dAj%it@0}bT{*GF#%4c8!&NLFtNQY_&awR$Z36fWit$pf6>x((AK6%6
z&;dj35UBZ}nN@jAXQU-slKXBp|KZz~?TglhD3$;Da%7Ytww7OJGwo^M^S}$QT)Pt<
zIF-9p-4JGE->3t*@0PCdWFbA0OVl{qk!RFdTLUa6&lZ;y1)$Cm$8qGawZ8vi<kv(N
z-3EwLrlp<k%^9@OK!@x#u})+JmPb`0ZSplW!|ZP;?^gRfZ-7&e!JSB_RHa>Of_DHa
zC+yuQ((kfy4cas}y-o`|Sxh+oVWL^^Uvl?#0>znz1R<J==jV2Yj8m+84%~S|HcnJO
z-?9@QS(mQe{K{h+;9hxNAUir99~^5A^=8gr+@o<JTU(e_XD@S}b%19XYk(hdt7tv3
zR4$d?RSxMwcVD_lKxDB1jL%S8DwWQZ8aS?pnT<Dv&5#pOd|BqP2vyqL2{R6Msu@Rf
zuqx4_kxRzpN_LMfPdxoMw^(>`HeXf}gn~ZN&f*{(JkaeFP_8pNE}O6*8P}jvp(7?8
z9a<b{jFVKS4Wm^jU@6#V;d?P*m`K|D$UpgmW_A><`iZ@ZC^n#2CEMWvi5lQB9Up+s
z#=)vi({S_MH`#+hZ}r98GRYcO8#%Q{cc1ha^mY60Syh?h!bUp$b7v~NnmyP3g=@`;
zE;G1=@dgy+PFee*8!1J6So}38ycs*FIso?8EGR~mA+p9zydBxTn(kbsBZvNM2nR{G
z`8p>6SJd?^3T(o6ON7l1^Y{!seJEne)M@iG*mtQWc1UMhu7h|*nuL&ME(BZ6#EpBV
z^JeqV=uRgr=4Z5sY|aMwnG!j^RulWrzCx~3X^><Ia_;pvb8;mxtaT&es9{n)s?7Vd
zOYahtM5gV`Er%@waRZJyBwP;ixOjuFVks&`KDOYj*VF48+MK9FX-6n1K7AhXA<cs1
zCs<_m;w6I0)}>MaF66ZP@j3bNd8s3^{XNUi!T%1wF2WOgZ&@_u%>Yy~)^dJ5#}g@v
z{)TOb{^0xmF6(>+(b==~u3m_$*XfrX?5&uQvG+?WG7^<D^%M+_IkRj_-`#uY5)Bz!
ztJ=DDNgrOr{h%6p`Gz#_k&>nR^Df)|mYP(aokg9@I40BlYV6DLu{ut+am^iMYJn-A
zR~Ew4G8UZqL7u4~2cRdVxQWtXr6Fmu9%@*4w{pq&&tBSqniCVk2&lAYuRJiHGQn4-
zGu2F43hx`Ceeu8VMdj{*`Fv(<NbL)QF3#v$j-tNCYIm8WE6z5$!W_8I`@z`G&3g9D
zLU10NKQml7{h=%*>%Tll`?U2jZ`GSZ7CJ1VBe*x@z$KZoWrA?#QWEl3<NJa^R#Ix?
z>RBroW$SwLZl-yI^~{OFkkpL4L?aC#V3XaA)QjAEq1)X@O6myr)N0#<m8ln70s;Qy
zp-9kiWx1u!`?Y1rqSft@x+wwId3jwVvC>4J)S^~}w4pQWfqszv&9Sq3GMI~I(Uf8L
z0bS!eiUNG)^Y(UC(apHtE`3=cXY$9w>)6co_LV><H;b8cu*<Jp5-LkQJx)t{4xI$L
zb8TEliW>+^YFzdq_qUvsr-FRKw0z^nFCV(F^~TeXv9Yu3iDlN+`|iWdgDy-KIMyu_
zb*+v);IuqgZTS}^BF)7iitCb|X!<1h?<>3S`#@JxL$EYJwgo})B)@G9dt77!BF#j=
z@D9t*zK9MCe+=bjYau{kNkI42omhl4n=lL@;;>t3HG<rh@S@*T>-qs?|GvO6qGqzr
zmWj1QXfhZv&$Jsv{dudwTYsAXj8R?QSKLw&LP3*71-c(dN`09SX$l>{@kEG7ZYR8R
z+%N*g{U9Q@??YB=3$|tb2zJIE6BAFxeki$O1uXL=Hj#BaZ?{wEhn?DA23rV?qvIYs
zJpb#~GVS>}|A%$Y-8rLCakom&88grSs^4r>!dX~I-~~!aG-Vz5YjR2PM`PyBvqU8b
z<PfxOKqqLU>Cm_bhe%gY8+RYi2X+7qSuHc-WNJE^1Vhzq{^?;fu*FmH2ttaaO=my8
zQ+IT)E3x#*qN%P&qo=6Y-;^p`I?p2eB)2Gnvt43=s1e>bug$UR%?wF6LY`Nnb&qF2
z&f+-Pj>j{Sz^lqm=E)9V=CV#$cUzRa?iCNVU|E`5`^~omC|VywOvGud9tg2y(|+k|
zteiG+5v@8>q6?Ht<9_Rsu@K95OJMDq@#Wv}PI?cE-_^~cmi89mf<==tX-dsJ8!2X+
zXye7#{)=W&LrbhVY=LbX_W__8a`yWno~LYm`);)RW#w9zGIkRHAb5hqW^zqP`zm|n
zlbb|`SMzvY=;BF)c`8CXblu^HFOevKfXK<e#vTqA-h4Mcb>cI!Jzi9T_hddrI)_cS
zOa5f%ZNtFba46#5cCJ0QNXkN{3Ye!}E)uHq5Ss<{<JQ;pkkK|neh4ZsDrerQJ8+pv
ztUYUa)lj(wAt5qkavxXh2P@CwR+f-=u1NnJjOEGwa|5jLUhjO1YWOaFtNpE~?e<n%
zdqO4PXI*@2UE<%wW<*!J8`9dfkH?|&$At#yV#v`y+8GQ1zAyS{q6+&w><-S?N)Vlc
zuQk$hL)7(?*+c1KNc*{&)*Ex&6P?kTs$=-4A?_KOJ_EnNqpg2-Ju~w`$4F`g?MK{q
zB*WHaNwb5Hl8ra(H9Sj+dFmI-&LxI$tb*AlB7cnH8ArxOVo*Z)N1sF-doBXoYhVRB
zJFqiQx^_2uA<)P{1MAgA-!{Vld9Z;bcA$paPNvt3AKM(jE~J{%N2~2`@NuUGk&B9F
ze83z#+{;r+FT6g(BV@I(ITr7d7;;i~B;9~G>1+Q<KGiYy=X5*8x|e{r*G}W%(~_U`
zp4+&o`=Oys6aH>@k+SK43knyFCeO2O-zbKEoGewrxT#4tWWnS-`xd7=L&&&~%WS8U
zvgsb16#eO{w*6fCALx!|_^5nwoKNJ8!3Q`*Rg3R*2h%)>KO#+JkbbU2bT9}xDio4(
zQdx^lqV1kL<s<dVYmeoqzhWqum8OzS^DMIB<HK8=kxK)DXDZ<kMF!iL-ixcIvd%3M
z${dabve>cpI6Hk7k+NCuy5jj!zZKNMgu;-;Zbb7qW~(k(+^#qXDucUgqzF&W5%L|W
z-7HlXL5E?_%-Xv#J<)?UXGeqPrgoG(^n>H@Tb7r8<7D-eqP}NqRE_XMpiw8E2z%Op
zwnKflo%WG2phPORo*Itzri^zN1qTr3Kp{sWq*d&@OR6C!kh{&c@SX4TNI6oNgKenh
z2agXQ1NWC@;5lEnjGUFPAsi5@748GNS~&8l8m1%GV9kOh3wsD5L@)2svuzlI;~m{I
z>@v_$e%O#(3XF4z`DC49fQlQ|=ec%lOF{M!A#e51kgA*f*tUo>(I52hVPYOMw8=eI
z^KIyWgUtb6DD&>iK0+6AH7c6smKvl(7Rc!YzZWC&iCQ*KRlzDPBnFq}H!R&2cgX}t
z$gmXkujJ+U(eHhT>W8No0a=*38rTGyI`{~tb=zWWWqgOj+jUcXz`gX>#({yrz<~kl
zdV-2x5NIb&&*_@jWJ-$xzL#nHxK$Vwn$ekGg98{!_-eiH(0@%u!t>o}P5x&LSr&^5
zn`dMK4)<T>x|3t)F&^^4ed&#ok$P6_>H%l{F|~T{QCuq53#0*&e^`zj$8}#{ueOOy
z0XajOf0D1uzk?&^%AF(cjJHO-Q}jFb%@fZK%^Ca6huo9a1t5@Sg>jK1u4m55$#SOL
z+K;z4fmA!JqRu~F^u`mfar$g@H*qJ+Q2Da@P;XzLYKqs60hn)<K7&7MV3<-DD?>=O
zk4c^JM8Da>ZZ_q}upq?KEGo);Wf&J~^m|USe$~%KY7&dJ_Jwc#EPfb%*O1{fAMw3y
ze=MzPei^pMMd;h$l?04&jEzeHJOCa|LxhO~W+Rj%<5udSnM5wQFL9iM$*5!BA%dmE
zje-rm!GKIi_`@9C<)`wFuGS)eO_UKohq;Z(vwLaTe_v}^8A0aB>C4#)ys#VK=*Z(~
zqe(X14Yz2GGM+$0m~x|5?%4h0&zcA;Lf)#ChCNL=(-`~<&^a`@2E8vvi;r4F3Sx{K
z*$h#TSt@-Qmr*9mfG4F1v!CJNOwKvEufV4Zx2ERC5TXjsOcq(<_c#lJKDr1SetAr*
zxdf&=+4#YuuM>lwZU<lIV217AKJ~galv-n)QK<?(voJJZ&tIMcv45kvHV^l!sWwf*
zNvAAQ^pcSeu3_?;WEi1F6_cHvi@5N4SrBAV3xN3GeMPSnqF*uJOWyoO(yj=456mXZ
zFsN}<s>Bv@TbxhXRZ)IYBC2`A=ir_g9x9|_6#ijHkY5zcO5Wb{i~r5j1M8$7sYvdv
zmdTT9%6#R@&&(Dlv`3EW=|v?Mx$3|Nn8qG$Z7r-v_b}zqk4jiT(p=w-OmyyPU%_c`
zE^;>Up8Zjl^6NlJAlxIoA$R4pzWCRHLVwD2+Q$HHUCSFp5&!E%z|u}VCQDB&_k@v-
z-;(m!8n>Dnp;Jv9_aJo3KiMacM1w6`+t5{}eWId0O~}%<cub=?ZM4);A7@=r#YCU*
z6!d;z)tpJe#EbRfp5mB-LY$;k_o|2MvwHL$KUX22t15ZY*xpW#9B`q#^X{|~+it!J
z7ptQ-%PY$VjNJP$Gz-g)cGMK8MBg?#<Gp`0oZvjvt$ex&j$35<2&xps*|ucY(1RC-
z8FQ{1@}FR9O5=hyUv~*!JFjkg((1mYn3?!86wYLJp%VFoj$8lb%Ymze(f*d?r`6<A
zJ9Ns%G&>0krQK^bYybnfEsW-`!qV-2>wV5yGUnmIFI}-|1&o<RWcC#J22X>oski5Z
zk~m3ov(dJ!FD?cuo$`rnR7LxQ)_$JcWJL+~6jM$4yaWt@lJvyrxx^9kzHEIj|JQ(1
zJ|2R6JR@_Oz54Iu*)QpY5m!8P0XCxSb@j>)8sEV~<|p<Aty-f{V3M;po%@U6hlH~X
z{5`S4B0*bj#ZN5qrU8pe6Fxm%#1$?0A9Jlfb~>ip=%1G@KK%{LKx3lZ29V3xJY8O>
z2kPFe2npA(P-&JAJpMT?&jn>MfeyLNl|LC-L@Gk_-9?HVN~aVRalOf1JQ+2i*9)w@
z6EZa1%)cbEFf_Rs85*6ytT~zSB=`&}+AF?C_7NAr5|;Y>woO${NDiJnX9~}re~D()
zD|(D(K!UGI-Zv|M$?+3jZG2_g0_FFF@MV4}Me|^fYn_FnMH!|;x&#b<zXV7ZC_*)c
zknLaSa;<<FmWge?b%_WOD=*!__(uk;bUN>sR>+91%N`0~deTEZn?=L9JwE=0pOu?;
zQ_BsAQOrKiXDGhlEXwp+9a-3!kJY@c_cA@_J5Rq3VyzCE(nErjqWkyd@AyeCiTrgj
z6l9emMc_KRMKea8>Zgum8k)|M@`7fW05(!p)KxgFxKq!~Rzu(Mz~h1_zP><Zl^4v&
zEidvB4rDrqHAE1y8&!Cej48hU10aQL<6Xd7oo%UFSUP2E`ntrPv1AP>ke=PIv!<-A
zi5y@hUT1hZx}fR2I!B{h|FYMrHE6cGT`zy#xQIp?h3&Q4)t*-ixNPX@Su(TE^r&ok
z)&#|x`_V&iK+ZaF{PFcPy}-+NODih?q89@w_LxaX_U5i@=j$WuNcb>^DVUu#7g2uc
z57iRM^}pn8`;5g<?<m~_cRGwS&Y{0RWFjSS;BmuOxKIDG9AE02zaEjzxaBTE9y8S<
zo0p@zp6_>lhy-Wk9=%@%N3ndo%AQsxj1~XEk_cix;GiL;XHngnW2mEk7sB!8`CkBF
zK%c(_`CX_kw=I0fX{rR??&K$Sbn<hzEF7m9&&b*5qE@@*W2vwY_byo*5d5o`)Kx@?
z92Z&>B}7FLII>~Gk>=_nzDeKCci-I!w<9z7T*PEfg5wYPaN1LRv>YE}d)f2Omg*h3
zBQFqT-|!s;LKLjR?{5h%jlA7ljn$h&6JZGcLl|G*EsV0WrNlPLVLJ@ZeD}Kb7*QF1
zk{&O6z2)(AdV=03(!FD2y}hHOcz>V{Y`ms75a?Z7=>m4{-o9$(mMtq+ZAUG+v5WD6
z4SD2NVl<X}rB#+2a<~~uQr@s+i!)n~E+0RmyL+70tZy<>37Z~!cS9}&u<4P*k3gNY
zD2*~mT0e0yiLC?J(&&H=LmF3~=zEB+iXY?LC)LccPltIGUm09$rAJD)YQJvW*b^~2
zI&__3{Q2Wo)5@+s{;s~9GTOJY(4xfl3k+VDLMSR!NT$O%LY?{Sr#ScNxP&qzJrd>|
z<pkau@^~`uxa{5=L%nISnmKFol;snrRLT>SHhNznTprMU>AB~AwK^GMGwRUh%Yi;Q
zMjfZzrz!Oja>}tX1CWwLPR?U<PI{j2@Zu+w@PO2d`Bnayb10O~Bm;w{pvwdc2Z8vw
zGh{CYA}PJir5j8aR^$C)f7<1V`2t?OS8eq~oUU}h;&&!2j-c0QH|msLb17F_BJ~L~
zRAn8|NsX+WN<u-3?X7G(SNqoec=Y3t^YX5)=GE-G9;hpob1uf+DqdIp;hD3RtlS%e
z#|>kT2J&vSo)H^Hcg${&dW`+fbRF-v<)*s+el%VQ==Fh0{OI4irgApwm(zq2w?P?T
zAaYLD%43$?LuWbGT>r_Dajius=*-&Dq3dZY{VF~ZhyTB7$z46Zfnb0cLIWJ83~$b9
zN$?l$Gh;$_?la>B7~1*ewqY>iHM4u`a7L|D32K9;-c#2YHAJOVXZyD-8wBS<0#1hm
z6u)0b#v}0m*R6YV_4}@(3;w?^;j4j6Yh)QpxK?K5cw<Clxo+e!Zw>O39g!B5YO_6f
zX0X&;b<uc_#@H!z7&P6Z7hg5rud!%_4vVHA-|({^oM!adY(C>@Zy!F#9JJYj=5uJf
z9A$HSv~T$+P8=6CFKy<OBkP<~jv(x8O>5H%T6<^L@P2&5BUpQpGw*WcofkF#%+FEu
z0PN*dr(iN#!N)Om+q90NE%v;sKufVwCKW1n&o91<Jx6|tZ;0UyUGe7Us))4oV4z<Z
zb#V?iu@?7HnZ+lGSX;|&?uPy;^3&D$t_W`b@d+d!j!^0)%C#<LkzJST-mx3IBkr0_
zbd4waYh|^<R@NsnD+WN%u4KAu+F;7A&lo)ugRjRdo>FqXCgF8E0lzBXw_ezRY$%A9
zbNtkW+1sP6%;}7WGG-|9%7X~wfslCx4oe|LJY0>4sOiN0{MBEoEguq#HifF#5X6#q
za8yi`W6@F~oygcyct5l>etU19)xBw1YB(oW2K%f1na`LF2s67O4D|HKS}7{bo*=PH
zg)gQKe_?c^E7Kc@l#G6(*O9JuXWU_f+g!o>Hy)Q9%!m$sQl}g4st%j9Nh56qBH1pC
zMj@_ANG0oe$zEtLE%I`IV#H4vl5k-<1+yMzVU++Sj<+G5tl%hqZfJ>^sCe92o6sn$
z1<<-|QJXCR9uaB0f6Kafe_FJfdoFHfBNi7(vj@$_flB`%KL>w5?gqM0Yo;WR_uy|Q
zd(2x4JR(`ke&L!xWS%CVQqOEEN>ro>WnT*QrCrWc%^w3XNyxiGPfkpmonr6)$21n7
zBMN$<BhyGF1~X1?w(9IOXv;N&E@`yAW(vE_Mb@{hpqm~RPD2iq;BDuC%TkaS2lKNU
z6x>VOa9EQ6HD-(RcJyJo7&Mg26{|s~UTx7i9Ajh9WlaT=t_*kPi6Z37mzwXfJ<@*k
zH@qBZQbB`gCECPWuHCPWarPw2u;I9h!tAbu_emzebTkc~<ZaRH-gkH==*SSAouSQ2
z8*$delgPGawKkx!Zd%7uHxSzO5pE?y9{T!l|I)nP<S>}swn)zH70+rw9LrG7rFH2v
zuo~Z}_lVg>%#%oXeDQcJ+a2<EX+&+H__u62?Nw;pR;#~5q0jm}8K0@6*cr6A(>|j@
zr7~+xrdV1`1}r#~2!&$Na47MYm}oO$!Qpm!_<6-Z$YJ1fEAsHUJ}cK+2wZ9wrB~9{
z)h#i^yK}W6*m{CJ`Gy#e6#&ZHSB~0)6FqOe8qXGf&G<77ZNFF8%wo-0x$b6w3sFf*
zq0ZUwwa(&nTHq=-gieRqEQ)5cqxmsB-2571^98>_e@FWOo{^o@F6&qFB(9EOD`{1=
zIWg?o%M#6YtzM<;6itn^j+gm&g`y+~0Uti8`I+tkVrrG&qS10;2e)%*i5=WlBh=1;
zbi&6&!cPJ0<Z0YWsj=aYl1#CG{G7ex+j}Uzn%{X~|5tAvJ&w1-esmX<VMIng1|eDw
zrxLA#qtb_I@4PVTYiKlrO4*?{;r*F7zM*-JK}!mP(86^Z_&>~cS%<k~C*P-dsySn;
z*;q*}OdUVXGt6ULncz}$IbmnISVd$zTSd9?xr?d%P%SGJwqj^h6uW}mg@!X?iHY#r
z91|&L<s5;2XLP)ma)rb7Yw5SlcYvoA<z&8-%I3IA^D#U+pv;LJqdA;dQYq{;#)`3c
zffp-tB5BP#{kQF+mjbo4)0wUXTK9B5pH3GFc)yrwB$I<#ha)?fOg1uNWw_csG}K)k
zmg3uEjMqcCbex^y{Aw)B_EG|A)KW8~Y8$yxYUBqr8TlAX3E-JUfR>yQ?X|WswpxNg
zq~c@4tJhJoDOSp3EXHqvA|Q>gR?Fb-7v(XQj&~T3a2nN-G|nmcctVhpYj;K(Hcvh=
z#LRcVQ#$H79dTE?r;Z4$Z%&kFMmww!EJgRwQYQ>~)i~$^*T>_0u*2u{Ssa^J!R}iz
z8EkgF7<<HQYSe0jvYbNy3HX^%jO+d;xKuK~sCYyqnxbowiH{+iPt`)a%dOL?EE;>(
zOu3|INYz7xK>RH>PVL8PfS*DA3y&EsF+<mm?5z!yToH)!;eL)`#f;AG*=ChUJ-Jjj
zM~9t$N5SLu=e*{y$K2NysoDaTkm&K~Y;J=&;x!N9{Vr?DY;#*hQL8dJ{PuXa!;mx>
zTt=-)*Qrt&?Ey!&Mri|L038t$$j)(JfWs7=gF5J)cPWK@gaYqc;rIabsX;8QvDqZ2
zng_Zv#j>WlX;aB=(i_5ff1~_Zk!;;seypL%E7feh2xvD*z72fd;N`c?y>r^}vT2!m
zUZxT5MrIl#q-asE&6l2QOLz4YV2H7$#0KT;8s0zN^X=E-8IU8*uR%ZO_DV05-+|)1
z{B}ovE8hXh+e}TxnjC)RiVGTj0Y#v1-~!4J&+Od!3>$2Krttoc0Mm{pJ_<~^Rv<zp
z4cR0gdQP9(%H$=}2_+-mvw0|MRX7SgWrxC^sc&4Cu@ifS;`02~t<Te|`L&0(ZF@+z
z%hG_88Lj3xwR@?_bk^};QyLbmO2?<UjI!B=A=Su-DFafrj5Us!T9h!;oN>}vDxmPh
zMo!!_mWe1rDSX4@ca2mkBM*FLyjB}$_$YA=@Nv%OJMK{`<D)!Ghnh}ax{*IgqSr=S
zgCE8}h-aB@20ScU^m?s3+M(V*I0(k90?gX#z{Qq6tW=d%QJ)<Te%6t9IrHLYn+GdH
zj7D~<7y?fJ6<e-GCvstN-v0Qlzj*8*z9IDQ<?z3iCAs4Ocu`?D5}8j`2X~aCU*+*U
zb3?RWQ*OYLzCSl$3mP+lbgo**H@qC0>IoJ@rl=!n^=6`}diWh_zK9m_P5eD3_LFFV
z)qN#oQpk?lSlU2ZtB69PqArhX$5)TvHh%r}c=EdIkkk+L0Pi;0|BE0b;R@L=hOAgm
zGvev{(QnWb_;zGw`Lx`}NYa_qT{XYJ?SS3ElHs%iO1;t2skdkxy3lXZ-I>Auc*)b*
zp~`d^X&p46Z+9~uh@#~SOCPFJBQ~1R&Ae*P2P#MnNb9+5i%<aRWK+u3(y+U0vsl89
zTh1Vf2-B_~h^6f2a|Y{bqgqfKHGTbOS?sB}LGKc@dfnf$5wRG-o<|)q2mF7u`Kw4l
zjAT<*W3VWuOhzlU7rgl6xLdddo`NWadXc1|DnKkj?U-rcKnA`~(80OKO?6D}C~1Iu
z;xMIgO%y)dqB<vcYUIPLDsuF!<i*WXk8N5>xbI&CcY@IWI_^(Ic4bfaaNGkIC!5X>
z!<`@(;9i08){R0;tG04oLnB8C*YH?+%+Hpu!D(7+aD2&M4jj`q+fa)DU&O0HiXSQD
zU=EV1rsHd1pGz=S5FU-<{oZW13m7EV!_eAvT%wV2mWrihFPgFancf!Sl6Ka{5zf=_
zfOyzWO8EI>nx<`zgijjGo~EeO7MT!mN)rO09#xczIWq!l5(8<`W(_pI1``5R8=nwp
zP`tzFeLM<y2T+#dJv$&Q!#jwKZJsYs4|o^3hlR*D{)%!)P3bu?%b*&-^He;WYE~7V
z^fla~SQ0Zi;>dDsubdQArIr1*sNI&NRe9fP&KL}(xISxfZk&oirQ-hP3xiYNvD^NS
z*;p@^>$2W=p0I<jZIQOMt!jfAQCZezl7Aj~4RS#}WiJM*NbBG}+ty4h;7VZQcf7yl
zQ*fm9Ao<pk9`pt|mEl4A7hju$fg^Pf>B;A%Jbl2^C(ZM}wK6~5PSTf3A)b$PE}HKM
z&qq)SKZzscNy%=3oHp4Tw3GYNAKPwu)Rl|aU{1l+x`)!~5M204OQ_)U7s3`xxZw8{
zLY90!63gdfkvuEcjdp?VlLPMWLdp3NeP2dlC_VtiOQDdmtwRFYYzW-NZuzt`wydE}
zP<~0&<k<HHLRI03?2y@NH4kOSii5sBaV$G*w%N?X*)g%tH&i&=nF(60!Hm<HrT6Tv
z+_2aeiPXiB+(gW3naGWZ^+=>o9L|kft#Q#BE&2VWsI_&M_68roFOq*nIkbPy-b&*!
zcE@Ys@0c55nEL?O<w*W*(?b00X>eBJ`QYp~{w?1-&-aVwBtMg`wq5jjg&b0E#yC(g
zr-Gjrw*=$C75Sc8s<EVzS~b#N9QDA~o>ab@C9It~>m+5y*XvF66p~$uaCWdXy1Da|
zlay&+$>XnPqxndvFy1}2t@9Lw*_p&|kn5q5w$9nJVq9>~idyo7<|;>K)-E<Hk4hv(
z&<t^_Jj^2NO1?hSL2n_wh|h~b?LzkMN=+f0JPILjJf*R8_cC`8-08Y|jUD$NAVScO
zU1jf%UW3O_RRjlu>9L|a6D)}S;cBoR>@j$ZT@wMtq@<gPZ13z|<U^;=iO;xD-RS&`
zN<R5a_`YO08Xz~4V>DWMog6$uk;r#dySYm3;io9kYyS3XdVTM~2Oqrgp$#jIK9j=i
zGp=0s@TVSn=%M?H!v#F_L})Y;84W$r{CZ)yc;D<g*wLyvG3XYqgTS?tPVN>dS>Q&F
zr-kEbrFfbbz|s7@2XFmc8+K3J_7KKJyh29p`C@arwWsi3fN#3cxpN}QER2@{X=JxW
zC66*`hPy*P-NVdz#=v++%9-Xf2pN8oUqRkYMp-Fd?dr!hcxVW-!e50{HoF&#v*KV4
z=2rBlI)>^P*M~aNgKJB<mF|+g92{A#Z#J74|M(sKibkyFE``?VLPJ~Y8AXSsLu1lp
zmG$kz;asTT4xPBM1O`T@wWGLxXEc({mZ&TonEo052DuTbn8y%1NrkE8Qj}JW91YOU
z4QelM2_LUvlo~kmLdElLPor#7?A7+08ojlli*pbGKG3~1UCj=ONn6extlFZ!sRZsG
z-K58>^qZQyb}M83>tHFqKc+fu7YRG676)lQPCS;XJ1p!1j4adl<L{DtPy&?zTNh1{
z_edc2WPqnmc#>Ko_<hL`3-MT1+!CW5xhBV_ks?M=M_7ZfRgCM5qNkA3I5&>FRN57*
z9chC_>$ZwPyIxT5z1ppG#QRRrs2iQDR{T?4(R1={t$I+|;fNMogM<H;U)JrXy6XVQ
z=AVLW?m#A>>-}g}^pZ9n3(|yOTS9~;MA{N!G$95F^TWvTgl?M9EhR+cs8JRkmxfO0
zbfXAg$80_2`4a>t2g+a?pvNIv^H{LK4cf96Pw?P*-PCCAE`ugitMGl=g4C==j2jxg
zy5ALOXbdm7UEP)LOLShJK5pt8J$;)lu2briHj^%HaHdQptGz#15sSf96&;zvxT&!y
zh>nov`(t||_*?FMNB?+|pgnhg{EjoO`K)8lNmy~}dD@6A?=&`5ibx=vDhVf|HhEt~
zXQSESvli~R3FPE*BvFw1VHPeGTp1oUB>{ImzsKQjfXm6pKB?DMT05KZ0G398V+{oC
z*UVUO`gl;GQLY>4P^xE*2TJ9W4|FOH+}Iislv$<GXUr<CQES_vV2xNx0dGmgM+NFn
zgYYlOUS?BAPzn{$BP}|ZX|>JBxWGPe$^$wkSAiH@ao6)GnmmRO?<;1w+u6iQkn09I
zQ|mN~5T_jB(aoLww1phplW@7<(s8|jQqs#u86TAqVkKd%!0IV=a%WdX<l(p2MO{N^
z9tb#Or@yb&6>9&a&}M(K41U&a-Z(r3KkL?QyFt-SrY>J$?<Ey*5fdMM@4dLPKc+ki
zKk5F=d+)u6Q--kH5wBy(hU^4-{fdo09uz`*KEfCz>7iaGL6mX?@DQXp7(GIK_jO2)
zm#Kg^kxx2?T4xcmRX(b<Qg$#18EiM(sX50cA0lg)EV(qhtS_o;G{EI%c_#g$X4yzE
zII>**BK}N8`G_SknCr<7XY79><7d=M&EM6T?WSO7haZLd04K2aziYwPpX-EeLV9Us
zp0^y~Q)g!0!nEzFO%dcNdKUdpYVi*Eivu7BWj_Qb=M&oA&bBD<KFAq`oVu15YXL{B
z6%e+fS^#PY6)T<Gf!}nb7U;hO`|EFnjKZimTcPc&8ULD`98Rq84MwIS!@kK_eK@{3
zRZAumdSh27zQFByu$j1S&z^7KLR^7k&BGsjfTPXBndT30q4|Rb{Drpp7;E#ppv5w%
zfL6CCl%)j8wz`9f5hTle>>-1EIJiV4D}Q(JSx+CgaHD+YMqcu61(8$FvUK@b3u-WU
zj!doh<om!fcPS1Wm{_^8PbD~d?e2opmGs(UUQ^{<yz8tJwxvc2E~jH{xHLMNRW{dV
zM1S4oz1v~61T(J2_-9Kcq>y>p4^+;fGP?XDXoc`cF3aST&l$hswmxs*T1pD;M*4TI
zxrlt5N}2a{%!%bY+~RME$6NZZ7pp0+W0}`Qsxm|9SV%83o(Ha9evW-|5M$h!u${Xi
z{aN#P<qnKrd=cZ%2Tu<^fiI0J>oLV8wc(V;)S=d^Qe(r=1qQ>uPjr|xb(Q|Q<&s`m
zfbsR)FutbHnRDXe8yAU)#5}3k-M~+Ox62WdeB92_a_c5sXg_Bo$?KkidMoEDIlQf9
zk6ANScd$@c*%R>BR+jqH6Yi2&38w}#j`b^iCBrGt_$E_lovbRayI^YKymeigQ%+K3
z19?v<Hg;nF<)3mGKRe$1gFmV~8OgCP-i7h5KBK4lX|?=|jCY;9r}Ox5@;a7ZmR4ro
zxAnYcG-r-W>O9v|yV_4lrej?L^V|HrRjkRW*4lo4GB&Q?)u~xImNvz0Ul@Ph87!n@
z6?ewBv?tccIn9QhpR{G|N1Fd?wAQ-P<Gxtvc-{KtuCz6yv;|=hv=@WXV!)jb<{ZhM
zh_7TTS%T)GHS0}O5}xi*j?Ia19qac@cU?ax>Wy*1lSBnsGg9!U|FLF!V0>tJ?CR3$
z-e912b-9|Jbd@X_udnDR`lj-D_?#Q`q|<cW(chk=EUmj}$;A2Vs+tpb2-!fv84!;C
zr!wNp#tW*GSzAxB*zMHb+chT^Bd?8ohy{<u$j=y*mY$Sw5x8``#XGpHS8_X#$b9Yw
z+WDA_roC5c;5^P?>Xr!AlN!_-NlZ;ntyTVZ`~mH8Ba`^@Px<2Nu@U8(;V&Qm+y|q5
z{aIxmHp?2jBBf;;jm-}}Xz}YG@DHF4VRX_*vRReT5&{p{i8;0!+E4kjfwzv4_dyHi
zP^&cOU{-?!qF2RUv#Z(F5ZJC9HeGuDHuzchF#LqZd!kq|q3$|<pAMUgUB#(lwe-#V
zHgs*6+ECs2uh@|qNNDT^OVBlVe8V>rd*eG$7ZIJlkc>HYT@JU^#ng%gr{}z7<h8T#
z+F5z+9L)aab>asZx9au1kHgPX_~5~h!OtsWU1L*ly)`uS@Oanw)Ogp}?`fZqan=B5
z^v;QavheuO$(Pg=E$yzQy+Gk+$`jvvY672na2nx*_{UjAu^A^TO3Zeo<I!VKmK#OT
zu8-8(c0L<%1)ZsKLVdZ`h?yllb6SIv-T8UHaM3X=%(ZYn?wDty^D+fe-kZXPnM(@C
z)kER>arxAnZw9AUt(poxno$m96}WE8j1`I#ImbZpQ9L?2GTy`5dU`X&$M}C>R|?39
z<{>WaqgCSyehi=1)4W|r9zVK?#bj=MM^vgWFZ53LY6=c&uS$EV;QnQNE_@1mtMDPX
z!xPP;xQ>?1Jbx0*w`&=?b56Wq^W3OF=J_O^FC}<Fl_peqcqG}x55rSl4u9j254}mk
zljJnhM^$^c55YYT_X%o71094#b}!>a(v^#(e~Zy`YR;Z#{O@xU?w*stS^#&>+Z)|{
zZC+AkUJ7lOA&8mwZ>(KLr+?4eWh-l!34AZyTY27}lV^hE8N-y`ynV?BEYG;yzWX?w
zgKcpBGzZQQ%QKE&<atuSCkmEl3}K$<Jf7!`HaLG<5YFT*IGP3FOv-Q~JWo5$XV1x#
zhCCsbXF|?%Ezk4QHhlhb4n9j+o+<o9TUnUpnVeJB6n^<b>$QZ}OUm=-1<P8>^GIbW
z=hlnod1GFl$wl)7<a#Zc{x_ayfaiI(4WIwFAU?~adLbnmgnkV)WFB;Owj=m7^bxyo
zdwgr@Fvle8u{6}ALGH0i7UDO_opVhE_=*ck-b-6M|8eVKv8V$NOZ`v^5U`is{=Q(B
zbF{(-H2>0injfKn(^)Y`?w#Gv&n)KLZu~uxMOx(JXIEmV+T5VsR7;r&)&2jy^wRK4
zFYSJ<@f!T6FmMKc5ARuUttpJ3#F<8e@A=*f@z(4}%htCPd=GCeL6>uCB3;8dK704w
z*}FeYe}8&!?*997_urqp@BZ8ah~@=ccLJ^zE~7(;u2B&#Mjh~Ef~UFVx5pA{7np$8
z{}qElQ49n`ey4c8<#&pHzv%Si-K{5y*S?JD&~r6XD=tKrV=GGwqgSBbZ<Dy{9nelx
z@cVX7)BS)a9cS%OPl2xzs_C6+d^y||vm3EJfbsX5Yw?pmy5^c6?SFja@yV5CMR_Hf
z2ZMi`k!YsoTH_$@D&Q`qJxo8xPwtn#o_u@+N$a$Tf3HVwG%u7LKkT&)6(tZ$Lg$Cq
zUi(9Ozw550cTFzIDzZy{-e`PenC+-x$^aA`ev$&@&?fI%+Wans$YFB+Gol_eZ`x#W
zmXs#N^t{9w<^+46Gw5IOlUF_4`07_1&t64K!>Av7VXf{yz~4P@T$lHNdvL`nc_;PX
zx#Z5N;gX^}4Bvgcx%Zi?uYQKN%`o7+mYsmj5ajdU8icuEuy9S<!1X9i%N>rNATWpl
zVH(V!R-v{VTp{(q@?AG<{SEG1-p?MIe_1|!RpZXaRqPilH;OU-4!#A6C<8nJ^kJH=
zlGz$O#zC9LYv$o5a5zue%*B>*xY}Px#qEx`Iqw+>wmoC)4!V88P%+K!;bMyMdKBFO
zWjBG>k1$?8BJ=ug*7uc2-zGnbr5MCM44Ltb&D-#kASs$O!fO)ULVkm%nRYdd)<XU&
zB7DWbPuoWpuX*;AgtQKLqI~b?yE~omcf_7D@GS7?sRG-_1f|l=AqFARwqOklQ$kBk
zjkU!)P|id_^kdRDv^}TLhci|1zfCz^nf{2sk`5UZmQ=A8j1A`8?)+eLcY4Gf9Eqo@
zHGGdN=`r+oXO_p(%WfI&HAVw=*!>X#KV7Fa5VJTlVVk=!6wgeQJZrk+nQ9@O?opWi
z2}fnHR_&=vGG)#53L@g)5EVI{^@SwNGyIm^!(xi8m=i<Iyy(e6DMleZBzf4piO1A_
z!b?ONh}!lScUPqa@;M$YviImuqa$TFw`p}HwaSNW(Q0t07!R&0oN#`8;>61EW@BhP
zv~<c6Na{SL$y{k|JroaV%pHT9dfeqoFmm9o4WB%@Hg?8I>F}lzy8O@9$WNr(q)=>5
zEG`R=jm6Kb<1s+zZxf^_o*XoFYQ>CGZ_;Z6-5H}>)u}dXQ%=26ul0A|r*0_LtgP+*
z_*Ff{bpsIvX%Mo0MK`?HO7KppH2oP;5~|3^_*5hNttka{qQ*~4s97rlcHKT{z4`*B
zMxhW?!gKxa?!X6wxq9<aQ_uwe$@?FiDa9E;h~&x5&~_uO^Uukp)aD=?B%i+N>+qk+
zUMMX&Cr$)dWit+O^0Cxx@!l%X<EZUc0e(6D{g?O)&8Oe~DZcoUE<AxJy5L0TA2h$G
zm}KxbPhUrt0DSd4S!U$N1X76fXl=MQ<M-A#zi<ip%h68q<k7X1*X+P+2gutfh|*}u
zoM^MwMOK9ob2EkYd1<DOze|y4lk!<r2244tW~R-^<Mzu_Qi8oTdxbj(w<`5+LrBcn
z9Et8g@6z4ds<A-E5^|4RRv!tuJW1V#^{{?gHTq51*te$3xpLXgr&mQL`aI@}m?VyO
z`aeEVNsUlx0eavc$gNP9GMfAd+8yA|r=DB8;`}_`sAP$!56?dH!-qp*=n4)|S_-Zh
zFb<Uma5W(<78@}95#PM@V>@fLogZ7e<YPN~j=ri;3aN93$1X}&%Lkg@#a~c$rq5~&
zpPd$zx~{F4O-x+2wTs?0iZ7@-l!Y#EubRSJRA10_X3JeUrB?NVO40+|)Bj0EiJFbM
zGbgtLez*(MbIU^_&NTl6o70Ez=bK9o8F7aKcjR9lqk2$!`nP157~$LSg3)acvw*gI
zE2Yw`PT&f(of%tS&Qma*g_m9U^M}&d)O;^}sJVpUlK^~HaeSn{OeA~~G{|Y9hV6JT
zbEvr#zjP>rO-71IzWG-u<fGxEn!yLx=sDpv5#vhpuM|$9`4<<f=u6F|htkdeU@&vj
zuM2C)@43$u<~k*1{G1T$7h)g$lSD_?^fSV#<S5Tacs^wZf#U-=!<53KtLd-i7Dz{-
z=@%g~+uzuJ`uYN1QGTh$bG@SGxE|GJ{~ZcicgJ}nBj??*Zr$zle*3!deJAwwov?3w
z{HhcC`cAxRyt;idou1rYtsFlA8^n)a)_ca?C+__88TI-ZpWb=m-DmXn6t`cyVZ$}s
zOQr4CY}jz^_TmZg@e}*&CyvMAULQDdJjQe?nI=l0w20c*<pubwhDSfFh0N+$$Q;Uz
zkYDy39U`AQx}l%^ThCG7NR~XoXjTC@%YkOfSu_*7fKBWbe1igC-%o_v2ZsnEZFx0F
zKU1chKNiB$Cr78q#^yWx!#;8qYr{98ZGH*g+IbstU6;pk5X}Gp=h!FRf~$FvqIn^!
zr~I7;RTlUX*hzj;%TJm)aBCeLbT8R=bYBbp2{?;0j0Vp@y?)PW0Hrb-z-JNMB`jxI
z$?wSrhlCnof93gQIv^h1zx9nWgj=6|;pk^^w)Jt}(T{OHeG}S_(}Je(8e!fouo-}0
z$ilw*<p;lIM3vf|f6M7H|7)O!{G^tjG;?69J6hm-kM1M;<T6fZzSDf0m9rGi*?WiF
zPx)&>pK_VaAeE19?F_ecfUN8~`VO%l{g+O1QRV2Z0~u1~aD|xQK^ElaaOWIM;6Q{s
zj#*{hKSn*?`1lRL>C%r9ih?&$r8cYacF#nnCpKVH1ow<I6U07tcC>lN0RF&T19!JX
z*X|Y94aNKR4xaVn6OMkH*mwN$<5vJqkpXWxo;!N)06(wzU&(HA5U@a^T$%vmnV`PI
zzogic9u*ayl{?R>ch}E3agEou_NMXp;I*ThpL^s$U%7U}!(Zfa<9*Y=!$-(VD9+ke
z!?{(<-FRn(Uo%(yg0ziC%|l$#h$$aW^^57gh%KZpD>O!@HJo*K+O-jla=0JD5j*2?
zF&(n1mBiI)G+On}e4*k^jEj0_%2QlxZSF}8rtOr@J=1@I`RV&uypyguaflZhFQq1A
zs~6nF6KPN+wsOoYCGjVZJhJSOM-qz0@Nh#hI6T~m*Wq=|gUy5ES6}~$Yp(gk^-@e&
z{0jOac@8ON$!cp&G~zXm<BVba>U((WZCp3Tui(=lZ(Pl6UikeigE0g!9^)`1&So&w
z1zdZqJ8V1-zlv|$ia89aJffm7Sd83*=w<Q+8bg=858|iME97N(|CprHkqEkj{2of%
ziPj4VmS%*s>sZ=SbR19HM+Weupog>oHuAZse}uIASXx+4yMXjS{OVspTC6Rt0crmX
zX?2#ybVXuE+sM1^V;J92;Z;qji2e1~rEgVaGd7U}@NEj+z~R-%0BS<HDs}j5c%S|`
zyg$a?1N0p^ntwstroRa9n|kT{iDVdmnfw4?BxIbfB+Kw;$kUKkk<+e+vTl{ilGDy7
zb^HYRF{I_>w9k+<zLNY0q}AlKr=i~em%I;Yy>i;SWGNmeFF{&KPJ3zEkHJG3($--+
zPy5bv8DGTGHgNjrn11KQe_(#s5mZ2RGzr$@4zNQnM*GpH&}%IoUP)PYCF+oQxSuBU
zOTr_~BL34+up6F=>`5itpV!0FKX9vrARQAj|G@n$uIFcV`3nFM`oIXA@>>Z{Q|u`U
ze_scGPs4o++>3DE3HP0lzZ;%U<qiyI@D<+kxR1^yd}sPzI={Av?|6Iqti8<tOX-W0
zdxpVgGnj1F9J||XTK+yj??$`L#P3_Aba<EUTcmWWnco`*yWL>4Svrk2o6+E~Wu*5L
ztY(YNW-(jOw3#jNW44`Tv#=jq^G8<rBmBvVud<r077P4po@#{zNVeh^Z0rg0?UM8D
z1t3<)VQaoUAFlLejIJ-83w@(U&@ZsQq^BH1_%;>8y?r;5fxBvt(Qhs#;MOOcw7@sk
z_HWF07CuG3cz$gk{pJypM<Ic*`Oqt9ey5aCfQ-)3^$C)H!*~eteGBlp=@|I%PYmfB
z`^Z4*u^NT_Cg5}JG4SEvm}8$RkT0h9v2T6``0QZ#Xps~L2h(gdupct(CrR%i;~R+P
zJB9S1yQ#cF={e^dFnloI*QsD`N|;YX3bhJM+(y)QpSR|`$VG~a$fi$zGI;K}6y6!+
zWpt}Bu>d^lhr_#d&xSqGvlM5Mcg{W6y?r}{x0Vc}CqZ_3P;nu8Sr4}#YRQ+b4@(QW
zR(TRkn3)6<rabYW&n!Af4eOmTH+{1>_!}99`LAq5@Rg%>_N4HYqIO27Rpbrytgr+*
zP;sF)FfV|I?l2D?G<Px%(7?;Q$&k-tbqhU0caA+LHSkE@aCjWyprUsK?jwr6VOsX(
zWHY*&9N=w<3cSf--r#E7NjCTPLY~XW&(Jl3b1@#l{DW(-j{FQhpmMhb7skpId*?9V
zJ<aNTGO43`K=#{Fa3R`j4@;r3Oi)KNb**MQ{2GK(IoTJpl8Rt-$DBZ9qfjB%crU5D
zGu>W|HRiWi{4uM>3-MBDIVX{RbT4`5BbQU*<x~tpx-V|QW4OZ}a=AkG4m?K8@jlY;
z&eVMNgx75LChWc%ErphI7I_675SCJ(x`k-e!OPLj)CY5>iBzLDp{y!oG6hvxfC)14
ziak<rYa*pmL_-fZV(|9>{5ynkWIZ-~!%RJ}T#ufJ8BgJ8+U~P<;3;B?^pIB^v7#$d
zF^B<+tH@*Hfh<^xx?xP!&WfpOZj<PAbptN4)bFH^PCxtZo8(Q@D|8|4g8Tt^%?9EO
zg`9AaH)mEv2+(gCIzXQ0=QA&U_Oh_Z*~>c}Ua!OM^*#ZY9iGWDpWW_jzod8^yUAPV
zP9ew2NiK}-M=x|2E6n5h0$j9k@)o>GkNnQ)^JU<{)nNY{7Un_B+fGgU5!244__GEQ
z>~IFxD#w>v14+`Kgt^O%qMH<Qj(}*8;C>0M5_T^D*ZL9Qc8t(jSMsH}+Gb4%MUsjG
zTs@`H0g^^%k^hkQrRlh3p+XkU5eqLkR_gT%y;=>N?#ZNkdeUGng?!#n$m<J9ZE!!x
z@e_n|{>$*wwOX29wm`t<@cYTjrBu39N~cOuuiNdVmjwR-7<ax&-ltk$`%D8J$O0G!
zvr2A5y^`P9M|$iBy^p{J-+Y>U4SiQQgMAa7b9yYNX8Uo|(r`D3MfIuMdiGoh7kT^6
z;Ei^;5Fh&*=x(Z)qxiyOv9v9QZ-=4qC}IFJ#YVlzd89#yz2GO=xc4fIdn*=zWj!{m
z3>)#Hd&sNjy0>j}p9`>lNutP4{x-*E0@KTgU5Yw3km%dJcLP0ofrdLd4L$P60C(=u
zLzpk(3{6iysc+++lj|Eu&m-Q0cDMjW8EAScr|E)y?N|U$+0(P_Lb%A+ZVcXOhYRs>
zqX))~e?)d9a;(gU+dC});A1jO_zQIIY!8eNvA$%oH{L#KkRCQfv=16wj(;8G_!4AB
z(S<NJE>aj@UD(M4c%)6Fldm%w-je97jJHS?<;lMz6Kex)s|~_DbhVnZKB>er7N464
zN~2pO)$vHf7BqxKY_mBW49+vaV`Jpc$iQP*cSv?#USNRO-i4qe8L%!LSFQ~@NkgG`
z1RR+>sVFiwyGo+x4@enR$iE>Y$3@Bcp}QuBmj+b)=59ey8Qo5EIZnz!Zx&l^qGLQV
z$i{Xq-(YO-VlZErR>Rpu-$3d)bGl+gT320PKKtzQ`%{G}$omB3T`uQkvq(Iz9rD^M
z%g-*C&wh65Yf}_1=(p?1n*h;`=EduP$p$u+U}c3s5uYIg#}^nrf5p$CTgiT8n8Wi_
zvb01Z)~wU0hC20PvWA~a>BmiOgWnQ&`f~v*gYnho2dFmvD$=tVP(8=9eFojCqT~|o
zk|?b84-E7tL!o4|NxJg+F3{4v-mpaT2c~mqC#!RK4v(o@^`L!0k~1P-ir)G4$@1in
z3a6dcf}sW&4*(2%8{JyniPH~0-3ecP{if4SE6Cq`gZpM^=X@jiQLE%{d9m<4{C{=|
znrn)|SOqZl&hyPsL*|`df3{Enet2`bg1SM<gKdt`2ft@La@KSW9hklw(khVluPp7r
zv;v(qeF)NOkoIF%ug^^T(MrIP(ivtI`3^mH>;*sKNj)n@`$o-RJ{qwMSJ(d{sT6HC
zs}R>j!r2Uk^&A;QJIL=iEIrpK^i+ViqIu1V7oPwqs~J2psEz^<WlAC10b~m=>M6qU
z>RcSJidx1joXK|iB5{VB!{$(J9n}N_fZYE+ysu7|(Jp{zL0Y-4d<KxMFv$l_Ipfv5
zt1lS!S{xRKA^+V>IyGc<)_kI<PiajEF<4o2Ccv^YSjKi(RHJP73HK#ydb?ZKAB_4f
zI%|h$$iJP<*yABjhqD(z!px4=%wYZm=8YoLUz{^1MUAtFs!!GY%WJPme0?p@<<jY=
zkXoMg$9&db5(vv~&;Q{UC!BEe&A>mWOo!0j)87I9sRRG~lJV5Z({6On^cNv52Wda!
zX*NiE9@2&&?J!GQI~_((0*Ao76{H=JY?kSb=<4a4AuR=IO(`Gx3VIT+kn%OJU^pHE
zSunz7LHl_}8d(+yUHssZZZ;=E<p9WoW|Ikl2ongbu7S3?3bXoB1+Gi;x95-Cv~%Z8
zh(KNw<b56q{3I#GtP`kI@^=YvroHqJuit+Adk;O7Tqn_V)3gIUKK%^xp-Cny2s@QY
z^2SBq=dm<puaA~rv%vjz^>Eko9Bz1a7oa4jp0#3nshNT%2U@c~Ud+1_8lp+K^Tnb^
z6vd+G6y3jCIpGcl-4iQS{mFFPYK^Cp{Stl$Nd~PWZv$t<=F0WCXCOcVP`Ay)s}icn
z|49aJVfas9pzXMQPry88ZOQFycu%r&e+DvX3$)|hm@*;@>7=sFuz5Ba8zL5+LetsN
zX+2cT<@G+T*?>t&p+vaZN8+&G_IpUr=a9A1nogo^FRH4!#(Bz-efy4_;@o-U%rlRW
zc$&^_r~A6Pm@nG&d1N{Il(1a(7nUN6bRvap1rZ*K%Eb3~IJlyxUc@+2N7j_S$Rk7?
z<k2F?E6(%7KXqGaven(X)AG+CZ-I{aEu>}TSLf?KRHzs^GF%7Z$f#P#v=vS@W3k;*
z;t1q+be+AMBSqe7MX|W%;^>)Yv|c27oI)z-Zb8*X521}70+*BX=mF$NEJBZDZe;8N
z8adJIbp8M?Gdz=lLxwkkqSY$4U-R1|f?8#_*6ik&Z9P_7>@2OheqLMb37>!CG1`Kc
zU7g=2SfF|tiOvNGVFfRg#gK`|&hE-{B)-Iv5{`4989mx+g4VsQ9kg;g=n6B|xsFeX
z9g7u2+E?4&&*g2feP|@Lq}2{<TeJ_pVL0Syy+HZ9pdIcK;(VsQhNy3ala=k~JKCs9
zu7S%2&jR0NV&wZ{oP5uZFw0jh!Y9qdMF?~kNypt$zZb9+(rwSixh?o+qRVJCilTzw
zFPq<*GrZ)JX*fea6`#t}e+Uf|b39LXa!mTLHr7IBd8^O|3xx+|1ZMc@23~$~;aQLW
z79w)Lu3%kYUbjAw&mU+#&(L9t#ZV8RE;JK?!O#*Zhb7%W#Y|a&dpg><=cAh<!wlO<
zVzIV6ai?OZ|M;=vgLB$Sm|C*LyKURg7w>Pca=aR7UgRXs<cH_m+Vc_Qwzm;4f?)Kd
z(8-FELnqxZw+Bw{^ekKE*?GmhPRQmoE+c*DUj#Fo(Fh<KoKDNVfXOV)QNd7<=Dev8
z-s3xY>}20A#VH$0r;xtzwr$}l@sjX)4CYlZ5A!qO5(YE75Lc)Vw`_D?SALRds{q=y
zcZ9c3Z4Yl(T<$+1LSA-n+2S5o2Dc|D{0_kRnl_xZsN+L%PJrNQ;e0~m+#<)>9XKb-
zaLxhFALBR|KLXBj6i4mh*@d+5-t6Df!rSHF6l>A?2ZG2ntpr*CUrq`N)(DrWoh0qn
ziGj4La#06}wwSs;XmW>mmDCZX1y;aFibNweuT_WSHu;`#J+teoA6~zYh={6H+Y7Z;
zcPQRbAL!wAHbj(0lg&)hfJHna;czk3{}Vz4a0sB<BK0TmEV3e{U6xw7Tlt>(Kzn;G
zD0y3CxmFR1IKn=U!Dvuq+Ma<#n>K~VmnF*JpJ{U_;uUrW+|CC2{2$>7hTGVO)8~JR
zXp3$)k!Z>p_PLD~vyf|h1}bjc=pI=crvre~p-gm{EGDOe(NS9C5QdO|Tug&7BE`)4
z9~@01XHUDV&COoyP$o82cd`|aqG0sIU9PytC=}U>$78-Ll0RV+Shj@UYV{{<eANTW
z=IaqJFe@&*kXB74y#N>Hfp9zdDu_U3*X$LF_>QjArDckOst6&?RRucBB@A5<J@Z61
zu@$RSVtlFMzf*7PLiIkSx+%Lzz0XZv@rnOYy)m!5TyL&1iF4|mI=!oRfqMJSjQ(-)
zdas81#+XOFhkJ#3SiSiICD&FwJj7mzl6<zz5a*D>qp^D;DfPgZ*&Ed?Op?z<C0SA?
z$)wF^)15b;JTh&7_9%p^3;F1}4$nu_#Y6FX7eiDgm)L1>hhmy~!{iDp=aVhiCTXl5
zt9CBykm+-Pem4tYWJW3GZ`Q%Jqz-;?Beg_BaCgHMhi6JZACJ$Gn!m8NaF32vBNkFn
z<O_woqChN>>T`-ntR;5}ZO^1`4aBV)S0>}qSmOcfO>ruW>~@88=Y9Na@;b<)ry0%#
zJ|itJ_Wf_*8>vLBLSC7NA7x&!Mk+5XCW>A+`{Q<vC!Gd{iTlkraap8{v%A<DU;1GD
zj3PDk&CH^*o$vVI3ZcDCOx9-Od}3h7*p9$X1qtK=CLyj$rqfAPTrdT4q|do_t+TPj
z=nj}W9l@ZZ(;RRc`S|iOj4w~KF|Ow$$#9O4k!z`zSqQ~v@WDGm+oraKwkycUh%&EC
zXR~RzjYv{@d`VASBZfkvCf>vFU~AOEGCrp=v)5ZG%PB6C>9(Wbwek0GCwV1tQt1`8
z$W8c~_P5yg!G&av^6-2>mcXTnKVzLxkMAme5dg6@$pX4epql_KD7(Pvulkk-+QIvz
z#l*+@wyFLA2KY5g#ABYQE0(xzmCVvnGORE-f{s+0R1^uDLzxF_7s@*x$~&X2JmWFT
z<HFiJuRN&G@JxB<4=sz&Ew2ZRIVkUZQbsol38Y6c-bW<9QuBV|W9J`85!TH7&<Y<E
z8T<a+8QO)rh$q?y;dEm`r{$T&`f^zv4)}c}L5v2iL3zdOu54$ryMXo`yA9e`RCycB
zTUn*EQkQhvJWCYy39~11UV7;W8ICI*wuGWW(kUR0K}Q<_AztSB$8LxAGI=}9FB2M~
zt<1*;mnP<x>7WgPP+MDwye*ssN$dyU3LZX|HNBV>JzLSdagi1n)mWTN0q!H;n?wD(
zLP}^9BQ%cB9|%i(VIYp*+bE7gY%hHjcT4`1u*c+sw)6y!BJ}?Q@KkBf0001Z0Zhsz
zSVVCU1n}9n|GQ@=xVyV2B9hREI~8~LOr}SuWcr8pLZWBf2HEu6nE_BB=Ma3~3_uH_
zn4vA$*rpXlIHJwJO#qEJrGrSs18rjjPqc$H>8D+UWRdofD!X)8j^%`oAWh4@EkH<H
zXo08Qv;|-LX#MacZQ$w*^aCz{dtIdkS*Dk^5HZWNqTL+Q=HDiO1#?FSQ5I;WZCnJV
zX$K9#YT89gaGds07hI>qniD*uBWQ51zAZqCC$u2JOQkI&d6l$&xS2MH^LpPqs}3Ev
zaUeRMaX}r_YYwe-dV;nU5wfs0rqj@AnU;x2q(IVkHs6{2&pk}EXE;59L2@|d@lDb0
zY3Q$`Yu1@3#ZfV0>=W7V^6@e(EbHr(ZI`(8b%=e4Cfg<dwa&SJJRa|MJ7wTzRUNwV
z-y`0+yylrrHg4f|5q##U=`4THVH0cnQOOBZ;}c)SFtg33HF2VfN%7?P?4)|~$pQ8R
z^X<V7Q+0Cw(#GV1=TF{OnjsX$lXb{-@LN7og?f1ZNoU^LkXNd8i;23Y?%%mv-2W=*
zK*c3CoTFLV&cwGIR^Ln9dCqIgFTBHzb%qk*emM@211yp2u<<!Mo7A^quFR(8GsREg
z`qfJ2>)y`SU?vsRVU>3#3f0!t)+fBZ@k<+pj4m&^>aAySzWn4c;-Ok7%aLLM8)7Bn
zt#Pecw3ek~hA)nvv&oNnpp)w8`kYj9tqQRjR~MIxzs_js67pSakQd`Q<N3p}=2Cy;
zlVe@#5x*+uPpcPmesw&X9Z%=wx#nudr`7bVoR`%Uw+lX=zTs!(^lZe|Ng3_CKH8KR
zb#-0eI=fV?t^Ibwyb4jQskgOTxtd$!n~iBuir&V~rG#oovrvf6p>=X^!q!Ibe8bn6
z2i^b)BapvHReifMx;1Hy?BClMG$u(tr}ntb07kpn?8Qdg=vMG8>68NXbWM>QHMFKo
zOcN^T2y1jBW8cenAsy2aaSO7LHKG$`$Q@3ml04P0M(SlZVq3!Um*8jUAJZ7Wo%|F$
zZqSrOcCh^|FYd^}e+_8{Yr=}O9ndb|>4onU2pzP{e~^ZDLlHQZZ;{&H2d;*^u)KmU
z2x<d+O9uA|{0qtQ2{JsR6RPOR0m2YJMBhG)AEGM6ozqL<n#c)DKES>L&W)xJ%^F@=
za`(uOQDxY$9@2eSJD|TMD?Te|Tc9o^{vIiK+(AzYoIlU>uqsX}Vz9FGYbm{iA6{j6
zu711YPI5;FCGG`o?thzxB%Z_T9@??QGj@p)xfZToxH<7wzs2T?jO5Sgk;49TK>hid
z%y_AXW{w!t>|h49)F~qtb=y}}dW9-WFC=eybt$>+E2F{s5@#j&{s8&%0AU2p;cUsY
z$YNpkwRiVD-eNhKf(3Sa@QoRH_n4lGoKX=ztPU`0=|WFg`j7-mNu3+mE5u(8On$yb
zOF5;#V6_?g#S$lzAz$_}Y3Z)!TR2bTj+<2E6{I;jTG0!fxWhWb@0g~zmvk<%6*Nqz
zIHz<b5v9nm33C?zH#ncc0w2M)<o45u{T=nfJ_+|AT1OqUElx0({52%|TODRv3F<yJ
zNlXo|m3XrB&&&60u*+14Poz$2In2iX%NiyE*5Rw$+Z#w*iS^_JmFar;`@q<RlXMP@
zexj@Dw`N95PKnk-@81if0DZ=3_WzyWcZ`(>#zrK@`4uf<v}jPd0k`}QHl%=p0001Z
z0c^`tz!(Go2EgyeY-?e*ooCx=_I}LBwv8>@wr4BX>}=z?d%u*(fBt$db@M;U-k79h
z%BMmqrcx@WN~)$>s;5S3rdDdF&OfhS>Zd^(rcoNFNt&ivn&;TGNXxWJ>$FMRv`hPR
zNXK+a=X6QebW8X2NYC_2@AOIE^h^H?$SHX&b2B@SXP^>FW{^@!E2FHP>}(gi+Rg6v
zu&2H3ovZC*U;EiVgY$<2@|Oc0<Y0$5H1jhga~zg=4tIodj&zix9izMoDypQiDypiM
zpH){wO|{fkM_u*Q*C30tAPY6jB8~E^#+qoVndXjloa3F~L?<~}3oW(MI%~DjRy*x=
z&@n@G(peW>vph?(G*4uhZo2ECr(SyNqpyDY8{m{&lP8_(G^abmK!Xf6#8ATwH^NAx
zj5a3gjWtezLPd&=H^D@cOwOvT$VyW(+*H#{H^Z6Ea<+4v>pbVXz=bYyu}fU)GMBr;
zm9BDiwz(#+xYl*9cY_<V(M@i4OSWW(TixdNjLe9P%9xCHhdVRYU1pl)Zuhv?eeU;w
z2R-Crk9agQJ?3#wcrxSir>Dfzp7E^bNMQ<6<oOhP!HZt<vRAz7HLrWao8I!acf9Mp
z{NjDH%`w+J^DVH@B8xL2<1^8cOtRE6%dN1|Dyy^F2R`(XkA31(pZVMu)>vy@)>&_Z
zjW*eAOD5ZDo9%Y^GE*}p(=sE|edTN4_||v6_k$n(<Y&M5HM8=R-~8?mfBKsscmNFJ
z0002^yV<O5+qP}nwj0%{t<<)e+O}<5v+n*A_y`~S#HT*<xi5U_tKfmJedAl-1(Ck@
zgCG6mXTOLMgax5NxR^nNSYnGKu6W{0AfZGOOCqUcl1m|_R8mVLt#s1M5ImPLh?Yra
zS!9(hcqF?Vat2R>mvYH1kG%59uYiIIDXfU1iYcyyl1eG9jIzopuY!sysjP~ss;RDq
znrf-7j=JipuYradX{?E+nrW_umRf18jkelpuY-;{>8y*cy6LWmo_gu6kG}fpFGQ#?
z;UWw$&>({iG1M@Th8tm|QAQhMtZ~MhV4_JTn_{YIri(JeOtZ{3$6WKwx4=S+EVjf_
z%PhCTN~^54##-yFx4}l6Y_`Q#(YD!chn;rWZI8Y7+3$dZ4ms?IqmDW5gp*D=?ToX|
zIq!mtF1hTAtFF23hMR7=?T)+dx$l989(nAEr$Llwo_pb?S6+MLt#{u0;8(x--5>t+
zm%shvU;h&X4*);_004mgwr$(CZQHhO+qP}nwr$(C>z@Du3WUId2r8K1LI^38(835S
zobV!uD3Zvch$@=sVu&f0*y4yQp7;_-D3QdHNGh4+Qb;M4)Y3>Ro%AxuD3i>x$SRxc
za>yx{-15jPpZp3asF1>nD5{v^N+_w6(#j~SoboEDsFKR6sH&RkYN)A}+UlsQp86V$
zy#;V2yV5Q=GalPxdu)%HnVFfHnVFfHnVA{K%*@Q#W@cu_HhX=}y|Hiqh<z_!sUoUM
zpITC6r!o~%D$}$i?mweT-Ly1man-au>yiDqBw@1cxGdw+{kSw`^X0fa=K~DYG`2Sw
z)jV}a7}YFsW(d_H^M*LpG=8)w)ja*gIMpn9<uKJE`x#l)G;T0i)jaJ$S=B6Q;fq1D
z9+;O+6DFFL|KZMMvy_d;Ws9757}n$1{%F?I)IDj|lf=16*0anz>Xzg9@v4^7^fT+0
zljOC_mb2_vY}ezs;cVB_v?FcTlcc3h*Rw1j_tSC0RM*pK#+CQeNy^s8lguB^Z^8V$
z-@kb_W>|5oVb@;-Tdqw2nzXiro2(pGtXncfQxTJED}EA+$5RTGF`m#Hj>S`nRB=8-
zB9hBj2$s?xkSmtSR|;3MKP1<8AXS(WQD_X7Dc83#RhUs(XbiV4)^|Z$ni62F4HPlY
z<;o=(Q>j~7LusszEjHCwURc_IbF7X|I@gwOoLj?std4I!)>gltUwyM$bvky;4ZuAA
z6T%MIiMB1s$GkutW}m!~w#`e(JVz{MpE#McEvnDFz&v7~`dVTw)QHjcdVxk|G+Yjq
zLunfsq_!&^*Sv&OX&YOpva3APyaHos8=bJWD_>i`gmGyb-?+4^eqF!%4x4V=hGv{@
z)Wmj}ZqfxBhyE=0CrA!)P!7IO4*5V%@2?QDhJI-X=Q&)AJ76#Sx}ccz0&U8D@=p6Y
zFQwxgsoH(wZ1cLPx#I%s%6;mU`}%K;=Q%>o3*e|LbbTaxtR(zZU>)1ZPNP6b9}w|O
zM{+oXaAU}c2s_+qr?dY=Z#-zJ^SqjBvwMRYs=W0=Jxf4<p3k<L&v2VZkgiWjpU;6E
z@qv2ZiSu?$!t**<?S0qI^L9ex^E%x95drr(Y#WKrqDOy<KoAdK{L3Hw8}8RQ;Vu9F
zj*+kTN=VY!9)H{tU4JON0$F}2f(qNd2;4kT{0RIq)4T}0qW_aT!p)bYAIC4ZtQ*HG
z*0didsP??2$j#-4q{u7L52yHB@UQl=A1lwz6DKdvD>E-E|68PPUY=j&erl2XR~X$Q
zuhcl*;%}j{x<!7a^Xge{zBKz;Uitq}H@dleU>N!(djG%jCqu7D%{arL%I#1?_dkD!
zQL=_!p^~zOL8a5;nr^-n^O}CSRnwYYv6l0iLABQ-$9Ap&499MXK{Ursfr2#0UWLPC
z`*xlLb^C6aMOFJwk%o2qUX{nC$M#<lY>(a2|0#R&Ww>8=%Wb+|cZzkqKS_RJf9q5K
zqH34pgO$g>(kDaj>rvr0(PZVN;R5$5_=a(l!y78A*C&K4pSaX<32oy(zP5Q&1?;#2
z!Fd@O=DsPN^1Ou7c^O;kx~aS(j8mi^EsT{XFD;ByW<N2Cl_O3wic?}<IfzxDZas)o
z;eJMvmBkA}l2fD`Op=u+D@>A8W;;-ll_UB(@u|eLupp~I)wm$1!u7y3ElUu^G^5Bc
z(KsznQTboRE=Q8(G^50_@i47G)A=x?!t)OOkAxSBfTNiFBLK~?{)-@reihXqied97
zf)xD<qJk8|#&3oR`n62mrq*7}|FfK5vuy5{zJWilTf_FasNebyPQ<=nLlDh=*n%L<
ze$c=$$$r!UMcuYvM^V*w*oI-<cF@Fe2}Z}q{|9XVRAJqLC-k95AcpgCKw*j#*e6l#
zc?Hh%GCIZAq4S0=2pZN)(>vAsKiK>=2iKK1;m0?SZ!g0sR)BNkHBG~{bj!6vcaaE9
z9hH(8r-(>|c{q0&)BkXqkz;804b3J3Xk28Us0gunJ}Wr^($%iiyeZPNX=Jmy1%i`Y
z_5X$wB}B<XVIlt|*Ox-9A&t6y!u0vi)F+xo4o+uJ<1JL@hRb`%#vqbu(iK6Hanw*j
zl4-(`0l+wJ=>SkFPz{s+zo1`x!FkiL_UpMz4_^qT^MKqirc0k#ai;T-+EJ!UuTYAn
z^Ptj_rc1w6^Sbk}7H}Q-FUbVc?2*WoN|p1K)rFO%wX@uz(YYP~4m2J2V`opOId3NQ
zoQVkF@wA#ksFhK`TZfiJ0VARgHV3vSKCq1+_TN|U?^$L&;}04ve7MrHvoDLD@is>f
z{;ozmy~uh}M7rywE2lFx+%5+)JN|_gK<!67Ob>&wI_BRBEq7|9={kKqEH$=nZqO2W
zP5YqKN)9pVY+pg<nVeH{iXS(s<q5MSQ<`-xq(w<17s?i_a&ZtJUz?r0`(RZIqzxt`
ze4YQNUYmWxttzS<^7WMk+_mx#_D-v{UGvyRt4TzuIcUjY#|DXgfcCmj&s5OO{$L|#
zXiBktJ9%VE8?$ybTiVx_q&Cc}MRC0fa4$W%-{N?A8p&qAjvHwgTCGWYbU&&L1O+FU
zHkc8>^p|S0@$az&=_WLP8@4v}y`E{uk`R|qcPY@qt;9t`ZLSlL*MMkmV$6@xHXVZ3
zynD4W2h2FFF<}WN8=zqMJE1$Yn_xXz+yt)=w|1vCOdHhtw4R;r<-P1hV`HY#Fw25x
zB-r{yf1GBshrO5Fm+7TLd9O*C`Ygn8H#hiqy*h^``?wf{3$^DLv13nASM4+blh*nJ
z4Xoa81yP)%qNni}+-{^@nl?C}R*QiZ9c3ds(&z)Zx5|gK_luqL5G_=c7g|Igo4u^h
z_g)Y7y1(V)zmC$aD@u#BX7Sh%IjO^`j(K6hX#F7o+nNluxnC`z-ezwbrMC*C6T>3|
zl0hKUHX%06NnO!0Blvl!OG>B3RX7#fei73KWLc|D`(gi%+|8Z^Ex4Lk3}9S>O`3!|
z`#Y<qe)6V#Vw@oYIcya-#hzw~UP$pEm?BU(&Mp<LtDnf;&*0jMA7=U3Es~Ccs|s^Z
z-BkrERJ%3yUZxpd=^bOUwojs=gnT6b27=oAb5>-@KYAG!lotN=@3$9MH(K8rOB$Q<
zy%X6DYsh^5-{mBm9n1?Rv9AnJ?9&0?BS*gZOr<G<&`Iio-HcHk(>8>${w}-wVTT&7
z{}Um#x0Tf#nw1;ApY3!=Zp%NK6<TPzmr9Q#U>^<i2{dmpU*WE)q!D$o5_M7LelCdn
zx883KwY%Il2)YVz{jc5_$G#mVKUEE0w_6VY{ZPHH2Cs{e`*UIjYM}OdzX|WAAouIQ
z4o>@-c4Ra(V4)vO%T9eUY%UbnasRjA>Dfs9MJ$8V9>hc2s*{Xq|NkPs9tw+ik#5<w
z(t2PHkL|B|y8KY9(|*+VxnBdQ7xjzS>lo?(DgB@CAT$8pgCKE3F0_^?RxPL%H#A4L
zt>;}%M(NAD%*w|`*+Xfg^j=EJ?aH{bB1S$MuMww@8%yJ9?MIb6nF&q%NmrtYr$c8V
z3eBsVQp_`cIc3+_qw+c?|N2e++@$@&rD|EbVM@fgeH_p}PK(+;Hi8hPaYHn4mD!L0
z-izBUMac3Yc}_#y2DB6DL3vg~&F0~ONZE$1^WZ@lLB^RW=GF5syUfC?x{4`Grvk@m
z&N=;EnXkR4sqn{d?kJ_}O8Z$H&nUm<<*G97=mh8CtlZ|jP4RSx;Yv<x>VtjZpp2ol
zwWv(OK{4s-eQT06JNx<Nud@R7<=pC@RZT;!s~>f8i~B}}fTi0<<!}~zm(KY7=7(b~
zt``flj;*8#3dR@NXdbJwlOy}iggu%%W@PsHr~V?$;!|LM?flZfjGM=2>8i>wl(i+w
z)NO*ddl9vvj@mn~rfu4$+HdKPWT7Ls4{wzUr@&Inh)(NpEtWxPmBB~CD1Uh$rb6b7
z;->jJvIh%|(<ZW{O~MmXofz*#;X(ye9L3t<rsV|krlMsHrDOT`vV#VBGF$dWCI$rc
zX^s?^O48s;(l+HpFN!feiZVTl)2|!6vgAei%^UTv*KINQ<flpLW-YFWAMQ8pu<lqf
zzn0G^XXB>+@Dwq!we!#M&(B2bbWfil{bQ7Xj1ZjaE8>d-F*lhpH@X(HZppT-h`&0&
zt+Bm3c+Lts>rr0@w-0wjJWOV_GZL=~){z4;9(h{3Z}pD@LY7_&u7(OcQ3SeC*E!!z
zc{-*>QzCjN`eU4%fG)QO`nGr1`B`UPQeB$=)Yp&ze>X)UCmoa&l@%~GB?`FDMtG3X
zTR>4}e#weY^;%kf_%B4YG+=3SJ@W-P!?f{)r3C~fU25dLn%w?d_Ptu}GHhj1{}_q_
zg999=Js>RY3m3_2H@W*y)`b?^`qV%Ljpa+<*w7^3YwyK}6yT+=h^E5w9J8U_ZKL{s
zf$cz8B_}@ymfwMTUoH##lql;BYRQ1MV*uA@`Azi`*jG=qIZBc)0|euWWtk8*DS^X`
z<{a#9_cu>&RWYv2D^wt=b+!(`$L2GV=jm!KL9L_hv?rQlLk{P&3e9G@7P_jIuG?Vl
ze9lgm1;`4N2?4SuyaCrG-sy|A?7J6-3%!kBTIYcerf&H&xk4e>Ai{i1D(t8dEqX)v
zEsKebMf&~GAV7uk|ALZV`Tj^4&X^<5>iK*TFkE1fsXrGA>i)^i$W5ofigdyhb&0cv
zCvF=>r}|G_Yc;>hTHzhSkrfq0Edcs_?iF8%q4u2V&jrn}&UWD#xDz+k$QC@V^GJ>;
zFe>(YR9eWg*4bXwK4=Ey-o~N|rhgi2$#MTLsQ*uX#d6Ia?<6cbw7TOlo$df(331ZD
zxnFgj=vM6UwnaF`(as1lAJanoTh|bI$)PxaOjuS5uaYhV>7)|fF*Vk0;@^f)JsbnR
zBh22}rqU9exwyorw7xv;Tx~9<x}FX1!P+EsdELr=yj)Hk=?E?a!T8et{yEKho7IBl
zXK)QvrCL<d@pOnTOa_-JO+0T>Hx~*pm{ZAdw7#NATRT&vxvh9@%KuH>iLGcc!9*@D
zU`7g3nD3YvOfL&2E^zRGK?`Dx`@7{ki!N9nFDk777|-6PAkS_D=V!;0-&K+i@ZhG#
zOxr5DoEDYa%3}+s4z?G@jv7MmMfyr*&4cFi^NAsH^NI7z0W>tfuWo!KQEN(6$9NGd
z3epyRyv3`svmM!m146m>y7%43#T8Dq&I3(IFfmIS^2UDIlDS98ROzv^@<YdI)nf`-
zx>(uEDVvJc+k|~d+tcW#%7)^GGFK&vm2!j2l8?+HF&=Vb%Z(<+`}51{D@nJv=Nk$4
z^Yd*^kYK#3xM3Jmm{S;Zm{b^5m{k~7STTG%ya)U%JUDy^ya@a-JPCX;yb1gfJPLeD
zXA9D}hjg6wYS^X7<}Vm5_l45v_L)tm4^OvtW%rRhM2~w%hEu0vcZ;2nnniD4Y|Gwn
z&bnWE4;lsLUKa{XuM+m;CLLP&Z>Zj5pE|XEKo%HKh@e`h^Yi|swJDua+zhku{?;vQ
zi0f2*URzw^I<=?bL*4*?%o%Zocyv$fHmSbd?SYhDB(6Go7yE&1AP<BfmG?&m=5a6b
z?>_Z5{mKMhM<Wj(uZ{pG4IEG^=DycnLrl7>edEHGLBLVpD~4oGD)PLrP06BAmqj?A
zA)U4qeMx`S>!Eoh3)K)%l+ku>DO3VnSWk+%X1qYHId#E3T~`1Dwn<&Nv<NNqDKQ=0
zO4f)e@|Q07kly{ZdDf8SGW+y+gW`s5_QtfTF$$TiW3xhVv+lQ$8xQ9n|J-{B%k>D$
z8eD!{9DX6?NL-kG_Wb)_6iNA)A~h9{<myY0`-g|J=K)eb5k>-6{IaLgMW<`BVCZO^
z_!yl9_MQfc{XV|tJQnkDgFsWvt^8UJHI#b<YYE%jrAnXIm*JzXs-3~&oJBgELpJPo
zC~Oxv90<TN7#nLXg`K_xHyX|JK-IwLX%g#Bz|}xkfb^-$bbrEUHxV=|sL3{_rmZ&>
zYG9+cS*o2Qg*~`1t>236gxN)5i5V_b&kE@`m&!IVWt2f}!$%Z@SE%zd#f`BFD%2in
zY?=s>IIny;<iQya+0CjWoh!s}1Ae-B3ACn}nwe#e2JUV)!{vLrBEp<?(kYS_Ed{T>
zbdQ9ULI7iFA~DsJSDL<=?5&Kg#mHw^71ujeE62zk@K$Bc!F*Yz|ACvJq*p**cFIdz
z)|rI)>VcbsG%5VlA+TwnMB<M3uKMT4jnAzoJz7&4U~y`T264?BijzwgKlW(1J&V=$
zhkMO;4O>VsTQKKs%*gE@lH2fr?exDc+duDhL7KJ^e{cUj?_opj1x@WCO66NT!({!=
zwd_m93JStHcL0{NbO;mizfkOs9Y8?k&idDMQx{yg|7*%BOp8JN#dF{2DcNFGX|R_4
zzn}lE2M1aHqMTHdOODUS<IC{WN4o?L+$X#qvMA&LFCta{gD3?GTFPqJw(V=7PO+HU
zW=t197`uG^SPILNa{5`o6(?x<Z-r`cj!m@gNEx(ZRis?yBnWTA0HxQ8;@M8K;`zW3
z$@NU@ivxDBod7%ZwH)i6Rc+xdnMz3_<^{s4>v?CDl{i~z5^PI#bT0KKi1HnzkVS%n
zLcw6oJS)nn%H}MHCR?4X@t5k(qF#Y;=8mK{JABXRd6he4nsxebx8ab-R3IhIzyDNI
z+_@SVWp_2<R#T5qfi!%EBEYI;b%fbuOdr3nv#R(TE2pUiq2(Im8poz7eSM&Xex<~T
z(3MC_<C=6o^TnraT95%r-U(g+?pOL5|Nj<{bf6Dd_^rs`<6r{#Mu#BF@Q2~oSMoCi
z)Bj3F4EoG-nE+iT5SN{G$4ZQqqD-GV<f$(QNADzL*pawkUkj*Iz>*7v*3Vx`_MzM_
zr^Verg2E9g<jN#lA(P4!%jL?YJHevT8%!69v_h(?F8JB3QGfN=wmLbcc_c*luv%hX
zas;Na$>^xPZf!&hY?-UDr(H~!+7f3%q4X8n5@|xQ^i|rDtV6-}<zEwWLecb<UlVsg
z;q;mCe>hgV?CQ?!kVY?NUQ416ry^wI8FcK*ur3g@J~<I<lI&VX$B5F)R_VfzGexRa
z>DRf|3VdD-Ki#?xceg&h-@~)q<a%+tzCGD_-MHfNY+8)#07+!%B<i2-JY779qbC0j
zV?tTh7+s6D58<6?)sk!xW)D&9<+!0u(qPBbyY3d?TJ<iM_P|qA)b=7<A?uK5@g0>v
zuM>FF-?52wh?8JI53$|rZ`34;wX1R1sKLZg8{To99^!7w6V5GffyczS*w6qQypmV%
zq$rKT7sI{6=v9!8qFG`B7=)3vzUnQ-*_y>hwV5H3Fp*nLf|{jXA?P*W{rJ{sQPYnt
zk~z>d1g3FblX3uORkNu3Qu{#6oqzhftZYrWv$s{88db4%J$DQVOsNWReHDk7US4k1
zai)%@*l!U)zVrny=8idifh?pHGM>Cn^eq@WnS4oiXx7XbP-xZ+Ow7yrAzU!5yM*o$
z-yJAx0JimCVE|e*<aIC<TfdsM8xZ@AjCHuI8-ex68rsUzlEFbUFl+T_@#biOH01?!
zdX;==us|x$o?YY$2*0}^g;7yDTOwCx>eiy(6_QF0bd|GMB-ftzF9TJgNVCD9F$a*`
z<PCYk|NEk^Hr5!fL}j8D`cTKp)2w8vgc%Cr#aydYi#d@jQP;SzIp^gmE5lN_aIsT`
z=fs9wY?uB4GAVq)@U^V=b$$Q*{Px53JM<LDJgUkc-kshq>HjQXZfrGO1PnDz46(sj
ztTnB1JY^^6;n!9Ed2CNroGz|)iPDUaNg#hN5aTMPS1Q`mls}+y!|;jI5pv?#zy{89
z4c@DAB|ne4)8EbAGj=G_436K^KUPmuT)TH>XK_;LY8M$T7g?Q0&dUK%PT)PoQuf5P
z!pfZptQS*moV>8MW@N4z-r>6!t8X;kk$tAS1*87d8*1pP*3{QuM7FP3yT)P#4lmcb
z#%B>47q6HBXlkGc>m|<NI{?)E6z7l~lU4l~=U^Qx)<bI-&K<*-JDaZ;-k#Igh>ao_
za-Qqh!z34Co}1ajnB%>k<HPzCL+Ir@Rqo}(#y-3NoZAq=cQ~J)Ilv>LJItwGe40La
znn7fnoraCI+PU_csaM+`aNAhez8!8%k!MrPt3A6snW2L&OqM5M&#A3`*mr@q0iNEe
zH;1>??jf6Zjkgt_A)Ytbx3y2W3DJAXoyC>K7MCU#>@2JR6C;zI@N=m*?pHp>i&*C#
zg1NXaLt?ZmNf&+TvEEh15P{i0nAyVH$Bf9s#SpAyQbVO?<kB*8cE;&J4zrk=$;mt6
z4e%<(3oXo*gAZn%rj|Hsd)c)lmpHF`-|ebgGjU|L6=uk&iNR|<zL|gz_PUy428#^9
zxhi4?4G++{YGTHa42rpmXZjZpnz;&R`k4%>xk_gS91TCa>S>0e3>&#htoz3d89XU+
z22BmrKY8x!YVYguA?nH@>WL-lswL_PDe5XI>PgM(YR&5jFzPBW>OuMBeS);kB(45q
z2eZBe8jIkD40a9NbS>Z*CB}<179d7gFPzq`cZe16Up!ymrWVp0+_4U-zr4JpR+Xwe
z({*62xPrL^bbgQzw!Y3he7UweTf!=R>kmu~wR9vT;w#+<-+L$X7@#SZE&wwqicaSZ
z3+peEDT+%J7gSUT=#1(}thVnKOu+?>_af$aF2Qvp+{fhs^*L)pw3nx9OXg2pY;Ev}
zO?Q;Khm{}Je)q;MaP7{1_g7rynPCt$fVgWzL(G-EC5@6SlX8j|IoZ#%gd~ZfACY2H
zOywLSgguZabW0RklEp@nbL=ZAO*r|<30|#gPu{?Xa^J6s>OUjaUnIRPT!TRwq_A!8
z3hoJ`+~ajUUjUIn917i*i*wlbC$dkt2GkPDU~Xsvn`p2G{2Ua)7MC*Uz?KygdKdvN
z;o^!JN{kfr%8T7d_V80GW#-evQxFJix{>b`vPh-QVrn(5p5G|{Wf_+B1F?YgEA9(o
zKK!XbfEj7jpt)|k_;PV3-Z{gMQLp;_59+>6YeL}6S2%Hd9kG)N4-po4{4x9BelEzp
zpnQT}Y3L#4D$N&V@+d;_k3As#Ri~gN%u8sxYRKnYV<7aSJu^64A9M>^^G@`-6bDxe
zEbKmg<ql^u$(>_X+60svTlJ2V<uw(%Pl~nCo3An&Ptn1`iOCa@w}1t-%?{+(A@pr7
zPv4jupeKLxO6J5-3v82Lo7N7!7*a;dz>q5<XOW+XI)S%WfmHms24Mlx0kb)QS+9$j
zhF2sPd_t2vAeeDCbl^FV@P3tvQ*-KfvOU@;+~ne<<;Iv{hh$tDy$bTUxEcw|h?RW|
zXTb)^KAT(67B2Db_`rEX!E>ERJye#`NZRpL5<xnsTlBdfP3hgXrQ~Kz`6(~L3tczV
zWzd;X*bCNVw2%o8Cqzu156P|OzDjPwlxj@Sc~B57Mgof6<ImfrYs5DsWBOPX{38OM
zXiw-4l&nfyvNzN&YP5m#?K$)B>?U+L{?4vkFGq3Uyf|;5FF3f>!XL`%7LR?D5^cVk
zC~gq;f1HD$_22-*0Fsd+&)>~|R2oWB!x~%CAwyfHd@6=!saHirjy1}P7#zcb7<_Du
zm_)0nDkv-IhsN^Evoa^^8<Fi{D`)~(Zm2v_czR%`sl6l163WYZZK}yOSbD}RVl}mn
zp2Y2`o{3cW;Tspj8<J8HB{bnZC2PokQt-tbo_6R=H4dirT3$n_RdnvZ;1b7&gs%94
zUYpc_0s@|GQO~W#Bx1*PEgX~aWPF!;SuKA@<l?OAp^Vrj5xs|E`cg}n=~c2`Mx6_F
zlbl0>_aQ&cQ}vky$Ki<Z{9Nj9;S3g0Jb`DYQ~hNVWOgm};KI`{G%Gg2H|fv3ybH^{
z5T*AgOUdUFVG=GiYLsF`Z(m>pBrc{;#@hlEuO6>;U>2sjBs+=CRP2?~<)@2ajXdXQ
zw=|lNYEC<q%d)d8?G6cE-mft+yl{B}b3Q9F;X%aWpH2Gck*|N~VEwI+eS?WELfU7-
zaC7`cX2=@WKZYK?Tmd(V5uqp_<K`eDt#HlTO_+Q7(GLFL4s0>|H=IExx0>1j3OB5+
zp5_~_w?AKU`-b9F!+n9-TV~3;FG+JS<jLYAPUZ&mLtS*XRUC6S&UarzRe{S4zw(LM
zj7H1x(V`Qm!LC+ny=PChL&`(a=~&gBI40Xk+>=DFj&p#R6CXyuu-XC%%nst1Oew5W
zuWsjKJ|@^GSlYw`juN;pDBSvY3=OU;Z|?Ng34B?08>Y0ypp3&kD`Ur*vk|1o3nrfu
zT=my#7cV95g~L`!^WaN7SXUPs!XqqrN&vtte}eZG)npS@@=^zE%&7gK$yfMM9h9)`
zL>rx^G*X$1!LEx!Y70$F(`)Wnr$=r1YtHVGU#jWQbDyn7OUg>0InKo3R_<8DL|97j
z&LFt~CyU0GIq(hZR&_rdU4YA9T1FM}DuiuRM5Pt^etupqBlnY)eF|437G#8{H)bc{
zxZD3o0X(bqSTp90%KqnKu(K+P36D?}tb(43>d!k}$lnGZxVOCfII&Pv&6BI}PX=3H
zj*t`z8|qC?Pc~9dWC9ex<}T>e&=|P8l)6mSO#6((u;cZ~h0}gd`FGXz(@JF@3sZ~x
z=F3zW=StdzeBya=D;celKzF&%@+}INUZZ43DEr^s-(T~5FqQM`A(7RsOV{NeG-8lm
zI<M$F6Hes(!4#eshF^bEHx`7A*e!!*VZ<Kwz^nf3r`3N}&Y+U;xf}Q0e9fssq#r5A
z_=u@VB!8m6X@}i$nRAb}*T4?zUaS6Kj*Xu;IGHlc9E~(WHu2J@X@qT*X{2eWZnCM_
zGW^{19*jE~aZY3<=169@cIen+J(P4ppY&zeTA5(mZ0&uHuOItEV17>@jIIz>I3zVh
zFk~^rG2}5sB3vkEgh}7UB8_?^NrzQ5{5$p8c)7x)iFPfWu6{W(gJGieP~V}jb+n`3
z6W}?tuCJU*qDig7r4nY*a0a$yP{pE|(+blvx1r~P0u%*$0ue5;F3DxMrYNU8r{t&1
zrx>!QINLd2IYl};I|MovI_o>mI)JV@cgn6nw;0#zCwVVsovP}z>Zs}zn*y7<E3hqx
zE~_q}C%7lcTkD7MM~hFcPvIxm=ThPr7HJHJd@6_8AZd){dUVHncBXq#VRo1uNoDHc
zWH)gGcAtgDm-*|bg~=dila;Zm!|HQMvvc)Tt<}WXXsuO-i*kD{!$?ABK)20>^Yx*|
zVn`M(!*j_+&UV6IcEed0e!Z9MDv4PIx>ui%NeBUbFI42U{_AB7VfCtLsvW<lSP{-c
z2$|<f1MlIh(!YyM?5AeAam49nVGpCv%ki4q_$e)t$(oj8DZ^j7-BM<$mdUwrZFv&L
zxjqDEsQ5&080$c_f{ZfyB8VvaA-351aX!n(eRrmIoKv)qb%<f+MbeHLil0w)Bu{p~
zGQD2_`zDoy^T4MIbfYSTNCdX?enuuzOAHrJ0GsR?QC1XgFi}<<?Lbjh3@O0>6B?~g
zHkd9GF47P&AFW??h%OsK(hxo&txvItE(;A{h+Lo6uL;Z;_C&6U6{0LkpJG2`;vPPF
z{-Luk;h9!_t<*KN^bEGOui=@o<QBl<7SZe$;^G!VM0sFKDjIE@Xt3URfemyUk<h;3
z?k)!F21~>HZG_s7)+;JZmrfUHgt?d2BS=h_MkZ;5K9|-jX-t>F1~9_DQ|sYJu4N@G
zYh>FPa(1rC;5v`WIx%v%ijplW1G@ump30Xtk~cC)hQ9lhO}izd1ipRskFMNduBMlb
zrDc@L+99NUeXkp6r1FH-T^y_qEX&UZLpRGyLvGvPkch^1KgrKQ<w)S=59XA=CCiP)
z4=4MZNIzDZ8&CeBlVs%tU~Z}p$U4_&2@&wN56s8h>j-o8i_qMq$BG^gZ;dskujNUQ
z`HmC$ekiWe79B-bl(B*iIcsHU0^YvTzqy>@t#j!8btqmt%qpm@p(gOXw)@(b(@U7x
z=PgCefPHM1)UM%ytjoTUrn~p!lUt?kZ?rqQX+fB=x~Wqo^Xf@%g7uNn=!^i3*FA!P
z1H9-+tcW-_D5AU|9Z{mZFdLGh{9v)y`(4o;D7AgqxMuS^X!qYJ=enjNeXkeiH=!38
z3DqgErXkC=sEc!57LTXPoG#O5?bHNqhy%TC9?7$<4`8*C4%P$Xv?#(v!@yRXzLzNE
z5bG_Inj1cX7QGzGeZ1wqzx$j_z`cT7NmEBJU8O$8h2ykXvqRnf@!u5gm#|uD2tvaV
z0-~HBkYstO@Zx0onULhAyPxx2zxU%Cci9)~{h}=O8A9HZadt?DS#8$-(^Z!!l(*nT
zQUiUCuh;^mhUaqs^c9QvG|aM1S(Buy*$M>1$ecmL$Q5I4rPunghNWrzkY?^G#D3*%
z8)umg>dW0KF=Vr|Nzh?Gt%E!!DXX!uF+FH_UnCF1zZdw2?@GAmqS&o=gUN~F!m~9c
z#TO{=#nJw*4QwdL!b%~KV@qR_4;{e6BkBH-=+N|rXs7q2J7@&1)HW8ogpDu2PQ=`Q
zufqOgLP=e$;gb@$kI5!R%yz-PyIx>MQrYcHPg@3L2PN&(>s*R5?fvr2Ox$LN<%m%@
zXytEg<`}b}(>~m9nF^J168c<pi4wrE%WOXS1%-t=>>oGT1`Ai@nTf#z*me<fe}y;|
zn0J8yj_7h!CT$W`D>07JTB7@$5UWO8i1$cxOu1&<*C<+<R|Oe`8I@0t&6GUdsmX;0
zobr9uAD|i2%hiygcTBsgf=;{VTe01OxjHWCor!A0hgABYP$Ae<M&x#FO+MEYI-B1j
zf?BYvG94<M6C2%E<dG^XWwnai)F(RS*qB8@hGE4z2PUHI6I&syljkO=BAe+qiA8QK
zS-Id1A_e$W&#dD&FKXrAStl}}8Wf!lv1crdnT$)pjMH9>TMq%|M&QKqx|c-gw#kCy
ze?g6dHVu^NtLnO_>y_trs?AXrEJ0PJkuXcR&3#WLP?@xpLFPHl(HENC0+`&$0{FFi
z%hVLR#ijBNEf;=n6x#0F7T6V>Tr#x8J1&JVm@Lvpf9c#C+alYjsn|LuNhOmmzTRdH
z*mN$zM|iV^c(bK~7C|V%mf3~@05x>zeUcYiz092}Lx~Sd)}sQf#7~jSIB{O0c{s(b
zveKJ3dutqXFeU;yW6~s(lF6&SoxKsUmQ0;;uy|aSpmgDhzlX<{u&nY$&@LP|FkU6=
zMs;m44eBD03(Z@CZNeuB5R+hLj?80jlf-PJD}a_Hy9`N3XWA~%i+B6PyYIU=CT~CY
zP|&&up0r9`x<ZajTz!V0uMP^1TGdBh^O3QgB5ytug+Eg0DHySgdn8jq@AU9G5|R*{
zwu*o)IP(p!Afk15QOCJvvwT-7vKkDAs$6wx?;qob;w@m-AspLF?%mH+-M2V9G%wP3
zGDAN7K8<VZ<?n~w_pdwOkH4mqe%i+Y-l)EOqJ06e{&>r<{jtFyv3`{MxVq5-w2+{r
z=Cc;T$f@5D^x!3f$!L+H{p%mHHYtZzXu%KrI8$Mvbnz(t2Wx&N_tC4uQ0Nj>_%GCe
zE%vdi!eZzWSo%-YXtZ~7)u24`Q8e&zIQG0YY<ci_e&hayGy8FE_ku&WskM6G#0Po1
z`oId8UFsg=8vKrYfvXNz8R~ouaT}qOy}S1nJhy>UW%=5X8OJZCcWEc%+NzZ1?D2`!
zfrn4ZMp0sS;Sq^j{7xozCvfjrDs!-pZgRP^4`R^~%b*h`1cNCe9hT+nuWf`ekv~BM
zdhTNg1}etFa9n>JLV)|P1rl`3F!9h|Satw~X2nU;ziQ1+(e?)lT(PWNPl6yFU6l&e
zF7XV35oq5~x{Vi=0g+CS_cnL^O&l1N0EWQ6NufmU(Teg_3P@w33S*_pg`HajN{dJP
zO~?z*EB5EZ^s!f!=!y<C7>fIL=TEgl0cTkCfF|TA>WSrItBj%%>}`m&+Ns%*r>dZG
z#fJtMTcd&*%EEFZ`+t5?(j0GxB>j3n)F=|o>`~Zzo)A`)R2$_QGGJwORGtGzaQoon
zna>B`AvA}6{m5jo6>?ywW61q+R-mFe|2!sh&Jz3LuFk(3R#I)Y$(Bf?N^}>+dSjdz
zUsS+{&R7n5F-Q5tv=yOa_tY3o;(cQCQ0*>rP{x=o;GOHJAoqhx?B0wulLjSdvfFNk
z<%2+E-07Fp;xpCDbJk{YcLKz1x~Ew#&%VafxyAk5>ljSWjo#xVLz@+aL=R99n_ND*
z$+?ozWbIyiYGu=drW?5R_+H-$-1M-SdzDO&DRxcYLu9MX7wd>W4@8sL4TVHw6%_o{
zv@HvgV^ipn&8rFe2O>T`%iif*7dU^9Me~*mTR$246Qy~nuu%8SL+W2K!7O5IC(p@I
zhi|4Qt#R`hhikfP4{-d5)uD!hRr<2%2t}tZW3j%#?eRPK>$K#nJ!LWn3K6wrl=?a~
z6Sq4I{NzG_oZIC0oUPqBK%rZaH^DznfxlrR6>glls@eaN!|tqiYR)4OOx(>XTs(VC
z^2ja}0*yhZS~0+lJ;JM@o&v$8rC@bHst4FJ%hdDcij3O5LOSGeMzyoRUZQ|j7PsI6
z5q2n)pVV^{)Oz}h|61_a9<bwmXP~@o-G80Z!it|jiX{|Cg2!(S_kBIUc#8dnvkQ_}
zqgI@^73zKJ1hqcy|0~9Fp&|2`OA2m=0g92W9}T(1rJj(3PtB;*jO$g=P?q%UG&}hR
zuSdiOht@d1+tXPz`S-5fT|P44GuT}R)w*$;%F1sY;eFgWjHCF(M&oQ&PwRbmuBzF7
zJT}Gx?U)GL2Ht9kTm5M3%;AIBMd$V<lLT#?)%i~&-tCGrr|)c<R~!Xx7cJ*Y>2CVn
zotIfqcVuo|Jy4zAqT0Tks0o`p#^n>Holvr))hiT~t#_!{5`u!R8BX{!E)J?)-glCu
z2G5ScL6)yHR#Zl7>ik^QVSjWs?6Iv@<-gUv_N%{y30yjPT)9v5VT(?7VGMV946A==
zZfBf<5jYxmM1HzC!n$9iX;+Ks;Z6>J&x_Pv`mM~(ais1in<Hyjg>=22?&BSFj^MTi
z>^>`a^Yx6W_Xi(v)g;{JYwhdd5;GGvYL;6pC9Bj<fy1XBFOY<nHA#asaaj?t4VUG?
z$lTv>x04rq91p}?CQUjZh6@m2sgov55L8z$l#--;HN9gTW)%wR_e^#*P1KPX$N-P)
zBC{{&Sx17gqD^(02L{VX4aw1DNRB)W;mM0H76jc$k2@(F^i2?Wv3%FF1I#A7a>Zy6
zB8$t%TRb>G5l`G@yaaRmr4~b&+C(v*4L-MGNj(TN6@uqZLekmsTM17jz=VQuQ>^(O
zL>q~`=H^%<+lVXs(eMY<^t3^Qnobkz)A<b8iyR2u;;+7x`sRqLadXEtRnexh3~613
zwgKlR)q$TQs-1i6FMM#Evd_vq4qY@qY+`M;SiAUOMkNTrT~T=!WH{uFs7kj4f%e|@
zZ@zE2y`R%b1RDwUIW^y`KEC};M9dLpo>~RQa8TuS*qvh^vzj{-gDbjHY&vTmB9OV)
zkF*BLgSIJypoc>>25xrnUp+xLvQTJANl<&HGk;7reFX}6BxprARy|F4;)$MFhB6zO
zFlce{#^I);#L2veVAQNWa;fXQ`SN?NluhfX@pyC{n}TraViW(P=OB<JO4VJY1-$D}
zu<qcdKxc_9;zo56otyO8w$d|Blgn22M2Xr~&lLT0Q$XzKIQOvmbrv)1w&zl?{+@!b
zcy~zsS-oUz;k`dF+sX2Nn#uOSSNv<6p>Xl{9X-AgP-T`NqA58XSk5sm=!R*bSrA7i
zan><2l6cZ*iM1(+Q)L?*+=X{4u(Wk#Sn!Cvpfa(vq<+h|D&(p(wV6OpMGX%(Z5$LX
zIfj=N1eeq$z@O9_s5U;eU|q(kb&%0B+C{-Q=T4k5zpLz^E;JuhcJe;xyP){2KLo9_
z5H$pktYb0d)}jpg?aF>eNUWgpmqIjbSz{FJgLFStlzx|p+ivv}DG5vTltW++Lg8Sh
zTox;0uUflnwWF?Jx0z{sN}7q?nHS~`2<BmDhZdr1d};*eh`!%QrKq6Yn2DV#eZp_Z
zSIii6K@;qRvqa(jEf%(hmTHZA8&%p?liL|rJC3FVY3yw>IO8N4E<CVXw}b^W)4!a7
zu}0{Yz|q9Id_ZV>H5dA2%Rt-gd$NAH_c%JA9gXxP)&Xax{zjvrobWYcn*o1S0tos6
zoJn+IoFIf*A#JH(zr5QTzOs9h)5P79W*-;I)J)vx2+rDWI-kp=%)WX3TateJ$j7AX
ztqhsg9VM)dj#S|4B|+88!R0B<AG!YgaGS-xVfQ*QZ?SA(3ivO128{H$HZ_>Gc6_(m
zrq2u^KLzp11!OZ@^I8}5P?<z`m&8c*`c#?35*e#~A$jp^+A*U+v7{&`rkFJo4!0UZ
zmEv6&L(Y>nb)_NoyrQd<aJQ#undgeyA+r@|)RZnhlhtOs+R@NRq@J?4T{xQ-B;jMz
zwJ5=tf&h9vma?e4#8NSDHJ~$Lat-%hVT%jvD&FQKT@vM?hRwPpBO&bLxT(pdsd~j|
zjZ5diQ0lDi;C1tj_DwYUrzq3HV(5Y353DQOqxB{V)vOSsLkF(uVJWLYd*jQUYSvyz
z2gdvAGP$A8-i=+~d_`3~$QT4bnQ+s{*CvD;ZJef~;}Zh*9;u66A{t8o&fFOetyL#e
zqs~r*LUwnCdy)AP#v7K*(5KU_uv@)n4l3=HyTqhA={M`k%@UtMGdt$y_cA?G&a{u1
zCbx0J*+alW-$|BLUKn^!`z{9zfC>MQs_W8;LN3g?TvF+#WuH<Eym<~mzcLC#Mw=tT
zo>m~y&C6^!t!+N+{uG^~=&f<Q&8st#D88irCG{As``c8<@MB1i*<L~h8_vG0UAJ)#
zrjD0C`T^aj5y^^VxIAFe^}3+y#R;F<{C=2-y0(mcNC86Gt8wx}?qQ<(7EuarAwf|<
ze`u&b)#>a+(v4$sK7WI<2P{Enhp=JQnTL+*Z0aQ1Ayd~Y<GlK2tV}1xsQY4y`Vxh_
zoSL!R20I1forCbTLQ`sc|L9>I*gbnwx>sSLgP(WLjg#yW+f-Iz-5GP|=B~ebXwG9b
zF)^<i?%a^+y?1r2gEle0A`%};-LH3@b-wALC{hj!W#wyQx*RAe4xuBg_=&VYVtH>t
zNbvK8ISb?mzaud`xohR#jkJudGQEo-@2G73@@=Q}e6@w<+F4;{k+()jzPHwz;WdzJ
zRRtlWxb_DPGwT6LU15m3BPh1aGvv_x<C8M7A?B74^?C6mLI({|ITpeED?heT+^>z&
zs=YbU$Gk4S{ID(Y9>f^?l+&K0#LE+eOu}XFL-c~U7$-Hjj?AgZa>pF8jv)X16~B83
z%|kNuOSUujE?t+>drk!=3J&;(f}k@Gh~_=6xTXuJD(0k3SpS$^{3E2|ADo@ogz_&1
zcO~<`%<4w;W$fmc-qxF~XIHmglXyD#x}*u13>FIp(5+hAbTx%TZ%XZC;B(mOQQ*>r
z>moD}<@9F`6ybB+>H?b43sv(bDkRB`xugUL7`CK>TutrrKNeekY|3Z%_55p@_VR=v
zpafkaM}2i!?_I;oh-dPini|;+_B1-aF9bz?1s@gs^pz3ppMEG?AxQJx!HF<CEpcQ^
zQ&ay*tua)R%;Z0-77e*lWQq>K%p5-$Jqudd+bO(ysk#SC!d{;+f@DSB)JO^EyeYY6
zF3T9DU13z1=w$Njo}cL6Lzbg!%l>!Ws)RQ}-P|f?%o}()Gz*ue^u{aS=D{)ex0GX>
zi-m;5%HwMpp)0NZ)j1xM@w9W|)R*C4Xk3<(%EgdP-@}DPbT8rEXKl@!QD^Xpx(7Zx
zx`Sk|bAVC)3LEs$b4-q;ZS{p&X;J6c05*lj10p)FCY>p~0(t0qVcvlz!u!!=P&Ygs
z3t=;9FT#>A(?A}6Bz&ZCYiA8u>a+Nb>98e)4SR=c%_NM6QGGMfxQt^r57{zsGT^QB
z7mi5Iqz}C8j&iiATlUl~bz?DR%2h6Tb3r~OtKP8cC;r=SDYpibXW|CUt}R!bRmL#0
zS;ll@_)Z}Lo&FvDvEkwi+r@mOX6=TG`}4?O(2L=+4*IL3Fj&P9gf|*mUOTRXuB;YQ
zmI>lJbWUaTD`C!(dCkhHji`KB8?UF9KPVVW3tBb7U}Hi{*-kwrSg22o&B+`#Iznnj
zK4gsLoxcO6M2wj^@evXQw7l+zWD)W@iwE5(5@;PdlV8GQh&R2H<N7?1R{?8_ztbX+
zt_kf}Z!i?4pi<a5vtu2eG;`BAMGR!s00Z~(IO%}0LB+}|^l9=#yzLF+;xWp<r6FsJ
zU1OC$tIib+Hj)U)t&MdWk#wXw$J>uMun`b~^6zNho-l^lq9iY!DU#$l-EcOQ5u;b`
zZffH838F25$hY4Z6iwO8=#Q_V%2vnUOcz+LYY7iGvYO9+3o_c*NUu!_Md5q+gUO}5
zuN8ja-zBImsnWkWGNN7J%`nb23#OB0G_vlx%l3^&6G;qR@#=Td#)-HxrlsiX=7SLj
zqo1(aJqU>+PfLucxnY>Xl7uI}ILF|~eP%n9arOpPp>N*O+WXXeNQw(##h}I{sM*au
zNrrvD%qwzSaY#;vQidFCZYwf}g;UD6$Uf>gM<cDYAe1YaiUPQ^5T9wf$Q|_gX-)LF
z_NrGWj5N%6hJ`Or{-7WOKys8P#?l;TF~>9WDENYyXK_g0Cx>l~=|BN4BZB}4t3a+h
zHcsIHA@mAc*eF2-#~BU$(x*yDZaiR_@FiRkgT?hP7jjtGFvP1LhipR?$wz5>CF1c&
zZUhdCDF-jM3^=w7On|JG3A|@r|6b*-Sh|T7YBM;rsp^M!@@-&Y$X8f!JHgRn5adz?
zy#1TN;Yb8)H*cdzwKJtf2dybGjXy`OqE5j|m0aO60V1WQYz2K<_?f$zp5TA`MJYf&
zaEI^j3OTL;8Bnfn#OtiY@VHhgi}EnAK0%WAyEv!x#qGk~H(@sprR(}PrYw1mX<%><
z*hb|kb%GH@*dyywoJ0IL42`4+PYnr9Cq!ytT{F@0ACh)#aYUIho9-v=yNZ<<CRg13
z)HZUw$GZneU%9R)T7<o9)PG2oVCq~!{px?Vr3$A59I}O2j%b{`pzGYpmOQIJtcPS2
zy${8ng`bg<qWL*bsmo^_kXwoq%EJ=UE6I}O(B!U6qImPa<6}TyTmInZpIF<c=cS{`
z4{yXU3BWSS01amkF_ITP5N=I-G=`Y?vOk?MRv#0jFBK6LdaM^GMF>n+G0(C0&0t5%
zH%#GEc}~-ZE5zd9f|GJ7Oj3PV4L<<&9dWyHR;XI2zyLArDQp;QU0PI6-@!+BhBM8>
z)*^5SMkiCAvDYHoko8NG^yudC%!*;?ND8@TZOX!-U@<+gkBA{5m?3uF^jCV<+_R<8
zrr;iPTwUUCY4pircUml&!xk2{!B4U4+Ww%(`+KD}5rS8(%ZZ`4M@ZXVZ*ldPk|5v#
zGDqFLTJ?4vB5L@d{=8U_Gn<UdC$0WW@Lhc-G+wDa=<_us-|Fw3P^O>&IWhgXnhI1Q
z<N1itn`E^%mBLF_jrUR>!HAyc+kgu~!K8v3B5hoa0QMZoS2Wo|n89<S`MD2#{Q#=s
z#79m+fl}R42K)en@Y_)~>XQ|OooXlV$|b|4e7?G216uYF6Hc^KwV6Bb5AjDdoyZl0
z2{UUVdpP7~_}zyygMnrvZ@)(A#9s@JO}w1k%BtE@rY3%xsqU&A?c>2KIW+Y4pE(Hx
zA=AQOv)HLFoRw!r0I}~M+UidA%7jiFP(oCe=#91U+dZTVi??fW3>D72g?Gx61wI0C
zM*RMK21aw8g?ufqukWrF$?rjPVOf@AH;hY7*f(~HQ##eC*ar%Thmj(m6&hB0INHN?
z7H1-*cKUae25+hPrdQ;Dkmz%dqF0^G2gJB2fs{WvXKxH|un(UU8udO)7ky|Mq%XK6
z?f40%K9Xb@Cg48o@)h$3GegyTbGBXMvTv)=-OBIA?4<9g!l9EURu6w!L>O;uo_?MS
zHreH&M8zs`md)Qf=cT3EQCN`;p}V8jW>+jZ_p<Ii!mt@9QNX$EGDNyKCf39PSot?x
zTav8TxUAcyRr)2#=g|eh@Op;VR+)w+!@HwK2)Ui&BC{Nh;+qoHP6sx=V*C2UVqpbl
z+1z9ubUQR^v7%`628wJLt5T;Lso{;*R~+fXM~{_1&%Qj><kin+yZ1Fv^=vk-wK2q1
z5@9-g>yePlu=Av7JXp?iB1w<JH7V`KY2}^w!Lh6CJ##}GZh!g-+q(A<4^Gq6mc(r}
z>s2<aDS_~U*_qdPc^!2M_Y7g>!gc_a+3-|!ffK!WS7!CH7wCyJ%v^;nyRu!bIE+KR
zKC7`A5xCnCt~w@<*){WUIldqDLRdU1dodsae_Wg<QrN3Bztzu<M75DxQ3S#zR$-Hv
zA^!wFcGheh+uYXWjr1`jSGbAxy?==ktIaGHP&R+i3PQvc(_)|IMh5hM7kq>e@-uZ|
zuqI|Z{jw$qO^&#WI8g5=h!|&QDG^+e7D^vXRv=!Ps-SFM>=t5Usxp9pCLd4r)`r8y
zRQ!=k>~8p)qgIqYSb059<Cc|pFm7s@2t#OqIfEa2`z_AZN~0)yI;~Ed>=$R@GY$na
z&;VtH08q!?@;g@S5b6YsTE!67vzk#cqACpX2p$^!X>HHf<!-4rv=sIlU{C#i&F)4H
zt<^bs;X9f2wd#Lj|1*%4y}&@9;Fvh_eue%?DUZ*R$omLZ6L&0%r-{~oX$7mIi5LV^
z={0z2CeJQ28P;NLGL75ud$a@V=ufn(4;r|+{pIACBw8ejYg{E3hTdtfiedUSIOnD4
z@b5=A&mzVp4xIfgM-=aXZ}^=)I&~k^2u@EJb3eHz_A1vN*!5Es48mle_2WaJd{8^U
zuYz=(yXkp7Pzo0@4szx9^lf>o_<KkI&F{v8#&e9_J4mgbynHzxd)hmm{%MX#Ru~kA
zV=dayuSsXuY*I<}naa_hF_Y3Cc=!l6Sx}5%N#D;AGQo|qSNI?EA~|z8llH$=+Ly2P
z*eIbLRo{Q9qkWOm;}IX<z07S&;H@<G1-+kisniR9EoNtjNZ>I1)sVqk7^##C#Xc#6
z#umebmM88?HOqMBzVEChg^Hp7L|9@Ex5$N#5kn$!RK2{rzFE(b<4#yYz(51xt>bY8
zrMq+7HBB-~J4Y~NC)d<@gtylxyTRD**5vWtqZ=ktR6~l&C{<fNM|?`y<`um{$~DxZ
zeU8Vai{p$tBYwTYoc)icqD`+({(XH%0#7%XfG~&-nnvrj0m(0G_XYL|y~^%4PSy%|
zXf18%Qu|0W{Ai=+6}9n)qK%}K=jhlI?D_!Avo3-3McV7GS8^k~i0(OO6RuxjuMab|
zhr%Rv&aIT<QjuL@jo<OBQ6R!trqa)7?bT)d=rDel9ITFt+&{ltU>l{`dN5uc0+5G~
zuCy{2LI9^X>(+H-MXVxFG5zaO$B)Cq?%I^`PC8EQvcy=2A#X@sb9KnqrLrz)jAQc(
z4x0JFOA7`Elbnk_)~x&<3ss+;sqee53zdqzq5^kkl~*g(B+S8C^)XHl1WWNct}vJ)
zi;V+qg^X*RfmvK^=HQ_aTG-upfkOFnvqt`t7;4Qfuzoz*wb^*&li3J=&cy(pnSOe&
z_o&~lTa(a`QzvVJU)@?E!cv)SHceL97Uno7>5OjZR>)4z%BE|FaBQ)w*`BVA&$=Fo
zbYAURr9VbbP!k#sL~aT@+)PhEMLkb%$=wznSCl#rzCq)oXC@ypbeP}8@WO<#dOYH>
za98hk3Stb~j1WQrY{lu$2#3}3dnt1ct)Ax7jHMWMx;UKP73j?_Z#R6nN7ayTo)MdG
zbUG43Wm~PX+z!L`%Run)la+#RN;$%Mm(Ir9V4tg^kxSz~ColN|jEv=Pox;Rl+CnP}
zKNwc&s3#TNNEM?O6w{GUlbCBynYpPdUmFhCpgpy-jdJhiq(|M4LRn4r4+acM>(yso
z8g9@|o%X^?RdtGAc=|of;Bshh_)Ziyl2{LN#PJ^-{~w;-0lJbW+8&N=JDGT5+qP}n
zc4lHH6Z6J4C$^p3m=oLfm*0Eu|J}ZQy84{zUbR-Q>OQNg_TI(K*664CmeZ(6s?&Qx
zN$uF##8s3&DXP|+YX{z*I*jUv8H=yU<OzDnK=wcPfi{8t-*oUM=@A1gxwFI6bt3Z4
z4ivWG#X7VfMSSr@Ga9l{eDJ?$sM6=v-<hY5acrf_m?%sgN(YnwY)y<2{G2U01thdj
zCoj<@Z*pV9BsCvuXF*UQ0{+TF4LhzsH_q8Srjbm$BuW{~NHbXJRyxElY3{gI2H>ku
z?0PsHpq9YC=sWlNu?ToZoc8J99mK?qTa^U92H2`^RH-&EH!l&l-qdTR*FRKQm2KFL
zwB-VC)wSt&H9k0u;(+g4htI9Jt-X+VaTNp}s}8cHHRO}m`FdX;E)p6!6<syWK}L@r
zY8UPb?&CffU<xO2&w)HsxXfT6a0PdjniSX(_Uj5r31ovFOD#w(r8=x-rTFTMU%5JO
zm3rKZ91SyUip1auER!&%a!f-AjdXQ`aJF`JLkw>OE`!We*{)-lo_yD%tc;zv(^T7B
z&U-_O2~5hn<kEjAMN_loP~9sfyG~VmpxDZOAlix*;sIMJ*~)*)+e$QM0z0vq$|&e<
zhj^-hB^QI!=bHlOzzq%Zc7nVIsTRg=<chPytrenmR%e!$fqIkm$CVaK6H}aT!jU5r
zKHmr5tFNy|9jfMvijFhhkM*~J7n$zV+ym?v^^ysM4Ej5>Zn}if1}UrwG;Nv*v$m=P
z^#%!!agWs>yyj`=sr(I^k7J<R)ZzPe1Zk=+I@6=tW2ppVDSR*T0cnCwA%IfN;}jk3
zTp;C|oURq`MP5#G2Yb_S%lhLgD6f^|MQcv;_POHQ#L(1cu%(Z7&qnR_=}z>u`7@;-
zemDF;|1}d!44i3yE7K3T7)a9-Ez}^_-L{(`FXv7+1ESiP<w4uMhkBJNw8|m8dW}x*
zExfEDje7fY9Nv+ddf#(g-;wV6Kmr`-k^CD-7#$&FCkXP0Q6T{{Qur5T5J+X1P-O^l
z<rrxtFbZY3Vr3|EWu&J)(578qoZxz#@SiI|)uR$|Rmt`)YK2(M*cX_-QwD$kUg*EA
zbl25h;Nx46*%ie$WVFm{tRm$eH2TNQJa`LiV?T=+?nnDaGCr7hZ)iTt7#>vm$JRc$
zcW-^KVBX%(`Y6hU3+*q?ckrTfg8?7NyS7dzun5sM_DIJ+497%~>ZGd1)Mj6bM<k&J
zQS1>HPk<Llc{+GN?>D<t3GveG#E*CyYVX{we@1B7b**QP8a}M&mJu0CYQQ#Pq$y+?
zR^~LKRfk<wGjC8wQ6F8}ER$(z&%;}N#akR(o+%UVwkRl>ObKm`w4)!o5UFv(9@B~T
zm0p(En3=xl1t+&9CZg02SJsUiS6-mf^|s1WCIgVGQ(R+=@gOTERny)eyi~+kj;*+o
zSgt`Jj_I(n&0nq&#;)$9SoJeFNML(ZF}&XLdI|}8*rU8c--d#cpYtNXkt2wL;|{<V
z*&!H^TJK%Ekl1^L5&~kDSN62M_%+N%wxr(P>~yZoW2s{j-L{(j9M4)AvI9fdqZRnm
zF8ASlS#ywd%P2lOKCNCgFkmD178{hwW_aT<u8H_6d((f&A;IKgOK&5d+i9LqZWf2%
zC!ds?o+x<4eIyosT?uumU(Nb9wJgoG>lor617Bk}7F*WTeUE2eqdzNvZtc^v89Wm#
z^b@zbptM%v7u+guHZo_P9MdJMbXoSUc5T)5IV}^9>%?xSf(Ek_-rlvxM{mXDs<ro(
z?*W0m#P{Lv#<dsjoi)pMuUoVD-lmSb@?9C6Pgq;?x-WO11%dyFU#LDa;vee;wlr^Y
z<lup0*ON?CRdAI9?R8|?FjNEIP?P<T&THRivavKXN^R-SA|Vx~pUD^sQRL!DaAQwn
zb!J{HXy<G{d2Fhyb07YKa?C=l8sVFW{y?c6!aL{p-Bwr`yQYFLUv2#IkX;AH+5)eX
z(=5*~{6Fjg7tskLR9J_qGL*%MEYhn*V98f1CnVR~@aetSvewyD2gP9+X&vSG`v%@p
zG}89vBW+N(g&WC-XUiuYuN+g$s0|5t6td-W*6ndS_<D?c8Fd|I4NUspn*rRtw8#^v
z7I)0t(`SmxtOs=LwDK#f<MES=c`0T9jm3&Yc^@p9I7Xy{gDWTRR-LmD+X2Z}sb_M(
z8rD7E8~z;l+Y(M&ULjsBGCf=Qsz^Pfi>e$wDZzJAY>M#20T+CX;tb<j@W<4yXe;6s
za<f&8H`uhbS`KW@RWRKMnwG)TJUm$K-={5WOL-;LjSsDJ9IL_`c9Q2@L@la-P#=Sp
z==_|t`>5mnqnDTC3+xy1W7#kUQ9%|rM5t#(19Z{;T4UtR7RG%OnSUK4{nwgk^*B*<
zSEpSdS9|^mUV?#$bKCcSm7?VQf3fVJk|k5<=H_K1-_21g_7Cs+sc;Zs55}a6Gt#gC
z%~0p(@m{3l1R+#_#4;{WBuV!OVo<PnAyQFL1Jd&-<Q&O-xXDk~YPiXTOb665+%$;@
z1K!F1{A8TD&07;$^h6=`Bq>?}QDtK0c}RG@b5QzPf<qXs7)g~zF3oCTGNLC#Hxsv%
zK?rHe5&ITsEK&=4IFXq%?RpvwH6|q%3ArBxN!Snv&>|9OOJzd|V-VF4z^r@92*+Fb
zQEUUmD-uIL&Ti=6U`nkV^Abw-h4w~k(!6~c1o}Yt(&(-5S!pUGk9mduf!zCK73_6~
z_1K`6kw>9)EWU8UI&i7;<eZ>&ZQcpznuCTzZK8q?i=KL5&-zvN%fx384?%>31NC_y
zI1B$x#2_nw5_>c`CaLs!Yuc^K=rxN0)Jtbons~n&O?ZL|<_C*P3YUItuUk8uObbnZ
zp626tcJ1M!wrxU7OdTJc<Yygam9T~u@sevNznvvN4pIXV{D=~XS-4%?7fH0XQnIm!
zSs}(98FX>RkGAZwB)-;`<;PJIKvl?^jxPKTEQ2Jh#RMkxm|uBx!DKoXb$|9rY=|}x
z`z3?Zkt`|W4mauz`x6q3l@WRPeN0TiLdh7z6bVxts<Dh5jwxOypNX{`0gfeYyZ|Ms
z4vbXI;kSxnUwI2jZk4tgc7jTr^iNyoQ|shBn*wrm_~NoGrOb9n^D;~2)ON&!vLhvc
zO-jQirFn<@xCgtQl>4x_8e)QLO`_|PZJ9%B>M3A8z*OdKs`a-IrTM3ZT8U3S+~tuq
zaY;o9gH`lMc|{&J*QK!fh*AaoG5oaL00F>{2<vWNwl11#JJz4?E`VUqI)0B$(KoCj
z%C3U;wunim*uf^Ly*zUvxnoxQ@{g|)nY%{Tg7)S<J#N@#d5?p_hdXWKv*f+W=jV71
z&<w9OlL6Qk-o2-OPk6?nJ*?gyZ`vNOS^bB7W595ts>2Lh^F*=+kdQ<GO!31~&90Pl
zzE=sD)j3hp@Ikjv-r9e*=)!%t=jcL=KPL2n1}t>kGc+yuJ{U|3<{|%s^;aU^m$R>q
z9chkR5;m`{bXOKXv-M|Ff{Q;Xe5K|&VSPn7dZC3yRCVN>*I0v#FF|swx@aQI{7wT#
zW&ReHd(1Hq0Po6bH=ChHx|%s{i7y6t5f*+EAkY1%Vm!|3{L+2pP#iKu_ZwHyAHQMI
zpLhZHfkLcKRu@C>n6_zHYUtor-3A=A=Chml&lwDYKUQ=_?LM}5#qoT<K|-U?!A%R+
zM;@7VRxBTJ&yF6s9qJg*;nnIGFJzOOYR_r;?6y}psZF-mpY#Zg$-FM8@k8(It6~o(
zz3^vjsa7EPtW@pbc-GXi#(BT21YO)S<@Yu%RuH~f@;H)sEm!IEEM4sx6dQW6t{vX-
zM{;QGAT>4DZ3LWSt9Q_s*L^Nm&9b~cFIs{t-%~>1tl>ChRqOIDn*FJ>ER5&a;Ir0+
zc}I)*OeCFt-+T$`ne!AR=d`dAu#&Y=tv7I6sJKiPiM_D>q{U52Wc^|>Mifdk7iKc_
zRJY{=F7tZC)VJ94I{goc)4Hc=js5zgg9ITj84ZigRv@}uXW>>M&J?)^LU~E1^A`G6
z(mg-Sv6lkhzM9f0Qs6#KlpS#Hj)Gd)p{!(o4lS6LTw!;1i>*19Tng+flUzC*HPT7N
zd`>x$A|qQTS`PS)6trDufh=*&l~!cTD?K8K&tOW!w_%z;ITznoGXa#M-T7rC8#kRe
zXRFQMz{{n~u&N6fwo73HN;#5Lv*!Ld1QG_h6mE=4&qzi90(njLk=lZ_|0%R3oqDHj
zhzI=LkPnF8m`HjW^KVtYOnXxvY<dBC3BDzH5uJqRgt-Gdg1!ZHe3KG5d>8%fU6fM{
z?61dF9~j`!m{}#4FEhf+l@`#oaGg$RyKeY16<n7x72c3R|118&?#H{G)j9KF1t>=|
zMOkujL$oJR0@<}yP>EBj6)a6tt^$>yEMtf!<9xJJo57?3sZa41@*?!T@$*y~_-jn}
zFB!_lWoCf<Ga<tA(>=dl3Gr$8MqPPAV7Z}5S-?;U%Vg#_%7<_u$(M5Aeum*aHU_Kl
zR~#GVxnM%kIrF}{PN)dwrOiHV78&P*PQ01@ti&y)y~ww8BD{BHOCpd;xrEi7a@;+2
zS_HQ7)egbTAUBxpZpJI8^lt2=fUivn`w!#NP-kEy!w<s>**}F7Zrt4bsg@e2GPmmO
zQBSo?i#U0<ZuFdI?)*?^P@BKZHp}qa^6~H9EjC5E)&Cag{XOAud1Y;I3%~q_$m>o8
zRnK|88xVgf{NruF;Pc79Js#hO%aJP&dKCFo7$8_6$uz6S55PU-dZN0A=;0}+Qa*PT
z2xrS(KKh1T6f7K>!qHm_Y{iUCCW3nG=Lv>b1t#Yb*}|ThcwO`IK{5V-5==HC`XO?S
z&U`o}4TFXn5@B|Cq9%rp8}Y;C0+Q5ZT0aJ&0OQ{Amb{=}uQR93i^}ze=*#sc;BXgw
zYA8HC8d(xbIYKVTMhIeZqHuBoJ;9QiWL`<iY+Y9c&_#)vS?ejvtsDkdFhASJ*PZ3<
zH}mD~7kKw9e0U=|wa1SWIR`U$G$Jy2@{ulA$~f$%7nAVfkM{BEBR2Uk(2Dv*vf3$#
z`LqLS_D`4;8yQvG3r8_QFfz^i6Vq?pSAb09nP58)WE*Yh8L20)A5D~Z0p%tYpC=zz
zb`E@^4o{z+|Gx2_X>fkPNfvo%MY0Ln&}|eMZHysRn)Dx<9w}S~)tZoggRBJQx*<1M
zDm|K><ual7Bh-AXyc7BS1~n(#>Ul_^cVcydUm`EKw;Yk?4WM#!5vC5f9pTqKyg4{E
zb*Yft*0BLz=7!u3jcR*R1P&a_>b#@3NS^+hpbn-hL}=zr6?vS@{bPws(YxF!*jDbM
zuGBKE<8p|()q5#DeL2ProZ7d*YK+$Lz}-*RZ_PM5yaPZwfO5McP;Gy-YM(77*1Dc4
zjRv&;b}d{VMbxDkUs3s+bmhdWWc{-=xHwxxmRpqmKuml5#E8Ermg*dq%p|fjEBpd8
zBk;^IMXk@4<~#|nJl|$nhCWDz$~}TZUm+RFy4Sj7`sX~|lv^g2wQ$_^W{mGCdru~X
z8g;%+(##)juAw0Pff08xWt^VMoVUTr`GRy~?`5JnyYvk1lO#&D&`nJfo5>aF6y6S3
z!*m<X;bFel0MyQI?l0~m1(PQP56ilakWH)(?7DU1r|6ZB@h^{U=BJ{y4Nhe8n7!ZL
zW`OYs?-F^H*c1A-LR4$XM+d@X>B!?`1!)yawzD2?{R9uj&vll9t7Bf3>Z?;pmNMeA
zQkH_;6Hb;fS*8Km*-_bqx!iljpC^VsVz-^p@SV_%w?v%<mF+ZS?KSwH9p$?70d<#c
z3g^a(jF*E-lwov0E;P{u9FIvONk|X!da@WoC|;;~(R$N#$k_ofseB0tb_;C~b1Weu
zMmk;+ioMU}0tq;FI-5advJgDjg=5j!fCU_(*dGhjc@m5^bUWe*WF`?zQ+N@7E^t-!
z`|zX^Ekyw-e8`O;K7I~a=D!IONGluj6K77rZ1dzy=(9+OeKwDlUXueTQvDN1lTzh|
zrA;HM6G*~8_MIXKu%z<LnfJ93%;(dutvjhxHxo$1e+HWO(4{^kSn?N1{X>D3OW>bS
zzZVZIZKq5np!7p>j51f>N4~r^S;hL9+pBBRX03&WV`;xXW*k94sa17Hw<OJ?O_GGl
zg8L&WT-r410~PiQ<x|)oFR(eoaI$t@2HuvnCu_S{3>*H~q|mJ%wOxxs-!6nfLmJz*
zFxvdsgu7iUj3Ko!y7<Jz`q8mNo0(RH&DLTnkaIE&Lwhh>YtYnU`TSMGeUcyvZIhmf
zY7+M6+&?ha;p{&J+?LZXSCFoKflrfwm@NNBM)dm*mTtAZ=z+Adr-MW;xk!_!fn+?#
zaZG0}v?0`RGGzj1E|q99cP^E9GDNQV2r_xD`4}>KE|pla=)>QhgF8|SytiTmaa;tE
zyAcC_@CcV<xXzuLhNxAzipqu}c-Bn#dDsd>S$Ud{GixG&h*v@IYr!5T|4e45hVqi4
zg|V@N%Sng^De%dIizer+B&^s{*fLS^<OeO!B$up)T;tC1>fxy2g0FMivRgZ-IFVz0
z=Xbu*xR;k$K4ngxo+o*s?sZ@^1k)_txM9q4!%kte+vb_yxD%Rn|FsD#iORl|Od~qe
z#a^!A@|7Vt^z<?)PusK(_CAb~vft%$>ecujb@(l-i0jjG78UapS*MBB7D%pYmw-_3
zNmY(J?J_8=da1~-P~8hU^YU@+X%|RO2L@X0ayCKmj4F%f_7CL!y3}SHW5P4FUZ17P
zS#iC7366?heZ6rDj>-Xdg4JOTan4&IP8TxX)pCtA7q_2Ojp6(@4|gc5BLav<f^V2y
zy`asld1T?-RdR7oV%!7=>2P|$Kj_(Nm03J4nLwJnc!6e@u*M))JtYoo?-D4$odWFE
zok6qTzrwYbLCci8&{~>*_=3q}GYM7M320I3*NWTCQ9r^on%nzKaj-3DMi7Yx8tUXi
zjlH#Ma5O?N@osxyD!;x+tH3-Z6ZIQyPc4@(+HcRpHkH~po3h4T;_p}NJF0y&rE@l$
zJ1YMAdMJuBB$Er$JUosPl>?hqEEUfqPd{oFR#<&YgfG)5pJcPTn$jwqhKg2feXD7F
zO~0BP951R*H`(nUw?0|Su}0h>l`%R4Bqt{)eV&gR(^DeA>eIdf9Tp{87{3ax)oMF)
z+;dNL`2*?pksNDyD|l}$;LcfM9{UdX#NzsPVcs8v4Pd;<W?NwFr)D|e?1N{QknKfh
zIY8_?7Lt@tr6F{g?I7z?dNts5E9+AFG>BRtbaCzIdzY~67JHZA?6@m-5JILz(u3=C
zU}%ND52h#@d81r2sejScxZC9*bbs2J1FH8*{)K#xD;Oj7!=W6Kd>0_$rWqhh<AYdb
z`c4Y}okNB9<s;5Ildi}Z)85&!r!SOAR8~mKQ?ggiR5THlI?J!nO=22N&-s&%PLRw9
z8%Th=@XY?U7v91<9P7)yR^<J(9uT~EE)5ABzL_Ea%;*&)e6|Gpa{HI-@vb^7i1~kJ
zP*D6G7#YZMGeh~gIw<J-Y>D?Jx08$Zi8~@l@y;6e|3@aimnB^t{h_bVc28{_bkWhC
zMw`Gr{Bn+*TBy&U;Aot(2>Y<;T-BODvb8p$r>`pB>1k$bNJU&~7}U`z195Neu?>7n
z6Aa+S=gNnty59|P$es;GKdkE$ILoxu2TwN!V|6nMgM~jQ++>*jnbSg%GlzRtvUA|3
zaAcQ|$SFOhJ8!OEucYa|Na-&6m#*k^>NxIFtE{8lwi=@w3C>VthgS7D^QWJ`Pt`~&
z5S_nSY36>?Wue=<YZe~<L50!Yp!R;vf;upN>of;({_FH!n7AqnZbcZ<Zo$&OJ^_oX
z<m%P<t^o2hEnv0i^Rzb9t?yQ_<XmJqk{Yh?+F|Cz-LrN*L9X<YQ4}GZs#DA<`XAQ7
zX5^2jtEk1UoYB$O7GAe-th``<H>Pl;%h-~FmMGK`=Kh+F!<v)&BBj5c8-&r<{S=)}
z;EXXF{+`=l3rw+i!<*<&Y7;M${6I!Q&l&n&R97w&cwslR!L%ih+Wm+LE|Ul{husKi
zf_i$%cQcA7?acIK%FjBqxb!|$*~`Cg_PA`$pz?eiC6V6+M0tebNE`eo!%UolNN;PC
zNg095J)iT=zX+LHBIukS$+;}?KN(D;;N`3+iz6pq-=hrcX)@Er&}B{kt8iy!0wurk
zhw^fr<v-`Tl?j@>TtVcI%+_CIH9Hac%c~VuCi9&85n0^_x~anGvQ{R;g^^NPc5JpS
z3cCe-c96)G|BQ9LwBV4>Mh6%sCTpaIR8;EEG=>KnZtJpq{A6i3!lUTp%C*ojvxJA1
zl<T9^&H(~}hBO+&LvSkf;XVh-yMKrTQ=`n4>se@8LZc{@>M_;qP%*PahQ`ZQy4B8O
zF|X?~`Ob4vue;Q$VxrjptG6UN)KIo^X_e_fTc!nvc_uX!pbht5OQOA2c!)Hl-&4X<
zZt5_Iu+R;L>}*K|Q2)}=Xh{5bjg^A8kT;-+k8GT^fKO2sfO;V9s*`hQH=j*t)2L{V
zR4#8Jhc%yyO+AcPy;6V-oxCHR$y5MKmU+!4FNLU+gJ(DYTa@P-q1f|xK;@hrINSx;
zCVO784TiE5YAD9sPaSHrc(?3}%`H@Y5Bo0&0thFzeHO?|v<$Gf4%>Sk9tR{HysAO%
zUjnR3p|A~*Ju_$8yE%S)@<}yPo>^|<?cnnlBkLA=Ke3T_{l9(7@rqNeCVIKfeXaV#
zo2DCN!zroGtleyTQO>B_Sq{av=OeWiddv>-&O@z6ddxL5t*pbCdmi_3&^H~@nnm#Q
zm?u$g9YwVBh|<ecn<-ku4XQ=FB%1=?Ug369eZvR7-A%Hs%^1O{j@?brtC|rSjhyA1
zzvY^pv|A6}e=D=}3b$Gu5<5GFI+(8jBRoqv*bDgORONsTO~phX(^HBEtOb14TG=kp
zhv5ZZsjdYj2P<mnu9~n!ym5U*it?wJ?@C=o1}ctnUA#WywEX6xify%}<j{sLOx)=N
z1WrucD|`RagX7gx&Nr>_rmdf|!^rR`5j)uA@Zy?NM&$fP2l3hbYO3{s8pCqgEX)~P
z7Q6ohu|L0iDPDCx^{*hNO9zUNYNutP6wMv63iQe`mPVTWTCJf;KcKl55aA49yvbaJ
z8|FSzXYq;oi9g_Dq2-8hmSNn*Ql%NzJWz*+P}%pNnX0ovuuU~~$6aC@IAy7_4qG(R
zLj2Dl!+k051pa&nv}~(B_^K9`&#fpeK0Ukx61RcZ(0BoPJMrxA8DTxM*J-C88eLBq
zZvdI?tgRddQ_++y%|qYJccCO?wwHR!9;Lm%WvoX%5RO>alwNm{oGD*uU*@ZUuv-{k
z6jG`Q7KGNPQjH;Ov{L9_=39ZV^Hpz*H-<FdF`!r`$rR5#gf-ke9jSc6cN(VsXc)wK
z_9>fC62~T-iCFYgs`0c3!dl=@$*tjTPt~6Mb;-Mv)v}BVq%(m;)=e9>CycZG2EDNA
zhOsl^viZ^gASMBZs!v44093>aqkY<^<+bw4&~hn|n@%<7r2_a!Ef;^Pr<|ivqX5Im
zj|D8`;jd`acAsuD(`+@<>@d@8H`8o0W1NfCy<DYoSV4DK3B!Mc*o<h?qP5R60e7|g
zHthITYeL50^!QfmLK9GH97^@S+Y#C9@*Kbs@yphP77ab<zsv&>rrtR}eg?jCf0=Xo
zo6{R=uWK%i)AJV>tG;T_ubqvz>2g2O9D(ZiY6&`?9+7@@irZ3I+b_&p>+lX(!z*NQ
z+3z<+0wul+7geX1YMcHck0kkB`Mr`b_L||PFc%?UX?&0EU{@Ody7(UJkQnE8boo3I
zM;P|&|BOsuuY{6w{8<Saq(sY-vLmmL9Gs?kQGoJQ`c|=9VF;E-X!%zY*&%U>*Jit0
z1L+z28W_?_xs*w5TTlgQE}zV<vLvRBZk|(I6}oOrW!NRJ(Qz4J?K#M%8vA_|nNy@@
zK#j7sE6A1CD@M~S8`Pkw|0PpZiiTZ22u0(ZA#-mI-a$k(R|~D(;}D8es@2<j35;rP
zGWn&kQH&YfWRk8CqZ&y><Qy+%M~=!UJ%|&zB1Ou<8WD@I3+BHvO32|7-n?O)&SJL@
zkDnnzta?1-@j$~j?(x9W<FEUYupLnS4ucG{R7j^KC>qX7HyZaqyHSe#ai3p%+i^?9
zXM&PO8%X>0nP!c=rX#LQAgTDktQ)>M+$%oZeC5<~fj6o(Lts%;`aJWoPRm^>R;5A;
zut7X)3d5!u;7Kt~>8?}I){?Y;^0LP(Z<e-CpR;Jx8Z(i{((O0#$7o6Kk-5eDbYNJc
zfj#5WWnZ!3P){LWG%HKFZ_3VE+hCKEqoB|)E)tN@nUu5_XdjWh>V)2ARZfb$oL8Ei
z#lVxXwh9Rj<D%xW!h(i`E+)W$NJdjq5W)m4hFFjl5*C7orG}xV$|K1m0)qp?Bgsqt
zWr3!Iq9h~qv|2hX(6~aiVoCW1@x7^?qn`s!a+Cd28x-qiBp-2&bALR-K8~$Ytx%cg
z7M}wr1mIUKL;Nor6lM5@`F}pBHGk>^x{UH~&8=muW$fowc9J#IHq(xQ`d%-gb-I^6
z_2q0)$=1!FxoHPE$j+L>w$u0NMrA0H>V77}1aExKkfh<7K?k3kBy<Jh?8gO$D4?~8
z{J-G9{{<^pBLaVa2MQ#rm+}GBN@-1{4;4V0u9JeTCIf4pS~h#NOb%N4nUoS;JRqyP
zbz^&zj;4<U4?K<~&1Q^>+%O|<561ia3?q9$n=nIkdU0N2kR%Hcw=^l|cP1GZu&X6Z
zfa^?W8mrt*JxWRzZENNnOozohM6F6k5)ni4x~WCvFljR>^T>I~c1S*wTnl?(JI~>{
zdg!peA&ywv4dUG}73l>^Hv^ua1&ssoueRkv)gGGvdsdp)gQ3NK>3b}buyU{b<#EL6
z04CeZY{)vEo9D;R!rst_LVrS+%s0ICu32T?*#k|<0mDFUY$~4h;u@FeZ-sW{(t!kA
zEFJsG52EX2&CVluDjrfnMh3Bkz>PbC9rB~r$wddupVBQV4?Kuj)_>Srxc><&`Yyh8
zBXCLbthR~h?Qtk49#8}GCL*-4bZt9=iEd+-{r=HPqF=|kj0*}bG&^9^i`Tfsw#R1L
zN4k4(?HkYdY=(DZ9j31|45C2ZctideZn$L?<x9y05bquZb>1hCkp?|V@-Dvg>m4C6
z->O;7n<jFn>Nu7T5Zz>R`t4_tj4&&>{&rgKP_0sXp<zE`U)7uV77E%Vdg$czKVSdl
zS_Ran?nfMsOezsd!SXLjw`_~`=om3IxK35{!*+^u4U5*hl-L`R)hyGg3{ai=+fV7c
zapuhEvtHVb%r(Lb9IA0jf<-f<Rw<nNWj$Qgv}*9=-7mX!lR*qN4Lj`;NxNxRAeIre
zXv1mM4ymzflKaMgVt)0y5g$-deSyPOa_)$90t({*648IH-bV0ET4uj)kyu$UmhS=G
z{J)%LQ~QQ~yncm43@hOD=h33h<O+istx7a#sc2P$Q?1zXd*Yq3iZ}e9ZWz0=IRjBB
zgJ$Vatj0)_;o@}|8of4&MHwQ5cHulo!;!5xe|McbBWuk!XG418E}xHw#L~fl##ob~
zkab$4r*v%-M(lRKs_Wn@a0dFg(5NamJ3KsQhK5?vmiII^Vxe!i07DZMKgut&yohtZ
ziS1(q3B|GDeAF7n1S$K}(m@-IiReNo>IgKL&&ihhp;i#qji?avqp%)_e}_?=?K%-e
z?m5#;4~MoAEbm%uSo6TX-B1IDqrC{Pc1`^vuWoEtJ|%Ac7E(cC_482g31!FO->?ZF
zdM=9^V8b1ckf+138gWbpht`Q{CCNE*R|Quyg`g5d?Kv~l4Cm}P<@ayxd7(P)srtnW
z68hgTN0c)~+oKu^(1jh;;VlhVtRR`IF`MWvEE9+CS!KsGIy2V{PqpGBuVdZi3|D#)
z8}3@ZpB-Z}!<GyXv<!WOegmKfXtdz*jaco1bC@vVJYe6{o9Z}`26wp7M)uUQW8nvs
zS<emQvYZ70!{2QB+k1{9zaqw7X;M)~L%5lUvHDcBKr4+2?Lz3kc~A6w_ui>S2=d6e
zf|%YlXEyF#T=W1-zWCn{oNw@d=NDS;P}V(sDr|XLk_MhW^!3?oKYu^Y1{>Uelt(JP
zO)W@~L}JX3l0;t{D*xCIWaZyi61q{84}lGY?f{`4_@ybJ>K_a+)f@Xjiu*)L4S<#m
zU<F<)NrKZiF^3@y4|(AbqrcaBzzp=Hyl=JPcO8%PZg<dJk*3vZZ;clt>gh}sW9sRA
zV`lX-$BKXI;ms67<`taP@`Zar-C*p(4$9xuaZw=+{q~~VV|E)?jif^RJ5;zE)T*0}
zGSGhir|NBIb-g*;1=g9y|KGeV1OMK<DZ}R8ygY+GYU!>tiCWYM6S65$??!YRyesb^
z)?{q@nb>>I6FV_QGIK<J4;Okx&z~eC%&K7dIz*2?0WOG<e;A+V{^*yxGr5jCWMC9!
zS#WGJ_L&hS1sPTXIx(q*DOU7r5iJEdR*XCmaRo`obnOu}1zE=oJ`sR|qhofTcmY)b
z7!XY2-`L(}d>tjCgV2%4D8z@4Dd*52d_G}Ys-Tv|EH)SdAS(8@wPXPk9wBF;yiRca
z{QZUfuKj2I(EUf}e@x?n^_L9VPt}wL;+<&^y>`1)gIC%|BEHiu85>Rxq~-Dy28x|=
zUYs`qyTHMx2tl+!l7JbWo)|B}8=Y-!Vln{*zu(WKH~LEFZ|Ci^Au~0)nu;LxGhmA<
zpUSA#I2EZuwY2RumWz#9I$#(VM%ET^6fp&nH%zc4{RruZcSb*`A=>*0SkDhPro5By
zsE?4ow`2fD)FIpbGv9{!Cowqate|$=0Y0X>euYnP`RW8O>av%5^YZ8*Wlk7_n<-vZ
zi0XCv818++FXM#=N+lmLM>DNOU7VJCg|NM|DFmu7jU$eYHcZdU-kf!D{%lPN(o0cj
zbYnQV(&gPxcLZ7=cYqGCu4egQ^#Nhz9x4pzVr~urGe>M#>*ERFU;}pC+&l1fK`UO}
zfTR1~3>xs&Qz_zPMs|6V?vCe;Yae@TFZ$j2{&fsc6}@I=Og0Dt;xX9c5Jm#yYCP&?
z6^A1m7%&SaMy&a2enO1S?$0?}p$!aqIdUxb{5sq2Uwm|G-rLK}T$$Fua7hobDAZqY
zI3;vsafEW@42-W~Z=Z&1ng0!tWh~5<)k}UR;Z}Ev-WM&0Ws1RNg2wvhOWJ`3JWcme
zv_f(2AZ>(8USk0IWWB(zc4$>5ndKVDBMRm+OrKW%uMht3JJ)`Q*RY1Y<89AeP2Dql
z)b|cc(B}T*1%g>}XszVaHG^z{?~uH?hg*TrNI?}k6MaGW5XZfaTbywB;jLD(N8`15
zzBVPG`rfwKkoH5T*)VskrTho(uq#Cg?n&`z%r%-V8}axhmBd)Md$na)lyW<z$m+ll
zwYF-W-c+bc_zBN`d>gyzzxYr=yhG}A^!(Ux4$x_?c(OkfWIc?j$x$k*z<CuO8AaT(
z$V_Th^Zcp>Is3FO7cGTx?>3sh2l;$ye{WZ_T>}8_0R}Ds22KG6&H)B)0RYbc1CIc}
zx4(EkJ{P;}e(y+}=0oRXWQO&b8?sAvju*EpY1S7C*|NZgr^0e?2cb!EVBmZHMvXt>
z=M6=9kp^RfZ9iNk{sFsb^OQ=?T;HVWu%89p(PXN#MT(oe`5}utk}5W<<BvNmW^2%-
z)b}Cl>Yz@%TNy6ee^ud)SkpXQwtPr40K}~?X(8B;H%;e8*fk3)-jySdN9`1Uhmao3
zTddJ_KFLo>u$m4CJy+P)3p6Jn#lITaUi!3O_za+)djAtBv=LN)D_>Jw45)ZiJ)r{C
zl<rl~&&v8}Z(;9nHbO=^7r9b*aROO<Q}T}>I6u%sa$!Kd-)Fr$^RzCfYc8&DN}Zn9
zg{p+!Gq0G`z)qdeS*7DO?;%J5y3ARaBG1`**vMt6&zdyC=-3I^5N7Glnz_Pd+8GEZ
zO;K1ia6`y*!~^d^Ad!`?6IuQGaJM9<_~&nAViH*k&wq{+6`pgC0}|3Ck9{Ap+k7XI
zJ>|T?U)c8*X9a}bV2=3P;7k2aC_47jc2x{2Wc{rfE{Z$u)ACt#Tv_xF$4%tNeReQc
zuv{)NJT5WZE-{=glfTQJml*Ds$=|20ml)2M$xfGk=G)sVPuPzi+A+89J5m8NsJ8rw
zOCvy|k0|BLn`Eu;zaZD{TQqi}sygOkQf*oL>FMfUHFN#qzlg_E4Zl0JIf^{dmeP`r
zFZr|VKpfj2X6}{bkPB_W@pYDmIjU-=?3g^zLUKZksDxLgjXcoaXJ&>aj2y%c!z^XE
zO2k63aCI=a{&3-MrP#ZDvSvQz3KlV7shY4-z@DNN)?lBSh(z~oh?U8PwHKAi#<f46
zQ!%_rN3?sL(;%Iq<y~$cmSj)Jd#7bJFmRgdIaIW5sCl%NAG@e79+V_b$U~-O(JcJn
zz_d{<<e*qn$)iVKlS#_DKbDRL#2ib91K5touCZr|3X85`W&lZizHxWw+*7VM5HtCv
zeAtQ~kUIn+jVKJltspyaA<-z)qOI@PA!jHx!mWrqlp!4`4#KUVJ4hkD_g_EAIPe+F
zM~bUjlOfY?cT^nS$07y2Z>X?8_j_~s0%aK>+L-o(65xdxAltb13ld~S7@*o<_R+p0
z&~1GC4G9xMHBfCV`%wv%A~g_gVEZ%))z2aN)B-yN(XEaI8dsPLv@5kls9oEcXUp*m
zN3RcLDQy8e7|XP0j-%cWGA~(@ET@=HN0M@_MQCrlo36$oOc;<tC}7KAUGs7q-9!BH
zbD$hiovU!EzY-$SLy}{%gU~{UjhxjM*qYq#5n|-nAjr)yCb@X9C@oThJ=+LtAPV+n
zA2okuZf~T$mZQ@<0u3vT(9gg4x3}v3P#};cP`)X2e<5A;0RPK2sX>K*7^5mPJHtx<
zw8quu_J$OvFvnD9cSn?`w<px+_XigxGeuWrb%mFuwZ+%v^@WzCvc%Tp^h8!<bR;(H
z5fr{oSox2X*KXYIzx$P4e13I{h03T`EaqwaCpg4zy;Pu{<w3~fezH`knHvBOg^0^x
zvXJhKPAQ+kVY-y<4Ua{y-D0ws>5k7~zuIED4Dg3WBINeiUC407X3%f**jvi+MJD3+
ze%xKm%1iJh7Vv+0+*{85RaX{~-WpPr+!Rxl-5Hd4D_DM?fbm~buA6$kwYEBP&DJ?6
z*By8)FYq;f2?+;<!eCPBg-9tE3`Jm483c(*Cl*VkQ0j-tX*V2<rcfFFr&5_htzM${
zKdmoQFEt1rHoOW9{1V(2?D!0LSzi^z|415=&uso5!fOTn_J`xe((PZuqG7Q(>=qj#
z(yAp>>FkzULE^Hh)mqIKn_=?0Ef*`zmfOEYCF63q+z&TGWi@LyTiuVgf+ZCJhOLd?
zw3h%nxPObKm%J$mg&E`nD=kU&|9ym9|1bM*?CLo%yZ9*VsjU=Dxx7=#^|hqAf#;Ec
z;E#n(>=U;Zj9*|a9WZB#JemAQ!aMvQeVQm&@&H#h8CT-}<53H5y6TAksI49}Sl;ok
zyau>yWtF|8RSg{6$h^-~iB^kL51ots7Clwwd=UKfeQyi+^Yl)H&Zyc>$N7tuJGzlO
z{F`<1uI(3mTZC*|Omw+V?ydh6&J;7jgfqbmZ1$*h_T<m(Y255_YX+GY7MC1PpT(Qa
z?b@lE6ymQf%%XR;gZ1{up=|@van4OAq8(+TJ!il_X~3>EU`HFU=WXy$++f$-U`O3x
z&wcBk{MN4h){eeFI`WRFd+oAo=p~El&uFblwA6-}gDNA6O0B7HX0fmypK0`*n?HUS
z#8V?y$%QY7c4p{VtNj`+^*My+X2_ED(VLmhOXe#WSvEks_NlrIjtPr(f-KugyXNZp
z=9cNDb*Oc#EW1XF+U0Y|mRYP-6I~No`waTOm@N&<s|+sV{7Vlh`Ze*N?IVjXh)eeT
z9ODw}IQX`EcAfHdkzJHt-lMQD`P9iF4N8QkBBEAs^!fB|A(u>ybTC;1Ep@c#uy6gp
zou~<5NBSe3XtH6C?pLG~ZC(B6A}HAkA*-!Kd3k2XB=cmwb@ZHWj|^P%+YlM>gPCwL
zMnyQnjHttmxg?Cpzr}d?_6tEmsYRG&l%iOYT_K4}c+J}AHv7(yaBGlhlp<-=3Za_I
zMEUWaou;InPclt23pWEG$baDa&tiYf5`#0L{FD;Mn<s?&T=0e{D(s1d`qawRz4|(W
z=z$a_iswi5Rrx%8Jy~I`w=|s@0>pQb6#ia=O;Ajeo<5Uu4i?TiXt(L@J0Sg0nQ}r2
zcr~2Ac>nTbM}Bk7-7<XL|6H@V4^;PWxH<v*8YV&scfyhUyivFoT!wr_{L1mqQ~97`
zeMmhvmunb%(xAx-bbQz$^S#i!I@7#3hy<$uyWa5|^vA3?jHgL{RQvKv2|88kF}{>g
zLrD>5S5{p>jg6y}0PgueEzS*Fb$DzcOHviyt@-v4@-z9gdTi$s@U!}KKW-Zmc5(Yy
z-hUn!t}%a^+)o|9&CM7e2eX+OL%=D8;j!g|7c!#)nX#km(a!2IJDgEQoUziJ(Vs>{
zZ>;!G6-QieOghnOM|5u-{7{HTEN{&H(6>hv`TY`!|FOQK<nBfLh1TBDcTdDWBz?#U
zZZkeqen|9eUOj|=NC$2iKK%Uv{}}i%{Yd&?{kZ#({iyuF|B(F9{7|gUMQnsSo2BYn
zXjwDhwWGS|)NfvY6!LB5Ujo?8G##x?T*RI}Y}*oRxWBY~%m!Q<)$Y=~*wm!f?%=)X
z)TGqz@x1udq&fbBdXaE&+u9nGhr#R0$U4w%74J^bJy>s*@6K62;B6J{PU1c2XqD~G
z>NxOimF!OQJ$P$X?9P2Vfc6p!NPs>F_mT=o56{tTC&R%w;>A1S#rlR|AMv6d@t$<v
z=7@-AUpGnAstvO`_cuECyH3;Yc(V=TG7jQ0e%m2j#u41wLEPG5+}a`B+7VpGL0rdS
zT*o0?#}VACLEI}IatRXYII)IFVd9MFZWiPZGlAC$Foc9q9O~!<(&#@lvI&&3e=dK;
z42lw-li|<_M#;S}n~lYj=>~v_?o%<V1;7pLmon=GK#}cRGOGk2ao^sJrWgtV-brr{
z(v(PgVnkjrF~({Ov;q(*ZqKMwwuLg@DaQ{OpN)!L{37JUi{(U9<RqIXg<=UpbhvTc
zS<oL?;1L_(<Qwp&8nEaapsE{?>>G$K8bApfP;*p1{`!H5*!ffmFrP_v${h)c7Rp+%
zSh}!9uNbM?{g!W$W~f89bVi6?wNkauANJ?YGS%*<%(94PyBy&r7*XL^chjwM4xB#l
zO06HVSV4=0b|Rvx%dX}CrrPi&+;RWGv}@FEk=w&y_(!hMuxYXG606#lkfc3?lx0fG
zrm#n<V9d^IUsLV2rLpRlb(FX4(6;8YkB3jOyk^xlJv{orq2W;H>{1w;mSq>TVTZ17
zrkd^iv$QdepGS8Xx2p8AcgHW8pigq*k6(-|Q+PCY3j6uIH$$2eo^AP2*hT^wyhwKy
z+#-Vuv^)7pozx7%ox7eV`;G<MwBRxnxxo5a&v=PTrpn~AdHEqowQM59&S+U@;D6(T
z>n*XBmg`%a|MU4-Z{gSG=6Gz{Bz*9X<@s>zLD>yJu|4(rGKFE&h;KHjU4aH0E(tI|
zGx(K<QewmtH|(q;Z!>N;hJ<aU46|@ZY=37VN>X1wli^^ym~5A;3J(_0Q#0sX&S-t5
zU0-w2)BNR1#x#>qU&)xf)vFA-s0`kG-g#Pxnpp^$C8QL$xtis_nk&kkUC0&3$`!sk
zc_6}Y$Wrq?=N6$D&R{Hr1KtlKZVqzc1WvO<=@+DGj|{wl@ciz&xE|qM<}xdc1k{ZK
zKX$;zV6j6d%zRr}HmH63>31|%1vgMH6Tk;HcZ|8I`LF;<g%9mjdfY=>Cvm$@zKre3
zx)(2>VDXbaKheF(Ak_K#+Uo=Ctd^JOYwGOnh<S&n>vajxM}|7N1R3IF_ikHRYT|77
zUR#+R;&k^swjT{s$sl%NWm`!e8dV~dqpg^8J@aRLQ6cCX7eSU?sc3>wy3tC&NuoZ}
zm#E72x%p4H{SUb1AF>a<6xsklq?r>z01y-a6b1nM06=CEv5qWSkUzznP561X?)YL~
zg<rzPAGw#Iq&^WuktTV8d(Dv7<xP?lC)6KI(omyD`{PO(aW5>YkHeI!nl-)JE-8AU
zBl{X{nDG;vE}Vc_+Xo#!*a9Ojfljy(&i?g?9e&xOI;`b+tGt6Iyi6PU>QE0I&9j1F
zj@iTGvg#)INnHp*&0{$IND&W>@PY_S9}Jj!-!(B1Fp){=pu=4!5?Av>8;rMr*m4k<
zdWztkvtj=!2GZVIxe6(DwcExTFp+LW-Mn_0uRUv&_fNXvGX#v+)q5jCQ{XNz_=go{
z!<WNFu)#y%wHD3;{g*L|p2VmWE=8faoP{MH4A_p#OerReIHs-2D(>$L>kMmZM|Qq5
zrM~5?6WoOcsCl_Hk*Z-!c(~UFg4s-wB@o*>LKAtWo|&Dt=~HqAFfX*3M~a2tJWC@s
zK{(b$cw;NS<7e@6wOsQtlEz!5Dx_66NG@WEptFm@vx~6Js{Y(ZCEW**O52bpnn{^R
zh2h<NnBhP>wa4tqO(%y=8pqM?x-g^-S@f?qgdE+NbJKk<o^KneZe6bS8m#u}uYO*r
zex}jxlWPcqOvI$K(%_p>*%`W~sU#QBX1y6}k5qh=@oNa&O(H|fB}jSRx3aI+=i*)+
zX!Cdg&!`r4qjRmwzH1vC)gEddqp1N7+)G`~R^HQGN()>ImXkkktD(Icj%WL7Bd#l4
z+S4r@2n>t*U)sv82&&h6+f9GO#-{T1K3h$J$Np*I8|AW|364#P;~VrknG}u9aNwhR
zjOz08I!AxIhB385h-Zr%zM(e#883;ic;_9%+?+mwrzz{5UEiENf^SIc9mL#{Nrh)=
z>z!EN0-(Zo#P^P3{+m&X=c((hvqALt?%qp@FT(N{HFUwnQ%F<a$kM&jl25zpUQR{i
z@CnYOThDDw-sh-i)L|%gKfIO^;BUXkU+X`sY&f=)xfxn#-B;JV^9-I&e>=X2T}yaA
zEw>i>4J_nU&k=>;BkrXY8>+Aa{vs`&Dys6I_B_yEe$c}YgzW#9*@J%XFyA`_2oeaG
zwVAo2i=({*2!xn~oEiw8ske(A2%e>jxh)8uow1t(2p-6{hRyd66a?)1Dui#{5RL!2
z!?(V}R63-Ps{YEzRS;@nIQ|q!63$VagEuq`8WaswfoT>KA-)4y7^qy%W^B=KBWRC#
zoOEiOCRmkP5|f)v`+nZDv-V0~z|jK#)7SfSBfKz*%xmI@2-LhGzm&)E6L@_9qr##L
z8p#Pz=x3qp;A<_4Dl1-S(2WpgsabWTFg}g&uQ=7l;ru%4`fvXfEO^qd*q|Y=TI&kt
z{U5&azY0h|2ZOm#;L%8l8BgHTY2CsW$wJiS6-Uq&JPq3d$*)n&yChq0{t__n;GmfD
zBq(|zLB)y`Hm5n*zje0qxk=b6`IxX@M)S_%WYWmMW~i;{tdcXU)^maRlpymVpcFx3
z2KjKwl9=7Jnc?xrL7su?muqMIdWt=goNI%%Lkfqq1w|}ZkNuT}CaQ?hV1#Z&&i)V9
z#|1oNco%;4ZUvz|VQR16qF3y67$stRQ+1_&l=^;!i-R*$?hdqs95EeEwVWw|kX0H_
z4Mg<<ba88Lan7AGLM{D#p{{Rd0mjF;K#NCn)Fi>0FMuGPkr)Xi%CA*9*kSe8eqA5x
zfYv(%M=*s@80C86i1Ke7^ZZsJY6=)K32Wg9eMEYR{JbPd1!x7>HS4NM4PKF^Rnm>9
zr}y_!l}sby8}{+RjNFGPbdGPOW2?}%sQ`Y*X?hyet(LN%8&LUgB5SpnfIGtOJe#=O
zH~(#3Hhoa(&QyIXf7`z&sNHj;385BLJMA+`$H#TwtmD5qWTXS2&o#EayWSrDx=-zF
z0S<Hl@n5Z@pP^D0uA1*OxiP<4CW|)1ZMar-S826PQ>&=~m6|%<1Nv7d4^0fLh{hjS
z(F2@s0`S=JK8u`N)CWe=sTcL^)!wy8v7`+7PZv66u5I2X4zm-hxdt{wO=ALsq=HqO
zHzh7Nzh^<VL4z#}59psW(+|oUkEobGDh^*6b5z8%^e9iem77pvg-whM*QgSfs5(+8
zGqp%H92I;RId>oJjeXoV6BVv3uYy#6y8nt&tsnk@rYezNN7m<L#H<BH4a+P+9pl>A
zxW^3PjFB$~hXKW?QNoN42FLzO9h7SyIyUIn-vx^>cTk1iAK{tc<jGgDxPEaWy1Z=#
z7?9$3`6TXUJ{-8e)uC;IS$oSs<ja+1dC;&T(Ft(q>CcR&ey;|Isnvm!jHMLPUnrGe
z>(V$m)rST~5zFb|g(z<}DlcTPfD@d?aNm`SFYeDnFgvu|Wp|FP4n9;5>#F&;b=BJg
zv4c53&L2|2IvE`G`j|Cy;x(wAvYF^sXE{uv-R|RjM$3Jj05T!!w`qrFN!S1UQa^R)
zR?1L$TQM=G@6s|V?XIn>ebFxM6LDJSqavawT{9f>I~)`H8j3A{<8&ZLJ~wZZ8QeL<
z%O3o-jnlKcc-NN*Ll4Zn`SL;-GsWp;5FBJ$bY}`H{1n~e1*!1!I}5aZXYyc68%mq*
z+u4rU>q6+Pyn2yMh4u$$v_{(Zm|N^`0jxZnm&GnUvt0ffB(tkns^isiJgbG|_26rh
z!QQdlgh?guv@3$tw!5NkDZw;f9>#FM;mtP<oq)_?ndr#?c7!Q==kK(QXk17xYh`Fa
zvM(|d{n1dh%!%0GXBBk47n4^RiL-R`?2)GQbT8fc8}sJ!yb|sW*ozyyF?96iFO_){
zIbk{E2&N@d$=c$p<8rzp<>BUZKBLo+hL-kPl{9(Kqwv~Hb<eVIMDw3AAv%Ib&$XT|
zsL5$r`W#1>FgGgE)z+@${}g@_C<HWX=4K-qo*BgRr`tK(JTuFP>#Z)%nv<yu?A2n(
ztyIq!@n;5>$q<d0sBtxr8VmVTpU;ATiD`F|6bI6qC9D1x`q5hm3a|AOqV?nn2NTZD
zoEbo!2h+VRpq<ByyeKYP^;Irw2@I@>N{4JgXt!re={LIh9i9yp*GtsP?ZMp=RsF~4
zOH+qzE6_7p74zSr;q+E1x53Q4@-=V_A<?r4XdbKCD|gy5cnWTE>Ui?RN>P+4>%zEU
z2MOtE9|JZm{gxW9a(I$kL43nk>VtonK<*~y@v0T$yqSYFM}LR20c>38U$N!qAj5rR
z1k0$$tCcBWe@lMkb-}8oOzq)cbUL*sZ1c<4SoGMrYeap}%$~B6u1%a)iycmUB0NQ+
z(Py`4v^e$8VRT1@-GKd*8Sp8f7mHraa6+{Ss9;$5G@+xB({~Hmykp<1;+bpbHBYTL
z0%%VSW`#6qMeG**5ws|j2bKdeAj|d!SnSThVgcHEG%u-5_9~J4MP7^N3^V=GZKS@o
z;|1_DV-+Ex_IHRDoBpmKA?sC0_uWpM2gB@)(Kr%Xub3^@QW=qw<Eg`m6T{6bUL+cs
z@p(44o^s9>Zdh!>@|pCl(fIfyG3ht5CN6i93JJYT+*E9(_0M+Jb?XV>Z3yE=D!-{v
zpb7VXzI**nAQ(rZynTi@;`~Qi3leV;^FtNXiS%m)vL7LkC|52Xd-(eK+zcy;fYIoW
zw_Y5~BRE@|7+)Aqsq--y=qiAZSs-e_B7y35wcf4!ctkGzoa{=LI`MW?d0OlrMD~|)
zLDMnY=wOrk7b-Q4-fiAnsq7=f{}+%6Z}#r;X*&#67@W3Wl90t^BG)*L&S5j<v!(Hv
zEEzxLY1qGs&$YDUxuy9bRrfk7oUZ4r5eY`uCceBrrNXiAQoB)hYk1tlsYas=3T`!`
zl#VI=ee^ZX<UTI{=*kQF%k4}}RHGi&Y4nl`0WWfL0&(56MP-}Z#7oW`o&E}Xt*_+N
z4#>G(?@FS2c554M`_L60bA#`6W$~tbB9VL`5H*RKv*Z05;Br`!J8a+I#^mscLFbtd
zPI6wo@HnetUK%uZ2kG>!=w}k2C$qloGVvYm_J*BnIDEnB0KNA;n#;;U;Llf%A2aue
zYHNL3n_2U2v+3y)U(+cj;yvv%2pu4<g|n^6M)~2!b*=Op5r>0zS*^VA)XRC98n}4I
zch}d>D~D1YPevT=8^ossSrIXCPypd*faE#~Ak<gPbP^B=36NF(W3I!J+Q`^Q5CLZ5
zu*fL{CWDcK-JwxL!|&ZCCML=_hp0@3IYyiSj2^0o2F8Yes>zR|0|z-oZGklylQSx3
zgv3%IrBa-vT^xgMZyW6>gQtl+k0JuSp-lljbcXpQqq35-))JWSN8}0{0Ry=rbq50}
zWMWXDE!CC^J1Ee0--f#ee|f@9hs{?nkG=IowD;7hnLp4r<ss`}aoxL1T|o6c&Gi%d
zxIJwDJKD~FZ*qA~NIj-MFwo?vXM*vLi$=6pJreX^@ktfx#V<2U9VTcNyd7V7)o1z2
z)}EDx!Oye<-TNAbZMwMp<GFEdvse?~?;F2Ro4ClhsrPaFwTaVsA9tTFm~__vSozMz
z*L&25d0iU42;K+1r>tEWpu1Y!sX8Z6eN$HDhaLMCrN<L0$8~vm^Y9bLaIBMp!Iu|v
z)d^!CyTlhLi<n<;dc5ci*otpd3m8yd;ErB)f8L`DO}lzDv)QGTsT9<XB}<p9rzXTZ
z-TLZJ?_u9I%w$?$#B$&2On$1nJ9p-ZWu=$LrRI$afs&mt9#`qR7`L*OI#O43)NS9=
z*D<l0@qFX{;i78@ZTBIx9ZU-6gq}Qqc-FCilMD;dsN4g>pK1I53_wy|Is!-7VThNo
zGjIgXL%i&P2|x#j|NigU1C7GSrj6|Aibk}aiZ6>pPo(pQ{+enL^blev(1k4W1b#G~
z%TAVGk+w|0SS5lo)!D%Xrn>&H9<tGpf{MBt4Vm>k9-qsm!#Y4qYE)KN38Qn#<9PxW
zjL2QKZt8|UOkNanO(KDi6)TW#GvAkw#e{W%wrus(Ri}vJSjgVP6%IDU=>01V|4lBp
zy?ryO(^aCbKJbvK-^k0v_%`j?7%8b2HSI9DnnviOSp+DX|Gj4Sib&k_Zk0pVd$6_=
zj+zlRzqS2wsqMRJ<(oBSryTGbmS5NUVi<S1$#i5vnbxA}I?VYsQC>?%MbFD{UX?Zb
zS#|oro;{lRFF6}87S?Wh?=`Q&<&7S-&#B-3$>qOm*H<@O54~gjK5^M<tMRJPgEZaw
z3;Un0XnJ`1>F(QVBL5_dfRysi6=9Yyya&du&#Uz=)B_E5YcpPhAkPPFnp5uSw0_Jc
ze7LkE{YrOz%7vv{DIQarylmdFtQMI5Ro{X=^{}^E1U|H!qg~P-znaQEBZ>6G^u=^}
z64--W-j1xuW<Ze>XcQQcV>t*a6-*A2NT?I0hS?4(!}j|P2dXk6%W~j(auCk}v%xGJ
zey$_{CHd%wQYPU*FtAkMF-Zze0YXlu6taw{AsCNPfU$x4Z>u3B{zI;f`8n5C03`hW
z+2n>DHe|bQ6<lTTOLm7dIRRM9fj%5q0CJ9Lj<IBr{sM-=fJi~g@o<IhDhLDuGllJn
z@MAlsv>h0!kgWf?W1%9Zf6wvXU|Pj$b(RY$sNLxxzhX6Uj!tuWyZ+4mtHK4znlWp&
zmhSHR@b&Qu^TM4DqW<0>4$Cax&-9*qZ`7yg=SyFg#_m<^uG8PnwRw8I-R)ZQ;_9>I
zk0*S^ZBVTmsP>~`gA2jsDyQa1>JfaS&VCl#ZR+KU!=w)@YbfVK&4?|pnYA;=>?=w#
z+ZH}|Qo*rBRy%ZaRDABvOw-@qQa6y7=rt;r6n5^p{|v`X&lBv^PhN|%7T(ZSYwgOw
zm~ME?@n|KTlXO>RL>@2Rx3}6S<@KHu<^VOOdB&U77duI_#X6@0!d(eWuWah3@)XNM
zc!77u@eQdf^pktCpEstg^FQ@|uYF7aEXH0yFntD%LV>j0|7RHfb=y#Q0-2Lm4-AHG
zs450lSA4t)j1@|FSQ99EhXKof8e(BY)m<v}R~yePc$${Mh`*OPp@n29S_hUYG*O4+
z05^w|Iv)yycu+jVhZqnGA|oX_#DxUN*+j&~Lw@HWmRN`laUc;=N<_|tPz-W54)L>)
z*8+$vYr{l-X-FNutS$%nW+0ZyNFTBCK7S%DR*Zsd@A_C6j*Z1+($&7&9qDLGjHp<F
zZ9S>A795XupysC+^%M&5H~Dj36(^tRIT(A_Pe^L-o3wAntCabXc-t#R4=!8_YRuos
zjHtzVeK>eg$G*t^#gd+no-<yp!1T|$m34SP69zBcdp_g^KU)<7&%Y8POjL`@oc`)X
z(atQ-HJ6vho#^}Km9X63W}|m61?~+xXkOyiHgbo{yQ`I`qaBqo*Y9pW8YM{T$~JVX
z`IbNOc0+GmKQv=APVZ=C)s{!~w?iKjU2SU0K*RlqF_cGBm~-ou`4!c|<#Vjk7hOv$
zjVk`qf3Agb*q62G)~S;ryb;=(HU2R@Un`cU$413&Am)nEcpyeA|8w_nuo(3bp>2;;
z!2JK|XG_06+)@<eY@n~GNBmGh83m00@hHJsvh2bYc7UB>S9_<KzsS*c?DXV!udBAS
zG$xOE#kxnm&)cp08#$!+vI2vsnB<_1#3QrbHl$oA##6^s#AWW}>h2$<)$!M8J7&B7
z>Lq^(Dyr5!P2cln$@7+y%B)&p`}yZPTawpMSHB?Dw4ThiyT)3z-R{AS8dYvWc=leG
zyHA6-wRh*f$s#7i9=O=G&#*H0N^{CSi)%rQrAMl-j<c^_(|?`VmYSNjKWlGy$#lP6
zDVtVZXi?V)9kW0%jFcYH9F{qCRgNUp?iBl0MQN^ICc(e3_(oUFla7k$6OY=Kyxh0A
zW?090m-0h1EguBb%wtjA9oJe%+*L{T4`urpdPeTh&D4Cc;sA%cl&NX{?HXtDaIeC0
h)21a2$vfK$o1ZQf_M=KKFYSjQ=wAR}P^|j^000u7%>4iW

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.eot b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.eot
new file mode 100644
index 0000000000000000000000000000000000000000..2f7a52c4543db833cabb85e75570767a452dba5b
GIT binary patch
literal 112905
zcmbSxRa6{J7ws?%FoO;n+}+(}7zTHDcL~9RXK;6ScL+}K;O-8A1PBgE@PvdUH{bto
z*SfE_YIRrDKKty`>%3HV^?~%D0Gi*S0D%8G2mk;8vCvUbL8w3=2nApS{09Kkw7vrY
zRw(~W|E>OOB`5&e|Hi)X2hsn=|F`i1bOEmbz5p+PEx`UCQ5Rqha0ht*n`!;SUi}ZT
z2fPG018n}S+yHj}+;IUq|G19-yxjh=z5XFS0E2&s*FQh!e=PTZUi<)V0Pnv$FF@j-
zlJ5USc>jku{bTw3i})Yc@1KqDe{61mC_wlh|K&eb*MEBdaUA|x-2NB+KSiN`moPv8
zAox#3_+Q-rpQi@^;JS)h|8Eum08~^*07`@`N`yR06_RNFJaO9J#Bs*i*4HQ6pV_vz
zT=12kCimH53Ie#-i*OLEWnrkUO;3FKO32b6D$1fhRctqDn>*L=0zuD%N7X8>oZd*l
zfY+9w{QW(tz#3tumvD<nFM3u&lJZ{B<4wZ{AY$j*-79!wAjpMk!QiMcO6Bv!%x`O)
z@DB40;Dai`np*G#Oky4FtCs&lmE)XZz^$y5FOPMU9Oclu?@>(GTGgt4-)DlspLQ%E
ze++J8hc%x_>YF~e=gwqfTG_0~tWRdGiCKXHC`87QWj1Fj({Xcu1r(1XC;*@Mh_LHB
z8Akp<@ZVuagH4Byuy05l0DhPjq3Ss`tjCazKN*Z#cI|f^luMb>6n}qDQV@Dl8Rz&a
zsWv6fMwf3>9P>kmnBEN1-!Oja^_hM{L==n)h4f-EBZS?%FNR~5#@=SAantAatLzWt
z6kwn-fl#O2@?$fjlp3RzTlPRnJEUV`kB3%)#lOzjWJ$H*NP;h)<i16J7A}2$ytEbo
z3;*E}&0D`I4lwwIcSdZ3;cX`3$cs;^FvWclCDp@C4lp;p)!<M?F#-l2=yy_SvCiuz
zbLrEzkwBMK!v2CI07`yhZ3<*`qEjxIn_Yq8z1GdnHqE)<34J6P*4p}9bOgCk^Tves
z&__(q<H&~UDDJZT3?0)bQAKNnQ>Kpo^am6A@ajP(RQAcIEk{L)3^<bEqfpkwr5X#|
zag?~R(-}`cb1qAJWw_S=V8Xkk%#PypBUX(;*`V#`#&w*FUD7uXbw5T5Pao}(K?%W=
zQTx0#L+LJ`<)>As5<jwpvVYj$mx`OYUxVQ;kUJLNiGy2<X1Ui<3CU6KygqqQ7r*0n
z;&era75zxpnku&*OY1Q28@b3wV0@rghhD0(=qoyu)p%rcA8eB<*XZmyZ{28oEnTAl
zb~GxI;Wo2>lJa+5mXmk3s5(a>42jl<SL2d5J<M+$|9IPvM})H87#Vy(qJo>CcLOgW
zt3gy)nJ(9FUq-T(2B3=JQ*OhmVb!k9NP$MbNE($)KIh?fZPzozbV{81D3&|zs~~)4
zyjo$9CGF*!owaRHf2C2@B!?X_px+}gnk`Vg&=rTshK7{q#T>Ww>i6wl7ly?53L4d~
z%ZUepuDN+lJ^R>Wp|ifKSp&lQI+MRWh>XAlwm2i$f0bm>aw`#viXZzR`W`a_r7cuf
z9{1Tg8$F-b*DD)oddecQh4aj@aIWAXHx7I_gcKa0*T0{`weiU`RREnhZR`_uA4`9*
zO4_W0=oKkazh*>W2+MF{(2fS67VL20i?C|x2qmy){jiD)F<Lmg{&IyPn(Of{&MB7n
zjb6Xg^<vFg^~(&o6J29>c?Cl~Fq)atvmO@N-6{r@PjuDi4Ax(E{=pZq&XO(Z;fdmK
zLS!r(cH+mAKo|l;rZ_C&8lc23!)Wm?FZdzfqw`_?vB5_eK%)}!@AHkAbEbaWyTjeV
zic1^PrS3Lzq4gxN?6Ulof@PY3Y>~>>b|(|H?JcnGkI~Nlx!LTYY1b>%->d|h?UOs#
z5ub709rsT8^whL`UYykE$gX>trm5#l<>R6=|MaU!Rln$4KU<f3NwlmfeZLJi3BJ7C
z<dL@DXrxrW@5@cCNP1nnzx2ENxi96O*s1C#2B=1a&VJtAw^Y>_$SyuQPLa9Uz-7Q4
z6T1g!6~IAjKIW~&OZ-Os11py<!p_X8D8D;NuA!A+*`eGAeamf&0z;e8!1i-jG;K3S
zTxb|M4h~xAj}>NAC^_rOUqCflA0T&aHJen3cuM>jpn2D;q+x$~?j#y9CEaGE!)!PH
z%M&s)LVl$E*Fu9x2Giy<r=TTC8-ICemPM?Ctkrw$AIPicgLI~yCHS=-?ujP?Lcex%
z-9+(A^%rhyE0oFiMLK`czO(R*2367klZU%RnTF>(;<GCz>30s$5l1%Jw;`tTll!#>
zg&igcC<RSv+LII!-)$Kmm0qgB8_;AP)^}Fn#UW;l{m*y%{L|R%sbf0jA2kvcDTwKo
z4l&X{y%c6mTvm~AFAeCe<y&-rUi6k9^ItwwtrTXm^XR7zod<YY8%)i;3ysfb4!!+!
z)`C1?kBzcq7LM6wb^w?K*uwn?Vm5|b>|_v|GSK-~5w}?Y=ycOHJg{RE1)5dsjPA49
zp9GK^8y0nNks6wevxl&eUx#H_FJ3&B(n_65qWM?2?Q6jN^t>!K?PEPvM7}O)w+SK-
zUsK)?tNI&}5@EN5j-0BVv~XA0ha<qwSFHUpHv50-&l+nEdOuJmt<w>FT-c0#;5(`h
zlTLc-=C5_!GwY@Vw%K4Gmw4QFu?k^TKPBC|OtJy^PFkQHE9wUm&XTnt`fO8WY>g^z
zI30BDh5S?MdxE4js#e33QMTG?ZLb{}?-xW?S=W}rdgfffo4-QFr&-M5jFf~eUw+#>
zuiX(H#A78N|Hil}d~NXE^wT`wE#vfDaGK&&Kl^hg*em3yQ6wviTXmwb)noFIN$;!g
zh$Vuw)z>(0qO{a^u<*~xfe(1;Q|NL|YG0h8^x?M6uhs6`!~AwxK}OklAy1;*j{pk6
zVIw`o4@aV<D481PAn#eX(ggaV_{P&KBH0<;n}h@b<!9@)$W>4|5Ya7pGm#7Tl7T8}
zgw=Ievm3u5bMH~Fo;Rx6S^K2`>dsrykl2H23=Deqi$o9J9Xg$wW2FkcCI@c-&WUxY
zuu)fcU#}eHFI_>1NWTrtk^14S@5P}fsu0}QzOE)~TT&nxD-8ZJL8L(fEj`bj*6$BR
zm)S{<5_xTQVBioDv}chT%$7cAjFYGc`_e(A_saXN;+`&+-CK%BaGI;GjPpwNVvFeU
z4gbST-iSn#3wbe3&pHGL@N+xX$Z^s7gMj7^UDSJC9e=+`!Po+#X{?k+n1IYcvm8s9
zg>}aIAKk+zXBRqAPOoL8S3=p#_^^gm3djdH1-Bc$tOZXhzc_PdgaFDU8cQ2HvEB9V
zlOTIicnzaAhW%G9O<W(u<wuQzfSE0lv4*(Qvxluf<QLH0751VYX`-zua0mQ3ZN_qN
z==Z?!K<~GlTLgVt$~I-37F@aCKfZeefpY6oDjNM)0}RoeS*VG0y#;>QH8X*>NFAt>
z5XW;nX8NfEnOfl{chxgGhv}HLm@Xc|=9xx<8{BEuy{OJLeoQXHHC1jt3-3^YAWStm
zwXt+fupK&YW;I1s)WsIlb81}3O*M=V?4$FbG-hc%yuh2+!GLYYWjfsXh8Yd-^jfZs
zinbF7JcJbW2uRXlVX3|N^A$?|^9pae@f0Rkj5*_yw?vk)V<J{MPGME(b#KU{l<p8^
z;n<JNooG-O%AW(QGkEAzD6GXP`?~%NY4VzN+zumZBKr_=&T!e8Dipd)<TT5dRD-=}
zDsAb_6~Y>@Ce09=<6d?@<g*)CA}}eda3RQ;%kSxD&q#XAi8oEA!U;Y~oC@S^b_lyf
zK2+|3vhS6}UbB)l?=K;v87BDW+b!M&bTE6GfwA{eegqWo<|?EgiRvdNHQ%;oa!dwq
ze5hUX;GF!z^C4~cY4*myg90C>7>oBS_CS`^X(+;=_4UtmjQ0%`JnXa**l%K&i?4^E
z=rg=hTIwYede68(Uza*FSyBj)L$Zw?RfL7*qgq5R(ZKzVT0Rf%jwl;Y-Rl0UR|SJN
zzJj9FT3{-UpC9hxPr~n%vgi!IGaGsmIpzkZ|5}Or@BUb;!0W&#a@GkD>|m#hipdpJ
z=ScX?s!>ge^JVp!HXP$Lt(#zEy{{o8+D8Wc>>BN7dg_y{3;@-j_D($_4D&FMWEn;D
znAr+DyAc+94@S2kAs5T<6+(M$6v35GG<Wk9VwQgG-lP-jH@3*LEKLnp-6cn+;}hA-
zS-mMv{p{mOE`?cO0A&QcsgMmGfcq#I@??v}4|01be$(V3h#b;@CSm;vlrzX-H$tE1
zR&=F7w@L6K+$BeAD24X(f1#^+mp}?_{X&Px=lfjpS)?>cq@cjBs(5AurK?ms1Cn||
z-vRpW5$cU4tCAxPjjwe-3Lb&)j&`Qa784A!sQ*Iy&OjBfunLI5w{eqMFK3^Oz-V_X
z(sUZZ0R`Q{n=#*f-X-^;qfT<Ns!-GYyp{%?S=MRZdr)_;jfqwk6Q&I{e;GA-XBkVs
zkras1x#=oRL9eYpqbxn`ZIsH`JQZM_M%t09dk~)E;+(iqFXR3s8JyY8VAz8#$@O~a
zr#-dw^&Un^MxXbD^N3-x6fJ8I(ac{7MFp!JISawVkDNbZ?)PWhI=|lx0n!fv(XFdB
zFUd5TA0&2nvwx<cmVPr=-v77Pe!hw{qq(Y{{mn)FZl=}&<@X-YoClv2lkw^EejKKt
zl?t3pZlqbSBl@o$Z?|>jN7w>t<UkY~qF@p7>Vq!Z8}+kGJ(sD-YZEjLjEW1j<-1qq
z*go&og~GlysUL{VMHhN<^lKf5d;}`HB0s3MJ@0c8=(1q%?_uUX?34uy8M268<mJ>-
zh+F{C^&ItRB_EQ$FYA9d&JcWgE%nebNz@~&klQ5LeutE)=q6G6jub=sj|+DEmiKJb
z(6htOldV!_p{a5i@)^RFw{I~5yj*3lza}2NdBdq5{&)haH-hT*{6X9L>9nlKW&*vj
z81eW*N*7<DUfw3SqhaR{qpW{<bz~O?NM^f(Df1#6+B|451%ns$ef}odeOP;}|6!ur
zRz2kBK4J&spjMOn;aafx1K%~V<tm_eizFYY$V83;GkVY6Ea%{jA@!2c*g|%l$r2ce
zhd7KYCsAkQXLKO*&bHaZ)6UMb8_Lzj8q+>Ao~Sih%;d=rs0IkTbgS#<*J_M{IM($&
zYbS|cvSA9RY54M5YlyP=@bw#$+d1~$$i|=SX~?K|li87vf)b<4%71;l+dVa7)!iRB
zwxvzk&mI2I_MU5MXmuh{8K2+pE0)xrh2mzfdT=Q@rYqBY5Hp^7?H7!MY3QBp-WIx^
zN0%3VX{YRt=HQxY2WyO#bma%`ivwM>;~p3MrL8+6mBnQK62D|0frXy<^E2jmO2<mo
z*N6C~3fPq<AQe{ap5Q3Avp*Rm^o<Q;d05o6`Fwijiev02)HafQI^DUBOUAFqmdgYb
z8LVg2hVbA^82CCw=)c(0d>xzk@R1sQt*ic+{v~I!yn^ZNh#VFh96dBGNyW97;&v_i
zi+8y=kT<rPy}^juIsCL!J@tsCmvh!3__1s7l(SNyo<XAHF9q1RjA4N(Ox?z$5_F#|
z%oo0Tu^(v=ypFAu$N7+P7IJm{9iyKF?_*9RYlLApGzB1uvRwPY38sL9(X9!?O{(;{
z)qD?0_oD3}UfD~<NLpYWmXuDWJJTwhE3k-)t>v8g)}cot7qBMvyRxKWUV7~}3eu&|
z+%}PKtAPX32emeck}y_^5b`1mS3*f$!w9HLc9_o?-=;dRO8hlOH3=XK-<e|xhoW<e
z3U1NU2~Vjq5<aUX!rDz2>k@}O!YT9@^K{8~DBlu^l3ofVoq{XZX)mE6UZg?jg*jO_
zBLl+WQq)tBb!B~_^AF{4&r174rvyf6$tI7#TDxi`zl*KbK)(+MYc0o$O9^!&?6H5F
zcm;qLd>FB>==?H<Cz&~P-TXaItOz|LmNAa)#;OlLR6a$v6*X<sZ$xc=(=n~RHf&DK
z-2%$RbabmNt?<@H@!cvV0fJnEfR9~a@55;FUTuQpH&)rKulQRuzi^ex2O2qx-9!GM
z8VuD5k65+|1Vz>G4$h_Sk3~H?Wqo6}Begk-3Y2o7oGIjzF{4HXs7Ea8l;X!3YzQjQ
z_W7EQ7_dwzU-)u2xAF0uU!%P-Po&{33N7sCCc2*E_%2oGYsLuK$Z4J}=0d9`6+1)6
zV0!cP(#b=d{h_~HjmSRBM-ew>yZuwfvee-MvL9(#zsD!mE96$ijmYjuuFO!v-d)ym
zbjL2~@E!CbkmR4-KQYVE`GULkHlp+JU8QXI<?zfl<_<T7mg<*VJnohN%1?_l(U`1@
zUg=Wv;i28#VE?HuK^kmK)l=k!NPeQznt%pnAXD#?e7#p_*(Y)xhWF&!z{Xjl1)z3#
z9{D2k6zpLoq^X*cYk$)20%g0UTZK4WJjElwGwvpe<-mS3i>@L(_6h&ngh60zN;ZnI
zzcJx)N4yJkN103XZw<3r<h)ELNd?(kj>>kKh;d_C8=7d|fN&)#h_L&~G=^qSt<&P`
zd%Jn(RDK#lwRDLq4MBCo4FRq66!pA%_gv50a6f=^+Gc9Bgk`A)g%m(*@6{1z%{R2w
z`zx4LH<zW5>r%JZU`&3TT!n3!mgVKPC?R~aDz(nmLqQ(GjD1U7ms+Yyn}=IrB&bMI
zfzLX~M-aP!l0ETdJ#3=))gN$`$tZ}H4G@n^1abKfvAg~9M;!8Yd{rD72T<eSF62l8
z)^&%_!~_BO`l$~tE!1?jDD^&#<mL3kj7|@7h+;j)*g|@;+BNu*UaU!bDM@)IaNOfM
zOM#l8QeXtIiw>&Qm4kNql38ip38+H!S0XstLE|7ckJ2a?R$65`IAMG^2-0_V7gG!K
z=tZDw7+Fm-L}TUV>=_EB4twGLuJVFm6AJx(Tw#HFDU4C3(MF^(@+72*0{AhOu)|VN
z$*qwBDt#Bc0>y**j()IJ;tA`S&%6zunQed%oHfrJxS^tQCvk5-lhzAQ&`Gtbv2f}L
zMYC-k<W?p{v%R<}rQe?MP@rgPNh~fKCT1p;heSizj|3sfqoCB5XLZVN{_!o(`a~fd
z@#6O3<kER6(s}XHMRU{6`E3+yn(B>BbxEH?a{$M~)p31neApl8o(9qiKh9zo&;8LC
zHdj7FR^IzFehoRg2so+_*{_$^)W>kFkEN<{K`pMuX<`olybiqmcqVA15fQXDfx#A4
z!}eEQ_j;!y+oYnIysW%aj?X2U#U<Kg>^EuT($R$b7a?aMXjob`mfx%x^3QiVUdok)
zH)Z~8k*j-slN%*(<^-bN{XOn~wksBrXpG_s_z_t_mg#xOb&9DF$SsxN3CXd^`=n5u
z`W{iV7t{#cFB#85zIfy^AlmKto&el5Rh6rrO^@v@ymTq}AXc?zg#Fa@Scl=Rz_{ir
zNU^Fh9Z60~0d2BK^dJVE*P|rGN-t8`^>+-soZR0|VJ@wS4mOXiCs}FHB6TZl9&-AQ
z!?2QTCw8b8IOUQrhJ%q!Z}rRzlI5=DDZ=Ks;E2gS?4QwZUdrGytD&M-^gc(_FEJ(`
zrZpstskwW_DR{X4z)krg@N+S+-YuhP=k3+&Bf3rM)Q{P}IxoAq5m#dUR0L%}#JPdo
zCKLW0OOp8gQt|rE&?a)gS{x3A`@p?NRHU!Og?e$sMJSQ`8w^|HUnb&wFG&b<#`O-n
zjDMdr{cd^ZKNuw&?rUNw=%oVciL8*5wP%6LvfD`F7373>2U2cEOZ~#Rd^DV4`Gi?I
z!e-ec8M})+Wx~QA)<`uV&OW}ErE^at{0E%a*U{+PokSk9=5UFePhKY5C_<^d&lu98
z-9LW(>Cmedm;Na@Hc_0zlOws?DY}xNR0Kj%6UK?qN>URZmUb~1*_QiEYLtPzHKWA@
zk<zUo%6F1kx=U9-?dzIQrpq<O!>rV7zl(WqH?VymCR1Bcf>nWk?CJeMD%j{=4b7I@
zIIc~V6Oca|sAyH0ip)-+3_ga$O<Ixkyi8kRT#<SFf^`_x!#t{I9_vsRp5kIz)H-F{
z#F2lOr5O)zNKa+gX5%c?NhIf)vaQhjdCEgcXX?G*TLkbaki_K_Xr)iWS%I(V?!Yrc
z2B~e_=!*YX$9L?LdgnB+R0x61r8C(KXeX<eD<}fA-xtJY?6WAmn*!VFH^2ACK;zV8
za<WoZrB=idj`uLj{Q|b704nsNaMKo1pom3bzFu~f93GL6(o=Gtie1wB6kih=OiOHm
zRForNUh)V?zwuXI5REQkhv>un!O+h?Rw=_Ok;6$5)j<Sr$1G2XcOF05NIwYQX{_vV
z3#u#b+z9Xyz9{Ef_7N+lh~kj1&?<IG7Lvc8^j`Do{yXo8xQ_CA>wLSvVvmq})K(mv
z$SX>F9tf$Cc>l6Q*{leFAY6EqA^X`u|F*qw>#E4>Bb!^3g(`|GqKi7)_sQaYw;qO{
zsT!1OeI@5S+_c1c=B~WL+9<oG%0(AbWuucLntwG3m))4?q;`pk)MGsw#>*T&8(D8D
z%4gcEo_kKE9tWNwN4*uHO0Q1HQCmr4JwbRXM+K+oY7dU)SL6@m|II#2|9K^P#2kGj
zyw%nTHm;QI5X+Br8&a_CWIJXP;>e=cJEb3}PJ=nq?WmLtDq96~$~nDFjUX1~!m7hW
zL`6nQSE(d9=E(7Bg%`ArZJYcEJgx1JYcK9BuAYZaJ66`em~H+hr|cpBlhS!%LIJFp
z+%p@4W|{HWr*YI!<)Z8qHQn1kw`x7+${B{5%F%TTe!C^-1OIv|;HAg{@byAOJVoY)
zVlWkPf4=)E<CTK8Xkf?uNO$^iM9Ur{ENhVGM9oM`79KV?yekUTT77HhYnEbDEp)+P
z&S-FBsGd$`N<4(`p@p_>BYqn)4YdPGlp8=O?`9B!rEnFvHK3K`8K<FE#3X$Or~+sX
zh*$6aepIP*oHNvkru}}DZCEZ!iW4GdFUG3pTvnubE#g@g^Ols+1szBj6(df0q%1om
z8a{__{5Q8ve%Oq5ik@CAw@&@v{}FY;bku%Y0}XxB`Xh<a2vN*w624drJ}4T-9~!Wr
zJj8HLu8oYb;zo~BS2BNA4Hm>;nHxziEJSq+EJKjbJ9yz68EewM;f~p5Kz@?Ng8qQ)
zON8m6s9|82O*iC<O`lGC0hWqLl+6$&A5}B9gYVDkGi<*(+=&bi*AG{Kh8ZuHczg-e
z(m-MKXeh%dg%jvq({>2;+%rkvtJmdzFp7A3`iesmit<=k-BLqKQfVC6k!(NQ7NQO5
zgLM9k`~K;n!$fd$lIGH)B9v27`$sQYq-~+O^4#^p53#tDpSMT_5vg|5pkK~De{)pf
zZ=j4%yvFlY`~wXho99Y2i_vwn%^}<al0Q{N_->XqonIsn0y$zh*JQe)8|Zbz^bV$b
z(<;3Zs#EhkiN_bt-LAAZ$@;px6kKXtp4Tnwbcq$~>&ffL>$wwuzi4{pnTh`rLqPsP
zKuHA{w=SQ-DVrY#(fKTJE+ZV}gff-Gl-VXU52==r9DDD1Aat0Dmxt-?E0;LAu7>Xh
z(2!GVXO9l+rWNx?etXz*#h(YKF`<lMhi}k8iO)_(XfV8<OB-uT^i-?!agzu~T3M&~
zbOY(n^^G!FH?6RSFl9x(YkV@&_RiA^C(;{_wbU&SS@7rNy<eI0R;R`vJt&LDFV*6`
zuqnr`tW=-DzX29i*GietH#0W8qWvW#gs)$u{>b!m0nBWr^QCOA9J8F4LN~r;B^=-O
zKwFTO$!*2c11Lo&D_}&UYW1B5H5NV8cb^6j+SV=gusYmb`V(*JjqJmFHdXXXj5dD~
z4Crs$U;RJ}k{A84JQJFQ0q@HtJLmr_U7sS&k5?A14`is{Eov1QQDJ4hHn@*a5TP)Y
z2NrBzITV}~hr4;B=Hd*a(+m6s`9~U4&p&5PnxXAS5F45go`gpg#o5LSwGAMfBUuRP
zV{9&YyDrg99ESWpcBRVDc?caDe~EiV_p;%!v#F_h;_dlQv_(@7Tvh5KvGV@aB(4i>
zWAWA{ks1-Vi|>krq)Zx43U_`3pxA#W_oyTP&XhB*^sVWzZIVONOl9a7kMyO|T8SSk
z{=L_;1@bjx`213I_C;EY4lS>noH<icEWRujwu*l6qvglSz>dY~CmVX<SOt~ElvN(i
zl%0=w4lj&Y?v|OXc5K|NeEHCS@AaS;G<WplRCwLimLcn{dc#fgP5pMmP5i~gz8P66
znLmUU91y=a*_>Q09L;^g&_!oTQNl+RDFQyXL7VF{%@{s5u>Zc0?buJBchx?pK*p(C
zoh^+PKb6!Zx)=R08ouOP+hBU^gvX}IVdd(PePvKiQkD%15GZaG$gVSJ$j;vw%-qd9
zR~pM<fN=Pfp4(R4sc>gabEF%saX9IvW|ryFsmnb_>0_c;&AfHgn<~q#5T7tQ@tsSU
z+shl}AkkCMbE^Z@rD<F1Y*WI;#`GiMb{b<QN<Y$E7-|te#_Eg`DrJ=_aHMfQk&{!b
z^4cooCdrWVGh(w`t3cDO>9l!<Sw|el@M8U;P7FG<9kR7y&;+f-FpMxXI$}5^95tLj
z+#~W3^c(yJOad?m{6aASGyx0&vjBL8XEMMI#EXr@Y9W)xlFYyDn|gybh~uwxJv$r|
zS;Fx=bHlO!CPD@~IK*Re!V>+NP&5en5?4^zIgdHmvsp7)OjIF>3fzkxh&hn^;Pkqc
z(687-N>u?M=XQH!o!Y$|^h9y%pi6_AUSU=@48*otC>x{x0yTl%+dC<pL6$yLpaPkV
zjv@4FMdgmNt^N@LaOy<nq8%c^$g|O<2_pozhthuUP*a2>IGd8d!+!ex@HonvLd8Nj
zIfavZIZ2cWp_6DC8(bY=LVRXqY+y(wf4^HcFGn6tg_0RjC-IOva>)>_i5(9i4LVG=
zdQjLDR@(KQlBH`)%xJ(Q&}h_d@-W$bMPHd7lEc6+uNS^8qlM`@8}tssV)E;mghmt@
z4?i-(IB0})>W5!)W%!j((QyKsj3zd+133s0+8*+;b3v{O=er&q!&|`>#!9XCF_}d=
zc>6xEawH`$suzTmcqx#U?yT$)XondK)Z#Do8P*p56I{?uK17VhBD_oG**USvOsV6E
zHp+tMPS^9}upm6ON2q*Pm3j9NdZ0g%k@}W-w=2I%#MC?CEs9xz=$rao&uQjvPr$zH
zf?U`!4zxRv)^iU3%%trG%Vv}QXI+v)jxE!0MubEWE)JzdcVq?-&6pV5{o~mMpz10`
zKyTpCrI=)_xUX@@>l&NpLHq<B@dbUa_Dw$zCDIe~)N{Bg{lzY|sJ#c^@HnP`=)bfN
zTmM2))3&)mK2qlf+0aF1;~4Q;jg3%HT`}`!w)^lYR$-}wgaMqQMg}%+Lj%Z`B%?Fi
z@uW*?68oYUS4sn{MuJD85MDLg#R(fGUNypc6pB#gsP|^M#zGs+c1;NI;h;Tp*q!3P
z%xb3}mB$hBZJ3)}(68~c0(DkOqg{RNrPUU}hGH|0+=-v7!SqB2Ah_Eq9TCR_UFWVM
zcj>3YLuT1<8)n<5?Z^$=Yt8*E<MDe_QWpO}Ks5|w;Z4oL_sP&jZ1Mz3zb>v=Vmz0y
z8FboODy<Sx{Chnov$eP|mneG33q18@Edo7snU&vceUs;F-gV(++OCU6cstTKhbvvp
zWj4(9Z+>c9mVX`_cj1o>fXqmfq_jXH!6_{Crt9PaA07A}QAU1EBvKYIzv0)=Jvg{>
z9_acMpEh4EHlvsr!u1|?s`?L0YXr*u*+qqGrBAG<f=AP*#e(r6C;g~UWYXinP=)>i
z9o#rls@^}E;J&rQg?H|id>^SQ``Bu~7HI+J>#6Jot2vTWH=Kw}4Beh}ts+>DdJTXf
zB`;a)g5F<G4Q8=jZANKvL!>6ITT5_@kg*86<0P%47-o}OQcz;AVvn<Xn$2p0v6rx#
zg7}y4C%hNHV${Cbv$B*KK&evEUVQ?KHoj_O6Rh-m>BDbQg+xEDlMv5V-q_kYNb4Cr
zQF5gU%eh#6^`(UDoOn1<KE3Eu--nRxo{_uq>o0iy!^ao{>q}DKV7q~(4k@SobKknm
zgAWz$(YmyEeY5)tSni{e#ZVUUzd)H^OG<uR5q@N0>o^kQL9G7rmPF6zrSw<ORdCky
ztn~sg2)d06D$EMG6rpR4>^Tt}Sd>*V3(VL;UYYDPT~q@ykJ8BdBbZ+J41--=Dt}>)
z>d3qJgUJ97x0Q&FT}GDMIC07%u0ml0iCsO<c<MK+J1a#p$#>cxvz80cgy{%0mUhmI
z-c9Y{<tZr{`lrxw&LYr+1?w#6`3yu1Fc-rqYO%xRboGSkjS+dK<ca1#+W~nYv(VB#
z`1(~l>&-L%Cz`m_b~xO><uBVtjC~tgV)*%DG+iF<_=(c!9ma$c4Zo5x>IuxH)WkF`
zbb^<S55*eE-IrQ{A}m=oLuBeu(E0&lto+O*>z>eE(JE&XXAg`=Bf@gOz}^R6zW<{O
zVwTR_Y~NG9&%$$Nq>T@qYs?4O7e!dqW|%x6DucCv<@RvawsUZOn1Or6QVfLjL5UC6
z;#qnfpU7P8Tv%qWp|e&tE=!(wVYf!YnxHGMB%WW77Vp4{t;HCAj$KKr#8WCn&npMx
zL@q=A9`-|dXs;t?$fqdFLZjf&NG3(Q<Pd~EEsC5N;1+NX0)wFBwAU~z<TBU=t&)lr
zJyoJCHj)6PgXD<07J?m@SH^!mjWQBZpSx?Vjg$i^@RBy#q`IXwE8r#WU|X(e?D!2w
zg+*~qlZHE_CC7A8pE$jzF3Cu)+@YrnvuU?#tVG#|d)7h5W{0bacjG#7$VPV=t{uo?
zbp;j765p+;-VJN<K`_|4$eo^mGoo7G&$hJ}e$dTEo~16m)W2!`NE@|^1#0fcN982l
z`q5G13}Ik6#K+9>W6`(!(O5E!@3Cs4q`$Qxtx(Qoz%XqWctD6ZGtDqS!e}IRc~}WM
z6639Gb}M~{!&drLR5V*hTQn|WN|xQDM^6d%)f9L4pi&jC;_EdOPah}(#lFingv96J
z66Ldq3lt%`;8U@?V{Xw`fh!i$MNB`+(JKg87v!C~Pomr0b9;!EG40;r@AYd3^<BjO
zW)RdUGj}?h>Js{B@`oEVZpF@euNBXmE7;QTo;s;cKa|Ok#Snk|mBVuKj-5@0LHios
z91`PoRb9dgEIb1~lsJ2{h2Qx)y+C3Q!Gp6VRRL?sZG3D|U6|-;i`_KafBz{5{Z!?!
zp=46^J4mRCACq-L@Cy?;gI5$TLX5y^pL!A>L7$Nbg7>)~@p8LwV$ud*B)RAeM#lG8
zFwb6~jLG71Cj=c+r7s>yNdAQXcsqu(ffn673|7GVkuD>;O%;oF^U+yWt2;<e<M)un
zJKc*|{;u{+4L%w}<Cjs2D2e%nLsze$fig>j42qS$3e=JTeHcbab89eP24C$-sRXVS
zv0eBh{=Ia7pDK&Qr)oui!?;60-P|gzZz?`fXxg7=cqR7u2G5Dg(A&Dc65^p41|XFk
z(`#h{lYTmFc;6C{Y^f|4z2IRO38!nD?rAIpe<RJ=D7ppCIwNR50Hd$hrh&zC%nsR1
z?FPM^oUnDJuy@QQgTn<O=lrRUZ=0h7d-Y1RJJZOQ2r2$@F68d<Ity9o3ym8i^h0Rl
z4PS1mp$;lVVT4mFz{^2f282#M7I|Hz;h6LyAVlS(m~qk<Sqx0sjcYcplH!V5?PvuB
zqs`((j8E^;j`-gZKHt<A82)B%Q8m<iX)aq8{o^?tK}vqcn23X)h|XqDf=XJi#}9?8
zt2Nd3n+c33wJ6Yr^Hwp3c@4ZoLKYh(y-6BVjBGyTTkKJ|*#?=?6q`hA(QZUmR`{7@
zuG;e+4!3wR_^BJ;<!Npyi8JSG5x>G7;ZU)fn2FEHanB)Ac5Kw;rleF6Yq86A{Z}(d
z9suST@HsFjC82mxE`(jbbFDU$6+J-mK+E{9C;qJaS?)u{?qA?z8hx;+6nQ!G{$E*Z
z=$5`%iIysL>;N~VFk=<xj-vu~V2nohyn%29yXcAKvV97oL8`Y?g#(j6Uf!egk`FG;
zp<Gn?R`(91=Th21DbD#0lkeqW;RSsuYX_EWZ0bUNq`GB19cwDfg!9%RXT8aN&$HNR
zL-^E}eVN26=dz5XVl&yX{jTxYm5C7`^XqBA;`N!kHoIBIi5H1c4-RUHdhym+z&#;e
z3kvJxN0e8=_}pC;!;7qCg~se`$32PGUJvCUNN*C+IEw6MY@{D(-N5LGd;XKoz+py4
z>lC@6S|6J2(_-YAATA~6rnBe%$ZHd6kgn>skBuJWkwIHJ8)akz8+%iUV-j%ASCF4h
zjF}Nk5G#;3OQkJvKVvlS>Q_EFoC;dhP)tYwvwy!L^+hcS!1UrK!M>)g71eRhkQ7>y
z`BPYT5a<UhwYVl-S56_@!!Kmea+rESi7Af3>-lSWfG<}y!(7iLDOstzP~oGz7qhe8
z>164ZkH^&VOws|khy@oPUC(}&H&6EJ-cqfVp1SWv#Rh-eYaorNvC%f_EEQT;$;87L
z!-cp!PgJ&V^#c7dWtN?jld}zjcQv<8gF>06K(!o8QHq{a-u5C|BN9{j@DzsQ*PAL)
z`bY;AADjO%R4UBM<jHXINg7~vuUh_#X>K%FfnyMtIE&es>RP+qs@>kepLnX+Gwu~j
zH-@HNYe$1yVmoo4Q+WS;NRx{xCf8wLx;&d*jml|ET)<S1)F(b+^ICb9wln1;5pyax
zaIAq!JQAZl0X(mPzY2P#gEVnzj6_pU5Srzm4)lzQl3PHSvu@0hv9f1mX!*aFpF8jo
ztVfIT;Kb+rscxO-Go1$U$A_$Bl$i6JI8Y;3g0Qt)RO*eg07=dnGiGbw3~f0&g5MK*
z7Q$b2B5ZSAdSbI|wCGAnA33AQWL=hq@DbU8T>Q^S(VXz-o7X03yha>J)|n3{T|tRV
z%S>Sz`Nwz(FTVVGwN{|R>cOEVL%9fPE}&D&A#ji@35~Y+TL`~o-#s$<c4zhz1i7bc
zb3;0q%iySa$gUFCa?AAO5Z#{ElJ}bE9D6-t%Ru<n$|X_ONz(LHW!7|4t=t#(NI5w0
zh)vrW3SXX98_T)mbMxc-WV*~%%#IFdw1jG>Wfbrgp^PL&NsQCESR83jVR%)?6jGK`
zo%nL$)6x2UYGuyNY4kEB%I%VF35^yr#I~K!T%RP$OjK^odO3t+NiaYF?WW>t2MP(K
zYo+jXa>-I-DFto8hrLiv#4DbD*x|@pCZrtSIi!(}<dw!BWzD|Cw2gwe*yGSQL`#T7
z$9iD)mD0aug$sfr%?;?L%(j!|MO{YnQR&Qu<>fIC2^GC|f+zL+Ev?_>Jqj@~#zO7?
zkbEqni0_I4GW!zvgl>_lzcWcP6tSu>;N`bhh>SSf441v~(ixqzW!7D9kHE(DwrYsk
z>V{sAr6OdNL|-w_#DTTRcw6%J^C?N9d4>3TMZ<N`byQSnsY6;+1a=dY>DjzbzJSl3
zb{(k+@ejjkBL>F=?yl4rS*4ec7X&axVe&wn(7!lq9=~V6Fety1zO6_DQ|xRCQPfV?
zp^a*Y2GTmN_mjn|$(w+ll~f1A1W~8ef=)#76&)XC9@f|s$|o)@qdgiDc&9hYsUo0u
zWb(TceN0(gp5&dYlumY_`$v(A%33W^9t3e}vtefa*HsSxie*vNXtrLuG;?Y;UXG%L
z=dcr<>h#4mk!1qz_hyLDu$9j#-{w`19vsUEexeEp<GWN&v&9DGtkq%S7qHtsOu>7a
z-^i|Nu&Z9pImX#F9=^TB7OezIAVwG_8!7V!ZJ?`^F>}jNl996|7@6o%=Bg1DbI!%&
zyy60jDx>ujMXA;I*0+f?GU?u3R69&&?qQ2@*E;#b>+<DFzM|m=tIpYN-U4Nt0R#=B
zwxMDr^7YM*urHaKlfFjAqmpm&{WJ2F92I>dwz1Rek$DP6;yQ)b&=vMlc@+Yb`y2Bb
z(c+O@yI`Q+L_aQ|+KR*<Rz9E>*&2!PN3t-LV5W8x4AtESP2nNBpR#*kHb{z&gtzYx
z5N#XavX(T2VGnAHl3z+sVhIs}{7zW7`_b6O#~0UAf(dm>@7zOW#YHYJ!!6gZ8$QKq
zWjj`lDU0tR%&Jl^hc2JHM<s*SwDIZbPM2kxx_IM!kuzH_TdN*II<S4t;>vyeOZGen
z-x0g)x{9+JNjh6{^D_stu&i;}6lY^R@hY$xJJOrII-1qKR2iC{AHph8sEYuL+Nxl}
zkCoe4K)diA=EL0&$jDO59$wy+<a>D3#yy=ivgfCw?eF&SvcsMRZ>X%m#xQ5Mg#qYh
zjQC;Py0>@}kKx9I@jP-jVAi{<bo`1Jg@EJ5g-mW@UPN;Itj@|&nZD4zJ7Gif)V%!}
zuK`25ptFZT;{6BX<I%N$d(udDq6Hd1Z;n5H^vst2jC{nt@>*uSK*r}tXjRyxlTRUy
z+yT@Vn$h-f21%VO$N2SeR1-Eg0i)NxQUkvaU#~R2MFRg^EWMgEHQ}ti$5l)kxVnN-
zTEp`FG*bCvLH84#PeD3@Xo(oidd`f2zE7#Yy3K!mDBCQ@RwkWOSXDR<Gay8<rX$lF
zeinoQ$4&zc)UO~+IlzP_<Y4qWOty=ve;))&sZXj?Q$=cqZB%da{{V^vtqAqd(G%Lf
z^4dk;M>Yl&I0+@cM{HiAw}rBNM=*1{eUUc9?n}{^(@7(e!@%y<!YuHdqyCgI)R{5K
zg0u>n@L4E9P-&**jv*XPUqiY;u;Z2GZ-PGvS`}`a5i@2~6(;gndC0XOFfbW-rTFNk
znY>UDXtI_}|6(TMg!U9vofnntwlQfV6_*(f<4FSB6ZV)0UODeYFvIvFZgQZ-47f+~
z0z8}3*gEE21axY0%bMPpoLkPC*RgVXuhEUm>xA-Efny6seXWKoynU6J8)F~UU;bo!
z%;A=wf9K<-LKY#iX+Qjn(l%{dl@+(EMF;PvT%~_yy4tQ&z|yaC5JX8zR^WAzs(%O>
ztE2ayM%IyZU7rL6N^yrLxE-H^lDIcVNg0G3NrWZI8u`?42L*zvFn>>_&3b0_RC_65
zg4(Ll-2Obh;~=r?C{jK{fS0EV59iUBd)nT*2Bl1UIK-kCtzghrCuh1Kk+~Qgx`CAP
zk>`hLIeWoVS9tDqLQ8iamCX+$N0u_@S+#1719rFeP5pjRleJMYq$pSRdC$KE*MbJi
z7OFK__|rhLJ<J^4%_dG_blyv8x%|32R$C=zfeTgNXn<gu+He9K)oDdnA_=826Wdo6
z{Rtyo_oKVKSUA}owxgq^H@`5?8ZVr*66;|7jlqbCDqQ?q?k8NsJe*Pfa;+4dS|=NP
zEZQ6=c6UZSU(bBqX`WsKUZGc_2%NBI?X6l0xY$Ylh?qPq{e+8EP*jQD>JT@!ds-ZH
z7X4f>_?o~3^?4jtTZ+x`L2OhN*xM!7{+C~>b-F!e?|A2{&v_=~jRzSpKP~-sspa7=
zT7jupEcHmFAHijx)C?W|V_fj32O=HT_nD0c;n`$L_neztA>!R+F@t!rp6kYTog$jH
z?JoDO3b~_)am!V@T!PgU0U_?uSHGp#KBbQRl(Ho38$lQ0`$)$6_ab|&?wc1;mu`S4
zcxVZB{K`e10&yc*0774?Byea<-6!XYxfgpO|8BccUfiTNx49bEI-&DbC=-hD?53vc
zh1JNnm8eiD24MH)K__>%OTOFw9ObzhBNNTr%wKaazKDqyrI?GP#t<*F?#s5FNHBOB
zS(PPpOyEzudRitDpwZV|X1;%oJEA5Pc^$Pju4=jd$%@J+1r(*Qft0LCQcDY*+>Gz;
z;?!3BSCuii=}5N$lqj=&bY|^Hj!oA4nf45{-lF_E;?jD98^+MCo_g?-)qv45I}5{P
z?A4zwLbM@+l??hkT-&yRlN$k`yhFT<O<!vV8i}9GFBWoIC)5HLi8eGmx~%<D9Af`~
zYp@JfDe$Ep0>^VxNOqbbZb80h9CtA~@_3Y(Pmq5u5vMukW;(Ty*~8304#Py5rABbq
zPoXby2;6b(IjvWCJ2vTUX%kIIYsc<Fk3<t<aAhN#vf{92!~T-}9-valhD}RQbiz1y
z8;UczE*y8I^2e|m#L9@$tB*fZ-kr?9Olu7I6D@}q`34%b0ZInSO}sbyh-cr<<AhVD
z(uU4`OgP62hH?~-u6B)t9oNRot4zMPRy~tIyPVr%Nc~C%^fQlku=C8GArKD43v!Q2
zUr=IpV{v-f7VjxOz9;Bma#xDh_Q%WH$@u(NY~{(KAi1OTa$Z?W6ed$L`{`3>*OvW{
zvAz4k`5*Z5<A0`o1KlY3UQi}O<m7@6+s8$$Ji7B*#WFK*?ADK~`5p?=Y~7_@C*Cu>
zZfz}2^K*Y;k=1xGvuD;=+oXfb!bI{HXG!bAv($}<nQNiHhv~6FB0p9aD)_|uXy4=O
zkV&l?y3A*+dSrgw6b_uP8+X3eYdvn_3pS*aqiw~SxF+<Yd`FdS{h(uu?Qu-O+-qeP
zq;dIHNiIk6gNAY%il8GAjuYpL0+faNxLEveu<^81w_(AT;mJ+W@$AO|ildyBvCSk$
z@`a_elB#pCSHBMnNJXRgAb47{pPc^=-mfuSM0~^3A}t<>&&1(_JX2s|gapE_o9pg}
zUZmbAusAY&KX<~yg8@w^pR(rz(POS(g_zlTNsiN;Y^W0|ogYJG7%_2!f!@0ijU)AY
zroSi<o;YDSGeYxqzcz6axsL-#41nr|4Zi>3PZrv&v;ap$`k-{b+IlxZ*#WWo80mq!
zce?q%Vmg#$($%RZfg>NXa+xo5;(2R2q;~l>HThL$9?U2xZ)JiwpQPU?%6Nn(R$``c
zd!<kC(5oGMpetqyjs`l7xEu+iwcTE0Uj{9SQ(Yda=U|F3Msrt4-REhW>4+Zjnv8jH
zFE_Hjuo#km3<2}mNo=)|#FQ%hc*{qqMybWh>*}po+2Z`$U0&=U^#Q9vYq6!>^)$C6
zRk(k)9f+d$3bBs1e3FhPt_PtOx%e(Tqzd2zX;gh?^<sRB8irJ3WoL044cp|8N6(an
zUe=Kohjo{*Yz7=$sC`ZSK-X-|D=xiu&N?%j512ISl<BV0ep0{PUH@%)Ow#;HuC-qk
z*KMf0RlQe+uM(9&+QN_<IpUIhK_$_aV-{~s`_9QlN1B+X6Nldm!f2-)i)rN?{u1Fv
z*ma?#6$Ww?riprpMAg!YpqQT^DmXHDouFQa!pNReQew6^fWmc?j<HZv3<X8}PR5gf
zYbSfFZSd0v1KZ$H+3RGbPBONXU-j41n~FfXjKHfMA28Q!9(xoVqaP{z%5|nQnyBTH
zw4AyU2k@@gXg>ixmHzVwVO!2ZYxih3pI+0WT!{WBmn<mw<Rg)!<1BF+%A+btRtr(^
zjpll<Ag&552DOv^<mf=ni>P~x#s!x0yH>&-d-tzR9uubCkrM2>dX(;4Sf&?)xF<c}
z=c)GhYR`^9-qKp7SRgjMifC$xw7O-P1u>UIPafX9wAY9Zbq2TZmeW>Rx}Nn>Cdv6b
z93BZqp2yRva3*`Sl2wR2DC!+`KtfUxtwDt}L6#&Wlo+a<UNu?T(<kZ4up!NsM}5s9
zD}G_kNG7YO3gt!W=LCLj{o&;Ek@6Mxxc$tan`#4i{fD=a8W|Nb4;a!?b&GA6UnKGc
zLIN0JkF@k=czh6M_zzyI8i=v&(?WFWHsFw)qU)4fAu$Fr`XY$le)}(`eEL54i?BNG
zq)lL1$iY_(&fzUq<d9ddSQoq)yVPlZKb&BVVbg;zzj%U>*2}dQ@RGvvRchS>@#c4m
ze#sQN(wskZHpFzsj5|OXs{J28y36pot$_a6=80|&xQ>;!I9QY#+$z~g>o+upm*xN{
zl8UK9Wk2jXSAMt5w89jBfBucZNI)&>2J2|F?_J<}9Y1BKykDt+z&m6eQ>}QW4Su@T
z2Q#PW@k;5OzS6eXvz+r-_^n2+0pn3G2*i%kGNE;tfPb<1_1m`kY$O_a?8fLsm7UXz
z*y`!8)lq~;&!35%D&;Nh6(Ro2Qvy_MP~J$jlIL;hC=jkqEFC)DKIfBFnnSDOMltO|
zzpjaTagqM3I^sR3GMK(W@*UV$!-AMVbN26dn&OReGl_0;3kg~%g_|CH%?CS=Bac<v
z*=-nor)GH>e?@*ORc?py8Q=)Sd1qHss=p2w2vx-e+(7B0$eYCpa%$uQ%bn<((R3Pu
z4Y2FsI?GdK?>8`1w*6aqG*ssW^uMJE)NSQ{SyFx;!E8@N%>TAei;icw=h6xtR=YhS
zc==je-L#{23fgvp>ipV+f!DiaPBQV{w<*uhijb&Jd_HKEN!Lw!uUeGfk`TXaEosD|
z&46!QM)7aledVk4-#KRY9>2ssqkgYi6%#cBA4)VmeZ95*J4wB)aHxa>4ROo(8kgB>
zAZRD>MPE|Ta}|y55jSc(n6w0SqR$BGndK1zjPxl_PC=Ksam35E+E|2Q4uDA{D6BxY
zV=tIcR$Auqe#{au5_GZNAFbUp9)6%vvu038ydLY2`H`MNg8ylVKj9aAn(mW*L??x{
zRcQBMiCnrSp&;|xx42sSJj)wFCkj4Qu(WWkHD|-b$Pl->{sXDZlBn$)TQ6QMUH_la
zro4S#G%jeU6spV1sCuu8OTbSQ3In1oDk}0g`?Wa~<6|%s2F#em(iT1_aI-EPMXqY~
z6f^P4GagUvz?_NFegA^ukE13z@8TDm^EKQuD68CDlFzNgIjyk-xj#~Y(z^R(IEU0I
zr=0e-8$?+V*+jSid(<;})b)Ezp*^3{r;{Mnj9U`j>RpSLX!L5oV@0h$k~7~E&QiqY
zwz}Hi?>226YCLYfc5)%)$U&tkDuG_xEb4MaRFR3Tz0;ak$gStT>5#u+?WX6dwCN%>
z_E(b1V`0XlZP^}-EvAAQ0Vs|>fs|C0N!j4Nw?zv}SBs?HF$QCZ*9WwtP_f|>2BPyF
zcq#7ak?Xmc9J)R$u35q2j*^^-2!r6ld6=VMjX`vEAK7$Ly}QtXqlF{fM*3~rw0muM
z2;rkbHRyFyu3>5y>HEX1c^E|pQaP9hIHAXmA~EQcf9`Z24<itUunj1uz_|CX&+sYM
z$9knmN7kc!?#Ipf5|zjUre$YpEluA2#Xw8-U_m8HwxeNe#_c32F5!ZOdyFshE*MQH
z`A>waeKTm6w{fZA^uHL&j11UWtfa;CY#cER;C#7UW-NFVC}11EFHKNM;@<5-Mq!@3
z$!}nzWcwGZ1)=60dyJn!W5k9>^{ULu9m8;#JUtL*_r9~Erm<t@%f@Mn5GP{4#D+Th
zv=VqmUb2Ww=NhH@i%%Q(my;*mCO3Q~7M(9OT#R-#>bauV?MJ}yD?+IZxa>aq(9;@5
z!$F<y`}kvMEoXGOenrGOU=H{9ct@f!uh%jWAT5~q0B$|GZ4(~Khq-i`k}TUX#Zx8_
z_FlOZ(N}+8kI}WiZ_VJO_}l__H0e0Rt*Ti1@NL&M!ro=qe(v>i?)+q0!*w*a<*ePX
zFKn<$AYAo)R4h%n2X=awHk)C5s4d+Phcm&BF}}*_nW^wbNuDYzz-f;umBnr>i>UGH
z;Ad+d`yKXDAx=Aa9I`7%+N+IjX);O8NPSVXM-6N}o*sQm%8%(P;4b?;%q8@U@tt%k
ziYShMJM9A99yYq}OQ<;)S}jks>56;1qUT$^{{w75lfRyd78y$MM5+dIjM$ZX`UV8z
zPsE)FAP4@ZFbFU<5nLv?ZFsQ0h4(~gWl4m)2#f`V{}{?VL{}dVD>Hz7KVifc%&dx<
zblh}S;MoRVjb}P^y2@g}!9V$jW7%VmVj5G#y=6n!Zm5)&M#-vRLI#FnSnZD|l=!=<
zkSY!uLJt^>m@IC2;ys(cipgF@Wt=J!9LJP}e}_V(LP02{=vo!>gM$L@w$WW5YJg!;
z`hox+G66PS;>091#v~YB^$5wA3`CE3wOB~|3#c^kZYVJ^PuNjA0`&X|KtN1kp0p>7
z_8ti%#=0$&+$8=`_eKu$fkIZsgoR)uOWm%5bAZJYY6vb$Y}Ug(MKlyp0AMz%w~8Y#
z@J(LS6x1-UVjD2DdiJV76hWRyRCyPVmI;n8D?<Slq*$wnZC4usr@~f<N~Wb~>Trjn
z`E984A|+K*$aNghBEp}CBTKwg{=jOA#63A#LUE+5Ggrx`n-0;jKBH!w&VWxmsB<jO
zjf(1xrb;d0(TO7x<t!kRmfbzAsVuWlua0XjSz%`4BSV=bc$E&C3CE703=R&ovEG4T
z`WtYSl9L2RBlT7rP4Z$(cv3jTND;EBdl4`|@GI;BUHM>vu@J!m*m1|FQWGw0=`awz
zoMq%<0n#;_cB~yP%K^sNSVcbo5b70ezrrmKhHiySyCE!0FZg3PL=`o`iU3Yu)QKTj
zdbTq)G(zc?Qx(T@CXwbAAtCILF-1_xh^!7FLS3krdL2G9(+8Y`zj*X7LGYB9m!uA{
zw7IFPG@6PMI-aH{V6l{C3Qzjh&mE%U87zuRLq>{>eR_6lG0-^=^kB|KGIyLJSghr{
zZGrIm?ipx}YGb8w1d7O#CmZ3jwwdiH!EHkj9$amJJ42zWX%uoyfI4mWaXO6ceZ{(u
zN1T^Y=n*-!=t&rL5>O*tjKmx13!coH6WAYD(WqIC8RfSXPt0w(2!xmR^uom%<@N!!
zLNwtZere$dcHNwSAGfnKezF83qqFKCC=6FeB7ulRtWJfZPTb*FWJU=(LFx+qL(GZa
z$D=m*n+F_Glb}c}CqbC|h7ph1v4<^4Vy>aYKr!Oz{}Bb`uB=|kqbL!xrQ=8hTj;c4
zACL`KMn`QfpCC%Ja4?(5P5?!@BebLSQLAdi0b231$!QB@4)6&mlQm9Pu;^-XtOk1{
z-D9FPQe)`_)bXrInXC2BB9_qU%Ge@Ju!6KTf;U@R984;kjXDtOtuPf-+&iJ-uX{-Q
z$itj0pLWa^!Une8QBYhw>qex?qEl<?qy1Dc!lHP82q=xEpHm2qhm)kif-U;cg2?|3
zTLq@<jBD$Y$`ItIF3@CpEo&&?F(c|@bC-bxqC-V&;Xqh6hK0uBb|&dnIDBS4iIb$P
zmK!Ua<tbn{<RvsqDEtHheJ+1=$)rK7O)l!M0DcPvDF}dmltB+5QPu4a=u(w%Y%mX>
zO!e4qkc0x>umb@kpHYI~iKv2_9Kji+L^KeH><+((pit^2aDqf78B7UU6EWYa6CskN
z>X4*}As(-sojWKlsw1%WBbONz^l`m|dFDDBZq;PiRwUBn8cPzX(Q@x<L^Cytif3y2
zB1#q#+MQCqlyV8zN-PS@D=5&E5Di+XFmLh(m@!%r94?_qqkd$jPswd%C`h29C`hIw
z8_H<mQ9?wmfwktFn7KCq-a_vSJFig*@BCiU+819Z5eN{wrBxUFy~V#Nw6@~gOIInN
zQ;|UhQ<M@`c|`Kzh$Ir>lhFw|#!g-k#8(_4S{5YCk`i)|K$P6hE8;6epAn%Uh;u=c
z12PUoGa&qf5e=>#z;P(}M{^!9WXPH^ETU=^*uBE77kH<IjTIoL!o!L%L}-@<7$30P
z1n3D6XQ5jOtSzCOgkUgUi?HB{{45KVg{}`EQz66-$Undo2PK+J8z7nl$e$WR1Pb7b
z0N^JBu+kEg%ZFu!<op6?CBo1Qt^{d7AY6fR22D^JP|ip+p@<Fu6GDZhEaF`TFI3V(
z0{(>%JeV3@tMX@sI9O4?f0;f@?T^3xSHUmI`RnSQ)%k0}ehq$a#Xe4WSoMd(UzdMJ
z&W|eMxeXAhJl@m_RJ<~!-(>h-<&xWKcFg%~wPVx1Q~Tw|rWNl5kMmTAs+{-fPZsP8
zQaQ(u1pM3M(~jzsQl;M7me&;fH`yHc;-`B!Evt^%wYlFtv+d_a%~WdfqHdmg1kkCc
zZGZKvPdy#zCV)Ze{Ze9=1^fXREg%!e{(9iHJhYCUY+*Q9X&AuEp=3g+kLWE52ozbD
zIK1WcBl?uQr}D}$Q^P$*AKn7E@TCbWfe(fv2B08h%2jF$&T~mMAp8ucgmNZj3u~>=
zSwjGt-ua=I1ANfPt-f?JeD!xEzhwr*0Kw|+J7V>B9pAXU$5!S2v9tz5PXf+*TwU&N
z`PQ&oO_ip^`tgp~pKRPrJ8b5BSQyW$KDHpdL^i}0?-yHG^`O&YAmMzQ5nL^sVlB7D
z++!oSwm<W%wiX)HM;Oaa+Y16j!LW!n_qZXLd~Zt}t?G8Q5&V{`QR#!YpNmk7>x#pB
zA*jFzUtHDpuBeiNxp35A4yd-H16^@!QTsWy7#;oSxQtdZwa=U0U-FXFqwAzDAVS4@
z8Q=NkKM|Pm*K{jy*ThB2Xge|Ma0Yu^zwJrc$KO=wJJ>=te_c9DU7Se05_FX##y&)z
zLNI`OZ*W-V>iYxhhdkD0*9BLv#OMi6XE(v4Xxy;Sd+%`@iw>^BxrXKyz_rk?W}Y>3
z<CV;v;{S$Ro3dYm4jl4z((EgZF=8vmAAAzZ>39|7fr!|V^KqB_Ei%VHFw-5pOhJ0W
z`5F}<sGJF6K7Vkj37y&@2w^RQ+uFZ7)3aT>@2353aba6s-~V%^u(rZlD|_3@S}BRe
znYW)DlKtvz@escBtK3~;!7Kq~Ev{2d3e$jw(Fkd1x*lk{q<uB-G*60JyBh~X<r<V-
zul)onWlJjPWJQ=TQGl3I3e;7Gfj_LqbN?3RGFQ6eiMR>QS>G5a`C3(9F`6!YGvd%-
z#UAwtOvcLyOyTbnu7oFEYKDA$$^g_O?n9V>Mz55!k<9BwQ_AJhDxLHe8aRDC>y|2C
zNL-kPlvKU~ZeE5)#^vzH*%dC2o0q3L!fsqX>*FN680n@UgvRiQS8(;KxkYVmQNto$
z<s344M9b0y*$*;B#)q8|(KV1GgCtWOy}+l|(86~D&Va}c=o{Nmg36i>kVqu-I~*kP
z8)1>o42wkA4PK@L04nI@vZMS%A}wp(xX4-Kv|5uBY$cIY#!NySZ(im}fDUJzH1a3H
zf4fsjE7Q_?>XAhrQ>@|=lm0XT8u2}I2!^q=mI4sXk>Gt0V?D=MG<_EIoO#r+zu}?U
ze-YI*1A5#*aMkJpi1jmOkAc8#=ti6fDVEd>f?3*9K)`~Ql%Ie?nR!a_f=crf>#L^T
zX-E)9{fGd8eU>ey=Yh1}BWrWPTTnj5;lm&a1qC(W0h&|BiO>msENk&6OD%kf((QfY
zD3qdS;5L^E_(!E4z02LaReqCR(jYD}l4&c?qCF)-beEB#k|tV6!cei&LC>!lNCI!p
zy+bc9Wk@HqVz-%AtB@7GmIX@ADSQ~$FqmP9q%w^0gf5$m;u#NPIb@2Bv71t{n`S?L
zGeeUZpcx_GIfhpGgoj%vO*VMok>k>Lo%Q<~1jF$LnLxsOL@=U_XzRU)8R$Zg@K1MP
zbdJ7#HQi9u9#UvUKAI7eo>!JEm(R_|Tcv4zGDAe_G}UOGlh?o(p$lgz1iuovffbRI
zvIx2l?dapb2x#08OK8f=K7}xN7y>|<L~uxYfPo><>4HkW?V4O-Ak{%4?i3aY7IR}J
z&5wcgen4pFv6a#Uhrq-V9}ie1h?oLEA&d*aA(a9FPRs#geyRauL<oQ(P!51Ddsb}m
z2<HG?2r{7to!~eJ6V};DU)f2%)TCGhQesGV^57_+Xo!fv)%kCdF<yj_TFTTc$Ra8a
zPnGO(kU`yqnjgqnSW&E>1!Wq+bC3CMut@3h-k6gY$W`(APfhZjq4M6AOXK7!wd}&^
z@9+n0D6z68(v35)yGvLV25WP-dnP<qN2re#l(3hI`{VBxtSZKFrv+mIG%Z#?8aOK)
zBK@!5i!~a=LNCUqo-Ec$9z0pz)_07OCpyL;`NTNH3ptH50!DHd7)s|M1Yn&x9xz*+
zh(-ztK_(@Z@fmF$(5#r&O`)BT>wUT#^_`fCvS({aJ`*>P>*Bo2miW2y+4z<rGYPNy
zL+^|KA^YOz$Z>i|Ua^<Bjd+m8yi{Q?5z1bNNMS0Q($M34#rZxJs(ol6M89)lU%RK&
z9+b#SkD7Rqhe(2FOoMf78_wxaV{<lywLKwK?i5we@Sb7&ZV;~YR9{QyZDcj1<O0tj
zM}TdR+}N2}E@KQ^AlbO}vJERZRxgZU9_|>%(@C<2L@3}gAx9#55puv_LVtwejdNUC
zN0=V4IfiQJgEevvl)>eA>C)Z=6&>LTYfpqAu4v*~=8s=PgeSSR5nS4ac&Wk+S5ex*
zTp<0;3_qGcm}=;E58V#;48x{X9K@L&cT*x5+f0Zh`0%b6kTP(tBwd-X;l;CTt^^T-
z*##~yWom&Q(-DCn^VwR<I|L%p(7mQ250_yA93ul|6O3eM_EUj{jWM<497SfsrUAJo
z*-wuSfnT88Ol|!l%h^|P2|Eb)(FC^;$@0+}7|@ht(N~+%1OOiBf>fT0vbr5My%}R;
zY@0-nu^bhm33rej3SWd21oYAnP+caZN4#z8zs4{m9&z{ubYqIyS}E?W7vg0m(UvCL
zw_rrCHtYt&FbTBpe#k|%Rg)SiMgVr5sa%B)iT-ikdM4>#hKcuR<i3a>3v@t&P2`{6
z59Y}NhRY-fCf-T%LA)CezN7ClRxlmeAbiTnSh&lAdEflgJN-0$hWK69`so|%6fWOT
zL<Uy+`M1_5Xa{Zd9AlUp=vSNQM9?p^dqMUHyvx#^h=9|onEdfIc>Ef43ZbV$YQz2>
zB-!8)^X`%2ApIC648!?A+zPS^fGn#70<sDKEa)kR0>N&QOccQP9trP?%ys}4L>?rE
z4q?@Q*#S<5)?;sg6(a<=kE;X%zk+k%774Nu!&o3aa6ti6;$-lsbe0M4P_ROlhGAfU
z@KW<b1HXd3^suXAe_()DvcvehmKXrKmLJh#7l0)vuP{h8<_tXSSb#C~8_P_Si3}Ij
zQl0&(l<(~(;GXY=loP<->X*-J42ayy85hM4s$aEG$UdxLk<ZnH%!+`bs+H@o$X!@z
zJoJoXHAz?+5LA^0qnel2e^UCR<7xXy)hBS{6SXHnC023uC#qjw`h=wbR|!GAA5xWf
z<PbNNYEBDPXt1vbYeH7sAfaEIp*a6lr^nRHp<WSCn?+I62u|L<p(k{+GEUC3nJ1qo
zGHYrV5L*&vgfc4_!hu;>w!u*#Om(ybSCZyTzXs^Sv+6#8qbEZ@W=tyvGg4?>Lb7l}
zrUh9L9kE;wp|lGBjUxhNoI)5;Bsvhdm?;4=TrMa@GV%#Hhm_BmEUXuyGFu1?<8dOp
zCSFh~W#LN_B}oaifKpe$n@Ay0O5>EerI`w+6x#w7WiA2Fz6Quu0tg(2ORJ8Ms!9<I
zfR|TAA?mEkL^utg7p4ewkgKarIKr58)0R3)%&b}vJroC3IUB+X1}6BV)P{GZ*$))1
zkf=Wp2O6F#dWQ-3NO-;y8Qz5CD2KvqB!HfhNC|{@f*HtXjq^x&f_e`vCgJ~zKakG_
zbdd2@X21ZLG9Ca?<R~u^W7y=r(i#61q%;0z@!|_JrjAL8*xH=aQAnt$u{;W^0TrYa
zsJXd97mm+&c%(f}BzTg+5Z&W`SjHu$n}UcZ&{0Ti9!sK$uz)2Cz}f4<JmYGph>WjC
zY8iy>uZI32A;q;QAomIh4Jm{jyM{~?F`$EpvvBhG09^os&M764{}5sT_DQx`6o{mI
z^i*!aQ@BndVNqAwfi_?r2b~XqS<sLfbFPRMbUFaDptb{@3aA|D22(R|is;PO4iE_v
zD6xUD>Ok1)6dXGi$Q(PUd$PZssL;}#lum8Z;4@T!3dPXxY9V6T;!GiKRZ9f?U@(|)
z0}1eeVKtZ7ObFs7FE(tmtZrwU+%}2^G-2SREG8pH{k|W_%#apt)R+;m9EGUqv8b@5
zbb?earht)-8Krsu?I1usHi4Q#!A=%UTTC{MxFls8YlLLNC}N3mPSjGbUN>-9l2q{t
zPdMgi$wxRtMb?5Ek<XPt=pmrW^oHIaq&Cp}A+#MhLr*}Nv|ilEoTOwdJhV_j7Bmos
zz+jE15(kh-r4!n3>qR1A%nNerQ$(aY%B)mU%6N`Jl{tk9s$3BXW{O`01mywI0n7u^
z<FJzGn)nVpjTW?Y2qFeZxe2MmgQNyH2T>pqo23!!h&D7)WA2B|&Qe)Z%vMvB`afki
zyU|U{bW>DjG-^5pY-qZMXr~uUDW5=T0?S3nR#?%}nK4SbWD*@I!6xysqofi|9Fkn2
z%t>;GGJtL!=P}F89I46xUSUJIKn7^^Sn-fe&Rej%j2!vGJCN6#2P;^?au^jfh3ZtY
znIx%Y65ShmZjHNllWtKFt%8qFCEH3W5TYc-SwSl>Pc8)^j8HJR1R|C&q&yx3OzacD
z=}2&lg_Mwk{*;HnT(Xp~e>5V&Kj2wQxs;?jNdn46!UF<O&Sge+3E&MS3<cLP%n7^0
zFr;k^!ED+YhMQ<+6@8C8Hrg45O;#DvWCiXan#B#tGEfAQ1bV<W;~7fTqnQ#)1QOte
zxDKH6)&!uSniz1P8W1eOKma&W+Ih}m)qmPV*zz{g!MW+U(jG~S=fqK{G=x{57LdeE
z*0_yG>4?%{@el;io)uWpe9-qyUZJKg`qLMuiAb<+3Re_d(zqy1bB_QS>M&QXkq679
zPYDl+OvgqV>}*7?rwH7}(4-R?LY3+=g&+p%7f8B=_E$pudgxxJx)*v^LjRS}zktdV
zt)jyi?z$IE)k5wHpxrzc94ixhJe5L4hs!D8pJfjO;#Qa@lhR_OdPBdBA>YkGijt@?
zR<#By`=G^olfg6}nhn8|LBQEywLTmPmQd(o4V4IiNkA|9L?2`5J!|MYsp<y&9W$_c
z3LbzDYsrv1Dv9h_0JH$pZzpMH@rdi;Dl8i<;Q)4K3x%yRak7O@3O(f1o#PTm?<PN0
zw8vkznC`Hx1F_*uXsjDCAWAlxjtrZ{r3hnBt+dBs0W2FJV-vO@F^StC5uj@jjRUo&
zXg2e!Fph$&8x~V0Hq!qvYNj={KYYo#G!WS;4D$x6RfRmkv<(If(khY-F(Png*-$`)
z%b?It9kiMamXkpM1voi?P7cwe*Lib8FQWn2C)n328DLKoTuc+DBOa^bV3{Kcv}p-u
zX7~a$K_$q<Eq^0Ms$w;&n2l?1<Y=~6BM=S0BSxxXHLCtbi7(PLbM!j^Vrv*D(8TI6
zbEL3y@GvgA!H3Qf{J}9<mJAn={38KO5GP>OOhy4!I+!)IuwdqKFmrgYOn^{nf_<?<
z4?`&*6Dc3FDIeOJJv&iN7|~4_(R_>%!$v)NDWW!#nj>hYh}tQlHjCUutyGBZ%0zb>
zksZNEj*C(w-qVQf3B-4jaU4LLN4^JDG)C7`h<d|BD4#{{AV;MT?w!O6i_}1d%@Cv6
zsh|s)s9t_(1T$V>5!t0et;tZUfhZb<N(QSV16(2R785>FSQ4I|;aDEy`T_Cs0qt*)
z5AF2;_W*tcf#Z<(3j?=^mf!j%w#Smwn(|s^qPIurj8HJ@%L6I`+tvpd5g9Fb5jtmE
z(HZJc3UtS=ATXP7{W>8gsWpLMl2MdqC@&r9e*+AfJPb0CJ*9+^29^hTATUJ!fWZ)g
z0|ZDxla>bq&>Smr1BDp<Cq!w8@!SkCfne%&SBb7dGcv)|`{Iv?@t5skB5qa&S6&Aq
zRSYb!I4SFh){`%g!CdNrU~&vP;=t{<nr0S&0}(6^aXd+;pv@%&k>E-f!G|ee+_!Nq
zYPwT3)LRJ<H@#fw<CQaDz1T>OU$BuHU}-f3ktmal5w@rfUxqkPI{<u22U?g&MiSgA
z2Ve;NpmG91%3a2#8t|0EHwX$*v4Zs!5R}TGdLs!&!2%2?&ZW-OPI~Tkn)2&&v<Of*
zM|cGrM0^>lS0^*X5}5PSVcgr$0!mRtCt)1}&<ZqiX@iEKET`-y0QE;f75-5$UZ`?_
zqfXqY9;Q_R++-^R%%dQQ)CDjh*wZ5dZMTA)*+PKjsB4mdtng_-RWa1!K^Zofa8rAs
z$qA%dZHKD`KwqPI%=ObYFZ69dUx`j#<b#R_qHaor<Ok1C9pgOU>qE{D!X28RE7tSE
zRfLSF3q;-$fW4M$P(1RVE6Mr7<XU~cm=zdRN(0%CjP_#WdnUv^jY6Kl5_Re%`EOG_
z#p-7CTO}eJJ!@h;YG*xayg6&|a@U~Mst42vTF0$GM<%Qp?Mnz7*8!QU1zu{w+#0Y!
zMyws<Rtk;FgVDKg=^C(XW~?3tEFOuA21l$6Y=$pZ#xG<Ny|yKKI3;@^mFbPko6+x;
zc0pH5&$(oJoRBy}l2!_+g@Okv>@<$1D&VUjdg|rP;FWNCm2iBeTpoeB69Yi{iG^eF
z6ALTt6AHoFCKPrUaYD%rC87dC!WIG`g@OE4*CK2I!%7lv1&yR$v?W`rdqfBw4`i4b
zR9lq9RzlEo+8}tA)iZcDshdkw&FgpCO+%>@=;SHUsEs>}AwxwYLue17u-TwbTQmq{
zK87eCL-HF#$c>@3*Pu^Q=vS$9E3L0Umjh^R3iJueT?*x=K$$e?7WC*5&}|Nx9)WIM
z3%q&-X&XZ%jiKKK(8mJkVtBL(%3TWOE`@ca(7TsH?-qem1xPg_q!hHn6(hR1k~3<=
zk(e$djM}jzXWHpBx<n}$w$h|)RuqgwC{i(Rfu&0E!BVX(RH_XXD#r?yXa!2Efl{k5
ziC2#bRyNY5c9KLyMk9r-NVNrlB14dvpt>d~ehG>S;W0qWCMW@r;>S?%U<lpe6B%$K
zV=FkA%XKJzfpVsJ2t!=_3#1qe$r40>ZlEH_vLDH1zA{h~x(bv8+x^K6&Hy&#i%<>o
zOf^Hw5-fr{5-eE4MD~v=9b4r?s4i4G(&a<3yr_4Cl4;p0%nOjsmV%^<6ds{wSdxI-
z7=uY7#Uh0j#v~LB7=hg`5&5VFj6FGQxil8R7`K}QP)I;n=EFnzFhm6dm@5CU5DNts
zm|e7sa|Aj?pZvjuxeC;gV*D_9pT&c!yjVI2@J|Ta5v&qfZyN-L3K0<^#TwlG`)L;C
z_}Da+@nGK%77g4DZUHSWF@k#u$zYrU2~8xsMNrB`qJG*%o-K&hE<+I|hA9=%MX*35
z|IZo-&{bl@e{5KeX~Br~E7l@R`bmrnZ3~i-Vg!L~Mx!udIV$!ekg|~?#k*q1E7+`R
z_9`^AV#Z5W#f_J-UtvsKr|49v5(ZwyR{2OMR6syU7AhE~E<dAU#vvZXh7g=mC-l9F
z3Oksf-D*bkVwk!emY5PE7{H2R$nC6E0c#Z##4%$OI~Q3mtXMa-ij#w}bTdfM%w2ZA
zv1h5xix#1nzV1v}<69MNt%&UPu^+G`jI@>wi>#3-HX})aD3UEP2F2P-2F2E`%vc_&
zNNJ053=`4WNIR2hQhY@!Pwh&R`!J~_zXHu@{DAQX&1eJQl$(L2N$UWVn=4T=M5RMu
zQjqCFlt?rwMY}?jNTX7V8Z{{30Vzy)yI=&0)k#W5I29?%(7{NpP~a+4rKu@Mv=Nk~
z@{LM2k*P$78k9}3sYSgNN=1@{r6Ldtl>e&*1xX>01t!Z=3Z#ns=}JZs!jy|sH7O$S
zsYWRZlwgKP5yqH+Qkv~BQjrt-l<MnJbtJ5?sX3YzCt<*(<IqM_i%fn}YRMx~NXO-Y
z0zb4MB#H2d6r*G#Qjuytr6BroAtVc$B7u8pudnC2x)<2NGg_1r4dVpFV(QC=9a(<R
zpw!|N8slOH%T}&-6c`3)RWCW!dZu+)$6Zy#5dgtnlm<J*0|xB~3>B;(EEqxp#nuoJ
zEI^<moy9OJWOW+3f|<~JKxdkeDbuP~%!u;EGHJ>4B=>m9F|&!2ngru-M4jKIoucva
zK_*r<^vKk&OpG29WqkuN2^HfhLp6Y0;>>~mB+Ao^G6=Givn5LO$WcU|7vU#>#7W=`
zy)qRNGM0(FAkecV_$2T{EXippMpEH({*X(RE7Ku2o|y`ivn529WT{=54177^h;n2q
z_a;N-buQ@8o<xd}EXWmUW<aGZ$TxCicLyd$rEX+#pypO29LkvzWD==cnHU@#%I2Gy
z8jx;eXl%@lN=c9=(NyvrpmVq$6z*yHKG&5#N!pNEohPX$Y@Rm^w<OPTGdf$6cBB?(
zO0?=kd4MUKeRU!{4hnY@g*&+6PW0f>B?;(2rfB3<A_$U1kVIZ$Nf1P-CVEH-Gt#Wg
z=N*}xN({{45HmDpyv`*B=5e09&Lr@(9KuedKp%jnZ}4=eic}RUBVPnch^1GV!5}G`
z(uFf?>&)V1B+p6<%;%e_S82MHc+;s@cDR*(>hOe-X(0_lk`Ue3gd{9p5Rw&WLS2G{
zI^q-|@&HL$5h<LIpD6|s&_RTwWuY+=tqGr&gv2Q!IuHJp#|{i67y!aRBn%~txQFGh
z$ax@@p+SzpgobfwP*8%<poxJi(0~PcJ6Nu0Rf^_t0IzRAE8MUJdOHADtBIA(3PQLc
zNLK_}nOw~P744BSxuHl`1S(~7dZt%B(<_?%0=+YnE1u*lhUt~g8UbGM{#Uf0E7MoX
z_UR(Ip-5K*DGK0wNLLNWR}IoDogd&Gr+fpYj{tOG;0PS407<+$p-MaO1WNt@eDpvB
z_q3QJ1)c){YWNHRW#BLb?|{G{UIPa$;4nqL1Gha8GMk9y?vx$iGD>Fw!$J+IgWxm-
z{R2U#&@>aB16*G;*QU~;t-RZn9kh_AZ7V06b!YUb5<lWp3D@x|1cf_k8$KmKkfhQC
zDjG(`%`1QAm4N1zW+9|#C(IdOTcT763QZt600gL0uSBR4ucA~4>V}bz$Y~kWnm}?%
zqz6-UjS0;wMsAUx&C)XqX;9kT5}-#wn`!L;l?rt?NbY9o8Pwe)PV-8jxusn)qd-q7
zx+h5UMyWERKu(4<XbTa$MCwhn_Tz=Zb>^DF=9(11iIhK+PdFy&$AW3{mBF-3fkrb<
zZf2Y=^G&L9<$5`CyKP*lcULRDtCin2m$YuK_9l|_YH2T3FeUKn0Uz0g0o&7n0cpSu
zj7UW4VWm7}z$r4|1$l4>EVuwH#Dq?yG_$FOlmg3uSLMJI%t(mpLrXfAX++Gp0$F)?
z5#S9@vBs>9s97EbCz&kolCC=-e|LVF)U(nIesT?R^A5+(k!4Ai9bY-bIO8~mm(C&L
z42)F{%MQAE=>zGO9YB^?W0kPO9kI6}0)PF6H0m^A5Rd4Gopg8-MfBqk%K~)v7=1#p
z!|Vx;g|x84?qiJ0zOcjSb&iFiRfg|3-%QnEyVDt#hQ?*qO0eAys}0$elU%iA)Bv)>
zMCe&zk+X`h%8u7zk)3~Gkazr@P9gFm=UV8G5*Wa&1!T`cV+Wlo$^n?mVUZkJY%(F)
zY^En)Sx%fESx)!sDbxRqr%(PeoiYT#DS`1G=9hL__q!<l?#elZ-IQ}K%%hkcSw}MJ
z%0F`1Mj_;~j4-kh?0~B;?$k%D!+}eB;8NBxk@LMQQWGpir2sV&oqJSDbt{6Sk&uF;
zAl9N%JJk}AiYSzc(L|(JDWxL01t}vDG^AG`r6g)<qDz4$%4>o-)o|$~5j3FZ1eX95
zB9yCX6s2>Br7D9Wl&TRFrBLKjm1d&7xhSO_0*d0?(UMkbisA>%2$Cj2`t+X9*BE7b
zxWoh4k|teOe%-{8X(GA@BbCTZhN(U6%1kDERG3eG1?X#f4Nqx4>?KoYw3d(V!*o~x
zW!=*S*kIKp#Cf9SW=_KfsUbgTq=Ls0pI1qVYK##m#0}^^Z)X)YG7FMAAr^K75l9YJ
zad>5A7mPMhcva3X_Qo#;h(*-|BIp?iyI?{tz2F<dunpnx4a~O&|AZp9V9-cQ`NcrC
znhY%=pr%v}E1HVsU@Kf~2ZKh)Sy;tN9^h3O+(Z)vz`6ps7iNZt(=eroj6^O4A05D>
zu27C96rmhORuTDifSkLqiV(IDK_y`oF03M_b`e*-gjZc*62PK_NKNZvlxmbBLS-R<
zW)y}2nMgPRl%c@Rb{r@Op}@`M4h993I2nZ~a5t+C6tb}4PGt@TWgKuk5aWTFM;r|m
zu;E^F94rvyftped0AvRo3_O_T7IPfIdN|-l@y7y!TNN^?2M4jo0st$DnN)GWn~#dt
z(eYcpt}11eVZenG;?F94S^d<-f>}y9F3l+5l}I=xJYm4L<^<prz@6y$v$>xZX(cgW
zlv0j)Ehy)aMjYp!aO7yCW}<W?GdOW*q7V|y$fZJBm_!xE$rDUr7Iv0rAQp7aB80?O
za{Uo6O%Vu?l}IAxv|-8`W-zKsV+z?0MfM6<sXN0AA}Z#J{iTYLnqq)$>H$xJ%uoa&
z$;ZJ=VOvDT6-7*8Ss23z`%4ui{9%MeRIyU2iUG9!6c`E7Nx)2DSy9UsW@^H~gH;MJ
zHB$qkMNSe_YSFbLR*4WssF-NjvkV&+V{=s-gqs&nW~+cAiCz+1mGT3MvXKFT;tH7f
z0L*=U%yL097#eaI7-mBQpGaVSq%bp#h8<mu1HySmPqK_@Efiupc?UtZD0UOd9s~qX
z^0|sFG72bpZzLRE;){s|D6k1Ag2PipH!{RGT?i~93Lvn75eRrDArF?D2DMF$0uGb2
zVE}^BMT!?-yXLzy1@a|))8tC-?Zh8U|G4A%Vqq)91sP`KL%_1uj_^G_)mSy*yx>9u
z2)2hZinel(Xvs*D;lkRNxIzn>q^g?q5@8Betxy_lH$e#?F1gPfX<KlT9pq7U7^)e3
z`~;$dm(SbcD5e71dTFeoj<J%8cpIml@U&&1qy!}-FkJ6zz83;QT;@Na<<P9DDh()Q
zt9@jygd=j)kEE)HAOsRMFaf$SmdHVMuG;TuTPa4kFHM`F8sBJXq(xQ=QVFk4x{#>!
zuYeN}nB1;}CPqn>36WaiLS$AB@R=eCqy`Usd?qF}Co81X+9#E56KOz)X$3yKboA1t
zbR+rXPDY;S$^)6v_)Iu{Cmprb(~C*OZ4|9g&`$9sRTm*`!J@pgqm#XPWGf5Xdhn17
z7@kxkwjzu*vY-qt!psMggl?zBA&r4IL?u@ySzpM=FKt!AMmVLB0f-ZXG!{xYGFdFv
ztCJ+yvwL;LZ`hnf51X`{BPGyqg#ICuiBlxw0m7+XB9XdGWk(s%A~?lWqynA9acBZ3
zXq;h^=a52b>684|Wci)M=0=dXFq85)hi|g;%A+Y<w*>s^T`JU$5<SbsP7W_ywkP`-
zRcZdG)l!hD`PBO;ceE{tY;=tYseYkG#Ny&mF(^bxz9s%8UKPuG7QQKbpg~87S2$C&
zFPsYU1Xlt&fk!~tAX6#>?q{VuudSo#>GgK&;B^NbK!;Q7t4-G^emQE{)G~E)GvkSy
zi*t_Ch#ACw;&5%mZ4tH4m%xPH?WsoG+h}USdtp(qs~A@7KK2|^RK-lUO#od4mv2kH
z)!)ME!F5WycUku=pA%$((P^?4L+c>*pM_VYS6p;?QL3(pf!aagI8{@+uIi|LRZ6N7
zRf?j?QKzVbY!2zGlyT}ebk`bb`kKm3KctzGb!j8QgYno|M}kj@CpeNFB-2q>#8zqu
zh=Pzo&Ygmo-AF9-5{e0OgSdiGK_8&zpsk?hBgn)kIlsU@k_=Pd3Fz$fNj>nKg6Aay
z*cArBCK<|jwQ#l+w60saS{E%=mV`=Tl(3YE{hSn~6zqyZVwJ&2%%vPdks(2dRRP?x
zh?sgx6Gusbk=V=Fs?e*Y%3OLCb`{zcBzPUBAr%pd#)MKrF~J*Hiuxih5kd%y{5w<s
z2DyVmK-=(bEH~;Jp@yOZR)He#0wl(vETEA9PDo4GNZ(A5Pa!0rkT6R3!#y}*E0CCg
zC`1ab1;7H+L0Mp^I4Z#)g#v|0=n6Fj$N-06EZ`kD4g>@@0gV8w?c}!hU<w!o&H^&)
zvD9nTXQ;L}8E*Yvcj1Ae)h<4(zM>wZ9;n{2{;0mWezAU{`Qe)pP-m_JSOU2^t1P{$
zDH6;|<pjw+uzp9C{e+jmshA}8GqGiqYD;<wg*^x!<a{&{7@(4{6$8}yRpR#50-8yb
zqtHl$*r()j^0q2S5K&K41m0CuB_8n(j$J|_rPXozME_^MNR|ol>LipbsC<yv6VuaE
z&@do)kgOB4(*y94G|tiy0&;p8D`f!9BSRU0X~T#}nL#*%(qZ!=nkresK|oB;L1627
z=VHYQ29U<-Gk`+_1kN?us|SFsoS;J@MGOfTuqU9vngarHOUa|JC1|)23gB*qYQciw
zjV#&<#vZE~hObsCv^=YGRO`x}U{SPBuo|%usdg$&Fr?nJo1%|g(d%kGQXyg^cwVnX
zRjU<%Vr&$#vkiGh!Ob)XtjIcMLE@MMR$v?v6F7XrwQvcUJ$8L|9YS8Jjw~)Z?jnvM
zm{jSND|<8sd*}j^A|!wlqTyl!{fMRBNO<p9QE79KsdYRP7ZeKVcPwEP&eAo+CN3#R
z&g-(G3Z<6HYnE&WT^VXEBqk?HA!vlKk}#7kJ>Yj`l^|@~<|{}uI+9R?)x8|10=g#V
zjp&ruCW&oE0R5}hle=UarXr_?g{(&kM{SID=!b5ESWFHr5@4oYkq%!$7(0OgVJm>t
z3z|{K4nKO}WNxktM@d2;bF`O@1wyDgrlkzhIS8|jBy9_gV@a5610xZ-ts9^a#xc?3
zHIye_#4{bVBPYj%kle!)wGbai!Som(Y+?0P4Xm)+x(&O5cOWi=(NavXx(`W3n8o@j
zgxpX~4Z-Rl7K*|&h}RPmvpG@`{$;B`u)wMbWFMLCj5BHzg!oem8M~%~kHZyNAD3GR
z;@Ex<G-+DBV~EO8;+QIGo&1g@U5?$OO2h^>rJCGeUK%-+=GNv@m@&+!F|>S))e*5?
zDmO<WKXdAm(};oJCfL~U0N6K`+2RcrK@$vg7zyv#{K>vf`=C)Jjb0*35WYmD8PJ&W
zsHcge*tms8egzYw@s5@+g+$=|HUl6iJ+I!Lzf>9hU-)cu2+&KDpN18M41@}ZeU^Zi
zi^P+1nymOr%Kr)B?}yBcJY{gSMS6^q@(9>eNl?p9Hd&^M^x}@3Xpc@K!{=}}Pi=-q
zK(#%m2zcdDcGVLjsu?0t*O?>#T(<oRMm2ep-9|<&+87{Czpwka;UI^M5Gu$M4q5;~
z$^C)d5n*zE;wR+e9Vpu|zC6Jw|HIRukov47KFtXPV1xoNA<NBC{_t)nDuwtYIFX-B
zfKa6BwlkO{$9vWx2^bsLI1p>{w3bwk8jaJC8#YcdQbxHkYoHLYuBpPaynFixq9iL$
z<6;_!aIredfKJhziy)7y+`W|;m*w~Xp)jrtg{OcBn-vbDcEl&FcVO;;<|}j6Iybul
zhZSREgT*S?AV7P;!EtjBw=nx(54EuSTMxBx`&SRCxXR+n;KeMIs!{w2U}}P?1sER*
zWgi|WshfT%-MrLsCZqUlr=;*iK-UL&(qor^%{lRsPLJ>~bb~qYfP+v1Fw_cQYVO1#
zcQh4Tuo|-H8bL>RpOia5k75KN_E@C~l>+D33nkwIM=bjus1LHr6cu98ahXJ}GKaC4
zTU_HoU~OX@9aT^VRbzqGLV#6PKq{_qDyaAkR|Er9U;wJ5U@EK-3aCTfRgv9SJG!Xr
zs;j06Q3!%m3?6DB9z_g?fkFU^l96);;dujmT)xxYe`d2!*lyAGW^)q@;;Rz~^%qdT
zaLZ6(6V?iBhID2oWN&_Bxw6K0N#GEa)%<C^&IHj?>qa8$LdA9TfS&r+bTQ4YPh~XE
zWe6wCtkWiE6A}Rg#DlXbAlOMdlKle@Kg*uLbI{E7HWF1|$X8sl%+9jSwvRZ)MnJ^b
zV=Y-?qY|<=Ws42EwgZ<|z;V^E7xio+y0!!c*1>_bunIP|13j&P(XFr=>ud$O+X$^K
zfbXTSTxo0qZ0&)<&1&cXewn}loU6=!I^85nf*K`4I##T;5}<B{Q7u`en=rPaj18{x
zJbEB{24XHFAY^#wohyjVoX5$<mLclL$a+s6;J0z_cg6N*62GR*S;D+qfIh73;ESn|
z91;g6AR4?xpmgA8C59QHG?`BXMJ6x7{5i$&OU`5&!L1#a?aMF6TQAGYFT$6BM|&?-
z&;a?P)zFvy)<&bOh4(^TO`I32U;tx)tKBBAX6;_}8nVAMWz@7(a%ijjM2B^h!OZWB
zd^|jH_XYEhE}d>aUDR>+Wns62zNX(DX>}v-=Xs|2-fO0Jn|qDsU}JfucwT9K7n$3I
z<_vJW%4QdvBYox~8F2J5;Zhj(j({H|E9`q#;1@K=KpDxNfDP#706oz(1KM8MA96n!
zcC!AwqLyJDt1dAr+C7n6VsFJWn*>FoYS<zz6I4#5wTLpT)hChnp!<m`A`y%nikLZS
zfDw;*03jcs0Lne-d@BC76>wV$vsS{mYavt>;+Yu!v0`9~u`#Hr>4j6#YL!GvRaYqu
zV<<VS4lRerzns&*pWYKKB@a%j9;lFjh>(Eg(13@JD<C`rIkMJpbO%V_45J_?BQXkt
zF#+;GGm=s+l0Yw#ATxGJFIG!j7UZ?U#w%RqVzu5ZR=IA)YngbhcCQ7lkZ@Y%`sJ>|
zxC4RLfe}%u0a5V^?(!AbG6H9{k}!E55Xv49`5q7)4hU+E2$$R_q1ajZ4Xpf(7Jg&)
zepGgkTzdwpU4v8jP}EM7^<PiamY=GvKVPivSCci=nW*Sc)C;BR9m~{TCs7=oV&rNt
z$klHnU!;w3$mz?ZXjmh($P*j->aw7R8~d3V`failAhH%&WGmvxTx}4p;W!%iXtkYD
zYgib|vlz<17|Sjc%P$nl?Gnln31visvg8F|YvB&c5r<_F12VONnS4Q+Rp6|wP^`Le
zjIj_#ReU2X`~Ok%9!4S%l%o_-+fw2@{0rA*frvyVxpoC3waauWHqRk7tegvX;4PB@
zAZvwrfkz4j+B(uWu%$`W2LpR6sYrgQQk0KUr7(oxX)Xuq*bQ5$4A_0d#>4*dr41r$
zw5Qi~BKVsRuap?wE1<}7{UL!eh&1a+zLN{m3`=NO98fY@vd2cswIH*VE*ij?C4tf^
zNGT;?b}J4|PC-dx%-LUa)dxd9kVyz&W~exS(yJt>I`Z*<H7sm9VrhRr0~kAJ?EbE5
zl_KnOemg!`Z(|!;Sf0g;8DEm*Xl<dLH1)er3fHXl1?VwVS;~*Jv8Ecav8v6h!iMU8
zY--XCCUiwMHFhE$W%g`&ei)pBU#U1%Gf{L(m*bR-){|ani0E@c+FMovh-Nbi%|v>i
zP+FL6RT;dYjV9=KLS;ATF|6$`D-T75YinSyH7xYSN~Uf`ne--7){Ca1dX9AMuPaeK
zgGw)Irky;o)1;k+sO5X4Gm=R;M!69U(jG)a(A#R-q1W{l@yUnp6%yanLExbkg=H1I
z&lo>dFVe7DMxhDgXeX%VgMh}k3fBOuK|6I#NZ}GnsZ!ww6Pr>dv&8A}nMOinvKy-s
zIDgoY%6Rx~j0V+!-&hUdjvJT_n_Y0%27YRtIxklR!}7gds>{gwFr2I?bAr)u`uGr4
zE!38XCn5ao*P1z%!I>_@H!ao%V2OqVw@9;jOIZF5Y|?<==AXT8+(oCn44G@k&p(s0
zWpCbJ1(PM7G>tVOnR$iaoL{>o2xl`LwpVQvU{#l{y&~!v*-u-MDdWsJFxI&0C}Nwk
z;-d~+M`}`2u7cZbdN0Hzjs_yMHuM_%d2P-k=_slq@j#8vEeEe!32DhqFFt8b<&h`^
zr{@PPX%D4wB)qmHWS3m<=AR)XlM?$*W>^``PH#2&*vly~c-3?yZzxIw4B&|DyRHPg
z!CFbj_Mzd7`H8to0V6t*<f})H%ec4_@AHCuY8jZg?0JhsRZzB70t8`{tes-H5HDfd
zan#>i9^PFGR(GSX^6Q|n%rf%j%TF`Sv=zE<w#`{t;`$+MI9cmqXmqc|!n~Mo3p-3&
zy2j%A=xP8UkgB_tQW5&<DS-{NnD~=LCu@f?QsMON0KJP{35J+h#$@%hv@XKng!N}?
zHwB_$yJhO?j@BFIjMJI77JNGRrT&k6uPuY>*19kbS5yb952&U^e_OX!Cs4Dh<Eaz?
zQh^RjBT_^@0CqAX7}~dCtO{6lxoIjmP7aQ60gp8UiO?6+{5wl`Ix&YwEI-V&@hS-q
zyFVyrHX3K+wKe)uy;G7V|EHd9%z1z}U#2`gIShi`!VT8=V>8`-);{ezbUw`h-eF0%
z)^oM8zVVrn=9_5|Wu&zb4fx7~SvwnW1W4fv(Tmm)@GQuYXH#0z^N_u7O|-=wOg45y
zjr4?^WAid`mSBO&E-nisr&?3=bUWnYourbR`DB)vfIRX}imasnP4JRSI{L0jS5c{C
zpE+hp&oVkm>60X!`7TM$NV;~aq@Ii;B>zkNmS@UVQZkYZmeXz6xix8iz;guRJbVa9
z`3w)E7>&=X6nobch&`}$fIM3)hg|Ux>jNbYmq%y>>NWQ!fJXwjb<2Ju;FANB$7o-j
z<o2R<$hfHe#}w}v`(V2mGi$Dp+SQ(IRGw|>b26cluxkJ@6Ip-}=?cIJX%E0RDF=WY
z$uB?#WU62b6i$s98l4j9<Fn9w!C(Nd5lesv$dUjA6l@?FR6>9YS`5Gk(d3{8{PxHI
zWjt~KP9CuUTpld|eU1<S8V5JPDboWm4Z|{E3xSMK23dGnS}`)mZ4Myt3>bI=&Kd#0
z4FD*@z!&P^Of0a_BnbsfDGq68Y+)d*K#*T@qCF`kq1F-%H2nr`{RR>~gF60$ZvKN(
zzJq@KgAsngoqu51F5t_TFl;w4Y&V!Sj(;GBmCypjQ1k<&q`(OgS|9^LqyQV|?X%^=
zpTHf(8GsW-HGpA?Wq>3~EC4=G@N{1d`sA;KX(Z=9Iw*hvyC-x3Bu-QV@=0_6bW3aj
zdPu+kT1yZBNhE#%FebnO(kF-lg!Y!7ABhxz3yE)lHpCUcHi&kBJjhJ|ZIOcj)Ef(C
zd^AJXz-~aN!$}x#9V{AILazv3d@=Gb{1yn?@H--@;p~eZ97Y_G5xO}i!60{^je~7#
zAGSMB#ZYle$7tp676!TaB#iCw@*6GSmNSdPkYabi?bpK~g2M1W0f*cO;Xv4F8St5b
z()3B@b1V^ZN<FK*JbS?=!p<X`YzXw~;yMit*4)#Zfqc}@GtC;S>uc$bE7aE&5{(ng
z^)<L-lTnRy1*1q+#8Y34bKSYF?TFXJeN#@xIANY^u5=nsz{+b`j1#*x+TTqj*@ZQV
zV-BMj$ql1PuLVsin83ZG83dd)s$CgI+cX}sF#N>(eil<q@F|?nf>eV(1XBF)vXbA5
zWW2l+W)I-&IqnsCWtxJXa~c5RWAPxx2eb53;dH{bF3z#=9>LYZl2cD*mtYx1K6b=7
zRIg}mpxuv@4ZQfa`EW8rXNII4rQzQ3VJ985l{SnT<cCVaR)z<Xo53G)1(uAV)5V%K
z)<Rx|8=m^pT-fLF@gam~pM{MIQ{D#pK?g1~GMqXho*p;yE9XO~dqA2KWWTqz;mBQz
zm)59>0esjDfoZGSin@)a(I1SYZ)@iUkaS`3dU^h<GtZ5ejkva*IP-?>TsRDib*9gP
zf$3zn6XNvnaRr2F^7TB~*O}ixW)ArzEjVAmHRT^8GQ&FZLMZQA80OzRDYQ~H3!)h(
z2M|3R8a09&D%*H5mT<6X!H34p1ZTlfvq2cab0&f@rbbN!Vz9~@2*nTz8VJR-l<4Ly
zT<(vVqP&M&s<0P@&cnAR3dS4gxS2vTej8Y*Vur|K%hKa5O$t&g#$A18=l6-uB>t9T
z9g~mgN}+fkJ?Eay7|i6fI<#{8k9f2Yd}J_c`8~(E?i0(~67z2Y(%Z}V7a*pdUmOcY
z!AY)RH&@cC7xL4q{zL2VfA#osdi)Z({1W;6ce(sJdHh?P{v6&v0tX+4D6Byn0hl~9
zT6J$wsf-0{DuK^JE|n%?SlkEF%`v1U%)0&$4Bk~ir-joZ2~>-z%*Zz)OY>B!DGgCq
zeCt5&DSnlZs@}be)`d7;fUKgc^?^y1`E5tCzKzN?sYx|h;w+Iz5t>rIpGp<M3bDjg
zI>!-ND}J=(SL>$bRjA~X1Xm`b#Tql3-R)hLL6a*-@#U3j)DcYtQ#GF2r804+lO~|z
z`;l+W!+D<IZD9a8{sm)-MdvMKGeD7>L{3$iF(eZWkl@F={ToZ~LU}oGZPrFzCvFj>
z^>ZS+=#|z<ZF--a`ZXayf{c?6E)2X@T+(l5WX#U>bq=w@bYvUtz%XL957DunGVHsS
zp%Yeu0)$Ko^8c-{*tM_h62og0G0j3G65ZfZg$6SNX#-CEa#AEhXA3A6i5Z!dVoap6
zW-ubsmiJ9;GGJF)fYuqGT9kLRN!G69?>-Mioo#7~@)|`#id-6{LGcePDOWQJR3}f8
zqUIE-@g*Z7ebXsoC&HOYgRIdEuu8G1ahVgKSMB(Lvb8S+X%rY}A?VL683@)8G|e!V
z*x~+U8pnsmTZhJ(!{SKc@dDxTKN5U~wwa#*Zpgks$%EX7q#fG}V0sw677iPw77iP&
z77h>qiw6qwiw6nhiw6o?g9iz~McihXOtKHqA!LIH2>M}3U_yM!y{iPwnIq5@;ReVM
z#zBF@+%Ae$w8$XY2fQZGf@EQFLlYwkUEiib1|%&S0T)b?z%F5uYy(j;Q6ftdMz95-
z$p!$Y%#g4JSjlz(YfP800B~fh0Cpxy*aGxqjesrF0u}(&j(S!AUreOH4??L}0hcPQ
z0jnyu09#72fHh@VU<y%GFag|E762hiy^et;Ut_l6R<YIet88_BDw`c@l}^V_vP=g~
zcQ~>6Gg~J6i`K?UKp6@r6e)%m>z*3zeikV4S?lAvIA{m;EOn{jNk^3ZZM3fT2R{0P
zSkWs{9cPuj(e1+yqj!lKNMXA;ZsW~5$Ta!<SDhSW>0V%;cq6g$grXim1C{{wyD6Vb
zFlXW{W-OS8TWDrXCHYQGL#4%vVc7NoQbw)~6(TIcPlpL%14^9~24DQ9+>M;zFZc`?
z3A!gK>T1FOA;TC0(!(l*diNdx0>YfEY(4r~`br(0CiYQ_QL^Ctxn^o~pi(#nFQfvr
zI>^Gy_@YOtF$`8X)rMqqrd1*^_ZbOU6eQL<PDwAK`1EN+d4uuqcui!&Cj+40xs#O~
zojp)QYMDlT7%@tzD=*3HLKwzwbP()DRK6A1FgsGf#()H9pUB)7FbWtRX?6g(0}X0R
zEQ)DZkdHKm=ES&<q$|YGZ1R4AG#81WQz(<+n)GiX_+gub=!cd-ityMl8~I<14f3rh
z;XyMCXp5oIJR#t#9uZ9Ed=WPfc;~v#NIN2QAD1>nlVec4n?vK@tQ8<Tf}}PA@VoB}
z@+1~Ww_2c4|29`5&&8;%gqV(;N3slwNu#2iYltCh`7%I!Ex@0nsWJd%K$^dzo7Cy<
zEK~*p^S!<a5Ze%d{;%;Lvjk3iCImXP)*vx0R3tcwSaeoR4_2ICAY%vUWkK}|>HFSA
zxWy*1@IZcvksCqKBzIUa#(VaMNtWQ4%QrF)WyIHJc{Mxm4D;)_J5h(&H^V_tAQPC{
zApC%SNzMtGIm+V>$<%fJ!wf`KaGpWZO@95x<R5mekk3C@1lQ+0n)~Do^Hb~>$*4-C
z)IVX$04^iR4}iOf3q;l0cxV$>P6DYRi6*FLl2*APQmA*yD}}JRrB$9DiL6eepJU)h
z7#N{)-O>zqUx#yqc`m8coeBJG5bs0o6Kq=`oBr5@-hpZxCNsJ;kaR=lAMhc<OAdJ0
z!_pD#P~!&}bHlzb(S3~+HsDVT$k@Y28w_9Ig{qiAHW(1-i_|Nk3i7A>dZXGNBKPMs
z-z@qEK%EbE$?}~B@k5!eK)Mk6TgROVbL*g->2V?cP9(i^m7K9Jy60ynxSi53ZQ^d$
zcw76N;Pz)?U7F@A{9J{3!^R(Y=Zl^$BR}E9mx>?c@k?yJ=C|Q-JER|R<L<?K%kf?S
z4_b4#H976z&U12G-yMkNgNmTDsCJF(cY)p$d6nZ%PPv^1uX&A#u<>^fHzALG3gD3b
z8G8|hJ+gjIQ4vH~DdB?A2LrQ#)}JQuB$#5bAW>%m&W&(KL`*>?VB_F%a$AAo7Y)*&
zs10O=c%lyqhOk$fJ@h20V@cvNVS^WJ0>rx~CK@pE@RF)o2;P~I)KAv!*)ZDDVW)dI
zbyD|ferHxa|EiuJ&uC%)D8`rb)NJTy@71eU^<^&prCWdQb)=kSoF^4DfBFD;_OJh3
z6A``R3<Ic7yJA%G4a5gR$%eeih6tp?YjzA1x0ij#-E;GmT(IzGiMU$lhiN#V^Vsm#
zNvZMfI+LECq0P^_;io9MN#PH=b`#d#D)7y$1>M-sA$Du9o&xiCwYj+P2j09{;4jB=
zTcKaJJTd9_++zCC;im34j}10<q<CwqpWMFfo3UIm-oPdC;gIO?(2JiQ@75P%aKVPO
z1&+Az(><&LPCPZQV8JuKg>m76cHXoFqLJaJnDEe>SP9Kw(?G&=&ej7Jh7gI=$PxE}
zD1jKkeq;jb&M*PJ3Wf#U=XOFdx}XpiQOcFaXeK-_p2hm4P8@Z~Eo~;MK)vCu)vOHm
z_DN(twTq}bPYhy=un#L@^fxz|B=6lb?Ss}*HHm_ThgtG#Q&^h(-0yCStY>EGq(t2@
z3*AI06L1i~3+SexVZ$URaL!O5`s)KEHvHoXEb%d5;SMDUWD_I|?6JhyOthpoIrL>5
z0vZCarB2~%;CX|0^(4{E%YeMG1xm-a8xREc&?MB8OtQ-qXl|QviAxiL6|&|fy2inH
zXm*FWtAiX`e%E10b+1jpi9_%V9iQ!vWiwh66Bd26b)#+0VY#BSDFhb=O=IN?n}$>v
zpYo=bbrjH${s_FmP`AtlSB=b93d0VKXCxL0*eaf841dgi7%}{hw7*tpXo+IL)d;DY
z#Y>w<Y4PPv$8gH^1-^lX?afet)D27tdb}Z~R@0>_lUD8*q+<T_Yo&VLU{}@-)~Rc)
z^84#Xu)SzEsjWhiXA}7wIrg8g(&}~kC@#M_2gjUYTz&NK$7PD;HXS2LUrpa}ULcBF
zaf6Ea$??fg++>*abI>8U7)pf}y{*epNcFYbCwLtb1*#B(UX3}BYxbnAKm_ZMvEeaE
z@Y+!!EsYrj?sF}KjK<=j!O&JPJ`Ka<5aF=+K>tF|D*PNjw@~}Z+|RAaypy%26D`UV
zx<Bf|HtbRj^q%9qva;v^{~e$$JLuDq)wreSF?P~G6G00D{|q$=1pX`|;a^-P&<~%m
z-0=Z+vy<nyH@HtZ;3!J_)}Mwc0MPmEN<MfNN6%TI^V<0We=KRz2^H!o3_pp&AH)a)
z=dlFtCFZ=TgfKEcit|G!rawbzQ@fM>y4>C?;V1f3DLoR0qQ>y~6DLP`9mh1)JI9l4
zNWsw;kqr#pUmV2nUqvNGbd9MQnj++GqQ^uj${dSP4Ury}^Wp9B2jUl`C#XF~q}CoU
zEM9Qqtv87WV|H=bhRO0fq1o~~+d>M1`(hVlsC-b748+r<J4jQI>!JTatF!4oJ2=)S
zrJ|!JpwB5!oTo}d?dO9hiRavpNzZ7{dX8qDdOC!3AlwnDF|QLKrgV(|=tKb@N7nPQ
zJK0u8ZAy%|j5TsQsi<V`U^9^$L8fd>G8fw|lTjE5LgLG_7yd3HKKSN~*QD~Wpk8Us
zM@h+YZN!wsp9yUfY#y?uM7K$VkqVHN5&A~Niw1tcC1gm4uE()fV-T(oZ;(<DX(B5j
zL@BG6o^F}aN?OKPq}lr9y*<9>(OW^+&a?4_a>!<4L?pR|t%YD8`D{Yub^vTUqBPn)
z4}Y3%i8||!+I6Qf{SVTZ5fu76$4!h=D59Nj<Ap`aP)-3M&)f^E%t1Qj6nqe~kIim*
zyPB5D@SMfLk}}2uPFTw^9R#9>$5H|D#gud_A1rvBXYVoB3~E`&-LV`oxh%8Xd@{;b
z$&yFn<SY<VP_W3bksE>ogeJshh>j4nA*3V-N3ejQB=I65ZG=?_hKY(j0vAL{0k#55
zf@%cB1zIskXB)$V9h!=OKLL<}y#)jakPHYCfG-d_KnVaQ07hdOO*#OQ1So%^*@*lN
z$Ktl)KG)&6|1qzD2tCT%|EKwn=$0}%a{2EWdLVqg{MX`7=f8O2X<#GyEK;ia!*8qq
zn4e7jDE5ob-?HA0yodU<Jc^RtZ@*6@{=xda?uU#|Lq1CO4|B20K8ZI<p>5Zve%+#O
zm&s?Z%cWH7?w<Mnh`J;U$;mkBU4Xd0uhq;wIle}?hmK<o_^%6n8SX{QQI76)0siI!
zCHaBjj^|~|H`f8L$=4?Ms=uY^vyko{$ACq=uk9VQ{^eVq-Eo4B(Ho@b^uFn--9>e_
z(i>6MqIya6fawy^zfXNqG-qgAtfrHi5i%rY@ys_qJd@d<^E0}U2kqEE8CPKjWu3-J
zT&44|&(kqxMfpgwoxX6>IrCywho1rrZtw+SdCw?dI{*wRU<U2q0b`(s;iGNeVI`hx
zrc+cgJn&#ZidfSnN(Yw?fr;iI8#j~)6w18>3AS1C9K{=EnIdiC!)x8PMtwm@vVl!h
zzJi!*QXdf`z5*#;D=(;~v1+GvP2=2qBd(xKph5J$2rMlE1*BO{HO(!jQ{Z>(j#W6~
z9a_a8K#0xK^N!aQ>hWLdl$TsY1PGzJTy;(<RdTgX8?0HCm(+6aTDi8*^RoEJo5_P+
zby8e~EKSth6gcg<mtEaa_|MkMBV1;40fRG}TCnixtTAP_fPe`M5CD$L&}mGKPt|!0
z%&5ArnB)jeEP((u0d$zoGH)3e7fS?nqp6v4_0A5ZX-knA;gIT)P%@}AIn@{)J{Zu*
zrBiK<42Pgt(@I$RR7zJB);xItt(*h>S#jK1tUHSkb!lNVq6GlW1=p@kcZ!LvKj8qk
z=oLUzgC6$7g9lS8i!QZGmtzaTx%>sL!OAjlwsZhhE1e2%AV^8jS9nmo-~k!%o~00L
zpzKdn05u{MDdBJ%2QL%V^4e+O{r!N3*ox%!rv|4&&R(>LX-JMwSg>sHj8Dr<G`=k-
z_6!=x6qA+m8>}TKC>k3&5fha!4b&E1<?05)g3#QeU~DV|QZZ@<iT~u~DZ^ktB<1~v
zxZhH)f7cV9vU0ZJxInEyxPqV^B<{nZy<OsRmBFY6**R&UwEc3CkDxZsrcUheG=mBi
z@^}|)4ipHe2xE*+>NpER#wRY26*j^rEHD<8Y*H~y0?KL1>&hsLQ<J(7f{V07?wmlO
zwE;O!5L`t0HDF*_!UA~A1tR6ix%)3~vgPyslS3R&odBWqaW}TWTSQ?uG{92ED4UjO
zF5V!UEsPcih$hRn1?WQ)R*nk!Lllfppucz`ZMYy*{s@|>U|nDtQL3B;LBA7if`Y`4
z#NOzEY!2lk7u*#QbSA857Kr3cv{VWzITLN9g6-Lfsw)D(>?GXi!C=5}ZR{utb0?E!
zNWoxWQQ%#mf2rl#m0~Gm2M`2bOCUOcE`TDpYC(xoOWS1p2T%p@1mH<8Y_g<c0-1q0
z(TEKa1Xcp*0}BHCqLh$7j}0N0m5Ce&+2r(+fLzRV2m}ZI1t@+%ZGeq+JSutIf)EjZ
zqOWm=CFo1pgA#9O(OLBT^Yq8)rK&0W8ZIWT*U*=u=B*RxK3q**=h<>{T8Cd{WTdq>
z{-?bLDRw^ENlHUkYnl`7abnj6kD=0(f%<ABB`R<A2_Ypb{r7@GN?l(xH__BK?ooYR
z-=6u978|q>5|$J6xLA={1r;SO^X{0bdj9nEP?gv(*MPF-+nMmPR$aYJK}F14mw=*F
zskcxdL2`QLfE<-9<JFKeHvg><H5+l&01jM(`HTi7N?dhtftN8ZQGg_=X`zh)jl;jb
zu|7u?4G0B=g+55UuNlI^00j2(MdhO1ZGZ*IkCP9wRHwI#U{>kRj<6=Woz-vXxtnrg
z^h%VBh4T;FAZaJ`pig+g0zrj-QM}r+p&<Z}u@{tv@>HRRST6GA*UEEoDp_Y*M$+aN
z%3o<JS|?e?qUGtyGf^s9M_JCI=5ypF=FRJKSY$3~{O;o=OE~ci2pog*n)6zy2@C{>
zt$tJ9S7qa-?s;1IJzgbCVCxIKT)TXxyw<+l7-Mj`+H#V%T;4gB+a-4+x*>u96MWBW
z60@G`39MYixfCiArF(9QV1bL5J8FcfW1FIwAYd!z@l2I0yQl$7xtMbnq)L``x+#GM
zGyKdblBKL{@L+!*9ig6WV6WnDfDSE?&x3_NXS7LO2X)`kE?)hi-d7TTgwx3-wGHKP
zNB*BrBv#PxD~Nn{i_bF-U^B^5`Fgr%7cd;)ysikjvS~EA26^#JB}y0d$V@J1dBeP{
z3-dy1Npg$j1?87MrWA7Jb(Ay8z=0VUam$(4G|1$sU_EKE%UXt4E2#l$1OrAcIJI%c
zB})$4IEq^5^+81?N)c@wMJ-;rTwO>N_+jwcN2)3*DqP;wR6^EysT|mZuwF}}uAy$H
zXoRUtowVp>tsSWn87ffsYHk^8QOdgOY9w%Id?MBt)YAl&FYhLt`ksqwX@W|WW3(xL
zTGn-jza>gt+9|&+e0r?s>P_I$y<ZZPU6$zhu|Z!Raab1r9nT7(e0{_KjYxP{#8}Dc
z^P>9~LD?&!c39pxlT&nQ^RiY<*<|jCO6*@vZy<;u{8kks5N*j~C*t+T7(ZTiIV?A(
zU8|DB6*)fOu+v#&>&qJUB=Yi9p_WkHd0if(lHydZ+^Y#cuVVJ6B}$*V)0QZHD^g-q
zpqGbJ7BI|4B&4Z-2X>__Q*3={2~z%kI!IXV@iQbPOI^!eNLa^PK#Y|t1#}liR>tiR
zqa{lbU5_IyqwZ=VRHnP4LL#@q(K-@Tsh!c?2?JZxS`t*F-P7>_T0jlz6Ff?mBD-2T
zN(##9h~X+xhU`$;Dp>u{sM#rDw__&BT?+2R%@Vt{ySp?=ScTW!ycDUAbY``8J==DZ
zYVDl)brNK<Xq;mO%O;7y*=Wlqr@dKf=!B@dCAa;P?A(6aKgs@SR@$(C3|(|uvhOFm
zEVWFn8fd1KD@$#Nijuk}-G!7Y-DWg|p;qZJj^znU#k&@@W<S?-5hz4JSJ!xB$tvc%
zArB<1cIo;&lA|5kK=MkfmqN>JeSEs~TQyg@JGi?`1gq`WtZ^qOb=YmEB=(~0lF~&_
zg4?0N#GHgKiGxWi61wXeNm{+%Aks>^ZjXkNRy%iEG?Jxys)2<w8y!*b!b-!HRpSXN
zx~f(fNl-?u*ij{BqOI`(B=0(^S|F05O1Q)lRu@%12q$|jP@x2spVj3MNn0IL!333F
zRdWzYQ9WBQ<du!pH3uZDN~>sMN`ke2!xC0$R?smeY;{jTi7L~ozYIxP{Z$BJO8V-Z
z0}@piR3T5AR_|4}O6e*KRkDR7tg@=8DJ6LIXB3oDx{9X2q?KjW=A=rMDJq=+l2+AL
zQAm1~532frl2oBqSOk)@ioQTe3YMx`qz0$aEO-*8*-W$vQ|XC>0I7^qYyec2=~w_M
zvg#^_;0l!`EE-zSw9_w)fG84a;H5^?;VEjc9}*VPR!Q+8ZIwlOVu)TPP}-4Exawv1
zZ;1*#)hT`^n}jX-Qo*5YwSNAR6<1Y)rF0G))oXf8mnWQ1hUK({HR_7KlL^V>*XmHS
zil+)qWGYox73nP9OtL>nzJ+d8XniCv+N!(hQWH`l`dCz6PlZcPod<<UN|k?wNjXOK
zHeSbq3I<uyx`Jz}x2au0K`O}8_j_avI?`CZ{sh74vY}(zzUgbBOErHq#SpRjv#NB6
zSv6e^KbzK0kCe}ESvt$`k<sF)|H7u<NwdO6Thm}%kOcHC8%hFzc_T_&*hfL+uWf-M
zS0yN-S`Q_AOu`gi3RXO!Hw1}Qb7Q^=Q-rnMNfL;YSxrh<q_{0f60;_xI+UV0Xxf+O
zf#p(#RCWU>pP^iyfMGs`Dym!7go#S|qwa+*DqjYLbG!ptbSX+Q{P8QCW&*TgQq^VQ
zVn~!Xn;l|Om*u@;NR)h<XJS&YW$@rgm8Uh9z@_q)y(<>1RsgjyE1f4wtO`<;vCIil
zqJ9=|DPuCTa3p1yH`jZ}<ttM1Pp+Sp3(8o8q5FvvkLHJW5@jQuDqKj`dG`fz15}$k
zi4v-2h8Gm7*-Q44B?acPmXx#^MfQ>9AI%Q!Br6E|z_5&{Ih}O25KNhg9hOu-#NADV
zb*s&8OXWJ#W{<WJ)d-vZu#UB9u}aA59ZhdmM_vrx9b|QBO~*@*I*M~eipc99n*ykg
zs0`XIM0Hk8TPh=|25F5BSzakMl37>AIg0|4Jh(}%x=8ZfCgM^@misjsNgh(1-|9&6
zqtj6Ik>y&=`J|62j%-enJf=yi`bhG{Ccr5p%lVp6q>m_-Hnl+>T1?W71bIQ}v6=|d
z+$NnUBTB@Z2B3{Ej%!|mG{5P;iU`u|=BlV8N+->ZP)3!tHYGtCRg!I9GBmA8t$4`N
zhm&@Zk)>27*W)8gNSlw0jV^X?;xaU;#M%^OX>U_g5s{@@X4K;&N-a&kMn;zVHz^q!
zTa?z!WNA>DyNJlr)+V&0BTM+2(};~JYc}@@8e62%Y7#WG`K;JT((UGo5Rs)VCjOx#
zO03NkVIxYbn{0%QEG}(M0yL%c&>{jftm(gy5v2rXu;3!fZ%rJ)M3sXy=>ZZ}oZHj{
zNq^HvP!T1)rmNs0N+8Wqz(ka#G^=chD_(02vLv^8wPwhYiZfWPktN(st~NxJT$&s<
zM3h%GTx^Lia%~l|C6w8Sn`BE1IhDr9mM!KYZ4oTDOafXWDu!e>(GgV%n}&#zD<)E!
zA})SpaiS+qrU@+(J6)IsG(^r>nf8d8#7u@6B3N56qhyI@?qTN163??6%#kdQ%n=wO
zS=%!7xe~-&!A)`{hqF2hku0f9h8H4O(KB|r63gVpMRFyVb2=-LEWgZG79rSqnVVRL
zV|HZ-u@1;NiB*VpY$i9$5bOlZzAQts)iAAChh_B2`oudJQvv0Ob}MFVRw39yn9A=e
zHS?BXYY^;7Okq|b*uj~PSchR!V7Rdk%Vfv`q&pUq7&S<CEoL>9A=zA*Rw_fXr!h*Y
z4#Zr*aZ(+GX^`beb}MEFsu1j{OlzsfVGT0iQ;yA~!9`9x7;`QKIP8i{JSoR!PGNkf
z9g3-#^!V&=<`4<-*+Pj$PmaPKAf}%kh?GEiK06tE$Yi+eE<|f3$75n6YL^|Bc#X8U
z><8i|DRJ0Bh#yOi%alNUE;|<S8tHM_w~4z)j=&ZnNgg{Hd-7=U*)fQ$M~=*-KoK50
z1PFyBc<h>@E>PpLzYw5@9f_Ei6gcdX#3-S~U^5eBe-(vXOSAZ_X~YIk;<AkpzJC>%
z*o;y9Rsc~4NAXyxiAO(*%uGR{{8j*w21EF)X(ABL;;@ep9y^M`<|X0WRxV;wPU5ir
zh`T$A%eRdo+*WN~Y#qgA9pL776^i4)>D*Qg9&JnFvmo$}UloC~!nD3C48^+&|1*fl
z26>&<p)D2V)2Hz$0P;=LfR~{1rPi>QVdAygXq1NV9P2ucd%P;T&ZEswKOLHhQV#~s
zv%DyHv38y;o-YWl+k~Yf&+fCicBh3$L%aEAR69ixE33(qxgjVh@~-XpM4(<}-KPm=
zj~g!KL`rn>!0AXOWnN8P+lZNq#>1=}e39VdUlBQHgAsg6xI7rk;#?cbd3;JcJOQ2W
z7DsOxPS!-Sr-?UG;>$VZ3DuC6TJd7(SS4K^9$l6RLoW|*fMQS)<h|1&Sj3fXwCspW
zY<ZS<xFwgovpRl-XfG8mj$u)a;{Db)O7`)R>j$Seo>AQu1DuP>6SDwRig{pm=_YpD
z$|JK-<yd$!x^aa@_l*}=JwM6jaoeKiq&&eF!cG<Ac3%q7UL{N6T8qokd^uho5{2;D
ze|cDR6b*s{%#*6XS8DQ5UkaceE5-20t$Bklg-8zv0{B&2@<3k-<lZj@aH;I^mRAbz
zUJ`|Ht6k!>t`*z7m6O7#PXt1ERl4!2>l)5`ycykNP)ftY;XEqRyediI$?4`yo)wn7
zABo{wqsi-|P*tq(8gzUL?!0`H!l^ciNjxe6XftIq^y;%mTRMQLRMQ4e4u1_41n{Vc
z(_T*szZwvkvV~9$3M}VBwKkT-@U2m&%$^ng(Ade_+|TBNwr0Up!JwRu6#^Oo?6__E
z=74b=DracBBZY5G7D6~y%+o-Q6}_|&5yG{GnesSRn9zF3>S}e5r}wfy1ypSi#Bi!<
zqC7_qWsN^1aH-<Yr<PfHOd2VfWz0AEM6;?DrZlIK!l6q*ksJy%v<@=ngQ(gS$lzDY
zLR&9TD*2&=js>l>>}AY15*iJN;8PK!%zg!aG_#NHterIe%P4Qwg*Im(upy+Veg#8m
zI%Z@HubNK>;8J;@jz0pB4J1tAK&CrH(EjGKMwij}GV*BiAAxL*FoW<YPSHd^1dgVK
zQ2Yy9Xk}&W1t+vB*{Feiv@wU^Rr^H)Ixs1%r=gIv3jb+aAAx2qCZq5yRMQAQ0_vI#
zERldz&7e#_0-&u1q4*Z~(?B-@*qUkv;9ql3QXmL!`m{u{yMbBYs*S+7W}Mbq8<DLM
z@pu&Nj4==|0)=e?0{f>#Mu>rU6cR#p#o$nB0Ury%ycUa*crrq1&MyL!nneWQQzK0i
zE?_v|(e}&)3Y%y-D`o<cYck?+DGahasayp($~w#^0@|!K6M<N@i19cSUa{mS0>zdw
zgy2_kWh_nwMOIn_;8A+Qu%Fb-u)rtvC@iQ6{dlV#f`3x7z&JnZN?62H!|HO24kfC4
z!V___2OAImQ^l91T;E)>%VMNYsa&!Gsjuootb3}^`k_l8q5oY4ktl!EhFC0z`(6#!
z83X>eShQ<ZbN)$dBZ2?3H*KW?AN506`w#gdWtNJtc--MPlv=C{*2=OTty|RXChK^A
zVEpSpKvq0fRvRi4_AKKPga2Vaw7K}=sITP}^RfL#<UV2mEGMvnfTSrU3$LWAFjC|l
z7%~V}41(VVK_!6femh=+)^s2ucH>zI2rV2cKoM%Sbw<5(`xivomt%WXwFLvKt4~fN
zGe{tZw;8L`CcoDjRoQ#Rnm~Yj+Mz=RoGZTq#OS=rG#Zn`1U}OrOtS?G>^e8M>*BtW
zQDHIlY^ep2W`RoJuNE0{;Bq15=l&H$FWM^N!C)eG1AEGY%bLoAh3v>}V?j0~njS4n
zfI8TF;mwmytvsk}+aBh&qaWlDa|%krK^`Q|vN@JKa$=qSOZ(nD+B_nr{KLTCu2;et
zG-QNhV3Tn1%&~EB!m4cfgqDihZN>Mx;`)gbY9<Z=O$+e;1GBTf>QexOwaK8RrHCS-
zTT4Q*g$`ubVd&Y%Li2rsco6{Nz)z7Dhcgplz!^7V5;~ALjlqSj)rj&@x&@#;f!J6A
z<0;M<0oE|qXzXxB4f2R7W@d`*DWmtgBL+kBoY8zLRUvT*@4;M5ZU-8ph()+-USk0e
z4j_zuQX*a7bJ}mT5e*`LfUWMh^1T4j*L7T4ge;Xr9J9q`NW`(yZGND^7TEPCe8WH?
zDl;09c$i(0_17ew&(7ySRx8lz73Eg5Dy>lq^gP1rp1Vv;ecr*Ng#dVkl+bWSQ4&y2
zK7xzCT}`4v2gsa<9g(-SxEj@f@7IHhVKE{`T-uDtqgaIaSDR)zErSY6Yi&&vfV1pk
z2vQ|e)tQM=uOSKGtw8KXbeswAMJ5tNO7p9TVz#n*7-fpay^F-BvdOeJL6{*k21j}A
zK&O@nRhK%Ae{yXH$Y3u=13YOPi1v1!>{rSFZ5}^F4$jKin_VZy&sR*LTV*|)9&Yu`
z>A}j~W`IMw05WA{1GLpJDLD#RV8f?oA2j7qW#EmB%pq<8PS&V3{0nnV3rEAaA7Pdb
z$v*`$iF!kfRmUHuwP}e%_5RJmDu7`fWG!*<6Kpu-r*)(A?IfH|FPXfXy$Gj@&@+)n
zrfX{_Bv8N*2ruE<ojdPlU-W~<$~F+VyaM<Iv%9io&XVn@&??fRLA%dDU4ouN0%dJ4
zFDSi}Rd5i)VgW_1a?-pt9E)T1A5s#%C&Q9ih7IyhI%Bt3C?D0<y{8wQ*28=ooHhsy
z6c}h|WE#=8BF=CV&LR>B*2OXIYOo31Toc;q#(R|RZYaZCG6q3xu3#c@XSf~Y)xt9s
z*(IzL7Z|ojEPIU~Jmp;%%OCMDe$j(OJUn9X{*Ff|(kASSm8+;!Bg>%oSXv#ZJFe8I
z>L08q`9n2@q5MN<u>+&CVS^G};uZT!Pi7qvF>2yCOSyxWEbxDvW_uN|gBlsQTb@*{
zDTQDZkUaTVF+FzTC+%#kUX~p?`v1A(NOS4-8w&N*4bRQ$F5j)xMPG%!pKjs)G|djh
zmtPkR9%t0EhInoSIJaZToq{{f(rW1BgN1Q~R66$(49rwG@_R8#hyQDTGQ5Ma+a^&6
zEz^aUr9V>VjYIgzkxi1rGrg5ApR>jE?F4Up(EA267;~9Tt``?jz-2G(DLNNw8?!}F
zkXD~dS%S*K)npn&I>8n!UkDjA>7=fIjr7!3;~T5+(7pF!SATK9f$$eN5mUMZNS&~u
z$>cB|2$vxGqZg9SYfY~AOx1SHn>X!vmU>PGJ=zs2%DRkxHyrBn#Y&#HN>2JAnRTW~
zIGxp3a|$aE+53ID2)to|4(UUxmq4D9#o){))h0D-zszG|<b?)Y8uy&ZKsJqJv1%(*
z%HeWP?@+SXNL@uR?hSuvTiUTL;mUb#7Z5xQ^RbH|SrLT~qjps}ZGASGslU`XK`xN~
zO{r<|MAcNK0zH1#>|fyBpV~N#NtDTces=?ZD!hxtkd8%&?VLLcK!;;mbr+`Q^{o$Z
zU_VX|pRmeu^<IFaO-5hj;sMt3vR*q>QKxW8<J*Yt0J|~AbL<mKh>_%6_fTbq=d-);
z$mgff&7bq(;rB6(K0Axk;B+eP_`4`YLdyPiI|vou+g(<K3K6p9AuL9D*hJlMaHgvl
zlXi&a-R|O#U$3f{{D%~^1}|Y_Nq(!hCM>!NqDp`nX;pJO3;qF?E1O_<T{E$YT&!x0
z@S!N5N{IG5p5sqJZZRt3Xo2W-TQrhzY9bZppNmM1wnOxSL6()gUN4y|aC4zevImeu
zuuV$g#<TqhC{&rmDF!v*Z-8PKq4h8r(#!O`i_lo;q6$e)WFmG;+`^DnS1M;PmIoJN
z`m}6WHx|aPDtaBScS}f_=TuI^oyMbOcI2Y^3PMrPItk-AzU@~GhS;X5rolF1DFP79
ztqB~9qU0%a)ph=tFW&=v3*JWsc(3Ef;-{A#x%(@!pf$awOKLM3HfLg4P**p~6J1^f
zO7CgFrlU~lqeHFbicCPEg`z3cA`d8;%hio}z&lpN<mLJj2sjRu+M`M5)8A_pdR&M~
zm}T=5BNGseUGm+>hlF}JX4)Vgy>2*o4ct6|{2tKzb=OC==mW-%H@c}!bgig(ir~B%
z0@#^Y{R)A=CG3M@s|Kn~$!?~FyVo8RZT7yu_w`xA3>g9uC;;7Jf^qb}OsTDFQNwTJ
z3e_W*TCjLpso@=)n<eno_+*w`KAN8b)9Ui;xO||&drx-Hd}V{^C15EV_ForssE6|S
zF^&r37Klek`lePSO`Ps-Fw=fVEPmy#d;#%7ufB<tg8Jwdmw7DC4|5RhjU7W^Rje^s
zI^y0kX!0g=r;?$gF38o9X8$ZqPsaKFDc0*Wh!M{)?96&Ugl?Fk=hcEyo013X!`jKh
zFoEd#RETiDJYcFh480fG2~T3))BBhjRpWxh9PcGJIb+vS$r83$&ml1}iOofkT!u9p
zv1uRQU8+yb1*Q``O+=2O4u<@4d<UJ2%|8NV5P==9oIA1*?1C#_Fv?EGbwxf20cOD8
zx0@sp1*x3IkBDc8YV_r5>2)QM42;r}x(<`e%HwQ$B8elSzRW2Jr(a9N8xtrsEjnFh
z%UFnYA7|s_Jrn(S*`8BlMhpPb)R0D<Gvm{o2+A)^Vp)J@Xe6x!h*lx-%%d*ssU3{0
z)!wzTA&$!l52Zwe&W;-Ouu;NT<!qqp?v1A#F|&<4Lb}ssC+`zLFYrLVrhudJPEz>`
z=Od^vg<p-Ho93pN$;&t<l3?j~+V@NG;mxM|Wr|E~;FVJ$DCk>;%_flQL8)QzL@EG{
z3p|DaG@`ooP592+(9uAbHBzQ(K%-JY1+%-8(wl@;4D`7Ouvv%`X47Lq4120(ja{j7
zgsaoUm_<#a!ba?L0>JX@@@Od+(E>jx`Nmq<FfBx@bY^lTigTXP02M4_7hi}G{Pd}D
z$TPF}yi#r&b1=ITN>oGT%W1u&W6;<OQxOEF6M`z9(SlI|-DYwKkPr{aBbPVZEIJHk
zvhJ&O74r$gZYGV{W7mvA^M+M$aMQIc){iCcIZGvR9P%wiLFA_nHLiqCB%BP2B?<l+
zZUCk%0J5l<(p;KPO9Nt9I1~e0c4lR-e{EEoLck~nyfKnD4Xk?Utuq3#7qP^$a4bNx
zzkfRMmM&2Q<I1W51W`0MTL>3pHJA#UeP5w?ml-5kQQn~{l$z~l(nYj>+^Z3C*|Fyx
zVg=fC6r3H^DV_z2tDDy<OcOW*QnQ|i)aC{WNf{NBZzSn5jTFp=ouVGau~7!~1;IF2
zq>(|mOqG`YRI-`l*vTZLF_jN0O4dLWih?r6{N%Ns2qF|nb=tBuU8OFgrYp&vO>E_T
zpf!q1C@9*M&WT7(s_L?m*0??(R7zXqZXB}2;!lo8;01H3AdHAQ63?7Fd0d*vVFX&5
zNXFd#TCbj~*5-*7iZXH{WEf8ww!>299l^*eaNEMov*NEUh?ZW91u-jOM9ylRA1YkD
z6{T-NWJTvIB-i^39r?`qPlQS2S*2MWyerdXqGX;yC{%J})tcN-74m7Nbu1AhdTWjX
z=92t!lRq1V-1BU8Yfg&kWUESiL`yJ9ow=ltL<Pt~H_QlJu~*Ju=eLfG$eA^x!B$l^
zykuA+W#kEQD6<|Yf*E6s;tPgSj(U}54o=NlFeVkZn0+|$P&qS|%E?Kv&FWVit-_7r
z@Z^z?kf+&Tkk#5Mb)<*_XYy!>V7dqd{H;KUY19aZAV!tZJxn5Cp4hbB?Iv}S-6pJk
z*Q#H-JLA?%F3m8!C$eRj8kE+zeo~R;XZ;d=)NGf@=!BDlYpb4<8?Ce49h`w9I$#Jn
z6(t8H_nm-k<f8S-eCGH!lWMbOl9)Q_1E}b=CsAhxXIU<Y7S=e5^>-j~-eLNt+A9pF
z7o><Gs4^}(G})B{Ph^E-BH0SVEv>f9uA4*jP0E1-IUwQms1ah44m(DH7Fht}JQxsf
zjt&$z0Rn7bbOnwG@J8-FFuD$KyQ46T^mgoEFAOf>B26{FiWk`l1G!+j_*feEav_ZJ
z*Buh}z0ftMK*ZC#kk)T5IZY_xBcQK-Vp;jTEq&oSri3Iq0p@+%6emEM%evOl(;OLm
zcZOTRcTq>I`XBQ`x^lRG6v~m}mX(OcQVju6EH&|V=zxnD#+Z~kKb8oCf#JUHmWFI8
z9gM}i;LSN1wDTKzsta&RlOYH_0~pdlbD-TG5$H*|upksPIdIVaYLxlj=v5Qx&k$B!
zTs`DK4T;tiwT-hE4Q*il$Mh~C|BaZh*jj?j^6=(}_ZRyl<~77#2~GL)d6#f8mvE!j
zms#9TXT`@*M1?K97<_&gJASwqcJ=z~xtCqjl8l=jsa8jFG6Jziasz)aBO2~QVqB&O
z3<>wS*xe&^lrI+e95IRov~!VZ8jX2JUJgS)cCX8eL*0&w#)n@`Py9nFsZr7Q*+9BU
za%hIY55~QRR|Fd}2~h88ab6`yI#sW-##K^HEAM68EoIy^J#-wHcQ;Qx3+5ffb`^RU
zjRwy+Sm~G<8P@JTkTj)JA4o85_7^q2rw7~)r71vc-`ql*-xtBLAEL%_H5TTMrV+}w
zm14gR5eDLr;D!yOGf_xrLk8BVXQIHrxYAYVG_URy5PAUB{ms$QNNG^Hw1BwZ^Fl2#
zqXo^rLaj~_sFVmLoycLv!f>-VxGz)CX@2%BtGQWLz##y!Pm(8!03W=fYOU6s&?BbK
z-ZPpDj8ij4k&ZPi(dMQmKv@(<S8j{<ex&8F7@Xi>$w|O<n3&5}?tBbM(S8@$S65#u
zTJY--udH39fXhG>I2-3hp83#6=(d8g(?N~Z*WS)u1eC_mrfm;2y%jOMX{u({ut20V
z)f;H-9&mTChHyx;m(2$~QEiQ=bD4lWfo%?OTk9fZhd8C<N`qU&QO72Y?_<Ogh<Eby
zR}Tu^8OsxNvw2-Dj#>sq`>5F)SQzEN&tFvr0T?eJ1zW+<=K{~rG$jn9^mg`!9~r+Q
zZxMD$Qp`cuo75G25vh||j4kPqHWiw6LH0?yjElaIn9#gsb2TCW*Gelclgo446C|{E
zL)d4NnqnEL8UjiGq>FSuNkK^ezaua(@LW%gUeS1YMP@7e3(jHj18VJxIB($1LH5w`
z`nxe$#2ElS+Cx8A5yOm5C)-O$s_=zj9K_;rv@N`v!V(7NKZA{<mYl$AIh?~eMW!Th
z%uc4;PloESKp%mzG2J%X&Wlattq8YCNhYjhFpWuMzb;-DP$@T(lr}@1Yx2o}_~3pn
z+^1Uw3RHO2!NmQ+#62><?yA(@cL^zJ4n`APw~s!%$Dhv2hgE&V9!=JmH1D&#CN$Zf
z9}I`e3^ObpkPE*f57sWx|1BbKOV`nhQ)c^^Vbs~D*-nbj8LZ{&AYDyj#<Q^MSxX+D
zziwPZody`nfX^yJ3|}fs%ghwFlTm$>i$LcUhI*v&68lh$&I4TZXftdmxanbGeXmEM
ztpv?t!pk9?tFp`fQa1GwP=AhUhg5@n!?F;m3dQk^;mLZgq>d=erQ3Oer-UkLXS9rX
zFzr2I7u#@@t+%oaMRS;Yxf23;!*T_f{g5e#jV9W%=mipcVDy1D(a8*)n%IXa{5_7l
zTOq_N45AILL5H|n?NUdPxY5W!Xk-J(=M1wlCB$=vnOPH3ImIlTf|(rPUM50Vj&qX(
zAi_sDekRd}O21r)XK|iW4j>JH)apUB>4C7Ekj~A>8RcALNr&e*ZL$Gj`P?>>d2Nd1
zka7SMuf~TvD_Sgh;bK2HU=1)!JtC?I9|vhV6LLZv2BHhhaafWYF(g(aCo>zrTCCJ%
zK#0|fG9=s)DH*dr24y5zqici=qKg^y*&}l)4KrkWOb$AO<tT=&*&`*yB*kK%OicYi
zgxHpb=$iu0=3UAC((JkP2#i7)RETIX6V(dCb}p1L&D$#!hGzDAJOa|jB-#T^1caEe
z^h$w4MW`PQ@kDl`;q3t0-k5~%L6w>A8;V>7-`QCA=kOkq9;h?0e+&|XCB{Xuid>2J
zZ%A|VqsnskA<oCcFqAJF;e(CH!j;7?MEg>`D5ZVH*6opW=>pwsJ6l_1A&2K2?Q$f;
z^MS0yC<7=23cz6e;J6sj@s`G&0AOg!1tb}cdekAVEQ$s~a=F{ICCjbL#8Am*bt&#I
zY*LakjUrAXINX05gNLyKMP3n>z(lHI4O-v|GGp2YnglB3RuPBiFl@3DL-T>-s=Hkq
z4%LIIp;?WM9*4F?E(5w_(DYV1>jEfUGnhVIn|YQx2C%GlZj3<n>>3-jlQ(L_(!!3b
z@;5joVUR`>oU9X_>DbTi0&|#x8M1=|@RN8~gs7b0P<^-5{=;<c8?aaXk{~mdZJuPz
zE{9#NVI&)7TYdS|tJTo<u|-*UE{%q`&bIAO<?)>`Jdr3bw{uLfp7?_Yxj7=VXe6BU
zj8?6uko6KWdht2w=V%h?CAB9Y=Yh@K>&ZUddZ5#Y(yM74m@5hr*aazJySx+(+}Z*o
z0^5mr9e08ogSMpE0?Q~Ucn^zxPvmZ$Q|24TXC`|gnmZOJX|h0p-ELv!2bc{WCOckg
z@hU)2@@Jt&wAR?>sKT|g>UpX+5Vf33!Z1|}%ageuA+v#VSr0(j-t$=#FuBC3jDjd!
z?`e#V7+mJGxl1RT0k)(ivJ(JvnooHO0FF+*#85y-63<Z?@DbBDn1Yx1<fr3?t^9Yd
zW`p|wj?_A)YaRP48~Ed{?i>}Fg2}<?a)n{BIF2LgQ~VAfEaXX4$$OA?MwaGM=G9Al
zsf;q;nERGA@gjJf1L?%kE~J|se5YqjkSxb~{b1Pg7H;N5?~!XU<i#qlNRZ%N+!jjI
zR2eE>ib~Ap&$Rf{ZTy?q)p{WVyrY~!BBGAOFVV&K2#2T9!s7ALI~kuxZe@(Y9VKu?
z01ny{AO%C1nBNiE^l%BfA^Y@kE9TZcikNXa5#W!qiU|f#Kuc^X1VH(;0@)Du`Z$!+
z5P|ME1=+oJ<0hR|@2;RMoSNI)Dg(IU>rBDL+;=}spz{vG=o^A>Y`R2c*edEdBFa(&
zQPXG(p?(#Gpfw#f>4#1^QxNRcu|zNqA+Fza?y8(QDOme<+^G)dsK$IO&1&TZHz8he
zGMJ;zkEMRJ-t(6HRwbsF*SwdjoO}L(kA?5zmRlH}d&xcKdiC$`UcD{r*Q*{}$6No6
zNPaZRZgzFMrr&9`EB+IY11ZSe;W)(NmOPq4#^`&N1mBIK&a_dy%Oi!ZoDE1~xRk`W
z+-D-WPE$S4K}weq^&;_ekQFKkDiEa1kR?fxA4KfR<SpN(n}s7kQ1l?dgwWZh<ABST
zwC>5<v;m!tx^=K1^v-QpW1Qh2f_H1NQ38~~>B?*@sT+>=%K)s91+tI9{^=i6Lu4}&
zVMTt#RtWb_aX5e)Ks6(M2JuXksBjo#QS5~sZdP@(fJzw#dRAApD$WNpKDAC824+X|
zJkqd_3QYJLnhOwc&FcWj{X?^>U6}#=lILRxOFs8e#a0-Jr%}g-2!~Hm$mKYSCsE8L
zD2b0z#1!a(Z&A+V*o?<f&VHk~jOpJ`nC&2wqgPFlXuFu^vSW|c$Im>+19|EK4uLUF
zcH6QQr6nF?sZFq;Y4aVKY8RH!rZVi2(8RwUIg?PDqryU+9UdVe%yDfNAdAd%wVEb2
z67ufMw_xw&Wvw6sb4%#VZ;!sk(4+{SM9U!X=HGDuMc36x2-_l{q!13Q()%b4_4m`2
zgosACDOZ)!B()hXJh=<QH8xVoNjl|!n`oTk)prsXXHg+;5AAIA_Uu~<TNOi<@iWK-
zA+jRm0=!cKov{~AW)Smqzg2fNYQ{Y7*52IMncAF7u)qEi%4m+<RX7x+2oa2Z>P!Bb
zC@!Yw`;kD9C)E)soAmGrV9uy(sDUI(X$fu4I$`QXn&glRi)mS>(EymKfxQy0hfu`8
z{*Yzi0qD4?5n<fS_7x1-Afzc!4q^|X<XO*D|NSe@Abc+}JIP4%#|g>M?pNGPpBv&A
znNb^Tn0v~iNnByiWp~}@y-+SHR60BO%stmRiKXYRkmPmIEBf=ox9iUi#w&T|J+CVN
zTnb;?b5wMbCszu&gOW%<A4jD&@a!Sj1`IBqcAWL&Ai`($DD%yeo}{!`jF&OZ^evU&
zPjT`u&Eu+%0%9i7-yd4k4x*2oL&sguABA6+$5F_0c-zNiaS9_Osg?z!M`B4UeA-qt
ztIy3KgPasxC0<dV^j|8juT9gP3hLKmGn6_aRKfsNyhB25UJ<5JGCwd|_(>{@A~&mj
zR25^@L44JDiUy}zJt850HpdM>WXe)4B%F4DCt)qaaF8-7!)XlOBNfDRRN5iU#BrF?
zB7wYeP|_j^x^RfdBo0ZvZZ_%LeuIzGGT6!rS+#W&Zk(<z7_wX)>q`aFdE8#4?fQdv
z>Qo8fvQ9Qx=#D)}+V!P0LV;DRb}gV#TOydRv`0Z$1gBb?sJlxlT1HpRS5tDnN&gjZ
zs^gKO<LFZV6_@~p1gMR`g>iOTg%wTme1VX@^{FEeH+{eCkWlut+zp^g2d)#}44x1x
zdFzx)=bowpl`um6n?%JC5FMk0M6n9Jld*{s5;~_RhY~Bgr!q$pC>kdug;FA#Cl0i&
zYFf|24F^iXfVw6fHX{6>ayF*(Fw?FmHuKNR)u2%!8cPR|syoEe0$y&vf#gYBk>ZP&
zh`=+x*5a;&ovToMX#wNAQk6a+L*YxbiHT7<!5b<x{qY`q%9BDm6u_R%%_~^R_`pBs
zl`T4n^y<(?FU}a-KBKJqj)bsQ@_e)EW6!TdmKn~crgf+$gwa>cIa#+<B19q{CE0aS
zW7N~+y`pd}OnxpW6*c5i{;hP9=`7(ffn-PITq|Psi%*SD%VZ@774<DITL3QU2(|L*
zWSOCD5D2tLH};jq_RS<w7WWk}W|Cbuh)ezEr?wsp;Dj`$0b=@~B!Mv*3XV1o009Dy
zaBap#K?{>!dxnFa+Y6ww(sc?K<Vd2t)|kELgo+RZv(Ip2L-Q_;x|I<gi_^g5P}DOX
zx9e~mL{h2C<wiBsy2{vHEAEpbl-buYvyQhd<gjw^Y2((8!hLo<R6ha-@ayP2G5<82
z^{fqw!8>6}Q}m<#yC7yU9hK&^&NAG@T2Dz7QZVWo-{$AhF>p6{%bC}J5h4^a3Ha3u
z`JOA5ORCbh1e~5qj_abQ&d!Tf3nWa|FDQZM;eZQusN+v{IW$q&Z!vGgRp(ay(REWv
zfQALoa`}aAb^`GAjVZh}_!mR=r0%#NUJaXXes<p1=CFc-PS&_}Q-qX5FfI|`FUEXk
z0+_<IZY~>4DOA`OVAdygwFrpGV3b*^0roNgUplv|DU1T15NZ`Ahv_b8)2kK(*4P_|
z#@)(R5)rNl5_BNz>LLUQ0Tg$Z^p?J@s>_T3g%P^TjcjFrqN3;E2*d^>xVNSgfRVNY
zK~-xmlvoE=vB2!AwKM(4<1viCQE*bOtpRX;Q;n^gz+$56H`0WqMcD;`d2CAHhRF&U
z74C{{S-;Aq<9AVX2rR(ZV~>g02{*TsaCbOYU|bYX?&Z#v)VNxLFx5&swZX#Xy!ze}
zKCZ@)L})FWH|wF-Eg>yrF<uO1BR4F??pi_)0?;*lor{J}@njY|LJ0@ks)EWXdw_%P
zy%SNrY&OGY*12sfOWIeTpd}7$6rksZ_@J@BCV*cuXH0rg9+u<Vn1Quv@`Uq6wOXMp
zZX{TKgVJZ=KJare{VtbJ(0wQd7z&|Rn5tF=1NFt_AE6&dg`jZp$cP>`s;H(QxGkkv
zeqUnrw3`Gh7s|wj*al-y%0~XaQG$qmzZ@+Rs*&)S>#xO_4?r^^5Qhe_D;<?RH&Lvz
z;zTWAEL!q~*G?{XnNqz6ev}pI6(pjHi;6WWTXYd>xP#m);>ylRe^nP8@Ifs=!EW~#
zK~ME@Z^{tyRRTuQKQJm_umr9$;QP!`lhhm>^Xo!A4aJh^ivCbA1D3Q6fYl0QoFH4c
zG~zUJ9KmeS6LvI0ot+ue<Q*^S@C>X4k^<_x7%JjD5jj3-1hl+$I4a_xsjv&jN!dWB
zjbh40IVGX6iGKQ$Tyvl;ERN2A*c={Jx87F=J5~B<G7?uHgYA`4+zg`=ZdZf_z%~aH
z;+`PyffZ^)leC9_c-wa_km2&en)q?i*K>#n0+ve3L$rI02`b3vqFBwFqvGG=Ei&nH
zmCH;R#pRSMj*39$L4sv1G1lkji{M>y+()Z#LGSH$VtIf-10%p+=b857nwwe+Ok3eB
z7-_gV{sAn{XjFlE5~_KrMS);&1F8C8k1RnLwNd}eq>_ewP^8=dE?(G8-=PIl7R@W=
zBG#kg`3Wv98YSy&ppyQQQI?S5+Pfp6$3~pxmQYD_dxTY)!?vCTmZA!v@3g*2Swr)I
zY)qA~Ej&lQB1@t07OZ#+i|jt--XD>Fy$_mUb~7$WEwKE^Oibkg(TBwz^`ZS^p$Or{
zKMDeGj%C3j)Y0?{I?!Kl*remfr-%=*L=KSP2T+E^A;XS=5sE{L-05B@;{l*M|DnZl
z+9+gt^xIZ&3#j7q=m=Bj4oRwjgarZ3{$URa1C<;?Bh&{UXq+kP1GIj6wxK|END%(T
ziKD1?faAbAmCQfIww?SlA##F?Tr;>^C7%q-)+4RJSf_4Y!P9r4nbnqU&C?Gn`1H$C
zJ@T*IwGponG7B~y-Us`D29WWZo2V0iE$JuqK)9q7W+LZL0N@dc*EcC1*~_VEa-@v{
z7thPFuHq1;;t&|1INQXe<kHc{`he{MO8lTYr_1Pa0hU)<UOkNd+e6MwN828@{0dGm
zg&aT|!WT3L3@GDfC>bh>o@JL04w#1kTW=`>K%tY{c}NljOoI)<3P^*hA`Y?vS{(Z#
z;sc~#2Kxr!ltIQ_V+a&M-jQ*%VyK=9U}W2bg!<InONgkUb(Da_M9EDNoq>3i1|kzV
zmb-BhT4tbu*(Lgy17p}hSg6QcxpocxM=&8U6Y<Ef$XZdSNO>k(7dKCeB>^c7tDJ2<
z_R6H0bZYbkHk`GmLPHxhqHmIlcUgc+v=h=Z#vNAu4cK|=9D!o!1-*87+9~P~$f8g>
zONq}gty9GSTudVQnrR_0Mcq+Omxcph-U+?j7L($s0V?YtqQsC@uo|(Y*q;QVQ#Kvt
zFuR}@{ArBf8bX+bC8fX{0DGV(y{sC=<zzGx!9LcA&|We4K>r0H$n4b(9O|e;Y(jiR
z;ap~$JbA%F1Wjv%M5oR<-c@RiO_2lMO*#@0qkw>~G6?F^z>w$goGKcD$Ip0<;Uc?x
zhDqwRs!Xm2P52WTkPaqH7LGQT(^FJ+JTa;Y?+2W!BsIM4F{w>P0ju|i^Rd@S`MluK
zp{-&9BVd24Zr)cRhr427O&t_ZCyV!P7r?xR94SJgcd3Lj)f`6083S>_seB4XV?Yr<
z%3v2ph6|iAq7}%P?_j`vi{J_y&Z%%j)pj7769CBR0`zO@)E^oKz;9Z4xohP>c0x!C
z56}c%atd<;zM$=<<C`~;39DUKZluT5l&>ul;jfSo{qWGe!hWls<43v;fF=mF;;C?t
zgXR9AFt`E$UYih(7)^Z#e)X}XVhsXbsaq)O)O`*NZLrxxu{*$K+%+_Cst`4=*2nOG
zvY<^N3*tIk--L>T8D>a|CklK<Q^*Q%P@emzJY9J8H%$?<>Qq$FWBcw{56{hbP8J7H
zXYd}flmN>xJsu5Hfdc@OEr1D3sJ$bsr9hd)y^!c?V1Y$~PNVm=mX@$Dv~e|t06IX$
zzpZTzE?b&)M8Dh!l;EKoz6b6*R^O226iVJ$K#1qtwE`1-*gMWhm8%dqtQ}F_3;<9`
z6hPk_Uj7_wsvt@m2jo5yz$#YSp{xWxMn4T8#F6O)Qn3X=0^{M<6<9}Z#v;A1jOwI+
zzhc(GegIU>@~tws8G>!~`eY}H#=Zv*3Ra`#(1bhDCxWtnd<j6nM48ob4H(+`Ej@ue
z%|g-{mdwr!_J9U3vxLEBc^()>hOGnQ>hLW5Ly+Jnke!-l{PTlyFSFn$wQr^rA80{r
zVRxI9;*>vppk4x-i@cjGSjUx|C_XFd^(7xqQV3eJJ+>`L6cQjO4%j{j|5@y&gw<%3
z0i4rs?t4{-JQ?)n>^s>~KUsQGg@@~owP~FUBLzdE^WwVOpH>|phH$6Fc+>#42Fw6H
z1UJR?btt(hAJb9zJ8Ms0i}-+b!9(OxFWyR<gfEN=&t&2gqNFjntV?DK6$BxUp=$d1
z5$LNt)Y}POcB4Y!9r8$w`|S~T+b=|00PfF<!<34gOH)1k%>Z$SAQoFAv#4F=OnU_3
z9yEIzD06SAI|iQ39=9k66?{To4OyZ|2{&U_cz?5@V7<Io09lyB9>q9_YF6h=lFv?n
z_=%VicKgxO0qzK2k@Mfx5#BMxW6%}q9G{5D9NQ%G4is_;O^;z?v1l*zKdtQCD@&D4
z!ir*iVb%r#m0f5ix0}p1n02un8h&T69Ao#JM8hEu)no<S2-_3jJ|rR}2N{rZYDT($
zo(G}GjvN^E3OG5=gR2L>c{ulCBn74|-p#x=SV9?n?4(IrB<cj*ag^O%LCt`NzNdOY
z$j8$1I0cE`Cys#o*z#y4+g-?`H8U}{M}DPDke((Y5e7)6!jC}kxmY#%th}yZ$)3!}
zPWU57v<ZMj#_Zb05yP1R!Qc&(Xp$kw`QI4Hu<@j`$m9-T0)_wsnrYO85kZ>)5rq2C
zA}_ZZW`xDE;x*YhoPhFkK)Z)Yxi{~S+o>sb@HFyIA*Ls1=Q-_^4RWzaDH)4h>$8Kj
zpUA?x4#g>oNw#~%VY9TeFg6?|U1w0EOXJQN(enk48B<4LoC<NpFpFRu>b7>X+dhPx
z9AHWAFT|5$KuMah(Gv3K{+21ghxqXDoenG`!H53rVd%DBdX9)7F+5Ht2SlF1HOQt1
z&Kfw1AB<CU{tCmH2Vl~E;te|4d<C<(G`MV4Echhq47hAn2Xu8x*?h;dB-kuEB`(Bb
zMJ`M^8u~+B@laU!>pz#o(ZVmb5CIzv%8*~*-0>vym`sHy$z3)xVoyoI2B6LVCD_Gi
z9pLu>0`z$UNizu{0pdlfGv#diQBe>I3<Vw(8*xRL$A7js2}oq*{oUL*h9@A7i$0+r
zfHe-i5e16m8EIx*6CGj8$Eo-T0&diaMFk8u2ROu+UsV7=1WYIO0HwePJ$v#UAS<7X
zL{gJa>p>KNILPS`Oo7@g<|h_GGtzLhpJc*VyoD;5L8lZTS+zk<Tubav4}^&oPye&R
z{0l|mR6Fddgq18n-h4Xm#f0)ikFGzIt<e~g@6y=x4pp0#)(R~gvK1cByxplT)I=<_
zd;(_?rDYH~U1)_&ev-3r_Af4pkj$s~Qz2;{gpc(eX$itp0&$pd${Qch@JHl}YOrL$
zU2a%F{lxc7!`pT%;SaVB>CbDz4Y6jwBnq4a25b`<|K-*S00d_aAcAC68W?l)#K7?2
zL1e`l_Q8ZHSU@B`0^TU=GL!x&d=bUCXut&!%m-OG0*g8j>IrsotYm5(8lYV$ZKk%Y
zDt8Opv^Y*M0SG-LLg0{T$fAL~O+R8$v*xuf0q#~<<XtBKe%(a)N*LgFD=!+_IwQ_N
z1gn6kxd>z|D)<Si{O#ol##(S1AHuj_mv`J~0tF=Ew^sqP66#zp_t=5#WJEydltf`p
zl1mH(_jz);B{}h(b-;@sM8BZNZeWbw7)pd45h20!5$n63q|3O3Q~d8GguY}EaJ3*r
z0$SeaNh%VyifQEI35eI?R{{umN8`bRHzE$-E~I<Jg@D9)gfUWByXvb3UcN~b=-FfM
z!Pu;74a<zbt)GMnNh9xPf#s4IO~l40uhK<{K!DZg#}SxNm^pd*Yh#FpC?U(h+ENd2
z*wm3Ii3spuwr4XF{D-YIG<a+(M!<LjY-k+5U|522QF71l$%RQ@h}#4FEj;&B2e&D(
z$z-wyFfxa`vm*RU_8vRcp*ACjEQ_-T#YJH-S2K(TU%>_q`*;ypOc6ds3)_0tM30<=
zORWeNYdE~afkJvN0f%&K;E_y0wm4bik<u+*_1qLDMCC;ed2&PrgA>$%Z&C7e1OTTc
z(bjKc`Y%k8EYi+Uw6#{xVopLnprh2h*BEe|g=ui{PiJu{0{4jFhmt6d7C*59P?d#t
zro<3HfJoVm*fbW1hN%tAmW)6LiFrtA_5HU2K!j-!gWwnQB1bBP2r5i!3=5=o%Ysj-
z!7T=6S-N823Mq$BC|)O_L?u4LF(OZ{(JJL(Z29<~w1<iV=!=0v+8BuZ-3yK}zk-72
z^1O03oF#<p43Ul!P!v%9T4peznjDF1Nf&FtsY;~_iv2P1Jh2ghCA3WukDRbe*jLW~
zZQy}i51#H*DUhfX25j+vcG+f;28%z23|e6lZP3*HFc;o*-~~s6lwTTo6sHHQhQ>-|
zWyjt&PzA%?gtrkuSY)L|1Kg6ISeCgfsRe|W2kR06QxGisdKyj+4oeKoEWfCy-zN*M
zBt(kER?o1MjACH655&x|rm-|d?TRXVd2;A4Pch0E!Vv**(FA1_9S5QR74LE&0>j}$
zk9qmakCC86xcX<Pt=Wa`&5(&Y(ZE2^qhvIIGA%8VNwhbBupV@Y>`3AC6sR!=j0+&h
zSnX6tqxQ@p8<k^8vN!pRT+R8;c&fKrky+bj{kE>8v>p)aS)rHqBt^_Ibe!-c=ZN&Q
z*r4XvH^4wNk0n0<+QavyFwtJPPp8+=VH583YzPp>fQ_3R6{y6Gz@7`^l*Bg+{g6Dc
zYZMUrQcRkZS#yFiJ;veJ@TWRA0)3%TH$|cDa4b;L(hFYGH7ys<#@QBM_A^mSk3Aq)
zIu%42%t;-|)&Xb?o2V;2y4wuq$FoPF<_ZiJR3xmD4-Bg)0^d|g2c{Q<L)TPQ0t=uB
z6Lr5tkpQ4-1~i5I(6!iK_Ns;cs+nW-BGM6i2{}p<&-V@H2nQP?rv&IVQotf|Tt1m0
zKr*$59b~g00E1`mV74beLjZ_~yt+xan;k@AhzL_4Ood73VAL@UL87V1nuP&e4Eyza
zzXAT?%A&#@42@InlHyY(4f*U@Gq@pu#yyx;czzWmk1Y?$R&dC5H&g}w;Nq+M#Z=su
z_^{x#B=@jpTPdM&6KA?YLtu+@Qc(nKP0hx(HBgG_8?8oRIj6WDWJzpk<oI6hhIoyG
zm=)Lb4-bzW^k0OQi{RKZ@C%s$CpZG5lAuYp*BEN_DoM$e?AfrylBfjf78RoSoQX*%
zFH%+V|7`JtyuMK(tw1Et?V#Qd=X&pePA)(M5X%X}4Uq*d3xAzoA4j-=Cl}I)p;sQq
z6u3maELDO7BU5XDM+1Z~Lv-lRbKvJ+@6;b;%`7D0D1-m7b~4c&=%pm$TjOSfqK4&Y
zbR^_%$f(L=(kzp<Av?-F^?knlbhDTS8G{0J9Qt-%A1KfRDS$`HrxgELsU(@<hDMnW
z$)&F;bHmJCK_@&mjuj#yt_VOF7Znx6F&S=H>sn^u{<m;kU>|8M+bv<2H^qSO+W2V#
zfDOX=(Jvsz4>$nGfGu((ig-u*dJ!G>A;_#z<SQ6azy9IuNh7HkgjR4YW+W+oDu`SZ
zjMRY_xgh9Ck_2E7ogf$tmt+6HHx#`^H|8nz^&>&y<AvdX>hOLH3&C^(=h>>f&4maJ
z4t>NsO5Vd0|1LV_<@Z%S+Ydpe*};+kqG8o-^qXEpSctC*fn_cGk|Z9ATgoisfB!Fz
zp`LjUcsLd)t1b|M_W}u+5&{obUbs+1X^t}@dBYFy<bD%4>%A8w>P&>fu;HnQKyr$G
z?vLRMOj08jt1KcA*hHLyV?Ft7d{=G~Ks5<sf`2$-f^B`{KOn$n8-l^C1qzXnQmJq(
zLGLN!_m#z-BOjx4m;-??HEUdEo$!*PbDMP$<TogJ!t(O7nR>Ax==VrU$kYI-G3l?|
zU~_brQXz6_{zo<Kx^-;3qzRP{3?m@~bNh&jLr7A4A<N#BLE{+Hr56S^2!@)2;o;&f
z(qd+iuw4QnkbO9qbWYLbCM*gJ#n^0>*i<8l@#wdjL+=f)2WKm>3dn9cmw7sPr1WwU
zVOw5zoeVAA2*x=1jb?C8MmAs4;#U!&;&+W2W>;<<#&`iEr!WP{il+gx%X^{mgDg3A
zSVz)Zt=|MN)Dk|@H7O(iL4k^|G+1N<zde5#oXTeJ+QZ4BNJNwcXTGN6h+zUVLR=(i
z0}@2+kxi;iBx#kf&C^Upr>Lzk7er|k)4e-$BANKZ))DER1?$?0`_heu8@V!G!V3$F
znGsRmE+M8CKyvJuOw7=y@b5`5>bd<S7hMx4U{X9FurV72n|j78&Z;GIM5n(~KoZdd
zqEzCb)JsPiRz*b)a1XMeiY22ZEm689N-7TGS|B-S=b});cF!fFn7uZEQ-o11A64Mc
z7?3!_<Pcm)9oHe87fG@x2a<^49lbd>z91xofFfOq1i_<80GYEu(}XnC)zk@WgGQF(
zD9tTm0Az$i(;!OpVH_k*0SVlISIbfcoKmu+tBfxvHhxZ&Z@8f#Tm#7Mdey(n=>>Mn
zWTR(?6wIA?3Egslzzl-t_~0;fFQ(klA%0PhLsJEHvB#!pXul;ap(9Ai(c~f<Aa-Yh
zmQakujDa1cET*SqWC?8uh)5lws36TCa^F!)C|HDSgXqJhg@O^8+`x5Dvq}+aXw{C0
zgG-Mm+F-7Zi2^z!!m2c>$+SgG69sg1Z7V>i5Jnx8STmO3uD{(QgcBZ=E2E9KD~F8g
zbBy5&n8S|Qf<NO9fvSYY^^PG^P?M*`o(w{!VvBv#46p>4v+=!vUw$e`3n1P~jmlL1
zD9)T3Qo5PoAH4o8AR`AqfJUJJ71FF>4lgjN3bBZ4s&hv&n4;1)O%%GuMja1`J4YBo
zav<j%AsrBL=J-U$AmQ!ci1b0hE5Q(mgRk(^gE^$w4d&iUDWs6dz5WzQDL<x8eEJ3(
zUj&LmRk`^|@lj)+#wLo5&>2Z$q70<B93?M-2Ea%hdRe?xNC%7^$d$?rq@+FRxI>pZ
z7Rt=EcEOaECO~8d(Q3-Dfmi!lt!f25DLlaVl9X)W@&qp*(u<fQ0;Ww0f+2{p&`BDe
zw4lc^o7dMR*b%<qMToHptUS#a&W+wY!rvyGE$RC^nnPvs&%oPc4jGK@f>9iRigH`e
zfW^1o;f&D^C7^euj2W9LWtR~$34h%n)(T)!ftKYI*#T-A63ZyKwM_Bp$2y`v#*h$r
z*<1`f!O<~cq#C>30m_-=0T|-$HbqP&D4})!8CS9aBwe~;dICo*kWc9f09>hZqNE9V
zn3F<+lbVqojTBslmjr~g=`3hrLv3e)jH16`<4nKZ1Mx2f942vDGGIn0ubL!JT`oY$
zp?H{WD#ZrbIBfm_+Fh(Ai4_GM8>Z6UDpTMf`QRcVA!qe5#1C@RYtw!rNd3xzr5U&o
z28MEqa#G!E6~K)Mnzx;XX4e>@1k=uf-cOgwZj(dKQt?m%W(`4x&VR`>!o|<4F%!%S
z>CteGP|gpya_|E+G0->wA%H{{8v}_tjVRMpqcl$78WcJe12V+vq7QLT33B0Wei;}t
zXm(Cyk;3O+#nzl9qxp-hsB7-IGw&S^$d(_tX?d8VLFP7L=v{(D9;2YQU;tT+0@X1a
z%6bkV_d?)5GVt&uEm=0}-{b{gwXVA@2CHwRo+mm3I?Wh6C=YPlvCNounH|WoJ$%;$
zoMP-7zAYgRIE>9UfSW_r1vV%~Gv*bjO6268lrxNELMWXGJy>L!W?>I-cI1pb6iFAw
ziW#^?fI^5C#Svei6hxScal$x-aclqm5k+?dgqsl+L=FL7#8sOP5tSm95N74MR67Ei
zO@YGFR9h&6J`z>ke_)WFxkUI+3=O>SZ>l4=U9zLiTh9rexizLhfvmIVGCwu|@QM+w
z@e=hX(0FFWPkZP6COzml$}3ZSML0?9I9c>XXwa&4GkfH<3WNpNG`>H!2lLjYBrGSw
z3&F75>OnPx8q;~{;T&`rwDE>o9^-xF<#wJkAu?tHt%+2)Hpmar3IQpIMj#$gnpwHz
zbQ|E|Ohp#V_`n&A82kJQdYE%dRX81H9beS4aubW~cp?`h{A#9B0~ROm(I^a`84C=?
zI80L8#zPpne{n&yFx2oHHHos9pemK|_VPFXB;yQ21|U!dX}y76sLXX5aE+MPm_ce2
zpT3iiQwkLu$i58%!?-mw$AB<2W{11@Uj*D?2w0I=V-U3K4uhh$o#G1yR;C;pP}-M?
zSUJ!?mc9`=WH55hd8FIJ+Gl1SfvDuO(ao@gdl*hOVd$I}$TZSJaBKzy6af!OP$c?=
zJZeu;Sk#`Njdi!^;6<1KSuu%krM_u-tP9U30J3jjM0|S${sbE&htdpLsip+<4xUvj
zL8P|EHrBSy6m6luIP@%&l;ACZbm2Y>1A30*=MkWlnA1`TQ=P*@tDR*yE__YYNt7Fz
zoeps)hT_Ggn4tAE%l!c`;JBwVn7y$%xir5eSZ@9*w0yv5NJWCcfN@~EE+g#h@rgR|
z1%iMUBRuKJZ*y*0s$Zed$tVPNJHgEqzY~th+QqU7v;TdzXpd!;(I81i5e&kC@ipvH
zxNSySnyGYSjs0*pzP!<oybC6StPv65Z8HP-`DP{gj}1J9=b$NC93T9=WWYF&z>@!u
z_=n5z5^Bg~B@BKuLIX(q<~;E-k`^wgOrir4RFst^is?iDXv1cKRy0btL<$*Di{=1K
zq%d0M4qJ*MCZ-Q2+KQKu<1&UOSuMg({QSiW+NW2nneb_A33=z9$=!*zB9c!8;W-FW
zbEgQho}?DE<tmwQ0d@z<IH-g{PsORx(^_UofIDG=3KpGAJO36;)|XrWse=R*DXB=_
z1&|g|2QdxhHZ4)^qIDwRaenCd0O9J5yIm8WsGz;9IKi1qOTrGCt4Ma5eIQAJf&8Kq
z2Mc!TfmhZeb)JJW5eIy*5jG9+5CBMq5GZh*?Z-%MaUACGGBoCB6tSW-6+pd!X)%0_
zrX2%AtX%L;o(?8r8u2a?WcjoVFx4NIIvly7Q4d2w0`PN5=v@9i0A`=#F&3C9RzT@r
z4A%0(BuhpWD2oskM}tzBVO3Q#M67^RfKHfI9Epy_NY;(PF)YYHrCkWvN#t{_z=R<}
zO_8s5hfz2*6A`%r38BG)L|@dr3CATZ0%|E0PCffbwj%bd%~(~~1bn_!sm8!)5O-4T
zvg8+o5nFJfy19oTBCJh8$zK%Tqvq8lR9%478F0E8*yEdq{Y5vTSDG6!9Aha1PpCA&
z@owGu+f+9`oqIWTHpk+#!{Q0iIR#kguF6x15n<va|DBm8`9Fq-$t?bO8_f~Q&Ola}
z%s8_uhhx+rImja~Vn+e~KmY<u6yG7!RbDy8EPz4sfNR!@f;1ll3`ggiqx#|WAWj5^
zhY%t+GFISW?-u=u<)m@IRL>y}DWgotP8nesA>6W083;j!Qb&r#Zqt#twF(spm$W1%
zb|%OZ4bDOJprD0@jTiIW0CK>7B<TglkO)#iDj$I1G3e{yn}_svUw#cZi5MSS5x|0C
zyOe=Y*@+xzFB*U%Mgp%3_3$RqV5_7km6<MgPoa-9Dtd(VK{8^?P0ZkTJUhmsy%P)%
z6DB&M@e-|eY{|YI5|yAnTF(>jiF;!TQ5xE%7PwHKc;$qVeQ+{3IcA&8#^SFgU^BTK
zmJXIE9jW6M0{dXt?Qlq_iz$gBcq7a$S|(DcY1p9_MXOr0;2s!;i42tlNVl@~9neMI
z6i<M!p~t6^p`B`LkC9A9J1z7E4fFt#F$OzJ!_ysP-K@aLR2V2k5Jjxk#bb(bLOHQ<
zFy1)c=M@sEz>zFY9eM+n2UN()g#iFA*^jg+^ksN7ASNT=vT^FDP_2l?4iTd0y0=ff
zq3$;aL7R3wQM?^Q?@RKQ9@yAdP#@IWbQ9y-A>k=Pf^CVv%Vnx5$+l<)J;glBGy|C$
zIrk(v-Us+JiVYv32M5+^z*k6^1HC+w1GOYYO-V@Ko5K&JnAN?s8VTt*)Bu9R05?w@
zRu^CrhhAK77;Dh61aOZK76S`s6!d{t9SA*kgWS^Bp-@0v7%q_?SC}OZZ&#^2OacJi
zH!~Aq2&Hb)ws^9=#)rEXLd+vq*-wysR2=SCD+Po`S8=LKLb}JKLc2q4<=5@50YHTB
zdX`}Xv4eBMCy3?YJW#6fbP}ZsPT&UZY(-HLq9jhb1@J1vNSErEf$*@{+c=<E)FXNx
zQF=T^g=<c30>n}n0D%oQrBHTph-VQ*BLK<-`31nSZi|sM+&nr|Mjg=sDXpN;iX&Cl
zZNv`MBTeEbEF{RNz?f_pgnX$D?NEA#0Vd%#FeubkB_o)g2-))hL*#}ww+|_hoy;T2
z#!|#Hm{FA*vLC2HtVseviR5!z5BdRy(1b5t&Kxl8{7M<LQS~V4qUEamx_am%#}@mF
z1AkQMP;PPol$4G%7`m4uiTV-Kil~8tG#$@MWy~|KSD{&+94xtjX>EI-F-M<o40v>*
zP0)EcGFK$cI|(FAHJQg7nMV=DvBE;mH#{QEvr5ikBCQ1>MQlO?72<r!Pf3{&MgoL-
z&Vh19&{D2}p6JKrVZq=Ze_~V^)Qb3~D6uZd%|h^lIj0`xh$6(sq)LCtdgsQ1Ix!l=
zbsaa1a85A@C>h}q>J7<_&I;#Jia!Bqp^-FNc*>CI2`cdM-04y`9cL`ek`pBNjJk2Q
zKXWaLFGB+(Tq&cMTo|v+WGC`c6^h6JRbWHOo#la#4~G)x%7AdF%Kg5h2KEIXVg(TL
z%uH)K0eg;fs9Z4YXg&CO5Nwwj%61HWuY>N7H4~~{&(gRPlCn2mXeCR8S<AB&t_b9{
zZ6mC-S;!hy0?JyakZHwBU^L2FJQA`HKm|&uP5_?R31PC*J(i^K3&2lMEXrgaC1l`|
zjD7Q3sXYOx3G4KNW4x<K;}bvwaH0ZD9)L{%_k~J1;im$Rfj$;pY0;%;t_=>7pf_g!
z1L8(;k_3$GfPu7g(~FKKQ)7-dxu=11=OJl77mAeI+>T`z1e9oGuy~b<w&MvU8Dy3U
zG=}?R)RazQNIqn6F;y%R#Xg50Njk5AAdd&4p3_f$Wi<BVr^L&~6yZPZ`yAap@J=%X
zcN9<yRL_yPvYJfi98h%}5X099z>_UQB^#2wN{5n&sIL;WWTH=7NisS*Ltx)!5h%<M
zw?j>x>8;S!soxmf<}lXpvU!w+n(|R4($QQwD3U2?t!$K5%s+mJp@v380{TkTk;0d^
zNqt^^BSV%4qyphf*aQs@FAW8BVnD`e0LJBk=>WNq@zESWUT`?*i{LAh);2+81?G6h
z$SNQg3Q>Tu-Klww>qrc3a+<9l!E}3Nn5{(RK>v-MI<su5u~W{*Jr*sJxOUR^QSf5|
zCoLd1>=TtN&N?+|=WeM|v9dZhCtE6(e;pP9GTC_$zJoJ~$%N04KphZ4gn(BPXEgd?
ze2Ikb7r`D~(6O=~Uz>ZOBoGNBqJdhm2|XPj^qBp%<3VPNzN1t=Rksm`R7S+{374Bp
z5TcXidIY9AbV7WU0zOLe)%(y2cNgD!Sk@bB$Sgdo4wk9EhZ`TooS(m_*or6Q{hmh0
zifT{Wi0KTtBV_%$%qdD%{Vsih<M^d3M3c5HF0r30_Yx}<AsQD1tWfFVh5pEjLA^jT
zQAb+E6{Sn?pbv@`4-y{CM9z~5Ko%%klt@}p1Kde~$f0P_A@lSTy@FsOC|^`aO+7;z
zg&c{YO+ZYdW}riXN1R4LuCXA~>@1P*3mUgVATnD+_TqF9fTHLGSm_z8MiBlFlG-17
z1b_yx1JWYO8uSSO^S}=X1(Z1Q2>=h^2fpQWF!BiiG<hPOC6QGPc?8yD$e#uT4LFP-
zh)+v_9QUr0IZ7udA~-xrNV+0O4Dcgxi78%$l7}D$1v05Fpv2C^0O=f6B&ZQE=71h$
z6iGz>CP<(Mr-bT3JxPr&0HF*_q^D^x*9OWf;H4#4ki?O(0q0p2m;;1g4lfZF6jZhk
zhYalO!r%zTd^@dYX9H(uX=hdqd?2j&ce1{z#_34fXkTMDa3VhVcb%Y!8{yRCjXTYz
zVIxztD0HVy+CgMt%0l&`kg@^FL6vP-O92?ohjgoI+p6l!s_MZ>6K5ANknrPw>&c6l
zH%MHrQWr38kYiU?4zNZWVc7b*wi=qUs(P>*#UWS*={*$nPBn@`w++%%Hpe-`uU!}`
zICpBxqY9zu1X~U)k&cRq4#8;9apG5*CSU5yVA^UpMMh%dnqxk&D_p9TovOA_(-;C}
zo~pID(-ZA7;EEJAN!g>SaA}MoGS;|^O);BkkBu^xTt+6C`LxICnO8;)F{NpW89YR*
zqpB^m#HUQ6aReJd$g)RC#at2OW^}woj_H&^pyIjUL8@i3WH?JlRtA_x10mMh8nucV
zvN{^ArdW%NHQK5wVF%%vqZKe4fK0)fLb7EdaUgDinHg$<4Nx@z%?#2L$lQO45Hm<3
zp{oN(Ab{DHY5KHT`m!0?t!hC9c0;-IbxZV$PCpYYXz2t<*$$kf5g%kbxa=@bvK)+?
zsw`0mL9!f+R9`m}a0qx#uu(Swm;~Gzq$NroA+pB3kl?)CR{9|p?1xw->d~d@#wF^s
zXcUCp8KmS()h|ye3Ai&!NXs762W=xw-;{(Zv{^OmhYuzGqh^qWE|9naRnXz&yu#pD
z*8_sGy<6vqEvbRkd0w-bUa-kNtoh;stt2}WC)Bk$lzA>%V=V&+afm_mW(cMZKr(oG
zBKnHJBAAd0m=u6?4l67Pgs4Hoh&hD-ubPJiB>J~Z5L!w@sj_`#@_k`4eOWUE1qn!Y
z5>KgSV<_S@(-~*jLo0rk$Re0HwUbVf$&zE4-XkIwKqp|B0dg?m#(9Lmtc`~RB>J|@
z5Lm;5sZxDr5<Okf{aG@^1h`mro<FH#TPV{RrLwOQ7dWyMc!{c+Cxawtv{1sWQgiZ!
z917?D<PptgIzEK(FIsw^K-^`m6`;;2@^NkX$rUnlfg|<?jWK2tSSc#a2bAX``3o&{
z{HR=6m8J)e0j*9`=)5i;4PS5dr*J^qfw+={&Rbvd!gNpn3}Ix1qng-uPMM*@PUtf&
zOCA2_$<5?%ZPSyg3y9Fu{1R1-?SP-X*QwK8jDR>v%p40ylv_-#X1V(tV6_ZKE4LYk
zI*VeZCJ!*&pWP>lc}_r#wljj#ybCbWJ#zj91xGdjO@^TE5Gpv^Jp*!@mP8wp19*W9
zkU5-%BNj-XIzYyiIS<g8hY-ZB(e}mq8C7EnX@kelrM#<!T+EL=Y|qrqqO6de2-QU(
z%FE6|c@@oKWhq*nXehR169;)Rk|Q;u8Px-1%OuSplXB!UhrS4tS_3e>QehaY$96{~
z8WaYm8idJo9LkVH(8G(L)kMS@2jvKjc=6JeuS|<*m5J3Rp;`Y4xW3tE$L}<&iMs}f
zc5>MbWQPe+yLl1X-hHKey%){4t|L<5jy&Z8_M=mv+66=WqPm{r%pO$*td)y$GbBl;
zOX#N$y_8-tL_2)jUj!(Tmy_5fV-1G|5miw`2u6hw2&vgnGi4;W*Iri?(j?LC`W_PH
zC`q!Jh(a*7xfxKTON$V;k8i$xTR!XB*FvA%B(_vGs<dvk4RS8tvn2|=iqixU1UJMY
zV=5?hNB2aKqsz9BrD|Crwg{n(H>+oCI`O;^r#@m5E->()R7ykL2H(0q^YqRte=!4N
z@=Dk06mx*W=2NxK0T1IM5Eb?Z;YT~rc%yFPQXr&9or|NP9Ecz|ROOUc!#4B9?rbvy
z0V3jvC|#@T1`u|KsqIKd2I0z=?@ULuTcfT*JJe?jwP36hLJ#y`%VS~Q>fqlzhanP$
zltYi1mY&^CeHA}l(2cDWys}cKQ=wS6L?f45+-f!ze^4TtEVR^a$jLwh)N=dOe?`qT
zU<*DiPz+J?7SnG`47gN{5`;W##kpz(#H1q`*Usw%x{1J0rI!ZBCN2=IS!vif9YG@u
zS|ZlIYm|KTOYK8l9#m6Op%xSp%2z(x+TbZr5c~J7D5=&mtDL_qZ;QkOgbt+ZvIPb&
z2MjUs4ioB+`GBsz5oxO@qL!5$Z?_8<`4PQh5hm5{x*DwBJ*KQL#^7uuk&L2L<q8(Q
z0*8pU^1WXO>(sBB69^fpF^$jF@Vh@NRLNyNeT9(8Fuvf<L|K?wLK(9e<nSc%lz?Vs
ztce96Ts+W!YY>p=WD}2IX1Mdoh(d!fi(qbjMT<^i2B2XmhdlTmgQVRocHF=JBo?>D
zzeURI!U9kWgEA|{3$8Z`YIHA{uht7uf>@(+CV)_BvO7*AnQsG1-W<Bn-4yZ#;82b3
z=WDVPi=Y^P%)#3rAO|uFH+(Zfj?)mVK3EpTiBdb4N8D()FPBlYh`~wm;_*rbkPu)c
zqJVCB_As1yPEO?!N+`h+SEvm=iY?)qjN3)8-hJAlfNFLaKGRqtBPMZ1mJtb8FMMNe
z1t*juuTWs4AbG#yjNuT9=hq8?5PoM5P3)THih>a3CQ>jsH!i(%FAXjOzj?N6Ae&k8
zEZt3Ec-{L82x9Wk2x-g$Su)%I6b__SV*6TB+!cH_c4P2d^Q{<^vI(iyi&X^Qy(;Oo
zWeX3fB9dY752-i>9;Ot=WcC4MJ!uTXdk7-L&O>Gk*iNZ%(w12m=As~kYFqrc6Ho}+
z=8jxt%@Oe2h0HAky;^Qu148`)5g|2f`RE}%){jEg9w2t*3S&TLmlRl0=|!=pMVGu0
z2;C$@Z!{UANG)MIu+k=<GjlF7I^mzmSb}P-o8Dzvd1O}V_1Z6r){ElTBK5-Tik0<5
zoS?p<UO6BX^F|b5mSe+rvoR+O_+A=Ep9U?Gx;D`0kkCZZ#nF6WM;bJ&BIN*sl<_lh
zi$O=G+8dr?t|J3?)|_eoh65a;P#u?|cEB8fk>eOfQ*mr}a(7}qYE9Mg{6=anMuzPs
zVQy`S(Qg%XO-2TQz927hJ(x|o9@&JbGvN@X){phH>x#J|HVoz?S}6M7)Sd!akdAiH
z#tolukWRypt%<-oK|{g8tZ2qT{yhX@=R!2IO=4qiwby0=lxre^URc4C%0KJHfCL`n
zu*zV-V(F_k^QL<KNP0&D#DBYlA|{JICM#`I_{r;IAP~sYEPmR;tr}duEz+%=K%Akt
zAI2HP`I)tDa-q|#p)0WO3lYXXVbeBR)re7GK?x=uB<-=M(CbX0LEL9bvEjCAk4L$}
zToZ`s6uEy?oFnoc<$20%{G@a04K@hIL@~|kDWdQ_YL}oL>;gn3W0MTil=`Pl*D)bX
zGi}4d#tVP&2w@Oh5|_zzgG{G}8C+sF5ks3@bdh?V`VF0?BE+y%$&TW9F66{*mF8rT
z2IN)2Ta)CC%Hi8s0%;l|PSGGt<M30Y&yN@)2moF*Km+C;w@LIh$df(@^#4wZ`3d11
ziO}NL|InWFo+SWm42gJeb(DE7i3R<=s9e04fsBdvXlfR3ConNY7Um(8p`8*H#x6jI
zS0M%yhQ6f23y+XsBO`nE55ihJ{X=N9jKjH#EX?8kSt{|x1-qcWUDFFink6S;hS`Fi
z3w5(uAP7W}6FF!qLQFi4FpEr=b2S5|Yy&;R3w?4r9S$@K0NjE}1iy@*&Lsh$Y+P)!
zq<fwH()c0?HOkqOfLZ{7BblH<5Cjy0hDizZSek%=gse`8MUoR}{2+KkP@zOG(x+h&
zE{ta~g9cK_OUT+dZT{MEXdvU&#mqY8s*aELj<_zOrJRx*x*B=8CB&3v+#lk2AbTe(
zwj;)<N|beBp`ES>n)vN$(bHKAMenLa8uiOE4xgd`@UY>m8e?$GAW~MtEcC<%=F;Bi
zw4Yiei~|h#zaAf{S7HWJh7q9DNxB75Fah}iX*9Ee_Z7zIOtp*_hGa73Ajd~a_*0VM
z_7lSd*ytZoKk5vAac?XIaDVJRV@<9(;ZZgo?E=njx_pn#x-3X(VBn#gr{nPy@RL_Y
zN++Szqh{%k7MF*y8Up9$dxtJe(xZ?)fpbd->x)?y4g9u&f_WZ%rytN}EbcH`B119<
zg}AnyBW6SMIux;k#9u53=r$n%;xSzbk>nE2gw}q3Wiel0QmR)+tnnBZ8o`Sg7)D`t
z4^zj)D)E2zXorZx@NyY$ab_?nH6$`hR;TbyuLvm}%~Vl1+}{Zsq=bd{%Rf}y8d1;2
z{-Jes>b=9>tQ76-+xcLc+(|T8AIyiY3>x$_a-i$-7Jv{vU28Pv(##DDRIrehCXz}|
z7?2lt?B-=KhHE^^Rwzn9f@onSBrBq2&NC3#XR{gUXfUH(z=J9f^WO4y6%j~GH!DMP
zP2(34=%|Vm0zJBf7&qs{@J=$YbVllv4TU@s`eha^W%g<Y?86UZ`nzHj@cxXhCwjr;
zciNmhQEQhsV1)`g&lQn`IxUe7*$V<ybo89e-8>uK1v<B@hM^$D*{7;o(Lc6}7!yUl
z4Ag)pb6~3|a<nmRo4Tb$n-KY}N)l|_blR#pB%DaNJ(GyzrArc}1%aQQjqj{DbR`@i
ziJwMg#Bu65Dr5mcI!FI$fXvOzSZ^**!10=adl;&P17O&Z^b~;{GYJAiEeJ&9)DIQf
z0El;fgH0F9x!MPU*nkp5Owl_e5C@al_zbw<4pn&s2MtDLFUG`2E2rojW{-CS#I{pB
zYb#$Osln3R^e7Ev^2zeih$99rK_e3KRUAhyvS>>84WdD7Ve!0XSrIW_+b5G9c$gs8
z%J%~_5>5Hu;g*}&m@4kV9(Gl1mq(3<B4Uxf#5g_CR)|HkQ+ub`UX><0Lp%_8TuiKn
zxDA<7{#NOpG=_kaG5|RIM;#0mc_I*9+K>ktIUo{XjUWy%Xvo2M1q_NE(oNumt6Cb%
zz?sbQ;K_1G(7sYt^$aBUUt`4VU;ss070_>G9O@}7(Lgy*IALkDCJRnITPQSuke1~@
zkXmKk!C?t7+p|R>aZ7Cxj;oy#M$%0Q6KK2Z0M`T1Xc@Z7fh=L{rv<YvL!o`YD3GZa
z)g{!Qg|cv2U6+nRY1Wqz1J2+D2z8*Ouuu#$A7eaZC>+a#k=li~biq>lL~43V%*doi
z5c+%r1h)2rsDLz8us7nO3H6*n7CpgkivpS=iotbg8(MVxlhI)yfwm--ggU4^5?lsl
z@P>ixT(5w*ko12NFcmiwL&-#5BlaH<be0}y#DN|o_@M)62s0xxC`5T6)!Z|o03LK9
z3Ug+pq#wdk=2-F0yL6s0k(UqPiE=Dj%}F?50=|KQK`QoHMDHN2e;)VbTm1#eUhu(u
zPWV}Al7?uU>f9U>xYZD(+0_E#!pRS)_>gKdL6%zY1nLK-<pnP!MjSPk@S|ZMF0l*&
z6_Ow?yitiHFQgq}=?4P~faJ^XvvJ2I^yj-Pe(X@r_RlqhFwxT|iJUK(TSPXahiEMZ
z!(O{<M^kFZ3|-3bjbftUiv&}3&iq^m+*o!C^7Kw}&lFQqZGlz*OLEDB_oOW=r2Ab~
zQ$e1;@L(IKX<ACc0ZyncEI!l)1_}+}{`)I-Wi*eb6`I9j<<+>bC^HG^QR$FsTpHyf
ziVP1x1o8lgo#6J5QG0Bb(w$VO*iW}Yc!k*z&3FS@U6lj1r11|nnod5nb|eAuT*ZbZ
z<IX1njp3r5o~;qg5W{Z=^@Yp{#%Mfx5ujYKdJ(hF+|*iPPG~s-l;*tHC*1R0U64Nb
zv!)ghO#$<!!d+*@0E8bwW4T&QBx6B6<0UX}L7;AN+okJ^3hMZ=%A;<lzIm#tL~ap7
zVtm6+5(GUWN~=s>0N&~Yj`Xx}uz4219T750OlJh$+!j0Wf?8Mz9fG|&K?V)c${1Y0
zLv#%2qy(lF;vkHvvq@2k7+f*BXdnRJh@K8Bsg(VU{ZY?SN?~JND++d|3Dhl#Y?z7T
z-AjywMNwmz;eEbkFz-!LWCH!ks)a*_69$y(p`(K0d+F7k<Rk#22x9J|K@t))Q~+Q_
zb*Qt;rM@ayF-{)rk=llA^pvbpB`z5Cudrkus|=JY(7)unOt)GzC_TFp?*O|89swqT
z2bwp17RYIDO$itoQfmF*mk{5OEd1UJ0vsw0S5Tjp_a-YtT2m1ocT5N%l<<wg7I4Q`
z9vRaJSSc>69(i)1)o(;Q>Su)VEfbUm;Ez(8udgf92M4S+Ue~lk<Y0k~guco$?K|qC
zq}jJ+$+O-cP|nkUmoh&aEnWF7njV{snM0F~P4;CfV}neF)S(8*xuONtTMk;G**8&C
z7U*unC9=5c8U~D*<gnR<sZ2u$O5tAA1S+3G*QUd(%Bw95fIJQ0E-pc(r$~uz$-Eus
zHDq)*Nnd+%tP$ZcTKE`{w>l=y`-5dzB4GL7GPwL9=L{!W0k(MQ0n==0uAmu7NdUn$
zD<(s((~v#dOw9}EXm*+}Pd6^k7^);=je;>Y0!_M9JSGiJHGOXMKd2C)FsNyXVt^hG
z?p5xFmER;W_>h7$$l*tV5=W}1a_$2bryW*(wJ|aUsz7Q?D%z!~=Ng)+qfjjaq)h-y
z?4%HD80@w49|)$}pDE$5BAY1EC*z*rEfGKgJqm-XC(&%BQ!=<?H-#~Vurjnd^V~K6
zoKTMdO7KUWmn*7C<(b8ZgglN!%-Efy5>YzJ<~-txtR^xFdhx`LU>vBOLxNVxzs14k
zI9-(V9|);{a`CgBea(2MgBhcAo>XpT<qR06SACC_<Hi#^oDq9EJ$Ykfr(qHUorC9u
zZq_NuTGU}<C8<Ie#1El(E72|xdsnSTVT7&>vT?pT)}mwt0U8>k7K&*E7!Z@-G+Q9O
zS}5p=pO8&2Wh0)UU*)k4m~)#^?+!t9&F1N;?8G@?f>%x=C8k_K=@(Dg#(~gzb@?`A
z!AL>%OEiSUCWL-7B(rZcE94#VkO5dZU;0Bsfn*;J??B&Y7<4<l$2n*%9ZlP97jOdB
zy+-IUcZmk;vJ{XrL?f2x&vT*B-{?p*Cb`jcHY<4v&Iwz4Rn(Mz2y=}Hc6`$(znWyp
z`arP?9iT_?`#WeGXFT;E?AQbpKe>T+h{&`a+FonN5B<BdfgrmErzPt7vvUM}g@?zt
z+zhh~TtQ@$<U-8H@u>PNCBnc^t~#U`d?r@{xKd<2@$R?mB65tOZkF8T;-%<afuYZk
zY`+gCds!#YEXW{cm}F2$5TpoYo{bnv?Fti<^F)Ink@?6pno>A;)L`r<D{;_p4Q;p=
z$s&}jH(0oxAKcI`Z(X;P<+<3zi|WLd0%EU0VacA#tPK%Lk0rRhRwO}z@;OT;dpBqj
z5;tIvIHl)F7No`oJg)J@=v1E?=J1$e2r4(Gg5g;dKDb1b@n-`0Ozim#X{dN?VI9|?
zVi98n?r|7IZ_ARVpuNpfAxek$8!=}q<9l9R5%)$d{Uw7N86IOhGqhr!lW}Kukmw&u
zK_tg{By?uE#d)$!(DpUkYP9zT1KS{KFg9O#$qBiG?z#2O?ZV>OD?Y<9YS<zT=tY@z
z*4<7XCfu+Poe;$(AJrg{oaV_ce7LsPW7Rj4S_!jUFiKAJrPg&Z@v24xBm5`h>akH#
zd^<JPcgF1%mpsP5joK>=&i1D(*77_H?gk`nAKltVZ@lYgApe4~wqW4k%o|ioI5b-8
zQXv8pr)e8cGu6CAwik2t!~uex*BsM>h_@TB$5e(4aE|Y5t`>!+=R*W(JBUBAu>Ck=
zl6@YoxE<3b%VjKNovns%;g~dxBP2Q+HC=8xp0ZA)yR8>WYwAi@{<FSQq7<PHGb6W9
z_YHMmfC6tDW`9nmwR1Z&v|^TwHvWC4?FZcY`Sm$@G*s>8E{+hSaiO2J+so@T^Hal;
zMf0z~xJ|Z1k;nHY)`@|Wl8lGrGo2tb=w8tu{UEDso(%0dj)6JPmkEO^7%Jn(sg3dM
zdU=iX(^O^5hBGrxr~)!tfl=mPS)&K~FngGTPz$Gm-sbK>g0-`SpNRFFLJ3T>q|$jy
z)U(VI4&0_JNhfAgqvzLT?1V?HUwsKF=CdaOf=}DjVIppxY4<p;5M=||4%BsYC9dl`
z(%er82&=ESmKA|bw+e$nExiP$aW*t2&~rD02HoMJ8TfLOhDAWUHN{e#1_&_zwt-I*
z1<3WZ^#rnb;-WC2B*adO(`1sOPUIG1qBW8@ys(`}>4*r%@b+w^LI!CB61b?19>cU6
z51Z1=o)Qw&2|VVX9o$qzU6KNgsg@Hb_sq&%N%9zhnMFFOCS<cXq-c6UhK|xvGD=WT
zJkU*KwvIK+Vhc(DX@{iBtH>^M0@l--VVY?8OfSxe)PssWhCZcu0#o@rR+-?@(D$hX
z%PDmjT`eAGsSA7D)yc;jP@g14_GeL5^+Jax2*EH)Sqw(1RzetT9@zkYn*zdY>bUjy
z0p`bQi8R<0cmwvlcu%cy59?fUT9mgN99J6@nxV-F*TIOwJsp~CTw+&=Lbr;BDDXs%
zrXA4yv^d$bnI>tLM_x;@p7woQU;N_6ZiOSp&3{k&PUwQ*c+5%yHE|JWvmJDrAe=s6
zkY+&>HG$jN=>cN|!E*Z=#$+t<>ZDdSI2@ch-aF`5>JV+|Hbyj86l@i7%IjbLDI|#w
zRoejA#j)-Bfym68cKRwt78)-UY`q;u6F7ZUq!j{ytZkK$Vp3*A?h-4^+5+`SsE&v-
zKY8RvvBbPVNx(}8kFA~pF3S`NP!Nd?+|+)84ImNFgFwYWIuYaDG%m6MfTPt+(~zV%
zwCPP*0KjB<xylc!O#`ScOi>4%9$+h)?-WGm@V?CnAVTC6gA_p3(XoTw_4G>5;0&?J
z1tX1B9~mu`qm@Vrl~4gwMFdp10HKY105to8iJEQ3u%Rl)o*$%^FQu=DwNiESGCR-{
zDMN~Zpp>Itljo%xW`^sY8cs{#B^$!90pz1dsewjNyXpZ9S_Kgp*+uFpy~otx@Yp64
z;9i};;Cjh{y^u~?lLIQ!dSJbp#?c&7N@J~c5JBb)3B^g)#HWD{0#nDu4A<509_4~^
z|95*G5^eAimipWqeImGrz}kpoAo0aa0C;r>dngIWJ{r>3BX5$@lOttB<A<8jEiu5n
z?nyk5k!K}jMZR}3N^;05`O^>fc#w5S+%8iHhzk%JA82Y<;4`d0+L*~1j&aoz4In%b
zBaCnnBaX}t>tV)nHEoHplcuytZ~*v5aRKtEoPOezq&8HLYE5v{NwFR^z&;ZpUPW;h
zHeV%<6ze^hKpgi4PK5;p0Em+io&xP!2h?P^0L&*TiHx3zR8NtynEc7I?2zZhC6_TA
zMAb`2sL8T94o~|#%O?j$u6M59C<tiYZDA0^nzk>;j=!WkQaX<j2jc)Go@7q&vPdil
z|BM63QYimL35VB`I}CE5320vtoBnhkFN-!1VX3E-=#k~L-9Y+o#nFT1ii9|g|7@={
z863oT0yY!C@kRKjBvJ|T_p+6#A}*+WD-f*BQrM%0r)KB?NK(xx4YCa~!Z}G6*b&n_
zG&am(2*l1syi+MjBZGgIZZr&x@OPDKVd6F<?9`}4Mogsx6Hwf7W<K#Z&e6J-Bu#t6
z(hR7Kk6aOLjUWdBCO^1=BE1uHYsam<%m{FI5|}?6ff0Cs7Wws+JVF?93OI)E^mO#J
z$eU8zU?GyH7D$&0BgzF1wUw0kiujxZC55S$t{#3{Jl;wpKz~lhnOdIME{G+CGD#`h
zYm^hq6tt*@(DCA@l<%MJW$6T)9&#S(c$aSM(-xKD(iW=s-cMG0^`}n18$eJTL=T4%
zKZr(cwAWpB+NMZP!bjd$3WVVNsF5)hMfPbrRG;0YfhO1)4zgKqO-i;R)et7o3NEAh
zk@0UGB52`9ebQwkcdE~Kd)n7O_Hg|kRiv`T>=pAMzGgq1Tn}4E6zSwPeaZWRpd!iv
zCDRG8Z`4UDoR_@o9f99@OyLsUWT)RTFFxNzw1mHD*q&Q!NUTy?TcEBReTW<hx-d#9
zc>0esq@pvp1BBHi+}pk)pcRew+*ZRn$OQ2Vl5U53&~e20IUKPidF#JMUWLhh@|r5>
zMeW&2C%pyo4oxl2Vtot~dN~nU<?d@bo4-`rUdc=WeF0(pVQr(M0F2y7HN@ryLttWs
zUYdS+Nl-4Z&SwXwxy*7>Bv=fkZQBe2>N@~(%MpW$Nrlvnb;SjNP^imPwmxIPY5e(q
zrarGn1VKJ#%2c>tJVU+H=-_0CU9<(A?iLA?B^^4c-+s?q8~J6P>)UJMDhXo?$+THY
z(K<)4Hd5-kCT{ttTJRtN4}4(3l{*CF_TDW`JeHAk<t*A-DCmKQe;SF6I^F5^5yK3?
zA>l1^qop(9Nz=ej)QgI$(~!@8jgkvx;&4rb3iGQwJSjMG@s9J};tlf<5Rtj+teKvE
zJrXrzk|-B(4;Qqv^s<hs^xM)v#T^+uxJ4X8V27^E5;p*xB}XJsu*O?cbB1l;Na8%s
zi(%)@0Kz`DTI1EU6XKKgrCv_{UjX9xK%urQNY=FU(coUE7XI~&XcxpAnax8p3fHF!
zf{e=jQPc%PcO|x)H`M8(fmGn626eIxkXCxI_qH&~8#&*g5A+61n0*EDf9!|7%Uyto
zq-D4%&{7x7NI;^P774ZF6!TrL#BC8ufCOo|Oo~T#tS;~7T*wB$L5{^@y+qp00@~CB
zW|E*D4VAae_DX<$renCu7|GnPe8Xkb^g)<@<T%^B5)(sV&PudQ36nr>jHShrLSkVK
zO>=tU)wilxSg6vJ%P;=Z4_@8}w5RP@I}Ac44h|wpoMQj3iKpN(0UtK&eVi4Ln>)mn
z2EK=WESd9s>=7;LguRAtz@z+t`H5Gi&9!I=EKLMf!)wd>!!DKzzA0FhDEX-Ao;<~@
zdp#{T>3_`pkJ&60!>U5CvAjMUAUHV#;lRkY&#Ww6*Gp;X#4(2Y)Z*NE=m#0-X-zNz
z`JL81`3U3J;*1k18SR_Cu^*{Pv78Md&-7rWGDdrCd<^3iO1sAy?V5)TnH$D?%hEPe
z88m6B*2u71$=PAAX<wbhzCWn2+@gX<%xZ(>78}Y`;!Fh4-Fl;%zrda+Iv9Jx2t7jC
zxjmXo5OPN|A=YI?P&<0e+CZj4P?{{$Eh06xU1S(bb^LLEJ#re}B9kX6{<LG9UQNxe
zajOaN;yI>m?D`OQmylq?)Td-x39)<&0}*m$U}*|@@C)0PSy`GA?zs@hy!U0$mrkRL
zJCI_2@?MN-`0^@&0Pfj)<4UT)q}Au0^%R_Mh3ivcMF{yq-<^tE&zT3(!|{a;;S)*@
z-d06n_QB&dpk2xT`n0pJ&J|iFBEI8AkwvcL=3oqaeiTriPZ2YOO6udugM9rX&2C-J
zZ=CX^c)Ti__nrl~oZRvpJLP&LdHG2?<`QR1MUlB83+ifcEMC$P#Hsj{`ZV*<97@vz
z{k6B}e18(bkvA6rQ9!Q0^xrFMVSxl>tGa6}I)BErO9U5BR#2ms!mHJam<iu7$1q{y
z!Td;qzO`u#3zG$qYAtqE$?@5VPdq<+O*@_ds;kL>&Bb;#vEmvB!>~HumtfRcMn*EK
zZY4Y|3=A>pQ9RfDis&bcGM9uCKbb65Z+GDE7+ZkQIGl|j4;CkqG6_{no)D(r*ZgJ~
zsC>X4@(;K~3|lqJ{8wk_8|`gB;+PF#rkg)+6lYcH$QQ$uy}z|BN9{{fcAdctp+=0S
zQqn89R@S%WV985c3|0*oFb{T!dYwsew>ku4EW2$o^Vj3ty#~4=Ys?>wh1l}p{u#wz
z2wfQSo=R()zY9@xx<WlPN4If?+(X6A!$GtL(1a%&-nL?5eH*c+Ei<Z+m|kn-UvdP$
zc6_so?mBs)rcr&xsJ`t$Rg}D6b{>X2@D2TpV7P&?is~_fgxrkTYA_{{ZsR(mf1c6*
z^V@YVFWM|L{!mCUJUklx<7ZEQzCdW2>Z)~3#|TjM0X)l?bPepSNcgH9NVg6l+Kds&
zWp_z5M-l3s$jHGAB)1TH1Ag2Tge*VT81K}miDiQLPbsh^s+d_|Xx6@q639S^T!#wn
zqNs13rKApx^@n6D=@5wq4+v(Sz~p!dm{Io$Ph|tkZ8TKm)=(Vz{-&*1U~bV2S?xea
zSE{McBrU0Wkw?Vz4*(oEjkREYKsh2IP^_7z;W&P;@bFjFu8+798W^MgL2Re{M_xdQ
zN^YfBW9=5~heIH{0$ZLr6kCT=C0<3iVd0|x(sW#IIuR>4i4>y>W-Z`6fa7v<JRW9(
zydKtr9~SL1Ew=!>X!(bKD?==ccH$4x0wLQ$h+{uu7|3InG?!KN;KiUrA(|Y=G#&m`
zD&pDJ-IP7fb8LZ)v)8zoFSpYM!>PPaPnj)$KAvYl0MGyh)phgQb*BJ6wBQ1~S<E3<
z7XYDH3}74p4K0uc0L!-khMS@T2xS+C!J*fZq0gQSXWZNdECL!2mH;HrlbDN&|Ly?d
zbx^Vx`YoB;jv<V_f(QiZF&1<Y3}%Rt%$Xi38c@sl1T-5k2xubk7(*%&4BbFd=)@|X
z)b~npH=@#*6Idt}PQDnjJvz*i((UlYhr}_0g?fbAzp8!>@B$Adx-(hoLYGn%;_qSR
z8gyll+lRzR$wL<@3W}74%8WIDzfS_FSUU2dyqd(Pk^x@`ogGg4@%X#5aH>;W=a&Es
zB6V|pb0KXy0`;Plw1)cNInfO}ueu<G7tad^?hc=)G?eRVQzP>ejXcmto$PRS`~xRK
z#Yto`B}lGn@M>fD7p-V(DJC0|ZJ_1}bR~xrw_<VF4ZPdW3qFUIfc|LSSsQ3sUJ%o1
zUxTs<Ba9YRjTL9}uOn+|t`LY7B(y6ko{BI-)$M;J3q69>312P=yJCcwNr}g70l-%Y
z*`N=bQ+oXzT;*I`a4$062#}~=s7NCy7<x_AEcw{YogRWghm(0T@zj<f;q;Jv089$o
z1;*%5uAQVA(w7ge*pNvg3Q~bp$*W3|7sd>O1}5+Rt-@KU0H{cs{BT1rI5Oqj0h`nU
z85f03cMafd!-!uN4*q7%f6S3cHtXPwlRJJ*J>f<MWD>$rt$>$4M@p{D2Ul3DRf9j#
zpgf>X-nlwMj#J+rjg)A4+ZT9$aXF!GB4mdbv3Nb*0YE3vqbt#oy;#H&&96@zE)b3y
z-ZP?vMb1|W;h7!-m{fX0z5S=(3P#tU5!_7IJqX;J<(zb;8;qW{kxAh?F4Plot(48!
z^K*{?OvA1VHRViIL9b#24aNeS@np;Y-ago#ZW-^3Xx+9{n2r#niWPyfglp4CnJ_rA
z&eDrKAc|mOu?P%na%C7iND36{L(+xGl{yJxNG4V;vJs&em=!=)^v<YtFw<sAC|jkw
z%N|63CGlV=E<^CB?w|Krf2P8zQ9!9O^ofW~i--2q$@N|i8o#_L;&=v;Lz^4W>!1=(
zaqg!SpNCWg{mYWc*tG9q=?ZM%`r>IZZ2L|^i+4d7m=p^+3TV)jm$qY2bJDMU8J~NG
zDG7W=B6j7~CS`e4wDmaV%&ID7B?{4D=*0Cy=_fcQ9YIbjvkmSUh{@}-2At?sr+x0?
z(P7ZkBP*wFsYIgDVci_t`E#IR5gk|Z!@xbH%f*ioN#USe3li^XXhw05%A-8n)>Klk
z$RoxE2gD3Tf|0}%a-954kd_uGFx)UgZ@q-8%7iXW8v!5?%ZJ^0Rv@IfP|ptX1pKC-
z>>)|be#$|~#ju|&GP4|?Q#*iZFrcb+x)Y!;kg-v&TdnN{cSZqrQIm{iY$Gg`JC+-!
z*HD%gz0$Jl0%BZOrWwl*BxE#%G?%<fhAz4dlpBXn_IAs=`N<{9-3?I8rbi?Yo2FDU
zvm1#fvg~u5C0NbZZUnvNK9+EXn|57(2cdP|o0G;T+fGyC6T{P`@riNiCJ_&=6OhVj
zdfEv(ye2j>%GW;zF$GR%S>V1{ovm_TXA&TTO<FYDpDh4Faw+U+G5tn(Dh1I8IFytF
zk^ltSa!<G-7_z@AiUX69XTy?!Dryc_1tMFF#IrD=<yTMgbSHNRMFhrU&{DWjjP%&-
z?W#eO>lTXuPgAc|u}+kv`I^_0>L%uF^n^_79f05_3(!_EowkXC_K0e?ST!4c$3XdB
zo53Csw*@1A)Beo(>)w6fm49jn+56%q4tDmhNue|w@nq095m#*L&!Ff#Q0r)O%?y``
zQ3}wBuO`6jfrk=mSvN0U{eV%#eOr1~5d*)RcYm&l_h_k!vbD25&`%kj%IazGd_KIM
zn_r?Z*LInwo1hL(kwA@s;W<@fP|lIw8T0A<d&l=}nxe#?@K!ciW(QGP7XE<#LN1?t
z5UWEixleyHVSM%%C%Jn8yWsqEZKDwfdH3_Cr>9{!cjD-n6AS4RHpqlDk<#-u_4w6d
zC^sNW^<Yw`TImvAt7-b#asqJH1WffUw%0gL5h`0KrQ>~?UbHTtV?hq|hp>#tnvK{I
zMp!KBzGyxXya}zsGc&A6l~2^&%=_g8f)0z0bK?zz$2|N$dxWQA7YFdX$gh__FQo^f
zbQRT>fzkkf$RbLyi$Mq|5ev2aQkx|Pcp}!L6zy>#GRRGePvD9R+7OnGfL|)HTwTCg
zjK%hexV&J63TcIhMr5wN0NHh$ZN@GiI$%_J3W<bfA68RUU^LcTAOK-$u|oifX3pYA
z(!`#A@jS9P9QLC<QYlH}UBu?jL~4<Y;CcSb+9aVBr@YEUkE;KPCaMKp4MNb3Zuh1=
zu>U4f639N_L<>;Qr&I|A7nf&**pF{^U3jn6@`j<Vz<s&g$-LZ*fDXG0mJJ5AXskQr
z+2uE()H_O13H;pidM>5L0s1OjyDv9EIEiIlPrgl@nwz6}QbWf&sbM}P8?3D;YVWdI
zjqDl}0GnQkDj|PV;Pf_#y;+_w4VOG)h>frnIKP!AN}kWqx7T0*T0!`HiF_|hMWy?h
zP2?XK`kP<h#bsBGlTqyhaLLQ7%sJ&$&2;A*g~AV)$^4wk@GA`&90)QN<qz)Yz9)uf
zh(7*$F<irDm~d>rK|Oqymd75s^5Rrf&`L@p&r!baVl~Xz&$c+6t%Habs;Eqc)yh>2
zA%vT512}`cCV29+^QJI8$!>wbYIka~N~n_n^C$m&1u$udv3sZf`m#Ik$71km;c79Z
z_hnt(K7Tc;yk0`7Y-0v~-V>7(w$`o_pFx?UAKWV4&s18qV%WwL+11@C{LJ8PlS3?m
z4j8<Qqw<`4MubOK0h;q*+*+X)338dLtCmFf*vJ>>xTEDB#D)#xm`-j7<4p534Be_K
zo)K7u%K-Y6w|7U!L>Z6o1Om}g{3keX+-4M@s&!9~*wyn*P{TaT=CvvcH$Zbj#WxxJ
z|B!Q*FlwGv2g<rK_-4<{l{R`@PHb=vRKqGcuDX>UWLm@Vf=7518-wHQDc}D2k`k5G
z$WCev%kC7c2OJOq;-7$u&mJllaw!%K8!U1a4gjihL1Qd)5FsX`fc5a)g3O2|TJ(t)
z7|UBoAdc*j`g?+CKp1Fw0pkGv*GHp?@L<O~zBpr8XW_kQ0s=(W(bzCVkKInm18N{z
zx()m?qO;~AbwFecKJaZ`%+YmZJw;7V>nnJkOlagd79wuEFa|vdlnx;OXP(ADE`|g;
zhDF9rKWC&l*&kHlvE5mlgR4Hhe^n6AcYAQ*>baiaDw^!LxwLT!-$6OFO>__qB`2K9
zQ9W_e#zqOYKeH~g%|<s`caIkNE9|~r*BEC5z&XmW&%DVw>md>lI;0GJc0>W5^#qvI
z6vr?!F6^Cw%E!m|dZAMk>6Y4K@BjomS=fNA^WSw~3)SL)9(r^Ee~MkbTG*WFMuP=2
zveMN3><v*~a@#g{-cQwZWbKc`5zu2j_!x|Xv6J|b$U~YijQ7!}q9IleK{o?UKn{^K
z=bU_|#~u^2*PX2}1rr=NomNCg^+DIPQ{dX8?%uNOrd&LZVcro}IViHDfK}V40CF*2
zo6&k8-Uz9J8_8=)W)=<S(*_yqC<ewH8R&m2EJ+^Aw`vd!|1)5+P-?pzgnjpBp5EaA
z*bt}?JkkB=L<4K29fL#v(uAJ=hyS#VKxP=g((<`@Q>JOOE31~wY1k2yil6u@au-hl
z?-eQZfs<UG-a{r+9O$0h_4fI>LC+Bj0|6C^w7hJ{ZWrl5Xbj;Ac^oEY^B8snUTjLR
z>DJlfcVHd#IIcI|)B^<=eQTBu5F>H);E+BFGu5eTx5kX#y7Xv+@Tw5E=69gvKj*Y~
za?)}^_sRjSKJA9@p*ge;LEq}-njO1cl7MSPk7?l3c$@fC0E_R=SxO8v;Q4}a`4h_H
zASjc~R|8dye9rIqJ?uy=4%e-Qv^t}Ay+w6&z<1F@=+2NKLE+Q9@187`LW@ArupHwX
zY}8?a;6oR9ZYnE)!D#|Y`ENiO%}A00)?ftYc+h4eC$pdo8B7Re4;Xbv5M=5$nlkJF
zVDgxweFXrwn&tq&^umOxyC&dFi0jU~?okP`3>A#uop&(67#(D>(Bbemo5mwmHWySS
zB&%J>1H#k-%uQKp+J%{~;%>ACUC#fbHd~}K|37bFhcmbRooC2NXmedwyTNK*+3MB=
zJ#V)EoM;Qe#{)nZiU$7;Kp+?t3;q+oTO~{oN{xXB3C)-fO@beI0~Pb(QnEi*{sb3C
zpg>vDJO%dlr+uhJ1OU`JQUZnOy#OdTvYGdEn;`5m=+0%o9moff<uVOE(GJKWI$Cl8
zq@9^)URwD;84m6{kx#Mo;D>kvn`qwZT;ETAlE!dCAMNODAl#0T1FB6RJkt>zZB*iU
z_OL`DX~+|B?))A1`JVPf80CEHhMB<We{2*csm5(6mkG$vnjnjLm3a^eGn8SJFYRN{
z0N@^ofE9j=2Z3YX&O%$R8wh|E=d3^ZB<>91*6V}v2TU=!;cjy032YfHUYq%9v)6<k
zJe+=@Dsmv5K;OizfSY1b!#uY%x2l*3$-!Q*5FDTQ=%4G(&~0rltZ&nf|FfNK6D5lH
zLy$WMvmN0*s?{(uiQCJ0Cn9sl^&l2_m1q{CfHCe01wK|B634|1bwVJ^X|1G0IxnPs
z*!|<p#1?KKG9I2XDxN>6VNGXn%CfR8cUCE3efC0wJ9gaY070h2?9Om{LR1>~8aIe{
z*)|zpdxr0jXlJs<@aIu-1#&<`+B*^%4=Qw&DVpF)JY*ecAQdVC#0Tw4|D`$yL!*(v
zAPAuq^{#>kJ&PpKN`#9l3P-_ixy2W7=9pZGmrjZnRr!Dfv+6+DC{MaNPja*fr^<@h
z_3m)NH)@*ug|RJyDhlkXrl>JkwRaGc4sk6CHbnu%hz8yF{qp7+!`V3!Li(YucBEE2
z-|@fZ0VB)+AZTrUeZxy3jcaVI6kb1gF`Lcxfc62$<ag?Nw+vjbBL#sRV$HmSe^HAu
zaS=eH7NO!I%7|H~c!--2u<0x=U}6>nZy49279qk{4>*RjKj9Wx(uT;vMY%ORBG*Y`
zM&c1_?+syJc#4!E&5gk~u!lsF#N+`1?7$!xN-^jqID9CgDp+~jA~)>`2tpl`*b;Gs
zJ8+T_APt?Eg@gb{S3DrR?u8_42q&%6DLArQl6S8WCc5zu%H0Jz&McBaAfT`W@yPEf
z#RV|{`MEuyrv*t2cR@}J>;Q2TCoO7}wnmT?l#uSHTFixV!z%kw_+IGR3VBF{L#DdL
zE#`B*KLg1*2o#LN8}LHKq+0;)f}L?iP*Otr9TD@C1(Xkq)(h$v0B}}4u3~a+;%N=m
ze^{w#(smSD5m1hbcw03(ri!QDQooPTz!-^2g2{|au#2U_jKZ#Uax6bKY9fz4hLTH6
z8Lu$0d8-8@R=}E+0mLmqDcA$LpkhxLu%h&*U}~uaA}mgq`~k|MNWN+bIwVz(C@ht3
zm85oopC-dtL+(&A9OvUo0JXkMjm%IUQw1YdQh@T9DF_)tPgldJauf&Rzev%LBuRWY
zZH%BiA%2so^E}cef;{5=BE~y7nu5sbRBwk|zSniq|Kx|qn6V_RtO+Oa<}~)$st*ov
zNQqcbsR-vWwk+h36y7!+3`r1>2n!tM3t#|cRKY=7lsR4(y+|rh5YmFhOdPMnTN*%-
zTo4}{1C_u7s}u0*BL2HZrYeK<Nk81-Mi~+Ct<p7NC=V5GkYRwJJXN|*X2YaiDlLZt
zpwbZJUYFih=?EAGD^|mrFRh}E5L={S6+q&}$UNnOTmnI1KAkuQ!3rWgD~1L3f`T%U
zK6a;(ogf-TFeMQv)L37tli$t~=88U`-LMxb6($#T_T&&aa<%;ej|D9n1$}beBF1<v
zbp=iEmxoH$2r9Hg!{FL(0IfJ$3C96?YaNEg9}Lh63k<X*8On{Kf17U$9EnZnD_=#2
zAXttb;O7C|1xEVVrs)$Z3enjH=^9&NcR^7|*;`_|+a0h2V>_*}mTiv06!D@#x<-H0
zQ>qGzM{3(16p+(LXgGe;Q=$rtXr-n%4KYh7D?nNfNIf9?<}#L61RtyHr}<G|^PP;?
zJL5r}FOkj1$mHiFC?VWWAhRnheqe&Td?g0R5es}JdZ0%1|A^Qa(ebnLKj4Cxwf|v4
z&~V2Vs)QN(MmkUygMq89k0SK1nhqx3Re?`393k%jD*5P*i3JyhXv-6d3hV${E*2&7
zdw9^RbgR;Wvw)O>x-ua-@XNH1Fo)pS1Z>bYKx359VhD5(hXrTYJI(Q_fiPNo$l*zx
zE{1HgNxsRPjJkjf%FQCacq@{Eu%jM#-!EiY8(t_WUMN1jW{`b!C;Z5A>n49U4gr;n
z(gR3trxr%ZwnMj>0hca-Ap$m$?u6C4Rl<U$sAR|e^8soI$aSEYt3?RbmKe6$3G^@=
zw`3&nU^-I3O3i@gl#tR2z;K$l#)QCd<$&e4OBTR#u4pS|1xuw+upMZU7;RV%rg7B~
z>x8K;9LKB^c(`;G5KewTuaJ9CNrU{7@B;G?m=uU7uza!zJfv`V%~%k5UnLKnI&GqP
zuYd<cIn%li^~c|w!QmV=I3PJ^0>B;j`QX5o8W2xlDmQIIR02J8DB6OGE`!c^4TdF8
zWOw1nG@$o{CW@yhJ=)JlTE1b+V%my{Bh0-Dve<p-%^#TKy18K?R!Qu)*~RSYi3?nk
zaGrzVP%lx^Q%nFvnuFnz<tSqJfW@_}9IQGclQSDB&U#5D1px%DIdqTe^oFM6BUChF
zTm&F8Wl{BlRI3ya+JfwCY6SL|4qC-~@euEqmbiD&nQ8*fN2(uh56+Yy)I@}qL8w1~
zoGU1_HPTYJZiQb`#P=G`^$R%&w?Oz!LH;+B$p<_l%DZ_;YLQ_2rn&}|=>$dC#_er8
zPezZBFtg-cs;^1CJSI}OaJh3i0YCcfs=Xi>{4g^}@tzW)C<$=1D^=Li45&wh;RzCO
zrm6C$R3AzPGE>p@l}KZVv@yl2v22_ZC|o#JxO7|Pl3Y1lfjb||8U)46y&%Vw(&5{S
zjg}^iNa>Jz^?<X?(03PN$YLQ4NU7Dq%;TKZcsvZ1X+G79jVue)#De%4Pw3zUc9aGL
z1nLdl2y#`b@&Jw`Yw{Vx-#pp|;zu7)0Nz!;@DAk1vK*$)rS@?Oo+YrzlEQ^7dGI9Z
zlh1sB`5GcnkR%UbnbX4zz$=F<kSBEfvA^S~+<3$*69QGUK}V=R8G$t~l!k-w;^9IM
z8d>6S#tbTjkcq0oH&#a_M#k^5BlPXiS61%mNR(<t!f)mAa|#0V%hEJV3F<B!u`DE?
zTslTrO385M$w4B5;ll(&IBNS!^q-QJ*~U_?#787!5nMP)AY%}?a6cd>60mY^C`sX9
z;X>M$46t&y$j}vok&^(8@rt2XI=F8`U}S_T2@U3Kg$(AenyzE)kY+V`3NS(V@VJ5b
zW%nH@Ec@0DfZ__^D`zM^!N6vPP^E~`>JOq3m>_o<T<$-!C;K{5z;U)9!{B7cF%Ek1
z7{`tURFBMo2EHXn7iN4NFur(!BkJ%QBbioXRS+kjuy8>7Dvy<-uy=<3BcuhJI>>MS
zDM!N;-;3lSlp|#Yn6bhMCDsm-T9aKmbmJaJ?<B;LZdeRdB7nq|sTkoD1*EM>BM2oj
zuy(@6dN|z-Zs4mGoX}B<4*`6s<wL4r40y_iDXU03LGfsdn9TfOAPgB8&_PxrNF@Pr
zD$;1GXZkhUrd5hAP6m$9eP9$SUnwjgJ8`=2YJ*Pz#JIw1bFs~0ENj9FLLiG;86Gfv
zFFv&#1t~^_6A3CDp!?J0B$!W>BmuxTrMT`dJh8?1ACQNwzgcQeR=`GoR3V6B-0HkY
zfsRi)ztBSrViG~&n*b*}+=n1Vqq0C;baBIs#o!)oj5-fV9TXAkknQtLfT7UoQ0guJ
z*)qU9nJqbfZ(CMd?$QyciVc1cI?@K8f;KZ^MoKy7z(IwK0qPDAlGw@swx3Z=A3$b7
zrrf~)^V_TdNYSVV{4$*2l+zFeuyR$7UuIk`I9)0LC_X@wgs;vtk~vhx3$Y1s`iB=C
zqzDU2D`Huyb|WV!C4aM4yrZYhVjfW;!>MxY<o!W4qq)enpi|+heM#l0NhoXB22hj;
z!|GkX2wRY3B03X{TK1e`)7JZ-33r$FLg_(2K(D$%C6qMJDkhClm7M}1b4|x(Dls*d
zTJ-|7p4Z(bs%qd(Uji$DX)~aRnv;A%?I!quC@p0d!7plm=9ou}g5xBhxOf79EAHa4
zZEdB9O6u3-i8XuLrlq}cn+#250XutABTO?j4M2ym`<^khnD9B68cdp^dY^JnB~Hzj
zN<1Wz7Yy&&-O_~ED@W1qIXo}9j_x(WOrjATpvrWj&jYyokO~>!#^Zyf;K8lq7lbdu
z4oY?}xo9Li=<6v2Qu~@nFWeXLa#2Lhm|sdq5+GX}Xy6~7aS1AK<G?=qn;(?}ehcBY
z5HSutC)e+@h7PACbP&SIjCAwDF~BOCMkMw3Gd~eFdmETd-{V8CwC!Y3B9CKF#g|3g
zcQ*~ZL+gTQz5{3|cSFm#hnXS9Xj7`VQmh4#Ej1V2Re=5z!E`#Yd!Z_%4M9seLD_;-
zldazl5rDK<{#)N32@>dLwO9e=Q6(byr!bd5;s2r>ih*4CA!-<QH;hgd0aCjX5}|~3
z^T#~D0P7X{A}TbYUtgV^A7A}W5dy4|EyInzpQFE#?i{5T;sXUeQz+>%Svd`Y%koBV
z`v<ie9L$`oA<@*q>Iwkv43rt=Udd+otp?1R4312p3R%SgB?_O_cz{e0X-F586=4P^
z<N<$}C-hIxAhF_t$To>9i;ssCjt8f%ErgB22x$qQVHc9oZ%)_`+uzz6sD>aewb^t&
zj5bnSC%{==^pfLK9^tSiVaT9!qz#*uWvCs;aM6)-Nz>CBCo_6&7(j#*(z3n%QaOsE
zS*pXekS-4(#o}A8APA7iH(q74>J>-ROc%i=nb1s7sM-=O<Z~IQK1KjA0f}O_);J0x
zXPn06nq3iUP(rW_#S*=8&WddqO$Z|#>e>Wj1P**U-i8BEb>xx!!=cntc#e2`%Li})
z?+=WhAwsx)Q`UW;^0m5s%MqRc9&-)ACOJ}Sx$`B;yvBgd2c>lHfx(mmCHL%fM{!zf
zg9Bl;%<1j_(fu;Kr#Jq0zJcm>z%pbNc{N(u3cWDxz^`_Oa_h`KRk^Hz`HV2jZX;C3
zsmvrsRu&-U#gm#s*<OWgg^6F+$D3h@8)FmGLd&iGNnUjNH>C7cyPZTGuvxc<$b7tj
zXBtfzZ(%*;*`p}6;xxeKA{HbV6%(;dD2JxNK1r4GQHsAuYAEeq?oLIFyUujR#ju9d
zM1Th%{ixuZIg4bj1IFw?lwuS53uV&kYB`CZwgI#-s`-Do3y%wlw<teejT6!pLbEoj
z#1^P<Ny3lo_cgMqe@0g>gX|hbtxy;f1T$WrVH|01x!2I#EU66$<4awJY19j(gu(y-
zGP=DV+Gq=3&y^JO{5YV3!_^XPSw$zzSEfbeRkbS&?0Cqif4HhR0RD!dZ_V;-1_Oz(
z4-O#6p{p8XAGayKQ5B>4`P9L5z(j#q$S!^TT8#|QG{5+ejUwL&7;&vLTumdU;1>i|
z##W#ZedAKR3=##9WH5Y0J~gYG6APj11wvn+7+&BIEBgv60)9_<j)+*1BaFh|455gT
zA_ynm>QQ;=cQS?v77#`vx!z86pTvwrbQbXAPeTGGS~v>wdIfy&ax3R@QKNl<@L6$v
zy;3vsZ5}qV@e8Cfd2Gn&JUUEU$SCuSv<a@jNCt)&irGLs%{4IM#heupY0wA%edRdh
z9BZ<gdMFKBDgf9HHoq2<w{ez)F$vJih&@lC5Qr2o1fnsuboZnKE3CV6XjHLPjCdO?
zOb|z?V=c5bz)|o-hW}zFM`V)d`boz>3ZKjX!C$?dx*jauTg1v34ns(U)EWVf@&KBo
zC5JyelorwsJ(VBQiYS~V2g2{}*7UzdM3iZJ1!RMR(A;vFb#WkoZJ|i@O`xC<5i5uj
zhHu$394S^Y1_DV7`imE`PK&;OEvsD&{FR*vwUUPpAa*y6TGBT-`Uo&Z0+`Z?3U5(>
zB3D0fz!W$=H^Joa-CRE!7LZx|!7vXqn0LD>y^8PeI<F)<v1~ZAHwVKZcQ9I>4l`K=
zHy!MgV=zB$^-BU&BF8a;C`;J5fl@cWg2O?~q;Dc=-c;TL9mIxf8b+v$_iRzxYpW=%
z?1pQRa!ROXic;r+D0!zHRfwrOJ<hSgiW#YdP?J~YIFnbD`2nC8VjxU-6z&KysG;B(
zNLL3`N!p=tjiHdbp>eq*zMNsufnY#_0!bkj4+)e6s$CTaX2EWBl;6a5S<{h#5I_it
zZ>hYPhS}y5uJgzxHVg?GgP>rDK!QCS@lv(zkQ7jr1$pAcZCDafnNLAO)N_Watrq9a
zqX0H;3u{9f%8|4QLu#a#?g$Yo0dcqh3?^71VnGss48pPrE)_wTL39IQn9tPgE+I)1
zGvx_LM?qTV%LtSdsa{D@xWSa%0zMHpfm3v*xPf+JHqu_<az#b;USC-O$(JhBsxr9j
zICnByHx;s<vFx;lKxr*V@_I#MkeWqJFq79mD=LpWz2V}k)OeJo9x@HhC51<cV0QKP
zZ?fUG((^v1LENNyJ21;^c^p`t;3mm!3JeAgJd$A@*}fGdf)R=u0yarVsAq1@uR{xb
zYJtI|3al=n_rd{uhi%q0Oq?naMi@B+cjXG&>o5z2M!XPeA&&M4Fl>imRjAOYd}uOP
zAbhpR(FgDZ)G^d206%CdYoVmq%9J3iVh@69gjMj=EfWHz#ZLzCNAd!q*$D-ZfxM=<
z4PC^4P&{8iW>!!Sass&OoVs8m%X)DLVAJWA&1$mB5fJE2f*3Cl!t^wwpv)wk0x!ba
zk*E?c6V9uPHl(L!CmE(M2x8$in*jk0klkVil7Xh~OaO=Ef@B0cJY%%ID@F)#jYQ{&
zP%uRkf&?ZfqEU7ZJ}9<hgL~Lo%%p6gegN4n5{s0cKfUuLi2lHUL=s5;l-e8N5%Vg0
zL}u)oEJm1NtCgr>SbvfnFc@KK0Vbn}cPMI*NK3#vH3-mhlFA*#o#h8n{Und-6Cj+t
z3XkAGz?cGYVeP{PgZf3|#x!XBs_7lb|5VU@^gV9@r0aO;3#Yi<;{tfnft)9>y2UH}
z;LHjZ*q}<72}KR085u=@NW!>?NLg%TnFsNVci`LcMq`9wtHdtS;|k2R_>M-8Sa-#P
zFrvr`hH@2#+7SvQJ!pBd;v95i7opH&72u4L!;0bC#lwS-K#(G@K(O+Mg`eR7i3#@f
zkP9IYc|Fe2`Uu^o`wL=7;A8q*HN+w>f(4Lh+-KSakOvlu+EtC3%mOL-^oinu+#i-9
zegOEL@$?X#3Nov!)DR(XcI$%*=h$|Y2I%88u1~L2x~Ro7kft{e)t)04^>@MyDMzn4
zW;F95C>g7&>kzl>QGDt?<B?`}UEQ@%;U~h$mG)%91d5y7OvzJ!Ns}kcW=5F}S<<DQ
z9UFm&QZty$WZVnWP@zTBVUWg<l#89CZkujpI7Ag*8WmLlY-V=yBVuyU3wD7NO0faw
z;t&QbD9kEa=JP2j!AXW*EvnOStZ0%TTIdcqk`IeN4Y-;5=?K$5_^j@+LAjuK%Kc0`
z`z=x#$=>^!+KQbpr^npW;b16NImb!7gsPYy8h_YO^J9*65LBah&`&;6(6Dl4LDO8J
z`GYNGk}7Hx!sWB;QCG+4oTa8F*%nw0UWg*DW2~L+09p?esKN>M1i^0+q1-=n`tTx!
z?9eQVWRS5O&O%XgAWxQT)gm_Gx)_F?&h*O0Mbm{}g@;}Ah)PC$)nYmYldu3}uOTB^
zBo;6n3_|pn1{(qwu}yMxQ-X0r*4C7FQ{`SGnD#_CFhM_G7zJLYnL?6{MW_lL&(^#O
z8hN5Qf$-fTLhfi0sccfRNuYFRf!u*7PN$H0%H)4Lw^Q|=^poB>&wo%hJMO!)LoaE0
zFr^1kUuRnx(am=41i~l4QOmbIYQV@VPuS7W$X2>RL7&FoB}g!m7IQSV+e!zO&jalW
zluoD@WjrM=F1zz=hCI}po1+jvpbZdcQG=20cqEVvDUiT{At@}xh*{xKN((#wB!=LO
z%7|Hg5{pD+mJgUsa=3nZRN&oo{w;xkkWk74Lpn3CmKHyCSnO~awXNEc&`>k>e2$=5
zK{$0oA1>amon?WIrDC3ETW&CIKPQK((;rZe{ckQ>=M@TOfn5rlgm7w)4HrPJgE*NY
zeXzRisge?g*};TJSEYBPlAsA0OlVfPTeeF?S0Pe+d0HaW8f#8-@#lh@SdNWJ$>zQI
zi$+>kx@CCIieg$F#{R)pat{Z3w9h1kp#Y2H*=jp!V7<Z|0O4|?1GX)LsuO56O-~v+
z6$5%fhR!)||HvXIYzrC({QUS#Uy+!oje}_p%NfzQ=P}DM+cbgQzbXPX>r8^*8Vw5~
zSuB6y9gS)M5mynK$za)2y3$LNu#q#qI0){+U<x1nSZ4^*84}Ftr$kQJE+H(81U*(K
zQaAhs;;SkSIM~-*MCSNX5Ca(B3)ufV<U}WJE3)qA9Hz6pm#)hU+rO_cQ??YYhin(*
zS=$tV-Um*2gzPt!atewW1D%*Io1*f9O}~t$Mv8W7heNVtH05|?f{J!(SfSYgh;Uts
z(4q2T4b!2(FdRuZjG+&Ei35V!B~D^JIh17_CjQDxB;1Y&r#_RS_<S4=M+Bi57_OX@
zV~%Ca#mJ*@(TXGDF~~%V7*l?l$bjUVPl*9HEZA~{pa3Xqmij&qh9ew@5N-z^(S;`o
z(Bz1)9$}<O$&~Vwmx^*9HWig8Sjpk2LHA_avEt&t4W=JzXKQ=nyA6sQmA=JizNxm8
zXtZSTQ{1y+Y>|#&EEGAKtL5;CIgm2YfO#lt7#v0*&L5=t80K=ctu<g}C=3k7+B+KM
zu=du@&K=<m-|MGiv1I!WGdqmBsMbJG#U;_nNH#zpRrtqk%H@}NJF&n|0cNbrK4S`J
zoC8q_ocg+(ISG9eY})ErqzafsU0CUL1Y1D5m5DfJAS>$Xb|fcsK<!o3tw<eE^R*XJ
z^hM-ok8<i;uw_nA2fY^#mn0(ZfO|%3jhM-!RS70p_g7M-gR*eY_LCP=Vwl)ak3x`9
z5l42#-EISzSPUdc;P%Zp0@2e%5GO0hSwu_7b7t34!yc)Fh0m6kI61TnsaT7K0iwJv
zr&=O*gAUDIO4NIn7<N+XUXX}zhW0L{v^NfulV*7!M=qNecS0H@Ty2h;G@3Fzj$V3*
zYfDM`4$@%J5rS(JF;mhZ`365(yryALo|39%!ASL(`Lv*~wT*z2VuON_?zon4(-Syb
z<+tm7h{KTUE5%Pr=!LTYW{}tObmY!03}2`zAj?~=mAUScl7OffUKA4#7CS`eNDI8u
zqR`_3m}^8Qzz+KVe2ur9*_)q-0zhx6+r4s}U*YtNY7b>^{?goSVV$s{wJes?4#~?{
zMKmx0$b|0ShJQ!MNZXDs;1rO{)V}F2jz#8%ZXB23nz7ZkjP4ZN$Qp$`Hu8g}kS_4!
zB>W;NveIN`i@YL@611E+BrwfxRSW`l<;Hl~6niv07}!A+-60y!<jv?SAsp8f*Po|s
z!o}I4$_#TK+W^PVAKyyU>eOo&sg}`79@XLR=&|@h6?H`o9XMr6Q{n*p5%E7=@+N{f
zkauYjGc3qWT^V5%jbMcq!fUhdwfg1R_qkvwgsAa-&_3WBXj99m#6YGK2?@2p4{b3u
z>Giim!jGO(DlII<U=~XqX-qJH#&fSMSol-0VsXN@hWV-K*WSXq64xw{cU63_<^^)V
z8ctr;ARtq2>ibeullVs>1;nt{mB=b1Lt*y_UP^HLsi5QeZl>c4KG8icDXjts_y<z+
z&tCdSQNg<`MnWBzV6~bd%L2M=0BeKnU^FOle3KuiJ3%Nj%<FTtYzkFAjkz#=lx@nn
z@mN!&xA@M}wnnPU(F&LFFbfW0L~FSX<$X;ehI?p~Y~}?7D%u5O;e3$+BBt0v4~<n)
z^b=Mj8<(K}S^%BNVk@K#@|Vc(1ubnOF|dXdC0TENyVitVH7k>P-V;n<@i82NWM_}}
zT4Pbg=+coXH`5vEk|oF_Z!X$gl>IxAh<s~8olz4-J;OHOP^Y&OZNN%-(8N-08EZ31
z<+-*#^rAK*Eo|dBA^V9C1F?^dJIyk3#2}=IS)B-YZh5f;kW7(Jhw>%xi^WJ$(xG1n
zOyk_<jtM#Wb~Dlv_zgLg*s#mVU{SUwCAbA_V(L{S;P@D?i>cL+ov;(I7gDb--vAwO
zx|fprANzUNQqE;rpZGVVne|>HCv$(aJ`kW8Igpg&gn9M;(Hnv>_5Gu;fVqrdo()l*
zL=o_f1x%VA_>z0tK$2>gq{j+0x3lO<kHuJo(Wt>B8fYzvd!@HF2eV&eeG1{^j=r9P
zZ_~O3o`>LEY<d7;Pk4R;4+(Iu&7v=8Fp4Z~m^V_5e=umh?bTGbdmHJgp!DyhgRoJY
zJkN!$9K8v;sUH(jgGof9NtY88B-Zf^@Nti4Y$3b``a^o6uMc)<^%Jl%Y(Dw`tK%Y$
z>=lg?uuvJE+7Cn&-JcqrT?H2K1Y9AWt^x7K@#9utP!XL;^D43+FryP#G9v`IP=mim
z>`@Xtt;@%N40tfcTxs%IE&5Dxn7TCgg%$5q>UkHxC6Xor6E^T_J~3R*M&)xk`W9E9
zOZK4a)pDHK8FX-MKFr#ZF11FTvt5s%po2O^lqf<BeS??L(q=TgpDw>~-$RG}0X9Ie
zsisZO&CJEtkQozvYayt4BLAt$HjX@l*au-?5cS%FYQ*~uChFdZK^*s^1oI?V(?&wR
zu!`aFxDqT42nr?1T8F<XOkq3LCkF2!mcDIzByXG9c1rlspq+#_gsD%HN5<eqg><>z
z+8clafEOE~sGYMLb0#6e&bOOV4<&T&itecaVvq|(^9o5(>0ZKFQX)ARXzeU}5e+($
za0EEyX!190W$BR{M*N&q$0LTtQBM`=ryuUQBqWW;QtDwQ)vNnKkM2cyH+qVPBECnz
zfn18xmmf?Y<pGYE!%83omK*wBML7r@zJxXr8qn_88urQxE%~TT!lF+v1?XC~bbA~^
z!V1VL!8dEpg$Iki+88uOHJHCdAWD)1wY`VKsR`~BKt2WJ5;7pNit>~NXK{z78pwr0
zh}mqfLVE#EG(`S3ag`*M6p<@8G@R2~sw>ZdM1^MnKJ9Q(Cqq=q!bS0@n6FzY1|^<k
z<&<<+M8M1j_d|Z0vqG^MWzko-ea#f1qCS;E1PXfhUTB8C8)+abwR0kw$PHA6e%O@c
zGKvin-0t@ifaqfHGE2NCxw3Q+MF_zCUsw>CM`vlF*b@;GomC%oM(`JCR*HPHprVZ*
zeQ1SzO8aEkZ8v$v_5=zas*-KN3<?e>3nzV4#FknU-Cv3%l~@*Ns{fi2$EMf(BjvV+
zawhlCqgQMUCg37i__G`48DgS9ecF&=*B5V_G%06SV2JW)n2kW=^XXK?{T(=1U<i&c
zeeD4w!~lW`Q51;3htl@U+!^ysathG3cXSKo^Cj9%Rw#j!Yiyu|#JnfP&gkIuR|Bva
z41tIMqiQP6zb!JG!2k@&?G-YB!$6*Hsz_k@fmm$4^t2Ov(#^#?J5Wx5ZNbF9$gJXH
zw<B3jrn`1$GrD?riNYv2<<p#5F>okC?q(bwRlII@_w(YZj4)$)NeF2ku}G*Gtr=w?
zx-#zu>T@kkv*xJVVVIVx^LD&tKsG2nJIgpP$30zQD3*6R&E)T^Oe971ynIk-VvH&{
zq2W}a(U2UoOLM*@<L2B<VQ~pC_Kz#FfN;*>=s5%thj5%N^jj|%ymEM2U``M)yE_#(
znTT!m7)}Ml(2D^~G=O<IgOm%G48#}2a2b^a@f^(;Vy|M&!6#r^oK^Rg%~XegF?grh
z>IPZ|W|1rn&CIV}zxdBk^PiP6L>?cm+*GXZ2$<tGL)xbVP{Q0SNb!)SxratQ$42Jj
zK%K7sE79-%Ah&x48-bZ?!?+ghDH4w}fw<L!sBI(W!M-XJqch<WEixCF+_-ng0auF#
zZE6)DRC|BaRTm)~a1}MM5~4mc&48x3=uQh+k!ZQ&>CTXz@SJ|`h*IT42LlQl+zXL$
zKL*PMKY<~ZhfL|pKH~#;FnJo;9ZUVc@{a&OudkSOc;Nk+P$rfwmx(n49LIXy$Z-O2
zl5s>&7r=)SUV=)gCWu30tO6zFd4&aYi+lluTu-T}(25O3A;Hu)FYcgpbgJVXOWG90
z_rR9BV$zD;#m5|k9(;4;qT<3A^ZBvQ@ABXb#U)y*3;0y7b?ay}HgMD}tSv%Hu0`u?
zY%R(T3mDd2z<Jjt4`EIxr9w&T9ol&SGy?y7!RHu`9VZh>q$|6k<mok*L25c}t0;c<
zr~qkE2(wanKMCN5rb!40&E5zegV;}t>Qvskb8}rcZx7D#_&=PA?ls(80$N#MM8?8;
z_X;PouGG!&Y^O13Rvj}(Ise)<-F=XcVe1FS%5FFPG8gM+BsYrr7~eZR4^|krbr0cT
zc5XiD3Jdob)F&iT9NUe{&!k!u`)F)1rPY9l2!0&1dyf#*7boD5twy0HE!<PpqG(to
zfF!Y4S>Mo)*nL^pnNaUV72(38p=6}^)#VeFf&=1IvZGYdBlv<qP9vESUlz@Z!CL))
z2p0d%5*I=ohzLwR)ZOTLB7^MyQ^WKssij-lN%Q_+Mv!Jh$DPYX*EPTgiXB?@btn$N
zP+Pk>%7zHCB7ST~syXtaLMOG0?kd3_<LLhZB^kUL$v;=bVleEcM3+!e6q#KuOoq^r
zMdQ%wOPoQE;Ry{iTofbV-9nAa_MjvBlp8s}-ILSu48Gg9MNhwVa$P#V1Cmyv5TM{S
zu%;nLOi!8Rc^|v3(~|HviKsWk|L_mya1h7LHS5UyvTgquO@AwZ6t+LI9}NS|8waL>
z#I_U!AH_1YJF0}cuC&_7S!?0wCT`cpBkZuoR&4M9;QUn-``lGRz};+He)<1{jH;;~
zU98*%u#0u83-F&9?}<oml4sJ$O%iA{0g~wrg{r`LR-xcOjz+(yv6$IUmXJc(BnUeW
z1Ukf}w*1~A6Gwvhw{mxdtHEuU5Q!_O`6=3w)eTf#`q7{<@wbAK1|=>c#1Y@5qP<!f
z`ttSqRlDb|0e}n%m`<a@5HKpD!fU>)^?a3muoAgGr(ESH=+1yCS)IW{^RQQ22lyh$
zC<gTy{%9)umS%OXaS-$tN~)xSh3Mk3{gL({WbVanod<5OsET)t01aBOyXH(tvt)eN
z0<GRR;)tTTU&NrP+0|`RyI9h4;2@ErSIGVGgU9eu%^fPVEItG<N<*8_<P+-37X3FY
z(iBuP>&}^3oV`_JnV<+I7Pl<K-2@{VUAO=yLQB^PG6NfqZyX|}aIBKQJkD&dY#&sp
zc7X|eUp!oB<V!JXeBB*~;OBt}&~CasrW3M?)L^U8=g+z5BfQ^9FJ5O1mz|lOfQ^ym
z+)7jK%}4kk+8Ocp*l?(IN@yjbkaO!o7o&h)M5I!=ig3|Znj$h6oP7lS)dwqrPrl*>
zsZX>^oYOR<IBtgZPPF!^&7<?>`-e^`T<^40eN0fkv{Q=<AFyE9RP2a%KYrX=)9R)p
zUuDea=eo`@ZZ}F_Iag-FlC5><_<&eo!3AYp5Cifahz}!9^*Gi&V_g;40ep6=Q%Kuz
z(ep|PF&H%Ne|zWhe&=X{Db0b3Fo7bFQuV*v%Yg3HYO;C-Qq=m#bNcaxhZL<a4?LM7
zr!irMBc`J3e?G`40T`j(B~g3_{QCs*T6r$cHl>E2TFhmUS$-P;?Ws^KpHo|Vy2YxM
zA_9%gg4*^{6#ywjYT^dl_Qa3T=gI7=U;Guqh?)7M<DNd_&?)a}2(7W5-0VmDtE@Xo
zsrPeoI*&`!?_?mn>JGM7+FaMBi>4HGs|z*kP}D=>ltyEME-<yMOKcBZStGKp?uKZO
z&AfwnZSHN|+alKrLUuER#0y?jiBvd{osgRh>J#_c)oT7=F~vl&V0^0#6qxZ~l*X_-
zf3c-&EQP?&MfUM;44mWQmvamEiah$yOLZqcHso;c!R5%3!5|WO<dnSq!9>8M!$E$R
zmN6lCFa{Po>b8MqK$8KP1I1sON@UGlLU~A6!<^H`12mJ08c-x&j#-dt4ble|$_5k8
zShsg!x<3XzDDTNc*n7#vV9u(N(K7y|rKhN{ESuB>g3eY!?mLEuI%~oJRpO#0hcyS8
zeKK}WD}X8&Kh5#6hUkdu+c81oZAJ^AsO^pG2o1rdr1@;o4ky?WRL!iEOP!iLWe_kT
z2Jn&3NWUp*)4??2-i1GVAZIVgV*D)as)h7hNsfKxj@}u}4YeDh2VC&&peP8PFKipF
zjU{8!VGkU3w!*}=c5US@Jfb)O7@&Xx;RoQ+gD;0<gIN#5-%5sy7IN1v6^3(~g<WNu
z&}Z8C1`T5yiXJxJOz_A1p&y5R=&UDYd=G;?2VOl0-H~I25~3*B?05QO)iy1;0u>h6
zJl6R}BgExfCMsfQ*&&o!TpsJiq)8RalIN`k`}*<W;4l|%7uURXBHVzi1I`nxW)r+^
zwRm#?O*Oqi2l%=;2WnyD^nVB*J%T$2Js)fb@aIp7Rp7ggr~Z#vZn_z<mIHvl6eN|-
z`U3#VSQzUV?=X15`_8r{v_|P+aKm>jdV?;1SO~JhR9x}u6--FS$7pY=-{C_t5-rPw
z*b2d<sTf;{5kKz3t%N*KNQXJM1iRA!CwP&EjMTIv*!eUQ?s6iQlVmdQy41!_N%(d<
zj-Y2pZ1OXN$P2@#6mwP5)~maU?nU4ev+YHtWLpUUR?KWgA<Ztn;0+&s7<?`+puPZM
z8T12fh4X<9nBJ!nD*h{E5(0~4t&EF4$XlY<Bt8e&u81Po<-^4r(&zi-%U$<|*H#z(
zH-HFR7IZ+iUuV>~=L;D?+QM`&x}Dq*^SjNl9X6q!Y*OX^@XnP2`0Rjp_dQ(p{pV(4
z+Fg?Ld)F|oju*OFeEN#yy;lM`rxsMK;<SS!2BsCS*Csink7j8U=#IQHoU$=KKK>xo
zg;FU++uoE{R<wQA!q^w`dc_}{dwmyTNV__+#|6uA?VXFY{k}oamS2WO9{sg6tMIWe
zRfqx!DYSDn<`fB90OXXQ*w0r_+LAM!mU=Mz9*<LHyNhvQ8nar|Sh4vFXS=HVrJx&=
zbOp$x<Wp|kmL{xNH~FoM_EDS*A@jNr+Sy;M^C!Re0^7aeqMAGJ<KyQeb??IU+6zPq
z%YzByvuf|y5_yJ`bLQ6`XNQX`Kp|}-ZUySa2%)Wwn4YNHJ0~r|E%Q1jXpIjwd7W9Q
z56l@+_P#wum_pK8S>grK&e<4?gA@V*j<yNGU|`}^HT(*=B*o^0+$HbQ5Tx|l0e~Z`
z$iNND$vok+`u2g0?62<hu*@uwVMI%KG12ws%Gfx486SdG+|~Y8HGlH3YRbfB#jlc{
zb|)SV-#FyUb6{KuJ&Ud!%{Foc2aq_3ivFbaajQ6w)4Ju#mRqY9K%4T;EV37v3UM&|
zv($0U4u;oixkvl%JHPg&hdr1b*T21&o6xpCY<^XPw~j$@oAf39rIxUnp%8alACE)u
ze3f$>Dg3Y%7Ys|NW7{+P%I&Am_m-#$2w0CeU7qsK>R`8#00HMsfK7Y!Cdyy54?6>3
z=_CX@;c7ZU#kwjYsC4wu<80mHA;ckeJ&mrhB_x+5HN`3GnN1fdtbN%#MryF+{zN>d
z(s6R(I6lI?dUr$6zz4FW(4q1((z-2r%N;m+kWWLBuzD|WTy(H!50;>4J^EANr2u>d
z9K_Fc%@cw<<49t(BwmG*uEkK|aT79J&QSSlg$tK~`*_*{oJ>YeR3-9={Nm-tc<7?1
z10<7@{c$|g@08zS4uY2hsVO<v-rQ;f>l0}9bG17H!-4NJP`JX|cQMm>J|`C)Z6CA+
zHXui@#M#m%{|Og!@q7wj7Qr2DF}~i*7H)^O0EiH$li>~kKG*BHlY{Jahormh<OKnE
zoR2POo10)AZwMs<^@8+x@wXXtN7mwJIBlgXfM83q=kYQ`YHYJb2>U$*D|f)~dPAAI
zf(cA%f&mS<9gE(fYVH<$Y7uQ-PL%B5T1M|Das7;OC%Hif-o!KS4z2y#-*2y{-_H?6
z20lvRhY}b9BPwQKz;AIDVceX~<wog^8GTtP_+a2<(fky7H%0mAV7gd9<EX(qbM$^p
zh<(*35i9-?2CaZE<2w-G>!3)iRTxN-`awa!eB?5rlG4}ck>4}q;|_6kj?tnnVE?Jn
zBo!ZZO<cVqnPfmNLbu4J5Fr(IjYq^d^NW-g@_>BINhRuKM7UM{_CYWy%70;{B6J8}
zdHf$Zl&LU1N&KE#9A88c3AKa9P%^>1g$lp{nF~I?GiWoD*!j!8>C$JIaa@axAG%jS
z^>u*hOBD2nF!P#UBy&T4)R?(h47ISrRK93<0%5<&IWr&+!b#+k+7R6&Bdz=+tmhRX
zfbrzA!!)$2Ba((g2;{5T;S>dMhnVuG(#hr!q?}(WeLKI<SAiRm-1MmKg%;KXN39Bf
zJ;6nflvAlAE3RoPqaHs(Ewm`Nt>A!3XO%g?7_rBdI+Mn6Bmi(@oz5O_wChREL|mO!
zR1|Koz+vg$r8}4IPGOf^mhO=5Zje%H=}wVu>F$v3kQR{cR6yVlh<LsC@t*TL^EC4~
z58roY=EvckMW%#YfSL%>E6UkYM~)zq*cHVaDTJlE!hURAqH&L)W*rlb1E4D2k_*^*
zzMcHQ*xdsUmRmHgI}O6xykyQmTn$b%btK6t9!4>b?9feC<@QC}x5|C7^BF9VFY)NO
zG||z)rqq)nr$9y)=DM87r8SC8<&Jq_T6%reB!xn_6`C|p#F<XFwLJbz?M?Wk1A!_A
zx{s#54kuw0GX=(w3Y&R8g#`LQ>is**rcPm%8TjLp1Ji}<%x94YLOGq8md_WeTIHx=
zL8CcT387^j6BOiiNJw(cWU6DTFgY?-nghlz(zMBJn>`CF@4^MoCeuo-y(lx(v!ZwU
z+o9jbwF<PAi%%9=P%ucstt@&Wkl%4C8kvvoM|pMEcyP*p&7nQ6svT8P@%`cGQOC*P
z$WZrp_uZ8&^L6Y`lj~M36#6f}kk|=V#MmetELQf(0WglKLBCKO+Xivh?84N_nX5kg
zvTj4hgd&+ZpD-u#m)P)#xwhY>=8uz_RN3%Di`jnXDPDzJ?3>F!6@c&TLWV^)uB_in
z;2}RBVErRDnUtIID$^&>_vtxi%hO0wdP3uaKjg&b%GXFs@^3j6E%-1RDk1NHc=Gi9
z+vsEjK87A5O>-?x81*a1es)Jjf~6|aWG!i!-zGC1p+mxBV7iCP`@K$3qf&$8;J+)T
zZ(t{id0MyQw*nDWp~?#V!AHcL%2gwqXtA7xFlx`cP7w)Df82XA+vf){Jm5x_;;wfR
zqSU2~@bwSvmr#uOjik}3se0arncPid98PacYKorKW6yZ@Pm~F^nQV>tP9Z#7H<3<K
zLnrU%-wFj*WpppU9_d0A=Ve&<zSj%}5<R1?^VK&-grxA`eM+GqQ@f+*6(UA0Eo!%s
zUKwpZFwRQQ334`VH>itm^(kpx`{VZ$iXC5Ufz8s@_*tR5{>8Us)5;jK+PrRihu)5;
zIbV+bU}`onsNW)shk(HYWtb^Vfnx>AHC3Eg)s`;3Q`Q5e^bAj}W8HxgqdC?;lVrI^
z&W0>d!M>PpoI+5ki?ni_6dkH|28|FIO9(S^l{S8)G+_p0QbE*gv^tIV|Mu7uXlI2r
zi(a~hZ8zzkPXCG%nVd3AnHZ=JbHaUk9P?Ni`!D6Bl<BzF9*xrZD^TxWbNc~{yFI4~
zj(+3*fXK<qyPr8&NNJz1Pt)Wjxt|S*-4rR$y&5U~Bc!B{c8$)hp91%#;Ya6;c)yS|
zZk+|y)3pp7#ffb^jQMvz;25S{s!Hq=r%RMbkH_eNWGT_>n!m`sm_SZR|G6@L(sIa2
zFiE2QB{W|D(lUMrEMa4N@Kt0~V=Cg`3b{Ax^#~(^g+Sjxm%E!oW#f;cdq6Y^x)+tg
z{7p6XE7;?h4FkAFj)uf2QMv~B!j1U3Lh^x~t|(fmGxbC6m+s_Pu@Wf~k5*jn7Gh`%
z9DLS{P0fohR@sKk2K#Sf?#)=y2J&K``D`efM6j6~ukWLdLyyP|3#Z@nQe*N`;tctF
zkehtNWF4679%ySAEPg#=e`^X>dOPn>RE-GB{@7A;PnCm$g9Y#+jbC6CqNLt6ER7oB
z5*|%1_i$m#3Kowa|6r4XES2Iz6m?wI(6#wK3**f?hz`v`iIV#Y1vtRlOPZxYmr_vK
z%Q%ux-Km=`+dKgje|o`2{`XNW@obQ?#qOG8`eg(4B9V01G8>3b^9B85CR*ljv{x2}
zA>lV3QO!IHYwMuCzae1|!9+MVkm3DK$CYq=IjE^vXqEns&&+8NPxE*k$@44w&vqxB
zmXoh1!OQaW3&TDdIJ7l*j~{B}m%mNShvR<mg8D#J%-Y%9uu=XNE6yc1<<Ng$dAj7v
za&jr=8N!D#D4s~%f5G}v<c}0Lzl%^mOaAY7sYLaO9s49((mtT8`96^Tmz8Ccp?KAL
zOc%KI$Kt98v3u;%!5*Z|_j6hL?SJmbhlN_#NpYmD&b!&o1byECI7sifl+c$43isyw
zsd?V~3SW?N$RKsY;iYGaTBL5TptH&poj!RP&p=uU=|%1`7&-WhV5=i2PH1*89%1@r
z1en1sI0-_aC@o-bjfYng%|)9Z6!;*N;!VFw%?4*UiZA9t1S-!<1*A|sPm#QVpHcJ&
zP`H+(N(NwJc^vcV857C8ij(?4>X1fB%nhNOvPTKF#{wsE51_gdq0iMhDjmLWUq~x%
z_08+wyaZl%PDxd&_t`w+RrA$<sS}!VI>_GEI-0YDG#@QT^&C;(aJRl~l#%S8G<5u)
z2o9ymG`2VvV%TIX;GMZ9-Hwc+x&cJX3|d>`U>;@)D#`zJOtrv}NRi{+RtP&|YJHpq
zF!G^BE!GD{FRavF7RZ7;34hgX+3UFuPnBJXQXD$|2XmK>mh%$5i@ITxN5PLeR#~JP
z`aNf6X^>rg$dzhpsIidMu~O@WQ1{hKiLLsHp``9@T5Imo>Y?8nLu-3XzaQ8~(nDTD
zxf<-DomltU_GNlG=}_v;l6qp%JmL+SHnC{~mz$qK&^NUxRGM8RBeCmdw`PoSN!0-b
zF~>hhH~wU1xviq^oUw}OSJGXw9fYhlc<X8#!pf&26Q&;AbJuzvo^jzPtCxYD_{KP0
zCSjeJ8zbt>&PdeO!20{<y(=Cfj$A+A4?XBz%NtT{#7DvYe-8FdzK_a=bAHfa|0aWx
zcV>0n)WcCcK_WxA!GlxrH~hjp_6*sZi&JgjmU@H3uP?(7vf1~*T;F`ZG9eM_g(u96
zyl<?uW-1m26I%A6b=r^~8t5@WW@o#I4v5`#l5MB|3DJ#S$Y9LJvqptjEg(^hfFv$K
zZO9tUp`oo1N-kg!QoO}LhYdCeM`2!)Gl!IzpdZd-O^rnV^^TCgox;#HYlq@1gNwwP
zVkJee#ICsFHtN5<QXYl4!LygwzgA%w8DmKVJ_^MlnNB45L6?l5ML*p|6l#zwVL&%y
zTTf!_mW2inq#e903>LJ#mxg#5r4Zjee8`vL?HGYVTDU;+aoOo`YQLVeLmcilbdq_o
z7_Qd%!%q5hn#T1Z1x6ZC8Ob~SY*+ar$omg+wY%;>7xfQY^qJR)eD^<z16WJOPka!}
zM<VBOB*}4g+X41e0zcwD7d*oTo=_jturIvdg2L$zM{rJyZq1}379tpB=5yR!RIO0O
ztEA~ymiiO&6K8-ocs>#`i$Q&cy5@Xx*S<%@_Ph^0Y8;>9?=WJ{L<_uOe#A8O5`8CT
z#Myrl@8F_Wt73otIL)BAULmb>ik>a{Jjr)V6u14r<0(a5CgQY2jqjlA+TlvhkAz+f
zhXqP(hX3IDGd9>z_$TTjKCEFAB|O*D3SAG4`+lG(l8biJ6OdA;W$r3xYdh?6fR7(N
z<@pWXXa&xqzGG|*ikv18jw7m)M)i|z7%%t)-3CO2#<za-5PE`a9*46fP=^rFG~;aG
zaOI<>Z`}Db77+qVmH%`xEKAh$e)%Rc@9|HLitA@Lw8poi5N#HKCz}oJ|Lvhg=-w4#
zZTo_6^YkFQGnjDi$}8~L`L?-agjf+&`wdKpRew%g<`2e7n`}L>fJsUf0z?~wny9Is
z2M<KVXdq;t9%X#(B(O^0bWoHwWP#`~WR_nveckT8Hv$oja*X}6Q1#Bdyy{Yne4;+?
zmFrw&#?NbO8(nkQrJ(_4mSV}FKXJQ9!3wrxY5-~6IfgsrJ^&`RnBtg-TKGP$;_yn=
zRr3m)6)u)3^)J)M8+6>_T(&4Cp*NXNX@jH&r$gNFD`DByUm`Z0^GDCN(+Dcz(5P>^
zW(m$8|BZ;(@sQue!o)S+b3z@3(GRktTNxv~TrtM2Y?q@;b;z5iQh%ymev{S`%$Qf!
z_$tEyidN0sBC6N2=Phf36(Lj3P<ohiUIyH1mUOp7hg$hgw3cU(N$d!E{XzEgI%-`F
zMLuDX!A<%1m%m8II!{AQV`3Hsh&|wI>716CF_R7xnGc!emM5BcCY!>#Z$Q1deZ+jG
z2v>n@4$FfKs+iU%u!}hO$nPN3w#d2#Zn$cbZ+8U!GoEFD0n+S>4~lUUlm6YL8xsmy
zb)nGRkQRWW+O47W*`~}jax?V;4;W@;{qsT&ZQoht-H&eLfVofzIzdGz`Mh;i*=zp*
znRj%NCd(pz|1IN@4byb@>ro2jb%~Pz-S#iLjM9n=$Ni<Tk_5`_hTRgwe3#341Ci&H
z05IX^;2yO3mMrC9(K`u7(-UFkTwV4y@y%D7Pe{AUr^a4A#-yv9+*Y`^*2(lEl5h7{
zGn3M8u^ROy{+#WSQz|e_+P`OO`1pSO3<;J!_Z?xzVc3w-p>64#I8nydFCvG1%>RL>
zW-iod&dzhA0Y&zdo#^`4&x2~&H5_y66>C|tMQ@_h??<8xE&!%eydm2!wHii4>28vN
z(RJ7K{-&9Co?WuX2wUt;(@K(KxFFda^E37Q2JgqB{{Xu=gnnUEo;K5JIjb@~ilYrc
zdgdRWAE+~im?1ReAZT&n!0<(03uN=%WEF+mUw^wSj#Xt^N(*`oOJ`o=K_sEqD;L+=
zSZ8AW*7cdAo7jUZ`;P_)dmubiIkvsk)P*1M2p0$Y7Lu&R1P?7Ad@n?UCnu<n!t<a0
zl+`CsOyGYoAZxjj36YDpxWy8WkD|3CfB&dUR6*gZRzaj_6J$7?#TIRH$Q%2xHyL6l
z=f$tlcpvR%aM8BV<#Fp|=)gDAAGEY7tKcsnm{iCgOJcTyvBVkV*_30c^LhGR4D)qN
zmy2TP{a+8&>g?!Az6M{3yZN<cHBBfq-mBsV>S3d!O`D9=Y9P0<Mf9HLo?AC?h;wbk
zM_I~>$w3Rh=x8Wza6%buHJPlczH=IF<*8m5Nl46h!VRnDxL=4hv2iZ{!~Jw~3j)3>
zQ2;`{98|af>b06wH=PhSOV54)6FoAL85xB|qw&B&8=z4^ml(znu5sl7jys9M+F;B5
zZ@Cz@Pq?6G;WmdW_(|7ctfdX}2D3QK0hIzMEzQ=9omnTqX>?SkkczuAJ9;1$bz?a}
zICSHNwY$egTi}MCZ38fj$i^X$n~(Yf84aKB<~7vMVD={yljCY}x9)E7M83QS?HN&i
zDE_2_&W_AIk9wtyl0fRZ3lymIETO0xb3cBiO#shU@AQiH8`l-@C`MRfu&z6~V#sw+
zS6AXHI3Ln}?L)es@x<0}&9JjV-@weWDW!(SElNKNAso$YyK#yYRLvE!17G>)PR>bk
z$u8t`Ty`20{C?HN%tYVmhuk)MnFdb0M6hux1Gd0`-%k0cg7mfpST1-Z<u-UEns`a1
ztm;-05_Vd7cb|16aAJhoi&$ZCK+vTB^dLi%iPO<XY0oJm8%!QxGm*CYpWHKKReABY
z24+^I`cEoV#}YP=Jm~JFSt{1gNNJvRqU!cxXl{8o(@}3VwNalh>vl7j`iJlK(p&uG
zKRKE-F+dm-Bwt2(?(9F-j0S;<SVOf6i}RD|9jbNJ?QwM5k$kD^y}V}#L9?%3G*p=1
z)!Lar^beU3%q}t9Hj6;JBjBpg)Uvymfe=i;+W-K=Lig8UPn$_V*EC^3B{CupgXR{x
zgd&F`4@;<p={e;e0(eCD2;<+&pYos;vv-!g&BUV;6->lLZr<|^r({$cel?7E2j@AK
z>Pi7%NG^^>`Rq3YC-Tid-dhnI%_=XEmFgH2`(z7Gt<o<hHqESmXL^qbIfenzuevZc
zA@-^b4<a_q2aYHj?n;r5pt%s75}z2O%1oJtexj1M=nM`~eLu>)NA^<sBhx%WRmZMN
z5Q|{}`$TJvw8|NcInpqzwcsZI0^Z!w+aG%=DEsJ}nyDs&GcAg(ZI|Y`s{E3&(R^?J
z<8>MlL=jRrDXolctctz+5(q$8JF^4r^v*)*qST`cfm6|%XwlKoap_R??=r&bkm;Ua
zFLT=ErRc0gQOU?Ba$;b%ScPmD6B|v55dB}2>FS)39IyEReEK42VuEltQ>P}yC)T=s
z>B~>L0ZjhkA1E6_S?F91HaGfZIhteu!2h179{~2LsLj2`&nP0<*t?y**lJ%94k+pQ
z$3<FvLKPJhEXXW<i2g?z3u}`vIAEv;hVsX$f}i%{95{*QT@o4TM|Zf16JQ%Fq)m>y
zRJMavj>W4;Z9xLzj@Zi)TwIFP-M|@v+@_Qc9nE9rp?$!fO&ytCy!yj@*CCAfw0|pA
z!Vc-#uvu?Kcprp_5uLTPuZAD|Qv0Zi%$d7w;d&>?`r6VVRQ2XZ6+hX#p3B?T7AHvR
zZb5x2kVGq%4(srPb7{sLN_#*KV+cRvZyp^>%46dntd>6qx|f6{q)j4Aoz(H0hyjva
z1>YyNc9G|USD3vUD-t^+I$1`54JacLTR(!Uep;q{=}Vh00LcRwj8YFl+%iN%3^%Qm
zE=<AWDO#8t3k<{on6d_*hHO1=@Gxpp;K12&@7m(r5MV~Wp^EC3oZ}&tz<E)Wo1Wsk
zBwz@dSkhNKZCrJVV%gi#veT%T+>>0?`GU#8jEJwg6pfbj|Gd}lYEVBLaJ|se>VoOZ
zyHKX~-H)T*RnKSO67eMssDXsaE^s{Oxdu7b+<tL1Kx;;HB5|*08=HNNFFDTs#K)1k
zXLjnY5DLNhnV5Mq3YVx0kDCfJDYai_Dqxv#woz~e^Ku4<UVyVQOg9DY%@~9fEqzf5
zYWj4U8z(Q1a$O&XSMz`>qphsPY4S|^-i3|fZBr<?Fzr^#A4Ncoe5SSR)SO#t(TG6|
zqXpss7v*u`fSS^CrUANl4i{w6k-kEjrQ~8hwwuS2ShD^w4Wl@%Y>xKkxn%p7#s2+J
zrvOfsMTHGCfMF>NBSTr3wBoqA!Ujqd;yv!S^`-)My{6&=qrd{)bv{QG=&_PvR*ktr
zBqndMh%F1T!#|cm;w-{X8KL2)aX^jiNR%j~V$|KxBp7CM$ICrBu?1!dI^`L9w-(3(
z_Pfku0A#^OJtc5A9aP>Jfk9{D!iNH5Mxc02;U8L{^I<RV+*pvy=6>M<On?#Wc_ecT
zE=5b`xBoop3Qwf6Yy5r{Ti*U`VHJa>VPswXe-3TXLi;Nf=IJ-~2f(5Ia-S%=T^}3i
z*CYM>>B9;J{(On}bq0BCM5DJ)S*gq@Hy}l-lf#Llo?MK#emh-HY(O?0VNfMMwpfdk
z5gD18^R|YvjM@;;#?DhM_W2auqfm(Ft!yQZUFH3N1k7oXP#EUlh)Qn{e4a}vcc|q;
z#-vEF7Qmz}yc2kEt1(f<;r7tQvmBj9a65{x=7&xo;Xw@S9Yt}FSOAuEayGw6k>qi1
zk;E;ir&U<EkTA8I_6Lx{{8wtl43U5&r`(J>M#!77zRL3GO0J5kE>0D4J9^v{+JgHo
zJJzU09s`ZbAa;2!1u<wPnk_cw*V~mdJ+DOct#X=FkSmH>Foj~866lP?L&26po_n3h
zC)kH5;I;Tj%sI@V2_g$F1AQ_9X;2aE&T3N1k=;cPg^4$|lJrSwGOilx<2ytZaXpAG
zV_hsPxKV20z8wuKM}_`}tl~c_Z`V3w8qjP+eFPzfMhx>iE}}2OZeAj*Z3jNjE#DH<
zvRq$iu*zJK-a;s<gR#>Zv`LosOyk;;1nPEnqyI2Gb^b8{aZ;TD64NR72yfFACL*z@
zbd8I$T`SayDJqM*!JABG<_!g!u$)yR33cDXq=ZY-{E+n>QwJyb*|0U$nNz&3b5*W9
zo;H<wo9V?z#tx->-~!3+234t;NOP(jt-<msSMZD4=a)7Va|wEf^8nb;L0N{~8DF$i
z^>1E1$r7%?ABz~Yvf)K>&x)2bFqa^S_GgMR=&IH%Hx|Wt;JLyMyb4fH$+<qbP#GE$
zNqzQ;$Dj(P&31HK1bGq|oC<}Z2ZwpkE2Sh^x$vq$>x%652$bL%xeT*uHY%q@6F2P9
z!VfnsmQob02TqpN`Fqr`BFdonz{%cJi$h0&3Ym$u>tb_SVzP|IjLnQ~SZIj2K;@yL
zipFo7!*ge00c~;+!@CXY;9H@Hn^KN!!7$6ii%af&b*ss3*CW0Ahc1k>6*_F;c$8t~
zDBI_D2P+hvP4;+FRXSas>IcJCE>pEcCdVAh&v@|-st?{I>G|$x#DBQC-}F`V>kL*!
z%a&qcL0YUiKnQfL#r#a_GSTH5-NUOr(rrSN{(H%&DcLbV#>RO7nt)X<rKqf2e-(L1
zN^^B>k)tY=PA_{ZheJ((o(C6LI)x4M{gnxM@pYKMP@b?)M>DD={*qH0Z55dFCZ=Mp
zf>2NDVVy)VB}Fe!m%5r%Pa6@b^;<Vz_g|u<9>Y{r4$)y4s@#}y%qv(DNT1t?L#uR@
zOn}bXxVwq^T-#`F08ucfF&fw+@H<Y(t)vE%cyjz+SpF{7Z}3@xwz{tvaPG55U-hA8
zx2mzyuF_~Fb*iWYs@cci3t{<0w{Jg}?4^}Ws;exF1spHBheV%+Jg8qs&Or2R-i-|*
z1C&4bh_ac#{<O|DLJ`MDxW(A7S6qCx#zYbeRsDCt$KHs;1hy_gS^vjaBI?I#^n2<G
z_{YFRh#OR{$A-&=yOJnQsej7sR8ESfMEQM;2OiTw#6l~2oJC+@^+XP$6bLBgeX;_S
z45>&|l3r?8Hg~x485-G85m*BW&o|!4W8)&opX9iB(f`d8ww2?;@0}e5N|4rjLPJ$a
zv5P_FF^&)f(}&NB=N*rFQwhYs@EUQAu$G8O+o`ZV=`=g#Dk_=!ZOZQIcNF1q-C{c&
zZmA7PzyDObd!OK$;y~&Qjfe>hzRB#ewi5zL6o5p%wp+Sv%$?ZZDoNiiO}9}w;Ua{!
zTDk^RPv3S{g`A8gzTMSH7g-}7IJFEkm*kBfndvF*<U>G8He_8YfDstAd_#1@PV}gK
zavk))mJhSk0ty3JfEDMips5UJ*RrYj53?1z3SE~pBfjf|t#$|oaTH4dqZtCdH?<<f
z#c<MRgIf_B6D04!C5kYyr(s%;^9ObB>T)3td!e2D^=t@Bs_JjFMYn|1{JF9GETkd2
zZ}-+ZUyxt+i<iV0oI=oE>Cr61>Kg@oPsDAfFj(H<o&c2}^4#??&2X-EqHIs-%NxCZ
z&#xnGnPPfXQd_?}5Kx5>+=A!Ir>T5)!vsqQa<o@^b2Q4>OI>rTu8#waCcP*gEs>La
z?Rlv|_1zJK9h#C*EzaOud?9+;TPuc>AEpkM#yLj9&$i2B)yaDCd`0*lcgwa1^9Eh!
z(up73(0iBSqLRMu3!vXg9_gOzqt}4K!cW+ZjW&;N9Yf9R#XN*-{Y6Zb1b@|F3EBB^
z{Sfo6o;CGF$!k%ysz0I=5AUPM)L-L0QWKO|3Td4jt!5ms&}d(vc1cbqa$dkc^QRzh
z=cMdHvoi_rD{{Y@w`L>ppSHd5{%~rAgoMn2;zutIB#-f&_L#ThZZ2ifHJqp#O2aKq
zdLV}H4QkyodY)&O{nr^fvMI8?Iqu=@8U6D4w<oekXgPwKI5#JG#b5hQtC<C;pgW2#
zX()5hF0ZY*R!xYJu3Fy8!>@`e=0eZbKGOlMa5HrV`ir?RbVz4opyMG#>P8D=W*=OR
zh#`E=u8;+dC_H&I0A=%rjUX;1rb{jelh1)cy@Xsag&-&9uj+@n!9L<)oZpbedNREL
zr?g~#9V%5P`(LX-DiXdd<sr+cu%L_`&l?HC-TF+i-})jfeDLKDQlDd}w2%BXrPO+<
z-P7n|1a<VA{R1HEJyINn?RsP(UK@m#=)u;)AfBeg8Qq*`;qW6OhD+Z<DOZ+n>q~P-
ztYLZV{J#J%ya*vKHy7V*8pVkX1U38oVF$H(Qi467(VMSqOMVJjv*}I;$ki>uW;lp%
zk;suy(e&jge!ydx42*QgP`k<@?D$E0kwH?cX}4vMWA*MS#OhX7Z;!3oWS-<_o}h_t
zDWPp@HS+$wmsL}yM`R1Yn>XA1%_Vnk0>SEUOmrmAfp42sqhnlTnmdB}2niZYhQR|2
z%F0D;mv8pJ*Rp_BLd)y37!2#&A94h>$w-l_FHcplGtW4F`0A<HWomJ5;3J>EI5|Mx
z*zm}u9Kh_yU<B&H#-dZl$8YQgPeG`2gDa~Bnvp^SS&nRS`X`&j9_J-D+i+c$jKzNK
zZSD4I_fah;QR7_PaUu=7pH!IRyM@;eBj$^v@;vU)NGOe5_mKWJia8Qvya~G8I4YCd
zL`MB6j*`pi7fEY_gX;M|dM}4v7o=kwCP0z9c?$&GJ(k92G&Ir1wC)5c2O6qiul5Jt
z<Aaxm^v&y3n1fm2wMdnoG77a0k;1HXQOz6rp7dRB$W(p5K1j$>gH;5#%Y}YAT@GDB
z%VIj`2{J8^**0M+NMs`@r;#)sCL)5tSIT?ks<`0W$%p>p+GACOZu)d8>c1n@u%a36
zlKMFS#vCB@pFcgKqB=L@I^!D31W9nfue17dHg5rMuACP&{bUlK0>oDk$Hh`_K+zj=
zaQ{JHyO#VPyMkWTTsce4(BHfUJgL7_9U%(VH1Y;M)m7#Z9|StTFt5Np6KfbEsC=%_
zJmAf)F%}<5(v@_#<G+3D_J+~R&VsTO7h?_uv|KWX1?C(MxTYLl3FxWSaZK-6&n8R=
zoVEtD-oIfUC^usU5{_!`5}s;@q4)bvzJ+hGt2@FnDgsR<H23uni-g+QjThq<zc*Ey
z)x(A0K`N~oNtpqF&9ahHO}HHMIWvFSu6*PSqr{2<VLMg|A&hj<tXiK7-+RJZY*~=7
z`~(eG9(7_!ZA5@Vn?i(=ecFa0oQ{&ZF}p<h3A1tz)<v93loci#hAH(W*Pm#EhByIH
zhWI7l`4-{Ap^^rz+z#aITd3FJ>ZfIdcJCupgXJ1z1I-%{eM5IV8O(e|pK;uRnN37B
zix5#}T_H1#iLr|_YLii?P4Cu`pFMklI?uTvn6xJbyzY3x>Xeea&vUojw_5jnoiDd;
z!in?599>hV;uub@VddVwF`t*w<T|W1ifi&#GpdO?uTIpQ0$Z<nE4zSxD=XaHfuFnG
za%CV|R{w2#3NMH|>JBVCGOSIkYz83d$UAu<(9IEN^PI<Bh<=~pUa;P|vjwY+nf=ys
z_cqe#dO7VU)lx3EgmvO;)r6EZ&u0-kn_@)Vkhf0Ge3nH5Ziq+?G~Z|zw?aJsw|G5D
zDPQ>CCXt!);MK7IsGIV%zn5hnT<f-9l_MUh*!w`V!CM@3zi9{%oFO9Jg?P8QqP^++
zj5<Np<7MscA5OZBNP78Gf@S(uhFWs1ju0(qS#jhCX<2c+XG2xSm1);N*3>stJ?uo9
z^RFDd)ZTP3EXir-zow*}2f-*n={yV}()Hmc)H_^($>On4qz8x?G7YJ^buHwTPQM%0
zI3_Jf^PG1@p~9YivTPQAg!ag~@!XHRryZ-bm*Xpr*X_EKKmsu;cC^lJttCpa{K_q6
z7<G5u=ilGQb3EaJmyne0&kzh$84+?c8uEjnHjVF9ea?}uD2=K35(KY^)3Hb(g1iJo
zYA-Y45n${}3Jl+;_2kC%^7Y`L*?ISWW^u*ON&I<a89`D+$9Z8gSsprC(2D8_K}o1I
zs(oyE$<CBxhr8h2EW8ho{UyJTRl6bdXZkY#H>`w5ZxU&bX@g~rHwGx*LLMV?<cEPY
zl7_%sR9rU>cJPb-WY+{tx(F&|P@5zDAy(p0#Znr~#eD!U`{0F`zuY5K!Y%SBM4-kT
zzHHF;#P)n}KljAv-^us<fSu2{+hvr1!QkJL%+}Uqb$n>KE!`RE?;nyf1i8xkn9k6z
zJ5DYcP9R3$^aG`5rea^0A#>wZ;NOxx=^tCsH(QrF31CHBdYM7;gwcvor1;9Nb>u=C
z5E{3Y50$C@uRIwanl-CHs>l+vAvw8o(9(NqWGp8(rXL!_T3~N7oLr}vPP~Ht!dPa1
zMINMI=}3-7*(N1JU%#jeLS=tpD~@e<SV2@)H#u?CXQmZzX50i<+dCzY|06`SS4M}=
zLA8(>#ODWhx#5R)X@Tl?sj)LKM%{l-$`TZ2Pm<VrKJP){DWOx5<Qdwad+$1xDHMjc
z@3>{YRIG5nKwI9C@Ns$&*6Z$JQ&tPAyX!V1^3oN6Gy7GH85Imm=$IKy&Nr1ApRIa?
ztF;%udB>wEU}v2@w<hMq(XNbf9B!TIe>Hrb0*Bb>A4PuPd3H1TufZ|+4PzUl{0F9x
z2xLtl35d%I34IXYz#<=vG`ah-ohg(S0bfI*tHuv)LdIiVN-^R|mnqZkR~V3_&T|MX
z=4N0ogQyIQQ&eHMrhDLcco`HkXj8Wdzr#hn{-uU|Ic0K)mO7B~<&y5euS`R_MD5uJ
zh3!|NP|=W@L)r^~D&v%QL>+~j;rs8+AP?awkBQ*N329Yx^y-CvM8ERZxr4W!h<ht$
zHu~B}3nlkiW3lJ(<o~EteJ9Lc6Nn6}dkmsa$DM>GtxOSRfo!L;w!q-5N2i2T`7ocG
z*FEG!=DDP%zf!ioFmr7H<`8P^7nir5)~70~EW77eKI^Wa--dH%%I6+bU-nCbHrcL{
z=$#eA0O8a@&9S7P9ma}Fly6`5TmK0^hwvjj@!8(>X*Hw9sBXpxOWgma1xK1kYp+cJ
zDq`t2ek8o#_6WjR+KHYopcXrRZKE>xF;$(<KcpZwRp~tc>d)arOrDc|L<mv<EIRoF
z@%zY4Nx4G3-YuFng>N~61*WLKmT_>B!;VL}y9Lx<@XAeJ3)FPMd4i<&WUPFFvD{cm
zzh)0d$rhUN3+<Sbq&r;@73rqNc)$2uz84W`=*(*06sX)Y1#js2b$6n!P9-N%Nm@|$
z%flCX@*6kF-}uL}B}>GP-#W!nfqqduOQw4kr4ii+5bPp8CWs~fNMGW2mC~XM00|iC
z3L1~fcQi74K8(15-zHQUd2u%}*T*|xa;2&<0lcwrUE<vc6v4HO-w)j^GUDCv<Ir#L
zXjH%{+&yDyZ+wi`Zt#g>#Q+-&Bpcwnx9^xDDd%AAvW@%re<Y+~Q{3GOD5zDW37Fn&
zSA5ASFJ((h*D!%BwhJwX0j9gZ4+E_Z;B0ZULn{+YPx-vGAziE?W_j8C+7q%xe>pvJ
zX#N^u!jEttNfP8%<T9?VQH0NXMO)M~MogL%Q+kE8jpTEIN}AMI$YlZ{UyLZjL}(_R
z{Cl87DL*bTuvI-&$lR{2D2pj!_gJi7z6p@QEfM}}+X>Cb$by(m=bFrVS#0#q?+-W4
zxsnw3Iw2{ebm$7+Vc`6T{CmP>p#_d07YM$hDbkRP0Vi@HTI-u4K4@CxqVTr~G0GC+
zsCy!6c1HZjiK$D@bZkG;T1~Q2(s&N4Lr-)<Is6A=&ccaf38R5Mw)j1R)8;<<OKdD3
zmwBgB%uq<`8wB)_b<GR7hsf)~@^g;pw3IZh8z#W%_u~V%zZ0w(zC!zRxkqbl6J%0S
z+8W`A^l8c`A8m{HJ%&8YIQ@xCm4XqFOui{bOYgOg-+CD>f>b)=vJ5==WLQfy5}_S0
zi!F?vy>}4akivG2oWK7nWCeJRFf##<pn-d>j8Vy!`t2vEy`|~#wcjkVbCIRO@?W*p
zm^GYV*%{)OrjwXc|Ln+@xy-Q(#+{aZcwr|B`fP!1Q>OaN{%>awM;dOsp>v4On*ZS2
z`RR?nhE*z=P+19>Ftua`7hGmRjfHtwrX>c(9x2n7=ks$^2ilW_fq30;)xp%`)4UE(
zWT9@#lPF{AC3Jb-R9wBRY2F!HOL?Et-Yw$`ik%)EWG4-X3muhK61YepF1<68Vk99C
zOCQx)Wo~}h$K(-98eUqT2TiY~(I?zfvUcZrzxhW0W4G@z{my4Odweplp+~Y;!|wDV
z$G|ji>+5`vcnK@n*CiRvKPaPJ&#u<vI7u7b;?3ARxjxyupxbezulHh2UfyFgZtt0^
zHo=m+7fh4MW#X_WoqLUPi4iS7s(e=YB+Lz8X=+2U3@^>gh<M>Xjh8J(F&^pL?85|!
z-TS5QNh(X!o+sUTpdxW;_lFRuPUhkX3)Yro{z?DMzCA|y98>5`?1yozp(pD!;Lr5R
z=oxCb$lY*LNsnokPMqd3FvUB=^n}>OF3kB@^HY*lQ!2Vm&a%}R;`mRRcnVnEip4Bf
z-9EPYn92s<!he6BuGtu{qbj6C@%4EuglI2cBC=LSj@t9R@9{VCOkoMGHiAl9SHjt8
zzDj4U$R(e|B~h^jSHNoaLb#kr;!-RV0-gSd-jN~{#TFMScg|9E5R@dyHJc~=I22p3
zeiwrCU(5uktX?R4eTir`Q&e+<h;w8|=ldS+6^8vok}+6-nh-Qbl*#W5>1e@5#k@RL
z{m!_|s=0vzON5C0VY)(c7zakaSrk~A5z2v6|3{bSMnVeQ*4c|iIDi#dNT>vqx<w9b
z=sE+DD5unYY<-HCA=egZ0<3Zr21D{-<b+?Ld^jl5tnf_P$HjoVd&a!<iwP_H(zC-g
zq8(ZjSE$V7G4tOs*a!<h-zEzlxs7F4e3UqakCkH_iza1}O+dCH+b5u%ay1K2wxav6
z2_6L>*v|5!-9oUNM)F8gcLl3pg1z|X$#08FeVLQXa`RrnK0+1)odQ>>$&?m$j-|(c
zDDTYIgVBhmu!%Q0Cb|T+>2Q(>E2mj_Jj!l&a0YmMs-t%&he&F5VMQQCKsTI|Sel(p
zAFANBJ;j|>oMF1v#8y-U(vPgnTGTe_A<SE6u}OhdJo(t}5@RutIxi6LB`}}25tUa5
z1y2Yv>S`Yq{Ju-Jv-ir4OduiTG%SY70rHMM2&B(zVPE}`3W=1T@VdOv3^qenEE&Tt
zAq&^>FS1m1H>3by5p0&o3$gp^svQUpr@U{s(t1qnHH0~T#R^o2BhwS0k+m=`hV<Mr
z=}Pk=?+giGB*3M66Jn4tr9y10KRRKcFvj9{J(3yfWEWAW-EP5A$Q04X6(Pv%d_CoO
z#J2Bu@mK}w;2P|ql^0);<QtJXLK*FjgfgVeo4>1o*f8}i^+)G3w@sQ9oBQEH8B?ZJ
zF1D|vFIvIvUJ0|mcP$8Cu${XI<*<ArX*avEA`dchxGIYm-bE6}zhP@NWAHEE$zpr^
z1Z`)A$~743|BfJHq#v5^rMO!_;hHrZvi#@0b_0E*|CYpDH`A7y)sXhBLc4y-$PsR&
zn;ton$756MO@DxW&S0a1oa4pfl9H7Pvq(~ZlNuj>z4t4labU=rY;JX2$T2m$m_=0n
z{S{730NJYFPZ7xodiAu7^0FVSs~*8%5XKFA{$px*(QhOWVUIUluS$i1U7pX!aU`=d
zt=Ws@))pCnR|;2Yu)!^4i(K`_Z#Q#zKbkJZ(Zk*-cJz}V4atUa%8*IU(<HaekUofp
zLGPqJGSBI&^{s|tVuCkG2@|TUa5DZxKp96*ILFvm1FE4XL-sN&l+s#Z`N#x2s<V#0
zA69<RzzuI!Dfe|8Krng%+j$+0+?R<K*oD|+t1>eF<IfJK>S99jFbP_LXahOd>6qcs
zL4JzJUNmn@tnNOtve0))ZfrhZ=_us5>&86wy*Q!_g#O`*{<g@8EC(wFm$il5ZqGqK
zrZ{sJ$SNIafS*0XJQHl`E=rjuhQgq)IiPn(O>&N#6jN^9g+rD&MZZDsrE%=d8AeI7
zJH?pvasIbUDZ6x|R{0+B$CwExL&C0x62g>Jpii#Gl{et?D{#qQXCVK1ct}%<8AV3(
z;64pAPgdB><mhWGd_LedbHvPdr@G}nF0hyqH#P0|ZR>bBF`uNY3C@0o-(E0fx)ejF
ze74^1qtT{ZL#F5j#4j?qUgM)$kV#r5p25s+an;9aGRL&zycAIjW`ZH(<)l#2^!48a
zMIT3nqib-lAa2W;XL3AQ3R5jzT1!5uVKc$_))wBR-|z#TqOXg^jG&^fpvC10lo68<
zxe-G#x$EVp=v4zw`fl~`SRq1VRXVvR(*zc@O)j0tutjQbB&g-ku&5@A?ca}d`PphT
z^#7Wo%eZWK*-f8_fmGLC6|9fZ_<G_Z{ex93fgiOWje1v~Hb7#+KOG}BfbR?ubF?EL
z4!2@3PDPV@e9Q4TL%3(N8Sh9QfVzwEZFTy$j)+!v^uYl#KAs|Y&}xd!f1j<y;Ow+`
znTbt=5xtQbDW{>xxPI3dSE9z&*NBgXFA-D3aS3x_M)=vONN;|3wl2CSo|kl4lBI3(
z(Nzp<(>=A($(n+Sjbvig+mMEecUbSmq0}B464p>tBy{Pk4*F9PX21u@dqgu4wr@zj
zKt}@)pFOO6Rz1hEYnWLH%Nggw3>#fzaLIm0%jh#Sg83hFl+$s|xz})-y3h+?X!FY~
zM6k#`oA!xgX52nskV^6?<=kVj$6l_H=DDv~|CqCARL`(-l?=(L=lMk>4_)0`9f&<>
zX2|gi4QXhMqbgi3b~t3fgdp!Yk2TmaPvVmLD&8(2+8=+*g{&+5FZ*dMyV3&xny<S>
zsbgZ0zo8w~fXvt~p1oGuJ;zb#K%hy{V?_tIX0VPAX?69+hxd@`MeG{Ab*Eu&1KVok
zp$;UIw%4Kr<%6dchXDQF^Oa)b*MSc*hApq7Hh&ZzO~MSZFtO?CgZg>UoHuOhKENM>
z?@ymD7B0S}e`{cEF#Stxx<i!TKqhG>(*1?4JHN84ufbc=?8vWg;wmV0<Kb_4;!hQ-
z`YcgXF6U>bZ$9O9r)3iGhugj@UH#sMpaAWJl!T#LEZ3fCj*nll>rbGQ&?>l$VM*oA
z=*R7Q7h`}Bw+iZa1Aji_S_}B=uzOO3OC@;)j-5MhE#W%$r-jHuZO=>w(zoo$`XuHH
ziaOBum#vH~G^ZL~FU!5z)c>f4uKjORMeXI|CTIyCET4A4zoxf$!--VWGJKmEU1#W%
ziBYa;s)y#O>5p!&XUpKGO<T^esLqSJvlE7*Fuz-!s7YM;Xfc&ZNdMk8Cq$$9XtOEf
ziI!M2ChUoyL<6|>5R=N=&$*jVM<w)Qr;b&R;Y^#1U{;<LEM~DZSICQAUGf&ZTD|+`
zms685j%`O<4JBXc78R<p0eZ?xG5!ysH{?0_(jHgxfTy~DeqeI!c_AU$fm;=8H&jgN
z0R$>{`2*6ykIj+cN{++8B4go!#E*0zrMG1tP?9%N5O8#-t&{5Bn8Uo_oHWgQ#S54O
zfHybmg>$*W2bQ2|)b}m^?j$!i0$a=fF=;OJ33A`b1WqlY1W}fZpnr)UpU86gNas@c
z3%c}QY%mrr)BO6g59~&sP|B}-_BvDfCZ{g!7@tsic!eM_Y)COWdTi*jfJ-JZysXuq
z`kc})a6mwD%=j-`L2Y>u=vI#h^GY*6I*1n4w{Z^x8*%BY%j(b^D=AOlxVhB0C({7}
z`i%h=zN$CW5L#=O`!CPi)-NzQV=fwG@&{<OZxR_0*TiLV&iU%Oujn>#7-WV77@Wl7
z>6Wj+P5%WIwqHh~Nf^doBv#c{Y)siCj-g8t`lO=zBp>zk)$|N#ygCoEL`keXimR(1
zs%ti?>rbm&N~-7L8r(SU_M3P(arYQXGQTTuw#ONm64%#r&KwvRP<D%bOI608ygtot
zKkjq!B*`2#GSMd!Mkg8PO5zyXlM^Nh5srIxJe@uX-rhIPTNS3Lwf8oh-EYeAxE|#c
zj*AeC3xC`&!_}q5C8n7n?=j@}{Vv64b+J3TIv9_+p=Ux~)yc2pZdI{8s_Jsx7xyWM
zgyVrdHe63#Ma^zy)l~;`Ij%d^RGVi*!A!B+pueum%XK<l8NNigZAMn>!)usX4quQx
zI&(7{YdvN!4J+%sBE%Dqvz?J-xBLX=vA3+ZH(S^9JBm9R4V|X8GpjdgGU>8v@fx){
ziqEu*t8FuB)AL%<%hIl0EBgG8=9QJKdf$&|ZYEmsnwBK92m_99+->zH<a%9^eiwS*
zYb%+V3`ogWYnqJfhw**a#5m#StN#?&`qlc}LR`jd@Mg_S8_Vin1O}Bn7(Pw~!=xbn
zHHEjuUL6ugZobva=M9$}+rvh&%PlA*3=%ay=eRA{Q;iOM7V700`T9Co(QGSQQQa+7
zzO33k>eW{gAOD?}Ar~U!W7R&GD<8{i1l62hX@Ax(Q!ju2N$=K{L-xFk$AQN}wH)>d
zp2}~*CoWpK>{v^p-|Cc?gh0USe$$aMh<)7<eM9V=i^;@arWZ45%IPJ%go1}TG<YLL
zzsmaEOyTp5wPMx8@>>RywWfMaQ_f~#b(5l=<z=VS9^HR|TZ?3)iN_yJPK+fPbBIf{
zvWJqN%xi1X<bmU3XTKMR*{F#~cX{JTb-NL+{N0^1cA`G0N~=Ci*mz&Il+t7<%D}cC
z(hMWR1C;UHMs@WWc?W5uxk9SgNMZrK^kv|gi@X2ha^_;@f4NFu*7%h8?*C{hiT%Z6
zdTi1?)8(7#b;fbnT(9!~LeNl{u?LwBW0;2~2gSXUbX`qrJi^}6He^&;x>jjbUzO+k
z*tGWuvxN&0%2W^4ndLwYyS;v@ZEtF7M;aw|O}GupIYp?To`GNumwl?5Tq;L26P{hF
zudNX$$Jvq5h129)qW_Y)BJ+(EGMR0@8CP)Bo`>t!Ip5UQT=1J24kY^e8*$vZ>mB}@
zY6|TPu-2}3C@}nKRcrUgi~rT6L#nAur_}4S(t8qp;xVzqF}bO^04uKw`6JcXsRbg5
zuS62FL=w~g07;DhFDprm!vBb46pqEc9uYT>@#@Ds@&irHFy&(^iCyD+T2Svn#D_w?
zLy(RikY{&Cg-8@)4+6mcF3H#w3pNs57a8%6_r@rHEYf`R=VF?qENE)y8bke>Lgzl4
zBvKPYbq!PEhDL6J<K-v1a2PM|Ev*cBtTad4IhyC*jVy~!Ww1_iG9A<~4jQ^7#f=+n
zzDvSv0_zo$ws1M6HC3zZ#mSD99PF8z1>2e##@)^V#>@yivD3UE9wX3CgKyrv4?W95
zfl@DY;axU~<w=x%>D>$p!O>7Tp-amfV`}yX-=#w-M^_~%C_7eru?SO?Lst|}ROzz1
z<ZT|CZtnBwgn0324RRfFlz|E&j!%c%V`=hY+pfLJEh?ZuH_pkvNcud39RD1sSXHyF
zroWmcjMe`YDmIhLg7p=v!afZqdPr1%wcSfjr-S(Ou`JW#1~pYE-2NSbHdLK9#ZsvS
zupES{b$sYnaqk8d1M69<h>F!34vA2t6<IKX{o)xb`$_bI4db4NS}2RYpy)Z^;ie6m
zrE8}Tit8B_^*Wek8S(Jukd-m+cG~M{Ct{x!2PUYi8{dePxoAlxTRnrStaAo13uWaj
zFegichvmy6uch89C%|WzVZhHZ=BNUUWH)%2(bTdOz!U_Sfq>jcl?D*4!LaRdb?qxA
zfuQNfA4P|Rr2_2(bW9!v3Aos7L1=E?C(4K)XR?hq`bE+ZzQ6j+MMZ8<JnR9WKCmFt
zvbk*Yw4%9;Qhb66z2I%DS5I>0i~OWT*~2|oyCZu!dAcnrcwHe@K+A%5C_IL=?XMAm
zIPh*U_JaR2BXMmz)9EBXas;$!;Q9RkhOcdaw-K;|eu5-Au2CEimn?sV0}7~BsW?<X
z0dwg@U<Xaevi7DgrKAfu&x(Zcvu~v>7Nc<=(?chf<$4;rIO@%nYd)qq)WiyVGb)%&
zq#E#*>CG@*o~iecM3byaQYWk)8UDJTraezrq%#TiVnG5Ct^9RGALxA;2>QTc`;ijq
zd*%~^V6AbqoH5jXJ>64?#Mi-8H-}7*c_PrvNTKznSk4FWyE+X!|J`B)&LYiJw6>wE
zoxLVmIOyuV`~hvozMBw9R#o(UlfYqpG1{V@;h(2-fm5oP+{8#*(+2O~dVG&K3`7=J
zX(3KHWx7VR43Ar`JfCck=*5^a^FnGAOq;*s>6J{r=xL&WIO7f#_q#y(98$9TT?90-
zd}8}uH-4UjChFSo_a=sHX+eZoV4X?FJmo7H1*y-c_1Y21H-B+TxnclHn%~Jogwm^?
zh>xoiy!A*+MJ%gE&%Ot!OK;7%7~hTrV`T5RpU#|535pLY+EXrkr*O~HcRp~n=@W?o
z@K-3O2y0ml*h39@prK`xtUg$wwghz0I7Wx@-p{#UAa*Akg|@FXhkC7P$49{}Fh~uZ
zzOy_AT_P})y=Vlbi3CC%UxHL&qKT&Pt@p(M22sjZL(Oq4^Oj@GwB`h`D`-WVXhaG$
zN(cJQ>soW}Z){a#-vsct@fz^cu-PpP;%<mB;A+t+p<7Yip~86)|3KQ>4IaH!Vw@mP
z<VZQwL(JAZ?0zQdKoc<VoQSatEB{NMnGo~+KShSJUqqqQ>D!J9P-UU-xSM_&1GorR
z;XspvcLuV>R9#vt)Lu?b6g@v^-x2qm^8t#fqCC`9+;#~tx5C#)F}LEbks>h(#0-o0
zLz}tCVoUmq)Q+18V<g|Pf-sZda0a%k-;P}=8IY7CljXD+-!@!GK@CEE*dwPEvXUF$
z?Qt+-Y7R}YSV07DzemV=0<oXjj;-_wpEH$$TP4bA7MPt?f2->m6RA#TubRv?A0cOQ
z%v2dzOfjKrWeaR<v$mvimP3`f&e@gz-2x_(&dvmnEHc>%lL$J9%Rr}cunmFQF<}|j
zo7p<Cu%yKTw=8R)(p;Mg#{xlkYMLWzY{rWF3KmmC<o|=QA(F8nT(>{1EFcY5{nSi8
zEL@*s6IH0vUZc)lRiV+gTIgISwG3sb<OpmazBgk_nbc`rZFKClplgWvWM4v{sjJ$K
z3Oy%erfZH9f!jzSKo@!U9kOvxSzlSxt|)RE4I1;ss9L)|T-AKW=G?lMo?Yy*yU=m_
z-X=23hSBcwVY1x~zj`mXiqTYw7dg?y!Ty*1@3FO4@)z%v*AtlIy>b9e30!gBEa3?4
zwxjJsVuW6?ZT^%WN-t93Jb$}TjGjG*+I9_8-=rZ2Jlwe!2=dG<z%{eZ!9x)%utI0~
z&U!~;b&DPwwO5?*E`vU58K^ZYlk>2waYv<=xB@T@!;Dxp@pT&2Yi@6vaBHN{TBY6@
zH}d-H(i}ZY>e6pq6~7rVQfd%6p4VM>@Pn;!PC$FU(C8im<HZ=vV3(I_B>``8ghd)_
z(;sKV@P7uQwwB5Ld%oi?rSal*CYp(qIxTcVkP{b?&`RX+7Ib|wglU-Z{*^YKvDYM}
zy&fM6e&yEoSTB(~xmna45>m1*b4a?)%1fW))(#O%n#TEFNAs^FgWDk`a=5IbUXq9P
zp!xBrTAfS?7W_e!4NA?_m?oy=ucEH}jkHQk6(E?c$Z{KUj3;Z>OoO*#qbAISUXHn3
zobxe4htkPBQT6H5s30Se07MW>BsgRzXJ><Jr+#doJ+n=bg(47a<$<dTibWw$*^6D{
z7pVXvSt(S2&8!sB!P{1b=-?qm1%z$5qJxbss-lsN&5WWN*fvkm71d@!5w7?y1}@Jc
zFB^<t{%7n1vkFb2!H<1y_KCgwwtN-C$)6drZ^*G~T_-xtSejOhw#(+GaHG*G7vWD&
z8UKaYmk(01q?2$X7M;cgqDzKmt4Q3i9o)Sc%ACU_)bh~2;V`LvxGzr4Rej_XKyzO8
zCaORuwUhy05d^AdckOT#Kd7nGavh8s`p+d(FzovjF-8?NMU3Lb+N<a4lQ^xJT_(<X
zN?#=~UcONrlX74EqDDaCc>t5L#z;uHk)UM}`%r0UoaHr)Edf-bD&q6B=W<0JsI)1K
z%=2Z~_yp4Q$BI`SwBvUO&G4uw-7~Shj3|7g9l-NjI~%j2V0bI9sCLbi$dUfeWk5&3
zKxZW?US}-%n*>8Shwc9aZ8nn0KuoAtYl3wSlJHMLMU4n8R6TWRs5ML~iM<lKq{<}L
zq#}BAK&2g+X!C`26)U4qk6lk1DuYD`XriSoRE8KT6;wJHDgvkT6YOf1h~)-lI41^~
zxX02e6C|iilaijQqk_z#Gb$wEFr`pwatf@V)m&oAC^l0VscjBY+eQ2aIZ|fEBZ}=3
zfs`15@X8H^#4LJ)W3dW!pwoOJswg#62&rlfOB)Eprvpw`o)ji`!ETb#=p-ZH6^{g9
zwCi-q#tLa*MhtMlHW(^{1t?&lj1(b))vicxJL<YoVyY};#fw#ib*BVa+P;gUaH|Vf
z(RTQ)5iBhcEGZ(zp~Z!v#UY`^xQ)u|LyAIXQIj%^&{B-hf{f5oswq&bqjE7-q7F+E
zF0czx!v=xFpaC>KmA)Kfd^p4^2{5{iDVSAml-SEHkx8~iCeaoVvNe_k29eq#MhFd!
zv_>=XG_=T;nG~_1^(@vsOBx?ijYHI-q4gxxJx3ZJQO#4}=M-_GWfqwgQIJ(o(>PLC
zM5qIqVj^g?TT%;7F_s}Fh@mJDiJ-nMK&%I6YL6QXfih0}CdD|x8vsm>Yp4omrGfVA
z_rFvB0U*oy3+%@y6VPKAR<#N&FCsqTIRwVnUKDRX!81{>R8R0?XXkpxgqETR%gMi#
z3Ic9~B&CahZyx{v00000W?T&V(0=h2X2y(0?!_S{rx?NkD9SxG9P1sP!x^azPujT9
znEa_dXGMX#2LO*eGPfw=J|&$oxVtGMx1<c)63<K$7dApHR1!&%zD}FBIk+{aA<6CZ
zB2z}EL}UnPgh0F#=eLWw1vml*wDiL^`3-(B@nFr&*AvD~XK$dP2n-R%n9U|8DIQ6O
zpj}w~1EGNiEymr1_=$yC2g1;T1bbQCSq3SBkA2medmdRu23R<(pRj_>PciZ&$dpta
zYy&L(p>|W|pgzMQAr&Ft`o~r&IdZOk0-r;#jiVl{gxXN?R;T8}bmdO~k9WRWb~cyC
z4$&FRnt?Ti006?icK_UvyhiK*dO;ndGB&IRkSM`!N@FaafoOH@<PzXEa?wlxGjRD#
z9G*ZyHGcvuKM;_aI|VkOrj~*P_C7iPwR`bdA1Q>3o2{#0229?oZ<&?XBu&HZ$vD~O
zbz>Gz^&%my>LCs#`Jg9|LlepQrE}(hfg>%loaB^4Fhyn*Hy`8&2_-mt%bxy19ok%J
zvy$)s>ncKK2#;P2zH~va^+>#dC7|#Mi7FCFl#EIru>U$mxacF|G)cD(DCt!-1j=I0
zEg>{1i$0Y;QN}=bO-b&<QCwsoBU;Cu6l{602aA+0$_bPLnxu<J<r0x{NQME3qYfO=
z6Jn6h<}d-Ezr1ZC^x8}SL_|)5VegJJUL(Xr+I+5im<g|t5s0`vCDdqm$$V&7a-du=
zJ=r&jF94g7<WLv3X)u(vXbW-~K%4$5ZWPy)*KJdKoV_iGyj?)cU{sALe=S0LiJ%<^
zF?J*Ktjz>K4?E1B3_M(DSd=XOV(XIx64TbuwOX$mh&vpnwVB_3bnhw-AWZQ?WU&;v
zu9QTo$uULixA4SyG$_3Gw^X7l5>k#coA^Z%G;gLj8zx5R49;wtnBB-AqUrS4O(j+o
z-k=K@`)>V;x?Q=BV|#&Li$G;9=67!NonC(=4e;rF9ZWI+N8u|fII-2UMi34HRBJX)
z5MDaMv=RX@Ff4SYGVFaJ{z^<`NP(3<8uA#qQ^V{Tt7+8WR7F=`Vx0t8v_cFZy9&ZR
zViiBEz)f-_nN;UO0I-qzo3QCL=*a{4CaLW*r=(`K!%nZ@Mtrq>voRUe-v6MyH753{
zWduyK3Wsh3DT1c<h%YsR3Qq=InRYSa1D_DuE0~hR{RKV45}_n<Gjcq-FmPfw4V=D(
z5D81c;chYpZ(_g#G{pon#t$0JGaiDN2GH=TPASk9M~*ZlBk>^|5C>C#ffP<ll~Qr9
z^}v$|mYG4;cH2O}eFP-;3Aq9z2qMusR5O6Y!oVTFfl2L6ZxO-l&V#9!vcF6R6hR<V
zPp1lY7{`YUpIWui<>-+RbDc7{IyUu;YCtaq^$X0TI>-8m{8q&s=vih~8<=AP>Vt{t
zfjl+w1f#J;!~ft_hMl$D%YO^YrUpR|Jt`DluR6o~kdJVP1)5?2XGf6wC~m#zFKG6G
zz_D6^zPJqxR1pk8wESM%FfHsU6s3#s00&^e*filsr$Ed>JzreP3>{PkqmxuUYo|2<
z8yG|>-4O<jiIYN17}!i^<BP~6t~~-gi_++!pZh0=zi>{DxIj31fwf`hzLv#+xHw2s
zRjIkT<9J8k`ynyZ%g^`{Rn@tMs8}aFK*Si#$(N<g0iLf>=s{uy8dK*AbJmVZmj%%X
zt=1lsj1yej4|td&CU#?PGG&mCBWY|fjV<f883}}XfLkMhQXsi!zW)S>NK+rr4onk)
z@)%z*0qPjx@c3oYmnosB-S)(VC^Ep{P{Q8vB!EGo1c2WH<rf+W3v${#u{cgRF=j>3
zA5l|%&RdDdW-_H^F);!DxA!|!GJenYF#}faWty}2`rcQy0JMlr+F_?Hu7tu-!Kda;
zH_Ksfd2%$WtKyb{A^@QP$Do@5WoRbAAyNC27%I6<L05(h(Z!4k@5K2&H!}*(p;*x+
zO^F~S-0YYb_KLU&s4haVKdUfdamS!LPDTS;1o5Dp#+K5B0V84t!f`RA%%eTCwF@~Q
zm~EV^R3sFA7Fc!eGY#k@EHD}XMI!K+<4F5!st~6DOhBtDUMuYY#9%|DEAiMsz=q;p
zI~;W^C+shbO-!_^IU(011%i1<LmV~3=&4HRu`X)dC$5X_>5}Os92l4E>1g<gMw$h*
z<aXn9<<+?O-|5;JjKg?fYAD;b30k(N;^HR;HOC3@w};vl2(jX>j5xsNI6)`Y4>Fu!
z3mXMIY;0V?X$Zh9Ym`lOjB)37*eMOLQ5KBQRhA?~WD$g>mbN@=f-+nmC!puVIMe_Q
zGPgY0oJ=ZkxCRl|0HgylB871ZxK~ga>ckj+6UebiFUcoY^Ind;r#Vy3GAix^O$u+o
z50o@VlwPfY8&N*B6&FsHHs&}fm2s2uE|EM&ZD$*N>Bze^?AAnbShGp^S+sCe&6R^4
z${1XXFC6$WaSAdjZ`DFx3PwJHW)_HPWb{MM&PZ)#$OTF}*b8`dy!H>}b`Z|;`mF{>
zj5;Zbgd6a19gb86M3yXbO>1$XV{e05<N|Y<70(De$ZDL`PcE)4=|=F(9``-K5>u86
z`wo~*>E%+SyFa0G*d}mq;>K1=+)IO}<~B8<cr$(5X9P2ZTa14}KW~EEI~R}cj>;H&
zDKg%&Q38`w3#=tG`DT3#>QIM9l>QRwcU-1BOZvWfjfRI@sF-VO_Av9%f`F^MO|pe+
z4K+<ro+ez`T*|Fzq_T}RPrXIR8M%!zQtkHsFIpdSXA_8R$ic>qia;?uBCJwDCbWY3
zZ~^q7=3D|LU|I#2I{AX#b6Kn85@bxwDE}#S8g^AmXX7Jfc}`$$*47sPq)1Ij-L3((
z;;?-6VVBaxj-GI(AJH|-fD+6J)8*s|*9;@p-9}5xD+U^|J1sBLitHp!#O1YEd*jtF
z-b#Y+cF$$wc#h&*c9>4x2x7H=eMWUMkC2ZRrrcUSLKVl#%CZOCd{1^XO|R%|v#huV
zLa+4P9S~NCD|!FlsU~7dm=EM1om*wm>mmanKWjBvy>P@|I!}urhS{JaZJjJ1404i{
zob4p?#5O3QcBBzr7E_|)?C2&x-yJe2%tW#f6^dro5CxOtbjLW6B>x<CRjIe9LRxK~
zWI0^*pHoD|cCH}SQmXaAw_JRdZYw|Q$y7#rZnvH37a4Sim6Hk|tUc;1R7GXZg>gw3
z{0@g(IrY}-02{<zJ=_C!u8>W8lW1GS=(}>mK|!C?@Fc$rbaML@_a6D;0z-MVmXS8n
z5h^o4!+BkCbIgmwiR7HX=gYUHKIWAEs*xpl;6)XY?tiiw5AqQ@ye&$I7Ql4@zrwHd
zOB30dER*55;e{U0oe>^gHwO93Ww}mJ)ifeGf+#x0hjd%8-ggA~{L&*|e$2dCO{gJp
zyM8;_-PBSvbExN>EXBuV#dJ2y5>fD6rMiEHE%KAN?1x@5B5ygL`)~Qk@U3un$-2T-
z5);B2kq){NXw1K(k3++mQ-z6^iQG2AC8r@0&iGCOcmdR#;c6oX^3F!Y#sQFm$J#*p
zaPNdEBVN5uKy#PuI8^0BpqN|$YJbcoRu|dc*5?($^~08UC@9A&S4A2nMJI<Yo611V
zT1p73S5P2>C=rlXE_7KjxCn{VP`#QJ2#y@Fzaq%ohzG6Gy#YjasYIpP<`s}1N6+~(
zhSP(*P(k7$tQQ3m2RleY$2@FoAQm;vg|qADnK?wosEOe4TY)<f#V9y7r5A&Pn}Vl2
z@#VqUt-|g`QT;kd+ICuQ0w7T_{;(SW88}af1*9OxXSSk9lhGf=CGwOv2Xhg|_uPbG
zz-aU=dxjYfGE#>I+59~jKlst&$d6?pb?D5xM96+&?0IHzW@-$=ILl>)H6w-Ccz2gs
zeWciSh_X7dpMG%|93Uv?wu1?%^asqn`UA3=cm&I2q)H_0Rtt&XpgsXPMO-UX@fE=B
z7fI2CmaKwaPz&4*wl9Ol&ytAhkEgJ7JX8}^x(Zs^20VcqiWW|6aYRSbAZeZcTdaz;
z6jf#T+^`M;+VRDHsp==RZIiuEIG$A64h{^Epd+T0wFm@+c*%wQj0CtwcM>)mv^XPQ
zr2+Y;bneLiSW5IIulvM%j$6^_BDZ`1W``4*UxenizF)=zA`%v2CoOsSjMoeR%p~l~
z5TK>mxTlxwPMW2#A``M7flN+~{17Zj$s)l3Ss<pSavUMck9tovA%&3CN&#-tWyZWY
zfuJh-*a-|=`u2JXsxh#%uWjf8E~V2MfJ^xJ-xofvVpX2vyE`uxIOfdad*h-Y?I60d
zXX$Ndm40hhJI*z2U?GG!x5N9fV7SmKu7$KlG9Cn?8L4ZhL2(ONyMkyz?9GNEJ)I&F
zUhXcdh2u^((wv)rQ%iQ_G|`C3FjFJg>FzToae`b$3hov&YBjiwXx_pqA{od}+>5@F
z9j0Y6o{m9|#jTlDM)UC$*Cm@OR@KF8{68_MU@@Wxr<LZYkHn*LG%*P=O&fFqX@(X|
z9%u3IDfmaLqWKJfW<Xh<eB*pA{r0!y(e6%>E-O_)r>G_(Ij#E3AEcGxr*4OckhlX*
zae&Jyyz6?KK$eyD-2uW2EkMKE02?fPAfGYSFSqq!1aol%pPo1vSJ<*U67;IGs2x%X
zg~TK_CN69S6RMD-q={6?^#X{c0(eFi{kQgIS>g%ufVJ!-k)}j*s6*AcnYxW&W2Ta(
z;sq<PSgkCHl6l-QpdBN2hL0rl{#y$^BXBscp&BNU`Y;nRQYO-wvGgQN8o)4Rg8WS5
zIzAw=<`qnc02X6XMnI^FJ_Zu!<gH2XWk(2;dVC##L~<v1vZVk|$0^b-NSIAuKwJxr
zECQbTI*J)>k<|P+-Lz4%0#cuCky!uN5HR~KWsq|wAOp53knXZV76W@PINw*q<a#A~
z=L|7sM5NXo!c=Y-ZZBpU!PR*orSi7_PCzhSK>k{R0T}Z0(%Cdq>d1Dmw=A`bicdzZ
z{k1S|ohcF$=b2G&G<Zm9ZBk5$c)n~1)W!G!9Yaa1>sCtAH6c(SWQ|1-A-Ey9`Pvc4
zJj9gn9_EU&fV@9xMMjNb^HxZL6s?C^H+QEKB3S?n%{{;_I+gPI&O>ZFNQ%f09#wxL
zY#i#o#LJ3jBq>btkjd;vjFwg=DDb2&L}5jb%majD4R3{0Uw~n)g>UEX0Hoa9iKV-X
z1zd(HcU<*0<pnr*MoK`atb$vz0uU}`Jozr{WTff{r0SOa?9jj>DzG`s(Qpcto=Qe+
z+-US=(K8=Pr5i|Svy*0);A{ONp@5e*JOueLtYFg1D2`-RzJuto+zLL}r7}Wc)Q$>r
z5b66;ZQ({u9Cs;Tx9Y0pj=5=)&w(17`b6B=SewrA2>_)K=~8d1P$;quI;5?J*+9eS
zmIL5UCNyC=>=tB#Rm9CPK6UtUlCx86U**GyiS&-C!KQ~>3`u+Cwo$}A2x2Qn*DVe*
zS7Le-w_(#$D==+cAABth2^U>JkMWQWNH~y43UrL*)J^Xty8#Z{k$~+!^aMxO8A?C^
zwg5y1pkQzxeqL!R`0F?CqQn#uO+{?AIL0amTlAxDb%4NKb;c>_I*^3@j@}(T9SJL~
zC@c_Qd;)k6M)wLaYIrVRr}YFa@KX?$8V5Lq@;nsez?b<;SxZRdK?p}&rVx}lR_ZOp
zveg6u);Lu?#ZH<NYB(EZ@jDut3f`Zb6O+Oxie&XU)fJJFJQ%vxfX^G<)(;@<k%3WM
zBPPa>3L5_Y7yCQvWfZMTgJzO9aI1I-aSF-{vBV`AY>dZfi*S`tn<G-Y@6jT#L3>nV
z<;v!VNCHx4sWxtf@LaA3GX}wnM~(X*VIWE#O@9k&q)&La(vDwL)yr&G3iib$PD~TW
zYG!t9Xdy74-<}cBU&nt+i!{%CIyJXExT`KSVPPytI<^b>e7}p&%MwZ@_nz5P0_lS5
zS(fIb<QV3R?p4CvPtI{c0!p&|?TZtku{0rOB}kA_U7!ewR=-nUtIPV==)n}L`p>9-
zq_X(hQWbpzg5A&o$|OG9_LTZg4~%UQzffYHs>8wr0BTMw)utsZB1nkH07@frTx8fl
zw;qf^*eNFMDZ32yh7jRqn_3NXNv}r*nD+O{DKicq9CrlCMe<>gBrWRnCK&X$?d)-)
z(~#>xhqZ{O9ttE<E<wyqY3(9mxnk#dIFdq=lT8dHDK=J0bBa0QL2yM$Sa{eQdp=7c
zq<yww=@XP1I4tu|V*eBDOI0X?D!CHzBH7@vc&xkzIS7*ULrNgQwe#8ONcsCn%?C8G
z4r??M4>k=mVOn)*XLh!i4;4D#L`M90aw7n>N*&;dfkyK1iP5WGxFf+aO(Q%-t~(B{
zr(qsfb0&uz5_ZvrI{sLoOf+hiK;oHNby7!4JhvrEoSmyH5!IZoY=uy9cFy!0iCWaa
zF3K+QT-Yg{-x+Pstr1sFn@3y-tv4hNl7<cPH3%Vzyf|MBLAJ(W&(a-qgEYfZ@P|aT
z*O(p=>RjIS!|(-3l!)&azvjvyCENO@pVf9D$B>2O5fHiEa24|!e~E8S2v^4wnNV3u
zD|5*E8*2Ki`c$%fov{<9#6;{!5{`K%w!sxYo2Z0tg$349O>6r${x)jdUr-PE%~scc
zXlk?;(DIImjkn1Qt$g2%4gp1^>);cC@{fzFCs`1z@z_#yc|AdEZRVm1YxaQ@EwPHF
zDGZB_a130G>hOq$)4!h%7MyAVvhx92X@&@Vc;_RhE*o8L5}De*pkq4naQ(9FBLU`i
ztQYHYs?u*~=yBl5xAuU~r0QllU+LRKDOkm5WHSlan``Y>a`x&aes-W8inZl(HJwB=
zKeZb<&Z}FqGW^J~K+Q(X*<++J1zJ~PlTv|4E|OB5Q7_>%!744!^2r$`;fBa@d-_-j
z8!WJf*$}fDy8QWH(=@;l>Ac%QT(Ielqf|#clM|2_#VklMDQyX}di+GWldQRLQE-(t
z6@zR6bb_u(<2y+U$;6;$!YB_F*pVT|)T@r+(4oNbsmOspBS#Hb9B(lsHvd(DBB15n
z*%k@7Y)}N8(1`>9P`>^L1TjK{z!KEeai5+?V04=ZVBx;M@jjGbP0-uD;)&WS<QCKw
z&N`ANBou@-2_wewblt-*d?zWkeFOj*S28fqR2MB~z?a_#IBZy<LLhtG;bjyVPU8$p
z9}V1DBfN=eL2b->K!B8-STuRLf^UVOff1T9l(+_OV9GI7yV&Ton6PALfRYprm&0Xj
zDpm8XmuO%jus>Q(t)vrA72ea%JdAe7#Abt9<Z*-(a0oEwZ8-Sh61m%|Mnsbas!85G
z%+XhPB9wl~N2+ir#KTjz^e!8mX+PBw20ykqSf<4WQKeVg4e1j~(}oz=0<Ad|s@QIA
zLfYKARtAY;`!SasFixm5R#F=bo0L)Na%R{`g){HVapl<+w7~EtGgf72(<RoCFELIG
zw#T_pXc~=w2DJvrMtLTZVBB7nx@xGlFwz;G&yU@M6!FLbJ&jLJ!cojTKCTJ5hpRQj
zX0e_6O3?}AR~I&rY~)Fe0d$eXC`F-Y&Qp5FxBE@jesM5vy<nH)sX;|uuS;x=@+}x3
zBv|G(HeboIwOvq<cR#6X#o~mRwB4vEJW&DRiJiBbQ+9WzD8zMq_CTt<2X~<47RpKJ
z;RFlkEfdrA326obnF<9eNT$@(rSM@wZq3jj{ZYMet6vsF4bX*uCp9CW9kmJI=W-4W
zWu;M$G;|%HK59$^HmVn(sY-d#BCX;(W?O7nG3{QWcm*+m2<Z<>WwBfRfw9)epk&mv
z*~gT;G^fpHZpQRuGMGFsyq&fJx>4oL=G)BrmIEA!17dKU>rrG&91CXy3V@+-vGMus
zOZtmSFA-q+m%<B8q^gx!V3-FZSET|D0=21EID!~Z&Ye4Ohi{>CSEyP|+Ho?jCnGO&
zn<1<rHknM~Es8Wvd?5Tq@@<yFT0v!ez1=AA#fuE%=8gd?T9DJ5+~p!8d?IsCP@14y
zL$4t<Op~IYM;iklLc?}iYkk%RIQ|rG@UA5rR~K;Hl!IL^AH+IJ8$`0zVoZ5@Dh_&1
zE8x<kC;~u~Q7vqbhmxiS1*%Jzi5s=2b?D?mo#0&u0$+lZ1<`UUO}Ja+KWH+7dP7=J
zYlF*uN-FeF{g03*M#>~4rjMwTmiM-pQgak2BC{mmavZBg#i_HvP-e>O%L0Z%*#R&i
z3MNr57N`)VxGJgLC`ssmRYNF%RV#~(x-{2WxEx)nr;Xew!3k+UiWCq|4b~INRg+eC
zio&!Z$Su)VWf`K`1!Y!uDCMnYvPo1!gfDm6oIt0pSn>w5j^P4>6nRlCdG(z(+oTDC
zfF2xA@Wz6&w<=_YK=!i-+a;N-sX;@ToW`uFuEb4-;v><gNc=*wFELc{<V@RQy{Fe#
zL%~{E?BV`gHJCgBfSs933~qwE$2Fz-%W9G`wmD`aj+Lx3&e20Ml<1);6{5mPa1Xef
zN=E%CU9$Te;IM53o@?Le^yHc-72)mqrRAOhWP&IBd+vm8x$Ga_WI@)~ts`xPg$zQ!
z$cpD{C?X600lFA7@;~AmGuR}90PVblWPu!G+Zv5!Od9{r3Rp1zWr@JXC>c<=tBR#E
z)m+J_)-GOomh8p(vGir0IG8K2vOMAJ6LlqsWAQ!ikyim6uCGb;G+NoyqY*DRxYroC
z*Td9e0$EX&Sl`AnE3^Dl1|U{g!2IvJdXGX1Nk<rhEcu~PxJVOq0v}H~mctx>li{fI
z1u-U)U#L)G#}vr~<P!wIWuaaU21axQ;mnX=k!DBu@|O%vKofa_ZLq<q3#{OQ$t$3H
z2Y_y~j%DmZ2{O|-DBRgr&RLM34SA3$)HrI)h8WtwGHa2ZI1)_A8!;n4&wbjXESimF
zgjlmA*O8eHxh%@c%pSGmX`cn3OkDc@fd!$<bI?Q}9ELX@?4AZCSk2QpyS3=Nkte7m
z{#PP)z$uV=o6X@4;oS;5MH}wO^_`%h=Q<KO0O_I){wbUgb4*3MMjkcW6hTq4=}97O
zpu{pFh{512%2d|vjn0pJ$BKkPFhM2;CLdN5!wRxb&&*%r7`flTv~4qx*rN|I&x#?)
z<*SS$m`U~ZkcgzLLxrG2=`1izfo0nDO22rvE^(296}#-=`bs`8@d2z~p{OxLNSoZT
zt}=V`(wOPXiu^Xv!^1+n$&0>~)<_uRCvJ_D-|KY-2G$*qw=I_hjd@skq9US__Y0QK
zmhlH7Uyr4Aj;a{Y_B@W;1VER}z@^4;VaZ;<L@PN=&SCwRI>2i=2#nzb;+ew2y%dJu
z$!Jb+$P8x#WHNM3tveM)4K@82k_ZrcfKZ^66fR$g8#yNn8~@EWux_4<OAVne6@Zom
z(G*F$5^k7IMA1P9kf+0e6K!~Ca9MXj{PMS=IBCNhp1$Dz#h<_++x!4*A<yKDF)&3W
z+z`-APxEeTASqV6f7Kw$stxW3=fqeBWw5kD@Ec&wZKRI31N(!B4AjbUJ?Y2)dgGRV
zqFrJ>J;9;Z@N&dWPMN``(hy?VOROJVQ!;M7^JUU$GfOzEi_R3=uq$LOFAr=c26c5I
z7Lw9PYIj^ZXO1Rz1O880WeF@GTMSSq28xegLoSat4+}sE^A36YIWIOsKot^(gY@p+
zt9}co7YmWbGe=~B&NahD2HFr?<6uN(bqk3_$I9nr#{+IOj}aXqLE3-@z;j1t;H)c<
ziD)BFCp@oHd-sx{IlUq4OVbqvvAA)^F#t)LUdCGE|H*WQ<S$d%f=go2NgV>hN#x#P
z5lx&mLtQsQW{3AEdR2AQoQ>i=)YMikDX?W>KF7b)J$x8bF=!A1dP_7HV=ZKi{|lso
z&CEs6)&RfEXOCST-l0!)qgOE-sXYQ|auo3&sMg5+l93FE6KdM0o#i!R^bs+>FuNg`
z_}Mez%(!D7lRuUQI8SbbOl6?-ny%tdbe-PMZC-RsiJ-=$ify>Tr}z?N=(|b)Jx5G7
zTZA-fJ-tW>NWhHiTEk)x;Q%=Zz;fz$gBN$RAb=boWr`lNUmxJMbsGJ8mF|-)7JTF|
zSK(FR>;M|tXVf4NfV?AExWgkie@VK@heSn>5>G$Bk%@*j^G2#`M?^nACs{05(a+-s
zLN@g6zl%BkV8L*Jt*GgTOm3KWAmBQd;wLfN4ZbO^48adZJh^fI>ju7zB(rWo9VqG{
zzHQk<Dhk73X-Lwv6kK!LDoY`2y%p*sD8kE&KjMU+3=p5dK-9O)tW|ZE0n$veZA#6S
z#j>&5mq)laj&$iCcVc}v!nvG=$ybJpIo^B;0Fk){_w2RW+cHteL5g3g5`FbUfS?>y
zDr(6EUmC3<DrJIqU+)>Q#%9hcMw6WYpVx<EDe(iK3E|%g>S-XTPM$XyA)W2mk1*Gj
zxW|<ydB<hw8q<~nVh+eQb|1xU!bN70E3C*}iwA4R9|JwYzO%4Os8RC3w&khOaYHfA
z#zE{a1@0sfi*;{;_$)g5irUyVKBj3UOe|vZv&NE_ber~JP9%5X_rb(sYwL<7(qR|4
zG$Uqc#l?}6u^t#`qP>^Ti>IdXlOZ+G8MC7+8<_XdR~dTs!zbmLSGTm&GwZIl85t*o
zAYKXgXrfMh8f3jdKzQw=wL6Z|L$xzQ;aoauwu_Jz3{feKjkX1d3fBRVD#|#vvP?g>
z9n%b&FYJAZCAFMATT|kU#O3f-h8oEBHRn(L%?SGp{-^?gyd<S%EjSYVE+JH7tR)E@
zO_ooH=UF94Pp8AVAu!M8iM3%~m{qY`NUTx^5D`D{HM~&Z#YjL9074-uh0;R{z7^lb
z>lPko4cJ9-Bu{p;O7vtLMuqz-cmPRc`Z?Lf0Q77jTq*;NR4$2v3+Gy!{pwez*lq#<
zEcs<A#a_3}_>E>|P@0DQgDzQ-8htYV*zpp+ZnXohsTxDk)GECDoaHNq9;~z8)m-zl
z0Wgbhy1dGkZjWttl8j5BSA6rl>&xBhQC@8}`cOvP9dP3=>u4;Eql1nY5LhO%k?NdU
zeWm_{-E>xttlx^w%s+hNs4Q9t3NZa6#pQD4V~`vTM+8s|33U5QSm34KcjUzw{!|JR
zELSayRNrsXA=219Aw|>}CNbJ8ItP#qNP_lR;8p!&X%%ZBn}!r79Z)?j7lmQ^u}VF0
zl!4fQ?5Q=sk&A|U0!5M@6#&d1Pq<*9eu3k_S84$X^Ppv4Hm(jto#$pAA}V{wk(h{t
zc%d$pvHHmgNwi5_6LvR_Xhu@0+aWbv<V7$DANSWx^)EJVzEJ_Hd@};EnZWUxz~{up
zj{e&&!}#Xpa?O51HqDnf%n>Eb=rBZ%|0MD%8=kJB5ul$1Nkc2xYM~H9QB|In;KH@-
zRJxlnFu#L9&4e-|inR>S6j_Po6zny&8V#s{SkK__Xf(?iWzQ_)OGXNtmq1@VbW`{y
z<X(9?6^yLCA;Ls0RE+GY5hQ6ju!Qq^e6$)$Im7W0&eCVAB4k23muEO51|4}8*s&aX
z#z1KbO+BUtCB(5r>Q=<<yQg%ajG_)KE6Nz;-@L|C3{liL#}UyN5Ru~)365MuhMMj`
z$HfYGzRl{MCA~$VY-SrWi;VgJA~<n|NZ3K<COMEp1T1mlwI5d_D$dK{Y%Me{HcVzx
zoKZNea|&Ac0fah}BLR$1zZyB-TPaKB>K?J<96CjC=!oM6><D&e1r}!x<IHg2Wzfno
z&V;K-IDN1Rud!;m5z%9<lzv$V9G?h++;9Y8FXqw9f_I8rAgaRJB%Z3<iPKESsLEKy
z>(XI6<n43hK`=UF(^2vWL$XJL)o`p_0=Q%-=%GQeVU_rPcB9zWVd&#W5f=+?P}wE2
zL4%Q_lB+Q^DI!*9O-*IZ`Z1XUt#r8MniQc7(I3fBR0d&)DkNOi4ED_f?sy9YF~<T_
z$AK%sLm1Pa>N#qXbl)?3erC9krOS-K$fBVzJ1)Me5={MLaWE{xzQEk^>Z=*h!2y9h
zq?Q2mIujS-fpK1fNYSGp@>XF=hNBTgqh)fbpCQ#Pwz#Baw_-p_hDG+YnW4GE;r@mU
zaI^qgF@hM>)}kTsAo(y_V>pU{`enl%G&KrOApT-h$`df{1&*=QDAi4ch2E?*&rQHK
zV@X9(j4ECW5SJD;kOel!DN876z2_9*hM{gF=&0*cMe5L47-;Sn3k8|i<PX4I*!6zk
z3>8P7-PYlVz?!v&qZTJ&hf6C5DjQ>RA~6LP?W7BVu*E4dNbBJvf?SL+v)4o2-DK?w
z&0;EJ&N9JeCw7HW3I&@rYTvxAMkR3Sc%reqmzM&NJDEDNwQbhd!%ReOBkPL&&R7dx
zGw#JkU4r;mY?@QTvyE42ZSXK(u!dM$d^<#>(3vp2yBs3(VzZ0lG{w^1r3DTQ(lgXA
zTWsky=|RB1&@UO3AeAmp$Hb3$*(y_<m8oXq&N_)N#;L|GL^V+G;O=USdESzN60A>_
zaTLF$UK=HBA+&^YECk2SRhA>PyIQzGrdNn@M2Ep?{UC6Vs!;qYd-NyxxX9tQFg-c|
zsal|Y)$G_CNZlR>kEtU#{v468J9<k$<v&alc$nk7dBqSgQml3fGx}?9@zrcNeOUIn
zEwYt2vDp+sq{`rY-ux^ShX+QeTVyOj&LfaWG)G*^km@=Mqm&<xN-ZqN1X>zav`sW$
z%|=OV9x|zCJw67mkA^xH=w(R+U#_LW;g-HD(LU8K=DfjWH_i56%ACg)RAL)Bezfuw
zoI!e<GxXeA7fr1*Ju`ZF4(PM>_{4tuz5Wy86V^F)G{g-Dz!aIyC>ufiYpK%Ne)hkn
z(Vv}5n3n=tB)OfNTW1yq@ifZoV&&&>A`P;9sP;2gmshVf*Ou4P5SV0YDoenS%KmDX
zwyAeuo(G}jzzZ1T7%zUto*?phOm7$ouum*yAR!h71no7gi)Mg%RKXhVDq4=VStcf)
zt*qc)YSPHe>`C*UguA2~?Rk+e2j4*$D~3e}1qt7MS-z56F<W;E8A;j^w!lsYlJ*--
zYhtOHSDh4A$u|pejZ)Q3ilkM+N||74sBS7^u;cK_=5EP0z{KD!wP~bw1*ZmB<Fp}1
z1P7!G>f|Y?)rzX-xi!`Vgd&Prus2nO_E@9W3c-d5?kQ5N2^a{+tdezJ7Od`!?)DTC
z^+J+D%%9&QSBv)xs?IgULcCVt-7egCaNW}F*tVKs?kic^R)m~eEb+NkhU_%CA}Ff4
zSkmT}t!JgHcgrI7Rh`a69>#OS2)4(Vq&WxF(M<){vG~&3O=x&>?`+ti0ifnAh+s4v
z&7&dXnLY+C*t#(l-uQ{^i8Tb}xT#COA}G{cBXnzrWG0AC46*z)o%vtC-$MLpgkoNB
zxgq4DJ1D%Fuw()NnXrQfj_Z$nwXJ}%y)+XT3hkq_5XBX1t!aoEr&}$n+ZwthM#Hg%
zjgzzYE!t_}8sz9)avTsLwNofdKhHBc)v*J%a_*S+Acf2>k&rMW@ILP&rx6&P#9p0^
zVelgTM(39n2-rg|e&$BhZuQyeCD(5OG|AAnV)$}Lrf!{sk}Kh+`Ou0B>tl9fXN}F&
zkCQ-1`<o&-&fx9B=WSgkn!_;W-<V}Y?lI6A<PWrVrv7~VIok>AFxXC8D@#SI1XW2A
z#!h7OTL6*=kQ}0mGDyVHP1fTgk|NQq${ct{if&{8W?1;birET>EC|jAFilgHt_Jj7
z5;c<9h0@syV*o-a4?zH+|3Q4%rTc+8?g?P7x&u&QYbew8X7j4Z?E#pS<1A5LW|3aU
z&xbJyUBiQn3YYFWi>bB++B>TBytpb$#J-&iJ6k{$FlSu0K~h-i7)*4|aveXCWXQd2
zwx#Te`FkhJ_MTi~48ld`4fP{3KQqud_@K}`jgcVRUqa8)Xc&PKRT4EEn9`gSX4;Vs
z!_s6FP+pN)4_Gu{kxwNAu%2AK;&sN$DEf|t8ou|Q%^151%C8f4rwLMw2wGHYkER2E
z=Dz$9U{y=g2SGwT*qTzI_;lD1>zV#}2~4ay>x8BT{K$;WZ;-Yvt>aF}Snh&igNdQ6
z%nSn6Z*PXr+3duTv?duCij&iaZ49Qsxcd>@g>VXVsRyH?M-#wnJgrzUh?rqLlg;@0
zN|=x{No?JjKX&zRuPYF1`S+z0((m57b2*8_)Je;Up8@!SnA-Z@02)G7y||w(MfPNS
z5+uHG&2HAtp@&7Z0fj#*a337wAbNNTUwbG388c#xLYyZWLTr5cR|2lH#4DXeGU~*}
zY74$;)n)0Y$Sm|Li7oeFnWH)9+W84Fb~Jq~$X8cVwl9RhSaZQ(e$0Y(*edEyB~iLX
z(pLCpJ`V)!5HoA$1u;kRLYLs8W_~7`K78RnLv^D($CUXJ7KaTvMvP;Uu*hTeYAF+t
z?~bq{?W*kGSOqL{&NXE0u060JO+F%tLkm*U%!X4DE%))AU3E^hb$5;1lxMIAAEIh6
zKxxGS(U-)KZiW(3D;g6NhKMUHz1uun5u_}pVrMutF${&tMI9s#I_Pwx8C|v_#-Py8
z0g?H!Zd4M0qz>vP$J0=BLe1ej#$u`_VD=LDC4)%(x8w_>&NLYmn4tFB<lcx{H?2d1
z{<RJYXAwI~{;enq3KeLPA>V|cTE?A<U|egG!vxf0!ISaHA#8U&nY8Vg#`<v*owtjh
ziX6zr;ltL>U9AcM0S32IfPlc(Vaxcu`Mu=d0V(PGBc*6PTGxcI@-*_(xgsEr@OyaW
zJT-UtyX?|)XueD3B*0ZMpSzQiGD>JVGPfmAQ7|g1b(sVO=pZ`kPKwgm)R}?vf*xSq
zjpJn;s!LSg*92Fk1Vb6Q;u+JL1<jtLYA2R(i2-$`ShnCAV%kr07ShHos{-=%5ip^6
z%`+AAU!b;Ob}Vg$fs`FlHMCSJB#8oUTV~<CrLH)XMuj8Rmy3&lO2@)4hln7SSg`ck
z-TnX`g^4_k+U_h`a9WLdoAzsVI@$QKszR5R1dJr_xJSz{l?aJ|wKLqfU_VKop$$n9
zi&~%WhAr@hpuNL&(50KDrZb^ub70!92tPY*2BF}D{8xK%vjPgHGYp@)cdt?K!)&+c
zrWgYYiKdfha0O0t*Z=?}N<H}U0Qp{EX6lVOt8PIXYov8Cy9>(M7a-F^p6D|uP6r0*
zMTfnF05CZc25Cfz5x534z{1*Zt7fYH7EWkN4A2)Z7jRPVtF>qlAeAT!WZpIh7R)Eq
z&<!RSz$uF(YESBT!o4<7mEqD|;3z*$rrPvAcDfe_q_C4bs*{{9S`^iJ$sE#6As;-Z
z<VbU40mV#6+{&?Oms{2KQ(;!{jD_j+5Ci2VJB*T(Z9vJGiVGL3QQaR;LS+@n8BIdd
z#7<K@joTizwLR#&Frxra7bFbsn)T?AlDVi}a}-+aQ;-Bc1;Zr>KipVB2sGuO{FY$a
zB!|ocuRmG^1Sbl<q~x#NMc5PVPe5MC4&>Eh`ct2V(_?bzVhCxVVGPdl^ziv6bg3}<
zCM4AA!i|_Mkn)ru)vx8B3AhLAw!Hc}|25Yv<K2=FUIU@=3v#ngjdwgk3G`y)EJ>XF
zFAnTP%_f2*rPQgQAt2>)x;brp{~%WtaPp!Ulu5lcfV1W&`eAD(+J8f|<^(;Q=I*Ap
zVP3W>Bk1Zn9v3tjW0C~2W((3uYujQ34W@AL!L;#ApOA-OnsDbzm<<s;qssq!&N6E^
z>o$Xv*Aau#(fFcpCss}=j86!H7?zd&`B8Tg%%5gCTS74G_2ZKrLu)VN0kM(Y{bV-m
z*}5)M^%)m1qCnQ@L_&3`=C2>fk8;WwDv*6*7Nc<h1y^7+!s&hl;*=Z^;Jg=LCSX8S
zyP1jvwzf|9Ob@7tmIqs-NoMf=Wk*OCz&2mo6IM<WRg}Rzs;2!D44-!_gj&@cuoR04
z)eRzf15!`(l*^ELGbT;AG-Q=>liu)yzDt)`nD~qA%|fUt;#WL==qqDuCM6u4PM}U8
zj-V@mBw@!E^{hb24^JU=;cV!Fi07Pk03mt%POjD`Ok7k}l`HZgT1&i7%GUr912D+u
zy1Y2R-h#Mi2^WUPW?(;Uh|G3<#ckJNC_++gY5g>`8&iw7O$Vu{mmLK_u!zy=SlQ0S
zG|&b-=Bn<4S_q?RX<7(?5v}+|hAWPBoqMdapg>|)#mU@&Ney?(O$t#;*c12!22VSa
z8}*q|Hsyez+u~p_b*3q}`J;t7#~k^+&!yvQSn^G(8V-jQhY9UcCwd7Ug<+@~ZeHqi
z;AKVCz5^VhYShmYH0!JN9z+O`ehHn}4G@h?J6}gdP;vw<*oSWS4C14hWP@*`JGKB$
zQNrF`C*Y7HhG5B9ip^P6nwnE-5oy+Cab69sx*<@wV0h%_<`z<tE`}E_O;My$BCvv>
zrXDe9G9C(Qh`=JJ2Uyx&tKq3?X^kslQsjoM)gH1bL_CBJEq-Fr#I}P{p4~8&HxCH9
z?(8Yqyg+y>m=!|=W{w>o1Of?B64fCHAj&5bk@>tUI=SAPj<vIDj9nOPOkWLVLLMTG
zbj0ef9vPc`dv7qo*SB3egI+{Muy45WtcwOSAPXAt0Wu+qQ*MRwpvnyw$Xgw3%9>Vn
z6_1W3`9{0u^Gr(EvjSm54!Q^fVJry>E#RD=SX`fCbqK%~xPtU!I=GxIf$~<473u}j
z99SFp4g5QtU1eVs^@4%LtT~-bBD&tQt5Mcs8oQi4nkXCV2Vduxe}W;{$=6@tsgkp+
zi9qL&qjHo0`3A459hkVw?mOPs2+Piv3+Ezv^y|vnL8QRisCKHFQzisU$^QUi0gE!;
zJm^syt<f5gGzzKjoOiQ>M7)N(tBH#<DIR3uSQ>Rd2|R^xOWM~tnw^>+d&`A8a=kD0
znJ%mL^_CWuuTzrOIv52zg3FIGvhPqJ0VC0!R9eJY8AK9u^RE*nm~En~@KapB;u*|#
z@ML2bjA0qscI*xDY)=>nhApnw_3*n`Tedlk&c)7|ZjXI5uSL=kt4xr@`5jeofKQ7y
zCC{Wmwc=rn?*WmlJ1^VU3WrJ+YUHV-ck(x4_Qr%Xol9zbU3lf-zP_40He69eo7-A>
zO7n5r`n1X-T6Mx<H7}WDLF6^Ve@9ti9#d8-qUfAs*vfQKRH(`bT!0P%J05*JWUM<c
z(4jyLjl3<#g`oKL7!cETeydS~1_9(G8X&lqc9zy0F9|5)vC~*?j)FM<Np!5YdM65Y
zrtK1Sa;|LBbpErC8Dno<=+7OZyd_AMY<AR&Zk(?OFrrLLDEFLX<~dYAI^}120AERZ
z1ej<O1VFmQ|9pC=<6FSW&kiXj8oG384n>2ff*Iy34v}b-*%Cj<DJ#KIRbE(L<q6_~
zsu7SOBy|A+9!hddsa0+S1r%1_T?8H&sv#yx>m)ud2{~*I53DxWjf1N?4BdxZ;+AW`
zxZs&9Crngaa3VC8xV)B=u5rtNQ-avHAF9xEebPA+b~CxlE;fH)m4_0H`D@tY6(4k$
zhwCS!OObIv*jA~_lWD1?x#dWw4_{uv6_(_|%}}NB!6k67s@7i$b}3{lfX#I*f6r$T
zub}N7($JG@B}i{|)G38yGaZ8|SOo50Jc1$5jFF%qfpitcBj`fWf&ri1i)SqSSQHeU
zfx2TA@VSbvZ!$OW1TQL)5afKgJaA#tbsS?v#Scz@cj+TrhZfIKRok+7(&($<nYrh!
UQv~2A6>x?aywoW;i-S-hBoVP3EC2ui

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.otf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.otf
new file mode 100644
index 0000000000000000000000000000000000000000..fffdbafeb73c497ea3d84107162ba05e829c59ef
GIT binary patch
literal 232680
zcmdSCcVHFO);_$aWKMeTWzHla1X4~;OG3bwb^t|!gl>UD5+IUB3Qa-mT@maRd+!Am
z3pUg%Dt56V)q=e@@;z&>IVbVH_x`@`_x|^x&pc~p_Uyg(TD$L=oTh2hnnb)<BQ!Cu
zuC}?c%{=x=q4k|5gb36J0#?bB{?S4->=w#vr47v!$L~>3nTh+`gviPq-_RI1`O7m_
z3e~en2<_SNQ<|DPx^MeHs7uZgiYmr8Pp>=mj|)qMT3IH<L35g#E4;_u_WlV%C{qys
zyq3;j&v^&!uM{G_RfwwN7PSRiquyM32JY<#sutlw^vQ8E5Pk&CM=a{>U!HON{`-ZR
zk|=~Zt24N~$8jk|rA)xV=n8hWWuJHDZ#chCh}ipky8HSE9~EBc|2*znLcvjuFc06k
z>e;yo2mLHG?Q>iaZ$@W+6XFA74!j=OrG1QZO{jDg|L~ml{(*0Wh`b#4$3%9?nE0MN
zIxZDrilC#=)LeCzh(JQ;fQ2}MSvgL4m65m_V`!SLsj5CtsJ|is(n<cSZK!L4U=0qc
z-wYa*qLKuaucMpFSL(%d4>}1kO4%EJs)ud@bj%bzwyX+=fCuDtO%#g@ZCM`{CPIu6
zkJ#4@kuJWmWrvuj=(ZdwvXxd_juNrTYFmyGS;{%K9H*>RZnWiik*)b`IZ-5NN7{0d
zh}4c@8A`=!cASbLqBUD*6qgunr5#3te7Y^`B1&6}d@Fhs^0Py`!j=``)>qiFD&qCq
zZCMkO^^LZy4+|3^dLkn1>xL+c7_eoB*c@@aEk_E!5wztfk!f6F%Q3=h+-=Konq_=y
z%kjb=HE7F;!i@IWa*{}lK8j`JH#6Ff6ZuVzwsl5+)1%L~!)TCiv}Ii+M?Y5I-Ls;%
zec_^h%j@>I%joEpN556u+C9I`YF^RT-`3e@P3&sv?(OOB4feOSTB8>A_xFsgs93ga
znJY-aTrJ(56{E|nW$pcotf_5%ZM{noEYRK6Z%syBvEFX(9_Vdpd&k9WH3z%;tSP<S
zR&!ft`~2>X)~Rg^2ReeiUYFbJ9!CXq9EYTU2v;5ohkH$RjWgPM``Wv^EDk=UnS^nR
zy8BzYyOvrWm)kX_YFuY<aa(u)0#`@-e6Oq0Rps-$tNwGGwodJRR?zD24Ysy*274D<
z-3$It7HIFX`WLlX)4STq9?ktQ3m)%kt?2Hxx^bu1YUv*6>hEoD>vR2gLrw_}bXW~8
zYXXA)N0aui=xLj_2%1S#Hg_-RUl#0bvv8rKy``<I4`~l{wIVfArg`EdtEs20ivv&M
z0A*IlSRR+hWy#3wXDOQC(qMZ>aDGP{yDn%2YLBvl{bMa#oxYad_MZMeS6_RFtGjn$
zMN?ps9m)UDsI|Qh`JF#N27zyaUDn&R&DO-`cPupb6PwGdnG>f?XqrCFnprz_YVG7{
z6C0bYrm0qa)8vMU(<U}e##z9sojlt*V&de6GOG<m2^ni!-qYLG*Jr`5?VUXx?QN|t
z6q>gGo?&YNf|5D<dfHmr7qqun9l@@J1HpxDWmZpHZ)bZS6&>j;7_qY*u9N2ryO*~0
zcC~jcv{s<3S_6G;R0R6}hw)wi-7^1HxI<;Oxg*%O2u4}i*4y2T0w$|lM{P$x(nGni
zf<xlM=C<DU1qeG))QfI3vnxceXcr5`BGE4_bTDq=0m{O%cbM$Q)mqVt=jMwx$jx}V
z56`uUPOv2=iZ0QDyS<2)jzM{^6?aC-`1^5vtf;_$%jAD9gb2mvl23Nx-e{TPGHBJ0
zrz|lQ@%I6}VkwRkTL7_lNqr|HhE80ytW0RrEd~&(MYLI2!ZrLH&om=sm(+3!!gR|k
zq<1^=(k(g=FQu~(F?1kgFD&7L9mpQzkmm+bCz>D)OCua3$5)Q?f5ykpHQ~udF$4E{
zk$St-oa{Ul`xHDGx-t$q?nchYie1RB1#eJD7rMAAq~8hM79%bSvjA5+r2Z6JB~T@N
z!jI5Z|5thr&y$7t$df^!9~zT?C|6{W#kkguRR6bSpdC4)SQjBiOH9WZd6+%g42eq%
zr{0BhE09{ROp~7>nd~xvCrP(<Jlls{|8Gj<6r@I;w%}P8juY%ysTTZyE2aG?`#sQL
z8uG(78!DA#(FKTSnY0__mP3%YP&%PMm1io+lozrv<t=2HX4IoeIB$~ilg)-=p7f6x
zsFwbF$)fT?u!d>&&vZlD1W~?%h>yzqd>l#7p;|{JAOPDQ1t!mo1^?4JeaH)Wp$B)#
z4^+B4z~r@s@Lm(1pY(5<4CUm%*{Bt<P@6(A&xd_NC4}k&X@Vo_dabN86Gby>x`i4>
z=Qxus$4p4m;L#?Ov1zzF6L+WLzgjUF=MzyIslGMgiiI|?30E8B6BDJ(_X4;_;b()7
zz+DPM)^3AVL#44zEJyBpakUTsQSBf<wxhoEz!FqGTV?*KWgzSR-+S0XIpSDD&-Teu
z(Sq0)04<1>{MRL0t{{$WQco(Gy|Q&9&A8PWs#)|5X-Rn@-wxehh}5W+?L~}KUl$_&
z6}U$2DwS3$x1m;mH2Qxl`L6#}nfYgn^zSYAzqhl^(gJ-*iR;u#sed=T%q`eZ@74jI
zcHk=KkJ}q6Q~&AeLOf65$j%(^L^%ne`4GmpLZx|}E=1x7Ji3S3F|wD}H4!bZ8w%!c
zB1-&fhX~DYIG+E0RP>elN&3^qEymOOA^K|lGW~M>dgE<<seX<=pkJdOsvoA;>UDa(
z-k>+?0e!qaL0_gXH$E`78z1T?>Q7>}r$M&}VPN(Y2@Rq}jEEI+m>nmGM3E$tMT$rj
zX_zZzU>=nvvPF)5g?^oWrSYkLu_IRGiacQoCtRH`3Phn8A&SIE%)UmUb1o63$ZI(Y
zb_Kc`54tkybSm|$^lSC2jn9y+vEpDf8%K-F#0K%Y_+9)a{t$nOKgFPuqU0&Lim6!2
zLCQGgVC7KdXl1?<R9ciarBzv{T%@d5F41o=ZZhsPZq;wn*XuVcXX}sZkLZs%;vDJ5
z4m2ot8@r89jE{_ujoXYp#$MwqW53#M>@$ut=BYE3c%@fgrJrEzGCnu%GIknY=x6C?
z>nj`=pi`_7*NJ<SKK(rXeEk&tRDF$pvhkinQ|=XC7*7~?=x69>IxcoxqTi^m(@)b+
zH#VcwJw{ZE<HQ`XQk)=Gp(<P>u0;;77F)%u;uU4QBi@nb$Z%vjavWKXTt~Je&ygVX
z_($OC9ViSAu>)2*Ow1Fj#na*q@u~P;S*@&5E<`@BSMF1uRX$R7Df^VKl%JK~mA};-
zwOXxLk5Xr;$Eb_c<JB&8sd|FCT0Ko&r(U97p<bh2r{196r#`4YraqxQtv;h}Ro_rQ
zQFm#vT7s6MSz3u!rg=2KcCc2bHEKa^KwGJ;*3Qw+)7EO&Yj<k*Y0qk}X>VxnXzyv;
zwGXwAwa;{i9;+wl>3X(ap;zf+^_luH`dqyQWo<pYdZT`){-C~5-=sgQzoBo}cj;f~
z-|9c+)#pvjJ2G!d-qgHVc}M46owp%xlj$%M%nUQ%EHX>Yappv`*=#Yp&C|^b&CASd
z&EK7hGs>CdOmk*A^PKt4(N2%E##!rZbWU_0={(9g(>dFDwDVYJ(An-><viJWrt>1_
zWzOrJw>lqkKJR?X`JwYu=eN$EoChq2m2PEQrd42#wA_}@s<g&hhguERL~Dt)!aB)1
z+q%HI*t*`j$-33L-MY)V$9lke*m~T0GCw6hBj3s|$RC;S%AcA)C;zzov-8&%s0Btr
zLP2stT0wS!Sx{Oqp<rG?TcNXPL(zjp8;hPSdZuVg(Z7nej!YVPd~r(g)Z%@vBG<S-
z^#g;0gD4Fa>On1<kqu(AcoQD~L3((dvO&2Q9)4BXsq9t0RDM!^Q~pvjrH7}eQ`On(
zaqw`5+N~~ESE*~%v($^#%hjvl;p^ey2h@$~CiN+Jc#FDCeP7+733xb3%hU?tVHZ4H
zV|%z?diXSW_yX-B?MCe`?SAb!ZQDOQEc8e{PEXV`^c>x-SL@^SS^Ba1e7#p+t6!>b
z(C^UiK^=Qs->ko`zpd}o_v+v1KfuG|;o&BDct+U6h8b(7o0d7kEHS<2A?8$bmf2yh
zF)uLJ!NVJz!l^o=oypEjXSUOF7C1|sUgub6opXZoaOV`~RNKRIo%5Z?JJ&c*ah~N|
z=e*o`gY!1$BhD?(cby+QcQ}7={sIptTbWj_Wx>N0mKPqbu?~WV$6GyCzqQI*W1Vk%
z_!fBhPI&l!>mln=>EZOSho|H>=N}CZueCj#1P^D0J=|KD3lBd~^hnVYMVsN_m*L?=
z+rxWZ1+KAw3fseQ^6-Cy7Y#13&kq@Xo#esO55(fwIoOS37yj!8ItM!j+Xu0-h--%o
z9;>}cl76H<NqbwLplzWuoL2xYf?lqd>cx7YUZ6V$e;WL8aGwwdwgLBWNJzIIxMlF{
z!LtU>96V$2)WN$3?;gB&aQWcM!4n4`7<_2(k-?3FkA=eiH~wOb5MTI#YM}D-&pzMr
z`S$-7magv{Da0;lg5%y@C+u3a>m!os->&Vu+IKD9^~SEZb_I9M-xaj4KDp~@+}i|f
z<SRqReP@N_-OWPmeRJ;{yN?7fr>lF=dhU5>&;5HN_r~sx-W#<y5_e+us(aC(?m4jM
z1H^abuFLj3zh^Vfm+a}?bNHUQyLa#2wHqs)yKe)w?0#bRmAlvMUjEtI&ze7L{H*@7
zLq9wCGg$VssXM;iarvj;e0tMI|9W@ryVIl&3R>y|s)-i&QuS^17cEi4Dl5DYK(Bf@
z_;7uZe!SkHcj-N-Fa7e~QhAgzNuhuGa(yMs=&NO3?6Y3<;-?|5D}k#+p@*}6Dei0l
zZqOe<Jq%lRc$j~e_1E-m`n&o^sIB`^Uw_m8(Eo}M5qd;?L}EmGM5YiD*<gVG(e(&3
z!ip$}7!fftVob#3h$#^ZB03_LMnK<)HCTFf8{sl-G#FEjc}7?0=@1(oMvt+Y&WsHJ
zR;Z25#{0%k=nXT`3yyUl2FE1FG{-E*F_4a<kl;BaJLcmE4FBht#b*xb5kArt$K>Im
zaNfZ9=he`e10Me8KZoTQg)9HR9#1(gz-R`eA>(G_Hnh|?Inwn<jN|mPj9vP<`lF5v
zjFmnyMj4|WamF6~W__I_*C;mT>1P|y7|$Bd>8mjAsm3^_MvlrRVO%x`BeP>LrdeT+
zX@0~w?P@u$xlU{_-W7L?SLEpCb+J$Uq@0b>+wT~^{fQCWAVyay7{BGo5!^V8;b;W+
z7{+ixjN)1_f@?G0Q+hFqTSwzK<!<G1jIG9rzr{h~fH*>l6H}E`(X6D2=}Lx}rlgA*
zN~V~t<cPUSKGy0BL{KRd$17#xSj8zil?u_NxJ9?(5j~1m3@BA%xiVIqs2n0zD~E~G
zlz=!@X%HtV<HfJalj3w`f;dB&s7w-PD@TfRl_}yJWwJO=X%cIdY2spKmbhFwMqH}Q
zQRazXluhD#Wr4U;=@B<53u#m+9#KvZk0~dLjmj$Vq;iUQN;y?*R!$dBE2oJq%DLhN
z>=XP;Su0*sE*9IAOT`<?W#Ucca`BdOh4@gpUhG!x5T7geh%dx9%0uEi<q`3%^009i
zrW^Mv{o*6#25|@)ur*4pxKUXo-d3&@?<iM^ca^Kfd&)K9edSs)SxFR26rXrlSt&Xc
zm$*ckEsj(Y#52kn;zi{=<tb&0vK8Zr*Ob?lZOR+Uo61|t+sZr2d#a+msJyFeH%>Fo
zGcGdLI~?|iG!LWGY~ym{3gZmpd}E!%=_qg%If@;l9i@(PhsWV_R6431HI8wP!yI*v
z21k=)isLB9RMgxVsJpYZ<FyWTrnUg%(b?)8^;mVTdb&CV<I|~XvpP+kuFg=8#wg}Q
zj9*r(C#h$s^VFa^Uu{ua)i!m3x)5X7c8qZrW0cd0v23^6gR#yMwO8#^`_%!AZI@x(
zbE<l>dWw3Q_Oza*ZPv53XY?HHSv^;KPS4Yx*G=t3JzslCFVJ4mi?rADQQGVJXl<Kb
zqP?M)YH#Xg+FN=#dQlg~JMUur>eaUEKJ5eDuYIUjY9HxU+Q)je_K7}5`&6&dcIaa<
z-W_M0Xsk9)GEO(nG|n+DFfJ5Rlw>he$r7`aY_V7=7rlyKELEz-GNneGsT?lOQjQSk
zD@Tb7l&RuErCD60Oc(2v8DhOMQ(U1OE3U+z*j370ahI}0Jc_-g$CZ=BCS{FyLOEGH
ztDGsGQ_d1EDd&rql?%j9<u<WPxn1m0?i62Qckg>;BSwsmDr1xj#i5EK4#R#*t)huK
z>|NC>5u!mcM5E#m0VPt5SE9rOC0a~WV#MJ}teCHi5G_iPXjMjvHl<iBP)3P`%4o4j
zDG}{TsW@4w6Q?Nk;wGhC+^ifgZc!GCTa^xRo6;$6SGvR<O1HRA84&j?OT`1qGV!3Y
zTs)+#5Zkd=_kprOe2o3DPn4U)r^?M@hjNSfOu1F;RqhgBDff&0$^+tS<w5l;b-((x
z`i=Un`ki_vMzQCr=c(tb7pNDiYt^6BpD}J#G*zRW!U**$IlkS15$+A@jp|LBLyOd6
zFn5X5;xW2SRBu*qQEyl8Q14XlQtwvp(K575^=Zs!yjrDJrB!QVFzOwvKC3>5QSpoF
zOX|z&ztmUMFVrv9U$6stKpoVgv}i3$%f={qgyz%y>Z|H&>gyOmzoEXVzNNmcP1Fuo
z-&Nnkh<dyFf%>8Pk@~SVU7MkPs_sxfQ+KMn)ZOYHb+7up`h#|;c93?M`lB{py$JKK
zv$6ZRRqNKev>uGOS7}FR6SPU1p*3S>b}43N*Q)Pm{n}D(IY#NpTB??Y`B=JoFUIn>
zs<&YtwoF@rk$XAD?iHF7GqqC9t!~EneiLSLk7*}pCu+UgOl_JrOB<)n#SHHu^?CIL
z^%Jd6TY^zK%~>zfZ_zPl#oUx;ucu?IaHGE7vCi16--<cfB^b%yhLQa3#z^B-^x_`l
zEaL&=4&!lSqw%PIu)fjQYP?~*iTUz7=&L_Bes*B%mgc*vrs|IMSRcT@B8*b#pXS8D
zvVmp`>i`mRd{Y1!&`$yvGIWgeuu33d+yX9Q7<3)uMuJY`ieiRNqX+7nu_Lcv1}<Uf
z*MmzL#@k@*wi9$3ag{UlbHLQs1Ns0M<7R?>4cHCTKt2>a78nP48TcTE@d5Z?hC!oU
z(g`p=1k*Esej@lV2G&vp=5_+TCYE-9qZ#@YV2o`D`gP!A88pH}-zs5z3ZBc*F9y$J
zV0}ekwkXj53aqpUtSm_ASAi*QK))8eiXlggt04o%XW$JCtZ4{A_5yT@;|7LtC-_E&
zaVz*HhH*34hJkUiAU^^61~7#KbP7xN07p9bc82~4_zs3a`J*%d{VecZ3}YAgZiap?
z_#TG-DEMB6BLj@_BEg`v?q?XEfFA%J#Pw0&hZv4H@WTva518}-bjk<KDgb>Qn9=|o
zWY5PK29>qP8OA*DCWd}C_zB=Cr1cE=X$HnhLTm<}2daP<Y#a>UVq+5cMH@$fUjqIG
zQ2BVp2H9sT@EWiJc-;oYzs<&v;5Tes27VKG7q}XDkAbn65bxU{yHa`m5TJBEvO#fw
zY-1mo>`3?tpz;S`42QQ3fZf1v0NIf+2<&Aj@nCu$P*T9317AWWdw#`GEbxBd8(bd;
z{+6K}3jU6vknO)`C`W^T0DeLEAoy2?LHQ#+0HqiFJMbsui@<*|luN*WGZf1E0fs{U
zB)tKQErkM+K=mAbrvyERK2(D0J^E4!iUWPB1QzuL`c?+Y82VTVYzheUwTx77Bm;}V
z0(~zd4IItD7K1=v%*X)8GO*DgFy3XPgJEB3;~C%t8=2rl1~wXml4K(XoXnv1gZv?p
z4<?-eYD+MVW)y%a4S?DejI9}kU`hiJ$AhzMl!3Du)NWz?&2WO@Z|U<+aGs3{u*txd
zfWX+C;Rag_Y!L{B^doox(h0z3g}|7e;RTOiU@Jjj+`^~=k7Qs&MPMAm7z;*QK%h1e
z;~K^x;1UM4i5TZF4g*u(0C5_)+(rQGVu(}0lpjI^KzRVfNnp~OFdiUX0V=Z?ku#nI
z`x)YNaHWk2V9Em^&Hz{2m<S$YV-mQAAy6MNk6|1Mrm_o&bHP+z2~&WB8R8r;<(V)U
zIFupI10QCi30%t%Yr%Cks2tWa#KmCBGhr6c$Pkx<$wq`@0LnigE(KHG2y+0+4`Ci~
zI78NLs!N1T0Ob>)J_)lh#sV<u4N#wf85yGoO!)+;@51<+u@F3!L463u+l)Ri<p-cX
z0Ap~*3E&wFYWp!JXHc1;d;-)@U^c~A1*ZG}f_!?kjZ?sse}MW1jO!UxW{zWs&EUB<
zs0_?wP#;2VoCKA<`3&kelolK0-&O|oElQgW@-Nv4puPn2Q3m;O5rg^?jNuvN$Kx5)
zpI}VSAb)i*sBgg-pK%$ui$VPi#{3NOdk;gr1zuv~3UDuj`WwuR8RXM`2K6PFH!$u1
zFJ(}_fq4Xje7Br|S+T&pLPGW*D<Kme0?2;=^&yylGswT>CxH4H%&8a;gV)$d0$<1w
zKZDmXFy|J^dIo0SLfOEeF$m`A47yI|0QIHxmZb!h!)F;PZYi%aXpE?k4+wPqb%t02
zCLa)L0kS(l<1dA5O&}kVeF5<{ID{)9zrzs3@7lNu{2qhG1j_q1t_E*s&=^7az{WLT
z@)JPg1%>iMxE9#Szy`KZcG*Y-?_~(``92#y@Rtl4b17fhAV2-Y5LCX%)&v*u8$(<I
z{@uoG@Lvo;ZNT3)5-^0$WQb?LSq!Xh2sN8QV=Fa>p_~V<W++d9>lxUl7wQy-@)Y<e
zhOz}b6_|zeP#;z3p&kSICGc?o)vK*w_=7+;R#A@#WMdV1Q@bF;u4*?xW%?8Fa^M8W
zu$hYTsIG<#JE`!!dK%>Y;IjZKf8T>I2FM<;fqJ<O6dLskhC+F~nn6BS;XeZTR=tj)
zd<?!Gpz?SCd>_L&1^fWRK-%hq41;X7kzrf}ew1OX2S3JeIKZ0#*wPURehPq{9MNF%
z2Vg*NmFx&RIpV=6*XkR%ekqu21UNFmq$}VcUy;24M;7=)h9eLB5yO!Nru+a7@-x{K
zFfIr0U>H|`KVukYfKhG<#`$2BTY>@mYAE6ahZC$Y90g#N;V1$l0KriV))|h`;0T7J
z6l^dY<zU!_;P8N97lH$IL5pHID#5T3!GZFq#V{N-;8=!Z92n)BK&#(c62oyAIGN$7
z1E(-(C0m0XH4EVb;6h*|WRz`<^af}hTpPu3%m7m!N^pG^xQsz->Kf{y2HhP;gZ&K0
zTrlZ(Fs{!7Q`&%|4cy3ZECdG`jz!>pU;rR_rHxMTY8&({%ACaU;L~k%fZ;QOIum@R
zjRoMdfOBx2bUu$kbyB;4p&kpqkfD;!YZ)rVeGzayo;?(NBXB!p)O+m?hD!OplR@=c
zy9>A%VNL|2z7SN>>we%F$Yh6S8C0jW=YW@SeF^wq40R3o6^42$cq{NK!ki3#jX`x@
z+XlRW>np(TFsO~t(56UGTH9>|!5`X~4@NzZXaRp_qZRX50XT4ueCUxtEaZp5aRADd
zhI*?f0_l)pS3LtjeIh&QIY0&E%fN1+3i3{HH82+PSKx8LOvvAZ;SU{tpm=roK!@!q
zULE=ow5P$)Pa+H4%g{E1`)nX>+7Ba;eQ7O5f^=ESAbabiA0Zb&9VU?Nb+k<qdEiSK
z+Vfz_1Hl9?XJ{{iudtC1zLKH61is2f0eAz0d`N3a5=Gz}8016!MjNBRC`$zGbuh}3
z1nQZ74}<)y-)o};d>?~+uitN@6#M{#c6Rj#ZIpo@VQ6oGH`+j(qd(5j-Ue^7;R2I=
zVM{7gI@yi@zv`qP!3&U10F^JD^dR^EiVM&_0MqjXKkzPt%Ao$9jY{zQ4DBN@#YLzB
zb~31p>bq=IgZDDDPr&<Zi~)bn&^`r!VWS584MW=j{?^7=@DB_s`}&VI#tD&E&oE8^
zk7pPsf+qkI(f*?y$~%%_oD6Pa7-%c<rZ9{%!BZK=+29!r;~elz0Oj7e0DLsVSPQ<I
zVXOk9{1A*a;7ttUVj)a}A&`#gV9*@hL>(pIB|~ANo)T!DZN@VM(lZknH0L(c8DcRw
zgF*9D(_)BTa6W_Pn&t=wUdj_D$}xfFmnO<00WWL{6XlOU^Gnmq5U_)ZGC`oZnn`g1
z;w&(HPoO!Q34asB`Cy6{pm~@%h9O`pli~$vPG-V?1aTo4J|ocl%shl4E&?CQp!u13
z7(=WB*D`3XX4WypdNBM>pn03wzz|n}8yPeYGXo59B^YIcKyxw^WrHBD0;7x&Xntmr
zt^ln~nxr3~ECG{009q?FXESJSVa{RDdZBqV1A92aJcc1Qfk_WQSp%lD0a`~iDLp_z
znKb7y1nR9BWGLi|`3&(KxP^f|Az^kfXdTh)WMH32m|YC<GPs+ekS{20K<orldI0v5
zgn0@>>;j+4z#fw@Ph-$}pLse1`%c27xByz?Gs%|#&3{bt6Cl0^lWzd*PYILi03dz<
zU&2txhL<vwG2qJ>3dMIVgVs{b4GdaaH?L>VTAg_VLmURakwNQr=1mMy3%;2_Yk1}@
z3{eNZl|k!yCgmT%%e=y*JOi}0XWqfUtGmLaJOi}OXHuB}L?ifa2Cey-_b>#NwR;(~
z{%4Y10D&@R-p`=5K=T2Hm;io|p+tipVu*?0hZ(d+Xg<OaR3FKv0Ie6AWJf^E2S3K3
zbuyF6A|P78RQ>>3Gc&2o0iqTBB!kw^%%>Q5T~(M*GiWW%+{_RQz|SyfP0f6kAr^w4
zW6&C#`8-1`0>8kZ^)_=0L$rfmWYF51`4U5%41SqG>rdvt7~&N0D-4Bvw3R{o66UK6
zTH7#RW6&Oj`8tEvIm~Sg+N&_%V9=U}`6h$*EzGwVwEkhf&7eID^Bo4Qg_!R$Xivj@
zk3s7q=KBoV-!Qi`XpO}DfI)i|=7$Vg^DsYR(B6glF@x4W%ug7!k70hwptTTl2ZQ!D
z%+DCga_~+D?RA*D7|IIpZU(LQn|m0_b>O`WL3-_DC>y|^GX&}K1q1uG!u*m!`vK-x
z4D96!b3cRj2F$M+*xwcAHw;1ge#^j~uQ0!32-2O}1pxcN!lbqUpgjchM+WwWh4~YM
z_6^LR8Q3ot<}VD|Lok13U=LZCzcB>q@;gI;t(=J3sbGwaygF6D0U2>RBY`N$XM&@F
z1jy%t6M-biNZ*+Zq(Mg9&P*T+@_KMKkO%oPum$8p{tH|H6l3f}X^sL$<N8(L5}*Py
z?C*2~9)y7&PA^amIR-ois6iOm&^Z=36f(+~^Dv+mVKTsVKqKTF@C0BY!oViZ!+|3q
zKMbA%9EC8@$vG963AqS7o1s1qKANFE2|kuV^LXc62F>T4^MD|pg|5!|z(UBC;6*??
z(s~wrJb*GzbA4wIumtiK;9j5)GJNIi2L>P?0Hb_6mm!`g@N!@UWZ2ZX5;y^JA^1dK
z6=WZH4RA8#gTbc&@RbHzIL`tuM4YdJ*8&&eI&9%w2V4djws2k!z~1V+;0?g_xIP_x
z18^&3vd3+}y$JIu_&(r%$lrq>U}%SesSE+yL15G|f<``hgrWWj-pJ6#gC7MRLp;#Q
zNw(eu`E2kL3|bR$lHCCfwsVr*0S#@4lk5&?WXsJAjcoG_LxWwMWOqP20{k39qq6Wk
zLz@I9e*m;T;e3&yHG^LQUWPuGfd2)&0{I#+=>(|nfXSu+&EuVDO9>kJ?RADme%l7T
zf$K@&H-Wbxr-I4W0Ig3r-(zU$;P-*;h#$6gegJ$389s1+%%JrG=O+ve<-<w-0JIh0
z9l$QgWni>v&OMNw;Jpm36ugh2xxt?UUm$+6-<QBwkl_R8eg>^$Ill(bPH88Azh!7t
zW`AI4Gr{CnK$`~siJ{E`|H9D5fq!LabHTp>zay;&!G8dMLMEU5#h|q+=idyi4}5^3
zEfK<UFdP?xlNmJkwNe1sRX-1$#-KT{1)CD|Tfmt>7UVVHY=(XsI2Xvnb<`WnWay`Z
zEg&D)Q4g#F2F;(XkqjL+w<;Kpbzs<(U~C3^0Uy?XbZ{lZfih;*0Ams78DP{Cf)4*$
z2Qz3sY#jm|itCqv8yLnD;PDI{b<sjOCeU2kLVYIaw}X2a2I)xl0*q6^{Q&eeO2Dgt
z)sRWwlNiQX;5ES6xb6p^4_pA5bh(&eTn)aSVcZSAiDBFWz6C%&43t}o^Z<<e!IU4s
zcmRAC!yujM8Nhf9OyO|fco6&$@GxY+dX!;24yJHmV<Y%UhJmu055E%(l+%3pnV`d#
z`56pa1IV`+v<8q5KN57rmk%2e43zzR7sL1lJcVIw1s?@WMVL3h&A=SU&x4N!j)VLv
z7&apqZ-LhW>mj4A6sQbiFW6uhUw{)B2I^Ts62m~<D@bM-?|{=72J%{v#W3CnXETh?
z!6w7l4K8IE`@kp{1Y;+79>drHZUx$K{Uf|alnbD3(BYG!4GiN)F#J&TAi|)&7Ci#M
ze#Y-$l)obAVxX=TZ3do!{5N<D!}tmOGQ;>8{4a(>1H+C42lO482q4eKAozHO19mD-
zVK@{p>`gF!0mF91$P=vtx!^Y!`e$1Eag7DWLB2o;s3f5xo<H&YpI`^d?4L;cPaSOw
z_yE!)IM!p!;CNs$p5258agY8DJ}kT}{qv{@9bcI#O2&WwLj!cHG&izR<VIF0xslcQ
zk}GnI_SZ3gzK|Q)^~aKk+>XN&a=W%Ay`CqOo9mN}2UMYmND(j6M6M_lCBh@dV44=d
zw#_tgG$thUb>}j%8r$9HVG4hZxDhY-Jcvp1GuWtk6`NTfU?cD=ObUNjgyO*K!D)Cs
zxKJrkJa{>{PMM@ME3=h(%3{0}yh=GuITs&3U7}pA+=5qwA5u2q<CvH60_%tPK;{eO
zTYLibmnu|;8n33|504b8C8`@A%N(pWs7J`pW#-`}(tdmnbqZd^TdQ7%7w&GxYl07|
zkK#k9EqKxIZM@F6Q~eyTBL1xYg%=K^@giP^R-ld6+<0~H5PS}Ggf>;1t<BRG;w8R*
zymEK4c80cIyAmHp-KO2EJ)%9SJ+HljPiNlKKGF7Q`?Vjn-?c$KT2Ill^bz<Z!>iZe
z)4PB^1)oSAr?=swfIfVxw?;oxzW}e_U5(fA?$GbY=W0*uTl81)A<c*Ql;#WlJN;Mv
z0A9;ah)9cYMifPqMff6WA`XoRL`;g95pirpYsBJ+-iQ?uYa-5!xFF(^h^r%RjJPM_
zp@^p<UWj-l;?0PUBR-G#HsY6vzYWE381Y7$k!uthC5F!!Ycv{@jAmnwu>h~+_Zmx$
zRd@yXTw@(x_}ze4#_u*B!s~y}7%v&G8}AyQ(Mx~EUk=R??MT84!cNCXyaeo*FaM5r
zOm<9n9OGzl9Pj9HEOV@KoaQ*!vCeUY<2uJ3j{6;tI-YiHacp(G<@mtynd5WEw~k*N
ze?@AMQIYYHIgtgCqa)ps)scrpHbzd0Y>u22IX7}aWM^c5<Oz`{N1hqEF7m3#>m%=q
zd@%Cy$Y&y7ihM2d{m4%v_eOpl`BUVdQEF6FRAN*{lo?eNRTkxo8XHv`H6f}gYDUzt
zQLRynqk5xOM6HQBGwOn<OQNohx-sgGsQaTHje0t2OVq1TZ%2I?wKM9AsPCeFjXDq=
z5gi+y5}h5LA3Z9%BDyO2;OK_vBci89&yJoKy)e2fdLa75=u@N5iM}ZM^62ZLZ;8G;
z`l0Ae(a%P|9K9|2z3303KaJiUy)Sxy^taK!Mi0is#-zqLV@AdJV-Ai9#5BdsiV4OX
zAJZ8#5VI=goS1bn*Tmcsb5G2}F;B(37_%*Ad(6(5uVQ|R`8(E#O^D5m&5tdK^~F}j
z9vV9-c3SMb*!I{Zu`6TGj6ElIUF?;y8)9#deIRyI?DMf(W4Fb=6T3b3lh{46`(wY0
z{W12p*uUbGI7eJmTufYCTxwi;TvnVJmmfDOt~AaS=ZPB=R~I)qZbsbPxW#eH;!cfQ
z7k72s^>H`H-4S<h+#_+1$2}SMY}}T(SK{7?dq3`jxR2s?#qEjvJnrkb@8W)q`y=k}
zco82F9~++%pB<kcUm9N>e`x%K_-XO;;ydC`h(A64()c^#?~i{p{^|HF@vp|e9sgnc
z&iF6lzl;Ah{y;)RLTo}xLUuxa!l;CbgsOyt6B-hZNSK;1J7HeJ!i27bfrJwiPE9x`
z;i81g6Ru0RCE@ObhY~g=Je%-x!nTC>5<W@TldwPG$Amu;mBh%zgv9j3yu=ZSrHS6e
zn#98r$0trsoSt}0VoT!jiAxffC!UmeM&kL27bjkocthgtiT5RLOnfTwg~Y9iZzX<^
z_*vrTiQgvvlK6L$o)nXmoRpPhB^4*Rk}8u9N~%vfJn5*USxIw~79@2h^(UQ>bV}0M
zNo$iXOS(4c=A^rl9!z>X>6xULl3q`GH|gV~-AP|1{gCu~vPgC$$0w&H=Oz~>mn3_V
z$0Q$`97sMgd0O(($@7!jlY5evC9h6CJ^8%k^~qNzU!Qzi^1aEABtMz_eDW*FZzgX~
z-jTd7`J3dQlmAN5Qle9mQZiGVDI-(LQ~W98QtDDBrc6nhnQ~l8TS`YtU&_jqlT*%0
zxiIC@lxtFMO1U%Tft1HmHmAIp@><F}DIcZmO8GM7`;^~O22+jHxYX3toYaEU(W&m#
z>eNG08&fBxHmA->4W=$i?M_{qx+?Xw)N@nUrCyP`A@$bOdr}`xeIoU_)UB!8Q+K59
zOWmLPbDEkKm6n*6k!Ge9rIn@m(#EFMrcFp|N}G{(Y+7sD;<Vnh6=|oXU6^)d+RbVA
zrEN;vlJ-X0M``=gzDfHz?XPq#Jvu!pJu^K&y(Ha}J|_Lp^gw!3`mFT1=?l_3)BDp;
zNIxb0?DVzim!)5ueslU==?|tqp8ibwOX;ttznlJX`tJ0v(tk+*Jws$TGU7ARGIBEt
zGs-f28DleQGbUs-Wz5P5W-Q9+&RCkUD&w?_b2HXuT#>OM<MxaPG9Js=obhtTn;F|P
zc4mB)@k7S%nIhAX8K0S!nVVUdS(53?JSek1^YF~0GG}GZ&0LV#nc1ItLgp!%XJ@X>
zye#wD%$qas%6vHUsmvELw`RVT`9bEc%>9`^X8w_-WJP8rWTj{2WsS%x&GKf|WF3|@
zK5KH;^sHmDTC$GMT9UOq>!hqRvd+)CIP0pc8?tWCx-V;E*5<4ivtG-3C+nlEU0M6H
ze$M(UTg#5lPRh>Ac4m*vF3<L7ADkV?J~De+_OaOuvOBYvW}lROM)vvH7iV9UeM9!`
z+4p5{%-)>+a`v|D_p(39-jlsQ`^W4*a+I9NoP?b0ocx^P99K?t&Y?NubB@ZHlhcy3
zIA<W|q@1&IF3h<sXG6|yIrrr}p7UJJ)||I<KFRq!=lh&La@E}E+|=B>+>yDi+%dUz
zxkuzS=g!Fu<{qEho4Ydi<lJ*|*XLf9dqeK+x%cI6%zY~Nh1{*VZ{>cF`&sVix!>mg
zlKXd_o)?psoR^hn<rU|-@+$KVlArT7$qzl}=C$N4%v+q-o!6JQEboN8lk!f@J2UUx
zybJTz=UtX}Ro-=ZH|E`%cW2(cc@O4o%-fXrbl!7$Tl3z@+m*LJ?>AF5W6TsY&nz}Q
z_yoAoY%*u#Bj8SRnR&8#u6c=hoq3aakNK$ithv>E&)i{tWB%&YopH_#d=OmX^f?d0
zhoa5Sx%dRQ*LjljZ0CCCHTVGde&;6V3(nV_+nu|dUpxP_bSufqu|`-f>mVy&O|y=(
z7Fpfaa_eO4LhEvT_Ir=D$$G(h-P&&Lvc9(d%#X-V$j{0z$S=*W%s(hUkUs^V{<h?I
z<}b@XIscsei}SC^za{^^{Kxa3&wnldz5E^d-{k*VpcTXw<P{VbcnZc9G!`@!%r0mt
z=qy-Ta6-YU1?LxBR&ag6odpjUJYDc|!CM6%73?kew&3?dtuU@IqtGgJ6;>D479LSJ
zy>M<}N8!@KlM2r+Twi!i;jM-D7d~G2T;Usq9~AB_{I2l#5z2_95ji7@MpTTb8Bsst
z$PqI~1V^-w=o_(W#F-;58gbQ#n?~F{V$+BhM{FCheZ;;IKaTjj$WfG3lv6aKsJv)w
zQA5$>qG?6P6fG#~DOy={deQks7Z+V!bW72F^0Va^inbQLUG#C$&Z2!q`-^@l`g5c*
zGHPVP$gGjhkwqg*M^=t(7&&8P+sNLLCyzXL<Rv4o8+rT42S+|R^2L#FjQnuqo{`^<
z{JmH!jw{Y6&Mz)4t}H&Zcw%vL@v+4Vi<cCiP<(pvg~eAC-&lNi@y6n3ieD*yr})$2
zFN%LG{(F>TRMM#2Q6opWM~xlTFlzFsS)=BU>KL_j)S6M}jJkN#wWDqu^}whnMr|3j
zZPW*&c8~gI)NiBJ(Xpe`M_Z#yM*Bw}GJ3-3siTh>y<l|D=#`_-7=8Ze^`oyCef{X$
zM&CR7;n7cyeqr?1(eI4jIr{6-f0aa+q?P2CxJnK#IkIF%$=s4fCH*BQmt0tKZOI)a
z8%s8qyi~HS<b#r3CHqT$DmhRZS(;SpEOnLEl-8F{DxFq(OzDEs?$YI@Yf8^4y}0z6
z(mP8ZFMXl(_0soCca(l!`a|iTWqMg`S$dgOHoC03EKqh-+0kXKWgTVxWvk21EL&T4
zdD#tRca=R{_FUPUWgnOAEBmSJk8)9Nl*g7QmuHrn<s-^V%H8Ev<p-75l}{+2Tt2OQ
zPWim@1?3&(z2(cxSC^kweopz?@=MFFF2AAtw(@(*A1Z&md~^Ah@~!1>mcL*AN%`*b
zFU!9x|E2sdm+Fdi#k*2n*)Gd9(pBd2xyHI`T@zeQt~stY*Amw<*DBYkuJc`&yKZ#d
z<9f*TsOxFhbFP26wz=MOedyZh`oi^{>sQx-iinEXij<1%iu{Vw3U5VC#bFiWD<)S=
zuQ;ZnrQ-OCB^ApnPOdn=;*yFD6}MH~Tk&|svlTB_Y^!*$Vn@Zkif<}@tvKM0aL2mS
z+_~;TcM1NU+Zgwu?tuG9_cZs>?)mO^caM9Sd$s#?_j&I1?knBbyKi&f>wd)jr2BdI
zEABVl+ub|d``q8SfA$DZlqb=X;~C*8^;CHd_Dt|JdFFV6o(@l+=S0t$p7ow9JvV#q
z@@(`x<$2k&&GVsWr{`<WPo6<<q&LBv?alX=d41l4y!GBm-e&I{Z_vBQ+wEQIUFAK^
zd#-n#_X_U@@2%eZyc@mGdSCXw?fuZZ)BA<@JMXXF1HK4ftS`lv?aTL#@>Te%e6_v_
zz9!!sU%PLq?_}Rv-!;D5d=L7b^}Xu*$hXh;i(m04`g8mx{z`v?zsY}`zumvwf2x0-
z{~G^Y{*C@E{x|$P{9pNhsZ=UsD>Et!Do0nkE5}v_Dvzw3RynhBV^wigRc&XmrMJ7Q
zc7AW$(zb!FcDJX#0pw|{bu)RH{7h9$W0-20>X{lP)$wz6{9GMBS65Zry|BBhZ83tl
zJpp>a?P;VSZm-`bpL18$2V3w5)aqN>ds_xN7j(2OuWt!LwfffX{$LCK;#+@%Jm=7y
zrn|8L+6Vg^<()>(OQXz7WB4)oKpm@G$12zH<8`cZJ*!;LD%Z2h^;L~wl|79f$~ZLl
zj~`NRyi8~O@O1DO1ij;jwDeNMZnwYM?Q>Hu-JTlXgrNweVqQ+pTRUNXuy<mAdq->A
zM9#;=f5u!Nkm2h&BlWct!|EZ``osSbt=r>cPx&}cKK~?X+({wb5TI@n;+Ii|!g9<$
zHj$5Q<7eCWy_01GG82I@lZWE*SIRj2oDDxG>mSp^d1zWR(6unwJJ8t?9H7M9o(7K$
zU(X(>=TsUvl?K+ff#Yi6xEe?;x5v*RE4@vNx_i5191W~#14q@s0U9|fE?g+aQ>ETh
zLkfEuD>=SOj=hrOsN^^*8=GbD=6|zhCB^Obde}l$oJ19CThll#6uH|YuOT4ETE($e
z$)`P4Rnw(=r?Y9M%i=S=7k_qd`v0^N7ncSyE^JoKRKrvU@-#NGl^Uz2b3vFMwo4<c
z*~m&XvJ#DKo`8Gi!rtK0wwW@YGl%jyv$eeqe{Hb6Z??QYd+3f#ZH)amCmLYm1;)&g
z(aafMQaz0|wqYo&+cSpBE&NB?pxAkXoc-Xi7Kh`m<&sg$?LjS<t6IuB+(=mman@_?
zCW>oB9Y0sc&(-mBb=ARP^&>zJpv7UUj$!|~t6QY@Ekjvtk)CV`XQwsfSx=*z({u+~
zWsB1$@8Hj6QtR0!^U@Z6OzK+4D%Y{fb^LgpU5V{Vz$(|X%JtQ4VU^M1u+IaP3y0KO
zDAQRuJRQ`1-@+j+y%e$AT_szbMMF<Yjl7&r4Li?Uw+JmxyDXCJoDXRvyDrwV`t^0~
ztdvczRvF0KaQr_ahhy1MKF*S_a`D36wze+({mIt$mJVs>4yk4bw3ku%xLk&w<K%p7
zEgzf7&t~%bx?}|Mu|Q2%D7z?BoRv@;#47k}x`OmqiF><y7PWPA&bt3+4dX&;_jY#U
zYBx>|oC#U`JdLvUfk;Cn$*NWQy2JIYft7Ax7dLQ#M%LXfa*cJpLs_V-?hR!D%@Jq3
zlH;i4I4T2uGI-y=8M%_;M)ShYRB;kjzWz{jXn<r9_j)+GDvqv-RjT14RaHG8ojzbY
zohu@>Lj(WQN?eC!Q;c?qn@-v8;>>PXxKuS(57?zQY?nq>vypXaWL+9rmw;!PY-g6q
zd@dWx=dw^cv_jrrF?0u6_cY4Z#M2nyL<8*cK+Q@S&C2051MLvIv4+CJaioUZE6W>-
zE8D4(ngX}Ck_rRJz9=*8t(4DsWk-Q~(s*9(J-n5&o_T9znea*<B8Y6_ywa68BlCb{
z<L|XSC%X=}S9%V_$=W`v;$*8h*(xg92*SzMaAZ}|0p2Q3sD><xAoe}`jMJ;(k|I6t
z_EvK?t6A%6PPUqJTg}N<bF$T(Y&9oT&H1b5^s3o{)tpc@CnOtFw|5LjJ%*zm!%>gn
zsK;<*V>q%g9N8F-Yz!+uhU1jI3?gIYYgp?V+twU)4adn&^~yfO?X8vfJaPo*_STG9
zFn0m|pW9A{js<i3iTfwIf)iz#0?Xn89x7cpk+lLGDuEEWiqN&tAk-BkqkHNDQt&j^
zj|mC22*y>w4&$x21wU>D@xPsV&`v!#JazmjUJU&ZXef2Nr^Gc`MZr`_?KtZj?R0BB
zA;A|CDnmkbNT>-3bs?c4B!n_j7mBAY6i;0!o;t*1cc-pkNPz(E4(pq6Vrx0nKglGh
zhoX=)mbcUNa#Epw$`$Ou|F%)Mm%uqJZa?p1JEHpz<;NGwj}Q6j=%YU}><TVGEVUgy
zi-L7+{lW3U&Q9qmUyZ-92Y<r3yK4?EH}(goEdo!3JC6wV^aLjbJLk6sj~tjhFsr?(
zvz>bLDeY4ibvL&!><mr|4ov4~rz~o(U(`OOubrIltF4jg^mli4_t}xNj6bMM*C_U|
z5b~!TyS#44I$RzK*0zuz4pLs`L)nFtm)5q9{$Lwxvl18aKmO8lf3O{CEvB4w$ec+1
z>gu}&mbZ6vc6!=-7j^ehcKU+@0~|rmqV|?W?U1`Wk(zvl>yA(M{%)V_2tk!n38|-@
zHp_PYC~<j#gisFbbmetBz2Wjuuuw*aKm4CU@-?*n0XMZIAlb15crq8@5mvxW?F#P6
z-X`Ftb_HkDu7KnSGvJnePk`rw0Un?Qcu*hUJ~hD8s{oIF0z8fnaBmv$aGV~F)62Se
zS(kcFy`EF|@|o8@<LA8gbF7P(b@6d5K8}TFGyxt^1b8ME;4x8v$4dbp$HLRI01uP`
zvSaoH<PZguRF2cnaR&G-z-Mw8jv%a=pEdJyoIFzq@Q5V9(}w`}-T@w;1bBQBkiD5F
zz!QxC_wxbSIe7wAcCu`O04F4SEZnotI9VQ@1myGx_iX3zJ=te?0<zBlab&X3z?mI{
zwdR>gfCmNvo>vBHIMcF!_5^D9@fuED_NBPUkJqp}WPj-i$fXHSpq3x!Sx2CjALq$O
zpq5kTIY^+EAFpNQ-Ew9Ta8r-v3CLa-#Aj~mqfiv7YXng@2BKaUB*(D<w;av{cnKxI
z^O`^%-}7+P9y@A|Om^X(fQQdK9JPm|_Hfj44Z;(U69eeN_he^}i~O9IpW~H?0M8Nv
zUQX7_D%JCukCpJ*O7O*M4#G<f0iFN^e4LPvmEaYI0FU(pJi`d^U^~Fm`~c7W13dH&
z@R&Qms}BL52L$Ax1bMJaGAqx^M*&`c2=GiGz;ok3Bd0D0d7gkAv*B^}rX0-RBF7>}
zemG;T<;V|boIg48Lt*DLUSA0C@ID}y8E}s+h%qpElh+3VJUkCnb9s@YCfwun<d6?%
zoSq!=;fzy|Lp~HmKI3U^fak0MIn43|cy%qnt7`!{=t8w%CFGzBXPoyj9LpHHWZB;2
zkaB#5ioo9F<*xuQe+76BAK)Q$Kn}VPlH=qFWI#?Qu$aej1~^V$HVp7wJ`mvC1~{8?
zl!nS>hqNzpoVBbcPxk|IT#xRDq6U$}K~#M~RBzor=>WH{x-r<*-QU*H)*cKCu9jer
z48ucPUv;JILF9q%g?gY+zk*n}Oz?VOfamG~o~s7}T*G<Z5|Aqi$TT+|Jmm}UDpr73
zpzw=6NF0qZ6E7|Xc=i+ERhU3Mo4l^URu$fE42z9{uoxH$P(LI#42c*8a%Pd<kch!)
z_-aUW`(+CPqO?Ke8W1@HM9u(_GeG1FA|8N|FrTkThxlceiTlzoe%VRl41-(_R2vE{
z9p;zaChkkW`8{M#oRM|heqJH<^Rk6swnw<gI?473XRMQKk8s8s$j%pMtby!qamML+
zslwrm)AMqAvb%NrWdjXj8^|UZXPlmFl5xiA$tD?RoSvIUo;atT0mKQ*F$c~#VL9f&
znLX?$fz2jIA-KV+$We&f&yzntPsaRQRQ){V@ypuh_RES!WLp*jM<}~D+@NAh6uKX>
zysU+8f34fT0f8UniIQLTXt>V`$^ORemyHUDoi7JhZoe$PAU0UNJ#fdl9U+ewvHu`7
z;dKH(uM_xr4c0FkPPbnU7C@Y)Y#H2s*`a_qdfA2GjQt_I5S+0;WEX<7kS!o^mUu$%
zmjfx>XUE8)6V5`GfnbNOlZwj06z+2wk%K9maha5zj@vIg9T3+O+0EdL^C`O-oUy6=
zTt?)u3l~`fUhnkts)Jt+v~Z8plWW;H<Men9!p}<zeqM_3^HKzMcBHzz6yfKk2tO}H
zfNbybnuMQMA^f}w;pbHdKd(Z7LSaK?QjX-@eqNsN^YVnBS0enpGT`SW0YA^b{jw`S
zVdKo!gc66qmgTh&zZ_&C7*8~%!1sBo?zg9_D14zJB>MxLvuET;3Z;-sgzWur#)-<2
zJ_;kdq~2@i2?8e}TVA)HCog_pJoj@a;^$7p&+Bo1*;Au1vae*@?)J+r48_3X>g%Nl
zy&g{${cw%T&Bs1TJzWExSn_od_b=;aUWCO?DJ{Sc=&;bfl&|!)FP9hku))?Pr8fE%
z94X;9cQ_Cy&|?!P)Ndz5ObJPr36Ufdk^&_}0wp9_CPWe^M3PL11eroN1j+(2#VlFI
zOp=UQ3KTO56tiR*Gf5mXNit><WX$MxC}I%BOC+O(AY&z_NWl~*k&F@o#|S}22&RJX
zmZNNMqpZ##DkAuqE@~0H7y>X+Ey6{ri?~RQzZY9>OypmjQKOA}RQtR>*&l)IGZ~9d
z_D9}o*;aw%<BhUE@;1u;2t;)eBvbdu^?9!c9T>*nnBLH_F4&Je^|iIT`g<4Gy82q`
zfO?<-XaoYlcwhoB5jY$;0+<9G2}}l>fGNOHz*L|am<CJ-W&ksRS-@;y4p7UhN)UJj
z1;Vg(C7kiX5`@sWhaR#QwjlAU4FtKk)YpPc(k3thL85)&u;dL({;*UPmd1o7$~iwv
zd1r}oFQvM0e0AaY>ca8WQGE7ZF-i7gv}eo_(6+HHVdt17Y|hYQ^(}3!?HwIK5<{jK
zwwo+N$VDjJA6m|Xb9iaW)(@R_NTS4fe;Gn!$jptQxEudrX5NCPfWype??}_tkeP?}
zrE!%l61H4j*m8AYE$YISs}EZa4W9jMeb{pKWCDB3I&>G~HW`jKt|1NEyQZ^{MngN;
zq0nB6pZBr(5{zyq9@@<g1+5_;4BOKVhYu^}rA*Q0HppIog%C30@D*5G4wcoRHCS8>
zm(^jbuy(#M(hXT6Y{hy?FtieDhr?1VYTG{?2HRsBz_t+97Q;66k?Oo(PQtL#f$&tL
zY2zFuoi{9kumTutAP}!ghJuB?=ns3*Pbu=YI>!b#Q5=&)DNYVqL#pbp<WQbQf7rJE
zu=;*_vME$Xn?mMo`bU<VLJ>9%E2H*KJv}~r`-c;w{rXU{_2Dv!S%;mkhH!2g!uD$j
ztJe@#uR*F8GD#CXFZc1o@q|l$LpT*oXzWxP!>NQTKN=>!i;bOdxJuH2H~d47R#L*e
z`yUEl8P=*YoGQjgc3PDb8@~lW!awZS9P*5Ghzv;*-U|plT@}`}iga0sAKk+a==_ep
zP=FeWo?jT?OZ3iwE#b9+P_U}7K2>(^5RUYo9&+*Ykc+4PLq&eYfC3J4vHivYT@6)w
z`Q8Ct_>Vrf8&-JVE_9Hp5nATEp(ZR*ZNN2p86hl5E$w{}iXU%lgztsz6!IRP4Ck~l
z?8g9Ek>67wA(Yc$Z!6H{VHxCi7I1NPDD1HJ7wGb^uu|VKLurLI4}{BwtcLt*10J3e
z^7_zg4!A0#sR<YQ8j7Z|e-Vz;hO$g=KX6zS({O<eH8u7%-n2k4+P477tqc1p>|Q{!
z_ZT429tK^IN4b-Mvx!)I2g&^mFmGu<IC21o$#j_2j)T1c0ci@IVv_?$xz7Q{RtJvu
zz62y}c;JXV50d-nNWRC;2P8^wm_hA_hFy`nBebgDH!vUJq3zH~6YV$*ol>k=nXu!>
z;zU>q)e0<8gs<7Y!V{r#Noy0Vo8J>Ep;(^?UkjC0TAm1nvr8>vvCAGLd%OcFRNt^f
z5qcur`C*|Vd@ZaWwzuq<y<z>lVg0;e{k&oQykY&kVf|z`DXrlR>nD3Hz82Qc8`jSo
z*3TWbpF6CdJFK5Ote-oqpF6Cd96HG~u*PBMLrT1u;|{Cp4y)=8o6;RtH8gC(Do0pV
zcUV<-Sk-W2hlP(&a@AqAYQh-_)htXP!v?Gg>w*;zTh-9;6!XV$e6>S&!y1H!owUpm
zdR7iLW!6IjFIw*i-Nh1zokpmW!^|?QX{c+%wXjy<&IwB%p=TS1?uK;<kOsj{{32@~
zItR#d>ePo{@NL5hO`LF)^QOKQIc);btf{YsCQUfXIa6N?Pnr5!<ctZY%kiR3C+@S*
z+P#b#-X#NVee^4@!^H3%ES&aXN4bNdUNV3)^i(0SqisQdNS42n96CXm;rDPFy1i%x
zUbvxz+PYe4M;1b-E%e~0d%Nt%q#Sx?KHiI2+}3a3vd@O!#L})*gl^#nVrk|aG8i@&
zrOCk3XvAzbNNhL~r0F0?;}Ns@AlU|l#3qC=OwrJpohY3`fo?bqB7XF_Gbkl?-oSiY
zm-)6XU|W~@AzdJ_F7s_&z_u>)!@A55=`#Nxy4YtSU2q!GWqw$f`Mhq>+SM&*_rzou
z$x;`Rq+O&yx{yG2kt}r~iS0s?v<nGCb_t)cF7lLhA(8DulC%rf1?c@a7cuD~S?WTP
z)I|!U3kjr)WT^{DtP4p}7ZQea37@ep@|1NUk#!-dySH@#er;RE5Jc+$2cqS|5gh=I
zXt8ia{lpP16^@vs<A`ZGjuYh(Q+3FgtmBC3I*ypI<2YF!F=>Z9MIMim$EotzERWOV
zak@OtkjI(wI7=R9%Oj@ph=GgLd?~lcBNsQ+P~2T0j|=4y)eBe9G2?i=JT8_;RA5{|
zGk_!NB93TIaO{!CCGyxSkA3op>V&%k^0-tUm&qd<8eCr?k1OSoT1qc31bcbe*UKwy
zUb*q%_BOiP?9nNnY_msV6gfRuiS7fk%pl$&fsD64=-ASYcQfR@Q2Rko+bsx*b{hh5
z1zMN-$&CZO_<eCq-fFxZ?Y-1ZdEK>DJ^1Byyx<^DYFfMTG8>6<84*M)h9J3u<Cd?8
z;*1xE<U%)M;MFAgZUFAd#UZb!lBX;S=<Pkk;E@ZlAi3D&kqfanlgmpUx&DeXT9gOT
zRw;<qF+oxRkKE4o;{Cl2{H}M~l7V0c-jc-cVE0OyHnQj%-sb4-UM|J<t_3Ky{VNcO
z8+xPU_qXHKnDzy@+)vi-z>l`Kw*)&V6|da0z?xK5-vC-CYV{FO>p)At)WPGUo&eX|
zTIG3-JJ{RXy=;J1+MtqGo>AXG=aq5`0WY!1oL0*BA-vU<Ui{2?a3McZDHmt)x*G?n
ztCsg#`EfR2rQAM1EYb>9at8`8zsa*|x%K45CkP$gE8Dsjwo$Tfxdi~CEdY>Q`}ayu
zxxKvn>y<C><BS{zl8fkG`Q8SKr(DqW%C|9aM(c&3dWx)465hlo#}Lu-V@RaZf@^Zo
z88mdu<Fap&0};YIbW841;Klx-D{`^khf!8IW~sjqqpk22G8W>ga`Awggpe8#!?IlP
z_F*6vz9KiCd>D^~ugJXmFfI#Up`wS#Ylp5#3-~Zj3x^?NAWZ$RE4+^G<Bcg$_!jRK
z`Y<XFJ<i*PK9AS73-2HLFh*xP@z$V^w+4N@HRzM?&$xNv6-0FlB>l$=uW&ni#mh$J
ztv?@c{rPz74`l1fdw@Rgka2iB(1&q#NKf7w^zqK1&&!$Sy+9xD1^RgJ$;W$7KHhEe
z@&1vI_m6yX!5M{-ALrd7AMXf(!in*AkdNQ$go|KayCg|59FFgVN)+9*%c2zj8O%LA
zm|fH;m|e!C_|GS7$I_i)&P62(DI>+9XXw;UUyA>{V;3&EGpvBosjZ9@hn}e#N=J(S
zykn<BcZStFI<?c0;y<6U)1f=V>KG+!*C8nmJ%fGRP)?;7zJo>j&>bnVGE(F;JV?QQ
zREl;0x+(*>xiNIRt1%{PX>(C`&_yFMTSj^Ix@D;fG~%5Hmz)0vhSlC@1+9Lx(D+WE
zcd^yIz^ZNSp5JCQujuP<>+G{8cC~c(_H_4BlWetjS$Lt(nvUikXU%xAt__cOwN`ZZ
zTHUzQYqg-;LmS)H=c@1SSs{l!7B)WIWpwn)qyPVu!l*_4{XJtVDwZu<<_eM`E{u>W
zMweO3+WQw-Q_+F;E=AIT?yi1oa<H?_D&~9?yX^cl2fO;LDZSmwe){Vim7*JeapO}Z
z6+dm)r(CH#qb8~zbuxaEZMAx(`Za!BD@x19&ttXX?^&FMzhv=*_P+MDZsJE?8}PR&
zUev#jQ1DZa{)mYYN8@K6Pl{L@vBS`fOv7a?HcoIvIqDtb@pErSJ61bxalGMpFH*%{
za~KyHh@2nU5xES1zu}1}5#@{;fxpGj9<@H|s;H-;_C$Rd^;2|Iv<rV>VQln@=<}j4
zj=nE?ON<#aCZ;du+?bDIcE#q#mf^1-1n{>Hj)`rHU5&qaup{=D*gxa6xX3tXTut1<
zxZC13$E)#?_zMJ!;!lgeHvYl*Z{mMWP!gi>*9A)O_X9R0+@J7B!ix!SCA^>TQ({D7
zZsO|1Qxnfi+@Iu3DoUD(@B8N`-J7&6X-CqJ_<BDgxiYyS`JCh%l5a~9`1(E%U*A`z
zoR077zf3&{U&}8|eLnTG)F0Af)25`&ObezhOnW5lnY1s{en_{{%hPMp4@o~Y{gU)s
z@D2L|>F?v)^)J)^&d~9_`lyVF@+<YejFlM=XKc!NKI5f~*D~JD_#)$*jK4CKOiyM_
z=HkrdnP+64m$@$Uxy+X{_hkN(`6s?GpOiH<s}<jr_u-rJ)mf+Fd-9vI?#_BJ>(Q*2
zv%b#yDeI4{!E8M{E;~7UZ1xm<H@-OggzVGt)%YdZS7u+AePj0B+0SIZh;PNe%|4J5
zkuy5y$eh_Z$K@QK(}S<W*X2Bv^J31MIXiN`$oV$sm)x}6?A)^4%G|^7CHU0b8M(*e
zOYmj6t8-7yy)JiC?$fz%=DwHvV_sZdUS3gNX`VN448HfS#ZUS!&ASNSaX+8;dfwZ4
z+w=CBLVmkF5<lxZ!)!Hs%~j@^=34U#e6xM4d9V4r`JwrpGr}2zFSU#D!_7xJ=QtNS
zdz}5w6XXy1UVxwSz0`Rfeyn+m^A-G5^H<JaEzL@>QmtGo-zv7sERR)X9cDFKv#iC|
zYU_0C0&Bf>wRN*~xAlPasP(k<y!Ed2Ilk8(%y;A`=jY`Y=8wkDG#`|IWd6+jV19dk
zSAJjqiTUT{ug||R|L*+z^Ec&h&VMogb$qe?5x&{poBvh*clo~*C<TcH&Vs^%Q3aI+
zwFO5MOu?7i^9vRh^x)g=6AMl$I168IuP?Z~;F^M43LY%jT(Gs^y@K5ZUlsgTFjyFi
zueZ&@!orgOhp_Jeiz4aPew(ppuv<rD9F!S*S_LzPHRqfY2FwVGAc}%0Q3VH40Y$}(
z5di~15JWH_2r6L4h?sLg5Oqy8Y_q$6HGbdT@80|W&;RWDFjL)KU3KczIqx}j&K#TH
zY<k%Aw;5(L)@GuOlg)e^Uz-&+;WUT)fK3w3;XY||&Zf}jhD{00<9<Oixj)+cZbNLU
zX*RdgmbbOA)!JIy+R~ivE;OrqpzR3T3AT>5Znhq_i*0>vm)Wkg4UN4OQ?mb_d6Y6{
zaLj<%Ve!2iNxhZQG$~d~IORDqlqKHEa}xcdR!R%1nz2%2C9fs@2}i8ReBv%~q`uT&
z>L+nheaT&#PdLen^b^0-vK{$>v?MKVy!ra|MklF-)N*7yTahPeM(vfNxa4fn^)Bn{
z?!I!4zR#rGSF1#FUAZZGV_ck$2tz9*Ye^+3l7%03q_IJ2ND8!%cI2Kc)EB4B>M!!4
zGua4brpw%zsd@>v!Gf4jt{pPB;K$c<MORZ&LOfGNX_?B+W8rc)Jx?wewWQUzZ)5=J
zZ}VAdCAG0_B@K`Ue6=BM#EM!yrrjb6Vs`HOvnP3@Br{1dbyzPt$RqTjdPMPobSFI|
z#RsXLq?Q!zq#jatqG(6d;)hy;XJ4=Ubn^P$yQfCAYVAB~u*h$l%$Ac=N+OKAFRA+u
z^;|I7kkyYpeCkZxS$%P=^VE%^<mA`Ip_z^+D~;MqIZ2m}iBZbY+fFRGrcXVzb=zJs
z=p`E-VvJa&_x9hDLPs&()Pa@iDu+nD17`#{`A@eFSNi8JI~|xagwRE@P?BlY9ax?;
zD82Rm?S!NK5=8qrcGiBcy+?KFiLqz1Px&uSGZdDvsdMa)_R>qLK4aVWx$1IfiFnzE
z&02mmXs*uPYw6?(lMiOhGEC^pI_KSA^jy#9=3ab7cpVunsfbn@C=H@3p_N8U{KYQ0
z(+%M&zIfZEgsZyi(@#i>O@=jt*n)_IK}&Q#eybL*F{ry1O?YWYf7_GewP}Zrq^2%C
z;y!<g_ksn7y^oP7;n-o?wB*Qq_ocMykawD>&fjtI&~;tGwA6N+3}GYKoQSxUzB=D!
zA%1HOzgD5;>(@WZ9di1mh@H~e$#K(T&gsr(CSJLC%71>Ap{RsCH*Mh2{(7lFhu$`A
zZ%(`BExvVSi<V|BpRAiU*JGgln50vVhT(nKaaUf>f34@WxgI}Xvr)>QopV##5Cuz#
z$TRCqMnyA@H`S7cX^FXMxsq78-f1~>#@tb}4B;}bTPQ!0TGNj<>CA>Jo4lUBkX4iJ
zR>Yi)SCZc3H7nIoPL|XwTvxcSm`j&v`H2;2K^c>Yx{;)&H%PDP5*4eipGrP-N}n6!
z*-O%dOZMT?Z=(F>A_egzU$jjGe#qrnk7c?yxK{S#$JO>y1Bsv2d&oEgA1rf4$huIy
z&&r)ipEi>gn@BxTsxAGcq)Smmmm+Uwa??$QmE+`<F#78J=}N3MsONf?jL;97H>G2Q
zSQ5^jjEX*Zi0+0%l(8*-%6#3kNtt9JSu|-c^_05*Y)338Qx9~#_UTi`^^%f|QLS3J
zjvgrT6}kD3w~Hfpvd*hL7fsVo^GrUqS{xa|QmXVL9eS5aEu}$}914zX|EwfUrR^q5
zLFz~jvk#BtUHYseEo{z8bO$d{5_73YOBR%=-sCJ9FmQ%jCz1cDcxLsT<S8$&dKGrb
z5T(qM><FZ6_LlM|$<8Nsbe-1PhjtmKlk$F6HIo{tBv!f??6T51cs3<-@X6p)!I_dd
zxz|W)sN~oA_^%7lk6j#}o^d=rKQm+H(lqhpeKy5$Ld<x5({^*(%|1LUcezOU*HmA~
zIPQ7G#f3U#T}fL`n;d^IDT%b<JU!!lk|~!a$I<V8@rxGu`g(fC`y`9%d+F!jZW0GZ
zv2((WOMUeGT+eHR^rM`dJB5j*YuOV~d-uiZ`P1t&))1|*eaePuu2aLOOwsXA(@Cep
zq^?0yDwnmOyu)kDZqrGX4Ly_6v7BwG>}bdGSw~Y&pC;2d4-Y4&6pt*C-+5;HneBO0
z9PgaE&1vVX0%=(zA}C3HlaZC694~DPbzD6wbS9-h$k|nAjM<~ewnojAqor-eS*sjt
z+C$H-IkPHzJZ+cE={uiY&bfNlGi6R3`9oMIXx_N{yU%mf*%wZKVbDAXr49Z9QGcc5
zB5K>yCnW{Zv+{GqTuCLP-YH8`H>YEl)W18;Vbuy!Xw=@leCS-ZIOZnn<uyNWroPLh
zYeYrNuH1N$nHc1qC|<qIrq7#@JX|j|m-yyXfD9wb_N1A}Uq5~N&1SLx7Itn}&@w+g
z&xVJFM6T6)t&A@86#J8b1*AE9@led}ME#bXk>T6L13%a;#$_A*^!Cn6?VQC?QYW?(
ziIE`1bW)BYo!D~c*@x`)e#_RaHHtA!*{B^mBDd(1_6JWoEEY&D`bh)W30^CWp8B<`
zBBNG`flb-9(filM>x+&b_;6NyNgUW$QZ@m}ex-aRIq(XSY}8&XJaFQS=vd17E}kFg
zrtdeIO8E=dA0;1J>3dkbc%MyncRDymFEx}@HQL~7JE9YL?FfM<>x|m`+{CmrD%1I{
zf;7of%Xd-Q2kc9T+aA4Vmlzs%Fg#ZO?P(!lQjJL~V#K#Eq#=~b>*<EPCy3+_=SMbB
zRr*e<Pjqcn!IG|j7~A!>v{FS9I0H|$>kRFYxERWqG2V;)13f)s0~18D-YOxMw)w{_
z_V%M~ae+rfwX-mpqa7c;CpA^xx_6=QmhPFunVyqoc+Hq^$eqO|#~qGM)Mp;@cAh+9
ztfa7`!{2^_^@|GH8m-&Ae|zpmLr5;$F5D$xu5MPY-^JBb4!d!d&xpcg#%UZ$Q$e$6
zHmBLQQlP9=P$0D=gL?O8)x|ptlON~`XQoj}WE{s{j5xGxvChLcc=0L&AINFEdkLEK
zYXVtJXA42xq~xvU3jDIWf@LO2qd##ru2S>mKa}pvMa7P%L`~T|LG$HbD%bFTQ@IBO
zQcoa5zPJ#DCcDW2PIEfnLC|Ck*dTw(<TTj>oE9&2chS*{WFki|tfg&DvN+AdCKm;{
zF_PnnGW+)HO=3soq;<>PChI3JKYno?{nmL?_E4hKt5*rcoF}Kb%;U!nB<b@=jzD?6
zT1Y*RtUo7zF(;Q*#A4<ho3S(8raKxg_`0MF){mPx-`Pc^8-9Uz)<pd@FZa=FMgG$M
z3nw4zQdXt}#~Ql2vfF~T2Keh7yu4?I7<PLu+`2&jFN`7b{$%JolJk~7o^T{9!!zDJ
zA|i5qgjkr6cHyXD@j15V>^UR5=!Pb^<Qn*E`_E+D(j7A<1;>+f-14o<{B%y<zOz;t
z_IS8$bJ71oJ0ib~qqET7*yT>#+XS-eSZ?f2cG~Jij$`#>7iFJYEsmuUy@rZs&F6BO
zv*t3jPHv{uI%`g;^(cZ;i#AefJ+mS|22l2jTrTjZNDGb};K)2;c357&Ji560C&gs2
zNH(Z6rfqcbrc1fXCUfVH8a4OWPXo!NP~wbA8vJ|&(Hr<2D{`>1pULS#rF5|M!)m9#
zR24rX<_a&4zql<Y?u_n)%Yk-LhE>zq+;#gxSLlpEYy86v{7%mD9$_@zVU(kK2paD$
ziId+L_+`e|#PE<<ykas5LpBmdQNvF43G<rtCH*AkHASZu64RLi)xL!3Ox2xfK&|Vi
zo%-w&rFF_jyH1_Hu9wPc4V#toCR8LFm7PKzXAIM;1Ef(}w<SlCkL)>=uunV_a3aK2
zx5#UWyFpE67`4}~94@>mI%Zs$_dtK8PzJRw4=AYh2%4iGGAZZ9YLVp2p!R?aYDZQ|
z^~X&2m^9bG-#YH^I?vO8-aOC!$9%-ebJ&?j&wJj`^Glu!%q~;3VwV-Er+i4-?@is4
zvhRd-l=8sby&n4(JeJxwB3h+1j=Ug)$bD9-ryM3V5As~OXoV|P2LTzu$t#iulje;i
zt&$9qZnNr2GMQLY+0@dgeSiMKyEKuwn)b0$ZRKy$ni-M}73))pO)IiS?uz(ShZwzC
zuOMHeyWTfsQ&b3*3?;h+NswH$=XRe@yQbq?OI=8ezz^EdWAg|KjYbernr*7ZN<2^M
z2*v>Zl}R^D>FKxBIAgW><d-U{L&!<8UpmPjAYt0Mdlv0Y)g6wHNk}}n%+o)_-!H(x
zUr0#5wn?0@m0cXZD#(AqlI-ymq;!saoBBM44CgG#8)B|GO?HtC?ZNDW`G@k%Hz_qH
zX}P3QNxqV+mhj3e#DXQABnwjZR`ONSn*}oBg*1ZHB_409ZB)GX4ximAx`adf3n)gq
z%r=df={|u%@JR_2qLPeKDMQKkjy=fniTjh1Gj-P|o)|b}g3D-^gG*9<Wwd+3%4AzE
z?NX8*q?)~1UE7WXtE3%LHOrrHb2!>hFIh=-noE(A$B#CozPRqScC6D`!WzZ=w5$VZ
z`m5<~1NzRHJw;UiTh}d*F7y!FkYNu=6SgpAUv!dw%Z|wK9b(KcUFWMG@3N%bRIwA)
zbsb0ydBu_J56bUUJ!uOU6D4Uj;3WG%`t85IsBcNbOyD9Oue%ZP)ZFpJ*`RFw*UukG
zAM#tTGO3BAY1LC2CX&Tc7w!Cc+fTWPgjIdby?C`GWkPF7F@1tPmG9<?-2(rhys&5j
z39(U1c2X4UOoprMinQn6oPI=+L72p{4k~_6tUp;(Mgq%7eSs_^N`;L3)_kD2kD!<|
zCw3BYrRJjKBBQ+$EeU+0`gqQ}XKzQ>Hlq66zMQNlx)ftd(0_=(!7j_^gc<modoQLv
zqSuZF$5AO(BN!*TEOUx5@T!T%Mb1INQBf-meqGr$F^ATs>G_3p9HSnSe(&UQj3bJg
zag2JbBy~RK5jC;2%aqijG)*4GZi-XysY=s*$4_)$G(c1j7s!DlTHZ4-Wu|_Xum8j~
zBEQ><%x)1(K{}nx5;9L(Lb-MmCpk&;h?5M2woPHnO~wvNesbpzWd3t9<-H~8Li&dh
zb34kMZ^)X?TB81PmzcktSTG<)j8bXJZY5;p-O&+rzbdKwk6So%vY}`&o1T#opQ|rS
zTQFt3%S@@hsQKPqMIUdTHEWdpOqXG!XC!C1i4FtV>8Eeb{i;{@+?+j#DD*O1J)ZFk
zuDZIBJ^~+MJS*^ylIMNW;9d9UkM5FTFGf6~dt9>gH${<_kpaB+{w{&Pup>97NSEz$
zgj!asrn0#a`;30Nz@SinY8#MK+`V4hjQOrEhNyBff#ZJ&KS)E%OD2YDH%-}hD!B_^
z?ibXbjpfAQC7D;woF_baOgII3L52JP%7}HzV&YA~A}954JJ@5^bn$#2HuZRJ;x#=n
zyEIg4vQ4a>pj^Ll-O3Q1H2(+Po&yZ!wK|NuPBd#p@>nS~SUGldd%Ze@-6!y~j2}$x
z0*(goGa?_7#t%u|hg8I~q$g3dC#>fCJuBj-B<!oKPdA-YC+wCfY&yR;A>*v>L$4Hx
zF-SA%RcWS{KBu~J$k%P&65r9{0Lep38mlzlpDT-xE}1*q%X_4#Hf^_RN~S0;Z!g(g
zK;_qXimEzGv8<#r9r!6tR*nnpx7L9gB1P1<(TT*e6avd4PwK}1f35X@L4ENbsP86_
z+EPy~?<S~azS;PUG$C6!$||*gJ|Q;5(D9nYc=)VY=`HReU0AZFQYuphN+lQOvj>mI
z@66QS&UWh8XX?x$qaBZ?xrtK-voo`c=TNpVDTH@ViH2DBzb2W@a#-v*Pb5P&UoU#B
zKYk)$aXgjT#QemAZ=z|JWL~{zyTEI+QmBRDkuqn_LTX|hl}!w?OPZr4ZJytuT99Y%
zJrMYDREXYlpA~1XU$HzQe3cl}oZYx>+lFoWBm0f6F=9>&sk@XUdw_@q@nx^@TZ2|?
zTB@Hqb^hr2GR$$J8`71eQx$NS{zn=Lnj+FkAg(3!e#w<38l}{mM6;S#sikag+<|Qe
z$$Cz6HRdNv?~4~ScgQ3v(D^Di(uRKd%4ssDEp#0dE^1QprDlT!VkPSqd*d6Tc}N<)
zVbVWQ-lLm7g0f=WFO_sNc5PcBX-17(?lD8m=+DNd9p8OYfB(#k9@|Cfx-!DJ&eu;T
zHND@KG%`fI(GH(?<_Q&u%I>RX&mN~&Yrm1cebTzf4z7U3|Mf-vl%p?YD5cF6O9cK1
zIVnV%%H9i9)Q_*^Bzxj1B)uT|XA08GR9BmpxIg|NMgCho*kbZ<v~u-As#^~)_1f*B
zA2Mu=t)$2s{alPI*3Mj-R&qHd{djEb>cBWrYN7J+4-E0stI1^<)zl)hNiB`zJ*yu|
z(vgI-nnl+s(ykErr;#6sXAznBf%!>=(@w%GlE^jf1L+zWsU%Y<x3biWu!wr%AUTTC
zU@2YMFPtTlr9)cUE)+=unMe+D<dJstyo~z~PM*xWa%QGfD_WfD;p{h0?=8L4l7@u;
zN+O9z(+U|Tb);Sj$+~njVa{AkIFl|)L&8Rl@2z)rJ&@odjvdO*J$`Xvsb0;HbCf(a
zs9q?nB)n*vOu25fs{JC5adX{c&n_|a9?uTSyz2H&&xggtt~;VHR$fdFaTEEjWD>{h
zHceOTwjy<uc^`Kt?Md97K%vgQ#rr(>dR=PMh<aV9BO#osl?@bNC>`4yy@S1s-W2Er
z9a)hWe8i!w#s$_wGP3G|*u$CoV!~JNBPGIizlGb}^^*Clfz8Ef(l`o2Mp0jlX#nX^
zUfti0bX4-6$^>f9s7O4Ob&iA@GmGw1G7}ZY$49;;ZHtKYTjo2Z^Q;;=uhrg{){<^Y
z>M~J0BO}QON%2VPCrTY8ALRf_<w+DCk+#IFNHQbVB$Jbdlb%aB{+5F1OqRrs<1>;5
z7VFhlh{#?_h}-c$Y}+9H2*;&%j^ZGy?*~!aRw2a<QVx`D+gXl>M(Bh7hix0T%05B7
zBGE0(TP`KdII6RFDjr!<U-{rQv6L3bpQN$m6xIKZtYoQ_MoIo`glVkAD)|@Oerew#
z3VSp^QLrs9_LA=W?3A{f3?ZY~{D>H;9RgN_`h*!yNZquW?;(o>dfPrhU6Pc2Btsv&
zD<W(keXSsw`<twYK(&mKSaE#HBR1zi>~?ZP*#DD_T4mg5)Q@%Y?KNL?YQ>HxlbTDD
z?3K=+*eCAJ@niKXjq7CD(uCc(W%Guu`h#(yGY*I;eW_uhj3=Wv5tfxWWfa94H9D7+
zaMCbkR3BpCL_W<(I#XNCg6b!pj3<8zWN$!RfF&7Bh6$P{WU#ZK)O?)Gsia9HNN(sY
zo2=%%e(UD->$Zqg(%ho+&P+aXJY&%jm${3)UEPwsPl)Q#7u<7$4g5*fg~JJ%hxdht
z#!wF0=`(-pJiWwE8`MIaO(qI_EEz-P=)p7WtSG<eINjkxyPj+|tjeW&BW$GS7@gx$
zpO2viwKSG`lD2H!EBaH1-KvlXqkewKkvx%?J%v<8<`AVox=0V`0$g=W>#~XBE}PI-
z<n=4Ek|Q=hNHfZ9q%&Es{d)P*(<p=VTGey&xJzGkCcTxdy?xIx19`1_5neFfMkj6H
zjRF<2^!_cse20;-0{=H$LO@l2@Nte`;kDRlxu<!AGV02f>*sW&uT)FL`*J`1d9qBE
zemr%5n!e=dgw}Lof76NmH~*LDMh0m~YN3>>BoR`O_J2FWqygGWvR~l)Q&XPwc>K1v
zshK1wrOnmt*ghmxCG~zwRS+4oKXrfl-c-7y*UgKVI8P^aQmH4#`kV4AJp@xeIm$N)
z;fP}~wg1_Ugt{v_2@g14Dx_k85=`#*O>dLtSHA|fZ%w~%<bH?Jevj@=`PJ_P+OMrj
zU3@m>+(|x>ociP;kW(*|WTbS;1VLIxst9#QQY~KXZLI3WNPSKH6;fa0B2Jw^ZC75J
z{9O3OMCO`w%1ZY*%`Nf|6Qxroq6TY)(#35-z#{!LpCqa_&d4pQUoBJrX}PSDEY1%3
z#*=;8X##(VoW5e2^=Q<?Zx2U4q6lv+znauPM7fuOPmjw~tGp)71Uk!2&y~EtsnsW{
zvKy1u>~obw|2WMfN~yi1lw{97A41GS2+v!dsOU}5x{N0(#XYMUGnpq#3FW{>@($le
zMaMoq!1CnFSrn0eA+1PHK~uK)61#d;@Y*1~zwfTZ^!U{5BXs{7$g>FopK6e5Dfx2p
zu$-rAN5#jG_8YFU{gl*T>|M#9jX84iobKh&0?A^;C?6L`!^MGYN?O+5OnpxJQWr;0
zpTQKS-l1zoPas(0%3hURe<!Y2Wf11d@&h~_y<PSG#!Z`-i2*IyHGB3($d2ckTpnLc
z8eMu_%$#^k^bZweCa*njyi4YE+t2cYC8sje#{k*Apdi#DGZIIE4<hwAUNMK`<t1q<
zIR#N(J(EU{B|4CFZdSUams+#kReWTn$*Gbj*JZZxy&@wH-<q?k?j$Ma3!4$MKl+G%
z+qU)Vwu$_FL9NYO%O-Bwy*oB5&he(6?^m?wMhJDUnM=o%VLqM_v-Ry9Q$C5*pkyh>
zO1<9MleTA*qN0*(?pdr1U*;FFKtFK);d>&{(0ep0sma3`#OnB=O;Lvo{Fi}W$;k2^
z1e!Oz<P=9u@8C$HGFecQHh?D_SL!c|YZZTt?u7moviUNbT6pHB{$zG_fBN@8^$4Z<
z^tw}P5@o0H_L&<dx$2}ZggK(R6`h-M+^~J;_MO{y@KLLlZ(5<ZpXE2mT^uJ_unv@w
zs-^^-5U9*l@*hlHbECd=E$}I@^vS0@N%t9XphIcO#ZeAO6e`}e<+W$GCY~zN7bQB+
z+$!FTW}k#P-jfu1N#QuCSD2_y^3J44^0Tu1^Q@FM11XkiQ!>kgrORSQ@;G9~6O9$o
zQ`37RWztqwq^a@|`N;BLTRk&r1fKe1)RY4$|M3@=I;M`$4<11e!$e+rA~PZOr2c%o
zr+ma_PWDp)?N3gA;mKy9pA@!o#tO&anI;W)c18BeoPH#%5p`7X+Sd_TSyyyd=45t`
zFgU5sZHV#p(0K&<OxtKs`*JUN@|zDw?8#(-^n1gdAxzO_N{VIyd`5b9@oOEiZSh@d
zE469SOtS5qJtAYCA)<|n*9Q1)-R~!oma6#pxSjF(({T$%4_@f*Dyq-qB;3pr$7Qo~
z{d@u!>*?^ezo&;5HMZd-UNw@sWN+|9{hX-z;-4I)bk6{O$$56Q(HOQ;@8iEa;aFVS
znS&zXxoV?|*A<`6EV*!E(Yz%2q$+#%xXg~!$=7^@)R1R#suC4d5378&e<rR|ni~Ik
zftuN-##I+6K^M!KB<>$gvP#w@Mp=_cQ;feeBu!A9r@rRAv}?zxBXxUc_5)9<IHDu1
zH<McY7t@sh-b>JY=SgiU+>*#nu7=PxFU+ymRwZs!R?F`Rr+?^MdC5UrsoX`}S!zQL
z6G%J4P=HWQ_Hd%+>monjMT_G6l10AYVoq}2?o|YhBs2e3O$JC7=Hb*F;Mor<$!^US
z(wl9k+$!~!?6$J)RK$*M^^{^J=^1H30rEJ?`7cgWl&b1>TB5p~<ZujG_d-DhBgqyB
zBdIp9y#Hm2^v;u(JgLQGQTJViY;SH5c&V}R75VUrH`OgBt~VIIs_|_m`x&Y8oJhhm
z;;TG-ICdAWsCruEtzD=5^FnoFHe6LD|JkVIrFCT9bJ|;|B8$w^lF;W;s8X$(xYCn)
z6gE+hg8wg%!ZE%2LiKej7T4TcpS}LM`Qn%(Yme&BW+hxqq>!E;Wm@S-g?A3~nB3+5
zhGPimU&S|GdZ-%XzHo)BeyVTE!y3(?QeS(S``{XL_z`J(N5L2GEhf{8Eo-R2lVco3
zAyKRN5YCdS;t~=?_0M>!u33Kd4c1P{8}e_n$^4s+0)L18`(Rr5#qzWRy~kCXkP*E<
zUX<A^WMx>e-q)YnbVpOpoT@oBa-Joh8mXVGd1A>QHVx1cL-hc<x0Wk6?LV+7nVxvs
z5$i#Y)E4C^XEkI<o7+UVttjWe6_M6Nu)Qd?5czk#-dUDWKs-(cR}%%gK^`dgk`FBZ
zfnpP$>ibVh{)W#DOI{={Ry->ysO%ps(9x_7*7Nt2H&XqbogBT#&vA@SnIk$5r1L5l
z_{ewU_j1b%r1m0W@r+n_(#<}6C+oPz%W1rRyw~aMHR5pUboMtjCyDeO^`=jwj(U;4
zaiPH9V~E8&1+m~w7no~L6{H<c{^F>^$(%n=?h3qeCn=(jbbDk+>hYEZ1XQRQKQXuI
z42IKx!>E$vwXW`E9oYBEviGiOt%p%&=WlU?l{^gwcz!aM3``gI+}?F>Pl-97Ca(pB
zmNZD<?Tjl@6I+%)P3n`{9Zypi4R3sFQoN(8T4l23Eg#bXkc~pLsXj+N5Ccs8`HFLk
zh7FzI)_=s51Lr1-WBTxGq_OW!Yfa_?A14f?hC%dM`J~j`)XmgDAY&<c-<MJ8X{s$)
zu6(2^<F_qw5+#S{#98%laozxDo;;T?@RGgE?JhTEM%TYk@Un$bW7P9u9K*YhnP9j!
zhCQCjlbwPkPp(myz!wVql$oSU49`d%e^&lf@CV6X0zdM(z?<@A02FJYbrvXM7kG*f
zN(DYZ);+yt-NP#h_p)YpcCFc+_cE4Do$kDNg2Rls<4$z5uH)3&ojEL@UqrFRg(f76
z!X#eGp=A3o#=mM>0H3T};^Q`#-p8}#5#1;}c}MDKp3sq46cMW;1%HTI`_z)oBT$e$
zo_YI9@s?lxO6GYfT(Y~$n{Ja83_sb#P+KW=`}QNeA?_v1Zy!tr8^r?~IdYD2(;L$A
z73mYe$Z%!+&SPFz^r^91w(S@B$TG69jBJr7L?tsL^&pc3g)QGzIoHQ|`Ir#%L8LZs
z{4kD6Lw>UHEophV=rXZ;%ha^3pu_DWsgy)j-9k%ckE%Gucg8dipApnmG~pR_V5zT?
zn;gBhs#XBQAEnn8`taYF--{IIc+-UE^aj54JTX6C%CC-z4Nukcg=ADAPi@KG)SsbA
zk$Ur*GTE)TiE8E3dY^Kw*ZiGH^JPIEOV^I4o(r$a>d4lluZq7%eQGTz_-R4GFhw{|
z*<zK{p(o4lQobNPSZTCUEx8!qlY8&@4?>&Ed?_O}At?&k?@pYlE%u?OEHQY>J=Eh)
z+4Qw=oR=MC4|qkkNvq{ag(~wn#rwkro@!s|4BdDK0_cJ@pj)|_q~)(KyKc!-e+ok{
z<X7^PCh8IE4MV9juy}n8|I1TaA@$etpQ!JU_CqPROx`)v1pFvaeQQZ!SPe8_`0d6o
z#Ho^=$}v3k5{@XZ9;Q+gjw+--o6(VJGn0<c_gc~S_M%@YZ>nj*E?R!g8iTAs>)st@
z<SMtRV8R)sfmv4<>%l}TXo*{9uL`vIT?QkUl+6Tl$Qra(-ARTyCl}FX^6JydV9afn
z)&yfp6`+l08RP-EU>@_>$T08gAs-Ck<Vw)z8M!9fMOp#P3WYGEwd0Clrmsb7iJ3Jq
zlS_N=2d(>sYrtiOmKVcSn6+SV9cHcSVl&LTDNqcvUMk!HZZc+rfZH$|Y>oTCUB+w{
zPy#b2B`ra2=El=%WoAoQl)@~a79Il+7|=3vk6;$WV;f@@QIA&3HQS}Y4w&sz%9U-O
zF=ljvFJN}a3a=p7oqP?moLaQLnb~<Wxx{chEeiR!qTugZ1))#@^=q@k+k%$Ps|)BE
zETeVZfZ4PXAg}^*>0|}u0@miBHPmPcHTW@D$bgoZ3k0pV#`=K9bz&V@Uxw)g)*o03
z_yPmK1~912pbyXwa0HwHTBMH7t}hS^@PIdid4LbtW%X#yVwRTrI}BPdon3E+reHVH
zN^)Q~{Y`ZdBB8RAYqhJ|4MH5`LeFeXnQ2$3XeV=^S_;MvDxbQv#<Xe`10}E=h^Z;3
zeh|zMMzvbW3{a?O&vhWzUrq!LKt*3+00deF6RJ%N_JP)nQ*8#Eq1pmOL$$Rfg3M^G
zc~y2T7=hJ52!l01802EmYeCD?tMdHd$*6WxGBLnpU|LN<YdWzdH8(|o7Mqiq@;oR9
z;4WREnyTlOz!!j)^dn$g!T5q%17<Ur7|MTO%D|L^`2%K3m^Fsk7?@3h*#emP!z@BB
z5=?6V(-Nv?(J(s#vkaJBgV|fTaID!kD274dE*DHytb$?>6xX150>v{ZK2QmYT1wQ?
zqE<818ira<sI?rm_MlcKYUQEUBh>l<wk}v(uyp-qgAE0{7i<>T-=VAnWgjSGpp1hu
zQRW=gVyGU$yc5g^!rTGot}qXTc@)f(U|tCGOEA9;^T#kRgZX#V=1|*!+C5R*9<|+3
zdj)DAL+wkb{T#J_fD^&>1?K@S3|ut06mXZpJp=a_cnk2Yz>fug1N>Xmp)1%Mb=IKH
zR@8|_oeb0|MV&I#F`;g4)U`(4PN-{-x~{0Z8g;j#ZW8L|q3(UueTuq&L){SS&QOnm
z+7s%vP-jAY5$cCf|A4w0^%SVr4E3g>UI^+PM7_(X_Zjs}uwY<O4;GzaF&-9+VBrso
zRj}9ti%eKtgT+hK*P;F>)L(@9k*J>n%Vx0jfu%nzgJHP_mW9wXgl0N4IndmK<{cU^
zXdt3NFEm(y24QHh2Mtc3!4+uxLhAsnH?-@aHNnapRvlqA3RZ5g@`u$SSe=B`Wmr8&
zLj@Wd&~P9cI-%imG~9@WacEeKh7uYzL!;qnG#ibUq0x0Tx`{^j(da3xTf^E2>+7(7
z3G1KG)q}1zbbX<l0Nn!URzVj7T{d(j&{aXtK`%hx3Hp)HyFu>`eFF4J&=WMaL*rp+
zJR6PIqVZ`oeuTz<KrlcU4q-loFbIhd?m+kx23r_r!w@N#d8bvmMGeGp5RGz`+a``^
z;)*8E(R3)9u0qqhX!;CIzo8i`3-e|}(QF2qEk?7)X!a4!{)CMcY}&zQIBc9@vm7>C
zV3P!!i?FGHZC%)QgzW^_hQRg^nj6r(51J1~^Jp}`gXSO5q9<CcLyH4wQH_>7T6RUt
zp=cS1mdnv{6<S81Wei&8pk)bKzD3KQXvL#dC$yS_R;$r!7h3H@t5axo8?8Q}HHX$+
z(0T}3JE8RowBCi*sc3y0t$#-wOSI{LHdE1NCEDymn{2dsfwm3MwinvYLECj`dlYT&
zqwPDi{Ruk@*mZ@SJ?z|J7XZ6Wusa01T-ZHFJ2SMiMY~C8=ZkhxXqSTat<gRU?N6h9
z9@-b7gC#mFMu*er*c=^4q2n@ij7P^?_)US|?D1P5ev8C!NATM@bn1vs_UN<_oz|n%
zcXY0Y&I`~v44vcAIUk*$qKg4tdZWuUbXkTjh3Ha_u1a)mkFGP&H2__Apld$5enmGM
zbaOzrKy=%WZtu|T1G;@dH+n+Z9Np)mdo;SIp!<1re}?WR^e{({M(EKVJqDu36!ch%
z9^vS57(Gs-$1U_ILyy1FQ;(k8(en*@wL-5R=rs?$E~B>^y=S2J9`vb)KF;WK27Q(2
zt3}_2=xdF>F|r=%HyizKq2FipUx@x8=zkjnx?sRj40wZqDh%w8fvy<17Xz~~s1*i<
zV^BN>6<|;)2K|Y_O)xkbgRf!mcMKVVA;T~v8$)hj$RiASkD>K3bSQ>;VCXRn{f1$F
z7`7S1(lP9J3?GK!i5Omm5zR0n93!q_B#V(fFmgXeW@6-5jIzWiXN=m8QCBd!HAXMT
z=nRa0jWNwI#sg!PVvG@EHek#?jLE^6dl>TxV>yg%gt475b|S{^#Mms1Q({~rjBAf^
zLom(-<91-&S&VxMdlvTXVLuY~9<W~z`*hfs!u}78?}G7e7{3SOZ(;m5Oz40Kb1~r_
zCVap|GfcF>#BrGDgNeH^@gycb#v}_&YKTcqF{wW$&A}uiCLO?}>zG6@Rl%Vl9Bkmw
z91eDHXb*=ja2NoG32^X*gAoqv;cyWS#c;R{hd(jd43k+*R$+1{Ozwxt<1qO&CTC-c
z3R9Y6N=r=Xg(-b7r9Y;O#}r>o*?}pknDP))eqd?<re4Ri{+Koh({^IoQA}51I)~|f
zF+Bp)voQT{%vgaL;h6CiGtDq_8fNaq%oNPbgQF6Ti{ZEmj<+ytDrQ}WQ$IL4!O0Cy
zMmUARDFseBaJmnta;n7P+yc&{;p_(IFgWjkb2OY!!TBzne`2-;W{<(_b(o!m*@c+>
z5_1}0PD{+`g*nqPClGUXV$KQ7xraGF;ZhGS_2JSPE|cLB43{Lhe8${%m^%S;12A_p
z=5E8>Q<(b@t_)mT!_^h8`{9}c*XwZo1UCz~wS}8K+`QqI0Jr;?r^mcin0E&AZerdS
zxHo|NK)7##`*FD6fcsyV-vRTdWByvqKZE%{v7iSQY{G(<@MsT@(ePLTk9c_8fX7cP
zw8g^FShx)fpJQP)7PZ78M=XlOqBB_Z5uPpJ=?l+Xc)o{MGkDF0*8zCF$KrNaydI0o
z;5``LG4MVQ@0VD@U`Y!s8HFW_v1BWj6k$mfmNv!G5m=f@aT<IY!AFEo3;6Vc&lvd3
zhR+iC?10Zn_}qj~8GP%&w<CNV;2QwnMEE{{Umf_hho3$Croe9&{MN!R1%CJ7_Xqqt
z!QTV^o8X@T|7Qp=LqID8cp)Gh0S6F}hJY&wc#QxFfm#IGA#el&T@bh$fd>(oi@;I@
z{*7hLv1}}sEyc2AEPI9JR#@H^%g1853zmmt`3)?uz>3;f(F7~HW5pD#@WqO4SaBRH
zo*~ErL46Q32SG6ix`&`Y5!?d7a}j(1!B4QVAy&F$Wd@9GVVnZvQW!VFm<wYiLO6u9
zM92_?%tlBiR&iK04XZ-2>O59S2yKnfsR-SI(5qNo3#)r$br4qPVvQ1Ox?#;Gta*sF
zwXk*u);ePCLaYtM+9<3|!rBz9O~cxYSo;KP%dz$kgmDP7Mp$cv*&%EI!X_eY9>M|;
zwgX{V2)m51hX|`gcrAoCKzM6}_d<AIgik>DB80C-cr?QE5&jY3CPZ{cL{CHvK*TOY
z#9*B@*7d@=5m*<3b*r&173<Qmt{Cg?V0~+>?}GJ1v3?ZRkHva>te=7P^RPYy>&vnJ
zBO<L3*%^_O5E+ihYl!@g4VKt22OBP9V;yX?!bUr6jKs#B*!UJ3e}LAK-c%o(T4Gas
zY)ZtYKM~a%QG*cWhA2-&`64PBQ3cpsADcDUycnB9usIo<?@<c~TV`U*er&mkE!CiC
ze5*6I-oe&Cv8_F}g<)GXwmrx8KG;4F+xKC6BDUYh4kdQjVn-kB=#L#!uwxo_1YyT+
z?AVJP=dpv{@DV$wVdo6&T!ft`vGXFLyCB*D(Q^>J1<~6PU4ZCIh<=ag3he5KUHh@?
z0(KQ+*9YvPEnl&_9(L=n`y6)XWA{7kQDBb^_Dsc|NbE_+o-5dEiM@-l_YC%4#ojmA
zHx2u|u<tbXUBbRA*!K$iTVj7}?B9d^mDv9o`+p)vj~E-ov_VXN#CRYk0WnF`NWp=|
zI4~Rs7URGn9FPz@5V4C88;aN?h<$^&QHb+LTn6G9#5YC!Sj5L6{tDu6Azs44HaIvO
z2PffR01ht4!R<J>69+Hj;42(_gM)wKP+c4f#o@&`qQ;SKIO2dKTXAGNj>O~0Asji4
zBV{;3kia8hG!ix-;T{qQ61yU?I}%4BaSRe?BXKhl4<PXblC((jN77m(?Lks0k{%-I
zEt1|N*$l}Yk=!524oIGh<S-;(Kym?+OORZO<gYl|1V=mI=nx!@z|s9U`UELskP?BE
z5~TJ-sykAj;@ChO8-ruZacm2YZNssXICdAu{zRH3(q<uTG15Yi7KyZdNIQnKb4V*j
z+Eb)eBJEG4H$-{|q<2DkSEP?b`WU3UBHf7eZAjmV^n*w*MEXOdSK_!WjyvJ_P8?6f
z@e9akf{eAuh(X3NWL!qZ3!JdR2|Ju{!HM6I*%X<5k?DoZXk=bO<`-m*L6$SJe37*p
zSv!$+4q5M!MR2k%P8x8sGfoEKWHwH<#;G-+$Bd`#ae6n-OhI-XWP2ieF|vJ;?T_qG
zWN$<EE@aax<$1`yh3v=3ev9lc$o?B=YvXJkoUM<u8k`Nn*$p^*0B4WkY%b1zK@Ni)
z1#&EqV?a&|<g`alFXT)^&I05Zk+TaqN0F0-oU6!rjGV8?HAk)vxm}Pu0l5p18;aaa
z<X%GV?>ILF=ceP_Y@9oTyynQ;h`iUx`-XgT<m-^%5&6TBKNtB%<gY^hdgO0I{sH7C
zBR>!Mw~=3g{J(MD3g=tn{4AXJ#rgF(AA|FkaQ-bWXmFt&F7(BPiMZf}3*oqshzr@c
za2FROTwH;R+i)=j7w@B>Eed*~U^oh<qhKWpqEHZvf(#T~K*3WKd_|!Og)LCn1BLb|
zbVFef3OAwf6bf&mumVLY6tzLoP!##2Xbp<?peP+hr%-ebMNe?a0+)K>(kxsG!KFjE
zl!{9yaj5{8-r~~VxZDVro8fXhTponW({XtTE=S;U9xhkn3XdxhxKfNOw{hhGt~|%p
zwzwLGt9Nj%Bd(3XH4j`{iEF!YEe+SM<Jt#YZ-ndpaNQZ#SK#_~+^CBi?Qvr)Zg}Cw
zM%<`Eu^PqQQ9J>~i%=Yb;^QbTKyfLGKjUU=+#HIVj<~rTH=}X$C~oHC=3ltg4!2x!
zYdvlq#;rWu*5I}kZVR|=i`!nf{Tz4N;?4lvnT$JLxD$apyKyHOck*!OG4A}tT}#}x
z!`<<?I~R8YaW@KgkKpbF+%3Sp+PKH#o(t|p<K7$G`+$2DxL1vm4k+n@l0hh$gpvf5
zWS}G$C7)1YLWzX?t#H2`?svrfPPp%k`(C)e0{36y{%e%BN9lN!&OvD~O1Gdi6{QbR
z`V0>QJP`4qBOa{BgD5;Wjt3v`;3pm~#6vGUJc@@|cvyso*YL0y4{zb&6FjWIqgr^h
z5RW|ZC>oD4@#q>JeZ*q}9*@Ce4?I4HCnBCK#1mgUS%)Vjcv6n1eel#CPiNriLOflC
zr;&JCj%R)F%oERi@oX)gCE(cuJQwl2DV_)6c{HA1#EZswF%K_p;H4d2I^$(FUS7hh
z26(juuj26PIbN0HwTRap@VXOT56A0~cs&QNSKxIpUdQ8g9^TBrn|*kbhqu66Z@fK*
zcP!q`!@He$Z-w^(cz+P@ucJ(Zvgs&Wh_WD*MWAdq%2H8w4rO;yR)(@a@u4d|EX0Rk
ze2B(}N|cX6`4p79pnNgPm!mu!<=apmgYu&&KZ)}5D8G*KQk1_z`Dc_%s8FGz0V+gP
zv_(aCR189eJt}6P!W9*ZQL!8q;i%Y(ihZa^K*e!XWTT=06~(A1Ma3&rRG{JqD*nPp
z6+T+xV`F^mfRDZLaTq>Mz(*&1^v1^(_!xnY+wd_4ACvGg6Ccmx<8^#2#>ZRucn6gY
zP`MP9r%+jmPxbMsBR(1NDGr}b;L}Tdw!r7+_`D3CPvSGdm$vv4i7(giyB&TXf!~Ah
zdn&%x!`E5(x*cD0@ih-$zu;SYd|Qcck@$8I-`C>%etbWR??3RP8Gek%k3;y8gCFPc
z;}d@N!%uJgyb7WM83^J5asuQNO#NW;hUpkgH(+{!Dl1e4qG~IuQc?9c{$TKjC;l+v
zkL~y)34ff!A9o<}kb)uoK=n9OZ$kA6{Mj0RZp2?4{<?y{yW#KC4C*l0&M;;S6T~o8
zj9D;aR?aAfFp7PQ;x$u?V`@!cYB?~qrZTl=Ftv6vEW@y47}kej?=eb-QMP83V;E%;
zqkO@r1~aOKjOsOG&NAlqjQMe<HkjJ>Ol^Or_FaavVz}-MH-h1e40nj(PBGkNhWpC!
z28JKa@XHzgFvAx!breh;Tc*w|rj9RDhcI;ortVs%?kh&!h*9epbq_}E!KgPd>aR?_
z0H)pnrrs5%-gm~LF=O!?V=<PoxX4(1Vk`(#zYbI1imBh0so#aEKZ>dEz|{9(>hEAI
z%^AyKj3xc>fU$hcSpH-*4H!*BM$?SZbY?U|8O=0CGmp{uF`95j6U}IjF`8UPbDhyV
zW;7odO*PX%%``AD4LUImhBFPOF%3MJ2FsWR;f(eSqb*{zC5-kJqy5Bas~Ibfv9e~Y
zS~FIi7^^Xi)l|l624m&MSj}gwd>E_MjMW~-Dv7Z=#aP{Cte!Ad9~rAErlFE)*obM^
zifP!LX*ir|IFV^Mn`s!pG~CBDJkK<|&NTeaG-}2)YR@#9&NQ0GGzw-KZDSfGGL3F9
zjh-@%erK$ejJ1KW{*AHj%UBO%tfw*7Zj7}LV{K%tBN^+RjCCesozGa8GS;sc>q^Gj
z#ON4CSBKGQ8C`Qm*N4%~U~~zL?mD9@VRWAvJ<I5OGx~{)-kZ^{X7sxmeHx?BXY}_O
z{cEN%!!&NdG`3?J4`CY5WE%T2jn^}c_c4u+GW0OJ@fSu=F+wv&=*0+=8DR?}<T1i~
z#?YKGEMyF6j3JLP++_@}8N+u*v}8nEM(oCjlNfOdBTi$)nT+Vfh;taxg%Q^?V#@c(
z`=%|W%=4$@{WHaLE7OLmR@EEm*;4gWZNazf&os>7Ov{TlY*QKyI_txXH#AICIkVHO
zb}UVbj@6pFsE9&xV@aSiS4#sL=hA==H&$J(P>0eG-<qtXZi0F~N6&an-lUov&8Z6`
zKbYoykdG7PxKw&t=(Si_D#)>3<ZvY!OT)d$VG>#?h0^oSqm|X7QvHo%a_A{x_BTZb
zPF?XUmXBus3=<U3rV485_;bO79x2fi(?K*&>Vlw7qG>U5Vvvzj6Ic4LJ;yxzZc_9Y
z)H4Ki8P}0hZxMb<gUT!XO*iP6<l{#LdHYN&C!n|cj|B8~asoPWm3C-PAK$(sPL9)C
z8|WMEr5`gsKF?Dm)=95u_P{9J|H^5fP$tzQO_v(lWW60qtn}(bv1Gg;&v*sRf#@fw
z{Rou<#iTZIp%myKsQqi=+(-~tNJq;FG;qM2CeJC_a_U8qq*g~7O=uZz%G7uhM;b|~
zB+hbDJ+JI2J!LiN0Rw|Z`wcJ;SNh!#y5?Wffjn(QlXKLhqhPteDvE}w4G=W9Msn(9
z0?8E^;vmQ0I=m8E32JZBQeaM)Tomg$bv8#FIQb-8b9y?b32Y%~PTL9UaN|>so)*&3
zLE=GpO%55vX@dTo@=m46*^$R?Qo3ZG^(B=;r64DUj1tw&$Z~GHppGyScaA<mZ<{D+
zg6<2NoHS0I!O>JJ1@Zc<Xhs)p6P>c{JJR?aLjwsEn>qCyfwBzwDI65khlGoq6AkPm
zM)~-bRTR_vbI2Qk9_12SK}`~4-wFRZxi{B5ai!g_E~cl$>NRrv1p3+sG+AN#{MpVl
zWS{2u1PkhAbYPVDoT9m)j^iSvfixdPj%G6k5H+XyXsSbKAgSg_)xeG_&Bs-a^w$DT
z&|eF1&^KujEac`KK9(ki_hfB}`Ty%z1Jv>X?L$tpOO9gCS86Wb7BssKd}cM5vjj~d
zxkU%PNT5v2(5M?m@f%&`Zvyj{F2!U)9bzPhIr*$#bJ|JJ1U{yzh|(KX7fwAm^0ldD
z026Ims34=Qh&9a(HyLT@Q(tLY@XX-p!P9BzQ*Kc1%Cmjt%-z~_&HHnf2dl=*Yfb|b
zM+)i!fiw|nI%vVEC5uRtf@4xm4HUb$|J<IBQ)hDjv0L*}J9D979I?FEO=wR-=(2>-
zIH`Q@4Jqd|pZ=A7uK7vCGum;2=F<=w_WMwNfM$F!bbSZXoR41_>MrM-%k3qlmNad>
zx*y5VnEw6r_kJbI<!jlu<ZIHD8~<FokxgTX`v@9SynOxCnU7}}(!Z$e(!V>saY`E@
zU&*DTi^}aRgi4;I;ZJwU*>0rqKR5j;X`6DPzvK_;ahV}UU;g`A!U=6pfp$Pp*iG;{
zPD3n{)3jfo%*k#28!J!spZ3iA+TY&KnOWY0Hvg+96rRXqOoL1R-Iv#KcX=$o7alU1
z38Voj7c}HwQ}jBX&e15&DDK|_r1bo6W0XmI<*(!NI4K>jb`xUAcx{0jr64ybo1H1e
zPW|@<8Z$YbM&)Q|RE~m1<?OJfSAGpB`zmR5jv-0^4Cpv%tu5G^9eY7{#x;TF@q|oc
zbHZa*(LA2ztNp?Z8Iny+ujdM%{;vVwICtrvvC?Ic$r*b?6ZEg?$jh>lE=y4F?YUDb
z^qT6w+SH;Wm%JX5u9WyD>z4{sD2?$6r4dIf^u7VR6HXjElN&Am`v*Xz1%EbU|NGB_
zBq}}pon}rTb2ur<bXEI*{Z$e5YL5O-=4W@NiKCH~ci$z^^u$-CmL>x+x1|h~Lvl@K
z+T?3VH;)$640uhoR3NodNgL%fF17L*>BkZWsh`QZQaY@pH%}%@Drve_Z?d<tda_EB
z{p{6pE+_K&`=V!e$jIlG-)J1vLZawTlY{^GW<~s!#P;V^qJKXnuiZX5Hlq5$fn(>3
zbi}+>mZURCZq?nDH0OG9sfs?gKuboxP`x<4)P9`H{0?GIsZjf#7>Xprvr3ibkB=AT
z_v<yur7aDVltz?(drRiNA|u{D5*Ct_`9#@=CM{Lb$d#HGUM3A+PdPVuul&M43J#=R
zx}qa>T4hRl`a(HDEnZ906;&@z`i!3B>fTZ8A!TdHT>6fx$~@0ugC@^!OY_8Nj$!-+
zZo3qmOQ!gn?#eoD1P!0tOf0$hyqnuE9zC6BJ@y_ucb=2?1ifT7^eqkTYFYaB=eZ2u
z1*zhd`|K%~kr_Sp^oJgFG_Au!a-xyC9BCCKy7ppI{zI4hSB>w?ZKukNC@+$hRJlvN
zs{A?%YPsq7ua;p|vpWm&_e`2G(vqtr%|>%;s^$(9e!+m;i~j`#Hkf{P7HB|>@GpFj
zMH)Y@K?p_CHM&g-Wy;By9toZ#WgFE;-`7#u-Ag($fy)<aKm_rmqU_hF2~>*FPjuHU
z6;8=gjDE?bpGi|HH0Wn4tsV(|sI=0Qd2yPb6;xKy){@dk!X#Nx(YEiGsEnd**|+2&
z4!J?|jEQr$wvX^@3&<VjlZKCky`))9AJxP;f1uz+$G=>7BqWf=nn2o1HJM){jOg7|
z5Ye9Ayp%iYDN7;RcIN4_r;mgdvS|H5n-gnfYQ=y2T!g0bpC63S{CHS1B^1(W;D1Oi
zx&MDI{D<iJ)qWyRp2ONw`PHC8i?&jsMPqm#31elc^%FH0(&;E@1i7H83Rx}49~*JM
z=0nN&Yf3?0oJ>v4Uw3LmmzOL6nk=uuHh85lb^M+4+m(3s<eAe^;^wX#4d6MiboX;{
zly|vIFqys+f6<o=B|}JGO6I;&hvnRVLc9=}tG@k<r+%S6sbdXaedCVZBBMBxdSl8r
z%^w}OO;xkBnrbSR{)nd!{NgYgLewl-Mv9wcF1t))s84<&{mO~^7x~GFFJiuFayxK#
z(h{xa@AmYm8b1B?mhm#Le&eo`(mQiVhD*&ms7z^66)2A|m6*7wQsVKgU8&{=I&h^`
zj&j}$Re}|uTJQ%R(wo)<Jb5R-XlLcvZ<@EH%BX!)ntJM#NHV2BI~r=<R2As&zKUjx
zG#pm5>mE`RAZk8cJ|5_kBJaGw!z=eE=#pa(9F5)<9=_8M`;y%n=)YxwzRz@rp`zw~
z=!VdZp$5&{D1V<#OZ4=&GW7Be_2r~GWT^OWa7<cU{0ASuk(s~Zqd?=PX$lNwgKMPm
zb&5PFbS4{WShGS3E+Hf2WP`oLf?ITxOuR{hFR4V5@Aym3{)y%OM<k}EYWNX~X{;$0
zuPho*dRl(1NvlaP1#9nD2hSBu!FOnSP0<jQ=E)DqoMNh`(*FPYtQrs|r$O0iHBV?_
zNNd%<AUw^aP~N2*_!pp;zn!9+SpG)mL#+bZ&_bS!+;W2g5=T-dXzt13a`cMk9cfsz
zdHxS+?*SLp(ftoYaCgZ~vN7DOQSk0!Ni_Bvd&ClB7YmAtim2E-MQp6bg0aNjMeL|x
zK|#QV1;qw7R8UcgqM)czbnZGNzTb22E`lX_e*gCqqj2Y(GwsaGnbYPLrXnj%K})@$
zAc=Xsu(}B=`?^ZzC#-Dx{VMxT{g8;2OCK&->zR#Bg73AQO2T$<PfW1Zv3{RH3~PV_
z`3otPmF5WbQ{DBb{^zHZ!Q^|DGZ8N3Or+Ye1QsfFCDS&t<AM@;4EV%CI|*G|(8c4@
zc!kTivzp`~M=Q4EU0h;V6-+`kVY}ithp%TL=-}&IrM~TKoq)QE3uYD}J`curmiPCy
z&I0Z|@ff_eh;^vNM!KQ=t=)XHT`I)k>ymf_0i9(HN42b^)D{cmc&?m4)jhn+&IqiS
zQX4Q4q*jB?SK9F<4hR&T%m2~9W(sYw#{mUIHy{w@7=$(Eqcp}^5SWc+jv{=&E;UG<
zEnyej|IZ@q;caOTS5bSi2ts{yftuS1?Mw)?NASMG76?0M_h`63IdcB0!;P}ofXlp5
zbq$L`&_$N6TxX;YD!9?HZRjO_#ZHVn9weo*tXNZtMPoi$D@8P9Lvb0*gEM()ra{R8
zrJ=nfHU)_IXB8L@`AROGuw^XiOBqW>A;>Qj8B16PFanB+-H_3w2lnZ%kPf=L5s<GN
zpjNvP*wr|L*o$@o4>z#iYPU2<%NW-%iW_ub<?luT>6)34(#=46XeOlE%0PoU*pT4P
zv$9Em>qB580kxih=AtL}G2SXEa9tumA_*iKASnd0Na@mj8d?=<K8u)A80rF`#2rjS
zBTd)eRr2HB$`4cI$F=bTPVX8BY_=4~(fvr-<|d${6X2Aa#vTNts+_AbBVj)koy$oB
zMl`PDZG{CmJ{JJ$g$nh=Ret+D3YGnH3ya!<qCB-IpO>?U6O}so7nX14OOLSc)(|?#
zytee3O`@yO7tdMg=gLJKHS$xCF43?mNst*>(|fmU1%u?jaBw~n9w*iis>siZO7Dd}
z7dipyE6zXc$=9!UM3deqO#<?A@a4%x@f(gi$3j^C!)We-bYky>Wemjw<%|UCdK{AL
zf&0X4L&j10OgSnU9hLa8q(B`}1)(BcQN~r3^dDKzujLn36^xB67gLU~yp10nx^b2u
zIwkX!Q}U5ue?)bcc3=;gqwv80+MpArD_I>5wri-_<JD<BQYcyT>Q&v?WPcaaFSU|-
zpS`K^jZ2(x!G$+rIR-_&5wm;p=xs*6m|xdS+5KDWVG8)0X&5kM)z&d4wvb)btQfY~
zr;oFefe)cMv2(MlPL!%<(-<zqo);kNO2|l0vKa#Pm|Q*v0`=<L{03Uy3xcN|AAxmO
zf<y8)iMv*28@NluRQ415=~fDJG40Ox)#`f*_%n%kua~ew<weZ26Lqc0J%no1dn)E1
z7sNL{=(jCDpz#y=0S8zaA`&YU1crfeXDJlY>_Fm%88p)D{)>p1V|U8R;dGMc;3TKX
zq!vA8rC%uY@<8qdsO9}9vHUs6TvkSSO$UMDnWFZ}%7p9omkzR>A|Gwv5Os8;39jzf
zb3Ud$>X*k2tnqZ?urVWjdP8s;!%i!zsSk1^zOPsMjXkO@D7q$9tX8#6U71{4QobtU
zYB(!<nrX$HpCQC8X1tlS8P|l{ao3@tN|z9KvkirR|17o4Pg4Y>&FUtqsILyP((#G{
zYh(Tybg-a^q`H3Cp1UjM;uJGzPqgEbTpU~f-)2@v+50zRgF>JLRWqJNj6*eV0GG!<
z&)?ixcuyl1LLwl2!+I*DDB~5C1Ck2%7XI!@f}1~GcbYwIf(wuQ71B1bwtR{~Ji;VN
zBc`)&R$aaI#92uUX#D?`7*ITNtoxOr*JliDSTX`lB=J%nLlwTME>$O~@}Fu-%lBhb
zhl+1ID;r5ymFn1RmXk#4PmG0vO{{dBtzbUVE0ht~7r{9l0_2n&r+c_i-auij+zl@F
z#joDVd(!?i7s5@*F)3-D4{MylzjEQNYJSgg+nbPI6Y4^fj(w4E^6}|?!v}>Lk$%#&
z<QEMN`|tes_49Q07&@ryz@e-53^BHEq49}2JM5N=K7bv?g-Fpk&Sn*BO93=|NX{cU
z;STKB<u1ZLhL;c@ZDr+zP@MIhbMvSF$PnNV0O<rC{|Z#MyP}*Z4EcLI<lt&Tz!SB=
z$0iyj3M3V+Le~Nyr2t8(t>NE(odsw-+0j$17kxrK=<iYX)hYfJ>t(Bn_Zp?GK3mg`
zeMQj#g><5;Ebch63xAnH+=4G8_7<p4ah}mt6rV5Pj>Wc1EaZ9*oQmm{acR5?(H-Ym
zIu`qrG(t_q-m_gAiUVyVU|tZ6t7YK#RFr)kC1!?PeGXz?WdSGI1OvprsOwrVZxpm{
zf&|$P^v7P9pn_QX6cc6KO0cD)@EmklDBc1k)^?OzK>MwwSFsQ(E7aUCECKVe{vd+B
z``Cf_8sAc1A4vp>(XU^<9&aV_8qHfL3}&^ElPD3*U<>#N!)T=|uM2_Nda_P9%_<s>
z42RB{)Jvy$qz!n-sY2jrTu;kW)&w`gy?pvQC~-@ClxDm|X2_@Yq&#=D0{uzB9bQU@
zaKT7Hx(y6ff1Kif20yoqOrkz9=X(d0?}IGeafttE-5<{cQsL1|W<Vjsu4&l5j|~uB
zA5J{O+BnM&+#&x<9WUF}t5M_b@vN*-{t_u89CX|}vkv=yhA|+}+t=OMJ%0Epqkg1-
zKa+_YMhYv5O<pRMql2u}y+h1l%Tr9;Ei9=jId|A_6T60+$zq7ip7~#DKT^Z+C-qom
z<3O}llp9DdA*I_`Y4&wbg<AT1)NX=W`oB^WpIj-zdoR^-LlYs^Beg7=nD-vh*C3kr
z??m%|S9g&2l>V|SNw@EREJh-84O%UVg&>wJ1UK3UY&>1AP=K}I#HNyJ<Pa6zLeVx{
zpx!edT#-A2c2SeU0l70sA66D(Axpy#asaKw!wTg)l!ZbuK;T{`4^rro0L*@+WI}YI
zQVX9a$^)B8ZE)3M?XjVJTe#?SzBe|NHn^WTQ8mgHO~G0(_fW2AsEb7QGwKadC5Q{6
z+=o`Z^@do;{J|#3|J24gTLC+w)gr=LTlBRh`b1X?Hkg%#nS{-<eA5gc>H5<**B&O0
z(#lu956u~)-fjBkI>DyG^XWQ<q&1KJ;tNPW6@d+}G^N6Nsa&Xj!#PT~%F-{DWLOsv
z##On@5nj$z?j<6em}7nuWW&nQ<s2H_P|b$5MY<Er?ByZP=~}o4YB9Mg`1qTY7i<;_
zsdS$ker-3@qqpfg*T}^sd5rG(?lY0`E_aT*BO|Z-fZkpcrv9;Ts%h*Gn&8kqv$nbD
z=kVs)&*_$WT)88&S$|(ds-b;pFHII_?)bM$;i%U-n%~xKnTe>^k6MYM<==WsA1&D{
z|JH;`>R+=Nmkz<WG#SRFLscYhkhd6Oy){rV`wQ{H6$GRLs%0wDD(IS}if{@RM1MQL
zM%z`9L_ae+KNE=|hua}Dq@Vd5=w5^It((vt;d_-}Jc$E*5WwRA9nfA5sS1ck*8wn!
zMKniwJjy4cJf5gkkXLs`r75W>?~wxOR97dZ2!#JWc^ZQaCSEuZ#~k7SHtq7W%O0R}
z$V`1OQzy(IHOX$D>~9zYVpp%74g{QHL^}eQsQ@_wh^ayHEJJ&V1(JzvE4zpt0;TaN
zO-JdGP5dC3#}ko;cOS7nSBZiq(;pS(^%Q=Psz~!?Gq#_~G>)Z`ZS)I`BgW59VvEii
zVtt>p&)dgnXqG+=8F9`~gX!D%Llm{6MsKaQRPy1YR??%>#C)}4BD*o%0NonZEheu)
zL@$6w9B0*-uF7#Sh6W;l1|o(ABEXEe=X;nlGlMWR(e1kO<97n}TVVjD>$ib(7$~<3
zF~HGwQuIGvF$kED6x7h;3~S7E4bK#wkZ75)5KuhKs~bj04b)U;=;<dB_5vXW2<$T+
zTnIz$Ft8e&S895mW>%`QfZb@cm&)=*bT=jGrrKNIB&D}W@AuZ<3<fbg6nI7U<5=o$
zW9n`s&9arLmSd*DR9-YnjcJs;Xp|bdsf;BaHc$FHoF<+Ryv)9N&?P{whMf=jTyKpg
zCPOBm>C(z@lNi5i>%P<LjqHH#zw?BPw<w!-;^FW;2auF(S$ECw0PlWXoy9|)4~#r+
z6w`TC7S#Z@$5Dt2b-v2JepKte(@`XmYM#e@o{AZP&~n3|M>)u2;x@#)B!?<F$a@FW
z=~~uV%&2=BnYwpBF!+oLJ#aWal6|w*G~aLDsD&ez`IQ<xxUc^}7ubvj8E!3&jXU9T
zZfEbtCVhawe`8Tiq{1~mx~|k|$0GPJrQX}-KuOFsqwY`CeB1nguUgD7=YPe{bQY#7
zGPPY!9@La&ZHDY!EKYg|Q@=~gEVe>ga9eYSK~))ZisSEH85D{eQ(xC|mPQ=qaXCK;
z=I&jE&E2d+K}wwNjjHwR2E+Gk?EMdIw(@~2Vhn`$+hi?2tXRu$7e=>P%P}8DzNWKK
z)@r7yhwKIHOPFcek(nkTcF}>*Jv&SNubG7_-mSqLCz%G2fkrjMFO+XLk;-0y+2I<Z
z^4%r=ll&GNE_PddR5mO6>M7sF=7cY)u+K~t5?N_?X|a3{oVgXo|5)TTf&LIi^0#)?
zNqu+#2K_)7^ba5jZ<ss?Iz(|dw1^=j#S9j1u+sC+2x3MgPXK`s8Wen8$Rb+eYkC>#
zZAg*%fbo47B|<)Sa0?P4BUR_9B|SAy<Rq;ab7`UG7{ZBd)4^ex-{sC~G}0l#lS!z?
z%km%6Ya+3^lFC2f!JQ+=Y^nS^SX22I@i_Q_MfR2oyC9ThkxlRcqw~%!0UC`Ib%>&r
z?YvM)UA70~6r~(GZ-rhsbUHp0v&%wI<~}T{DoSwJycNc=2;XPo8+^~>v)RecLKN)>
zZ-w5ZRqymnv=Bylwv*15D2&;6R7E^1y^Fje$}=(tcfwfuD!vkNtn_aBUM`<>r)VpV
zhqnUzJad&&1uw&P;JR5Ebt|XmTcI^3;aQbbm?FyJF0-4g6D`O(fg|&k-8t%QspLX^
z8py)Egd#`BM<I$H843uF3p8ZZvtDW9KV>DZ5~9Q6?~PQ8^{{v=j5*GlA0PNkeBq`-
z;e2@IM(4vDGtLM6_?@-8)@iWy*g6sIq?5|Q&`H@OeFdu2A${Ak?^r%-ASekgf|1~2
z9L&x8H$-M8z5hf6bbX(EBtraW#qxQ7tTv7H8}8G~xpOpjNIp;w!FgBc<p|7C(P`z*
za$U9sv->Omsk6{uT4w3jL|U(`v9E23r4JTIV(EBqB$kc|Lt^Q8ZzPsJ=xR+YeXzKa
zDmjc&B^Reu$qOk}a&e?e<~1$T6oDu{3~O|~1itxN0^ihl-a4f}ZhZ%fQKsc$?=meH
zBlH=BUJU4Be8m-(KEzk+m9_k}1h$$n5&}=y3d;cS&wA-%-0j1lx$W**HFfh0wDVv^
zwDUk~wDVv^YG;V8oinJS1Ffl@Gf>gZmQ>LUs_3BSF-zaO=(Vzmyz6!dk*h)E+=*Nb
zBDc^+E<_>cPUJ#}Tx%j1qL6d%WAVY-S}$R!zm~9q8dIxX`L~vU&S<s5+h0rI?IzDX
zQjxt?jGs;eObw5rhR0LG<82L(pRSA$H9USgjZkycgpV{rEpJ)+Lxzkii3Jhg@|>hN
z95K_0P15)0a6?gDHQ<AUb0U(J4#h$IrbyaT@gFwwpXwOP>8dV^yp?YJBjA)#O=t=x
zc_4AS6fwUDDjV@nQ$rXSpDlwX2x;<S1m+@~zTI2GKPRwLzmk~eHOf}ukOy}vxEd*2
z^($OEXGor@hnen3s+g50G4T$1kbw?lodeEmrgs{~^pluwGSe%GSo8X3RwZKJT(=Ty
zkk?swCFManwSKr;ti8k&E!}YIlDcJz33<}`bljRM<0CXU!GW)E8#|384<=l@oG=D2
z@?hbi^sZvw-@9<5=ZUl&YcYdBko#_SWaYR4a59pGHGq<obtj9^8G!$0*>Ve1ZQy|Q
z0^D;I?h(N~2b}(u^eokWc*-88+na*kC*CA3#<1w&&Eb<JzX+s}Nri1FU1(`JrVdPB
zQbWOgOLY-@dKXS&%n?IeP3Wt10tLuarU@r2R5BT$e3gmoONuB3jY_?7Nu$!dOEih(
za<)%mUum!1M`lD{B{O0>WJYXg&5ZafpP-qItD;6K<c-$KG7C1!&B4fRBFD2Gf*8?X
zI3}N@gV75IBd;Bt4fS{pc1#)lE3l)LmslkR|CE^m$UuFlW<|kVOt~vQ=`XmF4l%u&
zz><g!>!JNO`U~Rzsp<tEADymSzu$uAOb^R>1B<xMBebOO{O199lOLjUSEcH-6JpkH
z81t*35zDLc#+?Pe2d;EC!Dp;n@KB^<W*dZkEspHa@LzO4ZSQ^?`u<P&*Rj`NQx=XS
zYnXSmfi(kzAk__SJdWbcfs%Mwal>PZ^uWRu#W5W6egTxT73wjdZmUrFe|w^_pLE${
z{;2HJr9oIYGtd%ZYibI4{bdyL`a1%zKh}gq8-jXCm&@;@Us90^t6r*@YF7wyznMS}
z(W*K}2jza;EoZ1I@hs`--Gw0hsu1{7f)@TB0!Aas>PQ@5rI!LOy%3zzfIyO?W>^Pe
zJ1b2IL~{xOrGpq;>V~RAq3kJE55^~jpl$)`%HOqN)SZhOACs=6(xsOeQKi%D#yej}
zs+0#+=m2lecMgy9<>1~@q2KX(O%n+(DX2#-J*EJ!NMt(Ppe`(w(2o0>gozQUZIFm1
z`+MmkE<0jQ3s?X#LfPjC9k=h-iX7A%ATPcrWuQExDwRCC{+i^V@$%Prvr9xyad~-X
zp-=-n<q7cwN5==G5o-%N%hNGiGIXN*nV?u2s9p2;Q4Aq~A^W^0(Pyhdb&xz6jvtkk
zZYUy+l}K56;(HPep?&~SRH9Kq4j;8XEzt-!;O`}slJ)*e5UNb`S`}%=qR&sv3KT?|
z9OcUU$_^q8e*8{ACsd)kpc~fVZ6}>l<QdRQNqwyfg<iJdlcyA`kBNJ4{6<)GByT)Y
z<c%O`3I2S50V;+(x5d;K3)EMqt^_0wjWHcQ(`UC=7ftv;uhl(muS2v9>m2EA>e(@F
zaNG&asHlUJ54k|izQ*wQ(1k18H&2_e-iU;dewyi<XYJVK%)a8y3?s)aTOVk`HDtVI
z>9~a>20K^o*|r6?g*Dj9N?v99Y+M`nLy<i8HG^pPl!XQxuAkVQvd`3Z@7aOLE@zd;
zx|DYfhT>g=7V5hOC$#fdEKuGx_%)Y1we2*p?Lgy&!JYQDKs(FYo<`A|=4Tt)^urS>
z2hLweRv*f0ZDONXe}kAo7t50_XCvui=`G=p!pPoGkPv?t;t=I^kh~9H2YKO(o&H~5
z2Pwo<>I$eqE1<tZF5B)ydXLN?m~Hnj6l0ZTV@K<Tww7$j;NXqdR`$jlCjSqu6!WcX
zf=*TOA<~~k-2^|t>-G>*zl9_9+XglDTkx#OF8=VwirBC>euL@pf%BJGDd+cIC#&)V
zx}0f7zrf)GdOAZ(aLnk>Vhk<bf2!<1-J4lW?AE-yx^2P{y6au|<EXCCFW?HDMXt~<
z;0m1sS7={sp5g->a8IQd>h3LuT49p`8%nUrfZYYy=d^<Z@TGF#jK^WP)(Uzaplb>A
zJU}A=Dz0X=X}d)$$Rn7=N@sBJe1jeLtQ92_C}#;J6DXGn<@`xy=e40M$LlcHovdh;
zAsbw<v!XsgbRB*p<Og=ZPPJ3e&7pa=(>K{}?>}Fu)wd=yXPO|Mw<6yM?s-DJ56r7T
ztgme5MI6G{&}AJy;<PEha}(#4ZC7>_Dcj|{vH{A)otGx<f!jS~Jaj@?>fLd8>Ld>x
zhv`#ZC2T&9boiO;;!j<2e%Neh>&?dQp}kf|Iq%rG@le#RiQ^*KRB1rBZSWfStX0Rl
z4X*m0A8$Gum=NUSJapW+?mhd5MfNj#G}DOkfx+j-oS8ka5lo)QISZkMQY=!1SMK_u
z!Z$UArX;rHV^&Ad?SqQuv(mGvF*TtCU#G|fyfm)1Hq0W$ig2?hIMXA*qRE0}rhW2i
z40D+MT8x(~Le2fz*^8N!VzpE7t<!gQ<T{Ifx7(-kuXwp;wYg}_pTo5B1YOpi!xs*2
z9@f{`xbf)vc)^Feu#PLLI1d>&s^5?iE4B_X_HV2i6&o9L0@>4FN+)lS|NUFLM$l@&
z3x9(mvXQ{%qYP-)F9BNu<Vsmi0NQ*PT<1a~x(iupkL;MgZSlq>rNrdGyWl?NDtzi4
zCUI@8@OIZH7{ySZpP-e2o&W<!8QF;FdYDc<kZRaEY}^M!V=L<gK7a0kO+P>x7c>b1
zol<xQ;@noUgrM{}|B1vo^o9B37VsO>k7thfTPe)r9+nYR(Hp4xDx6~4Eb6VpdKPH7
z)KQBEqM}$w!GBw#2_C7Zut@M+*!%BDX?4HM(tI*F;fxFc>{F2oiNwtN1W4`dGZ>K&
z)i4=R4TqGd25xU->3ynL)=H?G%6c+gWzzWr)ZY%U(RK<jGst%gkjSusM%op6pHAFq
zSMWp~V9%j4T!dIF;aBKo+_2>1Kqv@w;uJDsjJJ$S5nA-k^$%OrK*j}WpYSXd_^nf5
zY|?Ri7z03IA}GYG6rxYd%B^Id@TX!AXeEq;JzzMhI%KB)nW=+j751RrX*mTZflm$3
zQu$gu8l#A=7@s4+p9=IN3if<uS)-|TuagteqE1N8*!mOIc*}o2qh8s)E(BP#>!&S)
zkbK*rT}&fn{S{-n@H)*^jF?k}a6ah60E>lfzy;mz2R_J(Pze0PD&n>`V#V9Rm=iOL
z&ulK4NgcQaQ6r@npy}!8U_3gQt`5(wG=;0p!B6GCuYziBCNdt2kNQgNnuI*K{Jyr1
zutCO+^m%2;tSEjcKBm-7(u?1MH>0ZfnKlKAAAkQ<+ek&edH0!3M&P0@)KL#3A{iHG
zm$lT0w}y@zFn}dWg9QB`;SllVAR$5JU2FCCGa<Uq&$Tu{?x_{;FUHavs<dMzwFAbN
z0$#0>ikK~3+0=+!8@Hm>gtXrcSkZPW8vC+<Z+FtcPb_L3lRd2T3Z*_}RIJEpz)e?C
z#f*#UP4B%}9`=e<1@C|Si%yNEw9=HoADD9C^VCLSZEgAk6q1Sn_RFp?SW)pU6wkwI
zco!MODqGfoc0r^Nt6*6JvaX6kf})Rp5CScS)!PBSf}VXA$l-IGB}^fNTaZ0+DwoD5
z_M>Gzj=>guF#C?{DMz;x!+9i*`9VNjQu1`AtnVYsG30DrmPrT>mX(IeR2^wLu9C<l
zKEdZvmUXz2-NNWSIVTl~U1ELYC6G3haHhL-hfqVB*!S{sNDJ!sd(@&PXwgbI?aM3Z
zU@i``Ed@XoeC9iq&)8gF;=2>5@KmzeuEc?Lme1-eOoqU_E7ShqD+bf61KWg?$n+<C
zOzX0$U720un<iHL?1*E$TyyVTUfX(aF6G&BPhe!=cK=db-(g30R`yD4zla{|+LYQm
zqTianIAg2U#rsM>ysUwDFBW7Q+IBm3|6W|e)qQ)X_T6ooH)-C)iO&49{_UC@^=g0`
zlCL88j+8bG(RU745u?VcY3HPAhDSvO#k(;3=k#h*mFAGAdwPu@KF~D(2A<|&!~S+K
zj2gOp`(TsJ(x9g-vp56PYw{CzANiu$=TUg{g`GcC5GZ$x(hBDXGaWp)k^Qq!?rnaQ
zjg@S=7^@;i?+w+Ar8TLFlt+M=3$#G+;}NeyTXdhaMXbT!oA$u7AlI_#meeo!5xe`q
z{sO!}ejzsxyq9}5d3)p$Q~w*9vEKdtd%H9m8+&+;iS^l-d5+mTr}sG8s7=?AeY}k!
z+Ue&sRq#RyH>EUUuEy%nojlXU?A;R<<+6KgkdJ4-!Ms$ENgu)zq=K=6eMcFambqN-
z(R~yW1<%(0mO$Nms9kyxk&6Rj4hF_3308}alxm)E%|T!ysTI_y$2chmZwpmu`54Bc
z`46&T{>@*l#6TV<O8XD`BL<R<EHDant?JsdD@8+IK~&mt%p7YE&MBEkkEk|ueaOFV
z*<<_&U(*RU&8DrJR_t@RoPZaBJ=!)MG&pqQXj7l2ngMZ%fsj(l2H($2V{Z4A`(FP)
z9a!`Y!<cbP)&!XL?Tp;G!)3>+fC*zq2l$xqCQ(JhvYjiouh`-^VR!Vj11`@_CtbhX
zC$32kk8xf-O}}lJwRxNKUni3@c5K75lo0v~KT6puv}=U7X~OWJ!IOL(!FnAY-XhK$
z9%!E<ILPbnNtQ8q!=MY<U5tX7MEOYkmR);Hzt_~%kL~!x$mg-JPX<PYPzdQaS<{q2
z%U!S@1t`yB#b^^&hwodqWKPHuqqqw}4vQvD_+zw-YrkKsnC7__RP-+oHIsE`&r{qD
zaSxt=@s*zEz>Z(%$6UP8RH{*BF8R;*Ul2^MMAw<tvu8t>{sUHS9BdlcLNg-noc|e@
z>UbjhdQ4pM>3!afmtw^c_n^OBq}5V6Ngpo7Nz4IH1Xj7oKEH3zIJ0wLi&4wBcd`DB
z8|JJJS#LVAQPXrCu~GP@6)V@7#-7y7!1D={Tt-e=cWt(*^M<;EH8%(U5?|S+qkF+a
zL%UYRx}4ZQ&LhkOwdl8aH+4x$c~-_H<WECa?}(FT6C0VOnKymz^l8p@yxX+J8zIQd
zEgfXqnsAqV&Q{<B!NV(~5>0)sX~qojHT$}>>$^4fKxEi?(~UH(_^5-n<0!mm8@Vxl
z-}c~uU8Vzgf3#1}HJx34sMWu!_qKk=f=siae|4Yi<@>91<!2tu!KnWM6~Gl=TMI#G
zkJwP;hJJkPaf;WT&Z{W`?fJ2FTMxuIXV;JZv19j1BYGQS+%#dkBEYrrJNyRvj`r(d
z>evJ|UsscQ_Z`!Au<!D%1593Snt@42r=G`yT?HK&&VIm?KhO`a#X!0;%{{yc?#6|C
zytGNoDOaa|Rg;*dG!oC~i7(zY($P5YzM+E;I=V9~2{5tfYR*V)moZ9LVbkc!HOM{B
zHNCpk!-#Fd#>8??vHnmF3#>mx?Ebn&2-CaC7cZ6cfAIcU?CWfnm=m7`2Ohy8N|MLv
zj;!9Xf9X<U#sXI4_TDY)nS6B-gNB6laB(eP3D4YBOs~ZBN8>j|>@tNk)wB;8;?vN@
zyXT5<FVlb~njyz7PB`hZmL(Zl_CJ}EeH2fNN18`QnD{{5z+odM4sy{a;C;ejP#i_U
z2T7h&70zcB1wB1eRXm+J(=vBt{hv9oJ;8=+=eF&NGO-}uqjApnx~Y@KO&{&ju-lne
ztk}7esfRWP`GuQ~UDE6v*k@Z~7haO<s^Gb;rmR?9_MJ)J0x!MUGvV>o#}04`9BH_H
z<Y?Mq|9!qGCRSUnufz{enc_WV*pz;<C>)p^F*T+Mn?mu!tX_UY&EVDn19~|(Io#v6
z@mevzsiE7puZRjeU|Oi%*l&gJaOcreCyY1h$6{x@i(qEt{&!#-F`JH;&az_X`&{gJ
z%CsvyVqJvG+I6$0uP{a4(X93#xOA|KN0(6^UZ!JSUBW$Fh76oO+20gdPqTEz+J);}
zc18pZ*>39K-nUg-XI|`Ld*+CjTRq3^J{T8qIA*`;fKNovKF+<z4)!$aXCP^N3Qj|J
zD6eH5jzdc`>`eEyy#|e#;O)}g&-UI5y{;11GB5d1WL&gyW(CCWBG|k%Jh`*z9Xrxk
z-(kN<JQ6<~Vl9LPFR~F2O^MiptT2U7$OJ1y{%XQ2axCt{vAB@+eU2kh$2`%fRHEIN
zc_LsE?zjSX=bp@+>;;?P{S`<o2}#N6hWct=-ZI?AZt_5Y2HrUJGdNYp`)k3eiXr6?
zUen{fl!$FSDW-Fv$4?(NVM%FOd{d1yp40^Sy+gRq{q!_B5;R-ie`-B{p;F@O41ew$
zcG)Mfe@v+btLLp*>nzWJ&*UK8Qa}HNfi87>dbMhCv~%X^*bRHaO`C>o91zwQiv<3m
zqk=*=hOJq%Jv40k#0{nqGlKjFyP!2+TiU{m69{Q&{Hc^g``<1o)&m1eG%V%6YRPD@
zb^RZURvGae{haBu=gx8op1KTg4R@ek<)Bwnb<3v)E%tNq7&OS!Bf5W%DfpDZCur^Z
zwM$oR+`DYhSZqoN@W%uw1}fH5vJB+9zkPHS_B3bqMt!vWB|>C$Y%gxGvLo{m^1o)o
z0nnYY?8AQHEb#B=5^iycU4IB8ZaEA&3zOKmV8fY1dk@E(x^37$?25~o_}wwl^a4g}
zO*R7QH4=21VUp#0g^}>90&7%ZPsWBHiZjiuh*+a=oA9K*72qg7wcy1p11q*y5uiT(
zn6H>YmJU^-dWt82KYR~(6Qx!^s_Qas<bbJD7yL0zd9rfdCOjsgXAx2i)ndQ<>N68#
zy5=@HZN>#n<^1{D9_BGag7N6;H04o>H5+H{P;lhXd$>mx2z54*jy)!ZPt;Y|t&Hg8
zx$Fo2gB;AiXWv8HVu#n>>_ktj3_FI+Jod<}v$M{^gJ|{0us&-?v+{ga$=3k3<4v@l
z3)?O1h_nim!~J6?ZRh3L%#yBJy+1rYgC91!!%Czv?cIitpdS7L)(LoVu;^fe7_fW$
z{ADpF7JCQWUV^nt<L#hv7<m^@=!m11^&LGQ&#!&QKd-}^n#36H#y<aveP>+s(9pa?
zJj1IZyO{ROk*jOg&z`l;$j`$!XI4<)>`5;A2U31}!z*M?m?1EqGElDs2n-QjSa*nQ
zD-DNJ{E{l<FIRqnjt_#3`Wgz$xF^Z;!I(#NfU`b~0=LT=k!_yh03k>Ovxf_i0Flw5
zr^J$V?`3qL*9h|GYQ>dS7UjNjg=hQVn5n%JyDNI@$~n_F8$+LHmii4_=<UM4>Cg}-
zl)gJ_d5cxN2S(k4xCRH(4z|3i{foDxr>8{bsY%!v6?+w?vY(>pk;=|^Wq?n`GZTrr
zGm-widJi4d0W{{`W0h{&Cu01dxkX5K35+v(+@giHJZquh-)iy7P!CNHzX5%lJ9FLL
z0a!q5?io4^-FWC=<n}YBL|zFSM`_;S{vAaTx9P8+v5zAu1(b%q*vN|~r`%CAg(mUI
z|3z15gu7z@H9Py6Jeq4fbmjK^{CfB1MT<j?{&zI9r%stY*`?o<h?Ay8y5F{j&xZG@
za+$D9%2F;9kt|x0&#>-7{uvz51?P887M<UV@trR$bbvz}))CXADzw<|yrUs1a@mrt
zCTQbkO$nSi(Z!4OT5^>SG+Oypl$X)<c>1Fa;t}8v7T}bHZDlv~$II9{!z~0b(XpW_
z55y6qj#zj7R8uW`Eb$IH{H<#^OT#wfjWgw_NoF1RXS&|LqXNBM^b@f;Ue0ogU|zg4
zj`5nTH%#Za46$t()CzZAv(N4iI6rW&X#tXx+|S~@n`y<Xv3<66tLxlwQ0t$69+Z5`
zDBi!f?RadQF_nAOcn|`U?Z80;+SbCA@Qy31fHN00+<5@gbt_!=Ax7O`VIW;4jlpx8
zec$GM)iHSbFUYjIj%LBq#q*cA#IEmCgX;!0{<XVr)FTr@LAHb8BT+rCbh8Ef(x`7C
zSNK!@LP%pvRvlb*WYr<OkhZedYR{Fu)A*8->~k$|DhF$LDFisQnM=_TIrhjc;;;#u
zgf@{aSr)%IZrMTLEbqOv&kC;#z<H@X&z7u+TN<x?U)p<dpQT=>iI$_5mr!YS;}e4W
z{MKh$54_4a?dbH_X>pxdP)WSnrf*@<K16G-vY9JmR~}pu2g<9wR`pu#eV5NvTH_%H
ztvjhXw08ThBQ7ge%??>+3cIga6g1(FF)pq>e&r56COvnWD+k-N`m`|W(@|U#DN|Uc
zhJU5)&h?W9Od2w204koiZ_=*G`?@iGNfh8Yk4z16qhQTHQnUkcz?R$IlV0&49a6?*
zX_EMh8q7z>C-W>#2ex9ou69)OS4Mr!xewCMu|`?;auWpgu4!mkw0+Um#hV;sv`l;S
z^py*~yE?k}?pAZKY3w}wH=jtAOyZ9Vk?N?M=|9tN)_6x&g;h69o-%ieOXB8jn>V{`
zUN$vg-1zZ*(4*ow``Bq5d{8_22t2<AUL3}G=WHpKZO`zwVH_1n)Yq-roQuilSutn!
zUFBr{dF8e~Uj2-T%`|%=Vs@N%N!jPq+O1Ddu4`%1S107%%rTCw5!h8N*Io8He2w*x
zc(IhW*{x8i9Sh20Cs9FVraMR#RHh1oSc@#o)a8@M&!wZ1N>oWZAFsZ~Q>bL;fgPt@
zQuh0_ZtLBtTuV~}N{msLmBqPkBNoma57NYVsI<!7(>7hGX`n54+57Z)RNnY_yGvb6
zymSrL0vptFQd)m=%AS3B!(kD-W55%4-}q{Oh7`}V`DJd%W%5pyW#7<W`9Je~UmZ%6
z1u`1xr-o+RAA5D2IUIkb%BJ7lgRSxpHlr@n<CG~;7j}c0{EvJ5b5_EXUCiAx1w-p`
z<l3pzN8Gpv_woF-6CQglwtdT{9XrQv9655F-|!Ke$8X1b)M~~eCp>;MEztJ-k(h;4
zBn=T>do4ki2t!w)hart(GM=Rov)+FlQg#v`wsb^P(|Ke-f}*Mhn*(13RVZAikW0{l
zR%C``17(Nv%d-oDm`r*VJxf(K8!UX_wS`vnskIFmN*kWO!;`D#*Jv&1uLVDJw`N;X
z+FcJglON$>H&%~NMP8IL(Jh!}A1nfXY##FdWMS)auA-a5oi)747C|q60VBfIEVVwu
z%}{VVs;wguMG2^;1RDXRFK823p(mm#4q=B^|7DfrOa%K|f6>dC@S~w$kZa<Q<Y&>r
zAxrt4au0=2Aji|O2*sA4QV2%|IVvN_pWu<n!zq;MB{69%?7QLeYsC7~cjO(4Mo=QX
zaQFx%&u3T!MEz3<B08L4GE%}#2npf3@~dW&Qg#@Xr^+u7{;#y9J|avI=8p)Ii(?V=
z@d%M$NC42&8Uf<O5W%6O0T`l?k$4KJ6niRJF(^dD>E6A*sQ)?Z$`(m}Fvdo1*aewe
z9CAPRXSwf<T)yeYwEVuf+Bf;}m3EZh0Ix32?r{{!q|_dNQF%@nNdwUH((<!+xkv6J
zdPBa$Dj>^)17!-6>vKH9=@5M*kHR+`_#WL<37H4zX~e73(q~<SFqaH}F7NzennhZ#
z;9>nHsqdK~vO{?xT^}k@BCH7LXS`P9JcJ75gD>mlslBBSzOIp{HleSu^^h|!2=oPk
zUF9U$F2huvai~Q8H*ztddny8kb=6bF9cIAwG6Qgjxtx?q5e_@tVC30ihPrnL9B@KO
z%M6Sm&@&?zK#U*+FG7d_0?a=@$-h;lYQMP-D5O5<2B1j5^Z`gDAa-!QysWbj3ePeC
z3{63P3tib1Sdj?Ej)3e4%DhgVOwMMZl48~Y=n|N927}lxH$e7v1LQ6@K<)<Q7}#_|
z6-PSi>TZ<xL-Fo%(g2wG+bcfM2PKd=OEDg)D2_yNDv+<QSN)-(V}ctCAlP@Avr$K$
zs%;9CCn-h-bf-b`d!txK4tmd_<&#iFomxnt1;-aS>gt6)@Mux1Qps7pT0p6`64ikg
zO+AiB+I3uWT--?=?@b-wiH-vS4lX+q$Y(dw6%H==@jHRsy${ly+j@JA=4Thp&o#`C
zb?V!p=jPLj!wcpi1+YWU(35c$&%8Ge>*W^|+_A%4G`i#8k=6hS0UkTd??re}$CdaF
zrM~BBi<Js3n0V6cO_g6>1m8SU;yVB_AxZ6b(tG^|Um&^zy|o5-M7kotV@E=yb(XDM
zh0JaOxT-r1Sv4B6?!+q|t}0jIOqj34c!VfcEQL2%T_wKbn%ofa9b~+U+_h=<*-b_{
zxVlbEo!%Rn=k_D>Tn`s+SAL3wd@l)y!{Hf^XpSD5AuwfiB`*!ca-{Mf*#Se#0ViL*
zI08jegn4A72?EQYVZ%SEX!@A;X|+78iIkw&k4Q81Gzwd*qM3SHQQ%eNdFldAfN|6*
zo_#*dwv2M^0C?L@fy}k5NN!JS<sr0?5(Lt402W>pYr*2V1gOFR?Acm*6gJ2N;W@N+
z1Ql~P6F|?*fVyK=z@C{a3a8|uchM>`kSYqZXH=|~Rup{XkyvbK^EcOt!Zda57p*6U
ze=Sc#)SW;kB>?rXZ9F+tQ@UDH4r;n5kAPnrZ9NZY>&d~^!xO_8QdX+}9N3LRX&Vmy
zSaR*WL07g^LCYHQTIApvt2lT<wKKo4gQs$_BdFE+eH1UxM9SyVo!k`R79(3}_`+9}
zf~Lvm7KKh{agdO+?IUZs_&iZ@ShbeJ>$3nP&k9oimCgA?W@S{@Ps))6=aZkL`sC2c
zqr>QxSA^H<9KzXV137t~fFzd>mrsp8{9XP<y!T2u7+Fewc{uV~x<h|bC?TMJi10#E
z5^+AG#8JrAStxYUmU0Luku@LZYdq)H=Q(SRtYhbx?>WlcF&R!p%=bC>)#l|_D1*U8
zsvT>}&O*65M_`<zSh2Z*O0vs6vrDiqv{?)}E-$W6U43rDH6(c3;I_J5ShI)xc1iZN
zmU~kkOxzvbrGudapOZ%;af93=zc@=0pC2h9_sGrf0S)zK=3!t-xjaeRku@^NEpqcA
zXe!A-SuFvFGvosM{qkUk{UzkVxja=1M*uT#!^UY?Om2SbU$o4ZFXBV_DoxRBokas+
z^{iRSpX~9U_6T%lwO`_SZrHkNvkb$NGiRPGGvX!aO3ON2$aR(*miVzln@ZD+Ftk0H
zcBVrmXTFB#8D2invY(bSyBt=-nbqKSS^TGE#{1>)uJBKIWTFPI;mm6=yDID_vyt+7
z)<&MwMA#$nBr5)gMj@#LewwUhHJ4_mvF6UKE<Fpa<6n67syPD>IdglSp{u#r3&~cT
zS#>-{Tvx}NKWf5i;xTge?OZkumb+N?1)P-X!EP5Sh*vA&3;$B9KP;Uc4P#adx(u{v
zDe$h`Jy%GRSTQ6+x+4|IvjqEIF#!THu8iu#jyL4W$mo*aNdAf*FU6v1B-~S<(S8Ea
zXb*dmi3Ft;B}B}QR{-c4?N7!E_eAp8;m?V@uA2ZSE~r`I)P?4rM|01jxlw2?GEX?>
z3d@7pE93-2<kEGsT{b#Y0ZC0;;oowCeob(Wyg$q73KU*FnFDF69$n$BpvTtENe{UZ
za?{b{aMGkimnXTGm@&80<+`gBTgb`X5eXOJBl+Wr?|H>v%X7(y<@$TR$<Wtx<?;Te
z*YjS^e`OS(Kbybj)CHIL=;7@;4ewHGl4*5a%^#~)&tKyLGs)hb?HYUb?`YC@h8Oxy
zbi)&77rYrym4Bf<G3WC1(?&6j6=yx6Lfgt3I^tF5X<Qt@zwFA3A<3)gJ)BkOz<%t0
zjekD2<O}Yag(oq~Id}Yh+$?XSeoSz-9DmO#j(ye%J!{R1p?zevE^{ZFnOL#*Np;Vd
z#2Y`KXtOuQIV^Nt%;B?B##}dU{Zq5qt@*0fF8p&3kB&`Gc0be4BtEJ(q-hK8;LKfL
z)ni{6;g{K=+o6oRM~~kPGaVVQug|Z}wFdNT2`vJ=^z|~&vOj?7Zv2;nEI=a@eR^%;
zPUp)$;gv#-HP`l!eBum2*#M8yZ!?Swv-n>%v}gWc4)YGqcjVty;Cf!4mvZJm-S^B1
zG-d>?H_LiqGNp2LhgR}NEzDXo?7ej*{RrH9g45XqT=2m4NJ{9S=s-%`Q7?G)aKS6V
zOVm>@cz2Wwo~3xPW6|AsvxO$!SIe3$j6QzMB|oZ|NB?82%`6k^tL1HG_4n{_(fdhy
zujK(d5Y&KKL1=)uQg(&UvnMkw`{hO>_GPaprPu&T#33g+iYw!49jzbh;i&fpN`S@w
ziPI{19$48p4bSPydZbJi$KZ+3Vk}YMt>s0?O6A=(xr|GXvA>x|o3>QdEM32Dak$ID
zUB0bCO$&qg(EOPi{qo@KnmI^bGFS0uZ;P%szRFw4b^_uE#!F&jmIjAM)|Y+_kba%Z
zgi2~#=gZ^JO7{}%Gp!h&$66g`WwtUm;u|y9!!+)}1>zge@l5E<e(v;y_~thM`Z8}8
z!P_|MF-kYnm~R%CM!@oB-~J`ukc(pu_p5U_V%rbv!REErbPv1jd?WebwJjTdpSjKW
zP&aeT<lo1*h&Q_SI+%DqKI)W-IcDWosi95$W6QkQ`HsGR{sa0tx7*t@aXgvx9{oJN
zZ3}E);+?)P0*tpOh6Q7i{m4l@0IsWzB>jQl>|X=61<2(dIzdHjhY%5aajiTr*buRG
z(c*QcDfcuX6NBeWcNsZ(MdYq|Oj`8Rl=CqEH*JeqnmX(=o!FRv70k=|Ax$O*$Z>{d
zB`dWGLG_|DE2sUv%4}X@fU~%^Mr5~aqy9It^<KnIIR;fPkYHBIW+~Zq@4>%(6#LAo
zSaW*xC#wLpS;mNS-F6sZ3B8f<d(`aXvm77uZ94uXFV=`R<@H|FV#Q7K;LFkXbS|@t
zJ9IuJs%f1n-d$k*uc2Jh?Xe1BBTEQ2?1@;sWQ%E1re@ZJNg)$m#!XofnKtk7f?N};
znZ@&{A9YzZ9;&Ocz1st$ew)M)Rn`?7WNZa6|1VesX9d!DH-^T$32D5)DFeT~0HM9Q
zk1UnvV;d297nrEoYA_(;cUCjaR_?_zG}us@vKt!gjAgh#o;DV}`FCs@*N$bK`32sE
z=TJtq;D>T`+L4fgj5+7Aa;W+cJB58Ik2QoEZNbC8kd5Q!lq+Ly7`ekZ&DMHL-P<_x
zl07}Dg&5`NviZ@vN&}N_nIh+3igy-o#m<SE$qdqx?(;nHAibdDE-B^MFCjQ*+y#5Q
zy3VS-KopFlgDbX=Z{?~K`daEQ2X>FQ!{!m16zP0z)YdxNjjcBJguCa%gGpC+Y=Y;4
z@dOOoL;7rL51qPeO<t4Nd*Ycj+;nL2stLoL$4nSA+{dV28vIO-c<6K)-RQ&|y3p3n
z&SMWO{`@j?$!&MN;&Np#zY-C7LfOlY{lLq&`2l-5CpN{2@6?9rj8Itm8J;cJed4@}
z_&jdUsJ5*Kbmu<~!@f9g+uZPZk&etMzqp}$(_NVVHFH<5c3z*nbIB%`ySux#YuT%R
z8<VnE&A!I`vYirN*F%44GtOfT<c)?C5z&W@$@Am8;`wt&-Y{^`mCMfJljr%n;9Yd%
zHF7Xct%vZV>PX{Su3;l?SM4k}viaLhyx;7B{kpn{PkImAd~5&j`+i$z;&$34!{(0c
z0Y(4mR_q%LZn^21EF%Y&<j>jnFIai<Jvl)~i-UH~i8&{KKjFwqFJi?Xvxd&B>d#sH
z%StU;^V&w<TUUKi_tQDfH^UQ;oi|oV)^u#yuWD6i-iYbzFxOee7wm}P_Le=n4@Pz`
z&mB5<{b`2r_serHU2?{*^~pnavOGCOXd(2JZ>D^7JLg)<v=qTlDn|gz6*n~{lFfcP
zd|3TvArhxPGBwl*_qcBqC-Qpa!C7d-=r2!65k9&~`VqZtaM{sg3AsUm(BXnmp0Gb)
zy)3n6_C>CfPwpCKzcKf{ddtZ7m<isQ-KA~P>s*klpUW!d{(_|uhgF$|RT+0y=%WI~
zbeE2VG2D=Eu<h(Q^hB-_H}gRT@rIYAkD4XmA#xP0vlUg~gV-s2nF(J*)(&|gVx*b!
z(}xo8#gGvGu*CX?u^-_>E;l8N`yken_nizm=RU-<?g)?T&Gt%i6BMGT7YxpkAcly|
zN4KFM>|w>NZ^NB~m*Z2XEC4+ldN)G<Nk#viEqRBW9`;zclr}d(JeI%`3IAe(t0bOG
z;MY5>5X3WK4F255!?x0ouLOKwA<;9>;=P3NlAdsXPrD3UZ!4}haPN5|k?@qBAQFaP
z@}@+^TcP4jRJ@5w*a{`h_<yAX|70q0<}h0FNOHP-HwANZpZP&V^`No8g|S!47^=!r
zz86ym{@R#j<5xvEZ`-`?<N|1FrzUC2g!CTV*%?sngrdT3S(=fepA`9*EgCKLN}9{o
zK<_KtqslVM3?*ZTuh9(sLB)*0;e)+JX<2oWZefz1&?Nn?VlStLy=e(QZUOUCfIM44
zmf`)#WFU8;DJnpnMsFYtN}3U<^cXTNHX7*fl`cP}E>8<%(**k3531>>9@u}a-Od2N
zJw*>8TY<!yK$7WkZ(}WhuJkialJ&A6>_o4?td8P2*`8=zXWvU=3VQYsJ(Ir#1UjYw
zWU#k{t9I@wI+uaY$+|EGuir#7dqdcl%xD5Ss1eVZ(aF<h5c<<hlr*5UA&|+|%9u>x
zSE#{V7`Q!UFOp?~W(p11F>3OcSqgW;dl`&Xl0_5z{gOZsAFbpUh(-UZPt28BA2a?}
zeK6Ofl{Oaj1dA3>AwDfi#gjqU0u_}<KSoB+%j1sv#5VAbNbT=Oxyz8xRULd<>naQ}
z97@?$+7Jp&KrANU1}1=e;PPg@P}xW*6M#F_95zCk0CA~oPXr<q0xEZ{#n7F{$jt%_
z@m4H*TY&y<7l_4pO$Wq=!0ikS_B(q+bT$$lWg3=a78ZcgDNqVl;4lT^QYI4^(mLA4
ze=WxUJjQ=5=ru;ymnfspPD9!5N>Jh@S9Q=cl@)!GR&*w<=u58FK|dabLARn}$Q9Hu
zrGo0po&W;scz=w7qA2*6#JP0&ES%Gq1>)}6hW3G#*30L4xer}Fe`c~lJVYyFFhR)n
z!YzhatPYfF^fr2po%j$Y<`%7tPJpn-ZAH1gI>>bi|6BHU1CalRtF2rN=pB=sPNw6!
zgDPGUy2##6mN49hh~>Xf0j8$IC<TDOtn_IEKNPqkXw4Sq@UZpqe;CDE*p%vocnxmv
zOx*vsf;Nr)BOoAIy;&#AnS|T`H|tc~tV6B)$1c=@38!Y@qKtZ`7Qo*n_=eV-cqk@!
zSCJZN8&qo)L#fW{&~442q*WeZXBYsrh&NLhenz&Ewknx@&#G{{!~A;__o3wUsmNM&
zOZVi+m<CGLDt-ZxX&Bq<MK;@%cbn})8gM<WDYjN(N!V|2`Jl&1IQ9=<7Qu^shes<2
zN(6fb6@mk45P)%x4Z<A#w`yT4_#LAn`=Yj3IoyV8J3wjau=UECAgF$TS}JdVj$$+F
z;8q<);dR0Aa*e#?aOlY{sXixzmq2|rK7lqDTqYdF<E}EYkBJvuD@r&uc`|E-bMTCf
z=P$muYR+KQP@c487=Dn~jIu>5xyusezVB>5D9^s`^x9_HvZYJ=Ne;qoYObOmQI^2c
zZa7`xw+sbIA`~R2pdd+vg5(S-NSxVAgBVTgVUmh~6>$UbX^2k;d@A6t0X`M*ae((_
zFEJT2C7P{%3W5{+3gGvVZ2cqZqB`sit(O0Tu11y=s_MFFp)};&`wdA$LqJ(sNYS*A
zTx>XC@!1N_nfGz1@wM5TC+NyM){esr%O$MH%7SVP?DJ-JlF-kZ(fM<Bq)sxU`)kcK
zUM{kuDnFg2qict9bcr?!${I7PB;fA-2@<7c#~eZ}vf$2|-!*HknK&<EE~_U&{$de=
z7`6~n9_WR+qe)@jXi}Ivnlx`AHEFy&3y0mJ;&j+;D2{!1QE}|M^V~;Hi0JJC7+D97
zbEgweAxV4hr%4_sl5N>dFy}mX>xTRxX=2W>;OvfrB`3@0xSvn3J?9cD@A|u1c>#F~
zvpYfrmbajAm?{R3vx&jGyd=w(`~`rzsE~j>EdQmzDKc>Y;H)z7DD1=mtTG16(k#DE
zc|jgeWPcPaT>(Bw6^O?d2*iUiAv?PZZ`|@119S}ACs|eiF5o@ccoa^tfZNCzVtJMC
z1Hj={n(Y;uil9t13j}2w*#-*Pp+t6}LbkBX{Ep~TBFbbCRi$Tn5`eu!R4I6fBcx!T
z)~W<Oa3#%H|B{%ofh#d%KCP`M<(}~Il4W)N$O1aFiF`<BOt@8=20``Y{1`<sEX49x
z{&RHnbL!}?B<ne4u>QErAg#Z6#Il?wOkQR!ERZDuFx>o3m^@(ilHT~xtf`>W1oHV+
zKuGWkB)QHeT8=hj-U7`uaXZa#v@~;;a_qKb6D8rWhUrUC<;md*Bv1}cz~t>q!0i1+
z!)z%7a5}IKQ$t6a3rm)PW=!B{ED@Mu-)y1Lwv?vE_mvd7K6h0~bI4trh%@Lej>7?W
zQNiB3s31qFpcE?Dpsd#zs$x)rDsT=>D3EvtC*V{ZpMc5+C!n$|32#Cbez|5HsRH>E
z=wlYB^5-}`i9&uIRZ(a{C{6HKBPMu4C??piqiuqBjhEg`pb3@>QKMOgXK*2E)kqEn
zHFb7BMo!$b;7y7$yA^`78$fRlam8L7ujuZFW3L#AtztNKit$+0;!ex0GN^JrW0HC<
zu)1Kq1odR_NdWi&H^BQO0AXMPZ7s^_usQ)#KSG)MKM0jh2*MnZpq>%K2y-}L4kJu2
z!Ynu^Xz?bzu~T@Umi)N@X$ZTz(n{bfTl;(XBM9HNy{`sKlrA<xnX>9Yrw!g(x3a~*
zhpW`BZu7$u-fgH}G=XTweuY~qqZ1H_NPcQew0ynQ{eF-)`Y|XB{TSqpesuJv5h&R2
z2YG{mmU)ALWTiC~RVwP1ZzZGb`5z^t?)e_xMfUtb-tU^&(VKY8`%R?6V<%`bZM(lR
zSnloB6TrO+8tGmKjdZVqMz(5CjZ{y7*7Jzn+~<MaTF(Q!wW^|?0Ik~739z9Gcy6G=
zb5`o=LGW+X`xABbFlbf9%7q`+vO*FUR(W%fxNv!Jti)zhevXovZ{OxC)|OjrDm;JV
zcf#Cydt|pAcxFh05Q>H-@fNRhqdJ`Yx8xW)3_SLdX-*zHX%f?8_Kt0^$uy%jLN;5@
z>e1Q5Wx6~QVSx(iDXg2cKl80!4~23D>^Mho`^zXNB+HYV{F|L;2f3{Li;8M1Ij^wN
z!j|;6cB2&H=^!2t;_2mtvXs0bqngA9w;4`Ay#N&VK9G3LN1pa0!c&73n13f!t^08J
z3kd^32oG1oBvq(3@!AL?bYT`i#tRu~Z|%M?+cCt_U2{W|V%*TCYi{Kr$GG7Eg;HY?
zO-mjLscsSYp5RG1D}mGbqd3<RPRo8>2^vY6tay>i&^|*Jl3^)t?e<f1YNZruP-?j9
z8>39YH^}J%Q~TSuXFh27RqjBpHUvg~KCguysdxaIz?!CtSIr6^MB9N8QtgUz!d3G}
zSs~T#9WPuptIUuqn-L6pmTdG_VWW37Q!YGsnQLk=ZF(k>YOM@5oKIL8cgEBwRWr=n
z$2`!*t-lg5bYb(>-{)*I-PMV&k<0i^m&rbZe|4^u)14JJ_Cs)QWtCR4l~!<OQ>5tH
zDc@`Y&E;&06K)~=Mp45rr7`JE1*EdMYY<;pdE%w?J-&%An#y;r9PmCAP54Wxx&qaP
zpp@w?hsQ@K_ZBObX@;369Tu*5Sh&*bO5Dx@SEyTvh9#I}z=UPqED9oK47W^c@==BA
zuNEZY{g~mbg#~$dCx@~6!lLvSMajX2KFc6pv-U`VX_bzIPDPp}Uc(bev#fpmFFMp`
z1;#xc8}0jaN)R1o6#T&Ce=xg>N#JXYK#UuP;F?=qu!$QV^~P9~!_DAuKX7>J#}KY1
z473D&z}^@_Vn>W&i&S_W*)^fOPpBx`4i%-^)s=p?%rt<T;QOKEeM+@ECoLDSjlue7
z-z!s`Fbg&pXrL!38t5P8`v%bu`;mZoaf;3)QS?0>^#p%n8$YQtv5lY9f!GG%larmc
zrVsl7oOdTynqVDx6|Q%B^apU_WSAms{Pn+(qw!ba2Bq)(7`ZQPj0mW<_l1c`;mp2U
z+R7wkUO<<l?a*g`J5}u-Xou8}caT?^(%S~wVXyJSOxW;NrgcDgN)o;SZ@(FMer6TV
z-)@wA1v3(0#)dN?0muQ!jk}!Oh$zjQ{ehJC2XAU8HNOIA!>?yL(p>cVu<aAL7v*YL
zuDJD3PCWaQsp2?P9)-HcDOE3}!29u-(^1$e#wj!UN$tKkmA8|hPNV*O66T!+08n<X
z>7B=MM|-@U&g|#B?s4=ZT@MK3BP?SX4(W+uFVOEW&*1~x&o+tvZV9|>bBV1L*kCo2
z)dpm;Y9tLta%jqAMFo9u&TYwL8l^zY-zQH2KfSY&{y~Y33jHnz7h^xO>W!}B;?x`_
zy!z7ebhwEURbCR=w2+R)dU(~B+NHC>D%mH$%F}HJ)<-dvQ>wn?k<R*9F_4-|U9@C5
zMf07=c=~1LN)#`UM&g{N4k%@PlBp~_^QBTG=Eu<i4J*y0t1zBqWv+xqBp#NN^k1;$
zofQVrqB>F;#uYX;831!LUls)rWA@UT`ly*_J}tA4mdv4*hmtWwb8<TQ?-s5VDLk?A
zVyt6hgR7Yig;NnYG3J+og=d5MH)=F)Hn>LVq`xU#s~FSCw(bD*^L^nYvvW_%z`7#`
z<rr6t$~9LEON{GTq(5<m+acCnJgvKESFF33Fi#?G!&{k_@iDxZupP>}i+07jvm!@g
zC?3*AxL&H3%AoY(pHZe2)R$_9`l9X53Ku`jR<TX`GZh%kC~a-W3xa%;a+9F}n(O%L
z$sz{5*Sq~V8nHBsn8_{(aKpp;D)JF{AGMurlODgO2MIyGH5ORzYY((kd-Q{mDb8!C
z%PX!pmREFf>+;&4pe`?WJo9^%jYXn_7rirK0(KPNxC&2*&t7AVp%jdUQX$h*u|JEi
zT`47JGvcxj%!5oK7W?pXDdI0yGnma5UZjsMpfiuy>Wyv5DaG5;;|q$#f6f=M)4w1q
zs}JoQlT2pvz3F>wcJgaB_Mu*Y4^Vn4De{E}IOr(4`OMW-m`XguyumZih-aRHX9@$a
zOzZMuj{^K84BgIkWepW>c^U?8$-4`*r(u!QUxi)93Y$}pzer3aBT$anRlwUY*jgXc
zd6{AJm7FfT79L%~(Et&3bSvEc%ORTkfMGTg$5s-48UO`BG9qi~Pz78@zk<s_Aj!0&
zNu~{iOlw1Nv*NfV3so%0B^+R`ECE@S{)eENfCQk8N&s3wLIGM#f{GT9kc@`7O|YzQ
zBK$Ay>So!{8|44H1MZd$O{g7{X?IQ!{$JX`yIM9I&=@N-Sdn|BpZ#BuMgIgYS~gqv
z=>O-6iIJ?x1Je`!*NQ)<ib*~LDue^L&jlqN&gl8>I^rLWIT#s^Iq(lJn1kqWbq@T)
zF$exb5KEka+1d<_@*e_5^k3;&nBK}XpG!g|$Qvt()Jh_?@*Sy_R#Gd8RQOoS3dj-u
zp5V}cr9{s&5_4g@XI#D{;Ev(%uG}$3dgG4a?_Knc;qU&@JBGjayE}%zyL!j4vSGBl
zwE^zQ!V1eKTsy{Hge>9jeomS^9_unoDw~0A)K2t=FgX&kq<>c^TEO!ADq%k&ruPTa
zE1<!2D`t4c&N<UuMaZ!6w5<#R{v%{kyIF-eo7E=9{oiXqP&WAY{{a65v9SV=dqCNY
zZRszn2vdno{SvHf`mWFmR{*riFX2c5AHFMm50m)pU7;_8eg!kh#z;yTMxyQEwe+OI
zBViIwJyr1c51}Cpp)m}>Ao{n)C`PxYVGL2mF@#v4;uwXQX3*qUBxYLZsn%DNrtNO<
zKha#ts;GQbk@!j_9jOjZuzG8FB=of18vI?Um9ErESG3YE46WQBMy+&JTIrgMXJsv$
z45EK=?2Y5RiCJ9F;eY_QbYdQmZEzZ~W|BAso9-mmntRd)c~IrDN#K=tkhY_%V#aXw
z@S5rdoGETLq{G%NatgM{`ovC?6L6}%tH^e?DYX&m<OCb)A?r3dnYPKPZZnA63Ss_x
z6TOMo{%2?};xsF?azy?|bNH{shEr|3WdSBm&;P&_gWb5UfJF-saVq}@VxcOP16Liw
z*#gd6!VIRdn_4h-N33HvmBudEt*ni;Svx86Ma7Ik)+2aQOPb*Fwh=#A-a5tQfi>wQ
z_aHu=(jI&~=_L4g(ziIB+evgNSIkIIj^#<^iNLo71irNr_?8H?oT9Moq|IR2DOHHd
zW*pYGxi55NSIkIN4(*8xL2aVDjas~QUz>=1O`N!Ald`o1E(Etu+;dLy;+-t55SgxV
zkW2GUhF#Iet{u2!b$o^2E4*G~YaeZRpxfYXJv(~B@zsyFVoN#%YzUBRWxvMTVxJ?G
zHPU!)zF}xK@cfIXQRh=rquN$1Kd@~xQ+K|EyjXt@IrsaakkgL2o3H=LBxlyZ^%0_O
zi@R3i4UA%6Zc3~5%+IK=C6^&zzy@$6cA(Ji6YJ0HbiOcpXT{CN8XJ4XWI8julZWmd
zJ~4OB0pnv1$M~|`fjlv*<hFV>)|4`FdC)j#|H*#C;0TE11kP#9Jqx{Za8O-oXEW`b
z?3d2WBaQda&SCBvq}$;)wECXw1MFo3b>5G+HmpcqbS~MM?SOyf0zQ%bXl(Y=pB|Tf
zInuBcU&n>`$~lK_@5_uTwR-4^A<KOEYW{i2_)2#UT-|+rSE)Zn%pX47xzntUQ`;H!
z=L8<hGFT1!v+PF)_ANX^V&%mwT96kjVIi?_zuIVjo4GjL#!vAQ`%Htl3m!WcUlZ{)
z5rMMW^=zZYP3yz!;C|Nu=?#P+IWyP(6}h1ytU^wOds=rX2)Fb~_H0Uq1G|YFu(Jh)
zZ?LoQy}{Y&J{(Xzg3Aj*NcnEh!ZRJ1Sx$!L>m$D>+p`WRKQE^=K}`uPz#akAl^u{|
z<D`K4gXH3nJ<}bSt9;d9JvHcC4nBFySFIw;`%tvP=vyA3h7lCW7eSUX_YrHV+<@T3
z;$#^y7TMmw*0B+iXF)05bKw4xD4&KDa0r}#9uS8jr64?NKSO$`B#Ya_9?Mty;1dSs
zFLhul%bC;Ek+Oc6U>hm<x^jnSf^x^e4L*tq2c-NaaO$zYeAi)z+}QxDcz#p*ed=8Y
zR!r_}vwY`|mOa@hdw*8KAwu>f19vYx>@5G4WPcJJ^OHTvG7Y;l-$&o3;@eo+^NCQP
z?1y#t9e5MjS1~B77;!d?hO%#t)I}iBzvU(DvH)KK#ThSlynG+#-mB2{Zxx{Bk5z3-
zFz>ztBuf$o%UNy!Gwyz?;{Lo1V?Vjr!Jp%oEOzJt0-QF^eZYofvPQY|pcp+zmQjKQ
z!mH!?Y54w1u7|kE<ci5Zo16bLJUjA}3~Y$<9$E9IUPG#w-o*rEB5(%rw_0|FIr_pw
z<T)#aXCvj3-2DZcAp9&R@O-U5FKKS!$MwT`gW=sqO>-RCLc5#~)4b3^*AZe^m$Ufz
z+H6NwEx#`h)rQA!ytM9#BfS=nNF%lpO^(loCh@c2z)ee>*jv2+aQ}}I>{~F87B7xI
zJHt$x)7v&I3wK$xeD3U}CZyVZg;cwXf`jHyc4_T3u8NnbIj^N@j)V&=6rr)9&2`OK
zEkNY-@!H(lWiqlR1e-$3X#QBXZ0;hL?Hi_b+GaY#O;~Rm+0T-_Y=_iemL0){P3z__
zT44%&)k)G+J-9b85$RSou>()-;h5v-a7)nthOnoBnXJuoC;2O;X{h)ehr{m}j_j9N
zi96j-{<21KJZ7cfWX5(%nl>pn$2@S+pO*AbA4ykF!#b-QD}OBvMG%;mnR&y~X1)f`
zE4)u7h`sID;sir0AyUvsqE(nO2RSy_uw^Z^X~L^{Xw%VX${EM(CH;+H_F1EVP4tu}
zxEIk1Nx_DP2NRg@K2zxPwYj0M9NCXrv3`C6bF`G@OgEmp_;YbAHvp7Z7%?trn2Y(h
z`SYinL{I;+2!xms8af9#I|@ZvJ+?Xz7Q}qLi=$c^jOS1h`qfS-5+^l0_*HY(UUFI>
z?-2J)g0a*82Mq!yvN6MLmIfdSKJDIvK*ce<$us!3W5=qFsHwlsB)nc|<Y_wBMIBDO
zaF*MaDBq#0>r5j{)4iT`ru+BKd;`xhJj+64$Kt$9Rue%}WixoQ#l{B}YU+5i8D;BJ
z$W+a|I;`0YikP}j&y3^QayG}xs~N<q?ccGgV}1gk!;VP$c(C2ZY!(w}e-5E0(=o+z
zZTQ()%CahGa;o}VIr~e%s<HTD6txU*ffb{_w1`K$r<6OP+!v7~d6uPczx|6HhLKoq
ziUm;!`0uiKMby#^IJM?JV#6P?>UdT#5H5uiD4r{@1RJbn<zAkG$rT2)MDA*;#TM~P
zKe9fwCI=YU@N`}7k)gjf>NTvYNzYcWbiB32w2w1!RA>?Y5F*uQw}i{=oKOu(gsLIH
z$x>GSR@z8#)6_LT^8e%PJ;0($mNsAz&l&dYI=YO*>WsrN=ZraG&H)uOprC@HfQVo~
z!HBL|F$c^bpdz9KMHB@wW5l$A0TpvV>afk;{og)=VfTLj_x;cRJom0ccc0E(T~%H6
zmbqLFl*?1gX_Yc21;M1OXc4w=3%C=OLXQI3F92a^-O^#4tE+s$K{ynfxa+j>O{OE0
zw#aN{9a=3iyO2J8>KOZu-hb3x?$=r9fA0FkC)hXt3I5Q7TOf4)5X|SkJe;;}0>C6e
zd58LOu;K6FNgk{e{mR<0dev*P&NF0YE9!h;3y*;ur}7$I0voug029~5_@Q*of%$}3
z$QjQ*yw7OLYO-1b8`P4uF*^}j*fI^3&*H09U0p5aE3!&eN3ojK&-Q=lC$lbWk3bbg
z7%_wiZ^T9~^i4(`xqauvzC8H_n<$!T4oyMOOi&--3fzbDIr#pU-jc5HH4lNQ<8eNA
z2hgRLR39O5hhd?n<D~CU#s}*^<ea72RKMzZR^G*X$zp^TeQ(lr;HQkzG^_VUtco>0
zJ~_U%tlQCMw9ojE;1$4b(z(oN0>iyU+xCR+HEPXXmNXpkIk5&O`4YSd*5_m$%segk
zyCt|!aPf6CR_S$-WB>)OddrrJByG(~e`7p#)PLeZ`NAC`!L3(ZYXtg+AC$-ffwp9W
zX>BiSdBo%&;wb;<fcakzeC$Zka5^L5Kfg+VM=#kjoe}*s4O{;$h)bQ94(b#%dTXO}
z$MD8slkd0@tbYz~bCt+!eaDGRc~R$r;SbcnN^ps(3pVZ((M)T6Ijz|NS~G3t#ILlb
z1E)1R7KU?LqjOQF0a@Mayyk6+SGTsq_~uqDa6m?UX!Vld!64B(wCj#`0f4}_$U1hM
z28dLH9~D`LpwHFMvKn^0O>0s22+o!3Xe+bUD6@;xc}!@p^VsVA#8k#PR~OS#T}&VD
zQ#Onn)TW86_r|P>G(L~_Xd%NGS)f50s^9bitL8Zgi))9))gF{6<fy$A`M*(QHoIu3
zy#%sMb5Zm>aLJC2l1ixI)$=xmp!m9zAc#SnAf5z4q+g4iLFu2UBm{&Wsu!;ii@z<p
zhgje+3<a$c!#L;K8%DICR$-i4rQ$Ak%OTB6OOQ=#8p>%$BU|bP+VMUOw4;3G6RfHX
z*gTs4lJSs;Py#c3L(+39Qb$j2CpGUAeY&?BJ*APXjg$ZnR$3XzZ(P{Qgep$}f;HNf
zs*AczFc(3>@r_&e9x!eQTe4)GtlP8;w{7OynL#Ukjjh~9vr<0t2-Y{yA-L}h2Vm_?
zzY}yZ;0_F>8^Mv6l@+na#r5E6Yl}0PgTUfN?Ib#pK?tT=i0yuWPU!D4K+ez!GG#D0
zK~OXtkJ)LlLntofi^?x1&H&(M7OjecKvX}0sJ7Jr*<!_I9)94x0KOm=#Ppteb&K#L
ziv{yvw35b{#%g|FHNX@xWbc&yK^2#-(yR*&TN1X^8fBNgC8u|m3Y5i&%T`hv*GDyw
z(?OIXu-`;hmu(Yz(KgK6wq7EuN81DtD0ok$z$>E&@LibW1mPY_KotphMXJjZgj7+x
zVE)?@mH_130<YDaD=45DyyKXK-olq1*;fH}t1<`N$4ueOK>?V9vrZR%ZY-#%eTWf1
zLZw+;HrZJ6-6Y|ry@oY``EYHCc5o7z{6eGwELp(NAC_=SoU7wen3W9}yF13d+;m__
z#FPki>|vqn)UiKQhyIVE^);*w25w{G^(N$s)C*%di79QPR{XXOl~O~0>$1#YyGxqp
zo{rx1k>BaHB@vlBSUSRm1LUSP2nMA}-#>g=)b2ayB81KlS+>aNJ!@n7B)Kki7j$>;
zQDq@LX4}RC#x?7gg|3%(d=WS^=WiV7HnqVp8374}M%<~(+=5D9lk+tNY{)krs5SU9
zYQsZ|?^90e$x$s+G8T@tHj|1lK$ebCSzrc+d;ss&-87!FY)YKEt7b_2p0)<v*v{$3
zUsdP9+U?~%QHz_L4yX(cl~E5SP<hp538UT_8%{>WCs+JNsadIRdDs}Wvhxa0#r=~&
zw`OpKWRuvCj{tbJn<i^}Ei0<3+WeMS{AzpAOu!%E5y>i*W&$o1owkMrc9jhFvq)W(
zQXJH(D{DJrWS~pH2pqJ4l$nV$PIjfX6<9eGC@v-Vh>dY*HZFT>sSE)~t}+Du{DAY)
zOat$~x$w`w!w+P4RwHQ2+{v@Yp^m_~IZ?9@bfFp*7$`$$cAfQSd05$d)Nt#;Eiv1U
z0+cJ<ee0xc6CbdK6|gBXFnbR9HYF^QCs^~BK$;w=e-F+d69`_3MZq!Sp{Px!J1_Y@
zo6iX>DE1X`^_~N(jvMonC)Sn$nI>SbP}{~Ctlp?8OBPSIqh+AhxTY{IB|rf<^kzBW
z(0LnL^KJuKtw%KPA0>gyCINB2e5nxR6TEo`6EC?IB`r1~sP_NJ!|VQ2tWn9W%FELw
z^#fcj>)z?I9!fZmlj#j=o4;5}K5q%gpt1<FGDUTox|WRe1rlc&lF#2awdZtP;d}zQ
z@|=ApF!k@VIa41>aRAlUIdhhN3OM@hoS`2{Ru5)LFQsEJ&F?L(1edXregQOY9t`vm
zdS3avh7|ernt-)8*yiF!6sJqXO)-Pt6p6SgbnyX2GiLEpmdLl7Z9)c;SMose$voIF
zbw|62BVdPE6SfRsT<5?i^$Y;baUz3w#F!&sz-->U2Rl@&)gP>s<KStd$H`l$by^tJ
z-g$h@(e?Yb`+ux3WzO_Pjti_=Utd;kAiHW{qaHI20;B()uW#*ojdb#cWg9ja(&7@g
z#~ZK3jjmsBY~Mb(Mog>*4CAXmKWYNp)wt&@Thz|yc&0X6K*0k@<ALq+fo#Bm!%Fsu
z#PYx#xXom>1HJs_R`hXzgy<-|7au5H^;<v@fF_^GoWxzRThD~uwf;wFPqUxGIEpm|
z2kwJQ{l$;E%j<2)Xrgj}KLDqvdlqwFI2pb(jIKa~u)PootL6o-2sZX}@o(cPyVMp2
za_Mkz4K{dy#`PVtA9}d%?q{4Eyfk#4yrZ(PV$JI1YmIw$%^w*q$F#>y^cEf>7e87R
zwGY;B+_+-ZdU;0Sbm@d7v^;h!FcU0qBN_ufKJ$xJj${T{P9>`bsz~UIDYy6tgk`tG
z1I-A_RGkZiYfZxF%=2@v8nvn5vNENQmtcod+VMHneBKMLqoYG^*?tkJF@*|{3omoI
z@HJq1EXey0y_@N{N$V0!mnG<W0A4pHSifsC@6^n~6_U{T@X^^RTrk9=1W0i^u&-DY
z8_2a9-KO(kFHfeE<raDU!}X8WKZIK=Bts7D70ezZKcq%T&ABzK`z;8VI>k6|;ffUt
zAruBy<3i!qElYM9wGVa%B#;3ZoaHTVeWVkgt!~+VBnR=tg1pev0G-<GzGKwpaoKE0
zg=->WZEud-k-Rw`RAlkc1x-d7n8RnZQ$gdvMh3eDO_)0YG$=TBZtR@+b~LgAs~~Du
zgFSQkKm*Mv_`~mVj^Mx0b$<vgrd^_LIX(|G;4a^I1JuD3Hy5?LO5);b8=K3(B^L~K
zPcVBZ*6?|8yT(A*2S;eKG{-#90+pdt0Qf9h4#N+uAZkVevn-%i5MKVGJ8UR4hEzoi
zy(t7nMu$Wj-{+~A^F7}(!E=1jj4AS}I|8);%ti~%sxHEIU++!hjCGnsnQqr7@lec`
z?fd1>P6A@v>-%{E#wR`_Ro1aRdlt^vEweou-CqII0~h)kb&M9;&hT3kK24^*nw@)h
zui0(96zN!pS-Cq7mbK?h>z2Jxs+C{{n9tNLF4X?QkCdjk8tbjX;d)>q9bQmiAfOX8
zp#1>idky^}U~n7Y0b+t$hb4V5Vf~7J#-fPyOhOb&{D;f4foi@D@;%@nUr^MTIq2Wf
zb`v<3PD-^O3l|52!%<#{+T+WfQLQI;fw2w5Co>L8e_QGe7!^}bU@k^9re+-9^b*i9
zGc?yI&(wo+<AfEiPNnZ~DBrep)-;TAO^KST$VM2jxTe6s)Ar?M+HjRFpig;qolxcq
z0nt?>!LqoN74^drGk)Oc;$5H(u<hyO=QUA2)kD~||G;KYs1p-fY?9gF_T(hipFeDD
z2cz5gZM%JCm+pf5@$-S_aa0Du);oYke=N)g+~#j4r6F|N$CbsXw#*w2;@_%nJ}@Rq
zH|xZ7fpTMD*n$((aGYNnod<YYR&ndoc4Tc_gji<gNLp8}9RbAu_}&=f1S~{X6$bV)
zbY?C1LgcFp!G?&a62QlukGZBzlbOth3!FjMP*-7vcvI~EP~T@l<cX89yDrI@thV?M
z5?B)57#M5_kvkGT&;JZgypThpR|=rwci+NbPrxRAN2iz@<|^kYCDWijFWJw1Mo%2)
zF0alv2gEK^17g2Z17a7N17g490kP4iGn%7u2X@37uN`)0O_}egLH*{=U9~D$4rnec
z1Q_uFK)n8&`csET?fD|b^EHA(?QDAZ(Ik1yO~K!He4x9r{qTgB^JD`0=y37Trj)oW
zV{GIc{|Nci4I#>7^qzi3R*{u%!8);yADUAoY?gn-&(iKi%u`^-*{Ck${|tu8jw#u|
z2;4-L2;Jh24V-mN$<{~h-ghv@f8S&;|EZHE?w%SgQ#ISDJxH6jZ}Q}6NZT_tO4jXU
zw#C_e+ntqYFc*EzyV`~-zr!V}!DhA6oq~StL2AmI9rCtktDmiYV$GpA<^r*?tp?k3
z7<T(zQFm%FvsheXc75w!!G6>IjPuR3bS|f*r_8ieH&?0k0mmWX+i`Hm84^D9d_wKi
z^WCkay+<7X$%VSX-Low;0J(`AB>5CzgA<u#$D2b0k4L~B??wX=%3P^eT$78uwGwbf
zj!Va3z=d`AKduX45~C3A47G47Y^fgM0kE>^!zIh-{7Nzhdf9@jXStblfZ!f0JkF18
zBXJcZyLaM7au5J)`m+QYG(@FAJ5`cEmM<)EegV$PBR90M1sOhT>J5Xk?k`yP4@^^&
zRc=I;Ic<22$w)6b{D7G5x9llh{-nyJ8<h=^N&DEMoG$YX<p{?&ZQU1X+_)}u=~{@S
zJ8^|WB%QO;$JlPd@G3s?L{@6fsCgqoMgZ|XWp>Kk6A(z-(>ej5_gYr<JD1`C(R!=U
zz$}|iL!J$}W{}-;%a=H(`^i;*g}I{Vu4I#eEIXB}VKc>EKp&-H%U*y(kA+X-#g9-5
zSy~nS`oYvhQ=3}dGO<Q%y#R)U%TdFa18u8@%bGJPyrAwRFF8uHG;BH?q=QaKdq(f}
zg^apnt!B-VwM*A>8I@OFTIDEcT1nNwbt;7jtc@u^l~6@+OK#*?g*m#34BWJU>k|-C
z0Z^%JS0K&(LSuvzY|IxLb5f+A*%%>B)Ye2-R?J059R9YL$aM^Qn2)P`N&&ck2mKpy
z6SWZ@Zo8av*P!w%W*HUyN&)zlB+taz$%`s#7o%@|rG|)kOl=Ql3n{z8*X?-#b<f}u
znmF#ZNaff#E)Xx~V@KgZ80-ous$WdN(Z%KpO1~vPUWXNi)QewSoSKeNzZ}EAyapvx
ztO<MzzfK@z;x5t9*P2Nu0;*yIfWi*mMf*F}?M3?{N)1-;8IATDXO6ypd{?>tok0?o
zE?WG1h;c^HnuytQ4=Rfo7zyu$sLk8gg&Q}mqM4=;2%baT1NwW*gIF0n#ld;oTr2nr
z8keoP&VKvKVqF8%_tt#jS?yDRq}Gg=`8o*R$qw+C$LJ!!j9}7AeXuDB9KdhYm&&+r
zx9SIet7^>Q14`yX<$EB5-WRo1F^g--%ap0EnictdU8*BtvD>5eR~(%!`1^Ry7;o(0
zgh-lcm+wdI1$K(eu~UAG`@-yQ+kb-S*@X=)>SW20Iq^&gEPNWu1<YXTX`)`m!GgBS
zG6<qS<dU4hfNs}N>B@`P7k3q$&B(kpG}__7;a3ou$VxGOFg4QD1%hx5S}s6l9o;b4
zcaC?kFIc>w{j($I>>u({l~il8VAhz03G|DY`eyTiEs>iez#ne&**0aX_xZXNPKeqW
z%U(QqVN=4kOvHJ4skFn0--;U)0q$rL>tz-(=PR|}?E&xHNZl$~muzUn^IaczJ=eYb
zQ5d+T3W>w%8fX{T_#cWD{J(JXy8p0S%0ph9bM>@atvLKk_;Xzr%<UAod7nq-4<Vto
z$*30M*U;x+Xb?>9xh@$p*eu9k$@O6yaulYyZl(YU7dVRHy5<BG_jOTKldiBj#UL{Y
zzR-Bz%H|?~C&joy0C4`!|4#w?zx}o8?iW48$e3(V=Zx^rJa8<o|Nki@FVOibbEH%o
z@U_6CLWHZDkT}AM;v5mC%jIPWyZg2%EZGEvEt}(o!{D`zI04Y&Yyr<xCGRyzUFm@r
znp}`|v7Js0*cM@kIrux-ZL&MIGGTqh*6CbC^j}<Op*54|G@n(&;CSBUqN|-QtLmiA
zJ=jkMW_Zsb#1QhTzthPFIce#Scgd&Sj=Fa@G#ND%5Mqi2_j}T_Ujp_9L<W$2DeD#(
zBR#XYH5v?9MBtu4n`fWM_w$1n{b@u07rI&+hx}lDR%BeZOghbj(A&XO7P7{%I)YBy
z17_BCXPNOFs{{qK5+-tNcsreTqr?0>LDzki!^+^r%V!yTOc~cvW;#u~Rh>4na)@W(
zhAU%ngu_rW4Wdee$Y{-U#bM&4koi;XbhfJ;!l0!`vr9Iv{v9xG+EorkbtzW=`1bkF
zUpi$pZ{BHOm1?&KJeF^j9y>MaeCEEWW5@PQ?muAa<gv0&yE267Ih(cN65AkZZw5b8
z*4?v-pi;iCscar3zj@#uF7H2{DxdL8^G^wm%&*|N)_upAeW$L)-re(ubro@D4{t}0
zQG<^UJ?(zR`bNr)Gmj0AhMa9`2SmHxotwC98M%K1aEW@k4jkIVQ2l-zvPI4mWs^Q7
z@?iXtExw+^$4qjXXgB-dyyydlgyN2Xrs+K@KJ)0l=-31Dv4LrW(nrGWe%d6DAP=L~
zDL7B@&$B!V=EjpsJ(BWD_jkF7E4pXmxy%a*gIG`2)3q<+5IDj4xdmYACP+$LbJ2a8
z>+HV4)?MhQ;uZ{`-%j*SI%2CJGFfB#OPVB;4OJ|_?I-{TuH9XxZRY6F&(ZEuAK}Qs
z_?VN%Yq4W`*2U9oY1R!PAhcT~Cosvao>62WT{RV&4oOb5S+Yzhq$!0~6mi&e;kvNQ
zgfhzEH<oxn`pJsg*#fYB11;Z26`^tKXMMf6V_op5tSsv|hE)w=0oEAVAIic%;O7Io
zh4tMeC#XW2Kccx$En~ls_ZKT#a>j(gW8YV$R+xa#$@E*&XFdUaMr9$j^NEX>E+_Y8
zomuD6-FwT_x%82U{Rs&^`^S&>^>uaK?|TH35}c!i<ltNK$Ct{j(w9#3VLd#SdWHHx
z;Gq3NQuu)#hm6G`sPhJOKfEG()qWY*$$nvE;FJJQBi@knmB}34&Khbg2&XYPes)i(
zEbI-(+mpoXn4LYsTa9NEp0cuJ2l(=yV=e(iq|5R2t5*^n@x0Z=wGY6jST{^g7?ra$
z3m7eMSr(P!%QR+oAHGbI2Ei!aNeQ+}i?=Y7QJ1JJ0Jut)sN-E$ruo2$eFm79=opqL
zD~2zT1(v9@d5L_#E|Dda(-u~g#n;K7uTzG3osO5RQ{R$xYRcECX~{b6!8+Aa*QrTe
zI;w#*)zPhFou-)A=`>%bUEL)AZ|ii*yiOa=m@rM$0qfL^PgSXtR568%6#w^Rb#uOs
zx8?Rpm#$w=>VrqJ_Rih9$<*QdN_t}@Bl$`$Fs~%s6PJAcziY-yXPw4Mk6SV^)En`h
zC|XF~6|>_AU+Hecu+m3X#H>a@oN+8l7&(1X0760WbH=wB6-pHLPQr15PWo4VoB{~3
zc8b(fgeRb?;3w{YQ8u5Z8d$1{AbKP{&;4j15ohV=W{#9#ijPS#UOqIYpFOi^z`EkC
zN4wSJ^fZs)PlO}%(R9efk5HFDn?$}iz!Zu^)Qg8WN4hsSNs1p>OY=GE2ve;Mv}zx0
zK<dx{>l?)#>zL1x!x+{ugw6Qxb7Y@SjUUmvr<M_4@Jx(#2uYPZ&7(WPN4M>rq;AJy
z^y?4XQMsjV$60+stUL4VIIv`_fNir%vQ-+sMJ&M*${{^c$BIq)bF-ls>tT%bN;Jk=
z@7qv4%|o?Bqy%im^L)IX=JB2`8E@<l<L#r4w;|t;4b9_S8v%ICS~L*jZBoa)A3M3S
zdcka#wRWO;Kc3|KaeFt(^V@h2myCBwDu_v*viR$2;>`Y*3+^<Krnev~bI1WJHk}1>
zt*NcdDe7eyhW1O$1V!!7`mq77y-O%+5Azl{hb>Ut<Legig}ihh(_-EN4a{3WPrts0
z53klhzqGs02`b+N(VUdJcCS{0{R+)}Yfg~zX<`ly2ix3?IxZ&b`Y;E1MhnqJ?T72|
zf*5qxA)H&Kyv*8v>=Z)Jlxlf_X*>4!8s%h{(KYUH-0qa+71Mt|JZXrbpPLK&6;WPV
zYEVIqW3D~=jGEBB&&a5_@$!&P!idCc?w_!$$svypt9y=PI66GYYYTHilgL&V*Am*%
zK@Dr0hX-Zqx&7ewLt77m(OWuU$)E`aRv&i;`nur}=)xKa-TSHV5je+cjW03FNz)e2
z^_4eK1A!L4WiQ1U>}r~)u=mLB_3_5*$<A$B4;$IF&*<pG<K>~9gwe@Y-FQb3x^LAZ
zYLRcLZg?w-M4c8da;O4T?s$cjavALFGC`&;t1o9fFdjJ?=(AhKVK_Q|NOT7y-p+ri
z&X%!&FE!{_dFfMqUzamfE<{d^PTU!5ycj#SP3y7FLovC^>2JrzOxD77V;j|1w~_hS
z*s#v-tWF4<V?H)vU#}l@M*sNE+q@B{2E@>xreg<=pS@!E+&K%6_N7|)s@6Sj#7R&3
zQ|j;KG^nMa`im}bR@L1-rj*lnjTjVl)o}Jm^vR4vZiB|o9OvnYxH0bRl)m?{V;55+
zlH(7^k3Ft>cQOog_2_S>PHKxsv`W3@`0W`=5A=N}9DDf3@ubvC$-`K=_43e3uG7aE
z{n-l+9r<$sp4X>Vc?Z)>%f>AcT29UefMs%8MB-tYbzRhFU`M07dw7JO+^?J99(UI3
z9uz%^!7ysXkQTw-aRuQStM&t{o2<9~-NAF&Zw<G-5}d|*`iyZoG&Rm{<;rC%jmt+&
zaPI8~=uv#w81mdV14;I(G%C3yDOHex0CRPK!L0tjye~Bib~MprTSy#_ZFx(pQN-p^
zrlebq7ZfjA27nZ5B<W5QjK<h%dS8;e^F8aKM;U7owx6>pU+5stX8D5dbQ(-t7MO60
zjsiLlbP-;Gk}mfY3p|3)%d)}wc>iu}lSqg@Qd^fx{%o-RPG)RMqTD+}nCv|%z}+}(
zN=$Md)jt<VHRT%OX7G58T$s+lEN>4g0Pnj|IYbLEAxb4W2>|Y!lGSIW(ruHr1rny4
z_)kRl>w^Rov7z5A&t6o2UcyhRd)?}lV(cfOu$q-cb{9?LZcBAcEtE?XYT}s`JRBuh
z;*PIhuqOPA9mwXtO0th+DmIqMz!B=5Nj1@e`Zu+^YV|IY%HZ$P=6tgFT7)hDS)P|v
zb5OFdq%8S(@Gr<0${<rSnv`vMOsQ;jj3()o%Gt#T0!BX4pRLvOO2QH~1OH}M`g4Y;
ztt5^$XIOW&s$}gAG;qvH$4b^+MUV`&rcUOXI%OAgTPPoHIU9;yMWO1pS`4zV376$k
zD=;(__1DtQWZxN*)}!Z;Ar2kWoUY2+o~&XP<QQM8jjW<x@y#ms6}3H;i`UI*%0;AI
z=V>e`+p>7{pVh5cP-*D#8z0MoD$(nV;K0hW=HAR`WJcCJ@(wF6dpQX$sS-6FORccQ
zLs|Dft6Sd9x1#ZY)4UliI8b>{?9EyRs&$C!+@bPzU803ntkOtUopm*^t|wXbN30Tz
zkj-CG1AMB%r;n)8Nhl4w8mQ|?s@{q!*>&*}(B2_dht)E$TAr*9`T``+>!u<<$^!^L
zJ(ck5v1CpuGO_x48ea5)4F__~Uw+II({<fMxz{Q8qD?eeOhzPY3PPbX7yZRibHmTe
z=T@J(WVjv}HF_h|H_02r58Sx4_|!SW`Ay*`>~>#t5?hY*sv>s@bM0l&eejquUJ*^>
zC-k20+Qm>M&MQalNlESW)7#1Ld--sL*DmJ7MSqcR&QG{((7lY^apdZ9yXy!S+H?7g
zBZseqCEPT885iBs&Z+Ni@x-RU0rH^5!}}PzhEGWj1{(0_;K0e<`m7#4$S`1T;3zwP
ztjjdktmse6jdTes*i3&<q&Y=@3OvT)W%?vpJ!32NcmE9P@U7rZx@-lTA6}Bp{YObk
z)8AEwbP)d&RQj&s%D>Pn<>{g2-xkM0EN)v-HKn{h`^lYVr(zx7eoCBio|W<oAwlR1
zv}8Q)?42>-ql;r50Vi*)iZ?+cBqg5eFQRd#HAwy2VsMDXV@i6AbUaYhUnt~jSpE5H
zsNN!|I_l3yv9N`#-da|V)ejRIz+z~vpmpl>Sjl~26aUWnGnFnF`wkaqWqPHL*|zJz
zcDskJ1py8Q&!B+Gv+dd@Rt~>ycw5{IA{v#tdNC(v-oDv8W!<gRsHnJ1>dp2q$}>cU
z?@T%x8|WKlcjlH5<?eW(o3V;xzqS)M`0faR7&yXvlCu-*PrJ6(GkEz;8|^${N6aL<
z9s}^GIsAB*?@gmNx~OU(&Qf9;Bn;)Zw%owW4^~o*iu>zhmHw`Xv&<|9vliHSrMply
z2op811bKJAF9NmwPf*EnY$>6_R1=hV?N>^?n^WR6P-2+91ai_G#uGMi(o9hxxOgzE
zvl==LSTn11_nAs}=_8(}fR<<`!Z=(-66iaeqSdk&zgB*O*Y$)~zFRGS`CIu>CVn5>
zD5>;`xzbDK9^B$z-Bm9KEA;sWrQd#vC`VN1@4x4A&F9Dviwj@C7k4Bt{X;Pb%uAPJ
z)X4C*^(Ch1)O||d5q6gb3Q31!x1TVcj~hR@&v=h1&hnb~!j<}(uzE1@OeyZkZ;sF+
z>kD+vWc#GZnk+BiCF5(7M75CEoehV}JWq7O*>>VbThq+^XOYQ?pX=_;{({B`N%pM%
z#Uj6pmU&sp7p(I5p^v#(qsZ^$Md*66{yL&B@=N~94;B(%%TeVE$yrwXXi^NQLrmX~
zfBDrA5eDsR!O)_LXp^G!PhjcvSVC7T(o++-UY^ofB`3TmSoRXCqgbh3LqZABQ93s(
zwo(aB&v~giH|X~p&rVq;r^9%+_@=ZzN1qnIJ1SNlcUGA0I~7q#`na9En-zcRTGXz&
z)Aq`VDMGZ@_<aM7wVQNeKQZk?heEvJ^q7}Qqb^d#%O7}6R0Ywna`SIWto&>J<4<SB
zC$|z_KI?j@sm!X1kJ(5)RZP;HiJCcP#FXhnurbTgH9R>SK7ZuwG0TYLtd#So&nLs`
z9=g54$A16<S!(`A<toiuLt_5vN$W52@zO2(U3{5;;Zjb{g+2`$_UqeH?vSBRxqMKJ
z=`EZVUGEEf)^FOi+mP(B-PNv@m{Lc7evfAFhPkt5&I$IH5zD?&ZvNx0H*8+tBl#wE
zyQw?*TCvdIqeb~Q*!He35z&$@(%%HDF(0lRtHjH!hj32RJ-kdk@Yj3>lO5}ubh)u+
zY-PXBK;ibg1%tmag+gP5p`e2EzoYWu=WUMMxO4NIT6;LCM1lThLUPIp|Gn<pWY=)P
zZ$nVnR>RhfoA>SBJ11zTU2KZ5YwCn;<BUCA+=h;f^ot3S6Q&FMf;TS;G|ZS2GHtTY
zmR<gKV@C>;4<4PBV5CkP)&A*x&Pcq?i=k-K>7va(-d_3x-Hv@24<CTe`wYB!lmqOp
z{`jG7QTt{0L}A9vSs_!6V>}OKU5h<*Z1>iAv$x1clZ8Ejp4-P5TXpGMrE1o|TrBC&
zibX~+>K&M2uJ^{hf(N?rZ#AQ7T{wh-%izbwH|b|TeQ->zDOVHku{C-cx<_+50$AHV
zlZK(DOxEfa8E^HzLvypK&P|(?2UPZ%Qa>B9V4AU3`s)|B9y~AmUJ|Cc4w^OChzQ6P
zJ|ddKOsEFxKqun(7(8r!_H*w}{YK7=xwcI{P9E?AnCm7i6%Wpwx@Dq~S+{|pB+9zf
z#;1qeI({PJ=mEPGqAq7dSi;nE#<#$;M`T4;R*|Ye;}Xn9LHV_xEy4R*IU0$N<{|*k
zglT)uTs`(IYxlO0X<Ou}td=lgieJz)ydf{}&iZt#&utoai+;|sNxAp=DgDKJE_v%S
zQ#VAMmc7plfgYpgxpJ1{mpf3gIa6I&LN}%M*)_p;TMz6%V*K2wD_hX-{^<7{wcoR*
zZt*fQ%TD~RLKoVdaJraqA~G&Q?f2+)ho+o1et7i^&|clZ*_Ocr!en&X9)W_VQo~x*
z0iP_Qb$Xw`T?yxp{E@L|)4XY$Wj|I<@bvZ%@`u<2rOvQy(q~&9QifPPwY@Ixp<x14
zYyOBSdR^R&Kk~C%h+9c7Jj-q??xfB_59D>`4{7|5?(p>JEHv);5KOjSXwmVmcrRPe
zOOvFg;FWfXsfkHDNg5JN_L3!>#`>AG%VE9xI*(h2IRmhKjig;C`AJ%Cnd|<PD!!To
z)|ZAqMJVNpH1idED{2e)mxrZKR!t>sJc><yPcDJ{`w6Q!i~A0-Wt4E3xica7jnX^t
zoTT-7XF`A)YpaFen1yAp6o)|mC$*Hc?{?Av7&`Wlv@Vi1+tfnRt~VWGEuKFPP#j;w
zQtD?4=P2rD?&@0&zYdyG>eS^&4^w-?e)gwf-P%A8$QJ1153XGwE(bgk7S9R{on{;|
zdP|C*Oq#uS-%xD>b*%QD)n;|8*Jci^&fPjB`P(&$z0-$&F>3vG65yWD@m^4zbda>|
zDZ+#Z*Rc{;{;des*D-1Bp+0kXWeGDBYpV?0pH?Ow&Iby?QdSKlZJlLbl;(k!p~_VC
zDb*xW2PGVI2Bv|_XAcY>K64=6TV`d<IW;?@3oYmIF16G_ve{l#AFpE_A^G%$RglDN
zFg>tqu(oPu(l%Z8iXOkRJgQW;`rV}E%XL3>l*Io%m1>WFsruO_rUn$u^DZGY-)VXU
z;DD;!^3CoNkInb4E8a2gp(Kp_E$_gx&8n(2_GS$vyvVj$sstAsVaTT7gM#)iW+C-*
z7EfjNS9Ho&=`w;MwKM6I-N?9*^d`xYj2SP_TWyst=$9br8roiY&EC|OO`+ck_rMCP
z6IDX)Uo#L^3VrLHX-T1v(cu1ceQWGBvPo}ZnsOG-2T_OhpB|1)snbM2zrQ8N-_bXD
zF?Q6eRwb!NQ!N!a8{bbk>%r^$C7mO_yr5Sm9r46iX#xGZO8VM7=EB^AsuG`(3;%IY
zyK(tq6VrBb)1Mm;OE;-=vM`G69ER$6I-XYC^z}*Cc{FrGlCZwIIfH7SvZO`4WrV-c
zpIe)}GtH1RE~3FoyO80+$<Q71rW<C=S}=XFT^y^%zsO4e<6FnJN?GT>bqTY{=Va#<
zU64APb1|DiZNpNAzBcNL|4J%d1tq=jQFA_bHy&FlZK;cCe#qR#vy9UNH%A;jm~?8R
zjIblvL`IQyFAnFY{|M;>>Mq7Ioe&{T3~(LgXpU0IW+=1tTh44w-;##dOk15c58Uds
zZBPXSA=WNLSPg_X#*QKTWqAj4c2Exq%THGUTe}TPsASqiar!;Udrt37wO%Re{$#UY
ztHAu>zKA$D7pR;-O+ja0<}rT}g-z5mm-PhN?4-QnY8u_iWbB;z%Wh>PpSw=gZ`ts-
zg|=T>f~EYkz?MdfR5m}U@VaZ9gKA+{d|_+k$z;QO`vc6{4*Iq?qC==K=8gs*b=Fh$
ztD37Zfulxydv}q0u{rt-DwWJiox82k{h1v%b?D%+KAjQGf%VM(428sPvdz73a;BJ`
zYHLOCnfrHZfBv&ISlBZ!J=yYBX1R{>p2}O9rbks8T~T)2v{6IHPV0<V4+tr;-BB9C
z=A_Wj0LAGwr;Stz9*FK_BkfMjSd+5nXhOxl*932G&l#hP%?4ir6)1J#N^X2)kZ+`X
z@wyN@!7-|bk=0;7*MO3~d43}*J6m>dBgFhjY-cJt_U6B-!dWx@Wi5+JBi5!$k<XT-
z^-|v3o79vHs29+ci&V9rDOCB?2?igWT3<W+on8kiOYKd|5fYPU+&Ar{N{9ud^Is$B
ziWAv+oQUOo_RN`pj`2Ze0Wx3KXS*GxOcST}G!isM{m}tiW}SqC<tOdsL}s0I4L?bX
zL%&V}MY(UPV|K{_k+}=1vJTtoKEgbJq>!^I9{XaQbUBN6uE`ZEZxi*s{2e)Y9Xz3a
zyKh=TRUuzFBkx8hQ(N>qTDosqL6v}Ki^TpaEkPHcG5OVW{V}hkCZ{Ir5YFthbU&L%
z$?2J``;7GUD#3f}KIKwpV{aGNri*3W>+D6s(N$Zw?K0{<-{T{(N%xbU{fh$qko*G$
zQd5tn^1l0JquFPmK}Z7)0xr&dQyWf&3N3hgtfc!ALe?f-QOE)l|5-sYj|1~&9!ik6
ziBF&I&r2#zQqO$lXnxnEKenR(AR6g(|4or6jwdCpl2<uM#o@F{^qB58+L6Zc`?q9H
z39%>b;ZD+?6KmFJmh{8TJB#n60zf|UEn~inSqpV16-cMEY}B+mS9HZqr6tN60ONoT
z74OCe*igunvZ?B(Pr6r4CEb6P@NE@Jl5{+ue*J^$z2f;)CwIvwT}o4_E}N>?{ih+m
zR5z!&rQUph7Dx}WdC^rAH}I40PgGUFY8GjDFH^Bn$Z^Z2;h!9`bzdx+O4pUwxLZPS
zLA|!X4fVz19?FFVo_nUY=KQATCtV)FG9>%jzQadlTELuJzpbj7J8SAfZ)26A*Pzta
zT)gr^*1bD%U`}9!d@)N1+8VNbr(y55P5alcS-NDM-L5}`wKHd|_A+*I9Wel*8y7EM
zw0yCh?)i$KSu184!HfQagDLCs;5u*Jkm}q0z`L|kj}zFJ3w+PVzX51O2~QJCm10-n
zPjy$uvpKh^r<vj5PEez-asSRgH}m`@`kgp%v>t1|jYr}Lpund$(jCcU^9dVv0?Iv%
zP;B*gin(`FAfnm9%TTesDeB&&chTq`-iN)t?oB&3;rnlm1HzpTX61lLc!MT%<>vUD
zwW5`hcoWC<`(Ft-v-~e=b=I6+laGR@<X{~}^Vq%c!I$`ly65zpdT1VE4W1){FABZ5
zqSmP^7>V<&)>As$Tu%!eXP$tMY_9Woy$2*5S)TH=q@_^M1@#k`%=;!p>HSdBPB`4W
zc%<GVZ@>!jfL=Vh;sG<Cz>cUlU;rR-b-ZP4{?%$Txtwlr&~<ZP(|;fxC9EVycusOw
zcexj$I-+WRTCH-ySkiA;f`*cp+8|Qn!I&U*y1H;)w4EdHmXjuP^NWQbez|`QMu5hD
z@S-RAG$I9_)IYPIX-XZG|J!0F)K<D})D;Njw2=MG<4(r#xRc<ir8LgTqOHrhU}baF
z_SFh(p;xcUGhRRxYAMlSJP>fDIlRV9_yqMX2D$sdD}6~l)E<7#Lj(oTQ=Y9LyX}im
zKts{S|5OGUhtL5!ZvMUlABXyV+>Zl!1|D)B{i?rs7{LYU#VdxWV;buA%KZv6brxW$
zWR2)q)f|QIY&V_@?Ikeb6FF_Rd{l6os@~~=t%7xar!sk9&+k&Ddpu3;sEb77@d^H!
zhfPSH($ljxj|yq>7adF@C7t&;NUn2WpVS;X1G#($J}T^zO`cyGWb1~8@G=uZP-sgC
zFLm+~jA$G{6r4h^A-9CwgEt@M^@fSpX`Q>}3j*5mPww+io~xheFwY2V+mN@-H|C?l
zM5-G3Md!@RO+m5ks95Jp(=dccOt@NC5>-0*MR$-FIff$Fc-!VP9mywEEi)CcYCn{@
z!mEjT$fuXfC7Xf%r~a6u1l!{W2yY9C*(-Z-cW0YYNr67;l{5sG>%HoTWO_?k#+mWk
z7}cwLD1IK2OmE2xcjqJ&`Gg|yGFevxIS;atF`we*@p~ERFIhDuVwTzz`&rqy!jx?~
zi>CT1t1zK^p)r!KQYAn*TU9qLXJ@c4(3cLGNTy1Ufk2Jq@qh$ujn7C-Zz0uJ7W|X_
z{xSWB+fPl#?blo45?7sUU2%02zTE(Nc5Y4bt~5g;*x^-nA;W}|OTM$i7&=*~7bHFm
z!VNhaqj(ddeu`W2wFSQ=KU?6I#Lo&6?|+4}KMuh>gBR6X@-Uupt@3c432+32pHdng
zwQ7I<Ob&MfFL)-(=dL&(9@<}sa&y`?z-SieI)?W>>?}L>O!7FLDR><_JuB15DpMrl
z)t|Zg`0#<?>AUTiC;MFpiC7eK!~id@{(6ten|AxlG?9K6*88sU!sDmt)TIUV?0uKv
ze#R_<q+8JwTcuPUNHjt&<gz|se5d5GzeU!Dm2S;?gA*<d$7Ff&bA6Q|XJAGyrJemE
zN3d6-)>Xp))E(mbb;t0<!KA8-)AKE^h;PGs?tNoKlC1l4BCclU@TnTrwR>H<)$lAx
zE#Jjlt6|;S$X{2KZ?i7gX0RSdRrf6ZtFF5tsO+A_|6ZH!l|@>~_T*RbD_q5VVS1Nr
zEYw`^Ulo5sy#@bAwZ-QBc$kxS{VSr^n9j40@um&|{*R9m7@h;W<5G9ag-I74Q1yRG
z=B=Jrr<x1wynLs)jRFtki+6<oaVD_gPG|A?oOWfp`M@a4OY0PHHwC-@`!M+xmEp|O
zOO<*0m$bi*&e}_An#z^#q^jFt2KuT4IHFy2r;|y|GV|GH^?*Cwv^V)dLii&o8+wEL
zrnk9E@x@;qq#ng9R36FCOfh+01dqR5N;ivFx372(j_J2d&fE=$9OiB=5)^_mvn*H{
zdJSU#R|wTosl6ZQ5~hyV<;r6$m(u;&0p1|R!@)(VR)>FbtHb}+SSUHAxh+Y*Y=q}C
z3TgrR?d(6b8mxwTh4PQn{*^U~b9U{y7}V)$&j4lAbLuW#%U!ODjEES7C_ZF@3FrO7
z4HqsyGUPc%cZjeXuuE{>?!7hI5F5GkL~=ra&tbdt+rq)I1ESj)nWkO8hV3r8-Iyw8
zP7{vJiVku&czF9cIXdl$bGCDA4;^gc_)MSc3*FmPh>_ZJE)+z7x0;h1#F;Cz9;Q9#
zLW>)sK!hosenWN`Rb7ev0&~7j+041v_6Uq#^7&?}wCczFt!yk7L8<Xw#gqS|qDPr#
z3vJJd;OFg5_y#BgpW8eJo3@UALJ-W_AVa0jXXV@<oX~i;{O-N*WNMd8W?^KF+c#ss
z$OwJ;5M?iGp2R2KN{RCK-fma3+PZ;)Zrl4ghbFrj#`*cV`AiPm=Z(migL)x(a?Ba;
z8^#jN(lux>%(|seYH4q>=QBTstDJ0j@_=02^1b0tw1=umyTCa#dR5%9K0#$|&)J`n
zQar46hRNfvI%-5~dvHKJ!$IY_taUFlObBNES4E88p0h#UwOOr;0T~Jf7x`pR-4Y!a
zTEk#`=$8xtPSpL{9;-Wrd$SIqGVmz=hYD<yk^?T_A4x%6GC>lUwI6h4cwppWF4A-U
znE3~VOD(d|OsT5by88_zUH(mo2e>cq|0v7d`7X=lgG5<@oq{@0>WfPh-toFm`0fp}
zP(A|~0<D$K{;{>{To6Grc*=12VqO`A4+<JczjIlrgjyi?52(11zXUq2<tR{u8Vi3{
z@}cWO=8x6=QY5SZqY1wEht$6OtRV44;i+`gGN|xN;ZSoeyjObN7uo{PkfO=c{U=Y}
zH9bo9pr(3?OJ{M=w*cB|vff7>RN)WbVody7as$IqTYt)nzoI~ar7Or_2fr4N%J|^}
zba{Bu9BOYm!hksZ?-tR{B-{V7m87CjT5PHg_h&cGVe(QDI6SYFK7o9Mhp1AVs^a`z
zJvJC5xn!c*g2y||6FE-F!+~sViZBy<e1_b;kKvW`8{K2x`lvW^mmbFf_6CGL3F_Ju
zO=Wk_-mqZm?S80GrWDxMCuvx_yS+%a&`wu8J#g%Vfo8Rq))x`ZP3kW4HL3e6foe)W
zw7-vEP^mbT#)ns_i%iP_E|2hh1tVCB$Q$7;*nMrGOHNNR+I{UVujya=FYT@FzQw<)
zyB~u3?pypX73%UWzHV8If9zR{A2uy6)`XHt#q5~p^#4cab;TvC@GsRdz2_YGzY}kQ
zJ4Yf;pQ>k0<a*}2eI?k?LMTKA4v`HUMuDqxl4m_cRsa|Leo#W+P=14a`9s2S<u}Mi
zNZ@C>L{nWuX@~R76M2n5YneyZ!MKuNHsed7)H7GfIdlj?RatouW1jWloKhDuq>WiH
zgt=BF;Jkg!0vHD59NvygrVVdr5JbvmrX7mOEKVYa3l!1WcsxIyt-FQ#o|COojgyWN
ziS{4*a~cJ%Su!Vq(wdd(R8I-FH<=T;&;vqS6}onssO;`!YRW}4u7JlBRZ>&g5%j64
zDtaN^26eCpT>APQtokjsoU73Mm(hS0xzsMV1+@dRPak+1Z+pZ;`Az=#Km%~|R4|Y>
z_2O6=xh>Cus1L2=Gl1{h(%d{UqyIopZwFbMAZ-tR-8Vq#^IC=J@xxTcD3;jen)7+E
zR~**z4l6ZixbGO)w2w|_0;FbW3}O^3O>*Rky|KnC$DCnAQ`5_HLeRVwt3zbJW<to;
zn8kp#S<0Hfe8#2iG*!;0#eX@#!0+hY&$0q9|KequL31a&2F+QuYOY;?y|8fmzD0+O
z+DO(sPjMzZ+i=;=O0j0m^`ByIy^xiyRhW}z4y5)%c&cR1zrE-jjQ`=1Le1DtVWsF2
zGSxFUc*V*PyTF#h;%&PY#TeCB3_LpFNlEGW8jnLAY1V7@PSj3=u$}+JGFq8t6>Y0b
zyCyORWt6J<b|@YtP}%+Zi@+@<dsLgk>@Tz4g86OgA8Y)B8V9-n{saX%0_rQO$VCY;
zjoN`lw*o9vASOJQwG(sjtO~i}BeyEA_C|dhs>|)lKh>bRFb{1$Gz(PM`t;?;xu<(W
zVE$=n_ZE2UhSH<tS?h<#tXddRvqHT8_*#Wxy>HO6t?3(2Z%>D1<#xx7L$^BKWXmd0
z8F(IXjlN0zE_d_iu1=6RY)&agmP31WA5PgS#=K%9e2mVMNl$xo*<NuNmC-9d=N11f
zg73xK7}=ZFW9R14n`f5scp-|nRjTK)EgVp(2dhb~0hRTvxLjWj9^nLI{!zle->-f=
z)LPP<dO|DAcm%(F23G~^;ij}ze=qgu{WW%Mg{Iw_Ve$72N-5j+!`#{d_G^Xa{-RX(
z_6EGh9@Kx%0&-Q@tJ|bEkZt{2tmZnqtJQjHSj`3XJ2P7Y)4%FOHRs#med`HWjP6fq
zeIRfZOMUtBg}1Zc_6wdg$hhv|C8~xBa6^>UG@9VqeW4w#ufo=Ay04vZ=!JpGBEuG7
zFc15Xae<vSiNZ{}X9>1YXia^H$fFbj?!FC8eO`AZH;lz=CSRz3YP9|r3Pr9v@ere2
zg~(S`QtWW14w)$XA5WU#hT5z$DFx=d2WTHcp|$Qg`fx|>!*kw;S6}<^9DOK~8>1fe
zrPX7Z`fBmZE3T*N4MTFgSU5vqe4dEs15N!HCdqB!8@T>e@lSZEDDI7ii5r@maWjSw
zoiG*e9{<Cc*|zL8<-W4n0U>c2S;I*L9HK4!vB&{t#PpCkyn|zwD6u=@%$oCt1~$U;
zvaj>B5Nn?fKy(-^&<Lfwe$(YOhc{iehDSp#a~Jm<-I2EWhPC-<Q5yUaFT>3286jli
z<sE>Oc}9o|a*F_4`Yaw>xD!rS<J)A)vjL1)>E^(IdP$)mQ)Tiq3NE=OI&L<@>=}4q
z<#VPX9fe^T*QehBMOmhVTLRH%vef~THWK8hH!}k7qw>3vG}-f=ZlDroTZL1Uu-mK8
z!6RrO%tq`%QMfnlY9+i7M5q7!4vU6xVgvPbQ`#wTONlYeJz1|?Lcbi%yuDhkE$VuX
zSvu3p*{Iv;JTv<EQl2uV)9R!B`Ezfgq+J_K7VY5Y#5rU{0tMn8?E$JjhvRdAJ~o_X
zX=c<6tmR*u=bV>x!vi?j!lJF=OZOOmIK2P$>izw6{`j)~@5kef5|BhZ0Kg{!fDdL%
zu?x5ES^{6~7hwT+b7)r1O+fG!Qu()3zR*fpMcecaBR$%M+R-e{{m_#h4hB|ed*|fg
z`>X8OEVxdMJbcGM<yoZuEg+9-u6cHu${R@E^b)JN#_ndFE;xycn)YFO11tZmH`QFk
zPh!Nf*C4*oT=yqy75_s8;IrYIW+UG;*2NuJe_-U5H!Z*+aL=OvGXP&7t`p&!Yb;v>
za1pb4J%I@SsRHo*g4A^qp0*dO$u>yll@}DXr6?0}io-c5!Antl30{}>4`01jfpzdq
zY6Y|%6_lV{KJ7R4fU^5gJs$1enmyH%eLCd=p_l#uD??Uy(F5fKmrbC>F7_-A*Hb6F
zGrq!i1L>}GQj<*wB~M<sFRH~Ub1KPghukbR*D?4tRm&wEnpeY?PEw-vT?S5b9xb2m
zD(sJp-JWE;b;6}JzzIgRz#*+RZ^*a~MrY6Mk(1@V-Gp&*7be~|!t2F42QM<6nZ+w+
z2P2sc{LbdD1(JGgD-%_$f>@k~n(sehhz_;h0V40WChb|J8FEdIRp5eI#@$U*-*K#h
zT3cQ;C!_KA*ZOuNu0ru8q+GavKcydZy~2o|?PQoJ1kjKN)a<!sDty8?WQO9RgzJHy
z%YJS&o|SEvIQ%Mr^=dJ96|JBg4H0fKz!r(HLENkF<Pmu~JudvFoW)>F_QOlx|L~G`
zG$gNoz@7jKxkn<z$5!YfR!G-@7MZRb@fi%<ykQdqycf({xdQyU%gkmRH*d?%r8|vz
z*OTz7{!6{&Dii&eF7}fZt?A!4J#_)5-oS73f0A#f^kDtX%)O_Q<!_Iwt%sg?1qcG?
zTsBI~*^+krw(<CZA0Ah`^T$=GJ}hebkkFKyM*g?<<HvjYzi)yg$_pUt;Xl7h#W1(W
zZvKar3XKDGsQ1DlfYv>HjVT~ZK_d{@9iR~}IhdXUwbI~iI}v)BpPD2x8yQd!?4<aW
zV(j1)qXVZHJIoXVIC{-KV<*RH?qYWmeDz8HzS~0@%#YwOwRS5rg5Fg4rB9_+@YLqD
zb2x#Y8YjZxV+0xim3zco*f73xG)l+fE*wt4{wPjIIyQ&8T$bu`wc~uwBGc7qTpbMB
zUovUvw~k4yoVqS{SeHbJ#$qKRmle(bN{X2i;1+441TefiW-vU!mUH5C(oCGl0%5wk
zOMBI$ja%$*i~1oJg@0Q#Q1S4ZimQP(@D`5hKpSYpA9Fgg5h?+hyX-MFc=+I+C5)=9
zL9TJ<+uCx#gtGYwxbcK0$1#7y9?*b$Y(O5fZc?rNXMXUn>Z!po&E2>Fr@>>UcagOz
zQuAd6boUF;X9L660S#{>tXbRGQZ-R`jx3d*h3K$NyY?E_ul{`ruxFR=!hLma&Fr}=
ze2g7ECe-kgJz1IAgF;;Abg#IW8{(wRK5MPp3tJqH-^Fd5zA>aK^gum854087B2n84
zQ|o)4YP~K2#`6U*9()4HmrUm|x3yFbmW6W9YXr5%om~C}3FzhCwd(Z=Gq_T^=S3!3
zVcMYlD%oqQP_L68gt#5sH|{sCTlf1?K=)ncm+NzWx!&QI>+^UM^Ct`Pzrg+V{e|PW
zYT;?VvKK#;3(Xhqu)=NTD|b6A?N*p{?Kc7-;OX`YX}JdV>g50d9SB$Nc3izW=OG=F
z+*AF}0?2MR@8L@-&3ni<-)5ZbtI8Pg4e!A&{3-!<?icEd?p%B?#O>L#ey=fX-O{CN
zcqcz0bydjhl|jb-;{&?5%AMG+LQfHWb}J!d{#RjVjSe3Zwa+kX{;-{X-Qdf@KpO%b
z0`~wCZ%zJJMXHBFoEh#72R+@b3z!bHv=7svwsbihE!|obG7BvY827cMUYyBuQ||>0
za28*4zbh9$0=%fImy9w8mkii+7dGKLX~pyERNOfaMC}kvVOW=deF4gV*Zie9s}PTQ
z^ZDG3-bgK>jXNEdv?umx-)j~AzZrILbziM}O$&YDTL8xLt1yf|Fm(G2O2@4Txz!3%
z3*d>EJ%(;inv7Z^B;9lYfgPQgcJ{d09<$xKW!TZ#hlAprNLztvQGlfj3sum#QReGa
zfkT)T{$t)lO*OTk*sVny1r#1$W8Sp6Q|C@XC9`AZ?hD@I^sxfdfem15;m*Gcpm9Kz
z+8D8E|K@1OB3ryR`)>BhWR@H>ZY3tsir?%u95)U(J4Zh#Q2LfMqhbnm#4XPzY1A3y
zoWSxt>c`(RQ5^3wqxc16zQh)ZtG4f2dC++K(9}*cf+h)6TSJxGr7+tGeoGenVUoVf
zO<*nK!SFf1+ej80-|6x!IEQ(~f}aBX=8@+t_&Lb40GFwI5po9Bx7}fCb^5$zHV1y&
zDscp67&gJc1c+~Skp}w+T_HCy=`JNmkqUs?;GYu5Hqd0<&I2ahY4+(he@Nq2g#Y#S
z7Ft6};dD<$ck?LzNkw-9R2wIKiDuHLi}zH%K#TbQ!nTDdpI4ZEho@?VJ2nxYJ@Y>1
zfa9GItiOJC*Wn~N+51Fb!u*Km6{f72w9#Y7@iWmG;g_tdiE~EyyLfxJM7hRJjI%y}
zBs2c1;l{|5ZQx+mbWoqpo}0(*c843m;7KFgx*FPC>4r$1y1V{LL;c~s`=X;Z2TmR5
z>E}AlZqDBMdv?R~;}E;AA3iQ3DRRf|{k!BtV-m(DPq3an)n}fMQ9F*Sy7}|e5PmOg
z155I2ZUHRpJGS@$yW3w|)Pg}|$K0y8Zt_YyjXe$XPUEqpGiRVj0M^ggp-vEb2ZBJt
zV$u?u7gf}^1q5Gsb8-CiadQUFgCDbnMq3NJ>0_QHAYe;b#n~!0uYpbBHE!vWDRM#n
z%lv%9o359cRi^<yL!9g`^cNxy#O_Nno{jV#+Ock9){xoC+9nVu>OLSD?f|u@#cUGm
z17PGC`JlUE{@FLO?nBn_<2|?8LB4yLxhFO*&G4c_DieD+P8~ba?p${v3QhsXjHe=}
zVcI^pPMFLr?b`ARY!6KyImX@BsjutaC{KB4SHbn@^~sNo+TPgC<#TEL2TMBk1?Z8G
zL(AXD?MfF}C6W2D>q2{4tzlJi@qkrvM^xD6?NJq1iobg;9W}{NPouRDc?RR7{8yF_
z^Kla{0bUE{#V<rpR&TE0sF!Yas`k`ri{|;uVX#3bpI7WE3~#rco+Ru%7{1|%@m##;
zkilao4saY35iwC7-UX0XnUerQ-Z%I$Ip7uHg=KmH4Jojqy}|lVxmU=NN_R`G=RC}R
z0-X3OtT~sEWjq`^D`2ObnI*({42$SugzL7IJ#3@<yzfAwy!^3#sM~=j!E)UGxUDh9
zw1ZwwPUF2?v64SyCAsDwUdvWwz(N8bXv~g}_`4Ro^~=?#b?|#&CQl~JW8JN_J%jHn
z74O@md;}bL)7Nc3V?tMAMan$9kb8Y}oYQ_8%W?O}-njTQ!yi4;nPsgGLz+4ra!>TO
zTY|}V@*UyU)6gmxh_~3ihv|~O&(2YMlMKhBcO6fS@*d+oYqGZ=949BUApIccs1xx~
zkul-&ec#goBMhU*O>?r-_6UAX(tYau*fQx0IbuTQ<5hR)r2QG^jzk?xji20Xqdb19
z+e|MYr^oBTPLz5=qp45LdrYX&vIqR+t!@r`lW=lpY>do)TQu0EhjF~e_MOw^0X>9?
zhfe$4f=k(IxS=Rz163c!Ob`e!y)Nr6Osgladch5NS2hxKxoO1%RJ#qp;3;KGJQ}m!
zL(voZ0tiR5X|n3hIGLBEqpCY2Dy3|*XUk%kL#m#Q`VZpV9ICONelp~AO{~*(u+KPG
zyVPF7frHUo;*3dqr%iHTmHl?qm%lqedOf9Vw3kLuE2;jEUiuqp5l0i{p_hdz6TO1Q
z8=a@_iMc~n_Re?(@5fCoS@n6$+R);<%RANgv61Tg2xNe-zK@i}eIJo9-Nb)>^L?ZY
zC_vAWj(ajH!CV>2oge8McWta_&V=_P^3Cp#tRf190@?PPgX2<~kz;v`=EHw*hMwl<
zu=(&}sYi3*o=7=JoTI0lY?cGz@K-faDNqxYg6!e~)!(Ij(drV%zVfPL-xp8dEtD}(
znL||e&KI*=pE#0fSxp10d6H=#F;R8v<KLCI^_7QPpLi13Yc&m2b0le7k*K=$RXGG#
z(lQ2C#*>wGsKURhaZz~$|C$=`{J{_Ig`=hvnQCz7pV6upPVpnv$L78C&6}@Ai8J5U
z6ghtN!Q+N2fd@u!;Ldy-!Vg?IzW89gA!XCnug-i^8py-KrZ~fyZ_*4;IP-Z<be=zD
zxS@WWH+SZHFMadkL#=S)i+m-Yntvb(r2OEHL*JeF4#gye9Y{6gk2~<yiEs7@*=_N}
zF@|1n;tSzUd?A5TdW~5<(akVo?rgIY-!SDT8gEj58i>Uk2H|^?r0AFN--@1G@moI}
z>M>qOL|A%f2|xX5F;8DzlJ0?z+o~V@M0WVyA7zRL(Pk6MtS?E|AicLqt;QrNxdSA2
zmCn!>6P-C={t4*QGf7f0Ak+y8(=z&7k`{mH>A8uvoI-_cC_2f8s-1+~xJhEY)lPyf
zbj5FTCs7FMh@rfb&Co|At9?YW2fkJNh~IYj&HG43^buv$J|bO%blyk&G)X&o7ugPU
zk?r7J#Lr}j?ciMmuJ|Mq8)WVx+J6pEV&27I^f1`mK^RI)wjq3emZ5vL>I?>>Z^684
zuh2DHwPV5PSFqZxVDu_j?bLO2%2w?Xz_d)kyhFk054rLVwM2hf^6s=mZ(8!sEI?lt
zn7gu!_oOWE39Y_LF;^`QJffP2E+eRGkcKYNHg(Q`=H)7p$h$|Y(JNZbyG0EBg7!%5
z8Ly%G=}WgQX=$!iF0TM3?M$?q_fffrKBA=BOQdU%&ijd<SX>WvaeMN`?WrzqPxO^~
z^3GBidP`yE?xGi1+$yJ}DCv~xsRX#W#g}Q&CCep>jTO~Wiu9WjH=o#$Y`sF<<h*(0
zMwiVaDpW>X0J!7kiZJvM0Bs)41mT&;swiCnO|E6_6#XTtkWS(yo6~R+emL+CUBPK=
zLcDyxx)uNA+{Bo^8|4*XRZnf+ee|f|e$V|)>{xYZ_Pc{?NYk9zKg(mhpTDC#6pKq0
zz{g$`FGdHB89iw_kRAZZS>^_vyJZ;#Q{0)@q3KDxjvbbrQv}~>KC{OgySk*mdYO`*
z6}@L}z-~F|ln~|Xve(JTN;hiGs<3KL+LIM3sjcX*(y6PK=wGWRG)JPcBK`L8Hb+fp
zbDbGwU~c6UTk7dlv?k|-Ta~J#oLk{5cSWB?WwJh9=ilL@{aM(9WvFo$Yy64&US~To
z_~}aeb+Rrgkwaan>2(B?v8I04*)C+)MDM>`qu*|#|Kyl$MGG*5jMP2*0iigQHR^HS
zUK0}Rzi^tdg-gb(m#5Ni$M2pKuuD!pEksNiyRW|ydZU&I+f*&D9dHZb#HZZ2$ve}5
z_a_I|PaT+Jj?%Ryf;x4ejx9xPaT!IgbT#*vXP^sn(FIEyi5*!3ZNENx<$+Aetyr9<
zUqHY(U;oX~v+M?q6-GuJn+h;q*5-%rfp4368-XlF3ok@KsBZ)R(N1V6;t^($u!IKj
z%4cDUN@izU7EG=FMq*E1MX{-ndKB86zDo=4>o)Q2a2GKL;umHtIRgKy!*vDSjN8mn
zI4s^G$JjRj?F=2iaG;xk4Y;p#ZKUbM+<e*!OGKXs?Z}Ng{lPI=&yj*GPv4_%_b~W-
z)KfgM_;hHp-AXaB5dg44geOYZ_N<#Ya`m89E_O>q*OyFB!Gb+L*6=-)uC9SMwow4)
zfiw>u!)H)#3&2jMY1^7rW|bc_CyjigbkDJw`7e*1yL#pLpoR^`^yd&k9hBHBaDLz;
zZTN>e^^LBHFYhG2ec$<DeVNtAX7+%0M5ZP)de(^Hlc(~HtD!wt75kf(k&np-jruEt
z^r-nYulXu!t~aKCPZ{2FUG&lW)~wwk2W1MObAy%y8r|GC#stbwccwp}pA96p`QE{D
z7hC7gvg;FZ!Q~lNs<o1Qg$!z+YClr@)cTV6oV6D6#p=L@KNWs3{*vKMm*_@ztRDL3
ztS3W;COvA_Xy?h(9ML})rOZvrxNdno7ZG=?s4phveR@WA`jm)4d*p%p1dlCVo1zU7
zyLJG)G-!H+-SJf6pvQ=v!;SX+oVxdm_c{?MpPwomnH3S@WtcpD`e--T?FS~?jT|hD
zJ$`OFkYSl~QSfz3s*1X+V)=7mNMG(cd(sWNO3QS7Q>H$mP7lD5qvg*R&QWz3lDB2Q
zYZ`e@9zJwp)C)WMy%k%aVbwDSktG;{v5NiyUhlvXS3rI5MZ{O=Dzw1cgXi2)^Tx~>
zS#hZtbaLMDxhDpYXN9H+P@?D`5+VXwu2(i&y}>6R!FTwqi&-7BHoD>pagEoSNoyyi
zGM@^c#XnF}ThW6}T<EgMdEsc(G%tC6^1OthG_gV#aX6b8;<C_r-sp-;#D&R=5*H+S
zBAq+@I;*E;9euJ|hx(t1C*J-)ti1<Z6v@^$&M@>0PV1=5j^d0nO<LVGr#0)E6D9-{
zBS8U?oIynpRB%-g6DD#-#4H&xA)taepn|$)7uR*wnz@D7|I>r+_1^E^_r2fm`~R?=
z>6+^5>grRcPF0=rJiF3%r6gpb_}xCcf_4Rz|7eW9(;m(<hQy5-Aadvz85|iL;f<2k
zWJe@NCNFtr+=pLEb7rJ8R971L4lVYbuEhpIOOZ@wkZ6hNniXq2v4XHs6qX;J8<xN1
zgK>Wm=|VGcnG>(3imwVX5a*wP>&T@m)LDdBn9EE#Ed;Qsm@cK47-^n_90#B&TKmRj
ztR}o!cxjlM`$~TwF7`A-*r6@X7scE15q;~EnID#`Tv<nEs_0JQsmelN%}iWXQIM3B
z#<^88YgUCscqkXRov5ikbh0#UUsTwB?#O9oU#MH+0_9IXPdA~0x*5+QVzY2{?n9!4
z?ir2(4&@}KrE{^OZ7Z01jq^~-h~jLS6n~#R%axNRP47mTQ<hC!YMp$6|Dl`J`G=3B
zq(p_Ja<rS+KPV(35E6xsOM+Eoj;7rX34NzkT>SNtpr%n+gNJS;doEtI%o82no1D2P
zAtq*rdfx?R+sfcLKjm=uIg>aa@sb#3W)b}I-N}a2cQ2JxBIbO-Iit)gv+ho;BL+9z
z?#bSd!HUENOb_cTE}e5qAHm7~h_DhZTeBl^cl`Dp+qm`n_H5j(yn62F4N$K{?&8kX
zVD1sWI&@2jQuZ!l!VIU;&M6*gtGQ?~E({J^73i<<O<1{~Hvkb#;kj~Eptk}yu{!T_
zR}Grrcv3ER4@f(5EG^|gZhFvCXa4|C1UHS@PNU`XJ@#eq*|B@?E-re{{!P1;Cq;*n
z)&=@351fx?wIN=rH023$RORCD>!;pY%fCLcv_+xa`rPQqAAK5Sl~1%=$u@~B#j&M5
zn&$3Mj0~O0#><-d&y9}p8LniIjq--<%Ih3?F_iu$c8Lo04v*RryH34oI<sN#o|sIf
z?BQk2J`^IQZjei7K}jQ_s>b`G;?s@rReUC*GVBi;5+&3#6;X30njGS9gPvW7yh4I6
z@|1+wxLsUC4Uj`)HbnyzeOnTz=`gf~70*g`zMz(F)^@$h7c6QbB3<z$P?VXOl#rx6
zy32P7M{Sx&pg1!l`5y_5#9n;Y<J5S2Hy;l#^^sMc$xD>>p8npx9QtM<);gsCkMmNc
zE03djT>ZU$FcL%+GE+s;UwQE_A+hqtW>NGdCLkkkO^))fp5W>l9N@>7QGmRpJM2zK
z|13?rdg53w_#(rx{KXmvOHtGcj7?d7UVGe>6DC=jnp9do%*)@KmdZt2Gcz9X@>_rT
zV8P*()Tq!DEVPLOgF+&C`Msz$z9}eaLOV8*d7{$f+<jTfgxxV4cW`^JGjWk?Vndb7
z-Gl6Xxs9TzbGm2A)wHW2o;8B}yN!2wJdSqq`=y0d7Z#*A?Bka2aoe7uNZh+8Co3gl
zWxD!k1(V|KiY_>Iv4f3Gso%+!+@Y|8YyA|#D_6UFc<oO0P`k`!{PIgficpuEns%3n
z{UyN#XqyozH#<E(K8ag(f!Podu`xpFwJPZdN4h<@H0;-j;<W?k$1pRB(G$nzEVv6*
zj2?JZP}oG;;ywR>iwm*fm4TkU!-2UBX+s>Mk6&PTfYLE4qlhE6L#Tszbnd*HxDq<9
zR<NDi5)xP{0L{gu;x1J00y@O&2Q;b|HkgMnkfRyA#WwP(V4ucQ_y=;n79AqrCq9Lt
zkktPW{T{m*4{+gV=<Fe(y#Npp{Avj<oG5ajLqhoTm9JcJ&YLJvn9khAEidYH^kY%}
zg`7%gx%|0@X2FWJAcLCWiZM{+W#w;&>%1!5&NKZ*0Aqw^T}5_W!j(6KH(@>BDk!|2
zgGgoa81=OWkcs<R&vout(_MQoDraq;E$L-EM1<Y_>+4rC9&3XFS18x5-y9dgt+r&M
z_w3%7h&E5s$S;w3myFWL9vV#|We?NvWMt1J+Mj2E=|$X`A{sf3D8#adh=6iO4Pvwh
z>WnfPGakrNNEc*&0FE=+!_g(42TBzub2CZ`vO@fl)yGdU2fQ7#W+;bES~3tg+~bNI
zYL}p~L612U{#--B6=w;gIASRpOolRRMC3;U@(%2oB<IU-7-ryy|4!9nN<!)drld>=
zubL3~fwY8#M9%jdvu^F0^{bS=ftf^a6-P%*WQK@In^I<c$}xXlmR6Asm4dtVrB{Sx
zG!*E$Lx(C4tj_W);@*>NW~697?Gfp{HZaNyqh4gr+SI6QJJQ1#`)2~0%lO%c`FJSi
z7Py{MR~oF2Oh`=Hp1vm+vb4{0TR^ZPG%|cOo+Jnu{m}eVv@!C+6J|s@#}@2GEo(3g
zd>Ip_;TL!s=+8NAMy1TDmSL?wUA$M`cu|mcjhKRBaxf&dss8f&_cJf`c3K)1xPr^E
zWA>(}Z_ieq%JP`Em7`9g=+(bOtx}9RI^uWrFBjztLk<<fNE6v?@bX)#lvb#)n;Cui
zaUGdeFF5d!bbTO%UsAOEkE)7aIdXrhc%26T6S9206L`fiy?d`p%clISy{Vbp#$`;T
z*wNQ*o|oJ9L{GJs4dZ{fWX)maUg9HP<X3RM>OjHKWY8HvT^Nb|14AMJFwmm-M(<+0
zgmUHQ=>~sdHisv<At4?Hn6J~@nz9R6!1+mdLQ^IuKV6{UZ=hb9%2P;8L}I0!B%Y#)
zB5AZP4gOnvn#TWB3y<3Et?6Gy`kogYyGYC~3IS%^Uw*Ut%>DZ_&x{>A(`NYaYMYx}
zm4TzzfuiD^11C=8xG!Gf<?aYXH)8yNta>0Q|C2cUDSYrke&s3?ly`XTVddc?J5%zw
zD-)|OOs{29^L8I8R1~c_5}2p1t(|>g(nKcN!)2GV(#1I<*n^vVb@r^9=}e%<8s{Yn
z``ymaQ8T79B&=F)y}0<w)#Bo_=ZY3joU~-|9NZBY-Zp)oPY%+YCpO>nbX!-6@bJAt
z?2bi85HG4PzbBFnjCd!0lX&*(E9@_2_>;DZQ~BAaOY=h94y$F|BdY3Lj@sv0ZtsG8
zzhmXuGU9u2|5a8~`+%t^BZ(R-Y~9_b*)GaByhuH7RFPwycQr7(Z9&{K<tAD3(g<!m
z!fAi#yuU^@!}p7(#fc6b*?+i7vG*6425O?Z2~JPiM-+J=DlebRldRb3wre>TE}F7|
znS>?r-$h%(wyX(LjB}i6=?=iTO=S733sqI53fpfBu>Dqq|KW%j0#z{J0v%9A22_FZ
z16#FKWC}>9X%*1RXOsT3Y5!TIKMx1Cxdt;kvJbn}glAh5k>Nl;MAl)nfuUwI_)Mfx
zb(i14zaK8YasFUcF*of3<K*cc=%Adu==6(Fj@VYyMWSCoOOv43v1$9}?P{{FnywMO
z-dB3|y7EYFkY^@$sg@~qw#r2yk8#fdw2u!rJ({sTC;laJ)7rI)h)ruZuT{@MO0Ago
z&U!h7NCA%FqMb~wUl>&rgV&b<pD>nG%WoD`Rwt|BNIWxf`RSXA*R)xFxmi>iUzT#T
zVBrm8|6tEhw-`g252+Ss#iWO)1)siV?3wG3ZWC+RJhhvcvLOS0q9zJz-Z+SKT!rTA
z@tib0B!gds1{<Yo7JUBuA3P$v?9QJ(<fQ$vr=;y3E*(ZU>F^NSlAz|;R>hp#mR5X9
znYwS?hTWX(PTFJmOYI18-Qk0Iw%t@}vWnZVfC&+e-@uHxFAk>D!l_>HQk!48tXdTt
zAI60a2I1De$ei^BzW}0eXHZ^{=Iqn;!D+!p=ZWE;g-$1BndE`yjC_Y~$Jn~XJ2ZCn
zwy>RDPHPr1o42E7m4LR7loLVD-Lv`XMJ=X`--$IBZYkcjjFX=fCA_JNJCk2@rpvSo
zzRSIWT-Wp0B}DED-?gR-+F$14pXZt8ws#L<j2%R>nc?6ya@i6Qu{mPH`b`^@3C)bX
zNH#az99(NYL*R`yRY89|ZSioCS~g=fpa=@F=`UbpTlQ|)7qcHA`MgYjS5sL-dj2KV
z8u&EwQvIHn>Vt>&7i_6CB#Ii!iDD8rBu4KyBt2_HG7TLrirKqy?_Nmv%Gi~0E4lTe
z*&CQSjpD7L@hjs(4Shrt)-%>Hc>fedPj;F!)04m1bJDH+Od09*T+r}{SYkG8p*b#(
z6BW^33^+TN(Mq`k>Bba@5@<Jup6n}sL?UmC9?(bzJudQU`NT6<%O;YTpJ>cj(GU{D
z0RA|Je@ph)ZN&Ika$QW^-pPO20tlh4Hp~)OqnqW?r<r2Wo<*@y;49K$wS?Syb@S;>
z!A$_J-|U3Vnvf$fK3;$Wb02r%<}49uyQ*Iy6)EAJGfXsj12ef^j7&r2IimXGzLvmw
z=pmw`3|^5Q;+YYSZj&M6n;MCGIT_X{SczTZDAHX>wrO_asrFzF?!mhSB+Azi)5x35
zanbs*k<^r-`9rbpfK{{#Bo)vK9_gh3C$;5sL<h-nrY8_#jx+N`9`JbREAph9nFXRi
zq??Nl(GxSGnI%`mZ-I{xMNHS<WR8j=$A+U&)T5@Nfw<f|TO+vqI~np?NCF8XFFKN(
zo6T(zZC}bXXa<UI$1`VtKHt-dem{eJ?=OxU!(@5-?pv%JI&3mvilwzvUUO*;@_C*|
zZd4sRR-Bu%)<2Vj>T&n+5BKCLGHv9V_BAb_B;-+VLT;TeKUG#v&Pw=3eDm<+(`@ca
z`E1eVZJV}jSM1uf^Oqg!s<KI<r(VMjcH<kgqiAw8V_!d4jE^O{c3q5itvI}Tc@l@6
zJkoolJZjUrU)HH<uT!L_XmjM|wGj&1n|6|)Cu*^Ch)eKXv^TH*CkBx{uZSy|ZNc}u
z6Qs@W4Tt`eWk-+%sQ(6$%r)YzxN>`G`q3kX*jt|6t4S<77D2xkhlTk>cq{wNeGKHe
zA5J}eeKIe|J(olFOSP`Y7UtSwMDUOJeWY0C9$^8>H~*i|g=Q$I^%E@Pd>4YffJW6l
z$YOh*hT~wkyykXpX(_kh7US%&#BYIemS=uZ*3Q&@$s9@JwP{9TR#IB3A?a8>QnV{|
zTSl(p-MAX6KWe_)Vn_8kOQs<IK+;KNX||Vxd#ImJ0H{`ZX|^WA!~rV<LqY-!Jw+36
zUN2r35)%}lFu6H}$e{0bfkIwu`bFUoL7i+7tdARV(&0$swRClht9WASvWL8fuK*gQ
z?yab5N9loMWz#Mg`@8!FyGI#nyu~@|(?gT}F4Y>lowUoDyVX#Z|6)o{G3^>KfU<O^
zg3f!6Ad@bzxcK)R^x{R$)#o#-5l(I_`|T<TlHU@MfiwvGVj?=3Y`B?z>dcO3UFvEk
ziK0&W9a@ejR#mqcLxuFM7vCxgvD*U~;-72|aS~5oyTEg#axx?cep`crv|WRZ{=oEc
z*c(~MAK0v1xt{cRO2#YpZcN;es_yB}#I4#C5vh<B4H{xQe1jTjM}MelaUeLskS-7p
zS;9;aHx)9|#Y5~{zX4*l^x>D$5WTPMMWzmJGL}rOnEzgn@6#A;jtza-Vl^1!qm3?M
zitfkhx{R&gQOv^XDj?(V!>VQ>8Cnfz-!CtR4kK;l8msCSD}L<lQ**k8tmHdEAF{B9
zE<AlmM5OP|z=P_$A1dK41^>76ydtr#w-M_;czuE;@0B^?yT$Iq$1HXP*DTQomA&p?
zR(KuUghBwt!EYaQ#`Zx9ZSs&j`!rns{Nin53^*#%+45H3zLsNXXSM7zSuBx#{?Wt1
zQ7zS)f4#OJf9+NNKiR2D;u!8Bku~YHv~3wMTcTM`o4%H0uJ>(GO?uS$;?K|3bq0<e
zC!0B$xn6VL@e?QVoPJc}YTYelDU}+dDcEEoA)8=_d>{0&ij1r$BVQX4)5n^AcVtP#
zl;7o$EjiIrhnpt-{;7`~L_VWmofpfJs;o!^fM`ZzP7}x2lgUUTJ0)cIrW=+)<kfXj
zD$&euLV!za5v$X6MU;i02<+gHbzkq;To+qkQbB}uMkMIr#D}Eej%-&Y(4e+nlgJXr
zOq1X&L?xSBd4TRm6?RoVXsyHGO1=`Ym0xNxxbh#>h^^%7u??*!;mhSKVvCXyh^4Da
zB3}_=_-Qz9(1P;+wqHV0beWIc*jPtwt{aiyCQS$aisoNc_jLIhk*^u~;JaKVK?4c+
z26Dj)+BYRiJ`Kn2lddR>%7hz1H;F@QQKk=N1;45u;FUL3pKah|jSuFOOk5Qly*^aE
z{U!rPZW;)mH|wK5%)aELU0KRwxjsvrygZgI^G+=A<7^!nS;4~mQ=V4<sm9mSqH<GR
z%*`)N7J_P`uCjv><fuf}7=d~oj0jOB>l*7p#ILP&I>T4ngMYb3#1q({58?6XsoR}O
zZW-qxK`vd@{;C%sKK{#^HGZub-`vI*eyt<@bd5ve?hz%{HgxTit!r_EPs3-nwzTnu
zt#$kAs<9(xgdH(5gwHBF6;ZExj*8qqfBp_9Yl^tFq-^wZk2QXN>Id5n6`ogSB}arM
za|h2di2?43c1qKUqp-t+t7!WRqu!`v>g3KIxtGDs*A$VFn!YPjc|6q@?kJ}s9DV&)
zK+|s{S8sfIaisa#w=eD-1PYsPc()fwQ4OSp>}!~I_s_di8)VvV>#v8(HCC6^mU`wp
zrt%K<A2$Mh#x=;*Wszdm`S}mkvX7BS2m-$`N^+=6sVQg`YyKUPiC@cXNa5eq{S>^Z
zhLo>w>YfSz4*se1zg436dnVtO|F=rq;GW4hclfIf$A2yU!I*lLtZ~f$QQW5p6xTTB
z+u}Y&pt!~{C~kA>qffqJ^yf2j@@r8a{?u(tmeCw^JS~BI|8ouh<MTrne!W19|B{8h
zcZm`^0{@VO_bp3jNi?S+GEuK>bRD$q<7ch<jf{eNYmv8f+a%E}Z8;-<3^YQGVv^W1
z&@X&Jl%ee-tklq|uPX1KlxGvKJeyjTr>>_+DzbUi`v>2Z3jlE|+0X0VN4g&USr0GZ
zO~jQWLCah`gIruZ6AS!X`&z`p1E)PN!!jYqn*_w|v5>gEkw3<++~g(<k5+@I6`eeU
z@IxM-;h@G!2rExco~w|+YK95QGy{e3A!QNZ1heEv+Oz5c@T7ZS#ir+Me1o0>Mf&Vn
z<Od++0u&FXUK8njqv<;D`7s*-Z(m9SQV2>-kr43Jq)4Q8WD5Ynp%;G?V&iuU?-N7r
zNe=QHOV3rb+MxCRZ8YGtg@1$mH!-!X2gWy5mNIc-qAVpi{Y~6rMaN>52Q}q$zUFhv
zQZ!a%EYpPF@X<p|Y$p@tLMB>Fl?$ouWZn{O<jd^MmuX$am#I3+m#I2RaH=cw2j)jH
zJ#9c9tN6?)ws&i>KQPUFu|M#|TF)k`Wqh%!Wz>2$Lu0>Y_h|gm%ETPa+>cCdL^Dqw
zL?_e9L($CmJSFE#*3`TgoY8a_o*@UY!gz-CEWs*uoT!v4&(NNrvZsACN*LQxG|Smj
z7^ZIW2x=KkP_7Sn@>KJtp1P#bqOm}Gq!~l7D2@F=hMEs~&A-ddP0>w82Q)TVl6y@y
z%gHR2%z=E5#rCsDM%?G6p(`?6_?l@sGPUS3+3}f{>oUo9(*OhhLS5SKuNOi}G+iGH
zHC=fz%51S3LjHzYt|Fa24t_+2ew_5s=*VMD(PM<UUnia9f8K8ZtASwDU5jBe7ED{f
zMT=w}rLObJM=CAGPNZzV>!Y7EoIYK6h>JrU<H+iBP7jqbj}`&ZliRr+DJ{v%D=$8_
z-0l#!#ADftg-R4E_(eY3vGC$TuBNagze0KGnB(-hE=y)|(p}*%`@bTc`JgC0+2I?2
zywgKa4DnZCW`7sqpZrOXiYLsCd_so2<k@F7@jm2XFzf&{hk&=$#CpUZ)NHD?ul+)<
zVmy<VcWD1H<%1K`DaS=_ii}j8aG9TO2RebD`hxAb-LGTca=Ty3?d*@%KPW7_bL@EN
z0zm4w3ADAHg5^d>I^b9BZa8kS@2CAKyYhx2QoC#RA3!Gu`h5Rope^a4Xx>#?xhDaB
z=IVrpSXvK?4OG&u-WL2wfbIKZbTsXu_#tAEZCLo`*hqEwU?yf~a&)Rv8V~9ibk*ZR
za$ummQA9lcW`Y$=I^vV#djDv@Xn(BtZb)C3u`b<&+%Tqnrlrogk;h2kDfHbYvKG;9
z0Chq9)euDSCP`#BdLRXE#L`8yZL{Y5Z-R79m@u8fhzx6{&2b_anK^JN$YtWl#ot=&
zCW?tGh<p8LHQdxYY7V>=G{HhH1ouW0t^xG4IVt>PPTFW=T6ot3S@>&B@k6-0Gap_F
z!J90<SYA+Ylyks3oWEDVQsoloyap~;Ocd|y-jR-qceBn9>NS2c9jvAs#NNT4!7G9b
z#~bh8xqsK*ordOnZ_RzIoT}L)f0lJPFFQHFcDVDz$x|>KhD9Wk3rVCZ8H>oBG;@hu
zsQDf)l%hXQHC*E6i6+|&bLgl1Y1ENwTP`|28uLG5DURK;d5c<eeTRt5gfm1BYKOmp
zv<G-LW@7%(gV?DNKk-JsapRU)j!Y5nh}*t3UVY)r?IVwrjkjH_&T?DV$E}N0(COls
zjT>Xs(hB1A9Bo%2B&Sx%&(_lMh%(ifJ#R4s`5GB$T}!iR5)_8C!cS8!AbVd3$zDJC
z3ymp1TNz(_7MnTQSlXw_H2b18q8r9DttB4iOT4y9PO?c7^c2O1^>joF4P;tO`{HWE
znGQtOzY4wJhuJ+rVbjmzamF(m(>^VxVm#q^OKZHb>$9|n1x4D!!lGGn?P2ZVPlwTY
zuaD5)5oBoZ2sN`t$TfpCgIjb*%V7S3G1s-DuL};`)AqQB-^a)SH8vevka1))osKz5
zF#e{~VRSQ%Bh%?%63ksUpp$5Ctk%2WkN=#6D5IXBO>w~=|2c(wVSr@8?-)|Pr-FA#
z>P!U|n2U5Lf^MWUW*paNoza^9DkwUuHThLnRd3OyTa4EEle2itH0JE5p>nOM*5s2Z
zz$5TP=ZHOQ@awbg;FHL2VJTU2i6pjQJDEI_6yfJc7)1DX7hmpv>Mqx0i8XaJk$<`o
z_?0){uWP&C!51nYBd53$6pO7_XW(~l{QgX$jk}9)qqN=SEm`80I>KKbv9?@Oc3*I_
zT$B7jcyp~BA!$|hjE1%}i6>hz<t^9cnleptOBt$(te^F!@W|wIBJ?z-UoRrhKESJg
zcL^DJg?xXHwCU0k-;#`rtiYknPNQlkYGN2I^10`FZ_%xv7Z_g{SUC95_l9&oHT-(B
z*W%3F%<RmJ@fVGqon7pgFEDHghBGrGtqs=B6~t+=tU3UJ$_Bgd0s~16n4)e()nz<l
z`tWB=S5Kf(P#5lx9G=d-KW2e(U9aMP$Enaz>flS91SA%b%U9vv>ns1zP)pi!n(xH7
z{7=lBsc?<)TkD}dv64y7PpLeuxa)nc??v_eg0(v$G7P7+q>19A{NjC;y(d~tu{q^?
zhLgIj{Y|s-H^FJmC<IQg<@eNvk{1*QgC(n>^aX<ei)gtOF~V35wyg62D2)@Hr?NBD
z(1y0LqDE-#;Sz}DXF<CNJ;4L=O87uCm@HS3Su_nFytnCKl7@I-B@kLQgXK<SPzdI-
z;?2o4O?U18M9a})qA4yW`bC1~3&LzoF`26RD`ocueoM2MjFg0uYpM?<7}PVGs|!{9
z8FA-NGc;F6sY11VZ-GhrneaVuI*J@fpd?gtqcw$iXl}@-t6HXL^2s7W$`fI_CLdZm
zo-AT|K|^L~UfdSMlYC*k<^=%co}%0{e6a?6vAR=R{?w4aY0DIvf-+Kn6(*5d+~GP|
zr+R*qc-+Jo_gZs(u_{yp%0L0)`m9w#^0VevZ=|4jI7Q{-E%G-A)zrgtPgqap)FWnE
zQ%?p-q@kL##Y6~b-rm=Kzs9GYmHQxLEpZf(pWt*${57>DDCs6|)H%VZLzbJsFbD;<
z%=4E5l8>q5^qV+c#yfGrHZCJ=C41J~n|p7|{p@?W4YBuZ?-?DxJO9q6yE%8V?`*zn
zcUNW-@!_>Rec#@U%$0isLPA&j`X#PT;$$85yoo@bv2Sl?#>zeZA)#S@zPfb72oUTc
z|32j3gZyF0zY6&$jA;O5S=zq6Ss9_bgMvcW`1vHRPT@2%1Ei&Ah3-LGn2$f7CW|zA
z-_nP_Ctr3z@Jf`ue|0janPR|~`!&sP|Egq^+u=h?Z+ZIO)^dYe%SB!z1EghSqTFCz
z9dNzO#IOO2!?+*P_u_uKXTkkC7-ZpDke-<lvL`sO^?s?G%+SyW&%)==Xsw?go;?Lx
z@0yB^#Jk?YziRCSVk@A1h_`T$cEUo5rji5+Oh`|m8#yOI#@WcXk(Ur%zG=u7rkyab
zHJd%@EwtCv*Gsg0$$JSM^;IIZDQ5+UAG#)_1GR4bR8ok~U<ofZ+S!1>!0ys32@EIg
zY##f<2QXfT?@BZ;$OjcQ;RT2I{Oegg36*H-4TegjnkyFtbSO`IDb!psa8hZlt{Bn2
zq;~3MS*6y>K$ZeDt;#fs*6M-)E@240LE<EdPM#)1oHRFqVyvA9>6!rG4DCFF<GEQ!
zk9cM|IeGdxFC#rAkm`FXUYfObfS{(sfi)sD(b|14(c0V)Y<Vnn*3`*+s<c=V+ww^0
ztepn1x-TM4+wmf;Icwk}(az-Ir%ieEY3)pd7>Q24fs)uHwByBFJCn>10HyJbkh0np
zTU44GXgn)j*VWp5X}B3$n}Mp9gPJ1ZDfs;P8P7iwpeX`^Bk&tri}ONpR0MvSn(RSj
z;z(D9q|#A;ok&}663pL((aw~g&+b9`k8xngaccJ0iB#JS4ciOljZkU#UJ=l~mxTkg
zv*d-_bMq>c6}cYv+quiTn0t})D|;$?&YwFXlEbTfEtpjXiMTG$Oi9eo3E1Z!6SL`;
z7%ny^Ir+%`;3LM<eSH?&Dds2p9>H3iO`TxCW8o1^{V0ic=xf3Da-qBCio7N>yQD%<
z7M$hm8x*?2D{WPJ?3PWNW7RQU!9gyo3~|{vjZLRl39>H=pYtgH^DQS)eE=v;g69&F
z`(6}2pws15RR4-4oqzF)SgQS@HM8a_qL}G8WE~`yV#*dExZEt%j5Bz;<L0r)iUK%|
zrI8BB%59;6ipAami-7e&ckA@>gbTtdx*JNE`cw(rFAD#lKJu!G?=8(H&c;1ax-RVp
z+|yz9RkMrlTPvbVL`5cEv79t<_SH#zRrm^iPaK5bqlUx*`9;zIiGY_v>Io@C%-=l~
zbwRLNtWG7i$`7V@J`x~_3AQ{G_6BBIABpBl@q==~poiF|zVcAjst5TWZ%Y2@I~3y2
z_k^iXhd?zFjCv%@(xKKJOh0rqj~gTM2y|F5n*g9!r`GL%6)u8Wr(6}eq`Cx5=_+Cl
zyUM((iFCq15x~nM4Zu)B!yq6ujPH3cR3R&L17w8;qC3;T#VWYC@|~7WL8rAu8nHxL
zYdh|`Ae@bMoT{P-MZKf~p@NSb`?BV<htf`s*n^@mrFV;4e}JpPW-^9u1`<mLaAI^C
zg|>_QbL9;qI;rN-g-12A5SV$Z<uy^v^?m!Za})d=)v}`C3u0MFviL+oMsC*rmE+Yl
z+nEn5N+-E_ty~5VGttoq@BPb_lie1YLS&23-};c5=zT@<ii!%m6UXiF;dsK%&aT4I
zu>v2=f1{$n&e%h+q)}J~r15A;56R%AqB@CGtNg+X)iP3ZOn!@eM}EpdR6P9pfARv=
z6L;VY13D+#?*tvHg#FRa5mZm8)9sI>RHdB{@@k>w$q|@Y&!L0HLF;@Z#S$o-M9Dva
zXthFUX&yHV=$K~mL$h!(R2rw6tNN>);@lCWgQWwrfv*2rOo{flR-CLvi4G*|o6Bi?
z&EvHaT+CzC(|)JseQf?X@09E)?N`VbS$7_lv(ViBov%>E`L9*_2ME{~2ry(lS%s|K
zwap||)r~sqZk<<!3+8Jdw<3Fexw*DOodD>d=EO@v;%ntaE^kSj=_eVfHuk&#zVjW4
zCkST#0kp5nzF*T5+4C>T`w{7Md-%r~e#yTYfgqleZxBF{z5JAb^tsCypOzy}Q=wcS
z@{>Ndg}t;>TqRmb-98elqUP8KJ937MJ0m-6rn&S;BFiD|B(ih2`7fO%+87;ZKbD<<
zmtBMl4`aa_lUHDX7V!|EZzWr_*m;$d)4p;K)v&E4<A_ix)mqg;b&^`)B5mWp0QcjH
zjkw|@Tybdlzq_Oam;5uNKZa8>?2-{3QuFq1T8-?jhjx<u-1bu`7Zj%*@_Pc*AA~b8
zN#TKt;8l_S8`Q_>V4%Wz0GtZY&8P{_2C(V2&|6#hzfu8c>Z|YZZSo_jpykzMT(#^l
z2HEFm3aqsK=!<3<iSGwhT3a1sz?W9h+8VqrDXH1US?y%pqkO%rlvchu2ckHuwakod
zC5v7wk*{Y47?Zv<n%3}i?l~i>ASs>uXfDd1Rm0qVHuHGSz(?5C9rzQ2)glEkls_ye
zEZ@N`-otoD1_jJj&J9Y-j^q}HG4pp6*gr%Y$DTR>LFq<{`1dJ)aTTS!m{^!U;0e=R
zG++QjIKU0PC_Z^!S1<1<e?M!bwSPvou3lE#iXC1kr8*PCLpz^jsxa@jl4w0{LnO&j
zp`Z2|pf+_to0<+VV;Y3BG&g>fT;AX=;m;>G2q*IAq)Vu~N^AN=LVu{<eYde%mY=7&
zU=1v?8lcUfsmczjklnmNNEH~&`>05txw-<rNpYR}R|$=GcUQ}b=nq;CwDf&kUX-u0
zlhD6QZKW;abpK{br8$V+vj9s{=i$$cUclLI7LQ~tmNjgZkop!2av3Os=N~1iq$%Mq
zXYx5o*Jt6ux}4LHEoiGmR-ozK(r=1H8lIpDPe@KUo=}<)pKvTeM4b}ENLz`t!h};u
zD@-t?o(XN#DNgon+iYsfK8NVD&v&+MOAL3kZHG5kFB81h*AwX3>-p;C>fO=%B(M;8
z2zCjc>5KFg`jhlM^%L}u>uZH#;T++1VTv$Acv5&;cvtvL*kZsKj5U~R5NvS3;8%kW
zjEFI27BG%XEu8aviiV3eiV8$;#3RHD#p&W#hTj=>H5_0#$I#Kx(=g0%n_+=rso^`r
zPi;E1QM4J*CZJ7hn;mUVwP|Scr=+t)DH$f&Eh%6n>~}23+Otd9Kz1*i$sS}+uqA9u
zTbH)m+a|Q#-!{4Jop#;Z4R1HLoohSyb}8+0+I^I&rGunHr9VrTNq0yKq(`My?S<{-
z?M>QuZ*Se+yL~|WBkeD>zt#Rxd)lE*hu{vYI;`oixx>y5Sse;G8gyhk$~u~L9NW>d
zqfN)-9d8-^WHi!fjL{mSi$<@EKFP!~Rwk2~$@<IuWtYA)|8CrOmfwYbxAwc6-~B0{
zB)67_%QwsO<TvF{<gYt*=)`sE(`j%gpH5pkC3VW^bg0v*PSu@mbmltu?>xHm{LWsT
z{X2(t4)46ab9LwX&hLx|7!Na^Zal|$qj8*Zs&RqwW#encZ;drw+I3NNG3{d0CA!O|
zF8jJ1>Qdb0Y?s<D^<D0E`Pk)?LSG?PNEIfE0g6$I@rtR6nF>$EDn+;=N)fF%swh&N
zQQTEDDt=WoE8Z)+D#t0OE9WX*l%C39Ww<h0xkZ_zJg2;?Y*Ic^zEOTue(Ead%5?p)
zYrn1|yH4mjt*c8{_paVugStj_jp-WSbzj%RU5|CW+Vy_d=Uv}*{iG7AI;qsEo~i+=
zA*zw81uA!yk19YFrixW1sFGBfs(jTkRgtP(bw+g`_*5<GPU>#z9_qg8DQZWxhdNlj
zM!id2pe|Eas_WFZ)%Vp;)y?V;>Q9^j$8siIUv3aLj+@Ob<{Y>HE}YxIZRK`yd%09D
zo6F})xhvcQ?wyH&iLr^&q`OIflTjuUO{Sa7F|jjQVzSg^xk-@8N|P-ndrXo{4w)31
zRGQS7Tr;_6^2FqY$?qobO|+)0smipk>CdK<OlO(SGhJ-D)YQXtwdoeqZKnH7Q%o~W
z^GuJKmYAM4tv9`E`m1TP>3h=_GXt}>W->E{nTc69vz}(d&8C{!nK_%SF!MGGGuvdg
z)oj06rrANWV`gP$XUwY2>dbDKHJCM-Ju&;kOlvMOZ)dJB?`}TGe2n=-^J(U`=8Mdo
z%-zg=%md9=n@5>%G><jkZk}v@!2GCrg?X*{E%V3bugu?>|IPgG79tC&h1^1AVQ%rG
zMIVbn7Q-w?Ta34uVll&Fj>S9+M+<igAB$BMkrvSw+bj|-ax9KmoU|ylsI)k5QA>iu
z<>$&WFJ)qRd|Jj?-?K_$aQO*%3iVdpUU-W$Tgp@nPqG0?y!*T*4xX9!PsZiPpHb8H
zqIjFQ6%LA@-979Vc%6FqJm<=(duo%D%))WYd-hS#;Wq{mJvDnQ8?!9$tffo6G0V#K
zIffbNJd*P7`CovM<BA3KZ-`@f+>I}^GVB9Sn>;HeWh{CC(0b6FzQmBrd?lZ;40PMf
zxzp!P9`PNP&aE5BOxQ5b%2vtB3zFlvCvstrm}vNMM=AYQ@5;RwO9WfrVEvpHhz8}6
zaVmL1M#jMczl`O}{r#4^rTZ0dFqaC_k>-yyKcr<KP5OZ@k$<cJ!u4^EOw#NmTUBG}
z`f&R-3&NLRU2Ao5SXtP~!DPKL2(5^1OK7AAvtX6y@_EYeu(;SrE~r1VJ~1geOUYux
z6btkZUXzhcs~`G3;HZHglih#&_(_2CUTQaUfm7~Pb#45;QUx2e1naa%mn}`4r!>I>
zV*{+A2a%pCNzX6fVt!_($1Hamu5_56kh6$eI*M6-`bx+-<$kypPH;T;>gB1b+WdnN
zo`@n}CSJC}1FU+id}k>W7$3STO_7$myDV0{p^oVtW9K$UG3~5h<ytixeu;^Rh=KoH
z$m;Fs37e9(?BiJ8Q<C(0)kNGmjgSgk+KQ=}^`a3Y=avvNwWckwG=yU6{@W1JQ_W&K
zBxuY4mCS1l5ITd#SgT}#W1@jtKc<I7c5)2NWhB-~*lz(#{{gT1Z;($}BHnsAw^mW&
zp59}J+J7-q9Gw~-pz!ls10NVE(T2;P+&)+cm*nF#q!&EQOvNEVu4`SCwDTmOD3b1X
zpAy6BBYy7rT+J=!gp=j*K1wWNE2)gG2#^3YW+EOBsOis0TOoNGZmME=2n^DpuD<E{
z*aK5CxVcFS_8wK_rKOb}Em-MykgQQHwaErgj{c;XKMlL#a><`N6<itWq;T`|n>*hz
z<)FRVb}X~3^qN;4-tzy-2U425%2!7QQs82fKk6&V#}|eV4%?vLKw%G&sM%(EoY<1^
zW*Uxenb+Kc_D1D-iZKfnyU@ie*g-irAoo58$XYS27Sj&J6W+7f2i^JAP-W##o=Jse
zg#|>hpQHL>Hy6*~rAoFF?26Z-aT4}ld>Q^bPli@M2KHc<<2fK%9J(0K&5UQfH$;Z7
zY?U|fZGk(}6`ARK&&8_O)xlRWX1>b|#q<k4b$~=9R;mUOpk}NA`hxI87p6AjL<NxH
zI`lq5C2Bg44+V>plR;O+*Nz8S&vo$}%dsGr*c~pvRJpsjhFg4-S>fOmu}nF}F{`NX
zK+5HetY0=}a}VKfIR;E%b5=XKPFD1IH5Vk<>{GgysL0%h2&_if)KmJJjd}rJ!tHZ6
z+bvVjw?r&vj~&lWIjKCIM*a>Xi&U3MSQD~Rb(}E$fQtI|zq#!T-1hB1-L{kFho2-O
z7IMYYc0aT$na$I7AI~kUtc4rg7us%%DMuHT@wDBu+->HK{D!t$%+q#fUsRlFrR}y}
z8sh5arlajXp`-0C%Q=25hkLZV&TrBe+U~#51Y5BLzaj~K#S#1y_;T-o5LdDG-i8X`
z5th()kEsV7VjmHYQqm4q^?JLg5q1i?_)j1TO2q?clxt6DA-C7SWniH1SvSBBP;tv0
z@!;IK57g|gik;;<%E95aeg4k*yX@}M-;5CxO*(4Lpdjba#<i0oCa#^xE6A&1*H+h$
zAdSY|L?dY9>PcY}fNX_$kt-2bBd*RtI>L_GBgyGGg^Ida$0k}W4RCN)m)kQL$#5W4
z9!d-La9JKOhqDs{lK;1GdDE4H)s@_g8_ZIdB|aDu^e5{2{OzY7D~<-Z9pt-wq0`i(
z!<5)EQt(|K0QaD0C&M^)=kaaFw;x5F<CkrB+TnDOZZRe*(R<*Wnj(}XHqtiIdY!dK
zCONz2Z20NvB-Xf>Xc~=;unDt{fPp27JQH;$@~l15;YQ8M8&96N{8(|-`?#I6kB{TB
z+<*d5m18l>%G=e(UCrtobN+J5;r_Ezj?N*6`^zEcAKo~;Ck`i-FAc~%b|N!9|7f1)
zlz7h1FJP^|(jN}6AFjepgtVW1xBJglR-?xhFSvd1!0z-6ZumM^`#DPQ;9Yw{xaHPN
zXnI~~g;Lt;0rC%rH=VN^*Xr!{)zOW21>qG?{%szoKR6+DU#21_CAlO{y{4KO6tl>6
zx`LJOIK~9Vg>6ev?AyPie2Y4woar6CG<d0EaarKmDCnkG8Ubh$KYVr}EK6)9bRSJ5
z`=}usJ`;*OCD=>hyK+@fII{MW%-Y2)jC5aNtF(2`FOB48y_KBZUY1&{IJPvIC+?Wf
zlyBT034=9kU0^iShE2Hqe0k2{LKrLT3*gY=Mo{8I-pJmb0j8>x1W^aefe_k>j8?xj
zu$cN1@I2ivKY91=@&If_b)VYX0#8?Q9zop789y^p`MY|^{kzFWPWE_?Icbl+3=0>x
zxA1d$0oS$Vk}n)Fi+BbW4=}Lo2fGS;n<t&%wJ#_q-u@qy6EEDL2mWWu3HHX?h7DKH
z1?wnB956*9tkw*!+=oRhnGrrk!d^qD@f9pp=C4jw4{~L;ui6$6pjhG`v^YYYylnBV
z`AY2COMr&t%CX53S;=f0mF(o!&HT6H5?N`7CEk9nP73y4QI2^SB%mOR*obhFDFITn
zcuTXaXo(787PnNI`6AizZCLDZqfbPGB<zzl5_XsBf8tQd1)%TJ$7Bk~+pys$8VN|%
z_du`=5)q4!)ui*Ub1TO0<9)s~=aLUzs8Nu%KOCn@H6M^`NYmt?<`X|W>2GPh%(Wjk
zl$OZJ(q`!H=2M=N#@R0K38BwQj*H*Jt$xI8jEsh1624|<HphCjBGdAGdSAHv_<Q~<
zo1W&sXVZKC7n`0`etFFm;@BezVsTAGG}_^aqGSIgW+0GKY4jzTkg;z}B616lwhh8!
z*V0z>pADnN2@*ChH8n3UFwMgw0Fe4=fYg`XDJ(p9-o9}3XnT9BIfeFjxMBnEz|{PM
zsj1o7sex`Q0t3C#0@dr8?5#Tz_A6PQcNE-iEWZv(+Xk^vXq{Qal1BfsP8krotHhVH
z`QzXnraU!id&WKN+gN`Ohau78H_XFjj!83=;o%#j*K$cF%$E4L&D)e2$x-uDx%|;A
z@d|%V6gNow7XzLcoq~VLxc9{AjjS;ke4J#0>cnU!^JH;qiLx%qe%=-Uj0O#|HdDwN
zf4X4xNPXz3+{r7cu)O3T>A0WU60q58tH;iOF0QUi0+%U?GjW#R-%(V2R(bKj!jb56
zZ$)A7(dk!2Wbn!!bIyFs3|BjQo*w%EK$MPS$H9GJf7)wK3hjo><5hU##}YOgo8rdd
z^2XBAhJ28wYI^awy3^=j2Sm0-ixv^-cruuWL?l)%UDk#&ArT>wzDmF-BG{1q2{3oN
zH4BBiI|1Y3-^0ogSu2{u|Bg<_NN4UCz14;X_=R%m4-{Y8h9!t6l0IQ!$%tMeN^l~r
z*668dI2Jk=lkE(Zi)a`v2R=kOf}`1R7g$+YsY$uHfk{5zK_Q-=DIwViqV$uWPH-l!
zgF_jzh)$7bryxgAlDAJFa-@c2!R5$bLS_}gKuzA%eEnH2>7p{ysC6My<r;l?-o@Pd
z19ceB5RY;W0k(7t-6JPb#1M~Whz;Nxx-`>F5tcA*iElG}O-7J?%`LWKmM1IgC%Vx9
za-nbp28rl=Qjd_uWehbE(W%rM)%NDA9j~#HFLXXsTXUqKwDhp+%<0aqi#RsLRmEoP
zjYaoltBVewJHO=c%o+ABkYtw{NV0EGVs36qQf5X9o*^jIkCUQ{B9?eA!V(!c(Rxq`
z(W8raXMcc4pOb4`D#XP2)<imp{xoI`HRjl3oit9(^ty;#)vRQ$wv7Lg923(kEh`yT
z9-(5l1^aFFQCjqyP8qAbMfrXRGw1ulhF>Budx_6p#Z4yd3*Rt#dlI)ND|g3{P*ud1
z0Oj1JK{LI$IkX)!2I!>X7NFaZWw%9FX=nBfap=B>p(C(QQL*Rrp^FL@i<lIPm;@`o
zFUW9Jri8^K3>LwMOV|j9!YNePKu2@5FaH1&<>Ymt_}yt61b<6xtuesd+*@(Dfmh#Q
zsp^4W)%WaWs~1J9*%3fbXXPi3?@7()yegR00lrb*N;{XFbL%;>R1~{+^R|788!q>{
z51la8oa$Yl{#-qnERvUR%gH*XEZx7%nUg*fZ6k{0=g&zS!xDOU9GN8^XXZX6ihgIv
z(j(z7#|3FN1+((XC?+j-XZ&6zd$5z{yXQ1Y1oydTOf`Mi4>1UIHGRf>onsyMNnV(s
zW^LiM=FmiDJu@PM$j=*yVJ}G86S5BWtMqL>F>IQ1dQ38}&|h51I#GH}LG*@Ppwgdb
zx-Ya<S506J9X*;}t~`IpeeP^02MRFQ_d|F<yYEjpPMx*Tb&}<Ryra&X%~)oBQT@_)
zN~xLT5*wnD%0V{r7t;tkgv7q2ZQ~%GG1L>r{~x!1dpP3|(8eLJB{v>y<=7ZHHVDpl
zA0#*M`gl&V-)<0yQy)>x1IF#x$>5VpB6#~7=1;vQG*hYVT(9L$ygT6is8jHRAS+sW
z$-Ufm<+^gR-<nmN>^>FFx0<GwwldvHgNUq&1pLa%&#z;$<96;%IheVqO37A=&ZTA^
z+n*F2l}K)?b_A~2z8oyzi^hJ>*^ysVY;k(ZxozCs?F=ma)-?zABQS$qo|EZ3AFCk&
zCpbUJl%s#Kfcx@6&tgd%4B`AB-iCTpALtZtTyUBOgBKSqDZ=&WO9XE0slE6@*|O50
z$F!TID-ed8fj+c$>ewEz<Z82+h4%s*pD3QBHkRH~PtRiJ3~?U`EH!F)VC1<W*wS>@
zw7dAOtm?8L|2{E5aC#R6${szCl+Lg6Y+ug6X<zihp>){11;GK%>RcOUf9}D(dCFsZ
z0$ic!m20eACn~IuI#sK)F3P=D?#{~1PHWo9O%w+P1oIKOPcfgGjOl!XM0ybMF(oh2
z;`*&%w+$*;Ew5clo{Qi%Q^HU0ya>QDACm(TSyj>p{@V_T>>5b|F0fAM);E$azde<p
zf!cfoq#{xEtD%Aw{!wduxZR`=L)QI9Ux-3z-I?V~#*wsL$CX!09DW`>Z^;D9MF$Q!
zb92Wsi%RO8AX6ksrOtjOpRn}Yhj$fN1Idr@Jjl^dvGWRd-5SV?i~QDsWpRE#e(Rv$
z0EVrSSfJA<lrrqB2np<>H&cmR!g>e$u5eZ?P4dlH1;h$Ap+zJgwJ@_VEg>~CnPVgI
zz%6gySIq{hHatPCu-bl~3{a6%WTJ|0fmrS*#{fw*0mPV96#w7HoC)8DiV?{qyKj3<
zEX@Q=VAlrn<8$C#ia}{ChBFJE{`+@-LPUP<_6Ic|Hr3n3kvlb-$vSW%tz7xAY+jEY
zT#KRTm#~d|K-kD;3u2*uW-!sN>@oDlF42HB^A{l!F91~oknLBzTyQ_)MerE5JkTw_
zmS#!v5$XA_Xt|eowA?5E1}*mnkCrQD<>#6XG!R4V)wnmzX;M%3VM<4&3>}~t5Hxh*
z2({EM{OOz^O`jL6&G*bAzfj1>x(%DRtmi^ZnCP7e01CNqBDv`VS3?Y$TDt5HvaCh~
zybxAQIxN0sHii9`_d-mv_|DSGHTOF}q$ZfZ(otRXq7&$ZcilmCp;>HjqipdY;GJiP
z9`7zMzNu^x8vJZ``c(u+vP8Ys+S!gl2f31Zys}PlCLnjIr*Dw^imcFV^;Xel7hnG+
z@G$`5$5hvo4;u<g&(@XAr}CYgjqBndN2MQqBqu{(BXB90%<oI22-p+$`H9M@^2*Od
zQg$J$<S<9ateb8%Q0cg0PnJ7pKZ0>7Eex$wO5>>GGhjrM^RL2#*+`&h#)&S`$q2)|
zL?+{VB-IBz<8^YWpV-mFZybylzZ(u80T{xP=fn`(Ez6(GJkPNh!kwOJ-UWXE{Y*9X
z<pDt~d(i+Jvss&dAE>>%_{NzJQE7L!@eM~lAOh?+@dV$1MJv3L4h5-4&0%I7KC|LJ
zmZ03pRd50}w?zI(tVH|(*KH35&;Nb*E)EpBpFfB3E`&Z2dKND*M#vt_QOU}0sbmih
zNmy!h>1SfBW@*tDi2qEWJ=T&RE$_kI_&e3qmK{K&d~@*J?PkSI_d;98<=zfU3Ve^M
zF)5B!Zl3S5c$%M~bbn4((f(XmEE{I5pN7?jQE);Fhx2GZ8jTUjP*&VsBD*_LB`dDQ
z${{-`)2SX4>AS0W;AU|$BaK@dzGaPahGWQJXKwKi4BPlwuX}{vOBM3em0T}de!vk%
z$$6nhvQ`e4*q*RC9f>2L9XrzT5TTx!G&xd7c#6u&1n!gpTya_0B%|=h!l8|iIAB5D
zF$#Yy!0dnI*aK;4`3C~h-8};Q-B+Xq<Y6c>lH^>%)L?OMkYv{pHD2$ANoz-rQ_!PC
zjCovpF?Gb8u613kG?QN!v-xXXjIfwM9?P`^mghn0bQoscE!7<f8;@8yfKiY_<}NMd
zU7hcUVCWYzyoEZSXn`+Nj)->=s=J?=O5m7D_fHk!srDnv8P+e%O!n1`AWg4VSRmN}
z`7myRt>sQu48aPUF*P27&{lWq-h`17*455VaP<KCr~^|<9X=3;G7%oyL1V-_h9x4J
zAV_yB5kSeDh?Oa|auUIT$qEIDNI%3pVvb6-j(`#Kt_F|(ZU*Mg{C;kapZM2@H71rW
z&|xJJ3*KXoN1C`%`;q94s~s|A+;pmEa$|ZE79AG(9k0QXUr9-Z<MbJRPK$t<z8^c%
ztl+brO@!XN&w8ndVTZJ@XUR3ms^IkPn}Ut}E7`Xv&YX?sX76M?*ZFy3|Jg4$cO5r-
zEn^*j!se}#{YVTXEORX`>kyX16ER?OX^$9w#CAo*zRe)YaO_FE=@mrG29b%+NOXDZ
z)3N9L&xL;}o*YztyXJvm8r!GfVSn@|u_Jar{Yg7f`5<%Njr*}VkpqEvvh#h2nEc57
z`YVTrLsQ6IhEL+8C7YTxPA|a_RKha^m0ZP^tL8q>q(hgs+-FF~Y<Uw&s3G=fzglYl
zkR~wF2qsNJOeJZY*99gjB7FU7WguH|;Am|eH!q&?S|1h`<QP~oS;<z1za^s)`1_WP
zhP~F2C%$F_V%8!*Yjm7QSX+r0!S!MDRqPVt(0oiq9B%Rv*l_=XD2>MZohrc`iUk!R
zIi%vPS}e+tI1J@8$=2Bt_DcYu5#b}S01R!(PNp2xRear!#v2N97(*Gqpb2#dExDYP
z-wLaOQsBuYSxq>F;WkX-dzy(_8@3@#85p=bry%9Pu{>^q$Scrk2{{kGcYXPpzh<>Y
zuOw_rxQY#KK=(b6id~n$40n$}?7F1-<pFc2Q(hX<0x~dhMp_!uWGOJ$;TyF_!UAGN
z0XT?WsJao)BviuOgS8<fCHHVfOBgmt16BNz+<VEo`J9-eT<A+)N^HDcEMqunReIj(
z%ZiUfFHzNqv7QU&sjEga2Tv5IoK@DAc+Z-(Y(-CQ=Aio`Rtz}7(BoFjj?`USvy|6Q
zI!+k1VBxe`PMLXbob7nVv9QMFwNm;)C4e<5e6M16g%_z1;bEg<Tcf!Ihg-wACb5K*
z{746}OuqB-6l<kPH+Fqk@P?JjMXZi=Zcic%Lom;<q9y%Et!n3dW)GBpb`8T;CT0~D
zDqi+K(QVS4P&Yeu(HJK4=%IviW#z%(rOP}5W^mI-iCAmrd&8BB7kE!{;A$2#$5PXi
zvXv}?A}oVhSfE&fJ0OAKMbgk#t0bGq-z97SRwDufSTYhO_;Rc(h^dcgLqNzzKjj$r
z>}rmvk)jsUPIv7{+Y^bg@p)LQn*_dP6&puHI;3GL;s=!S%6mIFHaBTSiIROxk|bEC
zK&%zi06+fhXsJZ3hFQyMk@PiqRayB^32TD@5h7sWQ%qsj@=nE9ptG<@5{{OugF%Hg
z4te&mgv3+~hj6$4>WZ!W;)*S;l1SynV!MqY>G_KMq_m1()J5Wfv5rnN6f;gZ{u-;s
zl;VdM3ocR44Ejj1=_A=kdSgOFrh>IAm$3ZTKAniM=qw3A1_%h6r&#qHMu46Znn{8x
z_5rbyuw{}3%a=K+`3}PKQESHVli|irJb4&vR1fv>khFWs@(p20dxqMF+K2Evfx$&9
z3quPnNl)E^Hl|TfrC0`N2UR+aSg}Cz$IW_TQNxfNRuMl58>(};MeuZQAz8_L(;nQh
zBTG#(@S@x#;I(E+|8QcfVnM;p_q?ATJCZhPHib7*jUep&vLOtqb9?hD5_U#M@5J<E
z+seRr4<+s3INF?J6?KP?)*Q(S^~z9R1aiqzyWDX~Dj7DGwq@P(9Ua-vdg&2*!BDy9
z`2l}kgr1Ph9U*@yTF<t4YwU=Z01;QhRT`IO$sS1>wqN)asDFx(KJ|6oSj}RgE_!V^
zHd_5x?aF<#m2`_G?K!^HZjhbV1th3RSjx9%dl7NcFbu1hUE+Qoc7zjvApQWaF43QG
zkG9>&;XMQ})$AU;e{WtBu2~<Z41glZO+QkR&au;=Su2D2<uFo%MamZ#Fo*}_?Pe#9
z>?Q5UJ^)Z{um*!b&ZcWBHmDdz$~<DimSBCxU8nS|?}L?whZX;$8tQ@fD4MKdg>VR4
zgf<T&D}Vs4bpY7&3c1$d_9r-Q{^cq}&9xpYB}T=NUcSE*>?I2|)82mR_0yh6pngNE
zSz?am;V1n3)VZ3qR7rs;u%31tKnE(|7TvKw=?Y3CJD%{h)n+E;60z(pds9G%=-lO@
zjd!b9SJi@QJefP5j1}^jp{#&c?gH#;f}`OC@NREc{mfdGFRyy2_^qP8vFX(09)n$H
zTg^u|ovgy@Tb2Z>-jEd*S<APGv}ZJ35!UmG|JaCaixUU(iwlXJ#C?VR;sYyAaA0vz
z#uKBbWS|0ZLLHt^RlJ&=qLT8_&jLh03yCLI@m0j9j`(8SN2F$(NvHZzV}`X>Se^7d
zqh^)cwvqw~>uBpTQq5+c=g1mXW86$LSnMPjvTrp$Z&^HLuE^7Gsnbl}7q$5*3d%`M
z%E}B(_VNr0_Vq~#$wiOX2NO$AFtHfoZKT0e>QyDLcv95B+gQNbwLy%_-zC^tFl4)h
z|2`>5lN!t-c6uZNPDirgzY+kJ4|>VwrD3@h3XV5N$O3+Z3%Cx!<%x-dumi0Uutwkt
zWsl~-Gr=osnKSSIo$GUiW5v%;J6*T)WUz6;Z=?3JW#hv`x2#r9aq{gwj~hq_Fn!p6
zS*nr-KV*oBgw;(PF{rX+zY3s5hOFs{@kGS_5e{@F)PwwnO@Z?)8GslmEZqWxzaRX%
z**iqVoX_8%kgJT}xhZ-l$5wjSNZ6wRHgg>O!6Neus7zRlw5wo+lRj)K-xY&<Sn{F%
zEEz9}d&RK-wDu%L#49XvA%W3+>To||JZT=&Dz2EP3Q++SHhkgTJ_xL@LRND|@S#!o
zJGNnT_yrjKdCX;2w2Q1@uCwYv%b4vfvBTt^1^KNJw58GBkIRVRGVJzWsmEB)PdC33
z$UuaFD1(7mPlqbQ0$J<sURT8NiGvv_SP@}!STVO?Rr>~o`6#2-ZH|rN*lnAL1#KTh
zekT@C%tCS-?<s{>K!{rzCX$Mq%iJf9n74wr&Gn%&A$ww2%Va6A@|W6((L=gF#zS@8
zi`R+wtf^$nlVHt3ulYsj@hKu!I~P`o(Lt=Yw9!~0aMvGw%eLC+)<aguQH1ro@t`_l
zNs$UYmaU3P3=2?r>AVbBTQZ@En6$<#vm_q647tzCi8~7zpMl^*;<-iGzl}tn(1zeY
z@ooOiIr49g2x_SvJe>_S9r#My)lvc5Vh#{wbGDY$!|K0ot<6DFCACJSArNMbtgGdE
zPI{XJ+(vaZR<sRRoGTBqjd<{$tp`i`hLcMY7AnyGnE?1!LLtjT!INEA$*x)>7UKuB
zNDWz1BgADQ@HH9W5V17&Z>t4Q?y!i$o-Mx_#@-TO()CQp7OC(`^$E!Mgsjn;22u{O
z<w=gGVK4^E!0eYsEDzZEgr#%Q?(AFm9Izq}$LJU~*yvmXZ*B_lY;8nrwb2?hX9`ZA
zlj>)z5ln2BRPlOk3?3LfJ-Tl{vt|(z!CzgR>a&EXfT@DvtPRw7g2r8#(1{39U#FMA
zN+xrk3D~zrb)?P9hgm2PdxoomJ)G3iH^lf2tF^9!5n;{TVc`oYW-<1zVfFM=^lbF1
z_4M@neEz$>t)8|17`^`bzW7w=SquJ-&j6e!;5&c*M$eefBlw8)mpHcKNW<@wzI@Kc
zr>R~yeKS3Uew^NHedEt9LK8hBeU)B2!H3T+`d#&Y&^OTQt3Ob0s-RBqNBu#1Jq1+n
zN5LpPrM@A4>w|QW-bjJ?^EG`5zPHz#Dzwy_s^1UC_qzO3b=L&qw?lfy0yn+y^n2+|
z5d5y!R{uAgKhl%(-vy<5X1eF$pXvYSLpbj9r>}?pa=os9wHe=T-yVD$emyqosrmN&
zzdQ#2+x-0d_}>n^FaDkBjxxQj0>$S)@&2ac^9_!xIG*G9JJKe#rs<8w_h~qK;{4s$
z_pE!i*7rS&f9L;l2z2N4^B+1{;N{_~Oz?8?pAKGL{@;(@!iBnW2BNHgcl6iiW$`~9
zyo~;*qd;%2PJVeA{?~(->HpUw8D;#NgYPHb9(;fKpAKDL;``IL2QO!Kc<z0AgY`Gz
z^Cuj9fBU~XnExifu%q6fuLt_A{?|Uu_v>#D{W*F)`9Ayg(Diq|&;R#_@ZaUt=?h+G
z{HLSO=U;h!^39<y5PiM}{W1lg4LC02Xu?5S&-DiBbdN~y2YllA{1Bg0zv?1hAALQb
zm&OXZ<G0;99W{a1Q-b!NKjPCwp#1#d|6}h>;H)UF|LyAP<qj|mBMys*EF&NwAR;0n
zQNp6QBN7)vRAf^`G>ArxF-8$t4H`7WpiyJg7&XQax1b@2NDNV;L<yn-0umf?#BoGK
z`+d&o?z_y~83x2G|KHp9bG}twTi0^x)TyQWip)w#WtYgW8p!Qt2B>Tk`BpcoUsE{u
z=-Sh8L~dSgT0qCd_M<T&@-FhU2C^fFhpeqm;r2uZiyZ!12)Qn@Jt39vBI9c!WWUJ&
zY_c6qclb}+K-;s>^tBC4e|5ther*nQ%;M4ZYM1u^+_bm%oA%E0rn~d1Igm1TcRGga
z?NRhANO@Dnp94%WZ9Fi|Z+(%c9Zh}byXH`5K=`aPjJkqP>`2nQU-{!$ctnVNg&UPW
zI${?d_zSd@K5{uSI!(kIgTGa3rftPIDS6R07-s6*4yG;n$c%?lM^7V1q(0u#I`N#}
zasQ@i=ls>wgBm-Bn}9gI?0B=kdkJ(UWAXKvkDC3RN#uQ!X&sv_oJrvq*!P7xXWTT5
zgcE9|azCrTCv{o}bN@PoIXJ2J+Dz@Yf$8tGqt2v{2Jn0U&j;|iP}A@eJB)J1I*;l(
zV@(?!Z$+NU*vS~hczC*wf#@;mv8|(yH;3Ar@e{qL4Q<6Zq591R_zYdgzHa*1Crwvm
zpRrej<@V#S+`*J_*KX#1Hg?g6c7|JQf8rm9O!@*D+R}7$mecOfnlA8cKik~&A`izS
z<BqX~riie|J0BbCEH+K`xuej34l#q^oledg#;bbdP55TJsb~LgdfJtw_ay1}Gslru
zAMumt$ulH<Nt-;qqiIQ8A&Ju>d_(Qy!yWdV@MAj^ld`x@SZTlHeh22Km{Y^eN{Nnj
zKkoPAeg);Cyl&61((Ms`>~_WMjM)ye9sVEVPo22G<Nmj}KZN-p=IC&<kn;d-^Z+^w
z=}5iV!%3HPXs=3pFz%ZPBP6;CdW_qG`1SGMM!M9mOMLfH(z_e;PTXIGeh1CQpSpLC
z$FD#4pO8j8&bp-Sw!+<p?@PP5i@1M|`=>FVz&w?_2@T+RKMZ%cmxUjDO~XoWU(6!R
zLc;tUf1!uX>0WQ#dgHega|!03Fc)H86>b)CUou_2{<u*t?;n`t(R&&5ub5*A11WC^
zf9wV+{|FD&K+0FbTXi7#qbJmvI(`##Fy=~VMQpCd{4l1qn4dy_gWibgJ>@IuA2pHi
zu28~zduqb7!nbvz-Ka~g_d3*5PF>bDA4xdr+tiQqHuL~}-Dj?}FXPI-$g7BkV)kKN
z*kne~7uuWg(7&YbVm=?!)0huHo1jt9xv_a6=Cv`6z#JRX73Su!(##4!Ce1C9E^Sun
zG?#e-W@Fr64mS&_j65ZhgDNL)Hv5X4bO#yF9Ta}%9?SS~2>SFLgb_MBreT;<!p~K1
z#_}{RGi9D6x^*+-GOl-1nJM#yv8Es6&*|<I?Ef$=+&-A{?0$?#_h6o7_DRo)o<Qcx
z{8Z9Hm#03MqsqL-G?Mv?JBR%J694CUj^s)5BP4m0=ZgHk2tS#NbYx7Fw3?b$?#0Br
zCJfzc7}KR(({NAdEy9bO6_T`hb|OFQ0ObB8`qfy;M_fP0#`S}IlsTj3U37EFLox@F
zya<Vo-ih%;bPn_b^oT~HTi90_*I%WMG0{KT*rV|i%F;*SzXE#`ZhfK5JXz=1GA@X&
zWIthU$NbnHLzsO{FSi~#i15()l;wGzxgC0$ape=-8k=T`&du0jB|oaui+(8cbJ3fd
z!lyD%uQc^s@=ShhPM*l4KDRf1C-DsO<$Q)d@@w3mX6)TTxpq)4Of6Rr!X@;5!Y6bx
zdX&s5VttQ#DzfdUL(%QC>qc}d>QLq+ao*c&J;ge8I(~C=FnrO|{*bx5!&vW_6QH(G
zbEt7_cEJ?t1ht1GTu1n!mopW2iykQ9TgGM^a}@R0#qMVgr!OBS;go7lzbo;R^jq2z
zbV|~7cA9pYZVBa=^h?a)&ZmTH0*{ucUrqVVPOp6|Hxe0gh`Ypm%Q*_Z6k5pKW})dy
zm{Xkf(7vWOGyr>VXh3Wq01qDm^>SXsd=axh<ABgw)0uf{XMc_9TrkgcCZBpwyknd}
zq+LN9L&kjB+Zkw1h7N{?Lmi+tYMzCEXwG)dGELNcg7UAYFF~Z&$(~6%_nWgtzj9Be
z-j~x~mgBa}G|fsYN^>4*&(pM%XQ*l4r$22W?|-D7=hDCC!rODH*GG{n7nvSz2h)RR
z9jN^L9_vKSd4}Qny{V)3AbI9t+@FVCWXn?8qnVnK3=vr(YY@2E;q=>9`2CA~yu&k2
zH$$9%px-@<e!Y%<B0Bin<e%q!9b{iewj|UI9Xu(ElqZ`go0L!K6w^w}DP`R?of?NZ
zFke`$C#kF2h<cQ|RGM1nH7WGdcugv<f35GR9ZsW7q+PPfjqX{K5*eFNBKvDHr5*R2
z4zVBBF+MyZe3FlpcZ7fPkh_d=Xq-7icq<<XzkOvIMH=}C9u_`MNO@WKxh4`muR@IB
zt&oeS+tZMX$79O66m21WL3maBT5Dv3@F8)PM`#b}ciQJ(qc2HYN}LanuhLe-V?WWG
zq+ZC6eF!;1e`9R#W5*y*MIXQ&o&HPrYGlc^xXCm3C2sQE!OUlQE@Qe!+6Sfe1j+Bw
z=r8hI;oGcdN}tkazKUG=3G*d+=IMkv1pS5fbvt4I9&%tSW(j%z0{!Jk?5)f`N&m6u
zl4oQLGXGF*^A^|>{RLikQ{m_CA;kGE=}2Cr?D9NW)9j3!)XzHFLDJZO-cmo#zvxSI
z@V^LC@)@_2O_9ew=qIG9^(y6+x<GDd`K4`mM$!-DS^B(Q$j@Tr|M#i8*N_=+p&L}P
z9`X)-c)RK2EHZ78_dS@Gc5^agOb^DGBN!8M$C$?%V;*OWk#Xd1#*PJ;HH{IIdDdhz
z6lx2#hC0M%N6a2jXQ;jT!t{gMn?IY*P#fI-H{zW~xvn9v-({WUd$hri8S8&UIe&?H
z0dxlREAIbj4mZzXKbgIaTQE<9DxfEzCHT))^8n{o%!|>_CYoaBDRiLm^oJJcRufHu
zGc^3%xzOzAM9)0L>BTeU+21lP%s=7D^WeqrnM2I)Ob4@o^`!H$KgIajoAL8XNb-0M
zro=IrrDh*fNq(+^Cx(*#XFPK-<`AeW{4s!M?F&CZ=ArO*b>~^~JgAwbbDe3!^A6E=
ztDr5v13w&wIYM=<W{l0E(;NngPA1e8`UWI=S|3RKQcz%>@I%c0kzI8X2`gcag(R-%
zcS3>rc6eq&?(wFTx0JrKzd6D^3OdLf;2w@Sz?7!V0j9M(#&n49TdNs`X-&A+^wC!0
z=8e{Pt$0RhOrpz_qLcn1%PsLs%p+pIHkd-C$d3-pJCA2B(8U=~8+?N_#^NXINd=UB
zff+{o7Q1bjH;w0hJoPmmxrOOoVY)*5L2Y9Dp_oGAE|lC$nEl)X%?U#G3gfZ9w7+da
zKi`)=w;tM;zAg4xKQzBFEun_!@iPB>1CqJrh2{oyoc7e~CUb<@6u!j$zPQU=b0Rbq
zx&-<ebPx10^eD8{4l<pL3D1JYLbpLLK!1W(LT5rFp%b8i&}8VlS>|`JkATKN--Z@K
zPebB19Qs{MH(}lm{TP}KMd`K*H(>7o9RNvMlFkz70cbfS@gIfmi_K3lCH*_9kUUqO
zDbJY){W><qz5se0`a3iQl4r}agrr<jCNZVl;xBXx^h+oy_iLg@b3Yn74;q%op7<rE
z)YE0e+m6{Bitp9Di2J0xRZa054_ysSgpxX!e4h+WfKH2Pg83V3n+O9#tt$NhlZ!EA
zf98Ap^W_^OvjAMS8*8qC4#(|8a}qe7pJOiLXW^F{us>pc3;uzhW8O4tz)z4cj?>U7
z0-HO{c~}>x3-%sP5A27tZf%``j2_k*<P5_7IOjO<6z3FNCNT;)&ehJ<;0$L5F84V1
zVt<BF$#I@z%yOK?tfD&366f#WYtBk=m9q+b%h?FN=WGGXoHB4L>j{qY5wl9iaxu^K
znWbBsVoY^xV`j^aZ9?C1Y+F_$9D6W(1dct_9!i+Q(RCbq46|;}4q%PIvxDG#&mPB`
zuV+uTCxfTjQ^BFEuzL0kdj|MzMqz8uvFCv2+4D$Yv>gqOMG`pn0`{F9JJC)AFSVC~
zm)Xm}@1b)z_BwkVv2L(8fH%448taa9M;gZ+<&FX;x)WL7xYWHAyaE~ExmUSYfz#Y+
z_|9}^g0tP5!CT#1!MW~S@DBG5@E7hcz<ZfJJMIJS1K_XS-++r;>eF4}Qj_jG?mOUm
zcRje#r6%3?+|6K_OHI04U24*;a4W#i+|R(B?ia@K_<^qHgY~`oU<<DW*x5T6JkmQ7
z{Ij<jEcZS#j^D^{1a|a0f<yhG;934z;H5sb;s40L9-Qyb2Y=z;4gS*q75ISvAo!3^
zp8ZGsN5J3uaGn1<|8a1EzX1G`|0nRzKD^;C@t1&0{iWb5{wu~w6{U*6=Begjt5hqn
zb*is%Q%9%9ffuG`8yAjli)(BA+NMgucB%H@L8*hlPN`1d!6{0W>YC~X9-2B7JS=q>
zcz6n4Nga_o0z5KBnfb=kQQ*<3qrrZueqjI9An^3m>EP(p81TZ>h2TZ03E;#O<xfpY
zO#&yUCWBX`t^lu0T?t;DqCcdrNnHb8o4OXfE_EGveTw=@O-W4wr>3TY(<q7bU!nST
zM5CvS$3GGdGc874HEDtwGH%kCi_GE)BPUNZJB&vd6NaX#gf%6mmFZ}Dn7-x|bCx;Z
zOfXlN>&y%@*W6_uG>@BwW~o_WRuj@WeQ5tS=4g%Ej3+f<Eub}H!eQnc=2&y8Iopgf
z7n|>yADNlvHuDSfYx8^ata;J=9r+;7Yer2M@>JF$Oi$7|&I~cb&1f^xTxqU1v&`-0
zZu5{?fbO)+yoy9g^2u78X-Mq0=3pe!F=nti&3xO8F_)ODkVLc1Pt84ybAK>@GJi3z
z8FtN#|IOip+L&Pjh7N0Erk!&7$!*NS(@#9TjVT{C^u#voF-4_kUCJ~kbQjYLjdZ9P
zVaA$E&DCa#x!KG!_nL>z6K0Wl$*eSQ$NBe7BeS15&~#<w{H9@EWWHm@neUqKn;XrK
z&Ckp)k%~{EAN|$*!@Lv62~06MTRZfs-lo4f!3;C!m<!A#<m*&3$J}A=GmoOVEjG)|
z>t<~nCxy1QKN|8O=14OD3H&X-Np>N!_Xp-CbBp=8`4zJFY4bc1{SC7&j#FS7Gv0SF
z-Ax}e5Se|3IS-jV*<5R;nOn_#bH91aJY$xam(41(K8{n*>}w7%2bn|7QD%@i*_>%c
znv2Zk=7)?AKQVWj2hjKaXkIX{pmV-!HjErOVX{A5@qEScijx$tR=i$uhT^S?cPQRF
zs>fxc{D%}5C_bmSOz~C4HHw=Q%N2JB2HvQVmyHRE6iXCaD7I1Tpx8yRhhlHVqZJ2^
z8g=od!3l~Z6elWPr+BO4eTq*gE>m2sST=g%B^L)@3Z^{8`ijMhO%+=zmMV5s?55ar
z?4*&SQhgK$DxRWvmg4z}6BMsdyiRe3;@k-rjvJY}OYuI%hZG-Ed_r-d;$p>RiZ3g!
zoN&pg38~eJYZW&uZdI&M+#y(C6nSOg;z<RCij5VUE4ET>r`TDsyJ9cJzKZ=X!6+E4
zc#7gM#o>zQDUMZ~pg2kKO2un0nKXK0!4$<AigOfiSDdeSui}G>k18%ueCASl?jpsd
zipv#WRa~X`w&DiGEsEuem6yT81v>@nHC61cc!J_+#cLJkDL$^aTyfK77fu{o-zWx(
zg^G<8n=7_bY^T^+vAbfg%Pt;uY5l&6Cn%n!I9748;`NGi6z@`eSn-+5F6(}1{bh=;
zDy~u7q*$)FL$HCTSftoou@vmlpo?Np#lDII6;DzerZ_@zwBiKC$>3oPu2Gz#I7@M^
z;(W#X6dzVxptw+R3D~p2a>dsb*D7vNtWf+?u&_X}v0_Wb4&dR1-4%N&_Eqe!I9Tx%
z#bJuW70*)~d)ejZUsgClagySdiq|SmQJkSTNAY&W`HJ^mcKM~36+WoAKyi`ca>Z4O
z8x+eGcM3KvP%OE6%%n>iwo&Y$*hR62VsFKx6$dJwpg2VF48~y#$=JQOOqUU)G18qQ
z0AHJpwRp|-o?yxpn0n|G4bTW0G7cN_-|ym}gGejw3A*S#&CwmCJ-#lRgT5g7+cWfu
zYmLvkfTSV1mlJbi#FMVNL>Re<{>U279$_1ewP)Bu<L()@*0_6u4QRP`=wt_>Eq6kL
zJs7>QD_Wg_hySnmILsBK&G!UFcP>UIl`v~C@Y#RtZvUxqdv)0VnzU_F+IB(Oc23$h
zENwd>ZR?k|^-9~iq;0He2&e3SY-}DKo4sO_y?6ER5Sy)HvuSJ=#U`s38m=EET(^Jk
z*kq4i?>ok3o7iO4Mcs>IvmiF5Zxg?Ttn5fSCFE2&c>nroo5&`0Yf+iDm8EU#)3#M<
z+skR&lC<ra#J1mka7x?#?oynm$od2>vlN-NV!uw2SuS>Fzu-i{J?65AH$7%t`!gFl
zfOP(yc2<Km=ev(Rn0roS=6x-*!kd{1-^F}Q=H5$~7s~vz+-zsTrNAj>Wvz|V(dq8=
zcKSIdIm4V0&S<_;J=wX&nc~cH<~sA8`<#cJ1<pcN%9cAToi)w|R>dluovdq%hT-h@
zIxU3Rnl&#mo!et`Zfr^`iMzB}<gfDHnX6-i>#TPwSWT00!rDUHCK@X^(V}C9+c`GN
zqYy=x7G1BlplC+Xe7-}ysOZ(A4N=O8*{E}LU(5=UJaOL(Vw1Hqy%&zby~)7XWL-(`
zD<ZRLQIxZ$g-u&E?H;@Jj!o8ABy3aRD>0|V=FPFm3X{6O9Glx?leJ8BkDt+Ocy!+^
zPNx~GH{zeZ7e1H!yJM3TD!pG2o6G5W;=dxgZ{8uQr{?V<v-IA`z4T$@99Z9DCG5cZ
z4pQMjb_rRRYL^-y>qrL{5DFjGS_JFE=WUqtcVYdeH!CUwSzj2!a{^Yd1UrGnYA;rM
z8@0DlduO$GR(pL`v#fI*sGL!{+&HDHG(V|YU07$MOi>uiH=tRAD~-zAJ&wm+X;dSu
znw36?+%IN*Vl>>n3VR{rL32ivcC2|>*5D?CrL1{bR^O(8U0DUQtg&T>ycU<%tcXd-
z>%oIk*GU+)k3p-9Q)Gnh&bm%tR@o%{M6fOEZW8MvuwCjB@E}&-ENgs|z@yY<44hQN
z7!}uRYC1lx72Bq!VJ}r|mtuvQ*n(AK%+eTwZBsMBQpI+x&q)kH)&Sc+Og$uPHQDQK
z*()`og`G(FGpJ?Hj8EHGgO{~Q+*mP=egBZQy_wjYhG`q4f~-rjf80gg;0@0FupXZ}
z$YE_hHB9|jnU7MF75O;4w1qxj*5qTidlENUFPFG&Em~j?*7m2`X?C02(>>aq=FRZO
z`ws`#q=MAo)bP}Xf&~SY^?KL4y57qAoOgj&k7d2_4A#P`%e_a<6RZI)VdZTFYhr6y
zt=eq1nhLW6)(@OQ%c$c{ObxJqQ*)4I-<$hsc7>YL?MgLgaGqM+XWCcPoMm5AbGF1!
zjf>)AYJ5zMkE!u7H9n@s$JF?kv+Z(L=qFm`3@f!#YHtNQ*;~M_oIJFoeG@oHLZ-%X
zw!xCRaKv=>`7J367tFN69kc9@!P(XM*4~DDYkNCbYUhFj>`%Z!oNkcR=7H1g&%l|S
zeJ348yFR+UIFvQj^Wm0BtYlu#I_|BkG2Y9%>f@~bEn+QqIcuw{7*RHuEsQFaW~Y5a
z>t%ptT%f)N**DdkX8)<?bo-W?Gwf<LXIjR8!p*X4)SNBxsTYlpsqry2KBmUU)cBYh
zA5-IF&gR^x)aRX)qP4vXEVc8&0ruzMAn~OR?**sXyTR%9K5&K=E}Y4GSyG3;1ZOjk
zY{~fB5uLmzb<qzFJBd}@v*5AOoFTLBRrUeGwYCp}rS>tfll?8&RrYRDhuQnV0rpqm
zAp0;ljngUeyx)K`?XSUE_7N~&YyBSg)^-6{Y99v&*x!MJ>{H-0`vf?h{a{Jw51@=^
zo_!kI0A|5yX_H8C`$v3Q+l64M{WI9fE&{vSbHKywGvEOG95{_LK9cgEz!_hG1J-Iw
z4zTa2Imm8MbDBlxqot?YO=`}t@2WY|u2XZC-KgelOMF^V<6~-kOpTAJ@i8?%rpCwA
z_?WZp+sXlp!AtEj@Cv(x61BE3fTi|%aDaq?5B>s9voC_v?O(web}2Z^z68!@e%+IO
z3|aji#%lg(_A(~3&OXJ=q8H3Vr@D`R@EFo%A?xkSSP5TgR=dY&-dnr<)GT$6j>_VG
zL(M_%acYin2dX*E?XTu^_gFP&aH2rUKGXfCnzP(NYR={qwUl5BSZcR{o$N<oSGyS;
zVBZ4=*^j|7ZeMU5Cy%6LW#DvM4$iP2fHUp;;4J$gn2+x&ac^xu1xq;xEGbujgY4(v
zH2WDio%6bq&USDXYZu+o6#B7;GK8LSp1FV>k1Ne}>=E3|j?W$Jz}(Ni$K&iss04OT
z)Y7zePg1kgW&T5H2e`+pImkU-%`xr}HK)0!s5#vos^$#$R5fRECRF0ha!*rpw*8Xa
zw6-BwYI%=_eD4GYxy*N{k-^|Nmz}xPG?!I~)O6PeXSnR-Qqu;U<$B<3*0$OuBR$e@
zFk{Lv<llLWDie@^SE5f(aqAJXwOb!7bsK}7+<m~VR`iC$+yZcbn*s;9`+{TKCg6o`
z2{^%R3SQzCfz#YVaJpLz&TwUHo#{3JXSt2QJZ<CdhkI*IY|C?H1RmhB1IANYfz#ZU
z;B@x@a3-f&q-}ImcH3Yd;I;+_)v0s`60)`14lH%Mf}PwhU{~2qrgWv?0JkkT$UPVw
z!|4|(T{m!o+a0{b?FdeDJAl*C-lcR0fiqonNJ`fUoW0w8bEdX)YxgWQOWiZn9N>OS
z%|YyP3qOo;N2oc?9j@kdmpM1?Gk8~6%$e@lYR+=MqvmY)Fmlt{?Fp8;J-`9(q2M6S
z0!i71f#clX;54@vINj|7&Tx+aXL9C8%5x-`r?t=uNDZBW)X*qM0eylL&?ZO$U4j(Q
zBuD{0B7X{R;4Y(}r0^yvBcP=47AT{iq_7H<kuQG=YjGDTDk*FLMS@BSn?RAClEOMr
zB&Vd%Akv<z_5fs>)KWiC<eAjcH$ahPQcD9tkz-On$ATimq<+2$iu|fA<rDE0X&@<|
z0E#4#lurjm3P{SQfFc1T<x@fF{gU!&V9j|x6JOyMN%;&=ctuh^7Zg5`l!t@DBa-sB
zLE#Tc`8%NO<U36tVusa5=2_68;?nE{NY<AV7i`TYM-+z<7iOG7SuP`Rfzs&=;hw$k
zESF<(>5=2o2bT_M7u&3xX(#6y{CoU+Ini*R|11A~In&_(TFx~14|AsBQBE{GCg&Oa
z-*cYf5B?L}{X$MZ5bjC*ANQZa?MeSBW1E(ntMIGo_e)}B|9(Xp)qf9=ZvNksJVl<E
z`{TR?d8q046uFc9<@-JD=l?z9=l}iD&-<g?)_IV#B#XW0y(QiY-cs*HZ<+TO?<McA
z-g576-pk%A-U{#U-mBhg-b(Ku-s|2Q-YV~(-fHhnZ;khs_qO+rx7J(dt>>S)Hh3Go
zP2PLnX769#7Vmwp%=^IG>U}6@RJ?88$6kf^iC5|IsYdTJZ-@7}x6}K=`_c=2<2%0f
zUElM4{@W|%7x?x3`hEky&~M0BUmE$v{yu(Ve_y}EZ{j!goAK{o`}r;W{r#5y0e&mL
zwco~X>zDcm`tAJoeh2>`&cSr@JNpOwUHq<oH~$d7yML(P!#~XL=^yU*@{jO)`$zhH
z{G<H7{x|%i{bT%o{x|*p{s4cVKgd7UKh7WQAMc;wpXi_DpX{IFpX#5@zl{y?Pvd0G
z>HaYPTmBjTnVhfrw*MV}gny2Iu74i?MRvYF${+2I@yGh({0o?yUF1*jFZL(;mv9E>
zyZ$8qGJmpvxqpTKJ^xDoD*tN#`~Efl5BzKWANtqH`5gZSe~N#jKh?j<pXN{ZXZSPy
zS^jMQX8*_j9RC*oR{tmdT>m!zcK@gTJpX6@9sbWb&vWN)bANT-|0?{RpVJ?x!sCzR
z;qkh0bahUy&ch4+XZ`0mrL;)SDEZHGM(G7kD81+}^Z&yC!~NA??*GkynbS%u{J;CJ
z`mgyb{eSqc`)~NG{D1nZ{WtwJ{#*Xr{yY9!f1SVHf7jpWZ}Q*sH~atcxA^b-W&Q{L
zR{ul4-2cem=6~#0_@DTd{-^$S|1*Dw|GB@@|HA*$4_U5r0vou27x+OCq>R(}OXnqH
z_qC=ZC<yiqN`fZd4}xYv^I*TAMX-O+GB_Y;6|@f81Z{)T;J~0=fHu&$(!BLQ*Aw&g
z!=x8h?T3fb6Tgmrc#ihO|4cuWUifq55gOt?*O-(1|1>{-2}f4rNB>!J*W45ZLxR(S
zp~30Fu;5$48Nr#sS;5)Ch~PWH@PP5Ym=o+l|6o8cFc=gZ8ypu54vr5_2u=)62~G`8
z3Qjgo@fOZ=GU^v^fhy7?apJNg%f%M&EZ#<_&1pAVTy72sz8_o@{2;hC_+fBe@T1`R
z;D%sIaAPnvxG9*%|2WPFW(Ko@*}=`hkApeEEy1n9PlCC@9l_57R&0xx252kAL&#-^
z;Gm#m&?)H5|37vKx(3~XLxLW`VL|r*eYN;O;{|sI_XPI_zvQkB;d=&$2fczLg5JTA
z{9oizLEqpTLBHUe!O;P_T=5iB;+^Q7<eluD;+^UZ@lNxGdZ&BCypi7d-Y9RhH^v+5
zjq@(>F7(C|dMu&O^v?3m_J(`k_C|Q$@y_wi_0G#1TGSb*cp#djQ+zb*$+oy3Z`zIX
zj`8~OkCy$t0p37wkaw(ioHsac4xUT3NgbH#km{J~oH``cBh@q2E7d#IC)GD~OzK;y
zGgISJ7pK0Px-4~h>U*iHQr}PgAoau4k5V_JZsf5JPwQhEaN@R?J;L_3N7_F2DBIV5
zBlv~o{A6)&R+hmpneaKx{EB;;{W!JT)Hbut?SA|t=l-^(J;1iIt!*35@s`>HZ9CiE
zcCZK8j<%ESY!4334elg`=4i<rTqT7P&PH~zU2Qjei0#gK-yZfb+cRM0zPMP<N;n>2
zIFG<N;R0LF*0&AV-)LxyY$IE2_u<?y^TS3vd7~$V;B07|Mmwmt{A*6uy@<2M*1cBo
zhl<xJM()?E{RYJ;iZ?1wRlEsw8nF`qJ_;7V(*>*;H)Y?&Wq0flOMRHOym@Zf?YE8Q
z*oXg1w4ML=wVFF?(-n8AC)RZ|+M8P7e|q%UubLKE`wXa>4rs5kSKIG@rI}AYO)z(+
z^R;S$?zsQ>xSLlGBv=1Q-87G8>OUJ4cqddJ*Z6nkYU3YcXg<v~)>pmf{B|+|1a}3$
zh)1aIRYoZGRBIolWE?7NX@2aqb2_u<-plFh^mhjH&Wh~2pYL4YOl0T%YUes<Dtqs@
zI`f>n*nNM<dCYl&{rAPrOU?@Cb#~y_JDZ(yr_%Y-dW<TK8NXUFR&{0!>cx21-ww8?
z*kN|KJ<pD{6YL~=rM=cpu`}!(d%K-)@3jxwNBQUJXY3-o)GoKL+Ew;#yTNX;<+jrD
zuB=<&7P%#E3%8Bi!R_MqaC@@@H_$!79pawhj&RR+FW@bb$?nzeb?#Jm7VnA7bMNBc
zs~>V7;~%USx{KXq?i$|r*y$B|Exj&YUut@UH^H0iUF}`xP4#AZw|euuyS)3nhrGwU
z1>SSazh7pqy_&i7Hs;E#<$8Y(MuLlj^TFqXQQ(qbH26X=23#791z!xtfy)9;*m!>l
zE|ihZdnrI;@%|cI1TGIIfPV`v244;)g0BRZfGdJa!M_LJ1z!y&fv*LZfh&W_;6H-P
z!PkQ;z&C>LfvbWm!G8u<fvbb7dD@?Y@AI~g<nJ2r`QQiOlHgkKh2V$a(%?Emy%_w+
zvUW-iujg(NdAxzUmx3waUxOQQTOLg1?I6kHP2kJHH1L&RI=CX30scLh3BDT40$&Se
zgDZoZ!G8ol244^6fNuo1fUAOA!G8un0apiejrChuR-*mZmep#%jYSjl+u8<TsVxK#
zMBlJ}J6i;{w~fFKwirCf?gMtTjloW$pV$(AK54$mmr<;@hIg^8_m*uAzHRpd-?6Mm
zdu#3f;5yq9TyGBm-?gp44YoD7(Xs~ZZ9<c_-g~wb+-wg7|7F{OTP!m{?|sX9u~%jf
z0za^<AbVRaE5+W2wli364+g{F4svCJpM(3@u3%%^4cwPEnyp`AyMs++57}>Odw|XC
zVPJE<DQ5j{wikGaJpz<3JXpWGJreA}8`0K3jBklqzo+dB9?tug)))QT`VR<Cfz$&?
zjd^`#X5oK9tJMqYF}vuGX5JG`_Dp2V@g^12XTC82UHx!){w(erF#8yY=H3fk`)uwD
znTrfUk3Ry<dpP$EnVB4mR^J;v{M+0YF;6)T9sfwQ@)6uOV%9PkjlT~%`ggc5W)5>a
z`u|aA?B{U54>Ot*m<{wre?OP|#>{U{WNz>cwE6Sku#w0));%%N`;mgI;iBPx6CCaJ
z2gi5=z_H#yaGW;?yuf1(7tQ}TaJ)AdCH6#S7bBPx^$7Z5`wnxX!va!ZMt=|3D!3PH
z&CJ7Rc0ZhXQ}^I#>}`W@2PX%I%6x;93vd8uBxv<ix6~nMpjWCEDklhdCMN=H>SohD
zHOCp`F7S%{4S8o}%*bSBwx=_M)Gea_vcDrJr*S+^VwCbem7D@%hePw_xbJdT-;Cf5
znY+wAPAjLaGs+q3{@z1B=Y+%va~E!-u=D<wx|~a>wvL=Ea#FnQg^nJDbtn~Xj->9V
z+LQia(U}|cZrPbB;3;U}==*&4fPLn6oXhKs_T3$sA#XY#!`p&`cuVkP-VPkfTY=~C
z2H;rU{F}%df0yy5-*Wp8`?lNH9W1*P%r-11)C?z7_}Y<q!F*~SB!zR$oAxGF`*-qo
z-_6bl_ZD}qGs^v``+H}c`v>=FXA07Ki8I}O(Ou@;>i*UJt25Vq*?rx)&Hbml&biC`
zvwwl}04sZU+EdY%p0d|7zQ1ed`x}E4JF1RpsWsT1b10oC-=UQ7aNb@!lCv*Ir-r4@
z;LWrNsY`hqZ8C46UCG;L*YMWab-ZmhMdR-2OpjXC)^Ob4laAv{i&@5+BDr%pA%xoo
z>O<a~ywVtZjh)I)u4U5q9;^R2u(O}k)~9?YLF#FZ*3%bSPv6mc8m;wof!5QFT2C{y
zo_?bBbeq=G?OIR2khGcM4%W1N?`V&8ea5;QaGl}JFbx>-W}8Cqr`~+d0$H8o9ZuNo
z&Jnx~f24CP->(_$oM<j^PIk^U6P%IG&E|*B9OsYb5$9RwS@Tb4nX}BSc3yT~Hg7VH
zEaD7{<(o_EUDg`h_uZ`~<$gqsH1HaE`<jkkQ?C_YmTT*knqFReuf6H*b@X`i%j@Cw
z<t;OdRM5P7mwQ*3`s8XJ=cc4i@5IkRrkzdRs8RTtv4+0gKRDHxU}5l_=3YYZ-mr%4
zADkG4P0gWqkuuy&$()wX0hCN~&4{3B32)MWyzfyXQX8Zj=i*G{6r)r6{zQ-OSV|oH
zPsHruj;-tJgZJ!L;Kv5$AnN}V=Tv8ibDA^MIo%l+OikTJ4jjw=4)w#Bf&^&EPudQ7
z5S$a7W16wT^L<tXB-}_sxb)>x3fqnIP!20TKjK7&_>Ge?QnLEQzKSyhxH0oT&i+<T
zj=-zK?QkmfSDY*nAL|{D+!k9~eEBj564UTj;3sAPefv|hz$tR}H-A7Dbv4hUM;>8b
zQ%?Gaa?-obx8S7rl#{jzCpm3|lQ`cA4>>2p@y9x+pe3H`oMA`Wk<LUr&W>{~v6Jm&
z=TdsYqt18j@9ZY$XYN>ctn-TYiWS-`-q2q0ruK^M+AF@0Ucpi@(!&-=udwy#73*zd
zcZ0jxwiN!fZG}H=d*M&pU-;7=C;VxL2!Gn4!k_kZ?=Y{g{kHTTJBHF9Z^tr*e#?$y
z)EaNU3+H^#UM;=Ke&73<H{agqJ?lMdr%QjZGo&T#Olb)_OX}RtW`%94y&1XN-u@W*
zbda4R@7~&5SXDa2-YRe1+Mmc<w|1_)b!%^vw{Gq2^46{Wsl0V-=gC{Q_GgR_{p}s8
zfvJJ^=g72Sc0O|L411@%b!+cJzD=;dK*n8a@0Pc2?LG3=t-V*?y0yQQw{Goy^46{W
zmArLp@0Yi3?E~`Gt$h$Vc)k5~inng<L#f+Rx5>F6#shgvKH`v`j8c`RpYqx_wNIU?
zTy-{lI?RmJ{&gW7betKlTy&B9E~D4Q^z$BOqV}#!&`eG=SJ8h)nya<H->4GlChddM
zwC~TL&$KqP7zs<wY@~QsPHs4y>R{xOk<5QL?;0xWr?QT^r~M7dBJx1q7v8|mZuYyy
zUG&}Jq55v|X!;u$@A`@vy<3cI(D#N}gH!k9z2WFCc_TOzFL~EDd5gEZzQudAzQucz
zzQsFS-s0utN|ZwK7H@QyyrCQ2CGXxwcgb6|(OvSsY;>2r3ET0aF_R{mZHn6!zZ7&l
z#rlfHicJ+;DwZmCym;iKi=1wX0~LoWUaB}%alYc?ipvz=R;;-AqKhxG^%aX1n<}<c
zELH5N*iEsgVjsnRmtA=E7<;VZ35usE4plruak%0+isvhiRpjdtw5!OtJ;Qn$Q>3WJ
zDcyh-+X7tv-*9!}azv%s9ej{FxDUD;nh(u`=0bCzS<p0S3MA(@+HhjA>X|I*4G!m*
z)bzSUW@>nBPL9pBk=fw<*t{k-mqun`XEyyvr*IxJiZ*F@WxE;eXSKh-!x_hPyI|F{
zsm}#wH15&myfo~kr+8)|r{cO3>81Z^x`ENQ1Zv^5aXRo7k{-M*aWpP+M)?Hvg%g}J
z@~qz!v4YcvHJo{bxC<JhYdIx^evEaVXhmlk<MCwPs#xu;bvE%{#WsGE@!c+8Hqq2i
zaK3bg=sHiatsgzbHYG0)=}OU5+me-{S+>+!X8AfII}ttE_2|d=KF^-Syx}aqA##!(
z?G)MZP8((pSJ-RF$5h7s>p5F}vz^Ob5j2_K5POHc+um;<wvXGV>~nUBeaWt{uiG_t
zz1?iLqRr9#>=Zc8zJlgP&LBC?9K{Ce@($;S9H*YzuNQZ7J!dW@B<MV%apl{Yj?-B2
z01dfWaf9N|IRWiB&D8#xpmT-V%N0Y#t?E8s?Ki0XcZ$V)mCSKU)P0J&bXMF?U3RMd
zKt&@V&4=p#h2na3FH-wlwYOLM(`s+7_)B$pLGey?>8AEK6_>Ea;y8uQCtwG4xj}2D
zwc5WFbUG;(D|S@(&((f`+IJ{^qAnLIwo`1S7}fm6VmB+)<#x4y#43m5?625B(0rlx
z?rNW{_6~|CE3!vL_-=~r1x>l)8g*&Rc{6F97Y)t5tUtbmocZScMrX)>j4sGMU+!4m
zTax}Lz0qoa>=5_Js5hqjqA4e&uBVy}^rhT2)rU0I@_22v1FNgj7n7dYfu1&kw53OG
zkJnj?*(+>mOW6%f_p)>!8*Rr&y~|$jl+m+1LY_oFJcn8PXym|l`kH6wMm>yLHJmzk
zoF<Cx6^AGusn}Yvjp7B0CkUF^YCm7`D0P{m_Q{H;DITuaP4NK5V#VVW3l*bSjl^zt
zs7njQW`gW^K0)5jP<vx_KV5OK;@OJh6#FO#PE*ba)c&-(->rBW=iMFWM8$^cGElLL
z;{A$&;>(KN1x+?TcV%79aY{9P<!#>95bo`xn9bq6)J6H++^Y5(xZUZhz6UC%1S9@;
z<lA$O`9R&zRr|+^+Arch^%wOmW+l_HQMu&H)6%a&!#u}0FRXoG6LxtMiB?7v5<Mu9
zo2#UbUU=z+S2cv_`i8f5gc>qu>{#VZgP~@qIhIq^k`A5EVSWgfDDI<JENC_;zN;=>
z)&7}cnYtV(_`)?Wuq#cj#&h!4IM;n`G>3NyyE#3fK2AU9SZ16<owLAmc&l){bE$I$
z?-gF}OmlAL&B8mJyPf-axA1Z2DZa?HB;MUPC*I#!!&kQ|oE=P!17{8U=DN$_jE?p>
zNb6?V>mck7+n@Lk^Mt2J<8eC}ms6bki4pC9@GV^D96OdL@f9!K4Vh#o5pT1-5^6<?
z(cZ}5WOszP^RstIoPM%L;tZ8t66Y-TNnW-5CxPyjv`cnN>=d_z{S@wXXJsjO5<_-X
zqR{Qwe|g3(<@7eK$@kXj`-+Dv4p;0bXnvyhQHm$13;$U__&~8#k$*+NWr*Twg61~0
zAEQ{JxR2s-iVYN_lv83i{J#Myv{1B)Z54|ZdnncyG(T1REZiUa^=cm!^0g-Z<wjC?
zOz{B4#_IchzN+Uq4-1+N>atdSJE{FM#d5{h!$ySpKz+|syi2izVmm?esoGmA?yo5y
zsqRm!%j0VAt@eG@{<-2B#b?yLP;sH==LWTRQM^FVe5CgFid_}kC^l5=qu5>0tX6wZ
z#gi2eQ9MYoo?>S~Q>ONF)xJaV3w1eA@c9mZUP_p1@`0JY;~XgXeEsK(vqCgw4kW9@
z8TkMQIqwsCjh%uVYG&tQzf@g*rP{}1&URd6$A))q#eMOL#jj_j*ot`q??}d{ygT!T
zOY){eB5CeZ$uV7!_cuUR=>?xrR5`?Vzr^=bb&+|9<Q`l+W$}!xXO&iwZ2gdECn4ve
z_o$NR{Zr%LB&h3Lj>A_5N%1&!iE<-z97YpG`AUN0bXHV}_w1&{J@lzM+u%(<^FK_k
zzA;)tc~s{E`Jx`U#5jK*rgO0$BW3#_QFC^S?O<<HFh8}vpi4oIdJ7vI+u)=I=QNnm
z;ED#<G`POOss>vcR1^k<Jqw2yURpS{@ZrK&3(E_4H1rzQZ`i%z84a&#cyGgH4YwAR
z6!j@OspuSe%erW8(fvga7d=t5uxN47vZ9xZRu#Qnw4rEg(e|P*8+ncDH!5z_v{9Qz
z9U66M)T2@FM&~!WpwYxelN(*zXj-G&8_jR@Xrl#<-fpzBxM^|E;-SUY72jU`VDWRs
z%Zs<|Q@l^NeTM8aexG^!JigDe#!VZKZalv6rH!v>JiqaCjh8fjsqu=EJ|!oWoKrHo
z<m!@HC3lr9D0!)5Mah<u@{-CX1x;EtY1gDrlOaupH@U9KT}>Wq@<fy6P2O%=z?<5=
zoAz%yx#<&4SF)@04Zah9v?+Ctf%?&Z>N`jA?^S(G0Y2UF>5or;e7ZZ|<cqfbaUTR7
z%UsoZSFl!pB|X&fej8To0=t?f;U?28eBU$=cbFE~4~JfWmO?K=%b>qNFG1@G^DeXj
z+6ZmJ?LBBS^e<=&^gdJueGqPP7C?W1o`9Z&o`ODuc7&U}Yr?hOkHYu88=x8dYs^e&
z7Bm~01Kk4M6Tad-NVtcf--K&Z^}_d4^~vi4<hqPpmurq&@;@N0;H%b98>p0fdFx)*
z2@ZvNK%yJHK%Aw}i_kLYFVIWSE=pmxlip_#{~2UHhjv0=Kwm;3|21MD{#VGckPCT`
z56S;DrJw?+9#kJ{02M+FA^vkm|8uPvb6?uL1Zn~`g_=Rlq5Ys1(Ed<M=m3baI+WF+
ztWH~~6gm*%&3UIi#GCZaK@eXca5_QMg>x`OeX!c@Io){PAy9YdP^brV7{q@aIs8wN
zGm<c@p*W);Rxq70&{$|3bOCfBG#<JLngH>CBM#r>bS{DTDyQ>Zh_xE$GKjSq=W>Ye
zbn<;>&$$xfYn{&35T`z!UqcT;zkwD*&qGTf)@;}<@|;(o70?D~BeaS4M5!aj29Ldb
zkDYvveSD8ye2+bRW-SnP#O}Sv-o0n3BeYtNU3-r`dygG^kNtX&-FlC`dXJrYk9~TN
zU3!l_dXK$JkDYmseR+>vd5=ALj~#iB{df=E*<&x>gIhPktsCLijd1HmxOF4ky3xBe
zEcc#bytvpjfU8QNOy8=6Q`ec6^vAa0PUX-;;NHWy=lq1Zk+9D~&q05J7D0c87DLZN
zHTTC#`eP;iv6B8+2`8_kKdz%cuA@J$qd%^rKdz%cuA@J$gOe-Z<O(>s0#2@glPlol
z3OKm}POgBHE8ye`IJp8&u7Hy(;N%K8xdKkEfRiiW<O(>s0#2@glPlol3OKm}POfl@
zp<Qv;4F0KSCNv9@e-XPG`Y|*ITEJHq{s27zJqbMpeT4gGm^&CuEMElop#VBM+==|C
zM1E9yQ^W1vG-w8`GZUHx&4%Vcw?MasJG@`eLidF4dQTA!?F(5_i7cs1%?)>^Zlg_3
zqt#Z$az!Lzh1nko*OJ<APtA%{yb=GJWk>}zUqQ`RQ1cbkd<8XMLCsfC^A%<*X?+Nl
zLmxrgpzWmn8MFiX9NGze0euODVHvGaMr)MO8fCOb8Ld%9Yn0I%Wwb^atx-m6l+hYx
zv_=`NQATT&(Hdp6Mj5S9<_xAk=aa$<asL~%4*C!(hZ4zrdAP#60=f#C0^JDB2rJ<E
z3V6N(p09xCE8zJG@6ND{TKycpZ|6PDT6g0t$-KUn+FDO-t*5ruQ(Nn)t@YH_dTMJu
zwY8oUKVa|i0P5j<T4fO}QAtZ|)PB>Rwt~ly?1f170$Qe$mRUp%S5m{3)Nmy=TuBXA
zQo|dm;f>VrMrwE?HN24;-bf8^q=q+A!yBpLjnwc)YIq|xypbB-NDXhKhBs2f8>!)q
z)bK`Xcq28uks97e4R54|H&VkJcggRA`G<q+sa^QgnF8GiO@(fPra=!fZvPs32>K1Q
z0JlFtPe4yXPeBVw<8P4sTLR^z#dgwSJ87{>#?ngf^6*Jo>`7YeN$)yy0R5uEyB_lf
z%qh6t2u-D>ra?0pduKwkpxMwI=oaYKa2u`puJ;R5Kx=kO6_^9)BNg<Kic|x0!2jP8
z|1~WkJ)<0{7WKUcqrMj|<6Oi&;X>rwO61#0^uVZ3HrJlC2L0z?W?@b21^gr055qEB
z7Ot{eq3zs%2JL`8=U@Gh^Dc6px5P{MN5Zwd&F#6x&_4X5N6T;(|1h}9?GFuvCh{+T
zzYX~^F`*0HM*OE>F|-do(+awcvEheX+7G$cpxQGt&#NHhPEy$!$8XO6KvvCRJ^m+v
zuceWzVnVg!Dea7}`E6tha4o>KIj+sswTQ45*G!J;mSWvPrKqnjsjn}2KDkQQKy%f=
zt)TY^@;_TEe}w;~t6S>-f2gE=J(X$5vqUDr|03nS4j0E>E@#}}?B#w)TRF6#;BWcQ
zg~To{*&!mohDgbbYsQuxD@iAlT2<aiLKl$>hto}*wDYbt#oiC0>r8X+N0`@R-oUr4
z_&<$QJxtExA*Jc-?k0&9q2}9q2ZUR_Ui7<+%@zNwd7_lY^G;$UIT;=H6lP>Y(RUnN
zDtPvZxSvE%KbaBY6zr#ltGpqYr*S_tT;mN3%Yxq^1yXSem4qtS5JNGCg_Zd7^)r0S
zNJD%p@%@CjW%!nBytT1U5^t0E5U)agx5W8MeAnUozNXrM+-)M|ZG<Qz<uY=2H>qzX
zck6k=Ht%%ID2L09PsmOBe9DLGCQU<1p5&}tOYVE;qa}_apQ9<kShU9r(4JjfD{zs!
zGE>hRiU0Ye9)<hJ8$+4Kh9BYkM{m5AdIPyXpW4i%R4ysu`=LHrd^e@zM{(EV`w_k$
zF%FO9S(ztDP9**sLP*`bPn~AsXZu!imTn{|pHI0)@%+)ynD7bWZ}P^GYx3`17;cGk
zxh^N2N<vA9P4X0KEJ{OaBJo+z|D&AA|F)cE+S#-DZ>8awBQU?ifBBw^IRn4j_%G?(
zalaGuF3bloAH@7U|MR$jFbfI01p5n&NqaXn$A1y7$;NuDoiu0NggtNQ7^olgP3Tx?
zF!W=3PJug%5$&g88UK}A=5Au-`-oMC;&83M2&$T<BfZBANAtQ5&Feliulvxn?nBeM
z&--)uw)Z?7_#*UDIM;gx^Y74W;RcUYSno~z*FbMUZ$s}uYoT?}dgxtf1GEv^1ic4s
zhW-U@f!>G8pbwy}(1%btRLL_wg%~eAMs$x6-QNdl4DAb*Kuw^gP&24Gv>((toa=uR
zvp+Nd8VC)7j)jhc21Ca~CqO4c$O8Xl=oE<m6ZYwC{%O!q=yYfp^eyNN=uGG==xk^>
zbbh$O9|etu#z14CanJ?Oh0xq^i_czwe>=p=y+1G9g0{2Lc>e3*8vku*GxUk*9MxPz
zvho!@8E^61PUxM4-bv`~c|uG4ompXa)(|s)deO52k<Q*7(0u3-=(o`Ckl2xbgw=Ce
zLz@0}q_kf(U%`Ii)*A9=gZkmlfLXVk=EsJv9<ag`6o%V_hRB#k;Z}S<3HAwh1dU0B
z^ZmH6{)F$Apa`=OlB77?Mu=^kjjtbmif=itmEwx#SYL7kenPrC;ut&BPeMybxhp62
zN>iUal;c`S*m6y$VfZ?6wh&66Afaf@Et=v7aZcq)6&gPv?$)$xl=2pQ7`Ze>+1n}f
zPNG*vqez7}1bIA^`(gB~ND^*APHjMfZ9sxOfdt#iI2VmyGD7S`_V4sg4VMvfCnLmG
zVwW*OY$JtAB<4q?vK|Tf0kPjhLVhF?5*eP1TEmdXiL{TT<VU8FcM^0m|HH+91d?`{
zHw5!ELPpZN(i_ECJ(}@i4DTV2#T<v<g^a6`w*Ad$RwvCPa~@g2u0{j)*2=<4e(W&m
zZyP%Sc`n)}|0QR8t6%@kuJ)m8v<4n}L{1L-)Id3PP(}&uL##GZH;+BS$c<KGLe`Bj
z;e)UuTo0~igvz>znfRCI^Un&JwuTGC6-W)eNIy=Gw51JX2RibpgbU^QwfWm$vua6x
zzkGBa?=W0VM0h{k7Csif9WDx2^Y2`RadQ8s3~F*Abs%Q||Ib~*k>MI}IUKMVu3n?I
z_2DY@VFeKXGTd0f4cCI`9o)bAzg|&DYA$9K@s(w(RG+l`N_?n~oF13N{BJT<resN+
zy~WevgBeNl-&EeOJ1=nh3Nw&@87v4FAS1T0#`}@nBQ^1XAGYAL@axXSzdQZ#b>=*J
zg-hdSC-<+@XWoYr_kVNNkUorr)ca1x(VPoSg)71w4-<`@$+(#K#r({7=EB!m)34LT
z(`D3s9Z9eS`M61XTb&~AwLmp$ReS9T|9uIuoAUqsCGDDzcawq(_rh~|xGk@nq{eIs
zT*W-purg%A=Y+y1(kXHu`KZZWj`Ro}^;M@t50H^x#{PB6_uFFoTDX53`oNm-t+fAJ
zNvi)zvuY3jy7NMfm8(vmlIQDwT3ynob$jZ+>E0L0yDM^Wum6opyQ`VFN4_yKo~^)t
zS#+!asT<o9m&9NG)0dE7xDs9PPyALA8(S1IFBVWsGFnEnrg$ckH)M{ZJhO(Yfahmv
zIW>ezJG1)0tTnpL%%#%ahSiWgx@yh?HL{H-(gT@M73@a(5+m=Wb-s<<$K}WyD9cg9
z6~=Ywp`}!b7qw(oggRPl9)aRA*C(NttX4L!V}f#myM`++^TMimuOYa!F>ep6KIV~X
zbG^?B{56z$wYIaApt;QZvmREvwdOLfhF7=MUEkKaX&&qO?6Fj>tB~~e<RTAs9CyQK
z_9XrP?KuA@%lseG`Tw^$rAqFzB!udFS@%^!X5A*Mf00w}ow#LOqO}S^bhFK9D3vl#
z5}U>?4j<#pDJWxclv;IUFQdv8#nw?YkFFDGpwU>!YBp<-Rif|lZO!BBo+invEV@A5
zubRpt<xDQEm%Uf!-O68*huX}V%3O<nRa<g(_KRi|8GhKknok~+#LCwa!oyYF<JrDw
zd{tHmB*k!XlJ3`IM*S_5t86~0`xB!w<>!9si`B}UUcbmY8(dNMC+|tfz0=O}WTaBw
zepGWiYphMi-oj~VWA5y6&tv99!#gdcv?+XFc4L?|zaPG`C*|6kaWd;=;d0WgZwgt#
zT2IZ%N>(NRCscyI#amp=zgO?g=jKa`x>+Q=g}E+V8a|+5O2A^?ijmn0S61I?9OaN)
zitS^h$qrhngnro~{G7SpBJ%v}aB=>Y)3oah8IITd!3#W<cNEklzcnQ!&)yr)m*>DS
z?4;@Q<*aXgcIM?OqRonQK9`<JrgM|l<*89xlvJd4Gdpo2rMBXim$%cY<gt)inWmLT
zk|n`2wIWZ>xx6U9F-BeuGa*QQbGR`RKjTw(Tlgt_8`V(WNYzpgsEZos6}q#up=Qk_
z`w@iYlsdm;yo~rZN2{qW?ZbC?e!Ol&YMc*{`#4=!z9^0FCQ_9)TURaj*%`>OYpnOd
zb@Y$Q@ZB8G_$Jf-lIN<mkS>RYrd_s+ET{b?Cz8XM6RXC{_oQsMtf%JTzbxOR7P2GP
zVo&mwuDu$=X33H$OnqvIHN+Yt<akK>A`@$VPR%|!31x1&n0{!%J(;n~zs**=LV5ct
zzOrml?ZIW4IwQWkQGT>JAr8*lGg7wbF6OPyrd}xTaMtOfULGJ`)+&&!#&L0GxVF`W
z-L8YYxk*w<N{D2ipWAxjqe<zghc(eyMTs}7-oKHNR#uwdrxb}s(ooic!Yc_OYsu2v
zv~I&Uk_<2cRb*;8aTPP8JCWj3**-PdlYDDzav}97yH((l@G1J{%9>*C9rvjID1FQU
zdy;Bh`$cxzoZHw7S8hx1UV_r@)N;ABYyMTX@be_aOuI%dBE{8~9!I&8Z#Si{Ons`2
z9)(wjw0E5>$tacZh_qEE-8v<)hk;}aPe1j&bT4jzt+0BM8j^7+=hCq)$K}80hW96G
z&rDMDHHZ55v_s9$uf>OzbAF-~H_jU>n`b2e`^kJ$Z7*E;W^%PBE47%^WU^OSwXY>9
zAhYvm1Bq`POev@An?!Y!hmZ55A)$7`D|uqo$tkk}76lL2)+yT86UYnSCSj?Y=$Ad4
zN}gD?9^}4?Th%fpQENBZh0#$Cy_|PzqtP!X26>94wYVlDzS<ML1?@EZLKD?7Tf<a_
z|6<QClJ*tMYIav^+$p^Sc~~h@0Unf@FR5qg@x0-i{d5hL>rmxR<8P|snD;jP2X(@m
zm*^7}oOoQt)0<~%J?cB*-!f6-@q9CRs36ax--vFrQ9=-Z0~l+ukx8gG;y6hBUDZw9
zwL*Q~hgtdhC}YpEb<eWrSQDv0erwT8_Ke?h9`wI@Q&o!BQjTyQo=89XSLW2L?DDcB
z4&9eT-2?gkcHN{Fy7aX0arEZjauVs@@Ejd;jGV}1PFx=C;)i!6`4CfDT{ZK{@SX5A
zIT6DBYl`=Vvnj_N;mvyY9_~9><9Q|j3|7KazhuRPc+#iJb|+r-loFSWyh&X4zzm{#
z+1;2~<Dz^!zJzaf<h|l>C3!vT>=?_BHb#DX^ZJVUs$*7Ump#vwsl%FO9Flk`@6em@
zZ#qupkxSX~GqYk6t$)azLDxrAi(wT?#yZB0=*jW(<MA{*ohY-J{N>4fGD8)qFZ5|N
z{z>1|k!EWm^Q*?yUbeNWE3wE|_EqIRuWm1Wiq%#fccoA1+)TckoTA37#n2Mwv;=vf
z^wd!@a(mkU|Bl<1{CQzq%+m(hVG}ze-yCWsNf~FAiDK5MQ%e3-D@qc{WA1vM5JeKM
zA+=cZ;QY}vZbj!VhNzoxYSvtHb@(!_TuFFraXI-SLv%G0BfOLv--LFv1q~{y_jCza
z-PTovIDAb;%x^i~#o?0~eu-8<#6Pa7WClpi$zMx63Rq7P|3!+re;el}UAMa-V*}N+
za&#2Z-T>9Q51Oef$wl>RSN=&1p1#v~QM(eSP~D}LL@zFqyG%;bqjAWoLwbtbvtB4+
zxuk^+oXWRJ_{nOkt}}^tCO)-Yj7`xvRfg8O^=sK>$?1W$<t3jVrO^|Z8Nawj5?;x8
zWZ7z64X!39vLfbKshNo5sYU8$8#_HwjTh2N@w_+uBqxetY|OpnX*sP&TA7tFZ8=;%
z%Z;?_yQKf_I%G{DM6cb|+7?nowW8{2$m)%_(i%GJsTQJMC||^huZ)~X^K5#Kkc7!z
zb*9Z_7cSQ4(_HK(VKb>DF1aRqh;uXRZ4x@xK<m>MF+V2nuOu-gx4EN0;v**VkJ+p0
zvU&Pcaz-?YQ8nL;=+ihEypxsT&HRv~;Vp9RI1as#_2iFOiQN>wpy_W2-$i4UaBI>#
zv?WqI;S}8oS{OdfI~U6(cKA#(I|(0;au=t$AgkRn99hiUZM(R%W<}yASM<LjvNtPN
zH}(e(Hv<#TJZ4kA?UV1Sv*s1ITTh<UGhafxb`y!2heNvWGUhJwn8nW-&d$|hx}zDV
zbDiefoCnt?W20UbOK%;|bE1B&H~C~{wi|u&?aY`hS=p8J*xT9Fc8z-<a%Y3~W!cS@
z)wXy?BYGyjGP=XFu|^@ejYiEXnWA6H2ouTms(zcRIAq<@QtV#EGO+3xK)CEvM1;-d
zlI(PnC$|&FbZ<`Y->QbFVKUs86+N$&@+{3Qk?w?)ph*?VzLQ+J{;`|XSuIz-I5h-M
z#(dE`cjze(>05GI028T|9`BHKw5Xh=KnBXmk5BorrlYl+^njkGH>vRDGu+<~KMX&J
zcdz~x{wsQZ_$EFgzhiAMhi^A&TDlTeZL}tO_HH=Ok5j0jT;kl^Fb+u{)tslp>%1#!
zsq~&sEvcv%<z`&S4yDpT*5A_mn)&qqd~P|Z<fNJHQ=?t=6kQ|bzoluZBH@&*Q6w3!
z`GQ|g8ltae+}iL(C*GKlFp@{=GpZ5R7Nb}-t-KR<6C<9q{2B?FZzPtLlqeNRIZiJ&
z)9ySqeI>lEYmSWI@|L+?Q9AkMbF7c26X972SEV)4$VF4h((P(UFDs>7t8(m?T(|sp
zaDAra?4{E>CCnfqH!o_DM0P}VLyYL8gh)48on>X2HXyguVpL~Muy2p@jN97SmeEbC
zW+l6%Wl{sRNVOH2$eEmHxy4dE?a~f@SLvteO4?fI@I<^`T*Hb<R-TfyDCvVz-soOT
zJu4vZUS#@Ix;B$ogv#TV_)6WVB(9q8BtY6kmy5$hwL`tmr&sZ%M-5VpjJqSVmd@_G
zq)grO2Fn_9u5X>=QjS|P`m{7%n0?Hbo`aUS0_|^+q=n>oRns)#i`=b(;!!5afripl
z^7W=DF0s<1S9agjdQ12|HZ_KvxQH*6+I3k0NFr1-;kzh*J4s9BN=9ps0_SU$+N7Vv
zSJ_-eE>wGTB)#RiNt+fXVU%~2voa?Lm|L^%1k#SQMkO}h{KL+enbwNfwc&1qKEHx-
z>fM^wBqHuko`-2K=qG*in&H=eX^zyBnmcG0FZ?8F)2y)nSu5X_p&r(&h9SFD%c+O8
z$ku<u3C*P7kxY=@l6F}XaV5EmB|Po0Q)OfYy{|;W%DK#SdNT6?a+}T5Niut6(pQBi
z^1L|^uB~f=X_;Kt2z3sp@<mUJ#x~`9@|#os+`Bp_zRQ4FQaIKKX`iTP=?T8v1ZXir
zX+FuFn(=ulT3mjyjL40(J9ludoXX1Z2-1QlAvg2M8C)xKG$6)m+F9QkiP{#v-zF_j
zIr+B->>|NMhDXwVH?k(H0;I03LP;gQ)>9@4sgFImG+lCD`=vSOY%V%Nv;rw#@`)sJ
zMMkqAhufjmgj4MzZc91cmnCl_8J;b<;BS$YYoSQL=vlRNxw#{h)P{UZXpb*yQS+2N
zs_k)NSrKVx(fy;e7iD>*tzTDfN**B3rp7Z|yg2e<UbQv}6T58C_uJ8|<NKwN?vRAa
zS2vn^tVzVNo=?J8HyI1%<a<1hSNE@r3-Keqhqr`7v~-b+^ro1zGPRn7uRZNdf6`Pn
zJyMR%C~lH=?I~6FRXGyptGaLELO&6%=Y*%oHEgwTbJdnhr;*d^wQZ0xnwsp(WT%Mk
zp*2^jv$!OIYG!T?Xq?@aR@D;SZ3j4J6}e5`z)QzZYrScgnl0%bo@mN4x6!$Gj_lcG
zJ7qs1OXCv>#8(1ye3S7g>xrWC)#VCbl2CAtnn?^adinBv&V_ch1`TBm=7SjzVoo4F
zwH95HQ)JO1xr_D?v)disn}zR!DDCiW#->%G`w;eSIpZUHldPyLBl2LRLz^TG?wMH#
zCYSU!sc9XP5=S}NQCJhtW&$O)WbBIjxsEH5AFDlCcS-n~O<I`$Fo9x;Ms8OUT2F7)
zuoDsYyJ!w1>ky<7Nf$YfW@HU1X#w^*MVj%|1~f(HTgg?u&m=yHiEctGs_fF!TiAtv
z;&r?ve)60oR$Wa^D=qIO7IHU7lBwJKXyQAde<VB!2dMm@#s8K(OGbL)uT|U}t;<kq
z&TVCQ3xCxZvhzzAc>_pJGDoXqZITr8n>;&esnt3D!Z*y%bKGjYNuD3?c2MG^)Z`{v
z$B0LaD3Qd!YLbMe&;Iwxn>g2!w@9kPHUFtAscrHSw@=1}Jmu)4Nr+wNHENM;+;yBN
zM5ZmHeB|V&N+P;Dx0mWJTPw)qA$cJ0igPjVO-mr|VhJ9N$J(=AM_zAF!q9J4(;L`L
z&1h{&dYCyio8?}MH6x9sr&b*`tKQd=P#wK$T0zRLt0bxLZgP~?OrlXKbB|w6@25|e
z^98205<>f^tS&GnsJ$|hNm|;Dq#w;q)<#dt_iXWrN5hyKl2bUitHjK0fhcU0UfnTw
z1u97cxtNyGlu=q0ibv&u^En0FO@-3?1G&5SQl2XM`RnL-i{Z6ZNK<L&SmTSOGaQ)V
zgDCgeG8~sK(e4JZW%Y1trWK<%Z^?1~-Fu=&BL*?$6q)SCOYTGhXN`-|Gh^HXE{<YG
ztxn2ob)1uNQ%{ps;gf35O?q8UE^=<FhDdrd<&L;RS|o=XiSE&gxaVG!J}F;);;{am
z)O@nWM=i+?hUyf#aqD&$pBhjOuUm{-LY1iBo}?AUtR?BM$17=>oYbqdf{gjpeJpEp
zLhi;*)NUEwHP&Y0@pm^8N(V*v+dvQ5PTtZ|FYTGOWcps(sg9Pa9GcOXGjfQ&BYP#A
zGP8?>6XDe*xewyqbXmbzDbgzHaZx&1(o6cF^!H@0DYJ*lWHci+<q~>nwLY2qq`h}1
z&t|01Uc2{4x9a(<TIbb6>@^qR^2T{mOL{NzhAYSuVlO!9sLL*3BF(5}k%ye#!WPNM
zYEOyB(X5dps;#(nRG!9bhvhQX=^5K9=V+^?oj%(YJx(|@wh15J7vIF^x02WqC+uF&
zlF-a{%Cl$7xU8?vRrD$TvjF-i9xX*H(bHR)ne$t#RD*dLH#x&qPK>PYYRDX(9=I5H
zDaX_FsJGemTd8*b6+ynrCgVHh>lyESXG%^eu3|acMW|Y2i}=^=l3b7$z3Ho6$QmgR
z`(S&XP7-%-_BC=;!APumBYz7tcR72%;u3Re4g6hmiD<?28G<Mj&x>j_YXzKEU5mUd
zht_H+`JRIA{PN_?Je+<a>49rw%vuTJ9hRl|Y=}901w6Dl`bHxtDL;+xBHaNV9MxZD
z1dVmT?y@h;)q;6QMP{T>H-X}`tuB^G8nu+5QM*Osu-KCkIg^8|1e-@XdzMSu8r2-}
zwFcA9IhNY|aspPniE5>qa}|e3lS|}DwrBRvkGN+>$Lvs5?b-Q-H{@GmYtvzL)J)%1
zx3plExCL5V#jB8~N3x)bN8a1)mRiF<8N{d0lq-`H%`y|}8^uo7Q*A93Yqg2ykxzca
zeF`mT_bzz6G9&G4ii>2G)9viGWu4FQqR<)rM(2$?={wsA8GR!rOFm^JymGCaHHuF(
zvRD5$+RVGSKwMn}(CfD4E2*)ApOM+X`HRNBN-a(zq@1vke*pNe_^OiR{p-2nad0`Q
z*GJQouQlxeW%qMEbt>lp<YdIZ`8>ehE33$3{c=<M1t@grLe+KU#DC^0$dU!}^{2J0
z36&7CF;c!lY}87L*r<&PPJ$LtL)alCH(@@8i;I+##YO%LJN><=%tO9Dn@Bc&FS3r~
zpUAZ2{1qkI%$>N19u=*qRA5VMExXP)X~a8zyAHdjA+(1hwet4g+7ivkXnMGmFD|2&
zw6=)iS5;mhk0R}TR}sI0Kk{>tM9;i~08ed07Zsf{+H?QP+McA8T)DeLkt=eqj=Yql
zQa6*by~@cqPW41zy2*^mIu^iz`7S~)h}@|O-RltzMfq0V&3`OwM9vo-xA2MN{5Ii*
z2SiJgJupdcEx)ahyw|IBTtgytbSBm4i}Jhm{+0B=y?DhVX$>jvbspB0hqwe<{+N3b
zxe)ca8glb>IagV2+Wp7Cck*q#X!SCAS4@)O|Jra(%9uWHDPEL5=Ao=IOHP`q@7mpI
z=d2WBojT^*r2nJwi_2HPC?}<%wUQH&G7DIV<|?kDqw)XqwLfJy=j?IaWv5C1%Qxoe
zI8Dwfaz^azh`X?Be}7C$n2a4VmPomvB~j#D8AwPiEz)5vVN_lqAF@UaX860T_nh6L
zbX@HztI<hB`Ycr$#y=?Xl!TkoA)}n_3Cc<#vjcgbMKpssQg+OFNm|(@N!$`MOA|_*
zcGILCYm}neZ?^Adf?2_%ccR5XS6mjUZ4nySv}ir8%5F^jRy6a61yR3a6kU+pa!I{Q
zO1rwU!)lFg;%(}!<mII(CZn629E>l<(5myk#H&UVj+4<NPw&W$k|~4MX!@BNDv^89
z7!YA@^jhvR`IkV|dwuSgG@~)NmgMT-r9I-)glCX8yDWV=QPxm1HIa7RElX~Bqp0-t
zq&KGXlE{v_B~I^_?{+5rprD$3iG6Z8gjJx-^InagBx_BE@0ry3OOp9=2v6zy9x27V
z!v0^Cm9Kp9zN%X|KRbm)+v9(?Xg4hv@>fmGmGW}B2C`%3*bDWp3o%#ITXK0nCm=F#
zL&ibg#8O_{rR2`UNo@23dX=8gdV-npa`}Iua0G-b%gEIvbUst{h|T$Y^17AebFDf)
z3b&+XPeu4rRsVcx<a5)!#kx1E+iN&!wvd!(K_^LgxMu>GaI+!I65(i0p54Jp_zFg|
zx!6QglJQ1X!Q=1q<a=5bH%cmB@nQa2sLxu4wB8a9#ATH{QD#BmJWjT)jN)OtJ4u0d
z$T_u<xK}q>50brH)h}w&R7BQg^*{JZWlQs_sp*<j^j$Av)b*lFS)p_JR@+h5o6=*y
z&c!7^Nt{B>OC28;r4z0tzWj5aUbJD%_gcnXjtWWWIzF;mu>A3p`lU9~Wvv#qRtI@=
zPJ3|$J-<lhYEl-yuqI`eD~ng99bZr9rXYG-n|k5xIY`#`%Az>6Av#T7IV0(+3{Zb<
z$F-4U(_HBOc2>GcPP3e<Tgj1}1eW<|4PRJ};$&(t%_TXB<#){qQtc-G=3BMZoGNw1
zH=3)sR7<I@4l%E4?Ix|nSfv_zl18SaiA%1Tzio2E)OJ@jesrIdu&QruDdqYppQ0b?
zrEd(TODL<V8*)QOcdSIDIW6L59k-(T5w1=9=8Ijk8@!a{q=uc3yeZ2!taI9;+7m=R
z3bm`|6FIc3qWef{CG?so)yA<+W_glIv~w<ZwO@VpD?-DFT`6aU(|cc}oORLPlKk(A
zhq7YTZ0#6%MR^Civx?PG->Y6?y5rZh=BVnk>vCl$&?fsPw#!qhT`^a6q~DZRKj~C0
zcs_@|ICdm%Q~BD3q$hJ3LFh3_6MlUxJEGJ9bzej{_It4JWV}{e6biTIaT{kxt7`9=
ze8D8v%zEkSyo73u?iiJ}J2~l2+G{nkx@GZl)!9-D4Yiw)j2H1Ub~E;WZE*NMeHE}O
zKs(Y>oD!;jNgGC2Y?HXz@e}V|n3;5vfJxmZ_g~#q?Px6}NlUca)08}^9)yI+l>^Zj
znMmc@Q;B_9J7pKR0*t>cQ6)v`HTnhkB(=0ISI68Y@iHb)QXM5zx7xF`S7t)}du^FI
zOUB9Ff4<Hb(rbRX;~|<EvPZ65ex+_@U$U{tDpnul%Nh~}Etgv2jm?P1#ckJDrVJ7`
zS6|W=X5Uj&iTVv~zPlG+Hj(c?%4y#k|79c7s*-wkE|964qbF+lRAUxyi*r>=X7r4&
zp6ANtPU2S8yZ4}v*Yx0+OQVrp%JL~aMbG#}D=OlTev|gEnoe$eRQ0XPy{x<NjI5T*
zw$~vAZRzUaRDvXDEus?zNuU(`nYRv;cGVR^krx%wN;(mdA>1=lND|?$ELq=9$J0Kq
zA^55#B}=!Q#Dk;w$|dH?Bzz_<b<gwd<fJFjQ_91?lS1YR8d+!kPcVyO_Fva4-AmKs
zu;%V{iLYE+<r&q}<?Aw!5q1$I`^dGf=v0rrXD(<HPf1K&UC>sLSsOV~nM2Fepq=m8
z(|C?PEjKoK$ZG#wzvwR0;`w}Qa-)Zpu^zLWQY@1&(&`D1$lN)9|D)a|w5+Jcnt+&5
z4rrAX`D110f!bRT-N&&se)M$eQ{FL;{uyPpgsRGW*(vSXt~?fVR%TCN*YWmth~)g#
z-cI*_A-&y{taUF^Buxv6P=hqio0QD0RIcXr{f|1*>qKH_ov*HvohqlZqjxxop*>go
z;VSNO#?3nSpXS7r{lFUJYLv6&3zw2FTwHbCg><S?hOApw$jexB+d!XZ9FYHL*EO>H
zV#$*A&CaYyu~o{IXg$?^>*9j6+MF9sOQYZW6!)4&%-lH9T_iyhAE~8;>(S~qu$Q<T
zmj&oJ({xps?|^duTspjb2~_I-QDox_)W*wv$9^$#S-u4-XUjLRo<j}Q^^&*8!?jUp
z*4Wol%TsWP)<cCu_=;%SU%o5#cpP>mWoBi*rYn)#;;(f@TK`{p-vM4l)pon5ok=5|
zB%~*l6jDwq2^~Z49YG)oAwVD`kc1LIN`L?&*iniCf(jM{L<OWtSBfY_q)Cw?0)kX4
zckOi&60G0%m*@HJy=R_G_UxJ2vuEag*Sp@e_euWpgE@f@?UNBhGL!HJwO+PTdF*&l
z|F?zm=Zb@D{@?h|54W|7eGm8Izu^1jj0$%g%xiHi83?o`e|c9AuEpK|-POO|+Jhr&
zJShF!7l*%tk;%6yKX|&qEO5<x{QY|b-h!cC#(NCLNQ|5V8frU7_5oY^zlJyudJMb3
z$4Rv0??0@{u%P@sO0>6q<h;wupNF@w2UlPn?$9<zw=6rZeA54GWgx{Cc~4~Mv`f6J
zpMW7i7u3obY-Fx->#si#-pyYhQntr-wTBM_YJt)H-REC#zj7;hi(unGt~+I%{GmJf
zD~$))%a+Qm*vht}(c*zW?)!ZWp5EHu*Hvs+<k%IZioO4CNj{l>@}GzMTz<3-7v-8i
z55?qi@BUYMgRFr1Q~5iD^*lg%+k310_OSOZ`}|+mtYkhV$AN#s`X1(d(suBk@BMRc
z8G~d@`7eKP#Rs}lMI#l@OZKax{@*FFZ&$!f!8hS`7w}E@FHl0v$6xbi4lKXhR$((Z
z0<$`Bz3o`!$o2)ySKY)`z~}IE<oa)7b6MXWFk9wz*KN@c*Oz}+ayr__H$~CTA(ZeP
zCDh7M5!t_rcYGGC49EQa$94qUI{f!X{(kQRy8<d#>??cg|AO^boFkt~<*onSvaPoj
zjFDE4zX>P*AG2+wAN{FxN5AjQ|3qIauKxSh|2y00zZ^%Fvoho?R)<RYL-~JuX7lAp
zW4jj4`JK<pcZeqd3xr+a|2zLvpDK<hw+VR$TluLBgRZdV7q0)YJ$ckWeICR|>5G?b
zN7EM=OQ1gdPwP2*|JWm&5B{Ov#)D*aMd=R*{e1=Q1epfB`+z*IvKM2|U;J%CyhnL-
z#WgER5_Ps$yrsXoHgJ2pZC{0r<4hZlW1b_*e9|`i`RDfj>N==bJ@!l1pW=}6if|N9
zqeik*`Hh>7Xx&c!u=F=g{C~E~A3R-VTzG0_AC&NJ@Xc8Hmp$-vtbE7+m%ruH2?yfg
zznZ~EHsBe^l6*eln5lLLKLcQ2hu~FP@N)oj=howI^Ip3D3G(xoamH!X-Nq4nF~_Z<
zem!a`wrt<vm1mwqZhr!2t-t@`{mGbbEi)4tZ%^a@B$oZB#Q&_ffF8=3VUokhd*%0<
zr60>$eiM0}t-sj5Vw?M4_TQ*3VLz}B_eU(kJ~9kEIo6k*^<ayfm4Ef$h8utW6v&Ds
zlaaHZr79v(P4dUn%yMLQa|Or9?Z5fY3xD4B|82GZjvn-%ac_7lcu%q~WwGH4yhX%e
z+egL)aw=P_kZ+ZLtGPVekyb~0lJz*YVv8lo9BpS}#$fq=+fkL**k{vN%SNGS%eET%
ze?|DQ9f9`bygF%Vn4O2;^2fIRLY6AG`rj+tG9946A=^FJG7@AaTd<8E+ei8jy@Y>v
z9k!3Z?8oix<wwZhW%cFHhexqq=7qL1<^B9c@6iXDcVI8>P<ol|$yA!9!2i`DeNHNz
zWzVbP`Z%7mfq2C$=plb9_W$2h`s3aGC-xrCdoMVeMC7;egZ!?nbhMn4VY|#iY#s!b
z^xz%wJ;}eTX=|ZUJ!&d#mEAcqMSN`QvZ{xF+3bo|dBL`)%-?U>zCSMOXkA1BZe7AU
z1&b(~!zC;E;ho64k$*u?{#TnCSmW>N*?J}|4RgID-<5l%GIR&Czt_Nm4`6FzStD|e
zdHM5MRIUWyUj)_i3qBR6^5f+1@;6>SgS>2?6a5ml{&4-nTb0}Sr*h@zV>=cexwrCJ
zWl!xvPF}IEB2TYWw;O!o2%g6Jin{U=o`~H016aqA`vvm(l)Zs_c$RqfM3t5DXnZ?C
zx1A-wr+}xnw7iY--w&QoS>E)Z9@}zXc|KLv%I}UUKl<-}m&FB{N20xo58myT@-2Cc
z?YQ!qfBp^bCOzaq8xNmhtA{O3!7&npPe0hN2&)-nhM1vd4YQ^hW=5E`&1f^mj58C=
zB(sj0YSuFwnvKmz%rvv9+05)>_BXT59CL`7Yv!5x<}kCsEHX!$qs=kqICH!?(JV2i
zn5E`)bB6hZIn#X7oFx=78Ei8^1cG@6ix8;k)iFo5rl=*tz)d4Wq^OO*N)e6!z!nQ1
ziNk+cOTgUAB&CYttVAizlom>XQm7OuW0b|ptIB%iBV~iKN!hGyRdy&lm0iki<rC#o
zWskB~*{AGRK2ttd4k|~LQ_9!MY2}P^Ryn79qnuYRDwmXRmCMRC<%aTua#Ojb+*a-=
zca?j}kIGNV&uUdQM6InxsYz;v+Fu=@4pQ^fVQQf|O3T!;w6ofI?V@%`yP{pwZfQSi
zzi7YeimvIpZs-oWuO6w_)>Dmz#v)^hvDA3Yc*9s`ylK2;ykop;tTI-c&ZdtUh$j(b
z2AkE*T4uNzX-1i`rqzr$6U}5Z#jI=AHyfEv%mL<LbErAoEHp=$qs(G+togV(!JK4H
zHm91?(83_0;=eTM!azoA0;}wyM>t{}pb9vw3ugbiVMdq-kf17NuzF)oST)Qm^%HGG
zTQL~#;T^F;yer-p$HfV8Tij6&C?}OGs;Rnb)3uq}EN!;-toFP%Pg|(Hsx8sp(3Wd&
zYHw*<v;*4b+SmHW`c{3LzFps;@6>ncyY)}>PxU?eUVWdwU;j)$pntA^p&!%_>4)_r
z`j`4q{VV;LeqFy|xESF^XX8<0m@&yHF%}qWjLpW!##UpyvD5er_oSFDxt32zHM^SK
z@Vg4`QQk$Mv<qAn?c)4Z#u_|FRTyS-vxN|5YqK-Xc+~7G9L)?fOSqc@&4IXc751d!
zSqMCfBs`UOu_WN0Pr$NnV@ZN-Ig4c2Rtr%FwpAojU|X+>RM^*gQ5W{LMbuNaE4xKQ
z*w$W=ChbZzhh-fStzcb8MH@W1uSHu})_KtZ)^%BQRIVsjL|53>J<$!%)D(}ws;Y|K
zu&fZ#2euU@`og}FL^^CNLr6R8FEU|k14KV{lsZae;RzoQ{qYo!i6T6)&f;<0^Dr?U
zPpw2ukoF}e!opq?CDOvgRB2;k8m#OcF$0$Nu6ROPo0y3wyhhBzGyYi2HUsg*p5pUO
z=eiZvCZ35GJkN^vc9@o_nB7tD2v3#&=?Z)BY&OBecB@s(_V>X4DtM|ESRBq)j;bd5
zy8~8$Hqci^XuuF42TD)j3f>|CPj-YdQW>R;R*KP@^jPVgC*||P(|X{6Y7@1o+EVSP
zc2Ya5UDa-CAGNQVtqxU3sH4^O>PPAZb)&jT-K=g=Kh_*HN6ksAqB(2sS_Z84Nm}b`
z+Pm6D?PG1LwoTiw9n?;1XS562&+ydyy0h-5`|E*vs2)yFjnbp_HhNpVo!(yWpm)?e
z>7Dg1dRIMD@26+!{q<~pfId(kr03{^^-_Jh{-QotpRd2Hzpby(SL&bRooqBV!G^aO
z+l<eRFO0*+*T(n8b>oI{)3{^YGk!9Dw%A)7ERGf@OBIW=#l_-kakIEv0xYjv-momQ
zyeXeFtmuk1L>sS7&?ah=v=VKyHbt9?J&Il*YeRcMo1=ZNT{nKgmM@-J+0#<<;f;rQ
zADz+1vHIisv*_DG;~uW)imP~8ye-u%zLo&It6=;D!V7|dxdEb<;v+&7f2FSCDJ@?~
zP+BSNl|-eZ(gk(hl(kAj;_It?S4)Yn%Ym=EmA8PddzH6|uJ7Ot9#K{TVb3UQh^}ju
z3wWdJ@lL-3HeUtCZUV~QP__VNZz&%WVYjOIDBD#-O;mQMb<{e_ZCKB4<&OTT;jjE=
zL>e(_C&OyYRl6JWjaSqy<_qQv>UL>wY9lod(%3MqpRj8Ewf;(VEl<l+YQP^pQfgYh
zwOm#n!Ervou-QUr&uGsJQ+rW+PdIAtYwJX~wn5u2qP1PxZjr3*(e{WGSjcB0Rr^9a
zDC%j4wIiZ|_LX)?G}6A)u89uX4c$?6(Oq>9k*9m<fucYU(L=>py{2AMJPsR*5aabI
zJyuNA6ZCpwim|~s2X8xX+!gQ3cQ1AuzgkT3Df;B7kI=_JoEoQ(6Bd2EK1-PT)A}>Q
z8#eW#s0O>5D|}&F^M#-OhW@tjhlQ;Wp|G-*qPl5kI>HxK;Xq_jU@b$0JuGHCtYd;U
zL8!2tiNXQaGfCLNf=Y1TleNi0hb2uB7Hul*NyGUyfTePg-w)B@yRKNfW6@z7!8jrW
zi-Ncuien?OXo$yASjS>95Rv2H^YK_rpl2f5=p?$~++0zF^#Vi_UGY$&g{H(PNkUaJ
zl`$wkp*$@NWtsApFkv_E2|IZIcGT}wc4EC>Ie_)&z*IX#=L;yqUW6fSL@2Nk3)ZIU
zAsm39i9%Bwstw^6U+G^7d*eytIbm-;Z@z#&tFUcV=xRT;pHS6YH5bPgs0FAQp^o5w
z9bPm?DDb53g{EEC@E076U*J<JmYRs`XN9wNPCJJqE@<cnqWncXxf|LIJjGkuEtKzS
zcd@>w-NV!UQTq{3`X}ut)cmUbDpdJc@lFlh5DvOUH}RGobO)>*VM8vkAv|l{TlW@r
zdNsY8um@N0#a=(%PZ+c(Q;&c>S)@OsCR#__f>k97XFW+zLVb#!igjJsnVqrU*e{%n
zgT_JOXdE$)pnS@}-*GZ78JDoWYFrgnjN8U-lz)a5I^qti0X1$5Z!jHv3k7WFE^6)}
zKIv+{nh*atpdEk}9nucr=|<|2qAGYyZQ%tx>@3`YE`x*{5N0fT@VNfCa01dii~D?8
ze_43y3-yJ<0NULX8j#09*aLlBg$ED_bJBrAUZM(+$XmDqjj9P}Ad;_e0R{%Zj#Q-q
z-#~9XK3xo@We!D;9br?_K8Mmihk^lkiauZgRYhIID=$$GQN>#{0I%^8jlgZHiFEKA
zU(o~{$4_J+dijIrNUP4JRS%(6*MSGr5QX5JHSs^lq=o0w!gIkltzslCygn_wAy`6!
z=u10q4Cas|ibXQmQ*Y4$OEN8gsOX6$nf5<ajK-28reZ0gFANnM#WwVL2mHUT*dxxM
z&u7JX^!9?dihf=bKcJsCu_Tj;j1cz}S236#luHk)qtsKHi$bNP(h__`dQ-0QjPiyU
zNpEUMZ)yzWT`P)#wi|HFMr9+8-=u89G1AL&>1Da#!~3vT`dTi1tuc`MAdUey#`=tM
z279IV<tpDR*HH#qqaJ)%6w?!j&=ZHy2XpCzLx9DNL>KiD^%2n>F}o=^PII-n$WdFV
ztx(@qZ7X`I?bLRt>8N%TJrU76i9|&8&LRnsy(^dz7V)UsL+v375as)#K10m_50XCI
zPaUid7Cq?6SzzFKqQ5#^9gem1>TI=0EkarPc2_W_(I}5q$6`HB9fuYssgqEiqE5kj
zn))=_e@1;4y#i~%RracTQQoH>Lj6VcrpVO1wLsBdi__|1U0-W~nyy+p%9&a}tfy<!
zMO(0oCxs_?@odovk>wdt3y}rL4URld4ANfKUdH+r?G+IZ7P3$TYKyc*!b@AMEk+z!
zqAd|_+Uwfu*t=X?j&tAA-V)Wd71|2atkhQG+*R5t(GGFyeKB17K>GkKuhrIK??!DS
zTHCB`79GLAx8TT+wT}`1wj-8xLM+>b)?_S;*FHlm8-!T)1+I7y5zS3If{4}$5$!AV
z|CIJM_JR$eHHmfuh<47}H`;mOOU!d8<_$!4b4i3D0)8iI$UFyoB?@|LKWH~mmRLAY
zyRF?uSt8;<BBDPLF@cCU5Nzvb(H@NJ7aSwe(M9`ByN~!LG14FTl8UmXYd{%%P?o3}
zLew0n+w1nIk=Qv<chakfVY-X%BI1ak-nyIahP@t$$i9fkURX;^P0)RGACx7s1`$~Y
z5?N!x_WV&Fh}a#5*c~Ejfcu4_Mn-UdMDTEwCGHL+?#3dTM~U`CUl%<Vkv)tUJb)NH
zP_Luc!SND_2NH=B5Y<Nl%Zv45tYvI>Ky05Ns^}B-iHP}=^hv<V61@cF$@*lJr|460
zWT{>%M(fk`X(9rwayrU0^cg5W0bVeQykL~ROkal9-qhd1dW*hA6oMsv40PV6Z$o6*
zrSHP}Q~gsB4c7e`%Af0>V|`FRC^TeVhY)QJ>xU6Zj_5~#+F$BlB03$_k*_d%+94x5
zCSvsC`gOE<NB>EvhMQ3h>qsL~L>o<vUMTl7a)f3KHU^7)V~8;f5p%dP4Ol<jm?=!g
zUpwP@<0TOT2DVUiM#j5Tv^HKhUKe@Ba$`AaWJZ#QTx6AKX{<I@i&o4?S{Q4MwJ5JM
z*5Q~9#s(1yCcRnsfk|%>9?Vz#kQZ(h;b7L=L`|6?V(%_vm+&!m8=s*3sqv|ZGWHmI
zQQl|lLs>?}0OK=clFf|+#sN_qocwc<244OJj*-#Q)i`7vMp?$p0OL#JD9T?MU!nbD
z#xazS8^=Ycal$x>vW%z!;PYRjeA+mT_Rkn+#3RO8a6CV7yz`=&alyEN{#-OJqDIEv
z0OMQZGRof>-=Pmzj4LS1XdG-@Gp?b9?~U(8Q{)HNQU8PS1McpoaT8a+W!yrIjMxFl
z8}6Wd7aTGQ9P%ghU&e4(aFt(C|C{j}&bn{h7m*glq6j~WX3?<LEry7)Sim-$g9m>r
zx`Q*?As4nc9fXtV2>$3urZhyTVl#f^qG6FPsUr>>SinB8IAF^ZRTzmqpeooS+B#tI
zVN~{o!r+7qq6(H!Dh*zY(-FwA-JsvNV~Ien?IB_qv*Q@ElPbmRhK$)w7_*x)X18F>
zZjDw0pacbCF%Y+d(F4gx9T~aZkhjRC78XAo6^8v%GpddlUK?AIr=}v;kH+s9ERwOt
zB7)1fo?0ocH)33WgmJwY<9bWRbrrfud)#FQ(Gkx>@>)}LM|6)6y~GgIOOERyMu<_k
z6B+3}!3U<`PGr3I6{TW2`aT0osCWWPkeG=v`%v+Wn2+NZKy8VD-m(Jiyern=4&KKS
zAwCcr&{N40;>30=uH*_y;0njV6;6OLq>wQ*A!BGk#?YFKAwt~35-*h-v~w4W4|ELt
z-&(~@aTj6W5Z>V2K8lYBM3xtgddbM$lw_r@s7|dT6&YV!;it4y+KFJ~e(iB2vOko&
zDH%8>Qz<|@g-RjLEmDd_4XAEoP%~DUB%+iOWx9w}W+*d+Gx>c2c*$b$hF8H(lF3dQ
zk)1RnJ84NRB@BAqM`&5H6FaDOAEULc%2xDqhq41@nGdAO91~^am{@<NAUA_DbpXf6
z451lWOR926IgECWC`YhYGMH4U@1f?Lat`Hhly7kE1+bYg<f0c*gKQLizN%bB`I>SK
zJ(oE~0$ENNSx!r`97nR81m+vws;BBHyvTS`WtJ)e%kX!rz7+^7QP=_nY`X}D^05P$
zzEj@`e3!WF4n=G?Vw*(gYS6{@AkysB_aeeUA49#w>u{)K2Sg-MI~+RC7r=3e-Bx0E
zBC)$JvAY4WyD_mljo96s*xjlOyKm?>arImJZS+dwxJCb22S(`k4Oiqy64TucU&CKi
zC9+pDY8%nQ--t0{L<q9%B&?H-#@O4$=m=!#WOTw=osAwqrAHA1!i~p_OvD2j39O6+
zE{p_;hy;^FUFcEML>)uMgT{u;$C@)9v@+%zb8+r`V*%DL8?T6}GK+`Ls$wm%ry6m`
zpD5!`WQit@_!B|=i5)S-4wcvuM82;PJ9J`4EV08NcGM!@hqdDhaYPMYqK1`xzbW~C
z3h|-=S$`Zbqc*Y!i5hW4jRr)G0HOx8a4dmDjbLU2Aw-Q(qDBp(Mlw;O8d2jB;)Opk
z!k>r`4WEA>eUiQ%L$6ku0R+*Xb^5bGf38K=?*qSe6OGCJ<LIka=rDCrBQt=e^w<W>
z15%W>@Y@FP(sZn4P7p_*Y(Sq3pf@Va5(4RmA@su<^uuI&U<2j~Da;j`(i;QejhoS$
z%oyV6hjCETccDh+4JphU;^=`j=z)Rsy#`c2n?sK}i6f;S2Eq?dqkIP5m?HIdlx0>C
z2M@fAvQ$MI&;tXQXQa>%75ZTy^V3GmPowCQ$@EEI`lK&?vOc{rj`@eLmaS!rX5?S)
z`Y3%g@>9ve-1RZgS?WH}Sth^}Bo_-K7c+Iq#lpzNOmZ=Ia<K$*u{z{p3FKmR$i?Ex
z#p0Rmdgw3dFNsuro<0xj1^NQ4W&T@_`EP{2SYM3X{tf*NTwQWEi@sc6j<RHM7X2Ol
z9UT9z{w~(5^i^1|)z`xR*Xip-ZSuRO#20%g>sv({@x>4LvJ+*ADSpJ1G-8SaFl9gL
zC64$JN79HRe#DV9;)o-0#ECdkg*f6&9C0CzR40zO5=UwhN9=WpBTe+%z>zfKh#zp|
zSCl1=q!CB_h$Csl5eMK%BI+e}q>(N95h>D$6pq9QC$hyVL<bk5gDcUYrZLZ$hqD#{
z7t$<MEmegl^#Q3?RufgJ4|q`@NU{W3f<&Sv#1bMJlF@{b(U@d3VPrJEz>{IjMpd=3
z+8EkV6SawOXJ+cCrm1PdnfYmo+DvUGYBNi%uC`EHpxjbz35=H+tE#qE+n`3~tx3#V
ztE=tR_NeKgb`ZhLVZ)ij#xRGCSG%ZPgg-M`J7%(hYIn7}@MS)$s*kFV;<`Q6$IwD=
zwYR7)m245OrmN5?)J!!K`jpIbUDYf#OW1P+zzIrswn*kUfQvd%9VlWk`ZP#*s5xqm
z@MK2ptqxI#phhZOKG4O7iUelIAsC|?CPJ7a*J6$wg)yr_VP&Qq!c5tsj#NjYMvgFq
zKu;enYO2L*F?upa9fNDh3_3)8T!p@)j#tME7j=R<5!aI0bckA_PR6-1rw&o4s#8&4
zs+OW=8Zv8DeNLT+`<<_@#Qm;P*W!NHsq66E)+6JNSGTHraMyd)3pneR`ZL=9MYA9)
zG&L{bf$STjfm(<L)MXAHqP5hzV6V)<L!j(uAn(r9GEwfQ^%D_N`9)?5<rkTP%sUi}
zwk<+#ve;NG+>BR^SA_${MwUPWlle#;jKaN!{6c0Wp%^WB1LbALGDJL?p(q?Vi8S6e
z-WG|>Rzi&x#tIxGM^S=|mBvaD#{4Ck`AeMfp79=dxExn8jrWcB!Pq}AkgXdZ8Xw{;
znb*W2ulWf4T=H;7%Vo=DL@HH0OB?m1UDl#S2GACLX@8!yya-yJZzXGUptbp_(%QUf
zZ8d3aKD0J3T3b`9Cw^*%njs=pX<N0+bWmwqQM9dS+E#tqRt#+`j<%)Iwqj^oVYIC#
zv@M;sRgbo1rAAm?l@?Zm7G|Y|8MLr?T9}m<rqIITsmNGiTZm4yDl2uFNZM93Z7T-0
zH36145f+w03$xO~;%Q-4T38A#ES?HZQz|%~RB-&L;CNEOX{w%5Pr-+!juT1Sil%MF
zz_#q5;@WHWQ28A+2b3LQZ7I}xtXdFkt_E!`o;GKt?h{GNi=pLNX?Zc!fUH`UmL;0d
z@)|Jm#M1sW#-A#TKTeE4RTzH~8Giz)1q3tx1Tp?NGyViI{x~!KRAKx{V*E*F{7GW`
zNoM>>VEjp7{BdFYY0UW3nDM7E<4-fjpHRl15XPTG#-BjOpG3x=K*pcOj6aPTe;PCX
z)TRGe;6GsR^qhwDoK$*_KRqXvo>PtEjH&b)3w<V)KJy5DrW$+(k&WJxMsKmFw>Z*U
zOnOUIdW#*sr4hX)mEPh=6~JPwH`b$tkKj3t7!zC>6Fe9b+!zz&xLJUx!)Rd3a%<7M
zycijR7#W-y8G_(%?@+f>wHewI7~z?z%>>d&4bO_v?O9OQq>>jxB`+0Y-Oq_gjCVhe
znisXXC`(nZhBjZDkMaU-fv7@-&y@;aG!?#NDtwMq_`EPm{wi8tqAkVouW7HLEY-d+
zjGO~+v}M{dlre^mHl^|xslBbegFZ<8&w}yFchNVg0=iNKwAWT+%qo&vU?8->4{@&4
z0u!`#7{v;~C>Hb*>VnDICT$bSQXQ;Eb+882L4P^=i8iH17($IORojhGuMjGQAsF@A
zj~+_B(3N_j7xh9bM!*iEHK`hgP&HJwW7=`_^MrN+JwK_P#9pZ*)}W4<Oa)Pcg7}T7
zgLx6>p*YI1lNjoV-qaC;s3X>aj(8R0Z`YtE20=}{iL%rYL#ZQ%Yj-q!w~}h2Gu6b}
zR1*`aCWcZ?^rV^?12qx3jdmYuVvH0nL`|rP3OJq$O|hn&hk-FOsV0U~P4w37bc}RS
zQ*@)I=*;mL6KbLxj(6AHp)5)@F^FnnIMu{Ns)^xL6KhgU45gar3pFtSJX5NPK~xj#
zP)!V?nixbiF@|cQGj&8y>WDEq7F<QDi9vdzo`f;KWIY-Elxku))x=P$iHTIg6a!<*
zA_b$$n~}L~fgTo1J<NxCSTOal6zE|)L<D9{?1Z+o3wl@t^|0#D!}g%O*Vv1(AE}DD
zP!)@!Dwaf5%z>&{RjOjKP{j`6_`}9wTt%v4wV;Z9iJGI(#%e(uJ0_}A6^o!M=0jD?
zpep80Rm_E|m>pHI2&!TMP{l6dT&ah}Ll65FJ-iH6EP|?75>>GXs$zAiidCm7<|jwZ
zalcX(3#KZT0#)ob%2E%Dr5@%&J*+DAuvp_)=wT7m!-A=YDG;v|;bT!Ps;Ev?EP|?7
zb*f@=JW|dVQ88~u8cr-T&sb)jgPD28GV_dO&Kb{~Gm$xG9cG(D5W{_;%E-|r+lW#$
zbIW1O80E-l9P&arDq5GB;UMOOvCIi$nG+6XP8iE<FrL|9BJ;p{%mZ_o=?!E47RQ{e
zE;F=Y%)9C`Q;K6o6wQn%ni)|JbD?NPq)g(SAMkFb$S2YT5$W=YbRCFv?d7Z<?3E)I
zHMEz2booTO2q4`8l;tQ!1Tjt{#<eBJg%aah6XWtZmJy&W1;*tQ<1}F0GL+@GMtjT>
zdJ|=daqWn4`NTMl7?)3siy+2zCC23w<Jxe%qlWe&kS?D{rxEG$iFElyy0%2Rd?H<K
zB3%TLP65(w#aR;RIuPmF6Y27abQ+N^pGX(MG0slJyVk_J0E~AY#<>#jIuP&tfOp44
zo^~9lmruOQC*DO6@7i+Q#FwboisL5f#JfP^T~Fd&n)a>st!PTri{j`>I!8~cbMz#g
zsMnLImrm5{OVsO0)KiIikwm?oM7^3sy>yPD_;U;;ov5dB3?-doC?Om}Nhj((Le%R?
z)N4l6ODF2}B<cloJY@jKQ<`%;r8>t`(usr3h=b|G!F1waByljEIH(f`dlCo3II5Da
z2LKKG5Dn9ahEYVrbfTe3G)yNN_T<<~7%{OXG0~rBn8vXcUyiNxBqlyaOiU*x_9P}o
zl3{s}VY!oGd5~fCBf~Ptuo{wKH6X*XkYP0-!?KWJd5~dsA;aoOhSh}(t0Ng!XELnL
zWLQ<nu)33Bbtl8>PKMQs466|tmPv-yj||Ho!|F$dWsqTYC&TJahSi-6t1&bDCd}}M
zF~iT&rFIy@tUd;FralqFnbr4aJ|DwOKBkfun9UqMfjN9KbNCeI@Ttt+>oa@LV#XfB
zEIq~uG$O=sX6gNzna7l=cX9+Ln>l#`bMh2s<MkPJ>=1P}iwwpa2gaKW#+z=8H!V5-
zlELwpDja{wV7v+E_)7*OO*kWsD<e${Mj9tZnp%uB861DH=lDwoBaJJ^UotrU(vssZ
z8H_ZKGSXx)(zr6xWH8c%GtxLR(qu5wxN!WX3ddhE7;juT{*u8+(}IyEgOSFKktUpx
z#+l<U8H_aD7-?E^{3V0qFRqL?8H_jKoYUaRs8fqk$DX4w8H_sJ7<KIAkck+|v6u`-
zoeV~ua7LXLWU_J|mbZYm0d>QhOxA}?wg=UX-sH0b$zdCi!&=B;8&KVlvlo5n11fz$
zp%19^0i8Zz(gz&q19tQQd-{MKeZZbRpwb5n`hbN#V9*CF^Z|`NpwY5*SoU&Z!lvH@
zZ+Z*bmC2sjv1j(|nH^$jGse=%jGvBFYkU1k<n)1FTbJ>(H{+)p<7XeLwIx(*p+aMs
zLbY}(by^4Nw6m$x#z3X5EoM`vjiF9En>uYNqpqAIETgWRk(5G(_Ay4_dQ@niVjP}K
zg?17nup{-@UJpfJIU}Pk<FFg!a3AWiCDdbGsmI1pkDW?A)|E=^Y$~x1RAOgSiJeU)
zHik;<Y$~y(jO12ouqlk^^{Bx<MGbZ~HCPAguCuAT#!z>Sq3$}Hx~l_q*BHkCdQ@Cz
zQ)`_~m31~%RtKuAv#GMiP-UG>m31~%)>5jh4&)A2>Z^UJtUg5^F@-#03N_Uj@`x!^
zC`M7C=thO2C$))D)FvLKD$#=)SZ%5jE>tCIQk9T%HM@ygR3*Aol^6*Ptd|%-^{YSB
zuRdY|bqW`1U|Ccvs#C2PO|>F}N?0+~im_BHCQ_Biq#n_aN<<iyh@n&>##4z1qY@E8
z4I+#hL>H<LVbmSMs5?}r?l6`rLm2giFlq`TsVR(tb~Ok6oUguu^=s-ftXHXPFmpsI
zSOcJ7Z9vcE%n=vpSUW@()rV13A4aN2)Gu+2)F8U6U#q9FS1J+JsYHyW)(}RmVLVla
zFscmIsV{_4SqLL*D<WUh$kgn~)H;%*Ig^V8k&Bt+V&3FpZOFpB$iITfygHI|wI|yO
zBExD)Ze=02awe+^B9k)7p+d=?e94>a$(uToF$Iw&4IxWvLzd)4eq>L6R78F>o%!Gl
zaw3zQsE}-E7TJ(OHsnV()QLQ(19{La@}Mf@L9@t%{K$i5kpcOU0R@l&1(N~!kpZ<P
z1DZt!<VglJiwr1$3}_Y^P%AQ^S!6)%$bkIFfSkyHW|0B;kpYb$_c6$Qs*wB4BKL73
z_nAfRGmG3OnA~R;xsM&W4`%9NuAUFM&n$AEndCm5$bCAH`^+Nu2_W~GMegHA?&Cx5
z)0*7Jlia5hxlbXvj~`jjEV3RyvYuefNp1`6UCzF1j=9MF#3P)8*9`NJ2ScTovreWl
z5=`T)yeBv-?@302MwQr5!%A$ZAtS*wvKV(Vk!UiJSTd1Va**NVAhF~ivE(2*97l-z
z0|!YZ2Pxn<LVYrk!DJ%QWFoO-BC+Hk!^uHn$w6{BE)Z9VgQRj?pgx(%V5(6ys6&mR
z0yT)*Q#e(p8q}KxQf~^U(v(f5DUwQ46qTmOsWc6v#x#!VQWVvt8q}4>k?DAl<EUge
zoylVS$zS}*UjoTr+LFKM<S%(-E>+1{0?A4O$w&OjN7Bhe^2t5|$vfJTafFa@_>*x|
zBiHCmei2A!;ZJ6fOJ<QrW>J-#qBA*#2N{Gv8AMyosBDVa<5fgs%pZ3VEvPGZqw-~&
z<zZtD4J)yRDMAsp@2}~YqoL;X&(1H%ADSohrp?=S6~0-;1-Zg^U_myr+T6^dJj7;@
z7<?2&bvw-OQ0~j`0N6eXO0tZfYVx<It=i{DYl+Woi+yBi%hJ156jNPP;&TC2XH`Xs
zbF|u9jM~nc>T3vVrp2MQ1u9KR9aYg6b+LA`Mpdfue>HHTKmNt6Tsnw;qEO@`Y0k!U
zi)_(QF4mArjp?4fe>gqp`Ca?_zPSCl-xhqE(51u1=&(g49xJRR+BN+2Sfr_ns=AJU
z?z^AI?QGxka+`Uh4q1MwXRY#}tBQe6O`6G0YTa~;huW)2Tve-w1sirAPCc><i?R#y
zg3~gGWyg71-DS1u;n;LULBGtrkvX}!*>Nst4Ydv)mac;`M-^qq1z0f;r<?BR;c2S~
zPRlMR${CQ8m06UNpBEQo4UoGv53jP_U2}%wDw#uv<>U<vPHSQf^sW*Y9~U1VXXU4t
zca?Z+TzrBxJ|QVJDYciiZ>7$5>r#F>2M^CK#X~dmin6nU)A9?3<rmm4XSK%IE*JJ-
zx4d9*m+~ui$u1a~la*bFO9w{>w}`ivD4~@fkYWg}L~#+QcTh_dMXY-Jy;fb@yy)-l
zaI|LeGod{q^G~d;wLPtH$kxp<9ee%kxpn01G^J+Rn#E_E-MaMQ*lk67L%&?}yio79
zySjPJhfQk?*_Ym|-sesCr@0q;m(0vrQ+v<cz_$zhYPB04v?}i8&z&;WF0a3NyH%7i
zy4h>7GxlGcd-1m?&-Q54VCS<ZTHhO+@J+G9&(}vxZ?fS24z1JNH^0nX_*~Ak?1;%z
zw`O>5-~CBF&tqFAT@R{Kbn4mAw?4i5bJ4i43wK-lO?YG5E72>SxcvHsH^aOh&%FE6
zaJLO-J1%Z>zRyqRo!^LB_-1zS!J~67?H>19`<6}bS3BF(eAe;HK~pC789cgwvwa!O
z$9MhMW89A78=rhUT-D$MOD6qfophJ4GQb(3!ZUr|?Y!Q5_ZH1Nbn@}<8y&yWc4Ev)
zYrMq{)@~T4qUg1(HLRiK+g7F2Yfw?qu)49a`B{a-Vv1-wF<JRTX=4E%igI7Kvs&;=
z#SDZ-c!dE$dWtpKnz$%_k+n3Y?BuM1+)C%h+AONFL8Uc`!7;SwfSS6K)uFrxnw`~I
zw(26Uq{B}v)^NG)riWOAmcoYPs#(2lmg6cLq`gGPTN6{F<0_j6{70KKNoe--pDO--
zLQm_P-w%5Kr*rlJA9X0P^r@5ndgp~+vo8BTYu_~Q_R#Mh9cR7tW6rGVg^up|EtaoH
zb-Ne2YW_;!ZL`1YIY+#+->Kc|197k0^^P3#%h@pjJ=!kI_W8EBale{#@^<a2Gk9`{
z-RvfpPkz;-QNXBH(;~ereP2%*9O}NLQ?<$CKd_eQOW^S{%RJusvs)><f7_gtrym{s
zlAmwK-}U%^-G^*GY>i8K$cN)o%YC@tzvaV;FeE}o?SJy&E;$49vJ0diC;p=!znbNk
z+H~zl)!%5^>Lcg-i?3%oba`&&OUK`da%sII?|y0hF5O(J?$;aD{&o4BIbUtcEOvbC
zleVQJ&!0|f6Z*ont+mrWUU+oSn%RvzT$`G*&TU8aANoIfy=r`Z`yPu|Okb*g85y{*
z&6$%~hrMUSKen>(++NFG4)5sfeQnP1%zDi_1$^e--SOELzr3~L&VU9j-X2zP@!5;%
z`&`#;pWOfXY8z`#Jag%b(AN&ESH~<K_1t6G+pc*RZD>*&dBU#klg~c+O!O<Gng$Iz
zvaD#-ap%Y4XLg^Nu<@&`-K}1(yJN@Y1jjFKEb+TFbJJJv^_W@jl>Ww;(A70o#OxZj
zV^jOdwd{U&+_=2MT)Q)_;RSE*v-xp}(gRPbi`7XQKiy8n(6g7^swrLLZ(PQlXe}&v
zCph>(YqmAAd>alPSmvWeh0*l!QH3#uWe812uk+wowX}A{v6(rUF~2)Bwy3Z$Ix91J
zV0=tgc7e6N>|BtZWKFQfEs9+fUHNPY2!C@npx|Hi^7u;N)_iBq66e;Qfrr~3>zw7?
zsBiLyDi^FlvK!TPAFJ2IKS#fZqb!1mB1YF+^Gu{@d;O_?);gn?ObIjdeO8~Ud1BF_
z=e0LW+t*w;ud(KTa{syFJt2cE$3BQ(Gj#K<s9ISG-?ZvKw918T1D)?0OOtZP&G6d!
z?dq>re|s``=Wv&OFBF~lp!cbbb%N4HUl{%VzHmKw$(uLYY@Z(SjPu0L-F`XQdt_dR
zzRt~>H_5BA@^Z?&RdtWq4|n~=zj)2Wv2W+x`gOqvPF}TdOnA(`!TiV0dVT6KX{d-v
zsj@8Msi-rnZ}nQPyjyiaRBS81<DnmI`)%~|owk*(Dw*ErdV@8c78fVfjv2e|M6kWb
z@b3m!d+f7IuUUIU&1ltV-DeX%+1xO6P*#_D8*_@@-VsoL!n3EhZSX&;kFb^)g8@~Y
z%U~+E=l9Fch%?UTEbE^-9Z|FA?_p}vrw`+Vx3wxBI=F^&_w0fk>FiO#t@5&B%1MQz
zhgbQI;I0KD3X6i<XBUmiFBlS6*P0^Fbo7V|&x#0+w_1~f%a61*0nBKgUl5!*qG(Wl
zLC%=${=p*(vxD>Va*N}dS<~dXnn(TeQ-afSGYboY6M{RA=$D(572L5PXJ}?Y@xx3f
zxQVT;qGE|hNj6@C2v(;86XUU&T#kv8o_zRb%XrjZ5t}j|g<Gxw#fNUWfwi8k+ldbj
zDDQT&(M8#L{c(@oGjntLlPG~S^#?1$BQ2w0|3rgkroFp(`?7ZX4qV%nyk*f7#f9NV
zN1fl&byw2ekFNSHyxe2h!ESzG)t2u$tzbO-hj%Vo0zS7aduQ4@pDD3{0rve4o~&})
zdyO@}Z|9L-Pj(-><LSC3kH7!UqZh<QA0zpyHF)v$E8F_rn(ONO{GIDP27OYHym8#q
z%e=gTUu&gwieEJ6<`dSGw@MdRUGjr}aF32{*7pBmRqlmv>VIGtvb{~?Io|K>8F;+3
z$ybm4_EJF88g(z_EcUH2<h_=jH*Yyl-q9}Z=Z){K2&v!iyUWLpzWn8tX9C~b)-<qd
zK*{{8Jw2{jhn>rP{!Em4@Tn&+XMWQAtu`-3PFr`ZVV%hi*7ff<ed*WlH@-PBX;trc
z?v}%6Dd4ljnph5I0K#x9xK8;tfY7Hh(-{fFEyPp)ORkfRmlhDL_qF!6_Oj?G3TtO;
zt@7qn#ml#>xlyA=5l~@eva#5#VTAy<GQy>*R)62WI<jC`COS+IjkeadMl1?jRI{{t
zS+f#BD|a$>SXO32^uQ$YC`sMHqr9x1<rmV_2PN$fj4Dzd?xt6_hAf4-#`#&Rp#qNN
zUhYWkI<{#Q9UmPZmskmHm(2dG+9M6(&b$>eW6IDyUlqT)dUdad(00PX>^HWayz<d?
ztNqQi)SuLM6XFtn2OUJ)!8Zdoq_;bz{n)Biz&i~_`p;SKmv-S+srtx>(Yu_so_~3J
zVh88t-?m<}smYXSmv2p5)AqP)t9p08uKM))Dfd2X@!ezD9d9maJ>1o6tpAzYN3L$}
z*ggN=-1nAu`k?uWoiCogINzyi!;iwp#w`&yV`ffk={}?6d;9cOPEWtG`_7ytW9N<V
z*xllK!$$dz9V2pUk8W%I<(mvAkH$w*Ml3gr`~UiB{cpZ+`JCfvhnDxvA@$VBpAR^^
z?#xTKoEPS7kLebp%z1qL6sL(JM<nn0wRz^PoV~s;_piNP&->P`^D+0ii+in{ynRE9
ziLZyX6JwIK`kOLe%G$HgxHfU>wUaMAd-qz$Ls=)DT3VxcGtd^KP%kHi>Frmoee1Cm
zEmviQ7Kbf<t>|};%=#Y&K$1fyS(9KI<#}LS9cz-c&I7!>73X1fvpAOJ)AdzF^H7lx
zO5R?nQuVZJnw^_DDzo50YU<+Q3B(?mS(F{zp<rNUUd|X>uINew)(sCczD{CFTzu-o
zfGn>D^R;twNCRvR$S=st$&7Qey2wh?$*xOgUU2LD!t6MhyR33>@@>*TzaK!g7)kWd
zLK&&b64UJdaqd=Ed61)%eb?e)*@!)PMdc@Io_}-VKhoOozP;4x`_xh=r~3!{`<%{y
zS!;S`{!@KRPZgh;6R>HL$KABhmS)HgPt2X#*YfBMyEnJo(xXdr9sKlVm#-e#9)0DI
z`RSKCRwp{np0dT|7vEtU&IHz4zQbkgp_AI$C;ByfJZ#{A1$Cys(&zZ0dH3hfcV2cr
z_o?-3jy`>};ecH!mptR|CjXf5)rKFA&N}q<miGJoZ;qNgBeJ!<_+pa#;Nd?Wn|kKp
zd&lPPbtrB=I<)14o!?LGQvI7o_gl<*{b-{#p4P8V&RlTO+NQx5-#K?Z;CA`mLXSHi
zJw9*ajZ+iWjejnte%CV%qpoB}4hekZ)H!|i!P|$5t#{6SnD&ut>lyJm@0a#%rrjNM
zy@5wgIWE6|C-n@Ie;`npwdSJg<v?YpEdr5n^61tjy4*6N%U(Ft6(E*}E;;Z3Sq#?G
zt$nPISsXJ;TPmgZnklBY#oE^Tpe^9Bw*<~YWU~Dw9B1`=0LC@TF9<NM=JcnBNhJPr
zuKhbO1=l9_GS`l~dA#%2bE1M{Z`fIOw>_V8txoVrYi-%xARS4zHF#0rBLC8I^e@b+
z)Gutve7Hw>*ATASSX%*I%i;#Yl}A}1C_Aq|Bh`ZdWL5vB;i89N`cHBEPe`#{<cwER
zyxUw&exqR546k&zv-7U{^jbQ-N8uRfK{H*(&%Jx+*CSIy*1VWl{NwF5x!FO>ngt%H
zce~$D15b><xP9oW_BT%YypR`lY|GWUo6n9r^uf*}9e%aUw%>REP_uZw?HcQbeaUD0
z#=q@&+HGlePTg)BcD?0&XWExBYug8Tox9loXs?JRACC@tzDGu<<txTU&T(I4*W|Na
zlYCw{ck=%0qZ)=S_U`iGiRL|%o<1=$Vcx3E{c0C|;_7hu`T{L*_L1EBm%TqMy|H^i
z-*>kzdG%0}2^Z(D46!N^XM0|nvHpASJ|%ANwd|4V(ZAus_@{SHsQ#v7VWS1_&Yn2c
zXUwgICr(dzvia(puO<v?8CRmO15CfKDvEW|;{PxhR$c!PHY()IMUze;q?gN{_F9}%
zB{5UC`d8X=jB`egSs{K_g%3SAQICUy6tlF~obl@xH@>+;i(Kv8@*{DoM`!E!N~bu*
z4YTGg%AGh^bb&59LKKKB=%T^c$`pCfN`vurwF2x376VW-ROCQAEymU;l!`FbDOj|?
z{%kBmP?qQP$L};8Q@~?$vCcwGXS6ZY)@J1p2_aA~QN;XL4>&g7y!cfA@oPqhx9pc&
zd;8Lp{nDcw_iO(C6I*-^^xqhf{EqXp`94v;hf_Zr;MUHZU*dXfe4Oj95qjh+$NYx3
zU-`;Ut#W5}RqE{OY^mQn+0JRx66=oRk8e0PF?+gu>7JBzmr5sW?)~}XN4q|e)$@%E
z_X~NYqnEyH-S=qob-tEiFKe5J{`z6=)}`0{Ca=76X859O8!zQ<Sg}8A!Y_|J6E)U*
z>B<f3Iz69qZqfO%D{FqYBz;rLnv<Qk49oW#=lIg=Cnw&nzi!ruO%o2E|K_o@AD;XC
z&at1~+V%1r=Vw;;4R7?*kn=yDOKSMb#iIwc^ZRQLIGExa{cYm$cRpCX&He4Ok-yXp
z+2lWD|KbwW(OROK6>rZHSEAel+TM}|T=2iGEvc@55VtBBWFM<fMaQ%_#|Imx0&{#|
za7LU9*+ptxVqBfL)Wn2de=x`8ZyEPjOpAS?-V@z^%fFMo@mkfFTK|bT7%6ub^f}Y3
z{k+1^4O8pC-S@>{rG@8-O;r=S^=Vo2<Ia<c+{5cloLG1Dq;FE68gupd9LG=Z)yay^
znBOV+Y>%*~pW5~6mofDl|FG;}qt}}>thdJhD+g=8U3~*QTb%0XTjTtM=9A}M-LWk7
ziu?5gt)FO<_lEtnKIe~Kf2GB>*wD@6g1>9J^HoQ?d!P57zH`e&`y;Q6ckUWJHLXU~
z)@KLSHfp>y=m*P{72lkj^ypKArdz_NOeuOa>GbG*M?Du$N_BO+(qizq{>{QOy>mZq
z-M-JBHR{rrwjIjsI_Ok~USGS8sQ=-w=Wg6>d*yhap7quYwM&iO7dy|~bL9~?zi!<#
WZw&i>b#h4aRo|w&zp)zwApZwi;ZRoq

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..86b00c067e0a15e5fdfe4f4d97e4665de8ad0410
GIT binary patch
literal 292404
zcmdSCeSlWe-v9qud++u&)u^eNYO3kFu6gWfnx<x|>3OQ@IZRD5X`(Wbq$h(AijX8B
zgb+f94j~jFbezzk2%#t?p+kodGS~0*+3T9*+??C}y?@_7zQe2c+H0@p=e73UGh##}
znSVUV@7t%W|HSav=ftbnhV6iovcUrrTBQ6W-q<verl|u<`VW}<#Z?!H+iZ=9`_jPD
z6U(MdTls;w;aOrF8CZ5w-z$E)zO8uCSt317IkBvL$5U5szgWbqCA@K`pEG{?!X5`Y
ziA1N1bUyX;^Q)q!yq+skzKr{A&X|7YIsWKnT|`E0!Oyv8jz4#LEG91Tt>S*dnNu!2
zV~`gcDRM!UI77EgnmE3)_V%64aodCYohM;YXYO&MxUS+lYtlJYvzkmfKw6ztk#PBx
zX{V1*IQ}xyQof1nigU)#nqK=!hqRcbxQ|X9f6m0SQg>#E^U@)a#HXiEJGbiI9|p}7
z=S|`tD${39oL<)K`6B$6;C_^7**UesMc-Zi>}mCTd?&Tt{n*G`byAO5z4)B!qUtRP
zQ{A0h*A^%6L3EVf_Uf<6(o*ghB}|RmtEb>6bc@>X?_x=mv!z!2ejTEtTqqGEu9N1J
zb4Q#7D9N*GPL+-(2iv;7>w2!^c;m$R!3pBDVfQKNdm^T2EarR_^ED-=K~&7$de?mE
zEYW*}zFbBMrR3zrs-2Uh%qf-*&J47fl$mO@itAf3>-ATXs&35p*nbX-;a=_!h-)dD
zE;&wyG;^+(QYSTb#EnWrr-dA6zKb1k(xjE+NqeV22AemewNof<&Ck->^pxgK0{8N;
z_oask#olu2V6HEN-Jvqr$%pK~{ougQdE9$cQq5VC;^az+`C1a416=QxdTKV$N=A?$
z&C~zSxP4>4)Zk2#w4-IF<#sGuhBaIxVJ*-9Azgmgz1GKn2lb_O7O-B@OtaXx)ZZ}l
zE7%I3K{a**tey12JQ&(?{Y_0h2YIvgeWKR+zhQ#wpJV?D+Jd%+nl_>B;*Zew^1r8@
zJ0=LHfUtg#4vx0PKSJB+AMuEc3fix>;eSWl^#7K-3FCLresV0@U;Yz8U()_`EZWY>
z$@d-7*|`?&1lr&JXVm&L?%f7bSOfjmsp-?&uaCtUA#JtK))4e}?el*g_xIce<AshH
ze?(qvkB%qD;21ylA>+#+^aJ<@d<;L>YbgxI9$#9a5Zi?gt{IDTJgR|lsgG&Ny`@l}
z@rQBB)Q^3KMoshBcRFU(5R6?qe*FP%p7aaGHXYyo9CiN4o!jd_hhcQwJWrZJ@3^@q
z3Zz}f(?7tez#n7ne}%G(kHI<)|6hS|UB~tsg7IC)_&<WNU&sGraau_}?JuZ<pgt3&
zhf`Pj26oufUQ?mfF>N$EFl+t)EZNQjl5Jj=eDjuMlE-}0D)x!foqh#D+tm4|g(OkO
zB}dy^4;f-wNgXpoI+%X3=gi31VQnYQc*1-jXdeS;BMRw?eHyfnR+zO7yb7<-N6ur6
zJ_`OOa^DGP64Vv*q^2dPgOO6l$&qx@@#}o3WwefQM9X7mP$r&vjO!02%e*eNp`qy{
zK7Kkolcl*k9WG=pz8rl-nwy!VeWpa>+RV(1{en3e+Wcx4xKVdXI2iYj>F+gV`X{vc
zpK#N*rriIN2L0BTz9x$@(?04;Gw4m9{yv~_>^tVR<~3`cV4ZV@M1%QO$5Wj<nWLBw
z%Yr$Ob<EMZtyM7JbZ{1NPuD$B>WX<HSl{fWow3$&-j#07)6$NyPn`2(2c2(Y2Mwz8
zuCt%(>oDtj=t%5Kr!W2oGA8}P7@8(|W;6BvoaEAGi&@Qf)_IvRuD6pY^>91bd@GK5
zNg4<7p3eHGz4WK;v^G1KuWFMvZ8wLdwzE|Voo$5oG~pM^K*H*#_cT6@L&LXoe(d8Q
zEcL6XpJuW50`uh9PtK{aZ=De+d2vnbd#9S~pU@xBt77{DYSvf}VE+L2=f}R#e7l9Q
z@7<2EZ{2oi8#D{e;{LbXr%c?(xPBD-htQR1Wo*A<9;BWgWX(c2T5e7!!X+H)>wBjy
z_WN<8=vsw!jN1(Vb-4cx;ZnXX{@q6iZ#jA=_HV&sa2@w4dv`GR`f~jpVZ`TIm$2P1
z_6}~S7k2~K&vU&FeF{C1v?=|F@3PoW?zypVy~eTcy=1f=nuwb_xUZ~|GOq}`BJRC{
zZbV-|*P|E4_ABmd($4FP9r^O!K}n<c2KqXB25ul|8`?hp2L$a$+t42nv@2~}e*)S^
zA+({4KST$i+h9vvKR~~ZvkUzJ{sHgB`7CHx+CTmXZM#ZM+xtIN+N`$QKgIu`EQ50Y
z6Xo=qvi!5@sBx!#oANOq!GrYmTI`jQnOBk-uPh_bZp;h&q=LSXEtBDM?Yrp9an_*^
z!ag`1PK)bV=%sNg&@<wkFN<Q|%fi^Vg!zSrOPzghQgxqzHpKpo*nTA#BTum7U@%TD
zl4Knx-Tvaa{bN761DHSBv!1>kH_GTZBhh)WpM!BTKAs*OGj*S&YwITLKMzoEI%evA
z;S4EuXA$;1%<o7uw;QT)7c(E-gO*E!qkE#K7;|-hs$sE~r##rB>b^$m>;A=EO#1HQ
z{>#LpY0~s4nnsOR$M3Vbr+blB%!wLSV+p(G;BR&;=FVnL*L=;#zJ{H+*Kt<Su!*~7
z{BZh_hne)NGc+CX@)-~>AI3-BGX`nbwYjFDW)GxkQFM*on)yT59IOvmN7UD~h4U8k
z`dgGS%K9Vf^x~d!%zBjem*8BDT@UzmpB(J5bzac5lJgyVJNCy;Z`>qHXSX(M5N$&f
z$ji&bc^KYcUil8YhSH>F&CT56XnKM*y{->+f3EB1#<Wx2r+?3B2x%t0&TrC08iRO?
zxHpVANSFDM^~hhaU&q}06Z!gye4#<UI^wQ|i*aAW@vNhCPZ3}5QBL)oEXq*V_Q#fu
zuB|9T-IK)Ao*k4^d`*4Sf2y>lT@*T(v3EDj^+tw3I;29wxaOitYsdz5*NXPg*<6La
z!#Ysir^PiY-6_9Zr>S(JFBho0fIkku9sX;=PjgaOQxdK@B3VJWDdb<nPmxaM2i!HH
zjiv<m{wTf2hL;^5H)_U^_U_AalIc#nRMxY%SugEybAtH<lBEdxVJ?DxadSV~aC_)%
zHldr)zRUy4E@{I)wN0%Z(k5Z4v>~0rHU4^={)ByqItG#IB2yyALt8inav&OLIrn2S
z+LTM9K%XN2pU{_p@LD@36V3xNTGv<ZFv|UP`pfIsZIZ^vgk{5AO4v(-uxsK7)cKPB
z^aW{umU>=7|5`%ZUP8G(!nks_baZp1BXMO0?fEm#iBgF}h`)$3`V2O6UBLA?%sRHb
zLVYv|)Q%xKmgpG-cFrmE+c5V&CmkOXN12qGcUa#&$NG9V{Y2N`ACZ3I`M-hlE@Mj#
zd91-}@}l`U7V@U~3phc-K|VFF|2-$f-DLcp+n}7Zto{>}qn2gBRsRQPQt|Q+%G=h%
zaOy<s<yc&M&6$*ru{G3;{ePrdkN@YicfS6U{%IrHPJWM|?P&Y?9o$XKLubk;ZCk&G
zwzvN^rxV8SK^xX~Ttm>7wLSk4+RpzC=I}7%Vwp3Xad9xJ=Tg*#_62RLL0^k7HfTG<
zZ_q}l5AAnBpL?6Wq;;u&{>k{Nb#+Sop01m;Tu6`e5aS5_jk&#>Gm-IB*8|wIrmuD{
zVl257JB>3Lzcuj=Vn0i~%;_Fsw>-K|(De3V{i5+|yFDgO?NdRVZ!xai#C}QREW=HE
z)-Tkr+Zyu)j00bxDWv%q)-PQ#howPH|8Y(u&5SXO`5l5fZ-%*M{X$!JL$ROT_V}4W
zIGPsCyT+$ynr*Pt^4U#2Xc&80x73NJU)M{ExqmjQ>5SKt6C#b>Sf3DPP_CL^Eepnt
zApcr7#8J}^G_D}N&WxW)jQ<x?c5gFg>||~5J?9}G(}xdBH?u*~8Sgu?FU>Q*&M_UC
zW4bUW{C19coH^!k<`|tvmNR#(LH}rus3NW^83E}Kft<LuLOVhm$d+HE7_#L>X#-L0
z{@?I7j(p7~tur`hxqv#jp1FQ5`MeLE1f$@7uAh}o@;v6_dA4x_IvftcQ?QZy*9F?b
z+=!mT`fREs@f5DmOr}3HV{J8663mF$&*m)7{cN1=O=sfNxKEO1@;+^H9BuIeX)ljS
zj;!H4X#(c8%%4TfpR+*II2%<zf@Vkq`JVJ#NShcz_&*ZoAhZ<P(LVYSS2FDZ<e}It
zfjx0)e9$BaXO2XPuYFK&hp5Z3w1)z;B3NrRVQ$tnO#$edOlb@~LDy;BK<|aXcTDVS
zw68S>YZ7&<ZU%t*)%Bg?%b3{7HMoN%?7c$YX)Z->cW8;Z6WUKQj%q)NxDzEOejN$a
zx{2T}LLUw6yh`c9b(lCZ;^<l?gEi@s$Jo`}tI;m;dr?%$VEo8o-#M7QK(3ig9rPrO
zGq|VcNeSeAjf|vzliVo#rpa7Sro1LIZlUh^(hizJG;Z#IDr&FPT&tU=Zl(-Tob$!w
ze5tw9h<=_-pZf%o>Dy|KuMg#6NrU59$Ls#{J<z@7S#kwyoNUT<pLCIZvDdgx#$NZD
zQ{gI@2DiaI@CG~ruQ>gswMdL7nz1wBX80St0NdbX7!N~$XRxs<m~o7b#asasVGOK?
zb)a^qz+-W)MsI=Z;To{vhGTm%^Yk><0yHcQXCpian?e0Q0xRPB1FGTQ{%>f!8mGp?
zv*p-d;;QB~@HlLRd7yD?T#DvP^Q5Zz*89o{a39p<`)yrEb6pAJVC3(ZYwp#kmeaZT
zJB+46{5sIHxvt6YzpLJx3>U#vs3~(z_wg_VhR2yA|KMzs!9Xb0fJ;z*f^*ej!n1mP
zX3Z09ak5ZPB<Ta5X6sLG@LXH%U8xh;`^+Tz-28{Qi({T*2R{DjALCu*UFN;uKj6RM
z_3|$DZuORW_xRhq^SuS$dET8~Z?D+v<Ms9Wc_m(dZ-6(@8{}Q!&GJ9+-}gWCW_!<x
zLmE6%>PtuxNI@N`%iiQTsVDU%iBYbhBufgrl*ZCTQl%;5WpnQ~?{4pQ|6^}SD3LzV
zLc+q@MbafhG9`<dC`VdKD_VCOX-i()F$T7meCZ$^r9cX$lXr)Am$%H{O{Tg@PZ=&_
z<W^ZOZ_1BySbmZt^0UNDvT0$`OxQ$C57XWBG`-CjGr^2Er<;kU(%finFgKZ-y?gx?
z{=@!*-U{y~?|yTQx7K^gTNgSm)Y#u8!{o32UjHM1hriQb>3{0)^S|^DIMe*k{8RmL
z&L~sQ%=9ktF825M`~6k^C;sQ&eD50X!q6h=EM4VpdBmLSE%dJQF88kR=6G}c_d+hu
z96tBg`ww|nc~^&)gl_ik^KSI!c~|-yq)000|EJ0+a*<ptm&k>3r`$yjm&s;Y%Ijue
zs9va1s7WX_)I8KQloo0hY7we0UcINN>RmL8knEzAie;Q!Dlf=Z`B?sCE;Vz^_2ly&
zv)a65c9=cpGxMeS&irV8ahf|_oPN%5r`)M<COMOxsm}S%#m=S9Jm*H|X6H8NPUmjt
zUT3xQgtN|B@4Vo==xlbjIv+WE+(fs&o9ss2Hg2xl!7X%qx_#aL?s)e+_agUFcY(Xm
zUF_cDKJ2b`Uvl4Yx4Q4R@44^0AG$l;-CoE`^y+(!y=Go}ud~<9JK3x7PV-Kut=&Ye
z-se5+J>fm=J?p*XZS~&w_IRIrUwhxS=+|O!i{o3AwiwZ(yv3Ln%UUdN@oYF0t{-j^
zP7h~?+lIS`2ZzhTr-!G7uMA%wzBPPT_{WHe)Q&WWG>SBhw1}ifT1PrWx<>j$`bP#w
zj*kqFoE#Y)850>B86P<-a!F)v<m$)`ky|78L>`Q+iENC#9r-ZwapddBp-6Q!6m1-B
z77a%;qB+t0XhF17v|F@yv?Mw>IwN{v^s?wR(M8cE(R-pRq7O#@5?vL2B>H&t$>=lD
z=hBnYo1{n6GtzU?^U_D8pOSuR`Zeh{WjGmrM*WP28I3ZUWrQ=@W(>+0moYIjlD$0p
ziR`DdpUZwR`<3k1vNz{6$eG+Sx#ftKpXFueb^qC`j`4nv&`a{AkBq0aZ;-dB@o$0}
zzR@f<k5a?`FrS!x<_mMk95zRs)S!k-oe|Dx=TvHViZjib<y_*-appTqoTbh(YWN;%
z_;KfH=UL}@YWNjri?iL?#cM?M-3D%|n@J7lQNvy1HCz?c@H}dGk$Z!CpS#L^%zfG2
z@|zkKFTp#`OY)j{&AoiDi`U&N_r`h?yqVr&?-p;l_mKApee4-;gZHMl&HKdL=Y8dU
zLk$n4hEJr1M;)zUKb#nD9FB&w!fnDG!@a^I!sX#9;W^<&;Tx&p<q?TEkvfrvk<>`D
zNHmfWX%p!f=@#i5859{3DUFPX*YIhP36aT>Ig!gF^CLG#mPYQ4tc*Mrc_s30WM^bo
z<eSL%)NsRSYBVhxrH0!_J5s}4qdlnMfzj#Fs^}%rInnFlHT(cI{4h2ASaeNvZBWCF
zkJfN$dRh7yYIt$Hh8s}BO^?=aWo8;R{CM_L+3T}6P{XfM!%6WP-j|n=*X?JC*D#fQ
z>`&|lo!x_<UdP(2Id)|=r$n)HV$=9{D*sJ`b7E6sXT>H3_j|?0x^Jn;JKh`SZu17Y
zujm!m?IBO`+IelgmR_cp;e}#{V&BF-W8UMPvTEjT`&0dw>IY)i#OBAYj$IYIBDN~_
z*Vv=6S+R>^vty6P*2JEQJ+1TlfByNL8Tj);=mMSg@7}*_|NH;R$0w{T_K*_(-M8oB
zJ(uj+QR8~g`+LsXbM~ICd*0qNe$RwG<E{Ok=k~Df+4C$sUE{JwKbv1;+FK^F@2!1X
z_c9mno29m&GJ1Zx=F`XaCG1PwS7%@CeF@yDyU*Fjfck0mrymgB?R#$hbmONRxSsLp
z%uk1WdfMK-d-v?!DYADZys~%w-rM)i**k0Z;@xGt`|s|zyZ7#%yD8b-BX)hgYw5>d
zeY|4FYws?8msJNphLO732{Yo};%sxicaz+XYR$Yl$YZ_Y4e=&<lf5b4RBt-{h1COg
z=Li1=W;NCPc(XiK8T!Lq9poi`HIrF<9=5Eryk*wzxBq&#aA!H(>pf0CJX*59b@kgT
z?+tH@_pY~t-g<!kdf5BPJ5oz(d9~`*N~+bkRw_#srJ2S0Rr^}uTG3h=wX$mE)GDfV
zLaowTXVjWf>-<`zx7HjHKi@yvru`Csgg?$_)%4pRe~Lfdzf|q~<**ty_}l$M%!aAV
zg55%d5E>R587dD|U^-P@qNk`iG=YEN*q>0jy$S_2V*gc}&<V%7;=080Ticqe5H<YU
zpHMW^3Y-6@*HfWItY%mZ`S<%P8L3x<8hcOqr+V}KJ>Iq6+E5eLN+0>H{MMo4{7=36
zy&FSmeoKFxca8s||C0Z*cM0pBF05m^2CK4RtjkVeWmdtO=EC@z=3CZj%Yt>y-Ll+&
zSN<xm2dkSm<uf^Cu3`1|BkQ-HS;56vT_v-AYZ0vAy0eDU72G=3aN}9Uoz4nwqW_+m
z$tvzfUB{WfnrB#Bb>|$Thg8c@a~%6FJvVB^xqTD%dyP5!OXa-0xtwOwWgPqO@g`Fy
zn_L-dB65ytFH=pvOfwy1y6GtAna(oHbd%Ypmt1O!Wu6%zS8&d9nHeZQ@NU7C?A5O_
zgUv9xhEs)W*_|&iC&)r`qAWHeWr-=5rR>6QF{hYu@;&Dd_n0%}VKZIsHD~IoP@du}
zXdQd_r_CkuoVi?{H&@68bEUjs=E*DOTKSt<Ag`Il@`hO=Tg)x8)!Zs?nWgf!xlKMa
z_sCxJknA^)$mjBvStAEI$@tnl>93M1d6d(e9p+x%MiiN2`pA8pglsdn%RA-{dDkqH
z_spHL-Q2~gQj*Lt1@ff1NT!%Px!H{7Nke^kk*6qsHw(@4<`uJ<^~4+IO|!*pHE)@>
z%{KFndCxKC@8(_ezCX`j=-=Sq6bi*xq%ByTHuIPIxA|B3*ZDVwBB6{>cBo~jb*OEq
zU8qB-Ak-<;CDb+4Jyaa(8!8E%7%B}74~?Mbj-v05b|<@2oRi%%SdWf&PI1OMr#V+T
zrL0d!IGo%$Cpn{>F|1-{vwpeMxy-rB8Rv|5COD@%mCi)x4ChSNuxGKxIh$3^Ijm);
zIn!C|%y4Ep=Q>r+d8}<OVBK?tGuOG?ndiRXHFY<5&D<Bg=I%>gn)|ZX!rkbF-M@S3
z?j|q8ecj7;-|$+wZ+flWEnXXUtJl_j%gc4&_S!Lv=CR&+m-TB$_kFLx{lF`9KlD1e
zJG{>BPOppmkyqq?>~(c_dEHp=cK2udm-?6aSNd1`3;abs?>?G_a<XYE<(wg&%~{V(
zQz++~E^>kCDp#8!GT#i9>o}uY#JSM*rc7?&yyr&FvTiab%Wa(T+-^>lJIraaiZi9P
z=2CgaTqe(&IkKL!ub0f#^0JvPn>f>Y)hv=v%u3nA^TJQf!}5h$&5qz{R*Y*+5ocw+
zjp6+jhxhPY>1#aB6l?L`lP~>Eh<92OWT2_d`wIFFab2DtCdvepC8u*vQE75yBJb{<
z!Mj;!n$|MOw2`w+Tbaw5<mH@Ot>B#Oe$HJUFlWnyW{RxjOzkh6p*>`#$!c?+JZ8?9
z$2lu|f^)GooPWK~`_vzp<+77=yN}EY`Is}iT|B$m&9nS{W|e$t9+Lx{dH&Np;e6>F
zaQ^9h<$UcNbgpI<d#$t3xz1VST<<J)4msbkZZ)ps>f7A4oI8T`?Q&MQ_d54EE8LKq
z;MQgDa-3U_)oqe<zw?0e7v~}8VP}=|SLYG8iJR)Yz<#Eq+sW<hc5#bX^>%Y!a$aUt
z{C8)Q^Q!Zj^Sbl7^M%8kJ5IF|b8EYG+@@|bR>@gzfm`VO!+FDblNIz<=Pl=LXPZ0N
z9pb#}yvK_Aedhz`LuZGx(>=)@<$Ubya&|kPID4GE&Zo{k=U>h@Zg01TTkL%64s>o{
z|8)&-sBd<sxl`Tgthg_6hq{B@VXp6%u`|1co!MQ^J8qSGzB`LmdP6tGZNz@8vGXWv
z`3Ieq?87c_FJ$H3j<tJxH^NS>t()&`V155AJGpi4#qMl(rhBqG(k*wpyQi_kTjOkW
z{^oq-p6kwFm9Bf%8@vZR_N?qpb@zHDYlZu~n?g7G8@vbEqutC(ekCjUzxX-+70lut
z{Q3Ul{zLvV{?q<iuc!C4zuDjFzr}v}9p>u&{&yi>uh;#q!&CauP5Nw8B%4)={<snT
ziN;~r;v66#Sl?t|2JbR7)8etx<CGx4e*n$4_-fC(QSo$L(bD4S>OtpbPRqPo(KZ(E
z9<;5+--hN|f)!Ug%-}6Rb*=~RJd|~_;@yenLs!hb(QeQk^95)Ri~j-I)8gxDSJMRk
zhp74iZ#G(N;Vebi+X=HKM?Nsd;@yU_wo$yh(Xkd?;W4)c_#dOES-d6aI1A@1!fsKR
ze}$74;bbAey93p@!Mh8+#1gC+FU1W0ZgjbYGYt_fFYq*sdoBLM=zSLdL3D-1zaNd`
zvrZPRC-9b|>JB`0tM?$(80F+o@mQ0~Ll$52r*VKcA6;ef_n?2Zc-NwjSiH69qn1z;
zl=Y(GYg~_6{Etvh73B%+TcK+#q2tgeE&ivdrUN|9hwduCyAjnmAf)BF&f;rZd&c6A
zL!Y&HdbYP7o+qvs(HAVNl|(kcM(7NGi_;T*CC)JP?{PRaluhs&X#03Qj+W16cmpnk
zH{)pdTjG3+ZjEy*`WCzk%iui=YcY}SakN~uy?zK9&yF}6_Rct;p<0g0A<*^*tl>m<
z!Cp8FT8>H#_E}6lRQ&^I<0AXv3(Q)cUs_BQJpf-}-yQwhVtS(oExZFG@-K@SgMI_w
z<9<B)gT>eUX*z&+YlZctu)Y+Y0|~3l0K>^S>&5`1d9St@txruiu(lL~QPF<R+!>($
zm_q}!-!qp6Xc)|?0elW6%&ivM7;|iZj6g$iQqTm8uuEm`wKPKOSmY$MZk#4)qD4lc
z8m`h9DBqxrN1^rOq@qa{8I3lG(;RJR(eXp;BOo2sG=YvKtfMU%sKx<0uCTVYWTF}e
z$Yiu>oLsb-MaM1H-<AkUeFt@Z4%#A4do*m3si?YB@*!%GX{e@8=>VE0km;zVL+J=v
z7C8^ij?)><vB)g6Wt?s(V}YV$BI_DUFSLzC$3)gSmSR-%1~LzA7iR#PXW==Hu&=O`
zpqdAe%TP_XG7vPaply~Fx#c;u&>~l&o#G5aH4h+Hp<Ut(MvLMML%Uk^xdQtb%kikT
zU65;0ZLdlx^t8wVRP(Hy0KF};5G{^#BHG8oS9ij?&!X+HpGB6SnrEdP`defvs%4~9
zfaV|M7F6@5oC2C3WgHB#1btiklJYEQK0)Usc43w?P)#@JoWYLFG9A@?g3ev6uPtYy
zBP=?Hu->+ui)wyA=K$8=mW$C*79IOplUuaSXg)#b33gMKOHj=Zh}P+tIG3ZEf6%#s
zb-hK~%&8XHfSwjd+rT)B&LKL+1!&uwV9|NQoE}H(x6-0>3*S9hw0^aWK<5(nqZX~l
zNfw<;Si@Vi9w%FLK4DF7(fXQV(Yb{+zU5YQszv7+*8CQ&_vsdS8=Vp7Hgu*%=NtCM
z7Om4Ni_RtN8!Qi@=Ua5%U>{-8x|?NTS1jx+0)qMDBFxGf(E0<NL)d>?w0^aoK<63u
zRF)^vIdK}G*IVQ}^hOJNZZS7m*nNvxZqYRe`*e%i>ow?H%0A4Z?eHaw!!7d<i>?uQ
zU(=%YZ(3vys&%0B0WEjX^%w7%ShNncd_lIMHQbK*9gC>G8|M!6J&Udh%=S3T(DyC6
zMlc`5xf9iT0$nc{&5v>yd}5Ik&^>XI(0vxsI{z$A0s4hS*IeeyI9gAKETZj8%Ua2U
z!xp(2{V~pH^oT`t4EQBZeU{Lv7T%8#r>TY04RM-TbZzA{x0r=!7Ypy*h||v^C!(bm
z^E^7-!aH)}jDT|Dqdz*N!>Pc$2|X3GUu{OI4@Jw^p&uz)#twONredaCooS$L`Xh7}
zT#T7Ab7+swrI;xvhq`y>VLpJ)2W@}<LYIJ+2W8+ajbqT;EJpLV%%XMfP=AWnt#h}<
z>_lm+yiYB>!!6Egi+?%#xWy-K=Lw6iW%abhzX4rq@oz%cSwbQ7S)eRK3Fz}cIfd$=
zS|8w(Zb!?JathT$Y1e#nBmOO@mJx(fQB5m^w63(gAk-B7&=P8a?y!U!p_(5EX+3M1
zg1;2qW$|xAcU%0cP};5HUx(6e6`%5TY2r#Kf*MOG19dE+Y!nAds3q!ILaotSmQY*N
zw}jfEl#3GTfKo0>h`!*~wuCyNl#vpmJ-T%*p{{76CDa|IeJgtU?KZH4iqVFaP+v6J
zq9@rd<>*FnKLE{y9L%(B-q#7xb8xqnB{T}vJhZ`0Iht$HGj*4K=#uu(7_`t5It|tI
z^~8Q0s&PYTBHG^)Iujjl2~9$);5<<CMRCqSFO8#qX>$RS(JSLjL8&vvIT^h=&Kc-@
zSb)8zd7(x7q`S!Cj76`vIGX0g7DvOr0q((XZ}dL+3ugMg`;f)a{61{a{_U=UM{zS7
zrN1bSrt2|y5wn)VOBU_Z?#u8h_A}7eEY2MCb&GQax*7g~o4M#47VY!y7TAjYh3GpL
z9V1-ElmLzE{W#;%593Tg=?4L)qr2l&vX2#@9cn(j1W3gEBzhdsu3Y-9mjsP5Q?6bU
zpg(CjdCj3c=3CKx=#2Rjv<q~@{3Y5QPR9H%l=|?f2MyPw4m`?U!}Um?;=X{AzJR9a
zOpCh#JvR<<>+>*0%U9200yHg)En425rcX%&`mmy9?=dz7v_NmMxEoQ;gA#_N7WePy
zZE@1k+b!-U^o}?g=yHqJp`IlLWTW?5v<|)d;<Q3(ON#p@N?Qt`pLvg1w4S|3<Fr9n
zTeR-I$Ktd_AGhd}UGIrFx#&|C_igm)IE*>oGZuFn`fQv$RLhsL)Hda5*(ubkr|DBV
zf~E<yeR-M=r2sT6a6drRzfuVATC@#%@5SkaZnwBQPz_7z44+uEje2|HbV2u7+>g-D
z;uN9#E$+wY=W)8CUs>E;=+|+&q2E}v?R($G=`PZupT)lz9cb}qqk~{D<3Hn2i{mZ+
zT=YbX&sfo-)Z$-_j<ERGprb7Q0`z2{-TRBsF&2L@y3FEVg3^8ze-8Sr#a|*4_ANp@
z;gCi5=wbS(B7_~LpDMb~4%f2?@rCPKbk7}bY>~6kCKlbNhNBjliKbh0uNls=$oVMk
zSke7un6{|M1t{%L(fwt(qeUo(Fl|E7y;@kq0-29e_loY>!qm4S*P$9N=sql5WD&|L
ztl@(0$->m1BG;qTnWFo%a4(D8fcCcN{w!Q<ksHxI7Tv3b`&#5ClzLZm-xe;h$ZcqU
zi|)h111xeoO50F$PZp+aC~^l%8&PzB7S^<ao=t`|ePCvwS|6Zih2hZ_-CKlDvFLeW
zc#MT-IQ*6!i#&^JI>5|9HEz&z#IVK(hBg@<XA$~sc)Z1ET}-gZ%joGAo(V~Kibc;6
z!{=CdP9))}7I_t&W-(e98aK!%sKy68Pm=KE7TJSdVc{8*gy&iGyf1vEh38HZ*04a&
z_`+J3pnIUO))UCTP^}x_`ILmU4}hNMg>Sa-zOICCv6v$CR*TW_?y~4vYIwOt&(_2D
zSoEwee6K}{(fcfVZWmr*kv{1C7CplYKVXr*=z|tL&kJk*LHePZXV9~~@Iw|UK{d~y
z=X_yp6CnN3zgqOnFZ_r_w5>gA(euBsmJ0}NF8r89&jQ1bTVxRWgvHcB*H~mQ`lLnA
z2*XcVMEj$bDd>4&Sj!P)0=mwk=VW1Riy)_?+WtV#%);8{Kq}GaEP8$xe%>Mz(HAUw
zmKNS%ku%U2EqbOFe#s(dqAy$Yj4iy;B9qX+S@gUu{E9`+LjP{jv$yaji_Aq|wdna%
z_%(}Mj=pX&T1T5L`dlLX4~w2{gx|2}Gm7w=7Cq+(Z?WjJittv8o_U1dvgmV*@Y@zW
z{|Ilh=rfG)I~F|)3BPO6=NaMmEP5^y-fq$78{zjYdPWldz@pD8!XH}n%p<(RqR%eE
zJ1u(t5&p=c&oROuTl6d>yvw4`Hp06tW)}L1MW1zq_gKt@=w6GS_lG~Vn7h$^7SVKl
zW--gr{T9)*d~V^nt%Sd@=<|T^mlmGoO89_9pACfnY2o><guk+gruS<L&wM3(&?1_4
z9T$M-z!KK60Q4C`_*)Clh9!K+qR$P&-&uHGEaC4h`V1lbgN0|v5<YAZP0NoKLs>-#
zI$~I3lh=p?A<TpsNr2jzuSV-YeazRQNzec@@kbg$Bg}*yNrk4EZ$g_v3(U8oQAo#p
z1kHe!terH@R?r&zJJ2@J9y8@1$%hWOAsvy9&;@f{v<SN5hBAzFgWi~FW07L$gPSI3
zU+9myIXVai<AySc41wb@KZ%yYaNLll$Ot$Yb2d8K;yi<nu{h76V=cOmkDO-F{d{B`
zjK?o&jZA<uF?T{I!CA!h5;_@Z<GR<6OothmKSyW6xtOV|NEMuixf-Q?M=l_o+UP8}
z5Hn>Oxd<-CoQckcOE4Fpb6_s!p6KO3UAdG+WIkL^nEyZ*!wuL|7Lgm_R?L(|WGPVI
z&b#PxxCi@_(0k!Q%vv5R;ZfXtjIM^qF#ijE+~W2|wGDyW1Er5CuGYy@7Ux^^X^T4$
zT?^|7hcrdBte?ev4Z7Z<XCe_TcW^1Yh?YCJj3E&%cW|{VH&|RPn-?uE<r2|y2X`p?
zvc=W5u+icUL$y9Y&nF^(x432KCU}+f+>E{kuVcOw)ieRWS3n|Krl9-y2xF<@YQ4Q_
zakbvIz*g)Vpl`w3m{U+KYtZwF$a@yIF}fYzCw$5}@&SB^nL3E<wCH(3<Rgnq`-o_L
zfO{dj3-(~nMH$l~pJI-n`z&r-^fQZ_kM4)h317?a3-}T<br3mV(Q~ZGKY?+|y%_!4
z;%b}y#^RogYQ2Ix5<O&b%hB&GZg=zti+dV+7=9$KC(xhZXUtkBM=W|)75T;Do{Lsn
z+!-R#kR^0I+R&nV-)J&WuHHhlkwy2wQOZ>D9zau}Ddst7GmAG5O@kKL({G|-i+3d&
zg>>xc2hj|R?w_MM7LPKIwzq_CL@86n-+*?60?vOtw38)78;f>@ZiIOiN<UFN>Nncc
zqWj@!FX)Z^&1i|mUyly7c=W|6?O4&hbd>(Acz;2sTYOEUmKXR}pjAM6{Wj<&a4BX@
z?`0N$J~{`k!M+f^4i;h7v@Egs%g}o){$J4*7XK0S0U#ef?KZ0E0RJ&m^8^0l=qih^
zX;weruS3-x_x&f(HSi>6h_1Ex&!FlK^`Azcv-q^tbn0F4X{YJbv*J;f=}jzp29O@L
z=ovsd^{9A+mrfZeK5aie&*FcDmRkJH=x`W;o2_UWoPv2HItEU~{122eQ~bBl#c&g5
z`bvgl@%N#=#s3_wZ}I7884WBxeJ`V-#eWBFWbw&sMpKKw9c^au_oHEpzZY$5@jpXp
z7mEK0I?m$nLMve+_B(iuC=D1JJnAHSxyAn$r5>`MzzzL1`zfIO{2x);Up8s+>8sfr
z;6=>8ps!f`L+Gm(|2y<GOUOkjM<qmhbCQ5O`!RH~B}6&3Otyp!N_i{(_b6r8l04}-
zP#*P`$Na2kKY87tJLW|qBq_iloS*UkGa91J{!H9IdyFk;HSsB-n|Nd}8P3M<v%$7B
zcj#KFU0VK_F^fj8HL)w#N=b`#Qd`{9PHnfAhuhI;|FcR~n{iw?xmdJG$K>Wl2ds9p
z2aG7s935Q{T`;(EL3BWL()h~NUUs0|n7Ckc`{-&ZD?f{WN0z6rE*{<dsBz-x(cK8g
z({S*D^97>`VRAeKG_Y#_3yx~#4vnsMb4tsHm#>~v(tLGs$>`?k>CyhHH<XsI-cZs!
zee`Ht`A1VqiZ3}UHJ;`WY4+Q2Kf#7lR=&Ep`Dz)xV1b5NR-T!@dd`9c%@>f5`1M-Z
z@NX7I{@tQDZb3;91|`vdt(j9wU`S?qbG67!&rBzsqf3apcJ9!!^8TbWeRMmP_icIk
z(Q(?E$9W^Jt$Etb&xtgyCkbtz_HyGU-U{xKpOu!RmQGP_Ml&_Z<Fyh(ZC8uU9@RE(
zMEPo?nOUuSbxGmvurqi9c?sskSOLF5WFNn=#)n>TDe(JoolTO+efzTs0ewpB<N{`0
zy||1*UKHqYwHOU*(W`46rbVLK3q#9A5{h9LpBqjRsZ#<6Me1%L;w)Gxavc8a5mUX5
zBK2`wf3--`GLZ&zL>i_7;U%vn(d8nI(8ePHw@oU5-jvF9Q^IY!SESi2k>=w>(h7l|
z*n)I~Nw4l4BcwN)0K^%LT-;CJ1_$Wv9;5;OGKN7V%!Vbf3h<w?0}e47BtjOHKm}C6
zLRbN~%UVt^o&xh=89jGCV3$MMbI5njetN1vD&)f;Ak8hO18!U5wk2*`;<hDjTj919
zZd>8D6>eMMw$&_H3@c#+Y=^@ltueR8-1?yK>tY}ZMNkTpU=A!5X*(a5!&=xPl1o^*
zgq4f`T>R(aza9SD;lCaJ+u^?*{@dX{&x16etn!9ICCmoODsL5RgdIRxwNHUuSPh$C
z7aSJJPl8rZ4COE#=EHJW3tM16zfM6Q74l&ajDuOQ7*@gt*bWCpIwn9XD28&80@77T
z{DlXEk3fMmcPa$Z+=+Xg(ax%*z4H=S1sh>691-b)-!8dO0u@jN3t@#w5ostQ4Mn7(
zh%^+Dh9c6?bvn$4<**jEz<&F}XSY-|9|plVAdGH{fiSueMmNIfc2J}{<{s05aC#6<
z55noO1qi370O9n^2g2z&4hW~`Vj!HJ`0YtJJrDBoXaYo`2ufiR%n|8Lo_enqDV{FU
zrw43;U2s^WZxXbEVkigP^qmjOVJ&Qd{lS5j^h-tap%f;;99Rmg0e2-wL<Wq5S+JNx
zD((&B-oQ<;3l576N`h8U4COFgWbhoo?O@yv#_eF-4#w>e+z!F*5Zn&I?GW4!nGefh
zEo_1PB102Ih6$uXJ`93!FbfvLO4tC~;h@OzxIaD$ML?QQpx#fQj8355PpAOu{e*=;
zy`QiiwuziLPoxxorT8l)>{7xmCG1kdE+y>Y_#KYl;rJbn-{JTjj^E)s;E>1&{Et`$
zYhW|%g(D(mDL~w1_%Evf{FmXs4F6^8VH+F}8R<b96v8m5gxRnJR>4Nt0f$6RN`YJ`
z;a97d@<3pcNO>0YfRQi-=D{+N(S$LYFh&!`Xu=px7^4Z}6v8-#Fis(iQ!1be7QzZx
z58HSFnerS%c~(#^6_iT_<yk>|6~s3dzhm(`7QbWhI~KoV@jDj3WAQuo052wckOqY?
z3@TwZEP++Lu#BH^<uD!Q!*W;)TVQ|if}xC0Me|`0P%q<W!D3hm)XVtoaF7Gd1R#wQ
zil7uGahM5}m?x$H@t(o;nWSS<uE<%%fZxfa^=x#?UXgQ_icGD7c_P!eKfOd`MiOv;
z=1P%sxvnCN^QMcO-wKZKP~@=4tYsn>Vt-KuY~%&&azJOV=f&zdu!9$>F<<7vevvtZ
zH+PrF<;z8`sDvZDM7UPuO3LM``65@7-mAGcpR~{C-ZfK17T|ZmGG5$UA+oRs4^g<j
z4!4W&e?8aN?-f~$`x{bWqsWa#Ks-0C6j?G7FyCCki+1?C1-o0b;E2dlxQ+O3qfBm(
z@^E7XF9s(9_m>gwGW;$h{$=xE8LWZLuov)qC)am!eb++Z{#{((rPtiQi~Dz{KrWO(
z1yliU?_L4xVH+F}S?)m=^nj5t1?B<n?%4>qy9amodXNT%FbpbTHY@?$+>4w0aC0AS
z?!(P}xVdi%%!5O`pq>caTagR+Td^0gzaKyMr@&^|0S9<ty&NXNEI1f{alI0)0^B@^
zn+K2Z0{eQv-(PU|&@jNwL$hHCtb&bz`-h0<;Y7&dVNoG3u$KVgKC)lr(QUk_zKoaD
z2icd?AD_Yt>V)+K_t$LV#q<hZL|n?tg}FdDYgh5|IcZym`I!~Ga87*di+IT}74Y-?
z5?(gP{e~)$7xDX|>O#Qni|b(<91wZQgET0FVNeN#_0kd`j+ZvV4mc$8aw23w4;Tqk
zU>+=kHLw}>!Vz9<Pk~%0feNUCg|GtF!!|g;i|-z!K_Lu-N|+5xU=?hH9dL*j;}anZ
zdca7S0`p)Qtbxt27mo1ad<x`32~<E8EQA%X9=5>&mcSmQK_Lu-N|+5xU=?hH9dJnG
z)fB+pt0SQbmcSa=28Vc|G7)lta9*1N3t<&(h6B7zp9on{0>tzBJXir6VJ|Q8dyoY^
zU?fa|d9VzKXEWh!R(D54{*eN?Py!WD1q)#XtcPuIfDZ#aNP|Kc29+=ymcT052s_{q
z9}gr#7W9CTFa_qpGFStfVJ{rv<AM~(g%YTMDp&|BU_ESu10q{JNP|Kc29+=ymcT05
z2s_{qA0{M17W9CTFa_qpGFStfVJ{pJc{>Gip#&<R3Kqf&SP$Fa053s$kOqY?5^%R|
z39Nx_a7g5x6exs|Pz6h16>J8=csCJpVHiw-g|G@X!vQ{`NQ5jPE$>yrJXir6VJ|OA
zdXNPrPzm$+z+$?{2aLBLY~e$TTv!35`$N6nE3zXAN}wF(!!lScvNHk5&(3_{{!Z@i
zoC0%zbnjdVgtL=yb`s9c!+fMc`aUAAj|zdXKH4GjG2wrV-N*RZMVPy0!$H1V-^>GF
z!uVt@-@cE8N~q$4jx50cr^9#%vxbj1@cS9=_Y?2_rF_+o{TGD!MJXJBBYez}2x*WD
zJpeafR=^=X?jZaFn?(Lu1cdihD?q;{PhXSngOhkLoC3K0W*Knro6REME`${#hspsr
zhi1WIk?)A(JL34BbbXKiAF%%c`@@xh-^2JljQx)z;h@M*gz<9;EaxK-;{IhErzAW0
z*kg$psS;yK;IJ46vzx_-94RngOs!Pd1lz^<bHs#7VZWG!O2BQxLNRsnf&1)>O<lIw
zb@5ZT6%<1`OalDYT?#A3Bw{|U2h0~!4|ny7#MCbolQa+Zi)pY%Ov7P79LXN6hr@iF
zv0O}}>98Ge*O>4dlb*)o06*-hP3j;hhfQLda=+<nG0ljp8Q0ATulX)9Y4gRjr~twY
zCqXMQku)F;ksWXVj)>uu*+lUl-5@4?v6u|*XOsYbGqYei5LV`LF<FF@wE{>-b}3-a
zA<ULVd}P7>*5s!R@wC~<2Njh-9&+)^e$=!(C?>Cp4=19qN=*JpF&(mCEo_2aVhU!9
zDa?f)!2LqPC{(+JumaY@X4nfy#B}y}nT7NfVb^sWY~iB_uDcI|17dpMrzh7vcZlhQ
z``)-KULvMXrI^0>?Tep&0!a{sd?<!hKwSNBUxNGoRbmDtz$`HXQ-QDtVIGX1!T1?W
z9@z_-A;X{o*79;pIZOiF4dwn&?hidEW*G4eBfep)`M3f9#}m&9+&i%l_VY2r8ZpDM
zA5ko(ECC3!Y&oojEkGFTCCtcGe7sN!T#rfv{EwOq8({|=;)NLepPU6FVIC|4!asRC
z5LbB;6u~%{536AVY!fp&3WI<!M{nX|hXmmIlsQ0J#?0bF2mDq{fyF?)6^HrY0XJhw
z+o_3gfR|}Xf%~Ve1j0UTI~)`<4maa4kM|%SDuA?2z#r><GocdjH(|Y)(+RtBH6J^0
zpY^^u6Z=V|>#UJtCNJgVh5cft5cZTUV$PW&W@<j*XIc-y&-4`FdPXsj{u#KRiT|0{
zox4y>RW9KFJno;L04w<bf%_K_-mGD;Ud)B~yJ!$#z8Loxmp}zn0byLc0`%TCI3Q-W
z2We0UgfY7kX2TL#1Djzl91(L#3gGV2Bp}X9N#A7x+`o+bbGSbz7fPT4s$e0kfb~FF
zb8tHcw{vkj7q@e9I~TWeaXS~cb8$Ntw{y3_0Wp_*kOqY?Qp^>pK)GE(9<LY&vtTh$
z7FTS5?Ql@cJais<WdcND3y|KcNbgmIaaBGL##MxI6=7Vp7zpDk!nm3=T}_&<CQVn9
zrmIQQ)uica(sVUxnopYMlcxEkX+CM1KLw8P0b&Z|0{*YT|20*B|7-An4gRm$2KZ+`
zWftInK_Lu-N|+5xU=?hH9dJm@wTX}gJzykMiCH*L%yp!H5qVieUKXjDyeuLwi^$9M
zr7#KRz*1NZn_w3l7PA;Xi}AA<Ka26R7(a^_!%Ely+u<M|D&pq`{M>+_8<U_F6a)4*
zVt*s{H(`Gh_BUaFQ#nkB`LG<;!WP&sW{E&5<ij8_H*<aSO4tC~;h>mX5+DjiPzsY^
z4lIS$unBg-VKKKRK`SVRa+nVDVL7Z7vy?Jjx?jv~l;`b~+3l3&9fWbm2G}BI8RgHu
z(kxp7D`1V7JI4Xx+&Kphz!5$!q5SXS`mV)5cy|%^-BVyTEEKbR7*xPPG4~MmJ=+2E
zy-UU17Zt;v&#WM>6@<THBWx3MKjGa^cn{#_!Etbam)ks8CFU<BFcK=E3g*EQSOIIq
zJjDHn6Cf4H?<x;)_g4YJd?X)m_bB16#=Lq9knYF0|JVi~eUIbsapHb_C1CeNIZWas
zr9onzOn_xT7*B47y<(mk2Bh(6+^;46wcKAvo}TF;=2`UFU1HX+7V{j}&*A>LLt@wi
znineJh?ottU_LB|wXg~Bv*Dna7m4r1D3I0{2f;WoFX858^ksBoshGcU|8JOInJ(t<
z#Q%57X%pA4E(XG9zhhocg4M7Aw!?lnEM_zIn_EE<5a#Cju!RqvQlS*MeuH~&;QkH5
zdK35TL(H4ly-B{`#Lt^mfIIdg=FQcx5w-(mvPB>TT0svW%q`@5%Pd$3%V7;{f*o*B
z%vKLlfiSmj5%bm{Anvzki`hn4><`R4NpOgdrIrG5y@&hvNXvWNdylZ*Bdqrbi}k(P
z&b{rqPz)ns5)jt*#jpa_!e+qFcGA54h?w`M@BvT);O>KMVm{0Q{C!B6JBom~cB~S!
zlXUDPT-NmFqaHx~9~0ll8^r7?gk55GbG;kCyVr~PgmCu=Q~>_>4ud0NKCKe7kFfTw
z7Q_18?8kmT_xE$}bMAe<UCbA0K)7G#!%8s+N@2g4f8zG51eh=8YxHZv{`#PpgLB0E
zi@5(a2{w!Q2LIobz%nu4mWw%*1e?TsS1IOu%-`=4^8@~W!2J&kfxP^%L(JikeAI>g
zPl>Qs%+D*u94Qv_%OE%;rh2KE*j{nuusBYMIBtqKUZFU(62$Q_`-j9yNQCX;)Ltr1
zopIvS#h!JxlQ<0K!4g;jo5ZQt18`Fh`+6&3GaMABK7Q&KK?UHqKJM$|zWxDml9Heh
z%3(Gv7pK8uSObT}X&42<Y>3-rfm9%z<YhqEDJ8HPaNB61IE``B7&ncvZ!!qV#YxQq
z(vymtrU}6Prn6wJIL+pZ)12^|6JB$|OUs2hfcvy<;<Q)-JH!d&FHD%>*|1BTND`C+
zaYhb_6CDP7#Yr!Q&EjO>He)&ve#UCp09ydR8Mx0Ryv#Jn2i#_s!yF(!o{>43YhWX6
zhXdkd38X+P=mDir3FISZ6C4qzC1JHBoR*}iCGoY~FHWl>m@iIi4+y_CVYepC*4%4-
zSe!QFV7)kP3A^odSP8_JI}$dD(=H3}*KU_MdBso#8^vj#1Qjq3aF?G3+{@o0P6xv3
zKsq`sgH=F$9X;p)gw=7gI0XWQFbi;3uo?)r0Jnuvm;&p?>68eB)roLAZ4;+6{yGzW
z=T<;?olBt-2&eM~I3P|J?sXxYqEx_KR0NA*hd5m;05{#Hz<zPM<FET+aeAx~rzh#@
zNu0e#0(QNJ!76cziL;nEig$_A2kmo2oW9G&>6Zoz#VJXE+2Zu)x<C0CPyt8888}Cr
zLEIZO2#9~Mz;tnjkp3a_0XIVl=MP!Sy)9BpM&fap!{3YGJ%akuP#Oupr%0rK`C2w}
z&DXKJZqRFV+(Ohsq*kxd>%?Q6ct#SqGz}VdeMZ<g2PV8Ft&`(|yGcjyHau#gqs4us
z#7+4f3L2z0$S!DaGDBSodYjB9ZkLv(L1?5oTz&gnMR{KP_Fi88iybbSHqDexb(Z`x
zW$2{J%8yPRJ-YgqH@8-gGt0LMzwe%W<nw#*YfA(26i;wnO>o^~a?n668fXsUF6ya8
zJ+*j7^w;0kB{Tf8>Gqm&&0r{Qm){{dRM0Zdw9Kq$+~k7f%$Av<_nSP}B&kI`uU^`h
z@63PaqJkX-rlPd8aBAl+=TuL37X32wF;);l$(F^_mMm$K&G#Vxefd5kStLM$#ALPC
z(#?`aT&<H7l4Z-77J*49?G~7{6bm|rokl5ss8QH7N~z~$x&<9OcPh+jYq(<#Wm^kQ
z>YbV2w)4Q8eifakmi6yhTzt}mK_?6wGQnBYAiGz)_NDc`#N+#R7?j_{%<0%Bzg2Zk
zr!Ix<H6KPg#11+7caI{{wI&aBwEXHEQ^LQtk+o8Xv^6-I%BDdoYh~m)oeFz71sxkV
z3FVp0jCv%wG3o2lq@FS5y{4R)*M9gpy?Tv{^lH{4r&YfW&BvGJmZbG+b!KAjs7r^J
zURIvhF@0#WNP5rmF4Hf|4iC=jK-!$3jEkxNI+84%YEt(fTX15KGHtC5kCtEKpxjy>
zEv`pzS=n~@xr6%@RGvNM^a5wmz4s2EUDoE*b1$5wf7zINHJ=e@T{-?w#As{HBQEVX
zHMN^SQ}cs5)tcllDF-!~-YC6ML8DCmEi((MzxeV?6Ll6%cyPjt6SN*Q-j9N|-tT`M
zZ_xW}Yz@lHwbh@0^%XI#o1lNhxu(wb?>A-sn#ccPoj)UCYQ?tYFu9GA+x!lH+zvWr
zb}DE<TbS5)Mp<5d*^E8|#z%TJ?U|Q5upn*X>1iF4X75cu=V)Unhz?Cnw~e8Gz3Wb^
z-j&`iNVoR6lAvw||A{hsh7{J+NFCCsqnp+jZ!~SuKE^vqTY?_ONLA1vlYh&qOzo<w
z>K~j%)jyihFEdR>^+)l#k-rnKOHcpr`?(FXtV%}<Ti&U$L*_30H{jKyxc~n$iv8Nh
z)-gb7i)oUP)3Qt0XuBnS^!*R}pB5=iDGcZ3RW;5Zl33KGdsceU0P}Qp?{+74&#-NX
z-_f^768R?NkJ4F7J9n)==-j~+QCnTqw!^3X?QX4Q9W-l6?Z8wgZnF6-NG=E^XS$(A
zWmWFyb6@>(&SR%ieD9govFaJ7@Vpn|<;QO=T!g=)`Tvi-*sbZi4d^RXCW(^VHX)wB
zTL>pz#{Oacel15$Grt8rp8De?1(U7+y7Bt2x8)g0)s_{wX&%pOkgw#hX;RS3bV=5h
z!O+$vGsG{MYnd5#8#O4qqN;96U9WC(-5K-Fc0J$mI-T8rN}=b}s>NSqtKJal6OHzX
zm|_}G+a{g6bZWA+`U8`*v`MEfotsp@6VFFa@{ufK{xBc$TKK(*I$pJjT2G0#o@!yR
zwNw8$xoA?5XSDSMNjD_@g3bLrukJJ}BzEz&1?P1!X(V;}wS_agRDYu5uFeTF86T1v
zA&!o_|6zpC8BFIbof~upJ9Z?{*{hz@vSTl1h@8v}zflT*U1E6g<Y8^v44YhBJo)%G
zZH}K@+_G10>X;Kw7?YaYE3y6POG{6@WK>?>s7p>Py>xW@i5a~|cbR(0B~!bM?wvtx
z*?A#M`PGxgd<FJLE&bS*z}h7~S{=top!*>^ayPDNX~8U8kJkYkF|P*mYuOu}$Cl*e
z^c&OZ)RPtu9X#Awl#+jZ*UqJ#njSRAU(l<4P);NGErGYQ#>$tWHR))f)zada4wkGI
z$y!g(N*jD7iPv_mBvV%8g><yQ#HtTdGGkIp#-!}ulvXn1K%Q&oS6iB)U{nYu*Wt&M
z+z%7xMLUh^m0nY@k#55~HW{AZII~`(2A#_?iYvNmDR!+W&Zv%^I=FV1QB?zL%DH65
zsG_<pvuf2Em7t5hco}!2jO)`wDr)lfUwUnQ&0BrV+wU~W1{8Yzpwl&Axx<1Y=!|Qn
z-VR&%slO?FUx$&*ronip>zlHj1?9!r1G_J~{JP4q{RR%~H<lV`H>AtZij?ZFjl?*=
zE-LDptK&-!<LfWfLxCKf7n*6pnjKRMzqSTDzCJ^;d9^V}UNdSSoy0sNt?{Gdownek
zqi<oJ)85q7KzxN0wBv|jIG}Z#hJ7z?Uy^xByP|IOn`bvZCAED{lk{%G^Se&Y=^ia<
z)4r%di=33vE%Gx{qCHPe?3j0Adh5KLl(a?-YqzWuZc~)ivR}uvb~!_ug<EGOH*eG+
zAv-bJrb||<0i7aR7e>?MBv2P2au_dXSM%roZvJ>Fmi(BYMft%Dm)R-3QD%epo-<!P
z=j2Y9@XI#tmeR+26K2z2!}K*w|98XG)xWk-pB9=-n88f1vr?EvA6?r{P-alqF?}+t
zk~8ze;f`4;(=z&uNlYI!W4M`CJ-^f7+~nlk!JW*k>Klg77?e)FVn@hV8fiFAifi)q
zUs~9Im?)poMOM7J3fzKUhirG#=8G$mnl|tnG_618g4Y@5o-V5F+O@LC3}#B^Z|Sgr
z*T1ioF6aOGcpGWyH2U4riPuT0x=6JHa!tx~2hvDVg9)Yum8p9XCYWPWdrZ1BUAr3z
zxl1m;pld=>f>*au-O`DrbsN|966z;(op#CM;R*G9FH}F_L~`|1r%8o{XBC<u)lU_i
z)rku;gn_&~XJ`)pSFa4(&T*766Dak3bgpqUoz5{iiO(eeVXjG1FG)6QtWM%<f)uP0
zZHAKFf+lv#>}?8Mwo*1D_04h5JTiAsViR^Cjq3Kl_>pJkmLAu%zIR-c#1qVL)ANQV
z`7K)HH@Ttu`RX;dH!BE-3!2>?w0UhC=10<9|JSzhKS{Sv{x+GEcBkJYuF-~#vj^5o
zOY)M!^#)$}w{OiI4`%nz$?2c{VD-drgEDJH+}{&-ZN3?f*R7`o;2l$Dzpj$(c*2mz
zs=~DArFwdw6YqWWnD&|glTH^j>5W>M9@V?eqt!2)-UH0O2?MH|O~7q?#;=#n56l{^
zWm-*)DH>yn)IK`2{yKu`UW1)BCC?g`7*mK*cju&){@IjtG-beL)QGQnbQcm1?%R=0
zT_)f%V@I&c)TyOQp3CGMYT1kNw{fEeY=!HYmTcfU)nkNfyrEBN`oMFBncDn4g{=PR
zZCanvy<*I1310fpP`E={$C5S;TP2>@r)AIFa6)os^ZIEi$2ZG4=gjJzozrqoNozLM
zPiY!$m>woQ{M~oPo!Wep*jO^;qME!Or+Gc@n7oG6A|%Pbn|Y6bbXjK?^0k7wg=QYu
zXjYp9Sv?L@i@>DIl1O0Es)=H<!+T~Zvq3?lkY>4Nm7+W9%naRZn=TpsBW|5B=em)>
zIeCLRHp}cbtWSr&9g7N!niV9bM+%*no*L0SBePFM*WRa>WSw@>$RQ)TeA<Meg}?nt
zeLfY`=fCf%f3G%c_SCliZ1Rs?LH#=89Nkhk?s#%>R;!ZH9rF7(FG^|Iq{ooK-C7hh
zYM)t_n9+A!&z|G@W=5L~ZIC>A=>JFDn+HaARQJMNw_9p0t(IEdtyb^*E~(XObxRuU
z(u}qlX?D%Ncx>Ypyl8CW6~}BI8;E%!d3gztkOe|Q0ytpou^|Kq;juX2kcBM}mav%c
zfSC1pTHo(f)!o#ZfqdT|U)~$K{kx^xRi~=XId!&LIp%lmi4f^Q`y%@FJZSF$5j5Jj
z5UFu%kVa}b8Qaso9ZdzLyRgi<KzkQn-J;Rn%jxXWW}zM5dO6mDZ&0zt!A7+fWN|E%
zYi*=TmIKJuo}Zk0X>!NzTwzDpwt+<!Tyl&I2Fm`yxiQCU@0mC|mkRs$K7MJc8qAy_
ziXU3rhl3%FkLdo-pgV4~wd_^bmegDI@fr7#TRX+Nv5#o+^zhD-CKiF3LQ5ykJFTB>
zg*_&&>0s6hS8Q3Za&#`8nLbb)+EWQwmHH=IRwrU3!EAE<@h_GueRGcF+?h%0eqw69
z;)=A+ExKJxV48ztvs2W62J*mJuRMzdysq|MDvx^a<#6=b@zMPGgbGGVr5FG)BN~Ja
zpEL+kdFf!2td6L(w_~M;87va6Q*(3Oxyimj$<-4KPMtl=9$Rm!WM)f&Hv78cVD&`(
zR_dSClH1I(UxL0P(7N{{|KBY4^gc=o+sOczp%WHg9vM)$^yQ~4E9lBa@Ya%LMd0Y(
zD95_+nc-M3x*kH;L(ta6ChkS6DYO!^w383V$L&sFQaI!c%MW3N!l<OZ3~HPcmb0F5
z2EGPe&C0E2VxhUE1uc=KW%okg?pidJaQow4e>PTK$a>P9?>X-13J>kfb|qZx9m)P9
z$4;boUR6sDl~bvqp}~pe{=$4Nn3?}VS8OmAt$J;aTqIoTw7KW|3UmEFd(&ZOF_51s
z^fcSsJT7nV*i33>Ajm#g862n#l?E&IH<V&wk3F1<r)mCS@MYiU`}3$uTgeD@+DZjU
zpMT?Wwt;5~Vmm-QyPS6+lH8nRFenO+M@-(u7p~p4ykU#(uIydfNabVYC>YzBaR0TZ
z>z`)n$)RYZ{!ZFk6IcPCR6d4P(5asZWoPu>>79Wr#2nJ{vti!bq@~50$Y7>O#CV#Q
zH^!p5TonJ<^L4K>n+k{1>2MgH3;f>ZbDKk!PviGonE!E=8d4c-_&uyN5*M^O+VQL1
z_|<OwYA=4Z!HR<8l-7krFzf7T^R~x*=eyDqBawVQ63yqIZE0G!HuV>k=1VVT=gL8A
zr`9z-M~Z?uGT2z8Nk#9~73N588C`q02#N|N)@);8{5(%v7XNRAY%E#3clkE!6A%2^
zQ};ixs(hrr`1McJzw%E<?<abpUz;yjeu{oMbsLM+S+-j$WZ+R*F@6BX+8u1f*ZkDf
z&_-9Q&2I1XIaX$rotK{Qx|DSo`uMo5E!g{U)U%a?xWeq~qY~@Djv29YK`qAmq@@E$
z2j{s@S_1eUz;|`tNOTJ}MyyMS4_eGZhoRF=OkK=mq#?7js<-eZZI??MD;x47x;#*u
zbtU(d)>h7^GXrBA>FmH5dwxDXFi^-0sq1{Q{!Uu%_>lCZy@>I8biMh%JznBfPg-az
zIxsqYJJJZW?I=fJ+>WGKt!n#`JwF#4P`fF%qm*?oqJM6vHd}2p`byOIqv~ZKiUv6K
z%o2@kG(!6!UdXx!4$WpVvxf!-4$ow>GlvIiQ&Y9t<fNuwB!!-lIDKqo_c78l(5L0i
zDWw&CBHiu*b(J)5um*pPE-r{jSTG<M!(y>wOS>QrE@Bc~7CRRVx@JM-6rzF1DfBy1
zgvHYExhjINLbFRk4EVf)-wXYYuZ%tUfkm#_<zq7u>(xTN3l4om`OD!zCOJo{-Fzw(
zIPiPStLt~9M@``lKUy0x%S+X9Ht4XDEpRuK0^6ssM0P>XZQ?`ez);;7Drp`~=(tdw
z6nqm3Y!|+XwNLv&s7_7Q5ht`Ha4;$7Mk+4rkghthm)n918L2-_lm7ZeRd@Qx+YSVh
zQh$n+F5zAtgYqO~&s`XkOShr?zgX`b(3xmDRCPm6g76A8i~Sf_$tJy?j-IaYjE_Bk
zWU$h9jm_3STK_!fV`M9TBl=O&`yn-)?N>E%ePPS-ajN?8>%=EW^YC$DXp#Z2<#1yf
z$spM)vPk-bA?LZu)u~#1Hj~SAM>6i-p{)Px!ODS1HBb$wlde$O;~&cV{ew%6Y<MLQ
zjt4q@-JLD1y@~$l?17YT!R?FsI=x*^d#f)|PQ*s?y@Ho`Fs9?mZJ5oymir*0O1)+=
zu-(XzwTzJnFH$R33h_&_zButodTKY{!=wRCvSby9Zth$1z*|6e!Jih#)2@X*&a?O5
zzpEqI?(tL{fzoX5d+SZFdCiIMtv5FvwsSilv+P9QzJc1mxT#59$x?1?*DE16Na@ER
zOxuu%7lGup$zBrA>qIX*aq@-q<+dSya)F@Xy8f3))5yijp^ek6*4S>xwWrx|{Y#TW
zu@u`^_bz1yNZvT`Kh&>A+mPO`%c%o=%c&L^h)~n<{{w$<$6A}W%?1<x+AZ&3&u^wy
zGMSasX5A~+AC!;J<9Fk~Cf{$Szv7f2eMj{y^kV#^iFn~*=)$~{pZ6lMD@z>Twsgs0
zIMMAUzxUAj@s@TwOg*hLH_W!e6l8bU$8Wy>!dQzF-<>U^=z4M?m0Cz{s-Jc5x01WE
z*@fgc#kzB%YyXI``1QRcZ74bobqRs!0rZ%p70qB5dQSe6F5Yu5xI4`^dhX5|EIoFg
z-ec#R|HpkJ?Y?$ftEaVe*Bjq_--N^8K?ba0W_kXUr|7}|KlStfx~iwo>n-}OqB-8I
z@i`7z7S**UO;HW~(=<F0l|WV}T7_68_=aAi$2}%(Z<?8A-D$ni6LEU&?$&I{(fYS{
z97exvt?t&9TORLBl_o#g)O1{FDy5_BTR(~|CKHSCA6?ok%$59nO(a0aKLQ;a?Lm4!
zb&XEdM9uaf+9A!Lt*{5V$s}v7coW}wmYx3g|CwS3PE6MS>Le~0tz-QST5nS_L~)DV
z9%ERS+u%tPzEf+TG2v?(o-^U&8a`~oQyN|{;j0>6GU0b=_^1irr{NPSzL}#~4h=6e
z?~C8o#&wH^*VOi$4)<yJ9hbrHGU1PD?e8|>AJFi7Rh;@`Rq2+sbGm`v=6?Ne?eFea
z|Bm-d$6sN>KdQC=4HN!B4S%JI^WRtLnzeJfs=rUMFPj-<1vbbq${L(ecZZB@(G9gm
zA0P=ED?CfI7h17<=?-Wo-yQAHFi3`w$%YIvq%2*8FIzn4#xQOJ1b4P45eUO=ew88a
zVA3LF*bn+9JAENX7%?$-A~wby^*I7ApDW}Vu76&On)%{De@`~<Z+Y)~$^G5r2}V1;
zUgw0f8<AHcj0R)7gpPJ%Y|YRV?^DMn?NIvIq~fUimUKrNX@o6OBlN&TAmVy#8b-FJ
zHtx{r1m@;M=tMhVBqb{eg|G~knH?g@$y#BVRbw;a)uf%}D{r#(4%9!$7TMp{fAN*C
zFjxKF4<BSNyMYZ>uBjuehKFtZ`JZF`^08PS!2Isv`!$Jg9U5NN@B-mbX+u~)yD)Yi
zbjN<nP3q_y-153v=P78@#69{jdwrNm;wya^LQzOv{8zE-NlOl&ISkRy=e84{IX-OC
zENQ;Mxe<gh@@vEsks@*Zo;{x%TAxbRb}a7UQAG!K&CF3$(Z0RQ=N@_FJ+&tG$FB5b
zv40u1{Jpy>E9GAH>Y;)DTs<&3xubS)oOqVy;O45_^HxrqJgdC;3*hBVAH^JjB4o<7
z+YhtjygiRa;=E7bNw(jB(_R&L#)K2E5%`1&U(oO&iBtT@jFs9q@!y?bW3rz)1#w0i
zUPihScoXlx5zhms{==M#I}+c3+Ai=HP&>$nZ}WbWHb6WZj=OE}qzR|-i1ry1PW==3
zgb62}E%0FzPCQ%S1rtuZMc^e9PIM9Ykcw~SDCSAS%PcF#&&Nf)S+uXI?Kw`eMc_Fd
zS30f4vju*K#7B609ly)azR5~FTeQDh$3aix*#f^;#i^g1XA@35n;fLXv(aBLfrFbF
z?lVg2@gWUS3%Z;peN1pnIuldm7-<x3-0t$E#f80uSPJYr(!<@{pF=#<!@ZyU05%dw
ze2U69l9FkPn723gO*(sm&iX&9kzP%%SZ`<0)$VQyyQ-W?#sYBZaz3KCf{E@PPfIh{
zq+#8BSsVXr8G4HKMEj%0*BOlP7<ZCgZ@_6i2|UAYFyOQf1YR=Xv<?J5q~SgVabX&M
zfL&vF53NhlenM+c{h{?I@PY}a^&#*a;g}!l{~f3USk>bt8|FvXN1vuM4)_>FOVA7@
z`5e&Mr^x4OP_x|+Vy=cbkJD`$Jw9pX(@uF?V-p)<(mcs7>#m7F!s%^sw)Td*otKYL
zvspWw)g^8x4EelK&+cyj)_66s|COD5y|(iC%1~`?!Xf(+#|HWcyv$Z4zv(sM{lLEh
zJ&<I^A3$cfAvHEsiP7MZ)a@!H9^tFx{NDqK;e*w^iLYe^Qi9HDE%<E0XDdE^_$000
zg-<$Vk`YBj$j}q=_PgOUsCeV}N8SR8luNpN@Mwm1Q^4HfB0}cQ<6He_?7Ow58}WbR
zbsxpfvG1Nchw*NLOIn`g>lUU&;*V5+9CU!hWLX2A6!_*3fcJ5_iS`+Ze-8MvmDZKO
za}xhH@QRiAqritH4qcjs`1%xhLEx4J^y2eYTK@tclI_Ls(mEITgltdlnQvK%4+^{{
z@#W2&<#T)<1zxtip7WvNX2$YEF5|aa=5+1G$cM;<Mw%P(7l$~-2z?AEX0pb~L;aij
zCOf?T_Q?5#P*=OB1&S9Ki7ylLx00@v+o7=#qWO<8_MDaWzUW&?_8ImS#lmSz1^_#F
z=v8t}`Y3h~?Qy08et<1$Yt@MBYjxGsKF^l8Y}||A{TDu`aLE#nvOFf<LpbhWB`t{X
zN%peMukgL#qu4+VKfvOK_8M-x13F%l*gK~7Wftdqhe0;{3!iIxf7V{0-^K5!&!LN$
z{w|Nd`vqc9euRE~1#{J*$HF%3ETfj)0s7eZ&LZoz0(%!llaeiu_LKvAN5uP%WT9)h
zMtpWih<G)SzyAC?a{s`(>i0dfu!9|_fBod*t$%&)-_b=H6ZZG-aGK%7PBdfZ4LGe+
zfe)!T_y^)3HN4F3ROPiY$=^e<P4u1>?L9_3X2NN`i}n*Hd`-i1Dh|C3af=#$fbBE9
zpZY1@Go-c8ncA1xKFQ}+O?V!-&<hcF$ot>L`yVstb4J{#7v9d-vS@GA3vcIqLf|>m
zdx%d6eAtAO920oKgl}m04iipv6YX`qGe>cg8eV4m`FMFeCFdWaea-Y9(u)Ls$7S%l
zO!#A3`@2mz=}Y20_i8x$qtS=-CFs+9PZ;|}JVN|kN&7pR2hu+T{#yQbR!jfpmvMvl
z<B-V-OCRbSN-L(ceCxbTm*E#7y|5qoej)2p)0fFst0J91x@iaDGmKCAZ}Pg6y*s8!
zdm;C`@vMMn^p+yxR+<u7dv=5zzhnvbVWSC$uhrAzb5o$Hn+H*5tv&4EH4D>|3sD{y
zdEL^?)KWN#nA7jJx7Uj^YbV}G5tQy1^N!JdgU5;+JS1{#|KN$jEjuatl&xpxf^5Ec
zfBkI~hq`mP{^2~fD;3eR=D;^R&>|13l(>R6BXk%Fc_bb$G)-wi)ih1gZD46b3zE8V
zHLF5bGSfJ&@(>BOv2@p=Qfd9}751m~Uw-+^U@S*dscScGFC4sY|Ngu8=ec5enmzZ@
zyYIOjbFNq_;QOz%7C=`+tm?1qZ=P#fe#nqKpF=;WFD!&2V$v9=0v{ZrXDDQy@>Rra
zY>E3lsK)*7o=7HJn~$`2jnxK*E*AhCZAm6vaYxEk3Jgy=`(AmpAsQIGQ;du3W$%_e
z4{LlIT;(OAJ;`#>UfqiVC!Qzp9NQ(|lOwumIN#GW|FF+cjC96QvuIJLGE7e22{NRT
z8>D0CA4z$#;*-a-8MB?`vrV2J#1rF;-o%~L2*wi2T88`b00yZ9SWU6P?B>47jDPyt
z#f%#C8>;RpXOrqlW5^I53}qoT;jvbZ-n&N&`@M1hc#mt?Cp8CF*%E3kWz!DMliiZO
zMUCh0;Ad%pPcS1+vOwTNDh}C!cw!Adz*HMS&V-lQxRepVxjd)$K%UckIPX%QubTcY
zkG~@s!efDXe<>G@WS}@Z37pPI0?(Lm;^hLL&~P8c6l?flhUfhKX8eGLBL<o4l;S-@
z+Iw=Q_mr83>xk>vkFUo1Dd^lIN|8KKLyV!$M@5Vw@lKq0`A&>t&4{Rbvev6He@V0;
zi#=aSYW4_^Uk0lr)<K?e;X0H%lzn*eRCpQ=uEL-T!456=Iw$&<R?jEqubDq_hyUJV
zCxb&Pj$(8v<g4V}$%wyY;n8q@{doNj_Li|zbLmriF7%vO&h8uvgEl-)nXd`*rP%Eg
z%*AOIz}(}o3t9^NFoRs7_FM1+TKk--eVMuVnh3z2WPDE^ICMBIKDtZai4E37ot972
zSqM9r&Xua6P{<%U{g8Zdg8PEgR!7KWhR|t#?D?0wPlhRi`tG|~am4oVbLT!jj${r#
z4jxO**BsJ`G42>!+!jxoa9WF^ea3_n4-$CJgp=MP@L>~9dW*mdCY<EDz)L3lE)5?w
z;iTt?_B%{C?G1rXnD94i_-!WqD;j>I3I9h8-!S2N`<H5Xj$+fb_GPxn=U>p7c(>?J
zjoM=__kkBvEc<}&M{2N?%LTzXaSne)oS0@`$Xh37J&4)oQL&hP&WCwaEO%c<j8X1(
zBRgj2`X`;9o|fABL`)BS_ZFsdnRJNEJ>rzslL~uVtf{4!t!|Bl-+6kz-`!nNS+E?>
z3(7OrDN7EKc2dXswPW+2v?RH9gp5p_KlJ$gDTowJI8!#+mSFu#chu)>Z9dxGxiGSQ
z+&*h{g?pqt9-nNle@KM!V;|GJJj2)jm-+fPu5%-9+!xPqeOR>T^QgUt*1y2@^`9ep
zXt=r_U@fzD@ZTlh2kpDZ_`chUCrvo*JJCL4!fAgAd|2Qj2A#j3VyVe)@k@Gt1D-VD
z^nTGkW5VhE0v|TvBr63zq~bWsBKBRw%a#{u{mb8_^)K4j)b`i}zu@N`f#(E{^@BKe
z-hV`vqW?*{lMZwiIPGhJPndA(kHCji9Q{E&yoQ&VpYO*U&eTRc&jR4bifSLnsWoUh
zrmo<Ij1_ro;5#w^&xi==rZ_MQb|OWplP^Q~JLp8v#dRf$E)iK<uu8$3!Gk)H4ef(|
z#Pha@Sw~i7lJEP^i!9#@7ud*%jfF(6FB|y+W&3_;9DO|q<(Tw%^3rS3+A{J**W--R
z1Fj=TSzGaG^jX1Q*@`4BU>nnO$f{}%+4<{hC+2t(+4W~0TUt7!yy1FpX?1L5-?0DT
zZ{0OHh-tw)YS=$FLKg_)T(w`NS2t+`-P>vd6g`VI&h>y+(5o9XY3J0T6NJbiC#!YL
zU=yv4#OYKdBK(D3N%8#%V`h71uUpC}jD67Y_QBoZTIS}Znd?__`Q10pEF5jCKh<>D
z(SPK=eJ$>`=hA__$-chBuQ+hv73=+H&Rli&Ec#D&_ZO7o=zmt%Wg^u3$hN%~x(rTw
z=pnh`F7nkD;iCxxquHgWs#asrWhjYoK%x9{3h}FW_0WCxzr1B<pv~*-j`lh|so`jM
zHk;}=e_QHQW$@r+!e3r;w6tDpYw}i4EY2RQ^*VfUZ#|{FVNbr4-1mwTCmuRPLV?!9
z<^lF~tOqM3!{xJ*WZs*;K;-JiVtyJ^!C-!s%fi(VfO_!!1A(m5OJS$I6n09+yT58_
zK4P`?6_wXsx+go2;uw6N^1KkP0~27kM;T7e*uPuxgb`Q%1N&68Pn&SEy$L*P!k^Lb
ziV6Qi4bPkKf7kGS6aGsLA2H!S((rK&&r!aMhL<guI6o2NYSr+n*8T;h!y4A`^Ac}D
z?9xXK_?>!t_7iJbYyWZs{!wdH!|%~>^hcvx*3Rh$dYk)oT>HEGw7;X@*YO8T__bR5
z2Tk~}hCig?^!qAZvvy8b_4lzROPho2Ul9{Gh$!rPRsImC9TsoQ+u;0^&Pt@=kX<qj
zZkh&{Xo1zC6@MY(5WVsnVwCVKj(tZ_p~Ci3=HG~e4D)YZyrs&u3gP#n<RBS@xFv5$
zszww!fIxehJ;WX;j5&P)M;r2m`nJm?>MsOcp6-Ba_^;G#qR;mAdDGF}mTD-oU0zXV
zEzslXs5!e>#FSoyT{{e3L~*+%&}!cD2P(BBH`U{HbdFAGgeo^}*0?Frf=*TiP|b_y
z1<s$y3e^iF2EH$l82*B|?jWaB63_ZUdrJ6w($WvS!f`tDkHC5r!{-z}DK>0Ywe;6a
zMC75&#GvhZiV20UihQgAR$`pUBO>eM<ForO{5EU##Qn)#u|ob_t+LA<**#cV9P~HU
zKi|B&78?%clZQ(?4uvac9O0Q@i=8Q_*Rnr+c5tvTiKMN)N4m6>tx};-N=_ZABs?<<
zUe~HGQcm{ejz@#8z8+u4P$nMv+{FAG_z$Ns@g*kg(h2taoG)=)0pE~#o^Y&R1#?0<
zUlE*kU$4%H4Bp!=I$hAG4Ro^OpBFYm^6yg&otP65M@1Gj5f4d0!=0c!Rk{&Uk!D1M
z1bgu<&F6rmWR`!UG_V}L3CTifV3ZakA}D`FI@sdk#(Um#*_5#1TGPRU<A;zJ79T%Y
z89OnZIJ34eu{`n=^1?v3Wt?9@2kd|HJlpMg7UMRH{HBlc#egHS0Qez>^9|ZlKGWZE
z{x9%^v?&n&an7#<o;KmcZv{SXz@Jb)rr~9YBOgq;R=ETlmhhubD#QGDi_rIwCx-T_
zf4#!_a}oNU5$Ew7m|uENna^(@ZVJX6QKcant+W07Qfg8+ypqDh-i8_OAU~D1$Go2v
z)?kXGG}<>vFKv_SK%HUI87N0f@GcQ6L;hl#b&5d6Nl2PJvgGpR^9=PtWH^e@X<o19
zCj+~O!)oH$o8P>#uy9q2HMr2h1E_oR(e5!veDcUh^~hub326Jq4<4*FUHbG;FnNaN
z*ORJ5ckV{_<h=bepSKvF&nRo(7Ec&)KA)m}+Jw`53VhszliU_~#e|dG7I@x-lY9|)
zzX_*xA@H(>=O~ZPfVc7ar*-$wR+7)6eN}4@ocs0!p4D-soy%u|pO?6mzlY?x!0*)C
zv;X39Ti`D@;Q!3!w!rVvaP(878_8|ZndByGg^i8!0S9?L;2_S?T7{;Dj5?zyR>;kZ
z(39LU4kQHrPLfb?lMvSJ5O@-WkX2O<Lb+!o5Y>f7%)43V-jqNqg6Y&u!Rren8Bcq6
z>tzxK<AvU~fZI(1@moA|5YjL`?y@S|CJ?5h5ro)rVfX@N5^C%3lt$mzNP6-7J-#jx
z(F!^x7~~$>bDYyr;As<1>qg-HCY;udz{@852O56Rgwr|}?Z-_xtyh8PO*rYR0?!J3
z^BXv9e4n3Zlf3^K%R}%<5ns(w-W=Ksyv!1Oy@KDG@H}v`5if7{n(%)3g1^FTf+GJe
zq-SBvxV-JT82PPi;82v|Mp1ccWCcZnQ)C6nBnNn$Dw8OBi1?bC*FoN5k=MbkjYbJX
z>3KXCnUW^B&@rXxNkJp>^nU&eo~8$5By0p<0%bnLWi#2vaAvT)lF#uHXje4g34w2Z
z5qKZXJ-4OV?P-aB2KX55X^Ceg{#D>v1-wV%6^Z{0cqf<r;&=0=_has5`*DFov$R;g
zOuR(mRf$g^rUH3}n9CIJe;HS^&|c1M4qCp6d_W)Ocvh7$(to9Eb;iAnwQY#15ZXd7
z_HM+G^^QX%%2MeY)Q}taNMW?Y-P0D`z=d+%E)O<iSmp<ka+-?two=++cO@V;pVg%$
z3F3E|=r3Z%ec%&PBK|jeD>5e_wnnz}u(4O$_6A+RTKF0|lA&{jq;Wsd7=2sD|2~7h
zHP*AzDXAZ5xpf0MqBLCbUgT!7e!ga&0YGc!ReX&t!=A73eVF0+0S0+3_NNIiv!J>^
zO?VzS+4IpqMM3`@dQQrJBNs`n?nN=s$PSWqk<?mX(pIBoRBqV*`hmB9;Qj}8v**A0
zO(ax4ckFK7=UK?8ko6r{hgm+BBzR4YkL3kc<2sYTCmCW%CH}vl1IhNbJ1l?4<5hM-
zx3hAZi1r68?^0<(`I_4M%a(T$O*Vf5Ue;lKxx};fJo2pnm1LTDZi#`XjT-(g51isy
zeuDlYbr;qXEtf)?ytm_BL>U|39i%(Afh+0RJ7krSxuKH`K6cnyD2zqT5&iJgP$hR_
zqmn<VXNtZzx>RGszl<!^e#jF>i5}Q|uy|t}WLP0t^Os`Wg!BC^@Un_;<|w~ZYhPyX
z5o-hs_WS%jdHJ3`^*ts$$_%(dvPQHYH{m2x1fErK%n#0s8h$|P#^^s}1o0u!zO1!}
ztTD7NvxvHuO?aM#xvZJTTK=|j5vwTAuL*6o{RZzp=~6H9aTWNuqEhy4#Z?*2aW11p
zdsRjYoW><^DJ%Ke;YH%p60aEFPkdV9s>~I?Yt`^EQ+uMPc)u#U^H`_IKh<#P0Gtlu
zJ)|Rw_Er5oN;lU91%6)QZJZ9I3kv*By*=ndHXMP!+=P=2N8tBpIQpZ}hjc;W|D+2V
z`o(Q5;_p;lM)a3-C4s+&|D6@|`wre`gH<GfC$Cm{xb!ROe9~w~pp_yrF7nt_VelU-
zkTA|GWMjaYkAI6$G#5X^kc~5kR$V|STK^)n&YXOM6S_f+pK9nVn^bkp%LTpoM##GB
zBO7?uj`ZF1LU>?cC=jL;-qrCEeMJ`UJDg8M`)c!d*LFHT5OMVMjHV`I>oqDD(l?fx
ziXEY^31%P8el2|bC&!km*{|XtNwj#u8h}kD2dO=-=PWeHGo2Pf+ENY~#g2&4`lY2L
z&qqbo9q442#3!BBN*ty5k{V=m37=!!52q^CBE@@)YE4!sVHgp*5|~t4R^w<JI53$?
zPaPPj9SMfl%cbSAA2m5X*Sx0|tHL6(K3F*#jvOATOiWaUCMKBUv*p2}p50s<DvyvQ
z#1(3lrjQZjPiVQ$pMf2OpD$ie;>ugGLIx~D>I%_`@HB>wVlc1-lZiWTIJm0QsSeH<
zIs@Cb8auOHK6a%)m2YicZ|`!)3O&i<cB$FkmSUkR+@9?k@JC7spFMu{EX}LddzJqv
zapFG|Q^@(VI16B|O}K$C0VjP;v^VbSIM)*eo|V2Q@CTxe)}HS}c_yR0^{la4TZ47Z
z=&hwQfbiCenjqx0CF_mwdkm;MgGbD6A2=h;k=hzzx%?Oi*jilOkx+BoeZ}!qG9m1c
zl|Gs64&BNf5B0RzGP5VfXqzOF^**#Z(bwgw_@xChp(Vg;a_KS7*U1hDxo7zf$Ni8q
z$gc*U5%>Yfb<!KAA!pvm<(0t4WqXo8cX9b6@UrFGy!|BjuJJu(%WrVL%W=-vsXgfp
z_+8?E;yLt#Rny-=ui)~D=Uems4#@s~gZ~c4IX@M6+G4~>9teC~!+n&ut>K3(-;(b!
z;|H|%$n)mo6YnW&c+T`5;5=St8S8RZ`7|oT+@S8XBw4_d+ZKrunbTzNPD-xZCBK2=
zVEu@^dg4D}@SiY>4G`6moCnj%guY3?6GdOc>tv(#C0CFdL?hg2$RD@yDu8b)EF=n*
zp?E5kAIyjRVShR`RJ}b^+h6P7Rq_R5fl$7j5Bd6L9sZuZ*-W4}7U+%lC!+oNVkFVG
zw5uLsKN;LR77Y|fqv=XM)8h&C`qQ;+e5}yRY3YHiJg!^<jZ1v4kohffAMo2W{E+3F
z+u{c-Uz2#w)V^%_8ec;mtdW}y@5uwld3p0^^t(K^N&Ifb^81!Yz}iHAZiAe<j`G@D
zw7hm1t)NRuS&otWCKR+6ad1?@koGZI$4LjZ;*&C{MGTIxmUrU6$rmi@WsJa1o7A%1
z;pz3N8Si9%nPi>?k@T*my@x3g{u{NX+j-{u?c<Xo_nngACpj&6{ySg)<cuXB8>$9i
zUv9+{Mx5^p(LQa$Ne>fv)`XKDCh&?0Cp}Eyd65??ewXVh0`E7q|E1P`#DM?EN_v}U
zKW4zc!TE~7$BnqPsI|Y<grCvy8%+2y4Zq!l>+NsW@Ek+lzSh3X@_cOxdXio!`ctL$
zSVKEuqx(6|dReR?c}|vzEc)s(Mhd9XKt$Zr4p+;HQjCD88bkIv5j#LREfi}>aXq4*
zlpfooda)=>My*d^um!NU7Dk=kKt~%&6!2OsykbEq7j*S>!5AQp-Tv0a3~I9&>lbJi
z0Su3i?*(O1`7>CfwMdAD`U+Q2DkVvzvk&`+v?fu70lp86Dk`lRhEYuEp+4MEP6O3y
zE+o1l6z2m4!WBxn8w)Tft=?qNpglC#$9Y8txhIrGt~2}*-zy37^N77-!lNdfbOzDB
zYQ(wDAn>e)=ZIEX`!f6^l!poKr+l98(INi3QFa&q-K}`Si1R%v+NVu8?L~oCB+ly)
z@b?q%C!5(OfB#lIVZ{0SMf<b~r}qoIV#4VxDe$s}53uj>y&`e;Coldd#w&i8_KLu(
zT6@$>;C6O_XC;n3!TyN%zbfX%@}Io_9Opbh;NvEo`XlhNibJ<RodW~@eNO)b<bn~;
zTfWcZd<G#Geyn^Imb$8*aVZm*x3fBkTr;Y9(*+&hg-_!8<O`xb+J#S&#<aeL$Bxbg
zs(z=c$~`_*7Uhxu6yB=G{fp{FC_Bmn<WXa~vwz<d>Z7mZ6VpEDVB!tYdwfHoN@^kY
zo6-Bm_r%5zl}9ER3ywubX58^UxOR??3?CYg`olwe<4e^kSEO^%T?{POrYGLMF>&p3
z?(~U+9ezimcV#wSO?yCRS?`G3ToRU7sN73hs`T+U6hM+E1eCPEV98Zx%-o|AZswv#
zYCRym;1T&Rg+Ibn@W@!ok`6{&3Lb4J;a!>1N+pO&migplSkdbpSzq<UYHv&}cogVe
zGZs98J#KT6*TPEZJWL97ok#1*`A>7Jn+3-nA-SE9@fX3F12Pf62fZf?6Fn6caStlR
zG@-+oP*S$kvUD(gYQ?cAU~!)oHpA=GQEf<GCaWto@f4+EB7TMyMa4R`X4WUDejDbB
z@p^I}f}Clr!LN@&pBPcY!&Etl7_3t<SB%?QDGoNZ3D`!TgPoe{<i(*?p53x88h%ai
zbXo>7dw{PCwRj$F5K0daC7}qVFjX?vCGeT!fyyWWWw2XQxp0+`yvxRdcY4je*KAw*
z&RmJ_#UJqu*KI4|(fXgm{-=7IL0CPtI#|EbDj+;2WPudET(W<tHUirFq7D`f8uwUX
zl@J%e%_;asJ0OE^LWb+BgVIgtUKD=L<I)c`zF7B-FFAwyLI;N?mM;8H*6z<oQnRr_
z=G<=$?aX(lf@5Qj+izf@nPh%(;=oldcOuZm>(;U+yC)ELM?*7mk0W*gW2Bm9cc^pO
zQ0q%S^b4Dhh-Fmc6i8RGW4fpUUaOY<L}T4rs#f<jQk-K<9cz}Csx=lgQ;W5UQnj&#
zn6>pJ)w<Ivn#o$V!68Q^GRU4su~c<?8%ou39!9Yl&vF~a!x*2HtTeP5{dBtW8{&&(
z7NpMDjDw~C4L>((se>lx78R+Yt&cJ~{22|IY#(?#z6nDRu>(=cf`;5@8nT+IK(?(;
zrbqjkN1xz@dc6Y+L&1{E7Yq~&R%N@Qy|KuU(p*@sMX9W5wRRlUd#8_&OkFjXJab_G
z;@*)jQ1xEY+34*1r<ij?WxXDvMvs9S`ry@iKQs`EXE1OL^~7k5x_q*5Fgf5I4u=Ml
z?uA+;?->oP)dmhtr_(b>FjsqAeqV7Sz57^q_ikS-F?V)~Y&X;|@_{|YK7@X?A^S|z
zmK&<0^;1{-sUYlAG#U`Q8IcwwQEBz1E&cqI+leM=J}Fc&jSA^q#MG!yOY$k*MIfzE
z_8uCAmT`w{dYTnj+<Y||g_}&k7RTbzOpnhu)Em9yxFhKF2W6S!YQArJ)!w|icYL-d
zKarjvX?3jzJ<dQp()*@twALFtG)xATm~SC<a@Cu5Elt<L<%~D%fmxr%Uff(%_F|n9
zPt|J1G@KOVH0f(pcL+XBu2#H?tZ~hBY~W;|%7S!phH&zW;1Np95)6mLt58L#?w}en
z1XaXbg^#KjYgyXNP>xS&P1TYv7TTqj<fD?to&c(Oc^%36kJQq9PxWM~(c@ZmKL6ei
zT}owhHtTv*3v*~y`b3<~e&rv)7y2x;SB=VpK4fV-+fL9>QJ@yN7xhYtWCkIr5(Imq
zz$Cqzvk0r93o68}rQ$(?GGv6KU@FZ~N%i!y#{CKhwlTzpR*GKOnYq$qId8<_?dXX3
z!MC=n@qANiyssBGQZyBEm;P-_v1i4S#vXl+%btYp@oKOm8h2^4+yU6+V#2}cLeN7g
zE=+J*9;(Zaf^jvmRG4_IxJCtw{hOuZ$?WLV<Wfuh6N)uFvUjKt7w@E|kN)PD>|_0v
zaYw|rlv<o?jkqf7Q;F2v*@?+Bb4fNhF*PgKFzRok&r~<^Zgu{C&FP{OEY<#Vaw|H;
z7T_Ny3>j922@|qYpW0thej9~lx1FUFG{h{*M{=36&D=x>>t5rG;LJky%CF<>&}@b6
z3Hw!@A5$&vhS(c@euy_A(@&cjim(xN1xaX#LZ7XmL7bm==`?`gbv`Rb=1L*$NtALP
zS{)8q6*g+08;k7-X49yYzJDT-oZLS+Fwyd*nj<lNr0R;cPVe%#_W1p<>P}E$?qf64
zlVsON-<6A)r#@I4wNty)&bHrH%{T#B!B~1BGsw0@+Dj|eo3L%UvC69Gdm5iKntr))
zP>V8c7(x$DGh72EJ%;RAS<MpwK{A13PlVO0d#hn9D|by45~wYnULRPxF1WtK+T(M0
zS^~~wPggwRvyUp)=*ZqmZ!X-)zR)t^NKNeRdoZ8jgPos9^^B%ln#S5XTfOP9uQTEr
zKCv@*)R!NPw{+M~6v@WNEOfSeH>ZJi4_X7a)o1T%I*(vg6LW3FXOzz)twYt)s%vgy
z?s&~^nTg100RAw}yvYPUr7Fj)g*`ixll}R8ba+>$Z+EgUP>v)A`Ua*}ubvzXjYbCg
z_BlM6(NtweyUjTsOAg1odVRaQT=8%ywl<r{bbEG(p<!8)7|S1FEJeM>Ly&}Ia9er)
zG)Zx+JvzV8Y$1jK^GH#Kw7cjQKg9H4d<HoW5m{tN`cOq>79x>2hjwk>Ka~#-lp>?S
z^5ivpCQHR)GBO+}E+0$J4uy01zRCF5io+M)?di@WX4hh&aNO0kyVMmQPR7Qaw)P#B
z)My5|o-`*)6UGt1src8M6^Jb9fNI63s0c=5qNpRP_+qYZZz!QI_@1g~5%X3jhqd&r
zjq_QFRCi@7Cl~U$ou?|(3ky?8GGzCk8r?c4vDvF;X3oyWjvYLF_>ej`SYw-C$5|<W
zGnro>jZCa)*kw2riF!cpE%QRw1F{)YWH#k*c8IE@@(4t=QPs#^oZg1CL(jf_=lASE
z@`ZYWtJj)7^O<p8?i<S=v@UH{l*7tzV6RT-dcVBkW&7Si96~#xydc;t;L$a%9}>Jy
zc@0budqURb1N}v;J*_UPV1(#$eA6Ne<tU~R@~wv#_W0CzR-u8pJk31To^}xrWM#JE
z*?ca!9Ge6m2<*xZtW-nb=(+4z*p=Fm7h*T+zx!->(C;7e_vT~W<DUry)_UBdgM0k3
z<jnEWv6Hh&_%EVk1wTpPzDzxF`dT&|41d<w?ahrPm-a~-u^(VP#$nUFOO<C=q!ARX
zZ73t?K~7SYGF1ORg4v8f+K~(sN*Gaz&VPbRbbK({4YpE=gxjx8n(45u<@B$jNGRN2
zZ*QQ3xbNdx(Bap+bwZqIg$0E6B3Y{S`xNh|LHDW}iLsuQ`DRTDW%fed4waA2XQ5*c
zjqeH9div6#p-j*2NpH$==A+@0j@azk8B(iLy$h~hZ*jV?@2I2gC40XWNYnf|aGwL!
z*zE;R(`rm!!CXbrj5xJ}_gw_PhozK%YX&O#J;f5a;Pa=N<l+RZj!&wIwGmTMR$eKB
z^BB?;!DD_owGavZv7tWiAB3WdQ{C=lQ<uyAg~jpot|9jJ@5V;r@sZef>nAG<>G8$g
z0q?+ke9Y&i+(+E51|HeL*JQs%yY==826ob*V8!MmLF|S6hFh>Cx1>0X7QW`l+D`GC
zq=^ME$`B3&qQ(}Dl8z42w@{;4455|C!u0&C#D#gYV5vALVYtkB^s0$c|4_)CaG^xd
zfn@SPK3H`n+@VU}z~s53nQUJ?)|YV{KU}`Lzv?{H-ciWs3mxr;oYnrT%ZHDj9!w<{
zqtV4=ihL^MOPON-f%)|4H@3<1kIu35s^s$gAcZ&>EEQ{Ml`0sOjU>YzIpb7w9jRa4
z6qKPJe+)hc7u#so{3Mm|#z+3>nk4R!5RQ>(n(e!UL`&);>51RRIWA^-iOMmgw@^R9
zTtQ6~Wiv=IB(qVo>@A&OC{=)zMqxA}1&mCj6z*p{l?W?>>GBJc;lOIV2*Y43xQ^e5
z@vqF!?Thc1V<EdJ#xh{JULA|Hn&@N6kfMP?Z<?`pdqZhP(wh$9erYHrN3~!RWGxY+
z+15<D?Ets4m~JyvqwzE<24^&qh;e^jno%)-E0{l=Vj$0^)iGZoHuGs%L}^ixEF|Nl
z8k;F^UiBgy198qt@5;u<Ha0%So`2?<y7!Zxq<svFAPc~b+726;cDJGoO4W%ejg7E%
zh_p*l)q(uSWQL+FE3&(hU)ez?J)9lLgDf(Al2xN+v~AzU>gvW0c_Rrt#!v^o@eOub
zkLpGJLiA~dk6nvEmfK11k**WdEnu{PXe$XnH}!@3#&1L6Bd2@$D&F$i8tYtJJIRJm
zoTz{LBo>!-^Mk0ScO%B{<CZzi+S70fksZMHRdsEuq|||o8vV`zs<=dV4p3b{^&Wzt
z#Dw1^iNDE%I*h`pgsK4*)<+v0Y|95D5RWed&oa`Cb;nXY^ZoHk%Dp%nPMx>K#{Km#
z1;b5=kk99TqYRg>|7_<_DC$X-g2OXT_PILDtOz>0IpPa=yIg+d37x{2_syR}S6_io
zB?Ns{yTeIxF@0AVui7Kciq2d#+oUt3@UI!;Ax(-5kT^5rNeGNf?Yj@O=dlCw+7mcS
zCRw&3a*IjV{f(vBN<QwzijXm`nW-VK7dO5-U7aCT9?54a-QTPK`S?>j+I3~-ug7g|
zJ?@U~j!q<Q34cipV{jo4OLAGA$BBhXb|?~xI1FiA6sNu~<wp~p8{R-`CoDvXrvd}h
z8RgkagVGoz-aVw?_7_NO?WVW}jjO>5rt^5&9eJ6d=1-<Gj>y9nnTw=piDJnr6^)vf
zOiaikIGvVn+-t9i^8!1+bXB|-nCUOiPS!j=SN<=4xUs?ReP{n-Igp&#`)nz;<V(zt
z*T(Jk9pA!z>L2-+$*-}{&_cd;XpAgRQa-#6d#v%UV11A2GED3&5usl3E^mAm4vgEd
zftY0hF^e|5C$4+u8vO3Yy-KHb(rRGH#!i7>9TY$!H&zchTd3w0i9hmLlCTLu{`W%f
z3Guc>BZ^N!J3J#Df%1fU@Y!R&0|Bwr+)zlL+&U)W7yoT-g<ndu!LO$wpZrp(HiIi`
zw5t&&*%7)Sfj+$Ru@YTe!^b!!$EaBY8_rKM%~JO=8P@_8T=Suuv~`*=Bn9k7Fp3r&
zg6XbGp?-@C>dEFO0xUdePvI1#8;DDJs8ndwpc`;DqTT&q9Jlhu=Hx<=4-Yr;7{>jP
zw_Tmiiz|7A+Mo}bD-V2M@jHkH^t;DmBwk|%@hSx{mk6-<VNH?jiJ_yyHb!T}7&@E5
zCq<i*zM6!97MdK1T(aSlb{CTljSw*5r=h<iPjx``SCXYdxGVK5hjg!{dMObkv2uHF
z%Gu*`M?BgMMC86STus!O8Y3sBUHCBd+lY)86$x)9+x(XF$HuQ<ozi#s(@>LCI*^Z@
zT#9Y59O7;VnNv&3l8Bcfrwu7k(zYSSr+Z<w8^bW9qA%(2y1D|Mvv%WcMV*NeK8{?L
z{la{2(OWXp1Eiz#c~tg6M>qJBWq0*GE>(6ukLZz{N6O|EJJp5x6sKsiVhBqi<*5t1
zC~+%dt@461eNMc(p<Zdrk0d(Hu4L6V&p9tEo1MuY(%3MK0R#Ce_=^wUBvZYD9wf9M
zvQrTEpnJ#dWD(#p8JvUj9L~jH0Hiy+CmAsax<fU>!fg4b#~hJ%o2~ign;z>3(--#q
zk9^}j11B@@tb2d#o$w8w$h;FIf}X+S*+E-3tVD6$uJS9qvf_3q;(w|qHj1i*y6sNh
zK14L-%BD1nqn-#lOV$VUlXaI4&15n&s7rX5J`b15(``R#n<)>^*?(c5b;M_`nuZxD
z9><w<`l^{Yd)Lgw#7zBNi}Uk~)OUV=qw+ZV9)P7zyW#y;_MA>$>b#SNqmF<s1`zU}
z&S%2nrSfFsxmp(Z@<Nb_9DA2)NkJ4zynK9TKELyLIXIYLfiHaE1K+5BIX2{Vgq+Th
zBUn!N^rXv<7=|^25!qS}-@f+Hp%&Z8CL0^IHF<JV#lGnr91b)uQ_5Q)x0@kXv%0mU
z!OJQGD|A&ya&(=6%bmf)1SpqK=$3RuuyIPz{#GL?iNg`2CPtqDdme$i4he5fC<W!3
zV%DmNmnMxkf;3e`i+TTG|J2le_S&_XseM1MoL(*#mrqx2tejaY_AQ;R{B&*I#`ap*
z*Vfjp_4nG=>%a4qlA1X+F#&Ut^6aw;ZbO}zI5m?}xaSdfSiHdcut!|F27iUwq?lc*
z2IJIbkj~yzO;_w1lEDrxPo-H*lcF_*fjYf(pA_9F6j*Wa8>PlrvF<%ONTE`&HS)f2
zolHAT$iC>LHtGXvU(|f_|Bro9luJ{FzAUoGK$ob#KO1iQm7U}K54;&;5RS_>d8aQ$
zMTm+><gTRp^n&NX;z=63fke7JeI;FqIzgYDPA`q&`3gG{=Ld&1%Got$C-hmm8!T#B
zQhA+zPtVgNI(YYl`qPYQYKC}e0aF&Ll!yeNX;cfYX_~JHY0$0*)4Iy_U<gR#U127z
znEgz@IPBwES0!J*4t?!LjI`v-4bjN@JnQBJ%}^jZ14F87*;iU9O{d)MfTt_!?_|}&
zQYGxX%5HOp2BLLxbAe}(9C#jc*$Hl`t*k3Zf~PTS3_O5lvkjkAtx;d!40B1!7MBIm
zg@7xTl3rB0BIiPpEq^e-I2;+yz2d=_Ebl0l%cULc`L5J>ab%b4WAAwnWBF7X(E_B%
zS=dus`_*6#(wWQCBtt<p>Q@Us>4qht^OD9yd`8~s#$`Zl1h+uZ;T@+Y5e4ufb*q|v
z#e>%^ZT#g9>RDHs_v)kXes|rw{yT+K8o}xmTd~ORcbm3o8Tnb#;j#uDPM;s4yAZXA
zMnVr0w#O{*Ultfe2wp@L)~uAGzC;#BIO#(YVc{|!>Q`L;)|d0g+r4c)&TKFT&EVI%
z2+q-5EHzmVHMIoGbJ^N*Z||>nDIAYSLmufrU{7iJ!SZb1z>oOZUU;EMQzKne>St=a
zoXL-74pVbwr%S#>M^8&<YbIoHcqmn}>B#u5OP|u><j5zpfPNWjc}d>1UB9RjPMn{<
zX?8>(<B&C^>5#TeYlrHjQy_)VA@p)s!Z)MZu1MxK^XrI74jCOarV(s)+HjAJ97SFC
z-%xJC0_8YhSB|QDKwtgBl_ZV^6mmtO0s3O6bOb5^Do*EGx`9hgHE6tC?;_<Bu;1l5
z2KDRL?Y6_sxKG4_+(u;qdyww>(dsre*syei;6=1Vael0I)q+KGoUBG_h6Ek6NS+gY
z$@3-XOLbwb(r8E~P@%Wco)t6~_cw^jCpfap!1qapbU~z3V6(LC-*{?c&mJBPj#&4<
z!QFgMrC4jN=^gmL@%qmY0e<c21CPg2FPopF&}r=BIL1cj>wf(Va)qck^c1}jTDs8C
z_5Ccw28A<5=^s{02SygB!=%(VDd&Tn9duJ;Mbtk=$PJP|gwn#?BkSW)XHTf}_$Ls8
z6fTDG|DD;y-yiD?^*E#B>yGr~T0XvGFzd9QSV<n4jnwi!U%nQZJ(65GVRdE)cf|8+
zlW>V(T$HEqW5|z~WtX~c8X~N8{v;xrZRj`EfS^4fy#5qZCHN%_wyK4PqQS7pjqwW1
zar|W)Lpgsg=$vhCw|6?jp5%C;H@sur@zUFvzyAEfRH(94ykJ$1G+F(XeYN>p_fw{l
z@qWaL+RrOU9rO=p4)l%RT>$BVTfX$0`yB6hwc%1kiUHkB?M|n6rw|6uc{T)!xD!$1
z*;o86s*puzPGL)8m`z%*<kO>*51n_!$%pPkBo%@8ho5|=7;dsO^i1z#?|m0`v~;xC
zS~^-sUj5Md2|Mma#5FCm*U!OLW@~A0fgDtCKSckx+>9v30fhwd^Uvaht4V6zE{Ex(
zut($El4eC#FcD?btVwD&M$wBAs(qhA@Tq#6XeTpt-|=*3x-^-in+IFmt(j6sw|4Vj
z+p-cY%niW3dW<d}9IFR^6kAFr7ZN|>edV=2DPFnLGNR7!74B}N^Q0oxE#e(?i%6wv
za<+N@<j?LNY47c@IeHz{yWjB^wsucsB!d5cPyO+?2>K)-n_t9l`gQs=T(Kz$#`RKu
za^<p_C?(uQEtqNY*ouA7A$Rd4i&xb<4>j4$p2&?PJL{MD9f;r3G|@nDJl-pBM7&W~
z?J&N?=DWGB6^6Y=i_6iux|~6ybx?2|p^}OaKOv*YPM1MX=}vmGeXF++1gXCi<_PBi
zzoHSxaSA(?RYsj`gw!zF#LPZnYiYWOz90FvC*uh&_74nu@>9iPQ|pmrGU?8__dB{1
zIArmg9Z_9#=W1mrIGFNw=N^l=6WKo6i;%UrffT$(vmrE`1LS(tbO5T9h3o^q7D=j#
z6E1Pr2E9NSKVYRr4Qtgx`|MT&?N`|K+nZ-k7)`T`ugAAy?*w(d`f~aTKdPz`P^8ID
zQ9{xd&S!UBC{AX($144E{vGjamimy3+lw4rHWM5u4TdUXxzI|o>K|Gu7k2I#4%B}D
zdZn;`|K8k(Ur|L)(1-e<W(KSKl;8U6`gn4p*qfT%Kd|#mY}_|d7@h9UP8C^qV0g#Q
zLV0D#Urnxra$}XyU}+#&|1kQ{iatDrJ{aaqMjbZjM|_Vo;cqb0km;gID=8ZMz6-2A
z;*1f#Q>oTCzdm6rl}O6{&o}Hju(oRlDAhZjxO%B?ZAZeL7zkc?_qW!YYNyHuQblUz
z0q+SU-jXJ7VIM(1Bl_C9LI5|_vQ=xM({W8$vq}3Pdna)e@}E#Sbl7{e@Dr}HL4EL5
zeCX!izWd?ol8KhP)(-4>!?#Wp&y5>MSw2;3T1OZ0d(E58Y(V(|EO{dq(E~3i^)#J;
zAU%m@s{TWkJ>o26cqUmwc1+@N&}`t!;m#aT3f>4_w7q#Xy?O)wZ}s-oG~1243a_vK
z?)d%V^$qs=TGRc+>#S6B7kA!0i;+?$`n<|xuV53PxE{n{^L~+}7e;Y9hm#3h*H+Xz
zz~b%;QLdI&+lV1agE`Ac^o@?~EtmJv=e}}JKGNMC$@lc+=rh;ji^Y7tc-+x<;?dK`
zA3o7PaQxxpryo7hcRDn4!|KvYX2apxmn^N`FcbPx%-0)@_WEKpE{6SSQC@>_^;;fN
z$J7vEDlJI*f|Z^TzHu!eFP+n|aIsXWtQDC)gz;R2J`e)+9#5$FB~6XWN-3eI0Gt+f
z5z|8#h4DEtFBz!$8UVh)wSE_S<l@HMoF_li9~$cJafUq6)Wz=XWM6Q=)e{I#ojuDQ
ztKZ5VTW>06W(ERnE$jB?e4$v$%$5Qa&wsFbqJAslP%(b%Fvg!zAP*rGQ_77z7cK~Y
z&{+eXC7kF5J$3_lpXDCPVeZj#m>axBS6CY4Bzg)jBZ>*b41FWV5jle>GJz;Ul%b0n
zEcl+nX9@;N3T!3zL}6;`QAm(vM0lyyLx(uXCS9lI=DKr}eSwmzCm5W1r}NAM4=jiq
zz9R*sI{z_I$UqeRx^I5}cl}m5X6qkf%yX81RM$v|&futer-dmrj8@)Gp|@x_$TZmS
z)AZ7`;b5O9Aa4L_1k@;30sd!@aDtO?62zIozghgF1*qU3kyQjkkUvJ)e2Fg=@vIO3
zYCx%m$W~&i=gMD?y0lzD;mfW<(EI-TP4wQlc%?PjKz>@peBJR_0@Rsqw@j*YAQczA
zsI;z&(sj1#cBFU$p~cuZPo~9Vh$C2CJ;y$I?p(cgj<0*fX|WlqnWs>`71gkZZ5I24
ze*d5WPf8pf8g`WKjFRm$0;hX!*&S44Ug9~~9x>bO4Bfpa@nMM<fG<%_s>BNt=i{bY
z0umpRxcFVvq?h=FsXc1mOT4Dy$W`Tcvr4>dxyb88;9efWVU^HsWs>Ypr>j&MvFe1+
zn@-$h1`sqRb|-w_bYC*nn04cmyuWn!C+rurl%Q1UbQi&E(&F?t{SzJD-u4?Qrek&W
zSSV_^2EvQ0kz3X2=@~*1V{z#x<^zRx*de;FPmZTV;{;1VJ#qziu3^O=RM&~r5%uxt
z76fDNrHG6b`l7f3S-5S<$`InkXh>#h$%08MIh*K$n2MWRQ2f-2tjj+^%q)tPJL10P
zPtV(I?YG<|J`hSOs+RXB*{zQb-#$`D+4TBjk5=v&VIitwj>Joh3$<Y>=Rs*^ALr|i
z|2M4*`fseqC=)d-w&DpRPPx{yecFVh-h#xlCLB4~60ewW)LW2v-h@+)Jkg(i6OMWd
z5+5<)sDC2yaScb!T&jN}@iI&E+-Wf`%7GW}uWIdIP?A&+OXBAx4td0$H{f>~+P70Z
zEZP3$I*#_Jhb8fQG@NSqs&u1zSfDfLZSL1`?eFf>{*HcM#~(1^sA(>L=Rp&Wn&uLJ
zNW<y(Rk~75bHndLk1B2sDi+vTNc*~=uIvU0a^=bo9o&CSXK}BLHzj36q%w&(O|q3y
z1y?#BQTmqH=LP<aqBcb0A$gU_ip=)|-`&zgrV0%TB{r0Xuo_al*xOOu+#Bp@Lk?5!
z)JyfunZc|qYX0YHnwMHKVmO$2?LCxl5~e&FtzHC6YN=k>H;6x{*lO&Xf8hIu|2N+^
z_;1W(g27&;w&U|G@HER9aH7A!`%U=AG#nvchW4o4D%&44;k4exd&W&T?I(ffO*rjK
zfoBN^AA_I7@(lcMjWs75Gz#!#lHwKAoK!w?X$pUcan9i-VXDWdh?)gS)UxFD7=e#a
zJw}O7vS!|%{4&3X-;+4%F@BuaW5k_PmM>8KMA`lT^kjPfH0qB2y#eQSM^XFcr;syF
zs>jINQ(dKpWIaaICFRdonbYuhcrNNO;`gZ@qajXGDopx#jXpkX2DGI!4{0?`Shwx?
zq&P{pT7nU*IV>tKZm=%3;9~uES&8~jdVf3Vw~%~TA4-+&rEzW6fe+&D7WgyyIO)C<
z@!wWHFZgfvZ;&rd`ng`(_H_B8TU1DqC66<C8!L4Cwd){zwEkUOWPR!LcpZKthW}aM
z?`zjR8`5&M-5W`lA+K*6{+2?I@ZKtnliqY3^2i?hhYQcvkFdhwY1`C-vUKUmg>%gM
zsZU|N)Ni`8yxAh=8`UKFT{O)^3GtlYrA(=wbl&54aN>><E2LjmKkqf@2KrIxY4nJp
zJ<SQJ_r2T`P1-?>kKYXwv~^2Fg!#V1?>u*ddg0;BjjM$%_Z+gswb$04D;;}apL!kN
zcJ~`%oLHAMPQ*3HanXIe6m^dwlU+s$f!-b9qtXD@Fn_upxz!GwBs;K`;!K>(Znb^t
z!l&;&+2wcHT>j1zbT0{89=&F4?3&T~2h`uDduN+r>r?-m?t^WHm6B*&5p#fV6y2ho
zsinH5&%WFU*yqB(hgziktWQTMaubs-M)%p!T8Mj@{8wQgt-lJ9VZX`VeeN7f;$Q1I
zq2tQAML)WTCj3sHanQtWx%>?-dLJa!WZnZmiqIl&5*^@|UDGoE&iPFXkwodc^m#cC
z5k7Vo|IIvp_(l9?yMBw1TuS=5jj?#NqA12dwU&y}y0aK;93}g_`G0zjy|4an?|+ib
zF0iIc3+Mjr`*fE!Vq+})4!mZ_Jp8w~6N>kPVympk5&NF<KIKpFZi+LRwIH9wNoU$X
zNyK8)ed^-oBD%v!98#|oG2%8wjIiw@M%I^?*V)_Yf9t=Pym~R4UA%hodi4uiSvlFl
zj<g(IUOw7Ve`m|d`uC38vh%0Lcbu9{+m0QxrDsp=7(X?iwH@bcssrQe;^Xmiy6(V#
zzZrBj+$1GuN~fz#=HvQ2WvB$Xb(HK_Vm(n_3VF)N>Pz0I4t$bMPlxgVnJF+TL|l<2
z3sPr_qOU|S3>zLlHIuk)*Up#DFWjD(JvIIvYhwEB?Aw0-*#0KAQh%ap|FPeH+w9rt
zgcZg17;G*U<q`0he%-e%6&Ss*`d(CfN9KUwXDI@YR)bMvNpXaFNhjPs#J<3XCucyl
zGTFT_d{xPIs9KtOeBS<-yE74Ye$P#_vp4R^yCWI*%YRv$_VrEWa?^dj>Dp<VyE3!d
zzw7pc0|N(d-_^f5Q*ql)9~!vt_~8EWczk^S;PLwg4)OWGBq)ba<1%AWV18}3-b7mr
z>+XlZ=Q-Ytcw69rRs0V*-ntcMNshOf@Na`~+uhy%L)c}W<n6l_w!Z(3z_Zv1zl)#b
zzpU;9eg{151G`<lW9@nL^Rx6GWnH}I|58Uqtl1d!&p7h#wAwulmNI>|C|*)co!^>^
zE#^!F$BO6#J%wIaDkz#b%V(2TrO-sl$VU37cBUjJ5;RRGBC!y@Ad-MH*(6eirj%($
zh76wG_q`)GrY6=3eS3Vi?%NS|?g)9D?oLNKFu0@HR-N@^BOb-xJreWgW1gDhRWF}9
zH=n9ZUE6={x%H^uXJ2n_Eesw%<4Kl+N2dlnh3UfDKG0)nb4`gse+a`Ia~p9Di)IOH
z@R3P}DBo`>a2g-qZz(=T@|JbNQcv+27cobWw)`o1L`A4D`HIL=gT04u!-4`LNr%D;
zwVYXsjfVTh%>!R}LY3-9X!b_fQlPqjG_y3CC>3Y-Cq@=heMd5iO?hZwZfvaA+Ziu~
zI%>(GDiWcWA6Fi$9Gy*h`{w(H_Xch4=T?T-h6CaJ#Q6!<G&wOi*Sy{wNELj8gNJti
z!CUjtABb;kuCec7eS|Ih%+!!dn;xm!;3Cs~IFzG=D=8!?EIf1z(><jO({@FSmX!ja
zXv!%$>_aGq9;+^7@9-3|35TsP+H!kas5m=dw>{n!3@3cGM;^OS4TKI{_0o~UkDr~o
z<+giP`mZTq?gnsX{2}J92-%}qJuVlu!Dnqq^C1m^yAb~;UlQE_brF^Z(NQb`VDMA%
zbCHPr)NUr$%6~)@pYXyP65Dw7t^HH!;J{?kSB!hSg_*v}O=H20l~@EtBEqqeTu*ez
z!AfncnweR4$BK^V*uiRH=SZ%jD_tB6`wCIF$9**K>*|WeQ(oWT=v-lVeKK)+X}+=?
z>DoUNEhpgj;<2tzVvYtZ*Q&bD6?4?d-<*WhBTsme*JTzt&?34!3`(d*?Iga(L6x}l
z>eG%@E&PToX^jdz+{g>VE#JDl5D~ML_U%ZF6f>Fl$WpHVP_j5OnX42_ow05dA(|Kq
zPsIjGheWRQSi7xblIO1n{kt=iBCRNgt;k?^`&W{^d_DFdp5?tbPZTYS=JnW+ai&|h
zM427o%TZ6oq+4agXyE7M%TNY^ViA%Zk=PGSDxxi#*`3FIy{*1nG&NU=78XyGyGN&{
zeC$-y;K}8_u6Q}IJR7_ikET5BT^;Rqd!%|`a_Ht8&Sn@x{r(dtqGxWrxi3{oc$=NW
z)!zMl95dKg-^82+u~JQ3rXk8gKl@XZg~-CB=mDQR>r<qQ$k3pu7|P6WQCz;}Y{YR1
zVXk`cI=huwtt^^}SK}Mj=IdK*$<^xana9T;xOZc4awuP}f1I5RujEdZN3T6yhY%4y
zqOW6Lbz*0vb$zyhAL>%#X>yc6rjTYue2!v3#6D6Zs9`;<sj}Nj7a3LttaPV0BB-s*
zaqj&2bLG9Gk;v%YvIn<#E1y(c!K6q3>UiHX?|;AQ3sUa$RgcWh9;x~+ece|(zH{gC
z8ioC#UfT<-1%BmjtQPz_g*7yIGxR<SYp0MxE~E7MoB7HexVu1ccRO89XWX%8mfbjT
z_1WWTUpF`=gdzRb^yW`_zHL&^wr$8k(a*WEH;_G4Qiki=4N(^qt1PlCL@liVXP?k^
zE#g}QvmxvA;^2aFixVO8Vy-DzzA|Mc(TR#+KK8oAO0v1b?)SXZYQMe7W(&<Ot>xRY
zdy3tq>PVn1f9HHlS4()$a1b-Umg<>G+%s@^exT*%_Q67G-|7<a3n#|cj5Xl4oKR`m
z;764QuI-0oEYibUkOn}`HCoFS9%l*KXWdzF4;dTO<HMmW`N)0$)D&LsiF6{tIlK3C
z?0xrc*xK6IkGgMcwV!TjzwXAml?h+MGGuoJ^PNK$w`or`MCrtc@G(&vih|xK&xKiH
zTtbsyMMQ0o#z`_Erp<)#2&13Sk45~3wo*8=L%=Z)JI-W@cPwwDvf)bbJT0D{?&hwR
zPG>xDvdh*pnd;3snPRm*uDqrGrSaidiS3dr%4)@uI$9`ncw?1PNy=a>u&;qvxb<66
z<*`kdz70WVS6J!9_i?_!XrW1C?HJ|nGybcm?m+&0q}7%mhTx6#jb|_X>{K9i)%Dl+
z9sBUf*}Lw#dmgmv0Uv$>e0UyOqlwm%w7PXi=fh8vo(DaXB##H5MNaP+=uHw=k9#Bc
zDaFAhAa#oPK7j87_)apqgzqJMC;m-dGH|*r{F_%)sf|cBPNlghTCO(YRW(QA>R|58
z?7kC%t7mss!oF-J+&2s-1*(qpu-`r3Kj{i*yq>VfoAiW+vp#pa8qZWB9U7l^G`9r$
z=LQoK<z%a^ducE+=927wq}-DUyOgGrO^Pc%5RT>oUCk}-U?#{}ztFka&-i>AqFx*H
zDI;gnee6UjRRUAEtH?kx7ARp|rGqo5qIR$}aELw+4UCSBjpCmpfvW9OsG^2XUQO-v
z(cQa`9oxP8C}ssUtQFk-0*zIRC~8PQH%cOMk6SPgBz**TZv{dpN|B!+JVlgeLfVrW
z8Nhu;)g+W#nlw0jNzf`DgSPPV#W4uY-*mN|cXhvPiT$55idBJn(cR&6W*uugJ1185
zrOrNgjr}Fho;cEUGJR-uq9fq3Dku>~d|0vU0uQi(wjM~Iz2=oE<(0l?q|u9Of>iy0
zBHL6KKS?c-D?@ozBI(>GQ|ReXyhSTV$Zmw~N=_aaym2Ejwwz5aM4*Mgq<^+DIyf61
zd7S;}{JELvtL~h>dOj6QPTdHN`|zQa1N+x*izA9jtO+Fr`uiYZwJ4}7tO?->j`4k?
zMv|(OCyMu)*GU|!Ka1l6b)7F3IwezzFLRU*Or^3jhx(a2KbI@?#mDyzl*gT+oWDFZ
ziDaeIlQU<gB4=$)%;q~eJ#u6+c6#4Ze7rxfXa5S0#w7a!kh32_-+Of*uH5uGt@YI`
z_AYT<5yL{grRXiWswo73Rs|J?kgi15mly~+es77LeT$-a+#P;rmuC<fV=ckj)|*bO
zJUSlm*lb6dDXz1EzR(@9hMX_y)7Sgb(77vAK@#ghXa&QRdXTLMDvItAfT((KllnDR
z*{t?ko51UpYI<O#(|fDiyWzO$Om1%$>QrDyqI;k++*>W}T_3(>r+?~!=~rBUZk5M+
zeGB5Vg`MgYtytKp5P=cY&YcapQF^w*|G!yJZ-1wr^>qLJde+lBF%PYqbI^T%208N(
zjfs_d@xN`_m>T3)gSax*Um-y(7|ung3`p<7MioU^=n_nk;!lYhB-k9>d`{a#EU$J-
zmCCxI48f*gb=$4USKRrb58nPt+l?>(i%;D42HS@mY@Lk-{`24K&(xm?!fV2Cuj?9a
z?6?gP8rM=RjGy;iw*w?dc}N(dHyXBSoLa;UEp*LDjY_9;2n~x$*EVsxo4T}`Jwjx0
z6P&)j>|QoBcX~(A+Ke^ESZ91Vb;H7Pm**Cb_tg(P{&tp`JyN+-F0?{E-4Pki^eFL5
zUsaA?UA}7CzvGsP3%{kjo$ptila;q)Zc04w$__5hm9qx^sP9=d5`gs4X7rkFt08+`
z9udI(Si3@(;4uMQ57IYBMcv5qq)%IgcqcaaH}+psO5K!2XXC|Y+r3Rq`B<XZ(iL>y
zkm^5mxUk1<^Xzgwc>ltMk>bRyyJnV$P{S^t-w~S}SY1nuR;!WR=so)%c&Jb=BglgI
zP=0fny$$2a;v{U+N%Yh3)6n`DOrvx#A;vD*Bv&Ca*=>U(g|4uAvNsq=C+2H$NYv8c
zLSWRB@r}%NNBaWtzMv!gfmpQ9(;IDfBt{QTj-Q;4$9%h8?nArMLy4Z&c3&hH3V>T$
zEsLPNANO~Jp$kpu_R%ZEZ<4O08c&Ahw<j&b=)5RPNm0gm&P|Dv>UN4rrlqKoEeRTr
zQ?WLC?CQag8<e;hz@=s|Rg4zbcNP7^duy4ck;HH<J%P;TsRKx*8eJ~B29xFLeM7U(
z@Ib7)R`F;19f9%FJO8V4bUNiN&h-!P_uFjI@=Ut2IvikM3-oy%v24G;+`qp*HeTz6
z?W3b}pfs5x|A=DQ0Uk}~NeAj>Y4zLkv}f{$$SYmjAX{Qyo_5KCC_?h`_$DG%$g3^%
zA~yyC+l)QY%xhdoW(_%lgJrXtw9A8-|I~%L=vG`F<j<f!&k3dZ=4NYu%9{*yDyQyV
z42H`)vv=GR8riQngF|Uo%k<&l9yWUEnX8UuD}HA!I@#|TIlHGlF}*LD+f@mD;JsJB
z?if}f*;B#K*(IFnN~k_$T7?a@a~tH4kxdAtidY00V<^xwi%%-9E6OGk)1cyyIOAcr
z$y#Va8>CVt)(}N(i+E#Js-9UYj1Qd27xwH5^iQSwmn)$n@>rp1wXm7J15imGf2Wd|
zJu|)dn%aE%^u*GkroW#!JQ9dcpBS4uw=<&@4j0%zR<Ex?Ygt<xga3u@M;fy_;SWBG
zIknqUEY9uZlz06k$FC8%1)f*5=k^YczeKh#a-5&hIexut|4ME@|0>?Y@7GiWF7MZ*
z-(^4J?O!I}g9u-|pUZuYZ^-u`QcK0@{x?P76^p<*59IA}hXU{ajr@221@A9eJ!mg}
z_a?e4Qhg7{#d~fN@7eq%CjDmRx5+OsL00$&Y<L~)@c#w;tiT5ee+6K|slCyU@SyM`
z&{Gqx`WJo*rlD{<zhZd~jhd|wsqcsTne6|H<+B_YbVGaP|4RH*9DkMCUipQ@|2M~9
z&GGM`{lmb~|D*Kw*WelTb1VK@iE}?X#b@DniEbq({BHtBJd?x=5~u#02OYAI60gT!
zfI?b-%s427-~Ari8~rH{%HRFr7W^iO6MYyTS2H7zhk-uIro?+WuG8n25_fZ4r_awN
zPM*wWtDq0{|8u<mtquJ*<9h#%exC>NE*cm0--sLgf13Yp>(>5TPfC1C|E)(PzNP=x
z!xA_4AM<GK7P#eEJ}%6#nBOfpW*9ie%MS7Jwrw5n7F-*z$)9ByuL(Ddm;F2MPute<
zvad>f%XrxrCB9|6>|Z6mWxVXS1-^B>TW~SnA7i{ZzMk7a9js>>HRyo#jC)UMJqx@b
z@t=b4eGk6PjHT=4ay9ez{{{Su0te&J_xtyNe+2zO`+bCK^Z~w|Uk~rMKFIsu#SmSf
zuV>&7NSq=bnyqp@1HVP!#F2o@^$h%_5+_%mx}J$I{RN+2mz-ZQkA%OU;{nSvyuCKR
zirLTjARjNSXETl&2Ho%;P?P&5866MReiFVQ@l`{Ah|dVV6kveSUd+pjp#LxUywI+u
zc>(9d`vp$(BJhI5i4Q15e`Vb~FL?it1#X@f;Qx&Np#2{D)d%Uv@&4z5H~2|`)BE2<
z{a4l*tq233vHlN<w{TqJGuGEj+{$r{&sZOoI1N~x7tjH#jlbXWdmPvIsTmjaK^+Hc
z4e<by-&$X$^zr`x68P<yN8pf087`0Pc#6S``N8v-i06a!9J6ep=O^WJtUp@|^#gpI
z<V}X;4R3)RLGz2}&GPwY`E!hyKgY}vo$y@nW5x0*{v6}x&wr-=y|pg?p5#!5_$+_^
z0)PG;^zRLLj{YB|rzDT4fAki5|JLWAhVeP#gkP|}mD7ddo#-#$r1h)F*SFx~pp1BK
z<$4Prm-)G*jC@YxqWy~ee9pHtx>)~89hdD1`JDJyhW01@zV%(&@4r_*ck}0xF4lKw
zfB$azocNhW7wez$=NPx`X7QZ!HH|XXbC-E8DI=cae)t!x9~ApQ^h^0`tzT7b-{@2+
zqLn(|X>I>#>%~fzX?4E;p86&Cg-(|bYJdNC@;U7foi0ynfB#|moc2kE_!p<!6WZT@
zNIs|iqSNJl{5jF(sCdrzjZT-f%RE=<!k<e$)~)HWRp_y8(D#IXi~Ho1v(z8^ysqCu
z?*;#nc=R%O!i4L3^6M^xU$_kZ=w<MSP56Y?pVwaof5eDWJhJS6zX?YitHkpr9C54?
z&+0hze8h7r*Kqn&rJgVJf1;bf=S?`#P2kbX;0Y5>bQA4gcNzS`W$;HYgFh^BaUP-m
zzeMz(VZ~$K1y21J_`C_H{tG;M89ZUassEz=>n?*|xD5X2W$=ehIL*6w|LZS<KVrn`
z&NSIREAe5RcUr8p{z*dE?Nyw2X#E#BPIM6Xyf_DKeu?8m2Z2ZB`Dh7vk?#wECuIB2
z^Y%msfxk}TpWT9AFtqm=&V!Fi{EKMcWxyYn`2PX!vl1P|`(J+<{1J(N4ec|0{fqYf
z5~sU8JE5Vg@5xL2Gr-3<-9-DW#J8RkUv?Q>o*y^AjrT;YBij3K5$)x9mgxU7xemKk
z{)2Na(O=;6Oq_GY`IqP~aKpXCXs_eO`_hf)<=2_sL-QiubKx@hqnE)SmN@sf@bz=6
z?0=T`U*Ob#fzPun-(TXKPUGE>>+KS6FK}uv@OgPo7dVYe;L*$A2@_7^6764i8T`U!
z@JBC$KWxHjy@~g~{xbL@Mx3u7(LQU!i4P0B--OdT6nNf<8|)7+y9_Sv64D+*>rK4p
z7TI3dJ&69o?onkoa{3FL=r8bj;KUCFPV^Ue^fGwDgcJQm``29tzi=7+(aYcun{cAP
zc>n7!gFj-#IsHZZti<!kyFuI|-gB0(!|NC#m$}>r&et>HSv$vxFGB7Ky?~w*oy^a5
z{eYemz0A*bJz@Ljy1qcqiGJq4*Y$?&pX>U=_Rn=aV*BU1K0(ikzUJT8^@{DE>-q(r
zb9$TqUez0BaL+B`p74Glx2}`-e{-DEop8{da8CCkr@MGgbT>cO<ul&P>27|m%jxZ(
z>++hO6Wz^!ugmT2pX>5_`{%kG-~PES&*?eQ-TeEyT;Kk=F5mH-)7|{{s+=FddWX*k
z?-%>vI)-+9e*@=qC!E$h{XMOBl`qh9l`rVeb^bulRsNtq*ZIWu&vkx5&sBb*|GmyP
zwtuekkL{o9d}RCQIzOT3DnHSGU*{{^KiBySo@@L?|9j47EEE^Ei^qi(;Y&1m10v+_
zh!}i?x>uL7Q&15DCVz^~ccX})9kF+myGl8JZhq?y#ixpIB6oqD16hjugDVS{(_Jwh
z%xPs0zc#ZJjISgv9~I_GCgV@H=8qH#=jW~*9Tun#6|iQw?}Nv+v|Cb$3&Lm}n!oo7
zQH?ym7qI{o+bE&}D2jyYUTJskaR-O$oYQ?AtV>3=STnPOK{etfSei~FXk_*H8U?qk
z9p8LcYkubNup0PMIW$vf?cX<uxyd7j3B~q#OrvRT8X{k$r-sL^QN)WV13?81C=N+R
zx0vIQa8FPsA!00KxX~>q{J!R{m_N5XmdNfrRefuGZ)SFFX=l0|c0>?9nsK!vzOcD1
zJ$`76$6P3T_RlW5T7BWPzxNROi}*J7di1y5vc<ot$F~_1iA0JT1y=ZwqL%a_K?07V
zWw!GR%18f}$DW;dW^L_F>zF%KV%*$=JB&YoI5>|Q-=_~+EUW4;t*UIAYUATW1de$<
z>}$8RwKR|2HeF)Pojr38ER|Sm=7zbI^;aJsc%O6dWdC3(FdDz=j<IrhDt-3O$?Nim
zM}O<DK6X8~TOhx4#qv$|A4(RPi59kQX|~<T`O-97v3wr5{r_R^P2eM|s{HYKuPUh|
zRjH&>d!^RYzGbUaW#9L$lkTLK^u9nhYXjY(5ol>}8C*aSL;(?(QE@>=QE}`BMZi&!
zad3AOml?;OC_1jVja~VF&%JM{N~IfgoX_V^lT_u@tM~3b_uRAJb0j$NszITk`MP)y
zhl%8c6Es_dcjFx6N01a?(45BKaHFB1e4~)96Si27TM}q^Wjgv!fbm%met%X#M<VQ^
ze=aX`C8F?u7In9@J(k3*_2@ebzri#ApO_X-X-(jWVbXZ%K5M@cp41$J&q1r=N?HM&
zZ)t5qs)4@Vdts;W)u&BQ)3`6eDa6OMR@~!K!A`dT?5B`}FJJo?z>aVj#y1Tcp+<Nc
z@~Nm^KC7fwT8fJ&`toEHBp&h<8HxaYb~JajPG_^!vIN!H5y3rscOOqr#j~CedxT51
z)r_mNIh+IbDX~{Lpv9>*csu0l?#KKG*!+VEtPCf(-yyMCcq_Y(Sr}}N`vALx!I*Wy
zV07I-G8nTg80=!e-oaqZs$j4ikjV+YjIrFRJXeLiPJ!*lk&rKl-@$b;1$G$t{xrk)
z(G6giDzFpcsPLe+6W_gp!?3o$7arBz3qK*{I!iPnorb~M@`4j|6qSWmdFGEv^c!rx
zSkkySV-015N875LE}I+03bJW$!h>2JYrn-k?>YB9t6B1sr6intr7IJ%&MelZVt%Xe
zsLt$3c+*+j(`|D(tB3}F1{x%PpjM^jlGCN2WgM7w1UoPE3Qux6l<8LFr<6p@^>HD|
z?qN|gq)YBX<R_*1vguQvIlnQ_x|EWiOyUo_F7y^&FxJ}xA>+tcgD=V+THjjjvf4e`
zezBv~8TFt#FL3d=5dW*5S*tu#UxK3VVQNoXB0kI5NNp(SsN+wpuy~@*)(){>>#<v1
z<O4p(Jk=d5E%OHR?8IG5m-++V3p&4EJWbl;;`(WxYo6zQrZi7_X30F?2Uc=t@jTfh
zH=5^j!h6B5?qer=m44e&rj>f~PD(XV0TO-J(J|Bj*btgOAUlSRWl;+NDn2C_d6N4i
zIG|`~c^hIWMUTqzP~Ntq6kX1WaHs+0Jq(6AF;@}6dmDS7s;;+sqcxL5NU{|dQ=yvL
z8l$;Ndi}?^)=+J%72CCbpV{3&(JpaKo?9I}@XFjIIjv4bO5{@kQcn;zw<^qyx8R|Y
z2b9vu(^q*XS3i^vS&1s$i<lDS*{+-EKiHx^^U$Or>a&{fKgTqM_iBv|ZnMv?Z5L~e
z)duY=*G-klg3`0;(4&?x;W%O#^*9Tu<j0iJj#PGz=_K-L^wX>eHLs;imC(69MK$Oe
zaOw`?jn1mu<gDRP40A$?NJ>}|K3I6_(vF=Y(eThp?ur9b6H`<BaGL#oYkD%9pKEvQ
z%y)M-liZ@QDd*<--*j#sX9I?5oivuUG4Xng-40TkB^^*ybU;bLRToD}h`|h~W;>nw
zr2Mi5{LtBd8(w+sRyJ~52(?aerUCy4QRqw`$_bTv6xK3nUwy>jGdLVhV|8t9ZIy7*
zyx~aU7mX>Q=AO!$>Y7KsIi+*wmj{~XW*6Geetqhjj|g42O$bkgdb@h0@hj)&K_EIP
z5W|RfpzeXp|5e6NrZk*^4lW?mhcem)yl;VyPUma+v1xk8OJ7-8rZjIdLNM<$)IgYK
z+=9PS$fAp5*YbRL%B!P{_arpntOd;vl=Bci(T{!z_y;7=AxYK=4-LWTlmt%sgtWTH
z2W%00MJ<YKx(u#VENq^czG8a1ArwpF?`o^wRACR>1|GlR?!_w>?-q8wKI0O!msDsC
zjm_cvgqp(d?+Z6K8nhLcXa!g1^@aBe(ZYA=2lD1mh#$=XFAJJi%Xo>C1%uviO0BGJ
z0(2Jv)C58ab5bH6R{V@63yf7VRzn$ubk2ej@=*B~Sc&6ZkiE-F*a+fv2-naVry0tb
z1jA{;aTom4o3wJFcRC>YQZNRMoNebyEgBaz1sk?+zij)qhF~aSkJMYLYAX!pdb44^
z+v;~PWV+4vcqnKdUb$>#xV|YIbC}&6nE^}p9J{u{q_@@^t0A=?Ba}TB%DAelfX2$Y
zM*9P|Cq3svvnTnc58E5-D)BkQI>U%YJBa;bLx$iPuqzQvnAkDZT_UTHSg?grh8D$Z
zi5M)%YLy9~@^g>A;;kdABX4=-r$2Y<E%U3J?i4N*5`{ksRqW?mg|`Wz!uRNho)tw7
zf&puq!mgGU$V*G;-Eaxz3Kg~Zobo-9?T^B3JWY*SW81M_)D@Q3a;FtiYAO+nDQ*iZ
zl@e8sxC+*>YqEohE!pn**{RL_Q-cGo$%#O3?9#p?S7$Q0iRkD~W2$`tCkS&Lt=n5O
znUvQ(A4%@o+&<T!Gj17do6REskMX8S;Lf6E(3f#dl_Ys>UOp26Sf%p|wD*kIjrEjB
zj5!j=r0$veY$uS7!&T_;q1P@Quc^?D{p<C|(Sl_3%c%DBU!7NHUoTvVIuX9kV;!$6
zypi#BJ|69i7}eemfL`A!Y$lG(;48qpN6r6~Qi#>Pq>htUgluF~KuOJ12~Ge%;g#SB
z=MHFr{H#BX-$m3xgi*{TOrpdlmR9%dutXwB;s=b<Ee%%V{CBQDvm5jH{e3u*#`ixF
z?rRJG$aX)`3gYVGE{r*;p8qS8zQtpPHY4qBvX}Xpe#%dcfJ%yYuRKn<-9Vk7>`gIj
zi-yCNi}$Xs?q0Ek!!dbt(vUYDFj^ZL4A^%TW#1_?kaylK50&gKl3klYA4bq9uL4m6
ztV-CDx6#t-^uw?E{*Q0`#8%vnHjcDuzytpWIB3K78&OX}+An1?O~nD<FPx@GrZr&A
zNS^T?6-xbgWTwJn!zx7589r^l4JEwwwN*xk&1SSVH3)}R?=&@<>Y7q{qpsp&QLG6K
zcOH1`Fje4KymM~haIZs_%j;{BjIsI=(19W6N@{~havZfmAh$QM&j~k59S`aHC~R$T
zX!bd>ZPa=jSX(V{;Q}t~IEO3Y;yiLv<{kCe2fU*K=_FL!gv&^3r>S5hKPYIkkaT2<
zn}j>uO(uJl)!Z017=Lj6p$=W!&a0nk+-9t-yilvN*c*kP|LToz{MFe%j#E~Vmc=VR
z4LYUs6n^zAlcZ{>`%69h!zqDRT&)AYl`GwFnM9RW4Ol&@s73xB;=fd@wyYiqa&2)U
z8VzJ9!(DHC+m6kfcL)#D@4|0i@#Z(b;sW|5%xv0HA&l!5=I0l5g)<df3V+;HapQ@r
zPgd;QS#k2}6E{}u0`6;p>*CrUOVFua&ghoaF)=6_)p@v^tWgnXqbf>Ngj4D^NxXq;
zP)n;XtU_BtIhU_fITz?gz@eZS!t*V79@V3j*0zj475CL5tmzc~MA9jUGGV+@Csh+6
zQHw_k?{Kt-yH^H-S4~U?S{habySBoa-!^dHeKS2eo!~xujQ9)|F@k3sRJtmgrCL9R
z*I?o&DQK3oT6(-vja;fOTrKlLK4<gNvCmxjnPc*NG3R5Pw~e6!B<b6mOMSFuwv%KW
zGmVuB<ET&MPs7vkRH7G>*VH_rA_r|%{b$o_HD~!K<_wQKQZy1^A84nnHu1x3EKZfv
zmW@Nz{mJ1+T~0_xAVW=Hqbk<;sVe3=jXx#)=!-)CO2?kDcw}T}e&5!~sXG_M^ue?C
zmg#KQLc3#6u8+b1*bBrLpdaIOoCADMIhj_rChPZ;osEd9MDgxCR4P|404qtT^`nB4
zAOKTKt4p1`Mk0}s-JM&eCuXN-CWQx9fhc?Pj6AknTj6Oyj$!6BzNj?5ZkbyD%F!_i
zu)%1SRu9V~xo|g)Was)}5RQ25+<NewqFUIJzgy)u>*WG<LU%}dlmU7aS^wMzPWUS3
zhE!s+#0a2+9KRm9I5ps#YMt3t^_M>zR;J^lo`K+{g98`MrPA{k8{3+veUXC~9bDP&
zch3gfQ(JG`y7km@g75`B{z{D14N0z4i;z6M>S!fBT?I&|v6!*B?xZ^Jn1f?kpg@xF
zjf?_Gmk+U-kft6ZMIGCK>=yaN>Hyk6&{=Ofd?N1bJusQ7xN&v$75dD?-tNI8Q}OuJ
zk-<n`+`c?Jw`@=J8WWqYoGif9Ec|Ks@MNTU+shZq>V#o_$ej~)pa<$hv@FwuM4ak$
zieoKoI?@hfh6!AD_(vuk6)oot5s8qw2@OfD4OvhZ6sK!?1+!Le{3G0U;O<xdQ~z9K
zct`fxXLj!%o0t$ZYZ{@>vU^kKOvVc3aQ8RTIEV|9;qq7b3Dup&{w3WoAoz>ms3R-E
zI|z<p;EW||D!l>vlcK9jELfeDN@Hh;o}gdKYr=UIX@{~VLbV>PY^5B;rO+sgos!{8
zLR}nLF<l#XeGtV7Ux5R!uEFGU)lUq2QkK;Z2!HsFv$d&p>tMv29W~bMtTecjzJZ<!
zUE!<XB?sTB(>b$?-Cgr-c4@xfXLWYTPoUR_gb14#=_SxJuy+(sN13cq=T)rr+9@-e
z*&%l9A0Ck*`g1E(M@yvI$$G>;eDLJ(sw6uGFI&hoFCHBn*zX^3_eZA>82|V`Rr?mx
zW1fNd5o2Qc)K+YoRC{pN?ccs~@Ztjz-*j^uhK#wuZW7Ki-N-7hndb9M*TRU9qxusp
zSXnJ6@KT(95{%kjw)2a0Na=j1x{hicFREOEUG*$Z-QkB@C;S8+X-sk-UmR$v%obHu
z*J7)UIeb2c)91U+;rBc6bI+>yWYFzyYI3`S^6S|?#zfg1oR|~xW})vHFiFUB@Chge
znkc**%8BsvXuD^y^F-ze;aot^Xp2VdeFi_0?(1VvvKHfPl@y&%(t;HxoD$&KA$2$+
zyQn5@{yNf&Ywe^LhZ=-UQxbE|KXRkVZK?~U^1`D7le053eWi-BEI6Pqzh!RW!d}P4
zxxQQ*@j?i=>o7+<G)1MebeZf>sqZvVnM89o(43a>Y+1vSbq{u)67#k^BiBkK-I4e7
zk!%fUUos!0iJFy3F0HPuPUX4u%b!^jj`vSO>|mJ+e-iYH1QePI--m?89KaW_Sg*t!
zTxy@5GHpSf0k6wKRu9(}M7AEJInhd)nYL8C@ljAj<_J%){od}*Z|e(OH8^f>w#b{j
zV{`YXKRwh<`=0L)lF2LDYhd>x_nPhXd8VZ>8&Z1>Bu}%d+x%Z!ktlEBc*&Mz;Wyd0
z56Etu^O%$3<2^Uy*Z`*?aWm#bU1ZN=RZ=WQwJcBIDW%q>_%Pj&^GR`%;g0(Z0^~CQ
zoY`Ack6il>hSOGoY$>wK$3&{}Xy7#t)f3ibbX=@8b8o9mxm00Q&(<FPVepO+oU2Q#
zf@byMYS}h8_6V5<m@m=WsCb&~nGspO7896UER^^6=CK6Y8l;kwTbH|8_|~B90PO}=
z6L_<-B~-Wc+itpP^*{cjH@9n){L=a1&hd$f**4*qdyXF6bKH^~ZSC6BYTwz`*O9^4
z)Y_)J=c`h8^E~q840JF#;6eTrE)iudhWjbF6yaKn79oxx@AMi(r`OGDS<|^xYVMMu
zi4}ve)v$A7dUsXf{;FNZ%=S}DTW;8zN^QMi%hIXs8F6CIu3dWy?n{pxxs>q9>z2+y
z{uS-tGHpdgFKh~+kb8iN{a2)(*ceC6!YxR>bE$(AbF;}!CAD9WYMPqtb?vtC0jt|&
zuQXLT+|~a8Qv781p>F*D&s%0IDlQRq;XuL3#z#C-cuw1c43r$5h1Z?i_AFKrOA3eL
z*gX{v4Ky68p%S?d6n?{s<O+y#vs$&-H;PVE#=BIirNjMNsTp@QxG%yv(3oX!7}-9s
zga9GSi~230Ckl^tu!bnUc`DHR+SjgvALxYi!KZo)|4u2Xw1;$SW2p3f4=VoMS!(~4
zc?~2|Vrn8)460(Bl)Q44&w#w~Lp2e#@E{tXeevptbYvG6GDc>{XFgoxgEaKueGu;n
z7Q-v~6`JwAcFZxzv>IwE-oe(iA}9NILoX>FfJ_g)_*{fJ`EPh>A%WK~!Wxy`{Vx_6
z_!F6`pxw2#A??M$+cHj)L4r`QI7R;BRFVI<j{to|0EsWDmV{KGkKr^AobnJIUq!hd
zA7L*AeDIh_9=K`)&cb*d#Vgedn#b#A{A|I>SLC9x5Xu1k@8bi6$UmEmI%~}K_XrUP
z$=b(0sjU<ZEy=$%OrTr%8lzbw!~Gk;k9W$rFT-qcy=t~PYDNzQu4Gr2thi941QSq5
zo0q~cgh-X}io*>IEgdYraHAS=c;n96#~zd83+v(zXW6i^x>3k0ia9i+j#x>~m6Q*s
zYQgGsc&}I<2cf}LvEAg8hItw`QJvI3mLysR6yU(>Q+9@|Jm&ZtC6Y!OGioBhRY#8T
z|H|)8o+tXy*g6`odE{f2sl>S>5Q&ktfc|03kL2+x<`;xUSu#J#WuwkdD!0Mt9w{J_
z2aRH3#7F4BzaFooO_Dc<7UVP{FW4Olckq`i63pxM9)HFNw2?ErS2y(fzkNpy-}H*6
z!$N<|_5VM7k7GVV;#HVW3p93VkE>jfFAU$X#O6HGfQq-DJgjmDKT(lrH0f+f$BX&+
zg?RDCQHHzT&(AgotpSbs4X{YodxTW3qwb9}up{NIK-6Vgk5!5cu(7s%V(Ti44!m!l
zMCpnWr_eX)N8ba!e40%%zRF};nHi;e&UyYGH{4Zs9t-%9MP9zdEcExSM}@X?hIP^h
z&llGrzrqhN-n8aodA#aqqy;Z?W}VmbfTR&fVzMwO4i4OccT=?+(yDN(v?ThYPN|$c
zD#iE9@gGd@B}Rah$*w027GA~3Xnno`+Ax*ThPpG=21II<h_gj}8RNImLdfx=kl8J?
z$swav*hIxaBRZ7JdBSaYX8rnFpOVU?K3U}n#05@+C+JyKGE%(cYA3RXne+pNR#|y=
zuDuhf`Zg8*u(~Q#uac9Q%ta6?S&-yp77z=99f37(T3<s|Qnu9bs5}^6Z9I=$U>p<V
zWubRGQ<oPbDe|_MP{CL(-&H3F!Hyk6;g-#p4=`^_Uo?)cI0u%<*W#bfR6p{G>W<~(
zQ;Vl|G&6rouzyGAm8alv2{l(e3@rmEi-kWi-vm~V>&)~wY!IauWm%1RH9kSrGj*&(
z3N$ltQ;LL8|J7<>&&GHu2|%iwN*m73v`X@>bfTwTN#{_qQD6@5^8C}uNt35uSMM`T
zUi(ki+`9T>Xp~3qkBmp7<B|IdxA*?|#~3E?TnjuSR|dS`;!;^qrr}Flj<F|NcRj|&
z3tH7eQ1gzf+=EWlfJD|&ma0luvQo-qSgFic?G+ocl#HLGf$&({Vy&xASL-lty8iTo
zH%%EGbvmQXFn;}muiOq=xyPOL`LgbNgv~<#n;flPZ>!@?g-`#CgaP70m=Cgo@Z5E^
zcgr}2N;ljuB=ZBF)k9p?$vHtTv{9sp2KuYbrO_fr$?GFVoSw<wKrw)#c$G8&m6BC@
z;1Lru<51+8VLf8uk>Re+B9F(?syu?p3B;?!H~aw}&D^%ZM<1Q(g|p-H8~Oe~X~-X9
zcKRDY0~GUrH(o`aKcgK({>%Z*8)Z)Wzs#Un!I~^$9{)edr4h){kLq~jVnzMjziVnu
z;YbEuQpH1}Hx%;X1sxG(H;wSOW!s2fv_;xHfmABsX^T)*T@kwpxi?rN8{||B83ITV
z1V14B{<V2H>rk;lT8_7DKI=4QB~wRyv}B;*hp5CLwi1nD%$&v$Ndg@8KeTm>Pr^4P
z`P_fPuH!L=Rw>4ihs?i(`LAD)uY=Di3EvX;IVB~Z6U!N3y#&bDgkA!G(|wg(0_|h$
zZ|<84E550ufC#qYvpTN8dn9-Ze9cc#PbVmhg!fkb{TJkLH$lss!QQ9>mtGfSBEwp4
zeCT?X7d#^;luMIfES!{!5M$k>hss6Jc#Aq@3{oLvlUC2SI4S)~!Bo^fvkTs1*QYlh
z8@KyiHiN_39q5|RdMdq(>BMA*x2bPSYimze)<5hWGQQ_6C+^r5tI<|gR#hA})m2p0
z$0i0sVPEgo&hEV<;l10ZrY8K!;Qm9HmzH`x3IB=n8WzkmqQ*BQ-lW!}lw6?95+DzA
z7&J#7gs>!^h+pzrq?Aj;Pn$rkW|1_-j0sUj8%yTIC;ZLy=M&>uZz7TI@#m+L`)6B|
z@s>?H+B2=$W#Rc+Ut1{LY1A3=*+?!_FN6agZ=mqeXuuaHUQc7c1!FJohop{M)uFjg
zK>l!Y>EW=6d0H5KMtB~*NU^?kYs;b!_iDg$t;-3OG!FHiQWIg|f-)FbOcaut%u;e5
zl9VPr#L1r|<%A9j(8nkv6zL**coc8Az~HGi*PHZCVe_o<(0}M1=Fh(Jfk$U6tjUS4
zFBh(wee?lA*R#bVbYPi4r*x+Jn~WX<00<OU62E{tf(f-FhUEBB$Eo_{&cHH4eQdU7
z^crUbN!~;rbtCVP1LLMHiX_A7Oc$MXB4dd%9jTh)X~e%m?1UHT$-I$l6Lb(M|5G2!
zBaVfX81j@NT`1e`&{OD?HCZR6B&4r-Td*$JP+e`Qv$l*iruz<~LhE=70(Jle>Vj`O
zdDY<I!K(yeQ^cmdv@+Fy=rf-=)Ss%nRBMYYtZAOXf0#PvQ3>AgCCq(X_35ZnmA0jt
z#VG+)0+s+{<n<Y&`r2nG3JjVhE{fiAl4Vew@kx1u@O@#{31B9K*ABeW>9=mYl7DQN
zd^$Yelg*Xqdy;x7WqUIGu<TflAZ!I0K`7u)Jwz(S4>)3>K>fhL;lY9WKqzLn)>*2n
z%{~iKul$xO;LYNQH~H(Ddk^<EoBU022fM)HuW#zK`pk5J5gh;mtIs^M8i+fpfjLL$
z@I1pN!3m!d+!mQX9C855DlI(^net-!oK&Kp4L_^5gksXFzW?4=U6r^baqN}%zW){1
zv|ZBrGNJlEAH{$FS@^@#_>Zqy0QCDH)-0{^n6jF;>LQ+jw?sg^LXHjd9;#IJoMNct
zO);_)hQ&DuxsLJ#PV$H=+~?WsuI84&Xdu&n!SrBDb4xth<IP03cSOf?{&+mo8S0%g
zx<WH9YqV*2Q_$=4HCSie?)qRyDA;S#8M?FKt|)@3obS8<Ug0RqHQ8wI75l)+7NN`=
z+CQY<H()Osuoqd(jfTp6;uLV8EKZY9Crn?d*J^9S#(OWhQm@n1hHCE>p8r5}Pm811
z{@a30eg_<bM-V@JLHsUc+0OycQ|dKF%f^eQ_J06JQheCw<rNff;2CCeE+=sc@()uT
zd~{`##2IPIeB|7#Bhxb@jp^f4MKszFsBgOe)X5p)`63dWE1boa=4Z<OjPVuqZBR);
z+O1*Qtzo`fDT?c4yH(BLB;gw1`ntReDT2uuk(!0hb{c}~mBQ1OCcn3KV($3y*=~DZ
z+-#|`R8-Z}xee(tqtjGXUC~fy)T5WfD<L61b8T~2tG!ed>K%u!x77+FZ5suz&u^5g
zi6={2Wcv8<wKu)<gKX~7o}lkmVL$u;G-OxvYb6Usr6DzwOG1L0z$5`wG|7<#@@G)K
zGwlq?yI7LDDfD?A)(S(F!&g~jt`g>t-%w?$GRzojE)vB=%lupC3pU}l{_Fd<Y~}kF
zG$jsToDt0)*&-;@4b)K(tz&kKKGxH^RibsW2@M((uA!Q#JXX!92#dpGLX7?qZD$*R
zn~FZISD1d)g27U)tFcwjzUm^aPABRNF2l^&9DeJB3iJzk{$KoE9#5D5UkbJd8rpJM
ztAEt{*kj%?pEa9nYj{9jGvT+GPf@SO^USBz@5ZwfY41u|iZ(Dq?A4HM`uLN_kK>r`
zBaakpPdz2e>%TC0om8ItGdx$1GX>J(o#(mm0Dw!7PDOQO2|FzL78=XDj-L^pr!}J9
z)U@Z<2E=Oi99|oU^n{1m--uiRyYNP^y5~jDm3)0FovG``{R`k3kaiVpZ?j0d`Q!Hp
z@4rX5Z5Qv`Zd}U?KSIaYO2mFhhfHA%Pod936muKWd`X_4q$a6d7RvfRNDtO4r!!P-
zjTg+WWmG~@Yw9=2Yxh%z9%V8%fq&Y-2b$P5VQA(~b`AC1j<Fe#$AR~cCGRx)I$%~*
zhnM=tBBF(RkQ67W-h)@lHtJ`eP<N~WyrbYkCnbq89i6gtaJ<J>q@m+Thr_0&%u$y7
z1~ok>b-=3Bn-O~*(OKKv+Yb9X#v<NktL`eDBkxX*wmAK{@knb%_YsTVYz{ZX^6i2@
zna{MELzaf{<G0S3EWGEe*);X;ch8!vp^@F)RFvO8b*o@A)(dqe<MO7(B`VHus4x7g
z&Hy?vVV%Fm)+Ed64f<>==*`Gu?q&J78?C;q&C<@T07l3QRhExCef;6$P*_2PR|#)q
zdMbNf9?yRY&$E{0<El?8j-ru#SMzbnmlezrs+&dL-46;8_Li{S5%FiHJ3PnRyF-EF
zpQzATQ{!!~dtGx%|7-yUF_&$R;kiXUEYGvAHl87;r}cTb)5mVV;`U?mJTX`PytQR*
z4W4(dJY03QD)*MpxXD2*S+kVAq$FiG%)=G$J^NuciW$QL4-}0A)&be1<R|WBV{xdt
zDrLL7G!K`13ySwS&%@<hhIYH0^+PERq*I-Kr(hXP&*pu;{A_x(_ks(0!3f^p5baN;
z2VxB?vr~)*kes*<V}ZXC7S#G2Too%Sui<A#D5o9#5Ic^a(jo3j9XW^wDeDh5WZ8%+
z%+znV17q_0F{X~pp+gyA_PFqT@u+@IY!X8Qo=7kHiZr(M(H3=Ns&FNbI=YRpk@4(c
zj-B$6Odp?-F*7rA!386wLm>LJgCD;ax=lb`p|Uy?#W*32hUY#JPPpDnmY6Kl<?~7#
zX54-%vn_z4-~OIy{bxT@GnVzYShMa;*|x1ik?`O)qt7>PcA%}&P>;nt<_!9W4vY-#
z9}aLF!KQi|<8*_Iug|$vaikWhmt<IRLd80F2<6<OPq4DSYNwJQ=dI+5g9$+kT%2=D
zegT$pYZrc#p6!lS?mT{cmp;}roy;uuHZ}DwX0x50+4kOEqc^|M{srOrM_Xq)8bjzC
z(~rI}dsk+tq{hq&o(+$afX{(DvgxG}OMxwQPLf-m*@4ulj;Gbq8K?#(PlyYWUChtL
z5G4e2DM24X1(UM;+O1RK@ta<s?DXfRlaGC*zrQt?`^ZP0Y#8fI^@i&qwS_k~MZyVL
zKlmoqqyc4+uI?9*(<s~dR0~{!X9<q6h->X)1!Qbmb3&epl!B?sSM{u_G*?x=%B0kY
z$+(fG>A+6}J}Tr9L#c0qdS_>oZ33zBMn06VK#3p@y!x>bE99ecloQPlQnL(PI!{7T
z2PPI-*?J-AXfoQWEj5m~&s^IWb9vgl$0sL`f8-+-zUkJTdwkuSzg$(ZO<Um_xOAy^
zK4bR!3SSdD@)b)<y~}&O>091-^o|`7$)0&TPFh5@6s*wen=~)5^^tU(;yra<dxrc~
zJlCI}M<eM^y9?*>NXCN>&zFU3&u$+K$3|D$TP7Q`wv4A^qUOoZS55W$I<2YDk})v6
ze`xr?P$1x#G+TQIH%*MX%~L)fttI8FzKQ8#&1`M^FpH<eC!sgNeFb0W53sPTe!MWr
z=Ev&CL!W|YQm8@x8fD*?=isW8D;*pM<^C^naGid?6S=o9b6^Jex%;>{+T?aMHMuAc
zm%pBURN|!=^H<l}HBYlSP;Rt{9xA^R{|$RA0G&(8!7a07iaDGKs}WPU0?&scu21Kx
z-SDcC1;cp-^&F+1tm|zVMIcBSxRuCFB}vuKOdGwWsoGeh6UInDFrjt-QC&@~S8$~-
zxFF38ooM^iU7HnQA>20ds?j?xBtgbxg~;tPFXAB5K01#^LD{N2GJgi%6S-}NtU=Md
zc#f?iL1?>3=L_Jk2-&2uPapp%lW2Uv9~HthSTZP-VLtT~leM5Lc+`cTqhfcZ(8Fy2
z3|wIQ<iGho5#WENxq$xutc_rECsgU9E`>C?V#`{#r+Gw-Y;3+$0x#XN)*_4arC8Vh
z)_up~`7CU4ru#vJ2;?=v{2)&@$X``0ZOUI&t?m7|KV$><LWu+HW)e?%f#Hh#Nc;kP
zB!DxUhH7Lnn+CoUoQoj7JH56n{1WtiuH031H>!wTpLI=CAm^?^pP}5<*!1zoj^AZG
zq?5Ed+XG~tV$DdWi=wZO9n|z9xvNBO2DU_`SXN>Cl;*B-lG`|UmA1?KZn@?7Lk|th
zYSeJgp+h~wM|NL$;qJ?ev^(I2_${+#h5uqWF=C7+=nCcepc`R>dz1wXPe7G0){mZv
znv#4_#r7x1vFxwWYd`s+t2foyYjjohh9=ukugzt$Rn%77-8Bb<=hwnB(dbP0=)$Io
zibJ9<5-5Cv)(eYvm-tp_PA%u$y~RpPv5ig5mk<^BLBrl^m{JcE{zNu5?uk0m!aG3&
zwW?lQre&+q@iSOO#MPyRkvqZA($Er7-7vB=5V@xgu1s`>a*ZPhMci=1@h{~oe!S~-
zy<hqgdu|PEIO=QMyguhs?OH7D;o_W6#2wC?^XZgwKB<c^&-t`sOfvU%;ys;)AXpHu
zl=B&drJaOa^0IX!t6B<P<zyeQl=FG+7y!%idU+dj@Si+?7~s%O7(3+b-#8HP9<qHX
z2EcJMt9kRfb!Os_>7r^pT|$$jc{5dyipMu$k<K8URaUvVA;w(+Jb8rLIc9(cau#&q
zwF$5NcqQ#<9IsRK1EDpI*J->?0X~bmMo2ah<owRRH68$0gZT1_nhL!&-0-)@1jJUu
z1MfwxIjtcTdg+0IYQi$%nbY9&;7k8UIh;%dD<&j0#K4KBlf@KXp+*^w?goKSWI>KI
ze3%VZ&;-D%DaO#U{*0_tF+$}|l0avK0Lx0+t;7p>#x}1NL3$!d@@DK;2TFD**_tmB
zXs8n&)P=@E=ZiHsVtHTf1OHgzcAqES;BASxD&NP~0dhzTVQyYklB<)D$XoTEQPQIb
z&4kDs{im>ZNs`n2B%PNdoO{TNBT<yq@^Ht=nd4>N`^)yQZCUETzaN-qGLnrg3Lo2P
z#L}XuZ^uVKXMT&%UWR~8`IHfD5oAAe1MnPvdNv$i)^Q#`z1VGd;9a^%%Z846B4c@c
z&;QN2mPI7WFqYM`G$oEF^6p<jxB)$qy1|H%=kOiFdbw4<d6~>mHHI_f=Y>3_RpKd?
zM0+IGjnCi*d3A_+z)-W{Iv3-@q*HMJ2=m#ntlE<J3%PBIBQO*tWD%I#b`^zS<_iUi
zs$#s*<1fW{V`@CPOpBN7OLZHm6Obq{N>Q39kJ7Bqv7{NvQift+2Cz%g@Tt}WzK(ZI
z>$FU1W<?qSRo=j#6u}Yu<p>TY`l2x$OnRdrj=WCfw>r0HNZMDJcX_TQ(FSrYRV|cq
zEiH1$=Qvztk_sx^#`x(B_A$j%>eqLEm6Q?{xoVyz&+XyfQaSfp_8pQmhDAkoY>pxk
z%$)+yDeatR7APuloScVG!8eQG1UU|=rsy)o2w=0V%aJR~bSP#qJhzhbM4sKixg$9T
zz#X-vHgs`n<@a^5;TCs%Y^AMrys^s~bM(zj_jt3m7DwJ&`@sFx$-(6g_-;b19U=K{
zT;@4zqaK_OG2pcUiZwt}S(N3x<XBZPRXoaKClulel%@!CNm5++b|RKe?p8;xB=ykt
z*-u<OPs*mjUNe8iKRu3avA>B-hQpJQ-xO?*7mvk`u6Yu{ON*qAMcNW-NJDi4lT)3H
zdW6W>cxWlfu|&ZPO1K~u(aOe!_Oj(^ou7TveDgbsMtIMO*FXMvzC!qjGRnnX3==pr
zVSRrGoSiGDQys0Uwc_y@f(b)#Vvtm?fuboC?_Hne$#XiX(k~5}azteQNGcD-tf38N
z6@^}6mN&Qd8C|tHgU!(KvU_ho*=cYXbk)}CmTTU0fW-L$d)j78ISvS#=l57sR{X!`
zk8fpS9rMX!&)6^@$=(3pV5?llpHx(n{VL~iP%Sg6(?(-OWLw%P<*^3ZG4J185^tEr
z$Vy`l%=1pZ9kMf+4Gwunf3tiXvLCh2VGStuelcE=uSdBm$Qv6+ocH}Q)hrO3T+pE6
zpEQ*+M*7#KugFO&Y9b3ifGrm+dnxHF|EyU6f+jeE<PbWNcK((`mUXFxe}}x5!iQ7+
zF{`jk^d%BLahG7F+{(W))kU0gC3}L&j*euoCy8oL@|r=a#xz~>+W2X0{IoXbPN{?v
z16)xWHUbnx>}5$Y7IJQ@d8Re0_A2Gbe6MUivNp@JX2iad!E!&(+V3>KC%+HIOEkxF
z6q(P0aukW?cuphwrHDT#zoUStpk%*)lU)~(uH(Mu2<-Z=vg^LU?+==OL3|fznEOT&
z0=#e1_y59t(iF?q>$6meR)(|h!!Llpxeo<>AtWCP9Nj9M>a$DmZsuDN5jXyw@GI<%
zRzzF3%J`RTTh*(r?v2xkEg}Jjah^`>Y9ep4V!cd*=)^l7_a$8d=gw)TOTJz7TP5)X
zElEnVq=Fu-<h7h;iF(nj!)#?{p)cfa8HqX5O*Vh;Qb(jU;4s*2{eg~=Se-50=4tAT
z*@Asr+w;S@`0$*?pESau-JYJv#f(&U&mL{@nkuw9%Dyz#i4~PqCZnOj)@X6Gc8w-G
zwhc7xogM2K^_!OmeXT(tQiop7zeC@)*Pv<YFtVdIYi^ctA=#@N@rg6w9|F$rkbXUd
zcU??(q?t<@iNFu}8(5wy-UskL0RKxZq(0Bzp{Nr1S*adgm4wv=T-l7UzzD-0Dj&26
z2xyx@$VlvK)}mc6Px3=W6my8F@06Hft)val<-c4xMUCR<p&jit8mp_V=2NNVctTfE
zsTEtYs5J`6jj5%0Qm4~v#b)tfpeOBir+Wg*Yd9PTgu@2}(TM6RW|ycr{G}s@n&(D(
zeW$v60IGKvG)JDg=%5S|JoaRNEZ(2A<24?`>vVIb8UJOPzdSSq+SO`2*c(T2t|S9}
zZ(MVWjA<!XLCwWisZL_iQXV`^Mmpk_f{AllL$~BXq9F*Swr5X+r3`7>nBa6P@4~p6
zyG|N_@=l-@x5T?1hWvi%Q*v^1BuarL_`xU(m>T7x_!=r{(>v^OP^uO+(&fgv7HGo^
z2#xC(ZS#3A3Ou8ru_N6V9i4Z^vyHy_WMk5FNkdmO(C79>7Zb6AJ59z!m(%Nyr5kgu
z^g_TB8Zvs@Mq^F+OvD_WLXa)(o*NA0GjU5|J`moX9XOV?HdgGd4!HwSQRirJyYo?Z
zxVg|`Yltjm9BsblF7VSh_Vc$v#|H4voQzpXL)wUjKLw92A)^w=;LH?3CS<;`nODZp
z5Sd4s=%5aoKWi>nUA=&Q95GLQy(i|7UX34m_q*TwzIVO*LpxnPyT?X%bvYbeyGF-$
z_qebxX28?FD4xWVl(Y6~E#Wfh`zg$VMns9+lzAh2a!EC-fojI{eP}tLV9&ha>eg}J
zwwLb}-aS?AYB>9!d-1#=p7(X&z>mEw-Chd7s~C_(3`mK17d?;cBJLsOCn<Tk?QCuU
zY>R@Sda1rIBZvWk>h_OZIvYn?biaEjy=SC(ro$T<TyAmoIPM)Cx@`AiINO`_4z*-G
z*{O7L`^sJf4-bM^1s0R~H;k`E%>`5?-Uj%f2=r-a-+qZh)WH_zk$Mt=PWEXGpHn?w
zB4If`%~meQmaudJN;>ARHeJ-z>78lq7;Z>S<y!`0=Js^7-`ktm)7?Cm_w{yk&xZOp
z8#|&i-b6OzihJso>l&l>cqZ658BW_%gYo>7Radt-m>z3!VQwO_DK)}Ru+}w@5=tye
zGTv0|t2_G)@F8cJl9otTsg{1Qnd$FJyeDI!8X9pu=z$~;MSp`is%i@7Z6qt@Y3hYk
z;U|B2?c!qL7x!yLozZQ2&nDq@g_~C1bM`jRoX6ElX;=*RU%~jA)Eroe?`$+W9<n8l
zjd?MdSBr5G3*iA;%47nCL&_Cnog>=<*K$#w(y!+)4&}U4t@-hxoImO9v<S<;s<p;k
ziRpYGGO*d03(YhphI+aO%$AVQbKssDgA?USJGOLr8D7)a*WU%rG{F<C>>|nKywS+d
z(6|tDB5y`%#FdUes8U(+^n=Th-+!I#0KXF~Ez5(E<oM3Eo+a;qxzp>*#a*IjHk24|
zYYgP4Q}ND@*2ccZ>Oo^<?!@ArS1rerz6o2SvvcQ2DDG^VX>Xm+`*sZUc6SBiTjwyU
zG#27pSOb%qrzBb48_fi98;KL}q9D~MDozESK?63ER{wsTJu%c=_?qycuJO28xAoQ=
zuN^utG5+#bzIhMH8j70`Ka7DJj^a#}w7sNE^o^c(8k&$rTI~Tm8Cm<-eKmL;U_!-*
z&w1`XowDG0Y$QtZC3x+GXRTNo;}p4;I0wq1%efUk5ov3*N15JZ7lf9D?w}=*a741+
z>|_E-R_;0{iW$Xy4gRjhN_S&hCem&VHP<%xIul(1Uu?|iZXSyH+TsDD&OMcl4Wyl}
z%wWu!iuesWqd(prhzz#4h2!qLFWH$%I>U{Q!Z+G8?uge}YwwG+c4NPi{`ocFhkAu5
zbQK}}8>i(J+eo!h(Tx);*vRNAf>|R+1H6;s#i(!%y5gdc=Z>K66nED`>*KawF-Csp
z>33BRH^;hiw(e!`K!Z$JbD_i-BdkO-=q@q7OPC17mgfd~y1NSxs+1LzD9am}yBb8d
zHI9K{y^G~vO05m~S4coQV<Ec-0^mGR3MHIJCUzEmrpiZW!e=)75>ENm8xDKDk%%fM
z8+-N)5AW)7xw>`@5AW$|d@vdeM(Jn$JnWEX3f-P(9$bc#G$&cXXFxm?y@MI&A{r&z
zn|ucxcABDU?9<X2Y9Z__j4~;&Qp+musWWq@>poLSQ<L8)a}tMqp~8PB^P_vZ-34nf
zA~YoOqkH>c7>V#7APx>XtAnks=q2aX0=R@DEuc6@gexXwF|5-}oE=NOf$J{1=(+$5
z23Oo$U+;~(TnW-r62{EdlMDBK-~;z9oZOn(>+0S$GP06)I`b<dBfGjuZgHMu15c__
zM_0y^q~Stm;5>=WF?|Z(CAy~^WTun6`vfT@qK2s>uVVLxcS86w=Kg=JkEDk$o{qJ5
zL<ZbLnSH~V>8vN*zoi-a$ZbXXNNankJ_4JOa%7;7h?Tk#W-HQo{|H=E>PF3EQ_|;<
znfQE+ecp?|e}?%~>c**59pmSu-~C<q`F%QDd@xh^58>^dW6^c|9AnAh+5g3!J!zz|
zQQyb^V1G}+(AE~wnIB5MQgiqvQX1E#0*WoB?td~1RN7;kBh<uBub1rq5-RK%GW$|)
zcgklT%z2|xw*N~g@yb(!E5rd-22Wl2!P5P&?w3Z$E@l6pXC7Q*rd>lGLvBsdDR7Mx
zYo`5AenQIl=P=@Q{GF^1$TMUdfFxBj$*4}8mt)$0$?Uu>=4Vh@Ihc0SJDs*6m?_z3
z;*dX7_^CbXRoH>u*5;M@0q4_m7-^B6BIz@=iri84L|Nk^U8a~HP%VLVIt!iD)U+;k
z`~BUEt!)eRy3p2<&vzha(HNV(a%TFf*;s7$s_B_4XJb3BI&k1B`T-qtJ7s7CJ7wb$
z{Y`eth0|5;hJsJEQ)V~d3+nU!K6c8*GqG%26n09A_(F##(6iX;?s2?nG`DlpM6jhN
z=^bq8@U%~)qEpkG(yE>Ee(;4k_;Ds=y-6Al#&?DiV?jQ21og#Clllz~iXnaRT&4+A
zlwQ;{@wA4mFiv(b<D@GCL0i9U_Qve-mVjp}oOYy#;`uq7PVY(N18L||7%SN)YafSw
zGQ{kYF?m*!eZpo10g8X5HW!;C=Qc%9xcMcRB6IIq5biD<+xecteV$p5J15y9?+0HU
zf==Hjk3_OX*5Ow*Kgjf;<9GZJ#ox#D*pUxUH6}*;dWOsmAz}F7J8Np3?Q<RZrEWUD
z0v?N=@WQi9K8$0<!S8{?Z(-afj9k*EC0U7a%gHv?Fx*I0cbrpIpWAxJt6n~QaB||N
zoA2IB&yjR>$QjDT6yYa&Kb|uO-86{=5$Q=G(oI7eh9PRILI)I!mC_I}L`o^rdze>d
zV^vf-O+uWb^5=o!#;Vb5vZuq91>rcefnZm{rS)u%tQ-t>&Llfm27<47p(%M_%V^)w
zP~l^Zo<*z8k>4>Kid}xVb+OBzUOF-Jq0<~!bVmJ$7;~j=J6N!+R}2;F6_O5z8Awwq
z)+@*la~{1yc!Jo+*~joOI{%H_YVrS`e>9I=I38|ok9L87>>SQa!JpMRPkxS9oQHp4
zJ)KxT@DHr#PDV#=(9JK!A>d|L71t{m{p0i9>~mGNk5|id_C;L(*V5TNI!9uNs}SSy
z2Ho7Y+Zmlrp1S$&ee_(^CBPby{xZqN5ym)wz}9R()=c)H-BYToO0sDq@1*RF*+@1~
z1+g++RU=EKgC|ZLT<=LsZM$*n@(s($`#<o(2X?yq_D_uO>vp-i_l-~N?;|EA%PHzl
zp;&AZ32i(&(ooC&Y2;NgoZFxFF-B<5sB-Ea_{kK1T3KZpDZPjJ(|G1EtKtqOKs`t(
z&k*8*^kits=k%w&{!Z>qgOnm~T4-RIq}1J`Cm-9?(Vt*4DmR^J-n(~Siz=f?ccr>x
z%DGxeMs17>8byh~!pPS9(&AY8^ZC+PUrX6p^3r{2U2}>rE!XNwdh3_#J#j~}Sr7u`
zO@qKnbk4z>wlticfU`>WrM-d4DkU}}9hKN<c09{R6<)=DG(D{ZR=kS&(RAg0G!zZs
z=bg*_Xb&t1cNAW>^8umqE)rg>hYq(1-T(=poHII)|GwOh_J8L?8z1N&sV5)W!Mh>I
zvYYbxt-U13L`jZOJ*y&L$9eYk-_eI=-Oz_N*Tj5iozqG3p?L<JRYS(u=IghTJ45nx
ztc)~8UD-_??F-$$9U}w%15L3#TP3;jEz~k9x4AZ=j2HEx*%Cu7<U{KokC}Dbxm=z+
z^_si)t3I^5V25-dDy7&W=c&ki8mBmAA6h?l826zW@Y>IOXkL7-`p`0rKaqWsV?08M
z7@o_ArUbS&cA@!`B`!2yz3f8Em3q+pQSL$W=h8uV(B?W~gXBRQin%he06b{HWUh&M
z&`#zCQ=QF8SJdk)Jl&r0#QkoQV>AW_8lx-jL%RohN?PT}lAfZj#>PH0SzURlKC~jm
z#U%dLJK(AsZjE(yxO%sG2P|DaPe;rpHqM2%9D!$6a-gjUlcD(DEkrzp4=WC|rr6<&
z+7`Qg(M{Jb?Ynt<0yH&<*!I^ow_zR|_PwoyBMfeC*$%FJ9Ti0iB$LK;Q&XCLNH(!P
zy|_ocdJjpvW^NM$-2;J?7(37_MVY2tZ8@RZo5=(cnavLmT85&Lra)|<YvwYb7xJ2o
ztEBhu)eL^Fp1@lX%Y7Bb5Y=66N3U|-)xsg%2pxja|Cjgx>WgchL;uSPWT<##y;9Q3
z*eH!uL?0vV)W))Ut-ff^*VJoQb@fqc=HC*w9y?a}(2o=Z(7oq1&mpg?<le<uGE|_S
zItV+^Da_)~7Tx;-ZT)<`u1C7}$BqeG3m-Zrn$n?QIvorFyRvR_oA^P<;smr}Nr9AV
zqGIek>4qO(q|zv1c_z^TU76U`If|$D_KG@hBxp}X{q6Rl;I8i2NJ}H?7x*o@b}VuL
z!}?aZuRWEBJHly?vp3piOAaIg+2&+(M?l2@=d;7YoxlNkE|f7gk>1`!eav}rd9oaN
zF1H6`tdVJJKo`r}QR`Ew3RsMxA1+(~0`xa%4_DN)vBrGu_Ti?T88*OV@-xd@qya^G
zG17!Rl<_(+Qqf(6L`3X`*Jz#uEmVNg>5Myg9J+g1TBsTHMRwf@twVUtC$GBdlSF&C
zR=5M#Ms+vfIz4{>8(tCX7jDozBYqTgPSxDep$bsy5ypBgP=bR^BJO{P#!q^Z32kL#
zEF#>{lY8ZG*4dL5g5CfQZwZ=F;bzUVIA_N1L#H*V1|IH%O_HlD+9mtgP291tH<}P`
zR_=itvb})u2=BmnqPiO~5<PxnoESguFMJ61kLqq>@S9}#+69_tHE%_aY{1Wck6*iX
zf$$;CTd`v}j6VA}`b<N;EBn!Zn`+__&a{9L&N^c`G_iI(eDlrC$B*~lxqN5jp10v6
zT%X7F&nwqM-;l2F!~r4Oq0F&knb-7(-*!*r&SiXrapL~M?YKUw`v(B@`28S*<37UO
z41P0%-%N1aKdJeu;1rPM%<xYpJI6mAg-rhUSC^M@Pw5)i7q64P^G)PjHf`{ope-rf
z^3Az9T*mJGP4V~Vx=wt$__~UR&UIbIYl^R{I;vbpPaqwwwN0=Eb5%$GfWn*fWSY}A
zg>Na>70-#r_hEiNHZL|l%<EQ$qe0DY(F6UByx+NWW-6|Ewcr(A3n@(NRfBo4^;(xB
z@@`iqXt4w{E?1_>Vrj~}+7fE<dRm*T)}~gEw<QD_j&T{+t{0wLd#ns^4n*LL!n3a)
zALn>8ih1EV_<^<X&`F$0N()6K=~Hwo3J~!xiTQ~M0191ePT>n{PlFTFKBD@@d>w5p
zc7(Ke#E!6=PX72vp!L$rFVAK#zx>kHz>yz6H#nI0#9amhg3|fHK{n2L^u2e9-^ZP3
z&WM1pIXfs2$C|l-sW`qeI6gi&)t$?AKXl~TSHJq%BY^|ozT%2+AE0@r);4MWpnM;u
zApbt?#10n8f-QHPeRm3Xc}V(ZfZd0_zjN&(!6!ZmOUHq^P&PTug`Y*D?0+zQ3R&Z4
z=aZLTewTLl;Mt}@ToqlrNb@u0d-A&T62H>-SdEjcIePi!Pu?{set+;U@4@#1((^ju
z={`fc6XL1#ya3(>**jP^uw}?amoBntc#2C=b^r$;qk%h1s0b48PX~+v`dpydSEto#
ztE@qnD`>64+d5x!AnypfDgvQUpu!b)+*KRM#Tzrpl+)B`GfkLmZj&pO%rwSxf!e`P
zCbhXW-(Ib&&gNP-r!pbFUYNHK#=QCX)p=9xBVJE2hIer`ej{FE&>exp9FotmAhf7V
zL8L#}X%OxQCQo(N#(eV}5Q-KLH1BUIpG=GYE<VUy7K3ch^Fhi}a+%z0N{uF`JS9eN
z#<l&zsQ53ScST>4=$&WIkxWDRU*k_V{q&vM!+*JlXk=xrQu99XzwsTSQKAsqm!J#t
z%KV?T&;11v2#pQ*oqv)0qRjf*&o=!`y02JtU%hl^9lNsyccwl+EA#X7LbLE#Vd(6)
zg)bFyG?rH3M&TdCFTjSd%KKH)f-rs(LBy;(vkqeM`q&$@J%=rq8wL$WEk}B?v%-y$
zgPA_pRad$CG6y5u>3(f%9}ynH{S2zNPSX8wKVE7A4TIS63ObC5AGii6t%nZdIV}2|
z1L{_%EoOOKf7f05y_I*}Rk<hzD);K|zaM{{{bBJlZ0eXL3yzK1(Mfk<zu2uDbUz2X
zpK?!jU)-_!t#7U7_m<v~?vhx082JMKgxxa1b}`XnJ=;sDU4wZs*-VLxJURkbfD+}V
zpb(U-e5a(N%SR|dkkDr;kxD@c0JnrYM|=)Ph<-Z{<_`wOTwS41B;GgP7tcg}HYCmE
zw)*mpPG88M=$q<Gq+>>tvw1|==85<k&Bi9TC+2gTO-+T#c(l*e7;riR9$#vpB{5<T
zw)r}u_NZgp+UT)6{9b>0Fw;EXsE@g@IiU(;esQePA7D3XF{_BY>Jrtewu<WBL1c(1
zNRk_9WG1|F^_l#h@mO?pS4VnL{QlV{A>7!t+}*#FbritT@eI&7=$B|*4;@gZa!3R$
zwGPWpeh8{;L{v}zR_1qd+9&#le1m>2{1*CoRCgWjr`KI4@LXBMjI;shzERyt20uyX
zIr#PBI~bf_e^NkL5^!8EzO3l_>)81Zk<|ma7w`bMqT+cEl71TG$7Yb+10h0`8pKdz
zOo!&jMn&WoR!~rlv7%0>j3~NLo*-7LS%0XudS9i%X|2s?!aa>c(L-ISshrmxO@(c`
zw5(fyW&g+p=0H=-nS|r3w>9HP_C;cS?Md)ZRlA0a!6xvD4`C1_FA;$PmWd`=GL#u|
zMSN)B>@7eKK8fP@&y;Jao(k7HC{~>{-*Neq;_ATJP5j!OYfs_6C#Czs0}Zewu}EHR
zzdSEKboN%6Z$E|m%Gb(#8|z7DULd2k=Lf~(?8YLKiN~01Gr$@+13x&wvpRP2OcFit
zvsRSh=U|mVv$hxpx>Il-KK!+o7D-w{_R)Anl9|Fl(S7AnaJkFR>2QA+uc5^5%cN+~
zO!ti*J}fv_abGS?rTYTEf}P3m_4u_g$qoGC^9KhDZ({fr>`ZR+YgPPOWc=dVD+UW&
z=vt;5;Cg=T2Kc>8c(Cv$8Nbj6lxyXg72)@;LE#FzE!Mte?f1wEr(V`E<kBh;Ej4g@
zh6=$#0VHZB7Yk2Zi-V@gK5R##aW`|n#PJ!F5ol<#`$Y|`mZn;CDoUiv;q2@{m`M;$
zj9jyl%dK29GID}mPmFXOoJuCA4t8}NoK7aE501pg+r9qWSR~Wu%vi#XY)^NqH))M|
z25VZjUq3&8-L_0-+jaBv*Kcp>NX%R`ICx|_9-lrkIC#-aV!1Ip-JG6mYix41H(16x
zddBSLE{C5ewFD1&Ohnn&#h9RDn7qU&sa=#DcLqt@0^C}~*m-db#H6CSCNU-0By|K$
zNndR4Q*Q|Nrd;k+Pq3>wnMx;`Uwq2@h09F7mS8B`WIpn~rf2}kfI5u_$*1>;Pq8)6
zAscNw_;?PYG>M-a7S)PH1<k?dpTu82{Dq0b>z##;m}I#?S!9q>67*^0{da1z3`XB<
ze}=xpYp{_m%N4_O5dtc)QGRr#-a%*36+C<|K9TeJauad+)t`^q?XkQ+kfYaJW+~WW
zX-MaSO%AiwY;g*`-rRILJ(Kf#b2I7mbk3V{B)UVPo}|N(><NXs6OP```$A@4)xz-b
zh4rRdsy(R{E)%a4-@_yfRYh#X+@1KL3|=a*V}YN$4jAHf5GiAp=j0Pl(Bm3vVpD@x
z$}L324d9AS=29sh+z0O{$AH(?wBSr1s}f+AnoVPOqq{q%?6B?MBUJBw{jQWt=SuFH
zs@4s659_Lh%YHpM`D>x;(&_0-3tw10`mv84U1dDWF6_scKa8E)tGOOy?!|Z$`02%1
zG#HBpqvZK?2|#!U&eN31!4lkgrs-*TtavUeoy6#s%362gn`t&;`eqC6MfarDY{6W}
ztBNP#9c^`5SDuy!y}1QCA$REU#u~`=Lj7Q_sh}4#@2*`m;ai4tNpsQ>wOZ4z$UxSc
zvqtK}W^04ZlJ*7beW}~m<6?hno7w8CGgaFSiAX$eH@6!a8jQyJDr;>bYzZ~i8`mQW
z^*4a0yMQMPsB^chqeyWN=075i7Gb+rk9S;B(_u_nd>y7qhcVFz3V)@5-a5S2;g!lh
z&{@9}t{^T5L~JlamHVydZk6u!ll#{|SJLT9b@>C?y12n@4zx4}tc|94Qn;*iRz`Lv
zVj%5sHnbQ`9odeKdQ+yA__rH$`~lE0)&34^F4}0eNKeOy#H)~?kI*;qDi7vDBtvD7
zY1Z^gWK9PM=`)JHtE8>sgyUf2nWH#1+s?e`989XR`3_w)x3p#2=UPm}o$IG4bj{Cg
z+T43VTZYkk``T`8k9a#I(iY7j$bDkC+!`LoJIWuWgK`3Dg3&u-%sDnO+PhZlU8=ei
z0$-v!!y!#0<51)Hj24wn&EUKZmY6b7r`b}f%O)9p@E_nHBy*rqj*x?j!B&zxf!V#1
zdB~(zB~qLQ1te{=bS~kYGq1j&cjCl-J2stKX^jocMN)lw(J>O}ob+}~r90eW?R3gD
z>u3(!gQFKsj-1@z+q`&Le{xH(amR^<sKad!x)a{I;Cq_)ymt4I`>z>p-*swk^un>G
zXw(;-A5U!^OSL7wc41@tWTyLq*>wKU>$f2fDe7n#Y8OII&mAFObEhi--=L^zU;B~x
zg7`_u^<~YaB{-Dvb%qWLO4yvoJ5C%NhrlDw8f}Ef2?>w1IS7}8L5|Cr|1B;}0xISY
zf~m;ZJTY|j&fMT-w{4y{z9k*ZPe$YIm7;AV*gA-IS&4R+Xqryhdo0m_)!Vmcu=k2>
z9m$E^+2B~CH@?_m4%=M@dxJgfGBtXm3)e2~y7Q9m)WXq`fqg^4WXKzv?n^8T#@Z66
z4>-~z>9%bH;g)UJ&yMXM@YdD!*&5cI?voAmo@Bc{7z92kuklCX>wqu6=305DsrmtS
z6t$)+E>I%tbX;%cb@WJEHGm4~l~@ZM9j1EoRHKfL5R-(Vv##{&!Yjc&c%|!n&~CF-
zHjw>f^+c5L2(h0Kgo*_p>~PL+t>3)MK5o0(F=ks_so%QSG2yt{88}gY;)%JN<{rd<
zczNQ9Cxp72n4Qyyou$+?LzTJ$=J`|60B@RE?QJccD>o=vCuPT5rP8p7B9K$uAa%4B
zK}6(Ip#Ii!2}FxN8{-F!(ea8ZP3xa9-)J`4(IvqC%tJRnbZz9Js9@~wPHasimkVDK
z4QF3Cbqa$7zgr^31Y_g;jx-mBbjbo$N2ivGr)n00RP#OrIcLKS$fIdv{DJT+*DCuf
zx*nv2rB9`1JN@aF?tx(MLi6%SzNIZYI@8&Ad`2|X`r0F*Va%p47w?HQ2py3?&{KFv
zBtC^Xke}ms!jDA<n6gr@K=MJT<1Z$w((@PaD3mDKWnxBX%k3SHC#Ux3v&)`Ad$WIN
zX?`S}w+~JjLt__?4j-9}#61&M`<|ukyWRFNa$2(<#iAZ~HA1v0`PF4uRb!B{kR<H!
z%zfByQYNL;SQR*W+t862G+4i|zd5~W;q7VB;2SzPI(BF{uygCm2N*7BJwJ};8r1VN
zWlxnzkA>Fgd9Z%4f+V`B?m7e&R+UbAVPD}>_<(^Q)*XUXX3E-@gzZ0i{PACihMm`L
zeJu=NS_69S1B}L%H7I*-aT`PERd^zaPI&~y&sY*xe*EN<qG8{wcTjjoTH_b6#sReg
z-Cw!JlwA+MJ7$RfevK_oe$K4exF}iqPN<n#8!V{)?t@c_<jkS&-X+hVtt~vhZDFz5
zeejFE1IqFz-Q!mK-tAlVSufu5%SK{rgb%Tnt;6PX?kUL`rxK}@wZ|5QZ9{dXc>Pss
z*~fhga+U3+)vvCuepNI)_0-uHzDJ=U{%rI$H(*`Ydz92iNrhMND0V;d(kgKU{(Z_N
zIf3uj!;dZTgY)28PVYk`kTs*Hv$1A4);`z2?Aa8^hN7#s^r*45rMokp7j|IRj<myS
zl5yn3bBt<r)iRnX!%=Z^UUA6-#wK;-&%g?EYNkG}#F;ou!W*waueU9&YCmzq2S0c6
zmTA%O-S0kA_}udg_j23`@57iX)VZH)On4&SI~;@97pp%I4Ta@>^4unIAFt*L8HZ)}
zk(OIs6m^40XjikisHdF3j?7YQvRb2ObEAaIYW9x&qI95^jYTmN=zMnw#V1fxhz=z$
zUBA0Y7hbszmEtQzUF){=_7<I3QK1zLzudq7muFx2qNSz1#d7VpzkMxx^F@viQG<C{
z)Shi+^N@zE&O;?zX&%MWgQC2A%v24BYG$x8TO8SD0d=m;A#E(=L#%A+>bLjmbTyY8
zduOk%q6Ucl-HGJI&7VE{f?zz6I@0_&(U8b`8YRIOHp*L92c&X;+2OKLZXnlGl@>!V
zy@ckjJ)@Dx=$@`l{@U3;HPt^jIcbbe9v&XLa3UNTzi?>y@MLuV{^h0JyO);tbKZ|L
z{HW&-1L54<u(-A|#f5lh58{R-Q5jB@nwU1o0v1(Sda`+;2WOENGK;fUbajJv&9R}D
z=8>fJVWDzI25Ksv-@3L}>;X<FzelO@E2&W`PNbs0pyD&g1CXCj6@5X!;QgeDa_hGa
zni5sCiO7ZADR76~UVNgC-08B<DI+227dwx6RxXjTcky=1NV36KYpZLUKeU68wd2q)
zw~w1|y;8>Gm9Mu%8!L26Rme7_c@Pg3fyX+;bC%D!i`2E1h)or$Jo|#|QDOrKX@c0e
zz~Mq)7O|4Y1W4wwtEDH>o4SMDtv6kN)xtzqXHR}yG}K21o4aQ%U;WHyg!)uGNjgvz
zeDZUm6R~n7=T0g=t72Ilot$%rV=+=ye)4Phfoo&~V20d<&A2E-CHDrf8V$;!P{|#@
z67v5vczLWRw2)398Kl3lHDbp(qE!FRKu_avD4d9g`n+vno2O&Wm<(?6HZ?W+ytU36
zcPQh71IHeB&)7UZkJDqa8=OroO`)DNMu0iF@#}NId3kSyjpjr?V)=Y{ac_i&?-f4u
zHsOJN`wGjr=OX<6;4z?UrO$&D*V^cwp90+y{Z)eM>OghOk|dErK21rs2&wGmZr|~)
zwzjULzRpFXyJz=^5Gj0XabRFkNEE(1vbzTp!Bkie%74eRYvG-d=%b8(6)W1Lm&jxy
z<>QuAM0(!`ubnd5Yjq~8adP#8qT!F3g$(}xqbxh&3lafF<U+}REqh*232k7P!M3LO
zbZLJO8_NoHus&i`S^-s$IiD;Zi&{=dtM-mOb@{Qh-l*4AS*wQk4Wi(*uA)|-zU1Q9
z4(SaQx=KUUfN1!0a!V5b|M|~}rDSp`@#nKI{K?<%_4fP!#Bc^&(RqCXPAn_3ODZFz
zu9vjQRDjA(Bs9BdmM#k5P{c`OHQLB~hWeVA%V}`OI;mHtO@e{vl~hU6!j$1=O`TAC
z@9n4Z)mEdfrlBf(-5qZ~)sM1CI`lq4bGpLe1{^JnHykdUE&TCvThi%F+Af#Y{?nL8
zox1jA^H7Jaj*SOFS%1lO<*@$o{_FAvXRXfYH0ED+|0BY}b>1$YugiN~;iHdm+{J;r
zf5tPb;U$m|A$iJFRH<T~^8~OY*rSw}O^zXciiytISJKJqoIvhQA!v&W!cT>(3u}UI
zOt@&@Sm7?po#(ctRuH4Q&td?2eL(Z;wc9p;hl=6i*Olv|CGhVn@OTOQOA5TB1paXa
zo-BcXPl2}-!?k(^-c<}2f2hFwWcXT~Y-R=Crup?>ej?9HTvOnA`Fh~}r&^-|zxo{T
zYf9h&<@#$&;FAjcdKu2fBjYWmXLtj?OU9*LQNH(b`Fm_!D*RLld`Y?frV{wP0)M3p
zXU~`M8q+hp%Fibs!&;Q_STDTU`((<KR1B5!RMB{vBn~nX_^~Rg=1_wjNxf^~hX*BA
zgZq+mmh>bpqaxDh#F1G<y^|abAvhdNkVjz7lozB`JQ2eEnZ7zlW330ihpXX(u=pKD
zm)U9dm^=PQaZY@vIb)9nT~((}k@ZnwZS>dKY^FX_gYf?(Zw1&X^~V(7gFRIVed@S8
zH^~lA=cZQrCwEB|E8b6;ar_-WZ$WVv?wsZEh$_jCL0S)wI*`wTM;)j(8rQ_ooG=I9
zWi>V-FHW3AqF6{T=wipUmT=)Gf=PJeH$VRI9~K_CZ$R*E`hT%ah0jRF@yU~*SvG#Q
zM}N)sXh`@X+oOD5w1+r6NpOr9+3_M2UPuLsh#!$>TxJTXo-wLL%**e%u>Q2FDXbrH
z6^c0Va|aZE!KZA6sUHxnD%bL${gJ*2gBKwNrgJKXDAsqUM0^eYv5RMC&*`l>dh}H(
zov>rQ%ceaM3I_@|CzA`^Ej&kHp8QUjJ1O#deL{%*<xj{FXj^lTF9+}^7<{V$|22cd
z$HQ>Q;UOVIIFx)pv@bb4S^_7&!r^@-@NX*cb_q_prk?SkC)soRgeG?XrL{Quad16{
zw+TVwLzGus0#5)=<EORr;`+*pyLm1I_W#G(xIf448xU&veb>Q5#c;--`SsBfIL(K{
z`%2)%pE<mv1WvTY;mHy>@evMhDS;DSIJ{kkgYUqfq`=z*BcDHwpYdUSeO|gA=?lWY
zh$KfiJTBh{@IN#D%;8r{@Fs=_;@cd4P0{tgLUxG^zqSbeaV_y@e*N__oQ;#{fZ*WI
z1SkGT<AwgQv=+s<4DeklJ=@BB8me3-or`lv;(xq`Lp?Yo*{$G<@Q?A3Ry95)Zyo2C
zRH#znjg&JX`O88QgJemM!X@c`lfBXOKir9?GY4FC9<#wx1;)tOVZdD_F%Qw)*wkRR
zR#k!_vOU9ab(u2vo29vv|MLY#W1nX<hO;)x-gtr05{E}i;6wu)-ckZ58sPAD1@1r%
zJlc~SzD4L(_T&p}&v1C3ay`Z)676w#vIzcrMjIR+CpgxI`VyzaHzAvAMdo#7Yoppx
zXAp0d>jKm2z!C%gDU~9Dcc)>EDPF!7^73UEcT?k0c87FiLXEJh@2JJrdcR+-%ODPP
zIsGPkWlfdUS!Xzh7f=*yDl^0SiY=nnVySO5j@Ma=e1gO?z#D4WdVGPcQ&ebGcno}n
zz!!(N39S;3agq;FfoA~!9%P#b_qiCfY=MMOq=V$pQ{|y_{0sUw&*Tx2VnSLaRZynT
zB-vLKai@eo3qGR`Qxr#Oz~3gkQbe9I7w9w|0+guDk1iebgN#{TRTm{5L!MbUAg897
z7xJsZD{>VJ_^+pM!;gL>ykc?^(}eu{EndFN=<|zg-T}?6Y~GY)9V>!|IDGBD0Z%hL
z@#~`!{40P@Gy381xCH+R;8|1@jp{hOLxNM>#lz^3!;>727@bD*b&=?t!`r3n`E!ZK
za(JI~{Q$22G2?X{o|oX$YjMq2*!pmIo90%=Yf@`b4f%f@s^`Cqo{M>n8TTidO*$7@
z9S&K)g4IhFzvNeWbGpCQ<}&zJCp`5AtHduH(SWO(l&5%)%qbYoe}lQlMcU(hY%S85
z$+!CrhTEsuT117sM1u|yzF1sOeHQfkEkXyEUyy&r@HU}Ck$=VT1mGn9HsiVPV{7^}
zyH7}SJHJ1{QDrcy<M4iA=h{_FjylNSs=&7hmHfH59(I%r*IljoFU>F5_3@JH+k{Fs
z9xeF)``B93{bTwhJ(ux+{yF4z$@dcY-k)G2Li1vAi&|AKl<g$dok>~jdaRY4LrIm$
z;Adx2p%$x0;eL9hDwC8!NAVNVIq75ubSoP&cd>thId|fs)z`*9`h&uUUq0L;SiV0!
zvhT#ccS$@RJ>AKk`&W)XVP3|cILT<1!`o#z)(3uO<@z>ZUY5_4lmqyerTb)+`xL_i
zLJ^$ta(;bZ37q6PhsS03nuGkp3Ve%z^a+W_Y1laV_3g^_@sjIR9yebCPk_g9J@9v8
zl8v7NK(K3tW;TA36~*vSF`Usgzdl+5r}1-myafIw1>R8tC)vfXPZq<eUaJJ}DTXt=
z@$35(cwB^ETDiVWXlCoe#?N>Ozdo;APxB%@h{LZw2mG26IO#|H`fE$zq#tqk^$MKE
zL;4ZHNk0NU+5W(|U~{yrJtwBcFf4>1<mhW<IV`!xRH>rMVSZAJcO$L9J^8yj@*ZJ7
zP#<Uc9pshtsaJy0E|Dz|lH6p0oQCBhUk5J=`v&P#F?~#_{z<9tJQ+%Bb#zi)KMT2R
zV|sY%cMs*7dm6puZr(kZYwmW_+b7Il59fwwZyB1c|3=u@)*l`X?dc|eb8CNiq-j?-
zx$XsPSL*jo`wG9hU|TNr`!F628QX?mkAR0;p$RHyz00_`iVbclJ24O9;S{6cT1c_B
zNHZmilJXKzGf~dwQx(Msq8}(Di@3w4;frS}&vHPx^xr@E$sZMN^>`LHZ}trx7#q7_
z*w5mwyM%39SGH}Tv0_h5iw`nuQStYmXRN2O${I}#<616oE9$2}V+*pekxqqk9^hH3
z&crLLQkI&UIKOe6q#psl>dNhgx`Ebc0t-+UFmY6co6L>1F>}V<(Ps)>G+r7#As)i!
zLwmo1a%%PZ;ypfH1TW?Z)3m3g>x=gk(-$OoT<}OdBu@BJu4j9b;W0{k7I|N-8pWe8
zRVr0?fO;_XG+BF0a+5Aa^%baENQ7Zg?yf6Y1gJ+VdGaa9RH>%|PO@BQRR@WdY2l~S
z{ZVJ<j{cw=Hd$GWg_(WeHRsx;zzXbyaGzD1m^d^b$4)N0vB})wkW>JnS&2r;_)Icg
zfb#?-85Z$UvL`tFW(m&XE{yknRl<KrksTuA?HrB-sUkS(O&s1Q!yzLOzfs^@1nh7w
z!%N_8LQK*r;(!zHrTajJ(|s6^l0Tm>`CbCwBU!=XFl@YElg6uO<Kpod;&~h%6^h|B
zUJmb5;0}uCDDbTsIK<igOW|9DY6(v9AJQZFecF}##7pkeCRDTeVLaORAYLS0ult(t
z1B_SDY{UK?0Nuq^9YhNJs#K?P8aa+sOE#*ad6=NVQ->bdM$8(b$O3+lEEELKrOx7v
z5|ws6$TS64C89&eN`#47h>5dS;m!F4SGPT5^N0Fot1dLPL_2#|y}jFeH(zW$G``86
z8Zt&4Bi6bQ&a)VLFS7eaMhagLrZRJ#{w+8&G2R#GOgaf~JeEXw{yJNiKFu%Ly13!v
zL5xX(Z`J&q;d4EFi{_USobah$-=_H`!>1cMT`@cXICMHChE=a}?lNzoiciwzsw7NO
zju`1}ROJx)Fu){PNR%m7i&y%Tnq)9f8U2zu_rurj@=?U=WiR_~r|vEL_PwR|yEK0m
z_hNMU4L1LPkYMv)4-XZ?nT+PwM@!(O!*F=K1Wq~(hj)~~X&-TTvII^x0f)B~!<lcM
z!@G*$MyB&{cux^r%XA(N?<<CD)5`s?DuG|Fz%MC*A5!4QOW^ADmn-l%`M8zq+k^z8
z10G+bm;fJ7p03BLE=oS}B=WMQSWKBmTumpDJvr3xgZ2*P6H<Pl?9l-OUl)Ze;o`!0
zrq5)xSGCUOJUlSj(9|A?Mv8qqVXv)9>*-k;ERI#?=kk%dhOErH*|>ivo)S^%RE=A`
z<ajBLNa2{{`j{y@62-+g>I&1bx1tDYyV>tFF_~=*HoMBhsX}#w*H-T}KxDgoserZe
zj}%^&==&6t$FGq1u1ep<@M5|@#pE=<o~@I7AF}H!I9#RgIN?Eo%j?|$-Ry&GUwup3
zSNqt$S`QBiMR2yS`1R2eIPD(}@8ED2GyXKY|G)G5YraeOFN24Q;q3nW`e+H9?$6;J
zC2*1(9NsR&VZ$O`sleMb-zECy&t*0PzdkQt58?4?<`3cUIEO=yz;<Ti{|;XlO@ZNu
z!P&m$@V*i_jfcbAWjMyeZEy~6)0}1dEe^h03{L?5C+JU-?;E<WN26qtmPJ3+ycf#I
z(=pk^&x>fV>nK-RuKZ3_s<=F(xF}EApdOKOUL+0~J6OsFk4pGvmGsDWud@8eqep+;
zsr!MPBl+vMB1!Vqy+8@Zx&$1NkA~`^oI6LSxKBKJ9Zg6jIYT4CxRp#iHA@F0<5@bZ
zi<w0!O=tROR~~6POZCyAmJITA4xic445v4Z0X0R%0OY<0K1?M`P)e2BNb;XXRM{d)
zs%pgOC{{(jX|BEVs`=!RCOux_0XY2{WMaO!T0S)Q&L9ej$MY*gAyE)k^;1L90cS^G
z|3H3aI2;+-mCsJp6bcpN#>nIagJ?85J?FE|dm@p^3x|d-oQ&=o9~~hl8t{O#p`r(K
zXj1DCNj<nXnt_~A)QC}%Uy(;4`Dp^mhLQW8@r-R7=1BBFo=H1m;o!t9!%#jmP^pLR
zlC>$7zl6&zDWj{-W^!2!btp#Q8M3cl6_`yWCOdpPj8#?J^>vAf&Q@e0MM8x)iH4p)
z)Hifw`qtMFJ*@2${uA_|g@tzROc6C}l4^`_D&TqnWvU>Z$PC||tYeY1Fo{d6H@IUa
zTaC>SbgtG%`p8%JuBwV1+KNm{_(P#OHqwUrZ1jBcgJA8Hypb|WP(8Z576F~#;Qrbg
zSe&)M9&fxsp4&!1{y)~<1TeCy${VluYRgioq_)(S+ACE_E!iqbW#6|>Z=sW>n_lPz
zx|_8TXoSWV1yRHqWK<MH0T*x?5f>DZ2A3H{oN-Wx(ZL-ZXZ)N|92FHEy7K@1?tQPS
zI_XB|`+sQltGapbzH`q#_iXo^bD3+v9g7O)`up_gIv}nbaYu1*%pY%XI~@VHQH0xF
zss-OQ#`@lCHLaLi<66{RB@XY8iIH4@`k5Zzj`|mfK>$DJ+Tz}xMeOZiZ20|AjLi(+
zye5a&#l&cvo5EYYCL-9etnB&^wSIqTJLV~hzE(wF^%d{xx~PsyZ@RWzhqp8CgxVXn
ztZ_^MVj`{42XA?>^zNTc_85C+l&_QqXZAgE-+kpVaNo<q{UnS@@=pE+FO*{xzIluA
z*&Bt;O54#0tS1cRI)Ll+4UHX&s5?Y@;C{{_`J40|kmn(tiXKDw+O4{eK;tphHurZw
zw6Zohabj_CVsdfu-?nf6RqOl_B<Ia0le32=8KJ)G;Le?U_wL+zP{PjmV2lO6VQnn*
z<yuVQj9npbo&}B@D)CzD=BpAj#r<V+CK)%?)y;^2O5Bd=!?!YG%54`BQzZUB<j%?A
z|9=4c(B4h|rG@@Z?Kl037U6F+0s@2b7+_)UdVK}2>q1VeS7s%)ymD?N`6A=WIR7zE
ztM(}<x0F7uG?gA#uHCf@XnT6sF2EptbY8$fyI9b#h~=+}iCc${>d<ZOx08k$Lr<;{
z1Di^Kia&MiYeazZ5m2%=R>~l}=NsZZ?ReQ|G1hv+*<*()zGxYlk2mpc;FP2x8Luh#
z`#Dn71A>j>wZ=T{pLj?)@%&rgsaR&d^2PD<9(Z_{#6MQBu%Rrp(aO38VWLi9L@ep^
z$dL@8=LUF%=8^S8zLyem5Y?;U<s$vogX8e6b-1#kKnhn{q`WdGhbeH(z2P+g{nUj3
z(muOlMj02dZ)=})j*#NRBDT@$xp#hKWL`PSfB&m^-grDdeqQk+{flB99yR~bJTg2y
zg3IU+XN{5mO<moa`ohNPX=Au=Q+L;<{)llFa|s`$@-G6%&k7t5LGZ2s$6iC(Q}!}(
z6({k$tbHP*Mu=<r_jRj~`(+OL@=*8$vCDAau!h2z{Ei?B#d+xJqy4>?^!6XU`p_pW
zhcCV9RkI^zMJcVCM`mAj)1`+kpG5yTz%&Tnk*(~1zKq}Xvv`6spZH`22Wm_7;xVVG
z1$02qYEs-mdo_dBjEEyEXjs;@C+<YBM!w9yqw~q@$sK46`<s$edj|&hP9>ZC;l=|$
z$o04qg~<4PcW$@Qp6(io_3vg#^zQ!HP*>V++<i`J&qQ)G=i9SkVo&NE($LxV<6gpC
zd`|4sNqtr5!v-Ve2fT4IKgwg+Za4werqicM3XR|^+JxrV)Zz;3H9w{uJct~Eo({SC
zs9&(sDKmFLapk}yJw*!Xm5wu{Nqyzmx=bnMeWmlMuR)F((_(!#;ya*hC_}l9A5{An
zm>noRHFby_sN_A<)4&<zZjp#KgfgS&br3q4+oAm8n4aDt08vRV#;l;1PVD~zj(i!8
z{{`Iy@zy^_H&Xw~QMc*)OX!DCzdQ{o4;}kU$Vj4mt!^RbK=~!+fO`ApvuYC+y<O6R
z%y6RK&N{L(>PhlS`e|un2tMt>nYEgvEhpVBGv@M~+?JtObYOFC`@+$|e#onR*V*HP
z+3aY_xqWLYD&<y1=h1#c=Rq9Md%<^9gA3<%4ghX9r29q#GLV$=oUIF`tz=8c{1WL~
zCLiUBW*$1vckv6Tk?P-9z(E(R>J9R-!YSplSh0^_H{Nt%eTy^gvfAqFt;*EK`U^^r
z9`Gc;{z|j8#`@srH`grfjSmfsq)OX2e;%b|FBwrb`Px!#8ti4=2RK8uIQ3c3Tc)xv
z^k?-Nr>56{!m%>Vz%jKiu1Cr(o^H&Q>Bd;x;8~10pwESEq)YCE$8cqALK~iMh5jW^
z=;L}x3y#a!Lxcw>;?{IOyqCy%f%qsCX$>Hei~jURg}IO(Wnk>Y_3!Vthut=t%Mr-W
z1xJgQ6-R?}d7HP!WwW`%_U`vze`4&p=M>MOP_yx{wXJyK>t8=nY%>`T8=FIiO8@oT
zb6{PDH1^K_LExcGc`XcbZZTB2Q)S(sM7*7zRl(gA=}&CIH|_y3i_&(6GW_e0Q5O{*
zMENfi7#%#EFUB`yazn3}FZLrNBQhEsNbD_~e_=YA8;T8WwI$M<LXo!Amc?WulJNN#
zBk?VhsZqPBexi$K{|OlgJ|=7pS4Gcw87?b#wJG5lGijlXhMD9Jm*l;un}>K17@7&I
zk>(h7Hws0UYPh7%WE#Hj>Pzd)rr~?3_xxSQk?bo=FR1lj?6^4dO2ww@K!D}%;Ny|;
zbzMsL>J7jfVGIJ-enZ)l@G?7EvY3@m&>VFTT_@sR7EXN!w%y<ta-W_Q)J%>>ZmXRU
zE=**NT$YbbFE&NvDX-V%GS^#OLFf2qj^8z{)<6B~VA4}-J))}a(1oS{BWPmve?Sxe
zg>@ZRSBv{hG(inbp6o4ilpUab-OC~3J~aClRE*^etq~_2+KokL*ygFX)j6HcI!DB=
zj2ycX!SD7+y4z+nUu3EY6fzs%z6pxug9DfKO`cou$TckD0;=_D#u5p81%E$H$JOq)
z3V!vFJ}(vBRNgP*GA)d!#P8GeM$DHHc=$H(;DU~*N$zzzdSz`;H|DI=fEUQ!V(4jF
zbRE||t!dOcEn<soTrp~8FL3I~&3SKgldr9*?up|Iou=&M)ereM+3NONTAa%3-*^4>
z?<-w2GL4R)w|2lUaTxSNy){zNtF$2D%G^}EQBuS6AmT~ppHQDAKWfzKwMfm@gBI@e
zF(-=NVMVI2tx}<N$pUynkri8|9_4>#Mn+~z_wwJ@9)0zzj~?VdO3h%=_#ejNpuChG
z-fTXA|I7;u^14~zc&+Zb3>h*39NR!^kRbJC3Gy=9hb}?%oef5R)kx}xtmYbk$XGu1
z*s+ba3t-!Cr*Q&#Ao#=tnBMpCzABH%x;5w_1N6u;UF3JN(i7L9*yDzhpMVW3bz{ac
zq2!Ztk*h6)Q#o6%>>CKg?Z>`tG`VvNeXn^<F=sM<PbAXF^^Zh#%thIjUN_2WTZj@~
z%13Hd9HkXkGp;OVCq^pA>sUT|C;q38Rrv^Ci1)3o7@P6FCV1k2TSFPQ>!N`)Fra_x
zS<<J!jfFmBBpoT4`$agCM0>Y}arJ|z9u!b)v^|KVX^C}-d9r4#Ep<u2;;)Q;9UK)M
zM|y)K_p4aE)tU{rs;V^`ndbI|4=90|&aFey*zi)v)NudE(BP2rk^P@{rbly~lWopD
zsca^RwM1V0F2G}i6c1K*#@E?R)&42g6$=P{OxaG)F6V-LS+6t?s|i@4(y|^hHGS;V
zqsN8`TYPA#W3an_bZD@fLPV`!1D>W6J`ecpu<Fk4%dM<*nM=)zmXiC*2uH4k^^hzd
z+p0scd6rPju7`m169oVJ8u(45f*+0DRd`Lsa*;U(@-!$Jhv9~0!1G>#E66NXJA%!k
z>!M|!BFj{0?%e)w_wJfXwa=a3H?S)-?(I(uZL0a|SL$YqiDL7}g6c(Sg2@dR&qQ;f
zxn}?5mhEGce)l|`w)AzrU~~djAMC_KXXVyfW>f|IY8Qvdysq$bdD4Nb$3gh1o03P$
z7$512h9*Y!0LrS4<!W!1+EQ2<OIt2DcI=S-H5U|jO(v6*y9P#PXGid{MMicMe*i1!
z$Q8*sE#G$E_U*fNZQs5R<3ao+^fKmoc`JFM>#$#0x0-yaI0<E*C|z+hB8^(54Gu(_
z22^mMZt7u3jC*CYhVl=`7Eavww!&z1aC5$PZnl4r6#9iPeBHHaq+_hL>3`l6&ux>k
z_3SwS!XB2f>>_rb>t^+LYA?pqij}9qx{mi%uQg<HK$4Q0>2(4!fO|?Wt~5ClT!Trp
zB;g5Q!QVvLX>M0hl1KMg%X4)xO#$VTpK`SZ+BOWt{Mn&+Q@Gw~wp*Ip`+K}m`!ObV
z9>)P=?c@2(NXlt6?@*2LbS7g`|3i6D8}CQeUqPp%?Zfz;CZW?o=MZ%|A{EPRojj?~
zl#HliF3w|E8G1BTGuDZWp{lHtN}Q5j!GQ%_L=tV$Yf-vU9<!|-<vV&=zM~6fT>V$R
zTC;IXmhgyAAD*2)GM5k~JSN7sFU-pt9vFv~-wU1T8C@r;_M4vB&jIpj#1z<24~|}@
zAnI;wbEqXmRu+`DQ6fAUh<b%l&($yEu`IX>zeQC+`a;!rBY5YGH;kI4;qdj|NW_cJ
z-N)4BSRfFO2LdtudJ0CU5UCiCR@VXJVeGF;-4(lmq_d8Smc7ohtIWtrNJj<tlG2F%
ziY}}Bo~X;peJH}8g6tFfAyDIZ&^&b7GKbA#O$p_;RqWuQy46}Ox2?N#X%M1mYsdY2
zHFa0Hu?;MEC|#}gmc>C?`@KkrEh!g_$fW@FL@IIe>sC@_e2<Z`G*68ObarN)f<<yU
zORjI|K6~nfk#FEbKO0#b4bk$hU?0y!))UK*{r#~XUE<#V_e!yyLbr|no$@$-@B=A#
zMI4LT1Ni+FJ8d2GTEe;5PoT_ooq-Sd03S8#>XjctTIt&5-m$UJa#dHMdWmOdx^KM|
zdKp)?z6M~Iacw`Tt?iE08|0dY9mjTQ$3<z!p<UVqwC`k$S(o9zrF{oo)_}3qBQ^v2
zR$W=&S~tSV{8aQi;=fvpW%<A5V_!b@u7-nVsZX8y-GcyF>QbsYAZTDgUy0SJf-I|H
z#HKDbQsJ5*X|q6-8P027sYFtBX8pEi5VubVX1G`24#Olf#YY#?X?>D!y6B=~Cr|e3
z)LY1sW;4p)Y}vJI%aWsYB!e@79p@%9?W}yS*<qNs0QUaMeuY2F7g;cmCr9dhF#>ue
zaB^kx#3w0rt55hf;v8A*2J-|-ZvU>UZ80!kr!>{g6$j^QO3&A9u(i$|nVLE@n@G$a
znwmN?*Q$JVdTMIA^p?#F3ouY*Zv86sh${Mg8SWviDQTJ0kD#wK@(d5GL9Css>~_tK
zBb6PamUVBgbJ-HE(Ls;T)@-e<ae1tlBLhFPobTP3J-%t&Xg;i}VPEN1^bMU=c?7j~
zt=J`mhtzm>`l?oIs&{Qr3k?2@<zGAZ*JAhagQY)W*M=k_>mxK&cI?+_<`uhy`(mgp
zE<9h{v9AGH>AneS>e2^EJD~yVld%nYNLivUycye`x88c}`$h9__rGoA``^cUgMEc{
z^9SI()A07w?G!f+F?W?Gs-kV4BxPtC0xdHOh?$uRjBw)K9nY6xtsMB`02A`_K}Bx-
zjXMhgKu!J;!gsdCaHZ{=#&cPWjWuWJrz_`K_0i=f)TKY`o%6!@RBz3m7`yDxJLoRi
zS^waJ&*8tb_~<^p`SSul>D3kCqst;5;WRsLT|}kEXoMXH&WY7zr|c5rv12vCngt#h
zQ%Sv?{<_BU?gIB!Alq1-05Q>G;lG^Y4xY#_n=+ddXLsGLOxYfMza<eqtMhJR$^HS(
zKYakhnEx;&+G*o^nK)&6j)Sz!DVI6-O}LV|QJT?GY!?2Q0O-|Jo>A=Yk&DO~rCdAR
zTgK^AzLvRb`q+Ap*>(HGbgglkJ<3Uva_ttuH%{mrdEFXX#{k!P$*bjpFh{Cg5o9l3
z!Og1-Vh$U_<?vM@s)boBJjPlEpymRkVLY`Mo6P%MZgaiG9dwR8a{SI|*v3!4x<4&F
zfQL#yrw34<lbw)dj5j@PPSzE8s>F^H4AykAYNvslKyflV-HMsvz9QEYvrNSdK#35>
z6DxWH>px#&)i3yL9(?czw2S_MP8$JBH|U?W@FMWTod(M~4{wG3xqquiT9E@vIYO~V
z4;QF>eGwXvJXGsO<#|)vOn1u}YU35pu|4>qy6n_>#kKYEhVAcPx6dqP31Z(shvjUG
zb&+G031(iuNmNIXVw$^uwZN7~&@TNktN_VtGdM2wXz<o*@q+J=-8k`fxAm^7k{)+m
zc=fUSiYBGIT-W34!wd*PYy<EL*EQDN#i!$Soy4ouSdepU0bH`K0=<boKnf4Kr~o8m
zc6b^*&wz(#{R}HluYZEQjzU$z7qRx<&|NNq@~YFzqg;3%mY-e;<+K7RAJXV#0(>Ne
z@dVb=$+~q`p%ZB)^E@Q(K<QOAb)^V=;!NH?lIx>Or+fSs0p00dzcT$&ZvP5!RrwsX
zX|LE#mHjd4$>E7A(8mE0tIE4H+x9dK_baZp7PuTkn#&P;5GIowCokV|#{is;zs3ut
z4qI*CY5QJJL3jN-tSzgxOF6oFb9qk^?TmL~J8E>WUDk7;j~!WsvOnchA}&<g_gz}P
zwifq?y+It#RMwr}SJs^~n(i!h!_VVAQg>#K8s4MpjClTe@x0Wr`MkU@LmeCU$@X8D
z+lPeiZNxdgFQ~2H5$({8CJk@Xd9dbEsNlK6VIM;lHKJ<;rH)|Cj5A}!ki20;quvoi
zUVMv|?+Y2C+7oF!5fy)pBZfq34D?MDgoLFf*)JsQAmp!hri>Q%q<dUg2N{9OVa3~D
zELg1E-@{2CMmXKYSwQf{xWJIGRzzOSKj)@9eU5O-<8XUY{jt$mPdwKg7?0;Y7lkK#
zJ6om~5-Xc*^|6j-uP>JHw7V0N0e7I+=F1erL6otzg@*#co>cQxzrQ^Zv4@J@fsOmN
zwbbsm=YkRCZb#DPY!A5uiPC*`TgzC~k!Vg}h$5a-`7ZK1So^<R^K+dbt6;Ud7M+aw
zs(3Q=T6B7>qaA5OVO6Q=+{}VQn>+QZI}vDX3?$sz)s|W~JTY;2wzU<0vWdeBsa>A@
zTu)&(<8ozY3q5mrTDUo^G1eEUsl<1!i!ZOl#mh`_BX&U;cR~x7Q6t5I<F3o{W1(}E
zw=dLq9B?s6-S`2ao0NSX>zs&{qw%<JN)1cbhv_Y(9)>scF<u>$S{<}%9Yd9UPkLzY
zWMX@w=pAd{J&>913`C0yX>Y&pl~diz8^%N1VxG}VyEi+MOw7;CCsgBp@@_BuP9FhW
z`HFqDP8+Puiu7_wo<iD``?eK5Fa<sEET_@Zt$rHV<vJ?gn>-Zm3(R!2_cf-*ySGhb
zQqh6nVC#-TcCM$Tx1%r}8{CLOZS&q(D(Vb->X$OHa6I6hjV4{K{qf9@)7UW4n;cAg
zNN24W6iR+#{kbb1!gbQJqW^QB&7{T2)Ib3u#w!^vHvFO$fKzqEJ&a~b=trohE2q%L
zUi#r1=jZ=$o2nS?PWx-OD5Ir+*#6pY?e|akykRf#+_L&Rg>gLb3Z7qvr|6NHmBZ8<
z0Gqx$Amf;{7>BhU%Crk+5(q-Ky?;1!ezXvn%;g7**-&esuSpsDUacePW~tHm;KurF
zc)^qC%4E8lnqo@LzN0lYuJ+Lkxdb?qY8cXd_pG+_mssHP9NM&yI^1E_eUy4mC8?%5
z23yOnqAd$1CM;XBv$Fded<``PHxDOLlPmfDt-;ZzLNL&g@T&g##KQUE!b~dG-I?+C
zyK4t+;qimB8!wxSC;hWc&CYfxU(uzNc4(^S=G)uzfzTw<_Bj_Z{BsZH!d_Y9>$K4d
z&2!I6-^~*HWe6vsa%?wR-(Yeki|wn*iJs9!qiOmThYl3>%@q$`bloPr$B3HfFDPHa
z+G<6{?6{%4SHCWHx$-WYDG2z6fIUi(lwn9nh9Fu}_(nOdpPfKF_6UyP)#ZWMUlsTi
z0znHGH0n}-L2Pujb*NGj{3*MkKkNvl-0_ZJ*F<XDzJ}%&ySufeDb%;Iw%M0UN3#=-
z_Fh+_E9_5?*gUD;h`&7+s53T?w8#2e-CM>y$*{lHSm%#r0#O{Bp%h)Y=4e|inrMG9
znQ#TYuDZrtB$*X-ggs}(xA|aCcU0)8m3Db+m0e!Z4^N7jLJkD97go-f-T=n-u%--S
z<86jk;DkFtlx|=x7-0E)E4WncVt2LL$Md|e2r@}WyE>f3rND@zC*<!)G^_rZSaJ;H
z0b0sz0ijJSEAC)uvM-;_x0jwv24<SP&dhXoOW55unrWLtqR#~BY#wAJ_KR>nE918v
z;Gys^u`K(#nCoiWrhH&4&+t^M+}3N(YkhXlo@f89d|In`7jW`_Ku>&ExBjkmI%#F=
zMrxw^A+CjS1;GNwsu!Mqi0htbpWUOps&e=!Yx=){GuN`vJkD}{D}(nOVv7FP=eOE}
z@vtYE2=xSdV=MiwV|l+PnhZIN<?~y8t&u=W*yWEld#6GvN3=T<%0`1N5zpy3DXu=J
z{1tF=rt@2&t)1!oR+~7#RU8*14seC`04KaCKva#L=LAp@0(ID$?8&w!LfwJB_;N-&
zz%}ZKbwxv&SO733yE5%91a&f;Qr=a@A@od$0-WD^2zu`ghEL1iIHUCt@?7y7=Y`>n
z)>XC-C<Vhe5S3vuy;j^et&HHT)hqD(M)4beSME~}<2n2t&%IWA4);NRUx9YqhjyHT
zD*DUd1XQ0gfal-DjXK1qp+KV22d>1kxS*|omYAhOuUbag`18tnqCZ#Pbhi7{{pI^M
zuf7)NSDrv`YtQ4u`I#_`S^xG72U))M+{ca{eeB%m(!;xVKfDAeva7GfIhLpOqp4T2
zpR{0KGCi;AK+D%^Jw!!+=x5jJ-8c*DAT*M{<UGs6>Qm#V9vR1Tsnxp;|5<)c$IIEy
zvphVmE{>lXz;jXUeckZ%orK2`m70LhliZyKE%F=u6Tl8Rc?wsVWsDskG9(dJtc4c?
zO=myMa(qNP%CaYkFC*ip9b<X8Z{8IRg&hrkSHql=^*h4hh<mPoyd@PWMtizzOf}s-
z(PAXkqKy;hR~`hEgtszI#(m23D^V*7d)|cChAYoA!8G<^VL)-?T*~krk;8>nVRVSN
z=<?~6mNkc03gDAH+9{kP<A=`xS^u0n5)M23S!J%l<!^9=Ls8d!AJ#({)OxPbrCKdh
zkk&T}TW%Y!tH{N*S`f&jwZ)Vhm3eXBOt~$BXBR}<Y`HCk`}T`x=gMuoZ&9?(m)qLV
zwpl#8P;TqNvs=V{8_I1N+_yp8w^(j#75x$BjpeopC2x4vxEpQI2{f2n(e{LB<5qzj
zTShr<xD!=9t(Gn2wy0t;yjQesEw_bN$CYypKfry!%PQUjTy4X371fpmUbME@>PBT=
z+y}g9Z4o@XAliTztu2N7_KRnMm#X^~MH}#<wYA~d&Ei?$MQiK9vs=V{z>C(F!F?OV
zeZY&>){3@8(MEVB%oC+Q7@k#HC0_LV(DsCAV~m%)FS9yrxO4Ski5IOcTKb0Jy`l|x
zVH@Od7_#bI<*j00ISJWlfxf&Z5Ch^64ll8JEF^$d>I^}dWo;7#{n+e|9kcvI+uNh~
z*e<`|f=e&G;DXDirxzC|kwL^DIt3>M;nm6;U_C_fHnHzX$zM_Bs5Zi!z?;fO;fKy`
z&3R{)RKLaLC|!>Z&`%8i%mZ#8^lR(_=}=d;E~T4JHw5V>v$9XYJt_v3^Z^t+T`T7&
zBF!mBPhcT4wh^Z!2X5<HIM^Obg}fcD?Nj4{uI`@T2D~={d@bO;?c($~?qsaNmQ3%E
zh1a>INHrpWs|%+}#=+3&wgZEp`9bMP>#k2;s%=yKB+<|GZ1MFci!JG5Z?-!cbhkG4
zgvN7$&ZH+6isrp-eYQ+8(-&?DMGDatZ;Q{Bi^dy+ZT?ukvA(l4n2YcnwG?o*A2_dr
zJ+=sJnb$*2=EXfrsrt}W%wP{AZlqI=n>%vHk{cRk;esJ9QQT8*Si+=3sP1<jzU!i)
zp$GSwP5FJf|M|u6zPpQ8Zq;zMi1)`)0|nODncm)j4L?0p!Akck-s+arR^APfvxYZT
zn`xiz-R$po<wBu!Ti6|GOgn%4?izcG4W^E}In__>1cL36c&gDB{QTmg*$m|)67EjA
zN&7fERN0KV^n-5`vNO>BV<1zffQ<Ct0LVC}Og9oDsb9o}3oY8p@6{$4EU>R^T-m>r
zDmdbeQFpG_oa!5z@Fcq<{&+Of7By#Vm+d`#MYDaN-aavwnjU0r_33ytoJ{s~2paFf
zylnyA?1)r<nYF@wW$q={a{r-XWSuZJ1>1rrm6k*{U^8}Y+qfaUp)<F%Z3ntF8ZsFB
z28=xd4W}s1lw{oS8d~P)3m82e;rIs1WddkHINsn62PRrIjAR8ys2gemPqU}W&Wg0=
z$DrubtSK5EpN;mldh)?Q)Sc)I4s2|N9n_ratB*yRJ>mAcV9M@`II;<wBi!aq^f#Ft
znTRhPY#iv0<n1O$Ptw;OcKjwB_4@tpK+6~7-bQz$ttOE5CV)TqG%&_RjFHhOoZqNE
z!iu?6DOnuFXt-8M?=Fm{SY;lG)hhPnik5^_MZ{!VKIu%j%$bls9<!u+oC$l>lkGL9
zdj}`o$?gy){~w!Ng$_>XzshMIZI#o^iI;qAV)a4r^Y4N&oc%oWcV;^}vg65kJh?J{
z<BlCSjt56xJw5$uI8AXx9-e=q{Co{M6=zMKrv6<xo{Ytk<LG5Ydon2c;q#f*7Y%pf
zOgeh)*Ui5S$El)q@cjJ@4Dv-HH4(or8uj@javags*Bjo8ewr%%RMJuz{>;sIFThF*
z1j@x?DY)XTirEv7dBd@xS9RE0TLOMxD4QuPQa*<bFDd7$cT1VAU~H7xxUQ;imNHvw
zga1XD7xz(@k@rRL?1E^cE+gAgxNpCBmby&kzD3bST}HOG;n~gN*@bdj51!p3?xQXv
z@5|u64dOoPGP11|ZHuA}@>Oe_Fnr4Jtojovv&;8=%J76}qb{TMrx>8iyh6%stqpZ8
zq06w1x{SOprW{xL)TdR8<y8VFVf@}Ke%~X02l0Em_<bwa!RjgKVXrcFV-Y)`#WFAk
ztPG!eRPt%W)W~R2?!YS$Qp|W`3p@nt^4s2Kztmpqu2XB=?|JhDx1AULo2YuIrzbw2
zNX(c1q<p-zbmf)cEq!?3alFq7T8N3vcNK4Q;%!l^N|{g2<>toQ>d@xK+qgH0+%YUb
zvi=q<Kv$)1wBW1d6RXhP*Nd(3zljfKe96>-Kz=m2(3eY}Qyky7ZyfLbc)h<3hm+Q;
z&J}R`rcyN2SNg{6IB)^^4cuI59E6`ZsA0kY*cid!&{&z5@78=n74{BZC2U>Gzh@Tu
zBGG}xO#7s}!;$j!PLK76vd)g8ay&G!t-o(&I1=*~nw;m%Eu7<Z_e@~K#K+CRM-A}L
zx6)rqj4)QB4sYeio3s&Qs1|LcJn;V7!&hB-K{_@*GdmvT$S%I@@}tuWTbHQFi+<<P
zFDnpZ?$DzFIF{8UrNB07W2zIq>v13jPoH9Y^xg0N9DAHQGJ70LMDK4(&<UX=UX*qH
zabEO(`jm#x-g~d;<k;NDWgo=v4Zv?qz$9>sK0?4Z#rt23XQ&oDDC<|bO#@Lz!gfq}
zI~}RW!0gn7Gg`a#UA{%2dywcJio`s9O)j8&TV2i0nZI+BAxYfaB5=d85H~{WA=Uv8
zBWTDcL1X3Y$i9`oU0L~Cj^-mDDJ?zmL>VWBThR|9ZnS=kjCVz(WZw$!EiK9W>=?Hn
z_cdWf$rZ-2TLdlXsvaJKi}o!Y6P`g|HWXQIiWQXOsn$$KvQr6{z8mgqgUefk{SNeH
zlin)y!#E!~2JTXWO$bqpT?FmaBSdV8C=+c&`gv4+E5<wazTuudSB(<X&wcJgr5B%C
zyrKM#QM|(};FYw4eQ!yHz)IiBr^N8yUPT*U!2Nz%_XzNii|{$((+t`s&!BpUv$4cC
z?CojiX6X@-0=mjMQpoPoj*-I2OntkzwisI$_iU{(s;wK6i%C_jAplP=Ej?XYIvLp#
zI`G632SQsSbZ}}ox(V=bUrfS5c<S-t8sK?Q5+3G{5L^1YMNYLt9A3q@?z}N)G+MUo
zxG|3l-}hg8<4didC@uYBPhxZOQ+$^yc*X;uX`Tn=t(sjoRu?H+WS^HghQ7;IQFwlm
zT_}V?I7vsp_6!gA6o!VB<B{RzzTV}*aCmUJw{LkkGQToEx3n}jzarjCzHtr4$TOdG
zD(2{#Kp9+3RLMOW-;i&WM^#H-!(GYId?3&<nwS~g+u0!~z#i#sZS7Au-t~jcDHM9+
z*g{I9@(9MpbDby~c!(}5yv4P5P%0QOPA{%hkNBJCHo0`0g$f;vnX{bR^ju+hxPYO4
zVS2Y`{#=QJ-q6xiV=>a`t!u1LDWBWEz#%Ve|JZ0(!?E*qZ0x$K$?rB9N6ip<gp;`7
zd@~-u9dL4W+3+EU!XZq+2W3g+I3}8ZV$MY<W##y4iJLp)BYA&k>d5)KCx*|<=Y~1+
zI9(vwHP-ma2Ojv@Tmslp3_h&sbAg+zzzk2G=3A|hT6VzX169d5wg_4(r!AFz=_CM@
zMO+`~A`f4-JepsQc6-MniFj*h#2NM5o7;-9)Iu=p=?sOV?ZM$}Zdo}VjShJI2+8&~
z1gxH5(i_OfT%ka(!yWMW{Ph86S8i|%U~R$>&If+1pi&7ZjW^ck<{3&Z?5~1rJKlVQ
zvgHKsyku^!^bU*x$D(75luZsn*(Pm_wRn!9s*E7Sc*?0(;)~^n+jcH@wxzn3b}GmB
zUiPcs&-VAv{{B~&?L~j9FQNCN=#K`ST$lQq#7>01602e|3&xw@c-}~zqaLSW)eUcd
z183r2k}L+0{1=_K)+sltjp#Eb;@%~%s*d*LI-tqw!H4D<<6)W*?ZFx1S=t5>Es2p-
zzqcyzrBYesz>XaWOP$$RW2-4F^wl)fsOCCza%tN|z2;i8YOb|(6TWXHW)Qy`|JJu+
zbK+WB`kuer=j--=53j-~$+!*!Udbyd>8WjTWpVZL+#;QSqq41lk>?i4Z-`peu~e*%
z&f)p%dfZOUiDP^7)}}gRjoq3(@7SyM^wc=&)LKVPmvZBezPY<G>hVMycYo`92OV*@
zJMK8hdHEl}v;#0TLKaKygRoe&w@Dp@^#WXLPA7Wp>v!ero%L#+t1iFeb;^zRDUM70
z9e(`(lG3jb#l-RY(f2v%yH@aG(h%hp&3N7YLR!*m#q$IrSD%XniGV5p*B@6BU;n0Z
zV~;X0*Hik+EFjYKTljWjGUfrjH33=+U?<;WoFOTcbM5|yy!x>QnThO|yk6|q$n7n;
z;g852o)ry`RS^+I9{1}z`gb2zePM66HyoNzzk0gH<nB@(QO9_<a=e)78>kCLT@6J?
z;I=O$oc@U>$6QU++s5&#hEA-R^Nri!!H*a=X{)X5$<nGNxOhaB5w~+%C5RS)YQZq-
zusBEnvekouG+-c7h~PkLD}(aZ?C2sP9ogE?cstxC>%_9r-5D60@umv7P-Z$FcSM!r
z9(PRn=C%D!?|B<DQ+eNXfB(Vw+wAp(7k+iXn^vC&_9#UtCxu>ym;PlsuU&a8F_iHI
z^25>A9($@G;7E3Lw0a}9xT9Y=?#)iLw~gn#&9?sf`k{`_L3>@F-A6nLyF}nAT-F+>
z`*Jl<_YGjqXm`puVa_H`2jbO(zfgZ*?4961ayzowi^2pBZ6b?(bO?Fe9~j@@OLqqX
z8K-G^#%grt%#lbW7J_4V&-T=4#_MY8zp~UBbNHqcZw>Z#93@V8{`_%e6gUaO_rpCw
zi514tL6;Jf<075_3#0uQ2NuGW(mpP9I<XCg3a6C27OO}M;#o!M0``dk*5?w#dA~n1
z5NYj;Hmd5^&4m<#fc(SP+-7a`JHzcjTW-8PJ)ZLgbH$*ou|Avi796gp>@Cd=Y0jAg
z{_S5H_kk-@zaey9d<YZa;kqJBCR_=Vv>xD&lX#Mmry&%NNjS#x`G#ONoCr2q9rf)K
z6IiR}Q6pjj;_mtp)ifBHDE$uzHDLG+ZAR>kk71vAr$*JnAEd>~35uSByOpB00QH_%
zGk(tjUGyKKO(2e`D=Z|#>mYz-$Ttx=4#X9?Ftsfad69t(fK(QWg?B)1vkxocp!(`U
z#=>y~s|dHycl5sD%^eL*o<>KoIoTDo2kVawT5H{jjzFEqX07pthDJvBZPC0H(Nt$k
zFk9!X_ho<6o@);v!QJhQ;IKD%4s+o~qj{{R#U9Lr>_)S>q0Zir%63mH?bs!XM6k8;
z+mPE~Q;bfxN5rIb0*6}!U2{Eg<+I)dwGr}qy00~BPFu!RQG=b!W><e~pmW8EZBRG*
z`R29b?(o9UKYk(J>T*9PX%l-chQBuM#M)>S(wve*c({Q~&7y#xO?sf1vvr=grN!GE
z3Qa7lF9qE006(SIE3+k`E32zNG5pT(X7twxYL93$OK3SM<kEC`HQ`E)2@|9{TxqUY
zApOhl^1FTYP3DGLPvdfzReR^}Or~+w7;M2Qybq#?iB*3;X_$B-pOkhC-$=PYJB$a8
z8__PSK2QqLEl$=b+py;GcAlILv1j#kE}O2}ee5;6mph2D(!bw+%ja(CKL^O-JB}MZ
zf_G4YVm)wF_|%9sni9oT3quN5=4<kaWd~-rzQ(N_@5?LKmTnHHV@9Ux08Z3hdm5ey
z=7mS`Jm-|L)T|H|6-3QhWexUPKu8&b`_RIyeex{+mHfdYbghC{B%~sa5ObtYzSWbU
zuOE!ObJ_|H9-H<x_s06Wmp!3i>xw57z^p5?IZtHBo0uOaJ*0jt{vl0BTy6o3ZV@e^
z(;VNc!zsNe%%`9(R7Hgnnld18$#zcF7~PT#BThkvd~p>OszPRvAN=3iJdZ{Pa(;hq
zAQ~Cubuf}>ZB5`K7++i4M9%BYO|(&NOb>K+4Gwm74q%*+t%g4-=Zp7-4I;M+Ga)o5
z?h<LyM&LxcY9XhnQ4o&<B)}t#rIAA8j7ad4s2$prNJmmU?e)OD%Wy!7)y^p^>Nf?2
zL=ASNO%s|_{gd)FWUWepnw&iNcU3Z#bxHq3pBwNK60(glO?nu3hJjhr=6G^}S%5?l
z&-ig>tP?c;7NGTsfEz3_GD0s%-jT+6K~l8+$>iwpPAvM;JqR5&)=a!58V<)>vVXdK
zz~R|-4w2U$EA{?;<c>h0=b{RoD1gfWpEuPFycHjrp+RI>v_xdNogvnlw?JN^Wh;<8
zYt&TH?y@#oowe>vBgt}b(qvpvjV;N)m$K=&(u8+p#U2>f+Zs8cvla%UBf3x^fYP7^
zVm%2s%VJ$;H7IyNJE;l|My7gMxXp5VeA?gY&3k?RY_KU7Xqp&kEqc<<xVyR8hOKWj
zIcAjOepjEv>27qn>Mag$*pnIXHWeBgo%Y&>`dYK4u{qkDN0~NMTLr&(-WUd0BN`_Z
zuvb%-NuwO9n4};sCn~TuT*)#8bEi?1=tF3bNZ51BlL|jL+||)jH@9tD-r3k>Pb$Z!
zi*Fq>?%X-~)<Nrt*~<6lpm%Ikp9I~ERli^Jl?%$|J9Gm~f2SSqwu5Ol0eeiQ5lWG6
zmazbaP>Svt=z?I0Czq#cjjlfB`25h<z8FuYpDUfr3bz>EPupY>@2`c$is9&Urv>B-
z8Bdld=gdlWRxXut{L1C-kTKM~^a_&1`!BfQ{X)P<+w<q>(}Pox{(?S1{5mGVP^k?w
z^p&a?x{_nl-zl9%M!IVnmBZ(*BpoJKb}sKm{NUzo2a_(<nG~?>+xPzW<5N2MmR-Bv
z0u;${jsqr#VW}D>EyApfXX2Oc*BU@#25XnDE2OIl4A5AEgG@ljqb#|Ufe{#H5-><7
z0a?u@2Y1CoCSPdh!6WA-W2O+ID?a@0AviuBc+W^*--v+6fc=OkVH2K4cUlHb86FE(
zNF4+}@z2?o-#~+aQ3w}`XL_Pp!lufEwJVEucYUM1&L63<+_cgU1J-1=TXRcSH;-ap
z*EnGgdmYO7UEX}a*WtUX^vOZG!vU8U_-hgLKt1y>v)x!R!h>{p?_F<r{;qqJ8}t7<
ziT}&~XbbilcVV0kfp=Nkk(IlExN@~Xo!iiP<axa>9cuEm7bBe$p7zG}KqAvUq}=$h
zBc93!V?8KY<m+|$lhNcr0x9#95!@a9cjX5{I&)`q&93E1%$bV7V}?L7+!F>j1Hg*~
zuQ6S)c5H9hesKF|w%>ohGI;;}=n2{9iW~i5yBnm)7#~c&gcrBJ4!0_9-l(j;1LsA3
zPI*Z9O60hBA2Y6W4+FI)YhN*J6nh1B<(l|F(={Ko*qfYnHdjr+p7?2|ziVZ#y*FH6
zV;-z+#DjQS4RmkPh7U@$Zcnb^O4P5B79yx30;NRKhXt(>v{AHh{Y12+AaW2PT%;L%
z8l{NiRz%=NIzcV^Z?oNQ*X7Fvi`{C(r)TTME>BOkzQJp3Zum`io3|sTc;4YjHa90d
z?<oB;-r;NO?rXA#vz-BZ6EGG~u2V*hci~$E9z<43p{8mAtK!ILA~a*+$o#)%{so`~
zz*w7cjpE9{j1;xCbkS=(&4+phtLjs)9K1OGXDloAg`@q~mv+6Zc_rY6{dY#VIs5;Q
z;eI4{@!-)v3wP%F{t~pJmoW>0Q7`1j5M(cR)@Zj1D;3zrsk0i>riD%0P{hmP8U&VU
zZHI+UEVt<Of-lu^<3&VFyf4)oZ&Zy>o7&T!R%ggR1dp_@eIOccGu?)ronUUD#nx1x
z&e`f=tnS{Lp2+zoQkhsMPzKnveMmqOI-Tokk%>aOFhxX47fJ!DO{CUp`BrfUP*Ec2
zq-9}<ly#&t`2c!?-6>Pe#I)5^<pbEgk{-=^+oGkD)gAy9y8dsKt-xahTFhw@LOTFg
zz#4@{S&2&F8ie~<tU*5vbIJwj7}rZx&`C~Wt{73H$~yIqVN*1HW#sikEt4%FZ&!0V
zt-9O&<C?CgTBlaVqS2;!V<^-5TbHwFx8<U>X@`5qLMvPv=}76(sSV#x++eqL=X2fU
zVX$EgH^B~)`&6_;^?j<&Ww7LLmb5t%@p9@HAy~YaC;HSRwL395u_IPx@1?80>)ZZ5
z&7j8Kg|`3yto{W(A)Y{OGyJ1^p@4&$u(r<zfsuKy+BPC$7BXrMXDjZ<-%gLIWi5$}
zQmf{AnQ*|qa%$~a@B5K<AL4kFdz60lqk;i4iWPMX@H}Hl8EDOlQ6!&gk4;sg1X$q5
zTDn_3p4RRb{TfZDqxdNIxRX6$Yzw&c>u@%n$YvAqEc(Y<H0)LWQ|-q}%!Bu7a;Q=*
z^&~b?^!g7hpxY+W4sd9njPV7-gTAYuK876%D;ytme+bh=8UW4PhQ}OEr(<k*rfX=Z
zYj${?zs84Wy~UQ6e(%NE;o)p%WMuEixOXrXAM}oo%taz|{1uOhUrmjTO@;B^zVY$C
zUPye!kY9Z(YBT>QAby<=vF6`F+^{x;N_M8qo}!lydw7EI851otVyV!}^MItQhqkZ>
z!{iyz+&_}{J%-&H`7BH}Jdwj)%m>cPfDo*MvJKE-6467b*Q}HePYs*sUh{mnV{g1S
zvC!V#)iyde+O{;a)HT~O+|rwD?~n}}k6vg_N4K=Z^X;)*GL|3joZD+Ve4!;9nnwIr
zI-HKhI;MLT4%m+Xt^yG8ef5o4`MY%-Xt^a798>}lPeR-(z<{n!WH3J6{3NH9m9?ab
z7Q^UhGQ^=cYoUf|2FdBWW7T>OTwdJlw|Y>(rfW!5FPyg3G=%yVbH%OU30Ef6*;{A5
z`&MHhsMzOyJBszL`dM?J;Lk7g1T)F;W`D8Z@ANIYoAV<f6I}d&5gt?Ixt;*`y;L8U
zRxj~P<D&Q9BG?;kL5BO$lVFEsAlWl3NVw3-@$j?+-o^Q51~grIRGWihoGe^|&uMA~
zMkg$zC-1rEp4Z)d?SwthXtD?G6UW|l^S$@pdl$-VD?N9{rsDCb*qx=PQFQw*454Za
z9>Z3B3|eBwna5xxkAarKTKp1jTG)+%k8rZCE#YL{z%#@6<UMbGpbEMV+<xziW6E3^
zvd6|=lyEg8mh6w9nLfjnI$T=Cmovj<hnS=2p!hNa3hFtu|5@-wRx@Jw9O;FBiQ~#U
zGq@7|EUr{t5g!lLl^L8Qqf~F-hyvwXluXb`iDjuQZcmGX^liO9m0eL5I+n(Bb>oAI
zGB{qBpIYh3ZwpPj^P&DZ+kgJIqCE9Q`%EF)<DE?GKq0jA1_w+vjWyU#8ZZs*8jFFx
zye&%$qZXSLyGo;To1>ADd>0U*8b(*Yr~Iq>W>8KXkv%f6k*c<=mMSZTaes!CLtT%K
zV4Y$(!Wd0TX#EbmA`4q0;|RimOForGm2<l4te%hdbaeFWKmV#|aTCrrVI{hBAm{7~
z%_o)KflYR$wQ*DFiVJKvT-LjNENwk>P>p)$Bc{^VRA1wUK*Y@D09x{`-lzOfy&Eov
zZb0fo3zKeW9_aFcmDo|80`o+F4C|4Q>P3YDVP}mg<FN9J<qE(;YB$oajuNUD^#`0D
ze|u}K`<w-r*|z;WcbDB;=X0b}X6scaeCFo%@dK)Td#y5k&Ld0a?u!rATX&dhMzX`(
zzm?xS5G9O8<O#l2`8D`)4OU*C;axgyX}P2o+KMve3;IZzNh4m8=Tui3DzzImHr~rS
zdRazOYpB$BqxVu)bt7+Y5<X6<H~P0+`CDH5hN`59Pc}AtT`8;E>%#06Ve07R>);2m
zQkE5%Mh%vZ<T*}cqoQoE*ew0c{sG&EQk|LXAzO>PA=fyuF+8xf+m^F6H92fqdtYL*
z#!=fJ%(*Ay+X^<d1I6qInoP>~jL%;=q1@)bvShfxXubS3iMw7gbH#Fh-9-nDhpzN?
zjMq7=r2%s!Fp}vsUVxd@`FfAx^*SCkZLWf)9wMbj))r-LD@nVI5|JF9G-?4I&~wIE
z2VF_^0$*XsEZLgC9W=>Xape>3xRTnrZhLTNw=_AK(=6HlS)_nmv;3D-4?)l|XuN1X
zXsj_U4_l0;)1-m<19u{q;;-JI`U8*%-g62A7Q5d*Xm0Q~RLKOlf2<*3A8Q*7QYe^d
zDk?8RCeV|efC|!K__B^02T=j1X_-DWk`i^lQosnSGDvNTd8xGM9NHESz03;6N*=~t
z_XMsHNDtJ{&<s*ai(338g)1Fsi~>mGJMqb<$)V}j<#$RI{*6+F_p@3zpXYkym0XhT
z#4hj4lZSW<X;%Ter3^wBAGmnINPtT5fq~%RJqa9103XfYG$ixiG1(HoUBG`=tSp{8
zhySkFw&^uZdGp{6!$y0D8oleT(#Tt%e?D(6=FBhPKZF23|NQgH_P%02a^!(Q=*r6P
zflCkeQDUgsp)ISIkxvqPErP?CK^L;>PYf{$&BAzy0Rsv~6~o_n78R%nzi37fXE9vG
z*?@@N0F%UCqo5QcqI?`66(u3u42i{=nYU#(4y7$4BbM~=#!TuRwWEwT8moDS^5z-y
z1J3kVela_d@%&Wn+0~UPo$96o1y!GZ1%}=vXrmV6Nh1ze8<Cb_U!jZ`NhKy%4fC_O
zR!9#q%?P3l6S7u=nls1M;}tX!((0`1D~5ILtoVx?W7cauNgaa}V8wGhX($e3D+VlK
zt`UdoLK<emYc>KC#)6B^9Q@0ID@Oh=E&f_+h}bVR)mqwXOMh&g9ZO!++#TK%>1o~{
z9~@7-GSMC_m~6Fai>f^EKxx};i;K@GnY>Afm7aU?MI~B#uBY^EB~$wLGX6sR7!6aH
z@879!#cZ`hUlmp&cOf!FMuy0se;ZB^h>r|_&cRwWU;qvHUW2PH2Kk!`6zyDY5|Lpf
zrIlFO)}{_c>c#O><v0c1Mzq2%`tib!md@cwBIh-|<t_U+ZQ5F+dIsvfDFk?U6NT(e
z%B!wCuqQL!;rF^X`o@Na1}vomZQkHkx9?_WQ-8iV@P)B4%z2rHqwxQBLOQ%kpYxZ|
z6e$&D_PHDw^%>GBDVKwx_F~6J*Ic-^$qlLNb8S=a@5PlC0>5_w2@xQG2|n7|#r^~4
zvYC1e6&ibm#=Y1Zz>@Cog@7rN)<Nx?u4<kgR+Qn{`u5^XYwC^mV(NsV+<BMs&d^fm
zP0Gc2Q(w;X>cQ!5Yh#V2-rN)Ki8X=vdjh^2YZ|S+=K2$2FCYWi`$Ndyl;Lt63z|Q+
zLirV2NOF9pfRK(kURF4QZ9{7S--7tY>UpU2E!H-x=fMgRf0dGgW2bw-Tzxi8#nz!)
zm*^-sU=%3EuBAb2o-K86ZJ!HHdb^_wn>NjPTI*LHA3o>kA#2aJs}^RjT<NVna-k&?
z9`}WAc*RvG?DcQiSNh42?GWh~`H9e3e+Hd(sG_s3(<>@=j@;WMF;fTP9E*KnT=hB?
zlBAQ`Unu){=USarX4i`oE`{*ZWT2i-FT-(!<->{QbjPYrE;cIu{TJ8G%!lnU#{&x=
zbNkzp(Sm<4x^;N@!n&HRuXdzePnCXSv*+`zGtq8mzPn)CdrmSqV0MHW@K4$oZEFck
zB=S49cv~H#ju!i9W859j#X}pNA-9N!VQmKLTtCHHNLDICY06P$<}1}o^s1e#BZ18k
z%qU~jDfdX_bp9A|CC}q(NSvnOis(OG!-Zz#5Xrq(&qD)!{l&|BmWN}};pM_~+d^Qn
zG1=UaoD47Im5Bq_JCtXf*PeReLQB{3u?=&a=>2<5?a^_U-&|^~?;dIGuws@K?6|N_
zF>SshIt^>pqbeiO4wMjzAS)xv^ZmHR#MB|iWpSoyop3%GQN@+amCJfzv{qP43bCSs
z8&eV?bXQolh)_pZA(VGHmDsGGn;Ds_d3xdI`kBEQ<>p%hNz3fCbz$J)*WLG%z4@*|
zb1J%L)X^Iqn_YJP<|lyPx%wOBCxAb0xIl;hWjGNxX-tCQ67%Fggp?H!DKGh*>ym#X
z58`^GRH7xtQvi{G(g*Ln_!K-vk5zoeFhx}MnY(p(1^*p;7yb*6bc7V+erx{)x7l9G
zP3OjQ)A=Xgylr~hI6hxhQPm-4b=Z6n-_!+@td$(YJp2&j@K$W^b-bi{t(`Uw&IDi;
z;{dF(W*apn(i2C*zj7oT87(W0Oq@4S9*>CcERX5Q>+s(L$`kkV`re7@iSdc)$uDf*
z{-((pew}z0`~h)x8q77Ih;of{t;9=(dMZ%MSR-zkk^56iR%ut0i!->CwD9Bu3(7V3
zmwu)^p?qb)JX#u5$45u`F6vH?13v+1p=C;a*_rleo`@4zYOJ(L5lU;4v(DWE!ayGs
zITf$e8Yy-utH^hy#V_QGmPuk)<)NM){AO@&RuSUlEuGs&6Uni2I+9=cN@#d;ayWGN
zfVnteR=Pde*{*KXH|ig|TiG-+I7+u9_JMYQud1*sjj$;}U2F4KnY(I5*?|u$hvrJ}
zwy7UDwF{4-mY4P%@^&6S({JYD;tZy{4QY|PU4tvmki(<MSysNqS3`%#J*E$dcQcwN
z4V!1&u+ear4u>YL9A%weo6br@^>hl*tGR<{sMw9w<~<#HvP?6})5x;&Ja~p)O{f5v
zfFU5i4c7@=J8+!?ad?3TW0f1ZI%61dT;<TB>UJSI7zzOISath934HEalV_~Fu(sje
zH4S10l$y)e<|CIry{>6`T?=#01~4yHF)!1r|Dniv+0WUq%qbt_v}pI(*W9y3+=D|P
zwR<?fE^!Y|k<<ElwYX<ad04xL@2XwX&w{vTR{5fKPaOAn#XU0yMeFB!?Vhh!^;3Vw
ze&$c>$A89t<`umk<U1SXJ+mNvIrd}XU6p%y2K}(;htf#i!{~CWWnMwmx-x!DYv9=?
z?paViqus-IImJEm<$mP57L+en_0zbfABmq0<#7>*b!+aC?^-P1!*}__J!{9cc-q+I
zJ!|1P{T?~44XeM@#typyV_#H6_?<=@Yhjk~Y?R}IR4Za#&jB7r#d*M)^M>>FHT~z8
zaHaP2NeDXqNMRnO*d|O*u2>!%Nye!&N3k-&x}l!o_!Rw%_bh8t^0EtLBK~#a@`p1n
zGq;|mUwTphw!RVoaKg19X_!`4HC@e0`~!IC1j>(8=C_65zhhVm{58-|DFv-yGL(X>
zEG3j?VLc^0-+K7r9S=Wz!4oS_;Q#DHi7G!*jsdUh_nP96Qqh$a%oeMVT&sLT#i?8P
zpWM;sZWuOeuuW6+a&zXg;XCdazT@q~Z^!?y9eKx{BX`|3a_2in?j&Iv0qY829mhBF
z<sN<Rw3%sOMV&f`LFsPN%ZSMN;9*iQav?pfRoJiQngH}ip>!Ha?&S{w|5|G(luU*~
zt;$9EH?h_}ZTKVdp5KnDHrE(lshCAu-0%tD;iqcK@-4$F3>N$=<7DE7YXElwvetuf
zGhm(GbStky+si9R&~8*b5k>h?X<B*Wi?`hJ#cMvg^3ek`U8b%Xj-B&V-G_J<eK0D5
z0Sla;aiy<Q=|iF~A6K5ZMm~Muqr|<6=M5SR4bTrXiK<aOlve$a)e0y${Kg}}`TVW7
zex6{x^Nxde92icU(!+mRUjAS7SpkjOOPt*)Plyg>ZwKx;SbBy%R{A78HW~(WI4im2
zXD3lA*q;RfQYon>R*pjwZ0YyP6Su#6`Qe9`-+en?rx=Qg7kd4@n3pm}DzaVA%ML0y
z78l;FMy2@9{dXTIc9}Z)+%2W!ciwUf36pcv3*7DpTPWAS)neUh%Q}LlsG>m*L7uZm
z8;80Utz5}GsPR!Nt?1ZY-Sm$aU=76J`-KreYtA~bxc~NTKUSI+H;XT&|6c4pvGUg|
zC&WL1DQb98c}{sZC@u?{V+}A`oz!s|OUrV~%sAt3Mkmva;)F`oid_%{Y$Ao6o-i43
zr|bxKwzYaP(Xr@!Li;)zoqN$A_78XTqT-l;xU-O_e2yA!Ri0CAp#L8W`u}m6{=s9w
z9}uxw#bfZcz8FqeQr=j)TX_Q9r1UGSjg;Xg^+mM-k(J$s5mZS$iFK|5%k+|x*$#+r
zti+oW-{?c-?gH0Bi<YVB!%WEFopxxCTw{;HK8GeLR!S?jf8qS#@mA6`M3<i&FwK+J
zs+t65EddW@Ce-nXy&WcdEYlN?4d?uU&dGGRyFF$%wVpqgp6Y4|b<dP8OAdR3BZ*YD
zQ+ZoQ??Cs)>E!H9BO{J@$QkSyjpygO0*;o1vwO0od$zp`Rc$ZJ#Zz6`M6yR2YU>)@
z*M*&X;&H?37PWxW=`8A{Vol_r3%>-p6^2KwT<1{px}QnulzZ~60xQI%%sr=fofQu;
z^Z3RcWELIJk$`i3MdY-YdSRzQEiBir`*~`nHxe1#+MQZx85<k!DkN8WF1@;K!=bLi
zMn`ZYJTyLN3-)Zt_biXZ;?dy62f7wwt#ALE9dABVJb!s-Yj}37Fo2<8t~yr_DqD@s
zfQnHB7PQE@rAYMyV#1__-?0*v?z|J{LNZ>JQ*?nNSYxw!+kFj<wua<H!O>#H&o-Y;
z{Jht!Za2+u9Ju!Q@!`UbiKNN6-L$Y+{)zX*S3jgq8GFHDNRKrdeZgmBw5E$LTG|lU
z@O&!XcWh|B`%*IwL^N8=AKd!vPUZf{;AH6w&Q>S>um00Z(3}L_8`L?}EwHGNv-q6{
zBYP9-6Ij%9#h87oZ&Vf7WerdjG|sEVqQU}XkeeiM3SC)DkVdr22*wrjxQzJ6_rqtD
zFO|OfxhIwLuA5VOmEO4nrqX|vexdD2ub}_^=-;}IkD-4u7Gai)<E&$j71ef4=?B-T
zFPyTex1YL_Jhut-^%=zJ#IdF}=n!hY8W}Zty7@&9fkD(5khNfCz_F}3K>rPQ@3kFO
z_?|#fTFQ)YNFf$P3*0k$bbpnCHPsol)cYH9{=CPJS_4z(TzIHE9?m<np-op6ib0Pz
zVRNU4)7U{>Xbd<0W^~6uV0p{=@7Wq2F0?ew1#+tSgM~{*+mpi>PY2Fn`mOqQ@T2a^
zsfI73;n5E+UCeYJGh+&;MQE$04lNn_6U!?ltcH|WJfvWQHOwOfiUn*1$9hJUUL+49
z;K*vh-;}p3-nf5YVE>Ja8*n}KMU&as{))-jYcjpvZ!P_k@>z3j=IHq3(M)Z9-|p+@
z=C0q}$7`+WGsukW=o=~E4DDU!N9*fzg}!{f?Nh`z_gep3ol<%BBI%ZE$0}BgS?Pm^
z6V&2WvZY@tu7Qs!Z!TT+u_mR?q|}Yyx92|G*|z#Kby97@vvGZfPpdqOL9^H_*(L_-
zu%=;DTGI~2a_@vvFS_w7w|#6tag}~K@Uha>0-iMBIj0N{cYL9IVFjDhMKJbsQSm5a
z0}qw1R&IL;4>l2!@zU?9v;0NyU~5c=2Rog}RVjKErBM3a#Jzjjk6#S*w$jxf8z}u!
z^qF7%l5vCj95_AoOL7+KmtGKl-q<o?Y<cOYXhOSx_2b69>I>R^TztIGT&pT4OXn-^
zQ{K14e|UDZ5w-L_Z9G@~6(mX;ISA_`pLq1l>C_?X6P;fFxmZO#{JU~;`#Y|foV?;4
z+x6@8@m+m=yN*v!Uq@27Zn}HNR4O&Kqg%Uf9J=hC=kLAi^5Nmj@7jC*J1-kr=sfR+
zty^!{+10g^*Yi5}CZ~26`*%;ZwodKtAJ{#a<XBb2B1xQ>G4rQ$T-G>XECDfuLrbl#
zF-I)FQT^uRslDo7pE@?8esA(r=f<LXo4{E&`k4jJnDx(?GYz+WAQMlw@<x;L#u3%n
z@zOuza3It<*YB+<Q!2SU*&6R}jVbbxQ<tmG(jT-3H{-M)#!fwjx%occLtR<Uq11Ef
z@h7b4K*@`D4H(^}>rAEV<T&-`SRH%)lQIgAeMrq)enXg~*h$d)E!JvXZ&HU&J*oG9
zqf)EX0+w#j%`E6k;(%`@-2j|~(r26%ps3HOFa5KzgZLpH^!p_qNPFDx)t@oP6#cQc
zoq8TYdD_F9Pdz1Y?guV5lySkQX*bYDlgktqC00Ie5wHCIOTQ5FfJgD}%Ciz5YoD&<
zb`u}6N3wv^`?l8V-ETVeq&lSP@3^t_2h_vkdlpxJuYN~;FK|*@k!}_LS9Qn=)ebN%
zsvTv5Tbxlh4xjoV&pNA9uN*q{&Y2zrH_CpEX=4)cR^dv&)dvW`I|fpusmky$srR?a
zNH-zBLCuJNv6}HJxgFrJD%*lH`AvzU+Z5S5Si;G`BZm^DTV|Ah>m6Efr`*GrY`%G_
zd+?Pbmwa{Csb`f_JOA}HHv*;&Lldrc@2L;Zh&eH>{zAP@eF*%3^ob;6F(;%WCLv>J
zWe|*r&M;c<jcn-I*f!xa1s8W6DJ~Q*-n$fXFW)}jJ^H%IT@T&&SH+3K>+XH@V$pXH
zp07Wtk6^s)oApLG-+YIx6;!RQISOH;%-x}YrFWfmPu}23g`NJ~NWvYnOqyyNeXe+C
z&=zRS)R;#GTY9Dgb?z|aYr<_ctM*!ZqqD)+(bXGjU-Ub?nPA5@XX&;1nNBb8-@p2M
z*fjTIUK=Yl@wLp3GwGaiYUOSQ&*23oknrUayT-zL@_zUJ`w!fIf59|VEDo85`uppY
z6=kLLVClgFH(Yb<HLp2#jljV+<$Z?ls2>NFSM%_o;%!v6xvzG$gEQNe%ikmPEZnPn
z2=}I}5EMAi!DOIE4K=FK#}~_e@NZnFwBm|i+}Q5AT6y1lE?1zZY41`kd>+3Clp9dz
z_7kGcEq_ldx1i4LW1`M2f49JfzgPWlylKB-hp}Be(}1?yMcblbMQghR=jLt(?OLr7
z1@VI7zJEpAW1=lyZo63RRZgn^f%{sk+9uHUYqSl^HjKxK+SFGHxkkBvdhUeJvd^OW
zo_dP#S=1HOnSBqQZ8yACdv6i%4dA^NYy2wQv-%I}sNtjHcZ9zUuF?yJD_0-K-*-;&
z_a1dzc}o2*`bd{yI;u|LOs>b#Rw%c<0q?q3zN_4Jg*vQ!TKzHZ%a_~Usdl0U@}JOF
zEVsQ^?N@$bM6`@`u-x{vI*B@DUqV}Vx$U7<uW~tLu+_Svu<iiidvdi)xk<F0EAN9Z
zuYL8m(8>M)it%FSqZ4v^9+u-i>=Ipz2;AEZPwE=a2%`!{WQYZnRBTPstYm4A1@R5X
zS)hm=+Zci?>q|1~fDs1<Y&Da6VQU>NZ$itP&~meA;ifxV!?=cFT91GuO^LrG(Yk_G
z_Oc6C-nAds{kW?i-w)&aVSMM`FT?lC@ZEy%SK&K146nnLPJ$cgf~)deRfmmNw^yeU
zS9`bq|Fl>4U;W-o>|U?k;cf2V)#+`n)qamQdA&_d-e!k(-PzdO+=%;}+I456*W1|S
z^*FVwet(^#x!KX^YtCuU?f1Cc9*^7Qxg7tv@qf?JW?b>Dx%5o4+lBw!&B|*$NE!FI
zou1NR{Wj%O&G-{;Xf7Qo-**Fg<FlU9zpU@qBkxBZCHTkcPOOn(tdaG5Pw+8vGZ)MR
zE=%=qm)@q1zH8G%eC9Ct&7_f)+1Bn?2@6Vp#{QwPd(@9#v*{K-^L907$QkW;rh#YO
ziL<MDqY<6QH(Z@mb5FaU!F^u_JRf>_c=(7q__if=bnqb-^IiQs;JN$d;o&p(!aZZ^
z$A@ka&-@GExm>`*I$W%6!)-RmF>5Y$^+t908TZoyKReW3!-vVYVCezus;psw9|aC2
zD`?h)03%_f2*GGXIFS{hVjsTZ*cJKfP1mdYZn-6U<OpFspnl45pK<04{R!N?e1G>H
zIB}roQq!gCx30J%wsR-@TZE7J5%92PQIWEG?@++UG<<Go(%7Smn@+HLv@w90DGb#P
zFrhlk`csi$W5Tki4ixdVrP1j!;=76fUhlMNb|Wr{sA)#va0YzxapRUVyjzTg#X$6T
zb0d}SW)e~5-Q~kmr1xz@uszz+=x8=>GL3bM?+Gius*k&U?qJw5J%#I#Wtz3>R*$JG
zhQ9_+miZ~nI~CLfKf+%tK6M3U)RomM)n^U2pOKa{Tw}uV!0iwu&x*S1kQrLPkds2@
z>3!gLM$p4vb=dHJ@O_Vg^@i8so493Jt0v&r0sJBv0YP<$Nrrxu8A-d<8DoPl*4!NP
zH5g}9cX~t}_Gbqo_0E{TsmUL6)<*`ievWUCI%2pV^XfSBdl+mXs*CFHDd_gOF*}-e
zE4$TjdwW>jt+>;p>WDux6wCDXW@1AboK~`WNPWWaF5_mb#I<7(c%hS&Im<k#3Q3b%
zJ_SagENrq)S@Nk=-ZEv~q&~4>q&}9(#Og;jNM5oV{XPKNUJtYA_hn$tkEWgK1!^df
z2;qXW-PI?UKNHPnqs*ZJ%#W*+h8f6Axu1gFf1&39yz-WBIF$<HqfS=#F7VuE)xS5)
z8|U!c8F`fji@v&(NLyP3ANB7mov4_LDa^&=Lgogct;)B{MP&nFQ;6~WwrU|%sDkWB
zAdv_J<MD^_3F5mtl?bq@@*)1z)m<3h2aLnwJ!S8iW?u*la>lum|B{zp8j$BJKdzm%
ztbR#9Zdt$LoyzJb)FH!p##(5;YiXgv-|$uzz%XjccTrYWN!58msjPKnvnSD^4t1NI
zPIt4qK^^S&#eH_I??((fjaQtZZ*Bcahx}RlZdh9MU=2OeZAM(TOC447X{~Q{^%k|$
za2&dpo_EG{R$34is58`nt0%R3(|>4ue25=UDCEIM?HtPHhK6$4p^mUW5Do|YbcbOs
z-l0BbxWstv|GNLq;o;7Xk&zBpFz9jzgX&|2Y_3qqWebR;^acW6FIG4Eza4pA--TYt
zIO=LI0|ZqBDNHcyc5EHRN9}L<MDoM<;F((i)4v(77SFJ@y5K%W>Ul;(8KdO5M$iaz
z?J3U2;V!%Oz{abN;iG>0p6r`j@F5I{J5eVf+n|4AC*lmeOog9}=`dOv4ErNs=yOO&
zwfq(8#4VY_hcmaJuLJ5AAlH`8(3gPh?0t<1iPnSXUlHB8Gx`ej^-~oY7V4=rb`i|0
zM#XF1thm(VcgF7qK2pHpl^PCNIY&wXxkMPvqXG>U3AVuLRTpjDaReW=|HH{owBUn2
zLcr;@8cxr+<`~Y#HFu^Cue@sGfn)fnkG(m2PYXU0uX_R4`{B!wHSh>kBRZ)pUa^!Q
z7O)wE<OaA=_X$yukpjZpk;`?c{kAY90c1nimK+$6{T@<Jf^TmG-!9L7HFu!wA>Ssn
zJb0SxwNi-VJh1GAG6Ppnf@@3uE&Kiw^oSm#1#6YmDD81{5oZdW*P<08x2QvzF83gI
z2%MpyI=(42=}!6E6>qaYKzjNhWaC!MhwOvCTVaceN*oj)%+62Ys2|Vf6>ByX@~DWD
z_r`sled@H@>~=cgRbBlW<lYdf=*T|gULJ?iuT{!M91p^HqV55c(F`EmLs@ks?aK%l
zHl?O$H|abLGP@6hQ&t~ZH5&G;J_XvOO<D2XdT|6W!=(3296dU5YIb-Q_uh|tx0UY|
z-Xa)Du<&^jCjzRs9i5ms`snPJdGABeRrjc0M~~$_)k@us&tm1!HGsl&co46^-8+T_
zJbysW|NY2$l4DfRCOFpV?6o%0R%_W&--s${%0oTYWWo__NIUX@SXT`DN2{ML{mC%A
z`W1}GgE2Ahh+aqXKdZ#Lg_6<hNiiqCI6O5mF_nr&Q>B;GfzHmNnpYxzf0V8}^mX@Y
z(r{RenSJSFmWnMS@_;81On&%la}#slAHMiv@r)7Ad=Ph^{)}8I8ouz{VLbA+J1)L>
zxctmhpfJW?z;hyCt}HLcL36zdT<h<|^Z5UxvzQ*@{O;8Sy!UlrOwvCf`#^vkCg<?i
z9vvRW{6D_hW|&$1hzk4KV0h_gf+qH?b{g(q{V>`JXoC+O_uaB;H5_04XS5a3_N>6g
zU8`Qhj@7TiAodDLPi#sFPu1K2F(`dd)QUie=huzqXM7t5&i{Fj$?b|+I<R@y)d4s^
z3_89@eO~KFN+)UNQoW+u;gV^)VqJJM=wb)^Qb$A&CUobHQqe$P0w#=@wMyy1tP?QN
z>^L1JsA>gl-)dk*^Br@cWSWq9njOuS^CxR#5dqu(>;68q+J!xE$RNQxDEmpz*xTfe
zCeFeX+hAk>&6xqa$5%f;8gw)_1suKK$mKk(QGZQmq1oNgkNOYF>L*uIhU?ImNA%UW
zwy&zlZY7u-wKoTB8$<CHN4={i<mmfuN4~i&9;os52AbV9mJvHWQp)N#;rHo;-$$nz
zl0DZn&9qL-HcROR_>^$p&8soPiPet-!}^{R<AX2~o@@;In!IWF#UHJ#+<rS~X9w>6
zu%I2R>6d;i=xOh&&+z`$&w-xuX#0WI)`+%Gqiq6h-w|z#t5L%vt0&QxE<by0b+h5G
zSKo;?*c~tZQQilc_K319?<*Y_WBD@H{d{@d>w!P?X3KSN>}zHys<p45JCMU%^H}?(
zmynO-_ebFIFLrif?*U^?Vyq8qV-+=^#aOwHxY$n&-!%MvgpS+}8F}-n4fjH=z}?(e
z5ng%ReUdB=9EUjKb2zmlapJ`%Zo27(2OsR(0&wx3Evrq2Pp*CvD}IOIEh=V~Pa-B6
z@{ulW#@b4!lZ*#8enYk~GKA$E_;*H#unq|G!<f^<Hpa(?Q2Wy=%RGs&hGvgdoNlQX
zNwau9SttbBa0F9ZptonthfKo}m)GO{KTC_jP$;;#RMVeGM6uEmiGB(1`=NX6Reu2L
zBMq1^LXB3cBDV^eLizt{vR(htUI1Na_Bdn@<`%y-8yUah>IXia!CE=8$~r=2nW4#W
zEBCMQLb{VhiCkpimiLdl3)$_e+itSf*y?@X80u}a1!|pkMV&Omor``;18M}m%xBOq
z<+lmYa}6qG6#y|HcD1xKdgR|vocQ-6(XLA`zr0Ym{PIiHNO62@Y`oag=C4PYd-P>o
zy-=Mtyc@M5W$YR2_^`HX9eO1%B!{O`#HcyO*VN(4*l`Dx!|H&uY73}iY2vHiaM+7t
z51(Pd2Ygq*96pi#wfM?rHsLDXzaMtcdyJd|#=iBg(M_RGa-*QJ42-T=5g3|c1g6>)
zqXsOPkro4dsRl{wz75wL(V_X001i;x@%qkJ9@Bpiw?>>o-Dh~v=&r(tu?inlw#kRr
z;)BX}wF~hye6(+0c%7%E#p4czeu5A3lv>ouXPp1!hlM~Zq5N4t9|@tKaV{PMbljI)
z|L&KYi-QwOZ(lbTS7cATN1p@zdfHq_S}4y&MbDv)AW!-s0(ktuT12=IX;M8O)rjaU
zT(e<VgXZ(vTo`voU)fpunLY>l_4K)rv_aamVJ>uwoNi=0Kp>5tjU2q7(`q;GtF(F8
zH@iKxS)Yq7`W*QG$@xr!{-eA$ir`|5sV!nIkb5cSpat)2`-Xf!GcR2D&hrxL*oMC`
zzo!{j)^b2Tb0z4E(OK}rRg-8nir#JPNcoeYKvT4~7heMj@l{znh2QMzZ*(+fE%Ne4
zeG>I+g^se?x=I6f9dBGVbj|4p5}gfqX}HU(*Z2_)ictk6^|W<8t-tc2p`nNL?^U$)
zZteX%L8sb(ChSDv)B3*vL|@axN;s(lQeM*c4h`K~p(35Xod;>g5?6h|gI-;M^CZ{_
zOkZl2Jog^6h?!&N3^SQ{M}RXZ4B<rjY_oRZLDRwX-aUJhYv###-t260&z|4th|#Z{
zAIbNg(clvG{OE74R6Ej$8~9mkPoDumX{$F@XGK(#RnNYT1EvEV`|er0`nFscTU?A?
z_$D1=`jzWXg+Fuvt33o5>w!Dw_|*$e#G0$*M7maLB95Ss(hp7sd~xc)o&%{PrvHz<
zH-V3;$o9wYty}kAvIhtdktHf1AcpQvClL2+jVJ;VK*hC5LWqPUlLZtV_iYsSWgPcy
z+_!Puhf&;@abeVP7)1pnh!7E(7!lF_eb1@7eLEpR^yzzV{_o%U)T#Z{sZ*y;t+&!p
zeqfatzt=Ix>{UAAl)dO2RK%LFC%(y|J6$QbmDP<@(3II*htvKBbuaoCBwhj3rH{`&
zy7K7UW93D|XO9+-?soj~yG6`VvqHfC!xr4OxHN(06keIqOuA>9_k_~&Xs+FR{(+k2
zJx4T;VVbi+^TnFxZY8-Z&7_iO2Q(#tZYsp1d-m|-J-SEiS&qjsnAgTSYdGknSDU+|
zSFwW7(hdVXB<ZnaT<6uKSCuo9GP4GcNS<&I{^78$k{oSk;J;#uuo$^V{~=klRMBm+
z*18O3_v>y1Ry%iH+oU@}=zlcPk-b_kd9^(wrFZ|K!&4?4u)l7r<WVv`y?3SvTO)TL
zHA2w<Swp+!gNDJZX}51Lhy~b6FIdw-2Ys<cn;`UM8)@3X2{OnNA@7>6*0>&17TbFc
z>$lsk*=gDCINu5O%$&K`0Y?YIX_;vw9c3|Z=ArGcww_?RN_R$H|0_g#9J^AC9^Ida
z9PI4lJHfr9j@s>@;{y4l{9R>H`|&vi-c7V{)0Acm_+RndKj|xax(!WDM{a5|eh89h
zZ=DY;MEK~kI^L8zz{=QVj{yVr*d@a{fKM&{H2j?K20ppyJ8aj?%w31|)h8EJwmM&U
z4Q2QC`?Eh|P>n=GBTbuV(NF!E9wxw)iS$*%iNo0AC)Oup*J?j^?5I&=VNJ3QIeqMc
zYHVE%+k5X}boB7k>q^_0ZkNLuQCoI&sE4|?gwMJDzf@PMC)GExt~4v^+qtfV^%DbK
z>N)~5q4tEzvizyGtwNg)=Ns?4>KmQA>b9lgNc|97DUALl0KJpbWdonC*nrjX^Qoap
zeemz{QVuTZGh}3P_pEqiFPVX7>TtVq?5F`lvr-pz!xpdoU%(_iVfL=SBIZ$^2qGa&
zB$SqPeGr!2l~CN~NR)^{am|s@nOA!#4Pxa%kBu5WuM^WmY##O|uf{#--u#UtjawLT
zF<#LZ%JkJTtv2cXNP0_hINU@ceTkie_&q_AKFs4wusF->PMwS>zyq@T+M~vd8D;M)
z`VK32+TLq~)+_t_PO)#_p(Fbx4;VgtKyts4L;GIcMZt*JiFi-%8tbp%AKmZ(tFZE=
z_Ed**^z5<HdAor=I%K6Q88rK(FU30_*mXzd!4vI$oY7;(jCS_1Cw}Csl0>cY+yP^g
zvxg7QP9A%}@4KiL^tVM~oN*p_=|Z>c)x)?%Dv#uk=%ZOB>6rM~qy*37<*}oVJm$zz
zM@x~DJEV`5>kb<^a+sTI^%;^Y#toi1bMXGtGY0P7H@)AGA^p<(?mm$AghZ?kI`|6k
zh{mV*w=;>m;a$gHk02T-X{yTyc6x$><v@bYIeyGhl}C*^R*J|3aBAe}(IdgB2};vO
zrWcM$?w6C(FL_KM)4}J(*0IoaG)nv5lha|h(z9Ie0rY9k&{2znKg4i6{Zg>{fWOg+
zGmY_dM!kab$4}rAbtMUBS46vvyeNn-e1=#D<ku9v07L?3Ik}jRq+=%Ahjnh(|BA||
zd9*Ylg-;DbH*I*rptt8~mu@KT9=rQx?K!mXArtHg1A31i5iJu3$@BqxWbYLeB@+LS
z!OnlT@0%#^FqC&@LV58w)pZ+eR~`*Ey=j8dsXS=nh+p0*CDCDB%PW4f@4G0kR^%C1
zS^Kfh^ZEoerB|IHaA(8pu?#CO*tAPD1Vs*q-1Y5r0?}Qc7}{^d;NAyLNEtD>Z|^03
zS554-c~)wlfxU+ewL&5-H7UjVZI^Bf8V?6gE>GY|w{1W=kCqrDpYb*TP5EIpMM@X+
zec*Y?y$7HP4(U5|&r`V(0(PI?d&m+I+$(#J0qIH92rPe8=D7)FcH0h#Wyaf~bD3y}
zgfbuFhUi>oe`*LW(`$=<7=NfO=pEhxs17|wL+wCfMk2QT3K-4b-O86q(Nn~9aaFes
zFg~ew-@zkNCLBmJ*X5m<fAdHyB`Gycgsh=MdJpWAN_XdWMd#WD-+7F{Ivw{VjbY{#
z+K)4KjkSxsgz!Dh{i#xT^K&h)_{iM=L#sc6+3+d10G121+rlVvsdmeRG&a7ydR&J)
z*caHO-L7$hN!Nqu*9&hP&(UuD_XqO~?M}h}JzA{YY360-AGJH(7>GHr%8UO7Xid@X
z-bOF$IORrUs-<z7rjcwl>TqGCV2#3gP27~Ra8gSon9@kHu7J)lC5?kCt?RWLR|4fJ
z+AWN9d7pM$#$?H_mLR=MNMjq#c!pl#af~sxm)A9x+IQ*jUPjod*6t)D+wsauF+$Ft
zb$FVU<Fsmbx)Dys7ko@xrZFVBP`i5@naM{eH!6{xtZ|~gS;?pCaAEXMzEZm_xbM+!
zY4k~cwxqt{<i?unxy?DDKrk?dV2EKjr>L@ic2!RK$xY2w^P6%e)>YIuHq<vpo2x2w
zM$T<+ZrEq+*o6xh=0+)5Zbkk4v7^T1EUamsn=`Gdsj6`Sl11w4nsX*c=U3&tS6<)J
zSW)$lTxI8!N9&q$rZ(2+lvmBKnO$F7IjyR?r8e3a$_<19`xccJ<0%@>K?#v=Z!aC<
zrWBXWtZHnksjtgX$)}c+BM{hkZhdn_ecghbU~V9He8Il+qw}ijo9E=#*31s&=I0jV
zg#!iMW7SmEH04Bdnj52)Rr8~b^K$Cv?1%?7bvey*t8!-4)euL@o52`lud5te-<VU6
zn8uun`j)!p#+s_8+@4uEHQG{}Q<|G|Fp_r5)aH{Ls;18cWz5X-`Z>)Dqm5NL2&k>8
zsH$s1*)4UID2<3IpExOJN<&qhN<2v=7?b0%E0`P1&0%CZFQJJph}P6bXV+G##*5}e
ziVn|-Ht&<8$!V%+tZ8U&%5AEt&8=^&9y=v6Nh8^gqRN^k)OU6ZF$Ap>t;>0@s61z4
z`9E@si^?aKkI6Y=;`D>3%$S~YMA5WqMU$sbEGy5MGA*ZM%H-0C(<e@u3|}OtX!21x
zhfbVaIwq$I!i0)doz&1+)zp*&zShidsI950%!Sxg^<3ecIY>(EXlkgcsF_n!ky9J3
zt8R%_SB=SOsA`;F(?r6<jRhvouR+tXzq)=wRbyREU3JdMkiDFirYaJF=IxlD+cRgn
zh_@%T<+ahKxnRnos>b?q2pD&`+M?QKln1%ViTcj!@~Xy~IY>JZ|0t&(iuPoq5zpXN
z<KI3v8#zV@R~mybW8&^mf;)`RBBK)dW*b#-mm_x*@>SvSttR*<8g)hmVjF>%V3gx3
z5i^qUHzRx>3}0h$ahm>ek;224%Q@#GZWNce5L7iISB^0a_?uuFjRk;&EduOyOz&i1
zn2*q$oNQ22Z?qs)g;ABW3veg+k*6Ff>zK-^NK?-tM0XA9Qg74(FO^db47Etv2u|dJ
z55$jsQRh<Jx1Iu5B2EvZ!nZf#I^$FMrXXjTF%xl(D7}U$CqDbwry{2p65#UYB2_c<
zqYibZ&kQMbE+*XtpkY4fn+JT9W)4DYxekOeAEp4GCxwx^;3v_VSg#!5qt=YVG=pkt
zBdQs3Wgf!nQR>f?gBr8}VVw(%IryBt4rP)2P^*^1r6fj`UWd@JD6J83R9DJFZj!JT
zZhw+ol8xM-C6!ZA8nt!~S~nN)V2zb}!p=!*GvvPk6if$gif6uL5=Z9%&qC%K)mEjT
z)`EnxEUJ1_U5LX}H;*&r=u4B}pThWwXFldhoiI>O?J8X)FJy8ODC=CVM@<y+6$L($
z`PqO(r{D8P0wUn;;jpP?_JQ4*J58tywL$}8sU1kdYhhEXRipK$ApfK;l=wC2iAR;d
zLVATT&qk|w5<<P6C;>!&FXDbP(I`i6&p|IEKYXk`j(}@AT679zY&v3(K<qU972#`)
z>4+=iyi*WD|1fL{LQ6TvM0QhuB+5z3CmTn>J`}N(hPYh?s(fjz!qtfeP)c%0a;xOE
z2K}W0oFMtE<oc6#AnyM37S4ejDXd=JCYFi{V4nk10j$)1b*#OjfK^N<NoFH!IHF8x
z9=~T%9-@-!LT&5ESEDr2w2i<>{k0nSPevH&)*L|6#hw-*ihfM;bAOi1bk<0ouFb&{
zo}|6I>e_PVKod$*eQFWYPwA8f^GCQ^v}r9uRsEE{A(`qfw3^EyDV(G6;?^}^;KI7*
zF(~nFelES5WZ|~paIAy&#K1QSUoq^32H6{8FcykAh<v1?^P!^0L8TX>TkVUlhW3Ye
zl|kqxKx`)(hd|^e;WdWI5X7nIfYU(AbO`fIi1LvT$ys>!{utv};{oF};}zpUW40-<
z+Ndz4X`7Den!WH%X|kDOrkZK^pe@79G<zGDnSIQ@_;$P>MDlyHzY)VbBiZII=0I~-
z<8P?otL7l%b^J%|A?8ps$K1`_-Q2?*W)3$;n0uNd%~9rPb1%I5F~;26%r(cF0eoZ|
z!soVOGaui@y<xm*78q}t<M2P##+!xaKIXpWe&+rry}o^rS!5QQC1$BvW=6~j#%l9m
zb0S{1In<nF9%jrjC!15uspjFvyT&r(@5Vz$wK>f!$Jcu^%$ep9=8@)6<}CAQ^BD73
zy!Y|2d7OE?d4d@=XPXsfrCDXpF{{nFW{r8GInS)c_grhtI<wwvFn?n<noVZ2*<vm*
z7n&y-?;GzK|G<9^n`<sIPcct5e`}s*o^GCjf2?tqdA50ud9Hb$dA@mp`8)GM^CEMx
zd9itkd8v7svBA9D_=|akd8K)kd9`_svDW;(iC0RE&y6q4>&)x%2Fi&Lka_4zwfG+v
zHyL&2&E_rUt@w8EcJmJNkLI1`UFO|*NbX+qKJ$L#7V`n~LGvN=VF>XL=AUqx=n?bJ
z=A-6grim9mp-9ZfjVAL6^GWk5^J()h<`TSb^o;qexzv2leBOM)d=alreQUmKzGA*=
zzGl8|{>^;DeA9dj?=6v<TwpH48%TdQ-!b1c-!uPVzHk21_@}wt{FnKG`JuVO{K)(m
zFQu$BSDCBLPmNE_HD;^1*8I#|XMS#+WUe<im~G}4=0;-?I{YcdZ;eyUFU?KnSLSB(
z-)6h{wb@~QV{S3OHMbhK;w_@@%x&iP<_~5JA7$e)Jz)tcY`jY0ieC7iAIV0mNWp6@
zX(HYDoyfo|#l1xz(N|=Ne#Ys>X~r3%zj3A*AhNM%Fi`9&28qF9h!`qz#BO4Dv4<EY
zhKmtmPcc%A5~Ial_&*|h8*L)jcv_4V0TC1-k!O5{6SRC$V5~PbigEa2rV!r{?<@Ah
zwe<tUf#M+SnHS@pYpE#1`xz6&!MG}ah&WVC5{HS&Vv3lG*9E4Daxq=Z5HrOQ;z)6n
zm?e%D$B1LaapHJ!f{2RQ_%@<aREasFTFezS;zTh|)Qb6{PSlGA@f*=7nnbf`5evjZ
ze7AeDSR_snr;6W-)5PiG3~{D7OPnpv5$B5Y#QEX^@jJZRagkUoF2-vfmx{~8<>Cr)
zrMOC5Ev^y27uSkE;8l<7#SP*{ag(@N+#+rjw~5=u9paDTPH~sGTihe=759nz#RK9&
z@sM~J-;zEe{wy99kBP^{6XHqn6uu_?i&!H5DxML~ilyQ?@w|9JyeM80FN;^itKv2B
zy7-%TL%b>85^sxT;_u=e@veAJ{6oAi{wbE@OY0BBhhl~JNPH|l!RO+u#A@-WSR-1+
zTJf1!CqBnZyVr{iqD_1uHi|FBCh?WnjJGh_#n+-ke1n&Dz7<==cVe6PUi=_%t=BRw
zVOf^6Y|F7+tCy8zC0i+0s+DG?TNzfS)!XW0^|i9BepY{LfR%0SVhyx*wFX&(ts&M>
zE63W++TGg28fFc*M&Ntxk=7_{w6&Kt#@ZWunq#ei6|_QDo)xz8tpaPDHQp+;_ObT0
z_Otf44zLci4zh}@Vyna|waToBHNiUAnrIzj9coRo4zng(Q>>}h;np;(+?sC9ux46E
zSVvk%S+lI8tz)cXt>diYtrM)MHQTDNDy=GOj#X{VwQ8&rt$9|hHQ%bU>a7OrH&&z7
zWHnnY)&gsxb&_?mwa7ZfI@S8Eb((d$b%u4Ob(VFub&hqeb)I#;b%FIe>q6@yYq52)
zb%}MUb(wX!b%k}Mb(M9sb&d6V>ssp%)^*nP)(zH;)=k#U)-Bep)@|19)*aR#tvju|
zth=pytb48dtoyA8tOu=!tcR^XS&vwMwjQ+}vmUpeu%5J@vYxj7VlA=$YCU5;Yb~{&
zv!1tJuwJxYvR<}cv0k-avtGCUX1!s(X}x8=Z7s9@ZoOl@YrSXv!+PKPr?uSrm-T`5
zp|!&L$okm&#9C>svQ}H4T5GIUYpwN}wa)t7T5oNz+N>|Ejn<deChIF}v-NMQ-TK<<
zu)eXjSl?P(t?#UD*7w#ARtzttnNmngN@+_+y0Vu{lF2efrph##E;D4N>@EAqzA{Vp
zll|oYnJssb1LdxAkQ^+B$e}Vv?k0Dad&psOxEvw(lq2ORIa=-|$H={9t{f`^GKgEd
zc`_{XWq}+g$IC*wkK9-8C-;{J$OGj;vPc%o5?LzCWJFGo2g`}_5P7JaBoC95<rFzp
z9xkWJayebjkTc~G@<@4<oF$Kz$H-&laq@V1f{e=9vO-qMDmh11%ek^fo+#(ZS~*|V
z$$Hr!e<K@ZlWdkPa)DeZPm(9gMe-DRs{E}yO`a~#kY~!X<k|8Zd9FN9o-Z$uzmpfr
zi{xT?vAjfHDle0l%PZuS@+x_?yhi?BUMv3~uanoy8|01hCV8{GMcyiJlefz|<R9go
z@-BI|yhq+E@00h-2jqkDA^EWUlYB(}Sw1QslaI?MB=+WUza|UkGyQQgl8v*Xf!LKD
zB%hK`%fHAa@~`q4`K(+jpOeqa7vzibCHb;^MZPLuldsFa$v5Pi@-6wcTqgf6-;wXi
z_vAn1`|_W1x%`*>Kz=A!$dBa5@)NmIu9B<er*aKW_UM1n4>9h;4(085`Q<j;ShTSl
z`-JhR@tE<V@sjb3@vL!=aj%gnTa8DIKg+f9Gr3NFZoFWeZxqY*as%$4q~iZ*9)!0N
zPry0K@pub$9ZuoSGM+ciGcJ&A@(a09eknJ}ujFR=Z`m%tmL2jNxkY{}x61E~i{v)r
zLSwP~Uj86s#vV5A580+IY|ECmZ9BGW_p+1hWIM%9wbSf$JHyVjd)s~NzIK+~&+cyz
zu(R!5?1A>K_8@z(J;WYr=h(a1yW4x%!|dVq2zyU^q&><WZSQ4|vG=xf?Xh;i4%#6*
z&ko!9c7Z+49&Z=g``G*1``P>32iOPN2iZk-v0Y-9+GTdco?strPqYuQ549)RhuM?u
zDfU$RaC@3vZcn#o*fZ@T>?7@?>{<5F_A&Oc_Hp*{_6c^>o^4mym3Eaq$F8>L+BNox
z_B^}Ro^RLL^>%~(8@thNvYYJ|dx5>sKFL1WUSywQpKAZsKFvPeKEpoKKFdDaKF2=S
zKF>bizQF#SeW87kz1Y6kzQn%NzRbSdzQVrJzRJGZzQ+E&eXacm`#Sr2`v&_)`zHHl
z`xg6F`!@S_`wsh$_MP@!_TBb9_PzFf_Wkw)_Jj6A_QUp{>__ZB+mG6h*^k>#*iYI|
z*-zVlv6t9?wV$z{wU^q@+0WZA*e}{I*)Q9#*st2J*{|Dwv){1awBNGdwwKv|x8Jef
zwcoS<VZU$x(_U`>%l^Rr&|YDGWPfabVz0DU*{khO?KO6*z1IHBUT1%9ueUeYZT1)T
zM*B;9ll_&w+5WfPZhvie*x%S&>~HO@_ILI+`+NHbJLVXU=?KSiq+>e{UQ6obBss}W
z3jT*lnv?EiIGIjwr;pRu$#VKR{ha|$wzG>f(Am`)<P3I(I76KrXE$eeXAftXGu#>B
z?CFejMmeLMy__-5-cGJF)(JR4C*<TgVJF`yaK<^~okC|HXJ2POXMg7a=RoHmr^qRG
zN}N)s%!xP?oP(W-&LPgB&LrnBXR<TJnd%&l`|st>bZ3S$(>cO9(mBeR<s9uC;~eW8
zhu0QPaH7s^r^2aps+>7awKLbLaZYsRIknDwr_QN&8l2xajZTx(?6f!woQ2Lw&dJUq
z=M?8u=eN#j&gsq>&Y8|x&e_g6&biKc&iT#-&hMNHor|2s&c)6p&ZW*}&gIS(&Xvwp
z&ehH}&hMRToj*9&IoCTkI5#>s88<pN8#g((IJY{tIk!7^IDd5RbnbHQcJ6WRb?$TS
zcOGyabRKdZcK+l%;{4fp)OpN#+<C%z(s{~x+WCvK#QCf9jPtCs)OpT%-g&`!(Rs;v
z*?Glz)p^Z%-T9mIhV!QLmh-l=%=x?Xj`Obbp7RgqednLfa_3*p2hNAi3g;u|W9JiR
zrL)Rejkgu(todBy8s}4Ijd70C>a2A>bJjVZJL{bdPMh<Ev(fp|+2nlXY<B+bv>QvD
zubmE@^}LM#mELZ2INvy1oNt}2&Uel>=X>V|C*~Ti=?d3!rE9wm&TYTMY0;Cei{<Q4
zV>ja}<7(qdECesba_}zW4&w^97hYw)!T6(_<R%+`Fs^e`+*CKsO~=1g&UAabecZlo
zmfO$mkEcbm-Cf*)?yl}2cd$Fe9qQ&7Pr19fySsb1!`$KS2zO81MK3WfHkKQ!+)?gm
zcQ1DgzF7E|af$JP@uBgN@rkj*_}EzK=DK6ufE#o}Zk`)<^W6e>oIBnvboX)h#Z8?3
z-2>bM-GkgBx7aOlOWiUz;!bc6b|<=rxQDuv+{4_-?i6>bd$>EzEqAB8Gu)Z(5$=)h
zQSL1FX!jWRSob*hc=rT1>dtm6+)B5~o#R%!bKM&EM0cKB>&|!U+<Ldc{f*n`Ho47i
zi@U&G=$_=B>@IRoaZh!B>z?MG?w;YE>7M1D?VjVF>z?PH?_S{k&b`pR$X)DS>|Wwt
z>R#qv?q1<u>0aet?Ox;l-o4iSgL|EOy?cXuqkEHkvwMqst9zS!yRp=G&MlfBt!S*T
zbBbm+RxPM<Tk2{8!IDz4gJnelZHKfS)^>rm$7{Pt+a=mAQ+Bb=U##;N>-@z9Zc%-8
zeO=W&N{83MIbR@H#_0l~aGuH^C`c)(sA;TdnLnqt>ZIh7%KGML1r9};ozjXZh}Nle
zsev*CH`Yg+oiY_$rmI%QRZA|5XV=te>Wek?#TrksroKc|U!tim(bSg|xMe=|!LlH8
z1GNaJOh}-1LZ{+z>=tq+Bv2g+q)^=h;c<by0M|DVEX+$e*vFu#4CzusMe^X;(MD%t
zb4_h!l{-<@jnbgKA}Vc(u2D&mJJF{QMVF);(itz_b=Pf}r)!rNb|ytDaJ1u0ic^VH
z#c~qrq0q;(=wk9T<MK4a!kS^>kTaQ4De5BQoyiF(!}$tZSXV5p2?>vPr>IJ$O_|$L
zR~>C^nO_@i;j#n4(x9%QZln@jW~nZ-R9B-^V=dKKOPSU{Fs#$(hwLeH>l?M`l<FFk
zYOJL?Rhh=B1rj~MnWmUCEnbsgS-!@dugl8U*zz^D{4%GUbETAb<$gXF6bJ=1D+_di
z1-crAWzO_?Nr9jWMsi(3fi9syp$QfgI5U)7%+NAFgJs^H(TL-&v>Dy-Q;S?Fw+8q-
zPBm6(p|*<^zsoc~%L?2XN~G)=KL5%z`DL0e{F@3^9A%o1k$`hVbz^ivm2-q*#1TFt
zl8&gXslvfuO_OsJr%5@=k5p*JduTKf5zS~w)GWrAJgZYD3zijn{No&f;CSvCXnrOT
z@*HxbnnTe<g{KQD(o$BW6;P3u)gtB&#DKX2TXUz#Q<S;`7VG@QI)AawUp&r@CU(dO
z=Yzu2tuS6Ue_&inh0lcKig@ju%D6NH%L2O8K*Xt1!8p%mC0?a8T~$1v;$yKUyI7N5
ztPvD@dc*5nn(PuycF8!m$|oC|P76sSKczZ>%<4|XLEYpz)d}Q=f=bgBu%=6y>*rL|
zg>-3!x^+XvaxQ7Q8YR&+s&14PVyYQcqH9!A?A9m>leC>%sZxeYQ%>w$5?Wt3W1g;O
zUViGl>c*<7I-DO@)>JsPs*l$)@v;`xQn>Q8SjY40((^Pw^E4mBnvdZ;r;bsn?2$sJ
zF3u0gqONCL5o)T!g(-E>hI$;a*Eh_qa_d#S)9SnFyjse=aoW@Wo{}up^;4ZYSf)BR
zY^EC&XnOPW?0Ua5m+IP-YUwD|smgS%JYg*>b{Z3Emp{&FjMpw$maln}ud(H8Z21wV
ziF2hib#0b>E(qF9XD!eL7UVh2am-MHTq`8gm<u%K0!?S3mQH*%-=ajPMR$u9r3_nG
z8Mbu8PpvJ~paCh<id_v4@Ox@aOKKTP(#o*K=U<s7zf99trs*rw^hJWsLZu8BDn=~y
z8IiOwt_)9B%J5`AlB6hDrc_z5ETV~sXt9BGEn<Ahi#qi~C_^m<g`5M;&V&U*N{rDR
zG(+>bQw2i#ELO0+aK)BTzRDj`;~e4@qeFW93*~cr1ww^Nyh2I@kWMMxkP-#>nT@d3
zs1@?sT@8MLkZO0>nhvkQ@o&qh^W&{<ZF2{LU(->j@fN6N3l->c3%LQ1&Wrc_y8J>d
zcS?W)p>diI<8*z-X*%$MIhQ|9(}90}r2LwWak|`by8h#I`QtRd$LVs%>2j5}4}`|+
za>na&#_Mv%>vG0xyyG?A@fz=Vjd#4R*LaOz4VS>H>s6@hQ|PsiE~ilA*K!e3qh26X
zq~e2W!i)ACZ_PP=jtz5s4Z~Xao7vTDP0Wq<n#iI`4i>=NXxc<yYAKkzVQw^Kq9@(C
z(Ih={&5fo`jLR#6iKCdvDp#<qWPIFJM441~^U{S%JXaX8RupALJzAn3EzwT2;0_Sx
z&7dWkK#QIWP<B=kxluPtO2WflQl?xO@q=+!Ufh)*ca4j?3gfQgxT`eoir23=j;}b5
zuQ-mcnDFTt1L_y2CxR4d2}3UkuhxX8`lGNajmBY$XASBR5JItO#Oi<=je)!tiPXSH
z4xQSe!Oz2!r@4*kO1z$V@p|T=p1o?D=mr!%uA2jNc2RA^+^8(BYL40yqVwlRxx3^+
z?8+K&%dEam&O($`hUn>Y;gS=vuCot~HZ(-B2AMy*GAa&h5tCcQku_Kn)X>aEOs%n|
z&8@e~YpUl*t?AJgcZNb`O`Tg~mB37Gs!_!h6()1}&GmKlO{uy>_VhxD?0`6FS1P$Y
zfk@Sbshqk1_GD;}moj<E{Hkh&%Z_qoXQLi=HC5KGtg3B}x>dTWix6Q^BrdF>sx?&A
zd0f?6uBsxsxJ1;oh?8nC>T`XqMpU+mE8C39w&=<>prREp@Y?l6g37HsY@V7O1@hE9
z0Cs*dQ>QAVDPm7A(83N(n><#K%d23jrbFe_#j__vd%Tp%Ob18xPQ<_=SzQuyAkiF*
z1X#JjR-<M_ufijGjv5KDvO~NYO(OwTcJQ;ZgRQ3Qk$@UqBgGn@p6f>R$||BK6%oBQ
zj_8?VL@%WxdNvUWYWzWsKcw-6G<{f8Gu@bRvK`X?kmuL=LtcJOUr5uJr}5=!e0u2_
z(X+0IUQ9>yoHC;4oRK_@PcO0~dafB!bCh62&FQfDpz((_{)qNRv|p`&kWSMZ*7Sxo
ze!X;y==objFX<wBHWShFxrm<6MbzLOjOZm`M9+RAY7h=a3OqVApCY<kH8>;Q^J_Zv
zY%Zdfw21fGRmZErFc?vTA#9CT4TkW0>2!Vc+A*T1O_35EU#R(_CM&^6p~h3F=~0sj
zgljy7x*gSIAsA76Rl!J+#-o>nks^&pFAXC_x;(u^j1*}+MY>)AwUUY8Ef1C_HTeie
z)Z_#5&4V#)o)p05K^rztK47a=L?oc5ff2pe7ST)42=>?*Z%~&L^vcnA)ubjE32J{(
zmlM?G1a&zfoj>H|*YRo+6pVy){*cbE_p2g$RTl|qIzpOG?4B`Qc^Yq?hgXM>)9LiS
zR79`UB6+&pJWZG0jEd+rSwyc4BYF)K(HlS!y)hKgYodr=3q|y1RYb4ZB5D!`{(JpJ
z*Gun3M)Y=7M6cQ+dSfI~rs+|W=wL)mhJi=RgPH^)T;o%dYxs42)Z`j|U4J#XM!(X2
zy%iPFtFVaLl0v-ZH?2iTpXwc?h+aHJ#%cLelTXC!^3|joeqFwrRKu^!Q<G}Qx%TU=
zjELT%h^R?xFrxQ#BYICaq9(EEhng-miG^SDXS~KY-ji2P9&~y&Sw+9o@}PHJBYM|0
zqIY&8dQlTmlUStJ`1S5VM6Cj`rL6HsG=9C89no7nk%;C;MDsySe$lVJ^j^5eU!>{R
zTR{=E{K6Q^<-lgSfz5gZHtUZ-o@%#1-ng=)XkC4CRc%#GG%fDRt%x>I`yrmogPm{l
zD4E2N;?umLHa>bHm6k5OR~^wiIuX626NzYTqt~7hwc!M=XsxE#_z}I08qph{5xtWT
z(QE&R-UE;5wQNLh>_tj=PX|&^N)*!m4kV_`cb7$ccO)TANrJmH!HtP_98YP28w&zI
zoZZZ=u+nOQu+nO<xiw*P>%mss3@a@Le*rHrVCzXOxn^rzss+Pp#(=b{CBwlYore}6
z)J6!2=TWU3R<j1gsMZb#neXtkmJfuL_Jqw+4O`Qxv?ctSPNgm3XDNfNX;QNg_%%&x
z)&ajRKg7KpeqDY@m#=0Wfv_57VC(YLr~<#{lNwdvXDNrR%MXlGH4b3HuehY<Ye=Cf
zQS&qSH6?)(ox@w2g##rXx73^sX*G3f&K3ykg??Bsw8Od&g!RHTtonQ)T&P>GFy4A_
z>DE)@InwCXDvY-lTslorK+#qd@LCcsFHX0J8ovW!HBJY@YCMIl<JEWyKli*qSoI9p
zL4~_SFX$-5!>#AzVRa}G2<!c&u-;z^>*Iy6()EF`noGgfd{R0p5LRO)Y~6}#Y=mF8
zq8c0F*R7bR`IQ&v7hJl&dh;i&=A+1?+cQt|FE7qNxV${YN(R)N6nV6?sW~b9TH4i^
z8VIW~6}IM`8bjgN(yqo(__ef!wX~}_EW$NSde=UzH?G2J&Wd<lzB<%_Uze{pvch^p
zDy%oO!g@n1tj63xSZ`>B^@dhBUrT#_T-x>4R#<Okh4ofeSZ`&8^R=|+$E6)E%`G)U
zMk%@#^)?q?Y*Sp++eu-)jTF|~GhsEdL6S8!g?h0~As%kM#TG6sR#I1}HyMzo*h^ES
zCDPlnfK10FQjKm1(JiWGqmXJXS!%S0U$=-_jX|bETFOIS4=M?H<*6|P(yejmBc-q&
z8N+&H4D0>lu$r+z%5^KNF)9#_<ncKHq&&B&k$D*k1`8berYbk!Dyu1p?S{IR`Mq#{
zoXd{ph4t)6Zk~(He0C<y!53cIRkJ{+YpOX(rE9`Tcb#%p(WhD}A-)V#33XWwy;PYE
zy3l5?P<BwE<j{qZQx&RQR4AvTLOGo(l%1+jPRNC_iwmpw%3ueTK@MF8IaL|TMP+b0
zDudIhGT5og;DlTTC*(3Ppt{66vZ(~vNs4oD^<u`cgV0kN!cJ)va&jr$l!#GNA{rk9
zYOND0Q)^k+#mRGOs#_YXDzQ04N$~Y4tEdp>Mar*K2f|quAe;xZ5RS!Fyix`5^KuLE
z-1S3wYT$+K`4zrAHSmVUDU}La;VDxCZ>UTSys%jn!B+GH)zMZc7z#KoSQHf$DXZ9x
zHly-QRd!8obK^W&l-pDxiwTqvC?!xvAVOdQfrAN5Byb3ULkUbGa2SEf1f~#}O5kt;
z(+HFkm`-2@ftdu3AaEpsqX^6bNGekMoa9m)olO<#MF~5d6rr{{n<`R^ys0B{ChMCX
zj6`i3HdXX0;_XhvQUl`R2PK3P8=e8*8S<TB-&x>0$NNs=kj6kP(oW)$au)k|i+#Ms
zKHg%+tM7*(n_c8(ri&sP58V~<oVYF$#~z@}xHM8#SyNjZg*&Mv&ZUH_Bpji(I-4re
z{Cg!7uCA8ArRc>hChjCc5KnhZ$W<0^in4eiWu2Qs-9$m+)Uw2;&^J>UiPscq{{0k$
zYi9Y3E%q5(?2}aN@di8QK4YPqJq#s2V@sH^`szwN0p`IfEnQ%NGd<xB3%p4a;`I3!
zTH-lER8W$-)}jN^Fhoc?D+G19C7!&H8Y(^Eii@AeCo@D9b?L4P>?D1}K(08C6Au|E
zA};R!F$1dPoim_;6Al`@x?*7wXOYk35@xb@*x;qbX#>bkxIv?{;sniO9=67Pp65|z
zlGJS)c6pLUjfza9KU}(2qwyef0v?|lOuz__+FJLh&GTD4?6-KB8$#W>(OA)*geqyW
zS9;Q9k5P(_aDKe}u+RRmPfD2cPl-$Ulz0nF=`7__JjAI}5~W;U=Rql%oo@8R2`t4(
zuO+?2muaj8z0gv>hNV7#OMPlfeQHY;wH~+ZDTJmMU-t3w`JJfLFAxh(ufQ_DKwrT?
z8R`T$L-o_<Gtbq%pg4kjrb68kif79Asm%9K1<NpF^oq?VtV!y!5M1dA_k}pZYeLm<
zoSL1uKNQDN;FDfJl%-YUQ+V8Km|cr+`!$yfxg2$~NC(p8BF~BYMe(EsK6M3NospJm
zk~AYO5;Ni=F{86csOv~boH`>>B=q$pM&c=!UVKRjL7AQIDIq{rx71VbIEeQ|7S3^g
zf<oU(eT%XM%gTHyDP#WY`%6gBi?1;GDSal!TN?R&29$XW!09`2IZ0h=Vpp6230IpC
zks80<M5)vTCw9ftC){?T^hYJKi7PNZp;W&v5nq;6|5i7l2=^>cOw#;oQ3zM;DD+wx
z_W}r;Q`S5eR<G%FfkCID`%-ZyPFB4ZVBN-(b6liCXtWofu)*chAs_5se9q@(z)>GL
z_1POGqXR$KD3nw4u^)v`#F-Q9UVQim2ec-g|G{M+)<SSH!y{|p#-SUZjZyGa3UF{D
z2&)$#3X&h^g0PZjsM9hE!Ra7bI3Q$S6XPK*oL59blR@PtFusq@nh=!1Ri%@yrk2^r
zl7=eyz6?GH^!+Tc*quT`?etU}_Jq6^fHN-A*s1c<#-*Efr{Wmmf{q<3KQu1$v?~=)
z>xn;#@WdBRZ&nAVCsT07n;N@RaSS*h_K@-5u4;jk<anr0Z^)-N<kK7S=?(exhJ1Q?
zfY*3^dU=r5p+3DKpWcv9Z@{NF;L{uM`5W-*4fym1e0q7Fs7k{Y7p9CP6Jd5nb+Au+
zz^6Un^E%+u9-kuug-?6Hr#;})?rU3Yd&Rjr&Zn}_uUx#(VtMZ~xX`BzTU=hd#OLc+
z-1~To5)%02#OL6&y%ooxCf>}5_+*pzx#9`1vE`K(ADFT1_eqbB#t8L^^aoOGbj2~0
zB_!}Eix4@f(fN4Br3qsfJZdqHK1@qiShQkApH~Z3MDu!;Y+9}&o>r@fSBq6R)LIn@
zc&Q2vQ*}}WPTr9wO}Q%T7n1%<`Athz6TK4ycZTQIap}Kl!OndXE{4=n8Au8*23ELJ
z*<D*Trx~6!_V9B{3X4jnV>7*MUV@~#C*z_Y6_`|2M@wXO&DXBf2D}4Q=V4}#moa@d
zF5u0pYSxh%+UrH9k{<^RiYE4WQEL073CHrheZmgrC_?lu1BIzw2IXSDQU>NMrPI76
zr{*qYQT&A~J%Mm|GZIOMKLu@DQ;(*FI~mVP&5yFvqinWE861kT**;~n<CKw0QHFGi
zGNkh;gVUo72{mQ2J5x5h3uUttC_{daGUVr7lghe!wdKSPqKq7xXXI2oQ!b*6(-CEy
zPEp2AMHwe#%E*<#Gx8?#jQk$Y$gL?Or=kqILXF&->>$d>p(!J$qD;AnGEPU7aXLjA
zI~8S|kSQZq0%hb)q>TI?W#rbBku$Bnv2qTc{$eyy2U-ZN?LcFag^`IYXiBos`N@KY
zBnw+8WMLD9tcl9PMhf|`l|mLaQ^>-03R#ntg)J5GO;y(6%9^IEa%D|d)(mCMRMrv7
zI#O9jDGM7dgiHyhGh6v8l%)jMfgYeFbCgxBEOcNB#3X~P6O}bjSx^=f2*pDdIz3rX
zWn?ud>o>}3R92I+pjRkKi?S9dYoW5B=_u}GWi4Whcj7`NYA-gVPar~iZ#JaP`2wM`
zKuVRK!~;W0m7bNtok{}$u5c=x%z~)H^@}=OhbWpEcepq{#nWJnMC&kiYb^%1b23z1
z$z)m9(pb;L1q(xIjAA}idULe#WLaC&$fr!9Kv99yfY;@4e+p#4TPQ2*>#CJU?NNsU
z>O=;%+QJK{OZM>dell!6p+RQ7#i(uuAzW=0hJyLYYLPexYLYq*UI1&XOhU(DM-!J8
zRA&T8tTrZt>RcXvwGkOqCj;=S(t`PcB%tCRG&hw;C*^KRAw8wtsodGLN0-Ab1w4FK
zf(4zbg}w|O@M;%QCv(`K)bs@Nl4!h|Pw(|9OgJ@*Ha6BTY~kHlAP6O~p9V2bk+06c
zaSvDF$X9ovLgP?2-gS#s>zw)O6ae>jbvm2|aD1i4qdA#h!gn};Pt~D7oyy`Kukw#m
zr?H^|b>|10x2lc-b#4W}I<E?;mJ5XRX+ubTi3PtpK?$i-?LbJ~;exGB4npcq7X0co
zBc$&5fF5-!nio*tSi$BEY?5qpvpm72zDt0e5F3oghImexhgqe!zm4y-bXZ<OSXhUJ
z6T<R!Sbjp7I+M%8%u~%a*%fWz{>E;<m~lG$xP<KEb=dfXutFVHm=IQ^!-^8Zigj3V
zLRg6oE1@tx+{wc<mirx86Vb8$k$YZHvn$B#B7q9z1=X<-Y>#aaOBItB58)1jw5rka
z)WtjaRio*heE7M0!d8v0ck&@KEM&0N@mZceGSAaT=6NB_SS&#_^&!natVH5G4Qc*i
zN#ciTiu9p+UPz0LK19#chv<3w_%%--zvk)V);xW5nx~FCAl14?`j|9NACu;VwJ2ee
zE?%}i0?jM%gm63wWQGz^c2ious+$*3{%YMO<O?LEWZ_Oo2?0+?>4_}m3Mb@ZaZN~9
zk`Tu-q2tg?<8-l`=t_w5D4{r}Bq6R)<D@v2(S*3XggEX_I<6q0Ja#9PM}Dt7c6W*M
z%A>f%^2qO%$L@rDL|Z`uE$E){`r(>HyzcDw<8V-fI7KtNwW?va=6MjM#?z47OG9oY
z%>k{F1A%eLO%0f}=hC2*S~uJGu<8ydS&WoLB6!`(#GAhKU&!zRE<J!Hw!n8P4853p
zC|<2H@gmZRfb{H`z*pR7!~Fo>bu#fL#AART;#+4E-)MIjCcRDtm~Cbo0xwIAfjeY|
z;LgXZQUWhVl>(NT_%DR!1iTz&;;pF32x&B%;a+4e0=&??5Fxjkx553ixdiYTb1C5S
z=JS9rntum;*L)9fxw#zhBeNCoGjly)o7o1q5icH@c;)Cj!^A5_c+7}iF#^P=;t1&@
z`T+LBt3@VWCfW^fF9AC70#OiY@&#&*w}uWhBwiXS0W1?`fD^<7z{A90fK$X2z-eL{
z;7l<S@Mv)~@*XFS13W>T01TC)5^#=~12|XA1*{WwfDHm~A>)mqCcuSaA>bL}4CFdn
zoDFzB{$rTH8#PhG#49xwfOS@#A@MFv1K<K{0pQ8j$$%GFct;s8&s+p}v2_XH6?l!<
z#LF{R0bXZa2Y9n}GvIC3?SOY#cLCmG-3PeT0zc`k7{E`gPXJe2s{varaFSky0c^9t
zNxTUIPU1C~cEE3~ZvnSi-{Vzb`~h0h227UtKXiEIWgsBlase!qg@Dh=4*>DbhhgHC
zjtsz&_DH~K_B6mF?IQsjY;c3#w*b7sz5x*LRRG>@{}B*xRRH3x3cv^K2LK<kA$9a#
z1>mFhqkzxa&jR9w3cwfb7Xe?kUj}^Je%mndWq&$gwwnz&#2o@S)ZNdp@YOwDKE_w_
z7vp6&VeE#`p@_rx{ebwsA8=3n?>Q4+_KyPG%SEl+z1>{EApRewiEsJy0Q2#`QB8c$
zKMt_aMV;|YKmJE2upa<;kb4kdv0DaM?v?}M`+UF}7ytW{zRm}%b5Vb{(QO25cAEhg
zxC;PJa!&$W<f1>|D}B5^jqmhN13be$1Mn;t{KD7z=K!APo(FgVYC`>&OtP`Yf@GFP
zCQUa6R-D{eYmC81iSvwUwb5pJn3Dh59eO<3$#`342%uR$tvCno%h2oI5?E63;>=L(
z6VM9%jhuvh^gkd6;C+SN4ZCPoS&k7XnKnJgIAC)5VL8U6@<YpWj9JsC9ZFA2Dtr<z
zGh`#R^4WM}hW?+5@;Ugw8w2sWp7ObPfo4~{w5NQ%@P5o7yt=1+^b*csdVy~qUcogs
zGu*=P2ZE+#n9MMfVSk2$81Bw+Bt6t@<}xg0IE!He!}A#4!0-`<uQL3YVf*}f_*Z|)
z3^N(_XE=!A?hHpV%w-s6xDUgFnraqRi3r0(7*1w5jp0m&vlt%7a5lp^3{T{CrT-?3
zSIK_{q}Rz!NV$a;wDI4{T)e1Z@c-`k&kr?qJyack3cMRUxC7=Em>XcOg}DmmGML3M
z7r>kYL;v%ho;wcUWygc?lH*jo)_4LWTO!WH)0J$?G0JvlX}ek5E0vuxTid5<`(<UP
zj>h9Qz>|6{+6QftcG9p5hc6y}=ZKjH=FVMy!FkU(=&#<-e0}=sPom6J<1J8Qn6Ljw
zo3rtXWfsgpGshf(nL-G!Odf!c5atMn;PuEu@K)q8coTB2S%)_t7nx_^HOIwBe+ANC
zi@&MnO)yjOBICWtb%^;e(mjsX6`#jDif<vudw3ynCEh}8!&`@&;jhCxhnRgZ_CxT-
z;Z(eBn2a|JlT|6AKXBj6C7mY*p`^uPcl<BVkubS<lW-rrJs2^s#Y=<J@T%Z(uq(}U
zaiW=n@qB?e6?B|u&cxe*7vLShtKdtAX~y4Fy#IF#-uk;A@A^H7H~e12dwt9BHs1=o
z!?#XsG+#w~V%W!Qr7uC_T!Asuyo_NAhkPPh5t792vnbp+OT5G>0nG<E?-+)C7!Kx?
z>lm(Kc)hp~DF?9oTY}~Sc5h-BW4MvSZ(#S??EVwOOq1qxSsZ>2hm2;p3x{lD_Z|!l
zN@;w_;omb{&Ee_nzKY$$+5Hr|vl-sbAuln!kwbFX{UO5_@#dt77f-(i9Kj)HGiQdf
z`v-#ND2AB~M{@Xg?4HZ+tqi~BkQ#==7!F~mI6t4<#xf4MhTUJ`B}&uWm0=1&<9l`o
z*nKg(M=(5$VTfTa!{G#tO$=9XNFVV&u=NqI7-;TSixHcO7tS!cnp6MB%v`)%^s%u9
z?`&?utbH5an(YOd&EnoDxId22JyP|?cwaO&Atm=myvth3eew$Q#+$ew-pg1wp)XQT
z9HIN7*AqveryYY(>XBQ_A9Vlgk9R_M$D5$>UKa0Tm3W(zdzU!NY(vkINI41p@Hm=V
zLl100Uz2!ilY1DrYKS|)=Y9-_Gn~q>kl|2<ISl7AJcOWeF}r6o+?PWxV|O#d!x`o?
z%w;&3VJ5=~3{x4ZTp8pxwsOcoh64!V-P6ZG+e~)%;qY>X2Qxg1VKu{jSOPC#$#K~I
z6o=o!@NjW2@Epo8jYCQqj$wEwLx<s83<Cs>M0wsD|HI2PcW3-8+h!`e_hFbQ;RPJR
za&BC~?jEGw+?!+fVCWK5@^6l2_ZJ*~JiGtRko$%1Q?GGsCa=R(y@KRMzXrrBuz)YE
zd}%G*shAC-m1(xhM)lt1#G{v9f9V}g(Vxdr%os6iOv8+GB;IHa<2~ks@DB4Nytzz&
z5scu32c6HH#W0IuZ-$u!jWrBE<q-TIa)jW&i37HA2<EOR^VFAaLP#oB#slCz<5x46
z;jQLeyvm%5H<%B?d&`sXn(~o=$Kkc)6Y(zc0=#{E7T!6&1n(JNXWoMMiSNf7#7|<?
z{36~HUWPY=kHbsBtMMlA3apIV&8=7vJLU?!<l6^t^$syB@iOmd5df}BM1j~3skVw@
z<i8*Jo&=6Z#K8!eY~G0+)A63}33$~v+dNLpK}lF?<MrG|`a`~T;v^WtcpBcwy%6v7
zUWRvYZxFX3?+tkE_CdUC`!rs$ec3z+Z`QtJPQweeADc(wJ=%A~dW=e&@aF6=u?;WG
z_OjB&IaU@@!_WC%hL3W598WzAWjrljwg#dVjM#d#W<Q4c3}-PMNzk~G-4zTE;gE~j
z?J(S(;R1$J86Hm1xSHJuGR$Jwo8bh8DGU{6m)yoS4jIT$Fx-t{Cc_ZJWP--;8Gakv
z74EaxT^1Vv`gi3t4>KIhun)(c5*vZo`w1FrIAkTqj$-$>3^y@+KZbR-@dd}8!0;x9
zBNz@NXne!&K@4|g%!M5O6o)**?(yvI%kJ+Ou3-2yho>@J!t|WY?lBDK5;VSI_i%=L
zGt6O_#&92o0fNQ{><%+LjNw>@dooO7IGUi*#_r?Uy_Mnj9I^+&7e+kyGSY0PA9z1%
z4}vcwzmS=bqCeI^{jsw2^#dfx+yEZ05a&Q!4-nVF-M}G#<k`o=<`#r}h!?I+jCM%*
z{IcgUs>jP5f_1_WtYSxFW?lfepHYmp0{v?OPt)ANn&Wo_jXT+0#*qI1xYk3)R*wCK
zLueghnyhJ_Kj--i6Uy4Xi)K^0Ef<>YNW8h~mG>{se?DV8iQR`YoWLQ98d~FEG+~&_
za5O{Kcz<2{e27cs)rNu9#(%J}umh2WKX8Y~R6}6b3+@*U^SSA~7P}N$b{}Ze#MQ<X
z;$XSfxxroCYfP_D(vp-&%A}OzQfgBcq@0>^R?6~}^(pPCPHH%HR%%1)d8zlOzLUBs
zb!(bTOHK=<%}hHr?Y6X6(>A7OrSFqIDgC(ghV--2uS&l&{r>dF)0d<_pZ;q4Tj|Tw
zKTcnhzA=4E`VSd0BRL~8qkl$D#)ynD8KI2v8M8CyX4GXgXPlOCLB=&1H)K4R@o2`!
z8QU`ZXNEJUWuB3FP3GO1&t$%lxw&^{@7&%~d!N|*+TM@!ezi~kK9zk=?9<R^L7yA?
zJk#gJKCky#mbFjTq^#qzDzg@4EzY_r>(Q*&vzBG8&)SsL(XUs(A^nE++o#{uezW?W
z(eI{y5BGb#-y8it?%%8bkpAQQ7x!=O|9JoR@bL5gMt}1FV|VjFn1j%NlFfaMEOS4j
z7h(d4DMm~&VghE7F~lrJco|FtJwnI@Myfmsy~UId#oB)a?rrpotu+S3HW=Blt;RsO
z^I=|sc^T#vm{(z5gLxfhHPU<vvj(OWW-Y=#gINdjIm~*P4KQsmU&Pj$kHS0#^Ek{C
zFi*mK3$r!0R-PJLDbI{;kY~eO80(N1!7PTk80IpV%VBPfy)ExXx_e>ni>-8%VjJ9K
z(0UiBZUfbunBqaP4(J1kS-v!A=WKWQN5iIlf*?!?hUQ5xA<xS&ufV(t^BT<SFh5cY
zV+-(o3$qpGJD6=S-^2U>6N`1228;<KU@RC3W5YNwE=(_&B$#BF6qr<)G?;Xl446!q
zzG(9-n0_$*VFtit!|Vbx5N21HK`?`1P*)RmHBnb{H<;aF_JA1%GaP0F%$_hKVMf7#
z7v^3t;D@<4OfJeB3lo3|!h~S*V8Sr@Fj1tz9*S83gB?t>3T6&WH4OG*%o>;zVdlZq
z!pw)kzPVWsgPn8pH!#?%F`HnpH)FQIU@zTV2y+q)cGPk9AkDjB?t!@%25(^F#6g-b
zz`O{9Jsa~an73h;!K{I4g;|UJfA9!ngB0MA0FMNCB)}s99trSBfJXv665x>lk1(s1
z0z4AnkpPbbcqG6h0UinPNPtHIJQCm$&L$-OQ-Z{QN|0hKOaKNlBp^eWJ4+EZB&4+!
z(%K4XZH2V9LRwoPt*!Ek*e1Loo@UH9QXo}XFn-_afTXT62BAOh7Td-WIu_EK2R}|~
zjB}CpuQ1QRJPWfF<~f+>VP1ggxj%NGKX#x$cA!6YK$2IXKdwT5T!sF)3jJ{v`r|6}
z$5rT$t02kkkmPnqayuls9g^G*Np6QEw?mTKA<6BK<aS7MJ0!UslH3kSZighdLz3Ge
z$?cHjc1UtNB)J`u+zv@@ha|T{lG`E4?LR7A7sfW37r`usxftdWm`h<UgLxEZQIEkq
z4)X*I{_D5-6~e!Ty%mFrh;0)#j01B(Y#a1P2lPjWJTJCIUI23;TIV8|#V{AcTn2MF
z%oVY%@@BNqt+7w#lSqfz7j#JnbV-MMRcxDkHQMBGwAym5S4b1K<3De1MT@l=!@*h7
zisvG}XC2ZG&bNc}?cjVnINuJ=w}bQT;C#EW5xBmD*#z?y%x0J^!2K=ER+#T#w!wT4
z^8-vQ)`r$-Lu<65HQLY`ZD@@)v_>0RqYbUmhSq39YqX&?+Rz$pXpJ_sMjKkA4Xx3J
z)@U;iMt|;33ok+Vn=q?jzJ%EX<7wuW*fO~Q=46<2V9tfPFxC#4Z->mcL+0Bd^X-uN
zc6np04P5;Waz70JZ<Edte9gRi2i#f>ZmkBlR)brs!L8Nc)@pETHMq4J7{4$~XE69M
z8?CYwEzyCNXytx09Bl;+2F;!d&E5+w(}9**3J!OG!yVvo2RPgT4tIdVt>ADgINS;j
zw}Qj1;BYHA+zJl2g2S!ga4R_63J$k|!>!<OD>&Q=4!45Ct>ADgINS;jw}Qj1;BYHA
z+zJl2g2SypD(?r!wwY&vyO2}!9GG)q&VxB0<^q_zF>c=jb1%$&FpnbaF__0;o`880
zW(jb-39||Y^+bzpLyK)gi*;Zu?T{_8C(vR~pv9h$XBdOgFWTi<u+N5l4#LibIS(y$
z0nCLMdoO}n40AEeWiXe+ToK!h*8Ei7Z1h5F=Hm74!RRCH=p*fJ3eJN5|CadQ(h}4&
zHbJYYzIV6kd$Csy3;kvZ^xJ#TZ|`9qsQP3!_oNk=|LlcTSU)j0woaTLYZGm;<zgeu
z7Wlt~*$VSrY@G!?Z$ZynNk*2H99wB+;QTuirnix84T>$dhQJiVl)}`-*2#xrD-etS
z3v6Y?wpy7mz0orTL8}j3h(lOB4tg(TyE6Uq+L3Y_ux!)$vyG(fQYRTBK~*NG%0#MR
zC}o&oGrbx355t)-L~9?MB~fTP(h7w76zv?wolAx1@MAxKUq7HEP!;DuHqXEXLHPjm
zf8wnCf!Mm8tkurZ@P8qdWSs_m=IJEJKWVvNBg7OfI42j7>^JNf+R8)=5_~AOChn$?
z#1twn4O-F<^<5r@L_9vWuCn2!P6rjHycT0zvOEp{1Lky?GmLC`ChW6dpKWA9OJ}=D
zu#;iv^whN0QZ5CVZXpN9Hp&9@JKtqde8M`B=#p|0Mv}uYhn<WS*)+^|OoX(f>_ZVg
z2|fKVj1ZIIo)TLwr@}rQ{%Nrla(b-Ixer>v)fhUEY7?iJ277v}1F@S72eECyL9rc(
z{Tg}O5W9)<t<*7IzO@vCeC-^&Ueo2pu0rev#+m}^)&lcpq-X=?Hc)p9u&)Dkt5L#c
zSq@uK_=aI4<ytNu^+V`d#z8grDBHv}x8-ci5-UJwC2BASv&XrZJzEHEM+o`aj3gOF
z{A^%X>AsRxsMDO-SBU+KJdta?2Gq|6H+@W-2oqwz<dP|NZ9KoqyBe`yA@(bb!%>vw
zmq3(I{uM|;yx9Pr`uP)MJB$?MU5nT@VBY|mH-Ngwk$<hM2GyWn*2LCpDpz&F(}7f!
zVl9;djwu|(2`^@~(N`Q{WQ!w>Vd5xbkeCJg7}&=eS>kxu7b5OzBU4<1@Ec*@1p6-7
zcf<a((MvpvG)s{7MYvzWnDonHGwoL(HHk0@dnei0H^G@V%z-cm!4$znU=D`46g{Vx
zwHPDX?_+J&<1lM6@_mI}hs@YYdnrs;oF?@iV-{v!cVOmq2WDP(V5W5kW?Fa1=VBkr
z7a)PJz`P#2O1=&I?=bJi)=2Ea$`2900_G!_k6}K6SqZZWW;M*GFl%61Vb;QY2D1+4
zbC~ro8(`XCzJS>X^CiqCm=2Wj4Gczfi4k35M7Mjx^nvLMlLgZcra#O8m~5C`U`EHT
zvWs9B!<4|3!j!>8U?#vE3^Nht5ST+@pbPB7U?#&%fkAJx4~LlsQw}p7W(Lemm?L10
zggFXk7R>C}8oL6f5~d1f4oo%7T$mb|t77YIoCVm|z+mUzzBaZVvz_-0X}=#^VSfy>
z4(4l`b8Htv8hSY-7UM1AwjlL3q~3<qTe?Y2`L`vc+15kO?(wOz9MaD6I+z<^9)NiW
z=1<VrDqg|uDeVELy#-p@?n;-lOKf8gv<W9Uw#~t++emVf;KE$p!48v?8r$NeLC0jo
zHX`<Gr*~|t(+5~wq}Yhq4#ci^(qU&nlVrv=BgJMzBK8}^ZbE1Wg<|HIOcVir4ZK@*
zj;$O=sVOD-HUWEwkqjC(A+!T&H!+^H*!#${9;vtlN`=;3&ltbZlu}9UoZms-jqy;0
zc|Bq<axq3a+ewv^&@0s_(k`b$A5VjSI(nAUgzKTF)<A=;fd+dV8f+uRIW>OK2(b;i
zf18{VdlfmiVT9O-+-(>kHUmQkH0D>pvKkul3*`O`8uBaBkkH}Ys5Kq>*wgk(OMYc!
z$Vo7V8AIe`m?^+F753psskC>8tiV`ZiSeS!$dYqlS0k<l<0|16_f=wd(s<yq2bSSf
zBL!z`ZLtpg;e?6*Hsd6qn;+Vy``@5$ga0>&ihECG4&3{|gIJ^3;J_yEpba$?_hPpZ
zym|NmjNF*j7%}V{!-gEh+GDE$S7U@q_#vkkzp1<Ugrsq2Y)Nbxv<ClxU*iLAY6Cif
zRxurrLMnep@!}rrT7upm9=sN}EEgdoWIwh!_HgXu*wWYsu@^C7{2%;*lS{w@x&!!s
z?ne?CTLJh6Bw!t+dIh^y$Ch&pb^sCIhA`~l##RDi-U0tR|LKf^rp6De3jIrPb#P2v
ze|a(BN2ea=<^11dvrb9SIKPxk$L{tu&HtwQ{@S!a(w7;fu}6(wu}7gJ)?<(NEAm5Y
zA_nrX9x+RPZ7Tk|@yFiBnumX}mvz~m|9$kC4KQB#e=}*&J{SqX_iY$QJN+<I!B4?X
z5r!H&y>Zct)AF2-Jnv&qf2V#ZokrdFp$XPQKdz<Two@5@u|z%2s(!H&{`VomY0CfS
zf7Gts$*xy%l3vJMH`3N^7-7R|32-^qp$2w_jMy_|Vvol$!mnc3##s*a2p;u$PKkK{
zjr=tBuVT61tlcXi{hKi#SP}au9{-Vt^?%at+QWZsTEMYQJSSky^J|y3Gx*WE;n*E$
z#XDm3?F#+ikNq7XXm_@~a22Z|#<OLJe^q%g+Qr>oh!>CjW&8-n-osq*S^T|++;FLs
z-NIhr5{;H>)udN4-KOjmNM-i$>xJ?YW;s2iiU(u&0jpN!_19AIXal<;KkL^s4dBRT
zl!zXP6;-dFfS+=7`(vJO2KBlg-6l#1<aDW;hZ3`tF8NeTCS=%2XU`*$u5&UF4Z?0^
z_D&+C8{9qobe)%UrM-vb)W#Asv?Yj_z?#kegv7r>oj>4qrW$0^x<8??9Xorj^9PXC
z%{xEeX5M7$c|Oiqy7DRpd_U(08g_ErjXnKy@c(D$`9E3b|Diemf3~D_p*}%F@O&@9
z-z8;&*W3M5L7jaR=7*@g3WAuMt-}nZgVssp;=Gx$hjHf=kj7$#ZF`8bj4nTwn@7=Z
z<~nKys>VX>W@8VsOZK1b?Rk9txhSzKi@Ctg|9Ywm)zkYiUw*kd|0Mc68g^v&ROcPc
zuXcoPr{mO$!k34i#(A$8FIRUhK{DJmT(9<N#@A(sfH20M_wfEYw(4&_Rf%%4^ChY}
zbuazY7q_c(eE*``)!?$7FZt)B{AJpiN`_YIwjcG}&YWwlAuh*lX~VcNbnC--p$6Zy
z0Mpvo20D$ws(C}~?VnSxUowxsUlw}<c$1A(>|m`1=V&LZgT6(<d<$Q3Vg3EVFIjGP
zxWJpGBwMgo#a@ox#c8qtGx1dntyb_$=sSHBg`kpL|Asc%idM=(zZ@9*4r{-qp!uHI
z^WC=`<KAiDOFYvDSwN}yMuBb6+Y=%x`<E!6%7Mh-B#q0byS~XdnWtYm+AN*dbMcjA
zoSOJt9vnrB0t<21KZzqPwGnaM%61$}Hx6KHV_e;6GB3H$6)L&YPbzvfR8eVu3SeIs
zYxVQ{F+1;yeFM2w9O^dHcGw;8qQ`XwpDeBEd1jJW1k&P`I{v)zQps(nS<Uv^KK2R9
z*ZVfWhWi2J*LW?wD5E5R?z>~xY&+@`3FzboPSQ6W$kPt^X{Si-@!Owh?#hLDJvcSm
zWee$Yv_DZo6lzKAny<T(62lTo?MD6*Vm&S-X5N9@qbtt69@8f15|t*ITOfYE)?-GF
zApE2gdoHKvm>w{X!S~-|@Ev$I?u>Wyi_zCt`j_BR+=G<)JVSo^qWl2k5S<)f&rscz
zPs`S5BPmATaPHI(TH-F`OV|aX-8lSkXLv`u3qP3$-BROW@oEUoenaQhi#_Po4t!Xl
z#wyf!9nbq)(F16wc>`+U%}CN{A1HPbQqW#9^)}{h?4KS17=hY-E_<P5`*SB?d@?bn
zC$~p8=LQwTM>?$nd@=SU`sRB*<@{yB75`9sEdf6VYtQ>@J!8YYjbGr`xut&^LTYz#
zc@wp3_q%Md?>vltyQ&b<;_Ql#qwvw&P4S=4Pj;b4A!<ZCdZ!%TDCNlrwUv)|r%?RN
zL^OuSOZ_a~i&NlA-5w>U#5mOH$75TkkpDd%d_S>cVm!|Goa(=)9eOT*2Qk<=#~;m#
z`*fQsQD!Lt&Xe(`+Ar|yZY8&4w8TY^lipcj*S_XqfX?n_HsHnXgiZCNa}&jzZsfQd
z9F*!uWTl&2I~C;bfT`rMl{=N~*GVK}9|JM*M*StOro0ln@`3za!n)SU%erG5r!YLq
zVP1}JYt`u2DF<j$+L}VW5ue@Oyalt<#2;p&JZ5v6j@aio^HbWs9jlt3I&0iUy#xBN
zgR}x<kXF9Ho-mKc7ru$5bE?h(U3{E>ZI{4qy|I6QC;0Lb^NDuccwCOsvwg0sz7u=X
z&#K4sb)cagG}HWs<~FUA0{Pbf>RGI^k?Nm14>bOd@n+{|g<Rg333PqsyAxc21a~K=
zrxif&4rV4lPu@Be^q=bKs>OFukJz<{g!V)K@^8)ZOUcyl==5Fveun=3c;~bh=F%6$
z9>Ki%A>2f|Ep{A_IR@Rx#F}`MI>nD&=g~nnwK~ttJ7S;2-lZEM@W0FOw%Em}$91tw
z*!LO2w_=ay?e15wlxF)M?U*1R^{KX>l5cxVUWl)6ypW$^JBlwqHD|)On2A?SvhZd{
zw?CaOtJ}z(4%GT1$DqGo^7mh)YbQyeQ}%9tJ`a1=anQss;~RP-_9l;0-RPx6{ps(R
zsQnLGGw}Wh&tk9(MPnVt4OOx(UyrAWcoeZdeccf6tx!qpllexCf7Ca5q}k}{{H}Sq
zmu>7Cid>*8@z=%Q?cARF6n0yA+@(InYcqN`*#*b9%fU75)DoZtwFi&9ky~>Ar<*|Q
zyQc-?VmED&nAUS+<hu-9@h~Hpbt2h4&MAq0o)vjWy0L$JouD$2)Bu~FdEoxh1@O|G
zI}--HiJh0Q*8Cv$7DDm!(!-_ei5D5vZva`b25@{WW;g3GgHn8t*ATngyo;dI_he~#
z>lB?Cd%~9&wF5%&np55i5R`+yL5S#u{UnNC%8<`*H8pYG{sbNC@Jy@I90j=7!0hlG
z)aMmZvHkDI;=LRweVZXwyCP32hZC1*UYt%o9~1Rx1a#sddJ6fmUr1^3qZT$Gsd$?N
zf3(}m`%E-DqnI82FgB@istvQ&jlaq%OQ#;VBU-wPLv8p5rXQy{;>n61k>J|lZt!+`
zA|YcZCpe=d9$W-(Hshp6aXb~Rq}RQ%uRCQiFgAAnQE8o854ilDFm5@7eA_wGkNdp-
z`{OBlN<s75AKTl47U5aZ_Bd$whC<OAyz1F5MN*7j#L+)rPsC+5zDDrUB<?z+&FK_Q
z&*$S(Y<X#YEM7=w8)t}D`TK2@TF*d}(H2@Bz3*4NoJ4KsQNW8K8~P8cSDwpu)2F;U
zqAEvMx-p_(fSbYFurs_4f6$|`%jw>+PQ3*C$zNe7c5Un>#=j=^DQ2vcZbkfrHjB6u
zJBLq#mc*XIHy3YE?%31b>Lm7vqE6#{G@;#miKPD_@FPFwENNWtm#q1vxJK{9<{PD6
zWH)wyyzSH7Z>MKoy4}JkDcl{R9}gpq*^Pt*el+Kg(3l|4zGQcv#RM=jj#C|%+fD`V
zNXM#PrL{MY=bf_ts-Et2W?~rn<j4M)O{Dyo_V}gA<#yG*4|-<}_hmZGrQJ4tqM^z}
zERF7vSv{j5YSpOOg(&n(8ex=P?;5wROF)7bErru7tpmG`0Z5m4iwJ2uOGzRgujFAA
z81K#T^IM)FavERy60&#eM15ZFTq8aS$-+!3mCl{$*EwE?5zlt;>n=|Z$-Ob3=AB#l
zmIw7Mx-9@3S}Q)@LD!*0=`ICyAl>}<27lPoVeWc8AZ&~W7QB3h@C~sqV_)dgtIuPf
ztMX$XB8K$0o(*=A+qH~~cfz(Ct&u(PG#uq?3_a9~g0l^bL)1r^@_2e)cd3?&pXuxX
z3rC^e7#9*#v38*SxA?hcck}=5!a8B;gflUwM>o$?c#kv-t(1;GNJ_#e;*HmM!LJhz
zny>m{Is89rUZpfdBlxK}g1tqRtEZiJq+N><k6L~OrR;7brkxapg)nP;+Kz{#)cDVn
zb>4Ht2u@#_^H1UFUO(&kcpM4J@}w$06ICIMC1GyY1HJ@Iot-SP>pO>a?}OC)HOE;x
zS|<xD2o)w(i+H+2@di26O$pL&v^$HPWwZgP1s4_1`oX<L(TuQ_+U3tpyONSv(>CJ3
z4z$`bKeJDHLYUU#@sMGVch-K4mvA%BArpGPxQ88+1e!ctsOjBQU*#v8?+Vbj7k;0L
zbJNR(RNaJmvBVqJ#9it362xuH<#Zaw9q{!A^eVjc$VoDx<F51f(sBAun8AB|!LkCB
z^H=8x*@Q4}^ciG~!Rq4%>N%JtF2n3^DdB?Vc!zNsu~*<*4x>jIj{;7`Si0*?Dlc-y
zN3X=b$$azVUfZ05Zd~XeYwexc0q`<xXG883ecOPG^@=}hSBbl8l^tn6%FnvFi(c5S
zXr;ZWT(3=2y)-O4ELr{y0<5jE?*xc;L~C@wg)jf$#+VtO717(-*hk><+c8dk+S8td
zl5Vd&*kbNM)HhF^b=nU`A>Y*8iguB)ue~-+Nc%tQ#Je)!!)l&k&?(g$;KNGj*8heZ
znqI|~PN3cr4_T_D5>#mok9OF`I<g(TFN@RCz06g7GxIJ`n<&#BnxAE(uaZo3^W{Kn
z<<26E>*Sryu+!;Szwm8Q?P9qHy`Adc*|*cke>7o&7S=ODw2$gpe1oqu0<;)XF`b}}
zZGB$~Elz)0M|95hQ+$wIx|QY22($%Cg5K;-&mgp;(+mh>HQJfK8c}Tvx!+7Jk9y+2
zJ-|&GoOHO-_CJ9%+7$qHZWYv&@-v@&6vU68^JBcAe8)eg9CvduM^HPE^pcO#$nE~j
z0u*k6`2gv7cA?vnZuceVTcyJjH5cTYbmdAIHNOaVtzBp8kczlLZwdYEAGpXgC5~!8
z8(Bg|v@^~974D@85pn0Q)tkHmsBCcDm*VGD4AxaEy)-&x4S(N`nYH%6tmY10s_uBh
z*!4_8=X$|QzrBsIkZ!)~aeVvuoe4pHCHIgmk`S()3ZdSlCClfkmwv~%{r<#Q86Plf
zTjlj|?-<kev8+clUE9ZcA?PP0^|;|ldJV1}NORYgi{t3j>$z>9Wf&Ws%OqmN+=DsS
z!K*kA!FG0M4sf2ItgW^~`jZ17G0Q=%_XS=&e|**(59!$v@8RA|nbtPE_U@#6ezctu
zOGudUkp{vmft_N#@hG80n)B_<FZMd6g5<F6<-m-dUY_st!|ZAWW+*FQ-|a^rXD#xB
zYwAaoLKiJ1pE^TKY<I}sV#GeGaK~=>f8>1!d=<so{_JcENeH1PkdQ`60wg&JE%XvX
zmo5mR^ePYplp-Qcqy-hrwV-0hUM_m=A|j$9A|fK9q9P(9q8E{iDF5eu_MDTGLR0T|
z@Av=q{LVYGvoo`^vu~fWkWD*9_d(v(GRH^8CgD-pgu<P{9g+fd;2f5Pz`!BYCOu7=
z6iAer9g(NP*`iE=SU`69>6~)Ky9RGh$XOu&sYASBe8U8PKSx7rw<9-aZ=GT!!cTXe
z4J3XD)ZuX#nUAK#hZJ}N80QpjhFu$=DZ<_g9HnU{a3v5zH^EyZ@8aw&#07u+e!M{W
zz<mOx&NgISL4Gf#z;}yrGNye8P5e0i9|mv|7(o7kH~wzmULxsHeh=Y(&o6_g#=NZ}
z+`@Hg4595s9$5h-GnqXvSyG_JvP0b4dsDlLT^GE8eO@f>lqZ4v`$s$Q#DS+qYXW`@
zzr^q=30yB(C31si|NHojztz$<kE;V~{!>Swx6u~=`zcC6n~Le9fgERUtM^7i;hD>L
zIf~w;*N$SXDNzYW=l-I;3)KpW+7P%Q){5hR-5caUIP-IGPac!9c7R_W3*-Ua>;g4l
zG_^=;3)F|OSkH!}pC($wjfGN6O3jkzr>W>HFP+MR6xvsTs!py(i-MYoCzXoMajh8j
zgC-AS2c|uegET7M1;_-(k9s_bPn(ANJ=<iDcc-%MEm!=~(2os)SvW{1$1MH^yu4n0
zXAg^epaOM(F9vxuo>AT^{(h<KV17;*&KBVx93Ln?iZ9PoLO<UD9dA8wZ6~;?yl210
z=jYDAz#=^GS|7^8k<!2$-9Tya9v&)si{8pxw7BfidldB~21?2-G8v7R)(Hm=k&E6v
z{qPT9u~*W2>!^7T<($Y(&L%5?C#CKipt@qMD0WgZM}V5~+#Ytw8!3j3C~n~`BE9&5
zrw=?|ILg5P9q9Rhj}N^hBN)^vikCgRGykjsV))sWI8Cl9y!J=x@=Bhj>VMCrz?&&n
zdx^IoG9P{K=e5Ohp2Lav-imZrzc%BSzvoa<Fe`Mwy`Yd|Xj_o$1uq68MYI=8I?G5&
z3@y@_i}(;|N5)F_6<HSnOa!iOD1IZXO&1TwcHveY#d-CFa4(@jq4$8TDb~Z$fHXsG
z#1c?xDVi*Pr@!t@?hQ#ns{QMwTj_R|?DNt&{<0Lo@=9gY7NB168yrp<IsSqqN?nWs
z2Dlk|S@<DlZz1OK$WnLl%h3?Y;q{jP?U0}PeTRod)^Uz)iFvf8>JHBB@@^*>>W>K?
z-seB@&)*7^_AuexC`)p~+BqC*EhFX2(pUwW!Z!=>|IsfkMJwU#Erdn$w{}v4*@85g
z!*v)XLiW`V8y*z69_jKN&x4{q!>HeO#_?4I*_BP?JD#tRf8@L9$&m|3w9M^7uG8=q
zxqfzsv;uX3n*Q7YUL((gaj-vLPoV5yNo#1)5lCXT4eeXY))gE3l@vdwo&vv5{X}?+
z!8rt8F5J)S(GU+f-s&Fk%ftBZVJ_KEfg``TbCDemI+6MS_xNFmCkSg;HsZ=&KZb7w
z4(<2$Xatm+pU2g890Bg^^<R+$_3MB>85hP;19r%fB1yqC0nx$O*+e{U6far5_vXoA
zi3cQdQ42yUjP-Q(kd$E5>p7HX4+fKqMNW6ESjJK(Uayo&E|K7Aashr4dNFk5N79R=
zV`#3D@zC}HH)OA|J;6Mbn!&Tuks7cP58%JP#HC2w-Qxu%E|hs1`lfc{O9uYgXT-|D
zjApTfT6(2}{dBrF<=1Khnnzju!%tJtg3j##jvp=J_NOWf&MLFpG1?X~KgaTN7wI>&
z8&80Cjv=SFM@$HRD&p|OTA6F)pV5f1`p=-ve1#PJaWoJBz3!*7o>b}1FNifTeBJ16
z=*20>DKl*33jqHWyDCZB|2>Ca4sJ&6;m|Z?x2EHOGWz)?`c&ov$jpfU;rRf6-Lncm
z=FUz29iX5?M^e|78UIB`SO_nW-JkZrCsYMFD}l=&kr;ZVip0<xM=%pK3_XN6{@~om
z^G{%L6fs#+<XhOm{i2F)^6!fYXXCoavy^|r(*pCa@I?D@CMlvvc^;J`hy}HlGq)Rc
z_(%NCocE9BAccc#l}W#+tF(wmgTm$c{LjcIJzYV$R+3+UA9>pQnF{`i>)@a3q<GO9
z1mM(9&_zY3^v2x(w6-TT1&-pQLtZNQ-dW;Opq8@>@od{L^9{3lyq#`}WHMy|FtDrx
zxz~E>=n0PXh=xMEm9_a#hDhYHiX-jhvw`{B$S*h`TAGZ3Nqu|pJA}Wi>t!FGqLQ;r
zMy=kC^5?YvN+|FzJp7XM6gB?kI84uj{|Wf~e(VYG1&`)V(VBl(atUwKx!(qOCwt?0
z-pjyRF{uXMYeQ<_8H4jJ<r1FWk3%8PEG?<Vt9#DnJ%`lb*Qxz@8=!w^{F3tL4?HKH
z25&1cBT}q@?a*8$Rdh6bfBy7$IY*n_-*=&Pg8s^qIh50A*^y!rJG9^#;-vQ{<p~3_
zLu83O7ycW(!o_(Ya`I`x9rhp(`33kxh{S+}f5v_<Hd+)cOG?=VokY0LM)ELxK@oQe
zU{f%s*RnqX#Zw6DK-RN}W^kQ6JHlH6b%j1jAT1DvXhMOca}4nwPsv3|H^<Jg!jSCV
znrKO&$7LO3>!5)x_WWrjMq~V|qG3O*_2>>#bZzlB7wC7X=}bpxUiRodtfoGMw!H0?
zgmjacgZ=|Dw4~h^xOB=87$?%B4C*Ler05ygqrrPJSAg$%GQfkyi=XDKsQr?uG}Ra1
zNz;?Tr>X8NE|DUB3E&L4%^9CQSSfs{MLiKrJ*P<V=k<z$)&tZSY)gQ5oL%LhZrQgp
zKnG!^_>2EaaSVYMsOWy%{C5&xlfr%`&;ifx-eu(iPSL-In*6we@xKzDud>Sh*|d|Z
zLTd<Ud-(1a-W#6_{FfnHMO+T{KxoNg@kpLEK*?R8mg2ZyEF*Z}-l7CqiA7vHBj+wE
z6NrHhKvkTf^(-vo&HT>HV5EST74g+T?y^Ga5&O%!Qf69}vQkURN5PgL?>Tbv?UL8a
zs-vtlw#~15!@Ip3GtFK?&CBucF8P5y695C)tdM7eU^Hf)-3CwiR!FlO5fe>G<c)a2
z{rmHjb+-~}cv9KL2li_u@3jfs`oPH!NZBcO6f5ZDEtuK1-7AOK>Oc*655;C}1ky`~
z@CV6QF7=C3X)40&Lg){8McxuyvNrmpynVe;;%pB*Q%LUOc+2-F{-&Vpr!6k+36zOs
zTh8)kUOgxGpuBv!j|bkNAMg2$XOs$o+-G^qQrXHbALw87M(|ln6+LZ&tehhi9|7e@
zk*@}x1v{+CGs_WztMVRq1X~m4t=2}rVD%jS;@>;yl{p=RPE#hIk$TAkc%AQYkH^{A
z3XX4w)Ej7NNK)x2S|l@p#U4Gy4$EGdq8<!lNwLbxPA!(D)QNx3w^H7m5`Ba{noFdV
zs_ASK{J6^A4ZJ1Ds$#OP=t;}2wd{9OcHXj5OP2S}15a4;YFRauokl!`e#nC>27^y1
zUe&#2m4YWCh-n@+Q*L?vBUl@}T2|>(rvaA&Ejh)=N0~Lt9@fR)MX5Uof0TdiQdhi$
z_!7F0)K&#l<JDTp9}_E2YVk(S<?QrFOYS1n52cUFT;br@7itbUKyQKep9zOTN}W2I
z=3VmI4(NjyD~;=_Hz*&jRXcT2UODq~g;tOhdg71ET}mB(tV#pj94<Z6sZ{o|5?UfL
z4P~pzZWmIY*fIj~e^TlMzCIaRQ2GFUABB7v??L<o<TYbnE~Lf!-*ITMlJQ1?9ZdY1
zSrdBaC08Zrj^5My&=Mc&-owI73&G`*)=~}TI!6$Y7yf&kW9k3e?7;uv5eBaS-Xq==
zW(k!(<Q;m4KPF{E%Lgu>AuOsVkTKA=f%88fQajp%Ckb-2)7L3&q8<beQ=AWYGBUuG
zPhX4wDtxCH1wI1k-&>+YjY2it0X|S$P?tN))&|NIg}4)Sl%l>RWsxe2a{bT7iux=d
zC(r%<v>1XuzvA)`ni+VH9L4b!eJkUVm4sKp`ye}ONFHdp=q0S!^l)6#&U_R-gXAr)
zFYygy+>^C<bc1((t_OBDk^LWKw(lvwvQhL_rS{NPfT!;F?#Sn(#w^(8Z`ElU!#Td3
z&s7{dQMRPs{Re3LR5$ixsVCXxS$+YfaE_nnQIYG=Z-UoL)>Hg_l)QR2=i+z4Jwo18
zX#6Z{;F~U;j~pa0*TS1o5Xj^LKg;aHz<Z^KQ250W&y$XV;2}7Nr4XnDX9olR?O-|5
zJab@IOFUWd%}F_66n42pxIK`+s4k|Lv3GKSl0YekPri>DitfO|wECZg6$R`6Y>yz7
z2IVkYw?oPkYfIdtbiF4xiDto-Y%-2~T8~cY(tj)k+Qf5GlHLWr1+m)D67n3pnNw)z
zf9!6!5ARmIG};jI{)=Dp&Whf6SyxY$1`0a}f6Qh)#U{xkZ#{q`Vmp^jf9Q9~Egn_B
zCLp2L0=$*2WtR$V1A1?*ckVC6^4{IipR&f>`!dQd$yE~fLTfs6oH*vktfDc2Gnf0T
za|Gs3{nhpUZ>aAaIqTU!lE+OWQQ#EZxXh}=wjy6G^Xh*z5mYA}J7j)!iRP4;o$amR
zL<v$Z>2N2`ipkBhrk_}pl<~k*@Kvv6fgLWTT}UyRdIs)P;u%6t;UPZ=pW9y0Jmi3U
zqn$po`}~|GWY5l!LjI^cS3v72ef4Zoz^(Qd&&Q|XexH(lDv4RVjCba7(7+Yxr2y7L
ztJ{mQ#LY-q3ms=My~5ZB6z8u5^UF@4()W*pH@<=1*n)lR*Ml$1UZ66!d@uYt=%KSc
zWcB#TJzj43*!Q597b3;;hYE&Z7t!E#*;ndmf8OnQW_adLbp-gfTxVaQu2UYE6Ikq;
zNDR?T(t@egyjVbX1k+C&3G^#6dGz15?Cf5xxK_Lse}MJ_8Wo;6iT5HD4FtZWczLSe
zy?FW0g0rtJn6q{;cFs2ky+b3Dw<!mDH;EBKK4Z!E2!0C<^#I;u5=LTV4rq#3M%sWg
z>+CpAu*JX&9FeLs!&1P{3j*&^xV?ACyvxv|_!+L?4ot%ndUJIB)^TW||KH-^6zk-f
zsG$=t@ve@8hk&~vRc5eJbCt7GAHjEX>MZ^%-rb641J{B^ce>;3>kq93ZxPx!IM-3X
zPG0OuPUYi)^|CIs7BBAQMvYrbUn`k{-g~ZOTG4rtja?Kgx_YiL>6tUpPw_Sfa(jGH
zApgZ=a)7$erZun%=zj{lLtsyk%X{xF^zGs5FKqK4_gRTOCF8)y0gqwMCvgYw`Pi9T
zOBp0G<qsdYW6-ZuR7p{PNxO>D&n3pT9fW2IeG^o-4=dfbAqJU`-Mnc7%i6XgoIwuE
z>cIUr;3p&7`!HYi71jcM4!tArG_u*>wxDK9yY8?j{cwNTS8_4x$4XJuvmG(4Q9`PW
zib(s4-tm{v%8=*uhnItOeR%quC9ekY3S7D9n*Xhz1@;$}kzNTs`}fAZ))r}u#Cq%r
zC*NcCM*7j7kS8kHn!lp0MRzY*`=2>S`(+$iW@X4M*6<MfA@H?lRv+Lr-n~$!1kKAk
zL=ON1fmisx^O@RIlp}x>Qi8P{_w%5GOgTY##`+}JnU0`*6k0ss<t8mqmcaY)SNn4|
zmu`_qgQe0vJxG#^Vx=;jJ^@bxO9RxsRq};WF|M3qZ$i9B$z62MqL^@<4MlJ1RQCqo
z-r!v;!f}-J_&DY{BF>)n@aN3+o$5YF*Oj-3)}I@md#8#}*C9o;Q(1A-3$=&IpRv<a
z@qg@6JoI$2xX^3<12McCtc;bNJ@DTZxbS~6l-@}L$HQ06KqD`q4<si2lZKgUNAVvG
z{MrtxT8IBu%$<7yd-Lu;`4;T+J5XW|(tbvc&6wj>l>P!ziq5<hyi)Qj*!H_o>V=bk
zJGlV!t;I4CdAkSSN%Vgy@xSXWpoKCsOmrA|R<3InI+j$fM1J0DFU}8obN~HcquP(_
z;C*;L@*-TLhJl`Ay1!KLj5;fK{rC7r*}XumNHiIl{VZM);cB8k?xB?<*3CiWk@M4h
zd7<pO|F@-{i$CbU<Js_5@SdbCe%Y`MZxM3XJ47x}r}AWlyjAYi9I$o->xfU1j=V)@
zjEUyxmBfs}z;!QID8x0-$Lb%2A})I=@?8-gUJleJ^XdfCFgp*S{5`l$VxhJExwvQP
zfD3H*p24$7V41ALIsV=u^g}A)zU#n!?Ci($4S^gI`qKmb!(2=kyU;5s&vS~_qYYwr
z;3}R_sLbn`kXZ`+R)^4>csTw2Rdj#k=WHO}@gQ2rf6?{-O|jBX_utrh^!H}yXu^>n
z#UJ*aKejWVli}QtAsz)mOA5Xtz9-pN)2ksQ9VsDa{wIf}h{J>aq~d{xSH#MF-W5N+
zAMw_YOB%6@T!3f$0dw(F{yAKd$b(NJPa`|%$yaS^17cr2uVsR1nCm6_u3Qz*&{53(
zUJDG~inF=?N@R|Cpnp~eJi#Yd!)v*Xy%HJ7Ct=`?2WF7_uSJqBf$PQ7i=TzobEbG`
z|9E*pk()zH`FkyBlNVhpveQG-HbI}*f!=tbC@l~}kI2=ZpmppxIYs)%{|1hsFVXkp
zDo;votWL1JQnF3~y>?%qjzAdfAHUrcOvkxg3)oZsT1w;!<UU>KmkVM?qQ0U7?{;0_
zO!9d70x4$>p}Pr%1nVeX!b=A(EkqvS!Fz(&4drta-DEe#t?kxvQ{8m8zMJ7@y4h|+
zx3SyQZRWOcTf1%D_HLfr!OeI3x+C3D?l|`ncY-^~EpR8hQ`~9p<?al3mOI;><IZ*G
zy9?b#?qYX|yVPCgE_Vx+p%y^ftf>;9c_yi3c++cPj%*!OSEWKXO;`0)ee6n+f$v~u
zfkv|Nm9>VLd)e41Z$udljC`Y$F~yi_OfzN~cN_N@FBmTxFBz{GuNv!(H;j$Oo5m*N
zE#qzD9b>ccuCc{<&v@VXz}RVgW_)h!F}^UqG`=$S8ebdV82gQHjRVFZ<45Bs<DbS6
z<7eZj@r!ZH_?L0q_*GZc$-2I7pd0I<dZZq$$LdLXvYx7^o5Rcz=9lKz<~Qbk^PqXi
zJYxRKJYoK38J1~TmTiSwHLQA8eXE&$m%ZA)*S^ob-+s_uV?S&^Vn1d-VLxR*?MAt=
zZUTBD(M@t|xpmz%x1QU;&2oKij@!s>;^w-|-Ii_}x1BrM9q&$bFLkH7m$}p3neG+t
zmF`vUJa>V6wR;U}7^^hC(qt(c7Oe|jRSy1$2#f=ihYni-vwtgMMp$KVf~uIo8iP4u
z)iJL$PIXh=)p)#z$JFEM3H6NnMD12TtE0wN<5T0Hc6B9lvAN7FG*_4_%^S_z%)88c
z%zMoT&4<i~%}302=2r84^K<JpYrXZlwZVGB+GxFLZL;37-nQPcHe2snTdeo2t=9Y2
zHtPdxyY->9!}`eDX?<+%vJP86+7;|HyN`W=J=vaT&$n0EYwcI<*X;H7279CZ9-hf?
zI}=I|X}6zyKEm>NMtO<^!3*3K^`iV!_FD9#R<_&G?WC03)$M~47q}Oz2zRJELRE6d
zxMT3-8u+Bq7YcpR7`^fYehu-=yMb9h<JTCt6{VU0w>qh&z^!R27r1qgY6kpzK{W?{
zty3+G4aO$b8o0Gt<q2M?j=-$#std4dr|O2D`&@MgW__)C0=o{VUdBP=py~(QI;PG?
zpStQoU{zH$7?_o;E&^^fP!|Kg8ml3|v7t)vY@`|nTpO*1>*;#B8i5|(sz#z0cd2RU
zu|DcbJo98V2fa35T_yOX<^sd+SMvqK)YXDx>Kb6#V`>R7?FqG1uuUyP53f~)=;PPa
z3O4~gb}jpN2w@jM7kyF<l;^{H`;eGvxc!kH0ZNrGUEvD)<`q!bCSBEkeE_bPN3S}-
zIFvSaY8UN&16Y7M&{jj4;341~h+T_2#Hfbo*~^T}jp@b=V<u`7iWTboRQe0O6{JAj
zPIu6qbuZmp_tE|I`T8P#u^y!->dW*D{epf`zocK*ujp6xI{lg%Zbq1qW_dHptYi)a
z)-ETu-fuo(zHGi`t~Xydx0oN8d(1D)ede#A)RR_}6=%g;308`gMoMj9Wmw&;?$&u$
z538ru%j#|QvHDv5tYOx0YlJn@8fA^P##m#man^Wik+s<Rn{}&oyLE^4sP(w@r1d`D
z$;<XDz~OcF>-PKhHv2>SbNdJTu>GU`Py48S%sy`a>XdWBod_q=Depu%6`W|NqEpGK
z={(>(=&W%bmYxO{9W*a7=a^TSbIp0?d~<=h(7YN~467xeZQf+wZ2n*#wol-!2Kvn3
zTe<+$xSh|@2W`B<y3$&Sw%uhP!yTh>mugOoQ{AcI)Wo|=!ao62kOZDvQ`I$MRk9Ip
zG&iaU<{J%-E=CWdk<rWOi?s8N=Zx0mulMj>-ADfV5cumR;}LMz&BmkTu8-jj?l7JN
zhyB7>OYZudu@7(b1-#Smz?;7Zk9`GP_D5qKxa<+*HFDVX8i%n#+q#kQhHk2x8b1Sj
zHW^2)x9xc2ce|dQse9W#`&QlGzTLi4uXAs5Z_*nC-*g*239hlp=5XaRN17vzTIM8k
zl2IG<@S;)2`PMmLv`4;J@URt1nb(^)D%bp*`F9mzK4U(w(#)644JyNY)7+$*nD3bH
zs9a#kd#aha&HO;MFh4YRs8;63=6==2{LVb2dYV645vs2hZB<s2tZG(*nqnneDe4NV
zj#Wop2^>mSbF2ndmYQodv|6Zz_Dl9xpti5=U(_@5?$svyH^)_PqfHUkW!5Y>r)FET
zm1E7Z3YBYJXI-yifKz`{)qz*Hsv5wp+f|(Pp!KMV2ZlYaQh;Sos#<QC8v$C>Dx93f
z0JdDB$^m2M06VTSuTmPAGgpNJd*-PyV9<O#_X2Z)vVchom1ABFd@@nKHh8K0WPOMQ
z+KmRRgr5c6NJ5Te{0zwD6y&Xkp9y)~05A(b8xlDiG@pZ?3+~wnb@W!}qwEAV4R95t
ziDgtaGL&g#8jY1Uh8eREUus;ZY-5e_h;o59e^+6k{tZaqXlw-BVr&I`A3QY-(s>`^
zz!zl;jwk~-;sCn3vI++WZKO=yTDJyWd~AKJ%Gt~98&o;>M)xMPSp&DVvh;90TxmT)
zPe9%&dJ0l5)0gqO1uD8(8K9&elxZF|v4ews0yL%Zs{^_IrHV4YGQUEOeJ0ugDgO<6
z?nm=S^x_fo2;#q(zW^RHkD+(}W&R62ecU{bl;6zXl$LJAJGCuag<Fp0;w^_;;eZjq
zp$fnu^tBaZ#i%f=x>a43gRW2mSL3WWWfPxVD;@ac2t6Yu!-CubRy9&lR%5F%(sQk5
zfX#ttVfGe#i;A>Aus=`{_6~ao;-A^r$I0Gr?+5(e{$7>0f3|-{{8wOM1fH-uxW>;a
z2AU35p+MXD1u4fMpDbOV3qT)R&8@(q?dEp$Zau4>stP@(zN!X(*hf_YcNwcHg2P;a
z7F=mvsUpE?R^mDDu<lS*th=nclnrioOqt+3;i??CPqeBG4um=B;6l|@d2pf_6%B4w
zT}6Q-)le0{18V}0w9$%hU@*GRQWJ@p6Vc)b;FRF!MB?W}XaH5zMbHAOs^*Ya)l>^e
zl^E3udQGfq1Kp;&8Up>MhH3{LCr%B8^ooa`BUn9wSbYhxx+y52wwel^vktyNCKx_}
z7(M~|rcYf?3~xycZw)P>p}LrO-WHleV>MGXf%Y_5^~A3UF@K^Oh+h-p|3ozdzg%@S
ze$z+`6V=P=b+q{n(0_CFj`{*^{!)F7*6vf^qn(G;PiW^q@oPd&<T7>4h*slCK@&(p
zO^p^tM>W;xY;=Y`BGfd&xZZeBT~2ChO=@Zj&ikC232yrm^1N)kjQp<{uON?5*#uJA
z1n9%>;;PWv1kzetaPAL~2f8uf7seO3D%3Z@_`x`gIJh;^p%1H>q{K@|iI<QDCy)j&
z0WWT&`s((&z3LB{-2pmIN8M44(_M5Iq<7cd)gXPIJ`X9qbT2g!61}%-1gYLfHHKvG
z2h9jSb%7qB2dF8K@)sk0s2&PENN9Mt9<Rr%0i@&+(7-3Dk@`}7DWFjGC_PP2LtJRP
zA2g;Jh+m<v0GzF7qlS5U9^wo2LcnYEb*TS(y%Md0)_}Wg)|(N3S8qr9H~ODym>FXx
zsF7y2*#fYo*$FBA%pr&mGlv5%HW#bz&@Ps%D$t8psNRq)*Q>gaEa2SGk#AFD%{$CH
z0Pi&KR5{Q>?otWnYIC)!X5MYy4LNeJd9SKyK43n8s}GqEq3k2(BdV79xcN9zo;06C
z*{95>)OnCo&!|hyXU%6(^K<5NxcajBGHQF(d{y;={=E)4Uo&5W{M!Io)*G_yP1Gi`
zEXRBgvTQ75**4tq14y)r<_<`--jHY?qy3+mpW`aDA=D<^ZZx@Fl)2aZTGb%Wt3;kR
z2G-4fl?n;?ovJN%4z3Cpj4^*Q|B1Np!ZGI0=Ff-=M;t?r7*CGakQ{Lgw5?xN4`^H`
zkVm*<1@m|FB;=d$$avUG8gbJy!DVnDE?hI2Tyu<7&MJo#;hkfwNUOY>Y*nx-sBCi3
z7^|XH5mzfiBG-UKt_CPPwV@Sj#Ud`8HIbZk3^{8Sw7qzwCqQ<mLUt#s+R*({kRlR1
z9uhnaapAjT$ak|K%^Rp5<h~WGEJ*fL^5D_r!DFnZR#W5`PCSO3xFMwa<>2Krt(kx#
z+ruH-uTtf$xz=3B{CU<q@XGnte8d-63lLvuU5%WJtVL>ub&Yk6N{3dt81W_662zB6
zFPKifV7j%&T7%jiwjKdoXRT9Hp(VWr?)<v-IwZrJ)|-HDTW_ljXx;B2{=W4-;0M+R
z%7o>$9n$7Q>qAJA9o7zT?T@UFAf0wvuvaKO!(fr^Qkm8#)?w6n)H<%TUD2)%SkJDf
zGVFHtAjF5;<CJNSx5ujj`x1LHB<7{|HQ@D&?PbcP{0*~jv~N+F(7^6eePHq4r@Gn?
z*bk^l_CxkVND+%<5^RyDRA>8X`)SpM7D*@jIr}-ppSPb!o|o*GR6S_Yuc|m`((6=Z
z+ADFe3)ibOXx6W*I$|N>>YMhPD%Rd)zlHeQ_S>p~{f@mE@ptWa5f`ag(|!+@WJi0e
zy;aqRPX4~igI>N3c|=-9+uQ9A5f_<R)BecbiTKC%$Ebgoy$kVA>`zpRz1#j2agnGs
zq0fJg_#S%?>i@$2LbbQQgpL;n9q((EZ|}4Bp*`Q&-ylU~Z%zAK`vBtK+25fJ2knE1
zi!@HM57~!M!w>ckssrqU!$|+h{s~X_Py3&^`w{yHQbc0cgxzoy@n4`rHh>O!9PJkw
z9t~aPH>Ce=|Bg~8?USmWV>pJ2b4<qsv>aPCa2#lx9iaz*tNKG{41+CP&J9<QZUpql
z2x>}~D6L+_Uw$TjLXsBbu#F$I5B$P$=Bo0P#FgPyC<kd9j$bULat(MGB4I(4$1jDR
zhH8}4>9DaY!hcf<zjWBzl~pEXb~a^p;}DtMnlif`Wp)S3>`s)~T~TXIc!Cn}vmv*W
z&;rp%BPh8m!fugYUHsyZD;3wpXH*L^ygtrEPi+QUKLcSVexk8vL4u21Zx$lg+fc5z
zr(DmcT<=V|uHhHyfv4=LdZ9l=uXR;_NcVI#NL_+-(QzxQ%hYr{iAee?&<7UcNkrb)
zP>a-Jw0#MFDQYQxiE0_f>{HbB>UQK`1#e3_{4I~8o+s2=Ji#;grK@MvOK7QR3E64`
ze$mtw8beq31iHd*Xbid37}`-|=tPa7D>a66bp*d0@!X)EU+{~C9|Pa5H7XjFR4R0c
z80g%wMyyJJm6w5Z(a0+rO^oKM7JVJfVDWWVamIPZc`6CEUk~Jj^@sTR#!%!LW=ugn
zQ;n%8JI$D>YQyU`3n^C^^Hc+4zOh(k8B2^MDvJ7jL+B-ULvOeT+DQ{?CvB*m<WoE8
zOkYYW{B<v)X3<W<;I(@VwXHYSqn&RUZy+xAKr^v15r>Tl_?`jV44$d2$Rid)KDCx+
z#&+XF)U(6bfvcjyG!y?GQob_2LVT~W7iITBn@NQ&`VCTGjiSxp8{Z>-$T)<Si;dBc
zT23mpoX*s8BB<pwq`eWNtLQ4K8a19~Vx_7CKmT2Ctp|q{F6_Vqwn3%A^YI3F`bKLb
z_`C4sO7Mtnf@~A+TpfO~cOYptTbm)_;2%S}@ar^q$+oI`<l1TQ^K1hj7vAk7?`}li
z-JHC;6?u1C^6otH?vCW$UHrWJN9&)s`w{DBv`YB6WBqD@M_4EAXxK=?(<|9E?08j`
zoV~hT-_B6+cBY-Fl3`^x25e%t#npCpFL0LLc5jsGV-EmVx&SgD&A!kc26-Toz(+|?
zfs&vRB*8q@9R8?lR8w2zL0enwv5u4nUF=)!TT%9Qdlldv_MNJ#Sn;4)t)3(AsZPEV
zPc9Qr&XPes5>E~iPu`J9-l54m5~=T-<Q*1yM;3X9P2N$L`aZB7cgQB!s6npbqrTsP
z`hG6?MJsCk+29%VVLb@f$R^ilMXphkTm!yv{1V7Dl4uPilWU}qYt$y!XhN=0om`_m
z`9(Z=L_9e{259~nv`J_?lT@u~0VI;1Ez+}1dag^YKNfUbQMIM+pG{iz!4K0MDPjS1
zAjP(#9gu5u2i>*;l@0+En;@Gs*@`q-lhkO?N=P6bCX)_plMb7Z0$b5m$fd2&fz+4)
zYJ3&7iN%mjI?RSQ{Y|8Z-H=PWA)6Ffn-rKp+G|DcXGi#>K1EKU!vxUb9>l)@HRg)H
z9dWTLvO$3d5Erj#D^g%h+8Mc|LxXgfK>M@}?b8ON$tI-98l=e@q{)_~#%$UjHOx`w
zD3wqBtCBU{ngRP%w6IFnEcjWP2mLHpff7U)OQkO6TB3`kQWtZni&dg7){webQ|e+3
zsf#tGE|x=GEQi)^W$PB}7S+tU&AJV6m9+{`?B5o&f77kIt-E2{KWIIOyNmATSPxkb
zAubx6V?Aa)hWt-hPXIn;Jq7rj^&IH`dFy#qpZZ+~@|SY(tglyj<S%jHFB=gTo)Sl%
zl1H8r4xX|F>B2|i$Vc+XN8-pw^2kRb$VVc{N6M3rM3IkFARnnkJ`znnQipt`oF#mu
zo%J*LNFMn}9Qep@hzlRdBOi$)AIT#h2?rl(gmmE@dDIr;$SLy3DI&-tBB?EwCwHho
z?hsAxP{+Q_z73^TfiL7aRh_D;3jG7(t*ox9(mzm*{(;6$qLZi^Imu44YE6wMl^Tsp
zjV6^EO%3pq$+SkbZmZkEchpX|Q<Z3$M(8}9r=n<|=IVT%uj<oEt))BZPKbBbox$V9
zV%55<?uHbxTN~4Et)+YD9!Tk_d#WVbuxYemGik%-=)StIil-$TMoTt9_t*VZ4cfC>
zU!X6*eFy3bQNv(8Sk)3ww#v~%H2f5Lm>vfIl-Rk^dW0UK%5elB5}xi+stLydD(EqK
zjLO33(^yqmkJIB+6<WkG`VxH!QpCd*3%~e8)sWV4GRCMTt7O{9b!j6vz?juk<)fvX
zOiS6(m+Q-sA|njR@TbpEb@WU<6D^sgXW?FAK_}}gHT*kzj-I0`=&STx+)J$KWIbOm
zKv}V=ll9g5YNRjHi;!{+ENiWA(6`}vZ`V)ad7skH;d!6e&!gX7fW@7o*Xwui)SLA_
zlsck+Mg1pC2UekLR#TN>ePcAxOg6!FX@e)5oz1?uDmHjBJo`gocMmg%AwJw3uF}Qx
z3(FLqUswuacNiFLTMgUfZu@Rk(Z0vNM}=c-<X-r|#2#siQMmhIUx-zbg3*!(5np4k
zfy5IF#o)+EJ^NAnQPqgnN{aos{W$W-C`zLJr2V8yrTvmY`z71{yZv|Q;WDn`+Rxa}
zKx2Q_hP7`0!~O?KiCvQoyXHmc=c0#4I0u{qkW^Z&B#u@gUe+Z>)+8?0ApTV$=A{$!
zYJ^~0II%5G3%11&+v*V8Vu@|lh;1F{J&Dsp^-xt$3vSi-`#}Y_8W6WKh+8d*TbabI
zY~q$l+{z?wr4qN=5w|SjRtw^mk3Pa$S}?3OG0aB{vx#9j#4sN*%piv4&?DmmZb3Q`
zt9<m!)FW<X5VtacTUP<|<^scViD5osSPn7FM-0m)hUL(M(}5nGD)ivQ(SuWk9-I#P
zGyNH8So}Ekh+7%NtxVun7`(XU%yRJZhnwMuM*!P$>Fe>CiNLwq#JL>eoR5B=dc?d;
zVxEtfmq{Ox&m3WnQ0<6$ttff2h<_&KPkG9pNXnn`ls}Cqe-h{mNTU2nr2L7Z{7Izz
ziK6@|Px;fB@}~*qPh-lTCX_!7DSsML{#2m+X-oOjmhz`9<xf84PYUHvGUZPr%AW+v
zpGK5F36wu=DSz5h{<Nk1X-@iaKtIslNja@aIn78p@uZw)q@3y;XKY5AaY!@GNHgt8
zGu1&ekZh!uJW@+JQcDD>#U-^=CAEZ+TH26Wnvq%}=ml`>7wi{M!;7GtHk1j`lnIq7
z6Dm?B$hcWe)s)h}vvTW_x~fq!BvLX&Q8FZg-X5dhPMb^2r5NE^W-bG#5g(opquYh>
zu8AivnV!6680)@4)x&uAjY#>Mc`M@L)vImZZr+agDsz=8PY+)-J$xDT@HL@_FM=Mv
zY8WNI2Q}Yo-iQ46oA)Cw-o8|foP*z(Ys@u>V+<X2is!GM`Kb9A+93Wv2ji7bpl#v>
zjHVZ`ocT1ytm@Ghm;hhkKTuYDfep>)F^ZLpQ7rgN=of5azGA+DxOfL!&^uV0-obbo
z{Y0JOBTS}`u$j3Dqh87M6eeTTYYSQ^{=#Vb3#-vz=)(xuhp0`whRO6AYIB$Q3EH{a
z+>MrhYJQ5V;zz7aKVlPl5KVXx_o}9t7x6Vbjxu(VNk3u?{fLS5BQ}K}@q3KF9fCJ8
z5#GdqA})T!6#5a<%%djOR??doMQ>t#dJ`Mbo0vjxVikH5GvQ5yZDXE<H!)Kj7pe}t
zi3W5$4WD8inTLTfGw~*-(VG}!g;^NsqEE3ReTq>Wk8$Bmtcd)TtV-}KiZ?Nl-o!L|
z6C2T+m_~169eNW}=uNBvZ(>d8nc_`Mq&KlCy@`qRCMMFGm`QJ96#a-*=ts=7@WWli
zo0w=dvKnK|uZh(J?G$ff8oh}r^d>f<C(N)hrmS)?s{AS}w{`G`WzioNOMh4r{b9NA
zhrOZFF>7KYd`oY_AC^vkSS|R&-a&k`y%}Ra;uWhvuUG?m#TwHq7EZ5NReHs;;1%1B
z{2$sM;x6J9s|&B#M@ZQT-&kGv#&)S%^opg^D;7(ym`$%(C3?jw&?^>3uUI<0Vm09v
z`vzsjAC?1u*tclm0eHpI=@n~CuUI<0V$JClt3|I^oQ#^|dBrQ1M6Xybykb8iF8;7A
z`ok*FA6AwAuq^vG_`}la4@;sy%z*RCP_d47w5mm~SUSC8wdfU-@kp63qA_nq5GRY4
zXBI8b@w7a%XnAJQ=FFkZ*@!l0Q(BvsK!(?VS4Kvcyb+}g+Ln`PG0MnjHta$f6>Uz-
za4c=YEZT%wv<b)4Cd{HWm_uu@5$(Vhv;!y5(wj{CEt@u5b6RMVX?HcJrIbyJD1#PJ
z1}&m-w1qM#k%p1q#ev@~Qw8L7iR5$z<a9mB>3Ybl9$b}?i`wQb;B*D#bm`!9s}Pq_
zjCArilRU0Fd0Yy4TvzhA0*+<WH17kCD<F?E!Q<8-F5?<KFiYrR#D&M5M;=!|9%qur
z6_CfJlgITVk1HUL>&Eep+U7sN=?ci{Omeyca=HR?y6)t31>|(~$?4L`=?rkX^(ZBr
zt|vKN4|2K!aypZou7I2_onxH6$?v+7-_^u;=Z7dO{H`bYT^#t`E;Y&g1YECx{H}of
zE}i_YJI76Gkn45fxXBRmy9DyPf#i32=C|gzssp)R1CE{y;pj;%j-Cu5*BeN#H-ud8
zVsgEK<a(N1uO7MHKytl0<a$Fmh7!*)lp*ALnqw$KIEIqUF_a<XdhN;e29oRLlj{v3
z*BeN#m&Eau(Hu|d$nlg~98VcSKA2BFID~v~2>D<=^1&hGgBJPVK=Q#<j;ai?YJwYH
zL~fWzZrFg_a0t1fCN~^HZa9!*E2-p(b;uLr$qn;3wo-#*D+9?BFC<SKLY_E~Jh2`%
ztjg4|DpA9#Obu%|H7uJNR%>clt*Bu+)UaAn!*Zx$Ri=j3ml{?tYFK@#VfCVh)rT5Z
zA8J@tsbTe}hSi@MR)1<(gQ#J(p@!vB!x~Nv%ch1koEnx*4XZyjtp3!n`cuPdOAEgp
zE&R!}@JCqUJIth2pNTnBZ>dXZ)sLh-pGiwTGsG7-iZ*;h+VD+i!{^e5Z$|6AC9U@n
zwAeFgrDxg+cDlNhR{BU<=9zx)os8g&qD|hAHhC_s@s^Z2VURkns-cuO;gmN+DR0iF
zyy?vGm!TYgDbMkjp_Dgi9Df-~Ns~rN6HQ6eiIOIglBO;t%}|cNl;ilzP)eF;j=v1$
z_)BMwzYL|Mxqy;pC?!oaCCyMunlwt92uhlvlr$AM{!*UfFGDGBqB;IDl#-?sCCyMu
znu?S(X_Pck9Df-~Npn6WO=ph34CVMsH08}u%9}LKX{bV}Q<qYw97kb>QtF&fsS_qc
zCTb$bVun)c45idbqtxj{O;+Y%#VGhT;N6I!CL2plb^yH_gQ?Gsp$^-MI;=w-wiUe_
zGJ7$WG@wZX25CT(1}xHmOBx6#4TO;f%8>@bNCV|a1DZ5olLj2pfK3{3NCPHmz$9i{
z!0d;V3!Hu!debBDUAb&o7+Y43EenGz&8I9~K=~O#Z|$HmBxfxAwaqC%2UC7lr2M>y
z-rD)}*1`*o-$Ht8ucn_ioPOFB^wVa-OIu&9pr1CAe%clE(=MXal{vy9b!A3UE<Lmt
zQUbT2hxS^^;RW>2&Z7j5pg(p{F$pX)GMZBkSEL-ii2m65^v6ciADc;k?A7$gM$;3!
zf}YrLdSX}56T5<**i3q2SI`r?h?3k#A8an=c?<erucZ%m1%0sL^t-O0-!+qd*G&3d
zSJ3YoPQPm=<$nu$TvyQ7x`JNT74))()62SoUe-){Sy#}@x`JNTMf9?UQ+M#uzj`q}
ztJhMGSV%o$A$_Wu)FT$sLouBmiu38A7)am5bowSPpjTo5ePH$Jm8d|kL>+o1WUl7<
zsxG|}{ppps96qo?YBarHBjNqJNL@ugMFsl6M$lVPi{6SE^i~X|Cu}CY6<5$(F_&J6
zVf04~rzawno`{L`M9iTlB9)$qbowAt>4WG???Wp64yp7z)S}<v3VIn*>0d~tPvLU<
z6sE&>bu-#|yS@|fe!T|pDZLgmN5q3Q8Xl~d&~lkMQUQLfH`EAvAEwj$aJk;0KSCby
zLG;(3>pi$Co`_oXL|j2%Ln?g@bLeGArI(=={R^q|ETmFvn?`-jq^4Gmnp!XFXi?O~
z5~+*1)Wu?`i*=(GR*m{sA~mmG)VX?4+e)N{)tS1LL)|KhT2&%7DVI7_3bm&i)SJpt
zZ|X&jDUn*zCDf9-QA?^u{iq!EqiNKS7SkSFLY>H^PBfL;P$9J;gW6CWwV~eBgL+aA
zDx@A%o_bIr^`JQFL50+S;-~@Dqz05k4JeKpP*-X|h17tmPy;HY22_(8P$4y-F4TYu
zsR5lw4JeKpP$V^=LTW&9)POFd?qgH;DNo&}kh)JKb)Q1&K84hMlBoL>Quhg??t__n
zn5!2{-KUVc&ob&hy{Y^3r0!El-KQpXpF-+BanyZcsrz)L?o)-jPjBizQ>pvJQR^wB
z))PmqCkb<syTkV`v+p`$F7j~Io^$Z>F%Nk>y!0~b<QhtXYd9-!DQD#^rzB_-q7AhU
z(S}-65?n(qrV=%g3~C}-)I_qVgIr1-B#Syo7Ilzu97o75rGqr14l;$~2ra3JjHf1&
zK}{r!nn)IPkV~n9WKjnh$8mw|5FMl$#|2ta6B$o$RBig9X3+yRmcFMndYx+1-!z8)
zrZjq*M$yw$kDjIm^fX;bPt#=jm}b+v)PUZl+Vm^UrlwPwI*z7x(}!A2JoT4&>Mse@
zU%FF&v8caHqUKVSI!gkzk_74_@zh6#P!lPj_K`rnqdPT@WNIAo)HteB*XTq2B7vGk
zJT;36)GQ`Zv#3g)q7QY7%G4m@sX=t-jLHs}Jzie5#r*LKsuTUn=hO4$&GPWHhSnik
z!$M^!?Ej?)S9nfY9XfXJr)rFtIc0+CHD=1FOVs)a!=_DA$HjeuH9#j}>&jkXRUnVk
zAW2(d9>fJ|I4sx8)m+SFxKZ7y)~Kg3S7D>ts&*l#(YH_gB-NT_V{oSkNd82X4hh^!
zb;JycfocTiZBAG7Fbm=)b(eZb{T-6`P4zzJHOT#9pgTn3u1S#bjZjY~%()n(Myg4e
zS215LS2wHG>S4^2ctvee+b|Cz(9RfTV%A9v^o9D6@NHCQ*w`1UQK|rQF&3yo^*435
zdIaOHud27y2kKMk6n48o`AMo@UY~wRYH^Rg=Ow9^`gZG^qz?D%(=ExU?SFa;^H^e$
zy8$$YwyF>2c#c++)huWwE7UFO9`z_@YOGUltL^GDfBS7!0a{HhXe3QBlN0kDG0$_1
zx>Q{OJ>yz+tGX96KK`LzgO&fG`rKc}ftR5Md<L1&Robhrsvl;Tj>VUCXJhurb?P>C
zALfTVr`D^@YKPk6FXLiPO&qkMEX-la!|c=ZG0SzFnyRi;*Klsh{g_YkJjR&cRUcut
zh}XAa@MFYdj)@O?O$TT{{V~gQJZ7)V!5o#9@IgGFo>VVjw#gQ?6Qj{ynR1xhB6DxD
z;o-<v=cxf|7-qd(rmn(_mK)R^>Ou9CdJ%fld+KBLmD)RO*o0~JAj08<;|Zq_&LW&o
zxRh`u;cbNXjL4Zf!hV==E#WJKn+UfN?k3zvc$o0GK*t&}Z0aZ{im(b{4Z<YCx`Yh~
za|m+@TN8E|F=FCmrz_!L!bya430D%{NBAt^Cc<5W2S-jSnCSd2(6tD|38M+C5ylgy
z5T+4k5;ht=W!MO}IbjFF9)uSV4kw&Icsb!*!li^aP8c_4n0qJTeS{AaK1uj2;Y)<;
z2{#dLA>2NpV8jG>7vUbl{e*`Ij}RUg7^VoFNtaEW5*A5Vi7=Khfv`4VJwhL06T+5+
z?F$fubtddV*pF}!;ZVZSgcAs-5Y8Z+Q!r)Zq_BmAO9`(dyqRzn;XQ<F2p=b0OZdWM
zx$io{jf9&Cw-N3n{ETof;Q_+Kgh!_Whr><?ELV-tN7$8cB;g#wTL_;f+)TJ{>bOax
z!xf=J7)e-(FqSZZur^^mLLXt1sS`&`4sS`=mGA<>(S*|o=M!E>cqiebgfC2;>dOw_
zM7WJ`H{m|Q!-U5LMp%SVgt3GvfH@Hj2pbW$B<w)gov<I_V8W4v69}gPHjJ1}xR7u;
z;f;i=2=60&lyEKKON1K$8%1m;+(Ed9@BrZv!rui(h7ndGj3=xM*f`Qh*o3epVSB>P
zggprR5e_08N;rDzWy7aNP9U5@ID>Ew;X=Ztgx3+?Ot^~ho~f5jo*KD^a4q3F!p(#`
z3HK5nCOjdqd>CPsS)-;Dlush8OW1%ghcK70HDL$Bu7te^`$G<E{6%*ERiOz9BI`i0
z9O~Z|Gaw12)qez*T)B!hH1N!au4Vo2OEI8>$n*XYXhQFiwYc&={#`Kx`hv9Yk3kz{
zHD=(#t%W*7_cHw0=;5Tv6c2hSqCXncBF`NrvFsm%HCXnK!9<q*BQOGQPFAg#T(hpA
z2mfEWV!&3Acm7A9=+4pLNwTI}0nh$pXK{=C@2hUy>|kt4Fg7+AyEqu@7mRfc#@YsB
zO@c95Gs&F|;(CB~fGKeu{b6f=*u)=Z`op^ZP{t@FzpPxBFv=e~{;(}V?356f>kobY
zFwGw(`NLR$80`<?vt>D<ZIrKZ%zs`5E#<BYahM_Fj|p#LT8*Q@*uh}z%V2D0Ft#Na
z+YpSs5QtU3515i%{Z7JL2v-s=CtO50mv9#0G{Q*&|1g$$xQVqzu%Bel2?b8}KNmM(
zO$vRSJIsOYISH2c99V@bU<uy|drfTb4X_Kv{yYr-v@*hsXw2?UGSUp6k!!StC%T_8
z*cfR{z+C;=#zJGcaig)yxDS5kweU1=z<m1c#%_3t4`QzE2`p6=4a2Cu18)dnVgv8o
z!0K2zH*WNY@|NUW-kF3q182PJA{$Kjo{wk_e_;M!q)zf=g--KAvz|XZOi7}nCP&R@
z%!yhWwJPfIsC7}>qV{?<2f_;Vyz}T9URZgoKOF531!K^HsvZ2{E`NB$3#&!(4raB;
zY6;bR{<K_wIN2WxUZIX^i~ZpWf4IgUZt;i5{NYi5=)XtIAn!cJUr)@066b>Fs6S@4
zKYZFBuJwnTy<Uvj>Yc~d_4+Bcwil+{<E5uOs*GCU)+&KAbD<W#5rF+!YGePEe58dT
z7p}n9A}}1dodlb|0Y^ew!|v}2p9)sYyLAZD0izj@b|s#~coO6F7_Y~8IQDGNMkhdG
zM#^Sor0isS+|#CP49TNYE=XCAa^Ca${N-?#;`K;2Vr#(nqv4+z3GCj9cqHV3%-*l<
zUXEQn65VNlDef%5RCgg@hC2hWaj~3pkdo-m226411E#ujB@g4HphNm=gpbJwzfMbc
z0`pG-Om@csrnp!Oh5jr6Om!y%rn^%BTQFr5FewT$%HOZ<5?o0nOm-I|o<dmLU5a=r
zVaXE9Swdj4yNo3S)^-a4Qwc{YBl%JEL%>%P>URtE)QA?=4W(pX4oi&>#->V5Oj{64
zdnOqBBoH&OSBF>DfK+f>NC~3>(|{o=(!kspH`T}i?8j>zcujIadinFqyWsr|d19}Q
zy8~%D8!?nkmbDr=Mh9b&UaWsI8=0-m#nw`+8hO;2?K*B}caXa`Y;D-la=GPZmD?Vk
zi8tOF9>X5+QC(aH-+Np=3m@PHc;2?cC$<~js{I(FJED#Q^&KNpL+Y55+&uj*!+gDs
z;bM&)1(3c(Z)dnvzt3=)evjdDjTMr(UMS_UOAN~+WO;-vkC5dNvOGeTN67LB3-xBK
zn4hGH8CrTJMP@>~>H2!W3@uoar>_Cbmz?exy#jEt7K~V;uLE4F1s9fS!HebkTEN26
zc&l$hdLl-sr2ZQL^YjgX`Iv7lwcP@^MBfUyO#cmVIiy{4`WO4ar#c+iG6kN@`S9be
zgpcta_*I{V_ir71xtrlz-3f`ZR~>*<IjT-zB+Khh$OZIIzW#*aV*N40CHhl_OZ6^>
z%QWOa@-5f985T-;^h=&bd4w#FkmV7wJVKU7$npqT9$}&Wko|cFo+1%raq_&Y0Q2<i
zfcbJ2eRvPxV!ax0iM|hTsTM3;rtbn=uI~jbgpW8Lk~a;WR+){}78uqYUfm0TV<YwB
zxW`QWAo3+*q)+bgBw)IJ0x&~g2-r|R0GOxm2h7)x0xs4M11`~z04~!H0WQ~%0haZ)
z{*LrSj2=qOPXp%ZrvURYBVOux7I2CF2jDXO44}v}3!{w42b(v@Z30|ezlbY|7=M)7
zUIR?m>i{$K#efa<3xIk06~M*%WxypGD?7o9{x}Bg;hW6UpEJzYdl@d)(D_JF`xq|O
zUol*!zhJmrf6cHE<DVV|pgi6v%OhlYgiA30U(#6~A<H9Vd4z=+MHPx#4>(zG0=!&r
zz!N26)Kz)_>z?tv$OAlh3vjW<8fet|4&YL~5pcPF8xXU5@#b67``r)T{E?i6Hyi%^
z<)DIFpi|ukI(QP?<t6yrH^CFWUF|a4ux*KETZSoSYleAdD~9=ICx)ZU4h$EY?HMjH
zJ2G5q<}qAmwqv;5%x74rzeS4@^#Q;X{S#oi{t+-k?+47&-vH)g#8|td%$9&-^dZ2-
z`XJyEeHd`5{vL3d{tj@t{sFKoygQ2YMEwh3ivAfePagry$65=i?O%XP^l`vt`WWDH
z_%3`HhiHp2lwP2Wp=vBfJZ7l57$aDL5ue*I0`maIJ)Xvh1UazTjZc$kc4wGk!v4V<
z%QL$$%*T2SIUi;AVz}7s!ElM$hv8DQC&Ojtc?_4Ey%`qj-_e>xeG)K5V;2>)`vhRV
z33~^%bp{+`nt+Q<cp=;+rVY5%#5_)S8B`QJiD>~A!neh}szlO*`*ns)=?DHd6jEgZ
zIN%KE(+kaV$eCz{1E!dj0MpHifEil!hK6PsV4mp$=9`rPN10Ut$C*_CCt&4(b_>iX
zz{O@H;1V+$aH%P>b(t9fxZJD&SjM|Ct0O(ptO1x}iUiIxF#?9WBmgcp;{lhLH365I
zae$ByB9+Y~#PdwdWQV?YHcwXzITOv=fGK7MV7l1=FaxW0<mplX^UP$xe6v2_C^HLi
zoS6wY0V{9h>Cylfn{@$~Kzo;`O9fnJLWjiDr2`h8Gu{l~drmYjV3=a|XP9T6&oCb=
zd_24v%y6+eh~W|wHaGBTsd*v8W#&MJ%gu`z7Mcywnnbe^V2YUom}h1K=3@sBdA5Fl
zW6WH@#by)0C1!KLrDjvWWoBc*<z_R$GTs)n0@Mbb0<}S-Kn>6*Py@6H)Bs%qH9(U<
z4bUUXuHhr3ixiX^J^>U7C^dWvDAG@A*a;|-uk0H3AYHhy)UX#&IH=UH4^X(L)bItM
za89Wq!qc7ux^931z|*9c+5!qclU`~CD7;L1sRN+!G3lR<fWpJ1f7$^G|2kdG-EdX7
zfz;d;P&k3q+!s)|fYjUrP&k0p+!Ii!Uuy0Rc<MF}z*WH)skuL(;EL2d1aOo&7*Mc8
zYQ7jyFhpt|2q@SgHJh;Ru(MiBlGtJRXG=;<SNyTNcQ6I9m}%bMpGQ()amqg=WiV3k
z57yHQ=NS7AN$H4`oMI`>ky1C9qGK|Z>`}HFE7b16`Wo36@&Q>-gLw_IH{_$3(}49e
znA3ng`!J7TEmq1ri?h3sS9Xy62d+Pj*$mGj_MFny4y&0mQ{oiAdu0Vr$PcUE%J^X&
z+$nxo$HqHi=Z=scR>R3Wi&Olt>W%HgO1M%#?D0|N59@u({9y%9SwB3tHr8O?%DL}6
z`H8jL`qcW&`rO)MePMlReP!*nzP9#R-&p&tZ><B?ch*7cd+U((gX~dh{bc=9R?}l1
z%P-b3>tEJ!tb;va{bv1+m9W@|z}B{j1tzxb*sdLBm$Sp|2s_d)Z%1Kw%V^Adsbp8S
ztJqcTYIckrYgfmb**H7iu8CQ>iFT5mY^T_@?Amr6yRMyz-7wQJN2b2rz|O#m{4A`;
z&$e^yhIS*nF;><#wR7!ec5}Oh-O_Glx3=5ZZ84Xoy`5)wu=DMXb|<^D-No)|ceA_O
z=h;2%p7ua{klhPw`1{y>?SA(8c7J;SR`FkGUt|xqFSdu+L+xRhhcm(+X^*l;+hgpp
zu+1*9C)gA1Np=BtGrZKEVo$ZF*_YXu+tckC_Dp-0eT6;SzS5p!UuDnbuAK|)h4$6<
zBKsQ5AzorHwU=QAPocfSzSh3ZzTRGG-+;M1H`zDaf3t7FE&#X59st+@;9Rl4H17Wy
zd_NVghhn(IOXGNHe15hJY%Yz-rE&NrS=Yn8B45MYqt|5x57zIzDYL0D3kmz!U>4FA
z%s$$RSx4JsT@F^|?2tLqvI++?qp>RuW*>cyxkq2f9BBJ%S!aWJN7!)&^NtQ;*3lu%
zHj=$3f5NP0tewG3=3g++=wFy+^sCHU#tfsAvPK3gWK5Z1#Q8-=rQeOWm9DI@20P5D
z>{M~8T32Geax7*m*Kp#Tc+6Bzz&zz7%u-HqYB{wXXakjws!#vdQDRwi7@)$EbeIiF
z{CCjd#iYdl3>^v;-VS~Q4YA^E)g5!;{<HY_J20{oKH4v%b+OnZu$R-@>ErZu`Z?!2
z{ha~M1<pWcuyc_!$br0%K8hUeojj+5lkaqNIys%4E>2gco72PT>2!C_Q%3Xwoh(v6
z`T+j22YXO{Gv#<lijF=J{S$J@{_I{Z9er5Ubgpn_J6Ae$oU5F<&OB$nv%p#CT<t7!
zu5lJSOPr<7GH1C{=&W$Ab*^)+cUC$#I5#@CIk!9T*hX)3pshsrLM!V!sZN@c?$mSY
zI}Mx+C)3Gta-4>a&w;)gy+&EiYUgg}9_L=1B_V$!r?Jz-Y3k%U&79^=3#X;i%4zGg
zb6Pvl<)Rm2x5cyEuNJxSJr`?$b%8a|8f0B)4Yn?_F1ChPL(AITmXB^kcYr2oM7M@N
zSx2|Uj&ftHHdb4!oz>pTvpQJ$R!6Io)w#?Tyb`jXbykVJtj~7`oO&;7+}Xh0nyU!x
zh};A_?d0lay18zlTk2NMT^hT6M(1Kq0O0R1_zYNn(T!Af%v!IeV|1*pu50Kx9j|NZ
z1f8gpbh1v-wRCM=N7vP<I!&kRdb++d#JK}C$Z7;-n5dx&=0-Nq89GyEX`jy4Il7^4
z<iK+ujeRST$3h<Lq>VLpVY-|S*AW=sD6gY*1s$y`>Pi~+VTBV|y^ftpb$Mk}IF5cR
z+vlXsOEhdsa}MEEgmVeK^!bc0AY4dzHQ^${YXFT37zqG;91tto@yDLa7<ZA~TC+6z
zLnUh)5cXV!>-3|Th5O&2?fn0*)!cD9UGa>1;@L{0zfueQPfMTbrL@4)TR^3BK-p13
zUvUb%M{*bcovq#TKd1$oWB%iEw@f_{t@=;ure$cR_RCI~)wPU$*!!2>uN^Y9EX~!g
zuUfCzwM7CrcRF{u-WL~2er*9`s_to}l*pmTcy+B&+o*>z_a;V5qdiuE_29VsaAT}7
z2_x^bjJd`ljJ>ZkZZYn}==;Oi8~s^~zpuxa1GZuX*KUlM?>7!(kE`FYT|qeHNGzmQ
zZAd5|BwtIcyXvfaU^UesJyegzs;4Q~qh}7*D=pR6>6`T`eUDzFAJ=QKB59r8h*e12
z^iHfi+N%%f!}=(8J<(<u_QJ1X)-aRIx@H42$IQhDTnDqO*~{#24mO9IW3g+=G;@|Y
z*Ia}ZM=P-c{7$Uoei-YrpT%11^;kK*8*6n=V4ZM0R;;u{PY<>xSktiDa4uF5F2^d_
zTdX^+`>;CjNo%e33ihPhg7qQ0U`zi5TN%Dw>osQ>;Cg2`;Oou^zzxnwz&D&xfE%6B
zfNwfu05>_9VPn1Jj1x&`z3q$#e8;&2aI-T3@Lgvj;1*{R;CoI1;8tfc;QP*{fZLoY
zfFC$h0k=ET06%mt1Ki<U4)~EX9dM^J1Mp*KCg3gydy%7cS7>;3(Z1P$uRB))ZgA!R
zzTsR2xY3!5TyHw_G<>IM;e4E}LmL<1>}_Wu;5*LMNZafz((odpjn@EfaTWu<=PUu-
z>MR9(-&qE@%~=lkfl~;$-B|(np>r+Z4(B?+kDTiPcRDKpKXz^a+~wS;w4I>giMA6p
zyw!G+h9+hw>j=OU9SK+q`i8b^>nOlFx&mNb9SxYOD*~qJN`UF2pXe&~D%AOjt_HYU
z#{hn+V*x+Y)d4@(@JCyFbR6IpIv(&#T@&ytodCF3Cjx%0;e)pJL6g?jH#!Ayzpe%N
zt*#AtK*JKWzSHm*TL*P2;P)CHWb2TIr`Y;I*8@DP>jR#2ZbPe-b30%~odH-$X98B%
z&{^y%+6P!w#*po5ItMUDHw28;jQ}%s6TmF&zo_kOoeSvG%>Z+BbHIkW1z;oH60osu
z1t|KrwjUIn0z^LmqQ|V3Vp-U~;jNX!7a4lNdZ_C(f+jlvJf@3svC5`5?1@yTF>w9@
zoJYX==m5>V3BC<65a*GwMe?D?H^rAC2I0IsER&AV>T~hkhzoHZ1v{k^bo^%cio{@?
zSAf;h85)0cd{g2goJYfk=>q+~1=e(3jPr`HXu850Xo>Gl48eIN*f-r^8??gLCx!yU
zhFSeB_&pIq?*|uz4;NpgXa_jbY7aQd$^#s2bpRY=<pYkj;KRk2Dmnp<w>m?K?FQ>&
zFl?e6r!8U^!8U5>paxj<cLOFk_W&ls@~~mu4}#s~b6O*w>|E%a=VXh$ftd@y0L)py
zTgSJ6vY>&^pcX1~18`5w2+-~dd^zYkBi~$WMcI4Hw8~(SiDmXjEd=*^(SI?%BT#1J
zSeS{Cf-e!tEFg?<uw91v70$xdV62e2Q{8PO7|F&6W3>5q3;H=`O$=6dB5efXhMU2Z
zA;^_%$jl<cO##&Yyx#Xu3`1(S@g0*4d;y7bZlHI|$V?dS0u3DcexgdkICE{x)2j#V
z+XtS3`L9?*n}?m|I$<ZTo>(Q@Uk}BK){w6Vfp34PKf^lE&N4~?YeQp(n!>o%>zHfu
z26l2?gBpgYPq0FDpE`lnp(~8RSP^=oF#;<>|89)Is?O()h4Li}V+q!6ZZcNNx=rIo
z>~yiixCyH?zcB8!UbDv<55lu|hwce&={Y?g^8G8l%KqAMF`{ayc=n+8ou`Zv-+1ch
z_Q!XfCY1d}Czefe179vWH%kva&9`Bge@8urEpJRi)<nsfi5Wsj+l&6t=(8D0VeRfB
zjO1z<ec!<Qj|7bD2YTxl>?bGvw443(8~f=Z_R~oA(^&S?)$FIG?57*pPdBljZe~B-
zC3VBX?aaDutF;BcK4jejq%O6VV$bg7Rw4Fu{hPH4bAj*;54`in$a~DdF5pHpqoW!G
z9iW>Ui(PbwVDJ24#tL<nah>s^dW?Iwe9YZ!cVQj(7WD~tfY^;%%3;MUd<|F`dkEi=
z_z^u4fmNxMu@jJdVI%{qNmEo4t|QIGI#R6svU04JSY@Wc71&m;{tQQ}Zo#}M>C-#p
zIl$8fqHX9=;4@?mXuG}B6Q4VN$$5pXmmC-INex`-=H+#-19hQh@5!)Na7{d!?7<6(
zz`6uCK|k1gU@3b8_4->e0DKD4DR|z^>W6cAqiw)>40sPlpRM=7dihV_V+8j3Jr9~#
zPwZdZ+vtNY*z|K2x$;dALt}gg{R5c-4iJx@ygTp%=VIq#?8I<|a|JvCl5ZIMAO+N{
zxZ2-<$7dd9WXQEK@{D-0aFmukpOFU3zmtAKW{v<?2kAjT&HFL4M6PJ73;4Fgl5w>+
z=o*-eRe{)56SVz{T8n*}<J2?YMH%XK=#fp;2gIZgiAi5^H-T@6Nk0iD8A*aknBNH;
zGR_0WcQkrHOB`bKmzDFzB-zQ&D3I0f#$-^!<Hn^}yS~r3)f{b(Hr^vuY$a8EM5_3N
zRB?<{@taTuT*2TTI!vfS%Np-5@ddEG=6)S7_^FcxKXo0!Pu*VdQ+E>l)V%~hbsxb`
z-4`pFTj~pidh{qfeHT3%GW2{s22yLhz7&`<U1LvHYk|H3U%6SOueM&cUe-&59`sUq
z6MC7v3B6qUTo=N_wn(o4->svs#XPxGeI4fIVNMmkk(Q-bf>&kh8^Dnp>KifFud%)f
z-==G-Z^rlOn(4n`?p_Oh3%*m=THgx!&|cq$Z`F0sx8qA<{q!pEwf_1J@V0UKPVl!0
z`Y!Oe$$B-uTsKAEjjz{D)A!&Dc9-jW@fEun`aXQgZkE0uU$dL7AHWyw=I96URlB)*
zjXU3+uOD(3x(oHg{5H`ec+=3b$QuMh8bL}O#oP+PwRWVb0mQ0-z|($e80l*qFsPFn
zPb|8GI|@w%o#)^?Lqg*P&`i3inV_FxY8L7JYI3A&NQ3ens$0}j&`hFQ4oR4z3L&L3
zFmpq8E{5b1NoIdlrVkbVQ}LtzQF;Ss5q{u(8&lTJ>Tx4S6-+6ZIH}k=;~HFNT!ZV3
z@s%6omr@$C6CCTL%p>#;p%aPYUtPi~UUKZeeDh;}cFNUT)Opb_<qcP_o*%mpNndKi
z$d2%pbL{$2rmkTt-!Lb<zJnd$<~P-bwYsmbx357+O8h+ubK@}~M1DQha4eiHP!q6V
zcpCn#<>yNdsm!X<eRCV_e!r`4Z{2s$mv7$EeqOU5pI<${^5eew<{|tCtTwfwb@ZGY
zzWa6d#vTI?bh~Z(cIQM3U-@8D4I7P`w~UQ6&$pb)dQiLUs=mq&PQofj4j46c+Ndd$
zlJbU49+h3iS4ooH$`Ktdn=*XZq|3)mm@q240%}8Qcx9*G*kRMBjmoa+!yf<VTM?D3
zcnL{)qozz7H+tNNVbjJHOv+C5)s)L-<!b)R{l-niU4~7ZJZ{pMq`Y>%gqZT#IoUZm
z**+eFV#??EvU3{xavC;n*0|Xq-^C$~J-=_@cHxz)^qo0z*raKrMkM7GOqpCT#k-x)
zm+9RuHF#NWnAA6L$G)ScTt05ZsHwPhQbtmz9N&B+CA5PKTbc8X3JU4rdcI+(ryl)#
zmww&;7GEiRXPueXrwpi9u=}~X8}g=Jvi{Y~UW0zEvi|ZFc}AVQwReA+e`NnZu6TXg
z=9G`t!ch9<yzgIK`;QK_FL`%Jev9`zY{{!MHD>;@ack?pb8Et*Q{w8LcWL5N*`NN}
zdzkL~z{5XxX<*ODzdviqmTzwT=J(}a4rtSA<I3G#k6qDl@67OD4_~&p-Kvvsn7wa(
z_@fDT-7xN&QRxe=UO%+ThD~p^sIqI_yu*p*r+v0E<&n34`E}at)P28njl1f>*YC`D
zeCdG)_C1_h?aE=l+;VBfm%i+Ecek%EI{tOkgAML_cvR8{J8#~<Y4-g+I(Il({mTyS
z%7~A~E}VPO_!%Sf-yPa<PQTYG&wgX(k8izpsWw3a_s%=+oA(P}Wz8rs+A2eC`+3sf
z&6}s)w*Av9e`xc`!R~W2KlSA}VZe6Vb`8U->#OZc37q?kMb*Ymn>M+5R#w4?sgpCO
z5p^<06ig(J)vRn7C#^7_gFu5vw81N^nP}zun)n*6&ROkSl<6-#V#<V&vRNKRg(6g5
zyG-OEKG&>cMf$=6Eil7;QBrFKxswGtaeQfVUeQYSCEf=d&aUo@@h~S^DkQ#S<oFup
zW@Lw=2k6I~H&2=6ZohWs4_6KJJ^aJiXO4eWuI7t9=Q|fQ9r8e*yQ&o)h+kQ*!=#@l
zes{ra-~NA%E37p&qEbPphaPWM@mRg5Zhx}I>npw+c(ZzJOXPV^Z_R!nY;e6<C%&9j
zb3pesqhi0E*>-rHn<u^bX4CNtlEYTCJMihp1KQM_-sPHl)trkT$Q_?j>E7Pe7tDFq
zH{ZG!6u-<*@lo#`$=&q(tBogFJICJ=SEE;n7XRC6$fIFjc5X2m&S@5);o;{*!;OGQ
zWEu6(M8kc@jhQrRiqLVRGt%)rBO;o0c<#ko4|eGCV${jI4-X6Pd&85reDYX>3SHlr
zbaGM4zUNn{y2WZ!|F?&3zWL)<hRuw)@U8BPF8_K@UbmE+4y~`B_u5@M$F5z`w&$U%
zbDyvHMy;PlUU0Z-PC<_WcR#-PKK)U>gm=4r@#%;UW0vGx_~ga64q9_ZTCb>>LpOgi
ztVMqBn(tNWAF;C2iANqkI=WS-M<-ADX5}|S-i>~K!-A1FR)4w9+%NWTOSymR3wqYw
z({H$N)a!?0roGf|QN7(^-IuRietpKB(>o-N-LYoc^iQHL%vsidS;Ln<9<iy*9nIf(
z<3PiRZ9m={cVyWsAOC&8vKF6N56((?y7uFlZ%%&Wl^zS~hW#4x@<Tmu4f`TGZOX&%
zdUQPB7=WJY>x&fRC)vTh;j1QRb%ZodLo)7M-_!s(fxyT3M)~Rm&OzV_ej1%NHG?!h
zeQM@ZKZhovHx1_1i|QBU9X4)QW{Ip>)22?%7%?nkOit#AQB!;^rE!T?V_!pG_Uf$F
z8KI?xA)KZ(Si#v+c}@s(>$q{;y-{7OBz)L?SDz6vZ7y!|Qu%$pL}^AXE7n(SZrR+g
zxRiwufj6SX+Ux77?uV}(?rS>Z-i4`dLG06?)!Dsz`;F$qi+a?#>$bLL{HI&Kn)y!h
zSZCL>Icq1rdZa<!5e@ft89A~1zSqY@{bJwOc*5)@)i!?n^yg21`)Sg~ODnv4)3n{s
z4*u-rripno_RV<a-83ud-iLqewqbGl^-*)*uXy6q!Iw|!d2v*J$99v-KY1Ycwx^o!
zDtBr0iTIgo=U(yXxFf%<dN#6J{U5Kouw1L#FZ{CF+m+`{RGGQu*Q8(D;ESh^40_0T
zqUx#!SzY2jNqO=0-)G#|`}IXn&0l=c;Z|#V-#xQo{md(#-<?#h@}=L6uYTcs`|tM+
zXt1P9o9ExV>aAB>r;HuZ_qLbEO?&i>nk}zdx##tl;&)n?`R3c>!K(WB+0=xAKRon>
z`XcHp=Y?zcq}Lf(l1<HfyEvbS@l{2qL)VDvKWfT2A@&AIUH)J5<{j45^~P~BWTp(m
zk{N~~`&>rY2!ad|L_kqgFbjx=fC<AuRb+}2tx#ns5o-af$f_)nAEKgYwL&Q<TMz{S
zm8G?mo&Z6tw*Bk(Jbic`a?Z&)Z_d5<y`T5{zPVvi4EUl#3@^)ngW$u8V22YtXyH+z
ztX+sDFz2ll!y_vx+5{s2hy?!3ITMf>PN6IUDIz>LltquGQ3(-j8X=U);2>*&18*$`
zZ_QsqaA1(wY=SYtGlI;ZQwW|cdI*Wd`Bdo;?B{HSb9g*5ozpcif|-3}q7m#8`Aj@;
z<kN$l*HM2bZ02<oJmim1{N#{rfYsc#O%^8bx4mXhIE_h#$GC~api^gs5)@5TsEXhz
zotI(%CW8(;6mskH+#fs|xkIeYImBVFY>n!#^|@m@RW+=5ZqPTZX``anvi!zw6ns|j
z?d1VM<(~!fE+<#WCm5<Ii;$Z-zM7CL1)=_4k+MfN#oS7@jN4mwdGm9D0r@4wVL;%%
zesz;PenwK^)Z}a5;JYm1^{-R&WMv88xuP~0<)n`t0_K;JxH7qKl?c9`ZspX+MU3Zt
z);|iX)w|iH%at?+Jx#K2+xo|8Wk*fR7j&+I=B^SK>9KL~_*?GChwFt`)U3%vgHKws
ze|>dArR1igijQ(!=I|E$2nc(|IMt&k)O7sFAnES5OKzuik}ICrn#GHP$}-2()1%i5
zVoi&-U7q6OGYR4|4w&#^20^$IK&`{?LlDX@RyvW;aoO-J|E<=c!HcF$!1{x2z)uhh
zn*zWKtl*nNqhuB4%|%5;%>osA8PAv@C5#Q>HZQo)XrQF<cQaXGB)H*Oi0T7fpq-<Y
zvph*--Yk!xi#KT)Mj;vN2bs?5D4ukOI!YG6hp*<89R|J7!hEKvba>OHuo^(^0(4hI
z5iElP@J3q7zmeQM-CXsJ^o<acMYPR5_Hfy18>HuwT1rAlV;kpuak1YgwB6rC`@XK@
zRn==CGUj0M8@kXKG5!lWW@)=~Ou0J1y%Y1^)m8bjO{7wKrJ}?0@g(%>h&^|3b^Y1(
zChNuXU#=~!u}?@I98WG?_f*o=YN|^nwKCz|HRqwNG|#czwYw!{W0ZO(T83|UZVG*O
zrX+vEk4{%^f7?BfiIcIdS{Z}n3XB;XPIg(E5;rOm;EGE<+c24)8<P=%Z*YEXyDC)7
zQ=6f?XC3&xZwC%<*J2)#FT|lv-?Q!;b@@iDThwJnXqOc_{^!77Dtb<ji=U&{8*DT{
zrSILBfQyZcAT~}rk;duw6|$+im00FWDX%9>&v5;&#@AOn$6nNO7l<ZetZPW8DUIir
zjKn66bfle}8u4tVv>(5q$+-b(3q>K8FA4)Zipno-z2Z_tQRirJzYG7%DFgp80P!@W
zDKLeu!OsH`GhhnL7I-<1;DMB&*nB>1jYeVcXqXW4bo-(~w6w4zjX{bcu@+KO3A{8U
zb|fjBMp(}ZA~EUFbGf4AtOH}0;DwCLOw17@i%)^f`!wjj!Z=X}h|R!I7L!gwq<{o(
zPzWdNO=1$(hO%i0ba&p6C{Dqi8cK#x<-jC5gw2ao^NA^qiYx_^yh&m>5g$$%4aOd3
zIDa8V`X3hltE?S*`C`MUMG_7-(?pf;4$a0m_GBLSPwM3Kq$}4Pz)v}-y9lYhJ#;3~
zUvTpq;ey(6tbP(hR1upuINVaN|EgK&-mkZcO~j5R)JpuW5LVrzvLgSML`-uBru-1u
zcCS`YV3ygzv)i9GXUt?~is$t+j#rkprjFSL-Z6h6Z8SxEZ`@Y>w)JRpSFOiSN@G#+
zDLQLK1Rft)x^wsYCy6~xB~Q-W7v(tZQFqyYdo<Boqi@xW^U;f~t4gIoSI6P30pMoy
zcu3smk<{S3bNI=sy&2cvbndU%_l<$IPmitME1J$OmDQcku*FRi%^WcK?3zQB<k}P?
zdRdbH8q8GiYa2YB&*e0DrcTTz|ByghV0n%PA5_Aa94I7k_>JEBe9zFIzu>UC0*Qsk
z@-%QDuSviLfbC$bpxBNi7gW-_H7FrDL9h-i*n&Kk<AIY6Gg&GR#}x7cjF<C25W;vF
z?u*lSB>uA2{tHZ@)}CeWY_5%rJ@x8J*CQCd5f*G%*H0fYBSZpS-gZ^7Fv$jl9F-iU
zBtHGwltuf39bP`{%ikIdS8l)+(sdr^FkIp11Ht?{>TIN12tWY+4~D}(!Sok7{smDi
ztdnxqT+VHn_&w`Rifn*XZ^p2^--Uy|>}c`e!xH<>OifO=B&wBuYr=Uy;l`k;=B-hA
zWHmwlEvS9pKz+!0kvARkX-vH*wZoP-dcSV|@pjAlX~AP64`!Oz7-83yg6apvUVoz>
z#JZ&}(CC&MtM6Qrn@s-Ipxi@M_Spcn)lWP3e|uC<`R>?|e<emIeQA!c{X@S4@@daH
zW-dnAYH{VfueCdEF->icG|nixLDmhwD=9koIt!z6tc77cD0eOCO+%J{VO{R|X8ZjE
znOD^SO1pQ<i<HVyx$SXMB`&@ec&hC=qtx5`H44PotFj7@#U{!}kDqJr-hafYc<j7!
zunQ80t$>&=L!(gO0QWzJVYK9DVdG;tGv`1j4C(x`rw9hYEh=VWfzqO$7$OdH%#X!S
z8F&vZEW{$Pf)s6MQ}rP;LNk-B>zQbnQU1r(0B5jo(GnaI2ADaF*qs92ur3+_e<nwP
zbx{KBkp!5qR!R`?gkz!bH4u)32+(2elmmNFuoVt}Fh~$^hVRqh-!9nZt)aqK2RMf{
zJC_0fQ{adfv=K6Ab8(1-g+Oc^O2Fo#dArSn32q9>>d*<A#D~0?im^tNl`#2-8br!Y
z*KQ)JL-M?AEdHdjLA=hE_3Dy+t!1%UU7PDPmwV&-();Q%Oad9Ahl_kIQPk&L{~1lk
z^_sP^l~aP4wuF=KyNu3?$S|~1bqve<rB&6#ExDR$Vc&+>4{vKZ`_*)s>(c?u%|{=W
zY<6OQ<v~i0=+~gjbfO~sq)u?($qW%&Dz&5^NXlOP4K%;yPOnxkY-p+68=bW(uEHXT
zO3Bgl?kebYxzV056D)mHY8k>jM%j|w&UR`s#22ciDh5|p_{f<jGzQ4ryH@AkztT6b
zEl|q!Ct}@5E^a1Zb?f9^XS{wJHx4ZZ;8UO<ubv<hhk6HTJI-@p*8jV<gqHlQxV6Y3
zw*&c)8^a)C3mqX8bjJmUTY^Z;stXIm1TjM_Oo88L?r1r5u&Tr>^H$B)4oPx*-nEpI
zyUV}e4l>yXN$%OFcE__5CAxDXV;=u<)PiGu-=DNo+@LY0NBif8(KRk!(VY{9GO-@2
z+&^xJ*65LB)eSVQ8>(Zj<R5fwQe2DO6()coD;EYiYBNIFqfF<9f>fX7J~BXfQ!$+~
zRV?*ByI{rH+DL)#HrPp<$ITpiu=mLKm+1w`_X7jlz{@V*qd`}&9)baNLn&Q$S9@=I
zS*b*q1Q$u<Y<RIg;6-4hj^Wd2R|T?Tkea&KJ_m*1&0!g_Jv7zc;z*0Hn_Zs&UY4eV
zu?=kKL?3;q&f*Tv5Y1y7I&@Fk-TP_CyPN56a<lE16>-6%<$@1u%QPYzg&q%0-PbD!
NZ!^EJg9yI>`4dh{B2EAR

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/SourceSansPro-Semibold/SourceSansPro-Semibold.woff
new file mode 100644
index 0000000000000000000000000000000000000000..43379631b2da4cc061f2dbf5069740d3500a20f0
GIT binary patch
literal 118412
zcmZU)WmqLWur9ig!CeM-hr!+59R_!IS-88qyA1B`KDav!4g(DCuyDJ4d!KXfkK0eb
z>7=@<QpuC9q|?>ziV_k4FaQ7mHWLFt|GGlDu>rsV7+<;n-ytHbDh>eaq5ird@gK|x
z^?Jlqr6s>;jsO5EE&zao4MTwOA}J>RrBkaL007qp03ZeePs6+<l@wJ0V7k}<fD{)1
z3>;wVP`)myswM&eD^>yku$KV<KJDO_csfN@MwTx*;xGN`Uog}!U-dSzGy2kxSpTJ8
z2LRyEkKsFKH*s_M;-NPE;-UQyV46q}=8hJ2000%jS7RW);0&de!)amU?D%C%^A``y
zfB5_aKv>v%ngalwDF84qQ2@B?oD}5ePfIhSFI`~eUpyTD0d{o@&+?1-Mf>|zCjJ6B
zTp*&lrJak%mwjJ==L7%<HL+~Zn{6FTzWAsU003mjFPbilynnl$k;j+K;9p|@BTEe1
z0`6#UWM>8d<5~p(zR3ds2yIr_TcnN-&Mp8jfv-Nriv$2<0fmoJPL57yU$WFFU$UxS
zP*=t6{pz!?9QZdvuKS=a17yB?04&7u7X`2YhyC`yS8uxyu8%nwdx)*CGVE8?|49Hm
zz)TEH4Gnv5uJ|D!Mq~WHfBxXQ4Irfs@Wllbqe7kj#|51RNB|%JYyjW>R|Ww0pXFfA
z00;osfAZ!@Mp1@_W`>5R;0p){+bCJgas3g>h}09)BU4iYQ$s^Zzkh>rVX6B8-{Ke)
zK7?d;KmAMHKi9CaGaQ)UXqlL1pvRee&9lIhObnp_1e}P9|Jk*i;p&pz_849VGB=ZJ
zWouDgvHPX4KD1jrrKf6snUVQ_4$om`RtGH{kZ<w0fPmKi0`jNFjHJ&ujmOlQx@4N$
ztOy2noBN-c)zH!%+eC=trY+z3Bi>4iMX$5}t#Vk?90(40Izrr&bt?#UNf%r)koeZh
z&2gK%qNK`giLX~un77QNX3QkC*QR*g$6=h%o>ZtyC!R7IZ3T6zOk_(7E^kgP)=0Ib
zzZf<zov~2YUnp-J8J=FI;<t3!R(Ovy-FG$5_a%I)tgkhDsdR4Kzqz9zFx#LVZ;^9$
zSi~A3C+9GrcID$qU+_$F$2ULS$=s&=t4y%^`!@2cumAO$zq-UWgkBU{h#y4$sj-)X
z?zp|*Z%sRKLVH(s7Ycb)GWtAzsERh_ro9F^gOv?QWS8V^nsvY98l>pJu~LiYt*FxQ
zNI`JPz&`S_hVaL|Wa*f7-uiE^9l4H&yzHEEC7Ppy>z)Fqgkn-&=fwWis{~qg)#h-t
zOG;Lq9iOytmHDB`-lP<W%mYs#+)PNn@)yw%U<%99m-Ksyh%Rom*RS*r5R=d}8e8Rn
zd1R~>tc#XckP6PJ@kZEUWksi<&`U3ey@&<&@!~sJ2JcNX4G4c7&E^x)`^e<lA8+XX
zr>>78bVDCA52e}VhVtQTQ!Hq)#w>yk;*Aa3m_|VR??O(W><;O-Q*j#AJ95QG5tBo@
zEseeJNAar%cq@T7;S}#R`7tWYRwWPVPV7s3HKiE`e-uFvF`m(Pv8aTHX1%T-D0e#@
zE4!H9`sVZ=$8D_l>+|Eeh&Bz*KntdCebg!Tow5^;C~EQ9%l1S9uHK0SmsFn(|Ef4k
zC`>D@tt9esd%{D4-~T$oo}tfqlUE}pI31s|7b7v*%>AHNNGqTb(~YsX;s~r?0k!)o
z#`m-_i5(QBceubnIhCdJG)|-OV|rgs@9%JTN&O60!jojge9TqhQ0(y?CGWFi{`BPz
z2f;+hB))UBXS~IxthL4Illy{-R7B3veIuSlIWq(?toyoNpl>abTQ4-S^Y2k!9OUJ+
z$#6GHPU&aftxiI7g?S{c&)qXUI8gHKBsaX4iM4x(*Jdu`a=dlJ&RAZ2NJ+L-XmfXd
zq^G_3?%jfqc&E4po7#+=nw(Yh+YH7zjG8OtcQqWJ{X#a2*7HJcQgJZB1(Bz;Ku-Kv
zwi&MzOD`zPAi_T{+W+2!fvb6^crB@9mIj4cN<u9hJ@3Po{{nT2SKgQZ)|0XmxE*$B
z>Q`T`Gp%B&6a(RZY&~LzuNU=D{06-q;9K>3omlKsed%+!{oFz5^Dp5@7gA5wt*4`4
zjy%6N(UK}>$Q#<o_0D2ILom!i7DtZkHU6{3m|&bhP@IK*TEQyspK1goHbk5?b1RAO
z>qvH@*>n|cn-s~cr_@zNmzW?5kQRsr<aifM;UOx+5~idsye8s8_=5C8*$Hp=J8yYp
zV6AjG?=>vQ|EDms_Zu@0njYZF^Bu<T(Fbhuubt-k^Y*hE&$S+OZ>!edCcLSUOPbeu
zWkZvqzxEqFO8NaYoA>m^H4{l(2q3v2fli^`WbQ*`7v!h;Z9S0q?7m}_9R%+{tG;`<
z37@ke)+~uroEEJ`Ce+9qtgWqfrITFnqTIv|v!Lc?4<S`@GVm6Eyb;KP&4API*hGp=
zGR-w8;`_}tEi;eCF-hxS@315RmlZm(_3A_c?K+p%mHCbjD;WA)IP-&aF_sMVad4dT
z#bE#aF~W(Z9WP;Gg7(?y-c~JjlR$WDTc1JDUB*uAQXe&mAknq+P;K^P-qM=q@RT*D
zdaGDa&xv~qbHDP!NX;4B1iFvRt0G^FogLNAzNpq9Sk5QI6j_5H+1tm{PAt#AokNYM
zcK|1r<JBoCjk80X&L&=AkN43`vijUqWfqk(e*lkc6^8MGNPg6V?0fF{&i>SL4|JN8
z;_Is>axsIfbx@iLQHa#lZ*BeJ3#SzU9mawmsyq}sYi5O+@pzLx+#Y0I?#`{vt_~F?
z3oMq0hgGVF{|=AO|0EIyBOaEhOX0cl9>mLP)}^S=A$(|Qe7iuyrzs#eF-vKh*8HB^
zk9%7(($k>wSjzAD*)=rV^ZNqbjeh)tdjY+#d|_0kRvj%^c@EKuc+rMY5fwvd3N;<q
z74AU$R<}#HPWhxNO?6wVQd(o(EsbqIy*MVnsx5_uw^p0}xi!yc%%(+KqN}Dj$K?Ym
zPUG*s1YbdaG>h7O>UdlkITS@oysCk4+ETyLf-4g!pDlzOiT#uv#O@M-!P}d#M@&1c
z<3l=3&yZ|<-qGE}p40GYo-b@_my1hjQb08oBoe`sE8LTqd91ELl*nS6rn8A#$~r^O
zvN#fDh+yNVN+}xSX-YLBb82>MW?AI)&iZ&lb@)O4>YWIgfJovS9}>i0LQ0(iXM4cy
z|B;8C9*o%UN8k<O?-uV(dUN}l;NV_2$1CGWR1I5u`i_5G+J$ryHGFb&P)<U&BxGDS
zn>rn>cXB>ipf$OD@Xkd~Ws#SlN!OMzSJRJkMYg-zWAAsn8EEuulzsU%Ij0HAH>!h2
zL9pjYL-tgF(p?#E5v1yZ$t;jH;%tYro?c)9a>hN2)C19fTdh=UM;m%(ha;OH8$hHm
z{OrVYeK(?Mu&DfpJ268uULE2!uigE!)-|>Kj%uBk$f)n<SpL0F6Av)%RHMShn|pHQ
z#@^{Qz|J>3W$ksOttWn4%Zod|kZ;b%Kb|-ZUo^8NQ+y|6D>3Q7=Lvn>@SIROKVksT
zG_iJncf+x@<-~C${fjY0#lo580EmMjR<A1dqBL{B=^}exo#;5Xk?TDAFLy2NV^yOH
z=WJBs3d@Jz(q8==aQ$MIOS#X@#sU1qc;fuS$4b46xi?X2ZerFS|Ncn1uPnbz5Nj)k
z`yo+y3YFKdN5HN9*^#5dy??#&7<bPCdhavwe9I@YT(KlsoAz6^V7h}o(S42!*|tVG
z6pj4z$WNh*zFubJU&y~6c%5=F&cf$Pdr_gKAt{A9kKsb~O_acfm56OjQ832tR1oGr
zIp150-jzXH1_P%`Gk<j})JGSuBwRQ%pg5ELRVoi~7EDTVd5Cgh{0GUd(e5pHFA5oi
z9@Fq!;$4*DrBl~~S&^mbZt0iEn`AB+a(kxRD--LR_|-&i3tWo%ijh*=HyJ~36P{%*
zgkG2<&v@1eq1@s?&c2Wr3<PF0cii~-8ADHW_1tK=0E(wkC0jG;3h_&(^mZp(Po557
zTr%~;p1t6QdHmrXa_TYu<H!jlg%WILp6xL*_uS|Td$_rF=FU6`2jXzT#YW7vZ<lA*
zxGgKcuo7cpj7B@JQ3d>q2=c=6vC>JN(lPG&k5GY~<qAdKJs|-TstO9CehGKQjzt8|
zRcrJmuUK$HM$*s+e?q;X?aO`~P?;ar>G`KLz2>VZOX%GNidf0dD-v#$U_$j^(PBs*
z(WSCUeu~)JTmny)i9+N=ge{4IZdRMktLeIcog9XXtJ+PPj=4XdAG!!#I{(DRe||eZ
zb626;$>bcfc;3l+{Y_KPsEf2R$m@vQT^KH#7?BCq^?Uf5g%2LykjECe$PgPJ^0n+(
zHv@uq(AEQv@X@U4uitEiBWw<Q8P#ZPhQpl5@!se<j((8NF8$6UVf*+Qi{J-ltOwko
z2XA`+g+4uUKg6{_&Of`^`<S5M?%wk=`u)EnDXz0^SC%eRt4O8QWEXeRTSQ33J5Fp=
ziI1HY#yzpiD;HprzXfQ#`3Xh_^qEitKpUjmkz*%$MZ#j6pOq%$Z$xy1PYGY^=9n>v
zdTeu)fc~rN%R0M_Ry*F-|I&>^F1K6kjp{AtuKjN;0EixB$97tHu)oX*&yTUPAMXkI
z0nyK>yMhCsB-?Y@&yCo4lW&L)r|;c;@e%a;E4*F=M0*Y|Iv=fl`&TdCAHDv6iC!f2
zXU`<nO(j}6A1J89l7$o6BceM(WIJLeJA&vsqN+N=Y&zo3Is)-JBC|U}b$kPm?*bbZ
zy~`%sV>dd2c{`%JI>Nm>;$J-jpgkkPJwqftV@5rLs63;}Ji{zJ<Boh2knj5&@H|3S
zp0h+iCR}IFnfXtlJ5Q;C2ihHa_Q|~e7(C_mQ&$e;X~-!`LQ;}gRJ6ThkWVOleN1EG
zq?u<Vy%~wf2z+{H@4ubgx`>|dv6c??jz#B;#ojasA`Q)Rl`iiYV#Myf1nZKp_e63=
z^#G|UNAtMOFM5JGrSv=l({V<ARvhH^M7M#|w>Nc$9!yzc2OGF3y>uMXy~+dxCcM3D
z9MC5{BL}*rl;IW<B-jeTM6uxz%n@z0=!r_{7Vb|*TvR*Rw{q-d+ln_9Q=c%Mh23Du
z-EPPolygddn2_;u)6181xFqYdh?Gvsj3@RuDaB2AK5O}{=-i9@YV`ei)7G4{5wEFq
zZAs)<{<E(7dJG^a9CRsGSkdYf!a8HoE3k1XIy}+unyPKKxnS@fB5W$V;P&3yZg{K-
zS#AjXv&5rqab{0un<U?s+B(CruD)TPnP%6~x{>@T&cV;5St}-t-*=MJFzu3S%HjU!
ze@Dyzq<t-R_qcVv16Kyy|0D}Aq@}6ZOUhV&CRQpTF0aFs@C1LKgVPqpv*aZxat0A?
zm5hQm$Bh25!r_R=?n!7B1u@TOSlcGpFDQmdtFE&IP7&XYqcw)vl6sGmIK|}r*bxba
z21f~k!Dd259#248OMrh?f*DqVI#2>jRYJU<gWZ~g9%O=AWP+w^K&Ns9)40ZFypG)B
zN+Hu~99B@6py9$SJNl86d<SH;AJuCoLOx97i?z7L&l`pJWM({4>(1lM6gJNoFE!(t
z9x?|ub!)AiTg26e99TbV1*%72T1nFdrmj?4FGmIPFY6oCHE^zNoNqn&z5ZhTttH4o
z-Rg0EG32&~aCNeHG@Gx6SnZcEtt`LXyA0Hg6nv%R)6K4=R~`s&K3k{1$a@g+F7id$
z-3f_~+AGW{uMWYBqAaXAChv^uH7>@cqom!nlJV%!B;$yfmhougqMeDV>J){AKHl|;
zK~ty>S$s#af0l1ALnEw4UbHxdzc+h9dOtQ8KysoYx-DahDlAS3V^Pwo6kD#~Ml6|U
zOFdjPzHhj1PK}$B?o?<yM&(x>@Jw+;rO<szudf276(pJA;}}q;XPN=E)Hzc04h*?<
zVHHCm!1G|lxJdi!QHaJ93D**_o|Q3%{b4kOU6&*^TqF$;Mm6O|b*o40b4Dn1hgrK-
z1_JSC=BH%1V5u|)PPmHDW(MUuDBSmI`HsV{Z7I5iU>WyQyC1S0j~RCh&0(8@&<I~d
zxrAUP-_UAt&}%}{H>xgTAJi$j6=7dLQF>EXWpX}x_Oq`)A41oi0BK|};Fh0Vd22*v
zDF3;r|9d*KcD*vTCZB=qe7kf#HR`xshjaC^gzbDM3rXBeHs`tB3heQ_ZtL(iLU~l7
ztsSnSRnU**4eR05-L^+=XPOLy*H)_unc>X`Tr%KP3ndJWS)T#zbxk_`SdUPT+F3&T
zR`{_c%FUUra~!9N5LQeV#aqqk5A$FV0qM_co3;WR@v`px?)(9c9*N(Do&iNa*rgDa
z<NLAhg<O?#mk?cLTa@V4;CD_?U1Ro1+=w6tE%=^{m%!`owK-#Gb6z1#F3sGtd4D+2
zbz&|@8GGJQW*yXbdt7o5ftQC`=XtL4&G;fWm1)h}nq!Bt<N>hH)|y6)ObVDckLwgy
zY);HTDqhSz5qX$Gb<c0_ch9ri{5tPXds`>&Ho?%0y%k$=#XkEpuA6Q?&LeJzkWiDx
zp4DR=q^+ZIt2kZ8?&py`f&IO|9SIQ5;~{*jdRGPKx~Y(c=X0<cqe(Cv8M<=xB6)9!
z1;V5PG;Vmdhes`U@qEGsudzN*iIs*h8pL%`iGFhw)G+3CNYN%mr;xTt(cMN@7Is?F
z@kI9)3Oa;CjGZ@9Kat8#W;J%4!}TZRnz?f?)uuIVtnJ_Sz704GKD~YaQGO$6ncA|h
z?OVgFA>S`yb6nAqhQIdP^4{0^BEV8ZEjX9X4i8HE4@&Ys?U&DYZ<*|<U_Jv;r&!(i
zNnp!&tjCE`E`8dZkk=Lur<S)-V}5ElV+bLP-0Wg$yXyZPEYofO4H><S)-CfJ<lwv7
z*?+9zRBu%Fx!D9s&oRBJ+2@MSiytv~wcxbnBD6k=X3IZy<d=R<FNp*bWgJq`&n<Y@
zY89k@sM#&1dUtjd%z{{xi?%=J@|7L@CHwftoyp0b`TH?TR{8r03TbMrM0M8ZxBDcB
z%$c)~xmtl41hkd@Kjl6vX%)+nW~&$&%LN!K2pKEEB9}6Xt);D7NMp5=)%C_o4~u`g
zJ5@q=EG2KAiWA<K1wbi_4N@1NrYvyLTK+g-ONx4lHNjP+kpIQ9%$9kYB|=Z3B&u3b
zk-4;}i)%$P&6ZEuyikWfPs?Ko-_x8G7e%||7j}v==n}BYGlETEQLVtDPla7}CpXWH
z=8~D&IitH}+H2n+)TUL=`(r_;dSTS|&ynp4)=OH?OWylSoUdQiixu=ch@(mk+zO+l
zB}~C9bJ#1C!Yj4JE7r^__n@+W@l;;_!X%<IQS{ET`joFkRc`KEsZ-9K?g8#fN58y1
zFq^k~imu!IFL>Q;7|~JLi<X}P46;}j-zi(9!7<h|tY20>fl3$~iSHOTOL#Sj_ZY!#
z*js@iHGWi>N`V|TmUWnRfm=Cx_6D(ATf>EMS7unND9F-eafpqRe)`EWeO;N+Ri0mU
zhmA?T$T&>AFNTS18gg->nZr&_XK|*PlR$3Na&=~&ORvbOQ*!cwt*6k{D_fwn?!@9n
zasw&m630d&o7p^ve-~{dnIV$@AZdM(A(MYUX`_iDwCAtNMl?fg&)&ku8AEc<F3UzX
zLv+tU<N5|ecF%s}M!H_yajr&@!QCpSuKsK3q{WWY^TkGOfbS?~^HrzF1HZ;<?^To-
zBIf<z8;syW{3E(=Q2wPw`S;mMlE~!<@>3bNdy;%8B_#-&>d2q-<dxRAE$q2GS;BhL
zg}vsBLe7@u;%qC%+Lo~NEvef)V=x5f#c@nBk~lSsa!WXrC!~umktZ(+u`dzwFCp|V
zNx3h95Xv#oG(!lfkf{UZZ0cr?w3DK=;ToPnwAb~tw-K~A<+OJhmDla-2?}=7b#A6g
z-Yk_6nM;XNr()k-DXSz@B}}NRT3r6{bXxN3wFKI)OS#(>hI1^c@}AV`A<WrBStAEG
zr}ujWV|pd0dWExlrMGy+yL#o{zXTw@q}04b>AmFddnvVo!vUyYF1O2^o9s5+VsELD
zUxRHC8vplcj8*=KZrP^fDC?HB-9>cp9Q78sPDG6{MKHk`^`K-*tn*<V4k_>dIrV(C
z5&FZJSyt0}VX2h02WQHXlC>%3pxT(-Mst$qPxj;{etnc$jgh>K)&|d?113qX8CV6U
zsKuOJ%(~|pWWSpYwo>+ZPkM7;l~%5E&Jj3P$B<dA<MLtaUmni(ae8~_@UG3K+zZd&
zqJ%dYRD1_Gv(G~ocv?FnJ`FU<8B^2}&VLx(TC3g(Ol7mzCM@wvnR7j-j<WbK><pSR
zmd_8FvbooOOQ_c`=sz^%AJiC%(`k(jq&2ZXa}N<dG){scHFpu%+DM+QMbg_IP>;4d
zAa{jEe$MjH{P=YL!vy-&4-XwSlFmrV!AB0mG?LHwUK*Zi<f@4&J3`XnRE;J%G7WUy
zByb<f-9?_f2T*Y1N-Doq$#CHO&kT5xdvLz`zf+<1#-H4~58s)(D;sx;;l_`TzcP-j
z?U+88n+FXqcYo98q9t~^w`0AO1#_nNaU8Tpj}sSVXS)z6gJSlO3p0m^6j-DEbIcPB
z38rcLfm!lzPHbIIgO*7DOlQkFh76>gWgWv0QTvFd=|0G_6yJK;`krL1z*0=p%Sx28
zw(`>w|Dw{<^^0mN1dTR#KZ#m?yNO?jvJ9oxj_ylnMfK;lqx&FTR|q<4?s;;ygofRp
zi^C3K!~XGM%p>+@=2HG7d&~r@zkrFRP((LOB&Q)=pIMt`$gfA%uWcQK=#u+HckFeu
zGKYvpS%f#dBgrW}7ia(7AAF0n-=<UTZQLdM3HsO#HhGZ%t-64h!b8H{h?5t3i_A#3
zQzJ<6Sm0)5;eBtm5Sm<06j>%AmoVuU1pki@F)zr`9C(F={XOIoDo3bc$3H2<+^Wz=
z@}j!GDVhh&7Lha@5g~wE2*ZeX==NF9?V;Y9L9b|=MaWa?d_yL>Bk0ZqiqjSz=6)m2
zk#fb1*UWySREL5-w22-d)=2Ww{C!zB+?P}_mbtnc`YyJ21=53)M>K9J{{$(U7cxIH
z_u@Wj$NUe5#Q0;Pr)d7<5BkIo5K*LU$*0Uely^najoqQtQiNlR!o3NlE5uh%16{k9
zw8&^7T{7G(@(7Yz=2)vF(zNzcwpQsluDz_ec1oPRNE?a$Yz!&lS_*kf6|%(k2eyXs
z2=YCixnfH6q{uU=<m@Ral3FTxt6SpK_OEXx((!D2+eKFLe#PjI0`d-U#KG;zmJ+Hc
znM1x(tl1)Cq_vFG)=?zc?O<$OG@<x=VRJd9_)d{{63*FhV`TOS(>9eP`R(&;eHB6A
zdtr+~r95zvud&}bB$dTBHMN(PgqVT*mOxc>3ORxl49>(f7FT8MO;ha=HX$uwvL&}F
z^1-lt0j8YqPYljrbryLgtxbIG;btK<AiO2}BGmHmbP>B8-4YvtlI&((b1QcY&z|~1
zXDQxk<c8c?HuAjCChhv1izFFv<7+;^lOMV$lAktYLw8T$;1rz`+4NgqKoF+`N?O^l
z!r2WG6xmH%Hlw=-wQ`!w3vU9~=VOGafJc@VtT=i@xg~nj<Syv$k#3x<bE2E<FRhuu
zd3*MA?o)i-beELAvs0t5d-n6lQ{X<-mmC*n-}lIX@m3B^Xud<fa<5tP$5fZj>pQlC
z0HDEK;9hS@@Dw4!_eXvL;|HVi_N!y2CM+^J5jm_!_*{zq?>suXM4cj=Zk-FDem9`v
zF;Wv;8Tsk48t~wlecw@U6UJ-s=a4+G>V$p~qHTDqfU*(BeYod@zX|(sc<XEUq48n3
z=L@jN-e_(@ybS#qqyyd`+av?>qt3(ySwnA1+Iv8BtT2Mn-svC4x4Z5@=M$n*ijVIa
z=^rM0yjb!im*ny^i9oj0_B*x~vC_FcG;R^P=qg1#sejmZ)QQf`sM_`Mi)ogFy+RuW
zysvN<B#E!hWnzSL?l--0Rv-wFiC_@~ljbNL55}NNOd%Ol*gJb}fYv$DG5*x@K|BK!
z>W`E$&rUJY$77X9zT!!W+mzZN+J`=uaLA%#2H26gEi}1;SBea2WGSX>!W5?Ba9{{Q
zFySE3?T432PzMOV_WIca1l2A8eRm82t2!5sR$3ZQE+<VSn~^4v$VB5yYef4Z7xWDj
z3JHHA3p+BefhJc{NAdT`OJM-SMruTfo61CYPd=sK3+uelMm{AE0eiQgG!VoV77}VD
z2OGVhiT1s$f#QeszLaLxNP0cKJhjocEU5t*wuTTjOE^<QjiSuNSiOAn^m^E75+l|u
z^o~_}OF~$kc^~RAd--Uo)x0z@EjMUw>4Dnj%8)H9Nm%bWf#YaGY}4&QrbSE>ImH<E
zE8`ro?8Tc>JW9hP`{Zqm$ku{I^7S-@bW3j@(L$3Gx#}<HS=FH2=IM|urn5MWW+&NZ
z$m<QWMKTX`p;Bn%ol`|45K`PH?ZWCIpGO5Xib*cgwNDUA*Gan|^aN&~2ZCzFpch|D
zAqcbLJZyP(D^6n4OQW58Maw65M}KFZ{n5w8x>=L71Sekv-Y1i##wF+DKCj(bfnk{R
z6%H#$y<^hH9-b3f!Z!>1G>dzai&EXhEzVF<2%ud-Uf8J=#CuR#86@Mf4)KaxWU*yX
zY+Lbc6c6*=%*;Jg5`2$v&tqW2X^`rMcWD?8!Q9g;rIS~$M!Uk*vvV>`_E<SFPe$Ju
z>Jo0t)?FppmhW8rH^OjZKfgtZ{1EA$eaYzwl<MXM)sKgxb5)!r`%nBEbybDo9P*ZO
z$Qo!T+a~i`!RY6|A^d6|HDSbKhydI0wM=&zsD&m@aoAfzkd@-P!(;XYtCYMK^Xl9C
zOv*s~UQe+gPHpyQGBz?(5TPM<$j;TZ!~gfHxZzgU>e<^;hr~Nh?#aS>^kS`0hF8TM
zY#${5+;p5~JyW7n)sbLdbZFd}n<aaqV9ij(Yl8Jb+u4<6b4*}8Q~X%Y9o}1e7-m{4
zu@=@^URtC|&AUjW*0fNOqIbMhxppi!vFl>Koa91yz{OK%{jD>=2~AI_g+)(}JCmVS
zJC&hKS1w({PC`S8p@6QEql}J5V<A;-V?iyY>bSD<;@Em(*~NAF!G-=nyR+3=vNO(!
zKu@CuT~DziueNSI)Be|{4Cl`aX-*aUBD|`H!fficMR_&v#fucG<A+L<6NU*o7mZ~t
z7tRCr&aPA2&hT5FEmc>fEm_at%Nm~a%c5?{M>RdUN7e1J*D8hrNot}+GBu5bq7=pB
z`O2ze?g=ih+EY}oJeIt?I<FM{U(E~fYVnIzDGXjMr#N1@EK+qEJ#r38lnZ!jb#vK2
ztLC!RG#0y3P(g%dc3yRr$G#IhAirglmw-kFUnTYwf#PaOB6Y-~c<Qr7NwvWflL;sg
zP)#&niKAGtQu|nSLIPy9Ob)^^GkK}DR(Z*3g!R>D$MF?jOX)4o%IPh(l`v437dB9S
zD5|Uc{;Q7Wb#X-vet|Ou;yAl9^jK#i5M;MJ03tXbeyO!aeaUlT@-=9oCMduc5mcg=
z5d4W$LR9g+jEL@NLGkC=ykhFzu|?(m$<YJ^2!6Q$BzqwIl6uPY(sGOPF5$}cuI`!P
zSH=_MSH~yfuS6j2|C6vpup+KdkS>1S;HTuGL8`^ELnZpj)kKp^@hLfvjAvY&dam3k
z_3UCprRp))!8aa#SK8cPZz4Ks?u#4;8tb*4;cnDqR%NGt>m@OTTb0n3@hn*nm4wB<
z6WHr@UJ*#tCMUm6jd+x;iu}v-e)-dGff$#YKn^A0A4OhqA61}*&!4kY&d{j{R%N1d
z1MXCx>88j`#*knbVH>&Qwsv<)|L+#af0;i!-Q)%z>C@+VUbX{DFw=xGgT$oX<gp=R
z=Zb7_g-w0)ni11^Qv1XL-n589#IIP0;Q4fvkn&;wbn~TEiRrx=<ikNZH&#%lX5l4k
z3AwD%R!INM7|Wg$@>!X`9ESO5$*@um>zNg7in&ASfl?l8U^94SBl_a$-o-EW;SG74
z=(g}bm=26J;V+xnc^pEjZszL<)7;JhtwK5vsOv}<YqM6+E~fqkxpSHC;cj4`Y4Voq
zh+At7R>&Yz=tceG=^3fl0zqC*f`EeaHy7-Y+o?qt{1N9KuH1l%^92{&L#IQy-0)}J
zIyo#unl2u_u$G(-*%c%HSN<(xO2#c}N~|q%N}?^&ZOKkGIpt2ojShjl%ijtQj-9gI
zsxECAtuFBy94>VkZZ7#5gf4v<+n|7qB+#!6V^Bhd3Mc|wGCrz8Dt`C#sxtWmHpg_f
zv}~wLPBHpKY&POVWH#zVVs@90m!&5l`rHx}l~E3=%)kcW*519ffS~Lf(-$_3c@}w%
zI~Tf)I~Tn@#uUVfcA0red`T%Od}%2Oe8Z0T{E2)6)6a83sU90AHr=~EiZAMN&@aMr
zYA?!i6fe?p>@VVS3NLDMdM}7Oo*xn~5Q1yr$BZ|Zb34X73xdW^Ik4BmM6yK@1d>Ih
zxZW7C3~qd}ByO;=p{wV9Y;mi?Y=nDF&~uQ+(2D@bMyxsF26QX5hAk`Y8>%^%y@z>(
zu`yR!*61rsw|{@PN!Zd?OW4|0Q`wMj8>tpW_T1(Rjnn6ijWy=>jMEq0_LAlv_MjFN
zj%O5vy^D}}2`=dDu`j}R&*fa$M(Xe8r1#9{pZC-k#rOWqQD{!+%ce)`C~8D)2x&y>
z2(LtJD6E)3c#~~~Oxr@*qPGRxL%Zsn*aP2m5MyXB*<(pKIAdwt=nzr5f}tX}6p|yn
zg%=~dMJFS9#V3ovU-@bxaL+}XDNpMa7kBp<7JwOJhj-*-=#L>hz*#FXV4bBYkkJYQ
zm~Q0)?6R^2u2|v&XDz{j@s=_`MJr|?vL!$8(UOeK{I2PzBOm#{_ur#rH+(>%6DV6#
z{}P@0)c4%W0s9BVPUP3Mz7ten{xJ}ke*$}h$WI|qXOkoqF_qcZ9QxE9pCo}PNM1vH
z3GW+J_JXIBMNDq)@QXVkdAe^tpJeFHQcB4mjlEvC%>N@wF!7VcGB9nk>yBuOf(H8Q
z+lro&xV9)Wib4-Rn98INSM$}ynxW_L7EAjEj$@fynh};8KQ@P}XOcl*1}Z7DjhLmh
zf2Xb|TWuc}*-wycNQi|$qg4nUNr`jCnCtI>TtgF-3{Nx`@w~jHs7sN|w3CzMX1Vd`
zLG;^)l!V|#w)Lc;%HDrKd5Bo!b_qq)a8E)9Afba*9@{N~Mk)^W+8(T5`#;$!nOhLU
ziJAN(ty~e@AYh?jAgMG64uZ7pttFRbTenr?0bk0IZH!zq&rEI6G6S-7(QNsfOTI$*
zqMqim1co+3x+S{=T^Oo(xWfQ*?JGqbb|<keTjwu$CWLa23ngPWHC|eTfN_8FQ=5NZ
zeX#NS*K~bkVx)975S=w*bH?@;CF98G?}DCOap(!-)fr2ZU!-IJG}Fd8<s|UNfKE;B
z)fP@B>h?e8GVLB$hEgz5tG}sx0!f@8Oo#wc6R28%uV_MDfH}Yg;QJMjhVaP>Kma=g
zAb>-CLEsC1U-*hY10VZ}LHnv7VL~(j1r9@Em(_e^HTnOp1l)RT&l}Iy+~|3uuTJ{_
zzaeOTF+zS%byiZ#4gLGGCnzCJyCNQ?Q>BjBmMUarDIJ9wh4k!HF~SRSK9dJVONGRy
z`BJDgiwAbCO(ZTefmNM|WW^$(i|k*+ksY1CN$06Sgll|Nl>><%DLE))sIe1VnvSHS
z{7ta}u40!5#){rmd=^Ak3{9u}wa4hou4d!<(;cMnDI(F#qNbt8t}ff6@nLou;v>qg
zp+oX1a<OFLRZLU>h*Fbg|EU<e^gjf0fA~Vp)SsgFOJX%k!dr86z9Ax<AQ^v=UB{Bj
zLT&3`=GJ5wTIIPfa`C^8WeAoKdlvGQe&|+ImZ#yCD<aIZnqY%r1Lmr_mJii8T06c{
z-gRT=Zh9-e?e8Yt^ll&GPhsx8@gF<9`LXzi91haIBCNGfMynrcOgZmeSYmh{8O?Z)
zJjW~+U?L;tUjqYL&X0H)pXCWL*%o5GkQvN*k5KOtI+5yz{Nkr9$ih2f-6b9F(jcSC
zOH+ZA!GBj}+?+GZe5l~P1wOL*Xf2EJ*mIuba7j>^U$}7U)82KDDEh{Wf+RXo_fyUm
z^QFniNhNYv!EDxMUG;DOR{%J}U`{vMF)Mj~wP}C8-;Ix@usF{2-~^=E;GPu~NS2Ti
zi{WATR&6Hu_$&oywzS_hY0fn%#LwQ|Ar1z(sM)dJXsv0mn_c>E|Kz`A;<IQcp?Xrh
z&Jj6vxbzsK2RfDKnBovTjl79ha*#(s)9R2k;Vt@OSZXPAkF*g+^y;v<K53hyt0YDt
zOARbZxODX%3g>f#fOuLlM{c6?PtPoLA*g-L5rNu0L9+GjI2vg?r;H(5q}{CsFjJ;D
zv-5pgg9gUE!-m)<z5_<%(eyIz|4Vmh$U~1($$b!0`pxzS7}Mn=UOjZnHp-hkMY~q5
za=Mrc8ODtKT&!S1Fxoz;(M?vvHw{Z14E$k2q>-rcA_-zGB5yg7L)bIppb9`3X^8RF
zJ)pOqpp|i5M;8WL)C~7&<WEi>p#I(v9o;>&=?t%&`6nb{kX#)Yk?kWE=Sfi^Z(*EZ
zBJj=ckukm<0v|bLl(+-=GS(t|%(eW==#YIAmw*|m2k+#C`aYH+_RM4m@602|JtqAs
zWF+Hi$RA;e{nw%)3c&Cm5$_(8`Bd2CDylmkaMjUcfy(20uRj_KnUK$9BnF4Kan@%L
z>;2%;sYXDccqW`*un~t{pp)=Opyk-1;1Hq~8sgSk%VEsHP_vgzr+%iqJHBEP=*q<m
zcBQ~D+NIiibQ0h@Qx4qY%}2!co_V{AM)~}<&#2J9oqlMPKe=aLH*$}8qlf6>MnAB=
z(!mVI-cjM#R-Mlgp*dvzz$7ChA&u<pVA0-}oRFlvF!<Vq9%0p(=}Yc1RxwBS2#y-9
zIZY_ReCa0~3Pc8H%@{Uros-OlGa-aBXNn#^H^T7Uv0@6&5b*N&pk@k8!ad{DpG86{
z7|n|@f`2W44#&?w%y^t?KZ;%xA+qblSXw<2hwyY8erSwzH8_b}G4?O=bGU!*Vvcxz
zH}0N&v+z^uihsFNjd2ywd7MPj^;au$c$oCPyHaI33h(j9{gkcl<7|o#LE^^T`$W&^
z|M9&kRAAkOro3Tx2kL)ql^&-)DWDvNG|qan@Yn`We;WYA$Y6&V{ht#_A7Sv?_^a@0
zzti;nFwXn$Sa+|#7dR^&H0nDtEH@@S1mkxO1$&TSDaMjZj9m9xhsWG!it@r7dWIHv
z#Ie7^ScN5yM?*c(spylUsF19_9=+j{y`<R8)O=s$Oh-m|@b}O}WJg^{P*z-GBquKx
z^2Z~8QE>qkQ<D?Q{99sz>O9M}vC;m&kvBnAIBOmW%I$MqzT?jcYO7<|scL*NkU!PG
zpUnu}nyXwL^PkBoN{h@aH|9rs!k-Qj(xQrn<_E-uMCeYmJmB!Ws9XLxm;`~LvG5LW
z7E(yCfRMniXk+3?<__%Sp$u}UBy6#Q0Y7*l6os75)p7is&8O?#uB%9qgT38@?9zrr
z>Ys130Dj0-Oh{#H0Rmo=jX!vJ4gY7BP(0VO-8k%fVvyD2?3Cv0aa8NX3{&F@sUkjV
z#gr)^95F&|m3D{gM^vT`^*RnQ$_RD+y6F*fwXkJ;E%IX|(08XP2y3jv04Dfa-|KfK
zVeO#6i86gNIIrh9^lg59aM}4~CRT*M0K#1{mXE(xsI^Dz&O(*3qbRnDGHmSc8H1}q
ztrL0D@<$Gs&7D+m=ROB2-+G7!A}k}UjEhC``l{LcIiz<c`4==OFQ0qx=be|ps~sI9
zEQX*fLF>Q{f0ca=njgu2i?52TCyd_DoU#%<rgAhs>EnaW`huB0ZrD`GJFpf&z0%)I
znL*3fx}{2VpaJqsQswrzM;7sKRFEX-Ulj~8A)lE>-RSaRE-|8ph-D@<u&5Ua*`4XJ
zaHI+$Z}@OQnm6fCn(QF12<M1WRu<s6?H0$VaxX!!@>&>Y$H>xpxZ8!kve<)M9U!f}
zGy`$?wosxszM9IS@3tCd!m_<+>SL@7_wVJU0B<C)<E^?LZfe&6kq=slHKFO-jbO%I
z2xK6Rs7@ejNFts9!a04Ao`jcCvfNMlOiRJ@K`o{xvjjQYuP%eHVS-7nhYNQ^jqg9d
zIj0YNMte?MLeMZv@>HyVoJp5a(B^d9cG+W%n9QL_7T-GeA*Pb755g);h?M7o+>=E$
z$m*EH5D|R0h+x=7hZzLK?6gF$9QF#N6PC8~ig^j+t-~|){DQz;2X6fF*8IGH{hYn<
z6})l9%6XS~eaBdl3iAI{`VD6M()=4<Fi9#HpBi$E_-I1aF+Pg>p8v@Kv16H~cAvlt
z7A|GJA2P>CDS#7~{g(sJ5dQ%7E|!0gWtt-_MB!LbBx3s{={^o2xw1GiyzrYvLM`SV
zLLpNCn!6&_#s1}G9!nTw?^9tFKawYet_+VZ&!%U9FNy-tFF*5Y+uzUNkPP)LUl96P
z3S8@>@@z*msF@|YC+!7wZ6U5u@kG$7Bwo5Tk=q1jCDXfOT+noqXF?RbxlnNJ5NRxJ
z-?ujJ&@+!wBd`<hzE+C9Um8@VnU|D}t@?stGBLB)`$hrlV}RP<B;!rzg1KMST_+Gx
z&5k;y@rsFa8dLQdadxe?eH)Jw>%u(2a~gMkz~}xf69DsxW1dI;U<Ufp8=Y&4^Snnx
zej@-(tLi==BEdZ|PVr1SXOf$ZF$y#K`bojLYPx1*wT7b&7udSmn#*tBK05O~Tabct
z(}K^7Kie-Sn{O9S8Dn0E@h*bVgz?BTg2z1Xkb&_@9N(;&X^iD1ttH0yL70Ix*25W`
zYg$kLI+|<3vY*o_|2mdB%JNsb=TJ&p`W@dtc+@ePPcBZ+0nS3|!a)7Q8^3=2nY#qe
zH?m0DbsRGSo1$y#70)3opQbTfn(zM7fU=HBct4W#1>}$f34$%T#@IDR-v9K&U!5~a
zr2}H23;{wbGbOo3z(grsNxaL;b;q*ZOD{HET!zH<_OOR3c!$2rPZ!e=yBXLb_o7F!
z>->g%NLZjE<m0G68o3x0B0|Fe4f64;SisH@*`;Z~7a!U7lH{HgaV%VChEcjVX$0?k
zGBF8@rC|i-P%e$|rq+9ojWFYpJGZ0)yfTQnAIi<QApok=V^A)=cVQStF``FT6wkaX
zNet=MfS)Snj-9)%%50xb8Q&?EVD)_9v2`1#)Z!a=5fk7SURktVSq{UwF`nKNlo8QJ
z>xxNrW9x-xe4=X3y#I|=^|K4MdkL~+HIB{NBv8RA@3ngrCo|6?)|~csnlR3l+lq^o
zGr(2&C=9%r_|g%VB7)H=bF_HB?O1q;r<Cz#o{vfb;-fCICW6_@*P1@>Xq;w8?)#LO
zBHVJTC3~OJ*{m^xKpbvb&H+oEwDKV5QiThfGi*I7FkMU45Bm!9@Rt*VfX0dZz4lVY
z$m9A3SD%95=_p!Z2;oP82BL}9gcFi84!c#(go2NQ_KaZ8GGAKg4-2|*?s2m`^ui#*
zrDBTM$RB3xyxcQdwRc(A><Gk1e|F^#Sd6VUBDyxFe~yY(U*SjdxScHeL!F{ABrzcY
zs4sNat-9U(+Pk{g*c3idPrhAbN{M=x)-pQPKkZ$1U;jC(+fmT09g~E*))T9iLTe~A
z7Wc(^7sk<pjKIt_O#1d+I!U57BXc;PHH0<uNg^O)oDYiWsN^xFVCI1IpTTnkcb&OW
z{HGw=U&1!ZOD`z?c7f#(A3XE+XTrOU#@P$X((A1mVz15jsCI9E$3F{ptCPJugnXmj
zNcoGwJn?Vwae`>S`jYE@8Yz~|fY!XHPB#S@wu}Bu9zn)11!wAJuC>fM=<mO6PxzJ{
zz4Dy@?MEV1RYaJDn8H`a2-{^W({B22^?SkbC#=P8!(MZvb$Z9#u3I`Uv%?+9?1iDJ
zwGrRbjQecDiQBZ}Zm(%-w_i5Xxo3)9<!~nYghf$fYQ*|{L_V{QM#7lmVV|MV?4#Q<
zq97w~t3A?1i#VVYJ7Rp50iI!0nMtFZTq0<-UI|6C0cWkT+YX2_bg1)Vk`V*)@f(lv
zuWCcBb7<yJeCmiBE*d&M19ek!4l*6}X4+B{!Mus6nh_l>AoRL1OQ9JB_;KX$(+|2e
z%$r6P`u^>b4bq@zu83%l2ul=$k-)<8$X4u#6V2EyuBa*xST{zxf8ye7;)*ffyi@uj
zcN*c?nNgyFsN;=Mi2VquPR2ZL`xHqxdg`9!GZU5n#35gW`zn2J`V_s?tABjGB72QI
z$k~4Fuzh)}ivb3SOo8)37QH8cXK^)EhB1Nt`_A^rw4w>(8H1%U*ct8HIKGah2F573
z^^cE9jPM+j-lVprhA<x)hzZTz1e?6M)*q2ff7CuwX=WOTFv0xC3*$&csvW~yG|Y{1
zDybXGjfq}0`NKKbjZBrgg78oO=^2D^<BeR`G$7w`d<#hsc81Yv<0`8Gj&)v;&4_#B
zpB`t3W-GL~`4+?9xkHb&A2E7cE_%NZaq{&6PPVkuJiv;*zPW6Sy}ZYmO1i~FRgcLv
z9{f7cY#?Zh9n_V|;;_TDY`gx|zGj~J$b8St%4$NyD(XhWYVr|}Q~B1LXi6a<?d9~~
zuV5EHT5+`fy6XemSSSjk>|Jq0jJuWy%}z{6Uw}-^<^qC%nJlP+A!}u^u_bN{OlV>8
z#?(Uj*nmz%+%|44coY7|q<+2At&u4Ex@6<GZdl9Ze88&SffOoVZzVoLs;c5uPd!(H
zV4f-ZWN;cycsikNx|THUTeu%5n|=)vKjmJTQRF)Xoe<H_%v8?4t_PpOzC}T!wv>X$
z<GX&-tp7a@I42Guz{9RL4Hj2-9+c<UG!6c3mMB{EHx(8r5;*?|ARnd9{4o<@FXs$L
zWiEEuHE{OLVaN^`uF>~A<gi`vCe(kIoScglT>^g^yOe6f*>jgGgqo7eQ4ge!SvVd;
z0=*N<^ixSeBqv37(hLoDRgFQ{yTlGg1YriLL8^<1QxKJS7!V9fGG95XlGgl-4ppeY
zY+4=$1yAe}GOuXkCqf-YW0i$>dV3@1<8Sr3zmdC!%4@72NXHL%)b*LLQT=_rrSG6r
zqfOy48-OT^Yw1%)yC=mEJ)jNu0`KsXMY<+2G?7mMLo8v>EP>0#lo{uQllvYm%_(FL
z=|j;Udow@r458(DDpKM^st$XZm<7cn!YS8=7)B=_@6tNG$;$3|HE%1xj2c7H8J}j~
z%}GEo=|-HOvDl8qRtud9&wFb~Rfs@=C-;uazQt0i>)^kQr(MPne@|03n=4qNq@jOb
zS<zLh^PO?WZ$ms}Jo9PAu@vHBqd)RR>$_NDJ9CW<ghrL<>fD$;vGg^p{;s%3-iV^Q
ze_LnN{!(gko#1n1@)*~nWL6#Wn}2@SE}I*!p!oX*(FcG^kH6vrxOFIA-x2Y^FPH6)
zBCgy6w8l_~CG*h}q>lI&`ptlAv5zfxTAuM9aR;Reva`vKOy+5-!g1Ssg%J%)&O&Jq
z{UhWOf$(uLu1Zk4nM{<-TB&JzHEyqF`)4U3lXeXCE1<C!h4R-5oHAT<P&mx&;^b;?
zclAedXW<7P>x%t=^u6Rr$FZ{`L+k=Cm&U8Y6GIZcOV7KF{~%-V=WOAh^&hRVSgcv2
zFw!)tQO0|1*S>!TcZhfhvq7#BO=|}uo9#_i&Ah3{xFc5@-s{Nc3b-#*zqu7$%yn|q
z8;!PZ4NV3WIL<qRnhS`fv(!yj)bB@Rjw&4C1|!)96&V-%dOqQ+9($Zo|Gje9>#L?a
z9!(Qfy*#vmrDL{SQb$>l8Ao6R%Xk0!$Ekq(mIu9)ECkQnC<r0bjsRl#$4ZM6;jp^X
zb1VFh(?&yT-}-v5P*aJveF$|Hkj@Z^K)-;)EOU1bGD#y42p{g}P9yY=Yh6-K8|Wyw
z%l$rKT@v^@YT|q2VSw-$1knQb_jLe%>B{Kjn@GV=j3ozLzRs3)<~DldLAaHM<YZee
z*HZO=Y}NY}MkLf)a@~@_abPbs288vR_~{@lz-vqyHD|gb_OI=yl$mUq(^)`P8j*d_
z+iwz7Ot%D*UqOMxAU@RE8W`<+C)G@!Z`-oQjd73SG<?h6ZVs}O+f6+^7LP5>=e!%)
z70u5_4_EnjZE88U=lsdgmwDsn7MB7{p0m|HlxwUyogR-{Sh7w0(oGCv!h)REVi3Hy
zkm;GQx(Tq|<~??7d^J%`n0NJm&W1Fi;e(Udm^3u`-eMvfXilRT+v;?4en5VNJZ@<x
zvgabHC_?4(QHN7ja*_U99fQKhU;7Iahg|Sotp6lUeKmA3u~ZvUox^T8P|=*2s>Eh#
zj~LnXB-WZmS(m<66))xWXnb@8o;6iWZFRM_qMIqz24jm)Cr9C7COtCh;CZ{avz5!7
zar#I6Pgg?StP>|w74@^2=|H(y_rMXth=gZ5_J;(-Sq_D9(ipz1<7&ADsA%1F-bZAY
zoA(xaBxy2ZK(^~k_{97+XzVhb@49&r9)gSv0^Tt2;bvi|Tk)Mt!Uks6-8FSX$}f?)
zPalGp`plI?$`P_I*+9CO7-I?W4NOjC!$v}w%&Yort&LT7oJ)4)C&x4kGk!@VzoY19
z?(Hv+>K>bPsuX*^!*mLg1{+!p0lJGg<km4gTd~_|38zBFZQr5HSwbl`3krh_hkA?C
zB6_`wDItMPhFIvLX&Q#1rq*WGZ50`IL@Z;kcYs_9qHRBM$wWM*%dy=81foy<p|Y!X
zC^|gsF=X#M>RWick{y+z{wtIZ4=nRG#14+;=M2v+rt5~~;X)rWUy2U%UiQxtYAKcZ
z^k0LPp0$d)heNt-S&GjL6t9Olk@F=qKGMF%M%A(V>mzVa9QT>3vPH0eTOI`eVnQJ>
zEOo_(>$NHQq5RGokK0aYJel=>p7C@DXsHLA-K;SPVtf3kT|BrwVc>(Jz)8-AzgRdO
zqvsV&r^0)?M{CTteX>bR#Dj@{Tc-^|ak7=@0&9~xYeNn5n}KLcv(wKW?&qbPmE*xB
z_?|tg-s|$nT56le1Ha!u08qc8<Ew1Co6q&o_07LM2Ji0QPZ*1rK}UO2-TCz#2ha9k
z?Z#n)DDJ32iOy<SCps<5(Y;(LgR|sQf3O4#Y$iSC^QsqdE(F%x8m>U^xP6wZ2H?S5
zVRzoy5q0}7U|wtL2007n4Q$O~I3-Fcc$B^<-}5uV(ax8n`Jjq~IsEmvc`ke0{mWs5
z<`|0W_%<r&yAr{B-r`YonYbZ%r}4J8QWj2bMg8t|KV`r^o%Q#GNSjgMC;x^>?^<Jr
zK=w1Fu4QOD>RUOM67IZYP!!-dER1l@-|XwJSk$MB(=x|drjO-uBX$ooWvQ^Ydzv>z
z#{_ei3a`R={J)|P^y6y@v**vdl3#yqY%fEq|0VHHFhwjnBGL0s@v%4MX>9CQr1byg
znn~V}+Q>%EPN~}eZ(t~D$OC7gz01mSS8$s%6T71xYvb9Jm_5bP%5UiMxnrM0);K8A
zE#xkk9#MV<!Z-7>wLBJGG_T&lK&kUu>OOq9-sJ~=x8@Q25FVOxO>K<uc7tlZSS)qq
zWx10ps&y@*E>2@VvAyi=_mCJF5nNBY3i_dG`N|-Pxe~p?hWWIiv8arZ?n)_~L{zO%
zi-5+p5{#BcS%!`F6#S_9d*}3%)r=H^Y3N}+?^m9eJH1>z;o-~(SCxF9oqi>i^K8b)
z99%g9K_AOE!;^Foh?{)#`lHtfe$K6mi;bPSsn^2#d%a5g!PHJ>|6<N%Hm;3CJUG{9
zmVvyR20hf!^kFND#!oT#$Nz_|w+ySJ>4HTA1b24`?jGENySoQ>cMtCF?jZzscXxv8
z#x`u+T{f5ZJI}el&iwD0UfosQHET`RL<O)h%hzq54L#ZY+9HfQ;q1nCst$e-!ZKO`
zNd8)tH~Y=jvJ42a3!evIC*w$`NsU?9%-Vj}UO+%m1-VCrXuxUyo<z6E3Rb;uRxO&i
zxkSVrGQd<|>LgE}+%YRsv82O2g9E-y&d_YugTw>rF?g<OY|})g`4q8)n*v>QK~ioX
zI7cLs<a~8d2gWYu025vvnz_ije^C;Fg?iK~wx}gKGMR#S)mGI6D0EV<3#zmI%WsBM
z(rPCl``3pdxuRH}+nP&vTKjj!`VTMepn|F?TDwJn@IZY@Vus5>PqZOO?8+_ng<hIF
z#3ow`vs=b;iw|-Q%}r`g9@0yK##o1p@-AJ=5nA@Q7Q_i0HAiq57##llqNQ+(D_k@U
zlje%UqAGfk2KF=yALM4N*sW6F%~@@J75HNtgW!kSQGmMIBNxLIS{N0O8!P>X@iVN}
zzc#MWMhg76)7LMxavQe;m8Iv;5I$beBrcqh?^kNr9Fj1|Qsi887_)3fZVr7DnHeIv
zoyJRTgr_0j)+3$wtaAU^P;&scw%4hn>(!GHDW85&8{*A8&F6a(x%yB%_s4RN^XZ$s
zCatyK?I26AZ70bd+_npvo-;uykXi3^0=$?>7_M+E)xMMaGH(9RlMC$Z(?;#o3z<$!
zAL08A7`*|zIR51(93WM3(V=1iVcka)B|K$H(<f0skcO0hln;Yc)N|kz?BgWOH>Sq$
zO!!3v!dJJZd~<gpDEIMY@|Qw?uGUYcuZFt(ymR@>3qTJU@(`F0uuyqtSM&s#s@%s>
zwmf_b?UD8;_&3&QjnnF`IT-$`W9B4cIxm_s$6~|L-cdh!psl8cMB=4!P|>4KnXD*9
zPREqKLZUla!ZPU1xEknrzGx<=1eJCd3RTWk)d!_`Uu(xEvCH*CI-LDt#0QXsmj3x|
zTA7ur>-Xi&H;o+k@RpWVRreKe#_=WGKN8Gr3ySDsA?q3KsicW`yQW)wL;#N|T@t=r
z`0i->(c{)_c%|odW5P=*-%aCerSRL~zs~zj2zTsvD5rK6Tl?7tDkPpw`C;*NNpoCg
zcy}#^=SjoPFk^vW*RBkLt_Pv~GK&-B?NWQRSNOY9V(q}Zv<p}yXDRP}@fm1-W}Qpz
z;5w9v)6a^Nbrpb-G<I!p&H^3QTv|;EvS*|W|JEJpM9Pj)@62?#`v!b{(3Hw#q-fb-
z-o=+VW}#Q=w=~<i#7)2gmsJnv=Wlhfd&9Y!r0g~!$&-!LMgY^iE6rEwZy~U^1omp-
zB8t;}6z&@>!lOScToz%mrY8{hn#7;>u^2*L6Z21A^rX!Z+{_ujBbmWrNHeML+&E(q
zf9GuH;TK|)dqJvhtyK2t6Zh%#ZJGXgcxlT8%Z6UDE{!RJKSY3wjKfy9zN*7&5h#`O
zo;T};+>e&-#4+)!&z10nf12Zg%TlUoriK?lSf+G*Zb17Xb5flrB6CJlz4e2hNZ^Tl
z>a*3dl*ZNHLqcaa;|-E!X~b+#<vJ()6%pKq6ZFEZviq4qn-;}XnK|2+o=LmBs<322
zDE!8mv~T4OR(V(U>2q~vcS?e#f$xURo-aTKR2Yep!03sU-)u(q`SO9i*gW-hK2P9_
zmmmie$7;_Mlx4T`9WP0se~qMLsa9X5l#A@Ubxc{e+<Q1LLm>4|A~KOhL}Q#52OMD|
zk%$-to_DYtNw6~nmW>7PI%~By|2X=c$c)%Tg*w|m8crExm8e?~M-b-1M86f8c4Vmp
zSMCG!&2-QYhsCU@SXhdvLMf}O)ibb}Z`I{bS-iv0%$?nChY@B<{^V=bMx$9Op&hqa
zT}WG!AD&6{hqZK28;eSvD^E-qRd;?m<<nL7D1Z9Tes$DqAN5B+bW#=kO97X-du9^@
zPKBHwx5R1^2SIANBJH)uo*c`g!T}ea9PZ15v0|fKaH|3FTKyU2wx=UpJ{z3&I!{Dd
z5XaxMk%*~+wNSf!fN}TGPW6(tAO6W}*?YvhlQABALc0Quk^D=So}hg?fr^_F)$|<~
za&ag7d}MU}jb^Bgsc@T`kITT@>DSX|AH>+JM<X9WLj$=uxp^-eg#-5wvB(#g+?-Wo
zKy3&#;4TOHBN`BO#X!0D9?1>!1CNSJZ2gOazr#&2Y`W(L5mKzrS$D!k;~;IMGkfRk
z_Iqi=G_q}LHDY1RV8voxn?)C7m{GJ?)>PdS;#P};*9)H$d|~}M{sb3^RFaK3>s8HB
zukf|a*z>(HLdM#cO!Q^+PNSQuPFa+G<NDXLo9bD=aRc962weQ1?j}tgJGS@zy<vgx
z_u(U4`Ht8Q-?$7JY`9QL(AD|p*LnsQKIr=^icFFk*DoOVMzS4hVOO-b6bkMowgd*(
zI2snfQ8}pmUSB5GMp?QiQ<6J-t(r+ns$BTO1D`=pk(op?Z_n$xa=k=zZt?>Qm0v)I
z-iiJ>-e`dDr~{n0-{ND<tizPRhm~H}D}hxzA+B2|8;2{)cfH<)8MN>!p<K6tskzW@
zgfiKql^yn@?6m3jIzQPw<kE*#iDbqpoy}l#c|3TaI&}zU6o0Y@nOl5bfawbrkNC^*
zc$fUvka0%GbdHSri^`LEP>q7`kzlV?fC0UR7H+`(hi4=oeEp6}loGj;v>&01!X77(
zDrz*boKh%6fZ=+7OiRWO$Gdx4k6=OW+pHSs05KDcb`zaCYYiMt-yNj_YXWH~!NkDw
zse^tWxdxv`+7;owN5jzP@i!`r4}Ks^$`fi*ujtD={@Z)i^J5g`3g(1Gq{xd*vc8m=
zdCcHVTbKfu&H52yOQ*K*F@*<!->311R{<9!y9gj*Z;!8vUK}YA{%0{-VoRmK@{pLq
zpTweG0^2IL=a;v_sCMEeHZc*cf|XsDC!(_9S7lCD2LX;`B;StS2TqT-EnWcv{bRTF
z(+80<a<lJFj!Hj7v<AA}lh9ps<HdHncL(Yh_P)hc!*vcvJK?zt5|3$DRgCfgA-IOt
zChYj7`6z)%?E;&5P!7|Q8BO@RE^g3EF_&jf2`u15#ecmzU2Y%mi}hY7wV>l_?m7MI
z_88bOyZze&$L3gH6(gis=gNO9yK2HW0ykLu;#5MSsc}x1%oybOE|~Q~>7x>;q)Oyn
ztEQg)M$33wBRe?ru{XpX1o_o4A2v=gB=saWXwz^>(V%HbVmPn>vLJe8<Y}uzcW0fi
zLQ{i}4TBc;w0)P2pc?kH!?xSieeH)$SxUeFx??Fv&bRble^X~yfP#?*-mFy&K+@FR
zyk}&cC(Cg<QmFQZZ_fJqhHB?IJ;plzm#0%t%mwJU9Y>}c**o=u^;!l9A2mx}E7uj(
z^^Io*^ZG82{5_Pme8f$1?6zrW<cnrN)M=m2GgRWN;f?{&^W5(k+VFyz%>tImTYWEO
z3=^Y3!Z5=N*;{6h4M-O?`)yYC^G<VzOmWuvi6HCbtzPLsIB$swOF|d>C<cb5g|P&9
zL-S*Ww>CQe@|RCImA>_cyrs71YCFmpI%*q=?)n55;7g2iPX56Gj>Q<oW(xWtSJt^R
zZ3xCt*z&C6R625<(3%hn`K`=*;d5Dc6niXT6@Kh!4+^o{7<IK)-<`OHZZb#_cZ+QW
zNM)fWlR38HNnwpznK_xYbs~n#EWESqy!VE`)Ej7d`JUjMANybyi02n_XFeg_R1M{f
zA&wcy<A(di3$3IE;CLHM(1Z(6UE7awj=&$hWoA>GH-N1F$OiO1@C=FZ4PizXLo!Vl
zXrP!r@_K28F(@iv1lCXb$||fox&7GEev~|$ap;^rCv9S>RX$aIJwLD}p}A|%?cZez
zA<?M~Kle=*#?A3!&T;O7ASS#K*kT+ZY#rk0yQD!V;1C+P7iD%CdJ)Iir#JC2(;B*i
za~+4w(erZKWi~BXo<^B@;)AG(*60;G+YV<_JisV_7jv>w4$VrsWXn=T0qZ*zA8!nN
zbyZXQmc@@yfb$_9sC(Rn4z6VC$n=N@-|dLBEE|{q{TSJ>Phb;D=0@MKvnZ9pOd#mG
zXV@`4p}Yy*@r2qgbr7q84}kDesU~BA?}6JaA4x1nQp^rbd|jlz3BK!W96Kc!<j?n3
z7YywpfBKy+d7%l26;J{UjTX5vhy)CRo^BQhB8W_g8m?*T-KYt}h#QYrFY`>}0?Ny|
zotlmbkBBeA!*G!(YsAM)O>LR%IZ?>Y3<KogmKO0D^)yr0ko^;{I?l1}Z`O(xK0A))
zRdDpW5Ntbk(85RIoTqr(?##dNa&5WJl7Flh=ZB{?L*_WAr}s$Mi}*G@2C`aBCGj3*
zleH>WApuHy4|EBnI&)HcVdUTIU3bvd-U$*vQ9Uh7h#tM`hp;#5&n9cGy<ZiH(T*1i
zGvP(dy%#Ip7Xezc&93AB+Cm$t`P`o-1W3Mm^3{30$h&gp>G>U<RNw~e?}U6Ejq<$Z
zYm9Mz{}aWXguC8V#zsteBhcL~XvBb=KP#Jr8q19%KzXeLbdPcrtJ!TkFzJv0y1Ff=
z_C$64I_9MF&z~{bU~~QK51S*=;Q<la!O(r~PzlB-I1`_^fZ0Q~V{#Y?WJ)q`a5qc;
zkxr_HZR_(1Tm2VWrNW<sf8a{+TyOs59My~c3?CH;`%DMSt_Vo33SgYz4B4KPeP;R=
zi2S)QWi1Eas2-dSiIJPdc1g$ku}}=EC}$V39^6BoDI`{XWpDdAB@Tw(|A0c2?BX|@
zdf>T49cW$*PLlHpn!X#y9=CZNT7f2>UY+~HI*VGb7E8ulEdQ6n4ctE69A}YuN^ZpJ
zzm#nqi1xi)`25^J-l+M!50n|~a?}85wc%=I@eh?Fr||%yl%goG-_vd7X$#A8ml`!a
zvHcdyV`Kt1&u}(`{vn7Z92`>e5VXe@Oc7{c187@gc$d+A#bSicaUVQyo|-4;Fm#LL
z`A9n6=WkrwqTyOlViM}9`vNry&_45)LMcB~x?FWOiI~AnUzzuH;B~%XH9lY(;P4O2
zCMR3`E0lM0;#YPM^qr5T5|$!VpN+1%P2YCM`09#q!wBY2*o9|L_3M^uf~38HuMaFW
z{eIZN*S`J>t0DA@7~Tee>Y&g=bhp-@AU!5$BRjjNiTTx^{bCsZ&BA|6MTd$LvRAb0
z8NdE(&JMxx*NUHR8e_mZAr;keUs36)8-u-}M#K|V87$}d6zt}4&FZDz#MkxXdGa4=
zws(j1k^_wo-fB@TM=M%@Y$eGJ{<z=@L*sh1O4Q2X?(&x6v&RwQW^}1>DovCoTA6BR
zJEQ4SXX!=9^&!io6)J$Zq1A1A%yCrG?7!@t?4jEx7}Jy;8+oV9Su)b+m)QS7en%g1
zYLcIE;*{p=^C!{&YnarT`5W(<na^$<l-TH(J%*T>KwUPwVB90QiF|&pF&CgJS0a_j
znZBcDl^$ZU2!{f<)Lr@<BN`1M_wKT^3f(_pV3#0{S{As~HqwiO(x%D_8%f-uw04?x
zoK=#9JiFzzlL=bvsgy#@d7baKE~xy2Dgl*$aY*>~a`7HBdK5ujqeI$jae69=VkfJJ
z^H!Z+q;}|jjOBj(E%f>`o{Xf+VyJXKlm%OiSv6Pz*AYv~8mL~gc`4LHg-Hp_GJkU#
zHK|5_Di{P~6pT*Nu!4H{3ibM_vIW15TO*p92M*}_D9rB$=WVw;{rt8+4|fg@bZr2K
zl0(`Y=Hveln)$(aYwnFE)h0io11qV7V!D{GQOSE1_8uvERrVgqg&X8w^b&35bK(V*
z%9)M&?jjPkw0%T_XtaIU6+cZ+4pzU#CTU|*ICIamdU&0bc*1K`(G76a7*@Dsgq!-X
zF4UnWxM_K;h{+9jTH3^=N51|<!|7~F%G_S79{KH<_bkWs25cr|7YmWVbpV8NeZ+Ra
zOz8OkUiWK@I0{Y^3XHSK&Se^U8SXEfbU0n#=xoqwUOrdL85AZz+}ADfyq1z5NtnGx
zas(l+&QyCz?|t@<vIn_6T;KGbjHd-wY;^Y4Gv;kuHWE5P)(^v5^gksSLP+42pP)6w
zMA8cUKN_(syo>Uh`bIRT^*hd}cs@<W+I#eWp_cl!kgXs&9IbluN=XQMDSWC%gFOXc
z7?-29JZge~l3<lU-{%CWvBZwb@(U@R^*!qFYdUTGypv{82`kMx?i(`*SKSH${jrl`
z?bB<Iu3?IlZQkm(K5@!QV1eWq0KQh2gik)Y*On~Vz~18<8tJ~19zMLQC_LqU7xHWy
zA6mFde*Z;GoRr4u`}XV4)i`nil1|yUn5Kj8SiGSTZ(V-QSWWLm^}@mmonsFmD=+KM
zOu9g=|D6|w<xx7r+=XLkb02L~BJnvpQbPfezJ-=KMTiOUPty+GKPiTrEYIRqx*i9b
ze|NvqzikAw{DP2et?})56D_)n@GqFLzt+OwRx)ybw@}!2+1Hrv7L3_G-CW98bM<NQ
z{R8?mgz|N>vs;lnJTz?JcinQI4OnhOGGa~*6iyXxZ%T)+8-U3-V}g<yV%vQ5K83&P
z#K%^`t=aoK(v)s2x9uD@?36WBd!*li`yylsxHxxShYfLfb*jQ5lBYI(mvW3TP@9_O
zCeMF!Gip8eCeE9=394{^rN0o;T5ZQu19WN3N?IDZ?DS1~+6+7{XP2Nl*Vd-!-(&S~
ze_ieHhB^)_B|f*<Z4>>)7kD=eDBT)2D|evgH}CIc@$@`b;UAfwu+8Vm+DyE?b`RS{
z+`a8gc&z<)-U>wL(3+u0kb5J#DIJ>q#v=PxGUgs794SC?J({FN6@c!I+&=QgJa!9=
zn#8^8u^XF|d!~K=OZu$R&#&Wy*}HYu8K}HJcA0om9s5S<GOg|?qv?oqu%58ZAGe+I
z976>b0J5Zc!9P!yZ3m(S3Y&ucFHk4`eZVN_$1jdoc;p~8;^0zqO<sRz(&S-e#_vT0
zH!uo~kHpo@k?{@FSlES3Wzu6chkFY=(qAhnj+J%QHPM^6{Q6VoIHst=TUhKH*~7zW
z?CJgL)5r4N;(&6ZRFZfw#8B#Z(w_UDfvM??*W8xD167ru1Oo#gX%`&r{|koF7hOdL
zejQ=q+@h$4D=}fL<k*FPnMk2?y@al#LRHyTu`PdZ1vaQHC^S+pG4U!6_{3f8#3Tmi
zd~1upBQf&4Ue)oXVt1PpF`UcJfPda7iT>Xb$)Y?C=HPJO$f<L7Syysp_$hG4o!{`0
z*@h6sx0q0j?)_(3n=@@4RYu-~Hy`fh>AEU>n&kaa&DlvFc+cG*Tq)V9rF^h%Kfe8@
z$DCpF%i8ueAEIjAjy^4}W=$;?$!N)q&q6=Q&rN=Vl*m0cuI&Xe%4z4~CH%fRU1ikn
zt;mB7?Ds2?OG_wP-!j*GHx$J1V--G@5zvS;-uQAH<f97_I0HR+bAUx%(h`rL3MU9e
zsNpelEOm|sNh@QVg(^8eL<z4@u9JNqhZ(VBdviOjIQyxlCe`z@WX@z<CJTD=v!{6)
z7-)Xp8wzSpI&I-R&H20SicA2K;HV-={dyhq0)L$u25@2P#k=|f;y;EX%l*g)YsZl#
zC=1{4r`?Y2WAsLLS?q0V&XCU{=7)oB1P<VnzlqEc%E~y!JrAXF&4xJaLxMQQRAxo6
z@|E(1x7luR*4mq<Zi)AjjL;uLX{Kj1eBk<p4$WRv04u;J7(KeXF{R8}`~e;h3FQM4
zsW8Tl>D45bz!?U!6?|b#@ZeK=a<9F>>ke$f_ng@a&Cev3{*UwJkPuA&-I077ZzT#y
zn5MP$H@~vms6e_{$y(D{PaaJqMF%qN?T_&SJ?W{9?sNf@!wGMobCi*|VagLeP$DW2
ztDX58Hp!Cm^KF8peZ<d=8sPd2nZ6y~#dzR~;_VW}(EUG(Xru#%9Jvo}`8ng?P$~cu
zV@l*J^7rXx_tX=%`?tRV6VAdv<JHGW+6{E+xSauSLf7?JU3t%$9w-~xsOu)i{fUWb
zK|hCZMve}Uf@yz?mG9hF*qF3=&b7oEv*x-ydPRh<hCb1Hq72yK)$*zj&;P(fh52DJ
zN;A04K|{8@!l`Xki*rBx?%VY)A^u9JzxTf|{>Sddv0ID}>>Ka@6O>faDTZ)_fc4e#
z;8e=sW1~uaZvgK&9_VU{J3>H-qN*FRAgK-I4Flv5Wod=yhLcJ=5D21(Ff#zKmuQ!d
z?@B66Ake2`+bN!yTITY&B6CFd#0%ZIW0m1cKLt(L3!@ddQO4wFS|Jqx3Rpf*DhFQi
zy%>p(B|L2kn8ykNv13!LMXlC{C}14(poD(sN|E5c83ifPf)Z(<Kj5!QU0}Rbu7n|s
zD*QeN{vZ(DdwQo-98O2serz&$MUUW_2GC++g8YU6$Y|D#7bwo9V#c64O~2)r@%L6%
z)xfKSeuU&VPQ}8R&t3u|`}x~we9TEJT}giz;5)(#pE<$>|7hWfgWlw_&?92>iJK|s
zn*vMNq-KDLIKRzSHBF{pO{nUmkIelN_yMOti)un_Sr{L-5|LXZ-0D@3Hf<tiYiG($
zY%JV&YYvdl-nBoBwc@D7^1;g}z6wY~yM9yY=Zpd!TXhD?>ca+9oY#lm+$TL-UPuhI
z`mVKw1QnOeOH-I|9{mxRzmCHVeBo#DxyE_9l_G%<I}m(Tykf5nVOuN@fSE|gV(ZCB
zL15sxLeS%Y2NdRo!hwbG_`hEANCr&Z)2A@uYOD!H-?;)~{t&;EM1jU}y<;y?S<~+;
zJ>l|01Mb*ww&hl2;6|D>eqSE<WyK$$UcHKd4a4Z3k%nB(OgI<%Hwg9kA2-cCF6;ip
zUWIcVAyAt-v*XKcP`s?zB1oL~B^3wUC#&7r_8%iK36f;iyoD1=>M;$nOn?X!rZ|nr
zOQ+L5fn^Vv&+J_s>a}S?7dmY8b4!}VBf}A}I-HOIaz+)1<=cH~*=K>IS(RS8cO9U&
ze66uh2&_{Ln`_?7vwmX`+ClJ*fAUvwpi^1pzIog4_NmDNj04i9|L0zH?5P37RDFpV
zvmN6+6qZ1-{i2CVPD*%lqbf8}cp?>`ens*h2{R@zr2-;`CjSouQ_SvN&D&F9uYK|9
zdTkSXvz?0}1Ci!E(O9DT(zM1wvXil5d}IU8MH~`{vBLCd!e}_ASBM#&zgC}VC`KyS
zBJj`@x@0skc~>RgG_8I*wRXfF4QrU&LgQ}KQ)~V5=LXy*B;a-hSnTFin6F7WT?dSS
z&v&%V2csrR-}!@jl9Dv)C9OQe*1SilO>9MdS4ZItRAhyAwm%~L7Y=|*kdg*(hW7(}
zx)fBZ6x@Q{p4o7yS+I}pB<OVi;?kP%%1ZX2v2_#$f6%i^S?+E}by5nlj7W4;K~fy)
z$H#Db%s%N;;23dm8?JGjZ0F57O!)qc^7mX>mi>c-p0w4zXBhZXt694i7xA9&ypy3o
zj-@?^A<QpLLX=1-2QEy#UpUAR6d1-6x!bQfFcBdW8k+)H&qMz+C0>zl-fsWz{s=Z{
zd6=7I7r@?I*n<so!QP<L7dBk9BFSofBK!PIu^i^DdpyWl=^LSQHJq?z9&m94jCXk2
zU&1q^eO);8Nn4AWT(Nx01jL&94iS`hv`4e4*8HK?W|@DyF$?Q(`O7z&gG%<Cu}86k
zG_mr!aF$NimNg0r1-}rQ$}Bad)=50II&fknV|mP+<<;q`s>26*k}l$hI-oG^SA30s
z3vunx`iOsJ4_=DC9npJ!%0oXr8|8Uy(w{Pl^Na6_y=_he+y95gr2N<V{}2m=1jVIW
z07Kr)S$p7X{M4O3^U+APgs0K?$G&_{T*A)1oGh1Zv@B;0>-xM20?gO{;mu&GHO`O5
zdog)d<~dg)U#iB~r$5UuyqDW1?}o(;yS-@3rno9eJj1(JBExG^9?NLZ!Y{aX7aVh?
zLI7@%T;!TiOMjwSoQuW7$c}e`57W{Y52;3S(<VMMdYMt@NT$abU@OR9@F(e|Az?^G
zeWmB8&x+H@;0E3wdvAdV^j1LlYx(kCTV%ETxlvy^eE87ta{z5eC4po11#mtKmBH7=
z`FQvb?Sj{`>;g$HjUDJhH#CI~4JPOK*qhLATtNPDigdqtfp2Zp*8<+Zn$dSS?kq4@
zf{aXj`5!uMFujxfesuwWwx~(Ci3?Q=9aPPb50-w!CCZ`Up(rR^czDE?w#phjf3VS4
zkl|_Cakn#6!VK6uwx~vZQ~7rza>9>^?Jol?LId08y)*f@QCA4UAM>(y3A>ovKJr>W
za`7(p|NpJ^b5%(Fzgw$f9yR#eO>8RI8L07Tk^6Uyrt}UsX{Gd4mLjlds8%c>WayDh
zxJ&*eC&_kdAx=Q)eiE1UGxM2MMuX)Q55|A+k+BkMNE&`IV+f|v+Y?7LV(7SA#v`<W
zB@(q=i@QwexWPi)R{D0?bR3~pd8X(Xm_V?uI>e1*)~qr*_Qj!7u%%+C?F|gM8M6P1
zol1AmNU8Xs<272~qC!Xf0N*DFqy8s7m^?eklT5~cRiyoGCT#3SpE(E-E`o*2?En!E
zD~E&6Mpw{{Y59o|e~3ft_tW~$ezDRjleh977ts7uag%)t0c``a*#$I5{<l1&E*2bd
z@aSg}|Np9Sq?_WMH^Hw01<8?F&5YhdQ~wiB!XaI>*Pmz|8$C9i(@I=WG6YkBYmmKl
zCP1I^edq1{Ygewh%8U`S^8xuy_RvQ``^Oi%s*amq*S^~+OdHAO<0svZ7CPxbfG^=}
zY`OOflA4tmz8EAD6LNTRJ~CN%vM2!=B}6isD1q5HrLh{U==$%voDO(vijT|g%M<C@
zWIUSA?Z<axGnwAUJ3u>V%jKdX0V1Dn*A_h+R0#ROG7%WeGImAVU$Ipl5_>ERCoBpP
ze3@oxTT#Ns=}OAUlyvQ`egm>TvBTQ0WP^+`K+L!VzW%~W=Mrg(xMf0<o-`gi3f@ST
z3!xN#v0LOeTXuUgJnmWEJRXCg7OZtCILUduW3ohe$J_AL4>RuOF8aOeYcT2WP}%63
z;>pMT$F*7Ec)um<P5I+h@qsie>TILCdFk(ij)hcLdtnf$fhbfzox7NCy!RV~>a?Gf
zMv`yz-%_b1_ynwGOcMMwmdvZ8(w$tmGRsDf?8`CX9juAx_@NBJx}Vpn7$j?qG1%}4
znP;5CF2>KYu6T?`)6EU~9My#68zj~T%d9d}p>_gj+h5n1?e!@fq$l6f<h<+Nu*d8F
z_%(lZ;E;z8Xh@}&BRu**LLR0BbMP>ijnN-Wz0gl@OM;Bkl`dSLc*pvCgX~<IU9KiM
zMyhAAr1A}g|HTEwfW~i&DfyJ8LUe@3YcP^Q*AT^FsmfT*uI70OT~aosOA9LsUNn>K
zkI~r`m%ywi@bzm))|K`L>A^GCIc+HOR;K0`Mrv`War<_0E?8oSQZ(~8k3L4UU+8GT
z?<999I1c3LdlWDd6_fi9G4U5PlN-x3;Nu0yA$r?IY`p6s(Fns8UJ`rMRbQV)EyGCS
zLGY3KM|ucf_v~+TMYJ{%>pJgyhf!8wCDXz8PFa#`buGf_g@xb(QCkU^u0vdT4ZW7{
z(MuIJ(`!CG@cA+ct6fs*|LjV?w=FSi!3Ho}M)+AI{%zS5+Lie|*oLjrE$o<_#x;&$
zA4)s+!s}h#AgQ*m$xr&S98LY&UL3&?yy}J)K}}<(P&1~!z8Y?{$}yOkeb!X&Zqdm^
zf*GbuLO`NbK8Kex-f6A7pdT=Naf@1w1%n#@^60oG&|GolKY%eN@?iMpXKo>gX<u1k
zh{A3qo#VH>!!Mb&a!_un_fBV;vG8wqMd{E$MXc47tw5Iq0VcvT(UP;aF?;{Lzun;c
z+|>eA<rqnI3%M+2y-z4aSn9||1mCU7!J~;1IvK-Udfg~5O;dgTb<8(;B}%&Zo0+_8
zLrDNn_MwzDQ?P(zNK^}CYQkN`Rh<u4YaJ&|RsZTKO4ih&V$ADb>}CVg=G*VX?N%mM
zB5Q4R6^=t#=cw`6+3tuQAtQ(GI)<bkAg25SW;*+8v!AoUY=3e{CipqXN){4n518{Y
zxZsr<c<<Ho@*oAM{gE*@#KvYasQ$*<GqW^o&TS*jP{gtB;{Cw-$5w_JNuC&n+JKiq
z0ZBi94L=>!WfVb-SrnZ*0z)`{Xs-Sm)5}tJ_!>)>>RP+{mbmrg3WD5?6x{^Og)SwQ
zDcv-#G5SGykFmCE%s^Q+Fc!IXzfIrBM@QDud$0@gPOjzlSC7D#XhP=}$+kIZa9Qfi
zdKC@LXycwm;ThPN+Ez~L(v02?2la%8sh3(sO3Vm0GOsoM3O0)kh^ZD7`tBaUB0L8-
zE?7=%Ii4`Vt}e5!cJ<q-j9g`^f%=WHdk@tU6-AyKyO%z4X5jbCSGq1ty!Ge5r1ZYY
zYeLPF0>qgF_8!L#8?gRC|DfKXUZvjKN&=m}-Z*C5NE(KK+eep%+{v@u%)`4s%wNv!
ziacJ<za*gzia9j=UJT&6h%c_ciE{EkP#PmCQhC#Pe*VFH;nVYZrpLp7IOU(1p@@1t
zUvl1+&e*Gbfhux_hp^1SX8YU$8uVs0(fRe=`k)9qwEe~7Gc1>9=}S&Prq*k?2hi=}
zun0cH0bp~VLL;%!Z0lw9Q@z;0D{(IW$Cmyc^l?=Utabb|vQA=7m)yJ@$5G2&X~w~r
z?^V@eHl^3^un=qo)}$@@wFZ#{P04=`rZ3Hz8>z0*JSFD|&j_W)8)^%qXB)l}DLVF6
z4c2ee)hp(j9*D)Ab#%5-JR4V!IWJ2=V1=lhVzTAcdho9b{?)~~h52PWB)(~TW`mWB
z>oG;wrj3ooznjG6d_q$X9;D_1+JCq=Cgh17ZU|9x^glV3qr_HdU7fi3&C*lD=T*q=
z?v>u8a%k1BHt-vMTt_FhXcTYYK)Um@TGZmsz-|zVR4YT8wko0MR*+q-Y|-)UQ)icM
zjJIOtEgy0IFuKv7EmqKX%#OEGrb}}BsEiGh^3sjdrn0z$0`(!Pj<g+fD>Dx1UoUs+
z2iS4@ME;;j{{VyR>W?uyg))P!hp9g3Tc~5N&C8R9VM`BaDZacUE0ewrj!G_m5Yjo>
z_E_=g?%hd~t95nj<flt6t$O#`56`jB#8(*1JPM(#{Z)l{-<KtM00pbks&W3+asWL$
zuiS%^lbT6=f*`h*19|Qi2Yy`a<ur<dBFakzIe&Yr?>onJED;fj5bNGrv-?KN!F*$p
zZ$m+1cXHf8Ij}mYFPgxYJs(xN_oDr%eWuMoZ-UO?Ss#Y=N#oyx+rV#2Yisv_9urut
zDekw|-pBV4N8GGgf6Z0uP5BWU;SL+9tP9fONwS-UwnD7u(xiVf7B0csUU_VCbS$J#
z>kEJ-c<+n;Ml=^4%?{k`Dc)y3TPw4khn=x#>}#lhk%1!|KMo-_#CbS#TodsHF)o}>
zAiGtp*WC4Ld3Vn0borxfE6cktw~1RMQhGW~0Vmg}wQi4R_}7@PVVyJ<WeiT_>UZb-
z!JTI_9ETpJrK7^#L*Ai*gD%0Ig}C;SQa!r4#&2I{et-j4@NZ=0^bsI4MElCD44C`(
zTAY`Wc(D~;XGYN@ICRvjK~S}i*Oa?ZRc?f}kNuoW2R_j&3zB+VnkxVP^sgqZ@#0Xk
zdsuFFaX89;CC(#T*!;y-2>6fyku+NZ`&h9nq0(jYhVe+Fna<T)iMH-s^%8}I?{zZ|
zjG7C-tS8LW))WI`WgV1U)gpbl{yh8DE~-|O+?zPb@&B|U73UjEZfN+a&NUkPE`JMd
z?U%`T-@<<O-o9{BLT)*IN7l^)zpDB7M=8Gb7<nTYI`-dI?&Y7E)j8VCSjfkD`%Xy`
z61M6RFbutzVHnht)glwmUvWw7s8NVe>_q(gy6yqhO0_D@Kn(OFZkpFRMwTBjm-r4#
zS~20`>aBoKwdP$XoOkAS<lm9Y)G>UyjnNEp6Y8eOkwzw3$48*)$`_aJZeVid$y#8n
z)HVHQRi)8fHBN<U*;0LW3injLc|jLg7_vbCa~;^AKjWL|_o0@T)^)g#JyroXFKP3Q
ztQ}>j_JJcYRNsNOpN6nsG1)!e@6G`CDTS&tm_IUO#=d&2Qt82&#7&)KW6FaSgpFCY
zm6e@=Xr1~eEOpXHnZSC|nx(QC?#AwweK<(_*j%rOk!M7}zBi&;zV~Tdbvlf0IUS2H
z9;ln*q9=+4m#3vd04Y&X0M=($hXPf1ak?*-E+JQyuvOdq)%QM0C(zouD3?7Ymuyro
z`|*;AfShO4D3kr?XPzv2t&aCn=CsPJWv}xC(3D0=D7?V;X}9?Ldi0p*w*-xyc*0*%
zi|;fEWHo=op^P&GDnt5AL)G;!sgpf9w~mv##UOwXfi<ce>kV!$#=B-LEAimeC@A4~
zI)Ij@mq{vFV7ShP6cD`2xnVf*viZfsfvVNM(T28N)u5+}t+6d~<I|^ir)H}&#%NoN
zDc81uYVD5M1pN7a<ykeu{1xuoV8-M+V~XnO+C(;#{i4@|5dN1&SNVp{r*X&PP<|e)
z!x-9wm@E`0cKfUlvshQQx@60?Elk!ps_wO40X9SU+8SOjRl}s~dB{Q$Yj*y~D|EO8
zq?c}O$U#lrw%Q@RI+Qk=du|?4lXe_7?wY$0-dh>HiOp{5&pT58e!Dkj_E=O1lIzq9
zW<*aSLEP8~FpR^Uv%2!b&B`_9xHerr_m?dx2^tLQ;OI>ec;DVhbDeM|ll1%Ri-qJ#
zmWY<E9IX@as6~c1ocA&Z)Ln8+ZMb_pVfshor1Ug*H&3f);|i1_^8x?n?@LP^l;k^_
zxnob1kV<y?+tb9g9C8(t-T05B6Cl7V<)7|Md^=vx8-Q&0_+p@`v<JzgO&o)X#R07R
zB5mRksox|f!8;=Hya?5q8(bh^>>D>BkT77FCv-Hu5uTEj6x7vU6%%meNu#uPDwLQz
zvHJF&lP~Z4d%CB-$B%TJ?Z#DA>HXg&ia-o;Udq2WmxRVHq0OLz${K8aSL75)oZ4iu
z-1b>Cs1a=6BX{bk+2Y`X>)z{vKejvJ9WV}&kQ!G{5FKyFPj3f5(?XWU$Yd%vg~M`3
z&A-A<N+}uM5WqouW!y1u23}_k>u9DPQZgus+21T2zp>KkK&3xJbd}s$5Z#tq?-DGJ
zhyX_PPR|PZ#x!iZGepm({EF?qDPSaKDPbu9$>~>1@qUDv?fIxoK+14AiTqXe)ZzNM
zAbswESZjT!G@^4m-{2wqGBemuYp>&85_Q!#id`v^O20yKJGbmr*j@Lf5xWRIT?_SS
zM7P~YC9+Gez3W7ZjCuUI9i>3llf+@p=@-{DRC6@F{~(Ymg1##K@J5zV-x}UZp09iI
z3wEU9gdAoww9gS=l^NGmw2ip(AGoS4uXE5Q$!T?MUNAZ{C?wrix4E=}vG#ziS@$YK
zg#$wNH{$dXy^8pPe&)MPiJ~nBk+P;HgUv0rHb1%Xo0j)hacg+EYRkMURyy#(Owl1t
z38`co;*PLcIVd!@T1P8r2+l{P$MvtdOnAGdRTPe&y^ETQ4EL;sVQvy(iZJW~Ye9Ly
z(4H@sDoc6CMH@!NQ;n7pe%6486rI4YM!t%Ma76y=so`49PIUx{eJb4EjwKo49Z-Pd
z1xMLKsF3n^aQ~{~#VWChd*x7chcef^Fb-E2DW~);skX`1vFuh}x5Y4R(p5T|T<dD6
z;%2@f2})SFjNyR&oxdI*$Kp+S`mX%SpPSkV^k&be9W)gv?`|_CJ~yY;m`mb|OHyV4
zKPML#^gUtNYi0mL{DVWLi$xQJe_K$?7X+xLN!>554W9*dOuwWIt?2rdG_G}K2wx6{
z{eMSKvLk@q!IsOw6E$I`{ChWoC6u_4q87_wYBko9heQkH6dbzj7K8Su<OAyAd>H5p
z&F^^RA=g97r3OCCAp?5j9b3}NORPRge!a@)bQQH)CWMkO1%2ZPaC%>%pD7<pn{J{y
z;-<aCU#JfG@?f|ViT^mD#qf?BWy=n!LQs}npXb2Ba_{TmM8IZ%lef4r6K2mQ4O6#-
ziIwCpC&Av%osf<gtt`wAxG|(!b}Zlx%h0|n063tS2tD6V_1lv2>+2&5>{knKeTL+o
z%%4KIu7rP;m&Y3Vt#;sTytuX|_-x!P_DtZaioO4Ca?Javx?ML-|J9MGAR%HQ@bqvi
zVrL5dSZX>lO2i4(1+!S8hq{JfH_7j6VfM8B3+`HX%*%^w9&lP4uzhLyAxYUmwk*ax
z12Hv(@U3#5otJQ`gEREEbe3f1)l|LVwv807lOkOTZ@IQTD|dEH&4L<rLSbTVkSv;V
zZbVdKsJe992-WuAo1ZScUIx{yS?aL`EVwAIH!t4Lcty>`Wd{w9-iz>sv|j{s97b~U
z<x!#Ud~!riTUvJY?f6a?iPY)8$ES9V*)YPN1<dY(wDaEDk<TNWtLR(FXC`nO?cxrE
z!k*>zb#S)NXas(p5OEa5DZ00JkaGjv+<tTCjhFgfyRQE*>S8VOJu@X8<RO52LBj;1
zfsy7klnB-H^+}39OGB|W)HgN1-9!%RTU->l9q8aJr`-_cJQU{Bk4aOj^q)p@;uQ+s
zoLI`_3C+~~uS-ao2wFe%7}4(Jda%{1dN!1K$%W;k;8u1uDL|TQMw0V_;rRZ>!DV>q
zQpSHCaH#LbHV3#h-<Z(reKbaJQmE|`(8hm?h3zcHUAu*}ZO)m^#)jW=;7pE053mJ(
z&&BOgd0>OUS2XJFplb^r7hC{(d~eUmW)?{0dev1>u%9NADx1`eM@V^_Y^Ui{ieERQ
zhBru@L_GXW;8tJNVn{i`$Zpv4;MGSi#@w&9W3v$(>p@dv{3ogTXZOEDQtWEl;P>!h
zYWbUN->s$Yg3RQfGk>)#YQIZ~v<1}!ICsNZ3qbV54C7%XIBL<iaQ>}8i5cTak(azH
zJUuzCGc%8y0&1Cr!N{e4*G3~VK0M_;s3m!l;}js*A~@+kT!#@@k>g{Lxr8R1g|M^m
z_{y%W%T@3;HU8|~@RN=B0u)v7WC_{EyX}PfTwD9}_TAlO+ogcU$;7TuZLc<?Degir
z#cBnnYmbtY+dZsQ^Z4WU;YF;&%O2PT5Pj5}Tpxm>d7+L?{i^_xN!w@@09wu@vS%=&
zVwRq1OL<!e^*35uI%Kup^xs(O4;uc{+DcJ{?m7G78QXTF(#V_b8FzLydx68b8*k|7
z=KKxr9_{1DAq{Hw>W_CB7c>C^2Ep5DRwJ%H=1laS86${FEydikSZxZAY3UN#wcpMJ
zZ~kmCjh>w^^9*&(Pn*C(3Vvc?CIo&0aa#{MVUOoS%H$QPDF>^MqM!8`cywOay;VK>
z?MnW$lMK=1s-$zxefq3CxY}Z;HslwpW8K=}Rgy3KItJp1gqrgKQc(A3Dp4eLh#IPz
zU^8C#j@F9L?D*okzSpyy=4%>#S#YW~KCjUFrlhh4rVgy!5^BuIeHyw-mZiAS<qy{-
zpLV_m5r%Dh@<lj?=6vfwf}jVHdV#R!UD*+#MI3olajS!VYJXSSt#y<%SUroczINXw
zrYbwFcKh>--yid>djsbmeI*$tkDqy40&uyMJCiPG!lDIUZGIc4<8Q=XdVg?2r<G|G
zwfu2i*}T>4@~W=fA^)gh0z7I)2@5rFeT1y-gHE2Lp$1pit0H8Y(5EC6x<>RlR$5X^
zRaq7V7$-|m#Sy?Qd%T)Z*Pw%H&#qb9U2Jp~`WO%CZ+HHw<GPAiqMcknclS6@+Df?w
z3Ca!$3YD{udx{W(^5*5Xh~9Jc2YN-2bR;?3=CU$i*fbv)vI$5in=YTi$js`LsMHL?
zkA4aO=DG$iA5SS>rcXQy;#<Y~y!^;EtS{m4HYjR6j{SGP633WTcSkghhFF|jK>a;6
zYDwPri$El}Sk`rcu(EbFM?OzE#copC-)~-O>|{`H>=N#YizVilUCGcY6b^>PN-={S
zw&B(;yKwXSwh2g4h}ZS)#+9d$W~>Pt+SxPqrQg~edk`mT1m`xpa$yo)o;P3ziaklh
zu^K@Ta3xE`UqvkRQG^_Pn)6SB!EIEmb-bKC+Y6Q#3GS%P5wQDhTgyxQB$J=N&vXUr
zNR`r@9!Zy<4ND!xN*&nP^j1Y1F0V{;#;@Vgfw1j%l9)4f7`@De*yU}VqH0_m{SMyJ
zhocM!=;R76uiQ-PSIQsD&dP;fZqJdQyR#59+i$W`ogZh>Q-J6JsdLABZUgz%D0$@C
zvx|k(IPE=Zg{rXS9D0L}lewIj?7dh2^jsI%4HX$3vH}lgJx5XRHR{+Kxwq@yL3TaX
z`nE%KyWC@u2-3xUV{ev7z?AfP$eV;DOHKBxX7Nc75BZw(-@snVb!nLmLfl|P+~g0O
z8hyCEc0VW~!>-E9m!3TtKg*t=rAb`t8G|>(0aC#jang-nioag&;b<X!lUxMdweoyU
z5^K_rlM&L=ITXUbzI6C<nX}8?`O}$3cdTz1sHD(|Zc|V<j+%1$cApGgY&=$PcJOEE
zw!52epLb%u5)I-q%aam2^GU@kvgq@iJr#}GId?KyBz%w9K*ul?Sx*yZsQ?*Ia7xcf
z*TsHk{S~pw{o}?QnRb?H1$Mmfke7n0_xpf4J@nm>*J%6#1~ng8{_oJ6EG{+m{ppoG
zYCaJ$r+7q4{ESD+h_Mqai5*Ra@Ht)HxCN<z)0f^3FW!Lrhj1?|9&=mk^%}d_k-fD!
z>2*nkB|X>9n2g%$e-AMRrSD`xOL`IzyX2v?if1CQ^jECI=)c>Xl6T<UnD`{pLegz)
z|9N+YV<m?biCOhKnH2`39>9TO(<*;K0R<B+;;R$Eax=-IEs}nXMy;N1O@i!+b!G0<
zo&Hx)+3(z&taSFG`fLqM-rNVu&}tJ0Jv#4~dk0<9d;HQlQvX`z{D(v~_I|wZRfnBm
zeHr6ocXxXdLHNq>ix#>V`$s;ccT||lKwH2_8^l1a@eKhlh5L_P`LfwmD7PNSQwvq|
zMFEk8rKwPqR<?`zkH_Wnu-NStBbNQgaoE$xae}k*JiH(lh;fc;Q7CttzKQ!JCRQTC
zAJHm{Hx%01JfWn*Zhta`hhDmK01<~%n5hC0@0PSP7ro7pkFJ}NS9yCpJ7nRFJ}po5
z&gfTg!bVD0?<S->21E(ye!56sNJ3s!eW)QWQ@1?fuL9PdGa&L=J_{2Q!hIY^BH1*-
zJ7gnTEbG*d;J<3VvnbvxvI5J$&h;i6M~>U?SCq3ds)H}V6VYe|N)N3BOn+laE$b(D
zYiOa2k$kJC%SKI4n$n_$q&dy68`{2{%Pe>_Y@X;@Rezt~Z>>o|cLzDsB@38lb&a`0
z!8o*Yr6d6wdSqjbN=K+En$wOe;G?Bb_a0ZXP?Oee9o}9tMT<JlB<2a7snQzKY2Kf1
zHacq<v1Hco_9`7`4K?~uvWEps%g^`NP(>-g?7^2!Mst^p=^I9vj~aUefsiDryTV@t
z7zasV1Q-UlA-vSXKk%+fkv<4_pz*=JeXm~<<~$(t`$Y)&r#F_6ylVW2`&sxPj1JoJ
z@{C4mYj}*PU?2kPV;y<>YO70OpKvVvDu3HT2Y4a`(2P1J?n-^>l?nHR0AsAZ2O>Qx
zX#xs{2i)KyK@faQt&om9w_*&9Mho3-^{JCYqFMB=Lej4#aN^n{eT`HzLip`C?R?x{
z+b|{<#5KhycOH{~hmyXwh*2p~>XI{Vq28*usOiO)vUC(3XJnBj6=S$T?`S*XPow^o
z<899{!IyS^ejy17Kk;$Fm{;FWG<Jkx1n34yp#&%f1EHQY{}-Ow6aSZli7V1CB-A{>
zTr866Bv;iBNM4#Ssaa%lk1Z7!beic=THuq<y(%3kML*(qQi@SnCkmiaN6u!#J|*dX
zhI5FzD}uj~7gkLpba!Z;a1)M*(Jl{=nCcWzAS1jS$#TduUMW8Fk$?6Cxttm(l_2+w
zhi>wW*RO<;U0!Rwj|oSkzSF(>qnUP7N!3WUU;4L2d8+p{<#IX(GtT9JHRX7BaP&m$
znA|a%i<epj40B~aAoA;<S!#dWviq<%@9-)XWLksr^{`D#JdT*gJ|JW5zsikhM;352
zR)f%EYH7)JqHxNY4}EHiZH<iqI(<&Fa-f7vK{~~RjOm=*GDR7Pu)KirqOaawEV^ID
z_+_)42G#gFibj^RL5H7Uve|aklfTI|*Wc0NRZw$5wJpbwy@ZvZl7jHpD(bAb*{nE3
zGog;5kYOOTEtc*1b0Ob0ORqZ_i`SU!ZFQw<q`y==R_|~Oaf6HB(mk>c|D2XKziy$y
z#+s+Qj1nymTyN!lUkCD0(7QS+qwI-n*&naHyOr9FlI9aEKHCik-HflZZbowpt|Fe-
zYRU=eTY6AUNOhO?v7<W2_}`MeTVuyL-Ij(``+CZOzW$<|i!~}T{;|^9nY|59F~b?V
zHG7p;QmDiO0XH^6l;dr0YZ!b@WkO7M=zOX73~gVKPZ!*N&^Yeo<z5(DbAKG15EL__
zV}SDa>^<vSPFDp>fV0Ax0^4fk@pYTHN=0dYNNp{tt(v6N$oJW4hNgGIJz<wDLbu~e
z`$;mJP7XJ793Sp*X*Or|ub(4Vu<A+Z3qx$%i*tbs7<`wPoV#yI(EDQ)1&px|n~<>Y
zvh1xJjWj%D3%2!+wJXS4i{F;|!1>^F@}eio=M!-1x`UXVxv(DK&-R#^I<un>D703(
zUSWv7S_Sj~x+z44YYd`y#sGkxZd2o71mE=PQh(iL5{7+SmS-@|Zkn<TLO#|NcJMQS
zEIPf%`1zNYlw`e$#ZBR=w8^{7u8lw0!A&+_EaRFgbmnDWvN(}F@6U-J4A|HLj#q(c
zJxSgEy;%NYu#$l1LxUW`E4%BU@aay#+e{Lan9y}b>M~`~J=d<oO^+#5vopRsT7W{=
zuQBfSA&j4J%d-5N;@Rg9E~hR;^Zs@YXd%C&z7J&j)e8aVr9dns`0Z9ge`%=Ca6g!Y
z%@mO&$;IGrl>-Vy3y2M+74_RW)7E_s#9fSeDz(n^6!UbCS2scT5B3+@ylJ|>XG0WD
zCMieF;ou=c35H|59gerr{bG0HeDUHZp7`+qT_mFc;jLp=KFu3}QX_ZeYtQTB_bY+O
z{ez{w+hMCoxK;HJM7$qJ-SKq>9W&dLJr;sf5e=AIZAIF4?%mpU;HgMg#z)0pk#=+H
zZAHtK1eE`%sRK2o%*6V?j3+H`OXH@IA^kJz1vsk|2C}7Rax<*gQaXTaB1B3Y)nM(3
zyW^raBgxL#;U*q}NAd3QZcZ|~y{_i8zwvufdIRS?T9>Le0jor(+G~zi<>&mcYT>KO
zcFs{(raty6S7^`uQ8z~je71#6W%+TjgyQ&GkigHfJ=c$oF`hZeIo6aZd$(qDsp%d1
zO}I5fd!QQbtl?J!0uu}CeS=jb-q?Ykl2(+K@*6HWoni}HJ#KzxjkT=!(r0k+2)k4j
z|ME#<>Zfx&nhxLdc!L&g+LgTAJwVcZnRs#@_6-c`5f+^|opv);A2z}cct@9b_L~4J
z#G$EAmmOEfK)uD8Lt<ll^pEU2R2p4K2X)`NaRoCCE+T@GQqjmpNU{)MAv>)bn^9`8
zT<J3J%b2y(D(I`o6_9#R3*W@JKo|Ygp`&3Kom7Sn`_cMbv4A&lqf!ZE7taLC!erNZ
z*|%e^rO%(!^)38sD!Fgnc9JEolpyGF{ijkjrk!-2ADH_JL3v(i^2<9n*@8VT{S+-(
z`zzAdmg_UU9N3VD#b4V*j|8#xyW$UfB(LK-36n$@E<On8DV?6ST-zy#$g@X+&dr^c
zw#;0Hkxe!s*C^$@hs%U_{3RCE%jd{=)5KdP^)=^EJ^l-(Yxo%+w{`scwjk$>0t@ht
z6c+~a^x1R(3G%tr|Hs%@Ma97dO+v5$AwY0<cXtTx?(XjHlHfMDy9al-4+!q=?k)q&
zptJdR-*@-rp8L{uZueVv*R7iIv}Mi3l5-RR{v>5_T25GsHMBO^n;<cl!S1b-VR?E*
zx>p&~&je6reB2NIq$E&o_uY{FQT$1KT1b;-lx|k$uMx8Xjm_ZLJ`-*e)k5lkA)DH=
z!++V{@R>>a$w)%;7R{TT43duGtzL0T3N@LeyN=13OahzQE`J45<#~uz%`QY;6*ZYi
z20X>AFE{`?U`lko9qhczd;MMJ;y~OUS6Q+)y?DD*Q6Hl90wyZ9`kHcO4DFVMz+`09
zFjj2X9{+ZKh-3!k7u|wJ)y1@C2disb>cb0bM(0uPo$u?VYVNnn-ydidE`&@@`~!v7
z7N-Q+#ifP(P18+wF7}%adHM)r$-N?b_-<tz?|o7R`xA2r`s!~ZE|t8#c}Q^#vm6S|
ztdH#|@Z3MOr8!85kR4XV$HkH2Z-&hNC%&ZeyT=4$Rm)d}g8&Vztd49fhbd4gHcw^t
zRJ6P-o~5|WtPLuU8*pAlOhD%E-c|Yh(+AmC4r;PM{-KoRE+8f4bu@JvWHwVDmr#E+
zEi;i8n-gW&Ni@uZ`L=*moml7g^zyFrOwWk)yU(y>(Wd9(1wBCZ;_g>kVQ1b{<`i|p
zc;Cw`<IYM#-5-KbwVl%m4iNX!R#A&+YIv&rB=vH2s4}w!!||!2Df=!h*IIO$^)-1x
zQz$u=k?e_9K&11^?pjp~J~LLDHa9IMAnAPAM&3twCw~UZfoZ;aG`mG{=7m|n_aPQ~
zvG8_dsjX3Ck*W%yV`6KXJ%fY4&?jX@vt>96K+1{5pRSy_qmhL|>0zNLO-~PN5GJgW
zffeJn{M=OfkPdYpIkKaGp4nG?69gH1tIaR`4&Dt?ZFVzGxmc5wL^qx}q{9wp^xZ*k
zAsNwNVj=pPL3cW2+K5F=Hv`wh&1#G>anD@#-feY96Oli7O;ct=&F?*x`z<U__l^Eq
zu>4udQ9WnGezQa~6aGtj6g+aVPr=>F0qR?qpsnD5e=2P<b1Mh7J(pk8Ij3>xc!9Mp
z<IqXhj=N<=GZ5r4)+g2ajgC=2n52!ExF_cCY<D)+Jaf}s*N?#c#o60dxbMUw`D;&O
z`AImvXW49GDbZ6ysENKl-?nKFxvU-YmegGzCY9PAaL4=&stCulx0-fy;@<{d#!h)(
za>)zSZEfR~Qf6(1gF&mg{p(e!r;EJCIqOZ7vVaB+o&)vnGF>6Te9!D5UF+glTslIf
zdc@t<Y{EG{ajDQnlScwVL(^vAOkhM)omS@Qa=c>OkxgX1$f2`Vi?TP^&m*9V#X^Cs
zLdj-rk@T#Gu0p_Uk(>McnylNBV{8lT`z*Lk+g=nE(iFd~WoceNkyNkfOhm1_)K;!O
z`54HzyuG-nXvE0&NjhGvHBsK?d`hUeF5Ip@Vaha>)QIu3`@(|mw=n#Ps{{~Z;A%%9
zQ7a0Obl3Na<lqO3O`3ZU48h*gW+-#Z?;<fh@T3On{z0_|Q+3xf#v-`=4NjHxK+?Zj
z3PXzp(Ec>b4EH_Y^2_l&jrXn18is+<nR6?i1av?N^%!BHNoQG)jXKjy@5CqSI%=l1
z{`lWr+R5*Sb*VFonreI;wOw~%!6x#fk~D!r9Hx-cSebq46pHm50J`<Q@cT}q_|Q#;
zp&|zA#z!a)dUQ@X$yU!l?_sF71}I<>N^us-=(~?aerYZ+?hxBo<UV<agj+0T%`J*W
ztD^lI{NT`}Y)t|{$_&wYSB-wL!d0RsYXJI3O^dUM52Wxiq!^lE%0B{00ABDdy}UP2
zcJuvY-O~2DIqCDAcCvttbk%dYsOQSA=HR2GSD_XFikUcgKs25x>hs4Z@u?=oeXP}r
zUzro79O*%AcW_=4^7k*8E>yX)DSho>EIRgg5a}juKZjv*JDACUi+)B}%V8fEW^h#{
zuQyQW^BE8g|I^bWiU~`Gqky#$mvI?Svy5|_;DChTI<azTuWZ@P*!fs~ZI}_SkKl~k
zb<Y_asYiLQqV4j}7`Lv1U(z;NzKyE{>$5-J&u<rDLRERy*cjmV3T0@&Dh2mTFjDLB
z#|Cw7TVg-c9JNmW1(SBuJA;mXwhOTYN=uPNAv+e1axOiZ#<VaOM$0b*cv%INvMe1k
z>_1APOAL~bc<tbuX6-%=*ZEkH$7KeiN^mZ|^Qcf8<kR(j{{Y5I;i<v!D61!4Fokwq
zIj{J=ee49Cq-;u?X%$+<Fa?*AVob^8)UW;PQ;UUPyV|N9r;I$d`as$n&itS!;O4S5
zHoi2$bnE0A$$*!ygv-E+weLORZ6{KkLZC?-2*8eo*EcjIOW6|wQJ9|YPYsaS-&%fD
z7}NA5#A`PxWABXG!LX1{oB>A>(gdL$wh(q_x4ny7W>|cnn%M@W9DH3YCXLm;I3uZ_
z+T1Dg7$<%=Af*25cNiaYiH~1QY}_MjziNytbF+<|v&!%d<07Z7K+rG>WGu`kxG3wk
zCRx&(|7&TmxLzQ`U9ziwJ77rOEKA`V869NqTM$iiSvh#hxRoI2tMAYGItJww)9A(J
znIuvM#;e9PN6}rK9eJ%KkI~ZFO*D2Ksm*P~93E3`0g+=@ns3<ca@UtT{B!NrW0!2R
z=Z}*Z14;#zx|Uv&gl(2x8QJ7L?a8l1N|@3gHly(GJkd3<6DiF9cxiu-7u2dq!)pwb
z*+MM4D7goRr9zup*p`Oa3oWW*Zotpc9j*52!kmV8p2wjduFb(N$cSYZ`TtDh-?O$V
zXVBw0j%{bHYxhexR@$B46V~&@q0Iw0*IU=CR600@2Cl?1P(<wIahLO57P4iXn4cey
znIu5-8|iYWup4W7tCOG<yCqS-!Yvv(<HeI}Db>DB&ro?IOhHXOQRW2#0}Y;%$N9%u
zR^8^zP%#QaB-4+edcct+&QpFSmjrwF6*m4qACVO3lHC>Rt6r;#o2j_S`mPn#HAb7O
zJW<2Nxi)5u8)4Ah0MUMpW{Ni|B}zC9kbZYAS%f{wGvMMd@^%fY#L*ncCmi{1;c@-T
zNQc6kxklWx9FfUERB&saLt#fTkvmBV|9IXi{d~}Hjgh~h^GG&!vGZfGv2W?q#vy1h
zo$wo_brXO$Yrc_`bAMlvjy!n_1U<mh6l`;W_0l-i_j!ICQUB=7u+}5q?GKL{9~rjR
zhWqJt<C8DL6dNnlv!j~u2VHCsy4?D^3Cj}t8|M&9qKk$F@1i&BJFSSw_opv8xIqSk
z@=sidN*DHD^3z;oy{t|P_Ev4JdG$efLCMCa26#Bc@Pd=B+z3rT<G=Op=-s#8<1e=J
zP@vw-Eu6ZcyA(o^(HWWz&;1|!C`-(9%1;+Ov}i*RnLC&tJEHdl=m)2h*I#*T=aDyX
zKI0N;S%vyT`ohnWGE(bU$N>eWV0rmd<ls{<#<yU+IiNNmIDVhS8q9(iRPC{whZzVb
z#&xg%^_!Q6t0-y5Q9*b-mJie&?kJs5br`DYk_;n$ocPZK!v3WFej{t;PQ>NbW~g9R
zdu@ug@fV63*R3XiNbq4t5K-{wpexaxG(RLKZpMo5Lz8z7)r*AhBSd??KViGwSLow_
z7*Jngyftv|`53#&TbCkY+-NvBpYknOlIT5s;pv{;UOTp@SCh9z+iJF}vM&$04r1=L
zoBnh?EOG$udOjd=2{81(2l4jR^@34;e7~;!CGHRTc^B0I<<-t<OLRNCMg|X+;QBsm
zu>)>(;b|T1&2*P8j@%PTygN)g{8)tz)@a&gf)2jecv^cJ&cV&otEoIf9dO?3=t>rW
z?N=C_@09yQdshQMh`<z2o2ZSae?m`n21UkQ2>d!8UbNQnoU5#Z!-6_U_kHlrQtxB|
zEHyd7pA)XIv*DX;>+X&Brw{E&f>1tj2dv6Fiq|=1r(dpLL&GKukO%rH*2PbKt1s4N
z_h0KPJdieBC%ar<^#DAz1Qp(H1_nGz&ZoRaJW4P>05=gq`r$CaF-I>a(IQX<&chgD
zVtU43gQ#kx$-0OeOG@wOSO9}vn8oiVqoCBcf?~uK0>2S?Fy8ROEmnNP&D<f&@hAkk
zf3)HA-}P{`Ao2~zl&E;rcqRdouw>-+p4M;^MvJqi>Xw#0>YPL(tv`O>&eq2Xq^L*e
zI$$;Cn2{NkWNDEPdLLPE1%FhS=GX1Tg3-YrFs#Pfcal9gK@iu>b_Ou{4op9Uc4`+Z
z0DV{AuKnOgW<3Kh1#y-8d-}v7tt|LK*Ot(wFW}4B#6Sm~I~4$J4lC?l{UoNhxIX}H
zM3Tx_7`Y$vBQ8O%PY||07<NRK%9uE0H~9OAJeBcHq}OfOz3O<zF#o7C9SH)T7OI=W
zcYjsnJ@P$sSm_W1DDTyQKz0KdFp=loqUYV_<zD;5UC@8GHKDs&(a8UMRQ7+yflzl1
z3Ny~|d?JxCSRG%%ncq;MZt6ncEIQ!t1TOX}{>7~hIHz4pXPb&758Wdfzy>Hp{J+ql
z1gGwq+aL==K{S#7s5ZfI`~O}QVEiopKaujh+0;HgUqJW30=@SB?$AT)mHi5a86J(j
zcK3G#*j25)cDMI-Sf1FAkX>Db{`kY$AA*$cxObGJ1vEZ6ci;ajA%uAUPWeRj$=qLl
z`-|au7t8mF{JVSj%U;I#b8{+$rZC^-|5gXL+;x52j|}(M=rELj8RHI2zS#&}mAFgT
zIYR$SFK+Ma9n{_pe}{5}Jyd_m_n@xtLH<PVT6jCC;Jkm8q<7s%2#K@=CqOGt+<8M0
z!x_{C^Qt2B>qOu{^(&Nv=0bNUq#ucyLSjP_&<UZ5p|%VWK;tebd)`X}%KvIvAG%9F
z^akDE{5?pYiuoPtj&)S_!|?+2^>Txakm-;VH4N{&8#Ez~<*2A|$l<T5!y6zWXdGZ)
z1=w}XKdhK_e}4uN_G^0e^k0DUPWgiLk6jaS_ISrohU|%!ZV^|C%+F5PnJ@T=%Xw=i
znOqD~i6Woy00>op?pgOO8iBe>{-9A`K!Nb={pLR`t@ZoQszdMmQ?O&&sA*v2VZ%(t
z3jd#JgpmQZ0L;6G05mJ!Ddhi+@&f(;hl01e&pXADY`g{wM2;<?aI+7Iy?8a`s_jyv
zrosWutTy8(Im*nMzd!zo4}7>+K5}p({956=k`4ri+DZgmG8Nf&d#`BkGANva{7LKp
zH&Me{(#C57Q|Xs+WKM4;K}__RKh0ZOFHn5A#5{#LeBe?ajNll0^rkF>gBx5;m_QEb
z;uJ*B$)mACLYSBmrlyuj{Oyc&HQSqnL^~^*ZUN)WsH52_@<dZcywS2vfftKkXUivm
zWfK`1sJ5hx)|AHZ+Dsy)!VceFc(0QY@0+%@+)Gx><EI|MgNOd^&Oj%mct)iJ1P-Ov
z*bc04kLkbt4UJT5?OQ_u%waFn6zW}8%^WtZjPjq3V5M|#5zX2DT0)t>;!7QeF{@`h
z*6~4Nli!FTeRsnwth>$Is4UEVK?0W*wf4Z$i2I5}7(5lt68ZR&UV6fBvd+nene!n9
zy~Smfji)h1oK6lL@jI+}Bhy95($?+$0aTv-<>tyw6pokA#649shlJmVJN))^JoG`A
z!Vhcr;(|(U*dN~@6=>8+(O;dV<72Avgu|@o)nT>W3<hJ)==PluG4yb^_3yf62oFaS
zf4dxuhUq#uNRI%T9erZ=ONC>0!?|d7e#x<Mo+0aq&$JfeJJEfSeJ?1ZEB1Su=NpRl
z#)SO5c_|S4vP)~%Q6@Vf`y}v=+m(EVDPi#kP<=6$=vuzSpMZJS-dFd+U-m{$7D<AI
zqQO5zU03mnl~rGF{KlRWjW_b4sehM~lzu#^U231XubIYNbu6>R5_epuMjQ94byCRB
z6XWRae37xGKHl3$`*;vLY{gyO%)K-qEY5!|s#@ACU;;{fMs0fbhfcW<Gmi|%45Api
zfpQQTFdA)GYy$2~H*7+8Cz?20uhoWZlUlH4d9N!N#Bal|5u1Ju)&xTj42BR<y?+uO
zf}-))hC>XQ;`S4w;OL2lnm;%`8U14K;7=|Y6C&o*Cdn?>Z9+C4oYLm80F@b5D4&#{
z4&~!!TpMA~WH~NUMEq{kBFXkUhLG&(1un~zt;t&1ep9bXE@Cf&J8LX{>7}f(Wc!Uc
zEqRPG;A$zV(co)gnU%-6E;g(EGd6(t-ds(D@kw8_iTi75ZNdR=cLecpbv?N^a9I>&
zj^mWrytjTsF>_F`q?a;UPfX<O9loa6N;It%I!^Zet07T(qId%AV63$3Q9+kA!<IUo
z`TSz3t??>?;p_dpR{!c2^>(A^?N?p?t}y6%Q+A!4%l2kLvwz3WI(p|*gj^iV{3;u2
zg2TaAtBH-ydH=TbTRQvGw=s=}hzYMI{S~`YmV5v4wE%+HD<M)4W?f7lEYz!+{<y%%
zv{nMO(U%Yd=w!jP3(CysLNdAa&j0RpA1K)-|8<97!JCfMp>oUANBF;wnv((nJoYFv
zDw9jBu1#3!2cPLH*sXQZ{rv*uRoTn6Vijjz=ML9)x|<t?jtxrMl0Uydaf#||W}}@@
z`7o*&>7k|>Y?DgVlEm(3GX;jT9W9_JSBf!*-sJO7|GmXprhNJ}$>fDpdtsFZUhq_u
zTy8v<F=1;(HyfH0ll-r$561TNX#NZ}+1MmsejVu{HQiT7tfmV+<}gxzJ+=J+6`Q2L
z!`_k;6L%-A`)cp;=<zY=$8=Bv8C%-)tarBdgHZU=YlrVAk%)LdvYMmz$3}+>QPH+U
z*8*XhT3CxD^WMeEs<kO{&KJb3{+c{%J&uQfNv~+P5|P{zcE*>}GOo`LzO6rx7w`D@
z$D<m|Y3mNEJne05-1~>fRp!Hxwo%u~?RchXCe&bSJ<~}R)bf*4ZqIywyH^3!!y9eo
zgVB$`?cU47Q*>$%QrECG0U0A04KA5uWcH&V1&#zS1>p*^gSKC-(kN*kvf78Ck!CX-
zWq(#UC$}Z+>#{mU1P_RB*|L{qNYa<RJk8TjY8!+X%g5BXqhq8I;ziZP8DyJmHFXd7
zL!7)$nzFLIf_X*zcnDIn;nn}+1)rff>vcJtEBb)0Wf`zp?9eoyHTE1k%D|`XaB5y@
zYc5Gqwd0$yx5GsTsAsV?Ji%1YCBB0hif6}EeG;?;<X8dcML$uYo(@HDPn$S_MEism
zPseOFsSM~3<CDUcd^|lzftl8ydB^LVi<w;dmFT|3-q@sF=zuKWymzU23#8YcYXL8V
zCUgJpRT56P*4OeC_%x+zb*4w$EvpfQoEgk}e@}{T=5?;(C%8eYJVmo|>0OT58OJ$V
z6g^K4-Byw!M*qJBE!;fl+}v&Jil9F3lRu+Y(pOw0-0Pe8<F4uLdCy|5QE?;`ZpD!*
z9Dgf#fbU%%NGr|xWL8f#wy!l`i3;!K3j)Upq_w3X*JTB73-OS)hAuFC0IYOu@POjg
z)Am75V?UTPaNa-MhMDL=;qW+DPU$ryx0RU8;*X7_(oN`EHZ=xX>IipZ33UEspkW@R
zudYtM9Hy8-qv^ZkdeK?B!|dSJ<H@h{q5;5KX$4DwE2ObHd3?*l#zB(kb_??%IlziY
zfIoS>W3de_?s{j7Z?{gx8E<0B(ot}C0CPW&c-ny!AuKfqN7QNOgrn>o$Z61;B~7V{
zjUm<yH|Wq0U_=Tk>v*z|4>fz=trw_NqaDeoT+a{E>Y(=*=*vBdcEPH<>Z%3P!}^ky
z|NW<Y+n0V0%YSF(ryOxh9^hR_bSe1Z>FKVvq03@3FV{Kil5PFlT#zS)<BHW=NA~v5
z1rYz2GKRi3=w=Bal#QRHA-~R<=MPSh%eJ_Gn07MYTp0+E6}UM+=w3gQPPJOl_QJ?E
zw^8VOT`B6sl4{S_Tt@E*wo44C!tMP@lc-CaBlaII66_<+jlSV_vpmVyu<<?EWE|8g
zl<RAct#i{YQDixaTfp0dc`PuH<DA4!EH4$VI6RFc)RdCV=Hyp~5D=In+!=3BXEv9}
zcXu0xfR`R>DnWdx9o*BPC2z0ipPl=ii=I@3>0W^fpCFwq`NH8ZG==Pbt%IXlPP|m>
zz$yT>zE9MAwdLi&x3zd*Ow{H+0rR`CTdLKbj^EIGc}d`jAD=AgZLA>ASHfHK%V%=2
z2SH+&ps2k1pPDb+Ho~|kqYA4pmB9KGR&SLGDXt|wwE_HfX3Nx2q&Bma_;oFVP-APL
zt%4$ao=~A0<g9DRFlK5()B0+2IX+%mB7DbU6!O%q-FxAE`pGWZ8zWJE3(0liiLG!c
zF_dApJF{ESBp3Q+ZQw{z@HhMAXWY^D;Hj~8Z2)Peq=a?+mM&ykfX8_!nxrr|HaKAX
z(ioDAd`2SJ-BAXuOv}y0=%9v4Vz;LDK6w+7Q`dK)F*G4JR9RiuS83`UzeS=St>7ti
z+0K{{P4CFJdj<akOCv|)XRGX|NLpcA-KTAuj67xDq`KJeaVa$i_RjwNTG4QRU`kCL
z_F?vy6B;3TAH4~xEUt9<lD_RNyt8$#qh2$&i4-T}Vd}<#<XvHKTl@4gJ?5I%jht;<
zjA*)uRn-jPcL7{t$d}qMe(07mHLrauo5n}T3WLZ$q0RcE>#}+VzTjbo%${DnM?0=(
zr3O_?Z>t}~TS>d|0Vf}2SvblzW4`Nozb?u7X;j(j{lKP$VXg%YdGXDt9D0m4H8;fH
zErQGMFcNk1`DCc?-`q8S1QS9Y?R`wNS9k7ZTs)}ygEyBR3AhoX#ZMK^vm8L>O28ch
zh-x}X<}|W|uoS)<s{giUtDj&Nt|b1SnUeiOgbeLJ_-|+m1@jjxgE#XgE*{FJlT$}q
zQ&*UM-f658so6~P>64iKN{I|FMs$DAFJEvftEHz`mP@GQ09Qq+H8nIaqBjP$E<8tr
z@PQ!YnQ(fGlZ8ln!<c$D7|G-HhX0Zk>*b?9-sX`HL+j1~>)VPDaE{%og2fcuS+9@H
z9XLR+(WQt#CEFDal}Mz;K5~=$^g7PD+jg^!AfrUa<kK|+L(h>m;-8|90-Re{os<@>
zuYaML63kI(`5TvPI%r6b<V60XP)9&Kvthy8g?`6n@!~>0b$mQfNPM)MBI(>*eBd+6
z*4HU$9rIdU8i%ETKDpNFzMew5;x`vCjO<sP(Qh#ys%lWP0Z%vHnx0+R!NR@9G3UxR
z;O{7WTosEl?2lK>bdPubMh!4R|Lb0k(dYcHm%Xu>t91_l=Qw30vz7>#oS<1VQ*K+*
z!To%Q44OOKSOge{^On&r^<m!38*T@|2WP-HuFQqNRy#45tl;<Mr15tjY81`nsH8&p
zi0pNz7%V<QOj7Hx)TLz|)#Ae(iRR^%I#=D+6be8`&=U;!g+zxxfM_$~_smshmt~o%
zWo#$BKLO^jb5iHgoB$@0yjNv~KbblGIiih!IQj~+h?S>QN3Q7T%pknQzFg%h?9;r0
zty7YzW2<O=3WEDQ;RCY)65TeR$9TDg-TB|SJ!nv&BPpl5%11^&&$Y2!oB%w<=+gW#
zL3@%Y#_i+G`j&tfQP-Wx99POjgS9kB5lom8|LyCz`{MHKahSxCluPT{sFd(nBHFGl
zLqZ1TQ1ncbT%QV2b&|Y78dp>^R)Hk@(#SM(#`=Mqp}kl4^pPj1>MnED3i#r{?R@@W
zAd(}YOTbvF=xpw&!X^axJ%urvN#clq&EMZL84(|{Fn9R#*%I$F&*0gUE%gSQf~(9V
zGwd)kc4%P1LeSEqUA41gS>o6%SimUvB*p!6KZlcBF-IhSw16l#J16ft195`Y9K-iz
z_k@S&oWppm-09ai{wh1(N<6^PX4EE(sDy1g&YsHx)v`;2s4SIX{tweJH<Yc!ii%-F
z&p}PC(y4DVvEC33Lit$JqB4z8O<079@jagH%YcHB51sA5uZv4b*j2!$mXH=wmDfW2
zPC(sc)34jVp9^t!lH5B2jxX0A`3w=%3Uq<CiQbMkFI%S({%0L5xBlMIEI-5!E?;zv
zP1KM!#ba2+*iv7EopGY0_f3Wb#t%rEoQbyn^HTF^0j2xSEjv*=s!?1cU(;8<6!$du
zWN%6Kbz>42;=tw&#QwD2E8>Uw-TaZxt8~}yZulGf89q?Kh*%WOG?2Jbw~Z&{_3p>8
z(ZfS?EwofMDrd$sytc4HJG_A~5eBh^xs`^KWEu@}+J%3&uXc)r8}t&Rg-wXh1hU&Q
z+J8F%!0Bp{Pgi3n5bm=4sWcKsN{Tz)`(`hV(v?tULcFI3i&v%=`-kE9#8!FF$>myv
z2ZI%96P%U=^YBvT<3$>Mub&~VGjj!3Uc%`3+YvL?PPtxI?)suePlatef9K&yt-jM5
zc7k)a>EsH5H)Z&EZ@2d?(+0D!*OeKpue>$lG;5HkUS;p6?N1nu%Kn9)qT`IJ$muae
zC<igi%J1~EwpDDcp7=EIDBSUts*4tFT>Za2hLxWPZ^$6Ry_R)F`{bhNcbH6H9}Yg%
zt|aABOB(NDUO%dx4(7zPN~6Vvt|RqrVz&HagH2@J*xc>~D{E~oUurZ3?c>K{U3n_X
z1a&MOGr#&u=)Uk*QX{o`-TkJmgUc=iJ)Uc_lhC>x%pC>}-ySwBNx`i{Y7?y!rJes^
zH6kzl)c$QZrPy%kc=UvqJ!XCXE$xO#@U18sZ-Lg5+9+#R^33yY$_^9Ry;m&ey)LC?
zelm!rp(dmT=S1$+us=wA!?9@^GYHQ@?vsGq>PJUl^p%wS#U~IC{!^~K>MMq<wN6js
zonzJ*Pp+uzM4=Dd=queE>QBvNTA8^~pKJsSBLA4ggakL1?^!>AM>-LN$cZ4f2PcYK
z<fA|iUq@5_8<jO>PIid>8<hFcE~i~MnZtWOEBc<!B}Ksx0ys_n=lX0!%$z=^Wf$|F
zV5<FTq^cp^F=j&!tdzdei!TF`vx~lFP7z6-f?1uv8p~qWah&M&35{A8UdJe?-Uj)*
zhxnwpoB856a>S9Y>yA;iw^a+Z90+*1xEhW24lIPDejjCGKZ0ee<SCVdOGYBO-<#k2
z){u2bu87Q&(j!IYaT8YBe@aMm5Ff(?2pLgb1B=aj0^R=UhFQV!rAOmCnEuARLtQAv
z*1ISzfw4kpzarDLeSeW4g(ul))>FTPtmH8*6xJ8LLIj8oYlMadu}Xz(F)LTfk`Z8F
z(v{r5OQC)12S!<?@`~1~;+mfTWvzI>z*GQC;6q_-f~XdX@=@aABXwpx(fu;4h_s7F
zk+YPY^ex%9-kyQ^O0-EJXKE55Mewm$tmkS=l_RFjOeZAYJda=5_{Y>Gu4mtyZf>Rh
ziY#H3`6_hpV8Yj4L=RIUp+18w&!A~>g0ZWm?>mF|CZ}S?I?V0O)XVLVo_@;KloQ9P
zFB16ryRfjcry`ks4W|LVpNLQog0}=w);%DtY(qz0^&eN-h|uhf!m7#h#?u~MO$G&|
z?9160XN-5Go!!Z+n;NCQZ5VT`$Z3IT<<_SQ0@qb_!w10X>JHyD`mA%Wq+8PH<g9ap
zk*t|vn#m%hL9M)DJ-FjZwwmz{jUwzG_agiBMekPAtLqIuLK){ik3?JjS8;STtkXTM
zDtp&i${dnU3-{HB@$)hQ@AAyPVS$EbmzQ{n{R3q#A(gaEBH*pZZeO<(;H4?>K$O2t
zHyo26bG)+W(~e^yRizD7cB^({C)=$yhSk(GQRI;z);82lL?Xmh=4ykbmtl30ozQnS
zvs{1?{qR?4AX>$S+(-GoHBbb?cOcw)xTFo=IT!xlsooFaZ+t#Ca;5u-wR%bUASl^T
zrDkZvu|ah@o`-M4V#7!Js$5zuB?U?y;G`+F>Q=>hJ1rI?(4MqYzE;jArd^5ML03YL
z2f{gn_hu8b_KFwJP8@=f`Hc&|z*Ie5(9Nm`+kZBhE!H9_d=?+@WAzt2g*XR5Xwbz#
z!w1FEN)x84Sa7?p6_c4z=Y-kcSB^EP|BT>ZHJ%U}GS6@&rHn+9wwm+~8$DYk29_v`
ze)=2(CDxNRg&)^vXP(h5N44$FKPe$(ZOXw^yA}PhJ;=$BI9>pEQRtZ_M4FhhTLw8p
zM&J|jHv?W>GB_R4kTdNJQfaSvuam4Hi}f8@see~?M~0~jQq~@S$7RlXc=z{^Sen|V
zbXMk}muz+{YVZgW`6rgN8S?`e#OtQD<TmN5)mo8X0l3q}D@wGtCUm>@FmbQs&RZLK
zJqTD&|8K_r=(H0rpT_=EQX%-G0!btd_bk`U;Pme!okBwGaa+{1oAH->^st{iSWw#<
z-`chIXrOP8eX`H8`(^C;$q)|x5net~4~DMAZ8>BAh}*^Q?81hl)>`Wha#($7D5fp7
z0bwX4i(@pAYYE;-QqUu~Y7S~pac%R~_b@lUOdzIg+G%8=2<6{|*Obh6rba1w@&$hA
z^Yi<4H{YP2HoOW!yq+%GBK7}{jFd-|WVc07JNmfIk+?iLGCW=ppj>UT2??D8d{GI@
zUum`c&uPGXr8L*yw0zyPH2V-f976C4G-&@@rTNw=^MvM@yj;tIL7L7j(6tbmRWCu)
zG-Ja#e>pSz_xqIRU-I+eyu5M16?;(Ka@sutl3h4`0m{j{9^oBtZvMfjII(ufYUQ9e
z+D7#y8P{rk<X^gyWhm>rHN1DiN=Z5CnT@7BGvAKdJq*2i8z>g?sn*oY^@>u*%Kx-&
zHR&8lz+vA_Z_w$JM-`5a2$)s)vOV?U7k=~1R-!_5Y*zyJ%RoV1bpvQQS3yla!&}z3
z!!bKd-?zd^+g=1}MEt&noGUN~V2LR6ug4RN{e4B7j!EFW%9;m7r3U?|abnuKRhQo!
zFz=cQ=%sGvm@EgAb~YDi(@69r*3@4?D!-{u0th%1ZGSzRWxEvM=vIhD8?QfDIp?(Z
zcIxh0$s}xId`QbitVFl;#f#;0-{vSAvUzx%A;sZ@O5GoffdAW{4gS3Q*>i6;kGs_p
zF_Q>EtCxHi8N?{P#wc8@?1$I%G=UnSV`X+7O@KWzYqqI6p|>;(kZE*CRvZ4sO#HDj
z^kh!aAl2CRz%}t#Fnr?O74bjP#wk*cys&et1DKPB-4Y@~L4M9ZPv9YH@tnR+-O~k(
zRfhJy=sQJc0C>x>vackNE`Ae-tr_FdskYw4<@^lME}3DY+3#ekipI=|I+x=uftl4w
zE%zbiaAa>#wLfd`xbJZb{+(|~w^<@cOE;+MHh6NfF3JeA_o2+$7b0(z+WF^jxZ{PU
zfC}<a3VvT54_@E^CVsx5KTQ32a^KOqo?Eh%C(=maBA;rZv%}V=tuHdF6;GNLwr=iL
zx1G(T;d2?7QsGYng!$!-&jIS@BxZ=BDUm<>d|Q`A?76}MC}NE&CYPNuo7Y=*nETt6
zOH`gLV7AG`ZFgQUCPM|)y>}{ahsGZe-Cz3h;v_Z4BU6&;qX+m!JeSNK?x&9BR2@+M
z?7Gb#%Y_#&@4jNcZy|{JFP;c5lEjWI&~Qu3cp!>U+OG#Uw#In~gi-myDfl>x>d*3M
zhxCf3zPPoye6UW3vXFC3K}#`bOuTVi;&aecFudAyOJ8=Mj;J?-J7bu6jRn0=z9rDT
z5frgRja&duq2Rt)+HQ-TRk!q#{ds~fQ7J~AJpMU#{9pZLpp*6G(ffFcyHNROl+tdg
zvyGi?bLEdiyV&x|&Z1t$T2Amai;%cXA2k-*a4cL67fIjDS_~Y&LrDGX^22f%nHZSW
zZF>3^OlmJcg7Mg{SUN32-p^G;bm@UVt(kA2$t=bt<b_{km6VRKcmInFxc&D-skumW
z*}{vf?JWClaGW5UQ?W|dbJA5bsvKvhLxuA|8`XfP!II!N_xC37VlTnf<&iemTh}j;
zXBUkI8Oqzy2}S7rx3*t35LBcEsKmAy=J{xAqc+*He^e~ooKqt&0}Wc(@QJEyq5_&=
ztPWAkdv{|mZvn#X8y1{+P@A=zZm9p%%NWIsYX(`)WXr!TDe5OhtTNHYPyZvo_9m>Z
zXpnzpF-PE7LY|=Ppa)4%hfToy{es^IYMasMUSB^oNVE6~{$}#T(5YxpWdk6`cq{mV
z76cG3IXD*NIWL@>y1_u;+lPMM)?A?4mwpMf?CRqOVHNTEiLWozbwixqKfCX%z2!YO
zm+gJu)!zv_rEyZo4#OfwZ9kOU5=@g-6{)E;ttV@{8k-_osHvu$EPKOrYJCT<v~G%4
z|EpqAF-AasXmtNFHp=<^2)Evm%9hX!%@8wEu!ruMZc5v=s|u8#)DsWCmIU>}Ifk)@
zZ82;)WN}}eI5+;onL9><M1`L1GW<#UbkIk`bZo7S#M3(-A&)Nf04bc$IX1qG>1Io!
zfua(exl_9cw=wjhbOkt0A>!}v6S_OgYsT-@aM!BH3R>+x;e>~r<r8P8?g|Cca96c<
zD3+9$S=+h=rL}>(xv_ky@x$)g*Ez-?c(*N!U_`W6N!mLBBFw@CA~#dx2ueSGrFjf8
z+*N1hPTXYB1QXMMI5b`kwXimSKlNTEY|hZXjkhwwvA5lQcc074J$K8!y1MsQ3ThHH
zjZ(I7>Sn^y&S%1x2QE@L2qqK-mxVulxLDT(TwB)nCby^b#pTwUAqUmvlQ=D3p*-pT
zhl)cfKbPFL1RTQJal09ci_u-~1%084yQC6{6qbs`(?j)GdLBC7_=0=77a42+y04aX
zG2m_Tp<~8;>vnwl!#ohjU{0F)H>f=l{vdk5<*lysd_h>PBYmz|RLVlA-vE}4LQ1FC
z_k+qP38t9{(VtusldHjR$S{n$J!ftyO)!8r`c&!Ql)mzng<p|97>yegl(M*@p26M;
zVUmKs>n}@PF1I*2a){<=F2ONirKf>bbxL^w_e!+g|A+Bg5W}-KT5n~%*Q#(|khr}-
z)(MnYx_h&OcZ?&v%bxF9fug%<#@+15i;KHa=haE=VU_&TyhFR5pxtMC2thg$HO_~U
zI7w)E6)}$+v+AJ}PL53WLn_cIT&_U>kH$gx`>iQ+IZ6yy_1||gwp9!}13q83cJ?g+
z40-0Kmw-U|b%&zF>#Iw30bmY)zg%e*V4b<UU@6}8$;@kdAr-&5J9Ct8@Q627HLqIx
zUQSE0gJ{d{T*fwXib}5ynO;-t;p9N)oMq{*ew&*qx98<qXCN;pTIiwi*Drv<jX8;b
zO<)h&EwascRlM;nGJJ7Efi<6*kRVPx5;U{mH=p!_ni12Axt}X*uwD4$hOAG^jaAE+
z_LU6lwpo9gOXZWa6VLv5^u(E<W$Bm)qDea*0!Xb+aK9G0CBrz$L7{Ga0mYF|k}K;c
zm|GQWtkpQPNgH%&`LA7!@hU4R=Dn|t;u~-fG58w_<rFyBtub@!Ah7Igv?ng{84f!m
z8@@!;>c6Ff_%OVCF8*G6!M_BZ)V2Wn!0!1X*UDEftau0`OD`Y}sm!NLYo~A==A96n
zI=XIiS~TL#<*fWB>v&n|Rf|b;W83T-cdT!&5Uu}FkhvQhFijX0EaP}YVNwFDdn__*
zj~hR6DPYStT5l?U^)v8^3qX~5IYdu>7(JvLBT+tG(E8o}6?Nr)z|n|=_p={3(Au$$
zec=CQ#$gNX+k0NhdeW>LC|o_Q?I!}#70&pP-QT(r-8Zv=W&xDq$l~b}9mzxppRe;1
zz*}FOBaItmWsvE{hFzX4C5j`m1H4u}vo8~O#EaT;6PxH0l<ln6IH~U4*DWjs%pyw4
zS7Yd7;20#D5ag+xJ{snjmXFjE2d=MO0;Uv!tzwDKmP#$Q;?<c+w`ir=X>u<{&;bsn
zaO0Y<%gMFk4K2w5?-p5m35QTr=}xpEQ==r-@)H~Q)veFQl;++PH%!-Wa8o1W&OSTz
zIC*TPfvvcd%Jf~0d0bZ&FT`)g>$<UjV?8LkFP$HIoX*3&)&?DBrB6&h%CBJ{%lrb4
z7yWuWjwGb3kwopRGA!`?KiIzV|KM3pN`2<!l*Ya=^FgXjJF<D#e<uXjIVk|r{S8Zy
zc9(08y7BY*UdG0|mm;wYsyKH1o!7m&C=CW)jRSWz&z!1o?hJ>Y0=0EB{CA1Gb9-+4
zl9F+`7W~03ET3!n6w=QIdSrh!ZY=L-Df^klO5jC|he%p{VLl79^*#$vHa-grUgtDp
znaZ&xQ?!mbzJu^;@y*5Uo5xq&&_vp?Gf~2=U}(6RxH$>2F-4W{QvwPCGw!5HYuXT(
zKwpk)iib1Ch~K2I-?GQGE_M!#W7Vdm1YUsO7ZCL36^Q5v$_0HSY8OI($+3P3mZ-f#
zXPXoPnr3`^epWS$>DZ4*Q9dFF>U(SJqsdS7c(*{6zQnKi@3gtf&K0FVdD1sPm}%>D
z5lXlqB4&Mcu!M~EB)rQ2wHWt@FP2e}L(fE-$A6!|f1Xwp%TIXadm>MRRv|+S7R};m
zAFU|Rw?+OWark`BCv%sVugbrKdb@C+#Th%h6XHvh&^q-yyo=CtrTMd(^Gg}esBeWI
zg#X*-qZxbS3`B36P6XjS2rJ%oHczd?x+63PuM_{Lvog0($O*dv@yrRCE9wIE{-%wp
z>IgoJ_+>S5>_!rB17RbXxd3Qzv&j(BvgQoRPiRG8_{$&^rH3cy?GL5uSeffsaYt}o
zO&{Y?WM95IwrPPK#p=Fh4yiBcrwF#h<Ku7KNn?JxLXg+-r}lfQpLV=?)*M(&oL$O8
zS4Kc&bEjb4cwi&S3$h)VQBODv?iNi|^1f!a|49(==W6A8isr_f{Bx5jo%Y_YIInRz
zQ`o_o=n>7WS+2@|=0ObREFWl=lqg9+S&TSB?Una0$zgLPU7)-eldf{yc>~d1cSuux
zS+04F^_POo9@llF6^eWJ9u7B>K8E!mzgzgnI@Cs1rAz+lxUXq)^7mm<ZuwX>ELL-K
zD-HcBt<x<IQhV5$+P8ItSHt9N11=<!vATv`1edb+DugwCr^-=Zin4{%OC=j7?usLm
z!|Ee_unP<(ESRbptdU^;nYeO3_HYv}oY|pc<YO$NJmt<t7IvoBQ>6zmO{&p8wJv3Z
z&7~ZT7{CtKTOInOKMsqQr>to#&Ng)dZd*x#z3KisVyM&i#MvoZi!%<zTG1&QzF_d7
z2g?9vqz9yD3N+gq$dGgSruD$rs6qC_{Wzqvi_tXP{+J`?PG$oeZ#V5cv%#BS@Z@tn
z%gA~qllwHU7PPZSNT7E^-bEn7AT8s`qqW^LP!~{uDb6b6h*HYKG|q9asj91fE4qyd
z$LxX>z-wCP#C2*>7dgTb@K6Ou?@*<{gq#uhsA|UbBJM(umWlLPWE0SmjE%7oI-{PT
zrn?xm`X6kAloD!Ss$N~diu?KYe`gP?ZkO+a_SkC9^@Vpg)y~0>^8qlQxGJ4X(qk5$
za~b!Lz0-?V5AN0bbH+Dk?%$Adqnl$y;k;L*0wsgvMLcGVS(-_G{@3Ldt?-FI7k>Bp
zM*dZW?A4gl5hstaM(&BsrwEFOC2UT@QS<KpD6TLs?I0Fs#&J?#cB{Bjp@9A*;e=ky
zFGt73d17T9szWP3D+3@_S-qwJ73yZb258tfnKlIJpy#|7mAQ`+u)LFhKN`BsgC=^=
zPuksIJH{7WIkZJNHY5EI3=o!!9<+3N@IYX=isVc#<+oR3{w587-A@v5E2an`$yb6q
zrva?^uCVPjG-7atp<$S<ea$Mt<wcCIzquA=YCayY?21{4fakb6M>yxTj`fI<nRLZH
zW`2@S<(dNMq3M5Q#39xnx28rU_h`LxI%r8ES>Eh&C%mdxl|lZFvsrIH!Efo6A6Zag
z=99R$YjzsgIv9MES4a?TMlx9TA+jhtikpAz$z|aOJy+BN<3TGiZ#W`}en%XGu`)7#
z8!Qdp{RKbIO}V+bQpv9W6JFRC+XqzMtwVFU1K03I{y;~uc#W-AyfxjV!G**4-4vx9
z*Ga+Y0<^hMVk$pq?E!MUM)LBRqEB)CZ;=b%i36VfyD^!=<FoVSRKgKC1<=o1K@oE!
zFM8ZSM=>u{v8Y9Tk(B-qsH{uT#>QdckLI;h_s-V55ccJU@YyC0&kong3KME4e@|G_
zzcs(icALKHkN85kChtzmys|&F<$pU6O<Ts`KR92Orae9PlExlUwv^LwY@SNb8E^JK
z1+40<%i4g{Gs}t|?c!5kN~rAB@iA`BWTdHw@~}eExxp5J|2DAT8A6V4@nAT+4~A%u
z7UfzeC+;(+I2P&Rm<TCV8Ebt!H}wE}%5oK2Nir(Jhev9MHi>$K9T@0W{wTOs(weiH
zFZ{268;2@i=7m?|g?eEZHe$}!4o6YbNUvCj;Rlm`Wk&Z%4;}?lrzw=F9nGc;4JowW
zkeVNcx$x|JqGqMsCce=xdD<a}_^hDlnpz~`MvqZ-CfQ^*@VP&WE{Qe7wa5%sK*hK(
z%L<tKLU-A)n14cv$gQE|VY%y8rAh>$rO3iAD$AvF8*^rUg{MkJ{zh5zc{?SxV@sNU
za^zDi!r5jLZE;-}o+(t``KMRl=)9dzTz>wp2rHg{!_l>C2+@Bgd+o>-9JxF*rL&fy
z4DVTFYi1$8b`mN0Vj)3dcn9lcflxn%e}(dv{lTp)qmsGEtuJhWTpD9*?(bs1kn393
zl@vl=!#q_h6TU@DlaXlmY}(|<VZ}LUv7us`_cgRkmZG63npwxNH>7XMG*avGYtBpe
ztN5+os{bx%#yikvc%$1oz`?tHeXG~sAwao4ZDRB5em!EvSl-ByZ|$WDC2LG}$4*`8
zIM$lOVp7t3;Mif|!Qd4`{Y9pWV}B4y(5gps>&KSzbJCmd_(wjupiAg>1i{{ZP{ZGb
zH$GG2u=7}HHEwx%dBEyGI-YNIQT)j@Nv{vH*j6!u!%%c@N##1TwTlg(<26^mr2{xw
zNdA|D@f2U~41d#N^cukME$aRbEv+n5@q!?%k8?w>^<a4lW|-fWzzv93jPhW+Ks7fA
zi12l&-Xcg5>?HIJ^K7N;*B88D;I$U$lG-?2e0fySS<U*2!uwY2@2>{*)i&0i%?&nb
z?qcA)jI&Bvi7IjIoF-<MOg4JcAT^Cam3&x)m)u-XF%xvOyp$D~O!1HTCI+)s3_huy
zA&eQA)R+dTlLwZS-Npwr&rLNsa=R#VInU%QE}kko@@y%qM;{IwzaKs>sNMJ9qQix6
zl>5$-_tp9U>p;2wt>!zX*9~bt5Jj;9RHm`hJe;FI2D?au@&!yYC}ryEEe0qJHNRp#
zEiH=!y^gs8cO~y5nh5us%;v(;$^L)CmfHEO9va>b-8|szM#)gG&_6+65)g4ux1=T6
zxm<UfhX9^2M%WEWvhbmJC4H>DW8Xp&POYiy(`s9XU0Aj$Ds$Y^`EikngBjIg_cGrf
z242I?C{35Cml6!TZW<Ac1k5h}tB>asGEbM!i?Uu8eZXIX6shjA2KI{t9rortB4ppy
znSs81CufUI!J-&=fuIaQ7!-Qa^_gw}XB{kxFjo!d;uSAvH;3*bXYs=alDY@4<~#SN
z3P?htV$JJRarGNXZf?hCS^Ym-gKXLY)FE1Fu$PM=cUD{Wj~UVhV1>{aJK8+)oY)S+
zy4rzQ=$5y!^2b_8y>DlWIH!GDHJio?$=_oSt71;6vT&Hg$8zHO9Skmn=9w#vR0kgi
zN9^P&+5<apZx*hNt1OF##XaTL@>j-rrvwJUy0)^2p*n@XC0c9c&HDpk!`XyL`Uj%z
zaz$R!{6YgoEhq&o$A*n!>{f_t)5DN6g^k}z^3|0hYxAM7)WJbHwK!NG^fFoK5{_I<
z3}2h3;K|%O@ZZ_j)W*_KUt?+%@qdpWr$Ai4>EuYO?cd}!TCel18C~cAKhJnCb>=b8
zz2~F1eHKWJ@=30)&*_3nx0(lgtocHL+DS_7OoI<-6D$3^*{?WSKYy4*UqGX__T&cc
zb2X~C*7OML6*K3}V6~?1<oya+#QT=MD(io{la#c*tz{3oNlNPNeNG7L*+C1eb&f>z
zogYAH5x4u5U5}-PT&hqNkM?R|CGCi5E`9x;(i6_<AD{oEaG_1dJ)s?>UwjRWZ;>rS
zouf8gJ7)Q$PAA#iG-tr?5#1u5PPo4Go_k?XzTPVpavV!=BS`+zVt|zR7IoAqqeYda
z)7AFuTPGCsu7|qLszaevyMouKSE9imU6rz_<mk7FAbi)RSkXoW()IUB0NhOIGrky>
zlyv*oe7)xzr_Ci_I=YyW{mDEfOP->{TJqf@+1pSN?guoR>yhQvM$p6QI0WY?>F-!L
z$No&+UZEpzXD}sSiYF|5TWOTw!v&IWX^A>>Le0M}2E9m?ZK6-z4<hC>{|9&R{?KEZ
za&&b4Uijf-b+GmbETJFmZT!}sJ-b`ZDix7DOmf(cJtF?_lDi`yee=QLbxY@28ML3U
z4zfid;+dO0It&gKnjRbtPH}kG2K5GXUS?Sw8m}OCM|jqCOk;bWN4U+XM8yZ|D)+pP
z6d8KJuW@-C9+RXdK->hbXyd*+6%wf-x75J-?R>eoPf)>#3q}yQIKj20gS7O8JHX@q
zWreeGdBSxs_q6`UB+6-+S4L{w&Pi=m!u9$m-OO&8$4ZnLheuO@3V!EKcx+Ino8+i%
z&Hs_np;r|!V&}(H3@9UR@3yX_XpZi4p71yZ8veCbCCcv(@H&a<bn&@~$y%R09c0iZ
z6!d`$91ynb7!fXef;bhpS(J~j7<r_D=-jzZ!dD=NffM1)`wr9+&vdT*EFOG<z4AnD
zMnL-!H-^}h9S`RzzSJ8x52X?DMUL3$2jSxn3!_YFJkIE&qZT#MpW_oYbO)!q*@@9N
z1?$;S1RL4B{9oXk_}0g{X|`pX=Ik;&XBy~|pLxq+5Z%pqlM8t0Qvo(RDWpx9$<H+Q
zpp=hs*3E*r`ptrt^yH<3s%x2#TA87UHge$Ydf2W;kK3`(a68`#VOwtP-(BY)dI5io
z`*4zgIBg^b{-*CDJAPMF2<6xFjh{QFhTS9ygnrWUv1RUk4E?R6;c{I2_quJu3MSmU
z7{oytbG4$vF9FKuMk1{_moXQ>O(Rg#rSx}2#hrl3oaZ!;tX*?Zmf7rtC>UtC0MVe0
z;FtG)SQL1n`hNbh()h0-a4$;j0QH2>;?vI(#zT(r8hPR^&3g@37|(grYeqMTT4Mmy
z1BQ`3;p;l4tA(Hykry+B_P8fhR2&ggZ$`YhllK|)VDLf-k^J_}-<4`>kw?-)tXS3H
z^tr7+Yx5fE3=yj8Y24+l<p%TMK{vQh@;u=gp+S7Y!oFn)%M?lFJO#!tz>Eq{mWY;A
z@}fk6rcR+BAY&;{1eXQ;E}DOe^yWnIane4>x<7qG9hCbV>=uBUTz`!*T^97*8eCMc
zUCSyRNri4kzEGFB`>D4wTkh0ztoY_@^yR&VQk<3lOBjHp(b}u9vWI&crRn0ON&E+3
zRX69tc3!S}p{TlExWy<1dpBsY?U*3l92Bq@3aVRsMO9F`x^2|+e^yo?K5Hj~y<B3b
zUajO`+Rwhkj76#GR|@>?*}~DFgdW5@FO#>GvbQsIV|}X0QdGbuB5qk(u-|pLbnRTY
z!PzFK>X;qul2xbXj4$vsX14k>^{H`7fxXpv_p`+y!^<1RFx$zzi_`JxHx^$4GgHj~
zB!;=xpV-5;^Sk|2rQr%c`H2pac|u?elg|90;C#6wk*tE(+Ruz<xi&4w>WqP}dfKf%
z<Bv9SeLh@`!}6-N(nC);_5M8jt60W8ZY)kcvCKxg1ZVR`vQj4sfggc^LK~1!{+8&0
zU#d*YMMQoWx?@eTFYj%_U5SVRMBUxx-xWcSn(xyp>XF>H=KL*#3UL>6grVu>rk?)`
z&_FN0c=L7Js5*mdI(CivLe}hJSLdc4*Ur(wfk9t*?>5k(y|TuhOZTtn(2UXHG+mf`
zCc-+!j@R+|^42#UDC^MfLSfW}MyqsawKHH3fDUZ{bZ9E_K0q*Pycwv_p(TN@xsB=2
z@-M7HbH`*VG?%udLd(fDXzq}tL38I4UZO#p?+Oo54cc(nnhbl02F)AG`IrXnRBk9<
zNX4unr=|Gy&ZHyawrR{`VWL1o2y|$7llCRh*g82ycOD&@|DV*Mg(?~HN9UlmX{00E
z-DU0D<{Z>_yBu9%t6-n^Z#h<0pzXp_{>Z*9wDS}{3<@+~_~`M>QjaUNc+J-Rx9o_r
z8r1)To<gr?{>in}OJ~^-h0X45G}n+P7E>pDz65>IR<Sz0<QiJIhRiipMXy2T&al7Y
zLethv4mUfKNl!Gn`GFz*a46{Wga^B4FJUs3M3=1g?^Q2Y6L=f3<-Uy25K>%aLWms2
zG|vvH22ASzA}PN(`lawTnz|1;P>qy&>a$X1)Pfk!Dn(@lsV~xss|sz1xBR<!+m%-q
zKlD>z0KN7C`XzoIu3hCNLxY0^%7ubHt2c`k*S<j1E@&0K{Mw(m5^pPh=t@D8@Ou*p
zub*(YB%8ci_#hcUQ4~Y+oT%V*!<^%oZ%LrklF*={YS~qoE1UM#hBjx=Yl?^5ou*;$
z?w;^y+HUrR-FihQA;&|=`fi}VGaikY0||$vFO)IH2BV&ADwgW<00;OyJA&VUpJ$p2
zpwUNZ^hpkUM!vI=e7PNj#+Fjw8dQX{CXJ%(x>m`dXE$9yPI9-4M;o+^*08J7G~!!H
zQUb~A^UGT}LBT#kY1HITI?aSq!B)XUj27{&=rPh48dxo8f!Bi8r)e?h<0i$`q8Z=%
zsVlDd6zxmoT>Lt6Zb)$h?L*}6H`q10@eSyV@Npguqe22}5Rda>6+t=8uLwm>Ibu<<
z(H;)s8+vmu9m!gH6WHtY1nG6g@Ga=9@F2gAn&-gdrGpzQM#+A55nDLm3`OxRa1C-n
z*5?U5`0a$Akm4pvC;9sghLh{#4+#$v{APyVT*B8bKxfe#1&W|^PnR(KA@oKR<`_Gh
z9%HpD2gq0>(aVfyBIj8loGX}><_B)MC3W)Tz#Ep|5WM@%++U2G{~VmJfb+@!X5-=H
zl~*Qj9SFSn?%*4i*%+tS$FC*lhZL`%bdtXxVR)Y4Z({f@48Miq2$O#GEo{Ld7OBT<
zh@Ag46f*XkZ!IsA-|}<F{^B<No9_^xOJ9xOc#Sc9$9LxEQRzJ4&-Km|zFv7=!+rJ6
zYq+)YyrvUy9z`%a4;#I?rW4PT#GB+yPTzOy()VF@J<1bKA8FT}()@`2Nan{^N%hWo
z%v1!u96Rx8q-XqZDe-@u&g@;*q*t%^Cau<_Pp|hSU#|D3osJHl!Qks~IMaST&mnys
z{^i;uRdksNU21&x<r5P~I#0;sUkazlc{aHpFV$CqqptKLAwM}ufMWNW1%Gwz>qy70
z-3-?@vUN{n>mC_Rr+$9S({b^omu9n<UV3qd=h)AGIW&}aM64<mF-qr$hS>cVNZos@
z@C<5YZEoakHm7h!k=}0(O-u|;_vCUt_Z>U?@|T}I<~jJi%P#xgLHhgn+9G-$e&57@
zFDq5tc#{2gnq1{R{!0(L4*mVg+Hvd>9z#lGCT(fpZGmtxdMzqylh?{)mtK08xM%2`
zZ;0i(K8}73zr*mm#`5pz9*w+0mtOkVT|>e%L;rXWIp*Q_E1)>}U5+3H_B#*Tvyo4b
z5BousDDP=_AE?;TNC4S^Niqj)YUme&{?e0jwTYtGWbj(8UPBZ4*yc)k^5%fG!Q=OP
z8ms~HU9Fy6#GZ`BEgHK~GpRA!G}d@5X^-SQtwa7~d~-*>vsuxc&2?;!C;jw!v3BDC
z&|hx18S*KHX-{VKtI2y<qMyfo(1*$dL`dDu`ZU{NXN`QTO#y$XlF+<6UEP?p`!0#d
zT$T{onU{zxHOZ>6u_oCymQs`WxHy2vgfByFb?EQhbB?ZQ`mCt_)#9(-As+q5-SjuR
z)*8|Kgx?^M^)X!PW4f$v*TUb#U;e{FFeAC{!g;PMX7y{oUi>w`u26AZCBL#lTGhyv
zMRxUt1)Rc<6o=1!4?j`NQCd3iP52eUSCIx8<Wdm55BVvZtP5E)o#K_@S7m#T>MvCd
zsZQvR^=9YrO~FISe(M!iSo@QQf;*%dO&`Pek?W~Y=Q`O>UrIG0$fA&x=~BET<&-jK
zCgN7X7}h_kyz4IIzQ()mYFrXLjr)}M+(W*dd$#f(Mr4rh;3S&O1$vbNT*}P;u<OA!
z*>%Yko8S1xW_oS-MEMw9dw}e9K1xQ*BpZ#iFKSs|jFV5D(%MWN7Y8xlcjzm11Pa<K
zL+jn}T?#s+BsIYufx@WEZ1&T?mP7eNo^flp-ye+hPxMEUA(xRj&E>Ya^5%le?~e9Q
z_eT?9wZ@Vf#oHZ0mtCj!*&Jb)O{eh{ry`+#tKDO<cpR?yU^+T#@@8CJAyddaW3W3+
zX1CLw7)quF&DyY)^kfs4A3uhlC;LW`v?_SMI(P&iyD{2>e5ENuhhMsSCck$g92(o*
zl~@v<Ip@Oxd-rnBz}Bp}IEi>)#0$JH+M$<|OLGTaDJECy^;y<8SERmAUo_7sk#YY>
z<nxf?TDIn2%Y9{u>??YN4-)(o!%xw84(WX1?F_$`<87t$g%?+xe=R*92`nGTTL|t!
ziL&P1OPlPKWM~6~qtO(&VJ1UMVWYxXTJ6oi)hC5Crn!j3^GMboYHi-%sInMZ^T|N3
zeK>TuJ3gIr+CuSwQIROg*55oZdV$X43tM7D@zvLnG{^db;r`ATnQ%b5rfUpB*d^RY
ztre(pWy!LYg{&*WeS_!j;58J;-(SPI3XnUbwd8e|J|?UVo?ApnTDu-6*FDA070YWp
z%Yw7A<I=ov-?=+W^Y-K9y8K+3JdoAVHEKtGNI1zZEU-24O18GCSgzcrs#TH2#X@DQ
z7S=DkY?TZXLRYZm=+SSd(|olgYaiPOv9)6mu3Nc!G(c7(N#9kf(OOzXy*hf`(9xsV
zvYJlw)s+0@e848UrdIJ+U*a!0{*j^LYZxD}iLTpK{MDEEOU}J)sJI1W18l0#-@EWf
zim!on5&asQ>ht%mA$%FVEV)j4?a#u)td?~cO`!2w(dw>pIvY^BMb1k5!%pI8+#@06
z*icQwYL&wa9Ip;E!dH*JXjd+`>qVoZSJU^aN4pPA$70imy1Ng}#9}jtMk5oQPIqoR
znC!PC^#OCXx2MAyGlU&OE$JQCEi7ESJ(=8o?ZU!!JJMaz+2cb)$7UjtnPWpk$7iF<
z_Uue5F_p3VES>H8@vh!+ldjwBrreS7Ax|38k7_28!#u?(6}zJBQ#bk4CF9QdIS|&B
z(?=M&I1)d9+oxaY?TcG&@m_CtDi%*fQ|E8;0ep$ZmG=6xKHahR`9dBiZL0(Kks5rD
zv$p2YAj@8uBTH$FymB;v>8vDd6NG$ok#8+b|CS|Z$C%bFOU$$dhINqlEXCL_JIQE?
z@f>WVAD@p6IbI>fOhYb!4^KxXb1qkIGE#bX=ffsbIPdo4=zA`?)tlD0Cvsk&S!dAc
zEx6B_n@J>Qb53V&Hj$XgIpgMNkKf-LGn-?*et%EY-1iliU*~GtG%|8Tt7)ZqF+_Zc
zaINqjy27yNPCJd8PfHdDI|~q@T7EskV3vlgV-Nr><^L+xRK=j-wQxI*lv`7u^GjI*
zbiCL!O}InTNBGUg1AB4vzT0=ltqN;w_jI#jq-R9Yj4%29)YR{B_r)_a7Z<;}dg2qG
zII$|NJNN*h`NQO?^`Yws&3%O4XqvneTF@EVRZF_SC{*Ai`w;HnE@{ahL=LV)r;!+a
zJgs$s{4xQ*Op{;s@u!)lT2+3840ZloC4q%Jtu$s5v}`E5u_UP!YBczckz7m{GlvX@
zgf%#rb><8~Z9r#eH|i5EuhtcR?Rs7u=*Z{{t~O1xNfix7@+MuUs=ZyU);1YhqXE6&
zu2rvRlz?o6Pj?YM=}GV0v(E0(T$<5>Z1gH&rB?C;7YZJXNeV%cZ*f{s@(k?&()z8X
z7>sj$jTSc4o!uI3>l^p)p6-~%8t-;{vTYHSP3K9cJO;Za62q6sTcu_(5rYY{r9G|I
zbY;7`w3=iGqB~{Mk3S&1hvohbpyRb#>!g)lSZht>lb^NL!Mlu!x7x(JwQxo{)-3DV
zz!T1c+Aa6$q~XkRlhA=&)!yOb^INyfxU5Ujh-G~fareUf;^w{!GD+6gJJ<Gzy~1nB
zinIkCMr6W;^?8EozImV=MspA!pJNTPvjEHoS=J>#>*Yamo}Kmb334pXvtm!P<^;*7
znVM6!pGf8Y3Wd3uhK4m}*Uex&T@H<_3rUy>zhn007xYbD{kENpH}2{P56%bU{Yt?+
z>M2Y)yQULeHlcMUZk;oy0w(X+@u|^M2l`S=mkh+Vc<no{ZV#DlCa*2(Z1cV+wfFR%
zWB0shq;vO;^J7QGeW8#mv@j9hHXhGJzkS5sIhE|WU@nnAeEW9dhZHim4|ig}#qm17
zD^;*YgAxyaD*Q?K6yex1x)^u}{9>Obftw4^IV2vESGqPIC$%s*7%yjlm$Uy{UTScd
zG80O>;H!tPTFDJv^6Jf#C$}WL`KeH(vr#aPdOL<lxvXfXRnW}DO}+Y%$KdSWJJfgC
z_O96Eo~(D=?u;yT=>jIJ%G7QOST%NMXwx-YcfaAHp7^E{ql5d0y)nNtJkuZDG!)K6
zA3SJIj3zSM2LtKt*UgO|7<9I^^&8vQEVfhaT1TwY<n<zf`8EDjxQ%ecjjpMd52_QC
zfJ`UJtqmZps(3b+HXb^x<5H%c?{19z-O6zXKhH(&?KEv5du5gEW%RR`pNvC2Ik3~R
zuuZ#pw`sz7m3iE_v`f2fpLx=JmBn+l_UbRr-#q^j@*jEo;upV&+itGTX@&$^_W}P(
zP|-@=r02-v%2oBkTOl<pPyDLl6|Du*iIn_XDFvclndO1TqCQLGEtOx?-K0~S)FdkU
z%zd}qcTMoV5LWl}M7Kp_%f%-I)ww_2cq7z_$NwX!_<Xlx-40Y$Bi5E?v%oyo*`F?D
zA8#S={(rsdK^$-WOnk23PNaJVy?vWf%cJ>pCObA;=s!6ts9If}LH`J8O@A)Z8*Im2
zL66r_e0wl5U8+Tme=e9w3wqY+AXN2gQG@Lm;-Bj;GdPpmHxY?VAIN8y9Ydy+dwA=@
zXdrJInpFG8kBp5Rn+ir8lLph?tvmMEOylMHvP!~NH8P-FU9OgGkbFU4+|zTORaO7r
z`sU$dv!uZKk%3fVanoB9g32{~Xl(rOh-YQnt`9)n&-=-JRcN8kU7_pA>Oas<g?W`u
zWx8aWR+ascbWG-AudR5;Pal2szXjFGHQP?FAh_?ntdIB9yRR$-P9x6?2NcNeu@&$7
z`D2d>s{JqD`3(fm_)p{+d(ftT@fj2EdR}?_dMch;nEzG%Ctt{sDZ!}0c%bLdbTl@5
zxTkNcW5}2ZOl;q@l(HTAn(H7u{+MmTVA{81%YMU!TYhWzbAAY|>^W?%!w*o#sp@17
zg(n4bA1m1>&$7LB^;@f}-x5@hKYs2{Pd^RM0)2(tTddM3scIC?XV)V|ljy8~z=!8*
z@_Q|cZ-CcSMh0&Y6YZ(wa-`ROX<*s0=*jv+tH#8bx+C3Fh~)83GHORVoj|8xVPoXT
z#(4zJdDUZx+O?Y44ukb(?o-{uF<E9jC1ITS$s0cSrBipz2&y0c@J#Vb&uw}O@5k>G
z2+L9Yd^AB;JD$akT=GYPs<^zr)V3*d9Vfc1&UN5%R}YYCFD}+LjGR1%q!}sMCq3;G
z?30-vCA5Gj$uq{cVLuN_-g@00pCYj9T9PTgK~QvTPwYr5goXxDQ2qA6f#06{)7SLr
z&b0oT?|ttY_Tg*19f++DyU#PO>r60Js|R_QoaQ#Rj&Pdw=4=WNP^!hS--QXWSG~1Q
zp=i12%6IfB8d?Zr|L5x1g{d!``x91Q9Y2<Ol<A#VO{17#uIaa~`rrGlr@Hr!1%qRI
zy9?5LVPJZCU}$Pe9hy2iGJIq*5S%zNJaTj@bl|}9);)W+E+3HQe*8PaGYvA;oee>!
z3;DLxFdG_S{s*Ooj&A|BK9<_lOJb2XC70$d>+T_aR~H^mr$%Fj2XN!gWRTZo+9&i1
zX6D~Bw=Qm8wZ57qyT1?a-=;0;D$L*s)5bH}1S>d0M|-6=P@}S(9X83C^xrF2I(A)D
z;@*Wj^rNwMSF5otvv7DPW!BEazuhsRyYuoAA1}XMAF?+nwl*~*SVILtMToSZ<$8RC
zXIs;;N5}W0WE!9*O%PDbG8S`<i4My7e=)Jx<L&9V`MN7MO?DT0^Amzf8yrgY%;~@N
z`Ojl*JQDLWz2N`gF9{ZuCK9_m{jBN*eC{*|@vQt*ui<7`i2Mdsc{oySKy?ZsH<rAv
z{yKDNxYxfa5hV)i0eeT#MB<3z11p|h`-ndfjrjYWnSjyJHLs3&7o9$z-Q{exwAlPf
z7g6AtBDPth!{x9zG$xhBm-hL46BekA@FhW2qc(!7Zfyjisy4y{Z^0jWGro8K{^ByN
zbw|diNUmu_S-D-S4xdy!{*TJ@e0<U+rDAQt@$BXv*U9coru&4eu%x#2?it0w;&+z@
z2bXZP_`}gXy*8-Rj=xXt-HHnJdXP-eCOw{a6Y$5CWgU9o2d|k{n_3kbgL-Q9gM#WW
z$xTV}?=O7qq`Dx1z{rcX*1aE?HV9y5RU^&o>Vp^wswJqAd*`WGehN7)l~k4U4BdF?
zl?kO<sc14ZjqD#H38xhet;)nj7oHwgsu~oHs-{6f^|#oT82R_NzeTskVq2qsJNKu*
zx(A%j0ry{d{Y&OwtU^|FnLNK#wd7iBI+3MjW?W^4Mk{Me6FEm<pETr?ntd{Ij3<sM
zH%nh`SL<6|dt<)YpjNcBH)XGV-CJ)QP#IMUmA<(bw-%4KlhDFQ`_baL;$JQ`#w?bY
z@lyWmKgZ^eLfv+h$p+dWEf%3?T{^6H-*atVWocEYE$aM>?|B$+y4Kn4a&<eeEq?rA
z#Qi)F{xp+=C*-=L>h%)lgtA|@0!C9KK^oJP0!)V#_8KD?{|aAKT*HcSe0=|S@h<8+
zFYPTwEQAzaV0mOb==W={u7Ue2ap5VzLo)msz#}sJ3BbE#`2B##Wcbs7r)Bgg0q>Tb
z|19ABC44PHa24Pg^!tDO0?uCpJTJSx8t|*?;4hNl9>A}W;ZuNLS4j`>EiCbEJze51
z_}%qzJvn}(4Bra)%`$ue@R!Q&|1{h`U3q^bkmDgX$2w6M?OzuapsFb=TeuZi%|obK
zcvdqiJ`sc~XIo&63i9LS0*zGB;3o<PjmUOP%sUV?5%`{Df1BCf>L9v@tB4Ll?>4Kg
zI*ZPs>-sw=Cw`Dhn!;Xd(~URM-A9AL?rt+0HT{}){GVJ~LG>r+$e;HJG)bHZom>}T
zp{maG&(tMN$i(Irk$)mTfQ*YKutzj;Jw_X-X7#Xd6hIQg%509bs2P{Hz}}o+i520K
zqCQak1=iqKedqrBpDo_|wn6M#{Lk=W@$-CheCiZ=c8q>D7Jn~|Mf^4TOnJNR2Rue`
zLa~eBEu_6>W)VMz>TQL%NXJ?n<LP&-D9oN}oGYSZ5O+Y^OO8T4AU8;PJ{}1|RL|$v
z(@+LnI5$^UTXW*X%i;>WbG^!@GwKg`inqjKn|jickH7-{A2z-p<$1M&|M)A51u|1z
z4#B_3@NGDWN-;t|7ct;|oFqKtxbPI<AsPNG;QccEJAij`oat-W`H%7QeG<MFA-D?g
z4EB=o&ghrnQGyft*|T#Jys_a;P|NjxM)#Mb`5CwH`^j;CB~IJJ@sJFE7Vv%<{siD%
zGW>qPV>0|{z|%7PJAij`oV1_dD!?;XP211UUjsbP&tD|?mxX5lk5pX$Z=xFTt2pjs
zd?@2DsyP35q6hG6WPF<f{JKgyfp1}nZzXzJE%y+iONIPsZ{1yDd0i$l7oQzlAcun%
zwXl6F4eBdt>zcW?j(p;YDq(J{(3kl&VueNiqQrp4WY_#%Qlcqz9&4LJr_wi(iIGi*
z9$OQiJOrKH*KRU2HIfOj+?Otaw%@|r&U9m}FMWmgrQR|wJOy}2hCdB>T84iI@J_(Z
z1UCb|1@|BX=RXU0zwA2q10Jiu|13NMc!c7TZcm5{uR)z?*ZFqvP?5$8Q9yps@=3*o
z(`7ARnriuyRa(B#It%N0^nR^Yl`z<CacfMCElmbXo2rf$P!L)glOxK8ErO`mYwhZZ
zHhqOokk2u#?0I~ZKaUQWV~DO0@C@$YbBslXCkg&Ejl(6^xsd5(%;;F%U0S&!FFD9u
zrI=J%RdGw8tKnHzVT$cN+IcE+J@Z@u69X%1!^<Y<q^!DTvSc{shyrqYnrR`wg<q0u
z*hK#8E#C0cpW>HHO-c1pXerJoS^xYRmr?Iz?WRuF;R@U@;cLGkctUsz@DRtpN$?rr
z8NeeP{{_Lb!V`dZalA-yhj2gOF@9g_759|z9l$$f_k9-det!NS`Sx>R4e&h2XVxO<
zn}Q1P47!ueHSx6&`W;)pa~qm#bbPL9=DQ9v%pqA_g)h(R69cVAtID-H>CmbSe7-P;
zJl19^JVko>Od;|752P&-;c1{P&1t5(-Tz>`eVq5fJnw^M!NS_|1RvvF+?OvR!!x)G
z*1t+TN^rXVZKnED_DsLdpXqC*>r-4f0r&u3S-V2IFTquSZ^4bQZhjhY>Pi1I^xqOa
zvhy>zk<lYE{C<vyl`(o>IL_#m{Vq!IzaqT$dv3RAt;$JWrOxE~0VR{OFhca5`KF6d
zhf!eFEO`AqI-a=9$s#R?hM0KnGU3q{J-&K6^6?)PKYaa2FV;UZGrIrk{qKaD?u>u`
z&gb$4kWZ$B?*QJ(al#LRs{qg7h0^*gAa<Q6`E|17{A%1&i3`sH-Y>(S0X$N|*USW0
z0lo!yAOz=s2k=ffKLY2==ePwK9wj*KM@+BF===t!Gexdbjr%Kc;VHmFGW;39BQpF6
zz`JDl{eZ`0_Z0!}m7V`A;QfF{2yO;EgHyD<{QNb*^Rnx!0l%sa{vsLf0sI;nJ_Y!7
zmGl6A!V-T<bTPlhUkV8!fUL-iqUbb|sm5xq!z@yZS0inJPi<6t#6GpdCkGsLa!iUc
zcEif;lM<7_c@h4JuG?W{7_xs7*LUu=EgH-Pp6WB#6;={W{hr}ms@LwM>gGK|xm1sh
ze*B{DsX%UI?vCL(?SBN+nSsEVe{T=fH+KvKMt!?`sOlaYy5oQL?JxfBg6+BZp99>k
zK>j>T<^=<xdE3S;j*tOfeMXWN(K=}n@g1d9Iow;4NXmj@FstKshsBW#=cv=+Aintf
zpZe5Ki+4I4OPe>lh7XR9Uohfk(&28recP_>TeuBmM)(NZEzWI#R=P_>sD)8yWowQ^
zn-?r2;dL^T8A5KralVe7WPlj_nj3eh+6Fs9(OL!*b5p>lv$uwINn2OH#(#W5ZaqP~
z56{ps-ms-&j925HN?ce2JTJqa0X%{oFct{E0B2)>@iD|~NdeS>X4Yl!P}QhGKynZA
zmAjGG;HB9@f|b>EA%ClsZ5fOu8e9=kS;@$m#6ZYW*g4=WnN4;rg#&DV;MC<hIWx(+
zALuuT(aFPuCELj*H~Dm3W-bEYR24sC!qYG(q-Ar(C4k?;ab|a6bL_V`|NUiL_zvKm
zGW=P<`%CzmncynGx8N|y6qR@ehw0qN@%uSW)^K_q+3^M0@1g{!YX!5zFnYhu=~a^Z
zb6j`|@Q@6D7Vv(+%>=gqz6}wDxE$y0XhsOG^BurD;W`o7`5D~I=qKlk?-4AB<BD(N
zA2FTrcJdqsNxzGL48je+FK9<<CC3p+9-6b{M^KGIs)RybMC;=vXKMIdDzh!|n0B3C
z$M;2iVB^>4H(7g3Nu%4}Ki70blMWU7R-Ju2`Zix^I6SdviVv%U=21hNpTx7M`i`4i
zqoc*I;_2jk!M%mVOic893NZ`IFM|;0^HW@&{w?E=jqy_j_%=jxtJlD{px<&lBEvK2
zw}hV*Uy$KZg8#L`hNVT@>S+sQvmq|!mxJnbO;BgHg?oy%LXixvDWiW%Gxr16>~>L$
z*Nb2L!-C@9_V53<z8_M$nca)^%m3i>Rg|>98uwS?!c%~UWcV|HM`ZXDfOpC8`vH&1
z@TUP!%ji)8-d%yKMG^2`*>#=;ykB;m1mIW5@Jj)|NQNH<{A8W;F9ke8b=-hwaFq4~
zPR|<Pd3rvzJ93?P4E5F3h?m_-N}3!EA3IHwe;{adQsR0mq-++)6Uly!!PL|-mvcyl
z$#!3-ClsvI?F5|0CehKmYpBvznV-)G+uF0GxtrTdZxl$TLsa;u?WM%Jc(&SRIw->O
zP1APBEvTJ3w?)I&Y=bvttv09P=60u1>r{~?+v<vY42^%G=2g!38`*mNlB#}OiF+z>
zVGZ!S41Wgj2;dRQ2f+FBmTatS{Ct;Re?K|D8uwS?!c%~UWcU++cS*QpH)PlOKG#?L
zuqN)W#D%8-56SQ+0Pm9F-vPX{gs(*it^z!Ren{KP&tC&PFT2h&fJY=;vOzLBf57Q1
zmT}=(!24zRcL47!;cF3ss{qfSbCe!}FUasH!T*W`uKT9*t^@6;YyB+yy-<%l1zVe>
zco8JUia<s*4XkGhaM_?WA}eaenk%dlt~qdzeAg=Tk34bW_XWj|N<Name<N{{e0d)s
z8GLjot(LkzIw1Uk)=>lT&<gOxlZ75}FP+t;<Pvw&nK{v&CvG}hwV~m3lKANyeQ0OO
zhY-)fD|ndSsvm8ZXYr}CQZ+*spXRh=t5U<x!U-B_Z)JYog14$9dbpFIE{r4jUBi9>
z<5lJKaA?rd<vB2z-!&2lj_%H9CtHfeh6#0W>VhFsXmn=YWms?ogHuO_hmTB!c2A6r
zPI4bU(gp`<gAW~CSA)C0uOK-EGNV!}q#e9rc-=GZv29G#GbPQWDb3{<)4FQgStDfr
z!k6mfYHOQOW7VtLNHPM)uxa%Q&s;n@)#ci$Zfe@0Y>Q47I*1oi&|iFwpz8I6T*Jp^
z?!1-diP?{T!h9x;sIURANs?nk7T4IuYuSSTPHB<Yx_W~xtTDD2RbI=gHrP*fb?<Cy
z*eNz7<M{bvb9gjkXMEf*AnrF(rze0$m-){^%9eJf$CYYPweuWKgl{}%qq!{kv9+M&
zUFQdnJ4Pj5wfb5O?K+!5WbSqsbLYD@Z|<E+#d1T?$Gz^#et3WN_a|%!d=RM3OYsHJ
z-Te>y{wVkcf0+4HrZ?bIS>+L|+lp8IQ&1f!ZbJg{P^TVtEfvbu_3D7DfwbI0zH%Rv
z95Gpwt#%swm7aTVxwrV1UyO8$o#Xf`#h&r~54`>DWxE|~1F^Nh97(_b0D&%_eW$v4
z5&RHE!gW6yt0Ql~bSNuZOi<7rXuxNl>f4ns;G6h^_b;z^P8^<{9UhsT{pq%CzYR_u
zBf)tSfxyI(5o(-RIka=<-n~0_9+GHBUtzR=4ccO1-=6@VsqZnJXm$fWQ&J7xW`w!M
zhI#~){dN=|I88mK3>xM!MLYlViOmV}?|B6Go?`d@cleIj_a_-&vxJrh1r^VuFox>6
zoWjTi-*TuM3G<?g+qu2QAb(}?EyYh_ZSi6JqLmfGwkKCsV83i8G<*a6l$G2k?mWJ{
zoFDQU%3d-}(O!K2>end)@P~@qppX5Iwe<|UPn7)m4D%VU?>ki1Mbq}neTVq$%I*EM
zrG+rvqnMRmWAx)6!KZ%n+Bf0G@vnSgXxDo`v4Rln(HIS64+Sy>{r-K%|BkiakQhlP
z&5w%0XbMU5UWl!O4hUpcaW8`wo>3sgcck>ajfcQl`Md2b&DdZv=QOy12&H8DR_1sq
zs$7<5lv5htHr3xhg-_7G&lPqJ`FumW3dc(yu(EHU;jaz-eSQ7pZQz*+(Vd^~$js+l
z;@Ftz%FSmw=JRfGg0zqOvXS<DkMXz{Az_)>X6DZ4R{_=EO|*>=+SjUuT_LlV>8LI*
zm%>urJQ_bf$Uaji3fz9=<cWOOMP2z5Cy(6Mc=Y0zTsP6*fN^oHp?~7Kmt1_b@jfYc
zpwJ_jQ5@~sfZmn&XvR;(r6ntmX>z0`&1wK*YhwhBvA&SyT!!p@RA$OaX*0MP)R;Kf
z=CW!7qkFr1_KpU$R#)4>rxTref7U%Tl}YRtHQ|n4Z+<tOZFc9qy&YkVxO;PG&v0NM
zVc9b?yeG67)wRdfk%y5;*AL+%JU+@u_UxzV+GnX3C&d+;eCMv>dQ1)Tqf~Ke5<?bI
z4U62Z6(Z#&PpU?k)K^xkBBk)Viu<_CD2CbiY$Kmf(WhiNzgIF{doY*US|IKj>fm#0
zk@}20u7gr1#dhHTS}lclFhT^{U&J`;FKKj)(veJC{`r1mKYzdB@>k-_2Kx`A`i1)t
z{>bV^x)Ez>m2AP~_W$N``@;F<c3FfI%N+xC-Wowq+YYjZ7o>Rzy4^~BE;lC@d%d3S
zg~Yb$6FqsdUhRLe#@7>%4}{vcZ3=nT%RK!1hnXMHI~m=2Qm?a{*%Mr3=DD8IY^mo;
zTaK0>ltb=bI*(!=hpsN?X!VD4*+ERJ_<3o$PNJ03H!4XV(ugm)K;>u;>y>JiN{L73
zRELY7K4=Vl<LU-wlk(orFElOf_4Ri5hl<-4K2K7~Ueu50Es;=Uz3juJTqJyt^tTu~
zy<xegoy#?JS4Ztb?M(WT<eO$D<!c}+mb8iMTr|92HuFmR0(p;+-v?0ynW4sWn9aB^
zP+{LBtNM()2Txu5?u^D|P^<MiTXNDqP`IQpV4qB?%}si>+ThY;-hJ(<!DpYv#v@LX
zcvKlFochK$P8A{w@u+BW9w|QeEX#EiCi>pT86TkMIcT#Tb^KJ?AgTg^KGDH#Ks1U{
zEla~+uZ+5>!X59AJx7xT-%Kpgd-+r$Pa-nh1NLtJ-t4{$!huAuw|A4;AD(x*Bca9F
zfZy%6SZCe7#gWi}Mxh$+ptb)HlEw5)p!3YKPz6`TeI^@`p8IcW`P|!)!8$+7Rjd^K
zI=1d*3wi-v)S^)Iz5V3HEe(pkx6z68(bTc{)kQK$zL2^wb~RR4$a{|x9gpNk*MT!@
zH*gy5gx6NIV?#bcB8^+)K0zQ8F<X|FRS7qcqaySmlQi2xsn!%OcbBcJW3yV1FJw0B
z^$jYe-rhd+scY^U6I4%LZx0xomB$3Z;Jl#tOV%gW{!aSDbA*?+s$AT4_P?;h)lu0Y
z&9xk|2s&Dn6Bn4&$O>~7+Ffd+O5M`l-rk~fYjFSS6~y^n;|^!kV#9GolPw#Yd&4{t
zEbr~UBsa1>Ypf$z!+u3B<HB(zo3B1nC7Xi(B|HC%)p8@<$IyDJtWQnJW%N3HXkbsJ
zi5y3~k}~4nb<KP?ZI(*x4q=hUvxyq~vZUFhwM4WnpS@-}t%#4D{D^g4-EyGO(T-pK
zu4}J-SMhlNm=xEXBJDdWn3>$_=5iG{3D?v{NfMs%Y)PLg^7*KZ=WCH9TceiG##}p$
zB@s3#3AB1C0Ui@%u_OWheZ0Say!bZy_ofrqUw`5d{ezo&3gUl?g&ygx_=$yvgXF)4
z>1pYG0ihbQ>sGRc46}I25xRn?HX?mgWS57WPED-$^Z)6Rv32#q)j9QHvbW!cKg8Ap
zcE4fr=PZlcDbyW<MhY0q^PK|5AhU6=t0_%6qr=Db5htn2>9``-ZS!eXzauIPiRs*p
zHx?2K@rURB1alM-zhKW-KaROxE0tVEZ?0@Dm8wp>k^IlwN?!DajJKkR$rYP<eeinT
zKu}p7N*>7XR<1+e%<V-DIVu-ba9p_O+`Wv7IrY8w0ws*|EZ++Gv&3kzLhCslb##-B
zF#ExdS0>r`b27<>yL3PDK5QFLZ|e1U`<7Cpefj?0o?iT+1D|gX4<ynfk@h{Icq}00
z2oT=P_TcTvj%MWhraJnmCTfQR{S@Nd!Q{Oi(!EfwkXH@Lgz)OQPp|e-+I+oBsh&)J
zptmPO7ZE|Vjyx_C{)WX{nl~74seoObhOH2cOEoFky1J=E#li%oVxpP?mOY%ze_t2O
z$PN7AgRthB%3=)Yssw%*hBTR%K$mOddB-_5ARo{)6<nR0|4!G+Xec_lFW0@|95Uzq
zz4J|9`%241!Cx@-PYY(^l{zwW;kYN^oHSWS7Pk$KSPfH?rF`3BJE7Hr0_aGc*%~6F
zs#P3yD;+d|tV3l}DXPK^x@cMjoU(Wj*V1MQj_mSaxbg7n>JiP2hYKqsfxyU0cmKph
zKY6L${W}UzlU>lU%L0=;-gf`CZ7VC=w(Um(^`FF#vp6p^TCU4|7`JjIA;gI?RUF+!
ziagT>f&oMX94c;dHzZoxoDq#5U!6X6^Xsw$o}Ptd^W;RnhxX7%9{GlTzCSe>)c*Y)
zzQmTgF#vUZ_vyG<`;*W`+7qlBLnt3>Zfe1X=wSq_S35ijItBv-38bZjzkX1fL+>g}
zo#Zju@O}5|gSN;_x7Ql)^=VzI_6AL(DVpyzdo-&wu=5&)*d859#`;6;V#5wW^o3(F
zh47#FUfBEmmdJGP<aRhMmFXZ)hZ`+y)T4@z6BBq-nOMdV7$<cyI4G$(2$#}#ko1_5
zC`sSZMbme5kZqjmD_?7x8<bLb_{NS-j2)ZwvlJe~L))gOq#PdL-(e9NslP^*-n5RM
z1Bs}O;A)Z&PQ^6v14tGS32g;K3HK{4=j2p#?`)>GsK{HHt@uoH$c~#`F0;kuy4LJ=
zo5}0$Rbi{wX7l-MHgD<u+=qEy2k!fOHKm{V{t8rf6`p1NEQNNQPkMzo^%RV9kYz!K
zpaDA+r9X70N~W!_mT}=WSej|qOSzFuda1`l!;9Xtmy5gj<_MXBd&8AtFHFWD{T{Da
z7sMukR_t^WJ;_EiHAc|X7}ND+3MH=|uRl}L*&A7WJb9%-hf~qc94$l!tH~EvJ4-9>
zd%lPZQM%|xsD209@$}QuvVxf$(8=O(C+biS0q3yh>TApc7A8^4N4^vLtA=}OF6+3m
zBU?GdW8<0Arwa)-vSFWKXJh-z;G1^?#}UIH<8xew;cQ>P_IHwxSqJ*v+6`QmMNGcy
zqw-eEMr2u;)=VbF(u`?aSHHCS=GH?Ef=ZI=?!C7pO9?_Z>jTs4b^(x9LySucm<yB^
z4QHiyCDfRs+XKRB5U6-4L=BPQCC87iKJ-vmsrP2%w9m%ys~1;R7MFCv{urqVtlJ)l
zMST@^BR!$i`%lb^2B~r+%!}?cAr9t6dv#_DUPaQI!Xh{SR^_(no@&9`mdQfTR8#Rc
zO*87?<grmwYRvDSI5IkVY%++yHa0psR(#FE^z=f>PPE4M=o1^5J;*`WnM-l@2sA=Q
zGLy)o+Xr#QY+j1GZ)nl0{rZ6(qeX2}HaF>w%1cQEer#*9Yc77x{E*miR1jR2;%RPk
ze1PQIRiYf#kcw%``7Jkct4+3$6^Yg6_w5IoiS_ZG;$Mr~XcytWWvyuQhT;X9=@GEl
zH=Ql(CPdIdHZ%V+=Gy=+W&WINftWo{pI$v%X!zrS*Y%%0E9v6MxOtxNJdNHU-=`Sp
zO${}r&4-W$B!m`TI8oppPSkd%BFCE~DU{IE#%6T`w=CGw(){5(BVk^?_YITZ#Yx+o
zJYF8+ta5%T=xs<lXQo@B)A3V-mz-ZgchOGOz4t!*Y+W7QC+XIS>FAc3jxLT40)MJJ
zDy#N!O*}J)ljmX3qzNC`vvEQdYCl0V;3XKNYa40ch7@<CtzS~a7X0;9cgv&dd*9vY
zchyzi4KHclSJDCWk@mUJF=*fU{FF%@2iTc6@+cK;#cHNyZ4_7~>Sm;XC+ettqB3n6
zJU;yO*j;0*)f%%G?`Mx|ozm>n<RS5O?G`p~oT@X1p!e2KH~}+DwJL&dh|TLa#I)II
zsrf=0w#BSZ%2j}LV>~+R9Z6dBh6Yum!QMXjz%_3iBYWc~ug{02#vCdBif8~qFSC>T
zo0gvmOf5B^2_=IrK1yB<T#@ElCeR+xC!pa^fW_N!>k#Goua>A~XqBoDo_?B250dJD
z$=J(W#-5VV!Y8FV`ymy0T4C@+z+A&cdbwC9GhQ41jUqChan#6-SJ<q+_x&yL(Orf0
z`SJQR@2;{lmveQPsw(T%(lybzeg!g0oMT!RI@4-6B6962eK(OAw_TcB<%wLRNw#yh
z@~(=M9(P@Ea`o*61<pWTk8ku*hY*Zf314ZRL>Iac_<Eik3;Y>3LS6+8(;d>RT>`Rj
zt*4$>ez#H0diBTyKMKD*GYT7fugE|Wl<VZ_Q7+g;hF>WYiY!6O`*}YZCVe(U_14f&
z<m6ZN6WAs<LOny{8R#z(wY9W;l+aHv$u)knggUv_5Be`%w|^_wIr7I|Wgi1gP8*|0
z&$G(wYe~3Y(MKGF04FDa*dP=N1F5|H`qy`p+y7or)!5&0yVqBV?D{CTO`KSJ8Q3Jh
z3OPDD(C-<}^Hd0pG@nC_SpE*a@8^DhMA!c23LD6~Kz5E%*%@^7pO?j`y$o>rdlIn<
zGWNSb#*R@L8}Q!)-b-;LA_w_>P%xt?%ApbTI(fawIy<8zWV!AqP&@n7LePGx_YyS8
zK6&6gC-U%5G_K3TKKaOJC)AtFg1nk%D{K$VULvcB1A$*AW^pF{KVQf;Dyak!)?kq+
z-AmO=r5b%w*}-om#?ls@D`eCejG?@DV8ZB2m~2D7r17|Gq$}+hoAxiyt5x2V$!ziZ
zjZuSt#AdK{sV%XB%O3MP)vjKfy)$GQ&0C{>x5im8chBwL;%MHjN!Z=^Ze2j%9(5XQ
z{^Hv;YR8~Q=QsJo+@BNwK(Mep@c(QsI@g90-Q%Y80-cx^(xrEU-`3V<^BefPIy8NB
zc=+f<FgSUHyibQ#jLFH)>_kkjk4<DdCzD2AtCHpyX{w)(OI`z+%86&IDj?r=NpjG+
z9lv3^$*4Q`CoUVmm&qmrsGbtBTpCZB<v<>0+QO!a+Q&6Z(uRBYj`+9v3+BP-?(W!F
z+U6-ths}A*)uWlMGegcTUgJP4YL52@{8N)tenC8ds31U|%ZCVENwlzm_!_9v1a@1w
z92lxwjTXee>SDA%96933*~UAfxwg<yX3KCa<mtBe1b1ZPlbw#PRCdhUGpCMur_A1v
zr`=^#EycVppUphs3Fw1)U#z!XY#r_j^n{J9z9nfCN%_g@&~B}_TFU%ni0sex%uPHe
ze-pG!eMZ^^X!$wJwqB}28!lI&_5S0TTc@U;zf-`Xrd@N>A|5C{zU`*}IA9&Nm|bSd
zXUE!~F!kf{0iR(`*-#DI*7UzvhxVEAeV(jsB$4bX#GOG~PK$eg*sKc}XsS_P&zvgm
znl}17VzCab){C3=pJ-~*M+ahbmSFnuUaq_Mpv3ui;82G)OnQi1N6B^h5KCFVBCV;a
zAgwmO(B}`0EGP4u>;u}Y-Ins31?!Z5dY>yh9`a_=F>Bt?+@p349h#WCWYQO~PH0W-
zQ6hYKmX@PLQr(`6Mw2$@NEac4*NA>Avx#I;9ci>~JzA+2tzW7|`wB&Spb%Zdr#c7x
zZHlqWj~vYIpDY|Y{^EINXYC}sdyMcdh%#sh?bv`9JE<K={qT5F#t`adD}$XNA*eu`
zfR&+>_ki^kXic&Lw1c>un6k0}?cd@vd6&)^GWb&Vj^WUj{jDa4#t?L9ow>PYlO+-M
z#D{g!F1^3QWexYMjiD~LHR`psh^GFiHy<=C4jKb4YqQv5^~P+TeAt8w`h>|7@p}Bx
zzXbexyIJ4TmT(8+tRE4ZGm&8}NQF}6eiWn)4<glh>dpq`b!WM6ycz`wPhPkJt$fA!
zjio@kN!ZhoYA-C=`gNU7YszmDtmEFmAn6{YFU1x~M;qRX4R+^9E*Vcoi_ZpZ<63ij
zY%Jq&86pF*$S4W)8K(Vg%3H3_s$w-%lXZNq>lAFIH9Up-^;*BTXV3TKwMvOBMDAr~
z_sSp{%j$TGtF`4KuGCGyjq4Y2-SfTg?ZMZTi;oJd|Gq+q*R9{mocDD9TK!gy-RCj}
z{LW5Wmv=cI986k`o`6#)Lj6`t&~0<L^j43_Jn9VTJQ=q$?y)=EMmbLkYtQ1_1#`{%
zt*YAfTh(V_(69ooLY)Gxj3_rH>Zmf%84voM8C%Y`HO43;FP*o;<BWN2gr-18Eb5@7
zj<`bj&A>xelXZa9Z#_cf-W$*-rSGIh>k$;9-=!L@YZULsS#(A?O3u59oi~R2(OKa#
z^8IGSkCU3IM^T6#mujZ2@$<;~eHp=TX86q<kC6(f7TnG1iMF$Pog_gb&ef^cIrpn_
z{m)+sx79mOH~{A@tlfmI!YR~RRgaI<&#Yg_@}}(%o;dN~cF)o$cJKbg63Yj36M9~L
z9WGvx>(no3c@w{ahh2}=thyV!ghLywXL(fk>d?6dq<WTjle$=kHdxQ{=#Vfwbgr8m
z^YHs+SUt!zK{D)jHmGr-f%Li|h%zRtHI%dD?xBQD^@~{!_4DeFodNQpe@Irw@@Q^K
z?{T_xtyX>OB#v8kE|=RdnICe5+yzf(rb*G1>GTxbAqQ_K4p4gQ*01!FPXS)PGJyQ&
zsb9&~82W6>)hip<6|ZE(2ReD-%Ko9FH7LtZ8r&|I&Kk#)t$J&#&gJyzr*bq`9O<pw
zMZKVG97PCAwIjBW_cc*Tura{A_+~uC&Kn2JO@2GgunE9I<h%pyx0AB-W*IgGScG5;
z?6=c^b&}sMvh!vDi;?qY*m<*n1?lw|HV4=+PNMILy9qX5K969ZW!OT+^{zp0#J?ig
zB48feh~CMtO@O)9hVXXuw8WRSIf*aieGPq+@&z#O+8mx@=ZypACcm9#*aTo9a^3;<
z+ez7ZvkaR8EJCma_S<Q|I>~Pr*?BX7#mIRx?7UgPg7kU}n*(gP_&oX^4l=&Lc?A0`
z!xk#8H-_H0_6f=tz&yn>=$#DPBw;kZlB`wR@oSk~Ie_S7Bp0q=>1D>_b=Bc3oh=@m
z*s)`RzC6*WhrHC69zJ~W#fJ}HIyN>tJ3=Ce#@PI~g_@1=E66<MA$L<&-;Gy!I$N<R
zeE;@f!aRXP`9{62cx_o0og#EwPy$hfS(WLMsp()NsG+K9dQCQaz#7X%zO1ohd7s~H
z3hDlTt$hbzT*bBM%-n6#*1PR)(e~c8O}o-cTJ`28EE#uPD8_&RgB>t9@Jw@(7kV=U
z3`rn8^i(hj>6JK-m+rifyx!6akB?XX+_|$?D`^e90=}AiXJ^iwIp<6{Q_d;4rjmoJ
zEWwQH*6yj@i9pmNWFv`@x~n^1a8E<IKA_hWl$)U5=UglBXV*K}5nVQoa8Yw;;!=g4
znLA}$*pz<ll{`tu`%Gc2qbFSHid9Ofyx(n&7z>_y+La620v>-xh?jNAaI);}^7xAW
zE}_d|N&ACFcib7s7`3^GJMH5UK~bR9PM~=wGNBp3TDcNyvGc;R=~nH@=7k?N6_R%>
z#SIN5RjryP3v5iKtAx})dG^?aeSM$Up;Tmcr2pT4)OI{r*}sm_YzE2?qHZYN+^%#z
za?;Wf<r5^LhT__(X;5OTn)bQU8fT9s?eWCoUaQX-Gyn1-jiE~is*cqj?GdTtawmMj
zs8Q$s!pw|P36l?>Hy^e({p_y+UOK6DmbS7_7oTKvEc#RIdQ3|@kT(>2mZ@OC!LP5H
z-#HsC@<F5Dnl34$<-Q?XIPY@?{l2(gnbcjf{esKvhN{*uG#DN26>Y1J2L0Y}xR9kX
zUVuMqfo=vAf3votJSB1lp4<{8>o8|>$KB84u29OQ<GR<cnvPB9(zEL~0$2_uq3+XA
zcOOck3iT<;x37JXnk4HG-<VT~B3*cc3{ZB2Q6weL4SSa8Q}SX(tY?KbCBA>oUyj%^
zZkOL0%DJnnBA^G^qh)QtXSaD1o$jc?;p0;w9q)|`p&pZhPx>4&x3QY{Wef_w5OyTI
z{O`Sf!RfTRx?TzjMypY$aixS1qH7vd?!>+=Liy{@y@|<UKWnQx+E!uW)}kIQN@0b%
z>z8Zyj5%acCOytzKou>RLk7PsRZ_-Ey~EaU-UH14w#ib=iY)z+#O8sB#AcE4h^?7_
z0{ZixzNtU+2U6K=svZso!}Ikc8#f-QyZhfcI{MCjF@FT|pOEvn_h)`yJsb#x>i}h*
z<#baxbl$q~8oD1{2)SM83`fhC_W3)-gFz0TPvdhs{C<biC)LBha5H*8z%em6^6C*Y
zCjoFIv|^zaU`0zXf|a&lK=20ouFdKqT`s4?lS&q6=$MV(z-N;O*<3~=joA<`klUm&
zo5cmN22av-V{)7i@=npXaXBsu>2}h*6HC&~(6~uCE)H>PXx=F~t^j%0(sa{uToTev
z({wX(TttLN<5tOWL+Cm5WAZCDmtpB3?gWinvj`6(n9E!)joB;?>{_Dt)3|jl^*w~k
z<Yl5#T`SFP;Cl`Iewco{;d=x9emA1Fu3;W_EtjWv;ZjJl#jS@&E81_CZ@U@kunUJ3
zSxme8ZFd_kHgs4!iN^ZqZRg&)*?)(hoL?veCqtph#_Ra0#_az6h(l#4?+}z{rsq#8
zNL1`4KbL+)*nM(8?ciax2I8!;eS9bD`n$yYoQrm&?MpmXLA)50?+ErL9pUIMS7snQ
zRZhpws?>Mvs6*LLX`OL!N~$I1dFbs;4Zo+{I5{r)-Sq)&_H(_c3%MC3P)<6*z_YGQ
z5X(NZ=dOQDPL+NB>P#{*Y|ZjfM`?7h$CEN=EBKJ7y1u78U-JcoqRD*L#MD`WwJ?MT
zrN>P`4-MjJshXTb5se8-J|)%MB-L1U&d3yot1h@=|GBY1eQdn$7i+fnl6{wsPOY02
zg`dKm1h`rh0;rhQg;|qi76dp}r%noe(I{LQ>puI?LobRDC-#gVf+o_0H$vsajU>9@
z74TZ&l(GJE$B$DW2PU3EGJUTD`UU_eMq7a4L0uHa+om%!nERXb>Z)Hn37Z`fa(vWR
z9UmDo`#aXX&oKk!?iI=1=L^`%CJT^zeWzyA*q5w6xh_X3ZQP7DO2%tVPC7xuJm<@|
zBg^w2o1g!fSeuW3yfJ&?giI6kZh*rfErY}5Xg<C?4{1T<rE~_Uw-eHtkg-LsRJ4vu
zeOTR@9kTU0QXb!&DNw|RqLE}aoWtJ6Prc>1Ame@yz|x^SqhUv`S%=R{ex+r9R2^*B
z4Dv~Bw#6S6REfK1`z;S|yJA2@^~D!I(s=C~GuO#w3_ux5iZ5pPDkLf7i;(p>TD^N)
zWaEpF-ic~5Um+i(rxIkllX>9iWInRY45!5tkV{>XmU?72QrLsbTi11QT{GL(X*d#@
z4$p)M(TE7VJUjbxWA=I9TF<T%Cw6((`kr6J=LW#Xf?^{63?D6P14^W2_!yU#&8$<%
zrEWTs<~Y^bjYl#Nh~@qJ_TX&f>Bj7TYzwUkKPQ$&s7yc3^-_OOLJN1Tr{KML`}|F;
zD*P%nRrGkklTI@%)M|xdUmrf?tId^5bG=?~?_8-oSMyEIPfpCvPE5`t#QKecT%P)T
za<{Z_6Vk~o(ndMf#$HVMSa=}ga%BfXV*}fBSt<brUnvsl3Gwgy`I@Lls+$KJ@u#6~
zS`?>agE1#rcnh*Jj3&u3z93DHWWP<8x97L%)nctygsOgVbgOOhY>5UX&+Le?;xh`J
zMr{<oxM51H^3;YW2fFnK&S_F(%M~W4RlyA?H4>hT-}F3wf=Qr`^-w(0BW{^HCQ$!m
z%E-=`WZK*x0AWC$zwFOAbJ0ELY#pj?&ZKK1alpGkxO>p}%;S&$^F+u)ebxcr&j#A0
zC}kXs>*`ZW{Vf4KPPKYlvb-H{OBitaY-Y}%7Y2QyV8qjJ_B##scqI^>a;I!LkJq1Y
z*HY;@e8}&w3Qn)!5cDp!%^en8nSjOPD)CmA&EeF#%-!kUwScP$s&Ed_M~y6uI$Tb&
z&#e@>#e68;b{$@O7*bv|G10h>wxbe0M8_tcO16U4v4b5|)k~+v<--^BMfG><H_heZ
z(eBwz_|W!Ce)H$?o}TeP|K^hI^vn%FzZBqsLdPUlE00TZOI&hj=B9UT?(gKaL~H7-
zZMa3`#NUR+v!mg^ZT795_y{oq%m5l-FlBhlJRC_Qi-Ybw+K@xG6su+BzLlq=T^l!s
zRGmsrqtg_p${M|fC_9zm+4UEelpRW<>`>)J{C*G`gY&DwAN(LNLBq!E&zyOOBk%l~
zgs<3fT_E?Bgw3{$3~!8x+<zOHZCZo;W@Ensww2b?Ici}MOU>Z}+cRoYC#Nx}Q=1Q5
zyRD$%J4pwx>BdKX@%^nvzs=@1ZvDZ}cJo22HOTL#cS-@LjkNuE7)~NCYF65!cOuI&
z??iuf^OlU(tR<b6&dkOe@sUR`e~~lmgnt(`e)EV_Unjsmi_RNjOolpWJ888evS=$_
zMemDPM1karHs|+Vz@hJbA0H{;>O`UO^>IX+^IPNqj+dD<n<&RUv`;dbBnd_Awl|_P
zM`^dzDbbGEM_sg1<-sA5crkHqA!=1OXM46@Kpb8nFL*tZv3HJY6xMFS`}ukvAF3qF
z)lRqHqOb6-TfZ1GJBLjCgvKw#rM@T!_?^S8M^@xRs~LXk+)`@^7J8tJnH;7lvdTj@
zB^xY8v;&7c@*on0Nw&DyzHCP~6cqL7SA?upp&pv!tU1@<m=G<dJ;~8vkoV(5HfsQX
z|EeCduz6K-B;y$E>De8;+n{Cl$N=9M(9`ojobwv+=fP3G!<DJ|BLzcL@8ZMV*@)oN
z1^FI)NJtGO;`Ov(*Y#+%ec4>Ep|fmo0G%Yggwn|?&l)tWHE3v+KTq{ejZ6&F$tF>x
z`GZa7CPOR+lQqW3N?96yK2)D}#PTjz(yW*pQ*-9D(&zI9Jg_jlZ9{Y*DOgNB`y06c
z?-&i;<t}9}m3Zg^+y;OqZWKm&nJRFOPCor^5o6eCKMRB&HrfYQjP@!uy%<D2V;3dM
z6)%Qr8K*N@^+n2lBO%{Y7Nc+o$XPphtJ>%^dlNvmbUhKPrycHe#jP`HQz@ayTfSlF
zvg>0a&v=-3{wKEs2`I*}6LJ(Md0ErK?BaCF+5;@dNk~cj^I&n~W-yb{yHnnf+oa~T
ziJ>8AtI7cm&H@Cj+J2(w^$j)tAL4)uzZZ2zR6v7h4cf%G)p}NrO7sLu)1kJALNrvu
z_XO>@bYh%z&4n4}5yM_U*2S1w2P7*ZE7_I^4H#eP-70o-Oxk9zVd+j%>pX*LMUX`N
z{6K9@R&TNydAB{>?KZfz2YS^V)=<{fY164Sf~T*4V8>dvTH%l8y4<NwLF-8UK9Nqi
z;HHn&?1OWTuyUC88ad^lrpw??dJLRWsqZxCqpAETPQWga&j(v8fACm&9p=nd8$FYf
zqx%}7T)Wx2oR!T+2t4X0KjdcIa%wO)r?m70s=0YHY=c_y5ook^t9PpJ+g}VuEY?>g
z*^C13-^*>HHeoDmPDWR_Pce;R*`2M;LRXhy_jrcp$Qv%J)g?ZSoAG$#c?xggSLjdZ
zHh^aYe0}oVX>qYtM=_RWOqHd!=2Wd^Ijs(@NvZF!8Rxpytjs?t6m`P6yYQyQC%}k_
zx>-J>lh{u(Jx0gI1tp~ubdC^D*f>a-*S<~`$Fz_N9ri@3DX!Rh;QFm|S&?Fmf4u$Z
zi${CTLQ)xr(8r++7(rX+FB(QAu?odLEVj(+God*ixU1Dz@u6}CU)8wDMFu&AgeTF1
z?EC4>Xg}-C$w?7MHCyZyxvGPh4#3bUuV6S%N`01^^$)g_6mx-INEMbaUu|oKxluLr
z;DJ$xy%gxl&)Gcg$h^(t0<Ponw9VHigeGgEJVbv<{~#pG9N=h08Cm9}av7d%6~)Tt
zLQD!7Hp``OM8jDnG4z=OR#tF}6q4o|(*IcJ`K-U1b~@8lzpqyedwrouBm@ub_~P-Q
zv>>F1;^Me5TFrI$_IBs0(%6b#$LG*;z0%z(Hgjq{Z3I10b7~<~-AILp2N6)Sr7Vgl
zC4y5FYMBU97ZVd~mBnE-H=>61EjJxe-PxF8h>fbR<L`ucmo%V;hj)KT9#iSq26(Qa
zczWpArk7V3L>~sq7S9Dr*`78JC@UFi`X*{+df<i)Z~}-tzc{qLuHdu6(2OHifTN?F
zX6R18*Bk6gy}qx?+qRq~5-$;Gl)mh{$5kv`xF{zW@ZwQ~?P&1usAM@&Nf(jXb_SD=
z)@=+BPYsDy3>LLfZSJrpjiPk)4lB4R!gYneER9WvunEdYq5k&cM6+vweI1BE@~F@S
zF<~~WFH@9aS#FsJB`*=glUS<TgQL!fkP#ftl-m?=nTD#7iY;aiTJ3fnY<)u%KZXxE
zEoI(pHCilM6)$*g$*N!~>WyYYhhE#ER2l7ld!~=A)1Y5-USwmqw~;IblbjAQWX(w-
zyEG7+6;p~r<vN!3zpT>e|KVD9w$M4TetpJlG#SG9&}ikZL2lEg;k$a({Ytf1ei~@E
zihK>^W>79)UMpv`V`aCNX@Jl`RewY;(=1WTD$PmJJ=Ja)Sc2iXkq*vM#)l^RzVlKr
z9DB9#e9G!u)J<lf{0<al<+mQlx3JrbjAv@GJCjYN9NIsZ_i&#4?B$|JeDK_JKPV0`
zO!xd(fN4V$ZwDqde9oqO(rnlyJ02I`TFPW4i_0}ee8JiCVP0WLO=PTaesInD-C+wc
zhbb;Qc6<;Xz~{~_Tke$WSqGeWG|O;mJz*x(S;q`QX{bRd9b39G$|@R$SR)&n3`i*}
zW)fm*LBdRP(e5olkHX>Ew0qCya6sXK(-j|ms1FuC9)GmIT<)j%AUp;5IGNlny+I@6
zqoPaVT2{J=y+Jy9HKJuPv5uGMX$CxFuxgElPNz?!x?#Qt6j+7Qpia+TX&=Cd<A#)8
zfyeb@LdNCDI*v7->8(rhAOM}Z0I&a!?p6^OXJOM^ICjggk3Ec!WPUUZ{}y$@61N5F
z$<um*ZAWIgOU&73F+{N4?1*_xjzq<m8?q&g30EkY@54u)<%7|TJ5UJlAxFvL4Ew{?
z&?{2kn-zU$;h)p4KaSe$z$+n<LOyJbrHi1IqQJ$9>g)#nhTR)Jv*EGFaPMP}QJk~b
z3h+KFpWPw|N%%tY8zCvSiV5+;edr(1i}(q;RzmAV(}8fa6$WYcq%K#y9MhW)2CJrn
zA66Mm=1!eO<1&Q)A=%SCKanVTwHjq_hf%7J2K}DOh69Dr>h`^oIKM{BLB9{FnS7`q
z)+g=7(knndb}0xo2Ny{VULq-8+&s7u3yJjqSSoL|?3*j93~COZ!n(Z{TOp;@3!Gj5
z`+Qu;2C(fuTi9+7+wN=pXE5uC=gTI8H<fc4OrqX^uf_x1F?jO<FM8Qo3<Y#mP&29`
z*pY$V|Fbh`a*1<I2>lQmAdH?8X<ZSxx6-Pfdq?ly;9F=`<d2v3T+`U{rs@^N`%rtl
zDfj=6@&0srZ||jViFfjvo`&$|coQT5-hJd{y0ex?OiKl<HL?|N4YlIU&dWmRKE?bF
z$TPN{O4Hy=>ncMf1S(au6f_d<Wkn)pi<mvmK3I`<B&vRITyZO`g1ghzE}cmmOY5|N
z)z)>fp|oQtnhfL+lJ$KyCu;3=*~vsnj<w7&hBON3b1TQU#pM7iL)}SHUz{VgUjrz(
z^HGInXjH9eSp(QQ9~(#saew3amK6YM^Z5^W9pLIiDTeD(L#-57KQgwQN`W>A-vVuU
zPDo;8W*=o!74$v2M2Q-}E2ei=m56t<`+K5mxXUAS+hZ|eO*rdpu1C}(^MiiBDQNU0
zBY&`%D+XQK-x1@j8>b?$q!IHqK07jfDs-Jem(Qg0Y~F`%;MTK!D$=q~m7AkV6XOv*
zFGpU2R8U9x#DTclqJwa$ZW(K{?eAbAKGfX*|8et0ItNSQ=-cExiig;i*ghK!7|HjO
zcz?f?CXI_^=Zdqk7J8<(gQQC(#L|(DGp73mOGi)~Ka6|GCna44Qd;Fxnw`vI)SK%n
zPj=-aHd`d$)eQZym>(Yeur*xp!nT058P-z4P%0G)rlhurw&Q;zJt%-OD8ACl?(-<f
z>_12sPvT9deRTB$LZL_YJ|^x^sAE)AVwD!u*4GAkvzZ^Pjdl0+b&uET;#a*kE>ya@
zdW5~HS}m3A@88~E7kUH1UZLJU;qy(1U%>$VG8v7gV!c$Z*UP24NYl*1U0`eA-vHwq
zm)(UlzR4|iE&Ptzt{!GLVr{ZNphXLIHrcaxP)Y|m5>j5aPM>D?J2TROkaEjy_pCxT
zbGN7jDChxzpJulQOQESmzB@iJF%X{}o9!O&s&$pZiL4Z{>eBO+G5^}GU?verhXa{<
zZeqLcg7Z`<&nTS#ig{y!Kz6h+wac&v@G4Rpbnk+ezjfK&5@XxDC2Gi{m8TQQB{$40
z%wmu<MGG*^J9tt)Y8VTZ#qM_Hya)6K>3~$gR_yL0<h)UxM(-)lq$}&ZLzbi`SL#$h
z_-@YS#)e79#){UW9ap-F&dgN7oebCQ&PvglbIe%nnSPIAH*GIwde8MR@}P^CS>S3{
zFLB*PB_D0$PD&c00a7E`W}=1F$Ih$=3G4>6i%px|%ySWaR$PS^pRYaq@WVGgc-4@>
zWmFj4hM@!RyXpAx<Hx|vHZI&B7zqYP0{1sw2BX`@(2_dX(7I(d;o8@MW3!A-b}UiS
zu#F5)GsDvYc(%n6@Vo8t7VJKB`|;NX@q~=o=LcVt@Up{Mvi|~^DWm<%EWWhI%YZbL
zwi;$##=!J{yKK#fXYyj8@*<^7vK4|9^PZP$v2<3hL`&s<T!EKCZmC%+mDSdTMS+s{
zUGY?Qww~^+_hQ^z@63$M7c%QT!`6(aXF~UHzs2|)FB!&){(>+Z+6acwHuqK)8lwib
zld6ioErS7&FQIF8YCxq^!>-c6#2UY^KhsV7yn%(E;UAIPKyrepf~0$m3fk9lvON$J
zlN<$v&K8N$&>BmY+WDqo%R$m?^3fPSh(+Ypwoewa*}~3quJBh@gMSmz5?#!dHg|g_
z!?;vkZNL%Z>c(Z~>aM$_v|%u&K7Tjy3zI%Y<2%G*oObz?yCt4E79PQWM;@dr{9vzy
zUAk$#<)DYR4yl7?_DDLK779c?i^>Vmo7otV4LSg&)dudu9+%nXOhh`YXH8j@x(%DH
z-3Fo4!N;OX^%aL5N_(Qdix@U^;L)=_J*&*`JzuNdsL=GMY8!r#SyS~(HbwiOKmHx`
z#~Ne+*?QlyyQGV<<rgFTEfFCxA_NgDZ8x%rk{D595zD<d`$4)8>)TE2Cbdp}OUrK=
z_ST)pqR||?V2P@&f(5u&iN<8}b)qgTj%7tPB~px&7-__KTBTF<*qv3~N20l8>U>?7
zRi8Evt@2ja<#lPD$;9hYhH_|F!*}$!)7IhO`l60xF>X{%3j8zf*ZYU?t<L=obS|gf
zcYWyC<ztu4^>kjin>&BMkga#}>PA)RbM+^4+_^3NdI8;xmd@rDsZ<an3bJi0Cc8$t
zhu6p(b#xg~o}>!&J~jEH6dPjJiz7^`6HMAu5EdY19#TppKt<~Q&oBx|ZC3niz;qzU
z_Hq|ax;c$vuBPG?OGX3bhwkUp<gafbP8W;_!db<t%HTBgD)ml%%a~ww4(eTo!FaD*
z92AtIs)%1BhpDa{LUEKuUv1Kc7fHdd6e;;WrHazV%I>9#8XeEJc&yCo63;9)gdp@$
z+aornkgAx0t0-GQ6Hfue7(K15hc@P<cj2V;n~SA)v(d)G!T^g;v2+=+4-twnOA&TU
z#Y5=yDGJPd7JbCy9*_nS*hH@^cj&{JpD1*pKTN@Ym(9<dJpun+wtn^Xri`-px*BK5
z692JdjsClS{p*afl2-l^{(~dHzy9^F@rH7x2WxV4?G)iZ)3M2o0%-5s7@s8Sby3Mu
z%D24(5M!rQ3b32g0r*Xj?EwpnW`U+}Kt9AgR8dLcQrO1ZL=}!MGlXWw#_mq7>WiuR
z`&F^ps$}%OjsfwU(V*r&eA}4vadT`iGm{!h+WvtQwsa>Or}J4P_J0e%L5P^BY;*ul
zF?9d38}^Ge3WyN_sYV9YRz!ISFeS*)9BUcY9%j)=pfcg1O4DMC@xh~pU#v)wZ9PeI
z443!|^E4C$3<B~wR7(+hVnN9PCAgwRT+D&L;t0-(|HtUB4ZY8Bv7$qj=xF>`WPC7u
zp*`>2<}28D27BwFcZ3rDqC(dZQxW|5<Bj#V&dj`ulNkjLG+uq}HSBM^T4?+bCmTPU
zgI}b+Sv+<8Cvq2XD}gd-wn?3&NQ`9j-hzn^^GR`PD=OTwvu-vFvTr+E@$@i_Hq2IM
z<ZbPy@i#RupHq-^L^bF;znt3Gm8<zeX+d%4ojX^rUZ)|ps#b_vtwAAFOx=L5-M?#F
zay07{tg9S@eSK9`V^>^oud_OCGMjobmFgD<2Z86Z4Es?O<xmM-`!;5ZiypvaFXSMn
z?9M-%y%<_%E=KWpHrE%})sYf}4))%CN<1^wlxs=0rTMTpk5Mm`aY39y+loCU7+|QZ
zgS4-{!aiQZxHhg$RK_CFcNr?t!x-Ox3_swR^}Gk~%_z!g#XEaP^J=3;rBxP!g@6f!
zzu<Bl(HPYwrS@>2boTu&m>>KbP-5RQoAt)_7LDkhi4+=`Cw7}`;mFOb=V=j^t>*=$
zUzyxvwmhJ0^-Y6U9(?6R8{b?v*!uJJ&gR!8Cfvh9-aoZ^^@J^=oqwTr)}`mG3+u0#
z8s9%(>ezFhD(S5|Jl9=*#bJZ?&K-?k_36%EoU{HjjE8+_|MGc7drxre%wGqav+AT1
z8M2)UNu<N#FRVr#ZRV_nMGwVv@EgP|SYgME4twx7(Bkuw!_J+1JI5xyh5-Ng)RR_c
zJnSzzd;RNbbLVwx*1eODS-#Quz0Q!yM8^Dib0%NZZ9gmQt}1zt9{$7}{&<&bD3sZ_
zR*3Kee3xOs7_<h{LC-3)$13gJu{qa2KwAi-4a=-b7~6XB<e0@<*rSnc-`bdzcd;3+
zhqZ=K>kM}}qhoxJG{b$OTJEXrE6mjb{@Pq|G(P1THiqrl@UV9(gNJrq!{b-XSDpUj
zd8+QY1Je^CqjzpsB>Z)YQ`v}U^Zk*m8n}$nglMOj>U?{a*-K<KksV4fdx^}ypR~oK
zgom&b06gQTmGM(x_QE_=u3bPkkF>@u-fd;mniMVvT4pdpC^j+HKcRVf>L%@2?-;)6
z-L9}|d{jMEefGvjeziT*-K&iHw+-+m|KRwX`S-sP^}U7P<6i;(L3Hlh(pi<j0gf5e
z#0*o7*e2P#fpJClY{I0{!qyvLb)G&&Tg9fP5A$P6mq9O>hyM<|5B~G^XFZtPsqQ)V
zR^1!v(R4jMn)%vo>qpnu;rS*3s}2D*uXFeuBj*nL*nPymgL(+);&y$>o7dx1OFc|Y
zn{9d~PexWVGpm_}){Oa^kn2Owcgl78+STyi<M_m5V)*`{(V_a#=<pXeY<SP`nD{y*
z+Wsdp&Ki)2-eopQ+F>p2{OhFNpILlly*L!ki?Z;w$EWbY#~S~PPvEatl>?1lQXd$A
zvgo+;0+i)KA++ahaoWaKA`XiyR1Rqfb+S>%Zd&x5pk$$2q!*Q8so!N66ve0Id^DXL
z^3D4dbU3*)w|*cL9y}`>{`%KFwc+8K=fSG7QdQ!-Ej8Yq2m3}ngAd}>{k;Q{9h8NQ
z(618ED>>vqD-f6NuBvene-xiT(RfHlK6G00i`L9XRH_%+eT#Q-xfH;SN%x%~1Rrvc
z74ARbA3z9iVj9IqXxT<;yP=5cXcaoP%$6^|++q*kmYvIchvj->t9l=l%`|t)!$B8Y
z)s$>R^a1hX5Dr0@g>XVtqk#_G8Ey>YGsG*;5dU3D&n?UD8RI`Lk2t<8f^q<BR@_H!
zd}>A1=!zJTFIC`+n(}3I;hz{^c2d4f;15ICOk-G<W-UzvP9PDI`D>wRz>6G9^G*im
z*%mk*%iv7WG~@UsmL>>k1e#_HVV33^mgajcaI|gVOfG@rYzt>nhU1gdjLR~4U|E_d
zq^Z#~6LOmSSeoCp;G<ZE&w83>3V)`hEHh0rxmXrU^VJqO#<umEX7!TNbha&PhNY3p
za<r}2469dbn#ngy!|FA?@SiNr2ut()nQ><Ltdi=5l&AvjdV;oV9kS6Kg>%r`Zo-SU
zr=O>%C=9YI#kkyJB|}Vh);Y44*}P$on=fa&-7ocJ=SmmxucpCY+BP$5^O}C+wdUJO
zO8~4b2+R7q1FbTQusA1xT^{icmj_8!88K96xe;w~MzUx+`v=cHyYbm)&pk1J0{)3G
zupj>dAh+8?3c@JmpP#2?<<V96B<Vt0x^Jam_h>6Iahs+hh?_H))b6>bcF(=Fd*R<z
z{rBD9f9zQQ{rC0XFX@UwG!MAeS-)IZwnnU{R)5&3ghe#qcjin=La5c$PiwCUi2lM8
zi+Nfe5%KRtJf3ja<B8x4n{QO!K85}Z&)|EJT5%A)11qJrj-CcO`~!)qet<4VD)@UR
zqwzt&I|O5`4eHIY-9WV%(%D`H!v$?4w)rsrMPn47c<JcTmkxe%{*$}Lx)t4HXax+G
zmz|1Gvl(L@mvgwRv<1cN_{2de_pVP$_nd+VvHW`ES|;_fGx}Cklt3#9oiDum-Cq#H
z2kzN@&#qcb5v#pEH~02owxEVZfe^vr6BM8XZPz`!8?T5E8B8XRMpQ*B?vkHTM459v
zJu7ihSfL(FU>kqNCvJae?%8MO9=aWh!>ED<nAaZ%{9P-?cKKem8y79o38cycJ0ILt
z=~m>#d`BCH?mv3;e#V;;;Jg!A(1v9;+d7up7VltHV1D+@Y=*6sI}a5*y0tjR?#|aS
zR7W&9P$`P~96SMab!O-7>wk$&Gi&He<F_-V!}IT*KTQ7sd_Q^(zlt9MX-R>+XaPD$
z*T)vkDI+!`RzqlFhDRbn@hnBtM22+00&n!@;t^ZYKj@zfvDX3r#A{Bkvz9Go#2{D9
zNcX7Ujb9}?kpEv&`TwOX|L4;FL5cJ&eGHUV4wM5tepll`d;)rt#%~aZqUZ+l8qrg`
zbp2=!(iadxNbYQ_^vwcsY5Epry9;7l=wdfD9q>D%ZwYwk=v$vSlY}=YRlERV;93o^
z2`$cTA}uxvl#6C2NPTE~R$&Mv3*JC2?R4daW8QosU{FNP8H|l|cX{$-jZ4Bc!QCH<
zrgHf1Y^j=GH5wkjp}(IGdd%+ZKrl1W?c%#a=KOG1emv0)R&6gy2czAoP`H5m;@!PF
zy8ETEY<giWDS~%86}gzUi8Rb%-++GHD|;}MSKZr<Sj_lYgi=MMWT)&qlb7xD`J@4=
z<vt3n>C)pWG9msoI#%-ede`NnQ(c3DweDhgzHsrC@#*usi>r8dzqha6t8*8oGljYS
zK+x~ryQ_OD5V`k`jkld&IcIKD#5+D%tg^GS3%l_;&JI`!Xwe(GG^9G=ZHd{IMdZ}d
z7%8#nT;8qG>4bzsZ`A3-Lq)zz4WDs`j(#3jk`0Q<Rn@Bw9jX;K4uuum2F28j{3*)g
z!bivmS3*WAj~e+bnvzq;Di&$)vH~lgSh#Q6{@}&RPKAO~DL=gK$D8nDzTV-+7tIkf
z{3G9e;{dZCfXD>74fr)ezccXt9#Q8YXR|%BcM(kOh{c!LZ7@=Y^b7&n6*N_%EnHdj
zYii-(kK^xN!Cz^7^Tn^>%~wz05-v^bQZ)X(@gHnYdLH2K1o-L|{g{!t>=Pl1?yTXN
zC%S`;pI=S>cv?qpKfPa+FB8buXUNMa2yJS5*;<XIy=Kj92}`zMr31%i**<V`aYxmF
zMTx4k+A3KzXlHA#S7B&VIloHl)Tf;pn-gpejGT4e`T3wXV@`QiUs0^MZ9+(Ajn!hX
zgF0pO8h<~qvFe&zd(NZlytQJNX~LBz$`2PW8c2j|)Sly?$REhPz?VFld>b=7SO;fI
z%!u8X@-myCk~W?^wba6|2M2;449ic_R&ddPaiB1OOEGD)SOve~J7<pUtX6j(nVE+0
z^h*jQm$-a*{9v+_zpL?G{5fSu^3wY7rO6I$dFwS36W44li(!Z2GjKC9TkbFRPvR}g
z&uX>lVmYJLJ*Q-H^jk7QG<3XO^p*~|;W8G~AT0t;HU1M@s!!tE8dp4N!kr4-S$|~P
zBjO}=;h)JcF+tv7Tg$VjsIgggEmFy=W4H*c<FV@a5Y|#KPJHW=RcvYeXZ6X(l@y;C
z;B%IYj}l^tgiovj9eb>TZFsQyMB_?)>l2XCBw|u;{22;)d-$jp@xc|*KX*mIxY+p9
z(DCge94D>lt&J<6tTz4=N#}09!cCJ`*|{jp=9i-2XSl9@uIr6|VCQESp5nHXKeBX$
zrBikg{Cwja`~m!dS@=U88FR?L@G0(W@*8>wzSidClNa9J+WvE8>F-d`hWjoX9=`0p
z4b5=$(3Wy}%c0THt3^?`dNjXrBpMyrm}lXtzDpiBXZx{zwc5U8+s}F6lD?_j=Ihq2
zyKYl=_a-sioZB8A*;?t@IuePDZ0)IT9S+m^luQ#P>R8s}va<w~LX`lojs*BXW)=DV
z@agU3y{8ZKgYDzfxm6W%t2B29IO9Mw<r10+We^iv9=}V0-_=jJ>>GbW5NS!PLHflq
z<@AvNma?4QN6d}Cu#9U+mGbZ#z?)N$*T#6r=DE!Fg1`d+oS|8&oV9VaqH#5?r<_lN
zifwX&ILU8n`AxG7Zl!~PUQPN=f2|4s2=2fglm<^hy<TNBfKn+9AX^BRxpA75yh`5q
z8!k)euX1`u2PEzH%6XIl+{||O>0jfHX67}gzahyf)M;9#1;nr#Vb&}#4?r*^p}9`I
z@gJ0^l<zDrqeq+EKo9v%Ex&1&!B%%P!LL63HPR=SaisB=#$RYTGYfwvKOyg@^40d7
z_~MZj#74JPftwj4t7@nJPV{xwN%r@heqgLX;tVbq<HE>{ybSI#2Lg8aIDti;_eaE&
zZfyJp;5>{zN+?R&4&c>zy?ZRPI#jVLeA{~)qeR<(eyDMD4F7$pZ^|0A)-GCe(@4Je
z9sL)5bIa);<I|gdbo~*)X}WL7k`PXRbd34&`44h6c>-A|PxMU6G!W_~Ig(M}pj1wM
z+&5iV6(4da+%sGDRHiC>x6gX4bGJ|C2W}kR^28&5T^TCgc>J?_nJ>zJ!mpE0qd0}#
z$zbc*ShRGu#uvSubazM1>`;kzPj0bAy=G^+KV%K4h7}z~hXu^d>RiU8M%mxnRTy=3
zTD>s7hOBBOF?1M=X1ycZUGgMmoV<{9XV;q>f0Y@_3DhS3pFyWNPHmTzm)Q<(H-<{A
zm3A|<5|c%PMs(MhYEQyXAA4-qV~-UTeU(a|qOYf?6VK!M#wQw|*md2(1J_@F;Gkr?
z5Ptyuggk{5OZsp(7L0hk^-4<udS(OO_o!s23O+spX`^bY2gBd*Q5byy<0Tn}g252A
zxXMeb5|%6R2OiyrAwMgNsKor#j_q~mBzc<JxfQ=h@lkY&d>+0f`<7iKgpQNnLP<N(
zMlM0)^bmJDjhjL9EbbyQfY)$gi1T4HTc7$7#C@K|1?9NCq=cU*{{(T7mbf8^`yIs9
zAda2aBM!8myxR8eghRDMMI7JwhL~4H=CPMN3V9RgE(Wgx<+`9;l{$C@d@p>944_Za
zZ=d*$ER8>+{R=O^_ofl?dmE|aZ;+n?jF^nmrDOzun!EsUMLF&kDC@XXmK=8(so_tN
zUqW0)j(dRQzy|W`5Lc1o-cNe)e{dYc^~!NClVN-|`3l74<+vvn1iTN4>E^MW#eHp|
z8{a_V&Svz{p~S);hzI|Lp0^I69IBy7G>3M;F40wR0{3?GwWj>`i{jcZ^&d%QQucYY
z7T%`lTMxW-(>JqhUoy$u;G$ep#JeHpJtyITn46fJe<{`rp*IKRKqDBTzl0%n{-gwD
z3rn^0Bs`F+2i`9@2~SS?{gRXLu#1FOunpj=Av8mHowx*dhGXNc@k_2P{~yJlsoaYU
zf?(hUdsYn1g1v)%510hOWD@K=3pW|<b|b`_r4YUa!Dtd}W)?Qnck*^SZ*<tx?0cup
zVzt?<7TZ4fW3|G^rFID6&E9y$ZneOFRy)4lW)@SKZH)_>$?$V_i}(iV_Q>h3vq^bv
zjlW$9*CwU6NqbM5ppDeHaGSj+J#`MmuB4EU&E8E0-naS*G0z3i-wbp6+vKsd<}rL^
z@L}@Q!PQ5_Jol0`N^=I<t`Cdp9a2IL5(cNQ43qTB)>k0iR{@`oya_%m3+cUkmJIYh
zv08-v1;FRQH^GPHF%%yjBv17nrFs4q@YzT4(IUyV4HlEZ(rh|<<tkEp#rm?eH%Ch7
zqhh~>lFQb+C_b3o=~PfBN|-HBa+M-1@P^bMz3jkcnQIi+kR3;lruOU+;q4;Np+~r}
zHt;NO4eya%hj$e&R$NSeaM@*nO`Ak`Go+3_4Skp$b+@CJ>6Gk@Qg;8XJtZArwk%ly
zV~XmyGwO32L#i24t-x!S(QM)1oxlNJVN@}`3WAVdF-B=P2L0p<+}agoGrIFFWoua3
zx+P_+mae`{yA%E{BX8$cD+crQJ*0+L@`BZ2b$eB#BM|nfMn}c650H8EUh*j8AIdQ{
z!#cuyv4hO7UJYsXlOLno+sP86HOp{2_L3h%2D*pJ;KDeWpx+Dzd?%?qY$rAJLFo5w
z$lr$El(s5(Oi)K&Toj;p_XdeLKT7t;tYnPSI|6olz@g{Hh&9$vYR**Er!@zhCX+K@
z*7~X`r&!K5(vKbkzVhwM>0ssPn&lLm`Z<>xh*|Mg;!PyHWGlAD21vg%*%wHbO36T9
z(h0E7CnwPRxHZrc{q5+Y2Dl1%Iw@?~QYkQKYPEVqm5D|(suA^Sa$>q)8%QPt+Wu*&
zFWCxkALqu};B0vdoHGM4GdY)dLLm<XX2AIby*HCe`Ncal0Q&_pjK*Nh)Go1W%C~gU
z-e}Yd4;fzEyMTP3BVR_7+yv6Ll>xwKDG*;g?t_PXc@YQ!UW@=QUSPhG&+G@8JA)tO
zJ+4s5<qig)g~tu=WF+K*pyiS5YHWe}eTb{ka^mf=efx!8%=|0Az<e!}uPk@FOzHD9
z=|h{j4rFX6XRJShM??G279+3*6795kqAB(K8e1q!`tnM%*=i@#q&M#fIt&c<r_m<v
zvNo_SZwt15cE$#B^69)1&UIVJ0LjD{Y_f2a<j^7Vx_s|U$215PGBe3&zwy{tulI?M
z&Ev7bLvnqobYEXO)tB`;U0$!t>6LhKANf4Gh`Z{)4L?__<+A<#S&Q3kvAW&l^TkxU
zSWKsiS*IYlT!P?~;NMPq&`&u|oZT&1Wq^Uo2U->AR2$a~z(abvo(_K$9?0`<!0GR~
zD`}qaGOv`3qOESArQxiO1@%?CR$Xxb9`eJ7Q@3@&gV@+Mggz?HzfrXPSSwwJVb@?p
zcp_o|vyYBynajw~(c}deB#+W@?Taw3&9;GMd2?8UbVMsa{>%NFHu*0HSpPu6C{Io=
z(~Cg8GGalw23tt@C-nz`9#Np-envyLJPJU_PV*3Y_I{D3S6sMm;~scO&qu>gcfkWN
zJV4W{7){%>xi<&6|B6++4!}b`e_QI|E_e_dBYI$rI7RPuGm9gqS{pAFcTODl*jddT
zbSOwl1B5c0PG?Dv&I=;}j1690xLTFqo=={KetQ-4+u?SYYFWQc$6H!R>n)Sb&}C1_
z9XNR&dTpuymSBH{)KP&`AtR-EXOreZYBpM>W|B_&lHJx`*dZ``+@!ubI&6(P6Iif2
zT_TJRlNwsbaSR5ml}fs3mTR#+9d%|ywl(wWRMcZ5HO?Re9l0_YC3dUXtOOX}fpM>o
zQ%Er2Q8L~)EoB2DfQR2&Rd7l`!rGT2{V_+9;;=eO_avHq8jRUxTDK<_IJ9ly8%Vuu
z?N$g$d#BrmF1>W<^muI?(mn=h*UM??Y7t9ogS58d`b&p~F8%EISI0%TWB_!??;+(1
z8`TzZk$}*p0Shezih$G`YZRZq;3r@_xeXbY$Tz>V3+xERJ5(FBMzE5GpD3uqA>OTz
z@fla3J75vVwZ`kHw(xbp(gt|y8J<n+x=^f2B$i-{ik(uWHZn9c67~C|jW<X&m#dHr
z_Bow?BJuvgg)q8+*4frl=cY9vs5{$XzTi6(LldWJd-u{j9OU`%@;t1mFnU403n0sP
z?%BJyCg=GEJAa{FnupzhQOS8(nUEj;eRdq!GfrVl0gM}0oWD>*;tRg>*;)<w|H48X
zjV*kffPRh88~;pYV%tIvJ+|;sh$}+ef6}<43u<&|;cp<W0&zd4v^cgPpp6UPL^>oO
zMoo635i_?+(i#*qg?>)wKxWJ_T|MVt3ks_xpvuDLU3V5?D5)P^NPf-WNTY|O=Bk@k
zw_0qn3rPU6QG`YMDFg+8v-(wN5htjzk-}1=P6|uC0w<82qFP4FpUF;m!Z8suo1M3-
z&Kd3q_yD*6dw9<+bfe3~F^I~ufyp!Tu~R9E5-3gZ?a8Xa=Fm<KxOuzD#g|T|)3%7;
zsmT@XR(+4b1hAf2h@z_jmW{$PE{D}}vKzb80|vWGx5^Xj;<XlyhcEv$o3Y1(E{#xf
z*{vE?zrjrD_kCFR$t}FFd`*d}RXNpqRpXDarUdD3S_q)S3r``nypoUEO1{+ihi|C8
z_KW%X+i$05Ed%JIRCa10JHMpzw0*&WKDh8A#AP7v=Pb?$ai4;?A&C14jhk8Uqfak9
z4{<R$?}3Fi=)DUMKwJXi{!2;+y~?NYoRqF{h}Pw+(C#PYc8}$DuVL+;E8E4%h`QV(
z_SZGB%|qL7ypbh-r_+Zsq>{^3X<frm*JoK>xh3tW2+!f#4YgBnbmVqKAgvD4!nA^U
zXHqQj>ZFqM#o&PK;nz;waKj%z@rmxWlI*TsFrjA_o<Sb8k@gb=*&uzZ%QBn1=p^kx
za`0|zxhZFp%{fT-!(8ll4}_i^luV~#O?zBwIuVm?li8jr7F}_TLKAnD3WE--VClCA
zHsN1pXWSl-duCSC6AJmErG-L0622cKVYHq69BJA44Ov!NPHq*GMfo2ICz>CLBJhmq
z;{;S&%0s3j!*`s*e+Amgo&~TYw8B4vS{ySJ(*8BI#iX(>%6h(-+CZ!Zg<7N2I!^YL
z;yPD{*?`HgQbF-<REZDPGG9SFTL;!l`!(_ufD^ap8k_uk{_*hPf868mzIflhVsYQT
zi;1sN9~`V#y5df))+yr1Eu2S2(L>x0`Ao265u}ryFh|UOkAj`A>11ced7zK_49ZA$
zcIcae*DDA<-)G<v;GKNcdpPwwc$K1ANXy>|deEaB@PL+IS~=GdHwugl88)$E$fy`H
zty+;d0~T5}BUWT&$MnHHO>Dl>#NwWtbMH9N{6G|+c~VB7;H)k5;ADD8lWn}59&GX*
zI}<$;8>Viwb#>XS9?!4fvBEnUe#QJ<r%Tcj<Yy&6La14Gb6@Vi$BW%Vv-hsx#bv3(
zkG>f%SlOkO^BihGUPhv`4IwP*SmjJwYOZ*2y2gtA0xO!^<bOx5@y{|UZF!-Ud7-10
zd>6-8!&``hAhzR{?`s(!c8qU`u4(dOZIk}a@0wrHH$P-vRM?r?3KH!>+iBTdP*(h;
zRKA8Tb4mUZI>k74zsJsOIdHAZULk26PB;UJ9^$f5XV~L1`8!JR>I%_UyqtyK@9r`3
z#*|75-nD|6GVUpvc8hdVv86fvThK1H>`>_*R>%N$Mw*C>Hj8|sukVRAvh)xuzq|bk
z$NvZsxlPxwH@u=rAMfis-h5xA!)BzW7GBC|(Yk`6*`1t{=H)8MS3kQsV`ZFliO5jp
zH55A&*UsCm*d5!xZF_hbpSaEA<Kb=Fe&2>aj6Sb0yav$<Ye!7DPp#CaS0c#tYa>1b
zf`uK~U5Z`V9S<*WeQVDP%*+JNdr!OeM_@g)iV^3bs}?>a-tp726TW20EK(t%K-aCs
z4tQ^L*S1~JJ&Mcc>gSVcYTLHdSoGS|K??IqSQGy(cbLLVpJ7Fk>EW!dVzWB6Sb*51
zcVxGow>7(6@z;^vN%CA^$Bw`RPHZUv{Kjjfif(VgS&KT}66Y9nT1}iU$?U5$oMX`g
zX^OK0aK4q{-2FCimaQ;qPc1E^iTCcvjwasG*jzWGHToAWLT6nu)DB-t3JTT;kEsQ8
zWvMpVtjduNlhqULoE+jkQC1~IQfV~sW>O;Yklkz5A(<!t#N9#lyVBd`NjpTAx{hkr
z_OG<O-51eL4i2z7cP11D18*WFE*?xonXFO1l>rA2s<f>?yXj4flx}QkAvCj|*3-(*
zl|8O3lkZi=!nT0hp?9b&i?2YQv(HWqZtX7VP5QV>3MgI|18wf*K11;udu!VK?~rU#
z>~4}w+C|Jfs=mcnpx)-qfuVD{%VMvumIA<0+Na>QAPzZEh-y-bMgJQNJ@LJxX=Rws
z7?y5WkkZ!iOX;H2AZK)j1R>-!a)Wf&;_1jurGKY87nZQwWO9csZ07>XX8Q}@gtB>*
zUO8is>d(Q0;nA{-iUw)QWW-B$9CACRFYAO=tA2GZk;p-?nwz;k_l`ZVbQR8I!mx<-
zKd39$uCAAiZ!Mgmt_Mpuz3+cjSIp`w*OkqREKBR!d)ajNvbsiLCiKUa%A!Tyo)7hm
z&=c=&cB0eG>btnGF2&g(44hoC$Sy1+fv>}C_s6wUqh@csvpp%ENhyp*=qrXvE+P1=
zx@%UFMW)G@kzSrL%D0FqO#q=4h*Fi#454E=qAK+gDs{;{hjA&bLQ)UH6`>zXL@r(=
z8f&vPXtO26i+3F9xP=z)rk|3uO+SP#cp@hy6uZPY_&vrptQN80+O^bZPuN0g%0xPy
zP}Ybg-1B*5D#|*OfyGx+v-sk+P9YKzI&E>E<=$l-3|Y8{yoB!KP9Qx!;URV{t($Uy
z7qzV}*)icM$)wq5XvKzIJ2a=Jm3^vYI-OMYDW`wlzE^o^FxTmbL>!&D!TXnWEr8!O
zq=Ie%TB?x~rQW1p2DVcC^sL><W7ASvZcl95wkfeyLHt>-nairf@pu>%R<k!tDxR~?
z_6*D$T|tY%=JnbPmY~Z>akv!v;JdgJbbPA5tv;9`WMnf;^AdzwiMAuX`Mk~P?Fuq6
z36zQ_lX0Nbq}0<+%=e}{ZGOM4Gu=z^p!>z#cD6RMcn@1C_dQa7BVNt%CElBFEMN!u
zYJSh)x5XW2!uFR>(fs~){fF|@N<hx|U+3Y5kCz)P?;ZX!03xuLlZE++0U3}PrQ3K#
z)i-C49jv{XO>CTI%kz>WA?O(UtudcvW>PsR@YU$9aWbSZ2q8x*Pev6X-mEOYV)-tV
zw+6~P(o&xBP0M2)Fu$TasL;e>dDo8a3NJ5j<hzzvpu9^+5#7V}i+!HlCX6lMz3@0r
zNtTo>%t?foT9sJ71JSNc_-s)RU!T-QJr@3j_N}(a>C7(P>*ESUuj|lq?_4=AI16ZU
z=Uedrv#lWYA`e)9C-=+1gj+g!0Z1}q@x=~PCUh&!d`K}$@+n71Fm#AakjuQeJs;Ya
z$@s9mOkhMynV$kiEHBe8G6JC%Uf38f>`<lvpgoKaXVietr1>r#m+ooHfNBSC@kF(g
zb#dnU<0Zs@B+h9&bb3<Yd|uvV)={68fT)wajG`z&@41KZIz;0a{z!@~@i9Dr(EkTu
zIjFt>cmYhxC14#v5C-6XZ{hd~VU7wjCpJEjQ2`S&VP+NP$Y;ZK<*L?uU#_k<5C6jK
z?#wqc3!qB;f<Pu_09qg)GqeR8`?N$Q&S>@DAB`Tor44fNo3=3`4DFy$jL|Lvu|xYP
z5XW>V&czKKp-{HdPw_<d)6d|@p^OC($T3>LlXJ8MUvAJc={;J(m6wo7xB$M$7%kAG
z)@ciodO=I{sSmXJ?~lfUwrPVpy-wTsr0-}4ZDyQyk#AzOj~4Ta4rRIdNk?e&H2oB%
zUN`*=PrZSR1(5HJ(*oJvHf<r-yP{>%546H_?_=-u%<A0a_{2haOH*@GT`ISvbE32A
z&~Y1Q!t)px)Iq)f{@c(cJwekpM2KN+ET^H<5-k&vD1oHyY@RcDpZhSDV{A=<A#ynL
zP2o2q`7tMDyD*$zhG?3=sViFFwO&V4^8Z#bb}t8m?RKj)U`7>fGx+C-w>GYLW`gk>
zz|LD2d8!-3-|}|t3-evcj;PuNzVI#Qrm>5*E@!4%*V>QOa6EjKoE~Sdc1QpNa1Zx5
z*s|lZ_r?d?I^MxAa)vM*zFM`hXx)ZKYN(z+ebwmCrj1Kg+r?NtQBNN|9zMN2YG0KN
ztT}pJnnwH2+%E6qz&egA!|$BMiSr00++8_nJ-4uUF50z=-kPB94s)T`HJ>Ve4d|_;
z#>>vkSEx+L%-dz$YA>bMwlFRr_u7@lOEGym;jA-m2cGNzN8Hl|UPg)~Snn%0-e_Cv
zMQwJ?(|n%1WgTB~Urs2z?P5^D)~fZ@AUmHZzP+N-2HbbCjwlN0wBv6{&T0OgkCQyj
zkN876f1SOX^M_<MOQ!SmEaz;-C)xBgou}Cpr*lrGpZHBWJw0M$g+}wG^CkoaueRxG
zYf8nrF?U~>m#r6T=uBakw%}U3YOO0!(HY;^5Wt2s3q&*)t&?-rZj5)<ReXtg;58y)
z1mcaWs=JxFHr_wxtJYx!Qob7KFkte+)kz(Z4^zPUAXd5Yb_r}sC)83$m*mM(MJtNL
zG^Qbq@Eq-BtOxlqq=ZWNEyzI5;T<SKZm=_@<fwqvQzxqyTM5hmBz}bcB@OV~%1;5Y
zkEX=4f$bm3xFrkx3epVLfXCCOk9H2ElX|C!&_K)l7v<2dfhx%G15$@`U#li3RbD{X
zipId#(gLTNO372v8nOmrj0i)y_bc4_l#VH*S65>85&L)#Z^YaAW$-+s_fmf#E0yz=
z=oj$ZYlfm(0Trnb>;|@x*c3gdr?582`<aYjmeAIOoZ|n46cCTlry=&=sr4#XR(R5Q
zqI9toG+04i26Fkwb709y)Rp+X!^!@z<&Xr~XLryJ#GkQ>kI048>ZCR+X!S?cT#%M-
zGrFX(zTQRsjY*Bj)Il?c4>-FrnYr*3;S1gltV*}QvUEf4Em=#s+ku%JRZp;I65m~k
zJh>9#i1@~IVP526sqD7AhaPY6Sef|+R&(Xe(~>u#w<1R{!q?adR7e*(iqeN5v6S#!
z!Jff?B9;6ON2To2UsSc;Pl))*WXSuTP%hog`2qH0IpZXZe1J4ZM>Bed9cNf)_$4&O
zIi)l4&7fgA!9Jx^@km7$8|q}if5QF-7GNZ{A$yoctY4^;>VwqYiq=vCEjX9TRsXdy
zf7D^7r9?gW2JtC?S_+b-e@?z$8mml&V7$ELVLuy(H%ol1SfljzV6Px;#MhCPs7#mr
z_kpoWP5oCO{z6yPpUlktU+<gWFJU0is-Kjv*aat3q!0gaz$JKMe?Kh}W4}#XNggje
z@8YKa0R};y?*IS*cmZt7Q@|Jm00zMC#%yb0ww-6&Y4(21$hM6w+qP#b*X(TLxqH8q
z$bbHNE_L%i%HEiyWXh*PDyC8@r%I}(TB@f;YNl3dr_MjGUh1bo8m3Vir%9ToS(@kA
zv`EXeO6#;q+q6sjbV$c^O6PP**K|ww^hnS2O7HYZ-}FoW49F>YEORqEk7u9~N@kE!
zN-LwRo$PEEyV}j}_OPeD?47IaV_*B(KZEm!1M-&x9pqq#I5hJ!By${=c@B4ka*lMA
zqaCBX3M#6kvMQ>omY-EuLrt~RR!3d+)Yl-3vmgsK%p#5QtHzpWs+s1Fb)4g!;6x`m
zSqm+-(mHFk(N;U{b<i<Gb<$ZEU9&t(vNTU*m~Oi3p{HJY>!YuJ`WxVsT$3lA>NKZ2
z!$5-!HpEcF3^&3^ql`8t>y0%|fkH)!jW@wWlT6O4tjJ1JGTc<tOgF=s&T_VMoa;R2
zyTFAma<NNX>N1zR!j-Oab+)-CuejEAu6KhQv(Zg%c1yNohg;p|_KeJkjLMjdc85DN
z)?H?r<!<-5*M08yfCoL~VUKt;Gd<>UPk1up@~5Z7)1L9H=SX1+Qsns*d%=rd^0HUF
z>NT%>!<*jnws*Yiz5L>Rv&}KrJo7EE&?1X7A>%XAl1#GHGRv*7(kiR7+6O-Lk&k`i
zQ=j?V7uHy7UDjD|gN-)XY)dBFYMbqL_%c&7CDSq^(|zS@-}u&dzW0M4{p4rA_%*Zg
zl;8aB4}bcbAb0=_;{X5v_`BJxZQHhO+qN6ksjbwuncB8(TeI%|6Zi-p`^2X{^SLj4
z>8s#@uYKcN-vyDr_k$n(<Y&K#5rhSyLAaPfgjiyWBd&PjOCX^{5=$bfWRgoErBqT&
zBdv7O%Md)5F^HB)W?5vFEqElm9C8LvgO_s2EswnN$*+Kd3Ms6JqKYZ5gpx`rt&FnD
zDX)TxDygiBs;a53hMH=rt&Y0tsjq>C8fmPFrkZK4g_c@rt&O(YX|IEhI_a#7uDa>2
zhn{-rt&hI?=`Td6FySH$Fwh`_4KdU(k%k*#q)|p2W2|w;n_!|zCYxfaX{L)Z!%VZx
zHpg7^%(uWoi!8RpQp+s2!b+>Gw#HiPthd2Nn{2klR?)WEZik(A*=>)#_Sx@%gAO_D
zh@*}<?u3(0Iqi(I&N=Ubi!QnBimR@<?uMIgx$Ta-?z!)QhaP$CiKju7XP$fErB_~i
z<E?kz``}l<`Q0D>^q0T=<6r+11P=f}0001h{<dw~wr$(CZQHhO+qP}nw(Fk&0t$q{
zf(R;@;6ex~l+eNmE1d8mh$xcCqKGP*=wgT|me}HmE1vigNGOrSl1M6<<Wfi}mDJKm
zE1mQ*$S9M{vdAi%>~hE{m)!EmE1&!dD5#LaiYTg>;z}r~l+wy5tDN#GsHl?4s;H`(
z>T0N|mfGs5tDgEAXsD6KnrNz-=2~c}mDbv5tDW{b=%|y<y6CE#?t18{m)`p5tDpV`
z7-*2eh8Sv?;YJu~l+nf*Yn<^Wm}rv8rkHA)>1LQ|mf7Z*Yo7TQSZI;OmRM?;<yKf}
zmDSc*Yn}Br*l3f@w%BT$?RMB{m)-W*YoGlNIOveWjyUR=<4!o~l+(^Q>zwm0xagA0
zuDI%&>u$K|mfP;Q>z?}_c<7PGo_Ok+=U#Z}mDk>Q>z(&L_~?_*zWC~!?|%5{m*4*Q
zPY^r+hC)CA0DQHZZ9Cf@v+ag#+s(|jUEfBwZFAXfxSL3r6qd291SCq5EJdm`=`v)>
zk}XHBJoyR~DpIUOsWRm%RH{;~My)#amb1JStY{@GTg9qYv${2`X)SA8$GX<Dz71?>
zBOBYqrZ&@{QIlpZT5WC%TiVLjwy~}4Y;OlU+R4s#v8&zeZV!9f%ii{}ul?-r0BzcJ
z=yafi9PAK>I?UmYaHOLg?HI>8&hbugqLZBL6sJ1P>CSMbvz+Z5=Q_{%F3_c0k6wNH
z4Hz_J*oaXVy2y-u1#lg`vSt!P?3kG$W@fgJ9WygCGc(&U#mvmi%xuTZ%#6p3$IR>d
z-}`p=Rqbx=XsTwWTh*FsNiCJs`g(xQzI06M;)iP6=t7l!<*C*sBzxP)gpGaq+WG~&
zYunhyg?;tQ`sG)IG?O+glQiQd&Vw}5E{Is{CwasmdDH=U<U)CLpuB#rFuJBeX)w<j
zQnbhTUe;AXG0!>Hl*i<a&Q)G=#~E6+$HeL8RZ(-tIo_qm)C=!bZnW1KO7`>kVOPld
zaMWl?*o)vgzO%h%fv~}N_~(T5U=ZcnhzAv6sMB6||B=aLz)JUNHN|%K8Z$&?>zQtr
zm>4^sb2XnClt-LqK*N;JjUWDwdD}_wdPL6mGEnVv)6VyLOz-<L)cqcg^f6=?fz7VZ
zbb>-0hg=Nh|NRT$XFvH>{=fH;&-cn76fuAO2}|_+VSW~T0!$EB*!6}J=7|x76P20e
zh5s!2f7v6#d?}_eqH?Rcv7g0S4r9dCULfk69DyIyc_jv6)VT%!j9w0-<vDp0RONYP
z7G>qRMH&|6`Bfe#mN~g1*p_*vCTW(rg(@1B`IRoKr#bmDT&H>E|82O@%i)K_F(}dh
zKiZ#k{UUXfbi*q515LeuSBG(urhcKail$+u^WvIbzBJpKLAiC)ntrji%bH=e_dWM^
zjvzeuZi!(O_fCPL4EJ7z<7E4Go+MrSZkc6O`%aOjP5WMz=Y{8Xt|-3eZs~uwJ^8Y{
zFT3ToT`xPux;`J|Q21YZH9oc4<#cE5`H%HU*Z+J}xKA`$duzHPeF(kcTxb6Zk<;%L
zCR9jR>bQWj^%z^*ysmoaxCA439v<SoE}inafYE&(UFy27yd;TLVj3xoQJ^X<j8)+}
zHja@eOEr#FW?KQqDAKh8V^w*d(B$NP2BFC-F%BfkDNq(B%Bye!mF46~6P4waSr-=M
z6loh5<W&K8tkZJDk*qUH%oB~%3e=VV8QA5?Go5FY**ET{73n+gW>op!;QnRdg~O4k
zClLkVnAf3*Bbin)4I`O1!BM1{R!|kCnKxjWCz#eU^qN|GaR1+Se$A@6Pv#o=tZoh8
z^SplR>vvMF{TkvZu7eg787^Q0^CZ_{2Mk@?ejRmH+d&(SO&hR@`vQ`YUjPxSA42i-
z5N^obU%_ae`+mhKo`+t^YOl-he9t3O{2jWl*g_DYJ@h?OJ^!tlzho1-{fhtg1?<c7
zP_p&-naP@#(OR0-+JT2?xR$PJNwjl#1j;;;hpgGZTbi*`NcT1UCJIDsM6Z}AnMFPa
z6*1c7uJpVa+LKvCvxX&#vwZdcr6o#=QH3D<_(xrz17ZzDB<K;>_uo^WD0+D$-963M
z5Z!Bl&!DYg1nZ<5iWJL;k)jmqgcI{P%b1npxN?D7sKWn;{@M%9nuc^<&RqZU2jjZ*
z%ManY_KFv0xD2WvX1MkUCu_M3C@*Qb_DMIdy9{YRtUvstGNDulG%Dp%m3$Qq5fvGo
zOb<A0z}>hbeaG$S=_6+Lt7$z?0?PL|1}$OC%E$+hV@radF=+><BWEN(<i<CLudBDW
z?6Y2Rzy?cSKw4JTMbXpG%@JVkYWU-`oELS3hi;lm8fyb+IgrgM7eNrS5A`4|6x#Yo
zU@N5Dxskr><mI5$#HP7HTl6LMoklw;*toNO1)XnlPT4tb%(#{>)QVDh)~%2MBb7=x
zOQ_1#QDSUucJk((Lp_k;4<*UV{J-Sd?i+1Y(PmSvuPhL*mA`X!TCeR|#57t@qDs%f
zNewwQNbZm8tPB603cB7OXyge=E_P_Aib!r_)2Zf64Ps!^fq$_qu2+57OH1mrJX)Sc
zv)!-bMcai_Z_*jrk1PYjAo#=Zhh>~Kmv*x;_ehdr6HcHFUx)5i->hRv7~tDo`e5l^
z;;N}W*Eycofa+jsB7oC29sIL-_i|<KA^oJrl>HB7KQ(*qgx=t8yv<~B6S4u)+Ku`U
zLs0AEdRCgZ&$2hYt+{5yEc;Jmq1H#Hqg2~H{Jo^!3~ybUTP>QDCt>cJxq;mE>TLR~
zqhc@s=3gi>r@uj6wbR6`+Us}p2>P&!Vg!dpk7Lh--Dtb?ZAiYYmi;TbD#rE{Q9$|E
z%DdFJ^PRI`ZA^@322@|$z08ld9#5{i-10G~!!(<U(jx8IpPZ;XbYZkdzYri9{GrFU
zwU}#jK1;#`Wo;X$wF;(@A)}8cfkCTpLT_47xM5|43-HmEluk>i@+h@Ikud~h+Ne$Y
z;loDkX3atrTuv+ouq+`YP9mM=&Z=u1zp5OYq>KI-vW}hNO0~i+q`nhM7Azd&l8(|d
zNZ{&Yc55XHwYu*XO~W8mgTJNgszMO1-5Px>(+aEfiMCzaC)ZR)KU8=H!|VZ{6<zX=
zT1J3iKz_;n^6ci$@O#FJ-nM-2SZ>4SN4@}TIr(M>+k$D#3o{JYbimh$;V-^ZsVZQM
zQhJcrqqIj14WS&cWjEjKF~bbNQBrzZIV|8fc#-=!PX^_;{G&MFgr|FG^|=G~u^=8H
z@)q+IZ<<OPF&8T_7iDkff_P!|VY$_Ba@wF7E4~|i{*6h@>p{|E)xcG|P5*-*rqAWT
zRWW*Bc65IY%wEqIk=<nUK3#-?X+N`$^o9mJY~Zxq)MtaufdL%#efcvz8$q;)XPELA
z^}w#`IDOjxKb+s5ii<xZ+_P$B^dTMZ+h6qc1YlOD{pfCUK08nk=BKjPank;s``_O|
zSmQtMgvc6l;Izf?Y9Xw7;kdi)yl%47OP}9lSKc?u?n)bF_L7r9D`PH7IQdw=jCp+B
z*&9!4->W<*P3hZ@yAn*j96J**=wIBGqo0V%X}U)5Rn~C@*01a5CLI<o)XLh8lEcp&
zVjmo0wdovU!bvb1H^c&0*^G#hy?Nb}g{|(A<}`I|Av)3SRAx2RZSU?#Rctvsfp;n>
zvM#LAFJ1>(WtQI6Rji@96$H+6E@^Kn{Oy063ctbfMk-%bI?NJyMfx=_SC#Qb#k&k;
z<}~MRN~AdsRr1)-0ry3M(g)YpA~Q$^#AT}YZOGT`9p;yT%|j05yc!=>O@png?{)Hv
z`^JUiOQ3s|Fm?ym&ba*MyCZGDv!!{*R^kLT%d=b*pLN;sp+jf<9(^4fI@kPTUlDHc
z$wOc5{8ImnyXQygs_GDojTOceDBj1Th|Wk?{q2{QUFxPftjv3o@S*#=k7|W;V5wDj
zr%jkP`+$t<z&%N%zk)AoAzONJ(|jG}ou%eU6J_Ei$+4Mkv`>Oap&}-MQteRFay(U2
z(XyuUk-}RUut9;+j;oQC8AW57JK438;!h<-n@WN=^{75|nLhQ&=l#91<XPp_2Q$|j
zRQ!GN!?bj>mQd7>@QY4pcZ|4S%SWV(NmE}~vN+}1*~i$&M}ke7m+zp#5k^3IFhTVt
z**Q?$U3S!+vBkVws%<MgR~Oa>-=~A`w4k#d^Lb$VU`N!`bXF%l;j&;IJs|y_ueBRw
za1;={^ips+Sm1>r*p0c)^J>P|F*TAL-ZRk`?b7t%3IZC~-CX5oo_b4nY5hxHLp<`$
z6uG=iP-0|ez|@r3_-z)-ovi)>h6>wrW?YK*((>JZShP$1R<>6&p9~lHHonl*fS|++
z&Ab;=&_8+Ks^u?2S0)XPV5o7pzZ0|vgr<J-Mf2KCZ~jd>*XCTG>aU=;dhQ(^oaBG$
zIe(WPf9@@!udq79ZD@DjsQzEf_6G!IXFq0k*g$<XxwKwontH=p$_KmAaknRhO^suO
z7cZ<i8uBhf6qAZ&*<em-!GrYXZ2WGIS1(>QaX`i;<^!fpmhQN(?MDRP<K<esdPm#I
z-ze@4d4i8BEZgN;xT;#lZo|2=IeR(w2aX5X;0KQQ*N1h<H>P53hwjCpLLZao*7=7!
zGxz+N9N}PmFcE%MRW3})7X3k@mc@j|B7?ptum{ER|1hOK>HcUqF1W)_8u|R;@Bqk&
z6!3+Dx_?pAbJD2sBAju>Tw`sJ$=XJ+Y5y&2tp=*B71=QiT}e^Qa@>I5qvDfeq%&s*
zzMvJ_*)9@|bnLDc(ee{;7Qr0}Ny~MM$?&7Bb+$*X7mgXdr?IGl^<M?HWPALFY49(4
z#d6KwuSo=KI1Q&GM!kNL60*d9sGl;A^(yv$wS_yyGRz3G9Wg-vBWsYV<UnGaQbbPr
zXC-4W+HobeQ%a2c#6JaLdO8JsMVY;^OJN{Bb#;waZGC>+x!hb#aXTH_L$FQk@&?Jj
zKVM87>Iy9c!T)A}1)t^sWwzk?8D2f8(Jm_MdO1cFCViJJO*m`Pun-O~oKwwqvbm&B
zT{~5x2UWZ@<-^i-;wxEBuu@3~np1!k<~t?)VUmNC5Cq=gFo2m5!nS;6*Msc+g~=cY
z$+!0*#J3yH^U?9>cbVw>0KBd-*RhT&XTapO_S_<<L+F9Gr-Rmimbp}2^Q8aycw~;)
zeB?P4@qiQftrr(T+L|2MF;>KZfwsjIXZfPyVo!PQh*GYz?sM~geo0WRdq*Gqhm1WH
zePh3D$-=W_s`SW3<*wtT>OPq=O}y;+gi}@fb;6;f?QvvNbwg=G1yG4$t<vDS<SV;K
z_7lCa<ys5p?df^-g}mFx>y@1M=?Rn_BowD6VHC<5>KqCeDjiB2Y8{FfT8!L|?1}t>
z{2e(MSrmB)nH;$o*%bK@83Q@FvjuI;QzlktHS|Js6AB*BW1%#veP+}7-OIgQ#bY=R
z)$`Vg`NX-{!*VCMX3^(2zE#f`7roDM4-NzVRu2YJzY^j2It@-GH$?xwSA)(VAQSRI
zn7CTE^W*lowJD88!W_5o7UUi}2sn|L*O8FCO8Hyyu3$(s>VmpLHnJxUN~~{pzoTFh
zjjfK_#lNHM&jTY)`SmRw_oxRQwpXLgpfdiKld-3-cSnG;CIJL3TklJc5iaB9zDZ%r
z!1!VB3y##^6!du!+mc1$F3T`}BSsx*rjov@mjjCkcG|%QF&4YIr4Y&QBKp#7HDd+p
z%_$2WX?lV<2u&I)rA1gFj|pkm)^f(I5m0*H2la2SEHVeJmbs?K8k9EdvNopGOfV?r
zoSGH?H0yl{zV>wa_OE*nWw{<@Srgy~;PwkHM+4yYItc84Y9#p|jnq`!Q)w*S?;jk<
zodrmPqYMYG_+?F{iA~pJ!ZXr4^Ru`JexA%M_Iv-F^H|Qu4m_CQZspf<t7F`v*ht#t
zELHlxJP#dqRqYHEXD>1m9B|^d!{ECj5kQYGLvnJ|QrjCy@?z0H^;h+eoFsDW1YGua
z1<0JZPWQ!sbd$nyK$vdhYT5bFVg@$)n5Wn~Q9FDWVenhAn=n5wEHNj9`MW~##kI0c
zTm@r5$LJoz@CD}VRB2<hf)?|y3_g9hXsma>Jo><lr`%@Mq3$JWn4tjUyd+lBOwG(P
zcLQ%Xr_u5)V-ZRAI>i)ui?*V7Z<=TPO5r$5X#yGTly|Cuxg1E=&T{x8v<mP>+sZwB
z^8iwvbF^4i?YrY8F6j|ekel+>k#iwuyS(G&rbrAsaSUwgFOj_YbyE%ge(ekLV!~=F
z8(*B-qDNixf#Ctj5yc$twr6tKee<aKs%iHF(hkyP8#iM6o76V)_;y;Z>o)kU9$3>h
zD(p7w*<Vh~9*C5`q$&K1r??zn0n5K>IUv9|=75mdO9$}b|BH*?u`?b}xwHN`-PHRo
z()T%K6=A@k`)qSxm}od-)adb+{lA{U)_(_E{?wdwlWVr``~CCK)O))m0n!JuKDyYC
z{$HrHeRpEi7+A@xq1$#Zg}TM!>YLGB0+3t^^`pt`k1A=W0hc@w<*<s?65N|u-4U`_
z#cF6dDv8iOMght%6~(ii=Ed`Y!BXoPHs?St$ejRt?6qv0omCx?E!j#bQnm$>s;hYy
z)s<K~8FG9p4Qzl$6Lk3wTJRz<uu$laR-QG@RAqA}bd#NK=Gb#}XHkz}7+Xi;t38od
z)V%5qI{iA+7f{%bBU-SMW>~~(>Kiv><E*YG!fLu<TCj$X5EKOU%#Kjo^y#B#E)G?H
z6O~l;Agmk{LX((O<<AeSkk6Db5wa3tWm1#oXR-LW%>dRf^=snSIN@gkkNck)q#T(7
z7GRZ_eH~55zc8Z6F(WcVeI`F6NQ2L0%xu6mmocu#3g)`A?o^4hQk3C)gFfZk@bpGb
zi621-`MH2f`%rSO*!lsb>=45Hd{W%~Ehr3?TE0xG^+#fvQn`G&OebVyT7%g_k#=xZ
z)wuwt4JOoIyH;nXRL}URzZ_P$7u<oVoU*#=FIyW?f?F1<T&d^NrFLW)Fc`gscBEP`
z?7fwC<m)g9z4=!pJTUaV<yT}KFa*7(0`E@MuDg0OI}}li8CO!+Ln$a(KMgx}WjPke
zI3AtJw8(dDqN2r^<f`<L$5<oOstoGfY6U+ohaN$0L*1>9Z@0+o*E!z2Zm*B_-q&t~
ze4CbIx)0>CjFR<F_FkXJC6SZ4L%1+jHO5zB?Sns$wQI?@NU{d0_p;rwCh75`>)mz>
z2(5dTOaCHMSJd{PTchhzW%3`EKdlq{Fx_y9c1V!pzzuTV8f?@gh_|bA+p5Dy(;3|W
zP7Vk+6-efmx4uV5yV}w}G<YYi-bm9Jhb@MAhcc<69Y(Q72QZ7EYk$fuCD@w9$F!Xx
zl{A(A#Q2`2TOsZ-{Pq5&(XyrwUo@k?YY<ZNtR@+VWL>kU_gs5N#+!cvTUNHF(%I80
zL5Hc-x}GzN2B};%esvl9Gp)Sby5m#>OR3K?fNJTJxtKHR{K;gepqBOe<;>KAvy;J}
zc!OobmJWku!_3OIY!D29=h!9j2><FxQ!{Q?f7`{>qN$*Zqx9*Wd}iM-4vUU=u&fu3
zch3>h%KnK`Lf=1YeQ){dWQjKA{owo}b=P2tR-QGx2nYzfIj4YERX$y!Qeo}ZrrQ;k
zP6~9Bw_K#snfEV)P^M0`#i6$tC%?`c^g{mU#Xx<uF-)1(R6XRbj)SjR*-9BV1k9VQ
zR=E~;B1y8Yaba`L+e=QCy>Q`tr|PFOCwj4c+B?{!$T{=pvfAhM_2c8qH@B~FQ(*I$
zs))aKdb(u(y@0u~)pQ;(*fcT732(X9w8s6Im6S(RSBZGvo}x5eT<aRC6)qc3^;94Z
zC}mPE+S5`1(z@gL#_9??b8p~3%mW5))c{FPBOXjQbGIxVO7sI`w@mld)6`cUomrVY
zw0b&4#>++4XA$%A;~2-tUgF7n6565V&crs0$=A-_cv~~FSIlq7-HX-Nns4a7)7?Um
zi1kLAdTKTG_2&`oD>iO1c!5L9wQg~lBqqfx=Hv7=FeLSoXUHAnbbZukKRPC>`f$!5
zJ63E4*Unu!hAwtCU(S8Jrtwi5MbG8E*71kP&&9nqvxacTdc4Ml45$aO%Xg|g%7;vR
ze~lA>f`#6Ye8ICH4oPotr+SF!dlf#zR@m+|Y^>GJwbx9&*!}%(7lY8d!;35WWQKdW
zXP+lK2<*aTe-!bW+Ui4i6MXIG>zR6Wd|mAxw0+ZjUGW{{dqsF%`#_oyyQSIrbZ%~O
zZDPmI#0xMrHr)w3lYZrW;b%FIarsL;7whKOhIJ|BY9KS(v#Jy<IE#pzC9-|Qf<9CX
z%|R(WSZYosBRgkrk{0ARi>sBCv=i2VtXjO#!d5wOXWnUMMX<J)RZD(B@Ur*SzRE3w
zKz3VkhLVo#d#&de)9(X4Zf3ZDMEjB4lyHNF`WfA{aHGiw#N8w^{EG+7-9$3{Ob686
zWHJH{ho0Q@wL&n4jNK&H{i6pBAC-85ruyq2z4rA!x3c+B_2g0Y#S`?@6ZD0Z^putK
zrRVju=k*0y^b}e2VSMvGz*=V#SO2x&yS@Zrhw6?FdG(-E7aMyq$-v!{x_lP%!_lpF
zrBa)vfKaXvaUEa=QR)oWss*pRp6TqGybP?n5L>h#*@16e(w%5+w_5sm_;{W;y?}U@
zUO+^N4Y(f^qG<Az(cxvqcYUcaPhd4)3@k-WWiy$C#g?rV61uxv#@jDEpn8aQx>M{k
z%N!A3QV2gvjS2VK|EN4Q7?vJM5GZw$PR<3q&bNI+kjb*&oo@}vy1#ioJj_kMirMm^
zAwJ(R+-{c6)LRZ0h$Nr`!imGN6+Lcgvf@ghjfJL=hXti65do3~kn<5$`P=i*^(NEe
zZumNlK((Xa=(jyZ3}}$W(W$J7f;HT@KVbBswGgs{7OpJaJf7!|6$if39tBA2Q^EEk
zS|QZyAFjk-rVw)0V4T4a+Y#da5bdqCBgzmEl8WkH6C%mQeBBt5=OKOFQo_3H9tw8e
zs<N!Fx@%K8)u^%zt%7Kia7H_IP!I$u#%L&#pGdW$7WJ^C{a}ETs)zElLf4Nbz}`3%
zda#9VceHZqrfyS3a#1B4sO_vK`<W;7V10bUgl@!xiRtE8qGxJ8l5WqEMe$6qw7=9L
zB}MoATVt*GW6qKe=WJmi<qdb6#%3(@k?j6tGt<*vZRr>Oq+#oC(<|JrfXh8(ot!tx
zM&Cw!{ml~U@wF%Udy9v;)d!;PNn@=Ef+Mu-Yn%6^hZ}j`(jnZpTOQY;8Oi8!+$1&o
z5K{O-#r`2kzA*AcF-7m$Z{k1;=#wAfo+C+<aed{apK(pqL{50K;8J^iC=)dI>EIoq
z5fX?f6NT%vreL)lZ=uFCR%j4L_dpdLG`12!^TVQ`p!v}U2f34$v=p(x6rAPRXyfJs
z(&^Aq_BvTdB8S+sKZ!?5PtaQF5P%viE`;7ryUg)94<-=A?Yh4g?qVO;{1Wk$un(k$
zm&#q9PJ{%RRp6-cK8u(O`P;WU>MPHAxP9O-)^If;d*GT}X&{aq^v_E_wB6~j@Troo
zN(Z~PMGzq6+vY%Y*gPNT)-O*)JOQIdDe&on{&O=oNFa%Qlvx=^l%s}1>fy>*45IIP
z1k31u^dLQ=`ZSbyKoGB3_N>aT1K?Bn=t8*f(Usp;#dYU&xTJ=TX|zptz&-I9BmLcB
zg~*ZT9@Ete_EtmP3p&^Fm|GK6Z$!p-@>@>reX!#(LnaNJkng-&@V`p!yLVw{@@2Cm
zDnY-SjQRi!_l(2z+6qFVB}(tv7pA!O;;*0QZ|cM>#~@JtaIVUXFZIG={#oinpGJVu
zqu103;X&X0J&L@~SwnF4MX&~|K~MI`UoyvB5+fF;&qxz`I6Un;k*C}xg5wS%2eio^
z9L+#FO7QEClXQJPccpW<jS{C|^(%hN?|i>27q+~!HAmnqsOnJK^zI2dcJTDSBo_K!
zSRbk|zzybqa5#{G829Cei}lWJC+4SeNh$mN`7oMmnVTC5xz<K)sUHk2c&K6nFvA&Y
zxvi-!srdMVqXR>}so6*r5(bq3j1^5sb9ur(o#=X65Rh)<j)KIe>k2!szAI_`)cq|g
zFJ52SQSLyT#TgVA`q<^WqS4C_Z||wSvYzV55lzgahBxvF`HKOf^}@igr=;Hnb|kUi
z1iW(ajnUtvYxS_cBKhWKHogJ~lujR6bW!6ts?d_%3UXNvujA-aXEiPx#kfWzwaW3d
z@1BR;3p9GBB&t-NK>;4ZU9gEWvs&07vD9INleZJ2wDCHG&WoJ&qOq<$fC9}8iE7d(
zzBIk&6aSsQyFym7D$u%gcM_E4)r+)3se7ZhLY+OV-z6M1rY@d5#)uq`XeeeMq1t|j
zyQDneW<RjheIc`C+EI2l*e`S!e7+Klw=IX+P-r~7r$?`ZPBhe`<OT!V=X0d)=f!;6
zOR|i@wZnuN{XRAvnfn*jtfy((Z&LY6z#F9zs#Vmx4v>4~j?ET;uh~}5oAYF^xf(v&
z+_aAT^o<9;yM%qg@X?879SV#A4{#Wh-b>bUb63*sKUzPW8G}Qp>)&{#Jg<G_{Q5C2
zJn0W{#OasuRg<63sn2Q|JF`7@t&jIg^olD5ih0Hz)g2Wi>;{p@vIhFgt?YaD;x}oa
zvfv=vdZ&rU8@9A?+uTLaFe)0-suC7Ts;**5CuICRTR!{X<^=z`wEWy-MbudLbrCN;
zUQw0HSi$n7WK&F=GWl8Iy}H}HsV{qVHeeXAU2aElg0aJ?l=PQnt!}r@z5A|We(S}g
z&ow<u*o-0a_3p-{CwqC;diYIGR;h_Nxp$KRoLQfGjr~5k@ol0SuIwpWhtViT6@d)d
zZ|m=mU02YxrWNCN&h(*=$?C|$IGlDq8}HW#Xmx076kXQ?j++eP%(;waj!Or0PFF4j
zZrS!-t#fTb?Vu{;rM)Uyts!lUjar-F_D0W~7rF-(*T(kAE9@1KEXG+1maqumV8Gzs
zVEEvvNUFTGm);pm7u!9y^Pu})8I~oN)YxsR53`<0s`Z4-fm;3F4E;&QOGe3w!~>5T
z@f-IW%bPl2{i-I?DX(SWUCmw5U6wP`h{O-lp!gz^N*NEf($&42hzF@_R1cf$iieKl
z(yMtlUXY3BO$Tx3UZ<-Yh8z2P9KiE;E${~zhmXm<)|T)rx2v_MWx731vAlKns)nXM
z7SE?E$V+D<d-|!T>__8Tixg-r)p647u+OTlDyZtbs<X;xsbtJhEs}+JsAaNcsb$M;
z>v25Al7`I%yLdyzHSGoa!TKV3BYfj~(7X+*%{f_Y;YNgJ2|>F{r=2-F6g4$k#d^^v
zWw~3qz`U8!m;8dr)9I<qZggpcRC-b##TQhs^ckP7zx-=#&NrgaH|kpG^jZkbTDUd)
zEJM0&qPFP?Ed-C5U>{gLM8Psm%@AR=2vW5leBa76yDBF~5$1otLOG8TpU(UiX~;p-
zEdw}E4M`8dIxiY1f}wLyaRn9Q@0W^pyYHd`a|y&^qhO5~=?paeCGD~3$idj{Crzw+
zRIK`3UPo+ydTC8XfANR<83C05GW&+@B*fnf&P-F&3(1XZM}*B7B8*G-^MDT1ju;<W
zOb9tH)?caMCmz<Y5PDr~fY$y`0tgBrq%e7Zg#`O<2c>NVtv_S-5LNvFxHpLSgT!vA
z(L44$e&pAvS%b`O=u<oH9ltTIk;!(9JN#9zv2})U+)xx5;pP~@PHVs7)MB;Qe)qIT
z(mq00VBZ$uL5>L_At8n+6%*uQiV3ALBL3bwEXeyqE`$g*AH0x4kdw-elCBTfA|O`R
zD7l#bHPVcqdUd`;YxH4PeTT4I>#??p$LNHU$yvatY?>WQL*`y*@=+o;Tp~(4XhAKY
zQ7!mx`S(_}Xmrc(@FM~Cha-Oa=jrILum(`P7l)!>_yZ9|z$K*r&q{fxX+N1SQHh3R
z$%CFS>k-Jc46nhItU)y#e_4TiOgW+|NY@*brV{$N8jhAL^s0k&7AnSvGZTW*m?`=O
zawNJfY$Hr|!1eW3FA)pJ!=o}fCLw!3YRuodL*x2sOOk5+V^3?7Mmv@Q@9ho0_Zn~{
zOz_P3n;%v`#WGS4)eti{`sNjiFa)tT<X0)b^sj&@3b7QuKM*R*dcj~aLd1}@A$@?+
zn{;hA(wlZWcw)?fhs-CmM%At`_A5pz`C>970QPhUdc&?F>#!zV+ykdW>b5Tw-|_gN
z?}v5mVt~$VE&&*3e+<_YT5zC=3~)F&WK@G_=O?l@QMff-Ez!`?nT$P_D@m~s=@4u^
zUJu0}13bauBhoL#pMgkz3fgJEA@Ss67<yn~Dr$P*zh{Jqz#1S0^NqL?A<ps|y&&<5
zke10sVoL$r0spFfm{iTc0X6?ZwGmdA9o#=y(KUEM+1_0eLRO((Xtvwlu~dA7Oaygr
zA?HKm%6Va83pr6xOaE2j95Wq+d>ATu>L#^eN)|@F2El>_@76@uz9c2ECz3v@o{HU-
zfJS8@Mh$Ua?%|`H>F)B8K-(xjN)~w<g}_|CT#vhl`5fMosFS`c#``_$`|)qX*3?ja
zmgc~|ebfWk1a4Sk6J9z;Pc>{R=Ks35s;2CXrZOFz0UJIGl%<2lgKoT)o9`bNo_q0|
zH&UZlg~r<V?#<{YMje{A1Z~oJRS1Sgb=(`9PNuzOHC$%~>YaX@VeK>4b#<qGm|5S4
zfG1Hv_{epyiP2d(fT=+je+F7cVvA4RymGre-DsJY3UE&YamjzTbw0k**;}tto>m=8
zdhsW>uP|Tr-jvhAmA5x=@tegiP73bZH`j!69n*jjU0_6gw;kL^JBvrWTlhgIw67i+
z@QjRyo@Zss!(`==KFQ$q_|>yYT(lxG?i_jL1b&2f#Ad{l_!x(lcZqpL{nXj_`tA!y
z4EZVHZco2pzo~7CmZE4yFyxN5E3?wTQp*c0^--LP%zEpQ&q77nsb&d|TFwMp&UsQS
zYAXMM&XmAKof&C^oaULdHE9#0O|xs`9O&3`8Nxz@>ld@OT@GZ)PYXixd9R8;C4wdH
z^MqwDHDz@96!UN*7VxZMB?P(fLfSZL+K{5qqB`lh19bg~#?Azm+)wbk!#}do5KJML
zI<T1J5u__<<WRlVR%&cyi^8R%6C0;^k(18|u|$%Rxi%IBm<Wct@?6#sH;GOFZ2>{I
z?@AVSuwHA>M}b`AX;_KQ{de}~LnXrVdGkzyoLN8BKj@;q4E-)Zxf5qifV5!#{IRd+
z{x<E}p2K&$7sOk(t!{|~q%Xe^ZW&F`uXpjqfreOzRy6UM(nkEIim4Y?BJ2Jwg%Pez
zWcZOTX^)e~`%}bOvK{_zq}S-B&Nc&%^qZoszEVXWlN$<~C_Jnqmf9AasTmslj|6OL
z&?<kF^`zBsWMW1#u!kJ-GWFdbT!!sHXzo<rFVmigWu8R|&7y339o<T<!JXT39I*Ix
z4|hmoCn#49nPv2dy8fzXir#Au&+yOfSNI(W1b>6Cki1~C{}x|i8R?-L?KlqieA(A$
zL)C)^M`Rk(!u&)3`)wWv%upXUA{d$hiLA#c<y-h#=_XabvOcRC-r{doeOfh~ML%bK
zfEoeYZxb^=6|(@Bqu(;ih;06m`Y6k&YyszIing9d{x(N`I!6IM919Mc=5|~eUrjZl
zbm^<ZJgV2)H(z3cetJH5GM$y)7rBkPhqFbf@R#Snef;t!-6?(j1^f)5-TDcUU18eS
zYKOP}g<agbLUide_2s*VN1qCMwTJdGrOKn<4|4733!EvpwkU3yYA3Kur+m0#(b^#v
z^{>tp6V+9>YHjn|6ghuNT5ru@?7=xCI3)5)9Oc34cG%U$WA%l#f{!%uO9`KAxkE(1
zZU~l|!hKyqwEdO+TV1D^EI1tN3x@B6*1Y}wu!P^8=-siIvpw5IhTzVA7#CCAV81$J
zN#*op%N%c{YfXlW{T7(F3pckK|Lfx`mAvwdiCHaqW8$(&&=Ks(ue}6=AsUf(>*|Rj
zkEDBMli-9jw=P6g&RWgjmay4^(>_Qh#q``DpUQr=jG2o_OV88_?F@_!CLPa^&i$7{
z-jj2!IZ`TzjnJh|3OKKR5IP8&2E$td)cN5<K|l9luYP#qoo~B+a$1#~;6{Y5mL&^a
zNUvbiaiI?49bG!h{BB1);#{-CJ)f3mhJGqErm0GOm_u`z;W&ww;RxUDt7<nX&N)O2
z%ou1h$b4v0BVSC*TU4D6)sW{wg_9>l_qXrkU8iAL3OqFP9_;Wu%Ov~L$4}U}gKq)3
z5y_w5cbeRe6hF-B2rk3|WrpaHkK8sTczJ`X7s^_e7BzDSZ3G|TIf_j1^hA59mU!>;
z+*y4ls{U@=?UwYL4#ui>oQ&E#${yug5-Gadi}cDv3_7a-70ukBT)a|1nb&OJbgx`)
zXrW9zx-)EY)r-$}2V2QOS#{Cw4p}H?VeLLb7E&o7dEi_Jo}*$Fe4oa#r#g*v?JzR`
zF|2AF4?hUHNtbD07H;V@(pzV^Yzk-PNSC|nwcih2Id{pk0e;r56XA<;Yp_r0?v2$f
zId+gQ;BVc}PyBdvIDeE2-v=_S08e&)g7%db>YQcCm>}y^W9`;a=nKWut>%}djgf)O
z=a79M%GZm2gMD|P-F)CpGlLb(rYoy9d4XgQHo@mk#OrE|k&KoFEOhO%C1m&ojW_L^
z8r|l&WMfJ8Au&i?e6w-=JG%Pm7X8H`N#+yhgpbNa#oYee+Y(o}I90K_Vj$+?zD)`G
z#l-3kD?Iy}ki=!-Vg$OBH1?j^?0^`_ij=uU$n)6B0M~)`V%VrYXdTv4;}q2-rwiJV
z@cgDh45s*{I*-9yC_DMjkz=dVAJXG%r{jkG=;o>Ps;Od>PM>eyn+d$#-X-q56Kjo&
zoa1`l`FE`pTR^X4li#8*JYC}-6ys0Wl8j;etjx*s0-hf-;cV!V)Fb5)OhW?4r6Yi;
zsGjFvq0U<K_!i>Oz|CXb>qhDsBqTK7=c}%1@g>d~UQzM|)5R!lUN){jhPM$%SE+wt
zlN6mDXGb3ggA6Yn$4(th3p957Y6;S34*ztcSNFN26DDwlP1S#?oTa6I1_{l2PN;V4
z=iU+*63CU`!`GTsaeF<k?qn(n$)xK?L#oiIv#o>+B)6$0vdRA4?UtgrT&n=FQD$K1
zuu!i`jA(K<|D^4gI8hYp?|<`BYRe2(H%g_t-2QeAe%x6Q0<k8m4+O}rg#pv1p9hF^
zSYRV(SpbbFG7r^t275p2IyAr<?gA;#&M9mVI_nCmRB{>X!P<=6e-*#tR^PK_<3<nF
zNhWV1;=U?n0iwD7m@rNRbE$@ehR$;FkY%slgqFLc8y!F??zvbV+lPIv9baMFk#nmL
zFiwXW1A3|Zi;4UUzPu6l0QV0N(JV<B-h}E9Qf$qJHy@aFL3`Z%axXIm>l7YUanjFr
z8JfFYT6lS;tGl+eoE@XS^_{U)=b4xl7`caHv;}NV_EEbrHM;LBZ=rwb!0)?2Y<RK`
zJVqPKJAqSlZ~NxLG(R=;qpV{!8?c$4$Ii-zhj$D$c@a|R9vt&0pS}2n)K^B+YGCI*
z#9>Q$QY>&Jxprk|y=In+dzhn+xD{=(cH-GyQh+OXXT-xzEj7Z{I^xpCa_W+Md~~pH
zv%{laghvm>b9~2vzb<cIC^+|bRy6TwvFsNHj?F3GcIDS)ABzJ-Tpz6_@8`6@RE5^%
z;X_I2C5nUr4?g0T!LVg}Q{lnXFNhIDfa1Jvf1WoK?xGGJYF8|r)*t#|5r_Lf`^ZGz
zm_wPZMwXAL<Li=`LBKO!xbH0LsxRJu*|@Q~swkW4_aS?&-ZHZ=gx&ZqRV@f+df?B;
z_zFD~=yRR(p2A#Y6KJ6cDp&NwKy<t!f6-{Tg{<VyKc0^jRxbGnu(uDbk1Z)c6EYyW
zLQNLD=0#Vc3rD735daBSY>Rz-slsX_UQpt|?a3>vlVa~J;?0#rB({X`#1Ctfc1~OT
z03Tble2oToGS`~Xm*wrqR}gVSiew&2uvWq+z~4J7WIqU+S3-J}m+FBX#DmT;cB9Ni
ziF8BBI}Xe>sH+%WLlWs?XOkjXyiziEaat=s(TcuQ451(Pw)w;p(bA=;7Vmw978jl4
zG>n(rgHi+f1#bSx{^97PF=deVkdpFOebluuY8bf35<OtjOi%D)cG?(z#dk6pw=@yk
z&4mS&xA8ftVI9b7+INUcejmS=Elb0Hg}f((Q`}%5<VZErB>wGx)?^n{!;tCmvmG;<
z>>#?lA-j_C4jcmi$_nk2N749#vvKOxQetU+e{&x5$zie%-79PV9b7W}1=`HOi>e>O
zMI>S)b#Lpq$b?lYI$`e1VS%@4!JBONDqBUv$fF@QcqBkL<jxp1vMe-2q?t?~Mzj82
z!njdW<J?l+cu$@7uJVg90XHe%c~+XD)cNRhv(=njD>YAAF-10$(@~8(NI{5qSSy{T
z9qRh3wzf|l4mT=DV#}tlY>=(J`T-<25<F!3s^PBpF35M`_krc1b%CeL&ZEJnm$|yL
zh?5z4KK>oQ@1uxfAgWu0iPl5*%1~_OVD#(p>tZi;ZI7gRQTD+^Sa=ls+~jn!KW<k?
zVV%`r8fZ@dp($NCOFRf*(O^E;e?@d5b8cAf5QL`T_3OmeA+?Q1)e(R7$;j!^^aL}h
zC7hHBv~gqeef_h8p`n+;85Fz*|3cC{PrW@^xQ=VjD0*}*yqtKidS6wICU-yX@UH9-
z`L-(s`!s4_C@3XD#dU>qGizb{4kL<xQkIwd`YPnt`N~A2=|paXMc}QIS@277(LvoR
zmN{zhsCahPe5*Z$G*qq!AH7_L+qK9g(|SMm^#~buCYGr$xyTyM;$eny5We_LU;WOr
zKTPi-^_?TrrJK7U8iJc;3Zpwm$bH<h;ctf=?a*Zl4Q6*R@CO`C`xz+5Oswr&Ai5VZ
zqhy&Z-!RxoXIu75W6}pGU!SMLT3owQ(DbA?=6-7qnjmi{j}aAWT?(M(H9_jNL+Fh7
zlK#wE5A^jw*}@@l2(ycE4?RvnLol}f!Y#A21UOCf*7qOMIy)?kJR0q-b5z>LpiN`C
zX%r-G%4--{@SMWM3O+S(Bq1yS9@ptN0p1xpF~h}^#j1GPx*-+k@dstn_Vj=mn{`Qv
zD>vr}Z89F<RD73&NyaV`#&15~vZ>k5<W4J44m`~}v#<@aAAs`R-?A#{(In&(V;3at
z1<nV~&=+WHJ2Dv}36QDn1~nB;I8M_<aL`ip%euOMb5)ykvQ#!s&1}<5CQWh*G|E=V
z_Yt*E8l#^yY~aro&+aTZ_3L&IYSU03wlxr><{DzaMbVvWm6wa692*TPwz*>1|IAVH
zG#$rWZ(5x9H9i;affat+e_;u`q7r!9nAUxG-l!ws|CJ1Y)oyfFZ*wwl1q4y?{cyFM
zjmZKG8`EJ#WOo5wyP2N`y5FC=-<*!qNfekbrX*8?L#kM_zcBuREXU4P=d6X2h7g@%
z%@aEpP%JZVtTHH`9uB!9k%*VuWojm6y0KOw$BK+z>5e|JChf&vyO51UUr0!J#H45)
z379G@&g3bd$xDGPHReLwJ7LKsp{LJ9+WP`2$sI&2ZA)N;PG9;|`#rFsmZ@1mAQ>@U
z?V7|II_OV2((4>mH`j|3XSS(~%4kf|P~ce!#H?Ndk*JdQ>KIwB7{;myk!*lN{>hH3
zq&LLRT(Mi=H_Op!ykrR|)pQEP?MIlgpputB{!-o39LPTR6EHRB2jaNK1JyV5xsj@k
zL#|g*8BH#s{@$UX)KWG3F?kwVXvH|KGl1@w%ePCT2{;!gE{9v!71RpbyURJwXJ@)<
zLfn+}s<~1PoyZ#v3-u|2^NLt5eYrBChIz16;)*Mmvc=%<X3==GCaA>t9i<U?!khHy
zjaClP29tpI%Na848l9yQh5Vj1K*o#U0!T{|S_xx0?xii*bBa_?zA<KLt}tzwH*Pa8
z?U76!x&01dmd0Cu6+wJ}z}Q`V{41?{QH$5!(}UOPIGv~9u5^3~nY68Lk&ta|CWiDc
z!Uw!kVwuR*w=nuRbc=hR72q`1pS*g}eItw+Fs;|cN6)`Z2CYX%6?=Fm{qs-DyfS&k
zI<<+joU~<*qt9zI@*8=_*H452!I}maj`L42(Yx_nis@i(H!i(-^_hcWySHM<`T#6;
z*P=i{?SR|CMxwP*&%9p=I5%qe(%7W;7y0Kip-~zDD`}gvn$~p({!01@Se|n(ul2vv
z`Ns^V@nom-Ox|QbdxIV*$XYcJ3WWbI?^m7dB<JatH9_Mvw$EVe#pS1er}bp#lFClc
zQ6BcnOAo7Anr4ansoz=)SRc=7e$nT{%aSc^NEi<#%3l8^mgm^aiuU|oz^%)>l`{ZA
zr4&2ttbtE&DM5der<^?sQ8<9NgXPzKgYF46<%HA?jx3B`7pVb$yuTJKTHu2$`A1wd
z9_iqeN+^g@qluL7rN4lwa$K#h?#4Rw4QFo%4{17&^9QfHJXk$Sgkwf08!-vY>A0dg
zIUAxhQCQM5e>Q=O(-fz)fQP7=TTj8{i=J%^ygY`kc(^BINgQVjLX>f>Ud7z(g2~ZS
z0@B`TS{^_xjW=mJ*U{i{2301Pv4nlP)ZHJL+FoJ;(0wj7<k7Dc4H3W7%4-IP0g<#>
z+ctPrm+eygL>P+)vu^-%-a0WgHxjaKeWZ=J+`v|e(+`hv{&;|_4deQRd2Z`H@yU)k
zq6LsE{4Nt?cnG80B1$N!bn3Jnvh$OBw#U$J;uvZxXfCNGsWVcZB&m1;ETK=@2T#uT
z8)>GY-1ImN^>vC@v(g}aWdlCld3S$HnQ@}+Z}Vl~UFf8i%a=)vDRW3Q?-k|gCQ^2P
zK~`*Y16V^F5chDVh3!~ku2#q=I*BE=2S({4zeFC+*fVXbg81FLGx6pBOgY&EW=5LM
zwzsildZNqw?wi861v?zvs8O~^IH;%mvQF^cUUo`jOY+cPIdNfwUf%E36Z&yVJfT#{
z68_UcEj23bL&Y`&WNI;%%wvX6rF!@0@JtOG!l1Uj-w9grniKdn{anYPmOr{`P~j77
z)qpZljX2V5pTFtIZbke?R=Kq*U7XVPspn?I_Tw33t9uf?n|-nZPkZ7~HVX$+p#vxn
z_1teLYVmD;E9Y0;{aQhQVCU^O{a{=+3@zvXz+7ix+R?}u<O{Eq88qARdh?1aA2%DH
za}b16nOGF32Hh%9_GZc}td@o*b&)J)<j+liBIKby=N)ST<-2#GoK{3?lbvd29GUCp
z<aNe7TeS+FPJG&3r)b47RyYg8m$#GRM>h734=&JFQ39->Gi2b;i8DWCADVBL>_}7A
z$hdK@yYk<b)2TfYArc@)Ge6yYg*Xw-#+=j`oyzmUtC&|UmI>xU`g3A530)ve?fJ2=
z56s)Kc10P~r!Uifv8{V>$)u2q+@gks^Q}(#YZW(WbdK4#Yw+Hg#G}J1$DIZz-Bs*%
zy7;kP;6!UQ7@{p?q<SWvE|$g++Md48NtX(87b4btR_;DM!)%vAXTVJR4EdLtNP~Su
zau(C(rK_-Mr4)tlI;Dx~No^c&oXcC@5Coaz{CR#rAy9U4S$SkT2s7f6eWdScM96<%
z48N1{#D~yW5@{=J{m`vwdCto=VhwEqGF&ZkQjG+cRRwad*!-H@i3M56@V$l-pR3_k
zG^Hp@Shla<WVW+zGx(cTm*^n3xT5<NxZ6-we%i)Qll}R}TZD9P-eSJJzEQ3I`PSXV
zp7}4{GqPT=xoOXU4VWBLS0DeF3$<IoVA0E1lUi34mYZ`D#2+|QN=<Q5Pd%8*p;Yh4
ztclkWfW@)8p`tx4E@hm7gr+As92JO<xw~YhzM4i!(2#;}=vCkOvHr6+BRv>_rt+*|
zSl(PLcvLHvr_Ocx(y&VJT~tcM_E*&DY6h9;fi!SHcFlRHR<(}e3^cD~cOVfCxL0+>
zAB#9ykrdL!jf<0|;ugEY<+gqPYaknl1dY#PU3f8jay2}-kR2CDEXH@fS9!s1_T-5G
z*gAsUsc|57e#-p2wN>p+L(tqE!4MsQ96@zh6Oh~3Z5bs|Mt_r1FoorL$fjjkw60zS
zFcQ^P*gAUQgi3@QKE%F3M8*e2g9H5m4Gkry&|^XQrDWF#FkZ7G<?f(o7Qi^k9(aw9
z5~cP>>fS<Tt-AYoOCwB{%X&(x5(4dp)o3EGWlY<i=AwQjUSqV=>^T)j*qo>bxa{d&
zVWAa=pz&W(j?1&hW^)S_i<!7@X`9VqeEX(_3yQli<Gbm`cV;r9->&<?p7&H8s&rj6
zNCK)+@%S+Q%<Fa69IXV0Da(?O;m({~SI)MV`XF?vlxm>l%VWb3y*Q~4Kavlrr?J%T
zYL*gF21^&ih*jve`}&7UnCM=bT(Rj?cD_kSeOM^C66cgtIc}|-?`4!rbUG39uiV&M
zB^HHM_(&(-VQXgRdEnNT&%<1TJ8r_MmtGS_li*(5QukL!Pt;i(C>&-#)oGdHhC2+Z
zODclivA*?QyW-5mP%HM4<)jW&nuY3ungUg3lHys{)$zccBo*^VON72V&MSLlVXJ3(
z{Qj+6=5fClgN|`;R%|C$EA8-<LoRG`4dCNji7!KwY%f)5FgF$YMxYsi&v+Nmu0^)P
z{I^IZ`o<VEm4r9Vc_U$}n=D9keBz5F-GkGve(8DatZcGY|1-FbmzU_+*-GZtzQ`Iw
za#$47+lwaDyRU{t3%B^w%cVKc!20XSUt#qAFly90qj%F3vcr4tiWWzO7BNNBB5r+x
z)7EjeKnSP&TtE0f$qKoX17Ei?ke*Y&s<}TWU<?4w;4PhC#`kvlGow<HEV$DHp>&nt
z)+5He8M0)zXFja>^a;6CN}Wx_5H2dF7c7w(Jeb_cU`0&p<L}E1?^tp!#C*!<P7oS6
z(JQR0+(?^|qxvGv^_Fu+iqxKU%h>AJ4HX%;IGMoD8I6Cth!6lfrg)-CV|?LD`aD$3
z>nK#Ngjac(bHTx4_a&8#&$h;dd1Ks&-H9=7X{OO?#U7S1^Gt13;gs|F7+>pOEhHI@
zLc?CXBHLT~?%XmpWIDs&)#N7{m!=RNw+$L2-45g7F`oFH^xk|Ak$CKV)>F_i(viyw
zg)jOY1n#ijy!?Oh+{Wul@I+0f)IEuUdEXw&AJHQ5ABVn~nvg)=hCgJZ>*x%^F5D|>
zoFd@o-i>oxRJ)5GW^a-kt3}SBoj(pjVxY7%L?;XNSJV`OEHV#-80|RoD<T2t?yLnP
zoK$L)#>-#1K2Zso)|O|mm%=h&ds~UFrNHCWUqnA+;+RBqE9z9+DS4;D<9&Qa2Q@iA
za?QRt+1$1#s<sU5pFg^`sK|<5rUq@;pWoe@?SJqgUaO@AXPnArqPsdCBV|qTS!OJx
z1J2Cl2N3Ie!`zxQY3$hB;{DVv8h1@E!gVlCd?tLtxTg9`vKpgusR~sp0`BH<+0CY@
zwrgj(32^R=I0U-q^?mgTdCj@WtUshIRvmgbv%<kRnws#p-c{dJBmcYvAKI+?o+_qU
z@#SJbGiI(IBf_JlA1onL!!aG>6`}y6lNDlV{*<jcwmHcXn($6)=@xg)i~ZJ*{c&3H
zbZ^&qm?CK6dtRf9F|u>yUQruouaNG1SU3Q_Nw+hzlQguEF7~#?@fKN43uw9(SYV37
zW9LhqUfqwI&)@DiDI^aYRKEA#7@1USs<o<DZ%f??9SOGqRhxtWG!@ve*e4BMmTZ#`
z)QfwW&=y;QZ+L{#KlZ;>_sE$>2Jf@1FBOkYB_DJauRc$VSt<0{WvO1tb|6Ypyf#gG
zgJeUOaG`9Wg#Iwjm$v!7)q&TcJkdR5#4h_b*3FXT#KqN&DJcTK9c!JWbLJB&$cGHm
z8lW-8$x09z%-F#C?UOQnh(NMQEMX153Q?M0A}2|HH+KJ4jHX1|eNcd)TE!#e*wq~W
zJB48=$q;G*rm)fAb%QBxNsYIsAtXeOuGKNrE{`1JR_Q`VRaQ-qH6EDYb3W;ADhf=Y
z<t1^yjKH8pnBx?0wUzMg6+Ex?d)6^Z)Q5VbfT)@l18I$fISozsx7?yTXjdmCoaQGg
zsUgw$G)K5slv2UdPbW<FCydAXRu#?1(3uK5@Jby6RP$7|ET2@MRXUyV-LWUw?{&eD
zEc;(D(j5+7lj|g8S6Al&8oHtS^1N{72JWQcENaC2m)f+NHeNc_==~(DeWX~4sTEkJ
z8_m>Y?rA=)`y$|Y1l56I*;8S`Tn%SLhbt7`q=)r1_aO6RY@AnfCSEQufJZ}O8O@Qo
zJFxulKz?T;xDv`gf}*^LnqUR{;QYeu8AxM#Zb)TQ*iZ7ngH!Y@w%EDcHTBGwH}+Mk
z!suzYxUI}q)+BBuuy46(A~LhlVD0`BzJ$AJ!r2O8(X;Di^X22vOYyk+C9n9RTE<z9
zJK=}1z=|BN5>%o<q8#l!6susS96bwEq(J;MO#^JD;Mz1@0|K7F76S(?G;wbU16Ksx
zUhg9VqZGVi-z@|4IJ{%uYYhX<CvHu9@5WA+oox&KIzkVTQ7*Vd9;!q>>}VeDX#O{<
zJY=f;A7y#iW%-a6dFU4T@F#irC;5J;F-E0yc>CC?6!AuN;|a+?v?r0S#7m=8nq=iV
zmBkT{6+#^2c&jAZI_0Jjmleu(;O|$GPcJFZr&AxXgHqH8G$&>8|KRByfMn?zaJ{x|
zoV9J8wQbwBchB0kZQHhO+qUn1|GjmmCz<Xfo$0EXPN$ML&wJRInIh?+UOlQjmW(r&
z#Qi4ilftLPpgOGVxTFp2+JSu;+`ea1iG4%bX3qH+{7j#xnC!7Id+EVL*>{2Oi4Iwj
z=^@z+Q)Q`K9r-8UcdX}J_o3#4?Mw3;_ov!-$M=-)IVbQi7EMAxjxrJMNMJ~gLkV_C
zuu6_=5%x)NV3wU3c1o~fmJ|k-XdsoIPzp-1zmcA363Vf^vzCAwO0qu-0VX7%e;1LE
z0PyWsFmWgfNc?+y$Uy|jg9yvR48?^r7ZL%dorc?BgbBOh<L?T3Mc>>3*T)fY9g1>X
z_)}H7o^^Tj@aD#x8ooz%m)4wCycc&@-JEu`3%H)je66XhQ)*gUT2)mwJT>>Ru9I$9
zX<AiSH(WIjxUAD|SbJL4Ts3^T^unzZc9^Aj@$0U=+^u}v`S|Ic<~-!Q9r+aL9<97O
z`*4B$@=5E63!uLQd?BEIhwJl+M?rVSPwu~CzDzsE`$D4kun3$Wz1>Eh_Ed<2HU<b#
z;0F5XQ9_7hquT%+=Kv^PW6MMEOW#L}v0|%?n29x4auL_kBZrMHP?-sJcXBD-H2h5J
zMObr5*4F)91gdA_jIQ`i=bZtx)7o<8qKt3_W#^r-x(+Kdh571}LcS->d!-A@F>FZH
zjqRY<%A+;MRDm}|hHbz(90M5sRl*MaWt);7ATV(Q2V;r|p-;oS2;lh47%`-6XhwM8
ze(U!_dges)Knf<wj@*+`c;>w(HOJq_lU=u?WBSCrHjP%@_mhjq^rWA@v9`aQ#E9*u
zRu;DQY3b5JpVpm74WwQ+bGHj>Qy+%f*bV=3{c3-$U>72ecAWr3Z{2As{5P|!11bTZ
z=lJ)v`|tZXLxZAGxm3a#qhRt7>cqLxaVj0h#}Df1dh2s_!o`tC2XA%G#f^=9OFN-W
zWX67RhwWy|HCM|bjpM`?REq*Ki}-^jp!9OT2Ul4aUGbCimt4xZgmzJdbH??u?xQMC
zwQsG$Po2?3BQ=$|ag~Es*-}-obCb>TmWP_`g>hF^%u|yOYcJS30k)N(RVi%49&5kI
zI<89!kGbqd!*gesDgLTxbHa{MnXX8%>g$qE$<EQsd(IcA@0{+vs#o;PL(d0azL&f~
zBFa$=l+c)bA2|sn3Tm{3kgbrdh^_F=zcf-|Q|H9#C3j9;^iu)t!U$(b5Q8bqF5YU{
zQ_!x{pFn~Djt|@BO?H)o?AM#q0iNl4j%SFM=lq!iY{l2)eR+#SJYyk}UAgog62Naw
zI1)Mec{!2#!ZMU3%TkYdbq_J`GZJr(72WRm<hq`2B;Se^17B}VR=JyTwDYc2?VS_!
zO)~sBecz-R1J^H!=!XcO0b7sYZ7-Q$3W4MzRGUOqB(6)+K}@Cn_EJhyb(|&fTA^vc
z;VNkkiSI{wck#uQ<wwa@)3^GMza}Ccd`t%mfo*jXHgxM9Cqk2REnKn#r^<+g`|?1G
z0wE`AR&ul5FJ_wu;B?>}!=JY-=Z`qwN{zgF&jL$n-i0$T*15@6<S?-jSNbXKR+LG*
z>Pub_-eQ7Tk?AA1$2p0lfUacS9}LT(Dq>O%OsWWVl|D*6ILvbYHltFsV@)2*;Gu6W
z-@ql8$&-D@8QU1x?;3JFWSn@b@F@_h<|z>)$15KY&rv)P$}|t8v%_<9qu46bICI-|
z&(S~n__@>+9}q_Z0%8L0?8L*<e+rFJ?&DJ1ZVOHDaK_SNgytInAc@TgfhaUUh{Pih
z&yem5?Yx4ABywRW67%Sd$;BB_jLG@c$A9}cr7{#2@_5dr5YA=)-j#qn3ix0O7}D-I
zyx<c4C;(Hk6ai+!#HQiw5W)9NXx`HTwY{N05?jC~3RM|yl5%0V&MP91&e%tfL3bX&
z2Sy4-_M!6s!ENMSY;vL@yd(pUo7p+R7w*1QbHf1wzg^k<%Z4x=<x=2&CB%j(a*~Qv
zgI#e72|;xRq(pZvocfc%a#RX+c@Yv<Df$QzXw&CiJCUPzOnXLx!S$sa?Z}eCAp3x@
z`sQm`?7OnV@sRQjYD!O#$`&IOK}}FEBxxk|M-X&O4r)??1{E^d=4{jyGr4a`Y9cVk
z9ZDsLTX@(bxP-3GHm>|#tQl<i-$PUtq@kii@@~tU_2`Z3$ClXr$0u*J?>!$w_9GeQ
z%$p<mZi6@Lh;M8^F?-<xOMRTg$tXY87Eub5dpx+~!6rNLoVZKx8QvD~9$a~Ts`3GE
z_=5U-F8!7<JJg)M31R-kB)<>m6p>ir26s&UbAA_uY|BKzygO1{%yokQAE(@Yv0P|W
zQ9w?4N`+IAGqGYK<6HusS`eVj#(xDi!SaTG88H(|#|Uz85@d(-7iq{vScL7%F%`<t
z#0oSBv)W-Xm9UKzT7K6JU@G!(7JDd3ITIz8kmdm`fe>d_5NFo0vapbLx=Xo9E*98C
zao9$IEy6Ghsa`jbEzy(u!r0_u`F}ccXIVs&EE?6Ku{WSpw4F4q4)WLz*K9uM;~dz;
z9N@gT<E6CCP$>x-DJsU2QD9)I&YrgVV~I1Jg^JIMbLNHBrnCRlc7~PNvou9kl(A&J
zP)+7;_>5R4k1Oc(NG0E4sbJQaCNbC~RcRSl*-vU5Xm=R1)$FaM-l@JNRaEj;>%>Oj
zEL3sGwhTwMB8d(qu~Sy}&Dq07=cBg>=&md`4K-b^UAYgRopKrkUR-iIc4u4!V{5yv
zWHEJV(QWodZ(~2LEq&wya(VJSx}sFOuC!gy$7z47Og}IO0@}mEI}vS(X`!p$6R;(B
z^Q}tTA!Dd7VeFH3jNvpi&&7}xpW)0nG+>x^ta<eVwfs96vSB#Lx+diP(SLz(9a03|
zsUNc5bF0`GctgI10y8U59@MKUn8L`oV97iyX|d=23(mM*<eG;qi~f>V%G*0VpOJN>
zuViGJ=lBr$2@`zr@Xmbz{SI_~k8=M<;#~3_Dg0vMozdeS<ckvO4Er5Sb!WN7{ifrc
zcKi(d9nh3_KE~~4<ej0tLDoAO@;%6>kIc77*WS5|_Glsb!r^iM%@edntBh*xXSp`z
z$%IaGrlc<AZv3h}tD?gReWz8^^&#rR3BQJ;6uj*x=h3wKo;fhSZUZ)Ii&j16oWW=?
zTb2E}Q{N*Vw-$+O7c)`yn=hooiNEmNxT~L`D|W@ml6AyMDEcgPG#s}sdmfSFA>`W+
zkK6t$EOHeW`h4ddo)HGjC@u9P1=0~9o+rxB&DS=54y);=r<uWYqZ#@){I|esr>ntw
zqg%J=vDs2ld(Fy3;_Mney8%Zv7{4{6g01@aSfw5b*M_Wf-J&sINj=LX3Yv2ZtJ1HB
zRUNr$NTYO9Y04(e*p9ZM{h;0kFQv(U<05w_$OXP&s|&05<7sYhzZ@78-_OxC?c|z~
zPaj!>qS`h~S?+nSwJ&1`c6;-<xh?GkX`pQ|9anirnq*_)xiJ5Vvf%2YVi>L#c=i+c
z>aWca|F3hJ9v6mBDDL>7zDw$J?ZA~?)IMd*KYVl1{+NFBOPg1qb5s}5jq3V}GWb>C
zb<C8<TqMX-{lq<c&&>Bko+5Fr7sp%lOVD%4=XeL=niS*08r4JMTGb@7psr#d@yJf3
zb9Lglt}+VGiEh)An&*;Y_kb3K5ihBP-+mnU&S;C$bjy8JW0$S;H~r2We98x+Pa{-b
zk1*fR%q$ArrB{{6ewWb1o3T$?^8?kF1Sc`lYm`qx@?C})@r1}9_4S)uu3gvntjW!T
z7c&?#@1Ax0dHB+?F{;~;Pr|6(O8n*A1cWp0>lmsBvQP0>#qUJYPjg?e?@B&sQPicg
z-v&-&{C5o+OEj4;f5gFru99b|aaYe}P4Ao(sqVwdp6x64rSHN{V9$|l+04$f>n=GZ
z)6JXb?aP<<v+pjx8N<&kU;aawZ$8PF;*V0A?{Ur?zh~M{e@~$Ak?tLC_jAo&X`RQX
z=1(&0&YP=-zt=6#7yg%MR4lU3{(|pw&ROoN)$5XP(9dxX!%xXi*^uDC#U16(?9a;2
zQP20o4|B5YTj8@8ZBBv4HcQ;h0c%P>xNlz5ZKQC$U74JUb6)ws{9wg(tg5aY-CUg7
zzx;4^__>uprSgc(Wgr?#VCtm~8Rh&X7Jqd+nHvLTV#)y{p__u){K{r8)dd?)GQ}Iv
z6~NG7r*!@>d!Ef+9xXx!FM(?D<YJ6#qmFOoe)l4nt<ax_u@!u~v0yEOq^c(92`J_w
zrSdp=Z>KqV@6A3939O{RXzP+Xd8ez)O8ox8Dn<pipf#YK@s~W-HI8OqNtr!dn*!(A
zEM;-?sUN$gL(U+a&&6g-3jVf4FGJoUJF`BVoN7F4fseQAw3vyt_{(n<dorWa>Z|Yo
zoexk=mX$muAFph@|9uEFRAa^&nBT)lh903W&*`(;KLY#49#x>Z&P&BoC<wkoSU94P
zOluc&PoNCWF%xqvdRxS|#eIl>Rgv@5V5lm^tKX53ivQlVEQU>8qrV!=&RUqJjNf`$
z1gNp`oLl3<Ee&&$;}l48GU8Nd+Pg6wNzodej<6$h4B}E}-yDnIlSvM1Nz}hT+_D<Z
zs(tu=B*+Sx7j&3EDzM9h!X8bvV<dfQd&J2)v8TbSHXaMK%zJR~2;!+JR^4OApuF*P
z;+4P;ig{BTIGmL&%PE>UjTK?x$NB>Mwti2x{pOQAMj+cl6rJ1nsXnjcSqNZj&gwMk
z?hN~FO|HB%XING1tSbwoTcOzOpWeI!u2;HxO0L_I93vq$WZ-E|5Hw^EX-t83N*gRH
zRA{11X-&&4)+TmVwk{+D_aZ$Py2^B3l0B*DzpP)H!}lDDJXg9ZuueC3dF}AYFL<5s
zDaWr2%l%fmt`%R(-t%03`GMZmgsVJI9c211+?Ub%FF=<vdN2I7AG2MT-$P%;KrbC1
zg68bm_P%Ys5HC4&s(?~8k5Rl8Sfks!;GePeKCAFlP{}-~IwfEJ7C?6~kVYKK_!a)O
z>{&RaPT_nsUXJa2s)Csy1(_hmnIH*!#I33i-@HGyChYKN?C@~=-0X{dS2-%Sw=YL~
z&Oy3m>6t?f0^HD^Si3T4<3@xN2smQ`vDB9s!MI>t8v3GGF6^reKwR9Hr^Pob3oj$N
zB1DTAMK^TwFQ$9KQWy9Oe_x~WhA|dH^F){y#rUJpO6R~>{*=zav2f-MGcTI`!vgP(
zppG0B2qc6dkZcYSZ_)>-I$Vo0mCf!j|9T>9LDk6ph>2U8Tl5+|2Lh`VGce@VV|5l9
zwZ>8KXg0{yi<BBRs!wAst_?(Uz=#`=abTAQGSt#XQ&l65q9Kf`As@yV9^F$@TiB70
zWSiWFH6*T00BMfxN_~3BtrhhyOT}pp#PKP>$Vr{Lx(crguZ!)?L21w)B(BArNhJxP
za9H)vxsJ(!iyt#*ToWV39y{zVw1@dIlhRG?mII&fq1>9fMpK^cr`)o>ZjQxqL2Fl|
z)2<AmO%_GJ$cs3d8=^cjKz6FbY+nV@whE?Yl|jcIajDo;yr!6HE3z?n)4oo&g!|b7
z|G9Fs+)SS>XKj;CFX=GeL~9X#U~Y~4bzw4_zH;d3zrbrD>*T%2hJEv$<|zSu-}>W4
z@sAGD%N)wfT@zBu+@AtcioyvWB%0W+5c2;=5YZ?DaY*b6P@?0zV&FIwAw=4Cg#gji
z_P+lsNMUz~Phv;xM<o4U6y!&gAfYEJplRig0$E7zk2usggmfwghC7}on4){0LU}g<
zj2<r~T`aP63G93c%yJ3bbP24Owk%aa$|O%Z@57vqhb4^{RU9I+K)%4TTDs;>GrEDK
znJ+QfIEo~x6#hF+;^&eJR=WttwF(C}6S7KJKBP7U*D%2HuSI6B3fCnO7qy#XJz51D
zZX;p<?x6O-r4zS?nlvM3ta(-3B_8Wey+QF3C276Pr5)@NhD#8)jYRXnr8y|8f4a#r
zY1nb%%8N@EbQ1t&BgiGMxDA}VA>zs)YL&z#to%};Lum=aK1<ssr2>ksx`paWLRxPm
zPTO#Wyg#nP{*b?8yLyGZ7)O5`vt!I=o}3LPZp)yhbi$@dGpTvwk~K<iHg3yYf2XeF
zk~V2=%O$3~_H6XJ;e#byQS>>N2cz3}6c1{L8)tI;QeLxMLDQszMbGn6-FemVIdlE;
zO>gtyx!pTg<YTs5G3m?3w`}!W#?&A6xX4l&^|C`+o>Kz+e1BK|J@)aAa-grE_A;m7
zTyOs*_~gMq=H)0^*ZDYES9uSYqG!D(`N8rNOZm0QrwZzevqy&Hbu@Bkm#q|^%KRnc
zv-q}i%~l0AIDY@QaL4v#<B3nv#1C5(LAWo+{fvQ$Ns;a;er1w33_d<|U~+O2#`O-+
zE4)zxrB0-?ykuQhdru?H34as(p))_SP4+rr%D(5YRX6;);=@8vi^2K2<HLsNI^+Yf
z>wV#ic}82&sb@>~;S=6gB4(ZlqYJ2D%Z>v&j;NL$!gnjS1;9PvXKoq7T5xt5+?r{2
z8Q!{Uwpo-1Ge6sHb-Y&vNK<`vyl)xH>PWu=LesyB+iI$Bnbit6q)K@ein*TxA|tpK
zKp(DO0s)QS5+g8)oRP2|^$JAUkM=;H3S9GTbQx07ff1=0L?7^fWvn3kB~UVXpk&xU
zO+)<`r2Ez+;SvNdiVl9itxtuwUfEV50Lw}|%7VE}ysKI00un1?QhGoO@)&4qL{JCs
z9_aAM{4YN^XRY<9<_I_FEAqE_AK%n#3Fwc~?F{)h<_MqRYYFO4<X(=-=Yqd)`Ku}7
zkJ8=DpKpqT9L8_+0Y1%FQ|KS7y&UgPrZ8X9TUpSb$o(9sZ_J_ppM(0GF#N^cY@FQC
z=a8&EO+TS-!U5dLMB9*-I7Qu%hRe!?z=k|Etl^?A32bR@K;v9l6w<WVkSx7iKdF&k
z3Q+cO@I6T9d*HxoFTf>p+7F4#o`+1fSPQ6HJyl<=Gf5weslhOiO7fg-lXBWPy;?tg
zUg<n{>py+b2`hI`O71?<o?mh7EWNUylF@FRUCvh3(Qc{p;xwZ{?sbLIjT2-W*S{jP
zcd>-bQ<q!fVWKnhv<cK?D?|4*->Gw!G<DXry~=zvbCI=QBl08pB#&Pe0ktXvYBh`Q
z%_0kpvjqRu$nkYBT8()b>_;9M&7)yr!niRZ<;$H(DkYs-PH)o+we^A-MAXDd1f5u&
z^}MjY$B~k<>+k8)N2eA5hgT4Q$;rMk?z0Xd(i(_}_s-H&Twf@+!{sx=dfU(6X@^6%
zdHdnBgSBV}$rAY$#<#?q^Ts6Xb3IelhscCu56|xexi7i#qUtb6h+_{cn%RqpZa3)7
zu}@a<+2E@(p~_(pL`2GNaMbgeLSkmXm);sldYu~vna&<gS}l(JWAVvnzK@ljDv3-~
zA%J6$q@A9c8-|+Bj>suk0xD$>p?FD#zd$IBGyl3rZ<S%T50tK!7sh2~5JY-xX5ddM
zBZ+)s1tG2V7x`sw5R};-P+Ch6`NMut9><>Mv{{<jp71hI`^tjuQr(|a<-ZfI3H0NL
zFa2>FwG%^N5A-kGR*CVNLql*!2WU07T!bl`$x%COSn!g^2W-l{Bq^68!eMg_s7hC9
zDVL+dqw)+c6zV*&e03?Cqr*`Z>Ow5s7oWwBMilB$P%Gr?#FZ*xQL#maz~t&=lqyAr
zjtdQJD|-i;5A|;v2VNBFuuwOIhb)vXAy6gd>(W$~H-qKtgq1G;Qa&%B-PJmCTLHjh
z4-71Ce2)%Ta9bh5|JtR-NjHyN)fJVhMTP%HRQMb-V-I{I&iubL9bmvl-f}|6*Skfh
zQW##!_FGb{`i>i+Y+!e|LwCX%KW^~j%rr;iX@LyY^-Z$}k<`9qI)hBD{Q;R^GE$sW
zJH38rWH@H_h23#KZ18Qdn;~1|24?|JdsVWcuu%WsZJHVd>x|&$xu?_frW<FisSQ~V
z1z<KdgTyXn6p7ol<@8GD?V6TZEvx~6he@svWX=DFOEU8q<qR*rTFh0fJ-}@tlFIRp
zdYk1e-0ACeHIi!h2@^eX!*COM_=>(-YxwJR^EXY{%d$Obg*`N9s?}hV_aNN9uhl>+
z$KLce>*_t)^sYi&wGet9^|ubsLaKRK@fEVID$=bRnYim%C-C1C(BB;I5%<Xs-0iIx
zzNwD=Ey9~?)|+n^n|)oy8aLI>iwB#TjLp35W;XF{p53if*NVDGW78-PBG35e!!jQ6
z^Qf|vMNK(dsV>?lutjXe8;+;>yiG@P@vdq?@sRt~JmM#nQnuo4&Zl?}!*iZ{iWOet
zffDW~im^UtI8yM00N~%)69>ofwn%ww`>S{_Gq{2oXO7-{wMc*7?ovgE@s0!eX3p-3
zFTo{h8w^F5Uu}|_Dd~N3@>1e_5{``RbhuTjYW!ApZ7?g%HQU;FviW{Y`g5Q3+YXtp
zEvx~iVyaf-zsQH7l6rvCNDUl@YNQqpLnT_j33HibfYVSd1?D1BUz@%XI+$g&)&^r4
zcA#BfEeCTMabTROQWu75;{Treo5%)p5v-3(^@$wxQ+VrZ`5~;_lX_<Q9%iciBRWGz
z`8M>k4fJF2$^zR{w%5Y)8SSy7deejYkuRY;DPwGkG(-6n!>GG>IFbHYL#n%QxMAUi
z?+o>v(wl*_4YI9uAU*Sq^qf-uMRIGh{*5HY6vYf%c=ksc)SOcc`8g&3izK#K-xu;j
z^0%1S1EM*QIhGjmf2E8IAq&ekbj$y%Dfquq5zKzf(uHXv>FK{m$5`eb&ndM%%(tY!
z_2vWvE}rGe%t0ZSI!18@y^Imt+eSbxLN2C>WYH$z8q^m^xulLo)33qnuyx<BX~KE-
z>O0mLtrj&W%43Y|O|k8;uaB<YbrtW$VfSw3A;xqJyJE!!D%Oe}p%L^K)vhSkIu5U&
z`hGooWa`h%N0liR1+dDk_0nROTIDwTHN!qy<r)HOW1p`6T>+!SHe3HY0hZ1>TkjVP
z%luh?aX;acuztk$)y(aq>a%8DQ+bf&+*L1Qe#SwwwK&6D)%ESmVSYvN)mfGU{`i1a
zwUyhXF4<ys#aeP@zrNd;wg6T#mC4F}6@3mDe~z?{9QYgzltbDmh`UYPcmcI}Qn&I$
zO&`NkGyv}OiWalATle8^bzHZ>?ZOuZi?l&h$8QiYXo7@I>>@e_4)YwConulf2!;*Q
zJfa=YVRD_`W@)#A=Q{Q7o8Ag$2|JFJ*d(eRP;c_P!$N)mXMDxM1@n4tUC-$hz3LFX
zYEZt$VGtoVi4-mwxQ~^QYK*K}Hi$~ez)$ilA6B5W|0juEgoIWxEX_b~Wx??MsrGcG
zs&Sm+nV}ZEai6{_wE)%Ce2BYBtq|2xX&*19RrZgF*dQ`eoxp#e7y%gi2<WE+5Uv<|
za3O62e~dBqpoygPgDED_Iy}<x&^tU-Y;=`sCayxx9X-Tq@zDF;<5k)Qy7$#|7l7aC
zCGkzlZI@miQ~9;3eU$hXfRXG|g{bR;5tnNPFh$4*^t<T=&_puVeUi-KC0vB$F+{k=
zjICG<ODx0dSe_FPj0~`gFh0@(l(D#nbWXT_pmj8bEVLD{^&5|<RqE9;hFELW_=2iV
zYT`RZQY}N9CHmV3RcM+uWRyw7n=mb?c&v|$Y1yI>6vf3~D9Uo;mmlO)VsvijTyOgD
zr4~){Pnc1d8~+6>U|}8Q>cc_7X$<rC@l$|<0v3TJBFhQ?r2u?FltY-+0D=M<ha`t6
zP5I~l4-Ar=B)13z1tbw^R`S`reunWG@>zYHx9@jD{Q&uJS|u~iiMm9-e2DNCSu;)b
z_V;%9Eg`;UO7!tqH>2^4X`FL%nV=vmCo93DY?#Xso7vReG26P`nw?qK$F=jjfIcPD
z1-`otWT*1pN8{+r1yW{ub~X$Xi*pajs~~lW*x{d$1yUL2Aw|F<i~`fBHrQF3Y3u;Z
z{Ul#M15%slA8@fk(ztZ~Y(}vu0$0pJ(_ntM4|H~sKQD`=SDcGnpy$!gjhfEu)ojui
z(j7^~ni2~-Mdm&8kMiao`3&B2DbE#>8_q@Wg$=>>X!BDTLq?zRcanW{z@PKGDWZq<
z(dtl?6mG-^aa6?jsk~6v7zEKYgK>x>q{|ow5&qPS^=^OBVnz*c6(bpju>40M40`kL
zwJg;w)g8*4@|*s&m3m22>MAlV+8G36@&16eANO*&0aDKZ$Ety2fb7;ZUnyFH^Zbrl
za=FkpTQC0(VB%IBl)XKV*d0M+x)}|b$8c~GQWW$CJr#K4I{d-~Ho9izxn_@4MF(_!
zInc>CH;SqqB07vH<Vyx(G0`-vE57h<6IDA;pvgG@@X^r<E&6Ug;Or5fv`#MBpi+o8
zD?D++W|+sZG;{3o%X%(-bi=TVa;~)rXdST1#~+a|<W7XDqiI@p1mN9Au6XTIi6Y-d
zJB;)3EjHPp(+F2PM72kyTZcKjupjErcx;7qqaCNN)(;|p-noMk4%go^334apWaICj
z_;)_W68-Ui7Uf!c>(@GgW4Ko`n>UQ-NY=0|8Nj>CWb-=AAQ)kgarCoW=}@dxdZT2y
zU|G|eu&SNd!h7mu^S<2p=UBO*P2LYX9F|c0Hwn$VIMuW*%B5q(Q0F#T)(hP(+A%mn
z>ssVsNK&;_qryjVs->UQbMwNU&SRsb8=ifHYhkF`E&&qBh+Lsy>Yw>=W#gL8i+jK1
z_FWo2&@|+<Lm1VTRlZPK_>u*iSv#o8nnBJ7&zbSf`(}(!dDRsLd-0_$+!-K*4M1rB
zt#TXAFD%S@!z8{Ue=N@hyy^e4#HJ2)y|}yzhG<uTX)YrK?TKXu(^};yk&=-r2d7%m
zV-AEnqh#-RzMW9^C9?*?5eAJ?!I<>nCPRd4QB-;@;tSIRaIHc(;fBLnF<SQRJHu*>
zw`K!-qOV_1hlEmr7WC03gFtK5M$f6+CiGaW{#DgNmtzd{u_KXHY<0M}%nS{+{&F`|
zHlx7r*t3Tw$_dM^Gu-fVeu46le7M5sP##JRLVTosN~wSi`gqiVB(*py43|X9{a~vw
z8+v3gdEsc!!+yae7yEWNVF&h<)5AfnI4k=mo93L5A9v*0!x3({H~WTOVK;Y{tKTAb
zEd^wtX#Jez2Y)l8vG169VO>`Qb<m+sM~G9QnDkgD1A=OW)Dom@IVuCH=mQaP!Vm0e
ztB14p?DG1z58M!K4-~y(_;9`N7(&bFBdig1d8vbsYO$6FOjhBHl^6^(7gz8@4$Lwm
z8|)dXho@Sx;WyA8vW6?%@OAf1KQB(v86b-XaGHm{f@(pM2PoB`vGtg&0<!2)qFo?A
zlpAZ=;0E{Dkwy-bGNYge<e4sYqciOJvWI^u_B#i*BmY9j-YJt2M*}(N@zMGe)Br2=
zajgPrv}jeeJP$s}MsRY8+5PE1RcAII9UQc>mp!q6e{k->|4k}vG(RA0xOkLXayBOn
zynJbEvsixnJ<tBa5WdR7<UXbr#R$Ss=0^!4Zgu4e4}F<<4(0yd$w~)8`hs@=kPrM*
z<yG_!$Trj(`+|%9hD-JV7xiIUxRnzHrfFmdh8rGo!@x)WtZ{)D=t=tAZo}?69qHZa
zpuG8$Qlq{-UIeS9F;#@Br7>CLu9ZGkM4^Q>Qv{lue^J97;s$nyvJW{ZeOJp)1~=sA
zMtZ>DG_Dv%hSV}tu<zfhnTasa{uo#JvA4F-l<5FzPwBloZ%NB@FmFh^buceYtBqK)
zFHWEoK0*&~h}XLr(FX0vb&NI{m3krcnf1bgPm;(Gn%BdQT;3Cxpodx+AYBXV(#OjV
zGO~;Eed&#Sy+4y<yGH~>Qknt9EMc7<TAZI|#;XyTT##f&vmV-<pJhhJ85*6Ra7x`C
zTAiP9O6w7toqux5;t|8E$O{30itmT+Zp7VDEI0@r29JP${G4<N4#538yRHamTEu99
z!V92aZCOL)GvN|=5yWK&)z8yk(C^rP(GT8#av5hBvru<UtNv0&sw3Q)^3-d!Pd0d?
zej?yG?U1%<XY;2_nnXvoGun;qj(2}y@FkQF$(O)qhO;Nq4fjrCM;)JtSH{cl_0OHQ
z+~vn*`)uG$wWg{pK-~<`lESw<qB%x+vVRR#d$s9OLxu(r%9WnE2^2|We%Kv7WN|-C
zD(r(EAvs8U9}d&y@#d6!;sf~!-0zl{jS_y${P@bfY5a{33^>cD-gbnIs;ph^5m2@^
z!G*ZurrfkLI!KxoOzUKbRT-#wn>vR1nEy|I@rhK<L&(-hZAlZO`B5hL;9?4f>__E<
zb+ZlC^}07}LzpL1RpigLAULu<lvK&e{<kv>m4|b-#zJlN%F)^r%*Z2H@PdP}F$lyQ
zzHW_&Yc?zMLdV^s4R;r~?60r~+4F8thr5nU79%~Z%l*&(c<#9Rsmsoi*Mnz^t&gJM
zEdyPmj{gD{tu+R2*g|x*OP!?ba9BMpYW~ECId?S$$ms0hoV^*+z>u3Q>q^hRi=F<Z
zU)|urL3;Y?v<iwtYM@Dh_M*)>t}UZ2m@S)cOf^gUG*t7vU$!J&L5`$W;wu4%vO~n7
zU>PKRBqlvLS}&5?9(eZ4bRS787~3A)W{Bu5N_L;58}Q8@mBJ*0R6TKM{#=^j%j*BT
z2mf!IYdyrJTg}q(abT>Z?3y|1`GCe}@%Z%y!XP@dUi|HtMzqL%Ox)DNA%m+YqX?dk
zyvToy;atlhjJyBzQ6t);^4>IGljKwNXj!C7^`+6In={s2Mu<7=NK%Y>Rx}!Ui)6`+
zKYmRnG8W=oWf~kV-%cv9HZVl4u9&Me6{HYy#(5ai#$vb|6U2vgOrDCI7Zt(^IQ>i4
ziX$QFp-WB-S5RD-SKyS8#Vid=CucIwt6Y?_PU&(`lNon!qii|K<4$S0U(0m#$#(Y9
zaq!Wx^U<;Q(Q)$0cJ<M5@yY&8FPe|ZK`(tgI1#4&(l{HLVS42N?NXfM!t6?z^#p@A
z&G+CeH$B*cX_OrpP<O*n;t8d=BPlCXp{uv-hpNCnVlix*QplR?n=~BuGNC@1Otv>k
za*{SaW^{&AL}#)kd_ZF`2TVx*95S!+@5H*7V5i!x3~4}{=47|zhMUQT-To2(3;Fe-
zYTp34Zeqr@dgAh|p5$#4*n@hHHoCzr`Yj4n-2tNI2-$jtWVb-FTP@j3lkyLn7SL7e
ze;EZ9e99kX>#|Ee<<E*|WPqyTy)xPv8DH(qEFJcG@Nky`H_8rn081Zo-k~^`M_O<W
zw1|&~Ob-{X=4I4PMRkqI)AO2O72pTP<&!Gt$^QZHxQu&nk`^51Obp@YtXwRlGL&Zx
z8Xz>Rcr9=<G-r(*q0+5%_!Fi`%<4Hnq*-GY9sxk%<!|Gey!tS=MW=Y??<6AQnF=l`
z#_<X+ImWYNQ$$ZapV8YqClXzy+=1U%4rOO~|9(K6@U%gf{HlRE4pa6Objl^Y&1tWS
zIv!K<7&ROjwU5UQq{lt>P*>3$u2EdBQJk((?5-1k_g$}1oUapq4;`;j?5`8;uDy(R
zc2-}|pTE>2??3m%d}a_Wd0>}E7WBTt<<svH)qdZ6?E4=P=<$lms7nborS0eEYb{E~
z+C?p}r&INQo$9QGu1L!%38&XQ8CC$c?N2k0a#HXGmcZB=E5Gi+)l*jVE=Yk{fqG>8
zYvOt?NS`w^!y<Y%LdU_T670o7L1>s7DC}|U*xO0gPTx%FFFAaLv}lS3OeB!!NCnmC
z=LP~1eVan1lELkTrIOL@ua{)BAL60yZkLpB=SaENJIBSD6VmP}8TGVm##%PzZJSCi
zZDpqpic3eu@e|UZDH)WDgsi9*iUq7B>k7Fv$m<db8IPyp5!sQa;vw10r(?J1Gld0(
zw-7Vg3EZC150@NMj&~q4d4}BRvR|NkIDriawEV3Adr*N92-AYCpXh-X2-W<puzRF|
z9SAo3t$=%QfxVAEghZ^^w8kSvm92@ODffE{HlJf*eC~H-=--FEIo!UIv><KthyJn9
ze`!J6*bnn#B?V}~+8_>*esjRvxDV@NC;nE0wJ{!s$5sebgR}u1QpQ%j25OV@?&U|c
z+Ty6(pe|Ca*5Dy_?WA9<#4Mh?KM^Ih`Rt*rP+i!Lx<5(0Wr#AKqrRN{x{wzleQ<3#
z>Ic%Jfc`}QS^?^sm)h(e;*p*MWDW0JgG&Av8=4xJ7@6sh6f~@7ue8YA==2B^Da8yz
zY=kn&&WT29k{saLhFcAie<=B^N|?U0netwSOk=yCTcL-1`NOlbUFU@W0xyE_i?00#
zch$4-UvHBfke^T=QJ%pbQk=pZQ=P*dRG7pVRhh*ZR+`2dSDVKhSdhr@S4QdxElFjG
zt;yvHE=p#KuFB>LFH2{OuiL}Ne;d2{9}L%O-0HvjO0T|ux`l!yl*^ZLRsJ*j`Gt$-
zD`&Xiayp+a7pUg=0E59|vKlO=+9Q)nr?DC?XSze9(Wo~YETubRvs$k;8?Iz~gTvu+
zxa=>cIik~Qx49fFXL-Wo@wh+lFJ<J$y5jSCzdawU<ov5G4NYwgEKF>Stjz56kH6<D
zdyGZ-?^13XdwxBxI&zFQSV=c*I8CpxRsQ|u_YZ<VCDjTPlg}RtMJ3bm7ZQ&z5=$c0
z4wh1{KN?LU)BVpKGKpNdSnGdRU#eW96ELiM<Lmpwx5L-*?en&=#)titFeIJc^gqzF
zjCT9e=~BtgKYqdBC=3>p%|LO*;;B>?(`|oY$>b`vCX=mTY0c)V)h5#&KS9yxEOzJP
z%^*qD>aAAilkEUe*=*g`hLcx`Y-*_8rIKr|B$$FU;$LlZLfwB4A;<sM`)}y#IWoHX
zD(I=H;7huGkjwEjrM!dY6anFhf{gDIHs_03WGWdjrVl%t+$G=|mNH?;5M)mrV9z9C
zkLQ>)#(Plj6$oj(>4^ENsT$N-+4HWr&30DHD1A$*95}j@_?)Q}tP-dix)kygJeOyC
z;`{deZ1ahG`NTt}Q*5VZ`^Ur)(ZCVn$Px3<_7A!(RI)8HqRb=b-g^pTiUDWB9%lwJ
zb5uNYk|J{&GjrUWR^pA(A<NZc>27PMX6h~p|7RPu@RRvyqy2ekM@Mj+ZOaaCPaf~U
zK6_U@d*3{JPd)p<U1wKVXWv+7Pg&={d3#rSd*6C{Pn$OteoxT3X2mh+no*G=LTwT$
zxjyo!QjerUZHjZbA-Kn58aeAO&I<*9YQ!wD;0@Nw2svY|U!}P&3-{6pUbHS^E8TwC
zcoikXV!^6?sy2;v!ej#{!?MDvsj9B2d3t#RY{M+Ws==gY<r1`c7H!Qy(?HTXjiv>)
zxqfAh)?u7y`6)@eI_A55Wa$ld*_wxSTx0_S+w#DwQ@S>+i`3116!I;PJTb6d4)<I@
z&<u(ukH#tRnx2jtB4ePrmg*Anqu<Yt90ziwKg^CY6Y}J7RZP~>(R(hGl(_)3%1n@p
zb9PKLSJGWW%kKU}$1$%BmKHmJ9wTj3fHhc;JXoJyM34B_1c&>u03e85fI&hooH5Z6
z6u+3usEvB7?*b098lF-vj8drptf^Fx2kX^tO5FY|-7vji%Ljy*5Yu}W{c9E<m>z*b
zOc-k(7wmh{9i*_JCj#tSEl2a_=LDn&lpimK2hmgE`}qBAm8s6uaAqhwri-A!ZyhpL
zHbs2;Ld-sZKkKO7qPOqp4`D^p8EN*r?)=r~k1GrOhhxsR?)%~Qy2YcfvUmN>8PLx#
z9zuv6hUoX5%q`yv=sWCBmUphg7a7x2@~N>@{n(2NWrnZq(;kuMmDbIL>eW#gP&v@;
zp4Xr^YWZ;tW#Y5ak5`iaxm=I_wTKczk}!+B;v!;HG^xnKf%nVO+^|`P%Qn0yS;51)
zXAdq9y+^CdP7V$alSlXSjxKH&hllCo_i4d8!;it^)al3EjQ(i=vynaslw2?ta~^O3
z1L6V$dPE)4MICB~J;I1RT8cgL%ZT8e88@Qrh~u3>CsNIb=ADff0{)2Uov|14FU^?8
zD;|HB=@TL6Ai^uC=7FYrBIYUKONwuY?y2HSq-X2qDdbDscU$+V<qP<0;LGqU;fv|(
z;Y;$X;tTsr^h@<iwkij<0qSCwtZT7(U5Cqx?5b0{Y2*2?XDiQgw$)7I$@;`q)cMnn
zCBBODTl3ef&$V97KINN5b#l!f)|*CkQq2M9n@4qu?Jn4xh>g?s_MkKbR##fak!GuK
zcarAOMyqsp*2WQ6t6+Bm*HK5SWOqi#k!P!DcZ%oHN2_di&c_kB+h3np@S_knF`v|s
zEY)@*43rZttP?J@6E3_HF2obAv(Ec00pZNsMv)q&VJ7?j2K#=;X{tSU=3z{_K}@>e
zcnFhj1hZxkvt}5xW(c!p1k-j9({>osb_mmU1oLJP^M;dHgg`u6sD6?kKP{r05&p}F
z_k98gCN>CzJR<f_L>#4LEU9GN^}onLLEK9s3~Ih`sW%3ru^1vvA0WX)G6p3dsDZ;0
z1}z^jqC-;#1s^z$`-jma-M`tNf9{V`<Oq5q1>R6m#%l7_d|*lLFUXU2{-%ABjvvvz
z>J>S7g-Qt*NeL!Ni8f9Cjlv1k;J|QZM1Ep~hOLK^uE(0HN293+tEz{yuE)Eo2gI#M
z%u@Jj@d6UC@~GrxxDe}<I^h#6kThX5bzqKI)l;<clWrELt%WzWhlyA-Q?$+-_U6bi
zRPQIvFo|Hk9^t?lQDEJ0(yX-ioj!6)t{XC0MT!Eq!y~KBtYTeAw&0F^;D|&0U7FM^
zb$~*<ORQ4AWwPNArPvmmpgshbVMxU+bMQw-pM}f1y2@!=Wz8$&BzMK8ZQbJ#3!7wR
z-K=eTc=U-?#irKYp&%+H!^(ft3R&AoG1H!+q#>GzQ*#)zvgEpV&npq9Pjn*AD^ij^
zB!VM}<#OJgHpLFhvg{;yGnNQipt}-kiPiz!nfR<$YzF4RS<97W&xCoJZv~8)cjKaG
zyx1XKVe-|u>=>X*G9F}aw6xRrzwyD1=BNtOjqR=fJ$^QtdDJ;rpBuMupS+_uzifLD
z_I(g6&)t3uA(&NSnha`I!GVU0eRPm?{^cSR>v2X8+bc+0j9ZPtp_|D=EFR-qKbQy-
z)RoPo*;p<mTIDE01Nrn+589W}nct|_RbTZq{WucQ&&1YM&?Rp7%7ZS+|LQzC&kGRK
z3qUje%0+LjWq7aU2y$c=utzhohpbH=3D6!hR_|wdh02D|>i@+6?uQUI2Dq{Vrraa-
z@>jHmU$_Ht{k?TDT|&ByC06Nh$QuR-_khMA(Ss(8JX;wz$vyjN_EgsRHW9C5fd{ts
z^f}16(XtZ?p4uz5IEJ>*qWA4Q>Dm)Duin0aVkSK(kll$ul)3xb>wK)tR#xV#Ypt#D
zxrV3fG;xqehC12#Xrm<$?pqnFqb(2KTN!Mke?=lY&$`J(Ap4M#tpraE3SsgQW(+y5
zc{84fAT$k204t7Ul>P|aNX5Ve;oqstWTl53JZBu<M;y{mna6H2ZP^QOGiQ9+3xL@R
z{MieA*$WH=LLC`Y0KatCM(kWmXKbOLf**eUubk_kKOUiYVFtOr2Th>2WsRaFXXIb>
z;$WkChvRZ-(Qk~3&%>l^s@1*f4oO-;BZn$&s4){;4s6-8mQNbokokIUyq!>iZ2cRd
zd%pzsTC|mUv)rRbtaJ<Msvs8))r<T9*4g9J(yB)2Nlg$w)l(?#FaZ~pko-_n4-|+x
z&vhXHAc0A7|Koi-0!QOx3zQF^s4@VEI+B3Bi(&66+CRNDQsrXGO7{)bKmy&enz`)~
zKL_RrpWoEO7ceOAYma)kh70=(0fc6#^*=UO0Xk2<w`v$qG(Y-`S|X!jm?Q<pQYNO{
z5I}nlGbN}H!l;%CYnXm%=4s~Swk+Hia(ycqXPAriVDnPz0+qw2&`|I7IJ4;j%K(<O
zxCYYnJu`c4)91u8KyFAg&m@a}oXaB?{ut(kSYxYxF|*h?YL0m*3FEC|<>HE)1Xq!T
z;F*OXnT6;^m2r>Z36DO1#4U*9jl>MZg0b$tj4;6M+9MC7rW1oE^`oix9cWXAO#0XA
z15fUZIjD_7tlCDZT34#v2CLlqt6mqYUMbc4r0V@a<58*2RJdmp_J(dLD~Ng3neN8g
z!(^W&yy|`T6Nr#<aFSjR&8(}m**Vq*+FYK1)2alWs2wXaAKC^-)rXqKD61C+9>uO_
zD;_DY#d&Y}%7|Zgl#o7k$1^?EVK-#1t*IA}c!veOuPvok`IPJ2t){=CqLR6LU(Kd~
zqvD#mN7>D10-}<lxd+|OCIzF?Y`CeP!@JzvE|EWOAq>r6Vwj_c@5l`)VnnfJAKW7u
zno>uwR3+Ur>zXo0uyv{2{TZ6m$*@c<-Q(+;v&pb+vE9QNTGC3eTs7S_Ht|{>9^K@)
zLrwpYgXdqp1UB}KEI-;Ud$cPaWR-^vpJ7Zo_1s71evi6_9|xiLL#yd!xAY6Nn8&R#
zV^~h+q^VtW|4Mu3X<hAFI)3mSi#fkdw-@_$Or#YrVfmp$AH`+sE75&g;Fiv16?x8k
zo@lPWXrKoI5C7}g1O5hx-v9yt2LNPlWNhnTYi$DnA|xWE1b}7e?qCIgW$IvT34mp#
z?_>jj1@P+~^ZNn>0Qx-(=GU)7<$pE&`YKGNg8o(1ULCpd-yH2T!zfZX*qnonzE(g%
z#WC!4vTBXOz@T?prK!0hb&1&8s_K+Tkq!kkc-XS;=eoFPukg%1S>$>7`J8Tm=0}it
zj{g=Anb+kJbHVTd5g6b#X7QA7E!71s@<)S)%^@syVTJ-d_?KQEA3zFbT?qo1Uf&+T
z2o-_kkt?rek0b^V4TZK4bzD>&TXTsDZv2-!6u6E6Y*3W<dmg=3=@g~{-J9u`N~fKZ
z_)kW{x~Ja3C~YOf(11`M9>G9|Fb9PJEJ~oDsf6z0ll#fxay7biDTrlU*X!T#tdhLM
zXyN$r7-<-0kTPkmVt}6a-&iyy$X67wn3>&raU~5r;AP-;g$5`<^vs#5+&bt~YBb<w
zAS{InPJRxK5S3BWUXxxSi{9VC6ELKtz9XiFR41&QG5rCwUa9k8gwUO>u}Li>6b&1^
zU;b!57@#9CY$}i<Iejc{85kA{fT9+_(9qPx6cuVAg_MiZ{I1<ONEb0bZPb+Mthf>!
zTg*TbJUD<l@8&Iki`8F+`Q1=)7#qNZ>0Ls>giJAg6apc23R(mS$bJZU4Fm&KQD}K`
zv!7~U#4&l_wDa<nb*N;uqE$z%7`P6xBWYgWV4R$H^&77~0m|`Y54m}~`Hy|EG0<=6
z3Q_PB!PD>5YbNj*kPWHsB)ok`x>r`^6jOrC5$;nv!=yLb>ap5X3bc>C;u%P0r}<=D
zZ^UQ`VZw~8lTDxQ^S73_D+)lLloVDGA98#5KXN~xoW3rz>wc1{fy!KXb*$8eD)g7*
zrdc_qu6O4w_+9S}#x*p|uTzp$E;=_qlR2E9>b`|zkyYr+Tvurubw_K_dxPeU-${y2
zGR-5B`PnkBk4lae2f?^7^8xGQ=&B_)(XjA%^cL_c>fxS=Obt%`h53`Qn#h7BWI04q
zUBqsVSDPrzU}1jc^|HB@x-L{x%ymMQI`8Ma&#xJ5Zxxp5#ZMs2PQoei834lSOZ=E|
zsZdZsxL{WQmh>=lg$8kW`DQlO(gaVA;@%i3V$U+Q(uOA?$QJ=rP|1n-%uqmp3R$5m
z$?U+Z4Z<-(M|ZFn+Ngt?ryYbTpu(|)M9xPatxO_@fS>v>^_2XI7fVTSAtMIE7%>QG
zF7#;phDe2!Y7yyUsYEr`^Q7oxP<GGHKz>m8QtKHZ3Ytyga!rTTY759tW=lpaOvv^F
z$C0_`TZnB4Xiw?2%h4vUC$4aqP&;2owe+S2&K&xiZ|>&b^m=@!cn_eVxkgk3I&2RN
z%WwKMl}0wuea-1uCBwFd>Aff*CTpvVbldhB$~G08_2onrwI%+k>k9?($a7dnoDfrO
zm4g)ApN04#Xa)&=cHSV?xR<OvoVPI9SXo^aCXo)`{VMT%xq}ZGVDx724N~`6Fa|Jx
z^6s<&g?YONdRTmrm@=kzB~EtVZHMnfIH##zPa!XUMPX#j;KViN=i(F3RaUE4rKs*<
zJOuaBSVcv?*x0+b&Ys4`TjuEiY}Xo%rMu=-EaMhK6%TNWj@TBCaI`Ryo-7j&snaAE
zEop{27mDn46!AO_Y<c)=89U(?mia%{^dXEky6feO))yj!mROzTR=ID1#Hm|zxKWx|
z&&DU&FX}$}9rvv>DZH{hMc$VN?#B)Vip@pVbk~~J-JUqw)D&8*(e`^ufImjDquuf>
z9^dnCl9|isV48>Ao5OTgvpAw@Y#!MYWt{Izq0ZYWw9c)&*F9y7XIZZ8*MG;kb4)Im
z4Js@$cn+!DQ)EVx;T69kxte%vk}NWwA+Dn}@7dAv6=G4vfnM`!1%V+DjPLvtznfy^
zDL}b{0A|2o^lA`xk9Q0cXB^{)+z4YPKYTun{H__4&}kfAOK79SKiVh_jydMcW!6v_
zv-&{09k5yf(E%c|hGfF4;`Dx0HHfx-T@w{icF{c2)Qd37Out>7y#H(w5KMg)4m0Ty
zI%^uj0@gjgJbr{BDNLch;b<Aa3-{<G0&<6!o4~2=VW_Zeu!dVE8@hxVShH2a4W_bg
z`B1m&rxj@VraI8SNYxzBw@)O5PHIJ&qSv#0B(b*D6;BiD_^59weAS0JxrZ-Tp?(ez
z9AwD4tI0)VqvE!+07;gw-;tj0TXm467ri)jGe^<sjTD&&2ZH^oES%k{w{Ns-ScN|#
z%69e4$7oG%R+>WYghJSuhRfcnFjr(cWymLjMzgUtF3~uem0yZ&M6Z@~FHUjv=k=WT
z`&;slAkl?Bf*Qy=pSe;A5L?+}C8Js57a<fmf2nF64+czP_L<0tc9+wUmZqOo4yWQ3
zvJ7t>v}teCYU>_*h2}J@_z+2?gryRn(G<(8*;m$b8OMf42N4=qRwLi>saijA$Y6hU
zry-~2U}zPwE~5(}ShKiOm3AQp`N1jDGG-1E3@|?h;9MCmVY!b`cM+YqkU#-k=VP=9
zCLxaO#2dYQ;6f&-O^o92-C>YIrjU9G|52ud-pHLOp+$`lwZ-l~FsVs#Qe;m|7TJUH
znQ#^oxa)fPC5qZOkOH~x-oYam3BT}@CQtpu{FUE}2jAk;uE)QPlihHx?VoKF41a}j
zA$5o<FsC*t_G(s=Ar%~!b;o+P-FL)ut~uOqPSteP)wbuO%BI?lDy8xAV0{bM{0Xy3
zfW@V7hZjkMVO#epKrLz%J-fO-88>-JY`LmtH(_5`+mxa?;7<_A>ErJem!u|`#@BW*
zuWPYe&)YK0=AVI0+Ux)nzi+<~5V@hWJ~+D3EjiRWXwOM+cf*boTgUN}$PK01nF7t`
z5=QzeZz(QJd@U_VdwFTd=DFjkv~XvjtexNOjk*Mrm)mN!rJC}$?$o6x8D>p@54`BQ
zSfcJh0rur>a*Zjn6)_d{zG@fMmYjswf?$<pMXo->lXL^U$7@J#;V9=;W9|uXvHqMc
zO?pNhIsf7rU+TLP?4#=W6?n^^H~W5GfAf2V$D$$vse&Rz1Bg`@00;;UNtFP^A;7C2
z@f~x*ltl$f10V30Goo<>{r!W%x{8Y>%>2Ert*@UK=@|O!qEm2k*BhGWVWwyCS(3iV
zjb)c4xCqG(z;$O=S2e0ZSfr3y=!lnfyq|bQ8c>qP9rFjMD^D7b$0_)Yq@X^fVHr!!
zM&J-C1AwUQk25$h1t~9Of7rf|pEjzQX47r-oETrLb;(g?S{vIr2zEt<qHpe1BzR=i
zNk+R&Cz!=esZP$Ur?y_o&Ya6US3|-X!&GVvBBDvh7nBrLOom*}Q}`^=LqzrN44<~^
z9E*(O$HZtrNq~up)1wMbq|I#f?V0VIu9w$w2$6o)0mj`;`JWOqWJ#%wcRZJzF#M^v
z+VkH36F&#Q`1XXup?fa>)%tu5Uf=)3h!VI8dPkmD5w1H&*rS#nfnU7->if#7lGXWy
zt6{JG130*NJC;LHH2CslBAyWV&@+F#iXijrb>AmF;mdHX>fr+_lYP+T_p<&z*0!=&
za|81tc@!B{Ic@q(d}%?x`;D)mv|i>-<8_%1$Fb~}I*IkVt0bxW$}gS_E8Q|Y1}b*P
z_@1V%q~F+}^s02$tELr8`(MS^&>I(RvJsp?Xj_HQb}%VSkKKQC=eRxL`{`DK;gZe#
zpK1I53_wy|x&b%Xb%>X+2XF%(L%i&T2|z~~_x<0qFB*lBO&i(K6^&>;)nEpTR!HLx
z{WaAh=pn=|pz#@`IBqtL%`BE*k+w|0SS5lA#lzJTrg;6h9@5c}f+}8}ip)BT!(}sR
zuny3Y8ddPBNi;SolEY)bh}>oChBpq%<YXY%B;fHGxjgAM^L_aknXoR<maQIMEm@Gq
zK=vLsf3P7&?_X*7Z*sZw<%@(KFA*L;@F3H$m9q{L+_q*>ny6XOR%v#+jL=WD3Rkgw
zJ9pKrH03dGRCk>1#X5;t>L%E29o-KvI(5~kTz_<_+7-8O=2@*T#(5{(%!h5iq*YSW
zggH7l!++ZF?5wpOv)4~(s98O*W{u{yr>sTC57sVz=bv@O^MxLz-~FRY-O0DL3u;=<
z#@;r4S6DvBK2i<3U#2^0%E$UyZ4VCAuezx&2raS-pK-ZoR+9CTfPt_DTWSLi>VcM~
zd2648D8Kuin#p%{IzDV5ygxB*^{F?_GmcGPM)pl^^LOlG*iSYe+58w={h+T#0Ny`7
zLOr1!IfueLBuWdx^yj?xBQOWKyaHK~C4ej^&~RWYwjKnPDn^VX5_rO>B&R`TIDNn2
zKutzuSq_{f2XQ)>0LCffCW^vQq7NY`6$51u4XhP-Y#;?E4<To!6teV;AsE{#z}N`?
z+iD1j|B!2Ae$KTO013ZqNNlNeBssrPRlXYil=;eoQ~(_0K(_%_fFw2-n~DbM&!a00
zh!mt8Pf^&eqCf<&P}r^rKeo%1wgbZylJ!4#%vZ$pZ#n)uOsm?@S?_5O)$P8Odu0wW
zU8j9@w_)n0*(tnY&765!(^vJs|N3y2<-xyP1t0sOSPYA8A?9~|`Z7LcH%@<kF?XZd
zn<m2*Y{&Yu-QH)~r`8<4{4nmT@<O#+12rKOZ1h2J@|Jsh8f6!*Rc8}}={@S?m7NCf
zD;|-L###^`KhLa9wW~T;WU)MDV#4-4CH9rNV%4BKsbz*M9ybkaDfAyMF-SVn7&_K%
zabtnY>iuUj9QfC?)jM9V#h5RA$nxzlI3jv;b#2<-^Hm#bf@VBlv(FNs?Aph^m~*_x
zV1iKRKzNE5A=7^YW%1=1);n;#fVF!Umd-LP?%mMXI%9rl^}CHOIpMGndkn$!Av6jF
z$|V2KF#PMbq3{G!T-FSXhHj`D2F5Es-UOx!B^;~?6utVu`k#ha7*Ta`px=qlYw~T@
zWH`jna$bG(+rIQLFkPVu9?k=7F{^YElmv00e25FtAqGT3N;HTK@sP84#Ku8>vk*%z
z#DrLo04WtBXM89JISWJl4CFN#BFWlhBEM9m4p&x}g?!TyOCr)ouDs8mNQ)JsAipi1
zjefWKBy(s!bC)o*K5r{I_U;DCM>S*DX;>%FA+WEoNqZx)l(5u{Ty8%$&Pw}9?V-}O
zEo08x*e2nhR6aSs+BJ)%K5u`DH!Aa)ByGSZIL_uQ@p!*7rf%lak1dq-YWgg@#rDoe
zpXymy@x3KBEAsxz4eB2MaJ|OY6%h^3F&FNBRvHt^(}<;2<Uh4$>NlhEQ+1X|KInJ4
zKRiBM@0K=k%O_CtR`PYE)!wTQk54OJ8z4O9CCa3W9g|viw1=N*oH>xAw?M}TW-p|V
zt!U(hK6EDRwOnkHbNpDcf#=K{>H61?oR4`rA|<OXODE#C`}tQ@_<{71wePQm5uEBI
zLNpEt(JKGkJ!M#k`hd{3S1Mrc|Mat^UmtEM3UUH4RMaDGsGx!ZrvG@9U@cj8;RU<G
z9<Y}iNc}~Q-kq~g97tSq>GZfJ?Tp54N9HV@a`ZQH&|f#37PD^olycrIt=6i7lKX!z
z@DljmOruTGB;P1$v%7bv_;h$;adV%uerc?Q<l7nb(~dNv71_r3>dBHl+h+$qFp0!Y
z&Vw)+W_z=P?N}UM4?FDYj>XBg$@)NbbTyOSU#;_T-Hu`F&lW(N69V--g#&YMO`E@U
zH*-hD&8)0C@UkUkLG~VOtaAGK&N(fC``Rxg`j{6V$l0$YPIwWQ{vxZu-npST!Z;&1
z+tLa*oobvjCU13V8^fZ#y1;8{P584fhgR5Q{Ijk$qZiz<;z~LO+&xRLHaRQ}yneeg
vsg<4PdZF&`VZxlAqsn*A9<naDp>n^o|EA*(ex2v0iS7^t{R<bGjynJVUE7-V

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.eot b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.eot
new file mode 100644
index 0000000000000000000000000000000000000000..b93a4953fff68df523aa7656497ee339d6026d64
GIT binary patch
literal 20127
zcma%hV{j!vx9y2-`@~L8?1^pLwlPU2wr$&<*tR|KBoo`2;LUg6eW-eW-tKDb)vH%`
z^`A!Vd<6hNSRMcX|Cb;E|1qflDggj6Kmr)xA10^t-vIc3*Z+F{r%|K(GyE^?|I{=9
zNq`(c8=wS`0!RZy0g3<xfGPm^&oc(t0WAJyYk&j565#r82r@tgVE(V|{tq<<xco!B
z02==gmw&z10LOnkAb<tH1OWX@JOI9bn*UMykN1D0R{xl80Mq~Cd;ISaOaQKbJU)Q^
zKV{p0n*ZTg{L}i+{3Za_e=Uyx%G?09e;&`jxw-$pR}TDt)(rrNs7n5?o%-LK0RgDo
z0?1<k<naI!SC})WF>{M(8^tv41d}oRU?8#IBFtJy*9zAN5dcxqGlMZGL>GG%R#)4J
zDJ2;)4*E1pyHia%>lMv3X7Q`UoFyoB@|xvh^)kOE3)IL&0(G&i;g08s>c%~pHkN&6
z($7!kyv|A2DsV2mq-5Ku)D#$Kn$CzqD-wm5Q*OtEOEZe^&T$<q%?GPI*ug?*jFCZ7
zl1X3>xIb0NUL<TDAlC~xMcGnHsPe)Gh+nESIamgk2)5Ql^6QPK&XkQ+!qk}`TYc#I
zf~KwkK>}$)W)Ck`6oter6KcQG9Zcy>lXip)%e&!lQgtQ*N`#abOlytt!&i3fo)cKV
zP0BWmLxS1gQv(r_r|?9>rR0ZeEJPx;Vi|h1!Eo*dohr<W65y|5+tpvz!HDS=Q}DgN
z;O&E^rmV416<Hj_N10HwLk^Lwyhx2j;kDE@F*S-tuqy|n(-6~PPF09Xvxq56At8OG
z4-2Gj5=K^(f;q@WOp+9uP|<!09J~a(Y%m)hsl;TbWEvvuQ7(qWx_eKYE@rH9B(V+`
zF8+p6+N8}}{zS_o7#)%b=2DFYa}JT{_i@;_#xxEDZ)+D4Lz{Pv;LE}#`N2bQP*W;6
z(wPX2S3Zb<sNz$mW_!uE^K&d`O<hkRPv<3DnX$`Y*)_qR>&^lJgqJZns>&vexP@fs
zkPv93Nyw$-kM5Mw^{@wPU47Y1dSkiHyl3dtHLwV&6Tm1iv{ve;sYA}Z&kmH802s9Z
zyJEn+cfl7yFu#1^#DbtP7k&aR06|n{LnYFYEphKd@dJEq@)s#S)UA&8VJY@S2+{~>
z(4?M();zvayyd^j`@4>xCqH|Au>Sfzb$mEOcD7e4z8pPVRTiMUWiw;|gXHw7LS#U<
zsT(}Z5SJ)CRMXloh$qPnK77w_)ctHmgh}QAe<2S{DU^`!uwptCoq!Owz$u6bF)vnb
zL`bM$%>baN7l#)vtS3y6h*2?xC<XQJNpZVS!tVtuR(<D$%K=CTVlwa)G)}qDJup|w
z!YRUAk-}+0)MFG#RuE2vlb~4*bP&)ex6`$^%6ySxf}MiQja9&+C4)UgIK)TIHVp>k
z>w+s)@`O4(4_<t2L?B1i*y6fuRi+P?QZCG2j9(btWTetUT@0Q|8XO(SqEH6LSB!2L
z<;M1lya0G`cm9UEex~so>I{L-!+b%)NZcQ&ND=2lyP+xI#9OzsiY8$c)ys-MI?TG6
zEP6f=vuLo!G>J7F4v|s#lJ+7A`^nEQScH3e?B_jC&{<S@1dd<&?JtuP@v(wA>sj>m
zYD?!1z4nDG_Afi$!J(<{>z{~Q)$SaXWjj~%ZvF152Hd^VoG14rFykR=_TO)mCn&K$
z-TfZ!vMBvnToyBoKRkD{3=&=qD|L!vb#jf1f}2338z)e)g>7#NPe!FoaY*jY{f)<G
z+9IWTnFJO0p&^rK`xODpSZARax-jN9(N|ZWyg~(MGSuQYzXBQR*+_`oO>Bf>ohk-K
z4{>fVS}ZCicCqgLuYR_fYx2;*-4k>kffuywghn?15s1dIOOYfl+XLf5w?wtU2Og*f
z%X5x`H55F6g1>m~%F`655-W1wFJtY>>qNSdVT`M`1Mlh!5Q6#3j={n5#za;!X&^OJ
zgq;d4UJV-F>gg?c3Y?d=kvn3e<VW2IarGgIy4I@#ozBH$Q(a($^uvXS?@=l>V)Jb^
zO5vg0G0yN0%}xy#(6oTDSVw8l=_*2k;zTP?+N=*18H5wp`s90K-C67q{W3d8vQGmr
zhpW^>1HEQV2TG#8_P_0q91h8QgHT~8=-Ij5snJ3cj?Jn5_66uV=*pq(j}yHn<uy|J
zh=_`9%JG63kQPJ-Et!mF@={HFp+sB-S+XTFvdzD^x19Lbj{TXx=?FGKvX;|1-3-zU
zl2DyEls20Izb)isO0?xrx(b1`<I3ZDSNBd*<5l=jC`?Re`XCFaI(ny#9KlP!NYbU=
z^;IWB5he_V3}{Xdl1>f$<x%N5|7+dpJoB>Ft;5VVC?bz%9X31asJeQF2jEa47H#j`
zk<KNJ>&uxf3t?g!tltVP|B#G_UfDD}`<#B#iY^i>oDd-LGF}A@Fno~dR72c&hs6bR
z2F}9(i8+PR%R|~FV$;Ke^Q_E_B<teU&M|M>c;$)xN4Ti>Lgg4vaip!%M<tZtx+eW>
z06oxAF_*)LH57w|gCW3SwoEHwjO{}}U=pKhjKSZ{u!K<P`9nrZXY)DCi*vvJQDx`q
za_kyA2Qus4JQ%8kM3_Gd%I1O+cF3~V6=ZM1u9*Ea+iXPId}M`kd7I1T0d7Zx)Wa&?
z{PLQlHM^=&Y!og~I(XQ;5lJScjK~IrV<F7J6v`iM&M1#EkRsHYX8V%Dip>?1zm1q?
zXyA6y@)}_sONiJopF}_}(~}d4FDyp|(@w}Vb;Fl5bZL%{1`}gdw#i{KMjp2@Fb9pg
ziO|u7qP{$kxH$qh8%L+)AvwZNgUT6^zsZq-MRyZid{D?t`f|KzSAD~C?WT3d0rO`0
z=qQ6{)&UXXuHY{9g|P7l_nd-%eh}4%VVaK#Nik*tOu9lBM$<%FS@`NwGEbP0&;Xbo
zObCq=y%a`jSJmx_uTLa{@2@}^&F<l?4N8$IoqA~y`|!rgD24&AtvbWWlPF%K!I`Fp
zMCDiMrV(MWM2!hiB6=^)Er#O8q+%t)I4l3iuF$d;cBXqGAn?Z0Z*?MZRuh=zmPo~-
z_rOvv7sERj79T<uPMWCHIto@agn)X&#=QQyY*6wt){yHQ7~yFoEezd#C<dQF+u)2-
zEIMy-5P*TYpqPxY25dY9J+f-E^3<^@G(=jU{U&hQ3#o`a)dOUR&JT?mTRlBfHE<p|
zO&J|*26{JJ28qC1saVtkQ1WW^G58Smr^%f>4c%z6oe-TN&idjv+8E|$FHOvBqg5hT
zMB=7SHq`_-E?5g=()*!V>rIa&LcX(RU}aLm*38U_V$C_g4)7GrW5$GnvTwJZdBmy6
z*X)wi3=R8L=esOhY0a&eH`^fSpUHV8h$J1|o^3fKO<edeL`~4AS}?bGhbI@wd%7ob
z;HUsAzX8f<5Tcj`x1L`~p_%qxb{Gobu+`2Hh*bfnN@EZ$w1F5i32YXO9vreTkznl=
zRv&F3;kE3d@_Cys2UVvUxUU=oDO~U>|9QzaiKu>yZ9wmRkW?HTkc<*v7i*ylJ#u#j
zD1-n&{B`04oG>0Jn{5PKP*4Qsz{~`VVA3578gA+JUkiPc$Iq!^K|}*p_z3(-c&5z@
zKxmdNpp2&wg&%xL<cX5MdFnpzW;X?cI|~qZbhDWm)F_t}i=(x><xZ|=$k6lbFWo~R
z1yEA-t+BaHz`?1Zi{N`F<t?_rS*zpAEN-Lg7L9qKTVj|Ih7gOmTvLqTlA1e51SXNm
zeA`1UhC`&)%k?V^ii%`|O+coBH9$HjP#Fy1CjYhyW0DPZC>3xZNzG-5Xt7jnI@{?c
z25=M>-VF|;an2Os$Nn%HgQz7m(ujC}Ii0Oesa(y#8>D+P*_m^X##E|h$M6tJr%#=P
zWP*)Px>7z`E~U^2LNCNiy%Z7!!6RI%6fF@#ZY3z`CK91}^J<kz;gXvl4j_QvxfXmA
ze1j4n*Hru_ge<*I;p<wHXN`XVFAk2bTG~Vl5{?nXF6K!!HeqOu6_U-movw7Gx`O<C
zM~<jbZlSC}oXeAQr_Y8Tq)(9YogPgPY{6ELohD$98O2Fj5_M2=J84FuR#dyoS!A-|
z*c)!)9^dk4^<2$Ks79AAMW;%o-!%g7j{1(Pnwwy1tca#dUTE1+4y#<A6VSeCR)wQ`
zCEFu?oS$y=05cpTr}VLe+YU$GFp$#&tfXaK<ia*q3-&+6KDQP!)!Ru(yh0c}7za6=
ziFP^Nq3))g21c{b{ESQRdZN3Xnpa8jUP0DA2r&uofBU7TtM^7^s}7#&aUnGsvE`fu
z>$F!EB0YF1je9<lP78|=Z6bmMhpLsL)Tz)Cn&pP#eF?{kB>hJKU7!S5MnXV{+#K;y
zF~s*H%p@vj&-ru7#(F2L+_;IH46X(z{~HTfcThqD%b{>~u@lSc<+f5#xgt9L7$gSK
ziDJ6D*R%4&YeUB@yu@4+&70MBNTnjRyqMRd+@&lU#rV%0t3OmouhC`mkN}pL>tXin
zY*p)mt=}$EGT2E<4Q>E2`6)gZ`QJhGDNpI}bZL9}m+R>q?l`OzFjW?)Y)P`fUH(_4
zCb?sm1=DD0+Q5v}BW#0n5;Nm(@RTEa3(Y17H2H67La+>ptQHJ@WMy2xRQT$|7l`8c
zYHCxYw2o-rI?(fR2-%}pbs$I%w_&LPYE{4bo}vRoAW>3!SY_zH3`ofx3F1PsQ?&iq
z*BRG>?<6%z=x#`NhlEq{K~&rU7Kc7Y-90aRnoj~rVoKae)L$3^z*Utppk?I`)CX&&
zZ^@Go<Q-E-9qdDk;`1UZ+I6D_?B@62xgSC03f%4S8VtH3(P3D_6<1>9fm&fN`b`XY
zt0xE5aw4t@qTg_k=!-5LXU+_~DlW?53!afv6W(k@FPPX-`nA!FBMp7b!ODbL1zh58
z*69I}P_-?qSLKj}JW7gP!la}K@M}L>v?rDD!DY-tu+onu9kLoJz20M4urX_xf2dfZ
zORd9Zp&28_ff=wdMpXi%IiTTNegC}~RLkdYjA39kWqlA?jO~o1`*B&85Hd%VPkYZT
z48MPe62;TOq#c%H(`wX5(Bu>nlh4Fbd*Npasdhh?oRy8a;NB2(eb}6DgwXtx=n}fE
zx67rYw=(s0r?EsPjaya}^Qc-_UT5|*@|$Q}*|>V3O~USkIe6a0_>vd~6kHuP8=m}_
zo2IGKbv;yA+TBtlCpnw)8hDn&eq?26gN$Bh;SdxaS04Fsaih_Cfb98s39xbv)=mS0
z6M<@pM2#pe32w*lYSWG>DYqB95XhgAA)*9dOxHr{t)er0Xugoy)!Vz#2C3FaUMzYl
zCxy{igFB901*<tiyD63(hW(uERHv;@J~7F`;-e`O5Ld!(Fl>R2*F4>grPF}+G`;Yh
zGi@nRjWyG3mR(BVOeBPOF=_&}2IWT%)pqdNAcL{eP`L*^FDv#Rzq<iCP<KO7gjv}{
z^5ElYuo)cUV9?9{6e*c7eWVK@LCOKKaBR<2_;6r+GhH1i-~$};rNpE_D*2ZJ=O+cz
zyj}kfz8;}sw88^SYgzvxpkB>l5U&Suq_X%JfR_lC!S|y|xd5mQ0{0!G#9hV46S~A`
z0B!{yI-4FZEtol5)mNWXcX(`x&Pc*&gh4k{w%0S#EI>rqqlH2xv7mR=9XNCI$V#NG
z4wb-@u{PfQP;tTbzK>(DF(~bKp3;L1-A*HS!VB)Ae>Acnvde15Anb`h;I&0)aZBS6
z55ZS7mL5Wp!LCt45^{2_70<L`Ib`SKM1Oi<HkO)Y>YiI_Py=X{I3>$Px5Ez0ahLQ+
z9EWUWSyzA|+g-Axp*Lx-M{!ReQO07EG7r4^)K(xbj@%ZU=0tBC5shl)1a!ifM5OkF
z0<aV&1|hwix;hV`l{C+KeqEjnn@aQGS~k&rcJ^K626yC8@~#qf$xT7;xJLzv3M&rA
z)MirFFpng+&}hRJHKQ6_3l{ABCJLmIrj8g#cem2@!i;W7Q+}Wr^IrTp((?iq1h?Cq
z7Z^k%ps^N^e})9!YkyNa0;x`m&~<4yTQHl1+dFNY1CE<&_PZ=1v!ch(qU_a1lHd~T
zC&a1>w2xQ-<+r-h1fi7B6waX15|*GGqfva)S)dVcgea`lQ~SQ$KXPR+(3Tn2I2R<0
z9tK`L*pa^+*n%>tZPiqt{_`%v?Bb7CR-!GhMON_Fbs0$#|H}G?rW|{q5fQhvw!FxI
zs-5ZK>hAbnCS#ZQVi5K0X3PjL1JRdQO+&)*!oRCqB{wen60P6!7bGiWn@vD|+E@Xq
zb!!_WiU^I|@1M}Hz6fN-m04x=><rLlCfwyIrOU}U)<7QivZH0Rm_-}Sg~$eCMDR*Z
zx`cVPn__}6Q+CU!>Exm{b@>UCW|c8<K+|Vc^j#>vC`aNbt<B+h3ox;kC6?34Wa#|Y
zXq?n@d6k6MUBqn%SYLX5^>A@KCHujh^2RWZC}iYhL^<*Z93chIBJYU&w>$CGZDR<q
ztx<5t>cHuIgF&oyesDZ#&mA;?wxx4Cm#c0V$xYG?9OL(Smh}#fFuX(K;otJmvRP{h
ze^f-qv;)HKC7geB92_@3a9@M<H_?qNxE&=>GijS(hNNVd%-rZ;%@F_f7?Fjinbe1(
zn#jQ*jKZTqE+AUTEd3y6t>*=;AO##cmdwU4gc2&rT8l`rtKW2JF<`_M#p>cj+)yCG
zgKF)y8jrfxTjGO&ccm8RU>qn|HxQ7Z#sUo$q)P5H%8iBF$({0Ya51-rA@!I<SEC1_
zHUdTwrTB3a?*}j?j1(f*^9G0kG<5JX4@l|rR&H;`Qa2VcYZ3UxZL+D>t#NHN8MxqK
zrYyl_&=}WVfQ?+ykV4*@F6)=u_~3BebR2G2>>mKaEBPm<p!ix>SW3(qYGGXj??m3L
zHec{@jWCsSD8`xUy0pqT?Sw0oD?AUK*WxZn#D>-$`eI+IT)6ki>ic}W)t$V32^ITD
zR497@LO}S|re%A+#vdv-?fXsQGVnP?QB_d0cGE+U84Q=aM=XrOwGFN3`Lpl@P0fL$
zKN1PqOwojH*($uaQFh8_)H#>Acl&UBSZ>!2W1Dinei`R4dJGX$;~60X=|SG6#jci}
z&t4*dVDR*;+6Y(G{KGj1B2!qjvDYOyPC}%hnPbJ@g(4yBJrViG1#$$X75y+Ul1{%x
zBAuD}Q@w?MFNqF-m39FGpq7RGI?%Bvyyig&oGv)lR>d<`Bqh=p>urib5DE;u$c|$J
zwim~nPb19t?LJZsm{<(Iyyt@~H!a4yywmHKW&=1r5+oj*Fx6c89heW@(2R`i!Uiy*
zp)=`Vr8sR!)KChE-6SEIy<Vn-l!RzPhNVxOkQU85Nng*5JUtkAg)b6wP&$wmih=Au
zKs;dHW6q)pI2VT$E`W=7aAbKSJnb;$l%#?edH=)1)avHvVH)345mJ;(*l$Ed1MA<a
z72%vbZD4`I;B-RS=m{iM`7(#1x>i(dvG3<1KoVt>kGV=zZiG<Y+hj@$zd#Q#=4iVE
z)x-IdMbP%iC;0pg$QUoVt(A;lO{-jJjH=;buR+E#0Eulb^`hidN&<0Z-tju^RGPcG
z(C4$AS6l7m-h>7LGonH1+~yOK-`g0)r#+O|Q>)a`I2FVW%wr3lhO(P{ksNQuR!G_d
zeTx(M!%brW_vS9?IF>bzZ2A3mWX-MEaOk^V|4d38{1D|KOlZSjBKrj7Fgf^>JyL0k
zLoI$adZJ0T+8i_Idsuj}C;6jgx9LY#Ukh;!8eJ^B1N}q=Gn4onF*a2vY7~`x$r@rJ
z`*hi&Z2lazgu{&nz>gjd>#eq*IFlXed(%$s5!HR<!{AgXHWD~USVRvxKdGTp>XKNm
zDZld+DwDI`O6hyn2uJ)F^{^;ESf9sjJ)wMSKD~R=DqPBHyP!?cGAvL<1|7K-(=?VO
zGcKcF1spUa+ki<qEk7@%dE~%eGpEl!oK*hA!YE+isq^GFdJ#{KfWIULzmRCaF}4(*
z-$*W)k94bSp|#5~htGbQ<~v1feWKv$%wM~TX}E><`6K#@QxOTsd847N8WSWztG~?~
z!gUJn>z0O=_)VCE|56hkT~n5xXTp}Ucx$Ii%bQ{5;-a4~I2e|{l9ur#*ghd*hSqO=
z)GD@ev^w&5%k}YYB~!A%3*XbPPU-N6&3Lp1LxyP@|C<{qcn&?l54+zyMk&I3YDT|E
z{lXH-e?C{huu<@~li+73lMOk&k)3s7Asn$t6!PtXJV!RkA`qdo4|OC_a?vR!kE_}k
zK5R9KB%V@R7gt@9=TGL{=#r2gl!@3G;k-6sXp&E4u20DgvbY$iE**Xqj3TyxK>3AU
z!b9}NXuINqt>Htt6fXIy5mj7oZ{A&$XJ&thR5ySE{mkxq_YooME#VCHm2+3D!f`{)
zvR^WSjy_h4v^|!RJV-RaIT2Ctv=)UMMn@fAgjQV$2G+4?&dGA8vK35c-8r<daDqE-
zlIJCF%-7v?-xOAOA*Z$Wv;j3$ldn=}pR52aU>)z9Qqa=%k(FU)?iec14<^olkOU3p
zF-6`zHiDKPafKK<gsO-HjX!gIc-J@mlI}lqM!qAHMA?>^USUU+D01>C&Wh{{q?>5m
zGQp|z*+#>IIo=|ae8CtrN@@t~uLFOeT{}vX(IY*;>wAU=u1Qo4c+a&R);$^VCr>;!
zv4L{`lHgc9$BeM)pQ#XA_(Q#=_i<x#Kw|T_b{oltLKCCP2b6F_+)lx3b*Vc?@JD8p
z>SZL4>L~8Hx}NmOC$&*Q*bq|9Aq}rWgFnMDl~d*;7c44GipcpH9PWaBy-G$*MI^F0
z?Tdxir1D<2ui+Q#^c4?uKvq=p>)lq56<F6-{L-8bs~8_dC8J3p4CdV*Iq;6IOvBJh
z^E(Ti1wkp{O6qebTnBYm)da^xs3^-TV5tGhoGrFBA^b?UK`APfD~Y+F8!rz@iSNu3
zFO1o9o^S3!%nw&2bpBxHF!V{IaC(n}+(HqYMb(3!l`YX-ru;2?$oSZD;K6*RvAS8r
zf1jgZer>=Eb|N^qz~w7rsZu)@E4$;~snz+wIxi+980O6M#RmtgLYh@|2}9BiHSpTs
zacjGKvwkUwR3lwTSsCHlwb&*(onU;)$yvdhikonn|B44JMgs*&Lo!jn`6AE>XvBiO
z*LKNX3FVz9yLcsnmL!cRVO_qv=yIM#X|u&}#f%_?Tj0>8)8P_0r0!AjWNw;S44tst
zv+NXY1{zRLf9OYMr6H-z?4CF$Y%MdbpFIN@a-LEnmkcOF>h16cH_;A|e)pJTuCJ4O
zY7!4FxT4>4aFT8a92}84>q0&?46h>&0Vv0p>u~k&qd5$C1A6Q$I4V(5X~6{15;PD@
ze6!s9xh#^QI`J+%8*=^(-!P!@9%~buBmN2VSAp@TOo6}C?az+ALP8~&a0FWZk*F5N
z^8P8IREnN`N0i@>O0?{i-FoFShYbUB`D7O4HB`Im2{yzXmyrg$k>cY6A@>bf7i3n0
z5y&cf2#`zctT>dz+hNF&+d3g;2)U!#vsb-%LC+pqKRTiiSn#FH#e!bVwR1nAf*TG^
z!RKcCy$P>?Sfq6n<%M{T0I8?p@HlgwC!<R%oqdMv88ghhaN5z;w29c{kLz0?InueY
zuDv#J^DHLyGoyzt8(sCID)#E6<WCYlz7uC1Xvs8QhV{45h-M4rLYe7xw;{g462-zX
zIV>HoWO>~mT+X<{Ylm+$Vtj9};H3$EB}P2wR$3y!TO#$iY8eO-!}+F&jMu4%E6S>m
zB(N4w9O@2=<`WNJay5PwP8javDp~o~xkSbd4t4t8)<Wt_Xc73S;VOmD#Fsb|nTsJs
z59;v?-{=r}I{BDxTN)Iz2&5m`sG^%wjY0*@1I`W29gtM7#wwIQTHvQhS2gB?6J62R
zJXy=)7L1!%o4(?3j6J3Pc%v5LFvsR9gKoej%77dCetZylr9&mT=u=p$Kn1Z^C3ySy
z3|Tg>9jqu@bHmJHq=MV~Pt|(TghCA}fhMS?s-{klV>~=VrT$nsp7mf{?cze~KKOD4
z_1Y!F)*7^W+BBTt1R2h4f1X4Oy2%?=IMhZU8c{qk3xI1=!na*Sg<=A$?K=Y=GUR9@
zQ(ylIm4Lgm>pt#%p`zHxok%vx_=8Fap1|?OM02|N%X-g5_#S~sT@A!x&8k#wVI2lo
z1Uyj{tDQRpb*>c}mjU^gYA9{7mNhFAlM=wZkXcA#MHXWMEs^3>p9X)Oa?dx7b%N*y
zLz@K^%1JaArjgri;8ptNHwz1<0y8tcURSbHsm=26^@CYJ3hwMaE<khA9_uuFNLm1L
zw+Fp#304~-S;vdG5Nug~K2qs}yD1rrg&9Fcvifn@KphT~L22BKMX?U^9@?Ph`>vC7
z3Wi-@AaXIQ)%F6#i@%M>?Mw7$6(kW@?et@wbk-APcvMCC{>iew#vkZej8%9h0JSc?
zCb~K|!9cBU+))^q*co(E^9jRl7gR4Jihyqa(Z(P&ID#TPyysVNL7(^;?Gan!OU>au
zN}miBc&XX-M$mSv%3xs)bh>Jq9#aD_l|zO?I+p4_5qI0Ms*OZyyxA`sXcyiy>-{YN
zA70%HmibZYcHW&YOHk6S&PQ+$rJ3(utuUra3V0~@=_~QZy&nc~)AS>v&<6$gErZC3
zcbC=eVkV4Vu0#}E*r=&{X)<H<fOshUJUO>Kgq|8MGCh(wsH4geLj@#8EGYa})K2;n
z{1~=ghoz=9TSCxgzr5x3@sQZZ0FZ+t{?klSI_IZa16pSx6*;=O%n!uXVZ@1IL;JEV
zfOS&yyfE9dtS*^jmgt6>jQDOIJM5Gx#Y2eAcC3l^lmoJ{o0T>IHpEC<k{}Rs{I@x*
zb<od>TbfYgPI4#LZq0<d#zAXFmb<Y9lgw&{$vCxBQ~RnTL=zZ7D-RwUE3~Z#wraN%
z_E{llZ?GrX#>PKqnPC<SBsRloBYG4ZO7Eeh-Bv2C$rMVb@bcKn3t2`<&0ke8{h|+|
z29&HD`tAtGV2ZA(;c{wT$(NWY+fHTL0b7Km+3IMcIX(?D)PQ;HB*^`ex$kl}K>D}_
zyKxz;(`fE0z~nA1s?d{X2!#ZP8wUHzFSOoTWQrk%;wCnBV_3D%3@EC|u$Ao)tO|AO
z$4&aa!wbf}rbNc<V}`mLC?8U0y^+E9xuE>P{6=ajgg(`p5kTeu$ji20`zw)X1SH*x
zN?T36{d9TY*S896Ijc^!35LLUByY4QO=ARCQ#MMCjudFc7s!z%P$6DESz%zZ#>H|i
zw3Mc@v4~{Eke;FWs`5i@ifeYPh-Sb#vCa#qJPL|&quSKF%sp8*n#t?vIE7kFWjNFh
zJC@u^bRQ^?ra|%39Ux^Dn4I}QICyDKF0mpe+Bk}!lFlqS^WpYm&xwIYxUoS-rJ)N9
z1Tz*6Rl9;x`4lwS1cgW^H_M*)Dt*DX*W?ArBf?-t|1~ge&S}xM0K;U9Ibf{okZHf~
z#4v4qc6s6Zgm8iKch5VMbQc~_V-ZviirnKCi*ouN^c_2lo&-M;YSA>W>>^5tlXObg
zacX$k0=9Tf$Eg+#9k6yV(R5-&F{=DHP8!yvSQ`Y~XRnUx@{O$-bGCksk~3&qH^dqX
zkf+ZZ?Nv5u>LBM@2?k%k&_aUb5Xjqf#!&7%zN#VZwmv65ezo^Y4S#(ed0yUn4tFOB
zh1f1SJ6_s?a{)u6VdwUC!Hv=8`%T9(^c`2hc9nt$(q{Dm2X)dK49ba+KEheQ;7^0)
ziFKw$%EHy_B1)M>=yK^=Z$U-LT36yX<F=`VawpD(xy$9hZLKdS9NJ`Zn_|f^uS`)c
z-Rl}C$-9t=SeW=txVx%`NS&LLwx4tQT@F-lQnBqQ-sOH}Jc&bP@MTU&SQLci>>EKT
zvD8IAom2&2?bTmX@_PBR4W|p?6?LQ+&UMzXxqHC5VHzf@Eb1u)kwyfy+NOM8Wa2y@
zNNDL0PE$F;yFyf^jy&RGwDXQwYw6yz>OMWvJt98X@;yr<mIFkh{a&op3>!*RQDBE-
zE*l*u=($Zi1}0-Y4lGaK?J$yQjgb<Bq)i+tJ7(x$;ieC4!=clV5G5IPlSyhAR$E4=
z$1c&+)JfppzZ*VSL$xH3n1^iI1K%)!-^sJU%xwj7WT8t7w6499b3QQ%J+gW)4)JMb
z8GVT`4`(VvLA^xbTV6K2V_8Mv*?gDDUBYV!P-qg?Dq*YIhGKXu$p#?E9&(-}opTbz
zZ#J#VgX+|T3gSW)eF}>+*ljUvNQ!;QYAoCq@>70=sJ{o{^21^?zT@r~hhf&O;Qiq+
ziGQQLG*D@5;LZ%09mwMiE4Q{IPUx-emo*;a6#DrmWr(zY27d@ezre)Z1BGZdo&pXn
z+);gOFelKDmnjq#8dL7CTiVH)dHOqWi~uE|NM^QI3EqxE6+_n>IW67~UB#J==QOGF
zp_S)c8TJ}uiaEiaER}MyB(grNn=2m&0yztA=!%3xUREyuG_jmadN*D&1nxvjZ6^+2
zORi7iX1iPi$tKasppaR9$a3IUmrrX)m*)fg1>H+$KpqeB*G>AQV((-G{}h=qItj|d
zz~{5@{?&Dab6;0c7!!%Se>w($RmlG7Jlv_zV3Ru8b2rugY0MVPOOYGlokI7%nhIy&
z-B&wE=lh2dtD!F?noD{z^O1~Tq4MhxvchzuT_oF3-t4YyA*MJ*n&+1X3<j>~6quEN
z@m~aEp=b2~mP+}TUP^FmkRS_PDMA{B<dV*k52^3iWFIaXBr1MC#nA4rRMbI6g1e0>
zaSy(P=$T~R!yc^Ye0*pl5xcpm_JWI;@-di+nruhqZ4gy7cq-)I&s&Bt3BkgT(Zdjf
zTvvv0)8xzntEtp4iXm}~cT+pi5k{w{(Z@l2XU9lHr4Vy~3ycA_T?V(QS{qwt?v|}k
z_ST!s;C4!jyV5)^6xC#v!o<DVtBeh%T7qnQl{H-3DV=+H*Qr*Tk6W^hU(ZD0kJnpt
z6l*<^aakgBhlA+xpS}v`t7iyV?zu_V<U{&GBzBLYIuzDQe~f#6w^zD>*uS%a-jQ6<
z)>o?z7=+zNNtIz1*F_HJ(w@=`E+T|9TqhC(g7kKDc8z~?RbKQ)LRMn7A1p*PcX2YR
zUAr{);~c7I#3Ssv<0i-Woj0&Z4a!u|@Xt2J1>N-|ED<3$o2V?OwL4oQ%$@!zLamVz
zB)K&Ik^~GOmDAa143{I4?XUk1<3-k{<%?&OID&>Ud%z*Rkt*)mko0RwC2=qFf-^OV
z=d@47?tY=A;=2VAh0mF(3x;!#X!%{|vn;U2XW{(nu5b&8kOr)Kop3-5_xnK5oO_3y
z!EaIb{r%D{7zwtGgFVri4_!yUIGwR(xEV3YWSI_+E}Gdl>TINWsIrfj+7DE?xp+5^
zlr3pM-Cbse*WGKOd3+*Qen^*uHk)+EpH-{u@i%y}Z!YSid<}~kA*IRSk|nf+I1N=2
zIKi+&ej%Al-M5`cP^XU>9A(m7G>58>o|}j0ZWbMg&x`*$B9j#Rnyo0#=BMLdo%=ks
zLa3(2EinQLXQ(3zDe7Bce%Oszu%?8PO648TNst4SMFvj=+{b%)ELyB!0`B?9R6<HO
z0ZCx8TWpL$G_aCzv{2o6N{#z3g%x>aO{i-63|s@|raSQGL~s)9R#J#duFaTSZ2M{X
z1?YuM*a!!|jP^QJ(hAisJuPOM`8Y-Hzl~%d@latwj}t&0{DNNC+zJARnuQfiN`HQ#
z?boY_2?*q;Qk)LUB)s8(Lz5elaW56p&fDH*AWAq7Zrbeq1!?FBGYHCnFgRu5y1jwD
zc|yBz+UW|X`zDsc{W~8m<GsO<mO_1`^L`RbrG?Z6Us2*=^_x$`JV{a_LYEsuJtJYL
ziPBF7dm}M2=6vrP;RB?Z6!7)Zvt4B!$rUPf{RA&_8%VD|7)NrR9*=&gO*sOzLhB*~
z^{cR)lY*pt9GGm(POd`WZo!H=s$8fLl_}-xnV5A+4*BbLUMGLAzH|i9_k(p_(`_J-
zjFFqtuzWuLa;BGl;mNUQM^&@rL--@GcC@@A*GDUdTjOrweNe5I+671K_l#WVI|@LM
z6mSs@4|l^kTD;Gvy}KaDi)#o4AD~D*LX@4{{bfG+FoqQ?-6%VkN)4{7vy<hZ9gNX|
zQxtE>$sh@VVnZD$lLnKlq@Hg^;ky!}ZuPdKNi2BI70;hrpvaA4+Q_+K)I@|)q1N-H
zrycZU`*YUW``Qi^`bDX-j7j^&bO+-Xg$cz2#i##($uyW{Nl&{DK{=lLWV<rkzZltE
zVX#Q@q!0kD+4jwZ#haJNHLSu>3|=<&si||2)l=8^8_z+Vho-#5LB0EqQ3v5U#*DF7
zxT)1j^`m+lW}p$>WSIG1eZ>L|YR-@Feu!YNWiw*IZYh03mq+2QVtQ}1ezRJM?0PA<
z;mK(J5@N8>u@<6Y$QAHWNE};rR|)U_&bv8dsnsza7{=zD1VBcxrALqnOf-qW(zzTn
zTAp|pEo#FsQ$~*$j|~Q;$Zy&Liu9OM;VF@#_&*nL!N2hH!Q6l*OeTxq!l>dEc{;Hw
zCQni{iN%jHU*C;?M-VUaXxf0FEJ_G=C8)C-wD!DvhY+qQ#FT3}Th8;GgV&AV94F`D
ztT6=w_Xm8)*)dBnDkZd~UWL|W=Gl<gto;(*wC9U9tZbpA!j<N3*HCbtKUlby_Vyr4
z!?d@=(#f`*(ud3VsGC{9IRi#5(w*FK!J}~s9(p0ap?ykZJBp1cTUR*jPbbAP&K)BP
zDUly$`B#Sn(aWroZGbyL&=Dg67A>u!$hc|1w7_7l!3MAt95oIp4Xp{M%clu&TXehO
z+L-1#{mjkpTF@?|w1P98OCky~S%@OR&o75P<Wn%&Jm$EVDF7;}E<;f25{W=vmcPFf
zmJVk81ZR1bRmlb|#0}DPdayCjq(27hQh>&ZHvC}Y=(2_{ib(-Al_7aZ^U?s34#H}=
zGfFi5%KnFVCKtdO^>Htpb07#BeCXMDO8U}crpe1Gm`>Q=6qB4i=nLoLZ%p$TY=OcP
z)r}Et-Ed??u~f09d3Nx3bS@ja!fV(Dfa5lXxRs#;8?Y8G+Qvz+iv7fiRkL3liip})
z&G0u8RdEC9c$$rdU53=<QkS9aMArWJ!P8{(D~hr9YfM2Q0nl|;=ukHlQj%<P$wYfa
z?$=heR#}yGJkpA2LI#>MH`p!Jn|DHjhOxHK$tW_pw9wCTf0Eo<){HoN=zG!!Gq4z4
z7PwGh)V<N7ESN6`*^`^Q73fj(wcMs7=5Iu(yJo@Q_F?W?yk3)SdLai+cM6GrKPrjs
za_NJm=uOAmRL5F_{*Yjb_BZNY?)kCB%$WE8;A{ZK>NPXW-cE#MtofE`-$9~nmmj}m
zlzZscQ2+Jq%gaB9rMgVJkbhup0Ggpb)&L01T=%>n7-?v@I8!Q(p&+!fd+Y^Pu9l+u
zek(_$^HYFVRRIFt@0Fp52g5Q#I`tC3li`;UtDLP*rA{-#Yoa5qp{cD)QYhldihWe+
zG~zuaqLY~$-1sjh2lkbXCX;lq+p~!2Z=76cvuQe*Fl>IFwpUBP+d^<W!tp~MwxCaj
zHBQw{tTF&?2^15<bHvmlCS|A$khwaGVZw*2lw&_pOQz;LcFj@Ysq%CZ)?t&74A|dB
z4WL~cZpG-0G^KuK)}aNOTySm-Lt#QyW&mN^>&E4BGc<j4bbw_-4Ttv5`+q&kCfaBq
z#Rl}~m+g*DG5=zM=t?z8cf%Vr>{m#l%Kuo6#{XGoRyFc%Hqhf|%nYd<;yiC>tyEyk
z4I+a<QbTvlzlVm5v2!^bF)s*0Cw+t*kzz%N#&QZ42CimT6ySz~?+nd>`(%%Ie=-*n
z-{mg=j&t12)LH3R?@-B1tEb7FLMePI1HK0`Ae@#)KcS%!Qt9p4_fmBl5zhO10n401
zBSfnfJ;?_r{%R)hh}BBNSl=$BiAKbuWrNGQUZ)+0=Mt&5!X*D@yGCSaMNY&@`;^a4
z;v=%D_!K!WXV1!3%4P-M*s%V2b#2jF2bk!)#2GLVuGKd#vNpRMyg`kstw0GQ8@^k^
zuqK5uR<>FeRZ#3{%!|4X!hh7hgirQ@Mwg%%ez8pF!N$xhMNQN((yS(F2-OfduxxKE
zxY#7O(VGfNuLv-ImAw5+h@gwn%!ER;*Q+001;W7W^waWT%@(T+5k!c3A-j)a8y11t
zx4~rSN0s$M8HEOzkcWW4YbKK9GQez2XJ|Nq?TFy;jmGbg;`m&%U4hIiarKmdTHt#l
zL=H;ZHE?fYxKQQXKnC+K!TAU}r086{4m}r()-QaFmU(qWhJlc$eas&y<Oz%^3FaFm
z1?*33BSANpZbOjV<(WE=T(DuY)_XOR{Jho+f)Z}g61HjnqKKN*8E0S?ATVoi0{#On
zGn@2R)R+{|FLX_EYm8{*=&UqzSkXCnZ)vWGS!9t02v^*;nhYk{U}PXVkPhlRc3UH{
zA-5Xc>?=H9EYQy8N$8^bni9TpD<bzO7YS=tCt}zYcl)|7!PRQIoif~D7yjeqW#(B3
zmpkmPyyRt85TQV!liLz!S@Olwr9!I#6DL45xU1kD`j8+MN!ST75vIA5J=~k_se^q#
zaC@(uVW_ra*o|Fs!(sX4Ik6k-(M%QP2;-Z@Rf=+&=pE`Dv8K9?k1Fg2pF%vW*HO>p
zkA^WRs?KgYgjxX4T6?`SMs$`s3vlut(YU~f2F+id(Rf_)$BIMibk9lACI~LA+i7xn
z%-+=DHV*0TCTJp~-|$VZ@g2vmd*|2QXV;HeTzt530KyK>v&253N1l}bP_J#UjLy4)
zBJili9#-ey8Kj(dxmW^ctorxd;te|xo)%46l%5qE-YhAjP`Cc03vT)vV&GAV%#Cgb
zX~2}uWNvh`2<*AuxuJpq>SyNtZwzuU)r@@dqC@v=Ocd(HnnzytN+M&|Qi#f4Q8D=h
ziE<3ziFW%+!yy(q{il8H44g^5{_+pH60Mx5Z*FgC_3hKxmeJ+wVuX?T#ZfOOD3E4C
zRJsj#wA@3uvwZwHKKGN{{Ag+8^cs?S4N@6(Wkd$CkoCst(Z&hp+l=ffZ?2m%%ffI3
zdV7coR`R+*dPbNx=*ivWeNJK=Iy_vKd`-_Hng{l?hmp=|T3U&epbmgXXWs9ySE|=G
zeQ|^ioL}tve<e`!rDYCFUej_ysJ2z(4AIN3g4xGaB0&Y<^`&A^@AOml<{gmBP!-y6
z!IsbSiZ8eH@;)gbXcV?N4*>N{s72_&h+F+W;G}?;?_s@h5>DX(rp#eaZ!E=NivgLI
zWykLKev+}sHH41NCRm7W>K+_qdoJ8x9o5Cf!)|qLtF7Izxk*p|fX8UqEY)_sI_45O
zL2u>x=r5xLE%s|d%MO>zU%KV6QKFiEeo12g#bhei4!Hm+`~Fo~4h|BJ)%ENxy9)Up
zOxupSf1QZWun=)gF{L0YWJ<(r0?$bPFANrmphJ>kG`&7E+RgrWQi}ZS#-CQJ*i#8j
zM_A0?w@4Mq@xvk^>QSvEU|VYQoVI=TaOrsLTa`RZfe8{9F~mM{L+C`9YP9?Okn<Y+
zQ`?h`EW57j4Qxm_DjacY`kEKG93n7#6{CBssPbH&1L2KSo|Htm*KD+0p<wD8e>Lw|
zmkvz>cS6`pF0FYeLdY%>u&XpPj5$*iYkj=m7wMzHqzZ5SG~$i_^f@QEPEC+<2nf-{
zE7W+n%)q$!5@2pBuXMxhUSi*%F>e_g!$T-_`ovjBh(3jK9Q^~OR{)}!0}vdTE^M+m
z9QWsA?xG>EW;U~5gEuKR)Ubfi&YWnXV;3H6Zt^NE725*`;lpSK4HS1sN?{~9a4JkD
z%}23oAovytUKfRN87XTH2c=kq1)O<qRzRUy={bH%*8V=pA##jg=-EE6(Lotu<IYEm
zZ71>5(fH_M3M-o{{@&~KD`~TRot-gqg7Q2U2o-iiF}K>m?CokhmO<lc^{s0_OssMw
zc*3nzZ5WN~$;I6TzaKlN9W+6*SX5vHzSUyIfdtNx5K}gB*a}Ei-T%?Pusx0i{k6zW
zVCCXrjNT1#YIkZ%s$(OfAJ`FBR*66B?{y$nkK6iXlBVVr@2#yGM6%0i_(U5#>DaLB
z1p6(6JYGntNOg(s!(>ZU&lzDf+Ur)^Lirm%*}Z>T)9)fAZ9>k(kvnM;ab$ptA=hoh
zVgsVaveXbMpm{|4*d<0>?l_JUFOO8A3xNLQOh%nVXjYI6X8h?a@6kDe5-m&;M0xqx
z+1U$s>(P9P)f0!{z%M@E7|9nn#IWgEx6A6JNJ(7dk`%6$3@!C!l;JK-p2?gg+W|d-
ziEzgk$w7k48NMqg$CM*4O~Abj3+_yUKTyK1p6GDsGEs;}=E_q>^LI-~pym$qhXPJf
z2`!PJDp4l(TTm#|n@bN!j;-FFOM__eLl!6{*}z=)UAcGYloj?bv!-XY1TA6Xz;82J
zLRaF{8ayzGa|}c--}|^xh)xgX>6R(sZD|Z|qX50gu=d`gEwHqC@WYU7{%<5VOnf9+
zB<I4+b1=sZ53G|-kvYcPViY)E5R#f6q2$x?f020VY)3|@p~2oGrySSwa~uPN4nC&g
zX!I>@FX?|UL%`8EIAe!*UdYl|6wRz6Y>(#8x92$#y}wMeE|ZM2X*c}dKJ^4NIf;Fm
zNwzq%QcO?$NR-7`su!*$dlIKo2y(N;qgH@1|8QNo$0wbyyJ2^}$iZ>M{BhBjTdMjK
z>gPEzgX4;g3$rU?jvDeOq`X=>)zdt|jk1Lv3u~bjHI=EGLfIR&+K3ldcc4D&Um&04
z3^F*}WaxR(ZyaB>DlmF_UP@+Q*h$&nsOB#gwLt{1#F4i-{A5J@`>B9@{^i?g_Ce&O
z<<}_We-RUFU&&MHa1#t56u<quT+%|#XvIpRJ?co{{tU0{tvlHG=;UJAM%ZgS1Wk*<
zbzK}T;?L5YLE4NLu9J0u#X!J<y<O?uV#gKBNVOZ@7SW<kFyslWRX@_C90;+zxGfEz
zb5V;-W-;gzJ|=>_oM(Ljn7djja!T|gcxSoR=)@?owC*NkDarpBj=W4}=i1@)@L|C)
zQKA+o<(pMVp*Su(`zBC0l1yTa$MRfQ#uby|$mlOM<xEsq_18&vqMDMD7Zoz%Fkm7A
z3)Py9=vTp8h$K)n9Uvzc$sVOT&zol^a%bZk8R4Y8^rZSJmY_uRt<`DC1F!?x#33tZ
ze&XW>s=G`4J|?apMzKei%jZql#gP@IkOaOjB7MJM=@1j(&!jNnyVkn5;4lvro1!vq
ztXiV8HYj5%)r1PPpIOj)f!><jg)vV+x8*ZL<Q!-CP7F3VXp#~OA}`YkX&1&s!htsT
z^$c2`mPAtTVX<qUk`r6!8Vb=Uc23%M)2;P#-xg0%R+ozayS`Bp$+go_wMt83+CODc
z2B}|cG;*tiKwHPYIq{X<`rJQAk*7&QC@O%H3Z553ow$9gREC4~b(*v-N%(bN;Y@mL
zsmAcMVly_+3OO{6?K&3Aei;$vMv!82h}`Bdn#~L=J)xK(4o*51?I7`(&5m9X))pa;
zLPfmH5<-xa-W%$*L{V<;N$-)VdNT!&jA&vHrEgBjjo5UU0If7Vhz3vkcHNAY5aT+C
zc5euR<}4<-qaBP_Zef)X2|HW=07DGXb>pc^3#LvfZ(hz}C@-3R(Cx7R427*Fwd!XO
z4~j&IkPHcBm0h_|iG;ZNrYdJ4HI!$rSyo&sibmwIgm1|J#g6%>=ML1r!kcEhm(XY&
zD@mIJt;!O%WP7CE&wwE3?1-dt;RTHdm~LvP7K`ccWXkZ0kfFa2S;wGtx_a}S2lslw
z$<4^Jg-n#Ypc(3t2N67Juasu=h)j&UNTPNDil4MQMTlnI81kY46uMH5B^U{~nmc6+
z9>(lGhhvRK9ITfpAD!XQ&BPphL3p8B4PVBN0NF6U49;ZA0Tr75AgGw7(S=Yio+xg_
zepZ*?V#KD;sHH+15ix&yCs0eSB-Z%D%uujlXvT#V$Rz@$+w!u#3GIo*AwMI#Bm^oO
zLr1e}k5W~G0xaO!C%Mb{sarxWZ4%Dn9vG`KHmPC9GWZwOOm11XJp#o0-P-${3m4g(
z6~)X9FXw%Xm~&99tj>a-ri})ZcnsfJtc10F@t9xF5vq6E)X!iUXHq-ohlO`gQdS&k
zZl})3k||u)!_=nNlvMbz%AuIr89l#I$;rG}qvDGiK?xTd5HzMQkw*p$YvFLGyQM!J
zNC^gD!kP{A84nGosi~@MLKqWQNacfs7O$dkZtm4-BZ~iA8xWZPkTK!Hp<LTap+x4*
zUK;Ha0;Jc=$HCCwcHw+aadnOZR281fO)q}D^z9=|qH9;-;e${xK|?9elJ8=LaM<65
zE6;>A5zr!9Z&+icfAJ1)NWkTd!-9`NWU>9uXXUr;`Js#NbKFgrNhTcY4GNv*71}}T
zFJh?>=EcbUd2<|fiL+H=wMw8hbX6?+_cl4XnCB#ddwdG><R|vBc*yG=?!<`t>bki*
zt*&6Dy&EIPluL@A3_;R%)shA-tDQA1!Tw4ffBRyy;2n)vm_JV06(4O<t|JggQ(KZT
zsYO62-6u^^mX>r&QAOKNZB5f(MVC}&_!B>098R{Simr!UG}?CW1Ah+X+0#~0`X)od
zLYablwmFxN21L))!_zc`IfzWi<Gu||u|EiUx`=l}NMzvxMP68pmmwjICH*y4{3)P@
z%y44Q*AVc4<$z9@nMeRAeVJ+>`5>MxPe(Dm<mb5oz44!o-XIzF2v`EK`q7j%sCMv2
zL>jjO1}HHt7TJtAW+VXHt!aKZk>y6PoMsbDXRJnov;D~Ur~2R_7(Xr)aa%wJwZh<i
zvMmaF%EvU)a6S{Gh%whrx@S36i|iv5oL=QhR4YK<CK74@mwN~dH00RX{_e6r+#l%j
z7OK<7e3kn;@H(@8>S3gr7IGgt%@;`jpL@gyc6bGCVx!9CE7NgIbUNZ!Ur1RHror0~
zr(j$^yM4j`#c2KxSP61;(Tk^pe7b~}LWj~SZC=MEpdKf;B@on9=?_n|R|0q;Y*1_@
z>nGq>)&q!;u-8H)WCwtL<LrD$x{Fa((5#4K!l=^|krt6e2?!PZN=Rmwt*1$d&$Q{J
zCgeI0rGg+wn3iR*eck$cFmbQ~E3GYxr&dJb(4{lgPt?n#^<GT#&j{om5`|wE6bW}}
ze{Pav1oDZnak%Fz$PD1ZH8xBo#FnqUG6u>&7F4vbnnfSAlK1mwnRq2&gZrEr!b1MA
z(3%vAbh3aU-IX`d7b@q`-WiT6eitu}ZH9x#d&qx}?CtDuAXak%5<-P!{a`V=$|XmJ
zUn@4lX6#ulB@a=&-9HG)a>KkH=jE7>&S&N~0X0zD=Q=t|7w;kuh#cU=NN7gBGbQTT
z;?<kJaO{>bdSt8V&IIi}<ThZP?O{MP;s77svl-cIdCj)d-BZGJap1Ull?cz;BdUt4
zMAS0={#2iyI>sDTzA0dkU}Z-Qvg;RDe8v>468p3*&hbG<I%;HTx8<Z&Ih@Xrl%AO4
zEZ252P#-|8MJE+L5IXho^0!PtBR61%3tAJ8RP$~a8%~<+5(4Lyh@;kvSLVbDc4PRn
z?4(9&{Rpo>T1I3hi9hh~Z(!H}{+>eUyF)H&gdrX=k$aB%J6I<Mis<6rrEG;E4zw&M
zYsQ6$FFc_^cwkYGT9ds?4^G_w2+$2L@}W#bXUf0JW}7J?EgbIp`jFFailmTZXuEyM
z?LcqfTM!s>;6+^^kn1mL+E+?A!A}@xV(Qa@M%HD5C@+-4Mb4lI=Xp=@9+^x+jhtOc
zYgF2aVa(uSR*n(O)e6tf3JEg2xs#dJfhEmi1iOmDYWk|wXNHU?g23^IGKB&yHnsm7
zm_+;p?YpA#N*7vXCkeN2LTNG`{QDa#U3fcFz7SB)83=<8rF)|udrEbrZL$o6W?oDR
zQx!178Ih9B#D9Ko$H(jD{4MME&<|6%MPu|TfOc#E0B}!j^MMpV69D#h2`vsEQ{(?c
zJ3Lh!3&=yS5fWL~;1wCZ?)%nmK`Eqgcu)O6rD^3%ijcxL50^z?OI(LaVDvfL0#zjZ
z2?cPvC$QCzpxpt5jMFp05OxhK0F!Q<m=7hVYzR||ecS~Bi9y8}>`rPhDi5)y=-0C}
zIM~ku&S@pl1&0=jl+rlS<4`riV~LC-#pqNde@44MB(j%)On$0Ko(@q?4`1?4149Z_
zZi!5aU@2vM$dHR6WSZpj+VboK+>u-CbNi7*lw4K^ZxxM#24_Yc`<w`lM<_9<AjZra
zPf9|W$q@ib+eT6)aN(T>jvb9NPVi75L+MlM^U~`;a7`4H0L|TYK>%hfEfXLsu1JGM
zbh|8{wuc7ucV+`Ys1kqxsj`dajwyM;^X^`)#<+a~$WFy8b2t_RS{8yNYKKlnv+>vB
zX(QTf$kqrJ;%I@EwEs{cIcH@Z3|#^S@M+5jsP<^`@8^I4_8MlBb`~cE^n+{{;qW2q
z=p1=&+fUo%T{GhVX@;56kH8K_%?X=;$OTYqW1L*)hzelm^$*?_K;9JyIWhsn4SK(|
zSmXLTUE8VQX{se#8#Rj*lz`xHtT<61V~fb;WZUpu(M)f#<N`ZtP}(nwt@v*JXMv*g
zTjkPmLef!CJNB3?7*>;I+2_zR+)y5Jv?l`CxAinx|EY!`IJ*x9_gf_k&Gx2alL!hK
zUWj1T_pk|?iv}4EP#PZvYD_-LpzU!NfcL<ZIyO_4myXe0OU}<Cprr_|XIrM73FXg`
zNRt~K9+=_-Laa5&Rt6kJaobEvjFnh>L%fK&r$W8O1KH9c2&GV~N#T$kaXGvAOl)|T
zuF9%6(i=Y3q?X%VK-D2YIY<MPA*$`<$Z)_O$(a?^Bnjd_-qk6atAX5(s0D1W1}`G9
zl)%h^mai+5Kwy1+I$Zaauh0oNm3mQUQ=`8aEAo=0zrm72grj|c8&W!-^+^6zMgm-+
zSpJe{_P`h~;t1=21VLIQ5n~@Q5Y=~VMN|L<mJfGW44?>FPH3f|g$TrXW->&^Ab`WT
z7>Oo!u1u40?jAJ8H<j_H`^tLy@LZ5-N)dU$=t?bXuTI1>y`bv}qb<AzbCJ<X7c~}%
z50@S(*;X)_P8TrUWZGQQn`AI#Eve&0+FNaAqg<m^ZNYdEveME+t5Q5DV5-rT<{g7@
zG+rSFooLii=nDW~qWOU#YzUJee#V*XI!cGhpz&<{SF!$pIm@`rT3A99J?qG9DPU@z
z9jawkO0(cqfU^RIM<K3r*yl0SKgPT>gs8)cF0&qeVjD?e+3Ggn1Im>K77ZSpbU*08
zfZkIFcv?y)!*B{|>nx@cE{KoutP+seQU?bCGE`tS0GKUO3PN~t=2u7q_6$l;uw^4c
zVu^f{uaqsZ{*a-N?2B8ngrLS8<WR!m{e>E&s6}Xtv9rR9C^b`@q8*iH)pFz<!x=AK
zf6E-O(MiUN4a^nRWR%`TBl@CGu2cFmmpRkBUAPvyvw&qDg1_6Y)ycUoITv4yV(Mk5
z=Dtmg6tsakVjdG2BV~=LD3YcTEr=j6ou|^*Qem;+#vOz?`MQ>f1|kCfiLw6u{Z%aC
z!X^5CzF6qofFJgkl<Rtc72CagCpKF^gmhb1CH>JV3oc|Qc2XdFl+y5M9*P8}A>Kh{
zWRgRwMSZ(?Jw;m%0etU5BsWT-Dj-5F;Q$OQJrQd+lv`i6>MhVo^p*^w6{~=fhe|bN
z*37oV0kji)4an^%3ABbg5RC;CS50@PV5_hKfXjYx+(DqQdKC^JIEMo6X66$qDdLRc
z!YJPSKnbY`#Ht6`g@xGzJmKzz<St<)P9XB^ZWQT2VtTE^8HdQx8o;%`J{lUpkn0!&
z^d*IdfCW?sDnD#zV!vee5Xd}&#I@u4z;`)LVXVayyf`~NUMeM>n|abYbP+_Q(v?~~
z96%cd{E0BCsH^0HaWt{y(Cuto4VE7jhB1Z??#UaU(*R&Eo+J`UN+8mcb51F|I|n*J
zJCZ3R*OdyeS9hWkc_mA7-br>3Tw=CX2bl(=TpVt#WP8Bg^vE_9bP&6ccAf3lFMgr`
z{3=h@?Ftb$RTe&@IQtiJf<Z$(x)W;Yibdk0Eou)O=h)|ox2XJhbM7gDjm$)%o0c)W
z!;CM_%5jr$Dk{vl7{DX~*^!MCEDILf;SGbcLK^kRyl}+&4r>V;O&4fzh)e1>7seG;
z=%mA4@c7{aXeJnhEg2J@Bm;=)j=O=cl#^NNkQ<{r;Bm|8Hg}bJ-S^g4`|itx)~!LN
zXtL}?f1Hs6UQ+f0-X6&TBCW=A4>bU0{rv8C4T!(wD-h>VCK4YJk`6C9$by!fxOYw-
zV#n+0{E(0ttq<e;u-JNg<=7mR)Baf(#XbsMPDR?mv12UXo+AuGM*TW4&Dbw3MHmyv
zzQ)3g$Jc}F5k_3<jP&G5r+akl<UzYyi9?xB4hK@h8+B`?3~Bn5^eKgTbZcatPPir(
zn|7xaL9v;L3{V1l&DQSp%TOnp^O8OS$m-yD0^r7mU@qJQ<RvUSI@G_}IuDMi8mq0p
z?O{gor*9fmQL7Mrb|ducn%AQOk@nhAYv{%&-E+j$)7Bpd*!L2Cg%7pf&3ZLxA5Fwj
z%8~}*Sw2G<h3E&$jhO(1=)P&U%mN)4Rk5JcPDUdUN*FM8j0Mg^@Z|6~Ym*2e3TCV6
z?5B1NxqE*aMe#2m&+Fz%OG!n`J`B2Ww|QiS6U=1^3d+6`ls$U%hB`nu)=J>_#16B}
ze8$E#X9o{B!0vbq#WUwmv5Xz6{(!^~+}sBW{xctdNHL4^vDk!0E}(g|W_q;jR|ZK<
z8w>H-8G{%R#%f!E7cO_^B?yFRKLOH)RT9GJsb+kAKq~}WIF)NRLwKZ^Q;>!2MNa|}
z-mh?=B;*&D{Nd-mQRcfVnHkChI=DRHU4ga%xJ%+QkBd|-d9uRI76@BT(bjsjwS+r)
zvx=lGNLv1?SzZ;P)Gnn>04fO7Culg*?LmbEF0fATG8S@)oJ>NT3pYAXa*vX!eUTDF
ziBrp(QyDqr0ZMTr?4uG_Nqs6f%S0g?h`1vO5fo=5S&u#wI2d4+3hWiolEU!=3_oFo
zfie<EEFWI+<HRR}kMBRY{{xT?Ubu+n1E+3-XyZ@DlC1|CziB+t8LH;pSr1_{$txb2
z{LD6Cutu@sVLZ$sgxfHzi88%ifnz%FWxPwItQ=UFSeRQ?XX#H8uXPtSY1Da8V^-Nz
zx}G&3QUOW&pFuYAPt>?+4W#`;1dd#X@g9Yj<53S<6OB!TM8w8})7k-$&q5(smc%;r
z(BlXkTp`C47+%4JA{2X}MIaPbVF!35P#p;u7+fR*46{T+LR8+<Ms(<(ewo92Plp}^
z0K5%%0PpyoHDM$82Vjt^Jp>j25oduCfDzDv6R-hU{TVVo9fz?^N3ShMt!t0NsH)pB
zRK8-S{Dn*y3b|k^*?_B70<2gHt==l7c&cT>r`C#{S}J2;s#d{M)ncW(#Y$C*lByLQ
z&?+{dR7*gpdT~(1;<m}fXp@S^XBCFbD&Le<rzooSQB^d8r#S^ok_xS36-~w}kc?Ej
z7^zYrQY=EF$c06)iin^U556ixd{lb)^l<R>M(FfF==3z`^eW)=5a9RqvF-)2?S-(G
zhS;p(u~_qBum*q}On@$#08}ynd0+spzyVco0%G6;<-i5&016cV5UKzhQ~)fX03|>L
z8ej+HzzgVr6_5ZUpa4HW0Ca!=r1%*}Oo;2no&Zz8DfR)L!@r<<lmB!F&$32&71xdc
zAQ}KMGyqI!0F2N8;eY{y00CwIf0+QV$OUD<C@ujha0p9)KwJUh;0%`lShxaZKm`>5
z2viSZpmvo5XqXyAz{Ms7`7kX>fnr1gi4X~7KpznRT0{Xc5Cfz@43PjBMBoH@z_{~(
z(Wd}IPJ9hH+%)Fc)0!hrV+(A;76rhtI|YHbEDeERV~Ya>SQg^IvlazFkSK(KG9&{q
zkPIR~EeQaaBmwA<20}m<i2yt#0ML*D!NB+q2RLvyLxH9o41nNb1p??O7J)#e3I!NY
z1wlX)g#bnj0Jty$0KoMI0Cb7`0i50h9gE~g7Om;jPg0kO>BO?)N$(z1@p)5?%}rM|
zGF()~Z&Kx@OIDRI$d0T8;JX@vj3^2%pd_+@l9~a4lntZ;AvUIjqIZbuNTR6@hNJoV
zk4F;ut)LN4ARuyn2M6F~eg-e#UH%2P;8uPGFW^vq1vj8mdIayFOZo(tphk8C7hpT~
z1Fv8?b_LNR3QD9J+!v=p%}#<WkmT3SAH~zHvL~<r009F5U;qFWp(o;x5Q1O?TufB{
c@Yw=E7;q9obAc&xg(1}n;wTCO(gbOOU|30r`2YX_

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.svg b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.svg
new file mode 100644
index 0000000000..94fb5490a2
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.svg
@@ -0,0 +1,288 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >
+<svg xmlns="http://www.w3.org/2000/svg">
+<metadata></metadata>
+<defs>
+<font id="glyphicons_halflingsregular" horiz-adv-x="1200" >
+<font-face units-per-em="1200" ascent="960" descent="-240" />
+<missing-glyph horiz-adv-x="500" />
+<glyph horiz-adv-x="0" />
+<glyph horiz-adv-x="400" />
+<glyph unicode=" " />
+<glyph unicode="*" d="M600 1100q15 0 34 -1.5t30 -3.5l11 -1q10 -2 17.5 -10.5t7.5 -18.5v-224l158 158q7 7 18 8t19 -6l106 -106q7 -8 6 -19t-8 -18l-158 -158h224q10 0 18.5 -7.5t10.5 -17.5q6 -41 6 -75q0 -15 -1.5 -34t-3.5 -30l-1 -11q-2 -10 -10.5 -17.5t-18.5 -7.5h-224l158 -158 q7 -7 8 -18t-6 -19l-106 -106q-8 -7 -19 -6t-18 8l-158 158v-224q0 -10 -7.5 -18.5t-17.5 -10.5q-41 -6 -75 -6q-15 0 -34 1.5t-30 3.5l-11 1q-10 2 -17.5 10.5t-7.5 18.5v224l-158 -158q-7 -7 -18 -8t-19 6l-106 106q-7 8 -6 19t8 18l158 158h-224q-10 0 -18.5 7.5 t-10.5 17.5q-6 41 -6 75q0 15 1.5 34t3.5 30l1 11q2 10 10.5 17.5t18.5 7.5h224l-158 158q-7 7 -8 18t6 19l106 106q8 7 19 6t18 -8l158 -158v224q0 10 7.5 18.5t17.5 10.5q41 6 75 6z" />
+<glyph unicode="+" d="M450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-350h350q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-350v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v350h-350q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5 h350v350q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xa0;" />
+<glyph unicode="&#xa5;" d="M825 1100h250q10 0 12.5 -5t-5.5 -13l-364 -364q-6 -6 -11 -18h268q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-100h275q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-125v-174q0 -11 -7.5 -18.5t-18.5 -7.5h-148q-11 0 -18.5 7.5t-7.5 18.5v174 h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h125v100h-275q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h118q-5 12 -11 18l-364 364q-8 8 -5.5 13t12.5 5h250q25 0 43 -18l164 -164q8 -8 18 -8t18 8l164 164q18 18 43 18z" />
+<glyph unicode="&#x2000;" horiz-adv-x="650" />
+<glyph unicode="&#x2001;" horiz-adv-x="1300" />
+<glyph unicode="&#x2002;" horiz-adv-x="650" />
+<glyph unicode="&#x2003;" horiz-adv-x="1300" />
+<glyph unicode="&#x2004;" horiz-adv-x="433" />
+<glyph unicode="&#x2005;" horiz-adv-x="325" />
+<glyph unicode="&#x2006;" horiz-adv-x="216" />
+<glyph unicode="&#x2007;" horiz-adv-x="216" />
+<glyph unicode="&#x2008;" horiz-adv-x="162" />
+<glyph unicode="&#x2009;" horiz-adv-x="260" />
+<glyph unicode="&#x200a;" horiz-adv-x="72" />
+<glyph unicode="&#x202f;" horiz-adv-x="260" />
+<glyph unicode="&#x205f;" horiz-adv-x="325" />
+<glyph unicode="&#x20ac;" d="M744 1198q242 0 354 -189q60 -104 66 -209h-181q0 45 -17.5 82.5t-43.5 61.5t-58 40.5t-60.5 24t-51.5 7.5q-19 0 -40.5 -5.5t-49.5 -20.5t-53 -38t-49 -62.5t-39 -89.5h379l-100 -100h-300q-6 -50 -6 -100h406l-100 -100h-300q9 -74 33 -132t52.5 -91t61.5 -54.5t59 -29 t47 -7.5q22 0 50.5 7.5t60.5 24.5t58 41t43.5 61t17.5 80h174q-30 -171 -128 -278q-107 -117 -274 -117q-206 0 -324 158q-36 48 -69 133t-45 204h-217l100 100h112q1 47 6 100h-218l100 100h134q20 87 51 153.5t62 103.5q117 141 297 141z" />
+<glyph unicode="&#x20bd;" d="M428 1200h350q67 0 120 -13t86 -31t57 -49.5t35 -56.5t17 -64.5t6.5 -60.5t0.5 -57v-16.5v-16.5q0 -36 -0.5 -57t-6.5 -61t-17 -65t-35 -57t-57 -50.5t-86 -31.5t-120 -13h-178l-2 -100h288q10 0 13 -6t-3 -14l-120 -160q-6 -8 -18 -14t-22 -6h-138v-175q0 -11 -5.5 -18 t-15.5 -7h-149q-10 0 -17.5 7.5t-7.5 17.5v175h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v100h-267q-10 0 -13 6t3 14l120 160q6 8 18 14t22 6h117v475q0 10 7.5 17.5t17.5 7.5zM600 1000v-300h203q64 0 86.5 33t22.5 119q0 84 -22.5 116t-86.5 32h-203z" />
+<glyph unicode="&#x2212;" d="M250 700h800q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#x231b;" d="M1000 1200v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-50v-100q0 -91 -49.5 -165.5t-130.5 -109.5q81 -35 130.5 -109.5t49.5 -165.5v-150h50q21 0 35.5 -14.5t14.5 -35.5v-150h-800v150q0 21 14.5 35.5t35.5 14.5h50v150q0 91 49.5 165.5t130.5 109.5q-81 35 -130.5 109.5 t-49.5 165.5v100h-50q-21 0 -35.5 14.5t-14.5 35.5v150h800zM400 1000v-100q0 -60 32.5 -109.5t87.5 -73.5q28 -12 44 -37t16 -55t-16 -55t-44 -37q-55 -24 -87.5 -73.5t-32.5 -109.5v-150h400v150q0 60 -32.5 109.5t-87.5 73.5q-28 12 -44 37t-16 55t16 55t44 37 q55 24 87.5 73.5t32.5 109.5v100h-400z" />
+<glyph unicode="&#x25fc;" horiz-adv-x="500" d="M0 0z" />
+<glyph unicode="&#x2601;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -206.5q0 -121 -85 -207.5t-205 -86.5h-750q-79 0 -135.5 57t-56.5 137q0 69 42.5 122.5t108.5 67.5q-2 12 -2 37q0 153 108 260.5t260 107.5z" />
+<glyph unicode="&#x26fa;" d="M774 1193.5q16 -9.5 20.5 -27t-5.5 -33.5l-136 -187l467 -746h30q20 0 35 -18.5t15 -39.5v-42h-1200v42q0 21 15 39.5t35 18.5h30l468 746l-135 183q-10 16 -5.5 34t20.5 28t34 5.5t28 -20.5l111 -148l112 150q9 16 27 20.5t34 -5zM600 200h377l-182 112l-195 534v-646z " />
+<glyph unicode="&#x2709;" d="M25 1100h1150q10 0 12.5 -5t-5.5 -13l-564 -567q-8 -8 -18 -8t-18 8l-564 567q-8 8 -5.5 13t12.5 5zM18 882l264 -264q8 -8 8 -18t-8 -18l-264 -264q-8 -8 -13 -5.5t-5 12.5v550q0 10 5 12.5t13 -5.5zM918 618l264 264q8 8 13 5.5t5 -12.5v-550q0 -10 -5 -12.5t-13 5.5 l-264 264q-8 8 -8 18t8 18zM818 482l364 -364q8 -8 5.5 -13t-12.5 -5h-1150q-10 0 -12.5 5t5.5 13l364 364q8 8 18 8t18 -8l164 -164q8 -8 18 -8t18 8l164 164q8 8 18 8t18 -8z" />
+<glyph unicode="&#x270f;" d="M1011 1210q19 0 33 -13l153 -153q13 -14 13 -33t-13 -33l-99 -92l-214 214l95 96q13 14 32 14zM1013 800l-615 -614l-214 214l614 614zM317 96l-333 -112l110 335z" />
+<glyph unicode="&#xe001;" d="M700 650v-550h250q21 0 35.5 -14.5t14.5 -35.5v-50h-800v50q0 21 14.5 35.5t35.5 14.5h250v550l-500 550h1200z" />
+<glyph unicode="&#xe002;" d="M368 1017l645 163q39 15 63 0t24 -49v-831q0 -55 -41.5 -95.5t-111.5 -63.5q-79 -25 -147 -4.5t-86 75t25.5 111.5t122.5 82q72 24 138 8v521l-600 -155v-606q0 -42 -44 -90t-109 -69q-79 -26 -147 -5.5t-86 75.5t25.5 111.5t122.5 82.5q72 24 138 7v639q0 38 14.5 59 t53.5 34z" />
+<glyph unicode="&#xe003;" d="M500 1191q100 0 191 -39t156.5 -104.5t104.5 -156.5t39 -191l-1 -2l1 -5q0 -141 -78 -262l275 -274q23 -26 22.5 -44.5t-22.5 -42.5l-59 -58q-26 -20 -46.5 -20t-39.5 20l-275 274q-119 -77 -261 -77l-5 1l-2 -1q-100 0 -191 39t-156.5 104.5t-104.5 156.5t-39 191 t39 191t104.5 156.5t156.5 104.5t191 39zM500 1022q-88 0 -162 -43t-117 -117t-43 -162t43 -162t117 -117t162 -43t162 43t117 117t43 162t-43 162t-117 117t-162 43z" />
+<glyph unicode="&#xe005;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104z" />
+<glyph unicode="&#xe006;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429z" />
+<glyph unicode="&#xe007;" d="M407 800l131 353q7 19 17.5 19t17.5 -19l129 -353h421q21 0 24 -8.5t-14 -20.5l-342 -249l130 -401q7 -20 -0.5 -25.5t-24.5 6.5l-343 246l-342 -247q-17 -12 -24.5 -6.5t-0.5 25.5l130 400l-347 251q-17 12 -14 20.5t23 8.5h429zM477 700h-240l197 -142l-74 -226 l193 139l195 -140l-74 229l192 140h-234l-78 211z" />
+<glyph unicode="&#xe008;" d="M600 1200q124 0 212 -88t88 -212v-250q0 -46 -31 -98t-69 -52v-75q0 -10 6 -21.5t15 -17.5l358 -230q9 -5 15 -16.5t6 -21.5v-93q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v93q0 10 6 21.5t15 16.5l358 230q9 6 15 17.5t6 21.5v75q-38 0 -69 52 t-31 98v250q0 124 88 212t212 88z" />
+<glyph unicode="&#xe009;" d="M25 1100h1150q10 0 17.5 -7.5t7.5 -17.5v-1050q0 -10 -7.5 -17.5t-17.5 -7.5h-1150q-10 0 -17.5 7.5t-7.5 17.5v1050q0 10 7.5 17.5t17.5 7.5zM100 1000v-100h100v100h-100zM875 1000h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5t17.5 -7.5h550 q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM1000 1000v-100h100v100h-100zM100 800v-100h100v100h-100zM1000 800v-100h100v100h-100zM100 600v-100h100v100h-100zM1000 600v-100h100v100h-100zM875 500h-550q-10 0 -17.5 -7.5t-7.5 -17.5v-350q0 -10 7.5 -17.5 t17.5 -7.5h550q10 0 17.5 7.5t7.5 17.5v350q0 10 -7.5 17.5t-17.5 7.5zM100 400v-100h100v100h-100zM1000 400v-100h100v100h-100zM100 200v-100h100v100h-100zM1000 200v-100h100v100h-100z" />
+<glyph unicode="&#xe010;" d="M50 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM50 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM650 500h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe011;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM850 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 700h200q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h200 q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM850 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5 t35.5 14.5z" />
+<glyph unicode="&#xe012;" d="M50 1100h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 1100h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200 q0 21 14.5 35.5t35.5 14.5zM50 700h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 700h700q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-700 q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM50 300h200q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5zM450 300h700q21 0 35.5 -14.5t14.5 -35.5v-200 q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe013;" d="M465 477l571 571q8 8 18 8t17 -8l177 -177q8 -7 8 -17t-8 -18l-783 -784q-7 -8 -17.5 -8t-17.5 8l-384 384q-8 8 -8 18t8 17l177 177q7 8 17 8t18 -8l171 -171q7 -7 18 -7t18 7z" />
+<glyph unicode="&#xe014;" d="M904 1083l178 -179q8 -8 8 -18.5t-8 -17.5l-267 -268l267 -268q8 -7 8 -17.5t-8 -18.5l-178 -178q-8 -8 -18.5 -8t-17.5 8l-268 267l-268 -267q-7 -8 -17.5 -8t-18.5 8l-178 178q-8 8 -8 18.5t8 17.5l267 268l-267 268q-8 7 -8 17.5t8 18.5l178 178q8 8 18.5 8t17.5 -8 l268 -267l268 268q7 7 17.5 7t18.5 -7z" />
+<glyph unicode="&#xe015;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM425 900h150q10 0 17.5 -7.5t7.5 -17.5v-75h75q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5 t-17.5 -7.5h-75v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-75q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v75q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe016;" d="M507 1177q98 0 187.5 -38.5t154.5 -103.5t103.5 -154.5t38.5 -187.5q0 -141 -78 -262l300 -299q8 -8 8 -18.5t-8 -18.5l-109 -108q-7 -8 -17.5 -8t-18.5 8l-300 299q-119 -77 -261 -77q-98 0 -188 38.5t-154.5 103t-103 154.5t-38.5 188t38.5 187.5t103 154.5 t154.5 103.5t188 38.5zM506.5 1023q-89.5 0 -165.5 -44t-120 -120.5t-44 -166t44 -165.5t120 -120t165.5 -44t166 44t120.5 120t44 165.5t-44 166t-120.5 120.5t-166 44zM325 800h350q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-350q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe017;" d="M550 1200h100q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM800 975v166q167 -62 272 -209.5t105 -331.5q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5 t-184.5 123t-123 184.5t-45.5 224q0 184 105 331.5t272 209.5v-166q-103 -55 -165 -155t-62 -220q0 -116 57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5q0 120 -62 220t-165 155z" />
+<glyph unicode="&#xe018;" d="M1025 1200h150q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM725 800h150q10 0 17.5 -7.5t7.5 -17.5v-750q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v750 q0 10 7.5 17.5t17.5 7.5zM425 500h150q10 0 17.5 -7.5t7.5 -17.5v-450q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v450q0 10 7.5 17.5t17.5 7.5zM125 300h150q10 0 17.5 -7.5t7.5 -17.5v-250q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5 v250q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe019;" d="M600 1174q33 0 74 -5l38 -152l5 -1q49 -14 94 -39l5 -2l134 80q61 -48 104 -105l-80 -134l3 -5q25 -44 39 -93l1 -6l152 -38q5 -43 5 -73q0 -34 -5 -74l-152 -38l-1 -6q-15 -49 -39 -93l-3 -5l80 -134q-48 -61 -104 -105l-134 81l-5 -3q-44 -25 -94 -39l-5 -2l-38 -151 q-43 -5 -74 -5q-33 0 -74 5l-38 151l-5 2q-49 14 -94 39l-5 3l-134 -81q-60 48 -104 105l80 134l-3 5q-25 45 -38 93l-2 6l-151 38q-6 42 -6 74q0 33 6 73l151 38l2 6q13 48 38 93l3 5l-80 134q47 61 105 105l133 -80l5 2q45 25 94 39l5 1l38 152q43 5 74 5zM600 815 q-89 0 -152 -63t-63 -151.5t63 -151.5t152 -63t152 63t63 151.5t-63 151.5t-152 63z" />
+<glyph unicode="&#xe020;" d="M500 1300h300q41 0 70.5 -29.5t29.5 -70.5v-100h275q10 0 17.5 -7.5t7.5 -17.5v-75h-1100v75q0 10 7.5 17.5t17.5 7.5h275v100q0 41 29.5 70.5t70.5 29.5zM500 1200v-100h300v100h-300zM1100 900v-800q0 -41 -29.5 -70.5t-70.5 -29.5h-700q-41 0 -70.5 29.5t-29.5 70.5 v800h900zM300 800v-700h100v700h-100zM500 800v-700h100v700h-100zM700 800v-700h100v700h-100zM900 800v-700h100v700h-100z" />
+<glyph unicode="&#xe021;" d="M18 618l620 608q8 7 18.5 7t17.5 -7l608 -608q8 -8 5.5 -13t-12.5 -5h-175v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v375h-300v-375q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v575h-175q-10 0 -12.5 5t5.5 13z" />
+<glyph unicode="&#xe022;" d="M600 1200v-400q0 -41 29.5 -70.5t70.5 -29.5h300v-650q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5h450zM1000 800h-250q-21 0 -35.5 14.5t-14.5 35.5v250z" />
+<glyph unicode="&#xe023;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h50q10 0 17.5 -7.5t7.5 -17.5v-275h175q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe024;" d="M1300 0h-538l-41 400h-242l-41 -400h-538l431 1200h209l-21 -300h162l-20 300h208zM515 800l-27 -300h224l-27 300h-170z" />
+<glyph unicode="&#xe025;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-450h191q20 0 25.5 -11.5t-7.5 -27.5l-327 -400q-13 -16 -32 -16t-32 16l-327 400q-13 16 -7.5 27.5t25.5 11.5h191v450q0 21 14.5 35.5t35.5 14.5zM1125 400h50q10 0 17.5 -7.5t7.5 -17.5v-350q0 -10 -7.5 -17.5t-17.5 -7.5 h-1050q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h50q10 0 17.5 -7.5t7.5 -17.5v-175h900v175q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe026;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM525 900h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -275q-13 -16 -32 -16t-32 16l-223 275q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z " />
+<glyph unicode="&#xe027;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM632 914l223 -275q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5l223 275q13 16 32 16 t32 -16z" />
+<glyph unicode="&#xe028;" d="M225 1200h750q10 0 19.5 -7t12.5 -17l186 -652q7 -24 7 -49v-425q0 -12 -4 -27t-9 -17q-12 -6 -37 -6h-1100q-12 0 -27 4t-17 8q-6 13 -6 38l1 425q0 25 7 49l185 652q3 10 12.5 17t19.5 7zM878 1000h-556q-10 0 -19 -7t-11 -18l-87 -450q-2 -11 4 -18t16 -7h150 q10 0 19.5 -7t11.5 -17l38 -152q2 -10 11.5 -17t19.5 -7h250q10 0 19.5 7t11.5 17l38 152q2 10 11.5 17t19.5 7h150q10 0 16 7t4 18l-87 450q-2 11 -11 18t-19 7z" />
+<glyph unicode="&#xe029;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM540 820l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
+<glyph unicode="&#xe030;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-362q0 -10 -7.5 -17.5t-17.5 -7.5h-362q-11 0 -13 5.5t5 12.5l133 133q-109 76 -238 76q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5h150q0 -117 -45.5 -224 t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117z" />
+<glyph unicode="&#xe031;" d="M947 1060l135 135q7 7 12.5 5t5.5 -13v-361q0 -11 -7.5 -18.5t-18.5 -7.5h-361q-11 0 -13 5.5t5 12.5l134 134q-110 75 -239 75q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5h-150q0 117 45.5 224t123 184.5t184.5 123t224 45.5q192 0 347 -117zM1027 600h150 q0 -117 -45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5q-192 0 -348 118l-134 -134q-7 -8 -12.5 -5.5t-5.5 12.5v360q0 11 7.5 18.5t18.5 7.5h360q10 0 12.5 -5.5t-5.5 -12.5l-133 -133q110 -76 240 -76q116 0 214.5 57t155.5 155.5t57 214.5z" />
+<glyph unicode="&#xe032;" d="M125 1200h1050q10 0 17.5 -7.5t7.5 -17.5v-1150q0 -10 -7.5 -17.5t-17.5 -7.5h-1050q-10 0 -17.5 7.5t-7.5 17.5v1150q0 10 7.5 17.5t17.5 7.5zM1075 1000h-850q-10 0 -17.5 -7.5t-7.5 -17.5v-850q0 -10 7.5 -17.5t17.5 -7.5h850q10 0 17.5 7.5t7.5 17.5v850 q0 10 -7.5 17.5t-17.5 7.5zM325 900h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 900h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 700h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 700h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 500h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 500h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5zM325 300h50q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM525 300h450q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-450q-10 0 -17.5 7.5t-7.5 17.5v50 q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe033;" d="M900 800v200q0 83 -58.5 141.5t-141.5 58.5h-300q-82 0 -141 -59t-59 -141v-200h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h900q41 0 70.5 29.5t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5h-100zM400 800v150q0 21 15 35.5t35 14.5h200 q20 0 35 -14.5t15 -35.5v-150h-300z" />
+<glyph unicode="&#xe034;" d="M125 1100h50q10 0 17.5 -7.5t7.5 -17.5v-1075h-100v1075q0 10 7.5 17.5t17.5 7.5zM1075 1052q4 0 9 -2q16 -6 16 -23v-421q0 -6 -3 -12q-33 -59 -66.5 -99t-65.5 -58t-56.5 -24.5t-52.5 -6.5q-26 0 -57.5 6.5t-52.5 13.5t-60 21q-41 15 -63 22.5t-57.5 15t-65.5 7.5 q-85 0 -160 -57q-7 -5 -15 -5q-6 0 -11 3q-14 7 -14 22v438q22 55 82 98.5t119 46.5q23 2 43 0.5t43 -7t32.5 -8.5t38 -13t32.5 -11q41 -14 63.5 -21t57 -14t63.5 -7q103 0 183 87q7 8 18 8z" />
+<glyph unicode="&#xe035;" d="M600 1175q116 0 227 -49.5t192.5 -131t131 -192.5t49.5 -227v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v300q0 127 -70.5 231.5t-184.5 161.5t-245 57t-245 -57t-184.5 -161.5t-70.5 -231.5v-300q0 -10 -7.5 -17.5t-17.5 -7.5h-50 q-10 0 -17.5 7.5t-7.5 17.5v300q0 116 49.5 227t131 192.5t192.5 131t227 49.5zM220 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460q0 8 6 14t14 6zM820 500h160q8 0 14 -6t6 -14v-460q0 -8 -6 -14t-14 -6h-160q-8 0 -14 6t-6 14v460 q0 8 6 14t14 6z" />
+<glyph unicode="&#xe036;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM900 668l120 120q7 7 17 7t17 -7l34 -34q7 -7 7 -17t-7 -17l-120 -120l120 -120q7 -7 7 -17 t-7 -17l-34 -34q-7 -7 -17 -7t-17 7l-120 119l-120 -119q-7 -7 -17 -7t-17 7l-34 34q-7 7 -7 17t7 17l119 120l-119 120q-7 7 -7 17t7 17l34 34q7 8 17 8t17 -8z" />
+<glyph unicode="&#xe037;" d="M321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6 l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238q-6 8 -4.5 18t9.5 17l29 22q7 5 15 5z" />
+<glyph unicode="&#xe038;" d="M967 1004h3q11 -1 17 -10q135 -179 135 -396q0 -105 -34 -206.5t-98 -185.5q-7 -9 -17 -10h-3q-9 0 -16 6l-42 34q-8 6 -9 16t5 18q111 150 111 328q0 90 -29.5 176t-84.5 157q-6 9 -5 19t10 16l42 33q7 5 15 5zM321 814l258 172q9 6 15 2.5t6 -13.5v-750q0 -10 -6 -13.5 t-15 2.5l-258 172q-21 14 -46 14h-250q-10 0 -17.5 7.5t-7.5 17.5v350q0 10 7.5 17.5t17.5 7.5h250q25 0 46 14zM766 900h4q10 -1 16 -10q96 -129 96 -290q0 -154 -90 -281q-6 -9 -17 -10l-3 -1q-9 0 -16 6l-29 23q-7 7 -8.5 16.5t4.5 17.5q72 103 72 229q0 132 -78 238 q-6 8 -4.5 18.5t9.5 16.5l29 22q7 5 15 5z" />
+<glyph unicode="&#xe039;" d="M500 900h100v-100h-100v-100h-400v-100h-100v600h500v-300zM1200 700h-200v-100h200v-200h-300v300h-200v300h-100v200h600v-500zM100 1100v-300h300v300h-300zM800 1100v-300h300v300h-300zM300 900h-100v100h100v-100zM1000 900h-100v100h100v-100zM300 500h200v-500 h-500v500h200v100h100v-100zM800 300h200v-100h-100v-100h-200v100h-100v100h100v200h-200v100h300v-300zM100 400v-300h300v300h-300zM300 200h-100v100h100v-100zM1200 200h-100v100h100v-100zM700 0h-100v100h100v-100zM1200 0h-300v100h300v-100z" />
+<glyph unicode="&#xe040;" d="M100 200h-100v1000h100v-1000zM300 200h-100v1000h100v-1000zM700 200h-200v1000h200v-1000zM900 200h-100v1000h100v-1000zM1200 200h-200v1000h200v-1000zM400 0h-300v100h300v-100zM600 0h-100v91h100v-91zM800 0h-100v91h100v-91zM1100 0h-200v91h200v-91z" />
+<glyph unicode="&#xe041;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
+<glyph unicode="&#xe042;" d="M500 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-682 682l1 475q0 10 7.5 17.5t17.5 7.5h474zM800 1200l682 -682q8 -8 8 -18t-8 -18l-464 -464q-8 -8 -18 -8t-18 8l-56 56l424 426l-700 700h150zM319.5 1024.5q-29.5 29.5 -71 29.5t-71 -29.5 t-29.5 -71.5t29.5 -71.5t71 -29.5t71 29.5t29.5 71.5t-29.5 71.5z" />
+<glyph unicode="&#xe043;" d="M300 1200h825q75 0 75 -75v-900q0 -25 -18 -43l-64 -64q-8 -8 -13 -5.5t-5 12.5v950q0 10 -7.5 17.5t-17.5 7.5h-700q-25 0 -43 -18l-64 -64q-8 -8 -5.5 -13t12.5 -5h700q10 0 17.5 -7.5t7.5 -17.5v-950q0 -10 -7.5 -17.5t-17.5 -7.5h-850q-10 0 -17.5 7.5t-7.5 17.5v975 q0 25 18 43l139 139q18 18 43 18z" />
+<glyph unicode="&#xe044;" d="M250 1200h800q21 0 35.5 -14.5t14.5 -35.5v-1150l-450 444l-450 -445v1151q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe045;" d="M822 1200h-444q-11 0 -19 -7.5t-9 -17.5l-78 -301q-7 -24 7 -45l57 -108q6 -9 17.5 -15t21.5 -6h450q10 0 21.5 6t17.5 15l62 108q14 21 7 45l-83 301q-1 10 -9 17.5t-19 7.5zM1175 800h-150q-10 0 -21 -6.5t-15 -15.5l-78 -156q-4 -9 -15 -15.5t-21 -6.5h-550 q-10 0 -21 6.5t-15 15.5l-78 156q-4 9 -15 15.5t-21 6.5h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-650q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h750q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5 t7.5 17.5v650q0 10 -7.5 17.5t-17.5 7.5zM850 200h-500q-10 0 -19.5 -7t-11.5 -17l-38 -152q-2 -10 3.5 -17t15.5 -7h600q10 0 15.5 7t3.5 17l-38 152q-2 10 -11.5 17t-19.5 7z" />
+<glyph unicode="&#xe046;" d="M500 1100h200q56 0 102.5 -20.5t72.5 -50t44 -59t25 -50.5l6 -20h150q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5h150q2 8 6.5 21.5t24 48t45 61t72 48t102.5 21.5zM900 800v-100 h100v100h-100zM600 730q-95 0 -162.5 -67.5t-67.5 -162.5t67.5 -162.5t162.5 -67.5t162.5 67.5t67.5 162.5t-67.5 162.5t-162.5 67.5zM600 603q43 0 73 -30t30 -73t-30 -73t-73 -30t-73 30t-30 73t30 73t73 30z" />
+<glyph unicode="&#xe047;" d="M681 1199l385 -998q20 -50 60 -92q18 -19 36.5 -29.5t27.5 -11.5l10 -2v-66h-417v66q53 0 75 43.5t5 88.5l-82 222h-391q-58 -145 -92 -234q-11 -34 -6.5 -57t25.5 -37t46 -20t55 -6v-66h-365v66q56 24 84 52q12 12 25 30.5t20 31.5l7 13l399 1006h93zM416 521h340 l-162 457z" />
+<glyph unicode="&#xe048;" d="M753 641q5 -1 14.5 -4.5t36 -15.5t50.5 -26.5t53.5 -40t50.5 -54.5t35.5 -70t14.5 -87q0 -67 -27.5 -125.5t-71.5 -97.5t-98.5 -66.5t-108.5 -40.5t-102 -13h-500v89q41 7 70.5 32.5t29.5 65.5v827q0 24 -0.5 34t-3.5 24t-8.5 19.5t-17 13.5t-28 12.5t-42.5 11.5v71 l471 -1q57 0 115.5 -20.5t108 -57t80.5 -94t31 -124.5q0 -51 -15.5 -96.5t-38 -74.5t-45 -50.5t-38.5 -30.5zM400 700h139q78 0 130.5 48.5t52.5 122.5q0 41 -8.5 70.5t-29.5 55.5t-62.5 39.5t-103.5 13.5h-118v-350zM400 200h216q80 0 121 50.5t41 130.5q0 90 -62.5 154.5 t-156.5 64.5h-159v-400z" />
+<glyph unicode="&#xe049;" d="M877 1200l2 -57q-83 -19 -116 -45.5t-40 -66.5l-132 -839q-9 -49 13 -69t96 -26v-97h-500v97q186 16 200 98l173 832q3 17 3 30t-1.5 22.5t-9 17.5t-13.5 12.5t-21.5 10t-26 8.5t-33.5 10q-13 3 -19 5v57h425z" />
+<glyph unicode="&#xe050;" d="M1300 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM175 1000h-75v-800h75l-125 -167l-125 167h75v800h-75l125 167z" />
+<glyph unicode="&#xe051;" d="M1100 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-650q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v650h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM1167 50l-167 -125v75h-800v-75l-167 125l167 125v-75h800v75z" />
+<glyph unicode="&#xe052;" d="M50 1100h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe053;" d="M250 1100h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM250 500h700q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-700q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe054;" d="M500 950v100q0 21 14.5 35.5t35.5 14.5h600q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5zM100 650v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000 q-21 0 -35.5 14.5t-14.5 35.5zM300 350v100q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5zM0 50v100q0 21 14.5 35.5t35.5 14.5h1100q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5z" />
+<glyph unicode="&#xe055;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 800h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 500h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h1100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe056;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 1100h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 800h800q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 500h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 500h800q21 0 35.5 -14.5t14.5 -35.5v-100 q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM350 200h800 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe057;" d="M400 0h-100v1100h100v-1100zM550 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM267 550l-167 -125v75h-200v100h200v75zM550 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM550 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe058;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM900 0h-100v1100h100v-1100zM50 800h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM1100 600h200v-100h-200v-75l-167 125l167 125v-75zM50 500h300q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5zM50 200h600 q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-600q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe059;" d="M75 1000h750q31 0 53 -22t22 -53v-650q0 -31 -22 -53t-53 -22h-750q-31 0 -53 22t-22 53v650q0 31 22 53t53 22zM1200 300l-300 300l300 300v-600z" />
+<glyph unicode="&#xe060;" d="M44 1100h1112q18 0 31 -13t13 -31v-1012q0 -18 -13 -31t-31 -13h-1112q-18 0 -31 13t-13 31v1012q0 18 13 31t31 13zM100 1000v-737l247 182l298 -131l-74 156l293 318l236 -288v500h-1000zM342 884q56 0 95 -39t39 -94.5t-39 -95t-95 -39.5t-95 39.5t-39 95t39 94.5 t95 39z" />
+<glyph unicode="&#xe062;" d="M648 1169q117 0 216 -60t156.5 -161t57.5 -218q0 -115 -70 -258q-69 -109 -158 -225.5t-143 -179.5l-54 -62q-9 8 -25.5 24.5t-63.5 67.5t-91 103t-98.5 128t-95.5 148q-60 132 -60 249q0 88 34 169.5t91.5 142t137 96.5t166.5 36zM652.5 974q-91.5 0 -156.5 -65 t-65 -157t65 -156.5t156.5 -64.5t156.5 64.5t65 156.5t-65 157t-156.5 65z" />
+<glyph unicode="&#xe063;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 173v854q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57z" />
+<glyph unicode="&#xe064;" d="M554 1295q21 -72 57.5 -143.5t76 -130t83 -118t82.5 -117t70 -116t49.5 -126t18.5 -136.5q0 -71 -25.5 -135t-68.5 -111t-99 -82t-118.5 -54t-125.5 -23q-84 5 -161.5 34t-139.5 78.5t-99 125t-37 164.5q0 69 18 136.5t49.5 126.5t69.5 116.5t81.5 117.5t83.5 119 t76.5 131t58.5 143zM344 710q-23 -33 -43.5 -70.5t-40.5 -102.5t-17 -123q1 -37 14.5 -69.5t30 -52t41 -37t38.5 -24.5t33 -15q21 -7 32 -1t13 22l6 34q2 10 -2.5 22t-13.5 19q-5 4 -14 12t-29.5 40.5t-32.5 73.5q-26 89 6 271q2 11 -6 11q-8 1 -15 -10z" />
+<glyph unicode="&#xe065;" d="M1000 1013l108 115q2 1 5 2t13 2t20.5 -1t25 -9.5t28.5 -21.5q22 -22 27 -43t0 -32l-6 -10l-108 -115zM350 1100h400q50 0 105 -13l-187 -187h-368q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v182l200 200v-332 q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM1009 803l-362 -362l-161 -50l55 170l355 355z" />
+<glyph unicode="&#xe066;" d="M350 1100h361q-164 -146 -216 -200h-195q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5l200 153v-103q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M824 1073l339 -301q8 -7 8 -17.5t-8 -17.5l-340 -306q-7 -6 -12.5 -4t-6.5 11v203q-26 1 -54.5 0t-78.5 -7.5t-92 -17.5t-86 -35t-70 -57q10 59 33 108t51.5 81.5t65 58.5t68.5 40.5t67 24.5t56 13.5t40 4.5v210q1 10 6.5 12.5t13.5 -4.5z" />
+<glyph unicode="&#xe067;" d="M350 1100h350q60 0 127 -23l-178 -177h-349q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v69l200 200v-219q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5z M643 639l395 395q7 7 17.5 7t17.5 -7l101 -101q7 -7 7 -17.5t-7 -17.5l-531 -532q-7 -7 -17.5 -7t-17.5 7l-248 248q-7 7 -7 17.5t7 17.5l101 101q7 7 17.5 7t17.5 -7l111 -111q8 -7 18 -7t18 7z" />
+<glyph unicode="&#xe068;" d="M318 918l264 264q8 8 18 8t18 -8l260 -264q7 -8 4.5 -13t-12.5 -5h-170v-200h200v173q0 10 5 12t13 -5l264 -260q8 -7 8 -17.5t-8 -17.5l-264 -265q-8 -7 -13 -5t-5 12v173h-200v-200h170q10 0 12.5 -5t-4.5 -13l-260 -264q-8 -8 -18 -8t-18 8l-264 264q-8 8 -5.5 13 t12.5 5h175v200h-200v-173q0 -10 -5 -12t-13 5l-264 265q-8 7 -8 17.5t8 17.5l264 260q8 7 13 5t5 -12v-173h200v200h-175q-10 0 -12.5 5t5.5 13z" />
+<glyph unicode="&#xe069;" d="M250 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe070;" d="M50 1100h100q21 0 35.5 -14.5t14.5 -35.5v-438l464 453q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5 t-14.5 35.5v1000q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe071;" d="M1200 1050v-1000q0 -21 -10.5 -25t-25.5 10l-464 453v-438q0 -21 -10.5 -25t-25.5 10l-492 480q-15 14 -15 35t15 35l492 480q15 14 25.5 10t10.5 -25v-438l464 453q15 14 25.5 10t10.5 -25z" />
+<glyph unicode="&#xe072;" d="M243 1074l814 -498q18 -11 18 -26t-18 -26l-814 -498q-18 -11 -30.5 -4t-12.5 28v1000q0 21 12.5 28t30.5 -4z" />
+<glyph unicode="&#xe073;" d="M250 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM650 1000h200q21 0 35.5 -14.5t14.5 -35.5v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v800 q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe074;" d="M1100 950v-800q0 -21 -14.5 -35.5t-35.5 -14.5h-800q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5h800q21 0 35.5 -14.5t14.5 -35.5z" />
+<glyph unicode="&#xe075;" d="M500 612v438q0 21 10.5 25t25.5 -10l492 -480q15 -14 15 -35t-15 -35l-492 -480q-15 -14 -25.5 -10t-10.5 25v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10z" />
+<glyph unicode="&#xe076;" d="M1048 1102l100 1q20 0 35 -14.5t15 -35.5l5 -1000q0 -21 -14.5 -35.5t-35.5 -14.5l-100 -1q-21 0 -35.5 14.5t-14.5 35.5l-2 437l-463 -454q-14 -15 -24.5 -10.5t-10.5 25.5l-2 437l-462 -455q-15 -14 -25.5 -9.5t-10.5 24.5l-5 1000q0 21 10.5 25.5t25.5 -10.5l466 -450 l-2 438q0 20 10.5 24.5t25.5 -9.5l466 -451l-2 438q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe077;" d="M850 1100h100q21 0 35.5 -14.5t14.5 -35.5v-1000q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v438l-464 -453q-15 -14 -25.5 -10t-10.5 25v1000q0 21 10.5 25t25.5 -10l464 -453v438q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe078;" d="M686 1081l501 -540q15 -15 10.5 -26t-26.5 -11h-1042q-22 0 -26.5 11t10.5 26l501 540q15 15 36 15t36 -15zM150 400h1000q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe079;" d="M885 900l-352 -353l352 -353l-197 -198l-552 552l552 550z" />
+<glyph unicode="&#xe080;" d="M1064 547l-551 -551l-198 198l353 353l-353 353l198 198z" />
+<glyph unicode="&#xe081;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM650 900h-100q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-150 q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5h150v-150q0 -21 14.5 -35.5t35.5 -14.5h100q21 0 35.5 14.5t14.5 35.5v150h150q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-150v150q0 21 -14.5 35.5t-35.5 14.5z" />
+<glyph unicode="&#xe082;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM850 700h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5 t35.5 -14.5h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5z" />
+<glyph unicode="&#xe083;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM741.5 913q-12.5 0 -21.5 -9l-120 -120l-120 120q-9 9 -21.5 9 t-21.5 -9l-141 -141q-9 -9 -9 -21.5t9 -21.5l120 -120l-120 -120q-9 -9 -9 -21.5t9 -21.5l141 -141q9 -9 21.5 -9t21.5 9l120 120l120 -120q9 -9 21.5 -9t21.5 9l141 141q9 9 9 21.5t-9 21.5l-120 120l120 120q9 9 9 21.5t-9 21.5l-141 141q-9 9 -21.5 9z" />
+<glyph unicode="&#xe084;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM546 623l-84 85q-7 7 -17.5 7t-18.5 -7l-139 -139q-7 -8 -7 -18t7 -18 l242 -241q7 -8 17.5 -8t17.5 8l375 375q7 7 7 17.5t-7 18.5l-139 139q-7 7 -17.5 7t-17.5 -7z" />
+<glyph unicode="&#xe085;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM588 941q-29 0 -59 -5.5t-63 -20.5t-58 -38.5t-41.5 -63t-16.5 -89.5 q0 -25 20 -25h131q30 -5 35 11q6 20 20.5 28t45.5 8q20 0 31.5 -10.5t11.5 -28.5q0 -23 -7 -34t-26 -18q-1 0 -13.5 -4t-19.5 -7.5t-20 -10.5t-22 -17t-18.5 -24t-15.5 -35t-8 -46q-1 -8 5.5 -16.5t20.5 -8.5h173q7 0 22 8t35 28t37.5 48t29.5 74t12 100q0 47 -17 83 t-42.5 57t-59.5 34.5t-64 18t-59 4.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe086;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM675 1000h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5 t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5zM675 700h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h75v-200h-75q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h350q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5 t-17.5 7.5h-75v275q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe087;" d="M525 1200h150q10 0 17.5 -7.5t7.5 -17.5v-194q103 -27 178.5 -102.5t102.5 -178.5h194q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-194q-27 -103 -102.5 -178.5t-178.5 -102.5v-194q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v194 q-103 27 -178.5 102.5t-102.5 178.5h-194q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h194q27 103 102.5 178.5t178.5 102.5v194q0 10 7.5 17.5t17.5 7.5zM700 893v-168q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v168q-68 -23 -119 -74 t-74 -119h168q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-168q23 -68 74 -119t119 -74v168q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-168q68 23 119 74t74 119h-168q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h168 q-23 68 -74 119t-119 74z" />
+<glyph unicode="&#xe088;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM759 823l64 -64q7 -7 7 -17.5t-7 -17.5l-124 -124l124 -124q7 -7 7 -17.5t-7 -17.5l-64 -64q-7 -7 -17.5 -7t-17.5 7l-124 124l-124 -124q-7 -7 -17.5 -7t-17.5 7l-64 64 q-7 7 -7 17.5t7 17.5l124 124l-124 124q-7 7 -7 17.5t7 17.5l64 64q7 7 17.5 7t17.5 -7l124 -124l124 124q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe089;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5t57 -214.5 t155.5 -155.5t214.5 -57t214.5 57t155.5 155.5t57 214.5t-57 214.5t-155.5 155.5t-214.5 57zM782 788l106 -106q7 -7 7 -17.5t-7 -17.5l-320 -321q-8 -7 -18 -7t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l197 197q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe090;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM600 1027q-116 0 -214.5 -57t-155.5 -155.5t-57 -214.5q0 -120 65 -225 l587 587q-105 65 -225 65zM965 819l-584 -584q104 -62 219 -62q116 0 214.5 57t155.5 155.5t57 214.5q0 115 -62 219z" />
+<glyph unicode="&#xe091;" d="M39 582l522 427q16 13 27.5 8t11.5 -26v-291h550q21 0 35.5 -14.5t14.5 -35.5v-200q0 -21 -14.5 -35.5t-35.5 -14.5h-550v-291q0 -21 -11.5 -26t-27.5 8l-522 427q-16 13 -16 32t16 32z" />
+<glyph unicode="&#xe092;" d="M639 1009l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291h-550q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h550v291q0 21 11.5 26t27.5 -8z" />
+<glyph unicode="&#xe093;" d="M682 1161l427 -522q13 -16 8 -27.5t-26 -11.5h-291v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v550h-291q-21 0 -26 11.5t8 27.5l427 522q13 16 32 16t32 -16z" />
+<glyph unicode="&#xe094;" d="M550 1200h200q21 0 35.5 -14.5t14.5 -35.5v-550h291q21 0 26 -11.5t-8 -27.5l-427 -522q-13 -16 -32 -16t-32 16l-427 522q-13 16 -8 27.5t26 11.5h291v550q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe095;" d="M639 1109l522 -427q16 -13 16 -32t-16 -32l-522 -427q-16 -13 -27.5 -8t-11.5 26v291q-94 -2 -182 -20t-170.5 -52t-147 -92.5t-100.5 -135.5q5 105 27 193.5t67.5 167t113 135t167 91.5t225.5 42v262q0 21 11.5 26t27.5 -8z" />
+<glyph unicode="&#xe096;" d="M850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5zM350 0h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249 q8 7 18 7t18 -7l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5z" />
+<glyph unicode="&#xe097;" d="M1014 1120l106 -106q7 -8 7 -18t-7 -18l-249 -249l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l249 249q8 7 18 7t18 -7zM250 600h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-249 -249q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l249 249l-94 94q-14 14 -10 24.5t25 10.5z" />
+<glyph unicode="&#xe101;" d="M600 1177q117 0 224 -45.5t184.5 -123t123 -184.5t45.5 -224t-45.5 -224t-123 -184.5t-184.5 -123t-224 -45.5t-224 45.5t-184.5 123t-123 184.5t-45.5 224t45.5 224t123 184.5t184.5 123t224 45.5zM704 900h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5 t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM675 400h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe102;" d="M260 1200q9 0 19 -2t15 -4l5 -2q22 -10 44 -23l196 -118q21 -13 36 -24q29 -21 37 -12q11 13 49 35l196 118q22 13 45 23q17 7 38 7q23 0 47 -16.5t37 -33.5l13 -16q14 -21 18 -45l25 -123l8 -44q1 -9 8.5 -14.5t17.5 -5.5h61q10 0 17.5 -7.5t7.5 -17.5v-50 q0 -10 -7.5 -17.5t-17.5 -7.5h-50q-10 0 -17.5 -7.5t-7.5 -17.5v-175h-400v300h-200v-300h-400v175q0 10 -7.5 17.5t-17.5 7.5h-50q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5h61q11 0 18 3t7 8q0 4 9 52l25 128q5 25 19 45q2 3 5 7t13.5 15t21.5 19.5t26.5 15.5 t29.5 7zM915 1079l-166 -162q-7 -7 -5 -12t12 -5h219q10 0 15 7t2 17l-51 149q-3 10 -11 12t-15 -6zM463 917l-177 157q-8 7 -16 5t-11 -12l-51 -143q-3 -10 2 -17t15 -7h231q11 0 12.5 5t-5.5 12zM500 0h-375q-10 0 -17.5 7.5t-7.5 17.5v375h400v-400zM1100 400v-375 q0 -10 -7.5 -17.5t-17.5 -7.5h-375v400h400z" />
+<glyph unicode="&#xe103;" d="M1165 1190q8 3 21 -6.5t13 -17.5q-2 -178 -24.5 -323.5t-55.5 -245.5t-87 -174.5t-102.5 -118.5t-118 -68.5t-118.5 -33t-120 -4.5t-105 9.5t-90 16.5q-61 12 -78 11q-4 1 -12.5 0t-34 -14.5t-52.5 -40.5l-153 -153q-26 -24 -37 -14.5t-11 43.5q0 64 42 102q8 8 50.5 45 t66.5 58q19 17 35 47t13 61q-9 55 -10 102.5t7 111t37 130t78 129.5q39 51 80 88t89.5 63.5t94.5 45t113.5 36t129 31t157.5 37t182 47.5zM1116 1098q-8 9 -22.5 -3t-45.5 -50q-38 -47 -119 -103.5t-142 -89.5l-62 -33q-56 -30 -102 -57t-104 -68t-102.5 -80.5t-85.5 -91 t-64 -104.5q-24 -56 -31 -86t2 -32t31.5 17.5t55.5 59.5q25 30 94 75.5t125.5 77.5t147.5 81q70 37 118.5 69t102 79.5t99 111t86.5 148.5q22 50 24 60t-6 19z" />
+<glyph unicode="&#xe104;" d="M653 1231q-39 -67 -54.5 -131t-10.5 -114.5t24.5 -96.5t47.5 -80t63.5 -62.5t68.5 -46.5t65 -30q-4 7 -17.5 35t-18.5 39.5t-17 39.5t-17 43t-13 42t-9.5 44.5t-2 42t4 43t13.5 39t23 38.5q96 -42 165 -107.5t105 -138t52 -156t13 -159t-19 -149.5q-13 -55 -44 -106.5 t-68 -87t-78.5 -64.5t-72.5 -45t-53 -22q-72 -22 -127 -11q-31 6 -13 19q6 3 17 7q13 5 32.5 21t41 44t38.5 63.5t21.5 81.5t-6.5 94.5t-50 107t-104 115.5q10 -104 -0.5 -189t-37 -140.5t-65 -93t-84 -52t-93.5 -11t-95 24.5q-80 36 -131.5 114t-53.5 171q-2 23 0 49.5 t4.5 52.5t13.5 56t27.5 60t46 64.5t69.5 68.5q-8 -53 -5 -102.5t17.5 -90t34 -68.5t44.5 -39t49 -2q31 13 38.5 36t-4.5 55t-29 64.5t-36 75t-26 75.5q-15 85 2 161.5t53.5 128.5t85.5 92.5t93.5 61t81.5 25.5z" />
+<glyph unicode="&#xe105;" d="M600 1094q82 0 160.5 -22.5t140 -59t116.5 -82.5t94.5 -95t68 -95t42.5 -82.5t14 -57.5t-14 -57.5t-43 -82.5t-68.5 -95t-94.5 -95t-116.5 -82.5t-140 -59t-159.5 -22.5t-159.5 22.5t-140 59t-116.5 82.5t-94.5 95t-68.5 95t-43 82.5t-14 57.5t14 57.5t42.5 82.5t68 95 t94.5 95t116.5 82.5t140 59t160.5 22.5zM888 829q-15 15 -18 12t5 -22q25 -57 25 -119q0 -124 -88 -212t-212 -88t-212 88t-88 212q0 59 23 114q8 19 4.5 22t-17.5 -12q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q22 -36 47 -71t70 -82t92.5 -81t113 -58.5t133.5 -24.5 t133.5 24t113 58.5t92.5 81.5t70 81.5t47 70.5q11 18 9 42.5t-14 41.5q-90 117 -163 189zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l35 34q14 15 12.5 33.5t-16.5 33.5q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
+<glyph unicode="&#xe106;" d="M592 0h-148l31 120q-91 20 -175.5 68.5t-143.5 106.5t-103.5 119t-66.5 110t-22 76q0 21 14 57.5t42.5 82.5t68 95t94.5 95t116.5 82.5t140 59t160.5 22.5q61 0 126 -15l32 121h148zM944 770l47 181q108 -85 176.5 -192t68.5 -159q0 -26 -19.5 -71t-59.5 -102t-93 -112 t-129 -104.5t-158 -75.5l46 173q77 49 136 117t97 131q11 18 9 42.5t-14 41.5q-54 70 -107 130zM310 824q-70 -69 -160 -184q-13 -16 -15 -40.5t9 -42.5q18 -30 39 -60t57 -70.5t74 -73t90 -61t105 -41.5l41 154q-107 18 -178.5 101.5t-71.5 193.5q0 59 23 114q8 19 4.5 22 t-17.5 -12zM448 727l-35 -36q-15 -15 -19.5 -38.5t4.5 -41.5q37 -68 93 -116q16 -13 38.5 -11t36.5 17l12 11l22 86l-3 4q-44 44 -89 117q-11 18 -28 20t-32 -12z" />
+<glyph unicode="&#xe107;" d="M-90 100l642 1066q20 31 48 28.5t48 -35.5l642 -1056q21 -32 7.5 -67.5t-50.5 -35.5h-1294q-37 0 -50.5 34t7.5 66zM155 200h345v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h345l-445 723zM496 700h208q20 0 32 -14.5t8 -34.5l-58 -252 q-4 -20 -21.5 -34.5t-37.5 -14.5h-54q-20 0 -37.5 14.5t-21.5 34.5l-58 252q-4 20 8 34.5t32 14.5z" />
+<glyph unicode="&#xe108;" d="M650 1200q62 0 106 -44t44 -106v-339l363 -325q15 -14 26 -38.5t11 -44.5v-41q0 -20 -12 -26.5t-29 5.5l-359 249v-263q100 -93 100 -113v-64q0 -21 -13 -29t-32 1l-205 128l-205 -128q-19 -9 -32 -1t-13 29v64q0 20 100 113v263l-359 -249q-17 -12 -29 -5.5t-12 26.5v41 q0 20 11 44.5t26 38.5l363 325v339q0 62 44 106t106 44z" />
+<glyph unicode="&#xe109;" d="M850 1200h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-150h-1100v150q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5h100q21 0 35.5 -14.5t14.5 -35.5v-50h500v50q0 21 14.5 35.5t35.5 14.5zM1100 800v-750q0 -21 -14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v750h1100zM100 600v-100h100v100h-100zM300 600v-100h100v100h-100zM500 600v-100h100v100h-100zM700 600v-100h100v100h-100zM900 600v-100h100v100h-100zM100 400v-100h100v100h-100zM300 400v-100h100v100h-100zM500 400 v-100h100v100h-100zM700 400v-100h100v100h-100zM900 400v-100h100v100h-100zM100 200v-100h100v100h-100zM300 200v-100h100v100h-100zM500 200v-100h100v100h-100zM700 200v-100h100v100h-100zM900 200v-100h100v100h-100z" />
+<glyph unicode="&#xe110;" d="M1135 1165l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-159l-600 -600h-291q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h209l600 600h241v150q0 21 10.5 25t24.5 -10zM522 819l-141 -141l-122 122h-209q-21 0 -35.5 14.5 t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h291zM1135 565l249 -230q15 -14 15 -35t-15 -35l-249 -230q-14 -14 -24.5 -10t-10.5 25v150h-241l-181 181l141 141l122 -122h159v150q0 21 10.5 25t24.5 -10z" />
+<glyph unicode="&#xe111;" d="M100 1100h1000q41 0 70.5 -29.5t29.5 -70.5v-600q0 -41 -29.5 -70.5t-70.5 -29.5h-596l-304 -300v300h-100q-41 0 -70.5 29.5t-29.5 70.5v600q0 41 29.5 70.5t70.5 29.5z" />
+<glyph unicode="&#xe112;" d="M150 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM850 1200h200q21 0 35.5 -14.5t14.5 -35.5v-250h-300v250q0 21 14.5 35.5t35.5 14.5zM1100 800v-300q0 -41 -3 -77.5t-15 -89.5t-32 -96t-58 -89t-89 -77t-129 -51t-174 -20t-174 20 t-129 51t-89 77t-58 89t-32 96t-15 89.5t-3 77.5v300h300v-250v-27v-42.5t1.5 -41t5 -38t10 -35t16.5 -30t25.5 -24.5t35 -19t46.5 -12t60 -4t60 4.5t46.5 12.5t35 19.5t25 25.5t17 30.5t10 35t5 38t2 40.5t-0.5 42v25v250h300z" />
+<glyph unicode="&#xe113;" d="M1100 411l-198 -199l-353 353l-353 -353l-197 199l551 551z" />
+<glyph unicode="&#xe114;" d="M1101 789l-550 -551l-551 551l198 199l353 -353l353 353z" />
+<glyph unicode="&#xe115;" d="M404 1000h746q21 0 35.5 -14.5t14.5 -35.5v-551h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v401h-381zM135 984l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-400h385l215 -200h-750q-21 0 -35.5 14.5 t-14.5 35.5v550h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe116;" d="M56 1200h94q17 0 31 -11t18 -27l38 -162h896q24 0 39 -18.5t10 -42.5l-100 -475q-5 -21 -27 -42.5t-55 -21.5h-633l48 -200h535q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-50q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-300v-50 q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v50h-31q-18 0 -32.5 10t-20.5 19l-5 10l-201 961h-54q-20 0 -35 14.5t-15 35.5t15 35.5t35 14.5z" />
+<glyph unicode="&#xe117;" d="M1200 1000v-100h-1200v100h200q0 41 29.5 70.5t70.5 29.5h300q41 0 70.5 -29.5t29.5 -70.5h500zM0 800h1200v-800h-1200v800z" />
+<glyph unicode="&#xe118;" d="M200 800l-200 -400v600h200q0 41 29.5 70.5t70.5 29.5h300q42 0 71 -29.5t29 -70.5h500v-200h-1000zM1500 700l-300 -700h-1200l300 700h1200z" />
+<glyph unicode="&#xe119;" d="M635 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-601h150q21 0 25 -10.5t-10 -24.5l-230 -249q-14 -15 -35 -15t-35 15l-230 249q-14 14 -10 24.5t25 10.5h150v601h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe120;" d="M936 864l249 -229q14 -15 14 -35.5t-14 -35.5l-249 -229q-15 -15 -25.5 -10.5t-10.5 24.5v151h-600v-151q0 -20 -10.5 -24.5t-25.5 10.5l-249 229q-14 15 -14 35.5t14 35.5l249 229q15 15 25.5 10.5t10.5 -25.5v-149h600v149q0 21 10.5 25.5t25.5 -10.5z" />
+<glyph unicode="&#xe121;" d="M1169 400l-172 732q-5 23 -23 45.5t-38 22.5h-672q-20 0 -38 -20t-23 -41l-172 -739h1138zM1100 300h-1000q-41 0 -70.5 -29.5t-29.5 -70.5v-100q0 -41 29.5 -70.5t70.5 -29.5h1000q41 0 70.5 29.5t29.5 70.5v100q0 41 -29.5 70.5t-70.5 29.5zM800 100v100h100v-100h-100 zM1000 100v100h100v-100h-100z" />
+<glyph unicode="&#xe122;" d="M1150 1100q21 0 35.5 -14.5t14.5 -35.5v-850q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v850q0 21 14.5 35.5t35.5 14.5zM1000 200l-675 200h-38l47 -276q3 -16 -5.5 -20t-29.5 -4h-7h-84q-20 0 -34.5 14t-18.5 35q-55 337 -55 351v250v6q0 16 1 23.5t6.5 14 t17.5 6.5h200l675 250v-850zM0 750v-250q-4 0 -11 0.5t-24 6t-30 15t-24 30t-11 48.5v50q0 26 10.5 46t25 30t29 16t25.5 7z" />
+<glyph unicode="&#xe123;" d="M553 1200h94q20 0 29 -10.5t3 -29.5l-18 -37q83 -19 144 -82.5t76 -140.5l63 -327l118 -173h17q19 0 33 -14.5t14 -35t-13 -40.5t-31 -27q-8 -4 -23 -9.5t-65 -19.5t-103 -25t-132.5 -20t-158.5 -9q-57 0 -115 5t-104 12t-88.5 15.5t-73.5 17.5t-54.5 16t-35.5 12l-11 4 q-18 8 -31 28t-13 40.5t14 35t33 14.5h17l118 173l63 327q15 77 76 140t144 83l-18 32q-6 19 3.5 32t28.5 13zM498 110q50 -6 102 -6q53 0 102 6q-12 -49 -39.5 -79.5t-62.5 -30.5t-63 30.5t-39 79.5z" />
+<glyph unicode="&#xe124;" d="M800 946l224 78l-78 -224l234 -45l-180 -155l180 -155l-234 -45l78 -224l-224 78l-45 -234l-155 180l-155 -180l-45 234l-224 -78l78 224l-234 45l180 155l-180 155l234 45l-78 224l224 -78l45 234l155 -180l155 180z" />
+<glyph unicode="&#xe125;" d="M650 1200h50q40 0 70 -40.5t30 -84.5v-150l-28 -125h328q40 0 70 -40.5t30 -84.5v-100q0 -45 -29 -74l-238 -344q-16 -24 -38 -40.5t-45 -16.5h-250q-7 0 -42 25t-66 50l-31 25h-61q-45 0 -72.5 18t-27.5 57v400q0 36 20 63l145 196l96 198q13 28 37.5 48t51.5 20z M650 1100l-100 -212l-150 -213v-375h100l136 -100h214l250 375v125h-450l50 225v175h-50zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe126;" d="M600 1100h250q23 0 45 -16.5t38 -40.5l238 -344q29 -29 29 -74v-100q0 -44 -30 -84.5t-70 -40.5h-328q28 -118 28 -125v-150q0 -44 -30 -84.5t-70 -40.5h-50q-27 0 -51.5 20t-37.5 48l-96 198l-145 196q-20 27 -20 63v400q0 39 27.5 57t72.5 18h61q124 100 139 100z M50 1000h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM636 1000l-136 -100h-100v-375l150 -213l100 -212h50v175l-50 225h450v125l-250 375h-214z" />
+<glyph unicode="&#xe127;" d="M356 873l363 230q31 16 53 -6l110 -112q13 -13 13.5 -32t-11.5 -34l-84 -121h302q84 0 138 -38t54 -110t-55 -111t-139 -39h-106l-131 -339q-6 -21 -19.5 -41t-28.5 -20h-342q-7 0 -90 81t-83 94v525q0 17 14 35.5t28 28.5zM400 792v-503l100 -89h293l131 339 q6 21 19.5 41t28.5 20h203q21 0 30.5 25t0.5 50t-31 25h-456h-7h-6h-5.5t-6 0.5t-5 1.5t-5 2t-4 2.5t-4 4t-2.5 4.5q-12 25 5 47l146 183l-86 83zM50 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v500 q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe128;" d="M475 1103l366 -230q2 -1 6 -3.5t14 -10.5t18 -16.5t14.5 -20t6.5 -22.5v-525q0 -13 -86 -94t-93 -81h-342q-15 0 -28.5 20t-19.5 41l-131 339h-106q-85 0 -139.5 39t-54.5 111t54 110t138 38h302l-85 121q-11 15 -10.5 34t13.5 32l110 112q22 22 53 6zM370 945l146 -183 q17 -22 5 -47q-2 -2 -3.5 -4.5t-4 -4t-4 -2.5t-5 -2t-5 -1.5t-6 -0.5h-6h-6.5h-6h-475v-100h221q15 0 29 -20t20 -41l130 -339h294l106 89v503l-342 236zM1050 800h100q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5 v500q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe129;" d="M550 1294q72 0 111 -55t39 -139v-106l339 -131q21 -6 41 -19.5t20 -28.5v-342q0 -7 -81 -90t-94 -83h-525q-17 0 -35.5 14t-28.5 28l-9 14l-230 363q-16 31 6 53l112 110q13 13 32 13.5t34 -11.5l121 -84v302q0 84 38 138t110 54zM600 972v203q0 21 -25 30.5t-50 0.5 t-25 -31v-456v-7v-6v-5.5t-0.5 -6t-1.5 -5t-2 -5t-2.5 -4t-4 -4t-4.5 -2.5q-25 -12 -47 5l-183 146l-83 -86l236 -339h503l89 100v293l-339 131q-21 6 -41 19.5t-20 28.5zM450 200h500q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-500 q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe130;" d="M350 1100h500q21 0 35.5 14.5t14.5 35.5v100q0 21 -14.5 35.5t-35.5 14.5h-500q-21 0 -35.5 -14.5t-14.5 -35.5v-100q0 -21 14.5 -35.5t35.5 -14.5zM600 306v-106q0 -84 -39 -139t-111 -55t-110 54t-38 138v302l-121 -84q-15 -12 -34 -11.5t-32 13.5l-112 110 q-22 22 -6 53l230 363q1 2 3.5 6t10.5 13.5t16.5 17t20 13.5t22.5 6h525q13 0 94 -83t81 -90v-342q0 -15 -20 -28.5t-41 -19.5zM308 900l-236 -339l83 -86l183 146q22 17 47 5q2 -1 4.5 -2.5t4 -4t2.5 -4t2 -5t1.5 -5t0.5 -6v-5.5v-6v-7v-456q0 -22 25 -31t50 0.5t25 30.5 v203q0 15 20 28.5t41 19.5l339 131v293l-89 100h-503z" />
+<glyph unicode="&#xe131;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM914 632l-275 223q-16 13 -27.5 8t-11.5 -26v-137h-275 q-10 0 -17.5 -7.5t-7.5 -17.5v-150q0 -10 7.5 -17.5t17.5 -7.5h275v-137q0 -21 11.5 -26t27.5 8l275 223q16 13 16 32t-16 32z" />
+<glyph unicode="&#xe132;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM561 855l-275 -223q-16 -13 -16 -32t16 -32l275 -223q16 -13 27.5 -8 t11.5 26v137h275q10 0 17.5 7.5t7.5 17.5v150q0 10 -7.5 17.5t-17.5 7.5h-275v137q0 21 -11.5 26t-27.5 -8z" />
+<glyph unicode="&#xe133;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM855 639l-223 275q-13 16 -32 16t-32 -16l-223 -275q-13 -16 -8 -27.5 t26 -11.5h137v-275q0 -10 7.5 -17.5t17.5 -7.5h150q10 0 17.5 7.5t7.5 17.5v275h137q21 0 26 11.5t-8 27.5z" />
+<glyph unicode="&#xe134;" d="M600 1178q118 0 225 -45.5t184.5 -123t123 -184.5t45.5 -225t-45.5 -225t-123 -184.5t-184.5 -123t-225 -45.5t-225 45.5t-184.5 123t-123 184.5t-45.5 225t45.5 225t123 184.5t184.5 123t225 45.5zM675 900h-150q-10 0 -17.5 -7.5t-7.5 -17.5v-275h-137q-21 0 -26 -11.5 t8 -27.5l223 -275q13 -16 32 -16t32 16l223 275q13 16 8 27.5t-26 11.5h-137v275q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe135;" d="M600 1176q116 0 222.5 -46t184 -123.5t123.5 -184t46 -222.5t-46 -222.5t-123.5 -184t-184 -123.5t-222.5 -46t-222.5 46t-184 123.5t-123.5 184t-46 222.5t46 222.5t123.5 184t184 123.5t222.5 46zM627 1101q-15 -12 -36.5 -20.5t-35.5 -12t-43 -8t-39 -6.5 q-15 -3 -45.5 0t-45.5 -2q-20 -7 -51.5 -26.5t-34.5 -34.5q-3 -11 6.5 -22.5t8.5 -18.5q-3 -34 -27.5 -91t-29.5 -79q-9 -34 5 -93t8 -87q0 -9 17 -44.5t16 -59.5q12 0 23 -5t23.5 -15t19.5 -14q16 -8 33 -15t40.5 -15t34.5 -12q21 -9 52.5 -32t60 -38t57.5 -11 q7 -15 -3 -34t-22.5 -40t-9.5 -38q13 -21 23 -34.5t27.5 -27.5t36.5 -18q0 -7 -3.5 -16t-3.5 -14t5 -17q104 -2 221 112q30 29 46.5 47t34.5 49t21 63q-13 8 -37 8.5t-36 7.5q-15 7 -49.5 15t-51.5 19q-18 0 -41 -0.5t-43 -1.5t-42 -6.5t-38 -16.5q-51 -35 -66 -12 q-4 1 -3.5 25.5t0.5 25.5q-6 13 -26.5 17.5t-24.5 6.5q1 15 -0.5 30.5t-7 28t-18.5 11.5t-31 -21q-23 -25 -42 4q-19 28 -8 58q6 16 22 22q6 -1 26 -1.5t33.5 -4t19.5 -13.5q7 -12 18 -24t21.5 -20.5t20 -15t15.5 -10.5l5 -3q2 12 7.5 30.5t8 34.5t-0.5 32q-3 18 3.5 29 t18 22.5t15.5 24.5q6 14 10.5 35t8 31t15.5 22.5t34 22.5q-6 18 10 36q8 0 24 -1.5t24.5 -1.5t20 4.5t20.5 15.5q-10 23 -31 42.5t-37.5 29.5t-49 27t-43.5 23q0 1 2 8t3 11.5t1.5 10.5t-1 9.5t-4.5 4.5q31 -13 58.5 -14.5t38.5 2.5l12 5q5 28 -9.5 46t-36.5 24t-50 15 t-41 20q-18 -4 -37 0zM613 994q0 -17 8 -42t17 -45t9 -23q-8 1 -39.5 5.5t-52.5 10t-37 16.5q3 11 16 29.5t16 25.5q10 -10 19 -10t14 6t13.5 14.5t16.5 12.5z" />
+<glyph unicode="&#xe136;" d="M756 1157q164 92 306 -9l-259 -138l145 -232l251 126q6 -89 -34 -156.5t-117 -110.5q-60 -34 -127 -39.5t-126 16.5l-596 -596q-15 -16 -36.5 -16t-36.5 16l-111 110q-15 15 -15 36.5t15 37.5l600 599q-34 101 5.5 201.5t135.5 154.5z" />
+<glyph unicode="&#xe137;" horiz-adv-x="1220" d="M100 1196h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 1096h-200v-100h200v100zM100 796h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 696h-500v-100h500v100zM100 396h1000q41 0 70.5 -29.5t29.5 -70.5v-100q0 -41 -29.5 -70.5t-70.5 -29.5h-1000q-41 0 -70.5 29.5t-29.5 70.5v100q0 41 29.5 70.5t70.5 29.5zM1100 296h-300v-100h300v100z " />
+<glyph unicode="&#xe138;" d="M150 1200h900q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM700 500v-300l-200 -200v500l-350 500h900z" />
+<glyph unicode="&#xe139;" d="M500 1200h200q41 0 70.5 -29.5t29.5 -70.5v-100h300q41 0 70.5 -29.5t29.5 -70.5v-400h-500v100h-200v-100h-500v400q0 41 29.5 70.5t70.5 29.5h300v100q0 41 29.5 70.5t70.5 29.5zM500 1100v-100h200v100h-200zM1200 400v-200q0 -41 -29.5 -70.5t-70.5 -29.5h-1000 q-41 0 -70.5 29.5t-29.5 70.5v200h1200z" />
+<glyph unicode="&#xe140;" d="M50 1200h300q21 0 25 -10.5t-10 -24.5l-94 -94l199 -199q7 -8 7 -18t-7 -18l-106 -106q-8 -7 -18 -7t-18 7l-199 199l-94 -94q-14 -14 -24.5 -10t-10.5 25v300q0 21 14.5 35.5t35.5 14.5zM850 1200h300q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -10.5 -25t-24.5 10l-94 94 l-199 -199q-8 -7 -18 -7t-18 7l-106 106q-7 8 -7 18t7 18l199 199l-94 94q-14 14 -10 24.5t25 10.5zM364 470l106 -106q7 -8 7 -18t-7 -18l-199 -199l94 -94q14 -14 10 -24.5t-25 -10.5h-300q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 10.5 25t24.5 -10l94 -94l199 199 q8 7 18 7t18 -7zM1071 271l94 94q14 14 24.5 10t10.5 -25v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -25 10.5t10 24.5l94 94l-199 199q-7 8 -7 18t7 18l106 106q8 7 18 7t18 -7z" />
+<glyph unicode="&#xe141;" d="M596 1192q121 0 231.5 -47.5t190 -127t127 -190t47.5 -231.5t-47.5 -231.5t-127 -190.5t-190 -127t-231.5 -47t-231.5 47t-190.5 127t-127 190.5t-47 231.5t47 231.5t127 190t190.5 127t231.5 47.5zM596 1010q-112 0 -207.5 -55.5t-151 -151t-55.5 -207.5t55.5 -207.5 t151 -151t207.5 -55.5t207.5 55.5t151 151t55.5 207.5t-55.5 207.5t-151 151t-207.5 55.5zM454.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38.5 -16.5t-38.5 16.5t-16 39t16 38.5t38.5 16zM754.5 905q22.5 0 38.5 -16t16 -38.5t-16 -39t-38 -16.5q-14 0 -29 10l-55 -145 q17 -23 17 -51q0 -36 -25.5 -61.5t-61.5 -25.5t-61.5 25.5t-25.5 61.5q0 32 20.5 56.5t51.5 29.5l122 126l1 1q-9 14 -9 28q0 23 16 39t38.5 16zM345.5 709q22.5 0 38.5 -16t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16zM854.5 709q22.5 0 38.5 -16 t16 -38.5t-16 -38.5t-38.5 -16t-38.5 16t-16 38.5t16 38.5t38.5 16z" />
+<glyph unicode="&#xe142;" d="M546 173l469 470q91 91 99 192q7 98 -52 175.5t-154 94.5q-22 4 -47 4q-34 0 -66.5 -10t-56.5 -23t-55.5 -38t-48 -41.5t-48.5 -47.5q-376 -375 -391 -390q-30 -27 -45 -41.5t-37.5 -41t-32 -46.5t-16 -47.5t-1.5 -56.5q9 -62 53.5 -95t99.5 -33q74 0 125 51l548 548 q36 36 20 75q-7 16 -21.5 26t-32.5 10q-26 0 -50 -23q-13 -12 -39 -38l-341 -338q-15 -15 -35.5 -15.5t-34.5 13.5t-14 34.5t14 34.5q327 333 361 367q35 35 67.5 51.5t78.5 16.5q14 0 29 -1q44 -8 74.5 -35.5t43.5 -68.5q14 -47 2 -96.5t-47 -84.5q-12 -11 -32 -32 t-79.5 -81t-114.5 -115t-124.5 -123.5t-123 -119.5t-96.5 -89t-57 -45q-56 -27 -120 -27q-70 0 -129 32t-93 89q-48 78 -35 173t81 163l511 511q71 72 111 96q91 55 198 55q80 0 152 -33q78 -36 129.5 -103t66.5 -154q17 -93 -11 -183.5t-94 -156.5l-482 -476 q-15 -15 -36 -16t-37 14t-17.5 34t14.5 35z" />
+<glyph unicode="&#xe143;" d="M649 949q48 68 109.5 104t121.5 38.5t118.5 -20t102.5 -64t71 -100.5t27 -123q0 -57 -33.5 -117.5t-94 -124.5t-126.5 -127.5t-150 -152.5t-146 -174q-62 85 -145.5 174t-150 152.5t-126.5 127.5t-93.5 124.5t-33.5 117.5q0 64 28 123t73 100.5t104 64t119 20 t120.5 -38.5t104.5 -104zM896 972q-33 0 -64.5 -19t-56.5 -46t-47.5 -53.5t-43.5 -45.5t-37.5 -19t-36 19t-40 45.5t-43 53.5t-54 46t-65.5 19q-67 0 -122.5 -55.5t-55.5 -132.5q0 -23 13.5 -51t46 -65t57.5 -63t76 -75l22 -22q15 -14 44 -44t50.5 -51t46 -44t41 -35t23 -12 t23.5 12t42.5 36t46 44t52.5 52t44 43q4 4 12 13q43 41 63.5 62t52 55t46 55t26 46t11.5 44q0 79 -53 133.5t-120 54.5z" />
+<glyph unicode="&#xe144;" d="M776.5 1214q93.5 0 159.5 -66l141 -141q66 -66 66 -160q0 -42 -28 -95.5t-62 -87.5l-29 -29q-31 53 -77 99l-18 18l95 95l-247 248l-389 -389l212 -212l-105 -106l-19 18l-141 141q-66 66 -66 159t66 159l283 283q65 66 158.5 66zM600 706l105 105q10 -8 19 -17l141 -141 q66 -66 66 -159t-66 -159l-283 -283q-66 -66 -159 -66t-159 66l-141 141q-66 66 -66 159.5t66 159.5l55 55q29 -55 75 -102l18 -17l-95 -95l247 -248l389 389z" />
+<glyph unicode="&#xe145;" d="M603 1200q85 0 162 -15t127 -38t79 -48t29 -46v-953q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-41 0 -70.5 29.5t-29.5 70.5v953q0 21 30 46.5t81 48t129 37.5t163 15zM300 1000v-700h600v700h-600zM600 254q-43 0 -73.5 -30.5t-30.5 -73.5t30.5 -73.5t73.5 -30.5t73.5 30.5 t30.5 73.5t-30.5 73.5t-73.5 30.5z" />
+<glyph unicode="&#xe146;" d="M902 1185l283 -282q15 -15 15 -36t-14.5 -35.5t-35.5 -14.5t-35 15l-36 35l-279 -267v-300l-212 210l-308 -307l-280 -203l203 280l307 308l-210 212h300l267 279l-35 36q-15 14 -15 35t14.5 35.5t35.5 14.5t35 -15z" />
+<glyph unicode="&#xe148;" d="M700 1248v-78q38 -5 72.5 -14.5t75.5 -31.5t71 -53.5t52 -84t24 -118.5h-159q-4 36 -10.5 59t-21 45t-40 35.5t-64.5 20.5v-307l64 -13q34 -7 64 -16.5t70 -32t67.5 -52.5t47.5 -80t20 -112q0 -139 -89 -224t-244 -97v-77h-100v79q-150 16 -237 103q-40 40 -52.5 93.5 t-15.5 139.5h139q5 -77 48.5 -126t117.5 -65v335l-27 8q-46 14 -79 26.5t-72 36t-63 52t-40 72.5t-16 98q0 70 25 126t67.5 92t94.5 57t110 27v77h100zM600 754v274q-29 -4 -50 -11t-42 -21.5t-31.5 -41.5t-10.5 -65q0 -29 7 -50.5t16.5 -34t28.5 -22.5t31.5 -14t37.5 -10 q9 -3 13 -4zM700 547v-310q22 2 42.5 6.5t45 15.5t41.5 27t29 42t12 59.5t-12.5 59.5t-38 44.5t-53 31t-66.5 24.5z" />
+<glyph unicode="&#xe149;" d="M561 1197q84 0 160.5 -40t123.5 -109.5t47 -147.5h-153q0 40 -19.5 71.5t-49.5 48.5t-59.5 26t-55.5 9q-37 0 -79 -14.5t-62 -35.5q-41 -44 -41 -101q0 -26 13.5 -63t26.5 -61t37 -66q6 -9 9 -14h241v-100h-197q8 -50 -2.5 -115t-31.5 -95q-45 -62 -99 -112 q34 10 83 17.5t71 7.5q32 1 102 -16t104 -17q83 0 136 30l50 -147q-31 -19 -58 -30.5t-55 -15.5t-42 -4.5t-46 -0.5q-23 0 -76 17t-111 32.5t-96 11.5q-39 -3 -82 -16t-67 -25l-23 -11l-55 145q4 3 16 11t15.5 10.5t13 9t15.5 12t14.5 14t17.5 18.5q48 55 54 126.5 t-30 142.5h-221v100h166q-23 47 -44 104q-7 20 -12 41.5t-6 55.5t6 66.5t29.5 70.5t58.5 71q97 88 263 88z" />
+<glyph unicode="&#xe150;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM935 1184l230 -249q14 -14 10 -24.5t-25 -10.5h-150v-900h-200v900h-150q-21 0 -25 10.5t10 24.5l230 249q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe151;" d="M1000 700h-100v100h-100v-100h-100v500h300v-500zM400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM801 1100v-200h100v200h-100zM1000 350l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150z " />
+<glyph unicode="&#xe152;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 1050l-200 -250h200v-100h-300v150l200 250h-200v100h300v-150zM1000 0h-100v100h-100v-100h-100v500h300v-500zM801 400v-200h100v200h-100z " />
+<glyph unicode="&#xe153;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1000 700h-100v400h-100v100h200v-500zM1100 0h-100v100h-200v400h300v-500zM901 400v-200h100v200h-100z" />
+<glyph unicode="&#xe154;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1100 700h-100v100h-200v400h300v-500zM901 1100v-200h100v200h-100zM1000 0h-100v400h-100v100h200v-500z" />
+<glyph unicode="&#xe155;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM900 1000h-200v200h200v-200zM1000 700h-300v200h300v-200zM1100 400h-400v200h400v-200zM1200 100h-500v200h500v-200z" />
+<glyph unicode="&#xe156;" d="M400 300h150q21 0 25 -11t-10 -25l-230 -250q-14 -15 -35 -15t-35 15l-230 250q-14 14 -10 25t25 11h150v900h200v-900zM1200 1000h-500v200h500v-200zM1100 700h-400v200h400v-200zM1000 400h-300v200h300v-200zM900 100h-200v200h200v-200z" />
+<glyph unicode="&#xe157;" d="M350 1100h400q162 0 256 -93.5t94 -256.5v-400q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5z" />
+<glyph unicode="&#xe158;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-163 0 -256.5 92.5t-93.5 257.5v400q0 163 94 256.5t256 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM440 770l253 -190q17 -12 17 -30t-17 -30l-253 -190q-16 -12 -28 -6.5t-12 26.5v400q0 21 12 26.5t28 -6.5z" />
+<glyph unicode="&#xe159;" d="M350 1100h400q163 0 256.5 -94t93.5 -256v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 163 92.5 256.5t257.5 93.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM350 700h400q21 0 26.5 -12t-6.5 -28l-190 -253q-12 -17 -30 -17t-30 17l-190 253q-12 16 -6.5 28t26.5 12z" />
+<glyph unicode="&#xe160;" d="M350 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -163 -92.5 -256.5t-257.5 -93.5h-400q-163 0 -256.5 94t-93.5 256v400q0 165 92.5 257.5t257.5 92.5zM800 900h-500q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5 v500q0 41 -29.5 70.5t-70.5 29.5zM580 693l190 -253q12 -16 6.5 -28t-26.5 -12h-400q-21 0 -26.5 12t6.5 28l190 253q12 17 30 17t30 -17z" />
+<glyph unicode="&#xe161;" d="M550 1100h400q165 0 257.5 -92.5t92.5 -257.5v-400q0 -165 -92.5 -257.5t-257.5 -92.5h-400q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h450q41 0 70.5 29.5t29.5 70.5v500q0 41 -29.5 70.5t-70.5 29.5h-450q-21 0 -35.5 14.5t-14.5 35.5v100 q0 21 14.5 35.5t35.5 14.5zM338 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
+<glyph unicode="&#xe162;" d="M793 1182l9 -9q8 -10 5 -27q-3 -11 -79 -225.5t-78 -221.5l300 1q24 0 32.5 -17.5t-5.5 -35.5q-1 0 -133.5 -155t-267 -312.5t-138.5 -162.5q-12 -15 -26 -15h-9l-9 8q-9 11 -4 32q2 9 42 123.5t79 224.5l39 110h-302q-23 0 -31 19q-10 21 6 41q75 86 209.5 237.5 t228 257t98.5 111.5q9 16 25 16h9z" />
+<glyph unicode="&#xe163;" d="M350 1100h400q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-450q-41 0 -70.5 -29.5t-29.5 -70.5v-500q0 -41 29.5 -70.5t70.5 -29.5h450q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400 q0 165 92.5 257.5t257.5 92.5zM938 867l324 -284q16 -14 16 -33t-16 -33l-324 -284q-16 -14 -27 -9t-11 26v150h-250q-21 0 -35.5 14.5t-14.5 35.5v200q0 21 14.5 35.5t35.5 14.5h250v150q0 21 11 26t27 -9z" />
+<glyph unicode="&#xe164;" d="M750 1200h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -10.5 -25t-24.5 10l-109 109l-312 -312q-15 -15 -35.5 -15t-35.5 15l-141 141q-15 15 -15 35.5t15 35.5l312 312l-109 109q-14 14 -10 24.5t25 10.5zM456 900h-156q-41 0 -70.5 -29.5t-29.5 -70.5v-500 q0 -41 29.5 -70.5t70.5 -29.5h500q41 0 70.5 29.5t29.5 70.5v148l200 200v-298q0 -165 -93.5 -257.5t-256.5 -92.5h-400q-165 0 -257.5 92.5t-92.5 257.5v400q0 165 92.5 257.5t257.5 92.5h300z" />
+<glyph unicode="&#xe165;" d="M600 1186q119 0 227.5 -46.5t187 -125t125 -187t46.5 -227.5t-46.5 -227.5t-125 -187t-187 -125t-227.5 -46.5t-227.5 46.5t-187 125t-125 187t-46.5 227.5t46.5 227.5t125 187t187 125t227.5 46.5zM600 1022q-115 0 -212 -56.5t-153.5 -153.5t-56.5 -212t56.5 -212 t153.5 -153.5t212 -56.5t212 56.5t153.5 153.5t56.5 212t-56.5 212t-153.5 153.5t-212 56.5zM600 794q80 0 137 -57t57 -137t-57 -137t-137 -57t-137 57t-57 137t57 137t137 57z" />
+<glyph unicode="&#xe166;" d="M450 1200h200q21 0 35.5 -14.5t14.5 -35.5v-350h245q20 0 25 -11t-9 -26l-383 -426q-14 -15 -33.5 -15t-32.5 15l-379 426q-13 15 -8.5 26t25.5 11h250v350q0 21 14.5 35.5t35.5 14.5zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe167;" d="M583 1182l378 -435q14 -15 9 -31t-26 -16h-244v-250q0 -20 -17 -35t-39 -15h-200q-20 0 -32 14.5t-12 35.5v250h-250q-20 0 -25.5 16.5t8.5 31.5l383 431q14 16 33.5 17t33.5 -14zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5z M900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe168;" d="M396 723l369 369q7 7 17.5 7t17.5 -7l139 -139q7 -8 7 -18.5t-7 -17.5l-525 -525q-7 -8 -17.5 -8t-17.5 8l-292 291q-7 8 -7 18t7 18l139 139q8 7 18.5 7t17.5 -7zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50 h-100z" />
+<glyph unicode="&#xe169;" d="M135 1023l142 142q14 14 35 14t35 -14l77 -77l-212 -212l-77 76q-14 15 -14 36t14 35zM655 855l210 210q14 14 24.5 10t10.5 -25l-2 -599q-1 -20 -15.5 -35t-35.5 -15l-597 -1q-21 0 -25 10.5t10 24.5l208 208l-154 155l212 212zM50 300h1000q21 0 35.5 -14.5t14.5 -35.5 v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe170;" d="M350 1200l599 -2q20 -1 35 -15.5t15 -35.5l1 -597q0 -21 -10.5 -25t-24.5 10l-208 208l-155 -154l-212 212l155 154l-210 210q-14 14 -10 24.5t25 10.5zM524 512l-76 -77q-15 -14 -36 -14t-35 14l-142 142q-14 14 -14 35t14 35l77 77zM50 300h1000q21 0 35.5 -14.5 t14.5 -35.5v-250h-1100v250q0 21 14.5 35.5t35.5 14.5zM900 200v-50h100v50h-100z" />
+<glyph unicode="&#xe171;" d="M1200 103l-483 276l-314 -399v423h-399l1196 796v-1096zM483 424v-230l683 953z" />
+<glyph unicode="&#xe172;" d="M1100 1000v-850q0 -21 -14.5 -35.5t-35.5 -14.5h-150v400h-700v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200z" />
+<glyph unicode="&#xe173;" d="M1100 1000l-2 -149l-299 -299l-95 95q-9 9 -21.5 9t-21.5 -9l-149 -147h-312v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1132 638l106 -106q7 -7 7 -17.5t-7 -17.5l-420 -421q-8 -7 -18 -7 t-18 7l-202 203q-8 7 -8 17.5t8 17.5l106 106q7 8 17.5 8t17.5 -8l79 -79l297 297q7 7 17.5 7t17.5 -7z" />
+<glyph unicode="&#xe174;" d="M1100 1000v-269l-103 -103l-134 134q-15 15 -33.5 16.5t-34.5 -12.5l-266 -266h-329v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM1202 572l70 -70q15 -15 15 -35.5t-15 -35.5l-131 -131 l131 -131q15 -15 15 -35.5t-15 -35.5l-70 -70q-15 -15 -35.5 -15t-35.5 15l-131 131l-131 -131q-15 -15 -35.5 -15t-35.5 15l-70 70q-15 15 -15 35.5t15 35.5l131 131l-131 131q-15 15 -15 35.5t15 35.5l70 70q15 15 35.5 15t35.5 -15l131 -131l131 131q15 15 35.5 15 t35.5 -15z" />
+<glyph unicode="&#xe175;" d="M1100 1000v-300h-350q-21 0 -35.5 -14.5t-14.5 -35.5v-150h-500v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM850 600h100q21 0 35.5 -14.5t14.5 -35.5v-250h150q21 0 25 -10.5t-10 -24.5 l-230 -230q-14 -14 -35 -14t-35 14l-230 230q-14 14 -10 24.5t25 10.5h150v250q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe176;" d="M1100 1000v-400l-165 165q-14 15 -35 15t-35 -15l-263 -265h-402v-400h-150q-21 0 -35.5 14.5t-14.5 35.5v1000q0 20 14.5 35t35.5 15h250v-300h500v300h100zM700 1000h-100v200h100v-200zM935 565l230 -229q14 -15 10 -25.5t-25 -10.5h-150v-250q0 -20 -14.5 -35 t-35.5 -15h-100q-21 0 -35.5 15t-14.5 35v250h-150q-21 0 -25 10.5t10 25.5l230 229q14 15 35 15t35 -15z" />
+<glyph unicode="&#xe177;" d="M50 1100h1100q21 0 35.5 -14.5t14.5 -35.5v-150h-1200v150q0 21 14.5 35.5t35.5 14.5zM1200 800v-550q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v550h1200zM100 500v-200h400v200h-400z" />
+<glyph unicode="&#xe178;" d="M935 1165l248 -230q14 -14 14 -35t-14 -35l-248 -230q-14 -14 -24.5 -10t-10.5 25v150h-400v200h400v150q0 21 10.5 25t24.5 -10zM200 800h-50q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v-200zM400 800h-100v200h100v-200zM18 435l247 230 q14 14 24.5 10t10.5 -25v-150h400v-200h-400v-150q0 -21 -10.5 -25t-24.5 10l-247 230q-15 14 -15 35t15 35zM900 300h-100v200h100v-200zM1000 500h51q20 0 34.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-34.5 -14.5h-51v200z" />
+<glyph unicode="&#xe179;" d="M862 1073l276 116q25 18 43.5 8t18.5 -41v-1106q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v397q-4 1 -11 5t-24 17.5t-30 29t-24 42t-11 56.5v359q0 31 18.5 65t43.5 52zM550 1200q22 0 34.5 -12.5t14.5 -24.5l1 -13v-450q0 -28 -10.5 -59.5 t-25 -56t-29 -45t-25.5 -31.5l-10 -11v-447q0 -21 -14.5 -35.5t-35.5 -14.5h-200q-21 0 -35.5 14.5t-14.5 35.5v447q-4 4 -11 11.5t-24 30.5t-30 46t-24 55t-11 60v450q0 2 0.5 5.5t4 12t8.5 15t14.5 12t22.5 5.5q20 0 32.5 -12.5t14.5 -24.5l3 -13v-350h100v350v5.5t2.5 12 t7 15t15 12t25.5 5.5q23 0 35.5 -12.5t13.5 -24.5l1 -13v-350h100v350q0 2 0.5 5.5t3 12t7 15t15 12t24.5 5.5z" />
+<glyph unicode="&#xe180;" d="M1200 1100v-56q-4 0 -11 -0.5t-24 -3t-30 -7.5t-24 -15t-11 -24v-888q0 -22 25 -34.5t50 -13.5l25 -2v-56h-400v56q75 0 87.5 6.5t12.5 43.5v394h-500v-394q0 -37 12.5 -43.5t87.5 -6.5v-56h-400v56q4 0 11 0.5t24 3t30 7.5t24 15t11 24v888q0 22 -25 34.5t-50 13.5 l-25 2v56h400v-56q-75 0 -87.5 -6.5t-12.5 -43.5v-394h500v394q0 37 -12.5 43.5t-87.5 6.5v56h400z" />
+<glyph unicode="&#xe181;" d="M675 1000h375q21 0 35.5 -14.5t14.5 -35.5v-150h-105l-295 -98v98l-200 200h-400l100 100h375zM100 900h300q41 0 70.5 -29.5t29.5 -70.5v-500q0 -41 -29.5 -70.5t-70.5 -29.5h-300q-41 0 -70.5 29.5t-29.5 70.5v500q0 41 29.5 70.5t70.5 29.5zM100 800v-200h300v200 h-300zM1100 535l-400 -133v163l400 133v-163zM100 500v-200h300v200h-300zM1100 398v-248q0 -21 -14.5 -35.5t-35.5 -14.5h-375l-100 -100h-375l-100 100h400l200 200h105z" />
+<glyph unicode="&#xe182;" d="M17 1007l162 162q17 17 40 14t37 -22l139 -194q14 -20 11 -44.5t-20 -41.5l-119 -118q102 -142 228 -268t267 -227l119 118q17 17 42.5 19t44.5 -12l192 -136q19 -14 22.5 -37.5t-13.5 -40.5l-163 -162q-3 -1 -9.5 -1t-29.5 2t-47.5 6t-62.5 14.5t-77.5 26.5t-90 42.5 t-101.5 60t-111 83t-119 108.5q-74 74 -133.5 150.5t-94.5 138.5t-60 119.5t-34.5 100t-15 74.5t-4.5 48z" />
+<glyph unicode="&#xe183;" d="M600 1100q92 0 175 -10.5t141.5 -27t108.5 -36.5t81.5 -40t53.5 -37t31 -27l9 -10v-200q0 -21 -14.5 -33t-34.5 -9l-202 34q-20 3 -34.5 20t-14.5 38v146q-141 24 -300 24t-300 -24v-146q0 -21 -14.5 -38t-34.5 -20l-202 -34q-20 -3 -34.5 9t-14.5 33v200q3 4 9.5 10.5 t31 26t54 37.5t80.5 39.5t109 37.5t141 26.5t175 10.5zM600 795q56 0 97 -9.5t60 -23.5t30 -28t12 -24l1 -10v-50l365 -303q14 -15 24.5 -40t10.5 -45v-212q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v212q0 20 10.5 45t24.5 40l365 303v50 q0 4 1 10.5t12 23t30 29t60 22.5t97 10z" />
+<glyph unicode="&#xe184;" d="M1100 700l-200 -200h-600l-200 200v500h200v-200h200v200h200v-200h200v200h200v-500zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5 t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe185;" d="M700 1100h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-1000h300v1000q0 41 -29.5 70.5t-70.5 29.5zM1100 800h-100q-41 0 -70.5 -29.5t-29.5 -70.5v-700h300v700q0 41 -29.5 70.5t-70.5 29.5zM400 0h-300v400q0 41 29.5 70.5t70.5 29.5h100q41 0 70.5 -29.5t29.5 -70.5v-400z " />
+<glyph unicode="&#xe186;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
+<glyph unicode="&#xe187;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 300h-100v200h-100v-200h-100v500h100v-200h100v200h100v-500zM900 700v-300l-100 -100h-200v500h200z M700 700v-300h100v300h-100z" />
+<glyph unicode="&#xe188;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-300h200v-100h-300v500h300v-100zM900 700h-200v-300h200v-100h-300v500h300v-100z" />
+<glyph unicode="&#xe189;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 400l-300 150l300 150v-300zM900 550l-300 -150v300z" />
+<glyph unicode="&#xe190;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM900 300h-700v500h700v-500zM800 700h-130q-38 0 -66.5 -43t-28.5 -108t27 -107t68 -42h130v300zM300 700v-300 h130q41 0 68 42t27 107t-28.5 108t-66.5 43h-130z" />
+<glyph unicode="&#xe191;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 700h-200v-100h200v-300h-300v100h200v100h-200v300h300v-100zM900 300h-100v400h-100v100h200v-500z M700 300h-100v100h100v-100z" />
+<glyph unicode="&#xe192;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM300 700h200v-400h-300v500h100v-100zM900 300h-100v400h-100v100h200v-500zM300 600v-200h100v200h-100z M700 300h-100v100h100v-100z" />
+<glyph unicode="&#xe193;" d="M200 1100h700q124 0 212 -88t88 -212v-500q0 -124 -88 -212t-212 -88h-700q-124 0 -212 88t-88 212v500q0 124 88 212t212 88zM100 900v-700h900v700h-900zM500 500l-199 -200h-100v50l199 200v150h-200v100h300v-300zM900 300h-100v400h-100v100h200v-500zM701 300h-100 v100h100v-100z" />
+<glyph unicode="&#xe194;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700h-300v-200h300v-100h-300l-100 100v200l100 100h300v-100z" />
+<glyph unicode="&#xe195;" d="M600 1191q120 0 229.5 -47t188.5 -126t126 -188.5t47 -229.5t-47 -229.5t-126 -188.5t-188.5 -126t-229.5 -47t-229.5 47t-188.5 126t-126 188.5t-47 229.5t47 229.5t126 188.5t188.5 126t229.5 47zM600 1021q-114 0 -211 -56.5t-153.5 -153.5t-56.5 -211t56.5 -211 t153.5 -153.5t211 -56.5t211 56.5t153.5 153.5t56.5 211t-56.5 211t-153.5 153.5t-211 56.5zM800 700v-100l-50 -50l100 -100v-50h-100l-100 100h-150v-100h-100v400h300zM500 700v-100h200v100h-200z" />
+<glyph unicode="&#xe197;" d="M503 1089q110 0 200.5 -59.5t134.5 -156.5q44 14 90 14q120 0 205 -86.5t85 -207t-85 -207t-205 -86.5h-128v250q0 21 -14.5 35.5t-35.5 14.5h-300q-21 0 -35.5 -14.5t-14.5 -35.5v-250h-222q-80 0 -136 57.5t-56 136.5q0 69 43 122.5t108 67.5q-2 19 -2 37q0 100 49 185 t134 134t185 49zM525 500h150q10 0 17.5 -7.5t7.5 -17.5v-275h137q21 0 26 -11.5t-8 -27.5l-223 -244q-13 -16 -32 -16t-32 16l-223 244q-13 16 -8 27.5t26 11.5h137v275q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe198;" d="M502 1089q110 0 201 -59.5t135 -156.5q43 15 89 15q121 0 206 -86.5t86 -206.5q0 -99 -60 -181t-150 -110l-378 360q-13 16 -31.5 16t-31.5 -16l-381 -365h-9q-79 0 -135.5 57.5t-56.5 136.5q0 69 43 122.5t108 67.5q-2 19 -2 38q0 100 49 184.5t133.5 134t184.5 49.5z M632 467l223 -228q13 -16 8 -27.5t-26 -11.5h-137v-275q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v275h-137q-21 0 -26 11.5t8 27.5q199 204 223 228q19 19 31.5 19t32.5 -19z" />
+<glyph unicode="&#xe199;" d="M700 100v100h400l-270 300h170l-270 300h170l-300 333l-300 -333h170l-270 -300h170l-270 -300h400v-100h-50q-21 0 -35.5 -14.5t-14.5 -35.5v-50h400v50q0 21 -14.5 35.5t-35.5 14.5h-50z" />
+<glyph unicode="&#xe200;" d="M600 1179q94 0 167.5 -56.5t99.5 -145.5q89 -6 150.5 -71.5t61.5 -155.5q0 -61 -29.5 -112.5t-79.5 -82.5q9 -29 9 -55q0 -74 -52.5 -126.5t-126.5 -52.5q-55 0 -100 30v-251q21 0 35.5 -14.5t14.5 -35.5v-50h-300v50q0 21 14.5 35.5t35.5 14.5v251q-45 -30 -100 -30 q-74 0 -126.5 52.5t-52.5 126.5q0 18 4 38q-47 21 -75.5 65t-28.5 97q0 74 52.5 126.5t126.5 52.5q5 0 23 -2q0 2 -1 10t-1 13q0 116 81.5 197.5t197.5 81.5z" />
+<glyph unicode="&#xe201;" d="M1010 1010q111 -111 150.5 -260.5t0 -299t-150.5 -260.5q-83 -83 -191.5 -126.5t-218.5 -43.5t-218.5 43.5t-191.5 126.5q-111 111 -150.5 260.5t0 299t150.5 260.5q83 83 191.5 126.5t218.5 43.5t218.5 -43.5t191.5 -126.5zM476 1065q-4 0 -8 -1q-121 -34 -209.5 -122.5 t-122.5 -209.5q-4 -12 2.5 -23t18.5 -14l36 -9q3 -1 7 -1q23 0 29 22q27 96 98 166q70 71 166 98q11 3 17.5 13.5t3.5 22.5l-9 35q-3 13 -14 19q-7 4 -15 4zM512 920q-4 0 -9 -2q-80 -24 -138.5 -82.5t-82.5 -138.5q-4 -13 2 -24t19 -14l34 -9q4 -1 8 -1q22 0 28 21 q18 58 58.5 98.5t97.5 58.5q12 3 18 13.5t3 21.5l-9 35q-3 12 -14 19q-7 4 -15 4zM719.5 719.5q-49.5 49.5 -119.5 49.5t-119.5 -49.5t-49.5 -119.5t49.5 -119.5t119.5 -49.5t119.5 49.5t49.5 119.5t-49.5 119.5zM855 551q-22 0 -28 -21q-18 -58 -58.5 -98.5t-98.5 -57.5 q-11 -4 -17 -14.5t-3 -21.5l9 -35q3 -12 14 -19q7 -4 15 -4q4 0 9 2q80 24 138.5 82.5t82.5 138.5q4 13 -2.5 24t-18.5 14l-34 9q-4 1 -8 1zM1000 515q-23 0 -29 -22q-27 -96 -98 -166q-70 -71 -166 -98q-11 -3 -17.5 -13.5t-3.5 -22.5l9 -35q3 -13 14 -19q7 -4 15 -4 q4 0 8 1q121 34 209.5 122.5t122.5 209.5q4 12 -2.5 23t-18.5 14l-36 9q-3 1 -7 1z" />
+<glyph unicode="&#xe202;" d="M700 800h300v-380h-180v200h-340v-200h-380v755q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM700 300h162l-212 -212l-212 212h162v200h100v-200zM520 0h-395q-10 0 -17.5 7.5t-7.5 17.5v395zM1000 220v-195q0 -10 -7.5 -17.5t-17.5 -7.5h-195z" />
+<glyph unicode="&#xe203;" d="M700 800h300v-520l-350 350l-550 -550v1095q0 10 7.5 17.5t17.5 7.5h575v-400zM1000 900h-200v200zM862 200h-162v-200h-100v200h-162l212 212zM480 0h-355q-10 0 -17.5 7.5t-7.5 17.5v55h380v-80zM1000 80v-55q0 -10 -7.5 -17.5t-17.5 -7.5h-155v80h180z" />
+<glyph unicode="&#xe204;" d="M1162 800h-162v-200h100l100 -100h-300v300h-162l212 212zM200 800h200q27 0 40 -2t29.5 -10.5t23.5 -30t7 -57.5h300v-100h-600l-200 -350v450h100q0 36 7 57.5t23.5 30t29.5 10.5t40 2zM800 400h240l-240 -400h-800l300 500h500v-100z" />
+<glyph unicode="&#xe205;" d="M650 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM1000 850v150q41 0 70.5 -29.5t29.5 -70.5v-800 q0 -41 -29.5 -70.5t-70.5 -29.5h-600q-1 0 -20 4l246 246l-326 326v324q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM412 250l-212 -212v162h-200v100h200v162z" />
+<glyph unicode="&#xe206;" d="M450 1100h100q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-300q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h50v50q0 21 14.5 35.5t35.5 14.5zM800 850v150q41 0 70.5 -29.5t29.5 -70.5v-500 h-200v-300h200q0 -36 -7 -57.5t-23.5 -30t-29.5 -10.5t-40 -2h-600q-41 0 -70.5 29.5t-29.5 70.5v800q0 41 29.5 70.5t70.5 29.5v-150q0 -62 44 -106t106 -44h300q62 0 106 44t44 106zM1212 250l-212 -212v162h-200v100h200v162z" />
+<glyph unicode="&#xe209;" d="M658 1197l637 -1104q23 -38 7 -65.5t-60 -27.5h-1276q-44 0 -60 27.5t7 65.5l637 1104q22 39 54 39t54 -39zM704 800h-208q-20 0 -32 -14.5t-8 -34.5l58 -302q4 -20 21.5 -34.5t37.5 -14.5h54q20 0 37.5 14.5t21.5 34.5l58 302q4 20 -8 34.5t-32 14.5zM500 300v-100h200 v100h-200z" />
+<glyph unicode="&#xe210;" d="M425 1100h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM825 800h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM25 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5zM425 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 500h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5 v150q0 10 7.5 17.5t17.5 7.5zM25 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM425 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5 t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM825 200h250q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-250q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe211;" d="M700 1200h100v-200h-100v-100h350q62 0 86.5 -39.5t-3.5 -94.5l-66 -132q-41 -83 -81 -134h-772q-40 51 -81 134l-66 132q-28 55 -3.5 94.5t86.5 39.5h350v100h-100v200h100v100h200v-100zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-12l137 -100 h-950l138 100h-13q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe212;" d="M600 1300q40 0 68.5 -29.5t28.5 -70.5h-194q0 41 28.5 70.5t68.5 29.5zM443 1100h314q18 -37 18 -75q0 -8 -3 -25h328q41 0 44.5 -16.5t-30.5 -38.5l-175 -145h-678l-178 145q-34 22 -29 38.5t46 16.5h328q-3 17 -3 25q0 38 18 75zM250 700h700q21 0 35.5 -14.5 t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-150v-200l275 -200h-950l275 200v200h-150q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe213;" d="M600 1181q75 0 128 -53t53 -128t-53 -128t-128 -53t-128 53t-53 128t53 128t128 53zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13 l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe214;" d="M600 1300q47 0 92.5 -53.5t71 -123t25.5 -123.5q0 -78 -55.5 -133.5t-133.5 -55.5t-133.5 55.5t-55.5 133.5q0 62 34 143l144 -143l111 111l-163 163q34 26 63 26zM602 798h46q34 0 55.5 -28.5t21.5 -86.5q0 -76 39 -183h-324q39 107 39 183q0 58 21.5 86.5t56.5 28.5h45 zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe215;" d="M600 1200l300 -161v-139h-300q0 -57 18.5 -108t50 -91.5t63 -72t70 -67.5t57.5 -61h-530q-60 83 -90.5 177.5t-30.5 178.5t33 164.5t87.5 139.5t126 96.5t145.5 41.5v-98zM250 400h700q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-13l138 -100h-950l137 100 h-12q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5zM50 100h1100q21 0 35.5 -14.5t14.5 -35.5v-50h-1200v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe216;" d="M600 1300q41 0 70.5 -29.5t29.5 -70.5v-78q46 -26 73 -72t27 -100v-50h-400v50q0 54 27 100t73 72v78q0 41 29.5 70.5t70.5 29.5zM400 800h400q54 0 100 -27t72 -73h-172v-100h200v-100h-200v-100h200v-100h-200v-100h200q0 -83 -58.5 -141.5t-141.5 -58.5h-400 q-83 0 -141.5 58.5t-58.5 141.5v400q0 83 58.5 141.5t141.5 58.5z" />
+<glyph unicode="&#xe218;" d="M150 1100h900q21 0 35.5 -14.5t14.5 -35.5v-500q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v500q0 21 14.5 35.5t35.5 14.5zM125 400h950q10 0 17.5 -7.5t7.5 -17.5v-50q0 -10 -7.5 -17.5t-17.5 -7.5h-283l224 -224q13 -13 13 -31.5t-13 -32 t-31.5 -13.5t-31.5 13l-88 88h-524l-87 -88q-13 -13 -32 -13t-32 13.5t-13 32t13 31.5l224 224h-289q-10 0 -17.5 7.5t-7.5 17.5v50q0 10 7.5 17.5t17.5 7.5zM541 300l-100 -100h324l-100 100h-124z" />
+<glyph unicode="&#xe219;" d="M200 1100h800q83 0 141.5 -58.5t58.5 -141.5v-200h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100q0 41 -29.5 70.5t-70.5 29.5h-250q-41 0 -70.5 -29.5t-29.5 -70.5h-100v200q0 83 58.5 141.5t141.5 58.5zM100 600h1000q41 0 70.5 -29.5 t29.5 -70.5v-300h-1200v300q0 41 29.5 70.5t70.5 29.5zM300 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200zM1100 100v-50q0 -21 -14.5 -35.5t-35.5 -14.5h-100q-21 0 -35.5 14.5t-14.5 35.5v50h200z" />
+<glyph unicode="&#xe221;" d="M480 1165l682 -683q31 -31 31 -75.5t-31 -75.5l-131 -131h-481l-517 518q-32 31 -32 75.5t32 75.5l295 296q31 31 75.5 31t76.5 -31zM108 794l342 -342l303 304l-341 341zM250 100h800q21 0 35.5 -14.5t14.5 -35.5v-50h-900v50q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe223;" d="M1057 647l-189 506q-8 19 -27.5 33t-40.5 14h-400q-21 0 -40.5 -14t-27.5 -33l-189 -506q-8 -19 1.5 -33t30.5 -14h625v-150q0 -21 14.5 -35.5t35.5 -14.5t35.5 14.5t14.5 35.5v150h125q21 0 30.5 14t1.5 33zM897 0h-595v50q0 21 14.5 35.5t35.5 14.5h50v50 q0 21 14.5 35.5t35.5 14.5h48v300h200v-300h47q21 0 35.5 -14.5t14.5 -35.5v-50h50q21 0 35.5 -14.5t14.5 -35.5v-50z" />
+<glyph unicode="&#xe224;" d="M900 800h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-375v591l-300 300v84q0 10 7.5 17.5t17.5 7.5h375v-400zM1200 900h-200v200zM400 600h300v-575q0 -10 -7.5 -17.5t-17.5 -7.5h-650q-10 0 -17.5 7.5t-7.5 17.5v950q0 10 7.5 17.5t17.5 7.5h375v-400zM700 700h-200v200z " />
+<glyph unicode="&#xe225;" d="M484 1095h195q75 0 146 -32.5t124 -86t89.5 -122.5t48.5 -142q18 -14 35 -20q31 -10 64.5 6.5t43.5 48.5q10 34 -15 71q-19 27 -9 43q5 8 12.5 11t19 -1t23.5 -16q41 -44 39 -105q-3 -63 -46 -106.5t-104 -43.5h-62q-7 -55 -35 -117t-56 -100l-39 -234q-3 -20 -20 -34.5 t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l12 70q-49 -14 -91 -14h-195q-24 0 -65 8l-11 -64q-3 -20 -20 -34.5t-38 -14.5h-100q-21 0 -33 14.5t-9 34.5l26 157q-84 74 -128 175l-159 53q-19 7 -33 26t-14 40v50q0 21 14.5 35.5t35.5 14.5h124q11 87 56 166l-111 95 q-16 14 -12.5 23.5t24.5 9.5h203q116 101 250 101zM675 1000h-250q-10 0 -17.5 -7.5t-7.5 -17.5v-50q0 -10 7.5 -17.5t17.5 -7.5h250q10 0 17.5 7.5t7.5 17.5v50q0 10 -7.5 17.5t-17.5 7.5z" />
+<glyph unicode="&#xe226;" d="M641 900l423 247q19 8 42 2.5t37 -21.5l32 -38q14 -15 12.5 -36t-17.5 -34l-139 -120h-390zM50 1100h106q67 0 103 -17t66 -71l102 -212h823q21 0 35.5 -14.5t14.5 -35.5v-50q0 -21 -14 -40t-33 -26l-737 -132q-23 -4 -40 6t-26 25q-42 67 -100 67h-300q-62 0 -106 44 t-44 106v200q0 62 44 106t106 44zM173 928h-80q-19 0 -28 -14t-9 -35v-56q0 -51 42 -51h134q16 0 21.5 8t5.5 24q0 11 -16 45t-27 51q-18 28 -43 28zM550 727q-32 0 -54.5 -22.5t-22.5 -54.5t22.5 -54.5t54.5 -22.5t54.5 22.5t22.5 54.5t-22.5 54.5t-54.5 22.5zM130 389 l152 130q18 19 34 24t31 -3.5t24.5 -17.5t25.5 -28q28 -35 50.5 -51t48.5 -13l63 5l48 -179q13 -61 -3.5 -97.5t-67.5 -79.5l-80 -69q-47 -40 -109 -35.5t-103 51.5l-130 151q-40 47 -35.5 109.5t51.5 102.5zM380 377l-102 -88q-31 -27 2 -65l37 -43q13 -15 27.5 -19.5 t31.5 6.5l61 53q19 16 14 49q-2 20 -12 56t-17 45q-11 12 -19 14t-23 -8z" />
+<glyph unicode="&#xe227;" d="M625 1200h150q10 0 17.5 -7.5t7.5 -17.5v-109q79 -33 131 -87.5t53 -128.5q1 -46 -15 -84.5t-39 -61t-46 -38t-39 -21.5l-17 -6q6 0 15 -1.5t35 -9t50 -17.5t53 -30t50 -45t35.5 -64t14.5 -84q0 -59 -11.5 -105.5t-28.5 -76.5t-44 -51t-49.5 -31.5t-54.5 -16t-49.5 -6.5 t-43.5 -1v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-100v-75q0 -10 -7.5 -17.5t-17.5 -7.5h-150q-10 0 -17.5 7.5t-7.5 17.5v75h-175q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5h75v600h-75q-10 0 -17.5 7.5t-7.5 17.5v150 q0 10 7.5 17.5t17.5 7.5h175v75q0 10 7.5 17.5t17.5 7.5h150q10 0 17.5 -7.5t7.5 -17.5v-75h100v75q0 10 7.5 17.5t17.5 7.5zM400 900v-200h263q28 0 48.5 10.5t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-263zM400 500v-200h363q28 0 48.5 10.5 t30 25t15 29t5.5 25.5l1 10q0 4 -0.5 11t-6 24t-15 30t-30 24t-48.5 11h-363z" />
+<glyph unicode="&#xe230;" d="M212 1198h780q86 0 147 -61t61 -147v-416q0 -51 -18 -142.5t-36 -157.5l-18 -66q-29 -87 -93.5 -146.5t-146.5 -59.5h-572q-82 0 -147 59t-93 147q-8 28 -20 73t-32 143.5t-20 149.5v416q0 86 61 147t147 61zM600 1045q-70 0 -132.5 -11.5t-105.5 -30.5t-78.5 -41.5 t-57 -45t-36 -41t-20.5 -30.5l-6 -12l156 -243h560l156 243q-2 5 -6 12.5t-20 29.5t-36.5 42t-57 44.5t-79 42t-105 29.5t-132.5 12zM762 703h-157l195 261z" />
+<glyph unicode="&#xe231;" d="M475 1300h150q103 0 189 -86t86 -189v-500q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
+<glyph unicode="&#xe232;" d="M475 1300h96q0 -150 89.5 -239.5t239.5 -89.5v-446q0 -41 -42 -83t-83 -42h-450q-41 0 -83 42t-42 83v500q0 103 86 189t189 86zM700 300v-225q0 -21 -27 -48t-48 -27h-150q-21 0 -48 27t-27 48v225h300z" />
+<glyph unicode="&#xe233;" d="M1294 767l-638 -283l-378 170l-78 -60v-224l100 -150v-199l-150 148l-150 -149v200l100 150v250q0 4 -0.5 10.5t0 9.5t1 8t3 8t6.5 6l47 40l-147 65l642 283zM1000 380l-350 -166l-350 166v147l350 -165l350 165v-147z" />
+<glyph unicode="&#xe234;" d="M250 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM650 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM1050 800q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
+<glyph unicode="&#xe235;" d="M550 1100q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 700q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44zM550 300q62 0 106 -44t44 -106t-44 -106t-106 -44t-106 44t-44 106t44 106t106 44z" />
+<glyph unicode="&#xe236;" d="M125 1100h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5zM125 700h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5 t17.5 7.5zM125 300h950q10 0 17.5 -7.5t7.5 -17.5v-150q0 -10 -7.5 -17.5t-17.5 -7.5h-950q-10 0 -17.5 7.5t-7.5 17.5v150q0 10 7.5 17.5t17.5 7.5z" />
+<glyph unicode="&#xe237;" d="M350 1200h500q162 0 256 -93.5t94 -256.5v-500q0 -165 -93.5 -257.5t-256.5 -92.5h-500q-165 0 -257.5 92.5t-92.5 257.5v500q0 165 92.5 257.5t257.5 92.5zM900 1000h-600q-41 0 -70.5 -29.5t-29.5 -70.5v-600q0 -41 29.5 -70.5t70.5 -29.5h600q41 0 70.5 29.5 t29.5 70.5v600q0 41 -29.5 70.5t-70.5 29.5zM350 900h500q21 0 35.5 -14.5t14.5 -35.5v-300q0 -21 -14.5 -35.5t-35.5 -14.5h-500q-21 0 -35.5 14.5t-14.5 35.5v300q0 21 14.5 35.5t35.5 14.5zM400 800v-200h400v200h-400z" />
+<glyph unicode="&#xe238;" d="M150 1100h1000q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5t-35.5 -14.5h-50v-200h50q21 0 35.5 -14.5t14.5 -35.5t-14.5 -35.5 t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5h50v200h-50q-21 0 -35.5 14.5t-14.5 35.5t14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe239;" d="M650 1187q87 -67 118.5 -156t0 -178t-118.5 -155q-87 66 -118.5 155t0 178t118.5 156zM300 800q124 0 212 -88t88 -212q-124 0 -212 88t-88 212zM1000 800q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM300 500q124 0 212 -88t88 -212q-124 0 -212 88t-88 212z M1000 500q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM700 199v-144q0 -21 -14.5 -35.5t-35.5 -14.5t-35.5 14.5t-14.5 35.5v142q40 -4 43 -4q17 0 57 6z" />
+<glyph unicode="&#xe240;" d="M745 878l69 19q25 6 45 -12l298 -295q11 -11 15 -26.5t-2 -30.5q-5 -14 -18 -23.5t-28 -9.5h-8q1 0 1 -13q0 -29 -2 -56t-8.5 -62t-20 -63t-33 -53t-51 -39t-72.5 -14h-146q-184 0 -184 288q0 24 10 47q-20 4 -62 4t-63 -4q11 -24 11 -47q0 -288 -184 -288h-142 q-48 0 -84.5 21t-56 51t-32 71.5t-16 75t-3.5 68.5q0 13 2 13h-7q-15 0 -27.5 9.5t-18.5 23.5q-6 15 -2 30.5t15 25.5l298 296q20 18 46 11l76 -19q20 -5 30.5 -22.5t5.5 -37.5t-22.5 -31t-37.5 -5l-51 12l-182 -193h891l-182 193l-44 -12q-20 -5 -37.5 6t-22.5 31t6 37.5 t31 22.5z" />
+<glyph unicode="&#xe241;" d="M1200 900h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-200v-850q0 -22 25 -34.5t50 -13.5l25 -2v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v850h-200q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h1000v-300zM500 450h-25q0 15 -4 24.5t-9 14.5t-17 7.5t-20 3t-25 0.5h-100v-425q0 -11 12.5 -17.5t25.5 -7.5h12v-50h-200v50q50 0 50 25v425h-100q-17 0 -25 -0.5t-20 -3t-17 -7.5t-9 -14.5t-4 -24.5h-25v150h500v-150z" />
+<glyph unicode="&#xe242;" d="M1000 300v50q-25 0 -55 32q-14 14 -25 31t-16 27l-4 11l-289 747h-69l-300 -754q-18 -35 -39 -56q-9 -9 -24.5 -18.5t-26.5 -14.5l-11 -5v-50h273v50q-49 0 -78.5 21.5t-11.5 67.5l69 176h293l61 -166q13 -34 -3.5 -66.5t-55.5 -32.5v-50h312zM412 691l134 342l121 -342 h-255zM1100 150v-100q0 -21 -14.5 -35.5t-35.5 -14.5h-1000q-21 0 -35.5 14.5t-14.5 35.5v100q0 21 14.5 35.5t35.5 14.5h1000q21 0 35.5 -14.5t14.5 -35.5z" />
+<glyph unicode="&#xe243;" d="M50 1200h1100q21 0 35.5 -14.5t14.5 -35.5v-1100q0 -21 -14.5 -35.5t-35.5 -14.5h-1100q-21 0 -35.5 14.5t-14.5 35.5v1100q0 21 14.5 35.5t35.5 14.5zM611 1118h-70q-13 0 -18 -12l-299 -753q-17 -32 -35 -51q-18 -18 -56 -34q-12 -5 -12 -18v-50q0 -8 5.5 -14t14.5 -6 h273q8 0 14 6t6 14v50q0 8 -6 14t-14 6q-55 0 -71 23q-10 14 0 39l63 163h266l57 -153q11 -31 -6 -55q-12 -17 -36 -17q-8 0 -14 -6t-6 -14v-50q0 -8 6 -14t14 -6h313q8 0 14 6t6 14v50q0 7 -5.5 13t-13.5 7q-17 0 -42 25q-25 27 -40 63h-1l-288 748q-5 12 -19 12zM639 611 h-197l103 264z" />
+<glyph unicode="&#xe244;" d="M1200 1100h-1200v100h1200v-100zM50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 1000h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM700 900v-300h300v300h-300z" />
+<glyph unicode="&#xe245;" d="M50 1200h400q21 0 35.5 -14.5t14.5 -35.5v-900q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v900q0 21 14.5 35.5t35.5 14.5zM650 700h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400 q0 21 14.5 35.5t35.5 14.5zM700 600v-300h300v300h-300zM1200 0h-1200v100h1200v-100z" />
+<glyph unicode="&#xe246;" d="M50 1000h400q21 0 35.5 -14.5t14.5 -35.5v-350h100v150q0 21 14.5 35.5t35.5 14.5h400q21 0 35.5 -14.5t14.5 -35.5v-150h100v-100h-100v-150q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v150h-100v-350q0 -21 -14.5 -35.5t-35.5 -14.5h-400 q-21 0 -35.5 14.5t-14.5 35.5v800q0 21 14.5 35.5t35.5 14.5zM700 700v-300h300v300h-300z" />
+<glyph unicode="&#xe247;" d="M100 0h-100v1200h100v-1200zM250 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM300 1000v-300h300v300h-300zM250 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe248;" d="M600 1100h150q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-100h450q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h350v100h-150q-21 0 -35.5 14.5 t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5h150v100h100v-100zM400 1000v-300h300v300h-300z" />
+<glyph unicode="&#xe249;" d="M1200 0h-100v1200h100v-1200zM550 1100h400q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-400q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM600 1000v-300h300v300h-300zM50 500h900q21 0 35.5 -14.5t14.5 -35.5v-400 q0 -21 -14.5 -35.5t-35.5 -14.5h-900q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5z" />
+<glyph unicode="&#xe250;" d="M865 565l-494 -494q-23 -23 -41 -23q-14 0 -22 13.5t-8 38.5v1000q0 25 8 38.5t22 13.5q18 0 41 -23l494 -494q14 -14 14 -35t-14 -35z" />
+<glyph unicode="&#xe251;" d="M335 635l494 494q29 29 50 20.5t21 -49.5v-1000q0 -41 -21 -49.5t-50 20.5l-494 494q-14 14 -14 35t14 35z" />
+<glyph unicode="&#xe252;" d="M100 900h1000q41 0 49.5 -21t-20.5 -50l-494 -494q-14 -14 -35 -14t-35 14l-494 494q-29 29 -20.5 50t49.5 21z" />
+<glyph unicode="&#xe253;" d="M635 865l494 -494q29 -29 20.5 -50t-49.5 -21h-1000q-41 0 -49.5 21t20.5 50l494 494q14 14 35 14t35 -14z" />
+<glyph unicode="&#xe254;" d="M700 741v-182l-692 -323v221l413 193l-413 193v221zM1200 0h-800v200h800v-200z" />
+<glyph unicode="&#xe255;" d="M1200 900h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300zM0 700h50q0 21 4 37t9.5 26.5t18 17.5t22 11t28.5 5.5t31 2t37 0.5h100v-550q0 -22 -25 -34.5t-50 -13.5l-25 -2v-100h400v100q-4 0 -11 0.5t-24 3t-30 7t-24 15t-11 24.5v550h100q25 0 37 -0.5t31 -2 t28.5 -5.5t22 -11t18 -17.5t9.5 -26.5t4 -37h50v300h-800v-300z" />
+<glyph unicode="&#xe256;" d="M800 700h-50q0 21 -4 37t-9.5 26.5t-18 17.5t-22 11t-28.5 5.5t-31 2t-37 0.5h-100v-550q0 -22 25 -34.5t50 -14.5l25 -1v-100h-400v100q4 0 11 0.5t24 3t30 7t24 15t11 24.5v550h-100q-25 0 -37 -0.5t-31 -2t-28.5 -5.5t-22 -11t-18 -17.5t-9.5 -26.5t-4 -37h-50v300 h800v-300zM1100 200h-200v-100h200v-100h-300v300h200v100h-200v100h300v-300z" />
+<glyph unicode="&#xe257;" d="M701 1098h160q16 0 21 -11t-7 -23l-464 -464l464 -464q12 -12 7 -23t-21 -11h-160q-13 0 -23 9l-471 471q-7 8 -7 18t7 18l471 471q10 9 23 9z" />
+<glyph unicode="&#xe258;" d="M339 1098h160q13 0 23 -9l471 -471q7 -8 7 -18t-7 -18l-471 -471q-10 -9 -23 -9h-160q-16 0 -21 11t7 23l464 464l-464 464q-12 12 -7 23t21 11z" />
+<glyph unicode="&#xe259;" d="M1087 882q11 -5 11 -21v-160q0 -13 -9 -23l-471 -471q-8 -7 -18 -7t-18 7l-471 471q-9 10 -9 23v160q0 16 11 21t23 -7l464 -464l464 464q12 12 23 7z" />
+<glyph unicode="&#xe260;" d="M618 993l471 -471q9 -10 9 -23v-160q0 -16 -11 -21t-23 7l-464 464l-464 -464q-12 -12 -23 -7t-11 21v160q0 13 9 23l471 471q8 7 18 7t18 -7z" />
+<glyph unicode="&#xf8ff;" d="M1000 1200q0 -124 -88 -212t-212 -88q0 124 88 212t212 88zM450 1000h100q21 0 40 -14t26 -33l79 -194q5 1 16 3q34 6 54 9.5t60 7t65.5 1t61 -10t56.5 -23t42.5 -42t29 -64t5 -92t-19.5 -121.5q-1 -7 -3 -19.5t-11 -50t-20.5 -73t-32.5 -81.5t-46.5 -83t-64 -70 t-82.5 -50q-13 -5 -42 -5t-65.5 2.5t-47.5 2.5q-14 0 -49.5 -3.5t-63 -3.5t-43.5 7q-57 25 -104.5 78.5t-75 111.5t-46.5 112t-26 90l-7 35q-15 63 -18 115t4.5 88.5t26 64t39.5 43.5t52 25.5t58.5 13t62.5 2t59.5 -4.5t55.5 -8l-147 192q-12 18 -5.5 30t27.5 12z" />
+<glyph unicode="&#x1f511;" d="M250 1200h600q21 0 35.5 -14.5t14.5 -35.5v-400q0 -21 -14.5 -35.5t-35.5 -14.5h-150v-500l-255 -178q-19 -9 -32 -1t-13 29v650h-150q-21 0 -35.5 14.5t-14.5 35.5v400q0 21 14.5 35.5t35.5 14.5zM400 1100v-100h300v100h-300z" />
+<glyph unicode="&#x1f6aa;" d="M250 1200h750q39 0 69.5 -40.5t30.5 -84.5v-933l-700 -117v950l600 125h-700v-1000h-100v1025q0 23 15.5 49t34.5 26zM500 525v-100l100 20v100z" />
+</font>
+</defs></svg> 
\ No newline at end of file
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.ttf b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..1413fc609ab6f21774de0cb7e01360095584f65b
GIT binary patch
literal 45404
zcmd?Sd0-pWwLh*qi$?oCk~i6sWlOeWJC3|4juU5JNSu9hSVACzERcmjLV&P^utNzg
zIE4Kr1=5g!SxTX#Ern9_%4<u(w1q<J@CsjEOL>&01rlrW`<y$HCCf?Z+y45=o|!u{
zcjlhEoqP5%FoVJ1G+bj44I8ITTQqxJ-LCg=WdK{*^eI!Pu_*@0U|>Z!56xXTGQR4C
z3vR~wXq>NDx$c~e?;ia3YjJ*$!C>69a?2$lLyhpI!C<oCzO?F`i#HxWjyD@jE}WZI
zU3l5~SDy9q1|;#myS}~pymONB?2*4U816rW`)#Xn!7@d1<NOHDt5&bOWb2!+g;p30
z4<NsI$%PwMp0nZD-M=sx9=^?B5SrGVvvng|Yryk+==sq4bJm^rO#Q?6;T&}k_iWs7
z@g?8i`(dlW@aQ!LgXLG3o_Fr~uM{nsXD~dq2>FfJsP=|`8@K0|bbMpWwVU<h#k=?&
z2hLD3ege)J^J9<Jz!_dI-O6?vWP>Eygg0=0x_)HeHpGSJagJNLA3c!$EuOV>j$wi!
zbo{vZ(s8tl>@!?}dmNHXo)ABy7ohD7_1G-P@SdJWT8*oeyB<gVy2N^Mz8Y_p4K;?4
zVT9pf!y_R}Xk_T@(1FkoDm{_X>VYVW9*vn}&VI4q++W;Z+uz=QTK}^C75!`aFYCX#
zf7fC2;o`%!huaTNJAB&VWrx=szU=VLhwnbT`vc<#<`4WI6n_x@AofA~2d90o?1L3w
z9!I|#P*NQ)$#9aASijuw>JRld^-t)Zhmy|i-`Iam|IWkgu<LN>aMR%lhi4p~cX-9&
zjfbx}yz}s`4-6>D^+6FzihR)Y!GsUy=_MWi_v7y#KmYi-{iZ+s@ekkq!<s)V`@Q^L
z`rY8W#qWgQ@xJ2-1w&;af5?RzOBGthmla=B{I%lG6(3e?tJqSpv0`mSvSMY$Srtnw
z=2y(Bm|8KV{P*SWmH)c@?ebrg|GfOw@*kDIQ2vZb)ms;}`oI6t>@Wxz!~BQwiI&ti
z>hC&iBe2m(dpNVvSbZe3DVgl(dxHt-k@{xv;&`^c8GJY%&^LpM;}7)B;5Qg5J^E${
z7z~k8eWOucjX6)7q1a%EVtmnND8cclz8R1=X4W@D8IDeUGXxEWe&p>Z*voO0u_2!!
zj3dT(Ki+4E;uykKi*yr?w6!BW2FD55PD6SMj`OfBLwXL5EA-9KjpMo4*5Eqs^>4&>
z8PezAcn!9jk-h-Oo!E9EjX8W6@EkTHeI<@AY{f|5fMW<-Ez-z)xCvW3()Z#x0oydB
zzm4MzY^NdpIF9qMp-jU;99LjlgY@@s+=z`}_%V*xV7nRV*Kwrx-i`FzI0BZ#yOI8#
z!SDeNA5b6u9!Imj89v0(g$;dT_y|Yz!3V`i{{_dez8U@##|X9<u78GO6Sj7w|BmAX
zYy>A};s^7vEd!3AcdyVlhVk$v?$O442KIM1-wX^R{U7`JW&lPr3N(%kXfXT_`7w^?
z=#ntx`tTF|N$UT?pELvw7T*2;=Q-x@KmDUIbLyXZ>f5=y7z1DT<7>Bp0k;eItHF?1
zErzhlD2B$Tm|^7DrxnTYm-tgg`Mt4Eivp5{r$o9e)8(fXBO4g|G^6Xy?y$SM*&V52
z6SR*%`%DZC^w(gOWQL?6DRoI*hBNT)xW9sxvmi@!vI^!mI$3kvAMmR_q#SGn3zRb_
zGe$=;Tv3dXN~9XuIHow*NEU4y&u}FcZEZoSlXb9IBOA}!@J3uov<cnLsMTt5KB)Lj
zYZXCxu;1bqjH18<x269<Tv%)JD-Sv?wUz&5KB?<}@bC!>p}yerhPMaiI8|SDhvWVr
z^BE&yx6e3&RYqIg;mYVZ*3#A-cDJ;#ms4txEmwm<RofF(aiZ;^6Sh1kbq&8p87Q}2
z)<!HT6VUck^|BOZR8X4U*lI4NmphK3T)k;q2UF1)TE2tD(Oq%0w%C5uBAc|kj54!X
zjK;0TBFmM`n@u^bcUhg<U$UozsV%ZmyUQe7juv~qZStAE?UA}H^b(uR^svd6<ohSA
zPN(&WybCrXyU=981ISP9mNdxHZPF8l4xGdT{y?OqQH)eNL?x_*jVgBKQggghY;ER4
z2ZJLPNi?@5u<K+P9v^?cajfyXk(LSV0q=;>@g^s`BB}KmSr7K+ruIoKs=s|gOXP|2
zb1!)87h9?(+1^QRWb(Vo8+@G=o24gyuzF3ytfsKjTHZJ}o{YznGcTDm!s)DRnmOX}
z3pPL4wExoN$kyc2>#J`k+<67sy-VsfbQ-1u+HkyFR?9G`9r6g4*8!(!c65Be-5hUg
zZHY$M0k(Yd+DT1*8)G(q)1<YNpB7js)5y12Eq7a-+TSy$n{z4WbFWWmXqX`NmQ;<8
z&#kMnTCG)e^Wqb#OY{bR(&}(pp3G}-_B)F+rS(l(vS<RecZ%(lx`adE6b#<MA*v6|
zqhg4L;6Ok2!XZ8=`3{3lFr+}jevG<T8z$m4n8_pfbf#&K;T~jROxF%RXK8L@N{?d!
z)#u0D$E0^47cxZAeVEjp$RK_kRO2h>&tDl=g9H7!bZTOvEEFnBOk_K=DXF(d4JOaH
zI}*A3jGmy{gR>s}EQzyJa_q_?TYPNXR<v?#Pfy-SGCMD6($H@d06+dYtCwDuCKCO`
zfTh}KuF@>U1O;fcV_&TQZhd{@*8Tgpraf~nT0BYktu*n{a~ub^UUqQPyr~yBY{k2O
zgV)honv{B_CqY|*S~3up%Wn%7i*_>Lu|%5~j)}rQLT1ZN?5%QN`LTJ}vA!EE=1`So
z!$$Mv?6T)xk)H8JTrZ~m)oNXxS}pwPd#);<*>zWsYoL6iK!gRSBB{JCgB28C#E{T?
z5VOCMW^;h~eMke(w6vLlKvm!!TyIf;k*RtK)|Q>_@nY#J%=h%aVb)?Ni_By)X<wQw
z7V$PDEtth$n$E;Ll`Y4%BO_9n-ugy!JpHdGlaMf3-bFSa<&`Z$)FNx2;bGa5ewQ9G
znS9p(JK$Y-8V}<ibr6q#cKkEx`_lIfW`o_}!WDwa=VY;jm&MFX_KN*c$8NiQ<*(1K
zOz-}+aK2WdJ+of=zJ0eN>NxY)E3`|}_u}fn+Kp^3p4RbhFUBRtGsDyx9Eolg77iWN
z2iH-}CiM!pfYDIn7;i#Ui1KG01{3D<{e}uWTdlX4Vr*nsb^>l0%{O?0L9tP|KGw8w
z+T5F}md>3qDZQ_IVkQ|BzuN08uN?SsVt$~wcHO4pB9~ykFTJO3g<4X({-Tm1w{Ufo
zI03<6KK`ZjqVyQ(>{_aMxu7Zm^ck&~)Q84MOsQ-XS~{6j>0lTl@lMtfWjj;PT{nlZ
zIn0YL?kK7CYJa)(8?unZ)j8L(O}%$5S#lTcq{rr5_gqqtZ@*0Yw4}OdjL*kBv+>+@
z&*24U=y{Nl<J@lPNofl42dq;77(U?JMya(0Crr4x>58qJyW1vTwqsvs=VRAzojm&V
zEn6=WzdL1y+^}%Vg!ap>x%%nFi=V#wn#<ZJY+2YKgUZIdddsj}x<a~(_z&i7iw6j~
zD6-dYj8)6VXu?|^ZEI$`u2WRyTK0%)bZh&!D^9oe9c{ncschFCaT|SNh@Ip0Y7e<>
zUuheBR@*<muvvX<=P{exAmqKj@)RY=k${p2#1fI%*ObNn_Svg5fBeeKm;N;8<i#ex
z@xiUPeR$hjC=hitVD9x2{{y_iS9U^gG9f@6f6&^Vs3zp5qf?=KTW@F7W@hJ`ZBCj<
zPCXs%#Cv+T9c^4a%MvhtBnK>KS)5Mn0`f=3fMwR|#-rPMQJg(fW*5e`7xO&^UUH<N
z8S{R+VU}U8VWDBEjsa+<a|A}qi`v{;%PNhy=5G#TrE#}Jn{iFX7S1~=;h}j7?-Paq
zPz1GeaZ=ceNsUv?a;Nj+<UmnU3}yC*^X?4%XYRVxg{MEFholmVGnq^}E!rMBWy|R_
zg)925;70bcj_+u_rTSN(=HrLgwiaEHUwf>{L(U8D$JtI!ac!g(Ze89<`UiO@L+)^D
zjPk2_Ie0p~4|LiI?-+pHXuRaZKG$%zVT0jn!yTvvM^jlcp`|VSHRt-G@_&~<4&qW@
z?b#zIN)G(}L|60jer*P7#KCu*Af;{mpWWvYK$@Squ|n-Vtfgr@<WJYami@2Z&u=;5
z5Vc}@3ijIdgOz2E{1ewt+&m|4loMa2;l_ZQ>ZOmR5Xpl;0q~VILmjk$$mgp+`<2jP
z@+nW5Oap%fF4nFwnVwR7rpFaOdmnfB$-rkO6T3#w^|*rft~acgCP|ZkgA6PHD#Of|
zY%E!3tXtsWS`udLsE7cSE8g@p$ceu*tI71V31uA7jwmXUCT7+Cu3uv|W>ZwD<C#<5
zr)TgUn*z=?aQx5GtI}?)S=9!TmC))*YbR(2eeE2+a>{&O4Nfjjvl43N#A$|FWxId!
z%=X!HSiQ-#4nS&smww~iXRn<-`&zc)nR~js?|Ei-cei$^$KsqtxNDZvl1oavXK#Pz
zT&%Wln^Y5M95w=vJxj0a-ko_iQt(LTX_5x#*QfQLtPil;kkR|kz}`*xHiLWr35ajx
zHRL-QQv$|PK-$ges|NHw8k6v?&d;{A$*q15hz9{}-`e6ys1EQ1oNNKDFGQ0xA!x^(
zkG*-ueZT(GukSnK&Bs=4+w|(kuWs5V_2#3`!;f}q?>xU5IgoMl^DNf+Xd<=sl2<ov
zdi9d6DbT*4=K1<NxE2(`@^$C>XvkqviJ>d?+G@Z5nxxd5Sqd$*ENUB_mb8Z+7CyyU
zA6mDQ&e+S~w49csl*UePzY;^K)Fbs^%?7;+hFc(xz#mWoek4_&QvmT7Fe)*{h-9R4
zqyXuN5{)HdQ6yVi#tRUO#M%;pL>rQxN~6yoZ)*{{!?jU)RD*oOxDoTjVh6iNmhWNC
zB5_{R=o{qvxEvi(k<Br-9y#p7E~9amU@sQujU02m+%O6`wmyB;RZm|f_25ZIu`sWx
z9Z!xjMn{xa)<lh?>hbRS`FOXmOO|&Dj$&~><!ER!M(aXh<Y=PO>*oo)bZz%lPhEA@
zQ;;w5eu5^%i;)w?T&*=UaK?*|U3~{0tC`rvfEsRPgR~16;~{_S2&=E{fE2=c>{+y}
zx1*NTv-*zO^px5TA|B```#NetKg`19O!BK*-#~wDM@KEllk^nfQ2quy25G%)l72<>
zzL$^{DDM#jKt?<>m;!?E2p0l12`j+QJjr{Lx*47Nq(v6i3M&*P{jkZB{xR?NOSPN%
zU>I+~d_ny=pX??qjF*E78>}Mgts@_yn`)C`wN-He_!OyE+gRI?-a>Om>Vh~3OX5+&
z6MX*d1`SkdXwvb7KH&=31RCC|&H!aA1g_=ZY0hP)-Wm6?A7SG0*|$mC7N^SSBh@MG
z9?V0tv_sE>X==yV{)^LsygK2=$Mo_0N!JCOU?r}rmWdHD%$h~~G3;bt`lH&<YttXG
zCx4~x@x7rvSlVC8c4`|@!#-B8ZKS<EH?nhD1$CFfEvQA7q3vKKC(B@*EPV@^RffeA
zqF7{q<g?nf7wl2mS$#hW3X3?XI^l_=xWmcuOlQEQZFITVPFH}vOiW=uH41qNTB4w>
zAuOOZ=G1Mih**0>lB5x+r)X^8mz!0K{SScj4|a=s^VhUEp#2M=^#WRqe?T&H9GnWa
zYOq{+gBn9Q0e0*Zu>C(BAX=I-Af9wIFhCW6_>TsIH$d>|{fIrs&BX?2G>GvFc=<8`
zVJ`#^knMU~65dWGgXcht`Kb>{V2oo%<{NK|iH+<q(5YAazG9MX#mAntl?z6uydZjo
zUFklHM_4M@0HYVoyB8BtKlWH`xbBg99hUSZMa9}uddMW%i`jRIi-g-Oj+Dcyby^(`
z%RQFN&dOf4Ittp8bTTLHYY;pny(Y2BDO&N?wA-C_6&0Pd?aun4t;+U8o0V7xD{xVE
zT_xFkLYF;IV~uA~NIx^oe`|Ag_zBH%@tGSHD~4^4RZ^~BcP(EUF`avIGk5b#Qq_%$
zWYy4>R^|Gx%q+env#Js*(EBT3V0=w4F@W+oLFsA)l7Qy8mx_;6Vrk;F2RjKFvmeq}
zro&>@b^(?f))OoQ#^#s)tRL>b0gzhRYRG}EU%wr9GjQ#~Rpo|RSkeik^p9x2<p!Ww
zwwmq`!~oDTY^~4nP7mqhE1&11QI*f_7OwLIc0Sdl0He@3A$?sO|G#_xO5%4jys!Au
zz!P*LF2Fu*;<$-+ZxX4HAsc@9KfXGYIspZeD-?_4;Ohrd$nih9sE;A+xh%Yxa|I;O
zMn43xybbA$h%OeU78ZAGUa0jg*n))`>+=rUr}vfnQoeFAlv=oX%YqbLpvyvcZ3l$B
z5bo;hDd(fjT;9o7g9xUg3|#?wU2#BJ0G&W1#wn?mfNR{O7bq74<ru+<wkuK7q*HuJ
zl3ikW@`O=kCFAR2we{1>7tc~mM%m%t+7YN}^tMa24O4@w<|$lk@pGx!;%pKiq&mZB
z?3h<&w>un8r?Xua6(@Txu~Za9tI@|C4#!dmHMzDF_-_~Jolztm=e)@vG11b<LZFLt
z=a@d3MJ-E4hYQZxA3y&6-j%$UZvUfp^pCgm<jTEuP^)mszD-y$n3Q&{-23}Wv_2Y8
ztp4g>ZQAs!tFvd9{C;oxC7VfWq377Y(LR^X_TyX9bn$)I765l=rJ%9uXcjggX*r?u
zk|0!db_*1$&i8>d&G3C}A`{Fun_1J;Vx0gk7P_}8KBZDowr*8$@X?W<UwWy2E;b%8
zDnv;u#sg4V5Tml=Bw6)GO(a6bm@pXL5;t*}iEhY9Zim8L-OM$RpsE=-)J6=6)|MD4
z8{19*DSK107+0Kbw2EdWh!twa9HVGLVmN$BX1?}c?!DT~m@%MuO{=cju@-!?UnaO{
z9Q;H&SNsH&+9*iqK+))0P{pW#u+IR2<&dC||BFzIuVKjDIAwxj0gQDf!MLF#VHC`D
zN_zXShCf+#K4Io(-dXedBI4SOK2y)rryrPZ_8G(S4~O-`iR!5u^?GLIlD&{}so=+h
zoX&5625-D!az-|Zx~ma2tVY~n7Eznkush<8w1#D9lj%>6v^LYmNWI)lN92yQ;tDpN
zOUdS-W4JZUjwF-X#w0r;97;i(l}ZZT$DRd4u#?pf^e2<Tp(F_Ylx9mIONs=GDOR7J
z!s@{!h&%A8Er}aMdD0mk#s%bH^(p8HL6l-6iKJ%JY$!?VLmDqZL7D4xf%;gN>yaFo
zbm>I@5}#8FjsmigM8w_f#m4fEP<w>~r~_?OWB%SGWcn$ThnJ@Y`ZI-O&Qs#Y14To(
zWAl>9Gw7#}eT(!c%D0m>5D8**a@h;sLW=6_AsT5v1Sd_T-C4pgu_kvc?7+X&n_fct
znkHy(_LExh=N%o3I-q#f$F4<wlfSnZ{aNtlaHgD*%*;+!if9}xbu`<To}#^Vl2QkO
z7|r$zhjK8GE;uJ+566KrGlUndEl83;o70s<D1jcM$y_hC&+<$#S-_D`DMkXCs6&Ja
zX$kb)3d(TSz&8E5_#CeAoC7l{hxp54WI)}a6Fq*MuVt{GA?j6in~9$1>QJpy>jZBW
zRF7?EhqTGk)w&Koi}QQY3sVh?@e-Z3C9)P!(hMhxmX<?O%M-wa0Dx5a@<^0#9_>LC
zF_+ZSTQU`Gqx@o<HpS{<a}-BAGy@<S0>(~<vXHshk{*j+nj`s1+omT#^krl>B$dbr
zHlEUKoK&`2gl>zKXlEi8w6}`X3kh3as1~sX5@^`X_nYl}hlbpeeVlj#2sv)CIMe%b
zBs7f|37f8qq}gA~Is9gj&=te^wN8ma?;vF)7gce;&sZ64!7LqpR!fy)?4cEZposQ8
zf;rZF7Q>YM<qvPX@rO5R|G8xB*d=47F5FbX>F1~eQ|Z*!5j0DuA=`~VG$Gg6B?Om1
z6fM@`Ck-K*k(eJ)Kvysb8sccsFf@7~3vfnC=<$q+VNv)FyVh6ZsWw}*vs>%k3$)9|
zR9ek-@pA23qswe1io)(Vz!vS1o*XEN*LhVYOq#T`;rDkgt86T@O`23xW~;W_#ZS|x
zvwx-XMb7_!hIte-#JNpFxskMMpo2OYhHRr0Yn8d^(jh3-+!CNs0K2B!1dL$9UuAD=
zQ%7Ae(Y@}%Cd~!`h|wAdm$2WoZ(iA1(a_-1?znZ%8h72o&Mm*4x8Ta<4++;Yr6|}u
zW<lfR&2thZ%arCCv7^XWW_6jB>8$p&izhdqF=m8$)HyS2J6cKyo;Yvb>DTfx4`4R{
zPSODe9E|uflE<`xTO=r>u~u=NuyB&H!(2a8vwh!jP!yfE3N>IiO1<sg)|!DAM%5V4
zImfj?oZv3;y3AIvb^=HU^uh7(X5<6aoUeyP2Mi=23DNrjwj6G-I5MpbGBBkQgLzRx
z_Qg%sVsEslI2A80hOod<S>jI>7e&3rR#RO3_}G23W?gwDHgSg<QXM9d4Lsp5W&)6?
zY*roO0w$UqxC4|r(Er$DV(2l9h4At3N_U`+Ukis<fpRRCK>ekzQ^PU&G5z&}V5GO?
zfg#*72*$DP1T8i`S7=P;bQ8lYF9_@8^C(|;9v8ZaK2GnWz4$Th2a0$)XTiaxNWfdq
z;yNi9veH<s@9We549w!!z+8C$Xr3bE8Io{iV0-^0*Z((QCVLd1<H5EqJokRheRd?M
z=9-#Ba=FG%;bgG2sZn!v5}(U9c2N6|uSx2-^nZJN<Y38%>!j)ba$9pke8`y2^63BP
zIyYKj^7;2don3se!P&%I2jzFf|LA&tQ=NDs{r9fIi-F{-yiG-}@2`VR^-LIFN8BC4
z&?*<A2U+2yvz#~5iMlAv#&#x?J%g>IvLiGHH5>NY(Z^CL_A;yISNdq58}=u~9!Ia7
zm7MkDiK~lsfLpvmPMo!0$keA$`%Tm`>Fx9JpG^EfEb(;}%5}B4Dw!O3BCkf$$W-dF
z$BupUPgLpHvr<<+QcNX*w@+Rz&VQz)Uh!j4|DYeKm5IC05T$KqVV3Y|MSXom+Jn8c
zgUEaFW1McGi^44xoG*b0JWE4T`vka7qTo#dcS4RauUpE{O!ZQ?r=-MlY#;VBzhHGU
zS@kCaZ*H73XX6~HtHd*4qr2h}Pf0Re@!WOyvres_9l2!AhPiV$@O2sX>$21)-3i+_
z*sHO4Ika^!&2utZ@5%VbpH(m2wE3qOPn-I5Tbnt&yn9{k*eMr3^u6zG-~PSr(w$p>
zw)x^a*8Ru$PE+{&)%VQUvAKKiWiwvc{`|GqK2K|ZMy^Tv3g|zENL86z7i<<vQD<>c
zW`W>zV1u}X%P;Ajn+>A)2iXZbJ5YB_r>K-h5g^N=LkN^h0Y6dPFfSBh(L`G$D%7c`
z&0RXDv$}c7#w*7!x^LUes_|V*=bd&aP+KFi((tG<uj&`TKbvJwt*s;^z;4Ys<BrXj
zUcC9nsnf4nJ}oNAV^;23Huc6W7jNCNGp&VZZ68xTF&1%{6q~EkQlv<(iM7j~voh3C
z@5k4r3!z`C;}lPV?5N1<S*Q-j1No*l<5(hps4yh~OUMfaqfZSw{1(}GVOnN8<B1ow
zokS3`Befl=7x!u#A9>*gakSR+FA26%{QJdB5G1F=UuU&koU*^zQA=cEN9}Vd?OEh|
zgzbFf1?@LlPkcXH$;YZe`WEJ3si6&R2MRb}LYK&zK9WRD=kY-JMPUurX-t4(Wy{%`
zZ@0WM2+IqPa9D(^*+MXw2NWwSX-_WdF0nMWpEhAyotIgqu5Y$wA=<qv3s0%`78x7-
z!YG+vXM)||6z({8VoMOb>zfuXJ0Y2lL3#ji26-P3Z?-&0^KBc*`T$+8+cqp`%g0WB
zTH9L)FZ&t073H4?t=(U6{8B+uRW_J_n*vW|p`DugT^3xe8Tomh^d}0k^G7$3wLgP&
zn)vTWiMA&=bR8lX9H=uh4G04R6>C&Zjnx_f@MMY!6HK5v$T%vaFm;E8q=`w2Y}ucJ
zkz~dKGqv9$E80NTtnx|Rf_)|3wxpnY6nh3U9<)fv2-vhQ6v=WhKO@~@X57N-`7Ppc
zF;I7)eL?RN23FmGh0s<krvL@Zi`9X>;Z#+p)}-TgTJE%&>{W+}C`^-sy{gTm<$>rR
z-X7F%MB9Sf%6o7A%ZHReD4R;imU6<9h81{%avv}hqugeaf=~^3A=x(Om6Lku-Pn9i
zC;LP%Q7Xw*0`Kg1)X~nAsUfdV%HWrpr8dZRpd-#%)c#Fu^mqo|^b{9Mam`^Zw_@j@
zR&ZdBr3?@<@%4Z-%LT&RLgDUFs4a(CTah_5x4X`xDRugi#vI-cw*^{ncwMtA4N<n#
zKe-3R=W^+cuK>KjByYBza)Y$hozZCpuxL{IP&=tw6ZO52WY3|iwGf&IJCn+u(>icK
zZB1~bWXCmwAUz|^<&ysd#*!DSp8}DLNbl5lRFat4NkvItxy;9tpp9~<f);nGGD>|@
z;JctShv^Iq4(z+y7^j&I?GCdKMVg&jCwtCkc4*@O7HY*veGDBtAIn*JgD$QftP}8=
zxFAdF=(S>Ra6(4slk#h%b?EOU-96TIX$Jbfl*<nInof4ph4hK=1pB+w>_7IY-|R%H
zF8u|~hYS-YwWt5+^!uGcnKL~jM;)ObZ#q68ZkA?}CzV-%6_vPIdzh_wHT_$mM%<x2
zq&@Ugp@y3#qmCWN2c()zUb2i%NHytqe#*|FOc9=9=lm37FJ~XnjPaYV#gu{Rxk3h%
z6(mfsR@KE$kTrlhgn%DPo5HpDO0=1-df|X)k_Bt?_o11|zfG(qa-#Sl@L(<sfroJg
zk#3es02GuhOy#7gPL>vws9lxUj;E@#1UX?WO2R^41(X!nk$+2oJGr!sgcbn1f^yl1
z#pbPB&Bf;1&2+?};Jg5qgD1{4_|%X#s48rOLE!vx3@ktstyBsDQWwDz4GYlcgu$UJ
zp|z_32yN72T*oT$SF8<}>e;FN^X&vWNCz>b2W0rwK#<1#kbV)Cf`vN-F$&knLo5T&
z8!sO-*^x4=kJ$L&*h%rQ@49l?7_9IG99~xJDDil00<${~D&;kiqRQqeW5*22A`8I2
z(^@`qZoF7_`CO_e;8#qF!&g>UY;wD5MxWU>az<ULIsNY$DJI@Av_2K^yD6wo0kqHs
zV#M>oo=E{kW(GU#pbOi%XAn%?W{b>-bTt&2?G=E&BnK9m0zs{qr$*&g8afR_x`B~o
zd#dxPpaap;I=>1j8=9Oj)i}s@V}oXhP*{R|@DAQXzQJekJnmuQ;vL90_)H_nD1g6e
zS1H#dzg)U&6$fz0g%|jxDdz|FQN{KJ&Yx0vfuzAFewJjv`pdMRpY-wU`-Y6WQnJ(@
zGVb!-8DRJZvHnRFiR3PG3Tu^nCn(CcZHh7hQvyd7i6Q3&ot86XI{jo%WZqCPcTR0<
zMRg$ZE=PQx66ovJDvI_JChN~k@L^Pyxv#?X^<)-TS5gk`M~d<~j%!UOWG;ZMi1af<
z+86U0=sm!qAVJAIqqU`Qs1uJhQJA&n@9F1PUrYuW!-~IT>l$I!#5dB<cfvg5VibV&
zDqvU$KKCo4v0yI;auEcF&ZcvUE7}qhEUthMrKK<ZZorlPhfA2o9*2RG_C6<ZwD)23
zgbU<ugZCNmzTNu!GMX!>aiAK}RUufjg{$#GdQBkxF1=KU2E@N=i^;xgG2Y4|{H>s`
z$<vvU|F(3Nv^%2-!)gt%bV2|xrF9!>t`k8c-8`fS7Yfb1FM#)vPKVE4Uf(Pk&%HLe
z%^4L>@Z^9Z{ZOX<^e)~adVRkKJDanJ6VBC_m@6qUq_WF<AGx+lu0P|(*RBdki}PPC
zR884Dd(Bf1Tr>@Epw>AYqf%r6qDzQ~AEJ<N!$QjqcKBS<-KzqABShp7@2HODUtuI-
zM1Hm0Vba1HggryAaeKKwP<qS1QZN90CS+8P%>!jtUvLp^CcqZ^G-;Kz3T;O4WG45Z
zFhrluCxlY`M+OKr2SeI697btH7Kj`O>A!+2DTEQ=48cR>Gg2^5uqp(+y5Sl09MRl*
zp|28!v*wvMd_~e2DdKDMMQ|({HMn3D%%ATEecGG8V9>`JeL)T0KG}=}6K8NiSN5W<
z79-ZdYWRUb`T}(b{RjN8>?M~opnSRl$$^gT`B27kMym5LNHu-k;A;VF8R(HtDYJHS
zU7;L{a@`>jd0svOYKbwzq+pWSC(C~SPgG~nWR3pBA8@OICK$Cy#U`kS$I;?|^-SBC
zBFkoO8Z^%8Fc-@X!KebF2Ob3%`8zlVHj6H;^(m7J35(_bS;cZPd}TY~qixY{MhykQ
zV&7u7s%E=?i`}Ax-7dB0ih47w*7!@GBt<*7ImM|_mYS|9_K7CH+i}?*#o~a&tF-?C
zlynEu1DmiAbGurEX2Flfy$wEVk7AU;`k#=IQE*6DMWafTL|9-vT0qs{A3mmZGzOyN
zcM9#Rgo7WgB_ujU+?Q@Ql?V-!E<ESfbH6cV^f<TVZZ6$j;;%C;F7k#%v)~#tDz@O9
zGjF`&rD{{KBD!Z>=jbypS+*ch<nT0vi*LE;jA`dwa7L|Pk{%Vkrl+;{Q+Icda+|DH
zxbX_5rMru~l@p?-nW}qiMdIwMuOHt$v$Z->I&zA+C_3_@aJal}!Q54?qsL0In({Ly
zjH;e+_SK8yi0NQB%TO+Dl77jp#2pMGtwsgaC>K!)NimXG3;m7y`W+&<(ZaV>N*K$j
zLL~I+6ouPk6_(iO>61cIsinx`5}DcKSaHjYkkMuDoVl>mKO<4$F<R}h5tU~DoQW2-
zb@mx6M$TIWS(5Azchs1S!C1Vg!dX-qRh*Tlox4o><>YJ5J9A2Vl}#BP7+u~L8C6~D
zsk`pZ$9Bz3teQS1Wb|8&c2SZ;qo<#F&gS;j`!~!ADr(jJXMtcDJ9cVi>&p3~{bqaP
zgo%s8i+8V{UrYTc9)HiUR_c?cfx{Yan2#%PqJ{%?Wux4J;T$#cumM0{Es3@$>}DJg
zqe*c8##t;X(<vs5F6*OK5RBh`;EMHg+sn$v%w2!Q1AFLXOj%hwP6VgZXe#dgvNr%C
zbK2>4$?A`ve)e@YU3d2Balcivot{1(ahlE5qg@S-h(mPNH&`pBX$_~HdG48~)$x5p
z{>ghzqqn_t8~pY<5?-To>cy^6o~mifr;KWvx_oMtXOw$$d6jddXG)V@a#lL4o%N@A
zNJlQAz6R8{7jax-kQsH6JU_u*En%k^NHlvBB!$JAK!cYmS)HkLAkm0*9G3!vwMIWv
zo#)+EamIJHEUV|$d|<)2iJ`lqBQLx;HgD}c3mRu{iK23C>G{0Mp1K)bt6OU?xC4!_
zZLqpFzeu&+>O1F>%g-%U^~yRg(-wSp@vmD-PT#bCWy!%&H;qT7rfuRCEgw67V!Qob
z&tvPU@*4*$YF#2_>M0(75QxqrJr3Tvh~iDeFhxl=MzV@(psx%G8|I{~9;tv#BBE`l
z3)_98eZqFNwEF1h)uqhBmT~mSmT8k$7vSHdR97K~kM)P9PuZdS;|Op4A?O<*%!?h`
zn`}r_j%xvffs46x2hCWuo0BfIQWCw9aKkH==#B(TJ%p}p-RuIVzsRlaPL_Co{&R0h
zQrqn=g1PGjQg3&sc2IlKG0Io#v%@p>tFwF)RG0ahYs@Zng6}M*d}Xua)+h&?$`%rb
z;>M=iMh5eIHuJ5c$aC`y@CYjbFsJnSPH&}LQz4}za9YjDuao>Z^EdL@%s<cic@|#d
zk`VYkAA1)5&zzBlUXwX>aRm&LGQWXs*;FzwN#p<?>H&j~SLhDZ+QzhplV_ij(NyMl
z;v|}a<m1KirP40Q9;?ZUGeiBO`6EQCP%m`AbDrv}WVxc|a9*xhB0zVg4PQB(Updr=
z()&PI0+wG1-G5cn-?{zrU(p$hh$VW4zkc`j%O6su+dqN;>mvxRddO81LJFa~2QFUs
z+<rMf(`FCeM}FJ^oJ6DQ^2{Nc9R`a9PEsYsk4d<kKA^opcC1pDZk0kh9^Gygk8>Lk
zZck)}9uK^buJNMo4G(rSdX{57(7&n=Q6$QZ@lIO9#<3pA2ceD<ex)Co(^yo~b^iS?
z-G6>pO_340B*pHlh_y{>i&c1?vdpN1j>3UN-;;Yq?P+V5oY`4Z(|P8SwWq<)<fz%B
zj)+x<OZ_gB*%c@YSI6p9w+Ydpc!Zcf$QEBFDuqEL6=PD@Pe~N@st{xMy+-n;*Mt~v
zmrteH;(NO63jTi5?DV@CF_fsL-w|T3X%De;sQHBB^9@P)Y{)Bp<max_sHiv=Y2ujB
z*Y0pN2vXRDgae#VLF1APpWP+=i6luTbXun4wCl7o-h=Gg-_V%L+$3>n`W@AwcQ?E9
zd5j8>FT^m=MHEWfN9jS}UHHsU`&SScib$qd0i=ky0>4dz5ADy70AeIuSzw#gHhQ_c
zOp1!v6qU<Kxjvk}u}KI}1IL4P)HQX%3Qy1||7)ACyj<$_yY^HUY1Qh86mASo5oGq6
zE#i-HjkgKyfR`wC1AzxilV;sCL6u<;DfJ$k2lHogcuG&96Y=9Dx08l3i%#>)@8MY+
zMNIID?(CysRc2uZQ$l*QZVY)$X?@4$VT^>djbugLQJdm^P>?51#lXBkdXglYm|4{L
zL%Sr?2f`J+xrcN@=0tiJt(<-=+v>tHy{XaGj7^cA6felUn_KPa?V4ebfq7~4i~GKE
zpm)e@1=E;PP%?`vK6KVPKXjUXyLS1^NbnQ&?z>epHCd+J$ktT1G&L~T)nQeExe;0Z
zlei}<<dHMjP`dMgT;)rz@KwnNqz2u#jL%!`ao{S@tM3IGYSeTv3Fk3tBkVZxLRlho
z@Yxs}5wdFIYX}Vx7;lNy5jfXGDv1)02|!y=K!RAWW@=@lh*MCQ(we#;x;&XaD>_ni
ztFo}j7nBl$)s_<W4is^tCJZEK$$)&HpdlqLPzQFWv`<{7GL_AD92F#&(|%OzJIbuy
z+Ol{_jn76nNgzuA>3odmdafVieFxc)m!wM+U`2u%yhJ90giFcU1`dR6BBTKc2cQ*d
zm-{?M&%(={<F~lIWhEX{d2;PTbK5UDb8+WLo7GcN=5=ow@4S4W$LOt!x3rG3C8mvr
z0>xYHy?VCx!ogr|4g5;V{2q(L?QzJGsirn~kWHU`l`rHiIrc-Nan!hR7zaLsPr4uR
zG{En&gaRK&B@lyWV@yfFpD_^&z>84~_0Rd!v(Nr%PJhFF_ci3D#ixf|(r@$igZiWw
za*qbXIJ_Hm4)TaQ=zW^g)FC6uvyO~Hg-#Z5Vsr<Zy{+LyD`h4YS(ghy#BfWzW^5Uo
zQ8PC9sjEJ4RGC&$F|HxuyK{woR4L3OZu<36tuvn9l2snS_;Y@J&z1A*lMO*_Ur`v=
zX;m?{v#RtbKP{_C_Pwp$oMe|?dH6}PAjk=@Y1ry|VVd(HV4<-(-0+OjB`EyB0T=kn
z(gB<B0#L(B#0`VW)>ybz6uOTF>Rq1($JS`imyNB7myWWpxYL(t7`H8*voI3Qz6mvm
z$JxtArLJ(1wlCO_te?L{>8YPzQ})xJlvc5wv8p7Z=HviPYB#^#_vGO#*`<0r%MR#u
zN_mV4vaBb2RwtoOYCw)X^>r{2a0kK|WyEYoBjGxcObFl&P*??)WEWKU*V~zG5o=s@
z;rc~uuQQf9wf)MYWsWgPR!wKGt6q;^8!cD_vxrG8GMoFGOVV=(J3w6Xk;}i)9(7*U
zwR4VkP_5Zx7wqn8%M8uDj4f1aP+vh1Wue&ry@h|wuN(D2W<Jk_Ub)RM4SgV&OId4;
zn2zn6!@5a6q<V@&t`j1NlR++Q;e@+-SbcuS)(a+|%YH!7_B%_B*R5T=?m|>;v6b1^
z`)7XBZ385zg;}&Pt@?dunQ=RduGRJn^9HLU&HaeUE_cA1{+oSIjmj3z+1YiOGiu-H
zf8u-oVnG%KfhB8H?cg%@#V5n+L$MO2F4>XoBjBeX>css^h}Omu#)ExTfUE^07KOQS
znMfQY2wz?!7!{*C^)aZ^UhMZf=TJNDv8VrrW;JJ9`=|L0`w9DE8MS>+o{f#{7}B4P
z{I34>342vLsP}o=ny1eZkEabr@niT5J2AhByUz&i3Ck0H*H`LRHz;>3C_ru!X+EhJ
z6(+(lI#4c`2{`q0o9aZhI|jRjBZOV~IA_km7ItNtUa(Wsr*Hmb;b4=;<J1?+^3A&j
zK3cnIJ@xJ)8})7lyFf5`owi5yu4lj04lY55Grhwxe6`Vjk5_%2h6Srm0%!Z7OTJgS
z7xk*fSj^YWvFa#^cCzaibaRR7wifomC%U_?eh_XL=5Hz83qQMDCary#^CqnoCok6y
z#aKY5h8k>R(gF@GmsRI`pF+0tmq0<eALkrdNz?_uQPl5L<ziG;l8G^BKV7-hN+!<*
z<qETgy|$oSZ328w$u~CVg?j38Ne8Nec!$^z3O9)SK=%x<?=HO#`R=(x+xbP_2n9~L
zA~@Y5=^p7G^ly*h(SjbX22XE{f_H~{EwlIe71&(CF%AC-KZ!PkfDiovb({chpQJjK
zFbjvUr>zy~wnoJD(<MLjh**JGO%zg$#8^?N-Q#VEMllAeBN{8Gkcp5385M+IP?10`
zKNJCQBzyb5Gta#5ZT-NK&Jkr}EY5LG-*{2<GI5k_E;Cjl{9Li(svK!m$F~O+U$JQS
zMZAi<dUJWWO0+lGoKxMN#+rIpvr}TmT8W9)5>LSEwHjT<no^?z{l8Hbtg<ND1Cr6K
z6#0!VQ^*}KTk66St&+e*u_9r$$-(;3c2C&lF^#Wti6x@NV{uFO48lerx@~U7EQm%~
zi8-wSrE-(Ma!Z+cdXdE^nH(<3+*mF-qjhezv`kVwaQ)pBtm+Jzn4-9>Ot4xb0XB-+
z&4RO{Snw4G%gS9w#uSUK$Zbb#=jxEl;}6&!b-rSY$0M4pftat-$Q)*y!bpx)R%P>8
zrB&`YEX2%+s#lFCIV;cUFUTIR$Gn2%F(3yLeiG8eG8&)+cpBlzx4)sK?>uIlH+$?2
z9q9wk5zY-xr_fzFSGxYp^KSY0s%1BhsI>ai2VAc8&JiwQ>3RRk?ITx!t~r45qsMnj
zkX4bl06ojFCMq<9l*4NHMAtIxDJOX)H=K*$NkkNG<^nl46<z}8DjmoX!f<;!=?S0X
zNm_qEi&;s|L9ptUk0h&55Ob{uhVekW1KY3{I#Svm7#;P3BE~;lg8EY6Q79rf(MCE=
zN8VGwjyg@p(Rvv6Qeo&vGBF~WTM7Tu+BS~CYXlw<;F93zrP+w<0f)nm=oOTD0XeL>
zHWH1GXb?Og1f0S+8-((5yaeegCT62&4N*pNQY;%asz9r9Lfr;@Bl${1@a4QA<GQZo
zHC=)78Wbo&u{ERGcuiNo;G#(z2^9z>vMLbV6JDp>8SO^q1)#(o%k!QiRSd0eTmzC<
zNIFWY5?)+JTl1Roi=nS4%@5iF+%XztpR^BSuM~DX9q`;Mv=+$M+GgE$_>o+~$#?*y
zAcD4nd~L~EsAjXV-+li6Lua4;(EFdi|M2qV53`^4|7gR8AJI;0Xb6QGLaYl1zr&eu
zH_vFUt+<?-wHx^jA;=HXzQKp_j)#`&591BSP(wIOS;Ce(17%gs%~hdM@>Ouf4SXA~
z&Hh8K@ms^`(hJfdicecj>J^Aqd00^ccqN!-f-!=N7C1?`4J+`_f^nV!B3Q^|fuU)7
z1NDNT04hd4QqE+qBP+>ZE7{v;n3OGN`->|lHjNL5w40pe<qclDY+ja_*(_95xs;%%
zq{v>PJ?^Y6bFk@^k%^5CXZ<+4qbOplxpe)l7c6m%o-l1oWmCx%c6@rx85hi(F=v(2
zJ$jN>?yPgU#DnbDXPkHLeQwED5)W5sH#<v%tu={Y=OlW2%;gK%O0*}OtgP0-W>-eS
z%#^4dxiVs{+q(Yd^ShMN3GH)!h!@W&N`$L!SbElXCuvnqh{U7lcCvHI#{ZjwnKvu~
zAeo7Pqot+Ohm{8|RJsTr3J4GjCy5UTo_u_~p)MS&Z5UrUc|+;Mc(YS+ju|m3Y_Dvt
zonVtpBWlM718YwaN3a3wUNqX;7TqvAFnVUoD5v5WTh~}r)KoLUDw%8Rrqso~bJqd>
z_T!&Rmr6ebpV^4|knJZ%qmzL;OvG3~A*loGY7?YS%hS{2R0%NQ@fRoEK52Aiu%gj(
z_7~a}eQUh8PnyI^J!>pxB(x7FeINHHC4zLDT`&C*XUpp@s0_B^!k5Uu)^j_uuu^T>
z8WW!QK0SgwFHTA%M!L`bl3h<zOXT*J6fe~c%_xb0$mxr#<2VD=$rO0L8nX7*#{Ksu
z$LONOvFCTfJN5XIapRVZlX}Y=<Lbb4!eHVHYIDPW9?-^*TjQ2+nH<TKdTCuE{W6Ky
z7>HjPp)|wL5Var_*A1-H8LV?uY5&ou{hRjj>#X@rxV>5<xG4RL_K~wL=!|H8*ZSVn
ze*QWuVl90vQ035NRw9cT+>%-9hbP+v?$4}3EfoRH;l_wSiz{&1<+`Y5%o%q~4<MOn
zEoNk8R4!uRxI3kmMnO0fow{Ibz3`A^4>rdpRF0jOsCoLnWY5x?V)0ga>CDo`NpqS)
z@x`mh1QGkx;f)p-n^*g5M^zRTHz%b2IkLBY{F+HsjrFC9_H(=9Z5W&Eymh~A_FUJ}
znhTc9KG((OnjFO=+q>JQZJbeOoUM77M{)$)qQMcxK9f;=L;IOv_J>*~w^YOW744QZ
zoG;!b9VD3ww}OX<8sZ0F##8hvfDP{hpa3HjaLsKbLJ8<m2C(MCx~x+Mo`}Jf7gdL>
z0WpY2E!w?&cWi7&N%bOMZD~o7QT*$xCRJ@{t31~qx~+0yYrLXubXh2{_L699Nl_pn
z6)9eu+uUTUdjHXYs#pX^L)AIb!FjjNsTp7C399w&B{Q4q%yKfmy}T2uQdU|1EpNcY
zDk~(h#AdxybjfzB+mg6rdU9mDZ^V>|U13Dl$Gj+pAL}lR2a1u!SJXU_YqP9N{ose4
zk+$v}BIHX60WSGVWv;S%zvHOWdDP(-ceo(<8`y@Goy%4wDu>57QZNJc)f>Ls+}9h7
z^N=#3q3|l?aG8K#HwiW2^PJu{v|x5;awYfahC?>_af3$LmMc4%N~JwVlRZa4c+eW2
zE!zosAjOv&UeCeu;Bn5OQUC=jtZjF;NDk9$fGbxf3d29SUBekX1<Pr@Tu%2mF`vob
zdsw;fW5J;CqD*)A#3k~8m#E~>!a$Vmq_VK*MHQ4)eB!dQrHH)LVYNF%-t8!d`@!cb
z2CsKs3|!}T^7fSZm?0dJ^JE`ZGxA&a!jC<>6_y67On0M)hd$m*RAzo_qM?aeqkm`*
zXpDYcc_>TFZYaC3JV>{>mp(5H^efu!Waa7hGTAts29jjuVd1vI*fEeB?A&uG<8dLZ
z(j6<v3j>;-%vJ7R0U9}XkH)1g>&uptXPHBEA*7PSO2TZ+dbhVxspNW~ZQT3fApz}2
z_@0-lZODcd>dLrYp!mHn4k>>7kibI!Em+Vh*;z}l?0qro=aJt68joCr5Jo(Vk<@i)
z5BCKb4p6Gdr9=JSf(2Mgr=_6}%4?SwhV+JZj3Ox^_^OrQk$B^v?e<VR4r!cUQcNa*
zLw&@@0{2I&$oQBHjs;Rdk`@6y1!<-(7NgjbFuEcwrG9}&Hy03(S??>Nz}d^xRaz&~
zKVnlLnK<O~>#8^y=If2f1zmb~^5lPLe?%l}>?~wN4IN((2~U{e9fKhLMtYFj)I$(y
zgnKv?R+ZpxA$f)Q2l=aqE6EPTK=i0sY&MDFJp!vQayyvzh4wee<}kybNthRlX>SHh
z7S}9he^EBOqzBCww^duHu!u+dnf9veG{HjW!}aT7aJqzze9K6-Z~8pZAgdm1n~aDs
z8_s7?WXMPJ3EPJHi}NL&d;lZP8hDhAXf5Hd!x|^kEHu`6QukXrVdLnq5zbI~oPo?7
z2Cbu8U?$K!Z4_yNM1a(bL!GRe!@{Qom+DxjrJ!B99qu5b*Ma%^&-=6UEbC+S2zX&=
zQ!%bgJTvmv^2}hhvNQg!l=kbapAgM^hruE3k@jTxsG(B6d=4thBC*4tzVpCYXFc$a
zeqgVB^zua)y-YjpiibCCdU%txXYeNFnXcbNj*D?~)5AGjL+!!ij_4{5EWKG<MLirH
z+DX^Dk(~hl-o)R17Ke7NBWBmGx0}_Yh*L{$3or|S`y{XU9=}stg7(?(^wZZS2Da%+
zWvCP|MzT2WK(<`aoEV!R1WAp-r%3{)SA=78<qFf;<rwNmD*Y*6(NUk(!LD}1(qHA3
z`=B=489M4KM^RxXd(tHgT%9X5Tjnh2mdXv4MCT5VYa7rd+N5ISRlSW}1lw5{(5L@K
zwzTh&rM#;2<;oP^LJod0{WsXpN5C{w?l*Jg>av0^={~M^q}baAFOPzxfUM>`KPf|G
z&hsaR*7(M6KzTj8Z?;45zX@L#xU{4n$9Q_<-ac(y4g~S|Hyp^-<*d8+P4NHe?~vfm
z@y309=`lGdvN8*jw-CL<;o#DKc-%lb0i9a3%{v&2X($|Qxv(_*()&=xD=5oBg=$B0
zU?41h9)JKvP0yR{KsHoC>&`(Uz>?_`tlLjw1&5tPH3FoB%}j;yffm$$s$C=<NH+_Q
zuVOy!BKDYAHt^L);tLou9Iw!KVrZ;__9lB4Qu}AkDaaH65g@R}lia;0J%u}*93`p?
zaeF={6)8oIBzH4kIggVAVvNSbROx-Z(+`hO*myDp7yv#WCwMIxk<hHjD5AkCV*KFy
z7uwrr!(roY4b(1>RHi`I3*m@%CPqWnP@B~%DEe;7ZT{9!IMTo1hT3Q347HJ&!)BM2
z3~aClf>aFh0_9||4G}(Npu`9xYY1*SD|M~9!CCFn{-J$u2&Dg*=5$_nozpoD2nxqq
zB!--eA8UWZlcEDp4r#vhZ6|vq^9sFvRnA9HpHch5Mq4*T)oGbruj!U8Lx_G%Lby}o
zTQ-_4A7b)5A42vA0U}hUJq6&wQ0J%$`w#ph!EGmW96)@{AUx>q6E>-r^Emk!iCR+X
zdIaNH`$}7%57D1FyTccs3}Aq0<0Ei{`=S7*>pyg=Kv3nrqblqZcpsCWSQl^uMSsdj
zYzh73?6th$c~CI0>%5@!Ej`o)Xm38u0fp9=HE@Sa6l2<mw_Yh7ly>oX9^^4|Aq%GA
z3(AbFR9gA_2T2i%Ck5V<FfGDt5jFr`inQh;1&EJ*>2Q2WW-(a&(j#@l6wE4Z`xg#S
za#-UWUpU2U!TmIo`CN0JwG^>{+V#9;z<j+vge|-bMmFe5eQtw=$jBe&1J+DLGhNXR
zVF0LJkT6h0B8nsw@>vx;ztc$}@NlcyJr?q(Y`UdW6qhq!aWyB5xV1#Jb{I-ghFNO0
z<gP-h@3s4i1u==>FU~+QgPs{FY1AbiU&S$QSix>*rqYVma<-~s%ALhFyVhAYepId1
zs!gOB&weC18yhE-v6ltKZMV|>JwTX+X)Y_EI(Ff^3$WTD|Ea-1HlP;6L~&40Q&5{0
z$e$2KhUgH8ucMJxJV#M%cs!d~#hR^nRwk|uuCSf6irJCkSyI<%CR==tftx6d%;?ef
zYIcjZrP@APzbtOeUe>m-TW}c-ugh+U*RbL1eIY{?>@8aW9bb1NGRy@MTse@>=<ra>
za%;5=U}X%K2tKTYe9gjMcBvX%qrC&uZ`d(t)g)X8snf?vBe3H%d<Ke$F$Z0AGpq$L
zh*N9G{;KEPa}gmeOBNBk0zORp;`+VU|1_04|4V$bCz(R~xePApA?YFdZU$CR63IbQ
z2Pq2(THUz7SlMWdHOdM19(SYTR)^7j>G=b<Uy4X-FL@RBUeVq-s%!3f=Wp$pdFiyc
z*UH5I+~YQSU-pf1Z~4Z+d0X6)<0i*Q_Z}vh)KKf>l^rv8Z@YN$gd9yveHY0@Wt0$s
zh^7jCp(q+6XDoekb;=%y=Wr8%<!i<hjG`j2f#)CHoE%?oHV1t_^966$UcQ|tMEj_Y
z^Dp_?#syJ7V{9Es?J3v}f}pPx{87yPa7|66#gbBs#7ePJ{bo_oH&rCWA~hx1V^t$U
z+8@1TWfn_Z`;{~9gC9mv?eoQ*Y-C)rhp|}dc#r5_J0yspKw$C`a}OGKQh(E&3WUik
z4AxbHbeGhXO7DYJ7=8m!=+Sj-HxJCb*@hx`<Q?E73ZqASI|ZO4gQX;PgpcX_I2dEP
z4PzF^;fhXQ)40w{k(P#>6;z0ANH5dDR_VudDG|&_lYykJaiR+(y{zpR=qL3|2e${8
z2V<U){GkH!99$-?(vZQ6`9xYUH;m>;?jgHj7}Kl(d8C9xWRjhpf_)KOXl+@c4wrHy
zL3#9U(`=N59og2KqVh>nK~g9>fX*PI0`>i;;b6K<iTA=O-~d|1@8nQW|764_gHT9A
z+Jdw)Cus?cfv_Gsi;gF31B#4DZ2^Yn1Wk~wI*LZ!hnDLnI_*R~z#5pH4R3KO1Ir1F
zNQX5wC;<FU(7pj+t&{Y#h#K(_6=WtrHj4aPX$5uUHjT;c(e}35?V4?SZCg90+pyx(
z`_R8jCQe*LR*{P)PNV>F|8zg+k2hViCt}4dfMdvb1NJ-Rfa7vL2;lPK{Lq*u`JT>S
zoM_bZ_?UY6oV6Ja14X^;LqJPl+w?vf*C!nGK;uU^0GRN|UeFF@;H(Hgp8x^|;ygh?
zIZx3DuO(lD01ksanR@Mn#lti=p28RTNYY6yK={RMFiVd~k8!@a&^jicZ&rxD3CCI!
zVb=fI?;c#f{K4Pp2lnb8iF2mig)|6JEmU86Y%l}m>(VnI*Bj`a6qk8QL&~PFDxI8b
z2mcsQBe9$q`Q$LfG2wdvK`M1}7?SwLAV&)nO;kAk`SAz%x9CDVHVbUd$O(*aI@D|s
zLxJW7W(QeGpQY<$dSD6U$ja(;Hb3{Zx@)*fIQaW{8<$KJ&fS0caI2Py^clOq9@Irt
z7th7F?7W`j{&UmM==Lo~T&^R7A?G=K_e-zfTX|)i`pLitlNE(~tq*}sS1x2}Jlul6
z5+r#4SpQu8h{ntIv#qCVH`uG~+I8l+7ZG&d`Dm!+(rZQDV*1LS^WfH%-!5aTAxry~
z4xl&rot5ct{xQ$w$MtVTUi6tBFSJWq2Rj@?HAX1H$eL*fk{Hq;E`x|hghRkipYNyt
zKCO=*KSziiVk|+)qQCGrTYH9X!Z0$k{Nde~0Wl`P{}ca%nv<6fnYw^<s*I^w2}g4)
zDT(2xL%uqsByOSZ61tavt7O>~9dYxTnTZB&&962jX0DM&wy&8fdxX8xeHSe=UU&Mq
zRTaUKnQO|A>E#|PUo+F=Q@dMdt`P*6e92za(TH{5C*2I2S~p?~O@hYiT>1(n^Lqqn
zqewq3ctA<T{c@#lWCZ$(!d{cN7=2we77Yx!0ew~Gx<3;vHo@;Z=)<i6dXzL;AY|z|
zQh^P>A%0E)r53*P-a8Ak32mGtUG`L^WVcm`QovX`ecB4E9X60wrA(6NZ7z~*_DV_e
z8$I*eZ8m=WtChE{#QzeyHpZ%7GwFHlwo2*tAuloI-j2exx3#x7EL^&D;Re|Kj-XT-
zt9<G*I5j~YwPM=zQc<-<5T)`?p=k3wJ6%=B%=d_@HDXhwqg3ij6<6Gneq}IMRsO?+
zZ$ux+&=>08^soV2`7s+Hha!d^#J+B)0-`{qIF_x=B811SZlbUe%kvPce^xu7?LY|C
z@f1gRPha1j<g?ml{#gpkD^O$XNTr0o(I;d;h4uA8LjteITT`#--;T+ZYX+t7g{&jY
z%jLmo;U5!e_41&}2`Y3PtJNiOtyHYGC;e`w)XqI9cfa-k)QH;zlhbma7)pQ1mZ#s9
zrt1Z7OQrg>q|=f}Se)}v-7MWH9)YAs*FJ&v3ZT9TSi?e#jarin0tjPNmxZNU_JFJG
z+tZi!q)JP|4pQ)?l8$hRaPeoKf!3>MM-bp06RodLa*wD=g3)@pYJ^*YrwSIO!SaZo
zDTb!G9d!hb%Y0QdYxqNSCT5o0I!GDD$Z@N!8J3eI@@0AiJmD7brkvF!pJGg_AiJ1I
zO^^cKe`w$DsO|1#^_|`6XTfw6E3SJ(agG*G9qj?JiqFSL|6tSD6vUwK?Cwr~gg)Do
zp@$D~7~66-=p4`!!UzJDKAymb!!R(}%O?Uel|rMH>OpRGINALtg%gpg`=}M^Q#V5(
zMgJY&gF)+;`e38QHI*c%B}m94o&tOfae;<xSoo%JWgt|4OsWqBge(0MrWCl{^{1qR
z$9kiQL{yp=)4GQGI_Jm5&g#GDTYcGhkauMJQ(qfM)1pg_a_8YpGwNbwNKp#T3-1@6
z|CjTBM~_fXe$Rs`cJE+v;7^0eysLT1ugyST5y-lLQ?!t5I+r@})qno};JoRD-E=Xi
zX_8OynCqNAP{M@6q0{1lA$fd7YVYB^B3HOC?;KS&skUZdpr&?G*{Dvo9Hf%gnd2O9
zvFCA)Qg13bH?d=3bMwL-iMgPupd}c_KuUy2B!UeZUr<=BIK|YBv?yV$q58*?!w_CK
zhp}K1=StAQ6{?zIqvi9mLesqVm&dX(9+AzcRVtrMpZ;{ErIyVQpVYzYVcvn6%u9m3
zENe?2g{r;1I%;x<{deB!54%lK?QVcb%q|Y(3&@xG42;qPh~(~r6ouOokrhp}g_Byo
zKp4yiKG~E3?*xr!?^(OHXYKbID@Vk%L$MJN?dLjF_FD?rZRr8zTic`kxqVF61s8OU
zY1cLlYqVUOIkCpn>og&!J2;6ENW}QeL7<PXg{yny8O<B+-%z=8!`{k@uZK?dU2tpL
zoDCc1bk4tH!`>3jatbI1*9X~y=$Dm%6FwDcnCyMRL<PZ=`4kP-O>}zo`0=y7=}*Uw
zo3!qZncAL{HCgY!+}eKr{P8o27ye+;qJP;kOB%RpSesGoHLT6tcYp*6v~Z9NCyb6m
zP#qds0jyqXX46qMNhXDn3pyIxw2f_z;L_X9EIB}<BZV)NY+Sf`GmW4*C1<w9<G3@Y
zR-2Ao^uw)%Z0Eww)CNf&GoE61(l=R$@lLulhRTBom-G)|sA)*B&(~_KWRT_L+saB5
zo*q>AhyC`FYI}G3$WnW>#NMy{0aw}nB%1=Z4&*(FaCn5QG(zvdG^pQRU25;{wwG4h
z@kuLO0F->{@g2!;NNd!<zny}%07Jn8Nf<E`qd>PfqM-;@F0;&wK}0fT9UrH}(8A5I
zt33(<pT6JhCadCO^EwcP0}B}m196bLHZSD1wzS~lgDzyBOMDp_>+&U;CLN|8+71@g
z(s!f-kZZZILUG$QXm9iYiE*>2w;gpM>lgM{R9vT3q>qI{ELO2hJHVi`)*jzOk$r)9
zq}$VrE0$GUCm6A3H5J-=Z9i*biw8<GlN{|J&^K2l_*g<#Pt^RN|DX}11Ly}*7(>ng
zi<1nM0lo^KqRY@Asucc#DMmWsnCS;5uPR)GL3pL=-IqSd>4&D&NKSGHH?pG;=Xo`w
zw~VV9ddkwbp~m>9G0*b?j7-0fOwR?*U#BE#n7A=_fDS>`fwatxQ+`F<!Rj$KZl*<p
zT?$eX^b9WOf%^Fc5Ow$#oiLZxFXB|4X4Ah-N23bVC3rdbHNy5`I((oY2SI(gVJE_3
zv~k-4(EcFxN5Hx@>zhBGQUAyIRZ??eJt46vHBlR>9m!vfb6I)8!v6TmtZ%G6&E|1e
zOtx5xy%yOSu+<9Ul5w5N=&~4Oph?I=ZKLX5DXO(*&Po>5KjbY7s@tp$8(fO|`Xy}Y
z;NmMypLoG7r#Xz4aHz7n)MYZ7Z1v;DFHLNV{)to;(;TJ=bbMgud96xRMME#0d$z-S
z-r1ROBbW^&YdQWA>U|Y>{whex#~K!ZgEEk=LYG8Wqo28NFv)!t!~}quaAt}I^y-m|
z8~E{9H2VnyVxb_wCZ7v%y(B@VrM6lzk~|ywCi3HeiSV`TF>j+I<PcrA4vbhkc}Ds9
zVnPj;dD9hvN^{*9tq;`Y3-i35x*J^9kk!Mknb6QMp+R%r;|Y~}U1bd=<D2Z^=6NHx
z)o!mbv)c13!qxVmdz@Dme2Ud2?)buFbw!<Z_N}SPHX2@PRM{c<oRhmdQ=Q!h%GA-#
zE|+zRyX;@_)`kh%@3wm_ZjUz-66I&coi<`>jd|p*kyn;=mqtf8&DK^|*f+y$<HJ*z
z{kCJi%r~syv1<5SAj?Qn<RD-N0#-mimPHVGsjQ(4>38+9!sis9N=S)nINm9=CJ<;Y
z!t&C>MIeyou4XLM*ywT_JuOXR>VkpFwuT9j5>66<JwXm0Iz|uD_GISrZ<tb63#|b6
zmesyu7v#<;wAs4wx|xl$8!C)O(dny+&uQp5Yiylr74+Z{`kuduLfD{$!RweaKvq@@
zSKvT=l{+EaFCqSAuk-})NiD5^S-DyEOCPWcr6mSZED8GEaH3HbBi=sIw&e0Ek0*HT
zg7i-oY%env)m$!wZo6{H^btX$@qVG{e!&!~J#BILfmfs_E?=UpX#O6)G;!&c?y}Qg
zZDtQIxqNpZ+R#vKv;FOFva`NsR7883$-r&2{_WuFALO<~3Fk}Bb(WC&g8i;%)qzDY
zRjOTdfX!%Ad(<}BcYy4>7A=CU*{TBrMTgb4HuW&!%Yt`;#md7-`R`ouOi$rEd!ErI
zo#>qggAcx?C7`rQ2;)~PYCw%CkS(@EJHZ|!!lhi@Dp$*n^mgrrImsS~(ioGak>3)w
zvop0lq@II<?zr~h{;~Z%uibTbs^_R=H(HEh%|uq3KKIc_zxBu?d|hToq+T%unvO@H
z_7G`_g*WS&kUbvS*4>SuA0Ou*#1JkG{U>xSQV1e}c)!d$L1plFX5XDXX5N<n2C0jm
zX{r1Jy%RD8vWp=4fyb$$F_f=*`nvNgb$TK5DH~vUeDX&BtW7RGgbP7rCk$}DqbN_=
zG+@cCNjfaVNpOlFw+a>7Ns{kT{y5|6MfhBD+esT)e7&CgSW8FxsXTAY=}?0A!j_V9
zJ;IJ~d%av<@=fNPJ9)T3qE78kaz64E>dJaYab5u<efW`3H($g#7XgvMkYf+oz36no
z(7hfLHbbB2R0{1uae-^d+wzih8L%N9he3ud^j?e&dq$dH2awC*y4Q%$6QP+9{{{^S
zS|%?I`*;k>aU`n~Zdp2h{8DV%SKE5G^$LfuOTRRjB;TnT(Jk$r{Pfe4CO!SM_7d)I
zquW~FVCpSycJ~c*B*V8?Qqo=GwU8CkmmLFugfHQ7;A{yCy1OL-+X=twLYg9|H=~8H
znnN@|tCs^ZLlCBl5wHvYF}2vo>a6%mUWpTds_mt*@wMN4-r`%NTA%+$(`m6{MNpi@
zMx)8f>U<?#KGhQOH9sd_@m#$xV)2XXy+)7rj<v$+@Y;iI(?-Y3Sg0r<Nksvzzi#Zp
z$q~EP;jFN*8js?YBQ<`b?Z-d1$^IIsy$A>4hd!row@gM&PVo&Hx+lV@$j9yWTjTue
zG9n0DP<*HUmJ7ZZWwI2x+{t3QEfr6?T}2iXl=6e0b~)J>X3`!fXd9+2wc1%cj&F@Z
zgYR|r5Xd5jy9;YW&=4{-0rJ*L5CgDPj9^3%bp-`HkyBs`j1iTUGD4?WilZ6RO8mIE
z+~Joc?GID6K96dyuv(dWREK9Os~%?$$FxswxQsoOi8M?RnL%B~Lyk&(-09D0M?^Jy
zWjP)n(b)TF<-|C<kuA~or~e()IVaJB8ThDOo%m84{2#Jw7lA;F7HB%yOOfao*a-Bo
z9vF{4tjJ*|r>G%!Vz?8Fu&6iU<>oG#kGcrcrrBlfZMVl0wOJvsq%RL9To%iCW@)#&
zZAJWhgzYAq)#NTNb~3GBcD%ZZOc43!YWSyA7TD6xkk<oWhdAZNF5oEMySt*u%}=mX
zY^=DnO8CU4$;_0G$Mo-Kkj5NlGljS+>)n^FaRAz73b}%9d&YisBic(?mv=Iq^r%Ug
zzHq-rRrhfOOF+yR=AN!a9*Rd#sM9ONt5h~w)yMP7Dl9lfpi$H0%GPW^lS4~~?vI8Z
z%^ToK#NOe0ExmUsb`lLO$W*}yXNOxPe@zD*90uTDULnH6C?InP3J=jYEO2d)&e|mP
z1DSd0QOZeuLW<s88&Dqv$ZDY(qEHICGi1F$d4+8O&b2468PMe9JW2)dic7s&U~)}9
zv>o*NqZzopA+LXy9)fJC00NSX=_4Mi1Z)YyZVC>C!g}cY(Amaj%QN+bev|Xxd2OPD
zk!dfkY6k!(sDBvsFC2r^?}hb81(WG5Lt9|riT`2?P;B%jaf5UX<~OJ;uAL$=Ien+V
zC!V8u0v?CU<?sa9rw*YNr=`U}IHdv2<G`|o3Bx8D;^GeQOIB`c%X^K&>a)4*Q+Q_u
zkx{q;NjLcvyMuU*{+uDsCQ4U{JLowYby-tn@<?{mQ!v2u1l{5e{t5@ZjF*S!>hatL
zy}X>9y08#}oytdn^qfFesF)Tt(2!XGw#r%?7&zzFFh2U;#U9XBO8W--#gOpfbJ`Ey
z|M8FCKlWQrOJwE;@Sm02l9OBr7N}go4V8ur)}M@m2uWjggb)DC4s`I4d7_8O&E(j;
z?3$9~R$QDxNM^rNh9Y;6P7w+bo2q}NEd6f&_raor-v`UCaTM3TT8HK2-$|n{N@U>_
zL-`P7EXoEU5JRMa)?tNUEe8XFis+w8g9k(QQ)%?&Oac}S`2V$b?%`DwXBgja&&fR@
zH_XidF$p1wA)J|Wk1;?lCl?fgc)=TB3>Y8;BoMqHwJqhL)Tgydv9(?(TBX)fq%=~C
zmLj!iX-kn7QA(9snzk0LRf<%SzO&~IhLor6A3f*U^UcoAygRe!H#@UCv$JUP&vPxs
zeDj$1%#<2T1!e|!7xI+~_VXLl5|jHqvOhU7ZDUGee;HnkcPP=_k_FFxPjXg*9KyI+
zIh0@+s)1JDSuKMeaDZ3|<_*J8{TUFDLl|mXmY8B>Wj_?4mC#=XjsCKPEO=p0c&t&Z
zd1%kHxR#o9S*C?du*}tEHfAC7WetnvS}`<%j=o7YVna)6pw(xzkUi7f#$|^y4WQ{7
zu@@lu=j6xr*11VEIY+`B{tgd(<i-P<xW8QmX{Uu}CW{$k=4G`<yQ5DK7nY#9L<7KO
zZl2V*aS4sKmaEUS-mY%P1^cv^q{7lxZ)5qzsWF(QH6y#+dwE4lRddpa#$Z}_cCaKa
zE;TlFY<W#EqQ=~xoZ>c3zO8%nGk0U^%ec6h)G_`ki|XQXr!?NsQkxzV6Bn1ea9L+@
z(Zr7CU_oXaW>VOdfzENm+FlFQ7Se0ROrNdw(QLvb6{f}HRQ{$Je>(c&rws#{dFI^r
zZ4^(`J*G0~Pu_+p5AAh>RRpkcbaS2a?Fe&JqxDTp`dIW9;<O_d1fh3g+@%<JHS<h;
z`xr?<<utwG<Lj5Zdhfz~Sd#5Kb7T9+cKkOui1y`+Uv$r&om%~&H3ligXMa!k1A}&8
z`oKdmM{uQUq3k>DL%0wxX5;`KxyA4F{(~_`93>NF@bj4LF!NC&D6Zm+Di$Q-tb2*Q
z&csGmXyqA%Z9s(AxNO3@Ij=WGt=UG6J7F;r*uqdQ<A<k`&*~1mNB0QW1T5I+z^l>a
z?7j!nV{8eQE-cwY7L(3AEXF3&V*9{DpSYdyCjRhv#&2johwf{r+k`QB81%!aRVN<&
z@b*N^xiw_lU>H~@4MWzgHxSOGVfnD|iC7=hf0%CPm_@@4^t-nj#GHMug&S|FJtr?i
z^JVrobltd(-?Ll>)6>jwgX=dUy+^n_ifzM>3)an3iOzpG9Tu;+96TP<0Jm_PIqof3
zMn=~M!#Ky{CTN_2f7Y-i#|gW~32RCWKA4-J9sS&>kYpTOx#xVNLCo)A$LUme^fVNH
z@^S7VU^UJ0YR8?<bG~Mj6Gj-lk3HOub{MXq84f%T`QY6$SQB%P+{DM48!0oDB|1i&
zZKxv58$HkYAPzeA(N@4W-r2I(ob~ZN%-H1^uVTL2tUjwxrv8WT<9HEQp}oppV?S-b
z?TWa%T=%&4xZ~a0-G(Qtj>Oy$^IYuG*bm|g;@aX~i60%`7XLy*AYpYvZ^F^U(!|RW
z*C!rJ@+7TGdL=nNd1gv^%B+;Fcr$y)i0!GRsZXRHPs>QVGVR{9r_#&Qd(wL|5;H;>
zD>HUw=4CF++&{7$<8G@j*nGjhEO%BQYfjeItp4mPvY*JYb1HKd<ZQ^<n)7B(e{N}R
zNACLEJ-M&vp2!R2b>!{HJ9*)(3%BR%{Pp?AM&*yHAJsW({ivOzj*qS!-7|XEn6@zo
z3L*tBT%<4RxoAh>q{0n_JBmgW6&8hx?kL(_^k%VL>?xjAyrKBmSl`$=V|SK}ELl}@
zd|d0eo#RfG`bw9SK3%r4Y+rdvc}w}~ixV%tqawbdqvE-WcgE+BUpxMT%F@btm76MG
zn=oQRWWuTm+a{dy)Oc2V4yX(@M{QAkx>(QB59*`dLT`<?!`ti2@y+pV_8st7_#g52
z1!@8-14n{+!KuOff(Jusq1w=z(B5!jxFx(cyss+1s<Z0Bs-u@|yyQrAPIYVbrs`9d
z>Pz3Lsj9iB=HSHAiCq()ns|Cr)1<p6y)@aLys9>*c605Cx}3V&x}Lg?b+6Q?)z7Kl
zQh&1Hx`y6JY-Cwvd*ozeps}a1xAA0CR+Da;+O(i)P1C;SjOI}Dtmf6tPqo-Bl`U78
zv$kYgPntPp@G)n1an9tEoL*Vumu9`>_@I(;+5+fBa-*?fEx=mTEjZ7wq}#@Gd5_cW
z!mP{N=yqEntDo)|>oy6{9cu+-3*GTnmb^`O0^FzRPO^&aG`f@F_R*aQ_e{F+_9%NW
z4KG_B`@X3EVV9L>?_RNDMddA>w=e0KfAiw5?#i1NFT%Zz#nuv(&!yIU>lVxmzYKQ`
zzJ*0w9<&L4aJ6A;0j|_<vbtcWAbbzpCj3Gin*xk%@5HxYh(fosHrML5=EAoJzwHRw
zh@)_=)rwlI8GD^(O|@nqTobf9QEEG(*M$^xqkm*B>~i>+y(q-=;2Xxhx2v%CYY^{}
z^J@LO()eLo|7!{ghQ+(u$wxO*xY#)cL(|mi<iezIsIQq}e;H<1HsO1a%jmXB^n!Yj
z`bEguLTH*W^N>H2_ck2yN{mu4O9=hBW*pM_()-_YdH#Ru{JtwJ^R2}3?!>>m1pohh
zrn(!xCjE<?5dV)b*C5Aj$gepjhO+1}F~03sn})p^Uz6_w9HjtSwO;4fgQNBdkCC(S
zXIQs_lKEg{DKt7!64@q0U7<~Z9sWW2MiWn5C=n^v2(+j+NQ}hd(YScLR6bFX1e5GJ
z{f}vqE*X+(y(=SeU6&=<n3p71@^G&#A3gi#b>0Q&EH1<ywPMV@T7r4FN~KK7(R*2e
zG3w@Kn+NlNX^aE);gT>QK?zA%sxVh&H99cObJUY$veZhQ)MLu-h%`!*G)s$2k;~+A
z)Kk->Ri?`oGDEJEtI*wijm(s5<vO`uZjc+%3o%>f$W78FH{+qBxiU{~kq((J3uK{m
z$|C8K#j-?hm8H@x%VfFqpnvu@xn1s%J7uNZC9C99a<_b1J|mx%)$%!6gPU|~<@2&m
zz99GDp`|a%m*iggvfL;4%X;~WY>)@!tMWB@P`)k?$;0x9JSrRI8?s3rlgH(o@`OAo
zn{f*gZ#t2u<vX%PzAIbh8QCV^lkM_->6K??hx|aElOM`Xd0t+SAIUEHvFw%?Wsm$s
zUXq{6UU?a>Nc@@Xlb_2k<d?Yk`js4zSLLAmT7Dyk<TW`guge>9M1Ctr<#+O?yd}rv
z_wu&<L5|BGrBD7Of0n<<JMvdKA@9n2@;7;3{*GxNK9rO44>=_t$!Yngd@N_AUj}T;
z#*Ce|%XZr_sQcsWcsl{pCnnj+c8ZNIMmx<;w=-g$Q>BU;9k;w|zQ;4!W32Xg2Cd?{
zvmO3kuKQ^Hv;o>6ZHP8ZJ2`4~Bx?N;cf<0fi=!*G^^WzbTF3e$b&d^qqB{>nqLG81
zs94bBh%|Vj+hLu=!8(b9brJ>ZBns9^6s(gdSVyP9qnu2_I{Sg8j-rloG6{d`De5We
zDe5WeY3ga}Y3ga}Y3ga}Y3ga}Y3ga}d8y~6o|k%F>UpW>rJk31Ug~+N=cS&HdOqs;
zsOO`ek9t1p`Kafko{xGy>iMbXr=FjBxZMYc8a#gL`Kjlpo}YSt>iMY`pk9DF0qO*(
z6QE9jIsxhgs1u-0kUBx8D@eT{^@7w3QZGooAoYUO3sNscy%6<6)C*BBM7<F8LevXU
zFGRf%^}^H(Q!h-tF!jRJ3sWyly>L`dk$Xk%6}eZQXgo#!75P`>Uy*-B{uTLG<X@40
zMgA4}SL9!je?|Tk`B&s$k$*-075P`>Uy*-B{uTLG<X@40MgA4}SL9!je?|Tk`B&s$
zk$*-075P`>Uy*-B{uTLG<X@40MgA4}SL9xidqwUQxmV;~k$Xk%6}eaBUXgo6?iIOL
z<X#1$JSg(7$iE{0iu^0`ugJe5|BC!8@~_ChBL9l~EAp?%zasyN{44UW$iE{0iu^0`
zugJe5|BC!8@~_ChBL9l~EAp?%zasyN{44UW$iEuoJ{&DaDjY3GsEwTSjAnVzEDxIH
zL9;w)mIux9pvk``|C;=3@~_FiCjXlJYx1wjy(agXylZl<$+;%y7~~jDCpp*TT9a!{
zt~I&V<XV$!O|CV$*5q1~YfY{-xz^-blWR?`G3|Ub9pqZ`yspW&Cf}NTYx1qhw<h13
qd~5Qp$+srontW^Wt)qNLLXk-9aux9_WlUi5WYd6^D_dVgyY*ioe@L+a

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.woff b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/fonts/bootstrap/glyphicons-halflings-regular.woff
new file mode 100644
index 0000000000000000000000000000000000000000..9e612858f802245ddcbf59788a0db942224bab35
GIT binary patch
literal 23424
zcmY&eV{m0%u#Iioo_J#0nb?@vwry)-+qNe*Z>))v8{5gt_uj9!t5)^yb-JtjRGrhi
zYInOUNJxNyf_yKX01)K=WP|Si>HqEj|B{eUl?MR<)%<1&{(~)D+NPwKxWqT-@~snp
zg9KCz1VTZDiS?UH`PRk1VPM{29cgT9=<v;Lf`EYagMdIet=H@a8oRlWfPg?`f7?L(
zFKED?%?+Ku?I7~Mb(sI~^#uZMZsTe8&6R_I$YX<mq!jz=4cJ?l8k&HBDD{8auziCA
zQl4qm;+y>D?!Wc_@}qzggFv;gb@2cJQAYWWtpEZ7?y@jSVqjx${B5UV@SO|wH<<0;
z{><1KdVI%Ki}>~<`46C0AggwUwx-|QcU;iiZ{NZu`ur>hd*|<W)sXtmhXDixZoaeV
zklo$X=sQ21?>Hb(|6veERq<PbegkBRzi{?HIp-GW`hU_n&12ozz{J4dAGi@L6pDe-
z_ud2pJc-_b2pj}b3Pc9vzvpJBX4(Dy6a52IgD!!AfuwLEKN$^~jn+XAz)Mg9U?T~E
zgqNfL`tz^91n&aBz=T}M5SD}tB`7H25Mn@BQsEK4gL$l9qzGE52osF@rxjbO42^t7
z#@g=mu(37N%+Vt`PAJL-lQ=FQENF`3={3?oV6ei1hBKA`DuVTzgGk7b#0j#++TdzR
zI(97e!~g}_G7m33x=^Ssom?;fl4q}a+^;UP-1|ZzG9$*2kpk7p8YI9lAxj<90CjKp
zE8u&KGi5Zv=157hgKP@$c2&H4zuKcOmHoZD%?+qY(Kf~v8|7crq{Nr<WvZ$ts)Fb$
z8!IcdkQ`H>xu=b@5Bab=rqptGxd{QJg!4*-i_$sES~)AB46}Fjg|ea#e@?J}z%CUJ
zOsLWRQR1#<tB|QIEY)&I*ZbudHp)E;$><nb=BbXZ4tHi(jj=+TGtb?X^faOKFyozE
zS@PKF)~8;5xRSNpTm4ugp<(oc@Q3%7K-)@eyP?m1z&l;rf%%J4?;rfzsBU`M+aNyb
z*@?y5Vm{LN@ggUHmiuxx_Dtj5rsol#BM~=pjyHqe<HcvPas11*o_#i9ZJ%`X+7&6Y
z4F}#7CrnT%)O76bs<&03Bs~CBL9-lPzgZEx+oS+S$-gV~5q;R39w5(FZ(Km5B%*l&
z(rrr`BO68!fN#?(kC!s6W?du1@vWLl$02}9k4Iw`sS*azt|mzMLd*ov1C_X-Z_DEc
zA>ng^sD)A4FDuY!iUhzlgfJh(J@BRqd&P#v2B`+saBx>m+M&q7vk-75$NH%T5pi%m
z5FX?`2-5l53=a&GkC9^NZCLpN5(DMKMwwab$FDIs?q>4!!xBS}75gX_5;(luk;3Vl
zLCLd5a_8`Iyz}K}+#RMwu6DVk3O_-}n>aE!4NaD*sQn`GxY?cHe!Bl9n?u&g6?aKm
z-P8z&;Q3gr;h`YIxX%z^o&GZZg1=>_+hP2$$-DnL_?7?3^!WAsY4I7|@K;aL<>OTK
zByfjl2PA$T83*LM9(;espx-qB%wv7H2i6CFsfAg<9V>Pj*OpwX)l?^mQfr$*OPPS$
z=`mzTYs{*(UW^ij1U8UfXjNoY7GK*+YHht(2oKE&tfZuvAyoN(;_OF>-J6AMmS5fB
z<XKU7YH10@@&WJhj71Cj$=TP(r@q<cW{2}t$FbdUw)ad2!elcuLPw0X5toDsPadV*
zO3EPF>^sY6wea&&${+!}@R1f$5oC-2J>J-A${@r(dRzc`wnK>a7~8{Y-scc|ETOI8
zjtNY%Y2!PI;8-@a=O}+{ap1Ewk0@T`C`q!|=KceX9gK8wtOtIC96}-^7)v23Mu;MH
zhKyLGOQMujfRG$p(s`(2*nP4EH7*J57^=|%t(#PwCcW7U%e=8Jb>p6~<TTQ9e?y3C
zdb|J>>RAlY4a*t<yx)M!`#-^(n~+nSXHt)XXPCd>s=pl}_J{->@kKzxH|8XQ5{t=E
zV&o`$D#ZHdv&iZWFa)(~o<E{GN9+27JE4iktONzQ1b)q{Sex30G?of$HMKN~8KD%g
zA+E{L7XRV>Bh-Osl{~CS0hfM7?PyWUWsr5oYlsyC1cwULoQ4|Y5RHA2*rN+EnFPnu
z`Y_&Yz*#550YJwDy@brZU>0pWV^RxRjL221@2ABq)AtA%Cz?+FG(}Yh?^v)1Lnh%D
zeM{{3&-4#F9rZhS@DT0E(WRkrG!jC<!Dwf@j`RqVrLtHFoIyn_L9bxbWrgS*Z9wMu
z#p1&N;H{ZGv&zD_N*zbkas>#5?OFjZv*xQjUP~XsaxL2rqRKvPW$zHqHr8Urp2Z)L
z+)EvQeoeJ8c6A#Iy9>3lxiH3=@86uiTbnnJJJoypZ7gco_*Hv<E!$|Yb^#x+eGvv(
zIp;Wt3|Xgi12|CZQBu5wnkbr4Z_o<}@wU&ThE&G4r6LGOs?2M%<}Vu1j2>KOH97B?
zWiwp>+r}*Zf9b3ImxwvjL~h~j<<3shN8$k-$V1p|96I!=N6VBqmb==Bec|*;HUg?)
z4!5#R*(#Fe)w%+RH#y{8&%%!|<UeDoR>fQ5JcFzUE;-yVYR^&Ek55AXb{^w|@j|&G
z|6C-+*On%j;W|f8mj?;679?!qY86c{(s1-PI2Wahoclf%1*8%JAvRh1(0)5Vu37Iz
z`JY?RW@qKr+FMmBC{TC7k@}fv-k8t6iO}4K-i3WkF!Lc=D`<I4n3h#nG>nuD)v#Na
zA|R*no51fkUN3^rmI;tty#IK284*2Zu!kG13<C=xWI7mp_-$=}wb|<b)!OZRv-HEP
z{%b~I$E(4`VZ#-glOe-5)a2pflY1Bz-1#4je?)~T9!X4-E;pkTTM{XAe2I!K$wY&{
zHEYHdnV_WuXSOaFHmg_J8USFkT|e)_-*FkL@p7z7`X=kCplNBVHgHbdYiIA4b&ia%
zF^b30NW{}~a)`)^H3EMpr)@2a^C3(yt-t3eigT2)odQdx2zf*pafN9pF#;@+u4LZa
z7x<*Yxq9&rRf5M3B$p^s`skXsITAn=Zo(y=33sGRSGWuaK?&Ne`Pj#q{feF+D~&z+
zEyT)MiaBL7L|^V76c6eAiTxZof6@zS20aGf%dzLc3HH8OA(-=u{w4pJ6%*OO;uayC
zzR4O{sz+f(78K2km*}=(W9{c=$lUj4eqLf#^t$Qwnbo?bEXMO?j$N^G)CbdGe8!P9
zJnZQX@k)7bzDG0I8w{~ZPTf4?D$;UGe$M~$TSzciU_@dS=0n{mhB=qm5O0^X+E9+o
z1x?ef8>!$OlxJAt@zLU`kvsazO25TpJLbK&;M8kw*0)*14kpf*)3<d6yUQxMZe%8t
zXy(eYN2(&WrmwSg<nK0tWy!~|3-Ib)_FW|=FVb)tUsL?PQ@qp22p>;GiDh;C(F}$-
z1;!=OBkW#ctacN=je*Pr)lnGzX=OwgNZjTpVbFxqb;8kTc@X&L2XR0A7oc!Mf2?u9
zcctQLCCr+tYip<jrMK$>a_k=;1ETIpHt!Jeo;iy^xqBES^Ct6-+wHi%2g&)?7N^Yy
zUrMIu){Jk)luDa@7We5U!$$3XFNbyRT!YPIbMKj5$IEpTX1IOtVP~(UPO2-+9ZFi6
z-$3<|{Xb#@tABt0M0s1TVCWKwveDy^S!!@4$s|DAqhsEv--Z}Dl)t%0G>U#ycJ7cy
z^8%;|pg32=7~MJmqlC-x07Sd!2YX^|2D`?y;-$a!rZ3R5ia{v1QI_^>gi(HSS_e%2
zUbdg^zjMBBiLr8eSI^BqXM6HKKg#@-w`a**w(}RMe%XWl3MipvBODo*hi?+ykYq)z
ziqy4goZw0@VIUY65+L7DaM5q=KWFd$;W3S!Zi>sOzpEF#(*3V-27N;^pDRoMh~(ZD
zJLZXIam0lM7U#)119Hm947W)p3$%V`0Tv+*n=&ybF&}h~FA}7hEpA&1Y!BiYIb~~D
z$TSo9#3ee02e^%*@4|*+=Nq6&JG5>zX4k5f?)z*#pI-G(+j|jye%13CUdcSP;rNlY
z#Q!X%zHf|V)GWIcEz-=fW6AahfxI~y7w7i|PK6H@@twdgH>D_R@>&OtKl}%MuAQ7I
zcpFmV^~w~8$4@zzh~P~+?B~%L@EM3x(^KXJSg<wVEvJN(*DSLK{@lLZ^>c6I=;)B6
zpRco2LKIlURPE*XUmZ^|1vb?w*ZfF}EXvY13I4af+()bAI5V?BRbFp`Sb{8GRJHd*
z4S2s%4A)<beb5!5W2AL1ws>6Uc=PK%4@PbJ<{1R6+2THMk0c+kif**#ZGE)w6WsqH
z`r^DL&r8|OEAumm^qyrryd(HQ9olv$ltnVGB{aY?_76Uk%6p;e)2DTvF(;t=Q+|8b
zqfT(u5@BP);6;jmRAEV057E*2d^wx@*aL1GqWU|$6h5%O@cQtVtC^isd%gD7PZ_Io
z_BDP5w(2*)Mu&JxS@X%%ByH_@+l>y07jIc~!@;Raw)q_;9oy@*U#mCnc7%t85qa4?
z%_Vr5tkN^}(^>`EFhag;!MpRh!&bKnveQZAJ4)gEJo1@wHtT$Gs6IpznN$Lk-$NcM
z3ReVC&qcXvfGX$I0nfkS$a|Pm%x+lq{WweNc;K>a1M@EAVWs2IBcQPi<R5t!qadV8
z`@w2vB^p<`Z$u8twt230^FDUXk@KFGRjk|Wy)IU*vs&-S4^@ur^QOw}{f&PX2ZUtx
z2^VHiFLv0j^tM_qTCdnm{?$%kSnzz+Rz#c}<%d@@&Y%vBngG@bQjNu*$QIzHiMtlr
z%<!I8J_+!}g1P;40riIDVp#J58>EJNt}+Ea8~WiapASoMvo(&PdUO}AfC~>ZGzq<X
zA{wc(2{B`w8<FdY#fUA=!$2hWfZJFFh^biG^FRul&;5HGQt3HYB*8-U;tAm`ZDrW?
zLGzSCAtG}^Y%BI&AQbV|jc8`aQkJs}$KZGr4&D`BKH5)pk?++zISItrK-zIx+|7D6
zd{(|~knMc?H%TN~Ttm8w#&X{*x_x0Tx_urTbWQT(rM-zoT(XUHVI3m?V@uQP4J|db
z_OkbMEz8a;6}80;ZBwYhBLn3A0_Q%9Xo7*<Qa^td-Q$KXkb<^$rXNS+J!!v~e_27-
z?B(DtKu5zrraAfXQ`1kqTCnO1=JFF~4jJA+&eXD+hsTX=d50Jrj6yJ)U-=XHF8z-o
z1o@Y7@sl2x7U<!Ygv?%s5eyX!wKt`l=(%|REJ0yS<TOH?s9B)is6Iv13lr}2%hiI}
zPUW^d?_dD#I&an8I8t^fY)SnDOhO39OTDNje$JA5dr5!UH92rZ)87wX;yQSp&mZg<
zmgmz=w6D&%v&B;c-vM3DEvl$Gev##x*ndtU#f^N2I}99-3HZpRE^$`D%!0A_ujaQb
zI5z(Mh2X@IN1#BF?<;^jK#~(MAEc`h<3P$Nghud=)(&&|-qnC?^x{5VK>Wjd)4no(
ziLi#e3lOU~sI*XPH&n&J0cWfoh*}eWEEZW%vX?YK!$?w}htY|GALx3;YZoo=JCF4@
zdiaA-uq!*L5;Yg)z-_`MciiIwDAAR3-snC4V+<n|J*V*n#h?&wg+C8sg$z312~u%3
zz$RVnQhlm*2c)>KA>&V%Ak;p{1u>{Lw$NFj)Yn0Ms2*kxUZ)OTddbiJM}PK!DM}Ot
zczn?EZXhx3wyu6i{QMz_Ht%b?K&-@5r;8b076YDir`KXF0&2i9NQ~#JYaq*}Ylb}^
z<{{6xy&;dQ;|@k_(31PDr!}}W$zF7Jv@f%um0M$#=8ygpu%j(VU-d5JtQwT714#<!
z&vm@KPB=l<TMpuv%DS+RW~~WnEOz5WiaSxW4<ph#&0;zqiCMt1ekX<hrb8#^mBYaW
zJA2vi7UWJVhfbeu%Rejgz>f0z+Cm$F9J<FFP&8OfSp_OMl7>jGr_G!~NS@L9P;C1?
z;Ij2YVYuv}tzU+HugU=f9b1Wbx3418+xj$RKD;$gf$0j_A&c;-OhoF*z@DhEW@d9o
zbQBjqEQnn2aG?N9{bmD^A#Um6SDKsm0g{g_<4^dJjg_l_HXdDMk!p`oFv8+@_v_9>
zq;#WkQ!GNGfLT7f8m60H@$tu?p;o_It#TApmE`xnZr|_|cb3XXE)N^buLE`9R=Qbg
zXJu}6r07me2HU<)S7m?@GzrQDTE3UH?FXM7V+-lT#l}P(U>Fvnyw8T7RTeP`R579m
zj=Y>qDw1h-;|mX-)cSXCc$?hr;43LQt)7z$1QG^pyclQ1Bd!jbzsVEgIg~u9b38;>
zfsRa%U`l%did6HzPRd;TK{_EW;n^Ivp-%pu0%9G-z@Au{Ry+EqEcqW=z-#6;-!{WA
z;l+xC6Zke>dl+(R1q7B^Hu~HmrG~Kt575mzve>x*cL-shl+zqp6yuGX)DDGm`cid!
znlnZY=+a5*xQ=$qM}5$N+o!^(TqTFHDdyCcL8NM4VY@2gnNXF|D?5a558Lb*Yfm4)
z_;0%2EF7k{)i(tTvS`l5he^KvW%l&-suPwpIlWB_Za1Hfa$@J!emrcyPpTKKM@NqL
z?X_SqHt#DucWm<3Lp}W|&YyQE27zbGP55=HtZmB(k*WZA79f##?TweCt{%5yuc+Kx
zgfSrIZI*Y57FOD9l@H0nzq<E4Q@_YK<1;`>Ou|Bhrm&^m_RK6^Z<^N($=DDxyyPLA
z+J)E(gs9AfaO`5qk$IGGY+_*tEk0n_wrM}n4G#So>8Dw6#K7tx@g;U`8hN_R<bPv^
zP6}0b!dly7dCc=KnICM>;^Uw9JLRUgOQ?PTMr<oQ9o~>4YD5H7=ryv)bPtl=<&4&%
z*w6k|D-%Tg*F~sh0Ns(h&mOQ_Qf{`#_XU44(VDY8b})RFpLykg10uxUztD>gswTH}
z&&xgt>zc(+=GdM2gIQ%3V4AGxPFW0*l0YsbA|nFZpN~ih4u-P!{39d@_MN)DC%d1w
z7>SaUs-g@Hp7xqZ3Tn)e<dV~D-0@M0u`KSW@qBLlIFNKze0?;|tm!<F9_5{TDKnUY
zJB8#(%G(di5;`|v12#{)=^Bhy!6zu5lq~#Rj8QgnK?%W-bqS8Lq9_xGRU?MD1Z_M>
z7x^sC`xJ{V<3YrmbB{h9i5rdancCEyL=9ZOJXoVHo@$$-%Za<Y<=Dws@<HVOn84kp
zy7czzAj#&D?|uHYH^U!oq7C#CS4C-HKPWUJ-r}5;#IkR`+-?7IMg|O#r^#PS@coAT
z<xl(XMO(JUH%Fc8@Q;tlw>Nm-75Z-Ry9Z%!^+STWyv~To>{^T&MW0-;$3yc9L2mhq
z;ZbQ5LGNM+aN628)Cs16>p55^T^*8$Dw&ss_~4G5Go63gW^CY+0+Z07f2WB4Dh0^q
z-|6QgV8__5>~&z1gq0FxDWr`OzmR}3aJmCA^d_eufde7;d|OCrKdnaM>4(M%4<dMy
z`?Qi<9Ebh#nVT{&VVFv66RU??kcC8}u+l^~F(m>V`PxpCJc~UhEuddx9)@)9qe_|i
z)0EA%&P@_&9&o#9eqZCUCbh?`j!zgih5sJ%c4(7_#|Xt#r7MVL&Q+^PQEg3MBW;4T
zG^4-*<N;_j_KF=#ltp<I^9_IU8#T_ulQ_w;P&0IS=TATWkvf^^ks|nDnb@T^ShFUW
ztuyr~q)6&!?68RQ-V8G+#+EoOhWE-6A7rk5HfHxAG?Sknf`kY=i0}11&e`cz`MCO{
zQd*rofIJ{OtoMr$=gf?H!$EPT16>8L%s|A}R%*eGdx&i}B1He(mLygTmIAc^G(9Si
zK7e{Ngoq>r-r-zhyyg<ieAPsqNv@SQwQ@xsNn5Vw2I}E18CcU&C?((>K)*9cj8_%g
z)`>ANlipCdzw(raeqP-+ldhy<kGNs8`S#*G-e>Uv_VOht+!w*>Sh+Z7(7(l=9~_Vk
ztsM|g1xW`?)?|@m2jyAgC_IB`Mtz(O`mwgP15`lPb2V+VihV#29>y=H6ujE#rdnK`
zH`EaHzABs~teIrh`ScxMz}FC**_Ii?^EbL(n90b(F0r0PMQ70UkL}tv;*4~bKCiYm
zqngRuGy`^c_*M6{*_~%7FmOMquOEZXAg1^kM`)0ZrFqgC>C%R<qRBgHG)$UB@XBA@
zshx3_1QSr};A7TJ_s8FNBrzB>JvQSo_OAA(WF3{euE}GaeA?tu5kF@#62mM$a051I
zNhE>u>!gFE8g#Jj95BqHQS%|>DOj71MZ?EYfM+MiJcX?>*}vKfGaBfQFZ3f^Q-R1#
znhyK1*RvO@nHb|^i4Ep_0s{lZwCNa;Ix<{E5cUReguJf+72QRZIc%`9-Vy)D<o;c>
zWKhb?FbluyDTgT^naN%l2|rm}oO6D0=3kfXO2L{tqj(kDqjbl(pYz9DykeZlk4iW5
zER`)vqJxx(NOa;so@buE!389-YLbEi@6rZG0#GBsC+Z0fzT6+d7deYVU;dy!rPXiE
zmu73@Jr&~K{-9MVQD}&`)e>yLNWr>Yh8CXae9XqfvVQ&eC_;#zpoaMxZ0GpZz7xjx
z`t_Q-F?u=vr<JfY4KbWG<xAz}usjoo`>RPaj3r<9&t6K=+egimiJ8D4gh-rUYvaVy
zG($v+3zk5sMuOhjxkH7bQ}(5{PD3Mg?!@8PkK&w>n7tO8FmAmoF30_#^B~c(Q_`4L
zYWOoDVSnK|1=p{+@`Fk^Qb81Xf89_S`RSTzv(a4ID%71nll%{Wad$!CKfeTKkyC?n
zCkMKHU#*nz_(tO$M)UP&Zf<GNy8?Xs8hUzIu0nqFC9@Ka{&R$vXnbN*?hR?iwv-x*
zPrH;>J#*q(0Gr!E(l5(ce<3xut+_i8XrK8?Xr7_oeHz(bZ?~8q5q~$Rah{5@@7SMN
zx9PnJ-5?^xeW2m?yC_7A#<rjP_en{9P5bFL68vgKu`Lv^loBE5&?9+BtYGMUT06bd
zXEt*_Sdl_o?{!kSnxeJB_xVtFwR-bF`2MlsSO1bZtN)M(j%)mHVUj4b&G~L_`|PNv
zb05EL`!%-lV_>WK*B@oIy*Y@iC1n7lYKj&m7vV;KP4TVll=II)$39dOJ^czLRU>L>
z68P*PFMN+WXxdAu=Hyt3g$l(GTeTVOZYw3KY|W0Fk-$S_`@9`K=60)bEy?Z%tT+Iq
z7f>%M9P)FGg3EY$ood+v<G?d-tNS5y+I=S1dlJZvs-NC{^w-&Jr{gfwR>$pdsXvG?
zd2q3abeu-}LfAQWY@=*+#`CX8RChoA`=1!hS1x5dOF)rGjX4KFg!iPHZE2E=rv|A}
zro(8h38LLFljl^>?nJkc+wdY&MOOlVa@6>vBki#gKhNVv+%Add{g6#-@Z$k*ps}0Y
zQ=8$)+Nm||)mVz^aa4b-Vpg=1daRaOU)8@BY4j<Xy)*mrZf+Eqj^RX06GbC^vLKT|
zpteFBLq#626+?=M@k2|V@k{2aN?cRlCum?`TP_u}%3Y{AVZHbKwm{q2d`D~XsJSyD
zl=xk@5@i0e1=0fu$jfj1+lTA1h#%78*$MuUCU^B9>S>=5n#6abG@(F2`=k-eQ9@u#
zxfNFHv=z2w@{p1dzSOgHokX1AUGT0DY4jQI@YMw)EWQ~q5wmR$KQ}Y;(HPMSQCwzu
zdli|G?bj(>++CP)yQ4s6YfpDc3KqPmquQSxg%*EnTWumWugbDW5ef%8j-rT#3rJu?
z)5n;4b2c*;2LIW%LmvUu6t1~di~}0&Svy}QX#ER|hDFZwl!~zUP&}B1o<!gKVHBj1
z!0%hK_{Iy`*BgY<Qck8#<-rH4Lg1;Qj-hq2OvPXM$(Gkmg`0T7B6Gm*>KAxIzt~so
zb!GaJYOb#&qRUjEI1xe_`@<o~iP+Rf(GIMHq*yg6%vf7Mu<-aQ)$}%3o$R+x;;~W%
zCQ~RFyB5g)F1k-t!#^TN>7qv_-LggQ$JE8+{ryT4%ldwC5ete+{G3C#g@^oxfY3#F
zcLlj(l2G8>tC<5XWV|6_DZQZ7ow?MD8EZ9mM2oV~WoV-uoExmbwpzc6eMV}%J_{3l
zW(4t2a-o}XRlU|NSiYn!*nR(Sc>*@TuU*(S77gfCi7+WR%2b;4#RiyxWR3(u5BIdf
zo@#g4wQjtG3T$PqdX$2z8Zi|QP~I^*9iC+(!;?qkyk&Q7v>DLJGjS44q|%yBz}}>i
z&Ve%^6>xY<=Pi9WlwpWB%K10Iz`*#gS^YqMeV9$4qFchMFO}(%y}xs2Hn_E}s4=*3
z+lAeCKtS}9E{l(P=PBI;rsYVG-gw}-_x;KwUefIB@V%RLA&}WU2XCL_?hZHoR<7ED
zY}4#P_MmX(_G_lqfp=+iX|!*)RdLCr-1w`4rB_@bI&<E#m-6fJX?!@HMojcz?@FV(
zEwb`K9p)6DH8Vt-HX;X2^%28zP(BOT@+<+Oy5Uv8eD=4p<t0n4?tw(5<&#sr?h6zV
z!&Zb?gM&8<%??jXTdmMb1(#@6)m(rk*#aUo^iqOs4-#{`NA;|yExPzdS?_q~O>Uz#
z!>9C3&LdoB$r+O#n);WTPi;V52OhNeKfW6_NLn<EDp2Lr=qOaId}Ifx9lEG?H#PEN
zbI74Vx*PNK+cvB53_AWmzs=zCb5!9-mCcW#<QbIdOJM|=ASw5QpF+P}oobETGwNf<
z0{kapJo<fgf(@=YJA0C%pNqB2CMVFcToi3AV3#1!n@Z&vX@98&`Sz6*SUYY~uWq>w
zpFTuLC^@aPy~ZGUPZr;)=-p|b$-R8htO)JXy{ecE5a|b{{&0O%H2rN&9(VHxmvNly
zbY?sVk}@^{aw)%#J}|UW=ucLWs%%j)^n7S%8D1Woi$UT}VuU6@Sd6zc2+t_2IMBxd
zb4R#ykMr8s5gKy=v+opw6;4R&&46$V+OOpDZwp3iR0Osqpjx))joB*iX+diVl?E~Q
zc|$qmb#T#7Kcal042LUNAoPTPUxF-iGFw>ZFnUqU@y$&s8%h-HGD`EoNBbe#S>Y-4
zlkeAP>6<Z7QQ9XL^<-l?vhbA^VVM{w_AGyBxGo2D4xc6Tl~BnC{PHYDLP{4>2k~-N
zHQqXXyN6<L3Gg$i2mMBKaSbx<i~TEhvQ{`W#&P&}*M*bY-+RuxoiU+jyjZtu*2#d`
z4;V{mY|5$$TfD^8s7AA{v{=Q~S8RRnPkT2vB+qp-b$~mY>7hGD6CxQIq_zoepU&j0
zYO&}<4cS^2sp!;5))(aAD!KmUED#QGr48DVlwbyft31WlS2yU<1>#VMp?>D1BCFfB
z_JJ-kxTB{OLI}5XcPHXUo}x~->VP%of!G_N-(3Snvq`*gX3u0GR&}*fFwHo3-vIw0
zeiWskq3ZT9hTg^je{sC^@+z<IC+@jyb5}hL&*c9&Uv=C+8r5MFr<BeiUxikY7v-2j
z#^Wp1Woo#;-OnJd6+u?>3FAd}KNhbpE5RO+lsLgv$;1igG7pRwI|;BO7o($2>mS(E
z$CO@qYf5i=Zh6-xB=U8@mR7Yjk%OUp;_MMBfe_v1A(Hqk6!D})x%JNl838^ZA13Xu
zz}LyD@X2;5o1P61Rc$%jcUnJ>`;6r{h5yrEbnbM$$ntA@P2IS1PyW^RyG0$S2tUlh
z8?E(McS?7}X3n<sX7)_F=$tGzECOdx`5F$56$H6$2HeHDocU>AAJs2u_n{^05)*D7
zW{Y>o99!I9&KQdzgtG(k@BT|J*;{Pt*b|?A_})e98pXCbMWbhBZ$t&YbNQOwN^=F)
z_yIb_az2Pyya2530n@Y@<KMNVgC+@Hh^eD5>s>s>n?L79;U-O9oPY$==~f1gXro5Y
z*3~JaenSl_I}1*&dpYD?i8s<7w%~sEojqq~iFnaYyLgM#so%_ZZ^WTV0`R*H@{m2+
zja4MX^|#>xS9YQo{@F1I)!%<Q9x6E+JCnjAm>RhM{4ZUapHTKgLZLcn$ehRq(emb8
z9<w{<)uy~=x}G;ZX+CDl#T7`~iRBx5XO`@><&Nx*RLcS#)SdTxcURrJhxPM2IBP%I
zf1bWu&uRf{60-?Gclb5(IFI*!%tU*7d`i!l@>TaHzYQqH4_Y*6!Wy0d-B#Lz7Rg3l
zqKsvXUk9@6iKV6#!bDy5n&j9MYpcKm!vG7z*2&4G*Yl}iccl*@WqKZWQSJCgQSj+d
ze&}E1mAs^hP}>`{BJ6lv<q%AGiq()8hz}1^1ex;^<jj#cc=g{s#0iIU-+2jVmxWDS
zd7qq)5u4+Paaui>*>0-ft<;P@`u&VFI~P3qRtufE11+|#Y6|RJccqo27Wzr}Tp|DH
z`G4^v)_8}R24X3}=6X&@Uqu;hKEQV^-)VKnBzI*|Iskecw~l?+R|WKO*~(1LrpdJ?
z0!JKnCe<|m*WR>m+Qm+NKNH<_ye<gDWD0Fl@Ho4<!fm=u&SGgDO!cbo+8PUwfWk+V
z)@b~#GtD0d4#K=39kiev5hj=8h(Nljd<HunOw<O@9z?#m(rb)ZnCBDPu~!uM>fIml
z+x32qzkNRrhR^IhT#yCiYU{3oq196nC3ePkB)f%7X1G^Ibog$ZnYu4(HyHUiFB`6x
zo$ty-8pknmO|B9|(5TzoHG|%><C<pr4&IxzPg{!KcQqRSE~Tvrur~GxUa*ce)ipeE
zWgS=NE-mtVKb)JH#~V9~Hf<heFWK%N<`blD%sTD$A|XGR=J%4vWJQ9B3q;($v$3~e
zpgG#}?8+2jU@b$OcWYMF>s#7)CM(i=M7Nl=@GyDi-*ng6ahK(&-_4h(lyUN-oOa$`
zo+P;<GhFDlQ-b}GJ)A97b8DT!@21D?+G`33xflj&^Ajw)WxefL*Yy?uny35myNvN;
zJu2^EIk(I5BXd2N-yKn?<jAHF(>C4d@m^p9J4c~rbi$rq9nhGxayFjhg+Rqa{l#`Y
z!(P6K7fK3T;y!VZhGiC#)|pl$QX?a)a9$(4l(usVSH>2&5pIu5ALn*CqBt)9$yAl;
z-{fOmgu><7Y<XFolPQk)mb~-4Wz2OqAihGXbfUWv<O@$JoEd1wcAoD{S1ZgFTS^!t
z+_d^VD?_*`AXb~e&yM8k-n#rSNZe`F1hkVx1o46tWKB^*u4Iztzf9jS`;huL0efN_
zw(C5^O4iFb>J5k>*0Q~>lq72!XFX6P5Z{vW&zLsraKq5H%Z26}$OKDMv=sim;K<Yz
zr-(K#w$yhGyI)R05r<FcNBPUs!f8{%L|!+M;WNfIk0#<kNVlmop1dan3IH7GPG0zR
zbu5#oKma)07cl(sMbhFbgIx|mM?)DnP$;1oA~OW0kph!a5>?vsoVs(JNbgTU8-M%+
zN(+7Xl}`BDl=KDkUHM9fLlV)gN&PqbyX)$86!Wv!y+r*~kAyjFUKPDWL3A)m$@ir9
zjJ;uQV9#3$*`Dqo1Cy5*;^8DQcid^Td=CivAP+D;gl4b7*xa9IQ-R|lY5tIpiM~9-
z%Hm9*vDV@_1FfiR|Kqh_5Ml0sm?abD>@peo(cnhiSWs$uy&$RYcd+m`6%X9<SS+iH
zB{MTIilfs+m}FIm`WFe<b<`1NL(_5%pWxy`61V?hXOmI!N62_Zv-n^jPyCieqxTv3
zu0_=zb8f!dMp?R&UxGJe1qNBBRLXVmj-(R6+9rkXoo6CT-@FKe>FN%?<F{pFRdeJu
z{9WJNuwr(Se^zX7t-vqF<$J*yv&MnYO_uaKBS^eIab7YX1r1^(=OyZJp!PzX%0e7b
zeEpxGl+qFvtIR-KD}KZT9sfArU;dGM3-23I#q69NU-%A?w~!T{F+*-_Lil`8wsSSR
zeW-s?xK)R5p&SHb*TI!J314$wOF*NT7qT*&*Og`^+jXq)LaOJ8#&*`Gy)1X0+KiH$
zU-5JNg0Goq-9^C#_ZqHXSIP}b7@(P=L?LSJk~7{IhyH9xAy{$zEDuPUgJ_RJae#PE
zOqO-BK*KnjogIL_)Jz3RACJUY?ZEW~+1H$~{2k_o%Y(uIH3R6z`K|NdGL!=5lV$Vc
z*(&fGI7OherXM4x!s0w3{b4Ax#6<l}lTU2>w}s~Q=3!pJzbN~iJ}bbM*PPi@!E0eN
zhKcuT=kAsz8TQo76CMO+FW#hr6da({mqpGK2K4T|xv9SNIXZ}a=4_K5pbz1HE6T}9
zbApW~m0C`q)S^F}B9Kw5!eT)Bj_h9vlCX8%VRvMOg8PJ*>PU>%yt-hyGOhjg<ke2;
z7Th2%k_wZpW!A{?Dn2nLFJ4=lqYa4jV<d3;8-+Dg@?%0IvOWsDfrv_`J~>!2pZR4{
z=VR_*?Hw|aai##~+^H>3p$W@6Zi`o4^iO2Iy=FPdEAI58Ebc~*%1#sh8KzUKOVHs(
z<3$LMSCFP|!>fmF^oESZR|c|2JI3|gucuLq4R(||_!8L@gHU8hUQZKn2S#z@EVf3?
zTroZd&}JK(mJLe>#x8xL)jfx$6`okcHP?8i%dW?F%nZh=VJ)32CmY;^y5C1^?V0;M
z<3!e8GZcPej-h&-Osc>6PU2f4x=XhA*<_K*D6U6R)4xbEx~{3*ldB#N+7QEXD^v=I
z+i^L+V7_2ld}O2b-(#bmv*PyZI4|U#<t4E{c3+Oa>Q5|22a(-VLOTZc3!9ns1RI-?
zA<~h|tPH0y*bO1#EMrsWN>4yJM7vq<?d%8sAQUGrndP7J-=xw$nCMSpe7!xoUBNp3
zGTsNoHNSmE+wi-t?Vjri@)nrwy)cL`f%zSrKknks+ReH>FZr?uw$H8*P<CaW^*(*P
zrk<ZDEOj-RoW=I>hiHRQg1U9YoscX-G|gck+SSRX<zu*#%uOZJ$&`iwbI4f^EJ9pa
z@T8p1=V0x-K77AYupaOqRJ8Y8`CFqe-OG4O?Pk+3)K=lIg7Aj+5B{LP8{|uD9bb*L
z=JkjZ*a>!(e7@~eeUEw+POsT;=W9J&=EV`cUc{PIg_#TQVGnZsQbCs7#Q-)<h~+VJ
z%O_$A%X$-T2gv^1iV6X%A*e(F(fO?hnMA3<=C!;L;mUog>v#BicxLw#Fb?#)8TYbu
zN)5R=MI1i7FHhF|X}xEl=sW~`-kf;fOR^h1yjthSw?%#F{HqrY2$q>7!nbw~nZ8q9
z<TlAz0DCai`eopoTgUXKr$&x3a%Yszt2{+eo;=r&?LuF;Zj%RNLHAg=LM|in10Rm2
zxd6;k(nHtRPkOmYqHW7fNcCybHEd(KrX46#z77Z9Q1dkPl|2ZTAjBY-ol(B)e&98T
zgr-$?X`Ytyy13^aY2fa`@Y1*X*i2)xR`@;KF^;++G5hoP)3auvu~w3;5+L|E0eJ^s
zgZRj(m;s_<P67c5tRN5r2qBB}z`g`y!oX~V8oXD2oDd8#khWZ&toq|9@%NQ>h{vY!
z<QL?e6`jG`+hK%nypIRco?pA%s6+zYx(b~=Fi(E95-40VeV5w!L2#*>%i=H!!P&wh
z7_E%pB7l5)*VU>_O-S~d5Z!+;f{pQ4e86*&);?G<9*Q$J<tS(vm9lEGpTY@s(2ek+
z8c`{)@2$sFJY{r$73(<V2UKiNm)(n(&DNp1&6b1{q_xZVGIdKSwV*O`Z3q;#cCe`U
zk~C47tS5LEB&@mN%p)_=XY@OEf&MPgH{St5oHz7A*3o-mSC#2S@XC^m@?vD0WoA3+
z%jkw-8_?@Gk~M`p*@7Cp@q?r=ifcr#f5J(+ee*SCy-59!ceTk_CH8c7hwjNA;pzKD
zr8zf+A(f>EJ!ZxY;Oj5&@^eg0Zs!iLCAR`2K?MSFzjX;kHD6)^`&=EZOIdW>L#O`J
z<!j^{WZ{m%sbn?E@W3)ou>f~$M4}JiV}v6B-e{NUBGF<D@nTna4Fj(s(L&KkX*F3!
zglkC}q4NM*a2HP+ijp5<SToUO6J4Q%w}VEJFwp|MQ|{cP2x=Zt1r&nh4>gj-*H%NG
zfY0X(@|S8?V)drF;2OQcpDl2LV=~=%gGx?_$fbSsi@%J~taHcMTLLpjNF8FkjnjyM
zW;4sSf6RHaa~LijL#EJ0W2m!BmQP(f=%Km_N@hsBFw%q#7{Er?y1V~UEPEih87B`~
zv$jE%>Ug9&=o+sZVZL7^+sp)PSrS;ZIJac4S-M>#V;T--4FXZ*>CI7w%583<{>tb6
zOZ8gZ#B0jplyTbzto2VOs)s9U%trre`m=RlKf{I_Nwdxn(xNG%zaVNurEYiMV3*g|
z``3;{j7`UyfFrjlEbIJN{0db|r>|LA@=vX9CHFZYiexnkn$b%8Rvw0TZOQIXa;oTI
zv@j;ZP+#~|!J(aBz9S{wL7W%Dr1H)G-XUNt9-lP?ijJ-XEj1e*CI~-Xz@4(Xg;UoG
z{uzBf-U+(SHe}6oG%;A*93Zb=oE>uTb^%qsL>|bQf?7_6=KIiPU`I|r;YcZ!YG7y~
zQu@UldAwz$^|uoz3mz1;An-WVBtefSh-pv<`n&TU3oM!hrEI?l@v8A4#^$4t&~T32
zl*J=1q~h+60sNc43>0aVvhzyfjshgPYZoQ(<inR$cERK&%N~SSiy;WaiBTgdl;Bz@
zMx7h{4w6)@f3=XUfD<5b*Di$-gK~XeKu8qdfa(KL$OL~#uI0n&gFVreVt1RX*+{5+
z#8$4WWjNT2me=PpYKo4u#73>OOh>LbUIoblb@1z~zp?))n?^)q6WGuDh}gMUaA9|X
z3qq-XlcNl<s-dSKro}45AbD<^IA@6tvSaLv-;sRc5uLj-i(AB^*}0)lznJ6A48b01
zt^mDP9!TqxILrO*cRjO@t^fSYOWb`|vQ*V4*6V-Ii_hT$&15AhsiGo@jvJCCnY0);
z)Gbzh<7K3LRm`L**mLt1MLc+MqqaWkz{2JV0hUf-(7U6vlP$%@`2fR-Dt+r$66q)X
zh2sR=$#8zbejz`}<A~Y#k!TUpiD??3amyj(E}M)o)o#H-j|LmgBHBXsF9$ok?Wh84
zoxjF*=Hw;;!?a%bcJVG|FBP7@_uu_xpir_`+UDHcZX;}|^THjvjdPRUJ+HO3O$%_*
zsal`RIk@07Cuvh)iE1gNnn7n}$9q`Da-o@9CupmsX{@4y;aIQ1WV^7X(Rcx&McA%o
zqa*mh{MZ+m6i(RP#X)4DdX;+iKAzev_!HbYetk>dy5==T4rq*~g@XVY!9sYZjo#R7
zr{n)r5^S{9+$+8l7IVB*3_k5%-TBY@C%`P@&tZf>82sm#nfw7L%92>nN$663yW!yt
zhS>EfLcE_Z)gv-Y^<SaxB6gHmR|E)iyYeg|g|R}ujv8tMcq*gC>h1;xj(<<JyurkO
zku;yk5>4nD4GY{C-nWUgQc9cMmH{qpa!uEznrGF^?bbJHApScQ$j>$JZHAX80DdXu
z--AMgrA0$Otdd#N9#!cg2Z~N8&lj1d+wDh+^ZObWJ$J)_h(&2#msu>q0B$DEERy{1
zCJN{7M@%#E@8pda`@u!v@{gcT3bA*>g*xYLXlbb&o@1vX*x+l}Voys6o~^_7>#GB|
z*r!R%kA9k%J`?m>1tMHB9x$ZRe0$r~ui<kO`4q0h1q9yWTy1Vw;6%l{l&HBbZk8-0
z4ijBu+y@{d)|{@F;ZFKw{xPkg5F+CDU-3fF>}X}jOC)9LH=Po*2SLdtf3^4?VKn<h
zHzQbKiZ9a#y^bZOa6n&Wk$r`rPcR^1TWQZWl`R8PvM?r?^F}g*>u2ox&mV~0oDgi`
z;9d}P$g~9%ThTK8s}5o<m&w0gVXSc39p)SfaC_U5P2<JPm~s|o1ZFngBTt(DrBI%x
z4kDX}YqUJKdxxsso$;8{1MQ;f+HD&9TGSGCQS)Y9GN_l)t8XY5-si=Gs(k<5;!fvW
zxE8*OW}N`jlcqPjb~+szeAOl~e_-nyQAfun)m7Qku$%99s}G7SNoRK-D2Tt?3bf7l
z_f&iauzO~DnLmd4z7qW{*#v(VPN`62cvfV3MGioX->w2V4?(-lU*ed8ro|}mU}pk%
z;bqB0bx3AOk<0Joeh}Vl@_7Po&C`Cg>>gff>e<EyzTH_%h@VP9GTpHG^0d?A+RMpT
z+TYf8aiHmG?aSY>7fu41U3Ic{JQu1W%+!Gvz3GDO2ixKd;KF6UEw8F_cDAh08gB>@
zaRH2Q96sBJ>`4aXvrF0xPtI<C%^cGg^K!B-fX;2xnF2UCh5PH@z5cKKOHR==RLnzf
zSmET?(5QuFJxq~ag0rPdFM7)-DQc6Kkb_;fb-^S9@$f%6aPJ=U;g7Zr?Ox#q(-JyY
zKvu&Cw@3?z3?xc$8o*T2<9qK!(D=t1JD`+Ta(zAy-y-Frq_L?(ciWSU*N3cXEeC5N
zwIavKBghMD()mO&Qc6^H#jRYCBJ}jZ#?v?4($m6CK2G!{)QNVBe9)sd3#Jc(VH2H^
z=FWxE%(d%&VjzHKBh>WoA1pPsRQtU~xDtnEfTJnl{A9u5pR^K8=UdNq%T8F$)FbN>
zgK+_(BF#D>R>kK!M#OT~=@@}3yAYqm33?{Bv?2iBr|-aRK0@uapzuXI)wE0=R@m^7
zQ`wLBn(M*wg!mgmQT1d!@3<2z>~rmDW)KG0*B4>_R6LjiI0^9QT8gtDDT|Lclxppm
z+OeL6H3QpearJAB%1ellZ6d*)wBQ(hPbE=%?y6i^uf%`RXm*JW*WQ%>&J+=V(=qf{
zri~yItvTZbII+7S0>4Q0U9@>HnMP$X>8TqAfD(vAh};2P{QK)ik`a6$W$n<S7xQ?o
z_{n4xoeaH~jS^3HDy+veci7_+aLh^-n?E!YG6S#O$LPEC_>G<{bR2U<qLrkRpb!v0
z%U*eD$^H(<WG-@VF0k%r-g68(2_6$K`r1T6sUwW?8=<u8q_-5ITGbK36tV>fd!^iE
z#1K58$gW!xpeYHeehuhQCXZ9p%N8m<Fx1W4{1&odf~Dg9N*_P3FP{`cbE*_n{Eco>
zB+l~T_u-Ycr!U><XH<{<R0eR`Jn1$qaE<CV>!?xu!!*6rNxq37{`DhMMfY6NpD3Jw
zkYQDstvt30Hc_SaZuuMP2YrdW@HsPMbf^Y9lI<9$bnMil2X7`Ba-DGLbzgqP>mxwe
zf1&JkDH54D3nLar2KjJ3z`*R+rUABq4;>>4Kjc2i<Dy@)!kC&Aw;NA8e)mD}M7}y*
zi5fe;hrp`ef1|wy(>QEj7pVLcZYZ~pteAG4rm1{><Ecc%k1Tki@ADmF<}mEh$<1ax
zS8dQ&w8<!Cd38+}XJ1#f6|D`7AJ6+Fsr$rBs%wDxJx&tw*&5k&wN_-uj!ur;28wi0
zO+Qvl)mUZbXZm|~oa;LAHy_>PQy<rI@3u-En9*i_l~-?$0z#b@Vco$oFcZc}d3oKO
zD*z%H@Hm`{0l9tDx7KHebXBjGPA%mTPf<pnOy#m~KL9BjL-WcR=L#f{u~T2e78Ilg
z(JT)-B~I|YWyGa#aWq+mx~dt<5RI9)@9nr`in)T{m4a6g9DZqFJ{0ZDQ&w4XPvcfW
z)Zgnax(EnBgW0T@l}fNuwENi8sV_h5iwfdBoer10OP+L`!QRkj>=!QiV5G|tVk)53
zP?Azw+N)Yq3zZ`dW7Q9Bq@Y*jSK0<1f`HM;_>GH57pf_S%Ounz_yhTY8lplQSM`xx
zU{r-Deqs+*I~sLI$Oq`>i`J1kJ(+yNOYy$<j89}LeB{DsRRYsqux%gkK#X#@e^U8%
z#M!7}cTMHu<FLh@jarvDc8P_@QfzNdoQi_n+%?2AM>_>R3Jfi680<|^u#J@aY%Q>O
zqfI~sCbk#3--^zMkV&Yj0D(R^rK}+_npgPr_4^kYuG=pO%$C_7v{s@<a9Q#wuB)t?
z#;9BrH!k(Q*;IUj?T<*@HX2{0em!6debb4D8+OTu+|0s%`KdJcokszE{b|_{ztw|2
zP8WR(1+AaeXov%C!=7CsT*LuDx^}pAS;||)2N$TDO}r&-q#K7;nWjNxk~onpjleeK
zUPThfcj0^+;uf%68trL0i1;=y3B3G^4+!l>-{M-P@RL3^<`kO@b=YdKMuccfO1ZW#
zeRYE%D~CMAgPlo?T!O6?b|pOZv{iMWb;sN=jF%=?$Iz_5zH?K;aFGU^8l7u%zHgiy
z%)~y|k;Es-7YX69AMj^epGX#&^c@pp+lc}kKc`5CjPN4Z$$e58$Yn*J?81%`0~A)D
zPg-db*pj-t4-G9>ImW4IMi*v#9z^9V<wSEy0;H<_ip{R`3n$&`z?qY&+x1%E`|f!X
zF^6qcbMj~^Y|&mU__An*YVWv%D)nfhgB<CJl`_02TU%zkuVLq-ifv^5t4@48WjUK6
z<1pI%d1Hq!eHx}*)cFId$Vc5Z{|e7mEOmtuWJf&C8D27?iS2&%o3DCSW(Dy{q!vBU
z<@J%bdvlGuCbxSa3MmV6=PD4kiAVQdnmr=bOicK#q7Xa-!xi^j8Y6rBUZPWqHJ^kK
zO^AmTc89bc5I+T$XZ64^_c1Pnu-4Kq8TW>D9h@9t;3jMAUVxt=oor+16yHf{lT|G4
zya6{4#BxFw!!~UTRwXXawKU4iz$$GMY6=Z8VM{2@0{=5A0+A#p6$aT3ubRyWMWPq9
zCEH5(Il0v4e4=Yxg(tDglfYAy!UpC>&^4=x7#6_S&Ktds)a8^`^tp6RnRd{KImB^o
z2n=t#>iKx<*evmvoE{+fH#@WXGWs$)Uxr<sPjul^54Bff9y%ZVHz+5}qAbDf+|fnm
zNd{_kS$6bt11Qz5?-m)?lU>tf?r>AaxV0?kf0o@oDboJ6z0cgP@A$;k>SK1UqC?Q_
zk_I?j74;}uNXhOf_5ZxQSgB4otDEb9JJrX1kq`-o%T>g%M5~xXf!2_4P~K64tKgXq
z&KHZ0@!cPvUJG<f9>4kw-0;tPo$zJrU-Nop>Uo65Pm|yaNvKjhi7V1g98;^N1~V3%
zTR>yWa+X2FJ_wpPwz3i^6AGwOa_VMS-&`*KoKgF2&oR10Jn6{!pvVG@n=Jk@vjNuY
zL~P7aDGhg~O9G^!bHi$8?G9v9Gp0cmekYkK;(q=47;~gI>h-kx-c<vM%*#w&fX{!h
zF%L>eM{ml$#8KI$4ltyja<rI2qq{$AR1|U_tFD)9Y-d_jShjldAw-)(k${x89fc)V
z^uj$O=9MXT2cL+;^v%uZ%TIiT&+A8q@<LEWivxLuc7cEhkMJup7#M4iRHWn;gs)|%
z*`|SUEl(kbPZ=F^TZ)n%ySX6erWcgVc`2wiVw2VTP%;PP;UMWPi0k}AaIl!DD+>qP
zki^cyDERloAb)dcDBU4na9C(pfD{P@eBGA}0|Rb)p{ISqi60=^FUEdF!ok{Gs;vb)
zfj9(#1QA64w*ud^Y<WE?99td@r;1MVEDo>sN5&PeiI>c`VioE8h)e}W%S9NMA55Gs
zrWL6l+@3CKd@8(UQLTwe12SGWMqRn+j)QZRj*g)Xua)%ayzpqs{pD(WWESJYL3{M$
z%qkpM`jFoqLYVv6{IbCkL?fEiJj$VG=$taup&RL9e{s(Sgse2xVJlw0h74EXJKt<N
zv_^nt|CWo1^pEn7x}Dzrxu#9#iylF>2<mjN(C1_G037wJ*c!9$6Ya%e(y$WXL!EqA
z8HVt{2cY#I$^(s5lIv2_V)0(hY4lKgWN5U}$n%K8Jg_QsDR2~!MLCfAxETJK@puD+
zRpJ+#PBP2wu|C*%vKJ>eX|dx<CQ&quy2)IJEnV9z;^O>z{->0)3W`JN7Bv!rLvRZc
z0tAOZ2yVe4g9iq826qXAg`f!*+}(o1;1FDb>kKexumFS40KvK0yH1_@Z=LgWZ+}(Y
zwYsa;OLz6tTA%gS=>8$=Z7pLh>|K2QElL)E=Q*(n*H`8R`8={-@4mTD-SWBOYRxV?
zmF(-rJB8^Wlp?319rTrh^?QEP?|Msxrv?WbJ-+id+V#F2Y4(JPJ6U9bv+U1cIIH^W
z)lg$_=g^Ma>2~Pyd_YOAv29Cb-U6DJO?NxnW7~QP*SmYi*vdUVuW#LWQ_u0`hymZi
zaQS3Nb^4`ro$>0G%zbXmr5|D|iq0R<;S@?kr0j5Ruq87-Z1>crx%EzVZ9#U;{?}ti
zW2W%*9MQg3Nbh%Ti6LhDd|-aFSgXoPG`mHlUU1iCHr>ru>DX?W_#13(`u*!Plu2OP
z6jk=2>BC0l)aw<WV`x+C!_sw{a5i*Q67F^#P-aA<I@z6VbJW-5&rwZfvvRk3_cA8b
z-o}<6m7#V@uDa<CVdlJ4d|5@tUf!yN<DjY-Ylj}w8VTHcITO{giPiM2=!{`C)-kgy
z4M#`;s$Hx(F&Ry_6@hE&#+WZxZsYohII;=<B$l#U>;HCmxoYD1i4b%m$1`DYC_^L~
zIEAnFcHvad=-aO3(_MI=9#`z6-9*_!&$?<%meb5;jG<wc(D1r`!k7AFaq^l6-TVCr
zn@T;NWtk;qx(I~IDg2;{VNza#Y9hnvC&&D^iJtYTc_&lLexMB!uC87mR>d5Qp=MGf
z6BD{%`L#TAOq%z%@*ib95Ey7NbUF=BlszVk3Iu3imD&*91N-ij%hW?W@~2TtdHTfP
z#n0@Xd7X8Dyu36n{k#PwQ~T~X7mAO^cNV+z<<Rr{6qP*fL{*O`It}aSc#<7ICz`zH
zfdvuUP1@TR@FL!bPH1@um7aB~aO<rmJ%*b)*b*mqm<2+)la8vi-b#-P?L4aM?FRQw
z!SL2{$6_lC;MwX~JFGU~u@(2B?<Z2dhI@qhN$Or_U*}$DGND-zz*x~AawYee{HE;I
zGAb(xm0Nq$##BQLFEgd@aqT*NJhB}}du8b8cj%ob49sgx?Oi-i5sJpioR>HO@3X-#
z_@rAn$k~(l@kciCC;&Qd*fWRI>=;fL{UPlciNDWyj$bX<#r^(r;EE8wwUVQm&7~QY
zCXRj!**r^xybAEPq>h3W$uvI1j=yNIyzkE_D7fpGw)OV{U*Uwm{xB;mEg2(|y|ICd
zMdQVqzMb-=XM6|E-a9kNh)^9lY`-DjhhHD1w5lufRcy+QLgJ47!fFn<KQi>e86#F;
zX{ufroVBEZJOY?rDo!;Te6aOZ^1SO!dYRxQ*2njyA~dCWawn)>!*k7~>8Ikt<J9hI
zLTxVl%^kbxFjaJKz4UwX+jy29ohPH6;RO0%T`A|oSHWhqWuNJ8tYd1Xp}S%w!~<wT
zHSeF;1&d?WDhsdZgTM&TfZ@=Pp`{?gU%*=Eo2o<UfasbP*Vgmv1Y;j}@b2Fxb@=4D
zWq$ckb3BOYn%N0MW}!64?YGvuPD`}=WgRB1BPo(kSV>&e*0>>V5ZbO|*1+2LFOqVe
zXHb!aMk03^h%&9L8GMy7UDI2Kev>V@(R}*Iu6x+!Hn4~D@wj`P%#Hdbf(lK{+DD7f
zJ&(v*mhn_e(R$^5L#bM^^Q@-!*b!l|+Xrb(q*MRFJYnrE7*xko!SJOy9LngR2|q5k
zY`Ioiu+YBfzF{Labszk-E#*BYQk>$()=xWEGZRKwY)*UxP}0dGuPLZOk<u~1pRF`m
zxYnI*6_BmyuVfiETJ#r=!}C__TJ(hS&_}hqJq6T(xXbQJ?{M?GH1d;1)n-8$1pDWw
zJw5OAAMQDHK*ksFYeeo`fz$TbpGy<)Wsk%<#FfYFVTT9*sy=H-wkS^x;7&PL{erf!
zzf{M*8sv9&hkoBZuv}-Nb}O!f7}9<9ZL1vRNUZ5T^4kV6WRoRqMQo_+AH>NJDI9Hy
zFjfwiK6RjhH#rHW#B0(MW}i%V`943<6@Z*Nd^JEP5uZonXm=u%AM>{H^U@&Jy*i0s
za_Da^xI6pMtXzHc{e~_ZcnKP*;=YL2Z^RmzDl{dJTk7*}E_h*NvgnhnxVKB59Duh~
zqouS_WoOR*{UvUw_K#OWz;gMracr%8>QQ&V*jv!8)ho;U8}9~8EU{N<=Z_gR%IpMT
zbkePUG_a<Uo93~%MM1nso9|UdE|j>fm=#|iIfFmdqkpLMGxY5D$`?I}&T7>TexU@v
zkBx09kG)O;09ckj#(_Uov6vv{{HOcr-%H#DUQ@*GzF8Zh{iSM13%fuB%>wjdU@3Nf
zlnYE!GTyNrqes|;nLFXfWU*Wg-9wmr=NBd$nCk+H?iwNvcd0Wab^3CT9a`>3V~oWI
z9=<ivyrYLX+hLVmYbCVC7nx>_H+N-Q=M<NIna#%7G#cG5P!5#|H6`sbgz{jBdvfcF
z%F@i>Q(io4u4mpdQ;k&5FXnKV5M7R`@WJ9h(GrAirO#XXOU{qQpk^B^Vd=Dt{wiqT
zg-#j9J~@o%H2;W9mg)o6@*Vo;BSs2*4HAHpDk02mndAsov08R_48zJZ@J)s7+hyCo
zy*0L#y)?AqZt-wX%+_Vx`8*A95OLHvs1$k~{h-_N<KA7r(+uvizi3XCB3#4TpjNrJ
zvai45nQG0Co%wk~tYgN!u~~y2n6k!jjXBHc$+Gq4hqTzEj>_vov_gHJE=`X>L?5K+
zD?u59=mjtImMvd1GsDytuYp{Iy<NXRrLZ4s+5CA`p}CBZMPL-T31R=B$JFH(h7Qq$
zc5;cO7Li&TJM=S4-dTKdpeXu!TD{GoUj}7yzx4mPG(VBO;Kq@rcXv?}P$X>UkW&?h
zF>$#`n$~bZ)KN0B$<p$VcVWI@lvp&2*7))!ZYjjYh^fBV(ceia`pW>XGeMYh&`;g8
zo_2-koaO6+8O!+L>SpIQbG(i;QW9UJi{Ecewlo?s&D!^>i$|#jaW}#HJuxt|W48=?
zb^Y&O$a1s5ddr8DIt!sD!t=y1g(d4GR(s;s-HfV$GXl&m;+sAAxB^rk(3_NjE$p#L
z*t4em?tA0d+XwRxN^OQwzbDZMuSE0J1)Ky{mq)^t4bnSl*)s>zNM@mMdtd78&ebHN
z`!(|lE5q-p+TsRaNnMXwALaN5QIZ2IUi^Z22tsN5>nvIO+YU}Q*xh6}ee6@rR~<&1
z(PB4z>9ZBUMXZwSMmd9-aKKsmJeJq^G|#JclOh*xf0?^e0(`40nsg1z)(48;4}B_(
zGwPI)yo|{oX{dVDL-5-aMGr;~vU1cPtJP5JM(sswz&Q`e<@0?y{YhsO9YK8EYJA;L
z>7oG_Mts+(wCBC*Md82#XdKw&J*IizR?9k^rf1r{Ot-&>V^ke{9nI9zavlcNkIJtN
z7T>?o|4rENk-?|lewZ(EfdR;%BUrzKJ^UkCpsM)EA9QHBVV8trT&*O(9?FO{MLTFL
z=5P0H+T6C^jAuX0k4U;~GM!x`!X2N~3_n?qXY$HI>x@(DHEy&Q3ucT1R6fj28wX!I
zC=&d$@bJ_v^%?W2Ngl}e8ww`b%BrN-PzGH;$@B2Ky1?%GMkm#~Okj(-Admyy;qya|
zOi7<TIqKLJIjsT6%xMurCppK$`tFA>3kr_pwt?5Nj<kh;AkqM0FqJNvpLG2%nBiEz
zf%ifK$Kw|EzR5(&`uXcro~^V8i}*)jhx5-t$rA$`c)ZqIf9DQr!qkCRbJWjUI$JZJ
zm$fJ9L9f6?UO=_r2e^Rac$+nqbYU6z^YgMBa7iN^LoJ4qw_S?6p!J<$X}7t17(?2t
zcE?oZJ$Jvt+q&PyLJYNC4pJ6B2Qde+jOF0Lu$QB|%Hl8GeqMD>3p=&H>81!w#>Agj
z(QXx{j0r=pTl>micAI_5vUw<3`Sht?Z}-j2Wx~<RLz32QGv22&J{94fr~V)YDG95g
zjef+~vo?CO%A&z(jqgjVppWOfXF_a0rF&LK$Mau_gV9Ob!+u&!{<c^Y1J5Po?`a)A
zQzS-wDNMkxF(uva11Qd*)ipedF7L8cQx?g7Pl*j{fhk~H=G{iXJB{lDwggu}3W3aA
zqf(*0b}y=rmt<QkiQ35c+=PEj9}{Iru7J~e%e$QIlUdUy@-hWEOf@ncen^;YeTZ*X
zH+U;(?Wy8Xl+h@nkoL^sjJj(5zUISeV;JWYIiaB7RDchD*VdjmbXj9)pN{CA%vsJg
zciJ6y-i)!8uXW&CN8ViTMaOYPM$w1*SL53`0@H8hO>F8DKCUQrsXl2?W8hur42(F_
zsSJ)_36&x6A|YkY6c<2a94SXbv~d>4CC4nkDPvf9Z5Fys^6^5r0j5=E>Cgy_Dk@tS
z%?c}9!qB?t6t8(XMH%le8UeNWp@Nsma~Ql+^3Bo%_npMryeQJz4V=BAqE~T?dejng
z3ge<X@Z7g2fW4F?C!aagtvam=!RFFVpJA`q1dy-E%du?YwT%+fTkMY4<03TZ)j<Oe
zuSu|TMbn$JCNKw9K<+@tJ({pU#md3G(`)NO28!Z^`B|&xuS!YWO}}^8(&l&<H`8f(
zO-EXMeXU|crFs+^NzF_IZ*xCTMAZi{Y<c;sK84v<>{fjCHoNAfYBvsfq;G%VL|j7t
z`X0sy1EEgpyD;)tS1x+fnv-?C@glP0{RCW}Ma?3qpoq_&IJAYOy3G#s`rsh5=3>`K
zkj``<PxYPrnJ%66XZ%$jT_UO;S&LzWfo&581S_54ry#ectge+aWQh>=;|*x5HSjZC
zXNvPLh372q;=+6ja|SC!R-`JcL}}wwskajjTUGTpL(1zkN-p?BA2lmf<wk(A{@fWd
zR@`1h3RtSO<YT(S4xL@1hiEAxTBBzva~C*l--DU9m2vX&A2fTNg49@_4&`2Bzy8!U
z)6qtF$FpZMEKdNYC;O-#lGOq92InNM@``qD2YvzcS>+J3WsB7!k`0Brx8^cLTF9<g
z@nKD{&MQpkhV&mNuFe;7?=GL>h)r+LZ$vsZo}`OpOs)?c6$hclR!R#MAeh|_DY|9r
zy+_3c%IO9h9X?ksp?an&>Lw;QeQ`T-Ku6HaK~H?E9-Z5$cZu{YU;1+-6B$|JD;%!^
zt(4l>F8}a-UkC4YtOxFHckhl4VK<o_&-lD0mk1#hZYAraLBA)XZd9SwQ&Pgn$a!)D
z;&eLCGu8&`Ky;&{YdGM4YZMiZi$_@v^1aVdy+K+*Qo!QYDDtW4@Os*LbJ00k{m)5`
zoRKnSu)novfL2Ts{!-4+5Y{b=o+LpM;89G7S{vXl;M_l=ND-Rc5qgt=ci7TpEo=mH
zL6*Xt9up_3hU63OR>r6P$P_O*U!)IDory%}Wz`YeFx6TO{y2Y${SBm?H9cTWV=WWJ
z`_*CGso!ZN>l@~_jkeXtV}<eU5O#LliK7g)klc(Z=e{4*h!dp)V6v<*N!NnT1w~8K
za~UIar=<m6R+`}h>fczfA{TUkyeD>)i3|NFGcCsBmK3HXp&ol_@GVs7PIpfULy!hi
zs+%KYgS%(n7_z_}6<X(k(VFudPeVYWZh9|epL*7btD&ckkCMALmGw(owKL=w(~r63
zOyHtRRzRvkW>)hblk~W#LZ@&2)fwm6xkFP%&Ju|MFWbNiTwy{{g-pV1RK`L&=RE2D
z4|g;~vd<LODHcrO&uLo^tGtrbwh8*iCTXkJcd4-eXXU0I?k1m)6`j}QSOp%!d{k#o
zIrMoZ12w1s%;qprCkWS}WH>8x<?cZds#+JB{z{||9jq*<HT!M-cBcH=;7~J2uQ_26
zvZro;_+w%PUpNkSI<TD8&2%vNAnp4avGA`e@UKhI+!{F{Jx<Cv<%&v?&9%YQ4BL2T
zaOOpQFMay>d|teYS%w!IlT4W$&FTrk-hcTADX!P?*f1YWEIRwq$Ys%^(Z9w&HT$>}
zsMD#6Df=uJrX!JHP7<>Or;e_Cf=}`!`qR=i8fBj)$6Lxx{HRzd8Tnzd0p>kSps{OG
zKJkml>bUj8$u|F=``l(-aMxWBC@CGZ#FXClQZ<4|&%jN}Tkg#q8z)=>Ly{$i0`rjU
zv<vjl^OND_&nt8%K_DY<c$hBE?ht3o;zMF?PraCx<3H?R+3c+lcVP-`!*=iR^+4=@
zjAXY+K30oPt-hFFYy6`C$csm;r=3u|c~FmFo6B7|^>t|QddO&i=91e?h3>s~i;+6{
z8X4i6a1wDLrSuE#W(zhan+U*Zq+8p3a))JFVF4ffaV51K^YgTs<ELvmzH15OGhhY8
zrA_+PnYK;aeddV!Pi3^WYTGZ2*J)4~@C%)8#kRVzSG2!MszRFau_EOo^?}G1$p^yr
zk#PoR%ZY0-+cfohw#0i(2hnkZfA7b9`g0$EfREag|7IgZEqyUPIUSL{ls?ZdY2jlv
zX?1Mzw~@8iav*U46179*NN~X0%-qa(h<B)RSSGS9k|=WNp6TA~=CbwUXG!l)zfkxA
zNej9!)gKN9qFfwPo;8s*!hnDPngF9Kp{ukrX|iXeI3(#zb*h?bb?@D>o~3;Y*NmM;
zx8T?y-N0uyWY(8=me-HUC9xtABvX5~%yg+Cp&XF$Bq=OcK6T*D7eZ2EmIoCFWm{$S
z1PNw8HDpe5hHeCusN8kdeb&f2#=3M^A~7YwJ7FRrhq*)PG9x?JIAaC<n&nyz&js(6
zJeGWn+?QRH9iX#RFkV(w>{MV}5}<q?f|v9)L^XT#O^Q+lTLo@~KU5xyfaaECe?QTB
zEU+ll%CA@S4EasNBgDg3P3g>g#7R$-Ly%)4=IUkRCGOR|XTMjn&okRmFjaO^YF5^*
z@)#MCBOBezD)*xQNxydlUyN?dW{fS(s-T`gv*0BEnk}<MqB*2*JFz@&Ut*5R*2h-J
z)_1&Q{C@mZhFSfyIyZ=2gNVh5&AtuX!f!}*i1VjIDopYKYu?w1#R<cS5`I@F1PQbP
z*(_N34x08$O$DXg^I;Q5K8>`BdmrbmPO8q8y(X$AA}*RH%I7Av!~84pudHb&%Q5-j
zt?=6x(iR?<^_7X0v6Ys#VAL}dKk^hcjI=|EY;kPcZ_w<*H`_*|N7SacaM1ERD@6ab
zg`!iTm7$URV+lpW_{V$ruR&A>jrX68k4x2wo$45}&wf7o<|o(@B!u-L@bKyQBAGwy
z4#}UrRAu>^>Vb6k2-th^>WjvP;Nl|i3WrjWv3ISkj{m{eAcQIW^_ndxSX@|8T(ASJ
z?_<Q%GX;J*nopDj?vlGTW3<2Bi-14h9Ft?$MJo-;vYeHFBv>$fcP2u*6uOBk-{d>^
z0vWlfGQMvysI%R=iE|A+!!Nw?C917EU*_$`;;)px?s83CRd3i_jBN)k#nR5t$dJ(+
z_sP;wG@Ad)^(3LRj7q}0b2O(b`|i0~5SYb%Sjk^*5ISZ-Ab+}DGu$-X1n^TF1Ndw_
zF|e*1)cI2%`TR&AW~XpqpFb!=3cHbS>np9hYD_Mr5}y5Y<hjKC>`SY^r7isA2Q4(z
zazRQEqWDKT2zIEbjSYdCPi1ZOGz80Nsl}gxO^<!<`)h}k*WrLKhVC9A^uqPrAX2rJ
zk_X_<UKVZj#SZ`e5i&Jvd|AuDABtCTp9RP@piFO@ZU#$^j4fEyi5WR4tQO|sRzdLJ
z86FxwO1hlidA6EQ5OI;XPTXTa$K&JwxgTfPhh!ZPwc^HMC{@|JRTI?xh^Ptzlf~Qj
z4+amGs<?A`M~9~Ge+{a1r{l~f$XZHt1Ik1~ki({=W}#a+O?yAslpyDBa!(JThcKg+
z`7_G`o=!47FD0IvP768*p<&Vtm`CtC?;Dj`fo;v%1qH|i1@RjM=o$pEJq4&d1&L7t
zjHm`Qe8@BW2ApUJb#%iMo6qv$oT6Alh&RB*5@4ncFm(r*OBC@so8*msJq8zql&b-+
z5<*+q@YE4P>DWMY0AV<2K&OL{&^6#@L1?lXu#6xSMh%3^5c*}oM6DQGY#(a^@z<&D
zF(43I9e&5`h|A$5!+UFuOH0>F3$shBV4`0#M4RSB8=6F0ZgIbq<2LQ$Hh^(kAJu=!
zt8ZGXTacD{(3W{V1$j_{Jc)Ka7<N6;sXR!iJaN-JXwp2f^gSr_JqZ^)=odUOg+0iG
zJ@H#S=vq9neLbjrJ&FH#F#bWI5hI@wqj2Jp)bXe%8c1>t6u}ho`4kF+4@t_0!mCBn
z)}o%eA}L)_L?=jw6BIfll7tb3n}?*yLt&XADa=rW>qz=_6s9ziOd5sXjil>FVFx3r
zf>Feewk0v#W9>Gp4GacTRr>Sd2T6dWi-{YX`v!D)kCWzG5xQB=?es5ON(%nkwUhNl
zV>@xkWWWv*N+{e$(SrExvN6BXzU(Hxlx27{VYHf+LpIbTO+Yu(ltMk<<mdQtfilQ%
z#zERxP>;)3A(LU@ytVYFkYvTa79idMtUFhfxx?P!)2F`prNWW#Fub#l>N2s@nh&n_
zA4{#}|AIs9|A4P0ZF%fy=hDN!t#ifH<)4u2kirK~JUpjQ-J+~cXOZI&dI<edX<Pe$
z<5K%Sv8eq|W{$&;<^B}h+C6HiudVR>ts;P}UeXslP6zKvpEKSN-$y>kJ^nw2tC9bv
zo(|lT@?vZ!{_l|d^8Yh)eEBh*5ABh<!=o}_%`M5uz0&2FvS#W)djCI>+Lzjw+?V)o
z#P<J#52aEke-8d*<DbLpV99;)|DC457DTn))TG@GiB9R>-W7361>E(Y4;@`sv;VKn
G`u_lkUM?>H

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/caret.png b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/caret.png
new file mode 100644
index 0000000000000000000000000000000000000000..c5a91e69a3bf5d9cf9aa3d2708e50fa28a124af2
GIT binary patch
literal 2935
zcmV--3yAcIP)<h;3K|Lk000e1NJLTq000>P000pP1^@s6D7ps@000WNX+uL$Nkc;*
zP;zf(X>4Tx07%EJmv>N8`4-22_oj!076?U3=uLVD={0oeASxjVA(RkOP_ZGhxB_cI
zL<Gx<E>*#`&=wW3U`4=Q7i3XT*TsUMsO$wE;k`Grf4rG@GH325XU;u2=jQxoz83(}
z2!qd0hh+iC;E4p`ex9`0xOf`wcK{<FJdgug45pCp5f&B%{?R_&1JKO%w&_eQ@V}WH
zi!EdV0EHo(#1b+y5I%)?50ftt0f5R!;ySBD{28uASV4d^h;YXYbLO~rhLh&_kJ+5a
za4&=>0l<?O3;_oK5*mrqvY8yD4oMeb3m%KhLpTy)S7r)>g>Wgti!(AZXSfq#!=!(!
z!}*VzNs^ij21mkkv&<Uan=9m}GuD9rw`HV@=YK;RaZ-xFKODL0BhRchEi+KUyrhuO
zdFHZa^Jh6l>>oAHOrcl&JhK?yf%7a*i}ILfhG5}du81Bv&w|WwNqx4^Cqh!6O%Iav
zkRBr8WUeoLo^w(nW9B)V8yzyw!nBCMg&Z$QTp$jY^qeg4mCTqST<DF-Sm;5N66wFt
zTdbr97TeoL66Zxp^7$f9Nlkuwm?WQ_?k9;0vm+$;ijW1H=Tt^O*g~B!$@2k`AO(m4
z53m3m2tX3Z1nEEoXuunAfe`SKZw!E}hlsseG&6)(CV!29%SjQ@JdjhwrqOv!v&A$k
z3rkx7X3pf?U;cqQd)6T8wS`y~va61TNRYD-W9R_T_5uLPr-hi#dt_a90C1+4DHdeU
z#b(wPU;q)w00p1|G=L5;1g5|W*a2tY4tziW2t_7|11kU%nI{98WEEHkHh}_A1a^Sk
zpaL8Ohe0hk22Ow$&;iba%iucb1$V(?FaU<ZYcK{rfhh=ra1a@yKq`<Xqz9QmR*(ba
z3i&`mP&gC^B|;pC2Z^C|&}OIzDuF7XLr@*`E7S&^hps|>&_iet8in3NUtknWf)!wO
zSRXcr9bgYQ5RQbG!yGsZ&VlpcZE!hU1s{c*;q&ly_%1vEzlO(A040T@qO?$^C<l}m
zDijruN=6A#8&HL)GE^0+5!H_BM%_jYpx&T9qp@fTnuaz-JEQ&4QD`PQ3%vndjIKb}
zqMOkd(YMiq=rQzn3>l+_F~K-t=$Kdx2eS%OfGNXNV@_i(VeVpvF`uwlEEQ{jwa5Bn
z<FKjNwb)|peryxA6WfO!!j9u`I2D`;&IK2WW8g%%0^DBQQQSFPKW-Q|iI>7_;;rz$
z_;@@IpNB8Q*W=IP`|&UFQv_Lp9>IwaN?;Mz5VjMJ5ZVd12*ZRaq8!nH=t7JnrV=+1
z%ZZJ|OT;I{4^mQ6+ER{EOQpC{xl-j)$EB`F4N83`$&-vpUZez)n6!;lL+T_wBz+*0
z$@*k>ay(f?-bSt?Um!mtPfAmy&7|qlEa{EXmD0`9{nBq`2r_yy9x^Lra%9S6PRiVp
zc_T}Z)tB{>Wyo%jt(0w(y)Qd1N0GCX3zf@|E0(L5yDB##kCWGz_mOAG=gS|KzaT$E
zK~Z!lUKA!}Gvx^75@lEct6-o&S4dSTQaGm2qcEl@uV|wft+-mTQt^!902M{mr_!nE
z)a}$0)O*w~O6p1;N^GUAN{veWN)yV9l--rt%7w~J%6FB&sL)h=RMJ#-s<fy)RYj{B
zt1eYtrFua1lIoj93X7Z<F&7msI<e@H8mwll7Ou8d?XcPnwQ+R~bw72!`d;-5>Tfit
z8txjY8l@U%HAXclny#8$%~H*Cny+YzG!I%jt(<m|Hm0Sf<*y~yI;7R3HKlE!9i^S8
z-K70ghp6MAldMy!)1@<}tEn5TyH2-3_mLh!&p|ImZ;xKL-h{q^evJMW{TBTZ17!oc
zL5@L#!4pHWp_^frVU^(>Bdn2wQJT?yqh4d!*w#43xYGER32b6#!Zq1%(zh71*l{s$
zan<7crX*7j(`?fQ(?K(;S&&(tS&P|Qb6xXz^PT41=HD%BEz&KHSUk3rw+yh%vuw9~
zZ)I%7w5qhaV@<a9wccpmYW>c}#D;Biz~+H1#WvV>i*1+fH#>VffnB5BsJ*UzqWwPm
z`wj{YVGhL(R~#{po{k$GI~+ed**S@vPB{JLZ0elmT<<)x#9#?~$&n>PF4`^(mqRWC
zt~A#~*PmSn+_c;nZdGp2-F4hq?$z!uJ&Zh3J&t<3^|bI5c%Js0@N)86@73vz^7ivC
z^zQMI_lfeU@OkE|?aT3P@E!BB^;_%L>5uUb^xx@!pRP`4((CAB0rmmw11<)V0wV$|
z0-pyN2ML1OgW=$S;9bE_Li9p-AuXXGlpeY(^l6wuSXS6?OR-DCmR2r(5pEg2F1$N}
z60tI(KH^iPXXN(C$5Dn+;;61@ndpS*y6A}*@0gO9fmrj{^|9CERO7gDt?{_{==kdR
z@nt^Cb}t)FuuUjPxVPM3`Re6YSE#N?UvXxo%u2?}lZlwbn8f<TuZ&Pe6=OV!p0qD%
zjOoSP!+gzhXO*%>*)Hr7_RD0K<dWnOjtgfOXEenvr7YzQ*Na=heV6K=dN6e&Ei|nr
zZ8|+By(t5qk(klOljo)JE@o<EuFmY^oA3+x16fX4yR*gwfr4rwBwQ|R6)7O%=Z4r&
z{DXKf+cmo~dvaCus*|hbR`XWhSYy0q>zbE2zB#|FMXzP9?OLa`ZqvHK^&aaFZGbi;
zZRpylvoU|;aIRl&?Iz-;v`shjEb>b7K5mZL+@7zVpPN7QgWnGg1=0nAg8N&Xw;cQt
z{Ui6so~_nf_ip`O$SS;6WKmRB^tG5-eC;R8pUQul-j=+rXS?0@13R!gcsuUxblX{5
zB3F`AGPEmrS92+?w6OH!?v=Z*mf4gY+(X<W-ZM}hRNlH*ckhn9Un^27?pAtMHtkc}
zw{_pde%Ai}1MUYJ52_z5I{4*h?#~Yn`5kJm(yuBzj6Ixv_{EXvBi+9^{8Cq~T3uBA
zt%g@KP#a!*vCh7(u3oKvdjs4cZWuk9aJ2WB_p#PS)5b$h)TW~2;JEnst6vj;y>}w;
zMAu1&lZ~hJPVGBQIbGNcHLqzNYe{JtXpL*_YYS-WYIklw{hQfuH62<Vm1h*sY(Gmp
zn}2rtT+X@iPJZW`^PKZTT`RjDUx>YM=i<_fJ(mJ6UAgRg`9ilx_qi)BS30gbU2VJO
zaINLK-Sy@hwl_}Sw7q${$F8UOmi?{PUdP_{z9oHU``!A_-}b(J`40Wg^}8W=`|d^E
zdvHJD{=fs)gOP{n58pk?el+zs_X*}n;ZxbCWzW=}RsC-Cd((j3z?nhs!5hybo<AO9
z4!!<E_{Z1b{1@aGWiK^f){R(=bd36r_P$#7YWOw(_0*e!Kjr@1_tx<3slVL+x-k|z
zHvCTTZu))k2bB*sA8kH%jfagt`;_r%YNBvbWwQ3O!{_cVF<)Lzt@?`lTK>)GTl@FG
z?@y*Prl<J~0b^DQpb&?XlL2^N0{}S=(GG~NCQ8p~=2?U0bp9-Xf8se^J!^IV)VKo>
zl?y-+qEQYYu9rKft!E@tq&tAEttI|16DC_*&DA0y$`dm=J^eu)09-o&-vrasQ~Rf<
zza2rEeF#8j)|^(KF)Z>1Q(~Ybi@AKW#5w=JHS^zZy$adoxh@$1000JJOGiWi{{a60
z|De66lK=n!32;bRa{vGf6951U69E94oEQKA00(qQO+^Ra2?7r#AW&o(vH$=8K}keG
zR5;6H{Qv(y1FZoQ10BGqB_q@l7JQPfuC7?q_wL=h8L8$IY=)6)0a3w)Y$!PvFfcGM
hFplQ<QA>ulB>?VZ66NhRF4X`4002ovPDHLkV1jAaiw6Jz

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/default-logo.svg b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/default-logo.svg
new file mode 100644
index 0000000000..bc2feae9cc
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/default-logo.svg
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 1200 359" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <g transform="matrix(4.16667,0,0,4.16667,0,0)">
+        <g transform="matrix(1.18343,0,0,1.23077,0.299644,-12.2956)">
+            <g transform="matrix(0.763132,0,0,0.73378,3.6,12.99)">
+                <path d="M18.602,0.961L18.602,19.563L66.437,19.563L66.437,67.398L85.039,67.398L85.039,27.536L58.464,0.961L18.602,0.961Z" style="fill:rgb(192,62,20);fill-rule:nonzero;"/>
+            </g>
+            <g transform="matrix(0.763132,0,0,0.73378,3.6,12.99)">
+                <path d="M66.437,86L66.437,67.398L18.602,67.398L18.602,19.563L0,19.563L0,59.426L26.574,86L66.437,86Z" style="fill:rgb(192,62,20);fill-rule:nonzero;"/>
+            </g>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M140.024,37.345L140.024,43.579L144.106,43.579C146.277,43.579 147.668,42.503 147.668,40.462C147.668,38.309 146.351,37.345 144.106,37.345L140.024,37.345ZM140.024,49.665L140.024,56.437L132.621,56.437L132.621,31.24L145.368,31.24C151.658,31.24 155.183,35.229 155.183,40.313C155.183,45.453 151.658,49.665 145.368,49.665L140.024,49.665Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M164.994,56.437L157.794,56.437L157.794,31.24L163.825,31.24L175.31,44.692L175.31,31.24L182.509,31.24L182.509,56.437L176.739,56.437L164.994,43.134L164.994,56.437Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M195.603,45.527C199.332,46.177 200.854,47.809 200.854,50.927C200.854,54.601 197.848,56.809 192.82,56.809C190.074,56.809 187.309,56.4 185.398,55.732L186.047,50.389C187.272,50.815 189.74,51.446 192.003,51.446C193.488,51.446 194.36,51.279 194.36,50.834C194.36,50.426 193.729,50.296 192.133,50.073L190.964,49.906C186.938,49.331 185.12,47.754 185.12,44.358C185.12,40.536 188.33,38.254 193.673,38.254C195.974,38.254 198.683,38.718 199.926,39.182L199.24,44.6C198.331,44.21 195.918,43.765 194.249,43.765C192.337,43.765 191.484,43.987 191.484,44.488C191.484,44.896 192.263,44.952 194.434,45.323L195.603,45.527Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M214.468,45.713C214.468,44.655 213.578,43.431 212.093,43.431C210.405,43.431 209.551,44.544 209.44,45.713L214.468,45.713ZM220.294,55.25C219.033,55.955 216.435,56.809 213.411,56.809C206.675,56.809 202.779,53.098 202.779,47.494C202.779,41.909 206.527,38.254 212.186,38.254C217.827,38.254 221.872,41.668 220.74,49.09L209.44,49.09C209.57,50.463 211.555,51.279 213.745,51.279C216.101,51.279 218.346,50.76 219.497,50.203L220.294,55.25Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M242.054,44.488L242.054,56.437L234.929,56.437L234.929,46.603C234.929,45.342 234.039,44.47 232.758,44.47C231.478,44.47 230.606,45.342 230.606,46.603L230.606,56.437L223.481,56.437L223.481,38.625L229.975,38.625L230.142,40.332C231.144,39.107 233.129,38.254 235.671,38.254C239.457,38.254 242.054,40.777 242.054,44.488Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M254.999,45.527C258.729,46.177 260.25,47.809 260.25,50.927C260.25,54.601 257.245,56.809 252.216,56.809C249.47,56.809 246.706,56.4 244.794,55.732L245.444,50.389C246.668,50.815 249.136,51.446 251.4,51.446C252.884,51.446 253.756,51.279 253.756,50.834C253.756,50.426 253.125,50.296 251.53,50.073L250.361,49.906C246.334,49.331 244.516,47.754 244.516,44.358C244.516,40.536 247.726,38.254 253.07,38.254C255.371,38.254 258.079,38.718 259.323,39.182L258.635,44.6C257.726,44.21 255.315,43.765 253.645,43.765C251.734,43.765 250.88,43.987 250.88,44.488C250.88,44.896 251.66,44.952 253.831,45.323L254.999,45.527Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M273.865,45.713C273.865,44.655 272.974,43.431 271.49,43.431C269.801,43.431 268.948,44.544 268.836,45.713L273.865,45.713ZM279.691,55.25C278.429,55.955 275.832,56.809 272.807,56.809C266.072,56.809 262.175,53.098 262.175,47.494C262.175,41.909 265.923,38.254 271.582,38.254C277.223,38.254 281.268,41.668 280.136,49.09L268.836,49.09C268.966,50.463 270.952,51.279 273.141,51.279C275.498,51.279 277.743,50.76 278.893,50.203L279.691,55.25Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M283.51,32.01L283.51,33.063L284.174,33.063C284.519,33.063 284.731,32.827 284.731,32.533C284.731,32.216 284.505,32.01 284.174,32.01L283.51,32.01ZM283.51,35.029L282.543,35.029L282.543,31.141L284.308,31.141C285.112,31.141 285.733,31.708 285.733,32.533C285.733,33.033 285.458,33.49 285.063,33.733L286.016,35.029L284.865,35.029L284.068,33.924L283.51,33.924L283.51,35.029ZM284.145,35.949C285.747,35.949 287.046,34.815 287.046,33.107C287.046,31.435 285.719,30.25 284.145,30.25C282.564,30.25 281.308,31.435 281.308,33.107C281.308,34.815 282.55,35.949 284.145,35.949ZM284.145,29.308C286.206,29.308 287.978,30.957 287.978,33.107C287.978,35.345 286.298,36.921 284.145,36.921C282.099,36.921 280.362,35.367 280.362,33.107C280.369,30.913 282.056,29.308 284.145,29.308Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+        <g transform="matrix(1.04723,0,0,1.04723,-14.564,-2.37235)">
+            <path d="M116.372,50.222C112.753,50.222 110.323,47.624 110.323,43.82C110.323,40.072 112.753,37.512 116.372,37.512C119.915,37.512 122.272,40.072 122.272,43.82C122.272,47.624 119.915,50.222 116.372,50.222ZM116.334,30.869C115.277,30.869 114.267,30.968 113.303,31.146L113.303,38.254L103.958,38.254C103.23,39.902 102.827,41.766 102.827,43.802C102.827,51.465 108.337,56.809 116.334,56.809C124.294,56.809 129.768,51.483 129.768,43.82C129.768,36.194 124.294,30.869 116.334,30.869Z" style="fill:rgb(135,135,136);fill-rule:nonzero;"/>
+        </g>
+    </g>
+</svg>
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/favicon.png b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/favicon.png
new file mode 100644
index 0000000000000000000000000000000000000000..44f780deda5a320b2257957c2cf9c3bbf2a90622
GIT binary patch
literal 2221
zcmai032+l-6y72hC{~Ib(jsA93JQ|lWNixBCWTyWf&@xh=mnHzcav_}WYgVElX56@
zhOt~~>xj};D3m%wOR=ROj7lp<0Sl<eB_14F#bZ)MQIXR>N$EjBXR=BD|9kIy@BiNa
zUa~4>Msj3COauf$kruPj20rn?(?1-%%cc}JK+vP9Y+8ntVVzD;yb~p9ej$VUoNj<a
zkY<X{O;U>(30}xJSeF+0^@C;vW@#;wuCgkuZUd9cnimU9>f#w`)Z#^ynntE1MreEl
zAaF7g3HzL!OC)?+B*;sE?}2R$frBQ}A}x|(O@R%(z`!b0g({H52v{S~cEV;%>Tm`t
zEs`rqZUV!+UN7o>9_0lGrc|rdm;%ReTn;ScVxdbSeR7vLCO{G5Fft+~ux^RvU2uSt
zT*!MQErI|X?jWbBPHwkH;DXFFg)toCWL%PnDN!ZX-JbEWUD>$A4!MAESO5X$iXP??
zYk!D&0O@7!&gCUu%;nvkN%aWP3HNdYazEI`N4g(mY_<NkxzpL>7@}k<0K#<?p+`>l
z0*GmaZU(b4BJU9>##8{*8xs^RpbL@0`WP<5$O2JCPz^1jQrrh-J_I!I951ATOUP&u
zWzZ*}9AR;i4kn$YrQA-guKnqZ%W*#t$c*y@uEJ~=3(kUfab<L2T4WNAbqkaEK&Z10
zL@+xmPlM#14-$4k7K0&0;O#62FwvH*hb<;Uyiy$>FUQeP1W+^r__FpwBPjtZT!E|P
z3bkB;rzsUg+$2J&d`^KAijY)6YtTD1DUttYALsyBLsNvrN*ohhg*rmVNugC}$+3Yp
zAUM+H&>}uL&Dco~Cn1R}#k=Gj@8C69pl>*~gCe-P$DzS`1kiv4tyaR!iV`mrc8i(H
z<oApjY(E$dUMhm50yWVhZh@yg6hjA91lfmBk+(};QeboraG$h@&TeNx^$KCo*{s9G
z2rv%gXgnIyzSGN_%K*lQ%ZYVA&b{<BSg!+wPTy^c0Kd>4m`-5KVV!dhEIKD8;{xMR
z0CP~R$axEb!d9^0CiJ=i5cF(`r{sed9??a;+#H*?bW7z*(`xu+t9fnIu7={=p{J3g
z-_FE3WO~_=c}0D*_s3VlUtXVZ4f||P{qVk~!H2T4O(P?(R1AnM-oO+z-S&S{pD^%j
zip}zqM`o^W%u-zPq7zZI|J^vUx+MH5(v<G_VVwT-u1}Xtw14O+-<`MV=DDmnRqyv%
zpLBVa>CDapuOB$|OXiujQJ2xNgXa%R9MXQSt>}RF9ohJ+Yd*gE#7pJdR~AtV{80sm
zYbV=Urs-c8aO_xqb*Z{~>F7Vk)}6d|tKyI>zaOFNb3Gq#nM_?DK^yI(T^~Mnbal)>
z8!z6<#7k?BZZA!y)=eI;^V*uS*MFY1N_nyhFKs(<=dQn2HuCrNHG6JszH?r2Vafic
z$d)2<>8R+Wt0TCX?hQNI9FLRN4cGK0an#hC<0^7y?>dUk<#c~n#hg9RTx$I~X3hSu
z#_y8ruSCXSZ!Vs5;YwSWe&p}7&(-f4v`lDP_I<xWN=H-vdrS%VK^x#UXNnLsa7f?@
zgUTvKfC`Bgqb@CXg}*Fe#=)skQ%4uS@_5~3$k|>mOskm-ofN{R+0@CETVCB8_GfEy
zvCt<^>=(fuD_*y6bk%Y5%?Wo8Z+xasTQ$$18~$WN*e7MrEZFUq9jRe23NH5>QH^2k
zqU`5`nPRrekE-qnAJh1@w^i7-{iR0OkW|(`w$(gzMc?RcNYwZ-nSBv@>zb*RYr_Zk
ze=T~#lJtg2VUw2iYr=<=Q<0h_ukbU6oycc$2G428seR|R*^G{GoH(&6b$4U<rnT!g
zs}3g|k6XPwIjOe)t)rU163R?a`;ACH@`%Y8)B8o0e0P3l#&X@(>`h;6RK7X!#mG8W
zfxi0qCa<w}t+%Bn@5{Fv!z=%)m_PG)g1kjlKWK0JXZ-XXPZy-3i5u?Pb5wrA^pD!E
zq@Plh*Nw@diz2p!Z@AQo&Kp-_Dw#Osn?;s4EO{|wTVuV=pVPKGrsyAu<uj8Sza5zW
eR`XW4oZs{9!p(#BeO@2<mtir@Fz(PVDEb#=G7#VZ

literal 0
HcmV?d00001

diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/icon-logo.svg b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/icon-logo.svg
new file mode 100644
index 0000000000..25a04e7711
--- /dev/null
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/images/icon-logo.svg
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 355 355" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <g transform="matrix(3.17501,0,0,3.17501,42.5,39.4488)">
+        <g>
+            <g transform="matrix(1.18519,0,0,1.18519,-7.95273,-8.13069)">
+                <path d="M18.602,0.961L18.602,19.563L66.437,19.563L66.437,67.398L85.039,67.398L85.039,27.536L58.464,0.961L18.602,0.961Z" style="fill:rgb(192,62,20);fill-rule:nonzero;"/>
+            </g>
+            <g transform="matrix(1.18519,0,0,1.18519,-7.95273,-8.13069)">
+                <path d="M66.437,86L66.437,67.398L18.602,67.398L18.602,19.563L0,19.563L0,59.426L26.574,86L66.437,86Z" style="fill:rgb(192,62,20);fill-rule:nonzero;"/>
+            </g>
+        </g>
+    </g>
+</svg>

From dcb2e4d7f198325a7a6cff15c42b6ac8f5ec62cf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Oct 2025 11:26:30 +0100
Subject: [PATCH 2708/3088] misc/theme-flexcolor: automated style sweep and
 wording

---
 misc/theme-flexcolor/Makefile                 |   2 +-
 .../themes/flexcolor/build/css/dashboard.css  |   1 -
 .../www/themes/flexcolor/build/css/main.css   | 154 +++++++++---------
 .../themes/flexcolor/build/css/tokenize2.css  |   2 +-
 4 files changed, 79 insertions(+), 80 deletions(-)

diff --git a/misc/theme-flexcolor/Makefile b/misc/theme-flexcolor/Makefile
index 102f611200..4ff210b34b 100644
--- a/misc/theme-flexcolor/Makefile
+++ b/misc/theme-flexcolor/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-flexcolor
 PLUGIN_VERSION=		1.0
-PLUGIN_COMMENT=		OPNsense theme with 3 different color schemes (black as default, light and darklight)
+PLUGIN_COMMENT=		Theme with 3 different color schemes: black as default, light and dark-light
 PLUGIN_MAINTAINER=	iengels@web.de
 PLUGIN_NO_ABI=		yes
 
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css
index 6a605eb798..c9a3ba748f 100644
--- a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css
@@ -369,4 +369,3 @@ div {
   align-items: center;
   justify-content: center;
 }
-
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css
index 1a243c3d60..6c2eaad9c3 100644
--- a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css
@@ -687,7 +687,7 @@ img {
 .img-thumbnail {
   padding: 4px;
   line-height: 1.428571429;
-  background-color: var(--pback); 
+  background-color: var(--pback);
   border: 1px solid var(--stdborderaccent);
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
@@ -845,7 +845,7 @@ a.text-warning:hover {
 a.text-danger:hover {
   color: var(--dangerhover); }
 .bg-primary {
-  color: var(--pfore); 
+  color: var(--pfore);
 }
 .bg-primary {
   background-color: var(--pback); }
@@ -990,7 +990,7 @@ code {
 kbd {
   padding: 2px 4px;
   font-size: 90%;
-  color: var(--pfore); 
+  color: var(--pfore);
   background-color: var(--pback);
   border-radius: 3px;
   box-shadow: inset 0 -1px 0 rgba(61, 61, 61, 0.25); }
@@ -1827,7 +1827,7 @@ th {
   vertical-align: bottom; }
 .table > caption + thead > tr:first-child > th,
 .table > caption + thead > tr:first-child > td,
-.table > colgroup + thead > tr:first-child > th, 
+.table > colgroup + thead > tr:first-child > th,
 .table > colgroup + thead > tr:first-child > td,
 .table > thead:first-child > tr:first-child > th,
 .table > thead:first-child > tr:first-child > td {
@@ -2079,7 +2079,7 @@ input[type=color] {
   font-size: 14px;
   line-height: 1.428571429;
   color: var(--txtboxfore);
-  background-color: var(--txtboxback); 
+  background-color: var(--txtboxback);
   background-image: none;
   border: 1px solid var(--txtboxborder);
   border-radius: 3px;
@@ -2661,7 +2661,7 @@ select[multiple].input-lg,
   color: var(--dfbtnforeactive);
   background-color: var(--dfbtnbackactive);
   border-color: var(--dfbtnborderactive);
-  background-image: none; 
+  background-image: none;
   outline: 0;
   -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
   box-shadow: var(--btnshadow1), var(--btnshadow2); }
@@ -2884,7 +2884,7 @@ tbody.collapse.in {
   font-size: 14px;
   text-align: left;
   color: var(--txtboxfore);
-  background-color: var(--txtboxback); 
+  background-color: var(--txtboxback);
   border: 1px solid var(--txtboxborder);
   background-clip: padding-box; }
 .dropdown-menu.pull-right {
@@ -2907,14 +2907,14 @@ tbody.collapse.in {
 .dropdown-menu > li > a:hover, .dropdown-menu > li > a:focus { /* Listenfeld Liste drüberstreichen */
   text-decoration: none;
   color: var(--txtboxforehover);
-  background-color: var(--txtboxbackhover); 
+  background-color: var(--txtboxbackhover);
   border: 1px solid var(--txtboxborderhover);
 }
 
 .dropdown-menu > .active > a, .dropdown-menu > .active > a:hover, .dropdown-menu > .active > a:focus { /*Listenfeld Liste atkiviert */
-  color: var(--txtboxforeactive); 
+  color: var(--txtboxforeactive);
   background-color: var(--txtboxbackactive);
-  border-color: var(--txtboxborderactive); 
+  border-color: var(--txtboxborderactive);
   text-decoration: none;
   outline: 0;
 }
@@ -3034,10 +3034,10 @@ tbody.collapse.in {
   border-top-left-radius: 0; }
 .btn-group .dropdown-toggle:active,
 .btn-group.open .dropdown-toggle {
-  outline: 0; 
+  outline: 0;
   color: var(--dfbtnfore);
   background-color: var(--dfbtnback); }
- 
+
 .btn-group > .btn + .dropdown-toggle {
   padding-left: 8px;
   padding-right: 8px; }
@@ -3273,7 +3273,7 @@ tbody.collapse.in {
 .nav-pills > li > a {
   border-radius: 0; }
 .nav-pills > li.active > a, .nav-pills > li.active > a:hover, .nav-pills > li.active > a:focus {
-  color: var(--pfore); 
+  color: var(--pfore);
   background-color: var(--primary); }
 .nav-stacked > li {
   float: none; }
@@ -3317,7 +3317,7 @@ tbody.collapse.in {
   .nav-tabs-justified > .active > a, .nav-tabs.nav-justified > .active > a,
 .nav-tabs-justified > .active > a:hover,
 .nav-tabs-justified > .active > a:focus {
-    border-bottom-color: var(--stdborderfore); 
+    border-bottom-color: var(--stdborderfore);
   }
 }
 
@@ -3478,7 +3478,7 @@ tbody.collapse.in {
   display: block;
   width: 22px;
   height: 2px;
-  border-radius: 1px; 
+  border-radius: 1px;
   }
 .navbar-toggle .icon-bar + .icon-bar {
   margin-top: 4px; }
@@ -3624,7 +3624,7 @@ tbody.collapse.in {
   color: var(--stdborder);
   background-color: transparent; }
 .navbar-default .navbar-toggle {
-  border-color: var(--sback); 
+  border-color: var(--sback);
 }
 .navbar-default .navbar-toggle:hover, .navbar-default .navbar-toggle:focus {
   background-color: var(--sdbaractback); }
@@ -3669,17 +3669,17 @@ tbody.collapse.in {
 .navbar-inverse .navbar-brand {
   color: var(--pforemuted); }
 .navbar-inverse .navbar-brand:hover, .navbar-inverse .navbar-brand:focus {
-  color: var(--pforeinverse); 
+  color: var(--pforeinverse);
   background-color: transparent; }
 .navbar-inverse .navbar-text {
   color: var(--pforemuted); }
 .navbar-inverse .navbar-nav > li > a {
   color: var(--pforemuted); }
 .navbar-inverse .navbar-nav > li > a:hover, .navbar-inverse .navbar-nav > li > a:focus {
-  color: var(--pforeinverse); 
+  color: var(--pforeinverse);
   background-color: transparent; }
 .navbar-inverse .navbar-nav > .active > a, .navbar-inverse .navbar-nav > .active > a:hover, .navbar-inverse .navbar-nav > .active > a:focus {
-  color: var(--pforeinverse); 
+  color: var(--pforeinverse);
   background-color:var(--pbackinverse); }
 .navbar-inverse .navbar-nav > .disabled > a, .navbar-inverse .navbar-nav > .disabled > a:hover, .navbar-inverse .navbar-nav > .disabled > a:focus {
   color: var(--stdborder);
@@ -3689,14 +3689,14 @@ tbody.collapse.in {
 .navbar-inverse .navbar-toggle:hover, .navbar-inverse .navbar-toggle:focus {
   background-color: var(--navbarinverse); }
 .navbar-inverse .navbar-toggle .icon-bar {
-  background-color: var(--pbackinverse); 
+  background-color: var(--pbackinverse);
 }
 .navbar-inverse .navbar-collapse,
 .navbar-inverse .navbar-form {
   border-color: var(--stdborderinverse); }
 .navbar-inverse .navbar-nav > .open > a, .navbar-inverse .navbar-nav > .open > a:hover, .navbar-inverse .navbar-nav > .open > a:focus {
   background-color:var(--pbackinverse);
-  color: var(--pforeinverse); 
+  color: var(--pforeinverse);
 }
 @media (max-width: 767px) {
   .navbar-inverse .navbar-nav .open .dropdown-menu > .dropdown-header {
@@ -3709,11 +3709,11 @@ tbody.collapse.in {
     color: var(--pforeinverse);
   }
   .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > li > a:focus {
-    color: var(--pforeinverse); 
+    color: var(--pforeinverse);
     background-color: transparent;
   }
   .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .active > a:focus {
-    color: var(--pforeinverse); 
+    color: var(--pforeinverse);
     background-color:var(--pbackinverse);
   }
   .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:hover, .navbar-inverse .navbar-nav .open .dropdown-menu > .disabled > a:focus {
@@ -3724,12 +3724,12 @@ tbody.collapse.in {
 .navbar-inverse .navbar-link {
   color: var(--pforeinverse); }
 .navbar-inverse .navbar-link:hover {
-  color: var(--pforeinversehover); 
+  color: var(--pforeinversehover);
 }
 .navbar-inverse .btn-link {
   color: var(--pforeinverse); }
 .navbar-inverse .btn-link:hover, .navbar-inverse .btn-link:focus {
-  color: var(--pforeinversehover); 
+  color: var(--pforeinversehover);
 }
 .navbar-inverse .btn-link[disabled]:hover, .navbar-inverse .btn-link[disabled]:focus, fieldset[disabled] .navbar-inverse .btn-link:hover, fieldset[disabled] .navbar-inverse .btn-link:focus {
   color: var(--pforemuted); }
@@ -3762,7 +3762,7 @@ tbody.collapse.in {
   line-height: 1.428571429;
   text-decoration: none;
   color: var(--primary);
-  background-color: var(--pback); 
+  background-color: var(--pback);
   border: 1px solid var(--sdbaractback);
   margin-left: -1px; }
 .pagination > li:first-child > a,
@@ -3785,7 +3785,7 @@ tbody.collapse.in {
 .pagination > .active > span:hover,
 .pagination > .active > span:focus {
   z-index: 2;
-  color: var(--pforeinverse); 
+  color: var(--pforeinverse);
   background-color: var(--primary);
   border-color: var(--primary);
   cursor: default; }
@@ -3796,7 +3796,7 @@ tbody.collapse.in {
 .pagination > .disabled > a:hover,
 .pagination > .disabled > a:focus {
   color: var(--pforemuted);
-  background-color: var(--pback); 
+  background-color: var(--pback);
   border-color: var(--sdbaractback);
   cursor: not-allowed; }
 .pagination-lg > li > a,
@@ -3839,7 +3839,7 @@ tbody.collapse.in {
 .pager li > span {
   display: inline-block;
   padding: 5px 14px;
-  background-color: var(--pback); 
+  background-color: var(--pback);
   border: 1px solid var(--sdbaractback);
   border-radius: 15px; }
 .pager li > a:hover,
@@ -3857,7 +3857,7 @@ tbody.collapse.in {
 .pager .disabled > a:focus,
 .pager .disabled > span {
   color: var(--pforemuted);
-  background-color: var(--pbackmuted); 
+  background-color: var(--pbackmuted);
   cursor: not-allowed; }
 .label {
   display: inline;
@@ -3865,7 +3865,7 @@ tbody.collapse.in {
   font-size: 75%;
   font-weight: bold;
   line-height: 1;
-  color: var(--pfore); 
+  color: var(--pfore);
   text-align: center;
   white-space: nowrap;
   vertical-align: baseline;
@@ -3876,7 +3876,7 @@ tbody.collapse.in {
   position: relative;
   top: -1px; }
 a.label:hover, a.label:focus {
-  color: var(--pforehover); 
+  color: var(--pforehover);
   text-decoration: none;
   cursor: pointer; }
 .label-default {
@@ -3928,12 +3928,12 @@ a.label:hover, a.label:focus {
   padding: 1px 5px; }
 a.list-group-item.active > .badge, .nav-pills > .active > a > .badge {
   color: var(--primary);
-  background-color: var(--pback); 
+  background-color: var(--pback);
 }
 .nav-pills > li > a > .badge {
   margin-left: 3px; }
 a.badge:hover, a.badge:focus {
-  color: var(--pforehover); 
+  color: var(--pforehover);
   text-decoration: none;
   cursor: pointer; }
 .jumbotron {
@@ -3974,7 +3974,7 @@ a.badge:hover, a.badge:focus {
   padding: 4px;
   margin-bottom: 20px;
   line-height: 1.428571429;
-  background-color: var(--pback); 
+  background-color: var(--pback);
   border: 1px solid var(--sdbaractback);
   border-radius: 3px;
   -webkit-transition: all 0.2s ease-in-out;
@@ -4001,7 +4001,7 @@ a.thumbnail.active {
   padding: 15px;
   margin-bottom: 20px;
   border: 2px solid transparent;
-  border-radius: 3px; 
+  border-radius: 3px;
   -webkit-box-shadow: inset 0 1px 0 var(--boxshadow), 0 1px 0 var(--boxshadow);
   box-shadow: inset 0 1px 0 var(--boxshadow), 0 1px 0 var(--boxshadow); }
 .alert h4 {
@@ -4175,10 +4175,10 @@ a.list-group-item .list-group-item-heading {
   color: var(--sdbarfore) !important; }
 a.list-group-item:hover, a.list-group-item:focus {
   color: var(--sdbarhoverfore);
-  background: var(--sdbarhoverback); 
+  background: var(--sdbarhoverback);
   text-decoration: none; }
 a.list-group-item:hover:before, a.list-group-item:focus:before {
-  background: var(--sdbarhoverback); 
+  background: var(--sdbarhoverback);
   content: "";
   height: 42px;
   left: 0;
@@ -4231,7 +4231,7 @@ a.list-group-item-success:hover, a.list-group-item-success:focus {
   color: var(--successhover);
   background-color: var(--pback); }
 a.list-group-item-success.active, a.list-group-item-success.active:hover, a.list-group-item-success.active:focus {
-  color: var(--pfore); 
+  color: var(--pfore);
   background-color: var(--success);
   border-color: var(--pfore); }
 .list-group-item-info {
@@ -4245,7 +4245,7 @@ a.list-group-item-info:hover, a.list-group-item-info:focus {
   color: var(--infohover);
   background-color: var(--pback); }
 a.list-group-item-info.active, a.list-group-item-info.active:hover, a.list-group-item-info.active:focus {
-  color: var(--pfore); 
+  color: var(--pfore);
   background-color: var(--info);
   border-color: var(--pfore); }
 .list-group-item-warning {
@@ -4259,7 +4259,7 @@ a.list-group-item-warning:hover, a.list-group-item-warning:focus {
   color: var(--warninghover);
   background-color: var(--pback); }
 a.list-group-item-warning.active, a.list-group-item-warning.active:hover, a.list-group-item-warning.active:focus {
-  color: var(--pfore); 
+  color: var(--pfore);
   background-color: var(--warning);
   border-color: var(--pfore); }
 .list-group-item-danger {
@@ -4273,7 +4273,7 @@ a.list-group-item-danger:hover, a.list-group-item-danger:focus {
   color: var(--dangerhover);
   background-color: var(--pback); }
 a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-group-item-danger.active:focus {
-  color: var(--pfore); 
+  color: var(--pfore);
   background-color: var(--danger);
   border-color: var(--pfore); }
 .list-group-item-heading {
@@ -4284,14 +4284,14 @@ a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-g
   line-height: 1.3; }
 .panel {
   margin-bottom: 20px;
-  background-color: var(--panelbody); 
+  background-color: var(--panelbody);
   border: 1px solid transparent;
   border-radius: 3px;
   -webkit-box-shadow: 0 1px 1px var(--boxshadow);
   box-shadow: 0 1px 1px var(--boxshadow); }
 .panel-body {
   color: var(--panelinfo);
-  padding: 15px; 
+  padding: 15px;
   background-color: var(--panelbody); }
 .panel-body:before, .panel-body:after {
   content: " ";
@@ -4302,7 +4302,7 @@ a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-g
   padding: 10px 15px;
   border-bottom: 1px solid transparent;
   border-top-right-radius: 2px;
-  border-top-left-radius: 2px; 
+  border-top-left-radius: 2px;
   background-color: var(--panelheading); }
 .panel-heading > .dropdown .dropdown-toggle {
   color: var(--panelheadingfore); }
@@ -4471,7 +4471,7 @@ a.list-group-item-danger.active, a.list-group-item-danger.active:hover, a.list-g
 .panel-primary {
   border-color: var(--stdborder); }
 .panel-primary > .panel-heading {
-  color: var(--panelheadingfore); 
+  color: var(--panelheadingfore);
   background-color: var(--panelheading);
   border-color: var(--stdborder); }
 .panel-primary > .panel-heading + .panel-collapse > .panel-body {
@@ -4663,7 +4663,7 @@ button.close {
 .modal-body {
   color: var(--bsbodyfore) !important;
   position: relative;
-  padding: 15px; 
+  padding: 15px;
   background-color: var(--bsbodyback); }
 .modal-footer {
   padding: 15px;
@@ -4734,7 +4734,7 @@ button.close {
 .tooltip-inner {
   max-width: 200px;
   padding: 3px 8px;
-  color: var(--pbackinverse); 
+  color: var(--pbackinverse);
   text-align: center;
   text-decoration: none;
   background-color: var(--pforeinverse);
@@ -4798,7 +4798,7 @@ button.close {
   max-width: 276px;
   padding: 1px;
   text-align: left;
-  background-color: var(--pback); 
+  background-color: var(--pback);
   background-clip: padding-box;
   border: 1px solid var(--stdborder);
   border-radius: 6px;
@@ -4850,7 +4850,7 @@ button.close {
   bottom: 1px;
   margin-left: -10px;
   border-bottom-width: 0;
-  border-top-color: var(--pback); 
+  border-top-color: var(--pback);
 }
 .popover.right > .arrow
 {
@@ -4866,7 +4866,7 @@ button.close {
   left: 1px;
   bottom: -10px;
   border-left-width: 0;
-  border-right-color: var(--stdborder); 
+  border-right-color: var(--stdborder);
 }
 .popover.bottom > .arrow
 {
@@ -4882,7 +4882,7 @@ button.close {
   top: 1px;
   margin-left: -10px;
   border-top-width: 0;
-  border-bottom-color: var(--stdborder); 
+  border-bottom-color: var(--stdborder);
 }
 .popover.left > .arrow
 {
@@ -4897,7 +4897,7 @@ button.close {
   content: " ";
   right: 1px;
   border-right-width: 0;
-  border-left-color: var(--stdborder); 
+  border-left-color: var(--stdborder);
   bottom: -10px; }
 .carousel {
   position: relative; }
@@ -4949,7 +4949,7 @@ button.close {
   opacity: 0.5;
   filter: alpha(opacity=50);
   font-size: 20px;
-  color: var(--pfore); 
+  color: var(--pfore);
   text-align: center;
   text-shadow: 0 1px 2px var(--rgb50); }
 .carousel-control.left {
@@ -4968,7 +4968,7 @@ button.close {
   filter: progid:DXImageTransform.Microsoft.gradient(startColorstr="#FFEF8026", endColorstr="#80000000", GradientType=1); }
 .carousel-control:hover, .carousel-control:focus {
   outline: 0;
-  color: var(--pforehover); 
+  color: var(--pforehover);
   text-decoration: none;
   opacity: 0.9;
   filter: alpha(opacity=90); }
@@ -5014,7 +5014,7 @@ button.close {
   height: 10px;
   margin: 1px;
   text-indent: -999px;
-  border: 1px solid var(--stdborder); 
+  border: 1px solid var(--stdborder);
   border-radius: 10px;
   cursor: pointer;
   background-color: var(--highlighted) \9 ;
@@ -5023,7 +5023,7 @@ button.close {
   margin: 0;
   width: 12px;
   height: 12px;
-  background-color: var(--pback); 
+  background-color: var(--pback);
 }
 
 .carousel-caption {
@@ -5034,7 +5034,7 @@ button.close {
   z-index: 10;
   padding-top: 20px;
   padding-bottom: 20px;
-  color: var(--pfore); 
+  color: var(--pfore);
   text-align: center;
   text-shadow: 0 1px 2px var(--rgb50); }
 .carousel-caption .btn {
@@ -5342,7 +5342,7 @@ html, body {
   font-family: "SourceSansProRegular";
   scrollbar-width: thin;
   scrollbar-color: var(--scbarcolor);
-  background-color: var(--pageback); 
+  background-color: var(--pageback);
 }
 
 body {
@@ -5350,7 +5350,7 @@ body {
   min-width: 320px; }
 .widget-sort-handle {
   touch-action: none; }
-  
+
 .widgetdiv .content-box-head {
   background: var(--sback) !important;
   color: var(--sfore) !important;
@@ -5359,15 +5359,15 @@ body {
   padding-right: 1px !important;
   padding-left: 5px !important;
   min-height: 25px !important; }
-  
+
 .widgetdiv .content-box-head .btn-group .btn {
   color: var(--sfore) !important;
   background: none;
   border: 1px solid var(--stdborder); }
-  
+
 .widgetdiv .content-box-head .btn-group .btn .glyphicon {
   color: var(--stdborder) !important; }
-  
+
 .widgetdiv .content-box-head .list-inline li > h3 {
   padding-top: 4px; }
 .page-head { /* Seite Kopf (Funktion nicht klar) */
@@ -5408,7 +5408,7 @@ body {
   min-height: calc(100% - 64px);
   padding: 15px 0 73px; }
 .page-side { /* Seitenleiste Hintergrundfarbe */
-  background: var(--pageback); 
+  background: var(--pageback);
   border-right: 1px solid var(--pageborder);
   border-top: 1px solid var(--pageborder);
   border-bottom: 1px solid var(--pageborder);
@@ -5433,11 +5433,11 @@ body {
   width: 100%;
   z-index: 2; }
 section.page-content-main div.tab-content { /* Umrandung Boxen */
-  border: 1px solid var(--pageborder) !important; 
+  border: 1px solid var(--pageborder) !important;
   border-radius: 4px;}
 
 .content-box {
-  background: var(--contentboxback); 
+  background: var(--contentboxback);
   border: 1px solid var(--stdborder);
   border-radius: 4px; }
 .content-box-main {
@@ -5502,7 +5502,7 @@ div.content-box.wizard div img {
   font-size: 12px; }
 .login-modal-container {
   color: var(--loginboxfore);
-  background: var(--loginboxback); 
+  background: var(--loginboxback);
   max-width: 400px;
   margin: 100px auto 15px auto;
   border: 1px solid var(--stdborder);
@@ -5630,7 +5630,7 @@ main.page-content.col-lg-12 {
 #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapsing, #navigation.col-sidebar-left > div > nav > #mainmenu > div > div.collapse.in > div.collapsing {
   display: none; }
 button.toggle-sidebar {
-  color: var(--pagefore); 
+  color: var(--pagefore);
   background-color: var(--pageback);
   font-size: 14px;
   border: none;
@@ -5646,11 +5646,11 @@ button.toggle-sidebar {
 ul.nav > li.dropdown > ul.dropdown-menu > li > a {
   padding: 3px 10px; }
  section.page-content-main ul + div.tab-content { /* Umrandung Tab-Navigation */
-  border: 1px solid var(--stdborderprimary) !important; 
+  border: 1px solid var(--stdborderprimary) !important;
   outline: 0;
   -webkit-box-shadow: (--btnshadow1), var(--btnshadow2);
   box-shadow: (--btnshadow1), var(--btnshadow2); }
-  
+
 .nav-tabs {
   margin-right: 1px;
   border-bottom: 1px solid transparent; }
@@ -5670,7 +5670,7 @@ ul.nav > li.dropdown > ul.dropdown-menu > li > a {
   margin-right: 0px; }
 .nav-tabs > li > a:hover,
 .nav-tabs > li > a:focus {
-  color: var(--navtabforehover); 
+  color: var(--navtabforehover);
   background: var(--navtabbackhover);
   border-right: 1px solid var(--navtabborderhover);
   border-top: 1px solid var(--navtabborderhover);
@@ -5684,13 +5684,13 @@ ul.nav > li.dropdown > ul.dropdown-menu > li > a {
 .nav-tabs > li.active > a:hover,
 .nav-tabs > li.active > a:focus {
   color: var(--navtabforeactive);
-  background: var(--navtabbackactive) !important; 
+  background: var(--navtabbackactive) !important;
   border-right: 1px solid var(--navtabborderactive);
   border-top: 1px solid var(--navtabborderactive);
   border-left: 1px solid var(--navtabborderactive);
-  border-bottom: 1px solid var(--navtabborderactive); 
-  border-radius: 0px; 
-  border-top-right-radius: 10px; 
+  border-bottom: 1px solid var(--navtabborderactive);
+  border-radius: 0px;
+  border-top-right-radius: 10px;
   outline: 0;
   -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
   box-shadow: var(--btnshadow1), var(--btnshadow2); }
@@ -5698,7 +5698,7 @@ ul.nav > li.dropdown > ul.dropdown-menu > li > a {
   background-color: var(--navtabbackactive);
   color: var(--navtabforeactive);
   border-right: 1px var(--navtabborderactive);
-  border-color: 1px var(--navtabborderactive); 
+  border-color: 1px var(--navtabborderactive);
   outline: 0;
   -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
   box-shadow: var(--btnshadow1), var(--btnshadow2);}
@@ -5706,7 +5706,7 @@ ul.nav > li.dropdown > ul.dropdown-menu > li > a {
 .nav-tabs > li > a.visible-lg-inline-block.pull-right {
   background-color: var(--navtabbackactive);
   color: var(--navtabforeactive);
-  border-color: 1px solid var(--navtabborderactive); 
+  border-color: 1px solid var(--navtabborderactive);
   outline: 0;
   -webkit-box-shadow: var(--btnshadow1), var(--btnshadow2);
   box-shadow: var(--btnshadow1), var(--btnshadow2);}
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css
index b87bbd9379..bcb38f9c6f 100644
--- a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css
@@ -8,7 +8,7 @@
   cursor: text;
   border-radius: 3px;
   border: 1px solid var(--txtboxborder);
-  background-color: var(--txtboxback); 
+  background-color: var(--txtboxback);
   color: var(--txtboxfore);
 }
 

From 4b8549f7dd399efce2df37aac6ea6d5b77eb54c1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Oct 2025 11:26:58 +0100
Subject: [PATCH 2709/3088] plugins: sync and wording in advanced theme

---
 LICENSE                      | 3 ++-
 README.md                    | 3 ++-
 misc/theme-advanced/Makefile | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/LICENSE b/LICENSE
index 97ae175c72..87aa831870 100644
--- a/LICENSE
+++ b/LICENSE
@@ -49,8 +49,9 @@ Copyright (c) 2021 Markus Peter <mpeter@one-it.de>
 Copyright (c) 2022 Markus Reiter <me@reitermark.us>
 Copyright (c) 2020 Martin Wasley
 Copyright (c) 2022 Marvo2011
+Copyright (c) 2025 Matthias Valvekens <dev@mvalvekens.be>
 Copyright (c) 2025 Maxime Thiebaut
-Copyright (c) 2017-2024 Michael Muenz <m.muenz@gmail.com>
+Copyright (c) 2017-2025 Michael Muenz <m.muenz@gmail.com>
 Copyright (c) 2024 Michał Brzeziński
 Copyright (c) 2024 Mike Shuey
 Copyright (c) 2023-2024 Mikhail Kharisov
diff --git a/README.md b/README.md
index 601479d90e..abfbea3e4e 100644
--- a/README.md
+++ b/README.md
@@ -42,8 +42,9 @@ emulators/qemu-guest-agent -- QEMU Guest Agent for OPNsense
 ftp/tftp -- TFTP server
 mail/postfix -- SMTP mail relay
 mail/rspamd -- Protect your network from spam
-misc/theme-advanced -- OPNsense theme based on AdvancedTomato GUI
+misc/theme-advanced -- Theme based on AdvancedTomato GUI
 misc/theme-cicada -- The cicada theme - dark grey onyx
+misc/theme-flexcolor -- Theme with 3 different color schemes: black as default, light and dark-light
 misc/theme-rebellion -- A suitably dark theme
 misc/theme-tukan -- The tukan theme - blue/white
 misc/theme-vicuna -- The vicuna theme - blue sapphire
diff --git a/misc/theme-advanced/Makefile b/misc/theme-advanced/Makefile
index 8c7f095291..2e92be9e10 100644
--- a/misc/theme-advanced/Makefile
+++ b/misc/theme-advanced/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		theme-advanced
 PLUGIN_VERSION=		1.1
-PLUGIN_COMMENT=		OPNsense theme based on AdvancedTomato GUI
+PLUGIN_COMMENT=		Theme based on AdvancedTomato GUI
 PLUGIN_MAINTAINER=	jacky@prahec.com
 PLUGIN_WWW=		https://prahec.com/
 PLUGIN_NO_ABI=		yes

From 5962dc7c1828e7303d26f145e83aac7456c066bd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Oct 2025 15:24:25 +0100
Subject: [PATCH 2710/3088] net/upnp: switch to mwexecf variants

PR: https://github.com/opnsense/core/issues/9325
---
 net/upnp/Makefile                                | 1 +
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index ea12da5524..1f5e023a75 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		upnp
 PLUGIN_VERSION=		1.7
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 6214f4ce0b..5a283d096f 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -75,15 +75,15 @@ function miniupnpd_start()
         return;
     }
 
-    mwexec_bg('/usr/local/sbin/miniupnpd -f /var/etc/miniupnpd.conf -P /var/run/miniupnpd.pid');
+    mwexecf_bg('/usr/local/sbin/miniupnpd -f %s -P %s', [ '/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid']);
 }
 
 function miniupnpd_stop()
 {
     killbypid('/var/run/miniupnpd.pid');
 
-    mwexec('/sbin/pfctl -aminiupnpd -Fr 2>&1 >/dev/null');
-    mwexec('/sbin/pfctl -aminiupnpd -Fn 2>&1 >/dev/null');
+    mwexecf('/sbin/pfctl -a miniupnpd -Fr');
+    mwexecf('/sbin/pfctl -a miniupnpd -Fn');
 }
 
 function miniupnpd_configure()

From 7ceccc441bea0ec966ea8e3b67e5c5148ff6b91e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Oct 2025 15:26:04 +0100
Subject: [PATCH 2711/3088] www/nginx: use mwexecf

PR: https://github.com/opnsense/core/issues/9325
---
 www/nginx/Makefile                                     | 2 +-
 www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 7586338550..59e1f9511f 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.35
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
index 7a4ee048e8..93bfab68bc 100755
--- a/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
+++ b/www/nginx/src/opnsense/scripts/nginx/ngx_autoblock.php
@@ -216,7 +216,7 @@ function cleanup_work_files($work_files)
 
 // Triggering TLS-handshake processor when corresponding work file exists.
 if (in_array(TLS_HANDSHAKE_FILE_WORK, $work_files)) {
-    mwexec(TLS_HANDSHAKE_PROCESSING_TASK);
+    mwexecf(TLS_HANDSHAKE_PROCESSING_TASK);
 }
 
 // Abort if permanent ban file is missing

From 3af63008f945479f3be3a3a4be6c39c0aff32617 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Oct 2025 15:27:51 +0100
Subject: [PATCH 2712/3088] net/igmp-proxy: use mwexecf and file_safe

PR: https://github.com/opnsense/core/issues/9325
---
 net/igmp-proxy/Makefile                                | 2 +-
 net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/igmp-proxy/Makefile b/net/igmp-proxy/Makefile
index 5c83bdf7e3..7aca81748e 100644
--- a/net/igmp-proxy/Makefile
+++ b/net/igmp-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		igmp-proxy
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_DEPENDS=		igmpproxy
 PLUGIN_COMMENT=		IGMP-Proxy Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
index 246ca5e0f8..87f9f556d5 100644
--- a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
+++ b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
@@ -109,8 +109,8 @@ EOD;
     }
     $igmpconf .= "\n";
 
-    file_put_contents('/usr/local/etc/igmpproxy.conf', $igmpconf);
-    mwexec('/usr/local/etc/rc.d/igmpproxy onestart');
+    file_safe('/usr/local/etc/igmpproxy.conf', $igmpconf);
+    mwexecf('/usr/local/etc/rc.d/igmpproxy onestart');
 
     service_log("done.\n", $verbose);
 }

From ad06910687496e0951832d9965d41b4280e466b3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Oct 2025 15:37:39 +0100
Subject: [PATCH 2713/3088] security/acme-client: use mwexec/file_safe

Although technically we shouldn't from classes inside MVC but it is what
it is.

PR: https://github.com/opnsense/core/issues/9325
---
 security/acme-client/Makefile                       |  1 +
 .../AcmeClient/LeValidation/HttpOpnsense.php        | 13 ++++++-------
 .../AcmeClient/LeValidation/TlsalpnAcme.php         | 13 ++++++-------
 3 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index a81e74fb70..711735a66b 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		4.10
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 12ab4ba56c..8670eb96c8 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -126,18 +126,17 @@ public function prepare()
 
         // Create temporary port forward to allow acme challenges to get through
         $anchor_setup = "rdr-anchor \"acme-client\"\n";
-        file_put_contents("{$configdir}/acme_anchor_setup", $anchor_setup);
-        chmod("{$configdir}/acme_anchor_setup", 0600);
-        mwexec("/sbin/pfctl -f {$configdir}/acme_anchor_setup");
-        file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules);
-        chmod("{$configdir}/acme_anchor_rules", 0600);
-        mwexec("/sbin/pfctl -a acme-client -f {$configdir}/acme_anchor_rules");
+        // XXX Should not be using util.inc from here
+        file_safe("{$configdir}/acme_anchor_setup", $anchor_setup, 0600);
+        mwexecf('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
+        file_safe("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
+        mwexecf('/sbin/pfctl -a %s -f %s', ['acme-client', "{$configdir}/acme_anchor_rules"]);
     }
 
     public function cleanup()
     {
         // Flush OPNsense port forward rules.
-        mwexec('/sbin/pfctl -a acme-client -F all');
+        mwexecf('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);
 
         // Workaround to solve disconnection issues reported by some users.
         $backend = new \OPNsense\Core\Backend();
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index 03a4f9d763..068adc8235 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -127,18 +127,17 @@ public function prepare()
 
         // Create temporary port forward to allow acme challenges to get through
         $anchor_setup = "rdr-anchor \"acme-client\"\n";
-        file_put_contents("{$configdir}/acme_anchor_setup", $anchor_setup);
-        chmod("{$configdir}/acme_anchor_setup", 0600);
-        mwexec("/sbin/pfctl -f {$configdir}/acme_anchor_setup");
-        file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules);
-        chmod("{$configdir}/acme_anchor_rules", 0600);
-        mwexec("/sbin/pfctl -a acme-client -f {$configdir}/acme_anchor_rules");
+        // XXX Should not be using util.inc from here
+        file_safe("{$configdir}/acme_anchor_setup", $anchor_setup, 0600);
+        mwexecf('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
+        file_safe("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
+        mwexecf("/sbin/pfctl -a %s -f %s", ['acme-client', "{$configdir}/acme_anchor_rules"]);
     }
 
     public function cleanup()
     {
         // Flush OPNsense port forward rules.
-        mwexec('/sbin/pfctl -a acme-client -F all');
+        mwexecf('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);
 
         // Workaround to solve disconnection issues reported by some users.
         $backend = new \OPNsense\Core\Backend();

From d2940eb8af510f6125677e31b1b2bd460e7d301a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Oct 2025 16:07:25 +0100
Subject: [PATCH 2714/3088] dns/rfc2136: mwexecf_bg, exec_safe and file_safe

PR: https://github.com/opnsense/core/issues/9325
---
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index bf346cd29b..55c84297ab 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -198,16 +198,15 @@ function rfc2136_configure_do($verbose = false, $int = null, $updatehost = '', $
         $upinst .= "\n";  /* mind that trailing newline! */
 
         if ($need_update) {
-            @file_put_contents("/var/etc/nsupdatecmds{$i}", $upinst);
-            unset($upinst);
-            /* invoke nsupdate */
-            $cmd = "/usr/local/bin/nsupdate -k {$keyfile}";
+            $cmds = "/var/etc/nsupdatecmds{$i}";
+            file_safe($cmds, $upinst);
+            $args = [];
+            $args[] = exec_safe('-k %s', $keyfile);
             if (isset($dnsupdate['usetcp'])) {
-                $cmd .= " -v";
+                $args[] = '-v';
             }
-            $cmd .= " /var/etc/nsupdatecmds{$i}";
-            mwexec_bg($cmd);
-            unset($cmd);
+            $args[] = exec_safe('%s', $cmds);
+            mwexecf_bg('/usr/local/bin/nsupdate ' . join(' ', $args));
         }
     }
 

From f69ae0ecd96ce164a58bfc927992b99bdbd2c508 Mon Sep 17 00:00:00 2001
From: Self-Hosting-Group
 <155233284+Self-Hosting-Group@users.noreply.github.com>
Date: Wed, 29 Oct 2025 10:05:50 +0100
Subject: [PATCH 2715/3088] net/upnp: Service improvements (#4629)

---
 net/upnp/Makefile                             |   5 +-
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   |  23 +--
 .../mvc/app/models/OPNsense/UPnP/ACL/ACL.xml  |   4 +-
 .../app/models/OPNsense/UPnP/Menu/Menu.xml    |   6 +-
 net/upnp/src/www/services_upnp.php            | 140 ++++++++++--------
 net/upnp/src/www/status_upnp.php              |  28 ++--
 6 files changed, 117 insertions(+), 89 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 1f5e023a75..4c5c4109b4 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,8 +1,7 @@
 PLUGIN_NAME=		upnp
-PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.8
 PLUGIN_DEPENDS=		miniupnpd
-PLUGIN_COMMENT=		Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
+PLUGIN_COMMENT=		UPnP IGD & PCP/NAT-PMP Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 5a283d096f..d27bcd751d 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -55,7 +55,7 @@ function miniupnpd_services()
 
     $pconfig = [];
     $pconfig['name'] = 'miniupnpd';
-    $pconfig['description'] = gettext('Universal Plug and Play');
+    $pconfig['description'] = gettext('UPnP IGD & PCP/NAT-PMP');
     $pconfig['php']['restart'] = ['miniupnpd_stop', 'miniupnpd_start'];
     $pconfig['php']['start'] = ['miniupnpd_start'];
     $pconfig['php']['stop'] = ['miniupnpd_stop'];
@@ -131,7 +131,7 @@ function miniupnpd_configure_do($verbose = false)
         return;
     }
 
-    service_log('Starting UPnP service...', $verbose);
+    service_log('Starting UPnP IGD & PCP/NAT-PMP service...', $verbose);
 
     $upnp_config = $config['installedpackages']['miniupnpd']['config'][0];
 
@@ -142,7 +142,7 @@ function miniupnpd_configure_do($verbose = false)
     }
 
     $config_text = "ext_ifname={$ext_ifname}\n";
-    $config_text .= "port=2189\n";
+    $config_text .= "http_port=2189\n";
 
     $ifaces_active = '';
 
@@ -198,7 +198,13 @@ function miniupnpd_configure_do($verbose = false)
                 $config_text .= "bitrate_up={$upload}\n";
             }
 
-            $config_text .= "secure_mode=yes\n";
+            if (!empty($upnp_config['allow_third_party_mapping'])) {
+                $config_text .= "secure_mode=no\n";
+                $config_text .= "pcp_allow_thirdparty=yes\n";
+            } else {
+                $config_text .= "secure_mode=yes\n";
+                $config_text .= "pcp_allow_thirdparty=no\n";
+            }
 
             /* enable logging of packets handled by miniupnpd rules */
             if (!empty($upnp_config['logpackets'])) {
@@ -234,17 +240,16 @@ function miniupnpd_configure_do($verbose = false)
             }
 
             if (!empty($upnp_config['permdefault'])) {
-                $config_text .= "deny 0-65535 0.0.0.0/0 0-65535\n";
+                $config_text .= "deny 1-65535 0.0.0.0/0 1-65535\n";
             }
 
             /* Allow UPnP IGD or PCP/NAT-PMP as requested */
             $config_text .= "enable_upnp="   . ( $upnp_config['enable_upnp']   ? "yes\n" : "no\n" );
             $config_text .= "enable_pcp_pmp=" . ( $upnp_config['enable_natpmp'] ? "yes\n" : "no\n" );
 
-            /* configure lifetimes to force periodic expire */
-            $config_text .= "clean_ruleset_interval=600\n";
-            $config_text .= "min_lifetime=120\n";
-            $config_text .= "max_lifetime=86400\n";
+            # When building with IGDv2, infinite (IGDv1 only) lease time port maps are reduced to 7d
+            # following the IGDv2 standard. Disabling it at runtime allows IGDv2 incompatible clients
+            $config_text .= "force_igd_desc_v1=yes\n";
 
             /* write out the configuration */
             file_put_contents('/var/etc/miniupnpd.conf', $config_text);
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
index cc93dde4ad..6d4d755982 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
@@ -1,12 +1,12 @@
 <acl>
     <page-service-upnp>
-        <name>Service: Universal Plug and Play</name>
+        <name>Services: UPnP IGD &amp; PCP</name>
         <patterns>
             <pattern>services_upnp.php*</pattern>
         </patterns>
     </page-service-upnp>
     <page-status-upnpstatus>
-        <name>Status: Universal Plug and Play</name>
+        <name>Services: UPnP IGD &amp; PCP: Active Port Maps</name>
         <patterns>
             <pattern>status_upnp.php*</pattern>
         </patterns>
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
index 0dfae6b0f3..27ffe16182 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
@@ -1,10 +1,10 @@
 <menu>
     <Services>
-        <UPnP VisibleName="Universal Plug and Play" cssClass="fa fa-plug fa-fw">
-            <Settings url="/services_upnp.php">
+        <UPnP VisibleName="UPnP IGD &amp; PCP" cssClass="fa fa-plug fa-fw">
+            <Settings order="10" url="/services_upnp.php">
                 <Edit url="/services_upnp.php?*" visibility="hidden"/>
             </Settings>
-            <Status url="/status_upnp.php"/>
+            <ActivePortMaps VisibleName="Active Port Maps" order="20" url="/status_upnp.php"/>
         </UPnP>
     </Services>
 </menu>
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index d3a5897d88..adec811166 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -69,6 +69,7 @@ function miniupnpd_validate_port($port)
     $pconfig = [];
 
     $copy_fields = [
+        'allow_third_party_mapping',
         'download',
         'enable',
         'enable_natpmp',
@@ -174,7 +175,7 @@ function miniupnpd_validate_port($port)
         // save form data
         $upnp = [];
         // boolean types
-        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault'] as $fieldname) {
+        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault', 'allow_third_party_mapping'] as $fieldname) {
             $upnp[$fieldname] = !empty($pconfig[$fieldname]);
         }
         // numeric types
@@ -193,7 +194,7 @@ function miniupnpd_validate_port($port)
         // sync to config
         $config['installedpackages']['miniupnpd']['config'] = $upnp;
 
-        write_config('Modified Universal Plug and Play settings');
+        write_config('Modified UPnP IGD & PCP settings');
         miniupnpd_configure_do();
         filter_configure();
         header(url_safe('Location: /services_upnp.php'));
@@ -219,9 +220,7 @@ function miniupnpd_validate_port($port)
                 <table class="table table-striped opnsense_standard_table_form">
                   <thead>
                     <tr>
-                      <td style="width:22%">
-                        <strong><?=gettext("UPnP IGD & PCP/NAT-PMP Settings");?></strong>
-                      </td>
+                      <th style="width:22%"><?=gettext("Service Setup");?></th>
                       <td style="width:78%; text-align:right">
                         <small><?=gettext("full help"); ?> </small>
                         <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
@@ -231,11 +230,11 @@ function miniupnpd_validate_port($port)
                   </thead>
                   <tbody>
                     <tr>
-                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle text-muted"></i></a> <?=gettext("Enable");?></td>
+                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable");?></td>
                       <td>
                        <input name="enable" type="checkbox" value="yes" <?=!empty($pconfig['enable']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable">
-                         <?=gettext("Enable autonomous port mapping service.");?>
+                         <?=gettext("Start the autonomous port mapping service.");?>
                        </div>
                       </td>
                     </tr>
@@ -253,7 +252,7 @@ function miniupnpd_validate_port($port)
                       <td>
                        <input name="enable_natpmp" type="checkbox" value="yes" <?=!empty($pconfig['enable_natpmp']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable_natpmp">
-                         <?=gettext("This protocol is often used by Apple-compatible systems.");?>
+                         <?=gettext("These protocols are often used by Apple-compatible systems.");?>
                        </div>
                       </td>
                     </tr>
@@ -270,12 +269,12 @@ function miniupnpd_validate_port($port)
                         endforeach;?>
                        </select>
                        <div class="hidden" data-for="help_for_ext_iface">
-                         <?=gettext("Select only your primary WAN interface (interface with your default route). Only one interface is allowed here, not multiple.");?>
+                         <?=gettext("The WAN network interface containing the default gateway.");?>
                        </div>
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_iface_array" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interfaces (generally LAN)");?></td>
+                      <td><a id="help_for_iface_array" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Internal interfaces");?></td>
                       <td>
                        <select class="selectpicker" name="iface_array[]" multiple="multiple">
                          <option value="lo0" <?=!empty($pconfig['iface_array']) && in_array('lo0', $pconfig['iface_array']) ? "selected=\"selected\"" : "";?>>
@@ -289,92 +288,105 @@ function miniupnpd_validate_port($port)
 <?php
                         endforeach;?>
                        </select>
-                       <div class="hidden" data-for="help_for_ext_iface">
-                         <?=gettext("You can select multiple interfaces here.");?>
+                       <div class="hidden" data-for="help_for_iface_array">
+                         <?=gettext("Select one or more internal network interfaces, such as LAN, where clients reside.");?>
                        </div>
                       </td>
                     </tr>
+                  </tbody>
+                </table>
+              </div>
+            </div>
+          </section>
+          <section class="col-xs-12">
+            <div class="content-box">
+              <div class="table-responsive">
+                <table class="table table-striped opnsense_standard_table_form">
+                  <thead>
                     <tr>
-                      <td><a id="help_for_overridesubnet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interface subnet override");?></td>
-                      <td>
-                        <select name="overridesubnet" class="selectpicker" id="overridesubnet">
-                          <option value="" <?= empty($pconfig['overridesubnet']) ? 'selected="selected"' : '' ?>><?= gettext('default') ?></option>
-<?php for ($i = 32; $i >= 1; $i--): ?>
-                          <option value="<?= $i ?>" <?=!empty($pconfig['overridesubnet']) && $pconfig['overridesubnet'] == $i ? 'selected="selected"' : '' ?>><?= $i ?></option>
-<?php endfor ?>
-                        </select>
-                        <div class="hidden" data-for="help_for_overridesubnet">
-                          <?=gettext("You can override a single LAN interface subnet here. Useful if you are rebroadcasting service traffic across networks.");?>
-                        </div>
-                      </td>
+                      <th style="width:22%"><?=gettext("Advanced Settings")?></th>
+                      <th style="width:78%"></th>
                     </tr>
+                  </thead>
+                  <tbody>
                     <tr>
                       <td><a id="help_for_stun_host" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('STUN server') ?></td>
                       <td>
                         <input name="stun_host" type="text" value="<?= !empty($pconfig['stun_host']) ? $pconfig['stun_host'] : '' ?>" />
                         <div class="hidden" data-for="help_for_stun_host">
-                          <?= gettext('STUN server used to predict external WAN IP.') ?>
+                          <?= gettext('Allow use of unrestricted endpoint-independent (1:1) CGNATs and detect the public IPv4.')?><br/><?= gettext('E.g. stun.3cx.com or stun.counterpath.com')?>
                         </div>
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_stun_port" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('STUN port') ?></td>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('STUN port') ?></td>
                       <td>
                         <input name="stun_port" type="text" placeholder="3478" value="<?= !empty($pconfig['stun_port']) ? $pconfig['stun_port'] : ''  ?>" />
-                        <div class="hidden" data-for="help_for_stun_port">
-                          <?= gettext('STUN port used to predict external WAN IP.') ?>
-                        </div>
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_download" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum Download Speed");?></td>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Override external IPv4");?></td>
                       <td>
-                        <input name="download" type="text" value="<?=$pconfig['download'];?>" />
-                        <div class="hidden" data-for="help_for_download">
-                          <?=gettext("(Kbits/second)");?>
-                        </div>
+                        <input name="overridewanip" type="text" value="<?=$pconfig['overridewanip'];?>" />
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_upload" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum Upload Speed");?></td>
+                      <td><a id="help_for_overridesubnet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Internal interface IPv4 subnet override");?></td>
                       <td>
-                        <input name="upload" type="text" value="<?=$pconfig['upload'];?>" />
-                        <div class="hidden" data-for="help_for_upload">
-                          <?=gettext("(Kbits/second)");?>
+                        <select name="overridesubnet" class="selectpicker" id="overridesubnet">
+                          <option value="" <?= empty($pconfig['overridesubnet']) ? 'selected="selected"' : '' ?>><?= gettext('default') ?></option>
+<?php for ($i = 32; $i >= 1; $i--): ?>
+                          <option value="<?= $i ?>" <?=!empty($pconfig['overridesubnet']) && $pconfig['overridesubnet'] == $i ? 'selected="selected"' : '' ?>><?= $i ?></option>
+<?php endfor ?>
+                        </select>
+                        <div class="hidden" data-for="help_for_overridesubnet">
+                          <?=gettext("You can override a single LAN interface subnet here. Useful if you are rebroadcasting service traffic across networks.");?>
                         </div>
                       </td>
                     </tr>
                     <tr>
-                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Override WAN address");?></td>
+                      <td><a id="help_for_allow_third_party_mapping" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow third-party mapping");?></td>
                       <td>
-                        <input name="overridewanip" type="text" value="<?=$pconfig['overridewanip'];?>" />
+                        <input name="allow_third_party_mapping" type="checkbox" value="yes" <?=!empty($pconfig['allow_third_party_mapping']) ? "checked=\"checked\"" : ""; ?> />
+                        <div class="hidden" data-for="help_for_allow_third_party_mapping">
+                          <?=gettext("Allow adding port maps for non-requesting IP addresses.");?>
+                        </div>
                       </td>
                     </tr>
+                    <!-- <tr>
+                      <td><a id="help_for_sysuptime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Report system uptime");?></td>
+                      <td>
+                       <input name="sysuptime" type="checkbox" value="yes" <?=!empty($pconfig['sysuptime']) ? "checked=\"checked\"" : ""; ?> />
+                       <div class="hidden" data-for="help_for_sysuptime">
+                         <?=gettext("Report system instead of service uptime.");?>
+                       </div>
+                      </td>
+                    --> </tr>
                     <tr>
-                      <td><a id="help_for_logpackets" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Log packets");?></td>
+                      <td><a id="help_for_logpackets" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Firewall logs");?></td>
                       <td>
                        <input name="logpackets" type="checkbox" value="yes" <?=!empty($pconfig['logpackets']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_logpackets">
-                         <?=gettext("Log packets handled by service rules?");?>
+                         <?=gettext("Log mapped connections.");?>
                        </div>
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_sysuptime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Use system time");?></td>
+                      <td><a id="help_for_download" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Download speed");?></td>
                       <td>
-                       <input name="sysuptime" type="checkbox" value="yes" <?=!empty($pconfig['sysuptime']) ? "checked=\"checked\"" : ""; ?> />
-                       <div class="hidden" data-for="help_for_sysuptime">
-                         <?=gettext("Use system uptime instead of service uptime?");?>
-                       </div>
+                        <input name="download" type="text" placeholder="<?=gettext('Default interface link speed');?>" value="<?=$pconfig['download'];?>" />
+                        <div class="hidden" data-for="help_for_download">
+                          <?=gettext("Report maximum connection speed in kbit/s.");?>
+                        </div>
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_permdefault" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Default deny");?></td>
+                      <td><a id="help_for_upload" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Upload speed");?></td>
                       <td>
-                       <input name="permdefault" type="checkbox" value="yes" <?=!empty($pconfig['permdefault']) ? "checked=\"checked\"" : ""; ?> />
-                       <div class="hidden" data-for="help_for_permdefault">
-                         <?=gettext("By default deny access to service?");?>
-                       </div>
+                        <input name="upload" type="text" placeholder="<?=gettext('Default interface link speed');?>" value="<?=$pconfig['upload'];?>" />
+                        <div class="hidden" data-for="help_for_upload">
+                          <?=gettext("Report maximum connection speed in kbit/s.");?>
+                        </div>
                       </td>
                     </tr>
                   </tbody>
@@ -388,32 +400,42 @@ function miniupnpd_validate_port($port)
                 <table class="table table-striped opnsense_standard_table_form">
                   <thead>
                     <tr>
-                      <th colspan="2"><?=gettext("User specified permissions");?></th>
+                      <th colspan="2"><?=gettext("Access Control List");?></th>
                     </tr>
                   </thead>
                   <tbody>
                     <tr>
-                      <td><a id="help_for_num_permuser" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Number of permissions");?></td>
+                      <td><a id="help_for_permdefault" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Default deny");?></td>
+                      <td>
+                       <input name="permdefault" type="checkbox" value="yes" <?=!empty($pconfig['permdefault']) ? "checked=\"checked\"" : ""; ?> />
+                       <div class="hidden" data-for="help_for_permdefault">
+                         <?=gettext("Deny access to service by default.");?>
+                       </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_num_permuser" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Number of entries");?></td>
                       <td>
                         <input name="num_permuser" type="text" value="<?= html_safe($pconfig['num_permuser']) ?>" />
                         <div class="hidden" data-for="help_for_num_permuser">
-                          <?=gettext("Number of permissions to configure.");?>
+                          <?=gettext("Number of ACL entries to configure.");?>
                         </div>
                       </td>
                     </tr>
 <?php foreach (miniupnpd_permuser_list() as $i => $permuser): ?>
                     <tr>
 <?php if ($i == 1): ?>
-                      <td style="width:22%"><a id="help_for_permuser" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Entry') . ' ' . $i ?></td>
+                      <td style="width:22%"><a id="help_for_permuser" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('ACL entry') . ' ' . $i ?></td>
 <?php else: ?>
-                      <td style="width:22%"><i class="fa fa-info-circle text-muted"></i> <?=gettext('Entry') . ' ' . $i ?></td>
+                      <td style="width:22%"><i class="fa fa-info-circle text-muted"></i> <?=gettext('ACL entry') . ' ' . $i ?></td>
 <?php endif ?>
                       <td style="width:78%">
                         <input name="<?= html_safe($permuser) ?>" type="text" value="<?= isset($pconfig[$permuser]) ? $pconfig[$permuser] : '' ?>" />
 <?php if ($i == 1): ?>
                         <div class="hidden" data-for="help_for_permuser">
-                          <?=gettext("Format: [allow or deny] [ext port or range] [int ipaddr or ipaddr/cidr] [int port or range]");?><br/>
-                          <?=gettext("Example: allow 1024-65535 192.168.0.0/24 1024-65535");?>
+                          <?=gettext("The ACL specifies which IP addresses and ports can be mapped. IPv6 is always accepted.");?><br/>
+                          <?=gettext("Format: (allow or deny) (ext port or range) (int IP or IP/netmask) (int port or range)");?><br/>
+                          <?=gettext("Example: allow 1024-65535 192.168.1.0/24 1024-65535");?>
                         </div>
 <?php endif ?>
                       </td>
diff --git a/net/upnp/src/www/status_upnp.php b/net/upnp/src/www/status_upnp.php
index 96ac60e80f..d52bcd0b7c 100644
--- a/net/upnp/src/www/status_upnp.php
+++ b/net/upnp/src/www/status_upnp.php
@@ -41,7 +41,7 @@
 }
 
 $rdr_entries = array();
-exec("/sbin/pfctl -aminiupnpd -sn", $rdr_entries, $pf_ret);
+exec("/sbin/pfctl -a miniupnpd -s nat -P", $rdr_entries, $pf_ret);
 
 $service_hook = 'miniupnpd';
 include("head.inc");
@@ -57,21 +57,21 @@
 <?php
           if (empty($config['installedpackages']['miniupnpd']['config'][0]['iface_array']) || empty($config['installedpackages']['miniupnpd']['config'][0]['enable'])): ?>
           <header class="content-box-head container-fluid">
-            <h3><?= gettext('UPnP is currently disabled.') ?></h3>
+            <h3><?= gettext('Service is currently disabled.') ?></h3>
           </header>
 <?php
           else: ?>
           <div class="table-responsive">
-            <table class="table table-striped table-condensed table-hover">
+            <table class="table table-striped table-hover">
               <thead>
                 <tr>
-                  <td><?=gettext("Ext. Port")?></td>
-                  <td><?=gettext("Internal IP")?></td>
-                  <td><?=gettext("Int. Port")?></td>
-                  <td><?=gettext("Protocol")?></td>
-                  <td><?=gettext("Source IP")?></td>
-                  <td><?=gettext("Source Port")?></td>
-                  <td><?=gettext("Description")?></td>
+                  <th><?=gettext("IP Address")?></th>
+                  <th><?=gettext("Port")?></th>
+                  <th><?=gettext("External Port")?></th>
+                  <th><?=gettext("Protocol")?></th>
+                  <th><?=gettext("Source IP")?></th>
+                  <th><?=gettext("Source Port")?></th>
+                  <th><?=gettext("Description")?></th>
                 </tr>
               </thead>
               <tbody>
@@ -82,9 +82,9 @@
                   }
               ?>
                 <tr>
-                  <td><?= html_safe($matches['extport']) ?></td>
                   <td><?= html_safe($matches['intaddr']) ?></td>
                   <td><?= html_safe($matches['intport']) ?></td>
+                  <td><?= html_safe($matches['extport']) ?></td>
                   <td><?= html_safe(strtoupper($matches['proto'])) ?></td>
                   <td><?= html_safe($matches['srcaddr']) ?></td>
                   <td><?= html_safe($matches['srcport'] ?: "any") ?></td>
@@ -97,8 +97,10 @@
                   <tr>
                     <td colspan="7">
                       <form method="post">
-                        <button type="submit" name="clear" id="clear" class="btn btn-primary" value="Clear"><?=gettext("Clear");?></button>
-                        <?=gettext("all currently connected sessions");?>.
+                        <button type="submit" name="clear" id="clear" class="btn btn-primary pull-right" value="Clear">
+                          <i class="fa fa-trash"></i>
+                          <?=gettext("Delete all port maps")?>
+                        </button>
                       </form>
                     </td>
                   </tr>

From b6db17f7b035f30a474c680d37370edb5513975c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Oct 2025 15:02:58 +0100
Subject: [PATCH 2716/3088] net/miniupnpd: small updates as discussed

---
 net/upnp/src/www/services_upnp.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index adec811166..6a88aa9f7f 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -314,7 +314,7 @@ function miniupnpd_validate_port($port)
                       <td>
                         <input name="stun_host" type="text" value="<?= !empty($pconfig['stun_host']) ? $pconfig['stun_host'] : '' ?>" />
                         <div class="hidden" data-for="help_for_stun_host">
-                          <?= gettext('Allow use of unrestricted endpoint-independent (1:1) CGNATs and detect the public IPv4.')?><br/><?= gettext('E.g. stun.3cx.com or stun.counterpath.com')?>
+                          <?= gettext('Allow use of unrestricted endpoint-independent (1:1) CGNATs and detect the public IPv4 using e.g. "stun.3cx.com" or "stun.counterpath.com".') ?>
                         </div>
                       </td>
                     </tr>
@@ -361,7 +361,7 @@ function miniupnpd_validate_port($port)
                          <?=gettext("Report system instead of service uptime.");?>
                        </div>
                       </td>
-                    --> </tr>
+                    </tr> -->
                     <tr>
                       <td><a id="help_for_logpackets" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Firewall logs");?></td>
                       <td>

From f658f82aa46df30f64074c468b717aebb9ce712b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 29 Oct 2025 16:40:48 +0100
Subject: [PATCH 2717/3088] net/upnp: suggestion from @Self-Hosting-Group

---
 net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml  | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
index 6d4d755982..98cadb6489 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
@@ -6,7 +6,7 @@
         </patterns>
     </page-service-upnp>
     <page-status-upnpstatus>
-        <name>Services: UPnP IGD &amp; PCP: Active Port Maps</name>
+        <name>Services: UPnP IGD &amp; PCP: Port Maps</name>
         <patterns>
             <pattern>status_upnp.php*</pattern>
         </patterns>
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
index 27ffe16182..ba129ede3e 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
@@ -4,7 +4,7 @@
             <Settings order="10" url="/services_upnp.php">
                 <Edit url="/services_upnp.php?*" visibility="hidden"/>
             </Settings>
-            <ActivePortMaps VisibleName="Active Port Maps" order="20" url="/status_upnp.php"/>
+            <PortMaps VisibleName="Port Maps" order="20" url="/status_upnp.php"/>
         </UPnP>
     </Services>
 </menu>

From 466c73a7b36aac7290bfe9797603ef2e66d52518 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 30 Oct 2025 12:46:30 +0100
Subject: [PATCH 2718/3088] net/upnp: suggestion from #4629

---
 net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
index 98cadb6489..df50ca093c 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
@@ -1,6 +1,6 @@
 <acl>
     <page-service-upnp>
-        <name>Services: UPnP IGD &amp; PCP</name>
+        <name>Services: UPnP IGD &amp; PCP: Settings</name>
         <patterns>
             <pattern>services_upnp.php*</pattern>
         </patterns>

From 1b489c0a68e4c432208a518e5fb5cb59c2096679 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 31 Oct 2025 11:21:40 +0100
Subject: [PATCH 2719/3088] net/frr: Add BFD configuration detect-multiplier,
 transmit-interval, receive-interval (#5000)

* net/frr: Add BFD configuration detect-multiplier, transmit-interval, receive-interval

* Hide in advanced mode
---
 .../Quagga/forms/dialogEditBFDNeighbor.xml    | 30 +++++++++++++++++++
 .../mvc/app/models/OPNsense/Quagga/BFD.xml    | 23 +++++++++++++-
 .../templates/OPNsense/Quagga/bfdd.conf       |  3 ++
 3 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
index fbaeabcd7d..c9bf3bfb3e 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
@@ -31,4 +31,34 @@
       <formatter>boolean</formatter>
     </grid_view>
   </field>
+  <field>
+    <id>neighbor.detect_multiplier</id>
+    <label>Detect multiplier</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Configures the detection multiplier to determine packet loss. The remote transmission interval will be multiplied by this value to determine the connection loss detection timer. The default value is 3.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
+  <field>
+    <id>neighbor.receive_interval</id>
+    <label>Receive interval</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Configures the minimum interval that this system is capable of receiving control packets. The default value is 300 milliseconds.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
+  <field>
+    <id>neighbor.transmit_interval</id>
+    <label>Transmit interval</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>The minimum transmission interval (less jitter) that this system wants to use to send BFD control packets. Defaults to 300ms.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
index 4986cc173b..962ff08e6b 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bfd</mount>
     <description>BFD configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
@@ -21,6 +21,27 @@
                     <Default>0</Default>
                     <Required>Y</Required>
                 </multihop>
+                <detect_multiplier type="IntegerField">
+                    <Default>3</Default>
+                    <Required>Y</Required>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>255</MaximumValue>
+                    <ValidationMessage>Value must be between 1 and 255.</ValidationMessage>
+                </detect_multiplier>
+                <receive_interval type="IntegerField">
+                    <Default>300</Default>
+                    <Required>Y</Required>
+                    <MinimumValue>10</MinimumValue>
+                    <MaximumValue>4294967</MaximumValue>
+                    <ValidationMessage>Value must be between 10 and 4294967.</ValidationMessage>
+                </receive_interval>
+                <transmit_interval type="IntegerField">
+                    <Default>300</Default>
+                    <Required>Y</Required>
+                    <MinimumValue>10</MinimumValue>
+                    <MaximumValue>4294967</MaximumValue>
+                    <ValidationMessage>Value must be between 10 and 4294967.</ValidationMessage>
+                </transmit_interval>
             </neighbor>
         </neighbors>
     </items>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
index e4e3d832c8..58db29a339 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
@@ -5,6 +5,9 @@ bfd
 {%     for neighbor in helpers.toList('OPNsense.quagga.bfd.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}
  peer {{ neighbor.address }} {% if neighbor.multihop|default('0') == '1' %}multihop{% endif +%}
+  detect-multiplier {{ neighbor.detect_multiplier }}
+  receive-interval {{ neighbor.receive_interval }}
+  transmit-interval {{ neighbor.transmit_interval }}
 {%       endif %}
 {%     endfor %}
 {%   endif %}

From f4b6ed6b802c598bdb918eda647cbf18fb9b2047 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 31 Oct 2025 21:58:34 +0100
Subject: [PATCH 2720/3088] net/ndp-proxy-go: Add initial plugin version
 (#4998)

---
 net/ndp-proxy-go/Makefile                     |  7 ++
 net/ndp-proxy-go/pkg-descr                    |  8 ++
 .../src/etc/inc/plugins.inc.d/ndpproxy.inc    | 66 ++++++++++++++++
 .../NdpProxy/Api/GeneralController.php        | 40 ++++++++++
 .../NdpProxy/Api/ServiceController.php        | 41 ++++++++++
 .../OPNsense/NdpProxy/GeneralController.php   | 42 ++++++++++
 .../OPNsense/NdpProxy/forms/general.xml       | 79 +++++++++++++++++++
 .../app/models/OPNsense/NdpProxy/ACL/ACL.xml  | 17 ++++
 .../models/OPNsense/NdpProxy/Menu/Menu.xml    |  8 ++
 .../app/models/OPNsense/NdpProxy/NdpProxy.php | 68 ++++++++++++++++
 .../app/models/OPNsense/NdpProxy/NdpProxy.xml | 41 ++++++++++
 .../app/views/OPNsense/NdpProxy/general.volt  | 49 ++++++++++++
 .../conf/actions.d/actions_ndpproxy.conf      | 24 ++++++
 .../templates/OPNsense/NdpProxy/+TARGETS      |  1 +
 .../templates/OPNsense/NdpProxy/ndp_proxy_go  | 38 +++++++++
 .../OPNsense/Syslog/local/ndpproxy.conf       |  6 ++
 16 files changed, 535 insertions(+)
 create mode 100644 net/ndp-proxy-go/Makefile
 create mode 100644 net/ndp-proxy-go/pkg-descr
 create mode 100644 net/ndp-proxy-go/src/etc/inc/plugins.inc.d/ndpproxy.inc
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/ServiceController.php
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/GeneralController.php
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/ACL/ACL.xml
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/Menu/Menu.xml
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.php
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
 create mode 100644 net/ndp-proxy-go/src/opnsense/service/conf/actions.d/actions_ndpproxy.conf
 create mode 100644 net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/+TARGETS
 create mode 100644 net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
 create mode 100644 net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/Syslog/local/ndpproxy.conf

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
new file mode 100644
index 0000000000..a1375b02b7
--- /dev/null
+++ b/net/ndp-proxy-go/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		ndp-proxy-go
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol Proxy
+PLUGIN_MAINTAINER=	cedrik@pischem.com
+PLUGIN_DEPENDS=		ndp-proxy-go
+
+.include "../../Mk/plugins.mk"
diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr
new file mode 100644
index 0000000000..458bfea7df
--- /dev/null
+++ b/net/ndp-proxy-go/pkg-descr
@@ -0,0 +1,8 @@
+IPv6 Neighbor Discovery (ND), Router Advertisement (RA) and Duplicate Address Detection (DAD) Proxy
+
+Plugin Changelog
+================
+
+0.1
+
+* Initial Release
diff --git a/net/ndp-proxy-go/src/etc/inc/plugins.inc.d/ndpproxy.inc b/net/ndp-proxy-go/src/etc/inc/plugins.inc.d/ndpproxy.inc
new file mode 100644
index 0000000000..52b0f5b251
--- /dev/null
+++ b/net/ndp-proxy-go/src/etc/inc/plugins.inc.d/ndpproxy.inc
@@ -0,0 +1,66 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Cedrik Pischem
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function ndpproxy_services()
+{
+    global $config;
+
+    $services = [];
+
+    if (
+        isset($config['OPNsense']['ndpproxy']['general']['enabled']) &&
+        $config['OPNsense']['ndpproxy']['general']['enabled'] == 1
+    ) {
+        $services[] = [
+            'description' => gettext('NDP Proxy'),
+            'configd' => [
+                'start' => ['ndpproxy start'],
+                'restart' => ['ndpproxy restart'],
+                'stop' => ['ndpproxy stop'],
+            ],
+            'name' => 'ndpproxy',
+            'pidfile' => '/var/run/ndp_proxy_go.pid'
+        ];
+    }
+
+    return $services;
+}
+
+function ndpproxy_xmlrpc_sync()
+{
+    $result = [];
+
+    $result[] = array(
+        'description' => gettext('NDP Proxy'),
+        'section' => 'OPNsense.ndpproxy',
+        'id' => 'ndpproxy',
+        'services' => ["ndpproxy"],
+    );
+
+    return $result;
+}
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
new file mode 100644
index 0000000000..34d1fb3fe5
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
@@ -0,0 +1,40 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\NdpProxy\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Config;
+
+class GeneralController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'ndpproxy';
+    protected static $internalModelClass = 'OPNsense\NdpProxy\NdpProxy';
+}
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/ServiceController.php b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/ServiceController.php
new file mode 100644
index 0000000000..1430b910ac
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/ServiceController.php
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\NdpProxy\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\NdpProxy\NdpProxy';
+    protected static $internalServiceTemplate = 'OPNsense/NdpProxy';
+    protected static $internalServiceEnabled = 'general.enabled';
+    protected static $internalServiceName = 'ndpproxy';
+}
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/GeneralController.php b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/GeneralController.php
new file mode 100644
index 0000000000..cb1038617f
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/GeneralController.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\NdpProxy;
+
+use OPNsense\Base\IndexController;
+
+class GeneralController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/NdpProxy/general');
+        $this->view->generalForm = $this->getForm("general");
+    }
+}
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
new file mode 100644
index 0000000000..1d8422d653
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
@@ -0,0 +1,79 @@
+<form>
+    <field>
+        <type>header</type>
+        <label>General Settings</label>
+    </field>
+    <field>
+        <id>ndpproxy.general.enabled</id>
+        <label>Enable</label>
+        <type>checkbox</type>
+        <help>Enable or disable this service.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Proxy Settings</label>
+    </field>
+    <field>
+        <id>ndpproxy.general.upstream</id>
+        <label>Upstream interface</label>
+        <type>dropdown</type>
+        <help>Choose the upstream interface which receives the external IPv6 prefix from the ISP. Usually, this is the WAN interface.</help>
+    </field>
+    <field>
+        <id>ndpproxy.general.downstream</id>
+        <label>Downstream interfaces</label>
+        <type>select_multiple</type>
+        <help>Choose one or multiple downstream interfaces which should proxy the upstream IPv6 prefix.</help>
+    </field>
+    <field>
+        <id>ndpproxy.general.ra</id>
+        <label>Proxy router advertisements</label>
+        <type>checkbox</type>
+        <help>Proxy upstream RAs to downstream interfaces. Disable this if you use your own RA daemon.</help>
+    </field>
+    <field>
+        <id>ndpproxy.general.routes</id>
+        <label>Install host routes</label>
+        <type>checkbox</type>
+        <help>Automatically create host routes for discovered clients. Disabling this means you must manually handle all routing decisions.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Performance Settings</label>
+        <collapse>true</collapse>
+    </field>
+    <field>
+        <id>ndpproxy.general.cache_ttl</id>
+        <label>Neighbor cache lifetime</label>
+        <type>text</type>
+        <hint>10</hint>
+        <help>Neighbor cache lifetime in minutes.</help>
+    </field>
+    <field>
+        <id>ndpproxy.general.cache_max</id>
+        <label>Maximum learned neighbors</label>
+        <type>text</type>
+        <hint>4096</hint>
+        <help>Maximum learned neighbors, increase for large networks.</help>
+    </field>
+    <field>
+        <id>ndpproxy.general.route_qps</id>
+        <label>Max route operations</label>
+        <type>text</type>
+        <hint>50</hint>
+        <help>Max route operations per second, increase for large networks.</help>
+    </field>
+    <field>
+        <id>ndpproxy.general.pcap_timeout</id>
+        <label>Packet capture timeout</label>
+        <type>text</type>
+        <hint>50</hint>
+        <help>Controls CPU usage vs. NDP responsiveness. Lower values (e.g., 25 ms) minimize latency during cache refresh at the cost of more CPU. Higher values (100–250 ms) reduce CPU use but may introduce small latency spikes.</help>
+    </field>
+    <field>
+        <id>ndpproxy.general.debug</id>
+        <label>Debug log</label>
+        <type>checkbox</type>
+        <help>Enable debug logging.</help>
+    </field>
+</form>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/ACL/ACL.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/ACL/ACL.xml
new file mode 100644
index 0000000000..b70514587e
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/ACL/ACL.xml
@@ -0,0 +1,17 @@
+<acl>
+    <page-ndp-proxy-general>
+        <name>Services: NDP Proxy: General Settings</name>
+        <description>Allow access to NDP Proxy General Settings</description>
+        <patterns>
+            <pattern>ui/ndpproxy/general/*</pattern>
+            <pattern>api/ndpproxy/general/*</pattern>
+        </patterns>
+    </page-ndp-proxy-general>
+    <page-ndp-proxy-log>
+        <name>Services: NDP Proxy: Log File</name>
+        <patterns>
+            <pattern>ui/diagnostics/log/core/ndpproxy/*</pattern>
+            <pattern>api/diagnostics/log/core/ndpproxy/*</pattern>
+        </patterns>
+    </page-ndp-proxy-log>
+</acl>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/Menu/Menu.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/Menu/Menu.xml
new file mode 100644
index 0000000000..7efc570587
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+    <Services>
+        <ndpproxy VisibleName="NDP Proxy" cssClass="fa fa-bullseye fa-fw">
+            <Settings order="10" url="/ui/ndpproxy/general"/>
+            <Log VisibleName="Log File" order="20" url="/ui/diagnostics/log/core/ndpproxy"/>
+        </ndpproxy>
+    </Services>
+</menu>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.php b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.php
new file mode 100644
index 0000000000..5831f6887a
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.php
@@ -0,0 +1,68 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Cedrik Pischem
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\NdpProxy;
+
+use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
+
+class NdpProxy extends BaseModel
+{
+    private function checkConfiguration($messages)
+    {
+        if ($this->general->enabled->isEqual('1')) {
+            foreach (['upstream', 'downstream'] as $field) {
+                if ($this->general->$field->isEmpty()) {
+                    $messages->appendMessage(new Message(
+                        gettext('Interface is required.'),
+                        "general.$field"
+                    ));
+                }
+            }
+
+            $upstream = $this->general->upstream->getValue();
+            $downstreamList = array_filter(explode(',', $this->general->downstream->getValue()));
+
+            if (!empty($upstream) && in_array($upstream, $downstreamList, true)) {
+                $messages->appendMessage(new Message(
+                    gettext('Downstream interfaces cannot contain upstream interface.'),
+                    'general.downstream'
+                ));
+            }
+        }
+    }
+
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+        $this->checkConfiguration($messages);
+        return $messages;
+    }
+}
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
new file mode 100644
index 0000000000..c9239abfc1
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
@@ -0,0 +1,41 @@
+<model>
+    <mount>//OPNsense/ndpproxy</mount>
+    <description>NDP Proxy model</description>
+    <version>0.2</version>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <upstream type="InterfaceField"/>
+            <downstream type="InterfaceField">
+                <Multiple>Y</Multiple>
+            </downstream>
+            <ra type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </ra>
+            <routes type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </routes>
+            <cache_ttl type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </cache_ttl>
+            <cache_max type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </cache_max>
+            <route_qps type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </route_qps>
+            <pcap_timeout type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </pcap_timeout>
+            <debug type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </debug>
+        </general>
+    </items>
+</model>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt b/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
new file mode 100644
index 0000000000..5601b92bd5
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
@@ -0,0 +1,49 @@
+{#
+ # Copyright (c) 2025 Cedrik Pischem
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $(document).ready(function() {
+        mapDataToFormUI({'frm_GeneralSettings': "/api/ndpproxy/general/get"}).done(function() {
+            $('.selectpicker').selectpicker('refresh');
+            updateServiceControlUI('ndpproxy');
+        });
+
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = $.Deferred();
+                saveFormToEndpoint("/api/ndpproxy/general/set", 'frm_GeneralSettings', dfObj.resolve, true, dfObj.reject);
+                return dfObj;
+            },
+        });
+
+    });
+</script>
+
+<div class="content-box __mb">
+    {{ partial("layout_partials/base_form", ['fields': generalForm, 'id': 'frm_GeneralSettings']) }}
+</div>
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/ndpproxy/service/reconfigure', 'data_service_widget': 'ndpproxy'}) }}
+
diff --git a/net/ndp-proxy-go/src/opnsense/service/conf/actions.d/actions_ndpproxy.conf b/net/ndp-proxy-go/src/opnsense/service/conf/actions.d/actions_ndpproxy.conf
new file mode 100644
index 0000000000..f5fcf8731d
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/service/conf/actions.d/actions_ndpproxy.conf
@@ -0,0 +1,24 @@
+[start]
+command:service ndp-proxy-go start
+parameters:
+type:script
+message:Starting NDP Proxy service
+
+[stop]
+command:service ndp-proxy-go stop
+parameters:
+type:script
+message:Stopping NDP Proxy service
+
+[restart]
+command:service ndp-proxy-go restart
+parameters:
+type:script
+message:Restarting NDP Proxy service
+description:Restart NDP Proxy service
+
+[status]
+command:service ndp-proxy-go status
+parameters:
+type:script_output
+message:Requesting NDP Proxy status
diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/+TARGETS b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/+TARGETS
new file mode 100644
index 0000000000..a75c8d5120
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/+TARGETS
@@ -0,0 +1 @@
+ndp_proxy_go:/etc/rc.conf.d/ndp_proxy_go
diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
new file mode 100644
index 0000000000..c75534e6a0
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
@@ -0,0 +1,38 @@
+# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
+{% set general = helpers.getNodeByTag('OPNsense.ndpproxy.general') %}
+{% if general.enabled|default("0") == "1" and general.upstream and general.downstream %}
+ndp_proxy_go_enable="YES"
+ndp_proxy_go_upstream="{{ helpers.physical_interface(general.upstream) }}"
+{%     set downstream_interfaces = [] %}
+{%     for interface in general.downstream.split(',') %}
+{%         do downstream_interfaces.append(helpers.physical_interface(interface)) %}
+{%     endfor %}
+ndp_proxy_go_downstream="{{ downstream_interfaces|join(' ') }}"
+{%     set flags = [] %}
+{%     if general.debug == "1" %}
+{%         do flags.append('--debug') %}
+{%     endif %}
+{%     if general.ra == "0" %}
+{%         do flags.append('--no-ra') %}
+{%     endif %}
+{%     if general.routes == "0" %}
+{%         do flags.append('--no-routes') %}
+{%     endif %}
+{%     if general.cache_ttl %}
+{%         do flags.append('--cache-ttl ' ~ general.cache_ttl ~ 'm') %}
+{%     endif %}
+{%     if general.cache_max %}
+{%         do flags.append('--cache-max ' ~ general.cache_max) %}
+{%     endif %}
+{%     if general.route_qps %}
+{%         do flags.append('--route-qps ' ~ general.route_qps) %}
+{%     endif %}
+{%     if general.pcap_timeout %}
+{%         do flags.append('--pcap-timeout ' ~ general.pcap_timeout ~ 'ms') %}
+{%     endif %}
+{%     if flags|length > 0 %}
+ndp_proxy_go_flags="{{ flags|join(' ') }}"
+{%     endif %}
+{% else %}
+ndp_proxy_go_enable="NO"
+{% endif %}
diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/Syslog/local/ndpproxy.conf b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/Syslog/local/ndpproxy.conf
new file mode 100644
index 0000000000..302335e1c9
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/Syslog/local/ndpproxy.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration [ndpproxy].
+###################################################################
+filter f_local_ndpproxy {
+    program("ndpproxy");
+};

From b4f54361f012d47d6c7bc35b8cf17c6d9bdf315a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 3 Nov 2025 14:06:16 +0100
Subject: [PATCH 2721/3088] README: sync

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index abfbea3e4e..65f1a8a1ad 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ net/google-cloud-sdk -- Google Cloud SDK
 net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
+net/ndp-proxy-go -- IPv6 Neighbor Discovery Protocol Proxy
 net/ndproxy -- Neighbor Discovery Proxy
 net/ntopng -- Traffic Analysis and Flow Collection
 net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport
@@ -67,7 +68,7 @@ net/sslh -- sslh configuration front-end
 net/tayga -- Tayga NAT64
 net/turnserver -- The coturn STUN/TURN Server
 net/udpbroadcastrelay -- Control udpbroadcastrelay processes
-net/upnp -- Universal Plug and Play (UPnP IGD & PCP/NAT-PMP) Service
+net/upnp -- UPnP IGD & PCP/NAT-PMP Service
 net/vnstat -- Network traffic monitor
 net/wol -- Wake on LAN Service
 net/zerotier -- Virtual Networks That Just Work

From 674f0a6fa5680dc6dad3761e8aed370d0cad29a2 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 3 Nov 2025 15:07:52 +0100
Subject: [PATCH 2722/3088] net/frr: BGP add bestpath route selection options
 (#5002)

---
 .../mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml |  7 +++++++
 .../opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml   | 11 +++++++++++
 .../service/templates/OPNsense/Quagga/bgpd.conf       |  5 +++++
 3 files changed, 23 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index f515a7b714..09288f2851 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -40,6 +40,13 @@
         <allownew>true</allownew>
         <help>Defines connected networks to be advertised over BGP. Disable Network Import-Check to announce all networks.</help>
     </field>
+    <field>
+        <id>bgp.bestpath</id>
+        <label>Bestpath</label>
+        <type>select_multiple</type>
+        <advanced>true</advanced>
+        <help>Route selection modifiers that influence the best path.</help>
+    </field>
     <field>
         <id>bgp.networkimportcheck</id>
         <label>Network Import-Check</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 2a7c33da92..a8df4dd41a 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -33,6 +33,17 @@
             <Required>Y</Required>
         </logneighborchanges>
         <networks type="CSVListField"/>
+        <bestpath type="OptionField">
+            <OptionValues>
+                <as_path_confed value="as-path confed">as-path confed</as_path_confed>
+                <as_path_multipath_relax value="as-path multipath-relax">as-path multipath-relax</as_path_multipath_relax>
+                <compare_routerid value="compare-routerid">compare-routerid</compare_routerid>
+                <peer_type_multipath_relax value="peer-type multipath-relax">peer-type multipath-relax</peer_type_multipath_relax>
+                <aigp>aigp</aigp>
+                <med_missing_as_worst value="med missing-as-worst">med missing-as-worst</med_missing_as_worst>
+            </OptionValues>
+            <Multiple>Y</Multiple>
+        </bestpath>
         <neighbors>
             <neighbor type="ArrayField">
                 <enabled type="BooleanField">
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 5f64a9bc39..2f30ec1b68 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -42,6 +42,11 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%   if helpers.exists('OPNsense.quagga.bgp.graceful') and OPNsense.quagga.bgp.graceful == '1' %}
  bgp graceful-restart
 {%   endif %}
+{%   if OPNsense.quagga.bgp.bestpath %}
+{%      for option in OPNsense.quagga.bgp.bestpath.split(',') %}
+ bgp bestpath {{ option }}
+{%      endfor %}
+{%   endif %}
 {%   if helpers.exists('OPNsense.quagga.bgp.routerid') and OPNsense.quagga.bgp.routerid != '' %}
  bgp router-id {{ OPNsense.quagga.bgp.routerid }}
 {%   endif %}

From 1ce75bdc5208b33538bb6854b754005f0c175b40 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 3 Nov 2025 15:08:31 +0100
Subject: [PATCH 2723/3088] net/frr: Allow disabling enforce_first_as, which is
 a new default in frr10 (#5001)

---
 .../mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml      | 7 +++++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml    | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf   | 3 +++
 3 files changed, 14 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index 09288f2851..5b1e02975a 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -54,6 +54,13 @@
         <advanced>true</advanced>
         <help>When enabled (default), BGP only announces networks set at 'Network' if they are present in the routers routing table (alternatively, you can also set a null-route via System -> Routes). If disabled, all configured networks will be announced.</help>
     </field>
+    <field>
+        <id>bgp.enforce_first_as</id>
+        <label>Enforce First AS</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Deny an update received from an external BGP (eBGP) peer that does not list its autonomous system number at the beginning of the AS_PATH in the incoming update.</help>
+    </field>
     <field>
         <id>bgp.logneighborchanges</id>
         <label>Log Neighbor Changes</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index a8df4dd41a..732e5aa16c 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -28,6 +28,10 @@
             <Default>1</Default>
             <Required>Y</Required>
         </networkimportcheck>
+        <enforce_first_as type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </enforce_first_as>
         <logneighborchanges type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 2f30ec1b68..140a66cf25 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -31,6 +31,9 @@
 router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%   if not helpers.empty('OPNsense.quagga.bgp.logneighborchanges') %}
  bgp log-neighbor-changes
+{%   endif %}
+{%   if OPNsense.quagga.bgp.enforce_first_as == '0' %}
+ no bgp enforce-first-as
 {%   endif %}
  no bgp default ipv4-unicast
  no bgp ebgp-requires-policy

From e03666d6143ad175f94ee67bed579f0ca9e44390 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 3 Nov 2025 15:08:45 +0100
Subject: [PATCH 2724/3088] net/frr: Bump version to 1.48 (#5003)

---
 net/frr/Makefile  | 3 +--
 net/frr/pkg-descr | 6 ++++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 2d077e7a10..d9a9d55962 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.47
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.48
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index c4bf9a4da1..6b0ed2ecb0 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,12 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.48
+
+* Add BFD detect-multiplier, transmit-interval, receive-interval (opnsense/plugins/pull/5000)
+* Add BGP enforce-first-as (opnsense/plugins/pull/5001)
+* Add BGP bestpath route selection options (opnsense/plugins/pull/5002)
+
 1.47
 
 * Add OSPF area configuration options (opnsense/plugins/pull/4880)

From 04585ada9eb2e3443097992be3c34c1b1feaf0b8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Nov 2025 14:16:26 +0100
Subject: [PATCH 2725/3088] net/ndp-proxy-go: minor adjustments

---
 net/ndp-proxy-go/Makefile                                      | 1 +
 net/ndp-proxy-go/pkg-descr                                     | 3 ++-
 .../src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt  | 1 -
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
index a1375b02b7..faf976743d 100644
--- a/net/ndp-proxy-go/Makefile
+++ b/net/ndp-proxy-go/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ndp-proxy-go
 PLUGIN_VERSION=		0.1
+PLUGIN_DEVEL=		yes
 PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 PLUGIN_DEPENDS=		ndp-proxy-go
diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr
index 458bfea7df..b4f289789c 100644
--- a/net/ndp-proxy-go/pkg-descr
+++ b/net/ndp-proxy-go/pkg-descr
@@ -1,4 +1,5 @@
-IPv6 Neighbor Discovery (ND), Router Advertisement (RA) and Duplicate Address Detection (DAD) Proxy
+IPv6 Neighbor Discovery (ND), Router Advertisement (RA) and Duplicate Address
+Detection (DAD) Proxy.
 
 Plugin Changelog
 ================
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt b/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
index 5601b92bd5..821abbedb4 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
@@ -46,4 +46,3 @@
     {{ partial("layout_partials/base_form", ['fields': generalForm, 'id': 'frm_GeneralSettings']) }}
 </div>
 {{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/ndpproxy/service/reconfigure', 'data_service_widget': 'ndpproxy'}) }}
-

From 1e8b6c8e0af9b5927e89f386954f65e9de6cd847 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Nov 2025 14:17:27 +0100
Subject: [PATCH 2726/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 65f1a8a1ad..a3b1593425 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ net/google-cloud-sdk -- Google Cloud SDK
 net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
-net/ndp-proxy-go -- IPv6 Neighbor Discovery Protocol Proxy
+net/ndp-proxy-go -- IPv6 Neighbor Discovery Protocol Proxy (development only)
 net/ndproxy -- Neighbor Discovery Proxy
 net/ntopng -- Traffic Analysis and Flow Collection
 net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport

From 370bc89493d2fc0584f1ecb940b5403f3040b967 Mon Sep 17 00:00:00 2001
From: Robert Resch <robert@resch.dev>
Date: Tue, 4 Nov 2025 14:28:39 +0100
Subject: [PATCH 2727/3088] net/freeradius: add fallback Tunnel-Password field
 (#4983)

---
 .../app/controllers/OPNsense/Freeradius/forms/general.xml | 7 +++++++
 .../mvc/app/models/OPNsense/Freeradius/General.xml        | 3 +++
 .../opnsense/service/templates/OPNsense/Freeradius/users  | 8 ++++++--
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
index 13272db6f0..98beb72d90 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
@@ -152,4 +152,11 @@
         <advanced>true</advanced>
         <help>Fallback for proxy server. Default disabled.</help>
     </field>
+    <field>
+        <id>general.fallback_tunnel_password</id>
+        <label>Fallback Tunnel password</label>
+        <type>password</type>
+        <advanced>true</advanced>
+        <help>Define the Fallback Tunnel-Password. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#=: with up to 128 characters.</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
index 790839e8cc..48a594e6b8 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
@@ -152,5 +152,8 @@
             <Default>0</Default>
             <Required>Y</Required>
         </fallbackproxy>
+        <fallback_tunnel_password type="TextField">
+            <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</mask>
+        </fallback_tunnel_password>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index dda33d3f3d..9603b713c4 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -113,12 +113,16 @@ DEFAULT Ldap-Group == "{{ ldapgroup_list.ldapgroupname }}"
 {%    endfor %}
 {%  endif %}
 
-{%  if helpers.exists('OPNsense.freeradius.general.fallbackvlan_enabled') and OPNsense.freeradius.general.fallbackvlan_enabled == '1' %}
-
+{%  if helpers.exists('OPNsense.freeradius.general.fallbackvlan_enabled') or helpers.exists('OPNsense.freeradius.general.fallback_tunnel_password') %}
 DEFAULT Auth-Type := Accept
+{%  if helpers.exists('OPNsense.freeradius.general.fallbackvlan_enabled') and OPNsense.freeradius.general.fallbackvlan_enabled == '1' %}
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = {{ OPNsense.freeradius.general.fallbackvlan_id }},
+{%  endif %}
+{%  if helpers.exists('OPNsense.freeradius.general.fallback_tunnel_password') %}
+       Tunnel-Password = {{ OPNsense.freeradius.general.fallback_tunnel_password }},
+{%  endif %}
        Framed-Protocol = PPP
 {%  endif %}
 {% endif %}

From 001fa57d90cc6535115c2304f1568928e3b2d725 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Nov 2025 14:31:00 +0100
Subject: [PATCH 2728/3088] net/freeradius: cleanups for next version

---
 net/freeradius/pkg-descr                      |  8 ++-----
 .../models/OPNsense/Freeradius/General.xml    |  2 +-
 .../app/models/OPNsense/Freeradius/Ldap.xml   |  2 +-
 .../app/models/OPNsense/Freeradius/Proxy.xml  | 23 +++++--------------
 .../app/models/OPNsense/Freeradius/User.xml   |  2 +-
 5 files changed, 11 insertions(+), 26 deletions(-)

diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 21116160b4..cfd09d34c6 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -9,18 +9,14 @@ needs of many Fortune-500 companies and Tier 1 ISPs.
 It is also widely used for Enterprise Wi-Fi and IEEE 802.1X network
 security, particularly in the academic community, including eduroam.
 
-The server is fast, feature-rich, modular, and scalable.
-
-WWW: https://www.freeradius.org
-
-
 Plugin Changelog
 ================
 
 1.9.28
 
 * Add Groups for VLAN assignment
-* Add Fallback PPSK
+* Add fallback PPSK (contributed by Tobias Perschon)
+* Add fallback Tunnel-Password field (contributed by Robert Resch)
 
 1.9.27
 
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
index 48a594e6b8..5e04541b4e 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
@@ -153,7 +153,7 @@
             <Required>Y</Required>
         </fallbackproxy>
         <fallback_tunnel_password type="TextField">
-            <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</mask>
+            <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</Mask>
         </fallback_tunnel_password>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
index a6165dd99b..67cffa256e 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Ldap.xml
@@ -18,7 +18,7 @@
         <server type="TextField">
             <Required>N</Required>
         </server>
-      <serverport type="TextField">
+        <serverport type="TextField">
             <Required>N</Required>
         </serverport>
         <ldapcert type="CertificateField">
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
index f5b7673619..8f25f7292e 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml
@@ -127,7 +127,7 @@
                     <Required>Y</Required>
                 </limit_idletimeout>
             </homeserver>
-         </homeservers>
+        </homeservers>
         <homeserverpools>
             <homeserverpool type="ArrayField">
                 <enabled type="BooleanField">
@@ -159,12 +159,9 @@
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid server addresses, i.e. radius.example.com, 10.0.0.2 or 10.0.0.0/24.</ValidationMessage>
                 </homeservers>
-                <fallback type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
-                </fallback>
+                <fallback type="TextField"/>
             </homeserverpool>
-         </homeserverpools>
+        </homeserverpools>
         <realms>
             <realm type="ArrayField">
                 <enabled type="BooleanField">
@@ -174,17 +171,9 @@
                 <name type="TextField">
                     <Required>Y</Required>
                 </name>
-                <auth_pool type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
-                </auth_pool>
-                <acct_pool type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
-                </acct_pool>
-                <nostrip type="BooleanField">
-                    <Required>N</Required>
-                </nostrip>
+                <auth_pool type="TextField"/>
+                <acct_pool type="TextField"/>
+                <nostrip type="BooleanField"/>
             </realm>
         </realms>
     </items>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
index 5b4546b230..b1e2dd2370 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/User.xml
@@ -133,7 +133,7 @@
                     <Required>N</Required>
                 </linkedAVPair>
                 <tunnel_password type="TextField">
-                    <mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</mask>
+                    <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</Mask>
                 </tunnel_password>
             </user>
         </users>

From f7e1982bfe8091cf57dc7064687c939540d58f45 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Nov 2025 14:44:07 +0100
Subject: [PATCH 2729/3088] net/tayga: minimal polish

---
 net/tayga/pkg-descr                                             | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml      | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/tayga/pkg-descr b/net/tayga/pkg-descr
index c97a14600c..2a97f216ff 100644
--- a/net/tayga/pkg-descr
+++ b/net/tayga/pkg-descr
@@ -9,7 +9,7 @@ Plugin Changelog
 
 1.3
 
-* Static mapping support
+* Static mapping support (contributed by Matthias Valvekens)
 
 1.2
 
diff --git a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
index 19861bafff..393717aedf 100644
--- a/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
+++ b/net/tayga/src/opnsense/mvc/app/models/OPNsense/Tayga/General.xml
@@ -18,7 +18,6 @@
             <AddressFamily>ipv4</AddressFamily>
         </v4destination>
         <v6address type="NetworkField">
-            <Required>N</Required>
             <AddressFamily>ipv6</AddressFamily>
         </v6address>
         <v6destination type="NetworkField">

From 124194c2fc18ab5447d46addfb1ebd7705653b51 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 4 Nov 2025 14:47:19 +0100
Subject: [PATCH 2730/3088] dns/rfc2136: bump revision

---
 dns/rfc2136/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/rfc2136/Makefile b/dns/rfc2136/Makefile
index 37d29c8e9d..d589ee31a2 100644
--- a/dns/rfc2136/Makefile
+++ b/dns/rfc2136/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		rfc2136
 PLUGIN_VERSION=		1.9
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		RFC-2136 Support
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_DEPENDS=		bind-tools

From e51e36733626101cbff3e2b57868d640c504a564 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 6 Nov 2025 11:09:05 +0100
Subject: [PATCH 2731/3088] net/igmp-proxy: remove the notion of a "realif"

Actually the last in the plugin code!
---
 net/igmp-proxy/Makefile                                | 2 +-
 net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/igmp-proxy/Makefile b/net/igmp-proxy/Makefile
index 7aca81748e..71575b1318 100644
--- a/net/igmp-proxy/Makefile
+++ b/net/igmp-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		igmp-proxy
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_DEPENDS=		igmpproxy
 PLUGIN_COMMENT=		IGMP-Proxy Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
index 87f9f556d5..6a50501857 100644
--- a/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
+++ b/net/igmp-proxy/src/etc/inc/plugins.inc.d/igmpproxy.inc
@@ -87,13 +87,13 @@ EOD;
 
     foreach ($config['igmpproxy']['igmpentry'] as $igmpcf) {
         unset($iflist[$igmpcf['ifname']]);
-        $realif = get_real_interface($igmpcf['ifname']);
+        $device = get_real_interface($igmpcf['ifname']);
         if (empty($igmpcf['threshold'])) {
             $threshld = 1;
         } else {
             $threshld = $igmpcf['threshold'];
         }
-        $igmpconf .= "phyint {$realif} {$igmpcf['type']} ratelimit 0 threshold {$threshld}\n";
+        $igmpconf .= "phyint {$device} {$igmpcf['type']} ratelimit 0 threshold {$threshld}\n";
 
         if ($igmpcf['address'] <> "") {
             $item = explode(" ", $igmpcf['address']);
@@ -104,8 +104,8 @@ EOD;
         $igmpconf .= "\n";
     }
     foreach ($iflist as $ifn => $unused) {
-        $realif = get_real_interface($ifn);
-        $igmpconf .= "phyint {$realif} disabled\n";
+        $device = get_real_interface($ifn);
+        $igmpconf .= "phyint {$device} disabled\n";
     }
     $igmpconf .= "\n";
 

From 4518d481f5fcbe1d9531f9da433070784e0e7c45 Mon Sep 17 00:00:00 2001
From: Maurice Walker <maurice@walker.earth>
Date: Fri, 7 Nov 2025 06:55:03 +0100
Subject: [PATCH 2732/3088] net/tayga: fix typo in static mappings (#5010)

---
 .../OPNsense/Tayga/forms/dialogEditStaticMapping.xml            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/dialogEditStaticMapping.xml b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/dialogEditStaticMapping.xml
index e838c49e76..e1402cbf33 100644
--- a/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/dialogEditStaticMapping.xml
+++ b/net/tayga/src/opnsense/mvc/app/controllers/OPNsense/Tayga/forms/dialogEditStaticMapping.xml
@@ -20,7 +20,7 @@
         <id>staticmapping.v6</id>
         <label>IPv6 network or address</label>
         <type>text</type>
-        <help>IPv4 network to map. Must not overlap with NAT64 prefix.</help>
+        <help>IPv6 network to map. Must not overlap with NAT64 prefix.</help>
     </field>
     <field>
         <id>staticmapping.description</id>

From c4c5632a4928cae9eba8821fddd969827673daeb Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 7 Nov 2025 12:22:16 +0100
Subject: [PATCH 2733/3088] misc/theme-flexcolor: add rc file for handling
 default_scheme.css

Due to not overcomplicating this with a GUI do the lower end RC so that
we users can change this easily.

This works nicely, but the import statement is cached by the browser:

@import url('default_scheme.css');

and this needs to be fixed or the plugin split.
---
 misc/theme-flexcolor/+POST_INSTALL.post       |   1 +
 misc/theme-flexcolor/pkg-descr                |  21 +-
 misc/theme-flexcolor/src/etc/rc.d/flexcolor   |  36 ++
 .../src/etc/rc.syshook.d/early/50-flexcolor   |   3 +
 .../flexcolor/build/css/default_scheme.css    | 380 ------------------
 5 files changed, 56 insertions(+), 385 deletions(-)
 create mode 100644 misc/theme-flexcolor/+POST_INSTALL.post
 create mode 100755 misc/theme-flexcolor/src/etc/rc.d/flexcolor
 create mode 100755 misc/theme-flexcolor/src/etc/rc.syshook.d/early/50-flexcolor
 delete mode 100644 misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/default_scheme.css

diff --git a/misc/theme-flexcolor/+POST_INSTALL.post b/misc/theme-flexcolor/+POST_INSTALL.post
new file mode 100644
index 0000000000..4b2fb8d68e
--- /dev/null
+++ b/misc/theme-flexcolor/+POST_INSTALL.post
@@ -0,0 +1 @@
+/usr/local/etc/rc.syshook.d/early/50-flexcolor
diff --git a/misc/theme-flexcolor/pkg-descr b/misc/theme-flexcolor/pkg-descr
index 484bd86da1..1849afb902 100644
--- a/misc/theme-flexcolor/pkg-descr
+++ b/misc/theme-flexcolor/pkg-descr
@@ -1,5 +1,16 @@
-Theme with the option to customize colors through color schemes.  To change
-the scheme, simply replace the corresponding default_scheme.css file in the
-theme /build/css-folder with an alternative from the corresponding folders
-in the /build/color_schemes/ folder.  Feel free to adjust all colors by
-changing the color codes in the scheme-file or to create your own schemes.
+Theme with the option to customize colors through color schemes.
+To change the scheme, edit /etc/rc.conf to add:
+
+flexcolor_theme="darklight"
+
+or
+
+flexcolor_theme="light"
+
+and run:
+
+# service flexcolor start
+
+The implicit default is:
+
+flexcolor_theme="black"
diff --git a/misc/theme-flexcolor/src/etc/rc.d/flexcolor b/misc/theme-flexcolor/src/etc/rc.d/flexcolor
new file mode 100755
index 0000000000..cb8fd322ea
--- /dev/null
+++ b/misc/theme-flexcolor/src/etc/rc.d/flexcolor
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# PROVIDE: flexcolor
+# REQUIRE: FILESYSTEMS
+#
+
+. /etc/rc.subr
+
+name="flexcolor"
+start_cmd="flexcolor_start"
+stop_cmd=":"
+
+: ${flexcolor_theme:="black"}
+
+FLEXCOLORDIR="/usr/local/opnsense/www/themes/flexcolor"
+SCHEMESDIR="${FLEXCOLORDIR}/build/color_schemes"
+TARGETDIR="${FLEXCOLORDIR}/build/css"
+DEFAULTCSS="default_scheme.css"
+
+CACHEMARKER="/usr/local/opnsense/www/index.php"
+
+flexcolor_start()
+{
+	SELECTEDCSS="${SCHEMESDIR}/${flexcolor_theme}/${DEFAULTCSS}"
+
+	if [ -f "${SELECTEDCSS}" ]; then
+		cp "${SELECTEDCSS}" "${TARGETDIR}/${DEFAULTCSS}"
+
+		if [ -f "${CACHEMARKER}" ]; then
+			touch "${CACHEMARKER}"
+		fi
+	fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/misc/theme-flexcolor/src/etc/rc.syshook.d/early/50-flexcolor b/misc/theme-flexcolor/src/etc/rc.syshook.d/early/50-flexcolor
new file mode 100755
index 0000000000..f705eb6860
--- /dev/null
+++ b/misc/theme-flexcolor/src/etc/rc.syshook.d/early/50-flexcolor
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/local/etc/rc.d/flexcolor start
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/default_scheme.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/default_scheme.css
deleted file mode 100644
index 2ee93ae03c..0000000000
--- a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/default_scheme.css
+++ /dev/null
@@ -1,380 +0,0 @@
-:root
-{
-    /* theme black, flexcolor */
-    /* main colors */
-    --pfore: #E6E6E6; /* main textcolor */
-    --pforehover: #FFFFFF; /* primary text hover */
-    --pforemuted: #B1B1B1; /* muted text */
-    --pforeinverse: #181E25; /* main textcolor inverse */
-    --pforeinversehover: #232323; /* main textcolor inverse hover */
-    --pback: #000000; /* primary background */
-    --pbackmuted: #E6E6E6; /* primary background */
-    --pbackinverse: #E6E6E6; /* primary background inverse */
-    --pbackhover: #232323; /* primary background hover*/
-    --sfore: #A3A3A3; /*second background */
-    --sback: #000000; /* second background #FAF9F6*/
-    --stdborder: #515151; /* standard border */
-    --stdborderfore: #E6E6E6; /* standard border with accent*/
-    --stdborderprimary: #336CDF; /* standard border with accent*/
-    --stdborderinverse: #000000; /* standard border with accent*/
-    --stdborder50bright: #A1A1A1; /* standard border with accent*/
-    --badgeback: #E6E6E6; /* badge background & progress-bar & blockquote*/
-    --progressbar: #D4D4D4; /* progress-bar*/
-    --token: #AF3604; /* background token */
-    --highlighted: #FFFFFF; /* highlighted element */
-    /* bootstrap */
-    /* bootstrap titlebar */
-    --bsheadfore: #E6E6E6;
-    --bsheadback: #000000;
-    --bsbodyfore: #E6E6E6;
-    --bsbodyback: #000000;
-    /* jquery-bootgrid */
-    --jqueryfore: #E6E6E6;
-    --jqueryback: #000000;
-    --jquerybarfore: #E6E6E6;
-    --jquerybarback: #1F57C6;
-    --jquerybarborder: #1F57C6;
-    /* login,(complete indepent, despite textboxes) */
-    --loginback: #000000; /* loginscreen background */
-    --loginboxtitle: #E6E6E6; /* loginscreen boxtitle */
-    --logindatefore: #E6E6E6; /* loginscreen textcolor */
-    --loginheadback: #000000; /* login-dialogbox head background */
-    --loginboxback: #000000; /* login-dialogbox background */
-    --loginboxfore: #E6E6E6; /* Login-dialogbox textcolor */
-    /* textbox (all kinds, tokenize, listbox, textbox, bootstrap select */
-    /* foreground */
-    --txtboxfore: #E6E6E6;
-    --txtboxforehover: #336CDF;
-    --txtboxforeactive: #336CDF;
-    --txtboxforeinverse: #E6E6E6;
-    --txtboxforedisabled: #E6E6E6;
-    --txtboxforetoken: #E6E6E6; /* only tokenize, pending delete */
-    --txtboxforedel: #E6E6E6; /* only tokenize, pending delete */
-    --txtboxforedismiss: #E6E6E6; /* only tokenize, dismiss */
-    --txtboxforeplaceholder: #E6E6E6;
-    /* background */
-    --txtboxback: #000000;
-    --txtboxbackhover: #000000;
-    --txtboxbackactive: #000000;
-    --txtboxbackdisabled: #000000;
-    --txtboxbacktoken: #E65C00;
-    --txtboxbackdel: #FF5252; /* only tokenize, pending delete */
-    --txtboxbackdismiss: #F2F7FD; /* only tokenize, dismiss */
-    /* border */
-    --txtboxborder: #E6E6E6;
-    --txtboxborderhover: #1C4DB0;
-    --txtboxborderactive: #336CDF;
-    --txtboxborderdisabled: #515151;
-    --txtboxbordertoken: #000000;
-    --txtboxborderdel: #E6E6E6; /* only tokenize, pending delete */
-    --txtboxborderdismiss: #E6E6E6; /* only tokenize, dismiss */
-    /* page */
-    --pagefore: #E6E6E6; /* text color page */
-    --pageback: #000000; /* backround color page */
-    --pageborder: #E6E6E6; /* border color page */
-    --headlineback: #000000; /*background headline box*/
-    --headlinebackshadow: 2px 2px 1px 0px rgba(0, 0, 0, 0); /* shadow headlinebackgroundbox */
-    /* navigation sidebar (complete independent) */
-    /* unselected */
-    --sdbarfore: #E6E6E6; /*textcolor navigation sidebar */
-    --sdbarback: #000000; /*background unselected navigation sidebar */
-    --sdbarhoverback: #000000; /* background sidebar hover */
-    --sdbarhoverfore: #D66E12; /* textcolor sidebar hover */
-    --sdbaractback: #1C1C1C; /* active menu #ECE7E2, #FFEDF5, #E5F4FF, #FFFBE5, #F5F5DC, #F2F2F2, #FFFACD */
-    --navbarinverse: #000000; /* navtab */
-    --navbarinversefore: #336CDF; /* navtab */
-    --navbaractivebefore: #FA6121; /*sidebar active before */
-    /* special  characters */
-    --link: #FA6121; /* OPNsense text login and links */
-    --linkhover: #E04605; /* OPNsense text login and links hover */
-    /* accents */
-    --primary: #336CDF; /* primary accent */
-    --primaryhover: #608DE6; /* primary accent hover */
-    --info: #008CDD; /* info accent */
-    --infohover: #0FA7FF; /* info accent hover */
-    --success: #388E3C; /* success accent */
-    --successhover: #47B34C; /* success accent hover */
-    --warning: #D66E12; /* warning accent */
-    --warninghover: #ED862B; /* warning accent hover */
-    --danger: #FF5252; /* danger accent */
-    --dangerhover: #BE2326FF8585; /* danger accent hover */
-    /* buttons (complete (independent) */
-    /* unselected */
-    --btnfore: #E6E6E6; /* textcolor */
-    --btnback: #000000; /* background */
-    --btnborder: #E6E6E6; /* border */
-    /* hover */
-    --btnforehover: #E6E6E6; /* textcolor hover*/
-    --btnbackhover: #000000; /* background hover*/
-    --btnborderhover: #336CDF; /* border hover */
-    /* active */
-    --btnforeactive: #336CDF; /* textcolor active*/
-    --btnbackactive: #000000; /* background active*/
-    --btnborderactive: #336CDF; /* border active */
-    /* disabled */
-    --btnforedisabled: #999999; /* textcolor disabled*/
-    --btnbackdisabled: #000000; /* background disabled*/
-    /* badge */
-    --btnforebadge: #000000; /* textcolor badge*/
-    --btnbackbadge: #000000; /* background badge*/
-    --btnborderbadge: #000000; /* border badge */
-    /* default button */
-    /* unselected */
-    --dfbtnfore: #E6E6E6; /* textcolor */
-    --dfbtnback: #000000; /* background */
-    --dfbtnborder: #E6E6E6; /* border */
-    /* hover */
-    --dfbtnforehover: #E6E6E6; /* textcolor hover*/
-    --dfbtnbackhover: #000000; /* background hover*/
-    --dfbtnborderhover: #336CDF; /* border hover */
-    /* active */
-    --dfbtnforeactive: #336CDF; /* textcolor active*/
-    --dfbtnbackactive: #000000; /* background active*/
-    --dfbtnborderactive: #336CDF; /* border active */
-    /* disabled */
-    --dfbtnforedisabled: #999999; /* textcolor disabled*/
-    --dfbtnbackdisabled: #000000; /* background disabled*/
-    --dfbtnborderdisabled: #E6E6E6; /* border disabled */
-    /* Badge */
-    --dfbtnforebadge: #000000; /* textcolor badge, traffic badge textcolor*/
-    --dfbtnbackbadge: #E6E6E6; /* background badge*/
-    --dfbtnborderbadge: #000000; /* border badge */
-    /* primary button */
-    /* unselected */
-    --pbtnfore: #E6E6E6; /* textcolor */
-    --pbtnback: #000000; /* background */
-    --pbtnborder: #336CDF; /* border */
-    /* hover */
-    --pbtnforehover: #336CDF; /* textcolor hover*/
-    --pbtnbackhover: #000000; /* background hover*/
-    --pbtnborderhover: #336CDF; /* border hover */
-    /* active */
-    --pbtnforeactive: #336CDF; /* textcolor active*/
-    --pbtnbackactive: #000000; /* background active*/
-    --pbtnborderactive: #336CDF; /* border active */
-    /* disabled */
-    --pbtnforedisabled: #999999; /* textcolor disabled*/
-    --pbtnbackdisabled: #000000; /* background disabled*/
-    --pbtnborderdisabled: #635D55; /* border disabled */
-    /* badge */
-    --pbtnforebadge: #000000; /* textcolor badge*/
-    --pbtnbackbadge: #000000; /* background badge*/
-    --pbtnborderbadge: #000000; /* border badge */
-    /* info button */
-    /* unselected */
-    --ibtnfore: #008CDD; /* textcolor */
-    --ibtnback: #000000; /* background */
-    --ibtnborder: #008CDD; /* border */
-    /* hover */
-    --ibtnforehover: #E6E6E6; /* textcolor hover*/
-    --ibtnbackhover: #000000; /* background hover*/
-    --ibtnborderhover: #336CDF; /* border hover */
-    /* active */
-    --ibtnforeactive: #336CDF; /* textcolor active*/
-    --ibtnbackactive: #000000; /* background active*/
-    --ibtnborderactive: #008CDD; /* border active */
-    /* disabled */
-    --ibtnforedisabled: #999999; /* textcolor disabled*/
-    --ibtnbackdisabled: #000000; /* background disabled*/
-    --ibtnborderdisabled: #515151; /* border disabled */
-    /* badge */
-    --ibtnforebadge: #008CDD; /* textcolor badge*/
-    --ibtnbackbadge: #000000; /* background badge*/
-    --ibtnborderbadge: #000000; /* border badge */
-    /* success button */
-    /* unselected */
-    --sbtnfore: #388E3C; /* textcolor */
-    --sbtnback: #000000; /* background */
-    --sbtnborder: #388E3C; /* border */
-    /* hover */
-    --sbtnforehover: #E6E6E6; /* textcolor hover*/
-    --sbtnbackhover: #000000; /* background hover*/
-    --sbtnborderhover: #336CDF; /* border hover */
-    /* active */
-    --sbtnforeactive: #336CDF; /* textcolor active*/
-    --sbtnbackactive: #000000; /* background active*/
-    --sbtnborderactive: #388E3C; /* border active */
-    /* disabled */
-    --sbtnforedisabled: #999999; /* textcolor disabled*/
-    --sbtnbackdisabled: #000000; /* background disabled*/
-    --sbtnborderdisabled: #31C234; /* border disabled */
-    /* badge */
-    --sbtnforebadge: #388E3C; /* textcolor badge*/
-    --sbtnbackbadge: #000000; /* background badge*/
-    --sbtnborderbadge: #000000; /* border badge */
-    /* warning button */
-    /* unselected */
-    --wbtnfore: #D66E12; /* textcolor */
-    --wbtnback: #000000; /* background */
-    --wbtnborder: #D66E12; /* border */
-    /* hover */
-    --wbtnforehover: #E6E6E6; /* textcolor hover*/
-    --wbtnbackhover: #000000; /* background hover*/
-    --wbtnborderhover: #336CDF; /* border hover */
-    /* active */
-    --wbtnforeactive: #336CDF; /* textcolor active*/
-    --wbtnbackactive: #000000; /* background active*/
-    --wbtnborderactive: #D66E12; /* border active */
-    /* disabled */
-    --wbtnforedisabled: #999999; /* textcolor disabled*/
-    --wbtnbackdisabled: #000000; /* background disabled*/
-    --wbtnborderdisabled: #515151; /* border disabled */
-    /* badge */
-    --wbtnforebadge: #D66E12; /* textcolor badge*/
-    --wbtnbackbadge: #000000; /* background badge*/
-    --wbtnborderbadge: #000000; /* border badge */
-    /* danger button */
-    /* unselected */
-    --dbtnfore: #FF5252; /* textcolor */
-    --dbtnback: #000000; /* background */
-    --dbtnborder: #FF5252; /* border */
-    /* hover */
-    --dbtnforehover: #E6E6E6; /* textcolor hover*/
-    --dbtnbackhover: #000000; /* background hover*/
-    --dbtnborderhover: #336CDF; /* border hover */
-    /* active */
-    --dbtnforeactive: #336CDF; /* textcolor active*/
-    --dbtnbackactive: #000000; /* background active*/
-    --dbtnborderactive: #FF5252; /* border active */
-    /* disabled */
-    --dbtnforedisabled: #999999; /* textcolor disabled*/
-    --dbtnbackdisabled: #000000; /* background disabled*/
-    --dbtnborderdisabled: #515151; /* border disabled */
-    /* badge */
-    --dbtnforebadge: #FF5252; /* textcolor badge*/
-    --dbtnbackbadge: #000000; /* background badge*/
-    --dbtnborderbadge: #000000; /* border badge */
-    /* link button */
-    /* unselected */
-    --lbtnfore: #336CDF; /* textcolor */
-    --lbtnback: #000000; /* background */
-    --lbtnborder: #E6E6E6; /* border */
-    /* hover */
-    --lbtnforehover: #437CEF; /* textcolor hover*/
-    --lbtnbackhover: #000000; /* background hover*/
-    --lbtnborderhover: #E6E6E6; /* border hover */
-    /* active */
-    --lbtnforeactive: #437CEF; /* textcolor active*/
-    --lbtnbackactive: transparent; /* background active*/
-    --lbtnborderactive: #E6E6E6; /* border active */
-    /* disabled */
-    --lbtnforedisabled: #999999; /* textcolor disabled*/
-    --lbtnbackdisabled: #515151; /* background disabled*/
-    --lbtnborderdisabled: #515151; /* border disabled */
-    /* navtabs (complete independent) */
-    /* active */
-    --navtabforeactive: #336CDF; /* textcolor active navtab */
-    --navtabbackactive: #000000; /* background active navtab */
-    --navtabborderactive: #336CDF; /* border active navtab */
-    /* inactive */
-    --navtabforeinactive: #E6E6E6; /* textcolor inactive navtab */
-    --navtabbackinactive: #000000; /* background inactive navtab */
-    --navtabborderinactive: #E6E6E6; /* border inactive navtab */
-    /* hover */
-    --navtabforehover: #E6E6E6; /* textcolor navtab hover */
-    --navtabbackhover: #000000; /* background navtab hover */
-    --navtabborderhover: #336CDF; /* border navtab hover */
-    /* tabulator (complete independent) */
-    /* tabulator frame foot background */
-    --tbfback: #000000;
-    /* tabulator header */
-    --tbheadfore: #E6E6E6; /* background */
-    --tbheadback: #1F1F1F; /* background */
-    --tbheadbackhover: #1F1F1F; /* background hover*/
-    --tbborder: #515151; /* border color headline */
-    /* tabulator body */
-    --tbbodybackhover: #333333; /* first row hover*/
-    --tbbordertable: #515151; /* border color table */
-    /* odd row */
-    --tbrowforeodd: #E6E6E6; /* background */
-    --tbrowbackodd: #000000; /* background */
-    /* even row */
-    --tbrowforeeven: #E6E6E6; /* background */
-    --tbrowbackeven: #000000; /* background */
-    /* tabulator footer */
-    /* unselected */
-    --tffore: #E6E6E6; /* textcolor */
-    --tfback: #000000; /* background */
-    --tfborder: #E6E6E6; /* border */
-    /* hover */
-    --tfforehover: #E6E6E6; /* textcolor hover*/
-    --tfbackhover: #000000; /* border hover */
-    --tfborderhover: #336CDF; /* textcolor hover*/
-    /* active */
-    --tfforeactive: #336CDF; /* textcolor active*/
-    --tfbackactive: #000000; /* background active*/
-    --tfborderactive: #336CDF; /* border active */
-    /* active hover*/
-    --tfforeactivehover: #467ECF; /* textcolor active*/
-    --tfbackactivehover: #000000; /* background active*/
-    --tfborderactivehover: #467CCF; /* border active */
-    /* panel, example: Reporting health */
-    --panelbody: #000000; /* panel body background*/
-    --panelheading: #000000; /* panel heading background*/
-    --panelheadingfore: #E6E6E6; /* panel heading textcolor*/
-    --panelfooter: #000000; /* panel footer */
-    --panelinfo: #E6E6E6; /* panel info, example wait circle */
-    /* content-box, example report traffic*/
-    --contentboxfore: #E6E6E6; /* content-box foreground and tabulator frame head background*/
-    --contentboxback: #000000; /* content-box background and tabulator frame head background*/
-    /* table */
-    --tableheadfore: #E6E6E6; /* textcolor table head */
-    --tablelegend: #E6E6E6;
-    --tableborder: #515151; /* background table in a table */
-    /* table not stripe */
-    --tablefore: #E6E6E6; /* textcolor table */
-    --tableback: #000000; /* background table */
-    /* table stripe */
-    --tablestripeback: #000000; /* alternative background table */
-    /* table inside a table */
-    --tabletablefore: #E6E6E6; /* headline table in a table */
-    --tabletableback: #000000; /* background table in a table */
-    /* scrollbar */
-    --scbarcolor: #4D4D4D #000000; /* scrollbarcolor: foreground vs background, the following colors are not important */
-    --scbarborder: #515151; /* bordercolor scrollbar*/
-    --scbar: #4D4D4D; /* scrollbar foreground*/
-    --scbarhover: #5D5D5D; /* scrollbar foreground hover*/
-    --scbarbutton: #4D4D4D; /* scrollbar button*/
-    /* unbound (complete independent) */
-    --unbiconsback: rgba(33,33,33,0.9); /* large icons on tabs */
-    --unbfore1: #E6E6E6; /* main text 1 */
-    --unbback1: #1F1F1F; /* background 1 */
-    --unbfore2: #008CDD; /* main text 2 */
-    --unbback2: #1F1F1F; /* background 2 */
-    --unbborder: #4D4D4D; /* unbound-border */
-    --unbborderactive: #336CDF; /* unbound-border active */
-    --unbsuccess: rgba(16,175,66,0.4); /* unbound detail background success */
-    --unbsuccessfore: rgba(241,241,241,1); /* unbound textcolor success */
-    --unbinfo: rgba(51,108,223,0.4); /* unbound detail background info */
-    --unbinfofore: rgba(241,241,241,1); /* unbound textcolor info */
-    --unbdanger: rgba(239,48,64,0.6); /* unbound detail background danger */
-    --unbdangerfore: rgba(241,241,241,1); /* unbound textcolor danger */
-    --unbwarning: rgba(219,57,61,0.4); /* unbound detail background warning */
-    --unbwarningfore: rgba(241,241,241,1,1); /* unbound textcolor warning */
-    --unberror: rgba(18,19,19,0); /* unbound detail background error */
-    --unberrorfore: rgba(162,17,42,1); /* unbound textcolor error */
-    --unbshadow: rgba(47,47,47,.8); /* unbound overview circle shadow */
-    /* dashboard, (independent, despite the buttons on the top ) */
-    --dbfore: #E6E6E6; /* textcolor dashboard */
-    --dbback: #000000; /* background color dashboard */
-    --dbbackhover: #000000; /* background color dashboard */
-    --dbborder: rgba(80,80,80,1); /* bordercolor dashboard */
-    --dbchartfore: rgba(241,241,241,1); /* textcolor dashboard charts */
-    --dbchartborder: rgba(61,61,61,1); /* bordercolor dashboard charts*/
-    --dbtoolfore: #000000; /* textcolor tooltip dashboard */
-    --dbtoolback: rgba(241, 241, 241, 0.9); /*background color tooltip */
-    /* graph */
-    --graphfore: #E6E6E6;
-    --graphback: #000000;
-    --nv3daxis: #E6E6E6;
-    /* rgb */
-    --rgb50: rgba(255,255,255,0,5);
-    --rgbshadowdark: rgba(255,255,255,.1);
-    --bootstrapshadow: rgba(204, 204, 204, 0.2);
-    --boxshadow: inset 0 1px 1px rgba(255,255,255,0.075);
-    --btnshadow1: inset 0 1px 1px rgba(25, 57, 183, 0.075);
-    --btnshadow2: 0 0 8px rgba(25, 57, 183, 0.6);
-    --progresshadow: inset 0px 1px 2px 1px rgb(217, 217, 217);
-    --progresshadow2: 0 5px 10px rgb(255, 255, 255, 0.1);
-    --mozshadow: 2px 2px 1px 0px rgba(234, 234, 234, 0.5)
-}

From 01521808650dac35f86f99aebea3d23dd82b0bcf Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 10 Nov 2025 17:01:03 +0100
Subject: [PATCH 2734/3088] www/caddy: Prevent sudo on startup via
 skip_install_trust (#5015)

This can happen when an internal domain has been added, e.g. example.internal. Caddy will then generate a self signed certificate via smallstep CA, and on startup it tries to install a root certificate for it into the FreeBSD trust store.

If running as www user, this causes sudo to appear at boot, because that is baked into smallstep CA.

https://github.com/smallstep/truststore/blob/master/truststore_freebsd.go

Via skip_install_trust, we prevent caddy from trying this.
---
 .../src/opnsense/service/templates/OPNsense/Caddy/Caddyfile      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index c3f5a38624..d0b58323c4 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -228,6 +228,7 @@
     # Default of Caddy is to wait for all connections to close before allowing reload, meaning the higher the value, the longer applies take.
     #}
     grace_period {{ generalSettings.GracePeriod }}s
+    skip_install_trust
     import /usr/local/etc/caddy/caddy.d/*.global
 }
 

From 6061da298bc8d087eff141a092ede0dda0f087b2 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 11 Nov 2025 19:09:23 +0100
Subject: [PATCH 2735/3088] net/ndp-proxy-go: Fix naming and add docs link
 (#5017)

---
 net/ndp-proxy-go/Makefile  | 2 +-
 net/ndp-proxy-go/pkg-descr | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
index faf976743d..914df8f898 100644
--- a/net/ndp-proxy-go/Makefile
+++ b/net/ndp-proxy-go/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		ndp-proxy-go
 PLUGIN_VERSION=		0.1
 PLUGIN_DEVEL=		yes
-PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol Proxy
+PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol (NDP) Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 PLUGIN_DEPENDS=		ndp-proxy-go
 
diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr
index b4f289789c..4430403b9a 100644
--- a/net/ndp-proxy-go/pkg-descr
+++ b/net/ndp-proxy-go/pkg-descr
@@ -1,5 +1,7 @@
-IPv6 Neighbor Discovery (ND), Router Advertisement (RA) and Duplicate Address
-Detection (DAD) Proxy.
+IPv6 Neighbor Discovery Protocol (NDP) Proxy
+
+WWW: https://github.com/monviech/ndp-proxy-go
+DOC: https://docs.opnsense.org/manual/ndp-proxy-go.html
 
 Plugin Changelog
 ================

From 68505ed3574c8077007967ea89c663c647eb83be Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 12 Nov 2025 19:05:42 +0100
Subject: [PATCH 2736/3088] net/frr: Add hint about service reload (frr-reload)
 vs full restart requirement (#5022)

* net/frr: Add hint about service reload (frr-reload) vs full restart requirement

* Add missing translations
---
 .../src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt  | 9 ++++++++-
 .../src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt  | 9 ++++++++-
 .../opnsense/mvc/app/views/OPNsense/Quagga/general.volt  | 9 ++++++++-
 .../src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt | 9 ++++++++-
 .../opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt    | 9 ++++++++-
 .../src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt  | 9 ++++++++-
 .../opnsense/mvc/app/views/OPNsense/Quagga/static.volt   | 9 ++++++++-
 7 files changed, 56 insertions(+), 7 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
index d7598f4668..2d496f1899 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bfd.volt
@@ -74,5 +74,12 @@ POSSIBILITY OF SUCH DAMAGE.
         {{ partial('layout_partials/base_bootgrid_table', formGridEditBFDNeighbor)}}
     </div>
 </div>
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial(
+    'layout_partials/base_apply_button',
+    {
+        'data_endpoint': '/api/quagga/service/reconfigure',
+        'data_service_widget': 'quagga',
+        'data_change_message_content': lang._('Apply will reload the service without causing interruptions. Some changes will need a full restart with the available service control buttons.')
+    }
+) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBFDNeighbor,'id':formGridEditBFDNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
index 1014b83ada..5123843fbd 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/bgp.volt
@@ -172,7 +172,14 @@ POSSIBILITY OF SUCH DAMAGE.
         {{ partial('layout_partials/base_bootgrid_table', formGridEditBGPPeergroups)}}
     </div>
 </div>
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial(
+    'layout_partials/base_apply_button',
+    {
+        'data_endpoint': '/api/quagga/service/reconfigure',
+        'data_service_widget': 'quagga',
+        'data_change_message_content': lang._('Apply will reload the service without causing interruptions. Some changes will need a full restart with the available service control buttons.')
+    }
+) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPNeighbor,'id':formGridEditBGPNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPASPaths,'id':formGridEditBGPASPaths['edit_dialog_id'],'label':lang._('Edit AS Paths')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBGPPrefixLists,'id':formGridEditBGPPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
index d6113799a3..0421762229 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/general.volt
@@ -51,4 +51,11 @@ POSSIBILITY OF SUCH DAMAGE.
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
 </div>
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial(
+    'layout_partials/base_apply_button',
+    {
+        'data_endpoint': '/api/quagga/service/reconfigure',
+        'data_service_widget': 'quagga',
+        'data_change_message_content': lang._('Apply will reload the service without causing interruptions. Some changes will need a full restart with the available service control buttons.')
+    }
+) }}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
index 2a22a50394..51d069d388 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf.volt
@@ -199,7 +199,14 @@ POSSIBILITY OF SUCH DAMAGE.
         {{ partial('layout_partials/base_bootgrid_table', formGridEditRouteMaps)}}
     </div>
 </div>
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial(
+    'layout_partials/base_apply_button',
+    {
+        'data_endpoint': '/api/quagga/service/reconfigure',
+        'data_service_widget': 'quagga',
+        'data_change_message_content': lang._('Apply will reload the service without causing interruptions. Some changes will need a full restart with the available service control buttons.')
+    }
+) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditOSPFArea,'id':formGridEditOSPFArea['edit_dialog_id'],'label':lang._('Edit Area')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditOSPFNeighbor,'id':formGridEditOSPFNeighbor['edit_dialog_id'],'label':lang._('Edit Neighbor')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':formGridEditNetwork['edit_dialog_id'],'label':lang._('Edit Network')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
index 0bb6e9f5b8..fda09a55d0 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/ospf6.volt
@@ -154,7 +154,14 @@
         {{ partial('layout_partials/base_bootgrid_table', formGridEditRouteMaps)}}
     </div>
 </div>
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial(
+    'layout_partials/base_apply_button',
+    {
+        'data_endpoint': '/api/quagga/service/reconfigure',
+        'data_service_widget': 'quagga',
+        'data_change_message_content': lang._('Apply will reload the service without causing interruptions. Some changes will need a full restart with the available service control buttons.')
+    }
+) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditNetwork,'id':formGridEditNetwork['edit_dialog_id'],'label':lang._('Edit Network')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditInterface,'id':formGridEditInterface['edit_dialog_id'],'label':lang._('Edit Interface')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditPrefixLists,'id':formGridEditPrefixLists['edit_dialog_id'],'label':lang._('Edit Prefix Lists')])}}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
index 4434550201..332666f2f7 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/rip.volt
@@ -51,4 +51,11 @@ POSSIBILITY OF SUCH DAMAGE.
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':ripForm,'id':'frm_rip_settings'])}}
 </div>
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial(
+    'layout_partials/base_apply_button',
+    {
+        'data_endpoint': '/api/quagga/service/reconfigure',
+        'data_service_widget': 'quagga',
+        'data_change_message_content': lang._('Apply will reload the service without causing interruptions. Some changes will need a full restart with the available service control buttons.')
+    }
+) }}
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
index e0fb2d4f4c..33c01a198d 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/static.volt
@@ -71,5 +71,12 @@
         {{ partial('layout_partials/base_bootgrid_table', formGridEditSTATICRoute)}}
     </div>
 </div>
-{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/quagga/service/reconfigure', 'data_service_widget': 'quagga'}) }}
+{{ partial(
+    'layout_partials/base_apply_button',
+    {
+        'data_endpoint': '/api/quagga/service/reconfigure',
+        'data_service_widget': 'quagga',
+        'data_change_message_content': lang._('Apply will reload the service without causing interruptions. Some changes will need a full restart with the available service control buttons.')
+    }
+) }}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditSTATICRoute,'id':formGridEditSTATICRoute['edit_dialog_id'],'label':lang._('Edit Routes')])}}

From 355309551b9dfe218d05d8a1a18756db56470f97 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 13 Nov 2025 10:37:42 +0100
Subject: [PATCH 2737/3088] net/frr: Fix STATIC template interface issue, use
 isEmpty() in validation (#5019)

* net/frr: Fix STATIC template interface issue, use isEmpty() in validation

* Properly safeguard optional parameters
---
 .../mvc/app/models/OPNsense/Quagga/STATICd.php      |  6 +++---
 .../service/templates/OPNsense/Quagga/staticd.conf  | 13 ++++++++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
index c336b3ad22..5d9213b738 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.php
@@ -48,7 +48,7 @@ public function performValidation($validateFullModel = false)
                 continue;
             }
             $key = $route->__reference;
-            if (!empty((string)$route->network) && !empty((string)$route->gateway)) {
+            if (!$route->network->isEmpty() && !$route->gateway->isEmpty()) {
                 $net_proto = str_contains($route->network, ':') ? 'inet6' : 'inet';
                 $gw_proto = str_contains($route->gateway, ':') ? 'inet6' : 'inet';
                 if ($net_proto != $gw_proto) {
@@ -57,10 +57,10 @@ public function performValidation($validateFullModel = false)
                     );
                 }
             }
-            if (empty((string)$route->gateway) && empty((string)$route->interfacename)) {
+            if ($route->gateway->isEmpty() && $route->interfacename->isEmpty()) {
                 $messages->appendMessage(
                     new Message(
-                        gettext("When no interface is provided, at least a gateway must be offered"),
+                        gettext("Either an interface or a gateway is required."),
                         $key . ".gateway"
                     )
                 );
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
index fdff7d0f28..43a810beb4 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
@@ -2,7 +2,18 @@
 {% if not helpers.empty('OPNsense.quagga.static.enabled') %}
 {%    for route in helpers.toList('OPNsense.quagga.static.routes.route') %}
 {%        if route.enabled == '1' %}
-{% if ':' in route.network %}ipv6{% else %}ip{% endif %} route {{ route.network }} {{ route.gateway|default('')}} {{ helpers.physical_interface(route.interfacename) }}
+{%-           if ':' in route.network %}
+ipv6
+{%-           else %}
+ip
+{%-           endif %}
+ route {{ route.network }}
+{%-           if route.gateway %}
+ {{ route.gateway}}
+{%-           endif %}
+{%-           if route.interfacename %}
+ {{ helpers.physical_interface(route.interfacename) }}
+{%-           endif +%}
 {%        endif %}
 {%    endfor %}
 {% endif %}

From 6fba852a9d3cc5b08753f1d5a28efa358c13cc07 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 13 Nov 2025 13:09:24 +0100
Subject: [PATCH 2738/3088] net/frr: Fix snmp ospfd and ospf6d flags (#5025)

---
 net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index c9069cd810..fa77dd8faf 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -30,8 +30,8 @@ start_postcmd='
 {% if OPNsense.quagga.general.enablesnmp == '1' %}
 zebra_flags="${zebra_flags} -M snmp"
 bgpd_flags="${bgpd_flags} -M snmp"
-ospf_flags="${ospf_flags} -M snmp"
-ospf6_flags="${ospf6_flags} -M snmp"
+ospfd_flags="${ospfd_flags} -M snmp"
+ospf6d_flags="${ospf6d_flags} -M snmp"
 {% endif %}
 {% else %}
 frr_enable="NO"

From b92c2e631f663fafc54d279c1623266137c8c483 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 14 Nov 2025 20:30:30 +0100
Subject: [PATCH 2739/3088] dns/rfc2136: second iteration using mwexecfb(), no
 functional changes

---
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 55c84297ab..1e802cece2 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -198,15 +198,16 @@ function rfc2136_configure_do($verbose = false, $int = null, $updatehost = '', $
         $upinst .= "\n";  /* mind that trailing newline! */
 
         if ($need_update) {
-            $cmds = "/var/etc/nsupdatecmds{$i}";
-            file_safe($cmds, $upinst);
-            $args = [];
-            $args[] = exec_safe('-k %s', $keyfile);
+            file_safe("/var/etc/nsupdatecmds{$i}", $upinst);
+
+            $frmt = ['/var/etc/nsupdatecmds%s -k %s'];
+            $args = [$i, $keyfile];
+
             if (isset($dnsupdate['usetcp'])) {
-                $args[] = '-v';
+                $frmt[] = '-v';
             }
-            $args[] = exec_safe('%s', $cmds);
-            mwexecf_bg('/usr/local/bin/nsupdate ' . join(' ', $args));
+
+            mwexecfb($frmt, $args);
         }
     }
 

From 20b507efeb96c40dbbff384719d7ce58479807f8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 14 Nov 2025 20:31:58 +0100
Subject: [PATCH 2740/3088] net/upnp: minor transformation as mwexecf_bg() will
 be removed

---
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index d27bcd751d..5f9d687a1c 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -75,7 +75,7 @@ function miniupnpd_start()
         return;
     }
 
-    mwexecf_bg('/usr/local/sbin/miniupnpd -f %s -P %s', [ '/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid']);
+    mwexecfb('/usr/local/sbin/miniupnpd -f %s -P %s', [ '/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid']);
 }
 
 function miniupnpd_stop()

From 0916add402992fd7b9ef988b952da2887f4b041d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 15 Nov 2025 18:31:59 -0500
Subject: [PATCH 2741/3088] security/acme-client: fix legacy inclusion

---
 security/acme-client/Makefile                      |  2 +-
 .../AcmeClient/LeValidation/HttpOpnsense.php       | 14 +++++++-------
 .../AcmeClient/LeValidation/TlsalpnAcme.php        | 14 +++++++-------
 3 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 711735a66b..9c3b42af06 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		4.10
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 8670eb96c8..03ca5e97cd 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -31,6 +31,8 @@
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
+use OPNsense\Core\File;
+use OPNsense\Core\Shell;
 
 /**
  * Use internal OPNsense webserver for HTTP-01 validation
@@ -125,18 +127,16 @@ public function prepare()
         }
 
         // Create temporary port forward to allow acme challenges to get through
-        $anchor_setup = "rdr-anchor \"acme-client\"\n";
-        // XXX Should not be using util.inc from here
-        file_safe("{$configdir}/acme_anchor_setup", $anchor_setup, 0600);
-        mwexecf('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
-        file_safe("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
-        mwexecf('/sbin/pfctl -a %s -f %s', ['acme-client', "{$configdir}/acme_anchor_rules"]);
+        File::file_put_contents("{$configdir}/acme_anchor_setup", "rdr-anchor \"acme-client\"\n", 0600);
+        Shell::run_safe('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
+        File::file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
+        Shell::run_safe('/sbin/pfctl -a %s -f %s', ['acme-client', "{$configdir}/acme_anchor_rules"]);
     }
 
     public function cleanup()
     {
         // Flush OPNsense port forward rules.
-        mwexecf('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);
+        Shell::run_safe('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);
 
         // Workaround to solve disconnection issues reported by some users.
         $backend = new \OPNsense\Core\Backend();
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index 068adc8235..df5819600e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -31,6 +31,8 @@
 use OPNsense\AcmeClient\LeValidationInterface;
 use OPNsense\AcmeClient\LeUtils;
 use OPNsense\Core\Config;
+use OPNsense\Core\File;
+use OPNsense\Core\Shell;
 
 /**
  * Use acme.sh TLS web server for TLS-ALPN-01 validation
@@ -126,18 +128,16 @@ public function prepare()
         }
 
         // Create temporary port forward to allow acme challenges to get through
-        $anchor_setup = "rdr-anchor \"acme-client\"\n";
-        // XXX Should not be using util.inc from here
-        file_safe("{$configdir}/acme_anchor_setup", $anchor_setup, 0600);
-        mwexecf('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
-        file_safe("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
-        mwexecf("/sbin/pfctl -a %s -f %s", ['acme-client', "{$configdir}/acme_anchor_rules"]);
+        File::file_put_contents("{$configdir}/acme_anchor_setup", "rdr-anchor \"acme-client\"\n", 0600);
+        Shell::run_safe('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
+        File::file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
+        Shell::run_safe("/sbin/pfctl -a %s -f %s", ['acme-client', "{$configdir}/acme_anchor_rules"]);
     }
 
     public function cleanup()
     {
         // Flush OPNsense port forward rules.
-        mwexecf('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);
+        Shell::run_safe('/sbin/pfctl -a %s -F %s', ['acme-client', 'all']);
 
         // Workaround to solve disconnection issues reported by some users.
         $backend = new \OPNsense\Core\Backend();

From c1b5dfe2a368fc6122906d622c2609a367d0bf28 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 16 Nov 2025 17:15:29 -0500
Subject: [PATCH 2742/3088] net/upnp: switch from shell_exec() to shell_safe()
 with automatic trim()

---
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 5f9d687a1c..28a3aa65da 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -230,7 +230,7 @@ function miniupnpd_configure_do($verbose = false)
             $config_text .= "serial=" . strtoupper(substr(miniupnpd_uuid(), 0, 8)) . "\n";
 
             /* set model number */
-            $config_text .= "model_number=" . trim(shell_exec('opnsense-version -v')) . "\n";
+            $config_text .= "model_number=" . shell_safe('opnsense-version -v') . "\n";
 
             /* upnp access restrictions */
             foreach (miniupnpd_permuser_list() as $permuser) {

From 458997d163cdce20000f6ea3b84d9dd3b33f4078 Mon Sep 17 00:00:00 2001
From: Self-Hosting-Group
 <155233284+Self-Hosting-Group@users.noreply.github.com>
Date: Mon, 17 Nov 2025 16:40:05 +0100
Subject: [PATCH 2743/3088] net/upnp: service improvements - additions (#5005)

---
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   | 24 +++++++--
 .../mvc/app/models/OPNsense/UPnP/ACL/ACL.xml  |  2 +-
 .../app/models/OPNsense/UPnP/Menu/Menu.xml    |  2 +-
 net/upnp/src/www/services_upnp.php            | 54 ++++++++++++++++---
 net/upnp/src/www/status_upnp.php              | 30 ++++++++---
 5 files changed, 91 insertions(+), 21 deletions(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 28a3aa65da..5c5a813acc 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -185,7 +185,7 @@ function miniupnpd_configure_do($verbose = false)
 
             /* configure STUN server if needed */
             if (!empty($upnp_config['stun_host'])) {
-                $config_text .= "ext_perform_stun=yes\n";
+                $config_text .= "ext_perform_stun=allow-filtered\n";
                 $config_text .= "ext_stun_host=" . ($upnp_config['stun_host']) . "\n";
                 $config_text .= "ext_stun_port=" . ($upnp_config['stun_port'] ?? "3478") . "\n";
             }
@@ -206,6 +206,10 @@ function miniupnpd_configure_do($verbose = false)
                 $config_text .= "pcp_allow_thirdparty=no\n";
             }
 
+            if (!empty($upnp_config['ipv6_disable'])) {
+                $config_text .= "ipv6_disable=yes\n";
+            }
+
             /* enable logging of packets handled by miniupnpd rules */
             if (!empty($upnp_config['logpackets'])) {
                 $config_text .= "packet_log=yes\n";
@@ -225,6 +229,13 @@ function miniupnpd_configure_do($verbose = false)
                 $config_text .= "/\n";
             }
 
+            if (!empty($upnp_config['friendly_name'])) {
+                // Encode required XML entities of text UPnP IGD config options until the daemon does so
+                $config_text .= "friendly_name=" . htmlspecialchars($upnp_config['friendly_name'], ENT_NOQUOTES | ENT_XML1) . "\n";
+            } else {
+                $config_text .= "friendly_name=OPNsense UPnP IGD &amp; PCP\n";
+            }
+
             /* set uuid and serial */
             $config_text .= "uuid=" . miniupnpd_uuid() . "\n";
             $config_text .= "serial=" . strtoupper(substr(miniupnpd_uuid(), 0, 8)) . "\n";
@@ -247,9 +258,14 @@ function miniupnpd_configure_do($verbose = false)
             $config_text .= "enable_upnp="   . ( $upnp_config['enable_upnp']   ? "yes\n" : "no\n" );
             $config_text .= "enable_pcp_pmp=" . ( $upnp_config['enable_natpmp'] ? "yes\n" : "no\n" );
 
-            # When building with IGDv2, infinite (IGDv1 only) lease time port maps are reduced to 7d
-            # following the IGDv2 standard. Disabling it at runtime allows IGDv2 incompatible clients
-            $config_text .= "force_igd_desc_v1=yes\n";
+            // When building the daemon with UPnP IGDv2, infinite (IGDv1 only) lease duration port maps are reduced
+            // to 7d, following the IGDv2 standard. Disabling it at runtime allows IGDv2-incompatible clients
+            if ($upnp_config['upnp_igd_compat'] == 'igdv1') {
+                $config_text .= "force_igd_desc_v1=yes\n";
+            }
+
+            $config_text .= "lease_file=/var/run/miniupnpd.leases\n";
+            $config_text .= "lease_file6=/var/run/miniupnpd.leases-ipv6\n";
 
             /* write out the configuration */
             file_put_contents('/var/etc/miniupnpd.conf', $config_text);
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
index df50ca093c..23a2fa96e2 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
@@ -6,7 +6,7 @@
         </patterns>
     </page-service-upnp>
     <page-status-upnpstatus>
-        <name>Services: UPnP IGD &amp; PCP: Port Maps</name>
+        <name>Services: UPnP IGD &amp; PCP: Active Maps</name>
         <patterns>
             <pattern>status_upnp.php*</pattern>
         </patterns>
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
index ba129ede3e..c040d5ea16 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
@@ -4,7 +4,7 @@
             <Settings order="10" url="/services_upnp.php">
                 <Edit url="/services_upnp.php?*" visibility="hidden"/>
             </Settings>
-            <PortMaps VisibleName="Port Maps" order="20" url="/status_upnp.php"/>
+            <ActiveMaps VisibleName="Active Maps" order="20" url="/status_upnp.php"/>
         </UPnP>
     </Services>
 </menu>
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index 6a88aa9f7f..e4919ab2c7 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -75,7 +75,9 @@ function miniupnpd_validate_port($port)
         'enable_natpmp',
         'enable_upnp',
         'ext_iface',
+        'friendly_name',
         'iface_array',
+        'ipv6_disable',
         'logpackets',
         'overridesubnet',
         'overridewanip',
@@ -85,6 +87,7 @@ function miniupnpd_validate_port($port)
         'num_permuser',
         'sysuptime',
         'upload',
+        'upnp_igd_compat',
     ];
 
     foreach (miniupnpd_permuser_list() as $permuser) {
@@ -175,7 +178,7 @@ function miniupnpd_validate_port($port)
         // save form data
         $upnp = [];
         // boolean types
-        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault', 'allow_third_party_mapping'] as $fieldname) {
+        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault', 'allow_third_party_mapping', 'ipv6_disable'] as $fieldname) {
             $upnp[$fieldname] = !empty($pconfig[$fieldname]);
         }
         // numeric types
@@ -183,7 +186,7 @@ function miniupnpd_validate_port($port)
             $upnp['num_permuser'] = $pconfig['num_permuser'];
         }
         // text field types
-        foreach (['ext_iface', 'download', 'upload', 'overridewanip', 'overridesubnet', 'stun_host', 'stun_port'] as $fieldname) {
+        foreach (['ext_iface', 'download', 'upload', 'overridewanip', 'overridesubnet', 'stun_host', 'stun_port', 'friendly_name', 'upnp_igd_compat'] as $fieldname) {
             $upnp[$fieldname] = $pconfig[$fieldname];
         }
         foreach (miniupnpd_permuser_list() as $fieldname) {
@@ -257,7 +260,7 @@ function miniupnpd_validate_port($port)
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_ext_iface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("External Interface");?></td>
+                      <td><a id="help_for_ext_iface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("External interface");?></td>
                       <td>
                        <select class="selectpicker" name="ext_iface">
 <?php
@@ -353,6 +356,12 @@ function miniupnpd_validate_port($port)
                         </div>
                       </td>
                     </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Disable IPv6 mapping') ?></td>
+                      <td>
+                        <input name="ipv6_disable" type="checkbox" value="yes" <?= !empty($pconfig['ipv6_disable']) ? "checked=\"checked\"" : ""; ?> />
+                      </td>
+                    </tr>
                     <!-- <tr>
                       <td><a id="help_for_sysuptime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Report system uptime");?></td>
                       <td>
@@ -371,6 +380,31 @@ function miniupnpd_validate_port($port)
                        </div>
                       </td>
                     </tr>
+                  </tbody>
+                </table>
+              </div>
+            </div>
+          </section>
+          <section class="col-xs-12">
+            <div class="content-box">
+              <div class="table-responsive">
+                <table class="table table-striped opnsense_standard_table_form">
+                  <thead>
+                    <tr>
+                      <th style="width:22%"><?= gettext("UPnP IGD Adjustments") ?></th>
+                      <th style="width:78%"></th>
+                    </tr>
+                  </thead>
+                  <tbody>
+                  <tr>
+                    <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('UPnP IGD compatibility mode') ?></td>
+                    <td>
+                      <select name="upnp_igd_compat">
+                        <option value="igdv1" <?= $pconfig['upnp_igd_compat'] == 'igdv1' ? "selected=\"selected\"" : ""; ?> ><?= gettext("IGDv1 (IPv4 only)"); ?></option>
+                        <option value="igdv2" <?= $pconfig['upnp_igd_compat'] == 'igdv2' ? "selected=\"selected\"" : ""; ?> ><?= gettext("IGDv2 (with workarounds)"); ?></option>
+                      </select>
+                    </td>
+                  </tr>
                     <tr>
                       <td><a id="help_for_download" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Download speed");?></td>
                       <td>
@@ -389,6 +423,12 @@ function miniupnpd_validate_port($port)
                         </div>
                       </td>
                     </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Router/friendly name') ?></td>
+                      <td>
+                        <input name="friendly_name" type="text" placeholder="OPNsense UPnP IGD &amp; PCP" value="<?= !empty($pconfig['friendly_name']) ? htmlspecialchars($pconfig['friendly_name']) : '' ?>" />
+                      </td>
+                    </tr>
                   </tbody>
                 </table>
               </div>
@@ -400,7 +440,7 @@ function miniupnpd_validate_port($port)
                 <table class="table table-striped opnsense_standard_table_form">
                   <thead>
                     <tr>
-                      <th colspan="2"><?=gettext("Access Control List");?></th>
+                      <th colspan="2"><?=gettext("Custom Access Control List");?></th>
                     </tr>
                   </thead>
                   <tbody>
@@ -416,7 +456,7 @@ function miniupnpd_validate_port($port)
                     <tr>
                       <td><a id="help_for_num_permuser" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Number of entries");?></td>
                       <td>
-                        <input name="num_permuser" type="text" value="<?= html_safe($pconfig['num_permuser']) ?>" />
+                        <input name="num_permuser" type="text" placeholder="8" value="<?= html_safe($pconfig['num_permuser']) ?>" />
                         <div class="hidden" data-for="help_for_num_permuser">
                           <?=gettext("Number of ACL entries to configure.");?>
                         </div>
@@ -433,14 +473,14 @@ function miniupnpd_validate_port($port)
                         <input name="<?= html_safe($permuser) ?>" type="text" value="<?= isset($pconfig[$permuser]) ? $pconfig[$permuser] : '' ?>" />
 <?php if ($i == 1): ?>
                         <div class="hidden" data-for="help_for_permuser">
-                          <?=gettext("The ACL specifies which IP addresses and ports can be mapped. IPv6 is always accepted.");?><br/>
-                          <?=gettext("Format: (allow or deny) (ext port or range) (int IP or IP/netmask) (int port or range)");?><br/>
+                          <?=gettext("Syntax: (allow or deny) (ext port or range) (int IP or IP/netmask) (int port or range)");?><br/>
                           <?=gettext("Example: allow 1024-65535 192.168.1.0/24 1024-65535");?>
                         </div>
 <?php endif ?>
                       </td>
                     </tr>
 <?php endforeach ?>
+                    <tr><td colspan="2"><?=gettext("The access control list (ACL) specifies which IP addresses and ports can be mapped. IPv6 is currently always accepted unless disabled.");?></td></tr>
                   </tbody>
                 </table>
               </div>
diff --git a/net/upnp/src/www/status_upnp.php b/net/upnp/src/www/status_upnp.php
index d52bcd0b7c..641d23fc07 100644
--- a/net/upnp/src/www/status_upnp.php
+++ b/net/upnp/src/www/status_upnp.php
@@ -34,6 +34,8 @@
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     if (!empty($_POST['clear'])) {
         miniupnpd_stop();
+        unlink('/var/run/miniupnpd.leases');
+        unlink('/var/run/miniupnpd.leases-ipv6');
         miniupnpd_start();
         header(url_safe('Location: /status_upnp.php'));
         exit;
@@ -41,7 +43,7 @@
 }
 
 $rdr_entries = array();
-exec("/sbin/pfctl -a miniupnpd -s nat -P", $rdr_entries, $pf_ret);
+exec("/sbin/pfctl -P -a miniupnpd -s nat; /sbin/pfctl -P -a miniupnpd -s rules", $rdr_entries, $pf_ret);
 
 $service_hook = 'miniupnpd';
 include("head.inc");
@@ -65,30 +67,42 @@
             <table class="table table-striped table-hover">
               <thead>
                 <tr>
-                  <th><?=gettext("IP Address")?></th>
+                  <th><?=gettext("IP address")?></th>
                   <th><?=gettext("Port")?></th>
-                  <th><?=gettext("External Port")?></th>
+                  <th><?=gettext("External port")?></th>
                   <th><?=gettext("Protocol")?></th>
                   <th><?=gettext("Source IP")?></th>
-                  <th><?=gettext("Source Port")?></th>
-                  <th><?=gettext("Description")?></th>
+                  <th><?=gettext("Source port")?></th>
+                  <th><?=gettext("Added via / description")?></th>
                 </tr>
               </thead>
               <tbody>
 <?php
               foreach ($rdr_entries as $rdr_entry):
-                  if (!preg_match("/on (?P<iface>.*) inet proto (?P<proto>.*) from (?P<srcaddr>.*) (port (?P<srcport>.*) )?to (?P<extaddr>.*) port = (?P<extport>.*) keep state (label \"(?P<descr>.*)\" )?rtable [0-9] -> (?P<intaddr>.*) port (?P<intport>.*)/", $rdr_entry, $matches)) {
+                  if (!preg_match('/on (?P<iface>.+) inet proto (?P<proto>.+) from (?P<srcaddr>[^ ]+) (port (?P<srcport>.+) )?to (?P<extaddr>.+) port = (?P<extport>.+) keep state (label "(?P<descr>.+)" )?rtable [0-9] -> (?P<intaddr>.+) port (?P<intport>.+)/', $rdr_entry, $matches) &&
+                      !preg_match('/on (?P<iface>.+) inet6 proto (?P<proto>.+) from (?P<srcaddr>[^ ]+) (port = (?P<srcport>.+) )?to (?P<intaddr>.+) port = (?P<intport>\d+) (flags [^ ]+ )?keep state (label "(?P<descr>.+)" )?rtable [0-9]/', $rdr_entry, $matches)) {
                       continue;
                   }
+                  if (preg_match('/PCP .*([0-9a-f]{24})$/', $matches['descr'], $descrmatch) === 1) {
+                    $descr = "PCP (nonce  {$descrmatch[1]})";
+                  } elseif (preg_match('/^NAT-PMP \d+ \w+$/', $matches['descr'], $descrmatch) === 1) {
+                    $descr = 'NAT-PMP';
+                  } elseif (preg_match('/^pinhole-(\d+).*IGD2 pinhole$/', $matches['descr'], $descrmatch) === 1) {
+                    $descr = "UPnP IGD IPv6 (UID {$descrmatch[1]})";
+                  } elseif (preg_match('/^UPnP IGD/', $matches['descr'], $descrmatch) === 1) {
+                    $descr = $matches['descr'];
+                  } else {
+                    $descr = "UPnP IGD / {$matches['descr']}";
+                  }
               ?>
                 <tr>
                   <td><?= html_safe($matches['intaddr']) ?></td>
                   <td><?= html_safe($matches['intport']) ?></td>
-                  <td><?= html_safe($matches['extport']) ?></td>
+                  <td><?= ($matches['extport'] != '') ? html_safe($matches['extport']) : html_safe($matches['intport']) ?></td>
                   <td><?= html_safe(strtoupper($matches['proto'])) ?></td>
                   <td><?= html_safe($matches['srcaddr']) ?></td>
                   <td><?= html_safe($matches['srcport'] ?: "any") ?></td>
-                  <td><?= html_safe($matches['descr']) ?></td>
+                  <td><?= html_safe($descr) ?></td>
                 </tr>
 <?php
               endforeach;?>

From e2601dc2892e1d32e7167534ce34e19b9f1369ba Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Nov 2025 21:38:20 -0500
Subject: [PATCH 2744/3088] net/frr: safe execution changes

---
 net/frr/src/etc/rc.syshook.d/carp/50-frr | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/frr/src/etc/rc.syshook.d/carp/50-frr b/net/frr/src/etc/rc.syshook.d/carp/50-frr
index 5ffb4ca82a..e028a3e1d5 100755
--- a/net/frr/src/etc/rc.syshook.d/carp/50-frr
+++ b/net/frr/src/etc/rc.syshook.d/carp/50-frr
@@ -49,14 +49,14 @@ if (frr_carp_enabled()) {
 
     switch ($type) {
         case 'MASTER':
-            shell_exec('/usr/local/etc/rc.d/frr start');
+            mwexecfm('/usr/local/etc/rc.d/frr start');
             break;
         case 'BACKUP':
-            shell_exec('/usr/local/etc/rc.d/frr stop');
+            mwexecfm('/usr/local/etc/rc.d/frr stop');
             break;
     }
 } elseif (frr_enabled()) {
     // XXX: when not toggling between active and disabled, pass event so underlaying protocols can
     //      determine which actions to perform when reaching a certain state.
-    shell_exec('/usr/local/opnsense/scripts/frr/carp_event_handler');
+    mwexecfm('/usr/local/opnsense/scripts/frr/carp_event_handler');
 }

From db0943a4a2c9de3ec9f5066d292a2b126129fd66 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Nov 2025 21:39:54 -0500
Subject: [PATCH 2745/3088] net/upnp: safe execution change

shell_safe() is better than raw exec() although we do not have any
dynamic shell arguments to handle.  This call requires a new explode
extension (true parameter) that will be available in 25.7.8
---
 net/upnp/src/www/status_upnp.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/upnp/src/www/status_upnp.php b/net/upnp/src/www/status_upnp.php
index 641d23fc07..bb29974728 100644
--- a/net/upnp/src/www/status_upnp.php
+++ b/net/upnp/src/www/status_upnp.php
@@ -29,6 +29,7 @@
 
 require_once("guiconfig.inc");
 require_once("interfaces.inc");
+require_once("util.inc");
 require_once("plugins.inc.d/miniupnpd.inc");
 
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
@@ -42,8 +43,7 @@
     }
 }
 
-$rdr_entries = array();
-exec("/sbin/pfctl -P -a miniupnpd -s nat; /sbin/pfctl -P -a miniupnpd -s rules", $rdr_entries, $pf_ret);
+$rdr_entries = shell_safe('/sbin/pfctl -P -a miniupnpd -s nat; /sbin/pfctl -P -a miniupnpd -s rules', [], true);
 
 $service_hook = 'miniupnpd';
 include("head.inc");

From b50c0c3daaec87f5ac25d7bf744397697ae389f9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Nov 2025 21:42:47 -0500
Subject: [PATCH 2746/3088] www/nginx: another change here

---
 www/nginx/src/opnsense/scripts/nginx/setup.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index e8722930dc..8d1c7af503 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -29,9 +29,11 @@
 
 const KEY_DIRECTORY = '/usr/local/etc/nginx/key/';
 const GROUP_OWNER = 'staff';
+
 require_once('config.inc');
 require_once('certs.inc');
 require_once('util.inc');
+
 use OPNsense\Nginx\Nginx;
 
 function export_pem_file($filename, $data, $post_append = null)
@@ -361,4 +363,5 @@ function find_ca($refid)
 
 syslog(LOG_DEBUG, "NGINX setup routine completed.");
 closelog();
-passthru('/usr/local/etc/rc.d/php-fpm start');
+
+pass_safe('/usr/local/etc/rc.d/php-fpm start');

From 9f23ada61dbec4770eeb6bde200508bf4938ea0d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Nov 2025 21:43:17 -0500
Subject: [PATCH 2747/3088] www/caddy: revision bump after trust store vs. sudo
 fix

---
 www/caddy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 1208069564..3132d78e42 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		2.0.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com

From 2e56601903b39bba663769973966413563e06aa6 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 17 Nov 2025 21:47:57 -0500
Subject: [PATCH 2748/3088] www/OPNProxy: switch to mwexecf() use

---
 www/OPNProxy/Makefile                               |  2 +-
 www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc | 11 +++++------
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/www/OPNProxy/Makefile b/www/OPNProxy/Makefile
index c225b41a17..b982f8d232 100644
--- a/www/OPNProxy/Makefile
+++ b/www/OPNProxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		OPNProxy
 PLUGIN_VERSION=		1.0.5
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		OPNsense proxy additions
 PLUGIN_DEPENDS=		os-redis${PLUGIN_PKGSUFFIX} \
 			os-squid${PLUGIN_PKGSUFFIX} \
diff --git a/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc b/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
index 96f00a995a..bf63709460 100644
--- a/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
+++ b/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
@@ -28,22 +28,21 @@
 
 function opnproxy_configure()
 {
-    return array(
+    return [
         'user_changed' => ['opnproxy_user_changed:2'],
         'webproxy' => ['opnproxy_webproxy:2'],
-    );
+    ];
 }
 
-
-function opnproxy_user_changed($verbose = false, $username = '')
+function opnproxy_user_changed($unused, $username = '')
 {
-    exec("/usr/local/opnsense/scripts/OPNProxy/redis_sync_users.py " . escapeshellarg($username));
+    mwexecf('/usr/local/opnsense/scripts/OPNProxy/redis_sync_users.py %', $username);
 }
 
-
 function opnproxy_webproxy($verbose = false, $action = null)
 {
     $response = configd_run('template reload Deciso/Proxy');
+
     if ($verbose) {
         printf("template reload Deciso/Proxy: %s\n", trim($response));
     }

From 840714060e923e645a6e02977567841467315dfe Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 18 Nov 2025 21:28:19 +0100
Subject: [PATCH 2749/3088] www/caddy: Add changelog for sudo fix (#5036)

---
 www/caddy/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index c4a06b79d6..7e861f39c5 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/plugins/pull/4950)
 Fix: Enabling HTTP access log wrongly excluded the process logs (opnsense/plugins/pull/4974)
 Fix: fix setup.sh script not setting correct ownership in www user mode (opnsense/plugins/pull/4976)
+Fix: Prevent sudo on startup via skip_install_trust (opnsense/plugins/pull/5015)
 
 2.0.3
 

From a4fea0d6a23a620c2923f4226761f8c6fdf244a0 Mon Sep 17 00:00:00 2001
From: Florian Latifi <mail@florian-latifi.at>
Date: Tue, 11 Nov 2025 16:38:56 +0100
Subject: [PATCH 2750/3088] security/acme-client: add support for Hetzner Cloud
 DNS API

---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../LeValidation/DnsHetznercloud.php          | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHetznercloud.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index d710440361..a9a111f034 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1590,6 +1590,16 @@
         <label>API Token</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Hetzner Cloud DNS API</label>
+        <type>header</type>
+        <style>table_dns table_dns_hetznercloud</style>
+    </field>
+    <field>
+        <id>validation.dns_hetznercloud_token</id>
+        <label>API Token</label>
+        <type>password</type>
+    </field>
     <field>
         <label>1984Hosting API</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHetznercloud.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHetznercloud.php
new file mode 100644
index 0000000000..a45a3007fb
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHetznercloud.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Florian Latifi
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Hetzner Cloud DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsHetznercloud extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['HETZNER_TOKEN'] = (string)$this->config->dns_hetznercloud_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 9534d4beff..9bb3b08ed5 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -469,6 +469,7 @@
                         <dns_googledomains>Google Domains</dns_googledomains>
                         <dns_gdnsdk>GratisDNS.dk</dns_gdnsdk>
                         <dns_hetzner>Hetzner</dns_hetzner>
+                        <dns_hetznercloud>Hetzner Cloud</dns_hetznercloud>
                         <dns_hexonet>hexonet.com</dns_hexonet>
                         <dns_hostingde>hosting.de</dns_hostingde>
                         <dns_he>Hurricane Electric</dns_he>
@@ -1177,6 +1178,9 @@
                 <dns_hetzner_token type="TextField">
                     <Required>N</Required>
                 </dns_hetzner_token>
+                <dns_hetznercloud_token type="TextField">
+                    <Required>N</Required>
+                </dns_hetznercloud_token>
                 <dns_hexonet_login type="TextField">
                     <Required>N</Required>
                 </dns_hexonet_login>

From 9f23d0fb805ef4b6c11430e782f919d360ba9100 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 19 Nov 2025 11:03:17 -0500
Subject: [PATCH 2751/3088] sysutils/git-backup: update the shell execution
 code

1. Use explicit commands here for better tracing even if it requires
   spelling out '/usr/local/bin/git' a number of times.
2. Use the functionality that the Shell class has to offer now.
3. Use -C for changing the git working directory.
4. A bit of style left and right.
---
 sysutils/git-backup/Makefile                  |  2 +-
 .../mvc/app/library/OPNsense/Backup/Git.php   | 85 ++++++++++---------
 2 files changed, 48 insertions(+), 39 deletions(-)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 7474455971..65ebacdb40 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		git-backup
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_DEPENDS=		git
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index f9573f33e5..f780a5500f 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -1,38 +1,37 @@
 <?php
 
-/**
- *    Copyright (C) 2020 Deciso B.V.
- *
- *    All rights reserved.
+/*
+ * Copyright (C) 2020 Deciso B.V.
+ * All rights reserved.
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Backup;
 
+use OPNsense\Backup\GitSettings;
 use OPNsense\Core\Backend;
 use OPNsense\Core\Config;
-use OPNsense\Backup\GitSettings;
+use OPNsense\Core\Shell;
 
 /**
  * Class Git backup
@@ -136,29 +135,35 @@ public function setConfiguration($conf)
      */
     public function backup()
     {
-        $targetdir = "/conf/backup/git";
-        $git = "/usr/local/bin/git";
+        $targetdir = '/conf/backup/git';
         $mdl = new GitSettings();
+
         if (!is_dir($targetdir)) {
             mkdir($targetdir);
         }
+
         if (!is_dir('{$targetdir}/.git')) {
-            exec("{$git} init {$targetdir}");
+            Shell::run_safe('/usr/local/bin/git init %s', $targetdir);
         }
+
         // XXX: since our git backup is plain text and already contains the private key, it doesn't really matter
         //      to keep the same key in the git directory (we're not going to push it)
         $ident_file = "{$targetdir}/identity";
         $privkey = trim(str_replace("\r", "", (string)$mdl->privkey)) . "\n";
         file_put_contents($ident_file, $privkey);
         chmod("{$targetdir}/identity", 0600);
+
         // When there are unprocessed config backups, flush them out.
-        (new Backend())->configdRun("system event config_changed");
+        (new Backend())->configdRun('system event config_changed');
+
         // configure upstream
-        exec("cd {$targetdir} && " .
-            "{$git} config core.sshCommand " .
-            "\"ssh -i {$ident_file} -o StrictHostKeyChecking=accept-new -o PasswordAuthentication=no\"");
+        Shell::run_safe('/usr/local/bin/git -C %s config core.sshCommand %s', [
+            $targetdir, "ssh -i {$ident_file} -o StrictHostKeyChecking=accept-new -o PasswordAuthentication=no",
+        ]);
+
         $url = (string)$mdl->url;
         $pos = strpos($url, '//');
+
         // inject credentials in url (either username or username:password, depending on transport)
         if (stripos(trim((string)$mdl->url), 'http') === 0) {
             $cred = urlencode((string)$mdl->user) . ":" . urlencode((string)$mdl->password);
@@ -166,13 +171,16 @@ public function backup()
         } else {
             $url = substr($url, 0, $pos + 2) . urlencode((string)$mdl->user) . "@" . substr($url, $pos + 2);
         }
-        exec("cd {$targetdir} && {$git} remote remove origin");
-        exec("cd {$targetdir} && {$git} remote add origin " . escapeshellarg($url));
-        $force_flag = (string)$mdl->force_push === "1" ? "--force " : "";
-        $pushtxt = shell_exec(
-            "(cd {$targetdir} && {$git} push {$force_flag}origin " . escapeshellarg("master:{$mdl->branch}") .
-            " && echo '__exit_ok__') 2>&1"
-        );
+
+        Shell::run_safe('/usr/local/bin/git -C %s remote remove origin', $targetdir);
+        Shell::run_safe('/usr/local/bin/git -C %s remote add origin %s', [$targetdir, $url]);
+        $gitfrmt = ['(/usr/local/bin/git -C %s push'];
+        if ($mdl->force_push->isEqual('1')) {
+            $gitfrmt[] = '--force';
+        }
+        $gitfrmt[] = 'origin %s && echo "__exit_ok__") 2>&1';
+        $pushtxt = Shell::shell_safe($gitfrmt, "master:{$mdl->branch}");
+
         if (strpos($pushtxt, '__exit_ok__')) {
             $error_type = null;
         } elseif (strpos($pushtxt, 'Permission denied') || strpos($pushtxt, 'Authentication failed ')) {
@@ -184,12 +192,13 @@ public function backup()
         } else {
             $error_type = "unknown error, check log for details";
         }
+
         if (!empty($error_type)) {
             syslog(LOG_ERR, "git-backup {$error_type} (" . str_replace("\n", " ", $pushtxt) . ")");
             throw new \Exception($error_type);
         } else {
             // return filelist in git
-            return explode("\n", shell_exec("cd {$targetdir} && git ls-files"));
+            return Shell::shell_safe('/usr/local/bin/git -C %s ls-files', $targetdir, true);
         }
     }
 

From 16c1d89a57b8f9b5ab93025f3fe083021e8ff96a Mon Sep 17 00:00:00 2001
From: GutierrezJeremy <110025419+GutierrezJeremy@users.noreply.github.com>
Date: Wed, 19 Nov 2025 17:51:48 +0100
Subject: [PATCH 2752/3088] Add StartAgentPollers and
 MaxConcurrentChecksPerPoller options to Zabbix Proxy plugin (#5037)

Co-authored-by: Jeremy Gutierrez <Jeremy.gutierrez@markt.de>
---
 .../OPNsense/Zabbixproxy/forms/general.xml           | 12 ++++++++++++
 .../mvc/app/models/OPNsense/Zabbixproxy/General.xml  | 10 ++++++++++
 .../OPNsense/Zabbixproxy/zabbix_proxy.conf.in        |  6 ++++++
 3 files changed, 28 insertions(+)

diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index 9e9a174ea4..81f27139af 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -75,6 +75,12 @@
         <type>text</type>
         <help>Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).</help>
     </field>
+    <field>
+        <id>general.startagentpollers</id>
+        <label>Start Agent Pollers</label>
+        <type>text</type>
+        <help>The number of pre-forked instances of Zabbix agent pollers.</help>
+    </field>
     <field>
         <id>general.starttrappers</id>
         <label>Start Trappers</label>
@@ -99,6 +105,12 @@
         <type>text</type>
         <help>Number of pre-forked instances of VMware Collectors.</help>
     </field>
+    <field>
+        <id>general.maxconcurrentchecksperpoller</id>
+        <label>Max Concurrent Checks per Poller</label>
+        <type>text</type>
+        <help>The maximum number of asynchronous checks that can be executed at once.</help>
+    </field>
     <field>
         <id>general.starthttppollers</id>
         <label>Start HTTP Pollers</label>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index 2ad956f58c..bee067f448 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -29,6 +29,16 @@
         <startpollers type="TextField"/>
         <startipmipollers type="IntegerField"/>
         <startpollersunreachable type="IntegerField"/>
+        <startagentpollers type="IntegerField">
+            <MinimumValue>0</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <Required>N</Required>
+        </startagentpollers>
+        <maxconcurrentchecksperpoller type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <Required>N</Required>
+        </maxconcurrentchecksperpoller>
         <starttrappers type="IntegerField"/>
         <startpingers type="IntegerField"/>
         <startdiscoverers type="IntegerField"/>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index 90d7e38ac1..f4cb6cf867 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -57,6 +57,12 @@ StartIPMIPollers={{ OPNsense.zabbixproxy.general.startipmipollers }}
 {% if helpers.exists('OPNsense.zabbixproxy.general.startpollersunreachable') and OPNsense.zabbixproxy.general.startpollersunreachable != '' %}
 StartPollersUnreachable={{ OPNsense.zabbixproxy.general.startpollersunreachable }}
 {% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.startagentpollers') and OPNsense.zabbixproxy.general.startagentpollers != '' %}
+StartAgentPollers={{ OPNsense.zabbixproxy.general.startagentpollers }}
+{% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.maxconcurrentchecksperpoller') and OPNsense.zabbixproxy.general.maxconcurrentchecksperpoller != '' %}
+MaxConcurrentChecksPerPoller={{ OPNsense.zabbixproxy.general.maxconcurrentchecksperpoller }}
+{% endif %}
 {% if helpers.exists('OPNsense.zabbixproxy.general.starttrappers') and OPNsense.zabbixproxy.general.starttrappers != '' %}
 StartTrappers={{ OPNsense.zabbixproxy.general.starttrappers }}
 {% endif %}

From 9c9c657d797c30542e5bc8068a5078ba263de61c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Nov 2025 09:42:08 -0500
Subject: [PATCH 2753/3088] net/ndp-proxy-go: release 1.0

---
 net/ndp-proxy-go/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
index 914df8f898..74c200a73e 100644
--- a/net/ndp-proxy-go/Makefile
+++ b/net/ndp-proxy-go/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ndp-proxy-go
-PLUGIN_VERSION=		0.1
-PLUGIN_DEVEL=		yes
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol (NDP) Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 PLUGIN_DEPENDS=		ndp-proxy-go

From 65187a2de4bee7aab2c499e21e669db633d43692 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Nov 2025 09:43:37 -0500
Subject: [PATCH 2754/3088] README: sync

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a3b1593425..382bb0b854 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ net/google-cloud-sdk -- Google Cloud SDK
 net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service
 net/mdns-repeater -- Proxy multicast DNS between networks
-net/ndp-proxy-go -- IPv6 Neighbor Discovery Protocol Proxy (development only)
+net/ndp-proxy-go -- IPv6 Neighbor Discovery Protocol (NDP) Proxy
 net/ndproxy -- Neighbor Discovery Proxy
 net/ntopng -- Traffic Analysis and Flow Collection
 net/radsecproxy -- RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport

From a92fe03b6a8754d9102e3ff91348525ed48c0605 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Nov 2025 09:46:06 -0500
Subject: [PATCH 2755/3088] www/nginx: one more refactor revision bump

---
 www/nginx/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 59e1f9511f..ee39050d5c 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.35
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 0f09a24fc8d887b84f61032ec3bbb921daa9a1d0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Nov 2025 11:13:17 -0500
Subject: [PATCH 2756/3088] net/frr: new version

---
 net/frr/Makefile  | 2 +-
 net/frr/pkg-descr | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index d9a9d55962..72426c8e52 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.48
+PLUGIN_VERSION=		1.49
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 6b0ed2ecb0..0f648c4dbe 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,13 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.49
+
+* Add hint about service reload / restart behaviour
+* Fix SNMP OSPF argument flags in RC configuration file
+* Fix STATIC template interface issue
+* Replace shell_exec() with mwexecfm()
+
 1.48
 
 * Add BFD detect-multiplier, transmit-interval, receive-interval (opnsense/plugins/pull/5000)

From a696ef090fae8654cbfc5f28a27009857b30edee Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 20 Nov 2025 16:00:23 -0500
Subject: [PATCH 2757/3088] make: expand on plain target or target with
 argument

---
 Makefile | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/Makefile b/Makefile
index 839ba7cce1..2d253f1a4c 100644
--- a/Makefile
+++ b/Makefile
@@ -47,15 +47,18 @@ list:
 	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_OBSOLETE)" ]; then echo "(pending removal)"; fi)
 .endfor
 
-# shared targets that are sane to run from the root directory
+# known good targets (expanded below)
 TARGETS=	clean glint lint revision style sweep test
 
-.for TARGET in ${TARGETS}
-${TARGET}:
-.  for PLUGIN_DIR in ${PLUGIN_DIRS}
-	@echo ">>> Entering ${PLUGIN_DIR}"
-	@${MAKE} -C ${PLUGIN_DIR} ${TARGET}
-.  endfor
+.for _TARGET in ${.TARGETS}
+__TARGET=	${TARGETS:M${_TARGET:C/-.*//}}
+.  if "${__TARGET}" != ""
+${_TARGET}:
+.    for PLUGIN_DIR in ${PLUGIN_DIRS}
+	@echo ">>> Entering ${PLUGIN_DIR} with target '${_TARGET}'"
+	@${MAKE} -C ${PLUGIN_DIR} ${_TARGET}
+.    endfor
+.  endif
 .endfor
 
 license:

From 9ebf053b8ea25a4555fa14ee85703b09fcf3f746 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 22 Nov 2025 14:13:11 +0100
Subject: [PATCH 2758/3088] misc/theme-flexcolor: inject css into files that
 are cache safe

This is a bit weird, but lets us inline the branding CSS and the
cache invalidation for CSS works fine.
---
 misc/theme-flexcolor/src/etc/rc.d/flexcolor     | 17 ++++++++++++-----
 ...p-dialog.css => bootstrap-dialog.css.shadow} |  0
 ...p-select.css => bootstrap-select.css.shadow} |  0
 .../css/{dashboard.css => dashboard.css.shadow} |  0
 ...dns-overview.css => dns-overview.css.shadow} |  0
 ....bootgrid.css => jquery.bootgrid.css.shadow} |  0
 .../build/css/{main.css => main.css.shadow}     |  0
 .../build/css/{nv.d3.css => nv.d3.css.shadow}   |  0
 ...ootgrid.css => opnsense-bootgrid.css.shadow} |  0
 .../css/{tokenize2.css => tokenize2.css.shadow} |  0
 10 files changed, 12 insertions(+), 5 deletions(-)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{bootstrap-dialog.css => bootstrap-dialog.css.shadow} (100%)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{bootstrap-select.css => bootstrap-select.css.shadow} (100%)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{dashboard.css => dashboard.css.shadow} (100%)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{dns-overview.css => dns-overview.css.shadow} (100%)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{jquery.bootgrid.css => jquery.bootgrid.css.shadow} (100%)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{main.css => main.css.shadow} (100%)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{nv.d3.css => nv.d3.css.shadow} (100%)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{opnsense-bootgrid.css => opnsense-bootgrid.css.shadow} (100%)
 rename misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/{tokenize2.css => tokenize2.css.shadow} (100%)

diff --git a/misc/theme-flexcolor/src/etc/rc.d/flexcolor b/misc/theme-flexcolor/src/etc/rc.d/flexcolor
index cb8fd322ea..8566e8e41a 100755
--- a/misc/theme-flexcolor/src/etc/rc.d/flexcolor
+++ b/misc/theme-flexcolor/src/etc/rc.d/flexcolor
@@ -22,13 +22,20 @@ CACHEMARKER="/usr/local/opnsense/www/index.php"
 flexcolor_start()
 {
 	SELECTEDCSS="${SCHEMESDIR}/${flexcolor_theme}/${DEFAULTCSS}"
+	if [ ! -f "${SELECTEDCSS}" ]; then
+		warn "The theme '${flexcolor_theme}' was not found."
+		return
+	fi
 
-	if [ -f "${SELECTEDCSS}" ]; then
-		cp "${SELECTEDCSS}" "${TARGETDIR}/${DEFAULTCSS}"
+	for FILE in $(find ${TARGETDIR} -name "*.sample"); do
+		FILE=${FILE%.sample}
+		cp ${FILE}.sample ${FILE}
+		sed -i '' -e "/@import url('default_scheme.css');/r ${SELECTEDCSS}" ${FILE}
+		sed -i '' -e "/@import url('default_scheme.css');/d" ${FILE}
+	done
 
-		if [ -f "${CACHEMARKER}" ]; then
-			touch "${CACHEMARKER}"
-		fi
+	if [ -f "${CACHEMARKER}" ]; then
+		touch "${CACHEMARKER}"
 	fi
 }
 
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-dialog.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-dialog.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-dialog.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-dialog.css.shadow
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-select.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-select.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-select.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/bootstrap-select.css.shadow
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dashboard.css.shadow
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dns-overview.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dns-overview.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dns-overview.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/dns-overview.css.shadow
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/jquery.bootgrid.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/jquery.bootgrid.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/jquery.bootgrid.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/jquery.bootgrid.css.shadow
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css.shadow
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/nv.d3.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/nv.d3.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/nv.d3.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/nv.d3.css.shadow
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/opnsense-bootgrid.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/opnsense-bootgrid.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/opnsense-bootgrid.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/opnsense-bootgrid.css.shadow
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css.shadow
similarity index 100%
rename from misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css
rename to misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/tokenize2.css.shadow

From b5fd182511bc9d620f132c4de2673115e211c30f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 22 Nov 2025 15:07:58 +0100
Subject: [PATCH 2759/3088] sysutils/virtualbox: switch to newer package

---
 sysutils/virtualbox/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sysutils/virtualbox/Makefile b/sysutils/virtualbox/Makefile
index 19a947dbc8..c8025aada2 100644
--- a/sysutils/virtualbox/Makefile
+++ b/sysutils/virtualbox/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		virtualbox
 PLUGIN_VERSION=		1.0
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		VirtualBox guest additions
-PLUGIN_DEPENDS=		virtualbox-ose-additions-nox11
+PLUGIN_DEPENDS=		virtualbox-ose-additions-nox11-72
 PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"

From d2a47d4703ce5c6e11fb94828489076ca2c1403a Mon Sep 17 00:00:00 2001
From: Q-Feeds <support@qfeeds.com>
Date: Sat, 22 Nov 2025 16:00:28 +0100
Subject: [PATCH 2760/3088] security/q-feeds-connector - Add license expiry
 date + name to widget (#5040)

---
 .../OPNsense/QFeeds/Api/SettingsController.php   |  7 +++++++
 .../src/opnsense/www/js/widgets/QFeeds.js        | 16 +++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
index b65b7b1a66..2a1b9ab52d 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
@@ -110,6 +110,13 @@ public function statsAction()
                     }
                 }
             }
+            // Add license information from company_info if available
+            if (!empty($info['company_info'])) {
+                $stats['license'] = [
+                    'name' => $info['company_info']['license_name'] ?? null,
+                    'expiry_date' => $info['company_info']['license_expiry_date'] ?? null
+                ];
+            }
         }
         return $stats;
     }
diff --git a/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js b/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
index bf5acbcb12..aa13fb5e8b 100644
--- a/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
+++ b/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
@@ -71,6 +71,8 @@ export default class QFeeds extends BaseTableWidget {
         }
         let rows = [];
         let feeds = [];
+        let licenseInfoShown = false;
+        
         for (let feed of data.feeds) {
             feeds.push(
                 `<b><i class="fa fa-fw fa-angle-right" aria-hidden="true"></i> ${feed.name}</b>`,
@@ -78,7 +80,19 @@ export default class QFeeds extends BaseTableWidget {
                 `<div><i class="fa fa-fw fa-circle-o" aria-hidden="true"></i> &nbsp;&nbsp;${this.translations.next_update}: ${feed.next_update}</div>`
             );
             if (feed.licensed) {
-                feeds.push(`<div><i class="fa fa-fw fa-check" aria-hidden="true"></i> &nbsp;&nbsp;${this.translations.licensed}</div>`);
+                let licenseText = this.translations.licensed;
+                if (data.license && data.license.name) {
+                    licenseText += ` (${data.license.name})`;
+                }
+                feeds.push(`<div><i class="fa fa-fw fa-check" aria-hidden="true"></i> &nbsp;&nbsp;${licenseText}</div>`);
+                if (!licenseInfoShown && data.license && data.license.expiry_date) {
+                    const expiryDate = new Date(data.license.expiry_date);
+                    if (!isNaN(expiryDate.getTime())) {
+                        const formattedDate = expiryDate.toLocaleDateString();
+                        feeds.push(`<div><i class="fa fa-fw fa-calendar" aria-hidden="true"></i> &nbsp;&nbsp;Expires: ${formattedDate}</div>`);
+                    }
+                    licenseInfoShown = true;
+                }
             } else {
                 feeds.push(`<div><i class="fa fa-fw fa-close" aria-hidden="true"></i> &nbsp;&nbsp;${this.translations.unlicensed}</div>`);
             }

From 52ec3fd3f9076d4052322c9102cd399a9a29641f Mon Sep 17 00:00:00 2001
From: Q-Feeds <support@qfeeds.com>
Date: Sun, 23 Nov 2025 18:29:58 +0100
Subject: [PATCH 2761/3088] Add ports to events page (#5043)

* Add ports to Events page

* Update Makefile

* Update pkg-descr

* Update security/q-feeds-connector/pkg-descr

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* Update security/q-feeds-connector/Makefile

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 security/q-feeds-connector/Makefile                      | 2 +-
 security/q-feeds-connector/pkg-descr                     | 4 ++++
 .../OPNsense/QFeeds/Api/SettingsController.php           | 2 ++
 .../opnsense/mvc/app/views/OPNsense/QFeeds/index.volt    | 2 ++
 .../src/opnsense/scripts/qfeeds/lib/log.py               | 9 +++++++--
 5 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index 4b4a22416d..b2bf170b23 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		q-feeds-connector
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_TIER=		2
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 796c7e92bf..ca7e38c891 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -2,6 +2,10 @@ Connector for Q-Feeds threat intel
 
 Plugin Changelog
 ================
+1.3
+
+* Events: added source and destination port
+* Widget: Added license info 
 
 1.2
 
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
index 2a1b9ab52d..5e14ae7f51 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
@@ -85,6 +85,8 @@ public function searchEventsAction()
                     'direction' => $row[2],
                     'source' => $row[3],
                     'destination' => $row[4],
+                    'source_port' => $row[5] ?? '',
+                    'destination_port' => $row[6] ?? '',
                 ];
             }
         }
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
index 52425088dc..0d350f8cd8 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
@@ -110,7 +110,9 @@ POSSIBILITY OF SUCH DAMAGE.
                     <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
                     <th data-column-id="direction" data-type="string">{{ lang._('Direction') }}</th>
                     <th data-column-id="source" data-type="string">{{ lang._('Source') }}</th>
+                    <th data-column-id="source_port" data-type="string">{{ lang._('Source Port') }}</th>
                     <th data-column-id="destination" data-type="string">{{ lang._('Destination') }}</th>
+                    <th data-column-id="destination_port" data-type="string">{{ lang._('Destination Port') }}</th>
                 </tr>
             </thead>
             <tbody>
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
index fd2c506db9..d3aca4ee2e 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
@@ -58,10 +58,15 @@ def _collect_rule_ids(self):
 
     @staticmethod
     def _parse_log_line(line):
-        # quick scan for datetime, interface, direction, source, dest
+        # quick scan for datetime, interface, direction, source, dest, source_port, dest_port
         parts = line.split()
         fw_line = parts[-1].split(',') # strip syslog
-        return [parts[1], fw_line[4], fw_line[7]] + [x for x in fw_line if is_ip_address(x)]
+        ip_addresses = [x for x in fw_line if is_ip_address(x)]
+        # Find destination IP position to get ports from next fields (only if numeric)
+        dest_idx = fw_line.index(ip_addresses[1]) if len(ip_addresses) > 1 else len(fw_line)
+        source_port = fw_line[dest_idx + 1] if dest_idx + 1 < len(fw_line) and fw_line[dest_idx + 1].isdigit() else ''
+        dest_port = fw_line[dest_idx + 2] if dest_idx + 2 < len(fw_line) and fw_line[dest_idx + 2].isdigit() else ''
+        return [parts[1], fw_line[4], fw_line[7]] + ip_addresses + [source_port, dest_port]
 
     def find(self, max_time=60, max_results=50000):
         result = []

From 3897c7316c93193ca346058ffede2425a760dbba Mon Sep 17 00:00:00 2001
From: Q-Feeds <support@qfeeds.com>
Date: Mon, 24 Nov 2025 08:30:14 +0100
Subject: [PATCH 2762/3088] Feature/threat lookup magnifier button (#5044)

* Update Makefile

* Update pkg-descr

* Update security/q-feeds-connector/pkg-descr

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* Update security/q-feeds-connector/Makefile

Co-authored-by: Franco Fichtner <franco@lastsummer.de>

* Add threat lookup magnifier buttons to events table

- Add magnifier buttons next to source and destination IP addresses in events table
- Buttons open Threat Intelligence Portal in new tab with IP pre-filled
- Automatically triggers search when TIP page loads
- Buttons are right-aligned in their respective columns
- Works for both logged-in and logged-out users (with proper redirect handling)

* Update pkg-descr

* Refactor formatters to use template literals (backticks) for better readability

Addresses reviewer feedback to use template literals instead of string concatenation for HTML generation in JavaScript formatters.

* Update pkg-descr: consolidate all changes into version 1.3

* Use const instead of var for modern JavaScript best practices

Addresses reviewer feedback to use const/let instead of var for better block scoping and to prevent accidental reassignment.

---------

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 security/q-feeds-connector/pkg-descr          |  3 +-
 .../mvc/app/views/OPNsense/QFeeds/index.volt  | 41 +++++++++++++++++--
 2 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index ca7e38c891..02f302bdff 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -2,9 +2,10 @@ Connector for Q-Feeds threat intel
 
 Plugin Changelog
 ================
-1.3
 
+1.3
 * Events: added source and destination port
+* Events: added quick Threat Lookup button to dest-ip and source-ip fields
 * Widget: Added license info 
 
 1.2
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
index 0d350f8cd8..c719d9cb45 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
@@ -56,7 +56,42 @@ POSSIBILITY OF SUCH DAMAGE.
             } else if (e.target.id === 'events_tab') {
                 if (!$("#grid-events").hasClass('tabulator')) {
                     $("#grid-events").UIBootgrid({
-                        'search': '/api/q_feeds/settings/search_events/'
+                        'search': '/api/q_feeds/settings/search_events/',
+                        'options': {
+                            formatters: {
+                                'source': function(column, row) {
+                                    if (!row.source) return '';
+                                    return `<div style="display: flex; justify-content: space-between; align-items: center;">
+                                        <span>${row.source}</span>
+                                        <button type="button" class="btn btn-xs btn-default threat-lookup-btn bootgrid-tooltip" 
+                                                data-ip="${row.source}" 
+                                                title="Lookup Source IP in Threat Intelligence Portal">
+                                            <span class="fa fa-fw fa-search"></span>
+                                        </button>
+                                    </div>`;
+                                },
+                                'destination': function(column, row) {
+                                    if (!row.destination) return '';
+                                    return `<div style="display: flex; justify-content: space-between; align-items: center;">
+                                        <span>${row.destination}</span>
+                                        <button type="button" class="btn btn-xs btn-default threat-lookup-btn bootgrid-tooltip" 
+                                                data-ip="${row.destination}" 
+                                                title="Lookup Destination IP in Threat Intelligence Portal">
+                                            <span class="fa fa-fw fa-search"></span>
+                                        </button>
+                                    </div>`;
+                                }
+                            }
+                        }
+                    });
+                    
+                    // Add click handler for threat lookup button
+                    $(document).on('click', '.threat-lookup-btn', function() {
+                        const ip = $(this).data('ip');
+                        if (ip) {
+                            const tipUrl = 'https://tip.qfeeds.com/views/threat-lookup/index.php?q=' + encodeURIComponent(ip);
+                            window.open(tipUrl, '_blank');
+                        }
                     });
                 } else {
                     $("#grid-events").bootgrid("reload");
@@ -109,9 +144,9 @@ POSSIBILITY OF SUCH DAMAGE.
                     <th data-column-id="timestamp" data-type="string">{{ lang._('Timestamp') }}</th>
                     <th data-column-id="interface" data-type="string">{{ lang._('Interface') }}</th>
                     <th data-column-id="direction" data-type="string">{{ lang._('Direction') }}</th>
-                    <th data-column-id="source" data-type="string">{{ lang._('Source') }}</th>
+                    <th data-column-id="source" data-type="string" data-formatter="source">{{ lang._('Source') }}</th>
                     <th data-column-id="source_port" data-type="string">{{ lang._('Source Port') }}</th>
-                    <th data-column-id="destination" data-type="string">{{ lang._('Destination') }}</th>
+                    <th data-column-id="destination" data-type="string" data-formatter="destination">{{ lang._('Destination') }}</th>
                     <th data-column-id="destination_port" data-type="string">{{ lang._('Destination Port') }}</th>
                 </tr>
             </thead>

From 6f123ed55373b8083d145f1658cd9e22f43c474b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 24 Nov 2025 09:07:56 +0100
Subject: [PATCH 2763/3088] security/q-feeds-connector: style sweep

---
 security/q-feeds-connector/pkg-descr                   |  3 ++-
 .../opnsense/mvc/app/views/OPNsense/QFeeds/index.volt  | 10 +++++-----
 .../src/opnsense/www/js/widgets/QFeeds.js              |  2 +-
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 02f302bdff..c336c3b3db 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -4,9 +4,10 @@ Plugin Changelog
 ================
 
 1.3
+
 * Events: added source and destination port
 * Events: added quick Threat Lookup button to dest-ip and source-ip fields
-* Widget: Added license info 
+* Widget: Added license info
 
 1.2
 
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
index c719d9cb45..21d3b54c7e 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
@@ -63,8 +63,8 @@ POSSIBILITY OF SUCH DAMAGE.
                                     if (!row.source) return '';
                                     return `<div style="display: flex; justify-content: space-between; align-items: center;">
                                         <span>${row.source}</span>
-                                        <button type="button" class="btn btn-xs btn-default threat-lookup-btn bootgrid-tooltip" 
-                                                data-ip="${row.source}" 
+                                        <button type="button" class="btn btn-xs btn-default threat-lookup-btn bootgrid-tooltip"
+                                                data-ip="${row.source}"
                                                 title="Lookup Source IP in Threat Intelligence Portal">
                                             <span class="fa fa-fw fa-search"></span>
                                         </button>
@@ -74,8 +74,8 @@ POSSIBILITY OF SUCH DAMAGE.
                                     if (!row.destination) return '';
                                     return `<div style="display: flex; justify-content: space-between; align-items: center;">
                                         <span>${row.destination}</span>
-                                        <button type="button" class="btn btn-xs btn-default threat-lookup-btn bootgrid-tooltip" 
-                                                data-ip="${row.destination}" 
+                                        <button type="button" class="btn btn-xs btn-default threat-lookup-btn bootgrid-tooltip"
+                                                data-ip="${row.destination}"
                                                 title="Lookup Destination IP in Threat Intelligence Portal">
                                             <span class="fa fa-fw fa-search"></span>
                                         </button>
@@ -84,7 +84,7 @@ POSSIBILITY OF SUCH DAMAGE.
                             }
                         }
                     });
-                    
+
                     // Add click handler for threat lookup button
                     $(document).on('click', '.threat-lookup-btn', function() {
                         const ip = $(this).data('ip');
diff --git a/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js b/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
index aa13fb5e8b..d69ed21cd4 100644
--- a/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
+++ b/security/q-feeds-connector/src/opnsense/www/js/widgets/QFeeds.js
@@ -72,7 +72,7 @@ export default class QFeeds extends BaseTableWidget {
         let rows = [];
         let feeds = [];
         let licenseInfoShown = false;
-        
+
         for (let feed of data.feeds) {
             feeds.push(
                 `<b><i class="fa fa-fw fa-angle-right" aria-hidden="true"></i> ${feed.name}</b>`,

From b8b276326b90f5a4442fc082c46fab290b05ace3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 24 Nov 2025 09:10:55 +0100
Subject: [PATCH 2764/3088] [bd]*: minimal style sweep (whitespace only)

---
 .../models/OPNsense/iperf/FakeInstance.xml    |  18 +-
 .../mvc/app/models/OPNsense/Redis/Redis.xml   | 210 +++++++++---------
 .../mvc/app/models/OPNsense/Bind/Acl.xml      |   2 +-
 3 files changed, 115 insertions(+), 115 deletions(-)

diff --git a/benchmarks/iperf/src/opnsense/mvc/app/models/OPNsense/iperf/FakeInstance.xml b/benchmarks/iperf/src/opnsense/mvc/app/models/OPNsense/iperf/FakeInstance.xml
index 1ca2f112ed..f3254be98e 100644
--- a/benchmarks/iperf/src/opnsense/mvc/app/models/OPNsense/iperf/FakeInstance.xml
+++ b/benchmarks/iperf/src/opnsense/mvc/app/models/OPNsense/iperf/FakeInstance.xml
@@ -1,11 +1,11 @@
 <model>
-  <mount>//OPNsense/Iperf3</mount>
-  <description>Fake model for the API - will be never stored to config (only used for defaults, validation etc.).</description>
-  <items>
-    <interface type="InterfaceField">
-      <Default>lan</Default>
-      <Required>Y</Required>
-      <Multiple>N</Multiple>
-    </interface>
-  </items>
+    <mount>//OPNsense/Iperf3</mount>
+    <description>Fake model for the API - will be never stored to config (only used for defaults, validation etc.).</description>
+    <items>
+        <interface type="InterfaceField">
+            <Default>lan</Default>
+            <Required>Y</Required>
+            <Multiple>N</Multiple>
+        </interface>
+    </items>
 </model>
diff --git a/databases/redis/src/opnsense/mvc/app/models/OPNsense/Redis/Redis.xml b/databases/redis/src/opnsense/mvc/app/models/OPNsense/Redis/Redis.xml
index 2a2f05d315..df895e9862 100644
--- a/databases/redis/src/opnsense/mvc/app/models/OPNsense/Redis/Redis.xml
+++ b/databases/redis/src/opnsense/mvc/app/models/OPNsense/Redis/Redis.xml
@@ -1,108 +1,108 @@
 <model>
-  <mount>//OPNsense/redis</mount>
-  <description>Redis DB</description>
-  <items>
-    <general>
-      <enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enabled>
-      <listen type="InterfaceField">
-        <Required>N</Required>
-        <Multiple>Y</Multiple>
-      </listen>
-      <protected_mode type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </protected_mode>
-      <port type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <MaximumValue>65536</MaximumValue>
-        <Required>N</Required>
-        <Default>6379</Default>
-        <ValidationMessage>This must be a valid port number.</ValidationMessage>
-      </port>
-      <log_level type="OptionField">
-        <Required>Y</Required>
-        <Default>warning</Default>
-        <OptionValues>
-          <debug>Debug</debug>
-          <verbose>Verbose</verbose>
-          <notice>Notice</notice>
-          <warning>Warning</warning>
-        </OptionValues>
-      </log_level>
-      <syslog_enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </syslog_enabled>
-      <syslog_facility type="OptionField">
-        <Required>Y</Required>
-        <Default>LOCAL0</Default>
-        <OptionValues>
-          <USER>USER</USER>
-          <LOCAL0>LOCAL0</LOCAL0>
-          <LOCAL1>LOCAL1</LOCAL1>
-          <LOCAL2>LOCAL2</LOCAL2>
-          <LOCAL3>LOCAL3</LOCAL3>
-          <LOCAL4>LOCAL4</LOCAL4>
-          <LOCAL5>LOCAL5</LOCAL5>
-          <LOCAL6>LOCAL6</LOCAL6>
-          <LOCAL7>LOCAL7</LOCAL7>
-        </OptionValues>
-      </syslog_facility>
-      <databases type="IntegerField">
-        <MinimumValue>0</MinimumValue>
-        <Required>Y</Required>
-        <Default>16</Default>
-      </databases>
-    </general>
-    <security>
-      <password type="TextField">
-        <Required>N</Required>
-      </password>
-      <disable_commands type="CSVListField">
+    <mount>//OPNsense/redis</mount>
+    <description>Redis DB</description>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <listen type="InterfaceField">
+                <Required>N</Required>
+                <Multiple>Y</Multiple>
+            </listen>
+            <protected_mode type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </protected_mode>
+            <port type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65536</MaximumValue>
+                <Required>N</Required>
+                <Default>6379</Default>
+                <ValidationMessage>This must be a valid port number.</ValidationMessage>
+            </port>
+            <log_level type="OptionField">
+                <Required>Y</Required>
+                <Default>warning</Default>
+                <OptionValues>
+                    <debug>Debug</debug>
+                    <verbose>Verbose</verbose>
+                    <notice>Notice</notice>
+                    <warning>Warning</warning>
+                </OptionValues>
+            </log_level>
+            <syslog_enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </syslog_enabled>
+            <syslog_facility type="OptionField">
+                <Required>Y</Required>
+                <Default>LOCAL0</Default>
+                <OptionValues>
+                    <USER>USER</USER>
+                    <LOCAL0>LOCAL0</LOCAL0>
+                    <LOCAL1>LOCAL1</LOCAL1>
+                    <LOCAL2>LOCAL2</LOCAL2>
+                    <LOCAL3>LOCAL3</LOCAL3>
+                    <LOCAL4>LOCAL4</LOCAL4>
+                    <LOCAL5>LOCAL5</LOCAL5>
+                    <LOCAL6>LOCAL6</LOCAL6>
+                    <LOCAL7>LOCAL7</LOCAL7>
+                </OptionValues>
+            </syslog_facility>
+            <databases type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <Required>Y</Required>
+                <Default>16</Default>
+            </databases>
+        </general>
+        <security>
+            <password type="TextField">
+                <Required>N</Required>
+            </password>
+            <disable_commands type="CSVListField">
       </disable_commands>
-    </security>
-    <limits>
-      <maxclients type="IntegerField">
-        <MinimumValue>0</MinimumValue>
-        <Required>N</Required>
-        <Default>10000</Default>
-      </maxclients>
-      <maxmemory type="IntegerField">
-        <MinimumValue>0</MinimumValue>
-        <Required>N</Required>
-      </maxmemory>
-      <maxmemory_policy type="OptionField">
-        <Required>Y</Required>
-        <Default>noeviction</Default>
-        <OptionValues>
-          <noeviction>noeviction</noeviction>
-          <volatile-ttl>volatile-ttl</volatile-ttl>
-          <allkeys-random>allkeys-random</allkeys-random>
-          <volatile-random>volatile-random</volatile-random>
-          <allkeys-lru>allkeys-lru</allkeys-lru>
-          <volatile-lru>volatile-lru</volatile-lru>
-        </OptionValues>
-      </maxmemory_policy>
-      <maxmemory_samples type="IntegerField">
-        <MinimumValue>0</MinimumValue>
-        <Required>N</Required>
-        <Default>5</Default>
-      </maxmemory_samples>
-    </limits>
-    <slowlog>
-      <slower_than type="IntegerField">
-        <MinimumValue>0</MinimumValue>
-        <Required>N</Required>
-        <Default>10000</Default>
-      </slower_than>
-      <max_len type="IntegerField">
-        <MinimumValue>0</MinimumValue>
-        <Required>N</Required>
-        <Default>128</Default>
-      </max_len>
-    </slowlog>
-  </items>
+        </security>
+        <limits>
+            <maxclients type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <Required>N</Required>
+                <Default>10000</Default>
+            </maxclients>
+            <maxmemory type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <Required>N</Required>
+            </maxmemory>
+            <maxmemory_policy type="OptionField">
+                <Required>Y</Required>
+                <Default>noeviction</Default>
+                <OptionValues>
+                    <noeviction>noeviction</noeviction>
+                    <volatile-ttl>volatile-ttl</volatile-ttl>
+                    <allkeys-random>allkeys-random</allkeys-random>
+                    <volatile-random>volatile-random</volatile-random>
+                    <allkeys-lru>allkeys-lru</allkeys-lru>
+                    <volatile-lru>volatile-lru</volatile-lru>
+                </OptionValues>
+            </maxmemory_policy>
+            <maxmemory_samples type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <Required>N</Required>
+                <Default>5</Default>
+            </maxmemory_samples>
+        </limits>
+        <slowlog>
+            <slower_than type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <Required>N</Required>
+                <Default>10000</Default>
+            </slower_than>
+            <max_len type="IntegerField">
+                <MinimumValue>0</MinimumValue>
+                <Required>N</Required>
+                <Default>128</Default>
+            </max_len>
+        </slowlog>
+    </items>
 </model>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
index a628f28a5f..efa489b85b 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml
@@ -13,7 +13,7 @@
                     <Required>Y</Required>
                     <Mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z_\-]{1,32}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, A-Z, _ and -. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
-                     <Constraints>
+                    <Constraints>
                         <check001>
                             <ValidationMessage>An ACL with this name already exists.</ValidationMessage>
                             <type>UniqueConstraint</type>

From df4b6e006e2a74566d8e7bfdb219c10ecc588e8c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 26 Nov 2025 20:49:22 +0100
Subject: [PATCH 2765/3088] databases/redis: wow, fix this stupid bug

PR: https://www.reddit.com/r/opnsense/comments/1ozm5pc/cant_start_redis_on_opnsense_2577_4_track66379/
---
 databases/redis/Makefile                                    | 2 +-
 .../opnsense/service/templates/OPNsense/Redis/redis.conf    | 6 +-----
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/databases/redis/Makefile b/databases/redis/Makefile
index 129de8ac7d..c6639e95e5 100644
--- a/databases/redis/Makefile
+++ b/databases/redis/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		redis
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Redis DB
 PLUGIN_DEPENDS=		redis72
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis.conf b/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis.conf
index a42284da49..8882751ea7 100644
--- a/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis.conf
+++ b/databases/redis/src/opnsense/service/templates/OPNsense/Redis/redis.conf
@@ -55,11 +55,7 @@
 {%     if helpers.exists('virtualip') %}
 {%       for intf_item in helpers.toList('virtualip.vip') %}
 {%         if intf_item.interface == listen_interface and intf_item.mode in ['carp', 'ipalias'] %}
-{%           if intf_item.subnet.find(':') > -1 %}
-{% do listen_ip.append(interface_ip) %}
-{%           else %}
-{% do listen_ip.append(interface_ip) %}
-{%           endif %}
+{% do listen_ip.append(intf_item.subnet) %}
 {%         endif %}
 {%       endfor %}
 {%     endif %}

From c77c3c0cca0033c7597ed458a49d13a9a22b77de Mon Sep 17 00:00:00 2001
From: GutierrezJeremy <110025419+GutierrezJeremy@users.noreply.github.com>
Date: Thu, 27 Nov 2025 17:36:51 +0100
Subject: [PATCH 2766/3088] net-mgmt/zabbix-proxy and zabbix-agent: add
 ListenBacklog option (#5046)

Co-authored-by: Jeremy Gutierrez <Jeremy.gutierrez@markt.de>
---
 .../controllers/OPNsense/ZabbixAgent/forms/settings.xml   | 8 ++++++++
 .../mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml   | 5 +++++
 .../templates/OPNsense/ZabbixAgent/zabbix_agentd.conf     | 4 ++++
 .../controllers/OPNsense/Zabbixproxy/forms/general.xml    | 6 ++++++
 .../mvc/app/models/OPNsense/Zabbixproxy/General.xml       | 5 +++++
 .../templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in   | 3 +++
 6 files changed, 31 insertions(+)

diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
index 46fdf4947c..cc854c45bc 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/controllers/OPNsense/ZabbixAgent/forms/settings.xml
@@ -34,6 +34,14 @@
             <hint>Optional</hint>
             <help><![CDATA[An optional source IP address for outgoing connections.]]></help>
         </field>
+        <field>
+            <id>zabbixagent.settings.main.listenBacklog</id>
+            <label>Listen Backlog</label>
+            <type>text</type>
+            <minimum>0</minimum>
+            <maximum>2147483647</maximum>
+            <help><![CDATA[The maximum number of pending connections in the TCP queue.]]></help>
+        </field>
         <field>
             <id>zabbixagent.settings.main.serverList</id>
             <label>Zabbix Servers</label>
diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index 0a181f74bf..29fc8168a1 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -46,6 +46,11 @@
                     <NetMaskAllowed>N</NetMaskAllowed>
                     <ValidationMessage>Please provide a valid IP address, i.e. 10.0.0.1.</ValidationMessage>
                 </sourceIP>
+                <listenBacklog type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>2147483647</MaximumValue>
+                    <Required>N</Required>
+                </listenBacklog>
                 <syslogEnable type="BooleanField"/>
                 <logFileSize type="IntegerField">
                     <Default>100</Default>
diff --git a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
index bafea22b4f..f8f08a5b50 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
+++ b/net-mgmt/zabbix-agent/src/opnsense/service/templates/OPNsense/ZabbixAgent/zabbix_agentd.conf
@@ -33,6 +33,10 @@ Server={{OPNsense.ZabbixAgent.settings.main.serverList}}
 ListenPort={{OPNsense.ZabbixAgent.settings.main.listenPort}}
 ListenIP={{OPNsense.ZabbixAgent.settings.main.listenIP}}
 
+{% if helpers.exists('OPNsense.ZabbixAgent.settings.main.listenBacklog') and OPNsense.ZabbixAgent.settings.main.listenBacklog != '' %}
+ListenBacklog={{ OPNsense.ZabbixAgent.settings.main.listenBacklog }}
+{% endif %}
+
 {% if OPNsense.ZabbixAgent.settings.features.enableActiveChecks == '1' and OPNsense.ZabbixAgent.settings.features.activeCheckServers|default("") != "" %}
 ServerActive={{OPNsense.ZabbixAgent.settings.features.activeCheckServers}}
 {% endif %}
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
index 81f27139af..c31655fb8f 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/controllers/OPNsense/Zabbixproxy/forms/general.xml
@@ -57,6 +57,12 @@
         <type>text</type>
         <help>Source IP address for outgoing connections.</help>
     </field>
+    <field>
+        <id>general.listenbacklog</id>
+        <label>Listen Backlog</label>
+        <type>text</type>
+        <help>The maximum number of pending connections in the TCP queue.</help>
+    </field>
     <field>
         <id>general.startpollers</id>
         <label>Start Pollers</label>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index bee067f448..4d130fab1a 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -26,6 +26,11 @@
             <AsList>Y</AsList>
         </listenip>
         <sourceip type="NetworkField"/>
+        <listenbacklog type="IntegerField">
+            <MinimumValue>0</MinimumValue>
+            <MaximumValue>2147483647</MaximumValue>
+            <Required>N</Required>
+        </listenbacklog>
         <startpollers type="TextField"/>
         <startipmipollers type="IntegerField"/>
         <startpollersunreachable type="IntegerField"/>
diff --git a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
index f4cb6cf867..6849c02b60 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
+++ b/net-mgmt/zabbix-proxy/src/opnsense/service/templates/OPNsense/Zabbixproxy/zabbix_proxy.conf.in
@@ -25,6 +25,9 @@ ListenPort={{ OPNsense.zabbixproxy.general.listenport }}
 {% if helpers.exists('OPNsense.zabbixproxy.general.sourceip') and OPNsense.zabbixproxy.general.sourceip != '' %}
 SourceIP={{ OPNsense.zabbixproxy.general.sourceip }}
 {% endif %}
+{% if helpers.exists('OPNsense.zabbixproxy.general.listenbacklog') and OPNsense.zabbixproxy.general.listenbacklog != '' %}
+ListenBacklog={{ OPNsense.zabbixproxy.general.listenbacklog }}
+{% endif %}
 {% if helpers.exists('OPNsense.zabbixproxy.general.syslogEnable') and OPNsense.zabbixproxy.general.syslogEnable == '1' %}
 LogType=system
 {% else %}

From 351090da19d4c9eb5b924ba4c150935ef9a94bd5 Mon Sep 17 00:00:00 2001
From: Sam Sheridan <sheridans@users.noreply.github.com>
Date: Thu, 27 Nov 2025 16:40:17 +0000
Subject: [PATCH 2767/3088] security/tailscale: fix to prevent use of pre-auth
 key in startup after auth (#5047)

---
 security/tailscale/Makefile                   |  2 +-
 security/tailscale/pkg-descr                  |  4 ++
 .../templates/OPNsense/Tailscale/rc.conf.d    | 39 +++++++++++--------
 3 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index ed1eeaebb6..6c95b7cd0e 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tailscale
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS=		tailscale
 PLUGIN_MAINTAINER=	sam@sheridan.uk
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 54639ddb97..2720f8a92a 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -6,6 +6,10 @@ https://tailscale.com/
 Plugin Changelog
 ================
 
+1.3
+
+* modify rc script to prevent re-using auth key if already authenticated
+
 1.2
 
 * add option to allow Tailscale to manage SSH connections
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index e8e9e63938..2bad6d020c 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -38,23 +38,28 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    if helpers.exists('OPNsense.tailscale.authentication.loginServer') %}
 {%      do up_args.append("--login-server=" + OPNsense.tailscale.authentication.loginServer) %}
 {%    endif %}
-{%    if helpers.exists('OPNsense.tailscale.authentication.preAuthKey') %}
-{%      do up_args.append("--auth-key=" + OPNsense.tailscale.authentication.preAuthKey) %}
-{%    else %}
-{%      do up_args.append("--auth-key=non-specified") %}
-{%    endif %}
-{#  loop through subnets to build list #}
-{%    if helpers.exists('OPNsense.tailscale.settings.subnets.subnet4') %}
-{%      set subnets = [] %}
-{%      for subnet_list in helpers.toList('OPNsense.tailscale.settings.subnets.subnet4') %}
-{%        do subnets.append(subnet_list.subnet) %}
-{%      endfor %}
-{%      set subnetString = subnets|join(',') %}
-{%      do up_args.append("--advertise-routes=" + subnetString) %}
-{%    else %}
-{%      do up_args.append("--advertise-routes=") %}
-{%    endif %}
+{#    loop through subnets to build list #}
+{%      if helpers.exists('OPNsense.tailscale.settings.subnets.subnet4') %}
+{%        set subnets = [] %}
+{%        for subnet_list in helpers.toList('OPNsense.tailscale.settings.subnets.subnet4') %}
+{%          do subnets.append(subnet_list.subnet) %}
+{%        endfor %}
+{%        set subnetString = subnets|join(',') %}
+{%        do up_args.append("--advertise-routes=" + subnetString) %}
+{%      else %}
+{%        do up_args.append("--advertise-routes=") %}
+{%      endif %}
+{%      if helpers.exists('OPNsense.tailscale.authentication.preAuthKey') %}
+# Conditionally add auth-key only if not already authenticated
+if [ -f /var/db/tailscale/tailscaled.state ] && grep -q '"_current-profile"' /var/db/tailscale/tailscaled.state 2>/dev/null; 
+then
+    tailscaled_up_args="{{ up_args|join(' ') }}"
+else
+    tailscaled_up_args="{{ up_args|join(' ') }} --auth-key={{ OPNsense.tailscale.authentication.preAuthKey }}"
+fi
+{%      else %}
 tailscaled_up_args="{{ up_args|join(' ') }}"
+{%      endif %}
 {%  else %}
-tailscaled_enable=NO
+tailscaled_enable="NO"
 {%  endif %}

From 248ef71920f9711130b37f829fae11c4823b405b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 27 Nov 2025 17:48:28 +0100
Subject: [PATCH 2768/3088] security/tailscale: simplify previous a little

---
 security/tailscale/pkg-descr                        |  2 +-
 .../service/templates/OPNsense/Tailscale/rc.conf.d  | 13 ++++++-------
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 2720f8a92a..b2066fa79c 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -8,7 +8,7 @@ Plugin Changelog
 
 1.3
 
-* modify rc script to prevent re-using auth key if already authenticated
+* modify RC script to prevent re-using auth key if already authenticated
 
 1.2
 
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 2bad6d020c..42c21b5615 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -7,6 +7,7 @@ tailscaled_enable="YES"
 # see - https://github.com/tailscale/tailscale/issues/5573#issuecomment-1584695981
 tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
 {%    endif %}
+tailscaled_up_args_ext=
 {%    if helpers.exists('OPNsense.tailscale.settings.listenPort') %}
 tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    endif %}
@@ -51,15 +52,13 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%      endif %}
 {%      if helpers.exists('OPNsense.tailscale.authentication.preAuthKey') %}
 # Conditionally add auth-key only if not already authenticated
-if [ -f /var/db/tailscale/tailscaled.state ] && grep -q '"_current-profile"' /var/db/tailscale/tailscaled.state 2>/dev/null; 
-then
-    tailscaled_up_args="{{ up_args|join(' ') }}"
-else
-    tailscaled_up_args="{{ up_args|join(' ') }} --auth-key={{ OPNsense.tailscale.authentication.preAuthKey }}"
+if [ -f /var/db/tailscale/tailscaled.state ]; then
+	if ! grep -q '"_current-profile"' /var/db/tailscale/tailscaled.state; then
+		tailscaled_up_args_ext="--auth-key={{ OPNsense.tailscale.authentication.preAuthKey }}"
+	fi
 fi
-{%      else %}
-tailscaled_up_args="{{ up_args|join(' ') }}"
 {%      endif %}
+tailscaled_up_args="{{ up_args|join(' ') }} ${tailscaled_up_args_ext}"
 {%  else %}
 tailscaled_enable="NO"
 {%  endif %}

From 5ca28c84470c83643e3465d6a69d230180c7d818 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 29 Nov 2025 08:24:35 +0100
Subject: [PATCH 2769/3088] net/freeradius: proposal for #5050

---
 net/freeradius/Makefile                         |  1 +
 .../app/models/OPNsense/Freeradius/General.xml  | 17 +++++++++++++----
 .../service/templates/OPNsense/Freeradius/users |  6 +++---
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index abfa82c673..3b4090d528 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		freeradius
 PLUGIN_VERSION=		1.9.28
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
index 5e04541b4e..754287d6e8 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
@@ -25,7 +25,7 @@
             <MaximumValue>4096</MaximumValue>
             <Constraints>
                 <check001>
-                    <ValidationMessage>You need to set a propper VLAN ID.</ValidationMessage>
+                    <ValidationMessage>VLAN fallback assignment needs to be enabled.</ValidationMessage>
                     <type>DependConstraint</type>
                     <addFields>
                         <field1>fallbackvlan_enabled</field1>
@@ -33,6 +33,18 @@
                 </check001>
             </Constraints>
         </fallbackvlan_id>
+        <fallback_tunnel_password type="TextField">
+            <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</Mask>
+            <Constraints>
+                <check001>
+                    <ValidationMessage>VLAN fallback assignment needs to be enabled.</ValidationMessage>
+                    <type>DependConstraint</type>
+                    <addFields>
+                        <field1>fallbackvlan_enabled</field1>
+                    </addFields>
+                </check001>
+            </Constraints>
+        </fallback_tunnel_password>
         <ldap_enabled type="BooleanField">
             <Default>0</Default>
             <Required>N</Required>
@@ -152,8 +164,5 @@
             <Default>0</Default>
             <Required>Y</Required>
         </fallbackproxy>
-        <fallback_tunnel_password type="TextField">
-            <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</Mask>
-        </fallback_tunnel_password>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
index 9603b713c4..4fa541ac78 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/users
@@ -113,14 +113,14 @@ DEFAULT Ldap-Group == "{{ ldapgroup_list.ldapgroupname }}"
 {%    endfor %}
 {%  endif %}
 
-{%  if helpers.exists('OPNsense.freeradius.general.fallbackvlan_enabled') or helpers.exists('OPNsense.freeradius.general.fallback_tunnel_password') %}
+{%  if OPNsense.freeradius.general.fallbackvlan_enabled == '1' %}
 DEFAULT Auth-Type := Accept
-{%  if helpers.exists('OPNsense.freeradius.general.fallbackvlan_enabled') and OPNsense.freeradius.general.fallbackvlan_enabled == '1' %}
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
+{%  if helpers.exists('OPNsense.freeradius.general.fallbackvlan_id') and OPNsense.freeradius.general.fallbackvlan_id != '' %}
        Tunnel-Private-Group-Id = {{ OPNsense.freeradius.general.fallbackvlan_id }},
 {%  endif %}
-{%  if helpers.exists('OPNsense.freeradius.general.fallback_tunnel_password') %}
+{%  if helpers.exists('OPNsense.freeradius.general.fallback_tunnel_password') and OPNsense.freeradius.general.fallback_tunnel_password != '' %}
        Tunnel-Password = {{ OPNsense.freeradius.general.fallback_tunnel_password }},
 {%  endif %}
        Framed-Protocol = PPP

From 4e967c787d1af6041338cb27cd14b088d565cd42 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sat, 29 Nov 2025 08:51:48 +0100
Subject: [PATCH 2770/3088] net/freeradius: modify VLAN fallback logic #5050

While it's nice to constrain this it's also very inflexible.
With fallback disabled we can retain values in tunnel pw and
VLAN ID.  Enabling it without these options may be weird, but
not a large problem.  Template was rearranged to generate
the most logic outcome.

Some due maintenance sprinkled on top.
---
 .../OPNsense/Freeradius/forms/general.xml     | 14 ++---
 .../models/OPNsense/Freeradius/General.xml    | 18 ------
 .../views/OPNsense/Freeradius/general.volt    | 57 +++++++++----------
 3 files changed, 34 insertions(+), 55 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
index 98beb72d90..aca4163624 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/general.xml
@@ -25,6 +25,13 @@
         <advanced>true</advanced>
         <help>Define the Fallback VLAN group ID.</help>
     </field>
+    <field>
+        <id>general.fallback_tunnel_password</id>
+        <label>Fallback VLAN tunnel password</label>
+        <type>password</type>
+        <advanced>true</advanced>
+        <help>Define the Fallback VLAN Tunnel-Password. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#=: with up to 128 characters.</help>
+    </field>
     <field>
         <id>general.ldap_enabled</id>
         <label>Enable LDAP</label>
@@ -152,11 +159,4 @@
         <advanced>true</advanced>
         <help>Fallback for proxy server. Default disabled.</help>
     </field>
-    <field>
-        <id>general.fallback_tunnel_password</id>
-        <label>Fallback Tunnel password</label>
-        <type>password</type>
-        <advanced>true</advanced>
-        <help>Define the Fallback Tunnel-Password. Allowed characters are 0-9, a-z, A-Z, and ,._-!$%/()+#=: with up to 128 characters.</help>
-    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
index 754287d6e8..b530c42bcb 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/General.xml
@@ -23,27 +23,9 @@
         <fallbackvlan_id type="IntegerField">
             <MinimumValue>1</MinimumValue>
             <MaximumValue>4096</MaximumValue>
-            <Constraints>
-                <check001>
-                    <ValidationMessage>VLAN fallback assignment needs to be enabled.</ValidationMessage>
-                    <type>DependConstraint</type>
-                    <addFields>
-                        <field1>fallbackvlan_enabled</field1>
-                    </addFields>
-                </check001>
-            </Constraints>
         </fallbackvlan_id>
         <fallback_tunnel_password type="TextField">
             <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=\{\}:]){1,128}$/u</Mask>
-            <Constraints>
-                <check001>
-                    <ValidationMessage>VLAN fallback assignment needs to be enabled.</ValidationMessage>
-                    <type>DependConstraint</type>
-                    <addFields>
-                        <field1>fallbackvlan_enabled</field1>
-                    </addFields>
-                </check001>
-            </Constraints>
         </fallback_tunnel_password>
         <ldap_enabled type="BooleanField">
             <Default>0</Default>
diff --git a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/general.volt b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/general.volt
index d87dedf7e9..4db7788a6d 100644
--- a/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/general.volt
+++ b/net/freeradius/src/opnsense/mvc/app/views/OPNsense/Freeradius/general.volt
@@ -1,36 +1,33 @@
 {#
-
-OPNsense® is Copyright © 2014 – 2017 by Deciso B.V.
-This file is Copyright © 2017 by Michael Muenz <m.muenz@gmail.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-1.  Redistributions of source code must retain the above copyright notice,
-    this list of conditions and the following disclaimer.
-
-2.  Redistributions in binary form must reproduce the above copyright notice,
-    this list of conditions and the following disclaimer in the documentation
-    and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-#}
+ # Copyright (c) 2014-2017 Deciso B.V.
+ # Copyright (c) 2017 Michael Muenz <m.muenz@gmail.com>
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1  Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2  Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
 
 <div class="content-box" style="padding-bottom: 1.5em;">
     {{ partial("layout_partials/base_form",['fields':generalForm,'id':'frm_general_settings'])}}
-    <div class="col-md-12">
-        <hr />
+    <div class="col-md-12 __mt">
         <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_progress" class=""></i></button>
     </div>
 </div>
@@ -52,7 +49,7 @@ POSSIBILITY OF SUCH DAMAGE.
                     updateServiceControlUI('freeradius');
                     $("#saveAct_progress").removeClass("fa fa-spinner fa-pulse");
                 });
-            });
+            }, true);
         });
     });
 </script>

From fafe14b7bd8805b092005b6e54271013b1295bbf Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 30 Nov 2025 11:13:35 +0100
Subject: [PATCH 2771/3088] www/squid - remove references to firewall_nat.php
 as this will go away shortly and we don't plan to re-add a similar template
 for this.

ref: https://github.com/opnsense/core/issues/8401
---
 .../mvc/app/controllers/OPNsense/Proxy/forms/main.xml         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 8c01e6af79..bc45c4c442 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -312,13 +312,13 @@
                 <id>proxy.forward.transparentMode</id>
                 <label>Enable Transparent HTTP proxy</label>
                 <type>checkbox</type>
-                <help><![CDATA[Enable transparent proxy mode. You will need a firewall rule to forward traffic from the firewall to the proxy server. You may leave the proxy interfaces empty, but remember to set a valid ACL in that case. <a href="/firewall_nat_edit.php?template=transparent_proxy"> Add a new firewall rule </a>]]></help>
+                <help><![CDATA[Enable transparent proxy mode. You will need a firewall rule to forward traffic from the firewall to the proxy server. You may leave the proxy interfaces empty, but remember to set a valid ACL in that case.]]></help>
             </field>
             <field>
                 <id>proxy.forward.sslbump</id>
                 <label>Enable SSL inspection</label>
                 <type>checkbox</type>
-                <help><![CDATA[Enable SSL inspection mode, which allows to log HTTPS connections information, such as requested URL and/or make the proxy act as a man in the middle between the internet and your clients. Be aware of the security implications before enabling this option. If you plan to use transparent HTTPS mode, you need nat rules to reflect your traffic.<a href="/firewall_nat_edit.php?template=transparent_proxy&https=1">Add a new firewall rule </a>]]></help>
+                <help><![CDATA[Enable SSL inspection mode, which allows to log HTTPS connections information, such as requested URL and/or make the proxy act as a man in the middle between the internet and your clients. Be aware of the security implications before enabling this option. If you plan to use transparent HTTPS mode, you need nat rules to reflect your traffic.]]></help>
             </field>
             <field>
                 <id>proxy.forward.sslurlonly</id>

From ce2dfe77053a3a9aa4886587475cbf2f47889e44 Mon Sep 17 00:00:00 2001
From: Peter <145142820+peterv99@users.noreply.github.com>
Date: Sun, 30 Nov 2025 22:34:50 +0100
Subject: [PATCH 2772/3088] security/acme-client: Add support for mijn.host DNS
 challenge (#4446)

* Add support for mijn.host DNS challenge.
---
 .../AcmeClient/forms/dialogValidation.xml     |  9 ++++
 .../AcmeClient/LeValidation/DnsMijnhost.php   | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 57 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMijnhost.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index a9a111f034..9883fc6fd5 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1950,6 +1950,15 @@
         <type>password</type>
     </field>
     <field>
+        <label>mijn.host</label>
+        <type>header</type>
+        <style>table_dns table_dns_mijnhost</style>
+    </field>
+    <field>
+        <id>validation.dns_mijnhost_api_key</id>
+        <label>API Key</label>
+        <type>text</type>
+        <help><![CDATA[Please refer to the <a href="https://mijn.host/api/doc/">API documentation</a> for further information.]]></help>
         <label>scaleway</label>
         <type>header</type>
         <style>table_dns table_dns_scaleway</style>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMijnhost.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMijnhost.php
new file mode 100644
index 0000000000..f077995c25
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsMijnhost.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Peter Vos
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * mijn.host DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsMijnhost extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['MIJNHOST_API_KEY'] = (string)$this->config->dns_mijnhost_api_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 9bb3b08ed5..c46efd2c50 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -492,6 +492,7 @@
                         <dns_loopia>Loopia</dns_loopia>
                         <dns_lua>LuaDNS.com</dns_lua>
                         <dns_miab>MailinaBox</dns_miab>
+                        <dns_mijnhost>mijn.host</dns_mijnhost>
                         <dns_mydnsjp>MyDNS.JP</dns_mydnsjp>
                         <dns_mythic_beasts>Mythic Beasts</dns_mythic_beasts>
                         <dns_namecom>Name.com</dns_namecom>
@@ -1319,6 +1320,9 @@
                 <dns_rage4_user type="TextField">
                     <Required>N</Required>
                 </dns_rage4_user>
+                <dns_mijnhost_api_key type="TextField">
+                    <Required>N</Required>
+                </dns_mijnhost_api_key>
                 <dns_scaleway_token type="TextField">
                     <Required>N</Required>
                 </dns_scaleway_token>

From a12012ad37693b39cabd363776080ef11547f0b3 Mon Sep 17 00:00:00 2001
From: Lis <olgagorbushina1980@gmail.com>
Date: Mon, 1 Dec 2025 00:53:46 +0300
Subject: [PATCH 2773/3088] security/acme-client: add support for selectel.ru
 V2 API (#4824)

* security/acme-client: add support for selectel.ru V2 API
* fix syntax depreciation warning in SecurityController.php
---
 .../AcmeClient/Api/SettingsController.php     |  4 +--
 .../AcmeClient/forms/dialogValidation.xml     | 36 ++++++++++++++++++-
 .../AcmeClient/LeValidation/DnsSelectel.php   |  7 ++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 18 ++++++++++
 4 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
index 5251a32f7c..4104f6bf29 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php
@@ -77,7 +77,7 @@ public function fetchCronIntegrationAction()
                     } else {
                         // Cron job NOT found. This should not happen, try to fix
                         // this automatically.
-                        $this->getLogger()->error("AcmeClient: cron job with stored UUID not found in system config: ${cron_uuid}");
+                        $this->getLogger()->error("AcmeClient: cron job with stored UUID not found in system config: {$cron_uuid}");
 
                         // Search for existing AcmeClient cron job.
                         foreach ((new Cron())->getNodeByReference('jobs.job')->iterateItems() as $cron) {
@@ -86,7 +86,7 @@ public function fetchCronIntegrationAction()
                             if ($_origin == 'AcmeClient') {
                                 // Found a matching AcmeClient cron job.
                                 $cron_found = 1;
-                                $this->getLogger()->notice("AcmeClient: found existing AcmeClient cron job, fixing inconsistency in config (new UUID: ${_uuid})");
+                                $this->getLogger()->notice("AcmeClient: found existing AcmeClient cron job, fixing inconsistency in config (new UUID: {$_uuid})");
                                 // Update UUID in Acme Client config.
                                 $mdlAcme->settings->UpdateCron = $_uuid;
                                 // Save updated configuration.
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 269807d1e2..6a8f69a648 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1236,8 +1236,42 @@
     </field>
     <field>
         <id>validation.dns_sl_key</id>
-        <label>API Key</label>
+        <label>API Key (DEPRECIATED)</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_sl_apiver</id>
+        <label>API Version</label>
+        <type>text</type>
+        <help>Available Values: V2</help>
+    </field>
+    <field>
+        <id>validation.dns_sl_token_lifetime</id>
+        <label>Token lifetime</label>
+        <type>text</type>
+        <help>Token lifetime in minutes (0-1440)</help>
+    </field>
+    <field>
+        <id>validation.dns_sl_account_id</id>
+        <label>Account ID</label>
         <type>text</type>
+        <help>Account number, can be seen in the upper right corner on the provider's website</help>
+    </field>
+    <field>
+        <id>validation.dns_sl_project_name</id>
+        <label>Project name</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_sl_login_name</id>
+        <label>Service username</label>
+        <type>text</type>
+        <help>Service username, can be seen in the control panel</help>
+    </field>
+    <field>
+        <id>validation.dns_sl_password</id>
+        <label>Password</label>
+        <type>password</type>
     </field>
     <field>
         <label>Selfhost</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
index 56e3112666..9d1ee7ec86 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
@@ -2,6 +2,7 @@
 
 /*
  * Copyright (C) 2020 Frank Wall
+ * Modifications Copyright (C) 2025 Renat Gorbushin
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -40,5 +41,11 @@ class DnsSelectel extends Base implements LeValidationInterface
     public function prepare()
     {
         $this->acme_env['SL_Key'] = (string)$this->config->dns_sl_key;
+        $this->acme_env['SL_Ver'] = (string)$this->config->dns_sl_apiver;
+        $this->acme_env['SL_Expire'] = (string)$this->config->dns_slv2_token_lifetime;
+        $this->acme_env['SL_Login_ID'] = (string)$this->config->dns_sl_account_id;
+        $this->acme_env['SL_Project_Name'] = (string)$this->config->dns_sl_project_name;
+        $this->acme_env['SL_Login_Name'] = (string)$this->config->dns_sl_login_name;
+        $this->acme_env['SL_Pswd'] = (string)$this->config->dns_sl_password;
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 3e4e6b916f..672eac7a23 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1056,6 +1056,24 @@
                 <dns_sl_key type="TextField">
                     <Required>N</Required>
                 </dns_sl_key>
+                <dns_sl_apiver type="TextField">
+                    <Required>N</Required>
+                </dns_sl_apiver>
+                <dns_sl_token_lifetime type="TextField">
+                    <Required>N</Required>
+                </dns_sl_token_lifetime>
+                <dns_sl_account_id type="TextField">
+                    <Required>N</Required>
+                </dns_sl_account_id>
+                <dns_sl_project_name type="TextField">
+                    <Required>N</Required>
+                </dns_sl_project_name>
+                <dns_sl_login_name type="TextField">
+                    <Required>N</Required>
+                </dns_sl_login_name>
+                <dns_sl_password type="TextField">
+                    <Required>N</Required>
+                </dns_sl_password>
                 <dns_selfhost_user type="TextField">
                     <Required>N</Required>
                 </dns_selfhost_user>

From b9241d6888cd35a068f0c958f82a13a5654b9036 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Dec 2025 07:59:07 +0100
Subject: [PATCH 2774/3088] security/acme-client: style changes

---
 .../app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php   | 2 +-
 .../library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
index 5f478d1432..88e86551fc 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsAzure.php
@@ -43,7 +43,7 @@ public function prepare()
         $this->acme_env['AZUREDNS_TENANTID'] = (string)$this->config->dns_azuredns_tenantid;
         $this->acme_env['AZUREDNS_APPID'] = (string)$this->config->dns_azuredns_appid;
         $this->acme_env['AZUREDNS_CLIENTSECRET'] = (string)$this->config->dns_azuredns_clientsecret;
-        
+
         if ($this->config->dns_azuredns_managedidentity == '1') {
             $this->acme_env['AZUREDNS_MANAGEDIDENTITY'] = 'true';
         }
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
index 9d1ee7ec86..5cae485b2f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
@@ -2,7 +2,7 @@
 
 /*
  * Copyright (C) 2020 Frank Wall
- * Modifications Copyright (C) 2025 Renat Gorbushin
+ * Copyright (C) 2025 Renat Gorbushin
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without

From 5675e6f23d5b9b04623ba78d8db227a0bedce1c7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Dec 2025 08:06:11 +0100
Subject: [PATCH 2775/3088] LICENSE: sync

---
 LICENSE | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/LICENSE b/LICENSE
index 87aa831870..d28296414d 100644
--- a/LICENSE
+++ b/LICENSE
@@ -24,6 +24,7 @@ Copyright (c) 2008-2014 Ermal Luçi
 Copyright (c) 2016-2019 EURO-LOG AG
 Copyright (c) 2017-2020 Fabian Franz
 Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
+Copyright (c) 2025 Florian Latifi
 Copyright (c) 2024 Francisco Dimattia <info@tecnoservicio.com.ar>
 Copyright (c) 2014-2025 Franco Fichtner <franco@opnsense.org>
 Copyright (c) 2016-2025 Frank Wall
@@ -67,8 +68,10 @@ Copyright (c) 2023 Oliver Hartl
 Copyright (c) 2025 Oliver Traber <hi@bluemedia.dev>
 Copyright (c) 2024 Olly Baker <ilumos@gmail.com>
 Copyright (c) 2019 Pascal Mathis <mail@pascalmathis.com>
+Copyright (c) 2025 Peter Vos
 Copyright (c) 2025 Ralph Moser, PJ Monitoring GmbH
 Copyright (c) 2024 realizelol
+Copyright (c) 2025 Renat Gorbushin
 Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2023 sattamjh
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>

From 564674b469722a619c7d1a5e880cd82e25364740 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Dec 2025 08:14:21 +0100
Subject: [PATCH 2776/3088] net/haproxy: change wording style for "DEPRECATED"

---
 .../app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index a826ecfa85..ded45f08c2 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -207,9 +207,9 @@
     </field>
     <field>
         <id>frontend.forwardFor</id>
-        <label>X-Forwarded-For (DEPRECATED)</label>
+        <label>X-Forwarded-For (deprecated)</label>
         <type>checkbox</type>
-        <help><![CDATA[This option is DEPRECATED and should no longer be used. A new option is available in backend pool settings.]]></help>
+        <help><![CDATA[This option is deprecated and should no longer be used. A new option is available in backend pool settings.]]></help>
     </field>
     <field>
         <id>frontend.prometheus_enabled</id>

From 77424cdf9f41dcaff358fbd7f7c53764a34e14fc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Dec 2025 08:15:50 +0100
Subject: [PATCH 2777/3088] security/acme-client: fix style for "DEPREC(I)ATED"

---
 security/acme-client/pkg-descr                         |  2 +-
 .../OPNsense/AcmeClient/forms/dialogValidation.xml     | 10 +++++-----
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  |  4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index f954107257..77d44c6779 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -354,7 +354,7 @@ Changed:
 
 Changed:
 * rename "Linode Cloud API" to "Linode API (v4)" (#2609)
-* rename "Linode API" to "Linode API (v3 / Deprecated)" (#2609)
+* rename "Linode API" to "Linode API (v3/deprecated)" (#2609)
 
 3.3
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 6a8f69a648..1ae76c22c1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -580,9 +580,9 @@
     </field>
     <field>
         <id>validation.dns_gandi_livedns_key</id>
-        <label>API Key (DEPRECATED)</label>
+        <label>API key (deprecated)</label>
         <type>text</type>
-        <help>The API Key is the previous mechanism that was replaced with Personal Access Tokens. API Keys should no longer be used.</help>
+        <help>The API key is the previous mechanism that was replaced with Personal Access Tokens. API keys should no longer be used.</help>
     </field>
     <field>
         <label>Google Cloud DNS</label>
@@ -825,7 +825,7 @@
         <help>Specify the location of the generated TSIG Key inside the TSIG file using grep and cut, example: grep \# /etc/knot/acme.key | cut -d' ' -f2</help>
     </field>
     <field>
-        <label>lexicon (DEPRECATED)</label>
+        <label>Lexicon (deprecated)</label>
         <type>header</type>
         <style>table_dns table_dns_lexicon</style>
     </field>
@@ -855,7 +855,7 @@
         <type>text</type>
     </field>
     <field>
-        <label>Linode API (v3 / Deprecated)</label>
+        <label>Linode API (v3/deprecated)</label>
         <type>header</type>
         <style>table_dns table_dns_linode</style>
     </field>
@@ -1236,7 +1236,7 @@
     </field>
     <field>
         <id>validation.dns_sl_key</id>
-        <label>API Key (DEPRECIATED)</label>
+        <label>API key (deprecated)</label>
         <type>text</type>
     </field>
     <field>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 672eac7a23..451ddee709 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -485,9 +485,9 @@
                         <dns_kinghost>KingHost</dns_kinghost>
                         <dns_knot>Knot (knsupdate)</dns_knot>
                         <dns_leaseweb>LeaseWeb</dns_leaseweb>
-                        <dns_lexicon>lexicon (DEPRECATED)</dns_lexicon>
+                        <dns_lexicon>Lexicon (deprecated)</dns_lexicon>
                         <dns_limacity>Lima-City (TrafficPlex)</dns_limacity>
-                        <dns_linode>Linode (v3 / Deprecated)</dns_linode>
+                        <dns_linode>Linode (v3/deprecated)</dns_linode>
                         <dns_linode_v4>Linode (v4)</dns_linode_v4>
                         <dns_loopia>Loopia</dns_loopia>
                         <dns_lua>LuaDNS.com</dns_lua>

From 5032208e800bab2c0d04d23979946acd051f3851 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 1 Dec 2025 11:15:29 +0100
Subject: [PATCH 2778/3088] net/zerotier: set as unmaintained for #4746

---
 Makefile              | 1 +
 Mk/plugins.mk         | 4 ++--
 README.md             | 2 +-
 net/zerotier/Makefile | 1 -
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 2d253f1a4c..abd83c36f1 100644
--- a/Makefile
+++ b/Makefile
@@ -43,6 +43,7 @@ all:
 list:
 .for PLUGIN_DIR in ${PLUGIN_DIRS}
 	@echo ${PLUGIN_DIR} -- $$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_COMMENT) \
+	    $$(if [ "$$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_MAINTAINER)" = "N/A" ]; then echo "(not maintained)"; fi) \
 	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_DEVEL _PLUGIN_DEVEL=)" ]; then echo "(development only)"; fi) \
 	    $$(if [ -n "$$(${MAKE} -C ${PLUGIN_DIR} -v PLUGIN_OBSOLETE)" ]; then echo "(pending removal)"; fi)
 .endfor
diff --git a/Mk/plugins.mk b/Mk/plugins.mk
index 3144a72851..2c89efc64e 100644
--- a/Mk/plugins.mk
+++ b/Mk/plugins.mk
@@ -43,12 +43,12 @@ PLUGIN_SCRIPTS=		+PRE_INSTALL +POST_INSTALL \
 			+PRE_DEINSTALL +POST_DEINSTALL
 
 PLUGIN_WWW?=		https://opnsense.org/
+PLUGIN_MAINTAINER?=	N/A
 PLUGIN_LICENSE?=	BSD2CLAUSE
 PLUGIN_TIER?=		3
 PLUGIN_REVISION?=	0
 
-PLUGIN_REQUIRES=	PLUGIN_NAME PLUGIN_VERSION PLUGIN_COMMENT \
-			PLUGIN_MAINTAINER
+PLUGIN_REQUIRES=	PLUGIN_NAME PLUGIN_VERSION PLUGIN_COMMENT
 
 .include "common.mk"
 .include "git.mk"
diff --git a/README.md b/README.md
index 382bb0b854..dfb72caf40 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,7 @@ net/udpbroadcastrelay -- Control udpbroadcastrelay processes
 net/upnp -- UPnP IGD & PCP/NAT-PMP Service
 net/vnstat -- Network traffic monitor
 net/wol -- Wake on LAN Service
-net/zerotier -- Virtual Networks That Just Work
+net/zerotier -- Virtual Networks That Just Work (not maintained)
 net-mgmt/collectd -- Collect system and application performance metrics periodically
 net-mgmt/lldpd -- LLDP allows you to know exactly on which port is a server
 net-mgmt/net-snmp -- Net-SNMP is a daemon for the SNMP protocol
diff --git a/net/zerotier/Makefile b/net/zerotier/Makefile
index bd40a597be..ae7f99b1ee 100644
--- a/net/zerotier/Makefile
+++ b/net/zerotier/Makefile
@@ -3,6 +3,5 @@ PLUGIN_VERSION=		1.3.2
 PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		Virtual Networks That Just Work
 PLUGIN_DEPENDS=		zerotier
-PLUGIN_MAINTAINER=	dharrigan@gmail.com
 
 .include "../../Mk/plugins.mk"

From 124b4dbf68238c357b164fbd82582d779015b9ac Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 1 Dec 2025 00:34:12 +0100
Subject: [PATCH 2779/3088] net/turnserver: add log page, switch to syslog

Co-authored-by: Franco Fichtner <franco@lastsummer.de>
---
 net/turnserver/Makefile                                  | 2 +-
 net/turnserver/pkg-descr                                 | 7 +++++++
 .../controllers/OPNsense/Turnserver/forms/settings.xml   | 4 ++--
 .../mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml       | 2 ++
 .../mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml     | 5 ++++-
 .../scripts/OPNsense/Turnserver/export_certs.php         | 9 +++++++++
 .../templates/OPNsense/Syslog/local/turnserver.conf      | 6 ++++++
 .../templates/OPNsense/Turnserver/turnserver.conf        | 1 +
 8 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 net/turnserver/src/opnsense/service/templates/OPNsense/Syslog/local/turnserver.conf

diff --git a/net/turnserver/Makefile b/net/turnserver/Makefile
index dfe3b1ce6e..9fbad5318f 100644
--- a/net/turnserver/Makefile
+++ b/net/turnserver/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		turnserver
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		The coturn STUN/TURN Server
 PLUGIN_DEPENDS=		turnserver
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
index c2673e293f..b33cc92cbe 100644
--- a/net/turnserver/pkg-descr
+++ b/net/turnserver/pkg-descr
@@ -5,8 +5,15 @@ WWW: https://github.com/coturn/coturn
 
 1.1
 
+Added:
+* add log page
+
 Changed:
 * hide protocol violating options
+* switch to local syslog logging
+
+Removed:
+* remove old log files
 
 1.0
 
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
index 4f6c322d35..f16808f18c 100644
--- a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
@@ -116,14 +116,14 @@
         <id>turnserver.settings.ChannelLifetime</id>
         <label>Channel Lifetime</label>
         <type>text</type>
-        <help>The lifetime for the channel (in seconds). Default value is 600 secs (10 minutes). MUST NOT be changed, because this would violate RFC 5766.</help>
+        <help>The lifetime for the channel in seconds. Default value is 600 seconds (10 minutes). Changing this value violates RFC 5766. Use with care.</help>
         <advanced>true</advanced>
     </field>
     <field>
         <id>turnserver.settings.PermissionLifetime</id>
         <label>Permission Lifetime</label>
         <type>text</type>
-        <help>The permission lifetime (in seconds). Default value is 300 secs (5 minutes). MUST NOT be changed, because this would violate RFC 5766.</help>
+        <help>The permission lifetime in seconds. Default value is 300 seconds (5 minutes). Changing this value violates RFC 5766. Use with care.</help>
         <advanced>true</advanced>
     </field>
 </form>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
index dfc800ea50..4e4cb549ab 100644
--- a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
@@ -4,6 +4,8 @@
         <patterns>
             <pattern>ui/turnserver</pattern>
             <pattern>api/turnserver/*</pattern>
+            <pattern>ui/diagnostics/log/core/turnserver/*</pattern>
+            <pattern>api/diagnostics/log/core/turnserver/*</pattern>
         </patterns>
     </page-services-turnserver>
 </acl>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
index 4134d75c29..a52806dd54 100644
--- a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
@@ -1,5 +1,8 @@
 <menu>
     <Services>
-        <Turnserver cssClass="fa fa-comment-o fa-fw" url="/ui/turnserver"/>
+        <Turnserver cssClass="fa fa-comment-o fa-fw">
+            <Settings order="10" url="/ui/turnserver"/>
+            <Log VisibleName="Log File" order="40" url="/ui/diagnostics/log/core/turnserver"/>
+        </Turnserver>
     </Services>
 </menu>
diff --git a/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
index 247d301fee..cbacca2b13 100755
--- a/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
+++ b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
@@ -59,3 +59,12 @@
         }
     }
 }
+
+# Purge obsolete log files.
+# TODO: Should be removed in plugin version 2.0.
+$log_files = glob('/var/log/turn_*.log');
+foreach ($log_files as $file) {
+    if (is_file($file)) {
+        unlink($file);
+    }
+}
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Syslog/local/turnserver.conf b/net/turnserver/src/opnsense/service/templates/OPNsense/Syslog/local/turnserver.conf
new file mode 100644
index 0000000000..a1623cd385
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Syslog/local/turnserver.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [turnserver].
+###################################################################
+filter f_local_turnserver {
+    program("turnserver");
+};
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
index 67c96cbabb..f5442f1d9d 100644
--- a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
@@ -50,6 +50,7 @@ channel-lifetime={{ OPNsense.turnserver.settings.ChannelLifetime }}
 permission-lifetime={{ OPNsense.turnserver.settings.PermissionLifetime }}
 
 # Defaults
+log-file=syslog
 no-cli
 no-software-attribute
 no-multicast-peers

From bfd90d27f7f80906212dbb2930b2bd78b71c8543 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 30 Nov 2025 23:05:33 +0100
Subject: [PATCH 2780/3088] security/acme-client: post-merge fixes for #4824

---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml       | 9 ++++-----
 .../OPNsense/AcmeClient/LeValidation/DnsSelectel.php     | 2 +-
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml    | 6 +++++-
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 1ae76c22c1..043047fff7 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1230,7 +1230,7 @@
         <type>text</type>
     </field>
     <field>
-        <label>selectel</label>
+        <label>Selectel</label>
         <type>header</type>
         <style>table_dns table_dns_selectel</style>
     </field>
@@ -1242,8 +1242,7 @@
     <field>
         <id>validation.dns_sl_apiver</id>
         <label>API Version</label>
-        <type>text</type>
-        <help>Available Values: V2</help>
+        <type>dropdown</type>
     </field>
     <field>
         <id>validation.dns_sl_token_lifetime</id>
@@ -1255,7 +1254,7 @@
         <id>validation.dns_sl_account_id</id>
         <label>Account ID</label>
         <type>text</type>
-        <help>Account number, can be seen in the upper right corner on the provider's website</help>
+        <help>The account number can be found on the Selectel control panel</help>
     </field>
     <field>
         <id>validation.dns_sl_project_name</id>
@@ -1266,7 +1265,7 @@
         <id>validation.dns_sl_login_name</id>
         <label>Service username</label>
         <type>text</type>
-        <help>Service username, can be seen in the control panel</help>
+        <help>The service username can be found in the Selectel control panel</help>
     </field>
     <field>
         <id>validation.dns_sl_password</id>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
index 5cae485b2f..54a115cd39 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSelectel.php
@@ -42,7 +42,7 @@ public function prepare()
     {
         $this->acme_env['SL_Key'] = (string)$this->config->dns_sl_key;
         $this->acme_env['SL_Ver'] = (string)$this->config->dns_sl_apiver;
-        $this->acme_env['SL_Expire'] = (string)$this->config->dns_slv2_token_lifetime;
+        $this->acme_env['SL_Expire'] = (string)$this->config->dns_sl_token_lifetime;
         $this->acme_env['SL_Login_ID'] = (string)$this->config->dns_sl_account_id;
         $this->acme_env['SL_Project_Name'] = (string)$this->config->dns_sl_project_name;
         $this->acme_env['SL_Login_Name'] = (string)$this->config->dns_sl_login_name;
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 451ddee709..e176c7f8eb 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1056,8 +1056,12 @@
                 <dns_sl_key type="TextField">
                     <Required>N</Required>
                 </dns_sl_key>
-                <dns_sl_apiver type="TextField">
+                <dns_sl_apiver type="OptionField">
                     <Required>N</Required>
+                    <OptionValues>
+                        <v1>API version 1 (deprecated)</v1>
+                        <v2>API version 2</v2>
+                    </OptionValues>
                 </dns_sl_apiver>
                 <dns_sl_token_lifetime type="TextField">
                     <Required>N</Required>

From 249288dce6ab9182165019d98a09111108fc3c37 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 1 Dec 2025 16:11:07 +0100
Subject: [PATCH 2781/3088] net/ndp-proxy-go: Bump plugin version to v1.1
 (#5056)

---
 net/ndp-proxy-go/Makefile                                  | 2 +-
 net/ndp-proxy-go/pkg-descr                                 | 6 +++++-
 .../app/controllers/OPNsense/NdpProxy/forms/general.xml    | 7 +++----
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
index 74c200a73e..0feb84ad13 100644
--- a/net/ndp-proxy-go/Makefile
+++ b/net/ndp-proxy-go/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ndp-proxy-go
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol (NDP) Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 PLUGIN_DEPENDS=		ndp-proxy-go
diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr
index 4430403b9a..3df98f3a38 100644
--- a/net/ndp-proxy-go/pkg-descr
+++ b/net/ndp-proxy-go/pkg-descr
@@ -6,6 +6,10 @@ DOC: https://docs.opnsense.org/manual/ndp-proxy-go.html
 Plugin Changelog
 ================
 
-0.1
+1.1
+
+* Add experimental point-to-point device upstream support (e.g. PPPoE)
+
+1.0
 
 * Initial Release
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
index 1d8422d653..b7d161623d 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
@@ -17,13 +17,13 @@
         <id>ndpproxy.general.upstream</id>
         <label>Upstream interface</label>
         <type>dropdown</type>
-        <help>Choose the upstream interface which receives the external IPv6 prefix from the ISP. Usually, this is the WAN interface.</help>
+        <help>Choose the upstream interface which receives the external IPv6 prefix from the ISP. Usually, this is the WAN interface. Ethernet interfaces are fully supported, point-to-point (PPPoE) devices are experimental.</help>
     </field>
     <field>
         <id>ndpproxy.general.downstream</id>
         <label>Downstream interfaces</label>
         <type>select_multiple</type>
-        <help>Choose one or multiple downstream interfaces which should proxy the upstream IPv6 prefix.</help>
+        <help>Choose one or multiple downstream interfaces which should proxy the upstream IPv6 prefix. Only ethernet interfaces are supported.</help>
     </field>
     <field>
         <id>ndpproxy.general.ra</id>
@@ -40,14 +40,13 @@
     <field>
         <type>header</type>
         <label>Performance Settings</label>
-        <collapse>true</collapse>
     </field>
     <field>
         <id>ndpproxy.general.cache_ttl</id>
         <label>Neighbor cache lifetime</label>
         <type>text</type>
         <hint>10</hint>
-        <help>Neighbor cache lifetime in minutes.</help>
+        <help>Neighbor cache lifetime in minutes. This controls when stale clients and host routes are cleaned up. When using a point-to-point interface as upstream, increasing this lifetime is necessary to not prematurely clean up routes.</help>
     </field>
     <field>
         <id>ndpproxy.general.cache_max</id>

From c503b7f4189e0f571a9280c8453b33e50beee31c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 30 Nov 2025 23:20:26 +0100
Subject: [PATCH 2782/3088] security/acme-client release 4.11

---
 security/acme-client/Makefile  |  3 +--
 security/acme-client/pkg-descr | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 9c3b42af06..8ae4798d8e 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.10
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		4.11
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 77d44c6779..35361185e0 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,23 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.11
+
+Added:
+* add support for Hetzner Cloud DNS API (#5020)
+* add support for Selectel.ru V2 API (#4824)
+* add support for mijn.host DNS API (#4446)
+* add support for AzureDNS System Assigned Managed Identity #4830 (4830)
+
+Changed:
+* use mwexec/file_safe for HTTP-01/TLSALPN challenge types (core #9325)
+
+Fixed:
+* fix deprecated PHP syntax in cron settings (#4824)
+
+Deprecated:
+* deprecate support for HTTP-01 challenge types (no removal date yet)
+
 4.10
 
 Added:

From 6d3b36c0f7df6b8aba46339f9bf8643c2b8ae8fe Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 1 Dec 2025 22:30:01 +0100
Subject: [PATCH 2783/3088] net-mgmt/zabbix-agent: release 1.18

---
 net-mgmt/zabbix-agent/Makefile  | 2 +-
 net-mgmt/zabbix-agent/pkg-descr | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index f43fb87e7d..a01225eb54 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.17
+PLUGIN_VERSION=		1.18
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index 52f1c1c6ed..f884fbcd5a 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,8 +12,14 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.18
+
+Added:
+* Add ListenBacklog option (#5046)
+
 1.17
 
+Added:
 * Plugin variant for Zabbix Agent 7.4
 
 1.16

From 289eb34bacec33a2a854400e3b254828fb9c49ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Dec 2025 07:53:20 +0100
Subject: [PATCH 2784/3088] net/turnserver: small model style changes

---
 .../mvc/app/models/OPNsense/Turnserver/Turnserver.xml     | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
index 573ff81230..47aae5f065 100644
--- a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
@@ -10,7 +10,6 @@
             </Enabled>
             <ListenIP type="NetworkField">
                 <Default>127.0.0.1</Default>
-                <FieldSeparator>,</FieldSeparator>
                 <AsList>Y</AsList>
                 <Required>Y</Required>
             </ListenIP>
@@ -30,10 +29,7 @@
                 <Default>0</Default>
                 <Required>Y</Required>
             </TlsEnabled>
-            <TlsCertificate type="CertificateField">
-                <Required>N</Required>
-                <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
-            </TlsCertificate>
+            <TlsCertificate type="CertificateField"/>
             <TlsPort type="PortField">
                 <Default>5349</Default>
                 <Required>Y</Required>
@@ -43,12 +39,10 @@
                 <Required>Y</Required>
             </UseAuthSecret>
             <StaticAuthSecret type="TextField">
-                <Required>N</Required>
                 <Mask>/^.{16,128}$/u</Mask>
                 <ValidationMessage>Should be a string between 16 and 128 characters.</ValidationMessage>
             </StaticAuthSecret>
             <Realm type="TextField">
-                <Required>N</Required>
                 <Mask>/^.{1,128}$/u</Mask>
                 <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
             </Realm>

From b1c5dddd6cd25f75200012308b8cea3685abf245 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Dec 2025 08:00:13 +0100
Subject: [PATCH 2785/3088] net/turnserver: pretty up pkg-descr

---
 net/turnserver/pkg-descr | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
index b33cc92cbe..3b816781b2 100644
--- a/net/turnserver/pkg-descr
+++ b/net/turnserver/pkg-descr
@@ -3,6 +3,9 @@ The TURN Server is a VoIP media traffic NAT traversal server and gateway.
 
 WWW: https://github.com/coturn/coturn
 
+Plugin Changelog
+================
+
 1.1
 
 Added:
@@ -17,4 +20,4 @@ Removed:
 
 1.0
 
-Initial release
+* Initial release

From 0565c8b3a4aa0a18863874d3f4e5a1c2c434f043 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 2 Dec 2025 08:03:52 +0100
Subject: [PATCH 2786/3088] net-mgmt/zabbix-proxy: release 1.16 (#5058)

---
 net-mgmt/zabbix-proxy/Makefile  | 2 +-
 net-mgmt/zabbix-proxy/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 55c98a4c14..1500e25317 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.15
+PLUGIN_VERSION=		1.16
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index ee37ddc130..8b9d500538 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,11 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.16
+
+* Add StartAgentPollers and MaxConcurrentChecksPerPoller options (#5037)
+* Add ListenBacklog option (#5046)
+
 1.15
 
 * Add VMware parameters (contributed by us3241)

From e5ff7d62969caa56f221745efebf48060ef02b76 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Dec 2025 08:06:22 +0100
Subject: [PATCH 2787/3088] et-mgmt/zabbix-proxy: model style

---
 .../opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml   | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
index 4d130fab1a..24ccaf3833 100644
--- a/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
+++ b/net-mgmt/zabbix-proxy/src/opnsense/mvc/app/models/OPNsense/Zabbixproxy/General.xml
@@ -29,7 +29,6 @@
         <listenbacklog type="IntegerField">
             <MinimumValue>0</MinimumValue>
             <MaximumValue>2147483647</MaximumValue>
-            <Required>N</Required>
         </listenbacklog>
         <startpollers type="TextField"/>
         <startipmipollers type="IntegerField"/>
@@ -37,12 +36,10 @@
         <startagentpollers type="IntegerField">
             <MinimumValue>0</MinimumValue>
             <MaximumValue>1000</MaximumValue>
-            <Required>N</Required>
         </startagentpollers>
         <maxconcurrentchecksperpoller type="IntegerField">
             <MinimumValue>1</MinimumValue>
             <MaximumValue>1000</MaximumValue>
-            <Required>N</Required>
         </maxconcurrentchecksperpoller>
         <starttrappers type="IntegerField"/>
         <startpingers type="IntegerField"/>

From 70862d6727eb225e53e05932a1d2fd8f0497077f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Dec 2025 08:12:34 +0100
Subject: [PATCH 2788/3088] dns/rfc2136: fix command change not released yet

---
 dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
index 1e802cece2..2f36beac2c 100644
--- a/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
+++ b/dns/rfc2136/src/etc/inc/plugins.inc.d/rfc2136.inc
@@ -200,13 +200,16 @@ function rfc2136_configure_do($verbose = false, $int = null, $updatehost = '', $
         if ($need_update) {
             file_safe("/var/etc/nsupdatecmds{$i}", $upinst);
 
-            $frmt = ['/var/etc/nsupdatecmds%s -k %s'];
-            $args = [$i, $keyfile];
+            $frmt = ['/usr/local/bin/nsupdate -k %s'];
+            $args = [$keyfile];
 
             if (isset($dnsupdate['usetcp'])) {
                 $frmt[] = '-v';
             }
 
+            $args[] = "/var/etc/nsupdatecmds{$i}";
+            $frmt[] = '%s';
+
             mwexecfb($frmt, $args);
         }
     }

From 63d40de4a12a1b1d9981b83af1dfa3c5859c61a3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Dec 2025 08:19:50 +0100
Subject: [PATCH 2789/3088] net-mgmt/zabbix-agent: model style, MaskPerItem
 simplification

---
 .../app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml    | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index 29fc8168a1..5940395e1c 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -22,7 +22,8 @@
                     <Default>127.0.0.1</Default>
                     <Required>Y</Required>
                     <Multiple>Y</Multiple>
-                    <Mask>/^([a-zA-Z0-9\.:\[\]\-\/]*?,)*([a-zA-Z0-9\.:\[\]\-\/]*)$/</Mask>
+                    <Mask>/^[a-zA-Z0-9\.:\[\]\-\/]*$/</Mask>
+                    <MaskPerItem>Y</MaskPerItem>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid Zabbix server addresses, i.e. zabbix.example.com, 10.0.0.2 or 10.0.0.0/24.</ValidationMessage>
                 </serverList>
@@ -38,18 +39,15 @@
                     <Multiple>Y</Multiple>
                     <NetMaskAllowed>N</NetMaskAllowed>
                     <AsList>Y</AsList>
-                    <FieldSeparator>,</FieldSeparator>
                     <ValidationMessage>Please provide one or more valid IP addresses, i.e. 10.0.0.1.</ValidationMessage>
                 </listenIP>
                 <sourceIP type="NetworkField">
-                    <Required>N</Required>
                     <NetMaskAllowed>N</NetMaskAllowed>
                     <ValidationMessage>Please provide a valid IP address, i.e. 10.0.0.1.</ValidationMessage>
                 </sourceIP>
                 <listenBacklog type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>2147483647</MaximumValue>
-                    <Required>N</Required>
                 </listenBacklog>
                 <syslogEnable type="BooleanField"/>
                 <logFileSize type="IntegerField">
@@ -118,9 +116,9 @@
                     <Required>Y</Required>
                 </enableActiveChecks>
                 <activeCheckServers type="CSVListField">
-                    <Required>N</Required>
                     <Multiple>Y</Multiple>
-                    <Mask>/^([a-zA-Z0-9\.:\[\]\-]*?,)*([a-zA-Z0-9\.:\[\]\-]*)$/</Mask>
+                    <Mask>/^[a-zA-Z0-9\.:\[\]\-]*$/</Mask>
+                    <MaskPerItem>Y</MaskPerItem>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid active check receivers, i.e. 10.0.0.1:10051, zabbix.example.com or [::1]:30051.</ValidationMessage>
                 </activeCheckServers>

From 110eaa13e8479ba75f04931dc494120a7b0fa738 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 2 Dec 2025 08:21:55 +0100
Subject: [PATCH 2790/3088] net-mgmt/zabbix-agent: plus is more appropriate

Required=X steeres whether or not the value can be empty so the
validation mask only executes when the values is not empty.
---
 .../mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
index 5940395e1c..7c05fcd070 100644
--- a/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
+++ b/net-mgmt/zabbix-agent/src/opnsense/mvc/app/models/OPNsense/ZabbixAgent/ZabbixAgent.xml
@@ -22,7 +22,7 @@
                     <Default>127.0.0.1</Default>
                     <Required>Y</Required>
                     <Multiple>Y</Multiple>
-                    <Mask>/^[a-zA-Z0-9\.:\[\]\-\/]*$/</Mask>
+                    <Mask>/^[a-zA-Z0-9\.:\[\]\-\/]+$/</Mask>
                     <MaskPerItem>Y</MaskPerItem>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid Zabbix server addresses, i.e. zabbix.example.com, 10.0.0.2 or 10.0.0.0/24.</ValidationMessage>
@@ -117,7 +117,7 @@
                 </enableActiveChecks>
                 <activeCheckServers type="CSVListField">
                     <Multiple>Y</Multiple>
-                    <Mask>/^[a-zA-Z0-9\.:\[\]\-]*$/</Mask>
+                    <Mask>/^[a-zA-Z0-9\.:\[\]\-]+$/</Mask>
                     <MaskPerItem>Y</MaskPerItem>
                     <ChangeCase>lower</ChangeCase>
                     <ValidationMessage>Please provide valid active check receivers, i.e. 10.0.0.1:10051, zabbix.example.com or [::1]:30051.</ValidationMessage>

From c9861c1933963fc2bbb887f8abe1a614e6c7844f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Dec 2025 12:10:21 +0100
Subject: [PATCH 2791/3088] net/upnp: status update via
 https://github.com/opnsense/plugins/pull/5005#issuecomment-3606197018

---
 net/upnp/src/www/status_upnp.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/upnp/src/www/status_upnp.php b/net/upnp/src/www/status_upnp.php
index bb29974728..394d421706 100644
--- a/net/upnp/src/www/status_upnp.php
+++ b/net/upnp/src/www/status_upnp.php
@@ -83,12 +83,12 @@
                       !preg_match('/on (?P<iface>.+) inet6 proto (?P<proto>.+) from (?P<srcaddr>[^ ]+) (port = (?P<srcport>.+) )?to (?P<intaddr>.+) port = (?P<intport>\d+) (flags [^ ]+ )?keep state (label "(?P<descr>.+)" )?rtable [0-9]/', $rdr_entry, $matches)) {
                       continue;
                   }
-                  if (preg_match('/PCP .*([0-9a-f]{24})$/', $matches['descr'], $descrmatch) === 1) {
-                    $descr = "PCP (nonce  {$descrmatch[1]})";
+                  if (preg_match('/PCP ([A-Z]+) ([0-9a-f]{24})$/', $matches['descr'], $descrmatch) === 1) {
+                    $descr = "PCP ({$descrmatch[1]} nonce {$descrmatch[2]})";
                   } elseif (preg_match('/^NAT-PMP \d+ \w+$/', $matches['descr'], $descrmatch) === 1) {
                     $descr = 'NAT-PMP';
                   } elseif (preg_match('/^pinhole-(\d+).*IGD2 pinhole$/', $matches['descr'], $descrmatch) === 1) {
-                    $descr = "UPnP IGD IPv6 (UID {$descrmatch[1]})";
+                    $descr = "UPnP IGDv2 IPv6 (UID {$descrmatch[1]})";
                   } elseif (preg_match('/^UPnP IGD/', $matches['descr'], $descrmatch) === 1) {
                     $descr = $matches['descr'];
                   } else {

From 91ebb21622ab09610ecef04274a4025830e0c585 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Dec 2025 12:31:20 +0100
Subject: [PATCH 2792/3088] net/upnp: fix escaping in the file for #5005

* remove pconfig escaping as it is already escaped globally
* change htmlspecialchars() to html_safe()
* protect some spots with html_safe() (being legacy code this is an uphill battle)
* some more style tweaks for readability
---
 net/upnp/src/www/services_upnp.php | 40 ++++++++++++++----------------
 1 file changed, 18 insertions(+), 22 deletions(-)

diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index e4919ab2c7..ec54020425 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -263,13 +263,11 @@ function miniupnpd_validate_port($port)
                       <td><a id="help_for_ext_iface" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("External interface");?></td>
                       <td>
                        <select class="selectpicker" name="ext_iface">
-<?php
-                        foreach (get_configured_interface_with_descr() as $iface => $ifacename):?>
-                          <option value="<?=$iface;?>" <?=$pconfig['ext_iface'] == $iface ? "selected=\"selected\"" : "";?>>
-                            <?=htmlspecialchars($ifacename);?>
+<?php foreach (get_configured_interface_with_descr() as $iface => $ifacename): ?>
+                          <option value="<?= html_safe($iface) ?>" <?= $pconfig['ext_iface'] == $iface ? 'selected="selected"' : '' ?>>
+                            <?= html_safe($ifacename) ?>
                           </option>
-<?php
-                        endforeach;?>
+<?php endforeach ?>
                        </select>
                        <div class="hidden" data-for="help_for_ext_iface">
                          <?=gettext("The WAN network interface containing the default gateway.");?>
@@ -280,16 +278,14 @@ function miniupnpd_validate_port($port)
                       <td><a id="help_for_iface_array" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Internal interfaces");?></td>
                       <td>
                        <select class="selectpicker" name="iface_array[]" multiple="multiple">
-                         <option value="lo0" <?=!empty($pconfig['iface_array']) && in_array('lo0', $pconfig['iface_array']) ? "selected=\"selected\"" : "";?>>
-                           <?=gettext("Localhost");?>
+                         <option value="lo0" <?=!empty($pconfig['iface_array']) && in_array('lo0', $pconfig['iface_array']) ? 'selected="selected"' : '' ?>>
+                           <?= html_safe(gettext('Localhost')) ?>
                          </option>
-<?php
-                        foreach (get_configured_interface_with_descr() as $iface => $ifacename):?>
-                          <option value="<?=$iface;?>" <?=!empty($pconfig['iface_array']) && in_array($iface, $pconfig['iface_array']) ? "selected=\"selected\"" : "";?>>
-                            <?=htmlspecialchars($ifacename);?>
+<?php foreach (get_configured_interface_with_descr() as $iface => $ifacename): ?>
+                          <option value="<?= html_safe($iface) ?>" <?= in_array($iface, $pconfig['iface_array'] ?? []) ? 'selected="selected"' : '' ?>>
+                            <?= html_safe($ifacename) ?>
                           </option>
-<?php
-                        endforeach;?>
+<?php endforeach ?>
                        </select>
                        <div class="hidden" data-for="help_for_iface_array">
                          <?=gettext("Select one or more internal network interfaces, such as LAN, where clients reside.");?>
@@ -315,7 +311,7 @@ function miniupnpd_validate_port($port)
                     <tr>
                       <td><a id="help_for_stun_host" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('STUN server') ?></td>
                       <td>
-                        <input name="stun_host" type="text" value="<?= !empty($pconfig['stun_host']) ? $pconfig['stun_host'] : '' ?>" />
+                        <input name="stun_host" type="text" value="<?= $pconfig['stun_host'] ?? '' ?>" />
                         <div class="hidden" data-for="help_for_stun_host">
                           <?= gettext('Allow use of unrestricted endpoint-independent (1:1) CGNATs and detect the public IPv4 using e.g. "stun.3cx.com" or "stun.counterpath.com".') ?>
                         </div>
@@ -324,7 +320,7 @@ function miniupnpd_validate_port($port)
                     <tr>
                       <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('STUN port') ?></td>
                       <td>
-                        <input name="stun_port" type="text" placeholder="3478" value="<?= !empty($pconfig['stun_port']) ? $pconfig['stun_port'] : ''  ?>" />
+                        <input name="stun_port" type="text" placeholder="3478" value="<?= $pconfig['stun_port'] ?? ''  ?>" />
                       </td>
                     </tr>
                     <tr>
@@ -400,8 +396,8 @@ function miniupnpd_validate_port($port)
                     <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('UPnP IGD compatibility mode') ?></td>
                     <td>
                       <select name="upnp_igd_compat">
-                        <option value="igdv1" <?= $pconfig['upnp_igd_compat'] == 'igdv1' ? "selected=\"selected\"" : ""; ?> ><?= gettext("IGDv1 (IPv4 only)"); ?></option>
-                        <option value="igdv2" <?= $pconfig['upnp_igd_compat'] == 'igdv2' ? "selected=\"selected\"" : ""; ?> ><?= gettext("IGDv2 (with workarounds)"); ?></option>
+                        <option value="igdv1" <?= ($pconfig['upnp_igd_compat'] ?? '') == 'igdv1' ? 'selected="selected"' : '' ?> ><?= gettext('IGDv1 (IPv4 only)') ?></option>
+                        <option value="igdv2" <?= ($pconfig['upnp_igd_compat'] ?? '') == 'igdv2' ? 'selected="selected"' : '' ?> ><?= gettext('IGDv2 (with workarounds)') ?></option>
                       </select>
                     </td>
                   </tr>
@@ -426,7 +422,7 @@ function miniupnpd_validate_port($port)
                     <tr>
                       <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Router/friendly name') ?></td>
                       <td>
-                        <input name="friendly_name" type="text" placeholder="OPNsense UPnP IGD &amp; PCP" value="<?= !empty($pconfig['friendly_name']) ? htmlspecialchars($pconfig['friendly_name']) : '' ?>" />
+                        <input name="friendly_name" type="text" placeholder="OPNsense UPnP IGD &amp; PCP" value="<?= $pconfig['friendly_name'] ?? '' ?>" />
                       </td>
                     </tr>
                   </tbody>
@@ -456,7 +452,7 @@ function miniupnpd_validate_port($port)
                     <tr>
                       <td><a id="help_for_num_permuser" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Number of entries");?></td>
                       <td>
-                        <input name="num_permuser" type="text" placeholder="8" value="<?= html_safe($pconfig['num_permuser']) ?>" />
+                        <input name="num_permuser" type="text" placeholder="8" value="<?= $pconfig['num_permuser'] ?>" />
                         <div class="hidden" data-for="help_for_num_permuser">
                           <?=gettext("Number of ACL entries to configure.");?>
                         </div>
@@ -470,7 +466,7 @@ function miniupnpd_validate_port($port)
                       <td style="width:22%"><i class="fa fa-info-circle text-muted"></i> <?=gettext('ACL entry') . ' ' . $i ?></td>
 <?php endif ?>
                       <td style="width:78%">
-                        <input name="<?= html_safe($permuser) ?>" type="text" value="<?= isset($pconfig[$permuser]) ? $pconfig[$permuser] : '' ?>" />
+                        <input name="<?= html_safe($permuser) ?>" type="text" value="<?= $pconfig[$permuser] ?? '' ?>" />
 <?php if ($i == 1): ?>
                         <div class="hidden" data-for="help_for_permuser">
                           <?=gettext("Syntax: (allow or deny) (ext port or range) (int IP or IP/netmask) (int port or range)");?><br/>
@@ -494,7 +490,7 @@ function miniupnpd_validate_port($port)
                     <tr>
                      <td style="width:22%; vertical-align:top">&nbsp;</td>
                      <td style="width:78%">
-                       <input name="Submit" type="submit" class="btn btn-primary" value="<?=gettext("Save");?>" />
+                       <input name="Submit" type="submit" class="btn btn-primary" value="<?= html_safe(gettext('Save')) ?>" />
                      </td>
                     </tr>
                   </tbody>

From 187246adc4c9a92114e86528820b3c019f75a002 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 3 Dec 2025 12:52:38 +0100
Subject: [PATCH 2793/3088] net/upnp: default to IDGv1 when not yet set

---
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 5c5a813acc..069680a361 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -260,7 +260,7 @@ function miniupnpd_configure_do($verbose = false)
 
             // When building the daemon with UPnP IGDv2, infinite (IGDv1 only) lease duration port maps are reduced
             // to 7d, following the IGDv2 standard. Disabling it at runtime allows IGDv2-incompatible clients
-            if ($upnp_config['upnp_igd_compat'] == 'igdv1') {
+            if (($upnp_config['upnp_igd_compat'] ?? 'igdv1') == 'igdv1') {
                 $config_text .= "force_igd_desc_v1=yes\n";
             }
 

From 8a06728c8fe24f3ae6cefe53e9725aa1e1097a20 Mon Sep 17 00:00:00 2001
From: Anton Avramov <lukav@lukav.com>
Date: Wed, 3 Dec 2025 09:54:51 -0500
Subject: [PATCH 2794/3088] security/acme-client: Add support for ZoneEdit DNS
 API (#4671)

* Add ZoneEdit settings for acme.sh
---
 .../AcmeClient/forms/dialogValidation.xml     | 15 +++++++
 .../AcmeClient/LeValidation/DnsZoneedit.php   | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 67 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZoneedit.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 043047fff7..5773c1c0f9 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -568,6 +568,21 @@
         <label>ApiKey</label>
         <type>password</type>
     </field>
+    <field>
+        <label>ZoneEdit</label>
+        <type>header</type>
+        <style>table_dns table_dns_zoneedit</style>
+    </field>
+    <field>
+        <id>validation.dns_zoneedit_id</id>
+        <label>ZoneEdit ID</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_zoneedit_token</id>
+        <label>ZoneEdit Token</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Gandi LiveDNS</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZoneedit.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZoneedit.php
new file mode 100644
index 0000000000..5252b44104
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsZoneedit.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Anton Avramov
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * FreeDNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsZoneedit extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['ZONEEDIT_ID'] = (string)$this->config->dns_zoneedit_id;
+        $this->acme_env['ZONEEDIT_Token'] = (string)$this->config->dns_zoneedit_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index e176c7f8eb..d552f3d0b6 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -532,6 +532,7 @@
                         <dns_yandex>Yandex PDD</dns_yandex>
                         <dns_zilore>Zilore</dns_zilore>
                         <dns_zone>Zone.eu</dns_zone>
+                        <dns_zoneedit>ZoneEdit</dns_zoneedit>
                         <dns_zonomi>zonomi.com</dns_zonomi>
                     </OptionValues>
                 </dns_service>
@@ -1352,6 +1353,12 @@
                 <dns_scaleway_token type="TextField">
                     <Required>N</Required>
                 </dns_scaleway_token>
+                <dns_zoneedit_id type="TextField">
+                    <Required>N</Required>
+                </dns_zoneedit_id>
+                <dns_zoneedit_token type="TextField">
+                    <Required>N</Required>
+                </dns_zoneedit_token>
             </validation>
         </validations>
         <actions>

From f6191e0f66cf80cc3c331edc754f31a7a816885a Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 3 Dec 2025 15:56:11 +0100
Subject: [PATCH 2795/3088] security/acme-client: update release notes, refs
 #4671

---
 security/acme-client/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 35361185e0..971425135c 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,7 @@ Added:
 * add support for Selectel.ru V2 API (#4824)
 * add support for mijn.host DNS API (#4446)
 * add support for AzureDNS System Assigned Managed Identity #4830 (4830)
+* add support for ZoneEdit DNS API (#4671)
 
 Changed:
 * use mwexec/file_safe for HTTP-01/TLSALPN challenge types (core #9325)

From 6450cbcaca311ea1793564dfd8eafe35b636bfcf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Dec 2025 09:15:48 +0100
Subject: [PATCH 2796/3088] www/web-proxy-sso: very old and likely unused
 nowadays

---
 www/web-proxy-sso/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/web-proxy-sso/Makefile b/www/web-proxy-sso/Makefile
index cbfbf3e00f..f09fdd203e 100644
--- a/www/web-proxy-sso/Makefile
+++ b/www/web-proxy-sso/Makefile
@@ -3,6 +3,7 @@ PLUGIN_VERSION=		2.2
 PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Kerberos authentication module
 PLUGIN_DEPENDS=		msktutil cyrus-sasl-gssapi
+PLUGIN_OBSOLETE=	yes
 PLUGIN_MAINTAINER=	evbevz@gmail.com
 PLUGIN_WWW=		https://smart-soft.ru
 

From e3bf36a2ec14b42a7d40b0151b396e061224a759 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Dec 2025 09:19:37 +0100
Subject: [PATCH 2797/3088] plugins: remove a few of my historic
 maintainerships

These plugins have had maintainership attached due to the fact
that they became plugins at one point in time.  Since we can now
annotate this better, do it.
---
 net/igmp-proxy/Makefile | 1 -
 net/wol/Makefile        | 1 -
 sysutils/smart/Makefile | 1 -
 www/squid/Makefile      | 1 -
 4 files changed, 4 deletions(-)

diff --git a/net/igmp-proxy/Makefile b/net/igmp-proxy/Makefile
index 71575b1318..036669b4f0 100644
--- a/net/igmp-proxy/Makefile
+++ b/net/igmp-proxy/Makefile
@@ -3,6 +3,5 @@ PLUGIN_VERSION=		1.5
 PLUGIN_REVISION=	6
 PLUGIN_DEPENDS=		igmpproxy
 PLUGIN_COMMENT=		IGMP-Proxy Service
-PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"
diff --git a/net/wol/Makefile b/net/wol/Makefile
index 19e6aa94dd..90f4508aac 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -3,6 +3,5 @@ PLUGIN_VERSION=		2.5
 PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
-PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/smart/Makefile b/sysutils/smart/Makefile
index 132bbe4b30..d09cf52331 100644
--- a/sysutils/smart/Makefile
+++ b/sysutils/smart/Makefile
@@ -2,6 +2,5 @@ PLUGIN_NAME=		smart
 PLUGIN_VERSION=		2.4
 PLUGIN_COMMENT=		SMART tools
 PLUGIN_DEPENDS=		smartmontools
-PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"
diff --git a/www/squid/Makefile b/www/squid/Makefile
index 0678e6fd26..def32ee4f3 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -2,6 +2,5 @@ PLUGIN_NAME=		squid
 PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Squid is a caching proxy for the web
 PLUGIN_DEPENDS=		squid squid-langpack
-PLUGIN_MAINTAINER=	franco@opnsense.org
 
 .include "../../Mk/plugins.mk"

From db5ddb287338ff5fc4efe08befc7e5c8fef1dbe5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Dec 2025 09:21:40 +0100
Subject: [PATCH 2798/3088] LICENSE/README: sync

---
 LICENSE   |  1 +
 README.md | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/LICENSE b/LICENSE
index d28296414d..f3f0d44d1f 100644
--- a/LICENSE
+++ b/LICENSE
@@ -4,6 +4,7 @@ Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2024 Alex Smith
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
+Copyright (c) 2025 Anton Avramov
 Copyright (c) 2021 Axelrtgs
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
diff --git a/README.md b/README.md
index dfb72caf40..1841694bff 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ net/frr -- The FRRouting Protocol Suite
 net/ftp-proxy -- Control ftp-proxy processes
 net/google-cloud-sdk -- Google Cloud SDK
 net/haproxy -- Reliable, high performance TCP/HTTP load balancer
-net/igmp-proxy -- IGMP-Proxy Service
+net/igmp-proxy -- IGMP-Proxy Service (not maintained)
 net/mdns-repeater -- Proxy multicast DNS between networks
 net/ndp-proxy-go -- IPv6 Neighbor Discovery Protocol (NDP) Proxy
 net/ndproxy -- Neighbor Discovery Proxy
@@ -70,7 +70,7 @@ net/turnserver -- The coturn STUN/TURN Server
 net/udpbroadcastrelay -- Control udpbroadcastrelay processes
 net/upnp -- UPnP IGD & PCP/NAT-PMP Service
 net/vnstat -- Network traffic monitor
-net/wol -- Wake on LAN Service
+net/wol -- Wake on LAN Service (not maintained)
 net/zerotier -- Virtual Networks That Just Work (not maintained)
 net-mgmt/collectd -- Collect system and application performance metrics periodically
 net-mgmt/lldpd -- LLDP allows you to know exactly on which port is a server
@@ -116,7 +116,7 @@ sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
 sysutils/puppet-agent -- Manage Puppet Agent
 sysutils/sftp-backup -- Backup configurations using SFTP
-sysutils/smart -- SMART tools
+sysutils/smart -- SMART tools (not maintained)
 sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools
 sysutils/xen -- Xen guest utilities
@@ -126,8 +126,8 @@ www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
 www/caddy -- Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 www/nginx -- Nginx HTTP server and reverse proxy
-www/squid -- Squid is a caching proxy for the web
-www/web-proxy-sso -- Kerberos authentication module
+www/squid -- Squid is a caching proxy for the web (not maintained)
+www/web-proxy-sso -- Kerberos authentication module (pending removal)
 ```
 
 A brief description of how to use the plugins repository

From 94a21efccc8583290266640727104157de2eda25 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 4 Dec 2025 09:26:01 +0100
Subject: [PATCH 2799/3088] www/OPNProxy: same here

---
 README.md             | 2 +-
 www/OPNProxy/Makefile | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1841694bff..b982193b02 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,7 @@ sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools
 sysutils/xen -- Xen guest utilities
 vendor/sunnyvalley -- Vendor Repository for Zenarmor (Enterprise Security Modules - NGFW, SSE, SASE, f.k.a Sensei)
-www/OPNProxy -- OPNsense proxy additions
+www/OPNProxy -- OPNsense proxy additions (not maintained)
 www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache
 www/caddy -- Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
diff --git a/www/OPNProxy/Makefile b/www/OPNProxy/Makefile
index b982f8d232..d134b25984 100644
--- a/www/OPNProxy/Makefile
+++ b/www/OPNProxy/Makefile
@@ -5,6 +5,5 @@ PLUGIN_COMMENT=		OPNsense proxy additions
 PLUGIN_DEPENDS=		os-redis${PLUGIN_PKGSUFFIX} \
 			os-squid${PLUGIN_PKGSUFFIX} \
 			py${PLUGIN_PYTHON}-redis
-PLUGIN_MAINTAINER=	ad@opnsense.org
 
 .include "../../Mk/plugins.mk"

From 61e0663137c8338f92bc2bbd7b6f11e1755c96f5 Mon Sep 17 00:00:00 2001
From: Angel Marin <anmar@ndgn.net>
Date: Thu, 4 Dec 2025 16:56:05 +0100
Subject: [PATCH 2800/3088] securiry/tinc: don't create symlink as it conflicts
 with ifconfig symlink creation (#5064)

---
 security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
index 7979c93002..43839a8cfb 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
@@ -116,13 +116,13 @@ def deploy(config_filename):
 
         # configure and rename new tun device, place all in group "tinc" symlink associated tun device
         if interface_name not in interfaces:
+            # remove symlink from previus run (created by ifconfig) if it wasn't cleaned up properly on exit
+            if os.path.islink('/dev/%s' % interface_name):
+                os.remove('/dev/%s' % interface_name)
             tundev = subprocess.run(['/sbin/ifconfig', interface_type, 'create'],
                                     capture_output=True, text=True).stdout.split()[0]
             subprocess.run(['/sbin/ifconfig',tundev,'name',interface_name])
             subprocess.run(['/sbin/ifconfig',interface_name,'group','tinc'])
-            if os.path.islink('/dev/%s' % interface_name):
-                os.remove('/dev/%s' % interface_name)
-            os.symlink('/dev/%s' % tundev, '/dev/%s' % interface_name)
     return networks
 
 if len(sys.argv) > 1:

From fafde8629f7cb05e694094524a8b58bdcf12c496 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 5 Dec 2025 12:19:54 +0100
Subject: [PATCH 2801/3088] security/tinc: revision and style

---
 security/tinc/Makefile                        |  2 +-
 .../mvc/app/models/OPNsense/Tinc/Tinc.xml     | 22 +++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 4db6cb7a70..20ab416b8b 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		tinc
 PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index 078be08320..18c611398b 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -76,17 +76,17 @@
                     <Default>aes-256-cbc</Default>
                 </cipher>
                 <mode type="OptionField">
-                  <Required>Y</Required>
-                  <Default>router</Default>
-                  <OptionValues>
-                      <router>router</router>
-                      <switch>switch</switch>
-                  </OptionValues>
-                  <Constraints>
-                      <check001>
-                          <reference>subnet.check001</reference>
-                      </check001>
-                  </Constraints>
+                    <Required>Y</Required>
+                    <Default>router</Default>
+                    <OptionValues>
+                        <router>router</router>
+                        <switch>switch</switch>
+                    </OptionValues>
+                    <Constraints>
+                        <check001>
+                            <reference>subnet.check001</reference>
+                        </check001>
+                    </Constraints>
                 </mode>
                 <PMTUDiscovery type="BooleanField">
                     <Default>1</Default>

From 06170082adb8fb12ae207685da71a8c3f211c3b2 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 5 Dec 2025 20:36:43 +0100
Subject: [PATCH 2802/3088] net/ndp-proxy-go: Add pf table (firewall alias)
 functionality (#5069)

---
 net/ndp-proxy-go/Makefile                     |  2 +-
 net/ndp-proxy-go/pkg-descr                    |  4 +++
 .../NdpProxy/Api/GeneralController.php        | 26 ++++++++++++++
 .../OPNsense/NdpProxy/GeneralController.php   |  5 ++-
 .../OPNsense/NdpProxy/forms/dialogAlias.xml   | 22 ++++++++++++
 .../app/models/OPNsense/NdpProxy/NdpProxy.xml | 22 ++++++++++++
 .../app/views/OPNsense/NdpProxy/general.volt  | 35 +++++++++++++++++--
 .../templates/OPNsense/NdpProxy/ndp_proxy_go  |  8 +++++
 8 files changed, 120 insertions(+), 4 deletions(-)
 create mode 100644 net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/dialogAlias.xml

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
index 0feb84ad13..76068232f1 100644
--- a/net/ndp-proxy-go/Makefile
+++ b/net/ndp-proxy-go/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ndp-proxy-go
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol (NDP) Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 PLUGIN_DEPENDS=		ndp-proxy-go
diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr
index 3df98f3a38..9bd61a7647 100644
--- a/net/ndp-proxy-go/pkg-descr
+++ b/net/ndp-proxy-go/pkg-descr
@@ -6,6 +6,10 @@ DOC: https://docs.opnsense.org/manual/ndp-proxy-go.html
 Plugin Changelog
 ================
 
+1.2
+
+* Add firewall alias support
+
 1.1
 
 * Add experimental point-to-point device upstream support (e.g. PPPoE)
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
index 34d1fb3fe5..f932bb2fb9 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
@@ -37,4 +37,30 @@ class GeneralController extends ApiMutableModelControllerBase
 {
     protected static $internalModelName = 'ndpproxy';
     protected static $internalModelClass = 'OPNsense\NdpProxy\NdpProxy';
+
+    public function searchAliasAction()
+    {
+        return $this->searchBase('aliases.alias');
+    }
+
+    public function setAliasAction($uuid)
+    {
+        return $this->setBase('alias', 'aliases.alias', $uuid);
+    }
+
+    public function addAliasAction()
+    {
+        return $this->addBase('alias', 'aliases.alias');
+    }
+
+    public function getAliasAction($uuid = null)
+    {
+        return $this->getBase('alias', 'aliases.alias', $uuid);
+    }
+
+    public function delAliasAction($uuid)
+    {
+        return $this->delBase('aliases.alias', $uuid);
+    }
+
 }
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/GeneralController.php b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/GeneralController.php
index cb1038617f..5ce88c3731 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/GeneralController.php
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/GeneralController.php
@@ -37,6 +37,9 @@ class GeneralController extends IndexController
     public function indexAction()
     {
         $this->view->pick('OPNsense/NdpProxy/general');
-        $this->view->generalForm = $this->getForm("general");
+        $this->view->generalForm = $this->getForm('general');
+
+        $this->view->formDialogAlias = $this->getForm('dialogAlias');
+        $this->view->formGridAlias = $this->getFormGrid('dialogAlias');
     }
 }
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/dialogAlias.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/dialogAlias.xml
new file mode 100644
index 0000000000..455afc62f4
--- /dev/null
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/dialogAlias.xml
@@ -0,0 +1,22 @@
+<form>
+    <field>
+        <id>alias.interface</id>
+        <label>Interface</label>
+        <type>dropdown</type>
+        <help>Add IPv6 addresses to the firewall alias that belong to this proxied interface. When choosing any, all IPv6 addresses will be added.</help>
+        <grid_view>
+            <formatter>any</formatter>
+        </grid_view>
+    </field>
+    <field>
+        <id>alias.alias</id>
+        <label>Firewall alias</label>
+        <type>dropdown</type>
+        <help>Choose an "external (advanced)" type alias from "Firewall - Aliases". Whenever a client is discovered, the IPv6 address will be automatically added to the chosen alias. When the neighbor cache lifetime expires, the IPv6 address will be removed from the alias.</help>
+    </field>
+    <field>
+        <id>alias.description</id>
+        <label>Description</label>
+        <type>text</type>
+    </field>
+</form>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
index c9239abfc1..4298f1d53a 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
@@ -37,5 +37,27 @@
                 <Required>Y</Required>
             </debug>
         </general>
+        <aliases>
+            <alias type="ArrayField">
+                <interface type="InterfaceField">
+                    <BlankDesc>any</BlankDesc>
+                </interface>
+                <alias type="ModelRelationField">
+                    <Model>
+                        <aliases>
+                            <source>OPNsense.Firewall.Alias</source>
+                            <items>aliases.alias</items>
+                            <display>name</display>
+                            <filters>
+                                <type>/^[Ee]xternal.*/</type>
+                                <name>/^(?!bogons$|bogonsv6$|virusprot$|sshlockout$|__.*).*/</name>
+                            </filters>
+                        </aliases>
+                    </Model>
+                    <Required>Y</Required>
+                </alias>
+                <description type="DescriptionField"/>
+            </alias>
+        </aliases>
     </items>
 </model>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt b/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
index 821abbedb4..4c36c5e879 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/views/OPNsense/NdpProxy/general.volt
@@ -39,10 +39,41 @@
             },
         });
 
+        $("#{{formGridAlias['table_id']}}").UIBootgrid({
+            search:'/api/ndpproxy/general/search_alias/',
+            get:'/api/ndpproxy/general/get_alias/',
+            set:'/api/ndpproxy/general/set_alias/',
+            add:'/api/ndpproxy/general/add_alias/',
+            del:'/api/ndpproxy/general/del_alias/',
+            options: {
+                formatters:{
+                    any: function(column, row) {
+                        if (row[column.id] !== '') {
+                            return row[`%${column.id}`] || row[column.id];
+                        } else {
+                            return '{{ lang._('any') }}';
+                        }
+                    },
+                },
+            },
+        });
+
     });
 </script>
 
-<div class="content-box __mb">
-    {{ partial("layout_partials/base_form", ['fields': generalForm, 'id': 'frm_GeneralSettings']) }}
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
+    <li><a data-toggle="tab" href="#aliases">{{ lang._('Aliases') }}</a></li>
+</ul>
+
+<div class="tab-content content-box">
+    <div id="general" class="tab-pane fade in active">
+        {{ partial('layout_partials/base_form', ['fields': generalForm, 'id': 'frm_GeneralSettings']) }}
+    </div>
+    <div id="aliases" class="tab-pane fade in">
+        {{ partial('layout_partials/base_bootgrid_table', formGridAlias)}}
+    </div>
 </div>
+
 {{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/ndpproxy/service/reconfigure', 'data_service_widget': 'ndpproxy'}) }}
+{{ partial('layout_partials/base_dialog',['fields':formDialogAlias,'id':formGridAlias['edit_dialog_id'],'label':lang._('Edit Alias')])}}
diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
index c75534e6a0..884649915d 100644
--- a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
@@ -30,6 +30,14 @@ ndp_proxy_go_downstream="{{ downstream_interfaces|join(' ') }}"
 {%     if general.pcap_timeout %}
 {%         do flags.append('--pcap-timeout ' ~ general.pcap_timeout ~ 'ms') %}
 {%     endif %}
+{%     for alias in helpers.toList('OPNsense.ndpproxy.aliases.alias') %}
+{%         set iface = alias.interface|default('') %}
+{%         if iface == '' %}
+{%             do flags.append('--pf=:' ~ helpers.getUUID(alias.alias).name) %}
+{%         else %}
+{%             do flags.append('--pf=' ~ helpers.physical_interface(iface) ~ ':' ~ helpers.getUUID(alias.alias).name) %}
+{%         endif %}
+{%     endfor %}
 {%     if flags|length > 0 %}
 ndp_proxy_go_flags="{{ flags|join(' ') }}"
 {%     endif %}

From ec2181d8a37f63cb87f55c9a09eb2ed80127bf7b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 8 Dec 2025 17:09:31 +0100
Subject: [PATCH 2803/3088] www/caddy: Fix race condition that moved domain
 filter selectpicker into invisible tab, fix css (#5076)

---
 www/caddy/Makefile                            |  2 +-
 www/caddy/pkg-descr                           |  1 +
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 29 ++++++++++++-------
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 3132d78e42..344360c87d 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		caddy
 PLUGIN_VERSION=		2.0.4
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 7e861f39c5..71e6740172 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -12,6 +12,7 @@ Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/p
 Fix: Enabling HTTP access log wrongly excluded the process logs (opnsense/plugins/pull/4974)
 Fix: fix setup.sh script not setting correct ownership in www user mode (opnsense/plugins/pull/4976)
 Fix: Prevent sudo on startup via skip_install_trust (opnsense/plugins/pull/5015)
+Fix: Fix race condition that moved domain filter selectpicker into invisible tab (opnsense/plugins/pull/5076)
 
 2.0.3
 
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index bf6de62520..9ea070147d 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -260,12 +260,16 @@
 
 {% if entrypoint == 'reverse_proxy' %}
 
-                    // insert buttons and selectpicker
+                    // insert buttons and selectpicker only when the tab is actually visible
                     if (['{{formGridReverseProxy["table_id"]}}', '{{formGridHandle["table_id"]}}'].includes(grid_id)) {
+                        if (!$(e.target.hash).is(':visible')) {
+                            return;  // prevents the selectpicker from being moved into hidden tabs
+                        }
+
                         const header = $("#" + grid_id + "-header");
                         const $actionBar = header.find('.actionBar');
                         if ($actionBar.length) {
-                            $('#add_filter_container').detach().insertBefore($actionBar.find('.search')).show();
+                            $('#add_filter_container').detach().insertAfter($actionBar.find('.search')).show();
                         }
                     }
 
@@ -447,9 +451,6 @@
 </script>
 
 <style>
-    #add_filter_container {
-        float: left;
-    }
     .actions .dropdown-menu.pull-right {
         max-height: 400px;
         min-width: max-content;
@@ -462,20 +463,26 @@
         font-size: 16px;
         font-style: italic;
     }
-    #reverseFilterClear {
-        border-right: none;
+    #add_filter_container {
+        display: flex;
+        gap: 8px;
     }
-    #add_filter_container .bootstrap-select > .dropdown-toggle {
-        border-top-left-radius: 0;
-        border-bottom-left-radius: 0;
+    @media (max-width: 1024px) {
+        #reverseFilterClear {
+            flex: 1 1 100%;
+        }
+        #reverseFilter {
+            flex: 1 1 100%;
+        }
     }
+
 </style>
 
 <div id="add_filter_container" class="btn-group" style="display: none;">
     <button type="button" id="reverseFilterClear" class="btn btn-default" title="{{ lang._('Clear Selection') }}">
         <i id="reverseFilterIcon" class="fa fa-fw fa-filter"></i>
     </button>
-    <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="300px" data-size="10" data-container="body" title="{{ lang._('Filter by Domain') }}">
+    <select id="reverseFilter" class="selectpicker form-control" multiple data-live-search="true" data-width="200px" data-size="10" data-container="body" title="{{ lang._('Filter by Domain') }}">
     </select>
 </div>
 

From e71840b1ffb9cb1cb10bf45738c24f8802af7462 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 14:51:31 +0100
Subject: [PATCH 2804/3088] www/web-proxy-sso: switch to ummaintained instead
 of obsolete for now

PR: https://github.com/opnsense/plugins/commit/6450cbcaca3
---
 README.md                  | 2 +-
 www/web-proxy-sso/Makefile | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/README.md b/README.md
index b982193b02..d31a31dd4a 100644
--- a/README.md
+++ b/README.md
@@ -127,7 +127,7 @@ www/cache -- Webserver cache
 www/caddy -- Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 www/nginx -- Nginx HTTP server and reverse proxy
 www/squid -- Squid is a caching proxy for the web (not maintained)
-www/web-proxy-sso -- Kerberos authentication module (pending removal)
+www/web-proxy-sso -- Kerberos authentication module (not maintained)
 ```
 
 A brief description of how to use the plugins repository
diff --git a/www/web-proxy-sso/Makefile b/www/web-proxy-sso/Makefile
index f09fdd203e..e62e084a45 100644
--- a/www/web-proxy-sso/Makefile
+++ b/www/web-proxy-sso/Makefile
@@ -3,8 +3,6 @@ PLUGIN_VERSION=		2.2
 PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Kerberos authentication module
 PLUGIN_DEPENDS=		msktutil cyrus-sasl-gssapi
-PLUGIN_OBSOLETE=	yes
-PLUGIN_MAINTAINER=	evbevz@gmail.com
 PLUGIN_WWW=		https://smart-soft.ru
 
 .include "../../Mk/plugins.mk"

From b54176af74fe006da6b0f34779e56610db81209a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 14:55:30 +0100
Subject: [PATCH 2805/3088] sysutils/dmidecode: mark unmaintained, last update
 in 2019

---
 README.md                   | 2 +-
 sysutils/dmidecode/Makefile | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index d31a31dd4a..5f53869db9 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,7 @@ sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/beats -- Send logs, network, metrics and heartbeat to Elasticsearch
 sysutils/cpu-microcode -- CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
-sysutils/dmidecode -- Display hardware information on the dashboard
+sysutils/dmidecode -- Display hardware information on the dashboard (not maintained)
 sysutils/gdrive-backup -- Backup configurations using Google Drive
 sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
diff --git a/sysutils/dmidecode/Makefile b/sysutils/dmidecode/Makefile
index 590aef8fa9..bcc369e09f 100644
--- a/sysutils/dmidecode/Makefile
+++ b/sysutils/dmidecode/Makefile
@@ -2,7 +2,6 @@ PLUGIN_NAME=		dmidecode
 PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Display hardware information on the dashboard
 PLUGIN_DEPENDS=		dmidecode
-PLUGIN_MAINTAINER=	evbevz@gmail.com
 PLUGIN_WWW=		https://smart-soft.ru
 
 .include "../../Mk/plugins.mk"

From 3752d19c57843641e6567e920ce5bfe9918c1530 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:24:39 +0100
Subject: [PATCH 2806/3088] net/ndp-proxy-go: style change

---
 .../app/controllers/OPNsense/NdpProxy/Api/GeneralController.php  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
index f932bb2fb9..7662fcbd8e 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/Api/GeneralController.php
@@ -62,5 +62,4 @@ public function delAliasAction($uuid)
     {
         return $this->delBase('aliases.alias', $uuid);
     }
-
 }

From c93a745e7289a4e0af9ec20f09b2658de0eedb92 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:27:17 +0100
Subject: [PATCH 2807/3088] www/c-icap: style

---
 .../app/models/OPNsense/CICAP/Antivirus.xml   | 20 ++++++-------
 .../mvc/app/models/OPNsense/CICAP/General.xml | 28 ++++++++-----------
 2 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Antivirus.xml b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Antivirus.xml
index d31805eb8d..cd45fe479e 100644
--- a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Antivirus.xml
+++ b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/Antivirus.xml
@@ -11,15 +11,15 @@
             <Default>TEXT,DATA,EXECUTABLE,ARCHIVE,GIF,JPEG,MSOFFICE</Default>
             <Multiple>Y</Multiple>
             <Required>Y</Required>
-                <OptionValues>
-                    <TEXT>Text files</TEXT>
-                    <DATA>Binary files</DATA>
-                    <EXECUTABLE>Executables</EXECUTABLE>
-                    <ARCHIVE>Archives</ARCHIVE>
-                    <GIF>GIF animations</GIF>
-                    <JPEG>JPEG pictures</JPEG>
-                    <MSOFFICE>Microsoft office files</MSOFFICE>
-                </OptionValues>
+            <OptionValues>
+                <TEXT>Text files</TEXT>
+                <DATA>Binary files</DATA>
+                <EXECUTABLE>Executables</EXECUTABLE>
+                <ARCHIVE>Archives</ARCHIVE>
+                <GIF>GIF animations</GIF>
+                <JPEG>JPEG pictures</JPEG>
+                <MSOFFICE>Microsoft office files</MSOFFICE>
+            </OptionValues>
         </scanfiletypes>
         <sendpercentdata type="IntegerField">
             <Default>5</Default>
@@ -41,5 +41,5 @@
             <Default>5M</Default>
             <Required>Y</Required>
         </maxobjectsize>
-	</items>
+    </items>
 </model>
diff --git a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/General.xml b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/General.xml
index 8f1d7232a4..ba65b5243b 100644
--- a/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/General.xml
+++ b/www/c-icap/src/opnsense/mvc/app/models/OPNsense/CICAP/General.xml
@@ -33,31 +33,25 @@
         </minsparethreads>
         <maxsparethreads type="IntegerField">
             <Default>20</Default>
-	    <Required>Y</Required>
-	</maxsparethreads>
+            <Required>Y</Required>
+        </maxsparethreads>
         <threadsperchild type="IntegerField">
             <Default>10</Default>
-	    <Required>Y</Required>
-	</threadsperchild>
+            <Required>Y</Required>
+        </threadsperchild>
         <maxrequestsperchild type="IntegerField">
             <Default>0</Default>
-	    <Required>Y</Required>
-	</maxrequestsperchild>
+            <Required>Y</Required>
+        </maxrequestsperchild>
         <listenaddress type="NetworkField">
             <Default>::1</Default>
-	    <WildcardEnabled>N</WildcardEnabled>
-	    <NetMaskRequired>N</NetMaskRequired>
-	    <FieldSeparator>,</FieldSeparator>
+            <WildcardEnabled>N</WildcardEnabled>
+            <NetMaskRequired>N</NetMaskRequired>
+            <FieldSeparator>,</FieldSeparator>
             <Required>Y</Required>
         </listenaddress>
-        <serveradmin type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </serveradmin>
-        <servername type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </servername>
+        <serveradmin type="TextField"/>
+        <servername type="TextField"/>
         <enable_accesslog type="BooleanField">
             <Default>1</Default>
             <Required>Y</Required>

From c8a35ea27b6bee4e20b962943697de0dd4500e15 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:27:43 +0100
Subject: [PATCH 2808/3088] www/squid: style

---
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml   | 432 +++++++++---------
 1 file changed, 216 insertions(+), 216 deletions(-)

diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index d870282407..3a0d406bbc 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -101,14 +101,14 @@
                         <Required>Y</Required>
                     </cache_mem>
                     <maximum_object_size type="IntegerField">
-                      <MinimumValue>1</MinimumValue>
-                      <MaximumValue>99999</MaximumValue>
-                      <ValidationMessage>Specify a maximum object size (number of MBs).</ValidationMessage>
+                        <MinimumValue>1</MinimumValue>
+                        <MaximumValue>99999</MaximumValue>
+                        <ValidationMessage>Specify a maximum object size (number of MBs).</ValidationMessage>
                     </maximum_object_size>
                     <maximum_object_size_in_memory type="IntegerField">
-                      <MinimumValue>1</MinimumValue>
-                      <MaximumValue>99999</MaximumValue>
-                      <ValidationMessage>Specify a maximum object size in memory (number of KBs).</ValidationMessage>
+                        <MinimumValue>1</MinimumValue>
+                        <MaximumValue>99999</MaximumValue>
+                        <ValidationMessage>Specify a maximum object size in memory (number of KBs).</ValidationMessage>
                     </maximum_object_size_in_memory>
                     <memory_cache_mode type="OptionField">
                         <BlankDesc>Default</BlankDesc>
@@ -279,27 +279,27 @@
                 <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
             </sslcertificate>
             <sslnobumpsites type="CSVListField">
-              <Mask>/^([a-zA-Z0-9\.:\[\]\s\-]*?,)*([a-zA-Z0-9\.:\[\]\s\-]*)$/</Mask>
-              <ValidationMessage>Please enter ip addresses or domain names here.</ValidationMessage>
+                <Mask>/^([a-zA-Z0-9\.:\[\]\s\-]*?,)*([a-zA-Z0-9\.:\[\]\s\-]*)$/</Mask>
+                <ValidationMessage>Please enter ip addresses or domain names here.</ValidationMessage>
             </sslnobumpsites>
             <workers type="IntegerField">
-              <MinimumValue>1</MinimumValue>
-              <MaximumValue>100</MaximumValue>
-              <ValidationMessage>Worker number needs to be an integer value between 1 and 100.</ValidationMessage>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>100</MaximumValue>
+                <ValidationMessage>Worker number needs to be an integer value between 1 and 100.</ValidationMessage>
             </workers>
             <ssl_crtd_storage_max_size type="IntegerField">
-              <Required>Y</Required>
-              <Default>4</Default>
-              <MinimumValue>1</MinimumValue>
-              <MaximumValue>65535</MaximumValue>
-              <ValidationMessage>Maximum size needs to be an integer value between 1 and 65535.</ValidationMessage>
+                <Required>Y</Required>
+                <Default>4</Default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>Maximum size needs to be an integer value between 1 and 65535.</ValidationMessage>
             </ssl_crtd_storage_max_size>
             <sslcrtd_children type="IntegerField">
-              <Required>Y</Required>
-              <Default>5</Default>
-              <MinimumValue>1</MinimumValue>
-              <MaximumValue>32</MaximumValue>
-              <ValidationMessage>The number of sslrtd children needs to be an integer value between 1 and 32.</ValidationMessage>
+                <Required>Y</Required>
+                <Default>5</Default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>32</MaximumValue>
+                <ValidationMessage>The number of sslrtd children needs to be an integer value between 1 and 32.</ValidationMessage>
             </sslcrtd_children>
             <snmp_enable type="BooleanField">
                 <Default>0</Default>
@@ -497,203 +497,203 @@
             </authentication>
         </forward>
         <pac>
-          <proxy type="ArrayField">
-              <name type="TextField">
-                  <Required>Y</Required>
-                  <ValidationMessage>The proxy name must be set.</ValidationMessage>
-                  <Constraints>
-                      <check001>
-                          <ValidationMessage>Proxy name should be unique.</ValidationMessage>
-                          <type>UniqueConstraint</type>
-                      </check001>
-                  </Constraints>
-              </name>
-              <proxy_type type="OptionField">
-                  <Required>Y</Required>
-                  <OptionValues>
-                      <PROXY>Proxy</PROXY>
-                      <DIRECT>Direct Connection (no Proxy)</DIRECT>
-                      <HTTP>HTTP Proxy</HTTP>
-                      <HTTPS>HTTPS Proxy</HTTPS>
-                      <SOCKS>SOCKS</SOCKS>
-                      <SOCKS4>SOCKS Version 4</SOCKS4>
-                      <SOCKS5>SOCKS Version 5</SOCKS5>
-                  </OptionValues>
-              </proxy_type>
-              <url type="TextField">
-                  <ValidationMessage>This does not look like a valid proxy or direct connection.</ValidationMessage>
-              </url>
-              <description type="TextField">
-                  <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-              </description>
-          </proxy>
-          <match type="ArrayField">
-              <name type="TextField">
-                  <Required>Y</Required>
-                  <ValidationMessage>The match name must be set.</ValidationMessage>
-                  <Constraints>
-                      <check001>
-                          <ValidationMessage>Match name should be unique.</ValidationMessage>
-                          <type>UniqueConstraint</type>
-                      </check001>
-                  </Constraints>
-              </name>
-              <description type="TextField">
-                  <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-              </description>
-              <negate type="BooleanField">
-                  <Default>0</Default>
-                  <Required>Y</Required>
-              </negate>
-              <match_type type="OptionField">
-                  <Required>Y</Required>
-                  <OptionValues>
-                      <url_matches>URL Matches</url_matches>
-                      <hostname_matches>Hostname Matches</hostname_matches>
-                      <dns_domain_is>DNS Domain Is</dns_domain_is>
-                      <destination_in_net>IP Is In Network</destination_in_net>
-                      <my_ip_in_net>My IP Is In Network</my_ip_in_net>
-                      <plain_hostname>Plain Hostname (No Dots Inside)</plain_hostname>
-                      <is_resolvable>Is Resolvable</is_resolvable>
-                      <dns_domain_levels>DNS Domain Levels (Count Of Dots)</dns_domain_levels>
-                      <weekday_range>Weekday Range</weekday_range>
-                      <date_range>Date Range</date_range>
-                      <time_range>Time Range</time_range>
-                  </OptionValues>
-              </match_type>
-              <hostname type="TextField"/>
-              <url type="TextField">
-                  <Mask>/^[^"]*$/</Mask>
-              </url>
-              <network type="NetworkField"/>
-              <domain_level_from type="IntegerField">
-                  <MinimumValue>0</MinimumValue>
-                  <ValidationMessage>Minimum domain level must be bigger than 0.</ValidationMessage>
-              </domain_level_from>
-              <domain_level_to type="IntegerField">
-                  <MinimumValue>0</MinimumValue>
-                  <ValidationMessage>A hostname cannot have a negative count of levels.</ValidationMessage>
-              </domain_level_to>
-              <time_from type="IntegerField">
-                  <MinimumValue>0</MinimumValue>
-                  <ValidationMessage>The first hour of the day is 0.</ValidationMessage>
-              </time_from>
-              <time_to type="IntegerField">
-                  <MinimumValue>0</MinimumValue>
-                  <MaximumValue>23</MaximumValue>
-                  <ValidationMessage>The last hour of the day is 23.</ValidationMessage>
-              </time_to>
-              <date_from type="OptionField">
-                  <Required>Y</Required>
-                  <OptionValues>
-                      <JAN>January</JAN>
-                      <FEB>February</FEB>
-                      <MAR>March</MAR>
-                      <APR>April</APR>
-                      <MAY>May</MAY>
-                      <JUN>June</JUN>
-                      <JUL>July</JUL>
-                      <AUG>August</AUG>
-                      <SEP>September</SEP>
-                      <OCT>October</OCT>
-                      <NOV>November</NOV>
-                      <DEC>December</DEC>
-                  </OptionValues>
-              </date_from>
-              <date_to type="OptionField">
-                  <Required>Y</Required>
-                  <OptionValues>
-                      <JAN>January</JAN>
-                      <FEB>February</FEB>
-                      <MAR>March</MAR>
-                      <APR>April</APR>
-                      <MAY>May</MAY>
-                      <JUN>June</JUN>
-                      <JUL>July</JUL>
-                      <AUG>August</AUG>
-                      <SEP>September</SEP>
-                      <OCT>October</OCT>
-                      <NOV>November</NOV>
-                      <DEC>December</DEC>
-                  </OptionValues>
-              </date_to>
-              <weekday_from type="OptionField">
-                  <Required>Y</Required>
-                  <OptionValues>
-                      <MON>Monday</MON>
-                      <TUE>Tuesday</TUE>
-                      <WED>Wednesday</WED>
-                      <THU>Thursday</THU>
-                      <FRI>Friday</FRI>
-                      <SAT>Saturday</SAT>
-                      <SUN>Sunday</SUN>
-                  </OptionValues>
-              </weekday_from>
-              <weekday_to type="OptionField">
-                  <Required>Y</Required>
-                  <OptionValues>
-                      <MON>Monday</MON>
-                      <TUE>Tuesday</TUE>
-                      <WED>Wednesday</WED>
-                      <THU>Thursday</THU>
-                      <FRI>Friday</FRI>
-                      <SAT>Saturday</SAT>
-                      <SUN>Sunday</SUN>
-                  </OptionValues>
-              </weekday_to>
-          </match>
-          <rule type="ArrayField">
-              <enabled type="BooleanField">
-                  <Default>1</Default>
-                  <Required>Y</Required>
-              </enabled>
-              <description type="TextField">
-                  <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-              </description>
-              <matches type="ModelRelationField">
-                  <Model>
-                      <queues>
-                          <source>OPNsense.Proxy.Proxy</source>
-                          <items>pac.match</items>
-                          <display>name</display>
-                      </queues>
-                  </Model>
-                  <Required>Y</Required>
-                  <Multiple>Y</Multiple>
-              </matches>
-              <join_type type="OptionField">
-                  <Required>Y</Required>
-                  <OptionValues>
-                      <and>And</and>
-                      <or>Or</or>
-                  </OptionValues>
-              </join_type>
-              <match_type type="OptionField">
-                  <Required>Y</Required>
-                  <OptionValues>
-                      <if>If</if>
-                      <unless>Unless</unless>
-                  </OptionValues>
-              </match_type>
-              <proxies type="ModelRelationField">
-                  <Sorted>Y</Sorted>
-                  <Model>
-                      <queues>
-                          <source>OPNsense.Proxy.Proxy</source>
-                          <items>pac.proxy</items>
-                          <display>name</display>
-                      </queues>
-                  </Model>
-                  <Required>Y</Required>
-                  <Multiple>Y</Multiple>
-              </proxies>
-          </rule>
+            <proxy type="ArrayField">
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <ValidationMessage>The proxy name must be set.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Proxy name should be unique.</ValidationMessage>
+                            <type>UniqueConstraint</type>
+                        </check001>
+                    </Constraints>
+                </name>
+                <proxy_type type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <PROXY>Proxy</PROXY>
+                        <DIRECT>Direct Connection (no Proxy)</DIRECT>
+                        <HTTP>HTTP Proxy</HTTP>
+                        <HTTPS>HTTPS Proxy</HTTPS>
+                        <SOCKS>SOCKS</SOCKS>
+                        <SOCKS4>SOCKS Version 4</SOCKS4>
+                        <SOCKS5>SOCKS Version 5</SOCKS5>
+                    </OptionValues>
+                </proxy_type>
+                <url type="TextField">
+                    <ValidationMessage>This does not look like a valid proxy or direct connection.</ValidationMessage>
+                </url>
+                <description type="TextField">
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                </description>
+            </proxy>
+            <match type="ArrayField">
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <ValidationMessage>The match name must be set.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>Match name should be unique.</ValidationMessage>
+                            <type>UniqueConstraint</type>
+                        </check001>
+                    </Constraints>
+                </name>
+                <description type="TextField">
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                </description>
+                <negate type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </negate>
+                <match_type type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <url_matches>URL Matches</url_matches>
+                        <hostname_matches>Hostname Matches</hostname_matches>
+                        <dns_domain_is>DNS Domain Is</dns_domain_is>
+                        <destination_in_net>IP Is In Network</destination_in_net>
+                        <my_ip_in_net>My IP Is In Network</my_ip_in_net>
+                        <plain_hostname>Plain Hostname (No Dots Inside)</plain_hostname>
+                        <is_resolvable>Is Resolvable</is_resolvable>
+                        <dns_domain_levels>DNS Domain Levels (Count Of Dots)</dns_domain_levels>
+                        <weekday_range>Weekday Range</weekday_range>
+                        <date_range>Date Range</date_range>
+                        <time_range>Time Range</time_range>
+                    </OptionValues>
+                </match_type>
+                <hostname type="TextField"/>
+                <url type="TextField">
+                    <Mask>/^[^"]*$/</Mask>
+                </url>
+                <network type="NetworkField"/>
+                <domain_level_from type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <ValidationMessage>Minimum domain level must be bigger than 0.</ValidationMessage>
+                </domain_level_from>
+                <domain_level_to type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <ValidationMessage>A hostname cannot have a negative count of levels.</ValidationMessage>
+                </domain_level_to>
+                <time_from type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <ValidationMessage>The first hour of the day is 0.</ValidationMessage>
+                </time_from>
+                <time_to type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>23</MaximumValue>
+                    <ValidationMessage>The last hour of the day is 23.</ValidationMessage>
+                </time_to>
+                <date_from type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <JAN>January</JAN>
+                        <FEB>February</FEB>
+                        <MAR>March</MAR>
+                        <APR>April</APR>
+                        <MAY>May</MAY>
+                        <JUN>June</JUN>
+                        <JUL>July</JUL>
+                        <AUG>August</AUG>
+                        <SEP>September</SEP>
+                        <OCT>October</OCT>
+                        <NOV>November</NOV>
+                        <DEC>December</DEC>
+                    </OptionValues>
+                </date_from>
+                <date_to type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <JAN>January</JAN>
+                        <FEB>February</FEB>
+                        <MAR>March</MAR>
+                        <APR>April</APR>
+                        <MAY>May</MAY>
+                        <JUN>June</JUN>
+                        <JUL>July</JUL>
+                        <AUG>August</AUG>
+                        <SEP>September</SEP>
+                        <OCT>October</OCT>
+                        <NOV>November</NOV>
+                        <DEC>December</DEC>
+                    </OptionValues>
+                </date_to>
+                <weekday_from type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <MON>Monday</MON>
+                        <TUE>Tuesday</TUE>
+                        <WED>Wednesday</WED>
+                        <THU>Thursday</THU>
+                        <FRI>Friday</FRI>
+                        <SAT>Saturday</SAT>
+                        <SUN>Sunday</SUN>
+                    </OptionValues>
+                </weekday_from>
+                <weekday_to type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <MON>Monday</MON>
+                        <TUE>Tuesday</TUE>
+                        <WED>Wednesday</WED>
+                        <THU>Thursday</THU>
+                        <FRI>Friday</FRI>
+                        <SAT>Saturday</SAT>
+                        <SUN>Sunday</SUN>
+                    </OptionValues>
+                </weekday_to>
+            </match>
+            <rule type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <description type="TextField">
+                    <Mask>/^([\t\n\v\f\r 0-9a-zA-Z\-.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                </description>
+                <matches type="ModelRelationField">
+                    <Model>
+                        <queues>
+                            <source>OPNsense.Proxy.Proxy</source>
+                            <items>pac.match</items>
+                            <display>name</display>
+                        </queues>
+                    </Model>
+                    <Required>Y</Required>
+                    <Multiple>Y</Multiple>
+                </matches>
+                <join_type type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <and>And</and>
+                        <or>Or</or>
+                    </OptionValues>
+                </join_type>
+                <match_type type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <if>If</if>
+                        <unless>Unless</unless>
+                    </OptionValues>
+                </match_type>
+                <proxies type="ModelRelationField">
+                    <Sorted>Y</Sorted>
+                    <Model>
+                        <queues>
+                            <source>OPNsense.Proxy.Proxy</source>
+                            <items>pac.proxy</items>
+                            <display>name</display>
+                        </queues>
+                    </Model>
+                    <Required>Y</Required>
+                    <Multiple>Y</Multiple>
+                </proxies>
+            </rule>
         </pac>
         <error_pages>
-          <template type="TextField">
-              <Mask>/[0-9a-zA-Z\+\=\/]{20,}/u</Mask>
-              <ValidationMessage>File content should be in Base64-encoded ZIP format.</ValidationMessage>
-          </template>
+            <template type="TextField">
+                <Mask>/[0-9a-zA-Z\+\=\/]{20,}/u</Mask>
+                <ValidationMessage>File content should be in Base64-encoded ZIP format.</ValidationMessage>
+            </template>
         </error_pages>
     </items>
 </model>

From e591bd7e5a225de5d8b4df3dc0d1e1c42f15d43b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:28:09 +0100
Subject: [PATCH 2809/3088] www/web-proxy-sso: style

---
 .../app/models/OPNsense/ProxySSO/ProxySSO.xml | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
index 963d01260c..85760d9271 100644
--- a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
+++ b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
@@ -1,23 +1,23 @@
 <model>
-<mount>//OPNsense/ProxySSO</mount>
-<description>
+    <mount>//OPNsense/ProxySSO</mount>
+    <description>
     Web-proxy Single Sign-On plugin
 </description>
-<items>
-    <EnableSSO type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-    </EnableSSO>
-    <ADKerberosImplementation type="OptionField">
-        <Default>W2008</Default>
-        <Required>Y</Required>
-        <OptionValues>
-            <W2003>Windows 2003</W2003>
-            <W2008>Windows 2008 with AES</W2008>
-        </OptionValues>
-    </ADKerberosImplementation>
-    <KerberosHostName type="TextField">
-        <Required>N</Required>
-    </KerberosHostName>
-</items>
+    <items>
+        <EnableSSO type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </EnableSSO>
+        <ADKerberosImplementation type="OptionField">
+            <Default>W2008</Default>
+            <Required>Y</Required>
+            <OptionValues>
+                <W2003>Windows 2003</W2003>
+                <W2008>Windows 2008 with AES</W2008>
+            </OptionValues>
+        </ADKerberosImplementation>
+        <KerberosHostName type="TextField">
+            <Required>N</Required>
+        </KerberosHostName>
+    </items>
 </model>

From e164391213d1db1a49c1cd41bfcba45db768de61 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:28:41 +0100
Subject: [PATCH 2810/3088] sysutils/sftp-backup: style

---
 .../models/OPNsense/Backup/SftpSettings.xml   | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
index 187a9b04c5..292568a8db 100644
--- a/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
+++ b/sysutils/sftp-backup/src/opnsense/mvc/app/models/OPNsense/Backup/SftpSettings.xml
@@ -4,16 +4,16 @@
     <description>OPNsense sftp Backup Settings</description>
     <items>
         <enabled type="BooleanField">
-          <Default>0</Default>
-          <Required>Y</Required>
-          <Constraints>
-              <check001>
-                  <reference>privkey.check001</reference>
-              </check001>
-              <check002>
-                  <reference>url.check001</reference>
-              </check002>
-          </Constraints>
+            <Default>0</Default>
+            <Required>Y</Required>
+            <Constraints>
+                <check001>
+                    <reference>privkey.check001</reference>
+                </check001>
+                <check002>
+                    <reference>url.check001</reference>
+                </check002>
+            </Constraints>
         </enabled>
         <url type="TextField">
             <Required>N</Required>
@@ -49,8 +49,8 @@
             <MinimumValue>0</MinimumValue>
         </backupcount>
         <prefixhostname type="BooleanField">
-          <Default>0</Default>
-          <Required>N</Required>
+            <Default>0</Default>
+            <Required>N</Required>
         </prefixhostname>
     </items>
 </model>

From 66a47b839434163e1363d375ef4c850455aa818a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:30:21 +0100
Subject: [PATCH 2811/3088] mail/rspamd: style

---
 .../mvc/app/models/OPNsense/Rspamd/RSpamd.xml | 1007 ++++++++---------
 1 file changed, 495 insertions(+), 512 deletions(-)

diff --git a/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml b/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
index 5bd77ea2f4..b327dff800 100644
--- a/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
+++ b/mail/rspamd/src/opnsense/mvc/app/models/OPNsense/Rspamd/RSpamd.xml
@@ -1,514 +1,497 @@
 <model>
-  <mount>//OPNsense/Rspamd</mount>
-  <description>rspamd anti spam filter</description>
-  <version>1.0.2</version>
-  <items>
-    <general>
-      <enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enabled>
-      <enable_redis_plugin type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enable_redis_plugin>
-      <enable_bayes_autolearn type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enable_bayes_autolearn>
-      <rejectscore type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-        <MaximumValue>999</MaximumValue>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be bigger than the subject score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>subjectscore</field>
-            <operator>gt</operator>
-          </check001>
-          <check002>
-            <ValidationMessage>This field must be bigger than the reject score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>headerscore</field>
-            <operator>gt</operator>
-          </check002>
-          <check003>
-            <ValidationMessage>This field must be bigger than the greylist score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>greylistscore</field>
-            <operator>gt</operator>
-          </check003>
-        </Constraints>
-      </rejectscore>
-      <headerscore type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-        <MaximumValue>999</MaximumValue>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be lower than the subject score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>subjectscore</field>
-            <operator>lt</operator>
-          </check001>
-          <check002>
-            <ValidationMessage>This field must be lower than the reject score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>rejectscore</field>
-            <operator>lt</operator>
-          </check002>
-          <check003>
-            <ValidationMessage>This field must be bigger than the greylist score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>greylistscore</field>
-            <operator>gt</operator>
-          </check003>
-        </Constraints>
-      </headerscore>
-      <greylistscore type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-        <MaximumValue>999</MaximumValue>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be lower than the header score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>headerscore</field>
-            <operator>lt</operator>
-          </check001>
-          <check002>
-            <ValidationMessage>This field must be lower than the reject score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>rejectscore</field>
-            <operator>lt</operator>
-          </check002>
-          <check003>
-            <ValidationMessage>This field must be lower than the subject score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>subjectscore</field>
-            <operator>lt</operator>
-          </check003>
-        </Constraints>
-      </greylistscore>
-      <subjectscore type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-        <MaximumValue>999</MaximumValue>
-        <Constraints>
-          <check001>
-            <ValidationMessage>This field must be bigger than the header score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>headerscore</field>
-            <operator>gt</operator>
-          </check001>
-          <check002>
-            <ValidationMessage>This field must be lower than the reject score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>rejectscore</field>
-            <operator>lt</operator>
-          </check002>
-          <check003>
-            <ValidationMessage>This field must be bigger than the subject score.</ValidationMessage>
-            <type>ComparedToFieldConstraint</type>
-            <field>greylistscore</field>
-            <operator>gt</operator>
-          </check003>
-        </Constraints>
-      </subjectscore>
-      <rewritesubject type="TextField">
-        <Required>N</Required>
-      </rewritesubject>
-      <historyrows type="IntegerField">
-        <Default>200</Default>
-        <Required>Y</Required>
-        <MinimumValue>1</MinimumValue>
-        <MaximumValue>100000</MaximumValue>
-        <ValidationMessage>Choose a value between 1 and 100000.</ValidationMessage>
-      </historyrows>
-      <nameserver type="HostnameField">
-        <Default>127.0.0.1</Default>
-        <Required>Y</Required>
-        <FieldSeparator>,</FieldSeparator>
-        <AsList>Y</AsList>
-      </nameserver>
-    </general>
-
-    <milter_headers>
-      <enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enabled>
-      <enable_extended_spam_headers type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enable_extended_spam_headers>
-      <enable_authentication_results type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enable_authentication_results>
-      <enable_spamd_bar type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enable_spamd_bar>
-      <skip_local type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </skip_local>
-      <skip_authenticated type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </skip_authenticated>
-      <extended_headers_rcpt type="CSVListField">
-        <Mask>/[a-z0-9\.\-_@,]+/i</Mask>
-        <Required>N</Required>
-      </extended_headers_rcpt>
-    </milter_headers>
-
-    <graylist>
-      <expire type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-      </expire>
-      <timeout type="IntegerField">
-        <Required>N</Required>
-        <MinimumValue>1</MinimumValue>
-      </timeout>
-      <max_data_len type="IntegerField">
-        <Required>N</Required>
-      </max_data_len>
-      <ipv4mask type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <MaximumValue>32</MaximumValue>
-        <ValidationMessage>A valid IPv4 mask must be between 1 and 32 bits.</ValidationMessage>
-        <Default>19</Default>
-      </ipv4mask>
-      <ipv6mask type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <MaximumValue>128</MaximumValue>
-        <Default>64</Default>
-        <ValidationMessage>A valid IPv6 mask must be between 1 and 128 bits. 64 bits are recommended as this is the recommended subnet size in IPv6.</ValidationMessage>
-      </ipv6mask>
-      <whitelist_ip type="CSVListField">
-        <Required>N</Required>
-        <Mask>/^([a-fA-F0-9\.:\[\]\/]*?,)*([a-fA-F0-9\.:\[\]\/]*)$/</Mask>
-      </whitelist_ip>
-    </graylist>
-
-    <dkim>
-      <cache_size type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <ValidationMessage>A valid cache size must be set.</ValidationMessage>
-      </cache_size>
-      <cache_expire type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <ValidationMessage>A valid cache expiration must be set.</ValidationMessage>
-      </cache_expire>
-      <time_jitter type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <ValidationMessage>A valid time jitter must be set.</ValidationMessage>
-      </time_jitter>
-      <trusted_only type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </trusted_only>
-      <skip_multi type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </skip_multi>
-      <!-- dkim signing -->
-      <allow_envfrom_empty type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </allow_envfrom_empty>
-      <allow_hdrfrom_mismatch type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </allow_hdrfrom_mismatch>
-      <allow_hdrfrom_multiple type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </allow_hdrfrom_multiple>
-      <allow_username_mismatch type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </allow_username_mismatch>
-      <auth_only type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </auth_only>
-      <sign_local type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </sign_local>
-      <try_fallback type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </try_fallback>
-      <use_domain type="OptionField">
-        <Default>header</Default>
-        <Required>Y</Required>
-        <OptionValues>
-          <header>Header</header>
-          <envelope>Envelope</envelope>
-        </OptionValues>
-      </use_domain>
-      <use_esld type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </use_esld>
-    </dkim>
-
-    <mx-check>
-      <enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enabled>
-      <expire type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <Default>86400</Default>
-        <ValidationMessage>A valid cache expiration must be set.</ValidationMessage>
-      </expire>
-    </mx-check>
-
-    <phishing>
-      <openphish_enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </openphish_enabled>
-      <openphish_map type="TextField">
-        <Default></Default>
-        <Required>N</Required>
-      </openphish_map>
-      <openphish_premium_enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </openphish_premium_enabled>
-      <phishtank_enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </phishtank_enabled>
-      <phishtank_map type="TextField">
-        <Default></Default>
-        <Required>N</Required>
-      </phishtank_map>
-      <exclusion type="CSVListField">
-        <Required>N</Required>
-      </exclusion>
-    </phishing>
-
-    <rate_limit>
-      <per_recipient>
-        <count type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The count value must be a positive number.</ValidationMessage>
-        </count>
-        <time type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The time must be a positive integer.</ValidationMessage>
-        </time>
-        <time_unit type="OptionField">
-          <Default>m</Default>
-          <Required>Y</Required>
-          <OptionValues>
-            <s>Seconds</s>
-            <m>Minutes</m>
-            <h>Hours</h>
-          </OptionValues>
-        </time_unit>
-      </per_recipient>
-      <per_ip>
-        <count type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The count value must be a positive number.</ValidationMessage>
-        </count>
-        <time type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The time must be a positive integer.</ValidationMessage>
-        </time>
-        <time_unit type="OptionField">
-          <Default>m</Default>
-          <Required>Y</Required>
-          <OptionValues>
-            <s>Seconds</s>
-            <m>Minutes</m>
-            <h>Hours</h>
-          </OptionValues>
-        </time_unit>
-      </per_ip>
-      <per_ip_from>
-        <count type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The count value must be a positive number.</ValidationMessage>
-        </count>
-        <time type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The time must be a positive integer.</ValidationMessage>
-        </time>
-        <time_unit type="OptionField">
-          <Default>m</Default>
-          <Required>Y</Required>
-          <OptionValues>
-            <s>Seconds</s>
-            <m>Minutes</m>
-            <h>Hours</h>
-          </OptionValues>
-        </time_unit>
-      </per_ip_from>
-      <bounce>
-        <count type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The count value must be a positive number.</ValidationMessage>
-        </count>
-        <time type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The time must be a positive integer.</ValidationMessage>
-        </time>
-        <time_unit type="OptionField">
-          <Default>m</Default>
-          <Required>Y</Required>
-          <OptionValues>
-            <s>Seconds</s>
-            <m>Minutes</m>
-            <h>Hours</h>
-          </OptionValues>
-        </time_unit>
-      </bounce>
-      <bounce_ip>
-        <count type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The count value must be a positive number.</ValidationMessage>
-        </count>
-        <time type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The time must be a positive integer.</ValidationMessage>
-        </time>
-        <time_unit type="OptionField">
-          <Default>m</Default>
-          <Required>Y</Required>
-          <OptionValues>
-            <s>Seconds</s>
-            <m>Minutes</m>
-            <h>Hours</h>
-          </OptionValues>
-        </time_unit>
-      </bounce_ip>
-      <user>
-        <count type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The count value must be a positive number.</ValidationMessage>
-        </count>
-        <time type="IntegerField">
-          <MinimumValue>1</MinimumValue>
-          <Required>N</Required>
-          <ValidationMessage>The time must be a positive integer.</ValidationMessage>
-        </time>
-        <time_unit type="OptionField">
-          <Default>m</Default>
-          <Required>Y</Required>
-          <OptionValues>
-            <s>Seconds</s>
-            <m>Minutes</m>
-            <h>Hours</h>
-          </OptionValues>
-        </time_unit>
-      </user>
-      <whitelisted_rcpts type="CSVListField">
-        <Default>postmaster,mailer-daemon</Default>
-      </whitelisted_rcpts>
-      <max_rcpt type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>Y</Required>
-        <Default>20</Default>
-      </max_rcpt>
-    </rate_limit>
-
-    <spamtrap>
-      <enabled type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enabled>
-      <fuzzy_learning type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </fuzzy_learning>
-      <spam_learning type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </spam_learning>
-      <spam_recipients type="CSVListField">
-        <Required>N</Required>
-      </spam_recipients>
-    </spamtrap>
-
-    <spf>
-      <spf_cache_size type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <Default>2</Default>
-        <ValidationMessage>A valid cache size in kilobytes must be set.</ValidationMessage>
-      </spf_cache_size>
-      <spf_cache_expire type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <ValidationMessage>A valid expiration time must be set.</ValidationMessage>
-      </spf_cache_expire>
-    </spf>
-
-    <av>
-      <force-reject type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </force-reject>
-      <attachments-only type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </attachments-only>
-      <max-size type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Default>20000000</Default>
-        <Required>N</Required>
-        <ValidationMessage>A valid maximum size in bytes must be set.</ValidationMessage>
-      </max-size>
-      <whitelist type="CSVListField">
-        <Required>N</Required>
-      </whitelist>
-    </av>
-
-    <surbl>
-      <whitelist type="CSVListField">
-        <Required>N</Required>
-      </whitelist>
-      <exceptions type="CSVListField">
-        <Required>N</Required>
-      </exceptions>
-    </surbl>
-
-    <multimap>
-      <badfileextension type="CSVListField">
-        <Required>N</Required>
-        <Default>exe,dll,scr,com,cmd,js,bat,vbs,ps1,bat,cpl,lnk,msi,msp,reg</Default>
-      </badfileextension>
-      <whitelistsender type="CSVListField">
-        <Required>N</Required>
-      </whitelistsender>
-    </multimap>
-  </items>
+    <mount>//OPNsense/Rspamd</mount>
+    <description>rspamd anti spam filter</description>
+    <version>1.0.2</version>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <enable_redis_plugin type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable_redis_plugin>
+            <enable_bayes_autolearn type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable_bayes_autolearn>
+            <rejectscore type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>999</MaximumValue>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be bigger than the subject score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>subjectscore</field>
+                        <operator>gt</operator>
+                    </check001>
+                    <check002>
+                        <ValidationMessage>This field must be bigger than the reject score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>headerscore</field>
+                        <operator>gt</operator>
+                    </check002>
+                    <check003>
+                        <ValidationMessage>This field must be bigger than the greylist score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>greylistscore</field>
+                        <operator>gt</operator>
+                    </check003>
+                </Constraints>
+            </rejectscore>
+            <headerscore type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>999</MaximumValue>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be lower than the subject score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>subjectscore</field>
+                        <operator>lt</operator>
+                    </check001>
+                    <check002>
+                        <ValidationMessage>This field must be lower than the reject score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>rejectscore</field>
+                        <operator>lt</operator>
+                    </check002>
+                    <check003>
+                        <ValidationMessage>This field must be bigger than the greylist score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>greylistscore</field>
+                        <operator>gt</operator>
+                    </check003>
+                </Constraints>
+            </headerscore>
+            <greylistscore type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>999</MaximumValue>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be lower than the header score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>headerscore</field>
+                        <operator>lt</operator>
+                    </check001>
+                    <check002>
+                        <ValidationMessage>This field must be lower than the reject score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>rejectscore</field>
+                        <operator>lt</operator>
+                    </check002>
+                    <check003>
+                        <ValidationMessage>This field must be lower than the subject score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>subjectscore</field>
+                        <operator>lt</operator>
+                    </check003>
+                </Constraints>
+            </greylistscore>
+            <subjectscore type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>999</MaximumValue>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>This field must be bigger than the header score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>headerscore</field>
+                        <operator>gt</operator>
+                    </check001>
+                    <check002>
+                        <ValidationMessage>This field must be lower than the reject score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>rejectscore</field>
+                        <operator>lt</operator>
+                    </check002>
+                    <check003>
+                        <ValidationMessage>This field must be bigger than the subject score.</ValidationMessage>
+                        <type>ComparedToFieldConstraint</type>
+                        <field>greylistscore</field>
+                        <operator>gt</operator>
+                    </check003>
+                </Constraints>
+            </subjectscore>
+            <rewritesubject type="TextField">
+                <Required>N</Required>
+            </rewritesubject>
+            <historyrows type="IntegerField">
+                <Default>200</Default>
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>100000</MaximumValue>
+                <ValidationMessage>Choose a value between 1 and 100000.</ValidationMessage>
+            </historyrows>
+            <nameserver type="HostnameField">
+                <Default>127.0.0.1</Default>
+                <Required>Y</Required>
+                <FieldSeparator>,</FieldSeparator>
+                <AsList>Y</AsList>
+            </nameserver>
+        </general>
+        <milter_headers>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <enable_extended_spam_headers type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable_extended_spam_headers>
+            <enable_authentication_results type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable_authentication_results>
+            <enable_spamd_bar type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable_spamd_bar>
+            <skip_local type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </skip_local>
+            <skip_authenticated type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </skip_authenticated>
+            <extended_headers_rcpt type="CSVListField">
+                <Mask>/[a-z0-9\.\-_@,]+/i</Mask>
+                <Required>N</Required>
+            </extended_headers_rcpt>
+        </milter_headers>
+        <graylist>
+            <expire type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+            </expire>
+            <timeout type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+            </timeout>
+            <max_data_len type="IntegerField">
+                <Required>N</Required>
+            </max_data_len>
+            <ipv4mask type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <MaximumValue>32</MaximumValue>
+                <ValidationMessage>A valid IPv4 mask must be between 1 and 32 bits.</ValidationMessage>
+                <Default>19</Default>
+            </ipv4mask>
+            <ipv6mask type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <MaximumValue>128</MaximumValue>
+                <Default>64</Default>
+                <ValidationMessage>A valid IPv6 mask must be between 1 and 128 bits. 64 bits are recommended as this is the recommended subnet size in IPv6.</ValidationMessage>
+            </ipv6mask>
+            <whitelist_ip type="CSVListField">
+                <Required>N</Required>
+                <Mask>/^([a-fA-F0-9\.:\[\]\/]*?,)*([a-fA-F0-9\.:\[\]\/]*)$/</Mask>
+            </whitelist_ip>
+        </graylist>
+        <dkim>
+            <cache_size type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <ValidationMessage>A valid cache size must be set.</ValidationMessage>
+            </cache_size>
+            <cache_expire type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <ValidationMessage>A valid cache expiration must be set.</ValidationMessage>
+            </cache_expire>
+            <time_jitter type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <ValidationMessage>A valid time jitter must be set.</ValidationMessage>
+            </time_jitter>
+            <trusted_only type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </trusted_only>
+            <skip_multi type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </skip_multi>
+            <!-- dkim signing -->
+            <allow_envfrom_empty type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </allow_envfrom_empty>
+            <allow_hdrfrom_mismatch type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </allow_hdrfrom_mismatch>
+            <allow_hdrfrom_multiple type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </allow_hdrfrom_multiple>
+            <allow_username_mismatch type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </allow_username_mismatch>
+            <auth_only type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </auth_only>
+            <sign_local type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </sign_local>
+            <try_fallback type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </try_fallback>
+            <use_domain type="OptionField">
+                <Default>header</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <header>Header</header>
+                    <envelope>Envelope</envelope>
+                </OptionValues>
+            </use_domain>
+            <use_esld type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </use_esld>
+        </dkim>
+        <mx-check>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <expire type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <Default>86400</Default>
+                <ValidationMessage>A valid cache expiration must be set.</ValidationMessage>
+            </expire>
+        </mx-check>
+        <phishing>
+            <openphish_enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </openphish_enabled>
+            <openphish_map type="TextField"/>
+            <openphish_premium_enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </openphish_premium_enabled>
+            <phishtank_enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </phishtank_enabled>
+            <phishtank_map type="TextField"/>
+            <exclusion type="CSVListField">
+                <Required>N</Required>
+            </exclusion>
+        </phishing>
+        <rate_limit>
+            <per_recipient>
+                <count type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The count value must be a positive number.</ValidationMessage>
+                </count>
+                <time type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The time must be a positive integer.</ValidationMessage>
+                </time>
+                <time_unit type="OptionField">
+                    <Default>m</Default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <s>Seconds</s>
+                        <m>Minutes</m>
+                        <h>Hours</h>
+                    </OptionValues>
+                </time_unit>
+            </per_recipient>
+            <per_ip>
+                <count type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The count value must be a positive number.</ValidationMessage>
+                </count>
+                <time type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The time must be a positive integer.</ValidationMessage>
+                </time>
+                <time_unit type="OptionField">
+                    <Default>m</Default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <s>Seconds</s>
+                        <m>Minutes</m>
+                        <h>Hours</h>
+                    </OptionValues>
+                </time_unit>
+            </per_ip>
+            <per_ip_from>
+                <count type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The count value must be a positive number.</ValidationMessage>
+                </count>
+                <time type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The time must be a positive integer.</ValidationMessage>
+                </time>
+                <time_unit type="OptionField">
+                    <Default>m</Default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <s>Seconds</s>
+                        <m>Minutes</m>
+                        <h>Hours</h>
+                    </OptionValues>
+                </time_unit>
+            </per_ip_from>
+            <bounce>
+                <count type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The count value must be a positive number.</ValidationMessage>
+                </count>
+                <time type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The time must be a positive integer.</ValidationMessage>
+                </time>
+                <time_unit type="OptionField">
+                    <Default>m</Default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <s>Seconds</s>
+                        <m>Minutes</m>
+                        <h>Hours</h>
+                    </OptionValues>
+                </time_unit>
+            </bounce>
+            <bounce_ip>
+                <count type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The count value must be a positive number.</ValidationMessage>
+                </count>
+                <time type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The time must be a positive integer.</ValidationMessage>
+                </time>
+                <time_unit type="OptionField">
+                    <Default>m</Default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <s>Seconds</s>
+                        <m>Minutes</m>
+                        <h>Hours</h>
+                    </OptionValues>
+                </time_unit>
+            </bounce_ip>
+            <user>
+                <count type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The count value must be a positive number.</ValidationMessage>
+                </count>
+                <time type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <Required>N</Required>
+                    <ValidationMessage>The time must be a positive integer.</ValidationMessage>
+                </time>
+                <time_unit type="OptionField">
+                    <Default>m</Default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <s>Seconds</s>
+                        <m>Minutes</m>
+                        <h>Hours</h>
+                    </OptionValues>
+                </time_unit>
+            </user>
+            <whitelisted_rcpts type="CSVListField">
+                <Default>postmaster,mailer-daemon</Default>
+            </whitelisted_rcpts>
+            <max_rcpt type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>Y</Required>
+                <Default>20</Default>
+            </max_rcpt>
+        </rate_limit>
+        <spamtrap>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <fuzzy_learning type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </fuzzy_learning>
+            <spam_learning type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </spam_learning>
+            <spam_recipients type="CSVListField">
+                <Required>N</Required>
+            </spam_recipients>
+        </spamtrap>
+        <spf>
+            <spf_cache_size type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <Default>2</Default>
+                <ValidationMessage>A valid cache size in kilobytes must be set.</ValidationMessage>
+            </spf_cache_size>
+            <spf_cache_expire type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <ValidationMessage>A valid expiration time must be set.</ValidationMessage>
+            </spf_cache_expire>
+        </spf>
+        <av>
+            <force-reject type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </force-reject>
+            <attachments-only type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </attachments-only>
+            <max-size type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Default>20000000</Default>
+                <Required>N</Required>
+                <ValidationMessage>A valid maximum size in bytes must be set.</ValidationMessage>
+            </max-size>
+            <whitelist type="CSVListField">
+                <Required>N</Required>
+            </whitelist>
+        </av>
+        <surbl>
+            <whitelist type="CSVListField">
+                <Required>N</Required>
+            </whitelist>
+            <exceptions type="CSVListField">
+                <Required>N</Required>
+            </exceptions>
+        </surbl>
+        <multimap>
+            <badfileextension type="CSVListField">
+                <Required>N</Required>
+                <Default>exe,dll,scr,com,cmd,js,bat,vbs,ps1,bat,cpl,lnk,msi,msp,reg</Default>
+            </badfileextension>
+            <whitelistsender type="CSVListField">
+                <Required>N</Required>
+            </whitelistsender>
+        </multimap>
+    </items>
 </model>

From 1f2af6b146c0acd1021ceb9afac67ec6669a4a60 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:33:28 +0100
Subject: [PATCH 2812/3088] net-mgmt/net-snmp: style

---
 .../mvc/app/models/OPNsense/Netsnmp/General.xml | 17 +++--------------
 .../mvc/app/models/OPNsense/Netsnmp/User.xml    |  9 +++------
 2 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
index c3e0d7e951..19118edcef 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/General.xml
@@ -7,18 +7,9 @@
             <Default>0</Default>
             <Required>Y</Required>
         </enabled>
-        <community type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </community>
-        <syslocation type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </syslocation>
-        <syscontact type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </syscontact>
+        <community type="TextField"/>
+        <syslocation type="TextField"/>
+        <syscontact type="TextField"/>
         <l3visibility type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -36,8 +27,6 @@
             <Required>Y</Required>
         </enableobservium>
         <listen type="NetworkField">
-            <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
             <AsList>Y</AsList>
         </listen>
     </items>
diff --git a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/User.xml b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/User.xml
index 9a705d5320..9b788f584b 100644
--- a/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/User.xml
+++ b/net-mgmt/net-snmp/src/opnsense/mvc/app/models/OPNsense/Netsnmp/User.xml
@@ -10,22 +10,19 @@
                     <Required>Y</Required>
                 </enabled>
                 <username type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z._\-]){1,64}$/u</Mask>
-                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are 0-9a-zA-Z._-</ValidationMessage>
+                    <ValidationMessage>Should be a string between 1 and 64 characters. Allowed characters are 0-9a-zA-Z_-.</ValidationMessage>
                 </username>
                 <password type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){8,64}$/u</Mask>
-                    <ValidationMessage>Should be a string between 8 and 64 characters. Allowed characters are 0-9a-zA-Z._-!$%/()+#=</ValidationMessage>
+                    <ValidationMessage>Should be a string between 8 and 64 characters. Allowed characters are 0-9a-zA-Z_-!$%/()+#=.</ValidationMessage>
                 </password>
                 <enckey type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){8,64}$/u</Mask>
-                    <ValidationMessage>Should be a string between 8 and 64 characters. Allowed characters are 0-9a-zA-Z._-!$%/()+#=</ValidationMessage>
+                    <ValidationMessage>Should be a string between 8 and 64 characters. Allowed characters are 0-9a-zA-Z_-!$%/()+#=.</ValidationMessage>
                 </enckey>
                 <readwrite type="BooleanField">
                     <Default>0</Default>

From e8a05cb8eccb48eb1427b9618c1f8d9ec89739fc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:35:02 +0100
Subject: [PATCH 2813/3088] net-mgmt/nrpe: style

---
 .../nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml  | 1 -
 .../nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml  | 2 --
 2 files changed, 3 deletions(-)

diff --git a/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml b/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml
index a158754a3e..af8d72e492 100644
--- a/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml
+++ b/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/Command.xml
@@ -10,7 +10,6 @@
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                     <Mask>/^[0-9a-z_\-]{1,32}$/ui</Mask>
                     <ValidationMessage>Only alphanumeric characters, dashes and underscores allowed.</ValidationMessage>
diff --git a/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml b/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml
index b1ed611e84..5e4975e407 100644
--- a/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml
+++ b/net-mgmt/nrpe/src/opnsense/mvc/app/models/OPNsense/Nrpe/General.xml
@@ -14,13 +14,11 @@
         <server_address type="NetworkField">
             <Default>127.0.0.1</Default>
             <Required>Y</Required>
-            <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
         </server_address>
         <allowed_hosts type="NetworkField">
             <Default>127.0.0.1,::1</Default>
             <Required>Y</Required>
-            <FieldSeparator>,</FieldSeparator>
             <AsList>Y</AsList>
         </allowed_hosts>
         <dont_blame_nrpe type="BooleanField">

From 8516ed07475dcd14305d614b733c9391c597b1ce Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:36:15 +0100
Subject: [PATCH 2814/3088] sutils/nut: style

---
 .../mvc/app/models/OPNsense/Nut/Nut.xml       | 303 +++++++++---------
 1 file changed, 149 insertions(+), 154 deletions(-)

diff --git a/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml b/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
index 9de3788b5e..8ff52d8237 100644
--- a/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
+++ b/sysutils/nut/src/opnsense/mvc/app/models/OPNsense/Nut/Nut.xml
@@ -1,156 +1,151 @@
 <model>
-  <mount>//OPNsense/Nut</mount>
-  <description>Network UPS Tools</description>
-  <version>1.0.4</version>
-  <items>
-    <general>
-      <enable type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-      </enable>
-      <mode type="OptionField">
-        <Default>standalone</Default>
-        <Required>Y</Required>
-        <OptionValues>
-          <standalone>standalone</standalone>
-          <netclient>netclient</netclient>
-        </OptionValues>
-      </mode>
-      <name type="TextField">
-        <Default>UPSName</Default>
-        <Required>Y</Required>
-        <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
-        <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
-      </name>
-      <listen type="CSVListField">
-        <Default>127.0.0.1,::1</Default>
-        <Required>Y</Required>
-      </listen>
-    </general>
-
-    <account>
-      <admin_password type="TextField">
-        <Required>Y</Required>
-        <Default>Password</Default>
-      </admin_password>
-      <mon_password type="TextField">
-        <Required>Y</Required>
-        <Default>Password</Default>
-      </mon_password>
-    </account>
-
-    <usbhid>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <args type="CSVListField">
-        <Default>port=auto</Default>
-        <Required>N</Required>
-      </args>
-    </usbhid>
-    <apcsmart>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <args type="CSVListField">
-        <Default>port=auto</Default>
-        <Required>N</Required>
-      </args>
-    </apcsmart>
-    <apcupsd>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <hostname type="HostnameField">
-        <Required>Y</Required>
-        <Default>localhost</Default>
-      </hostname>
-      <port type="PortField">
-        <Required>N</Required>
-      </port>
-    </apcupsd>
-    <bcmxcpusb>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <args type="CSVListField">
-        <Default>port=auto</Default>
-        <Required>N</Required>
-      </args>
-    </bcmxcpusb>
-    <blazerusb>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <args type="CSVListField">
-        <Default>port=auto</Default>
-        <Required>N</Required>
-      </args>
-    </blazerusb>
-    <blazerser>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <args type="CSVListField">
-        <Default>port=auto</Default>
-        <Required>N</Required>
-      </args>
-    </blazerser>
-    <netclient>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <address type="HostnameField">
-        <Default></Default>
-        <Required>N</Required>
-      </address>
-      <port type="PortField">
-        <Default>3493</Default>
-        <Required>N</Required>
-      </port>
-      <user type="TextField">
-        <Required>N</Required>
-      </user>
-      <password type="TextField">
-        <Required>N</Required>
-      </password>
-    </netclient>
-    <qx>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <args type="CSVListField">
-        <Default>port=auto</Default>
-        <Required>N</Required>
-      </args>
-    </qx>
-    <riello>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <args type="CSVListField">
-        <Default>port=auto</Default>
-        <Required>N</Required>
-      </args>
-    </riello>
-    <snmp>
-      <enable type="BooleanField">
-        <Required>Y</Required>
-        <Default>0</Default>
-      </enable>
-      <args type="CSVListField">
-        <Default>community=public</Default>
-        <Required>N</Required>
-      </args>
-    </snmp>
-  </items>
+    <mount>//OPNsense/Nut</mount>
+    <description>Network UPS Tools</description>
+    <version>1.0.4</version>
+    <items>
+        <general>
+            <enable type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable>
+            <mode type="OptionField">
+                <Default>standalone</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <standalone>standalone</standalone>
+                    <netclient>netclient</netclient>
+                </OptionValues>
+            </mode>
+            <name type="TextField">
+                <Default>UPSName</Default>
+                <Required>Y</Required>
+                <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
+                <ValidationMessage>The name should only contain alphanumeric characters, dashes, underscores or a dot.</ValidationMessage>
+            </name>
+            <listen type="CSVListField">
+                <Default>127.0.0.1,::1</Default>
+                <Required>Y</Required>
+            </listen>
+        </general>
+        <account>
+            <admin_password type="TextField">
+                <Required>Y</Required>
+                <Default>Password</Default>
+            </admin_password>
+            <mon_password type="TextField">
+                <Required>Y</Required>
+                <Default>Password</Default>
+            </mon_password>
+        </account>
+        <usbhid>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <args type="CSVListField">
+                <Default>port=auto</Default>
+                <Required>N</Required>
+            </args>
+        </usbhid>
+        <apcsmart>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <args type="CSVListField">
+                <Default>port=auto</Default>
+                <Required>N</Required>
+            </args>
+        </apcsmart>
+        <apcupsd>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <hostname type="HostnameField">
+                <Required>Y</Required>
+                <Default>localhost</Default>
+            </hostname>
+            <port type="PortField">
+                <Required>N</Required>
+            </port>
+        </apcupsd>
+        <bcmxcpusb>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <args type="CSVListField">
+                <Default>port=auto</Default>
+                <Required>N</Required>
+            </args>
+        </bcmxcpusb>
+        <blazerusb>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <args type="CSVListField">
+                <Default>port=auto</Default>
+                <Required>N</Required>
+            </args>
+        </blazerusb>
+        <blazerser>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <args type="CSVListField">
+                <Default>port=auto</Default>
+                <Required>N</Required>
+            </args>
+        </blazerser>
+        <netclient>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <address type="HostnameField"/>
+            <port type="PortField">
+                <Default>3493</Default>
+                <Required>N</Required>
+            </port>
+            <user type="TextField">
+                <Required>N</Required>
+            </user>
+            <password type="TextField">
+                <Required>N</Required>
+            </password>
+        </netclient>
+        <qx>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <args type="CSVListField">
+                <Default>port=auto</Default>
+                <Required>N</Required>
+            </args>
+        </qx>
+        <riello>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <args type="CSVListField">
+                <Default>port=auto</Default>
+                <Required>N</Required>
+            </args>
+        </riello>
+        <snmp>
+            <enable type="BooleanField">
+                <Required>Y</Required>
+                <Default>0</Default>
+            </enable>
+            <args type="CSVListField">
+                <Default>community=public</Default>
+                <Required>N</Required>
+            </args>
+        </snmp>
+    </items>
 </model>

From 20397482d66826222545cdd47cb06c7fe387e45b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:36:51 +0100
Subject: [PATCH 2815/3088] net/ftp-proxy: style

---
 .../app/models/OPNsense/FtpProxy/FtpProxy.xml | 150 +++++++++---------
 1 file changed, 75 insertions(+), 75 deletions(-)

diff --git a/net/ftp-proxy/src/opnsense/mvc/app/models/OPNsense/FtpProxy/FtpProxy.xml b/net/ftp-proxy/src/opnsense/mvc/app/models/OPNsense/FtpProxy/FtpProxy.xml
index a2c7447f3a..f105108f07 100644
--- a/net/ftp-proxy/src/opnsense/mvc/app/models/OPNsense/FtpProxy/FtpProxy.xml
+++ b/net/ftp-proxy/src/opnsense/mvc/app/models/OPNsense/FtpProxy/FtpProxy.xml
@@ -1,77 +1,77 @@
 <model>
-   <mount>//OPNsense/ftpproxies</mount>
-   <version>1.0.0</version>
-   <description>Ftp Proxy settings</description>
-   <items>
-      <ftpproxy type="ArrayField">
-         <enabled type="BooleanField">
-            <Default>1</Default>
-            <Required>Y</Required>
-         </enabled>
-         <listenaddress type="TextField">
-            <Required>Y</Required>
-            <Default>127.0.0.1</Default>
-            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
-            <ValidationMessage>Listen address must be a valid IPv4 address</ValidationMessage>
-         </listenaddress>
-         <listenport type="IntegerField">
-            <Default>8021</Default>
-            <Required>Y</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>65535</MaximumValue>
-            <ValidationMessage>Listen port needs to be an integer value between 1 and 65535</ValidationMessage>
-         </listenport>
-         <sourceaddress type="TextField">
-            <Required>N</Required>
-            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
-            <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
-         </sourceaddress>
-         <rewritesourceport  type="BooleanField">
-            <Default>0</Default>
-            <Required>N</Required>
-         </rewritesourceport>
-         <idletimeout type="IntegerField">
-            <Default>86400</Default>
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>86400</MaximumValue>
-            <ValidationMessage>Idle timeout needs to be an integer value between 1 and 86400</ValidationMessage>
-         </idletimeout>
-         <maxsessions type="IntegerField">
-            <Default>100</Default>
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>500</MaximumValue>
-            <ValidationMessage>Maximum number of concurrent FTP sessions needs to be an integer value between 1 and 500</ValidationMessage>
-         </maxsessions>
-         <reverseaddress type="TextField">
-            <Required>N</Required>
-            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
-            <ValidationMessage>Reverse address must be a valid IPv4 address</ValidationMessage>
-         </reverseaddress>
-         <reverseport type="IntegerField">
-            <Default>21</Default>
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>65535</MaximumValue>
-            <ValidationMessage>Reverse port needs to be an integer value between 1 and 65535</ValidationMessage>
-         </reverseport>
-         <logconnections type="BooleanField">
-            <Default>0</Default>
-            <Required>N</Required>
-         </logconnections>
-         <debuglevel type="IntegerField">
-            <Default>5</Default>
-            <Required>N</Required>
-            <MinimumValue>0</MinimumValue>
-            <MaximumValue>7</MaximumValue>
-            <ValidationMessage>Debug level needs to be an integer value between 0 and 7</ValidationMessage>
-         </debuglevel>
-         <description type="TextField">
-            <Required>N</Required>
-            <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-            <ValidationMessage>Enter a description.</ValidationMessage>
-         </description>
-      </ftpproxy>
-   </items>
+    <mount>//OPNsense/ftpproxies</mount>
+    <version>1.0.0</version>
+    <description>Ftp Proxy settings</description>
+    <items>
+        <ftpproxy type="ArrayField">
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
+            <listenaddress type="TextField">
+                <Required>Y</Required>
+                <Default>127.0.0.1</Default>
+                <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
+                <ValidationMessage>Listen address must be a valid IPv4 address</ValidationMessage>
+            </listenaddress>
+            <listenport type="IntegerField">
+                <Default>8021</Default>
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>Listen port needs to be an integer value between 1 and 65535</ValidationMessage>
+            </listenport>
+            <sourceaddress type="TextField">
+                <Required>N</Required>
+                <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
+                <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
+            </sourceaddress>
+            <rewritesourceport type="BooleanField">
+                <Default>0</Default>
+                <Required>N</Required>
+            </rewritesourceport>
+            <idletimeout type="IntegerField">
+                <Default>86400</Default>
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>86400</MaximumValue>
+                <ValidationMessage>Idle timeout needs to be an integer value between 1 and 86400</ValidationMessage>
+            </idletimeout>
+            <maxsessions type="IntegerField">
+                <Default>100</Default>
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>500</MaximumValue>
+                <ValidationMessage>Maximum number of concurrent FTP sessions needs to be an integer value between 1 and 500</ValidationMessage>
+            </maxsessions>
+            <reverseaddress type="TextField">
+                <Required>N</Required>
+                <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
+                <ValidationMessage>Reverse address must be a valid IPv4 address</ValidationMessage>
+            </reverseaddress>
+            <reverseport type="IntegerField">
+                <Default>21</Default>
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>Reverse port needs to be an integer value between 1 and 65535</ValidationMessage>
+            </reverseport>
+            <logconnections type="BooleanField">
+                <Default>0</Default>
+                <Required>N</Required>
+            </logconnections>
+            <debuglevel type="IntegerField">
+                <Default>5</Default>
+                <Required>N</Required>
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>7</MaximumValue>
+                <ValidationMessage>Debug level needs to be an integer value between 0 and 7</ValidationMessage>
+            </debuglevel>
+            <description type="TextField">
+                <Required>N</Required>
+                <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                <ValidationMessage>Enter a description.</ValidationMessage>
+            </description>
+        </ftpproxy>
+    </items>
 </model>

From 938cd94d24df2e7bdec9d8e682cbd3e144b7c3f9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:37:33 +0100
Subject: [PATCH 2816/3088] net/radsecproxy: style

---
 .../OPNsense/RadSecProxy/RadSecProxy.xml      | 74 -------------------
 1 file changed, 74 deletions(-)

diff --git a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
index 273500536a..41d446fe56 100644
--- a/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
+++ b/net/radsecproxy/src/opnsense/mvc/app/models/OPNsense/RadSecProxy/RadSecProxy.xml
@@ -6,12 +6,10 @@
     <version>0.0.1</version>
     <items>
         <general>
-
             <enabled type="BooleanField">
                 <Default>0</Default>
                 <Required>Y</Required>
             </enabled>
-
             <logLevel type="OptionField">
                 <Required>Y</Required>
                 <Default>2</Default>
@@ -23,7 +21,6 @@
                     <ll5 value="5">5 (log everything)</ll5>
                 </OptionValues>
             </logLevel>
-
             <logFullUsername type="OptionField">
                 <Required>Y</Required>
                 <Default>off</Default>
@@ -32,7 +29,6 @@
                     <off>Off</off>
                 </OptionValues>
             </logFullUsername>
-
             <logMac type="OptionField">
                 <Required>Y</Required>
                 <Default>Original</Default>
@@ -45,7 +41,6 @@
                     <FullyKeyHashed>FullyKeyHashed</FullyKeyHashed>
                 </OptionValues>
             </logMac>
-
             <loopPrevention type="OptionField">
                 <Required>Y</Required>
                 <Default>on</Default>
@@ -54,49 +49,37 @@
                     <off>Off</off>
                 </OptionValues>
             </loopPrevention>
-
             <listenUdp type="TextField">
                 <Required>N</Required>
             </listenUdp>
-
             <listenTcp type="TextField">
                 <Required>N</Required>
             </listenTcp>
-
             <listenTls type="TextField">
                 <Required>N</Required>
             </listenTls>
-
             <listenDtls type="TextField">
                 <Required>N</Required>
             </listenDtls>
-
             <sourceUdp type="TextField">
                 <Required>N</Required>
             </sourceUdp>
-
             <sourceTcp type="TextField">
                 <Required>N</Required>
             </sourceTcp>
-
             <sourceTls type="TextField">
                 <Required>N</Required>
             </sourceTls>
-
             <sourceDtls type="TextField">
                 <Required>N</Required>
             </sourceDtls>
-
         </general>
-
         <clients>
             <client type="ArrayField">
-
                 <enabled type="BooleanField">
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
-
                 <identifier type="TextField">
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z_\-]){1,25}$/u</Mask>
@@ -108,11 +91,9 @@
                         </check001>
                     </Constraints>
                 </identifier>
-
                 <description type="TextField">
                     <Required>N</Required>
                 </description>
-
                 <host type="NetworkField">
                     <Required>Y</Required>
                     <IpAllowed>Y</IpAllowed>
@@ -122,7 +103,6 @@
                         </check001>
                     </Constraints>
                 </host>
-
                 <type type="OptionField">
                     <Required>Y</Required>
                     <Default>udp</Default>
@@ -133,7 +113,6 @@
                         <dtls>DTLS</dtls>
                     </OptionValues>
                 </type>
-
                 <secret type="TextField">
                     <Required>N</Required>
                     <Constraints>
@@ -151,7 +130,6 @@
                         </check002>
                     </Constraints>
                 </secret>
-
                 <tlsConfig type="ModelRelationField">
                     <Required>N</Required>
                     <Model>
@@ -162,7 +140,6 @@
                         </tlsConfigs>
                     </Model>
                 </tlsConfig>
-
                 <certificateNameCheck type="OptionField">
                     <Required>Y</Required>
                     <Default>off</Default>
@@ -171,11 +148,9 @@
                         <off>Off</off>
                     </OptionValues>
                 </certificateNameCheck>
-
                 <matchCertificateAttribute type="TextField">
                     <Required>N</Required>
                 </matchCertificateAttribute>
-
                 <rewriteIn type="ModelRelationField">
                     <Required>N</Required>
                     <Model>
@@ -186,7 +161,6 @@
                         </rewrites>
                     </Model>
                 </rewriteIn>
-
                 <rewriteOut type="ModelRelationField">
                     <Required>N</Required>
                     <Model>
@@ -197,13 +171,10 @@
                         </rewrites>
                     </Model>
                 </rewriteOut>
-
             </client>
         </clients>
-
         <servers>
             <server type="ArrayField">
-
                 <identifier type="TextField">
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z_\-]){1,25}$/u</Mask>
@@ -215,20 +186,16 @@
                         </check001>
                     </Constraints>
                 </identifier>
-
                 <description type="TextField">
                     <Required>N</Required>
                 </description>
-
                 <host type="TextField">
                     <Required>Y</Required>
                     <IpAllowed>Y</IpAllowed>
                 </host>
-
                 <port type="PortField">
                     <Required>N</Required>
                 </port>
-
                 <statusServer type="OptionField">
                     <Required>Y</Required>
                     <Default>off</Default>
@@ -239,7 +206,6 @@
                         <auto>Auto</auto>
                     </OptionValues>
                 </statusServer>
-
                 <type type="OptionField">
                     <Required>Y</Required>
                     <Default>udp</Default>
@@ -250,7 +216,6 @@
                         <dtls>DTLS</dtls>
                     </OptionValues>
                 </type>
-
                 <secret type="TextField">
                     <Required>N</Required>
                     <Constraints>
@@ -268,7 +233,6 @@
                         </check002>
                     </Constraints>
                 </secret>
-
                 <tlsConfig type="ModelRelationField">
                     <Required>N</Required>
                     <Model>
@@ -279,7 +243,6 @@
                         </tlsConfigs>
                     </Model>
                 </tlsConfig>
-
                 <certificateNameCheck type="OptionField">
                     <Required>Y</Required>
                     <Default>off</Default>
@@ -288,11 +251,9 @@
                         <off>Off</off>
                     </OptionValues>
                 </certificateNameCheck>
-
                 <matchCertificateAttribute type="TextField">
                     <Required>N</Required>
                 </matchCertificateAttribute>
-
                 <rewriteIn type="ModelRelationField">
                     <Required>N</Required>
                     <Model>
@@ -303,7 +264,6 @@
                         </rewrites>
                     </Model>
                 </rewriteIn>
-
                 <rewriteOut type="ModelRelationField">
                     <Required>N</Required>
                     <Model>
@@ -314,13 +274,10 @@
                         </rewrites>
                     </Model>
                 </rewriteOut>
-
             </server>
         </servers>
-
         <tlsConfigs>
             <tlsConfig type="ArrayField">
-
                 <name type="TextField">
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z_\-]){1,25}$/u</Mask>
@@ -333,28 +290,23 @@
                         </check001>
                     </Constraints>
                 </name>
-
                 <description type="TextField">
                     <Required>N</Required>
                 </description>
-
                 <caCertificateRefId type="CertificateField">
                     <Required>Y</Required>
                     <ValidationMessage>Field is required</ValidationMessage>
                     <Type>ca</Type>
                 </caCertificateRefId>
-
                 <proxyCertificateRefId type="CertificateField">
                     <Required>Y</Required>
                     <ValidationMessage>Field is required</ValidationMessage>
                     <Type>cert</Type>
                 </proxyCertificateRefId>
-
                 <policyOids type="CSVListField">
                     <Required>N</Required>
                     <Multiple>Y</Multiple>
                 </policyOids>
-
                 <crlCheck type="OptionField">
                     <Required>Y</Required>
                     <Default>off</Default>
@@ -363,26 +315,20 @@
                         <off>Off</off>
                     </OptionValues>
                 </crlCheck>
-
                 <cacheExpiry type="IntegerField">
                     <Required>N</Required>
                 </cacheExpiry>
-
             </tlsConfig>
         </tlsConfigs>
-
         <realms>
             <realm type="ArrayField">
-
                 <enabled type="BooleanField">
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
-
                 <description type="TextField">
                     <Required>N</Required>
                 </description>
-
                 <realm type="TextField">
                     <Required>Y</Required>
                     <ValidationMessage>Must not be empty</ValidationMessage>
@@ -393,7 +339,6 @@
                         </check001>
                     </Constraints>
                 </realm>
-
                 <server type="ModelRelationField">
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
@@ -407,7 +352,6 @@
                     </Model>
                     <ValidationMessage>Related server not found</ValidationMessage>
                 </server>
-
                 <accountingServer type="ModelRelationField">
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
@@ -421,7 +365,6 @@
                     </Model>
                     <ValidationMessage>Related server not found</ValidationMessage>
                 </accountingServer>
-
                 <accountingResponse type="OptionField">
                     <Required>Y</Required>
                     <Default>off</Default>
@@ -430,22 +373,17 @@
                         <off>Off</off>
                     </OptionValues>
                 </accountingResponse>
-
                 <replyMessage type="TextField">
                     <Required>N</Required>
                 </replyMessage>
-
             </realm>
         </realms>
-
         <rewrites>
             <rewrite type="ArrayField">
-
                 <enabled type="BooleanField">
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
-
                 <name type="TextField">
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z_\-]){1,25}$/u</Mask>
@@ -458,39 +396,30 @@
                         </check001>
                     </Constraints>
                 </name>
-
                 <addAttributes type="TextField">
                     <Required>N</Required>
                 </addAttributes>
-
                 <addVendorAttributes type="TextField">
                     <Required>N</Required>
                 </addVendorAttributes>
-
                 <supplementAttributes type="TextField">
                     <Required>N</Required>
                 </supplementAttributes>
-
                 <supplementVendorAttributes type="TextField">
                     <Required>N</Required>
                 </supplementVendorAttributes>
-
                 <modifyAttributes type="TextField">
                     <Required>N</Required>
                 </modifyAttributes>
-
                 <modifyVendorAttributes type="TextField">
                     <Required>N</Required>
                 </modifyVendorAttributes>
-
                 <removeAttributes type="TextField">
                     <Required>N</Required>
                 </removeAttributes>
-
                 <removeVendorAttributes type="TextField">
                     <Required>N</Required>
                 </removeVendorAttributes>
-
                 <whitelistMode type="OptionField">
                     <Required>Y</Required>
                     <Default>off</Default>
@@ -499,15 +428,12 @@
                         <off>Off</off>
                     </OptionValues>
                 </whitelistMode>
-
                 <whitelistAttributes type="TextField">
                     <Required>N</Required>
                 </whitelistAttributes>
-
                 <whitelistVendorAttributes type="TextField">
                     <Required>N</Required>
                 </whitelistVendorAttributes>
-
             </rewrite>
         </rewrites>
     </items>

From 9d6a12d5f2c9c14c68bea14d17a4820aef2300a7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 9 Dec 2025 15:37:59 +0100
Subject: [PATCH 2817/3088] net/relayd: style

---
 .../mvc/app/models/OPNsense/Relayd/Relayd.xml | 714 +++++++++---------
 1 file changed, 357 insertions(+), 357 deletions(-)

diff --git a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
index 45e1fd94bc..5029e52726 100644
--- a/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
+++ b/net/relayd/src/opnsense/mvc/app/models/OPNsense/Relayd/Relayd.xml
@@ -1,359 +1,359 @@
 <model>
-   <mount>//OPNsense/relayd</mount>
-   <version>1.0.6</version>
-   <description>Relayd settings</description>
-   <items>
-      <general>
-         <enabled type="BooleanField">
-            <Default>0</Default>
-            <Required>Y</Required>
-         </enabled>
-         <interval type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <ValidationMessage>Check interval must be greater than 0</ValidationMessage>
-         </interval>
-         <log type="OptionField">
-            <Required>N</Required>
-            <OptionValues>
-               <updates>new states</updates>
-               <all>all states</all>
-            </OptionValues>
-         </log>
-         <prefork type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <ValidationMessage>Number of processes must be greater than 0</ValidationMessage>
-         </prefork>
-         <timeout type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
-         </timeout>
-      </general>
-      <host type="ArrayField">
-        <enabled type="BooleanField">
-            <Default>1</Default>
-            <Required>Y</Required>
-         </enabled>
-         <name type="TextField">
-            <Required>Y</Required>
-            <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
-            <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
-            <Constraints>
-                <check001>
-                    <ValidationMessage>Host names should be unique.</ValidationMessage>
-                    <type>UniqueConstraint</type>
-                </check001>
-            </Constraints>
-         </name>
-         <address type="TextField">
-            <Required>Y</Required>
-            <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
-            <ChangeCase>lower</ChangeCase>
-            <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
-         </address>
-         <ipTTL type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <ValidationMessage>The IP TTL must be greater than 0</ValidationMessage>
-         </ipTTL>
-         <priority type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <ValidationMessage>The route priority must be greater than 0</ValidationMessage>
-         </priority>
-         <retry type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <ValidationMessage>The number of retries must be greater than 0</ValidationMessage>
-         </retry>
-      </host>
-      <table type="ArrayField">
-         <name type="TextField">
-            <Required>Y</Required>
-            <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
-            <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
-            <Constraints>
-                <check001>
-                    <ValidationMessage>Table names should be unique.</ValidationMessage>
-                    <type>UniqueConstraint</type>
-                </check001>
-            </Constraints>
-         </name>
-         <enabled type="BooleanField">
-            <Default>1</Default>
-            <Required>Y</Required>
-         </enabled>
-         <hosts type="ModelRelationField">
-            <Model>
-               <template>
-                  <source>OPNsense.relayd.relayd</source>
-                  <items>host</items>
-                  <display>name</display>
-               </template>
-            </Model>
-            <ValidationMessage>Host not found</ValidationMessage>
-            <Multiple>Y</Multiple>
-            <Required>Y</Required>
-         </hosts>
-      </table>
-      <tablecheck type="ArrayField">
-         <name type="TextField">
-            <Required>Y</Required>
-            <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
-            <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
-         </name>
-         <type type="OptionField">
-            <Default>icmp</Default>
-            <Required>Y</Required>
-            <OptionValues>
-               <icmp>ICMP</icmp>
-               <tcp>TCP</tcp>
-               <tls>TLS</tls>
-               <send>SEND</send>
-               <script>SCRIPT</script>
-               <http>HTTP</http>
-            </OptionValues>
-         </type>
-         <path type="TextField">
-            <Required>N</Required>
-         </path>
-         <host type="TextField">
-            <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
-            <ChangeCase>lower</ChangeCase>
-            <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
-            <Required>N</Required>
-         </host>
-         <code type="IntegerField">
-            <Required>N</Required>
-            <ValidationMessage>Expected return code must be a number.</ValidationMessage>
-         </code>
-         <digest type="TextField">
-            <Required>N</Required>
-         </digest>
-         <data type="TextField">
-            <Required>N</Required>
-         </data>
-         <expect type="TextField">
-            <Required>N</Required>
-         </expect>
-         <ssl type="BooleanField">
-            <Required>N</Required>
-         </ssl>
-      </tablecheck>
-      <virtualserver type="ArrayField">
-         <name type="TextField">
-            <Required>Y</Required>
-            <Mask>/^([0-9a-zA-Z\._\- ]){1,31}$/u</Mask>
-            <ValidationMessage>Should be a string between 1 and 31 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
-            <Constraints>
-                <check001>
-                    <ValidationMessage>Virtual server names should be unique.</ValidationMessage>
-                    <type>UniqueConstraint</type>
-                </check001>
-            </Constraints>
-         </name>
-         <enabled type="BooleanField">
-            <Default>1</Default>
-            <Required>Y</Required>
-         </enabled>
-         <type type="OptionField">
-            <Default>relay</Default>
-            <Required>Y</Required>
-            <OptionValues>
-               <relay>Relay</relay>
-               <redirect>Redirection</redirect>
-            </OptionValues>
-         </type>
-         <listen_address type="TextField">
-            <Required>Y</Required>
-            <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
-            <ChangeCase>lower</ChangeCase>
-            <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
-         </listen_address>
-         <listen_proto type="OptionField">
-             <Required>Y</Required>
-             <Default>tcp</Default>
-             <OptionValues>
-                 <tcp>TCP</tcp>
-                 <udp>UDP</udp>
-             </OptionValues>
-         </listen_proto>
-         <listen_startport type="PortField">
-            <Required>Y</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>65535</MaximumValue>
-            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-         </listen_startport>
-         <listen_endport type="PortField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>65535</MaximumValue>
-            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-         </listen_endport>
-         <listen_interface type="InterfaceField">
-            <Required>N</Required>
-            <filters>
-               <enable>/^(?!0).*$/</enable>
-               <ipaddr>/^((?!dhcp).)*$/</ipaddr>
-            </filters>
-         </listen_interface>
-         <transport_type type="OptionField">
-            <Default>forward</Default>
-            <Required>Y</Required>
-            <OptionValues>
-               <forward>Forward</forward>
-               <route>Route</route>
-            </OptionValues>
-         </transport_type>
-         <routing_interface type="InterfaceField">
-            <Required>N</Required>
-            <filters>
-               <enable>/^(?!0).*$/</enable>
-               <ipaddr>/^((?!dhcp).)*$/</ipaddr>
-            </filters>
-         </routing_interface>
-         <transport_table type="ModelRelationField">
-            <Model>
-               <template>
-                  <source>OPNsense.relayd.relayd</source>
-                  <items>table</items>
-                  <display>name</display>
-               </template>
-            </Model>
-            <ValidationMessage>Table not found</ValidationMessage>
-            <Required>Y</Required>
-         </transport_table>
-         <transport_port type="PortField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>65535</MaximumValue>
-            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-         </transport_port>
-         <transport_interval type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>2</MinimumValue>
-            <ValidationMessage>Check interval must be a multiple of the global interval.</ValidationMessage>
-         </transport_interval>
-         <transport_timeout type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
-         </transport_timeout>
-         <transport_tablemode type="OptionField">
-            <Required>Y</Required>
-            <Default>roundrobin</Default>
-            <OptionValues>
-               <hash>Hash</hash>
-               <least-states>Least States</least-states>
-               <loadbalance>Load Balance</loadbalance>
-               <random>Random</random>
-               <roundrobin>Round Robin</roundrobin>
-               <source-hash>Source Hash</source-hash>
-            </OptionValues>
-         </transport_tablemode>
-         <transport_tablecheck type="ModelRelationField">
-            <Model>
-               <template>
-                  <source>OPNsense.relayd.relayd</source>
-                  <items>tablecheck</items>
-                  <display>name</display>
-               </template>
-            </Model>
-            <ValidationMessage>Table check not found</ValidationMessage>
-            <Required>Y</Required>
-         </transport_tablecheck>
-         <backuptransport_table type="ModelRelationField">
-            <Model>
-               <template>
-                  <source>OPNsense.relayd.relayd</source>
-                  <items>table</items>
-                  <display>name</display>
-               </template>
-            </Model>
-            <ValidationMessage>Table not found</ValidationMessage>
-            <Required>N</Required>
-         </backuptransport_table>
-         <backuptransport_interval type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>2</MinimumValue>
-            <ValidationMessage>Check interval must be a multiple of the global interval.</ValidationMessage>
-         </backuptransport_interval>
-         <backuptransport_timeout type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
-         </backuptransport_timeout>
-         <backuptransport_tablecheck type="ModelRelationField">
-            <Model>
-               <template>
-                  <source>OPNsense.relayd.relayd</source>
-                  <items>tablecheck</items>
-                  <display>name</display>
-               </template>
-            </Model>
-            <ValidationMessage>Table check not found</ValidationMessage>
-            <Required>N</Required>
-            <Constraints>
-                <check001>
-                    <ValidationMessage>Table check must be set.</ValidationMessage>
-                    <type>DependConstraint</type>
-                    <addFields>
-                        <field1>backuptransport_table</field1>
-                    </addFields>
-                </check001>
-            </Constraints>
-         </backuptransport_tablecheck>
-         <backuptransport_tablemode type="OptionField">
-            <Required>Y</Required>
-            <Default>roundrobin</Default>
-            <OptionValues>
-               <hash>Hash</hash>
-               <least-states>Least States</least-states>
-               <loadbalance>Load Balance</loadbalance>
-               <random>Random</random>
-               <roundrobin>Round Robin</roundrobin>
-               <source-hash>Source Hash</source-hash>
-            </OptionValues>
-         </backuptransport_tablemode>
-         <sessiontimeout type="IntegerField">
-            <Required>N</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>2147483647</MaximumValue>
-            <ValidationMessage>The timeout must be a number between 1 and 2147483647.</ValidationMessage>
-         </sessiontimeout>
-         <stickyaddress type="BooleanField"/>
-         <protocol type="ModelRelationField">
-            <Model>
-               <template>
-                  <source>OPNsense.relayd.relayd</source>
-                  <items>protocol</items>
-                  <display>name</display>
-               </template>
-            </Model>
-            <ValidationMessage>Protocol not found</ValidationMessage>
-            <Required>N</Required>
-         </protocol>
-      </virtualserver>
-      <protocol type="ArrayField">
-         <name type="TextField">
-            <Required>Y</Required>
-            <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
-            <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
-         </name>
-         <type type="OptionField">
-            <Default>tcp</Default>
-            <Required>Y</Required>
-            <OptionValues>
-               <tcp>TCP</tcp>
-               <dns>DNS</dns>
-               <http>HTTP</http>
-            </OptionValues>
-         </type>
-         <options type="TextField">
-            <Required>N</Required>
-         </options>
-      </protocol>
-   </items>
+    <mount>//OPNsense/relayd</mount>
+    <version>1.0.6</version>
+    <description>Relayd settings</description>
+    <items>
+        <general>
+            <enabled type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enabled>
+            <interval type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>Check interval must be greater than 0</ValidationMessage>
+            </interval>
+            <log type="OptionField">
+                <Required>N</Required>
+                <OptionValues>
+                    <updates>new states</updates>
+                    <all>all states</all>
+                </OptionValues>
+            </log>
+            <prefork type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>Number of processes must be greater than 0</ValidationMessage>
+            </prefork>
+            <timeout type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
+            </timeout>
+        </general>
+        <host type="ArrayField">
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
+            <name type="TextField">
+                <Required>Y</Required>
+                <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
+                <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>Host names should be unique.</ValidationMessage>
+                        <type>UniqueConstraint</type>
+                    </check001>
+                </Constraints>
+            </name>
+            <address type="TextField">
+                <Required>Y</Required>
+                <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
+                <ChangeCase>lower</ChangeCase>
+                <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
+            </address>
+            <ipTTL type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>The IP TTL must be greater than 0</ValidationMessage>
+            </ipTTL>
+            <priority type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>The route priority must be greater than 0</ValidationMessage>
+            </priority>
+            <retry type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>The number of retries must be greater than 0</ValidationMessage>
+            </retry>
+        </host>
+        <table type="ArrayField">
+            <name type="TextField">
+                <Required>Y</Required>
+                <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
+                <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>Table names should be unique.</ValidationMessage>
+                        <type>UniqueConstraint</type>
+                    </check001>
+                </Constraints>
+            </name>
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
+            <hosts type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.relayd.relayd</source>
+                        <items>host</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Host not found</ValidationMessage>
+                <Multiple>Y</Multiple>
+                <Required>Y</Required>
+            </hosts>
+        </table>
+        <tablecheck type="ArrayField">
+            <name type="TextField">
+                <Required>Y</Required>
+                <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
+                <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+            </name>
+            <type type="OptionField">
+                <Default>icmp</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <icmp>ICMP</icmp>
+                    <tcp>TCP</tcp>
+                    <tls>TLS</tls>
+                    <send>SEND</send>
+                    <script>SCRIPT</script>
+                    <http>HTTP</http>
+                </OptionValues>
+            </type>
+            <path type="TextField">
+                <Required>N</Required>
+            </path>
+            <host type="TextField">
+                <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
+                <ChangeCase>lower</ChangeCase>
+                <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
+                <Required>N</Required>
+            </host>
+            <code type="IntegerField">
+                <Required>N</Required>
+                <ValidationMessage>Expected return code must be a number.</ValidationMessage>
+            </code>
+            <digest type="TextField">
+                <Required>N</Required>
+            </digest>
+            <data type="TextField">
+                <Required>N</Required>
+            </data>
+            <expect type="TextField">
+                <Required>N</Required>
+            </expect>
+            <ssl type="BooleanField">
+                <Required>N</Required>
+            </ssl>
+        </tablecheck>
+        <virtualserver type="ArrayField">
+            <name type="TextField">
+                <Required>Y</Required>
+                <Mask>/^([0-9a-zA-Z\._\- ]){1,31}$/u</Mask>
+                <ValidationMessage>Should be a string between 1 and 31 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>Virtual server names should be unique.</ValidationMessage>
+                        <type>UniqueConstraint</type>
+                    </check001>
+                </Constraints>
+            </name>
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
+            <type type="OptionField">
+                <Default>relay</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <relay>Relay</relay>
+                    <redirect>Redirection</redirect>
+                </OptionValues>
+            </type>
+            <listen_address type="TextField">
+                <Required>Y</Required>
+                <Mask>/^([0-9a-zA-Z\.,_\-:]){0,1024}$/u</Mask>
+                <ChangeCase>lower</ChangeCase>
+                <ValidationMessage>Please specify a valid servername or IP address.</ValidationMessage>
+            </listen_address>
+            <listen_proto type="OptionField">
+                <Required>Y</Required>
+                <Default>tcp</Default>
+                <OptionValues>
+                    <tcp>TCP</tcp>
+                    <udp>UDP</udp>
+                </OptionValues>
+            </listen_proto>
+            <listen_startport type="PortField">
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+            </listen_startport>
+            <listen_endport type="PortField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+            </listen_endport>
+            <listen_interface type="InterfaceField">
+                <Required>N</Required>
+                <filters>
+                    <enable>/^(?!0).*$/</enable>
+                    <ipaddr>/^((?!dhcp).)*$/</ipaddr>
+                </filters>
+            </listen_interface>
+            <transport_type type="OptionField">
+                <Default>forward</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <forward>Forward</forward>
+                    <route>Route</route>
+                </OptionValues>
+            </transport_type>
+            <routing_interface type="InterfaceField">
+                <Required>N</Required>
+                <filters>
+                    <enable>/^(?!0).*$/</enable>
+                    <ipaddr>/^((?!dhcp).)*$/</ipaddr>
+                </filters>
+            </routing_interface>
+            <transport_table type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.relayd.relayd</source>
+                        <items>table</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Table not found</ValidationMessage>
+                <Required>Y</Required>
+            </transport_table>
+            <transport_port type="PortField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+            </transport_port>
+            <transport_interval type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>2</MinimumValue>
+                <ValidationMessage>Check interval must be a multiple of the global interval.</ValidationMessage>
+            </transport_interval>
+            <transport_timeout type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
+            </transport_timeout>
+            <transport_tablemode type="OptionField">
+                <Required>Y</Required>
+                <Default>roundrobin</Default>
+                <OptionValues>
+                    <hash>Hash</hash>
+                    <least-states>Least States</least-states>
+                    <loadbalance>Load Balance</loadbalance>
+                    <random>Random</random>
+                    <roundrobin>Round Robin</roundrobin>
+                    <source-hash>Source Hash</source-hash>
+                </OptionValues>
+            </transport_tablemode>
+            <transport_tablecheck type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.relayd.relayd</source>
+                        <items>tablecheck</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Table check not found</ValidationMessage>
+                <Required>Y</Required>
+            </transport_tablecheck>
+            <backuptransport_table type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.relayd.relayd</source>
+                        <items>table</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Table not found</ValidationMessage>
+                <Required>N</Required>
+            </backuptransport_table>
+            <backuptransport_interval type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>2</MinimumValue>
+                <ValidationMessage>Check interval must be a multiple of the global interval.</ValidationMessage>
+            </backuptransport_interval>
+            <backuptransport_timeout type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <ValidationMessage>The timeout must be greater than 0</ValidationMessage>
+            </backuptransport_timeout>
+            <backuptransport_tablecheck type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.relayd.relayd</source>
+                        <items>tablecheck</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Table check not found</ValidationMessage>
+                <Required>N</Required>
+                <Constraints>
+                    <check001>
+                        <ValidationMessage>Table check must be set.</ValidationMessage>
+                        <type>DependConstraint</type>
+                        <addFields>
+                            <field1>backuptransport_table</field1>
+                        </addFields>
+                    </check001>
+                </Constraints>
+            </backuptransport_tablecheck>
+            <backuptransport_tablemode type="OptionField">
+                <Required>Y</Required>
+                <Default>roundrobin</Default>
+                <OptionValues>
+                    <hash>Hash</hash>
+                    <least-states>Least States</least-states>
+                    <loadbalance>Load Balance</loadbalance>
+                    <random>Random</random>
+                    <roundrobin>Round Robin</roundrobin>
+                    <source-hash>Source Hash</source-hash>
+                </OptionValues>
+            </backuptransport_tablemode>
+            <sessiontimeout type="IntegerField">
+                <Required>N</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>2147483647</MaximumValue>
+                <ValidationMessage>The timeout must be a number between 1 and 2147483647.</ValidationMessage>
+            </sessiontimeout>
+            <stickyaddress type="BooleanField"/>
+            <protocol type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.relayd.relayd</source>
+                        <items>protocol</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>Protocol not found</ValidationMessage>
+                <Required>N</Required>
+            </protocol>
+        </virtualserver>
+        <protocol type="ArrayField">
+            <name type="TextField">
+                <Required>Y</Required>
+                <Mask>/^([0-9a-zA-Z\._\- ]){1,255}$/u</Mask>
+                <ValidationMessage>Should be a string between 1 and 255 characters. Allowed characters are letters and numbers as well as underscore, minus, dot and space.</ValidationMessage>
+            </name>
+            <type type="OptionField">
+                <Default>tcp</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <tcp>TCP</tcp>
+                    <dns>DNS</dns>
+                    <http>HTTP</http>
+                </OptionValues>
+            </type>
+            <options type="TextField">
+                <Required>N</Required>
+            </options>
+        </protocol>
+    </items>
 </model>

From 8b468b8742c24d788797fdaa7558635977ec3c62 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Dec 2025 11:04:14 +0100
Subject: [PATCH 2818/3088] plugins: change support tiers for 26.1

---
 security/openvpn-legacy/Makefile    | 1 -
 security/strongswan-legacy/Makefile | 1 -
 sysutils/gdrive-backup/Makefile     | 1 -
 3 files changed, 3 deletions(-)

diff --git a/security/openvpn-legacy/Makefile b/security/openvpn-legacy/Makefile
index 62af375318..91dd22fada 100644
--- a/security/openvpn-legacy/Makefile
+++ b/security/openvpn-legacy/Makefile
@@ -3,6 +3,5 @@ PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		OpenVPN legacy support
 PLUGIN_DEPENDS=		# openvpn
 PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/security/strongswan-legacy/Makefile b/security/strongswan-legacy/Makefile
index 2f2a02c733..f6a1ff3e6c 100644
--- a/security/strongswan-legacy/Makefile
+++ b/security/strongswan-legacy/Makefile
@@ -3,6 +3,5 @@ PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		IPsec legacy support
 PLUGIN_DEPENDS=		# strongswan
 PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/gdrive-backup/Makefile b/sysutils/gdrive-backup/Makefile
index 4372dbfc80..ff88386c0c 100644
--- a/sysutils/gdrive-backup/Makefile
+++ b/sysutils/gdrive-backup/Makefile
@@ -3,6 +3,5 @@ PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		Backup configurations using Google Drive
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-google-api-php-client
 PLUGIN_MAINTAINER=	ad@opnsense.org
-PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"

From 361ec0b498e1da3da7246f445c177c716eb62745 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 10 Dec 2025 11:05:59 +0100
Subject: [PATCH 2819/3088] sysutils/lcdproc-sdeclcd: remove maintainership

---
 README.md                         | 2 +-
 sysutils/lcdproc-sdeclcd/Makefile | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5f53869db9..d27df73964 100644
--- a/README.md
+++ b/README.md
@@ -108,7 +108,7 @@ sysutils/dmidecode -- Display hardware information on the dashboard (not maintai
 sysutils/gdrive-backup -- Backup configurations using Google Drive
 sysutils/git-backup -- Track config changes using git
 sysutils/hw-probe -- Collect hardware diagnostics
-sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices
+sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices (not maintained)
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitoring agent
 sysutils/nextcloud-backup -- Track config changes using NextCloud
diff --git a/sysutils/lcdproc-sdeclcd/Makefile b/sysutils/lcdproc-sdeclcd/Makefile
index a709853da7..73a802ba99 100644
--- a/sysutils/lcdproc-sdeclcd/Makefile
+++ b/sysutils/lcdproc-sdeclcd/Makefile
@@ -3,6 +3,5 @@ PLUGIN_VERSION=		1.1
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		LCDProc for SDEC LCD devices
 PLUGIN_DEPENDS=		lcdproc
-PLUGIN_MAINTAINER=	ad@opnsense.org
 
 .include "../../Mk/plugins.mk"

From 306d3977941d098cad64b2654ceb74bf766b02bd Mon Sep 17 00:00:00 2001
From: Peter <145142820+peterv99@users.noreply.github.com>
Date: Wed, 10 Dec 2025 17:39:19 +0100
Subject: [PATCH 2820/3088] Update dialogValidation.xml fix for #4446

See comment https://github.com/opnsense/plugins/pull/4446#issuecomment-3637663519. Missing close and open field tags between mijn.host and scaleway entries.
---
 .../controllers/OPNsense/AcmeClient/forms/dialogValidation.xml  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 5773c1c0f9..20ab6cd547 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -2013,6 +2013,8 @@
         <label>API Key</label>
         <type>text</type>
         <help><![CDATA[Please refer to the <a href="https://mijn.host/api/doc/">API documentation</a> for further information.]]></help>
+    </field>
+    <field>
         <label>scaleway</label>
         <type>header</type>
         <style>table_dns table_dns_scaleway</style>

From 420efa0c47ea7ae94800f2be53fe339dc220901b Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Sat, 13 Dec 2025 14:10:25 +0100
Subject: [PATCH 2821/3088] net/ndp-proxy-go: Add cache file support (#5085)

---
 net/ndp-proxy-go/pkg-descr                                | 1 +
 .../controllers/OPNsense/NdpProxy/forms/dialogAlias.xml   | 2 +-
 .../app/controllers/OPNsense/NdpProxy/forms/general.xml   | 8 +++++++-
 .../mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml         | 6 +++++-
 .../service/templates/OPNsense/NdpProxy/ndp_proxy_go      | 3 +++
 5 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr
index 9bd61a7647..68c72ebadc 100644
--- a/net/ndp-proxy-go/pkg-descr
+++ b/net/ndp-proxy-go/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.2
 
 * Add firewall alias support
+* Add cache file support for faster recovery after system reboots
 
 1.1
 
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/dialogAlias.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/dialogAlias.xml
index 455afc62f4..31ac751182 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/dialogAlias.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/dialogAlias.xml
@@ -3,7 +3,7 @@
         <id>alias.interface</id>
         <label>Interface</label>
         <type>dropdown</type>
-        <help>Add IPv6 addresses to the firewall alias that belong to this proxied interface. When choosing any, all IPv6 addresses will be added.</help>
+        <help>Add IPv6 addresses to the firewall alias that belongs to this proxied interface. When choosing any, all IPv6 addresses will be added.</help>
         <grid_view>
             <formatter>any</formatter>
         </grid_view>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
index b7d161623d..d496342cda 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
@@ -46,7 +46,7 @@
         <label>Neighbor cache lifetime</label>
         <type>text</type>
         <hint>10</hint>
-        <help>Neighbor cache lifetime in minutes. This controls when stale clients and host routes are cleaned up. When using a point-to-point interface as upstream, increasing this lifetime is necessary to not prematurely clean up routes.</help>
+        <help>Neighbor cache lifetime in minutes. This controls when stale clients, host routes and firewall aliases are cleaned up. When using a point-to-point interface as upstream, increasing this lifetime is necessary to not prematurely clean up routes.</help>
     </field>
     <field>
         <id>ndpproxy.general.cache_max</id>
@@ -55,6 +55,12 @@
         <hint>4096</hint>
         <help>Maximum learned neighbors, increase for large networks.</help>
     </field>
+    <field>
+        <id>ndpproxy.general.cache_file</id>
+        <label>Neighbor cache file</label>
+        <type>checkbox</type>
+        <help>Persist cache to file on service stop and load it on service start. Only neighbors with a valid cache lifetime are loaded. This helps on system reboots to minimize downtime of individual clients.</help>
+    </field>
     <field>
         <id>ndpproxy.general.route_qps</id>
         <label>Max route operations</label>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
index 4298f1d53a..a88c26c5f0 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/ndpproxy</mount>
     <description>NDP Proxy model</description>
-    <version>0.2</version>
+    <version>1.0</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -26,6 +26,10 @@
             <cache_max type="IntegerField">
                 <MinimumValue>1</MinimumValue>
             </cache_max>
+            <cache_file type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </cache_file>
             <route_qps type="IntegerField">
                 <MinimumValue>1</MinimumValue>
             </route_qps>
diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
index 884649915d..71acffe934 100644
--- a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
@@ -8,6 +8,9 @@ ndp_proxy_go_upstream="{{ helpers.physical_interface(general.upstream) }}"
 {%         do downstream_interfaces.append(helpers.physical_interface(interface)) %}
 {%     endfor %}
 ndp_proxy_go_downstream="{{ downstream_interfaces|join(' ') }}"
+{%     if general.cache_file == "1" %}
+ndp_proxy_go_cache_file="/var/db/ndpproxy/cache.json"
+{%     endif %}
 {%     set flags = [] %}
 {%     if general.debug == "1" %}
 {%         do flags.append('--debug') %}

From fb27dc4444ed339d99199f485d0bca127fd2105d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Severin=20Sch=C3=BCller?= <severin@schueller.xyz>
Date: Wed, 17 Dec 2025 09:27:19 +0100
Subject: [PATCH 2822/3088] net/freeradius: Add option to enable EAP-PWD
 (#4093)

* Add option to enable EAP-PWD

* also make server_id configurable
---
 .../app/controllers/OPNsense/Freeradius/forms/eap.xml | 11 +++++++++++
 .../mvc/app/models/OPNsense/Freeradius/Eap.xml        |  9 +++++++++
 .../templates/OPNsense/Freeradius/mods-enabled-eap    |  8 +++++---
 3 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index cb032d2fcc..1f9cc42dc5 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -29,6 +29,17 @@
         <type>dropdown</type>
         <help>Choose the certificate the Radius service should use.</help>
     </field>
+    <field>
+        <id>eap.enable_pwd</id>
+        <label>Enable EAP-PWD</label>
+        <type>checkbox</type>
+        <help>This enables EAP-PWD authentication</help>
+    </field>
+    <field>
+        <id>eap.pwd_serverid</id>
+        <label>EAP-PWD server id</label>
+        <type>text</type>
+    </field>
     <field>
         <id>eap.crl</id>
         <label>CRL</label>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 9bab64ac50..6a18117fe2 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -9,6 +9,7 @@
             <Multiple>N</Multiple>
             <OptionValues>
                 <md5>MD5</md5>
+                <pwd>PWD</pwd>
                 <mschapv2>MSCHAPv2</mschapv2>
                 <peap>PEAP</peap>
                 <tls>TLS</tls>
@@ -37,6 +38,14 @@
             <Type>cert</Type>
             <Required>N</Required>
         </certificate>
+        <enable_pwd type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enable_pwd>
+        <pwd_serverid type="TextField">
+            <default>theserver@example.com</default>
+            <Required>Y</Required>
+        </pwd_serverid>
         <crl type="CertificateField">
             <Type>crl</Type>
             <Required>N</Required>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 954edf8b66..82577438a2 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -87,12 +87,13 @@ eap {
         }
 
 
+{% if OPNsense.freeradius.eap.enable_pwd == '1' %}
         #  EAP-pwd -- secure password-based authentication
         #
-        #pwd {
+        pwd {
         #        group = 19
 
-        #        server_id = theserver@example.com
+                server_id = {{ OPNsense.freeradius.eap.pwd_serverid }}
 
                 #  This has the same meaning as for TLS.
                 #
@@ -106,7 +107,8 @@ eap {
                 # no User-Password, CHAP-Password, EAP-Message, etc.
                 #
         #        virtual_server = "inner-tunnel"
-        #}
+        }
+{% endif %}
 
 
         #  Cisco LEAP

From 4b64525274420b395a16b980bec131a1915ebcac Mon Sep 17 00:00:00 2001
From: Matou25 <mb@loeli.fr>
Date: Wed, 17 Dec 2025 09:37:52 +0100
Subject: [PATCH 2823/3088] add Name prefix to influxdb Telegraf plugin (#4198)

---
 net-mgmt/telegraf/pkg-descr                                 | 4 ++++
 .../mvc/app/controllers/OPNsense/Telegraf/forms/output.xml  | 6 ++++++
 .../opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml    | 1 +
 .../service/templates/OPNsense/Telegraf/telegraf.conf       | 3 +++
 4 files changed, 14 insertions(+)

diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 2be143db98..70c56c7d57 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.influxdata.com/time-series-platform/telegraf/
 Plugin Changelog
 ================
 
+1.12.14
+
+* Add name_prefix in influxdb config
+
 1.12.13
 
 * Implement memory_saving_mode formerly named enable_file_download (contributed by sopex)
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
index 056f64a929..ba6b50c21f 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/controllers/OPNsense/Telegraf/forms/output.xml
@@ -27,6 +27,12 @@
         <type>text</type>
         <help>Write timeout (for the InfluxDB client), formatted as a string. If not provided, will default to 5s. 0s means no timeout (not recommended).</help>
     </field>
+    <field>
+        <id>output.influx_name_prefix</id>
+        <label>Name Prefix</label>
+        <type>text</type>
+        <help>Specifies a prefix to attach to the measurement name, formatted as a string.</help>
+    </field>
     <field>
         <id>output.influx_username</id>
         <label>Username</label>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 21c424e128..199dbd6630 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -19,6 +19,7 @@
             <Default>5</Default>
             <Required>N</Required>
         </influx_timeout>
+        <influx_name_prefix type="TextField"/>
         <influx_username type="TextField">
             <Default></Default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
index b5c1414c5c..acc65c9040 100644
--- a/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
+++ b/net-mgmt/telegraf/src/opnsense/service/templates/OPNsense/Telegraf/telegraf.conf
@@ -66,6 +66,9 @@
 {%   if helpers.exists('OPNsense.telegraf.output.influx_timeout') and OPNsense.telegraf.output.influx_timeout != '' %}
   timeout = "{{ OPNsense.telegraf.output.influx_timeout }}s"
 {%   endif %}
+{%   if helpers.exists('OPNsense.telegraf.output.influx_name_prefix') and OPNsense.telegraf.output.influx_name_prefix != '' %}
+  name_prefix = "{{ OPNsense.telegraf.output.influx_name_prefix }}"
+{%   endif %}
 {%   if helpers.exists('OPNsense.telegraf.output.influx_username') and OPNsense.telegraf.output.influx_username != '' %}
   username = "{{ OPNsense.telegraf.output.influx_username }}"
 {%   endif %}

From 1f1ae511c256c74630a41316d5cce6c823f3609b Mon Sep 17 00:00:00 2001
From: Michael <m.muenz@gmail.com>
Date: Wed, 17 Dec 2025 09:42:54 +0100
Subject: [PATCH 2824/3088] mail/postfix: align mailbox and message size
 (#4330)

---
 .../src/opnsense/service/templates/OPNsense/Postfix/main.cf      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index 49419f5d14..65be3ea0ff 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -80,6 +80,7 @@ smtpd_banner = $myhostname ESMTP Postfix
 {% endif %}
 {% if helpers.exists('OPNsense.postfix.general.message_size_limit') and OPNsense.postfix.general.message_size_limit != '' %}
 message_size_limit = {{ OPNsense.postfix.general.message_size_limit }}
+mailbox_size_limit = {{ OPNsense.postfix.general.message_size_limit }}
 {% endif %}
 {% if helpers.exists('OPNsense.postfix.general.masquerade_domains') and OPNsense.postfix.general.masquerade_domains != '' %}
 masquerade_domains = {{ OPNsense.postfix.general.masquerade_domains }}

From 6cee39de81ddf4e296f4f55ca5e37eea42b1d58c Mon Sep 17 00:00:00 2001
From: An <shen.an89@gmail.com>
Date: Wed, 17 Dec 2025 16:45:03 +0800
Subject: [PATCH 2825/3088] Add dnspod.cn ddns support (#4370)

* Add dnspod.cn ddns support

* Add multiple hostname support

* Fix the problem of processing the result returned by ModifyRecordBatch

* Fix using wrong variable

---------

Co-authored-by: AnShen <x@ipy.me>
---
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |   2 +-
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |   1 +
 .../scripts/ddclient/lib/account/dnspod_cn.py | 301 ++++++++++++++++++
 .../templates/OPNsense/ddclient/ddclient.conf |   2 +-
 4 files changed, 304 insertions(+), 2 deletions(-)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 8eada3ee4c..0ffcf2040e 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -62,7 +62,7 @@
         <id>account.zone</id>
         <label>Zone</label>
         <type>text</type>
-        <style>optional_setting service_aws service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner service_digitalocean</style>
+        <style>optional_setting service_aws service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner service_digitalocean service_dnspodcn</style>
         <help>Zone containing the host entry.</help>
     </field>
     <field>
diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index d1a19de7c7..6eac4cd24c 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -53,6 +53,7 @@
                         <dnsexit2>DNSExit</dnsexit2>
                         <dyndns2>DynDNS.com</dyndns2>
                         <dnspark>DnsPark</dnspark>
+                        <dnspodcn>dnspodcn</dnspodcn>
                         <dslreports1>DSLReports</dslreports1>
                         <dondominio>DonDominio</dondominio>
                         <duckdns>Duck DNS</duckdns>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py
new file mode 100644
index 0000000000..e95ffbe5d6
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py
@@ -0,0 +1,301 @@
+"""
+    Copyright (c) 2024 AnShen <root@lshell.com>
+    Copyright (c) 2023 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+import json
+import syslog
+import time
+import hashlib
+import hmac
+import requests
+from datetime import datetime
+from . import BaseAccount
+
+
+# dnspod api 3.0
+# https://cloud.tencent.com/document/api/1427
+
+class DNSPod_CN(BaseAccount):
+    _priority = 65535
+
+    _services = {
+        'dnspodcn': 'dnspod.tencentcloudapi.com'
+    }
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+        self.service = 'dnspod'
+
+    @staticmethod
+    def known_services():
+        return  {'dnspodcn': 'dnspodcn'}
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in DNSPod_CN._services
+
+
+    @staticmethod
+    def _sign(key, msg):
+        """
+        Generate HMAC-SHA256 signature.
+        
+        Args:
+            key (bytes): Signing key
+            msg (str): Message to sign
+        
+        Returns:
+            bytes: Signature digest
+        """
+        return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
+
+    def generate_signature(self, action, payload="{}"):
+        """
+        Generate signature and headers for a Tencent Cloud API request.
+        
+        Args:
+            action (str): API action name
+            payload (str or dict, optional): Request payload. Defaults to "{}".
+        
+        Returns:
+            tuple: Request headers and canonical request
+        """
+        # Ensure payload is a string
+        payload = json.dumps(payload) if isinstance(payload, dict) else payload
+        
+        # Get current timestamp
+        timestamp = int(time.time())
+        date = datetime.utcfromtimestamp(timestamp).strftime("%Y-%m-%d")
+        
+        # Step 1: Create Canonical Request
+        http_request_method = "POST"
+        canonical_uri = "/"
+        canonical_querystring = ""
+        ct = "application/json; charset=utf-8"
+        canonical_headers = f"content-type:{ct}\nhost:{self._services[self.settings.get('service')]}\nx-tc-action:{action.lower()}\n"
+        signed_headers = "content-type;host;x-tc-action"
+        hashed_request_payload = hashlib.sha256(payload.encode("utf-8")).hexdigest()
+        
+        canonical_request = (
+            f"{http_request_method}\n"
+            f"{canonical_uri}\n"
+            f"{canonical_querystring}\n"
+            f"{canonical_headers}\n"
+            f"{signed_headers}\n"
+            f"{hashed_request_payload}"
+        )
+        
+        # Step 2: Create String to Sign
+        algorithm = "TC3-HMAC-SHA256"
+        credential_scope = f"{date}/{self.service}/tc3_request"
+        hashed_canonical_request = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
+        
+        string_to_sign = (
+            f"{algorithm}\n"
+            f"{timestamp}\n"
+            f"{credential_scope}\n"
+            f"{hashed_canonical_request}"
+        )
+        
+        # Step 3: Calculate Signature
+        secret_date = self._sign(("TC3" + self.settings.get('password')).encode("utf-8"), date)
+        secret_service = self._sign(secret_date, self.service)
+        secret_signing = self._sign(secret_service, "tc3_request")
+        signature = hmac.new(secret_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
+        
+        # Step 4: Create Authorization Header
+        authorization = (
+            f"{algorithm} "
+            f"Credential={self.settings.get('username', '')}/{credential_scope}, "
+            f"SignedHeaders={signed_headers}, "
+            f"Signature={signature}"
+        )
+        
+        # Prepare headers
+        headers = {
+            "Authorization": authorization,
+            "Content-Type": "application/json; charset=utf-8",
+            "Host": self._services[self.settings.get('service')],
+            "X-TC-Action": action,
+            "X-TC-Timestamp": str(timestamp),
+            "X-TC-Version": "2021-03-23",
+            'User-Agent': 'OPNsense-dyndns',
+        }
+        
+        return headers, payload
+
+    def send_request(self, action, payload="{}", region="", token=""):
+        """
+        Send a request to the Tencent Cloud API.
+        
+        Args:
+            action (str): API action name
+            payload (str or dict, optional): Request payload. Defaults to "{}".
+            region (str, optional): Optional region parameter
+            token (str, optional): Optional token parameter
+        
+        Returns:
+            dict: API response JSON
+        """
+        # Get headers and prepared payload
+        headers, payload = self.generate_signature(action, payload)
+        
+        # Add optional headers
+        if region:
+            headers["X-TC-Region"] = region
+        if token:
+            headers["X-TC-Token"] = token
+        
+        try:
+            # Send request using requests library
+            response = requests.post(
+                url=f"https://{self._services[self.settings.get('service')]}", 
+                headers=headers, 
+                data=payload,
+                timeout=10
+            )
+            
+            # Raise an exception for bad responses
+            response.raise_for_status()
+            
+            # Return JSON response
+            return response
+        
+        except requests.RequestException as err:
+            print(f"Request error: {err}")
+            
+            # If there's a response, print its content for debugging
+            if hasattr(err, 'response') and err.response is not None:
+                print(f"Response content: {err.response.text}")
+            
+            return None
+
+
+    def execute(self):
+        if super().execute():
+            # IPv4/IPv6
+            recordType = "AAAA" if str(self.current_address).find(':') > 1 else "A"
+
+            subdomains = []
+            hostnames = self.settings.get('hostnames').split(',')
+            for _subdomain in hostnames:
+                if _subdomain == self.settings.get('zone') or _subdomain == '@':
+                    subdomains.append('@')
+                else:
+                    subdomains.append(_subdomain.replace(f".{self.settings.get('zone')}", ''))
+            
+            if len(subdomains) < 1:
+                syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s hostnames format error" % self.description
+                    )
+                return False
+
+            # Get record ID
+            response = self.send_request(
+                action='DescribeRecordList',
+                payload={
+                    'RecordType': recordType,
+                    'Domain': self.settings.get('zone')
+                }
+            )
+            try:
+                payload = response.json()
+            except requests.exceptions.JSONDecodeError:
+                payload = {}
+            if 'Response' in payload and 'Error' in payload['Response']:
+                syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error parsing JSON response [ZoneID] %s" % (self.description, payload['Response']['Error']['Code'])
+                    )
+                return False
+            if not payload['Response'].get('RecordList', False):
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s error receiving ZoneID [%s]" % (self.description, response.text)
+                )
+                return False
+
+            record_id_list = [x['RecordId'] for x in payload['Response']['RecordList'] if x['Name'] in subdomains]
+            if len(record_id_list) < 1:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s error Not Found Record [%s]" % (self.description, self.settings.get('hostnames'))
+                )
+                return False
+
+            if self.is_verbose:
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s ZoneID for %s %s" % (self.description, self.settings.get('zone'), record_id_list)
+                )
+
+            # Send IP address update
+            response = self.send_request(
+                action='ModifyRecordBatch',
+                payload={
+                    'RecordIdList': record_id_list,
+                    'Change': 'value',
+                    'ChangeTo': str(self.current_address),
+                }
+            )
+            try:
+                payload = response.json()
+            except requests.exceptions.JSONDecodeError:
+                payload = {}
+            if 'Response' in payload and 'Error' in payload['Response']:
+                syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error parsing JSON response [UpdateIP] %s" % (self.description, payload['Response']['Error']['Code'])
+                    )
+                return False
+            if len(payload['Response']['DetailList']) < 1:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s failed to set new ip %s [%s]" % (self.description, self.current_address, response.text)
+                )
+                return False
+            
+            record_list = payload['Response']['DetailList'][0].get('RecordList', False)
+            if record_list and len(record_list) == len(subdomains):
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s set new ip %s %s" % (
+                        self.description,
+                        self.current_address,
+                        subdomains
+                    )
+                )
+
+                self.update_state(address=self.current_address)
+                return True
+
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s failed to set new ip %s %s" % (self.description, self.current_address, subdomains)
+            )
+
+
+        return False
diff --git a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
index 95e37f9c73..d82eb19d9d 100644
--- a/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
+++ b/dns/ddclient/src/opnsense/service/templates/OPNsense/ddclient/ddclient.conf
@@ -36,7 +36,7 @@ use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t {{account.force_ss
 {%      if account.service == 'custom' %}
 protocol={{account.protocol}}, \
 server={{account.server}}, \
-{%      elif account.service in ['cloudflare', 'digitalocean'] %}
+{%      elif account.service in ['cloudflare', 'digitalocean', 'dnspodcn'] %}
 protocol={{account.service}}, \
 zone={{account.zone}}, \
 {%      elif account.service == 'cloudns' %}

From ea438ed72cd6d550f46672d0995b58e362a51b3c Mon Sep 17 00:00:00 2001
From: Andreas <github@weinlein.info>
Date: Wed, 17 Dec 2025 09:54:47 +0100
Subject: [PATCH 2826/3088] Set SMUX socket to localhost (#4652)

Defaults to all interfaces and isn't needed. Setting it to the loopback address disables the outdated feature as much as possible.
---
 .../src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
index 61699aea19..cdf813a1a6 100644
--- a/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
+++ b/net-mgmt/net-snmp/src/opnsense/service/templates/OPNsense/Netsnmp/snmpd.conf
@@ -18,6 +18,8 @@ agentxsocket /var/agentx/master
 agentxperms 777 777
 {% endif %}
 
+smuxsocket 127.0.0.1
+
 {% if OPNsense.netsnmp.general.enableobservium == '1' %}
 extend .1.3.6.1.4.1.2021.7890.1 distro /usr/local/opnsense/scripts/OPNsense/Netsnmp/distro.sh
 extend .1.3.6.1.4.1.2021.7890.2 hardware /bin/kenv smbios.planar.product

From 8015cbf4bd5ac0bd6cf4c3e6f8a0f292c8af96b9 Mon Sep 17 00:00:00 2001
From: Andy Binder <AndyBinder@gmx.de>
Date: Wed, 17 Dec 2025 10:00:22 +0100
Subject: [PATCH 2827/3088] net/frr: watchfrr service handling (#4712)

---
 net/frr/src/etc/rc.syshook.d/start/50-frr     | 39 ++++++++++++-
 .../src/opnsense/scripts/frr/frr_wrapper.sh   | 55 +++++++++++++++++++
 .../conf/actions.d/actions_quagga.conf        |  2 +-
 .../service/templates/OPNsense/Quagga/frr     | 10 +---
 .../OPNsense/Syslog/local/routing_frr.conf    |  2 +-
 5 files changed, 94 insertions(+), 14 deletions(-)
 create mode 100755 net/frr/src/opnsense/scripts/frr/frr_wrapper.sh

diff --git a/net/frr/src/etc/rc.syshook.d/start/50-frr b/net/frr/src/etc/rc.syshook.d/start/50-frr
index efded3c94a..dd4254a89b 100755
--- a/net/frr/src/etc/rc.syshook.d/start/50-frr
+++ b/net/frr/src/etc/rc.syshook.d/start/50-frr
@@ -1,4 +1,37 @@
-#!/bin/sh
+#!/usr/local/bin/php
+<?php
 
-# XXX this should not be strictly needed
-/usr/local/etc/rc.d/frr start
+/*
+ * Copyright (C) 2018 Franco Fichtner <franco@opnsense.org>
+ * Copyright (C) 2004 Scott Ullrich <sullrich@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('config.inc');
+require_once('util.inc');
+require_once('plugins.inc.d/frr.inc');
+
+if (frr_enabled()) {
+    shell_exec('/usr/local/opnsense/scripts/frr/carp_event_handler');
+}
\ No newline at end of file
diff --git a/net/frr/src/opnsense/scripts/frr/frr_wrapper.sh b/net/frr/src/opnsense/scripts/frr/frr_wrapper.sh
new file mode 100755
index 0000000000..5b3a812991
--- /dev/null
+++ b/net/frr/src/opnsense/scripts/frr/frr_wrapper.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# Copyright (c) 2025 Andy Binder <AndyBinder@gmx.de>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+# Service wrapper for starting/restarting frr service
+# This wrapper is needed to react on specific service interactions through watchfrr.
+# Startup details with watchfrr enabled (default):
+# 1. "service frr start" calls "service frr start watchfrr"
+# 2. watchfrr once started calls "service frr restart all"
+# 3. "restart all" need to loop the list of $frr_daemons to start each
+#    of then
+# 4. vtysh -b is executed to load boot startup configuration
+
+ACTION="$1"
+COMMAND="$2"
+
+/usr/sbin/service frr "$ACTION" "$COMMAND"
+SERVICE_EXIT_CODE=$?
+
+# If frr starts/restarts ospfd, e.g. on process error (parameter: start/restart ospfd)
+if [ "$2" = "ospfd" ]; then
+    logger -t frr_wrapper "WATCHFRR - OSPFD - Starting CARP event handler now"
+    /usr/local/opnsense/scripts/frr/carp_event_handler
+fi
+# If frr starts up (parameter: restart all)
+if [ "$2" = "all" ]; then
+    (
+        /usr/bin/logger -t frr_wrapper "WATCHFRR - STARTUP - Starting CARP event handler now"
+        /usr/local/opnsense/scripts/frr/carp_event_handler
+    ) &
+fi
+exit $SERVICE_EXIT_CODE
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index aa2e0b70bd..32b7e533c0 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -18,7 +18,7 @@ message:restarting frr
 description:Restart FRR
 
 [reload]
-command:service frr reload
+command:service frr reload; /usr/local/opnsense/scripts/frr/carp_event_handler
 parameters:
 type:script
 message:reloading frr
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index fa77dd8faf..97d1f02c09 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -18,15 +18,7 @@ frr_carp_demote="{%
     if not helpers.empty('OPNsense.quagga.ospf.carp_demote') %} ospfd{% endif %}{%
     if not helpers.empty('OPNsense.quagga.ospf6.carp_demote') %} ospf6d{% endif
 %}"
-start_postcmd='
-	# XXX rc.d/frr declares its own post command we need to hook first
-	start_postcmd
-	# XXX rc.d/frr iterates through daemons so we need to hook last one
-	if [ "${frr_daemons}" != "${frr_daemons% ${name}}" ]; then
-		echo "Starting CARP event handler now"
-		/usr/local/opnsense/scripts/frr/carp_event_handler
-	fi
-'
+watchfrr_flags="-r /usr/local/opnsense/scripts/frr/frr_wrapper.shbBrestartbB%s -s /usr/local/opnsense/scripts/frr/frr_wrapper.shbBstartbB%s -k /usr/sbin/servicebBfrrbBstopbB%s -b bB -t 30"
 {% if OPNsense.quagga.general.enablesnmp == '1' %}
 zebra_flags="${zebra_flags} -M snmp"
 bgpd_flags="${bgpd_flags} -M snmp"
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf b/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf
index ad0869d3c7..61a95d16ac 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Syslog/local/routing_frr.conf
@@ -2,5 +2,5 @@
 # Local syslog-ng configuration filter definition [FRR].
 ###################################################################
 filter f_local_routing_frr {
-     program("bgpd") or program("ospfd") or program("ospf6d") or program("ripd") or program("zebra") or program("frr_carp");
+     program("bgpd") or program("ospfd") or program("ospf6d") or program("ripd") or program("zebra") or program("frr_carp") or program("frr_wrapper");
 };

From 592a2feeb79fb4f317d999e509da6c38b16df49e Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Wed, 17 Dec 2025 09:04:05 +0000
Subject: [PATCH 2828/3088] Opnsense-Bootgrid.css added (#4718)

Added file to correct colours in new areas of GUI
---
 misc/theme-rebellion/Makefile                 |   2 +-
 .../rebellion/build/css/opnsense-bootgrid.css | 276 ++++++++++++++++++
 2 files changed, 277 insertions(+), 1 deletion(-)
 create mode 100644 misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/opnsense-bootgrid.css

diff --git a/misc/theme-rebellion/Makefile b/misc/theme-rebellion/Makefile
index 0711ceeae1..20a3f7b783 100644
--- a/misc/theme-rebellion/Makefile
+++ b/misc/theme-rebellion/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-rebellion
-PLUGIN_VERSION=		1.9.3
+PLUGIN_VERSION=		1.9.4
 PLUGIN_COMMENT=		A suitably dark theme
 PLUGIN_MAINTAINER=	martin@queens-park.com
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/opnsense-bootgrid.css b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/opnsense-bootgrid.css
new file mode 100644
index 0000000000..76e0b46f3d
--- /dev/null
+++ b/misc/theme-rebellion/src/opnsense/www/themes/rebellion/build/css/opnsense-bootgrid.css
@@ -0,0 +1,276 @@
+/**
+* Main theming elements
+*/
+.tabulator {
+  font-size: 15px;
+  background-color: transparent;
+  border: 1px solid #E5E5E5;
+}
+
+/* theme: header */
+.tabulator .tabulator-header {
+  background-color: transparent;
+  border-bottom: none;
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  border-right: 1px solid #E5E5E5;
+  background-color: transparent;
+  background: transparent;
+  color: #ECECEC;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover {
+  background-color: #373736;
+}
+
+.tabulator .tabulator-headers {
+  height: 100% !important; /* make sure the border below appears */
+  border-bottom: 1px solid #E5E5E5;
+}
+
+/*------------*/
+/* theme: body */
+.tabulator .tabulator-tableholder .tabulator-table {
+  background-color: transparent;
+}
+
+.tabulator-row {
+  background-color: transparent;
+  color: #ECECEC;
+}
+
+.tabulator-row.tabulator-row-odd {
+  background-color: #373736;
+}
+
+.tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected) {
+  background-color: #373736;
+}
+
+.tabulator-row.tabulator-row-even {
+  background-color: transparent;
+}
+
+.tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected) {
+  background-color: transparent;
+}
+
+.tabulator .tabulator-tableholder {
+  background-color: transparent;
+  border-right: 1px solid #373736;
+}
+
+.tabulator-row.tabulator-selected {
+  background-color: #9abcea;
+}
+
+.tabulator-row.tabulator-selected:hover {
+  cursor: pointer;
+  background-color: #9abcea;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  color: #ECECEC; /* spinner icon */
+}
+
+/* Command column styles */
+.tabulator-col.tabulator-frozen.tabulator-frozen-right {
+  background-color: #333333;
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right {
+  background-color: #333333;
+}
+
+/* Checkbox column styles */
+.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid #E5E5E5; /* separates checkbox column from table rows */
+  border-left: 1px solid #373736;
+}
+
+.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left {
+  border-right: 1px solid #E5E5E5;
+  border-top: 1px solid #373736;
+  border-bottom: 1px solid #E5E5E5;
+  border-left: 1px solid #373736;
+}
+
+.tabulator-col.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+  background-color: #333333;
+}
+
+.tabulator-cell.tabulator-row-header.tabulator-frozen.tabulator-frozen-left {
+  background-color: #333333;
+}
+
+/*------------*/
+/* theme: cells */
+.tabulator-row .tabulator-cell {
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  line-height: 1.2;
+  vertical-align: top;
+  border-bottom: 1px solid rgba(229, 229, 229, 0.5);
+  border-right: 1px solid rgba(229, 229, 229, 0.5);
+}
+
+/*-------------*/
+/* theme: footer */
+.tabulator .tabulator-footer {
+  border-top: 1px solid #E5E5E5;
+  background-color: transparent;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  background-color: #333333;
+  color: #C03E14;
+}
+
+.tabulator .tabulator-footer .tabulator-page.active {
+  background-color: #C03E14;
+  border-color: #C03E14;
+  cursor: default;
+  color: #333333;
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled):hover {
+  color: #7b280d;
+  background-color: #242937;
+  border-color: #ddd;
+}
+
+.tabulator .tabulator-footer .tabulator-page:not(disabled).active:hover {
+  background-color: #C03E14;
+  border-color: #C03E14;
+  color: #333333;
+  cursor: default;
+}
+
+.tabulator-page-counter {
+  color: #ECECEC;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator {
+  color: #ECECEC;
+}
+
+.tabulator .tabulator-footer .tabulator-page {
+  border-radius: 0px;
+  margin: 0px;
+  padding: 6px 12px;
+  border: 1px solid #E5E5E5;
+}
+
+/*----------*/
+/* end of main theming elements */
+.tabulator-paginator {
+  flex: 0 !important;
+}
+
+.tabulator-page-counter {
+  flex: 1;
+  text-align: right;
+}
+
+.tabulator-col-sorter i {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+}
+
+.tabulator .tabulator-header .tabulator-col {
+  padding: 5px;
+}
+
+.tabulator .tabulator-headers > :first-child {
+  padding-left: 10px;
+}
+
+.opnsense-bootgrid-responsive {
+  white-space: wrap !important;
+  text-overflow: inherit !important;
+  overflow: visible !important;
+  word-break: break-word !important;
+}
+
+.opnsense-bootgrid-ellipsis {
+  overflow: hidden !important;
+  white-space: nowrap !important;
+  text-overflow: ellipsis !important;
+}
+
+.tabulator-row > :first-child {
+  padding-left: 10px;
+}
+
+.tabulator .tabulator-header .tabulator-col .tabulator-col-content {
+  padding: 0px;
+}
+
+.tabulator-page-counter {
+  padding-right: 20px;
+}
+
+.bootgrid-footer-commands {
+  width: 90px;
+  padding-left: 8px;
+}
+
+.tabulator-tableholder::after {
+  content: "";
+  display: block;
+  width: 1px;
+  height: 1px;
+  min-width: 100%;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:first-child {
+  border-bottom-left-radius: 3px;
+  border-top-left-radius: 3px;
+}
+
+.tabulator .tabulator-footer .tabulator-paginator .tabulator-page:last-child {
+  border-bottom-right-radius: 3px;
+  border-top-right-radius: 3px;
+}
+
+/* border line corrections and hover/selection behavior */
+.tabulator-row:first-child > .tabulator-cell {
+  border-top: none;
+}
+
+.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title {
+  padding: 0px;
+}
+
+/* Row highlight behavior */
+@keyframes highlight {
+  0% {
+    background: #ffff99;
+  }
+  100% {
+    background: none;
+  }
+}
+.highlight-bg {
+  animation: highlight 2s;
+}
+
+/* Tabulator "loading" and "error" overrides */
+.tabulator .tabulator-alert {
+  background: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg {
+  border: none;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg {
+  background: initial;
+  font-size: 18px;
+}
+
+.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error {
+  border: none;
+}

From 2ea658a856698367fe0d115350fbc4c4d2888b59 Mon Sep 17 00:00:00 2001
From: Martin Wasley <mjwasley@queens-park.com>
Date: Wed, 17 Dec 2025 09:04:40 +0000
Subject: [PATCH 2829/3088] index.volt changes (#4719)

Removed fixed size grid data-width specifiers.
---
 net/udpbroadcastrelay/Makefile                |  2 +-
 .../OPNsense/UDPBroadcastRelay/index.volt     | 20 +++++++++----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/net/udpbroadcastrelay/Makefile b/net/udpbroadcastrelay/Makefile
index 0dd56ef13d..e0170423b9 100644
--- a/net/udpbroadcastrelay/Makefile
+++ b/net/udpbroadcastrelay/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		udpbroadcastrelay
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	5
+PLUGIN_REVISION=	6
 PLUGIN_COMMENT=		Control udpbroadcastrelay processes
 PLUGIN_DEPENDS=		udpbroadcastrelay
 PLUGIN_MAINTAINER=	mjwasley@gmail.com
diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
index a59babcc02..f521ae1899 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/views/OPNsense/UDPBroadcastRelay/index.volt
@@ -87,16 +87,16 @@ POSSIBILITY OF SUCH DAMAGE.
         <table id="grid-proxies" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEdit">
             <thead>
             <tr>
-                <th data-column-id="enabled" data-width="1em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
-                <th data-column-id="interfaces" data-width="2em" data-type="string" data-visible="true">{{ lang._('Interfaces') }}</th>
-                <th data-column-id="multicastaddress" data-width="2em" data-type="string" data-visible="true">{{ lang._('Multicast Addresses') }}</th>
-                <th data-column-id="sourceaddress"  data-width="2em" data-type="string" data-visible="true">{{ lang._('Source Address') }}</th>
-                <th data-column-id="listenport" data-width="2em" data-type="string" data-visible="true">{{ lang._('Listen Port') }}</th>
-                <th data-column-id="InstanceID" data-width="1em" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
-                <th data-column-id="description" data-width="2em" data-type="string">{{ lang._('Description') }}</th>
-                <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                <th data-column-id="RevertTTL" data-width="2em" data-type="string"  data-visible="true" data-formatter="boolean">{{ lang._('Use ID as TTL') }}</th>
-                <th data-column-id="commands" data-width="2em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="interfaces" data-type="string" data-visible="true">{{ lang._('Interfaces') }}</th>
+                <th data-column-id="multicastaddress" data-type="string" data-visible="true">{{ lang._('Multicast Addresses') }}</th>
+                <th data-column-id="sourceaddress" data-type="string" data-visible="true">{{ lang._('Source Address') }}</th>
+                <th data-column-id="listenport" data-type="string" data-visible="true">{{ lang._('Listen Port') }}</th>
+                <th data-column-id="InstanceID" data-type="string" data-visible="true">{{ lang._('ID') }}</th>
+                <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
+                <th data-column-id="uuid" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                <th data-column-id="RevertTTL" data-type="string"  data-visible="true" data-formatter="boolean">{{ lang._('Use ID as TTL') }}</th>
+                <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
             </tr>
             </thead>
             <tbody>

From 4b8006728456cd286b1a8d42f0516ae4b3894386 Mon Sep 17 00:00:00 2001
From: schreibubi <schreibubi@users.noreply.github.com>
Date: Wed, 17 Dec 2025 10:12:36 +0100
Subject: [PATCH 2830/3088] net/freeradius: Change TLS max version to 1.3
 (#4883)

---
 .../service/templates/OPNsense/Freeradius/mods-enabled-eap      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 82577438a2..652bebc8e9 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -456,7 +456,7 @@ eap {
                 #  The values must be in quotes.
                 #
                 tls_min_version = "{{ OPNsense.freeradius.eap.tls_min_version }}"
-                tls_max_version = "1.2"
+                tls_max_version = "1.3"
 
                 #  Elliptical cryptography configuration
                 #

From 2cf65f8e53c9d28c0fdd00a7db5c4c7e83e8f992 Mon Sep 17 00:00:00 2001
From: Nuadh123 <lysfjord.daniel+github@smokepit.net>
Date: Wed, 17 Dec 2025 10:16:36 +0100
Subject: [PATCH 2831/3088] Rewrite plugin, so it backs up the content of
 /conf/backup/ instead, (#4952)

this makes it only upload configs that have actually changed.

fixes #4945

Co-authored-by: Daniel Lysfjord <lysfjord.daniel@smokepit.net>
---
 .../app/library/OPNsense/Backup/Nextcloud.php | 69 ++++++++++++-------
 1 file changed, 44 insertions(+), 25 deletions(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 5adad6c43b..b2fdde4973 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -138,13 +138,7 @@ public function backup()
             $password = (string)$nextcloud->password;
             $backupdir = (string)$nextcloud->backupdir;
             $crypto_password = (string)$nextcloud->password_encryption;
-            $hostname = $config->system->hostname . '.' . $config->system->domain;
-            $configname = 'config-' . $hostname . '-' .  date('Y-m-d_H_i_s') . '.xml';
-            // backup source data to local strings (plain/encrypted)
-            $confdata = file_get_contents('/conf/config.xml');
-            if (!empty($crypto_password)) {
-                $confdata = $this->encrypt($confdata, $crypto_password);
-            }
+
             // Check if destination directory exists, create (full path) if not
             try {
                 $internal_username = $this->getInternalUsername($url, $username, $password);
@@ -153,26 +147,51 @@ public function backup()
                 return array();
             }
 
-            try {
-                $this->upload_file_content(
-                    $url,
-                    $username,
-                    $password,
-                    $internal_username,
-                    $backupdir,
-                    $configname,
-                    $confdata
-                );
-                // do not list directories
-                return array_filter(
-                    $this->listFiles($url, $username, $password, $internal_username, "/$backupdir/", false),
-                    function ($filename) {
-                        return (substr($filename, -1) !== '/');
+            // Get list of files from local backup system
+            $local_files = array();
+            $tmp_local_files = scandir('/conf/backup/');
+            // Remove '.' and '..'
+            foreach ($tmp_local_files as $tmp_local_file) {
+                if ($tmp_local_file === '.' || $tmp_local_file === '..') { continue; }
+                $local_files[] = $tmp_local_file;
+            }
+
+            // Get list of filenames (without path) on remote location
+            $remote_files = array();
+            $tmp_remote_files = $this->listfiles($url, $username, $password, $internal_username, "/$backupdir/", false);
+            foreach ($tmp_remote_files as $tmp_remote_file) {
+                $remote_files[] = pathinfo($tmp_remote_file)['basename'];
+            }
+
+
+            $uploaded_files = array();
+
+            // Loop over each local file,
+            // see if it's in $remote_files,
+            // if not, optionally encrypt, and upload
+            foreach ($local_files as $file_to_upload) {
+                if (!in_array($file_to_upload, $remote_files)) {
+                    $confdata = file_get_contents("/conf/backup/$file_to_upload");
+                    if (!empty($crypto_password)) {
+                        $confdata = $this->encrypt($confdata, $crypto_password);
                     }
-                );
-            } catch (\Exception $e) {
-                return array();
+                    try {
+                        $this->upload_file_content(
+                            $url,
+                            $username,
+                            $password,
+                            $internal_username,
+                            $backupdir,
+                            $file_to_upload,
+                            $confdata
+                        );
+                        $uploaded_files[] = $file_to_upload;
+                    } catch (\Exception $e) {
+                        return $uploaded_files;
+                    }
+                }
             }
+            return $uploaded_files;
         }
     }
 

From 89b8cddd8846d9c8280f802ec15bfcabda8d9242 Mon Sep 17 00:00:00 2001
From: "Michael J. Arcan" <github@arcan-it.de>
Date: Wed, 17 Dec 2025 10:20:08 +0100
Subject: [PATCH 2832/3088] ddclient: add Hetzner DNS provider (#5082)

Add native support for Hetzner Cloud DNS API (api.hetzner.cloud).
  Hetzner is migrating from dns.hetzner.com to Cloud Console,
  with the old API shutting down in May 2026.

  Features:
  - Bearer token authentication
  - A and AAAA record support
  - Multiple hostnames (comma-separated)
  - Configurable TTL
---
 .../scripts/ddclient/lib/account/hetzner.py   | 545 ++++++++++++++++++
 1 file changed, 545 insertions(+)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
new file mode 100644
index 0000000000..68074597ee
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
@@ -0,0 +1,545 @@
+"""
+    Copyright (c) 2025 Arcan Consulting (www.arcan-it.de)
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+    Hetzner DNS providers for OPNsense DynDNS
+
+    Supports both APIs:
+    - Hetzner DNS (api.hetzner.cloud) - new Cloud API for migrated zones
+    - Hetzner DNS Legacy (dns.hetzner.com) - old API, shutting down May 2026
+"""
+import syslog
+import requests
+from . import BaseAccount
+
+
+class Hetzner(BaseAccount):
+    """
+    Hetzner Cloud DNS API provider
+    Uses the new Cloud API (api.hetzner.cloud)
+    API Documentation: https://docs.hetzner.cloud/#dns
+    """
+    _priority = 65535
+
+    _services = ['hetzner']
+
+    _api_base = "https://api.hetzner.cloud/v1"
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return {'hetzner': 'Hetzner DNS'}
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in Hetzner._services
+
+    def _get_headers(self):
+        return {
+            'User-Agent': 'OPNsense-dyndns',
+            'Authorization': 'Bearer ' + self.settings.get('password', ''),
+            'Content-Type': 'application/json'
+        }
+
+    def _get_zone_name(self):
+        """Get zone name from settings - try 'zone' field first, then 'username' as fallback"""
+        zone_name = self.settings.get('zone', '').strip()
+        if not zone_name:
+            zone_name = self.settings.get('username', '').strip()
+        return zone_name
+
+    def _get_zone_id(self, headers):
+        """Get zone ID by zone name"""
+        zone_name = self._get_zone_name()
+
+        url = f"{self._api_base}/zones"
+        params = {'name': zone_name}
+
+        response = requests.get(url, headers=headers, params=params)
+
+        if response.status_code != 200:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error fetching zones: HTTP %d - %s" % (
+                    self.description, response.status_code, response.text
+                )
+            )
+            return None
+
+        try:
+            payload = response.json()
+        except requests.exceptions.JSONDecodeError:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error parsing JSON response: %s" % (self.description, response.text)
+            )
+            return None
+
+        zones = payload.get('zones', [])
+        if not zones:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s zone '%s' not found" % (self.description, zone_name)
+            )
+            return None
+
+        zone_id = zones[0].get('id')
+        if self.is_verbose:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Account %s found zone ID %s for %s" % (self.description, zone_id, zone_name)
+            )
+
+        return zone_id
+
+    def _get_record(self, headers, zone_id, record_name, record_type):
+        """Get existing record by name and type"""
+        url = f"{self._api_base}/zones/{zone_id}/rrsets/{record_name}/{record_type}"
+
+        response = requests.get(url, headers=headers)
+
+        if response.status_code == 404:
+            return None
+
+        if response.status_code != 200:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error fetching record: HTTP %d - %s" % (
+                    self.description, response.status_code, response.text
+                )
+            )
+            return None
+
+        try:
+            payload = response.json()
+            return payload.get('rrset')
+        except requests.exceptions.JSONDecodeError:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error parsing JSON response: %s" % (self.description, response.text)
+            )
+            return None
+
+    def _update_record(self, headers, zone_id, record_name, record_type, address):
+        """Update existing record with new address"""
+        url = f"{self._api_base}/zones/{zone_id}/rrsets/{record_name}/{record_type}"
+
+        data = {
+            'records': [{'value': str(address)}],
+            'ttl': int(self.settings.get('ttl', 300))
+        }
+
+        response = requests.put(url, headers=headers, json=data)
+
+        if response.status_code != 200:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error updating record: HTTP %d - %s" % (
+                    self.description, response.status_code, response.text
+                )
+            )
+            return False
+
+        if self.is_verbose:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Account %s updated %s %s to %s" % (
+                    self.description, record_name, record_type, address
+                )
+            )
+
+        return True
+
+    def _create_record(self, headers, zone_id, record_name, record_type, address):
+        """Create new record"""
+        url = f"{self._api_base}/zones/{zone_id}/rrsets"
+
+        data = {
+            'name': record_name,
+            'type': record_type,
+            'records': [{'value': str(address)}],
+            'ttl': int(self.settings.get('ttl', 300))
+        }
+
+        response = requests.post(url, headers=headers, json=data)
+
+        if response.status_code not in [200, 201]:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error creating record: HTTP %d - %s" % (
+                    self.description, response.status_code, response.text
+                )
+            )
+            return False
+
+        if self.is_verbose:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Account %s created %s %s with %s" % (
+                    self.description, record_name, record_type, address
+                )
+            )
+
+        return True
+
+    def _extract_record_name(self, hostname, zone_name):
+        """Extract record name from hostname, handling FQDN format"""
+        hostname = hostname.rstrip('.')
+
+        if hostname.endswith('.' + zone_name):
+            record_name = hostname[:-len(zone_name) - 1]
+        elif hostname == zone_name:
+            record_name = '@'
+        else:
+            record_name = hostname
+
+        if not record_name or record_name == '@':
+            record_name = '@'
+
+        return record_name
+
+    def execute(self):
+        if super().execute():
+            record_type = "AAAA" if ':' in str(self.current_address) else "A"
+            headers = self._get_headers()
+
+            zone_id = self._get_zone_id(headers)
+            if not zone_id:
+                return False
+
+            zone_name = self._get_zone_name()
+
+            hostnames_raw = self.settings.get('hostnames', '')
+            hostnames = [h.strip() for h in hostnames_raw.split(',') if h.strip()]
+
+            if not hostnames:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s no hostnames configured" % self.description
+                )
+                return False
+
+            all_success = True
+            for hostname in hostnames:
+                record_name = self._extract_record_name(hostname, zone_name)
+
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s updating %s (record: %s, type: %s) to %s" % (
+                            self.description, hostname, record_name, record_type, self.current_address
+                        )
+                    )
+
+                existing = self._get_record(headers, zone_id, record_name, record_type)
+
+                if existing:
+                    success = self._update_record(
+                        headers, zone_id, record_name, record_type, self.current_address
+                    )
+                else:
+                    success = self._create_record(
+                        headers, zone_id, record_name, record_type, self.current_address
+                    )
+
+                if success:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s set new IP %s for %s" % (
+                            self.description, self.current_address, hostname
+                        )
+                    )
+                else:
+                    all_success = False
+
+            if all_success:
+                self.update_state(address=self.current_address)
+                return True
+
+        return False
+
+
+class HetznerLegacy(BaseAccount):
+    """
+    Hetzner DNS Console (Legacy) API provider
+    Uses the old API at dns.hetzner.com - will be shut down May 2026
+    For zones not yet migrated to Hetzner Cloud Console
+    API Documentation: https://dns.hetzner.com/api-docs
+    """
+    _priority = 65535
+
+    _services = ['hetzner-legacy']
+
+    _api_base = "https://dns.hetzner.com/api/v1"
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return {'hetzner-legacy': 'Hetzner DNS Legacy (deprecated)'}
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in HetznerLegacy._services
+
+    def _get_headers(self):
+        return {
+            'User-Agent': 'OPNsense-dyndns',
+            'Auth-API-Token': self.settings.get('password', ''),
+            'Content-Type': 'application/json'
+        }
+
+    def _get_zone_name(self):
+        """Get zone name from settings - try 'zone' field first, then 'username' as fallback"""
+        zone_name = self.settings.get('zone', '').strip()
+        if not zone_name:
+            zone_name = self.settings.get('username', '').strip()
+        return zone_name
+
+    def _get_zone_id(self, headers):
+        """Get zone ID by zone name"""
+        zone_name = self._get_zone_name()
+
+        url = f"{self._api_base}/zones"
+        response = requests.get(url, headers=headers)
+
+        if response.status_code != 200:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error fetching zones: HTTP %d - %s" % (
+                    self.description, response.status_code, response.text
+                )
+            )
+            return None
+
+        try:
+            payload = response.json()
+        except requests.exceptions.JSONDecodeError:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error parsing JSON response: %s" % (self.description, response.text)
+            )
+            return None
+
+        zones = payload.get('zones', [])
+        for zone in zones:
+            if zone.get('name') == zone_name:
+                zone_id = zone.get('id')
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s found zone ID %s for %s" % (self.description, zone_id, zone_name)
+                    )
+                return zone_id
+
+        syslog.syslog(
+            syslog.LOG_ERR,
+            "Account %s zone '%s' not found" % (self.description, zone_name)
+        )
+        return None
+
+    def _get_record_id(self, headers, zone_id, record_name, record_type):
+        """Get record ID by name and type"""
+        url = f"{self._api_base}/records"
+        params = {'zone_id': zone_id}
+
+        response = requests.get(url, headers=headers, params=params)
+
+        if response.status_code != 200:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error fetching records: HTTP %d - %s" % (
+                    self.description, response.status_code, response.text
+                )
+            )
+            return None
+
+        try:
+            payload = response.json()
+        except requests.exceptions.JSONDecodeError:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error parsing JSON response: %s" % (self.description, response.text)
+            )
+            return None
+
+        records = payload.get('records', [])
+        for record in records:
+            if record.get('name') == record_name and record.get('type') == record_type:
+                record_id = record.get('id')
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s found record ID %s for %s %s" % (
+                            self.description, record_id, record_name, record_type
+                        )
+                    )
+                return record_id
+
+        return None
+
+    def _update_record(self, headers, zone_id, record_id, record_name, record_type, address):
+        """Update existing record with new address"""
+        url = f"{self._api_base}/records/{record_id}"
+
+        data = {
+            'zone_id': zone_id,
+            'type': record_type,
+            'name': record_name,
+            'value': str(address),
+            'ttl': int(self.settings.get('ttl', 300))
+        }
+
+        response = requests.put(url, headers=headers, json=data)
+
+        if response.status_code != 200:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error updating record: HTTP %d - %s" % (
+                    self.description, response.status_code, response.text
+                )
+            )
+            return False
+
+        if self.is_verbose:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Account %s updated %s %s to %s" % (
+                    self.description, record_name, record_type, address
+                )
+            )
+
+        return True
+
+    def _create_record(self, headers, zone_id, record_name, record_type, address):
+        """Create new record"""
+        url = f"{self._api_base}/records"
+
+        data = {
+            'zone_id': zone_id,
+            'type': record_type,
+            'name': record_name,
+            'value': str(address),
+            'ttl': int(self.settings.get('ttl', 300))
+        }
+
+        response = requests.post(url, headers=headers, json=data)
+
+        if response.status_code not in [200, 201]:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s error creating record: HTTP %d - %s" % (
+                    self.description, response.status_code, response.text
+                )
+            )
+            return False
+
+        if self.is_verbose:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Account %s created %s %s with %s" % (
+                    self.description, record_name, record_type, address
+                )
+            )
+
+        return True
+
+    def _extract_record_name(self, hostname, zone_name):
+        """Extract record name from hostname, handling FQDN format"""
+        hostname = hostname.rstrip('.')
+
+        if hostname.endswith('.' + zone_name):
+            record_name = hostname[:-len(zone_name) - 1]
+        elif hostname == zone_name:
+            record_name = '@'
+        else:
+            record_name = hostname
+
+        if not record_name or record_name == '@':
+            record_name = '@'
+
+        return record_name
+
+    def execute(self):
+        if super().execute():
+            record_type = "AAAA" if ':' in str(self.current_address) else "A"
+            headers = self._get_headers()
+
+            zone_id = self._get_zone_id(headers)
+            if not zone_id:
+                return False
+
+            zone_name = self._get_zone_name()
+
+            hostnames_raw = self.settings.get('hostnames', '')
+            hostnames = [h.strip() for h in hostnames_raw.split(',') if h.strip()]
+
+            if not hostnames:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s no hostnames configured" % self.description
+                )
+                return False
+
+            all_success = True
+            for hostname in hostnames:
+                record_name = self._extract_record_name(hostname, zone_name)
+
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s updating %s (record: %s, type: %s) to %s" % (
+                            self.description, hostname, record_name, record_type, self.current_address
+                        )
+                    )
+
+                record_id = self._get_record_id(headers, zone_id, record_name, record_type)
+
+                if record_id:
+                    success = self._update_record(
+                        headers, zone_id, record_id, record_name, record_type, self.current_address
+                    )
+                else:
+                    success = self._create_record(
+                        headers, zone_id, record_name, record_type, self.current_address
+                    )
+
+                if success:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s set new IP %s for %s" % (
+                            self.description, self.current_address, hostname
+                        )
+                    )
+                else:
+                    all_success = False
+
+            if all_success:
+                self.update_state(address=self.current_address)
+                return True
+
+        return False

From dcaf201b0c9b6e81239bb732ee6b5d0be9c54450 Mon Sep 17 00:00:00 2001
From: Jan Chlouba <cboubik@gmail.com>
Date: Wed, 17 Dec 2025 10:30:41 +0100
Subject: [PATCH 2833/3088] nginx: add optional HTTP/3 support with dynamic
 Alt-Svc (#5071)

---
 .../OPNsense/Nginx/forms/httpserver.xml            |  7 +++++++
 .../mvc/app/models/OPNsense/Nginx/Nginx.xml        |  4 ++++
 .../service/templates/OPNsense/Nginx/http.conf     | 14 ++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 21f8b4a288..cc441d1a1e 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -173,6 +173,13 @@
     <help>Enable the HTTP/2 protocol.</help>
     <advanced>true</advanced>
   </field>
+  <field>
+    <id>httpserver.enable_http3</id>
+    <label>HTTP/3 (QUIC)</label>
+    <type>checkbox</type>
+    <help>Enable HTTP/3/QUIC for this server (adds QUIC listeners and Alt-Svc header).</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>httpserver.tls_protocols</id>
     <label>TLS Protocols</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 88d65ee883..58c73dd62d 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -801,6 +801,10 @@
                 <Default>1</Default>
                 <Required>Y</Required>
             </http2>
+            <enable_http3 type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enable_http3>
             <tls_protocols type="OptionField">
                 <Multiple>Y</Multiple>
                 <Sorted>Y</Sorted>
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index f787eff2c4..cc316538ac 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -120,8 +120,19 @@ server {
 {%   endif %}
 
 {%   if server.listen_https_address is defined and server.listen_https_address != '' %}
+{%     set http3_alt_svc_ports = [] %}
 {%     for listen_address in server.listen_https_address.split(',') %}
     listen {{ listen_address }} ssl{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %}{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
+{%       if server.enable_http3|default("0") == "1" %}
+    listen {{ listen_address }} quic reuseport{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
+{%         set listen_address_clean = listen_address.replace(' ', '') %}
+{%         if listen_address_clean != '' %}
+{%           set listen_port = listen_address_clean.split(':')[-1] %}
+{%           if listen_port not in http3_alt_svc_ports %}
+{%             do http3_alt_svc_ports.append(listen_port) %}
+{%           endif %}
+{%         endif %}
+{%       endif %}
 {%     endfor %}
     http2 {% if server.http2|default("1") == "1" %}on{% else %}off{% endif %};
 {%     if server.tls_reject_handshake is defined and server.tls_reject_handshake == '1'%}
@@ -155,6 +166,9 @@ server {
 {%       else %}
     ssl_stapling off;
 {%       endif %}
+{%       if server.enable_http3|default("0") == "1" and http3_alt_svc_ports|length > 0 %}
+    add_header Alt-Svc '{% for listen_port in http3_alt_svc_ports %}h3=":{{ listen_port }}"; ma=86400{% if not loop.last %}, {% endif %}{% endfor %}' always;
+{%       endif %}
 {%     endif %}
 {%   endif %}
 {%   if server.resolver is defined and server.resolver != '' %}

From b943ea34a72d70dc8c47d5c0e12795492094856a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 17 Dec 2025 12:08:50 +0100
Subject: [PATCH 2834/3088] www/nginx: bump model version

---
 www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 58c73dd62d..f740f7297d 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Nginx</mount>
-    <version>1.35.1</version>
+    <version>1.35.2</version>
     <description>nginx web server, reverse proxy and waf</description>
     <items>
         <general>

From 716e75eec405ecaff92b12fc26121498c0045e49 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 17 Dec 2025 14:48:52 +0100
Subject: [PATCH 2835/3088] ddclient: Cloudflare - add Cloudflare dns ip check
 option, merge https://github.com/opnsense/plugins/pull/4184 with minor
 modifications.

---
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.xml |  1 +
 .../src/opnsense/scripts/ddclient/checkip     |  4 +--
 .../opnsense/scripts/ddclient/lib/__init__.py |  2 +-
 .../opnsense/scripts/ddclient/lib/address.py  | 33 ++++++++++++++++---
 4 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
index 6eac4cd24c..75c390ce1e 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.xml
@@ -146,6 +146,7 @@
                         <web_cloudflare>cloudflare</web_cloudflare>
                         <web_cloudflare_ipv4 value="cloudflare-ipv4">cloudflare-ipv4</web_cloudflare_ipv4>
                         <web_cloudflare_ipv6 value="cloudflare-ipv6">cloudflare-ipv6</web_cloudflare_ipv6>
+                        <dns_cloudflare value="dns_cloudflare-dns">cloudflare-dns</dns_cloudflare>
                         <web_dynu_ipv4 value="dynu-ipv4">dynu-ipv4</web_dynu_ipv4>
                         <web_dynu_ipv6 value="dynu-ipv6">dynu-ipv6</web_dynu_ipv6>
                         <web_freedns>freedns</web_freedns>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/checkip b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
index 0f51265521..08d9edc6fe 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/checkip
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/checkip
@@ -26,13 +26,13 @@
     POSSIBILITY OF SUCH DAMAGE.
 """
 import argparse
-from lib import checkip_service_list, checkip
+from lib import registered_services, checkip
 
 
 if __name__ == '__main__':
     # handle parameters
     parser = argparse.ArgumentParser()
-    parser.add_argument('-s', '--service', help='service name', choices=checkip_service_list.keys(), required=True)
+    parser.add_argument('-s', '--service', help='service name', choices=registered_services(), required=True)
     parser.add_argument('-i', '--interface', help='interface', type=str, default='')
     parser.add_argument('-t', '--tls', help='enforce tls', choices=['0', '1'], default='1')
     parser.add_argument('--timeout', help='timeout', type=str, default='10')
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py
index 025fbe05a3..762f022d13 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/__init__.py
@@ -57,5 +57,5 @@
         changed (return status of `execute()`) the state is flushed to disk.
 
 """
-from .address import checkip_service_list, checkip
+from .address import registered_services, checkip
 from .poller import AccountFactory, Poller
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
index 44ad79299a..396b4720b1 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/address.py
@@ -26,6 +26,8 @@
 import subprocess
 import re
 import ipaddress
+import dns.resolver
+import dns.rdataclass
 from urllib.parse import urlparse
 
 checkip_service_list = {
@@ -51,6 +53,19 @@
   'zoneedit': '%s://dynamic.zoneedit.com/checkip.html'
 }
 
+checkip_dns_list = {
+   'cloudflare-dns': {
+       'nameservers': ['1.1.1.1','1.0.0.1'],
+       'resolve_params': {
+           'qname': 'whoami.cloudflare',
+           'rdtype': 'TXT',
+           'rdclass': dns.rdataclass.from_text('CH')
+       }
+   }
+}
+
+def registered_services():
+    return list(checkip_service_list.keys()) + list(checkip_dns_list.keys())
 
 def extract_address(host, txt):
     """ Extract first IPv4 or IPv6 address from provided string
@@ -87,17 +102,17 @@ def transform_ip(ip, ipv6host=None):
 
 
 def checkip(service, proto='https', timeout='10', interface=None, dynipv6host=None):
-    """ find ip address using external services defined in checkip_service_list
+    """ find ip address using external web services defined in checkip_service_list
+        or dns services defined in checkip_dns_list
         :param proto: protocol
         :param timeout: timeout in seconds
         :param interface: bind to interface
         :param dynipv6host: optional partial ipv6 address
         :return: str
     """
-    if service.startswith('web_'):
+    if service.lstrip('web_') in checkip_service_list:
         # configuration name, strip web_ part
-        service = service[4:]
-    if service in checkip_service_list:
+        service = service.lstrip('web_')
         params = ['/usr/local/bin/curl', '-m', timeout]
         if interface is not None:
             params.append("--interface")
@@ -124,5 +139,15 @@ def checkip(service, proto='https', timeout='10', interface=None, dynipv6host=No
                             return str(address)
                     except ValueError:
                         continue
+    elif service.lstrip('dns_') in checkip_dns_list:
+        svc_info = checkip_dns_list[service.lstrip('dns_')]
+        resolve_params = svc_info['resolve_params']
+        dns_resolver = dns.resolver.Resolver()
+        dns_resolver.nameservers = svc_info['nameservers']
+        try:
+            dns_response = dns_resolver.resolve(**resolve_params)
+            return dns_response[0].to_text().strip('"')
+        except:
+            return ""
     else:
         return ""

From 81f3e21a1a9788bf72f7093efd46e6b100bf04b0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 18 Dec 2025 10:31:39 +0100
Subject: [PATCH 2836/3088] www/squid: remove old link reference; closes #9537

---
 .../opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index bc45c4c442..7d0aac1b84 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -336,7 +336,7 @@
                 <id>proxy.forward.sslcertificate</id>
                 <label>CA to use</label>
                 <type>dropdown</type>
-                <help><![CDATA[Select a Certificate Authority to use. To create a CA, go to <a href="/system_camanager.php">CA Manager</a>.]]></help>
+                <help>Select a certificate authority to use.</help>
             </field>
             <field>
                 <id>proxy.forward.sslnobumpsites</id>

From d987a7e53eca19362a8935916014d7ac726f9c7a Mon Sep 17 00:00:00 2001
From: Q-Feeds <support@qfeeds.com>
Date: Fri, 19 Dec 2025 09:58:20 +0100
Subject: [PATCH 2837/3088] Feature/dnscrypt proxy blocklist support (#5083)

* Add ports to Events page

* fixes race condition updating the blocklist

* Native integration with DNSCrypt-proxy

Added Q-Feeds domains to the DNSBL list of DNSCrypt-Proxy. Changed since the initial way, this is more native. Q-Feeds domains txt files only created if DNSCrypt-proxy is installed and if the list (qf) is selected.
---
 .../models/OPNsense/Dnscryptproxy/Dnsbl.xml   |  1 +
 .../scripts/OPNsense/Dnscryptproxy/dnsbl.sh   | 10 ++
 security/q-feeds-connector/Makefile           |  2 +-
 security/q-feeds-connector/pkg-descr          |  8 ++
 .../dnscryptproxy/blocklists/qfeeds_bl.py     | 92 +++++++++++++++++++
 .../opnsense/scripts/qfeeds/lib/__init__.py   | 21 ++++-
 .../conf/actions.d/actions_qfeeds.conf        |  2 +-
 7 files changed, 133 insertions(+), 3 deletions(-)
 create mode 100644 security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py

diff --git a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
index 188564ee6c..ba05d656e2 100644
--- a/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
+++ b/dns/dnscrypt-proxy/src/opnsense/mvc/app/models/OPNsense/Dnscryptproxy/Dnsbl.xml
@@ -19,6 +19,7 @@
                 <ep>Easyprivacy List</ep>
                 <nc>NoCoin List</nc>
                 <pt>PornTop1M List</pt>
+                <qf>Q-Feeds (when installed)</qf>
                 <sa>Simple Ad List</sa>
                 <st>Simple Tracker List</st>
                 <sb>Steven Black List</sb>
diff --git a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
index 23bb785899..77420eef0c 100755
--- a/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
+++ b/dns/dnscrypt-proxy/src/opnsense/scripts/OPNsense/Dnscryptproxy/dnsbl.sh
@@ -154,6 +154,13 @@ simpletrack() {
 	rm ${WORKDIR}/simpletrack-raw
 }
 
+qfeeds() {
+	# Q-Feeds List
+	if [ -f "/usr/local/etc/dnscrypt-proxy/blacklist-qfeeds.txt" ] && [ -s "/usr/local/etc/dnscrypt-proxy/blacklist-qfeeds.txt" ]; then
+		sed "/\.$/d" /usr/local/etc/dnscrypt-proxy/blacklist-qfeeds.txt | sed "/^#/d" | sed "/\_/d" | sed "/^[[:space:]]*$/d" | sed "/\.\./d" | sed "s/^\.//g" > ${WORKDIR}/qfeeds
+	fi
+}
+
 install() {
 	# Put all files in correct format
 	for FILE in $(find ${WORKDIR} -type f); do
@@ -222,6 +229,9 @@ for CAT in $(echo ${DNSBL} | tr ',' ' '); do
 	yy)
 		yoyo
 		;;
+	qf)
+		qfeeds
+		;;
 	esac
 done
 
diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index b2bf170b23..cf53d91cda 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		q-feeds-connector
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_TIER=		2
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index c336c3b3db..02c1a8ae85 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -2,6 +2,14 @@ Connector for Q-Feeds threat intel
 
 Plugin Changelog
 ================
+1.4
+
+* Feature: Added DNSCrypt-Proxy
+
+1.3
+
+* Widget: Added license info 
+* Events: added source and destination port
 
 1.3
 
diff --git a/security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py
new file mode 100644
index 0000000000..ab04f81924
--- /dev/null
+++ b/security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py
@@ -0,0 +1,92 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2025 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import os
+import glob
+import re
+
+# Check if 'qf' is selected in DNSCrypt-proxy DNSBL configuration
+def is_qf_selected():
+    rc_conf_file = '/etc/rc.conf.d/dnscrypt_proxy'
+    if os.path.exists(rc_conf_file):
+        try:
+            with open(rc_conf_file, 'r') as f:
+                for line in f:
+                    # Look for dnscrypt_proxy_dnsbl="..." line
+                    match = re.search(r'dnscrypt_proxy_dnsbl="([^"]*)"', line)
+                    if match:
+                        dnsbl_list = match.group(1)
+                        # Check if 'qf' is in the comma-separated list
+                        return 'qf' in [x.strip() for x in dnsbl_list.split(',')]
+        except Exception:
+            pass
+    return False
+
+# Q-Feeds domain files directory
+qfeeds_tables_dir = '/var/db/qfeeds-tables'
+
+# Automatically find all domain files (*_domains.txt) in qfeeds-tables directory
+# This will include malware_domains.txt, phishing_domains.txt, etc.
+qfeeds_filenames = []
+if os.path.isdir(qfeeds_tables_dir):
+    # Find all files ending with _domains.txt (e.g., malware_domains.txt, phishing_domains.txt)
+    pattern = os.path.join(qfeeds_tables_dir, '*_domains.txt')
+    qfeeds_filenames = sorted(glob.glob(pattern))
+
+# Collect q-feeds domains
+qfeeds_domains = set()
+for filename in qfeeds_filenames:
+    if os.path.exists(filename):
+        with open(filename, 'r') as f_in:
+            for line in f_in:
+                domain = line.strip()
+                if domain:
+                    qfeeds_domains.add(domain)
+
+# Write q-feeds domains to blacklist-qfeeds.txt
+# dnscrypt-proxy's dnsbl.sh qfeeds() function will read this file when 'qf' is selected in DNSBL config
+qfeeds_blacklist_file = '/usr/local/etc/dnscrypt-proxy/blacklist-qfeeds.txt'
+dnscrypt_proxy_dir = '/usr/local/etc/dnscrypt-proxy'
+
+# Only proceed if DNSCrypt-proxy directory exists (plugin is installed) AND 'qf' is selected
+if os.path.isdir(dnscrypt_proxy_dir) and is_qf_selected():
+	if qfeeds_domains:
+		# Write q-feeds domains to separate file
+		with open(qfeeds_blacklist_file, 'w') as f_out:
+			for domain in sorted(qfeeds_domains):
+				f_out.write("%s\n" % domain)
+	else:
+		# Remove q-feeds blacklist file if no domains available
+		if os.path.exists(qfeeds_blacklist_file):
+			os.remove(qfeeds_blacklist_file)
+elif os.path.isdir(dnscrypt_proxy_dir):
+	# DNSCrypt-proxy is installed but 'qf' is not selected - remove the file if it exists
+	if os.path.exists(qfeeds_blacklist_file):
+		os.remove(qfeeds_blacklist_file)
+
+
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
index f0f029c1db..87ba013dc4 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
@@ -46,6 +46,7 @@ def list_actions(cls):
             'show_index',
             'firewall_load',
             'unbound_load',
+            'dnscryptproxy_load',
             'update',
             'stats',
             'logs'
@@ -121,6 +122,24 @@ def unbound_load(self):
             subprocess.run(['/usr/local/sbin/configctl', 'unbound', 'dnsbl'])
             yield 'update unbound blocklist'
 
+    def dnscryptproxy_load(self):
+        script_path = '/usr/local/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py'
+        dnscrypt_proxy_dir = '/usr/local/etc/dnscrypt-proxy'
+        if os.path.exists(script_path) and os.path.isdir(dnscrypt_proxy_dir):
+            subprocess.run([script_path], capture_output=True, text=True)
+            # Trigger dnscrypt-proxy DNSBL update to merge blacklist-qfeeds.txt
+            # Only if DNSCrypt-proxy is installed (directory exists)
+            result = subprocess.run(['/usr/local/sbin/configctl', 'dnscryptproxy', 'dnsbl'], 
+                                  capture_output=True, text=True)
+            if result.returncode == 0:
+                yield 'update dnscrypt-proxy blocklist'
+            else:
+                yield 'dnscrypt-proxy not available'
+        elif not os.path.isdir(dnscrypt_proxy_dir):
+            yield 'dnscrypt-proxy not installed'
+        else:
+            yield 'dnscrypt-proxy blocklist script not found'
+
     def update(self):
         update_sleep = 99999
         try:
@@ -136,7 +155,7 @@ def update(self):
         if do_update:
                 if 0 < update_sleep <= 300:
                     time.sleep(update_sleep)
-                for action in ['fetch_index', 'fetch', 'firewall_load', 'unbound_load']:
+                for action in ['fetch_index', 'fetch', 'firewall_load', 'unbound_load', 'dnscryptproxy_load']:
                     yield from getattr(self, action)()
 
     def stats(self):
diff --git a/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf b/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
index e2fba096ec..9558b9c88a 100644
--- a/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
+++ b/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
@@ -1,5 +1,5 @@
 [reconfigure]
-command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py fetch_index fetch firewall_load unbound_load && echo 'EXIT OK'
+command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py fetch_index fetch firewall_load unbound_load dnscryptproxy_load && echo 'EXIT OK'
 parameters:
 type:script_output
 message:reconfigure QFeeds

From 809f2ae9d8209cd7940c4b897132ecb0f6c38fb0 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 19 Dec 2025 13:43:52 +0100
Subject: [PATCH 2838/3088] net/ndp-proxy-go: Add ratelimit for pfctl
 operations (#5096)

---
 net/ndp-proxy-go/Makefile                             |  2 +-
 net/ndp-proxy-go/pkg-descr                            |  4 ++++
 .../controllers/OPNsense/NdpProxy/forms/general.xml   | 11 +++++++++--
 .../mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml     |  3 +++
 .../service/templates/OPNsense/NdpProxy/ndp_proxy_go  |  3 +++
 5 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
index 76068232f1..8c95b55dd7 100644
--- a/net/ndp-proxy-go/Makefile
+++ b/net/ndp-proxy-go/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ndp-proxy-go
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol (NDP) Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 PLUGIN_DEPENDS=		ndp-proxy-go
diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr
index 68c72ebadc..73d314b14a 100644
--- a/net/ndp-proxy-go/pkg-descr
+++ b/net/ndp-proxy-go/pkg-descr
@@ -6,6 +6,10 @@ DOC: https://docs.opnsense.org/manual/ndp-proxy-go.html
 Plugin Changelog
 ================
 
+1.3
+
+* Add ratelimit for pfctl operations
+
 1.2
 
 * Add firewall alias support
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
index d496342cda..5d6c3372d8 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
@@ -50,7 +50,7 @@
     </field>
     <field>
         <id>ndpproxy.general.cache_max</id>
-        <label>Maximum learned neighbors</label>
+        <label>Max learned neighbors</label>
         <type>text</type>
         <hint>4096</hint>
         <help>Maximum learned neighbors, increase for large networks.</help>
@@ -66,7 +66,14 @@
         <label>Max route operations</label>
         <type>text</type>
         <hint>50</hint>
-        <help>Max route operations per second, increase for large networks.</help>
+        <help>Maximum route operations per second. Limits how fast routes are applied; excess operations are queued, not dropped.</help>
+    </field>
+    <field>
+        <id>ndpproxy.general.pf_qps</id>
+        <label>Max alias operations</label>
+        <type>text</type>
+        <hint>50</hint>
+        <help>Maximum firewall alias operations per second. Limits how fast aliases are populated; excess operations are queued, not dropped.</help>
     </field>
     <field>
         <id>ndpproxy.general.pcap_timeout</id>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
index a88c26c5f0..b71d385129 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
@@ -33,6 +33,9 @@
             <route_qps type="IntegerField">
                 <MinimumValue>1</MinimumValue>
             </route_qps>
+            <pf_qps type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+            </pf_qps>
             <pcap_timeout type="IntegerField">
                 <MinimumValue>1</MinimumValue>
             </pcap_timeout>
diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
index 71acffe934..f5131e9af2 100644
--- a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
@@ -30,6 +30,9 @@ ndp_proxy_go_cache_file="/var/db/ndpproxy/cache.json"
 {%     if general.route_qps %}
 {%         do flags.append('--route-qps ' ~ general.route_qps) %}
 {%     endif %}
+{%     if general.pf_qps %}
+{%         do flags.append('--pf-qps ' ~ general.pf_qps) %}
+{%     endif %}
 {%     if general.pcap_timeout %}
 {%         do flags.append('--pcap-timeout ' ~ general.pcap_timeout ~ 'ms') %}
 {%     endif %}

From d3cbedaa8e405a72fc8317d0b4d4aed9c96a63c3 Mon Sep 17 00:00:00 2001
From: mbedworth <michael.bedworth@me.com>
Date: Sun, 28 Dec 2025 04:23:52 -0500
Subject: [PATCH 2839/3088] security/wazuh-agent: Fix active response duplicate
 key causing false aborts (#5104)

When multiple IPs trigger the same rule simultaneously, they were
sharing the same check_keys value (only rule ID), causing the manager
to abort all but the first execution.

Changed the key to include both rule_id and srcip to make it unique
per source IP, allowing multiple simultaneous blocks while still
preventing duplicate blocks of the same IP.

Fixes #4738
---
 security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
index f2b349a250..a13439c2ec 100755
--- a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
+++ b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
@@ -121,7 +121,8 @@ def main(params):
                 },
                 "command": "check_keys",
                 "parameters":{
-                    "keys": [event['parameters']['alert']['rule']['id']]
+                   unique_key = "%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)
+		   "keys": [unique_key] 
                 }
             }))
             sys.stdout.flush()

From 8895dd979615300af463dde284d4c8375763ead0 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 5 Jan 2026 12:55:17 +0100
Subject: [PATCH 2840/3088] net/frr: Prevent errors in diagnostics view when a
 frr daemon is not started (#5119)

* net/frr: Prevent errors in diagnostics view when a frr daemon is not started

* Add revision
---
 net/frr/Makefile                              |  1 +
 net/frr/pkg-descr                             |  1 +
 .../conf/actions.d/actions_quagga.conf        | 23 +++++++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 72426c8e52..5e04f6ac3c 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.49
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 0f648c4dbe..28367b2b45 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -18,6 +18,7 @@ Plugin Changelog
 * Fix SNMP OSPF argument flags in RC configuration file
 * Fix STATIC template interface issue
 * Replace shell_exec() with mwexecfm()
+* Prevent errors in diagnostics view when a frr daemon is not started
 
 1.48
 
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 32b7e533c0..291c82d516 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -33,137 +33,160 @@ message:request frr
 [diagnostics.general_running-config]
 command:/usr/local/bin/vtysh -c "show running-config"
 parameters:
+errors:no
 type:script_output
 message:FRR diagnosticts "show running-config"
 
 [diagnostics.general_route4]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip route %s'
+errors:no
 type:script_output
 message:FRR diagnosticts "show ip route"
 
 [diagnostics.general_route6]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 route %s'
+errors:no
 type:script_output
 message:FRR diagnosticts "show ipv6 route"
 
 [diagnostics.bgp_route4]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv4 %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv4 %s"
 
 [diagnostics.bgp_route6]
 command:/usr/local/bin/vtysh
 parameters:-c 'show bgp ipv6 %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv6 %s"
 
 [diagnostics.bgp_summary]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp summary %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp summary %s"
 
 [diagnostics.bgp_summary4]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv4 summary %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv4 summary %s"
 
 [diagnostics.bgp_summary6]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv6 summary %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv6 summary %s"
 
 [diagnostics.bgp_neighbors]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp neighbors %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp neighbors %s"
 
 [diagnostics.bgp_neighbors4]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv4 neighbors %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv4 neighbors %s"
 
 [diagnostics.bgp_neighbors6]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bgp ipv6 neighbors %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bgp ipv6 neighbors %s"
 
 [diagnostics.ospf_overview]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf %s"
 
 [diagnostics.ospf_neighbor]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf neighbor %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf neighbor %s"
 
 [diagnostics.ospf_route]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf route %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf route %s"
 
 [diagnostics.ospf_interface]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf interface %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf interface %s"
 
 [diagnostics.bfd_neighbors]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bfd peers %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bfd peers json %s"
 
 [diagnostics.bfd_summary]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bfd peers brief %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bfd peers brief %s"
 
 [diagnostics.bfd_counters]
 command:/usr/local/bin/vtysh
 parameters: -c 'show bfd peers counters %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show bfd peers counters %s"
 
 [diagnostics.ospf_database]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf database %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ip ospf database"
 
 [diagnostics.ospfv3_overview]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 %s"
 
 [diagnostics.ospfv3_route]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 route %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 route %s"
 
 [diagnostics.ospfv3_database]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 database %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 database json"
 
 [diagnostics.ospfv3_interface]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ipv6 ospf6 interface %s'
+errors:no
 type:script_output
 message:FRR diagnostics "show ipv6 ospf6 interface %s"

From f34410b9a3a10a83f8405edb6f568e5b9c9c56e3 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 5 Jan 2026 17:19:31 +0100
Subject: [PATCH 2841/3088] net/ndp-proxy-go: Add depend on CARP syshook
 (#5108)

* net/ndp-proxy-go: Add depend on CARP syshook

* net/ndp-proxy-go: When carp_depend_on is enabled, prevent service start on BACKUP

* Depend on CARP is advanced mode, sort other more advanced options under headers

* Use model instead of global config

* Use custom variable for carp check

* Change label and adjust help text
---
 net/ndp-proxy-go/pkg-descr                    |  1 +
 .../src/etc/rc.syshook.d/carp/20-ndpproxy     | 53 +++++++++++++++++++
 .../OPNsense/NdpProxy/forms/general.xml       | 20 ++++++-
 .../app/models/OPNsense/NdpProxy/NdpProxy.xml |  6 ++-
 .../templates/OPNsense/NdpProxy/ndp_proxy_go  |  3 ++
 5 files changed, 81 insertions(+), 2 deletions(-)
 create mode 100755 net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy

diff --git a/net/ndp-proxy-go/pkg-descr b/net/ndp-proxy-go/pkg-descr
index 73d314b14a..161f8684eb 100644
--- a/net/ndp-proxy-go/pkg-descr
+++ b/net/ndp-proxy-go/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.3
 
 * Add ratelimit for pfctl operations
+* Add CARP failover
 
 1.2
 
diff --git a/net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy b/net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy
new file mode 100755
index 0000000000..8ec0ccb33b
--- /dev/null
+++ b/net/ndp-proxy-go/src/etc/rc.syshook.d/carp/20-ndpproxy
@@ -0,0 +1,53 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2025 Cedrik Pischem
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('script/load_phalcon.php');
+require_once('util.inc');
+
+use OPNsense\NdpProxy\NdpProxy;
+
+$subsystem = $argv[1] ?? '';
+$type = $argv[2] ?? '';
+$model = new NdpProxy();
+
+if (
+    (!in_array($type, ['MASTER', 'BACKUP'], true)) ||  /* exclude INIT */
+    strpos($subsystem, '@') === false ||  /* only react to real CARP events */
+    $model->general->enabled->isEmpty() ||
+    $model->general->carp_depend_on->isEmpty()
+) {
+    exit(0);
+}
+
+$actions = [
+    'MASTER' => 'start',
+    'BACKUP' => 'stop',
+];
+
+mwexecfm('/usr/local/etc/rc.d/ndp-proxy-go ' . $actions[$type]);
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
index 5d6c3372d8..596c7b1af4 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/controllers/OPNsense/NdpProxy/forms/general.xml
@@ -9,6 +9,13 @@
         <type>checkbox</type>
         <help>Enable or disable this service.</help>
     </field>
+    <field>
+        <id>ndpproxy.general.carp_depend_on</id>
+        <label>Enable CARP failover</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>If any CARP VHID on this node is in MASTER state the service will be started, otherwise stopped. As NDP is stateless, a short interruption of IPv6 connectivity must be expected during CARP transitions.</help>
+    </field>
     <field>
         <type>header</type>
         <label>Proxy Settings</label>
@@ -39,7 +46,8 @@
     </field>
     <field>
         <type>header</type>
-        <label>Performance Settings</label>
+        <label>Neighbor Settings</label>
+        <collapse>true</collapse>
     </field>
     <field>
         <id>ndpproxy.general.cache_ttl</id>
@@ -61,6 +69,11 @@
         <type>checkbox</type>
         <help>Persist cache to file on service stop and load it on service start. Only neighbors with a valid cache lifetime are loaded. This helps on system reboots to minimize downtime of individual clients.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Performance Settings</label>
+        <collapse>true</collapse>
+    </field>
     <field>
         <id>ndpproxy.general.route_qps</id>
         <label>Max route operations</label>
@@ -82,6 +95,11 @@
         <hint>50</hint>
         <help>Controls CPU usage vs. NDP responsiveness. Lower values (e.g., 25 ms) minimize latency during cache refresh at the cost of more CPU. Higher values (100–250 ms) reduce CPU use but may introduce small latency spikes.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Log Settings</label>
+        <collapse>true</collapse>
+    </field>
     <field>
         <id>ndpproxy.general.debug</id>
         <label>Debug log</label>
diff --git a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
index b71d385129..9f02e11462 100644
--- a/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
+++ b/net/ndp-proxy-go/src/opnsense/mvc/app/models/OPNsense/NdpProxy/NdpProxy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/ndpproxy</mount>
     <description>NDP Proxy model</description>
-    <version>1.0</version>
+    <version>1.1</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -43,6 +43,10 @@
                 <Default>0</Default>
                 <Required>Y</Required>
             </debug>
+            <carp_depend_on type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </carp_depend_on>
         </general>
         <aliases>
             <alias type="ArrayField">
diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
index f5131e9af2..61b7c01f2b 100644
--- a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
@@ -2,6 +2,9 @@
 {% set general = helpers.getNodeByTag('OPNsense.ndpproxy.general') %}
 {% if general.enabled|default("0") == "1" and general.upstream and general.downstream %}
 ndp_proxy_go_enable="YES"
+{%     if general.carp_depend_on %}
+ndp_proxy_go_check_carp="YES"
+{%     endif %}
 ndp_proxy_go_upstream="{{ helpers.physical_interface(general.upstream) }}"
 {%     set downstream_interfaces = [] %}
 {%     for interface in general.downstream.split(',') %}

From 565bd0223599bb2910438fb160b657a1d13503d5 Mon Sep 17 00:00:00 2001
From: mbedworth <michael.bedworth@me.com>
Date: Tue, 6 Jan 2026 02:48:13 -0500
Subject: [PATCH 2842/3088] [wazuh-agent] Add repeated_offenders config, fix
 template issues (#5116)

- Add repeated_offenders field to active response settings
- Remove 'without context' from ossec.conf include loop to allow
  variable access in config fragments
- Fix opnsense-fw.conf template bug: wazuh_command -> active_response
- Bump model version to 1.0.3
---
 .../controllers/OPNsense/WazuhAgent/forms/settings.xml | 10 ++++++++++
 .../mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml  |  7 ++++++-
 .../templates/OPNsense/WazuhAgent/opnsense-fw.conf     |  2 +-
 .../service/templates/OPNsense/WazuhAgent/ossec.conf   |  2 +-
 .../WazuhAgent/ossec_config.d/005-active-response.conf |  3 +++
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
index 18f9d6196a..99791664d8 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/controllers/OPNsense/WazuhAgent/forms/settings.xml
@@ -87,6 +87,16 @@
             active-response action.
         </help>
     </field>
+    <field>
+        <id>agent.active_response.repeated_offenders</id>
+        <label>Repeated offenders</label>
+        <type>text</type>
+        <help>
+            Comma-separated list of increasing timeout values in minutes for repeat offenders (e.g., 30,60,120,240).
+            When an IP triggers active response multiple times, each subsequent block uses the next timeout value.
+            Leave empty to disable repeated offender escalation.
+        </help>
+    </field>
     <field>
         <id>agent.active_response.remote_commands</id>
         <label>Wazuh remote commands</label>
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
index 62941e94a7..9657b91baf 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/WazuhAgent</mount>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <description>Wazuh Agent</description>
     <items>
         <general>
@@ -112,6 +112,11 @@
                 </Model>
                 <Required>N</Required>
             </fw_alias_ignore>
+            <repeated_offenders type="TextField">
+                <Required>N</Required>
+                <Mask>/^([0-9]+)(,[0-9]+)*$/</Mask>
+                <ValidationMessage>Enter comma-separated timeout values in minutes (e.g., 30,60,120,240)</ValidationMessage>
+            </repeated_offenders>
         </active_response>
     </items>
 </model>
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
index b97c634396..b014fbaaf1 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/opnsense-fw.conf
@@ -1,4 +1,4 @@
 [general]
 {% if not helpers.empty('OPNsense.WazuhAgent.active_response.fw_alias_ignore') and helpers.getUUID(OPNsense.WazuhAgent.active_response.fw_alias_ignore) %}
-skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.wazuh_command.fw_alias_ignore).name}}
+skip_alias={{helpers.getUUID(OPNsense.WazuhAgent.active_response.fw_alias_ignore).name}}
 {% endif %}
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
index 5abdacd54a..c92a5825f8 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec.conf
@@ -22,7 +22,7 @@
   </client_buffer>
 
 {%  for sfilename in helpers.glob("OPNsense/WazuhAgent/ossec_config.d/*.conf") %}{%
-        include sfilename without context
+        include sfilename
 +%}
 
 {%  endfor %}
diff --git a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf
index 6627c9eac2..711e86fccf 100644
--- a/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf
+++ b/security/wazuh-agent/src/opnsense/service/templates/OPNsense/WazuhAgent/ossec_config.d/005-active-response.conf
@@ -1,4 +1,7 @@
   <!-- Active response -->
   <active-response>
     <disabled>{% if not helpers.empty('OPNsense.WazuhAgent.active_response.enabled') %}no{% else %}yes{% endif %}</disabled>
+{% if not helpers.empty('OPNsense.WazuhAgent.active_response.repeated_offenders') %}
+    <repeated_offenders>{{ OPNsense.WazuhAgent.active_response.repeated_offenders }}</repeated_offenders>
+{% endif %}
   </active-response>

From 6ef3face701b8226e1a7109aff6ec428dbb04b21 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 8 Jan 2026 14:33:00 +0100
Subject: [PATCH 2843/3088] net/relayd: removed isEmptyAndRequired()

---
 net/relayd/Makefile                           |  2 +-
 .../Relayd/Api/SettingsController.php         | 51 +++++++++----------
 2 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/net/relayd/Makefile b/net/relayd/Makefile
index 7900b4f554..eac86962db 100644
--- a/net/relayd/Makefile
+++ b/net/relayd/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		relayd
 PLUGIN_VERSION=		2.9
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		relayd
 PLUGIN_COMMENT=		Relayd Load Balancer
 PLUGIN_MAINTAINER=	frank.brendel@eurolog.com
diff --git a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
index f8cac66f1a..4be8107273 100644
--- a/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
+++ b/net/relayd/src/opnsense/mvc/app/controllers/OPNsense/Relayd/Api/SettingsController.php
@@ -1,31 +1,30 @@
 <?php
 
-/**
- *    Copyright (C) 2018 EURO-LOG AG
- *    Copyright (c) 2021 Deciso B.V.
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2018 EURO-LOG AG
+ * Copyright (c) 2021 Deciso B.V.
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Relayd\Api;
@@ -145,7 +144,7 @@ public function delAction($nodeType = null, $uuid = null)
             if ($uuid != null) {
                 $node = $this->getModel()->getNodeByReference($nodeType . '.' . $uuid);
                 if ($node != null) {
-                    $nodeName = $this->getModel()->getNodeByReference($nodeType . '.' . $uuid . '.name')->__toString();
+                    $nodeName = $this->getModel()->getNodeByReference($nodeType . '.' . $uuid . '.name')->getValue();
                     if ($this->getModel()->$nodeType->del($uuid) == true) {
                         // delete relations
                         switch ($nodeType) {
@@ -303,13 +302,13 @@ private function deleteRelations(
                 if ($fieldUuid == $relUuid) {
                     $refField = $nodeType . '.' . $nodeUuid . '.' . $nodeField;
                     $relNode = $this->getModel()->getNodeByReference($refField);
-                    $nodeRels = str_replace($relUuid, '', $relNode->__toString());
+                    $nodeRels = str_replace($relUuid, '', $relNode->getValue());
                     $nodeRels = str_replace(',,', ',', $nodeRels);
                     $nodeRels = rtrim($nodeRels, ',');
                     $nodeRels = ltrim($nodeRels, ',');
                     $this->getModel()->setNodeByReference($refField, $nodeRels);
-                    if ($relNode->isEmptyAndRequired()) {
-                        $nodeName = $this->getModel()->getNodeByReference("{$nodeType}.{$nodeUuid}.name")->__toString();
+                    if ($relNode->isRequired() && !$relNode->isSet()) {
+                        $nodeName = $this->getModel()->getNodeByReference("{$nodeType}.{$nodeUuid}.name")->getValue();
                         throw new \Exception("Cannot delete $relNodeType '$relNodeName' from $nodeType '$nodeName'");
                     }
                 }

From ea053db65a63ef36e5198c01bf5d2e8507bab1c7 Mon Sep 17 00:00:00 2001
From: Joe Bauser <coderjoe@coderjoe.net>
Date: Thu, 7 Mar 2024 01:22:14 -0500
Subject: [PATCH 2844/3088] security/acme-client: add support for acme.sh
 deploy hook "zyxel_gs1900"

Fixes #5080
---
 security/acme-client/pkg-descr                |  5 ++
 .../AcmeClient/forms/dialogAction.xml         | 35 ++++++++++
 .../LeAutomation/AcmeZyxelGs1900.php          | 66 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 21 ++++++
 4 files changed, 127 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 971425135c..cc5acb60ca 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.12
+
+Added:
+* new automation to upload to Zyxel GS1900 series switches (#5080)
+
 4.11
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 93167a695c..fda3912063 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -435,4 +435,39 @@
         <type>checkbox</type>
         <help>If checked version 2 of the kv store will be used, otherwise version 1. If you use v2 please consider the comment in the field "Vault Prefix".</help>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_zyxel_gs1900</style>
+    </field>
+    <field>
+        <id>action.acme_zyxel_gs1900_host</id>
+        <label>Switch Host</label>
+        <type>text</type>
+        <help>Hostname or IP adress of a Zyxel GS1900 series switch.</help>
+    </field>
+    <field>
+        <id>action.acme_zyxel_gs1900_user</id>
+        <label>Switch Admin User</label>
+        <type>text</type>
+        <help>A user configured as an adminstrator. Defaults to admin.</help>
+    </field>
+    <field>
+        <id>action.acme_zyxel_gs1900_password</id>
+        <label>Switch Admin Password</label>
+        <label>Password</label>
+        <type>password</type>
+    </field>
+    <field>
+        <id>action.acme_zyxel_gs1900_insecure</id>
+        <label>Skip Certificate Validation</label>
+        <type>checkbox</type>
+        <help>If checked the deployment will be run in insecure mode and will skip certificate validation when connecting to the switch.</help>
+    </field>
+    <field>
+        <id>action.acme_zyxel_gs1900_reboot</id>
+        <label>Restart Switch</label>
+        <type>checkbox</type>
+        <help>If checked the switch will be rebooted once the certificate has been successfully installed.</help>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php
new file mode 100644
index 0000000000..ba79dfba2e
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php
@@ -0,0 +1,66 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Joseph Bauser
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook zyxel_gs1900
+ * @package OPNsense\AcmeClient
+ */
+class AcmeZyxelGs1900 extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        // Required parameters
+        $this->acme_env['DEPLOY_ZYXEL_SWITCH_PASSWORD'] = (string)$this->config->acme_zyxel_gs1900_password;
+        
+        // Optional Parameters
+        if (!empty((string)$this->config->acme_zyxel_gs1900_host)) {
+            $this->acme_env['DEPLOY_ZYXEL_SWITCH'] = (string)$this->config->acme_zyxel_gs1900_host;
+        }
+        if (!empty((string)$this->config->acme_zyxel_gs1900_user)) {
+            $this->acme_env['DEPLOY_ZYXEL_SWITCH_USER'] = (string)$this->config->acme_zyxel_gs1900_user;
+        }
+        if (!empty((string)$this->config->acme_zyxel_gs1900_validate)) {
+            $this->acme_env['DEPLOY_ZYXEL_SWITCH_VALIDATE'] = (string)$this->config->acme_zyxel_gs1900_validate;
+        }
+        if (!empty((string)$this->config->acme_zyxel_gs1900_reboot)) {
+            $this->acme_env['DEPLOY_ZYXEL_SWITCH_REBOOT'] = (string)$this->config->acme_zyxel_gs1900_reboot;
+        }
+
+        $this->acme_args[] = '--deploy-hook zyxel_gs1900';
+        
+        if ((string)$this->config->acme_zyxel_gs1900_insecure == 1) {
+            array_push($this->acme_args, '--insecure');
+        }
+
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index d552f3d0b6..fbd0e8dfd9 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1396,6 +1396,7 @@
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
                         <acme_truenas>Upload certificate to TrueNAS Core Server</acme_truenas>
+                        <acme_zyxel_gs1900>Upload certificate to Zyxel GS1900 series switches</acme_zyxel_gs1900>
                         <acme_unifi>Update local Unifi keystore</acme_unifi>
                         <configd_generic>System or Plugin Command</configd_generic>
                     </OptionValues>
@@ -1720,6 +1721,26 @@
                 <acme_vault_kvv2 type="BooleanField">
                     <Default>1</Default>
                 </acme_vault_kvv2>
+                <acme_zyxel_gs1900_host type="HostnameField">
+                    <Required>N</Required>
+                    <mask>/^.{1,1024}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_zyxel_gs1900_host>
+                <acme_zyxel_gs1900_user type="TextField">
+                    <default>admin</default>
+                    <Required>N</Required>
+                </acme_zyxel_gs1900_user>
+                <acme_zyxel_gs1900_password type="TextField">
+                    <Required>N</Required>
+                </acme_zyxel_gs1900_password>
+                <acme_zyxel_gs1900_insecure type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </acme_zyxel_gs1900_insecure>
+                <acme_zyxel_gs1900_reboot type="BooleanField">
+                    <default>0</default>
+                    <Required>N</Required>
+                </acme_zyxel_gs1900_reboot>
             </action>
         </actions>
     </items>

From ea48c1445bfbd198267cf84ea6b2ae72e732d3e4 Mon Sep 17 00:00:00 2001
From: rfrederick <rfrederick@users.noreply.github.com>
Date: Tue, 13 Jan 2026 01:29:33 -0600
Subject: [PATCH 2845/3088] net/frr: Add BGP remove-private-AS to neighbors
 (#5090)

* net/frr: Add BGP remove-private-AS to neighbors

* net/frr: Simplify implementation of BGP remove-private-AS for neighbors

* Apply suggestion from @Monviech

---------

Co-authored-by: Monviech <79600909+Monviech@users.noreply.github.com>
---
 net/frr/Makefile                                       |  3 +--
 net/frr/pkg-descr                                      |  4 ++++
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml    | 10 ++++++++++
 .../opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml    |  8 ++++++++
 .../service/templates/OPNsense/Quagga/bgpd.conf        |  3 +++
 5 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 5e04f6ac3c..072f29e7da 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.49
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.50
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 28367b2b45..fe335aa280 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.50
+
+* Add BGP remove-private-AS (opnsense/plugins/issues/5038)
+
 1.49
 
 * Add hint about service reload / restart behaviour
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 501c6d8789..4a5c87dc71 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -217,6 +217,16 @@
       <visible>false</visible>
     </grid_view>
   </field>
+  <field>
+    <id>neighbor.removeprivateas</id>
+    <label>Remove Private AS</label>
+    <type>dropdown</type>
+    <help>Remove Private AS: Remove Private ASNs in outbound updates. Remove All AS: Remove all ASNs in outbound updates. Replace Priva
+te AS: Replace private ASNs with our ASN in outbound updates. Replace All AS: Replace all ASNs with our ASN in outbound updates.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
   <field>
     <id>neighbor.allowas_in</id>
     <label>Allow AS In</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 732e5aa16c..471c26c1b5 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -108,6 +108,14 @@
                 </connecttimer>
                 <defaultoriginate type="BooleanField"/>
                 <asoverride type="BooleanField"/>
+                <removeprivateas type="OptionField">
+                    <OptionValues>
+                        <removeprivateas value="remove-private-AS">Remove Private AS</removeprivateas>
+                        <removeallas value="remove-private-AS all">Remove All AS</removeallas>
+                        <replaceprivateas value="remove-private-AS replace-AS">Replace Private AS</replaceprivateas>
+                        <replaceallas value="remove-private-AS all replace-AS">Replace All AS</replaceallas>
+                    </OptionValues>
+                </removeprivateas>
                 <allowas_in type="OptionField">
                     <OptionValues>
                         <val1 value="1">1</val1>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 140a66cf25..56a117cf30 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -193,6 +193,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%     if 'asoverride' in neighbor and neighbor.asoverride == '1' %}
   neighbor {{ neighbor.address }} as-override
 {%         endif %}
+{%     if 'removeprivateas' in neighbor and neighbor.removeprivateas %}
+  neighbor {{ neighbor.address }} {{ neighbor.removeprivateas }}
+{%     endif %}
 {%     if 'allowas_in' in neighbor and neighbor.allowas_in %}
   neighbor {{ neighbor.address }} allowas-in {{ neighbor.allowas_in }}
 {%         endif %}

From d31618ee9b539fce667f73da2b11ec54b7f9c832 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 13 Jan 2026 08:30:13 +0100
Subject: [PATCH 2846/3088] net/frr: Add CARP event handler to restart command
 (#5132)

---
 net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 291c82d516..86170cd9ba 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -11,7 +11,7 @@ type:script
 message:stopping frr
 
 [restart]
-command:/usr/local/etc/rc.d/frr restart
+command:/usr/local/etc/rc.d/frr restart; /usr/local/opnsense/scripts/frr/carp_event_handler
 parameters:
 type:script
 message:restarting frr

From 2ffb9c413a1604705faa52559f91d00e2f3cfdc9 Mon Sep 17 00:00:00 2001
From: Shelldog95 <101978994+Shelldog95@users.noreply.github.com>
Date: Tue, 13 Jan 2026 08:33:14 +0100
Subject: [PATCH 2847/3088] net/frr: Add capability support for BGP neighbors
 (#5128)

* net/frr: Add capability support for BGP neighbors

I've recently tried to use OPNsense in an environment where the use of link-local addresses is required.
Since the link-local capability is not available, I was not able to use OPNsense then.

Obviously, there are some other with the same problem:

  * [os-frr] wrong interface for IPv6 link-local used to connect to neighbor #4962
  * https://forum.opnsense.org/index.php?topic=36088.0

So, I'd like to offer support for BGP capabilities.

* net/frr: Improve help string for BGP Capabilities as suggested by @Monviech

* net/frr: Fix typo as found by @Monviech

* net/frr: Remove not needed attribute as suggested by @Monviech

* Apply suggestion from @Monviech

---------

Co-authored-by: Monviech <79600909+Monviech@users.noreply.github.com>
---
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml    | 10 ++++++++++
 .../opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml    |  9 +++++++++
 .../service/templates/OPNsense/Quagga/bgpd.conf        |  5 +++++
 3 files changed, 24 insertions(+)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 4a5c87dc71..fd6e4f2c34 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -257,6 +257,16 @@ te AS: Replace private ASNs with our ASN in outbound updates. Replace All AS: Re
       <visible>false</visible>
     </grid_view>
   </field>
+  <field>
+    <id>neighbor.capabilities</id>
+    <label>Enable capabilities</label>
+    <type>select_multiple</type>
+    <advanced>true</advanced>
+    <help>Allow this neighbor to negotiate additional capabilities with its peer.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
   <field>
     <id>neighbor.linkedPrefixlistIn</id>
     <label>Prefix-List In</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 471c26c1b5..c6a49ffdee 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -139,6 +139,15 @@
                         <med>med</med>
                     </OptionValues>
                 </attributeunchanged>
+                <capabilities type="OptionField">
+                    <OptionValues>
+                        <extended-nexthop>extended-nexthop</extended-nexthop>
+                        <dynamic>dynamic</dynamic>
+                        <fqdn>fqdn</fqdn>
+                        <link-local>link-local</link-local>
+                    </OptionValues>
+                    <Multiple>Y</Multiple>
+                </capabilities>
                 <linkedPrefixlistIn type="ModelRelationField">
                     <Model>
                         <template>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 56a117cf30..c280332f21 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -149,6 +149,11 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'connecttimer' in neighbor and neighbor.connecttimer != '' %}
  neighbor {{ neighbor.address }} timers connect {{ neighbor.connecttimer }}
 {%         endif %}
+{%         if 'capabilities' in neighbor and neighbor.capabilities %}
+{%           for capability in neighbor.capabilities.split(',') %}
+ neighbor {{ neighbor.address }} capability {{ capability }}
+{%           endfor %}
+{%         endif %}
 {%         if 'attributeunchanged' in neighbor and neighbor.attributeunchanged != '' %}
  neighbor {{ neighbor.address }} attribute-unchanged {{ neighbor.attributeunchanged }}
 {%         endif %}

From af86f322cd937f6744b589e2d770d391751f4e4d Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Tue, 13 Jan 2026 09:10:49 +0100
Subject: [PATCH 2848/3088] net/frr: Changelog for v1.50 (#5133)

* net/frr: Changelog for v1.50

* Fix a helptext to be more generic and one string.

* Remove private AS should be advanced
---
 net/frr/pkg-descr                                    | 12 +++++++-----
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml  |  4 ++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index fe335aa280..311843b090 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -14,15 +14,17 @@ Plugin Changelog
 
 1.50
 
-* Add BGP remove-private-AS (opnsense/plugins/issues/5038)
+* Add BGP remove-private-AS (contributed by rfrederick) (opnsense/plugins/pull/5090)
+* Fix watchfrr service handling (contributed by Andy Binder) (opnsense/plugins/pull/4712 and 5132)
+* Add capability support for BGP neighbors (contributed by Shelldog95) (opnsense/plugins/pull/5128)
+* Prevent errors in diagnostics view when a frr daemon is not started (opnsense/plugins/pull/5119)
 
 1.49
 
-* Add hint about service reload / restart behaviour
-* Fix SNMP OSPF argument flags in RC configuration file
-* Fix STATIC template interface issue
+* Add hint about service reload / restart behaviour (opnsense/plugins/pull/5022)
+* Fix SNMP OSPF argument flags in RC configuration file (opnsense/plugins/pull/5025)
+* Fix STATIC template interface issue (opnsense/plugins/pull/5019)
 * Replace shell_exec() with mwexecfm()
-* Prevent errors in diagnostics view when a frr daemon is not started
 
 1.48
 
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index fd6e4f2c34..7b1a679148 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -221,8 +221,8 @@
     <id>neighbor.removeprivateas</id>
     <label>Remove Private AS</label>
     <type>dropdown</type>
-    <help>Remove Private AS: Remove Private ASNs in outbound updates. Remove All AS: Remove all ASNs in outbound updates. Replace Priva
-te AS: Replace private ASNs with our ASN in outbound updates. Replace All AS: Replace all ASNs with our ASN in outbound updates.</help>
+    <advanced>true</advanced>
+    <help>Configure how ASNs are propagated in outbound updates. Depending on selection, they can be removed or replaced.</help>
     <grid_view>
       <visible>false</visible>
     </grid_view>

From 764f2d977ba3840abbc477858886eaf7abeaea0e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jan 2026 12:36:26 +0100
Subject: [PATCH 2849/3088] LICENSE: sync

---
 LICENSE | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/LICENSE b/LICENSE
index f3f0d44d1f..df10b90436 100644
--- a/LICENSE
+++ b/LICENSE
@@ -4,7 +4,10 @@ Copyright (c) 2022 agh1467 <agh1467@protonmail.com>
 Copyright (c) 2024 Alex Smith
 Copyright (c) 2021 Alexander Noack
 Copyright (c) 2021 Andreas Stuerz
+Copyright (c) 2025 Andy Binder <AndyBinder@gmx.de>
+Copyright (c) 2024 AnShen <root@lshell.com>
 Copyright (c) 2025 Anton Avramov
+Copyright (c) 2025 Arcan Consulting (www.arcan-it.de)
 Copyright (c) 2021 Axelrtgs
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>

From 23997fecc1bb9bb3937bd3798ea1e158bbfc5855 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jan 2026 12:36:36 +0100
Subject: [PATCH 2850/3088] net/isc-dhcp: add plugin for legacy code

---
 README.md              | 1 +
 net/isc-dhcp/Makefile  | 8 ++++++++
 net/isc-dhcp/pkg-descr | 7 +++++++
 3 files changed, 16 insertions(+)
 create mode 100644 net/isc-dhcp/Makefile
 create mode 100644 net/isc-dhcp/pkg-descr

diff --git a/README.md b/README.md
index d27df73964..6ebc497928 100644
--- a/README.md
+++ b/README.md
@@ -55,6 +55,7 @@ net/ftp-proxy -- Control ftp-proxy processes
 net/google-cloud-sdk -- Google Cloud SDK
 net/haproxy -- Reliable, high performance TCP/HTTP load balancer
 net/igmp-proxy -- IGMP-Proxy Service (not maintained)
+net/isc-dhcp -- ISC DHCPv4/v6 server
 net/mdns-repeater -- Proxy multicast DNS between networks
 net/ndp-proxy-go -- IPv6 Neighbor Discovery Protocol (NDP) Proxy
 net/ndproxy -- Neighbor Discovery Proxy
diff --git a/net/isc-dhcp/Makefile b/net/isc-dhcp/Makefile
new file mode 100644
index 0000000000..d89716ef0a
--- /dev/null
+++ b/net/isc-dhcp/Makefile
@@ -0,0 +1,8 @@
+PLUGIN_NAME=		isc-dhcp
+PLUGIN_VERSION=		0.1
+PLUGIN_COMMENT=		ISC DHCPv4/v6 server
+PLUGIN_DEPENDS=		isc-dhcp44-server
+PLUGIN_MAINTAINER=	franco@opnsense.org
+PLUGIN_TIER=		2
+
+.include "../../Mk/plugins.mk"
diff --git a/net/isc-dhcp/pkg-descr b/net/isc-dhcp/pkg-descr
new file mode 100644
index 0000000000..1e3fb4a211
--- /dev/null
+++ b/net/isc-dhcp/pkg-descr
@@ -0,0 +1,7 @@
+The ISC Dynamic Host Configuration Protocol Distribution provides a
+freely redistributable reference implementation of all aspects of the
+DHCP protocol.
+
+This plugin implements the DHCPv4 and DHCPv6 server in OPNsense, which
+used to be the standard implementation of DHCP until better alternatives
+such as Dnsmasq and Kea were supplied.

From 50d93374eed402eede93a08c18a4ac527c6ae1c1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jan 2026 13:29:22 +0100
Subject: [PATCH 2851/3088] net/isc-dhcp: start adding the files

PR: https://github.com/opnsense/core/issues/9155
---
 LICENSE                                       |    2 +-
 net/isc-dhcp/src/etc/dhcpd.opnsense.d/README  |    1 +
 net/isc-dhcp/src/etc/dhcpd6.opnsense.d/README |    1 +
 .../src/etc/inc/plugins.inc.d/dhcpd.inc       | 1319 +++++++++++++++++
 .../OPNsense/DHCPv4/Api/LeasesController.php  |  205 +++
 .../OPNsense/DHCPv4/Api/ServiceController.php |   50 +
 .../OPNsense/DHCPv4/LeasesController.php      |   39 +
 .../OPNsense/DHCPv6/Api/LeasesController.php  |  272 ++++
 .../OPNsense/DHCPv6/Api/ServiceController.php |   50 +
 .../OPNsense/DHCPv6/LeasesController.php      |   39 +
 .../mvc/app/views/OPNsense/DHCPv4/leases.volt |  182 +++
 .../mvc/app/views/OPNsense/DHCPv6/leases.volt |  221 +++
 net/isc-dhcp/src/www/services_dhcp.php        | 1218 +++++++++++++++
 net/isc-dhcp/src/www/services_dhcp_edit.php   |  509 +++++++
 net/isc-dhcp/src/www/services_dhcpv6.php      |  901 +++++++++++
 net/isc-dhcp/src/www/services_dhcpv6_edit.php |  273 ++++
 16 files changed, 5281 insertions(+), 1 deletion(-)
 create mode 100644 net/isc-dhcp/src/etc/dhcpd.opnsense.d/README
 create mode 100644 net/isc-dhcp/src/etc/dhcpd6.opnsense.d/README
 create mode 100644 net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/Api/LeasesController.php
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/Api/ServiceController.php
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/LeasesController.php
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/Api/LeasesController.php
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/Api/ServiceController.php
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/LeasesController.php
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/views/OPNsense/DHCPv4/leases.volt
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/views/OPNsense/DHCPv6/leases.volt
 create mode 100644 net/isc-dhcp/src/www/services_dhcp.php
 create mode 100644 net/isc-dhcp/src/www/services_dhcp_edit.php
 create mode 100644 net/isc-dhcp/src/www/services_dhcpv6.php
 create mode 100644 net/isc-dhcp/src/www/services_dhcpv6_edit.php

diff --git a/LICENSE b/LICENSE
index df10b90436..86260d122a 100644
--- a/LICENSE
+++ b/LICENSE
@@ -79,7 +79,7 @@ Copyright (c) 2025 Renat Gorbushin
 Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2023 sattamjh
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
-Copyright (c) 2010 Seth Mos <seth.mos@dds.nl>
+Copyright (c) 2010-2011 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2024 Sheridan Computers
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2018 Smart-Soft
diff --git a/net/isc-dhcp/src/etc/dhcpd.opnsense.d/README b/net/isc-dhcp/src/etc/dhcpd.opnsense.d/README
new file mode 100644
index 0000000000..236e6b01b3
--- /dev/null
+++ b/net/isc-dhcp/src/etc/dhcpd.opnsense.d/README
@@ -0,0 +1 @@
+OPNsense: automatically included dhcpd.conf files for IPv4.
diff --git a/net/isc-dhcp/src/etc/dhcpd6.opnsense.d/README b/net/isc-dhcp/src/etc/dhcpd6.opnsense.d/README
new file mode 100644
index 0000000000..1bf81ac229
--- /dev/null
+++ b/net/isc-dhcp/src/etc/dhcpd6.opnsense.d/README
@@ -0,0 +1 @@
+OPNsense: automatically included dhcpd.conf files for IPv6.
diff --git a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
new file mode 100644
index 0000000000..c8931d919f
--- /dev/null
+++ b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
@@ -0,0 +1,1319 @@
+<?php
+
+/*
+ * Copyright (C) 2014-2025 Franco Fichtner <franco@opnsense.org>
+ * Copyright (C) 2010 Ermal Luçi
+ * Copyright (C) 2005-2006 Colin Smith <ethethlay@gmail.com>
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function dhcpd_configure()
+{
+    return [
+        'dhcp' => ['dhcpd_dhcp_configure:3'],
+        'local' => ['dhcpd_dhcp_configure'],
+    ];
+}
+
+function dhcpd_run()
+{
+    return [
+        'static_mapping' => 'dhcpd_staticmap',
+    ];
+}
+
+function dhcpd_syslog()
+{
+    return ['dhcpd' => ['facility' => ['dhcpd']]];
+}
+
+function dhcpd_dhcpv6_enabled()
+{
+    global $config;
+
+    $explicit_off = [];
+
+    /* handle manually configured DHCP6 server settings first */
+    foreach (config_read_array('dhcpdv6') as $dhcpv6if => $dhcpv6ifconf) {
+        if (isset($config['interfaces'][$dhcpv6if]['enable']) && isset($dhcpv6ifconf['enable'])) {
+            if ($dhcpv6ifconf['enable'] == '-1') {
+                $explicit_off[] = $dhcpv6if;
+            } else {
+                return true;
+            }
+        }
+    }
+
+    /* handle DHCP-PD prefixes and 6RD dynamic interfaces */
+    foreach (legacy_config_get_interfaces(['virtual' => false]) as $ifnm => $ifcfg) {
+        if (in_array($ifnm, $explicit_off)) {
+            continue;
+        }
+        if (isset($ifcfg['enable']) && ($ifcfg['ipaddrv6'] ?? 'none') == 'track6' && !isset($ifcfg['dhcpd6track6allowoverride'])) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
+function dhcpd_dhcpv4_enabled()
+{
+    global $config;
+
+    foreach (config_read_array('dhcpd') as $dhcpif => $dhcpifconf) {
+        if (isset($dhcpifconf['enable']) && !empty($config['interfaces'][$dhcpif])) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
+function dhcpd_services()
+{
+    $services = [];
+
+    if (dhcpd_dhcpv4_enabled()) {
+        $pconfig = [];
+        $pconfig['name'] = 'dhcpd';
+        $pconfig['description'] = gettext('ISC DHCPv4 Server');
+        $pconfig['php']['restart'] = ['dhcpd_dhcp4_configure'];
+        $pconfig['php']['start'] = ['dhcpd_dhcp4_configure'];
+        $pconfig['pidfile'] = '/var/dhcpd/var/run/dhcpd.pid';
+        $services[] = $pconfig;
+    }
+
+    if (dhcpd_dhcpv6_enabled()) {
+        $pconfig = [];
+        $pconfig['name'] = 'dhcpd6';
+        $pconfig['description'] = gettext('ISC DHCPv6 Server');
+        $pconfig['php']['restart'] = ['dhcpd_dhcp6_configure'];
+        $pconfig['php']['start'] = ['dhcpd_dhcp6_configure'];
+        $pconfig['pidfile'] = '/var/dhcpd/var/run/dhcpdv6.pid';
+        $services[] = $pconfig;
+    }
+
+    return $services;
+}
+
+function dhcpd_xmlrpc_sync()
+{
+    $result = [];
+
+    $result[] = [
+        'description' => gettext('ISC DHCPv4'),
+        'help' => gettext('Synchronize the DHCP Server settings over to the other HA host.'),
+        'section' => 'dhcpd',
+        'id' => 'dhcpd',
+        'services' => ['dhcpd'],
+    ];
+
+    $result[] = [
+        'description' => gettext('ISC DHCPv6'),
+        'help' => gettext('Synchronize DHCPv6 Server settings over to the other HA host.'),
+        'section' => 'dhcpdv6',
+        'id' => 'dhcpdv6',
+        'services' => ['dhcpdv6'],
+    ];
+
+    return $result;
+}
+
+function dhcpd_dhcp_configure($verbose = false, $family = null, $ignorelist = [])
+{
+    $dirs = ['/dev', '/etc', '/lib', '/run', '/usr', '/usr/local/sbin', '/var/db', '/var/run'];
+
+    foreach ($dirs as $dir) {
+        mwexecf('/bin/mkdir -p %s', "/var/dhcpd{$dir}");
+    }
+
+    if (mwexecfm('/sbin/mount -uw %s', '/var/dhcpd/dev')) {
+        mwexecf('/sbin/mount -t devfs devfs %s', '/var/dhcpd/dev');
+    }
+
+    mwexecf('/usr/sbin/chown -R dhcpd:dhcpd %s', '/var/dhcpd');
+
+    if ($family == null || $family == 'inet') {
+        dhcpd_dhcp4_configure($verbose);
+    }
+
+    if ($family == null || $family == 'inet6') {
+        dhcpd_dhcp6_configure($verbose, $ignorelist);
+    }
+}
+
+function dhcpd_dhcp4_configure($verbose = false)
+{
+    global $config;
+
+    $need_ddns_updates = false;
+    $ddns_zones = [];
+
+    if (!dhcpd_dhcpv4_enabled()) {
+        /* XXX dhcpd_staticarp() does not care to disable either way */
+        killbypid('/var/dhcpd/var/run/dhcpd.pid');
+        return;
+    }
+
+    service_log('Starting DHCPv4 service...', $verbose);
+
+    killbypid('/var/dhcpd/var/run/dhcpd.pid');
+
+    /* Only consider DNS servers with IPv4 addresses for the IPv4 DHCP server. */
+    $dns_arrv4 = [];
+    if (!empty($config['system']['dnsserver'][0])) {
+        foreach ($config['system']['dnsserver'] as $dnsserver) {
+            if (is_ipaddrv4($dnsserver)) {
+                $dns_arrv4[] = $dnsserver;
+            }
+        }
+    }
+
+    $custoptions = "";
+    $ifconfig_details = legacy_interfaces_details();
+    foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) {
+        if (isset($dhcpifconf['numberoptions']['item'])) {
+            foreach ($dhcpifconf['numberoptions']['item'] as $itemidx => $item) {
+                if (!empty($item['type'])) {
+                    $itemtype = $item['type'];
+                } else {
+                    $itemtype = "text";
+                }
+                $custoptions .= "option custom-{$dhcpif}-{$itemidx} code {$item['number']} = {$itemtype};\n";
+            }
+        }
+    }
+    $dhcpdconf = <<<EOD
+option domain-name "{$config['system']['domain']}";
+option ldap-server code 95 = text;
+option arch code 93 = unsigned integer 16; # RFC4578
+option pac-webui code 252 = text;
+{$custoptions}
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+ping-check true;
+update-conflict-detection false;
+authoritative;
+
+EOD;
+
+    $omapi_added = false;
+    $dhcpdifs = [];
+
+    /*
+     * loop through and determine if we need
+     * to setup failover peer "bleh" entries
+     */
+    foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) {
+        dhcpd_staticarp($dhcpif, $ifconfig_details);
+
+        if (!isset($dhcpifconf['enable'])) {
+            continue;
+        }
+
+        if (!empty($dhcpifconf['failover_peerip'])) {
+            $intip = get_interface_ip($dhcpif, $ifconfig_details);
+            $failover_primary = false;
+            if (!empty($config['virtualip']['vip'])) {
+                foreach ($config['virtualip']['vip'] as $vipent) {
+                    if ($vipent['interface'] == $dhcpif) {
+                        $carp_nw = gen_subnet($vipent['subnet'], $vipent['subnet_bits']);
+                        if (ip_in_subnet($dhcpifconf['failover_peerip'], "{$carp_nw}/{$vipent['subnet_bits']}")) {
+                            /* this is the interface! */
+                            if (is_numeric($vipent['advskew']) && (intval($vipent['advskew']) < 20)) {
+                                $failover_primary = true;
+                            }
+                            break;
+                        }
+                    }
+                }
+            } else {
+                log_msg("DHCP failover set up on {$dhcpif} but no CARP virtual IPs defined!", LOG_WARNING);
+            }
+            $dhcpdconf_pri = "";
+            if ($failover_primary) {
+                $my_port = "519";
+                $peer_port = "520";
+                $type = "primary";
+                $dhcpdconf_pri  = "split 128;\n";
+                if (isset($dhcpifconf['failover_split'])) {
+                    $dhcpdconf_pri  = "split {$dhcpifconf['failover_split']};\n";
+                }
+                $dhcpdconf_pri .= "  mclt 600;\n";
+            } else {
+                $type = "secondary";
+                $my_port = "520";
+                $peer_port = "519";
+            }
+
+            if (is_ipaddrv4($intip)) {
+                $dhcpdconf .= <<<EOPP
+failover peer "dhcp_{$dhcpif}" {
+  {$type};
+  address {$intip};
+  port {$my_port};
+  peer address {$dhcpifconf['failover_peerip']};
+  peer port {$peer_port};
+  max-response-delay 10;
+  max-unacked-updates 10;
+  {$dhcpdconf_pri}
+  load balance max seconds 3;
+}
+\n
+EOPP;
+            }
+        }
+    }
+
+    $iflist = get_configured_interface_with_descr();
+
+    foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) {
+        if (!isset($dhcpifconf['enable']) || !isset($iflist[$dhcpif])) {
+            continue;
+        }
+
+        list ($ifcfgip, $ifcfgnet, $ifcfgsn) = interfaces_primary_address($dhcpif, $ifconfig_details);
+        if (!is_ipaddrv4($ifcfgip) || !is_subnetv4($ifcfgnet)) {
+            $device = get_real_interface($dhcpif);
+            log_msg("dhcpd_dhcp4_configure() found no suitable IPv4 address on {$dhcpif}({$device})", LOG_WARNING);
+            continue;
+        }
+
+        $subnetmask = gen_subnet_mask($ifcfgsn);
+        $subnet = explode('/', $ifcfgnet)[0];
+
+        $all_pools = [];
+        $all_pools[] = $dhcpifconf;
+        if (!empty($dhcpifconf['pool'])) {
+            $all_pools = array_merge($all_pools, $dhcpifconf['pool']);
+        }
+
+        $dnscfg = "";
+
+        if (!empty($dhcpifconf['domain'])) {
+            $dnscfg .= "  option domain-name \"{$dhcpifconf['domain']}\";\n";
+        }
+
+        if (!empty($dhcpifconf['domainsearchlist'])) {
+            $dnscfg .= "  option domain-search \"" . join("\",\"", preg_split("/[ ;]+/", $dhcpifconf['domainsearchlist'])) . "\";\n";
+        }
+
+        $newzone = [];
+
+        if (isset($dhcpifconf['ddnsupdate'])) {
+            $need_ddns_updates = true;
+            if (!empty($dhcpifconf['ddnsdomain'])) {
+                $newzone['domain-name'] = $dhcpifconf['ddnsdomain'];
+                $dnscfg .= "  ddns-domainname \"{$dhcpifconf['ddnsdomain']}\";\n";
+            } else {
+                $newzone['domain-name'] = $config['system']['domain'];
+            }
+            $revsubnet = array_reverse(explode(".", $subnet));
+            $subnetmask_rev = array_reverse(explode('.', $subnetmask));
+            foreach ($subnetmask_rev as $octet) {
+                if ($octet == "0") {
+                    array_shift($revsubnet);
+                }
+            }
+            $newzone['ptr-domain'] = implode(".", $revsubnet) . ".in-addr.arpa";
+        }
+
+        if (!empty($dhcpifconf['dnsserver'][0])) {
+            $dnscfg .= "  option domain-name-servers " . join(",", $dhcpifconf['dnsserver']) . ";";
+            if (!empty($newzone['domain-name'])) {
+                $newzone['dns-servers'] = $dhcpifconf['dnsserver'];
+            }
+        } elseif (!empty(service_by_filter(['dns_ports' => '53']))) {
+            $dnscfg .= "  option domain-name-servers {$ifcfgip};";
+            if (!empty($newzone['domain-name'])) {
+                $newzone['dns-servers'] = [$ifcfgip];
+            }
+        } elseif (!empty($dns_arrv4)) {
+            $dnscfg .= "  option domain-name-servers " . join(",", $dns_arrv4) . ";";
+            if (!empty($newzone['domain-name'])) {
+                $newzone['dns-servers'] = $dns_arrv4;
+            }
+        }
+
+        /*
+         * Create classes - These all contain comma-separated lists.
+         * Join them into one big comma-separated string then split
+         * them all up.
+         */
+        $all_mac_strings = [];
+        foreach ($all_pools as $poolconf) {
+            if (!empty($poolconf['mac_allow'])) {
+                $all_mac_strings[] = $poolconf['mac_allow'];
+            }
+            if (!empty($poolconf['mac_deny'])) {
+                $all_mac_strings[] = $poolconf['mac_deny'];
+            }
+        }
+        $all_mac_list = array_unique(explode(',', implode(',', $all_mac_strings)));
+        foreach ($all_mac_list as $mac) {
+            if (!empty($mac)) {
+                $dhcpdconf .= 'class "' . str_replace(':', '', $mac) . '" {' . "\n";
+                // Skip the first octet of the MAC address - for media type, typically Ethernet ("01") and match the rest.
+                $dhcpdconf .= '  match if substring (hardware, 1, ' . (substr_count($mac, ':') + 1) . ') = ' . $mac . ';' . "\n";
+                $dhcpdconf .= '}' . "\n";
+            }
+        }
+
+        $dhcpdconf .= "\nsubnet {$subnet} netmask {$subnetmask} {\n";
+
+        // Setup pool options
+        foreach ($all_pools as $poolconf) {
+            $dhcpdconf .= "  pool {\n";
+            if (!empty($poolconf['dnsserver'][0])) {
+                $dhcpdconf .= '    option domain-name-servers ' . join(',', $poolconf['dnsserver']) . ";\n";
+            }
+
+            /* allow/deny MACs */
+            if (!empty($poolconf['mac_allow'])) {
+                $mac_allow_list = array_unique(explode(',', $poolconf['mac_allow']));
+                foreach ($mac_allow_list as $mac) {
+                    if (!empty($mac)) {
+                        $dhcpdconf .= "    allow members of \"" . str_replace(':', '', $mac) . "\";\n";
+                    }
+                }
+            }
+            if (!empty($poolconf['mac_deny'])) {
+                $mac_deny_list = array_unique(explode(',', $poolconf['mac_deny']));
+                foreach ($mac_deny_list as $mac) {
+                    if (!empty($mac)) {
+                        $dhcpdconf .= "    deny members of \"" . str_replace(':', '', $mac) . "\";\n";
+                    }
+                }
+            }
+
+            if (!empty($poolconf['failover_peerip'])) {
+                $dhcpdconf .= "    deny dynamic bootp clients;\n";
+            }
+
+            if (isset($poolconf['denyunknown'])) {
+                $dhcpdconf .= "    deny unknown-clients;\n";
+            }
+
+            if (isset($poolconf['ignoreuids'])) {
+                $dhcpdconf .= "    ignore-client-uids true;\n";
+            }
+
+            if (
+                !empty($poolconf['gateway']) && $poolconf['gateway'] != "none"
+                && (empty($dhcpifconf['gateway']) || $poolconf['gateway'] != $dhcpifconf['gateway'])
+            ) {
+                $dhcpdconf .= "    option routers {$poolconf['gateway']};\n";
+            }
+
+            if (!empty($dhcpifconf['failover_peerip'])) {
+                $dhcpdconf .= "    failover peer \"dhcp_{$dhcpif}\";\n";
+            }
+
+            if (
+                !empty($poolconf['domain'])
+                && (empty($dhcpifconf['domain']) || $poolconf['domain'] != $dhcpifconf['domain'])
+            ) {
+                $dhcpdconf .= "    option domain-name \"{$poolconf['domain']}\";\n";
+            }
+
+            if (
+                !empty($poolconf['domainsearchlist'])
+                && (empty($dhcpifconf['domainsearchlist']) || $poolconf['domainsearchlist'] != $dhcpifconf['domainsearchlist'])
+            ) {
+                $dhcpdconf .= "    option domain-search \"" . join("\",\"", preg_split("/[ ;]+/", $poolconf['domainsearchlist'])) . "\";\n";
+            }
+
+            if (isset($poolconf['ddnsupdate'])) {
+                if (
+                    !empty($poolconf['ddnsdomain'])
+                    && (empty($dhcpifconf['ddnsdomain']) || $poolconf['ddnsdomain'] != $dhcpifconf['ddnsdomain'])
+                ) {
+                    $dhcpdconf .= "    ddns-domainname \"{$poolconf['ddnsdomain']}\";\n";
+
+                    $newddnszone = [];
+                    $newddnszone['domain-name'] = $poolconf['ddnsdomain'];
+                    $newddnszone['dns-servers'] = array($poolconf['ddnsdomainprimary']);
+                    $newddnszone['ddnsdomainkeyname'] = $poolconf['ddnsdomainkeyname'] ?? '';
+                    $newddnszone['ddnsdomainkey'] = $poolconf['ddnsdomainkey'] ?? '';
+                    $newddnszone['ddnsdomainalgorithm'] = !empty($poolconf['ddnsdomainalgorithm']) ? $poolconf['ddnsdomainalgorithm'] : "hmac-md5";
+                    $ddns_zones[] = $newddnszone;
+                }
+            }
+
+            // default-lease-time
+            if (
+                !empty($poolconf['defaultleasetime'])
+                && (empty($dhcpifconf['defaultleasetime']) || $poolconf['defaultleasetime'] != $dhcpifconf['defaultleasetime'])
+            ) {
+                $dhcpdconf .= "    default-lease-time {$poolconf['defaultleasetime']};\n";
+            }
+
+            // max-lease-time
+            if (
+                !empty($poolconf['maxleasetime'])
+                && (empty($dhcpifconf['maxleasetime']) || $poolconf['maxleasetime'] != $dhcpifconf['maxleasetime'])
+            ) {
+                $dhcpdconf .= "    max-lease-time {$poolconf['maxleasetime']};\n";
+            }
+            // interface MTU
+            if (
+                !empty($poolconf['interface_mtu'])
+                && (empty($dhcpifconf['interface_mtu']) || $poolconf['interface_mtu'] != $dhcpifconf['interface_mtu'])
+            ) {
+                $dhcpdconf .= "    option interface-mtu {$poolconf['interface_mtu']};\n";
+            }
+
+            // netbios-name*
+            if (
+                !empty($poolconf['winsserver'][0])
+                && (empty($dhcpifconf['winsserver'][0]) || $poolconf['winsserver'][0] != $dhcpifconf['winsserver'][0])
+            ) {
+                $dhcpdconf .= "    option netbios-name-servers " . join(",", $poolconf['winsserver']) . ";\n";
+                $dhcpdconf .= "    option netbios-node-type 8;\n";
+            }
+
+            // ntp-servers
+            if (
+                !empty($poolconf['ntpserver'][0])
+                && (empty($dhcpifconf['ntpserver'][0]) || $poolconf['ntpserver'][0] != $dhcpifconf['ntpserver'][0])
+            ) {
+                $dhcpdconf .= "    option ntp-servers " . join(",", $poolconf['ntpserver']) . ";\n";
+            }
+
+            // tftp-server-name
+            if (!empty($poolconf['tftp']) && (empty($dhcpifconf['tftp']) || $poolconf['tftp'] != $dhcpifconf['tftp'])) {
+                $dhcpdconf .= "    option tftp-server-name \"{$poolconf['tftp']}\";\n";
+
+                // bootfile-name
+                if (!empty($poolconf['bootfilename']) && (empty($dhcpifconf['bootfilename']) || $poolconf['bootfilename'] != $dhcpifconf['bootfilename'])) {
+                    $dhcpdconf .= "    option bootfile-name \"{$poolconf['bootfilename']}\";\n";
+                }
+            }
+
+            // ldap-server
+            if (!empty($poolconf['ldap']) && (empty($dhcpifconf['ldap']) || $poolconf['ldap'] != $dhcpifconf['ldap'])) {
+                $dhcpdconf .= "    option ldap-server \"{$poolconf['ldap']}\";\n";
+            }
+
+            // net boot information
+            if (isset($poolconf['netboot'])) {
+                if (!empty($poolconf['nextserver']) && (empty($dhcpifconf['nextserver']) || $poolconf['nextserver'] != $dhcpifconf['nextserver'])) {
+                    $dhcpdconf .= "    next-server {$poolconf['nextserver']};\n";
+                }
+                if (!empty($poolconf['filename']) && (empty($dhcpifconf['filename']) || $poolconf['filename'] != $dhcpifconf['filename'])) {
+                    $dhcpdconf .= "    filename \"{$poolconf['filename']}\";\n";
+                }
+                if (!empty($poolconf['rootpath']) && (empty($dhcpifconf['rootpath']) || $poolconf['rootpath'] != $dhcpifconf['rootpath'])) {
+                    $dhcpdconf .= "    option root-path \"{$poolconf['rootpath']}\";\n";
+                }
+            }
+            $dhcpdconf .= "    range {$poolconf['range']['from']} {$poolconf['range']['to']};\n";
+            $dhcpdconf .= "  }\n\n";
+        }
+        // End of settings inside pools
+
+        if (!empty($dhcpifconf['gateway'])) {
+            $routers = $dhcpifconf['gateway'] != "none" ? $dhcpifconf['gateway'] : null;
+        } else {
+            // by default, add interface address in "option routers"
+            $routers = $ifcfgip;
+        }
+        if (!empty($routers)) {
+            $dhcpdconf .= "  option routers {$routers};\n";
+        }
+
+        $dhcpdconf .= <<<EOD
+$dnscfg
+
+EOD;
+        // default-lease-time
+        if (!empty($dhcpifconf['defaultleasetime'])) {
+            $dhcpdconf .= "  default-lease-time {$dhcpifconf['defaultleasetime']};\n";
+        }
+
+        // max-lease-time
+        if (!empty($dhcpifconf['maxleasetime'])) {
+            $dhcpdconf .= "  max-lease-time {$dhcpifconf['maxleasetime']};\n";
+        }
+
+        // min-secs
+        if (!empty($dhcpifconf['minsecs'])) {
+            $dhcpdconf .= "  min-secs {$dhcpifconf['minsecs']};\n";
+        }
+
+        // interface MTU
+        if (!empty($dhcpifconf['interface_mtu'])) {
+            $dhcpdconf .= "  option interface-mtu {$dhcpifconf['interface_mtu']};\n";
+        }
+
+        // netbios-name*
+        if (!empty($dhcpifconf['winsserver'][0])) {
+            $dhcpdconf .= "  option netbios-name-servers " . join(",", $dhcpifconf['winsserver']) . ";\n";
+            $dhcpdconf .= "  option netbios-node-type 8;\n";
+        }
+
+        // ntp-servers
+        if (!empty($dhcpifconf['ntpserver'][0])) {
+            $dhcpdconf .= "  option ntp-servers " . join(",", $dhcpifconf['ntpserver']) . ";\n";
+        }
+
+        // tftp-server-name
+        if (!empty($dhcpifconf['tftp'])) {
+            $dhcpdconf .= "  option tftp-server-name \"{$dhcpifconf['tftp']}\";\n";
+
+            // bootfile-name
+            if (!empty($dhcpifconf['bootfilename'])) {
+                $dhcpdconf .= "  option bootfile-name \"{$dhcpifconf['bootfilename']}\";\n";
+            }
+        }
+
+        // add pac url if it applies
+        if (isset($dhcpifconf['wpad']) && !empty($config['system']['hostname']) && !empty($config['system']['domain'])) {
+            $protocol = !empty($config['system']['webgui']['protocol']) ? $config['system']['webgui']['protocol'] : 'https';
+            // take hostname from system settings - it can be used to be resolved to anything based on client IP
+            $host = implode('.', array('wpad', $config['system']['domain']));
+            $default_port = (isset($config['system']['webgui']['protocol']) && $config['system']['webgui']['protocol'] == 'https') ? 443 : 80;
+            $port = !empty($config['system']['webgui']['port']) ? $config['system']['webgui']['port'] : $default_port;
+            $webui_url = "$protocol://$host:$port/wpad.dat";
+
+            $dhcpdconf .= "  option pac-webui \"$webui_url\";\n";
+        }
+
+        // Handle option, number rowhelper values
+        if (isset($dhcpifconf['numberoptions']['item'])) {
+            $dhcpdconf .= "\n";
+            foreach ($dhcpifconf['numberoptions']['item'] as $itemidx => $item) {
+                if (empty($item['type']) || $item['type'] == "text") {
+                    $dhcpdconf .= "  option custom-{$dhcpif}-{$itemidx} \"{$item['value']}\";\n";
+                } else {
+                    $dhcpdconf .= "  option custom-{$dhcpif}-{$itemidx} {$item['value']};\n";
+                }
+            }
+        }
+
+        // ldap-server
+        if (!empty($dhcpifconf['ldap'])) {
+            $dhcpdconf .= "  option ldap-server \"{$dhcpifconf['ldap']}\";\n";
+        }
+
+        // net boot information
+        if (isset($dhcpifconf['netboot'])) {
+            if (!empty($dhcpifconf['nextserver'])) {
+                $dhcpdconf .= "  next-server {$dhcpifconf['nextserver']};\n";
+            }
+
+            $conditional = false;
+            $filemap = [
+                '00:06' => 'filename32',
+                '00:07' => 'filename64',
+                '00:09' => 'filename64',
+                '00:0a' => 'filename32arm',
+                '00:0b' => 'filename64arm',
+            ];
+
+            if (!empty($dhcpifconf['filenameipxe'])) {
+                $dhcpdconf .= "  if exists user-class and option user-class = \"iPXE\" {\n";
+                $dhcpdconf .= "    filename \"{$dhcpifconf['filenameipxe']}\";\n";
+                $dhcpdconf .= "  }";
+                $conditional = true;
+            }
+
+            foreach ($filemap as $arch => $file) {
+                if (empty($dhcpifconf[$file])) {
+                    continue;
+                }
+
+                $dhcpdconf .= $conditional ? ' else ' : '  ';
+                $dhcpdconf .= "if option arch = {$arch} {\n";
+                $dhcpdconf .= "    filename \"{$dhcpifconf[$file]}\";\n";
+                $dhcpdconf .= "  }";
+
+                $conditional = true;
+            }
+
+            if ($conditional) {
+                if (!empty($dhcpifconf['filename'])) {
+                    $dhcpdconf .= "  else {\n";
+                    $dhcpdconf .= "    filename \"{$dhcpifconf['filename']}\";\n";
+                    $dhcpdconf .= "  }";
+                }
+                $dhcpdconf .= "\n";
+            } elseif (!empty($dhcpifconf['filename'])) {
+                $dhcpdconf .= "  filename \"{$dhcpifconf['filename']}\";\n";
+            }
+
+            if (!empty($dhcpifconf['rootpath'])) {
+                $dhcpdconf .= "  option root-path \"{$dhcpifconf['rootpath']}\";\n";
+            }
+        }
+
+        $dhcpdconf .= <<<EOD
+}
+
+EOD;
+
+        /* add static mappings */
+        if (!empty($dhcpifconf['staticmap'])) {
+            foreach ($dhcpifconf['staticmap'] as $i => $sm) {
+                $dhcpdconf .= "\nhost s_{$dhcpif}_{$i} {\n";
+                if (!empty($sm['mac'])) {
+                    $dhcpdconf .= "  hardware ethernet {$sm['mac']};\n";
+                }
+
+                if (!empty($sm['cid'])) {
+                    $dhcpdconf .= "  option dhcp-client-identifier \"{$sm['cid']}\";\n";
+                }
+
+                if (!empty($sm['ipaddr'])) {
+                    $dhcpdconf .= "  fixed-address {$sm['ipaddr']};\n";
+                }
+
+                if (!empty($sm['hostname'])) {
+                    $dhhostname = str_replace(" ", "_", $sm['hostname']);
+                    $dhhostname = str_replace(".", "_", $dhhostname);
+                    $dhcpdconf .= "  option host-name \"{$dhhostname}\";\n";
+                    if ($need_ddns_updates) {
+                        $dhcpdconf .= "  ddns-hostname \"{$dhhostname}\";\n";
+                    }
+                    $dhcpdconf .= "  set hostname-override = config-option host-name;\n";
+                }
+                if (!empty($sm['filename'])) {
+                    $dhcpdconf .= "  filename \"{$sm['filename']}\";\n";
+                }
+
+                if (!empty($sm['rootpath'])) {
+                    $dhcpdconf .= "  option root-path \"{$sm['rootpath']}\";\n";
+                }
+
+                if (!empty($sm['gateway']) && $sm['gateway'] != "none" && (empty($dhcpifconf['gateway']) || $sm['gateway'] != $dhcpifconf['gateway'])) {
+                    $dhcpdconf .= "  option routers {$sm['gateway']};\n";
+                }
+
+                $smdnscfg = "";
+                if (!empty($sm['domain']) && ($sm['domain'] != $dhcpifconf['domain'])) {
+                    $smdnscfg .= "  option domain-name \"{$sm['domain']}\";\n";
+                }
+
+                if (!empty($sm['domainsearchlist']) && ($sm['domainsearchlist'] != $dhcpifconf['domainsearchlist'])) {
+                    $smdnscfg .= "  option domain-search \"" . join("\",\"", preg_split("/[ ;]+/", $sm['domainsearchlist'])) . "\";\n";
+                }
+
+                if ($need_ddns_updates) {
+                    if (!empty($sm['ddnsdomain']) && ($sm['ddnsdomain'] != $dhcpifconf['ddnsdomain'])) {
+                        $smdnscfg .= "  ddns-domainname \"{$sm['ddnsdomain']}\";\n";
+                    }
+                }
+
+                if (!empty($sm['dnsserver']) && ($sm['dnsserver'][0]) && ($sm['dnsserver'][0] != $dhcpifconf['dnsserver'][0])) {
+                    $smdnscfg .= "  option domain-name-servers " . join(",", $sm['dnsserver']) . ";\n";
+                }
+                $dhcpdconf .= "{$smdnscfg}";
+
+                // default-lease-time
+                if (!empty($sm['defaultleasetime']) && ($sm['defaultleasetime'] != $dhcpifconf['defaultleasetime'])) {
+                    $dhcpdconf .= "  default-lease-time {$sm['defaultleasetime']};\n";
+                }
+
+                // max-lease-time
+                if (!empty($sm['maxleasetime']) && ($sm['maxleasetime'] != $dhcpifconf['maxleasetime'])) {
+                    $dhcpdconf .= "  max-lease-time {$sm['maxleasetime']};\n";
+                }
+
+                // netbios-name*
+                if (!empty($sm['winsserver']) && $sm['winsserver'][0] && ($sm['winsserver'][0] != $dhcpifconf['winsserver'][0])) {
+                    $dhcpdconf .= "  option netbios-name-servers " . join(",", $sm['winsserver']) . ";\n";
+                    $dhcpdconf .= "  option netbios-node-type 8;\n";
+                }
+
+                // ntp-servers
+                if (!empty($sm['ntpserver']) && $sm['ntpserver'][0] && ($sm['ntpserver'][0] != $dhcpifconf['ntpserver'][0])) {
+                    $dhcpdconf .= "  option ntp-servers " . join(",", $sm['ntpserver']) . ";\n";
+                }
+
+                // tftp-server-name
+                if (!empty($sm['tftp']) && ($sm['tftp'] != $dhcpifconf['tftp'])) {
+                    $dhcpdconf .= "  option tftp-server-name \"{$sm['tftp']}\";\n";
+
+                    // bootfile-name
+                    if (!empty($sm['bootfilename']) && ($sm['bootfilename'] != $dhcpifconf['bootfilename'])) {
+                        $dhcpdconf .= "  option bootfile-name \"{$sm['bootfilename']}\";\n";
+                    }
+                }
+
+                $dhcpdconf .= "}\n";
+            }
+        }
+
+        if (!empty($newzone['domain-name']) && isset($dhcpifconf['ddnsupdate']) && is_ipaddrv4($dhcpifconf['ddnsdomainprimary'])) {
+            $newzone['dns-servers'] = array($dhcpifconf['ddnsdomainprimary']);
+            $newzone['ddnsdomainkeyname'] = $dhcpifconf['ddnsdomainkeyname'] ?? '';
+            $newzone['ddnsdomainkey'] = $dhcpifconf['ddnsdomainkey'] ?? '';
+            $newzone['ddnsdomainalgorithm'] = !empty($dhcpifconf['ddnsdomainalgorithm']) ? $dhcpifconf['ddnsdomainalgorithm'] : "hmac-md5";
+            $ddns_zones[] = $newzone;
+        }
+
+        if (isset($dhcpifconf['omapi']) && !$omapi_added) {
+            $dhcpdconf .= "\nomapi-port {$dhcpifconf['omapiport']};\n";
+            if (isset($dhcpifconf['omapialgorithm']) && isset($dhcpifconf['omapikey'])) {
+                $dhcpdconf .= "key omapi_key {\n";
+                $dhcpdconf .= "  algorithm {$dhcpifconf['omapialgorithm']};\n";
+                $dhcpdconf .= "  secret \"{$dhcpifconf['omapikey']}\";\n";
+                $dhcpdconf .= "};\nomapi-key omapi_key;\n\n";
+
+                /* make sure we only add this OMAPI block once */
+                $omapi_added = true;
+            }
+        }
+
+        $dhcpdifs[] = escapeshellarg(get_real_interface($dhcpif));
+    }
+
+    if ($need_ddns_updates) {
+        $dhcpdconf .= "\nddns-update-style interim;\n";
+        $dhcpdconf .= "update-static-leases on;\n";
+        $dhcpdconf .= dhcpd_zones($ddns_zones);
+    }
+
+    foreach (glob('/usr/local/etc/dhcpd.opnsense.d/*.conf') as $file) {
+        $dhcpdconf .= "\n\n# including custom file {$file}\n" . file_get_contents($file);
+    }
+
+    @file_put_contents('/var/dhcpd/etc/dhcpd.conf', $dhcpdconf);
+    @touch('/var/dhcpd/var/db/dhcpd.leases');
+
+    if (count($dhcpdifs) > 0) {
+        mwexecf('/usr/local/opnsense/scripts/dhcp/cleanup_leases4.php -m');
+        mwexecf('/usr/local/sbin/dhcpd -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid ' . implode(' ', $dhcpdifs));
+    }
+
+    service_log("done.\n", $verbose);
+}
+
+function dhcpd_zones($ddns_zones, $ipproto = 'inet')
+{
+    $dhcpdconf = '';
+    if (is_array($ddns_zones)) {
+        $added_zones = [];
+        $added_keys = [];
+        foreach ($ddns_zones as $zone) {
+            $versionsuffix = $ipproto == "inet6" ? "6" : "";
+            // We don't need to add zones multiple times.
+            foreach ([$zone['domain-name'], $zone['ptr-domain']] as $domain) {
+                if (!empty($domain) && !in_array($domain, $added_zones)) {
+                    /* dhcpdconf2 is injected *after* the key */
+                    $dhcpdconf2 = "zone {$domain}. {\n";
+                    // XXX: $zone['dns-servers'] only contains one item, ref $newzone['dns-servers']
+                    $dhcpdconf2 .= "  primary{$versionsuffix} {$zone['dns-servers'][0]};\n";
+                    if (!empty($zone['ddnsdomainkeyname']) && !empty($zone['ddnsdomainkey'])) {
+                        if (!in_array($zone['ddnsdomainkeyname'], $added_keys)) {
+                            $dhcpdconf .= "\nkey {$zone['ddnsdomainkeyname']} {\n";
+                            $dhcpdconf .= "  algorithm {$zone['ddnsdomainalgorithm']};\n";
+                            $dhcpdconf .= "  secret {$zone['ddnsdomainkey']};\n";
+                            $dhcpdconf .= "}\n";
+                            $added_keys[] = $zone['ddnsdomainkeyname'];
+                        }
+                        $dhcpdconf2 .= "  key {$zone['ddnsdomainkeyname']};\n";
+                    }
+                    $dhcpdconf2 .= "}\n";
+                    $dhcpdconf .= $dhcpdconf2;
+                    $added_zones[] = $domain;
+                }
+            }
+        }
+    }
+
+    return $dhcpdconf;
+}
+
+function dhcpd_dhcp6_configure($verbose = false, $ignorelist = [])
+{
+    global $config;
+
+    if (!dhcpd_dhcpv6_enabled()) {
+        killbypid('/var/dhcpd/var/run/dhcpdv6.pid');
+        killbypid('/var/run/dhcpleases6.pid');
+        return;
+    }
+
+    service_log('Starting DHCPv6 service...', $verbose);
+
+    killbypid('/var/dhcpd/var/run/dhcpdv6.pid');
+    killbypid('/var/run/dhcpleases6.pid');
+
+    $iflist = get_configured_interface_with_descr();
+    $ifconfig_details = legacy_interfaces_details();
+    $dhcpdv6cfg = config_read_array('dhcpdv6');
+
+    /* Only consider DNS servers with IPv6 addresses for the IPv6 DHCP server. */
+    $dns_arrv6 = array();
+    if (!empty($config['system']['dnsserver'][0])) {
+        foreach ($config['system']['dnsserver'] as $dnsserver) {
+            if (is_ipaddrv6($dnsserver)) {
+                $dns_arrv6[] = $dnsserver;
+            }
+        }
+    }
+
+    /* we add a fake entry for interfaces that are set to track6 another WAN */
+    foreach (array_keys($iflist) as $ifname) {
+        /* Do not put in the config an interface which is down */
+        if (isset($ignorelist[$ifname])) {
+            continue;
+        }
+        if (($config['interfaces'][$ifname]['ipaddrv6'] ?? 'none') == 'track6') {
+            list ($ifcfgipv6) = interfaces_primary_address6($ifname, $ifconfig_details);
+            if (!is_ipaddrv6($ifcfgipv6)) {
+                continue;
+            }
+
+            $ifcfgipv6 = Net_IPv6::getNetmask($ifcfgipv6, 64);
+            $ifcfgipv6arr = explode(':', $ifcfgipv6);
+
+            if (!isset($config['interfaces'][$ifname]['dhcpd6track6allowoverride'])) {
+                /* mock a real server */
+                if (!empty($dhcpdv6cfg[$ifname]['enable']) && $dhcpdv6cfg[$ifname]['enable'] == '-1') {
+                    /* tracking, but dhcpv6 disabled */
+                    $dhcpdv6cfg[$ifname] = [];
+                } else {
+                    $dhcpdv6cfg[$ifname] = ['enable' => true];
+                }
+
+                /* fixed range */
+                $ifcfgipv6arr[7] = '1000';
+                $dhcpdv6cfg[$ifname]['range'] = array();
+                $dhcpdv6cfg[$ifname]['range']['from'] = Net_IPv6::compress(implode(':', $ifcfgipv6arr));
+                $ifcfgipv6arr[7] = '2000';
+                $dhcpdv6cfg[$ifname]['range']['to'] = Net_IPv6::compress(implode(':', $ifcfgipv6arr));
+
+                /* with enough room we can add dhcp6 prefix delegation */
+                $pdlen = calculate_ipv6_delegation_length($config['interfaces'][$ifname]['track6-interface']);
+                if ($pdlen > 2) {
+                    /* XXX calculation is probably out of whack, please fix */
+
+                    $pdlenmax = $pdlen;
+                    $pdlenhalf = $pdlenmax - 1;
+                    $pdlenmin = 64 - ceil($pdlenhalf / 4);
+                    $dhcpdv6cfg[$ifname]['prefixrange'] = array();
+                    $dhcpdv6cfg[$ifname]['prefixrange']['prefixlength'] = $pdlenmin;
+
+                    /* set the delegation start to half the current address block */
+                    $range = Net_IPv6::parseAddress($ifcfgipv6, (64 - $pdlenmax));
+                    $range['start'] = Net_IPv6::getNetmask($range['end'], (64 - $pdlenhalf));
+
+                    /* set the end range to a multiple of the prefix delegation size, required by dhcpd */
+                    $range = Net_IPv6::parseAddress($range['end'], (64 - $pdlenhalf));
+                    $range['end'] = Net_IPv6::getNetmask($range['end'], (64 - round($pdlen / 2)));
+
+                    $dhcpdv6cfg[$ifname]['prefixrange']['from'] = Net_IPv6::compress($range['start']);
+                    $dhcpdv6cfg[$ifname]['prefixrange']['to'] = Net_IPv6::compress($range['end']);
+                }
+            } else {
+                if (!empty($dhcpdv6cfg[$ifname]['range']['from']) && !empty($dhcpdv6cfg[$ifname]['range']['to'])) {
+                    /* get config entry and marry it to the live prefix */
+                    $dhcpdv6cfg[$ifname]['range']['from'] = merge_ipv6_address($ifcfgipv6, $dhcpdv6cfg[$ifname]['range']['from']);
+                    $dhcpdv6cfg[$ifname]['range']['to'] = merge_ipv6_address($ifcfgipv6, $dhcpdv6cfg[$ifname]['range']['to']);
+                }
+
+                if (!empty($dhcpdv6cfg[$ifname]['prefixrange']['from']) && !empty($dhcpdv6cfg[$ifname]['prefixrange']['to'])) {
+                    /* XXX $pdlen is never validated against prefixlenght setting, but must be smaller or equal */
+                    $pdlen = 64 - calculate_ipv6_delegation_length($config['interfaces'][$ifname]['track6-interface']);
+
+                    $range_from = $dhcpdv6cfg[$ifname]['prefixrange']['from'];
+                    if (merge_ipv6_address($range_from, '::') == '::') {
+                        log_msg("'{$dhcpdv6cfg[$ifname]['prefixrange']['from']}' is not a valid prefix range value", LOG_WARNING);
+                        /* XXX previously it was suggested to use suffix but it was actually infix so shift 64 bits if possible */
+                        $range_from = $dhcpdv6cfg[$ifname]['prefixrange']['from'] . ':0:0:0:0';
+                    }
+
+                    $range_to = $dhcpdv6cfg[$ifname]['prefixrange']['to'];
+                    if (merge_ipv6_address($range_to, '::') == '::') {
+                        log_msg("'{$dhcpdv6cfg[$ifname]['prefixrange']['to']}' is not a valid prefix range value", LOG_WARNING);
+                        /* XXX previously it was suggested to use suffix but it was actually infix so shift 64 bits if possible */
+                        $range_to = $dhcpdv6cfg[$ifname]['prefixrange']['to'] . ':0:0:0:0';
+                    }
+
+                    $dhcpdv6cfg[$ifname]['prefixrange']['from'] = merge_ipv6_address($ifcfgipv6, $range_from, $pdlen);
+                    $dhcpdv6cfg[$ifname]['prefixrange']['to'] = merge_ipv6_address($ifcfgipv6, $range_to, $pdlen);
+                }
+            }
+        }
+    }
+
+    $custoptionsv6 = "";
+    foreach ($dhcpdv6cfg as $dhcpv6if => $dhcpv6ifconf) {
+        if (isset($dhcpv6ifconf['numberoptions']['item'])) {
+            foreach ($dhcpv6ifconf['numberoptions']['item'] as $itemv6idx => $itemv6) {
+                if (!empty($itemv6['type'])) {
+                    $itemtype = $itemv6['type'];
+                } else {
+                    $itemtype = "text";
+                }
+                $custoptionsv6 .= "option custom-{$dhcpv6if}-{$itemv6idx} code {$itemv6['number']} = {$itemtype};\n";
+            }
+        }
+    }
+
+    if (isset($dhcpv6ifconf['netboot']) && !empty($dhcpv6ifconf['bootfile_url'])) {
+        $custoptionsv6 .= "option dhcp6.bootfile-url code 59 = string;\n";
+    }
+
+    $dhcpdv6conf = <<<EOD
+option dhcp6.domain-search "{$config['system']['domain']}";
+option dhcp6.rapid-commit;
+{$custoptionsv6}
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+ping-check true;
+update-conflict-detection false;
+authoritative;
+
+EOD;
+
+    $dhcpdv6ifs = [];
+    $ddns_zones = [];
+    $need_ddns_updates = false;
+
+    foreach ($dhcpdv6cfg as $dhcpv6if => $dhcpv6ifconf) {
+        if (!isset($dhcpv6ifconf['enable']) || !isset($iflist[$dhcpv6if])) {
+            continue;
+        }
+
+        if (isset($ignorelist[$dhcpv6if])) {
+            continue;
+        }
+
+        list ($ifcfgipv6, $networkv6) = interfaces_primary_address6($dhcpv6if, $ifconfig_details);
+        if (!is_ipaddrv6($ifcfgipv6) || !is_subnetv6($networkv6)) {
+            $device = get_real_interface($dhcpv6if, 'inet6');
+            log_msg("dhcpd_dhcp6_configure() found no suitable IPv6 address on {$dhcpv6if}({$device})", LOG_WARNING);
+            continue;
+        }
+
+        $dnscfgv6 = "";
+
+        if (!empty($dhcpv6ifconf['domainsearchlist'])) {
+            $dnscfgv6 .= "  option dhcp6.domain-search \"" . join("\",\"", preg_split("/[ ;]+/", $dhcpv6ifconf['domainsearchlist'])) . "\";\n";
+        }
+
+        $newzone = array();
+
+        if (isset($dhcpv6ifconf['ddnsupdate'])) {
+            $need_ddns_updates = true;
+            if (!empty($dhcpv6ifconf['ddnsdomain'])) {
+                $dnscfgv6 .= "  ddns-domainname \"{$dhcpv6ifconf['ddnsdomain']}\";\n";
+                $newzone['domain-name'] = $dhcpv6ifconf['ddnsdomain'];
+            } else {
+                $newzone['domain-name'] = $config['system']['domain'];
+            }
+
+            $subnetv6 = explode("/", $networkv6)[0];
+            $addr = inet_pton($subnetv6);
+            $addr_unpack = unpack('H*hex', $addr);
+            $addr_hex = $addr_unpack['hex'];
+            $revsubnet = array_reverse(str_split($addr_hex));
+            foreach ($revsubnet as $octet) {
+                if ($octet == "0") {
+                    array_shift($revsubnet);
+                } else {
+                    break;
+                }
+            }
+
+            $newzone['ptr-domain'] = implode(".", $revsubnet) . ".ip6.arpa";
+        }
+
+        if (isset($dhcpv6ifconf['dnsserver'][0])) {
+            $dnscfgv6 .= "  option dhcp6.name-servers " . join(",", $dhcpv6ifconf['dnsserver']) . ";";
+        } elseif (!empty(service_by_filter(['dns_ports' => '53']))) {
+            $dnscfgv6 .= "  option dhcp6.name-servers {$ifcfgipv6};";
+        } elseif (!empty($dns_arrv6)) {
+            $dnscfgv6 .= "  option dhcp6.name-servers " . join(",", $dns_arrv6) . ";";
+        }
+
+        $dhcpdv6conf .= "\nsubnet6 {$networkv6} {\n";
+
+        if (!empty($dhcpv6ifconf['range']['from'])) {
+            $dhcpdv6conf .= "  range6 {$dhcpv6ifconf['range']['from']} {$dhcpv6ifconf['range']['to']};\n";
+        }
+
+        $dhcpdv6conf .= "{$dnscfgv6}\n";
+
+        if (!empty($dhcpv6ifconf['prefixrange']['from']) && is_ipaddrv6($dhcpv6ifconf['prefixrange']['from']) && is_ipaddrv6($dhcpv6ifconf['prefixrange']['to'])) {
+            $dhcpdv6conf .= "  prefix6 {$dhcpv6ifconf['prefixrange']['from']} {$dhcpv6ifconf['prefixrange']['to']}/{$dhcpv6ifconf['prefixrange']['prefixlength']};\n";
+        }
+
+        // default-lease-time
+        if (!empty($dhcpv6ifconf['defaultleasetime'])) {
+            $dhcpdv6conf .= "  default-lease-time {$dhcpv6ifconf['defaultleasetime']};\n";
+        }
+
+        // max-lease-time
+        if (!empty($dhcpv6ifconf['maxleasetime'])) {
+            $dhcpdv6conf .= "  max-lease-time {$dhcpv6ifconf['maxleasetime']};\n";
+        }
+
+        // min-secs
+        if (!empty($dhcpv6ifconf['minsecs'])) {
+            $dhcpdv6conf .= "  min-secs {$dhcpv6ifconf['minsecs']};\n";
+        }
+
+        // ntp-servers
+        if (isset($dhcpv6ifconf['ntpserver'][0])) {
+            $ntpservers = array();
+            foreach ($dhcpv6ifconf['ntpserver'] as $ntpserver) {
+                if (is_ipaddrv6($ntpserver)) {
+                    $ntpservers[] = $ntpserver;
+                }
+            }
+            if (count($ntpservers) > 0) {
+                $dhcpdv6conf .= "  option dhcp6.sntp-servers " . join(",", $dhcpv6ifconf['ntpserver']) . ";\n";
+            }
+        }
+
+        // Handle option, number rowhelper values
+        if (isset($dhcpv6ifconf['numberoptions']['item'])) {
+            $dhcpdv6conf .= "\n";
+            foreach ($dhcpv6ifconf['numberoptions']['item'] as $itemv6idx => $itemv6) {
+                if (empty($itemv6['type']) || $itemv6['type'] == "text") {
+                    $dhcpdv6conf .= "  option custom-{$dhcpv6if}-{$itemv6idx} \"{$itemv6['value']}\";\n";
+                } else {
+                    $dhcpdv6conf .= "  option custom-{$dhcpv6if}-{$itemv6idx} {$itemv6['value']};\n";
+                }
+            }
+        }
+
+        // net boot information
+        if (isset($dhcpv6ifconf['netboot'])) {
+            if (!empty($dhcpv6ifconf['bootfile_url'])) {
+                $dhcpdv6conf .= "  option dhcp6.bootfile-url \"{$dhcpv6ifconf['bootfile_url']}\";\n";
+            }
+        }
+
+        $dhcpdv6conf .= "}\n";
+
+        /* add static mappings */
+        /* Needs to use DUID */
+        if (isset($dhcpv6ifconf['staticmap'])) {
+            $i = 0;
+            foreach ($dhcpv6ifconf['staticmap'] as $sm) {
+                $dhcpdv6conf .= <<<EOD
+
+host s_{$dhcpv6if}_{$i} {
+  host-identifier option dhcp6.client-id {$sm['duid']};
+
+EOD;
+                if (!empty($sm['ipaddrv6'])) {
+                    if (isset($config['interfaces'][$dhcpv6if]['dhcpd6track6allowoverride'])) {
+                        $sm['ipaddrv6'] = merge_ipv6_address($ifcfgipv6, $sm['ipaddrv6']);
+                    }
+                    $dhcpdv6conf .= "  fixed-address6 {$sm['ipaddrv6']};\n";
+                }
+
+                if (!empty($sm['hostname'])) {
+                    $dhhostname = str_replace(" ", "_", $sm['hostname']);
+                    $dhhostname = str_replace(".", "_", $dhhostname);
+                    $dhcpdv6conf .= "  option host-name \"{$dhhostname}\";\n";
+                    if ($need_ddns_updates) {
+                        $dhcpdv6conf .= "  ddns-hostname \"{$dhhostname}\";\n";
+                    }
+                }
+                if (!empty($sm['filename'])) {
+                    $dhcpdv6conf .= "  filename \"{$sm['filename']}\";\n";
+                }
+
+                if (!empty($sm['rootpath'])) {
+                    $dhcpdv6conf .= "  option root-path \"{$sm['rootpath']}\";\n";
+                }
+
+                if (!empty($sm['domainsearchlist']) && ($sm['domainsearchlist'] != $dhcpv6ifconf['domainsearchlist'])) {
+                    $dhcpdv6conf .= "  option dhcp6.domain-search \"" . join("\",\"", preg_split("/[ ;]+/", $sm['domainsearchlist'])) . "\";\n";
+                }
+
+                $dhcpdv6conf .= "}\n";
+                $i++;
+            }
+        }
+
+        if (!empty($newzone['domain-name']) && isset($dhcpv6ifconf['ddnsupdate']) && is_ipaddrv6($dhcpv6ifconf['ddnsdomainprimary'])) {
+            $newzone['dns-servers'] = array($dhcpv6ifconf['ddnsdomainprimary']);
+            $newzone['ddnsdomainkeyname'] = $dhcpv6ifconf['ddnsdomainkeyname'];
+            $newzone['ddnsdomainkey'] = $dhcpv6ifconf['ddnsdomainkey'];
+            $newzone['ddnsdomainalgorithm'] = !empty($dhcpv6ifconf['ddnsdomainalgorithm']) ? $dhcpv6ifconf['ddnsdomainalgorithm'] : "hmac-md5";
+            $ddns_zones[] = $newzone;
+        }
+
+        $dhcpdv6ifs[] = escapeshellarg(get_real_interface($dhcpv6if, 'inet6'));
+    }
+
+    if ($need_ddns_updates) {
+        $dhcpdv6conf .= "\nddns-update-style interim;\n";
+        $dhcpdv6conf .= "update-static-leases on;\n";
+        $dhcpdv6conf .= dhcpd_zones($ddns_zones, "inet6");
+    } else {
+        $dhcpdv6conf .= "\nddns-update-style none;\n";
+    }
+
+    foreach (glob('/usr/local/etc/dhcpd6.opnsense.d/*.conf') as $file) {
+        $dhcpdv6conf .= "\n\n# including custom file {$file}\n" . file_get_contents($file);
+    }
+
+    @file_put_contents('/var/dhcpd/etc/dhcpdv6.conf', $dhcpdv6conf);
+    @touch('/var/dhcpd/var/db/dhcpd6.leases');
+
+    if (count($dhcpdv6ifs) > 0) {
+        mwexecf('/usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid ' . implode(' ', $dhcpdv6ifs));
+        mwexecf('/usr/sbin/daemon -m0 -f -p %s %s', ['/var/run/dhcpleases6.pid', '/usr/local/opnsense/scripts/dhcp/prefixes.sh']);
+    }
+
+    service_log("done.\n", $verbose);
+}
+
+function dhcpd_staticmap($proto = null, $valid_addresses = true, $ifconfig_details = null, $allow_disabled = false)
+{
+    $staticmap = [];
+    foreach (empty($proto) ? [4, 6] : [$proto] as $inet) {
+        $ipaddr = $inet == 6 ? 'ipaddrv6' : 'ipaddr';
+
+        foreach (config_read_array($inet == 6 ? 'dhcpdv6' : 'dhcpd') as $dhcpif => $dhcpifconf) {
+            if (!isset($dhcpifconf['staticmap']) || (!isset($dhcpifconf['enable']) && !$allow_disabled)) {
+                continue;
+            }
+
+            $ifconf = config_read_array('interfaces', $dhcpif);
+            list ($ipaddrv6) = $inet == 6 && isset($ifconf['dhcpd6track6allowoverride']) ?
+                interfaces_primary_address6($dhcpif, $ifconfig_details) : [null];
+
+            foreach ($dhcpifconf['staticmap'] as $host) {
+                if (empty($host[$ipaddr]) && $valid_addresses) {
+                    /* we only return proper entries with an IP address */
+                    continue;
+                }
+
+                if (!empty($ipaddrv6)) {
+                    /* expand IPv6 suffix address, but only allow user-given compressed suffix */
+                    $host['ipaddrv6'] = merge_ipv6_address($ipaddrv6, $host['ipaddrv6']);
+                }
+
+                if (!empty($host['ipaddrv6'])) {
+                    /* avoid sloppy input by recompressing the address correctly */
+                    $host['ipaddrv6'] = Net_IPv6::compress(Net_IPv6::uncompress($host['ipaddrv6']));
+                }
+
+                $domain = null;
+
+                // XXX: dhcpdv6 domain entries have been superseded by domainsearchlist,
+                //      for backward compatibility support both here.
+                if ($inet == 6 && !empty($host['domainsearchlist'])) {
+                    $domain = $host['domainsearchlist'];
+                } elseif (!empty($host['domain'])) {
+                    $domain = $host['domain'];
+                } elseif ($inet == 6 && !empty($dhcpifconf['domainsearchlist'])) {
+                    $domain = $dhcpifconf['domainsearchlist'];
+                } elseif (!empty($dhcpifconf['domain'])) {
+                    $domain = $dhcpifconf['domain'];
+                }
+
+                if ($domain !== null) {
+                    /* first entry only */
+                    $domain = preg_split('/[ ;]+/', $domain)[0];
+                }
+
+                $entry = [
+                    'descr' => $host['descr'] ?? null,
+                    'domain' => $domain,
+                    'hostname' => $host['hostname'] ?? null,
+                    'interface' => $dhcpif,
+                    $ipaddr => $host[$ipaddr],
+                ];
+
+                foreach (['mac', 'duid'] as $property) {
+                    if (isset($host[$property])) {
+                        $entry[$property] = $host[$property];
+                    }
+                }
+
+                $staticmap[] = $entry;
+            }
+        }
+    }
+
+    return $staticmap;
+}
+
+function dhcpd_parse_duid($duid_string)
+{
+    $parsed_duid = [];
+
+    for ($i = 0; $i < strlen($duid_string); $i++) {
+        $s = substr($duid_string, $i, 1);
+        if ($s == '\\') {
+            $n = substr($duid_string, $i + 1, 1);
+            if ($n == '\\' || $n == '"') {
+                $parsed_duid[] = sprintf('%02x', ord($n));
+                $i += 1;
+            } elseif (is_numeric($n)) {
+                $parsed_duid[] = sprintf('%02x', octdec(substr($duid_string, $i + 1, 3)));
+                $i += 3;
+            }
+        } else {
+            $parsed_duid[] = sprintf('%02x', ord($s));
+        }
+    }
+
+    $iaid = array_slice($parsed_duid, 0, 4);
+    $duid = array_slice($parsed_duid, 4);
+
+    return [$iaid, $duid];
+}
+
+function dhcpd_staticarp($interface, $ifconfig_details)
+{
+    global $config;
+
+    $ifcfg = $config['interfaces'][$interface];
+    if (empty($ifcfg['if']) || !isset($ifcfg['enable'])) {
+        return;
+    }
+
+    $device = $ifcfg['if'];
+
+    $have = in_array('staticarp', $ifconfig_details[$device]['flags']);
+    $want = isset($config['dhcpd'][$interface]['staticarp']);
+
+    if ($have !== $want) {
+        mwexecf('/sbin/ifconfig %s %sstaticarp', [$device, $want ? '' : '-']);
+        mwexecf('/usr/sbin/arp -d -i %s -a', [$device]);
+
+        /* call this only when the ARP cache was flushed */
+        interfaces_neighbors_configure($interface, $ifconfig_details);
+    }
+}
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/Api/LeasesController.php b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/Api/LeasesController.php
new file mode 100644
index 0000000000..0b3db93c07
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/Api/LeasesController.php
@@ -0,0 +1,205 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DHCPv4\Api;
+
+use OPNsense\Base\ApiControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
+use OPNsense\Firewall\Util;
+
+class LeasesController extends ApiControllerBase
+{
+    public function searchLeaseAction()
+    {
+        $inactive = $this->request->get('inactive');
+        $selected_interfaces = $this->request->get('selected_interfaces');
+        $backend = new Backend();
+        $config = Config::getInstance()->object();
+        $online = [];
+        $if_devs = [];
+        $if_descrs = [];
+        $ip_ranges = [];
+        $interfaces = [];
+
+        /* get ARP data to match online clients */
+        $arp_data = json_decode($backend->configdRun('dhcpd list arp'), true) ?? [];
+        /* get static leases */
+        $sleases = json_decode($backend->configdRun('dhcpd list static 0'), true) ?? [];
+        /* get dynamic leases, include inactive leases if requested */
+        $leases = json_decode($backend->configdpRun('dhcpd list leases', [$inactive]), true) ?? [];
+        /* get manufacturer info */
+        $mac_man = json_decode($backend->configdRun('interface list macdb'), true) ?? [];
+        /* get ifconfig info to match IPs to interfaces */
+        $ifconfig = json_decode($backend->configdRun('interface list ifconfig'), true) ?? [];
+
+        /* get all device names and their associated interface names */
+        foreach ($config->interfaces->children() as $if => $if_props) {
+            $if_devs[$if] = (string)$if_props->if;
+            $if_descrs[$if] = (string)$if_props->descr ?: strtoupper($if);
+        }
+
+        /* list online IPs and MACs */
+        if (is_array($arp_data) && isset($arp_data['arp']) && !empty($arp_data['arp']['arp-cache'])) {
+            foreach ($arp_data['arp']['arp-cache'] as $arp_entry) {
+                if (!isset($arp_entry['expired'])) {
+                    array_push($online, $arp_entry['mac-address'], $arp_entry['ip-address']);
+                }
+            }
+        }
+
+        /* gather ip ranges from ifconfig */
+        foreach ($ifconfig as $if => $data) {
+            if (!empty($data['ipv4'])) {
+                foreach ($data['ipv4'] as $ip) {
+                    if (!empty($ip['ipaddr']) && !empty($ip['subnetbits'])) {
+                        $ip_ranges[$ip['ipaddr'] . '/' . $ip['subnetbits']] = $if;
+                    }
+                }
+            }
+        }
+
+        /* parse dynamic leases */
+        foreach ($leases as $idx => $lease) {
+            $leases[$idx]['type'] = 'dynamic';
+            $leases[$idx]['status'] = 'offline';
+            $leases[$idx]['descr'] = '';
+            $leases[$idx]['mac'] = '';
+            $leases[$idx]['starts'] = '';
+            $leases[$idx]['ends'] = '';
+            $leases[$idx]['hostname'] = '';
+            $leases[$idx]['state'] = $lease['binding'] == 'free' ? 'expired' : $lease['binding'];
+
+            if (array_key_exists('hardware', $lease)) {
+                $mac = $lease['hardware']['mac-address'];
+                $leases[$idx]['mac'] = $mac;
+                $leases[$idx]['status'] = in_array(strtolower($lease['address']), $online) ? 'online' : 'offline';
+                unset($leases[$idx]['hardware']);
+            }
+
+            if (array_key_exists('starts', $lease)) {
+                $leases[$idx]['starts'] = date('Y/m/d H:i:s', $lease['starts']);
+            }
+
+            if (array_key_exists('ends', $lease)) {
+                $leases[$idx]['ends'] = date('Y/m/d H:i:s', $lease['ends']);
+            }
+
+            if (array_key_exists('client-hostname', $lease)) {
+                $leases[$idx]['hostname'] = $lease['client-hostname'];
+            }
+        }
+
+        /* parse static leases */
+        $statics = [];
+        if ($sleases) {
+            foreach ($sleases["dhcpd"] as $slease) {
+                $static = [];
+                $static['address'] = $slease['ipaddr'] ?? '';
+                $static['type'] = 'static';
+                $static['mac'] = $slease['mac'] ?? '';
+                $static['starts'] = '';
+                $static['ends'] = '';
+                $static['hostname'] = $slease['hostname'] ?? '';
+                $static['descr'] = $slease['descr'] ?? '';
+                $static['if_descr'] = '';
+                $static['if'] = $slease['interface'] ?? '';
+                $static['state'] = 'active';
+                $static['status'] = in_array(strtolower($static['mac']), $online) ? 'online' : 'offline';
+                $statics[] = $static;
+            }
+        }
+
+        /* merge dynamic and static leases */
+        $leases = array_merge($leases, $statics);
+
+        foreach ($leases as $idx => $lease) {
+            /* include manufacturer info */
+            $leases[$idx]['man'] = '';
+            if ($lease['mac'] != '') {
+                $mac_hi = strtoupper(substr(str_replace(':', '', $lease['mac']), 0, 6));
+                if (array_key_exists($mac_hi, $mac_man)) {
+                    $leases[$idx]['man'] = $mac_man[$mac_hi];
+                }
+            }
+
+            /* include interface */
+            $intf = '';
+            $intf_descr = '';
+
+            if (!empty($lease['if'])) {
+                /* interface already included */
+                $intf = $lease['if'];
+                $intf_descr = $if_descrs[$intf];
+            } else {
+                /* interface not known, check range */
+                foreach ($ip_ranges as $cidr => $if_dev) {
+                    if (!empty($lease['address']) && Util::isIPInCIDR($lease['address'], $cidr)) {
+                        $intf = array_search($if_dev, $if_devs);
+                        $intf_descr = $if_descrs[$intf];
+                        break;
+                    }
+                }
+            }
+
+            $leases[$idx]['if'] = $intf;
+            $leases[$idx]['if_descr'] = $intf_descr;
+
+            if (!empty($intf_descr) && !array_key_exists($intf, $interfaces)) {
+                $interfaces[$intf] = $intf_descr;
+            }
+        }
+
+        $response = $this->searchRecordsetBase($leases, null, 'address', function ($key) use ($selected_interfaces) {
+            if (empty($selected_interfaces) || in_array($key['if'], $selected_interfaces)) {
+                return true;
+            }
+
+            return false;
+        });
+
+        /* present relevant interfaces to the view so they can be filtered on */
+        $response['interfaces'] = $interfaces;
+        return $response;
+    }
+
+    public function delLeaseAction($ip)
+    {
+        $result = ["result" => "failed"];
+
+        if ($this->request->isPost()) {
+            $response = json_decode((new Backend())->configdpRun("dhcpd remove lease", [$ip]), true);
+            if ($response["removed_leases"] != "0") {
+                $result["result"] = "deleted";
+            }
+        }
+
+
+        return $result;
+    }
+}
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/Api/ServiceController.php b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/Api/ServiceController.php
new file mode 100644
index 0000000000..050af775e1
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/Api/ServiceController.php
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DHCPv4\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Config;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceName = 'dhcpd';
+
+    protected function serviceEnabled()
+    {
+        $config = Config::getInstance()->object();
+
+        foreach ($config->dhcpd->children() as $dhcpifconf) {
+            if (!empty((string)$dhcpifconf->enable) && (string)$dhcpifconf->enable == '1') {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/LeasesController.php b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/LeasesController.php
new file mode 100644
index 0000000000..c53538f83d
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv4/LeasesController.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DHCPv4;
+
+use OPNsense\Base\IndexController;
+
+class LeasesController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/DHCPv4/leases');
+    }
+}
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/Api/LeasesController.php b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/Api/LeasesController.php
new file mode 100644
index 0000000000..bc4edd4248
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/Api/LeasesController.php
@@ -0,0 +1,272 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ namespace OPNsense\DHCPv6\Api;
+
+ use OPNsense\Base\ApiControllerBase;
+ use OPNsense\Core\Backend;
+ use OPNsense\Core\Config;
+ use OPNsense\Firewall\Util;
+
+class LeasesController extends ApiControllerBase
+{
+    public function searchLeaseAction()
+    {
+        $inactive = $this->request->get('inactive');
+        $selected_interfaces = $this->request->get('selected_interfaces');
+        $backend = new Backend();
+        $config = Config::getInstance()->object();
+        $online = [];
+        $if_devs = [];
+        $if_descrs = [];
+        $ip_ranges = [];
+        $leases = [];
+        $interfaces = [];
+
+        /* get NDP data to match online clients */
+        $ndp_data = json_decode($backend->configdRun('interface list ndp json'), true);
+        /* get static leases */
+        $sleases = json_decode($backend->configdRun('dhcpd6 list static 0'), true);
+        /* get dynamic leases, inactive leases if requested */
+        $raw_leases = json_decode($backend->configdpRun('dhcpd6 list leases', [$inactive]), true);
+        /* get manufacturer info */
+        $mac_man = json_decode($backend->configdRun('interface list macdb'), true);
+        /* get ifconfig info to match IPs to interfaces */
+        $ifconfig = json_decode($backend->configdRun('interface list ifconfig'), true);
+
+        /* get all device names and their associated interface names */
+        foreach ($config->interfaces->children() as $if => $if_props) {
+            $if_devs[$if] = (string)$if_props->if;
+            $if_descrs[$if] = (string)$if_props->descr ?: strtoupper($if);
+        }
+
+        /* list online IPs and MACs */
+        foreach ($ndp_data as $ndp_entry) {
+            array_push($online, $ndp_entry['mac'], $ndp_entry['ip']);
+        }
+
+        /* gather ip ranges from ifconfig */
+        foreach ($ifconfig as $if => $data) {
+            if (!empty($data['ipv6'])) {
+                foreach ($data['ipv6'] as $ip) {
+                    if (!empty($ip['ipaddr']) && !empty($ip['subnetbits'])) {
+                        $ip_ranges[$ip['ipaddr'] . '/' . $ip['subnetbits']] = $if;
+                    }
+                }
+            }
+        }
+
+        foreach ($raw_leases as $raw_lease) {
+            if (!array_key_exists('addresses', $raw_lease)) {
+                continue;
+            }
+
+            /* set defaults */
+            $lease = [];
+            $lease['type'] = 'dynamic';
+            $lease['lease_type'] = $raw_lease['lease_type'];
+            $lease['iaid'] = $raw_lease['iaid'];
+            $lease['duid'] = $raw_lease['duid'];
+            $lease['iaid_duid'] = $raw_lease['iaid_duid'];
+            $lease['descr'] = '';
+            $lease['if'] = '';
+
+            if (array_key_exists('cltt', $raw_lease)) {
+                $lease['cltt'] = date('Y/m/d H:i:s', $raw_lease['cltt']);
+            }
+
+            /* XXX we pick the first address, this will be fine for a typical deployment
+            * according to RFC8415 section 6.6, but it should be noted that the protocol
+            * (and isc-dhcpv6) is capable of handing over multiple addresses/prefixes to
+            * a single client within a single lease. The backend accounts for this.
+            */
+            $seg = $raw_lease['addresses'][0];
+            $lease['state'] = $seg['binding'] == 'free' ? 'expired' : $seg['binding'];
+            if (array_key_exists('ends', $seg)) {
+                $lease['ends'] =  date('Y/m/d H:i:s', $seg['ends']);
+            }
+
+            $lease['address'] = $seg['iaaddr'];
+            $lease['status'] = in_array(strtolower($lease['address']), $online) ? 'online' : 'offline';
+            $leases[] = $lease;
+        }
+
+        $statics = [];
+        if ($sleases) {
+            foreach ($sleases['dhcpd'] as $slease) {
+                $static = [
+                    'address' => $slease['ipaddrv6'] ?? '',
+                    'type' => 'static',
+                    'cltt' => '',
+                    'ends' => '',
+                    'descr' => $slease['descr'] ?? '',
+                    'iaid' => '',
+                    'duid' => $slease['duid'] ?? '',
+                    'if_descr' => '',
+                    'if' => $slease['interface'] ?? '',
+                    'state' => 'active',
+                    'status' => in_array(strtolower($slease['ipaddrv6']), $online) ? 'online' : 'offline'
+                ];
+                $statics[] = $static;
+            }
+        }
+
+        /* merge dynamic and static leases */
+        $leases = array_merge($leases, $statics);
+
+        foreach ($leases as $idx => $lease) {
+            $leases[$idx]['man'] = '';
+            $leases[$idx]['mac'] = '';
+            $done = false;
+            /* We infer the MAC from NDP data if available, otherwise we extract it out
+             * of the DUID. However, RFC8415 section 11 states that an attempt to parse
+             * a DUID to obtain a client's link-layer address is unreliable, as there is no
+             * guarantee that the client is still using the same link-layer address as when
+             * it generated its DUID. Therefore, if we can link it to a manufacturer, chances
+             * are fairly high that this is a valid MAC address, otherwise we omit the MAC
+             * address.
+             */
+            if (!empty(['address'])) {
+                foreach ($ndp_data as $ndp) {
+                    if ($ndp['ip'] == $lease['address']) {
+                        $leases[$idx]['mac'] = $ndp['mac'];
+                        $leases[$idx]['man'] = empty($ndp['manufacturer']) ? '' : $ndp['manufacturer'];
+                        $leases[$idx]['if'] = array_search($ndp['intf'], $if_devs);
+                        $leases[$idx]['if_descr'] = $if_descrs[$leases[$idx]['if']];
+                        if (!empty($leases[$idx]['if_descr'])) {
+                            $interfaces[$leases[$idx]['if']] = $leases[$idx]['if_descr'];
+                        }
+                        $done = true;
+                        break;
+                    }
+                }
+                if ($done) {
+                    continue;
+                }
+            }
+
+            /* include MAC */
+            if (!empty($lease['duid'])) {
+                $mac = '';
+                $duid_type = substr($lease['duid'], 0, 5);
+                if ($duid_type === "00:01" || $duid_type === "00:03") {
+                    /* DUID generated based on LL addr with or without timestamp */
+                    $hw_type = substr($lease['duid'], 6, 5);
+                    if ($hw_type == "00:01") { /* HW type ethernet */
+                        $mac = substr($lease['duid'], -17, 17);
+                    }
+                }
+
+                if (!empty($mac)) {
+                    $mac_hi = strtoupper(substr(str_replace(':', '', $mac), 0, 6));
+                    if (array_key_exists($mac_hi, $mac_man)) {
+                        $leases[$idx]['mac'] = $mac;
+                        $leases[$idx]['man'] = $mac_man[$mac_hi];
+                    }
+                }
+            }
+
+            /* include interface */
+            $intf = '';
+            $intf_descr = '';
+            if (!empty($lease['if'])) {
+                $intf = $lease['if'];
+                $intf_descr = $if_descrs[$intf];
+            } else {
+                foreach ($ip_ranges as $cidr => $if) {
+                    if (!empty($lease['address']) && Util::isIPInCIDR($lease['address'], $cidr)) {
+                        $intf = array_search($if, $if_devs);
+                        $intf_descr = $if_descrs[$intf];
+                        break;
+                    }
+                }
+            }
+
+            $leases[$idx]['if'] = $intf;
+            $leases[$idx]['if_descr'] = $intf_descr;
+
+            if (!empty($intf_descr) && !array_key_exists($intf, $interfaces)) {
+                $interfaces[$intf] = $intf_descr;
+            }
+        }
+
+        $response = $this->searchRecordsetBase($leases, null, 'address', function ($key) use ($selected_interfaces) {
+            if (empty($selected_interfaces) || in_array($key['if'], $selected_interfaces)) {
+                return true;
+            }
+
+            return false;
+        }, SORT_REGULAR);
+
+        $response['interfaces'] = $interfaces;
+        return $response;
+    }
+
+    public function searchPrefixAction()
+    {
+        $backend = new Backend();
+        $prefixes = [];
+
+        $raw_leases = json_decode($backend->configdpRun('dhcpd6 list leases 1'), true);
+        foreach ($raw_leases as $raw_lease) {
+            if ($raw_lease['lease_type'] === 'ia-pd' && array_key_exists('prefixes', $raw_lease)) {
+                $prefix = [];
+                $prefix['lease_type'] = $raw_lease['lease_type'];
+                $prefix['iaid'] = $raw_lease['iaid'];
+                $prefix['duid'] = $raw_lease['duid'];
+                if (array_key_exists('cltt', $raw_lease)) {
+                    $prefix['cltt'] = date('Y/m/d H:i:s', $raw_lease['cltt']);
+                }
+
+                $prefix_raw = $raw_lease['prefixes'][0];
+                $prefix['prefix'] = $prefix_raw['iaprefix'];
+                if (array_key_exists('ends', $prefix_raw)) {
+                    $prefix['ends'] =  date('Y/m/d H:i:s', $prefix_raw['ends']);
+                }
+                $prefix['state'] = $prefix_raw['binding'] == 'free' ? 'expired' : $prefix_raw['binding'];
+                $prefixes[] = $prefix;
+            }
+        }
+
+        return $this->searchRecordsetBase($prefixes, null, 'prefix', null, SORT_REGULAR);
+    }
+
+    public function delLeaseAction($ip)
+    {
+        $result = ["result" => "failed"];
+
+        if ($this->request->isPost()) {
+            $response = json_decode((new Backend())->configdpRun("dhcpd6 remove lease", [$ip]), true);
+            if ($response["removed_leases"] != "0") {
+                $result["result"] = "deleted";
+            }
+        }
+
+        return $result;
+    }
+}
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/Api/ServiceController.php b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/Api/ServiceController.php
new file mode 100644
index 0000000000..e063439791
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/Api/ServiceController.php
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DHCPv6\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+use OPNsense\Core\Config;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceName = 'dhcpd6';
+
+    protected function serviceEnabled()
+    {
+        $config = Config::getInstance()->object();
+
+        foreach ($config->dhcpdv6->children() as $dhcpifconf) {
+            if (!empty((string)$dhcpifconf->enable) && (string)$dhcpifconf->enable == '1') {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/LeasesController.php b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/LeasesController.php
new file mode 100644
index 0000000000..872d5d7de4
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/controllers/OPNsense/DHCPv6/LeasesController.php
@@ -0,0 +1,39 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DHCPv6;
+
+use OPNsense\Base\IndexController;
+
+class LeasesController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->pick('OPNsense/DHCPv6/leases');
+    }
+}
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/views/OPNsense/DHCPv4/leases.volt b/net/isc-dhcp/src/opnsense/mvc/app/views/OPNsense/DHCPv4/leases.volt
new file mode 100644
index 0000000000..f0b0d860c4
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/views/OPNsense/DHCPv4/leases.volt
@@ -0,0 +1,182 @@
+{#
+ # Copyright (c) 2023 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $( document ).ready(function() {
+        let show_inactive = false;
+        let selected_interfaces = [];
+
+        if (window.localStorage) {
+            if (window.localStorage.getItem("api.dhcp.leases.inactive") !== null) {
+                show_inactive = window.localStorage.getItem("api.dhcp.leases.inactive") == 'true'
+                $("#show-inactive").prop('checked', show_inactive);
+            }
+        }
+
+        $("#show-inactive").change(function() {
+            show_inactive = this.checked;
+            if (window.localStorage) {
+                window.localStorage.setItem("api.dhcp.leases.inactive", show_inactive);
+            }
+
+            $("#grid-leases").bootgrid('reload');
+        });
+
+        $("#interface-selection").on("changed.bs.select", function (e) {
+            selected_interfaces = $(this).val();
+            $("#grid-leases").bootgrid('reload');
+        })
+
+        $("#grid-leases").UIBootgrid({
+            search:'/api/dhcpv4/leases/search_lease/',
+            del:'/api/dhcpv4/leases/del_lease/',
+            options: {
+                virtualDOM: true,
+                selection: false,
+                multiSelect: false,
+                useRequestHandlerOnGet: true,
+                requestHandler: function(request) {
+                    request['inactive'] = show_inactive;
+                    request['selected_interfaces'] = selected_interfaces;
+                    return request;
+                },
+                responseHandler: function (response) {
+                    if (response.hasOwnProperty('interfaces')) {
+                        for ([intf, descr] of Object.entries(response['interfaces'])) {
+                            let exists = false;
+                            $('#interface-selection option').each(function() {
+                                if (this.value == intf) {
+                                    exists = true;
+                                }
+                            });
+
+                            if (!exists) {
+                                $("#interface-selection").append($('<option>', {
+                                    value: intf,
+                                    text: descr
+                                }));
+                            }
+                        }
+                        $("#interface-selection").selectpicker('refresh');
+                    }
+                    return response;
+                },
+                formatters: {
+                    "macformatter": function (column, row) {
+                        let mac = '<span class="overflow">' + row.mac + '</span>';
+                        if (row.man != '') {
+                            mac = mac + '<br/>' + '<small class="overflow"><i>' + row.man + '</i></small>';
+                        }
+                        return mac;
+                    },
+                    "tooltipformatter": function (column, row) {
+                        return '<span class="overflow">' + row[column.id] + '</span><br/>'
+                    },
+                    "statusformatter": function (column, row) {
+                        let connected = row.status == 'online' ? 'text-success' : 'text-danger';
+                        return '<i class="fa fa-plug ' + connected +'" title="' + row.status + '" data-toggle="tooltip"></i>'
+                    },
+                    "commands": function (column, row) {
+                        /* we override the default commands data formatter in order to utilize
+                         * two different types of data keys for two different actions. The mapping
+                         * action needs a MAC address, while the delete action requires an IP address.
+                         */
+                        if (row.type == 'static') {
+                            return '';
+                        }
+
+                        let static_map = '';
+                        if (row.if != '') {
+                            static_map = '<a class="btn btn-default btn-xs" href="/services_dhcp_edit.php?if=' + row.if +
+                                '&amp;mac=' + row.mac + '&amp;hostname=' + row["hostname"] + '">' +
+                                '<i class="fa fa-plus fa-fw act-map" data-value="' + row.mac + '" data-toggle="tooltip" ' +
+                                'title="{{lang._("Add a static mapping for this MAC address")}}"></i>' +
+                                '</a>';
+                        }
+
+                        /* The delete action can be hooked up to the default bootgrid behaviour */
+                        let deleteip = '<button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-delete"' +
+                                'data-row-id="' + row.address + '">' +
+                                '<i class="fa fa-trash fa-fw"></i>' +
+                                '</a>';
+
+                        return static_map + ' ' + deleteip;
+                    }
+                }
+            }
+        });
+
+        $("#inactive-selection-wrapper").detach().insertBefore('#grid-leases-header .search');
+        $("#interface-selection-wrapper").detach().insertAfter('#grid-leases-header .search');
+
+        updateServiceControlUI('dhcpv4');
+    });
+</script>
+
+<style>
+.overflow {
+    text-overflow: clip;
+    white-space: normal;
+    word-break: break-word;
+}
+</style>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs"></ul>
+<div class="tab-content content-box col-xs-12 __mb">
+    <div id="inactive-selection-wrapper" style="float: left;">
+        <label>
+            <input id="show-inactive" type="checkbox"/>
+            {{ lang._('Show inactive') }}
+        </label>
+    </div>
+    <div class="btn-group" id="interface-selection-wrapper">
+        <select class="selectpicker" multiple="multiple" data-live-search="true" id="interface-selection" data-width="auto" title="All Interfaces">
+        </select>
+    </div>
+    <table id="grid-leases" class="table table-condensed table-hover table-striped table-responsive">
+        <tr>
+        <thead>
+        <tr>
+            <th data-column-id="if_descr" data-type="string">{{ lang._('Interface') }}</th>
+            <th data-column-id="address" data-identifier="true" data-type="string" data-width="8em">{{ lang._('IP Address') }}</th>
+            <th data-column-id="mac" data-type="string" data-formatter="macformatter" data-width="9em">{{ lang._('MAC Address') }}</th>
+            <th data-column-id="hostname" data-type="string" data-formatter="tooltipformatter">{{ lang._('Hostname') }}</th>
+            <th data-column-id="descr" data-type="string" data-formatter="tooltipformatter">{{ lang._('Description') }}</th>
+            <th data-column-id="starts" data-type="string" data-formatter="tooltipformatter">{{ lang._('Start') }}</th>
+            <th data-column-id="ends" data-type="string" data-formatter="tooltipformatter">{{ lang._('End') }}</th>
+            <th data-column-id="status" data-type="string" data-formatter="statusformatter">{{ lang._('Status') }}</th>
+            <th data-column-id="state" data-type="string">{{ lang._('State') }}</th>
+            <th data-column-id="type" data-type="string">{{ lang._('Lease Type') }}</th>
+            <th data-column-id="commands" data-formatter="commands", data-sortable="false"></th>
+        </tr>
+        </thead>
+        <tbody>
+        </tbody>
+        <tfoot>
+        </tfoot>
+        </tr>
+    </table>
+</div>
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/views/OPNsense/DHCPv6/leases.volt b/net/isc-dhcp/src/opnsense/mvc/app/views/OPNsense/DHCPv6/leases.volt
new file mode 100644
index 0000000000..50fbb44f3b
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/views/OPNsense/DHCPv6/leases.volt
@@ -0,0 +1,221 @@
+{#
+ # Copyright (c) 2023 Deciso B.V.
+ # All rights reserved.
+ #
+ # Redistribution and use in source and binary forms, with or without modification,
+ # are permitted provided that the following conditions are met:
+ #
+ # 1. Redistributions of source code must retain the above copyright notice,
+ #    this list of conditions and the following disclaimer.
+ #
+ # 2. Redistributions in binary form must reproduce the above copyright notice,
+ #    this list of conditions and the following disclaimer in the documentation
+ #    and/or other materials provided with the distribution.
+ #
+ # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ # AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ # POSSIBILITY OF SUCH DAMAGE.
+ #}
+
+<script>
+    $( document ).ready(function() {
+        let show_inactive = false;
+        let selected_interfaces = [];
+
+        if (window.localStorage) {
+            if (window.localStorage.getItem("api.dhcp.leases6.inactive") !== null) {
+                show_inactive = window.localStorage.getItem("api.dhcp.leases6.inactive") == 'true'
+                $("#show-inactive").prop('checked', show_inactive);
+            }
+        }
+
+        $("#show-inactive").change(function() {
+            show_inactive = this.checked;
+            if (window.localStorage) {
+                window.localStorage.setItem("api.dhcp.leases6.inactive", show_inactive);
+            }
+
+            $("#grid-leases").bootgrid('reload');
+        });
+
+        $("#interface-selection").on("changed.bs.select", function (e) {
+            console.log($(this).val());
+            selected_interfaces = $(this).val();
+            $("#grid-leases").bootgrid('reload');
+        })
+
+        $("#grid-leases").UIBootgrid({
+            search:'/api/dhcpv6/leases/search_lease/',
+            del:'/api/dhcpv6/leases/del_lease/',
+            options: {
+                selection: false,
+                multiSelect: false,
+                useRequestHandlerOnGet: true,
+                requestHandler: function(request) {
+                    request['inactive'] = show_inactive;
+                    request['selected_interfaces'] = selected_interfaces;
+                    return request;
+                },
+                responseHandler: function (response) {
+                    if (response.hasOwnProperty('interfaces')) {
+                        for ([intf, descr] of Object.entries(response['interfaces'])) {
+                            let exists = false;
+                            $('#interface-selection option').each(function() {
+                                if (this.value == intf) {
+                                    exists = true;
+                                }
+                            });
+
+                            if (!exists) {
+                                $("#interface-selection").append($('<option>', {
+                                    value: intf,
+                                    text: descr
+                                }));
+                            }
+                        }
+                        $("#interface-selection").selectpicker('refresh');
+                    }
+                    return response;
+                },
+                formatters: {
+                    "macformatter": function (column, row) {
+                        let mac = '<span class="overflow">' + row.mac + '</span>';
+                        if (row.man != '') {
+                            mac = mac + '<br/>' + '<small><i>' + row.man + '</i></small>';
+                        }
+                        return mac;
+                    },
+                    "overflow": function (column, row) {
+                        return '<span class="overflow">' + row[column.id] + '</span><br/>'
+                    },
+                    "statusformatter": function (column, row) {
+                        let connected = row.status == 'online' ? 'text-success' : 'text-danger';
+                        return '<i class="fa fa-plug ' + connected +'" title="' + row.status + '" data-toggle="tooltip"></i>'
+                    },
+                    "commands": function (column, row) {
+                        /* we override the default commands data formatter in order to utilize
+                         * two different types of data keys for two different actions. The mapping
+                         * action needs a DUID, while the delete action requires an IPv6 address.
+                         */
+                        if (row.type == 'static') {
+                            return '';
+                        }
+
+                        let static_map = '';
+
+                        if (row.if != '') {
+                            static_map = '<a class="btn btn-default btn-xs" href="/services_dhcpv6_edit.php?if=' + row.if +
+                                '&amp;duid=' + row.duid + '">' +
+                                '<i class="fa fa-plus fa-fw act-map" data-value="' + row.duid + '" data-toggle="tooltip" ' +
+                                'title="{{lang._("Add a static mapping for this MAC address")}}"></i>' +
+                                '</a>';
+                        }
+
+                        /* The delete action can be hooked up to the default bootgrid behaviour */
+                        let deleteip = '<button type="button" class="btn btn-xs btn-default bootgrid-tooltip command-delete"' +
+                                'data-row-id="' + row.address + '" data-action="deleteSelected">' +
+                                '<i class="fa fa-trash fa-fw"></i>' +
+                                '</a>';
+
+                        return static_map + ' ' + deleteip;
+                    }
+                }
+            }
+        }).on("loaded.rs.jquery.bootgrid", function (e) {
+            $(".lease-tooltip").tooltip({placement: "auto left"});
+        });
+
+        $("#grid-prefixes").UIBootgrid({
+            search:'/api/dhcpv6/leases/search_prefix/'
+        });
+
+        $("#inactive-selection-wrapper").detach().insertBefore('#grid-leases-header .search');
+        $("#interface-selection-wrapper").detach().insertAfter('#grid-leases-header .search');
+
+        if (window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click();
+        } else {
+            $('a[href="#leases"]').click();
+        }
+
+        updateServiceControlUI('dhcpv6');
+    });
+</script>
+
+<style>
+.overflow {
+    text-overflow: clip;
+    white-space: normal;
+    word-break: break-word;
+}
+</style>
+
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
+    <li><a data-toggle="tab" href="#leases" id="leases_tab">{{ lang._('Leases') }}</a></li>
+    <li><a data-toggle="tab" href="#prefixes" id="prefixes_tab">{{ lang._('Delegated Prefixes') }}</a></li>
+</ul>
+<div class="tab-content content-box col-xs-12 __mb">
+    <div id="leases" class="tab-pane fade in active">
+        <div id="inactive-selection-wrapper" style="float: left;">
+            <label>
+                <input id="show-inactive" type="checkbox"/>
+                {{ lang._('Show inactive') }}
+            </label>
+        </div>
+        <div class="btn-group" id="interface-selection-wrapper">
+            <select class="selectpicker" multiple="multiple" data-live-search="true" id="interface-selection" data-width="auto" title="All Interfaces">
+            </select>
+        </div>
+        <table id="grid-leases" class="table table-condensed table-hover table-striped table-responsive">
+            <tr>
+            <thead>
+            <tr>
+                <th data-column-id="if_descr" data-type="string" data-formatter="overflow">{{ lang._('Interface') }}</th>
+                <th data-column-id="address" data-identifier="true" data-width="12em" data-formatter="overflow">{{ lang._('IP Address') }}</th>
+                <th data-column-id="iaid" data-type="number" data-formatter="overflow">{{ lang._('IAID') }}</th>
+                <th data-column-id="duid" data-type="string" data-formatter="overflow">{{ lang._('DUID') }}</th>
+                <th data-column-id="mac" data-type="string" data-width="9em" data-formatter="macformatter">{{ lang._('MAC Address') }}</th>
+                <th data-column-id="descr" data-type="string" data-formatter="overflow">{{ lang._('Description') }}</th>
+                <th data-column-id="cltt" data-type="string" data-formatter="overflow">{{ lang._('Last Transaction Time') }}</th>
+                <th data-column-id="ends" data-type="string" data-formatter="overflow">{{ lang._('End') }}</th>
+                <th data-column-id="status" data-type="string" data-formatter="statusformatter">{{ lang._('Status') }}</th>
+                <th data-column-id="state" data-type="string">{{ lang._('State') }}</th>
+                <th data-column-id="type" data-type="string">{{ lang._('Lease Type') }}</th>
+                <th data-column-id="commands" data-formatter="commands", data-sortable="false"></th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            </tfoot>
+            </tr>
+        </table>
+    </div>
+    <div id="prefixes" class="tab-pane fade in">
+        <table id="grid-prefixes" class="table table-condensed table-hover table-striped table-responsive">
+            <tr>
+            <thead>
+            <tr>
+                <th data-column-id="prefix" data-type="string">{{ lang._('IPv6 Prefix') }}</th>
+                <th data-column-id="iaid" data-type="number" data-width="5em">{{ lang._('IAID') }}</th>
+                <th data-column-id="duid" data-type="string">{{ lang._('DUID') }}</th>
+                <th data-column-id="cltt" data-type="string">{{ lang._('Last Transaction Time') }}</th>
+                <th data-column-id="ends" data-type="string">{{ lang._('End') }}</th>
+                <th data-column-id="state" data-type="string">{{ lang._('State') }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            </tfoot>
+            </tr>
+        </table>
+    </div>
+</div>
diff --git a/net/isc-dhcp/src/www/services_dhcp.php b/net/isc-dhcp/src/www/services_dhcp.php
new file mode 100644
index 0000000000..21667c0c9f
--- /dev/null
+++ b/net/isc-dhcp/src/www/services_dhcp.php
@@ -0,0 +1,1218 @@
+<?php
+
+/*
+ * Copyright (C) 2014-2021 Deciso B.V.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("filter.inc");
+require_once("system.inc");
+require_once("interfaces.inc");
+require_once("plugins.inc.d/dhcpd.inc");
+
+function validate_partial_mac_list($maclist)
+{
+    $macs = explode(',', $maclist);
+
+    foreach ($macs as $mac) {
+        if (!is_macaddr($mac, true)) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
+function reconfigure_dhcpd()
+{
+    system_resolver_configure();
+    dhcpd_dhcp4_configure();
+    clear_subsystem_dirty('staticmaps');
+}
+
+$config_copy_fieldsnames = array('enable', 'staticarp', 'failover_peerip', 'failover_split', 'descr',
+  'defaultleasetime', 'maxleasetime', 'gateway', 'domain', 'domainsearchlist', 'denyunknown','ignoreuids', 'ddnsdomain',
+  'ddnsdomainprimary', 'ddnsdomainkeyname', 'ddnsdomainkey', 'ddnsdomainalgorithm', 'ddnsupdate', 'mac_allow',
+  'mac_deny', 'tftp', 'bootfilename', 'ldap', 'netboot', 'nextserver', 'filename', 'filename32', 'filename64',
+  'filename32arm', 'filename64arm', 'filenameipxe', 'rootpath', 'netmask', 'numberoptions', 'interface_mtu', 'wpad', 'omapi', 'omapiport',
+  'omapialgorithm', 'omapikey', 'minsecs');
+
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    // handle identifiers and action
+    if (!empty($_GET['if']) && !empty($config['interfaces'][$_GET['if']]) &&
+        isset($config['interfaces'][$_GET['if']]['enable']) &&
+        is_ipaddr($config['interfaces'][$_GET['if']]['ipaddr'])) {
+        $if = $_GET['if'];
+        if (isset($_GET['pool']) && !empty($config['dhcpd'][$_GET['if']]['pool'][$_GET['pool']])) {
+            $pool = $_GET['pool'];
+        }
+    } else {
+        /* if no interface is provided this invoke is invalid */
+        header(url_safe('Location: /index.php'));
+        exit;
+    }
+
+    $a_pools = &config_read_array('dhcpd', $if, 'pool');
+
+    if (!empty($_GET['act'])) {
+        $act = $_GET['act'];
+    } else {
+        $act = null;
+    }
+
+    // point to source of data (pool or main dhcp section)
+    if (isset($pool)) {
+        $dhcpdconf = &$a_pools[$pool];
+    } elseif ($act == "newpool") {
+        $dhcpdconf = array();
+    } else {
+        $dhcpdconf = &config_read_array('dhcpd', $if);
+    }
+    $pconfig = array();
+    // simple 1-on-1 copy
+    foreach ($config_copy_fieldsnames as $fieldname) {
+        if (isset($dhcpdconf[$fieldname])) {
+            $pconfig[$fieldname] = $dhcpdconf[$fieldname];
+        } else {
+            $pconfig[$fieldname] = null;
+        }
+    }
+    // handle booleans
+    $pconfig['enable'] =  isset($dhcpdconf['enable']);
+    $pconfig['wpad'] =  isset($dhcpdconf['wpad']);
+    $pconfig['staticarp'] = isset($dhcpdconf['staticarp']);
+    $pconfig['denyunknown'] = isset($dhcpdconf['denyunknown']);
+    $pconfig['ignoreuids'] = isset($dhcpdconf['ignoreuids']);
+    $pconfig['ddnsupdate'] = isset($dhcpdconf['ddnsupdate']);
+    $pconfig['netboot'] = isset($dhcpdconf['netboot']);
+
+    // array conversions
+    $pconfig['numberoptions'] = !empty($pconfig['numberoptions']) ? $pconfig['numberoptions'] : array();
+
+    // list items
+    $pconfig['range_from'] = !empty($dhcpdconf['range']['from']) ? $dhcpdconf['range']['from'] : "";
+    $pconfig['range_to'] = !empty($dhcpdconf['range']['to']) ? $dhcpdconf['range']['to'] : "";
+    $pconfig['wins1'] = !empty($dhcpdconf['winsserver'][0]) ? $dhcpdconf['winsserver'][0] : "";
+    $pconfig['wins2'] = !empty($dhcpdconf['winsserver'][1]) ? $dhcpdconf['winsserver'][1] : "";
+    $pconfig['dns1'] = !empty($dhcpdconf['dnsserver'][0]) ? $dhcpdconf['dnsserver'][0] : "";
+    $pconfig['dns2'] = !empty($dhcpdconf['dnsserver'][1]) ? $dhcpdconf['dnsserver'][1] : "";
+    $pconfig['ntp1'] = !empty($dhcpdconf['ntpserver'][0]) ? $dhcpdconf['ntpserver'][0] : "";
+    $pconfig['ntp2'] = !empty($dhcpdconf['ntpserver'][1]) ? $dhcpdconf['ntpserver'][1] : "";
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    // handle identifiers and actions
+    if (!empty($_POST['if']) && !empty($config['interfaces'][$_POST['if']])) {
+        $if = $_POST['if'];
+        if (isset($_POST['pool']) && !empty($config['dhcpd'][$_POST['if']]['pool'][$_POST['pool']])) {
+            $pool = $_POST['pool'];
+        }
+    }
+
+    $a_pools = &config_read_array('dhcpd', $if, 'pool');
+
+    if (!empty($_POST['act'])) {
+        $act = $_POST['act'];
+    } else {
+        $act = null;
+    }
+    $pconfig = $_POST;
+    $input_errors = array();
+
+    if (isset($_POST['submit'])) {
+        // transform Additional BOOTP/DHCP Options
+        $pconfig['numberoptions'] =  array();
+        if (isset($pconfig['numberoptions_number'])) {
+            $pconfig['numberoptions']['item'] = array();
+            foreach ($pconfig['numberoptions_number'] as $opt_seq => $opt_number) {
+                if (!empty($opt_number)) {
+                    $pconfig['numberoptions']['item'][] = array('number' => $opt_number,
+                                                                'type' => $pconfig['numberoptions_type'][$opt_seq],
+                                                                'value' => $pconfig['numberoptions_value'][$opt_seq]
+                                                          );
+                }
+            }
+        }
+
+        /* input validation */
+        $reqdfields = explode(" ", "range_from range_to");
+        $reqdfieldsn = array(gettext("Range begin"),gettext("Range end"));
+
+        do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
+
+        if (!is_ipaddrv4($pconfig['range_from'])) {
+            $input_errors[] = gettext("A valid range must be specified.");
+        }
+        if (!is_ipaddrv4($pconfig['range_to'])) {
+            $input_errors[] = gettext("A valid range must be specified.");
+        }
+        if (!empty($pconfig['gateway']) && $pconfig['gateway'] != "none" && !is_ipaddrv4($pconfig['gateway'])) {
+            $input_errors[] = gettext("A valid IP address must be specified for the gateway.");
+        }
+        if ((!empty($pconfig['wins1']) && !is_ipaddrv4($pconfig['wins1'])) || (!empty($pconfig['wins2']) && !is_ipaddrv4($pconfig['wins2']))) {
+            $input_errors[] = gettext("A valid IP address must be specified for the primary/secondary WINS servers.");
+        }
+        list (, $parent_net) = interfaces_primary_address($pconfig['if']);
+        if (is_subnetv4($parent_net) && $pconfig['gateway'] && $pconfig['gateway'] != "none") {
+            if (!ip_in_subnet($pconfig['gateway'], $parent_net) && !ip_in_interface_alias_subnet($pconfig['if'], $pconfig['gateway'])) {
+                $input_errors[] = sprintf(gettext("The gateway address %s does not lie within the chosen interface's subnet."), $pconfig['gateway']);
+            }
+        }
+        if ((!empty($pconfig['dns1']) && !is_ipaddrv4($pconfig['dns1'])) || (!empty($pconfig['dns2']) && !is_ipaddrv4($pconfig['dns2']))) {
+            $input_errors[] = gettext("A valid IP address must be specified for the primary/secondary DNS servers.");
+        }
+
+        if (!empty($pconfig['defaultleasetime']) && (!is_numeric($pconfig['defaultleasetime']) || ($pconfig['defaultleasetime'] < 60))) {
+            $input_errors[] = gettext("The default lease time must be at least 60 seconds.");
+        }
+
+        if (!empty($pconfig['maxleasetime']) && (!is_numeric($pconfig['maxleasetime']) || ($pconfig['maxleasetime'] < 60) || ($pconfig['maxleasetime'] <= $pconfig['defaultleasetime']))) {
+            $input_errors[] = gettext("The maximum lease time must be at least 60 seconds and higher than the default lease time.");
+        }
+
+        if (!empty($pconfig['minsecs']) && (!is_numeric($pconfig['minsecs']) || ($pconfig['minsecs'] < 0) || ($pconfig['minsecs'] > 255))) {
+            $input_errors[] = gettext("The response delay must be higher than 0 and no more than 255 seconds.");
+        }
+
+        if ((!empty($pconfig['ddnsdomain']) && !is_domain($pconfig['ddnsdomain']))) {
+            $input_errors[] = gettext("A valid domain name must be specified for the dynamic DNS registration.");
+        }
+        if ((!empty($pconfig['ddnsdomainprimary']) && !is_ipaddrv4($pconfig['ddnsdomainprimary']))) {
+            $input_errors[] = gettext("A valid primary domain name server IP address must be specified for the dynamic domain name.");
+        }
+        if (!empty($pconfig['ddnsdomainkey']) && base64_encode(base64_decode($pconfig['ddnsdomainkey'], true)) !== $pconfig['ddnsdomainkey']) {
+            $input_errors[] = gettext('You must specify a Base64-encoded domain key.');
+        }
+        if ((!empty($pconfig['ddnsdomainkey']) && empty($pconfig['ddnsdomainkeyname'])) ||
+            (!empty($pconfig['ddnsdomainkeyname']) && empty($pconfig['ddnsdomainkey']))
+            ) {
+            $input_errors[] = gettext("You must specify both a valid domain key and key name.");
+        }
+        if (!empty($pconfig['domainsearchlist'])) {
+            $domain_array=preg_split("/[ ;]+/",$pconfig['domainsearchlist']);
+            foreach ($domain_array as $curdomain) {
+                if (!is_domain($curdomain, true)) {
+                    $input_errors[] = gettext("A valid domain search list must be specified.");
+                    break;
+                }
+            }
+        }
+
+        // Validate MACs
+        if (!empty($pconfig['mac_allow']) && !validate_partial_mac_list($pconfig['mac_allow'])) {
+            $input_errors[] = gettext("If you specify a mac allow list, it must contain only valid partial MAC addresses.");
+        }
+        if (!empty($pconfig['mac_deny']) && !validate_partial_mac_list($pconfig['mac_deny'])) {
+            $input_errors[] = gettext("If you specify a mac deny list, it must contain only valid partial MAC addresses.");
+        }
+
+        if ((!empty($pconfig['ntp1']) && !is_ipaddrv4($pconfig['ntp1'])) || (!empty($pconfig['ntp2']) && !is_ipaddrv4($pconfig['ntp2']))) {
+            $input_errors[] = gettext("A valid IP address must be specified for the primary/secondary NTP servers.");
+        }
+        if (!empty($pconfig['domain']) && !is_domain($pconfig['domain'], true)) {
+            $input_errors[] = gettext("A valid domain name must be specified for the DNS domain.");
+        }
+        if (!empty($pconfig['tftp']) && !is_ipaddrv4($pconfig['tftp']) && !is_domain($pconfig['tftp']) && !is_URL($pconfig['tftp'])) {
+            $input_errors[] = gettext("A valid IP address or hostname must be specified for the TFTP server.");
+        }
+        if (!empty($pconfig['nextserver']) && !is_ipaddrv4($pconfig['nextserver'])) {
+            $input_errors[] = gettext("A valid IP address must be specified for the network boot server.");
+        }
+
+        if (gen_subnet($config['interfaces'][$if]['ipaddr'], $config['interfaces'][$if]['subnet']) == $pconfig['range_from']) {
+            $input_errors[] = gettext("You cannot use the network address in the starting subnet range.");
+        }
+        if (gen_subnet_max($config['interfaces'][$if]['ipaddr'], $config['interfaces'][$if]['subnet']) == $pconfig['range_to']) {
+            $input_errors[] = gettext("You cannot use the broadcast address in the ending subnet range.");
+        }
+
+        if ($pconfig['omapi'] && (empty($pconfig['omapiport']) || !is_numeric($pconfig['omapiport']) || $pconfig['omapiport'] < 1 || $pconfig['omapiport'] > 65535)) {
+            $input_errors[] = gettext("A valid port number must be specified for the OMAPI port.");
+        }
+
+        // Disallow a range that includes the virtualip
+        if (isset($config['virtualip']['vip'])) {
+            foreach($config['virtualip']['vip'] as $vip) {
+                if ($vip['interface'] == $if) {
+                    if ($vip['subnet'] && is_inrange_v4($vip['subnet'], $pconfig['range_from'], $pconfig['range_to'])) {
+                        $input_errors[] = sprintf(gettext("The subnet range cannot overlap with virtual IP address %s."),$vip['subnet']);
+                    }
+                }
+            }
+        }
+
+        $a_maps = &config_read_array('dhcpd', $if, 'staticmap');
+        $noip = false;
+        foreach ($a_maps as $map) {
+            if (empty($map['ipaddr'])) {
+                $noip = true;
+            }
+        }
+        if (!empty($pconfig['staticarp']) && $noip) {
+            $input_errors[] = gettext("Cannot enable static ARP when you have static map entries without IP addresses. Ensure all static maps have IP addresses and try again.");
+        }
+        if (!empty($pconfig['interface_mtu']) && (
+          (string)((int)$pconfig['interface_mtu']) != $pconfig['interface_mtu'] || $pconfig['interface_mtu'] < 68 || $pconfig['interface_mtu'] > 65535)
+        ) {
+            $input_errors[] = gettext("A valid MTU value must be specified.");
+        }
+        if ($pconfig['failover_split'] != "" && (
+            (string)((int)$pconfig['failover_split']) != $pconfig['failover_split'] || $pconfig['failover_split'] < 0 || $pconfig['failover_split'] > 256)
+        ) {
+            $input_errors[] = gettext("Failover split must be a number between 0 and 256.");
+        }
+
+        if (is_array($pconfig['numberoptions']['item'])) {
+            foreach ($pconfig['numberoptions']['item'] as $numberoption) {
+              if ($numberoption['type'] == 'text' && strstr($numberoption['value'], '"')) {
+                  $input_errors[] = gettext("Text type cannot include quotation marks.");
+              } elseif ($numberoption['type'] == 'string' && !preg_match('/^"[^"]*"$/', $numberoption['value']) && !preg_match('/^[0-9a-f]{2}(?:\:[0-9a-f]{2})*$/i', $numberoption['value'])) {
+                  $input_errors[] = gettext("String type must be enclosed in quotes like \"this\" or must be a series of octets specified in hexadecimal, separated by colons, like 01:23:45:67:89:ab:cd:ef");
+              } elseif ($numberoption['type'] == 'boolean' && $numberoption['value'] != 'true' && $numberoption['value'] != 'false' && $numberoption['value'] != 'on' && $numberoption['value'] != 'off') {
+                  $input_errors[] = gettext("Boolean type must be true, false, on, or off.");
+              } elseif ($numberoption['type'] == 'unsigned integer 8' && (!is_numeric($numberoption['value']) || $numberoption['value'] < 0 || $numberoption['value'] > 255)) {
+                  $input_errors[] = gettext("Unsigned 8-bit integer type must be a number in the range 0 to 255.");
+              } elseif ($numberoption['type'] == 'unsigned integer 16' && (!is_numeric($numberoption['value']) || $numberoption['value'] < 0 || $numberoption['value'] > 65535)) {
+                  $input_errors[] = gettext("Unsigned 16-bit integer type must be a number in the range 0 to 65535.");
+              } elseif ($numberoption['type'] == 'unsigned integer 32' && (!is_numeric($numberoption['value']) || $numberoption['value'] < 0 || $numberoption['value'] > 4294967295) ) {
+                  $input_errors[] = gettext("Unsigned 32-bit integer type must be a number in the range 0 to 4294967295.");
+              } elseif ($numberoption['type'] == 'signed integer 8' && (!is_numeric($numberoption['value']) || $numberoption['value'] < -128 || $numberoption['value'] > 127)) {
+                  $input_errors[] = gettext("Signed 8-bit integer type must be a number in the range -128 to 127.");
+              } elseif ($numberoption['type'] == 'signed integer 16' && (!is_numeric($numberoption['value']) || $numberoption['value'] < -32768 || $numberoption['value'] > 32767)) {
+                  $input_errors[] = gettext("Signed 16-bit integer type must be a number in the range -32768 to 32767.");
+              } elseif ($numberoption['type'] == 'signed integer 32' && (!is_numeric($numberoption['value']) || $numberoption['value'] < -2147483648 || $numberoption['value'] > 2147483647)) {
+                  $input_errors[] = gettext("Signed 32-bit integer type must be a number in the range -2147483648 to 2147483647.");
+              } elseif ($numberoption['type'] == 'ip-address' && !is_ipaddrv4($numberoption['value']) && !is_hostname($numberoption['value'])) {
+                  $input_errors[] = gettext("IP address or host type must be an IP address or host name.");
+              }
+            }
+        }
+
+        if (count($input_errors) == 0 && isset($pconfig['enable'])) {
+            /* make sure the range lies within the current subnet */
+            $subnet_start = ip2ulong(long2ip32(ip2long($config['interfaces'][$if]['ipaddr']) & gen_subnet_mask_long($config['interfaces'][$if]['subnet'])));
+            $subnet_end = ip2ulong(long2ip32(ip2long($config['interfaces'][$if]['ipaddr']) | (~gen_subnet_mask_long($config['interfaces'][$if]['subnet']))));
+
+            if ((ip2ulong($pconfig['range_from']) < $subnet_start) || (ip2ulong($pconfig['range_from']) > $subnet_end) ||
+              (ip2ulong($pconfig['range_to']) < $subnet_start) || (ip2ulong($pconfig['range_to']) > $subnet_end)) {
+                $input_errors[] = gettext("The specified range lies outside of the current subnet.");
+            }
+
+            if (ip2ulong($pconfig['range_from']) > ip2ulong($pconfig['range_to'])) {
+                $input_errors[] = gettext("The range is invalid (first element higher than second element).");
+            }
+
+            if (isset($pool) || ($act == "newpool")) {
+                $rfrom = $config['dhcpd'][$if]['range']['from'];
+                $rto = $config['dhcpd'][$if]['range']['to'];
+                if (is_inrange_v4($pconfig['range_from'], $rfrom, $rto) || is_inrange_v4($pconfig['range_to'], $rfrom, $rto)) {
+                    $input_errors[] = gettext("The specified range must not be within the DHCP range for this interface.");
+                }
+            }
+
+            foreach ($a_pools as $id => $p) {
+                if (isset($pool) && ($id == $pool)) {
+                    continue;
+                }
+                if (is_inrange_v4($pconfig['range_from'], $p['range']['from'], $p['range']['to']) ||
+                    is_inrange_v4($pconfig['range_to'], $p['range']['from'], $p['range']['to'])) {
+                    $input_errors[] = gettext("The specified range must not be within the range configured on a DHCP pool for this interface.");
+                    break;
+                }
+            }
+        }
+
+        // save data
+        if (count($input_errors) == 0) {
+            $dhcpdconf = array();
+            // simple 1-on-1 copy
+            foreach ($config_copy_fieldsnames as $fieldname) {
+                if (!empty($pconfig[$fieldname]) || $pconfig[$fieldname] === "0") {
+                    $dhcpdconf[$fieldname] = $pconfig[$fieldname];
+                }
+            }
+            // handle booleans
+            $dhcpdconf['enable'] = !empty($dhcpdconf['enable']);
+            $dhcpdconf['staticarp'] = !empty($dhcpdconf['staticarp']);
+            $dhcpdconf['denyunknown'] = !empty($dhcpdconf['denyunknown']);
+            $dhcpdconf['ignoreuids'] = !empty($dhcpdconf['ignoreuids']);
+            $dhcpdconf['ddnsupdate'] = !empty($dhcpdconf['ddnsupdate']);
+            $dhcpdconf['netboot'] = !empty($dhcpdconf['netboot']);
+
+            // supply range
+            $dhcpdconf['range'] = array();
+            $dhcpdconf['range']['from'] = $pconfig['range_from'];
+            $dhcpdconf['range']['to'] = $pconfig['range_to'];
+
+            // array types
+            $dhcpdconf['winsserver'] = [];
+            if (!empty($pconfig['wins1'])) {
+                $dhcpdconf['winsserver'][] = $pconfig['wins1'];
+            }
+            if (!empty($pconfig['wins2'])) {
+                $dhcpdconf['winsserver'][] = $pconfig['wins2'];
+            }
+            $dhcpdconf['dnsserver'] = [];
+            if (!empty($pconfig['dns1'])) {
+                $dhcpdconf['dnsserver'][] = $pconfig['dns1'];
+            }
+            if (!empty($pconfig['dns2'])) {
+                $dhcpdconf['dnsserver'][] = $pconfig['dns2'];
+            }
+            $dhcpdconf['ntpserver'] = [];
+            if (!empty($pconfig['ntp1'])) {
+                $dhcpdconf['ntpserver'][] = $pconfig['ntp1'];
+            }
+            if (!empty($pconfig['ntp2'])) {
+                $dhcpdconf['ntpserver'][] = $pconfig['ntp2'];
+            }
+
+            // handle changes
+            if (!isset($pool) && $act != "newpool") {
+                if (isset($config['dhcpd'][$if]['enable']) != !empty($pconfig['enable'])) {
+                    // DHCP has been enabled or disabled.
+                    //  The pf ruleset will need to be rebuilt to allow or disallow DHCP.
+                    $exec_filter_configure = true;
+                }
+                $previous = !empty($config['dhcpd'][$if]['failover_peerip']) ? $config['dhcpd'][$if]['failover_peerip'] : "";
+                if ($previous != $pconfig['failover_peerip']) {
+                    mwexecf('/bin/rm -rf /var/dhcpd/var/db/*');
+                }
+            }
+            // save changes to config
+            if (isset($pool)) {
+                $a_pools[$pool] = $dhcpdconf;
+            } elseif ($act == "newpool") {
+                $a_pools[] = $dhcpdconf;
+            } else {
+                // copy structures back in
+                foreach (array('pool', 'staticmap') as $fieldname) {
+                    if (!empty($config['dhcpd'][$if][$fieldname])) {
+                        $dhcpdconf[$fieldname] = $config['dhcpd'][$if][$fieldname];
+                    }
+                }
+                $config['dhcpd'][$if] = $dhcpdconf;
+            }
+            write_config();
+            if (isset($exec_filter_configure)) {
+                filter_configure();
+            }
+            reconfigure_dhcpd();
+            header(url_safe('Location: /services_dhcp.php?if=%s', array($if)));
+            exit;
+        }
+    } elseif (isset($_POST['apply'])) {
+        // apply changes
+        reconfigure_dhcpd();
+        header(url_safe('Location: /services_dhcp.php?if=%s', array($if)));
+        exit;
+    } elseif ($act ==  "del") {
+        if (!empty($config['dhcpd'][$if]['staticmap'][$_POST['id']])) {
+            if (isset($config['dhcpd'][$if]['staticmap'][$_POST['id']]['ipaddr'])) {
+                configdp_run('interface remove arp', [
+                    $config['dhcpd'][$if]['staticmap'][$_POST['id']]['ipaddr']
+                ]);
+            }
+            unset($config['dhcpd'][$if]['staticmap'][$_POST['id']]);
+            write_config();
+            if (isset($config['dhcpd'][$if]['enable'])) {
+                mark_subsystem_dirty('staticmaps');
+            }
+        }
+        header(url_safe('Location: /services_dhcp.php?if=%s', array($if)));
+        exit;
+    } elseif ($act ==  "delpool") {
+        if (!empty($a_pools[$_POST['id']])) {
+            unset($a_pools[$_POST['id']]);
+            write_config();
+        }
+        header(url_safe('Location: /services_dhcp.php?if=%s', array($if)));
+    } elseif ($act == "export") {
+        $static = dhcpd_staticmap(null, true, null, true);
+
+        header("Content-Type: text/csv");
+        header("Content-Disposition: attachment; filename=\"isc_export_{$if}.csv\"");
+        header("Content-Transfer-Encoding: binary");
+        header("Pragma: no-cache");
+        header("Expires: 0");
+
+        $stream = fopen('php://output', 'w');
+
+        fputcsv($stream, ['ip_address', 'hw_address', 'hostname', 'description']);
+        foreach ($static as $record) {
+            if ($record['interface'] !== $if) {
+                continue;
+            }
+
+            fputcsv($stream, array_map(fn($k) => $record[$k], ['ipaddr', 'mac', 'hostname', 'descr']));
+        }
+
+        @fclose($stream);
+
+        exit;
+    }
+}
+
+$range_from = ip2long(long2ip32(ip2long($config['interfaces'][$if]['ipaddr']) & gen_subnet_mask_long($config['interfaces'][$if]['subnet']))) + 1;
+$range_to = ip2long(long2ip32(ip2long($config['interfaces'][$if]['ipaddr']) | (~gen_subnet_mask_long($config['interfaces'][$if]['subnet'])))) - 1;
+
+$service_hook = 'dhcpd';
+legacy_html_escape_form_data($pconfig);
+include("head.inc");
+?>
+
+<body>
+
+<script>
+//<![CDATA[
+    function show_shownumbervalue() {
+        $("#shownumbervaluebox").html('');
+        $("#shownumbervalue").show();
+    }
+
+    function show_ddns_config() {
+        $("#showddnsbox").html('');
+        $("#showddns").show();
+    }
+
+    function show_maccontrol_config() {
+        $("#showmaccontrolbox").html('');
+        $("#showmaccontrol").show();
+    }
+
+    function show_ntp_config() {
+        $("#showntpbox").html('');
+        $("#showntp").show();
+    }
+
+    function show_tftp_config() {
+        $("#showtftpbox").html('');
+        $("#showtftp").show();
+    }
+
+    function show_ldap_config() {
+        $("#showldapbox").html('');
+        $("#showldap").show();
+    }
+
+    function show_wpad_config() {
+        $("#showwpadbox").html('');
+        $("#showwpad").show();
+    }
+
+    function show_netboot_config() {
+        $("#shownetbootbox").html('');
+        $("#shownetboot").show();
+    }
+
+    function show_omapi_config() {
+        $("#showomapibox").html('');
+        $("#showomapi").show();
+    }
+//]]>
+</script>
+
+<script>
+  $( document ).ready(function() {
+    /**
+     * Additional BOOTP/DHCP Options extendable table
+     */
+    function removeRow() {
+        if ( $('#numberoptions_table > tbody > tr').length == 1 ) {
+            $('#numberoptions_table > tbody > tr:last > td > input').each(function(){
+              $(this).val("");
+            });
+        } else {
+            $(this).parent().parent().remove();
+        }
+    }
+    // add new detail record
+    $("#addNew").click(function(){
+        // copy last row and reset values
+        $('#numberoptions_table > tbody').append('<tr>'+$('#numberoptions_table > tbody > tr:last').html()+'</tr>');
+        $('#numberoptions_table > tbody > tr:last > td > input').each(function(){
+          $(this).val("");
+        });
+        $(".act-removerow").click(removeRow);
+    });
+    $(".act-removerow").click(removeRow);
+
+    // delete pool action
+    $(".act_delete_pool").click(function(event){
+      event.preventDefault();
+      var id = $(this).data("id");
+      var intf = $(this).data("if");
+      // delete single
+      BootstrapDialog.show({
+        type:BootstrapDialog.TYPE_DANGER,
+        title: "<?= gettext("DHCP");?>",
+        message: "<?=gettext("Do you really want to delete this pool?");?>",
+        buttons: [{
+                  label: "<?= gettext("No");?>",
+                  action: function(dialogRef) {
+                      dialogRef.close();
+                  }}, {
+                  label: "<?= gettext("Yes");?>",
+                  action: function(dialogRef) {
+                    $.post(window.location, {act: 'delpool', id:id, if:intf}, function(data) {
+                        location.reload();
+                    });
+                }
+              }]
+      });
+    });
+
+    // delete static action
+    $(".act_delete_static").click(function(event){
+      event.preventDefault();
+      var id = $(this).data("id");
+      var intf = $(this).data("if");
+      // delete single
+      BootstrapDialog.show({
+        type:BootstrapDialog.TYPE_DANGER,
+        title: "<?= gettext("DHCP");?>",
+        message: "<?=gettext("Do you really want to delete this mapping?");?>",
+        buttons: [{
+                  label: "<?= gettext("No");?>",
+                  action: function(dialogRef) {
+                      dialogRef.close();
+                  }}, {
+                  label: "<?= gettext("Yes");?>",
+                  action: function(dialogRef) {
+                    $.post(window.location, {act: 'del', id:id, if:intf}, function(data) {
+                        location.reload();
+                    });
+                }
+              }]
+      });
+    });
+
+    window_highlight_table_option();
+  });
+</script>
+
+<?php include("fbegin.inc"); ?>
+  <section class="page-content-main">
+    <div class="container-fluid">
+      <div class="row">
+        <?php if (isset($input_errors) && count($input_errors) > 0) print_input_errors($input_errors); ?>
+        <?php if (isset($savemsg)) print_info_box($savemsg); ?>
+        <?php if (is_subsystem_dirty('staticmaps')): ?><br/>
+        <?php print_info_box_apply(gettext("The static mapping configuration has been changed") . ".<br />" . gettext("You must apply the changes in order for them to take effect."));?><br />
+        <?php endif; ?>
+        <section class="col-xs-12">
+            <div class="tab-content content-box col-xs-12">
+              <form method="post" name="iform" id="iform">
+                <div class="table-responsive">
+                  <table class="table table-striped opnsense_standard_table_form">
+                    <tr>
+                      <td style="width:22%"></td>
+                      <td style="width:78%; text-align:right">
+                        <small><?=gettext("full help"); ?> </small>
+                        <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+                      </td>
+                    </tr>
+<?php
+                    if (!isset($pool) && !($act == "newpool")): ?>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Enable");?> </td>
+                      <td>
+                        <input name="enable" id="enable" type="checkbox" value="yes" <?=!empty($pconfig['enable']) ? "checked=\"checked\"" : ""; ?> />
+                        <strong><?= sprintf(gettext("Enable DHCP server on the %s interface"),!empty($config['interfaces'][$if]['descr']) ? htmlspecialchars($config['interfaces'][$if]['descr']) : strtoupper($if));?></strong>
+                      </td>
+                    </tr>
+<?php
+                    else: ?>
+                    <tr>
+                      <td colspan="2"><?= gettext('Editing Pool-Specific Options. To return to the Interface, click its tab above.') ?></td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Pool Description");?></td>
+                      <td>
+                        <input name="descr" type="text" id="descr" value="<?=$pconfig['descr'];?>" />
+                      </td>
+                    </tr>
+<?php
+                    endif; ?>
+                    <tr>
+                      <td><a id="help_for_denyunknown" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Deny unknown clients");?></td>
+                      <td>
+                        <input name="denyunknown" type="checkbox" value="yes" <?=!empty($pconfig['denyunknown']) ? "checked=\"checked\"" : ""; ?> />
+                        <div class="hidden" data-for="help_for_denyunknown">
+                          <?=gettext("If this is checked, only the clients defined below will get DHCP leases from this server.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_ignoreuids" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Ignore Client UIDs");?></td>
+                      <td>
+                        <input name="ignoreuids" type="checkbox" value="yes" <?=!empty($pconfig['ignoreuids']) ? "checked=\"checked\"" : ""; ?> />
+                        <div class="hidden" data-for="help_for_ignoreuids">
+                          <?=gettext('By default, the same MAC can get multiple leases if the requests are sent using different UIDs. To avoid this behavior, check this box and client UIDs will be ignored.');?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Subnet");?></td>
+                      <td>
+                        <?=gen_subnet($config['interfaces'][$if]['ipaddr'], $config['interfaces'][$if]['subnet']);?>
+                      </td>
+                    </tr>
+                    <tr>
+                        <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Subnet mask");?></td>
+                        <td>
+                          <?=gen_subnet_mask($config['interfaces'][$if]['subnet']);?>
+                        </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Available range");?></td>
+                      <td>
+<?php if ($range_to <= $range_from): ?>
+                        <span class="text-danger"><?= gettext('No available address range for configured interface subnet size.') ?></span>
+<?php else: ?>
+                        <?= long2ip32($range_from) ?> - <?= long2ip32($range_to) ?>
+<?php endif ?>
+<?php if (isset($pool) || ($act == "newpool")): ?>
+                        <br />In-use DHCP Pool Ranges:
+                          <br /><?=htmlspecialchars($config['dhcpd'][$if]['range']['from']); ?>-<?=htmlspecialchars($config['dhcpd'][$if]['range']['to']);?>
+<?php foreach ($a_pools as $p): ?>
+                          <br /><?= htmlspecialchars($p['range']['from']); ?>-<?=htmlspecialchars($p['range']['to']); ?>
+<?php endforeach ?>
+<?php endif ?>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Range");?></td>
+                      <td>
+                        <table class="table table-condensed">
+                            <thead>
+                              <tr>
+                                <th><?=gettext("from");?></th>
+                                <th><?=gettext("to");?></th>
+                              </tr>
+                            </thead>
+                            <tbody>
+                              <tr>
+                                <td><input name="range_from" type="text" id="range_from" value="<?=$pconfig['range_from'];?>" /></td>
+                                <td><input name="range_to" type="text" id="range_to" value="<?=$pconfig['range_to'];?>" /> </td>
+                              </tr>
+                            </tbody>
+                        </table>
+                      </td>
+                    </tr>
+<?php
+                    if (!isset($pool) && !($act == "newpool")): ?>
+                    <tr>
+                      <td><a id="help_for_additionalpools" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Additional Pools");?></td>
+                      <td>
+                        <table class="table table-condensed">
+                            <thead>
+                              <tr>
+                                <th><?=gettext("Pool Start");?></th>
+                                <th><?=gettext("Pool End");?></th>
+                                <th><?=gettext("Description");?></th>
+                                <th class="text-nowrap">
+                                  <a href="services_dhcp.php?if=<?=htmlspecialchars($if);?>&amp;act=newpool" class="btn btn-primary btn-xs"><i class="fa fa-plus fa-fw"></i></a>
+                                </th>
+                              </tr>
+                            </thead>
+                            <tbody>
+<?php
+                            $i = 0;
+                            foreach ($a_pools as $poolent): ?>
+                            <tr>
+                              <td><?=htmlspecialchars($poolent['range']['from']);?></td>
+                              <td><?=htmlspecialchars($poolent['range']['to']);?></td>
+                              <td><?=htmlspecialchars($poolent['descr']);?></td>
+                              <td class="text-nowrap">
+                                <a href="services_dhcp.php?if=<?=$if;?>&amp;pool=<?=$i;?>" class="btn btn-xs btn-default"><i class="fa fa-pencil fa-fw"></i></a>
+                                <a href="#" data-if="<?=$if;?>" data-id="<?=$i;?>" class="act_delete_pool btn btn-xs btn-default"><i class="fa fa-trash fa-fw"></i></a>
+                              </td>
+                            </tr>
+<?php
+                            $i++;
+                            endforeach;?>
+                            </tbody>
+                        </table>
+                        <div class="hidden" data-for="help_for_additionalpools">
+                            <?=gettext("If you need additional pools of addresses inside of this subnet outside the above Range, they may be specified here."); ?>
+                        </div>
+                      </td>
+                    </tr>
+<?php
+                    endif; ?>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("WINS servers");?></td>
+                      <td>
+                        <input name="wins1" type="text" value="<?=$pconfig['wins1'];?>" /><br />
+                        <input name="wins2" type="text" value="<?=$pconfig['wins2'];?>" />
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_dns" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("DNS servers");?></td>
+                      <td>
+                        <input name="dns1" type="text" value="<?=$pconfig['dns1'];?>" /><br />
+                        <input name="dns2" type="text" value="<?=$pconfig['dns2'];?>" />
+                        <div class="hidden" data-for="help_for_dns">
+                          <?= gettext('Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers.') ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_gateway" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Gateway");?></td>
+                      <td>
+                        <input name="gateway" type="text" class="form-control host" value="<?=$pconfig['gateway'];?>" />
+                        <div class="hidden" data-for="help_for_gateway">
+                          <?=gettext('The default is to use the IP on this interface of the firewall as the gateway, if a valid (online) gateway has been configured under System->Gateways. '.
+                                     'Specify an alternate gateway here if this is not the correct gateway for your network. Type "none" for no gateway assignment.');?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_domain" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Domain name");?></td>
+                      <td>
+                        <input name="domain" type="text" value="<?=$pconfig['domain'];?>" />
+                        <div class="hidden" data-for="help_for_domain">
+                          <?=gettext("The default is to use the domain name of this system as the default domain name provided by DHCP. You may specify an alternate domain name here.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_domainsearchlist" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Domain search list");?></td>
+                      <td>
+                        <input name="domainsearchlist" type="text" id="domainsearchlist" value="<?=$pconfig['domainsearchlist'];?>" />
+                        <div class="hidden" data-for="help_for_domainsearchlist">
+                          <?=gettext("The DHCP server can optionally provide a domain search list. Use the semicolon character as separator.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_defaultleasetime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Default lease time (seconds)")?></td>
+                      <td>
+                        <input name="defaultleasetime" type="text" id="defaultleasetime" value="<?=$pconfig['defaultleasetime'];?>" />
+                        <div class="hidden" data-for="help_for_defaultleasetime">
+                          <?=gettext("This is used for clients that do not ask for a specific expiration time."); ?><br />
+                          <?=gettext("The default is 7200 seconds.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_maxleasetime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum lease time");?> (<?=gettext("seconds");?>)</td>
+                      <td>
+                        <input name="maxleasetime" type="text" id="maxleasetime" value="<?=$pconfig['maxleasetime'];?>" />
+                        <div class="hidden" data-for="help_for_maxleasetime">
+                          <?=gettext("This is the maximum lease time for clients that ask for a specific expiration time."); ?><br />
+                          <?=gettext("The default is 86400 seconds.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_minsecs" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Response delay");?> (<?=gettext("seconds");?>)</td>
+                      <td>
+                        <input name="minsecs" type="text" id="minsecs" value="<?=$pconfig['minsecs'];?>" />
+                        <div class="hidden" data-for="help_for_minsecs">
+                          <?=gettext("This is the minimum number of seconds since a client began trying to acquire a new lease before the DHCP server will respond to its request."); ?><br/>
+                          <?=gettext("The default is 0 seconds (no delay).");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_interface_mtu" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Interface MTU");?></td>
+                      <td>
+                        <input name="interface_mtu"  type="text" value="<?=$pconfig['interface_mtu']?>" />
+                        <div class="hidden" data-for="help_for_interface_mtu">
+                          <?=gettext('This option specifies the MTU to use on this interface. The minimum legal value for the MTU is 68.');?>
+                        </div>
+                      </td>
+                    </tr>
+<?php
+                    if (!isset($pool) && !($act == "newpool")): ?>
+                    <tr>
+                      <td><a id="help_for_failover_peerip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Failover peer IP:");?></td>
+                      <td>
+                        <input name="failover_peerip" type="text" class="form-control host" id="failover_peerip" value="<?=$pconfig['failover_peerip'];?>" />
+                        <div class="hidden" data-for="help_for_failover_peerip">
+                          <?=gettext("Leave blank to disable. Enter the interface IP address of the other machine. Machines must be using CARP. Interface's advskew determines whether the DHCPd process is Primary or Secondary. Ensure one machine's advskew<20 (and the other is >20). Note that changing this value will delete the current leases-database!");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <td><a id="help_for_failover_split" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Failover split:");?></td>
+                      <td>
+                        <input name="failover_split" type="text" class="form-control host" id="failover_split" value="<?=$pconfig['failover_split'];?>" />
+                        <div class="hidden" data-for="help_for_failover_split">
+                          <?=gettext("Leave blank to use default (128) which should be fine for most cases. ".
+                                     "Enter a number (0-256) to specify the load-balancing split between the failover peers, ".
+                                     "the default of 128 means both peers will handle approximately 50% of the clients, ".
+                                     "256 will make the primary handle all the clients. This value is only used on the primary peer, ".
+                                     "leave blank on the secondary.");?>
+                        </div>
+                      </td>
+                    </tr>
+
+                    <tr>
+                      <td><a id="help_for_failover_staticarp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Static ARP");?></td>
+                      <td>
+                        <input type="checkbox" value="yes" name="staticarp" <?=!empty($pconfig['staticarp']) ? " checked=\"checked\"" : ""; ?> />&nbsp;
+                        <strong><?=gettext("Enable Static ARP entries");?></strong>
+                        <div class="hidden" data-for="help_for_failover_staticarp">
+                          <?=gettext("Warning: This option persists even if DHCP server is disabled. Only the machines listed below will be able to communicate with the firewall on this NIC.");?>
+                        </div>
+                      </td>
+                    </tr>
+<?php
+                    endif; ?>
+                    <tr>
+                    <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Dynamic DNS");?></td>
+                    <td>
+                      <div id="showddnsbox">
+                        <input type="button" onclick="show_ddns_config()" class="btn btn-default btn-xs" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show Dynamic DNS");?>
+                      </div>
+                      <div id="showddns" style="display:none">
+                        <input type="checkbox" value="yes" name="ddnsupdate" <?=!empty($pconfig['ddnsupdate']) ? " checked=\"checked\"" :""; ?> />
+                        <strong><?=gettext("Enable registration of DHCP client names in DNS.");?></strong><br />
+                        <?=gettext("Enter the dynamic DNS domain which will be used to register client names in the DNS server.");?>
+                        <?=gettext("Note: Leave blank to disable dynamic DNS registration.");?><br />
+                        <input name="ddnsdomain" type="text" value="<?=$pconfig['ddnsdomain'];?>" />
+                        <?=gettext("Enter the primary domain name server IP address for the dynamic domain name.");?><br />
+                        <input name="ddnsdomainprimary" type="text" value="<?=$pconfig['ddnsdomainprimary'];?>" />
+                        <?=gettext("Enter the dynamic DNS domain key name which will be used to register client names in the DNS server.");?>
+                        <input name="ddnsdomainkeyname" type="text" value="<?=$pconfig['ddnsdomainkeyname'];?>" />
+                        <?=gettext("Enter the dynamic DNS domain key secret which will be used to register client names in the DNS server.");?>
+                        <input name="ddnsdomainkey" type="text" value="<?=$pconfig['ddnsdomainkey'];?>" />
+                        <?=gettext("Choose the dynamic DNS domain key algorithm.");?><br />
+                        <select name='ddnsdomainalgorithm' id="ddnsdomainalgorithm" class="selectpicker">
+<?php
+                        foreach (array("hmac-md5", "hmac-sha512") as $algorithm) :
+                          $selected = "";
+                          if (! empty($pconfig['ddnsdomainalgorithm'])) {
+                            if ($pconfig['ddnsdomainalgorithm'] == $algorithm) {
+                              $selected = "selected=\"selected\"";
+                            }
+                          }?>
+                          <option value="<?=$algorithm;?>" <?=$selected;?>><?=$algorithm;?></option>
+<?php
+                        endforeach; ?>
+                        </select>
+                      </div>
+                    </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("MAC Address Control");?></td>
+                      <td>
+                        <div id="showmaccontrolbox">
+                          <input type="button" onclick="show_maccontrol_config()" class="btn btn-default btn-xs" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show MAC Address Control");?>
+                        </div>
+                        <div id="showmaccontrol" style="display:none">
+                          <?= sprintf(gettext("Enter a list of partial MAC addresses to allow, comma-separated, no spaces, such as %s"), '00:00:00,01:E5:FF') ?>
+                          <input name="mac_allow" type="text" id="mac_allow" value="<?= $pconfig['mac_allow'] ?>" />
+                          <?= sprintf(gettext("Enter a list of partial MAC addresses to deny access, comma-separated, no spaces, such as %s"), '00:00:00,01:E5:FF') ?>
+                          <input name="mac_deny" type="text" id="mac_deny" value="<?= $pconfig['mac_deny'] ?>" /><br />
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("NTP servers");?></td>
+                      <td>
+                        <div id="showntpbox">
+                          <input type="button" onclick="show_ntp_config()" class="btn btn-default btn-xs" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show NTP configuration");?>
+                        </div>
+                        <div id="showntp" style="display:none">
+                          <input name="ntp1" type="text" id="ntp1" value="<?=$pconfig['ntp1'];?>" /><br />
+                          <input name="ntp2" type="text" id="ntp2" value="<?=$pconfig['ntp2'];?>" />
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("TFTP server");?></td>
+                      <td>
+                        <div id="showtftpbox">
+                          <input type="button" onclick="show_tftp_config()" class="btn btn-default btn-xs" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show TFTP configuration");?>
+                        </div>
+                        <div id="showtftp" style="display:none">
+                          <?=gettext("Set TFTP hostname");?>
+                          <input name="tftp" type="text" size="50" value="<?=$pconfig['tftp'];?>" /><br />
+                          <?=gettext("Set Bootfile");?>
+                          <input name="bootfilename" type="text" value="<?=$pconfig['bootfilename'];?>" /><br />
+                          <?=gettext("Leave blank to disable. Enter a full hostname or IP for the TFTP server and optionally a full path for a bootfile.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("LDAP URI");?></td>
+                      <td>
+                        <div id="showldapbox">
+                          <input type="button" onclick="show_ldap_config()" class="btn btn-default btn-xs" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show LDAP configuration");?>
+                        </div>
+                        <div id="showldap" style="display:none">
+                          <input name="ldap" type="text" id="ldap" size="80" value="<?=$pconfig['ldap'];?>" /><br />
+                          <?=sprintf(gettext("Leave blank to disable. Enter a full URI for the LDAP server in the form %s"),'ldap://ldap.example.com/dc=example,dc=com')?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Network booting') ?></td>
+                      <td>
+                        <div id="shownetbootbox">
+                          <input type="button" onclick="show_netboot_config()" class="btn btn-default btn-xs" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show Network booting");?>
+                        </div>
+                        <div id="shownetboot" style="display:none">
+                          <input type="checkbox" value="yes" name="netboot" id="netboot" <?=!empty($pconfig['netboot']) ? " checked=\"checked\"" : ""; ?> />
+                          <?= gettext('Enable network booting') ?>
+                          <br/><br/>
+                          <?=gettext('Set next-server IP');?>
+                          <input name="nextserver" type="text" id="nextserver" value="<?=$pconfig['nextserver'];?>" /><br />
+                          <?=gettext('Set default bios filename');?>
+                          <input name="filename" type="text" id="filename" value="<?=$pconfig['filename'];?>" /><br />
+                          <?=gettext('Set x86 UEFI (32-bit) filename');?>
+                          <input name="filename32" type="text" id="filename32" value="<?=$pconfig['filename32'];?>" /><br />
+                          <?=gettext('Set x64 UEFI/EBC (64-bit) filename');?>
+                          <input name="filename64" type="text" id="filename64" value="<?=$pconfig['filename64'];?>" /><br />
+                          <?=gettext('Set ARM UEFI (32-bit) filename');?>
+                          <input name="filename32arm" type="text" id="filename32arm" value="<?=$pconfig['filename32arm'];?>" /><br />
+                          <?=gettext('Set ARM UEFI (64-bit) filename');?>
+                          <input name="filename64arm" type="text" id="filename64arm" value="<?=$pconfig['filename64arm'];?>" /><br />
+                          <?=gettext('Set iPXE boot filename');?>
+                          <input name="filenameipxe" type="text" id="filenameipxe" value="<?=$pconfig['filenameipxe'];?>" /><br />
+                          <?= gettext('You need both a filename and a boot server configured for this to work.') ?><br/>
+                          <br/>
+                          <?=gettext('Set root-path string');?>
+                          <input name="rootpath" type="text" id="rootpath" size="90" value="<?=$pconfig['rootpath'];?>" /><br />
+                          <?=gettext("Note: string-format: iscsi:(servername):(protocol):(port):(LUN):targetname");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("WPAD");?> </td>
+                      <td>
+                        <div id="showwpadbox">
+                          <input type="button" onclick="show_wpad_config()" class="btn btn-default btn-xs" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show WPAD");?>
+                        </div>
+                        <div id="showwpad" style="display:none">
+                          <input name="wpad" id="wpad" type="checkbox" value="yes" <?=!empty($pconfig['wpad']) ? "checked=\"checked\"" : ""; ?> />
+                          <strong><?= gettext("Enable Web Proxy Auto Discovery") ?></strong>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Enable OMAPI");?></td>
+                      <td>
+                        <div id="showomapibox">
+                          <input type="button" onclick="show_omapi_config()" class="btn btn-default btn-xs" value="<?=gettext("Advanced");?>" /> - <?=gettext("Show OMAPI configuration");?>
+                        </div>
+                        <div id="showomapi" style="display:none">
+                          <input type="checkbox" value="yes" name="omapi" id="omapi" <?=!empty($pconfig['omapi']) ? " checked=\"checked\"" : ""; ?> />
+                          <strong><?=gettext("Enables OMAPI");?></strong>
+                          <br/><br/>
+                          <?=gettext('OMAPI port');?>
+                          <input name="omapiport" type="text" id="omapiport" value="<?=$pconfig['omapiport'];?>" /><br />
+                          <?=gettext('Key algorithm');?>
+                          <input name="omapialgorithm" type="text" id="omapialgorithm" value="<?=$pconfig['omapialgorithm'];?>" /><br />
+                          <?=gettext('OMAPI key');?>
+                          <input name="omapikey" type="text" id="omapikey" value="<?=$pconfig['omapikey'];?>" /><br />
+                        </div>
+                      </td>
+                    </tr>
+<?php
+                    if (!isset($pool) && !($act == "newpool")): ?>
+                    <tr>
+                      <td><a id="help_for_numberoptions" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Additional Options");?></td>
+                      <td>
+                        <div id="shownumbervaluebox">
+                          <input type="button" onclick="show_shownumbervalue()" class="btn btn-default btn-xs" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show Additional BOOTP/DHCP Options");?>
+                        </div>
+                        <div id="shownumbervalue" style="display:none">
+                          <table class="table table-striped table-condensed" id="numberoptions_table">
+                            <thead>
+                              <tr>
+                                <th></th>
+                                <th id="detailsHeading1"><?=gettext("Number"); ?></th>
+                                <th id="detailsHeading3"><?=gettext("Type"); ?></th>
+                                <th id="updatefreqHeader" ><?=gettext("Value");?></th>
+                              </tr>
+                            </thead>
+                            <tbody>
+<?php
+                            if (empty($pconfig['numberoptions']['item'])) {
+                                $numberoptions = array();
+                                $numberoptions[] = array('number' => null, 'value' => null, 'type' => null);
+                            } else {
+                                $numberoptions = $pconfig['numberoptions']['item'];
+                            }
+                            foreach($numberoptions as $item):?>
+                              <tr>
+                                <td>
+                                  <div style="cursor:pointer;" class="act-removerow btn btn-default btn-xs"><i class="fa fa-minus fa-fw"></i></div>
+                                </td>
+                                <td>
+                                  <input name="numberoptions_number[]" type="text" value="<?=$item['number'];?>" />
+                                </td>
+                                <td>
+                                  <select name="numberoptions_type[]">
+                                    <option value="text" <?=$item['type'] == "text" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Text');?>
+                                    </option>
+                                    <option value="string" <?=$item['type'] == "string" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('String');?>
+                                    </option>
+                                    <option value="boolean" <?=$item['type'] == "boolean" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Boolean');?>
+                                    </option>
+                                    <option value="unsigned integer 8" <?=$item['type'] == "unsigned integer 8" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Unsigned 8-bit integer');?>
+                                    </option>
+                                    <option value="unsigned integer 16" <?=$item['type'] == "unsigned integer 16" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Unsigned 16-bit integer');?>
+                                    </option>
+                                    <option value="unsigned integer 32" <?=$item['type'] == "unsigned integer 32" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Unsigned 32-bit integer');?>
+                                    </option>
+                                    <option value="signed integer 8" <?=$item['type'] == "signed integer 8" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Signed 8-bit integer');?>
+                                    </option>
+                                    <option value="signed integer 16" <?=$item['type'] == "signed integer 16" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Signed 16-bit integer');?>
+                                    </option>
+                                    <option value="signed integer 32" <?=$item['type'] == "signed integer 32" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Signed 32-bit integer');?>
+                                    </option>
+                                    <option value="ip-address" <?=$item['type'] == "ip-address" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('IP address or host');?>
+                                    </option>
+                                  </select>
+                                </td>
+                                <td> <input name="numberoptions_value[]" type="text" value="<?=$item['value'];?>" /> </td>
+                              </tr>
+<?php
+                            endforeach;?>
+                            </tbody>
+                            <tfoot>
+                              <tr>
+                                <td colspan="4">
+                                  <div id="addNew" style="cursor:pointer;" class="btn btn-default btn-xs"><i class="fa fa-plus fa-fw"></i></div>
+                                </td>
+                              </tr>
+                            </tfoot>
+                          </table>
+                          <div class="hidden" data-for="help_for_numberoptions">
+                          <?= sprintf(gettext("Enter the DHCP option number and the value for each item you would like to include in the DHCP lease information. For a list of available options please visit this %sURL%s."), '<a href="https://www.iana.org/assignments/bootp-dhcp-parameters/" target="_blank">', '</a>') ?>
+                          </div>
+                        </div>
+                      </td>
+                    </tr>
+<?php
+                    endif; ?>
+                    <tr>
+                      <td>&nbsp;</td>
+                      <td>
+<?php
+                        if ($act == "newpool"): ?>
+                        <input type="hidden" name="act" value="newpool" />
+<?php
+                        endif; ?>
+<?php
+                        if (isset($pool)): ?>
+                        <input type="hidden" name="pool" value="<?=$pool; ?>" />
+<?php
+                        endif; ?>
+                        <input name="if" type="hidden" value="<?=$if;?>" />
+                        <input name="submit" type="submit" class="btn btn-primary" value="<?=html_safe(gettext('Save'));?>"  />
+                      </td>
+                    </tr>
+                  </table>
+                </div>
+              </form>
+            </div>
+          </section>
+<?php if (!isset($pool) && !($act == 'newpool')): ?>
+          <section class="col-xs-12">
+            <div class="tab-content content-box col-xs-12">
+              <div class="table-responsive">
+                <table class="table table-striped">
+                  <tr>
+                    <td colspan="6">
+                      <form method="POST">
+                        <input name="if" type="hidden" value="<?=$if;?>" />
+                        <input name="act" type="hidden" value="export">
+                        <button type="submit" id="download_hosts" class="btn btn-xs" data-if="<?=$if;?>" data-toggle="tooltip" data-title="<?=gettext("Export as CSV");?>">
+                          <span class="fa fa-fw fa-table"></span>
+                        </button>
+                        <strong><?=gettext("DHCP Static Mappings for this interface.");?></strong>
+                      </form>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><?=gettext("Static ARP");?></td>
+                    <td><?=gettext("MAC address");?></td>
+                    <td><?=gettext("IP address");?></td>
+                    <td><?=gettext("Hostname");?></td>
+                    <td><?=gettext("Description");?></td>
+                    <td class="text-nowrap">
+                      <a href="services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>" class="btn btn-primary btn-xs"><i class="fa fa-plus fa-fw"></i></a>
+                    </td>
+                  </tr>
+<?php
+                  if (!empty($config['dhcpd'][$if]['staticmap'])):
+                    $i = 0;
+                    foreach ($config['dhcpd'][$if]['staticmap'] as $mapent): ?>
+<?php
+                        if ($mapent['mac'] != '' || $mapent['ipaddr'] != ''): ?>
+                    <tr>
+                      <td>
+<?php
+                          if (isset($mapent['arp_table_static_entry'])): ?>
+                            <i class="fa fa-info-circle fa-fw"></i>
+<?php
+                          endif; ?>
+                      </td>
+                      <td>
+                        <?=htmlspecialchars($mapent['mac']);?>
+                      </td>
+                      <td>
+                        <?=htmlspecialchars($mapent['ipaddr']);?>
+                      </td>
+                      <td>
+                        <?=htmlspecialchars($mapent['hostname'] ?? '');?>
+                      </td>
+                      <td>
+                        <?=htmlspecialchars($mapent['descr'] ?? '');?>
+                      </td>
+                      <td class="text-nowrap">
+                        <a href="services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>&amp;id=<?=$i;?>" class="btn btn-default btn-xs"><i class="fa fa-pencil fa-fw"></i></a>
+                        <a href="#" data-if="<?=$if;?>" data-id="<?=$i;?>" class="act_delete_static btn btn-xs btn-default"><i class="fa fa-trash fa-fw"></i></a>
+                      </td>
+                    </tr>
+<?php
+                        endif;
+                        $i++;
+                      endforeach;
+                    endif; ?>
+                </table>
+              </div>
+            </div>
+          </section>
+<?php endif ?>
+      </div>
+    </div>
+  </section>
+<?php include("foot.inc"); ?>
diff --git a/net/isc-dhcp/src/www/services_dhcp_edit.php b/net/isc-dhcp/src/www/services_dhcp_edit.php
new file mode 100644
index 0000000000..ceb180a706
--- /dev/null
+++ b/net/isc-dhcp/src/www/services_dhcp_edit.php
@@ -0,0 +1,509 @@
+<?php
+
+/*
+ * Copyright (C) 2014-2016 Deciso B.V.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("interfaces.inc");
+
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    // handle identifiers and action
+    if (!empty($_GET['if']) && !empty($config['interfaces'][$_GET['if']])) {
+        $if = $_GET['if'];
+    } else {
+        header(url_safe('Location: /services_dhcp.php'));
+        exit;
+    }
+    if (isset($if) && isset($_GET['id']) && !empty($config['dhcpd'][$if]['staticmap'][$_GET['id']])) {
+        $id = $_GET['id'];
+    }
+
+    // read form data
+    $pconfig = array();
+    $config_copy_fieldnames = array('mac', 'cid', 'hostname', 'filename', 'rootpath', 'descr', 'arp_table_static_entry',
+      'defaultleasetime', 'maxleasetime', 'gateway', 'domain', 'domainsearchlist', 'winsserver', 'dnsserver', 'ddnsdomain',
+      'ntpserver', 'tftp', 'bootfilename', 'ipaddr', 'winsserver', 'dnsserver');
+    foreach ($config_copy_fieldnames as $fieldname) {
+        if (isset($if) && isset($id) && isset($config['dhcpd'][$if]['staticmap'][$id][$fieldname])) {
+            $pconfig[$fieldname] = $config['dhcpd'][$if]['staticmap'][$id][$fieldname];
+        } elseif (isset($_GET[$fieldname])) {
+            $pconfig[$fieldname] = $_GET[$fieldname];
+        } else {
+            $pconfig[$fieldname] = null;
+        }
+    }
+
+    // handle array types
+    if (isset($pconfig['winsserver'][0])) {
+        $pconfig['wins1'] = $pconfig['winsserver'][0];
+    }
+    if (isset($pconfig['winsserver'][1])) {
+        $pconfig['wins2'] = $pconfig['winsserver'][1];
+    }
+    if (isset($pconfig['dnsserver'][0])) {
+        $pconfig['dns1'] = $pconfig['dnsserver'][0];
+    }
+    if (isset($pconfig['dnsserver'][1])) {
+        $pconfig['dns2'] = $pconfig['dnsserver'][1];
+    }
+    if (isset($pconfig['ntpserver'][0])) {
+        $pconfig['ntp1'] = $pconfig['ntpserver'][0];
+    }
+    if (isset($pconfig['ntpserver'][1])) {
+        $pconfig['ntp2'] = $pconfig['ntpserver'][1];
+    }
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $pconfig = $_POST;
+
+    // handle identifiers and actions
+    if (!empty($pconfig['if']) && !empty($config['interfaces'][$pconfig['if']])) {
+        $if = $pconfig['if'];
+    }
+    if (!empty($config['dhcpd'][$if]['staticmap'][$pconfig['id']])) {
+        $id = $pconfig['id'];
+    }
+
+    $a_maps = &config_read_array('dhcpd', $if, 'staticmap');
+    $input_errors = array();
+
+    /* input validation */
+    $reqdfields = array();
+    $reqdfieldsn = array();
+    do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+
+    /* either MAC or Client-ID must be specified */
+    if (empty($pconfig['mac']) && empty($pconfig['cid'])) {
+        $input_errors[] = gettext("Either MAC address or Client identifier must be specified");
+    }
+
+    /* normalize MAC addresses - lowercase and convert Windows-ized hyphenated MACs to colon delimited */
+    $pconfig['mac'] = strtolower(str_replace("-", ":", $pconfig['mac']));
+
+    if (!empty($pconfig['hostname'])) {
+        preg_match("/\-\$/", $pconfig['hostname'], $matches);
+        if ($matches) {
+            $input_errors[] = gettext("The hostname cannot end with a hyphen according to RFC952");
+        }
+        if (!is_hostname($pconfig['hostname'])) {
+            $input_errors[] = gettext("The hostname can only contain the characters A-Z, 0-9 and '-'.");
+        } elseif (strpos($pconfig['hostname'],'.')) {
+            $input_errors[] = gettext("A valid hostname is specified, but the domain name part should be omitted");
+        }
+    }
+
+    if (!empty($pconfig['domain'])) {
+        if (strpos($pconfig['domain'], '.') === 0) {
+            $input_errors[] = gettext("The domain name cannot start with a dot.");
+        } elseif (!is_domain($pconfig['domain'])) {
+            $input_errors[] = gettext("A valid domain name must be specified.");
+        }
+    }
+
+    if (!empty($pconfig['ipaddr']) && !is_ipaddr($_POST['ipaddr'])) {
+        $input_errors[] = gettext("A valid IP address must be specified.");
+    }
+    if (!empty($pconfig['mac']) && !is_macaddr($pconfig['mac'])) {
+        $input_errors[] = gettext("A valid MAC address must be specified.");
+    }
+    if (isset($config['dhcpd'][$if]['staticarp']) && empty($pconfig['ipaddr'])) {
+        $input_errors[] = gettext("Static ARP is enabled. You must specify an IP address.");
+    }
+
+    /* check for overlaps */
+    foreach ($a_maps as $mapent) {
+        if (isset($id) && ($a_maps[$id] === $mapent)) {
+            continue;
+        }
+        if (!empty($mapent['mac']) && $pconfig['mac'] == $mapent['mac']) {
+            $input_errors[] = gettext('This MAC address already exists.');
+            break;
+        }
+        if (!empty($mapent['cid']) && $pconfig['cid'] == $mapent['cid']) {
+            $input_errors[] = gettext('This client identifier already exists.');
+            break;
+        }
+    }
+
+    list (, $parent_net) = interfaces_primary_address($if);
+
+    if (!empty($pconfig['ipaddr'])) {
+      if (!ip_in_subnet($pconfig['ipaddr'], $parent_net)) {
+          $ifcfgdescr = convert_friendly_interface_to_friendly_descr($if);
+          $input_errors[] = sprintf(gettext('The IP address must lie in the %s subnet.'), $ifcfgdescr);
+      }
+    }
+
+    if (!empty($pconfig['gateway']) && $pconfig['gateway'] != "none" && !is_ipaddrv4($pconfig['gateway'])) {
+        $input_errors[] = gettext("A valid IP address must be specified for the gateway.");
+    }
+
+    if ((!empty($pconfig['wins1']) && !is_ipaddrv4($pconfig['wins1'])) ||
+      (!empty($pconfig['wins2']) && !is_ipaddrv4($pconfig['wins2']))) {
+        $input_errors[] = gettext("A valid IP address must be specified for the primary/secondary WINS servers.");
+    }
+
+    if (is_subnetv4($parent_net) && $pconfig['gateway'] != "none" &&  !empty($pconfig['gateway'])) {
+        if (!ip_in_subnet($pconfig['gateway'], $parent_net) && !ip_in_interface_alias_subnet($if, $pconfig['gateway'])) {
+            $input_errors[] = sprintf(gettext("The gateway address %s does not lie within the chosen interface's subnet."), $_POST['gateway']);
+        }
+    }
+
+    if ((!empty($pconfig['dns1']) && !is_ipaddrv4($pconfig['dns1'])) || (!empty($pconfig['dns2']) && !is_ipaddrv4($pconfig['dns2']))) {
+        $input_errors[] = gettext("A valid IP address must be specified for the primary/secondary DNS servers.");
+    }
+
+    if (!empty($pconfig['defaultleasetime']) && (!is_numeric($pconfig['defaultleasetime']) || ($pconfig['defaultleasetime'] < 60))) {
+        $input_errors[] = gettext("The default lease time must be at least 60 seconds.");
+    }
+    if (!empty($pconfig['maxleasetime']) && (!is_numeric($pconfig['maxleasetime']) || ($pconfig['maxleasetime'] < 60) || ($pconfig['maxleasetime'] <= $pconfig['defaultleasetime']))) {
+        $input_errors[] = gettext("The maximum lease time must be at least 60 seconds and higher than the default lease time.");
+    }
+    if (!empty($pconfig['ddnsdomain']) && !is_domain($pconfig['ddnsdomain'])) {
+        $input_errors[] = gettext("A valid domain name must be specified for the dynamic DNS registration.");
+    }
+    if (!empty($pconfig['domainsearchlist'])) {
+        $domain_array=preg_split("/[ ;]+/", $pconfig['domainsearchlist']);
+        foreach ($domain_array as $curdomain) {
+            if (!is_domain($curdomain, true)) {
+                $input_errors[] = gettext("A valid domain search list must be specified.");
+                break;
+            }
+        }
+    }
+
+    if ((!empty($pconfig['ntp1']) && !is_ipaddrv4($pconfig['ntp1'])) || (!empty($pconfig['ntp2']) && !is_ipaddrv4($pconfig['ntp2']))) {
+        $input_errors[] = gettext("A valid IP address must be specified for the primary/secondary NTP servers.");
+    }
+    if (!empty($pconfig['tftp']) && !is_ipaddrv4($pconfig['tftp']) && !is_domain($pconfig['tftp']) && !is_URL($pconfig['tftp'])) {
+        $input_errors[] = gettext("A valid IP address or hostname must be specified for the TFTP server.");
+    }
+    if ((!empty($pconfig['nextserver']) && !is_ipaddrv4($pconfig['nextserver']))) {
+        $input_errors[] = gettext("A valid IP address must be specified for the network boot server.");
+    }
+
+    if (count($input_errors) == 0){
+        $mapent = array();
+        $config_copy_fieldnames = array('mac', 'cid', 'ipaddr', 'hostname', 'descr', 'filename', 'rootpath',
+          'arp_table_static_entry', 'defaultleasetime', 'maxleasetime', 'gateway', 'domain', 'domainsearchlist',
+          'ddnsdomain', 'tftp', 'bootfilename', 'winsserver', 'dnsserver');
+
+        foreach ($config_copy_fieldnames as $fieldname) {
+            if (!empty($pconfig[$fieldname])) {
+                $mapent[$fieldname] = $pconfig[$fieldname];
+            }
+        }
+
+        // boolean
+        $mapent['arp_table_static_entry'] = !empty($pconfig['arp_table_static_entry']);
+
+        // arrays
+        $mapent['winsserver'] = array();
+        if (!empty($pconfig['wins1'])) {
+            $mapent['winsserver'][] = $pconfig['wins1'];
+        }
+        if (!empty($pconfig['wins2'])) {
+            $mapent['winsserver'][] = $pconfig['wins2'];
+        }
+
+        $mapent['dnsserver'] = array();
+        if (!empty($pconfig['dns1'])) {
+            $mapent['dnsserver'][] = $_POST['dns1'];
+        }
+        if (!empty($pconfig['dns2'])) {
+            $mapent['dnsserver'][] = $_POST['dns2'];
+        }
+
+        $mapent['ntpserver'] = array();
+        if (!empty($pconfig['ntp1'])) {
+            $mapent['ntpserver'][] = $pconfig['ntp1'];
+        }
+        if (!empty($pconfig['ntp2'])) {
+            $mapent['ntpserver'][] = $pconfig['ntp2'];
+        }
+
+        if (isset($id)) {
+            $a_maps[$id] = $mapent;
+        } else {
+            $a_maps[] = $mapent;
+        }
+
+        usort($config['dhcpd'][$if]['staticmap'], function ($a, $b) {
+            return ipcmp($a['ipaddr'], $b['ipaddr']);
+        });
+
+        write_config();
+
+        if (isset($config['dhcpd'][$if]['enable'])) {
+            mark_subsystem_dirty('staticmaps');
+        }
+
+        header(url_safe('Location: /services_dhcp.php?if=%s', array($if)));
+        exit;
+    }
+}
+
+$service_hook = 'dhcpd';
+legacy_html_escape_form_data($pconfig);
+
+include("head.inc");
+
+?>
+<body>
+<script>
+//<![CDATA[
+  function show_ntp_config() {
+    $("#showntpbox").hide();
+    $("#showntp").show();
+  }
+
+  function show_tftp_config() {
+    $("#showtftpbox").hide();
+    $("#showtftp").show();
+  }
+//]]>
+</script>
+<?php include("fbegin.inc"); ?>
+<section class="page-content-main">
+  <div class="container-fluid">
+    <div class="row">
+      <?php if (isset($input_errors) && count($input_errors) > 0) print_input_errors($input_errors); ?>
+      <section class="col-xs-12">
+        <div class="content-box">
+          <form method="post" name="iform" id="iform">
+            <div class="table-responsive">
+              <table class="table table-striped opnsense_standard_table_form">
+                <tr>
+                  <td style="width:22%"><strong><?=gettext("Static DHCP Mapping");?></strong></td>
+                  <td style="width:78%; text-align:right">
+                    <small><?=gettext("full help"); ?> </small>
+                    <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_mac" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("MAC address");?></td>
+                  <td>
+                    <input name="mac" id="mac" type="text" value="<?=$pconfig['mac'];?>" />
+<?php
+                    $ip = getenv('REMOTE_ADDR');
+                    $mac = `/usr/sbin/arp -an | grep {$ip} | /usr/bin/head -n1 | /usr/bin/cut -d" " -f4`;
+                    $mac = str_replace("\n","",$mac);?>
+                    <a onclick="$('#mac').val('<?=$mac?>');" href="#"><?=gettext("Copy my MAC address");?></a>
+                    <div class="hidden" data-for="help_for_mac">
+                      <?=gettext("Enter a MAC address in the following format: "."xx:xx:xx:xx:xx:xx");?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Client identifier");?></td>
+                  <td>
+                    <input name="cid" type="text" value="<?=$pconfig['cid'];?>" />
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_ipaddr" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IP address");?></td>
+                  <td>
+                    <input name="ipaddr" type="text" value="<?=$pconfig['ipaddr'];?>" />
+                    <div class="hidden" data-for="help_for_ipaddr">
+                      <?=gettext("If an IPv4 address is entered, the address must be within the interface subnet.");?>
+                      <br />
+                      <?=gettext("If no IPv4 address is given, one will be dynamically allocated from the pool.");?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_hostname" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Hostname");?></td>
+                  <td>
+                    <input name="hostname" type="text" value="<?=$pconfig['hostname'];?>" />
+                    <div class="hidden" data-for="help_for_hostname">
+                      <?=gettext("Name of the host, without domain part.");?>
+                    </div>
+                  </td>
+                </tr>
+<?php
+                if (isset($config['dhcpd'][$if]['netboot'])):?>
+                <tr>
+                  <td><a id="help_for_filename" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Netboot Filename') ?></td>
+                  <td>
+                    <input name="filename" type="text" id="filename" size="20" value="<?=$pconfig['filename'];?>" />
+                    <div class="hidden" data-for="help_for_filename">
+                      <?= gettext('Name of the file that should be loaded when this host boots off of the network, overrides setting on main page.') ?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_rootpath" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Root Path') ?></td>
+                  <td>
+                    <input name="rootpath" type="text" value="<?=$pconfig['rootpath'];?>" />
+                    <div class="hidden" data-for="help_for_rootpath">
+                      <?= gettext("Enter the root-path-string, overrides setting on main page.") ?>
+                    </div>
+                  </td>
+                </tr>
+<?php
+                endif;?>
+                <tr>
+                  <td><a id="help_for_descr" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Description");?></td>
+                  <td>
+                    <input name="descr" type="text" value="<?=$pconfig['descr'];?>" />
+                    <div class="hidden" data-for="help_for_descr">
+                      <?=gettext("You may enter a description here for your reference (not parsed).");?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_arp_table_static_entry" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("ARP Table Static Entry");?></td>
+                  <td>
+                    <input name="arp_table_static_entry" id="arp_table_static_entry" type="checkbox" value="yes" <?=!empty($pconfig['arp_table_static_entry']) ? "checked=\"checked\"" : ""; ?> />
+                    <div class="hidden" data-for="help_for_arp_table_static_entry">
+                      <?=gettext('Create a static ARP table entry for this MAC and IP address pair.');?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("WINS servers");?></td>
+                  <td>
+                    <input name="wins1" type="text" value="<?=$pconfig['wins1'];?>" /><br />
+                    <input name="wins2" type="text" value="<?=$pconfig['wins2'];?>" />
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_dns" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DNS servers");?></td>
+                  <td>
+                    <input name="dns1" type="text" value="<?=$pconfig['dns1'];?>" /><br/>
+                    <input name="dns2" type="text" value="<?=$pconfig['dns2'];?>" />
+                    <div class="hidden" data-for="help_for_dns">
+                      <?= gettext('Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers.') ?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_gateway" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Gateway");?></td>
+                  <td>
+                    <input name="gateway" type="text" value="<?=$pconfig['gateway'];?>" />
+                    <div class="hidden" data-for="help_for_gateway">
+                      <?=gettext('The default is to use the IP on this interface of the firewall as the gateway. '.
+                                 'Specify an alternate gateway here if this is not the correct gateway for your network. ' .
+                                 'Type "none" for no gateway assignment.');?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_domain" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Domain name");?></td>
+                  <td>
+                    <input name="domain" type="text" value="<?=$pconfig['domain'];?>" />
+                    <div class="hidden" data-for="help_for_domain">
+                      <?=gettext("The default is to use the domain name of this system as the default domain name provided by DHCP. You may specify an alternate domain name here.");?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_domainsearchlist" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Domain search list");?></td>
+                  <td>
+                    <input name="domainsearchlist" type="text" id="domainsearchlist" size="20" value="<?=$pconfig['domainsearchlist'];?>" />
+                    <div class="hidden" data-for="help_for_domainsearchlist">
+                      <?=gettext("The DHCP server can optionally provide a domain search list. Use the semicolon character as separator.");?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_defaultleasetime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Default lease time");?> (<?=gettext("seconds");?>)</td>
+                  <td>
+                    <input name="defaultleasetime" type="text" id="deftime" size="10" value="<?=$pconfig['defaultleasetime'];?>" />
+                    <div class="hidden" data-for="help_for_defaultleasetime">
+                      <?=gettext("This is used for clients that do not ask for a specific " ."expiration time."); ?><br />
+                      <?=gettext("The default is 7200 seconds.");?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_maxleasetime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum lease time");?> (<?=gettext("seconds");?>)</td>
+                  <td>
+                    <input name="maxleasetime" type="text" value="<?=$pconfig['maxleasetime'];?>" />
+                    <div class="hidden" data-for="help_for_maxleasetime">
+                      <?=gettext("This is the maximum lease time for clients that ask"." for a specific expiration time."); ?><br />
+                      <?=gettext("The default is 86400 seconds.");?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><a id="help_for_ddnsdomain" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Dynamic DNS domain') ?></td>
+                  <td>
+                    <input name="ddnsdomain" type="text" id="ddnsdomain" size="20" value="<?= html_safe($pconfig['ddnsdomain']) ?>" />
+                    <div class="hidden" data-for="help_for_ddnsdomain">
+                      <?= gettext('Enter the dynamic DNS domain which will be used to register this client in the DNS server.') ?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("NTP servers");?></td>
+                  <td>
+                    <div id="showntpbox">
+                      <input type="button" onclick="show_ntp_config()" class="btn btn-xs btn-default" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show NTP configuration");?>
+                    </div>
+                    <div id="showntp" style="display:none">
+                      <input name="ntp1" type="text" id="ntp1" size="20" value="<?=$pconfig['ntp1'];?>" /><br />
+                      <input name="ntp2" type="text" id="ntp2" size="20" value="<?=$pconfig['ntp2'];?>" />
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("TFTP server");?></td>
+                  <td>
+                    <div id="showtftpbox">
+                      <input type="button" onclick="show_tftp_config()" class="btn btn-xs btn-default" value="<?= html_safe(gettext('Advanced')) ?>" /> - <?=gettext("Show TFTP configuration");?>
+                    </div>
+                    <div id="showtftp" style="display:none">
+                      <?=gettext("Set TFTP hostname");?>
+                      <input name="tftp" type="text" size="50" value="<?=$pconfig['tftp'];?>" /><br />
+                      <?=gettext("Set Bootfile");?>
+                      <input name="bootfilename" type="text" value="<?=$pconfig['bootfilename'];?>" /><br />
+                      <?=gettext("Leave blank to disable. Enter a full hostname or IP for the TFTP server and optionally a full path for a bootfile.");?>
+                    </div>
+                  </td>
+                </tr>
+                <tr>
+                  <td></td>
+                  <td>
+                    <input name="Submit" type="submit" class="formbtn btn btn-primary" value="<?=html_safe(gettext('Save'));?>" />
+                    <input type="button" class="formbtn btn btn-default" value="<?=html_safe(gettext('Cancel'));?>" onclick="window.location.href='/services_dhcp.php?if=<?= html_safe($if) ?>'" />
+<?php
+                  if (isset($id)): ?>
+                    <input name="id" type="hidden" value="<?=$id;?>" />
+<?php
+                  endif; ?>
+                    <input name="if" type="hidden" value="<?=$if;?>" />
+                  </td>
+                </tr>
+              </table>
+            </div>
+          </form>
+        </div>
+      </section>
+    </div>
+  </div>
+</section>
+<?php include("foot.inc"); ?>
diff --git a/net/isc-dhcp/src/www/services_dhcpv6.php b/net/isc-dhcp/src/www/services_dhcpv6.php
new file mode 100644
index 0000000000..7308b2a164
--- /dev/null
+++ b/net/isc-dhcp/src/www/services_dhcpv6.php
@@ -0,0 +1,901 @@
+<?php
+
+/*
+ * Copyright (C) 2014-2025 Deciso B.V.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
+ * Copyright (C) 2010 Seth Mos <seth.mos@dds.nl>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("filter.inc");
+require_once("system.inc");
+require_once("interfaces.inc");
+require_once("plugins.inc.d/dhcpd.inc");
+
+function show_track6_form($if)
+{
+  global $config;
+  $service_hook = 'dhcpd6';
+  include("head.inc");
+  include("fbegin.inc");
+  $enable_label = gettext("Enable");
+  $range_label = gettext("Range");
+  $enable_descr = sprintf(gettext("Enable DHCPv6 server on " . "%s " ."interface"),!empty($config['interfaces'][$if]['descr']) ? htmlspecialchars($config['interfaces'][$if]['descr']) : strtoupper($if));
+  $enable_input = 'checked="checked"';
+  $save_btn_text = html_safe(gettext('Save'));
+  /* calculated "fixed" range */
+  list ($ifcfgipv6) = interfaces_primary_address6($if, legacy_interfaces_details());
+  $range = ['from' => '?', 'to' => '?'];
+  if (is_ipaddrv6($ifcfgipv6)) {
+      $ifcfgipv6 = Net_IPv6::getNetmask($ifcfgipv6, 64);
+      $ifcfgipv6arr = explode(':', $ifcfgipv6);
+      $ifcfgipv6arr[7] = '1000';
+      $range['from'] = Net_IPv6::compress(implode(':', $ifcfgipv6arr));
+      $ifcfgipv6arr[7] = '2000';
+      $range['to'] = Net_IPv6::compress(implode(':', $ifcfgipv6arr));
+  }
+
+  if (!empty($config['dhcpdv6']) && !empty($config['dhcpdv6'][$if]) && isset($config['dhcpdv6'][$if]['enable']) && $config['dhcpdv6'][$if]['enable'] == '-1') {
+      /* disabled */
+      $enable_input = '';
+  }
+
+  $range_tr = <<<EOD
+    <tr>
+      <td><i class="fa fa-info-circle text-muted"></i> $range_label</td>
+      <td>{$range['from']} - {$range['to']}</td>
+    </tr>
+  EOD;
+
+
+  echo <<<EOD
+    <section class="page-content-main">
+      <div class="container-fluid">
+        <div class="row">
+          <section class="col-xs-12">
+            <div class="tab-content content-box col-xs-12">
+              <form method="post" name="iform" id="iform">
+                <div class="table-responsive">
+                  <table class="table table-striped opnsense_standard_table_form">
+                    <tr>
+                      <td style="width:22%"></td>
+                      <td style="width:78%; text-align:right">
+                        <div style='height: 15px;'></div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> $enable_label</td>
+                      <td>
+                        <input name="enable" type="checkbox" value="yes" $enable_input/>
+                        <strong>$enable_descr</strong>
+                      </td>
+                      $range_tr
+                    </tr>
+                    <tr>
+                      <td>&nbsp;</td>
+                      <td>
+                        <input name="if" type="hidden" value="$if" />
+                        <input name="submit" type="submit" class="formbtn btn btn-primary" value="$save_btn_text"/>
+                      </td>
+                    </tr>
+                  </table>
+                </div>
+              </form>
+            </div>
+          </section>
+        </div>
+      </div>
+    </section>
+  EOD;
+  include("foot.inc");
+}
+
+function process_track6_form($if)
+{
+    $dhcpdv6cfg = &config_read_array('dhcpdv6');
+    $this_server = [];
+    if (empty($_POST['enable'])) {
+        $this_server['enable'] = '-1';
+    }
+    $dhcpdv6cfg[$if] = $this_server;
+    write_config();
+    reconfigure_dhcpd();
+    filter_configure();
+    header(url_safe('Location: /services_dhcpv6.php?if=%s', array($if)));
+}
+
+function reconfigure_dhcpd()
+{
+    system_resolver_configure();
+    dhcpd_dhcp6_configure();
+    clear_subsystem_dirty('staticmapsv6');
+}
+
+$if = null;
+$act = null;
+
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    // handle identifiers and action
+    if (!empty($_GET['if']) && !empty($config['interfaces'][$_GET['if']]) &&
+        isset($config['interfaces'][$_GET['if']]['enable']) &&
+        (is_ipaddr($config['interfaces'][$_GET['if']]['ipaddrv6']) ||
+        $config['interfaces'][$_GET['if']]['ipaddrv6'] == 'track6')) {
+        $if = $_GET['if'];
+    }
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    // handle identifiers and actions
+    if (!empty($_POST['if']) && !empty($config['interfaces'][$_POST['if']])) {
+        $if = $_POST['if'];
+    }
+    if (!empty($_POST['act'])) {
+        $act = $_POST['act'];
+    }
+}
+
+/**
+ * XXX: In case of tracking, show different form and only handle on/off options.
+ *      this code injection is intended to keep changes as minimal as possible and avoid regressions on existing isc-dhcp6 installs,
+ *      while showing current state for tracking interfaces.
+ **/
+if ($if === null) {
+    /* if no interface is provided this invoke is invalid */
+    header(url_safe('Location: /index.php'));
+    exit;
+} elseif (($config['interfaces'][$if]['ipaddrv6'] ?? 'none') == 'track6' && !isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])) {
+    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+        show_track6_form($if);
+    } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        process_track6_form($if);
+    }
+    exit;
+}
+/* default form processing */
+
+$ifcfgip = $config['interfaces'][$if]['ipaddrv6'];
+$ifcfgsn = $config['interfaces'][$if]['subnetv6'];
+
+if (isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])) {
+    list ($ifcfgip,, $ifcfgsn) = interfaces_primary_address6($if);
+    $pdlen = calculate_ipv6_delegation_length($config['interfaces'][$if]['track6-interface']) - 1;
+}
+
+$subnet_start = gen_subnetv6($ifcfgip, $ifcfgsn);
+$subnet_end = gen_subnetv6_max($ifcfgip, $ifcfgsn);
+
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    $pconfig = array();
+
+    if (!empty($config['dhcpdv6'][$if]['range'])) {
+        $pconfig['range_from'] = $config['dhcpdv6'][$if]['range']['from'];
+        $pconfig['range_to'] = $config['dhcpdv6'][$if]['range']['to'];
+    }
+    if (!empty($config['dhcpdv6'][$if]['prefixrange'])) {
+        $pconfig['prefixrange_from'] = $config['dhcpdv6'][$if]['prefixrange']['from'];
+        $pconfig['prefixrange_to'] = $config['dhcpdv6'][$if]['prefixrange']['to'];
+        $pconfig['prefixrange_length'] = $config['dhcpdv6'][$if]['prefixrange']['prefixlength'];
+    }
+    $config_copy_fieldsnames = array('defaultleasetime', 'maxleasetime', 'domain', 'domainsearchlist', 'ddnsdomain',
+        'ddnsdomainprimary', 'ddnsdomainkeyname', 'ddnsdomainkey', 'ddnsdomainalgorithm', 'bootfile_url', 'netmask',
+        'numberoptions', 'dhcpv6leaseinlocaltime', 'staticmap', 'minsecs');
+    foreach ($config_copy_fieldsnames as $fieldname) {
+        if (isset($config['dhcpdv6'][$if][$fieldname])) {
+            $pconfig[$fieldname] = $config['dhcpdv6'][$if][$fieldname];
+        } else {
+            $pconfig[$fieldname] = null;
+        }
+    }
+    // handle booleans
+    $pconfig['enable'] = isset($config['dhcpdv6'][$if]['enable']);
+    $pconfig['ddnsupdate'] = isset($config['dhcpdv6'][$if]['ddnsupdate']);
+    $pconfig['netboot'] = isset($config['dhcpdv6'][$if]['netboot']);
+
+    // handle arrays
+    $pconfig['staticmap'] = empty($pconfig['staticmap']) ? array() : $pconfig['staticmap'];
+    $pconfig['numberoptions'] = empty($pconfig['numberoptions']) ? array() : $pconfig['numberoptions'];
+    $pconfig['dns1'] = !empty($config['dhcpdv6'][$if]['dnsserver'][0]) ? $config['dhcpdv6'][$if]['dnsserver'][0] : "";
+    $pconfig['dns2'] = !empty($config['dhcpdv6'][$if]['dnsserver'][1]) ? $config['dhcpdv6'][$if]['dnsserver'][1] : "";
+    $pconfig['ntp1'] = !empty($config['dhcpdv6'][$if]['ntpserver'][0]) ? $config['dhcpdv6'][$if]['ntpserver'][0] : "";
+    $pconfig['ntp2'] = !empty($config['dhcpdv6'][$if]['ntpserver'][1]) ? $config['dhcpdv6'][$if]['ntpserver'][1] : "";
+
+    // backward compatibility: migrate 'domain' to 'domainsearchlist'
+    if (empty($pconfig['domainsearchlist'])) {
+        $pconfig['domainsearchlist'] = $pconfig['domain'];
+    }
+
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $pconfig = $_POST;
+    $input_errors = array();
+
+    if (isset($pconfig['submit'])) {
+        // transform Additional BOOTP/DHCP Options
+        $pconfig['numberoptions'] =  array();
+        if (isset($pconfig['numberoptions_number'])) {
+            $pconfig['numberoptions']['item'] = array();
+            foreach ($pconfig['numberoptions_number'] as $opt_seq => $opt_number) {
+                if (!empty($opt_number)) {
+                    $pconfig['numberoptions']['item'][] = array('number' => $opt_number,
+                                                                'type' => $pconfig['numberoptions_type'][$opt_seq],
+                                                                'value' => $pconfig['numberoptions_value'][$opt_seq]
+                                                          );
+                }
+            }
+        }
+
+        if (!empty($pconfig['prefixrange_from']) && !is_ipaddrv6($pconfig['prefixrange_from']) ||
+            !empty($pconfig['prefixrange_to']) && !is_ipaddrv6($pconfig['prefixrange_to'])) {
+            $input_errors[] = gettext("A valid prefix range must be specified.");
+        }
+        if (!empty($pconfig['range_from']) && empty($pconfig['range_to']) ||
+            empty($pconfig['range_from']) && !empty($pconfig['range_to'])) {
+            $input_errors[] = gettext("A valid range must be specified.");
+        } elseif (!empty($pconfig['range_from']) && !is_ipaddrv6($pconfig['range_from']) ||
+            !empty($pconfig['range_to']) && !is_ipaddrv6($pconfig['range_to'])) {
+            $input_errors[] = gettext("A valid range must be specified.");
+        } else {
+            /* Disallow a range that includes the virtualip */
+            if (!empty($config['virtualip']['vip'])) {
+                foreach($config['virtualip']['vip'] as $vip) {
+                    if ($vip['interface'] == $if) {
+                        if (!empty($vip['subnetv6']) && is_inrange_v6($vip['subnetv6'], $pconfig['range_from'], $pconfig['range_to'])) {
+                            $input_errors[] = sprintf(gettext("The subnet range cannot overlap with virtual IPv6 address %s."),$vip['subnetv6']);
+                        }
+                    }
+                }
+            }
+        }
+
+        if (!empty($pconfig['gateway']) && !is_ipaddrv6($pconfig['gateway'])) {
+            $input_errors[] = gettext("A valid IPv6 address must be specified for the gateway.");
+        }
+        if ((!empty($pconfig['dns1']) && !is_ipaddrv6($pconfig['dns1'])) || (!empty($pconfig['dns2']) && !is_ipaddrv6($pconfig['dns2']))) {
+            $input_errors[] = gettext("A valid IPv6 address must be specified for the primary/secondary DNS servers.");
+        }
+
+        if (!empty($pconfig['defaultleasetime']) && (!is_numeric($pconfig['defaultleasetime']) || ($pconfig['defaultleasetime'] < 60))) {
+            $input_errors[] = gettext("The default lease time must be at least 60 seconds.");
+        }
+        if (!empty($pconfig['maxleasetime']) && (!is_numeric($pconfig['maxleasetime']) || ($pconfig['maxleasetime'] < 60) || ($pconfig['maxleasetime'] <= $_POST['defaultleasetime']))) {
+            $input_errors[] = gettext("The maximum lease time must be at least 60 seconds and higher than the default lease time.");
+        }
+        if (!empty($pconfig['minsecs']) && (!is_numeric($pconfig['minsecs']) || ($pconfig['minsecs'] < 0) || ($pconfig['minsecs'] > 255))) {
+            $input_errors[] = gettext("The response delay must be at least 0 and no more than 255 seconds.");
+        }
+        if (!empty($pconfig['ddnsdomain']) && !is_domain($pconfig['ddnsdomain'])) {
+            $input_errors[] = gettext("A valid domain name must be specified for the dynamic DNS registration.");
+        }
+        if (!empty($pconfig['ddnsdomainprimary']) && !is_ipaddrv6($pconfig['ddnsdomainprimary'])) {
+            $input_errors[] = gettext("A valid primary domain name server IPv6 address must be specified for the dynamic domain name.");
+        }
+        if (!empty($pconfig['ddnsdomainkey']) && base64_encode(base64_decode($pconfig['ddnsdomainkey'], true)) !== $pconfig['ddnsdomainkey']) {
+            $input_errors[] = gettext('You must specify a Base64-encoded domain key.');
+        }
+        if ((!empty($pconfig['ddnsdomainkey']) && empty($pconfig['ddnsdomainkeyname'])) ||
+          (!empty($pconfig['ddnsdomainkeyname']) && empty($pconfig['ddnsdomainkey']))) {
+            $input_errors[] = gettext("You must specify both a valid domain key and key name.");
+        }
+        if (!empty($pconfig['domainsearchlist'])) {
+            $domain_array=preg_split("/[ ;]+/",$pconfig['domainsearchlist']);
+            foreach ($domain_array as $curdomain) {
+                if (!is_domain($curdomain, true)) {
+                    $input_errors[] = gettext("A valid domain search list must be specified.");
+                    break;
+                }
+            }
+        }
+
+        if ((!empty($pconfig['ntp1']) && !is_ipaddrv6($pconfig['ntp1'])) || (!empty($pconfig['ntp2']) && !is_ipaddrv6($pconfig['ntp2']))) {
+            $input_errors[] = gettext("A valid IPv6 address must be specified for the primary/secondary NTP servers.");
+        }
+        if (!empty($pconfig['bootfile_url']) && !is_URL($pconfig['bootfile_url'])) {
+            $input_errors[] = gettext("A valid URL must be specified for the network bootfile.");
+        }
+
+        if (count($input_errors) == 0 && !empty($pconfig['enable'])) {
+            $range_from = $pconfig['range_from'];
+            $range_to = $pconfig['range_to'];
+
+            if (isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])) {
+                $range_from = merge_ipv6_address($ifcfgip, $pconfig['range_from']);
+                $range_to = merge_ipv6_address($ifcfgip, $pconfig['range_to']);
+            }
+
+            if (!empty($pconfig['range_from']) && !empty($pconfig['range_to'])) {
+               /* make sure the range lies within the current subnet */
+                if ((!is_inrange_v6($range_from, $subnet_start, $subnet_end)) ||
+                    (!is_inrange_v6($range_to, $subnet_start, $subnet_end))) {
+                    $input_errors[] = gettext('The specified range lies outside of the current subnet.');
+                }
+
+                /* single IP subnet does not have enough addresses */
+                if ($subnet_start == $subnet_end) {
+                    $input_errors[] = gettext('The range is unavailable (single host network mask /128 used).');
+                /* "from" cannot be higher than "to" */
+                } elseif (inet_pton($pconfig['range_from']) > inet_pton($pconfig['range_to'])) {
+                    $input_errors[] = gettext("The range is invalid (first element higher than second element).");
+                }
+
+                /* Verify static mappings do not overlap:
+                   - available DHCP range
+                   - prefix delegation range (FIXME: still need to be completed) */
+                $dynsubnet_start = inet_pton($pconfig['range_from']);
+                $dynsubnet_end = inet_pton($pconfig['range_to']);
+                if (!empty($config['dhcpdv6'][$if]['staticmap'])) {
+                    foreach ($config['dhcpdv6'][$if]['staticmap'] as $map) {
+                        if (!empty($map['ipaddrv6']) && inet_pton($map['ipaddrv6']) > $dynsubnet_start && inet_pton($map['ipaddrv6']) < $dynsubnet_end) {
+                            $input_errors[] = sprintf(gettext("The DHCP range cannot overlap any static DHCP mappings."));
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+
+        if (count($input_errors) == 0) {
+            config_read_array('dhcpdv6', $if);
+            $dhcpdconf = array();
+
+            // simple 1-on-1 copy
+            $config_copy_fieldsnames = array('defaultleasetime', 'maxleasetime', 'netmask', 'domainsearchlist',
+              'ddnsdomain', 'ddnsdomainprimary', 'ddnsdomainkeyname', 'ddnsdomainkey', 'ddnsdomainalgorithm', 'bootfile_url',
+              'dhcpv6leaseinlocaltime', 'minsecs');
+            foreach ($config_copy_fieldsnames as $fieldname) {
+                if (!empty($pconfig[$fieldname])) {
+                    $dhcpdconf[$fieldname] = $pconfig[$fieldname];
+                }
+            }
+
+            $dhcpdv6_enable_changed = !empty($pconfig['enable']) != !empty($config['dhcpdv6'][$if]['enable']);
+
+            // boolean types
+            $dhcpdconf['netboot'] = !empty($pconfig['netboot']);
+            $dhcpdconf['enable'] = !empty($pconfig['enable']);
+            $dhcpdconf['ddnsupdate'] = !empty($pconfig['ddnsupdate']);
+
+            // array types
+            $dhcpdconf['range'] = array();
+            $dhcpdconf['range']['from'] = $pconfig['range_from'];
+            $dhcpdconf['range']['to'] = $pconfig['range_to'];
+            $dhcpdconf['prefixrange'] = array();
+            $dhcpdconf['prefixrange']['from'] = $pconfig['prefixrange_from'];
+            $dhcpdconf['prefixrange']['to'] = $pconfig['prefixrange_to'];
+            $dhcpdconf['prefixrange']['prefixlength'] = $pconfig['prefixrange_length'];
+            $dhcpdconf['dnsserver'] = array();
+            if (!empty($pconfig['dns1'])) {
+                $dhcpdconf['dnsserver'][] = $pconfig['dns1'];
+            }
+            if (!empty($pconfig['dns2'])) {
+                $dhcpdconf['dnsserver'][] = $pconfig['dns2'];
+            }
+            $dhcpdconf['ntpserver'] = [];
+            if (!empty($pconfig['ntp1'])) {
+                $dhcpdconf['ntpserver'][] = $pconfig['ntp1'];
+            }
+            if (!empty($pconfig['ntp2'])) {
+                $dhcpdconf['ntpserver'][] = $pconfig['ntp2'];
+            }
+            $dhcpdconf['numberoptions'] = $pconfig['numberoptions'];
+
+            // copy structures back in
+            foreach (array('staticmap') as $fieldname) {
+                if (!empty($config['dhcpdv6'][$if][$fieldname])) {
+                    $dhcpdconf[$fieldname] = $config['dhcpdv6'][$if][$fieldname];
+                }
+            }
+            // router advertisement data lives in the same spot, copy
+            foreach (array_keys($config['dhcpdv6'][$if]) as $fieldname) {
+                if ((substr($fieldname, 0, 2) == 'ra' || substr($fieldname, 0, 3) == 'Adv') && !in_array($fieldname, array_keys($dhcpdconf))) {
+                    $dhcpdconf[$fieldname] = $config['dhcpdv6'][$if][$fieldname];
+                }
+            }
+            $config['dhcpdv6'][$if] = $dhcpdconf;
+
+            write_config();
+
+            reconfigure_dhcpd();
+            if ($dhcpdv6_enable_changed) {
+                filter_configure();
+            }
+
+            header(url_safe('Location: /services_dhcpv6.php?if=%s', array($if)));
+            exit;
+        }
+    } elseif (isset($pconfig['apply'])) {
+        reconfigure_dhcpd();
+        header(url_safe('Location: /services_dhcpv6.php?if=%s', array($if)));
+        exit;
+    } elseif ($act == "del") {
+        if (!empty($config['dhcpdv6'][$if]['staticmap'][$_POST['id']])) {
+            unset($config['dhcpdv6'][$if]['staticmap'][$_POST['id']]);
+            write_config();
+            if (isset($config['dhcpdv6'][$if]['enable'])) {
+                mark_subsystem_dirty('staticmapsv6');
+            }
+        }
+        exit;
+    }
+}
+
+$service_hook = 'dhcpd6';
+
+legacy_html_escape_form_data($pconfig);
+
+include("head.inc");
+
+?>
+<body>
+<script>
+  $( document ).ready(function() {
+    /**
+     * Additional BOOTP/DHCP Options extendable table
+     */
+    function removeRow() {
+        if ( $('#numberoptions_table > tbody > tr').length == 1 ) {
+            $('#numberoptions_table > tbody > tr:last > td > input').each(function(){
+              $(this).val("");
+            });
+        } else {
+            $(this).parent().parent().remove();
+        }
+    }
+    // add new detail record
+    $("#addNew").click(function(){
+        // copy last row and reset values
+        $('#numberoptions_table > tbody').append('<tr>'+$('#numberoptions_table > tbody > tr:last').html()+'</tr>');
+        $('#numberoptions_table > tbody > tr:last > td > input').each(function(){
+          $(this).val("");
+        });
+        $(".act-removerow").click(removeRow);
+    });
+    $(".act-removerow").click(removeRow);
+
+    // delete static action
+    $(".act_delete_static").click(function(event){
+      event.preventDefault();
+      var id = $(this).data("id");
+      var intf = $(this).data("if");
+      // delete single
+      BootstrapDialog.show({
+        type:BootstrapDialog.TYPE_DANGER,
+        title: "<?= gettext("DHCP");?>",
+        message: "<?=gettext("Do you really want to delete this mapping?");?>",
+        buttons: [{
+                  label: "<?= gettext("No");?>",
+                  action: function(dialogRef) {
+                      dialogRef.close();
+                  }}, {
+                  label: "<?= gettext("Yes");?>",
+                  action: function(dialogRef) {
+                    $.post(window.location, {act: 'del', id:id, if:intf}, function(data) {
+                        location.reload();
+                    });
+                }
+              }]
+      });
+    });
+  });
+</script>
+
+<script>
+  function show_shownumbervalue() {
+    $("#shownumbervaluebox").hide();
+    $("#shownumbervalue").show();
+  }
+
+  function show_ddns_config() {
+    $("#showddnsbox").hide();
+    $("#showddns").show();
+  }
+  function show_ntp_config() {
+    $("#showntpbox").hide();
+    $("#showntp").show();
+  }
+
+  function show_netboot_config() {
+    $("#shownetbootbox").hide();
+    $("#shownetboot").show();
+  }
+</script>
+
+
+<?php include("fbegin.inc"); ?>
+  <section class="page-content-main">
+    <div class="container-fluid">
+      <div class="row">
+        <?php if (isset($input_errors) && count($input_errors) > 0) print_input_errors($input_errors); ?>
+        <?php if (isset($savemsg)) print_info_box($savemsg); ?>
+        <?php if (is_subsystem_dirty('staticmapsv6')): ?><p>
+        <?php print_info_box_apply(gettext("The static mapping configuration has been changed") . ".<br />" . gettext("You must apply the changes in order for them to take effect."));?><br />
+        <?php endif; ?>
+        <section class="col-xs-12">
+        <div class="tab-content content-box col-xs-12">
+          <form method="post" name="iform" id="iform">
+                <div class="table-responsive">
+                  <table class="table table-striped opnsense_standard_table_form">
+                    <tr>
+                      <td style="width:22%"></td>
+                      <td style="width:78%; text-align:right">
+                        <small><?=gettext("full help"); ?> </small>
+                        <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i>  <?=gettext("Enable");?></td>
+                      <td>
+                        <input name="enable" type="checkbox" value="yes" <?php if ($pconfig['enable']) echo "checked=\"checked\""; ?> />
+                        <strong><?= sprintf(gettext("Enable DHCPv6 server on " . "%s " ."interface"),!empty($config['interfaces'][$if]['descr']) ? htmlspecialchars($config['interfaces'][$if]['descr']) : strtoupper($if));?></strong>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Subnet");?></td>
+                      <td><?= $subnet_start ?></td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Subnet mask");?></td>
+                      <td><?= htmlspecialchars($ifcfgsn) ?> <?= gettext('bits') ?></td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Available range') ?></td>
+                      <td>
+<?php if ($subnet_start == $subnet_end): ?>
+                        <span class="text-danger"><?= gettext('No available address range for configured interface subnet size.') ?></span>
+<?php else: ?>
+                        <?= $subnet_start ?> - <?= $subnet_end ?>
+<?php endif ?>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_range" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Range");?></td>
+                      <td>
+                        <table class="table table-condensed">
+                          <thead>
+                            <tr>
+                              <th><?=gettext("from");?></th>
+                              <th><?=gettext("to");?></th>
+                            </tr>
+                          </thead>
+                          <tbody>
+                            <tr>
+                              <td><input name="range_from" type="text" id="range_from" value="<?=$pconfig['range_from'];?>" /></td>
+                              <td><input name="range_to" type="text" id="range_to" value="<?=$pconfig['range_to'];?>" /> </td>
+                            </tr>
+                          </tbody>
+                        </table>
+                        <div class="hidden" data-for="help_for_range">
+<?php if (!isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])): ?>
+                          <?= gettext('The range should be entered using the full IPv6 address.') ?>
+<?php else: ?>
+                          <?= gettext('The range should be entered using the suffix part of the IPv6 address, i.e. ::1:2:3:4. ' .
+                            'The subnet prefix will be added automatically.') ?>
+<?php endif ?>
+                      </td>
+                    </tr>
+<?php if ($pdlen >= 0): ?>
+                     <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Available prefix delegation size");?></td>
+                      <td><?= 64 - $pdlen ?> <?= gettext('bits') ?></td>
+                    </tr>
+<?php endif ?>
+                    <tr>
+                      <td><a id="help_for_prefixrange" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Prefix Delegation Range");?></td>
+                      <td>
+                        <table class="table table-condensed">
+                          <thead>
+                            <tr>
+                              <th><?=gettext("from");?></th>
+                              <th><?=gettext("to");?></th>
+                            </tr>
+                          </thead>
+                          <tbody>
+                            <tr>
+                              <td><input name="prefixrange_from" type="text" id="range_from" value="<?=$pconfig['prefixrange_from'];?>" /></td>
+                              <td><input name="prefixrange_to" type="text" id="range_to" value="<?=$pconfig['prefixrange_to'];?>" /> </td>
+                            </tr>
+                            <tr>
+                              <td>
+                                <strong><?=gettext("Prefix Delegation Size"); ?>:</strong>
+                                <select name="prefixrange_length" id="prefixrange_length">
+<?php for ($i = 48; $i <= 64; $i++): ?>
+                                  <option value="<?= $i ?>" <?=$pconfig['prefixrange_length'] == $i ? 'selected="selected"' : '' ?>><?= $i ?></option>
+<?php endfor ?>
+                                </select>
+                              </td>
+                              <td></td>
+                          </tbody>
+                        </table>
+                        <div class="hidden" data-for="help_for_prefixrange">
+                          <?= gettext("You can define a Prefix range here for DHCP Prefix Delegation. This allows for assigning networks to subrouters. " .
+                          "The start and end of the range must end on boundaries of the prefix delegation size."); ?>
+                           <?= gettext("Ensure that any prefix delegation range does not overlap the LAN prefix range."); ?>
+<?php if (isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])): ?>
+                          <br/><br/>
+                          <?= gettext('When using a tracked interface then please only enter the range itself, i.e. ::xxxx:0:0:0:0. ' .
+                            'For example, for a /56 delegation from ::100:0:0:0:0 to ::f00:0:0:0:0. ' .
+                            'Also make sure that the desired prefix delegation size is not longer than the available size shown above.') ?>
+<?php endif ?>
+                          <br/><br/>
+                          <?= gettext('The system does not check the validity of your entry against the selected mask - please refer to an online net ' .
+                            'calculator to ensure you have entered a correct range if the dhcpd6 server fails to start.') ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_dns" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DNS servers");?></td>
+                      <td>
+                        <input name="dns1" type="text" id="dns1" value="<?=$pconfig['dns1'];?>" /><br />
+                        <input name="dns2" type="text" id="dns2" value="<?=$pconfig['dns2'];?>" />
+                        <div class="hidden" data-for="help_for_dns">
+                          <?= gettext('Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers.') ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_domainsearchlist" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Domain search list");?></td>
+                      <td>
+                        <input name="domainsearchlist" type="text" id="domainsearchlist" value="<?=$pconfig['domainsearchlist'];?>" />
+                        <div class="hidden" data-for="help_for_domainsearchlist">
+                          <?=gettext("The default is to use the domain name of this system as the domain search list option provided by DHCPv6. You may optionally specify one or multiple domain(s) here. Use the semicolon character as separator. The first domain in this list will also be used for DNS registration of DHCP static mappings (if enabled).");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_defaultleasetime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Default lease time");?> (<?=gettext("seconds");?>)</td>
+                      <td>
+                        <input name="defaultleasetime" type="text" value="<?=$pconfig['defaultleasetime'];?>" />
+                        <div class="hidden" data-for="help_for_defaultleasetime">
+                          <?=gettext("This is used for clients that do not ask for a specific expiration time."); ?><br />
+                          <?=gettext("The default is 7200 seconds.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_maxleasetime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum lease time");?> (<?=gettext("seconds");?>)</td>
+                      <td>
+                        <input name="maxleasetime" type="text" id="maxleasetime" size="10" value="<?=$pconfig['maxleasetime'];?>" />
+                        <div class="hidden" data-for="help_for_maxleasetime">
+                          <?=gettext("This is the maximum lease time for clients that ask for a specific expiration time."); ?><br />
+                          <?=gettext("The default is 86400 seconds.");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_minsecs" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Response delay");?> (<?=gettext("seconds");?>)</td>
+                      <td>
+                       <input name="minsecs" type="text" value="<?=$pconfig['minsecs'];?>" />
+                        <div class="hidden" data-for="help_for_minsecs">
+                          <?=gettext("This is the minimum number of seconds since a client began trying to acquire a new lease before the DHCP server will respond to its request."); ?><br />
+                          <?=gettext("The default is 0 seconds (no delay).");?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><a id="help_for_dhcpv6leaseinlocaltime" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Time format change"); ?></td>
+                      <td>
+                        <input name="dhcpv6leaseinlocaltime" type="checkbox" id="dhcpv6leaseinlocaltime" value="yes" <?=!empty($pconfig['dhcpv6leaseinlocaltime']) ? "checked=\"checked\"" : ""; ?> />
+                        <strong>
+                          <?=gettext("Change DHCPv6 display lease time from UTC to local time."); ?>
+                        </strong>
+                        <div class="hidden" data-for="help_for_dhcpv6leaseinlocaltime">
+                          <?=gettext("By default DHCPv6 leases are displayed in UTC time. By checking this box DHCPv6 lease time will be displayed in local time and set to time zone selected. This will be used for all DHCPv6 interfaces lease time."); ?>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Dynamic DNS");?></td>
+                      <td>
+                        <div id="showddnsbox">
+                          <input type="button" onclick="show_ddns_config()" value="<?= html_safe(gettext('Advanced')) ?>" class="btn btn-xs btn-default"/> - <?=gettext("Show Dynamic DNS");?>
+                        </div>
+                        <div id="showddns" style="display:none">
+                          <input type="checkbox" value="yes" name="ddnsupdate" id="ddnsupdate" <?php if ($pconfig['ddnsupdate']) echo " checked=\"checked\""; ?> />&nbsp;
+                          <b><?=gettext("Enable registration of DHCP client names in DNS.");?></b><br />
+                          <?=gettext("Note: Leave blank to disable dynamic DNS registration.");?><br />
+                          <?=gettext("Enter the dynamic DNS domain which will be used to register client names in the DNS server.");?>
+                          <input name="ddnsdomain" type="text" id="ddnsdomain" value="<?=$pconfig['ddnsdomain'];?>" />
+                          <?=gettext("Enter the primary domain name server IP address for the dynamic domain name.");?><br />
+                          <input name="ddnsdomainprimary" type="text" id="ddnsdomainprimary" size="20" value="<?=$pconfig['ddnsdomainprimary'];?>" />
+                          <?=gettext("Enter the dynamic DNS domain key name which will be used to register client names in the DNS server.");?>
+                          <input name="ddnsdomainkeyname" type="text" id="ddnsdomainkeyname" size="20" value="<?=$pconfig['ddnsdomainkeyname'];?>" />
+                          <?=gettext("Enter the dynamic DNS domain key secret which will be used to register client names in the DNS server.");?>
+                          <input name="ddnsdomainkey" type="text" id="ddnsdomainkey" size="20" value="<?=$pconfig['ddnsdomainkey'];?>" />
+                          <?=gettext("Choose the dynamic DNS domain key algorithm.");?><br />
+                          <select name='ddnsdomainalgorithm' id="ddnsdomainalgorithm" class="selectpicker">
+<?php
+                          foreach (array("hmac-md5", "hmac-sha512") as $algorithm) :?>
+                              <option value="<?=$algorithm;?>" <?=$pconfig['ddnsdomainalgorithm'] == $algorithm ? "selected=\"selected\"" :"";?>>
+                                <?=$algorithm;?>
+                              </option>
+<?php
+                          endforeach; ?>
+                          </select>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("NTP servers");?></td>
+                      <td>
+                        <div id="showntpbox">
+                          <input type="button" onclick="show_ntp_config()" value="<?= html_safe(gettext('Advanced')) ?>" class="btn btn-xs btn-default"/> - <?=gettext("Show NTP configuration");?>
+                        </div>
+                        <div id="showntp" style="display:none">
+                          <input name="ntp1" type="text" id="ntp1" value="<?=$pconfig['ntp1'];?>" /><br />
+                          <input name="ntp2" type="text" id="ntp2" value="<?=$pconfig['ntp2'];?>" />
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Enable network booting");?></td>
+                      <td>
+                        <div id="shownetbootbox">
+                          <input type="button" onclick="show_netboot_config()" value="<?= html_safe(gettext('Advanced')) ?>" class="btn btn-xs btn-default"/> - <?=gettext("Show Network booting");?>
+                        </div>
+                        <div id="shownetboot" style="display:none">
+                          <input type="checkbox" value="yes" name="netboot" id="netboot" <?=!empty($pconfig['netboot']) ? 'checked="checked"' : ""; ?> />
+                          <b><?=gettext("Enables network booting.");?></b>
+                          <br/>
+                          <?=gettext("Enter the Bootfile URL");?>
+                          <input name="bootfile_url" type="text" id="bootfile_url" value="<?=$pconfig['bootfile_url'];?>" />
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Additional BOOTP/DHCP Options");?></td>
+                      <td>
+                        <div id="shownumbervaluebox">
+                          <input type="button" onclick="show_shownumbervalue()" value="<?= html_safe(gettext('Advanced')) ?>" class="btn btn-xs btn-default"/> - <?=gettext("Show Additional BOOTP/DHCP Options");?>
+                        </div>
+                        <div id="shownumbervalue" style="display:none">
+                          <table class="table table-striped table-condensed" id="numberoptions_table">
+                            <thead>
+                              <tr>
+                                <th></th>
+                                <th id="detailsHeading1"><?=gettext("Number"); ?></th>
+                                <th id="detailsHeading3"><?=gettext("Type"); ?></th>
+                                <th id="updatefreqHeader" ><?=gettext("Value");?></th>
+                              </tr>
+                            </thead>
+                            <tbody>
+<?php
+                            if (empty($pconfig['numberoptions']['item'])) {
+                                $numberoptions = array();
+                                $numberoptions[] = array('number' => null, 'value' => null, 'type' => null);
+                            } else {
+                                $numberoptions = $pconfig['numberoptions']['item'];
+                            }
+                            foreach($numberoptions as $item):?>
+                              <tr>
+                                <td>
+                                  <div style="cursor:pointer;" class="act-removerow btn btn-default btn-xs"><i class="fa fa-minus fa-fw"></i></div>
+                                </td>
+                                <td>
+                                  <input name="numberoptions_number[]" type="text" value="<?=$item['number'];?>" />
+                                </td>
+                                <td>
+                                  <select name="numberoptions_type[]">
+                                    <option value="text" <?=$item['type'] == "text" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Text');?>
+                                    </option>
+                                    <option value="string" <?=$item['type'] == "string" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('String');?>
+                                    </option>
+                                    <option value="boolean" <?=$item['type'] == "boolean" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Boolean');?>
+                                    </option>
+                                    <option value="unsigned integer 8" <?=$item['type'] == "unsigned integer 8" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Unsigned 8-bit integer');?>
+                                    </option>
+                                    <option value="unsigned integer 16" <?=$item['type'] == "unsigned integer 16" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Unsigned 16-bit integer');?>
+                                    </option>
+                                    <option value="unsigned integer 32" <?=$item['type'] == "unsigned integer 32" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Unsigned 32-bit integer');?>
+                                    </option>
+                                    <option value="signed integer 8" <?=$item['type'] == "signed integer 8" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Signed 8-bit integer');?>
+                                    </option>
+                                    <option value="signed integer 16" <?=$item['type'] == "signed integer 16" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Signed 16-bit integer');?>
+                                    </option>
+                                    <option value="signed integer 32" <?=$item['type'] == "signed integer 32" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('Signed 32-bit integer');?>
+                                    </option>
+                                    <option value="ip-address" <?=$item['type'] == "ip-address" ? "selected=\"selected\"" : "";?>>
+                                      <?=gettext('IP address or host');?>
+                                    </option>
+                                  </select>
+                                </td>
+                                <td> <input name="numberoptions_value[]" type="text" value="<?=$item['value'];?>" /> </td>
+                              </tr>
+<?php
+                            endforeach;?>
+                            </tbody>
+                            <tfoot>
+                              <tr>
+                                <td colspan="4">
+                                  <div id="addNew" style="cursor:pointer;" class="btn btn-default btn-xs"><i class="fa fa-plus fa-fw"></i></div>
+                                </td>
+                              </tr>
+                            </tfoot>
+                          </table>
+                          <div class="hidden" data-for="help_for_numberoptions">
+                          <?= sprintf(gettext("Enter the DHCP option number and the value for each item you would like to include in the DHCP lease information. For a list of available options please visit this %sURL%s."),'<a href="https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2" target="_blank">','</a>') ?>
+                          </div>
+                        </div>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>&nbsp;</td>
+                      <td>
+                        <input name="if" type="hidden" value="<?=$if;?>" />
+                        <input name="submit" type="submit" class="formbtn btn btn-primary" value="<?=html_safe(gettext('Save'));?>"/>
+                      </td>
+                    </tr>
+                  </table>
+                </div>
+              </form>
+            </div>
+          </section>
+
+          <section class="col-xs-12">
+            <div class="tab-content content-box col-xs-12">
+                <div class="table-responsive">
+                  <table class="tabcont table table-striped" style="width:100%; border:0;">
+                    <tr>
+                      <th colspan="5"><?= gettext('DHCPv6 Static Mappings for this interface.') ?></th>
+                    </tr>
+                    <tr>
+                      <td><?=gettext("DUID");?></td>
+                      <td><?=gettext("IPv6 address");?></td>
+                      <td><?=gettext("Hostname");?></td>
+                      <td><?=gettext("Description");?></td>
+                      <td class="text-nowrap">
+                        <a href="services_dhcpv6_edit.php?if=<?=$if;?>" class="btn btn-primary btn-xs"><i class="fa fa-plus fa-fw"></i></a>
+                      </td>
+                    </tr>
+<?php
+                    if (!empty($config['dhcpdv6'][$if]['staticmap'])):
+                      $i = 0;
+                      foreach ($config['dhcpdv6'][$if]['staticmap'] as $mapent): ?>
+                    <tr>
+                      <td><?=htmlspecialchars($mapent['duid']);?></td>
+                      <td><?=isset($mapent['ipaddrv6']) ? htmlspecialchars($mapent['ipaddrv6']) : "";?></td>
+                      <td><?=htmlspecialchars($mapent['hostname']);?></td>
+                      <td><?=htmlspecialchars($mapent['descr']);?></td>
+                      <td class="text-nowrap">
+                        <a href="services_dhcpv6_edit.php?if=<?=$if;?>&amp;id=<?=$i;?>" class="btn btn-default btn-xs"><i class="fa fa-pencil fa-fw"></i></a>
+                        <button type="button" data-if="<?=$if;?>" data-id="<?=$i;?>" class="act_delete_static btn btn-xs btn-default"><i class="fa fa-trash fa-fw"></i></button>
+                      </td>
+                    </tr>
+<?php
+                      $i++;
+                      endforeach;
+                    endif; ?>
+                  </table>
+                </div>
+              </div>
+          </section>
+        </div>
+      </div>
+    </section>
+<?php include("foot.inc"); ?>
diff --git a/net/isc-dhcp/src/www/services_dhcpv6_edit.php b/net/isc-dhcp/src/www/services_dhcpv6_edit.php
new file mode 100644
index 0000000000..b7fe8cb0b4
--- /dev/null
+++ b/net/isc-dhcp/src/www/services_dhcpv6_edit.php
@@ -0,0 +1,273 @@
+<?php
+
+/*
+ * Copyright (C) 2014-2016 Deciso B.V.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>
+ * Copyright (C) 2011 Seth Mos <seth.mos@dds.nl>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("interfaces.inc");
+
+if ($_SERVER['REQUEST_METHOD'] === 'GET') {
+    // handle identifiers and action
+    if (!empty($_GET['if']) && !empty($config['interfaces'][$_GET['if']])) {
+        $if = $_GET['if'];
+    } else {
+        header(url_safe('Location: /services_dhcpv6.php'));
+        exit;
+    }
+    if (isset($if) && isset($_GET['id']) && !empty($config['dhcpdv6'][$if]['staticmap'][$_GET['id']])) {
+        $id = $_GET['id'];
+    }
+
+    // read form data
+    $pconfig = array();
+    $config_copy_fieldnames = array('duid', 'hostname', 'ipaddrv6', 'filename' ,'rootpath' ,'descr', 'domain', 'domainsearchlist');
+    foreach ($config_copy_fieldnames as $fieldname) {
+        if (isset($if) && isset($id) && isset($config['dhcpdv6'][$if]['staticmap'][$id][$fieldname])) {
+            $pconfig[$fieldname] = $config['dhcpdv6'][$if]['staticmap'][$id][$fieldname];
+        } elseif (isset($_GET[$fieldname])) {
+            $pconfig[$fieldname] = $_GET[$fieldname];
+        } else {
+            $pconfig[$fieldname] = null;
+        }
+    }
+
+    // backward compatibility: migrate 'domain' to 'domainsearchlist'
+    if (empty($pconfig['domainsearchlist'])) {
+        $pconfig['domainsearchlist'] = $pconfig['domain'];
+    }
+
+} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $input_errors = array();
+    $pconfig = $_POST;
+
+    // handle identifiers and actions
+    if (!empty($pconfig['if']) && !empty($config['interfaces'][$pconfig['if']])) {
+        $if = $pconfig['if'];
+    }
+    if (!empty($config['dhcpdv6'][$if]['staticmap'][$pconfig['id']])) {
+        $id = $pconfig['id'];
+    }
+
+    config_read_array('dhcpdv6', $if, 'staticmap');
+
+    /* input validation */
+    if (!empty($pconfig['hostname'])) {
+        preg_match("/\-\$/", $pconfig['hostname'], $matches);
+        if ($matches) {
+            $input_errors[] = gettext("The hostname cannot end with a hyphen according to RFC952");
+        }
+        if (!is_hostname($pconfig['hostname'])) {
+            $input_errors[] = gettext("The hostname can only contain the characters A-Z, 0-9 and '-'.");
+        } elseif (strpos($pconfig['hostname'],'.')) {
+            $input_errors[] = gettext("A valid hostname is specified, but the domain name part should be omitted");
+        }
+    }
+    if (!empty($pconfig['ipaddrv6']) && !is_ipaddrv6($pconfig['ipaddrv6'])) {
+        $input_errors[] = gettext("A valid IPv6 address must be specified.");
+    }
+
+    if (!empty($pconfig['duid'])) {
+        $pconfig['duid'] = str_replace("-",":",$pconfig['duid']);
+        if( preg_match('/^([a-fA-F0-9]{2}[:])*([a-fA-F0-9]{2}){1}$/', $pconfig['duid']) !== 1) {
+            $input_errors[] = gettext("A valid DUID Identifier must be specified.");
+        }
+    }
+
+    if (!empty($pconfig['domainsearchlist'])) {
+        $domain_array=preg_split("/[ ;]+/",$pconfig['domainsearchlist']);
+        foreach ($domain_array as $curdomain) {
+            if (!is_domain($curdomain, true)) {
+                $input_errors[] = gettext("A valid domain search list must be specified.");
+                break;
+            }
+        }
+    }
+
+    /* check for overlaps */
+    $a_maps = &config_read_array('dhcpdv6', $if, 'staticmap');
+    foreach ($a_maps as $mapent) {
+        if (isset($id) && ($a_maps[$id] === $mapent)) {
+            continue;
+        }
+        if ((($mapent['hostname'] == $pconfig['hostname']) && $mapent['hostname'])  || ($mapent['duid'] == $pconfig['duid'])) {
+            $input_errors[] = gettext("This Hostname, IP or DUID Identifier already exists.");
+            break;
+        }
+    }
+    if (count($input_errors) == 0) {
+        $mapent = array();
+        $config_copy_fieldnames = array('duid', 'ipaddrv6', 'hostname', 'descr', 'filename', 'rootpath', 'domainsearchlist');
+        foreach ($config_copy_fieldnames as $fieldname) {
+            if (!empty($pconfig[$fieldname])) {
+                $mapent[$fieldname] = $pconfig[$fieldname];
+            }
+        }
+
+        if (isset($id)) {
+            $config['dhcpdv6'][$if]['staticmap'][$id] = $mapent;
+        } else {
+            $config['dhcpdv6'][$if]['staticmap'][] = $mapent;
+        }
+
+        usort($config['dhcpdv6'][$if]['staticmap'], function ($a, $b) {
+            return ipcmp($a['ipaddrv6'], $b['ipaddrv6']);
+        });
+
+        write_config();
+
+        if (isset($config['dhcpdv6'][$if]['enable'])) {
+            mark_subsystem_dirty('staticmapsv6');
+        }
+
+        header(url_safe('Location: /services_dhcpv6.php?if=%s', array($if)));
+        exit;
+    }
+}
+
+$service_hook = 'dhcpd6';
+
+legacy_html_escape_form_data($pconfig);
+
+include("head.inc");
+
+?>
+
+<body>
+<?php include("fbegin.inc"); ?>
+  <section class="page-content-main">
+    <div class="container-fluid">
+      <div class="row">
+        <?php if (isset($input_errors) && count($input_errors) > 0) print_input_errors($input_errors); ?>
+        <section class="col-xs-12">
+          <div class="content-box">
+            <form method="post" name="iform" id="iform">
+              <div class="table-responsive">
+                <table class="table table-striped opnsense_standard_table_form">
+                  <tr>
+                    <td style="width:22%"><strong><?=gettext("Static DHCPv6 Mapping");?></strong></td>
+                    <td style="width:78%; text-align:right">
+                      <small><?=gettext("full help"); ?> </small>
+                      <i class="fa fa-toggle-off text-danger"  style="cursor: pointer;" id="show_all_help_page"></i>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_duid" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DUID Identifier");?></td>
+                    <td>
+                      <input name="duid" type="text" value="<?=$pconfig['duid'];?>" />
+                      <div class="hidden" data-for="help_for_duid">
+                        <?= gettext('Enter a DUID Identifier in the following format:') ?><br />
+                        "<?= gettext('DUID-LLT - ETH -- TIME --- ---- ADDR ----') ?>" <br />
+                        "xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx"
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_ipaddrv6" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv6 address");?></td>
+                    <td>
+                      <input name="ipaddrv6" type="text" value="<?=$pconfig['ipaddrv6'];?>" />
+                      <div class="hidden" data-for="help_for_ipaddrv6">
+                        <?=gettext("If an IPv6 address is entered, the address must be outside of the pool.");?>
+                        <br />
+                        <?=gettext("If no IPv6 address is given, one will be dynamically allocated from the pool.");?>
+                        <br />
+                        <?= gettext("When using a static WAN address, this should be entered using the full IPv6 address. " .
+                        "When using a dynamic WAN address, only enter the suffix part (i.e. ::1:2:3:4)."); ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_hostname" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Hostname");?></td>
+                    <td>
+                      <input name="hostname" type="text" value="<?=$pconfig['hostname'];?>" />
+                      <div class="hidden" data-for="help_for_hostname">
+                        <?=gettext("Name of the host, without domain part.");?>
+                        <?=gettext("If no IP address is given above, hostname will not be visible to DNS services with lease registration enabled.");?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_domainsearchlist" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Domain search list");?></td>
+                    <td>
+                      <input name="domainsearchlist" type="text" value="<?=$pconfig['domainsearchlist'];?>" />
+                      <div class="hidden" data-for="help_for_domainsearchlist">
+                        <?=gettext("If you want to use a custom domain search list for this host, you may optionally specify one or multiple domains here. " .
+                        "Use the semicolon character as separator. The first domain in this list will also be used for DNS registration of this host if enabled. " .
+                        "If empty, the first domain in the interface's domain search list will be used. If this is empty, too, the system domain will be used.");?>
+                      </div>
+                    </td>
+                  </tr>
+<?php if (isset($config['dhcpdv6'][$if]['netboot'])): ?>
+                  <tr>
+                    <td><a id="help_for_filename" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Netboot filename') ?></td>
+                    <td>
+                      <input name="filename" type="text" value="<?=$pconfig['filename'];?>" />
+                      <div class="hidden" data-for="help_for_filename">
+                        <?= gettext('Name of the file that should be loaded when this host boots off of the network, overrides setting on main page.') ?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td><a id="help_for_rootpath" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Root Path') ?></td>
+                    <td>
+                      <input name="rootpath" type="text" value="<?=$pconfig['rootpath'];?>" />
+                      <div class="hidden" data-for="help_for_rootpath">
+                        <?= gettext('Enter the root-path-string, overrides setting on main page.') ?>
+                      </div>
+                    </td>
+                  </tr>
+<?php
+              endif;?>
+                  <tr>
+                    <td><a id="help_for_descr" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Description");?></td>
+                    <td>
+                      <input name="descr" type="text" value="<?=$pconfig['descr'];?>" />
+                      <div class="hidden" data-for="help_for_descr">
+                        <?=gettext("You may enter a description here for your reference (not parsed).");?>
+                      </div>
+                    </td>
+                  </tr>
+                  <tr>
+                    <td></td>
+                    <td>
+                      <input name="Submit" type="submit" class="formbtn btn btn-primary" value="<?=html_safe(gettext('Save'));?>" />
+                      <input type="button" class="formbtn btn btn-default" value="<?=html_safe(gettext('Cancel'));?>" onclick="window.location.href='/services_dhcpv6.php?if=<?= html_safe($if) ?>'" />
+                      <?php if (isset($id)): ?>
+                      <input name="id" type="hidden" value="<?=$id;?>" />
+                      <?php endif; ?>
+                      <input name="if" type="hidden" value="<?=$if;?>" />
+                    </td>
+                  </tr>
+                </table>
+              </div>
+            </form>
+          </div>
+        </section>
+      </div>
+    </div>
+  </section>
+<?php include("foot.inc"); ?>

From c8781d24b1e7c3817a0a3db6426087541821f5be Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jan 2026 14:23:51 +0100
Subject: [PATCH 2852/3088] net/isc-dhcp: more files

PR: PR: https://github.com/opnsense/core/issues/9155
---
 LICENSE                                       |   2 +-
 .../opnsense/scripts/dhcp/cleanup_leases4.php | 117 ++++++++++++
 .../opnsense/scripts/dhcp/cleanup_leases6.php | 108 +++++++++++
 .../src/opnsense/scripts/dhcp/get_leases.py   |  53 ++++++
 .../src/opnsense/scripts/dhcp/get_leases6.py  | 171 ++++++++++++++++++
 .../src/opnsense/scripts/dhcp/prefixes.php    | 138 ++++++++++++++
 .../src/opnsense/scripts/dhcp/prefixes.sh     |  40 ++++
 .../service/conf/actions.d/actions_dhcpd.conf |  50 +++++
 .../conf/actions.d/actions_dhcpd6.conf        |  50 +++++
 9 files changed, 728 insertions(+), 1 deletion(-)
 create mode 100755 net/isc-dhcp/src/opnsense/scripts/dhcp/cleanup_leases4.php
 create mode 100755 net/isc-dhcp/src/opnsense/scripts/dhcp/cleanup_leases6.php
 create mode 100755 net/isc-dhcp/src/opnsense/scripts/dhcp/get_leases.py
 create mode 100755 net/isc-dhcp/src/opnsense/scripts/dhcp/get_leases6.py
 create mode 100755 net/isc-dhcp/src/opnsense/scripts/dhcp/prefixes.php
 create mode 100755 net/isc-dhcp/src/opnsense/scripts/dhcp/prefixes.sh
 create mode 100644 net/isc-dhcp/src/opnsense/service/conf/actions.d/actions_dhcpd.conf
 create mode 100644 net/isc-dhcp/src/opnsense/service/conf/actions.d/actions_dhcpd6.conf

diff --git a/LICENSE b/LICENSE
index 86260d122a..87e14c2672 100644
--- a/LICENSE
+++ b/LICENSE
@@ -79,7 +79,7 @@ Copyright (c) 2025 Renat Gorbushin
 Copyright (c) 2022 Robbert Rijkse
 Copyright (c) 2023 sattamjh
 Copyright (c) 2004-2012 Scott Ullrich <sullrich@gmail.com>
-Copyright (c) 2010-2011 Seth Mos <seth.mos@dds.nl>
+Copyright (c) 2010-2012 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2024 Sheridan Computers
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2018 Smart-Soft
diff --git a/net/isc-dhcp/src/opnsense/scripts/dhcp/cleanup_leases4.php b/net/isc-dhcp/src/opnsense/scripts/dhcp/cleanup_leases4.php
new file mode 100755
index 0000000000..ed10d5548e
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/scripts/dhcp/cleanup_leases4.php
@@ -0,0 +1,117 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2022 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("config.inc");
+require_once("util.inc");
+require_once("interfaces.inc");
+require_once("plugins.inc.d/dhcpd.inc");
+
+$dhcp_lease_file = "/var/dhcpd/var/db/dhcpd.leases";
+$opts = getopt('d::f::hms', []);
+
+if (isset($opts['h']) || empty($opts)) {
+    echo "Usage: cleanup_leases4.php [-h]\n\n";
+    echo "\t-h show this help text and exit\n";
+    echo "\t-m cleanup static mac addresses\n";
+    echo "\t-s restart service (required when service is active)\n";
+    echo "\t-d=xxx remove ip address\n";
+    echo "\t-f=dhcpd.leases file (default = /var/dhcpd/var/db/dhcpd.leases)\n";
+    exit(0);
+}
+
+
+if (!empty($opts['f'])) {
+    $dhcp_lease_file = $opts['f'];
+}
+// collect map of addresses to remove
+$addresses = [];
+if (isset($opts['m'])) {
+    foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) {
+        if (!empty($dhcpifconf['staticmap']) && !empty($dhcpifconf['enable'])) {
+            foreach ($dhcpifconf['staticmap'] as $static) {
+                if (!empty($static['mac']) && !empty($static['ipaddr'])) {
+                    $addresses[$static['mac']] = $static['ipaddr'];
+                }
+            }
+        }
+    }
+}
+if (!empty($opts['d'])) {
+    $addresses[] = $opts['d'];
+}
+
+if (isset($opts['s'])) {
+    killbypid('/var/dhcpd/var/run/dhcpd.pid');
+} elseif (isvalidpid('/var/dhcpd/var/run/dhcpd.pid')) {
+    echo "dhcpd active, can't update lease file";
+    exit(1);
+}
+
+
+
+$removed_leases = 0;
+$fin = @fopen($dhcp_lease_file, 'r+');
+$fout = @fopen($dhcp_lease_file . '.new', 'w');
+if ($fin && flock($fin, LOCK_EX)) {
+    $lease = '';
+    $lease_ip = '';
+    $lease_mac = ';';
+    while (($line = fgets($fin, 4096)) !== false) {
+        $fields = explode(' ', trim($line));
+        if (strpos($line, 'lease ') === 0) {
+            $lease_ip = trim($fields[1]);
+        } elseif (strpos($line, 'hardware ethernet ') > 0) {
+            $lease_mac = strtolower(trim($fields[2], ' \n;'));
+        }
+        $lease .= $line;
+
+        if ($line == "}\n") {
+            // end of segment, flush when relevant
+            $exact_match = isset($addresses[$lease_mac]) && $addresses[$lease_mac] == $lease_ip;
+            if ((!isset($addresses[$lease_mac]) && !in_array($lease_ip, $addresses)) || $exact_match) {
+                fputs($fout, $lease);
+            } else {
+                $removed_leases++;
+            }
+            $lease = '';
+            $lease_ip = '';
+            $lease_mac = ';';
+        }
+    }
+    flock($fin, LOCK_UN);
+    fclose($fin);
+    fclose($fout);
+    @unlink($dhcp_lease_file);
+    @rename($dhcp_lease_file . '.new', $dhcp_lease_file);
+}
+if (isset($opts['s'])) {
+    dhcpd_dhcp4_configure();
+}
+
+echo json_encode(["removed_leases" => $removed_leases]);
diff --git a/net/isc-dhcp/src/opnsense/scripts/dhcp/cleanup_leases6.php b/net/isc-dhcp/src/opnsense/scripts/dhcp/cleanup_leases6.php
new file mode 100755
index 0000000000..c8a9447ab0
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/scripts/dhcp/cleanup_leases6.php
@@ -0,0 +1,108 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2023 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("config.inc");
+require_once("util.inc");
+require_once("interfaces.inc");
+require_once("plugins.inc.d/dhcpd.inc");
+
+$dhcp_lease_file = "/var/dhcpd/var/db/dhcpd6.leases";
+$opts = getopt('d::f::hs', []);
+
+if (isset($opts['h']) || empty($opts)) {
+    echo "Usage: cleanup_leases6.php [-h]\n\n";
+    echo "\t-h show this help text and exit\n";
+    echo "\t-s restart service (required when service is active)\n";
+    echo "\t-d=xxx remove ipv6 address\n";
+    echo "\t-f=dhcpd6.leases file (default = /var/dhcpd/var/db/dhcpd6.leases)\n";
+    exit(0);
+}
+
+if (!empty($opts['f'])) {
+    $dhcp_lease_file = $opts['f'];
+}
+
+if (!empty($opts['d'])) {
+    $ip_to_remove = $opts['d'];
+}
+
+if (isset($opts['s'])) {
+    killbypid('/var/dhcpd/var/run/dhcpdv6.pid');
+} elseif (isvalidpid('/var/dhcpd/var/run/dhcpdv6.pid')) {
+    echo "dhcpdv6 active, can't update lease file";
+    exit(1);
+}
+
+$removed_leases = 0;
+$fin = @fopen($dhcp_lease_file, "r+");
+$fout = @fopen($dhcp_lease_file . ".new", "w");
+if ($fin && flock($fin, LOCK_EX)) {
+    $iaaddr = "";
+    $content_to_flush = array();
+    while (($line = fgets($fin, 4096)) !== false) {
+        $fields = explode(' ', trim($line));
+        if ($fields[0] == 'iaaddr') {
+            // lease segment, record ip
+            $iaaddr = trim($fields[1]);
+            $content_to_flush[] = $line;
+        } elseif ($fields[0] == 'ia-na' || count($content_to_flush) > 0) {
+            $content_to_flush[] = $line;
+        } else {
+            // output data directly if we're not in a "ia-na" section
+            fputs($fout, $line);
+        }
+
+        if ($line == "}\n") {
+            if ($iaaddr != $ip_to_remove) {
+                // write ia-na section
+                foreach ($content_to_flush as $cached_line) {
+                    fputs($fout, $cached_line);
+                }
+            } else {
+                $removed_leases++;
+                // skip empty line
+                fgets($fin, 4096);
+            }
+            // end of segment
+            $content_to_flush = array();
+            $iaaddr = "";
+        }
+    }
+    flock($fin, LOCK_UN);
+    fclose($fin);
+    fclose($fout);
+    @unlink($dhcp_lease_file);
+    @rename($dhcp_lease_file . ".new", $dhcp_lease_file);
+}
+
+if (isset($opts['s'])) {
+    dhcpd_dhcp6_configure();
+}
+
+echo json_encode(["removed_leases" => $removed_leases]);
diff --git a/net/isc-dhcp/src/opnsense/scripts/dhcp/get_leases.py b/net/isc-dhcp/src/opnsense/scripts/dhcp/get_leases.py
new file mode 100755
index 0000000000..8b20a86289
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/scripts/dhcp/get_leases.py
@@ -0,0 +1,53 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2017-2019 Ad Schellevis <ad@opnsense.org>
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+    --------------------------------------------------------------------------------------
+    list dhcp leases
+"""
+import sys
+sys.path.insert(0, "/usr/local/opnsense/site-python")
+import watchers.dhcpd
+import time
+import argparse
+import ujson
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--inactive', help='include inactive leases', default='0', type=str)
+args = parser.parse_args()
+
+last_leases = dict()
+result = list()
+dhcpdleases = watchers.dhcpd.DHCPDLease()
+for lease in dhcpdleases.watch():
+    # only the last entries for a given IP are relevant
+    last_leases[lease['address']] = lease
+
+for lease in last_leases.values():
+    if ('ends' in lease and lease['ends'] is not None and lease['ends'] > time.time()) or args.inactive == '1':
+        result.append(lease)
+
+print (ujson.dumps(result))
diff --git a/net/isc-dhcp/src/opnsense/scripts/dhcp/get_leases6.py b/net/isc-dhcp/src/opnsense/scripts/dhcp/get_leases6.py
new file mode 100755
index 0000000000..5315c06ab6
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/scripts/dhcp/get_leases6.py
@@ -0,0 +1,171 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2023 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+    --------------------------------------------------------------------------------------
+    list dhcpv6 leases
+"""
+import ujson
+import calendar
+import datetime
+import time
+import argparse
+
+def parse_date(dt):
+    try:
+        return calendar.timegm(datetime.datetime.strptime(dt.strip(), "%Y/%m/%d %H:%M:%S;").timetuple())
+    except ValueError:
+        return None
+
+def parse_iaaddr_iaprefix(input):
+    """
+    parse either an iaaddr or iaprefix segment. return a tuple
+    containing the type parsed and the corresponding segment
+    """
+    segment = dict()
+    for idx, line in enumerate(input):
+        parts = line.split(maxsplit=1)
+        if idx == 0:
+            segment[parts[0]] = parts[1].split()[0]
+        elif not parts[0]:
+            continue
+        elif parts[0] == 'binding':
+            segment[parts[0]] = parts[1].split()[1].strip(';')
+        elif parts[0] in ('preferred-life', 'max-life'):
+            segment[parts[0]] = parts[1].strip(';')[0]
+        elif parts[0] == 'ends':
+            segment[parts[0]] = parse_date(parts[1].split(maxsplit=1)[1])
+
+    return segment
+
+def parse_iaid_duid(input):
+    """
+    parse the combined IAID_DUID value. This is provided in octal format.
+    non-printable characters are provided as octal escapes.
+    We return the hex representation of the raw IAID_DUID value, the IAID integer,
+    as well as the separated DUID value in a dict. The IAID_DUID value is
+    used to uniquely identify a lease, so this value should be used to determine the last
+    relevant entry in the leases file.
+    """
+    parsed = []
+    i = 0
+    while i < len(input):
+        c = input[i]
+        if c == '\\':
+            next_c = input[i + 1]
+            if next_c == '\\' or next == '"':
+                parsed.append("%02x" % ord(next_c))
+                i += 1
+            elif next_c.isnumeric():
+                octal_to_decimal = int(input[i+1:i+4], 8)
+                parsed.append("%02x" % octal_to_decimal)
+                i += 3
+        else:
+            parsed.append("%02x" % ord(c))
+        i += 1
+
+    return {
+        'iaid': int(''.join(reversed(parsed[0:4])), 16),
+        'duid': ":".join([str(a) for a in parsed[4:]]),
+        'iaid_duid': ":".join([str(a) for a in parsed])
+    }
+
+def parse_lease(lines):
+    """
+    Parse a DHCPv6 lease. We return a two-tuple containing the combined iaid_duid
+    and the lease. a single lease may contain multiple addresses/prefixes.
+    """
+    lease = dict()
+    cur_segment = []
+    addresses = []
+    prefixes = []
+
+    for idx, line in enumerate(lines):
+        parts = line.split(maxsplit=1)
+        if idx == 0:
+            lease['lease_type'] = parts[0]
+            lease.update(parse_iaid_duid(parts[1][parts[1].index('"')+1:parts[1].rfind('"')]))
+        elif parts[0] == 'cltt' and len(parts) >= 2:
+            cltt = parse_date(parts[1].split(maxsplit=1)[1])
+            lease['cltt'] = cltt
+
+        if len(line) > 1 and line[0] == ' ' and '}' in line and len(cur_segment) > 0:
+            cur_segment.append(line)
+            segment = parse_iaaddr_iaprefix(cur_segment)
+            if 'iaaddr' in segment:
+                addresses.append(segment)
+            elif 'iaprefix' in segment:
+                prefixes.append(segment)
+            cur_segment = []
+        elif len(cur_segment) > 0 or parts[0] in ['iaaddr', 'iaprefix']:
+            cur_segment.append(line)
+
+    # ia_ta/ia_na (addresses) and ia_pd (prefixes) are mutually exclusive.
+    if addresses:
+        lease['addresses'] = addresses
+    elif prefixes:
+        lease['prefixes'] = prefixes
+
+    return lease
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('--inactive', help='include inactive leases', default='0', type=str)
+    args = parser.parse_args()
+    leasefile = '/var/dhcpd/var/db/dhcpd6.leases'
+    result = []
+    cur_lease = []
+    last_leases = dict()
+
+    try:
+        with open(leasefile, 'r') as leasef:
+            for line in leasef:
+                if len(line) > 5 and (line[0:5] == 'ia-ta' or line[0:5] == 'ia-na' or line[0:5] == 'ia-pd'):
+                    cur_lease.append(line)
+                elif len(line) > 1 and line[0] == '}' and len(cur_lease) > 0:
+                    cur_lease.append(line)
+                    parsed_lease = parse_lease(cur_lease)
+                    last_leases["%s,%s" % (parsed_lease['lease_type'], parsed_lease['iaid_duid'])] = parsed_lease
+                    cur_lease = []
+                elif len(cur_lease) > 0:
+                    cur_lease.append(line)
+    except IOError:
+        pass
+
+    for lease in last_leases.values():
+        if args.inactive == '1':
+            result.append(lease)
+        else:
+            for key in ('addresses', 'prefixes'):
+                if key in lease:
+                    for i in range(len(lease[key])):
+                        segment = lease[key][i]
+                        if not ('ends' in segment and segment['ends'] is not None and segment['ends'] > time.time()):
+                            del lease[key][i]
+                if key in lease and lease[key]:
+                    result.append(lease)
+
+    print(ujson.dumps(result))
diff --git a/net/isc-dhcp/src/opnsense/scripts/dhcp/prefixes.php b/net/isc-dhcp/src/opnsense/scripts/dhcp/prefixes.php
new file mode 100755
index 0000000000..92880ea10f
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/scripts/dhcp/prefixes.php
@@ -0,0 +1,138 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2022-2024 Franco Fichtner <franco@opnsense.org>
+ * Copyright (C) 2012 Seth Mos <seth.mos@dds.nl>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once 'config.inc';
+require_once 'interfaces.inc';
+require_once 'util.inc';
+require_once 'plugins.inc.d/dhcpd.inc';
+
+$leases_file = '/var/dhcpd/var/db/dhcpd6.leases';
+if (!file_exists($leases_file)) {
+    exit(1);
+}
+
+$duid_arr = [];
+foreach (new SplFileObject($leases_file) as $line) {
+    if (preg_match("/^(ia-[np][ad])[ ]+\"(.*?)\"/i ", $line, $duidmatch)) {
+        $type = $duidmatch[1];
+        $duid = $duidmatch[2];
+    } elseif (preg_match("/iaaddr[ ]+([0-9a-f:]+)[ ]+/i", $line, $addressmatch)) {
+        $ia_na = $addressmatch[1];
+    } elseif (preg_match("/iaprefix[ ]+([0-9a-f:\/]+)[ ]+/i", $line, $prefixmatch)) {
+        $ia_pd = $prefixmatch[1];
+    } elseif (preg_match("/binding state active/i", $line, $activematch)) {
+        $active = true;
+    } elseif (preg_match("/^}/i ", $line)) {
+        $iaid_duid = dhcpd_parse_duid($duid);
+        $duid = implode(':', $iaid_duid[1]);
+
+        switch ($type) {
+            case 'ia-na':
+                if (!empty($ia_na) && !empty($active)) {
+                    $duid_arr[$duid]['address'] = $ia_na;
+                }
+                break;
+            case 'ia-pd':
+                if (!empty($ia_pd) && !empty($active)) {
+                    if (empty($duid_arr[$duid]['prefix'])) {
+                        $duid_arr[$duid]['prefix'] = [];
+                    }
+                    $duid_arr[$duid]['prefix'][] = $ia_pd;
+                }
+                break;
+        }
+
+        unset($active);
+        unset($duid);
+        unset($ia_na);
+        unset($ia_pd);
+        unset($type);
+    }
+}
+
+/* since a route requires a gateway address try to derive it from static mapping as well */
+foreach (plugins_run('static_mapping:dhcpd') as $map) {
+    foreach ($map as $host) {
+        if (empty($host['duid'])) {
+            continue;
+        }
+
+        if (empty($duid_arr[$host['duid']])) {
+            continue;
+        }
+
+        if (!empty($host['ipaddrv6'])) {
+            $ipaddrv6 = $host['ipaddrv6'];
+
+            /* although link-local is not a real static mapping use it to reach the downstream router */
+            if (is_linklocal($ipaddrv6) && strpos($ipaddrv6, '%') === false) {
+                $ipaddrv6 .= '%' . get_real_interface($host['interface'], 'inet6');
+            }
+
+            /* we want static mapping to have a higher priority */
+            $duid_arr[$host['duid']]['address'] = $ipaddrv6;
+        }
+    }
+}
+
+$routes = [];
+
+/* collect expired leases */
+$dhcpd_log = shell_safe('opnsense-log -n dhcpd');
+if (!empty($dhcpd_log)) {
+    foreach (new SplFileObject($dhcpd_log) as $line) {
+        if (preg_match('/releases prefix ([0-9a-f:]+\/[0-9]+)/i', $line, $expire)) {
+            /* expire first, overwritten later when active */
+            $routes[$expire[1]] = null;
+        }
+    }
+}
+
+/* collect active leases */
+foreach ($duid_arr as $entry) {
+    if (!empty($entry['prefix']) && !empty($entry['address'])) {
+        foreach ($entry['prefix'] as $prefix) {
+            /* new or reassigned takes priority */
+            $routes[$prefix] = $entry['address'];
+        }
+    }
+}
+
+/* expire all first */
+foreach (array_keys($routes) as $prefix) {
+    mwexecfm('/sbin/route delete -inet6 %s', [$prefix]);
+}
+
+/* active route apply */
+foreach ($routes as $prefix => $address) {
+    if (!empty($address)) {
+        mwexecf('/sbin/route add -inet6 %s %s', [$prefix, $address]);
+    }
+}
diff --git a/net/isc-dhcp/src/opnsense/scripts/dhcp/prefixes.sh b/net/isc-dhcp/src/opnsense/scripts/dhcp/prefixes.sh
new file mode 100755
index 0000000000..00aeda5873
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/scripts/dhcp/prefixes.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Copyright (C) 2022 Franco Fichtner <franco@opnsense.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+#    this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+CHECKSUM="md5 -q"
+INTERVAL=${1:-20}
+LEASES="/var/dhcpd/var/db/dhcpd6.leases"
+PREVIOUS=
+
+while :; do
+	CURRENT=$(${CHECKSUM} ${LEASES})
+	if [ "${CURRENT}" != "${PREVIOUS}" ]; then
+		configctl dhcpd6 update prefixes
+		PREVIOUS=${CURRENT}
+	fi
+
+	sleep "${INTERVAL}"
+done
diff --git a/net/isc-dhcp/src/opnsense/service/conf/actions.d/actions_dhcpd.conf b/net/isc-dhcp/src/opnsense/service/conf/actions.d/actions_dhcpd.conf
new file mode 100644
index 0000000000..00ec71db8c
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/service/conf/actions.d/actions_dhcpd.conf
@@ -0,0 +1,50 @@
+[list.leases]
+command:/usr/local/opnsense/scripts/dhcp/get_leases.py
+parameters:--inactive %s
+type:script_output
+message:list dhcp leases %s
+
+[list.arp]
+command:/usr/sbin/arp
+parameters:-an --libxo json
+type:script_output
+message:list arp table
+
+[list.static]
+command:/usr/local/sbin/pluginctl -r static_mapping:dhcpd 4
+parameters:%s
+type:script_output
+message: list dhcp static mappings %s
+
+[start]
+command:/usr/local/sbin/pluginctl -s dhcpd start
+parameters:
+type:script
+message:Starting dhcpd
+description:Start DHCPd
+
+[stop]
+command:/usr/local/sbin/pluginctl -s dhcpd stop
+parameters:
+type:script
+message:Stopping dhcpd
+description:Stop DHCPd
+
+[restart]
+command:/usr/local/sbin/pluginctl -s dhcpd restart
+parameters:%s
+type:script
+message:Restarting %s dhcpd
+description:Restart DHCPd
+
+[status]
+command:/usr/local/sbin/pluginctl -s dhcpd status
+parameters:
+type:script_output
+message:Request DHCPd status
+
+[remove.lease]
+command:/usr/local/opnsense/scripts/dhcp/cleanup_leases4.php
+parameters:-d=%s -s
+type:script_output
+message:remove lease for %s
diff --git a/net/isc-dhcp/src/opnsense/service/conf/actions.d/actions_dhcpd6.conf b/net/isc-dhcp/src/opnsense/service/conf/actions.d/actions_dhcpd6.conf
new file mode 100644
index 0000000000..6dbcbc49f5
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/service/conf/actions.d/actions_dhcpd6.conf
@@ -0,0 +1,50 @@
+[list.leases]
+command:/usr/local/opnsense/scripts/dhcp/get_leases6.py
+parameters:--inactive %s
+type:script_output
+message:list dhcpv6 leases %s
+
+[list.static]
+command:/usr/local/sbin/pluginctl -r static_mapping:dhcpd 6
+parameters:%s
+type:script_output
+message: list dhcpv6 static mappings %s
+
+[update.prefixes]
+command:/usr/local/opnsense/scripts/dhcp/prefixes.php
+parameters:
+type:script
+message:update IPv6 prefixes
+
+[start]
+command:/usr/local/sbin/pluginctl -s dhcpd6 start
+parameters:
+type:script
+message:Starting dhcpd6
+description:Start DHCPd6
+
+[stop]
+command:/usr/local/sbin/pluginctl -s dhcpd6 stop
+parameters:
+type:script
+message:Stopping dhcpd6
+description:Stop DHCPd6
+
+[restart]
+command:/usr/local/sbin/pluginctl -s dhcpd6 restart
+parameters:%s
+type:script
+message:Restarting %s dhcpd6
+description:Restart DHCPd6
+
+[status]
+command:/usr/local/sbin/pluginctl -s dhcpd6 status
+parameters:
+type:script_output
+message:Request DHCPd6 status
+
+[remove.lease]
+command:/usr/local/opnsense/scripts/dhcp/cleanup_leases6.php
+parameters:-d=%s -s
+type:script_output
+message:remove lease for %s

From 3af383e1e05b3a6831f7ed1f3d75ed0b17a77756 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jan 2026 14:47:38 +0100
Subject: [PATCH 2853/3088] net/isc-dhcp: ACL and Menus

PR: https://github.com/opnsense/core/issues/9155
---
 .../app/models/OPNsense/DHCPv4/ACL/ACL.xml    | 28 +++++++++++++++++++
 .../app/models/OPNsense/DHCPv4/Menu/Menu.xml  |  8 ++++++
 .../app/models/OPNsense/DHCPv6/ACL/ACL.xml    | 21 ++++++++++++++
 .../app/models/OPNsense/DHCPv6/Menu/Menu.xml  |  7 +++++
 4 files changed, 64 insertions(+)
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/ACL/ACL.xml
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.xml
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv6/ACL/ACL.xml
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv6/Menu/Menu.xml

diff --git a/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/ACL/ACL.xml b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/ACL/ACL.xml
new file mode 100644
index 0000000000..1be674d634
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/ACL/ACL.xml
@@ -0,0 +1,28 @@
+<acl>
+    <page-diagnostics-logs-dhcp>
+        <name>Services: ISC DHCPv4: Log File</name>
+        <patterns>
+            <pattern>ui/diagnostics/log/core/dhcpd/*</pattern>
+            <pattern>api/diagnostics/log/core/dhcpd/*</pattern>
+        </patterns>
+    </page-diagnostics-logs-dhcp>
+    <page-status-dhcpleases>
+        <name>Services: ISC DHCPv4: Leases</name>
+        <patterns>
+            <pattern>ui/dhcpv4/leases</pattern>
+            <pattern>api/dhcpv4/leases/*</pattern>
+        </patterns>
+    </page-status-dhcpleases>
+    <page-services-dhcpserver-editstaticmapping>
+        <name>Services: ISC DHCPv4: Edit</name>
+        <patterns>
+            <pattern>services_dhcp_edit.php*</pattern>
+        </patterns>
+    </page-services-dhcpserver-editstaticmapping>
+    <page-services-dhcpserver>
+        <name>Services: ISC DHCPv4</name>
+        <patterns>
+            <pattern>services_dhcp.php*</pattern>
+        </patterns>
+    </page-services-dhcpserver>
+</acl>
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.xml b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.xml
new file mode 100644
index 0000000000..336effdbc2
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.xml
@@ -0,0 +1,8 @@
+<menu>
+    <Services>
+        <ISC_DHCPv4 VisibleName="ISC DHCPv4 [legacy]" cssClass="fa fa-bullseye fa-fw">
+            <Leases order="300" url="/ui/dhcpv4/leases"/>
+            <LogFile VisibleName="Log File" order="400" url="/ui/diagnostics/log/core/dhcpd"/>
+        </ISC_DHCPv4>
+    </Services>
+</menu>
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv6/ACL/ACL.xml b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv6/ACL/ACL.xml
new file mode 100644
index 0000000000..85aba9a1e4
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv6/ACL/ACL.xml
@@ -0,0 +1,21 @@
+<acl>
+    <page-services-dhcpserverv6-editstaticmapping>
+        <name>Services: ISC DHCPv6: Edit</name>
+        <patterns>
+            <pattern>services_dhcpv6_edit.php*</pattern>
+        </patterns>
+    </page-services-dhcpserverv6-editstaticmapping>
+    <page-services-dhcpv6server>
+        <name>Services: ISC DHCPv6</name>
+        <patterns>
+            <pattern>services_dhcpv6.php*</pattern>
+        </patterns>
+    </page-services-dhcpv6server>
+    <page-status-dhcpv6leases>
+        <name>Status: ISC DHCPv6: Leases</name>
+        <patterns>
+            <pattern>ui/dhcpv6/leases</pattern>
+            <pattern>api/dhcpv6/leases/*</pattern>
+        </patterns>
+    </page-status-dhcpv6leases>
+</acl>
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv6/Menu/Menu.xml b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv6/Menu/Menu.xml
new file mode 100644
index 0000000000..13e0eaa73c
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv6/Menu/Menu.xml
@@ -0,0 +1,7 @@
+<menu>
+    <Services>
+        <ISC_DHCPv6 VisibleName="ISC DHCPv6 [legacy]" cssClass="fa fa-bullseye fa-fw">
+            <Leases order="400" url="/ui/dhcpv6/leases"/>
+        </ISC_DHCPv6>
+    </Services>
+</menu>

From d7fe3b2be92904424e36b33d96493d077cfdd053 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jan 2026 15:10:21 +0100
Subject: [PATCH 2854/3088] isc-dhcp: syslog definitions and shuffling

---
 .../service/templates/OPNsense/Syslog/local/dhcpd.conf      | 6 ++++++
 .../templates/OPNsense/Syslog/sources/005-dhcpd.conf        | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 net/isc-dhcp/src/opnsense/service/templates/OPNsense/Syslog/local/dhcpd.conf
 create mode 100644 net/isc-dhcp/src/opnsense/service/templates/OPNsense/Syslog/sources/005-dhcpd.conf

diff --git a/net/isc-dhcp/src/opnsense/service/templates/OPNsense/Syslog/local/dhcpd.conf b/net/isc-dhcp/src/opnsense/service/templates/OPNsense/Syslog/local/dhcpd.conf
new file mode 100644
index 0000000000..1a6a37b0d8
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/service/templates/OPNsense/Syslog/local/dhcpd.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [dhcpd].
+###################################################################
+filter f_local_dhcpd {
+    facility(local7) or program("dhcpd");
+};
diff --git a/net/isc-dhcp/src/opnsense/service/templates/OPNsense/Syslog/sources/005-dhcpd.conf b/net/isc-dhcp/src/opnsense/service/templates/OPNsense/Syslog/sources/005-dhcpd.conf
new file mode 100644
index 0000000000..b66b33993c
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/service/templates/OPNsense/Syslog/sources/005-dhcpd.conf
@@ -0,0 +1 @@
+    unix-dgram("/var/dhcpd/var/run/log" dir_perm(0755) flags(syslog-protocol));

From 04473b33848cfd10a44c59cf708db781a54e7107 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jan 2026 15:21:24 +0100
Subject: [PATCH 2855/3088] dns/ddclient: copyrights are not for advertising

The email if given is for easy contact.  Don't mind a link drop but
not via LICENSE pollution.
---
 LICENSE                                                       | 2 +-
 .../src/opnsense/scripts/ddclient/lib/account/hetzner.py      | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/LICENSE b/LICENSE
index 87e14c2672..3e2721e30f 100644
--- a/LICENSE
+++ b/LICENSE
@@ -7,7 +7,7 @@ Copyright (c) 2021 Andreas Stuerz
 Copyright (c) 2025 Andy Binder <AndyBinder@gmx.de>
 Copyright (c) 2024 AnShen <root@lshell.com>
 Copyright (c) 2025 Anton Avramov
-Copyright (c) 2025 Arcan Consulting (www.arcan-it.de)
+Copyright (c) 2025 Arcan Consulting
 Copyright (c) 2021 Axelrtgs
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
index 68074597ee..a066269ea5 100644
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
@@ -1,5 +1,5 @@
 """
-    Copyright (c) 2025 Arcan Consulting (www.arcan-it.de)
+    Copyright (c) 2025 Arcan Consulting
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -23,7 +23,7 @@
     ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     POSSIBILITY OF SUCH DAMAGE.
 
-    Hetzner DNS providers for OPNsense DynDNS
+    Hetzner DNS providers for OPNsense DynDNS via www.arcan-it.de
 
     Supports both APIs:
     - Hetzner DNS (api.hetzner.cloud) - new Cloud API for migrated zones

From eafb46d82b5648463ed899bec9cbea146d525717 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 14 Jan 2026 16:32:11 +0100
Subject: [PATCH 2856/3088] net/isc-dhcp: bump version for clarity

---
 net/isc-dhcp/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/isc-dhcp/Makefile b/net/isc-dhcp/Makefile
index d89716ef0a..e35fb84491 100644
--- a/net/isc-dhcp/Makefile
+++ b/net/isc-dhcp/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		isc-dhcp
-PLUGIN_VERSION=		0.1
+PLUGIN_VERSION=		0.2
 PLUGIN_COMMENT=		ISC DHCPv4/v6 server
 PLUGIN_DEPENDS=		isc-dhcp44-server
 PLUGIN_MAINTAINER=	franco@opnsense.org

From b7cf2c098a8228c79b46bbd0c480155c0d844d86 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 15 Jan 2026 16:23:10 +0100
Subject: [PATCH 2857/3088] net-mgmt/telegraf: bump version (forgotten
 previously)

---
 net-mgmt/telegraf/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/telegraf/Makefile b/net-mgmt/telegraf/Makefile
index e16239dfc2..8217de4b1c 100644
--- a/net-mgmt/telegraf/Makefile
+++ b/net-mgmt/telegraf/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		telegraf
-PLUGIN_VERSION=		1.12.13
+PLUGIN_VERSION=		1.12.14
 PLUGIN_COMMENT=		Agent for collecting metrics and data
 PLUGIN_DEPENDS=		telegraf
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From c3e099c5ae34a6746b4521b1fdcacb402e76cd9b Mon Sep 17 00:00:00 2001
From: Thomas Moore <tmoore@tomhursta.com>
Date: Thu, 15 Jan 2026 14:26:26 -0500
Subject: [PATCH 2858/3088] Added support for Hurricane Electic DDNS in acme
 client plugin.

---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsHeDdns.php     | 44 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 58 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHeDdns.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 5773c1c0f9..b6f7935350 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -683,6 +683,16 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Hurricane Electric DDNS</label>
+        <type>header</type>
+        <style>table_dns table_dns_he_ddns</style>
+    </field>
+    <field>
+        <id>validation.dns_he_ddns_key</id>
+        <label>Key</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Infoblox</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHeDdns.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHeDdns.php
new file mode 100644
index 0000000000..7144227e7b
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsHeDdns.php
@@ -0,0 +1,44 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Thomas Moore
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * HE DDNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsHeDdns extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['HE_DDNS_KEY'] = (string)$this->config->dns_he_ddns_key;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index d552f3d0b6..6af378b400 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -473,6 +473,7 @@
                         <dns_hexonet>hexonet.com</dns_hexonet>
                         <dns_hostingde>hosting.de</dns_hostingde>
                         <dns_he>Hurricane Electric</dns_he>
+                        <dns_he_ddns>Hurricane Electric DDNS</dns_he_ddns>
                         <dns_infoblox>Infoblox</dns_infoblox>
                         <dns_infomaniak>Infomaniak</dns_infomaniak>
                         <dns_internetbs>internetbs.net</dns_internetbs>
@@ -746,6 +747,9 @@
                 <dns_he_password type="TextField">
                     <Required>N</Required>
                 </dns_he_password>
+                <dns_he_ddns_key type="TextField">
+                    <Required>N</Required>
+                </dns_he_ddns_key>
                 <dns_infoblox_credentials type="TextField">
                     <Required>N</Required>
                 </dns_infoblox_credentials>

From 10e42b15e03386e854fef0f430baa6d7e2c4cbd8 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 16 Jan 2026 21:21:23 +0100
Subject: [PATCH 2859/3088] net/ndp-proxy-go: Fix carp_depend_on condition in
 template (#5141)

---
 net/ndp-proxy-go/Makefile                                       | 1 +
 .../opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
index 8c95b55dd7..7075e62a01 100644
--- a/net/ndp-proxy-go/Makefile
+++ b/net/ndp-proxy-go/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ndp-proxy-go
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION= 	1
 PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol (NDP) Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 PLUGIN_DEPENDS=		ndp-proxy-go
diff --git a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
index 61b7c01f2b..83d2d4002a 100644
--- a/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
+++ b/net/ndp-proxy-go/src/opnsense/service/templates/OPNsense/NdpProxy/ndp_proxy_go
@@ -2,7 +2,7 @@
 {% set general = helpers.getNodeByTag('OPNsense.ndpproxy.general') %}
 {% if general.enabled|default("0") == "1" and general.upstream and general.downstream %}
 ndp_proxy_go_enable="YES"
-{%     if general.carp_depend_on %}
+{%     if general.carp_depend_on|default("0") == "1" %}
 ndp_proxy_go_check_carp="YES"
 {%     endif %}
 ndp_proxy_go_upstream="{{ helpers.physical_interface(general.upstream) }}"

From fe467364cb881bc18478442f0e8976ab6cf4d74d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:17:06 +0100
Subject: [PATCH 2860/3088] dns/ddclient: wrap up new version

---
 dns/ddclient/Makefile                         |  2 +-
 dns/ddclient/pkg-descr                        | 10 +++-
 .../scripts/ddclient/lib/account/dnspod_cn.py | 52 +++++++++----------
 .../scripts/ddclient/lib/account/hetzner.py   |  0
 4 files changed, 35 insertions(+), 29 deletions(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index cd453e19cf..f947225d0c 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.28
+PLUGIN_VERSION=		1.29
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index f5f2d1aceb..7ead5a14f1 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -1,11 +1,17 @@
+This plugin offers dynamic DNS capabilities using a native backend
+or ddclient.  The native backend is the default implementation.
 ddclient is a Perl client used to update dynamic DNS entries for
 accounts on many dynamic DNS services.
 
-WWW: https://github.com/ddclient/ddclient
-
 Plugin Changelog
 ================
 
+1.29
+
+* Add native backend support for Hetzner DNS (contributed by Michael J. Arcan)
+* Add native backend support for dnspod.cn (contributed by Ansen)
+* Add Cloudflare DNS IP check option (contributed by GTechAlpha)
+
 1.28
 
 * Add native backend support for PowerDNS API (contributed by Oliver Traber)
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py
old mode 100644
new mode 100755
index e95ffbe5d6..cb4631fcc0
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/dnspod_cn.py
@@ -61,11 +61,11 @@ def match(account):
     def _sign(key, msg):
         """
         Generate HMAC-SHA256 signature.
-        
+
         Args:
             key (bytes): Signing key
             msg (str): Message to sign
-        
+
         Returns:
             bytes: Signature digest
         """
@@ -74,21 +74,21 @@ def _sign(key, msg):
     def generate_signature(self, action, payload="{}"):
         """
         Generate signature and headers for a Tencent Cloud API request.
-        
+
         Args:
             action (str): API action name
             payload (str or dict, optional): Request payload. Defaults to "{}".
-        
+
         Returns:
             tuple: Request headers and canonical request
         """
         # Ensure payload is a string
         payload = json.dumps(payload) if isinstance(payload, dict) else payload
-        
+
         # Get current timestamp
         timestamp = int(time.time())
         date = datetime.utcfromtimestamp(timestamp).strftime("%Y-%m-%d")
-        
+
         # Step 1: Create Canonical Request
         http_request_method = "POST"
         canonical_uri = "/"
@@ -97,7 +97,7 @@ def generate_signature(self, action, payload="{}"):
         canonical_headers = f"content-type:{ct}\nhost:{self._services[self.settings.get('service')]}\nx-tc-action:{action.lower()}\n"
         signed_headers = "content-type;host;x-tc-action"
         hashed_request_payload = hashlib.sha256(payload.encode("utf-8")).hexdigest()
-        
+
         canonical_request = (
             f"{http_request_method}\n"
             f"{canonical_uri}\n"
@@ -106,25 +106,25 @@ def generate_signature(self, action, payload="{}"):
             f"{signed_headers}\n"
             f"{hashed_request_payload}"
         )
-        
+
         # Step 2: Create String to Sign
         algorithm = "TC3-HMAC-SHA256"
         credential_scope = f"{date}/{self.service}/tc3_request"
         hashed_canonical_request = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
-        
+
         string_to_sign = (
             f"{algorithm}\n"
             f"{timestamp}\n"
             f"{credential_scope}\n"
             f"{hashed_canonical_request}"
         )
-        
+
         # Step 3: Calculate Signature
         secret_date = self._sign(("TC3" + self.settings.get('password')).encode("utf-8"), date)
         secret_service = self._sign(secret_date, self.service)
         secret_signing = self._sign(secret_service, "tc3_request")
         signature = hmac.new(secret_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
-        
+
         # Step 4: Create Authorization Header
         authorization = (
             f"{algorithm} "
@@ -132,7 +132,7 @@ def generate_signature(self, action, payload="{}"):
             f"SignedHeaders={signed_headers}, "
             f"Signature={signature}"
         )
-        
+
         # Prepare headers
         headers = {
             "Authorization": authorization,
@@ -143,53 +143,53 @@ def generate_signature(self, action, payload="{}"):
             "X-TC-Version": "2021-03-23",
             'User-Agent': 'OPNsense-dyndns',
         }
-        
+
         return headers, payload
 
     def send_request(self, action, payload="{}", region="", token=""):
         """
         Send a request to the Tencent Cloud API.
-        
+
         Args:
             action (str): API action name
             payload (str or dict, optional): Request payload. Defaults to "{}".
             region (str, optional): Optional region parameter
             token (str, optional): Optional token parameter
-        
+
         Returns:
             dict: API response JSON
         """
         # Get headers and prepared payload
         headers, payload = self.generate_signature(action, payload)
-        
+
         # Add optional headers
         if region:
             headers["X-TC-Region"] = region
         if token:
             headers["X-TC-Token"] = token
-        
+
         try:
             # Send request using requests library
             response = requests.post(
-                url=f"https://{self._services[self.settings.get('service')]}", 
-                headers=headers, 
+                url=f"https://{self._services[self.settings.get('service')]}",
+                headers=headers,
                 data=payload,
                 timeout=10
             )
-            
+
             # Raise an exception for bad responses
             response.raise_for_status()
-            
+
             # Return JSON response
             return response
-        
+
         except requests.RequestException as err:
             print(f"Request error: {err}")
-            
+
             # If there's a response, print its content for debugging
             if hasattr(err, 'response') and err.response is not None:
                 print(f"Response content: {err.response.text}")
-            
+
             return None
 
 
@@ -205,7 +205,7 @@ def execute(self):
                     subdomains.append('@')
                 else:
                     subdomains.append(_subdomain.replace(f".{self.settings.get('zone')}", ''))
-            
+
             if len(subdomains) < 1:
                 syslog.syslog(
                         syslog.LOG_ERR,
@@ -277,7 +277,7 @@ def execute(self):
                     "Account %s failed to set new ip %s [%s]" % (self.description, self.current_address, response.text)
                 )
                 return False
-            
+
             record_list = payload['Response']['DetailList'][0].get('RecordList', False)
             if record_list and len(record_list) == len(subdomains):
                 syslog.syslog(
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
old mode 100644
new mode 100755

From 5a7b8b93cf1bbe84083a097d62e3a0238cad79d1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:24:07 +0100
Subject: [PATCH 2861/3088] mail/postfix: make a minor release and model style

---
 mail/postfix/Makefile                         |  2 +-
 mail/postfix/pkg-descr                        |  4 ++
 .../app/models/OPNsense/Postfix/Domain.xml    | 27 ++++++-------
 .../app/models/OPNsense/Postfix/General.xml   | 38 +++----------------
 .../app/models/OPNsense/Postfix/Recipient.xml | 30 +++++++--------
 .../app/models/OPNsense/Postfix/Sender.xml    | 30 +++++++--------
 6 files changed, 53 insertions(+), 78 deletions(-)

diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile
index 5feb4c74f5..ca319ebf68 100644
--- a/mail/postfix/Makefile
+++ b/mail/postfix/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		postfix
-PLUGIN_VERSION=		1.24
+PLUGIN_VERSION=		1.24.1
 PLUGIN_COMMENT=		SMTP mail relay
 PLUGIN_DEPENDS=		postfix
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/mail/postfix/pkg-descr b/mail/postfix/pkg-descr
index f9756bc691..77caa08879 100644
--- a/mail/postfix/pkg-descr
+++ b/mail/postfix/pkg-descr
@@ -6,6 +6,10 @@ is completely different.
 Plugin Changelog
 ================
 
+1.24.1
+
+* Align mailbox and message size
+
 1.24
 
 * Disable broken, insecure, legacy NTLM authentication (contributed by Alfred Egger)
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Domain.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Domain.xml
index a4af4ed775..a4b9f5c2fd 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Domain.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Domain.xml
@@ -4,21 +4,18 @@
     <version>1.0.1</version>
     <items>
         <domains>
-                <domain type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <domainname type="TextField">
-                                <Default></Default>
-                                <Required>Y</Required>
-                        </domainname>
-                        <destination type="TextField">
-                                <Default></Default>
-                                <Required>N</Required>
-                                <Mask>/^([0-9a-zA-Z.:\-\[\]]){1,64}$/u</Mask>
-                                <ValidationMessage>Only 64 of the following characters are allowed: 0-9a-zA-Z.:-[]</ValidationMessage>
-                        </destination>
+            <domain type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <domainname type="TextField">
+                    <Required>Y</Required>
+                </domainname>
+                <destination type="TextField">
+                    <Mask>/^([0-9a-zA-Z.:\-\[\]]){1,64}$/u</Mask>
+                    <ValidationMessage>Only 64 of the following characters are allowed: 0-9a-zA-Z.:-[]</ValidationMessage>
+                </destination>
             </domain>
         </domains>
     </items>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index a78a6b5b8f..ddc1928f9d 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -7,18 +7,9 @@
             <Default>0</Default>
             <Required>Y</Required>
         </enabled>
-        <myhostname type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </myhostname>
-        <mydomain type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </mydomain>
-        <myorigin type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </myorigin>
+        <myhostname type="TextField"/>
+        <mydomain type="TextField"/>
+        <myorigin type="TextField"/>
         <inet_interfaces type="TextField">
             <Default>all</Default>
             <Required>Y</Required>
@@ -37,27 +28,21 @@
             </OptionValues>
         </ip_version>
         <bind_address type="NetworkField">
-            <Required>N</Required>
             <AddressFamily>ipv4</AddressFamily>
         </bind_address>
         <bind_address6 type="NetworkField">
-            <Required>N</Required>
             <AddressFamily>ipv6</AddressFamily>
         </bind_address6>
         <mynetworks type="CSVListField">
             <Default>127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128</Default>
             <Required>Y</Required>
         </mynetworks>
-        <banner type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </banner>
+        <banner type="TextField"/>
         <message_size_limit type="IntegerField">
             <Default>51200000</Default>
             <Required>Y</Required>
         </message_size_limit>
         <masquerade_domains type="CSVListField">
-            <Required>N</Required>
             <Mask>/^([0-9a-z\.\-\_]{1,128})(,[0-9a-z\.\-\_]{1,128})*$/ui</Mask>
             <ValidationMessage>Only up to 128 of the following characters are allowed: 0-9a-zA-Z.-_</ValidationMessage>
         </masquerade_domains>
@@ -85,11 +70,9 @@
         </tlswrappermode>
         <certificate type="CertificateField">
             <Type>cert</Type>
-            <Required>N</Required>
         </certificate>
         <ca type="CertificateField">
             <Type>ca</Type>
-            <Required>N</Required>
         </ca>
         <smtpclient_security type="OptionField">
             <Default>may</Default>
@@ -102,7 +85,6 @@
             </OptionValues>
         </smtpclient_security>
         <relayhost type="TextField">
-            <Required>N</Required>
             <Mask>/^([0-9a-zA-Z.:\-\[\]]){1,64}$/u</Mask>
             <ValidationMessage>Only 64 of the following characters are allowed: 0-9a-zA-Z.:-[]</ValidationMessage>
         </relayhost>
@@ -110,14 +92,8 @@
             <Default>0</Default>
             <Required>Y</Required>
         </smtpauth_enabled>
-        <smtpauth_user type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </smtpauth_user>
-        <smtpauth_password type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </smtpauth_password>
+        <smtpauth_user type="TextField"/>
+        <smtpauth_password type="TextField"/>
         <enforce_recipient_check type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -187,8 +163,6 @@
             <Required>Y</Required>
         </reject_unverified_recipient>
         <delay_warning_time type="IntegerField">
-            <Default>0</Default>
-            <Required>N</Required>
             <MinimumValue>0</MinimumValue>
             <MaximumValue>24</MaximumValue>
             <ValidationMessage>Choose a value between 1 and 24 to activate - 0 or empty to disable.</ValidationMessage>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipient.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipient.xml
index 5782e4a535..e90726dea8 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipient.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Recipient.xml
@@ -4,21 +4,21 @@
     <version>1.0.0</version>
     <items>
         <recipients>
-                <recipient type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <address type="TextField">
-                                <Required>Y</Required>
-                        </address>
-                        <action type="OptionField">
-                                <Required>Y</Required>
-                                <OptionValues>
-                                    <OK>OK</OK>
-                                    <REJECT>REJECT</REJECT>
-                                </OptionValues>
-                        </action>
+            <recipient type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <address type="TextField">
+                    <Required>Y</Required>
+                </address>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <OK>OK</OK>
+                        <REJECT>REJECT</REJECT>
+                    </OptionValues>
+                </action>
             </recipient>
         </recipients>
     </items>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sender.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sender.xml
index 6408af54d1..d293eeaf72 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sender.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/Sender.xml
@@ -4,21 +4,21 @@
     <version>1.0.0</version>
     <items>
         <senders>
-                <sender type="ArrayField">
-                        <enabled type="BooleanField">
-                                <Default>1</Default>
-                                <Required>Y</Required>
-                        </enabled>
-                        <address type="TextField">
-                                <Required>Y</Required>
-                        </address>
-                        <action type="OptionField">
-                                <Required>Y</Required>
-                                <OptionValues>
-                                    <OK>OK</OK>
-                                    <REJECT>REJECT</REJECT>
-                                </OptionValues>
-                        </action>
+            <sender type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <address type="TextField">
+                    <Required>Y</Required>
+                </address>
+                <action type="OptionField">
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <OK>OK</OK>
+                        <REJECT>REJECT</REJECT>
+                    </OptionValues>
+                </action>
             </sender>
         </senders>
     </items>

From 5df21765b315e19f3e2736f543ddc3e1f47a0fa4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:25:11 +0100
Subject: [PATCH 2862/3088] net/frr: style issue

---
 net/frr/src/etc/rc.syshook.d/start/50-frr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/etc/rc.syshook.d/start/50-frr b/net/frr/src/etc/rc.syshook.d/start/50-frr
index dd4254a89b..b3388a3791 100755
--- a/net/frr/src/etc/rc.syshook.d/start/50-frr
+++ b/net/frr/src/etc/rc.syshook.d/start/50-frr
@@ -34,4 +34,4 @@ require_once('plugins.inc.d/frr.inc');
 
 if (frr_enabled()) {
     shell_exec('/usr/local/opnsense/scripts/frr/carp_event_handler');
-}
\ No newline at end of file
+}

From 6f0735b1be6b7c247b916da7c1fd5cbcf05d1f50 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:26:06 +0100
Subject: [PATCH 2863/3088] net/ndp-proxy-go: whitespace

---
 net/ndp-proxy-go/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ndp-proxy-go/Makefile b/net/ndp-proxy-go/Makefile
index 7075e62a01..886c424755 100644
--- a/net/ndp-proxy-go/Makefile
+++ b/net/ndp-proxy-go/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ndp-proxy-go
 PLUGIN_VERSION=		1.3
-PLUGIN_REVISION= 	1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		IPv6 Neighbor Discovery Protocol (NDP) Proxy
 PLUGIN_MAINTAINER=	cedrik@pischem.com
 PLUGIN_DEPENDS=		ndp-proxy-go

From bf34600cfea893c4f7089d1d7a84b3cdb5236e44 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:29:08 +0100
Subject: [PATCH 2864/3088] net-mgmt/collectd: basic model style

---
 .../app/models/OPNsense/Collectd/General.xml  | 38 ++++++-------------
 1 file changed, 11 insertions(+), 27 deletions(-)

diff --git a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
index 35ca8d0b2b..3daf6ef045 100644
--- a/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
+++ b/net-mgmt/collectd/src/opnsense/mvc/app/models/OPNsense/Collectd/General.xml
@@ -8,9 +8,7 @@
             <Required>Y</Required>
         </enabled>
         <hostname type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-	    <Mask>/^.{1,64}$/u</Mask>
+            <Mask>/^.{1,64}$/u</Mask>
         </hostname>
         <fqdnlookup type="BooleanField">
             <Default>1</Default>
@@ -25,29 +23,21 @@
             <Required>N</Required>
         </p_network_enable>
         <p_network_host type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-	    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
-	    <Mask>/^([0-9a-zA-Z\-\.]){1,1024}$/u</Mask>
+            <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+            <Mask>/^([0-9a-zA-Z\-\.]){1,1024}$/u</Mask>
         </p_network_host>
         <p_network_port type="IntegerField">
-            <Default></Default>
-            <Required>N</Required>
-	    <MinimumValue>1</MinimumValue>
-	    <MaximumValue>65535</MaximumValue>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>65535</MaximumValue>
         </p_network_port>
         <p_network_username type="TextField">
-            <Default></Default>
-            <Required>N</Required>
             <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
         </p_network_username>
-            <p_network_password type="TextField">
-                <Default></Default>
-            <Required>N</Required>
+        <p_network_password type="TextField">
             <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){1,128}$/u</Mask>
         </p_network_password>
-            <p_network_encryption type="BooleanField">
-                <Default>0</Default>
+        <p_network_encryption type="BooleanField">
+            <Default>0</Default>
             <Required>N</Required>
         </p_network_encryption>
         <p_graphite_enable type="BooleanField">
@@ -55,19 +45,13 @@
             <Required>N</Required>
         </p_graphite_enable>
         <p_graphite_node type="TextField">
-            <Default></Default>
-            <Required>N</Required>
         </p_graphite_node>
         <p_graphite_host type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-	    <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
+            <Mask>/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/</Mask>
         </p_graphite_host>
         <p_graphite_port type="IntegerField">
-            <Default></Default>
-            <Required>N</Required>
-	    <MinimumValue>1</MinimumValue>
-	    <MaximumValue>65535</MaximumValue>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>65535</MaximumValue>
         </p_graphite_port>
         <p_graphite_prefix type="TextField">
             <Default>collectd</Default>

From cf6f0179702cb5b38bbabf2d519a5d84da6d0f7d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:32:20 +0100
Subject: [PATCH 2865/3088] net-mgmt/telegraf: basic model style

---
 .../app/models/OPNsense/Telegraf/General.xml  | 13 ++--
 .../app/models/OPNsense/Telegraf/Input.xml    | 10 +--
 .../mvc/app/models/OPNsense/Telegraf/Key.xml  |  4 --
 .../app/models/OPNsense/Telegraf/Output.xml   | 70 ++++---------------
 4 files changed, 20 insertions(+), 77 deletions(-)

diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
index f3ef2714ce..4445033e53 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/General.xml
@@ -37,16 +37,13 @@
         </flush_interval>
         <flush_jitter type="IntegerField">
             <Default>0</Default>
-	        <Required>Y</Required>
-	    </flush_jitter>
-        <hostname type="TextField">
-            <Default></Default>
-	        <Required>N</Required>
-	    </hostname>
+            <Required>Y</Required>
+        </flush_jitter>
+        <hostname type="TextField"/>
         <omit_hostname type="BooleanField">
             <Default>0</Default>
-	        <Required>Y</Required>
-	    </omit_hostname>
+            <Required>Y</Required>
+        </omit_hostname>
         <quiet type="BooleanField">
             <Default>1</Default>
             <Required>Y</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
index 773ce46b0b..57b2ebd9ed 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Input.xml
@@ -23,14 +23,8 @@
             <Default>1</Default>
             <Required>N</Required>
         </disk>
-        <disk_mount_points type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </disk_mount_points>
-        <disk_ignore_fs type="CSVListField">
-            <Default></Default>
-            <Required>N</Required>
-        </disk_ignore_fs>
+        <disk_mount_points type="TextField"/>
+        <disk_ignore_fs type="CSVListField"/>
         <diskio type="BooleanField">
             <Default>1</Default>
             <Required>N</Required>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Key.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Key.xml
index c49ccdb334..20f722b081 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Key.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Key.xml
@@ -10,14 +10,10 @@
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
                     <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
                     <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
                 </name>
                 <value type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
                     <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
                     <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
                 </value>
diff --git a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
index 199dbd6630..8c38289573 100644
--- a/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
+++ b/net-mgmt/telegraf/src/opnsense/mvc/app/models/OPNsense/Telegraf/Output.xml
@@ -7,27 +7,15 @@
             <Default>0</Default>
             <Required>N</Required>
         </influx_enable>
-        <influx_url type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </influx_url>
-        <influx_database type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </influx_database>
+        <influx_url type="TextField"/>
+        <influx_database type="TextField"/>
         <influx_timeout type="IntegerField">
             <Default>5</Default>
             <Required>N</Required>
         </influx_timeout>
         <influx_name_prefix type="TextField"/>
-        <influx_username type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </influx_username>
-        <influx_password type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </influx_password>
+        <influx_username type="TextField"/>
+        <influx_password type="TextField"/>
         <influx_insecure_skip_verify type="BooleanField">
             <Default>0</Default>
             <Required>N</Required>
@@ -104,22 +92,10 @@
             <Default>0</Default>
             <Required>N</Required>
         </influx_v2_enable>
-        <influx_v2_url type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </influx_v2_url>
-        <influx_v2_token type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </influx_v2_token>
-        <influx_v2_organization type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </influx_v2_organization>
-        <influx_v2_bucket type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </influx_v2_bucket>
+        <influx_v2_url type="TextField"/>
+        <influx_v2_token type="TextField"/>
+        <influx_v2_organization type="TextField"/>
+        <influx_v2_bucket type="TextField"/>
         <influx_v2_insecure_skip_verify type="BooleanField">
             <Default>0</Default>
             <Required>N</Required>
@@ -132,27 +108,17 @@
             <Default>0</Default>
             <Required>N</Required>
         </datadog_enable>
-        <datadog_url type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </datadog_url>
-        <datadog_apikey type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </datadog_apikey>
+        <datadog_url type="TextField"/>
+        <datadog_apikey type="TextField"/>
         <mqtt_enable type="BooleanField">
             <Default>0</Default>
             <Required>N</Required>
         </mqtt_enable>
         <mqtt_topic_prefix type="TextField">
-            <Default></Default>
-            <Required>N</Required>
             <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen are allowed. Do not use more than 128 characters.</ValidationMessage>
         </mqtt_topic_prefix>
         <mqtt_topic type="TextField">
-            <Default></Default>
-            <Required>N</Required>
             <Mask>/^([0-9a-zA-Z._\-\/{}]){1,200}$/u</Mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore, hyphen, slash and curly braces are allowed. Do not use more than 200 characters.</ValidationMessage>
         </mqtt_topic>
@@ -166,8 +132,6 @@
             <Required>N</Required>
         </mqtt_insecure_skip_verify>
         <mqtt_client_id type="TextField">
-            <Default></Default>
-            <Required>N</Required>
             <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
         </mqtt_client_id>
@@ -180,31 +144,23 @@
                 <qos2 value="2">(2) Exactly once</qos2>
             </OptionValues>
         </mqtt_qos>
-        <mqtt_retain type="BooleanField">
-            <Default></Default>
-            <Required>N</Required>
-        </mqtt_retain>
+        <mqtt_retain type="BooleanField"/>
         <mqtt_timeout type="IntegerField">
             <Default>5</Default>
             <Required>N</Required>
         </mqtt_timeout>
         <mqtt_username type="TextField">
-            <Default></Default>
-            <Required>N</Required>
             <Mask>/^([0-9a-zA-Z._\-]){1,128}$/u</Mask>
             <ValidationMessage>Only characters, numbers, a dot, underscore and hyphen allowed. Do not use more than 128 characters.</ValidationMessage>
         </mqtt_username>
-        <mqtt_password type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </mqtt_password>
+        <mqtt_password type="TextField"/>
         <mqtt_layout type="OptionField">
             <Default>non-batch</Default>
             <Required>Y</Required>
             <OptionValues>
                 <non-batch>(non-batch) send individual messages, one for each metric</non-batch>
                 <batch>(batch) send all metric as a single message per MQTT topic</batch>
-                <field >(field) send individual messages for each field</field>
+                <field>(field) send individual messages for each field</field>
             </OptionValues>
         </mqtt_layout>
         <mqtt_data_format type="OptionField">

From 923bd52a944e55d811980c68857acca73c5cfe02 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:32:54 +0100
Subject: [PATCH 2866/3088] security/q-feeds-connector: plugin style

---
 security/q-feeds-connector/pkg-descr                            | 2 +-
 .../src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py  | 2 --
 .../src/opnsense/scripts/qfeeds/lib/__init__.py                 | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)
 mode change 100644 => 100755 security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 02c1a8ae85..6c9ff4ae29 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -8,7 +8,7 @@ Plugin Changelog
 
 1.3
 
-* Widget: Added license info 
+* Widget: Added license info
 * Events: added source and destination port
 
 1.3
diff --git a/security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py
old mode 100644
new mode 100755
index ab04f81924..b5f77a328b
--- a/security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/dnscryptproxy/blocklists/qfeeds_bl.py
@@ -88,5 +88,3 @@ def is_qf_selected():
 	# DNSCrypt-proxy is installed but 'qf' is not selected - remove the file if it exists
 	if os.path.exists(qfeeds_blacklist_file):
 		os.remove(qfeeds_blacklist_file)
-
-
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
index 87ba013dc4..f661bbfd39 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
@@ -129,7 +129,7 @@ def dnscryptproxy_load(self):
             subprocess.run([script_path], capture_output=True, text=True)
             # Trigger dnscrypt-proxy DNSBL update to merge blacklist-qfeeds.txt
             # Only if DNSCrypt-proxy is installed (directory exists)
-            result = subprocess.run(['/usr/local/sbin/configctl', 'dnscryptproxy', 'dnsbl'], 
+            result = subprocess.run(['/usr/local/sbin/configctl', 'dnscryptproxy', 'dnsbl'],
                                   capture_output=True, text=True)
             if result.returncode == 0:
                 yield 'update dnscrypt-proxy blocklist'

From d2c5b7acc2f3738bebedc2510690d3bdb0ff736a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:34:04 +0100
Subject: [PATCH 2867/3088] net/freeradius: basic model style

---
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 6a18117fe2..532fe86a3c 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -39,11 +39,11 @@
             <Required>N</Required>
         </certificate>
         <enable_pwd type="BooleanField">
-            <default>0</default>
+            <Default>0</Default>
             <Required>Y</Required>
         </enable_pwd>
         <pwd_serverid type="TextField">
-            <default>theserver@example.com</default>
+            <Default>theserver@example.com</Default>
             <Required>Y</Required>
         </pwd_serverid>
         <crl type="CertificateField">

From 783ebec7ec2d5e35cd07be474184b527a29d0d1f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:40:49 +0100
Subject: [PATCH 2868/3088] net/siproxd: model style

Scrapped defaults for networks since they are not used.  The DO
look useful so I'm making this note if somebody misses them the
fields probably need a Required=Y flip but here I just enforce
what is actually happening in the model and the fact that nobody
complained about it.
---
 .../app/models/OPNsense/Siproxd/Domain.xml    |   2 -
 .../app/models/OPNsense/Siproxd/General.xml   | 102 ++++--------------
 .../mvc/app/models/OPNsense/Siproxd/User.xml  |   2 -
 3 files changed, 21 insertions(+), 85 deletions(-)

diff --git a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/Domain.xml b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/Domain.xml
index d2cf4bb516..8bf8be94b3 100644
--- a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/Domain.xml
+++ b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/Domain.xml
@@ -10,11 +10,9 @@
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                 </name>
                 <host type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                 </host>
                 <port type="IntegerField">
diff --git a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/General.xml b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/General.xml
index 0154ec3bf8..2983cf6aa4 100644
--- a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/General.xml
+++ b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/General.xml
@@ -8,43 +8,29 @@
             <Required>Y</Required>
         </enabled>
         <if_inbound type="InterfaceField">
-            <Default></Default>
             <Required>Y</Required>
         </if_inbound>
         <if_outbound type="InterfaceField">
-            <Default></Default>
             <Required>Y</Required>
         </if_outbound>
-        <host_outbound type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </host_outbound>
+        <host_outbound type="TextField"/>
         <hosts_allow_reg type="NetworkField">
-            <Default></Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
-            <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
         </hosts_allow_reg>
         <hosts_allow_sip type="NetworkField">
-            <Default></Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
-            <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
         </hosts_allow_sip>
         <hosts_deny_sip type="NetworkField">
-            <Default></Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
-            <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
         </hosts_deny_sip>
         <sip_listen_port type="IntegerField">
             <Default>5060</Default>
             <Required>Y</Required>
-	    <MinimumValue>1</MinimumValue>
-	    <MaximumValue>65535</MaximumValue>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>65535</MaximumValue>
         </sip_listen_port>
         <rtp_port_low type="IntegerField">
             <Default>7070</Default>
@@ -88,10 +74,7 @@
             <MinimumValue>0</MinimumValue>
             <MaximumValue>5000</MaximumValue>
         </rtp_output_dejitter>
-        <proxy_auth_enable type="BooleanField">
-            <Default>0</Default>
-            <Required>N</Required>
-        </proxy_auth_enable>
+        <proxy_auth_enable type="BooleanField"/>
         <tcp_timeout type="IntegerField">
             <Default>600</Default>
             <Required>Y</Required>
@@ -110,81 +93,38 @@
             <MinimumValue>0</MinimumValue>
             <MaximumValue>10000</MaximumValue>
         </tcp_keepalive>
-        <ua_string type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </ua_string>
+        <ua_string type="TextField"/>
         <use_rport type="OptionField">
             <Default>Option1</Default>
-            <Multiple>N</Multiple>
             <Required>Y</Required>
-                <OptionValues>
-                    <Option1 value="0">Do not add ;rport to via header (0)</Option1>
-                    <Option2 value="1">Add ;rport to INCOMING via header (1)</Option2>
-                    <Option3 value="2">Add ;rport to OUTGOING via header (2)</Option3>
-                    <Option4 value="3">Add ;rport to OUTGOING and INCOMING via headers (3)</Option4>
-                </OptionValues>
+            <OptionValues>
+                <Option1 value="0">Do not add ;rport to via header (0)</Option1>
+                <Option2 value="1">Add ;rport to INCOMING via header (1)</Option2>
+                <Option3 value="2">Add ;rport to OUTGOING via header (2)</Option3>
+                <Option4 value="3">Add ;rport to OUTGOING and INCOMING via headers (3)</Option4>
+            </OptionValues>
         </use_rport>
-        <plugin_defaulttarget_enable type="BooleanField">
-            <Default>0</Default>
-            <Required>N</Required>
-        </plugin_defaulttarget_enable>
-        <plugin_defaulttarget_log type="BooleanField">
-            <Default>0</Default>
-            <Required>N</Required>
-        </plugin_defaulttarget_log>
-        <plugin_defaulttarget_target type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </plugin_defaulttarget_target>
-        <plugin_fix_bogus_via_enable type="BooleanField">
-            <Default>1</Default>
-            <Required>N</Required>
-        </plugin_fix_bogus_via_enable>
+        <plugin_defaulttarget_enable type="BooleanField"/>
+        <plugin_defaulttarget_log type="BooleanField"/>
+        <plugin_defaulttarget_target type="TextField"/>
+        <plugin_fix_bogus_via_enable type="BooleanField"/>
         <plugin_fix_bogus_via_networks type="NetworkField">
-            <Default>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16</Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
-            <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
         </plugin_fix_bogus_via_networks>
-        <plugin_fix_DTAG_enable type="BooleanField">
-            <Default>1</Default>
-            <Required>N</Required>
-        </plugin_fix_DTAG_enable>
+        <plugin_fix_DTAG_enable type="BooleanField"/>
         <plugin_fix_DTAG_networks type="NetworkField">
-            <Default>217.0.23.100/32</Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
-            <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
         </plugin_fix_DTAG_networks>
-        <plugin_fbox_anoncall_enable type="BooleanField">
-            <Default>1</Default>
-            <Required>N</Required>
-        </plugin_fbox_anoncall_enable>
+        <plugin_fbox_anoncall_enable type="BooleanField"/>
         <plugin_fbox_anoncall_networks type="NetworkField">
-            <Default>10.0.0.0/8,172.16.0.0/12,192.168.0.0/16</Default>
             <WildcardEnabled>N</WildcardEnabled>
             <NetMaskRequired>Y</NetMaskRequired>
-            <FieldSeparator>,</FieldSeparator>
-            <Required>N</Required>
         </plugin_fbox_anoncall_networks>
-        <plugin_stun_server_enable type="BooleanField">
-            <Default>0</Default>
-            <Required>N</Required>
-        </plugin_stun_server_enable>
-        <plugin_stun_server_host type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </plugin_stun_server_host>
-        <plugin_stun_server_port type="IntegerField">
-            <Default></Default>
-            <Required>N</Required>
-        </plugin_stun_server_port>
-        <plugin_stun_server_period type="IntegerField">
-            <Default></Default>
-            <Required>N</Required>
-        </plugin_stun_server_period>
+        <plugin_stun_server_enable type="BooleanField"/>
+        <plugin_stun_server_host type="TextField"/>
+        <plugin_stun_server_port type="IntegerField"/>
+        <plugin_stun_server_period type="IntegerField"/>
     </items>
 </model>
diff --git a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
index 6c4d1c4df9..05302306c1 100644
--- a/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
+++ b/net/siproxd/src/opnsense/mvc/app/models/OPNsense/Siproxd/User.xml
@@ -10,12 +10,10 @@
                     <Required>Y</Required>
                 </enabled>
                 <username type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z._\-\+\@]){1,128}$/u</Mask>
                 </username>
                 <password type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                     <Mask>/^([0-9a-zA-Z._\-\!\$\%\/\(\)\+\#\=]){1,128}$/u</Mask>
                 </password>

From 4bb1b60ced3867fb662a72bd3fff608c967429f5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:44:35 +0100
Subject: [PATCH 2869/3088] net/udpbroadcastrelay: basic model style

---
 .../UDPBroadcastRelay/UDPBroadcastRelay.xml   | 104 ++++++++----------
 1 file changed, 48 insertions(+), 56 deletions(-)

diff --git a/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
index 48f0028d51..aa3ca1b4bb 100644
--- a/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
+++ b/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml
@@ -1,60 +1,52 @@
 <model>
-   <mount>//OPNsense/udpbroadcastrelays</mount>
-   <version>1.0.0</version>
-   <description>UDP Broadcast Relay settings</description>
-   <items>
-      <udpbroadcastrelay type="ArrayField">
-         <enabled type="BooleanField">
-            <Default>1</Default>
-            <Required>Y</Required>
-         </enabled>
+    <mount>//OPNsense/udpbroadcastrelays</mount>
+    <version>1.0.0</version>
+    <description>UDP Broadcast Relay settings</description>
+    <items>
+        <udpbroadcastrelay type="ArrayField">
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
             <interfaces type="InterfaceField">
-            <Default>lan</Default>
-            <Required>Y</Required>
-            <Multiple>Y</Multiple>
+                <Default>lan</Default>
+                <Required>Y</Required>
+                <Multiple>Y</Multiple>
             </interfaces>
-         <multicastaddress type="CSVListField">
-            <Required>N</Required>
-            <Default></Default>
-            <Multiple>Y</Multiple>
-            <Mask>/^([\/0-9.,])*/u</Mask>
-            <ValidationMessage>Broadcast address must be a valid IPv4 address</ValidationMessage>
-         </multicastaddress>
-         <sourceaddress  type="TextField">
-            <Required>N</Required>
-            <Default></Default>
-            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
-            <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
-         </sourceaddress>
-         <listenport type="IntegerField">
-            <Default></Default>
-            <Required>Y</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>65535</MaximumValue>
-            <ValidationMessage>Listen port needs to be an integer value between 1 and 65535</ValidationMessage>
-         </listenport>
-         <sourceaddress  type="TextField">
-            <Required>N</Required>
-            <Default></Default>
-            <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
-            <ValidationMessage>Source address must be a valid IPv4 address</ValidationMessage>
-         </sourceaddress>
-         <InstanceID type="IntegerField">
-            <Default>0</Default>
-            <Required>Y</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>63</MaximumValue>
-            <ValidationMessage>InstanceID needs to be an integer value between 1 and 63</ValidationMessage>
-         </InstanceID>
-         <RevertTTL type="BooleanField">
-            <Default>0</Default>
-            <Required>Y</Required>
-         </RevertTTL>
-         <description type="TextField">
-            <Required>N</Required>
-            <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
-            <ValidationMessage>Enter a description.</ValidationMessage>
-         </description>
-      </udpbroadcastrelay>
-   </items>
+            <multicastaddress type="CSVListField">
+                <Multiple>Y</Multiple>
+                <Mask>/^([\/0-9.,])*/u</Mask>
+                <ValidationMessage>Broadcast address must be a valid IPv4 address.</ValidationMessage>
+            </multicastaddress>
+            <sourceaddress type="TextField">
+                <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
+                <ValidationMessage>Source address must be a valid IPv4 address.</ValidationMessage>
+            </sourceaddress>
+            <listenport type="IntegerField">
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>Listen port needs to be an integer value between 1 and 65535.</ValidationMessage>
+            </listenport>
+            <sourceaddress type="TextField">
+                <Mask>/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-4]|2[0-5][0-9]|[01]?[0-9][0-9]?)$/</Mask>
+                <ValidationMessage>Source address must be a valid IPv4 address.</ValidationMessage>
+            </sourceaddress>
+            <InstanceID type="IntegerField">
+                <Default>0</Default>
+                <Required>Y</Required>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>63</MaximumValue>
+                <ValidationMessage>InstanceID needs to be an integer value between 1 and 63.</ValidationMessage>
+            </InstanceID>
+            <RevertTTL type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </RevertTTL>
+            <description type="TextField">
+                <Mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_\x{00A0}-\x{FFFF}]){1,255}$/u</Mask>
+                <ValidationMessage>Enter a description.</ValidationMessage>
+            </description>
+        </udpbroadcastrelay>
+    </items>
 </model>

From b9bb07a0c9a00e314836654e2743f1a2ff09a50d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:45:18 +0100
Subject: [PATCH 2870/3088] security/tor: basic model style

---
 .../app/models/OPNsense/Tor/ACLExitPolicy.xml |  84 +++---
 .../models/OPNsense/Tor/ACLSocksPolicy.xml    |  58 ++--
 .../mvc/app/models/OPNsense/Tor/General.xml   | 274 +++++++++---------
 .../app/models/OPNsense/Tor/HiddenService.xml |  60 ++--
 .../models/OPNsense/Tor/HiddenServiceACL.xml  |  80 ++---
 .../mvc/app/models/OPNsense/Tor/Relay.xml     | 182 ++++++------
 6 files changed, 369 insertions(+), 369 deletions(-)

diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLExitPolicy.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLExitPolicy.xml
index 644e47f344..87e7f68570 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLExitPolicy.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLExitPolicy.xml
@@ -1,44 +1,44 @@
 <model>
-  <mount>//OPNsense/tor/exitpolicy</mount>
-  <description>ACL for Socks port</description>
-  <items>
-    <policy type="ArrayField">
-      <enabled type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </enabled>
-      <type type="OptionField">
-        <Default>both</Default>
-        <Required>Y</Required>
-        <OptionValues>
-          <both>both</both>
-          <v4>IPv4</v4>
-          <v6>IPv6</v6>
-        </OptionValues>
-      </type>
-      <network type="NetworkField">
-        <Required>Y</Required>
-      </network>
-      <startport type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <MaximumValue>65535</MaximumValue>
-        <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-      </startport>
-      <endport type="IntegerField">
-        <MinimumValue>1</MinimumValue>
-        <Required>N</Required>
-        <MaximumValue>65535</MaximumValue>
-        <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-      </endport>
-      <action type="OptionField">
-          <Default>accept</Default>
-          <Required>Y</Required>
-          <OptionValues>
-            <accept>Accept</accept>
-            <reject>Reject</reject>
-          </OptionValues>
-      </action>
-    </policy>
-  </items>
+    <mount>//OPNsense/tor/exitpolicy</mount>
+    <description>ACL for Socks port</description>
+    <items>
+        <policy type="ArrayField">
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
+            <type type="OptionField">
+                <Default>both</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <both>both</both>
+                    <v4>IPv4</v4>
+                    <v6>IPv6</v6>
+                </OptionValues>
+            </type>
+            <network type="NetworkField">
+                <Required>Y</Required>
+            </network>
+            <startport type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+            </startport>
+            <endport type="IntegerField">
+                <MinimumValue>1</MinimumValue>
+                <Required>N</Required>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+            </endport>
+            <action type="OptionField">
+                <Default>accept</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <accept>Accept</accept>
+                    <reject>Reject</reject>
+                </OptionValues>
+            </action>
+        </policy>
+    </items>
 </model>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLSocksPolicy.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLSocksPolicy.xml
index 8d5e90a5e6..2ae8203b71 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLSocksPolicy.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/ACLSocksPolicy.xml
@@ -1,31 +1,31 @@
 <model>
-  <mount>//OPNsense/tor/aclsockspolicy</mount>
-  <description>ACL for Socks port</description>
-  <items>
-    <policy type="ArrayField">
-      <enabled type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </enabled>
-      <type type="OptionField">
-        <Default>v6</Default>
-        <Required>Y</Required>
-        <OptionValues>
-          <v4>IPv4</v4>
-          <v6>IPv6</v6>
-        </OptionValues>
-      </type>
-      <network type="NetworkField">
-        <Required>Y</Required>
-      </network>
-      <action type="OptionField">
-          <Default>accept</Default>
-          <Required>Y</Required>
-          <OptionValues>
-            <accept>Accept</accept>
-            <reject>Reject</reject>
-          </OptionValues>
-      </action>
-    </policy>
-  </items>
+    <mount>//OPNsense/tor/aclsockspolicy</mount>
+    <description>ACL for Socks port</description>
+    <items>
+        <policy type="ArrayField">
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
+            <type type="OptionField">
+                <Default>v6</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <v4>IPv4</v4>
+                    <v6>IPv6</v6>
+                </OptionValues>
+            </type>
+            <network type="NetworkField">
+                <Required>Y</Required>
+            </network>
+            <action type="OptionField">
+                <Default>accept</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <accept>Accept</accept>
+                    <reject>Reject</reject>
+                </OptionValues>
+            </action>
+        </policy>
+    </items>
 </model>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml
index c5f9c22253..0be1e3b283 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/General.xml
@@ -1,141 +1,141 @@
 <model>
-  <mount>//OPNsense/tor/general</mount>
-  <description>General Tor configuration</description>
-  <version>1.0.0</version>
-  <items>
-    <enabled type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </enabled>
-    <socks_listen_ip type="InterfaceField">
-      <Required>N</Required>
-      <Multiple>Y</Multiple>
-    </socks_listen_ip>
-    <socks_listen_port type="IntegerField">
-      <Default>9050</Default>
-      <MinimumValue>0</MinimumValue>
-      <Required>Y</Required>
-      <MaximumValue>65535</MaximumValue>
-      <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-    </socks_listen_port>
-    <control_port type="IntegerField">
-      <Default>9051</Default>
-      <MinimumValue>1</MinimumValue>
-      <Required>N</Required>
-      <MaximumValue>65535</MaximumValue>
-      <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-    </control_port>
-    <control_port_password type="TextField">
-      <Required>N</Required>
-      <Mask>/^.+$/</Mask>
-    </control_port_password>
-    <control_port_password_hashed type="TextField">
-      <Required>N</Required>
-      <Mask>/^.+$/</Mask>
-    </control_port_password_hashed>
-    <enablelogfile type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </enablelogfile>
-    <dormant_canceled_by_startup type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </dormant_canceled_by_startup>
-    <logfilelevel type="OptionField">
-      <Required>Y</Required>
-      <Multiple>N</Multiple>
-      <Default>notifications</Default>
-      <OptionValues>
-        <err>Errors</err>
-        <warn>Warnings</warn>
-        <notice>Notifications</notice>
-        <info>Informational</info>
-        <debug>Debugging</debug>
-      </OptionValues>
-    </logfilelevel>
-    <enablesyslog type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-    </enablesyslog>
-    <sysloglevel type="OptionField">
-      <Required>Y</Required>
-      <Multiple>N</Multiple>
-      <Default>notifications</Default>
-      <OptionValues>
-        <err>Errors</err>
-        <warn>Warnings</warn>
-        <notice>Notifications</notice>
-        <info>Informational</info>
-        <debug>Debugging</debug>
-      </OptionValues>
-    </sysloglevel>
-    <scheduler type="OptionField">
-      <Required>Y</Required>
-      <Multiple>N</Multiple>
-      <Default>KISTLiteVanilla</Default>
-      <OptionValues>
-        <KISTLiteVanilla>KISTLite,Vanilla</KISTLiteVanilla>
-        <VanillaKISTLite>Vanilla,KISTLite</VanillaKISTLite>
-        <KISTLite>KISTLite</KISTLite>
-        <Vanilla>Vanilla</Vanilla>
-      </OptionValues>
-    </scheduler>
-    <fascist_firewall type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </fascist_firewall>
-    <fascist_firewall_ports type="CSVListField">
-      <Default>80,443</Default>
-      <Required>Y</Required>
-      <Mask>/^(\d+,)*\d+$/</Mask>
-    </fascist_firewall_ports>
-    <enable_transparent type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </enable_transparent>
-    <transparent_port type="IntegerField">
-      <Default>9040</Default>
-      <MinimumValue>0</MinimumValue>
-      <Required>Y</Required>
-      <MaximumValue>65535</MaximumValue>
-      <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-    </transparent_port>
-    <transparent_dns type="IntegerField">
-      <Default>9053</Default>
-      <MinimumValue>0</MinimumValue>
-      <Required>Y</Required>
-      <MaximumValue>65535</MaximumValue>
-      <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-    </transparent_dns>
-    <transparent_ip_pool type="NetworkField">
-      <Default>172.29.0.0/16</Default>
-      <Required>Y</Required>
-    </transparent_ip_pool>
-    <dns_map_hosts type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </dns_map_hosts>
-    <client_authentications>
-      <client_auth type="ArrayField">
+    <mount>//OPNsense/tor/general</mount>
+    <description>General Tor configuration</description>
+    <version>1.0.0</version>
+    <items>
         <enabled type="BooleanField">
-          <Default>1</Default>
-          <Required>Y</Required>
+            <Default>0</Default>
+            <Required>Y</Required>
         </enabled>
-        <onion_service type="TextField">
-          <Required>Y</Required>
-          <Default>exampleexample23.onion</Default>
-          <Mask>/^[a-z2-7]{16}\.onion$/i</Mask>
-        </onion_service>
-        <auth_cookie type="TextField">
-          <Required>Y</Required>
-          <Default>0000000000000000000000</Default>
-          <Mask>/^[a-z0-9\+\/]{22}$/i</Mask>
-        </auth_cookie>
-      </client_auth>
-    </client_authentications>
-    <max_memory_in_queues type="IntegerField">
-      <MinimumValue>0</MinimumValue>
-      <Required>N</Required>
-    </max_memory_in_queues>
-  </items>
+        <socks_listen_ip type="InterfaceField">
+            <Required>N</Required>
+            <Multiple>Y</Multiple>
+        </socks_listen_ip>
+        <socks_listen_port type="IntegerField">
+            <Default>9050</Default>
+            <MinimumValue>0</MinimumValue>
+            <Required>Y</Required>
+            <MaximumValue>65535</MaximumValue>
+            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+        </socks_listen_port>
+        <control_port type="IntegerField">
+            <Default>9051</Default>
+            <MinimumValue>1</MinimumValue>
+            <Required>N</Required>
+            <MaximumValue>65535</MaximumValue>
+            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+        </control_port>
+        <control_port_password type="TextField">
+            <Required>N</Required>
+            <Mask>/^.+$/</Mask>
+        </control_port_password>
+        <control_port_password_hashed type="TextField">
+            <Required>N</Required>
+            <Mask>/^.+$/</Mask>
+        </control_port_password_hashed>
+        <enablelogfile type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </enablelogfile>
+        <dormant_canceled_by_startup type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </dormant_canceled_by_startup>
+        <logfilelevel type="OptionField">
+            <Required>Y</Required>
+            <Multiple>N</Multiple>
+            <Default>notifications</Default>
+            <OptionValues>
+                <err>Errors</err>
+                <warn>Warnings</warn>
+                <notice>Notifications</notice>
+                <info>Informational</info>
+                <debug>Debugging</debug>
+            </OptionValues>
+        </logfilelevel>
+        <enablesyslog type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </enablesyslog>
+        <sysloglevel type="OptionField">
+            <Required>Y</Required>
+            <Multiple>N</Multiple>
+            <Default>notifications</Default>
+            <OptionValues>
+                <err>Errors</err>
+                <warn>Warnings</warn>
+                <notice>Notifications</notice>
+                <info>Informational</info>
+                <debug>Debugging</debug>
+            </OptionValues>
+        </sysloglevel>
+        <scheduler type="OptionField">
+            <Required>Y</Required>
+            <Multiple>N</Multiple>
+            <Default>KISTLiteVanilla</Default>
+            <OptionValues>
+                <KISTLiteVanilla>KISTLite,Vanilla</KISTLiteVanilla>
+                <VanillaKISTLite>Vanilla,KISTLite</VanillaKISTLite>
+                <KISTLite>KISTLite</KISTLite>
+                <Vanilla>Vanilla</Vanilla>
+            </OptionValues>
+        </scheduler>
+        <fascist_firewall type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </fascist_firewall>
+        <fascist_firewall_ports type="CSVListField">
+            <Default>80,443</Default>
+            <Required>Y</Required>
+            <Mask>/^(\d+,)*\d+$/</Mask>
+        </fascist_firewall_ports>
+        <enable_transparent type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </enable_transparent>
+        <transparent_port type="IntegerField">
+            <Default>9040</Default>
+            <MinimumValue>0</MinimumValue>
+            <Required>Y</Required>
+            <MaximumValue>65535</MaximumValue>
+            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+        </transparent_port>
+        <transparent_dns type="IntegerField">
+            <Default>9053</Default>
+            <MinimumValue>0</MinimumValue>
+            <Required>Y</Required>
+            <MaximumValue>65535</MaximumValue>
+            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+        </transparent_dns>
+        <transparent_ip_pool type="NetworkField">
+            <Default>172.29.0.0/16</Default>
+            <Required>Y</Required>
+        </transparent_ip_pool>
+        <dns_map_hosts type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </dns_map_hosts>
+        <client_authentications>
+            <client_auth type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <onion_service type="TextField">
+                    <Required>Y</Required>
+                    <Default>exampleexample23.onion</Default>
+                    <Mask>/^[a-z2-7]{16}\.onion$/i</Mask>
+                </onion_service>
+                <auth_cookie type="TextField">
+                    <Required>Y</Required>
+                    <Default>0000000000000000000000</Default>
+                    <Mask>/^[a-z0-9\+\/]{22}$/i</Mask>
+                </auth_cookie>
+            </client_auth>
+        </client_authentications>
+        <max_memory_in_queues type="IntegerField">
+            <MinimumValue>0</MinimumValue>
+            <Required>N</Required>
+        </max_memory_in_queues>
+    </items>
 </model>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenService.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenService.xml
index e9af42514a..e373d08f80 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenService.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenService.xml
@@ -1,32 +1,32 @@
 <model>
-  <mount>//OPNsense/tor/hiddenservice</mount>
-  <description>Tor Onion service configuration</description>
-  <version>1.0.0</version>
-  <items>
-    <service type="ArrayField">
-      <enabled type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </enabled>
-      <name type="TextField">
-        <Required>Y</Required>
-        <Mask>/^[a-z0-9_-]+$/i</Mask>
-        <ValidationMessage>The name should only consist of alphanumeric characters, dashes and underscores.</ValidationMessage>
-      </name>
-      <type type="OptionField">
-        <Default>basic</Default>
-        <Required>Y</Required>
-        <OptionValues>
-            <basic>Basic</basic>
-            <stealth>Stealth</stealth>
-        </OptionValues>
-      </type>
-      <clients type="CSVListField">
-        <Multiple>Y</Multiple>
-        <Required>N</Required>
-        <Mask>/^([a-z0-9_+-]+,)*([a-z0-9_+-]*)$/i</Mask>
-        <ValidationMessage>The authorized clients should only consist of alphanumeric characters, dashes, underscores and plus sign.</ValidationMessage>
-      </clients>
-    </service>
-  </items>
+    <mount>//OPNsense/tor/hiddenservice</mount>
+    <description>Tor Onion service configuration</description>
+    <version>1.0.0</version>
+    <items>
+        <service type="ArrayField">
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
+            <name type="TextField">
+                <Required>Y</Required>
+                <Mask>/^[a-z0-9_-]+$/i</Mask>
+                <ValidationMessage>The name should only consist of alphanumeric characters, dashes and underscores.</ValidationMessage>
+            </name>
+            <type type="OptionField">
+                <Default>basic</Default>
+                <Required>Y</Required>
+                <OptionValues>
+                    <basic>Basic</basic>
+                    <stealth>Stealth</stealth>
+                </OptionValues>
+            </type>
+            <clients type="CSVListField">
+                <Multiple>Y</Multiple>
+                <Required>N</Required>
+                <Mask>/^([a-z0-9_+-]+,)*([a-z0-9_+-]*)$/i</Mask>
+                <ValidationMessage>The authorized clients should only consist of alphanumeric characters, dashes, underscores and plus sign.</ValidationMessage>
+            </clients>
+        </service>
+    </items>
 </model>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenServiceACL.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenServiceACL.xml
index 4cda6c1d2b..05d230068a 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenServiceACL.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/HiddenServiceACL.xml
@@ -1,42 +1,42 @@
 <model>
-  <mount>//OPNsense/tor/hiddenserviceacl</mount>
-  <description>Tor Onion Service ACL</description>
-  <items>
-    <hiddenserviceacl type="ArrayField">
-      <enabled type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-      </enabled>
-      <hiddenservice type="ModelRelationField">
-        <Model>
-          <template>
-            <source>OPNsense.Tor.HiddenService</source>
-            <items>service</items>
-            <display>name</display>
-          </template>
-        </Model>
-        <ValidationMessage>An Onion service must be set.</ValidationMessage>
-        <Multiple>N</Multiple>
-        <Required>Y</Required>
-      </hiddenservice>
-      <port type="IntegerField">
-        <Default>80</Default>
-        <MinimumValue>1</MinimumValue>
-        <Required>Y</Required>
-        <MaximumValue>65535</MaximumValue>
-        <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-      </port>
-      <target_host type="NetworkField">
-        <Required>Y</Required>
-        <Default>127.0.0.1</Default>
-      </target_host>
-      <target_port type="IntegerField">
-        <Default>80</Default>
-        <MinimumValue>1</MinimumValue>
-        <Required>Y</Required>
-        <MaximumValue>65535</MaximumValue>
-        <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-      </target_port>
-    </hiddenserviceacl>
-  </items>
+    <mount>//OPNsense/tor/hiddenserviceacl</mount>
+    <description>Tor Onion Service ACL</description>
+    <items>
+        <hiddenserviceacl type="ArrayField">
+            <enabled type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enabled>
+            <hiddenservice type="ModelRelationField">
+                <Model>
+                    <template>
+                        <source>OPNsense.Tor.HiddenService</source>
+                        <items>service</items>
+                        <display>name</display>
+                    </template>
+                </Model>
+                <ValidationMessage>An Onion service must be set.</ValidationMessage>
+                <Multiple>N</Multiple>
+                <Required>Y</Required>
+            </hiddenservice>
+            <port type="IntegerField">
+                <Default>80</Default>
+                <MinimumValue>1</MinimumValue>
+                <Required>Y</Required>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+            </port>
+            <target_host type="NetworkField">
+                <Required>Y</Required>
+                <Default>127.0.0.1</Default>
+            </target_host>
+            <target_port type="IntegerField">
+                <Default>80</Default>
+                <MinimumValue>1</MinimumValue>
+                <Required>Y</Required>
+                <MaximumValue>65535</MaximumValue>
+                <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+            </target_port>
+        </hiddenserviceacl>
+    </items>
 </model>
diff --git a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
index 09eab593bc..a9a2bd7ff2 100644
--- a/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
+++ b/security/tor/src/opnsense/mvc/app/models/OPNsense/Tor/Relay.xml
@@ -1,93 +1,93 @@
 <model>
-  <mount>//OPNsense/tor/relay</mount>
-  <version>1.0.0</version>
-  <description>Tor Relay configuration</description>
-  <items>
-    <enabled type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </enabled>
-    <dir_frontpage type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </dir_frontpage>
-    <host type="TextField">
-      <Required>N</Required>
-      <Mask>/^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/</Mask>
-    </host>
-    <hostv6 type="TextField">
-      <Required>N</Required>
-      <Mask>/^[a-f0-9:]{2,}$/i</Mask>
-    </hostv6>
-    <outboundbind type="TextField">
-      <Required>N</Required>
-      <Mask>/^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/</Mask>
-    </outboundbind>
-    <outboundbindv6 type="TextField">
-      <Required>N</Required>
-      <Mask>/^[a-f0-9:]{2,}$/i</Mask>
-    </outboundbindv6>
-    <port type="IntegerField">
-      <Default>9001</Default>
-      <MinimumValue>0</MinimumValue>
-      <Required>Y</Required>
-      <MaximumValue>65535</MaximumValue>
-      <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-    </port>
-    <directory_port type="IntegerField">
-      <MinimumValue>1</MinimumValue>
-      <Required>N</Required>
-      <MaximumValue>65535</MaximumValue>
-      <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
-    </directory_port>
-    <address type="TextField">
-      <Required>N</Required>
-      <!-- hostname -->
-      <Mask>/^[a-z0-9.-]+$/i</Mask>
-    </address>
-    <nick type="TextField">
-      <Required>N</Required>
-      <!-- by docs -->
-      <Mask>/^[a-zA-Z0-9]+$/</Mask>
-    </nick>
-    <contact_info type="TextField">
-      <Required>N</Required>
-      <Mask><![CDATA[/^[a-zA-Z0-9 !§$%\/\(\)\\@,;.:_\-#+~*\?&<>]+$/]]></Mask>
-    </contact_info>
-    <family type="TextField">
-      <Required>N</Required>
-      <!-- series of hex arrays -->
-      <Mask>/^[a-fA-F0-9,]+$/</Mask>
-    </family>
-    <bandwithrate type="IntegerField">
-      <Required>N</Required>
-    </bandwithrate>
-    <bandwithburst type="IntegerField">
-      <Required>N</Required>
-    </bandwithburst>
-    <relay type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-    </relay>
-    <exitrejectprivateip type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-    </exitrejectprivateip>
-    <publish type="BooleanField">
-        <Default>0</Default>
-        <Required>Y</Required>
-    </publish>
-    <exitenabled type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </exitenabled>
-    <exitipv6 type="BooleanField">
-      <Default>0</Default>
-      <Required>N</Required>
-    </exitipv6>
-    <exitrejectlocalif type="BooleanField">
-        <Default>1</Default>
-        <Required>Y</Required>
-    </exitrejectlocalif>
-  </items>
+    <mount>//OPNsense/tor/relay</mount>
+    <version>1.0.0</version>
+    <description>Tor Relay configuration</description>
+    <items>
+        <enabled type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </enabled>
+        <dir_frontpage type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </dir_frontpage>
+        <host type="TextField">
+            <Required>N</Required>
+            <Mask>/^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/</Mask>
+        </host>
+        <hostv6 type="TextField">
+            <Required>N</Required>
+            <Mask>/^[a-f0-9:]{2,}$/i</Mask>
+        </hostv6>
+        <outboundbind type="TextField">
+            <Required>N</Required>
+            <Mask>/^([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-5])$/</Mask>
+        </outboundbind>
+        <outboundbindv6 type="TextField">
+            <Required>N</Required>
+            <Mask>/^[a-f0-9:]{2,}$/i</Mask>
+        </outboundbindv6>
+        <port type="IntegerField">
+            <Default>9001</Default>
+            <MinimumValue>0</MinimumValue>
+            <Required>Y</Required>
+            <MaximumValue>65535</MaximumValue>
+            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+        </port>
+        <directory_port type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <Required>N</Required>
+            <MaximumValue>65535</MaximumValue>
+            <ValidationMessage>A valid Port number must be specified.</ValidationMessage>
+        </directory_port>
+        <address type="TextField">
+            <Required>N</Required>
+            <!-- hostname -->
+            <Mask>/^[a-z0-9.-]+$/i</Mask>
+        </address>
+        <nick type="TextField">
+            <Required>N</Required>
+            <!-- by docs -->
+            <Mask>/^[a-zA-Z0-9]+$/</Mask>
+        </nick>
+        <contact_info type="TextField">
+            <Required>N</Required>
+            <Mask><![CDATA[/^[a-zA-Z0-9 !§$%\/\(\)\\@,;.:_\-#+~*\?&<>]+$/]]></Mask>
+        </contact_info>
+        <family type="TextField">
+            <Required>N</Required>
+            <!-- series of hex arrays -->
+            <Mask>/^[a-fA-F0-9,]+$/</Mask>
+        </family>
+        <bandwithrate type="IntegerField">
+            <Required>N</Required>
+        </bandwithrate>
+        <bandwithburst type="IntegerField">
+            <Required>N</Required>
+        </bandwithburst>
+        <relay type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </relay>
+        <exitrejectprivateip type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </exitrejectprivateip>
+        <publish type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </publish>
+        <exitenabled type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </exitenabled>
+        <exitipv6 type="BooleanField">
+            <Default>0</Default>
+            <Required>N</Required>
+        </exitipv6>
+        <exitrejectlocalif type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </exitrejectlocalif>
+    </items>
 </model>

From 2783ef18b7f47594e9139a4d93eba8b53719fe62 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:46:53 +0100
Subject: [PATCH 2871/3088] net/wol: model style

---
 .../mvc/app/models/OPNsense/Wol/Wol.xml       | 37 ++++++++-----------
 1 file changed, 15 insertions(+), 22 deletions(-)

diff --git a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
index 08c10cc1fb..9fddd8987f 100644
--- a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
+++ b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/Wol.xml
@@ -3,27 +3,20 @@
     <description>Wake On Lan configuration</description>
     <version>1.0.0</version>
     <items>
-      <wolentry type="ArrayField">
-        <interface type="InterfaceField">
-            <Required>Y</Required>
-            <Multiple>N</Multiple>
-            <Default></Default>
-            <filters>
-                <enable>/^(?!0).*$/</enable>
-            </filters>
-        </interface>
-        <mac type="TextField">
-            <Required>Y</Required>
-            <Multiple>N</Multiple>
-            <Mask>/^((?:[a-fA-F0-9]{2}:){5}(?:[a-fA-F0-9]{2}))$/</Mask>
-            <Default>00:00:00:00:00:00</Default>
-            <ValidationMessage>Should be 6 groups of 2 hex characters (a-fA-F0-9) separated by ':'</ValidationMessage>
-        </mac>
-        <descr type="TextField">
-            <Required>N</Required>
-            <Multiple>N</Multiple>
-            <Default></Default>
-        </descr>
-      </wolentry>
+        <wolentry type="ArrayField">
+            <interface type="InterfaceField">
+                <Required>Y</Required>
+                <filters>
+                    <enable>/^(?!0).*$/</enable>
+                </filters>
+            </interface>
+            <mac type="TextField">
+                <Required>Y</Required>
+                <Mask>/^((?:[a-fA-F0-9]{2}:){5}(?:[a-fA-F0-9]{2}))$/</Mask>
+                <Default>00:00:00:00:00:00</Default>
+                <ValidationMessage>Should be 6 groups of 2 hex characters (a-fA-F0-9) separated by ':'.</ValidationMessage>
+            </mac>
+            <descr type="TextField"/>
+        </wolentry>
     </items>
 </model>

From e1d9f49c8123f690348270a6c4fa056d8c7a7ec3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:48:50 +0100
Subject: [PATCH 2872/3088] net/zerotier: model style

---
 .../app/models/OPNsense/Zerotier/Zerotier.xml | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.xml b/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.xml
index 1a5b010145..bbd7750f6a 100644
--- a/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.xml
+++ b/net/zerotier/src/opnsense/mvc/app/models/OPNsense/Zerotier/Zerotier.xml
@@ -1,21 +1,14 @@
 <model>
     <mount>//OPNsense/zerotier</mount>
-    <description>
-        Zerotier - Virtual Networks That Just Work.
-    </description>
+    <description>Zerotier configuration</description>
     <version>1.3.0</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
         </enabled>
-        <apiAccessToken type="TextField">
-            <Default></Default>
-            <Required>N</Required>
-        </apiAccessToken>
-        <localconf type="TextField">
-            <Required>N</Required>
-        </localconf>
+        <apiAccessToken type="TextField"/>
+        <localconf type="TextField"/>
         <networks>
             <network type="ArrayField">
                 <enabled type="BooleanField">
@@ -23,13 +16,9 @@
                     <Required>Y</Required>
                 </enabled>
                 <networkId type="TextField">
-                    <Default></Default>
                     <Required>Y</Required>
                 </networkId>
-                <description type="TextField">
-                    <Default></Default>
-                    <Required>N</Required>
-                </description>
+                <description type="TextField"/>
             </network>
         </networks>
     </items>

From 7f7406535e2f14fad0995a8e3a733e5ff4ee30ea Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:49:41 +0100
Subject: [PATCH 2873/3088] security/clamav: basic model style

---
 .../app/models/OPNsense/ClamAV/General.xml    | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
index 138ab9e833..ff0be29cc9 100644
--- a/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
+++ b/security/clamav/src/opnsense/mvc/app/models/OPNsense/ClamAV/General.xml
@@ -37,16 +37,16 @@
         </followdirsym>
         <followfilesym type="BooleanField">
             <Default>0</Default>
-	    <Required>N</Required>
-	</followfilesym>
+            <Required>N</Required>
+        </followfilesym>
         <disablecache type="TextField">
             <Default>0</Default>
-	    <Required>N</Required>
-	</disablecache>
+            <Required>N</Required>
+        </disablecache>
         <scanpe type="BooleanField">
             <Default>1</Default>
-	    <Required>N</Required>
-	</scanpe>
+            <Required>N</Required>
+        </scanpe>
         <scanelf type="BooleanField">
             <Default>1</Default>
             <Required>N</Required>
@@ -99,18 +99,18 @@
             <Default>100M</Default>
             <Required>N</Required>
         </maxscansize>
-	<maxfilesize type="TextField">
+        <maxfilesize type="TextField">
             <Default>25M</Default>
             <Required>N</Required>
         </maxfilesize>
-	<maxrecursion type="IntegerField">
+        <maxrecursion type="IntegerField">
             <Default>16</Default>
             <Required>N</Required>
         </maxrecursion>
-	<maxfiles type="IntegerField">
+        <maxfiles type="IntegerField">
             <Default>10000</Default>
             <Required>N</Required>
-	</maxfiles>
+        </maxfiles>
         <logverbose type="BooleanField">
             <Default>0</Default>
             <Required>N</Required>

From 5e83a9f93cf7321588e3ba63e4a6a7a6310c4ec3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:53:57 +0100
Subject: [PATCH 2874/3088] security/crowdsec: model style

Changed a validation message to not end with question.  Although
I do not oppose to this the current rule is "dot" for end of sentence
only and the question appears to be better suited for the help text
where it can be accessed beforehand by the user.
---
 .../app/models/OPNsense/CrowdSec/General.xml  | 116 ++++++++----------
 1 file changed, 52 insertions(+), 64 deletions(-)

diff --git a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
index cef04eb0cd..8494d3d2f9 100644
--- a/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
+++ b/security/crowdsec/src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml
@@ -1,66 +1,54 @@
 <model>
-  <mount>//OPNsense/crowdsec/general</mount>
-  <description>CrowdSec general configuration</description>
-  <version>1.0.12</version>
-  <items>
-
-    <agent_enabled type="BooleanField">
-      <Default>1</Default>
-      <Required>Y</Required>
-    </agent_enabled>
-
-    <lapi_enabled type="BooleanField">
-      <Default>1</Default>
-      <Required>Y</Required>
-    </lapi_enabled>
-
-    <firewall_bouncer_enabled type="BooleanField">
-      <Default>1</Default>
-      <Required>Y</Required>
-    </firewall_bouncer_enabled>
-
-    <lapi_manual_configuration type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </lapi_manual_configuration>
-
-    <lapi_listen_address type="NetworkField">
-      <Default>127.0.0.1</Default>
-      <Required>Y</Required>
-      <NetMaskAllowed>N</NetMaskAllowed>
-    </lapi_listen_address>
-
-    <lapi_listen_port type="PortField">
-      <Default>8080</Default>
-      <Required>Y</Required>
-      <EnableWellKnown>N</EnableWellKnown>
-      <EnableRanges>N</EnableRanges>
-    </lapi_listen_port>
-
-    <rules_enabled type="BooleanField">
-      <Default>1</Default>
-      <Required>Y</Required>
-    </rules_enabled>
-
-    <rules_log type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </rules_log>
-
-    <rules_tag type="TextField">
-      <Mask>/^([0-9a-zA-Z]{1,63})$/u</Mask>
-      <ValidationMessage>A tag must only contain numbers and letters and must be between 1 and 63 characters.</ValidationMessage>
-    </rules_tag>
-
-    <enroll_key type="TextField">
-      <Mask>/^([0-9a-zA-Z]{1,63})$/u</Mask>
-      <ValidationMessage>The enrollment key can only contain numbers and letters and must be between 1 and 63 characters. Did you take it from app.crowdsec.net?</ValidationMessage>
-    </enroll_key>
-
-    <crowdsec_firewall_verbose type="BooleanField">
-      <Default>0</Default>
-      <Required>Y</Required>
-    </crowdsec_firewall_verbose>
-
-  </items>
+    <mount>//OPNsense/crowdsec/general</mount>
+    <description>CrowdSec general configuration</description>
+    <version>1.0.12</version>
+    <items>
+        <agent_enabled type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </agent_enabled>
+        <lapi_enabled type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </lapi_enabled>
+        <firewall_bouncer_enabled type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </firewall_bouncer_enabled>
+        <lapi_manual_configuration type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </lapi_manual_configuration>
+        <lapi_listen_address type="NetworkField">
+            <Default>127.0.0.1</Default>
+            <Required>Y</Required>
+            <NetMaskAllowed>N</NetMaskAllowed>
+        </lapi_listen_address>
+        <lapi_listen_port type="PortField">
+            <Default>8080</Default>
+            <Required>Y</Required>
+            <EnableWellKnown>N</EnableWellKnown>
+            <EnableRanges>N</EnableRanges>
+        </lapi_listen_port>
+        <rules_enabled type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </rules_enabled>
+        <rules_log type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </rules_log>
+        <rules_tag type="TextField">
+            <Mask>/^([0-9a-zA-Z]{1,63})$/u</Mask>
+            <ValidationMessage>A tag must only contain numbers and letters and must be between 1 and 63 characters.</ValidationMessage>
+        </rules_tag>
+        <enroll_key type="TextField">
+            <Mask>/^([0-9a-zA-Z]{1,63})$/u</Mask>
+            <ValidationMessage>The enrollment key can only contain numbers and letters and must be between 1 and 63 characters.</ValidationMessage>
+        </enroll_key>
+        <crowdsec_firewall_verbose type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </crowdsec_firewall_verbose>
+    </items>
 </model>

From 33540053e7cff5db09802745ad747d22a84baf38 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 04:56:20 +0100
Subject: [PATCH 2875/3088] security/openconnect: model style

---
 .../models/OPNsense/Openconnect/General.xml   | 36 ++++++++-----------
 1 file changed, 15 insertions(+), 21 deletions(-)

diff --git a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
index b9713f044d..32234fa409 100644
--- a/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
+++ b/security/openconnect/src/opnsense/mvc/app/models/OPNsense/Openconnect/General.xml
@@ -24,30 +24,26 @@
             <Required>Y</Required>
         </password>
         <servercert type="TextField">
-            <Required>N</Required>
             <Mask>/^([a-zA-Z0-9\/\+\=]){40,64}$/u</Mask>
             <ValidationMessage>Please provide a valid hash.</ValidationMessage>
         </servercert>
         <hash type="OptionField">
             <Default>sha256</Default>
             <Required>Y</Required>
-                <OptionValues>
-                    <sha256>SHA256</sha256>
-                    <sha1>SHA1</sha1>
-                    <pin-sha256>PIN-SHA256</pin-sha256>
-                </OptionValues>
+            <OptionValues>
+                <sha256>SHA256</sha256>
+                <sha1>SHA1</sha1>
+                <pin-sha256>PIN-SHA256</pin-sha256>
+            </OptionValues>
         </hash>
         <group type="TextField">
-            <Required>N</Required>
             <Mask>/^[() a-zA-Z0-9._-]{1,64}$/</Mask>
             <ValidationMessage>Please provide a valid group name. Allowed are at most 64 characters from a-zA-Z0-9._-() and space.</ValidationMessage>
         </group>
         <clientcertificate type="CertificateField">
             <Type>cert</Type>
-            <Required>N</Required>
         </clientcertificate>
         <tokenmode type="OptionField">
-            <Required>N</Required>
             <OptionValues>
                 <rsa>RSA SecurID</rsa>
                 <totp>TOTP</totp>
@@ -55,9 +51,7 @@
                 <oidc>OpenIDConnect</oidc>
             </OptionValues>
         </tokenmode>
-        <tokensecret type="TextField">
-            <Required>N</Required>
-        </tokensecret>
+        <tokensecret type="TextField"/>
         <allowinsecure type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -65,15 +59,15 @@
         <protocol type="OptionField">
             <Default>anyconnect</Default>
             <Required>Y</Required>
-                <OptionValues>
-                    <anyconnect>Cisco AnyConnect</anyconnect>
-                    <nc>Juniper</nc>
-                    <pulse>Pulse Connect Secure</pulse>
-                    <gp>Palo Alto Networks GlobalProtect</gp>
-                    <f5>F5 Big-IP</f5>
-                    <fortinet>Fortinet Fortigate</fortinet>
-                    <array>Array Networks AG</array>
-                </OptionValues>
+            <OptionValues>
+                <anyconnect>Cisco AnyConnect</anyconnect>
+                <nc>Juniper</nc>
+                <pulse>Pulse Connect Secure</pulse>
+                <gp>Palo Alto Networks GlobalProtect</gp>
+                <f5>F5 Big-IP</f5>
+                <fortinet>Fortinet Fortigate</fortinet>
+                <array>Array Networks AG</array>
+            </OptionValues>
         </protocol>
     </items>
 </model>

From 87a27341ce421e42c4abdc1f90086b8b78372f87 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 05:00:45 +0100
Subject: [PATCH 2876/3088] security/wazuh-agent: model style and wrap up next
 version

As a note the default value for "syslog_programs" was scrapped
because it was not used.  Consider flipping Required=Y and putting
it back to whom it may concern.
---
 security/wazuh-agent/Makefile                              | 3 +--
 security/wazuh-agent/pkg-descr                             | 5 +++++
 .../mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml      | 7 +------
 .../wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw     | 2 +-
 4 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index 6f156d3d36..990ce80eb7 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		wazuh-agent
-PLUGIN_VERSION=		1.2
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/wazuh-agent/pkg-descr b/security/wazuh-agent/pkg-descr
index 7a6dd7666d..2a7e397c2f 100644
--- a/security/wazuh-agent/pkg-descr
+++ b/security/wazuh-agent/pkg-descr
@@ -8,6 +8,11 @@ solution.
 Plugin Changelog
 ================
 
+1.3
+
+* Fix active response duplicate key causing false aborts (contributed by Michael Bedworth)
+* Add repeated_offenders config and fix template issues (contributed by Michael Bedworth)
+
 1.2
 
 * Implement options to change server ports (contributed by 999eagle)
diff --git a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
index 9657b91baf..43c66aa0b7 100644
--- a/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
+++ b/security/wazuh-agent/src/opnsense/mvc/app/models/OPNsense/WazuhAgent/WazuhAgent.xml
@@ -13,7 +13,6 @@
                 <IpAllowed>Y</IpAllowed>
             </server_address>
             <agent_name type="HostnameField">
-                <Required>N</Required>
                 <IpAllowed>N</IpAllowed>
             </agent_name>
             <protocol type="OptionField">
@@ -58,9 +57,7 @@
                 <Required>Y</Required>
             </remote_commands>
             <syslog_programs type="JsonKeyValueStoreField">
-                <Required>N</Required>
                 <Multiple>Y</Multiple>
-                <Default>filterlog,openvpn,unbound,audit,sshd</Default>
                 <ConfigdPopulateAct>syslog list applications</ConfigdPopulateAct>
                 <SourceFile>/tmp/syslog_applications.json</SourceFile>
                 <ConfigdPopulateTTL>20</ConfigdPopulateTTL>
@@ -110,12 +107,10 @@
                         </filters>
                     </alias>
                 </Model>
-                <Required>N</Required>
             </fw_alias_ignore>
             <repeated_offenders type="TextField">
-                <Required>N</Required>
                 <Mask>/^([0-9]+)(,[0-9]+)*$/</Mask>
-                <ValidationMessage>Enter comma-separated timeout values in minutes (e.g., 30,60,120,240)</ValidationMessage>
+                <ValidationMessage>Enter comma-separated timeout values in minutes (e.g., 30,60,120,240).</ValidationMessage>
             </repeated_offenders>
         </active_response>
     </items>
diff --git a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
index a13439c2ec..3eefe8154c 100755
--- a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
+++ b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
@@ -122,7 +122,7 @@ def main(params):
                 "command": "check_keys",
                 "parameters":{
                    unique_key = "%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)
-		   "keys": [unique_key] 
+		   "keys": [unique_key]
                 }
             }))
             sys.stdout.flush()

From 1dcf1eace1689c86c1162523be8bf5eaf3fa1495 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 05:10:27 +0100
Subject: [PATCH 2877/3088] sysutils/munin-node: model style

---
 .../opnsense/mvc/app/models/OPNsense/Muninnode/General.xml   | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/sysutils/munin-node/src/opnsense/mvc/app/models/OPNsense/Muninnode/General.xml b/sysutils/munin-node/src/opnsense/mvc/app/models/OPNsense/Muninnode/General.xml
index 85543a3e87..3d82dc0b11 100644
--- a/sysutils/munin-node/src/opnsense/mvc/app/models/OPNsense/Muninnode/General.xml
+++ b/sysutils/munin-node/src/opnsense/mvc/app/models/OPNsense/Muninnode/General.xml
@@ -15,9 +15,6 @@
             <Default>4949</Default>
             <Required>Y</Required>
         </port>
-        <allowednetworks type="CSVListField">
-            <Default></Default>
-            <Required>N</Required>
-        </allowednetworks>
+        <allowednetworks type="CSVListField"/>
     </items>
 </model>

From 3bccb618b4fdd611f0a9d003b36c85fc96d137d5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 05:14:40 +0100
Subject: [PATCH 2878/3088] sysutils/node_exporter: model style

---
 .../models/OPNsense/NodeExporter/General.xml  | 77 +++++--------------
 1 file changed, 21 insertions(+), 56 deletions(-)

diff --git a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
index a3af1f8e68..07eb285951 100644
--- a/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
+++ b/sysutils/node_exporter/src/opnsense/mvc/app/models/OPNsense/NodeExporter/General.xml
@@ -1,68 +1,33 @@
 <model>
     <mount>//OPNsense/NodeExporter</mount>
-    <description>
-        node_exporter - Prometheus exporter for hardware and OS metrics.
-    </description>
+    <description>node_exporter configuration</description>
     <version>0.2.0</version>
     <items>
         <enabled type="BooleanField">
-          <Default>0</Default>
-          <Required>Y</Required>
+            <Default>0</Default>
+            <Required>Y</Required>
         </enabled>
         <listenaddress type="NetworkField">
-          <Default>0.0.0.0</Default>
-          <Required>Y</Required>
-          <NetMaskAllowed>N</NetMaskAllowed>
-          <ValidationMessage>Please provide a valid IP address.</ValidationMessage>
+            <Default>0.0.0.0</Default>
+            <Required>Y</Required>
+            <NetMaskAllowed>N</NetMaskAllowed>
+            <ValidationMessage>Please provide a valid IP address.</ValidationMessage>
         </listenaddress>
         <listenport type="PortField">
-          <Default>9100</Default>
-          <Required>Y</Required>
-          <ValidationMessage>Please provide a valid port number between 1 and 65535. Port 9100 is the default.</ValidationMessage>
+            <Default>9100</Default>
+            <Required>Y</Required>
+            <ValidationMessage>Please provide a valid port number between 1 and 65535. Port 9100 is the default.</ValidationMessage>
         </listenport>
-        <cpu type="BooleanField">
-          <Default>1</Default>
-          <Required>N</Required>
-        </cpu>
-        <exec type="BooleanField">
-          <Default>1</Default>
-          <Required>N</Required>
-        </exec>
-        <filesystem type="BooleanField">
-          <Default>1</Default>
-          <Required>N</Required>
-        </filesystem>
-        <loadavg type="BooleanField">
-          <Default>1</Default>
-          <Required>N</Required>
-        </loadavg>
-        <meminfo type="BooleanField">
-          <Default>1</Default>
-          <Required>N</Required>
-        </meminfo>
-        <netdev type="BooleanField">
-          <Default>1</Default>
-          <Required>N</Required>
-        </netdev>
-        <time type="BooleanField">
-          <Default>1</Default>
-          <Required>N</Required>
-        </time>
-        <devstat type="BooleanField">
-          <Default>0</Default>
-          <Required>N</Required>
-        </devstat>
-        <interrupts type="BooleanField">
-          <Default>0</Default>
-          <Required>N</Required>
-        </interrupts>
-        <ntp type="BooleanField">
-          <Default>0</Default>
-          <Required>N</Required>
-        </ntp>
-        <zfs type="BooleanField">
-          <Default>0</Default>
-          <Required>N</Required>
-        </zfs>
+        <cpu type="BooleanField"/>
+        <exec type="BooleanField"/>
+        <filesystem type="BooleanField"/>
+        <loadavg type="BooleanField"/>
+        <meminfo type="BooleanField"/>
+        <netdev type="BooleanField"/>
+        <time type="BooleanField"/>
+        <devstat type="BooleanField"/>
+        <interrupts type="BooleanField"/>
+        <ntp type="BooleanField"/>
+        <zfs type="BooleanField"/>
     </items>
 </model>

From ae2d51e036a75b43bf88972ed5132577b1d18e13 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 05:22:40 +0100
Subject: [PATCH 2879/3088] sysutils/nextcloud-backup: new version, style and
 unmaintaned marker

While the plugin just received a partial rewrite it hasn't gotten
any TLC in years though.
---
 README.md                                             |  2 +-
 sysutils/nextcloud-backup/Makefile                    |  4 +---
 sysutils/nextcloud-backup/pkg-descr                   | 11 +++++++++++
 .../mvc/app/library/OPNsense/Backup/Nextcloud.php     |  4 +++-
 .../app/models/OPNsense/Backup/NextcloudSettings.xml  | 11 ++++-------
 5 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 6ebc497928..b4ec143b09 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,7 @@ sysutils/hw-probe -- Collect hardware diagnostics
 sysutils/lcdproc-sdeclcd -- LCDProc for SDEC LCD devices (not maintained)
 sysutils/mail-backup -- Send configuration file backup by e-mail
 sysutils/munin-node -- Munin monitoring agent
-sysutils/nextcloud-backup -- Track config changes using NextCloud
+sysutils/nextcloud-backup -- Track config changes using NextCloud (not maintained)
 sysutils/node_exporter -- Prometheus exporter for machine metrics
 sysutils/nut -- Network UPS Tools
 sysutils/puppet-agent -- Manage Puppet Agent
diff --git a/sysutils/nextcloud-backup/Makefile b/sysutils/nextcloud-backup/Makefile
index 146dce479f..6ec93c476a 100644
--- a/sysutils/nextcloud-backup/Makefile
+++ b/sysutils/nextcloud-backup/Makefile
@@ -1,7 +1,5 @@
 PLUGIN_NAME=		nextcloud-backup
-PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Track config changes using NextCloud
-PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/nextcloud-backup/pkg-descr b/sysutils/nextcloud-backup/pkg-descr
index 23c4f87d84..7a96846941 100644
--- a/sysutils/nextcloud-backup/pkg-descr
+++ b/sysutils/nextcloud-backup/pkg-descr
@@ -2,3 +2,14 @@ This package adds a backup option using an existing NextCloud instance.
 
 Due to the sensitive nature of the data being send to the backup, we
 strongly advise to not use a public service to send backups to.
+
+Plugin Changelog
+================
+
+1.1
+
+* Back up the content of /conf/backup (contributed by Daniel Lysfjor)
+
+1.0
+
+* Initial release
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index b2fdde4973..6f72ba479e 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -152,7 +152,9 @@ public function backup()
             $tmp_local_files = scandir('/conf/backup/');
             // Remove '.' and '..'
             foreach ($tmp_local_files as $tmp_local_file) {
-                if ($tmp_local_file === '.' || $tmp_local_file === '..') { continue; }
+                if ($tmp_local_file === '.' || $tmp_local_file === '..') {
+                    continue;
+                }
                 $local_files[] = $tmp_local_file;
             }
 
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
index 026ec4ce59..10a12429e9 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
@@ -4,13 +4,12 @@
     <description>OPNsense Nextcloud Backup Settings</description>
     <items>
         <enabled type="BooleanField">
-          <Default>0</Default>
-          <Required>Y</Required>
+            <Default>0</Default>
+            <Required>Y</Required>
         </enabled>
         <url type="TextField">
-            <Required>N</Required>
             <Mask>/^https?:\/\/.*[^\/]$/</Mask>
-            <ValidationMessage>The url must be valid without a trailing slash. For example: https://nextcloud.example.com or https://example.com/nextcloud</ValidationMessage>
+            <ValidationMessage>The URL must be valid without a trailing slash.</ValidationMessage>
             <Constraints>
                 <check001>
                     <ValidationMessage>An URL for the Nextcloud server must be set.</ValidationMessage>
@@ -43,9 +42,7 @@
                 </check001>
             </Constraints>
         </password>
-        <password_encryption type="TextField">
-            <Required>N</Required>
-        </password_encryption>
+        <password_encryption type="TextField"/>
         <backupdir type="TextField">
             <Required>Y</Required>
             <Mask>/^([\w%+\-]+\/)*[\w+%\-]+$/</Mask>

From da46d009448f703eb84251cdd2e9c6a77190fd85 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 19 Jan 2026 05:33:35 +0100
Subject: [PATCH 2880/3088] plugins: PLUGIN_TIER last so it's not confused with
 PLUGIN_REVISION

---
 security/q-feeds-connector/Makefile | 2 +-
 sysutils/cpu-microcode/Makefile     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index cf53d91cda..ae71aa8ba9 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		q-feeds-connector
 PLUGIN_VERSION=		1.4
-PLUGIN_TIER=		2
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
+PLUGIN_TIER=		2
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/cpu-microcode/Makefile b/sysutils/cpu-microcode/Makefile
index 4a4d477b76..261093b60b 100644
--- a/sysutils/cpu-microcode/Makefile
+++ b/sysutils/cpu-microcode/Makefile
@@ -3,8 +3,8 @@ PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		CPU microcode updates
 PLUGIN_DEPENDS=		x86info
 PLUGIN_MAINTAINER=	franco@opnsense.org
-PLUGIN_TIER=		2
 PLUGIN_VARIANTS=	amd intel
+PLUGIN_TIER=		2
 
 amd_NAME=		cpu-microcode-amd
 amd_DEPENDS=		cpu-microcode-amd

From 0ac435ec6acdbeec114a79d8691be25515d03648 Mon Sep 17 00:00:00 2001
From: Hasan UCAK <hasan.ucak@gmail.com>
Date: Tue, 20 Jan 2026 13:53:59 +0300
Subject: [PATCH 2881/3088] update information of os-sunnyvalley pkg pkg-descr,
 Makefile (#5148)

---
 vendor/sunnyvalley/Makefile  |  6 +++---
 vendor/sunnyvalley/pkg-descr | 29 +++++++++++++++--------------
 2 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index 1dcd36551d..c9a6a0da64 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -1,8 +1,8 @@
 PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
-PLUGIN_COMMENT=		Vendor Repository for Zenarmor (Enterprise Security Modules - NGFW, SSE, SASE, f.k.a Sensei)
-PLUGIN_MAINTAINER=	opensource@zenarmor.com
+PLUGIN_REVISION=	2
+PLUGIN_COMMENT=		Vendor Repository for Zenarmor - Enterprise SASE & SSE platform (NGFW, SWG, CASB, ZTNA, SD-WAN)
+PLUGIN_MAINTAINER=	oss@zenarmor.com 
 PLUGIN_WWW=		https://www.zenarmor.com
 PLUGIN_TIER=		2
 
diff --git a/vendor/sunnyvalley/pkg-descr b/vendor/sunnyvalley/pkg-descr
index 76d286396e..10573ba75b 100644
--- a/vendor/sunnyvalley/pkg-descr
+++ b/vendor/sunnyvalley/pkg-descr
@@ -1,16 +1,17 @@
-This plugin adds a proprietary repository to install Zenarmor (previously Sensei),
-a plugin for OPNsense, complementing the firewall with state of the art
-next generation firewall features.
+This is the vendor repository package, please also install the actual os-sensei package which delivers the below-mentioned capabilities.
+Zenarmor is an enterprise network security and secure access platform, delivering advanced threat protection, content filtering, application-aware inspection, identity-based policy enforcement, and high-performance secure connectivity in a single, plug-and-secure deployment.
+Zenarmor integrates instantly and directly with OPNsense and can also be centrally managed through Zenconsole, enabling centralized policy management, multi-tenant administration, and identity provider (IdP) integration for consistent security enforcement across your organization's networks.
 
-You will need to install os-sensei plugin after installing this repo plugin.
+Features and capabilities include:
 
-Zenarmor for OPNsense features:
-
-* Application Control
-* Advanced Network Analytics
-* Auto-blocking based on Real-time Cloud Threat Intelligence
-* All-ports Full TLS Inspection
-* Web Security & Web Filtering
-* User based filtering
-* Policy based filtering
-* Active Directory/LDAP Integration
+* Secure Web Gateway (Application and Web Traffic Control)
+* Zero-Trust Network Access (ZTNA)
+* Full Mesh Business VPN/SD-WAN with micro-segmentation
+* Advanced Network Analytics and Integrated Threat Intelligence
+* Cloud Access Security Broker (CASB) - Granular Cloud Application Control
+* Automated threat blocking using real-time threat intelligence
+* Full TLS inspection across all ports
+* Advanced Content Inspection (e.g. File Scanning, Deep DNS Inspection)
+* User-, group-, and identity-based policy enforcement (IdP, AD / LDAP)
+* Identity and Access Management & Single Sign-on (SSO, Entra ID, Okta etc.)
+* Centralized policy & configuration management and multi-tenant administration
\ No newline at end of file

From e6ac625b0f595297568971145f7f621863bda45f Mon Sep 17 00:00:00 2001
From: sourceforge807 <30810603+sourceforge807@users.noreply.github.com>
Date: Tue, 20 Jan 2026 12:05:38 +0100
Subject: [PATCH 2882/3088] security/acme-client: add support for Technitium
 DNS API (#5111)

---
 .../AcmeClient/forms/dialogValidation.xml     | 17 +++++++
 .../AcmeClient/LeValidation/DnsTechnitium.php | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  7 +++
 3 files changed, 69 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTechnitium.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 20ab6cd547..45e1d9f9eb 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -2024,4 +2024,21 @@
         <label>API Key</label>
         <type>text</type>
     </field>
+    <field>
+        <label>Technitium</label>
+        <type>header</type>
+        <style>table_dns table_dns_technitium</style>
+    </field>
+    <field>
+        <id>validation.dns_technitium_token</id>
+        <label>API Token</label>
+        <type>password</type>
+        <help><![CDATA[Generate a token from Technitium user and grant rights to the necessary zones.]]></help>
+    </field>
+    <field>
+        <id>validation.dns_technitium_hostname</id>
+        <label>Server URL</label>
+        <type>text</type>
+        <help><![CDATA[The full server URL, for example https://technitium:5380. The port number is optional.<br/><div class="text-info"><b>NOTE: </b>Remove the trailing / if it is present.</div>]]></help>
+    </field>
 </form>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTechnitium.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTechnitium.php
new file mode 100644
index 0000000000..bff5a5f094
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTechnitium.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2025 sourceforge807
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Technitium DNS API
+ * @package OPNsense\AcmeClient
+ */
+class DnsTechnitium extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['Technitium_Token'] = (string)$this->config->dns_technitium_token;
+        $this->acme_env['Technitium_Server'] = (string)$this->config->dns_technitium_hostname;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index fbd0e8dfd9..1338667e6c 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -521,6 +521,7 @@
                         <dns_selfhost>Selfhost</dns_selfhost>
                         <dns_servercow>Servercow</dns_servercow>
                         <dns_simply>Simply.com</dns_simply>
+                        <dns_technitium>Technitium</dns_technitium>
                         <dns_transip>Transip</dns_transip>
                         <dns_udr>united-domains Reselling</dns_udr>
                         <dns_unoeuro>UnoEuro</dns_unoeuro>
@@ -1100,6 +1101,12 @@
                 <dns_simply_account_name type="TextField">
                     <Required>N</Required>
                 </dns_simply_account_name>
+                <dns_technitium_token type="TextField">
+                    <Required>N</Required>
+                </dns_technitium_token>
+                <dns_technitium_hostname type="TextField">
+                    <Required>N</Required>
+                </dns_technitium_hostname>
                 <dns_transip_username type="TextField">
                     <Required>N</Required>
                 </dns_transip_username>

From fe403ccbd4230accafe8857de879107e1db3f597 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:05:19 +0100
Subject: [PATCH 2883/3088] vendor/sunnyvalley: small style sweep

---
 vendor/sunnyvalley/Makefile  |  2 +-
 vendor/sunnyvalley/pkg-descr | 17 +++++++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/vendor/sunnyvalley/Makefile b/vendor/sunnyvalley/Makefile
index c9a6a0da64..7b8e3158fb 100644
--- a/vendor/sunnyvalley/Makefile
+++ b/vendor/sunnyvalley/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		sunnyvalley
 PLUGIN_VERSION=		1.5
 PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Vendor Repository for Zenarmor - Enterprise SASE & SSE platform (NGFW, SWG, CASB, ZTNA, SD-WAN)
-PLUGIN_MAINTAINER=	oss@zenarmor.com 
+PLUGIN_MAINTAINER=	oss@zenarmor.com
 PLUGIN_WWW=		https://www.zenarmor.com
 PLUGIN_TIER=		2
 
diff --git a/vendor/sunnyvalley/pkg-descr b/vendor/sunnyvalley/pkg-descr
index 10573ba75b..57e5012d9d 100644
--- a/vendor/sunnyvalley/pkg-descr
+++ b/vendor/sunnyvalley/pkg-descr
@@ -1,6 +1,15 @@
-This is the vendor repository package, please also install the actual os-sensei package which delivers the below-mentioned capabilities.
-Zenarmor is an enterprise network security and secure access platform, delivering advanced threat protection, content filtering, application-aware inspection, identity-based policy enforcement, and high-performance secure connectivity in a single, plug-and-secure deployment.
-Zenarmor integrates instantly and directly with OPNsense and can also be centrally managed through Zenconsole, enabling centralized policy management, multi-tenant administration, and identity provider (IdP) integration for consistent security enforcement across your organization's networks.
+This is the vendor repository package, please also install the actual
+os-sensei package which delivers the below-mentioned capabilities.
+
+Zenarmor is an enterprise network security and secure access platform,
+delivering advanced threat protection, content filtering, application-aware
+inspection, identity-based policy enforcement, and high-performance secure
+connectivity in a single, plug-and-secure deployment.
+
+Zenarmor integrates instantly and directly with OPNsense and can also be
+centrally managed through Zenconsole, enabling centralized policy management,
+multi-tenant administration, and identity provider (IdP) integration for
+consistent security enforcement across your organization's networks.
 
 Features and capabilities include:
 
@@ -14,4 +23,4 @@ Features and capabilities include:
 * Advanced Content Inspection (e.g. File Scanning, Deep DNS Inspection)
 * User-, group-, and identity-based policy enforcement (IdP, AD / LDAP)
 * Identity and Access Management & Single Sign-on (SSO, Entra ID, Okta etc.)
-* Centralized policy & configuration management and multi-tenant administration
\ No newline at end of file
+* Centralized policy & configuration management and multi-tenant administration

From 0ec3d0484349bb0ce8201147af311f74bce9ea6d Mon Sep 17 00:00:00 2001
From: GutierrezJeremy <110025419+GutierrezJeremy@users.noreply.github.com>
Date: Tue, 20 Jan 2026 12:08:44 +0100
Subject: [PATCH 2884/3088] security/acme-client: Add support for Timeweb Cloud
 DNS API (#5149)

---
 .../AcmeClient/forms/dialogValidation.xml     | 10 +++++
 .../AcmeClient/LeValidation/DnsTimeweb.php    | 45 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml |  4 ++
 3 files changed, 59 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTimeweb.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 515d97788f..a6b2792643 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1333,6 +1333,16 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Timeweb Cloud DNS</label>
+        <type>header</type>
+        <style>table_dns table_dns_timeweb</style>
+    </field>
+    <field>
+        <id>validation.dns_timeweb_token</id>
+        <label>Timeweb Cloud API Token</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Transip</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTimeweb.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTimeweb.php
new file mode 100644
index 0000000000..e4bba4264f
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTimeweb.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Jeremy Gutierrez
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Timeweb Cloud DNS API
+ * @package OPNsense\AcmeClient
+ */
+
+class DnsTimeweb extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['TW_Token'] = (string)$this->config->dns_timeweb_token;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index ec9995b2ba..bd3c704789 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -523,6 +523,7 @@
                         <dns_servercow>Servercow</dns_servercow>
                         <dns_simply>Simply.com</dns_simply>
                         <dns_technitium>Technitium</dns_technitium>
+                        <dns_timeweb>Timeweb Cloud</dns_timeweb>
                         <dns_transip>Transip</dns_transip>
                         <dns_udr>united-domains Reselling</dns_udr>
                         <dns_unoeuro>UnoEuro</dns_unoeuro>
@@ -1117,6 +1118,9 @@
                 <dns_transip_key type="TextField">
                     <Required>N</Required>
                 </dns_transip_key>
+                <dns_timeweb_token type="TextField">
+                    <Required>N</Required>
+                </dns_timeweb_token>
                 <dns_udr_user type="TextField">
                     <Required>N</Required>
                 </dns_udr_user>

From d4cd3e35243d6dc4664cc4739e32b335b1c8d595 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 20 Jan 2026 12:21:26 +0100
Subject: [PATCH 2885/3088] security/acme-client: release 4.12

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 8ae4798d8e..22d30a042d 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.11
+PLUGIN_VERSION=		4.12
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index cc5acb60ca..4402d75cea 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,12 @@ Plugin Changelog
 
 Added:
 * new automation to upload to Zyxel GS1900 series switches (#5080)
+* add support for Technitium DNS API (#5111)
+* add support for Hurricane Electric DDNS API (#5138)
+* add support for Timeweb Cloud DNS API (#5149)
+
+Fixed:
+* fix mijn.host and scaleway DNS API settings (#5146)
 
 4.11
 

From a30717fa4212e4231f9087ba7231d4edd4c57707 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:21:50 +0100
Subject: [PATCH 2886/3088] security/acme-client: style sweep

---
 .../OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php  | 4 ++--
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml     | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php
index ba79dfba2e..ccd7de67ab 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeZyxelGs1900.php
@@ -40,7 +40,7 @@ public function prepare()
     {
         // Required parameters
         $this->acme_env['DEPLOY_ZYXEL_SWITCH_PASSWORD'] = (string)$this->config->acme_zyxel_gs1900_password;
-        
+
         // Optional Parameters
         if (!empty((string)$this->config->acme_zyxel_gs1900_host)) {
             $this->acme_env['DEPLOY_ZYXEL_SWITCH'] = (string)$this->config->acme_zyxel_gs1900_host;
@@ -56,7 +56,7 @@ public function prepare()
         }
 
         $this->acme_args[] = '--deploy-hook zyxel_gs1900';
-        
+
         if ((string)$this->config->acme_zyxel_gs1900_insecure == 1) {
             array_push($this->acme_args, '--insecure');
         }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index bd3c704789..f8ad82cecc 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1738,22 +1738,22 @@
                 </acme_vault_kvv2>
                 <acme_zyxel_gs1900_host type="HostnameField">
                     <Required>N</Required>
-                    <mask>/^.{1,1024}$/u</mask>
+                    <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_zyxel_gs1900_host>
                 <acme_zyxel_gs1900_user type="TextField">
-                    <default>admin</default>
+                    <Default>admin</Default>
                     <Required>N</Required>
                 </acme_zyxel_gs1900_user>
                 <acme_zyxel_gs1900_password type="TextField">
                     <Required>N</Required>
                 </acme_zyxel_gs1900_password>
                 <acme_zyxel_gs1900_insecure type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </acme_zyxel_gs1900_insecure>
                 <acme_zyxel_gs1900_reboot type="BooleanField">
-                    <default>0</default>
+                    <Default>0</Default>
                     <Required>N</Required>
                 </acme_zyxel_gs1900_reboot>
             </action>

From 54e7c681d0d607752b8f65b1581301febcb0a3c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:31:57 +0100
Subject: [PATCH 2887/3088] dns/dnscrypt-proxy: bump after last change

---
 dns/dnscrypt-proxy/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index d0b5eeb8bc..b0e6868f11 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.16
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 7b646b8309f98fb6167b24c2608f918309eaadfc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:33:50 +0100
Subject: [PATCH 2888/3088] net-mgmt/net-snmp: bump after change

---
 net-mgmt/net-snmp/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-mgmt/net-snmp/Makefile b/net-mgmt/net-snmp/Makefile
index 6d3792c1c7..92647cdc96 100644
--- a/net-mgmt/net-snmp/Makefile
+++ b/net-mgmt/net-snmp/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		net-snmp
 PLUGIN_VERSION=		1.6
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Net-SNMP is a daemon for the SNMP protocol
 PLUGIN_DEPENDS=		net-snmp
 PLUGIN_MAINTAINER=	m.muenz@gmail.com

From 9c6fe3082ae40873f743f1b42894898a2404310c Mon Sep 17 00:00:00 2001
From: Joerg Werner <schreibubi@gmail.com>
Date: Fri, 16 Jan 2026 17:55:44 +0100
Subject: [PATCH 2889/3088] net/freeradius: EAP: Allow user to select minimum
 TLS Version of 1.3; closes #5140

---
 .../src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 532fe86a3c..fba2390009 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -62,6 +62,7 @@
                 <Option1 value="1.0">1.0</Option1>
                 <Option2 value="1.1">1.1</Option2>
                 <Option3 value="1.2">1.2</Option3>
+                <Option4 value="1.3">1.3</Option4>
             </OptionValues>
         </tls_min_version>
     </items>

From cb7b2aafe610a483bf52d9d2308ec4e2a82a0552 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:47:13 +0100
Subject: [PATCH 2890/3088] net/freeradius: new version

---
 net/freeradius/Makefile  | 3 +--
 net/freeradius/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 3b4090d528..1275fb1000 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.9.28
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.10
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index cfd09d34c6..8d4ee41c88 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -12,6 +12,11 @@ security, particularly in the academic community, including eduroam.
 Plugin Changelog
 ================
 
+1.10
+
+* Change max TLS version to 1.3 and allow min TLS version 1.3 (contributed by Joerg Werner)
+* Add option to enable EAP-PWD (contributed by Severin Schüller)
+
 1.9.28
 
 * Add Groups for VLAN assignment

From 6d2c6ce60d87f6f83b1a3cda7296dca7856d4286 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:50:56 +0100
Subject: [PATCH 2891/3088] net/isc-dhcp: ready for prime time

---
 net/isc-dhcp/Makefile  | 2 +-
 net/isc-dhcp/pkg-descr | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/net/isc-dhcp/Makefile b/net/isc-dhcp/Makefile
index e35fb84491..e8d39960e6 100644
--- a/net/isc-dhcp/Makefile
+++ b/net/isc-dhcp/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		isc-dhcp
-PLUGIN_VERSION=		0.2
+PLUGIN_VERSION=		1.0
 PLUGIN_COMMENT=		ISC DHCPv4/v6 server
 PLUGIN_DEPENDS=		isc-dhcp44-server
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/isc-dhcp/pkg-descr b/net/isc-dhcp/pkg-descr
index 1e3fb4a211..1c04f41326 100644
--- a/net/isc-dhcp/pkg-descr
+++ b/net/isc-dhcp/pkg-descr
@@ -5,3 +5,12 @@ DHCP protocol.
 This plugin implements the DHCPv4 and DHCPv6 server in OPNsense, which
 used to be the standard implementation of DHCP until better alternatives
 such as Dnsmasq and Kea were supplied.
+
+Plugin Changelog
+================
+
+1.0
+
+* First release resembling the core state of 25.7.11
+* Minor changes due to "radvd" extraction out of DHCPv6 configuration
+* Minor changes regarding "track6" mode handling

From 9603879e5f16d1399a93bb664fcf79e2e62e137c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:51:48 +0100
Subject: [PATCH 2892/3088] net/haproxy: change revision due to pending changes
 coming to 26.1

Since there wasn't a relese here in a while my minor modifications piled
up.  That's not a bad thing, but to make it traceable bump the revision
now in order to have better means to distinguish the problem on the stable
plugin since this will be stable/26.1 in a few minutes.
---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 0e7ae42d4c..15a0d1ec64 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.6
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy30 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de

From b4ae3dc4da8e1b762ce6d10473190aad3ae72308 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:55:38 +0100
Subject: [PATCH 2893/3088] security/q-feeds-connector: style

---
 security/q-feeds-connector/pkg-descr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 6c9ff4ae29..789ff86635 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -2,9 +2,10 @@ Connector for Q-Feeds threat intel
 
 Plugin Changelog
 ================
+
 1.4
 
-* Feature: Added DNSCrypt-Proxy
+* Feature: Added DNSCrypt-Proxy integration
 
 1.3
 

From 38e6614831fcfac474f5cac228f39d51ad87178a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 12:59:16 +0100
Subject: [PATCH 2894/3088] www/nginx: new version

---
 www/nginx/Makefile  | 3 +--
 www/nginx/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index ee39050d5c..1d8bbd8b7d 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.35
-PLUGIN_REVISION=	4
+PLUGIN_VERSION=		1.36
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index c12a093281..0ff2ddd42a 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -8,6 +8,10 @@ reuse, SSL offload and HTTP media streaming.
 Plugin Changelog
 ================
 
+1.36
+
+* Add optional HTTP/3 support with dynamic Alt-Svc (contributed by Jan Chlouba)
+
 1.35
 
 * Global options sendfile directive typo fix

From 728902ca2f8b2abba8778b1272e637dbfdfa436e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 13:01:50 +0100
Subject: [PATCH 2895/3088] plugins: this is 26.1

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index 77a93b13a9..e2eefeb481 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -48,7 +48,7 @@ VERSIONBIN=	${LOCALBASE}/sbin/opnsense-version
 _PLUGIN_ABI!=	${VERSIONBIN} -a
 PLUGIN_ABIS?=	${_PLUGIN_ABI}
 .else
-PLUGIN_ABIS?=	25.7
+PLUGIN_ABIS?=	26.1
 .endif
 
 PLUGIN_ABI?=	${PLUGIN_ABIS:[1]}

From 5a94cd82a889f9323d8c6f942c3c4205e77bae95 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 20 Jan 2026 13:28:27 +0100
Subject: [PATCH 2896/3088] LICENSE|README: sync

---
 LICENSE   | 5 ++++-
 README.md | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index 3e2721e30f..eefc91d4c2 100644
--- a/LICENSE
+++ b/LICENSE
@@ -38,9 +38,10 @@ Copyright (c) 2024 Hasan Ucak <hasan@sunnyvalley.io>
 Copyright (c) 2023 Ingo Lafrenz <opnsense@der-ingo.de>
 Copyright (c) 2016 IT-assistans Sverige AB
 Copyright (c) 2021-2023 Jan Winkler
-Copyright (c) 2023 Jeremy Gutierrez
+Copyright (c) 2023-2026 Jeremy Gutierrez
 Copyright (c) 2010 Jim Pingle <jimp@pfsense.org>
 Copyright (c) 2015 Jos Schellevis <jos@opnsense.org>
+Copyright (c) 2025 Joseph Bauser
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019-2022 Juergen Kellerer
 Copyright (c) 2024 laraveluser
@@ -83,9 +84,11 @@ Copyright (c) 2010-2012 Seth Mos <seth.mos@dds.nl>
 Copyright (c) 2024 Sheridan Computers
 Copyright (c) 2008 Shrew Soft Inc. <mgrooms@shrew.net>
 Copyright (c) 2017-2018 Smart-Soft
+Copyright (c) 2025 sourceforge807
 Copyright (c) 2025 squared GmbH
 Copyright (c) 2020 Starkstromkonsument
 Copyright (c) 2023-2024 Thomas Cekal <thomas@cekal.org>
+Copyright (c) 2026 Thomas Moore
 Copyright (c) 2020 Tobias Boehnert
 Copyright (c) 2024 txr13
 Copyright (c) 2024 W516
diff --git a/README.md b/README.md
index b4ec143b09..6509dd35f8 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,7 @@ sysutils/smart -- SMART tools (not maintained)
 sysutils/virtualbox -- VirtualBox guest additions
 sysutils/vmware -- VMware tools
 sysutils/xen -- Xen guest utilities
-vendor/sunnyvalley -- Vendor Repository for Zenarmor (Enterprise Security Modules - NGFW, SSE, SASE, f.k.a Sensei)
+vendor/sunnyvalley -- Vendor Repository for Zenarmor - Enterprise SASE & SSE platform (NGFW, SWG, CASB, ZTNA, SD-WAN)
 www/OPNProxy -- OPNsense proxy additions (not maintained)
 www/c-icap -- c-icap connects the web proxy with a virus scanner
 www/cache -- Webserver cache

From cac1fa71aef398e35ae51f6f41f90fc94061de9f Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 22 Dec 2025 21:04:51 +0100
Subject: [PATCH 2897/3088] net/haproxy: add support for http-request
 silent-drop

---
 net/haproxy/pkg-descr                                          | 3 +++
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml   | 1 +
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf   | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 13a4f948b6..348f8e5b15 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,9 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+Added:
+* add support for "http-request silent-drop"
+
 4.6
 
 Changed:
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index e1a40e1c57..aad51398ed 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2259,6 +2259,7 @@
                         <http-request_replace-value>http-request header replace value</http-request_replace-value>
                         <http-request_set-path>http-request set-path</http-request_set-path>
                         <http-request_set-var>http-request set-var</http-request_set-var>
+                        <http-request_silent-drop>http-request silent-drop</http-request_silent-drop>
                         <http-response_allow>http-response allow</http-response_allow>
                         <http-response_deny>http-response deny</http-response_deny>
                         <http-response_lua>http-response lua script</http-response_lua>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 642a84e4a6..a11ba548d3 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -561,6 +561,8 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
+{%         elif action_data.type == 'http-request_silent-drop' %}
+{%           do action_options.append('http-request silent-drop') %}
 {%         elif action_data.type == 'http-response_allow' %}
 {%           do action_options.append('http-response allow') %}
 {%         elif action_data.type == 'http-response_deny' %}

From b3ab4e7dd325235302f959f18c677877c278e532 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 22 Dec 2025 21:43:53 +0100
Subject: [PATCH 2898/3088] net/haproxy: add new condition: HTTP method

---
 net/haproxy/pkg-descr                            |  1 +
 .../OPNsense/HAProxy/forms/dialogAcl.xml         | 11 +++++++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml  | 16 ++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf      |  7 +++++++
 4 files changed, 35 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 348f8e5b15..78424afb27 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -8,6 +8,7 @@ Plugin Changelog
 
 Added:
 * add support for "http-request silent-drop"
+* add new condition: HTTP method
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 895bd6e4b2..849a44e850 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -88,6 +88,17 @@
         <type>text</type>
         <help><![CDATA[HTTP host header contains string (substring match)]]></help>
     </field>
+
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_http_method</style>
+    </field>
+    <field>
+        <id>acl.http_method</id>
+        <label>HTTP Method</label>
+        <type>select_multiple</type>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index aad51398ed..8c43890cf5 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1728,6 +1728,7 @@
                         <cust_hdr>HTTP Header matches</cust_hdr>
                         <cust_hdr_reg>HTTP Header regex</cust_hdr_reg>
                         <cust_hdr_sub>HTTP Header contains</cust_hdr_sub>
+                        <http_method>HTTP Method</http_method>
                         <url_param>URL parameter contains</url_param>
                         <ssl_c_verify>SSL Client certificate is valid</ssl_c_verify>
                         <ssl_c_verify_code>SSL Client certificate verify error result</ssl_c_verify_code>
@@ -2195,6 +2196,21 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowedGroups>
+                <http_method type="OptionField">
+                    <Required>N</Required>
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <CONNECT>CONNECT</CONNECT>
+                        <DELETE>DELETE</DELETE>
+                        <GET>GET</GET>
+                        <HEAD>HEAD</HEAD>
+                        <OPTIONS>OPTIONS</OPTIONS>
+                        <PATCH>PATCH</PATCH>
+                        <POST>POST</POST>
+                        <PUT>PUT</PUT>
+                        <TRACE>TRACE</TRACE>
+                    </OptionValues>
+                </http_method>
             </acl>
         </acls>
         <actions>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index a11ba548d3..1c352d83e9 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -136,6 +136,13 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'http_method' %}
+{%               if acl_data.http_method|default("") != "" %}
+{%                 do acl_options.append('method ' ~ acl_data.http_method|replace(',', ' ')) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'path_beg' %}
 {%               if acl_data.path_beg|default("") != "" %}
 {%                 do acl_options.append('path_beg') %}

From 7877d225adc27139106b2bb8d675f4bb272dab1e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 22 Dec 2025 22:03:30 +0100
Subject: [PATCH 2899/3088] net/haproxy: support deny_status in http-request
 deny

---
 net/haproxy/pkg-descr                                 |  1 +
 .../OPNsense/HAProxy/forms/dialogAction.xml           | 11 +++++++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml       |  6 ++++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf   |  6 +++++-
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 78424afb27..257dd3590d 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 Added:
 * add support for "http-request silent-drop"
 * add new condition: HTTP method
+* support custom HTTP status code in "http-request deny" rules
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 0386b9f1ae..cfc4cbf392 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -80,6 +80,17 @@
         <type>text</type>
         <help><![CDATA[When HAProxy requests user name and password from the user, this optional authentication realm is returned with the response (typically the application's name).]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_http-request_deny</style>
+    </field>
+    <field>
+        <id>action.http_request_deny_status</id>
+        <label>HTTP Status Code</label>
+        <type>text</type>
+        <help><![CDATA[By default an HTTP 403 error is returned for requests, and 502 for responses, but optionally a different HTTP status code may be specified.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 8c43890cf5..59d863b431 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2340,6 +2340,12 @@
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_auth>
+                <http_request_deny_status type="IntegerField">
+                    <MinimumValue>100</MinimumValue>
+                    <MaximumValue>999</MaximumValue>
+                    <ValidationMessage>Please specify a value between 100 and 999.</ValidationMessage>
+                    <Required>N</Required>
+                </http_request_deny_status>
                 <!-- XXX: add support for all "redirect" parameters as separate fields -->
                 <http_request_redirect type="TextField">
                     <Mask>/^.{1,4096}$/u</Mask>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 1c352d83e9..aa7fd84419 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -489,7 +489,11 @@
 {%         elif action_data.type == 'http-request_allow' %}
 {%           do action_options.append('http-request allow') %}
 {%         elif action_data.type == 'http-request_deny' %}
-{%           do action_options.append('http-request deny') %}
+{%           if action_data.http_request_deny_status|default("") != "" %}
+{%             do action_options.append('http-request deny deny_status ' ~ action_data.http_request_deny_status) %}
+{%           else %}
+{%             do action_options.append('http-request deny') %}
+{%           endif %}
 {%         elif action_data.type == 'http-request_tarpit' %}
 {%           do action_options.append('http-request tarpit') %}
 {%         elif action_data.type == 'http-request_auth' %}

From 1c84ca6f491bf453175b74a8d15c29f285059f9b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 22 Dec 2025 22:43:51 +0100
Subject: [PATCH 2900/3088] net/haproxy: bump version

---
 net/haproxy/Makefile  | 3 +--
 net/haproxy/pkg-descr | 4 +++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 15a0d1ec64..eea1ecd8b1 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.6
-PLUGIN_REVISION=	2
+PLUGIN_VERSION=		4.7
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy30 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 257dd3590d..d3c0881644 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,8 +6,10 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.7
+
 Added:
-* add support for "http-request silent-drop"
+* add new rule: http-request silent-drop
 * add new condition: HTTP method
 * support custom HTTP status code in "http-request deny" rules
 

From 0220a8fb7971bc1f275770d9e10da4c33499b588 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 19 Jan 2026 16:53:45 +0100
Subject: [PATCH 2901/3088] net/haproxy: switch to HAProxy 3.2, refs #5147

---
 net/haproxy/Makefile                                 |  2 +-
 net/haproxy/pkg-descr                                |  3 +++
 .../controllers/OPNsense/HAProxy/forms/dialogAcl.xml |  1 -
 .../OPNsense/HAProxy/forms/dialogAction.xml          | 12 ++++++------
 .../OPNsense/HAProxy/forms/dialogBackend.xml         | 12 ++++++------
 .../OPNsense/HAProxy/forms/dialogFcgi.xml            |  2 +-
 .../OPNsense/HAProxy/forms/dialogFrontend.xml        |  6 +++---
 .../OPNsense/HAProxy/forms/dialogMapfile.xml         |  2 +-
 .../mvc/app/views/OPNsense/HAProxy/index.volt        | 10 +++++-----
 9 files changed, 26 insertions(+), 24 deletions(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index eea1ecd8b1..65a0022a09 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME=		haproxy
 PLUGIN_VERSION=		4.7
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS=		haproxy30 py${PLUGIN_PYTHON}-haproxy-cli
+PLUGIN_DEPENDS=		haproxy py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
 
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index d3c0881644..60b84f6c01 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -13,6 +13,9 @@ Added:
 * add new condition: HTTP method
 * support custom HTTP status code in "http-request deny" rules
 
+Changed:
+* upgrade to HAProxy 3.2 release series (#5147)
+
 4.6
 
 Changed:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 849a44e850..18298899ef 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -88,7 +88,6 @@
         <type>text</type>
         <help><![CDATA[HTTP host header contains string (substring match)]]></help>
     </field>
-
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index cfc4cbf392..9748247d63 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -100,7 +100,7 @@
         <id>action.http_request_redirect</id>
         <label>Redirect Command</label>
         <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. A full redirect command is required, e.g. "location https://www.example.net/" or "scheme https code 301". See <a href="http://docs.haproxy.org/3.0/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. A full redirect command is required, e.g. "location https://www.example.net/" or "scheme https code 301". See <a href="http://docs.haproxy.org/3.2/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -139,7 +139,7 @@
         <id>action.http_request_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -156,7 +156,7 @@
         <id>action.http_request_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -262,7 +262,7 @@
         <id>action.http_response_add_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -279,7 +279,7 @@
         <id>action.http_response_set_header_content</id>
         <label>Header Content</label>
         <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -479,6 +479,6 @@
         <id>action.fcgi_set_param</id>
         <label>Parameter</label>
         <type>text</type>
-        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/3.0/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
+        <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 014b959aeb..8b607d6c7c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -28,7 +28,7 @@
         <id>backend.algorithm</id>
         <label>Balancing Algorithm</label>
         <type>dropdown</type>
-        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Define the load balancing algorithm to be used in a Backend Pool. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#balance">HAProxy documentation</a> for a full description.]]></help>
         <hint>Choose a load balancing algorithm.</hint>
     </field>
     <field>
@@ -42,7 +42,7 @@
         <id>backend.proxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Enforces use of the PROXY protocol over any connection established to the configured servers. The PROXY protocol informs the other end about the layer 3/4 addresses of the incoming connection, so that it can know the client's address or the public address it accessed to, whatever the upper layer protocol. This setting must not be used if the servers are not aware of the PROXY protocol. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#send-proxy">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -186,7 +186,7 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <sortable>true</sortable>
-        <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This may be used to add more information to the forwarded header. Default behavior enables proto parameter and injects original client IP. See he <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#option forwarded">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.forwardFor</id>
@@ -213,7 +213,7 @@
         <id>backend.persistence_cookiemode</id>
         <label>Cookie handling</label>
         <type>dropdown</type>
-        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Usually it is better to reuse an existing cookie. In this case HAProxy prefixes the cookie with the required information. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#4.2-cookie">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.persistence_cookiename</id>
@@ -235,14 +235,14 @@
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
+        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
         <hint>Choose a persistence type.</hint>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
index 4ad9d1e94e..d8883e203c 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml
@@ -33,7 +33,7 @@
         <id>fcgi.path_info</id>
         <label>Path Info</label>
         <type>text</type>
-        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/3.0/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
+        <help><![CDATA[Define a regular expression to extract the script-name and the path-info from the URL-decoded path, see <a href="http://docs.haproxy.org/3.2/configuration.html#10.1.1-path-info">HAProxy's documentation</a> for further details and examples.]]></help>
     </field>
     <field>
         <id>fcgi.log_stderr</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index ded45f08c2..c40928fda2 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -350,14 +350,14 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
@@ -384,7 +384,7 @@
         <id>frontend.stickiness_counter_key</id>
         <label>Sticky counter key</label>
         <type>text</type>
-        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[It describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters. Defaults to "src" to track elements of the source IP. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#tcp-request connection">HAProxy documentation</a> for a full description.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index 554246fa45..76f22f2285 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -15,6 +15,6 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/3.0/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index cb6eea31a4..8ab604f663 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -702,7 +702,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('<b>', '</b>') }}</p>
-            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/3.0/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('<a href="http://docs.haproxy.org/3.2/configuration.html" target="_blank">', '</a>', '<a href="https://github.com/opnsense/plugins/issues/" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -744,7 +744,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('<b>', '</b>') }}</li>
               <li>{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('<b>', '</b>', '<b>', '</b>', '<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/3.0/configuration.html#7" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/3.2/configuration.html#7" target="_blank">', '</a>') }}</p>
             <p>{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('<b>', '</b>') }}</p>
             <br/>
         </div>
@@ -759,7 +759,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('<b>', '</b>') }}</li>
             </ul>
             <p>{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}</p>
-            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/3.0/configuration.html#3.4" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('<b>', '</b>', '<a href="http://docs.haproxy.org/3.2/configuration.html#3.4" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -777,7 +777,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/3.0/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#3.5" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('<a href="http://docs.haproxy.org/3.2/configuration.html#stats%20enable" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.2/configuration.html#10" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.2/configuration.html#3.5" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>
@@ -795,7 +795,7 @@ POSSIBILITY OF SUCH DAMAGE.
               <li>{{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
               <li>{{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('<b>', '</b>', '<b>', '</b>') }}</li>
             </ul>
-            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/3.0/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.0/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.0/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/3.0/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
+            <p>{{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('<a href="http://docs.haproxy.org/3.2/configuration.html#4-errorfile" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.2/configuration.html#lua-load" target="_blank">', '</a>', '<a href="http://docs.haproxy.org/3.2/configuration.html#map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.2/configuration.html#cpu-map" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.2/configuration.html#bind-process" target="_blank">', '</a>' ,'<a href="http://docs.haproxy.org/3.2/configuration.html#process" target="_blank">', '</a>','<a href="http://docs.haproxy.org/3.2/configuration.html#5.3.2" target="_blank">', '</a>') }}</p>
             <br/>
         </div>
     </div>

From 36ef9648e2140c1bff59f2899465cf030552e768 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 20 Jan 2026 13:42:03 +0100
Subject: [PATCH 2902/3088] net/haproxy: control PROXY protocol for health
 checks, closes #2909

---
 net/haproxy/pkg-descr                                 |  1 +
 .../OPNsense/HAProxy/forms/dialogBackend.xml          |  7 +++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml       |  9 +++++++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf   | 11 +++++++++--
 4 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 60b84f6c01..b29727da13 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -12,6 +12,7 @@ Added:
 * add new rule: http-request silent-drop
 * add new condition: HTTP method
 * support custom HTTP status code in "http-request deny" rules
+* add new backend option to control PROXY protocol for health checks (#2909)
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 8b607d6c7c..40d46a123d 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -147,6 +147,13 @@
         <type>dropdown</type>
         <help><![CDATA[Select an e-mail alert configuration. An e-mail is sent when the state of a server changes.]]></help>
     </field>
+    <field>
+        <id>backend.healthCheckProxyProto</id>
+        <label>Use Proxy Protocol</label>
+        <type>dropdown</type>
+        <help><![CDATA[This option controls the emission of a PROXY protocol line with outgoing health checks. The default value is good for most situations. However, if either the server or the health check does not support the PROXY protocol, this option may be useful.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <label>HTTP(S) settings</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 59d863b431..a6779063e7 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1079,6 +1079,15 @@
                     <Multiple>N</Multiple>
                     <Required>N</Required>
                 </linkedMailer>
+                <healthCheckProxyProto type="OptionField">
+                    <Required>N</Required>
+                    <Default>backend</Default>
+                    <OptionValues>
+                        <backend>Follow Backend Pool settings [default]</backend>
+                        <enable>Enable for Health Check</enable>
+                        <disable>Disable for Health Check</disable>
+                    </OptionValues>
+                </healthCheckProxyProto>
                 <http2Enabled type="BooleanField">
                     <Default>1</Default>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index aa7fd84419..0bfcb5f3d5 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1944,12 +1944,19 @@ backend {{backend.name}}
 {%               elif server_data.source|default("") != "" %}
 {%                 do server_options.append('source ' ~ server_data.source) %}
 {%               endif %}
-{#               # PROXY protocol #}
+{#               # PROXY protocol for server connections #}
 {%               if backend.proxyProtocol|default("") == "v1" %}
 {%                 do server_options.append('send-proxy') %}
-{%                 do server_options.append('check-send-proxy') %}
 {%               elif backend.proxyProtocol|default("") == "v2" %}
 {%                 do server_options.append('send-proxy-v2') %}
+{%               endif %}
+{#               # PROXY protocol for health checks #}
+{%               if backend.healthCheckProxyProto|default("") == "" or backend.healthCheckProxyProto|default("") == "backend" %}
+{%                 if backend.proxyProtocol|default("") != "" %}
+{#                   # enable PROXY protocol if activated in backend #}
+{%                   do server_options.append('check-send-proxy') %}
+{%                 endif %}
+{%               elif backend.healthCheckProxyProto|default("") == "enable" %}
 {%                 do server_options.append('check-send-proxy') %}
 {%               endif %}
 {#               # cookie-based persistence #}

From 4a030864229f2aa7258d76dd623a7fe39d4f582d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 20 Jan 2026 14:22:49 +0100
Subject: [PATCH 2903/3088] net/haproxy: add support for map_reg, closes #3641

---
 net/haproxy/pkg-descr                                  |  1 +
 .../OPNsense/HAProxy/forms/dialogMapfile.xml           |  6 ++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml        |  8 ++++++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf    | 10 +++++++++-
 4 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index b29727da13..2b1a0af29c 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -13,6 +13,7 @@ Added:
 * add new condition: HTTP method
 * support custom HTTP status code in "http-request deny" rules
 * add new backend option to control PROXY protocol for health checks (#2909)
+* add support for new map file type: reg (#3641)
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index 76f22f2285..8c7d74b414 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -11,6 +11,12 @@
         <type>text</type>
         <help>Description for this map file.</help>
     </field>
+    <field>
+        <id>mapfile.type</id>
+        <label>Type</label>
+        <type>dropdown</type>
+        <help>The type of the map data.</help>
+    </field>
     <field>
         <id>mapfile.content</id>
         <label>Content</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index a6779063e7..4af8285da3 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2745,6 +2745,14 @@
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </description>
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <Default>dom</Default>
+                    <OptionValues>
+                        <dom>Domains (dom)</dom>
+                        <reg>Regular Expressions (reg)</reg>
+                    </OptionValues>
+                </type>
                 <content type="TextField">
                     <Required>Y</Required>
                 </content>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 0bfcb5f3d5..01bce31410 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -459,6 +459,14 @@
 {%           if action_data.map_use_backend_file|default("") != "" %}
 {%             set mapfile_data = helpers.getUUID(action_data.map_use_backend_file) %}
 {%             set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
+{#             # Determine map type #}
+{%             set mapfile_type = mapfile_data.type %}
+{%             if mapfile_data.type|default("") == "reg" %}
+{%               set mapfile_config = 'map_' ~ mapfile_type %}
+{%             else %}
+{#               # Default to map_dom #}
+{%               set mapfile_config = 'lower,map_dom' %}
+{%             endif %}
 {#             # Check if a default backend is specified #}
 {%             if action_data.map_use_backend_default|default("") != "" %}
 {%               set defaultbackend_data = helpers.getUUID(action_data.map_use_backend_default) %}
@@ -467,7 +475,7 @@
 {%               set defaultbackend_option = '' %}
 {%             endif %}
 {#             # Finally add map file to config #}
-{%             do action_options.append('use_backend %[req.hdr(host),lower,map_dom(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
+{%             do action_options.append('use_backend %[req.hdr(host),' ~ mapfile_config ~ '(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
 {%           else %}
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters

From 735eaa545e8b86554a7b15748070a72cc33de139 Mon Sep 17 00:00:00 2001
From: Thojo0 <53666000+thojo0@users.noreply.github.com>
Date: Tue, 20 Jan 2026 14:45:40 +0100
Subject: [PATCH 2904/3088] add disablesubnetroutes option (#5136)

closes https://github.com/opnsense/plugins/issues/5135
---
 .../OPNsense/Tinc/forms/dialogNetwork.xml       |  6 ++++++
 .../mvc/app/models/OPNsense/Tinc/Tinc.xml       |  6 +++++-
 .../scripts/OPNsense/Tinc/lib/objects.py        |  7 +++++++
 .../src/opnsense/scripts/OPNsense/Tinc/tincd.py | 17 +++++++++--------
 .../templates/OPNsense/Tinc/tinc_deploy.xml     |  1 +
 5 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
index 2545c37308..113023c6a4 100644
--- a/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
+++ b/security/tinc/src/opnsense/mvc/app/controllers/OPNsense/Tinc/forms/dialogNetwork.xml
@@ -96,6 +96,12 @@
         <allownew>true</allownew>
         <help>This machines part of the network</help>
     </field>
+    <field>
+        <id>network.disablesubnetroutes</id>
+        <label>Disable subnet routes</label>
+        <type>checkbox</type>
+        <help>This will prevent installing subnet routes. Usually you only enable this to do own routing decisions via a local gateway and gateway rules.</help>
+    </field>
     <field>
         <id>network.privkey</id>
         <label>Private key</label>
diff --git a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
index 18c611398b..874f967330 100644
--- a/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
+++ b/security/tinc/src/opnsense/mvc/app/models/OPNsense/Tinc/Tinc.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Tinc</mount>
-    <version>1.0.4</version>
+    <version>1.0.5</version>
     <description>
         OPNsense Tinc VPN
     </description>
@@ -64,6 +64,10 @@
                     <Default>0</Default>
                     <Required>Y</Required>
                 </StrictSubnets>
+                <disablesubnetroutes type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </disablesubnetroutes>
                 <privkey type="TextField">
                     <Required>Y</Required>
                 </privkey>
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
index ae4a291aa4..ff7204ab2c 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/lib/objects.py
@@ -70,6 +70,7 @@ def __init__(self):
         self._payload['mode'] = 'switch'
         self._payload['PMTUDiscovery'] = 'yes'
         self._payload['StrictSubnets'] = 'no'
+        self._disablesubnetroutes = False
         self._hosts = list()
 
     def get_id(self):
@@ -84,6 +85,9 @@ def get_mode(self):
     def get_debuglevel(self):
         return self._payload['debuglevel'][1] if len(self._payload['debuglevel']) > 1 else '0'
 
+    def get_disablesubnetroutes(self):
+        return self._disablesubnetroutes
+
     def set_hosts(self, hosts):
         for host in hosts:
             hostObj = Host()
@@ -97,6 +101,9 @@ def set_PMTUDiscovery(self, value):
     def set_StrictSubnets(self, value):
         self._payload['StrictSubnets'] = 'no' if value.text != '1' else 'yes'
 
+    def set_disablesubnetroutes(self, value):
+        self._disablesubnetroutes = value.text == '1'
+
     def config_text(self):
         result = list()
         result.append('AddressFamily=any')
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
index 43839a8cfb..95aadc99b5 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
@@ -105,14 +105,15 @@ def deploy(config_filename):
         for filename in chroot_needs:
             os.makedirs('%s%s' % (network.get_basepath(), os.path.dirname(filename)), exist_ok=True)
             shutil.copy(filename, '%s/%s' % (network.get_basepath(), filename))
-        write_file("%s/subnet-up" % network.get_basepath(), '\n'.join([
-            "#!/bin/sh",
-            "route add $SUBNET -iface %s\n" % interface_name
-        ]), 0o700)
-        write_file("%s/subnet-down" % network.get_basepath(), '\n'.join([
-            "#!/bin/sh",
-            "route delete $SUBNET -iface %s\n" % interface_name
-        ]), 0o700)
+        if not network.get_disablesubnetroutes():
+            write_file("%s/subnet-up" % network.get_basepath(), '\n'.join([
+                "#!/bin/sh",
+                "route add $SUBNET -iface %s\n" % interface_name
+            ]), 0o700)
+            write_file("%s/subnet-down" % network.get_basepath(), '\n'.join([
+                "#!/bin/sh",
+                "route delete $SUBNET -iface %s\n" % interface_name
+            ]), 0o700)
 
         # configure and rename new tun device, place all in group "tinc" symlink associated tun device
         if interface_name not in interfaces:
diff --git a/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml b/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
index f8120fca1d..46c12f1682 100644
--- a/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
+++ b/security/tinc/src/opnsense/service/templates/OPNsense/Tinc/tinc_deploy.xml
@@ -15,6 +15,7 @@
         <debuglevel>{{network.debuglevel}}</debuglevel>
         <pingtimeout>{{network.pingtimeout}}</pingtimeout>
         <StrictSubnets>{{network.StrictSubnets}}</StrictSubnets>
+        <disablesubnetroutes>{{network.disablesubnetroutes}}</disablesubnetroutes>
         <hosts>
             <host>
                 <hostname>{{network.hostname}}</hostname>

From 512a24fb5893e6bb6b25904469f630953d817174 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 20 Jan 2026 15:25:10 +0100
Subject: [PATCH 2905/3088] net/haproxy: support more sample fetches, closes
 #3702

---
 net/haproxy/pkg-descr                                        | 1 +
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 3 +++
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf | 5 +++++
 3 files changed, 9 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 2b1a0af29c..a949284066 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -14,6 +14,7 @@ Added:
 * support custom HTTP status code in "http-request deny" rules
 * add new backend option to control PROXY protocol for health checks (#2909)
 * add support for new map file type: reg (#3641)
+* add support for more sample fetches: quic_enabled, stopping, wait_end (#3702)
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 4af8285da3..cd2facaa27 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1720,6 +1720,7 @@
                 <expression type="OptionField">
                     <Required>Y</Required>
                     <OptionValues>
+                        <stopping>HAProxy process is currently stopping</stopping>
                         <http_auth>HTTP Basic Auth: username/password from client matches selected User/Group</http_auth>
                         <hdr_beg>Host starts with</hdr_beg>
                         <hdr_end>Host ends with</hdr_end>
@@ -1738,6 +1739,8 @@
                         <cust_hdr_reg>HTTP Header regex</cust_hdr_reg>
                         <cust_hdr_sub>HTTP Header contains</cust_hdr_sub>
                         <http_method>HTTP Method</http_method>
+                        <wait_end>Inspection period is over (WAIT_END)</wait_end>
+                        <quic_enabled>QUIC transport protocol is enabled</quic_enabled>
                         <url_param>URL parameter contains</url_param>
                         <ssl_c_verify>SSL Client certificate is valid</ssl_c_verify>
                         <ssl_c_verify_code>SSL Client certificate verify error result</ssl_c_verify_code>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 01bce31410..6e46f610f3 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -41,6 +41,7 @@
 {# Macro expects a CSV list of Actions and validates them. #}
 {%- macro AclsAndActions(linkedData) -%}
 {%   if linkedData is defined %}
+{%     set acl_boolean_types = ['quic_enabled', 'stopping', 'wait_end'] %}
 {#     # remember all ACLs to avoid duplicate declarations #}
 {%     set acls_seen = [] %}
 {%     set global_action_options = [] %}
@@ -411,6 +412,10 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{#             # handle boolean ACL types that do not require any input #}
+{%             elif acl_data.expression in acl_boolean_types %}
+{%               do acl_options.append(acl_data.expression) %}
+{#             # handle custom ACL types #}
 {%             elif acl_data.expression == 'custom_acl' %}
 {%               if acl_data.custom_acl|default("") != "" %}
 {%                 do acl_options.append(acl_data.custom_acl) %}

From 20ff8e5af49303701538d45cd12610ec11e5ebaf Mon Sep 17 00:00:00 2001
From: Alexander Pritchard <alexander.pritchard@onepak.com>
Date: Tue, 20 Jan 2026 10:22:47 -0600
Subject: [PATCH 2906/3088] Add ACME profile support to acme-client

---
 .../OPNsense/AcmeClient/forms/dialogCertificate.xml      | 6 ++++++
 .../app/library/OPNsense/AcmeClient/LeCertificate.php    | 3 +++
 .../library/OPNsense/AcmeClient/LeValidation/Base.php    | 9 +++++++++
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml    | 5 +++++
 4 files changed, 23 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index 703b67d98c..4c05f7706c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -78,6 +78,12 @@
         <type>checkbox</type>
         <help>Generate and add OCSP Must Staple extension to the certificate. When this option is enabled and issueance/renewal requests fail, then this extension is probably not supported by the CA.</help>
     </field>
+    <field>
+        <id>certificate.profile</id>
+        <label>Certificate Profile</label>
+        <type>text</type>
+        <help><![CDATA[Optional. Specify the ACME Certificate Profile to use (e.g. "shortlived"). See CA documentation for available profiles.]]></help>
+    </field>
     <field>
         <label>Advanced Settings</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index e45f92dedd..0faf0cdf09 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -648,6 +648,9 @@ public function setValidation()
             $val->setRenewal((int)$renewInterval);
             $val->setForce($this->force);
             $val->setOcsp((string)$this->config->ocsp == 1 ? true : false);
+            if (!empty((string)$this->config->profile)) {
+                $val->setProfile((string)$this->config->profile);
+            }
             // strip prefix from key value
             $val->setKey(substr($this->config->keyLength, 4));
             $val->prepare();
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
index 6163abadd3..db814ef191 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/Base.php
@@ -280,6 +280,15 @@ public function setOcsp(bool $ocsp = false)
         $this->acme_args[] = $ocsp == true ? '--ocsp' : null;
     }
 
+    /**
+     * set certificate profile
+     * @param $profile string profile name
+     */
+    public function setProfile(string $profile)
+    {
+        $this->acme_args[] = LeUtils::execSafe('--cert-profile %s', $profile);
+    }
+
     /**
      * set renewal interval
      * @param $interval int specifies the renewal interval in days
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f8ad82cecc..97d4be7176 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -260,6 +260,11 @@
                     <Default>0</Default>
                     <Required>N</Required>
                 </ocsp>
+                <profile type="TextField">
+                    <Required>N</Required>
+                    <Mask>/^.{1,255}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                </profile>
                 <restartActions type="ModelRelationField">
                     <Model>
                         <actions>

From f2a122bdc824abb2ccdf7c0d8a41c71945216d45 Mon Sep 17 00:00:00 2001
From: Alexander Pritchard <alexander.pritchard@onepak.com>
Date: Tue, 20 Jan 2026 10:50:27 -0600
Subject: [PATCH 2907/3088] security/acme-client: fallback display name for
 certs with no CN

---
 .../mvc/app/library/OPNsense/AcmeClient/LeCertificate.php  | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 0faf0cdf09..342ce0d817 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -226,7 +226,12 @@ public function import(bool $skip_validation = false)
         $cert = array();
         $cert['refid'] = uniqid();
         $cert['caref'] = (string)$ca['refid'];
-        $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
+        if (empty($cert_cn)) {
+            // Fallback to configured name if Common Name is empty (e.g. for IP certificates)
+            $cert['descr'] = (string)$this->config->name . ' (ACME Client)';
+        } else {
+            $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
+        }
         $import_log_message = 'imported';
         $cert_found = false;
 

From c367618fee799918cf7a98cf2bcb4dbcf076ab43 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 20 Jan 2026 18:09:36 +0100
Subject: [PATCH 2908/3088] net/haproxy: add support for HTTP/3 over QUIC,
 closes #4341

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/dialogFrontend.xml |  4 +--
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  5 ++--
 .../templates/OPNsense/HAProxy/haproxy.conf   | 27 ++++++++++++++++---
 4 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index a949284066..2ab84561cf 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 4.7
 
 Added:
+* add support for HTTP/3 over QUIC to frontends (#4341)
 * add new rule: http-request silent-drop
 * add new condition: HTTP method
 * support custom HTTP status code in "http-request deny" rules
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index c40928fda2..6d2ecee8a1 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -23,7 +23,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Configure listen addresses for this Public Service, i.e. 127.0.0.1:8080 or www.example.com:443 or unix@socket-name. Use TAB key to complete typing a listen address.]]></help>
+        <help><![CDATA[Configure listen addresses for this Public Service, i.e. 127.0.0.1:8080 or www.example.com:443 or unix@socket-name. Add quic4@ or quic6@ to enable QUIC for IPv4/IPv6, e.g. quic4@www.example.com:443. Use TAB key to complete typing a listen address.]]></help>
         <hint>Enter address:port here. Finish with TAB.</hint>
     </field>
     <field>
@@ -203,7 +203,7 @@
         <style>tokenize</style>
         <allownew>true</allownew>
         <sortable>true</sortable>
-        <help><![CDATA[When using the TLS ALPN extension, HAProxy advertises the specified protocol list as supported on top of ALPN. SSL offloading must be enabled.]]></help>
+        <help><![CDATA[When using the TLS ALPN extension, HAProxy advertises the specified protocol list as supported on top of ALPN. SSL offloading must be enabled. Note that HTTP/3 will only be added to QUIC-compatible Listening Addresses.]]></help>
     </field>
     <field>
         <id>frontend.forwardFor</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index cd2facaa27..09becb6532 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -515,9 +515,9 @@
                 <bind type="CSVListField">
                     <Required>Y</Required>
                     <Multiple>Y</Multiple>
-                    <Mask>/^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</Mask>
+                    <Mask>/^((([quic4@|quic6@]*[0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u</Mask>
                     <ChangeCase>lower</ChangeCase>
-                    <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080, www.example.com:443 or unix@socket-name. Port range as start-end, i.e. 127.0.0.1:1220-1240.</ValidationMessage>
+                    <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080, www.example.com:443, quic4@www.example.com or unix@socket-name. Port range as start-end, i.e. 127.0.0.1:1220-1240.</ValidationMessage>
                 </bind>
                 <bindOptions type="TextField">
                     <Required>N</Required>
@@ -853,6 +853,7 @@
                     <Sorted>Y</Sorted>
                     <Multiple>Y</Multiple>
                     <OptionValues>
+                        <h3>HTTP/3</h3>
                         <h2>HTTP/2</h2>
                         <http11>HTTP/1.1</http11>
                         <http10>HTTP/1.0</http10>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 6e46f610f3..5ae3c9ad57 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1013,6 +1013,8 @@ global
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxConnections') %}
     maxconn                     {{OPNsense.HAProxy.general.tuning.maxConnections}}
 {% endif %}
+{# # TODO: remove this option when OpenSSL 3.5 is available on OPNsense #}
+    limited-quic
 {# # check if OCSP is enabled #}
 {% if OPNsense.HAProxy.general.tuning.ocspUpdateEnabled|default('') == '1' %}
 {%   if helpers.exists('OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay') %}
@@ -1420,9 +1422,8 @@ frontend {{frontend.name}}
 {%         endif %}
 {#         # HTTP/2 with TLS enabled #}
 {%         if frontend.http2Enabled|default("") == '1' and frontend.advertised_protocols|default("") != "" %}
-{#           # convert protocols to HAProxy-compatible format #}
-{%           set alpn_options = frontend.advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
-{%           do ssl_options.append('alpn ' ~ alpn_options) %}
+{#           # To ensure proper handling of each HTTP protocol, these #}
+{#           # entries will be processed when parsing individual bind lines. #}
 {%         else %}
 {#           # disable ALPN to enforce the GUI settings #}
 {%           do ssl_options.append('no-alpn') %}
@@ -1448,6 +1449,8 @@ frontend {{frontend.name}}
 {#       # bind/listen configuration #}
 {%       if frontend.bind|default("") != "" %}
 {%         for bind in frontend.bind.split(",") %}
+{#           # alpn advertisements are specific to each bind line #}
+{%           set alpn_options = [] %}
 {#           # check if this is a unix socket #}
 {%           set unix_bind = bind | regex_replace ("^unix@.*","TRUE") %}
 {%           if unix_bind == "TRUE" %}
@@ -1459,7 +1462,23 @@ frontend {{frontend.name}}
 {%             set bind_address = bind %}
 {%             set bind_name = bind %}
 {%           endif %}
-    bind {{bind_address}} name {{bind_name}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %}
+{#           # handle incompatible alpn advertisements #}
+{%           if bind.startswith('quic4@') or bind.startswith('quic6@') %}
+{#             # strip incompatible advertisement for QUIC bind lines #}
+{%             set alpn_incompatible = ['h2', 'http11', 'http10'] %}
+{%             set alpn_filtered = frontend.advertised_protocols.split(',') | reject('in', alpn_incompatible) | join(',') %}
+{%           else %}
+{#             # strip incompatible advertisement for non-QUIC bind lines #}
+{%             set alpn_incompatible = ['h3'] %}
+{%             set alpn_filtered = frontend.advertised_protocols.split(',') | reject('in', alpn_incompatible) | join(',') %}
+{%           endif %}
+{#           # add alpn advertisements #}
+{%           if alpn_filtered|default("") != "" %}
+{#             # convert alpn protocols to HAProxy-compatible format #}
+{%             set alpn_conv = alpn_filtered|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
+{%             do alpn_options.append('alpn ' ~ alpn_conv) %}
+{%           endif %}
+    bind {{bind_address}} name {{bind_name}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ alpn_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %}
 
 {%         endfor %}
 {%       endif %}

From 5fb8a58d933ec6ba44dc51beee37998f2e028beb Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 20 Jan 2026 18:16:09 +0100
Subject: [PATCH 2909/3088] net/haproxy: bump model version

---
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 09becb6532..734c95c709 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>4.1.0</version>
+    <version>4.2.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>

From e3bae8e72fa4965bae0447c9d369313e85723b5e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 21 Jan 2026 07:51:20 +0100
Subject: [PATCH 2910/3088] security/tinc: update version

---
 security/tinc/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 20ab416b8b..c60772668b 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		tinc
-PLUGIN_VERSION=		1.7
-PLUGIN_REVISION=	5
+PLUGIN_VERSION=		1.8
 PLUGIN_COMMENT=		Tinc VPN
 PLUGIN_DEPENDS=		tinc
 PLUGIN_MAINTAINER=	ad@opnsense.org

From add84716cad456ac1bd60404ea38b9d258c4f810 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 22 Jan 2026 00:17:32 +0100
Subject: [PATCH 2911/3088] net/haproxy: add support for HTTP compression,
 closes #4867

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/dialogAction.xml   | 59 ++++++++++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 60 +++++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 41 ++++++++++++-
 4 files changed, 160 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 2ab84561cf..46c6e7a492 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -16,6 +16,7 @@ Added:
 * add new backend option to control PROXY protocol for health checks (#2909)
 * add support for new map file type: reg (#3641)
 * add support for more sample fetches: quic_enabled, stopping, wait_end (#3702)
+* add support for HTTP compression (#4867)
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 9748247d63..6dd920eb81 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -481,4 +481,63 @@
         <type>text</type>
         <help><![CDATA[Set a FastCGI parameter that should be passed to the application. Its value must follow HAProxy's <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">Custom Log format rules</a>. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_compression</style>
+    </field>
+    <field>
+        <id>action.compression_direction</id>
+        <label>Compression Direction</label>
+        <type>dropdown</type>
+        <help><![CDATA[Whether HAProxy uses compression for HTTP responses, HTTP requests, or both. Be aware that most servers will not support request body decompression. For safekeeping only enable compression for HTTP responses.]]></help>
+    </field>
+    <field>
+        <id>action.compression_algo_res</id>
+        <label>Response Algorithm</label>
+        <type>dropdown</type>
+        <help><![CDATA[The compression algorithm used for HTTP responses. Compression will only be used depending on the Accept-Encoding request header.]]></help>
+    </field>
+    <field>
+        <id>action.compression_algo_req</id>
+        <label>Request Algorithm</label>
+        <type>dropdown</type>
+        <help><![CDATA[The compression algorithm used for HTTP requests. Compression will only be used depending on the Accept-Encoding request header.]]></help>
+    </field>
+    <field>
+        <id>action.compression_mime_res</id>
+        <label>Response Mime Types</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[HTTP responses will use compression for the specified mime types, i.e. text/css, text/html, application/javascript.]]></help>
+        <hint>Enter MIME types here. Finish with TAB.</hint>
+    </field>
+    <field>
+        <id>action.compression_mime_req</id>
+        <label>Request Mime Types</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help><![CDATA[HTTP requests will use compression for the specified mime types, i.e. text/css, text/html, application/javascript.]]></help>
+        <hint>Enter MIME types here. Finish with TAB.</hint>
+    </field>
+    <field>
+        <id>action.compression_minsize_res</id>
+        <label>Response Minimum Size</label>
+        <type>text</type>
+        <help><![CDATA[Specifies a minimum file size for HTTP response compression in bytes. By avoiding unnecessary compression work on very small files, this may reduce CPU overhead. Entering 0 disables this option.]]></help>
+    </field>
+    <field>
+        <id>action.compression_minsize_req</id>
+        <label>Request Minimum Size</label>
+        <type>text</type>
+        <help><![CDATA[Specifies a minimum file size for HTTP request compression in bytes. By avoiding unnecessary compression work on very small files, this may reduce CPU overhead. Entering 0 disables this option.]]></help>
+    </field>
+    <field>
+        <id>action.compression_offloading</id>
+        <label>Compression Offloading</label>
+        <type>checkbox</type>
+        <help><![CDATA[When enabled, the load balancer will remove the Accept-Encoding header before forwarding a request to backend servers. This prevents the servers from performing compression, offloading that work to the load balancer. This may impact HAProxy's performance.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 734c95c709..8fd95f2756 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2272,6 +2272,7 @@
                         <use_backend>Use specified Backend Pool</use_backend>
                         <use_server>Override server in Backend Pool</use_server>
                         <map_use_backend>Map domains to backend pools using a map file</map_use_backend>
+                        <compression>Enable compression for HTTP responses/requests</compression>
                         <fcgi_pass_header>FastCGI pass-header</fcgi_pass_header>
                         <fcgi_set_param>FastCGI set-param</fcgi_set_param>
                         <http-request_allow>http-request allow</http-request_allow>
@@ -2586,6 +2587,65 @@
                     <Multiple>N</Multiple>
                     <Required>N</Required>
                 </map_use_backend_default>
+                <compression_algo_res type="OptionField">
+                    <Required>N</Required>
+                    <Default>gzip</Default>
+                    <OptionValues>
+                        <gzip>gzip [default]</gzip>
+                        <deflate>deflate</deflate>
+                        <raw-deflate>raw-deflate</raw-deflate>
+                    </OptionValues>
+                </compression_algo_res>
+                <compression_algo_req type="OptionField">
+                    <Required>N</Required>
+                    <Default>gzip</Default>
+                    <OptionValues>
+                        <gzip>gzip [default]</gzip>
+                        <deflate>deflate</deflate>
+                        <raw-deflate>raw-deflate</raw-deflate>
+                    </OptionValues>
+                </compression_algo_req>
+                <compression_mime_res type="CSVListField">
+                    <Required>N</Required>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^((([0-9a-zA-Z]+\/+[0-9a-zA-Z]+)([,]){0,1}))*/u</Mask>
+                    <ChangeCase>lower</ChangeCase>
+                    <ValidationMessage>Please provide valid MIME types, i.e. text/css, text/html, application/json.</ValidationMessage>
+                </compression_mime_res>
+                <compression_mime_req type="CSVListField">
+                    <Required>N</Required>
+                    <Multiple>Y</Multiple>
+                    <Mask>/^((([0-9a-zA-Z]+\/+[0-9a-zA-Z]+)([,]){0,1}))*/u</Mask>
+                    <ChangeCase>lower</ChangeCase>
+                    <ValidationMessage>Please provide valid MIME types, i.e. text/css, text/html, application/json.</ValidationMessage>
+                </compression_mime_req>
+                <compression_offloading type="BooleanField">
+                    <Default>0</Default>
+                    <Required>N</Required>
+                </compression_offloading>
+                <compression_minsize_res type="IntegerField">
+                    <Default>1500</Default>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>1000000</MaximumValue>
+                    <ValidationMessage>Please specify a number between 0 and 1000000.</ValidationMessage>
+                    <Required>N</Required>
+                </compression_minsize_res>
+                <compression_minsize_req type="IntegerField">
+                    <Default>1500</Default>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>1000000</MaximumValue>
+                    <ValidationMessage>Please specify a number between 0 and 1000000.</ValidationMessage>
+                    <Required>N</Required>
+                </compression_minsize_req>
+                <compression_direction type="OptionField">
+                    <Required>N</Required>
+                    <Default>response</Default>
+                    <OptionValues>
+                        <response>Compress responses [default]</response>
+                        <request>Compress requests</request>
+                        <both>Compress both</both>
+                    </OptionValues>
+                </compression_direction>
             </action>
         </actions>
         <luas>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 5ae3c9ad57..59c7ddcd86 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -442,6 +442,7 @@
 {#       #       because doing otherwise would lead to unpredictable behaviour. #}
 {%       if acl_errors|int == 0 %}
 {%         set action_enabled = '1' %}
+{%         set action_multiline = '0' %}
 {%         set action_options = [] %}
 {%         if action_data.type == 'use_backend' %}
 {%           if action_data.use_backend|default("") != "" %}
@@ -709,6 +710,36 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
+{%         elif action_data.type == 'compression' %}
+{%           set action_multiline = '1' %}
+{%           if action_data.compression_mime_resp|default("") != "" or action_data.compression_mime_req|default("") != "" %}
+{%             do action_options.append('filter compression') %}
+{%             do action_options.append('compression direction ' ~ action_data.compression_direction) %}
+{%             if action_data.compression_direction|default("") == "response" or action_data.compression_direction|default("") == "both" %}
+{%               do action_options.append('compression algo-res ' ~ action_data.compression_algo_res) %}
+{%               if action_data.compression_mime_res|default("") != "" %}
+{%                 do action_options.append('compression type-res ' ~ action_data.compression_mime_res|replace(",", " ")) %}
+{%               endif %}
+{%               if action_data.compression_minsize_res|default("") != "0" %}
+{%                 do action_options.append('compression minsize-res ' ~ action_data.compression_minsize_res) %}
+{%               endif %}
+{%             endif %}
+{%             if action_data.compression_direction|default("") == "request" or action_data.compression_direction|default("") == "both" %}
+{%               do action_options.append('compression algo-req ' ~ action_data.compression_algo_req) %}
+{%               if action_data.compression_mime_req|default("") != "" %}
+{%                 do action_options.append('compression type-req ' ~ action_data.compression_mime_req|replace(",", " ")) %}
+{%               endif %}
+{%               if action_data.compression_minsize_req|default("") != "0" %}
+{%                 do action_options.append('compression minsize-req ' ~ action_data.compression_minsize_req) %}
+{%               endif %}
+{%             endif %}
+{%             if action_data.compression_offloading|default("") == "1" %}
+{%               do action_options.append('compression offload') %}
+{%             endif %}
+{%           else %}
+{%             set action_enabled = '0' %}
+    # ERROR: missing parameters
+{%           endif %}
 {%         elif action_data.type == 'custom' %}
 {%           if action_data.custom|default("") != "" %}
 {%             do action_options.append(action_data.custom) %}
@@ -736,8 +767,16 @@
 {%             set comment_lines = comment_lines + ['    # NOTE: actions with no ACLs/conditions will always match'] %}
 {%           endif %}
 {%           if action_options|length > 0 %}
+{#             # handle multiline options #}
+{%             if action_multiline == '1' %}
+{%               set join_char = '\n    ' %}
+{#               # ACLs are unsupported in multiline options, remove them #}
+{%               set acl_line = '' %}
+{%             else %}
+{%               set join_char = ' ' %}
+{%             endif %}
 {%             do global_action_options.append(comment_lines|join('\n')) -%}
-{%             do global_action_options.append(([action_options|join(' '), acl_line]|join(' '))) %}
+{%             do global_action_options.append(([action_options|join(join_char), acl_line]|join(' '))) %}
 {%           endif %}
 {%         else %}
     # ACTION INVALID: {{action_data.name}}

From 5e39080312bd83c53440374290e279601bd818d8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 22 Jan 2026 00:32:51 +0100
Subject: [PATCH 2912/3088] net/haproxy: use GUI names in config comments

---
 .../templates/OPNsense/HAProxy/haproxy.conf   | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 59c7ddcd86..5463a11f28 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -749,7 +749,7 @@
 {%           endif %}
 {%         else %}
 {%           set action_enabled = '0' %}
-    # ERROR: unsupported action type
+    # ERROR: unsupported rule type
 {%         endif %}
 {#         # check if action is valid #}
 {%         if action_enabled == '1' %}
@@ -759,12 +759,12 @@
 {%             set join_operator = ' ' %}
 {%           endif %}
 {#           # check if action depends on ACLs #}
-{%           set comment_lines = ['# ACTION: ' + action_data.name] %}
+{%           set comment_lines = ['# RULE: ' + action_data.name] %}
 {%           if action_acls|length > 0 %}
 {%             set acl_line = [action_data.testType, action_acls|join(join_operator)]|join(' ') %}
 {%           else %}
 {%             set acl_line = '' %}
-{%             set comment_lines = comment_lines + ['    # NOTE: actions with no ACLs/conditions will always match'] %}
+{%             set comment_lines = comment_lines + ['    # NOTE: Rules with no Conditions will always match'] %}
 {%           endif %}
 {%           if action_options|length > 0 %}
 {#             # handle multiline options #}
@@ -779,11 +779,11 @@
 {%             do global_action_options.append(([action_options|join(join_char), acl_line]|join(' '))) %}
 {%           endif %}
 {%         else %}
-    # ACTION INVALID: {{action_data.name}}
+    # RULE INVALID: {{action_data.name}}
 {%         endif %}
 {%       else %}
-    # ACTION INVALID: {{action_data.name}}
-    # ACL ERROR COUNT: {{acl_errors}}
+    # RULE INVALID: {{action_data.name}}
+    # CONDITIONS WITH ERRORS: {{acl_errors}}
 {%       endif %}
 {%     endfor %}
 
@@ -1395,7 +1395,7 @@ mailers {{mailer.id}}
 {% if helpers.exists('OPNsense.HAProxy.frontends') %}
 {%   for frontend in helpers.toList('OPNsense.HAProxy.frontends.frontend') %}
 {%     if frontend.enabled == '1' %}
-# Frontend: {{frontend.name}} ({{frontend.description}})
+# Public Service: {{frontend.name}} ({{frontend.description}})
 frontend {{frontend.name}}
 {%       set ssl_certs = [] %}
 {%       set ssl_options = [] %}
@@ -1601,7 +1601,7 @@ frontend {{frontend.name}}
 {%       endif %}
 
 {%     else %}
-# Frontend (DISABLED): {{frontend.name}} ({{frontend.description}})
+# Public Service (DISABLED): {{frontend.name}} ({{frontend.description}})
 
 {%     endif %}
 {%   endfor %}
@@ -1615,10 +1615,10 @@ frontend {{frontend.name}}
 {%   for backend in helpers.toList('OPNsense.HAProxy.backends.backend') %}
 {#     # ignore disabled backends #}
 {%     if backend.enabled == '1' %}
-# Backend: {{backend.name}} ({{backend.description}})
+# Backend Pool: {{backend.name}} ({{backend.description}})
 backend {{backend.name}}
 {%       if backend.linkedServers|default("") == "" %}
-    # HINT: no servers configured for this backend.
+    # HINT: no servers configured for this backend pool.
 {%       endif %}
 {#       # store additional parameters for the "server" entries #}
 {%       set healthcheck_additions = [] %}
@@ -2048,7 +2048,7 @@ backend {{backend.name}}
 {%       endif %}
 
 {%     else %}
-# Backend (DISABLED): {{backend.name}} ({{backend.description}})
+# Backend Pool (DISABLED): {{backend.name}} ({{backend.description}})
 
 {%     endif %}
 {%   endfor %}

From 2cc2215bbeacaef2325c903769c0aaae47c666b4 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 22 Jan 2026 17:31:38 +0100
Subject: [PATCH 2913/3088] net/frr: Fix stall on carp hook by redirecting
 stdout (#5160)

---
 net/frr/src/etc/rc.syshook.d/carp/50-frr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/frr/src/etc/rc.syshook.d/carp/50-frr b/net/frr/src/etc/rc.syshook.d/carp/50-frr
index e028a3e1d5..defb3812d6 100755
--- a/net/frr/src/etc/rc.syshook.d/carp/50-frr
+++ b/net/frr/src/etc/rc.syshook.d/carp/50-frr
@@ -49,7 +49,8 @@ if (frr_carp_enabled()) {
 
     switch ($type) {
         case 'MASTER':
-            mwexecfm('/usr/local/etc/rc.d/frr start');
+            // XXX: This will stall if stdout is not redirected
+            mwexecfm('/usr/local/etc/rc.d/frr start > /dev/null');
             break;
         case 'BACKUP':
             mwexecfm('/usr/local/etc/rc.d/frr stop');

From f6576fb536a5eb997f16fc252522b01faa06e301 Mon Sep 17 00:00:00 2001
From: Leandro Scardua <24698541+leandroscardua@users.noreply.github.com>
Date: Thu, 22 Jan 2026 17:42:00 +0000
Subject: [PATCH 2914/3088] ddclient: add Hostinger DNS provider (#5161)

* hostinger integration
---
 .../scripts/ddclient/lib/account/hostinger.py | 106 ++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hostinger.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hostinger.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hostinger.py
new file mode 100755
index 0000000000..74da1d183c
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hostinger.py
@@ -0,0 +1,106 @@
+"""
+    Copyright (c) 2024 Thomas Cekal <thomas@cekal.org>
+    Copyright (c) 2024 Ad Schellevis <ad@opnsense.org>
+    Copyright (c) 2026 Leandro Scardua
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+"""
+
+import json
+import syslog
+import requests
+from . import BaseAccount
+
+# Hostinger DNS API documentation:
+# https://developers.hostinger.com/#tag/dns-zone/PUT/api/dns/v1/zones/{domain}
+
+class Hostinger(BaseAccount):
+    _services = {
+        'hostinger': 'developers.hostinger.com'
+    }
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return Hostinger._services.keys()
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in Hostinger._services
+
+    def execute(self):
+        if super().execute():
+            # IPv4/IPv6
+            recordType = "AAAA" if str(self.current_address).find(':') > 1 else "A"
+            
+            # Validate TTL
+            ttl = int(self.settings.get('ttl', 300)) if (60 <= int(self.settings.get('ttl', 300)) <= 86400) else 300
+
+            # Use bearer authentication
+            url = "https://developers.hostinger.com/api/dns/v1/zones/" + self.settings.get('zone')
+            
+            # Build the zone update payload
+            payload = {
+                "overwrite": True,
+                "zone": [
+                    {
+                        "name": self.settings.get('hostnames'),
+                        "type": recordType,
+                        "ttl": ttl,
+                        "records": [
+                            {
+                                "content": self.current_address
+                            }
+                        ]
+                    }
+                ]
+            }
+            
+            headers = {
+                'authorization': "Bearer " + self.settings.get('password'),
+                'content-type': "application/json",
+                'User-Agent': 'OPNsense-dyndns'
+            }
+            
+            # Send IP address update
+            req = requests.request("PUT", url, data=json.dumps(payload), headers=headers)
+            if 200 <= req.status_code < 300:
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s set new ip %s [%s]" % (self.description, self.current_address, req.text.strip())
+                    )
+
+                self.update_state(address=self.current_address, status='success')
+                return True
+            else:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s failed to set new ip %s [%d - %s]" % (
+                        self.description, self.current_address, req.status_code, req.text.replace('\n', '')
+                    )
+                )
+
+        return False
\ No newline at end of file

From 6dbefe5481b5e55deff62e50179abf80a212d367 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 22 Jan 2026 22:32:46 +0100
Subject: [PATCH 2915/3088] net/haproxy: add support for http-after-response
 rules

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/dialogAction.xml   | 15 +++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 32 +++++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 10 ++++++
 4 files changed, 58 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 46c6e7a492..f979807b33 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,7 @@ Plugin Changelog
 Added:
 * add support for HTTP/3 over QUIC to frontends (#4341)
 * add new rule: http-request silent-drop
+* add new rule: http-after-response
 * add new condition: HTTP method
 * support custom HTTP status code in "http-request deny" rules
 * add new backend option to control PROXY protocol for health checks (#2909)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 6dd920eb81..951b42f26d 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -540,4 +540,19 @@
         <type>checkbox</type>
         <help><![CDATA[When enabled, the load balancer will remove the Accept-Encoding header before forwarding a request to backend servers. This prevents the servers from performing compression, offloading that work to the load balancer. This may impact HAProxy's performance.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_http-after-response</style>
+    </field>
+    <field>
+        <id>action.http_after_response_action</id>
+        <label>Action</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>action.http_after_response_option</id>
+        <label>Options/Values</label>
+        <type>text</type>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 8fd95f2756..9174d0b06f 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2275,6 +2275,7 @@
                         <compression>Enable compression for HTTP responses/requests</compression>
                         <fcgi_pass_header>FastCGI pass-header</fcgi_pass_header>
                         <fcgi_set_param>FastCGI set-param</fcgi_set_param>
+                        <http-after-response>http-after-response</http-after-response>
                         <http-request_allow>http-request allow</http-request_allow>
                         <http-request_deny>http-request deny</http-request_deny>
                         <http-request_tarpit>http-request tarpit</http-request_tarpit>
@@ -2350,6 +2351,37 @@
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </fcgi_set_param>
+                <http_after_response_action type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <add-header>add-header</add-header>
+                        <allow>allow</allow>
+                        <capture>capture</capture>
+                        <del-header>del-header</del-header>
+                        <del-map>del-map</del-map>
+                        <do-log>do-log</do-log>
+                        <replace-header>replace-header</replace-header>
+                        <replace-value>replace-value</replace-value>
+                        <sc-add-gpc>sc-add-gpc</sc-add-gpc>
+                        <sc-inc-gpc>sc-inc-gpc</sc-inc-gpc>
+                        <sc-inc-gpc0>sc-inc-gpc0</sc-inc-gpc0>
+                        <sc-inc-gpc1>sc-inc-gpc1</sc-inc-gpc1>
+                        <sc-set-gpt>sc-set-gpt</sc-set-gpt>
+                        <sc-set-gpt0>sc-set-gpt0</sc-set-gpt0>
+                        <set-header>set-header</set-header>
+                        <set-log-level>set-log-level</set-log-level>
+                        <set-map>set-map</set-map>
+                        <set-status>set-status</set-status>
+                        <set-var>set-var</set-var>
+                        <set-var-fmt>set-var-fmt</set-var-fmt>
+                        <strict-mode>strict-mode</strict-mode>
+                        <unset-var>unset-var</unset-var>
+                    </OptionValues>
+                </http_after_response_action>
+                <http_after_response_option type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </http_after_response_option>
                 <http_request_auth type="TextField">
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 5463a11f28..6f05023321 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -500,6 +500,16 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
+{%         elif action_data.type == 'http-after-response' %}
+{%           if action_data.http_after_response_action|default('') != '' %}
+{%             do action_options.append('http-after-response ' ~ action_data.http_after_response_action) %}
+{%             if action_data.http_after_response_option|default('') != '' %}
+{%               do action_options.append(action_data.http_after_response_option) %}
+{%             endif %}
+{%           else %}
+{%             set action_enabled = '0' %}
+    # ERROR: missing parameters
+{%           endif %}
 {%         elif action_data.type == 'http-request_allow' %}
 {%           do action_options.append('http-request allow') %}
 {%         elif action_data.type == 'http-request_deny' %}

From 14a130188860b755babf159aacb1b91989cdbaa6 Mon Sep 17 00:00:00 2001
From: Stephan de Wit <stephan.de.wit@deciso.com>
Date: Fri, 23 Jan 2026 12:05:19 +0100
Subject: [PATCH 2916/3088] isc-dhcpdv6: add static mapping export (#5164)

---
 .../src/etc/inc/plugins.inc.d/dhcpd.inc       |  3 +-
 net/isc-dhcp/src/www/services_dhcp.php        |  2 +-
 net/isc-dhcp/src/www/services_dhcpv6.php      | 34 ++++++++++++++++++-
 3 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
index c8931d919f..87552f2f71 100644
--- a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
+++ b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
@@ -1243,8 +1243,7 @@ function dhcpd_staticmap($proto = null, $valid_addresses = true, $ifconfig_detai
                 }
 
                 if ($domain !== null) {
-                    /* first entry only */
-                    $domain = preg_split('/[ ;]+/', $domain)[0];
+                    $domain = preg_replace('/\s*;\s*/', ',', trim($domain));
                 }
 
                 $entry = [
diff --git a/net/isc-dhcp/src/www/services_dhcp.php b/net/isc-dhcp/src/www/services_dhcp.php
index 21667c0c9f..d53b868670 100644
--- a/net/isc-dhcp/src/www/services_dhcp.php
+++ b/net/isc-dhcp/src/www/services_dhcp.php
@@ -449,7 +449,7 @@ function reconfigure_dhcpd()
         }
         header(url_safe('Location: /services_dhcp.php?if=%s', array($if)));
     } elseif ($act == "export") {
-        $static = dhcpd_staticmap(null, true, null, true);
+        $static = dhcpd_staticmap(4, true, null, true);
 
         header("Content-Type: text/csv");
         header("Content-Disposition: attachment; filename=\"isc_export_{$if}.csv\"");
diff --git a/net/isc-dhcp/src/www/services_dhcpv6.php b/net/isc-dhcp/src/www/services_dhcpv6.php
index 7308b2a164..6fc7112794 100644
--- a/net/isc-dhcp/src/www/services_dhcpv6.php
+++ b/net/isc-dhcp/src/www/services_dhcpv6.php
@@ -433,6 +433,29 @@ function reconfigure_dhcpd()
                 mark_subsystem_dirty('staticmapsv6');
             }
         }
+        exit;
+    } elseif ($act == "export") {
+        $static = dhcpd_staticmap(6, true, null, true);
+
+        header("Content-Type: text/csv");
+        header("Content-Disposition: attachment; filename=\"isc_dhcpdv6_export_{$if}.csv\"");
+        header("Content-Transfer-Encoding: binary");
+        header("Pragma: no-cache");
+        header("Expires: 0");
+
+        $stream = fopen('php://output', 'w');
+
+        fputcsv($stream, ['ip_address', 'duid', 'hostname', 'domain_search', 'description']);
+        foreach ($static as $record) {
+            if ($record['interface'] !== $if) {
+                continue;
+            }
+
+            fputcsv($stream, array_map(fn($k) => $record[$k], ['ipaddrv6', 'duid', 'hostname', 'domain', 'descr']));
+        }
+
+        @fclose($stream);
+
         exit;
     }
 }
@@ -862,7 +885,16 @@ function show_netboot_config() {
                 <div class="table-responsive">
                   <table class="tabcont table table-striped" style="width:100%; border:0;">
                     <tr>
-                      <th colspan="5"><?= gettext('DHCPv6 Static Mappings for this interface.') ?></th>
+                      <td colspan="6">
+                        <form method="POST">
+                          <input name="if" type="hidden" value="<?=$if;?>" />
+                          <input name="act" type="hidden" value="export">
+                          <button type="submit" id="download_hosts" class="btn btn-xs" data-if="<?=$if;?>" data-toggle="tooltip" data-title="<?=gettext("Export as CSV");?>">
+                            <span class="fa fa-fw fa-table"></span>
+                          </button>
+                          <strong><?=gettext("DHCPv6 Static Mappings for this interface.");?></strong>
+                        </form>
+                      </td>
                     </tr>
                     <tr>
                       <td><?=gettext("DUID");?></td>

From 7de2634b8892cd9f4268cd380fa82c63c42d18cc Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Jan 2026 12:40:38 +0100
Subject: [PATCH 2917/3088] net/isc-dhcp: small change for #5164

---
 net/isc-dhcp/Makefile                            | 1 +
 net/isc-dhcp/pkg-descr                           | 1 +
 net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc | 6 ++++--
 net/isc-dhcp/src/www/services_dhcp.php           | 2 +-
 net/isc-dhcp/src/www/services_dhcpv6.php         | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/isc-dhcp/Makefile b/net/isc-dhcp/Makefile
index e8d39960e6..839e834622 100644
--- a/net/isc-dhcp/Makefile
+++ b/net/isc-dhcp/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		isc-dhcp
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ISC DHCPv4/v6 server
 PLUGIN_DEPENDS=		isc-dhcp44-server
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/isc-dhcp/pkg-descr b/net/isc-dhcp/pkg-descr
index 1c04f41326..8e95254835 100644
--- a/net/isc-dhcp/pkg-descr
+++ b/net/isc-dhcp/pkg-descr
@@ -14,3 +14,4 @@ Plugin Changelog
 * First release resembling the core state of 25.7.11
 * Minor changes due to "radvd" extraction out of DHCPv6 configuration
 * Minor changes regarding "track6" mode handling
+* Added DHCPv6 static mappings export
diff --git a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
index 87552f2f71..96900d2859 100644
--- a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
+++ b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
@@ -1197,7 +1197,7 @@ EOD;
     service_log("done.\n", $verbose);
 }
 
-function dhcpd_staticmap($proto = null, $valid_addresses = true, $ifconfig_details = null, $allow_disabled = false)
+function dhcpd_staticmap($proto = null, $valid_addresses = true, $ifconfig_details = null, $allow_disabled = false, $for_export = false)
 {
     $staticmap = [];
     foreach (empty($proto) ? [4, 6] : [$proto] as $inet) {
@@ -1243,7 +1243,9 @@ function dhcpd_staticmap($proto = null, $valid_addresses = true, $ifconfig_detai
                 }
 
                 if ($domain !== null) {
-                    $domain = preg_replace('/\s*;\s*/', ',', trim($domain));
+                    /* first entry only unless requested */
+                    $domain = !$for_export ? preg_split('/[ ;]+/', $domain)[0] :
+                        preg_replace('/\s*;\s*/', ',', trim($domain));
                 }
 
                 $entry = [
diff --git a/net/isc-dhcp/src/www/services_dhcp.php b/net/isc-dhcp/src/www/services_dhcp.php
index d53b868670..6b00cc16ef 100644
--- a/net/isc-dhcp/src/www/services_dhcp.php
+++ b/net/isc-dhcp/src/www/services_dhcp.php
@@ -449,7 +449,7 @@ function reconfigure_dhcpd()
         }
         header(url_safe('Location: /services_dhcp.php?if=%s', array($if)));
     } elseif ($act == "export") {
-        $static = dhcpd_staticmap(4, true, null, true);
+        $static = dhcpd_staticmap(4, true, null, true, true);
 
         header("Content-Type: text/csv");
         header("Content-Disposition: attachment; filename=\"isc_export_{$if}.csv\"");
diff --git a/net/isc-dhcp/src/www/services_dhcpv6.php b/net/isc-dhcp/src/www/services_dhcpv6.php
index 6fc7112794..dfe2e587e8 100644
--- a/net/isc-dhcp/src/www/services_dhcpv6.php
+++ b/net/isc-dhcp/src/www/services_dhcpv6.php
@@ -435,7 +435,7 @@ function reconfigure_dhcpd()
         }
         exit;
     } elseif ($act == "export") {
-        $static = dhcpd_staticmap(6, true, null, true);
+        $static = dhcpd_staticmap(6, true, null, true, true);
 
         header("Content-Type: text/csv");
         header("Content-Disposition: attachment; filename=\"isc_dhcpdv6_export_{$if}.csv\"");

From 48b4168bdfa0d43a138468da73b0323aba15091c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Jan 2026 12:42:15 +0100
Subject: [PATCH 2918/3088] net/frr: fix hang in carp start hook

---
 net/frr/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 072f29e7da..8a8f78a19f 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.50
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org

From b879d7b6ddac58212f05ed57ab06e40f876257e9 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Jan 2026 12:43:41 +0100
Subject: [PATCH 2919/3088] net/frr: annotate fix

---
 net/frr/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 311843b090..5a47995ed6 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -18,6 +18,7 @@ Plugin Changelog
 * Fix watchfrr service handling (contributed by Andy Binder) (opnsense/plugins/pull/4712 and 5132)
 * Add capability support for BGP neighbors (contributed by Shelldog95) (opnsense/plugins/pull/5128)
 * Prevent errors in diagnostics view when a frr daemon is not started (opnsense/plugins/pull/5119)
+* Fix CARP hook service start hang (opnsense/plugins/pull/5160)
 
 1.49
 

From 4800383a521907909ef0c281f76853b35c27ca9d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Jan 2026 12:46:35 +0100
Subject: [PATCH 2920/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index eefc91d4c2..71066b3796 100644
--- a/LICENSE
+++ b/LICENSE
@@ -45,6 +45,7 @@ Copyright (c) 2025 Joseph Bauser
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019-2022 Juergen Kellerer
 Copyright (c) 2024 laraveluser
+Copyright (c) 2026 Leandro Scardua
 Copyright (c) 2023 Liam Steckler <liam@liamsteckler.com>
 Copyright (c) 2020-2021 Manuel Faux
 Copyright (c) 2021 Manuel Hofmann

From 2b4415626780c38c498d890603bd9710093ef7d1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 23 Jan 2026 12:46:56 +0100
Subject: [PATCH 2921/3088] dns/ddclient: small bump for now

---
 dns/ddclient/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index f947225d0c..469f49c666 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.29
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From e9eb048a7ccece15f61fe3394931d23237886313 Mon Sep 17 00:00:00 2001
From: Jeremy Gutierrez <Jeremy.gutierrez@markt.de>
Date: Thu, 22 Jan 2026 12:59:31 +0100
Subject: [PATCH 2922/3088] security/acme-client: add support for acme.sh
 deploy hook "Ruckus"

---
 .../AcmeClient/forms/dialogAction.xml         | 22 +++++++++
 .../AcmeClient/LeAutomation/AcmeRuckus.php    | 47 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 12 +++++
 3 files changed, 81 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeRuckus.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index fda3912063..d518bdeaab 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -377,6 +377,28 @@
         <type>header</type>
         <style>method_table method_table_acme_truenas</style>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_ruckus</style>
+    </field>
+    <field>
+        <id>action.acme_ruckus_host</id>
+        <label>Ruckus Host</label>
+        <type>text</type>
+    </field>
+
+    <field>
+        <id>action.acme_ruckus_user</id>
+        <label>Ruckus User</label>
+        <type>text</type>
+    </field>
+
+    <field>
+        <id>action.acme_ruckus_pass</id>
+        <label>Ruckus Password</label>
+        <type>password</type>
+    </field>
     <field>
         <id>action.acme_truenas_apikey</id>
         <label>TrueNAS API key</label>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeRuckus.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeRuckus.php
new file mode 100644
index 0000000000..63fb88e340
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeRuckus.php
@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Jeremy Gutierrez
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook ruckus
+ * @package OPNsense\AcmeClient
+ */
+class AcmeRuckus extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['RUCKUS_HOST'] = (string)$this->config->acme_ruckus_host;
+        $this->acme_env['RUCKUS_USER'] = (string)$this->config->acme_ruckus_user;
+        $this->acme_env['RUCKUS_PASS'] = (string)$this->config->acme_ruckus_pass;
+        $this->acme_args[] = '--deploy-hook ruckus';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f8ad82cecc..199dfccadc 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1408,6 +1408,7 @@
                         <acme_panos>Upload certificate to Palo Alto Networks Firewall</acme_panos>
                         <acme_proxmoxbs>Upload certificate to Proxmox Backup Server</acme_proxmoxbs>
                         <acme_proxmoxve>Upload certificate to Proxmox VE</acme_proxmoxve>
+                        <acme_ruckus>Upload certificate to Ruckus controller</acme_ruckus>
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
                         <acme_truenas>Upload certificate to TrueNAS Core Server</acme_truenas>
@@ -1694,6 +1695,17 @@
                     <Mask>/^.{1,1024}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                 </acme_proxmoxbs_tokenkey>
+                <acme_ruckus_host type="HostnameField">
+                    <Mask>/^.{1,1024}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </acme_ruckus_host>
+                <acme_ruckus_user type="TextField">
+                    <Required>N</Required>
+                </acme_ruckus_user>
+                <acme_ruckus_pass type="TextField">
+                    <Required>N</Required>
+                </acme_ruckus_pass>
                 <acme_truenas_apikey type="TextField">
                     <Required>N</Required>
                     <Mask>/^.{1,1024}$/u</Mask>

From 93f434dc4341a3f23e30fd40486493f6a1d36ded Mon Sep 17 00:00:00 2001
From: Benno Kutschenreuter <benno.kutschenreuter@markt.de>
Date: Thu, 22 Jan 2026 14:55:10 +0100
Subject: [PATCH 2923/3088] security/acme-client:add support for DNS challenge
 Spaceship.com

---
 .../AcmeClient/forms/dialogValidation.xml     | 20 ++++++++
 .../AcmeClient/LeValidation/DnsSpaceship.php  | 51 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 10 ++++
 3 files changed, 81 insertions(+)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSpaceship.php

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index a6b2792643..c952cbbfc5 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1333,6 +1333,26 @@
         <label>Password</label>
         <type>password</type>
     </field>
+    <field>
+        <label>Spaceship DNS</label>
+        <type>header</type>
+        <style>table_dns table_dns_spaceship</style>
+    </field>
+    <field>
+        <id>validation.dns_spaceship_api_key</id>
+        <label>API Key</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_spaceship_api_secret</id>
+        <label>API Secret</label>
+        <type>text</type>
+    </field>
+    <field>
+        <id>validation.dns_spaceship_root_domain</id>
+        <label>Root Domain (Optional)</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Timeweb Cloud DNS</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSpaceship.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSpaceship.php
new file mode 100644
index 0000000000..b8b8697581
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsSpaceship.php
@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Benno Kutschenreuter
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeValidation;
+
+use OPNsense\AcmeClient\LeValidationInterface;
+use OPNsense\Core\Config;
+
+/**
+ * Spaceship DNS API
+ * @package OPNsense\AcmeClient
+ */
+
+class DnsSpaceship extends Base implements LeValidationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['SPACESHIP_API_KEY'] = (string)$this->config->dns_spaceship_api_key;
+        $this->acme_env['SPACESHIP_API_SECRET'] = (string)$this->config->dns_spaceship_api_secret;
+
+        // optional root domain
+        if (!empty((string)$this->config->dns_spaceship_root_domain)) {
+            $this->acme_env['SPACESHIP_ROOT_DOMAIN'] = (string)$this->config->dns_spaceship_root_domain;
+        }
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f8ad82cecc..558e96071f 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -522,6 +522,7 @@
                         <dns_selfhost>Selfhost</dns_selfhost>
                         <dns_servercow>Servercow</dns_servercow>
                         <dns_simply>Simply.com</dns_simply>
+                        <dns_spaceship>Spaceship</dns_spaceship>
                         <dns_technitium>Technitium</dns_technitium>
                         <dns_timeweb>Timeweb Cloud</dns_timeweb>
                         <dns_transip>Transip</dns_transip>
@@ -1106,6 +1107,15 @@
                 <dns_simply_account_name type="TextField">
                     <Required>N</Required>
                 </dns_simply_account_name>
+                <dns_spaceship_api_key type="TextField">
+                    <Required>N</Required>
+                </dns_spaceship_api_key>
+                <dns_spaceship_api_secret type="TextField">
+                    <Required>N</Required>
+                </dns_spaceship_api_secret>
+                <dns_spaceship_root_domain type="TextField">
+                    <Required>N</Required>
+                </dns_spaceship_root_domain>
                 <dns_technitium_token type="TextField">
                     <Required>N</Required>
                 </dns_technitium_token>

From b23594e102377faa3e4f006438bb4000bea99339 Mon Sep 17 00:00:00 2001
From: Caleb Norton <n0603919@outlook.com>
Date: Sat, 24 Jan 2026 15:18:46 -0600
Subject: [PATCH 2924/3088] security/acme-client: allow always renew

---
 .../opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index f8ad82cecc..8f6897d8b1 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -282,7 +282,7 @@
                 </autoRenewal>
                 <renewInterval type="IntegerField">
                     <Required>Y</Required>
-                    <MinimumValue>1</MinimumValue>
+                    <MinimumValue>0</MinimumValue>
                     <MaximumValue>5000</MaximumValue>
                     <Default>60</Default>
                 </renewInterval>

From 76805d1eb1c9dc099160d0798a023048aae91f53 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Fri, 23 Jan 2026 13:58:02 +0100
Subject: [PATCH 2925/3088] net/haproxy: refactor http/tcp rules

---
 net/haproxy/pkg-descr                         |   3 +
 .../OPNsense/HAProxy/forms/dialogAction.xml   | 443 ++++--------------
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 312 ++++++++++--
 .../OPNsense/HAProxy/Migrations/M4_2_0.php    | 310 ++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 253 +++-------
 5 files changed, 720 insertions(+), 601 deletions(-)
 create mode 100644 net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index f979807b33..ec9cad2399 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -18,9 +18,12 @@ Added:
 * add support for new map file type: reg (#3641)
 * add support for more sample fetches: quic_enabled, stopping, wait_end (#3702)
 * add support for HTTP compression (#4867)
+* add all action keywords for http-request/-response and tcp-request/-response rules
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
+* refactor http/tcp rules to make extensions easier
+* rename some labels in rules
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 951b42f26d..c2e70417f3 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -15,33 +15,33 @@
         <label>Optional condition</label>
         <type>header</type>
     </field>
-    <field>
-        <id>action.testType</id>
-        <label>Test type</label>
-        <type>dropdown</type>
-        <help><![CDATA[Choose how to test. By using IF it tests if the condition evaluates to true. If you use UNLESS, the sense of the test is reversed.]]></help>
-    </field>
     <field>
         <id>action.linkedAcls</id>
         <label>Select conditions</label>
         <type>select_multiple</type>
         <help><![CDATA[Select one or more conditions to be used for this rule.]]></help>
     </field>
+    <field>
+        <id>action.testType</id>
+        <label>Match Mode</label>
+        <type>dropdown</type>
+        <help><![CDATA[Apply this rule when conditions are met (IF) or unmet (UNLESS).]]></help>
+    </field>
     <field>
         <id>action.operator</id>
-        <label>Logical operator for conditions</label>
+        <label>Logic Operator</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a logical operator.]]></help>
+        <help><![CDATA[Combine multiple conditions using AND (all must match) or OR (any must match).]]></help>
     </field>
     <field>
-        <label>HAProxy function</label>
+        <label>Rule type</label>
         <type>header</type>
     </field>
     <field>
         <id>action.type</id>
-        <label>Execute function</label>
+        <label>Type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a HAProxy function that should be executed if the condition evaluates to true.]]></help>
+        <help><![CDATA[Choose a HAProxy action that should be used if the condition evaluates to true.]]></help>
     </field>
     <field>
         <label>Parameters</label>
@@ -69,302 +69,6 @@
         <label>NOTE: The specified server must be present in the Backend Pool where this rule is applied.</label>
         <type>info</type>
     </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_auth</style>
-    </field>
-    <field>
-        <id>action.http_request_auth</id>
-        <label>Auth Realm</label>
-        <type>text</type>
-        <help><![CDATA[When HAProxy requests user name and password from the user, this optional authentication realm is returned with the response (typically the application's name).]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_deny</style>
-    </field>
-    <field>
-        <id>action.http_request_deny_status</id>
-        <label>HTTP Status Code</label>
-        <type>text</type>
-        <help><![CDATA[By default an HTTP 403 error is returned for requests, and 502 for responses, but optionally a different HTTP status code may be specified.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_redirect</style>
-    </field>
-    <field>
-        <id>action.http_request_redirect</id>
-        <label>Redirect Command</label>
-        <type>text</type>
-        <help><![CDATA[Use HAProxy's redirect function to return a HTTP redirection. A full redirect command is required, e.g. "location https://www.example.net/" or "scheme https code 301". See <a href="http://docs.haproxy.org/3.2/configuration.html#redirect">HAProxy's documentation</a> for further details and examples.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_lua</style>
-    </field>
-    <field>
-        <id>action.http_request_lua</id>
-        <label>Lua function</label>
-        <type>text</type>
-        <help><![CDATA[Execute the specified Lua function. You will most likely need to include/load your Lua code first.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_use-service</style>
-    </field>
-    <field>
-        <id>action.http_request_use_service</id>
-        <label>Lua service</label>
-        <type>text</type>
-        <help><![CDATA[Register the specified Lua service. You will most likely need to include/load your Lua code first.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_add-header</style>
-    </field>
-    <field>
-        <id>action.http_request_add_header_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[Append a HTTP header field with the specified name.]]></help>
-    </field>
-    <field>
-        <id>action.http_request_add_header_content</id>
-        <label>Header Content</label>
-        <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it is possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_set-header</style>
-    </field>
-    <field>
-        <id>action.http_request_set_header_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[Remove the HTTP header field with the specified name and add a new one with the same name. This is useful when passing security information to the server, where the header must not be manipulated by external users.]]></help>
-    </field>
-    <field>
-        <id>action.http_request_set_header_content</id>
-        <label>Header Content</label>
-        <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_del-header</style>
-    </field>
-    <field>
-        <id>action.http_request_del_header_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[Remove the HTTP header field with the specified name.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_replace-header</style>
-    </field>
-    <field>
-        <id>action.http_request_replace_header_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[The name of the HTTP header field.]]></help>
-    </field>
-    <field>
-        <id>action.http_request_replace_header_regex</id>
-        <label>Regular Expression</label>
-        <type>text</type>
-        <help><![CDATA[Matches the specified regular expression in all occurrences of the header field.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_replace-value</style>
-    </field>
-    <field>
-        <id>action.http_request_replace_value_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[The name of the HTTP header field.]]></help>
-    </field>
-    <field>
-        <id>action.http_request_replace_value_regex</id>
-        <label>Regular Expression</label>
-        <type>text</type>
-        <help><![CDATA[This is suited for all header fields which are allowed to carry more than one value: Matches the specified regular expression against every comma-delimited value of the header field.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_set-path</style>
-    </field>
-    <field>
-        <id>action.http_request_set_path</id>
-        <label>Set Path</label>
-        <type>text</type>
-        <help><![CDATA[Rewrites the request path. The query string, if any, is left intact. If a scheme and authority is found before the path, they are left intact as well.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-request_set-var</style>
-    </field>
-    <field>
-        <id>action.http_request_set_var_scope</id>
-        <label>Variable Scope</label>
-        <type>dropdown</type>
-        <help><![CDATA[The name of the variable starts with an indication about its scope.]]></help>
-    </field>
-    <field>
-        <id>action.http_request_set_var_name</id>
-        <label>Variable Name</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>action.http_request_set_var_expr</id>
-        <label>Expression</label>
-        <type>text</type>
-        <help><![CDATA[A standard HAProxy expression formed by a sample-fetch followed by some converters.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-response_lua</style>
-    </field>
-    <field>
-        <id>action.http_response_lua</id>
-        <label>Lua function</label>
-        <type>text</type>
-        <help><![CDATA[Execute the specified Lua function. You will most likely need to include/load your Lua code first.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-response_add-header</style>
-    </field>
-    <field>
-        <id>action.http_response_add_header_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[Append a HTTP header field with the specified name.]]></help>
-    </field>
-    <field>
-        <id>action.http_response_add_header_content</id>
-        <label>Header Content</label>
-        <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-response_set-header</style>
-    </field>
-    <field>
-        <id>action.http_response_set_header_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[Remove the HTTP header field with the specified name and add a new one with the same name. This is useful when passing security information to the server, where the header must not be manipulated by external users.]]></help>
-    </field>
-    <field>
-        <id>action.http_response_set_header_content</id>
-        <label>Header Content</label>
-        <type>text</type>
-        <help><![CDATA[The value that should be set for the specified HTTP header. Note that it's possible to use pre-defined variables, see <a href="http://docs.haproxy.org/3.2/configuration.html#8.2.4">HAProxy's documentation</a> for further details and examples.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-response_del-header</style>
-    </field>
-    <field>
-        <id>action.http_response_del_header_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[Remove the HTTP header field with the specified name.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-response_replace-header</style>
-    </field>
-    <field>
-        <id>action.http_response_replace_header_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[The name of the HTTP header field.]]></help>
-    </field>
-    <field>
-        <id>action.http_response_replace_header_regex</id>
-        <label>Regular Expression</label>
-        <type>text</type>
-        <help><![CDATA[Matches the specified regular expression in all occurrences of header field.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-response_replace-value</style>
-    </field>
-    <field>
-        <id>action.http_response_replace_value_name</id>
-        <label>HTTP Header</label>
-        <type>text</type>
-        <help><![CDATA[The name of the HTTP header field.]]></help>
-    </field>
-    <field>
-        <id>action.http_response_replace_value_regex</id>
-        <label>Regular Expression</label>
-        <type>text</type>
-        <help><![CDATA[This is suited for all header fields which are allowed to carry more than one value: Matches the specified regular expression against every comma-delimited value of the header field.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-response_set-status</style>
-    </field>
-    <field>
-        <id>action.http_response_set_status_code</id>
-        <label>HTTP Status Code</label>
-        <type>text</type>
-        <help><![CDATA[Replaces the response status code. Must be an integer between 100 and 999.]]></help>
-    </field>
-    <field>
-        <id>action.http_response_set_status_reason</id>
-        <label>HTTP Reason Text</label>
-        <type>text</type>
-        <help><![CDATA[An optional custom reason text for the HTTP status code. If empty the default reason for the specified code will be used.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_http-response_set-var</style>
-    </field>
-    <field>
-        <id>action.http_response_set_var_scope</id>
-        <label>Variable Scope</label>
-        <type>dropdown</type>
-        <help><![CDATA[The name of the variable starts with an indication about its scope.]]></help>
-    </field>
-    <field>
-        <id>action.http_response_set_var_name</id>
-        <label>Variable Name</label>
-        <type>text</type>
-    </field>
-    <field>
-        <id>action.http_response_set_var_expr</id>
-        <label>Expression</label>
-        <type>text</type>
-        <help><![CDATA[A standard HAProxy expression formed by a sample-fetch followed by some converters.]]></help>
-    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
@@ -376,61 +80,6 @@
         <type>text</type>
         <help><![CDATA[Specifies a URI which will be intercepted to return HAProxy's health status instead of forwarding the request. When a HTTP request is received, HAProxy will return either "HTTP/1.0 200 OK" or "HTTP/1.0 503 Service unavailable", depending on the fined failure conditions.]]></help>
     </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_tcp-request_content_lua</style>
-    </field>
-    <field>
-        <id>action.tcp_request_content_lua</id>
-        <label>Lua function</label>
-        <type>text</type>
-        <help><![CDATA[Execute the specified Lua function. You will most likely need to include/load your Lua code first.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_tcp-request_content_use-service</style>
-    </field>
-    <field>
-        <id>action.tcp_request_content_use_service</id>
-        <label>Lua service</label>
-        <type>text</type>
-        <help><![CDATA[Register the specified Lua service. You will most likely need to include/load your Lua code first.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_tcp-request_inspect-delay</style>
-    </field>
-    <field>
-        <id>action.tcp_request_inspect_delay</id>
-        <label>TCP inspection delay</label>
-        <type>text</type>
-        <help><![CDATA[Set the maximum allowed time to wait for data during content inspection. Defaults to milliseconds. You may also enter a number followed by one of the supported suffixes "d" (days), "h" (hour), "m" (minute), "s" (seconds), "ms" (miliseconds).]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_tcp-response_content_lua</style>
-    </field>
-    <field>
-        <id>action.tcp_response_content_lua</id>
-        <label>Lua function</label>
-        <type>text</type>
-        <help><![CDATA[Execute the specified Lua function. You will most likely need to include/load your Lua code first.]]></help>
-    </field>
-    <field>
-        <label>Parameters</label>
-        <type>header</type>
-        <style>type_table table_tcp-response_inspect-delay</style>
-    </field>
-    <field>
-        <id>action.tcp_response_inspect_delay</id>
-        <label>TCP inspection delay</label>
-        <type>text</type>
-        <help><![CDATA[Set the maximum allowed time to wait for a response during content inspection. Defaults to milliseconds. You may also enter a number followed by one of the supported suffixes "d" (days), "h" (hour), "m" (minute), "s" (seconds), "ms" (miliseconds).]]></help>
-    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
@@ -549,10 +198,80 @@
         <id>action.http_after_response_action</id>
         <label>Action</label>
         <type>dropdown</type>
+        <help><![CDATA[A detailed explanation of each action and examples can be found in <a href="http://docs.haproxy.org/3.2/configuration.html#4.3">HAProxy's documentation</a>.]]></help>
     </field>
     <field>
         <id>action.http_after_response_option</id>
         <label>Options/Values</label>
         <type>text</type>
+        <help><![CDATA[Some actions require additional parameters and specific syntax. Examples and explanations can be found in the <a href="http://docs.haproxy.org/3.2/configuration.html#http-after-response">HAProxy's documentation</a>.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_http-request</style>
+    </field>
+    <field>
+        <id>action.http_request_action</id>
+        <label>Action</label>
+        <type>dropdown</type>
+        <help><![CDATA[A detailed explanation of each action and examples can be found in <a href="http://docs.haproxy.org/3.2/configuration.html#4.3">HAProxy's documentation</a>.]]></help>
+    </field>
+    <field>
+        <id>action.http_request_option</id>
+        <label>Options/Values</label>
+        <type>text</type>
+        <help><![CDATA[Some actions require additional parameters and specific syntax. Examples and explanations can be found in the <a href="http://docs.haproxy.org/3.2/configuration.html#http-request">HAProxy's documentation</a>.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_http-response</style>
+    </field>
+    <field>
+        <id>action.http_response_action</id>
+        <label>Action</label>
+        <type>dropdown</type>
+        <help><![CDATA[A detailed explanation of each action and examples can be found in <a href="http://docs.haproxy.org/3.2/configuration.html#4.3">HAProxy's documentation</a>.]]></help>
+    </field>
+    <field>
+        <id>action.http_response_option</id>
+        <label>Options/Values</label>
+        <type>text</type>
+        <help><![CDATA[Some actions require additional parameters and specific syntax. Examples and explanations can be found in the <a href="http://docs.haproxy.org/3.2/configuration.html#http-response">HAProxy's documentation</a>.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_tcp-request</style>
+    </field>
+    <field>
+        <id>action.tcp_request_action</id>
+        <label>Action</label>
+        <type>dropdown</type>
+        <help><![CDATA[A detailed explanation of each action and examples can be found in <a href="http://docs.haproxy.org/3.2/configuration.html#4.3">HAProxy's documentation</a>.]]></help>
+    </field>
+    <field>
+        <id>action.tcp_request_option</id>
+        <label>Options/Values</label>
+        <type>text</type>
+        <help><![CDATA[Some actions require additional parameters and specific syntax. Examples and explanations can be found in the <a href="http://docs.haproxy.org/3.2/configuration.html#tcp-request">HAProxy's documentation</a>.]]></help>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_tcp-response</style>
+    </field>
+    <field>
+        <id>action.tcp_response_action</id>
+        <label>Action</label>
+        <type>dropdown</type>
+        <help><![CDATA[A detailed explanation of each action and examples can be found in <a href="http://docs.haproxy.org/3.2/configuration.html#4.3">HAProxy's documentation</a>.]]></help>
+    </field>
+    <field>
+        <id>action.tcp_response_option</id>
+        <label>Options/Values</label>
+        <type>text</type>
+        <help><![CDATA[Some actions require additional parameters and specific syntax. Examples and explanations can be found in the <a href="http://docs.haproxy.org/3.2/configuration.html#tcp-response">HAProxy's documentation</a>.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 9174d0b06f..fe49d5d225 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2269,13 +2269,20 @@
                 <type type="OptionField">
                     <Required>Y</Required>
                     <OptionValues>
-                        <use_backend>Use specified Backend Pool</use_backend>
-                        <use_server>Override server in Backend Pool</use_server>
-                        <map_use_backend>Map domains to backend pools using a map file</map_use_backend>
-                        <compression>Enable compression for HTTP responses/requests</compression>
+                        <compression>Compression for HTTP responses/requests</compression>
                         <fcgi_pass_header>FastCGI pass-header</fcgi_pass_header>
                         <fcgi_set_param>FastCGI set-param</fcgi_set_param>
                         <http-after-response>http-after-response</http-after-response>
+                        <http-request>http-request</http-request>
+                        <http-response>http-response</http-response>
+                        <map_use_backend>Map domains to backend pools using a map file</map_use_backend>
+                        <monitor_fail>monitor fail: report failure to a monitor request</monitor_fail>
+                        <tcp-request>tcp-request</tcp-request>
+                        <tcp-response>tcp-response</tcp-response>
+                        <use_backend>Use specified Backend Pool</use_backend>
+                        <use_server>Override server in Backend Pool</use_server>
+                        <custom>Custom rule (option pass-through)</custom>
+                        <!-- XXX obsolete fields, should be removed
                         <http-request_allow>http-request allow</http-request_allow>
                         <http-request_deny>http-request deny</http-request_deny>
                         <http-request_tarpit>http-request tarpit</http-request_tarpit>
@@ -2301,7 +2308,6 @@
                         <http-response_replace-value>http-response header replace value</http-response_replace-value>
                         <http-response_set-status>http-response set-status</http-response_set-status>
                         <http-response_set-var>http-response set-var</http-response_set-var>
-                        <monitor_fail>monitor fail: report failure to a monitor request</monitor_fail>
                         <tcp-request_connection_accept>tcp-request connection accept</tcp-request_connection_accept>
                         <tcp-request_connection_reject>tcp-request connection reject</tcp-request_connection_reject>
                         <tcp-request_content_accept>tcp-request content accept</tcp-request_content_accept>
@@ -2314,7 +2320,7 @@
                         <tcp-response_content_reject>tcp-response content reject</tcp-response_content_reject>
                         <tcp-response_content_lua>tcp-response content lua script</tcp-response_content_lua>
                         <tcp-response_inspect-delay>tcp-response inspect-delay</tcp-response_inspect-delay>
-                        <custom>Custom rule (option pass-through)</custom>
+                        -->
                     </OptionValues>
                 </type>
                 <use_backend type="ModelRelationField">
@@ -2351,6 +2357,14 @@
                     <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
                     <Required>N</Required>
                 </fcgi_set_param>
+                <monitor_fail_uri type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </monitor_fail_uri>
+                <custom type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </custom>
                 <http_after_response_action type="OptionField">
                     <Required>N</Required>
                     <OptionValues>
@@ -2382,6 +2396,248 @@
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_after_response_option>
+                <http_request_action type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <add-acl>add-acl</add-acl>
+                        <add-header>add-header</add-header>
+                        <allow>allow</allow>
+                        <auth>auth</auth>
+                        <cache-use>cache-use</cache-use>
+                        <capture>capture</capture>
+                        <del-acl>del-acl</del-acl>
+                        <del-header>del-header</del-header>
+                        <del-map>del-map</del-map>
+                        <deny>deny</deny>
+                        <disable-l7-retry>disable-l7-retry</disable-l7-retry>
+                        <do-log>do-log</do-log>
+                        <do-resolve>do-resolve</do-resolve>
+                        <early-hint>early-hint</early-hint>
+                        <normalize-uri>normalize-uri</normalize-uri>
+                        <redirect>redirect</redirect>
+                        <reject>reject</reject>
+                        <replace-header>replace-header</replace-header>
+                        <replace-path>replace-path</replace-path>
+                        <replace-pathq>replace-pathq</replace-pathq>
+                        <replace-uri>replace-uri</replace-uri>
+                        <replace-value>replace-value</replace-value>
+                        <return>return</return>
+                        <sc-add-gpc>sc-add-gpc</sc-add-gpc>
+                        <sc-inc-gpc>sc-inc-gpc</sc-inc-gpc>
+                        <sc-inc-gpc0>sc-inc-gpc0</sc-inc-gpc0>
+                        <sc-inc-gpc1>sc-inc-gpc1</sc-inc-gpc1>
+                        <sc-set-gpt>sc-set-gpt</sc-set-gpt>
+                        <sc-set-gpt0>sc-set-gpt0</sc-set-gpt0>
+                        <send-spoe-group>send-spoe-group</send-spoe-group>
+                        <set-dst>set-dst</set-dst>
+                        <set-dst-port>set-dst-port</set-dst-port>
+                        <set-fc-mark>set-fc-mark</set-fc-mark>
+                        <set-fc-tos>set-fc-tos</set-fc-tos>
+                        <set-header>set-header</set-header>
+                        <set-log-level>set-log-level</set-log-level>
+                        <set-map>set-map</set-map>
+                        <set-method>set-method</set-method>
+                        <set-nice>set-nice</set-nice>
+                        <set-path>set-path</set-path>
+                        <set-pathq>set-pathq</set-pathq>
+                        <set-priority-class>set-priority-class</set-priority-class>
+                        <set-priority-offset>set-priority-offset</set-priority-offset>
+                        <set-query>set-query</set-query>
+                        <set-src>set-src</set-src>
+                        <set-src-port>set-src-port</set-src-port>
+                        <set-timeout>set-timeout</set-timeout>
+                        <set-uri>set-uri</set-uri>
+                        <set-var>set-var</set-var>
+                        <set-var-fmt>set-var-fmt</set-var-fmt>
+                        <silent-drop>silent-drop</silent-drop>
+                        <strict-mode>strict-mode</strict-mode>
+                        <tarpit>tarpit</tarpit>
+                        <track-sc0>track-sc0</track-sc0>
+                        <track-sc1>track-sc1</track-sc1>
+                        <track-sc2>track-sc2</track-sc2>
+                        <track-sc>track-sc</track-sc>
+                        <unset-var>unset-var</unset-var>
+                        <use-service>use-service</use-service>
+                        <wait-for-body>wait-for-body</wait-for-body>
+                        <wait-for-handshake>wait-for-handshake</wait-for-handshake>
+                    </OptionValues>
+                </http_request_action>
+                <http_request_option type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </http_request_option>
+                <http_response_action type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <add-acl>add-acl</add-acl>
+                        <add-header>add-header</add-header>
+                        <allow>allow</allow>
+                        <cache-store>cache-store</cache-store>
+                        <capture>capture</capture>
+                        <del-acl>del-acl</del-acl>
+                        <del-header>del-header</del-header>
+                        <del-map>del-map</del-map>
+                        <deny>deny</deny>
+                        <do-log>do-log</do-log>
+                        <redirect>redirect</redirect>
+                        <replace-header>replace-header</replace-header>
+                        <replace-value>replace-value</replace-value>
+                        <return>return</return>
+                        <sc-add-gpc>sc-add-gpc</sc-add-gpc>
+                        <sc-inc-gpc>sc-inc-gpc</sc-inc-gpc>
+                        <sc-inc-gpc0>sc-inc-gpc0</sc-inc-gpc0>
+                        <sc-inc-gpc1>sc-inc-gpc1</sc-inc-gpc1>
+                        <sc-set-gpt>sc-set-gpt</sc-set-gpt>
+                        <sc-set-gpt0>sc-set-gpt0</sc-set-gpt0>
+                        <send-spoe-group>send-spoe-group</send-spoe-group>
+                        <set-fc-mark>set-fc-mark</set-fc-mark>
+                        <set-fc-tos>set-fc-tos</set-fc-tos>
+                        <set-header>set-header</set-header>
+                        <set-log-level>set-log-level</set-log-level>
+                        <set-map>set-map</set-map>
+                        <set-nice>set-nice</set-nice>
+                        <set-status>set-status</set-status>
+                        <set-timeout>set-timeout</set-timeout>
+                        <set-var>set-var</set-var>
+                        <set-var-fmt>set-var-fmt</set-var-fmt>
+                        <silent-drop>silent-drop</silent-drop>
+                        <strict-mode>strict-mode</strict-mode>
+                        <track-sc0>track-sc0</track-sc0>
+                        <track-sc1>track-sc1</track-sc1>
+                        <track-sc2>track-sc2</track-sc2>
+                        <track-sc>track-sc</track-sc>
+                        <unset-var>unset-var</unset-var>
+                        <wait-for-body>wait-for-body</wait-for-body>
+                    </OptionValues>
+                </http_response_action>
+                <http_response_option type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </http_response_option>
+                <tcp_request_action type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <connection_accept>connection accept</connection_accept>
+                        <connection_expect-netscaler-cip>connection expect-netscaler-cip</connection_expect-netscaler-cip>
+                        <connection_expect-proxy>connection expect-proxy</connection_expect-proxy>
+                        <connection_fc-silent-drop>connection fc-silent-drop</connection_fc-silent-drop>
+                        <connection_reject>connection reject</connection_reject>
+                        <connection_sc-add-gpc>connection sc-add-gpc</connection_sc-add-gpc>
+                        <connection_sc-inc-gpc>connection sc-inc-gpc</connection_sc-inc-gpc>
+                        <connection_sc-inc-gpc0>connection sc-inc-gpc0</connection_sc-inc-gpc0>
+                        <connection_sc-inc-gpc1>connection sc-inc-gpc1</connection_sc-inc-gpc1>
+                        <connection_sc-set-gpt>connection sc-set-gpt</connection_sc-set-gpt>
+                        <connection_sc-set-gpt0>connection sc-set-gpt0</connection_sc-set-gpt0>
+                        <connection_send-spoe-group>connection send-spoe-group</connection_send-spoe-group>
+                        <connection_set-dst>connection set-dst</connection_set-dst>
+                        <connection_set-dst-port>connection set-dst-port</connection_set-dst-port>
+                        <connection_set-fc-mark>connection set-fc-mark</connection_set-fc-mark>
+                        <connection_set-fc-tos>connection set-fc-tos</connection_set-fc-tos>
+                        <connection_set-log-level>connection set-log-level</connection_set-log-level>
+                        <connection_set-src>connection set-src</connection_set-src>
+                        <connection_set-src-port>connection set-src-port</connection_set-src-port>
+                        <connection_set-var>connection set-var</connection_set-var>
+                        <connection_set-var-fmt>connection set-var-fmt</connection_set-var-fmt>
+                        <connection_silent-drop>connection silent-drop</connection_silent-drop>
+                        <connection_track-sc>connection track-sc</connection_track-sc>
+                        <connection_track-sc0>connection track-sc0</connection_track-sc0>
+                        <connection_track-sc1>connection track-sc1</connection_track-sc1>
+                        <connection_track-sc2>connection track-sc2</connection_track-sc2>
+                        <connection_unset-var>connection unset-var</connection_unset-var>
+                        <content_accept>content accept</content_accept>
+                        <content_capture>content capture</content_capture>
+                        <content_do-resolve>content do-resolve</content_do-resolve>
+                        <content_lua>content lua</content_lua>
+                        <content_reject>content reject</content_reject>
+                        <content_sc-add-gpc>content sc-add-gpc</content_sc-add-gpc>
+                        <content_sc-inc-gpc>content sc-inc-gpc</content_sc-inc-gpc>
+                        <content_sc-inc-gpc0>content sc-inc-gpc0</content_sc-inc-gpc0>
+                        <content_sc-inc-gpc1>content sc-inc-gpc1</content_sc-inc-gpc1>
+                        <content_sc-set-gpt>content sc-set-gpt</content_sc-set-gpt>
+                        <content_sc-set-gpt0>content sc-set-gpt0</content_sc-set-gpt0>
+                        <content_send-spoe-group>content send-spoe-group</content_send-spoe-group>
+                        <content_set-dst>content set-dst</content_set-dst>
+                        <content_set-dst-port>content set-dst-port</content_set-dst-port>
+                        <content_set-fc-mark>content set-fc-mark</content_set-fc-mark>
+                        <content_set-fc-tos>content set-fc-tos</content_set-fc-tos>
+                        <content_set-log-level>content set-log-level</content_set-log-level>
+                        <content_set-nice>content set-nice</content_set-nice>
+                        <content_set-priority-class>content set-priority-class</content_set-priority-class>
+                        <content_set-priority-offset>content set-priority-offset</content_set-priority-offset>
+                        <content_set-src>content set-src</content_set-src>
+                        <content_set-src-port>content set-src-port</content_set-src-port>
+                        <content_set-var>content set-var</content_set-var>
+                        <content_set-var-fmt>content set-var-fmt</content_set-var-fmt>
+                        <content_silent-drop>content silent-drop</content_silent-drop>
+                        <content_switch-mode>content switch-mode</content_switch-mode>
+                        <content_track-sc>content track-sc</content_track-sc>
+                        <content_track-sc0>content track-sc0</content_track-sc0>
+                        <content_track-sc1>content track-sc1</content_track-sc1>
+                        <content_track-sc2>content track-sc2</content_track-sc2>
+                        <content_unset-var>content unset-var</content_unset-var>
+                        <content_use-service>content use-service</content_use-service>
+                        <inspect-delay>inspect-delay</inspect-delay>
+                        <session_accept>session accept</session_accept>
+                        <session_attach-srv>session attach-srv</session_attach-srv>
+                        <session_reject>session reject</session_reject>
+                        <session_sc-add-gpc>session sc-add-gpc</session_sc-add-gpc>
+                        <session_sc-inc-gpc>session sc-inc-gpc</session_sc-inc-gpc>
+                        <session_sc-inc-gpc0>session sc-inc-gpc0</session_sc-inc-gpc0>
+                        <session_sc-inc-gpc1>session sc-inc-gpc1</session_sc-inc-gpc1>
+                        <session_sc-set-gpt>session sc-set-gpt</session_sc-set-gpt>
+                        <session_sc-set-gpt0>session sc-set-gpt0</session_sc-set-gpt0>
+                        <session_send-spoe-group>session send-spoe-group</session_send-spoe-group>
+                        <session_set-dst>session set-dst</session_set-dst>
+                        <session_set-dst-port>session set-dst-port</session_set-dst-port>
+                        <session_set-fc-mark>session set-fc-mark</session_set-fc-mark>
+                        <session_set-fc-tos>session set-fc-tos</session_set-fc-tos>
+                        <session_set-log-level>session set-log-level</session_set-log-level>
+                        <session_set-src>session set-src</session_set-src>
+                        <session_set-src-port>session set-src-port</session_set-src-port>
+                        <session_set-var>session set-var</session_set-var>
+                        <session_set-var-fmt>session set-var-fmt</session_set-var-fmt>
+                        <session_silent-drop>session silent-drop</session_silent-drop>
+                        <session_track-sc>session track-sc</session_track-sc>
+                        <session_track-sc0>session track-sc0</session_track-sc0>
+                        <session_track-sc1>session track-sc1</session_track-sc1>
+                        <session_track-sc2>session track-sc2</session_track-sc2>
+                        <session_unset-var>session unset-var</session_unset-var>
+                    </OptionValues>
+                </tcp_request_action>
+                <tcp_request_option type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </tcp_request_option>
+                <tcp_response_action type="OptionField">
+                    <Required>N</Required>
+                    <OptionValues>
+                        <content_accept>content accept</content_accept>
+                        <content_close>content close</content_close>
+                        <content_lua>content lua</content_lua>
+                        <content_reject>content reject</content_reject>
+                        <content_sc-add-gpc>content sc-add-gpc</content_sc-add-gpc>
+                        <content_sc-inc-gpc>content sc-inc-gpc</content_sc-inc-gpc>
+                        <content_sc-inc-gpc0>content sc-inc-gpc0</content_sc-inc-gpc0>
+                        <content_sc-inc-gpc1>content sc-inc-gpc1</content_sc-inc-gpc1>
+                        <content_sc-set-gpt>content sc-set-gpt</content_sc-set-gpt>
+                        <content_sc-set-gpt0>content sc-set-gpt0</content_sc-set-gpt0>
+                        <content_send-spoe-group>content send-spoe-group</content_send-spoe-group>
+                        <content_set-fc-mark>content set-fc-mark</content_set-fc-mark>
+                        <content_set-fc-tos>content set-fc-tos</content_set-fc-tos>
+                        <content_set-log-level>content set-log-level</content_set-log-level>
+                        <content_set-nice>content set-nice</content_set-nice>
+                        <content_set-var>content set-var</content_set-var>
+                        <content_set-var-fmt>content set-var-fmt</content_set-var-fmt>
+                        <content_silent-drop>content silent-drop</content_silent-drop>
+                        <content_unset-var>content unset-var</content_unset-var>
+                        <inspect-delay>inspect-delay</inspect-delay>
+                    </OptionValues>
+                </tcp_response_action>
+                <tcp_response_option type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </tcp_response_option>
+                <!-- /START/ TODO obsolete options, required for migration to model 4.2.0 -->
                 <http_request_auth type="TextField">
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
@@ -2392,7 +2648,6 @@
                     <ValidationMessage>Please specify a value between 100 and 999.</ValidationMessage>
                     <Required>N</Required>
                 </http_request_deny_status>
-                <!-- XXX: add support for all "redirect" parameters as separate fields -->
                 <http_request_redirect type="TextField">
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
@@ -2533,10 +2788,6 @@
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_response_set_var_expr>
-                <monitor_fail_uri type="TextField">
-                    <Mask>/^.{1,4096}$/u</Mask>
-                    <Required>N</Required>
-                </monitor_fail_uri>
                 <tcp_request_content_lua type="TextField">
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
@@ -2557,44 +2808,7 @@
                     <Mask>/^.{1,32}$/u</Mask>
                     <Required>N</Required>
                 </tcp_response_inspect_delay>
-                <custom type="TextField">
-                    <Mask>/^.{1,4096}$/u</Mask>
-                    <Required>N</Required>
-                </custom>
-                <!-- XXX old values, required for migration to model 2.0.0 -->
-                <useBackend type="ModelRelationField">
-                    <Model>
-                        <template>
-                            <source>OPNsense.HAProxy.HAProxy</source>
-                            <items>backends.backend</items>
-                            <display>name</display>
-                        </template>
-                    </Model>
-                    <ValidationMessage>Related backend item not found</ValidationMessage>
-                    <Multiple>Y</Multiple>
-                    <Required>N</Required>
-                </useBackend>
-                <useServer type="ModelRelationField">
-                    <Model>
-                        <template>
-                            <source>OPNsense.HAProxy.HAProxy</source>
-                            <items>servers.server</items>
-                            <display>name</display>
-                        </template>
-                    </Model>
-                    <ValidationMessage>Related server item not found</ValidationMessage>
-                    <Multiple>Y</Multiple>
-                    <Required>N</Required>
-                </useServer>
-                <actionName type="TextField">
-                    <Required>N</Required>
-                </actionName>
-                <actionFind type="TextField">
-                    <Required>N</Required>
-                </actionFind>
-                <actionValue type="TextField">
-                    <Required>N</Required>
-                </actionValue>
+                <!-- /END/ TODO obsolete options, required for migration to model 4.2.0 -->
                 <map_use_backend_file type="ModelRelationField">
                     <Model>
                         <template>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php
new file mode 100644
index 0000000000..4bf0305efc
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php
@@ -0,0 +1,310 @@
+<?php
+
+/**
+ *    Copyright (C) 2026 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\HAProxy\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M4_2_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->getNodeByReference('actions.action')->iterateItems() as $action) {
+            switch ((string)$action->type) {
+                case 'http-request_add-header':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'add-header';
+                    if (isset($action->http_request_add_header_name)) {
+                        $action->http_request_option = (string)$action->http_request_add_header_name . ' ' . (string)$action->http_request_add_header_content;
+                        $action->http_request_add_header_name = null;
+                        $action->http_request_add_header_content = null;
+                    }
+                    break;
+                case 'http-request_allow':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'allow';
+                    break;
+                case 'http-request_auth':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'auth';
+                    if (isset($action->http_request_auth)) {
+                        $action->http_request_option = 'realm ' . (string)$action->http_request_auth;
+                        $action->http_request_auth = null;
+                    }
+                    break;
+                case 'http-request_del-header':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'del-header';
+                    if (isset($action->http_request_del_header_name)) {
+                        $action->http_request_option = (string)$action->http_request_del_header_name;
+                        $action->http_request_del_header_name = null;
+                    }
+                    break;
+                case 'http-request_deny':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'deny';
+                    if (!empty($action->http_request_deny_status)) {
+                        $action->http_request_option = 'deny_status ' . (string)$action->http_request_deny_status;
+                        $action->http_request_deny_status = null;
+                    }
+                    break;
+                case 'http-request_lua':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'lua';
+                    if (isset($action->http_request_lua)) {
+                        $action->http_request_option = (string)$action->http_request_lua;
+                        $action->http_request_lua = null;
+                    }
+                    break;
+                case 'http-request_redirect':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'redirect';
+                    if (isset($action->http_request_redirect)) {
+                        $action->http_request_option = (string)$action->http_request_redirect;
+                        $action->http_request_redirect = null;
+                    }
+                    break;
+                case 'http-request_replace-header':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'replace-header';
+                    if (isset($action->http_request_replace_header_name)) {
+                        $action->http_request_option = (string)$action->http_request_replace_header_name . ' ' . (string)$action->http_request_replace_header_regex;
+                        $action->http_request_replace_header_name = null;
+                        $action->http_request_replace_header_regex = null;
+                    }
+                    break;
+                case 'http-request_replace-value':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'replace-value';
+                    if (isset($action->http_request_replace_value_name)) {
+                        $action->http_request_option = (string)$action->http_request_replace_value_name . ' ' . (string)$action->http_request_replace_value_regex;
+                        $action->http_request_replace_value_name = null;
+                        $action->http_request_replace_value_regex = null;
+                    }
+                    break;
+                case 'http-request_set-header':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'set-header';
+                    if (isset($action->http_request_set_header_name)) {
+                        $action->http_request_option = (string)$action->http_request_set_header_name . ' ' . (string)$action->http_request_set_header_content;
+                        $action->http_request_set_header_name = null;
+                        $action->http_request_set_header_content = null;
+                    }
+                    break;
+                case 'http-request_set-path':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'set-path';
+                    if (isset($action->http_request_set_path)) {
+                        $action->http_request_option = (string)$action->http_request_set_path;
+                        $action->http_request_set_path = null;
+                    }
+                    break;
+                case 'http-request_set-var':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'set-var';
+                    if (isset($action->http_request_set_var_scope)) {
+                        $action->http_request_option = '(' . (string)$action->http_request_set_var_scope . '.' . (string)$action->http_request_set_var_name . ') ' . (string)$action->http_request_set_var_expr;
+                        $action->http_request_set_var_scope = null;
+                        $action->http_request_set_var_name = null;
+                        $action->http_request_set_var_expr = null;
+                    }
+                    break;
+                case 'http-request_silent-drop':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'silent-drop';
+                    break;
+                case 'http-request_tarpit':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'tarpit';
+                    break;
+                case 'http-request_use-service':
+                    $action->type = 'http-request';
+                    $action->http_request_action = 'use-service';
+                    if (isset($action->http_request_use_service)) {
+                        $action->http_request_option = (string)$action->http_request_use_service;
+                        $action->http_request_use_service = null;
+                    }
+                    break;
+                case 'http-response_add-header':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'add-header';
+                    if (isset($action->http_response_add_header_name)) {
+                        $action->http_response_option = (string)$action->http_response_add_header_name . ' ' . (string)$action->http_response_add_header_content;
+                        $action->http_response_add_header_name = null;
+                        $action->http_response_add_header_content = null;
+                    }
+                    break;
+                case 'http-response_allow':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'allow';
+                    break;
+                case 'http-response_del-header':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'del-header';
+                    if (isset($action->http_response_del_header_name)) {
+                        $action->http_response_option = (string)$action->http_response_del_header_name;
+                        $action->http_response_del_header_name = null;
+                    }
+                    break;
+                case 'http-response_deny':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'deny';
+                    break;
+                case 'http-response_lua':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'lua';
+                    if (isset($action->http_response_lua)) {
+                        $action->http_response_option = (string)$action->http_response_lua;
+                        $action->http_response_lua = null;
+                    }
+                    break;
+                case 'http-response_replace-header':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'replace-header';
+                    if (isset($action->http_response_replace_header_name)) {
+                        $action->http_response_option = (string)$action->http_response_replace_header_name . ' ' . (string)$action->http_response_replace_header_regex;
+                        $action->http_response_replace_header_name = null;
+                        $action->http_response_replace_header_regex = null;
+                    }
+                    break;
+                case 'http-response_replace-value':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'replace-value';
+                    if (isset($action->http_response_replace_value_name)) {
+                        $action->http_response_option = (string)$action->http_response_replace_value_name . ' ' . (string)$action->http_response_replace_value_regex;
+                        $action->http_response_replace_value_name = null;
+                        $action->http_response_replace_value_regex = null;
+                    }
+                    break;
+                case 'http-response_set-header':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'set-header';
+                    if (isset($action->http_response_set_header_name)) {
+                        $action->http_response_option = (string)$action->http_response_set_header_name . ' ' . (string)$action->http_response_set_header_content;
+                        $action->http_response_set_header_name = null;
+                        $action->http_response_set_header_content = null;
+                    }
+                    break;
+                case 'http-response_set-status':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'set-status';
+                    if (isset($action->http_response_set_status_code)) {
+                        if (isset($action->http_response_set_status_reason)) {
+                            $status_reason = ' reason "' . (string)$action->http_response_set_status_reason . '"';
+                        } else {
+                            $status_reason = '';
+                        }
+                        $action->http_response_option = (string)$action->http_response_set_status_code . $status_reason;
+                        $action->http_response_set_status_code = null;
+                        $action->http_response_set_status_reason = null;
+                  }
+                    break;
+                case 'http-response_set-var':
+                    $action->type = 'http-response';
+                    $action->http_response_action = 'set-var';
+                    if (isset($action->http_response_set_var_scope)) {
+                        $action->http_response_option = '(' . (string)$action->http_response_set_var_scope . '.' . (string)$action->http_response_set_var_name . ') ' . (string)$action->http_response_set_var_expr;
+                        $action->http_response_set_var_scope = null;
+                        $action->http_response_set_var_name = null;
+                        $action->http_response_set_var_expr = null;
+                    }
+                    break;
+                case 'tcp-request_connection_accept':
+                    $action->type = 'tcp-request';
+                    $action->tcp_request_action = 'connection_accept';
+                    break;
+                case 'tcp-request_connection_reject':
+                    $action->type = 'tcp-request';
+                    $action->tcp_request_action = 'connection_reject';
+                    break;
+                case 'tcp-request_content_accept':
+                    $action->type = 'tcp-request';
+                    $action->tcp_request_action = 'content_accept';
+                    break;
+                case 'tcp-request_content_lua':
+                    $action->type = 'tcp-request';
+                    $action->tcp_request_action = 'content_lua';
+                    if (isset($action->tcp_request_content_lua)) {
+                        $action->tcp_request_option = (string)$action->tcp_request_content_lua;
+                        $action->tcp_request_content_lua = null;
+                    }
+                    break;
+                case 'tcp-request_content_reject':
+                    $action->type = 'tcp-request';
+                    $action->tcp_request_action = 'content_reject';
+                    break;
+                case 'tcp-request_content_use-service':
+                    $action->type = 'tcp-request';
+                    $action->tcp_request_action = 'content_use-service';
+                    if (isset($action->tcp_request_content_use_service)) {
+                        $action->tcp_request_option = (string)$action->tcp_request_content_use_service;
+                        $action->tcp_request_content_use_service = null;
+                    }
+                    break;
+                case 'tcp-request_inspect-delay':
+                    $action->type = 'tcp-request';
+                    $action->tcp_request_action = 'inspect-delay';
+                    if (isset($action->tcp_request_inspect_delay)) {
+                        $action->tcp_request_option = (string)$action->tcp_request_inspect_delay;
+                        $action->tcp_request_inspect_delay = null;
+                    }
+                    break;
+                case 'tcp-response_content_accept':
+                    $action->type = 'tcp-response';
+                    $action->tcp_response_action = 'content_accept';
+                    break;
+                case 'tcp-response_content_close':
+                    $action->type = 'tcp-response';
+                    $action->tcp_response_action = 'content_close';
+                    break;
+                case 'tcp-response_content_lua':
+                    $action->type = 'tcp-response';
+                    $action->tcp_response_action = 'content_lua';
+                    if (isset($action->tcp_response_content_lua)) {
+                        $action->tcp_response_option = (string)$action->tcp_response_content_lua;
+                        $action->tcp_response_content_lua = null;
+                    }
+                    break;
+                case 'tcp-response_content_reject':
+                    $action->type = 'tcp-response';
+                    $action->tcp_response_action = 'content_reject';
+                    break;
+                case 'tcp-response_inspect-delay':
+                    $action->type = 'tcp-response';
+                    $action->tcp_response_action = 'inspect-delay';
+                    if (isset($action->tcp_response_inspect_delay)) {
+                        $action->tcp_response_option = (string)$action->tcp_response_inspect_delay;
+                        $action->tcp_response_inspect_delay = null;
+                    }
+                    break;
+            }
+        }
+    }
+}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 6f05023321..022f2938d4 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -58,7 +58,7 @@
 {%           set acl_data = helpers.getUUID(acl) %}
 {#           # check if this ACL can be found in configuration #}
 {%           if acl_data == {} %}
-    # ERROR: ACL data not found ({{acl}})
+    # ERROR: Condition data not found ({{acl}})
 {%             set acl_errors = acl_errors + 1 %}
 {%             set acl_enabled = '0' %}
 {%           else %}
@@ -70,7 +70,7 @@
 {%             endif %}
 {#             # check if this ACL was already defined in this scope #}
 {%             if acl_data.id in acls_seen %}
-{#  # DEBUG: ignoring duplicate ACL {{acl_data.name}} #}
+{#  # DEBUG: ignoring duplicate condition {{acl_data.name}} #}
 {%               continue %}
 {%             endif %}
 {%             do acls_seen.append(acl_data.id) %}
@@ -425,16 +425,16 @@
 {%               endif %}
 {%             else %}
 {%               set acl_enabled = '0' %}
-    # ERROR: unsupported ACL expression
+    # ERROR: unsupported expression in condition
 {%             endif %}
 {%           endif %}
 {#           # check if ACL is valid #}
 {%           if acl_enabled == '1' %}
-    # ACL: {{acl_data.name}}
+    # CONDITION: {{acl_data.name}}
     acl acl_{{acl_data.id}} {{acl_options|join(' ')}}
 {%           else %}
 {%             set acl_errors = acl_errors + 1 %}
-    # ACL INVALID: {{acl_data.name}} ({{acl}})
+    # CONDITION INVALID: {{acl_data.name}} ({{acl}})
 {%           endif %}
 {%         endfor %}
 {%       endif %}
@@ -510,155 +510,40 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
-{%         elif action_data.type == 'http-request_allow' %}
-{%           do action_options.append('http-request allow') %}
-{%         elif action_data.type == 'http-request_deny' %}
-{%           if action_data.http_request_deny_status|default("") != "" %}
-{%             do action_options.append('http-request deny deny_status ' ~ action_data.http_request_deny_status) %}
-{%           else %}
-{%             do action_options.append('http-request deny') %}
-{%           endif %}
-{%         elif action_data.type == 'http-request_tarpit' %}
-{%           do action_options.append('http-request tarpit') %}
-{%         elif action_data.type == 'http-request_auth' %}
-{%           if action_data.http_request_auth|default("") != "" %}
-{%             do action_options.append('http-request auth realm ' ~ action_data.http_request_auth) %}
-{%           else %}
-{%             do action_options.append('http-request auth') %}
-{%           endif %}
-{%         elif action_data.type == 'http-request_redirect' %}
-{%           if action_data.http_request_redirect|default("") != "" %}
-{%             do action_options.append('http-request redirect ' ~ action_data.http_request_redirect) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_lua' %}
-{%           if action_data.http_request_lua|default("") != "" %}
-{%             do action_options.append('http-request lua.' ~ action_data.http_request_lua) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_use-service' %}
-{%           if action_data.http_request_use_service|default("") != "" %}
-{%             do action_options.append('http-request use-service lua.' ~ action_data.http_request_use_service) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_add-header' %}
-{%           if action_data.http_request_add_header_name|default("") != "" and action_data.http_request_add_header_content|default("") != "" %}
-{%             do action_options.append('http-request add-header ' ~ action_data.http_request_add_header_name ~ ' ' ~ action_data.http_request_add_header_content) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_set-header' %}
-{%           if action_data.http_request_set_header_name|default("") != "" and action_data.http_request_set_header_content|default("") != "" %}
-{%             do action_options.append('http-request set-header ' ~ action_data.http_request_set_header_name ~ ' ' ~ action_data.http_request_set_header_content) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_del-header' %}
-{%           if action_data.http_request_del_header_name|default("") != "" %}
-{%             do action_options.append('http-request del-header ' ~ action_data.http_request_del_header_name) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_replace-header' %}
-{%           if action_data.http_request_replace_header_name|default("") != "" and action_data.http_request_replace_header_regex|default("") != "" %}
-{%             do action_options.append('http-request replace-header ' ~ action_data.http_request_replace_header_name ~ ' ' ~ action_data.http_request_replace_header_regex) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_replace-value' %}
-{%           if action_data.http_request_replace_value_name|default("") != "" and action_data.http_request_replace_value_regex|default("") != "" %}
-{%             do action_options.append('http-request replace-value ' ~ action_data.http_request_replace_value_name ~ ' ' ~ action_data.http_request_replace_value_regex) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_set-path' %}
-{%           if action_data.http_request_set_path|default("") != "" %}
-{%             do action_options.append('http-request set-path ' ~ action_data.http_request_set_path) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_set-var' %}
-{%           if action_data.http_request_set_var_scope|default("") != "" and action_data.http_request_set_var_name|default("") != "" and action_data.http_request_set_var_expr|default("") != "" %}
-{%             do action_options.append('http-request set-var(' ~ action_data.http_request_set_var_scope ~ '.' ~ action_data.http_request_set_var_name ~ ') ' ~ action_data.http_request_set_var_expr) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-request_silent-drop' %}
-{%           do action_options.append('http-request silent-drop') %}
-{%         elif action_data.type == 'http-response_allow' %}
-{%           do action_options.append('http-response allow') %}
-{%         elif action_data.type == 'http-response_deny' %}
-{%           do action_options.append('http-response deny') %}
-{%         elif action_data.type == 'http-response_lua' %}
-{%           if action_data.http_response_lua|default("") != "" %}
-{%             do action_options.append('http-response lua.' ~ action_data.http_response_lua) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-response_add-header' %}
-{%           if action_data.http_response_add_header_name|default("") != "" and action_data.http_response_add_header_content|default("") != "" %}
-{%             do action_options.append('http-response add-header ' ~ action_data.http_response_add_header_name ~ ' ' ~ action_data.http_response_add_header_content) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-response_set-header' %}
-{%           if action_data.http_response_set_header_name|default("") != "" and action_data.http_response_set_header_content|default("") != "" %}
-{%             do action_options.append('http-response set-header ' ~ action_data.http_response_set_header_name ~ ' ' ~ action_data.http_response_set_header_content) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-response_del-header' %}
-{%           if action_data.http_response_del_header_name|default("") != "" %}
-{%             do action_options.append('http-response del-header ' ~ action_data.http_response_del_header_name) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-response_replace-header' %}
-{%           if action_data.http_response_replace_header_name|default("") != "" and action_data.http_response_replace_header_regex|default("") != "" %}
-{%             do action_options.append('http-response replace-header ' ~ action_data.http_response_replace_header_name ~ ' ' ~ action_data.http_response_replace_header_regex) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-response_replace-value' %}
-{%           if action_data.http_response_replace_value_name|default("") != "" and action_data.http_response_replace_value_regex|default("") != "" %}
-{%             do action_options.append('http-response replace-value ' ~ action_data.http_response_replace_value_name ~ ' ' ~ action_data.http_response_replace_value_regex) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'http-response_set-status' %}
-{%           if action_data.http_response_set_status_code|default("") != "" %}
-{%             if action_data.http_response_set_status_reason|default("") != "" %}
-{%               set status_reason = ' reason "' ~ action_data.http_response_set_status_reason ~ '"' %}
+{%         elif action_data.type == 'http-request' %}
+{%           if action_data.http_request_action|default('') != '' %}
+{#             # Some action keywords require a different syntax. #}
+{%             if action_data.http_request_action == 'lua' %}
+{%               set action_keyword_data = 'lua.' ~ action_data.http_request_option %}
+{%             elif action_data.http_request_action == 'set-var' %}
+{%               set action_keyword_data = 'set-var' ~ action_data.http_request_option %}
+{%             elif action_data.http_request_action == 'use-service' %}
+{%               set action_keyword_data = 'use-service lua.' ~ action_data.http_request_option %}
 {%             else %}
-{%               set status_reason = '' %}
+{%               set action_keyword_data = action_data.http_request_action %}
+{%               if action_data.http_request_option|default('') != '' %}
+{%                 set action_keyword_data = action_keyword_data ~ ' ' ~ action_data.http_request_option %}
+{%               endif %}
 {%             endif %}
-{%             do action_options.append('http-response set-status ' ~ action_data.http_response_set_status_code ~ status_reason) %}
+{%             do action_options.append('http-request ' ~ action_keyword_data) %}
 {%           else %}
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
-{%         elif action_data.type == 'http-response_set-var' %}
-{%           if action_data.http_response_set_var_scope|default("") != "" and action_data.http_response_set_var_name|default("") != "" and action_data.http_response_set_var_expr|default("") != "" %}
-{%             do action_options.append('http-response set-var(' ~ action_data.http_response_set_var_scope ~ '.' ~ action_data.http_response_set_var_name ~ ') ' ~ action_data.http_response_set_var_expr) %}
+{%         elif action_data.type == 'http-response' %}
+{%           if action_data.http_response_action|default('') != '' %}
+{#             # Some action keywords require a different syntax. #}
+{%             if action_data.http_response_action == 'lua' %}
+{%               set action_keyword_data = 'lua.' ~ action_data.http_response_option %}
+{%             elif action_data.http_response_action == 'set-var' %}
+{%               set action_keyword_data = 'set-var' ~ action_data.http_response_option %}
+{%             else %}
+{%               set action_keyword_data = action_data.http_response_action %}
+{%               if action_data.http_response_option|default('') != '' %}
+{%                 set action_keyword_data = action_keyword_data ~ ' ' ~ action_data.http_response_option %}
+{%               endif %}
+{%             endif %}
+{%             do action_options.append('http-response ' ~ action_keyword_data) %}
 {%           else %}
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
@@ -671,51 +556,40 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
-{%         elif action_data.type == 'tcp-request_connection_accept' %}
-{%           do action_options.append('tcp-request connection accept') %}
-{%         elif action_data.type == 'tcp-request_connection_reject' %}
-{%           do action_options.append('tcp-request connection reject') %}
-{%         elif action_data.type == 'tcp-request_content_accept' %}
-{%           do action_options.append('tcp-request content accept') %}
-{%         elif action_data.type == 'tcp-request_content_reject' %}
-{%           do action_options.append('tcp-request content reject') %}
-{%         elif action_data.type == 'tcp-request_content_lua' %}
-{%           if action_data.tcp_request_content_lua|default("") != "" %}
-{%             do action_options.append('tcp-request content lua.' ~ action_data.tcp_request_content_lua) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'tcp-request_content_use-service' %}
-{%           if action_data.tcp_request_content_use_service|default("") != "" %}
-{%             do action_options.append('tcp-request content use-service lua.' ~ action_data.tcp_request_content_use_service) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'tcp-request_inspect-delay' %}
-{%           if action_data.tcp_request_inspect_delay|default("") != "" %}
-{%             do action_options.append('tcp-request inspect-delay ' ~ action_data.tcp_request_inspect_delay) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-    # ERROR: missing parameters
-{%           endif %}
-{%         elif action_data.type == 'tcp-response_content_accept' %}
-{%           do action_options.append('tcp-response content accept') %}
-{%         elif action_data.type == 'tcp-response_content_close' %}
-{%           do action_options.append('tcp-response content close') %}
-{%         elif action_data.type == 'tcp-response_content_reject' %}
-{%           do action_options.append('tcp-response content reject') %}
-{%         elif action_data.type == 'tcp-response_content_lua' %}
-{%           if action_data.tcp_response_content_lua|default("") != "" %}
-{%             do action_options.append('tcp-response content lua.' ~ action_data.tcp_response_content_lua) %}
+{%         elif action_data.type == 'tcp-request' %}
+{%           if action_data.tcp_request_action|default('') != '' %}
+{#             # Convert back to HAProxy-compatible format. #}
+{%             set action_name = action_data.tcp_request_action|replace("_", " ") %}
+{#             # Some action keywords require a different syntax. #}
+{%             if action_data.tcp_request_action == 'content_lua' %}
+{%               set action_keyword_data = action_name ~ '.' ~ action_data.tcp_request_option %}
+{%             elif action_data.tcp_request_action == 'content_use-service' %}
+{%               set action_keyword_data = action_name ~ ' lua.' ~ action_data.tcp_request_option %}
+{%             else %}
+{%               set action_keyword_data = action_name %}
+{%               if action_data.tcp_request_option|default('') != '' %}
+{%                 set action_keyword_data = action_keyword_data ~ ' ' ~ action_data.tcp_request_option %}
+{%               endif %}
+{%             endif %}
+{%             do action_options.append('tcp-request ' ~ action_keyword_data) %}
 {%           else %}
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
-{%         elif action_data.type == 'tcp-response_inspect-delay' %}
-{%           if action_data.tcp_response_inspect_delay|default("") != "" %}
-{%             do action_options.append('tcp-response inspect-delay ' ~ action_data.tcp_response_inspect_delay) %}
+{%         elif action_data.type == 'tcp-response' %}
+{%           if action_data.tcp_response_action|default('') != '' %}
+{#             # Convert back to HAProxy-compatible format. #}
+{%             set action_name = action_data.tcp_response_action|replace("_", " ") %}
+{#             # Some action keywords require a different syntax. #}
+{%             if action_data.tcp_response_action == 'content_lua' %}
+{%               set action_keyword_data = action_name ~ '.' ~ action_data.tcp_response_option %}
+{%             else %}
+{%               set action_keyword_data = action_name %}
+{%               if action_data.tcp_response_option|default('') != '' %}
+{%                 set action_keyword_data = action_keyword_data ~ ' ' ~ action_data.tcp_response_option %}
+{%               endif %}
+{%             endif %}
+{%             do action_options.append('tcp-response ' ~ action_keyword_data) %}
 {%           else %}
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
@@ -774,7 +648,6 @@
 {%             set acl_line = [action_data.testType, action_acls|join(join_operator)]|join(' ') %}
 {%           else %}
 {%             set acl_line = '' %}
-{%             set comment_lines = comment_lines + ['    # NOTE: Rules with no Conditions will always match'] %}
 {%           endif %}
 {%           if action_options|length > 0 %}
 {#             # handle multiline options #}

From fcece25f9d46568f840de902eaa12aa97026e2bc Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 25 Jan 2026 15:18:11 +0100
Subject: [PATCH 2926/3088] net/haproxy: change LUA boolean conversion

---
 net/haproxy/pkg-descr                                            | 1 +
 .../src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index ec9cad2399..f8ad61a805 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -24,6 +24,7 @@ Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
 * refactor http/tcp rules to make extensions easier
 * rename some labels in rules
+* change LUA boolean conversion (see tune.lua.bool-sample-conversion)
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 022f2938d4..fb1e5c1060 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -968,6 +968,7 @@ global
 {% if OPNsense.HAProxy.general.tuning.bufferSize|default("") != "" %}
     tune.bufsize                {{OPNsense.HAProxy.general.tuning.bufferSize}}
 {% endif %}
+    tune.lua.bool-sample-conversion normal
 {% if OPNsense.HAProxy.general.tuning.luaMaxMem|default("") != "" %}
     tune.lua.maxmem             {{OPNsense.HAProxy.general.tuning.luaMaxMem}}
 {% endif %}

From 713771e40d606daee3bc4fc17f92565d34562528 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 25 Jan 2026 15:39:40 +0100
Subject: [PATCH 2927/3088] net/haproxy: add "enabled" field to rules

---
 net/haproxy/pkg-descr                         |  1 +
 .../HAProxy/Api/SettingsController.php        |  9 +++-
 .../OPNsense/HAProxy/forms/dialogAction.xml   |  6 +++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  4 ++
 .../OPNsense/HAProxy/Migrations/M4_2_0.php    |  3 ++
 .../mvc/app/views/OPNsense/HAProxy/index.volt |  2 +
 .../templates/OPNsense/HAProxy/haproxy.conf   | 53 ++++++++++---------
 7 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index f8ad61a805..7022ea069f 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -19,6 +19,7 @@ Added:
 * add support for more sample fetches: quic_enabled, stopping, wait_end (#3702)
 * add support for HTTP compression (#4867)
 * add all action keywords for http-request/-response and tcp-request/-response rules
+* add "enabled" field to rules
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index 4231ca119b..8724f3086f 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2016-2022 Frank Wall
+ *    Copyright (C) 2016-2026 Frank Wall
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -206,9 +206,14 @@ public function delActionAction($uuid)
         return $this->delBase('actions.action', $uuid);
     }
 
+    public function toggleActionAction($uuid, $enabled = null)
+    {
+        return $this->toggleBase('actions.action', $uuid);
+    }
+
     public function searchActionsAction()
     {
-        return $this->searchBase('actions.action', array('name', 'description'), 'name');
+        return $this->searchBase('actions.action', array('enabled', 'name', 'description'), 'name');
     }
 
     public function getLuaAction($uuid = null)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index c2e70417f3..e24b1e5421 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -1,4 +1,10 @@
 <form>
+    <field>
+        <id>action.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>Enable this rule.</help>
+    </field>
     <field>
         <id>action.name</id>
         <label>Name</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index fe49d5d225..d246d19716 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2228,6 +2228,10 @@
         </acls>
         <actions>
             <action type="ArrayField">
+                <enabled type="BooleanField">
+                    <default>1</default>
+                    <Required>Y</Required>
+                </enabled>
                 <name type="TextField">
                     <Mask>/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u</Mask>
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php
index 4bf0305efc..e8c713f8d8 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php
@@ -37,6 +37,9 @@ class M4_2_0 extends BaseModelMigration
     public function run($model)
     {
         foreach ($model->getNodeByReference('actions.action')->iterateItems() as $action) {
+            // Rules have an 'enabled' field now
+            $action->enabled = '1';
+            // Migrate TCP/HTTP rules to new format
             switch ((string)$action->type) {
                 case 'http-request_add-header':
                     $action->type = 'http-request';
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 8ab604f663..18c3c68a03 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -101,6 +101,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 set:'/api/haproxy/settings/set_action/',
                 add:'/api/haproxy/settings/add_action/',
                 del:'/api/haproxy/settings/del_action/',
+                toggle:'/api/haproxy/settings/toggle_action/',
                 options: {
                 }
             }
@@ -910,6 +911,7 @@ POSSIBILITY OF SUCH DAMAGE.
         <table id="grid-actions" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogAction" data-editAlert="haproxyChangeMessage">
             <thead>
             <tr>
+                <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                 <th data-column-id="actionid" data-type="number"  data-visible="false">{{ lang._('Rule ID') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Rule Name') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index fb1e5c1060..b6415c5c3f 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -635,34 +635,39 @@
 {%           set action_enabled = '0' %}
     # ERROR: unsupported rule type
 {%         endif %}
-{#         # check if action is valid #}
-{%         if action_enabled == '1' %}
-{%           if action_data.operator == 'or' %}
-{%             set join_operator = ' || ' %}
-{%           else %}
-{%             set join_operator = ' ' %}
-{%           endif %}
-{#           # check if action depends on ACLs #}
-{%           set comment_lines = ['# RULE: ' + action_data.name] %}
-{%           if action_acls|length > 0 %}
-{%             set acl_line = [action_data.testType, action_acls|join(join_operator)]|join(' ') %}
-{%           else %}
-{%             set acl_line = '' %}
-{%           endif %}
-{%           if action_options|length > 0 %}
-{#             # handle multiline options #}
-{%             if action_multiline == '1' %}
-{%               set join_char = '\n    ' %}
-{#               # ACLs are unsupported in multiline options, remove them #}
-{%               set acl_line = '' %}
+{#         # Is this rule enabled in the GUI? #}
+{%         if action_data.enabled|default('') == '1' %}
+{#           # check if action is valid #}
+{%           if action_enabled == '1' %}
+{%             if action_data.operator == 'or' %}
+{%               set join_operator = ' || ' %}
+{%             else %}
+{%               set join_operator = ' ' %}
+{%             endif %}
+{#             # check if action depends on ACLs #}
+{%             set comment_lines = ['# RULE: ' + action_data.name] %}
+{%             if action_acls|length > 0 %}
+{%               set acl_line = [action_data.testType, action_acls|join(join_operator)]|join(' ') %}
 {%             else %}
-{%               set join_char = ' ' %}
+{%               set acl_line = '' %}
+{%             endif %}
+{%             if action_options|length > 0 %}
+{#               # handle multiline options #}
+{%               if action_multiline == '1' %}
+{%                 set join_char = '\n    ' %}
+{#                 # ACLs are unsupported in multiline options, remove them #}
+{%                 set acl_line = '' %}
+{%               else %}
+{%                 set join_char = ' ' %}
+{%               endif %}
+{%               do global_action_options.append(comment_lines|join('\n')) -%}
+{%               do global_action_options.append(([action_options|join(join_char), acl_line]|join(' '))) %}
 {%             endif %}
-{%             do global_action_options.append(comment_lines|join('\n')) -%}
-{%             do global_action_options.append(([action_options|join(join_char), acl_line]|join(' '))) %}
+{%           else %}
+    # RULE INVALID: {{action_data.name}}
 {%           endif %}
 {%         else %}
-    # RULE INVALID: {{action_data.name}}
+    # RULE DISABLED: {{action_data.name}}
 {%         endif %}
 {%       else %}
     # RULE INVALID: {{action_data.name}}

From 1846df163963471edf262828125643e43d9e7c81 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 25 Jan 2026 15:52:29 +0100
Subject: [PATCH 2928/3088] net/haproxy: respect order in error messages

---
 .../templates/OPNsense/HAProxy/haproxy.conf   | 36 +++++++++----------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index b6415c5c3f..0e2688315e 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -450,7 +450,7 @@
 {%             do action_options.append('use_backend ' ~ acl_backend_data.name) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'use_server' %}
 {%           if action_data.use_server|default("") != "" %}
@@ -458,7 +458,7 @@
 {%             do action_options.append('use-server ' ~ server_data.name) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'map_use_backend' %}
 {#           # First get the map file path #}
@@ -484,21 +484,21 @@
 {%             do action_options.append('use_backend %[req.hdr(host),' ~ mapfile_config ~ '(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'fcgi_pass_header' %}
 {%           if action_data.fcgi_pass_header|default('') != '' %}
 {%             do action_options.append('pass-header ' ~ action_data.fcgi_pass_header) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'fcgi_set_param' %}
 {%           if action_data.fcgi_set_param|default('') != '' %}
 {%             do action_options.append('set-param ' ~ action_data.fcgi_set_param) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'http-after-response' %}
 {%           if action_data.http_after_response_action|default('') != '' %}
@@ -508,7 +508,7 @@
 {%             endif %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'http-request' %}
 {%           if action_data.http_request_action|default('') != '' %}
@@ -528,7 +528,7 @@
 {%             do action_options.append('http-request ' ~ action_keyword_data) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'http-response' %}
 {%           if action_data.http_response_action|default('') != '' %}
@@ -546,7 +546,7 @@
 {%             do action_options.append('http-response ' ~ action_keyword_data) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'monitor_fail' %}
 {%           if action_data.monitor_fail_uri|default("") != "" %}
@@ -554,7 +554,7 @@
 {%             do action_options.append('monitor fail') %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'tcp-request' %}
 {%           if action_data.tcp_request_action|default('') != '' %}
@@ -574,7 +574,7 @@
 {%             do action_options.append('tcp-request ' ~ action_keyword_data) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'tcp-response' %}
 {%           if action_data.tcp_response_action|default('') != '' %}
@@ -592,7 +592,7 @@
 {%             do action_options.append('tcp-response ' ~ action_keyword_data) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'compression' %}
 {%           set action_multiline = '1' %}
@@ -622,18 +622,18 @@
 {%             endif %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         elif action_data.type == 'custom' %}
 {%           if action_data.custom|default("") != "" %}
 {%             do action_options.append(action_data.custom) %}
 {%           else %}
 {%             set action_enabled = '0' %}
-    # ERROR: missing parameters
+{%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         else %}
 {%           set action_enabled = '0' %}
-    # ERROR: unsupported rule type
+{%           do global_action_options.append('# ERROR: unsupported rule type' ~ action_data.type) %}
 {%         endif %}
 {#         # Is this rule enabled in the GUI? #}
 {%         if action_data.enabled|default('') == '1' %}
@@ -664,14 +664,14 @@
 {%               do global_action_options.append(([action_options|join(join_char), acl_line]|join(' '))) %}
 {%             endif %}
 {%           else %}
-    # RULE INVALID: {{action_data.name}}
+{%             do global_action_options.append('# RULE INVALID: ' + action_data.name) %}
 {%           endif %}
 {%         else %}
-    # RULE DISABLED: {{action_data.name}}
+{%           do global_action_options.append('# RULE DISABLED: ' + action_data.name) %}
 {%         endif %}
 {%       else %}
-    # RULE INVALID: {{action_data.name}}
-    # CONDITIONS WITH ERRORS: {{acl_errors}}
+{%         do global_action_options.append('# RULE INVALID: ' + action_data.name) %}
+{%         do global_action_options.append('# CONDITIONS WITH ERRORS: ' + acl_errors) %}
 {%       endif %}
 {%     endfor %}
 

From 276b8ecdc521520ea9d55d31b8fa71f7badfd420 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Jan 2026 07:57:22 +0100
Subject: [PATCH 2929/3088] net/isc-dhcp: support idassoc6 mode correctly

Slightly simplify the previous code conditions since the new
GUI code does auto-track6 separately now and both modes have
'track6-interface' set.

PR: https://forum.opnsense.org/index.php?topic=50474.msg257718#msg257718
---
 net/isc-dhcp/Makefile                         |  2 +-
 net/isc-dhcp/pkg-descr                        |  2 +-
 .../src/etc/inc/plugins.inc.d/dhcpd.inc       | 11 ++++---
 net/isc-dhcp/src/www/services_dhcpv6.php      | 30 +++++++++++--------
 4 files changed, 26 insertions(+), 19 deletions(-)

diff --git a/net/isc-dhcp/Makefile b/net/isc-dhcp/Makefile
index 839e834622..93478a0aa9 100644
--- a/net/isc-dhcp/Makefile
+++ b/net/isc-dhcp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		isc-dhcp
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		ISC DHCPv4/v6 server
 PLUGIN_DEPENDS=		isc-dhcp44-server
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/isc-dhcp/pkg-descr b/net/isc-dhcp/pkg-descr
index 8e95254835..fe0e35dae3 100644
--- a/net/isc-dhcp/pkg-descr
+++ b/net/isc-dhcp/pkg-descr
@@ -13,5 +13,5 @@ Plugin Changelog
 
 * First release resembling the core state of 25.7.11
 * Minor changes due to "radvd" extraction out of DHCPv6 configuration
-* Minor changes regarding "track6" mode handling
+* Minor changes regarding "track6" and "idassoc6" mode handling
 * Added DHCPv6 static mappings export
diff --git a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
index 96900d2859..aaea6aff30 100644
--- a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
+++ b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
@@ -886,7 +886,7 @@ function dhcpd_dhcp6_configure($verbose = false, $ignorelist = [])
         if (isset($ignorelist[$ifname])) {
             continue;
         }
-        if (($config['interfaces'][$ifname]['ipaddrv6'] ?? 'none') == 'track6') {
+        if (isset($config['interfaces'][$ifname]['track6-interface'])) {
             list ($ifcfgipv6) = interfaces_primary_address6($ifname, $ifconfig_details);
             if (!is_ipaddrv6($ifcfgipv6)) {
                 continue;
@@ -895,7 +895,10 @@ function dhcpd_dhcp6_configure($verbose = false, $ignorelist = [])
             $ifcfgipv6 = Net_IPv6::getNetmask($ifcfgipv6, 64);
             $ifcfgipv6arr = explode(':', $ifcfgipv6);
 
-            if (!isset($config['interfaces'][$ifname]['dhcpd6track6allowoverride'])) {
+            if (
+                ($config['interfaces'][$ifname]['ipaddrv6'] ?? 'none') == 'track6' &&
+                !isset($config['interfaces'][$ifname]['dhcpd6track6allowoverride'])
+            ) {
                 /* mock a real server */
                 if (!empty($dhcpdv6cfg[$ifname]['enable']) && $dhcpdv6cfg[$ifname]['enable'] == '-1') {
                     /* tracking, but dhcpv6 disabled */
@@ -1132,7 +1135,7 @@ host s_{$dhcpv6if}_{$i} {
 
 EOD;
                 if (!empty($sm['ipaddrv6'])) {
-                    if (isset($config['interfaces'][$dhcpv6if]['dhcpd6track6allowoverride'])) {
+                    if (isset($config['interfaces'][$dhcpv6if]['track6-interface'])) {
                         $sm['ipaddrv6'] = merge_ipv6_address($ifcfgipv6, $sm['ipaddrv6']);
                     }
                     $dhcpdv6conf .= "  fixed-address6 {$sm['ipaddrv6']};\n";
@@ -1209,7 +1212,7 @@ function dhcpd_staticmap($proto = null, $valid_addresses = true, $ifconfig_detai
             }
 
             $ifconf = config_read_array('interfaces', $dhcpif);
-            list ($ipaddrv6) = $inet == 6 && isset($ifconf['dhcpd6track6allowoverride']) ?
+            list ($ipaddrv6) = $inet == 6 && isset($ifconf['track6-interface']) ?
                 interfaces_primary_address6($dhcpif, $ifconfig_details) : [null];
 
             foreach ($dhcpifconf['staticmap'] as $host) {
diff --git a/net/isc-dhcp/src/www/services_dhcpv6.php b/net/isc-dhcp/src/www/services_dhcpv6.php
index dfe2e587e8..8f1f17e6f6 100644
--- a/net/isc-dhcp/src/www/services_dhcpv6.php
+++ b/net/isc-dhcp/src/www/services_dhcpv6.php
@@ -141,7 +141,7 @@ function reconfigure_dhcpd()
     if (!empty($_GET['if']) && !empty($config['interfaces'][$_GET['if']]) &&
         isset($config['interfaces'][$_GET['if']]['enable']) &&
         (is_ipaddr($config['interfaces'][$_GET['if']]['ipaddrv6']) ||
-        $config['interfaces'][$_GET['if']]['ipaddrv6'] == 'track6')) {
+        in_array($config['interfaces'][$_GET['if']]['ipaddrv6'], ['idassoc6', 'track6']))) {
         $if = $_GET['if'];
     }
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
@@ -154,29 +154,33 @@ function reconfigure_dhcpd()
     }
 }
 
-/**
- * XXX: In case of tracking, show different form and only handle on/off options.
- *      this code injection is intended to keep changes as minimal as possible and avoid regressions on existing isc-dhcp6 installs,
- *      while showing current state for tracking interfaces.
- **/
 if ($if === null) {
     /* if no interface is provided this invoke is invalid */
     header(url_safe('Location: /index.php'));
     exit;
 } elseif (($config['interfaces'][$if]['ipaddrv6'] ?? 'none') == 'track6' && !isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])) {
+    /*
+     * In case of automatic tracking, show different form and only handle on/off options.
+     * This code injection is intended to keep changes as minimal as possible and avoid
+     * regressions on existing isc-dhcp installs, while showing current state for tracking
+     * interfaces.
+     */
     if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         show_track6_form($if);
     } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
         process_track6_form($if);
+    } else {
+        header(url_safe('Location: /index.php'));
     }
     exit;
 }
-/* default form processing */
+
+/* default form processing (for manual track6 and idassoc6 but handled via 'track6-interface') */
 
 $ifcfgip = $config['interfaces'][$if]['ipaddrv6'];
 $ifcfgsn = $config['interfaces'][$if]['subnetv6'];
 
-if (isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])) {
+if (isset($config['interfaces'][$if]['track6-interface'])) {
     list ($ifcfgip,, $ifcfgsn) = interfaces_primary_address6($if);
     $pdlen = calculate_ipv6_delegation_length($config['interfaces'][$if]['track6-interface']) - 1;
 }
@@ -316,7 +320,7 @@ function reconfigure_dhcpd()
             $range_from = $pconfig['range_from'];
             $range_to = $pconfig['range_to'];
 
-            if (isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])) {
+            if (isset($config['interfaces'][$if]['track6-interface'])) {
                 $range_from = merge_ipv6_address($ifcfgip, $pconfig['range_from']);
                 $range_to = merge_ipv6_address($ifcfgip, $pconfig['range_to']);
             }
@@ -606,11 +610,11 @@ function show_netboot_config() {
                           </tbody>
                         </table>
                         <div class="hidden" data-for="help_for_range">
-<?php if (!isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])): ?>
-                          <?= gettext('The range should be entered using the full IPv6 address.') ?>
-<?php else: ?>
+<?php if (isset($config['interfaces'][$if]['track6-interface'])): ?>
                           <?= gettext('The range should be entered using the suffix part of the IPv6 address, i.e. ::1:2:3:4. ' .
                             'The subnet prefix will be added automatically.') ?>
+<?php else: ?>
+                          <?= gettext('The range should be entered using the full IPv6 address.') ?>
 <?php endif ?>
                       </td>
                     </tr>
@@ -651,7 +655,7 @@ function show_netboot_config() {
                           <?= gettext("You can define a Prefix range here for DHCP Prefix Delegation. This allows for assigning networks to subrouters. " .
                           "The start and end of the range must end on boundaries of the prefix delegation size."); ?>
                            <?= gettext("Ensure that any prefix delegation range does not overlap the LAN prefix range."); ?>
-<?php if (isset($config['interfaces'][$if]['dhcpd6track6allowoverride'])): ?>
+<?php if (isset($config['interfaces'][$if]['track6-interface'])): ?>
                           <br/><br/>
                           <?= gettext('When using a tracked interface then please only enter the range itself, i.e. ::xxxx:0:0:0:0. ' .
                             'For example, for a /56 delegation from ::100:0:0:0:0 to ::f00:0:0:0:0. ' .

From 9810e4b1d701196ba76452291ca58c8389bffd4a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Jan 2026 10:40:36 +0100
Subject: [PATCH 2930/3088] syssutils/apuled: drop obsolete plugin

---
 LICENSE                                       |  1 -
 README.md                                     |  1 -
 sysutils/apuled/+POST_INSTALL                 | 18 ----
 sysutils/apuled/LICENSE                       | 25 -----
 sysutils/apuled/Makefile                      |  8 --
 sysutils/apuled/README.md                     | 18 ----
 sysutils/apuled/pkg-descr                     |  2 -
 .../src/etc/rc.syshook.d/early/30-apuled      | 42 ---------
 .../src/etc/rc.syshook.d/start/60-apuled      | 11 ---
 .../src/opnsense/scripts/apuled/apuledctl     | 91 -------------------
 .../conf/actions.d/actions_apuled.conf        |  6 --
 11 files changed, 223 deletions(-)
 delete mode 100644 sysutils/apuled/+POST_INSTALL
 delete mode 100644 sysutils/apuled/LICENSE
 delete mode 100644 sysutils/apuled/Makefile
 delete mode 100644 sysutils/apuled/README.md
 delete mode 100644 sysutils/apuled/pkg-descr
 delete mode 100755 sysutils/apuled/src/etc/rc.syshook.d/early/30-apuled
 delete mode 100755 sysutils/apuled/src/etc/rc.syshook.d/start/60-apuled
 delete mode 100755 sysutils/apuled/src/opnsense/scripts/apuled/apuledctl
 delete mode 100644 sysutils/apuled/src/opnsense/service/conf/actions.d/actions_apuled.conf

diff --git a/LICENSE b/LICENSE
index 71066b3796..78db51e708 100644
--- a/LICENSE
+++ b/LICENSE
@@ -13,7 +13,6 @@ Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
 Copyright (c) 2023-2025 Cedrik Pischem
 Copyright (c) 2025 Christopher Linn, BackendMedia IT-Services GmbH
-Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2021 Dan Lundqvist
 Copyright (c) 2021 David Berry
diff --git a/README.md b/README.md
index 6509dd35f8..fa5c613514 100644
--- a/README.md
+++ b/README.md
@@ -101,7 +101,6 @@ security/tinc -- Tinc VPN
 security/tor -- The Onion Router
 security/wazuh-agent -- Agent for the open source security platform Wazuh
 sysutils/apcupsd -- APCUPSD - APC UPS daemon
-sysutils/apuled -- PC Engine APU LED control (development only)
 sysutils/beats -- Send logs, network, metrics and heartbeat to Elasticsearch
 sysutils/cpu-microcode -- CPU microcode updates
 sysutils/dec-hw -- Deciso hardware specific information
diff --git a/sysutils/apuled/+POST_INSTALL b/sysutils/apuled/+POST_INSTALL
deleted file mode 100644
index a2e28a44dc..0000000000
--- a/sysutils/apuled/+POST_INSTALL
+++ /dev/null
@@ -1,18 +0,0 @@
-LED1="/dev/led/led1"
-LED2="/dev/led/led2"
-LED3="/dev/led/led3"
-LEDKO="/boot/kernel/apuled.ko"
-
-if [ ! -e /boot/kernel/apuled.ko ]; then
-    exit 0
-fi
-
-kldload $LEDKO 2>&1
-
-echo "m-" > $LED1
-echo "m -" > $LED2
-echo "m  -" > $LED3
-sleep 2
-echo 1 > $LED1
-echo 1 > $LED2
-echo 1 > $LED3
diff --git a/sysutils/apuled/LICENSE b/sysutils/apuled/LICENSE
deleted file mode 100644
index 2877b69952..0000000000
--- a/sysutils/apuled/LICENSE
+++ /dev/null
@@ -1,25 +0,0 @@
-BSD 2-Clause License
-
-Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-  list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-  this list of conditions and the following disclaimer in the documentation
-  and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/sysutils/apuled/Makefile b/sysutils/apuled/Makefile
deleted file mode 100644
index 7dc896fa79..0000000000
--- a/sysutils/apuled/Makefile
+++ /dev/null
@@ -1,8 +0,0 @@
-PLUGIN_NAME=		apuled
-PLUGIN_VERSION=		0.2
-PLUGIN_REVISION=	1
-PLUGIN_DEVEL=		yes
-PLUGIN_COMMENT=		PC Engine APU LED control
-PLUGIN_MAINTAINER=	julio@cloudfence.com.br
-
-.include "../../Mk/plugins.mk"
diff --git a/sysutils/apuled/README.md b/sysutils/apuled/README.md
deleted file mode 100644
index ab9d823847..0000000000
--- a/sysutils/apuled/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-### APU LED Plugin ###
-
-#### LED control for PC Engines APU platform OPNsense plugin ####
-
-**Left -> Right**
-LED1|LED2|LED3
-
-At system boot, the 3 LEDs will blink (leds test).
-
-|                                       | LED1     | LED2                      | LED3 |
-|---------------------------------------|----------|---------------------------|------|
-| System booting...                     | Blinking | OFF                       | OFF  |
-| System OK                             | ON       | ON                        | ON   |
-| CPU Load > 90%                        | Blinking | -                         | -    |
-| Disk freespace < 10%                  | -        | Blinking (SOS morse code) | -    |
-| WAN offline (without Internet access) | -        | Blinking fast             | -    |
-| WAN packetloss > 30%                  | -        | Blinking slow             | -    |
-| WAN online (Internet access)          | -        | ON                        | -    |
diff --git a/sysutils/apuled/pkg-descr b/sysutils/apuled/pkg-descr
deleted file mode 100644
index 78d0bae2e2..0000000000
--- a/sysutils/apuled/pkg-descr
+++ /dev/null
@@ -1,2 +0,0 @@
-LED control for PC Engines APU platform OPNsense plugin
-Cloudfence 2019 - JCC
diff --git a/sysutils/apuled/src/etc/rc.syshook.d/early/30-apuled b/sysutils/apuled/src/etc/rc.syshook.d/early/30-apuled
deleted file mode 100755
index 182dfdc4e3..0000000000
--- a/sysutils/apuled/src/etc/rc.syshook.d/early/30-apuled
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-set -x
-# APU LED plugin - Cloudfence 2019 JCC
-
-
-# LEDs
-LED1="/dev/led/led1"
-LED2="/dev/led/led2"
-LED3="/dev/led/led3"
-LEDKO="/boot/kernel/apuled.ko"
-
-
-messages()
-{
-MSG=$1
-echo "$MSG"
-logger -t "APU Plugin" "$MSG"
-}
-
-# check if the module file exists
-if [ -e /boot/kernel/apuled.ko ];then
-# Load module
-    kldload $LEDKO 2>&1
-else
-    messages "Error: APU LED module is missing"
-    exit 1
-fi
-
-# starting boot LED message
-# make the initial test
-echo "m-" > $LED1
-echo "m -" > $LED2
-echo "m  -" > $LED3
-sleep 2
-echo 1 > $LED1
-echo 1 > $LED2
-echo 1 > $LED3
-sleep 2
-# PWR bliking to show booting state
-echo "f6" > $LED1
-echo 0 > $LED2
-echo 0 > $LED3
diff --git a/sysutils/apuled/src/etc/rc.syshook.d/start/60-apuled b/sysutils/apuled/src/etc/rc.syshook.d/start/60-apuled
deleted file mode 100755
index ceac7245b9..0000000000
--- a/sysutils/apuled/src/etc/rc.syshook.d/start/60-apuled
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-# LEDs
-LED1="/dev/led/led1"
-LED2="/dev/led/led2"
-LED3="/dev/led/led3"
-
-#stop blinking PWR LED
-echo 1 > $LED1
-echo 1 > $LED2
-echo 1 > $LED3
diff --git a/sysutils/apuled/src/opnsense/scripts/apuled/apuledctl b/sysutils/apuled/src/opnsense/scripts/apuled/apuledctl
deleted file mode 100755
index 9ca443e866..0000000000
--- a/sysutils/apuled/src/opnsense/scripts/apuled/apuledctl
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 2019 Cloudfence - Julio Camargo (JCC)
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are met:
-#
-#  1. Redistributions of source code must retain the above copyright notice,
-#     this list of conditions and the following disclaimer.
-#
-#  2. Redistributions in binary form must reproduce the above copyright
-#     notice, this list of conditions and the following disclaimer in the
-#     documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
-
-# LEDs
-LED1="/dev/led/led1"
-LED2="/dev/led/led2"
-LED3="/dev/led/led3"
-
-# check if LEDs exists
-if [ ! -e "$LED1" ];then
-   logger -t "APULED Plugin" "Error: LED device not exists"
-fi
-
-check_wan(){
-# LED2 - network notifications
-# Fetch from dpinger the list of gateways and the status of each one
-GWLIST=$(ls /var/run/dpinger* | grep sock)
-
-for GW in $GWLIST; do
-    GWSTATUS=$(nc -U $GW | awk '{print $4}')
-    # We're ONLINE
-    if [ "$GWSTATUS" -eq 0 ];then
-        echo "1" > $LED2
-    # Some losses - LATENCY
-    elif [ "$GWSTATUS" -gt 30 ] && [ "$GWSTATUS" -lt 100 ];then
-        LATENCY=1
-    # One of our Gateways is DOWN - ALARM
-    # Test if the GWs are OK. If just one of the GWs failed the test, the LED will show DOWN status
-    elif [ "$GWSTATUS" -eq 100 ];then
-        echo "f1" > $LED2
-        exit 0
-    fi
-done
-
-# In case of packets loss, I'll warn!
-if [ ! -z "$LATENCY" ];then
-    echo "f3" > $LED2
-fi
-}
-
-check_load(){
-# check CPU idle
-# LED1 - system notifications
-CHK_IDLE=$(vmstat 1 2 | tail -1 | awk '{ print $19 }')
-
-if [ "$CHK_IDLE" -lt "10"  ];then
-    echo "f4" > $LED1
-else
-    echo "1" > $LED1
-fi
-}
-
-check_disk(){
-# check Disk space
-# LED3 - system notifications
-DSK_FREE=$(df -kh / | tail -1 | awk '{ print 100-$5 }')
-
-if [ "$DSK_FREE" -lt "10"  ];then
-    echo "m...---..." > $LED3
-else
-    echo "1" > $LED3
-fi
-}
-
-# Main routine
-check_load
-check_disk
-check_wan
diff --git a/sysutils/apuled/src/opnsense/service/conf/actions.d/actions_apuled.conf b/sysutils/apuled/src/opnsense/service/conf/actions.d/actions_apuled.conf
deleted file mode 100644
index a876901a84..0000000000
--- a/sysutils/apuled/src/opnsense/service/conf/actions.d/actions_apuled.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[run]
-command:/usr/local/opnsense/scripts/apuled/apuledctl
-parameters:
-type:script
-message:APU LEDs control
-description:APULED LED status

From 7c4f3c7e4a92e74b779b1274025e61cbe671036c Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Jan 2026 10:47:47 +0100
Subject: [PATCH 2931/3088] dns/ddclient: style sweep

---
 .../opnsense/scripts/ddclient/lib/account/hostinger.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hostinger.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hostinger.py
index 74da1d183c..b9b004e359 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hostinger.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hostinger.py
@@ -54,13 +54,13 @@ def execute(self):
         if super().execute():
             # IPv4/IPv6
             recordType = "AAAA" if str(self.current_address).find(':') > 1 else "A"
-            
+
             # Validate TTL
             ttl = int(self.settings.get('ttl', 300)) if (60 <= int(self.settings.get('ttl', 300)) <= 86400) else 300
 
             # Use bearer authentication
             url = "https://developers.hostinger.com/api/dns/v1/zones/" + self.settings.get('zone')
-            
+
             # Build the zone update payload
             payload = {
                 "overwrite": True,
@@ -77,13 +77,13 @@ def execute(self):
                     }
                 ]
             }
-            
+
             headers = {
                 'authorization': "Bearer " + self.settings.get('password'),
                 'content-type': "application/json",
                 'User-Agent': 'OPNsense-dyndns'
             }
-            
+
             # Send IP address update
             req = requests.request("PUT", url, data=json.dumps(payload), headers=headers)
             if 200 <= req.status_code < 300:
@@ -103,4 +103,4 @@ def execute(self):
                     )
                 )
 
-        return False
\ No newline at end of file
+        return False

From 4020561368ab697fbef2c5d6a3585b7647298fd3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 26 Jan 2026 11:05:35 +0100
Subject: [PATCH 2932/3088] isc-dhcp: check if device we try to configure
 exists in the system

PR: https://github.com/opnsense/plugins/issues/5169
---
 net/isc-dhcp/Makefile                            | 2 +-
 net/isc-dhcp/pkg-descr                           | 1 +
 net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc | 4 ++++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/isc-dhcp/Makefile b/net/isc-dhcp/Makefile
index 93478a0aa9..970944acbe 100644
--- a/net/isc-dhcp/Makefile
+++ b/net/isc-dhcp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		isc-dhcp
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		ISC DHCPv4/v6 server
 PLUGIN_DEPENDS=		isc-dhcp44-server
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/isc-dhcp/pkg-descr b/net/isc-dhcp/pkg-descr
index fe0e35dae3..36f4461845 100644
--- a/net/isc-dhcp/pkg-descr
+++ b/net/isc-dhcp/pkg-descr
@@ -14,4 +14,5 @@ Plugin Changelog
 * First release resembling the core state of 25.7.11
 * Minor changes due to "radvd" extraction out of DHCPv6 configuration
 * Minor changes regarding "track6" and "idassoc6" mode handling
+* Safeguard dhcpd_staticarp() from nonexistent interface configuration
 * Added DHCPv6 static mappings export
diff --git a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
index aaea6aff30..df22829e0d 100644
--- a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
+++ b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
@@ -1310,6 +1310,10 @@ function dhcpd_staticarp($interface, $ifconfig_details)
 
     $device = $ifcfg['if'];
 
+    if (empty($ifconfig_details[$device])) {
+        return;
+    }
+
     $have = in_array('staticarp', $ifconfig_details[$device]['flags']);
     $want = isset($config['dhcpd'][$interface]['staticarp']);
 

From beacd221e328b834a04ba5a7ab5e2334decf1bea Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 27 Jan 2026 15:24:39 +0100
Subject: [PATCH 2933/3088] net/haproxy: improve stick-table support

---
 net/haproxy/pkg-descr                         |   2 +
 .../OPNsense/HAProxy/forms/dialogBackend.xml  |  64 +++++++--
 .../OPNsense/HAProxy/forms/dialogFrontend.xml |  61 ++++++--
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 132 +++++++++++++++---
 .../templates/OPNsense/HAProxy/haproxy.conf   |  28 ++--
 5 files changed, 234 insertions(+), 53 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 7022ea069f..aefc012eb2 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -20,12 +20,14 @@ Added:
 * add support for HTTP compression (#4867)
 * add all action keywords for http-request/-response and tcp-request/-response rules
 * add "enabled" field to rules
+* add support for all stick-table data types
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
 * refactor http/tcp rules to make extensions easier
 * rename some labels in rules
 * change LUA boolean conversion (see tune.lua.bool-sample-conversion)
+* stick-table "size" and "expiration time" are no longer advanced options (now always visible)
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 40d46a123d..1090f3a320 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -249,20 +249,39 @@
         <id>backend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#11.1">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>backend.stickiness_expire</id>
         <label>Expiration time</label>
         <type>text</type>
         <help><![CDATA[Enter a number followed by one of the supported suffixes "d" (days), "h" (hour), "m" (minute), "s" (seconds), "ms" (miliseconds). This configures the maximum duration of an entry in the stick-table since it was last created, refreshed or matched. The maximum duration is slightly above 24 days.]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>backend.stickiness_size</id>
-        <label>Size</label>
+        <label>Table size</label>
         <type>text</type>
         <help><![CDATA[Enter a number followed by one of the supported suffixes "k", "m", "g". This configures the maximum number of entries that can fit in the table. This value directly impacts memory usage. Count approximately 50 bytes per entry, plus the size of a string if any.]]></help>
+    </field>
+    <field>
+        <id>backend.stickiness_length</id>
+        <label>Max. data length</label>
+        <type>text</type>
+        <help><![CDATA[Specify the maximum length for a value in the stick-table. If the value is larger than this value it will be truncated before being stored. Depending on the stick-table type this repesents either characters or bytes.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>backend.stickiness_bytesInRatePeriod</id>
+        <label>Bytes in rate period</label>
+        <type>text</type>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average incoming bytes rate over that period, in bytes per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>backend.stickiness_bytesOutRatePeriod</id>
+        <label>Bytes out rate period</label>
+        <type>text</type>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average outgoing bytes rate over that period, in bytes per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -285,10 +304,31 @@
         <advanced>true</advanced>
     </field>
     <field>
-        <id>backend.stickiness_sessRatePeriod</id>
-        <label>Session rate period</label>
+        <id>backend.stickiness_glitchRatePeriod</id>
+        <label>Glitch rate period</label>
         <type>text</type>
-        <help><![CDATA[The length of the period over which the average is measured. It reports the average incoming session rate over that period, in sessions per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average front glitches rate over that period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>backend.stickiness_gpcElements</id>
+        <label>GPC elements</label>
+        <type>text</type>
+        <help><![CDATA[The number of array elements that will be used for the General Purpose Counter. This is limited to a maximum of 100 elements, ranging from 0 to 99.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>backend.stickiness_gpcRatePeriod</id>
+        <label>GPC rate period</label>
+        <type>text</type>
+        <help><![CDATA[The length of the period over which the average is measured. Most of the time it will be used to measure the frequency of occurrence of certain events. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>backend.stickiness_gptElements</id>
+        <label>GPT elements</label>
+        <type>text</type>
+        <help><![CDATA[The number of array elements that will be used for the General Purpose Tag. This is limited to a maximum of 100 elements, ranging from 0 to 99.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -306,17 +346,17 @@
         <advanced>true</advanced>
     </field>
     <field>
-        <id>backend.stickiness_bytesInRatePeriod</id>
-        <label>Bytes in rate period</label>
+        <id>backend.stickiness_httpFailRatePeriod</id>
+        <label>HTTP fail rate period</label>
         <type>text</type>
-        <help><![CDATA[The length of the period over which the average is measured. It reports the average incoming bytes rate over that period, in bytes per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average HTTP response fail error rate over that period, in requests per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>backend.stickiness_bytesOutRatePeriod</id>
-        <label>Bytes out rate period</label>
+        <id>backend.stickiness_sessRatePeriod</id>
+        <label>Session rate period</label>
         <type>text</type>
-        <help><![CDATA[The length of the period over which the average is measured. It reports the average outgoing bytes rate over that period, in bytes per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average incoming session rate over that period, in sessions per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 6d2ecee8a1..a84eb88b59 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -350,28 +350,26 @@
         <id>frontend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#stick-table">HAProxy documentation</a> for further information.]]></help>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. Note that this stick-table cannot be used for session persistence, it is only used to store additional per-connection data (select below). See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#11.1">HAProxy documentation</a> for further information.]]></help>
         <hint>Choose a stick-table type.</hint>
     </field>
     <field>
         <id>frontend.stickiness_dataTypes</id>
         <label>Stored data types</label>
         <type>select_multiple</type>
-        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#stick-table">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[This is used to store additional information in the stick-table. It may be used by ACLs in order to control various criteria related to the activity of the client matching the stick-table. Note that this directly impacts memory usage. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#11.1">HAProxy documentation</a> for a full description.]]></help>
     </field>
     <field>
         <id>frontend.stickiness_expire</id>
         <label>Expiration time</label>
         <type>text</type>
         <help><![CDATA[Enter a number followed by one of the supported suffixes "d" (days), "h" (hour), "m" (minute), "s" (seconds), "ms" (miliseconds). This configures the maximum duration of an entry in the stick-table since it was last created, refreshed or matched. The maximum duration is slightly above 24 days.]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>frontend.stickiness_size</id>
-        <label>Size</label>
+        <label>Table size</label>
         <type>text</type>
         <help><![CDATA[Enter a number followed by one of the supported suffixes "k", "m", "g". This configures the maximum number of entries that can fit in the table. This value directly impacts memory usage. Count approximately 50 bytes per entry, plus the size of a string if any.]]></help>
-        <advanced>true</advanced>
     </field>
     <field>
         <id>frontend.stickiness_counter</id>
@@ -394,6 +392,20 @@
         <help><![CDATA[Specify the maximum length for a value in the stick-table. If the value is larger than this value it will be truncated before being stored. Depending on the stick-table type this repesents either characters or bytes.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>frontend.stickiness_bytesInRatePeriod</id>
+        <label>Bytes in rate period</label>
+        <type>text</type>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average incoming bytes rate over that period, in bytes per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>frontend.stickiness_bytesOutRatePeriod</id>
+        <label>Bytes out rate period</label>
+        <type>text</type>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average outgoing bytes rate over that period, in bytes per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>frontend.stickiness_connRatePeriod</id>
         <label>Connection rate period</label>
@@ -402,10 +414,31 @@
         <advanced>true</advanced>
     </field>
     <field>
-        <id>frontend.stickiness_sessRatePeriod</id>
-        <label>Session rate period</label>
+        <id>frontend.stickiness_glitchRatePeriod</id>
+        <label>Glitch rate period</label>
         <type>text</type>
-        <help><![CDATA[The length of the period over which the average is measured. It reports the average incoming session rate over that period, in sessions per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average front glitches rate over that period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>frontend.stickiness_gpcElements</id>
+        <label>GPC elements</label>
+        <type>text</type>
+        <help><![CDATA[The number of array elements that will be used for the General Purpose Counter. This is limited to a maximum of 100 elements, ranging from 0 to 99.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>frontend.stickiness_gpcRatePeriod</id>
+        <label>GPC rate period</label>
+        <type>text</type>
+        <help><![CDATA[The length of the period over which the average is measured. Most of the time it will be used to measure the frequency of occurrence of certain events. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>frontend.stickiness_gptElements</id>
+        <label>GPT elements</label>
+        <type>text</type>
+        <help><![CDATA[The number of array elements that will be used for the General Purpose Tag. This is limited to a maximum of 100 elements, ranging from 0 to 99.]]></help>
         <advanced>true</advanced>
     </field>
     <field>
@@ -423,17 +456,17 @@
         <advanced>true</advanced>
     </field>
     <field>
-        <id>frontend.stickiness_bytesInRatePeriod</id>
-        <label>Bytes in rate period</label>
+        <id>frontend.stickiness_httpFailRatePeriod</id>
+        <label>HTTP fail rate period</label>
         <type>text</type>
-        <help><![CDATA[The length of the period over which the average is measured. It reports the average incoming bytes rate over that period, in bytes per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average HTTP response fail error rate over that period, in requests per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
         <advanced>true</advanced>
     </field>
     <field>
-        <id>frontend.stickiness_bytesOutRatePeriod</id>
-        <label>Bytes out rate period</label>
+        <id>frontend.stickiness_sessRatePeriod</id>
+        <label>Session rate period</label>
         <type>text</type>
-        <help><![CDATA[The length of the period over which the average is measured. It reports the average outgoing bytes rate over that period, in bytes per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
+        <help><![CDATA[The length of the period over which the average is measured. It reports the average incoming session rate over that period, in sessions per period. Defaults to milliseconds. Optionally the unit may be specified as either "d", "h", "m", "s", "ms" or "us".]]></help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index d246d19716..b8b76a2ebf 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -758,19 +758,32 @@
                     <Required>N</Required>
                     <Multiple>Y</Multiple>
                     <OptionValues>
-                        <conn_cnt>Connection count</conn_cnt>
-                        <conn_cur>Current connections</conn_cur>
-                        <conn_rate>Connection rate</conn_rate>
-                        <sess_cnt>Session count</sess_cnt>
-                        <sess_rate>Session rate</sess_rate>
-                        <http_req_cnt>HTTP request count</http_req_cnt>
-                        <http_req_rate>HTTP request rate</http_req_rate>
-                        <http_err_cnt>HTTP error count</http_err_cnt>
-                        <http_err_rate>HTTP error rate</http_err_rate>
                         <bytes_in_cnt>Bytes in count (client to server)</bytes_in_cnt>
                         <bytes_in_rate>Bytes in rate (client to server)</bytes_in_rate>
                         <bytes_out_cnt>Bytes out count (server to client)</bytes_out_cnt>
                         <bytes_out_rate>Bytes out rate (server to client)</bytes_out_rate>
+                        <conn_cnt>Connection count (total)</conn_cnt>
+                        <conn_cur>Connection count (current)</conn_cur>
+                        <conn_rate>Connection rate</conn_rate>
+                        <glitch_cnt>Glitch count</glitch_cnt>
+                        <glitch_rate>Glitch rate</glitch_rate>
+                        <gpc>General Purpose Counters (array of elements)</gpc>
+                        <gpc_rate>General Purpose Counter rate</gpc_rate>
+                        <gpc0>gpc0</gpc0>
+                        <gpc0_rate>gpc0 rate</gpc0_rate>
+                        <gpc1>gpc1</gpc1>
+                        <gpc1_rate>gpc1 rate</gpc1_rate>
+                        <gpt>General Purpose Tags (array of elements)</gpt>
+                        <gpt0>gpt0</gpt0>
+                        <http_err_cnt>HTTP error count</http_err_cnt>
+                        <http_err_rate>HTTP error rate</http_err_rate>
+                        <http_fail_cnt>HTTP fail count</http_fail_cnt>
+                        <http_fail_rate>HTTP fail rate</http_fail_rate>
+                        <http_req_cnt>HTTP request count</http_req_cnt>
+                        <http_req_rate>HTTP request rate</http_req_rate>
+                        <server_id>Server ID</server_id>
+                        <sess_cnt>Session count</sess_cnt>
+                        <sess_rate>Session rate</sess_rate>
                     </OptionValues>
                 </stickiness_dataTypes>
                 <stickiness_expire type="TextField">
@@ -839,6 +852,38 @@
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_bytesOutRatePeriod>
+                <stickiness_gpcElements type="IntegerField">
+                    <Default>0</Default>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_gpcElements>
+                <stickiness_gpcRatePeriod type="TextField">
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_gpcRatePeriod>
+                <stickiness_gptElements type="IntegerField">
+                    <Default>0</Default>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_gptElements>
+                <stickiness_httpFailRatePeriod type="TextField">
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_httpFailRatePeriod>
+                <stickiness_glitchRatePeriod type="TextField">
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_glitchRatePeriod>
                 <http2Enabled type="BooleanField">
                     <Default>1</Default>
                     <Required>N</Required>
@@ -1169,19 +1214,32 @@
                     <Required>N</Required>
                     <Multiple>Y</Multiple>
                     <OptionValues>
-                        <conn_cnt>Connection count</conn_cnt>
-                        <conn_cur>Current connections</conn_cur>
-                        <conn_rate>Connection rate</conn_rate>
-                        <sess_cnt>Session count</sess_cnt>
-                        <sess_rate>Session rate</sess_rate>
-                        <http_req_cnt>HTTP request count</http_req_cnt>
-                        <http_req_rate>HTTP request rate</http_req_rate>
-                        <http_err_cnt>HTTP error count</http_err_cnt>
-                        <http_err_rate>HTTP error rate</http_err_rate>
                         <bytes_in_cnt>Bytes in count (client to server)</bytes_in_cnt>
                         <bytes_in_rate>Bytes in rate (client to server)</bytes_in_rate>
                         <bytes_out_cnt>Bytes out count (server to client)</bytes_out_cnt>
                         <bytes_out_rate>Bytes out rate (server to client)</bytes_out_rate>
+                        <conn_cnt>Connection count (total)</conn_cnt>
+                        <conn_cur>Connection count (current)</conn_cur>
+                        <conn_rate>Connection rate</conn_rate>
+                        <glitch_cnt>Glitch count</glitch_cnt>
+                        <glitch_rate>Glitch rate</glitch_rate>
+                        <gpc>General Purpose Counters (array of elements)</gpc>
+                        <gpc_rate>General Purpose Counter rate</gpc_rate>
+                        <gpc0>gpc0</gpc0>
+                        <gpc0_rate>gpc0 rate</gpc0_rate>
+                        <gpc1>gpc1</gpc1>
+                        <gpc1_rate>gpc1 rate</gpc1_rate>
+                        <gpt>General Purpose Tags (array of elements)</gpt>
+                        <gpt0>gpt0</gpt0>
+                        <http_err_cnt>HTTP error count</http_err_cnt>
+                        <http_err_rate>HTTP error rate</http_err_rate>
+                        <http_fail_cnt>HTTP fail count</http_fail_cnt>
+                        <http_fail_rate>HTTP fail rate</http_fail_rate>
+                        <http_req_cnt>HTTP request count</http_req_cnt>
+                        <http_req_rate>HTTP request rate</http_req_rate>
+                        <server_id>Server ID</server_id>
+                        <sess_cnt>Session count</sess_cnt>
+                        <sess_rate>Session rate</sess_rate>
                     </OptionValues>
                 </stickiness_dataTypes>
                 <stickiness_expire type="TextField">
@@ -1209,6 +1267,12 @@
                     <ValidationMessage>Please specify a value between 1 and 10000.</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_cookielength>
+                <stickiness_length type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>16384</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 16384.</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_length>
                 <stickiness_connRatePeriod type="TextField">
                     <Default>10s</Default>
                     <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
@@ -1245,6 +1309,38 @@
                     <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
                     <Required>N</Required>
                 </stickiness_bytesOutRatePeriod>
+                <stickiness_gpcElements type="IntegerField">
+                    <Default>0</Default>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_gpcElements>
+                <stickiness_gptElements type="IntegerField">
+                    <Default>0</Default>
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>99</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_gptElements>
+                <stickiness_gpcRatePeriod type="TextField">
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_gpcRatePeriod>
+                <stickiness_httpFailRatePeriod type="TextField">
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_httpFailRatePeriod>
+                <stickiness_glitchRatePeriod type="TextField">
+                    <Default>1m</Default>
+                    <Mask>/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u</Mask>
+                    <ValidationMessage>Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us".</ValidationMessage>
+                    <Required>N</Required>
+                </stickiness_glitchRatePeriod>
                 <basicAuthEnabled type="BooleanField">
                     <Default>0</Default>
                     <Required>N</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 0e2688315e..3e2a42ba84 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -694,18 +694,28 @@
 {%         set stickiness_datatypes = [] %}
 {%         for datatype in proxy.stickiness_dataTypes.split(",") %}
 {#           # add time period to all types where this is required #}
-{%           if datatype == 'conn_rate' %}
-{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_connRatePeriod ~ ')') %}
-{%           elif datatype == 'sess_rate' %}
-{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_sessRatePeriod ~ ')') %}
-{%           elif datatype == 'http_req_rate' %}
-{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpReqRatePeriod ~ ')') %}
-{%           elif datatype == 'http_err_rate' %}
-{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpErrRatePeriod ~ ')') %}
-{%           elif datatype == 'bytes_in_rate' %}
+{%           if datatype == 'bytes_in_rate' %}
 {%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_bytesInRatePeriod ~ ')') %}
 {%           elif datatype == 'bytes_out_rate' %}
 {%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_bytesOutRatePeriod ~ ')') %}
+{%           elif datatype == 'conn_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_connRatePeriod ~ ')') %}
+{%           elif datatype == 'glitch_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_glitchRatePeriod ~ ')') %}
+{%           elif datatype == 'gpc_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_gpcElements ~ ',' ~ proxy.stickiness_gpcRatePeriod ~ ')') %}
+{%           elif datatype == 'gpc0_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_gpcRatePeriod ~ ')') %}
+{%           elif datatype == 'gpc1_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_gpcRatePeriod ~ ')') %}
+{%           elif datatype == 'http_err_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpErrRatePeriod ~ ')') %}
+{%           elif datatype == 'http_fail_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpFailRatePeriod ~ ')') %}
+{%           elif datatype == 'http_req_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpReqRatePeriod ~ ')') %}
+{%           elif datatype == 'sess_rate' %}
+{%             do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_sessRatePeriod ~ ')') %}
 {%           else %}
 {%             do stickiness_datatypes.append(datatype) %}
 {%           endif %}

From c1b50f084e43aecb129236114085d380b05b6b26 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 27 Jan 2026 15:27:58 +0100
Subject: [PATCH 2934/3088] net/haproxy: replace stick-table type "ip" with
 "ipv4", refs #5147

---
 net/haproxy/pkg-descr                                           | 1 +
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf    | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index aefc012eb2..89fccb69b2 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -28,6 +28,7 @@ Changed:
 * rename some labels in rules
 * change LUA boolean conversion (see tune.lua.bool-sample-conversion)
 * stick-table "size" and "expiration time" are no longer advanced options (now always visible)
+* replace stick-table type "ip" with "ipv4" (#5147)
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 3e2a42ba84..29d8452884 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -724,7 +724,7 @@
 {%       endif %}
 {#       # check stick-table type #}
 {%       if proxy.stickiness_pattern == "sourceipv4" or proxy.stickiness_pattern == "ipv4" %}
-{%         set table_type = 'ip' %}
+{%         set table_type = 'ipv4' %}
 {%       elif proxy.stickiness_pattern == "sourceipv6" or proxy.stickiness_pattern == "ipv6" %}
 {%         set table_type = 'ipv6' %}
 {%       elif proxy.stickiness_pattern == "cookievalue" or proxy.stickiness_pattern == "string" %}

From 6e0fd49774329b463676054acc0167b3a7a89bba Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 27 Jan 2026 15:33:28 +0100
Subject: [PATCH 2935/3088] net/haproxy: major release 5.0

---
 net/haproxy/Makefile                                         | 2 +-
 net/haproxy/pkg-descr                                        | 5 ++++-
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 2 +-
 .../OPNsense/HAProxy/Migrations/{M4_2_0.php => M5_0_0.php}   | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)
 rename net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/{M4_2_0.php => M5_0_0.php} (99%)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 65a0022a09..bc5ac0c84e 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.7
+PLUGIN_VERSION=		5.0
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 89fccb69b2..25c5a7d052 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,7 +6,10 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
-4.7
+5.0
+
+WARNING: This is a new major release, which may result in
+incompatible changes for some users.
 
 Added:
 * add support for HTTP/3 over QUIC to frontends (#4341)
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index b8b76a2ebf..9326743dae 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/HAProxy</mount>
-    <version>4.2.0</version>
+    <version>5.0.0</version>
     <description>the HAProxy load balancer</description>
     <items>
         <general>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
similarity index 99%
rename from net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php
rename to net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
index e8c713f8d8..3fd4fdcc6c 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
@@ -32,7 +32,7 @@
 
 use OPNsense\Base\BaseModelMigration;
 
-class M4_2_0 extends BaseModelMigration
+class M5_0_0 extends BaseModelMigration
 {
     public function run($model)
     {

From 4212ffea8c2c287c1ad9daba23590bfac857be10 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 28 Jan 2026 14:06:56 +0100
Subject: [PATCH 2936/3088] sysutils/git-backup: fix missing target dir

PR: https://forum.opnsense.org/index.php?topic=50542.0
---
 sysutils/git-backup/Makefile                                    | 2 +-
 .../src/opnsense/mvc/app/library/OPNsense/Backup/Git.php        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sysutils/git-backup/Makefile b/sysutils/git-backup/Makefile
index 65ebacdb40..5ac1f91b85 100644
--- a/sysutils/git-backup/Makefile
+++ b/sysutils/git-backup/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		git-backup
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Track config changes using git
 PLUGIN_DEPENDS=		git
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
index f780a5500f..ab15998383 100644
--- a/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
+++ b/sysutils/git-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Git.php
@@ -179,7 +179,7 @@ public function backup()
             $gitfrmt[] = '--force';
         }
         $gitfrmt[] = 'origin %s && echo "__exit_ok__") 2>&1';
-        $pushtxt = Shell::shell_safe($gitfrmt, "master:{$mdl->branch}");
+        $pushtxt = Shell::shell_safe($gitfrmt, [$targetdir, "master:{$mdl->branch}"]);
 
         if (strpos($pushtxt, '__exit_ok__')) {
             $error_type = null;

From c38013625856dc5911c4ea2bcba2d92313e177eb Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 28 Jan 2026 14:06:47 +0100
Subject: [PATCH 2937/3088] net/haproxy: add support for GPC/GPT/SC, refs #1123
 refs #5109

---
 net/haproxy/pkg-descr                         |   2 +
 .../OPNsense/HAProxy/forms/dialogAcl.xml      | 450 +++++++++++++-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 552 ++++++++++++++++--
 .../templates/OPNsense/HAProxy/haproxy.conf   | 535 ++++++++++++++---
 4 files changed, 1387 insertions(+), 152 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 25c5a7d052..a7d97e8b0a 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -24,6 +24,7 @@ Added:
 * add all action keywords for http-request/-response and tcp-request/-response rules
 * add "enabled" field to rules
 * add support for all stick-table data types
+* add support for GPC/GPT/SC to conditions (#1123, #5109)
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
@@ -32,6 +33,7 @@ Changed:
 * change LUA boolean conversion (see tune.lua.bool-sample-conversion)
 * stick-table "size" and "expiration time" are no longer advanced options (now always visible)
 * replace stick-table type "ip" with "ipv4" (#5147)
+* show the actual HAProxy option name in conditions for clarity
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 18298899ef..e2d3cc7fe7 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -19,7 +19,7 @@
         <id>acl.expression</id>
         <label>Condition type</label>
         <type>dropdown</type>
-        <hint>Select condition type.</hint>
+        <help><![CDATA[Choose the condition type. Note that a wide range of sample fetch methods is either available in <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#7.3.3">layer 4</a> or <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#7.3.6">layer 7</a>. The syntax check will show errors when using an incompatible sample fetch method.]]></help>
     </field>
     <field>
         <id>acl.negate</id>
@@ -629,4 +629,452 @@
         <type>textbox</type>
         <help><![CDATA[Specify a HAProxy condition/ACL that is currently not supported by the GUI.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_bytes_in_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_bytes_in_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_bytes_in_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_bytes_out_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_bytes_out_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_bytes_out_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_clr_gpc</style>
+    </field>
+    <field>
+        <id>acl.sc_clr_gpc_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_clr_gpc</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_conn_cnt</style>
+    </field>
+    <field>
+        <id>acl.sc_conn_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_conn_cnt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_conn_cur</style>
+    </field>
+    <field>
+        <id>acl.sc_conn_cur_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_conn_cur</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_conn_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_conn_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_conn_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_get_gpc</style>
+    </field>
+    <field>
+        <id>acl.sc_get_gpc_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_get_gpc</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_get_gpt</style>
+    </field>
+    <field>
+        <id>acl.sc_get_gpt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_get_gpt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_glitch_cnt</style>
+    </field>
+    <field>
+        <id>acl.sc_glitch_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_glitch_cnt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_glitch_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_glitch_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_glitch_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_gpc_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_gpc_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_gpc_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_http_err_cnt</style>
+    </field>
+    <field>
+        <id>acl.sc_http_err_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_http_err_cnt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_http_err_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_http_err_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_http_err_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_http_fail_cnt</style>
+    </field>
+    <field>
+        <id>acl.sc_http_fail_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_http_fail_cnt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_http_fail_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_http_fail_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_http_fail_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_http_req_cnt</style>
+    </field>
+    <field>
+        <id>acl.sc_http_req_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_http_req_cnt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_http_req_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_http_req_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_http_req_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_inc_gpc</style>
+    </field>
+    <field>
+        <id>acl.sc_inc_gpc_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_inc_gpc</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_sess_cnt</style>
+    </field>
+    <field>
+        <id>acl.sc_sess_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_sess_cnt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_sess_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_sess_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_sess_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_get_gpc</style>
+    </field>
+    <field>
+        <id>acl.src_get_gpc_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_get_gpc</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_get_gpt</style>
+    </field>
+    <field>
+        <id>acl.src_get_gpt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_get_gpt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_glitch_cnt</style>
+    </field>
+    <field>
+        <id>acl.src_glitch_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_glitch_cnt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_glitch_rate</style>
+    </field>
+    <field>
+        <id>acl.src_glitch_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_glitch_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_gpc_rate</style>
+    </field>
+    <field>
+        <id>acl.src_gpc_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_gpc_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_http_fail_cnt</style>
+    </field>
+    <field>
+        <id>acl.src_http_fail_cnt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_http_fail_cnt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_http_fail_rate</style>
+    </field>
+    <field>
+        <id>acl.src_http_fail_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_http_fail_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_inc_gpc</style>
+    </field>
+    <field>
+        <id>acl.src_inc_gpc_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_inc_gpc</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Conditional Parameters</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>acl.gpc_number</id>
+        <label>GPC number</label>
+        <type>text</type>
+        <help><![CDATA[Refers to the number of the General Purpose Counter, e.g. 0 or 1 when using gpc0 or gpc1 respectively. This value will be ignored in rules that do not support GPC.]]></help>
+    </field>
+    <field>
+        <id>acl.gpt_number</id>
+        <label>GPT number</label>
+        <type>text</type>
+        <help><![CDATA[Refers to the number of the General Purpose Tag, e.g. 0 or 1 when using gpt0 or gpt1 respectively. This value will be ignored in rules that do not support GPT.]]></help>
+    </field>
+    <field>
+        <id>acl.sc_number</id>
+        <label>SC number</label>
+        <type>text</type>
+        <help><![CDATA[Refers to the number of the Stick Counter, e.g. 0 or 1 when using sc0 or sc1 respectively. This value will be ignored in rules that do not support SC.]]></help>
+    </field>
+    <field>
+        <id>acl.table_name</id>
+        <label>Table name</label>
+        <type>text</type>
+        <help><![CDATA[Specifies the name of a stick-table that will be used for key lookups. This is usually the name of the backend/frontend where the stick-stable is configured. When nothing is specified, the stick-table of the current backend/frontend will be used.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 9326743dae..9ed90cbb18 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1817,63 +1817,87 @@
                 <expression type="OptionField">
                     <Required>Y</Required>
                     <OptionValues>
-                        <stopping>HAProxy process is currently stopping</stopping>
-                        <http_auth>HTTP Basic Auth: username/password from client matches selected User/Group</http_auth>
-                        <hdr_beg>Host starts with</hdr_beg>
-                        <hdr_end>Host ends with</hdr_end>
-                        <hdr>Host matches</hdr>
-                        <hdr_reg>Host regex</hdr_reg>
-                        <hdr_sub>Host contains</hdr_sub>
-                        <path_beg>Path starts with</path_beg>
-                        <path_end>Path ends with</path_end>
-                        <path>Path matches</path>
-                        <path_reg>Path regex</path_reg>
-                        <path_dir>Path contains subdir</path_dir>
-                        <path_sub>Path contains string</path_sub>
-                        <cust_hdr_beg>HTTP Header starts with</cust_hdr_beg>
-                        <cust_hdr_end>HTTP Header ends with</cust_hdr_end>
-                        <cust_hdr>HTTP Header matches</cust_hdr>
-                        <cust_hdr_reg>HTTP Header regex</cust_hdr_reg>
-                        <cust_hdr_sub>HTTP Header contains</cust_hdr_sub>
-                        <http_method>HTTP Method</http_method>
-                        <wait_end>Inspection period is over (WAIT_END)</wait_end>
-                        <quic_enabled>QUIC transport protocol is enabled</quic_enabled>
-                        <url_param>URL parameter contains</url_param>
-                        <ssl_c_verify>SSL Client certificate is valid</ssl_c_verify>
-                        <ssl_c_verify_code>SSL Client certificate verify error result</ssl_c_verify_code>
-                        <ssl_c_ca_commonname>SSL Client certificate issued by CA common-name</ssl_c_ca_commonname>
-                        <ssl_hello_type>SSL Hello Type</ssl_hello_type>
-                        <src>Source IP matches specified IP</src>
-                        <src_is_local>Source IP is local</src_is_local>
-                        <src_port>Source IP: TCP source port</src_port>
-                        <src_bytes_in_rate>Source IP: incoming bytes rate</src_bytes_in_rate>
-                        <src_bytes_out_rate>Source IP: outgoing bytes rate</src_bytes_out_rate>
-                        <src_kbytes_in>Source IP: amount of data received (in kilobytes)</src_kbytes_in>
-                        <src_kbytes_out>Source IP: amount of data sent (in kilobytes)</src_kbytes_out>
-                        <!-- <src_clr_gpc0>Source IP: clear first General Purpose Counter</src_clr_gpc0> -->
-                        <src_conn_cnt>Source IP: cumulative number of connections</src_conn_cnt>
-                        <src_conn_cur>Source IP: concurrent connections</src_conn_cur>
-                        <src_conn_rate>Source IP: connection rate</src_conn_rate>
-                        <!-- <src_get_gpc0>Source IP: get first General Purpose Counter</src_get_gpc0> -->
-                        <!-- <src_get_gpt0>Source IP: get first General Purpose Tag</src_get_gpt0> -->
-                        <!-- <src_gpc0_rate>Source IP: increment rate of the first General Purpose Counter</src_gpc0_rate> -->
-                        <src_http_err_cnt>Source IP: cumulative number of HTTP errors</src_http_err_cnt>
-                        <src_http_err_rate>Source IP: rate of HTTP errors</src_http_err_rate>
-                        <src_http_req_cnt>Source IP: number of HTTP requests</src_http_req_cnt>
-                        <src_http_req_rate>Source IP: rate of HTTP requests</src_http_req_rate>
-                        <!-- <src_inc_gpc0>Source IP: increment the first General Purpose Counter</src_inc_gpc0> -->
-                        <src_sess_cnt>Source IP: cumulative number of sessions</src_sess_cnt>
-                        <src_sess_rate>Source IP: session rate</src_sess_rate>
-                        <nbsrv>Minimum number of usable servers in backend</nbsrv>
-                        <traffic_is_http>Traffic is HTTP</traffic_is_http>
-                        <traffic_is_ssl>Traffic is SSL (TCP request content inspection)</traffic_is_ssl>
-                        <ssl_fc>Traffic is SSL (locally deciphered)</ssl_fc>
-                        <ssl_fc_sni>SNI TLS extension matches (locally deciphered)</ssl_fc_sni>
-                        <ssl_sni>SNI TLS extension matches (TCP request content inspection)</ssl_sni>
-                        <ssl_sni_sub>SNI TLS extension contains (TCP request content inspection)</ssl_sni_sub>
-                        <ssl_sni_beg>SNI TLS extension starts with (TCP request content inspection)</ssl_sni_beg>
-                        <ssl_sni_end>SNI TLS extension ends with (TCP request content inspection)</ssl_sni_end>
-                        <ssl_sni_reg>SNI TLS extension regex (TCP request content inspection)</ssl_sni_reg>
+                        <cust_hdr_beg>hdr_beg – specified HTTP Header starts with</cust_hdr_beg>
+                        <cust_hdr_end>hdr_end – specified HTTP Header ends with</cust_hdr_end>
+                        <cust_hdr>hdr – specified HTTP Header matches</cust_hdr>
+                        <cust_hdr_reg>hdr_reg – specified HTTP Header regex</cust_hdr_reg>
+                        <cust_hdr_sub>hdr_sub – specified HTTP Header contains</cust_hdr_sub>
+                        <hdr_beg>hdr_beg – HTTP Host Header starts with</hdr_beg>
+                        <hdr_end>hdr_end – HTTP Host Header ends with</hdr_end>
+                        <hdr>hdr – HTTP Host Header matches</hdr>
+                        <hdr_reg>hdr_reg – HTTP Host Header regex</hdr_reg>
+                        <hdr_sub>hdr_sub – HTTP Host Header contains</hdr_sub>
+                        <http_auth>http_auth – HTTP Basic Auth: username/password from client matches selected User/Group</http_auth>
+                        <http_method>http_method – HTTP Method</http_method>
+                        <nbsrv>nbsrv – Minimum number of usable servers in backend</nbsrv>
+                        <path_beg>path_beg – Path starts with</path_beg>
+                        <path_dir>path_dir – Path contains subdir</path_dir>
+                        <path_end>path_end – Path ends with</path_end>
+                        <path>path – Path matches</path>
+                        <path_reg>path_reg – Path regex</path_reg>
+                        <path_sub>path_sub – Path contains string</path_sub>
+                        <quic_enabled>quic_enabled – QUIC transport protocol is enabled</quic_enabled>
+                        <traffic_is_http>req.proto_http – Traffic is HTTP</traffic_is_http>
+                        <traffic_is_ssl>req.ssl_ver – Traffic is SSL (TCP request content inspection)</traffic_is_ssl>
+                        <sc_bytes_in_rate>sc_bytes_in_rate – Sticky counter: incoming bytes rate</sc_bytes_in_rate>
+                        <sc_bytes_out_rate>sc_bytes_out_rate – Sticky counter: outgoing bytes rate</sc_bytes_out_rate>
+                        <sc_clr_gpc>sc_clr_gpc – Sticky counter: clear General Purpose Counter</sc_clr_gpc>
+                        <sc_conn_cnt>sc_conn_cnt – Sticky counter: cumulative number of connections</sc_conn_cnt>
+                        <sc_conn_cur>sc_conn_cur – Sticky counter: concurrent connections</sc_conn_cur>
+                        <sc_conn_rate>sc_conn_rate – Sticky counter: connection rate</sc_conn_rate>
+                        <sc_get_gpc>sc_get_gpc – Sticky counter: get General Purpose Counter value</sc_get_gpc>
+                        <sc_get_gpt>sc_get_gpt – Sticky counter: get General Purpose Tag value</sc_get_gpt>
+                        <sc_glitch_cnt>sc_glitch_cnt – Sticky counter: cumulative number of glitches</sc_glitch_cnt>
+                        <sc_glitch_rate>sc_glitch_rate – Sticky counter: rate of glitches</sc_glitch_rate>
+                        <sc_gpc_rate>sc_gpc_rate – Sticky counter: increment rate of General Purpose Counter</sc_gpc_rate>
+                        <sc_http_err_cnt>sc_http_err_cnt – Sticky counter: cumulative number of HTTP errors</sc_http_err_cnt>
+                        <sc_http_err_rate>sc_http_err_rate – Sticky counter: rate of HTTP errors</sc_http_err_rate>
+                        <sc_http_fail_cnt>sc_http_fail_cnt – Sticky counter: cumulative number of HTTP failures</sc_http_fail_cnt>
+                        <sc_http_fail_rate>sc_http_fail_rate – Sticky counter: rate of HTTP failures</sc_http_fail_rate>
+                        <sc_http_req_cnt>sc_http_req_cnt – Sticky counter: cumulative number of HTTP requests</sc_http_req_cnt>
+                        <sc_http_req_rate>sc_http_req_rate – Sticky counter: rate of HTTP requests</sc_http_req_rate>
+                        <sc_inc_gpc>sc_inc_gpc – Sticky counter: increment General Purpose Counter</sc_inc_gpc>
+                        <sc_sess_cnt>sc_sess_cnt – Sticky counter: cumulative number of sessions</sc_sess_cnt>
+                        <sc_sess_rate>sc_sess_rate – Sticky counter: session rate</sc_sess_rate>
+                        <src_bytes_in_rate>src_bytes_in_rate – Source IP: incoming bytes rate</src_bytes_in_rate>
+                        <src_bytes_out_rate>src_bytes_out_rate – Source IP: outgoing bytes rate</src_bytes_out_rate>
+                        <src_clr_gpc>Source IP: clear General Purpose Counter</src_clr_gpc>
+                        <src_conn_cnt>src_conn_cnt – Source IP: cumulative number of connections</src_conn_cnt>
+                        <src_conn_cur>src_conn_cur – Source IP: concurrent connections</src_conn_cur>
+                        <src_conn_rate>src_conn_rate – Source IP: connection rate</src_conn_rate>
+                        <src_get_gpc>src_get_gpc – Source IP: get General Purpose Counter value</src_get_gpc>
+                        <src_get_gpt>src_get_gpt – Source IP: get General Purpose Tag value</src_get_gpt>
+                        <src_glitch_cnt>src_glitch_cnt – Source IP: cumulative number of glitches</src_glitch_cnt>
+                        <src_glitch_rate>src_glitch_rate – Source IP: rate of glitches</src_glitch_rate>
+                        <src_gpc_rate>src_gpc_rate – Source IP: increment rate of General Purpose Counter</src_gpc_rate>
+                        <src_http_err_cnt>src_http_err_cnt – Source IP: cumulative number of HTTP errors</src_http_err_cnt>
+                        <src_http_err_rate>src_http_err_rate – Source IP: rate of HTTP errors</src_http_err_rate>
+                        <src_http_fail_cnt>src_http_fail_cnt – Source IP: cumulative number of HTTP failures</src_http_fail_cnt>
+                        <src_http_fail_rate>src_http_fail_rate – Source IP: rate of HTTP failures</src_http_fail_rate>
+                        <src_http_req_cnt>src_http_req_cnt – Source IP: number of HTTP requests</src_http_req_cnt>
+                        <src_http_req_rate>src_http_req_rate – Source IP: rate of HTTP requests</src_http_req_rate>
+                        <src_inc_gpc>src_inc_gpc – Source IP: increment General Purpose Counter</src_inc_gpc>
+                        <src_is_local>src_is_local – Source IP is local</src_is_local>
+                        <src_kbytes_in>src_kbytes_in – Source IP: amount of data received (in kilobytes)</src_kbytes_in>
+                        <src_kbytes_out>src_kbytes_out – Source IP: amount of data sent (in kilobytes)</src_kbytes_out>
+                        <src_port>src_port – Source IP: TCP source port</src_port>
+                        <src_sess_cnt>src_sess_cnt – Source IP: cumulative number of sessions</src_sess_cnt>
+                        <src_sess_rate>src_sess_rate – Source IP: session rate</src_sess_rate>
+                        <src>src – Source IP matches specified IP</src>
+                        <ssl_c_ca_commonname>ssl_c_ca_commonname – SSL Client certificate issued by CA common-name</ssl_c_ca_commonname>
+                        <ssl_c_verify_code>ssl_c_verify_code – SSL Client certificate verify error result</ssl_c_verify_code>
+                        <ssl_c_verify>ssl_c_verify – SSL Client certificate is valid</ssl_c_verify>
+                        <ssl_fc_sni>ssl_fc_sni – SNI TLS extension matches (locally deciphered)</ssl_fc_sni>
+                        <ssl_fc>ssl_fc – Traffic is SSL (locally deciphered)</ssl_fc>
+                        <ssl_hello_type>ssl_hello_type – SSL Hello Type</ssl_hello_type>
+                        <ssl_sni_beg>ssl_sni_beg – SNI TLS extension starts with (TCP request content inspection)</ssl_sni_beg>
+                        <ssl_sni_end>ssl_sni_end – SNI TLS extension ends with (TCP request content inspection)</ssl_sni_end>
+                        <ssl_sni_reg>ssl_sni_reg – SNI TLS extension regex (TCP request content inspection)</ssl_sni_reg>
+                        <ssl_sni>ssl_sni – SNI TLS extension matches (TCP request content inspection)</ssl_sni>
+                        <ssl_sni_sub>ssl_sni_sub – SNI TLS extension contains (TCP request content inspection)</ssl_sni_sub>
+                        <stopping>stopping – HAProxy process is currently stopping</stopping>
+                        <url_param>url_param – URL parameter contains</url_param>
+                        <wait_end>wait_end – Inspection period is over</wait_end>
                         <custom_acl>Custom condition (option pass-through)</custom_acl>
                     </OptionValues>
                 </expression>
@@ -2320,6 +2344,420 @@
                         <TRACE>TRACE</TRACE>
                     </OptionValues>
                 </http_method>
+                <sc_bytes_in_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_bytes_in_rate_comparison>
+                <sc_bytes_in_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_bytes_in_rate>
+                <sc_bytes_out_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_bytes_out_rate_comparison>
+                <sc_bytes_out_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_bytes_out_rate>
+                <sc_clr_gpc_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_clr_gpc_comparison>
+                <sc_clr_gpc type="IntegerField">
+                    <Required>N</Required>
+                </sc_clr_gpc>
+                <sc_conn_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_conn_cnt_comparison>
+                <sc_conn_cnt type="IntegerField">
+                    <Required>N</Required>
+                </sc_conn_cnt>
+                <sc_conn_cur_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_conn_cur_comparison>
+                <sc_conn_cur type="IntegerField">
+                    <Required>N</Required>
+                </sc_conn_cur>
+                <sc_conn_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_conn_rate_comparison>
+                <sc_conn_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_conn_rate>
+                <sc_get_gpc_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_get_gpc_comparison>
+                <sc_get_gpc type="IntegerField">
+                    <Required>N</Required>
+                </sc_get_gpc>
+                <sc_get_gpt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_get_gpt_comparison>
+                <sc_get_gpt type="IntegerField">
+                    <Required>N</Required>
+                </sc_get_gpt>
+                <sc_glitch_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_glitch_cnt_comparison>
+                <sc_glitch_cnt type="IntegerField">
+                    <Required>N</Required>
+                </sc_glitch_cnt>
+                <sc_glitch_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_glitch_rate_comparison>
+                <sc_glitch_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_glitch_rate>
+                <sc_gpc_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_gpc_rate_comparison>
+                <sc_gpc_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_gpc_rate>
+                <sc_http_err_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_http_err_cnt_comparison>
+                <sc_http_err_cnt type="IntegerField">
+                    <Required>N</Required>
+                </sc_http_err_cnt>
+                <sc_http_err_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_http_err_rate_comparison>
+                <sc_http_err_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_http_err_rate>
+                <sc_http_fail_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_http_fail_cnt_comparison>
+                <sc_http_fail_cnt type="IntegerField">
+                    <Required>N</Required>
+                </sc_http_fail_cnt>
+                <sc_http_fail_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_http_fail_rate_comparison>
+                <sc_http_fail_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_http_fail_rate>
+                <sc_http_req_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_http_req_cnt_comparison>
+                <sc_http_req_cnt type="IntegerField">
+                    <Required>N</Required>
+                </sc_http_req_cnt>
+                <sc_http_req_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_http_req_rate_comparison>
+                <sc_http_req_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_http_req_rate>
+                <sc_inc_gpc_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_inc_gpc_comparison>
+                <sc_inc_gpc type="IntegerField">
+                    <Required>N</Required>
+                </sc_inc_gpc>
+                <sc_sess_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_sess_cnt_comparison>
+                <sc_sess_cnt type="IntegerField">
+                    <Required>N</Required>
+                </sc_sess_cnt>
+                <sc_sess_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_sess_rate_comparison>
+                <sc_sess_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_sess_rate>
+                <src_get_gpc_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_get_gpc_comparison>
+                <src_get_gpc type="IntegerField">
+                    <Required>N</Required>
+                </src_get_gpc>
+                <src_get_gpt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_get_gpt_comparison>
+                <src_get_gpt type="IntegerField">
+                    <Required>N</Required>
+                </src_get_gpt>
+                <src_glitch_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_glitch_cnt_comparison>
+                <src_glitch_cnt type="IntegerField">
+                    <Required>N</Required>
+                </src_glitch_cnt>
+                <src_glitch_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_glitch_rate_comparison>
+                <src_glitch_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_glitch_rate>
+                <src_gpc_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_gpc_rate_comparison>
+                <src_gpc_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_gpc_rate>
+                <src_http_fail_cnt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_http_fail_cnt_comparison>
+                <src_http_fail_cnt type="IntegerField">
+                    <Required>N</Required>
+                </src_http_fail_cnt>
+                <src_http_fail_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_http_fail_rate_comparison>
+                <src_http_fail_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_http_fail_rate>
+                <src_inc_gpc_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_inc_gpc_comparison>
+                <src_inc_gpc type="IntegerField">
+                    <Required>N</Required>
+                </src_inc_gpc>
+                <gpc_number type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>100</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </gpc_number>
+                <gpt_number type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>100</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </gpt_number>
+                <sc_number type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>100</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </sc_number>
+                <table_name type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </table_name>
             </acl>
         </acls>
         <actions>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 29d8452884..8837f00040 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -41,7 +41,8 @@
 {# Macro expects a CSV list of Actions and validates them. #}
 {%- macro AclsAndActions(linkedData) -%}
 {%   if linkedData is defined %}
-{%     set acl_boolean_types = ['quic_enabled', 'stopping', 'wait_end'] %}
+{#     # a list of simple boolean ACL types #}
+{%     set acl_boolean_types = ['quic_enabled', 'src_is_local', 'stopping', 'wait_end'] %}
 {#     # remember all ACLs to avoid duplicate declarations #}
 {%     set acls_seen = [] %}
 {%     set global_action_options = [] %}
@@ -75,31 +76,57 @@
 {%             endif %}
 {%             do acls_seen.append(acl_data.id) %}
 {%             set acl_options = [] %}
-{%             if acl_data.expression == 'http_auth' %}
-{%               if acl_data.allowedUsers|default("") != "" or acl_data.allowedGroups|default("") != "" %}
-{%                 do acl_options.append('http_auth(acl_' ~ acl_data.id ~ ')') %}
+{%             if acl_data.expression == 'cust_hdr' %}
+{%               if acl_data.cust_hdr|default("") != "" and acl_data.cust_hdr_name|default("") != "" %}
+{%                 do acl_options.append('hdr(' ~ acl_data.cust_hdr_name ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.cust_hdr) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'hdr_beg' %}
-{%               if acl_data.hdr_beg|default("") != "" %}
-{%                 do acl_options.append('hdr_beg(host)') %}
+{%             elif acl_data.expression == 'cust_hdr_beg' %}
+{%               if acl_data.cust_hdr_beg|default("") != "" and acl_data.cust_hdr_beg_name|default("") != "" %}
+{%                 do acl_options.append('hdr_beg(' ~ acl_data.cust_hdr_beg_name ~ ')') %}
 {%                 if acl_data.caseSensitive|default('0') == '0' %}
 {%                   do acl_options.append('-i') %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.hdr_beg) %}
+{%                 do acl_options.append(acl_data.cust_hdr_beg) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'hdr_end' %}
-{%               if acl_data.hdr_end|default("") != "" %}
-{%                 do acl_options.append('hdr_end(host)') %}
+{%             elif acl_data.expression == 'cust_hdr_end' %}
+{%               if acl_data.cust_hdr_end|default("") != "" and acl_data.cust_hdr_end_name|default("") %}
+{%                 do acl_options.append('hdr_end(' ~ acl_data.cust_hdr_end_name ~ ')') %}
 {%                 if acl_data.caseSensitive|default('0') == '0' %}
 {%                   do acl_options.append('-i') %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.hdr_end) %}
+{%                 do acl_options.append(acl_data.cust_hdr_end) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'cust_hdr_reg' %}
+{%               if acl_data.cust_hdr_reg|default("") != "" and acl_data.cust_hdr_reg_name|default("") != "" %}
+{%                 do acl_options.append('hdr_reg(' ~ acl_data.cust_hdr_reg_name ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.cust_hdr_reg) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'cust_hdr_sub' %}
+{%               if acl_data.cust_hdr_sub|default("") != "" and acl_data.cust_hdr_sub_name|default("") != "" %}
+{%                 do acl_options.append('hdr_sub(' ~ acl_data.cust_hdr_sub_name ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.cust_hdr_sub) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -115,6 +142,28 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'hdr_beg' %}
+{%               if acl_data.hdr_beg|default("") != "" %}
+{%                 do acl_options.append('hdr_beg(host)') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.hdr_beg) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'hdr_end' %}
+{%               if acl_data.hdr_end|default("") != "" %}
+{%                 do acl_options.append('hdr_end(host)') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.hdr_end) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'hdr_reg' %}
 {%               if acl_data.hdr_reg|default("") != "" %}
 {%                 do acl_options.append('hdr_reg(host)') %}
@@ -137,6 +186,13 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'http_auth' %}
+{%               if acl_data.allowedUsers|default("") != "" or acl_data.allowedGroups|default("") != "" %}
+{%                 do acl_options.append('http_auth(acl_' ~ acl_data.id ~ ')') %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'http_method' %}
 {%               if acl_data.http_method|default("") != "" %}
 {%                 do acl_options.append('method ' ~ acl_data.http_method|replace(',', ' ')) %}
@@ -144,6 +200,30 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'nbsrv' %}
+{%               do acl_options.append('') %}
+{%               if acl_data.nbsrv|default("") != "" %}
+{%                 if acl_data.nbsrv_backend|default("") != "" %}
+{%                   set nbsrv_backend_data = helpers.getUUID(acl_data.nbsrv_backend) %}
+{%                   do acl_options.append('nbsrv(' ~ nbsrv_backend_data.name ~ ') ge ' ~ acl_data.nbsrv) %}
+{%                 else %}
+{%                   do acl_options.append('nbsrv ge ' ~ acl_data.nbsrv) %}
+{%                 endif %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'path' %}
+{%               if acl_data.path|default("") != "" %}
+{%                 do acl_options.append('path') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.path) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'path_beg' %}
 {%               if acl_data.path_beg|default("") != "" %}
 {%                 do acl_options.append('path_beg') %}
@@ -155,24 +235,24 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'path_end' %}
-{%               if acl_data.path_end|default("") != "" %}
-{%                 do acl_options.append('path_end') %}
+{%             elif acl_data.expression == 'path_dir' %}
+{%               if acl_data.path_dur|default("") != "" %}
+{%                 do acl_options.append('path_dir') %}
 {%                 if acl_data.caseSensitive|default('0') == '0' %}
 {%                   do acl_options.append('-i') %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.path_end) %}
+{%                 do acl_options.append(acl_data.path_dir) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'path' %}
-{%               if acl_data.path|default("") != "" %}
-{%                 do acl_options.append('path') %}
+{%             elif acl_data.expression == 'path_end' %}
+{%               if acl_data.path_end|default("") != "" %}
+{%                 do acl_options.append('path_end') %}
 {%                 if acl_data.caseSensitive|default('0') == '0' %}
 {%                   do acl_options.append('-i') %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.path) %}
+{%                 do acl_options.append(acl_data.path_end) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -188,139 +268,390 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'path_dir' %}
-{%               if acl_data.path_dur|default("") != "" %}
-{%                 do acl_options.append('path_dir') %}
+{%             elif acl_data.expression == 'path_sub' %}
+{%               if acl_data.path_sub|default("") != "" %}
+{%                 do acl_options.append('path_sub') %}
 {%                 if acl_data.caseSensitive|default('0') == '0' %}
 {%                   do acl_options.append('-i') %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.path_dir) %}
+{%                 do acl_options.append(acl_data.path_sub) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'path_sub' %}
-{%               if acl_data.path_sub|default("") != "" %}
-{%                 do acl_options.append('path_sub') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
+{%             elif acl_data.expression == 'src' %}
+{%               if acl_data.src|default("") != "" %}
+{%                 do acl_options.append('src ' ~ acl_data.src) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_bytes_in_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_bytes_in_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.path_sub) %}
+{%                 do acl_options.append('sc_bytes_in_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_bytes_in_rate_comparison ~ ' ' ~ acl_data.sc_bytes_in_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'cust_hdr_beg' %}
-{%               if acl_data.cust_hdr_beg|default("") != "" and acl_data.cust_hdr_beg_name|default("") != "" %}
-{%                 do acl_options.append('hdr_beg(' ~ acl_data.cust_hdr_beg_name ~ ')') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
+{%             elif acl_data.expression == 'sc_bytes_out_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_bytes_out_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.cust_hdr_beg) %}
+{%                 do acl_options.append('sc_bytes_out_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_bytes_out_rate_comparison ~ ' ' ~ acl_data.sc_bytes_out_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'cust_hdr_end' %}
-{%               if acl_data.cust_hdr_end|default("") != "" and acl_data.cust_hdr_end_name|default("") %}
-{%                 do acl_options.append('hdr_end(' ~ acl_data.cust_hdr_end_name ~ ')') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
+{%             elif acl_data.expression == 'sc_clr_gpc' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.gpc_number|default("") != "" and acl_data.sc_clr_gpc|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.cust_hdr_end) %}
+{%                 do acl_options.append('sc_clr_gpc(' ~ acl_data.gpc_number ~ ',' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_clr_gpc_comparison ~ ' ' ~ acl_data.sc_clr_gpc) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'cust_hdr' %}
-{%               if acl_data.cust_hdr|default("") != "" and acl_data.cust_hdr_name|default("") != "" %}
-{%                 do acl_options.append('hdr(' ~ acl_data.cust_hdr_name ~ ')') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
+{%             elif acl_data.expression == 'sc_conn_cnt' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_conn_cnt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.cust_hdr) %}
+{%                 do acl_options.append('sc_conn_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_conn_cnt_comparison ~ ' ' ~ acl_data.sc_conn_cnt) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'cust_hdr_reg' %}
-{%               if acl_data.cust_hdr_reg|default("") != "" and acl_data.cust_hdr_reg_name|default("") != "" %}
-{%                 do acl_options.append('hdr_reg(' ~ acl_data.cust_hdr_reg_name ~ ')') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
+{%             elif acl_data.expression == 'sc_conn_cur' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_conn_cur|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.cust_hdr_reg) %}
+{%                 do acl_options.append('sc_conn_cur(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_conn_cur_comparison ~ ' ' ~ acl_data.sc_conn_cur) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'cust_hdr_sub' %}
-{%               if acl_data.cust_hdr_sub|default("") != "" and acl_data.cust_hdr_sub_name|default("") != "" %}
-{%                 do acl_options.append('hdr_sub(' ~ acl_data.cust_hdr_sub_name ~ ')') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
+{%             elif acl_data.expression == 'sc_conn_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_conn_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.cust_hdr_sub) %}
+{%                 do acl_options.append('sc_conn_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_conn_rate_comparison ~ ' ' ~ acl_data.sc_conn_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'url_param' %}
-{%               if acl_data.url_param_value|default("") != "" and acl_data.url_param|default("") != "" %}
-{%                 do acl_options.append('url_param(' ~ acl_data.url_param ~ ')') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
+{%             elif acl_data.expression == 'sc_get_gpc' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.gpc_number|default("") != "" and acl_data.sc_get_gpc|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append(acl_data.url_param_value) %}
+{%                 do acl_options.append('sc_get_gpc(' ~ acl_data.gpc_number ~ ',' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_get_gpc_comparison ~ ' ' ~ acl_data.sc_get_gpc) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'ssl_c_verify_code' %}
-{%               if acl_data.ssl_c_verify_code|default("") != "" %}
-{%                 do acl_options.append('ssl_c_verify ' ~ acl_data.ssl_c_verify_code) %}
+{%             elif acl_data.expression == 'sc_get_gpt' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.gpt_number|default("") != "" and acl_data.sc_get_gpt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_get_gpt(' ~ acl_data.gpt_number ~ ',' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_get_gpt_comparison ~ ' ' ~ acl_data.sc_get_gpt) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'ssl_c_verify' %}
-{%               do acl_options.append('ssl_c_verify 0') %}
-{%             elif acl_data.expression == 'ssl_c_ca_commonname' %}
-{%               if acl_data.ssl_c_ca_commonname|default("") != "" %}
-{%                 do acl_options.append('ssl_c_i_dn(CN) ' ~ acl_data.ssl_c_ca_commonname) %}
+{%             elif acl_data.expression == 'sc_glitch_cnt' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_glitch_cnt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_glitch_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_glitch_cnt_comparison ~ ' ' ~ acl_data.sc_glitch_cnt) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'ssl_hello_type' %}
-{%               do acl_options.append('req.ssl_hello_type ' ~ acl_data.ssl_hello_type|replace('x', '')) %}
-{%             elif acl_data.expression == 'src' %}
-{%               if acl_data.src|default("") != "" %}
-{%                 do acl_options.append('src ' ~ acl_data.src) %}
+{%             elif acl_data.expression == 'sc_glitch_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_glitch_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_glitch_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_glitch_rate_comparison ~ ' ' ~ acl_data.sc_glitch_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_gpc_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.gpc_number|default("") != "" and acl_data.sc_gpc_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_gpc_rate(' ~ acl_data.gpc_number ~ ',' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_gpc_rate_comparison ~ ' ' ~ acl_data.sc_gpc_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_http_err_cnt' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_http_err_cnt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_err_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_err_cnt_comparison ~ ' ' ~ acl_data.sc_http_err_cnt) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_http_err_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_http_err_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_err_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_err_rate_comparison ~ ' ' ~ acl_data.sc_http_err_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_http_fail_cnt' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_http_fail_cnt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_fail_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_fail_cnt_comparison ~ ' ' ~ acl_data.sc_http_fail_cnt) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_http_fail_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_http_fail_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_fail_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_fail_rate_comparison ~ ' ' ~ acl_data.sc_http_fail_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_http_req_cnt' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_http_req_cnt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_req_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_req_cnt_comparison ~ ' ' ~ acl_data.sc_http_req_cnt) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_http_req_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_http_req_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_req_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_req_rate_comparison ~ ' ' ~ acl_data.sc_http_req_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_inc_gpc' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.gpc_number|default("") != "" and acl_data.sc_inc_gpc|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_inc_gpc(' ~ acl_data.gpc_number ~ ',' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_inc_gpc_comparison ~ ' ' ~ acl_data.sc_inc_gpc) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_sess_cnt' %}
+{%               if acl_data.sc_number|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" and acl_data.sc_sess_cnt|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_sess_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_sess_cnt_comparison ~ ' ' ~ acl_data.sc_sess_cnt) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_sess_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_sess_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_sess_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_sess_rate_comparison ~ ' ' ~ acl_data.sc_sess_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'src_is_local' %}
-{%               do acl_options.append('src_is_local') %}
 {%             elif acl_data.expression == 'src_bytes_in_rate' %}
 {%               do acl_options.append('src_bytes_in_rate ' ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %}
 {%             elif acl_data.expression == 'src_bytes_out_rate' %}
 {%               do acl_options.append('src_bytes_out_rate ' ~ acl_data.src_bytes_out_rate_comparison ~ ' ' ~ acl_data.src_bytes_out_rate) %}
+{%             elif acl_data.expression == 'src_clr_gpc' %}
+{%               if acl_data.gpc_number|default("") != "" and acl_data.src_clr_gpc|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_clr_gpc(' ~ acl_data.gpc_number ~ table_data ~ ') ' ~ acl_data.src_clr_gpc_comparison ~ ' ' ~ acl_data.src_clr_gpc) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'src_conn_cnt' %}
 {%               do acl_options.append('src_conn_cnt ' ~ acl_data.src_conn_cnt_comparison ~ ' ' ~ acl_data.src_conn_cnt) %}
 {%             elif acl_data.expression == 'src_conn_cur' %}
 {%               do acl_options.append('src_conn_cur ' ~ acl_data.src_conn_cur_comparison ~ ' ' ~ acl_data.src_conn_cur) %}
 {%             elif acl_data.expression == 'src_conn_rate' %}
 {%               do acl_options.append('src_conn_rate ' ~ acl_data.src_conn_rate_comparison ~ ' ' ~ acl_data.src_conn_rate) %}
+{%             elif acl_data.expression == 'src_get_gpc' %}
+{%               if acl_data.gpc_number|default("") != "" and acl_data.src_get_gpc|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_get_gpc(' ~ acl_data.gpc_number ~ table_data ~ ') ' ~ acl_data.src_get_gpc_comparison ~ ' ' ~ acl_data.src_get_gpc) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_get_gpt' %}
+{%               if acl_data.gpt_number|default("") != "" and acl_data.src_get_gpt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_get_gpt(' ~ acl_data.gpt_number ~ table_data ~ ') ' ~ acl_data.src_get_gpt_comparison ~ ' ' ~ acl_data.src_get_gpt) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_glitch_cnt' %}
+{%               if acl_data.src_glitch_cnt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_glitch_cnt' ~ table_data ~ ' ' ~ acl_data.src_glitch_cnt_comparison ~ ' ' ~ acl_data.src_glitch_cnt) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_glitch_rate' %}
+{%               if acl_data.src_glitch_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_glitch_rate' ~ table_data ~ ' ' ~ acl_data.src_glitch_rate_comparison ~ ' ' ~ acl_data.src_glitch_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_gpc_rate' %}
+{%               if acl_data.gpc_number|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_gpc_rate(' ~ acl_data.gpc_number ~ table_data ~ ') ' ~ acl_data.src_gpc_rate_comparison ~ ' ' ~ acl_data.src_gpc_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'src_http_err_cnt' %}
 {%               do acl_options.append('src_http_err_cnt ' ~ acl_data.src_http_err_cnt_comparison ~ ' ' ~ acl_data.src_http_err_cnt) %}
 {%             elif acl_data.expression == 'src_http_err_rate' %}
 {%               do acl_options.append('src_http_err_rate ' ~ acl_data.src_http_err_rate_comparison ~ ' ' ~ acl_data.src_http_err_rate) %}
+{%             elif acl_data.expression == 'src_http_fail_cnt' %}
+{%               if acl_data.src_http_fail_cnt|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_http_fail_cnt' ~ table_data ~ ' ' ~ acl_data.src_http_fail_cnt_comparison ~ ' ' ~ acl_data.src_http_fail_cnt) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_http_fail_rate' %}
+{%               if acl_data.src_http_fail_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_http_fail_rate' ~ table_data ~ ' ' ~ acl_data.src_http_fail_rate_comparison ~ ' ' ~ acl_data.src_http_fail_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'src_http_req_cnt' %}
 {%               do acl_options.append('src_http_req_cnt ' ~ acl_data.src_http_req_cnt_comparison ~ ' ' ~ acl_data.src_http_req_cnt) %}
 {%             elif acl_data.expression == 'src_http_req_rate' %}
 {%               do acl_options.append('src_http_req_rate ' ~ acl_data.src_http_req_rate_comparison ~ ' ' ~ acl_data.src_http_req_rate) %}
+{%             elif acl_data.expression == 'src_inc_gpc' %}
+{%               if acl_data.gpc_number|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_inc_gpc(' ~ acl_data.gpc_number ~ table_data ~ ') ' ~ acl_data.src_inc_gpc_comparison ~ ' ' ~ acl_data.src_inc_gpc ) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'src_kbytes_in' %}
 {%               do acl_options.append('src_kbytes_in ' ~ acl_data.src_kbytes_in_comparison ~ ' ' ~ acl_data.src_kbytes_in) %}
 {%             elif acl_data.expression == 'src_kbytes_out' %}
@@ -331,23 +662,22 @@
 {%               do acl_options.append('src_sess_cnt' ~ acl_data.src_sess_cnt_comparison ~ ' ' ~ acl_data.src_sess_cnt) %}
 {%             elif acl_data.expression == 'src_sess_rate' %}
 {%               do acl_options.append('src_sess_rate ' ~ acl_data.src_sess_rate_comparison ~ ' ' ~ acl_data.src_sess_rate) %}
-{%             elif acl_data.expression == 'nbsrv' %}
-{%               do acl_options.append('') %}
-{%               if acl_data.nbsrv|default("") != "" %}
-{%                 if acl_data.nbsrv_backend|default("") != "" %}
-{%                   set nbsrv_backend_data = helpers.getUUID(acl_data.nbsrv_backend) %}
-{%                   do acl_options.append('nbsrv(' ~ nbsrv_backend_data.name ~ ') ge ' ~ acl_data.nbsrv) %}
-{%                 else %}
-{%                   do acl_options.append('nbsrv ge ' ~ acl_data.nbsrv) %}
-{%                 endif %}
+{%             elif acl_data.expression == 'ssl_c_verify_code' %}
+{%               if acl_data.ssl_c_verify_code|default("") != "" %}
+{%                 do acl_options.append('ssl_c_verify ' ~ acl_data.ssl_c_verify_code) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'ssl_c_verify' %}
+{%               do acl_options.append('ssl_c_verify 0') %}
+{%             elif acl_data.expression == 'ssl_c_ca_commonname' %}
+{%               if acl_data.ssl_c_ca_commonname|default("") != "" %}
+{%                 do acl_options.append('ssl_c_i_dn(CN) ' ~ acl_data.ssl_c_ca_commonname) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'traffic_is_http' %}
-{%               do acl_options.append('req.proto_http') %}
-{%             elif acl_data.expression == 'traffic_is_ssl' %}
-{%               do acl_options.append('req.ssl_ver gt 0') %}
 {%             elif acl_data.expression == 'ssl_fc' %}
 {%               do acl_options.append('ssl_fc') %}
 {%             elif acl_data.expression == 'ssl_fc_sni' %}
@@ -357,6 +687,8 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'ssl_hello_type' %}
+{%               do acl_options.append('req.ssl_hello_type ' ~ acl_data.ssl_hello_type|replace('x', '')) %}
 {%             elif acl_data.expression == 'ssl_sni' %}
 {%               if acl_data.ssl_sni|default("") != "" %}
 {%                 do acl_options.append('req.ssl_sni') %}
@@ -412,6 +744,21 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'traffic_is_http' %}
+{%               do acl_options.append('req.proto_http') %}
+{%             elif acl_data.expression == 'traffic_is_ssl' %}
+{%               do acl_options.append('req.ssl_ver gt 0') %}
+{%             elif acl_data.expression == 'url_param' %}
+{%               if acl_data.url_param_value|default("") != "" and acl_data.url_param|default("") != "" %}
+{%                 do acl_options.append('url_param(' ~ acl_data.url_param ~ ')') %}
+{%                 if acl_data.caseSensitive|default('0') == '0' %}
+{%                   do acl_options.append('-i') %}
+{%                 endif %}
+{%                 do acl_options.append(acl_data.url_param_value) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {#             # handle boolean ACL types that do not require any input #}
 {%             elif acl_data.expression in acl_boolean_types %}
 {%               do acl_options.append(acl_data.expression) %}

From a4f2a6ba5cdd92ebd9ae1940e822db33c47df9b4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 28 Jan 2026 14:50:41 +0100
Subject: [PATCH 2938/3088] net/haproxy: add support for SSL SNI expressions,
 refs #3756

---
 net/haproxy/pkg-descr                                  |  1 +
 .../OPNsense/HAProxy/forms/dialogServer.xml            | 10 ++++++++--
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml        |  5 +++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf    |  2 ++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index a7d97e8b0a..691f992e20 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -25,6 +25,7 @@ Added:
 * add "enabled" field to rules
 * add support for all stick-table data types
 * add support for GPC/GPT/SC to conditions (#1123, #5109)
+* add support for SSL SNI expression to servers (#3756)
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
index 99db8ffab0..4dea54e117 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -117,9 +117,15 @@
     </field>
     <field>
         <id>server.sslSNI</id>
-        <label>SSL SNI</label>
+        <label>SSL SNI Name</label>
         <type>text</type>
-        <help><![CDATA[The host name sent in the SNI TLS extension to the server.]]></help>
+        <help><![CDATA[The host name sent in the SNI TLS extension to the server. When present it will be preferred over the SNI expression.]]></help>
+    </field>
+    <field>
+        <id>server.sslSNIExpr</id>
+        <label>SSL SNI Expression</label>
+        <type>text</type>
+        <help><![CDATA[A HAProxy <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html##sni">SNI expression</a> to specify the data that will be sent in the SNI TLS extension to the server, e.g. req.hdr(host). When a SNI name is present it will be used instead and this option will be ignored.]]></help>
     </field>
     <field>
         <id>server.sslVerify</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 9ed90cbb18..8c69d381fe 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1553,6 +1553,11 @@
                     <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
                     <Required>N</Required>
                 </sslSNI>
+                <sslSNIExpr type="TextField">
+                    <Mask>/^.{1,255}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 255 characters.</ValidationMessage>
+                    <Required>N</Required>
+                </sslSNIExpr>
                 <sslVerify type="BooleanField">
                     <Default>1</Default>
                     <Required>Y</Required>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 8837f00040..508484eb3b 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -2174,6 +2174,8 @@ backend {{backend.name}}
 {#                 # SNI #}
 {%                 if server_data.sslSNI|default('') != '' %}
 {%                   do server_options.append('sni str(' ~ server_data.sslSNI ~ ')') %}
+{%                 elif server_data.sslSNIExpr|default('') != '' %}
+{%                   do server_options.append('sni ~ server_data.sslSNIExpr) %}
 {%                 endif %}
 {#                 # HTTP/2 #}
 {%                 if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}

From 2738d4af6436b83ceb82c10051d8f6c63873b352 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 28 Jan 2026 15:01:31 +0100
Subject: [PATCH 2939/3088] net/haproxy: add column "mode" to servers overview,
 refs #4632

---
 net/haproxy/pkg-descr                                           | 1 +
 .../app/controllers/OPNsense/HAProxy/Api/SettingsController.php | 2 +-
 .../src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt      | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 691f992e20..10994bf4d3 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -26,6 +26,7 @@ Added:
 * add support for all stick-table data types
 * add support for GPC/GPT/SC to conditions (#1123, #5109)
 * add support for SSL SNI expression to servers (#3756)
+* add column "mode" to servers overview (#4632)
 
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
index 8724f3086f..b19a13df72 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/SettingsController.php
@@ -133,7 +133,7 @@ public function toggleServerAction($uuid, $enabled = null)
 
     public function searchServersAction()
     {
-        return $this->searchBase('servers.server', array('enabled', 'name', 'type', 'address', 'port', 'description'), 'name');
+        return $this->searchBase('servers.server', array('enabled', 'name', 'type', 'mode', 'address', 'port', 'description'), 'name');
     }
 
     public function getHealthcheckAction($uuid = null)
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 18c3c68a03..6402371b2e 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -861,6 +861,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 <th data-column-id="serverid" data-type="number"  data-visible="false">{{ lang._('Server ID') }}</th>
                 <th data-column-id="name" data-type="string">{{ lang._('Server Name') }}</th>
                 <th data-column-id="type" data-type="string">{{ lang._('Type') }}</th>
+                <th data-column-id="mode" data-type="string">{{ lang._('Mode') }}</th>
                 <th data-column-id="address" data-type="string">{{ lang._('Server Address') }}</th>
                 <th data-column-id="port" data-type="string">{{ lang._('Server Port') }}</th>
                 <th data-column-id="description" data-type="string">{{ lang._('Description') }}</th>

From be5be59d608665c03c2428aad3ac1ba5c36dd508 Mon Sep 17 00:00:00 2001
From: Jeroen Kool <jeroenkool74@gmail.com>
Date: Thu, 29 Jan 2026 22:24:03 +0100
Subject: [PATCH 2940/3088] security/acme-client:  make it possible to obtain a
 global access token from TransIP (#5166)

* security/acme-client: Add option for global token to TransIP

The TransIP dns api and the acme.sh api for TransIP support the possibility to create a global access token.
With a global access token, the api call to TransIP can be amde from every ip adress.
There is a new button in the client configuration for TransIP, and this will be added to the account configuration file, which is used by acme.sh
---
 .../OPNsense/AcmeClient/forms/dialogValidation.xml          | 6 ++++++
 .../library/OPNsense/AcmeClient/LeValidation/DnsTransip.php | 1 +
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml       | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index c952cbbfc5..d8c86d6e64 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -1385,6 +1385,12 @@
         <type>textbox</type>
         <help>Requires the whole key file in a format that is compatible with TransIP.</help>
     </field>
+    <field>
+        <id>validation.dns_transip_token_global_key</id>
+        <label>Global key</label>
+        <type>checkbox</type>
+        <help>When using a global key, IP whitelisting is disabled.</help>
+    </field>
     <field>
         <label>united-domains Reselling</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
index 4d9dc3b5f7..e87ff3db21 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
@@ -47,5 +47,6 @@ public function prepare()
         // Add env variables
         $this->acme_env['TRANSIP_Username'] = (string)$this->config->dns_transip_username;
         $this->acme_env['TRANSIP_Key_File'] = $secret_key_filename;
+        $this->acme_env['TRANSIP_Token_Global_Key'] = ((string)$this->config->dns_transip_token_global_key === '1') ? 'true' : 'false';
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 516fcd954c..4440f63c9b 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1133,6 +1133,10 @@
                 <dns_transip_key type="TextField">
                     <Required>N</Required>
                 </dns_transip_key>
+                <dns_transip_token_global_key type="BooleanField">
+                    <Required>N</Required>
+                    <Default>0</Default>
+                </dns_transip_token_global_key>
                 <dns_timeweb_token type="TextField">
                     <Required>N</Required>
                 </dns_timeweb_token>

From d18e09c78dda06e32104f93f1042e18bdd0a9ede Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 29 Jan 2026 21:58:53 +0100
Subject: [PATCH 2941/3088] security/acme-client: release 4.13

---
 security/acme-client/Makefile  | 2 +-
 security/acme-client/pkg-descr | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 22d30a042d..9f8906b31e 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.12
+PLUGIN_VERSION=		4.13
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 4402d75cea..a86ecbd96b 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,13 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.13
+
+Added:
+* add support for ACME profiles (#5154)
+* add support for deploy hook "Ruckus" (#5157)
+* add support for Spaceship.com DNS API (#5158)
+
 4.12
 
 Added:

From db0b943465382085d2a844f34a936eb5fffd50ef Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 29 Jan 2026 22:16:27 +0100
Subject: [PATCH 2942/3088] security/acme-client: remove duplicate slashes,
 refs #5166

---
 security/acme-client/pkg-descr                              | 3 +++
 .../OPNsense/AcmeClient/LeValidation/DnsNsupdate.php        | 2 +-
 .../library/OPNsense/AcmeClient/LeValidation/DnsTransip.php | 2 +-
 .../OPNsense/AcmeClient/LeValidation/HttpOpnsense.php       | 6 +++---
 .../OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php        | 6 +++---
 5 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index a86ecbd96b..299b909ee5 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -15,6 +15,9 @@ Added:
 * add support for deploy hook "Ruckus" (#5157)
 * add support for Spaceship.com DNS API (#5158)
 
+Fixed:
+* remove duplicate slashes in nsupdate, TransIP, OPNsense, TLS ALPN challenge types (#5166)
+
 4.12
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
index 9992767510..fba6d3662f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsNsupdate.php
@@ -40,7 +40,7 @@ class DnsNsupdate extends Base implements LeValidationInterface
     public function prepare()
     {
         $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_id);
-        $secret_key_filename = "{$configdir}/secret.key";
+        $secret_key_filename = "{$configdir}secret.key";
         $secret_key_data = (string)$this->config->dns_nsupdate_key . "\n";
         file_put_contents($secret_key_filename, $secret_key_data);
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
index e87ff3db21..b62043acfa 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsTransip.php
@@ -40,7 +40,7 @@ class DnsTransip extends Base implements LeValidationInterface
     public function prepare()
     {
         $configdir = (string)sprintf(self::ACME_CONFIG_DIR, $this->cert_id);
-        $secret_key_filename = "{$configdir}/secret.key";
+        $secret_key_filename = "{$configdir}secret.key";
         $secret_key_data = (string)$this->config->dns_transip_key . "\n";
         file_put_contents($secret_key_filename, $secret_key_data);
 
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
index 03ca5e97cd..bbb2cb5941 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
@@ -127,10 +127,10 @@ public function prepare()
         }
 
         // Create temporary port forward to allow acme challenges to get through
-        File::file_put_contents("{$configdir}/acme_anchor_setup", "rdr-anchor \"acme-client\"\n", 0600);
+        File::file_put_contents("{$configdir}acme_anchor_setup", "rdr-anchor \"acme-client\"\n", 0600);
         Shell::run_safe('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
-        File::file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
-        Shell::run_safe('/sbin/pfctl -a %s -f %s', ['acme-client', "{$configdir}/acme_anchor_rules"]);
+        File::file_put_contents("{$configdir}acme_anchor_rules", $anchor_rules, 0600);
+        Shell::run_safe('/sbin/pfctl -a %s -f %s', ['acme-client', "{$configdir}acme_anchor_rules"]);
     }
 
     public function cleanup()
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
index df5819600e..f662e90a2f 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
@@ -128,10 +128,10 @@ public function prepare()
         }
 
         // Create temporary port forward to allow acme challenges to get through
-        File::file_put_contents("{$configdir}/acme_anchor_setup", "rdr-anchor \"acme-client\"\n", 0600);
+        File::file_put_contents("{$configdir}acme_anchor_setup", "rdr-anchor \"acme-client\"\n", 0600);
         Shell::run_safe('/sbin/pfctl -f %s', ["{$configdir}/acme_anchor_setup"]);
-        File::file_put_contents("{$configdir}/acme_anchor_rules", $anchor_rules, 0600);
-        Shell::run_safe("/sbin/pfctl -a %s -f %s", ['acme-client', "{$configdir}/acme_anchor_rules"]);
+        File::file_put_contents("{$configdir}acme_anchor_rules", $anchor_rules, 0600);
+        Shell::run_safe("/sbin/pfctl -a %s -f %s", ['acme-client', "{$configdir}acme_anchor_rules"]);
     }
 
     public function cleanup()

From e0118195323c5693cdcb19a8e63d7cf8266b99fb Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 29 Jan 2026 22:27:47 +0100
Subject: [PATCH 2943/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 299b909ee5..9fbe37ce3b 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -14,6 +14,10 @@ Added:
 * add support for ACME profiles (#5154)
 * add support for deploy hook "Ruckus" (#5157)
 * add support for Spaceship.com DNS API (#5158)
+* add global access key option for TransIP DNS API (#5166)
+
+Changed:
+* allow setting renewal interval to 0 (#5168)
 
 Fixed:
 * remove duplicate slashes in nsupdate, TransIP, OPNsense, TLS ALPN challenge types (#5166)

From 590bd9211c83c42177f25ddade401fb76d33b08f Mon Sep 17 00:00:00 2001
From: mbedworth <michael.bedworth@me.com>
Date: Fri, 30 Jan 2026 01:44:12 -0500
Subject: [PATCH 2944/3088] security/wazuh-agent: fix syntax error in
 opnsense-fw active response (#5174)

Fix critical syntax error in opnsense-fw active response script that prevents IPs from being added to the __wazuh_agent_drop alias.

## Problem
The script contains invalid Python syntax - a variable assignment inside a dictionary literal:
```python
"parameters":{
   unique_key = "%s-%s" % (...)  # Invalid Python syntax
   "keys": [unique_key]
}
```

This causes the script to fail with a SyntaxError on all 'add' commands, meaning attacking IPs are never blocked.

## Changes
- Move unique_key assignment outside dictionary literal (fixes SyntaxError)
- Fix typo: 'even' -> 'event' in error message
- Add debug logging for easier troubleshooting

## Testing
- Verified syntax with `python3 -m py_compile`
- Tested active response add/delete operations on OPNsense 26.1
---
 .../src/opnsense/scripts/wazuh/opnsense-fw          | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
index 3eefe8154c..aff38306c6 100755
--- a/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
+++ b/security/wazuh-agent/src/opnsense/scripts/wazuh/opnsense-fw
@@ -101,7 +101,7 @@ def main(params):
     try:
         ipaddress.ip_address(srcip)
     except ValueError:
-        send_log('Unable to process even, invalid srcip (%s)' % srcip)
+        send_log('Unable to process event, invalid srcip (%s)' % srcip)
         return -1
 
     if skip_alias != '' and command == 'add':
@@ -113,16 +113,17 @@ def main(params):
     if command == 'add':
         # return rule id for timeout list
         try:
+            unique_key = "%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)
+            send_log('Sending check_keys for: %s' % unique_key)
             print(json.dumps({
                 "version": 1,
                 "origin": {
                     "name": sys.argv[0],
-                    "module":"active-response"
+                    "module": "active-response"
                 },
                 "command": "check_keys",
-                "parameters":{
-                   unique_key = "%s-%s" % (event['parameters']['alert']['rule']['id'], srcip)
-		   "keys": [unique_key]
+                "parameters": {
+                    "keys": [unique_key]
                 }
             }))
             sys.stdout.flush()
@@ -131,6 +132,7 @@ def main(params):
         # When attached to stdin we're likely running inside the agent, in which case we will read a second event which
         # may abort the first one.
         if params.input == '/dev/stdin':
+            send_log('Waiting for manager response...')
             timeout_event = None
             try:
                 timeout_event=json.loads(read_data(params.input))
@@ -138,6 +140,7 @@ def main(params):
                 pass
             if timeout_event:
                 send_log('Received : %s' % json.dumps(timeout_event))
+                send_log('Manager says: %s' % timeout_event.get('command'))
                 if timeout_event.get('command') == 'abort':
                     send_log('Aborted')
                     return 0

From 4773ff712e97ee30bb49731c5f564ca6866a45ca Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 30 Jan 2026 15:55:28 +0100
Subject: [PATCH 2945/3088] security/wazuh-agent: bump revision

---
 security/wazuh-agent/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/wazuh-agent/Makefile b/security/wazuh-agent/Makefile
index 990ce80eb7..52165d834c 100644
--- a/security/wazuh-agent/Makefile
+++ b/security/wazuh-agent/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		wazuh-agent
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Agent for the open source security platform Wazuh
 PLUGIN_DEPENDS=		wazuh-agent
 PLUGIN_MAINTAINER=	ad@opnsense.org

From c2c49fb1a17e00a2af37456c39d5e4470672da12 Mon Sep 17 00:00:00 2001
From: Kota Shiratsuka <kota@unchained.co.jp>
Date: Sat, 31 Jan 2026 03:54:11 +0900
Subject: [PATCH 2946/3088] FreeRADIUS: add TLS maximum version setting for EAP
 (#5175)

---
 .../OPNsense/Freeradius/forms/eap.xml         |  6 ++++++
 .../app/models/OPNsense/Freeradius/Eap.php    | 20 +++++++++++++++++++
 .../app/models/OPNsense/Freeradius/Eap.xml    | 13 +++++++++++-
 .../OPNsense/Freeradius/mods-enabled-eap      |  2 +-
 4 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index 1f9cc42dc5..dea3145153 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -58,4 +58,10 @@
         <type>dropdown</type>
         <help>Set minimum TLS version. Please be aware that every version below 1.2 is considered as insecure.</help>
     </field>
+    <field>
+        <id>eap.tls_max_version</id>
+        <label>TLS Maximum Version</label>
+        <type>dropdown</type>
+        <help>Set maximum TLS version. Use 1.2 to avoid TLS 1.3 for legacy clients.</help>
+    </field>
 </form>
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
index 7698b14bed..f135125c2c 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
@@ -3,6 +3,7 @@
 namespace OPNsense\Freeradius;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 
 /*
     Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
@@ -32,4 +33,23 @@
 
 class Eap extends BaseModel
 {
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+
+        if (
+            $validateFullModel ||
+            $this->tls_min_version->isFieldChanged() ||
+            $this->tls_max_version->isFieldChanged()
+        ) {
+            if ($this->tls_min_version->asFloat() > $this->tls_max_version->asFloat()) {
+                $messages->appendMessage(new Message(
+                    gettext('TLS minimum version must be less than or equal to TLS maximum version.'),
+                    $this->tls_max_version->getInternalXMLTagName()
+                ));
+            }
+        }
+
+        return $messages;
+    }
 }
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index fba2390009..7cda2110c3 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/eap</mount>
     <description>EAP configuration</description>
-    <version>1.9.17</version>
+    <version>1.9.18</version>
     <items>
         <default_eap_type type="OptionField">
             <Default>md5</Default>
@@ -65,5 +65,16 @@
                 <Option4 value="1.3">1.3</Option4>
             </OptionValues>
         </tls_min_version>
+        <tls_max_version type="OptionField">
+            <Default>1.3</Default>
+            <Required>Y</Required>
+            <Multiple>N</Multiple>
+            <OptionValues>
+                <Option1 value="1.0">1.0</Option1>
+                <Option2 value="1.1">1.1</Option2>
+                <Option3 value="1.2">1.2</Option3>
+                <Option4 value="1.3">1.3</Option4>
+            </OptionValues>
+        </tls_max_version>
     </items>
 </model>
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 652bebc8e9..e43e157087 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -456,7 +456,7 @@ eap {
                 #  The values must be in quotes.
                 #
                 tls_min_version = "{{ OPNsense.freeradius.eap.tls_min_version }}"
-                tls_max_version = "1.3"
+                tls_max_version = "{{ OPNsense.freeradius.eap.tls_max_version }}"
 
                 #  Elliptical cryptography configuration
                 #

From a999d59f57b5c13498f0bdbcac50fc748e35a3c8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 1 Feb 2026 22:47:50 +0100
Subject: [PATCH 2947/3088] net/haproxy: finishing touches and bugfixes

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/dialogBackend.xml  |  5 +--
 .../OPNsense/HAProxy/forms/dialogFrontend.xml |  2 +-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 19 ++++----
 .../OPNsense/HAProxy/Migrations/M5_0_0.php    |  4 --
 .../templates/OPNsense/HAProxy/haproxy.conf   | 44 +++++++++----------
 6 files changed, 36 insertions(+), 39 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 10994bf4d3..3679ae30d6 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -36,6 +36,7 @@ Changed:
 * stick-table "size" and "expiration time" are no longer advanced options (now always visible)
 * replace stick-table type "ip" with "ipv4" (#5147)
 * show the actual HAProxy option name in conditions for clarity
+* allow stick-table types "binary", "integer" and "string" in backends
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
index 1090f3a320..2f39423dff 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -235,15 +235,14 @@
         <help><![CDATA[Enable to automatically strip quotes from the cookie value. Some broken HTTP clients add quotes, which breaks persistence.]]></help>
     </field>
     <field>
-        <label>Stick-table persistence</label>
+        <label>Stick-table</label>
         <type>header</type>
     </field>
     <field>
         <id>backend.stickiness_pattern</id>
         <label>Table type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a request pattern to associate a user to a server. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#stick on">HAProxy documentation</a> for a full description.<br/><div class="text-info"><b>NOTE:</b> Consider not using this feature in multi-process mode, it can result in random behaviours.</div>]]></help>
-        <hint>Choose a persistence type.</hint>
+        <help><![CDATA[Choose the type of data that should be stored in this stick-table. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#11.1">HAProxy documentation</a> for further information.]]></help>
     </field>
     <field>
         <id>backend.stickiness_dataTypes</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index a84eb88b59..6698a6464d 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -343,7 +343,7 @@
         <advanced>true</advanced>
     </field>
     <field>
-        <label>Stickiness table</label>
+        <label>Stick-table</label>
         <type>header</type>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 8c69d381fe..ae86846ca5 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -747,11 +747,11 @@
                 <stickiness_pattern type="OptionField">
                     <Required>N</Required>
                     <OptionValues>
-                        <ipv4>only store IPv4 addresses [default]</ipv4>
-                        <ipv6>only store IPv6 addresses</ipv6>
-                        <integer>store 32bit integers</integer>
-                        <string>store substrings</string>
-                        <binary>store binary blocks</binary>
+                        <binary>Binary</binary>
+                        <integer>Integer</integer>
+                        <ipv4>IPv4 [default]</ipv4>
+                        <ipv6>IPv6</ipv6>
+                        <string>String</string>
                     </OptionValues>
                 </stickiness_pattern>
                 <stickiness_dataTypes type="OptionField">
@@ -1204,10 +1204,13 @@
                     <Required>N</Required>
                     <Default>sourceipv4</Default>
                     <OptionValues>
-                        <sourceipv4>Source-IP [default]</sourceipv4>
-                        <sourceipv6>Source-IPv6</sourceipv6>
-                        <cookievalue>Existing cookie value</cookievalue>
+                        <binary>Binary</binary>
+                        <cookievalue>Cookie value</cookievalue>
+                        <integer>Integer</integer>
                         <rdpcookie>RDP-Cookie</rdpcookie>
+                        <sourceipv4>Source-IPv4 [default]</sourceipv4>
+                        <sourceipv6>Source-IPv6</sourceipv6>
+                        <string>String</string>
                     </OptionValues>
                 </stickiness_pattern>
                 <stickiness_dataTypes type="OptionField">
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
index 3fd4fdcc6c..310aa79338 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
@@ -73,10 +73,6 @@ public function run($model)
                 case 'http-request_deny':
                     $action->type = 'http-request';
                     $action->http_request_action = 'deny';
-                    if (!empty($action->http_request_deny_status)) {
-                        $action->http_request_option = 'deny_status ' . (string)$action->http_request_deny_status;
-                        $action->http_request_deny_status = null;
-                    }
                     break;
                 case 'http-request_lua':
                     $action->type = 'http-request';
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 508484eb3b..e401a2926e 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1705,14 +1705,6 @@ frontend {{frontend.name}}
 {%             endif %}
 {%           endif %}
 {%         endif %}
-{#         # HTTP/2 with TLS enabled #}
-{%         if frontend.http2Enabled|default("") == '1' and frontend.advertised_protocols|default("") != "" %}
-{#           # To ensure proper handling of each HTTP protocol, these #}
-{#           # entries will be processed when parsing individual bind lines. #}
-{%         else %}
-{#           # disable ALPN to enforce the GUI settings #}
-{%           do ssl_options.append('no-alpn') %}
-{%         endif %}
 {#       # HTTP/2 without TLS #}
 {%       elif frontend.http2Enabled|default("") == '1' and frontend.http2Enabled_nontls|default("") == '1' %}
 {%         do adv_options.append('proto h2') %}
@@ -1747,21 +1739,27 @@ frontend {{frontend.name}}
 {%             set bind_address = bind %}
 {%             set bind_name = bind %}
 {%           endif %}
-{#           # handle incompatible alpn advertisements #}
-{%           if bind.startswith('quic4@') or bind.startswith('quic6@') %}
-{#             # strip incompatible advertisement for QUIC bind lines #}
-{%             set alpn_incompatible = ['h2', 'http11', 'http10'] %}
-{%             set alpn_filtered = frontend.advertised_protocols.split(',') | reject('in', alpn_incompatible) | join(',') %}
+{#           # Check if TLS ALPN support is enabled #}
+{%           if frontend.http2Enabled|default("") == '1' and frontend.advertised_protocols|default("") != "" %}
+{#             # handle incompatible alpn advertisements #}
+{%             if bind.startswith('quic4@') or bind.startswith('quic6@') %}
+{#               # strip incompatible advertisement for QUIC bind lines #}
+{%               set alpn_incompatible = ['h2', 'http11', 'http10'] %}
+{%               set alpn_filtered = frontend.advertised_protocols.split(',') | reject('in', alpn_incompatible) | join(',') %}
+{%             else %}
+{#               # strip incompatible advertisement for non-QUIC bind lines #}
+{%               set alpn_incompatible = ['h3'] %}
+{%               set alpn_filtered = frontend.advertised_protocols.split(',') | reject('in', alpn_incompatible) | join(',') %}
+{%             endif %}
+{#             # add alpn advertisements #}
+{%             if alpn_filtered|default("") != "" %}
+{#               # convert alpn protocols to HAProxy-compatible format #}
+{%               set alpn_conv = alpn_filtered|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
+{%               do alpn_options.append('alpn ' ~ alpn_conv) %}
+{%             endif %}
 {%           else %}
-{#             # strip incompatible advertisement for non-QUIC bind lines #}
-{%             set alpn_incompatible = ['h3'] %}
-{%             set alpn_filtered = frontend.advertised_protocols.split(',') | reject('in', alpn_incompatible) | join(',') %}
-{%           endif %}
-{#           # add alpn advertisements #}
-{%           if alpn_filtered|default("") != "" %}
-{#             # convert alpn protocols to HAProxy-compatible format #}
-{%             set alpn_conv = alpn_filtered|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
-{%             do alpn_options.append('alpn ' ~ alpn_conv) %}
+{#             # disable ALPN to enforce the GUI settings #}
+{%             do ssl_options.append('no-alpn') %}
 {%           endif %}
     bind {{bind_address}} name {{bind_name}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ alpn_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %}
 
@@ -2175,7 +2173,7 @@ backend {{backend.name}}
 {%                 if server_data.sslSNI|default('') != '' %}
 {%                   do server_options.append('sni str(' ~ server_data.sslSNI ~ ')') %}
 {%                 elif server_data.sslSNIExpr|default('') != '' %}
-{%                   do server_options.append('sni ~ server_data.sslSNIExpr) %}
+{%                   do server_options.append('sni ' ~ server_data.sslSNIExpr) %}
 {%                 endif %}
 {#                 # HTTP/2 #}
 {%                 if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}

From 6594d14d9ab030fc3178cdaf29b9068ffe0edc54 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 2 Feb 2026 18:25:18 +0100
Subject: [PATCH 2948/3088] net/haproxy: fix ssl certificates on maintenance
 page

---
 net/haproxy/pkg-descr                                         | 3 +++
 .../opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 3679ae30d6..70a3732780 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -28,6 +28,9 @@ Added:
 * add support for SSL SNI expression to servers (#3756)
 * add column "mode" to servers overview (#4632)
 
+Fixed:
+* Maintenance tab "SSL Certificates" not working with only one cert
+
 Changed:
 * upgrade to HAProxy 3.2 release series (#5147)
 * refactor http/tcp rules to make extensions easier
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
index 2f7d7a4eec..b805cb1c81 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/sslCerts.yaml
@@ -8,14 +8,14 @@
 {# ################## #}
 {%  macro getCA(refId) -%}
 {%    set result = '{}' %}
-{%    for data in helpers.getNodeByTag('ca') if data.refid == refId %}
+{%    for data in helpers.toList('ca') if data.refid == refId %}
 {{      data.crt -}}
 {%    else %}
 {{     "{}" }}
 {%    endfor %}
 {%- endmacro %}
 {%  macro getCert(refId, indent=4) -%}
-{%    for data in helpers.getNodeByTag('cert') if data.refid == refId %}
+{%    for data in helpers.toList('cert') if data.refid == refId %}
 {%      if data.caref %}
 {%        do data.update({'ca': getCA(data.caref)}) %}
 {%      else %}

From 0558c85bb529490e36a0ad3ee4079168d65b1240 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 2 Feb 2026 21:39:59 +0100
Subject: [PATCH 2949/3088] net/haproxy: add support for loading mapfiles in
 ACLs

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/dialogAcl.xml      |  6 ++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 15 +++++++++++++--
 .../templates/OPNsense/HAProxy/haproxy.conf   | 19 ++++++++++++-------
 4 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 70a3732780..319adfec96 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -27,6 +27,7 @@ Added:
 * add support for GPC/GPT/SC to conditions (#1123, #5109)
 * add support for SSL SNI expression to servers (#3756)
 * add column "mode" to servers overview (#4632)
+* add support for loading mapfiles in ACLs
 
 Fixed:
 * Maintenance tab "SSL Certificates" not working with only one cert
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index e2d3cc7fe7..6cd726c670 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -1077,4 +1077,10 @@
         <type>text</type>
         <help><![CDATA[Specifies the name of a stick-table that will be used for key lookups. This is usually the name of the backend/frontend where the stick-stable is configured. When nothing is specified, the stick-table of the current backend/frontend will be used.]]></help>
     </field>
+    <field>
+        <id>acl.mapfile</id>
+        <label>Mapfile</label>
+        <type>dropdown</type>
+        <help><![CDATA[Load patterns from a map file.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index ae86846ca5..d0faaf3e4b 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1867,9 +1867,10 @@
                         <sc_inc_gpc>sc_inc_gpc – Sticky counter: increment General Purpose Counter</sc_inc_gpc>
                         <sc_sess_cnt>sc_sess_cnt – Sticky counter: cumulative number of sessions</sc_sess_cnt>
                         <sc_sess_rate>sc_sess_rate – Sticky counter: session rate</sc_sess_rate>
+                        <src>src – Source IP matches specified IP</src>
                         <src_bytes_in_rate>src_bytes_in_rate – Source IP: incoming bytes rate</src_bytes_in_rate>
                         <src_bytes_out_rate>src_bytes_out_rate – Source IP: outgoing bytes rate</src_bytes_out_rate>
-                        <src_clr_gpc>Source IP: clear General Purpose Counter</src_clr_gpc>
+                        <src_clr_gpc>src_clr_gpc – Source IP: clear General Purpose Counter</src_clr_gpc>
                         <src_conn_cnt>src_conn_cnt – Source IP: cumulative number of connections</src_conn_cnt>
                         <src_conn_cur>src_conn_cur – Source IP: concurrent connections</src_conn_cur>
                         <src_conn_rate>src_conn_rate – Source IP: connection rate</src_conn_rate>
@@ -1891,7 +1892,6 @@
                         <src_port>src_port – Source IP: TCP source port</src_port>
                         <src_sess_cnt>src_sess_cnt – Source IP: cumulative number of sessions</src_sess_cnt>
                         <src_sess_rate>src_sess_rate – Source IP: session rate</src_sess_rate>
-                        <src>src – Source IP matches specified IP</src>
                         <ssl_c_ca_commonname>ssl_c_ca_commonname – SSL Client certificate issued by CA common-name</ssl_c_ca_commonname>
                         <ssl_c_verify_code>ssl_c_verify_code – SSL Client certificate verify error result</ssl_c_verify_code>
                         <ssl_c_verify>ssl_c_verify – SSL Client certificate is valid</ssl_c_verify>
@@ -2766,6 +2766,17 @@
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </table_name>
+                <mapfile type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>mapfiles.mapfile</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related mapfile item not found</ValidationMessage>
+                    <Required>N</Required>
+                </mapfile>
             </acl>
         </acls>
         <actions>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index e401a2926e..27e17a1376 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -279,13 +279,6 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
-{%             elif acl_data.expression == 'src' %}
-{%               if acl_data.src|default("") != "" %}
-{%                 do acl_options.append('src ' ~ acl_data.src) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
-{%               endif %}
 {%             elif acl_data.expression == 'sc_bytes_in_rate' %}
 {%               if acl_data.sc_number|default("") != "" and acl_data.sc_bytes_in_rate|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -526,6 +519,12 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'src' %}
+{%               do acl_options.append('src') %}
+{#               # optional source IP #}
+{%               if acl_data.src|default("") != "" %}
+{%                 do acl_options.append(acl_data.src) %}
+{%               endif %}
 {%             elif acl_data.expression == 'src_bytes_in_rate' %}
 {%               do acl_options.append('src_bytes_in_rate ' ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %}
 {%             elif acl_data.expression == 'src_bytes_out_rate' %}
@@ -774,6 +773,12 @@
 {%               set acl_enabled = '0' %}
     # ERROR: unsupported expression in condition
 {%             endif %}
+{#             # load ACL pattern from mapfile #}
+{%             if acl_data.mapfile|default("") != "" %}
+{%               set mapfile_data = helpers.getUUID(acl_data.mapfile) %}
+{%               set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
+{%               do acl_options.append('-f ' ~ mapfile_path) %}
+{%             endif %}
 {%           endif %}
 {#           # check if ACL is valid #}
 {%           if acl_enabled == '1' %}

From 291b41bf229856e878c538e636cd463274b064b6 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 2 Feb 2026 23:10:43 +0100
Subject: [PATCH 2950/3088] net/haproxy: improve mapfile handling

---
 net/haproxy/pkg-descr                         |  5 ++-
 .../OPNsense/HAProxy/forms/dialogAction.xml   | 23 +++++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 38 ++++++++++++++++++-
 .../templates/OPNsense/HAProxy/haproxy.conf   | 27 +++++++++++--
 4 files changed, 85 insertions(+), 8 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 319adfec96..8b3c176454 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -18,7 +18,7 @@ Added:
 * add new condition: HTTP method
 * support custom HTTP status code in "http-request deny" rules
 * add new backend option to control PROXY protocol for health checks (#2909)
-* add support for new map file type: reg (#3641)
+* add support for new map file types: beg,end,int,ip,reg,str (#3641)
 * add support for more sample fetches: quic_enabled, stopping, wait_end (#3702)
 * add support for HTTP compression (#4867)
 * add all action keywords for http-request/-response and tcp-request/-response rules
@@ -27,7 +27,7 @@ Added:
 * add support for GPC/GPT/SC to conditions (#1123, #5109)
 * add support for SSL SNI expression to servers (#3756)
 * add column "mode" to servers overview (#4632)
-* add support for loading mapfiles in ACLs
+* add support for loading mapfiles in conditions
 
 Fixed:
 * Maintenance tab "SSL Certificates" not working with only one cert
@@ -41,6 +41,7 @@ Changed:
 * replace stick-table type "ip" with "ipv4" (#5147)
 * show the actual HAProxy option name in conditions for clarity
 * allow stick-table types "binary", "integer" and "string" in backends
+* make mapfiles more useful in rules
 
 4.6
 
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index e24b1e5421..db2b07e9c1 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -114,6 +114,29 @@
         <type>dropdown</type>
         <help><![CDATA[HAProxy will use this backend pool if no match is found in the map file.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_map_data_use_backend</style>
+    </field>
+    <field>
+        <id>action.map_data_use_backend_file</id>
+        <label>Map file</label>
+        <type>dropdown</type>
+        <help><![CDATA[HAProxy will extract the Host header from the HTTP request and search the map file for a match. If a match is found, the backend pool from the map file will be used.]]></help>
+    </field>
+    <field>
+        <id>action.map_data_use_backend_input</id>
+        <label>Input Sample</label>
+        <type>textbox</type>
+        <help><![CDATA[The sample expression (e.g., path, req.ssl_sni, hdr(Host), str(active)) whose fetched value is used as the lookup key for the map file.]]></help>
+    </field>
+    <field>
+        <id>action.map_data_use_backend_default</id>
+        <label>Default backend pool</label>
+        <type>dropdown</type>
+        <help><![CDATA[HAProxy will use this backend pool if no match is found in the map file.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index d0faaf3e4b..fd79203c98 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2832,6 +2832,7 @@
                         <http-after-response>http-after-response</http-after-response>
                         <http-request>http-request</http-request>
                         <http-response>http-response</http-response>
+                        <map_data_use_backend>Map data to backend pools using a map file</map_data_use_backend>
                         <map_use_backend>Map domains to backend pools using a map file</map_use_backend>
                         <monitor_fail>monitor fail: report failure to a monitor request</monitor_fail>
                         <tcp-request>tcp-request</tcp-request>
@@ -3366,6 +3367,34 @@
                     <Required>N</Required>
                 </tcp_response_inspect_delay>
                 <!-- /END/ TODO obsolete options, required for migration to model 4.2.0 -->
+                <map_data_use_backend_file type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>mapfiles.mapfile</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related map file item not found</ValidationMessage>
+                    <Multiple>N</Multiple>
+                    <Required>N</Required>
+                </map_data_use_backend_file>
+                <map_data_use_backend_default type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>backends.backend</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related backend pool item not found</ValidationMessage>
+                    <Multiple>N</Multiple>
+                    <Required>N</Required>
+                </map_data_use_backend_default>
+                <map_data_use_backend_input type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </map_data_use_backend_input>
                 <map_use_backend_file type="ModelRelationField">
                     <Model>
                         <template>
@@ -3616,8 +3645,13 @@
                     <Required>Y</Required>
                     <Default>dom</Default>
                     <OptionValues>
-                        <dom>Domains (dom)</dom>
-                        <reg>Regular Expressions (reg)</reg>
+                        <beg>beg – key begins with requested value</beg>
+                        <dom>dom – Domains</dom>
+                        <end>end – key ends with requested value</end>
+                        <int>int – Integers</int>
+                        <ip>ip – IPs</ip>
+                        <reg>reg – Regular Expressions</reg>
+                        <str>str – Strings</str>
                     </OptionValues>
                 </type>
                 <content type="TextField">
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 27e17a1376..dd3a57344b 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -819,11 +819,11 @@
 {%             set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
 {#             # Determine map type #}
 {%             set mapfile_type = mapfile_data.type %}
-{%             if mapfile_data.type|default("") == "reg" %}
-{%               set mapfile_config = 'map_' ~ mapfile_type %}
-{%             else %}
-{#               # Default to map_dom #}
+{%             if mapfile_data.type|default("") == "dom" %}
+{#               # retain the original behaviour for map_dom #}
 {%               set mapfile_config = 'lower,map_dom' %}
+{%             else %}
+{%               set mapfile_config = 'map_' ~ mapfile_type %}
 {%             endif %}
 {#             # Check if a default backend is specified #}
 {%             if action_data.map_use_backend_default|default("") != "" %}
@@ -838,6 +838,25 @@
 {%             set action_enabled = '0' %}
 {%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
+{%         elif action_data.type == 'map_data_use_backend' %}
+{%           if action_data.map_data_use_backend_file|default("") != "" and action_data.map_data_use_backend_input|default("") != "" %}
+{#             # Get the mapfile data #}
+{%             set mapfile_data = helpers.getUUID(action_data.map_data_use_backend_file) %}
+{%             set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
+{%             set mapfile_config = 'map_' ~ mapfile_data.type %}
+{#             # Check if a default backend is specified #}
+{%             if action_data.map_data_use_backend_default|default("") != "" %}
+{%               set defaultbackend_data = helpers.getUUID(action_data.map_data_use_backend_default) %}
+{%               set defaultbackend_option = ',' ~ defaultbackend_data.name %}
+{%             else %}
+{%               set defaultbackend_option = '' %}
+{%             endif %}
+{#             # Finally add map file to config #}
+{%             do action_options.append('use_backend %[' ~ action_data.map_data_use_backend_input ~ ',' ~ mapfile_config ~ '(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
+{%           else %}
+{%             set action_enabled = '0' %}
+{%             do global_action_options.append('# ERROR: missing parameters') %}
+{%           endif %}
 {%         elif action_data.type == 'fcgi_pass_header' %}
 {%           if action_data.fcgi_pass_header|default('') != '' %}
 {%             do action_options.append('pass-header ' ~ action_data.fcgi_pass_header) %}

From 1278de17db21868fae0559708e51f120f6840c3c Mon Sep 17 00:00:00 2001
From: Maurice Walker <maurice@walker.earth>
Date: Tue, 3 Feb 2026 07:36:37 +0100
Subject: [PATCH 2951/3088] net/tayga: enable forwarding of UDP packets with
 zero checksum (#5183)

---
 net/tayga/Makefile                                            | 2 +-
 net/tayga/pkg-descr                                           | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Tayga/tayga.conf  | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index 9b9a62daf1..e6f3f582b4 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tayga
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/tayga/pkg-descr b/net/tayga/pkg-descr
index 2a97f216ff..1e354df0b0 100644
--- a/net/tayga/pkg-descr
+++ b/net/tayga/pkg-descr
@@ -7,6 +7,10 @@ networks where dedicated NAT64 hardware would be overkill.
 Plugin Changelog
 ================
 
+1.4
+
+* Enable forwarding of UDP packets with zero checksum (contributed by Maurice Walker)
+
 1.3
 
 * Static mapping support (contributed by Matthias Valvekens)
diff --git a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
index 853353f95a..6441f1f9c7 100644
--- a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
+++ b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
@@ -2,6 +2,7 @@
 
 tun-device nat64
 data-dir /var/db/tayga
+udp-cksum-mode fwd
 
 ipv4-addr {{ OPNsense.tayga.general.v4address }}
 {% if helpers.exists('OPNsense.tayga.general.v6address') and OPNsense.tayga.general.v6address != '' %}

From f216f3d458632685f7c57f969504b7c982506561 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Feb 2026 15:24:14 +0100
Subject: [PATCH 2952/3088] LICENSE: sync

---
 LICENSE | 1 +
 1 file changed, 1 insertion(+)

diff --git a/LICENSE b/LICENSE
index 78db51e708..04c70bf2e2 100644
--- a/LICENSE
+++ b/LICENSE
@@ -9,6 +9,7 @@ Copyright (c) 2024 AnShen <root@lshell.com>
 Copyright (c) 2025 Anton Avramov
 Copyright (c) 2025 Arcan Consulting
 Copyright (c) 2021 Axelrtgs
+Copyright (c) 2026 Benno Kutschenreuter
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
 Copyright (c) 2023-2025 Cedrik Pischem

From 93c198903688d9eceeb2599504134d88fac14ad0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Feb 2026 15:26:38 +0100
Subject: [PATCH 2953/3088] dns/ddclient: wrap up version

---
 dns/ddclient/Makefile  | 3 +--
 dns/ddclient/pkg-descr | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 469f49c666..ce25fefbcc 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		ddclient
-PLUGIN_VERSION=		1.29
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.30
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 7ead5a14f1..50f29b10df 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -6,6 +6,10 @@ accounts on many dynamic DNS services.
 Plugin Changelog
 ================
 
+1.30
+
+* Add native backend support for Hostinger (contributed by Leandro Scardua)
+
 1.29
 
 * Add native backend support for Hetzner DNS (contributed by Michael J. Arcan)

From 0fe62ae500c83d2bc970023551ab4a2e30738f26 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Feb 2026 15:30:08 +0100
Subject: [PATCH 2954/3088] net/freeradius: wrap up version

---
 net/freeradius/Makefile                                  | 2 +-
 net/freeradius/pkg-descr                                 | 9 +++++----
 .../opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml  | 2 +-
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/net/freeradius/Makefile b/net/freeradius/Makefile
index 1275fb1000..b7ad31404b 100644
--- a/net/freeradius/Makefile
+++ b/net/freeradius/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		freeradius
-PLUGIN_VERSION=		1.10
+PLUGIN_VERSION=		1.10.1
 PLUGIN_COMMENT=		RADIUS Authentication, Authorization and Accounting Server
 PLUGIN_DEPENDS=		freeradius3
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/freeradius/pkg-descr b/net/freeradius/pkg-descr
index 8d4ee41c88..c63bd9f1c7 100644
--- a/net/freeradius/pkg-descr
+++ b/net/freeradius/pkg-descr
@@ -2,16 +2,17 @@ FreeRADIUS includes a RADIUS server, a BSD licensed client library, a
 PAM library, and an Apache module. In most cases, the word FreeRADIUS
 refers to the RADIUS server.
 
-FreeRADIUS is the most widely deployed RADIUS server in the world. It
-is the basis for multiple commercial offerings. It supplies the AAA
-needs of many Fortune-500 companies and Tier 1 ISPs.
-
 It is also widely used for Enterprise Wi-Fi and IEEE 802.1X network
 security, particularly in the academic community, including eduroam.
 
+
 Plugin Changelog
 ================
 
+1.10.1
+
+* Add TLS maximum version setting for EAP (contributed by Kota Shiratsuka)
+
 1.10
 
 * Change max TLS version to 1.3 and allow min TLS version 1.3 (contributed by Joerg Werner)
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index 7cda2110c3..e362a12d4e 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/freeradius/eap</mount>
     <description>EAP configuration</description>
-    <version>1.9.18</version>
+    <version>1.10.0</version>
     <items>
         <default_eap_type type="OptionField">
             <Default>md5</Default>

From d90ef9bc1b054e5e129431b4dd7507216027f3f4 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 3 Feb 2026 16:03:30 +0100
Subject: [PATCH 2955/3088] net/haproxy: add support for GPC/GPT/SC to rules

---
 net/haproxy/pkg-descr                         |   2 +-
 .../OPNsense/HAProxy/forms/dialogAcl.xml      |   6 +-
 .../OPNsense/HAProxy/forms/dialogAction.xml   |  22 ++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  61 ++---
 .../templates/OPNsense/HAProxy/haproxy.conf   | 217 +++++++++++-------
 5 files changed, 178 insertions(+), 130 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 8b3c176454..c0396f6dc4 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -24,7 +24,7 @@ Added:
 * add all action keywords for http-request/-response and tcp-request/-response rules
 * add "enabled" field to rules
 * add support for all stick-table data types
-* add support for GPC/GPT/SC to conditions (#1123, #5109)
+* add support for GPC/GPT/SC to conditions and rules (#1123, #5109)
 * add support for SSL SNI expression to servers (#3756)
 * add column "mode" to servers overview (#4632)
 * add support for loading mapfiles in conditions
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 6cd726c670..514b772179 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -1057,19 +1057,19 @@
         <id>acl.gpc_number</id>
         <label>GPC number</label>
         <type>text</type>
-        <help><![CDATA[Refers to the number of the General Purpose Counter, e.g. 0 or 1 when using gpc0 or gpc1 respectively. This value will be ignored in rules that do not support GPC.]]></help>
+        <help><![CDATA[Refers to the number of the General Purpose Counter, e.g. 0 or 1 when using gpc0 or gpc1 respectively. This value will be ignored in conditions that do not support GPC.]]></help>
     </field>
     <field>
         <id>acl.gpt_number</id>
         <label>GPT number</label>
         <type>text</type>
-        <help><![CDATA[Refers to the number of the General Purpose Tag, e.g. 0 or 1 when using gpt0 or gpt1 respectively. This value will be ignored in rules that do not support GPT.]]></help>
+        <help><![CDATA[Refers to the number of the General Purpose Tag, e.g. 0 or 1 when using gpt0 or gpt1 respectively. This value will be ignored in conditions that do not support GPT.]]></help>
     </field>
     <field>
         <id>acl.sc_number</id>
         <label>SC number</label>
         <type>text</type>
-        <help><![CDATA[Refers to the number of the Stick Counter, e.g. 0 or 1 when using sc0 or sc1 respectively. This value will be ignored in rules that do not support SC.]]></help>
+        <help><![CDATA[Refers to the number of the Stick Counter, e.g. 0 or 1 when using sc0 or sc1 respectively. This value will be ignored in conditions that do not support SC.]]></help>
     </field>
     <field>
         <id>acl.table_name</id>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index db2b07e9c1..5b39bf1feb 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -303,4 +303,26 @@
         <type>text</type>
         <help><![CDATA[Some actions require additional parameters and specific syntax. Examples and explanations can be found in the <a href="http://docs.haproxy.org/3.2/configuration.html#tcp-response">HAProxy's documentation</a>.]]></help>
     </field>
+    <field>
+        <label>Conditional Parameters</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>action.gpc_number</id>
+        <label>GPC number</label>
+        <type>text</type>
+        <help><![CDATA[Refers to the number of the General Purpose Counter, e.g. 0 or 1 when using gpc0 or gpc1 respectively. This value will be ignored in rules that do not support GPC.]]></help>
+    </field>
+    <field>
+        <id>action.gpt_number</id>
+        <label>GPT number</label>
+        <type>text</type>
+        <help><![CDATA[Refers to the number of the General Purpose Tag, e.g. 0 or 1 when using gpt0 or gpt1 respectively. This value will be ignored in rules that do not support GPT.]]></help>
+    </field>
+    <field>
+        <id>action.sc_number</id>
+        <label>SC number</label>
+        <type>text</type>
+        <help><![CDATA[Refers to the number of the Stick Counter, e.g. 0 or 1 when using sc0 or sc1 respectively. This value will be ignored in rules that do not support SC.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index fd79203c98..f13fea00ae 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2840,45 +2840,6 @@
                         <use_backend>Use specified Backend Pool</use_backend>
                         <use_server>Override server in Backend Pool</use_server>
                         <custom>Custom rule (option pass-through)</custom>
-                        <!-- XXX obsolete fields, should be removed
-                        <http-request_allow>http-request allow</http-request_allow>
-                        <http-request_deny>http-request deny</http-request_deny>
-                        <http-request_tarpit>http-request tarpit</http-request_tarpit>
-                        <http-request_auth>http-request auth</http-request_auth>
-                        <http-request_redirect>http-request redirect</http-request_redirect>
-                        <http-request_lua>http-request lua action</http-request_lua>
-                        <http-request_use-service>http-request lua service</http-request_use-service>
-                        <http-request_add-header>http-request header add</http-request_add-header>
-                        <http-request_set-header>http-request header set</http-request_set-header>
-                        <http-request_del-header>http-request header delete</http-request_del-header>
-                        <http-request_replace-header>http-request header replace</http-request_replace-header>
-                        <http-request_replace-value>http-request header replace value</http-request_replace-value>
-                        <http-request_set-path>http-request set-path</http-request_set-path>
-                        <http-request_set-var>http-request set-var</http-request_set-var>
-                        <http-request_silent-drop>http-request silent-drop</http-request_silent-drop>
-                        <http-response_allow>http-response allow</http-response_allow>
-                        <http-response_deny>http-response deny</http-response_deny>
-                        <http-response_lua>http-response lua script</http-response_lua>
-                        <http-response_add-header>http-response header add</http-response_add-header>
-                        <http-response_set-header>http-response header set</http-response_set-header>
-                        <http-response_del-header>http-response header delete</http-response_del-header>
-                        <http-response_replace-header>http-response header replace</http-response_replace-header>
-                        <http-response_replace-value>http-response header replace value</http-response_replace-value>
-                        <http-response_set-status>http-response set-status</http-response_set-status>
-                        <http-response_set-var>http-response set-var</http-response_set-var>
-                        <tcp-request_connection_accept>tcp-request connection accept</tcp-request_connection_accept>
-                        <tcp-request_connection_reject>tcp-request connection reject</tcp-request_connection_reject>
-                        <tcp-request_content_accept>tcp-request content accept</tcp-request_content_accept>
-                        <tcp-request_content_reject>tcp-request content reject</tcp-request_content_reject>
-                        <tcp-request_content_lua>tcp-request content lua script</tcp-request_content_lua>
-                        <tcp-request_content_use-service>tcp-request content use-service</tcp-request_content_use-service>
-                        <tcp-request_inspect-delay>tcp-request inspect-delay</tcp-request_inspect-delay>
-                        <tcp-response_content_accept>tcp-response content accept</tcp-response_content_accept>
-                        <tcp-response_content_close>tcp-response content close</tcp-response_content_close>
-                        <tcp-response_content_reject>tcp-response content reject</tcp-response_content_reject>
-                        <tcp-response_content_lua>tcp-response content lua script</tcp-response_content_lua>
-                        <tcp-response_inspect-delay>tcp-response inspect-delay</tcp-response_inspect-delay>
-                        -->
                     </OptionValues>
                 </type>
                 <use_backend type="ModelRelationField">
@@ -3195,7 +3156,7 @@
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </tcp_response_option>
-                <!-- /START/ TODO obsolete options, required for migration to model 4.2.0 -->
+                <!-- /START/ TODO obsolete options, required for migration to model 5.0.0 -->
                 <http_request_auth type="TextField">
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
@@ -3366,7 +3327,7 @@
                     <Mask>/^.{1,32}$/u</Mask>
                     <Required>N</Required>
                 </tcp_response_inspect_delay>
-                <!-- /END/ TODO obsolete options, required for migration to model 4.2.0 -->
+                <!-- /END/ TODO obsolete options, required for migration to model 5.0.0 -->
                 <map_data_use_backend_file type="ModelRelationField">
                     <Model>
                         <template>
@@ -3478,6 +3439,24 @@
                         <both>Compress both</both>
                     </OptionValues>
                 </compression_direction>
+                <gpc_number type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>100</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </gpc_number>
+                <gpt_number type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>100</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </gpt_number>
+                <sc_number type="IntegerField">
+                    <MinimumValue>0</MinimumValue>
+                    <MaximumValue>100</MaximumValue>
+                    <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
+                    <Required>N</Required>
+                </sc_number>
             </action>
         </actions>
         <luas>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index dd3a57344b..e0219c90c8 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -38,6 +38,45 @@
 {%   endif %}
 {%- endmacro -%}
 
+{#- Macro expects an action item and checks for conditional args. #}
+{%- macro ActionConditionalArgs(action_data,action_name) -%}
+{%   if action_data is defined and action_name is defined %}
+{# action_data | pprint #}
+{#     # Check if the action keyword may need conditional parameters. #}
+{#     # Order is important: Usually the first value needs to be the #}
+{#     # GPC/GPT number, followed by the SC number, e.g. sc-inc-gpc(<idx>,<sc-id>). #}
+{%     set action_keyword_args = '' %}
+{%     if 'sc-' in action_name or '-sc' in action_name %}
+{%       set action_keyword_tmp = [] %}
+{#       # Check if the GPC number should be added. #}
+{%       if 'gpc0' in action_name or 'gpc1' in action_name %}
+{#         # Legacy syntax. #}
+{%       elif 'gpc' in action_name and action_data.gpc_number|default('') != '' %}
+{%         do action_keyword_tmp.append(action_data.gpc_number) %}
+{%       endif %}
+{#       # Check if the GPT number should be added. #}
+{%       if 'gpt0' in action_name or 'gpt1' in action_name %}
+{#         # Legacy syntax. #}
+{%       elif 'gpt' in action_name and action_data.gpt_number|default('') != '' %}
+{%         do action_keyword_tmp.append(action_data.gpt_number) %}
+{%       endif %}
+{#       # Check if the SC number should be added. #}
+{%       if 'sc0' in action_name or 'sc1' in action_name %}
+{#         # Legacy syntax. #}
+{%       elif action_data.sc_number|default('') != '' %}
+{%         do action_keyword_tmp.append(action_data.sc_number) %}
+{%       endif %}
+{#       # If parameters were found, add them to the config. #}
+{%       if action_keyword_tmp|length > 0 %}
+{%         set action_keyword_args = '(' ~ action_keyword_tmp|join(',') ~ ')' %}
+{%       endif %}
+{%     endif %}
+{{ action_keyword_args }}
+{%   else %}
+# ERROR: ActionConditionalArgs called with empty data
+{%   endif %}
+{%- endmacro -%}
+
 {# Macro expects a CSV list of Actions and validates them. #}
 {%- macro AclsAndActions(linkedData) -%}
 {%   if linkedData is defined %}
@@ -796,63 +835,39 @@
 {%         set action_enabled = '1' %}
 {%         set action_multiline = '0' %}
 {%         set action_options = [] %}
-{%         if action_data.type == 'use_backend' %}
-{%           if action_data.use_backend|default("") != "" %}
-{%             set acl_backend_data = helpers.getUUID(action_data.use_backend) %}
-{%             do action_options.append('use_backend ' ~ acl_backend_data.name) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-{%             do global_action_options.append('# ERROR: missing parameters') %}
-{%           endif %}
-{%         elif action_data.type == 'use_server' %}
-{%           if action_data.use_server|default("") != "" %}
-{%             set server_data = helpers.getUUID(action_data.use_server) %}
-{%             do action_options.append('use-server ' ~ server_data.name) %}
-{%           else %}
-{%             set action_enabled = '0' %}
-{%             do global_action_options.append('# ERROR: missing parameters') %}
-{%           endif %}
-{%         elif action_data.type == 'map_use_backend' %}
-{#           # First get the map file path #}
-{%           if action_data.map_use_backend_file|default("") != "" %}
-{%             set mapfile_data = helpers.getUUID(action_data.map_use_backend_file) %}
-{%             set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
-{#             # Determine map type #}
-{%             set mapfile_type = mapfile_data.type %}
-{%             if mapfile_data.type|default("") == "dom" %}
-{#               # retain the original behaviour for map_dom #}
-{%               set mapfile_config = 'lower,map_dom' %}
-{%             else %}
-{%               set mapfile_config = 'map_' ~ mapfile_type %}
+{%         if action_data.type == 'compression' %}
+{%           set action_multiline = '1' %}
+{%           if action_data.compression_mime_resp|default("") != "" or action_data.compression_mime_req|default("") != "" %}
+{%             do action_options.append('filter compression') %}
+{%             do action_options.append('compression direction ' ~ action_data.compression_direction) %}
+{%             if action_data.compression_direction|default("") == "response" or action_data.compression_direction|default("") == "both" %}
+{%               do action_options.append('compression algo-res ' ~ action_data.compression_algo_res) %}
+{%               if action_data.compression_mime_res|default("") != "" %}
+{%                 do action_options.append('compression type-res ' ~ action_data.compression_mime_res|replace(",", " ")) %}
+{%               endif %}
+{%               if action_data.compression_minsize_res|default("") != "0" %}
+{%                 do action_options.append('compression minsize-res ' ~ action_data.compression_minsize_res) %}
+{%               endif %}
 {%             endif %}
-{#             # Check if a default backend is specified #}
-{%             if action_data.map_use_backend_default|default("") != "" %}
-{%               set defaultbackend_data = helpers.getUUID(action_data.map_use_backend_default) %}
-{%               set defaultbackend_option = ',' ~ defaultbackend_data.name %}
-{%             else %}
-{%               set defaultbackend_option = '' %}
+{%             if action_data.compression_direction|default("") == "request" or action_data.compression_direction|default("") == "both" %}
+{%               do action_options.append('compression algo-req ' ~ action_data.compression_algo_req) %}
+{%               if action_data.compression_mime_req|default("") != "" %}
+{%                 do action_options.append('compression type-req ' ~ action_data.compression_mime_req|replace(",", " ")) %}
+{%               endif %}
+{%               if action_data.compression_minsize_req|default("") != "0" %}
+{%                 do action_options.append('compression minsize-req ' ~ action_data.compression_minsize_req) %}
+{%               endif %}
+{%             endif %}
+{%             if action_data.compression_offloading|default("") == "1" %}
+{%               do action_options.append('compression offload') %}
 {%             endif %}
-{#             # Finally add map file to config #}
-{%             do action_options.append('use_backend %[req.hdr(host),' ~ mapfile_config ~ '(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
 {%           else %}
 {%             set action_enabled = '0' %}
 {%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
-{%         elif action_data.type == 'map_data_use_backend' %}
-{%           if action_data.map_data_use_backend_file|default("") != "" and action_data.map_data_use_backend_input|default("") != "" %}
-{#             # Get the mapfile data #}
-{%             set mapfile_data = helpers.getUUID(action_data.map_data_use_backend_file) %}
-{%             set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
-{%             set mapfile_config = 'map_' ~ mapfile_data.type %}
-{#             # Check if a default backend is specified #}
-{%             if action_data.map_data_use_backend_default|default("") != "" %}
-{%               set defaultbackend_data = helpers.getUUID(action_data.map_data_use_backend_default) %}
-{%               set defaultbackend_option = ',' ~ defaultbackend_data.name %}
-{%             else %}
-{%               set defaultbackend_option = '' %}
-{%             endif %}
-{#             # Finally add map file to config #}
-{%             do action_options.append('use_backend %[' ~ action_data.map_data_use_backend_input ~ ',' ~ mapfile_config ~ '(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
+{%         elif action_data.type == 'custom' %}
+{%           if action_data.custom|default("") != "" %}
+{%             do action_options.append(action_data.custom) %}
 {%           else %}
 {%             set action_enabled = '0' %}
 {%             do global_action_options.append('# ERROR: missing parameters') %}
@@ -891,7 +906,9 @@
 {%             elif action_data.http_request_action == 'use-service' %}
 {%               set action_keyword_data = 'use-service lua.' ~ action_data.http_request_option %}
 {%             else %}
-{%               set action_keyword_data = action_data.http_request_action %}
+{#               # Setup conditional parameters. #}
+{%               set action_keyword_args = ActionConditionalArgs(action_data,action_data.http_request_action) | trim %}
+{%               set action_keyword_data = action_data.http_request_action ~ action_keyword_args %}
 {%               if action_data.http_request_option|default('') != '' %}
 {%                 set action_keyword_data = action_keyword_data ~ ' ' ~ action_data.http_request_option %}
 {%               endif %}
@@ -909,7 +926,9 @@
 {%             elif action_data.http_response_action == 'set-var' %}
 {%               set action_keyword_data = 'set-var' ~ action_data.http_response_option %}
 {%             else %}
-{%               set action_keyword_data = action_data.http_response_action %}
+{#               # Setup conditional parameters. #}
+{%               set action_keyword_args = ActionConditionalArgs(action_data,action_data.http_response_action) | trim %}
+{%               set action_keyword_data = action_data.http_response_action ~ action_keyword_args %}
 {%               if action_data.http_response_option|default('') != '' %}
 {%                 set action_keyword_data = action_keyword_data ~ ' ' ~ action_data.http_response_option %}
 {%               endif %}
@@ -919,6 +938,51 @@
 {%             set action_enabled = '0' %}
 {%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
+{%         elif action_data.type == 'map_data_use_backend' %}
+{%           if action_data.map_data_use_backend_file|default("") != "" and action_data.map_data_use_backend_input|default("") != "" %}
+{#             # Get the mapfile data #}
+{%             set mapfile_data = helpers.getUUID(action_data.map_data_use_backend_file) %}
+{%             set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
+{%             set mapfile_config = 'map_' ~ mapfile_data.type %}
+{#             # Check if a default backend is specified #}
+{%             if action_data.map_data_use_backend_default|default("") != "" %}
+{%               set defaultbackend_data = helpers.getUUID(action_data.map_data_use_backend_default) %}
+{%               set defaultbackend_option = ',' ~ defaultbackend_data.name %}
+{%             else %}
+{%               set defaultbackend_option = '' %}
+{%             endif %}
+{#             # Finally add map file to config #}
+{%             do action_options.append('use_backend %[' ~ action_data.map_data_use_backend_input ~ ',' ~ mapfile_config ~ '(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
+{%           else %}
+{%             set action_enabled = '0' %}
+{%             do global_action_options.append('# ERROR: missing parameters') %}
+{%           endif %}
+{%         elif action_data.type == 'map_use_backend' %}
+{#           # First get the map file path #}
+{%           if action_data.map_use_backend_file|default("") != "" %}
+{%             set mapfile_data = helpers.getUUID(action_data.map_use_backend_file) %}
+{%             set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
+{#             # Determine map type #}
+{%             set mapfile_type = mapfile_data.type %}
+{%             if mapfile_data.type|default("") == "dom" %}
+{#               # retain the original behaviour for map_dom #}
+{%               set mapfile_config = 'lower,map_dom' %}
+{%             else %}
+{%               set mapfile_config = 'map_' ~ mapfile_type %}
+{%             endif %}
+{#             # Check if a default backend is specified #}
+{%             if action_data.map_use_backend_default|default("") != "" %}
+{%               set defaultbackend_data = helpers.getUUID(action_data.map_use_backend_default) %}
+{%               set defaultbackend_option = ',' ~ defaultbackend_data.name %}
+{%             else %}
+{%               set defaultbackend_option = '' %}
+{%             endif %}
+{#             # Finally add map file to config #}
+{%             do action_options.append('use_backend %[req.hdr(host),' ~ mapfile_config ~ '(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %}
+{%           else %}
+{%             set action_enabled = '0' %}
+{%             do global_action_options.append('# ERROR: missing parameters') %}
+{%           endif %}
 {%         elif action_data.type == 'monitor_fail' %}
 {%           if action_data.monitor_fail_uri|default("") != "" %}
 {%             do action_options.append('monitor-uri ' ~ action_data.monitor_fail_uri ~ '\n   ') %}
@@ -937,7 +1001,9 @@
 {%             elif action_data.tcp_request_action == 'content_use-service' %}
 {%               set action_keyword_data = action_name ~ ' lua.' ~ action_data.tcp_request_option %}
 {%             else %}
-{%               set action_keyword_data = action_name %}
+{#               # Setup conditional parameters. #}
+{%               set action_keyword_args = ActionConditionalArgs(action_data,action_name) | trim %}
+{%               set action_keyword_data = action_name ~ action_keyword_args %}
 {%               if action_data.tcp_request_option|default('') != '' %}
 {%                 set action_keyword_data = action_keyword_data ~ ' ' ~ action_data.tcp_request_option %}
 {%               endif %}
@@ -955,7 +1021,9 @@
 {%             if action_data.tcp_response_action == 'content_lua' %}
 {%               set action_keyword_data = action_name ~ '.' ~ action_data.tcp_response_option %}
 {%             else %}
-{%               set action_keyword_data = action_name %}
+{#               # Setup conditional parameters. #}
+{%               set action_keyword_args = ActionConditionalArgs(action_data,action_name) | trim %}
+{%               set action_keyword_data = action_name ~ action_keyword_args %}
 {%               if action_data.tcp_response_option|default('') != '' %}
 {%                 set action_keyword_data = action_keyword_data ~ ' ' ~ action_data.tcp_response_option %}
 {%               endif %}
@@ -965,46 +1033,25 @@
 {%             set action_enabled = '0' %}
 {%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
-{%         elif action_data.type == 'compression' %}
-{%           set action_multiline = '1' %}
-{%           if action_data.compression_mime_resp|default("") != "" or action_data.compression_mime_req|default("") != "" %}
-{%             do action_options.append('filter compression') %}
-{%             do action_options.append('compression direction ' ~ action_data.compression_direction) %}
-{%             if action_data.compression_direction|default("") == "response" or action_data.compression_direction|default("") == "both" %}
-{%               do action_options.append('compression algo-res ' ~ action_data.compression_algo_res) %}
-{%               if action_data.compression_mime_res|default("") != "" %}
-{%                 do action_options.append('compression type-res ' ~ action_data.compression_mime_res|replace(",", " ")) %}
-{%               endif %}
-{%               if action_data.compression_minsize_res|default("") != "0" %}
-{%                 do action_options.append('compression minsize-res ' ~ action_data.compression_minsize_res) %}
-{%               endif %}
-{%             endif %}
-{%             if action_data.compression_direction|default("") == "request" or action_data.compression_direction|default("") == "both" %}
-{%               do action_options.append('compression algo-req ' ~ action_data.compression_algo_req) %}
-{%               if action_data.compression_mime_req|default("") != "" %}
-{%                 do action_options.append('compression type-req ' ~ action_data.compression_mime_req|replace(",", " ")) %}
-{%               endif %}
-{%               if action_data.compression_minsize_req|default("") != "0" %}
-{%                 do action_options.append('compression minsize-req ' ~ action_data.compression_minsize_req) %}
-{%               endif %}
-{%             endif %}
-{%             if action_data.compression_offloading|default("") == "1" %}
-{%               do action_options.append('compression offload') %}
-{%             endif %}
+{%         elif action_data.type == 'use_backend' %}
+{%           if action_data.use_backend|default("") != "" %}
+{%             set acl_backend_data = helpers.getUUID(action_data.use_backend) %}
+{%             do action_options.append('use_backend ' ~ acl_backend_data.name) %}
 {%           else %}
 {%             set action_enabled = '0' %}
 {%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
-{%         elif action_data.type == 'custom' %}
-{%           if action_data.custom|default("") != "" %}
-{%             do action_options.append(action_data.custom) %}
+{%         elif action_data.type == 'use_server' %}
+{%           if action_data.use_server|default("") != "" %}
+{%             set server_data = helpers.getUUID(action_data.use_server) %}
+{%             do action_options.append('use-server ' ~ server_data.name) %}
 {%           else %}
 {%             set action_enabled = '0' %}
 {%             do global_action_options.append('# ERROR: missing parameters') %}
 {%           endif %}
 {%         else %}
 {%           set action_enabled = '0' %}
-{%           do global_action_options.append('# ERROR: unsupported rule type' ~ action_data.type) %}
+{%           do global_action_options.append('# ERROR: unsupported rule type ' ~ action_data.type) %}
 {%         endif %}
 {#         # Is this rule enabled in the GUI? #}
 {%         if action_data.enabled|default('') == '1' %}

From d0374346e282d9e9920168cb144134a000aa5730 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Feb 2026 16:07:33 +0100
Subject: [PATCH 2956/3088] sysutils/gdrive-backup: switch class name for
 linter

---
 sysutils/gdrive-backup/Makefile                                 | 1 +
 .../src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php     | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/sysutils/gdrive-backup/Makefile b/sysutils/gdrive-backup/Makefile
index ff88386c0c..58f3a7919b 100644
--- a/sysutils/gdrive-backup/Makefile
+++ b/sysutils/gdrive-backup/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		gdrive-backup
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Backup configurations using Google Drive
 PLUGIN_DEPENDS=		php${PLUGIN_PHP}-google-api-php-client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/sysutils/gdrive-backup/src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php b/sysutils/gdrive-backup/src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php
index 089ff08cd4..2ae1beca53 100644
--- a/sysutils/gdrive-backup/src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php
+++ b/sysutils/gdrive-backup/src/opnsense/mvc/app/library/OPNsense/Backup/GDrive.php
@@ -34,7 +34,7 @@
  * Class google drive backup
  * @package OPNsense\Backup
  */
-class Gdrive extends Base implements IBackupProvider
+class GDrive extends Base implements IBackupProvider
 {
     /**
      * get required (user interface) fields for backup connector

From b27b732ce4369bc76a798322b4fbe96e1ff0e72c Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 3 Feb 2026 17:46:14 +0100
Subject: [PATCH 2957/3088] net/haproxy: full support for table names in
 conditions

---
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  5 -
 .../templates/OPNsense/HAProxy/haproxy.conf   | 91 ++++++++++++++++---
 2 files changed, 78 insertions(+), 18 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index f13fea00ae..6494889908 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -2974,7 +2974,6 @@
                         <track-sc0>track-sc0</track-sc0>
                         <track-sc1>track-sc1</track-sc1>
                         <track-sc2>track-sc2</track-sc2>
-                        <track-sc>track-sc</track-sc>
                         <unset-var>unset-var</unset-var>
                         <use-service>use-service</use-service>
                         <wait-for-body>wait-for-body</wait-for-body>
@@ -3024,7 +3023,6 @@
                         <track-sc0>track-sc0</track-sc0>
                         <track-sc1>track-sc1</track-sc1>
                         <track-sc2>track-sc2</track-sc2>
-                        <track-sc>track-sc</track-sc>
                         <unset-var>unset-var</unset-var>
                         <wait-for-body>wait-for-body</wait-for-body>
                     </OptionValues>
@@ -3058,7 +3056,6 @@
                         <connection_set-var>connection set-var</connection_set-var>
                         <connection_set-var-fmt>connection set-var-fmt</connection_set-var-fmt>
                         <connection_silent-drop>connection silent-drop</connection_silent-drop>
-                        <connection_track-sc>connection track-sc</connection_track-sc>
                         <connection_track-sc0>connection track-sc0</connection_track-sc0>
                         <connection_track-sc1>connection track-sc1</connection_track-sc1>
                         <connection_track-sc2>connection track-sc2</connection_track-sc2>
@@ -3089,7 +3086,6 @@
                         <content_set-var-fmt>content set-var-fmt</content_set-var-fmt>
                         <content_silent-drop>content silent-drop</content_silent-drop>
                         <content_switch-mode>content switch-mode</content_switch-mode>
-                        <content_track-sc>content track-sc</content_track-sc>
                         <content_track-sc0>content track-sc0</content_track-sc0>
                         <content_track-sc1>content track-sc1</content_track-sc1>
                         <content_track-sc2>content track-sc2</content_track-sc2>
@@ -3116,7 +3112,6 @@
                         <session_set-var>session set-var</session_set-var>
                         <session_set-var-fmt>session set-var-fmt</session_set-var-fmt>
                         <session_silent-drop>session silent-drop</session_silent-drop>
-                        <session_track-sc>session track-sc</session_track-sc>
                         <session_track-sc0>session track-sc0</session_track-sc0>
                         <session_track-sc1>session track-sc1</session_track-sc1>
                         <session_track-sc2>session track-sc2</session_track-sc2>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index e0219c90c8..91f86577f5 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -565,9 +565,19 @@
 {%                 do acl_options.append(acl_data.src) %}
 {%               endif %}
 {%             elif acl_data.expression == 'src_bytes_in_rate' %}
-{%               do acl_options.append('src_bytes_in_rate ' ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ') ' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_bytes_in_rate' ~ table_data ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %}
 {%             elif acl_data.expression == 'src_bytes_out_rate' %}
-{%               do acl_options.append('src_bytes_out_rate ' ~ acl_data.src_bytes_out_rate_comparison ~ ' ' ~ acl_data.src_bytes_out_rate) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ') ' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_bytes_out_rate' ~ table_data ~ acl_data.src_bytes_out_rate_comparison ~ ' ' ~ acl_data.src_bytes_out_rate) %}
 {%             elif acl_data.expression == 'src_clr_gpc' %}
 {%               if acl_data.gpc_number|default("") != "" and acl_data.src_clr_gpc|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -581,11 +591,26 @@
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'src_conn_cnt' %}
-{%               do acl_options.append('src_conn_cnt ' ~ acl_data.src_conn_cnt_comparison ~ ' ' ~ acl_data.src_conn_cnt) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ') ' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_conn_cnt' ~ table_data ~ acl_data.src_conn_cnt_comparison ~ ' ' ~ acl_data.src_conn_cnt) %}
 {%             elif acl_data.expression == 'src_conn_cur' %}
-{%               do acl_options.append('src_conn_cur ' ~ acl_data.src_conn_cur_comparison ~ ' ' ~ acl_data.src_conn_cur) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ') ' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_conn_cur' ~ table_data ~ acl_data.src_conn_cur_comparison ~ ' ' ~ acl_data.src_conn_cur) %}
 {%             elif acl_data.expression == 'src_conn_rate' %}
-{%               do acl_options.append('src_conn_rate ' ~ acl_data.src_conn_rate_comparison ~ ' ' ~ acl_data.src_conn_rate) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ') ' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_conn_rate' ~ table_data ~ acl_data.src_conn_rate_comparison ~ ' ' ~ acl_data.src_conn_rate) %}
 {%             elif acl_data.expression == 'src_get_gpc' %}
 {%               if acl_data.gpc_number|default("") != "" and acl_data.src_get_gpc|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -647,9 +672,19 @@
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'src_http_err_cnt' %}
-{%               do acl_options.append('src_http_err_cnt ' ~ acl_data.src_http_err_cnt_comparison ~ ' ' ~ acl_data.src_http_err_cnt) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_http_err_cnt' ~ table_data ~ ' ' ~ acl_data.src_http_err_cnt_comparison ~ ' ' ~ acl_data.src_http_err_cnt) %}
 {%             elif acl_data.expression == 'src_http_err_rate' %}
-{%               do acl_options.append('src_http_err_rate ' ~ acl_data.src_http_err_rate_comparison ~ ' ' ~ acl_data.src_http_err_rate) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_http_err_rate' ~ tabel_data ~ ' ' ~ acl_data.src_http_err_rate_comparison ~ ' ' ~ acl_data.src_http_err_rate) %}
 {%             elif acl_data.expression == 'src_http_fail_cnt' %}
 {%               if acl_data.src_http_fail_cnt|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -675,9 +710,19 @@
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'src_http_req_cnt' %}
-{%               do acl_options.append('src_http_req_cnt ' ~ acl_data.src_http_req_cnt_comparison ~ ' ' ~ acl_data.src_http_req_cnt) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_http_req_cnt' ~ table_data ~ ' ' ~ acl_data.src_http_req_cnt_comparison ~ ' ' ~ acl_data.src_http_req_cnt) %}
 {%             elif acl_data.expression == 'src_http_req_rate' %}
-{%               do acl_options.append('src_http_req_rate ' ~ acl_data.src_http_req_rate_comparison ~ ' ' ~ acl_data.src_http_req_rate) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_http_req_rate' ~ table_data ~ ' ' ~ acl_data.src_http_req_rate_comparison ~ ' ' ~ acl_data.src_http_req_rate) %}
 {%             elif acl_data.expression == 'src_inc_gpc' %}
 {%               if acl_data.gpc_number|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -691,15 +736,35 @@
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'src_kbytes_in' %}
-{%               do acl_options.append('src_kbytes_in ' ~ acl_data.src_kbytes_in_comparison ~ ' ' ~ acl_data.src_kbytes_in) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_kbytes_in' ~ table_data ~ ' ' ~ acl_data.src_kbytes_in_comparison ~ ' ' ~ acl_data.src_kbytes_in) %}
 {%             elif acl_data.expression == 'src_kbytes_out' %}
-{%               do acl_options.append('src_kbytes_out ' ~ acl_data.src_kbytes_out_comparison ~ ' ' ~ acl_data.src_kbytes_out) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_kbytes_out' ~ table_data ~ ' ' ~ acl_data.src_kbytes_out_comparison ~ ' ' ~ acl_data.src_kbytes_out) %}
 {%             elif acl_data.expression == 'src_port' %}
 {%               do acl_options.append('src_port ' ~ acl_data.src_port_comparison ~ ' ' ~ acl_data.src_port) %}
 {%             elif acl_data.expression == 'src_sess_cnt' %}
-{%               do acl_options.append('src_sess_cnt' ~ acl_data.src_sess_cnt_comparison ~ ' ' ~ acl_data.src_sess_cnt) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_sess_cnt' ~ table_data ~ ' ' ~ acl_data.src_sess_cnt_comparison ~ ' ' ~ acl_data.src_sess_cnt) %}
 {%             elif acl_data.expression == 'src_sess_rate' %}
-{%               do acl_options.append('src_sess_rate ' ~ acl_data.src_sess_rate_comparison ~ ' ' ~ acl_data.src_sess_rate) %}
+{%               if acl_data.table_name|default("") != "" %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%               else %}
+{%                 set table_data = ' ' %}
+{%               endif %}
+{%               do acl_options.append('src_sess_rate' ~ table_data ~ ' ' ~ acl_data.src_sess_rate_comparison ~ ' ' ~ acl_data.src_sess_rate) %}
 {%             elif acl_data.expression == 'ssl_c_verify_code' %}
 {%               if acl_data.ssl_c_verify_code|default("") != "" %}
 {%                 do acl_options.append('ssl_c_verify ' ~ acl_data.ssl_c_verify_code) %}

From c6496afabc2b3c06ad9997e9342128efe1761dd7 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Feb 2026 00:39:25 +0100
Subject: [PATCH 2958/3088] net/haproxy: add support for legacy GPC/GPT/SC ACLs

This is necessary, because according to the documentation,
the modern syntax cannot be mixed with legacy syntax in
several cases:

"This fetch applies only to the 'gpc' array data_type (and not
to the legacy 'gpc0' nor 'gpc1' data_types)."
---
 .../OPNsense/HAProxy/forms/dialogAcl.xml      | 707 ++++++++++++++++-
 .../OPNsense/HAProxy/forms/dialogAction.xml   |   2 +-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 718 +++++++++++++++++-
 .../templates/OPNsense/HAProxy/haproxy.conf   | 566 +++++++++++++-
 4 files changed, 1970 insertions(+), 23 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 514b772179..39716d8adf 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -1050,7 +1050,712 @@
         <type>text</type>
     </field>
     <field>
-        <label>Conditional Parameters</label>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_clr_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc_clr_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_clr_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_clr_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc_clr_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_clr_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_clr_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc0_clr_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_clr_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_clr_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc0_clr_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_clr_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_clr_gpc</style>
+    </field>
+    <field>
+        <id>acl.sc1_clr_gpc_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_clr_gpc</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_clr_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc1_clr_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_clr_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_clr_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc1_clr_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_clr_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_clr_gpc</style>
+    </field>
+    <field>
+        <id>acl.sc2_clr_gpc_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_clr_gpc</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_clr_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc2_clr_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_clr_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_clr_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc2_clr_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_clr_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_get_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc_get_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_get_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_get_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc_get_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_get_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_get_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc0_get_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_get_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_get_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc0_get_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_get_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_get_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc1_get_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_get_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_get_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc1_get_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_get_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_get_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc2_get_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_get_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_get_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc2_get_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_get_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_get_gpt</style>
+    </field>
+    <field>
+        <id>acl.sc_get_gpt_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_get_gpt</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_get_gpt0</style>
+    </field>
+    <field>
+        <id>acl.sc_get_gpt0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_get_gpt0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_get_gpt0</style>
+    </field>
+    <field>
+        <id>acl.sc0_get_gpt0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_get_gpt0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_get_gpt0</style>
+    </field>
+    <field>
+        <id>acl.sc1_get_gpt0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_get_gpt0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_get_gpt0</style>
+    </field>
+    <field>
+        <id>acl.sc2_get_gpt0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_get_gpt0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_gpc0_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_gpc0_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_gpc0_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_gpc1_rate</style>
+    </field>
+    <field>
+        <id>acl.sc_gpc1_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_gpc1_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_gpc0_rate</style>
+    </field>
+    <field>
+        <id>acl.sc0_gpc0_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_gpc0_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_gpc1_rate</style>
+    </field>
+    <field>
+        <id>acl.sc0_gpc1_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_gpc1_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_gpc0_rate</style>
+    </field>
+    <field>
+        <id>acl.sc1_gpc0_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_gpc0_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_gpc1_rate</style>
+    </field>
+    <field>
+        <id>acl.sc1_gpc1_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_gpc1_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_gpc0_rate</style>
+    </field>
+    <field>
+        <id>acl.sc2_gpc0_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_gpc0_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_gpc1_rate</style>
+    </field>
+    <field>
+        <id>acl.sc2_gpc1_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_gpc1_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_inc_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc_inc_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_inc_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc_inc_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc_inc_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc_inc_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_inc_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc0_inc_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_inc_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc0_inc_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc0_inc_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc0_inc_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_inc_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc1_inc_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_inc_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc1_inc_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc1_inc_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc1_inc_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_inc_gpc0</style>
+    </field>
+    <field>
+        <id>acl.sc2_inc_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_inc_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_sc2_inc_gpc1</style>
+    </field>
+    <field>
+        <id>acl.sc2_inc_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.sc2_inc_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_clr_gpc0</style>
+    </field>
+    <field>
+        <id>acl.src_clr_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_clr_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_clr_gpc1</style>
+    </field>
+    <field>
+        <id>acl.src_clr_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_clr_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_get_gpc0</style>
+    </field>
+    <field>
+        <id>acl.src_get_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_get_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_get_gpc1</style>
+    </field>
+    <field>
+        <id>acl.src_get_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_get_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_gpc0_rate</style>
+    </field>
+    <field>
+        <id>acl.src_gpc0_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_gpc0_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_gpc1_rate</style>
+    </field>
+    <field>
+        <id>acl.src_gpc1_rate_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_gpc1_rate</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_inc_gpc0</style>
+    </field>
+    <field>
+        <id>acl.src_inc_gpc0_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_inc_gpc0</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_src_inc_gpc1</style>
+    </field>
+    <field>
+        <id>acl.src_inc_gpc1_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.src_inc_gpc1</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
+    <field>
+        <label>Conditional parameters</label>
         <type>header</type>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 5b39bf1feb..0222a2f4b0 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -304,7 +304,7 @@
         <help><![CDATA[Some actions require additional parameters and specific syntax. Examples and explanations can be found in the <a href="http://docs.haproxy.org/3.2/configuration.html#tcp-response">HAProxy's documentation</a>.]]></help>
     </field>
     <field>
-        <label>Conditional Parameters</label>
+        <label>Conditional parameters</label>
         <type>header</type>
     </field>
     <field>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 6494889908..a99d6d4693 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1850,14 +1850,44 @@
                         <sc_bytes_in_rate>sc_bytes_in_rate – Sticky counter: incoming bytes rate</sc_bytes_in_rate>
                         <sc_bytes_out_rate>sc_bytes_out_rate – Sticky counter: outgoing bytes rate</sc_bytes_out_rate>
                         <sc_clr_gpc>sc_clr_gpc – Sticky counter: clear General Purpose Counter</sc_clr_gpc>
+                        <sc_clr_gpc0>sc_clr_gpc0 – Sticky counter: clear General Purpose Counter</sc_clr_gpc0>
+                        <sc_clr_gpc1>sc_clr_gpc1 – Sticky counter: clear General Purpose Counter</sc_clr_gpc1>
+                        <sc0_clr_gpc0>sc0_clr_gpc0 – Sticky counter: clear General Purpose Counter</sc0_clr_gpc0>
+                        <sc0_clr_gpc1>sc0_clr_gpc1 – Sticky counter: clear General Purpose Counter</sc0_clr_gpc1>
+                        <sc1_clr_gpc>sc1_clr_gpc – Sticky counter: clear General Purpose Counter</sc1_clr_gpc>
+                        <sc1_clr_gpc0>sc1_clr_gpc0 – Sticky counter: clear General Purpose Counter</sc1_clr_gpc0>
+                        <sc1_clr_gpc1>sc1_clr_gpc1 – Sticky counter: clear General Purpose Counter</sc1_clr_gpc1>
+                        <sc2_clr_gpc>sc2_clr_gpc – Sticky counter: clear General Purpose Counter</sc2_clr_gpc>
+                        <sc2_clr_gpc0>sc2_clr_gpc0 – Sticky counter: clear General Purpose Counter</sc2_clr_gpc0>
+                        <sc2_clr_gpc1>sc2_clr_gpc1 – Sticky counter: clear General Purpose Counter</sc2_clr_gpc1>
                         <sc_conn_cnt>sc_conn_cnt – Sticky counter: cumulative number of connections</sc_conn_cnt>
                         <sc_conn_cur>sc_conn_cur – Sticky counter: concurrent connections</sc_conn_cur>
                         <sc_conn_rate>sc_conn_rate – Sticky counter: connection rate</sc_conn_rate>
                         <sc_get_gpc>sc_get_gpc – Sticky counter: get General Purpose Counter value</sc_get_gpc>
+                        <sc_get_gpc0>sc_get_gpc0 – Sticky counter: get General Purpose Counter value</sc_get_gpc0>
+                        <sc_get_gpc1>sc_get_gpc1 – Sticky counter: get General Purpose Counter value</sc_get_gpc1>
+                        <sc0_get_gpc0>sc0_get_gpc0 – Sticky counter: get General Purpose Counter value</sc0_get_gpc0>
+                        <sc0_get_gpc1>sc0_get_gpc1 – Sticky counter: get General Purpose Counter value</sc0_get_gpc1>
+                        <sc1_get_gpc0>sc1_get_gpc0 – Sticky counter: get General Purpose Counter value</sc1_get_gpc0>
+                        <sc1_get_gpc1>sc1_get_gpc1 – Sticky counter: get General Purpose Counter value</sc1_get_gpc1>
+                        <sc2_get_gpc0>sc2_get_gpc0 – Sticky counter: get General Purpose Counter value</sc2_get_gpc0>
+                        <sc2_get_gpc1>sc2_get_gpc1 – Sticky counter: get General Purpose Counter value</sc2_get_gpc1>
                         <sc_get_gpt>sc_get_gpt – Sticky counter: get General Purpose Tag value</sc_get_gpt>
+                        <sc_get_gpt0>sc_get_gpt0 – Sticky counter: get General Purpose Tag value</sc_get_gpt0>
+                        <sc0_get_gpt0>sc0_get_gpt0 – Sticky counter: get General Purpose Tag value</sc0_get_gpt0>
+                        <sc1_get_gpt0>sc1_get_gpt0 – Sticky counter: get General Purpose Tag value</sc1_get_gpt0>
+                        <sc2_get_gpt0>sc2_get_gpt0 – Sticky counter: get General Purpose Tag value</sc2_get_gpt0>
                         <sc_glitch_cnt>sc_glitch_cnt – Sticky counter: cumulative number of glitches</sc_glitch_cnt>
                         <sc_glitch_rate>sc_glitch_rate – Sticky counter: rate of glitches</sc_glitch_rate>
                         <sc_gpc_rate>sc_gpc_rate – Sticky counter: increment rate of General Purpose Counter</sc_gpc_rate>
+                        <sc_gpc0_rate>sc_gpc0_rate – Sticky counter: increment rate of General Purpose Counter</sc_gpc0_rate>
+                        <sc_gpc1_rate>sc_gpc1_rate – Sticky counter: increment rate of General Purpose Counter</sc_gpc1_rate>
+                        <sc0_gpc0_rate>sc0_gpc0_rate – Sticky counter: increment rate of General Purpose Counter</sc0_gpc0_rate>
+                        <sc0_gpc1_rate>sc0_gpc1_rate – Sticky counter: increment rate of General Purpose Counter</sc0_gpc1_rate>
+                        <sc1_gpc0_rate>sc1_gpc0_rate – Sticky counter: increment rate of General Purpose Counter</sc1_gpc0_rate>
+                        <sc1_gpc1_rate>sc1_gpc1_rate – Sticky counter: increment rate of General Purpose Counter</sc1_gpc1_rate>
+                        <sc2_gpc0_rate>sc2_gpc0_rate – Sticky counter: increment rate of General Purpose Counter</sc2_gpc0_rate>
+                        <sc2_gpc1_rate>sc2_gpc1_rate – Sticky counter: increment rate of General Purpose Counter</sc2_gpc1_rate>
                         <sc_http_err_cnt>sc_http_err_cnt – Sticky counter: cumulative number of HTTP errors</sc_http_err_cnt>
                         <sc_http_err_rate>sc_http_err_rate – Sticky counter: rate of HTTP errors</sc_http_err_rate>
                         <sc_http_fail_cnt>sc_http_fail_cnt – Sticky counter: cumulative number of HTTP failures</sc_http_fail_cnt>
@@ -1865,20 +1895,34 @@
                         <sc_http_req_cnt>sc_http_req_cnt – Sticky counter: cumulative number of HTTP requests</sc_http_req_cnt>
                         <sc_http_req_rate>sc_http_req_rate – Sticky counter: rate of HTTP requests</sc_http_req_rate>
                         <sc_inc_gpc>sc_inc_gpc – Sticky counter: increment General Purpose Counter</sc_inc_gpc>
+                        <sc_inc_gpc0>sc_inc_gpc0 – Sticky counter: increment General Purpose Counter</sc_inc_gpc0>
+                        <sc_inc_gpc1>sc_inc_gpc1 – Sticky counter: increment General Purpose Counter</sc_inc_gpc1>
+                        <sc0_inc_gpc0>sc0_inc_gpc0 – Sticky counter: increment General Purpose Counter</sc0_inc_gpc0>
+                        <sc0_inc_gpc1>sc0_inc_gpc1 – Sticky counter: increment General Purpose Counter</sc0_inc_gpc1>
+                        <sc1_inc_gpc0>sc1_inc_gpc0 – Sticky counter: increment General Purpose Counter</sc1_inc_gpc0>
+                        <sc1_inc_gpc1>sc1_inc_gpc1 – Sticky counter: increment General Purpose Counter</sc1_inc_gpc1>
+                        <sc2_inc_gpc0>sc2_inc_gpc0 – Sticky counter: increment General Purpose Counter</sc2_inc_gpc0>
+                        <sc2_inc_gpc1>sc2_inc_gpc1 – Sticky counter: increment General Purpose Counter</sc2_inc_gpc1>
                         <sc_sess_cnt>sc_sess_cnt – Sticky counter: cumulative number of sessions</sc_sess_cnt>
                         <sc_sess_rate>sc_sess_rate – Sticky counter: session rate</sc_sess_rate>
                         <src>src – Source IP matches specified IP</src>
                         <src_bytes_in_rate>src_bytes_in_rate – Source IP: incoming bytes rate</src_bytes_in_rate>
                         <src_bytes_out_rate>src_bytes_out_rate – Source IP: outgoing bytes rate</src_bytes_out_rate>
                         <src_clr_gpc>src_clr_gpc – Source IP: clear General Purpose Counter</src_clr_gpc>
+                        <src_clr_gpc0>src_clr_gpc0 – Source IP: clear General Purpose Counter</src_clr_gpc0>
+                        <src_clr_gpc1>src_clr_gpc1 – Source IP: clear General Purpose Counter</src_clr_gpc1>
                         <src_conn_cnt>src_conn_cnt – Source IP: cumulative number of connections</src_conn_cnt>
                         <src_conn_cur>src_conn_cur – Source IP: concurrent connections</src_conn_cur>
                         <src_conn_rate>src_conn_rate – Source IP: connection rate</src_conn_rate>
                         <src_get_gpc>src_get_gpc – Source IP: get General Purpose Counter value</src_get_gpc>
+                        <src_get_gpc0>src_get_gpc0 – Source IP: get General Purpose Counter value</src_get_gpc0>
+                        <src_get_gpc1>src_get_gpc1 – Source IP: get General Purpose Counter value</src_get_gpc1>
                         <src_get_gpt>src_get_gpt – Source IP: get General Purpose Tag value</src_get_gpt>
                         <src_glitch_cnt>src_glitch_cnt – Source IP: cumulative number of glitches</src_glitch_cnt>
                         <src_glitch_rate>src_glitch_rate – Source IP: rate of glitches</src_glitch_rate>
                         <src_gpc_rate>src_gpc_rate – Source IP: increment rate of General Purpose Counter</src_gpc_rate>
+                        <src_gpc0_rate>src_gpc0_rate – Source IP: increment rate of General Purpose Counter</src_gpc0_rate>
+                        <src_gpc1_rate>src_gpc1_rate – Source IP: increment rate of General Purpose Counter</src_gpc1_rate>
                         <src_http_err_cnt>src_http_err_cnt – Source IP: cumulative number of HTTP errors</src_http_err_cnt>
                         <src_http_err_rate>src_http_err_rate – Source IP: rate of HTTP errors</src_http_err_rate>
                         <src_http_fail_cnt>src_http_fail_cnt – Source IP: cumulative number of HTTP failures</src_http_fail_cnt>
@@ -1886,6 +1930,8 @@
                         <src_http_req_cnt>src_http_req_cnt – Source IP: number of HTTP requests</src_http_req_cnt>
                         <src_http_req_rate>src_http_req_rate – Source IP: rate of HTTP requests</src_http_req_rate>
                         <src_inc_gpc>src_inc_gpc – Source IP: increment General Purpose Counter</src_inc_gpc>
+                        <src_inc_gpc0>src_inc_gpc0 – Source IP: increment General Purpose Counter</src_inc_gpc0>
+                        <src_inc_gpc1>src_inc_gpc1 – Source IP: increment General Purpose Counter</src_inc_gpc1>
                         <src_is_local>src_is_local – Source IP is local</src_is_local>
                         <src_kbytes_in>src_kbytes_in – Source IP: amount of data received (in kilobytes)</src_kbytes_in>
                         <src_kbytes_out>src_kbytes_out – Source IP: amount of data sent (in kilobytes)</src_kbytes_out>
@@ -2450,20 +2496,6 @@
                 <sc_get_gpc type="IntegerField">
                     <Required>N</Required>
                 </sc_get_gpc>
-                <sc_get_gpt_comparison type="OptionField">
-                    <Required>N</Required>
-                    <Default>gt</Default>
-                    <OptionValues>
-                        <gt>greater than</gt>
-                        <ge>greater equal</ge>
-                        <eq>equal</eq>
-                        <lt>less than</lt>
-                        <le>less equal</le>
-                    </OptionValues>
-                </sc_get_gpt_comparison>
-                <sc_get_gpt type="IntegerField">
-                    <Required>N</Required>
-                </sc_get_gpt>
                 <sc_glitch_cnt_comparison type="OptionField">
                     <Required>N</Required>
                     <Default>gt</Default>
@@ -2744,6 +2776,664 @@
                 <src_inc_gpc type="IntegerField">
                     <Required>N</Required>
                 </src_inc_gpc>
+                <sc_clr_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_clr_gpc0_comparison>
+                <sc_clr_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc_clr_gpc0>
+                <sc_clr_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_clr_gpc1_comparison>
+                <sc_clr_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc_clr_gpc1>
+                <sc0_clr_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_clr_gpc0_comparison>
+                <sc0_clr_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc0_clr_gpc0>
+                <sc0_clr_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_clr_gpc1_comparison>
+                <sc0_clr_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc0_clr_gpc1>
+                <sc1_clr_gpc_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_clr_gpc_comparison>
+                <sc1_clr_gpc type="IntegerField">
+                    <Required>N</Required>
+                </sc1_clr_gpc>
+                <sc1_clr_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_clr_gpc0_comparison>
+                <sc1_clr_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc1_clr_gpc0>
+                <sc1_clr_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_clr_gpc1_comparison>
+                <sc1_clr_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc1_clr_gpc1>
+                <sc2_clr_gpc_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_clr_gpc_comparison>
+                <sc2_clr_gpc type="IntegerField">
+                    <Required>N</Required>
+                </sc2_clr_gpc>
+                <sc2_clr_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_clr_gpc0_comparison>
+                <sc2_clr_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc2_clr_gpc0>
+                <sc2_clr_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_clr_gpc1_comparison>
+                <sc2_clr_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc2_clr_gpc1>
+                <sc_get_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_get_gpc0_comparison>
+                <sc_get_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc_get_gpc0>
+                <sc_get_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_get_gpc1_comparison>
+                <sc_get_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc_get_gpc1>
+                <sc0_get_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_get_gpc0_comparison>
+                <sc0_get_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc0_get_gpc0>
+                <sc0_get_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_get_gpc1_comparison>
+                <sc0_get_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc0_get_gpc1>
+                <sc1_get_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_get_gpc0_comparison>
+                <sc1_get_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc1_get_gpc0>
+                <sc1_get_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_get_gpc1_comparison>
+                <sc1_get_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc1_get_gpc1>
+                <sc2_get_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_get_gpc0_comparison>
+                <sc2_get_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc2_get_gpc0>
+                <sc2_get_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_get_gpc1_comparison>
+                <sc2_get_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc2_get_gpc1>
+                <sc_get_gpt_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_get_gpt_comparison>
+                <sc_get_gpt type="IntegerField">
+                    <Required>N</Required>
+                </sc_get_gpt>
+                <sc_get_gpt0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_get_gpt0_comparison>
+                <sc_get_gpt0 type="IntegerField">
+                    <Required>N</Required>
+                </sc_get_gpt0>
+                <sc0_get_gpt0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_get_gpt0_comparison>
+                <sc0_get_gpt0 type="IntegerField">
+                    <Required>N</Required>
+                </sc0_get_gpt0>
+                <sc1_get_gpt0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_get_gpt0_comparison>
+                <sc1_get_gpt0 type="IntegerField">
+                    <Required>N</Required>
+                </sc1_get_gpt0>
+                <sc2_get_gpt0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_get_gpt0_comparison>
+                <sc2_get_gpt0 type="IntegerField">
+                    <Required>N</Required>
+                </sc2_get_gpt0>
+                <sc_gpc0_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_gpc0_rate_comparison>
+                <sc_gpc0_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_gpc0_rate>
+                <sc_gpc1_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_gpc1_rate_comparison>
+                <sc_gpc1_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc_gpc1_rate>
+                <sc0_gpc0_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_gpc0_rate_comparison>
+                <sc0_gpc0_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc0_gpc0_rate>
+                <sc0_gpc1_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_gpc1_rate_comparison>
+                <sc0_gpc1_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc0_gpc1_rate>
+                <sc1_gpc0_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_gpc0_rate_comparison>
+                <sc1_gpc0_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc1_gpc0_rate>
+                <sc1_gpc1_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_gpc1_rate_comparison>
+                <sc1_gpc1_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc1_gpc1_rate>
+                <sc2_gpc0_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_gpc0_rate_comparison>
+                <sc2_gpc0_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc2_gpc0_rate>
+                <sc2_gpc1_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_gpc1_rate_comparison>
+                <sc2_gpc1_rate type="IntegerField">
+                    <Required>N</Required>
+                </sc2_gpc1_rate>
+                <sc_inc_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_inc_gpc0_comparison>
+                <sc_inc_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc_inc_gpc0>
+                <sc_inc_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc_inc_gpc1_comparison>
+                <sc_inc_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc_inc_gpc1>
+                <sc0_inc_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_inc_gpc0_comparison>
+                <sc0_inc_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc0_inc_gpc0>
+                <sc0_inc_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc0_inc_gpc1_comparison>
+                <sc0_inc_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc0_inc_gpc1>
+                <sc1_inc_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_inc_gpc0_comparison>
+                <sc1_inc_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc1_inc_gpc0>
+                <sc1_inc_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc1_inc_gpc1_comparison>
+                <sc1_inc_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc1_inc_gpc1>
+                <sc2_inc_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_inc_gpc0_comparison>
+                <sc2_inc_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </sc2_inc_gpc0>
+                <sc2_inc_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </sc2_inc_gpc1_comparison>
+                <sc2_inc_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </sc2_inc_gpc1>
+                <src_clr_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_clr_gpc0_comparison>
+                <src_clr_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </src_clr_gpc0>
+                <src_clr_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_clr_gpc1_comparison>
+                <src_clr_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </src_clr_gpc1>
+                <src_get_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_get_gpc0_comparison>
+                <src_get_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </src_get_gpc0>
+                <src_get_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_get_gpc1_comparison>
+                <src_get_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </src_get_gpc1>
+                <src_gpc0_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_gpc0_rate_comparison>
+                <src_gpc0_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_gpc0_rate>
+                <src_gpc1_rate_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_gpc1_rate_comparison>
+                <src_gpc1_rate type="IntegerField">
+                    <Required>N</Required>
+                </src_gpc1_rate>
+                <src_inc_gpc0_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_inc_gpc0_comparison>
+                <src_inc_gpc0 type="IntegerField">
+                    <Required>N</Required>
+                </src_inc_gpc0>
+                <src_inc_gpc1_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </src_inc_gpc1_comparison>
+                <src_inc_gpc1 type="IntegerField">
+                    <Required>N</Required>
+                </src_inc_gpc1>
                 <gpc_number type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>100</MaximumValue>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 91f86577f5..21b83addf1 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -354,6 +354,126 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'sc_clr_gpc0' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_clr_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_clr_gpc0(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_clr_gpc0_comparison ~ ' ' ~ acl_data.sc_clr_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_clr_gpc1' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_clr_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_clr_gpc1(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_clr_gpc1_comparison ~ ' ' ~ acl_data.sc_clr_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_clr_gpc0' %}
+{%               if acl_data.sc0_clr_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_clr_gpc0' ~ table_data ~ ' ' ~ acl_data.sc0_clr_gpc0_comparison ~ ' ' ~ acl_data.sc0_clr_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_clr_gpc1' %}
+{%               if acl_data.sc0_clr_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_clr_gpc1' ~ table_data ~ ' ' ~ acl_data.sc0_clr_gpc1_comparison ~ ' ' ~ acl_data.sc0_clr_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_clr_gpc' %}
+{%               if acl_data.sc1_clr_gpc|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_clr_gpc' ~ table_data ~ ' ' ~ acl_data.sc1_clr_gpc_comparison ~ ' ' ~ acl_data.sc1_clr_gpc) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_clr_gpc0' %}
+{%               if acl_data.sc1_clr_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_clr_gpc0' ~ table_data ~ ' ' ~ acl_data.sc1_clr_gpc0_comparison ~ ' ' ~ acl_data.sc1_clr_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_clr_gpc1' %}
+{%               if acl_data.sc1_clr_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_clr_gpc1' ~ table_data ~ ' ' ~ acl_data.sc1_clr_gpc1_comparison ~ ' ' ~ acl_data.sc1_clr_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_clr_gpc' %}
+{%               if acl_data.sc2_clr_gpc|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_clr_gpc' ~ table_data ~ ' ' ~ acl_data.sc2_clr_gpc_comparison ~ ' ' ~ acl_data.sc2_clr_gpc) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_clr_gpc0' %}
+{%               if acl_data.sc2_clr_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_clr_gpc0' ~ table_data ~ ' ' ~ acl_data.sc2_clr_gpc0_comparison ~ ' ' ~ acl_data.sc2_clr_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_clr_gpc1' %}
+{%               if acl_data.sc2_clr_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_clr_gpc1' ~ table_data ~ ' ' ~ acl_data.sc2_clr_gpc1_comparison ~ ' ' ~ acl_data.sc2_clr_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'sc_conn_cnt' %}
 {%               if acl_data.sc_number|default("") != "" and acl_data.sc_conn_cnt|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -402,6 +522,102 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'sc_get_gpc0' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_get_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_get_gpc0(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_get_gpc0_comparison ~ ' ' ~ acl_data.sc_get_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_get_gpc1' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_get_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_get_gpc1(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_get_gpc1_comparison ~ ' ' ~ acl_data.sc_get_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_get_gpc0' %}
+{%               if acl_data.sc0_get_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_get_gpc0' ~ table_data ~ ' ' ~ acl_data.sc0_get_gpc0_comparison ~ ' ' ~ acl_data.sc0_get_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_get_gpc1' %}
+{%               if acl_data.sc0_get_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_get_gpc1' ~ table_data ~ ' ' ~ acl_data.sc0_get_gpc1_comparison ~ ' ' ~ acl_data.sc0_get_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_get_gpc0' %}
+{%               if acl_data.sc1_get_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_get_gpc0' ~ table_data ~ ' ' ~ acl_data.sc1_get_gpc0_comparison ~ ' ' ~ acl_data.sc1_get_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_get_gpc1' %}
+{%               if acl_data.sc1_get_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_get_gpc1' ~ table_data ~ ' ' ~ acl_data.sc1_get_gpc1_comparison ~ ' ' ~ acl_data.sc1_get_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_get_gpc0' %}
+{%               if acl_data.sc2_get_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_get_gpc0' ~ table_data ~ ' ' ~ acl_data.sc2_get_gpc0_comparison ~ ' ' ~ acl_data.sc2_get_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_get_gpc1' %}
+{%               if acl_data.sc2_get_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_get_gpc1' ~ table_data ~ ' ' ~ acl_data.sc2_get_gpc1_comparison ~ ' ' ~ acl_data.sc2_get_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'sc_get_gpt' %}
 {%               if acl_data.sc_number|default("") != "" and acl_data.gpt_number|default("") != "" and acl_data.sc_get_gpt|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -414,6 +630,54 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'sc_get_gpt0' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_get_gpt0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_get_gpt0(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_get_gpt0_comparison ~ ' ' ~ acl_data.sc_get_gpt0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_get_gpt0' %}
+{%               if acl_data.sc0_get_gpt0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_get_gpt0' ~ table_data ~ ' ' ~ acl_data.sc0_get_gpt0_comparison ~ ' ' ~ acl_data.sc0_get_gpt0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_get_gpt0' %}
+{%               if acl_data.sc1_get_gpt0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_get_gpt0' ~ table_data ~ ' ' ~ acl_data.sc1_get_gpt0_comparison ~ ' ' ~ acl_data.sc1_get_gpt0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_get_gpt0' %}
+{%               if acl_data.sc2_get_gpt0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_get_gpt0' ~ table_data ~ ' ' ~ acl_data.sc2_get_gpt0_comparison ~ ' ' ~ acl_data.sc2_get_gpt0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'sc_glitch_cnt' %}
 {%               if acl_data.sc_number|default("") != "" and acl_data.sc_glitch_cnt|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -450,6 +714,102 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'sc_gpc0_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_gpc0_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_gpc0_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_gpc0_rate_comparison ~ ' ' ~ acl_data.sc_gpc0_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_gpc1_rate' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_gpc1_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_gpc1_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_gpc1_rate_comparison ~ ' ' ~ acl_data.sc_gpc1_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_gpc0_rate' %}
+{%               if acl_data.sc0_gpc0_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_gpc0_rate' ~ table_data ~ ' ' ~ acl_data.sc0_gpc0_rate_comparison ~ ' ' ~ acl_data.sc0_gpc0_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_gpc1_rate' %}
+{%               if acl_data.sc0_gpc1_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_gpc1_rate' ~ table_data ~ ' ' ~ acl_data.sc0_gpc1_rate_comparison ~ ' ' ~ acl_data.sc0_gpc1_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_gpc0_rate' %}
+{%               if acl_data.sc1_gpc0_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_gpc0_rate' ~ table_data ~ ' ' ~ acl_data.sc1_gpc0_rate_comparison ~ ' ' ~ acl_data.sc1_gpc0_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_gpc1_rate' %}
+{%               if acl_data.sc1_gpc1_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_gpc1_rate' ~ table_data ~ ' ' ~ acl_data.sc1_gpc1_rate_comparison ~ ' ' ~ acl_data.sc1_gpc1_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_gpc0_rate' %}
+{%               if acl_data.sc2_gpc0_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_gpc0_rate' ~ table_data ~ ' ' ~ acl_data.sc2_gpc0_rate_comparison ~ ' ' ~ acl_data.sc2_gpc0_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_gpc1_rate' %}
+{%               if acl_data.sc2_gpc1_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_gpc1_rate' ~ table_data ~ ' ' ~ acl_data.sc2_gpc1_rate_comparison ~ ' ' ~ acl_data.sc2_gpc1_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'sc_http_err_cnt' %}
 {%               if acl_data.sc_number|default("") != "" and acl_data.sc_http_err_cnt|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -534,6 +894,102 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'sc_inc_gpc0' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_inc_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_inc_gpc0(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_inc_gpc0_comparison ~ ' ' ~ acl_data.sc_inc_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc_inc_gpc1' %}
+{%               if acl_data.sc_number|default("") != "" and acl_data.sc_inc_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = ',' ~ acl_data.table_name %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_inc_gpc1(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_inc_gpc1_comparison ~ ' ' ~ acl_data.sc_inc_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_inc_gpc0' %}
+{%               if acl_data.sc0_inc_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_inc_gpc0' ~ table_data ~ ' ' ~ acl_data.sc0_inc_gpc0_comparison ~ ' ' ~ acl_data.sc0_inc_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc0_inc_gpc1' %}
+{%               if acl_data.sc0_inc_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc0_inc_gpc1' ~ table_data ~ ' ' ~ acl_data.sc0_inc_gpc1_comparison ~ ' ' ~ acl_data.sc0_inc_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_inc_gpc0' %}
+{%               if acl_data.sc1_inc_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_inc_gpc0' ~ table_data ~ ' ' ~ acl_data.sc1_inc_gpc0_comparison ~ ' ' ~ acl_data.sc1_inc_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc1_inc_gpc1' %}
+{%               if acl_data.sc1_inc_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc1_inc_gpc1' ~ table_data ~ ' ' ~ acl_data.sc1_inc_gpc1_comparison ~ ' ' ~ acl_data.sc1_inc_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_inc_gpc0' %}
+{%               if acl_data.sc2_inc_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_inc_gpc0' ~ table_data ~ ' ' ~ acl_data.sc2_inc_gpc0_comparison ~ ' ' ~ acl_data.sc2_inc_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'sc2_inc_gpc1' %}
+{%               if acl_data.sc2_inc_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc2_inc_gpc1' ~ table_data ~ ' ' ~ acl_data.sc2_inc_gpc1_comparison ~ ' ' ~ acl_data.sc2_inc_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'sc_sess_cnt' %}
 {%               if acl_data.sc_number|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" and acl_data.sc_sess_cnt|default("") != "" %}
@@ -566,18 +1022,18 @@
 {%               endif %}
 {%             elif acl_data.expression == 'src_bytes_in_rate' %}
 {%               if acl_data.table_name|default("") != "" %}
-{%                 set table_data = '(' ~ acl_data.table_name  ~ ') ' %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
 {%               else %}
-{%                 set table_data = ' ' %}
+{%                 set table_data = '' %}
 {%               endif %}
-{%               do acl_options.append('src_bytes_in_rate' ~ table_data ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %}
+{%               do acl_options.append('src_bytes_in_rate' ~ table_data ~ ' ' ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %}
 {%             elif acl_data.expression == 'src_bytes_out_rate' %}
 {%               if acl_data.table_name|default("") != "" %}
-{%                 set table_data = '(' ~ acl_data.table_name  ~ ') ' %}
+{%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
 {%               else %}
-{%                 set table_data = ' ' %}
+{%                 set table_data = '' %}
 {%               endif %}
-{%               do acl_options.append('src_bytes_out_rate' ~ table_data ~ acl_data.src_bytes_out_rate_comparison ~ ' ' ~ acl_data.src_bytes_out_rate) %}
+{%               do acl_options.append('src_bytes_out_rate' ~ table_data ~ ' ' ~ acl_data.src_bytes_out_rate_comparison ~ ' ' ~ acl_data.src_bytes_out_rate) %}
 {%             elif acl_data.expression == 'src_clr_gpc' %}
 {%               if acl_data.gpc_number|default("") != "" and acl_data.src_clr_gpc|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -590,6 +1046,30 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'src_clr_gpc0' %}
+{%               if acl_data.src_clr_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_clr_gpc0' ~ table_data ~ ' ' ~ acl_data.src_clr_gpc0_comparison ~ ' ' ~ acl_data.src_clr_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_clr_gpc1' %}
+{%               if acl_data.src_clr_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_clr_gpc1' ~ table_data ~ ' ' ~ acl_data.src_clr_gpc1_comparison ~ ' ' ~ acl_data.src_clr_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'src_conn_cnt' %}
 {%               if acl_data.table_name|default("") != "" %}
 {%                 set table_data = '(' ~ acl_data.table_name  ~ ') ' %}
@@ -623,6 +1103,30 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'src_get_gpc0' %}
+{%               if acl_data.src_get_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_get_gpc0' ~ table_data ~ ' ' ~ acl_data.src_get_gpc0_comparison ~ ' ' ~ acl_data.src_get_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_get_gpc1' %}
+{%               if acl_data.src_get_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_get_gpc1' ~ table_data ~ ' ' ~ acl_data.src_get_gpc1_comparison ~ ' ' ~ acl_data.src_get_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'src_get_gpt' %}
 {%               if acl_data.gpt_number|default("") != "" and acl_data.src_get_gpt|default("") != "" %}
 {%                 if acl_data.table_name|default("") != "" %}
@@ -671,11 +1175,35 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'src_gpc0_rate' %}
+{%               if acl_data.src_gpc0_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_gpc0_rate' ~ table_data ~ ' ' ~ acl_data.src_gpc0_rate_comparison ~ ' ' ~ acl_data.src_gpc0_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_gpc1_rate' %}
+{%               if acl_data.src_gpc1_rate|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_gpc1_rate' ~ table_data ~ ' ' ~ acl_data.src_gpc1_rate_comparison ~ ' ' ~ acl_data.src_gpc1_rate) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'src_http_err_cnt' %}
 {%               if acl_data.table_name|default("") != "" %}
 {%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}
 {%               else %}
-{%                 set table_data = ' ' %}
+{%                 set table_data = '' %}
 {%               endif %}
 {%               do acl_options.append('src_http_err_cnt' ~ table_data ~ ' ' ~ acl_data.src_http_err_cnt_comparison ~ ' ' ~ acl_data.src_http_err_cnt) %}
 {%             elif acl_data.expression == 'src_http_err_rate' %}
@@ -735,6 +1263,30 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'src_inc_gpc0' %}
+{%               if acl_data.src_inc_gpc0|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_inc_gpc0' ~ table_data ~ ' ' ~ acl_data.src_inc_gpc0_comparison ~ ' ' ~ acl_data.src_inc_gpc0) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
+{%             elif acl_data.expression == 'src_inc_gpc1' %}
+{%               if acl_data.src_inc_gpc1|default("") != "" %}
+{%                 if acl_data.table_name|default("") != "" %}
+{%                   set table_data = '(' ~ acl_data.table_name  ~ ')' %}
+{%                 else %}
+{%                   set table_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('src_inc_gpc1' ~ table_data ~ ' ' ~ acl_data.src_inc_gpc1_comparison ~ ' ' ~ acl_data.src_inc_gpc1) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'src_kbytes_in' %}
 {%               if acl_data.table_name|default("") != "" %}
 {%                 set table_data = '(' ~ acl_data.table_name  ~ ')' %}

From 95a30c536d20c5f8447052ab4b44f9863ac8f8ff Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 5 Feb 2026 15:45:46 +0100
Subject: [PATCH 2959/3088] net/haproxy: fix potential model migration error

---
 .../OPNsense/HAProxy/Migrations/M5_0_0.php    | 50 +++++++++----------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
index 310aa79338..04f55aae85 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
@@ -44,7 +44,7 @@ public function run($model)
                 case 'http-request_add-header':
                     $action->type = 'http-request';
                     $action->http_request_action = 'add-header';
-                    if (isset($action->http_request_add_header_name)) {
+                    if (!empty((string)$action->http_request_add_header_name)) {
                         $action->http_request_option = (string)$action->http_request_add_header_name . ' ' . (string)$action->http_request_add_header_content;
                         $action->http_request_add_header_name = null;
                         $action->http_request_add_header_content = null;
@@ -57,7 +57,7 @@ public function run($model)
                 case 'http-request_auth':
                     $action->type = 'http-request';
                     $action->http_request_action = 'auth';
-                    if (isset($action->http_request_auth)) {
+                    if (!empty((string)$action->http_request_auth)) {
                         $action->http_request_option = 'realm ' . (string)$action->http_request_auth;
                         $action->http_request_auth = null;
                     }
@@ -65,7 +65,7 @@ public function run($model)
                 case 'http-request_del-header':
                     $action->type = 'http-request';
                     $action->http_request_action = 'del-header';
-                    if (isset($action->http_request_del_header_name)) {
+                    if (!empty((string)$action->http_request_del_header_name)) {
                         $action->http_request_option = (string)$action->http_request_del_header_name;
                         $action->http_request_del_header_name = null;
                     }
@@ -77,7 +77,7 @@ public function run($model)
                 case 'http-request_lua':
                     $action->type = 'http-request';
                     $action->http_request_action = 'lua';
-                    if (isset($action->http_request_lua)) {
+                    if (!empty((string)$action->http_request_lua)) {
                         $action->http_request_option = (string)$action->http_request_lua;
                         $action->http_request_lua = null;
                     }
@@ -85,7 +85,7 @@ public function run($model)
                 case 'http-request_redirect':
                     $action->type = 'http-request';
                     $action->http_request_action = 'redirect';
-                    if (isset($action->http_request_redirect)) {
+                    if (!empty((string)$action->http_request_redirect)) {
                         $action->http_request_option = (string)$action->http_request_redirect;
                         $action->http_request_redirect = null;
                     }
@@ -93,7 +93,7 @@ public function run($model)
                 case 'http-request_replace-header':
                     $action->type = 'http-request';
                     $action->http_request_action = 'replace-header';
-                    if (isset($action->http_request_replace_header_name)) {
+                    if (!empty((string)$action->http_request_replace_header_name)) {
                         $action->http_request_option = (string)$action->http_request_replace_header_name . ' ' . (string)$action->http_request_replace_header_regex;
                         $action->http_request_replace_header_name = null;
                         $action->http_request_replace_header_regex = null;
@@ -102,7 +102,7 @@ public function run($model)
                 case 'http-request_replace-value':
                     $action->type = 'http-request';
                     $action->http_request_action = 'replace-value';
-                    if (isset($action->http_request_replace_value_name)) {
+                    if (!empty((string)$action->http_request_replace_value_name)) {
                         $action->http_request_option = (string)$action->http_request_replace_value_name . ' ' . (string)$action->http_request_replace_value_regex;
                         $action->http_request_replace_value_name = null;
                         $action->http_request_replace_value_regex = null;
@@ -111,7 +111,7 @@ public function run($model)
                 case 'http-request_set-header':
                     $action->type = 'http-request';
                     $action->http_request_action = 'set-header';
-                    if (isset($action->http_request_set_header_name)) {
+                    if (!empty((string)$action->http_request_set_header_name)) {
                         $action->http_request_option = (string)$action->http_request_set_header_name . ' ' . (string)$action->http_request_set_header_content;
                         $action->http_request_set_header_name = null;
                         $action->http_request_set_header_content = null;
@@ -120,7 +120,7 @@ public function run($model)
                 case 'http-request_set-path':
                     $action->type = 'http-request';
                     $action->http_request_action = 'set-path';
-                    if (isset($action->http_request_set_path)) {
+                    if (!empty((string)$action->http_request_set_path)) {
                         $action->http_request_option = (string)$action->http_request_set_path;
                         $action->http_request_set_path = null;
                     }
@@ -128,7 +128,7 @@ public function run($model)
                 case 'http-request_set-var':
                     $action->type = 'http-request';
                     $action->http_request_action = 'set-var';
-                    if (isset($action->http_request_set_var_scope)) {
+                    if (!empty((string)$action->http_request_set_var_name)) {
                         $action->http_request_option = '(' . (string)$action->http_request_set_var_scope . '.' . (string)$action->http_request_set_var_name . ') ' . (string)$action->http_request_set_var_expr;
                         $action->http_request_set_var_scope = null;
                         $action->http_request_set_var_name = null;
@@ -146,7 +146,7 @@ public function run($model)
                 case 'http-request_use-service':
                     $action->type = 'http-request';
                     $action->http_request_action = 'use-service';
-                    if (isset($action->http_request_use_service)) {
+                    if (!empty((string)$action->http_request_use_service)) {
                         $action->http_request_option = (string)$action->http_request_use_service;
                         $action->http_request_use_service = null;
                     }
@@ -154,7 +154,7 @@ public function run($model)
                 case 'http-response_add-header':
                     $action->type = 'http-response';
                     $action->http_response_action = 'add-header';
-                    if (isset($action->http_response_add_header_name)) {
+                    if (!empty((string)$action->http_response_add_header_name)) {
                         $action->http_response_option = (string)$action->http_response_add_header_name . ' ' . (string)$action->http_response_add_header_content;
                         $action->http_response_add_header_name = null;
                         $action->http_response_add_header_content = null;
@@ -167,7 +167,7 @@ public function run($model)
                 case 'http-response_del-header':
                     $action->type = 'http-response';
                     $action->http_response_action = 'del-header';
-                    if (isset($action->http_response_del_header_name)) {
+                    if (!empty((string)$action->http_response_del_header_name)) {
                         $action->http_response_option = (string)$action->http_response_del_header_name;
                         $action->http_response_del_header_name = null;
                     }
@@ -179,7 +179,7 @@ public function run($model)
                 case 'http-response_lua':
                     $action->type = 'http-response';
                     $action->http_response_action = 'lua';
-                    if (isset($action->http_response_lua)) {
+                    if (!empty((string)$action->http_response_lua)) {
                         $action->http_response_option = (string)$action->http_response_lua;
                         $action->http_response_lua = null;
                     }
@@ -187,7 +187,7 @@ public function run($model)
                 case 'http-response_replace-header':
                     $action->type = 'http-response';
                     $action->http_response_action = 'replace-header';
-                    if (isset($action->http_response_replace_header_name)) {
+                    if (!empty((string)$action->http_response_replace_header_name)) {
                         $action->http_response_option = (string)$action->http_response_replace_header_name . ' ' . (string)$action->http_response_replace_header_regex;
                         $action->http_response_replace_header_name = null;
                         $action->http_response_replace_header_regex = null;
@@ -196,7 +196,7 @@ public function run($model)
                 case 'http-response_replace-value':
                     $action->type = 'http-response';
                     $action->http_response_action = 'replace-value';
-                    if (isset($action->http_response_replace_value_name)) {
+                    if (!empty((string)$action->http_response_replace_value_name)) {
                         $action->http_response_option = (string)$action->http_response_replace_value_name . ' ' . (string)$action->http_response_replace_value_regex;
                         $action->http_response_replace_value_name = null;
                         $action->http_response_replace_value_regex = null;
@@ -205,7 +205,7 @@ public function run($model)
                 case 'http-response_set-header':
                     $action->type = 'http-response';
                     $action->http_response_action = 'set-header';
-                    if (isset($action->http_response_set_header_name)) {
+                    if (!empty((string)$action->http_response_set_header_name)) {
                         $action->http_response_option = (string)$action->http_response_set_header_name . ' ' . (string)$action->http_response_set_header_content;
                         $action->http_response_set_header_name = null;
                         $action->http_response_set_header_content = null;
@@ -214,8 +214,8 @@ public function run($model)
                 case 'http-response_set-status':
                     $action->type = 'http-response';
                     $action->http_response_action = 'set-status';
-                    if (isset($action->http_response_set_status_code)) {
-                        if (isset($action->http_response_set_status_reason)) {
+                    if (!empty((string)$action->http_response_set_status_code)) {
+                        if (!empty((string)$action->http_response_set_status_reason)) {
                             $status_reason = ' reason "' . (string)$action->http_response_set_status_reason . '"';
                         } else {
                             $status_reason = '';
@@ -228,7 +228,7 @@ public function run($model)
                 case 'http-response_set-var':
                     $action->type = 'http-response';
                     $action->http_response_action = 'set-var';
-                    if (isset($action->http_response_set_var_scope)) {
+                    if (!empty((string)$action->http_response_set_var_name)) {
                         $action->http_response_option = '(' . (string)$action->http_response_set_var_scope . '.' . (string)$action->http_response_set_var_name . ') ' . (string)$action->http_response_set_var_expr;
                         $action->http_response_set_var_scope = null;
                         $action->http_response_set_var_name = null;
@@ -250,7 +250,7 @@ public function run($model)
                 case 'tcp-request_content_lua':
                     $action->type = 'tcp-request';
                     $action->tcp_request_action = 'content_lua';
-                    if (isset($action->tcp_request_content_lua)) {
+                    if (!empty((string)$action->tcp_request_content_lua)) {
                         $action->tcp_request_option = (string)$action->tcp_request_content_lua;
                         $action->tcp_request_content_lua = null;
                     }
@@ -262,7 +262,7 @@ public function run($model)
                 case 'tcp-request_content_use-service':
                     $action->type = 'tcp-request';
                     $action->tcp_request_action = 'content_use-service';
-                    if (isset($action->tcp_request_content_use_service)) {
+                    if (!empty((string)$action->tcp_request_content_use_service)) {
                         $action->tcp_request_option = (string)$action->tcp_request_content_use_service;
                         $action->tcp_request_content_use_service = null;
                     }
@@ -270,7 +270,7 @@ public function run($model)
                 case 'tcp-request_inspect-delay':
                     $action->type = 'tcp-request';
                     $action->tcp_request_action = 'inspect-delay';
-                    if (isset($action->tcp_request_inspect_delay)) {
+                    if (!empty((string)$action->tcp_request_inspect_delay)) {
                         $action->tcp_request_option = (string)$action->tcp_request_inspect_delay;
                         $action->tcp_request_inspect_delay = null;
                     }
@@ -286,7 +286,7 @@ public function run($model)
                 case 'tcp-response_content_lua':
                     $action->type = 'tcp-response';
                     $action->tcp_response_action = 'content_lua';
-                    if (isset($action->tcp_response_content_lua)) {
+                    if (!empty((string)$action->tcp_response_content_lua)) {
                         $action->tcp_response_option = (string)$action->tcp_response_content_lua;
                         $action->tcp_response_content_lua = null;
                     }
@@ -298,7 +298,7 @@ public function run($model)
                 case 'tcp-response_inspect-delay':
                     $action->type = 'tcp-response';
                     $action->tcp_response_action = 'inspect-delay';
-                    if (isset($action->tcp_response_inspect_delay)) {
+                    if (!empty((string)$action->tcp_response_inspect_delay)) {
                         $action->tcp_response_option = (string)$action->tcp_response_inspect_delay;
                         $action->tcp_response_inspect_delay = null;
                     }

From 8cafe712012b7253aefffc8deea69aef37aaa8d8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 5 Feb 2026 21:19:22 +0100
Subject: [PATCH 2960/3088] security/q-feeds-connector: track if qfeeds lists
 are loaded when deselected and reload unbounds blocklist in that case (via
 qfeedsctl.py), for https://github.com/opnsense/plugins/issues/5190

---
 .../src/opnsense/scripts/qfeeds/lib/__init__.py       | 11 +++++++++--
 .../src/opnsense/scripts/qfeeds/qfeedsctl.py          |  2 +-
 .../opnsense/scripts/unbound/blocklists/qfeeds_bl.py  |  2 ++
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
index f661bbfd39..ddc3023009 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
@@ -1,5 +1,5 @@
 """
-    Copyright (c) 2025 Deciso B.V.
+    Copyright (c) 2025-2026 Deciso B.V.
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
@@ -117,7 +117,14 @@ def firewall_load(self):
 
     def unbound_load(self):
         bl_conf = '/usr/local/etc/unbound/qfeeds-blocklists.conf'
-        if os.path.exists(bl_conf) and os.path.getsize(bl_conf) > 20:
+        bl_configured = os.path.exists(bl_conf) and os.path.getsize(bl_conf) > 20
+        bl_stat = '/tmp/qfeeds-unbound-bl.stat'
+        if bl_configured or os.path.exists(bl_stat):
+            # when de-configuring domain lists, we need to reconfigure unbound on deselect, track an empty file to
+            # detect that event (written by the unbound helper).
+            if os.path.exists(bl_stat):
+                os.remove(bl_stat)
+
             # when qfeeds-blocklists.conf is ~empty, skip updates
             subprocess.run(['/usr/local/sbin/configctl', 'unbound', 'dnsbl'])
             yield 'update unbound blocklist'
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
index 7973d59f4c..9fbede080e 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
@@ -1,7 +1,7 @@
 #!/usr/local/bin/python3
 
 """
-    Copyright (c) 2025 Deciso B.V.
+    Copyright (c) 20252-2026 Deciso B.V.
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
diff --git a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
index e10428db08..8d2f2c955d 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
@@ -44,6 +44,8 @@ def get_blocklist(self):
         if self.cnf and self.cnf.has_section('settings'):
             if self.cnf.has_option('settings', 'filenames'):
                 qfeeds_filenames = self.cnf.get('settings', 'filenames').split(',')
+                # touch a file to help qfeedsctl detect the current instance uses its list
+                open('/tmp/qfeeds-unbound-bl.stat', 'w').write('')
 
         result = {}
         for filename in qfeeds_filenames:

From fe9abad52b84dfd99d03912475f52a7986b90917 Mon Sep 17 00:00:00 2001
From: Maurice Walker <maurice@walker.earth>
Date: Fri, 6 Feb 2026 06:44:18 +0100
Subject: [PATCH 2961/3088] net/tayga: update website in pkg-descr (new
 maintainer @apalrd) (#5193)

---
 net/tayga/pkg-descr | 2 --
 1 file changed, 2 deletions(-)

diff --git a/net/tayga/pkg-descr b/net/tayga/pkg-descr
index 1e354df0b0..347391cc3a 100644
--- a/net/tayga/pkg-descr
+++ b/net/tayga/pkg-descr
@@ -26,5 +26,3 @@ Plugin Changelog
 1.0
 
 * Support for IPv6 prefix and IPv4 pool
-
-WWW: http://www.litech.org/tayga/

From 630cd208ea94c8acc524e0155dc6fc9679cbc104 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 6 Feb 2026 10:57:50 +0100
Subject: [PATCH 2962/3088] LICENSE: fix a typo and sync

---
 LICENSE                                                         | 2 +-
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index 04c70bf2e2..8544019fd7 100644
--- a/LICENSE
+++ b/LICENSE
@@ -19,7 +19,7 @@ Copyright (c) 2021 Dan Lundqvist
 Copyright (c) 2021 David Berry
 Copyright (c) 2017-2018 David Harrigan
 Copyright (c) 2021 David Hughes
-Copyright (c) 2014-2025 Deciso B.V.
+Copyright (c) 2014-2026 Deciso B.V.
 Copyright (c) 2020 devNan0 <nan0@nan0.dev>
 Copyright (c) 2023 Dmitry Shinkaruk
 Copyright (c) 2024 DollarSign23
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
index 9fbede080e..64190d6e0d 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
@@ -1,7 +1,7 @@
 #!/usr/local/bin/python3
 
 """
-    Copyright (c) 20252-2026 Deciso B.V.
+    Copyright (c) 2025-2026 Deciso B.V.
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without

From b9dcae8a9c9e10a27f265dff5b0d4334e2903ccb Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 8 Feb 2026 00:08:08 +0100
Subject: [PATCH 2963/3088] net/haproxy: support mapfiles in hdr/path ACLs

Previously a path or header had to be specified. But with the
extended mapfile support, these are no longer required values.
A mapfile may be used instead.
---
 .../templates/OPNsense/HAProxy/haproxy.conf   | 121 +++++++-----------
 1 file changed, 44 insertions(+), 77 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 21b83addf1..7e9c221cf8 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -171,59 +171,44 @@
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr' %}
+{%               do acl_options.append('hdr(host)') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.hdr|default("") != "" %}
-{%                 do acl_options.append('hdr(host)') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.hdr) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr_beg' %}
+{%               do acl_options.append('hdr_beg(host)') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.hdr_beg|default("") != "" %}
-{%                 do acl_options.append('hdr_beg(host)') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.hdr_beg) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr_end' %}
+{%               do acl_options.append('hdr_end(host)') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.hdr_end|default("") != "" %}
-{%                 do acl_options.append('hdr_end(host)') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.hdr_end) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr_reg' %}
+{%               do acl_options.append('hdr_reg(host)') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.hdr_reg|default("") != "" %}
-{%                 do acl_options.append('hdr_reg(host)') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.hdr_reg) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'hdr_sub' %}
+{%               do acl_options.append('hdr_sub(host)') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.hdr_sub|default("") != "" %}
-{%                 do acl_options.append('hdr_sub(host)') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.hdr_sub) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'http_auth' %}
 {%               if acl_data.allowedUsers|default("") != "" or acl_data.allowedGroups|default("") != "" %}
@@ -253,70 +238,52 @@
     # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path' %}
+{%               do acl_options.append('path') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.path|default("") != "" %}
-{%                 do acl_options.append('path') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.path) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_beg' %}
+{%               do acl_options.append('path_beg') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.path_beg|default("") != "" %}
-{%                 do acl_options.append('path_beg') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.path_beg) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_dir' %}
+{%               do acl_options.append('path_dir') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.path_dur|default("") != "" %}
-{%                 do acl_options.append('path_dir') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.path_dir) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_end' %}
+{%               do acl_options.append('path_end') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.path_end|default("") != "" %}
-{%                 do acl_options.append('path_end') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.path_end) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_reg' %}
+{%               do acl_options.append('path_reg') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.path_reg|default("") != "" %}
-{%                 do acl_options.append('path_reg') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.path_reg) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'path_sub' %}
+{%               do acl_options.append('path_sub') %}
+{%               if acl_data.caseSensitive|default('0') == '0' %}
+{%                 do acl_options.append('-i') %}
+{%               endif %}
 {%               if acl_data.path_sub|default("") != "" %}
-{%                 do acl_options.append('path_sub') %}
-{%                 if acl_data.caseSensitive|default('0') == '0' %}
-{%                   do acl_options.append('-i') %}
-{%                 endif %}
 {%                 do acl_options.append(acl_data.path_sub) %}
-{%               else %}
-{%                 set acl_enabled = '0' %}
-    # ERROR: missing parameters
 {%               endif %}
 {%             elif acl_data.expression == 'sc_bytes_in_rate' %}
 {%               if acl_data.sc_number|default("") != "" and acl_data.sc_bytes_in_rate|default("") != "" %}

From 3c2dd310fedd22c6d16937dbd60c7acaad4368cf Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Sun, 8 Feb 2026 22:43:34 +0100
Subject: [PATCH 2964/3088] net/haproxy: support more advanced sample fetches
 and converters

---
 net/haproxy/pkg-descr                         |  3 +-
 .../OPNsense/HAProxy/forms/dialogAcl.xml      | 27 ++++++++++++
 .../OPNsense/HAProxy/forms/dialogAction.xml   | 18 ++++++++
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 43 +++++++++++++++++++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 28 ++++++++++++
 5 files changed, 118 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index c0396f6dc4..0af36b5e2a 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -27,7 +27,8 @@ Added:
 * add support for GPC/GPT/SC to conditions and rules (#1123, #5109)
 * add support for SSL SNI expression to servers (#3756)
 * add column "mode" to servers overview (#4632)
-* add support for loading mapfiles in conditions
+* add support for loading mapfiles in conditions and rules
+* add support for sample fetches in rules
 
 Fixed:
 * Maintenance tab "SSL Certificates" not working with only one cert
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index 39716d8adf..1929789378 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -266,6 +266,27 @@
         <type>text</type>
         <help><![CDATA[Specify the value for the URL parameter.]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_var</style>
+    </field>
+    <field>
+        <id>acl.var_comparison</id>
+        <label>Comparison</label>
+        <type>dropdown</type>
+    </field>
+    <field>
+        <id>acl.var</id>
+        <label>Variable</label>
+        <type>text</type>
+        <help><![CDATA[The name of a variable, followed by an optional default value, e.g. (req.rate_limit) or (req.rate_limit,10).]]></help>
+    </field>
+    <field>
+        <id>acl.var_value</id>
+        <label>Value</label>
+        <type>text</type>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>
@@ -1788,4 +1809,10 @@
         <type>dropdown</type>
         <help><![CDATA[Load patterns from a map file.]]></help>
     </field>
+    <field>
+        <id>acl.converter</id>
+        <label>Converter</label>
+        <type>text</type>
+        <help><![CDATA[Transforms or processes the output of a sample fetch (e.g. variable, mapping, arithmetic, string manipulation) and passes the result to the next converter or final evaluation. Make more complex conditions possible, e.g. acl rate_abuse var(req.rate_limit),sub(req.request_rate) lt 0.]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
index 0222a2f4b0..64c4230b32 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -325,4 +325,22 @@
         <type>text</type>
         <help><![CDATA[Refers to the number of the Stick Counter, e.g. 0 or 1 when using sc0 or sc1 respectively. This value will be ignored in rules that do not support SC.]]></help>
     </field>
+    <field>
+        <id>action.mapfile</id>
+        <label>Mapfile</label>
+        <type>dropdown</type>
+        <help><![CDATA[Load patterns from a map file.]]></help>
+    </field>
+    <field>
+        <id>action.map_default</id>
+        <label>Map default value</label>
+        <type>text</type>
+        <help><![CDATA[When a map file is specified, this is the default value.]]></help>
+    </field>
+    <field>
+        <id>action.sample_fetch</id>
+        <label>Sample fetch</label>
+        <type>text</type>
+        <help><![CDATA[Extracts a value from the request or connection context (e.g. path, header, source IP) to be used as input for converters or matching rules. May be used in combination with set-var and map files to create more complex rules, e.g.<br/>http-request set-var(req.rate_limit) path,map_beg(/path/to/mapfile,20)</br>http-request set-var(req.request_rate) base32+src,table_http_req_rate()]]></help>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index a99d6d4693..17d19969a4 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1951,6 +1951,7 @@
                         <ssl_sni_sub>ssl_sni_sub – SNI TLS extension contains (TCP request content inspection)</ssl_sni_sub>
                         <stopping>stopping – HAProxy process is currently stopping</stopping>
                         <url_param>url_param – URL parameter contains</url_param>
+                        <var>var – Compare the value of a variable</var>
                         <wait_end>wait_end – Inspection period is over</wait_end>
                         <custom_acl>Custom condition (option pass-through)</custom_acl>
                     </OptionValues>
@@ -2076,6 +2077,25 @@
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </url_param_value>
+                <var type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </var>
+                <var_value type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </var_value>
+                <var_comparison type="OptionField">
+                    <Required>N</Required>
+                    <Default>gt</Default>
+                    <OptionValues>
+                        <gt>greater than</gt>
+                        <ge>greater equal</ge>
+                        <eq>equal</eq>
+                        <lt>less than</lt>
+                        <le>less equal</le>
+                    </OptionValues>
+                </var_comparison>
                 <ssl_c_verify_code type="IntegerField">
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>500000</MaximumValue>
@@ -3467,6 +3487,10 @@
                     <ValidationMessage>Related mapfile item not found</ValidationMessage>
                     <Required>N</Required>
                 </mapfile>
+                <converter type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </converter>
             </acl>
         </acls>
         <actions>
@@ -4142,6 +4166,25 @@
                     <ValidationMessage>Please specify a value between 0 and 99.</ValidationMessage>
                     <Required>N</Required>
                 </sc_number>
+                <mapfile type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.HAProxy.HAProxy</source>
+                            <items>mapfiles.mapfile</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <ValidationMessage>Related mapfile item not found</ValidationMessage>
+                    <Required>N</Required>
+                </mapfile>
+                <map_default type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </map_default>
+                <sample_fetch type="TextField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </sample_fetch>
             </action>
         </actions>
         <luas>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 7e9c221cf8..bf0ad72d8a 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1381,6 +1381,18 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'var' %}
+{%               if acl_data.var|default("") != "" and acl_data.var_value|default("") != "" %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('var' ~ acl_data.var ~ converter_data ~ ' ' ~ acl_data.var_comparison ~ ' ' ~ acl_data.var_value) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {#             # handle boolean ACL types that do not require any input #}
 {%             elif acl_data.expression in acl_boolean_types %}
 {%               do acl_options.append(acl_data.expression) %}
@@ -1637,6 +1649,22 @@
 {%           set action_enabled = '0' %}
 {%           do global_action_options.append('# ERROR: unsupported rule type ' ~ action_data.type) %}
 {%         endif %}
+{#         # Add sample fetch to map file config. #}
+{%         if action_data.mapfile|default("") != "" %}
+{%           set mapfile_data = helpers.getUUID(action_data.mapfile) %}
+{%           set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %}
+{%           set mapfile_config = 'map_' ~ mapfile_data.type %}
+{%           if action_data.map_default|default("") != "" %}
+{%             set mapfile_default = ',' ~ action_data.map_default %}
+{%           endif %}
+{%           if action_data.sample_fetch|default("") != "" %}
+{%             set mapfile_sf = action_data.sample_fetch ~ ',' %}
+{%           endif %}
+{%           do action_options.append(mapfile_sf ~ mapfile_config ~ '(' ~ mapfile_path ~ mapfile_default ~ ')') %}
+{#         # Add/append sample fetch. #}
+{%         elif action_data.sample_fetch|default("") != "" %}
+{%           do action_options.append(action_data.sample_fetch) %}
+{%         endif %}
 {#         # Is this rule enabled in the GUI? #}
 {%         if action_data.enabled|default('') == '1' %}
 {#           # check if action is valid #}

From acbaa92aad8fcb5deedffb2baaec659df6a8a3f3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Feb 2026 07:42:21 +0100
Subject: [PATCH 2965/3088] net/haproxy: style sweep and LICENSE sync

---
 .../app/models/OPNsense/HAProxy/HAProxy.xml   | 272 +++++++++---------
 .../OPNsense/HAProxy/Migrations/M5_0_0.php    |   2 +-
 2 files changed, 137 insertions(+), 137 deletions(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 17d19969a4..fb4a4b8e0e 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1825,134 +1825,134 @@
                 <expression type="OptionField">
                     <Required>Y</Required>
                     <OptionValues>
-                        <cust_hdr_beg>hdr_beg – specified HTTP Header starts with</cust_hdr_beg>
-                        <cust_hdr_end>hdr_end – specified HTTP Header ends with</cust_hdr_end>
-                        <cust_hdr>hdr – specified HTTP Header matches</cust_hdr>
-                        <cust_hdr_reg>hdr_reg – specified HTTP Header regex</cust_hdr_reg>
-                        <cust_hdr_sub>hdr_sub – specified HTTP Header contains</cust_hdr_sub>
-                        <hdr_beg>hdr_beg – HTTP Host Header starts with</hdr_beg>
-                        <hdr_end>hdr_end – HTTP Host Header ends with</hdr_end>
-                        <hdr>hdr – HTTP Host Header matches</hdr>
-                        <hdr_reg>hdr_reg – HTTP Host Header regex</hdr_reg>
-                        <hdr_sub>hdr_sub – HTTP Host Header contains</hdr_sub>
-                        <http_auth>http_auth – HTTP Basic Auth: username/password from client matches selected User/Group</http_auth>
-                        <http_method>http_method – HTTP Method</http_method>
-                        <nbsrv>nbsrv – Minimum number of usable servers in backend</nbsrv>
-                        <path_beg>path_beg – Path starts with</path_beg>
-                        <path_dir>path_dir – Path contains subdir</path_dir>
-                        <path_end>path_end – Path ends with</path_end>
-                        <path>path – Path matches</path>
-                        <path_reg>path_reg – Path regex</path_reg>
-                        <path_sub>path_sub – Path contains string</path_sub>
-                        <quic_enabled>quic_enabled – QUIC transport protocol is enabled</quic_enabled>
-                        <traffic_is_http>req.proto_http – Traffic is HTTP</traffic_is_http>
-                        <traffic_is_ssl>req.ssl_ver – Traffic is SSL (TCP request content inspection)</traffic_is_ssl>
-                        <sc_bytes_in_rate>sc_bytes_in_rate – Sticky counter: incoming bytes rate</sc_bytes_in_rate>
-                        <sc_bytes_out_rate>sc_bytes_out_rate – Sticky counter: outgoing bytes rate</sc_bytes_out_rate>
-                        <sc_clr_gpc>sc_clr_gpc – Sticky counter: clear General Purpose Counter</sc_clr_gpc>
-                        <sc_clr_gpc0>sc_clr_gpc0 – Sticky counter: clear General Purpose Counter</sc_clr_gpc0>
-                        <sc_clr_gpc1>sc_clr_gpc1 – Sticky counter: clear General Purpose Counter</sc_clr_gpc1>
-                        <sc0_clr_gpc0>sc0_clr_gpc0 – Sticky counter: clear General Purpose Counter</sc0_clr_gpc0>
-                        <sc0_clr_gpc1>sc0_clr_gpc1 – Sticky counter: clear General Purpose Counter</sc0_clr_gpc1>
-                        <sc1_clr_gpc>sc1_clr_gpc – Sticky counter: clear General Purpose Counter</sc1_clr_gpc>
-                        <sc1_clr_gpc0>sc1_clr_gpc0 – Sticky counter: clear General Purpose Counter</sc1_clr_gpc0>
-                        <sc1_clr_gpc1>sc1_clr_gpc1 – Sticky counter: clear General Purpose Counter</sc1_clr_gpc1>
-                        <sc2_clr_gpc>sc2_clr_gpc – Sticky counter: clear General Purpose Counter</sc2_clr_gpc>
-                        <sc2_clr_gpc0>sc2_clr_gpc0 – Sticky counter: clear General Purpose Counter</sc2_clr_gpc0>
-                        <sc2_clr_gpc1>sc2_clr_gpc1 – Sticky counter: clear General Purpose Counter</sc2_clr_gpc1>
-                        <sc_conn_cnt>sc_conn_cnt – Sticky counter: cumulative number of connections</sc_conn_cnt>
-                        <sc_conn_cur>sc_conn_cur – Sticky counter: concurrent connections</sc_conn_cur>
-                        <sc_conn_rate>sc_conn_rate – Sticky counter: connection rate</sc_conn_rate>
-                        <sc_get_gpc>sc_get_gpc – Sticky counter: get General Purpose Counter value</sc_get_gpc>
-                        <sc_get_gpc0>sc_get_gpc0 – Sticky counter: get General Purpose Counter value</sc_get_gpc0>
-                        <sc_get_gpc1>sc_get_gpc1 – Sticky counter: get General Purpose Counter value</sc_get_gpc1>
-                        <sc0_get_gpc0>sc0_get_gpc0 – Sticky counter: get General Purpose Counter value</sc0_get_gpc0>
-                        <sc0_get_gpc1>sc0_get_gpc1 – Sticky counter: get General Purpose Counter value</sc0_get_gpc1>
-                        <sc1_get_gpc0>sc1_get_gpc0 – Sticky counter: get General Purpose Counter value</sc1_get_gpc0>
-                        <sc1_get_gpc1>sc1_get_gpc1 – Sticky counter: get General Purpose Counter value</sc1_get_gpc1>
-                        <sc2_get_gpc0>sc2_get_gpc0 – Sticky counter: get General Purpose Counter value</sc2_get_gpc0>
-                        <sc2_get_gpc1>sc2_get_gpc1 – Sticky counter: get General Purpose Counter value</sc2_get_gpc1>
-                        <sc_get_gpt>sc_get_gpt – Sticky counter: get General Purpose Tag value</sc_get_gpt>
-                        <sc_get_gpt0>sc_get_gpt0 – Sticky counter: get General Purpose Tag value</sc_get_gpt0>
-                        <sc0_get_gpt0>sc0_get_gpt0 – Sticky counter: get General Purpose Tag value</sc0_get_gpt0>
-                        <sc1_get_gpt0>sc1_get_gpt0 – Sticky counter: get General Purpose Tag value</sc1_get_gpt0>
-                        <sc2_get_gpt0>sc2_get_gpt0 – Sticky counter: get General Purpose Tag value</sc2_get_gpt0>
-                        <sc_glitch_cnt>sc_glitch_cnt – Sticky counter: cumulative number of glitches</sc_glitch_cnt>
-                        <sc_glitch_rate>sc_glitch_rate – Sticky counter: rate of glitches</sc_glitch_rate>
-                        <sc_gpc_rate>sc_gpc_rate – Sticky counter: increment rate of General Purpose Counter</sc_gpc_rate>
-                        <sc_gpc0_rate>sc_gpc0_rate – Sticky counter: increment rate of General Purpose Counter</sc_gpc0_rate>
-                        <sc_gpc1_rate>sc_gpc1_rate – Sticky counter: increment rate of General Purpose Counter</sc_gpc1_rate>
-                        <sc0_gpc0_rate>sc0_gpc0_rate – Sticky counter: increment rate of General Purpose Counter</sc0_gpc0_rate>
-                        <sc0_gpc1_rate>sc0_gpc1_rate – Sticky counter: increment rate of General Purpose Counter</sc0_gpc1_rate>
-                        <sc1_gpc0_rate>sc1_gpc0_rate – Sticky counter: increment rate of General Purpose Counter</sc1_gpc0_rate>
-                        <sc1_gpc1_rate>sc1_gpc1_rate – Sticky counter: increment rate of General Purpose Counter</sc1_gpc1_rate>
-                        <sc2_gpc0_rate>sc2_gpc0_rate – Sticky counter: increment rate of General Purpose Counter</sc2_gpc0_rate>
-                        <sc2_gpc1_rate>sc2_gpc1_rate – Sticky counter: increment rate of General Purpose Counter</sc2_gpc1_rate>
-                        <sc_http_err_cnt>sc_http_err_cnt – Sticky counter: cumulative number of HTTP errors</sc_http_err_cnt>
-                        <sc_http_err_rate>sc_http_err_rate – Sticky counter: rate of HTTP errors</sc_http_err_rate>
-                        <sc_http_fail_cnt>sc_http_fail_cnt – Sticky counter: cumulative number of HTTP failures</sc_http_fail_cnt>
-                        <sc_http_fail_rate>sc_http_fail_rate – Sticky counter: rate of HTTP failures</sc_http_fail_rate>
-                        <sc_http_req_cnt>sc_http_req_cnt – Sticky counter: cumulative number of HTTP requests</sc_http_req_cnt>
-                        <sc_http_req_rate>sc_http_req_rate – Sticky counter: rate of HTTP requests</sc_http_req_rate>
-                        <sc_inc_gpc>sc_inc_gpc – Sticky counter: increment General Purpose Counter</sc_inc_gpc>
-                        <sc_inc_gpc0>sc_inc_gpc0 – Sticky counter: increment General Purpose Counter</sc_inc_gpc0>
-                        <sc_inc_gpc1>sc_inc_gpc1 – Sticky counter: increment General Purpose Counter</sc_inc_gpc1>
-                        <sc0_inc_gpc0>sc0_inc_gpc0 – Sticky counter: increment General Purpose Counter</sc0_inc_gpc0>
-                        <sc0_inc_gpc1>sc0_inc_gpc1 – Sticky counter: increment General Purpose Counter</sc0_inc_gpc1>
-                        <sc1_inc_gpc0>sc1_inc_gpc0 – Sticky counter: increment General Purpose Counter</sc1_inc_gpc0>
-                        <sc1_inc_gpc1>sc1_inc_gpc1 – Sticky counter: increment General Purpose Counter</sc1_inc_gpc1>
-                        <sc2_inc_gpc0>sc2_inc_gpc0 – Sticky counter: increment General Purpose Counter</sc2_inc_gpc0>
-                        <sc2_inc_gpc1>sc2_inc_gpc1 – Sticky counter: increment General Purpose Counter</sc2_inc_gpc1>
-                        <sc_sess_cnt>sc_sess_cnt – Sticky counter: cumulative number of sessions</sc_sess_cnt>
-                        <sc_sess_rate>sc_sess_rate – Sticky counter: session rate</sc_sess_rate>
-                        <src>src – Source IP matches specified IP</src>
-                        <src_bytes_in_rate>src_bytes_in_rate – Source IP: incoming bytes rate</src_bytes_in_rate>
-                        <src_bytes_out_rate>src_bytes_out_rate – Source IP: outgoing bytes rate</src_bytes_out_rate>
-                        <src_clr_gpc>src_clr_gpc – Source IP: clear General Purpose Counter</src_clr_gpc>
-                        <src_clr_gpc0>src_clr_gpc0 – Source IP: clear General Purpose Counter</src_clr_gpc0>
-                        <src_clr_gpc1>src_clr_gpc1 – Source IP: clear General Purpose Counter</src_clr_gpc1>
-                        <src_conn_cnt>src_conn_cnt – Source IP: cumulative number of connections</src_conn_cnt>
-                        <src_conn_cur>src_conn_cur – Source IP: concurrent connections</src_conn_cur>
-                        <src_conn_rate>src_conn_rate – Source IP: connection rate</src_conn_rate>
-                        <src_get_gpc>src_get_gpc – Source IP: get General Purpose Counter value</src_get_gpc>
-                        <src_get_gpc0>src_get_gpc0 – Source IP: get General Purpose Counter value</src_get_gpc0>
-                        <src_get_gpc1>src_get_gpc1 – Source IP: get General Purpose Counter value</src_get_gpc1>
-                        <src_get_gpt>src_get_gpt – Source IP: get General Purpose Tag value</src_get_gpt>
-                        <src_glitch_cnt>src_glitch_cnt – Source IP: cumulative number of glitches</src_glitch_cnt>
-                        <src_glitch_rate>src_glitch_rate – Source IP: rate of glitches</src_glitch_rate>
-                        <src_gpc_rate>src_gpc_rate – Source IP: increment rate of General Purpose Counter</src_gpc_rate>
-                        <src_gpc0_rate>src_gpc0_rate – Source IP: increment rate of General Purpose Counter</src_gpc0_rate>
-                        <src_gpc1_rate>src_gpc1_rate – Source IP: increment rate of General Purpose Counter</src_gpc1_rate>
-                        <src_http_err_cnt>src_http_err_cnt – Source IP: cumulative number of HTTP errors</src_http_err_cnt>
-                        <src_http_err_rate>src_http_err_rate – Source IP: rate of HTTP errors</src_http_err_rate>
-                        <src_http_fail_cnt>src_http_fail_cnt – Source IP: cumulative number of HTTP failures</src_http_fail_cnt>
-                        <src_http_fail_rate>src_http_fail_rate – Source IP: rate of HTTP failures</src_http_fail_rate>
-                        <src_http_req_cnt>src_http_req_cnt – Source IP: number of HTTP requests</src_http_req_cnt>
-                        <src_http_req_rate>src_http_req_rate – Source IP: rate of HTTP requests</src_http_req_rate>
-                        <src_inc_gpc>src_inc_gpc – Source IP: increment General Purpose Counter</src_inc_gpc>
-                        <src_inc_gpc0>src_inc_gpc0 – Source IP: increment General Purpose Counter</src_inc_gpc0>
-                        <src_inc_gpc1>src_inc_gpc1 – Source IP: increment General Purpose Counter</src_inc_gpc1>
-                        <src_is_local>src_is_local – Source IP is local</src_is_local>
-                        <src_kbytes_in>src_kbytes_in – Source IP: amount of data received (in kilobytes)</src_kbytes_in>
-                        <src_kbytes_out>src_kbytes_out – Source IP: amount of data sent (in kilobytes)</src_kbytes_out>
-                        <src_port>src_port – Source IP: TCP source port</src_port>
-                        <src_sess_cnt>src_sess_cnt – Source IP: cumulative number of sessions</src_sess_cnt>
-                        <src_sess_rate>src_sess_rate – Source IP: session rate</src_sess_rate>
-                        <ssl_c_ca_commonname>ssl_c_ca_commonname – SSL Client certificate issued by CA common-name</ssl_c_ca_commonname>
-                        <ssl_c_verify_code>ssl_c_verify_code – SSL Client certificate verify error result</ssl_c_verify_code>
-                        <ssl_c_verify>ssl_c_verify – SSL Client certificate is valid</ssl_c_verify>
-                        <ssl_fc_sni>ssl_fc_sni – SNI TLS extension matches (locally deciphered)</ssl_fc_sni>
-                        <ssl_fc>ssl_fc – Traffic is SSL (locally deciphered)</ssl_fc>
-                        <ssl_hello_type>ssl_hello_type – SSL Hello Type</ssl_hello_type>
-                        <ssl_sni_beg>ssl_sni_beg – SNI TLS extension starts with (TCP request content inspection)</ssl_sni_beg>
-                        <ssl_sni_end>ssl_sni_end – SNI TLS extension ends with (TCP request content inspection)</ssl_sni_end>
-                        <ssl_sni_reg>ssl_sni_reg – SNI TLS extension regex (TCP request content inspection)</ssl_sni_reg>
-                        <ssl_sni>ssl_sni – SNI TLS extension matches (TCP request content inspection)</ssl_sni>
-                        <ssl_sni_sub>ssl_sni_sub – SNI TLS extension contains (TCP request content inspection)</ssl_sni_sub>
-                        <stopping>stopping – HAProxy process is currently stopping</stopping>
-                        <url_param>url_param – URL parameter contains</url_param>
-                        <var>var – Compare the value of a variable</var>
-                        <wait_end>wait_end – Inspection period is over</wait_end>
+                        <cust_hdr_beg>hdr_beg - specified HTTP Header starts with</cust_hdr_beg>
+                        <cust_hdr_end>hdr_end - specified HTTP Header ends with</cust_hdr_end>
+                        <cust_hdr>hdr - specified HTTP Header matches</cust_hdr>
+                        <cust_hdr_reg>hdr_reg - specified HTTP Header regex</cust_hdr_reg>
+                        <cust_hdr_sub>hdr_sub - specified HTTP Header contains</cust_hdr_sub>
+                        <hdr_beg>hdr_beg - HTTP Host Header starts with</hdr_beg>
+                        <hdr_end>hdr_end - HTTP Host Header ends with</hdr_end>
+                        <hdr>hdr - HTTP Host Header matches</hdr>
+                        <hdr_reg>hdr_reg - HTTP Host Header regex</hdr_reg>
+                        <hdr_sub>hdr_sub - HTTP Host Header contains</hdr_sub>
+                        <http_auth>http_auth - HTTP Basic Auth: username/password from client matches selected User/Group</http_auth>
+                        <http_method>http_method - HTTP Method</http_method>
+                        <nbsrv>nbsrv - Minimum number of usable servers in backend</nbsrv>
+                        <path_beg>path_beg - Path starts with</path_beg>
+                        <path_dir>path_dir - Path contains subdir</path_dir>
+                        <path_end>path_end - Path ends with</path_end>
+                        <path>path - Path matches</path>
+                        <path_reg>path_reg - Path regex</path_reg>
+                        <path_sub>path_sub - Path contains string</path_sub>
+                        <quic_enabled>quic_enabled - QUIC transport protocol is enabled</quic_enabled>
+                        <traffic_is_http>req.proto_http - Traffic is HTTP</traffic_is_http>
+                        <traffic_is_ssl>req.ssl_ver - Traffic is SSL (TCP request content inspection)</traffic_is_ssl>
+                        <sc_bytes_in_rate>sc_bytes_in_rate - Sticky counter: incoming bytes rate</sc_bytes_in_rate>
+                        <sc_bytes_out_rate>sc_bytes_out_rate - Sticky counter: outgoing bytes rate</sc_bytes_out_rate>
+                        <sc_clr_gpc>sc_clr_gpc - Sticky counter: clear General Purpose Counter</sc_clr_gpc>
+                        <sc_clr_gpc0>sc_clr_gpc0 - Sticky counter: clear General Purpose Counter</sc_clr_gpc0>
+                        <sc_clr_gpc1>sc_clr_gpc1 - Sticky counter: clear General Purpose Counter</sc_clr_gpc1>
+                        <sc0_clr_gpc0>sc0_clr_gpc0 - Sticky counter: clear General Purpose Counter</sc0_clr_gpc0>
+                        <sc0_clr_gpc1>sc0_clr_gpc1 - Sticky counter: clear General Purpose Counter</sc0_clr_gpc1>
+                        <sc1_clr_gpc>sc1_clr_gpc - Sticky counter: clear General Purpose Counter</sc1_clr_gpc>
+                        <sc1_clr_gpc0>sc1_clr_gpc0 - Sticky counter: clear General Purpose Counter</sc1_clr_gpc0>
+                        <sc1_clr_gpc1>sc1_clr_gpc1 - Sticky counter: clear General Purpose Counter</sc1_clr_gpc1>
+                        <sc2_clr_gpc>sc2_clr_gpc - Sticky counter: clear General Purpose Counter</sc2_clr_gpc>
+                        <sc2_clr_gpc0>sc2_clr_gpc0 - Sticky counter: clear General Purpose Counter</sc2_clr_gpc0>
+                        <sc2_clr_gpc1>sc2_clr_gpc1 - Sticky counter: clear General Purpose Counter</sc2_clr_gpc1>
+                        <sc_conn_cnt>sc_conn_cnt - Sticky counter: cumulative number of connections</sc_conn_cnt>
+                        <sc_conn_cur>sc_conn_cur - Sticky counter: concurrent connections</sc_conn_cur>
+                        <sc_conn_rate>sc_conn_rate - Sticky counter: connection rate</sc_conn_rate>
+                        <sc_get_gpc>sc_get_gpc - Sticky counter: get General Purpose Counter value</sc_get_gpc>
+                        <sc_get_gpc0>sc_get_gpc0 - Sticky counter: get General Purpose Counter value</sc_get_gpc0>
+                        <sc_get_gpc1>sc_get_gpc1 - Sticky counter: get General Purpose Counter value</sc_get_gpc1>
+                        <sc0_get_gpc0>sc0_get_gpc0 - Sticky counter: get General Purpose Counter value</sc0_get_gpc0>
+                        <sc0_get_gpc1>sc0_get_gpc1 - Sticky counter: get General Purpose Counter value</sc0_get_gpc1>
+                        <sc1_get_gpc0>sc1_get_gpc0 - Sticky counter: get General Purpose Counter value</sc1_get_gpc0>
+                        <sc1_get_gpc1>sc1_get_gpc1 - Sticky counter: get General Purpose Counter value</sc1_get_gpc1>
+                        <sc2_get_gpc0>sc2_get_gpc0 - Sticky counter: get General Purpose Counter value</sc2_get_gpc0>
+                        <sc2_get_gpc1>sc2_get_gpc1 - Sticky counter: get General Purpose Counter value</sc2_get_gpc1>
+                        <sc_get_gpt>sc_get_gpt - Sticky counter: get General Purpose Tag value</sc_get_gpt>
+                        <sc_get_gpt0>sc_get_gpt0 - Sticky counter: get General Purpose Tag value</sc_get_gpt0>
+                        <sc0_get_gpt0>sc0_get_gpt0 - Sticky counter: get General Purpose Tag value</sc0_get_gpt0>
+                        <sc1_get_gpt0>sc1_get_gpt0 - Sticky counter: get General Purpose Tag value</sc1_get_gpt0>
+                        <sc2_get_gpt0>sc2_get_gpt0 - Sticky counter: get General Purpose Tag value</sc2_get_gpt0>
+                        <sc_glitch_cnt>sc_glitch_cnt - Sticky counter: cumulative number of glitches</sc_glitch_cnt>
+                        <sc_glitch_rate>sc_glitch_rate - Sticky counter: rate of glitches</sc_glitch_rate>
+                        <sc_gpc_rate>sc_gpc_rate - Sticky counter: increment rate of General Purpose Counter</sc_gpc_rate>
+                        <sc_gpc0_rate>sc_gpc0_rate - Sticky counter: increment rate of General Purpose Counter</sc_gpc0_rate>
+                        <sc_gpc1_rate>sc_gpc1_rate - Sticky counter: increment rate of General Purpose Counter</sc_gpc1_rate>
+                        <sc0_gpc0_rate>sc0_gpc0_rate - Sticky counter: increment rate of General Purpose Counter</sc0_gpc0_rate>
+                        <sc0_gpc1_rate>sc0_gpc1_rate - Sticky counter: increment rate of General Purpose Counter</sc0_gpc1_rate>
+                        <sc1_gpc0_rate>sc1_gpc0_rate - Sticky counter: increment rate of General Purpose Counter</sc1_gpc0_rate>
+                        <sc1_gpc1_rate>sc1_gpc1_rate - Sticky counter: increment rate of General Purpose Counter</sc1_gpc1_rate>
+                        <sc2_gpc0_rate>sc2_gpc0_rate - Sticky counter: increment rate of General Purpose Counter</sc2_gpc0_rate>
+                        <sc2_gpc1_rate>sc2_gpc1_rate - Sticky counter: increment rate of General Purpose Counter</sc2_gpc1_rate>
+                        <sc_http_err_cnt>sc_http_err_cnt - Sticky counter: cumulative number of HTTP errors</sc_http_err_cnt>
+                        <sc_http_err_rate>sc_http_err_rate - Sticky counter: rate of HTTP errors</sc_http_err_rate>
+                        <sc_http_fail_cnt>sc_http_fail_cnt - Sticky counter: cumulative number of HTTP failures</sc_http_fail_cnt>
+                        <sc_http_fail_rate>sc_http_fail_rate - Sticky counter: rate of HTTP failures</sc_http_fail_rate>
+                        <sc_http_req_cnt>sc_http_req_cnt - Sticky counter: cumulative number of HTTP requests</sc_http_req_cnt>
+                        <sc_http_req_rate>sc_http_req_rate - Sticky counter: rate of HTTP requests</sc_http_req_rate>
+                        <sc_inc_gpc>sc_inc_gpc - Sticky counter: increment General Purpose Counter</sc_inc_gpc>
+                        <sc_inc_gpc0>sc_inc_gpc0 - Sticky counter: increment General Purpose Counter</sc_inc_gpc0>
+                        <sc_inc_gpc1>sc_inc_gpc1 - Sticky counter: increment General Purpose Counter</sc_inc_gpc1>
+                        <sc0_inc_gpc0>sc0_inc_gpc0 - Sticky counter: increment General Purpose Counter</sc0_inc_gpc0>
+                        <sc0_inc_gpc1>sc0_inc_gpc1 - Sticky counter: increment General Purpose Counter</sc0_inc_gpc1>
+                        <sc1_inc_gpc0>sc1_inc_gpc0 - Sticky counter: increment General Purpose Counter</sc1_inc_gpc0>
+                        <sc1_inc_gpc1>sc1_inc_gpc1 - Sticky counter: increment General Purpose Counter</sc1_inc_gpc1>
+                        <sc2_inc_gpc0>sc2_inc_gpc0 - Sticky counter: increment General Purpose Counter</sc2_inc_gpc0>
+                        <sc2_inc_gpc1>sc2_inc_gpc1 - Sticky counter: increment General Purpose Counter</sc2_inc_gpc1>
+                        <sc_sess_cnt>sc_sess_cnt - Sticky counter: cumulative number of sessions</sc_sess_cnt>
+                        <sc_sess_rate>sc_sess_rate - Sticky counter: session rate</sc_sess_rate>
+                        <src>src - Source IP matches specified IP</src>
+                        <src_bytes_in_rate>src_bytes_in_rate - Source IP: incoming bytes rate</src_bytes_in_rate>
+                        <src_bytes_out_rate>src_bytes_out_rate - Source IP: outgoing bytes rate</src_bytes_out_rate>
+                        <src_clr_gpc>src_clr_gpc - Source IP: clear General Purpose Counter</src_clr_gpc>
+                        <src_clr_gpc0>src_clr_gpc0 - Source IP: clear General Purpose Counter</src_clr_gpc0>
+                        <src_clr_gpc1>src_clr_gpc1 - Source IP: clear General Purpose Counter</src_clr_gpc1>
+                        <src_conn_cnt>src_conn_cnt - Source IP: cumulative number of connections</src_conn_cnt>
+                        <src_conn_cur>src_conn_cur - Source IP: concurrent connections</src_conn_cur>
+                        <src_conn_rate>src_conn_rate - Source IP: connection rate</src_conn_rate>
+                        <src_get_gpc>src_get_gpc - Source IP: get General Purpose Counter value</src_get_gpc>
+                        <src_get_gpc0>src_get_gpc0 - Source IP: get General Purpose Counter value</src_get_gpc0>
+                        <src_get_gpc1>src_get_gpc1 - Source IP: get General Purpose Counter value</src_get_gpc1>
+                        <src_get_gpt>src_get_gpt - Source IP: get General Purpose Tag value</src_get_gpt>
+                        <src_glitch_cnt>src_glitch_cnt - Source IP: cumulative number of glitches</src_glitch_cnt>
+                        <src_glitch_rate>src_glitch_rate - Source IP: rate of glitches</src_glitch_rate>
+                        <src_gpc_rate>src_gpc_rate - Source IP: increment rate of General Purpose Counter</src_gpc_rate>
+                        <src_gpc0_rate>src_gpc0_rate - Source IP: increment rate of General Purpose Counter</src_gpc0_rate>
+                        <src_gpc1_rate>src_gpc1_rate - Source IP: increment rate of General Purpose Counter</src_gpc1_rate>
+                        <src_http_err_cnt>src_http_err_cnt - Source IP: cumulative number of HTTP errors</src_http_err_cnt>
+                        <src_http_err_rate>src_http_err_rate - Source IP: rate of HTTP errors</src_http_err_rate>
+                        <src_http_fail_cnt>src_http_fail_cnt - Source IP: cumulative number of HTTP failures</src_http_fail_cnt>
+                        <src_http_fail_rate>src_http_fail_rate - Source IP: rate of HTTP failures</src_http_fail_rate>
+                        <src_http_req_cnt>src_http_req_cnt - Source IP: number of HTTP requests</src_http_req_cnt>
+                        <src_http_req_rate>src_http_req_rate - Source IP: rate of HTTP requests</src_http_req_rate>
+                        <src_inc_gpc>src_inc_gpc - Source IP: increment General Purpose Counter</src_inc_gpc>
+                        <src_inc_gpc0>src_inc_gpc0 - Source IP: increment General Purpose Counter</src_inc_gpc0>
+                        <src_inc_gpc1>src_inc_gpc1 - Source IP: increment General Purpose Counter</src_inc_gpc1>
+                        <src_is_local>src_is_local - Source IP is local</src_is_local>
+                        <src_kbytes_in>src_kbytes_in - Source IP: amount of data received (in kilobytes)</src_kbytes_in>
+                        <src_kbytes_out>src_kbytes_out - Source IP: amount of data sent (in kilobytes)</src_kbytes_out>
+                        <src_port>src_port - Source IP: TCP source port</src_port>
+                        <src_sess_cnt>src_sess_cnt - Source IP: cumulative number of sessions</src_sess_cnt>
+                        <src_sess_rate>src_sess_rate - Source IP: session rate</src_sess_rate>
+                        <ssl_c_ca_commonname>ssl_c_ca_commonname - SSL Client certificate issued by CA common-name</ssl_c_ca_commonname>
+                        <ssl_c_verify_code>ssl_c_verify_code - SSL Client certificate verify error result</ssl_c_verify_code>
+                        <ssl_c_verify>ssl_c_verify - SSL Client certificate is valid</ssl_c_verify>
+                        <ssl_fc_sni>ssl_fc_sni - SNI TLS extension matches (locally deciphered)</ssl_fc_sni>
+                        <ssl_fc>ssl_fc - Traffic is SSL (locally deciphered)</ssl_fc>
+                        <ssl_hello_type>ssl_hello_type - SSL Hello Type</ssl_hello_type>
+                        <ssl_sni_beg>ssl_sni_beg - SNI TLS extension starts with (TCP request content inspection)</ssl_sni_beg>
+                        <ssl_sni_end>ssl_sni_end - SNI TLS extension ends with (TCP request content inspection)</ssl_sni_end>
+                        <ssl_sni_reg>ssl_sni_reg - SNI TLS extension regex (TCP request content inspection)</ssl_sni_reg>
+                        <ssl_sni>ssl_sni - SNI TLS extension matches (TCP request content inspection)</ssl_sni>
+                        <ssl_sni_sub>ssl_sni_sub - SNI TLS extension contains (TCP request content inspection)</ssl_sni_sub>
+                        <stopping>stopping - HAProxy process is currently stopping</stopping>
+                        <url_param>url_param - URL parameter contains</url_param>
+                        <var>var - Compare the value of a variable</var>
+                        <wait_end>wait_end - Inspection period is over</wait_end>
                         <custom_acl>Custom condition (option pass-through)</custom_acl>
                     </OptionValues>
                 </expression>
@@ -3496,7 +3496,7 @@
         <actions>
             <action type="ArrayField">
                 <enabled type="BooleanField">
-                    <default>1</default>
+                    <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
@@ -4352,13 +4352,13 @@
                     <Required>Y</Required>
                     <Default>dom</Default>
                     <OptionValues>
-                        <beg>beg – key begins with requested value</beg>
-                        <dom>dom – Domains</dom>
-                        <end>end – key ends with requested value</end>
-                        <int>int – Integers</int>
-                        <ip>ip – IPs</ip>
-                        <reg>reg – Regular Expressions</reg>
-                        <str>str – Strings</str>
+                        <beg>beg - key begins with requested value</beg>
+                        <dom>dom - Domains</dom>
+                        <end>end - key ends with requested value</end>
+                        <int>int - Integers</int>
+                        <ip>ip - IPs</ip>
+                        <reg>reg - Regular Expressions</reg>
+                        <str>str - Strings</str>
                     </OptionValues>
                 </type>
                 <content type="TextField">
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
index 04f55aae85..9546c29eee 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M5_0_0.php
@@ -223,7 +223,7 @@ public function run($model)
                         $action->http_response_option = (string)$action->http_response_set_status_code . $status_reason;
                         $action->http_response_set_status_code = null;
                         $action->http_response_set_status_reason = null;
-                  }
+                    }
                     break;
                 case 'http-response_set-var':
                     $action->type = 'http-response';

From 92fb6dcb2d2f9462a47cac0c95af70bf42d21f3e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Feb 2026 07:51:37 +0100
Subject: [PATCH 2966/3088] security/q-feeds-connector: wrap up this revision

---
 security/q-feeds-connector/Makefile                             | 1 +
 security/q-feeds-connector/pkg-descr                            | 1 +
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py  | 2 +-
 .../src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py        | 2 +-
 4 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index ae71aa8ba9..70ee9f0eb8 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		q-feeds-connector
 PLUGIN_VERSION=		1.4
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
 PLUGIN_TIER=		2
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 789ff86635..08c3c9cb70 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -6,6 +6,7 @@ Plugin Changelog
 1.4
 
 * Feature: Added DNSCrypt-Proxy integration
+* Bugfix: Track loaded lists when deselected and reload Unbounds blocklist in that case
 
 1.3
 
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
index 64190d6e0d..7973d59f4c 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
@@ -1,7 +1,7 @@
 #!/usr/local/bin/python3
 
 """
-    Copyright (c) 2025-2026 Deciso B.V.
+    Copyright (c) 2025 Deciso B.V.
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without
diff --git a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
index 8d2f2c955d..d880d1e863 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
@@ -1,7 +1,7 @@
 #!/usr/local/bin/python3
 
 """
-    Copyright (c) 2025 Deciso B.V.
+    Copyright (c) 2025-2026 Deciso B.V.
     All rights reserved.
 
     Redistribution and use in source and binary forms, with or without

From 59d158e93a252d39324cb5cc8d0739e318a604ad Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 9 Feb 2026 07:52:45 +0100
Subject: [PATCH 2967/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index 8544019fd7..c0b094a0dc 100644
--- a/LICENSE
+++ b/LICENSE
@@ -31,7 +31,7 @@ Copyright (c) 2019 Felix Matouschek <felix@matouschek.org>
 Copyright (c) 2025 Florian Latifi
 Copyright (c) 2024 Francisco Dimattia <info@tecnoservicio.com.ar>
 Copyright (c) 2014-2025 Franco Fichtner <franco@opnsense.org>
-Copyright (c) 2016-2025 Frank Wall
+Copyright (c) 2016-2026 Frank Wall
 Copyright (c) 2021 Github-jjw
 Copyright (c) 2023 Greg Glockner <greg@glockners.net>
 Copyright (c) 2024 Hasan Ucak <hasan@sunnyvalley.io>

From f64be105b0d5fbff5df0f7ab1d7b933e7c03159c Mon Sep 17 00:00:00 2001
From: Q-Feeds <support@qfeeds.com>
Date: Mon, 9 Feb 2026 10:52:52 +0100
Subject: [PATCH 2968/3088] Fix: Strip whitespace from API token to prevent 401
 authentication errors (#5203)

---
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
index 6f2bb6a3cb..749abeec92 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
@@ -37,7 +37,7 @@ def __init__(self):
             cnf = ConfigParser()
             cnf.read(config_filename)
             if cnf.has_section('api') and cnf.has_option('api', 'key'):
-                self.api_key = cnf.get('api', 'key')
+                self.api_key = cnf.get('api', 'key').strip()
 
 
 class Api:

From 0a6ed55f61db280d99ca98f12896ab253b807b2d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 9 Feb 2026 11:27:46 +0100
Subject: [PATCH 2969/3088] security/acme-client: release 4.14

---
 security/acme-client/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 9f8906b31e..3d9fa6fafb 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.13
+PLUGIN_VERSION=		4.14
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 911c1ab5fca860b884386e4fccec2a42b3e8a0cd Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 9 Feb 2026 11:48:11 +0100
Subject: [PATCH 2970/3088] security/acme-client: fix class name of Google
 Domains DNS API

---
 security/acme-client/pkg-descr                               | 5 +++++
 .../OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php    | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 9fbe37ce3b..b3df214a1b 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.14
+
+Fixed:
+* fix class name of Google Domains DNS API (to make PHP linter happy)
+
 4.13
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php
index d6119cad62..f367ff319e 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsGoogledomains.php
@@ -34,7 +34,7 @@
  * Google Domains DNS API
  * @package OPNsense\AcmeClient
  */
-class DnsGoogleDomains extends Base implements LeValidationInterface
+class DnsGoogledomains extends Base implements LeValidationInterface
 {
     public function prepare()
     {

From 3aa7c39481e8e9218ee716d67246da5e04255644 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 9 Feb 2026 17:04:33 +0100
Subject: [PATCH 2971/3088] net/haproxy: support new map file type "sub"

---
 net/haproxy/pkg-descr                                           | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 0af36b5e2a..75ae2c0e46 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -18,7 +18,7 @@ Added:
 * add new condition: HTTP method
 * support custom HTTP status code in "http-request deny" rules
 * add new backend option to control PROXY protocol for health checks (#2909)
-* add support for new map file types: beg,end,int,ip,reg,str (#3641)
+* add support for new map file types: beg,end,int,ip,reg,str,sub (#3641)
 * add support for more sample fetches: quic_enabled, stopping, wait_end (#3702)
 * add support for HTTP compression (#4867)
 * add all action keywords for http-request/-response and tcp-request/-response rules
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index fb4a4b8e0e..b6ee4174e9 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -4359,6 +4359,7 @@
                         <ip>ip - IPs</ip>
                         <reg>reg - Regular Expressions</reg>
                         <str>str - Strings</str>
+                        <sub>sub - substring matches requested value</sub>
                     </OptionValues>
                 </type>
                 <content type="TextField">

From 6c779f06903c0c2d9e1198095638a61cbaca7173 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 9 Feb 2026 23:26:26 +0100
Subject: [PATCH 2972/3088] net/haproxy: fix syntax of set-var-fmt

---
 .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf    | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index bf0ad72d8a..e722821ee6 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -1499,6 +1499,8 @@
 {%               set action_keyword_data = 'lua.' ~ action_data.http_request_option %}
 {%             elif action_data.http_request_action == 'set-var' %}
 {%               set action_keyword_data = 'set-var' ~ action_data.http_request_option %}
+{%             elif action_data.http_request_action == 'set-var-fmt' %}
+{%               set action_keyword_data = 'set-var-fmt' ~ action_data.http_request_option %}
 {%             elif action_data.http_request_action == 'use-service' %}
 {%               set action_keyword_data = 'use-service lua.' ~ action_data.http_request_option %}
 {%             else %}

From 85f1bb94bf292e031fd006728c9db49a6b9ae2be Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 10 Feb 2026 11:30:50 +0100
Subject: [PATCH 2973/3088] www/web-proxy-sso: model style

---
 .../mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml         | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
index 85760d9271..fade5a5510 100644
--- a/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
+++ b/www/web-proxy-sso/src/opnsense/mvc/app/models/OPNsense/ProxySSO/ProxySSO.xml
@@ -1,8 +1,6 @@
 <model>
     <mount>//OPNsense/ProxySSO</mount>
-    <description>
-    Web-proxy Single Sign-On plugin
-</description>
+    <description>Web-proxy Single Sign-On plugin</description>
     <items>
         <EnableSSO type="BooleanField">
             <Default>0</Default>
@@ -16,8 +14,6 @@
                 <W2008>Windows 2008 with AES</W2008>
             </OptionValues>
         </ADKerberosImplementation>
-        <KerberosHostName type="TextField">
-            <Required>N</Required>
-        </KerberosHostName>
+        <KerberosHostName type="TextField"/>
     </items>
 </model>

From fb59f87e9993ce9894669309db74a0bffdc93328 Mon Sep 17 00:00:00 2001
From: Andrei Hodorog <andrei@xpreflect.co.uk>
Date: Tue, 10 Feb 2026 15:31:42 +0000
Subject: [PATCH 2974/3088]  dns/dnscrypt-proxy: fix bootstrap_resolvers with
 multiple comma-separated servers (#5163)

When multiple bootstrap resolvers are configured in the "Fallback Resolver"
field (e.g., "1.1.1.1:53,9.9.9.9:53"), the generated config incorrectly
places the comma inside a single string:

  bootstrap_resolvers = ['1.1.1.1:53,9.9.9.9:53']

This causes dnscrypt-proxy to fail with:

  [FATAL] Bootstrap resolver [...]: Host does not parse as IP '1.1.1.1:53,9.9.9.9:53'

The fix applies the same split/join pattern already used for listen_addresses,
server_names, disabled_server_names, and relaylist in the same template:

  bootstrap_resolvers = ['1.1.1.1:53','9.9.9.9:53']

This bug was introduced in commit 1eec51a65 which renamed fallback_resolver
to bootstrap_resolvers but did not update the template syntax from a single
string to a TOML array format.
---
 .../templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
index 84d98ff086..7f19af4f94 100644
--- a/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
+++ b/dns/dnscrypt-proxy/src/opnsense/service/templates/OPNsense/Dnscryptproxy/dnscrypt-proxy.toml
@@ -95,7 +95,7 @@ tls_disable_session_tickets = true
 tls_disable_session_tickets = false
 {%   endif %}
 
-bootstrap_resolvers = ['{{ OPNsense.dnscryptproxy.general.fallback_resolver }}']
+bootstrap_resolvers = ['{{ OPNsense.dnscryptproxy.general.fallback_resolver.split(',') | join("','") }}']
 
 {%   if helpers.exists('OPNsense.dnscryptproxy.general.ignore_system_dns') and OPNsense.dnscryptproxy.general.ignore_system_dns == '1' %}
 ignore_system_dns = true

From cca920acb0f5925b2451999ea39baaef67f2cecc Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 10 Feb 2026 17:04:38 +0100
Subject: [PATCH 2975/3088] net/haproxy: support converts in more ACLs

---
 net/haproxy/pkg-descr                         |  5 ++
 .../templates/OPNsense/HAProxy/haproxy.conf   | 77 ++++++++++++++++---
 2 files changed, 71 insertions(+), 11 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 75ae2c0e46..e7c26f768f 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+5.1
+
+Added:
+* more conditions have support for converters
+
 5.0
 
 WARNING: This is a new major release, which may result in
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index e722821ee6..2e9c90d76a 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -448,7 +448,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_conn_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_conn_cnt_comparison ~ ' ' ~ acl_data.sc_conn_cnt) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_conn_cnt(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_conn_cnt_comparison ~ ' ' ~ acl_data.sc_conn_cnt) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -460,7 +465,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_conn_cur(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_conn_cur_comparison ~ ' ' ~ acl_data.sc_conn_cur) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_conn_cur(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_conn_cur_comparison ~ ' ' ~ acl_data.sc_conn_cur) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -472,7 +482,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_conn_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_conn_rate_comparison ~ ' ' ~ acl_data.sc_conn_rate) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_conn_rate(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_conn_rate_comparison ~ ' ' ~ acl_data.sc_conn_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -784,7 +799,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_http_err_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_err_cnt_comparison ~ ' ' ~ acl_data.sc_http_err_cnt) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_err_cnt(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_http_err_cnt_comparison ~ ' ' ~ acl_data.sc_http_err_cnt) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -796,7 +816,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_http_err_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_err_rate_comparison ~ ' ' ~ acl_data.sc_http_err_rate) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_err_rate(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_http_err_rate_comparison ~ ' ' ~ acl_data.sc_http_err_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -808,7 +833,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_http_fail_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_fail_cnt_comparison ~ ' ' ~ acl_data.sc_http_fail_cnt) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_fail_cnt(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_http_fail_cnt_comparison ~ ' ' ~ acl_data.sc_http_fail_cnt) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -820,7 +850,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_http_fail_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_fail_rate_comparison ~ ' ' ~ acl_data.sc_http_fail_rate) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_fail_rate(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_http_fail_rate_comparison ~ ' ' ~ acl_data.sc_http_fail_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -832,7 +867,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_http_req_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_req_cnt_comparison ~ ' ' ~ acl_data.sc_http_req_cnt) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_req_cnt(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_http_req_cnt_comparison ~ ' ' ~ acl_data.sc_http_req_cnt) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -844,7 +884,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_http_req_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_http_req_rate_comparison ~ ' ' ~ acl_data.sc_http_req_rate) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_http_req_rate(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_http_req_rate_comparison ~ ' ' ~ acl_data.sc_http_req_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -964,7 +1009,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_sess_cnt(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_sess_cnt_comparison ~ ' ' ~ acl_data.sc_sess_cnt) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_sess_cnt(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_sess_cnt_comparison ~ ' ' ~ acl_data.sc_sess_cnt) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
@@ -976,7 +1026,12 @@
 {%                 else %}
 {%                   set table_data = '' %}
 {%                 endif %}
-{%                 do acl_options.append('sc_sess_rate(' ~ acl_data.sc_number ~ table_data ~ ') ' ~ acl_data.sc_sess_rate_comparison ~ ' ' ~ acl_data.sc_sess_rate) %}
+{%                 if acl_data.converter|default("") != "" %}
+{%                   set converter_data = ',' ~ acl_data.converter %}
+{%                 else %}
+{%                   set converter_data = '' %}
+{%                 endif %}
+{%                 do acl_options.append('sc_sess_rate(' ~ acl_data.sc_number ~ table_data ~ ')' ~ converter_data ~ ' ' ~ acl_data.sc_sess_rate_comparison ~ ' ' ~ acl_data.sc_sess_rate) %}
 {%               else %}
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters

From ae5b72b5e521fc68b4da590153bd4eb85ab571ea Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 10 Feb 2026 17:05:02 +0100
Subject: [PATCH 2976/3088] net/haproxy: release 5.1

---
 net/haproxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index bc5ac0c84e..fc7cf35177 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		5.0
+PLUGIN_VERSION=		5.1
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de

From 8701588fad5899c6126f5f2d185ff45ca1724f5a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Feb 2026 14:31:07 +0100
Subject: [PATCH 2977/3088] dns/dnscrypt-proxy: wrap up revision

---
 dns/dnscrypt-proxy/Makefile  | 2 +-
 dns/dnscrypt-proxy/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index b0e6868f11..cf19aed0a8 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		dnscrypt-proxy
 PLUGIN_VERSION=		1.16
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Flexible DNS proxy supporting DNSCrypt and DoH
 PLUGIN_DEPENDS=		dnscrypt-proxy2
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/dnscrypt-proxy/pkg-descr b/dns/dnscrypt-proxy/pkg-descr
index f06697ce8b..bc9af91cf2 100644
--- a/dns/dnscrypt-proxy/pkg-descr
+++ b/dns/dnscrypt-proxy/pkg-descr
@@ -7,6 +7,7 @@ Plugin Changelog
 1.16
 
 * Fix ODoH servers not working (contributed by Pascal Herget)
+* Fix bootstrap_resolvers with multiple comma-separated servers (contributed by Andrei Hodorog)
 
 1.15
 

From a444a16214d26f490a60866bc9c62ad32a1ca44d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 11 Feb 2026 16:11:03 +0100
Subject: [PATCH 2978/3088] security/acme-client: fix truenas automations,
 closes #5210

regression introduced in #5157
---
 security/acme-client/pkg-descr                |  1 +
 .../AcmeClient/forms/dialogAction.xml         | 36 +++++++++----------
 2 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index b3df214a1b..3c5d7f5cfb 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -12,6 +12,7 @@ Plugin Changelog
 
 Fixed:
 * fix class name of Google Domains DNS API (to make PHP linter happy)
+* parameters for TrueNAS automation not visible (#5210)
 
 4.13
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index d518bdeaab..865546d336 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -377,6 +377,24 @@
         <type>header</type>
         <style>method_table method_table_acme_truenas</style>
     </field>
+    <field>
+        <id>action.acme_truenas_apikey</id>
+        <label>TrueNAS API key</label>
+        <type>text</type>
+        <help>API key generated in the TrueNAS web UI.</help>
+    </field>
+    <field>
+        <id>action.acme_truenas_hostname</id>
+        <label>TrueNAS hostname</label>
+        <type>text</type>
+        <help>Hostname or IP address of TrueNAS Core Server.</help>
+    </field>
+    <field>
+        <id>action.acme_truenas_scheme</id>
+        <label>TrueNAS scheme</label>
+        <type>dropdown</type>
+        <help>Connection scheme that will be used when uploading certificates to TrueNAS Core Server.</help>
+    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
@@ -399,24 +417,6 @@
         <label>Ruckus Password</label>
         <type>password</type>
     </field>
-    <field>
-        <id>action.acme_truenas_apikey</id>
-        <label>TrueNAS API key</label>
-        <type>text</type>
-        <help>API key generated in the TrueNAS web UI.</help>
-    </field>
-    <field>
-        <id>action.acme_truenas_hostname</id>
-        <label>TrueNAS hostname</label>
-        <type>text</type>
-        <help>Hostname or IP address of TrueNAS Core Server.</help>
-    </field>
-    <field>
-        <id>action.acme_truenas_scheme</id>
-        <label>TrueNAS scheme</label>
-        <type>dropdown</type>
-        <help>Connection scheme that will be used when uploading certificates to TrueNAS Core Server.</help>
-    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>

From b9b11409103a61156503272c6a6a1bbc4a8409d4 Mon Sep 17 00:00:00 2001
From: Nuadh123 <lysfjord.daniel+github@smokepit.net>
Date: Wed, 11 Feb 2026 19:18:58 +0100
Subject: [PATCH 2979/3088] os-nextcloud-backup Add support for having backing
 up to a subdirectory instead of the root backupdir (#5191)

---
 .../mvc/app/library/OPNsense/Backup/Nextcloud.php     | 11 +++++++++++
 .../app/models/OPNsense/Backup/NextcloudSettings.xml  |  6 +++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 6f72ba479e..3457e4b151 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -84,6 +84,13 @@ public function getConfigurationFields()
                 "type" => "text",
                 "label" => gettext("Directory Name without leading slash, starting from user's root"),
                 "value" => 'OPNsense-Backup'
+            ),
+            array(
+                "name" => "addhostname",
+                "type" => "checkbox",
+                "label" => gettext("Backup to directory named after hostname"),
+                "help" => gettext("Create subdirectory under backupdir for this host"),
+                "value" => null
             )
         );
         $nextcloud = new NextcloudSettings();
@@ -139,6 +146,10 @@ public function backup()
             $backupdir = (string)$nextcloud->backupdir;
             $crypto_password = (string)$nextcloud->password_encryption;
 
+            if (!$nextcloud->addhostname->isEmpty()) {
+                $backupdir .= "/".gethostname()."/";
+            }
+
             // Check if destination directory exists, create (full path) if not
             try {
                 $internal_username = $this->getInternalUsername($url, $username, $password);
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
index 10a12429e9..e5c5b10c32 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//system/backup/nextcloud</mount>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <description>OPNsense Nextcloud Backup Settings</description>
     <items>
         <enabled type="BooleanField">
@@ -49,5 +49,9 @@
             <Default>OPNsense-Backup</Default>
             <ValidationMessage>The Backup Directory can only consist of alphanumeric characters, dash, underscores and slash. No leading or trailing slash.</ValidationMessage>
         </backupdir>
+        <addhostname type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </addhostname>
     </items>
 </model>

From 449323e6a505b78592ce5bc70a385383aeb9821d Mon Sep 17 00:00:00 2001
From: Nuadh123 <lysfjord.daniel+github@smokepit.net>
Date: Wed, 11 Feb 2026 19:21:09 +0100
Subject: [PATCH 2980/3088] os-nextcloud-backup Skip non-files when enumerating
 local entries to backup (#5192)

---
 .../opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php   | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 3457e4b151..e606c85160 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -161,11 +161,14 @@ public function backup()
             // Get list of files from local backup system
             $local_files = array();
             $tmp_local_files = scandir('/conf/backup/');
-            // Remove '.' and '..'
+            // Remove '.' and '..', skip directories
             foreach ($tmp_local_files as $tmp_local_file) {
                 if ($tmp_local_file === '.' || $tmp_local_file === '..') {
                     continue;
                 }
+                if (!is_file("/conf/backup/".$tmp_local_file)) {
+                    continue;
+                }
                 $local_files[] = $tmp_local_file;
             }
 

From de4c98eee25b26850bae87ac4fce68e794452e01 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <AdSchellevis@users.noreply.github.com>
Date: Mon, 16 Feb 2026 16:58:17 +0100
Subject: [PATCH 2981/3088] Security: Q-Feeds Connect - add new options as
 available in integrated blocklists (#5226)

* Security: Q-Feeds Connect - add new options as available in integrated blocklists, closes https://github.com/opnsense/plugins/issues/5197

This adds allowlists (regex patterns), source_nets Q-Feeds applies on, address to return and optional NXDOMAIN responses.

Please note this version is only compatible with current community versions, business edition installs will have to wait for 26.4.

* Security: Q-Feeds Connect - update version and changelog
---
 security/q-feeds-connector/Makefile           |  3 +-
 security/q-feeds-connector/pkg-descr          |  8 +++
 .../OPNsense/QFeeds/forms/settings.xml        | 38 ++++++++++++++
 .../app/models/OPNsense/QFeeds/Connector.xml  | 16 ++++++
 .../mvc/app/views/OPNsense/QFeeds/index.volt  |  7 +++
 .../scripts/unbound/blocklists/qfeeds_bl.py   | 50 ++++++++++++++++---
 .../OPNsense/QFeeds/qfeeds-blocklists.conf    |  7 +++
 7 files changed, 121 insertions(+), 8 deletions(-)

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index 70ee9f0eb8..f690fad92d 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		q-feeds-connector
-PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
 PLUGIN_TIER=		2
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 08c3c9cb70..699c608493 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -3,6 +3,14 @@ Connector for Q-Feeds threat intel
 Plugin Changelog
 ================
 
+1.5 
+
+* Feature: Add passlist option for unbound
+* Feature: Add effective networks for unbound
+* Feature: Add NXDOMAIN option for unbound
+* Feature: Add dest address for unbound
+
+
 1.4
 
 * Feature: Added DNSCrypt-Proxy integration
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
index 0469ed6ca4..acb8342532 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
@@ -15,4 +15,42 @@
         <type>checkbox</type>
         <help>Use domain feeds in Unbound DNS blocklist, requires blocklists to be enabled in order to have effect</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Unbound blocklist settings</label>
+        <style>unbound_options</style>
+    </field>
+    <field>
+        <id>connect.unbound.allowlists</id>
+        <label>Allowlist Domains</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>List of domains to allow. You can use regular expressions. This allow list only applies to blocklist matches on items in this policy.</help>
+    </field>
+    <field>
+        <id>connect.unbound.source_nets</id>
+        <label>Source Net(s)</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>Source networks to apply policy on. Examples are 192.168.1.0/24 or 192.168.1.1. Leave empty to apply on everything. All specified networks should use the same protocol family and have equal sizes to avoid priority issues. </help>
+    </field>
+    <field>
+        <id>connect.unbound.address</id>
+        <label>Destination Address</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>
+            Destination ip address for entries in the blocklist (leave empty to use default: 0.0.0.0).
+            Not used when "Return NXDOMAIN" is checked.
+        </help>
+    </field>
+    <field>
+        <id>connect.unbound.nxdomain</id>
+        <label>Return NXDOMAIN</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Use the DNS response code NXDOMAIN instead of a destination address.</help>
+    </field>
 </form>
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
index fb158adcfe..d748a54efd 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/models/OPNsense/QFeeds/Connector.xml
@@ -7,5 +7,21 @@
             <apikey type="TextField"/>
             <enable_unbound_bl type="BooleanField"/>
         </general>
+        <unbound>
+            <allowlists type="CSVListField"/>
+            <source_nets type="NetworkField">
+                <Multiple>Y</Multiple>
+                <Strict>Y</Strict>
+                <ValidationMessage>Please specify a valid network segment or address (IPv4/IPv6). If a mask is provided, please omit the host bits.</ValidationMessage>
+                <WildcardEnabled>N</WildcardEnabled>
+                <NetMaskRequired>N</NetMaskRequired>
+                <AsList>Y</AsList>
+            </source_nets>
+            <address type="NetworkField">
+                <NetMaskAllowed>N</NetMaskAllowed>
+                <AddressFamily>ipv4</AddressFamily>
+            </address>
+            <nxdomain type="BooleanField"/>
+        </unbound>
     </items>
 </model>
diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
index 21d3b54c7e..c015c80940 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/views/OPNsense/QFeeds/index.volt
@@ -99,6 +99,13 @@ POSSIBILITY OF SUCH DAMAGE.
             }
         });
 
+        $("#connect\\.general\\.enable_unbound_bl").change(function(){
+            if ($(this).is(':checked')) {
+                $(".unbound_options").closest('table').show();
+            } else {
+                $(".unbound_options").closest('table').hide();
+            }
+        });
 
         let selected_tab = window.location.hash != "" ? window.location.hash : "#settings";
         $('a[href="' +selected_tab + '"]').tab('show');
diff --git a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
index d880d1e863..1675557ba9 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
@@ -27,12 +27,19 @@
 """
 
 import os
+import re
+import syslog
+import uuid
 from . import BaseBlocklistHandler
 
-class DefaultBlocklistHandler(BaseBlocklistHandler):
+class QFeedsBlocklistHandler(BaseBlocklistHandler):
     def __init__(self):
         super().__init__('/usr/local/etc/unbound/qfeeds-blocklists.conf')
         self.priority = 50
+        self._compat_id = str(uuid.uuid4())
+
+    def _is_enabled(self):
+        return self.cnf and self.cnf.has_section('settings') and self.cnf.has_option('settings', 'filenames')
 
     def get_config(self):
         # do not use, unbound worker settings
@@ -41,11 +48,10 @@ def get_config(self):
     def get_blocklist(self):
         # Only return domains if integration is enabled (filenames are offered)
         qfeeds_filenames = []
-        if self.cnf and self.cnf.has_section('settings'):
-            if self.cnf.has_option('settings', 'filenames'):
-                qfeeds_filenames = self.cnf.get('settings', 'filenames').split(',')
-                # touch a file to help qfeedsctl detect the current instance uses its list
-                open('/tmp/qfeeds-unbound-bl.stat', 'w').write('')
+        if self._is_enabled():
+            qfeeds_filenames = self.cnf.get('settings', 'filenames').split(',')
+            # touch a file to help qfeedsctl detect the current instance uses its list
+            open('/tmp/qfeeds-unbound-bl.stat', 'w').write('')
 
         result = {}
         for filename in qfeeds_filenames:
@@ -58,3 +64,35 @@ def get_blocklist(self):
 
     def get_passlist_patterns(self):
         return []
+
+    def get_policies(self):
+        if not self._is_enabled():
+            return []
+
+        cfg = {
+            'source_nets': [],
+            'address': '',
+            'rcode': '',
+            'id': self._compat_id,
+            'allowlists': []
+        }
+        for k,v in self.cnf['settings'].items():
+            if k in cfg and v.strip() != '':
+                if type(cfg[k]) is list:
+                    cfg[k] = v.split(',')
+                else:
+                    cfg[k] = v.strip()
+
+        if cfg['allowlists']:
+            compiled_passlist = set()
+            for pattern in cfg['allowlists']:
+                try:
+                    re.compile(pattern, re.IGNORECASE)
+                    compiled_passlist.add(pattern)
+                except re.error:
+                    syslog.syslog(syslog.LOG_ERR,'Q-Feeds : skip invalid whitelist exclude pattern "%s"' % pattern)
+
+            cfg['passlist'] = '|'.join(compiled_passlist)
+            del cfg['allowlists']
+
+        return [cfg]
\ No newline at end of file
diff --git a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf
index 6113177758..fb4bbd7e4c 100644
--- a/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf
+++ b/security/q-feeds-connector/src/opnsense/service/templates/OPNsense/QFeeds/qfeeds-blocklists.conf
@@ -2,4 +2,11 @@
       not helpers.empty('OPNsense.QFeedsConnector.general.enable_unbound_bl') %}
 [settings]
 filenames=/var/db/qfeeds-tables/malware_domains.txt
+{% if not helpers.empty('OPNsense.QFeedsConnector.unbound') %}
+allowlists={{OPNsense.QFeedsConnector.unbound.allowlists|default('')}}
+source_nets={{OPNsense.QFeedsConnector.unbound.source_nets|default('')}}
+address={{OPNsense.QFeedsConnector.unbound.address|default('0.0.0.0')}}
+rcode={% if OPNsense.QFeedsConnector.unbound.nxdomain|default('0') == '1' %}NXDOMAIN{%else%}NOERROR{%endif +%}
+cache_ttl={{OPNsense.QFeedsConnector.unbound.cache_ttl|default('72000')}}
+{% endif %}
 {% endif %}

From 3b1c816363b8a35f6edcea3074caeb7d6106a78b Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 16 Feb 2026 22:49:45 +0100
Subject: [PATCH 2982/3088] net/haproxy: fix migration of lua rules, closes
 #5225

---
 net/haproxy/pkg-descr                                       | 3 +++
 .../opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml    | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index e7c26f768f..8a53fdd808 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -11,6 +11,9 @@ Plugin Changelog
 Added:
 * more conditions have support for converters
 
+Fixed:
+* migration fails if a http-request/-response "lua" rule is configured
+
 5.0
 
 WARNING: This is a new major release, which may result in
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index b6ee4174e9..83cf0a2ca1 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -3646,6 +3646,7 @@
                         <do-log>do-log</do-log>
                         <do-resolve>do-resolve</do-resolve>
                         <early-hint>early-hint</early-hint>
+                        <lua>lua</lua>
                         <normalize-uri>normalize-uri</normalize-uri>
                         <redirect>redirect</redirect>
                         <reject>reject</reject>
@@ -3689,7 +3690,7 @@
                         <track-sc1>track-sc1</track-sc1>
                         <track-sc2>track-sc2</track-sc2>
                         <unset-var>unset-var</unset-var>
-                        <use-service>use-service</use-service>
+                        <use-service>use-service - use a lua service</use-service>
                         <wait-for-body>wait-for-body</wait-for-body>
                         <wait-for-handshake>wait-for-handshake</wait-for-handshake>
                     </OptionValues>
@@ -3711,6 +3712,7 @@
                         <del-map>del-map</del-map>
                         <deny>deny</deny>
                         <do-log>do-log</do-log>
+                        <lua>lua</lua>
                         <redirect>redirect</redirect>
                         <replace-header>replace-header</replace-header>
                         <replace-value>replace-value</replace-value>
@@ -3804,7 +3806,7 @@
                         <content_track-sc1>content track-sc1</content_track-sc1>
                         <content_track-sc2>content track-sc2</content_track-sc2>
                         <content_unset-var>content unset-var</content_unset-var>
-                        <content_use-service>content use-service</content_use-service>
+                        <content_use-service>content use-service - use a lua service</content_use-service>
                         <inspect-delay>inspect-delay</inspect-delay>
                         <session_accept>session accept</session_accept>
                         <session_attach-srv>session attach-srv</session_attach-srv>

From f5af443a43ed9d577930d47f7171173a9e5c6763 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 17 Feb 2026 00:04:28 +0100
Subject: [PATCH 2983/3088] net/haproxy: add support for mapfile URLs, refs
 #4825

---
 net/haproxy/pkg-descr                         |  1 +
 .../OPNsense/HAProxy/forms/dialogMapfile.xml  |  8 ++-
 .../app/models/OPNsense/HAProxy/HAProxy.xml   |  6 ++-
 .../OPNsense/HAProxy/exportMapFiles.php       | 54 +++++++++++++++++--
 4 files changed, 62 insertions(+), 7 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 8a53fdd808..48c8151c58 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -10,6 +10,7 @@ Plugin Changelog
 
 Added:
 * more conditions have support for converters
+* add support for mapfile URLs (#4825)
 
 Fixed:
 * migration fails if a http-request/-response "lua" rule is configured
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
index 8c7d74b414..23a4394747 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml
@@ -21,6 +21,12 @@
         <id>mapfile.content</id>
         <label>Content</label>
         <type>textbox</type>
-        <help><![CDATA[Paste the content of your map file here. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+        <help><![CDATA[Paste the content of the map file here. See the <a target="_blank" href="http://docs.haproxy.org/3.2/configuration.html#map">HAProxy documentation</a> for a full description.]]></help>
+    </field>
+    <field>
+        <id>mapfile.url</id>
+        <label>Download URL</label>
+        <type>text</type>
+        <help><![CDATA[A URL from which the map file will be downloaded. The contents will be cached until next reload/restart of HAProxy. If the download fails, then the specified content will be used instead. In order to enable automatic updates of map files, setup a cron job that periodically reloads HAProxy.]]></help>
     </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 83cf0a2ca1..4d0ae9b9b4 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -4365,8 +4365,12 @@
                     </OptionValues>
                 </type>
                 <content type="TextField">
-                    <Required>Y</Required>
+                    <Required>N</Required>
                 </content>
+                <url type="UrlField">
+                    <Mask>/^.{1,4096}$/u</Mask>
+                    <Required>N</Required>
+                </url>
             </mapfile>
         </mapfiles>
         <groups>
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
index fe2e682f78..eebeaa7733 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- * Copyright (C) 2016-2018 Frank Wall
+ * Copyright (C) 2016-2026 Frank Wall
  * Copyright (C) 2015 Deciso B.V.
  * All rights reserved.
  *
@@ -41,12 +41,56 @@
     foreach ($configObj->OPNsense->HAProxy->mapfiles->children() as $mapfile) {
         $mf_name = (string)$mapfile->name;
         $mf_id = (string)$mapfile->id;
+        $mf_url = (string)$mapfile->url;
         if ($mf_id != "") {
-            $mf_content = htmlspecialchars_decode(str_replace("\r", "", (string)$mapfile->content));
             $mf_filename = $export_path . $mf_id . ".txt";
-            file_put_contents($mf_filename, $mf_content);
-            chmod($mf_filename, 0600);
-            echo "map file exported to " . $mf_filename . "\n";
+            // Download file from URL (if URL was provided).
+            try {
+                if ($mf_url == "") {
+                    throw new \Exception("no URL provided");
+                }
+                $fp = fopen($mf_filename, 'wb');
+                if ($fp === false) {
+                    throw new \Exception("unable to open {$mf_filename} for writing");
+                }
+
+                $ch = curl_init();
+                curl_setopt($ch, CURLOPT_URL, $mf_url);
+                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+                curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
+                curl_setopt($ch, CURLOPT_TIMEOUT, 60);
+                curl_setopt($ch, CURLOPT_FAILONERROR, true);
+                curl_setopt($ch, CURLOPT_FILE, $fp);
+
+                if (!curl_exec($ch)) {
+                    throw new \Exception("download error: " . curl_error($ch));
+                }
+                echo "map file downloaded to " . $mf_filename . "\n";
+            } catch (\Exception $e) {
+                // Show error message only if URL was specified.
+                if ($mf_url != "") {
+                  echo "download of map file failed, error: " . $e->getMessage() . "\n";
+                  echo "trying to fill map file with fallback content\n";
+                  $mf_content = "# NOTE: Download failed, this is the fallback content.\n";
+                } else {
+                  $mf_content = '';
+                }
+
+                // Write contents to map file.
+                // This is also used as a fallback if map file download fails.
+                $mf_content = $mf_content . htmlspecialchars_decode(str_replace("\r", "", (string)$mapfile->content));
+                file_put_contents($mf_filename, $mf_content);
+                echo "map file exported to " . $mf_filename . "\n";
+            } finally {
+                if (isset($ch)) {
+                    curl_close($ch);
+                }
+                if (isset($fp) && is_resource($fp)) {
+                    fclose($fp);
+                }
+                chmod($mf_filename, 0600);
+                chown($mf_filename, 'www');
+            }
         }
     }
 }

From 1bfb448cf26b3297102ba7359f79bbdad4345ae4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 18 Feb 2026 09:07:18 +0100
Subject: [PATCH 2984/3088] net/isc-dhcp: move ip_in_interface_alias_subnet()
 here

Only called by this plugin.  So we can ditch it from core.
---
 net/isc-dhcp/Makefile                          |  2 +-
 .../src/etc/inc/plugins.inc.d/dhcpd.inc        | 18 ++++++++++++++++++
 net/isc-dhcp/src/www/services_dhcp.php         |  2 +-
 net/isc-dhcp/src/www/services_dhcp_edit.php    |  2 +-
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/net/isc-dhcp/Makefile b/net/isc-dhcp/Makefile
index 970944acbe..1b8e9c572a 100644
--- a/net/isc-dhcp/Makefile
+++ b/net/isc-dhcp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		isc-dhcp
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		ISC DHCPv4/v6 server
 PLUGIN_DEPENDS=		isc-dhcp44-server
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
index df22829e0d..156f0e8401 100644
--- a/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
+++ b/net/isc-dhcp/src/etc/inc/plugins.inc.d/dhcpd.inc
@@ -1325,3 +1325,21 @@ function dhcpd_staticarp($interface, $ifconfig_details)
         interfaces_neighbors_configure($interface, $ifconfig_details);
     }
 }
+
+function dhcpd_ip_in_interface_alias_subnet($interface, $ipalias)
+{
+    if (empty($interface) || !is_ipaddr($ipalias)) {
+        return false;
+    }
+
+    foreach (config_read_array('virtualip', 'vip', false) as $vip) {
+        if ($vip['mode'] == 'ipalias' && $vip['interface'] == $interface) {
+            $subnet = is_ipaddrv6($ipalias) ? gen_subnetv6($vip['subnet'], $vip['subnet_bits']) : gen_subnet($vip['subnet'], $vip['subnet_bits']);
+            if (ip_in_subnet($ipalias, "{$subnet}/{$vip['subnet_bits']}")) {
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
diff --git a/net/isc-dhcp/src/www/services_dhcp.php b/net/isc-dhcp/src/www/services_dhcp.php
index 6b00cc16ef..ad87e530bc 100644
--- a/net/isc-dhcp/src/www/services_dhcp.php
+++ b/net/isc-dhcp/src/www/services_dhcp.php
@@ -175,7 +175,7 @@ function reconfigure_dhcpd()
         }
         list (, $parent_net) = interfaces_primary_address($pconfig['if']);
         if (is_subnetv4($parent_net) && $pconfig['gateway'] && $pconfig['gateway'] != "none") {
-            if (!ip_in_subnet($pconfig['gateway'], $parent_net) && !ip_in_interface_alias_subnet($pconfig['if'], $pconfig['gateway'])) {
+            if (!ip_in_subnet($pconfig['gateway'], $parent_net) && !dhcpd_ip_in_interface_alias_subnet($pconfig['if'], $pconfig['gateway'])) {
                 $input_errors[] = sprintf(gettext("The gateway address %s does not lie within the chosen interface's subnet."), $pconfig['gateway']);
             }
         }
diff --git a/net/isc-dhcp/src/www/services_dhcp_edit.php b/net/isc-dhcp/src/www/services_dhcp_edit.php
index ceb180a706..f4eb8c807e 100644
--- a/net/isc-dhcp/src/www/services_dhcp_edit.php
+++ b/net/isc-dhcp/src/www/services_dhcp_edit.php
@@ -167,7 +167,7 @@
     }
 
     if (is_subnetv4($parent_net) && $pconfig['gateway'] != "none" &&  !empty($pconfig['gateway'])) {
-        if (!ip_in_subnet($pconfig['gateway'], $parent_net) && !ip_in_interface_alias_subnet($if, $pconfig['gateway'])) {
+        if (!ip_in_subnet($pconfig['gateway'], $parent_net) && !dhcpd_ip_in_interface_alias_subnet($if, $pconfig['gateway'])) {
             $input_errors[] = sprintf(gettext("The gateway address %s does not lie within the chosen interface's subnet."), $_POST['gateway']);
         }
     }

From 58f0dfd86e75dfd9f3c09a7460912cc150e36a29 Mon Sep 17 00:00:00 2001
From: Q-Feeds <support@qfeeds.com>
Date: Thu, 19 Feb 2026 09:06:10 +0100
Subject: [PATCH 2985/3088] q-feeds-connector: Update help text to mention
 DNScrypt-proxy blocklists (#5237)

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 .../mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
index acb8342532..37e9dec8ea 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/forms/settings.xml
@@ -13,7 +13,7 @@
         <id>connect.general.enable_unbound_bl</id>
         <label>Register domain feeds</label>
         <type>checkbox</type>
-        <help>Use domain feeds in Unbound DNS blocklist, requires blocklists to be enabled in order to have effect</help>
+        <help>Use domain feeds in Unbound DNS and DNScrypt-proxy blocklists, requires blocklists to be enabled in order to have effect</help>
     </field>
     <field>
         <type>header</type>

From 9250d4ddc8d31d694db828217742cc4f66c42aeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Fri, 20 Feb 2026 08:18:12 +0100
Subject: [PATCH 2986/3088] Theme cicada/vicuna/tukan some fixes (#5198)

---
 misc/theme-cicada/Makefile                                 | 2 +-
 .../www/themes/cicada/build/css/opnsense-bootgrid.css      | 5 -----
 .../opnsense/www/themes/cicada/build/css/tabulator.min.css | 2 +-
 misc/theme-tukan/Makefile                                  | 2 +-
 .../www/themes/tukan/build/css/opnsense-bootgrid.css       | 7 +------
 misc/theme-vicuna/Makefile                                 | 2 +-
 .../www/themes/vicuna/build/css/opnsense-bootgrid.css      | 5 -----
 .../opnsense/www/themes/vicuna/build/css/tabulator.min.css | 2 +-
 8 files changed, 6 insertions(+), 21 deletions(-)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index e7d7ac36ee..baff1111e8 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-cicada
-PLUGIN_VERSION=		1.40
+PLUGIN_VERSION=		1.41
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
index 9fe95901a4..63af6ab071 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
@@ -210,11 +210,6 @@
   padding-right: 20px;
 }
 
-.bootgrid-footer-commands {
-  width: 90px;
-  padding-left: 8px;
-}
-
 .tabulator-tableholder::after {
   content: "";
   display: block;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tabulator.min.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tabulator.min.css
index 7034e96558..aeff5d2d87 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tabulator.min.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/tabulator.min.css
@@ -1,2 +1,2 @@
-.tabulator{background-color:#888;border:1px solid #191919;font-size:14px;overflow:hidden;position:relative;text-align:left;-webkit-transform:translateZ(0);-moz-transform:translateZ(0);-ms-transform:translateZ(0);-o-transform:translateZ(0);transform:translateZ(0)}.tabulator[tabulator-layout=fitDataFill] .tabulator-tableholder .tabulator-table{min-width:100%}.tabulator[tabulator-layout=fitDataTable]{display:inline-block}.tabulator.tabulator-block-select,.tabulator.tabulator-ranges .tabulator-cell:not(.tabulator-editing){user-select:none; }.tabulator .tabulator-header{background-color:#e6e6e6;border-bottom:1px solid #999;box-sizing:border-box;color:#555;font-weight:700;outline:none;overflow:hidden;position:relative;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap;width:100%}.tabulator .tabulator-header.tabulator-header-hidden{display:none}.tabulator .tabulator-header .tabulator-header-contents{overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-header-contents .tabulator-headers{display:inline-block}.tabulator .tabulator-header .tabulator-col{background:#e6e6e6;border-right:1px solid #aaa;box-sizing:border-box;display:inline-flex;flex-direction:column;justify-content:flex-start;overflow:hidden;position:relative;text-align:left;vertical-align:bottom}.tabulator .tabulator-header .tabulator-col.tabulator-moving{background:#cdcdcd;border:1px solid #999;pointer-events:none;position:absolute}.tabulator .tabulator-header .tabulator-col.tabulator-range-highlight{background-color:#d6d6d6;color:#000}.tabulator .tabulator-header .tabulator-col.tabulator-range-selected{background-color:#3876ca;color:#fff}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{box-sizing:border-box;padding:4px;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button{padding:0 8px}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button:hover{cursor:pointer;opacity:.6}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title-holder{position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title{box-sizing:border-box;overflow:hidden;text-overflow:ellipsis;vertical-align:bottom;white-space:nowrap;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title.tabulator-col-title-wrap{text-overflow:clip;white-space:normal}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-title-editor{background:#fff;border:1px solid #999;box-sizing:border-box;padding:1px;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-header-popup-button+.tabulator-title-editor{width:calc(100% - 22px)}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{align-items:center;bottom:0;display:flex;position:absolute;right:4px;top:0}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-left:6px solid transparent;border-right:6px solid transparent;height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{border-top:1px solid #aaa;display:flex;margin-right:-1px;overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter{box-sizing:border-box;margin-top:2px;position:relative;text-align:center;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter textarea{height:auto!important}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter svg{margin-top:3px}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter input::-ms-clear{height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-right:25px}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover{background-color:#cdcdcd;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter{color:#bbb}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #666;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-top:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:none;border-top:6px solid #666;color:#666}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical .tabulator-col-content .tabulator-col-title{align-items:center;display:flex;justify-content:center;text-orientation:mixed;writing-mode:vertical-rl}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-col-vertical-flip .tabulator-col-title{transform:rotate(180deg)}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-title{padding-right:0;padding-top:20px}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable.tabulator-col-vertical-flip .tabulator-col-title{padding-bottom:20px;padding-right:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-sorter{bottom:auto;justify-content:center;left:0;right:0;top:4px}.tabulator .tabulator-header .tabulator-frozen{left:0;position:sticky;z-index:11}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator .tabulator-header .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;display:inline-block}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-header .tabulator-frozen-rows-holder{display:inline-block}.tabulator .tabulator-header .tabulator-frozen-rows-holder:empty{display:none}.tabulator .tabulator-tableholder{-webkit-overflow-scrolling:touch;overflow:auto;position:relative;white-space:nowrap;width:100%}.tabulator .tabulator-tableholder:focus{outline:none}.tabulator .tabulator-tableholder .tabulator-placeholder{align-items:center;box-sizing:border-box;display:flex;justify-content:center;min-width:100%;width:100%}.tabulator .tabulator-tableholder .tabulator-placeholder[tabulator-render-mode=virtual]{min-height:100%}.tabulator .tabulator-tableholder .tabulator-placeholder .tabulator-placeholder-contents{color:#ccc;display:inline-block;font-size:20px;font-weight:700;padding:10px;text-align:center;white-space:normal}.tabulator .tabulator-tableholder .tabulator-table{background-color:#fff;color:#333;display:inline-block;overflow:visible;position:relative;white-space:nowrap}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs{background:#e2e2e2!important;font-weight:700}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-top{border-bottom:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-bottom{border-top:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-range-overlay{inset:0;pointer-events:none;position:absolute;z-index:10}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range{border:1px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;position:absolute;right:-3px;width:6px}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range-cell-active{border:2px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-footer{background-color:#e6e6e6;border-top:1px solid #999;color:#555;font-weight:700;user-select:none;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap}.tabulator .tabulator-footer .tabulator-footer-contents{align-items:center;display:flex;flex-direction:row;justify-content:space-between;padding:5px 10px}.tabulator .tabulator-footer .tabulator-footer-contents:empty{display:none}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs{margin-top:-5px;overflow-x:auto}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab{border:1px solid #999;border-bottom-left-radius:5px;border-bottom-right-radius:5px;border-top:none;display:inline-block;font-size:.9em;padding:5px}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab:hover{cursor:pointer;opacity:.7}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab.tabulator-spreadsheet-tab-active{background:#fff}.tabulator .tabulator-footer .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;overflow:hidden;text-align:left;width:100%}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important;display:inline-block}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-footer .tabulator-calcs-holder:only-child{border-bottom:none;margin-bottom:-5px}.tabulator .tabulator-footer>*+.tabulator-page-counter{margin-left:10px}.tabulator .tabulator-footer .tabulator-page-counter{font-weight:400}.tabulator .tabulator-footer .tabulator-paginator{color:#555;flex:1;font-family:inherit;font-size:inherit;font-weight:inherit;text-align:right}.tabulator .tabulator-footer .tabulator-page-size{border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 5px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-pages{margin:0 7px}.tabulator .tabulator-footer .tabulator-page{background:hsla(0,0%,100%,.2);border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 2px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-page.active{color:#d00}.tabulator .tabulator-footer .tabulator-page:disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-footer .tabulator-page:not(disabled):hover{background:rgba(0,0,0,.2);color:#fff;cursor:pointer}}.tabulator .tabulator-col-resize-handle{display:inline-block;margin-left:-3px;margin-right:-3px;position:relative;vertical-align:middle;width:6px;z-index:11}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-col-resize-handle:hover{cursor:ew-resize}}.tabulator .tabulator-col-resize-handle:last-of-type{margin-right:0;width:3px}.tabulator .tabulator-col-resize-guide{background-color:#999;height:100%;margin-left:-.5px;opacity:.5;position:absolute;top:0;width:4px}.tabulator .tabulator-row-resize-guide{background-color:#999;height:4px;left:0;margin-top:-.5px;opacity:.5;position:absolute;width:100%}.tabulator .tabulator-alert{align-items:center;background:rgba(0,0,0,.4);display:flex;height:100%;left:0;position:absolute;text-align:center;top:0;width:100%;z-index:100}.tabulator .tabulator-alert .tabulator-alert-msg{background:#fff;border-radius:10px;display:inline-block;font-size:16px;font-weight:700;margin:0 auto;padding:10px 20px}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{border:4px solid #333;color:#000}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error{border:4px solid #d00;color:#590000}.tabulator-row{background-color:#fff;box-sizing:border-box;min-height:22px;position:relative}.tabulator-row.tabulator-row-even{background-color:#efefef}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selectable:hover{background-color:#bbb;cursor:pointer}}.tabulator-row.tabulator-selected{background-color:#9abcea}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selected:hover{background-color:#769bcc;cursor:pointer}}.tabulator-row.tabulator-row-moving{background:#fff;border:1px solid #000}.tabulator-row.tabulator-moving{border-bottom:1px solid #aaa;border-top:1px solid #aaa;pointer-events:none;position:absolute;z-index:15}.tabulator-row.tabulator-range-highlight .tabulator-cell.tabulator-range-row-header{background-color:#d6d6d6;color:#000}.tabulator-row.tabulator-range-highlight.tabulator-range-selected .tabulator-cell.tabulator-range-row-header,.tabulator-row.tabulator-range-selected .tabulator-cell.tabulator-range-row-header{background-color:#3876ca;color:#fff}.tabulator-row .tabulator-row-resize-handle{bottom:0;height:5px;left:0;position:absolute;right:0}.tabulator-row .tabulator-row-resize-handle.prev{bottom:auto;top:0}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-row-resize-handle:hover{cursor:ns-resize}}.tabulator-row .tabulator-responsive-collapse{border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;padding:5px}.tabulator-row .tabulator-responsive-collapse:empty{display:none}.tabulator-row .tabulator-responsive-collapse table{font-size:14px}.tabulator-row .tabulator-responsive-collapse table tr td{position:relative}.tabulator-row .tabulator-responsive-collapse table tr td:first-of-type{padding-right:10px}.tabulator-row .tabulator-cell{border-right:1px solid #aaa;box-sizing:border-box;display:inline-block;outline:none;overflow:hidden;padding:4px;position:relative;text-overflow:ellipsis;vertical-align:middle;white-space:nowrap}.tabulator-row .tabulator-cell.tabulator-row-header{background:#e6e6e6;border-bottom:1px solid #aaa;border-right:1px solid #999}.tabulator-row .tabulator-cell.tabulator-frozen{background-color:inherit;display:inline-block;left:0;position:sticky;z-index:11}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-editing{border:1px solid #1d68cd;outline:none;padding:0}.tabulator-row .tabulator-cell.tabulator-editing input,.tabulator-row .tabulator-cell.tabulator-editing select{background:transparent;border:1px;outline:none}.tabulator-row .tabulator-cell.tabulator-validation-fail{border:1px solid #d00}.tabulator-row .tabulator-cell.tabulator-validation-fail input,.tabulator-row .tabulator-cell.tabulator-validation-fail select{background:transparent;border:1px;color:#d00}.tabulator-row .tabulator-cell.tabulator-row-handle{align-items:center;display:inline-flex;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box{width:80%}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box .tabulator-row-handle-bar{background:#666;height:3px;margin-top:2px;width:100%}.tabulator-row .tabulator-cell.tabulator-range-selected:not(.tabulator-range-only-cell-selected):not(.tabulator-range-row-header){background-color:#9abcea}.tabulator-row .tabulator-cell .tabulator-data-tree-branch-empty{display:inline-block;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle{align-items:center;background:#666;border-radius:20px;color:#fff;display:inline-flex;font-size:1.1em;font-weight:700;height:15px;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;width:15px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle:hover{cursor:pointer;opacity:.7}}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-close{display:initial}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-open{display:none}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle svg{stroke:#fff}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle .tabulator-responsive-collapse-toggle-close{display:none}.tabulator-row .tabulator-cell .tabulator-traffic-light{border-radius:14px;display:inline-block;height:14px;width:14px}.tabulator-row.tabulator-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-row.tabulator-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-row.tabulator-group.tabulator-group-level-1{padding-left:30px}.tabulator-row.tabulator-group.tabulator-group-level-2{padding-left:50px}.tabulator-row.tabulator-group.tabulator-group-level-3{padding-left:70px}.tabulator-row.tabulator-group.tabulator-group-level-4{padding-left:90px}.tabulator-row.tabulator-group.tabulator-group-level-5{padding-left:110px}.tabulator-row.tabulator-group .tabulator-group-toggle{display:inline-block}.tabulator-row.tabulator-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-row.tabulator-group span{color:#d00;margin-left:10px}.tabulator-toggle{background:#dcdcdc;border:1px solid #ccc;box-sizing:border-box;display:flex;flex-direction:row}.tabulator-toggle.tabulator-toggle-on{background:#1c6cc2}.tabulator-toggle .tabulator-toggle-switch{background:#fff;border:1px solid #ccc;box-sizing:border-box}.tabulator-popup-container{-webkit-overflow-scrolling:touch;background:#fff;border:1px solid #aaa;box-shadow:0 0 5px 0 rgba(0,0,0,.2);box-sizing:border-box;display:inline-block;font-size:14px;overflow-y:auto;position:absolute;z-index:10000}.tabulator-popup{border-radius:3px;padding:5px}.tabulator-tooltip{border-radius:2px;box-shadow:none;font-size:12px;max-width:Min(500px,100%);padding:3px 5px;pointer-events:none}.tabulator-menu .tabulator-menu-item{box-sizing:border-box;padding:5px 10px;position:relative;user-select:none}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator-menu .tabulator-menu-item:not(.tabulator-menu-item-disabled):hover{background:#efefef;cursor:pointer}}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu{padding-right:25px}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu:after{border-color:#aaa;border-style:solid;border-width:1px 1px 0 0;content:"";display:inline-block;height:7px;position:absolute;right:10px;top:calc(5px + .4em);transform:rotate(45deg);vertical-align:top;width:7px}.tabulator-menu .tabulator-menu-separator{border-top:1px solid #aaa}.tabulator-edit-list{-webkit-overflow-scrolling:touch;font-size:14px;max-height:200px;overflow-y:auto}.tabulator-edit-list .tabulator-edit-list-item{color:#333;outline:none;padding:4px}.tabulator-edit-list .tabulator-edit-list-item.active{background:#1d68cd;color:#fff}.tabulator-edit-list .tabulator-edit-list-item.active.focused{outline:1px solid hsla(0,0%,100%,.5)}.tabulator-edit-list .tabulator-edit-list-item.focused{outline:1px solid #1d68cd}@media (hover:hover) and (pointer:fine){.tabulator-edit-list .tabulator-edit-list-item:hover{background:#1d68cd;color:#fff;cursor:pointer}}.tabulator-edit-list .tabulator-edit-list-placeholder{color:#333;padding:4px;text-align:center}.tabulator-edit-list .tabulator-edit-list-group{border-bottom:1px solid #aaa;color:#333;font-weight:700;padding:6px 4px 4px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-2,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-2{padding-left:12px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-3,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-3{padding-left:20px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-4,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-4{padding-left:28px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-5,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-5{padding-left:36px}.tabulator.tabulator-ltr{direction:ltr}.tabulator.tabulator-rtl{direction:rtl;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col{border-left:1px solid #aaa;border-right:initial;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{margin-left:-1px;margin-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-left:25px;padding-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{left:8px;right:auto}.tabulator.tabulator-rtl .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;left:-3px;position:absolute;right:auto;width:6px}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell{border-left:1px solid #aaa;border-right:initial}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom-left-radius:0;border-bottom-right-radius:1px;border-left:initial;border-right:2px solid #aaa;margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-control{margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-left:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-right:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-col-resize-handle:last-of-type{margin-left:0;margin-right:-3px;width:3px}.tabulator.tabulator-rtl .tabulator-footer .tabulator-calcs-holder{text-align:initial}.tabulator-print-fullscreen{bottom:0;left:0;position:absolute;right:0;top:0;z-index:10000}body.tabulator-print-fullscreen-hide>:not(.tabulator-print-fullscreen){display:none!important}.tabulator-print-table{border-collapse:collapse}.tabulator-print-table .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-print-table .tabulator-print-table-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-print-table-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-print-table .tabulator-print-table-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-1 td{padding-left:30px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-2 td{padding-left:50px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-3 td{padding-left:70px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-4 td{padding-left:90px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-5 td{padding-left:110px!important}.tabulator-print-table .tabulator-print-table-group .tabulator-group-toggle{display:inline-block}.tabulator-print-table .tabulator-print-table-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-print-table .tabulator-print-table-group span{color:#d00;margin-left:10px}.tabulator-print-table .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}
+.tabulator{background-color:#888;border:1px solid #999;font-size:14px;overflow:hidden;position:relative;text-align:left;-webkit-transform:translateZ(0);-moz-transform:translateZ(0);-ms-transform:translateZ(0);-o-transform:translateZ(0);transform:translateZ(0)}.tabulator[tabulator-layout=fitDataFill] .tabulator-tableholder .tabulator-table{min-width:100%}.tabulator[tabulator-layout=fitDataTable]{display:inline-block}.tabulator.tabulator-block-select,.tabulator.tabulator-ranges .tabulator-cell:not(.tabulator-editing){user-select:none}.tabulator .tabulator-header{background-color:#e6e6e6;border-bottom:1px solid #999;box-sizing:border-box;color:#555;font-weight:700;outline:none;overflow:hidden;position:relative;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap;width:100%}.tabulator .tabulator-header.tabulator-header-hidden{display:none}.tabulator .tabulator-header .tabulator-header-contents{overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-header-contents .tabulator-headers{display:inline-block}.tabulator .tabulator-header .tabulator-col{background:#e6e6e6;border-right:1px solid #aaa;box-sizing:border-box;display:inline-flex;flex-direction:column;justify-content:flex-start;overflow:hidden;position:relative;text-align:left;vertical-align:bottom}.tabulator .tabulator-header .tabulator-col.tabulator-moving{background:#cdcdcd;border:1px solid #999;pointer-events:none;position:absolute}.tabulator .tabulator-header .tabulator-col.tabulator-range-highlight{background-color:#d6d6d6;color:#000}.tabulator .tabulator-header .tabulator-col.tabulator-range-selected{background-color:#3876ca;color:#fff}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{box-sizing:border-box;padding:4px;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button{padding:0 8px}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button:hover{cursor:pointer;opacity:.6}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title-holder{position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title{box-sizing:border-box;overflow:hidden;text-overflow:ellipsis;vertical-align:bottom;white-space:nowrap;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title.tabulator-col-title-wrap{text-overflow:clip;white-space:normal}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-title-editor{background:#fff;border:1px solid #999;box-sizing:border-box;padding:1px;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-header-popup-button+.tabulator-title-editor{width:calc(100% - 22px)}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{align-items:center;bottom:0;display:flex;position:absolute;right:4px;top:0}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-left:6px solid transparent;border-right:6px solid transparent;height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{border-top:1px solid #aaa;display:flex;margin-right:-1px;overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter{box-sizing:border-box;margin-top:2px;position:relative;text-align:center;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter textarea{height:auto!important}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter svg{margin-top:3px}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter input::-ms-clear{height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-right:25px}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover{background-color:#cdcdcd;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter{color:#bbb}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #666;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-top:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:none;border-top:6px solid #666;color:#666}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical .tabulator-col-content .tabulator-col-title{align-items:center;display:flex;justify-content:center;text-orientation:mixed;writing-mode:vertical-rl}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-col-vertical-flip .tabulator-col-title{transform:rotate(180deg)}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-title{padding-right:0;padding-top:20px}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable.tabulator-col-vertical-flip .tabulator-col-title{padding-bottom:20px;padding-right:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-sorter{bottom:auto;justify-content:center;left:0;right:0;top:4px}.tabulator .tabulator-header .tabulator-frozen{left:0;position:sticky;z-index:11}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left{border-right:2px solid #aaa}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right{border-left:2px solid #191919}.tabulator .tabulator-header .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;display:inline-block}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-header .tabulator-frozen-rows-holder{display:inline-block}.tabulator .tabulator-header .tabulator-frozen-rows-holder:empty{display:none}.tabulator .tabulator-tableholder{-webkit-overflow-scrolling:touch;overflow:auto;position:relative;white-space:nowrap;width:100%}.tabulator .tabulator-tableholder:focus{outline:none}.tabulator .tabulator-tableholder .tabulator-placeholder{align-items:center;box-sizing:border-box;display:flex;justify-content:center;min-width:100%;width:100%}.tabulator .tabulator-tableholder .tabulator-placeholder[tabulator-render-mode=virtual]{min-height:100%}.tabulator .tabulator-tableholder .tabulator-placeholder .tabulator-placeholder-contents{color:#ccc;display:inline-block;font-size:20px;font-weight:700;padding:10px;text-align:center;white-space:normal}.tabulator .tabulator-tableholder .tabulator-table{background-color:#fff;color:#333;display:inline-block;overflow:visible;position:relative;white-space:nowrap}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs{background:#e2e2e2!important;font-weight:700}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-top{border-bottom:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-bottom{border-top:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-range-overlay{inset:0;pointer-events:none;position:absolute;z-index:10}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range{border:1px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;position:absolute;right:-3px;width:6px}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range-cell-active{border:2px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-footer{background-color:#e6e6e6;border-top:1px solid #999;color:#555;font-weight:700;user-select:none;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap}.tabulator .tabulator-footer .tabulator-footer-contents{align-items:center;display:flex;flex-direction:row;justify-content:space-between;padding:5px 10px}.tabulator .tabulator-footer .tabulator-footer-contents:empty{display:none}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs{margin-top:-5px;overflow-x:auto}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab{border:1px solid #999;border-bottom-left-radius:5px;border-bottom-right-radius:5px;border-top:none;display:inline-block;font-size:.9em;padding:5px}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab:hover{cursor:pointer;opacity:.7}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab.tabulator-spreadsheet-tab-active{background:#fff}.tabulator .tabulator-footer .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;overflow:hidden;text-align:left;width:100%}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important;display:inline-block}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-footer .tabulator-calcs-holder:only-child{border-bottom:none;margin-bottom:-5px}.tabulator .tabulator-footer>*+.tabulator-page-counter{margin-left:10px}.tabulator .tabulator-footer .tabulator-page-counter{font-weight:400}.tabulator .tabulator-footer .tabulator-paginator{color:#555;flex:1;font-family:inherit;font-size:inherit;font-weight:inherit;text-align:right}.tabulator .tabulator-footer .tabulator-page-size{border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 5px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-pages{margin:0 7px}.tabulator .tabulator-footer .tabulator-page{background:hsla(0,0%,100%,.2);border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 2px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-page.active{color:#d00}.tabulator .tabulator-footer .tabulator-page:disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-footer .tabulator-page:not(disabled):hover{background:rgba(0,0,0,.2);color:#fff;cursor:pointer}}.tabulator .tabulator-col-resize-handle{display:inline-block;margin-left:-3px;margin-right:-3px;position:relative;vertical-align:middle;width:6px;z-index:11}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-col-resize-handle:hover{cursor:ew-resize}}.tabulator .tabulator-col-resize-handle:last-of-type{margin-right:0;width:3px}.tabulator .tabulator-col-resize-guide{background-color:#999;height:100%;margin-left:-.5px;opacity:.5;position:absolute;top:0;width:4px}.tabulator .tabulator-row-resize-guide{background-color:#999;height:4px;left:0;margin-top:-.5px;opacity:.5;position:absolute;width:100%}.tabulator .tabulator-alert{align-items:center;background:rgba(0,0,0,.4);display:flex;height:100%;left:0;position:absolute;text-align:center;top:0;width:100%;z-index:100}.tabulator .tabulator-alert .tabulator-alert-msg{background:#fff;border-radius:10px;display:inline-block;font-size:16px;font-weight:700;margin:0 auto;padding:10px 20px}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{border:4px solid #333;color:#000}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error{border:4px solid #d00;color:#590000}.tabulator-row{background-color:#fff;box-sizing:border-box;min-height:22px;position:relative}.tabulator-row.tabulator-row-even{background-color:#efefef}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selectable:hover{background-color:#bbb;cursor:pointer}}.tabulator-row.tabulator-selected{background-color:#9abcea}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selected:hover{background-color:#769bcc;cursor:pointer}}.tabulator-row.tabulator-row-moving{background:#fff;border:1px solid #000}.tabulator-row.tabulator-moving{border-bottom:1px solid #aaa;border-top:1px solid #aaa;pointer-events:none;position:absolute;z-index:15}.tabulator-row.tabulator-range-highlight .tabulator-cell.tabulator-range-row-header{background-color:#d6d6d6;color:#000}.tabulator-row.tabulator-range-highlight.tabulator-range-selected .tabulator-cell.tabulator-range-row-header,.tabulator-row.tabulator-range-selected .tabulator-cell.tabulator-range-row-header{background-color:#3876ca;color:#fff}.tabulator-row .tabulator-row-resize-handle{bottom:0;height:5px;left:0;position:absolute;right:0}.tabulator-row .tabulator-row-resize-handle.prev{bottom:auto;top:0}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-row-resize-handle:hover{cursor:ns-resize}}.tabulator-row .tabulator-responsive-collapse{border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;padding:5px}.tabulator-row .tabulator-responsive-collapse:empty{display:none}.tabulator-row .tabulator-responsive-collapse table{font-size:14px}.tabulator-row .tabulator-responsive-collapse table tr td{position:relative}.tabulator-row .tabulator-responsive-collapse table tr td:first-of-type{padding-right:10px}.tabulator-row .tabulator-cell{border-right:1px solid #aaa;box-sizing:border-box;display:inline-block;outline:none;overflow:hidden;padding:4px;position:relative;text-overflow:ellipsis;vertical-align:middle;white-space:nowrap}.tabulator-row .tabulator-cell.tabulator-row-header{background:#e6e6e6;border-bottom:1px solid #aaa;border-right:1px solid #999}.tabulator-row .tabulator-cell.tabulator-frozen{background-color:inherit;display:inline-block;left:0;position:sticky;z-index:11}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-right:2px solid #aaa}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-left:2px solid #191919}.tabulator-row .tabulator-cell.tabulator-editing{border:1px solid #1d68cd;outline:none;padding:0}.tabulator-row .tabulator-cell.tabulator-editing input,.tabulator-row .tabulator-cell.tabulator-editing select{background:transparent;border:1px;outline:none}.tabulator-row .tabulator-cell.tabulator-validation-fail{border:1px solid #d00}.tabulator-row .tabulator-cell.tabulator-validation-fail input,.tabulator-row .tabulator-cell.tabulator-validation-fail select{background:transparent;border:1px;color:#d00}.tabulator-row .tabulator-cell.tabulator-row-handle{align-items:center;display:inline-flex;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box{width:80%}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box .tabulator-row-handle-bar{background:#666;height:3px;margin-top:2px;width:100%}.tabulator-row .tabulator-cell.tabulator-range-selected:not(.tabulator-range-only-cell-selected):not(.tabulator-range-row-header){background-color:#9abcea}.tabulator-row .tabulator-cell .tabulator-data-tree-branch-empty{display:inline-block;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0);border:1px solid #fdfdfd;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#fff;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#fff;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle{align-items:center;background:#666;border-radius:20px;color:#fff;display:inline-flex;font-size:1.1em;font-weight:700;height:15px;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;width:15px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle:hover{cursor:pointer;opacity:.7}}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-close{display:initial}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-open{display:none}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle svg{stroke:#fff}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle .tabulator-responsive-collapse-toggle-close{display:none}.tabulator-row .tabulator-cell .tabulator-traffic-light{border-radius:14px;display:inline-block;height:14px;width:14px}.tabulator-row.tabulator-group{background:#191919;border-bottom:1px solid #191919;border-right:1px solid #191919;border-top:1px solid #191919;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-row.tabulator-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-row.tabulator-group.tabulator-group-level-1{padding-left:30px}.tabulator-row.tabulator-group.tabulator-group-level-2{padding-left:50px}.tabulator-row.tabulator-group.tabulator-group-level-3{padding-left:70px}.tabulator-row.tabulator-group.tabulator-group-level-4{padding-left:90px}.tabulator-row.tabulator-group.tabulator-group-level-5{padding-left:110px}.tabulator-row.tabulator-group .tabulator-group-toggle{display:inline-block}.tabulator-row.tabulator-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-row.tabulator-group span{color:#d00;margin-left:10px}.tabulator-toggle{background:#dcdcdc;border:1px solid #ccc;box-sizing:border-box;display:flex;flex-direction:row}.tabulator-toggle.tabulator-toggle-on{background:#1c6cc2}.tabulator-toggle .tabulator-toggle-switch{background:#fff;border:1px solid #ccc;box-sizing:border-box}.tabulator-popup-container{-webkit-overflow-scrolling:touch;background:#fff;border:1px solid #aaa;box-shadow:0 0 5px 0 rgba(0,0,0,.2);box-sizing:border-box;display:inline-block;font-size:14px;overflow-y:auto;position:absolute;z-index:10000}.tabulator-popup{border-radius:3px;padding:5px}.tabulator-tooltip{border-radius:2px;box-shadow:none;font-size:12px;max-width:Min(500px,100%);padding:3px 5px;pointer-events:none}.tabulator-menu .tabulator-menu-item{box-sizing:border-box;padding:5px 10px;position:relative;user-select:none}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator-menu .tabulator-menu-item:not(.tabulator-menu-item-disabled):hover{background:#efefef;cursor:pointer}}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu{padding-right:25px}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu:after{border-color:#aaa;border-style:solid;border-width:1px 1px 0 0;content:"";display:inline-block;height:7px;position:absolute;right:10px;top:calc(5px + .4em);transform:rotate(45deg);vertical-align:top;width:7px}.tabulator-menu .tabulator-menu-separator{border-top:1px solid #aaa}.tabulator-edit-list{-webkit-overflow-scrolling:touch;font-size:14px;max-height:200px;overflow-y:auto}.tabulator-edit-list .tabulator-edit-list-item{color:#333;outline:none;padding:4px}.tabulator-edit-list .tabulator-edit-list-item.active{background:#1d68cd;color:#fff}.tabulator-edit-list .tabulator-edit-list-item.active.focused{outline:1px solid hsla(0,0%,100%,.5)}.tabulator-edit-list .tabulator-edit-list-item.focused{outline:1px solid #1d68cd}@media (hover:hover) and (pointer:fine){.tabulator-edit-list .tabulator-edit-list-item:hover{background:#1d68cd;color:#fff;cursor:pointer}}.tabulator-edit-list .tabulator-edit-list-placeholder{color:#333;padding:4px;text-align:center}.tabulator-edit-list .tabulator-edit-list-group{border-bottom:1px solid #aaa;color:#333;font-weight:700;padding:6px 4px 4px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-2,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-2{padding-left:12px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-3,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-3{padding-left:20px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-4,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-4{padding-left:28px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-5,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-5{padding-left:36px}.tabulator.tabulator-ltr{direction:ltr}.tabulator.tabulator-rtl{direction:rtl;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col{border-left:1px solid #aaa;border-right:initial;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{margin-left:-1px;margin-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-left:25px;padding-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{left:8px;right:auto}.tabulator.tabulator-rtl .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;left:-3px;position:absolute;right:auto;width:6px}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell{border-left:1px solid #aaa;border-right:initial}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom-left-radius:0;border-bottom-right-radius:1px;border-left:initial;border-right:2px solid #aaa;margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-control{margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-left:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-right:2px solid #191919}.tabulator.tabulator-rtl .tabulator-row .tabulator-col-resize-handle:last-of-type{margin-left:0;margin-right:-3px;width:3px}.tabulator.tabulator-rtl .tabulator-footer .tabulator-calcs-holder{text-align:initial}.tabulator-print-fullscreen{bottom:0;left:0;position:absolute;right:0;top:0;z-index:10000}body.tabulator-print-fullscreen-hide>:not(.tabulator-print-fullscreen){display:none!important}.tabulator-print-table{border-collapse:collapse}.tabulator-print-table .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-print-table .tabulator-print-table-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-print-table-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-print-table .tabulator-print-table-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-1 td{padding-left:30px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-2 td{padding-left:50px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-3 td{padding-left:70px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-4 td{padding-left:90px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-5 td{padding-left:110px!important}.tabulator-print-table .tabulator-print-table-group .tabulator-group-toggle{display:inline-block}.tabulator-print-table .tabulator-print-table-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-print-table .tabulator-print-table-group span{color:#d00;margin-left:10px}.tabulator-print-table .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}
 /*# sourceMappingURL=tabulator.min.css.map */
\ No newline at end of file
diff --git a/misc/theme-tukan/Makefile b/misc/theme-tukan/Makefile
index cf339ac2d5..d1cc287bd3 100644
--- a/misc/theme-tukan/Makefile
+++ b/misc/theme-tukan/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-tukan
-PLUGIN_VERSION=		1.30
+PLUGIN_VERSION=		1.31
 PLUGIN_COMMENT=		The tukan theme - blue/white
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/opnsense-bootgrid.css b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/opnsense-bootgrid.css
index 4e997565c3..bc23035f33 100644
--- a/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/opnsense-bootgrid.css
+++ b/misc/theme-tukan/src/opnsense/www/themes/tukan/build/css/opnsense-bootgrid.css
@@ -40,7 +40,7 @@
 
 .tabulator-row {
   background-color: transparent;
-  color: #bac3ca;
+  color: #000;
 }
 
 .tabulator-row.tabulator-row-odd {
@@ -210,11 +210,6 @@
   padding-right: 20px;
 }
 
-.bootgrid-footer-commands {
-  width: 90px;
-  padding-left: 8px;
-}
-
 .tabulator-tableholder::after {
   content: "";
   display: block;
diff --git a/misc/theme-vicuna/Makefile b/misc/theme-vicuna/Makefile
index 80af9cb0ed..7db2ab4bea 100644
--- a/misc/theme-vicuna/Makefile
+++ b/misc/theme-vicuna/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-vicuna
-PLUGIN_VERSION=		1.50
+PLUGIN_VERSION=		1.51
 PLUGIN_COMMENT=		The vicuna theme - blue sapphire
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
index 21ce95b59e..03477ce3ad 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
@@ -210,11 +210,6 @@
   padding-right: 20px;
 }
 
-.bootgrid-footer-commands {
-  width: 90px;
-  padding-left: 8px;
-}
-
 .tabulator-tableholder::after {
   content: "";
   display: block;
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tabulator.min.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tabulator.min.css
index 7034e96558..aeff5d2d87 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tabulator.min.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/tabulator.min.css
@@ -1,2 +1,2 @@
-.tabulator{background-color:#888;border:1px solid #191919;font-size:14px;overflow:hidden;position:relative;text-align:left;-webkit-transform:translateZ(0);-moz-transform:translateZ(0);-ms-transform:translateZ(0);-o-transform:translateZ(0);transform:translateZ(0)}.tabulator[tabulator-layout=fitDataFill] .tabulator-tableholder .tabulator-table{min-width:100%}.tabulator[tabulator-layout=fitDataTable]{display:inline-block}.tabulator.tabulator-block-select,.tabulator.tabulator-ranges .tabulator-cell:not(.tabulator-editing){user-select:none; }.tabulator .tabulator-header{background-color:#e6e6e6;border-bottom:1px solid #999;box-sizing:border-box;color:#555;font-weight:700;outline:none;overflow:hidden;position:relative;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap;width:100%}.tabulator .tabulator-header.tabulator-header-hidden{display:none}.tabulator .tabulator-header .tabulator-header-contents{overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-header-contents .tabulator-headers{display:inline-block}.tabulator .tabulator-header .tabulator-col{background:#e6e6e6;border-right:1px solid #aaa;box-sizing:border-box;display:inline-flex;flex-direction:column;justify-content:flex-start;overflow:hidden;position:relative;text-align:left;vertical-align:bottom}.tabulator .tabulator-header .tabulator-col.tabulator-moving{background:#cdcdcd;border:1px solid #999;pointer-events:none;position:absolute}.tabulator .tabulator-header .tabulator-col.tabulator-range-highlight{background-color:#d6d6d6;color:#000}.tabulator .tabulator-header .tabulator-col.tabulator-range-selected{background-color:#3876ca;color:#fff}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{box-sizing:border-box;padding:4px;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button{padding:0 8px}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button:hover{cursor:pointer;opacity:.6}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title-holder{position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title{box-sizing:border-box;overflow:hidden;text-overflow:ellipsis;vertical-align:bottom;white-space:nowrap;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title.tabulator-col-title-wrap{text-overflow:clip;white-space:normal}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-title-editor{background:#fff;border:1px solid #999;box-sizing:border-box;padding:1px;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-header-popup-button+.tabulator-title-editor{width:calc(100% - 22px)}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{align-items:center;bottom:0;display:flex;position:absolute;right:4px;top:0}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-left:6px solid transparent;border-right:6px solid transparent;height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{border-top:1px solid #aaa;display:flex;margin-right:-1px;overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter{box-sizing:border-box;margin-top:2px;position:relative;text-align:center;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter textarea{height:auto!important}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter svg{margin-top:3px}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter input::-ms-clear{height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-right:25px}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover{background-color:#cdcdcd;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter{color:#bbb}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #666;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-top:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:none;border-top:6px solid #666;color:#666}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical .tabulator-col-content .tabulator-col-title{align-items:center;display:flex;justify-content:center;text-orientation:mixed;writing-mode:vertical-rl}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-col-vertical-flip .tabulator-col-title{transform:rotate(180deg)}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-title{padding-right:0;padding-top:20px}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable.tabulator-col-vertical-flip .tabulator-col-title{padding-bottom:20px;padding-right:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-sorter{bottom:auto;justify-content:center;left:0;right:0;top:4px}.tabulator .tabulator-header .tabulator-frozen{left:0;position:sticky;z-index:11}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator .tabulator-header .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;display:inline-block}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-header .tabulator-frozen-rows-holder{display:inline-block}.tabulator .tabulator-header .tabulator-frozen-rows-holder:empty{display:none}.tabulator .tabulator-tableholder{-webkit-overflow-scrolling:touch;overflow:auto;position:relative;white-space:nowrap;width:100%}.tabulator .tabulator-tableholder:focus{outline:none}.tabulator .tabulator-tableholder .tabulator-placeholder{align-items:center;box-sizing:border-box;display:flex;justify-content:center;min-width:100%;width:100%}.tabulator .tabulator-tableholder .tabulator-placeholder[tabulator-render-mode=virtual]{min-height:100%}.tabulator .tabulator-tableholder .tabulator-placeholder .tabulator-placeholder-contents{color:#ccc;display:inline-block;font-size:20px;font-weight:700;padding:10px;text-align:center;white-space:normal}.tabulator .tabulator-tableholder .tabulator-table{background-color:#fff;color:#333;display:inline-block;overflow:visible;position:relative;white-space:nowrap}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs{background:#e2e2e2!important;font-weight:700}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-top{border-bottom:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-bottom{border-top:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-range-overlay{inset:0;pointer-events:none;position:absolute;z-index:10}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range{border:1px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;position:absolute;right:-3px;width:6px}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range-cell-active{border:2px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-footer{background-color:#e6e6e6;border-top:1px solid #999;color:#555;font-weight:700;user-select:none;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap}.tabulator .tabulator-footer .tabulator-footer-contents{align-items:center;display:flex;flex-direction:row;justify-content:space-between;padding:5px 10px}.tabulator .tabulator-footer .tabulator-footer-contents:empty{display:none}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs{margin-top:-5px;overflow-x:auto}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab{border:1px solid #999;border-bottom-left-radius:5px;border-bottom-right-radius:5px;border-top:none;display:inline-block;font-size:.9em;padding:5px}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab:hover{cursor:pointer;opacity:.7}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab.tabulator-spreadsheet-tab-active{background:#fff}.tabulator .tabulator-footer .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;overflow:hidden;text-align:left;width:100%}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important;display:inline-block}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-footer .tabulator-calcs-holder:only-child{border-bottom:none;margin-bottom:-5px}.tabulator .tabulator-footer>*+.tabulator-page-counter{margin-left:10px}.tabulator .tabulator-footer .tabulator-page-counter{font-weight:400}.tabulator .tabulator-footer .tabulator-paginator{color:#555;flex:1;font-family:inherit;font-size:inherit;font-weight:inherit;text-align:right}.tabulator .tabulator-footer .tabulator-page-size{border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 5px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-pages{margin:0 7px}.tabulator .tabulator-footer .tabulator-page{background:hsla(0,0%,100%,.2);border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 2px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-page.active{color:#d00}.tabulator .tabulator-footer .tabulator-page:disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-footer .tabulator-page:not(disabled):hover{background:rgba(0,0,0,.2);color:#fff;cursor:pointer}}.tabulator .tabulator-col-resize-handle{display:inline-block;margin-left:-3px;margin-right:-3px;position:relative;vertical-align:middle;width:6px;z-index:11}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-col-resize-handle:hover{cursor:ew-resize}}.tabulator .tabulator-col-resize-handle:last-of-type{margin-right:0;width:3px}.tabulator .tabulator-col-resize-guide{background-color:#999;height:100%;margin-left:-.5px;opacity:.5;position:absolute;top:0;width:4px}.tabulator .tabulator-row-resize-guide{background-color:#999;height:4px;left:0;margin-top:-.5px;opacity:.5;position:absolute;width:100%}.tabulator .tabulator-alert{align-items:center;background:rgba(0,0,0,.4);display:flex;height:100%;left:0;position:absolute;text-align:center;top:0;width:100%;z-index:100}.tabulator .tabulator-alert .tabulator-alert-msg{background:#fff;border-radius:10px;display:inline-block;font-size:16px;font-weight:700;margin:0 auto;padding:10px 20px}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{border:4px solid #333;color:#000}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error{border:4px solid #d00;color:#590000}.tabulator-row{background-color:#fff;box-sizing:border-box;min-height:22px;position:relative}.tabulator-row.tabulator-row-even{background-color:#efefef}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selectable:hover{background-color:#bbb;cursor:pointer}}.tabulator-row.tabulator-selected{background-color:#9abcea}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selected:hover{background-color:#769bcc;cursor:pointer}}.tabulator-row.tabulator-row-moving{background:#fff;border:1px solid #000}.tabulator-row.tabulator-moving{border-bottom:1px solid #aaa;border-top:1px solid #aaa;pointer-events:none;position:absolute;z-index:15}.tabulator-row.tabulator-range-highlight .tabulator-cell.tabulator-range-row-header{background-color:#d6d6d6;color:#000}.tabulator-row.tabulator-range-highlight.tabulator-range-selected .tabulator-cell.tabulator-range-row-header,.tabulator-row.tabulator-range-selected .tabulator-cell.tabulator-range-row-header{background-color:#3876ca;color:#fff}.tabulator-row .tabulator-row-resize-handle{bottom:0;height:5px;left:0;position:absolute;right:0}.tabulator-row .tabulator-row-resize-handle.prev{bottom:auto;top:0}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-row-resize-handle:hover{cursor:ns-resize}}.tabulator-row .tabulator-responsive-collapse{border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;padding:5px}.tabulator-row .tabulator-responsive-collapse:empty{display:none}.tabulator-row .tabulator-responsive-collapse table{font-size:14px}.tabulator-row .tabulator-responsive-collapse table tr td{position:relative}.tabulator-row .tabulator-responsive-collapse table tr td:first-of-type{padding-right:10px}.tabulator-row .tabulator-cell{border-right:1px solid #aaa;box-sizing:border-box;display:inline-block;outline:none;overflow:hidden;padding:4px;position:relative;text-overflow:ellipsis;vertical-align:middle;white-space:nowrap}.tabulator-row .tabulator-cell.tabulator-row-header{background:#e6e6e6;border-bottom:1px solid #aaa;border-right:1px solid #999}.tabulator-row .tabulator-cell.tabulator-frozen{background-color:inherit;display:inline-block;left:0;position:sticky;z-index:11}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-right:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-left:2px solid #151515}.tabulator-row .tabulator-cell.tabulator-editing{border:1px solid #1d68cd;outline:none;padding:0}.tabulator-row .tabulator-cell.tabulator-editing input,.tabulator-row .tabulator-cell.tabulator-editing select{background:transparent;border:1px;outline:none}.tabulator-row .tabulator-cell.tabulator-validation-fail{border:1px solid #d00}.tabulator-row .tabulator-cell.tabulator-validation-fail input,.tabulator-row .tabulator-cell.tabulator-validation-fail select{background:transparent;border:1px;color:#d00}.tabulator-row .tabulator-cell.tabulator-row-handle{align-items:center;display:inline-flex;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box{width:80%}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box .tabulator-row-handle-bar{background:#666;height:3px;margin-top:2px;width:100%}.tabulator-row .tabulator-cell.tabulator-range-selected:not(.tabulator-range-only-cell-selected):not(.tabulator-range-row-header){background-color:#9abcea}.tabulator-row .tabulator-cell .tabulator-data-tree-branch-empty{display:inline-block;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle{align-items:center;background:#666;border-radius:20px;color:#fff;display:inline-flex;font-size:1.1em;font-weight:700;height:15px;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;width:15px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle:hover{cursor:pointer;opacity:.7}}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-close{display:initial}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-open{display:none}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle svg{stroke:#fff}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle .tabulator-responsive-collapse-toggle-close{display:none}.tabulator-row .tabulator-cell .tabulator-traffic-light{border-radius:14px;display:inline-block;height:14px;width:14px}.tabulator-row.tabulator-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-row.tabulator-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-row.tabulator-group.tabulator-group-level-1{padding-left:30px}.tabulator-row.tabulator-group.tabulator-group-level-2{padding-left:50px}.tabulator-row.tabulator-group.tabulator-group-level-3{padding-left:70px}.tabulator-row.tabulator-group.tabulator-group-level-4{padding-left:90px}.tabulator-row.tabulator-group.tabulator-group-level-5{padding-left:110px}.tabulator-row.tabulator-group .tabulator-group-toggle{display:inline-block}.tabulator-row.tabulator-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-row.tabulator-group span{color:#d00;margin-left:10px}.tabulator-toggle{background:#dcdcdc;border:1px solid #ccc;box-sizing:border-box;display:flex;flex-direction:row}.tabulator-toggle.tabulator-toggle-on{background:#1c6cc2}.tabulator-toggle .tabulator-toggle-switch{background:#fff;border:1px solid #ccc;box-sizing:border-box}.tabulator-popup-container{-webkit-overflow-scrolling:touch;background:#fff;border:1px solid #aaa;box-shadow:0 0 5px 0 rgba(0,0,0,.2);box-sizing:border-box;display:inline-block;font-size:14px;overflow-y:auto;position:absolute;z-index:10000}.tabulator-popup{border-radius:3px;padding:5px}.tabulator-tooltip{border-radius:2px;box-shadow:none;font-size:12px;max-width:Min(500px,100%);padding:3px 5px;pointer-events:none}.tabulator-menu .tabulator-menu-item{box-sizing:border-box;padding:5px 10px;position:relative;user-select:none}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator-menu .tabulator-menu-item:not(.tabulator-menu-item-disabled):hover{background:#efefef;cursor:pointer}}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu{padding-right:25px}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu:after{border-color:#aaa;border-style:solid;border-width:1px 1px 0 0;content:"";display:inline-block;height:7px;position:absolute;right:10px;top:calc(5px + .4em);transform:rotate(45deg);vertical-align:top;width:7px}.tabulator-menu .tabulator-menu-separator{border-top:1px solid #aaa}.tabulator-edit-list{-webkit-overflow-scrolling:touch;font-size:14px;max-height:200px;overflow-y:auto}.tabulator-edit-list .tabulator-edit-list-item{color:#333;outline:none;padding:4px}.tabulator-edit-list .tabulator-edit-list-item.active{background:#1d68cd;color:#fff}.tabulator-edit-list .tabulator-edit-list-item.active.focused{outline:1px solid hsla(0,0%,100%,.5)}.tabulator-edit-list .tabulator-edit-list-item.focused{outline:1px solid #1d68cd}@media (hover:hover) and (pointer:fine){.tabulator-edit-list .tabulator-edit-list-item:hover{background:#1d68cd;color:#fff;cursor:pointer}}.tabulator-edit-list .tabulator-edit-list-placeholder{color:#333;padding:4px;text-align:center}.tabulator-edit-list .tabulator-edit-list-group{border-bottom:1px solid #aaa;color:#333;font-weight:700;padding:6px 4px 4px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-2,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-2{padding-left:12px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-3,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-3{padding-left:20px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-4,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-4{padding-left:28px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-5,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-5{padding-left:36px}.tabulator.tabulator-ltr{direction:ltr}.tabulator.tabulator-rtl{direction:rtl;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col{border-left:1px solid #aaa;border-right:initial;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{margin-left:-1px;margin-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-left:25px;padding-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{left:8px;right:auto}.tabulator.tabulator-rtl .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;left:-3px;position:absolute;right:auto;width:6px}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell{border-left:1px solid #aaa;border-right:initial}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom-left-radius:0;border-bottom-right-radius:1px;border-left:initial;border-right:2px solid #aaa;margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-control{margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-left:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-right:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-col-resize-handle:last-of-type{margin-left:0;margin-right:-3px;width:3px}.tabulator.tabulator-rtl .tabulator-footer .tabulator-calcs-holder{text-align:initial}.tabulator-print-fullscreen{bottom:0;left:0;position:absolute;right:0;top:0;z-index:10000}body.tabulator-print-fullscreen-hide>:not(.tabulator-print-fullscreen){display:none!important}.tabulator-print-table{border-collapse:collapse}.tabulator-print-table .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-print-table .tabulator-print-table-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-print-table-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-print-table .tabulator-print-table-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-1 td{padding-left:30px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-2 td{padding-left:50px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-3 td{padding-left:70px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-4 td{padding-left:90px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-5 td{padding-left:110px!important}.tabulator-print-table .tabulator-print-table-group .tabulator-group-toggle{display:inline-block}.tabulator-print-table .tabulator-print-table-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-print-table .tabulator-print-table-group span{color:#d00;margin-left:10px}.tabulator-print-table .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}
+.tabulator{background-color:#888;border:1px solid #999;font-size:14px;overflow:hidden;position:relative;text-align:left;-webkit-transform:translateZ(0);-moz-transform:translateZ(0);-ms-transform:translateZ(0);-o-transform:translateZ(0);transform:translateZ(0)}.tabulator[tabulator-layout=fitDataFill] .tabulator-tableholder .tabulator-table{min-width:100%}.tabulator[tabulator-layout=fitDataTable]{display:inline-block}.tabulator.tabulator-block-select,.tabulator.tabulator-ranges .tabulator-cell:not(.tabulator-editing){user-select:none}.tabulator .tabulator-header{background-color:#e6e6e6;border-bottom:1px solid #999;box-sizing:border-box;color:#555;font-weight:700;outline:none;overflow:hidden;position:relative;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap;width:100%}.tabulator .tabulator-header.tabulator-header-hidden{display:none}.tabulator .tabulator-header .tabulator-header-contents{overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-header-contents .tabulator-headers{display:inline-block}.tabulator .tabulator-header .tabulator-col{background:#e6e6e6;border-right:1px solid #aaa;box-sizing:border-box;display:inline-flex;flex-direction:column;justify-content:flex-start;overflow:hidden;position:relative;text-align:left;vertical-align:bottom}.tabulator .tabulator-header .tabulator-col.tabulator-moving{background:#cdcdcd;border:1px solid #999;pointer-events:none;position:absolute}.tabulator .tabulator-header .tabulator-col.tabulator-range-highlight{background-color:#d6d6d6;color:#000}.tabulator .tabulator-header .tabulator-col.tabulator-range-selected{background-color:#3876ca;color:#fff}.tabulator .tabulator-header .tabulator-col .tabulator-col-content{box-sizing:border-box;padding:4px;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button{padding:0 8px}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-header-popup-button:hover{cursor:pointer;opacity:.6}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title-holder{position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title{box-sizing:border-box;overflow:hidden;text-overflow:ellipsis;vertical-align:bottom;white-space:nowrap;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title.tabulator-col-title-wrap{text-overflow:clip;white-space:normal}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-title-editor{background:#fff;border:1px solid #999;box-sizing:border-box;padding:1px;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-title .tabulator-header-popup-button+.tabulator-title-editor{width:calc(100% - 22px)}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{align-items:center;bottom:0;display:flex;position:absolute;right:4px;top:0}.tabulator .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-left:6px solid transparent;border-right:6px solid transparent;height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{border-top:1px solid #aaa;display:flex;margin-right:-1px;overflow:hidden;position:relative}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter{box-sizing:border-box;margin-top:2px;position:relative;text-align:center;width:100%}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter textarea{height:auto!important}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter svg{margin-top:3px}.tabulator .tabulator-header .tabulator-col .tabulator-header-filter input::-ms-clear{height:0;width:0}.tabulator .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-right:25px}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable.tabulator-col-sorter-element:hover{background-color:#cdcdcd;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter{color:#bbb}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=none] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #bbb;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-bottom:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=ascending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:6px solid #666;border-top:none}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter{color:#666}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter.tabulator-col-sorter-element .tabulator-arrow:hover{border-top:6px solid #555;cursor:pointer}}.tabulator .tabulator-header .tabulator-col.tabulator-sortable[aria-sort=descending] .tabulator-col-content .tabulator-col-sorter .tabulator-arrow{border-bottom:none;border-top:6px solid #666;color:#666}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical .tabulator-col-content .tabulator-col-title{align-items:center;display:flex;justify-content:center;text-orientation:mixed;writing-mode:vertical-rl}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-col-vertical-flip .tabulator-col-title{transform:rotate(180deg)}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-title{padding-right:0;padding-top:20px}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable.tabulator-col-vertical-flip .tabulator-col-title{padding-bottom:20px;padding-right:0}.tabulator .tabulator-header .tabulator-col.tabulator-col-vertical.tabulator-sortable .tabulator-col-sorter{bottom:auto;justify-content:center;left:0;right:0;top:4px}.tabulator .tabulator-header .tabulator-frozen{left:0;position:sticky;z-index:11}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-left{border-right:2px solid #aaa}.tabulator .tabulator-header .tabulator-frozen.tabulator-frozen-right{border-left:2px solid #191919}.tabulator .tabulator-header .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;display:inline-block}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important}.tabulator .tabulator-header .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-header .tabulator-frozen-rows-holder{display:inline-block}.tabulator .tabulator-header .tabulator-frozen-rows-holder:empty{display:none}.tabulator .tabulator-tableholder{-webkit-overflow-scrolling:touch;overflow:auto;position:relative;white-space:nowrap;width:100%}.tabulator .tabulator-tableholder:focus{outline:none}.tabulator .tabulator-tableholder .tabulator-placeholder{align-items:center;box-sizing:border-box;display:flex;justify-content:center;min-width:100%;width:100%}.tabulator .tabulator-tableholder .tabulator-placeholder[tabulator-render-mode=virtual]{min-height:100%}.tabulator .tabulator-tableholder .tabulator-placeholder .tabulator-placeholder-contents{color:#ccc;display:inline-block;font-size:20px;font-weight:700;padding:10px;text-align:center;white-space:normal}.tabulator .tabulator-tableholder .tabulator-table{background-color:#fff;color:#333;display:inline-block;overflow:visible;position:relative;white-space:nowrap}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs{background:#e2e2e2!important;font-weight:700}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-top{border-bottom:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-table .tabulator-row.tabulator-calcs.tabulator-calcs-bottom{border-top:2px solid #aaa}.tabulator .tabulator-tableholder .tabulator-range-overlay{inset:0;pointer-events:none;position:absolute;z-index:10}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range{border:1px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;position:absolute;right:-3px;width:6px}.tabulator .tabulator-tableholder .tabulator-range-overlay .tabulator-range-cell-active{border:2px solid #2975dd;box-sizing:border-box;position:absolute}.tabulator .tabulator-footer{background-color:#e6e6e6;border-top:1px solid #999;color:#555;font-weight:700;user-select:none;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;white-space:nowrap}.tabulator .tabulator-footer .tabulator-footer-contents{align-items:center;display:flex;flex-direction:row;justify-content:space-between;padding:5px 10px}.tabulator .tabulator-footer .tabulator-footer-contents:empty{display:none}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs{margin-top:-5px;overflow-x:auto}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab{border:1px solid #999;border-bottom-left-radius:5px;border-bottom-right-radius:5px;border-top:none;display:inline-block;font-size:.9em;padding:5px}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab:hover{cursor:pointer;opacity:.7}.tabulator .tabulator-footer .tabulator-spreadsheet-tabs .tabulator-spreadsheet-tab.tabulator-spreadsheet-tab-active{background:#fff}.tabulator .tabulator-footer .tabulator-calcs-holder{background:#f3f3f3!important;border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;overflow:hidden;text-align:left;width:100%}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row{background:#f3f3f3!important;display:inline-block}.tabulator .tabulator-footer .tabulator-calcs-holder .tabulator-row .tabulator-col-resize-handle{display:none}.tabulator .tabulator-footer .tabulator-calcs-holder:only-child{border-bottom:none;margin-bottom:-5px}.tabulator .tabulator-footer>*+.tabulator-page-counter{margin-left:10px}.tabulator .tabulator-footer .tabulator-page-counter{font-weight:400}.tabulator .tabulator-footer .tabulator-paginator{color:#555;flex:1;font-family:inherit;font-size:inherit;font-weight:inherit;text-align:right}.tabulator .tabulator-footer .tabulator-page-size{border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 5px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-pages{margin:0 7px}.tabulator .tabulator-footer .tabulator-page{background:hsla(0,0%,100%,.2);border:1px solid #aaa;border-radius:3px;display:inline-block;margin:0 2px;padding:2px 5px}.tabulator .tabulator-footer .tabulator-page.active{color:#d00}.tabulator .tabulator-footer .tabulator-page:disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-footer .tabulator-page:not(disabled):hover{background:rgba(0,0,0,.2);color:#fff;cursor:pointer}}.tabulator .tabulator-col-resize-handle{display:inline-block;margin-left:-3px;margin-right:-3px;position:relative;vertical-align:middle;width:6px;z-index:11}@media (hover:hover) and (pointer:fine){.tabulator .tabulator-col-resize-handle:hover{cursor:ew-resize}}.tabulator .tabulator-col-resize-handle:last-of-type{margin-right:0;width:3px}.tabulator .tabulator-col-resize-guide{background-color:#999;height:100%;margin-left:-.5px;opacity:.5;position:absolute;top:0;width:4px}.tabulator .tabulator-row-resize-guide{background-color:#999;height:4px;left:0;margin-top:-.5px;opacity:.5;position:absolute;width:100%}.tabulator .tabulator-alert{align-items:center;background:rgba(0,0,0,.4);display:flex;height:100%;left:0;position:absolute;text-align:center;top:0;width:100%;z-index:100}.tabulator .tabulator-alert .tabulator-alert-msg{background:#fff;border-radius:10px;display:inline-block;font-size:16px;font-weight:700;margin:0 auto;padding:10px 20px}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-msg{border:4px solid #333;color:#000}.tabulator .tabulator-alert .tabulator-alert-msg.tabulator-alert-state-error{border:4px solid #d00;color:#590000}.tabulator-row{background-color:#fff;box-sizing:border-box;min-height:22px;position:relative}.tabulator-row.tabulator-row-even{background-color:#efefef}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selectable:hover{background-color:#bbb;cursor:pointer}}.tabulator-row.tabulator-selected{background-color:#9abcea}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-selected:hover{background-color:#769bcc;cursor:pointer}}.tabulator-row.tabulator-row-moving{background:#fff;border:1px solid #000}.tabulator-row.tabulator-moving{border-bottom:1px solid #aaa;border-top:1px solid #aaa;pointer-events:none;position:absolute;z-index:15}.tabulator-row.tabulator-range-highlight .tabulator-cell.tabulator-range-row-header{background-color:#d6d6d6;color:#000}.tabulator-row.tabulator-range-highlight.tabulator-range-selected .tabulator-cell.tabulator-range-row-header,.tabulator-row.tabulator-range-selected .tabulator-cell.tabulator-range-row-header{background-color:#3876ca;color:#fff}.tabulator-row .tabulator-row-resize-handle{bottom:0;height:5px;left:0;position:absolute;right:0}.tabulator-row .tabulator-row-resize-handle.prev{bottom:auto;top:0}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-row-resize-handle:hover{cursor:ns-resize}}.tabulator-row .tabulator-responsive-collapse{border-bottom:1px solid #aaa;border-top:1px solid #aaa;box-sizing:border-box;padding:5px}.tabulator-row .tabulator-responsive-collapse:empty{display:none}.tabulator-row .tabulator-responsive-collapse table{font-size:14px}.tabulator-row .tabulator-responsive-collapse table tr td{position:relative}.tabulator-row .tabulator-responsive-collapse table tr td:first-of-type{padding-right:10px}.tabulator-row .tabulator-cell{border-right:1px solid #aaa;box-sizing:border-box;display:inline-block;outline:none;overflow:hidden;padding:4px;position:relative;text-overflow:ellipsis;vertical-align:middle;white-space:nowrap}.tabulator-row .tabulator-cell.tabulator-row-header{background:#e6e6e6;border-bottom:1px solid #aaa;border-right:1px solid #999}.tabulator-row .tabulator-cell.tabulator-frozen{background-color:inherit;display:inline-block;left:0;position:sticky;z-index:11}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-right:2px solid #aaa}.tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-left:2px solid #191919}.tabulator-row .tabulator-cell.tabulator-editing{border:1px solid #1d68cd;outline:none;padding:0}.tabulator-row .tabulator-cell.tabulator-editing input,.tabulator-row .tabulator-cell.tabulator-editing select{background:transparent;border:1px;outline:none}.tabulator-row .tabulator-cell.tabulator-validation-fail{border:1px solid #d00}.tabulator-row .tabulator-cell.tabulator-validation-fail input,.tabulator-row .tabulator-cell.tabulator-validation-fail select{background:transparent;border:1px;color:#d00}.tabulator-row .tabulator-cell.tabulator-row-handle{align-items:center;display:inline-flex;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box{width:80%}.tabulator-row .tabulator-cell.tabulator-row-handle .tabulator-row-handle-box .tabulator-row-handle-bar{background:#666;height:3px;margin-top:2px;width:100%}.tabulator-row .tabulator-cell.tabulator-range-selected:not(.tabulator-range-only-cell-selected):not(.tabulator-range-row-header){background-color:#9abcea}.tabulator-row .tabulator-cell .tabulator-data-tree-branch-empty{display:inline-block;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0);border:1px solid #fdfdfd;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#fff;display:inline-block;height:7px;position:relative;width:1px}.tabulator-row .tabulator-cell .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#fff;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle{align-items:center;background:#666;border-radius:20px;color:#fff;display:inline-flex;font-size:1.1em;font-weight:700;height:15px;justify-content:center;-moz-user-select:none;-khtml-user-select:none;-webkit-user-select:none;-o-user-select:none;width:15px}@media (hover:hover) and (pointer:fine){.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle:hover{cursor:pointer;opacity:.7}}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-close{display:initial}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle.open .tabulator-responsive-collapse-toggle-open{display:none}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle svg{stroke:#fff}.tabulator-row .tabulator-cell .tabulator-responsive-collapse-toggle .tabulator-responsive-collapse-toggle-close{display:none}.tabulator-row .tabulator-cell .tabulator-traffic-light{border-radius:14px;display:inline-block;height:14px;width:14px}.tabulator-row.tabulator-group{background:#191919;border-bottom:1px solid #191919;border-right:1px solid #191919;border-top:1px solid #191919;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-row.tabulator-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-row.tabulator-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-row.tabulator-group.tabulator-group-level-1{padding-left:30px}.tabulator-row.tabulator-group.tabulator-group-level-2{padding-left:50px}.tabulator-row.tabulator-group.tabulator-group-level-3{padding-left:70px}.tabulator-row.tabulator-group.tabulator-group-level-4{padding-left:90px}.tabulator-row.tabulator-group.tabulator-group-level-5{padding-left:110px}.tabulator-row.tabulator-group .tabulator-group-toggle{display:inline-block}.tabulator-row.tabulator-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-row.tabulator-group span{color:#d00;margin-left:10px}.tabulator-toggle{background:#dcdcdc;border:1px solid #ccc;box-sizing:border-box;display:flex;flex-direction:row}.tabulator-toggle.tabulator-toggle-on{background:#1c6cc2}.tabulator-toggle .tabulator-toggle-switch{background:#fff;border:1px solid #ccc;box-sizing:border-box}.tabulator-popup-container{-webkit-overflow-scrolling:touch;background:#fff;border:1px solid #aaa;box-shadow:0 0 5px 0 rgba(0,0,0,.2);box-sizing:border-box;display:inline-block;font-size:14px;overflow-y:auto;position:absolute;z-index:10000}.tabulator-popup{border-radius:3px;padding:5px}.tabulator-tooltip{border-radius:2px;box-shadow:none;font-size:12px;max-width:Min(500px,100%);padding:3px 5px;pointer-events:none}.tabulator-menu .tabulator-menu-item{box-sizing:border-box;padding:5px 10px;position:relative;user-select:none}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-disabled{opacity:.5}@media (hover:hover) and (pointer:fine){.tabulator-menu .tabulator-menu-item:not(.tabulator-menu-item-disabled):hover{background:#efefef;cursor:pointer}}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu{padding-right:25px}.tabulator-menu .tabulator-menu-item.tabulator-menu-item-submenu:after{border-color:#aaa;border-style:solid;border-width:1px 1px 0 0;content:"";display:inline-block;height:7px;position:absolute;right:10px;top:calc(5px + .4em);transform:rotate(45deg);vertical-align:top;width:7px}.tabulator-menu .tabulator-menu-separator{border-top:1px solid #aaa}.tabulator-edit-list{-webkit-overflow-scrolling:touch;font-size:14px;max-height:200px;overflow-y:auto}.tabulator-edit-list .tabulator-edit-list-item{color:#333;outline:none;padding:4px}.tabulator-edit-list .tabulator-edit-list-item.active{background:#1d68cd;color:#fff}.tabulator-edit-list .tabulator-edit-list-item.active.focused{outline:1px solid hsla(0,0%,100%,.5)}.tabulator-edit-list .tabulator-edit-list-item.focused{outline:1px solid #1d68cd}@media (hover:hover) and (pointer:fine){.tabulator-edit-list .tabulator-edit-list-item:hover{background:#1d68cd;color:#fff;cursor:pointer}}.tabulator-edit-list .tabulator-edit-list-placeholder{color:#333;padding:4px;text-align:center}.tabulator-edit-list .tabulator-edit-list-group{border-bottom:1px solid #aaa;color:#333;font-weight:700;padding:6px 4px 4px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-2,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-2{padding-left:12px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-3,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-3{padding-left:20px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-4,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-4{padding-left:28px}.tabulator-edit-list .tabulator-edit-list-group.tabulator-edit-list-group-level-5,.tabulator-edit-list .tabulator-edit-list-item.tabulator-edit-list-group-level-5{padding-left:36px}.tabulator.tabulator-ltr{direction:ltr}.tabulator.tabulator-rtl{direction:rtl;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col{border-left:1px solid #aaa;border-right:initial;text-align:initial}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-col-group .tabulator-col-group-cols{margin-left:-1px;margin-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col.tabulator-sortable .tabulator-col-title{padding-left:25px;padding-right:0}.tabulator.tabulator-rtl .tabulator-header .tabulator-col .tabulator-col-content .tabulator-col-sorter{left:8px;right:auto}.tabulator.tabulator-rtl .tabulator-tableholder .tabulator-range-overlay .tabulator-range.tabulator-range-active:after{background-color:#2975dd;border-radius:999px;bottom:-3px;content:"";height:6px;left:-3px;position:absolute;right:auto;width:6px}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell{border-left:1px solid #aaa;border-right:initial}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-branch{border-bottom-left-radius:0;border-bottom-right-radius:1px;border-left:initial;border-right:2px solid #aaa;margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell .tabulator-data-tree-control{margin-left:5px;margin-right:0}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-left{border-left:2px solid #aaa}.tabulator.tabulator-rtl .tabulator-row .tabulator-cell.tabulator-frozen.tabulator-frozen-right{border-right:2px solid #191919}.tabulator.tabulator-rtl .tabulator-row .tabulator-col-resize-handle:last-of-type{margin-left:0;margin-right:-3px;width:3px}.tabulator.tabulator-rtl .tabulator-footer .tabulator-calcs-holder{text-align:initial}.tabulator-print-fullscreen{bottom:0;left:0;position:absolute;right:0;top:0;z-index:10000}body.tabulator-print-fullscreen-hide>:not(.tabulator-print-fullscreen){display:none!important}.tabulator-print-table{border-collapse:collapse}.tabulator-print-table .tabulator-data-tree-branch{border-bottom:2px solid #aaa;border-bottom-left-radius:1px;border-left:2px solid #aaa;display:inline-block;height:9px;margin-right:5px;margin-top:-9px;vertical-align:middle;width:7px}.tabulator-print-table .tabulator-print-table-group{background:#ccc;border-bottom:1px solid #999;border-right:1px solid #aaa;border-top:1px solid #999;box-sizing:border-box;font-weight:700;min-width:100%;padding:5px 5px 5px 10px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-print-table-group:hover{background-color:rgba(0,0,0,.1);cursor:pointer}}.tabulator-print-table .tabulator-print-table-group.tabulator-group-visible .tabulator-arrow{border-bottom:0;border-left:6px solid transparent;border-right:6px solid transparent;border-top:6px solid #666;margin-right:10px}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-1 td{padding-left:30px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-2 td{padding-left:50px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-3 td{padding-left:70px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-4 td{padding-left:90px!important}.tabulator-print-table .tabulator-print-table-group.tabulator-group-level-5 td{padding-left:110px!important}.tabulator-print-table .tabulator-print-table-group .tabulator-group-toggle{display:inline-block}.tabulator-print-table .tabulator-print-table-group .tabulator-arrow{border-bottom:6px solid transparent;border-left:6px solid #666;border-right:0;border-top:6px solid transparent;display:inline-block;height:0;margin-right:16px;vertical-align:middle;width:0}.tabulator-print-table .tabulator-print-table-group span{color:#d00;margin-left:10px}.tabulator-print-table .tabulator-data-tree-control{align-items:center;background:rgba(0,0,0,.1);border:1px solid #333;border-radius:2px;display:inline-flex;height:11px;justify-content:center;margin-right:5px;overflow:hidden;vertical-align:middle;width:11px}@media (hover:hover) and (pointer:fine){.tabulator-print-table .tabulator-data-tree-control:hover{background:rgba(0,0,0,.2);cursor:pointer}}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse{background:transparent;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-collapse:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand{background:#333;display:inline-block;height:7px;position:relative;width:1px}.tabulator-print-table .tabulator-data-tree-control .tabulator-data-tree-control-expand:after{background:#333;content:"";height:1px;left:-3px;position:absolute;top:3px;width:7px}
 /*# sourceMappingURL=tabulator.min.css.map */
\ No newline at end of file

From 5c705233079d08a468b9123518fe397d32a14ab9 Mon Sep 17 00:00:00 2001
From: 7Knights <sevengiants@users.noreply.github.com>
Date: Fri, 20 Feb 2026 08:36:40 -0500
Subject: [PATCH 2987/3088] Fix the os-redis service page status issue (#5241)

---
 .../opnsense/mvc/app/views/OPNsense/Redis/index.volt  | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/databases/redis/src/opnsense/mvc/app/views/OPNsense/Redis/index.volt b/databases/redis/src/opnsense/mvc/app/views/OPNsense/Redis/index.volt
index bf0bc4d96f..e031f94867 100644
--- a/databases/redis/src/opnsense/mvc/app/views/OPNsense/Redis/index.volt
+++ b/databases/redis/src/opnsense/mvc/app/views/OPNsense/Redis/index.volt
@@ -34,12 +34,11 @@ $( document ).ready(function() {
     mapDataToFormUI(data_get_map).done(function(){
         formatTokenizersUI();
         $('.selectpicker').selectpicker('refresh');
-        // request service status on load and update status box
-        ajaxCall(url="/api/redis/service/status", sendData={}, callback=function(data,status) {
-            updateServiceStatusUI(data['status']);
-        });
     });
 
+    // request service status on load and update status box
+    updateServiceControlUI('redis');
+
     // update history on tab state and implement navigation
     if(window.location.hash != "") {
         $('a[href="' + window.location.hash + '"]').click()
@@ -73,9 +72,7 @@ $( document ).ready(function() {
                             draggable: true
                         });
                     } else {
-                        ajaxCall(url="/api/redis/service/status", sendData={}, callback=function(data,status) {
-                            updateServiceStatusUI(data['status']);
-                        });
+                        updateServiceControlUI('redis');
                     }
                 });
             });

From a6acffd7fe2038492aa55ecadce2168a09f0f0b6 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Mon, 23 Feb 2026 12:57:53 +0100
Subject: [PATCH 2988/3088] Update contributing with a small section about new
 plugins (#5231)

---
 CONTRIBUTING.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5bd849c95e..b35353f5e0 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -47,3 +47,16 @@ When creating pull request, please heed the following:
 * Code review may ensue in order to help shape your proposal
 * Pull request must adhere to 2-Clause BSD licensing
 * Explain the problem and your proposed solution
+
+New plugins
+-----------
+
+The pull request notes apply, but with the following additional points:
+
+* Open an issue first to explain what you want to work on and give it time for discussion
+* If you are integrating a service binary it should at least be available in FreeBSD ports
+* Precompiled binaries in the plugins are not allowed
+* Plugins should almost always focus on integrating an existing service and providing MVC/API GUI pages for it
+* It is not possible to review and integrate plugins with a large initial codebase
+* If you use AI tools in your submission please disclose their use (name and model)
+* Even though you are the maintainer you effectively force burden of maintainership to the community and OPNsense developers as soon as you open your first PR

From 11764a1dc451dd949bf7e4140164c15d9c9ee757 Mon Sep 17 00:00:00 2001
From: Sam Sheridan <sheridans@users.noreply.github.com>
Date: Tue, 24 Feb 2026 14:25:50 +0000
Subject: [PATCH 2989/3088] security/tailscale: Set auth key to optional in UI
 (#5065)

---
 security/tailscale/Makefile                                   | 2 +-
 security/tailscale/pkg-descr                                  | 4 ++++
 .../controllers/OPNsense/Tailscale/forms/authentication.xml   | 3 ++-
 .../mvc/app/models/OPNsense/Tailscale/Authentication.xml      | 2 +-
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index 6c95b7cd0e..67a3f4be5d 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tailscale
-PLUGIN_VERSION=		1.3
+PLUGIN_VERSION=		1.4
 PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS=		tailscale
 PLUGIN_MAINTAINER=	sam@sheridan.uk
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index b2066fa79c..2676046f4f 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -6,6 +6,10 @@ https://tailscale.com/
 Plugin Changelog
 ================
 
+1.4
+
+* set pre-auth key field in UI to optional, enables registration via pre-auth key or AuthURL from status page
+
 1.3
 
 * modify RC script to prevent re-using auth key if already authenticated
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/authentication.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/authentication.xml
index b2bcae8b3a..2a0c126e55 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/authentication.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/authentication.xml
@@ -9,6 +9,7 @@
         <id>authentication.preAuthKey</id>
         <label>Pre-authentication Key</label>
         <type>text</type>
-        <help>Use a non-reusable auth key and disable expiration</help>
+        <help>Use a non-reusable auth key and disable expiration (optional). If not specified use AuthURL from Status page</help>
+        <advanced>true</advanced>
     </field>
 </form>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
index b1b404f48d..dce55a679c 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
@@ -8,7 +8,7 @@
             <ValidationMessage>Please enter a valid URL</ValidationMessage>
         </loginServer>
         <preAuthKey type="TextField">
-            <Required>Y</Required>
+            <Required>N</Required>
         </preAuthKey>
     </items>
 </model>

From cb77c1e6168d6bd4f2c2e212905cc35ab607cc1a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 24 Feb 2026 15:55:19 +0100
Subject: [PATCH 2990/3088] security/tailscale: model changes, default
 validation message is enough

---
 .../mvc/app/models/OPNsense/Tailscale/Authentication.xml     | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
index dce55a679c..0c44860cd8 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Authentication.xml
@@ -5,10 +5,7 @@
         <loginServer type="UrlField">
             <Default>https://controlplane.tailscale.com</Default>
             <Required>Y</Required>
-            <ValidationMessage>Please enter a valid URL</ValidationMessage>
         </loginServer>
-        <preAuthKey type="TextField">
-            <Required>N</Required>
-        </preAuthKey>
+        <preAuthKey type="TextField"/>
     </items>
 </model>

From 63fc5442abb244de63113d847de9aa4cc1f45eb0 Mon Sep 17 00:00:00 2001
From: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
Date: Tue, 24 Feb 2026 16:00:57 +0100
Subject: [PATCH 2991/3088] security/netbird: Add SSH configuration options
 (#5113)

---
 security/netbird/Makefile                     |  2 +-
 .../OPNsense/Netbird/forms/settings.xml       | 30 +++++++++++++++++++
 .../app/models/OPNsense/Netbird/Settings.php  |  5 ++++
 .../app/models/OPNsense/Netbird/Settings.xml  | 22 +++++++++++++-
 4 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index 94edc0d4f2..f7c2e956fe 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		netbird
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
 PLUGIN_MAINTAINER=	dev@netbird.io
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
index 2f5f4224fc..7a2cb69c7b 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
@@ -42,6 +42,36 @@
         <type>checkbox</type>
         <help>Allows incoming SSH connections</help>
     </field>
+    <field>
+        <id>settings.ssh.enableRoot</id>
+        <label>Enable Root Login</label>
+        <type>checkbox</type>
+        <help>Allow root user login</help>
+    </field>
+    <field>
+        <id>settings.ssh.enableSFTP</id>
+        <label>Enable SFTP</label>
+        <type>checkbox</type>
+        <help>Enable SFTP subsystem for file transfers</help>
+    </field>
+    <field>
+        <id>settings.ssh.enableLocalPortForwarding</id>
+        <label>Enable Local Port Forwarding</label>
+        <type>checkbox</type>
+        <help>Allow clients to forward local ports through the server</help>
+    </field>
+    <field>
+        <id>settings.ssh.enableRemotePortForwarding</id>
+        <label>Enable Remote Port Forwarding</label>
+        <type>checkbox</type>
+        <help>Allow clients to request remote port forwarding</help>
+    </field>
+    <field>
+        <id>settings.ssh.enableAuth</id>
+        <label>Enable SSH Authentication</label>
+        <type>checkbox</type>
+        <help>Enable JWT authentication for SSH connections. When disabled, allows any peer with network access</help>
+    </field>
     <field>
         <type>header</type>
         <label>DNS</label>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
index 0de5371db4..4d3a3b4c41 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
@@ -46,6 +46,11 @@ public function syncConfig($target = '/var/db/netbird/config.json')
 
         $config["WgPort"] = (int)$this->general->wireguardPort->__toString();
         $config["ServerSSHAllowed"] = $this->ssh->enable->__toString() == 1;
+        $config["EnableSSHRoot"] = $this->ssh->enableRoot->__toString() == 1;
+        $config["EnableSSHSFTP"] = $this->ssh->enableSFTP->__toString() == 1;
+        $config["EnableSSHLocalPortForwarding"] = $this->ssh->enableLocalPortForwarding->__toString() == 1;
+        $config["EnableSSHRemotePortForwarding"] = $this->ssh->enableRemotePortForwarding->__toString() == 1;
+        $config["DisableSSHAuth"] = $this->ssh->enableAuth->__toString() != 1;
         $config["DisableFirewall"] = $this->firewall->allowConfig->__toString() != 1;
         $config["BlockInbound"] = $this->firewall->blockInboundConnection->__toString() == 1;
         $config["DisableDNS"] = $this->dns->enable->__toString() != 1;
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
index a99ce9985a..b606c6f75d 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/netbird/settings</mount>
     <description>NetBird settings</description>
-    <version>1.1.0</version>
+    <version>1.2.0</version>
     <items>
         <general>
             <enable type="BooleanField">
@@ -31,6 +31,26 @@
                 <Default>0</Default>
                 <Required>Y</Required>
             </enable>
+            <enableRoot type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enableRoot>
+            <enableSFTP type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enableSFTP>
+            <enableLocalPortForwarding type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enableLocalPortForwarding>
+            <enableRemotePortForwarding type="BooleanField">
+                <Default>0</Default>
+                <Required>Y</Required>
+            </enableRemotePortForwarding>
+            <enableAuth type="BooleanField">
+                <Default>1</Default>
+                <Required>Y</Required>
+            </enableAuth>
         </ssh>
         <dns>
             <enable type="BooleanField">

From 24c4f9a11150cbbbd607f2a01ff0d2461e4e5f5d Mon Sep 17 00:00:00 2001
From: Nuadh123 <lysfjord.daniel+github@smokepit.net>
Date: Tue, 24 Feb 2026 16:05:27 +0100
Subject: [PATCH 2992/3088] os-nextcloud-backup Add option to upload to one
 file each day instead of syncing the contents of /conf/backup/ (#5200)

---
 .../app/library/OPNsense/Backup/Nextcloud.php | 40 ++++++++++++++++++-
 .../OPNsense/Backup/NextcloudSettings.xml     |  6 ++-
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index e606c85160..438840c6c0 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -85,13 +85,19 @@ public function getConfigurationFields()
                 "label" => gettext("Directory Name without leading slash, starting from user's root"),
                 "value" => 'OPNsense-Backup'
             ),
+            array(
+                "name" => "strategy",
+                "type" => "checkbox",
+                "help" => gettext("Select this one to back up to a file named config-YYYYMMDD instead of syncing contents of /conf/backup"),
+                "label" => gettext("Daily file instead of sync all"),
+            ),
             array(
                 "name" => "addhostname",
                 "type" => "checkbox",
                 "label" => gettext("Backup to directory named after hostname"),
                 "help" => gettext("Create subdirectory under backupdir for this host"),
                 "value" => null
-            )
+            ),
         );
         $nextcloud = new NextcloudSettings();
         foreach ($fields as &$field) {
@@ -145,6 +151,9 @@ public function backup()
             $password = (string)$nextcloud->password;
             $backupdir = (string)$nextcloud->backupdir;
             $crypto_password = (string)$nextcloud->password_encryption;
+            $strategy = (string)$nextcloud->strategy;
+            // Strategy 0 = Sync /conf/backup
+            // Strategy 1 = Copy /conf/config.xml to $backupdir/conf-YYYYMMDD.xml
 
             if (!$nextcloud->addhostname->isEmpty()) {
                 $backupdir .= "/".gethostname()."/";
@@ -158,6 +167,35 @@ public function backup()
                 return array();
             }
 
+            // Backup strategy 1, sync /conf/config.xml to $backupdir/config-YYYYMMDD.xml
+            if ($strategy) {
+                $confdata = file_get_contents('/conf/config.xml');
+                $mdate = filemtime('/conf/config.xml');
+                $datestring = date('Ymd', $mdate);
+                $target_filename = 'config-' . $datestring . '.xml';
+                // Optionally encrypt
+                if (!empty($crypto_password)) {
+                    $confdata = $this->encrypt($confdata, $crypto_password);
+                }
+                try {
+                    $this->upload_file_content(
+                        $url,
+                        $username,
+                        $password,
+                        $internal_username,
+                        $backupdir,
+                        $target_filename,
+                        $confdata
+                    );
+                    return array($backupdir . '/' . $target_filename);
+                } catch (\Exception $e) {
+                    syslog(LOG_ERR, $e);
+                    return array();
+                }
+            }
+
+            // Default strategy (0), sync /conf/backup/
+
             // Get list of files from local backup system
             $local_files = array();
             $tmp_local_files = scandir('/conf/backup/');
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
index e5c5b10c32..e18c69d5c5 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//system/backup/nextcloud</mount>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <description>OPNsense Nextcloud Backup Settings</description>
     <items>
         <enabled type="BooleanField">
@@ -49,6 +49,10 @@
             <Default>OPNsense-Backup</Default>
             <ValidationMessage>The Backup Directory can only consist of alphanumeric characters, dash, underscores and slash. No leading or trailing slash.</ValidationMessage>
         </backupdir>
+        <strategy type="BooleanField">
+            <Required>Y</Required>
+            <Default>0</Default>
+        </strategy>
         <addhostname type="BooleanField">
             <Default>1</Default>
             <Required>Y</Required>

From 10c98b7b09538a258040b1dba4d235c680ed65dc Mon Sep 17 00:00:00 2001
From: Nuadh123 <lysfjord.daniel+github@smokepit.net>
Date: Tue, 24 Feb 2026 19:32:43 +0100
Subject: [PATCH 2993/3088] os-nextcloud-backup Only back up when local file is
 newer than remote (#5213)

---
 .../app/library/OPNsense/Backup/Nextcloud.php | 87 +++++++++++++++++--
 1 file changed, 78 insertions(+), 9 deletions(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 438840c6c0..58956a44ce 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -134,6 +134,41 @@ public function setConfiguration($conf)
         return $validation_messages;
     }
 
+    /**
+     * check remote file last modified tag
+     * @param string $remote_filename filename to check on server
+     * @param string $username username for login to server
+     * @param string $password password for authentication
+     * @return int unix timestamp or 0 if errors occour
+     */
+    public function get_remote_file_lastmodified(
+        $remote_filename,
+        $username,
+        $password
+    ) {
+        $reply = $this->curl_request_nothrow($remote_filename, $username, $password, 'PROPFIND', 'Cannot get remote fileinfo');
+        $http_code = $reply['info']['http_code'];
+        if ($http_code >= 200 && $http_code < 300) {
+            $xml_data = $reply['response'];
+            if ($xml_data == NULL) {
+                syslog(LOG_ERR, 'Data was NULL');
+                return 0;
+            }
+            $xml_data = str_replace(['<d:', '</d:'], ['<', '</'], $xml_data);
+            $xml = simplexml_load_string($xml_data);
+            foreach ($xml->children() as $response) {
+                if ($response->getName() == 'response') {
+                    $lastmodifiedstr = $response->propstat->prop->getlastmodified;
+                    $filedate = strtotime($lastmodifiedstr);
+                    return $filedate;
+                }
+            }
+        }
+        return 0;
+    }
+
+
+
     /**
      * perform backup
      * @return array filelist
@@ -173,10 +208,17 @@ public function backup()
                 $mdate = filemtime('/conf/config.xml');
                 $datestring = date('Ymd', $mdate);
                 $target_filename = 'config-' . $datestring . '.xml';
+                // Find the same filename @ remote
+                $remote_filename = $url . '/remote.php/dav/files/' . $internal_username . '/' . $backupdir . '/' . $target_filename;
+                $remote_file_date = $this->get_remote_file_lastmodified($remote_filename, $username, $password);
+                if ($remote_file_date >= $mdate) {
+                    return array();
+                }
                 // Optionally encrypt
                 if (!empty($crypto_password)) {
                     $confdata = $this->encrypt($confdata, $crypto_password);
                 }
+                // Finally, upload some data
                 try {
                     $this->upload_file_content(
                         $url,
@@ -189,7 +231,7 @@ public function backup()
                     );
                     return array($backupdir . '/' . $target_filename);
                 } catch (\Exception $e) {
-                    syslog(LOG_ERR, $e);
+                    syslog(LOG_ERR, 'Backup to ' . $url . ' failed: ' . $e);
                     return array();
                 }
             }
@@ -303,14 +345,21 @@ public function listFiles($url, $username, $password, $internal_username, $direc
      */
     public function upload_file_content($url, $username, $password, $internal_username, $backupdir, $filename, $local_file_content)
     {
-        $this->curl_request(
-            $url . "/remote.php/dav/files/$internal_username/$backupdir/$filename",
+        $url = $url . "/remote.php/dav/files/$internal_username/$backupdir/$filename";
+        $reply = $this->curl_request(
+            $url,
             $username,
             $password,
             'PUT',
             'cannot execute PUT',
             $local_file_content
         );
+        $http_code = $reply['info']['http_code'];
+        // Accepted http codes for upload is 200-299
+        if (!($http_code >= 200 && $http_code < 300)) {
+            syslog(LOG_ERR, 'Could not PUT '. $url);
+            throw new \Exception();
+        }
     }
 
     /**
@@ -394,6 +443,31 @@ public function curl_request(
         $error_message,
         $postdata = null,
         $headers = array("User-Agent: OPNsense Firewall")
+    ) {
+        $result = $this->curl_request_nothrow($url, $username, $password, $method, $error_message, $postdata, $headers);
+        $info = $result['info'];
+        $err = $result['err'];
+        $response = $result['response'];
+        if (!($info['http_code'] == 200 || $info['http_code'] == 207 || $info['http_code'] == 201) || $err) {
+            syslog(LOG_ERR, $error_message);
+            syslog(LOG_ERR, json_encode($info));
+            throw new \Exception();
+        }
+        return array('response' => $response, 'info' => $info);
+    }
+
+
+    // Add this here, since I'm fundamentally opposed to throwing exceptions
+    // if http codes aren't to your liking in a generic function.
+    // Delegate that to upper functions, where it belongs.
+    public function curl_request_nothrow(
+        $url,
+        $username,
+        $password,
+        $method,
+        $error_message,
+        $postdata = null,
+        $headers = array("User-Agent: OPNsense Firewall")
     ) {
         $curl = curl_init();
         curl_setopt_array($curl, array(
@@ -413,13 +487,8 @@ public function curl_request(
         $response = curl_exec($curl);
         $err = curl_error($curl);
         $info = curl_getinfo($curl);
-        if (!($info['http_code'] == 200 || $info['http_code'] == 207 || $info['http_code'] == 201) || $err) {
-            syslog(LOG_ERR, $error_message);
-            syslog(LOG_ERR, json_encode($info));
-            throw new \Exception();
-        }
         curl_close($curl);
-        return array('response' => $response, 'info' => $info);
+        return array('response' => $response, 'info' => $info, 'err' => $err);
     }
 
     /**

From 2bf6206e0136495a8e5dc1ef9e666be27f046391 Mon Sep 17 00:00:00 2001
From: Self-Hosting-Group
 <155233284+Self-Hosting-Group@users.noreply.github.com>
Date: Wed, 25 Feb 2026 08:52:43 +0100
Subject: [PATCH 2994/3088] net/upnp: Complete service improvements (#5126)

---
 net/upnp/Makefile                             |  2 +-
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   | 19 ++++++++--
 .../mvc/app/models/OPNsense/UPnP/ACL/ACL.xml  |  7 ++++
 .../app/models/OPNsense/UPnP/Menu/Menu.xml    |  1 +
 .../OPNsense/Syslog/local/miniupnpd.conf      |  6 ++++
 net/upnp/src/www/services_upnp.php            | 35 ++++++++++++++-----
 net/upnp/src/www/status_upnp.php              |  8 ++---
 7 files changed, 62 insertions(+), 16 deletions(-)
 create mode 100644 net/upnp/src/opnsense/service/templates/OPNsense/Syslog/local/miniupnpd.conf

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 4c5c4109b4..a805a22bb4 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		upnp
-PLUGIN_VERSION=		1.8
+PLUGIN_VERSION=		1.9
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		UPnP IGD & PCP/NAT-PMP Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 069680a361..e7ff451176 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -26,6 +26,11 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
+function miniupnpd_syslog()
+{
+    return ['miniupnpd' => ['facility' => ['miniupnpd']]];
+}
+
 function miniupnpd_enabled()
 {
     global $config;
@@ -75,7 +80,16 @@ function miniupnpd_start()
         return;
     }
 
-    mwexecfb('/usr/local/sbin/miniupnpd -f %s -P %s', [ '/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid']);
+    global $config;
+    $upnp_config = $config['installedpackages']['miniupnpd']['config'][0];
+    if (($upnp_config['log_level'] ?? '') == 'info') {
+        $exec_cmd='/usr/local/sbin/miniupnpd -f %s -P %s -v';
+    } elseif (($upnp_config['log_level'] ?? '') == 'debug') {
+        $exec_cmd='/usr/local/sbin/miniupnpd -f %s -P %s -vv';
+    } else {
+        $exec_cmd='/usr/local/sbin/miniupnpd -f %s -P %s';
+    }
+    mwexecfb($exec_cmd, ['/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid']);
 }
 
 function miniupnpd_stop()
@@ -217,7 +231,8 @@ function miniupnpd_configure_do($verbose = false)
 
             /* enable system uptime instead of miniupnpd uptime */
             if (!empty($upnp_config['sysuptime'])) {
-                $config_text .= "system_uptime=yes\n";
+                /* Disable system uptime to workaround daemon bug with PCP/NAT-PMP epoch on BSD */
+                //$config_text .= "system_uptime=yes\n";
             }
 
             /* set webgui url */
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
index 23a2fa96e2..77d5cf5822 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
@@ -11,4 +11,11 @@
             <pattern>status_upnp.php*</pattern>
         </patterns>
     </page-status-upnpstatus>
+    <page-services-upnp-log>
+        <name>Services: UPnP IGD &amp; PCP: Log File</name>
+        <patterns>
+            <pattern>ui/diagnostics/log/core/miniupnpd/*</pattern>
+            <pattern>api/diagnostics/log/core/miniupnpd/*</pattern>
+        </patterns>
+    </page-services-upnp-log>
 </acl>
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
index c040d5ea16..4359bbcdbc 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/Menu/Menu.xml
@@ -5,6 +5,7 @@
                 <Edit url="/services_upnp.php?*" visibility="hidden"/>
             </Settings>
             <ActiveMaps VisibleName="Active Maps" order="20" url="/status_upnp.php"/>
+            <LogFile VisibleName="Log File" order="30" url="/ui/diagnostics/log/core/miniupnpd"/>
         </UPnP>
     </Services>
 </menu>
diff --git a/net/upnp/src/opnsense/service/templates/OPNsense/Syslog/local/miniupnpd.conf b/net/upnp/src/opnsense/service/templates/OPNsense/Syslog/local/miniupnpd.conf
new file mode 100644
index 0000000000..107e0a4141
--- /dev/null
+++ b/net/upnp/src/opnsense/service/templates/OPNsense/Syslog/local/miniupnpd.conf
@@ -0,0 +1,6 @@
+###################################################################
+# Local syslog-ng configuration filter definition [miniupnpd].
+###################################################################
+filter f_local_miniupnpd {
+    program("miniupnpd");
+};
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index ec54020425..7ac9002f7c 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -78,6 +78,7 @@ function miniupnpd_validate_port($port)
         'friendly_name',
         'iface_array',
         'ipv6_disable',
+        'log_level',
         'logpackets',
         'overridesubnet',
         'overridewanip',
@@ -186,7 +187,7 @@ function miniupnpd_validate_port($port)
             $upnp['num_permuser'] = $pconfig['num_permuser'];
         }
         // text field types
-        foreach (['ext_iface', 'download', 'upload', 'overridewanip', 'overridesubnet', 'stun_host', 'stun_port', 'friendly_name', 'upnp_igd_compat'] as $fieldname) {
+        foreach (['download', 'ext_iface', 'friendly_name', 'log_level', 'overridesubnet', 'overridewanip', 'stun_host', 'stun_port', 'upload', 'upnp_igd_compat'] as $fieldname) {
             $upnp[$fieldname] = $pconfig[$fieldname];
         }
         foreach (miniupnpd_permuser_list() as $fieldname) {
@@ -233,16 +234,16 @@ function miniupnpd_validate_port($port)
                   </thead>
                   <tbody>
                     <tr>
-                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable");?></td>
+                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable service");?></td>
                       <td>
                        <input name="enable" type="checkbox" value="yes" <?=!empty($pconfig['enable']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable">
-                         <?=gettext("Start the autonomous port mapping service.");?>
+                         <?=gettext("Enable the autonomous port mapping service.");?>
                        </div>
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_enable_upnp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow UPnP IGD Port Mapping");?></td>
+                      <td><a id="help_for_enable_upnp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable UPnP IGD protocol");?></td>
                       <td>
                        <input name="enable_upnp" type="checkbox" value="yes" <?=!empty($pconfig['enable_upnp']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable_upnp">
@@ -251,7 +252,7 @@ function miniupnpd_validate_port($port)
                       </td>
                     </tr>
                     <tr>
-                      <td><a id="help_for_enable_natpmp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow PCP/NAT-PMP Port Mapping");?></td>
+                      <td><a id="help_for_enable_natpmp" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable PCP/NAT-PMP protocols");?></td>
                       <td>
                        <input name="enable_natpmp" type="checkbox" value="yes" <?=!empty($pconfig['enable_natpmp']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable_natpmp">
@@ -324,16 +325,19 @@ function miniupnpd_validate_port($port)
                       </td>
                     </tr>
                     <tr>
-                      <td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Override external IPv4");?></td>
+                      <td><a id="help_for_overridewanip" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Override external IPv4");?></td>
                       <td>
                         <input name="overridewanip" type="text" value="<?=$pconfig['overridewanip'];?>" />
+                        <div class="hidden" data-for="help_for_overridewanip">
+                          <?=gettext('Report custom public/external (WAN) IPv4 address.');?>
+                        </div>
                       </td>
                     </tr>
                     <tr>
                       <td><a id="help_for_overridesubnet" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Internal interface IPv4 subnet override");?></td>
                       <td>
                         <select name="overridesubnet" class="selectpicker" id="overridesubnet">
-                          <option value="" <?= empty($pconfig['overridesubnet']) ? 'selected="selected"' : '' ?>><?= gettext('default') ?></option>
+                          <option value="" <?= empty($pconfig['overridesubnet']) ? 'selected="selected"' : '' ?>><?= gettext('Default') ?></option>
 <?php for ($i = 32; $i >= 1; $i--): ?>
                           <option value="<?= $i ?>" <?=!empty($pconfig['overridesubnet']) && $pconfig['overridesubnet'] == $i ? 'selected="selected"' : '' ?>><?= $i ?></option>
 <?php endfor ?>
@@ -367,6 +371,16 @@ function miniupnpd_validate_port($port)
                        </div>
                       </td>
                     </tr> -->
+                    <tr>
+                      <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Log level') ?></td>
+                      <td>
+                        <select name="log_level">
+                          <option value="default" <?= ($pconfig['log_level'] ?? '') == 'default' ? 'selected="selected"' : '' ?> ><?= gettext('Default') ?></option>
+                          <option value="info" <?= ($pconfig['log_level'] ?? '') == 'info' ? 'selected="selected"' : '' ?> ><?= gettext('Info') ?></option>
+                          <option value="debug" <?= ($pconfig['log_level'] ?? '') == 'debug' ? 'selected="selected"' : '' ?> ><?= gettext('Debug') ?></option>
+                        </select>
+                      </td>
+                    </tr>
                     <tr>
                       <td><a id="help_for_logpackets" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Firewall logs");?></td>
                       <td>
@@ -393,12 +407,15 @@ function miniupnpd_validate_port($port)
                   </thead>
                   <tbody>
                   <tr>
-                    <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('UPnP IGD compatibility mode') ?></td>
+                    <td><a id="help_for_upnp_igd_compat" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('UPnP IGD compatibility') ?></td>
                     <td>
                       <select name="upnp_igd_compat">
                         <option value="igdv1" <?= ($pconfig['upnp_igd_compat'] ?? '') == 'igdv1' ? 'selected="selected"' : '' ?> ><?= gettext('IGDv1 (IPv4 only)') ?></option>
                         <option value="igdv2" <?= ($pconfig['upnp_igd_compat'] ?? '') == 'igdv2' ? 'selected="selected"' : '' ?> ><?= gettext('IGDv2 (with workarounds)') ?></option>
                       </select>
+                      <div class="hidden" data-for="help_for_upnp_igd_compat">
+                        <?=sprintf(gettext('Set compatibility mode (act as device) to workaround IGDv2-incompatible clients; %s are known to only work with %s.'), 'Sony PS, Activision CoD…', 'IGDv1');?>
+                      </div>
                     </td>
                   </tr>
                     <tr>
@@ -436,7 +453,7 @@ function miniupnpd_validate_port($port)
                 <table class="table table-striped opnsense_standard_table_form">
                   <thead>
                     <tr>
-                      <th colspan="2"><?=gettext("Custom Access Control List");?></th>
+                      <th colspan="2"><?=gettext("Access Control List");?></th>
                     </tr>
                   </thead>
                   <tbody>
diff --git a/net/upnp/src/www/status_upnp.php b/net/upnp/src/www/status_upnp.php
index 394d421706..aa73ec879f 100644
--- a/net/upnp/src/www/status_upnp.php
+++ b/net/upnp/src/www/status_upnp.php
@@ -71,8 +71,8 @@
                   <th><?=gettext("Port")?></th>
                   <th><?=gettext("External port")?></th>
                   <th><?=gettext("Protocol")?></th>
-                  <th><?=gettext("Source IP")?></th>
-                  <th><?=gettext("Source port")?></th>
+                  <th><?=gettext("Remote IP")?></th>
+                  <th><?=gettext("Remote port")?></th>
                   <th><?=gettext("Added via / description")?></th>
                 </tr>
               </thead>
@@ -83,8 +83,8 @@
                       !preg_match('/on (?P<iface>.+) inet6 proto (?P<proto>.+) from (?P<srcaddr>[^ ]+) (port = (?P<srcport>.+) )?to (?P<intaddr>.+) port = (?P<intport>\d+) (flags [^ ]+ )?keep state (label "(?P<descr>.+)" )?rtable [0-9]/', $rdr_entry, $matches)) {
                       continue;
                   }
-                  if (preg_match('/PCP ([A-Z]+) ([0-9a-f]{24})$/', $matches['descr'], $descrmatch) === 1) {
-                    $descr = "PCP ({$descrmatch[1]} nonce {$descrmatch[2]})";
+                  if (preg_match('/PCP [A-Z]+ ([0-9a-f]{24})$/', $matches['descr'], $descrmatch) === 1) {
+                    $descr = "PCP (nonce {$descrmatch[1]})";
                   } elseif (preg_match('/^NAT-PMP \d+ \w+$/', $matches['descr'], $descrmatch) === 1) {
                     $descr = 'NAT-PMP';
                   } elseif (preg_match('/^pinhole-(\d+).*IGD2 pinhole$/', $matches['descr'], $descrmatch) === 1) {

From 7658677f1683f90c950ba35c8bc4b1bc91632ba8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 25 Feb 2026 09:42:40 +0100
Subject: [PATCH 2995/3088] net/upnp: modify log level and start code for
 clarity

---
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   | 27 ++++++++++++-------
 net/upnp/src/www/services_upnp.php            |  2 +-
 2 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index e7ff451176..a3f01f48c0 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -72,6 +72,8 @@ function miniupnpd_services()
 
 function miniupnpd_start()
 {
+    global $config;
+
     if (!miniupnpd_enabled()) {
         return;
     }
@@ -80,16 +82,23 @@ function miniupnpd_start()
         return;
     }
 
-    global $config;
-    $upnp_config = $config['installedpackages']['miniupnpd']['config'][0];
-    if (($upnp_config['log_level'] ?? '') == 'info') {
-        $exec_cmd='/usr/local/sbin/miniupnpd -f %s -P %s -v';
-    } elseif (($upnp_config['log_level'] ?? '') == 'debug') {
-        $exec_cmd='/usr/local/sbin/miniupnpd -f %s -P %s -vv';
-    } else {
-        $exec_cmd='/usr/local/sbin/miniupnpd -f %s -P %s';
+    $log_level = $config['installedpackages']['miniupnpd']['config'][0]['log_level'] ?? '';
+
+    $cmd_frmt = ['/usr/local/sbin/miniupnpd -f %s -P %s'];
+    $cmd_args = ['/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid'];
+
+    switch ($log_level) {
+        case 'debug':
+            $cmd_frmt[] = '-v';
+            /* FALLTHROUGH */
+        case 'info':
+            $cmd_frmt[] = '-v';
+            /* FALLTHROUGH */
+        default:
+            break;
     }
-    mwexecfb($exec_cmd, ['/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid']);
+
+    mwexecfb($cmd_frmt, $cmd_args);
 }
 
 function miniupnpd_stop()
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index 7ac9002f7c..d9a3e2230b 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -375,7 +375,7 @@ function miniupnpd_validate_port($port)
                       <td><i class="fa fa-info-circle text-muted"></i> <?= gettext('Log level') ?></td>
                       <td>
                         <select name="log_level">
-                          <option value="default" <?= ($pconfig['log_level'] ?? '') == 'default' ? 'selected="selected"' : '' ?> ><?= gettext('Default') ?></option>
+                          <option value="" <?= ($pconfig['log_level'] ?? '') == '' ? 'selected="selected"' : '' ?> ><?= gettext('Default') ?></option>
                           <option value="info" <?= ($pconfig['log_level'] ?? '') == 'info' ? 'selected="selected"' : '' ?> ><?= gettext('Info') ?></option>
                           <option value="debug" <?= ($pconfig['log_level'] ?? '') == 'debug' ? 'selected="selected"' : '' ?> ><?= gettext('Debug') ?></option>
                         </select>

From bbee307f2bd24646996712f2c19ce64096573f49 Mon Sep 17 00:00:00 2001
From: Nuadh123 <lysfjord.daniel+github@smokepit.net>
Date: Wed, 25 Feb 2026 09:51:20 +0100
Subject: [PATCH 2996/3088] os-nextcloud-backup Add optional housekeeping
 (#5227)

---
 .../app/library/OPNsense/Backup/Nextcloud.php | 391 ++++++++++++++----
 .../OPNsense/Backup/NextcloudSettings.xml     |   8 +
 2 files changed, 314 insertions(+), 85 deletions(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 58956a44ce..0dc1221281 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -98,6 +98,20 @@ public function getConfigurationFields()
                 "help" => gettext("Create subdirectory under backupdir for this host"),
                 "value" => null
             ),
+            array(
+                "name" => "numdays",
+                "type" => "text",
+                "label" => gettext("Number of days worth of backups to keep"),
+                "help" => gettext("This works in collaboration with Number of backups below, the one with the oldest/most will win"),
+                "value" => null
+            ),
+            array(
+                "name" => "numbackups",
+                "type" => "text",
+                "label" => gettext("Number of backups to keep"),
+                  "help" => gettext("This works in collaboration with Number of days above, the one with the oldest/most will win"),
+                  "value" => null
+            ),
         );
         $nextcloud = new NextcloudSettings();
         foreach ($fields as &$field) {
@@ -167,7 +181,267 @@ public function get_remote_file_lastmodified(
         return 0;
     }
 
+    /**
+     * backup with strategy 0 (copy everything in /conf/backup/ to $backupdir/)
+     * @param string $internal_username the returnvalue from $this->getInternalUsername
+     * @param string $username
+     * @param string $password
+     * @param string $url server protocol and hostname
+     * @param string $backupdir
+     * @param string $crypto_password
+     */
+    public function backupstrat_zero(
+        $internal_username,
+        $username,
+        $password,
+        $url,
+        $backupdir,
+        $crypto_password
+    ) {
+        // Get list of files from local backup system
+        $local_files = array();
+        $tmp_local_files = scandir('/conf/backup/');
+        // Remove '.' and '..', skip directories
+        foreach ($tmp_local_files as $tmp_local_file) {
+            if ($tmp_local_file === '.' || $tmp_local_file === '..') {
+                continue;
+            }
+            if (!is_file("/conf/backup/".$tmp_local_file)) {
+                continue;
+            }
+            $local_files[] = $tmp_local_file;
+        }
+
+        // Get list of filenames (without path) on remote location
+        $remote_files = array();
+        $tmp_remote_files = $this->listfiles($url, $username, $password, $internal_username, "/$backupdir/", false);
+        foreach ($tmp_remote_files as $tmp_remote_file) {
+            $remote_files[] = pathinfo($tmp_remote_file)['basename'];
+        }
+
+
+        $uploaded_files = array();
+
+        // Loop over each local file,
+        // see if it's in $remote_files,
+        // if not, optionally encrypt, and upload
+        foreach ($local_files as $file_to_upload) {
+            if (!in_array($file_to_upload, $remote_files)) {
+                $confdata = file_get_contents("/conf/backup/$file_to_upload");
+                if (!empty($crypto_password)) {
+                    $confdata = $this->encrypt($confdata, $crypto_password);
+                }
+                try {
+                    $this->upload_file_content(
+                        $url,
+                        $username,
+                        $password,
+                        $internal_username,
+                        $backupdir,
+                        $file_to_upload,
+                        $confdata
+                    );
+                    $uploaded_files[] = $file_to_upload;
+                } catch (\Exception $e) {
+                    return $uploaded_files;
+                }
+            }
+        }
+        return $uploaded_files;
+    }
+
+    /**
+     * backup with strategy 1 (copy /conf/config.xml to $backupdir/conf-YYYYMMDD.xml)
+     * @param string $internal_username the returnvalue from $this->getInternalUsername
+     * @param string $username
+     * @param string $password
+     * @param string url server protocol and hostname
+     * @param string $backupdir
+     * @param string $crypto_password
+    */
+    public function backupstrat_one(
+        $internal_username,
+        $username,
+        $password,
+        $url,
+        $backupdir,
+        $crypto_password
+    ) {
+        $confdata = file_get_contents('/conf/config.xml');
+        $mdate = filemtime('/conf/config.xml');
+        $datestring = date('Ymd', $mdate);
+        $target_filename = 'config-' . $datestring . '.xml';
+        // Find the same filename @ remote
+        $remote_filename = $url . '/remote.php/dav/files/' . $internal_username . '/' . $backupdir . '/' . $target_filename;
+        $remote_file_date = $this->get_remote_file_lastmodified($remote_filename, $username, $password);
+        if ($remote_file_date >= $mdate) {
+            return array();
+        }
+
+        // Optionally encrypt
+        if (!empty($crypto_password)) {
+            $confdata = $this->encrypt($confdata, $crypto_password);
+        }
+        // Finally, upload some data
+        try {
+            $this->upload_file_content(
+                $url,
+                $username,
+                $password,
+                $internal_username,
+                $backupdir,
+                $target_filename,
+                $confdata
+            );
+            return array($backupdir . '/' . $target_filename);
+        } catch (\Exception $e) {
+            syslog(LOG_ERR, 'Backup to ' . $url . ' failed: ' . $e);
+            return array();
+        }
+    }
+
+    /**
+     * Get timestamp value from filename in list
+     * @param $filelist array of files in remote location
+     * @return array($filedata => $filename)
+     */
+    public function get_filelist_dates($filelist) {
+        // Save as associative array
+        // key = lastmodified
+        // value = filename
+        $files = array();
+        foreach ($filelist as $target_filename) {
+            // Find suggested creation date
+            // Base this on the filename. Either it is a unix timestamp, or it should be YYYYMMDD
+            // Either way, it's the part between "config-" and ".xml"
+            $filestr_no_xml = explode(".xml", $target_filename)[0];
+            $filedatestr = intval(explode("-", $filestr_no_xml)[1]);
+            if (($filedate = strtotime($filedatestr)) === false) {
+                // Cannot convert string to time.. probably already a unix-timestamp
+                // Try to convert with date()
+                $date = date(DATE_ATOM, $filedatestr);
+                // Then to a UNIX timestamp again
+                $maybedate = strtotime($date);
+                if ($maybedate === $filedatestr) {
+                    // They represent the same time, this is good
+                    // Just copy the intval() and be done with this
+                    $filedate = $filedatestr;
+                }
+            }
+            if ($filedate) {
+                $files[(string)$filedate] = $target_filename;
+            } else {
+                syslog(LOG_ERR, "Skipping file " . $target_filename . ", cannot determine date");
+            }
+        }
+        ksort($files);
+        return $files;
+    }
+
+    /**
+     * housekeeping
+     * @param $internal_username returnvalue from $this->getInternalUsername
+     * @param $username
+     * @param $password
+     * @param $url protocol and hostname of server
+     * @param $backupdir directory to operate in
+     * @param $keep_days number of days to keep backups for
+     * @param $keep_num number of backups to keep
+     */
+    public function retention(
+        $internal_username,
+        $username,
+        $password,
+        $url,
+        $backupdir,
+        $keep_days,
+        $keep_num
+    ) {
+        // Are we configured to run at all?
+        // Short circuit in case none of our options are set
+        if ((strlen($keep_days)) and (strlen($keep_num)) {
+            return;
+        }
+        // Get list of filenames (without path) on remote location
+        $remote_files = array();
+        $tmp_remote_files = $this->listfiles($url, $username, $password, $internal_username, "/$backupdir/", false);
+        foreach ($tmp_remote_files as $tmp_remote_file) {
+            if (!($tmp_remote_file === "")) {
+                if (!($tmp_remote_file == "/$backupdir/")) {
+                    // No idea why the root directory is in the list..
+                    $remote_files[] = pathinfo($tmp_remote_file)['basename'];
+                }
+            }
+        }
+        $num_remote_files = count($remote_files);
+        // Short-circuit, if too few files, no need to check no more
+        if (!($keep_num === "")) {
+            if ($keep_num > $num_remote_files) {
+                return;
+            }
+        }
 
+        $date = new \DateTime();
+        $files = $this->get_filelist_dates($remote_files);
+        if (strlen($keep_days)) {
+            // Admin has specified number of days to keep
+            $dateinterval = \DateInterval::createFromDateString($keep_days . " day");
+            $target_timestamp = date_sub($date, $dateinterval)->format('U');
+            // $files is an associative array with key=creation_time, value=filename
+            // should be sorted by ksort, hopefully that is a numerical sort:)
+            $new_files = array();
+            $old_files = array();
+            foreach(array_keys($files) as $file_timestamp) {
+                if ($file_timestamp > $target_timestamp) {
+                    $new_files[(string)$file_timestamp] = $files[$file_timestamp];
+                } else {
+                    // file is "old", aka ripe for deletion
+                    $old_files[(string)$file_timestamp] = $files[$file_timestamp];
+                }
+            }
+            if (strlen($keep_num)) {
+                $num_new_files = count($new_files);
+                if ($num_new_files < $keep_num) {
+                    // Not enough new files to satisfy $keep_num
+                    $missing_num = $keep_num - $num_new_files;
+                    // Can we slice some files from the $old_files list to satisfy $keep_num?
+                    $total_files = count($files);
+                    if ($total_files >= $keep_num) {
+                        // Yes, we can
+                        $tmp_files = array_slice($old_files, 0, $missing_num * -1);
+                        foreach(array_keys($tmp_files) as $filetodelete) {
+                            $this->delete_file($url, $username, $password, $internal_username, $backupdir, $tmp_files[$filetodelete]);
+                        }
+                    }
+                    // No, we can't. Keep all things as is
+                } else {
+                    // We have more new files than what we need to satisfy $keep_num
+                    foreach(array_keys($old_files) as $filetodelete) {
+                        $this->delete_file($url, $username, $password, $internal_username, $backupdir, $old_files[$filetodelete]);
+                    }
+                    // We do not delete files from new_files, as they are covered by the $keep_days
+                }
+            } else {
+                // We have not been told to keep N items,
+                // delete everything in $old_files
+                foreach(array_keys($old_files) as $filetodelete) {
+                    $this->delete_file($url, $username, $password, $internal_username, $backupdir, $old_files[$filetodelete]);
+                }
+            }
+        } else {
+            // No $keep_days specified
+            if (strlen($keep_num)) {
+                // keep_num is some number
+                // Delete filenames based on their creation time
+                if (count($files) > $keep_num) {
+                    $tmp_files = array_slice($files, 0, $keep_num * -1);
+                    foreach(array_keys($tmp_files) as $filetodelete) {
+                        $this->delete_file($url, $username, $password, $internal_username, $backupdir, $tmp_files[$filetodelete]);
+                    }
+                }
+            }
+        }
+    }
 
     /**
      * perform backup
@@ -177,6 +451,7 @@ public function get_remote_file_lastmodified(
      */
     public function backup()
     {
+        date_default_timezone_set('UTC');
         $cnf = Config::getInstance();
         $nextcloud = new NextcloudSettings();
         if ($cnf->isValid() && !empty((string)$nextcloud->enabled)) {
@@ -189,6 +464,8 @@ public function backup()
             $strategy = (string)$nextcloud->strategy;
             // Strategy 0 = Sync /conf/backup
             // Strategy 1 = Copy /conf/config.xml to $backupdir/conf-YYYYMMDD.xml
+            $keep_days = (string)$nextcloud->numdays;
+            $keep_num = (string)$nextcloud->numbackups;
 
             if (!$nextcloud->addhostname->isEmpty()) {
                 $backupdir .= "/".gethostname()."/";
@@ -202,92 +479,13 @@ public function backup()
                 return array();
             }
 
-            // Backup strategy 1, sync /conf/config.xml to $backupdir/config-YYYYMMDD.xml
             if ($strategy) {
-                $confdata = file_get_contents('/conf/config.xml');
-                $mdate = filemtime('/conf/config.xml');
-                $datestring = date('Ymd', $mdate);
-                $target_filename = 'config-' . $datestring . '.xml';
-                // Find the same filename @ remote
-                $remote_filename = $url . '/remote.php/dav/files/' . $internal_username . '/' . $backupdir . '/' . $target_filename;
-                $remote_file_date = $this->get_remote_file_lastmodified($remote_filename, $username, $password);
-                if ($remote_file_date >= $mdate) {
-                    return array();
-                }
-                // Optionally encrypt
-                if (!empty($crypto_password)) {
-                    $confdata = $this->encrypt($confdata, $crypto_password);
-                }
-                // Finally, upload some data
-                try {
-                    $this->upload_file_content(
-                        $url,
-                        $username,
-                        $password,
-                        $internal_username,
-                        $backupdir,
-                        $target_filename,
-                        $confdata
-                    );
-                    return array($backupdir . '/' . $target_filename);
-                } catch (\Exception $e) {
-                    syslog(LOG_ERR, 'Backup to ' . $url . ' failed: ' . $e);
-                    return array();
-                }
-            }
-
-            // Default strategy (0), sync /conf/backup/
-
-            // Get list of files from local backup system
-            $local_files = array();
-            $tmp_local_files = scandir('/conf/backup/');
-            // Remove '.' and '..', skip directories
-            foreach ($tmp_local_files as $tmp_local_file) {
-                if ($tmp_local_file === '.' || $tmp_local_file === '..') {
-                    continue;
-                }
-                if (!is_file("/conf/backup/".$tmp_local_file)) {
-                    continue;
-                }
-                $local_files[] = $tmp_local_file;
+                $list_of_files = $this->backupstrat_one($internal_username, $username, $password, $url, $backupdir, $crypto_password);
+            } else {
+                $list_of_files = $this->backupstrat_zero($internal_username, $username, $password, $url, $backupdir, $crypto_password);
             }
-
-            // Get list of filenames (without path) on remote location
-            $remote_files = array();
-            $tmp_remote_files = $this->listfiles($url, $username, $password, $internal_username, "/$backupdir/", false);
-            foreach ($tmp_remote_files as $tmp_remote_file) {
-                $remote_files[] = pathinfo($tmp_remote_file)['basename'];
-            }
-
-
-            $uploaded_files = array();
-
-            // Loop over each local file,
-            // see if it's in $remote_files,
-            // if not, optionally encrypt, and upload
-            foreach ($local_files as $file_to_upload) {
-                if (!in_array($file_to_upload, $remote_files)) {
-                    $confdata = file_get_contents("/conf/backup/$file_to_upload");
-                    if (!empty($crypto_password)) {
-                        $confdata = $this->encrypt($confdata, $crypto_password);
-                    }
-                    try {
-                        $this->upload_file_content(
-                            $url,
-                            $username,
-                            $password,
-                            $internal_username,
-                            $backupdir,
-                            $file_to_upload,
-                            $confdata
-                        );
-                        $uploaded_files[] = $file_to_upload;
-                    } catch (\Exception $e) {
-                        return $uploaded_files;
-                    }
-                }
-            }
-            return $uploaded_files;
+            $this->retention($internal_username, $username, $password, $url, $backupdir, $keep_days, $keep_num);
+            return $list_of_files;
         }
     }
 
@@ -338,6 +536,7 @@ public function listFiles($url, $username, $password, $internal_username, $direc
      * @param string $url remote location
      * @param string $username remote user
      * @param string $password password to use
+     * @param string $internal_username UUID
      * @param string $backupdir remote directory
      * @param string $filename filename to use
      * @param string $local_file_content contents to save
@@ -346,7 +545,7 @@ public function listFiles($url, $username, $password, $internal_username, $direc
     public function upload_file_content($url, $username, $password, $internal_username, $backupdir, $filename, $local_file_content)
     {
         $url = $url . "/remote.php/dav/files/$internal_username/$backupdir/$filename";
-        $reply = $this->curl_request(
+        $reply = $this->curl_request_nothrow(
             $url,
             $username,
             $password,
@@ -362,6 +561,28 @@ public function upload_file_content($url, $username, $password, $internal_userna
         }
     }
 
+    /**
+     * delete a file
+     * @param string $url remote location
+     * @param string $username remote user
+     * @param string $password password to use
+     * @param strign $internal_username UUID
+     * @param string $backupdir remote directory
+     * @param string $filename filename to use
+     */
+    public function delete_file($url, $username, $password, $internal_username, $backupdir, $filename) {
+        $url = $url . "/remote.php/dav/files/$internal_username/$backupdir/$filename";
+        $reply = $this->curl_request_nothrow(
+            $url,
+            $username,
+            $password,
+            'DELETE',
+            'cannot delete file'
+        );
+        $http_code = $reply['info']['http_code'];
+        syslog(LOG_ERR, "Deleting " . $url . " returned " . $http_code);
+    }
+
     /**
      * create new remote directory if doesn't exist
      * @param string $url remote location
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
index e18c69d5c5..a2599ef5c9 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
@@ -57,5 +57,13 @@
             <Default>1</Default>
             <Required>Y</Required>
         </addhostname>
+        <numdays type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <Required>N</Required>
+        </numdays>
+        <numbackups type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <Required>N</Required>
+        </numbackups>
     </items>
 </model>

From 681894d423fb83e0d45da9ee678e75c001446674 Mon Sep 17 00:00:00 2001
From: Daniel Lysfjord <lysfjord.daniel@smokepit.net>
Date: Wed, 25 Feb 2026 09:51:19 +0100
Subject: [PATCH 2997/3088] sysutils/nextcloud-backup: make logic the right way
 around and small model tweak

---
 .../opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php    | 4 ++--
 .../mvc/app/models/OPNsense/Backup/NextcloudSettings.xml      | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 0dc1221281..9b57700282 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -359,7 +359,7 @@ public function retention(
     ) {
         // Are we configured to run at all?
         // Short circuit in case none of our options are set
-        if ((strlen($keep_days)) and (strlen($keep_num)) {
+        if (!strlen($keep_days) && !strlen($keep_num)) {
             return;
         }
         // Get list of filenames (without path) on remote location
@@ -375,7 +375,7 @@ public function retention(
         }
         $num_remote_files = count($remote_files);
         // Short-circuit, if too few files, no need to check no more
-        if (!($keep_num === "")) {
+        if (strlen($keep_num)) {
             if ($keep_num > $num_remote_files) {
                 return;
             }
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
index a2599ef5c9..3a62950240 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
@@ -59,11 +59,9 @@
         </addhostname>
         <numdays type="IntegerField">
             <MinimumValue>1</MinimumValue>
-            <Required>N</Required>
         </numdays>
         <numbackups type="IntegerField">
             <MinimumValue>1</MinimumValue>
-            <Required>N</Required>
         </numbackups>
     </items>
 </model>

From 5db89b3b2673ac9348bd869edeb58c989e87fbef Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 25 Feb 2026 12:22:00 +0100
Subject: [PATCH 2998/3088] net/haproxy: style sweep

---
 .../opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php  | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
index eebeaa7733..d1cdbb220b 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportMapFiles.php
@@ -69,11 +69,11 @@
             } catch (\Exception $e) {
                 // Show error message only if URL was specified.
                 if ($mf_url != "") {
-                  echo "download of map file failed, error: " . $e->getMessage() . "\n";
-                  echo "trying to fill map file with fallback content\n";
-                  $mf_content = "# NOTE: Download failed, this is the fallback content.\n";
+                    echo "download of map file failed, error: " . $e->getMessage() . "\n";
+                    echo "trying to fill map file with fallback content\n";
+                    $mf_content = "# NOTE: Download failed, this is the fallback content.\n";
                 } else {
-                  $mf_content = '';
+                    $mf_content = '';
                 }
 
                 // Write contents to map file.

From f8694c7767f0b04c90c2090917d11b98b34db3e4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 25 Feb 2026 12:22:11 +0100
Subject: [PATCH 2999/3088] security/q-feeds-connector: style sweep

---
 security/q-feeds-connector/pkg-descr                            | 2 +-
 .../src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 699c608493..35f7033018 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -3,7 +3,7 @@ Connector for Q-Feeds threat intel
 Plugin Changelog
 ================
 
-1.5 
+1.5
 
 * Feature: Add passlist option for unbound
 * Feature: Add effective networks for unbound
diff --git a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
index 1675557ba9..022a599528 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/unbound/blocklists/qfeeds_bl.py
@@ -95,4 +95,4 @@ def get_policies(self):
             cfg['passlist'] = '|'.join(compiled_passlist)
             del cfg['allowlists']
 
-        return [cfg]
\ No newline at end of file
+        return [cfg]

From 47733dd70be58d786f612faebae71b77670e336b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 25 Feb 2026 12:22:25 +0100
Subject: [PATCH 3000/3088] sysutils/nextcloud-backup: style sweep

---
 .../app/library/OPNsense/Backup/Nextcloud.php | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 9b57700282..974259ac7b 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -164,7 +164,7 @@ public function get_remote_file_lastmodified(
         $http_code = $reply['info']['http_code'];
         if ($http_code >= 200 && $http_code < 300) {
             $xml_data = $reply['response'];
-            if ($xml_data == NULL) {
+            if ($xml_data == null) {
                 syslog(LOG_ERR, 'Data was NULL');
                 return 0;
             }
@@ -206,7 +206,7 @@ public function backupstrat_zero(
             if ($tmp_local_file === '.' || $tmp_local_file === '..') {
                 continue;
             }
-            if (!is_file("/conf/backup/".$tmp_local_file)) {
+            if (!is_file("/conf/backup/" . $tmp_local_file)) {
                 continue;
             }
             $local_files[] = $tmp_local_file;
@@ -305,7 +305,8 @@ public function backupstrat_one(
      * @param $filelist array of files in remote location
      * @return array($filedata => $filename)
      */
-    public function get_filelist_dates($filelist) {
+    public function get_filelist_dates($filelist)
+    {
         // Save as associative array
         // key = lastmodified
         // value = filename
@@ -391,7 +392,7 @@ public function retention(
             // should be sorted by ksort, hopefully that is a numerical sort:)
             $new_files = array();
             $old_files = array();
-            foreach(array_keys($files) as $file_timestamp) {
+            foreach (array_keys($files) as $file_timestamp) {
                 if ($file_timestamp > $target_timestamp) {
                     $new_files[(string)$file_timestamp] = $files[$file_timestamp];
                 } else {
@@ -409,14 +410,14 @@ public function retention(
                     if ($total_files >= $keep_num) {
                         // Yes, we can
                         $tmp_files = array_slice($old_files, 0, $missing_num * -1);
-                        foreach(array_keys($tmp_files) as $filetodelete) {
+                        foreach (array_keys($tmp_files) as $filetodelete) {
                             $this->delete_file($url, $username, $password, $internal_username, $backupdir, $tmp_files[$filetodelete]);
                         }
                     }
                     // No, we can't. Keep all things as is
                 } else {
                     // We have more new files than what we need to satisfy $keep_num
-                    foreach(array_keys($old_files) as $filetodelete) {
+                    foreach (array_keys($old_files) as $filetodelete) {
                         $this->delete_file($url, $username, $password, $internal_username, $backupdir, $old_files[$filetodelete]);
                     }
                     // We do not delete files from new_files, as they are covered by the $keep_days
@@ -424,7 +425,7 @@ public function retention(
             } else {
                 // We have not been told to keep N items,
                 // delete everything in $old_files
-                foreach(array_keys($old_files) as $filetodelete) {
+                foreach (array_keys($old_files) as $filetodelete) {
                     $this->delete_file($url, $username, $password, $internal_username, $backupdir, $old_files[$filetodelete]);
                 }
             }
@@ -435,7 +436,7 @@ public function retention(
                 // Delete filenames based on their creation time
                 if (count($files) > $keep_num) {
                     $tmp_files = array_slice($files, 0, $keep_num * -1);
-                    foreach(array_keys($tmp_files) as $filetodelete) {
+                    foreach (array_keys($tmp_files) as $filetodelete) {
                         $this->delete_file($url, $username, $password, $internal_username, $backupdir, $tmp_files[$filetodelete]);
                     }
                 }
@@ -468,7 +469,7 @@ public function backup()
             $keep_num = (string)$nextcloud->numbackups;
 
             if (!$nextcloud->addhostname->isEmpty()) {
-                $backupdir .= "/".gethostname()."/";
+                $backupdir .= "/" . gethostname() . "/";
             }
 
             // Check if destination directory exists, create (full path) if not
@@ -556,7 +557,7 @@ public function upload_file_content($url, $username, $password, $internal_userna
         $http_code = $reply['info']['http_code'];
         // Accepted http codes for upload is 200-299
         if (!($http_code >= 200 && $http_code < 300)) {
-            syslog(LOG_ERR, 'Could not PUT '. $url);
+            syslog(LOG_ERR, 'Could not PUT ' . $url);
             throw new \Exception();
         }
     }
@@ -570,7 +571,8 @@ public function upload_file_content($url, $username, $password, $internal_userna
      * @param string $backupdir remote directory
      * @param string $filename filename to use
      */
-    public function delete_file($url, $username, $password, $internal_username, $backupdir, $filename) {
+    public function delete_file($url, $username, $password, $internal_username, $backupdir, $filename)
+    {
         $url = $url . "/remote.php/dav/files/$internal_username/$backupdir/$filename";
         $reply = $this->curl_request_nothrow(
             $url,

From f7185ee286d2beaf41b01c5e60d794685aacb5fb Mon Sep 17 00:00:00 2001
From: Nuadh123 <lysfjord.daniel+github@smokepit.net>
Date: Wed, 25 Feb 2026 21:13:01 +0100
Subject: [PATCH 3001/3088] os-nextcloud-backup Switch to UpdateOnlyTextField
 from TextField (#5257)

---
 .../app/library/OPNsense/Backup/Nextcloud.php | 21 +++++++++----------
 .../OPNsense/Backup/NextcloudSettings.xml     |  4 ++--
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
index 974259ac7b..340fb3048a 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/library/OPNsense/Backup/Nextcloud.php
@@ -456,20 +456,19 @@ public function backup()
         $cnf = Config::getInstance();
         $nextcloud = new NextcloudSettings();
         if ($cnf->isValid() && !empty((string)$nextcloud->enabled)) {
-            $config = $cnf->object();
-            $url = (string)$nextcloud->url;
-            $username = (string)$nextcloud->user;
-            $password = (string)$nextcloud->password;
-            $backupdir = (string)$nextcloud->backupdir;
-            $crypto_password = (string)$nextcloud->password_encryption;
-            $strategy = (string)$nextcloud->strategy;
+            $url = $nextcloud->url->getValue();
+            $username = $nextcloud->user->getValue();
+            $password = $nextcloud->password->getValue();
+            $backupdir = $nextcloud->backupdir->getValue();
+            $crypto_password = $nextcloud->password_encryption->getValue();
+            $strategy = $nextcloud->strategy->getValue();
             // Strategy 0 = Sync /conf/backup
             // Strategy 1 = Copy /conf/config.xml to $backupdir/conf-YYYYMMDD.xml
-            $keep_days = (string)$nextcloud->numdays;
-            $keep_num = (string)$nextcloud->numbackups;
+            $keep_days = $nextcloud->numdays->getValue();
+            $keep_num = $nextcloud->numbackups->getValue();
 
-            if (!$nextcloud->addhostname->isEmpty()) {
-                $backupdir .= "/" . gethostname() . "/";
+            if ($nextcloud->addhostname->isEqual('1')) {
+                $backupdir .= "/" . gethostname();
             }
 
             // Check if destination directory exists, create (full path) if not
diff --git a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
index 3a62950240..8fa58d2b77 100644
--- a/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
+++ b/sysutils/nextcloud-backup/src/opnsense/mvc/app/models/OPNsense/Backup/NextcloudSettings.xml
@@ -31,7 +31,7 @@
                 </check001>
             </Constraints>
         </user>
-        <password type="TextField">
+        <password type="UpdateOnlyTextField">
             <Constraints>
                 <check001>
                     <ValidationMessage>A password for a Nextcloud server must be set.</ValidationMessage>
@@ -42,7 +42,7 @@
                 </check001>
             </Constraints>
         </password>
-        <password_encryption type="TextField"/>
+        <password_encryption type="UpdateOnlyTextField"/>
         <backupdir type="TextField">
             <Required>Y</Required>
             <Mask>/^([\w%+\-]+\/)*[\w+%\-]+$/</Mask>

From 267d2c7cb9dc604194cebcce6fc47cb050acef15 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 26 Feb 2026 00:22:37 +0100
Subject: [PATCH 3002/3088] security/acme-client: fix buttons not working,
 closes #5123

While here, modernize UIBootgrid code and remove some dead code.
---
 security/acme-client/pkg-descr                |   1 +
 .../views/OPNsense/AcmeClient/accounts.volt   | 246 ++---------
 .../OPNsense/AcmeClient/certificates.volt     | 402 +++++-------------
 .../app/views/OPNsense/AcmeClient/logs.volt   |  25 --
 4 files changed, 139 insertions(+), 535 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 3c5d7f5cfb..7872c70764 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,7 @@ Plugin Changelog
 Fixed:
 * fix class name of Google Domains DNS API (to make PHP linter happy)
 * parameters for TrueNAS automation not visible (#5210)
+* multiple buttons not working (#5123)
 
 4.13
 
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
index 3836955d8f..935520fa43 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/accounts.volt
@@ -99,224 +99,38 @@ POSSIBILITY OF SUCH DAMAGE.
             },
         };
 
-        /**
-         * reload bootgrid, return to current selected page
-         */
-        function std_bootgrid_reload(gridId) {
-            var currentpage = $("#"+gridId).bootgrid("getCurrentPage");
-            $("#"+gridId).bootgrid("reload");
-            // absolutely not perfect, bootgrid.reload doesn't seem to support when().done()
-            setTimeout(function(){
-                $('#'+gridId+'-footer  a[data-page="'+currentpage+'"]').click();
-            }, 400);
-        }
-
-        /**
-         * copy actions for selected items from opnsense_bootgrid_plugin.js
-         */
-        const grid_accounts = $("#grid-accounts").UIBootgrid($.extend(gridParams, { options: gridopt }));
-
-        $("#grid-accounts").on("loaded.rs.jquery.bootgrid", function (e)
-        {
-            // toggle all rendered tooltips (once for all)
-            $('.bootgrid-tooltip').tooltip();
-
-            // scale footer on resize
-            $(this).find("tfoot td:first-child").attr('colspan',$(this).find("th").length - 1);
-            $(this).find('tr[data-row-id]').each(function(){
-                if ($(this).find('[class*="command-toggle"]').first().data("value") == "0") {
-                    $(this).addClass("text-muted");
-                }
-            });
-
-            // edit dialog id to use
-            var editDlg = $(this).attr('data-editDialog');
-            var gridId = $(this).attr('id');
-
-            // link Add new to child button with data-action = add
-            $(this).find("*[data-action=add]").click(function(){
-                if ( gridParams['get'] != undefined && gridParams['add'] != undefined) {
-                    var urlMap = {};
-                    urlMap['frm_' + editDlg] = gridParams['get'];
-                    mapDataToFormUI(urlMap).done(function(){
-                        // update selectors
-                        formatTokenizersUI();
-                        $('.selectpicker').selectpicker('refresh');
-                        // clear validation errors (if any)
-                        clearFormValidation('frm_' + editDlg);
-                    });
-
-                    // show dialog for edit
-                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
-                    //
-                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
-                        saveFormToEndpoint(url=gridParams['add'],
-                            formid='frm_' + editDlg, callback_ok=function(){
-                                $("#"+editDlg).modal('hide');
-                                $("#"+gridId).bootgrid("reload");
-                            }, true);
-                    });
-                }  else {
-                    console.log("[grid] action add missing")
-                }
-            });
-
-            // link delete selected items action
-            $(this).find("*[data-action=deleteSelected]").click(function(){
-                if ( gridParams['del'] != undefined) {
-                    stdDialogConfirm('{{ lang._('Confirm removal') }}',
-                        '{{ lang._('Do you want to remove the selected item?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function () {
-                        var rows =$("#"+gridId).bootgrid('getSelectedRows');
-                        if (rows != undefined){
-                            var deferreds = [];
-                            $.each(rows, function(key,uuid){
-                                deferreds.push(ajaxCall(url=gridParams['del'] + uuid, sendData={},null));
-                            });
-                            // refresh after load
-                            $.when.apply(null, deferreds).done(function(){
-                                std_bootgrid_reload(gridId);
-                            });
-                        }
-                    });
-                } else {
-                    console.log("[grid] action del missing")
-                }
-            });
-
-        });
-
-        /**
-         * copy actions for items from opnsense_bootgrid_plugin.js
-         */
-        grid_accounts.on("loaded.rs.jquery.bootgrid", function(){
-
-            // edit dialog id to use
-            var editDlg = $(this).attr('data-editDialog');
-            var gridId = $(this).attr('id');
-
-            // edit item
-            grid_accounts.find(".command-edit").on("click", function(e)
-            {
-                if (editDlg != undefined && gridParams['get'] != undefined) {
-                    var uuid = $(this).data("row-id");
-                    var urlMap = {};
-                    urlMap['frm_' + editDlg] = gridParams['get'] + uuid;
-                    mapDataToFormUI(urlMap).done(function () {
-                        // update selectors
-                        formatTokenizersUI();
-                        $('.selectpicker').selectpicker('refresh');
-                        // clear validation errors (if any)
-                        clearFormValidation('frm_' + editDlg);
-                    });
-
-                    // show dialog for pipe edit
-                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
-                    // define save action
-                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
-                        if (gridParams['set'] != undefined) {
-                            saveFormToEndpoint(url=gridParams['set']+uuid,
-                                formid='frm_' + editDlg, callback_ok=function(){
-                                    $("#"+editDlg).modal('hide');
-                                    std_bootgrid_reload(gridId);
-                                }, true);
-                        } else {
-                            console.log("[grid] action set missing")
-                        }
-                    });
-                } else {
-                    console.log("[grid] action get or data-editDialog missing")
-                }
-            });
-
-            // copy item, save as new
-            grid_accounts.find(".command-copy").on("click", function(e)
-            {
-                if (editDlg != undefined && gridParams['get'] != undefined) {
-                    var uuid = $(this).data("row-id");
-                    var urlMap = {};
-                    urlMap['frm_' + editDlg] = gridParams['get'] + uuid;
-                    mapDataToFormUI(urlMap).done(function () {
-                        // update selectors
-                        formatTokenizersUI();
-                        $('.selectpicker').selectpicker('refresh');
-                        // clear validation errors (if any)
-                        clearFormValidation('frm_' + editDlg);
-                    });
-
-                    // show dialog for pipe edit
-                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
-                    // define save action
-                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
-                        if (gridParams['add'] != undefined) {
-                            saveFormToEndpoint(url=gridParams['add'],
-                                formid='frm_' + editDlg, callback_ok=function(){
-                                    $("#"+editDlg).modal('hide');
-                                    std_bootgrid_reload(gridId);
-                                }, true);
-                        } else {
-                            console.log("[grid] action add missing")
-                        }
-                    });
-                } else {
-                    console.log("[grid] action get or data-editDialog missing")
-                }
-            });
-
-            // delete item
-            grid_accounts.find(".command-delete").on("click", function(e)
-            {
-                if (gridParams['del'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    stdDialogConfirm('{{ lang._('Confirm removal') }}',
-                        '{{ lang._('Do you want to remove the selected item?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function () {
-                        ajaxCall(url=gridParams['del'] + uuid,
-                            sendData={},callback=function(data,status){
-                                // reload grid after delete
-                                $("#"+gridId).bootgrid("reload");
-                            });
-                    });
-                } else {
-                    console.log("[grid] action del missing")
+        const grid_accounts = $("#grid-accounts").UIBootgrid($.extend(gridParams, {
+            options: gridopt,
+            commands: {
+                register: {
+                    method: function(event, cell) {
+                        var uuid = $(this).data("row-id");
+                        stdDialogConfirm(
+                            '{{ lang._('Confirmation Required') }}',
+                            '{{ lang._('Register the selected account with the configured ACME CA?') }}',
+                            '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}',
+                            function() {
+                                ajaxCall(gridParams['register'] + uuid, {}, function() {
+                                    grid_accounts.bootgrid("reload");
+                                });
+                            }
+                        );
+                    },
+                    classname: 'fa fa-address-book-o',
+                    title: '{{ lang._('Register account') }}',
+                    sequence: 510
                 }
-            });
-
-            // toggle item
-            grid_accounts.find(".command-toggle").on("click", function(e)
-            {
-                if (gridParams['toggle'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    $(this).addClass("fa-spinner fa-pulse");
-                    ajaxCall(url=gridParams['toggle'] + uuid,
-                        sendData={},callback=function(data,status){
-                            // reload grid after toggle
-                            std_bootgrid_reload(gridId);
-                        });
-                } else {
-                    console.log("[grid] action toggle missing")
-                }
-            });
-
-            // register account
-            grid_accounts.find(".command-register").on("click", function(e)
-            {
-                if (gridParams['register'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('Register the selected account with the configured ACME CA?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        ajaxCall(url=gridParams['register'] + uuid,sendData={},callback=function(data,status){
-                            // reload grid afterwards
-                            $("#"+gridId).bootgrid("reload");
-                        });
-                    });
-                } else {
-                    console.log("[grid] action register missing")
+            },
+            tabulatorOptions: {
+                rowFormatter: function(row) {
+                    if (parseInt(row.getData()['enabled'], 2) !== 1) {
+                        $(row.getElement()).addClass('text-muted');
+                    } else {
+                        $(row.getElement()).removeClass('text-muted');
+                    }
                 }
-            });
-
-        });
+            }
+        }));
 
         // hook into on-show event for dialog to extend layout.
         $('#DialogAccount').on('shown.bs.modal', function (e) {
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index e824edd850..0a84f599b4 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -124,302 +124,116 @@ POSSIBILITY OF SUCH DAMAGE.
             },
         };
 
-        /**
-         * reload bootgrid, return to current selected page
-         */
-        function std_bootgrid_reload(gridId) {
-            var currentpage = $("#"+gridId).bootgrid("getCurrentPage");
-            $("#"+gridId).bootgrid("reload");
-            // absolutely not perfect, bootgrid.reload doesn't seem to support when().done()
-            setTimeout(function(){
-                $('#'+gridId+'-footer  a[data-page="'+currentpage+'"]').click();
-            }, 400);
-        }
-
-        /**
-         * copy actions for selected items from opnsense_bootgrid_plugin.js
-         */
-        const grid_certificates = $("#grid-certificates").UIBootgrid($.extend(gridParams, { options: gridopt }));
-
-        $("#grid_certificates").on("loaded.rs.jquery.bootgrid", function (e)
-        {
-            // toggle all rendered tooltips (once for all)
-            $('.bootgrid-tooltip').tooltip();
-
-            // scale footer on resize
-            $(this).find("tfoot td:first-child").attr('colspan',$(this).find("th").length - 1);
-            $(this).find('tr[data-row-id]').each(function(){
-                if ($(this).find('[class*="command-toggle"]').first().data("value") == "0") {
-                    $(this).addClass("text-muted");
-                }
-            });
-
-            // edit dialog id to use
-            var editDlg = $(this).attr('data-editDialog');
-            var gridId = $(this).attr('id');
-
-            // link Add new to child button with data-action = add
-            $(this).find("*[data-action=add]").click(function(){
-                if ( gridParams['get'] != undefined && gridParams['add'] != undefined) {
-                    var urlMap = {};
-                    urlMap['frm_' + editDlg] = gridParams['get'];
-                    mapDataToFormUI(urlMap).done(function(){
-                        // update selectors
-                        formatTokenizersUI();
-                        $('.selectpicker').selectpicker('refresh');
-                        // clear validation errors (if any)
-                        clearFormValidation('frm_' + editDlg);
-                    });
-
-                    // show dialog for edit
-                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
-                    //
-                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
-                        saveFormToEndpoint(url=gridParams['add'],
-                            formid='frm_' + editDlg, callback_ok=function(){
-                                $("#"+editDlg).modal('hide');
-                                $("#"+gridId).bootgrid("reload");
-                            }, true);
-                    });
-                }  else {
-                    console.log("[grid] action add missing")
-                }
-            });
-
-            // link delete selected items action
-            $(this).find("*[data-action=deleteSelected]").click(function(){
-                if ( gridParams['del'] != undefined) {
-                    stdDialogConfirm('{{ lang._('Confirm removal') }}',
-                        '{{ lang._('Do you want to remove the selected item?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function () {
-                        var rows =$("#"+gridId).bootgrid('getSelectedRows');
-                        if (rows != undefined){
-                            var deferreds = [];
-                            $.each(rows, function(key,uuid){
-                                deferreds.push(ajaxCall(url=gridParams['del'] + uuid, sendData={},null));
-                            });
-                            // refresh after load
-                            $.when.apply(null, deferreds).done(function(){
-                                std_bootgrid_reload(gridId);
-                            });
-                        }
-                    });
-                } else {
-                    console.log("[grid] action del missing")
-                }
-            });
-
-        });
-
-        /**
-         * copy actions for items from opnsense_bootgrid_plugin.js
-         */
-        grid_certificates.on("loaded.rs.jquery.bootgrid", function(){
-            // edit dialog id to use
-            var editDlg = $(this).attr('data-editDialog');
-            var gridId = $(this).attr('id');
-
-            // edit item
-            grid_certificates.find(".command-edit").on("click", function(e)
-            {
-                if (editDlg != undefined && gridParams['get'] != undefined) {
-                    var uuid = $(this).data("row-id");
-                    var urlMap = {};
-                    urlMap['frm_' + editDlg] = gridParams['get'] + uuid;
-                    mapDataToFormUI(urlMap).done(function () {
-                        // update selectors
-                        formatTokenizersUI();
-                        $('.selectpicker').selectpicker('refresh');
-                        // clear validation errors (if any)
-                        clearFormValidation('frm_' + editDlg);
-                    });
-
-                    // show dialog for pipe edit
-                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
-                    // define save action
-                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
-                        if (gridParams['set'] != undefined) {
-                            saveFormToEndpoint(url=gridParams['set']+uuid,
-                                formid='frm_' + editDlg, callback_ok=function(){
-                                    $("#"+editDlg).modal('hide');
-                                    std_bootgrid_reload(gridId);
-                                }, true);
-                        } else {
-                            console.log("[grid] action set missing")
-                        }
-                    });
-                } else {
-                    console.log("[grid] action get or data-editDialog missing")
-                }
-            });
-
-            // copy item, save as new
-            grid_certificates.find(".command-copy").on("click", function(e)
-            {
-                if (editDlg != undefined && gridParams['get'] != undefined) {
-                    var uuid = $(this).data("row-id");
-                    var urlMap = {};
-                    urlMap['frm_' + editDlg] = gridParams['get'] + uuid;
-                    mapDataToFormUI(urlMap).done(function () {
-                        // update selectors
-                        formatTokenizersUI();
-                        $('.selectpicker').selectpicker('refresh');
-                        // clear validation errors (if any)
-                        clearFormValidation('frm_' + editDlg);
-                    });
-
-                    // show dialog for pipe edit
-                    $('#'+editDlg).modal({backdrop: 'static', keyboard: false});
-                    // define save action
-                    $("#btn_"+editDlg+"_save").unbind('click').click(function(){
-                        if (gridParams['add'] != undefined) {
-                            saveFormToEndpoint(url=gridParams['add'],
-                                formid='frm_' + editDlg, callback_ok=function(){
-                                    $("#"+editDlg).modal('hide');
-                                    std_bootgrid_reload(gridId);
-                                }, true);
-                        } else {
-                            console.log("[grid] action add missing")
-                        }
-                    });
-                } else {
-                    console.log("[grid] action get or data-editDialog missing")
-                }
-            });
-
-            // delete item
-            grid_certificates.find(".command-delete").on("click", function(e)
-            {
-                if (gridParams['del'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    stdDialogConfirm('{{ lang._('Confirm removal') }}',
-                        '{{ lang._('Do you want to remove the selected item?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function () {
-                        ajaxCall(url=gridParams['del'] + uuid,
-                            sendData={},callback=function(data,status){
-                                // reload grid after delete
-                                $("#"+gridId).bootgrid("reload");
-                            });
-                    });
-                } else {
-                    console.log("[grid] action del missing")
-                }
-            });
-
-            // toggle item
-            grid_certificates.find(".command-toggle").on("click", function(e)
-            {
-                if (gridParams['toggle'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    $(this).addClass("fa-spinner fa-pulse");
-                    ajaxCall(url=gridParams['toggle'] + uuid,
-                        sendData={},callback=function(data,status){
-                            // reload grid after toggle
-                            std_bootgrid_reload(gridId);
-                        });
-                } else {
-                    console.log("[grid] action toggle missing")
-                }
-            });
-
-            // sign cert
-            grid_certificates.find(".command-sign").on("click", function(e)
-            {
-                if (gridParams['sign'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('Forcefully issue or renew the selected certificate?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        // Handle HAProxy integration (no-op if not applicable)
-                        ajaxCall(url="/api/acmeclient/settings/fetch_ha_proxy_integration", sendData={}, callback=function(data,status) {
-                            ajaxCall(url=gridParams['sign'] + uuid,sendData={},callback=function(data,status){
-                                // reload grid after sign
-                                $("#"+gridId).bootgrid("reload");
-                            });
-                        });
-                    });
-                } else {
-                    console.log("[grid] action sign missing")
-                }
-            });
-
-            // revoke cert
-            grid_certificates.find(".command-revoke").on("click", function(e)
-            {
-                if (gridParams['revoke'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('Revoke selected certificate?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        ajaxCall(url=gridParams['revoke'] + uuid,
-                            sendData={},callback=function(data,status){
-                                // reload grid after sign
-                                $("#"+gridId).bootgrid("reload");
-                            });
-                    }, 'danger');
-                } else {
-                    console.log("[grid] action revoke missing")
-                }
-            });
-
-            // remove private key
-            grid_certificates.find(".command-removekey").on("click", function(e)
-            {
-                if (gridParams['removekey'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('Really remove the private key?%s%sThe certificate will be completely reset. This is useful when the private key has been compromised or when you have changed the key options and want to regenerate the private key.%sNote that you have to revalidate the certificate afterwards in order to create a new private key and a matching certificate.') | format('<br/>', '<br/>', '<br/>') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        ajaxCall(url=gridParams['removekey'] + uuid,
-                            sendData={},callback=function(data,status){
-                                // reload grid after sign
-                                $("#"+gridId).bootgrid("reload");
-                            });
-                    }, 'danger');
-                } else {
-                    console.log("[grid] action removekey missing")
-                }
-            });
-
-            // run automation
-            grid_certificates.find(".command-automation").on("click", function(e)
-            {
-                if (gridParams['automation'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('Rerun all automations for the selected certificate?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        ajaxCall(url=gridParams['automation'] + uuid,
-                            sendData={},callback=function(data,status){
-                                // reload grid after sign
-                                $("#"+gridId).bootgrid("reload");
-                            });
-                    });
-                } else {
-                    console.log("[grid] action automation missing")
+        const grid_certificates = $("#grid-certificates").UIBootgrid($.extend(gridParams, {
+            options: gridopt,
+            commands: {
+                sign: {
+                    method: function(event, cell) {
+                        var uuid = $(this).data("row-id");
+                        stdDialogConfirm(
+                            '{{ lang._('Confirmation Required') }}',
+                            '{{ lang._('Forcefully issue or renew the selected certificate?') }}',
+                            '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}',
+                            function() {
+                                // Handle HAProxy integration (no-op if not applicable)
+                                ajaxCall("/api/acmeclient/settings/fetch_ha_proxy_integration",
+                                    {}, function(data, status) {
+                                    ajaxCall(gridParams['sign'] + uuid, {}, function() {
+                                        grid_certificates.bootgrid("reload");
+                                    });
+                                });
+                            }
+                        );
+                    },
+                    classname: 'fa fa-repeat',
+                    title: '{{ lang._('Issue or renew certificate') }}',
+                    sequence: 510
+                },
+                import: {
+                    method: function(event, cell) {
+                        var uuid = $(this).data("row-id");
+                        stdDialogConfirm(
+                            '{{ lang._('Confirmation Required') }}',
+                            '{{ lang._('(Re-) import the selected certificate and associated CA certificates into the trust storage?') }}',
+                            '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}',
+                            function() {
+                                ajaxCall(gridParams['import'] + uuid, {}, function() {
+                                    grid_certificates.bootgrid("reload");
+                                });
+                            }
+                        );
+                    },
+                    classname: 'fa fa-certificate',
+                    title: '{{ lang._('(Re-) Import certificate') }}',
+                    sequence: 520
+                },
+                automation: {
+                    method: function(event, cell) {
+                        var uuid = $(this).data("row-id");
+                        stdDialogConfirm(
+                            '{{ lang._('Confirmation Required') }}',
+                            '{{ lang._('Rerun all automations for the selected certificate?') }}',
+                            '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}',
+                            function() {
+                                ajaxCall(gridParams['automation'] + uuid, {}, function() {
+                                    grid_certificates.bootgrid("reload");
+                                });
+                            }
+                        );
+                    },
+                    classname: 'fa fa-paper-plane',
+                    title: '{{ lang._('Run automations') }}',
+                    sequence: 530
+                },
+                revoke: {
+                    method: function(event, cell) {
+                        var uuid = $(this).data("row-id");
+                        stdDialogConfirm(
+                            '{{ lang._('Confirmation Required') }}',
+                            '{{ lang._('Revoke selected certificate?') }}',
+                            '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}',
+                            function() {
+                                ajaxCall(gridParams['revoke'] + uuid, {}, function() {
+                                    grid_certificates.bootgrid("reload");
+                                });
+                            },
+                            'danger'
+                        );
+                    },
+                    classname: 'fa fa-power-off',
+                    title: '{{ lang._('Revoke certificate') }}',
+                    sequence: 540
+                },
+                removekey: {
+                    method: function(event, cell) {
+                        var uuid = $(this).data("row-id");
+                        stdDialogConfirm(
+                            '{{ lang._('Confirmation Required') }}',
+                            '{{ lang._('Really remove the private key?%s%sThe certificate will be completely reset. This is useful when the private key has been compromised or when you have changed the key options and want to regenerate the private key.%sNote that you have to revalidate the certificate afterwards in order to create a new private key and a matching certificate.') | format('<br/>', '<br/>', '<br/>') }}',
+                            '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}',
+                            function() {
+                                ajaxCall(gridParams['removekey'] + uuid, {}, function() {
+                                    grid_certificates.bootgrid("reload");
+                                });
+                            },
+                            'danger'
+                        );
+                    },
+                    classname: 'fa fa-history',
+                    title: '{{ lang._('Reset certificate') }}',
+                    sequence: 550
                 }
-            });
-
-            // import certificate into trust storage
-            grid_certificates.find(".command-import").on("click", function(e)
-            {
-                if (gridParams['import'] != undefined) {
-                    var uuid=$(this).data("row-id");
-                    stdDialogConfirm('{{ lang._('Confirmation Required') }}',
-                        '{{ lang._('(Re-) import the selected certificate and associated CA certificates into the trust storage?') }}',
-                        '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        ajaxCall(url=gridParams['import'] + uuid,
-                            sendData={},callback=function(data,status){
-                                // reload grid after sign
-                                $("#"+gridId).bootgrid("reload");
-                            });
-                    });
-                } else {
-                    console.log("[grid] action import missing")
+            },
+            tabulatorOptions: {
+                rowFormatter: function(row) {
+                    if (parseInt(row.getData()['enabled'], 2) !== 1) {
+                        $(row.getElement()).addClass('text-muted');
+                    } else {
+                        $(row.getElement()).removeClass('text-muted');
+                    }
                 }
-            });
-
-        });
+            }
+        }));
 
         // Hide options that are irrelevant in this context.
         $('#DialogCertificate').on('shown.bs.modal', function (e) {
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
index dbfb34efb8..544d314d96 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/logs.volt
@@ -54,31 +54,6 @@
           search:'/api/diagnostics/log/core/acmeclient'
       });
 
-      grid_systemlog.on("loaded.rs.jquery.bootgrid", function(){
-          $(".action-page").click(function(event){
-              event.preventDefault();
-              $("#grid-systemlog").bootgrid("search",  "");
-              let new_page = parseInt((parseInt($(this).data('row-id')) / $("#grid-log").bootgrid("getRowCount")))+1;
-              $("input.search-field").val("");
-              // XXX: a bit ugly, but clearing the filter triggers a load event.
-              setTimeout(function(){
-                  $("ul.pagination > li:last > a").data('page', new_page).click();
-              }, 100);
-          });
-      });
-
-      grid_acmelog.on("loaded.rs.jquery.bootgrid", function(){
-          $(".action-page").click(function(event){
-              event.preventDefault();
-              $("#grid-acmelog").bootgrid("search",  "");
-              let new_page = parseInt((parseInt($(this).data('row-id')) / $("#grid-log").bootgrid("getRowCount")))+1;
-              $("input.search-field").val("");
-              // XXX: a bit ugly, but clearing the filter triggers a load event.
-              setTimeout(function(){
-                  $("ul.pagination > li:last > a").data('page', new_page).click();
-              }, 100);
-          });
-      });
     });
 </script>
 

From d46585f5fe9e6c5172abf7e966917e0336023066 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 26 Feb 2026 09:54:59 +0100
Subject: [PATCH 3003/3088] www/caddy: Remove NTML support and cleanup service
 control (#5258)

* www/caddy: Remove NTML plugin as it causes issues with service control that can not worked around with anymore.

The NTML plugin and caddy core diverged too much and its considered unmaintained. While there clean up all service control workarounds that were implemented.
Since removing the service control (caddy_control.py) script would make it hard to somehow funnel caddyfile validation in, this has been removed too.
Our input is heavily validated so the Caddyfile will be valid in almost all cases, and in cases its not the log will show the error.
---
 .../OPNsense/Caddy/Api/ServiceController.php  |  25 +---
 .../OPNsense/Caddy/forms/dialogHandle.xml     |  12 --
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  18 +--
 .../app/views/OPNsense/Caddy/diagnostics.volt |  37 +----
 .../mvc/app/views/OPNsense/Caddy/general.volt |  47 +-----
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  47 +-----
 .../scripts/OPNsense/Caddy/caddy_control.py   | 135 ------------------
 .../service/conf/actions.d/actions_caddy.conf |  16 +--
 .../templates/OPNsense/Caddy/Caddyfile        |   6 +-
 9 files changed, 15 insertions(+), 328 deletions(-)
 delete mode 100755 www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
index 6aaa5a578e..6ea5161520 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2023-2024 Cedrik Pischem
+ *    Copyright (C) 2023-2026 Cedrik Pischem
  *    Copyright (C) 2015 Deciso B.V.
  *
  *    All rights reserved.
@@ -47,27 +47,4 @@ protected function reconfigureForceRestart()
         return 0;
     }
 
-    public function validateAction()
-    {
-        $backend = new Backend();
-
-        // First, reload the template to ensure the latest configuration is used
-        $backend->configdRun("template reload " . self::$internalServiceTemplate);
-
-        // Validate the Caddyfile
-        $validateResult = trim($backend->configdRun('caddy validate'));
-
-        // Attempt to parse the JSON output from the validation result
-        if (($jsonStartPos = strpos($validateResult, '{"message":')) !== false) {
-            $jsonOutput = substr($validateResult, $jsonStartPos);
-            $result = json_decode($jsonOutput, true);
-
-            if (is_array($result) && isset($result['status'])) {
-                return ["status" => $result['status'], "message" => $result['message']];
-            }
-        }
-
-        // If unable to parse the expected JSON output, return a generic error message
-        return ["status" => "failed", "message" => gettext("Unable to parse the validation result.")];
-    }
 }
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 3e72c80e26..15389ae78e 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -218,18 +218,6 @@
             <visible>false</visible>
         </grid_view>
     </field>
-    <field>
-        <id>handle.HttpNtlm</id>
-        <label>NTLM</label>
-        <type>checkbox</type>
-        <style>style_tls_handle</style>
-        <help><![CDATA[Enable or disable NTLM. Needed to reverse proxy an Exchange Server. Warning: NTLM has been deprecated by Microsoft. This option will stay for as long as the optional http.reverse_proxy.transport.http_ntlm module can be compiled without errors.]]></help>
-        <grid_view>
-            <visible>false</visible>
-            <type>boolean</type>
-            <formatter>boolean</formatter>
-        </grid_view>
-    </field>
     <field>
         <id>handle.description</id>
         <label>Description</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 8a1ffeb463..affa2bf8a6 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.7</version>
+    <version>1.3.8</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -401,15 +401,6 @@
                         <https value="1">https://</https>
                         <h2c value="2">h2c://</h2c>
                     </OptionValues>
-                    <Constraints>
-                        <check001>
-                            <ValidationMessage>HTTPS and NTLM must be enabled at the same time.</ValidationMessage>
-                            <type>DependConstraint</type>
-                            <addFields>
-                                <field1>HttpNtlm</field1>
-                            </addFields>
-                        </check001>
-                    </Constraints>
                 </HttpTls>
                 <HttpVersion type="OptionField">
                     <BlankDesc>HTTP/1.1, HTTP/2 (default)</BlankDesc>
@@ -423,13 +414,6 @@
                     <MinimumValue>0</MinimumValue>
                     <MaximumValue>86400</MaximumValue>
                 </HttpKeepalive>
-                <HttpNtlm type="BooleanField">
-                    <Constraints>
-                        <check001>
-                            <reference>HttpNtlm.check001</reference>
-                        </check001>
-                    </Constraints>
-                </HttpNtlm>
                 <HttpTlsInsecureSkipVerify type="BooleanField"/>
                 <HttpTlsTrustedCaCerts type="CertificateField">
                     <Type>ca</Type>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
index 4d9a3dc9f8..65fe3a6463 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/diagnostics.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2024 Cedrik Pischem
+ # Copyright (c) 2024-2026 Cedrik Pischem
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -75,27 +75,6 @@
             a_tag.remove();  // Remove the anchor tag
         }
 
-        /**
-         * Shows a BootstrapDialog alert with custom settings.
-         *
-         * @param {string} type - Type of the dialog based on BootstrapDialog types.
-         * @param {string} title - Title of the dialog.
-         * @param {string} message - Message to be displayed in the dialog.
-         */
-        function showDialogAlert(type, title, message) {
-            BootstrapDialog.show({
-                type: type,
-                title: title,
-                message: message,
-                buttons: [{
-                    label: '{{ lang._('Close') }}',
-                    action: function(dialogRef) {
-                        dialogRef.close();
-                    }
-                }]
-            });
-        }
-
         // Fetch and display Caddyfile and JSON configuration
         fetchAndDisplay('/api/caddy/diagnostics/caddyfile', '#caddyfileDisplay');
         fetchAndDisplay('/api/caddy/diagnostics/config', '#jsonDisplay');
@@ -116,19 +95,6 @@
             downloadContent(content, filename, "text/plain");
         });
 
-        // Event handler for the Validate Caddyfile button
-        $('#validateCaddyfile').click(function() {
-            ajaxGet('/api/caddy/service/validate', null, function(data, status) {
-                if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                    showDialogAlert(BootstrapDialog.TYPE_SUCCESS, "{{ lang._('Validation Successful') }}", data['message']);
-                } else {
-                    showDialogAlert(BootstrapDialog.TYPE_WARNING, "{{ lang._('Validation Error') }}", data['message']);  // Show error message from the API
-                }
-            }).fail(function(xhr, status, error) {
-                showDialogAlert(BootstrapDialog.TYPE_DANGER, "{{ lang._('Validation Request Failed') }}", error);  // Show AJAX error
-            });
-        });
-
     });
 </script>
 
@@ -163,7 +129,6 @@
         <div class="content-box">
             <pre id="caddyfileDisplay" class="display-area"></pre>
             <button class="btn btn-primary download-btn" id="downloadCaddyfile" type="button">{{ lang._('Download') }}</button>
-            <button class="btn btn-secondary" id="validateCaddyfile" type="button">{{ lang._('Validate Caddyfile') }}</button>
             <br/><br/>
         </div>
     </div>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
index fd56411d1f..379f47b40d 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/general.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2023-2025 Cedrik Pischem
+ # Copyright (c) 2023-2026 Cedrik Pischem
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -33,31 +33,6 @@
             updateServiceControlUI('caddy');
         });
 
-        /**
-         * Displays an alert message to the user.
-         *
-         * @param {string} message - The message to display.
-         * @param {string} [type="error"] - The type of alert (error or success).
-         */
-        function showAlert(message, type = "error") {
-            const alertClass = type === "error" ? "alert-danger" : "alert-success";
-            const messageArea = $("#messageArea");
-            messageArea.stop(true, true).hide();
-            messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
-            messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
-                $(this).html('');
-            });
-        }
-
-        /**
-         * Centralizes error handling.
-         * @param {string} type - The type of error.
-         * @param {string} message - The error message.
-         */
-        function handleError(type, message) {
-            showAlert(message, type);
-        }
-
         // Event binding for saving forms
         $('[id^="save_general-"]').each(function () {
             const $btn = $(this);
@@ -77,25 +52,13 @@
                         "/api/caddy/general/set",
                         formId,
                         function () {
-                            ajaxGet("/api/caddy/service/validate", null, function (data, status) {
-                                if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                                    dfObj.resolve();
-                                } else {
-                                    showAlert(data?.message || "{{ lang._('Validation Error') }}", "error");
-                                    dfObj.reject();
-                                }
-                            }).fail(function(xhr, status, error) {
-                                showAlert("{{ lang._('Validation request failed: ') }}" + error, "error");
-                                dfObj.reject();
-                            });
+                            dfObj.resolve();
                         },
                         true,
-                        function (errorData) {
-                            showAlert(errorData.message || "{{ lang._('Validation Error') }}", "error");
+                        function () {
                             dfObj.reject();
                         }
                     );
-
                     return dfObj.promise();
                 }
             });
@@ -111,8 +74,4 @@
 
 <div id="generalTabsContent" class="content-box tab-content">
     {{ partial("layout_partials/base_tabs_content", ['formData': generalForm]) }}
-    <!-- Message Area for error/success messages -->
-    <div style="max-width: 98%; margin: 10px auto;">
-        <div id="messageArea" class="alert alert-info" style="display: none;"></div>
-    </div>
 </div>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index 9ea070147d..b8a38d2410 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -1,5 +1,5 @@
 {#
- # Copyright (c) 2023-2025 Cedrik Pischem
+ # Copyright (c) 2023-2026 Cedrik Pischem
  # All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without modification,
@@ -279,28 +279,6 @@
             }
         });
 
-        /**
-         * Displays an alert message to the user.
-         *
-         * @param {string} message - The message to display.
-         * @param {string} [type="error"] - The type of alert (error or success).
-         */
-        function showAlert(message, type = "error") {
-            const alertClass = type === "error" ? "alert-danger" : "alert-success";
-            const messageArea = $("#messageArea");
-
-            messageArea.stop(true, true).hide();
-            messageArea.removeClass("alert-success alert-danger").addClass(alertClass).html(message);
-            messageArea.fadeIn(500).delay(15000).fadeOut(500, function() {
-                $(this).html('');
-            });
-        }
-
-        // Hide message area when starting new actions
-        $('input, select, textarea').on('change', function() {
-            $("#messageArea").hide();
-        });
-
         // Populate domain filter selectpicker
         $('#reverseFilter').fetch_options('/api/caddy/reverse_proxy/get_all_reverse_domains');
 
@@ -311,26 +289,8 @@
             $('#reverseFilter').trigger('change');
         });
 
-        // Reconfigure button with custom validation
-        $("#reconfigureAct").SimpleActionButton({
-            onPreAction: function() {
-                const dfObj = new $.Deferred();
-
-                ajaxGet("/api/caddy/service/validate", null, function(data, status) {
-                    if (status === "success" && data && data['status'].toLowerCase() === 'ok') {
-                        dfObj.resolve();
-                    } else {
-                        showAlert(data['message'], "error");
-                        dfObj.reject();
-                    }
-                }).fail(function(xhr, status, error) {
-                    showAlert("{{ lang._('Validation request failed: ') }}" + error, "error");
-                    dfObj.reject();
-                });
-
-                return dfObj.promise();
-            }
-        });
+        // Reconfigure button
+        $("#reconfigureAct").SimpleActionButton();
 
 {% if entrypoint == 'reverse_proxy' %}
 
@@ -445,7 +405,6 @@
         });
 
         updateServiceControlUI('caddy');
-        $('<div id="messageArea" class="alert alert-info" style="display: none;"></div>').insertBefore('#change_message_base_form');
     });
 
 </script>
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
deleted file mode 100755
index 8acc99f2b8..0000000000
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_control.py
+++ /dev/null
@@ -1,135 +0,0 @@
-#!/usr/local/bin/python3
-
-#
-# Copyright (c) 2023-2024 Cedrik Pischem
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without modification,
-# are permitted provided that the following conditions are met:
-#
-# 1. Redistributions of source code must retain the above copyright notice,
-#    this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright notice,
-#    this list of conditions and the following disclaimer in the documentation
-#    and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
-#
-
-import subprocess
-import json
-import sys
-import os
-import signal
-import time
-
-
-def kill_and_start_caddy(pidfile):
-    """
-    Caddy can fail to reload in rare circumstances when
-    persistent keepalive connections are open with the NTLM
-    module active
-    """
-    if os.path.exists(pidfile):
-        try:
-            with open(pidfile, 'r') as f:
-                pid = int(f.read().strip())
-
-            os.kill(pid, signal.SIGKILL)
-            time.sleep(2)
-            subprocess.run(["service", "caddy", "start"], check=True)
-        except Exception as e:
-            print(f"Error: {str(e)}")
-    else:
-        subprocess.run(["service", "caddy", "start"], check=True)
-
-
-def run_service_command(service_action, action_message):
-    """
-    Includes special actions like a validation and
-    timeouts that force a restart when caddy is unresponsive
-    """
-    result = {"message": action_message}
-    pidfile = "/var/run/caddy/caddy.pid"
-
-    if service_action == "validate":
-        try:
-            validation_output = subprocess.check_output(
-                ["caddy", "validate", "--config", "/usr/local/etc/caddy/Caddyfile"], stderr=subprocess.STDOUT,
-                text=True)
-            if "Valid configuration" in validation_output:
-                result["status"] = "ok"
-                result["message"] = "Caddy configuration is valid."
-            else:
-                error_msg = next((line for line in validation_output.split('\n') if line.startswith("Error:")),
-                                 "Caddy configuration is not valid.")
-                result["status"] = "failed"
-                result["message"] = error_msg
-        except subprocess.CalledProcessError as e:
-            error_msg = next((line for line in e.output.split('\n') if line.startswith("Error:")), "Validation failed.")
-            result["status"] = "failed"
-            result["message"] = error_msg
-    elif service_action in ["stop", "restart", "reloadssl"]:
-        try:
-            proc = subprocess.Popen(["service", "caddy", service_action])
-            try:
-                proc.wait(timeout=20)
-                result["status"] = "ok"
-            except subprocess.TimeoutExpired:
-                kill_and_start_caddy(pidfile)
-                result["status"] = "ok"
-                result["message"] = f"{service_action.capitalize()} took too long, Caddy was forcefully restarted."
-        except subprocess.CalledProcessError as e:
-            result["status"] = "failed"
-            result["message"] = str(e)
-    else:
-        try:
-            subprocess.run(["service", "caddy", service_action], check=True)
-            result["status"] = "ok"
-        except subprocess.CalledProcessError as e:
-            result["status"] = "failed"
-            result["message"] = str(e)
-
-    return json.dumps(result)
-
-
-# "cmd_action": "service_action"
-actions = {
-    "start": "start",
-    "stop": "stop",
-    "restart": "restart",
-    "reload": "reloadssl",
-    "validate": "validate"
-}
-
-if __name__ == "__main__":
-    if len(sys.argv) > 1:
-        action = sys.argv[1]
-        if action in actions:
-            cmd_action = action
-            service_action = actions[action]
-            message = f"{cmd_action.capitalize()} Caddy service"
-
-            # Call setup script for 'validate' and 'reloadssl' actions. This is needed because the setup script triggers
-            # the caddy_certs.php script, which exports all certificates into the filesystem. Caddy reloads certificates
-            # when reloadssl is used. Because it is a non-standard command, the caddy_setup script will not be triggered
-            # in /etc/rc.conf.d/caddy. The validate command needs it to make sure all certificates are in the filesystem,
-            # because otherwise the validation fails.
-            if service_action in ["validate", "reloadssl"]:
-                subprocess.run(["/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh"], check=True)
-
-            print(run_service_command(service_action, message))
-        else:
-            print(json.dumps({"status": "failed", "message": f"Unknown action: {action}"}))
-    else:
-        print(json.dumps({"status": "failed", "message": "No action provided"}))
diff --git a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
index 0d768ce42b..a91afe9d45 100644
--- a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
+++ b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
@@ -1,35 +1,29 @@
 [start]
-command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py start
+command:service caddy start
 parameters:
 type:script
 message:Starting Caddy service
 
 [stop]
-command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py stop
+command:service caddy stop
 parameters:
 type:script
 message:Stopping Caddy service
 
 [restart]
-command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py restart
+command:service caddy restart
 parameters:
 type:script
 message:Restarting Caddy service
 description:Restart Caddy service
 
 [reload]
-command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py reload
+command:/bin/sh -c '/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh && /usr/sbin/service caddy reloadssl'
 parameters:
 type:script
-message:Reloading Caddy configuration
+message:Reloading Caddy service
 description:Reload Caddy service
 
-[validate]
-command:/usr/local/opnsense/scripts/OPNsense/Caddy/caddy_control.py validate
-parameters:
-type:script_output
-message:Validating Caddy configuration
-
 [status]
 command:/usr/local/sbin/pluginctl -s caddy status
 parameters:
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index d0b58323c4..7ed89fd103 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -1,5 +1,5 @@
 {#
-# Copyright (c) 2023-2025 Cedrik Pischem
+# Copyright (c) 2023-2026 Cedrik Pischem
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -485,11 +485,7 @@ http://{{ domain }} {
                 handle.HttpTlsTrustedCaCerts or
                 handle.HttpTlsServerName -%}
             {% if has_transport_options %}
-                {% if handle.HttpNtlm|default("0") == "1" %}
-                transport http_ntlm {
-                {% else %}
                 transport http {
-                {% endif %}
                     {% if handle.HttpVersion %}
                         {% set version_map = {'http1': 1.1, 'http2': 2, 'http3': 3} %}
                         versions {{ version_map[handle.HttpVersion] }}

From 332841481313443cbcf1a0966fbe4555548b7be8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 26 Feb 2026 12:02:32 +0100
Subject: [PATCH 3004/3088] security/openvpn-legacy: drop this in from core

---
 security/openvpn-legacy/Makefile                       | 1 +
 security/openvpn-legacy/src/www/vpn_openvpn_server.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/openvpn-legacy/Makefile b/security/openvpn-legacy/Makefile
index 91dd22fada..a0dbce9745 100644
--- a/security/openvpn-legacy/Makefile
+++ b/security/openvpn-legacy/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		openvpn-legacy
 PLUGIN_VERSION=		1.0
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		OpenVPN legacy support
 PLUGIN_DEPENDS=		# openvpn
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/security/openvpn-legacy/src/www/vpn_openvpn_server.php b/security/openvpn-legacy/src/www/vpn_openvpn_server.php
index 4bf340fe4b..2693a822cf 100644
--- a/security/openvpn-legacy/src/www/vpn_openvpn_server.php
+++ b/security/openvpn-legacy/src/www/vpn_openvpn_server.php
@@ -1474,7 +1474,7 @@
                           </span><br>
                           <select name='netbios_ntype' class="selectpicker">
 <?php
-                          foreach ($netbios_nodetypes as $type => $name) :
+                          foreach (['0' => 'none', '1' => 'b-node', '2' => 'p-node', '4' => 'm-node', '5' => 'h-node'] as $type => $name):
                               $selected = "";
                               if ($pconfig['netbios_ntype'] == $type) {
                                   $selected = "selected=\"selected\"";

From e1ff5c9cea2fadcfa1c5a29a35fad58ec8e9fd15 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 26 Feb 2026 16:19:35 +0100
Subject: [PATCH 3005/3088] www/caddy: Remove add handler shortcut command
 (#5260)

The add handler shortcut button needed multiple workarounds and still broke regularly due to subtle race conditions.
---
 .../views/OPNsense/Caddy/reverse_proxy.volt   | 87 ++++---------------
 1 file changed, 17 insertions(+), 70 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index b8a38d2410..d2dbff9096 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -96,79 +96,31 @@
 {% if entrypoint == 'reverse_proxy' %}
 
                         if (["{{ formGridReverseProxy['table_id'] }}", "{{ formGridSubdomain['table_id'] }}"].includes(grid_id)) {
-                            const update_filter = function (selectValues) {
-                                suppressFilterReload = true;
-
-                                return $('#reverseFilter')
-                                    .fetch_options('/api/caddy/reverse_proxy/get_all_reverse_domains')
-                                    .done(function () {
-                                        $('#reverseFilter')
-                                            .selectpicker('val', selectValues)
-                                            .selectpicker('refresh');
-
-                                        // manually update icon (since we skip .change())
-                                        const hasSelection = Array.isArray(selectValues) && selectValues.length > 0;
-                                        $('#reverseFilterIcon')
-                                            .toggleClass('text-success fa-filter-circle-xmark', hasSelection)
-                                            .toggleClass('fa-filter', !hasSelection);
-
-                                        $('#maintabs a[href="#handlers"]').tab('show');
-
-                                        // manually reload just the handlers grid
-                                        const grid_id = "{{ formGridHandle['table_id'] }}";
-                                        if (all_grids[grid_id]) {
-                                            all_grids[grid_id].bootgrid('reload');
-                                        }
-                                    })
-                                    .always(function () {
-                                        suppressFilterReload = false;
-                                    });
-                            };
-
                             commands.search_handler = {
                                 method: function () {
                                     const rowUuid = $(this).data("row-id");
                                     if (!rowUuid) return;
 
-                                    update_filter([rowUuid]);
+                                    suppressFilterReload = true;
+
+                                    $('#reverseFilter')
+                                        .selectpicker('val', [rowUuid])
+                                        .selectpicker('refresh');
+
+                                    $('#reverseFilterIcon')
+                                        .removeClass('fa-filter')
+                                        .addClass('text-success fa-filter-circle-xmark');
+
+                                    $('#maintabs a[href="#handlers"]').tab('show');
+
+                                    all_grids["{{ formGridHandle['table_id'] }}"]?.bootgrid('reload');
+
+                                    suppressFilterReload = false;
                                 },
                                 classname: 'fa fa-fw fa-search',
                                 title: "{{ lang._('Search Handler') }}",
                                 sequence: 20
                             };
-
-                            commands.add_handler = {
-                                method: function () {
-                                    const rowUuid = $(this).data("row-id");
-                                    if (!rowUuid) return;
-
-                                    open_add_dialog = function (selectValues) {
-                                        update_filter(selectValues);
-
-                                        // Ensure selectpicker has values selected before click on add button
-                                        $('#reverseFilter').one('changed.bs.select', function (e) {
-                                            $("#" + "{{ formGridHandle['table_id'] }}")
-                                                .find("button[data-action='add']")
-                                                .trigger('click');
-                                        });
-                                    };
-
-                                    // Resolve reverse domains, as subdomains need wildcard domain and subdomain in dialog
-                                    if (grid_id === "{{ formGridSubdomain['table_id'] }}") {
-                                        ajaxGet(`/api/caddy/reverse_proxy/get_{{ formGridSubdomain['table_id'] }}/` + rowUuid, {}, function (rowData) {
-                                            const reverseUuids = rowData?.subdomain?.reverse || {};
-                                            const selectedReverse = Object.entries(reverseUuids).find(([uuid, entry]) => entry.selected === 1);
-                                            const selectValues = selectedReverse ? [selectedReverse[0], rowUuid] : [rowUuid];
-                                            open_add_dialog(selectValues);
-                                        });
-                                    } else {
-                                        open_add_dialog([rowUuid]);
-                                    }
-                                },
-                                classname: 'fa fa-fw fa-plus',
-                                title: "{{ lang._('Add Handler') }}",
-                                sequence: 10
-                            };
                         }
 
 {% endif %}
@@ -399,11 +351,6 @@
         const $initial = $tabs.filter(`[href="${location.hash}"]`).first();
         ($initial.length ? $initial : $tabs.first()).tab('show');
 
-        // Trigger handlers tab too (even if not active) to ensure command buttons always work
-        $(document).one('ajaxStop', function () {
-            $('a[href="#handlers"]').triggerHandler('shown.bs.tab');
-        });
-
         updateServiceControlUI('caddy');
     });
 
@@ -471,11 +418,11 @@
     <div id="domains" class="tab-pane fade in active">
         <!-- Reverse Proxy -->
         <h1 class="custom-header">{{ lang._('Domains') }}</h1>
-        {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy + {'command_width': '160'})}}
+        {{ partial('layout_partials/base_bootgrid_table', formGridReverseProxy + {'command_width': '120'})}}
 
         <!-- Subdomains Tab -->
         <h1 class="custom-header">{{ lang._('Subdomains') }}</h1>
-        {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain + {'command_width': '160'})}}
+        {{ partial('layout_partials/base_bootgrid_table', formGridSubdomain + {'command_width': '120'})}}
     </div>
 
     <!-- Handle Tab -->

From ac6d362b4e1a3bdfa9e977c0467a9f97fe5721b4 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 26 Feb 2026 16:20:04 +0100
Subject: [PATCH 3006/3088] www/caddy: Remove CDATA in help texts, fix some
 typos, remove links, add one missing selectpicker style (#5261)

---
 .../OPNsense/Caddy/forms/dialogAccessList.xml | 14 ++--
 .../OPNsense/Caddy/forms/dialogBasicAuth.xml  |  6 +-
 .../OPNsense/Caddy/forms/dialogHandle.xml     | 80 +++++++++---------
 .../OPNsense/Caddy/forms/dialogHeader.xml     | 10 +--
 .../OPNsense/Caddy/forms/dialogLayer4.xml     | 38 ++++-----
 .../Caddy/forms/dialogReverseProxy.xml        | 30 +++----
 .../OPNsense/Caddy/forms/dialogSubdomain.xml  | 20 ++---
 .../OPNsense/Caddy/forms/general.xml          | 82 +++++++++----------
 8 files changed, 140 insertions(+), 140 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
index 9c9fe2077c..2f02a393aa 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogAccessList.xml
@@ -3,7 +3,7 @@
         <id>accesslist.accesslistName</id>
         <label>Access List Name</label>
         <type>text</type>
-        <help><![CDATA[Enter a name for this access list.]]></help>
+        <help>Enter a name for this access list.</help>
     </field>
     <field>
         <id>accesslist.clientIps</id>
@@ -11,13 +11,13 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Enter the client IP addresses or networks for this access list. Accepts multiple IPv4/IPv6 addresses or networks.]]></help>
+        <help>Enter the client IP addresses or networks for this access list. Accepts multiple IPv4/IPv6 addresses or networks.</help>
     </field>
     <field>
         <id>accesslist.accesslistInvert</id>
         <label>Invert List</label>
         <type>checkbox</type>
-        <help><![CDATA[If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).]]></help>
+        <help>If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).</help>
         <grid_view>
             <type>boolean</type>
             <formatter>boolean</formatter>
@@ -28,7 +28,7 @@
         <label>HTTP Response Code</label>
         <type>text</type>
         <hint>abort</hint>
-        <help><![CDATA[Set a custom HTTP response code that should be returned to the requesting client when the access list does not match. If empty, the connection is aborted with no response.]]></help>
+        <help>Set a custom HTTP response code that should be returned to the requesting client when the access list does not match. If empty, the connection is aborted with no response.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -38,7 +38,7 @@
         <id>accesslist.HttpResponseMessage</id>
         <label>HTTP Response Message</label>
         <type>text</type>
-        <help><![CDATA[Set a custom HTTP response message in addition to the HTTP response code. If empty, the default HTTP response message for the chosen HTTP response code will be used.]]></help>
+        <help>Set a custom HTTP response message in addition to the HTTP response code. If empty, the default HTTP response message for the chosen HTTP response code will be used.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -48,7 +48,7 @@
         <id>accesslist.RequestMatcher</id>
         <label>Request Matcher</label>
         <type>dropdown</type>
-        <help><![CDATA[Set the request matcher that will be applied to this access list.]]></help>
+        <help>Set the request matcher that will be applied to this access list.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -58,6 +58,6 @@
         <id>accesslist.description</id>
         <label>Description</label>
         <type>text</type>
-        <help><![CDATA[Enter a description for this access list.]]></help>
+        <help>Enter a description for this access list.</help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
index 72862167b4..8efbab9d8c 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogBasicAuth.xml
@@ -3,13 +3,13 @@
         <id>basicauth.basicauthuser</id>
         <label>User</label>
         <type>text</type>
-        <help><![CDATA[Enter a username. Afterwards, select it in a "Domain" or "Subdomain" to restrict access with basic auth.]]></help>
+        <help>Enter a username. Afterwards, select it in a "Domain" or "Subdomain" to restrict access with Basic Auth.</help>
     </field>
     <field>
         <id>basicauth.basicauthpass</id>
         <label>Password</label>
         <type>text</type>
-        <help><![CDATA[Enter a password. It will be hashed with bcrypt. It can only be set and changed but will not be visible anymore.]]></help>
+        <help>Enter a password. It will be hashed with bcrypt. It can only be set and changed but will not be visible anymore.</help>
         <grid_view>
             <ignore>true</ignore>
         </grid_view>
@@ -18,6 +18,6 @@
         <id>basicauth.description</id>
         <label>Description</label>
         <type>text</type>
-        <help><![CDATA[Enter a description for this user.]]></help>
+        <help>Enter a description for this user.</help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
index 15389ae78e..043f6d4c76 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
@@ -3,7 +3,7 @@
         <id>handle.enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable this handler.]]></help>
+        <help>Enable this handler.</help>
         <grid_view>
             <width>20</width>
             <type>boolean</type>
@@ -18,7 +18,7 @@
         <id>handle.reverse</id>
         <label>Domain</label>
         <type>dropdown</type>
-        <help><![CDATA[Select a domain to handle.]]></help>
+        <help>Select a domain to handle.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -27,7 +27,7 @@
         <id>handle.subdomain</id>
         <label>Subdomain</label>
         <type>dropdown</type>
-        <help><![CDATA[Select a subdomain to handle. Make sure to additionaly choose a wildcard domain as "Domain". Leave unset, if not using subdomains.]]></help>
+        <help>Select a subdomain to handle. Make sure to additionally choose a wildcard domain as "Domain". Leave unset, if not using subdomains.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -40,7 +40,7 @@
         <id>handle.HandleType</id>
         <label>Handler</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a handling type: "handle" (default) will keep the path in all requests. "handle_path" will strip the path from all requests.]]></help>
+        <help>Choose a handling type: "handle" (default) will keep the path in all requests. "handle_path" will strip the path from all requests.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -51,7 +51,7 @@
         <label>Path</label>
         <type>text</type>
         <hint>any</hint>
-        <help><![CDATA[Enter a path to handle. Choose a pattern like "/*" or "/example/*". Leave empty to handle any paths (recommended). Any request matching this pattern will be handled by the chosen directive.]]></help>
+        <help>Enter a path to handle. Choose a pattern like "/*" or "/example/*". Leave empty to handle any paths (recommended). Any request matching this pattern will be handled by the chosen directive.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -66,8 +66,8 @@
         <id>handle.accesslist</id>
         <label>Access List</label>
         <type>dropdown</type>
-        <style>style_reverse_proxy</style>
-        <help><![CDATA[Select an Access List to restrict access to this handler. If unset, any local or remote client is allowed access.]]></help>
+        <style>selectpicker style_reverse_proxy</style>
+        <help>Select an Access List to restrict access to this handler. If unset, any local or remote client is allowed access.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -78,7 +78,7 @@
         <type>select_multiple</type>
         <size>5</size>
         <style>selectpicker style_reverse_proxy</style>
-        <help><![CDATA[Select Users to restrict access to this path. If unset, any user is allowed access.]]></help>
+        <help>Select Users to restrict access to this path. If unset, any user is allowed access.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -88,7 +88,7 @@
         <label>Forward Auth</label>
         <type>checkbox</type>
         <style>style_reverse_proxy</style>
-        <help><![CDATA[Enable or disable Forward Auth. Requires an "Auth Provider" in "General Settings". Headers are set automatically to the standard of the chosen provider. Enabling this option will additionally generate the forward_auth directive in front of the reverse_proxy directive inside the scope of this handler.]]></help>
+        <help>Enable or disable Forward Auth. Requires an "Auth Provider" in "General Settings". Headers are set automatically to the standard of the chosen provider. Enabling this option will additionally generate the forward_auth directive in front of the reverse_proxy directive inside the scope of this handler.</help>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
@@ -103,7 +103,7 @@
         <id>handle.HandleDirective</id>
         <label>Directive</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose a handling directive: "reverse_proxy" will proxy all HTTP traffic to the selected upstream. "redir" will create a HTTP redirect.]]></help>
+        <help>Choose a handling directive: "reverse_proxy" will proxy all HTTP traffic to the selected upstream. "redir" will create a HTTP redirect.</help>
     </field>
     <field>
         <type>header</type>
@@ -116,7 +116,7 @@
         <label>HTTP Version</label>
         <type>dropdown</type>
         <style>selectpicker style_reverse_proxy</style>
-        <help><![CDATA[The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires HTTPS, and only establishes connections to webservers that also support HTTP/3.]]></help>
+        <help>The default versions are highly recommended. Choose a HTTP version for the upstream destination. HTTP/3 (HTTP over QUIC) requires HTTPS, and only establishes connections to web servers that also support HTTP/3.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -128,7 +128,7 @@
         <type>select_multiple</type>
         <size>5</size>
         <style>selectpicker style_reverse_proxy</style>
-        <help><![CDATA[Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.]]></help>
+        <help>Select one or multiple headers. Caddy sets "X-Forwarded-For", "X-Forwarded-Proto" and "X-Forwarded-Host" by default, adding them here is not needed. Setting a wrong configuration can be a security risk or break functionality.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -139,7 +139,7 @@
         <type>text</type>
         <hint>120</hint>
         <style>style_reverse_proxy</style>
-        <help><![CDATA[Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.]]></help>
+        <help>Leave empty to use default. Keepalive is either 0 (off) or a duration value that specifies how long to keep connections open (timeout) in seconds.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -152,7 +152,7 @@
         <id>handle.HttpTls</id>
         <label>Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the upstream destination. Caddy uses HTTP with the upstream destination by default.]]></help>
+        <help>Enable or disable HTTP over TLS (HTTPS) to communicate with the upstream destination. Caddy uses HTTP with the upstream destination by default.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -163,7 +163,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration" in advanced mode. When directive is "redir", only the first domain will be evaluated.]]></help>
+        <help>Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy. A health check can be activated by populating "Upstream Fail Duration" in advanced mode. When directive is "redir", only the first domain will be evaluated.</help>
         <grid_view>
             <formatter>to_domain</formatter>
         </grid_view>
@@ -172,7 +172,7 @@
         <id>handle.ToPort</id>
         <label>Upstream Port</label>
         <type>text</type>
-        <help><![CDATA[Leave empty to use the default port or choose a custom port for the upstream destination.]]></help>
+        <help>Leave empty to use the default port or choose a custom port for the upstream destination.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -181,7 +181,7 @@
         <id>handle.ToPath</id>
         <label>Upstream Path</label>
         <type>text</type>
-        <help><![CDATA[When directive is "reverse_proxy", enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path. When directive is "redir", add the path the request should be redirected to; leaving it empty will append {uri}.]]></help>
+        <help>When directive is "reverse_proxy", enter a path prefix like "/guacamole" that should be prepended to the upstream request. This is useful for destinations that have a virtual directory as their base path. When directive is "redir", add the path the request should be redirected to; leaving it empty will append {uri}.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -191,7 +191,7 @@
         <label>TLS Insecure Skip Verify</label>
         <type>checkbox</type>
         <style>style_tls_handle</style>
-        <help><![CDATA[Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".]]></help>
+        <help>Caddy uses HTTP by default to connect to the Upstream. If the Upstream is only reachable via HTTPS, this option disables the TLS handshake verification. This makes the connection insecure and vulnerable to man-in-the-middle attacks. In private networks the risk is low, though do not use in production if possible. It is advised to either use plain HTTP, or proper TLS handling by using the options in "Trust".</help>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
@@ -203,7 +203,7 @@
         <label>TLS Trust Pool</label>
         <type>dropdown</type>
         <style>selectpicker style_tls_handle</style>
-        <help><![CDATA[Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.]]></help>
+        <help>Choose a CA or self-signed certificate to trust from "System - Trust - Authorities". Useful if the upstream destination only accepts TLS connections and offers a self signed certificate. Adding that certificate here will allow for the encrypted connection to succeed.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -213,7 +213,7 @@
         <label>TLS Server Name</label>
         <type>text</type>
         <style>style_tls_handle</style>
-        <help><![CDATA[Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trust Pool", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.]]></help>
+        <help>Enter a hostname or IP address that matches the SAN "Subject Alternative Name" of the offered upstream certificate. This will change the SNI "Server Name Indication" of Caddy. Setting an IP address as "Upstream Domain", enabling "TLS" and selecting a "TLS Trust Pool", would make the SAN of the offered upstream certificate not match with the SNI of Caddy, since it will be an IP address instead of a hostname. Setting the hostname of the certificate here, fixes this issue. Please note that only SAN certificates are supported; CN "Common Name" will not work.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -222,7 +222,7 @@
         <id>handle.description</id>
         <label>Description</label>
         <type>text</type>
-        <help><![CDATA[Enter a description for this handler.]]></help>
+        <help>Enter a description for this handler.</help>
     </field>
     <field>
         <type>header</type>
@@ -235,7 +235,7 @@
         <label>Load Balance Policy</label>
         <type>dropdown</type>
         <style>selectpicker style_reverse_proxy</style>
-        <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
+        <help>lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -246,7 +246,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>off</hint>
-        <help><![CDATA[lb_retries is how many times to retry selecting available backends for each request if the next available host is down. If lb_try_duration is also configured, then retries may stop early if the duration is reached. In other words, the retry duration takes precedence over the retry count.]]></help>
+        <help>lb_retries is how many times to retry selecting available backends for each request if the next available host is down. If lb_try_duration is also configured, then retries may stop early if the duration is reached. In other words, the retry duration takes precedence over the retry count.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -257,7 +257,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>0</hint>
-        <help><![CDATA[lb_try_duration is a duration value that defines how long to try selecting available backends for each request if the next available host is down. Clients will wait for up to this long while the load balancer tries to find an available upstream host. A reasonable starting point might be 5s since the HTTP transport's default dial timeout is 3s, so that should allow for at least one retry if the first selected upstream cannot be reached.]]></help>
+        <help>lb_try_duration is a duration value that defines how long to try selecting available backends for each request if the next available host is down. Clients will wait for up to this long while the load balancer tries to find an available upstream host. A reasonable starting point might be 5s since the HTTP transport's default dial timeout is 3s, so that should allow for at least one retry if the first selected upstream cannot be reached.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -268,7 +268,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>250</hint>
-        <help><![CDATA[lb_try_interval is a duration value that defines how long to wait between selecting the next host from the pool. Only relevant when a request to an upstream host fails. Be aware that setting this to 0 with a non-zero lb_try_duration can cause the CPU to spin if all backends are down and latency is very low.]]></help>
+        <help>lb_try_interval is a duration value that defines how long to wait between selecting the next host from the pool. Only relevant when a request to an upstream host fails. Be aware that setting this to 0 with a non-zero lb_try_duration can cause the CPU to spin if all backends are down and latency is very low.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -279,7 +279,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>off</hint>
-        <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+        <help>fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -290,7 +290,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>1</hint>
-        <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
+        <help>max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -301,7 +301,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>off</hint>
-        <help><![CDATA[unhealthy_status counts a request as failed if the response comes back with one of these status codes. Can be a 3-digit status code or a status code class ending in xx, for example: 404 or 5xx.]]></help>
+        <help>unhealthy_status counts a request as failed if the response comes back with one of these status codes. Can be a 3-digit status code or a status code class ending in xx, for example: 404 or 5xx.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -312,7 +312,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>off</hint>
-        <help><![CDATA[unhealthy_latency is a duration value in ms that counts a request as failed if it takes this long to get a response.]]></help>
+        <help>unhealthy_latency is a duration value in ms that counts a request as failed if it takes this long to get a response.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -323,7 +323,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>off</hint>
-        <help><![CDATA[unhealthy_request_count is the permissible number of simultaneous requests to a backend before marking it as down. In other words, if a particular backend is currently handling this many requests, then it is considered "overloaded" and other backends will be preferred instead. This should be a reasonably large number; configuring this means that the proxy will have a limit of unhealthy_request_count × upstreams_count total simultaneous requests, and any requests after that point will result in an error due to no upstreams being available.]]></help>
+        <help>unhealthy_request_count is the permissible number of simultaneous requests to a backend before marking it as down. In other words, if a particular backend is currently handling this many requests, then it is considered "overloaded" and other backends will be preferred instead. This should be a reasonably large number; configuring this means that the proxy will have a limit of unhealthy_request_count × upstreams_count total simultaneous requests, and any requests after that point will result in an error due to no upstreams being available.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -333,7 +333,7 @@
         <label>Active Health URI</label>
         <type>text</type>
         <style>style_reverse_proxy</style>
-        <help><![CDATA[health_uri is the URI path (and optional query) for active health checks.]]></help>
+        <help>health_uri is the URI path (and optional query) for active health checks.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -343,7 +343,7 @@
         <label>Active Health Upstream</label>
         <type>text</type>
         <style>style_reverse_proxy</style>
-        <help><![CDATA[health_upstream is the ip:port to use for active health checks, if different from the upstream. This should be used in tandem with health_header and {http.reverse_proxy.active.target_upstream}]]></help>
+        <help>health_upstream is the ip:port to use for active health checks, if different from the upstream. This should be used in tandem with health_header and {http.reverse_proxy.active.target_upstream}</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -353,7 +353,7 @@
         <label>Active Health Port</label>
         <type>text</type>
         <style>style_reverse_proxy</style>
-        <help><![CDATA[health_port is the port to use for active health checks, if different from the upstream's port. Ignored if health_upstream is used.]]></help>
+        <help>health_port is the port to use for active health checks, if different from the upstream's port. Ignored if health_upstream is used.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -364,7 +364,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>30</hint>
-        <help><![CDATA[health_interval is a duration value that defines how often to perform active health checks. Default: 30s.]]></help>
+        <help>health_interval is a duration value that defines how often to perform active health checks. Default: 30s.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -375,7 +375,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>1</hint>
-        <help><![CDATA[health_passes is the number of consecutive health checks required before marking the backend as healthy again. Default: 1.]]></help>
+        <help>health_passes is the number of consecutive health checks required before marking the backend as healthy again. Default: 1.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -386,7 +386,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>1</hint>
-        <help><![CDATA[health_fails is the number of consecutive health checks required before marking the backend as unhealthy. Default: 1.]]></help>
+        <help>health_fails is the number of consecutive health checks required before marking the backend as unhealthy. Default: 1.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -397,7 +397,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>5</hint>
-        <help><![CDATA[health_timeout is a duration value that defines how long to wait for a reply before marking the backend as down. Default: 5s.]]></help>
+        <help>health_timeout is a duration value that defines how long to wait for a reply before marking the backend as down. Default: 5s.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -408,7 +408,7 @@
         <type>text</type>
         <style>style_reverse_proxy</style>
         <hint>200</hint>
-        <help><![CDATA[health_status is the HTTP status code to expect from a healthy backend. Can be a 3-digit status code, or a status code class ending in xx. For example: 200 (which is the default), or 2xx.]]></help>
+        <help>health_status is the HTTP status code to expect from a healthy backend. Can be a 3-digit status code, or a status code class ending in xx. For example: 200 (which is the default), or 2xx.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -418,7 +418,7 @@
         <label>Active Health Body</label>
         <type>text</type>
         <style>style_reverse_proxy</style>
-        <help><![CDATA[health_body is a substring or regular expression to match on the response body of an active health check. If the backend does not return a matching body, it will be marked as down.]]></help>
+        <help>health_body is a substring or regular expression to match on the response body of an active health check. If the backend does not return a matching body, it will be marked as down.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -428,7 +428,7 @@
         <label>Active Health Follow Redirects</label>
         <type>checkbox</type>
         <style>style_reverse_proxy</style>
-        <help><![CDATA[health_follow_redirects will cause the health check to follow redirects provided by upstream. By default, a redirect response would cause the health check to count as a fail.]]></help>
+        <help>health_follow_redirects will cause the health check to follow redirects provided by upstream. By default, a redirect response would cause the health check to count as a fail.</help>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
index 163b644517..895fa1a0cc 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHeader.xml
@@ -3,7 +3,7 @@
         <id>header.HeaderUpDown</id>
         <label>Header</label>
         <type>dropdown</type>
-        <help><![CDATA["header_up" sets, adds (with the "+" prefix), deletes (with the "-" prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. "header_down" sets, adds (with the "+" prefix), deletes (with the "-" prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend. For more information: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers]]></help>
+        <help>"header_up" sets, adds (with the "+" prefix), deletes (with the "-" prefix), or performs a replacement (by using two arguments, a search and replacement) in a request header going upstream to the backend. "header_down" sets, adds (with the "+" prefix), deletes (with the "-" prefix), or performs a replacement (by using two arguments, a search and replacement) in a response header coming downstream from the backend.</help>
         <grid_view>
             <width>120</width>
         </grid_view>
@@ -12,13 +12,13 @@
         <id>header.HeaderType</id>
         <label>Header Type</label>
         <type>text</type>
-        <help><![CDATA[Enter a header, for example "Host". Use the "+" or "-" prefix to add or remove this header, for example "-Host" or "+Host". A suffix match like "-Host-*" is also supported. To replace a header, use "Host" without "+" or "-".]]></help>
+        <help>Enter a header, for example "Host". Use the "+" or "-" prefix to add or remove this header, for example "-Host" or "+Host". A suffix match like "-Host-*" is also supported. To replace a header, use "Host" without "+" or "-".</help>
     </field>
     <field>
         <id>header.HeaderValue</id>
         <label>Header Value</label>
         <type>text</type>
-        <help><![CDATA[Enter a value for the selected header. One of the most common options is "{upstream_hostport}". It is also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.]]></help>
+        <help>Enter a value for the selected header. One of the most common options is "{upstream_hostport}". It is also possible to use a regular expression to search for a specific value in a header. For example: "^prefix-([A-Za-z0-9]*)$" which uses the regular expression language RE2 included in Go.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -27,7 +27,7 @@
         <id>header.HeaderReplace</id>
         <label>Header Replace</label>
         <type>text</type>
-        <help><![CDATA[If a regular expression is used to search for a Header Value, the replacement string can be set here. For example: "replaced-$1-suffix" which expands the replacement string, allowing the use of captured values, "$1" being the first capture group.]]></help>
+        <help>If a regular expression is used to search for a Header Value, the replacement string can be set here. For example: "replaced-$1-suffix" which expands the replacement string, allowing the use of captured values, "$1" being the first capture group.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -36,6 +36,6 @@
         <id>header.description</id>
         <label>Description</label>
         <type>text</type>
-        <help><![CDATA[Enter a description for this header.]]></help>
+        <help>Enter a description for this header.</help>
     </field>
 </form>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index 259cca425f..c52b8681da 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -3,7 +3,7 @@
         <id>layer4.enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable this Layer4 route.]]></help>
+        <help>Enable this Layer4 route.</help>
         <grid_view>
             <width>20</width>
             <type>boolean</type>
@@ -14,7 +14,7 @@
         <id>layer4.Sequence</id>
         <label>Sequence</label>
         <type>text</type>
-        <help><![CDATA[Rules are sorted based on the sequence number, higher number means lower priority. Rules without a sequence number will be processed first.]]></help>
+        <help>Rules are sorted based on the sequence number, a higher number means lower priority. Rules without a sequence number will be processed first.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -27,7 +27,7 @@
         <id>layer4.Type</id>
         <label>Routing Type</label>
         <type>dropdown</type>
-        <help><![CDATA[Choose either "listener_wrappers" for multiplexing protocols on the default HTTP and HTTPS ports on OSI Layer 7, or "global" for raw TCP/UDP traffic routing on a custom "Local port" on OSI Layer 4 with optional OSI Layer 7 protocol matching.]]></help>
+        <help>Choose either "listener_wrappers" for multiplexing protocols on the default HTTP and HTTPS ports on OSI Layer 7, or "global" for raw TCP/UDP traffic routing on a custom "Local port" on OSI Layer 4 with optional OSI Layer 7 protocol matching.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -37,7 +37,7 @@
         <label>Protocol</label>
         <type>dropdown</type>
         <style>selectpicker style_type</style>
-        <help><![CDATA[Match the received traffic on OSI Layer 4, either TCP or UDP. When "Routing Type" is "listener_wrappers", currently only TCP will match.]]></help>
+        <help>Match the received traffic on OSI Layer 4, either TCP or UDP. When "Routing Type" is "listener_wrappers", currently only TCP will match.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -47,7 +47,7 @@
         <label>Local Port</label>
         <type>text</type>
         <style>style_type</style>
-        <help><![CDATA[Choose a custom local port to listen on.]]></help>
+        <help>Choose a custom local port to listen on.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -60,7 +60,7 @@
         <id>layer4.Matchers</id>
         <label>Matchers</label>
         <type>dropdown</type>
-        <help><![CDATA[Match the received traffic on OSI Layer 7. When choosing a protocol like TLS, it will be matched and routed to the upstream destination. When "Routing Type" of the matcher is "listener_wrapper", any unmatched traffic will be received by the "HTTP App" (reverse_proxy). When "Routing Type" of the matcher is "global", unmatched traffic will be consumed and blocked. Choose "ANY" to not match on OSI Layer 7 and allow any traffic.]]></help>
+        <help>Match the received traffic on OSI Layer 7. When choosing a protocol like TLS, it will be matched and routed to the upstream destination. When "Routing Type" of the matcher is "listener_wrapper", any unmatched traffic will be received by the "HTTP App" (reverse_proxy). When "Routing Type" of the matcher is "global", unmatched traffic will be consumed and blocked. Choose "ANY" to not match on OSI Layer 7 and allow any traffic.</help>
     </field>
     <field>
         <id>layer4.FromDomain</id>
@@ -68,14 +68,14 @@
         <type>select_multiple</type>
         <style>tokenize style_domain</style>
         <allownew>true</allownew>
-        <help><![CDATA[Enter one or multiple domains to route via SNI or Host Header. Wildcard domains and host wildcards are allowed, e.g. "*.example.com" and "*".]]></help>
+        <help>Enter one or multiple domains to route via SNI or Host Header. Wildcard domains and host wildcards are allowed, e.g. "*.example.com" and "*".</help>
     </field>
     <field>
         <id>layer4.FromOpenvpnModes</id>
         <label>OpenVPN Mode</label>
         <type>dropdown</type>
         <style>selectpicker style_openvpn</style>
-        <help><![CDATA[Select the mode matching the OpenVPN Server or Client.]]></help>
+        <help>Select the mode matching the OpenVPN Server or Client.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -87,7 +87,7 @@
         <style>selectpicker style_openvpn</style>
         <hint>Any</hint>
         <size>5</size>
-        <help><![CDATA[Select a Static Key to match. Multiple Static Keys are only supported for tls-crypt2_client mode.]]></help>
+        <help>Select a Static Key to match. Multiple Static Keys are only supported for tls-crypt2_client mode.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -96,7 +96,7 @@
         <id>layer4.InvertMatchers</id>
         <label>Invert Matchers</label>
         <type>checkbox</type>
-        <help><![CDATA[Invert the sense of the matcher. E.g., if the protocol is TLS, inverting will match all traffic that is not TLS. When domains have been chosen, these will be equally inverted.]]></help>
+        <help>Invert the sense of the matcher. E.g., if the protocol is TLS, inverting will match all traffic that is not TLS. When domains have been chosen, these will be equally inverted.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -109,7 +109,7 @@
         <label>Terminate TLS</label>
         <type>checkbox</type>
         <style>style_domain</style>
-        <help><![CDATA[Terminate TLS before routing to the upstream. Since this requires a certificate, ensure there is a domain configured in "Reverse Proxy" that matches the SNI of "Domain". The best matching SAN or wildcard certificate will be used automatically for this route.]]></help>
+        <help>Terminate TLS before routing to the upstream. Since this requires a certificate, ensure there is a domain configured in "Reverse Proxy" that matches the SNI of "Domain". The best matching SAN or wildcard certificate will be used automatically for this route.</help>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
@@ -126,7 +126,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy.]]></help>
+        <help>Enter a domain name or IP address of the upstream destination. If multiple are chosen, they will be load balanced with the default random policy.</help>
         <grid_view>
             <formatter>to_domain</formatter>
         </grid_view>
@@ -135,7 +135,7 @@
         <id>layer4.ToPort</id>
         <label>Upstream Port</label>
         <type>text</type>
-        <help><![CDATA[Choose a custom port for the upstream destination.]]></help>
+        <help>Choose a custom port for the upstream destination.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -144,7 +144,7 @@
         <id>layer4.ProxyProtocol</id>
         <label>Proxy Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.]]></help>
+        <help>Add the HA Proxy Protocol header. Either version 1 or 2 can be chosen. The default is off, since it is only needed when the upstream can use the Proxy Protocol header.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -153,7 +153,7 @@
         <id>layer4.description</id>
         <label>Description</label>
         <type>text</type>
-        <help><![CDATA[Enter a description for this Layer4 route.]]></help>
+        <help>Enter a description for this Layer4 route.</help>
     </field>
     <field>
         <type>header</type>
@@ -165,7 +165,7 @@
         <label>Load Balance Policy</label>
         <type>dropdown</type>
         <style>selectpicker</style>
-        <help><![CDATA[lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams change.]]></help>
+        <help>lb_policy is the name of the load balancing policy, along with any options. For policies that involve hashing, the highest-random-weight (HRW) algorithm is used to ensure that a client or request with the same hash key is mapped to the same upstream, even if the list of upstreams changes.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -175,7 +175,7 @@
         <label>Passive Health Fail Duration (s)</label>
         <type>text</type>
         <hint>off</hint>
-        <help><![CDATA[fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.]]></help>
+        <help>fail_duration enables a passive health check when multiple destinations in "Upstream Domain" are set. It is a value that defines how long to remember a failed request. A duration of 1 or more seconds enables passive health checking. A reasonable starting point might be 30s to balance error rates with responsiveness when bringing an unhealthy upstream back online.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -186,7 +186,7 @@
         <label>Passive Health Max Fails</label>
         <type>text</type>
         <hint>1</hint>
-        <help><![CDATA[max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.]]></help>
+        <help>max_fails is the maximum number of failed requests within fail_duration that are needed before considering an upstream to be down.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -202,7 +202,7 @@
         <type>select_multiple</type>
         <style>tokenize</style>
         <allownew>true</allownew>
-        <help><![CDATA[Enter one or multiple IP addresses and networks. Leaving this empty will allow any remote client to connect. If populated and the remote IP address of a client matches, the connection to the "Upstream Domain" is allowed, otherwise the connection is dropped. Due to restrictions with this matcher, this list can not be inverted.]]></help>
+        <help>Enter one or multiple IP addresses and networks. Leaving this empty will allow any remote client to connect. If populated and the remote IP address of a client matches, the connection to the "Upstream Domain" is allowed, otherwise the connection is dropped. Due to restrictions with this matcher, this list can not be inverted.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
index ed431a6dbe..227d0a3990 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml
@@ -3,7 +3,7 @@
         <id>reverse.enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable this domain.]]></help>
+        <help>Enable this domain.</help>
         <grid_view>
             <width>20</width>
             <type>boolean</type>
@@ -18,7 +18,7 @@
         <id>reverse.DisableTls</id>
         <label>Protocol</label>
         <type>dropdown</type>
-        <help><![CDATA[When choosing HTTP, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
+        <help>When choosing HTTP, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -27,7 +27,7 @@
         <id>reverse.FromDomain</id>
         <label>Domain</label>
         <type>text</type>
-        <help><![CDATA[Enter a domain name. For a base domain, use "example.com" or "opn.example.com". For a wildcard domain, use "*.example.com". Using a wildcard domain with subdomains requires a "DNS Provider" and the "DNS-01 Challenge" or a custom certificate.]]></help>
+        <help>Enter a domain name. For a base domain, use "example.com" or "opn.example.com". For a wildcard domain, use "*.example.com". Using a wildcard domain with subdomains requires a "DNS Provider" and the "DNS-01 Challenge" or a custom certificate.</help>
         <grid_view>
             <formatter>from_domain</formatter>
         </grid_view>
@@ -36,7 +36,7 @@
         <id>reverse.FromPort</id>
         <label>Port</label>
         <type>text</type>
-        <help><![CDATA[Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule. If the default ports have been changed in "General Settings", leaving this empty will use the chosen alternative ports instead.]]></help>
+        <help>Leave empty to use ports 80 and 443 with automatic redirection from HTTP to HTTPS or choose a custom port. Don't forget to allow these ports with a Firewall rule. If the default ports have been changed in "General Settings", leaving this empty will use the chosen alternative ports instead.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -46,7 +46,7 @@
         <label>Certificate</label>
         <type>dropdown</type>
         <style>selectpicker style_tls_reverse</style>
-        <help><![CDATA[Choose "Auto HTTPS" to get automatic "Let's Encrypt" or "ZeroSSL" certificates; no additional plugin required. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain, e.g., certificates managed by the optional os-acme-client plugin.]]></help>
+        <help>Choose "Auto HTTPS" to get automatic "Let's Encrypt" or "ZeroSSL" certificates; no additional plugin required. Alternatively, choose a custom certificate from "System - Trust - Certificates" for this domain, e.g., certificates managed by the optional os-acme-client plugin.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -55,7 +55,7 @@
         <id>reverse.AcmePassthrough</id>
         <label>HTTP-01 Challenge Redirection</label>
         <type>text</type>
-        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
+        <help>Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -66,7 +66,7 @@
         <label>DNS-01 Challenge</label>
         <type>checkbox</type>
         <style>style_tls_reverse</style>
-        <help><![CDATA[Enable the DNS-01 Challenge for this domain. Requires a "DNS Provider" in "General Settings". This is only needed for wildcard domains, or when the default challenges can not be used due to restrictive firewall policies.]]></help>
+        <help>Enable the DNS-01 Challenge for this domain. Requires a "DNS Provider" in "General Settings". This is only needed for wildcard domains, or when the default challenges can not be used due to restrictive firewall policies.</help>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
@@ -77,7 +77,7 @@
         <id>reverse.DnsChallengeOverrideDomain</id>
         <label>DNS-01 Override Domain</label>
         <type>text</type>
-        <help><![CDATA[If using CNAME delegation for DNS-01 challenges, enter the target domain here. The DNS provider will manage TXT records at '_acme-challenge.targetdomain' instead of the certificate domain. Your configured DNS Provider must have write access to this target domain. For wildcard certificates, ensure the CNAME delegation covers the _acme-challenge label. This enables least-privilege setups or can be used as a workaround when the primary DNS provider lacks an API. Leave empty if your DNS Provider has a dedicated field for this.]]></help>
+        <help>If using CNAME delegation for DNS-01 challenges, enter the target domain here. The DNS provider will manage TXT records at '_acme-challenge.targetdomain' instead of the certificate domain. Your configured DNS Provider must have write access to this target domain. For wildcard certificates, ensure the CNAME delegation covers the _acme-challenge label. This enables least-privilege setups or can be used as a workaround when the primary DNS provider lacks an API. Leave empty if your DNS Provider has a dedicated field for this.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -87,7 +87,7 @@
         <id>reverse.DynDns</id>
         <label>Dynamic DNS</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this domain will be automatically updated. A wildcard domain will create a "*.example.com" record. A base domain will create a "example.com" or "opn.example.com" record. Some providers need subdomains to set records for domains like "opn.example.com"; in that case use the checkbox in the subdomains tab.]]></help>
+        <help>Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this domain will be automatically updated. A wildcard domain will create a "*.example.com" record. A base domain will create a "example.com" or "opn.example.com" record. Some providers need subdomains to set records for domains like "opn.example.com"; in that case use the checkbox in the subdomains tab.</help>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
@@ -98,7 +98,7 @@
         <id>reverse.description</id>
         <label>Description</label>
         <type>text</type>
-        <help><![CDATA[Enter a description for this domain.]]></help>
+        <help>Enter a description for this domain.</help>
     </field>
     <field>
         <type>header</type>
@@ -108,7 +108,7 @@
         <id>reverse.accesslist</id>
         <label>Access List</label>
         <type>dropdown</type>
-        <help><![CDATA[Select an Access List to restrict access to this domain. If unset, any local or remote client is allowed access.]]></help>
+        <help>Select an Access List to restrict access to this domain. If unset, any local or remote client is allowed access.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -118,7 +118,7 @@
         <label>Basic Auth</label>
         <type>select_multiple</type>
         <size>5</size>
-        <help><![CDATA[Select Users to restrict access to this domain. Basic Auth matches after Access Lists. If unset, any user is allowed access. When using CrowdSec, authorization failures will result in automatic bans.]]></help>
+        <help>Select Users to restrict access to this domain. Basic Auth matches after Access Lists. If unset, any user is allowed access.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -127,7 +127,7 @@
         <id>reverse.ClientAuthTrustPool</id>
         <label>Client Auth Trust Pool</label>
         <type>select_multiple</type>
-        <help><![CDATA[Choose multiple CAs or self-signed certificates from "System - Trust - Authorities". Client Auth is activated as soon as at least one certificate has been chosen. Important: Certificate revocation lists are not evaluated. If you need granular control, provide individual self-signed certificates for each device, and unset them to block access. Though keep in mind that if no certificate is left in this field, Client Auth will be deactivated.]]></help>
+        <help>Choose multiple CAs or self-signed certificates from "System - Trust - Authorities". Client Auth is activated as soon as at least one certificate has been chosen. Important: Certificate revocation lists are not evaluated. If you need granular control, provide individual self-signed certificates for each device, and unset them to block access. Though keep in mind that if no certificate is left in this field, Client Auth will be deactivated.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -137,7 +137,7 @@
         <label>Client Auth Mode</label>
         <type>dropdown</type>
         <advanced>true</advanced>
-        <help><![CDATA["request" - Ask clients for a certificate, but allow even if there isn't one; do not verify it. "require" - Require clients to present a certificate, but do not verify it. "verify_if_given" - Ask clients for a certificate; allow even if there isn't one, but verify it if there is. "require_and_verify" - Require clients to present a valid certificate that is verified.]]></help>
+        <help>"request" - Ask clients for a certificate, but allow even if there isn't one; do not verify it. "require" - Require clients to present a certificate, but do not verify it. "verify_if_given" - Ask clients for a certificate; allow even if there isn't one, but verify it if there is. "require_and_verify" - Require clients to present a valid certificate that is verified.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -146,7 +146,7 @@
         <id>reverse.AccessLog</id>
         <label>HTTP Access Log</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable HTTP request logging for this domain and its subdomains. This option is mostly used for troubleshooting, audits and CrowdSec. It will log every single request.]]></help>
+        <help>Enable HTTP request logging for this domain and its subdomains. This option is mostly used for troubleshooting. It will log every single request.</help>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
index 4cdceffe36..fb13e33d0f 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogSubdomain.xml
@@ -3,7 +3,7 @@
         <id>subdomain.enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable this subdomain.]]></help>
+        <help>Enable this subdomain.</help>
         <grid_view>
             <width>20</width>
             <type>boolean</type>
@@ -18,7 +18,7 @@
         <id>subdomain.reverse</id>
         <label>Domain</label>
         <type>dropdown</type>
-        <help><![CDATA[Select a wildcard domain for this subdomain.]]></help>
+        <help>Select a wildcard domain for this subdomain.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -27,13 +27,13 @@
         <id>subdomain.FromDomain</id>
         <label>Subdomain</label>
         <type>text</type>
-        <help><![CDATA[Enter a subdomain. For example, "opn.example.com" if the wildcard domain is "*.example.com". All subdomains use the same ports and protocols as their parent wildcard domain.]]></help>
+        <help>Enter a subdomain. For example, "opn.example.com" if the wildcard domain is "*.example.com". All subdomains use the same ports and protocols as their parent wildcard domain.</help>
     </field>
     <field>
         <id>subdomain.DynDns</id>
         <label>Dynamic DNS</label>
         <type>checkbox</type>
-        <help><![CDATA[Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this subdomain will be automatically updated.]]></help>
+        <help>Enable or disable Dynamic DNS. Requires a "DNS Provider" in "General Settings". The DNS records of this subdomain will be automatically updated.</help>
         <grid_view>
             <visible>false</visible>
             <type>boolean</type>
@@ -44,7 +44,7 @@
         <id>subdomain.AcmePassthrough</id>
         <label>HTTP-01 Challenge Redirection</label>
         <type>text</type>
-        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this subdomain.]]></help>
+        <help>Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this subdomain.</help>
         <advanced>true</advanced>
         <grid_view>
             <visible>false</visible>
@@ -54,7 +54,7 @@
         <id>subdomain.description</id>
         <label>Description</label>
         <type>text</type>
-        <help><![CDATA[Enter a description for this subdomain.]]></help>
+        <help>Enter a description for this subdomain.</help>
     </field>
     <field>
         <type>header</type>
@@ -64,7 +64,7 @@
         <id>subdomain.accesslist</id>
         <label>Access List</label>
         <type>dropdown</type>
-        <help><![CDATA[Select an Access List to restrict access to this subdomain. If unset, any local or remote client is allowed access.]]></help>
+        <help>Select an Access List to restrict access to this subdomain. If unset, any local or remote client is allowed access.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -74,7 +74,7 @@
         <label>Basic Auth</label>
         <type>select_multiple</type>
         <size>5</size>
-        <help><![CDATA[Select Users to restrict access to this subdomain. Basic Auth matches after Access Lists. If unset, any user is allowed access.]]></help>
+        <help>Select Users to restrict access to this subdomain. Basic Auth matches after Access Lists. If unset, any user is allowed access.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -83,7 +83,7 @@
         <id>subdomain.ClientAuthTrustPool</id>
         <label>Client Auth Trust Pool</label>
         <type>select_multiple</type>
-        <help><![CDATA[Choose multiple CAs or self-signed certificates from "System - Trust - Authorities". Client Auth is activated as soon as at least one certificate has been chosen. Important: Certificate revocation lists are not evaluated. If you need granular control, provide individual self-signed certificates for each device, and unset them to block access. Though keep in mind that if no certificate is left in this field, Client Auth will be deactivated.]]></help>
+        <help>Choose multiple CAs or self-signed certificates from "System - Trust - Authorities". Client Auth is activated as soon as at least one certificate has been chosen. Important: Certificate revocation lists are not evaluated. If you need granular control, provide individual self-signed certificates for each device, and unset them to block access. Though keep in mind that if no certificate is left in this field, Client Auth will be deactivated.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
@@ -93,7 +93,7 @@
         <label>Client Auth Mode</label>
         <type>dropdown</type>
         <advanced>true</advanced>
-        <help><![CDATA["request" - Ask clients for a certificate, but allow even if there isn't one; do not verify it. "require" - Require clients to present a certificate, but do not verify it. "verify_if_given" - Ask clients for a certificate; allow even if there isn't one, but verify it if there is. "require_and_verify" - Require clients to present a valid certificate that is verified.]]></help>
+        <help>"request" - Ask clients for a certificate, but allow even if there isn't one; do not verify it. "require" - Require clients to present a certificate, but do not verify it. "verify_if_given" - Ask clients for a certificate; allow even if there isn't one, but verify it if there is. "require_and_verify" - Require clients to present a valid certificate that is verified.</help>
         <grid_view>
             <visible>false</visible>
         </grid_view>
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index bb7d29b7b0..0017ac4813 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -4,25 +4,25 @@
             <id>caddy.general.enabled</id>
             <label>Enable Caddy</label>
             <type>checkbox</type>
-            <help><![CDATA[Enable or disable the Caddy web server.]]></help>
+            <help>Enable or disable the Caddy web server.</help>
         </field>
         <field>
             <id>caddy.general.EnableLayer4</id>
             <label>Enable Layer4 Proxy</label>
             <type>checkbox</type>
-            <help><![CDATA[Enable Layer4 Proxy to stream TCP/UDP. Layer4 Proxy matches before the Reverse Proxy; both can be used concurrently. More information: https://github.com/mholt/caddy-l4]]></help>
+            <help>Enable Layer4 Proxy to stream TCP/UDP. Layer4 Proxy matches before the Reverse Proxy; both can be used concurrently.</help>
         </field>
         <field>
             <id>caddy.general.TlsEmail</id>
             <label>ACME Email</label>
             <type>text</type>
-            <help><![CDATA[Enter the email address for certificate notifications. This is required to receive automatic certificates from "Let's Encrypt" and "ZeroSSL".]]></help>
+            <help>Enter the email address for certificate notifications. This is required to receive automatic certificates from "Let's Encrypt" and "ZeroSSL".</help>
         </field>
         <field>
             <id>caddy.general.TlsAutoHttps</id>
             <label>Auto HTTPS</label>
             <type>dropdown</type>
-            <help><![CDATA[Select the Auto HTTPS option. "On (default)" creates automatic certificates using "Let's Encrypt" or "ZeroSSL". "Off" turns all automatic certificate requests off.]]></help>
+            <help>Select the Auto HTTPS option. "On (default)" creates automatic certificates using "Let's Encrypt" or "ZeroSSL". "Off" turns all automatic certificate requests off.</help>
         </field>
     </tab>
     <tab id="general-advanced" description="Advanced Settings">
@@ -34,7 +34,7 @@
             <id>caddy.general.DisableSuperuser</id>
             <label>System User</label>
             <type>dropdown</type>
-            <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
+            <help>Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.</help>
         </field>
         <field>
             <type>header</type>
@@ -44,21 +44,21 @@
             <id>caddy.general.HttpVersions</id>
             <label>HTTP Versions</label>
             <type>select_multiple</type>
-            <help><![CDATA[Select the HTTP versions for the frontend listeners. By default, QUIC (HTTP/3) is disabled.]]></help>
+            <help>Select the HTTP versions for the frontend listeners. By default, QUIC (HTTP/3) is disabled.</help>
         </field>
         <field>
             <id>caddy.general.HttpPort</id>
             <label>HTTP Port</label>
             <type>text</type>
             <hint>80</hint>
-            <help><![CDATA[If the default HTTP port is changed to e.g. 8080, then a port forward from port 80 to 8080 is necessary to issue automatic certificates with the HTTP-01 challenge and serve clients the reverse proxied resources.]]></help>
+            <help>If the default HTTP port is changed to e.g. 8080, then a port forward from port 80 to 8080 is necessary to issue automatic certificates with the HTTP-01 challenge and serve clients the reverse proxied resources.</help>
         </field>
         <field>
             <id>caddy.general.HttpsPort</id>
             <label>HTTPS Port</label>
             <type>text</type>
             <hint>443</hint>
-            <help><![CDATA[If the default HTTPS port is changed to e.g. 8443, then a port forward from port 443 to 8443 is necessary to issue automatic certificates with the TLS-ALPN-01 challenge and serve clients the reverse proxied resources.]]></help>
+            <help>If the default HTTPS port is changed to e.g. 8443, then a port forward from port 443 to 8443 is necessary to issue automatic certificates with the TLS-ALPN-01 challenge and serve clients the reverse proxied resources.</help>
         </field>
         <field>
             <type>header</type>
@@ -68,7 +68,7 @@
             <id>caddy.general.accesslist</id>
             <label>Trusted Proxies</label>
             <type>dropdown</type>
-            <help><![CDATA[Select an Access List to set IP ranges of Trusted Proxies. Access Lists can be added in "Reverse Proxy - Access". If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.]]></help>
+            <help>Select an Access List to set IP ranges of Trusted Proxies. Access Lists can be added in "Reverse Proxy - Access". If Caddy is not the first server being connected to by clients (for example, when a "CDN" is in front of Caddy), configure "Trusted Proxies" with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the domains the Trusted Proxies connect to.</help>
         </field>
         <field>
             <id>caddy.general.ClientIpHeaders</id>
@@ -78,42 +78,42 @@
             <size>5</size>
             <style>selectpicker</style>
             <hint>X-Forwarded-For</hint>
-            <help><![CDATA[Select one or multiple headers to extract the real client IP. Headers can be added in "Reverse Proxy - Headers". As example, setting "X-Forwarded-For" and "Cf-Connecting-Ip" can extract the real client IP from Cloudflare.]]></help>
+            <help>Select one or multiple headers to extract the real client IP. Headers can be added in "Reverse Proxy - Headers". As example, setting "X-Forwarded-For" and "Cf-Connecting-Ip" can extract the real client IP from Cloudflare.</help>
         </field>
         <field>
             <id>caddy.general.GracePeriod</id>
             <label>Grace Period</label>
             <type>text</type>
             <hint>10</hint>
-            <help><![CDATA[Defines the grace period for shutting down Caddy during a reload in seconds. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close. If the grace period is over and Caddy is unresponsive, there will be a forced kill and service restart.]]></help>
+            <help>Defines the grace period for shutting down Caddy during a reload in seconds. If clients do not finish their requests within the grace period, the server will be forcefully terminated to allow the reload to complete and free up resources. This can influence how long "Apply" of new configurations take, since Caddy waits for all open connections to close. If the grace period is over and Caddy is unresponsive, there will be a forced kill and service restart.</help>
         </field>
         <field>
             <id>caddy.general.timeout_read_body</id>
             <label>Read Body Timeout</label>
             <type>text</type>
-            <hint>no timout</hint>
-            <help><![CDATA[read_body is a duration value in seconds that sets how long to allow a read from a client's upload. Setting this to a short, non-zero value can mitigate slowloris attacks, but may also affect legitimately slow clients.]]></help>
+            <hint>no timeout</hint>
+            <help>read_body is a duration value in seconds that sets how long to allow a read from a client's upload. Setting this to a short, non-zero value can mitigate slowloris attacks, but may also affect legitimately slow clients.</help>
         </field>
         <field>
             <id>caddy.general.timeout_read_header</id>
             <label>Read Header Timeout</label>
             <type>text</type>
-            <hint>no timout</hint>
-            <help><![CDATA[read_header is a duration value in seconds that sets how long to allow a read from a client's request headers.]]></help>
+            <hint>no timeout</hint>
+            <help>read_header is a duration value in seconds that sets how long to allow a read from a client's request headers.</help>
         </field>
         <field>
             <id>caddy.general.timeout_write</id>
             <label>Write Timeout</label>
             <type>text</type>
-            <hint>no timout</hint>
-            <help><![CDATA[write is a duration value in seconds that sets how long to allow a write to a client. Note that setting this to a small value when serving large files may negatively affect legitimately slow clients.]]></help>
+            <hint>no timeout</hint>
+            <help>write is a duration value in seconds that sets how long to allow a write to a client. Note that setting this to a small value when serving large files may negatively affect legitimately slow clients.</help>
         </field>
         <field>
             <id>caddy.general.timeout_idle</id>
             <label>Idle Timeout</label>
             <type>text</type>
             <hint>300</hint>
-            <help><![CDATA[idle is a duration value in seconds that sets the maximum time to wait for the next request when keep-alives are enabled. Defaults value helps to avoid resource exhaustion.]]></help>
+            <help>idle is a duration value in seconds that sets the maximum time to wait for the next request when keep-alives are enabled. The default value helps to avoid resource exhaustion.</help>
         </field>
     </tab>
     <tab id="general-logsettings" description="Log Settings">
@@ -121,26 +121,26 @@
             <id>caddy.general.LogLevel</id>
             <label>Log Level</label>
             <type>dropdown</type>
-            <help><![CDATA[Select the minimum global Log Level. "INFO" is the default and should not be changed without a reason, as it displays the ACME Client messages for automatic certificates. This setting does not influence the HTTP Access logs; they always use "INFO", which is their lowest supported Log Level.]]></help>
+            <help>Select the minimum global Log Level. "INFO" is the default and should not be changed without a reason, as it displays the ACME Client messages for automatic certificates. This setting does not influence the HTTP Access logs; they always use "INFO", which is their lowest supported Log Level.</help>
         </field>
         <field>
             <id>caddy.general.LogCredentials</id>
             <label>Log Credentials</label>
             <type>checkbox</type>
-            <help><![CDATA[Log all cookies and authorization in HTTP request logging. Use this option combined with "HTTP Access Log" in a "Domain". Enable this option only for troubleshooting.]]></help>
+            <help>Log all cookies and authorization in HTTP request logging. Use this option combined with "HTTP Access Log" in a "Domain". Enable this option only for troubleshooting.</help>
         </field>
         <field>
             <id>caddy.general.LogAccessPlain</id>
             <label>Log HTTP Access in JSON Format</label>
             <type>checkbox</type>
-            <help><![CDATA[Log HTTP access in a standard JSON logfile per domain, e.g., for processing by CrowdSec. Use this option combined with "HTTP Access Log" in a "Domain". Enabling this will make the HTTP Access Log disappear from the standard Log File. Logs can be found in the filesystem at "/var/log/caddy/access/".]]></help>
+            <help>Log HTTP access in a standard JSON logfile per domain. Use this option combined with "HTTP Access Log" in a "Domain". Enabling this will make the HTTP Access Log disappear from the standard Log File. Logs can be found in the filesystem at "/var/log/caddy/access/".</help>
         </field>
         <field>
             <id>caddy.general.LogAccessPlainKeep</id>
             <label>Keep HTTP Access JSON Logs for (days)</label>
             <hint>10</hint>
             <type>text</type>
-            <help><![CDATA[Specify how many days to keep the JSON access logs.]]></help>
+            <help>Specify how many days to keep the JSON access logs.</help>
         </field>
     </tab>
     <tab id="general-dnsprovider" description="DNS Provider">
@@ -148,13 +148,13 @@
             <id>caddy.general.TlsDnsProvider</id>
             <label>DNS Provider</label>
             <type>dropdown</type>
-            <help><![CDATA[Select the DNS Provider. If you cannot find your provider here, consider using os-acme-client for the DNS-01 Challenge and os-ddclient for Dynamic DNS as alternatives.]]></help>
+            <help>Select the DNS Provider. If you cannot find your provider here, consider using os-acme-client for the DNS-01 Challenge and os-ddclient for Dynamic DNS as alternatives.</help>
         </field>
         <field>
             <id>caddy.general.TlsDnsApiKey</id>
             <label>API Key</label>
             <type>text</type>
-            <help><![CDATA[This is the standard field for the API Key.]]></help>
+            <help>This is the standard field for the API Key.</help>
         </field>
         <field>
             <type>header</type>
@@ -164,27 +164,27 @@
             <id>caddy.general.TlsDnsPropagationResolvers</id>
             <label>Resolvers</label>
             <type>text</type>
-            <help><![CDATA[Leave empty to use the system resolvers (default). Resolvers customizes the DNS resolvers used when performing the DNS challenge; these take precedence over system resolvers or any default ones. If set here, the resolvers will propagate to all configured certificate issuers. If the system resolvers use DNS over TLS, setting an external resolver here is required or the DNS challenge will fail.]]></help>
+            <help>Leave empty to use the system resolvers (default). Resolvers customizes the DNS resolvers used when performing the DNS challenge; these take precedence over system resolvers or any default ones. If set here, the resolvers will propagate to all configured certificate issuers. If the system resolvers use DNS over TLS, setting an external resolver here is required or the DNS challenge will fail.</help>
         </field>
         <field>
             <id>caddy.general.TlsDnsPropagationTimeout</id>
             <label>Disable Propagation Timeout</label>
             <type>checkbox</type>
-            <help><![CDATA[This will disable propagation_timeout.]]></help>
+            <help>This will disable propagation_timeout.</help>
         </field>
         <field>
             <id>caddy.general.TlsDnsPropagationTimeoutPeriod</id>
             <label>Propagation Timeout</label>
             <type>text</type>
             <hint>120</hint>
-            <help><![CDATA[propagation_timeout is a duration value in seconds that sets the maximum time to wait for the DNS TXT records to appear when using the DNS challenge.]]></help>
+            <help>propagation_timeout is a duration value in seconds that sets the maximum time to wait for the DNS TXT records to appear when using the DNS challenge.</help>
         </field>
         <field>
             <id>caddy.general.TlsDnsPropagationDelay</id>
             <label>Propagation Delay</label>
             <type>text</type>
             <hint>0</hint>
-            <help><![CDATA[propagation_delay is a duration value in seconds that sets how long to wait before starting DNS TXT records propagation checks when using the DNS challenge.]]></help>
+            <help>propagation_delay is a duration value in seconds that sets how long to wait before starting DNS TXT records propagation checks when using the DNS challenge.</help>
         </field>
         <field>
             <type>header</type>
@@ -194,7 +194,7 @@
             <id>caddy.general.TlsDnsEchDomain</id>
             <label>ECH Domain</label>
             <type>text</type>
-            <help><![CDATA[Enables Encrypted ClientHello (ECH) by using the specified public domain name as the plaintext server name (SNI) in TLS handshakes. More information: https://caddyserver.com/docs/caddyfile/options#ech]]></help>
+            <help>Enables Encrypted ClientHello (ECH) by using the specified public domain name as the plaintext server name (SNI) in TLS handshakes.</help>
         </field>
         <field>
             <type>header</type>
@@ -204,38 +204,38 @@
             <id>caddy.general.DynDnsIpVersions</id>
             <label>IP Version</label>
             <type>dropdown</type>
-            <help><![CDATA[Select the DynDns IP Version: "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.]]></help>
+            <help>Select the DynDns IP Version: "IPv4+IPv6" to set IPv4 A-Records and IPv6 AAAA-Records, "IPv4 only" for only A-Records, "IPv6 only" for only AAAA-Records.</help>
         </field>
         <field>
             <id>caddy.general.DynDnsUpdateOnly</id>
             <label>Update Only</label>
             <type>checkbox</type>
-            <help><![CDATA[If enabled, no new DNS records will be created. Only existing records will be updated. This means that the A or AAAA records need to be created manually ahead of time.]]></help>
+            <help>If enabled, no new DNS records will be created. Only existing records will be updated. This means that the A or AAAA records need to be created manually ahead of time.</help>
         </field>
         <field>
             <id>caddy.general.DynDnsInterval</id>
             <label>Check Interval</label>
             <type>text</type>
             <hint>1800</hint>
-            <help><![CDATA[Set the interval in seconds to poll for changes in the IP address. Leave empty to use system defaults.]]></help>
+            <help>Set the interval in seconds to poll for changes in the IP address. Leave empty to use system defaults.</help>
         </field>
         <field>
             <id>caddy.general.DynDnsTtl</id>
             <label>Time to Live</label>
             <type>text</type>
-            <help><![CDATA[Set the TTL (Time to Live) for DNS records in seconds. Leave empty to use the default of an already existing TTL (when updating only) or the default of the provider API (when creating new records). If explicitely set, values should be as defined in rfc2181 section 8.]]></help>
+            <help>Set the TTL (Time to Live) for DNS records in seconds. Leave empty to use the default of an already existing TTL (when updating only) or the default of the provider API (when creating new records). If explicitly set, values should be as defined in RFC 2181 Section 8.”</help>
         </field>
         <field>
             <id>caddy.general.DynDnsSimpleHttp</id>
             <label>Check Http</label>
             <type>text</type>
-            <help><![CDATA[Enter a URL to test the current IP address of the firewall via the HTTP protocol. This is generally not needed as Caddy uses default providers to test the current IP addresses. If a custom provider is preferred, enter the "https://" link to an IP address testing website.]]></help>
+            <help>Enter a URL to test the current IP address of the firewall via the HTTP protocol. This is generally not needed as Caddy uses default providers to test the current IP addresses. If a custom provider is preferred, enter the "https://" link to an IP address testing website.</help>
         </field>
         <field>
             <id>caddy.general.DynDnsInterface</id>
             <label>Check Interface</label>
             <type>dropdown</type>
-            <help><![CDATA[Select an interface to extract the current IP addresses of the firewall. This is generally not needed as Caddy uses default providers to test the current IP addresses. Depending on the specified DynDns IP Version, at most one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted.]]></help>
+            <help>Select an interface to extract the current IP addresses of the firewall. This is generally not needed as Caddy uses default providers to test the current IP addresses. Depending on the specified DynDns IP Version, at most one IPv6 Global Unicast Address and one IPv4 non-RFC1918 Address will be extracted.</help>
         </field>
     </tab>
     <tab id="general-authprovider" description="Auth Provider">
@@ -243,31 +243,31 @@
             <id>caddy.general.AuthProvider</id>
             <label>Forward Auth Provider</label>
             <type>dropdown</type>
-            <help><![CDATA[Select a Forward Auth Provider. It can be added inside a "Handler" by enabling the "Forward Auth" checkbox. For Authelia only the basic subdomain example is supported. More information: https://www.authelia.com/integration/proxies/caddy/#basic-examples. For Authentik custom headers are not supported. More information: https://docs.goauthentik.io/docs/providers/proxy/server_caddy]]></help>
+            <help>Select a Forward Auth Provider. It can be added inside a "Handler" by enabling the "Forward Auth" checkbox.</help>
         </field>
         <field>
             <id>caddy.general.AuthToTls</id>
             <label>Protocol</label>
             <type>dropdown</type>
-            <help><![CDATA[Enable or disable HTTP over TLS (HTTPS) to communicate with the Forward Auth Provider.]]></help>
+            <help>Enable or disable HTTP over TLS (HTTPS) to communicate with the Forward Auth Provider.</help>
         </field>
         <field>
             <id>caddy.general.AuthToDomain</id>
             <label>Forward Auth Domain</label>
             <type>text</type>
-            <help><![CDATA[Enter the domain name or IP address of the chosen Forward Auth Provider.]]></help>
+            <help>Enter the domain name or IP address of the chosen Forward Auth Provider.</help>
         </field>
         <field>
             <id>caddy.general.AuthToPort</id>
             <label>Forward Auth Port</label>
             <type>text</type>
-            <help><![CDATA[Enter the listen port of the chosen Forward Auth Provider.]]></help>
+            <help>Enter the listen port of the chosen Forward Auth Provider.</help>
         </field>
         <field>
             <id>caddy.general.AuthToUri</id>
             <label>Forward Auth URI</label>
             <type>text</type>
-            <help><![CDATA[Enter the URI of the authz api endpoint.]]></help>
+            <help>Enter the URI of the authz api endpoint.</help>
         </field>
         <field>
             <id>caddy.general.CopyHeaders</id>
@@ -276,7 +276,7 @@
             <type>select_multiple</type>
             <size>5</size>
             <style>selectpicker</style>
-            <help><![CDATA[Select headers to copy in addition to the default of the chosen provider. Headers can be added in "Reverse Proxy - Headers". As example, copying "Authorization" can pass Basic Auth credentials from the Auth Provider to the reverse proxied application.]]></help>
+            <help>Select headers to copy in addition to the default of the chosen provider. Headers can be added in "Reverse Proxy - Headers". As example, copying "Authorization" can pass Basic Auth credentials from the Auth Provider to the reverse proxied application.</help>
         </field>
     </tab>
     <activetab>general-settings</activetab>

From 2698d36a0fee62a04192c8268307a18333ba1ee1 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Thu, 26 Feb 2026 20:23:00 +0100
Subject: [PATCH 3007/3088] net/haproxy: modernize UI templates

---
 net/haproxy/pkg-descr                         |   3 +
 .../app/views/OPNsense/HAProxy/export.volt    |  58 ++--
 .../mvc/app/views/OPNsense/HAProxy/index.volt | 161 ++++-------
 .../views/OPNsense/HAProxy/maintenance.volt   | 253 ++++++++----------
 .../views/OPNsense/HAProxy/statistics.volt    | 158 +++++------
 5 files changed, 260 insertions(+), 373 deletions(-)

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index 48c8151c58..fbeff94fe2 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -15,6 +15,9 @@ Added:
 Fixed:
 * migration fails if a http-request/-response "lua" rule is configured
 
+Changed:
+* modernize UI templates
+
 5.0
 
 WARNING: This is a new major release, which may result in
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
index 19c31de7a3..07962662ff 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/export.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2021 Frank Wall
+Copyright (C) 2021-2026 Frank Wall
 OPNsense® is Copyright © 2014 – 2016 by Deciso B.V.
 All rights reserved.
 
@@ -29,16 +29,17 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <script>
     $( document ).ready(function() {
+        'use strict';
+
         /**
          * show HAProxy config
          */
         function update_showconf() {
-            ajaxCall(url="/api/haproxy/export/config/", sendData={}, callback=function(data,status) {
+            ajaxCall("/api/haproxy/export/config/", {}, function(data, status) {
                 if (data['response'] && data['response'].trim()) {
                     $("#showconf").text(data['response']);
                 } else {
-                    conf_help = "<br><span style=\"color: #000000; white-space: pre-wrap; font-family: monospace;\"> {{ lang._('Config file not found. Run a syntax check to create it.') }}</span><br>";
-                    $("#showconfempty").append(conf_help);
+                    $("#showconfempty").append('<br><span class="conf-message"> {{ lang._('Config file not found. Run a syntax check to create it.') }}</span><br>');
                     $("#showconf").hide();
                 }
             });
@@ -49,29 +50,16 @@ POSSIBILITY OF SUCH DAMAGE.
          * show HAProxy config diff
          */
         function update_showdiff() {
-            ajaxCall(url="/api/haproxy/export/diff/", sendData={}, callback=function(data,status) {
-                diff = '';
+            ajaxCall("/api/haproxy/export/diff/", {}, function(data, status) {
+                const diffClasses = {'+': 'diff-add', '-': 'diff-remove', '@': 'diff-hunk'};
+                let diff = '';
                 if (data['response'] && data['response'].trim()) {
-                    var lines = data['response'].split("\n");
-                    $.each(lines, function(n, line) {
-                        switch(line.substring(0,1)) {
-                            case '+':
-                                color = '#3bbb33';
-                                break;
-                            case '-':
-                                color = '#c13928';
-                                break;
-                            case '@':
-                                color = '#3bb9c3';
-                                break;
-                            default:
-                                color = '#000000';
-                        }
-                        diff += '<span style="color: ' + color + '; white-space: pre-wrap; font-family: monospace;">' + line + '</span><br>';
-
+                    data['response'].split("\n").forEach(function(line) {
+                        const cssClass = diffClasses[line.substring(0, 1)] || 'diff-context';
+                        diff += `<span class="${cssClass}">${$('<span/>').text(line).html()}</span><br>`;
                     });
                 } else {
-                    diff = "<br><span style=\"color: #000000; white-space: pre-wrap; font-family: monospace;\"> {{ lang._('New and old config files are identical.') }}</span><br>";
+                    diff = '<br><span class="diff-context"> {{ lang._('New and old config files are identical.') }}</span><br>';
                 }
                 $("#showdiff").append(diff);
             });
@@ -83,11 +71,11 @@ POSSIBILITY OF SUCH DAMAGE.
          */
         $('[id*="exportbtn"]').each(function(){
             $(this).click(function(){
-                var type = $(this).data("type");
-                ajaxGet("/api/haproxy/export/download/"+type+"/", {}, function(data, status){
+                const type = $(this).data("type");
+                ajaxGet("/api/haproxy/export/download/" + type + "/", {}, function(data, status){
                     if (data.filename !== undefined) {
-                        var link = $('<a></a>')
-                            .attr('href','data:'+data.filetype+';base64,' + data.content)
+                        const link = $('<a></a>')
+                            .attr('href', 'data:' + data.filetype + ';base64,' + data.content)
                             .attr('download', data.filename)
                             .appendTo('body');
 
@@ -101,18 +89,26 @@ POSSIBILITY OF SUCH DAMAGE.
         });
 
         // update history on tab state and implement navigation
-        if(window.location.hash != "") {
-            $('a[href="' + window.location.hash + '"]').click()
+        if (window.location.hash != "") {
+            $('a[href="' + window.location.hash + '"]').click();
         }
         $('.nav-tabs a').on('shown.bs.tab', function (e) {
             history.pushState(null, null, e.target.hash);
         });
         $(window).on('hashchange', function(e) {
-            $('a[href="' + window.location.hash + '"]').click()
+            $('a[href="' + window.location.hash + '"]').click();
         });
     });
 </script>
 
+<style>
+    .diff-add     { color: #3bbb33; white-space: pre-wrap; font-family: monospace; }
+    .diff-remove  { color: #c13928; white-space: pre-wrap; font-family: monospace; }
+    .diff-hunk    { color: #3bb9c3; white-space: pre-wrap; font-family: monospace; }
+    .diff-context { white-space: pre-wrap; font-family: monospace; }
+    .conf-message { white-space: pre-wrap; font-family: monospace; }
+</style>
+
 <ul class="nav nav-tabs" role="tablist" id="maintabs">
     <li class="active"><a data-toggle="tab" href="#export"><b>{{ lang._('Config Export') }}</b></a></li>
     <li><a data-toggle="tab" href="#diff">{{ lang._('Config Diff') }}</a></li>
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 6402371b2e..8120b18835 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2016-2021 Frank Wall
+Copyright (C) 2016-2026 Frank Wall
 OPNsense® is Copyright © 2014 – 2015 by Deciso B.V.
 All rights reserved.
 
@@ -30,16 +30,17 @@ POSSIBILITY OF SUCH DAMAGE.
 <script>
 
     $( document ).ready(function() {
+        'use strict';
 
         // get general HAProxy settings
-        var data_get_map = {'frm_haproxy':"/api/haproxy/settings/get"};
+        const data_get_map = {'frm_haproxy':"/api/haproxy/settings/get"};
 
         // load initial data
         mapDataToFormUI(data_get_map).done(function(){
             formatTokenizersUI();
             $('.selectpicker').selectpicker('refresh');
             // request service status on load and update status box
-            ajaxCall(url="/api/haproxy/service/status", sendData={}, callback=function(data,status) {
+            ajaxCall("/api/haproxy/service/status", {}, function(data, status) {
                 updateServiceStatusUI(data['status']);
             });
         });
@@ -226,7 +227,7 @@ POSSIBILITY OF SUCH DAMAGE.
         // hook into on-show event for dialog to extend layout.
         $('#DialogAcl').on('shown.bs.modal', function (e) {
             $("#acl\\.expression").change(function(){
-                var service_id = 'table_' + $(this).val();
+                const service_id = 'table_' + $(this).val();
                 $(".expression_table").hide();
                 $("."+service_id).show();
             });
@@ -236,7 +237,7 @@ POSSIBILITY OF SUCH DAMAGE.
         // hook into on-show event for dialog to extend layout.
         $('#DialogAction').on('shown.bs.modal', function (e) {
             $("#action\\.type").change(function(){
-                var service_id = 'table_' + $(this).val();
+                const service_id = 'table_' + $(this).val();
                 $(".type_table").hide();
                 $("."+service_id).show();
             });
@@ -246,21 +247,21 @@ POSSIBILITY OF SUCH DAMAGE.
         // hook into on-show event for dialog to extend layout.
         $('#DialogBackend').on('shown.bs.modal', function (e) {
             $("#backend\\.mode").change(function(){
-                var service_id = 'table_' + $(this).val();
+                const service_id = 'table_' + $(this).val();
                 $(".mode_table").hide();
                 $("."+service_id).show();
             });
             $("#backend\\.mode").change();
 
             $("#backend\\.healthCheckEnabled").change(function(){
-                var service_id = 'table_healthcheck_' + $(this).is(':checked');
+                const service_id = 'table_healthcheck_' + $(this).is(':checked');
                 $(".healthcheck_table").hide();
                 $("."+service_id).show();
             });
             $("#backend\\.healthCheckEnabled").change();
 
             $("#backend\\.persistence").change(function(){
-                var persistence_id = 'table_persistence_' + $(this).val();
+                const persistence_id = 'table_persistence_' + $(this).val();
                 $(".persistence_table").hide();
                 $("."+persistence_id).show();
             });
@@ -270,7 +271,7 @@ POSSIBILITY OF SUCH DAMAGE.
         // hook into on-show event for dialog to extend layout.
         $('#DialogFrontend').on('shown.bs.modal', function (e) {
             $("#frontend\\.mode").change(function(){
-                var service_id = 'table_' + $(this).val();
+                const service_id = 'table_' + $(this).val();
                 $(".mode_table").hide();
                 $("."+service_id).show();
             });
@@ -278,7 +279,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
             // show/hide SSL offloading
             $("#frontend\\.ssl_enabled").change(function(){
-                var service_id = 'table_ssl_' + $(this).is(':checked');
+                const service_id = 'table_ssl_' + $(this).is(':checked');
                 $(".table_ssl").hide();
                 $("."+service_id).show();
             });
@@ -286,7 +287,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
             // show/hide advanced SSL settings
             $("#frontend\\.ssl_advancedEnabled").change(function(){
-                var service_id = 'table_ssl_advanced_' + $(this).is(':checked');
+                const service_id = 'table_ssl_advanced_' + $(this).is(':checked');
                 $(".table_ssl_advanced").hide();
                 $("."+service_id).show();
             });
@@ -296,7 +297,7 @@ POSSIBILITY OF SUCH DAMAGE.
         // hook into on-show event for dialog to extend layout.
         $('#DialogHealthcheck').on('shown.bs.modal', function (e) {
             $("#healthcheck\\.type").change(function(){
-                var service_id = 'table_' + $(this).val();
+                const service_id = 'table_' + $(this).val();
                 $(".type_table").hide();
                 $("."+service_id).show();
             });
@@ -306,7 +307,7 @@ POSSIBILITY OF SUCH DAMAGE.
         // hook into on-show event for dialog to extend layout.
         $('#DialogServer').on('shown.bs.modal', function (e) {
             $("#server\\.type").change(function(){
-                var service_id = 'table_server_type_' + $(this).val();
+                const service_id = 'table_server_type_' + $(this).val();
                 $(".table_server_type").hide();
                 $("."+service_id).show();
             });
@@ -321,31 +322,20 @@ POSSIBILITY OF SUCH DAMAGE.
         $('[id*="reconfigureAct"]').each(function(){
             $(this).click(function(){
                 // set progress animation
-                $('[id*="reconfigureAct_progress"]').each(function(){
-                    $(this).addClass("fa fa-spinner fa-pulse");
-                });
+                $('[id*="reconfigureAct_progress"]').addClass("fa fa-spinner fa-pulse");
                 // first run syntax check to catch critical errors
-                ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
+                ajaxCall("/api/haproxy/service/configtest", {}, function(data, status) {
                     // show warning in case of critical errors
                     if (data['result'].indexOf('ALERT') > -1) {
+                        $('[id*="reconfigureAct_progress"]').removeClass("fa fa-spinner fa-pulse");
                         BootstrapDialog.show({
                             type: BootstrapDialog.TYPE_DANGER,
                             title: "{{ lang._('HAProxy configtest found critical errors') }}",
                             message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Run syntax check for further details or review the changes in the %sConfiguration Diff%s.')|format('<a href=\"/ui/haproxy/export#diff\">','</a>') }}",
-                            buttons: [{
-                                icon: 'fa fa-trash-o',
-                                label: '{{ lang._('Abort') }}',
-                                action: function(dlg){
-                                    // when done, disable progress animation
-                                    $('[id*="reconfigureAct_progress"]').each(function(){
-                                        $(this).removeClass("fa fa-spinner fa-pulse");
-                                    });
-                                    dlg.close();
-                                }
-                            }]
+                            draggable: true
                         });
                     } else {
-                        ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
+                        ajaxCall("/api/haproxy/service/reconfigure", {}, function(data, status) {
                             if (status != "success" || data['status'] != 'ok') {
                                 BootstrapDialog.show({
                                     type: BootstrapDialog.TYPE_WARNING,
@@ -356,13 +346,11 @@ POSSIBILITY OF SUCH DAMAGE.
                             } else {
                                 // reload page to hide pending changes reminder
                                 setTimeout(function () {
-                                    window.location.reload(true)
+                                    window.location.reload(true);
                                 }, 300);
                             }
                             // when done, disable progress animation
-                            $('[id*="reconfigureAct_progress"]').each(function(){
-                                $(this).removeClass("fa fa-spinner fa-pulse");
-                            });
+                            $('[id*="reconfigureAct_progress"]').removeClass("fa fa-spinner fa-pulse");
                         });
                     }
                 });
@@ -373,15 +361,11 @@ POSSIBILITY OF SUCH DAMAGE.
         $('[id*="configtestAct"]').each(function(){
             $(this).click(function(){
                 // set progress animation
-                $('[id*="configtestAct_progress"]').each(function(){
-                    $(this).addClass("fa fa-spinner fa-pulse");
-                });
+                $('[id*="configtestAct_progress"]').addClass("fa fa-spinner fa-pulse");
 
-                ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
+                ajaxCall("/api/haproxy/service/configtest", {}, function(data, status) {
                     // when done, disable progress animation
-                    $('[id*="configtestAct_progress"]').each(function(){
-                        $(this).removeClass("fa fa-spinner fa-pulse");
-                    });
+                    $('[id*="configtestAct_progress"]').removeClass("fa fa-spinner fa-pulse");
 
                     if (data['result'].indexOf('ALERT') > -1) {
                         BootstrapDialog.show({
@@ -413,17 +397,15 @@ POSSIBILITY OF SUCH DAMAGE.
         $('[id*="saveAndTestAct"]').each(function(){
             $(this).click(function(){
                 // extract the form id from the button id
-                var frm_id = "frm_" + $(this).attr("id").split('_')[1]
+                const frm_id = "frm_" + $(this).attr("id").split('_')[1];
 
                 // save data for this tab
-                saveFormToEndpoint(url="/api/haproxy/settings/set",formid=frm_id,callback_ok=function(){
+                saveFormToEndpoint("/api/haproxy/settings/set", frm_id, function(){
                     // set progress animation
-                    $('[id*="saveAndTestAct_progress"]').each(function(){
-                        $(this).addClass("fa fa-spinner fa-pulse");
-                    });
+                    $('[id*="saveAndTestAct_progress"]').addClass("fa fa-spinner fa-pulse");
 
                     // on correct save, perform config test
-                    ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
+                    ajaxCall("/api/haproxy/service/configtest", {}, function(data, status) {
                         if (data['result'].indexOf('ALERT') > -1) {
                             BootstrapDialog.show({
                                 type: BootstrapDialog.TYPE_DANGER,
@@ -448,9 +430,7 @@ POSSIBILITY OF SUCH DAMAGE.
                         }
 
                         // when done, disable progress animation
-                        $('[id*="saveAndTestAct_progress"]').each(function(){
-                            $(this).removeClass("fa fa-spinner fa-pulse");
-                        });
+                        $('[id*="saveAndTestAct_progress"]').removeClass("fa fa-spinner fa-pulse");
                     });
                 });
             });
@@ -460,57 +440,36 @@ POSSIBILITY OF SUCH DAMAGE.
         $('[id*="saveAndReconfigureAct"]').each(function(){
             $(this).click(function(){
                 // extract the form id from the button id
-                var frm_id = "frm_" + $(this).attr("id").split('_')[1]
+                const frm_id = "frm_" + $(this).attr("id").split('_')[1];
 
                 // save data for this tab
-                saveFormToEndpoint(url="/api/haproxy/settings/set",formid=frm_id,callback_ok=function(){
+                saveFormToEndpoint("/api/haproxy/settings/set", frm_id, function(){
                     // set progress animation
-                    $('[id*="saveAndReconfigureAct_progress"]').each(function(){
-                        $(this).addClass("fa fa-spinner fa-pulse");
-                    });
+                    $('[id*="saveAndReconfigureAct_progress"]').addClass("fa fa-spinner fa-pulse");
 
                     // on correct save, perform config test
-                    ajaxCall(url="/api/haproxy/service/configtest", sendData={}, callback=function(data,status) {
+                    ajaxCall("/api/haproxy/service/configtest", {}, function(data, status) {
                         // show warning in case of critical errors
                         if (data['result'].indexOf('ALERT') > -1) {
-                            BootstrapDialog.show({
-                                type: BootstrapDialog.TYPE_DANGER,
-                                title: "{{ lang._('HAProxy config contains critical errors') }}",
-                                message: "{{ lang._('The HAProxy service may not be able to start due to critical errors. Try anyway?') }}",
-                                buttons: [{
-                                    label: '{{ lang._('Continue') }}',
-                                    cssClass: 'btn-primary',
-                                    action: function(dlg){
-                                        ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
-                                            if (status != "success" || data['status'] != 'ok') {
-                                                BootstrapDialog.show({
-                                                    type: BootstrapDialog.TYPE_WARNING,
-                                                    title: "{{ lang._('Error reconfiguring HAProxy') }}",
-                                                    message: data['status'],
-                                                    draggable: true
-                                                });
-                                            }
-                                        });
-                                        // when done, disable progress animation
-                                        $('[id*="saveAndReconfigureAct_progress"]').each(function(){
-                                            $(this).removeClass("fa fa-spinner fa-pulse");
-                                        });
-                                        dlg.close();
-                                    }
-                                }, {
-                                    icon: 'fa fa-trash-o',
-                                    label: '{{ lang._('Abort') }}',
-                                    action: function(dlg){
-                                        // when done, disable progress animation
-                                        $('[id*="saveAndReconfigureAct_progress"]').each(function(){
-                                            $(this).removeClass("fa fa-spinner fa-pulse");
-                                        });
-                                        dlg.close();
-                                    }
-                                }]
-                            });
+                            $('[id*="saveAndReconfigureAct_progress"]').removeClass("fa fa-spinner fa-pulse");
+                            stdDialogConfirm(
+                                "{{ lang._('HAProxy config contains critical errors') }}",
+                                "{{ lang._('The HAProxy service may not be able to start due to critical errors. Try anyway?') }}",
+                                "{{ lang._('Continue') }}", "{{ lang._('Abort') }}", function() {
+                                    ajaxCall("/api/haproxy/service/reconfigure", {}, function(data, status) {
+                                        if (status != "success" || data['status'] != 'ok') {
+                                            BootstrapDialog.show({
+                                                type: BootstrapDialog.TYPE_WARNING,
+                                                title: "{{ lang._('Error reconfiguring HAProxy') }}",
+                                                message: data['status'],
+                                                draggable: true
+                                            });
+                                        }
+                                    });
+                                }
+                            );
                         } else {
-                            ajaxCall(url="/api/haproxy/service/reconfigure", sendData={}, callback=function(data,status) {
+                            ajaxCall("/api/haproxy/service/reconfigure", {}, function(data, status) {
                                 if (status != "success" || data['status'] != 'ok') {
                                     BootstrapDialog.show({
                                         type: BootstrapDialog.TYPE_WARNING,
@@ -521,13 +480,11 @@ POSSIBILITY OF SUCH DAMAGE.
                                 } else {
                                     // reload page to hide pending changes reminder
                                     setTimeout(function () {
-                                        window.location.reload(true)
+                                        window.location.reload(true);
                                     }, 300);
                                 }
                                 // when done, disable progress animation
-                                $('[id*="saveAndReconfigureAct_progress"]').each(function(){
-                                    $(this).removeClass("fa fa-spinner fa-pulse");
-                                });
+                                $('[id*="saveAndReconfigureAct_progress"]').removeClass("fa fa-spinner fa-pulse");
                             });
                         }
                     });
@@ -542,7 +499,7 @@ POSSIBILITY OF SUCH DAMAGE.
 
         // show reminder when config has pending changes
         function pending_changes_reminder() {
-            ajaxCall(url="/api/haproxy/export/diff/", sendData={}, callback=function(data,status) {
+            ajaxCall("/api/haproxy/export/diff/", {}, function(data, status) {
                 if (data['response'] && data['response'].trim()) {
                     $("#haproxyPendingReminder").show();
                 } else {
@@ -553,14 +510,8 @@ POSSIBILITY OF SUCH DAMAGE.
         pending_changes_reminder();
 
         // show hint after every config change
-        function add_apply_reminder() {
-            hint_msg = "{{ lang._('After changing settings, please remember to test and apply them with the buttons below.') }}"
-            $('[id*="haproxyChangeMessage"]').each(function(){
-                $(this).append(hint_msg);
-            });
-
-        };
-        add_apply_reminder();
+        const hint_msg = "{{ lang._('After changing settings, please remember to test and apply them with the buttons below.') }}";
+        $('[id*="haproxyChangeMessage"]').append(hint_msg);
 
         // show or hide the correct buttons depending on which tab is shown
         // NOTE: This does not work on already shown tabs, so this event must
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
index 0094f996c9..f585cc8c0c 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/maintenance.volt
@@ -1,5 +1,6 @@
 {#
 
+Copyright (C) 2026 Frank Wall
 Copyright (C) 2021 Andreas Stuerz
 OPNsense® is Copyright © 2014 – 2016 by Deciso B.V.
 All rights reserved.
@@ -28,37 +29,32 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 <script>
     $( document ).ready(function() {
+        'use strict';
 
         // Get cronjobs
-        var cronjobs_data_get_map = {'frm_cronjobs':"/api/haproxy/maintenance/get"};
+        const cronjobs_data_get_map = {'frm_cronjobs':"/api/haproxy/maintenance/get"};
         // load initial data
         mapDataToFormUI(cronjobs_data_get_map).done(function(data){
-            // Add link to cron job edit page: First iterate over all cron settings.
-            // FIXME: Oh boy, this is ugly. Should be refactored.
-            $.each(data.frm_cronjobs.haproxy.maintenance.cronjobs, function(key, value) {
-                // Check if cron setting is enabled.
+            // Add link to cron job edit page for each enabled cron setting.
+            function addCronLink(key, cronData) {
+                const cron_cfg = key + 'Cron';
+                if (!(cron_cfg in cronData)) {
+                    return;
+                }
+                Object.entries(cronData[cron_cfg]).forEach(function([refkey, refvalue]) {
+                    if (refvalue.selected == 1) {
+                        const content_id = `[id="haproxy.maintenance.cronjobs.${key}"]`;
+                        const cron_link = `<br><a href="/ui/cron/item/open/${refkey}"><span class="fa fa-pencil"></span> {{ lang._('Configure cron job') }}</a>`;
+                        $(content_id).closest("td").append(cron_link);
+                    }
+                });
+            }
+
+            const cronData = data.frm_cronjobs.haproxy.maintenance.cronjobs;
+            Object.entries(cronData).forEach(function([key, value]) {
                 if (value == 1) {
-                    // Find the matching cron job reference.
-                    cron_cfg = key + 'Cron';
-                    $.each(data.frm_cronjobs.haproxy.maintenance.cronjobs, function(cronkey, cronvalue) {
-                        // Check if it is the correct entry for this cron setting.
-                        if (cronkey == cron_cfg) {
-                            // Get the cron job UUID.
-                            $.each(cronvalue, function(refkey, refvalue) {
-                                // Only the "selected" item belongs to this entry.
-                                if (refvalue.selected == 1) {
-                                    // Find the correct container for this cron setting.
-                                    content_id = "[id=\"haproxy.maintenance.cronjobs." + key + "\"]";
-                                    $(content_id).each(function(){
-                                        // Finally add the link to the cron job edit page.
-                                        cron_link = "<br><a href=\"/ui/cron/item/open/" + refkey + "\"><span class=\"fa fa-pencil\"></span> {{ lang._('Configure cron job') }}</a>";
-                                        $(this).closest("td").append(cron_link);
-                                    });
-                                };
-                            });
-                        };
-                    });
-                };
+                    addCronLink(key, cronData);
+                }
             });
 
             formatTokenizersUI();
@@ -69,27 +65,22 @@ POSSIBILITY OF SUCH DAMAGE.
         $('[id*="saveAndReconfigureAct"]').each(function(){
             $(this).click(function(){
                 // set progress animation
-                $('[id*="saveAndReconfigureAct_progress"]').each(function(){
-                    $(this).addClass("fa fa-spinner fa-pulse");
-                });
+                $('[id*="saveAndReconfigureAct_progress"]').addClass("fa fa-spinner fa-pulse");
 
                 // extract the form id from the button id
-                var frm_id = "frm_" + $(this).attr("id").split('_')[1]
+                const frm_id = "frm_" + $(this).attr("id").split('_')[1];
 
                 // save data for this tab
-                saveFormToEndpoint(url="/api/haproxy/maintenance/set",formid=frm_id,callback_ok=function(){
+                saveFormToEndpoint("/api/haproxy/maintenance/set", frm_id, function(){
                     // Handle cron integration
-                    ajaxCall(url="/api/haproxy/maintenance/fetch_cron_integration", sendData={}, callback=function(data,status) {
+                    ajaxCall("/api/haproxy/maintenance/fetch_cron_integration", {}, function(data, status) {
                     });
 
-                    // when done, disable progress animation
-                    $('[id*="saveAndReconfigureAct_progress"]').each(function(){
-                        $(this).removeClass("fa fa-spinner fa-pulse");
-                        // reload page to show or hide links to cron edit page
-                        setTimeout(function () {
-                            window.location.reload(true)
-                        }, 300);
-                    });
+                    // when done, disable progress animation and reload to show/hide cron links
+                    $('[id*="saveAndReconfigureAct_progress"]').removeClass("fa fa-spinner fa-pulse");
+                    setTimeout(function () {
+                        window.location.reload(true);
+                    }, 300);
                 });
             });
         });
@@ -127,7 +118,7 @@ POSSIBILITY OF SUCH DAMAGE.
         }
 
         function showDiffDialog(payload) {
-            $.post('/api/haproxy/maintenance/cert_diff', payload, function(data) {
+            ajaxCall("/api/haproxy/maintenance/cert_diff", payload, function(data, status) {
                 BootstrapDialog.show({
                     type: BootstrapDialog.TYPE_INFO,
                     title: "{{ lang._('Diff between configured and active SSL certificates') }}",
@@ -143,19 +134,18 @@ POSSIBILITY OF SUCH DAMAGE.
         }
 
         function applyDiffDialog(payload, requested_count) {
-            $.post('/api/haproxy/maintenance/cert_actions', payload, function(data_actions) {
-                question = ''
-                question += `<pre>${data_actions}</pre>`;
+            ajaxCall("/api/haproxy/maintenance/cert_actions", payload, function(data_actions, status) {
+                let question = `<pre>${data_actions}</pre>`;
                 question += '<b>{{ lang._('Apply SSL certificates to HAProxy?') }}</b></br></br>';
 
                 stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                     question,
                     '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                    $.post('/api/haproxy/maintenance/cert_sync', payload, function(data) {
-                        modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
+                    ajaxCall("/api/haproxy/maintenance/cert_sync", payload, function(data, status) {
+                        const modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
 
                         if (requested_count != modified_count) {
-                            var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
+                            const error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
                             BootstrapDialog.show({
                                 type: BootstrapDialog.TYPE_DANGER,
                                 title: "{{ lang._('Error applying SSL certificates to HAProxy') }}",
@@ -174,8 +164,7 @@ POSSIBILITY OF SUCH DAMAGE.
             });
         }
 
-        $("#grid-certificates").bootgrid('destroy');
-        var grid_certificates = $("#grid-certificates").UIBootgrid({
+        const grid_certificates = $("#grid-certificates").UIBootgrid({
             search: '/api/haproxy/maintenance/search_certificate_diff',
             options: {
                 ajax: true,
@@ -188,83 +177,63 @@ POSSIBILITY OF SUCH DAMAGE.
                 },
                 formatters: {
                     "commands": function (column, row) {
-                        buttons = ""
-                        buttons += "<button type=\"button\"  data-action=\"showDiff\" title=\"{{ lang._('Show diff') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-info-circle\"></span></button>"
-                        buttons += " <button type=\"button\" data-action=\"applyDiff\" title=\"{{ lang._('Apply changes') }}\" class=\"btn btn-xs btn-default\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-refresh\"></span></button>"
+                        let buttons = "";
+                        buttons += `<button type="button" data-action="showDiff" title="{{ lang._('Show diff') }}" class="btn btn-xs btn-default" data-row-id="${row.id}"><span class="fa fa-info-circle"></span></button>`;
+                        buttons += ` <button type="button" data-action="applyDiff" title="{{ lang._('Apply changes') }}" class="btn btn-xs btn-default" data-row-id="${row.id}"><span class="fa fa-refresh"></span></button>`;
                         return buttons;
                     },
                 },
             }
         }).on("loaded.rs.jquery.bootgrid", function(){
             grid_certificates.find("*[data-action=showDiff]").off().on("click", function(e) {
-                var row_id = $(this).data("row-id");
-                var frontend_ids = row_id;
-                var payload = {
-                  'frontend_ids': frontend_ids,
-                };
-                showDiffDialog(payload);
+                const row_id = $(this).data("row-id");
+                showDiffDialog({'frontend_ids': row_id});
             });
 
             grid_certificates.find("*[data-action=applyDiff]").off().on("click", function(e) {
-                var row_id = $(this).data("row-id");
-                var rows = $("#grid-certificates").bootgrid("getCurrentRows");
-                var row =  rows.filter(function(row) {
-			return row.id == row_id;
+                const row_id = $(this).data("row-id");
+                const rows = $("#grid-certificates").bootgrid("getCurrentRows");
+                const row = rows.filter(function(r) {
+                    return r.id == row_id;
                 })[0];
-                var requested_count = row.total_count;
-                var frontend_ids = row.id
-                var payload = {
-                  'frontend_ids': frontend_ids,
-                };
-
-                applyDiffDialog(payload, requested_count);
+                applyDiffDialog({'frontend_ids': row.id}, row.total_count);
             });
 
             grid_certificates.find("*[data-action=showDiffBulk]").off().on("click", function(e) {
-                var rows = $("#grid-certificates").bootgrid("getSelectedRows");
-                var payload = {
-                  'frontend_ids': rows.join()
-                };
+                const rows = $("#grid-certificates").bootgrid("getSelectedRows");
                 if (rows != undefined && rows.length > 0) {
-                    showDiffDialog(payload);
+                    showDiffDialog({'frontend_ids': rows.join()});
                 }
             });
 
             grid_certificates.find("*[data-action=applyDiffBulk]").off().on("click", function(e) {
-                var rows = $("#grid-certificates").bootgrid("getSelectedRows");
-                var frontend_ids = rows.join();
-                var all_rows = $("#grid-certificates").bootgrid("getCurrentRows");
-                var requested_count = 0;
+                const rows = $("#grid-certificates").bootgrid("getSelectedRows");
+                const all_rows = $("#grid-certificates").bootgrid("getCurrentRows");
+                let requested_count = 0;
                 all_rows.forEach(function(row) {
                     if (rows.indexOf(row.id) != -1) {
-                        requested_count = requested_count + row.total_count;
+                        requested_count += row.total_count;
                     }
                 });
-                var payload = {
-                  'frontend_ids': frontend_ids,
-                };
                 if (rows != undefined && rows.length > 0) {
-                    applyDiffDialog(payload, requested_count);
+                    applyDiffDialog({'frontend_ids': rows.join()}, requested_count);
                 }
             });
         });
 
         // Apply all changes
         $("*[data-action=applyDiffAll]").off().on("click", function(e) {
-            $('[id*="applyDiffAll_progress"]').each(function(){
-                $(this).addClass("fa fa-spinner fa-pulse");
-            });
-            var all_rows = $("#grid-certificates").bootgrid("getCurrentRows");
-            var requested_count = 0;
+            $('[id*="applyDiffAll_progress"]').addClass("fa fa-spinner fa-pulse");
+            const all_rows = $("#grid-certificates").bootgrid("getCurrentRows");
+            let requested_count = 0;
             all_rows.forEach(function(row) {
-                requested_count = requested_count + row.total_count;
+                requested_count += row.total_count;
             });
 
-            var payload = {};
-            $.post('/api/haproxy/maintenance/cert_sync_bulk', payload, function(data) {
-                modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
+            ajaxCall("/api/haproxy/maintenance/cert_sync_bulk", {}, function(data, status) {
+                const modified_count = data.result.add_count + data.result.remove_count + data.result.update_count;
                 if (requested_count != modified_count) {
-                    var error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
+                    const error_msg = syncErrorMessage(data.result.modified, data.result.deleted);
                     BootstrapDialog.show({
                         type: BootstrapDialog.TYPE_DANGER,
                         title: "{{ lang._('Error applying SSL certificates to HAProxy') }}",
@@ -283,8 +252,7 @@ POSSIBILITY OF SUCH DAMAGE.
         });
 
         // grid-status
-        $("#grid-status").bootgrid('destroy');
-        var grid_status = $("#grid-status").UIBootgrid({
+        const grid_status = $("#grid-status").UIBootgrid({
             search: '/api/haproxy/maintenance/search_server',
             options: {
                 ajax: true,
@@ -297,11 +265,11 @@ POSSIBILITY OF SUCH DAMAGE.
                 },
                 formatters: {
                     "commands": function (column, row) {
-                        buttons = ""
-                        buttons += "<button type=\"button\"  title=\"{{ lang._('Set state to ready') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"ready\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-check\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"{{ lang._('Set state to drain') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"drain\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-sort-amount-desc\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"{{ lang._('Set state to maintenance') }}\" class=\"btn btn-xs btn-default command-set-state\" data-state=\"maint\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-wrench\"></span></button>"
-                        buttons += " <button type=\"button\" title=\"{{ lang._('Change server weight') }}\" class=\"btn btn-xs btn-default command-set-weight\" data-weight=\"" + row.weight + "\" data-row-id=\"" + row.id + "\"><span class=\"fa fa-balance-scale\"></span></button>"
+                        let buttons = "";
+                        buttons += `<button type="button" title="{{ lang._('Set state to ready') }}" class="btn btn-xs btn-default command-set-state" data-state="ready" data-row-id="${row.id}"><span class="fa fa-check"></span></button>`;
+                        buttons += ` <button type="button" title="{{ lang._('Set state to drain') }}" class="btn btn-xs btn-default command-set-state" data-state="drain" data-row-id="${row.id}"><span class="fa fa-sort-amount-desc"></span></button>`;
+                        buttons += ` <button type="button" title="{{ lang._('Set state to maintenance') }}" class="btn btn-xs btn-default command-set-state" data-state="maint" data-row-id="${row.id}"><span class="fa fa-wrench"></span></button>`;
+                        buttons += ` <button type="button" title="{{ lang._('Change server weight') }}" class="btn btn-xs btn-default command-set-weight" data-weight="${row.weight}" data-row-id="${row.id}"><span class="fa fa-balance-scale"></span></button>`;
                         return buttons;
                     },
                 },
@@ -309,24 +277,20 @@ POSSIBILITY OF SUCH DAMAGE.
         }).on("loaded.rs.jquery.bootgrid", function(){
             // set single - server state
             grid_status.find(".command-set-state").off().on("click", function(e) {
-                var uuid = $(this).data("row-id");
-                var backend = uuid.split("/")[0];
-                var server = uuid.split("/")[1];
-                var state = $(this).data("state");
-                var payload = {
-                  'backend': backend,
-                  'server': server,
-                  'state': state
-                };
-
-                question = '<b>{{ lang._('Server: ') }}' + uuid + '</b></br>';
-                question += '<b>{{ lang._('State: ') }}' + state + '</b></br></br>';
+                const uuid = $(this).data("row-id");
+                const backend = uuid.split("/")[0];
+                const server = uuid.split("/")[1];
+                const state = $(this).data("state");
+                const payload = {'backend': backend, 'server': server, 'state': state};
+
+                let question = `<b>{{ lang._('Server: ') }}${uuid}</b></br>`;
+                question += `<b>{{ lang._('State: ') }}${state}</b></br></br>`;
                 question += '{{ lang._('Set administrative state for this server?') }} </br></br>';
 
                 stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                     question,
                     '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                        $.post('/api/haproxy/maintenance/server_state', payload, function(data) {
+                        ajaxCall("/api/haproxy/maintenance/server_state", payload, function(data, status) {
                             if (data.status != 'ok') {
                                 BootstrapDialog.show({
                                     type: BootstrapDialog.TYPE_DANGER,
@@ -348,15 +312,15 @@ POSSIBILITY OF SUCH DAMAGE.
 
             // set single - server weight
             grid_status.find(".command-set-weight").off().on("click", function(e) {
-                var uuid = $(this).data("row-id");
-                var backend = uuid.split("/")[0];
-                var server = uuid.split("/")[1];
-                var currentWeight = $(this).data("weight");
+                const uuid = $(this).data("row-id");
+                const backend = uuid.split("/")[0];
+                const server = uuid.split("/")[1];
+                const currentWeight = $(this).data("weight");
 
-                question = '<b>{{ lang._('Server: ') }}' + uuid + '</b></br></br>';
+                let question = `<b>{{ lang._('Server: ') }}${uuid}</b></br></br>`;
                 question += '<b>{{ lang._('Weight: ') }}</b>';
                 question += '<div class="form-group" style="display: block;">';
-                question += '<input class="form-control" id="newWeight" value="' + currentWeight  + '" type="text"/>';
+                question += `<input class="form-control" id="newWeight" value="${currentWeight}" type="text"/>`;
                 question += '</div>';
                 question += '{{ lang._('Set weight for this server?') }} </br></br>';
 
@@ -364,13 +328,13 @@ POSSIBILITY OF SUCH DAMAGE.
                     question,
                     '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
 
-                    var payload = {
-                      'backend': backend,
-                      'server': server,
-                      'weight': $("#newWeight").val()
+                    const payload = {
+                        'backend': backend,
+                        'server': server,
+                        'weight': $("#newWeight").val()
                     };
 
-                    $.post('/api/haproxy/maintenance/server_weight', payload, function(data) {
+                    ajaxCall("/api/haproxy/maintenance/server_weight", payload, function(data, status) {
                         if (data.status != 'ok') {
                             BootstrapDialog.show({
                                 type: BootstrapDialog.TYPE_DANGER,
@@ -392,28 +356,23 @@ POSSIBILITY OF SUCH DAMAGE.
 
             // set bulk - server state
             grid_status.find("*[data-action=setStateBulk]").off().on("click", function(e) {
-                var rows = $("#grid-status").bootgrid("getSelectedRows");
-                var server_ids = rows.join()
-                var state = $(this).data("state");
-                var payload = {
-                  'server_ids': server_ids,
-                  'state': state
-                };
+                const rows = $("#grid-status").bootgrid("getSelectedRows");
+                const state = $(this).data("state");
+                const payload = {'server_ids': rows.join(), 'state': state};
 
                 if (rows != undefined && rows.length > 0) {
-                    question = '<b>{{ lang._('Selected server: ') }}</b></br>';
-                    question += '<ul>';
-                    $.each(rows, function(key, id){
-                        question += '<li>' + id + '</li>';
+                    let question = '<b>{{ lang._('Selected server: ') }}</b></br><ul>';
+                    rows.forEach(function(id) {
+                        question += `<li>${id}</li>`;
                     });
                     question += '</ul>';
-                    question += '<b>{{ lang._('State: ') }}' + state + '</b></br></br>';
+                    question += `<b>{{ lang._('State: ') }}${state}</b></br></br>`;
                     question += '{{ lang._('Set administrative state for all selected servers?') }} </br></br>';
 
                     stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                         question,
                         '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                            $.post('/api/haproxy/maintenance/server_state_bulk', payload, function(data) {
+                            ajaxCall("/api/haproxy/maintenance/server_state_bulk", payload, function(data, status) {
                                 if (data.status != 'ok') {
                                     BootstrapDialog.show({
                                         type: BootstrapDialog.TYPE_DANGER,
@@ -439,14 +398,13 @@ POSSIBILITY OF SUCH DAMAGE.
 
             // set bulk - server weight
             grid_status.find("*[data-action=setWeightBulk]").off().on("click", function(e) {
-                var rows = $("#grid-status").bootgrid("getSelectedRows");
-                var server_ids = rows.join()
+                const rows = $("#grid-status").bootgrid("getSelectedRows");
+                const server_ids = rows.join();
 
                 if (rows != undefined && rows.length > 0) {
-                    question = '<b>{{ lang._('Selected server: ') }}</b></br>';
-                    question += '<ul>';
-                    $.each(rows, function(key, id){
-                        question += '<li>' + id + '</li>';
+                    let question = '<b>{{ lang._('Selected server: ') }}</b></br><ul>';
+                    rows.forEach(function(id) {
+                        question += `<li>${id}</li>`;
                     });
                     question += '</ul>';
                     question += '<b>{{ lang._('Weight: ') }}</b>';
@@ -458,12 +416,12 @@ POSSIBILITY OF SUCH DAMAGE.
                     stdDialogConfirm('{{ lang._('Confirmation Required') }}',
                         question,
                         '{{ lang._('Yes') }}', '{{ lang._('Cancel') }}', function() {
-                            var payload = {
-                              'server_ids': server_ids,
-                              'weight': $("#newBulkWeight").val()
+                            const payload = {
+                                'server_ids': server_ids,
+                                'weight': $("#newBulkWeight").val()
                             };
 
-                            $.post('/api/haproxy/maintenance/server_weight_bulk', payload, function(data) {
+                            ajaxCall("/api/haproxy/maintenance/server_weight_bulk", payload, function(data, status) {
                                 if (data.status != 'ok') {
                                     BootstrapDialog.show({
                                         type: BootstrapDialog.TYPE_DANGER,
@@ -475,7 +433,6 @@ POSSIBILITY OF SUCH DAMAGE.
                                               dialog.close();
                                               // reload - because some are successfully executed
                                               $("#grid-status").bootgrid("reload");
-
                                             }
                                         }]
                                     });
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/statistics.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/statistics.volt
index 1f2c4085dd..f365f0f76e 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/statistics.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/statistics.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2016 Frank Wall
+Copyright (C) 2016-2026 Frank Wall
 OPNsense® is Copyright © 2014 – 2016 by Deciso B.V.
 All rights reserved.
 
@@ -29,7 +29,9 @@ POSSIBILITY OF SUCH DAMAGE.
 
 <script>
     $( document ).ready(function() {
-        var gridopt = {
+        'use strict';
+
+        const gridopt = {
             ajax: false,
             selection: false,
             multiSelect: false
@@ -37,118 +39,96 @@ POSSIBILITY OF SUCH DAMAGE.
         $("#grid-status").bootgrid('destroy');
         $("#grid-status").bootgrid(gridopt);
 
+        // build table rows safely from key/value data
+        function buildInfoRows(data) {
+            return Object.entries(data).map(function([key, value]) {
+                return $("<tr/>").append(
+                    $("<td/>").text(key),
+                    $("<td/>").text(value)
+                );
+            });
+        }
+
+        // build table rows from an array of objects using a field list
+        function buildGridRows(data, fields) {
+            return Object.values(data).map(function(value) {
+                const $tr = $("<tr/>");
+                fields.forEach(function(field) {
+                    $("<td/>").text(value[field] != null ? value[field] : '').appendTo($tr);
+                });
+                return $tr;
+            });
+        }
+
         // update info
         $("#update-info").click(function() {
             $('#processing-dialog').modal('show');
-            $('#updatelist').empty();
-            ajaxGet(url = "/api/haproxy/statistics/info/", sendData={},
-                    callback = function (data, status) {
-                        $("#infolist > tbody").empty();
-                        $("#infolist > thead").hide();
-                        if (status == "success") {
-                            $("#infolist > thead").show();
-                            $.each(data, function (key, value) {
-                                $('#infolist > tbody').append('<tr><td>'+key+'</td>' +
-                                "<td>"+value+"</td></tr>");
-                            });
-                        } else {
-                            $("#infolist > tbody").append("<tr><td colspan=2 style='text-align:center;'><br/>{{ lang._('The statistics could not be fetched. Is HAProxy running?') }}<br/><br/></td></tr>");
-                        }
-                        $('#processing-dialog').modal('hide');
+            ajaxGet("/api/haproxy/statistics/info/", {},
+                function (data, status) {
+                    $("#infolist > tbody").empty();
+                    $("#infolist > thead").hide();
+                    if (status == "success") {
+                        $("#infolist > thead").show();
+                        $("#infolist > tbody").append(buildInfoRows(data));
+                    } else {
+                        $("<tr/>").append(
+                            $("<td/>").attr("colspan", 2).css("text-align", "center")
+                                .html("<br/>{{ lang._('The statistics could not be fetched. Is HAProxy running?') }}<br/><br/>")
+                        ).appendTo("#infolist > tbody");
                     }
+                    $('#processing-dialog').modal('hide');
+                }
             );
         });
 
         // update status
         $("#update-status").click(function() {
             $('#processing-dialog').modal('show');
-            ajaxGet(url = "/api/haproxy/statistics/counters/", sendData={},
-                    callback = function (data, status) {
-                        if (status == "success") {
-                            // status
-                            $("#status_nav").show();
-                            $("#grid-status").bootgrid('destroy');
-                            var html = [];
-                            $.each(data, function (key, value) {
-                                var fields = ["id", "pxname", "svname", "status", "lastchg", "weight", "act", "downtime"];
-                                tr_str = '<tr>';
-                                for (var i = 0; i < fields.length; i++) {
-                                    if (value[fields[i]] != null) {
-                                        tr_str += '<td>' + value[fields[i]] + '</td>';
-                                    } else {
-                                        tr_str += '<td></td>';
-                                    }
-                                }
-                                tr_str += '</tr>';
-                                html.push(tr_str);
-                            });
-                            $("#grid-status > tbody").html(html.join(''));
-                            $("#grid-status").bootgrid(gridopt);
-                        }
-                        $('#processing-dialog').modal('hide');
+            ajaxGet("/api/haproxy/statistics/counters/", {},
+                function (data, status) {
+                    if (status == "success") {
+                        const fields = ["id", "pxname", "svname", "status", "lastchg", "weight", "act", "downtime"];
+                        $("#status_nav").show();
+                        $("#grid-status").bootgrid('destroy');
+                        $("#grid-status > tbody").empty().append(buildGridRows(data, fields));
+                        $("#grid-status").bootgrid(gridopt);
                     }
+                    $('#processing-dialog').modal('hide');
+                }
             );
         });
 
         // update counters
         $("#update-counters").click(function() {
             $('#processing-dialog').modal('show');
-            ajaxGet(url = "/api/haproxy/statistics/counters/", sendData={},
-                    callback = function (data, status) {
-                        if (status == "success") {
-                            // counters
-                            $("#counters_nav").show();
-                            $("#grid-counters").bootgrid('destroy');
-                            var html = [];
-                            $.each(data, function (key, value) {
-                                var fields = ["id", "pxname", "svname", "qcur", "qmax", "qlimit", "rate", "rate_max", "rate_lim", "scur", "smax", "slim", "stot", "bin", "bout", "dreq", "dresp", "ereq", "econ", "eresp", "wretr", "wredis"];
-                                tr_str = '<tr>';
-                                for (var i = 0; i < fields.length; i++) {
-                                    if (value[fields[i]] != null) {
-                                        tr_str += '<td>' + value[fields[i]] + '</td>';
-                                    } else {
-                                        tr_str += '<td></td>';
-                                    }
-                                }
-                                tr_str += '</tr>';
-                                html.push(tr_str);
-                            });
-                            $("#grid-counters> tbody").html(html.join(''));
-                            $("#grid-counters").bootgrid(gridopt);
-                        }
-                        $('#processing-dialog').modal('hide');
+            ajaxGet("/api/haproxy/statistics/counters/", {},
+                function (data, status) {
+                    if (status == "success") {
+                        const fields = ["id", "pxname", "svname", "qcur", "qmax", "qlimit", "rate", "rate_max", "rate_lim", "scur", "smax", "slim", "stot", "bin", "bout", "dreq", "dresp", "ereq", "econ", "eresp", "wretr", "wredis"];
+                        $("#counters_nav").show();
+                        $("#grid-counters").bootgrid('destroy');
+                        $("#grid-counters > tbody").empty().append(buildGridRows(data, fields));
+                        $("#grid-counters").bootgrid(gridopt);
                     }
+                    $('#processing-dialog').modal('hide');
+                }
             );
         });
 
         // update tables
         $("#update-tables").click(function() {
             $('#processing-dialog').modal('show');
-            ajaxGet(url = "/api/haproxy/statistics/tables/", sendData={},
-                    callback = function (data, status) {
-                        if (status == "success") {
-                            // tables
-                            $("#tables_nav").show();
-                            $("#grid-tables").bootgrid('destroy');
-                            var html = [];
-                            $.each(data, function (key, value) {
-                                var fields = ["table", "type", "size", "used"];
-                                tr_str = '<tr>';
-                                for (var i = 0; i < fields.length; i++) {
-                                    if (value[fields[i]] != null) {
-                                        tr_str += '<td>' + value[fields[i]] + '</td>';
-                                    } else {
-                                        tr_str += '<td></td>';
-                                    }
-                                }
-                                tr_str += '</tr>';
-                                html.push(tr_str);
-                            });
-                            $("#grid-tables> tbody").html(html.join(''));
-                            $("#grid-tables").bootgrid(gridopt);
-                        }
-                        $('#processing-dialog').modal('hide');
+            ajaxGet("/api/haproxy/statistics/tables/", {},
+                function (data, status) {
+                    if (status == "success") {
+                        const fields = ["table", "type", "size", "used"];
+                        $("#tables_nav").show();
+                        $("#grid-tables").bootgrid('destroy');
+                        $("#grid-tables > tbody").empty().append(buildGridRows(data, fields));
+                        $("#grid-tables").bootgrid(gridopt);
                     }
+                    $('#processing-dialog').modal('hide');
+                }
             );
         });
 

From c8c74362e1118b8ffa7e11908a0f933cfb30dd56 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 27 Feb 2026 07:58:29 +0100
Subject: [PATCH 3008/3088] www/caddy: Add Layer 4 upstream originate TLS
 feature (#5263)

* www/caddy: Add Layer 4 upstream originate TLS feature, which can connect to an upstream via TLS after TLS has been terminated

* Add a proper validation for OriginateTls and modernize validation logic with framework cast helpers
---
 .../OPNsense/Caddy/forms/dialogLayer4.xml     | 10 +++
 .../mvc/app/models/OPNsense/Caddy/Caddy.php   | 85 ++++++++++---------
 .../mvc/app/models/OPNsense/Caddy/Caddy.xml   |  6 ++
 .../views/OPNsense/Caddy/reverse_proxy.volt   |  7 +-
 .../templates/OPNsense/Caddy/includeLayer4    | 36 ++++----
 5 files changed, 88 insertions(+), 56 deletions(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
index c52b8681da..f4836a48e7 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogLayer4.xml
@@ -140,6 +140,16 @@
             <visible>false</visible>
         </grid_view>
     </field>
+    <field>
+        <id>layer4.OriginateTls</id>
+        <label>Originate TLS</label>
+        <type>dropdown</type>
+        <style>selectpicker style_terminate_tls</style>
+        <help>Setting this option will establish a new TLS connection to the upstream after it has been terminated.</help>
+        <grid_view>
+            <visible>false</visible>
+        </grid_view>
+    </field>
     <field>
         <id>layer4.ProxyProtocol</id>
         <label>Proxy Protocol</label>
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 2be38c8bb6..11ed8143d5 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -42,8 +42,8 @@ private function checkForUniquePortCombos($messages)
         $combos = [];
         foreach ($this->reverseproxy->reverse->iterateItems() as $item) {
             $key = $item->__reference;
-            $fromDomain = (string) $item->FromDomain;
-            $fromPort = (string) $item->FromPort;
+            $fromDomain = $item->FromDomain->getValue();
+            $fromPort = $item->FromPort->getValue();
 
             if ($fromPort === '') {
                 $defaultPorts = ['80', '443'];
@@ -78,11 +78,11 @@ private function checkDisableTlsConflicts($messages)
     {
         foreach ($this->reverseproxy->reverse->iterateItems() as $item) {
             if ($item->isFieldChanged()) {
-                if ((string) $item->DisableTls === '1') {
+                if ($item->DisableTls->isEqual('1')) {
                     $conflictChecks = [
-                        'DnsChallenge' => (string) $item->DnsChallenge === '1',
-                        'AcmePassthrough' => !empty((string) $item->AcmePassthrough),
-                        'CustomCertificate' => !empty((string) $item->CustomCertificate)
+                        'DnsChallenge' => $item->DnsChallenge->isEqual('1'),
+                        'AcmePassthrough' => !$item->AcmePassthrough->isEmpty(),
+                        'CustomCertificate' => !$item->CustomCertificate->isEmpty()
                     ];
 
                     $conflictFields = array_keys(array_filter($conflictChecks));
@@ -110,9 +110,9 @@ private function checkDisableTlsConflicts($messages)
      */
     private function checkSuperuserPorts($messages)
     {
-        if ((string)$this->general->DisableSuperuser === '1') {
-            $httpPort = !empty((string)$this->general->HttpPort) ? (string)$this->general->HttpPort : 80;
-            $httpsPort = !empty((string)$this->general->HttpsPort) ? (string)$this->general->HttpsPort : 443;
+        if ($this->general->DisableSuperuser->isEqual('1')) {
+            $httpPort = !$this->general->HttpPort->isEmpty() ? $this->general->HttpPort->asInt() : 80;
+            $httpsPort = !$this->general->HttpsPort->isEmpty() ? $this->general->HttpsPort->asInt() : 443;
 
             // Check default HTTP port
             if ($httpPort < 1024) {
@@ -136,7 +136,7 @@ private function checkSuperuserPorts($messages)
 
             // Check ports under domain configurations
             foreach ($this->reverseproxy->reverse->iterateItems() as $item) {
-                $fromPort = !empty((string)$item->FromPort) ? (string)$item->FromPort : null;
+                $fromPort = !$item->FromPort->isEmpty() ? $item->FromPort->asInt() : null;
 
                 if ($fromPort !== null && $fromPort < 1024) {
                     $messages->appendMessage(new Message(
@@ -155,7 +155,7 @@ private function checkSuperuserPorts($messages)
             }
 
             foreach ($this->reverseproxy->layer4->iterateItems() as $item) {
-                $fromPort = !empty((string)$item->FromPort) ? (string)$item->FromPort : null;
+                $fromPort = !$item->FromPort->isEmpty() ? $item->FromPort->asInt() : null;
 
                 if ($fromPort !== null && $fromPort < 1024) {
                     $messages->appendMessage(new Message(
@@ -177,27 +177,27 @@ private function checkSuperuserPorts($messages)
 
     private function checkLayer4Matchers($messages)
     {
-        foreach ($this->reverseproxy->layer4->iterateItems() as $item) {
-            if ($item->isFieldChanged()) {
-                $key = $item->__reference;
+        foreach ($this->reverseproxy->layer4->iterateItems() as $layer4) {
+            if ($layer4->isFieldChanged()) {
+                $key = $layer4->__reference;
                 if (
-                    in_array((string)$item->Matchers, ['httphost', 'tlssni', 'quicsni']) &&
-                    empty((string)$item->FromDomain)
+                    in_array($layer4->Matchers->getValue(), ['httphost', 'tlssni', 'quicsni']) &&
+                    $layer4->FromDomain->isEmpty()
                 ) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
                                 'When "%s" matcher is selected, domain is required.'
                             ),
-                            $item->Matchers
+                            $layer4->Matchers->getValue()
                         ),
                         $key . ".FromDomain"
                     ));
                 } elseif (
-                        !in_array((string)$item->Matchers, ['httphost', 'tlssni', 'quicsni']) &&
+                        !in_array($layer4->Matchers->getValue(), ['httphost', 'tlssni', 'quicsni']) &&
                         (
-                            !empty((string)$item->FromDomain) &&
-                            (string)$item->FromDomain != '*'
+                            !$layer4->FromDomain->isEmpty() &&
+                            !$layer4->FromDomain->isEqual('*')
                         )
                 ) {
                     $messages->appendMessage(new Message(
@@ -205,96 +205,101 @@ private function checkLayer4Matchers($messages)
                             gettext(
                                 'When "%s" matcher is selected, domain must be empty or *.'
                             ),
-                            $item->Matchers
+                            $layer4->Matchers->getValue()
                         ),
                         $key . ".FromDomain"
                     ));
                 }
 
-                if (!in_array((string)$item->Matchers, ['tlssni', 'quicsni']) && !empty((string)$item->TerminateTls)) {
+                if (!in_array($layer4->Matchers->getValue(), ['tlssni', 'quicsni']) && !$layer4->TerminateTls->isEmpty()) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
                                 'When "%s" matcher is selected, TLS can not be terminated.'
                             ),
-                            $item->Matchers
+                            $layer4->Matchers->getValue()
                         ),
                         $key . ".TerminateTls"
                     ));
                 }
 
-                if ((string)$item->Matchers !== 'openvpn' && !empty((string)$item->FromOpenvpnModes)) {
+                if ($layer4->TerminateTls->isEmpty() && !$layer4->OriginateTls->isEmpty()) {
+                    $messages->appendMessage(new Message(
+                        gettext(
+                            'This field cannot be selected without terminating TLS.'
+                        ),
+                        $key . ".OriginateTls"
+                    ));
+                }
+
+                if (!$layer4->Matchers->isEqual('openvpn') && !$layer4->FromOpenvpnModes->isEmpty()) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
                                 'When "%s" matcher is selected, field must be empty.'
                             ),
-                            $item->Matchers
+                            $layer4->Matchers->getValue()
                         ),
                         $key . ".FromOpenvpnModes"
                     ));
                 }
 
-                if ((string)$item->Matchers !== 'openvpn' && !empty((string)$item->FromOpenvpnStaticKey)) {
+                if (!$layer4->Matchers->isEqual('openvpn') && !$layer4->FromOpenvpnStaticKey->isEmpty()) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
                                 'When "%s" matcher is selected, field must be empty.'
                             ),
-                            $item->Matchers
+                            $layer4->Matchers->getValue()
                         ),
                         $key . ".FromOpenvpnStaticKey"
                     ));
                 }
 
-                if ((string)$item->Type === 'global' && empty((string)$item->FromPort)) {
+                if ($layer4->Type->isEqual('global') && $layer4->FromPort->isEmpty()) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
                                 'When routing type is "%s", port is required.'
                             ),
-                            $item->Type
+                            $layer4->Type->getValue()
                         ),
                         $key . ".FromPort"
                     ));
-                } elseif ((string)$item->Type !== 'global' && !empty((string)$item->FromPort)) {
+                } elseif (!$layer4->Type->isEqual('global') && !$layer4->FromPort->isEmpty()) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
                                 'When routing type is "%s", port must be empty.'
                             ),
-                            $item->Type
+                            $layer4->Type->getValue()
                         ),
                         $key . ".FromPort"
                     ));
                 }
 
-                if ((string)$item->Type !== 'global' && ((string)$item->Protocol !== 'tcp')) {
+                if (!$layer4->Type->isEqual('global') && !$layer4->Protocol->isEqual('tcp')) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
                                 'When routing type is "%s", protocol must be TCP.'
                             ),
-                            $item->Type
+                            $layer4->Type->getValue()
                         ),
                         $key . ".Protocol"
                     ));
                 }
 
                 if (
-                    (string)$item->Type !== 'global' &&
-                    (
-                        (string)$item->Matchers == 'tls' ||
-                        (string)$item->Matchers == 'http' ||
-                        (string)$item->Matchers == 'quic'
-                    )
+                    !$layer4->Type->isEqual('global') &&
+                    in_array($layer4->Matchers->getValue(), ['tls', 'http', 'quic'])
                 ) {
                     $messages->appendMessage(new Message(
                         sprintf(
                             gettext(
                                 'When routing type is "%s", matchers "HTTP", "TLS" or "QUIC" cannot be chosen.'
                             ),
-                            $item->Type
+                            $layer4->Type->getValue()
                         ),
                         $key . ".Matchers"
                     ));
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index affa2bf8a6..b93b64b94c 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -652,6 +652,12 @@
                 <ToPort type="PortField">
                     <Required>Y</Required>
                 </ToPort>
+                <OriginateTls type="OptionField">
+                    <OptionValues>
+                        <tls>TLS (Verify certificate)</tls>
+                        <tls_insecure_skip_verify>TLS (Skip verification)</tls_insecure_skip_verify>
+                    </OptionValues>
+                </OriginateTls>
                 <ProxyProtocol type="OptionField">
                     <BlankDesc>Off (default)</BlankDesc>
                     <OptionValues>
diff --git a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
index d2dbff9096..46cad6bd96 100644
--- a/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
+++ b/www/caddy/src/opnsense/mvc/app/views/OPNsense/Caddy/reverse_proxy.volt
@@ -283,12 +283,13 @@
 
 {% endif %}
 
-        $("#handle\\.HttpTls, #handle\\.HandleDirective, #reverse\\.DisableTls, #layer4\\.Matchers, #layer4\\.Type").on("keyup change", function () {
+        $("#handle\\.HttpTls, #handle\\.HandleDirective, #reverse\\.DisableTls, #layer4\\.Matchers, #layer4\\.Type, #layer4\\.TerminateTls").on("keyup change", function () {
             const http_tls = String($("#handle\\.HttpTls").val() || "")
             const handle_directive = String($("#handle\\.HandleDirective").val() || "")
             const disable_tls = String($("#reverse\\.DisableTls").val() || "")
             const layer4_matchers = String($("#layer4\\.Matchers").val() || "")
             const layer4_type = String($("#layer4\\.Type").val() || "")
+            const layer4_terminate_tls = $("#layer4\\.TerminateTls").is(":checked");
 
             const styleVisibility = [
                 {
@@ -315,6 +316,10 @@
                     class: "style_type",
                     visible: layer4_type === "global"
                 },
+                {
+                    class: "style_terminate_tls",
+                    visible: layer4_terminate_tls
+                },
             ];
 
             styleVisibility.forEach(style => {
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index 53b04b1a9b..4ee95e425f 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -26,22 +26,28 @@
     {% if layer4.TerminateTls|default("0") == "1" %}
     tls
     {% endif %}
-    proxy {% for domain in layer4.ToDomain.split(',') %}
+    proxy {
+        {% for domain in layer4.ToDomain.split(',') %}
         {% set is_ipv6 = (':' in domain) %}
-        {{ layer4.Protocol }}/{{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ layer4.ToPort }}{% if not loop.last %} {% endif %}
-    {% endfor %} {
-    {% if layer4.lb_policy|default("") %}
-        lb_policy {{ layer4.lb_policy }}
-    {% endif %}
-    {% if layer4.PassiveHealthFailDuration|default("") %}
-        fail_duration {{ layer4.PassiveHealthFailDuration }}s
-    {% endif %}
-    {% if layer4.PassiveHealthMaxFails|default("") %}
-        max_fails {{ layer4.PassiveHealthMaxFails }}
-    {% endif %}
-    {% if layer4.ProxyProtocol %}
-        proxy_protocol {{ layer4.ProxyProtocol }}
-    {% endif %}
+        upstream {{ layer4.Protocol }}/{{ '[' if is_ipv6 }}{{ domain }}{{ ']' if is_ipv6 }}:{{ layer4.ToPort }} {
+            {% if layer4.OriginateTls %}
+                {{ layer4.OriginateTls }}
+            {% endif %}
+        }
+        {% endfor %}
+
+        {% if layer4.lb_policy|default("") %}
+            lb_policy {{ layer4.lb_policy }}
+        {% endif %}
+        {% if layer4.PassiveHealthFailDuration|default("") %}
+            fail_duration {{ layer4.PassiveHealthFailDuration }}s
+        {% endif %}
+        {% if layer4.PassiveHealthMaxFails|default("") %}
+            max_fails {{ layer4.PassiveHealthMaxFails }}
+        {% endif %}
+        {% if layer4.ProxyProtocol %}
+            proxy_protocol {{ layer4.ProxyProtocol }}
+        {% endif %}
     }
 {% endmacro %}
 

From 26d0718448d81e64c56192681098812ce2a59035 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 27 Feb 2026 13:40:22 +0100
Subject: [PATCH 3009/3088] www/caddy: Simplify reload command (#5267)

---
 .../src/opnsense/service/conf/actions.d/actions_caddy.conf      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
index a91afe9d45..7d81c496fc 100644
--- a/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
+++ b/www/caddy/src/opnsense/service/conf/actions.d/actions_caddy.conf
@@ -18,7 +18,7 @@ message:Restarting Caddy service
 description:Restart Caddy service
 
 [reload]
-command:/bin/sh -c '/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh && /usr/sbin/service caddy reloadssl'
+command:/usr/local/opnsense/scripts/OPNsense/Caddy/setup.sh; service caddy reloadssl
 parameters:
 type:script
 message:Reloading Caddy service

From f9fb06e3f635f5c409671afafaeea0866ea45f28 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Feb 2026 14:38:01 +0100
Subject: [PATCH 3010/3088] net/isc-dhcp: add pluggable neighbor file here

---
 .../OPNsense/Interfaces/Neighbor/dhcpd.php    | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/Interfaces/Neighbor/dhcpd.php

diff --git a/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/Interfaces/Neighbor/dhcpd.php b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/Interfaces/Neighbor/dhcpd.php
new file mode 100644
index 0000000000..7b80084c1e
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/Interfaces/Neighbor/dhcpd.php
@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Interfaces\Neighbor;
+
+use OPNsense\Core\Config;
+
+class dhcpd
+{
+    public function collect()
+    {
+        $result = [];
+        $intfmap = [];
+        $config = Config::getInstance()->object();
+        if ($config->dhcpd->count() > 0) {
+            foreach ($config->dhcpd->children() as $intf => $node) {
+                foreach ($node->children() as $key => $data) {
+                    if ($key == 'staticmap') {
+                        if (!empty($data->arp_table_static_entry) || !empty($node->staticarp)) {
+                            $result[] = [
+                                'etheraddr' => (string)$data->mac,
+                                'ipaddress' => (string)$data->ipaddr,
+                                'descr' => (string)$data->descr,
+                                'source' => sprintf('dhcpd-%s', $intf)
+                            ];
+                        }
+                    }
+                }
+            }
+        }
+        return $result;
+    }
+}

From daff8c450a5c9d3584b68d57747ad5fa4aadbd20 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 27 Feb 2026 14:52:59 +0100
Subject: [PATCH 3011/3088] www/caddy: Use BaseField cast helpers in
 certificate extraction script (#5268)

---
 .../scripts/OPNsense/Caddy/caddy_certs.php    | 65 ++++++++-----------
 1 file changed, 27 insertions(+), 38 deletions(-)

diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index bcf424ece4..3227752632 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -2,7 +2,7 @@
 <?php
 
 /*
- *    Copyright (C) 2024 Cedrik Pischem
+ *    Copyright (C) 2024-2026 Cedrik Pischem
  *    All rights reserved.
  *
  *    Redistribution and use in source and binary forms, with or without
@@ -49,24 +49,25 @@
 // leaf certificate chain
 $certificateRefs = [];
 
-foreach ((new Caddy())->reverseproxy->reverse->iterateItems() as $reverseItem) {
-    $certRef = (string)$reverseItem->CustomCertificate;
-    if (!empty($certRef)) {
-        $certificateRefs[] = $certRef;
+$caddyMdl = new Caddy();
+
+foreach ($caddyMdl->reverseproxy->reverse->iterateItems() as $reverseItem) {
+    if (!$reverseItem->CustomCertificate->isEmpty()) {
+        $certificateRefs[] = $reverseItem->CustomCertificate->getValue();
     }
 }
 
 $certificateRefs = array_unique($certificateRefs);
 
 foreach ((new Cert())->cert->iterateItems() as $cert) {
-    $refid = (string)$cert->refid;
+    $refid = $cert->refid->getValue();
 
     if (in_array($refid, $certificateRefs, true)) {
-        $certChain = base64_decode((string)$cert->crt);
-        $certKey = base64_decode((string)$cert->prv);
+        $certChain = base64_decode($cert->crt->getValue());
+        $certKey = base64_decode($cert->prv->getValue());
 
-        if (!empty((string)$cert->caref)) {
-            $ca = CertStore::getCaChain((string)$cert->caref);
+        if (!$cert->caref->isEmpty()) {
+            $ca = CertStore::getCaChain($cert->caref->getValue());
             if ($ca) {
                 $certChain .= "\n" . $ca;
             }
@@ -80,36 +81,24 @@
 // ca certificate
 $caCertRefs = [];
 
-foreach ((new Caddy())->reverseproxy->handle->iterateItems() as $handleItem) {
-    $caCertField = (string)$handleItem->HttpTlsTrustedCaCerts;
-
-    if (!empty($caCertField)) {
-        $caCertRefs[] = $caCertField;
+foreach ($caddyMdl->reverseproxy->handle->iterateItems() as $handleItem) {
+    if (!$handleItem->HttpTlsTrustedCaCerts->isEmpty()) {
+        $caCertRefs[] = $handleItem->HttpTlsTrustedCaCerts->getValue();
     }
 }
 
-foreach ((new Caddy())->reverseproxy->reverse->iterateItems() as $reverseItem) {
-    $caCertField = (string)$reverseItem->ClientAuthTrustPool;
-
-    if (!empty($caCertField)) {
-        $refs = array_map('trim', explode(',', $caCertField));
-        foreach ($refs as $ref) {
-            if (!empty($ref)) {
-                $caCertRefs[] = $ref;
-            }
+foreach ($caddyMdl->reverseproxy->reverse->iterateItems() as $reverseItem) {
+    foreach (explode(',', $reverseItem->ClientAuthTrustPool->getValue()) as $ref) {
+        if (!empty($ref)) {
+            $caCertRefs[] = $ref;
         }
     }
 }
 
-foreach ((new Caddy())->reverseproxy->subdomain->iterateItems() as $subdomainItem) {
-    $caCertField = (string)$subdomainItem->ClientAuthTrustPool;
-
-    if (!empty($caCertField)) {
-        $refs = array_map('trim', explode(',', $caCertField));
-        foreach ($refs as $ref) {
-            if (!empty($ref)) {
-                $caCertRefs[] = $ref;
-            }
+foreach ($caddyMdl->reverseproxy->subdomain->iterateItems() as $subdomainItem) {
+    foreach (explode(',', $subdomainItem->ClientAuthTrustPool->getValue()) as $ref) {
+        if (!empty($ref)) {
+            $caCertRefs[] = $ref;
         }
     }
 }
@@ -117,17 +106,17 @@
 $caCertRefs = array_unique($caCertRefs);
 
 foreach ((new Ca())->ca->iterateItems() as $caItem) {
-    $refid = (string)$caItem->refid;
+    $refid = $caItem->refid->getValue();
     if (in_array($refid, $caCertRefs, true)) {
-        $caCert = base64_decode((string)$caItem->crt);
+        $caCert = base64_decode($caItem->crt->getValue());
         $writeFileIfChanged($tempDir . $refid . '.pem', $caCert);
     }
 }
 
 // openvpn static keys
-foreach ((new Caddy())->reverseproxy->layer4openvpn->iterateItems() as $openvpnItem) {
+foreach ($caddyMdl->reverseproxy->layer4openvpn->iterateItems() as $openvpnItem) {
     $writeFileIfChanged(
-        $tempDir . (string)$openvpnItem->getAttributes()['uuid'] . '.key',
-        (string)$openvpnItem->StaticKey
+        $tempDir . $openvpnItem->getAttributes()['uuid'] . '.key',
+        $openvpnItem->StaticKey->getValue()
     );
 }

From e6ed91077c0b4ab9581d9c23830eee1a2c9f9ca3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Feb 2026 15:12:09 +0100
Subject: [PATCH 3012/3088] www/caddy: style

---
 .../mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
index 6ea5161520..51bfb12a05 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/Api/ServiceController.php
@@ -46,5 +46,4 @@ protected function reconfigureForceRestart()
         // Caddy can use a reload action instead
         return 0;
     }
-
 }

From 542c5e8be8685709139ac2e7cb8a96bb1200662d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Feb 2026 15:13:49 +0100
Subject: [PATCH 3013/3088] security/q-feeds-connector: style

---
 security/q-feeds-connector/pkg-descr | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 35f7033018..87d1455830 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -10,7 +10,6 @@ Plugin Changelog
 * Feature: Add NXDOMAIN option for unbound
 * Feature: Add dest address for unbound
 
-
 1.4
 
 * Feature: Added DNSCrypt-Proxy integration

From 4f7655a0ae15097915de070d6a6d275f46153060 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 27 Feb 2026 15:21:56 +0100
Subject: [PATCH 3014/3088] Contributing: Add plugin pull-request template
 (#5269)

---
 .github/pull_request_template.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/pull_request_template.md

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000000..6cafeef0e0
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,28 @@
+**Important notices**
+Before you submit a pull request, we ask you kindly to acknowledge the following:
+
+- [ ] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
+- [ ] I opened an issue first for non-trivial changes and linked it below.
+- [ ] AI tools were used to create at least part of the code submitted herewith.
+
+If AI was used, please disclose:
+
+- Model used:
+- Extent of AI involvement:
+
+---
+
+**Related issue**
+If this pull request relates to an issue, link it here:
+
+---
+
+**Describe the problem**
+A clear and concise description of the problem this pull request addresses.
+
+---
+
+**Describe the proposed solution**
+Explain what this pull request changes and why.
+
+---

From 1e2acfdd69544e95f6a0bdf4a731c2bbfb53d6fd Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 27 Feb 2026 15:23:55 +0100
Subject: [PATCH 3015/3088] databases/redis: bump for latest change

---
 databases/redis/Makefile  | 2 +-
 databases/redis/pkg-descr | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/databases/redis/Makefile b/databases/redis/Makefile
index c6639e95e5..95048dc98b 100644
--- a/databases/redis/Makefile
+++ b/databases/redis/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		redis
 PLUGIN_VERSION=		1.1
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_COMMENT=		Redis DB
 PLUGIN_DEPENDS=		redis72
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/databases/redis/pkg-descr b/databases/redis/pkg-descr
index 3bc510cbca..399ab102cf 100644
--- a/databases/redis/pkg-descr
+++ b/databases/redis/pkg-descr
@@ -23,6 +23,7 @@ Plugin Changelog
 1.1
 
 * Add a button to reset all databases (contributed by Michael Muenz)
+* Fix service widget behaviour (contributed by sevengiants)
 
 1.0
 
@@ -31,6 +32,3 @@ Plugin Changelog
 * Allow password protection
 * Connection limits
 * Performance monitoring of slow connections
-
-
-WWW: http://redis.io/

From 155aa2e796486b0485be178665dbe2d6d0b543cf Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Fri, 27 Feb 2026 16:09:13 +0100
Subject: [PATCH 3016/3088] www/caddy: Add changelog and bump plugin version to
 v2.1.0 (#5270)

---
 www/caddy/Makefile  |  3 +--
 www/caddy/pkg-descr | 45 ++++++++++++++++++++++++++++-----------------
 2 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/www/caddy/Makefile b/www/caddy/Makefile
index 344360c87d..a5730f402c 100644
--- a/www/caddy/Makefile
+++ b/www/caddy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		caddy
-PLUGIN_VERSION=		2.0.4
-PLUGIN_REVISION=	3
+PLUGIN_VERSION=		2.1.0
 PLUGIN_DEPENDS=		caddy-custom
 PLUGIN_COMMENT=		Modern Reverse Proxy with Automatic HTTPS, Dynamic DNS and Layer4 Routing
 PLUGIN_MAINTAINER=	cedrik@pischem.com
diff --git a/www/caddy/pkg-descr b/www/caddy/pkg-descr
index 71e6740172..1b88f41d0b 100644
--- a/www/caddy/pkg-descr
+++ b/www/caddy/pkg-descr
@@ -6,34 +6,45 @@ DOC: https://docs.opnsense.org/manual/how-tos/caddy.html
 Plugin Changelog
 ================
 
+2.1.0
+
+* Remove: NTLM plugin support due to service control instability and protocol deprecation (opnsense/plugins/pull/5258)
+* Remove: validateAction and caddy_control.py service control validation funnel (opnsense/plugins/pull/5258)
+* Remove: “Add Handler” shortcut command (opnsense/plugins/pull/5260)
+* Add: Layer 4 upstream originate TLS feature (opnsense/plugins/pull/5263)
+* Cleanup: Simplify reload command handling (opnsense/plugins/pull/5267)
+* Cleanup: Use BaseField cast helpers in certificate extraction script (opnsense/plugins/pull/5268)
+* Cleanup: Remove CDATA in help texts, fix typos, remove obsolete links, add missing selectpicker style (opnsense/plugins/pull/5261)
+* Cleanup: Use BaseField cast helpers in validation messages (opnsense/plugins/pull/5263)
+
 2.0.4
 
-Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/plugins/pull/4950)
-Fix: Enabling HTTP access log wrongly excluded the process logs (opnsense/plugins/pull/4974)
-Fix: fix setup.sh script not setting correct ownership in www user mode (opnsense/plugins/pull/4976)
-Fix: Prevent sudo on startup via skip_install_trust (opnsense/plugins/pull/5015)
-Fix: Fix race condition that moved domain filter selectpicker into invisible tab (opnsense/plugins/pull/5076)
+* Add: DNS-01 challenge delegation via CNAME (contributed by sdsys-ch) (opnsense/plugins/pull/4950)
+* Fix: Enabling HTTP access log wrongly excluded the process logs (opnsense/plugins/pull/4974)
+* Fix: fix setup.sh script not setting correct ownership in www user mode (opnsense/plugins/pull/4976)
+* Fix: Prevent sudo on startup via skip_install_trust (opnsense/plugins/pull/5015)
+* Fix: Fix race condition that moved domain filter selectpicker into invisible tab (opnsense/plugins/pull/5076)
 
 2.0.3
 
-Add: Tabulator groupBy of domain and subdomain (opnsense/plugins/pull/4909)
-Cleanup: Grid HTML and style
-Fix: Tabulator 'Data Load Response Blocked' warning
-Fix: setup.sh interaction with caddy storage and permissions (opnsense/plugins/pull/4911)
-Fix: Emit subdomain http access logs when wildcard parent has logging enabled (opnsense/plugins/issues/4914)
+* Add: Tabulator groupBy of domain and subdomain (opnsense/plugins/pull/4909)
+* Cleanup: Grid HTML and style
+* Fix: Tabulator 'Data Load Response Blocked' warning
+* Fix: setup.sh interaction with caddy storage and permissions (opnsense/plugins/pull/4911)
+* Fix: Emit subdomain http access logs when wildcard parent has logging enabled (opnsense/plugins/issues/4914)
 
 2.0.2
 
-Add: Global server timeout options (opnsense/plugins/pull/4778)
-Cleanup: Change all camelCase to snake_case in api notations (opnsense/plugins/pull/4767,4768,4776)
-Cleanup: Use SimpleActionButton in general.volt (opnsense/plugins/pull/4779)
-Cleanup: Change em into px, fix key/value display in formatter (opnsense/plugins/pull/4807)
-Cleanup: Remove obsolete model_relation_domain formatter (opnsense/plugins/pull/4813)
+* Add: Global server timeout options (opnsense/plugins/pull/4778)
+* Cleanup: Change all camelCase to snake_case in api notations (opnsense/plugins/pull/4767,4768,4776)
+* Cleanup: Use SimpleActionButton in general.volt (opnsense/plugins/pull/4779)
+* Cleanup: Change em into px, fix key/value display in formatter (opnsense/plugins/pull/4807)
+* Cleanup: Remove obsolete model_relation_domain formatter (opnsense/plugins/pull/4813)
 
 2.0.1
 
-Add: Active health checks to handlers (contributed by zaben903) (opnsense/plugins/pull/4721)
-Fix: Add handler command sometimes clearing domain selection in open dialogue (opnsense/plugins/pull/4748)
+* Add: Active health checks to handlers (contributed by zaben903) (opnsense/plugins/pull/4721)
+* Fix: Add handler command sometimes clearing domain selection in open dialogue (opnsense/plugins/pull/4748)
 
 2.0.0
 

From 8887a667fa260a9b5c48c43a20554d42dd850842 Mon Sep 17 00:00:00 2001
From: Peter Gerber <peter@arbitrary.ch>
Date: Mon, 2 Mar 2026 15:53:03 +0000
Subject: [PATCH 3017/3088] security/acme-client: always use configured cert
 name in cert description

This a fix for the PHP warning below. I propose to simply never use the
certificate name because:

a) It's easier to understand if the description always has the same source.

b) The use of a common name is no longer recommended and will disappear
   sooner or later anyway [1,2].

[1]: https://letsencrypt.org/docs/glossary/#def-CN
[2]: https://letsencrypt.org/docs/profiles/#tlsserver

Related PHP warning:

[02-Mar-2026 15:02:54 Etc/UTC] PHP Warning:  Undefined array key "commonname" in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php on line 206
---
 .../app/library/OPNsense/AcmeClient/LeCertificate.php  | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
index 342ce0d817..4ce93cbbca 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php
@@ -203,7 +203,6 @@ public function import(bool $skip_validation = false)
             $cert_details = CertStore::parseX509($cert_content);
             $cert_subject = $cert_details['name'];
             $cert_serial  = $cert_details['serialNumber'];
-            $cert_cn      = $cert_details['commonname'];
             $cert_issuer  = implode(",", $cert_details['issuer']);
         } else {
             LeUtils::log_error('unable to read certificate content from file');
@@ -226,12 +225,7 @@ public function import(bool $skip_validation = false)
         $cert = array();
         $cert['refid'] = uniqid();
         $cert['caref'] = (string)$ca['refid'];
-        if (empty($cert_cn)) {
-            // Fallback to configured name if Common Name is empty (e.g. for IP certificates)
-            $cert['descr'] = (string)$this->config->name . ' (ACME Client)';
-        } else {
-            $cert['descr'] = (string)$cert_cn . ' (ACME Client)';
-        }
+        $cert['descr'] = (string)$this->config->name . ' (ACME Client)';
         $import_log_message = 'imported';
         $cert_found = false;
 
@@ -273,7 +267,7 @@ public function import(bool $skip_validation = false)
             $newcert->crt = base64_encode($cert_content);
             $newcert->prv = base64_encode($key_content);
         }
-        LeUtils::log("{$import_log_message} ACME X.509 certificate: {$cert_cn} ({$cert['refid']})");
+        LeUtils::log("{$import_log_message} ACME X.509 certificate: {$this->config->name} ({$cert['refid']})");
 
         // Serialize to config and save
         // Skip validation because the current in-memory model may not

From c4758d35253c6805e3d17e8df8755c1ef736351d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Mar 2026 13:33:41 +0100
Subject: [PATCH 3018/3088] net/upnp: mark this release as development

---
 net/upnp/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index a805a22bb4..4a2b80837b 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		upnp
-PLUGIN_VERSION=		1.9
+PLUGIN_VERSION=		1.9.d
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		UPnP IGD & PCP/NAT-PMP Service
 PLUGIN_MAINTAINER=	franco@opnsense.org

From 7baf70309ffec0347e84b1b0d8399788003246cf Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Mar 2026 13:38:39 +0100
Subject: [PATCH 3019/3088] sysutils/nextcloud-backup: changelog and version

---
 sysutils/nextcloud-backup/Makefile  | 2 +-
 sysutils/nextcloud-backup/pkg-descr | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/sysutils/nextcloud-backup/Makefile b/sysutils/nextcloud-backup/Makefile
index 6ec93c476a..6ac87d90bd 100644
--- a/sysutils/nextcloud-backup/Makefile
+++ b/sysutils/nextcloud-backup/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nextcloud-backup
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		Track config changes using NextCloud
 
 .include "../../Mk/plugins.mk"
diff --git a/sysutils/nextcloud-backup/pkg-descr b/sysutils/nextcloud-backup/pkg-descr
index 7a96846941..42db2aed4b 100644
--- a/sysutils/nextcloud-backup/pkg-descr
+++ b/sysutils/nextcloud-backup/pkg-descr
@@ -6,6 +6,14 @@ strongly advise to not use a public service to send backups to.
 Plugin Changelog
 ================
 
+1.2
+
+* Add option to upload to one file each day instead of syncing the contents of /conf/backup
+* Add support for having backing up to a subdirectory instead of the root backup dir
+* Skip non-files when enumerating local entries to backup
+* Only back up when local file is newer than remote
+* Switch to UpdateOnlyTextField from TextField
+
 1.1
 
 * Back up the content of /conf/backup (contributed by Daniel Lysfjor)

From cd01f842bfde835a46e71b07215f610799b6f42b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Tue, 3 Mar 2026 13:51:01 +0100
Subject: [PATCH 3020/3088] Theme Cicada/Vicuna (#5279)

---
 .../opnsense/www/themes/cicada/assets/stylesheets/main.scss   | 2 +-
 .../src/opnsense/www/themes/cicada/build/css/main.css         | 2 +-
 .../www/themes/cicada/build/css/opnsense-bootgrid.css         | 4 ++--
 .../opnsense/www/themes/vicuna/assets/stylesheets/main.scss   | 4 ++--
 .../src/opnsense/www/themes/vicuna/build/css/main.css         | 4 ++--
 .../www/themes/vicuna/build/css/opnsense-bootgrid.css         | 4 ++--
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index 4234977963..d2f755571d 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -5370,7 +5370,7 @@ tbody.collapse.in {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5;
+    background-color: #191919;
   }
 
   > {
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index d097eb55ea..ac6fbb3bd1 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -3198,7 +3198,7 @@ tbody.collapse.in {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5; }
+    background-color: #191919; }
   .dropdown-menu > li > a {
     display: block;
     padding: 3px 20px;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
index 63af6ab071..d5581fb85c 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/opnsense-bootgrid.css
@@ -48,7 +48,7 @@
 }
 
 .tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected) {
-  background-color: #242424;
+  background-color: #282828;
 }
 
 .tabulator-row.tabulator-row-even {
@@ -56,7 +56,7 @@
 }
 
 .tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected) {
-  background-color: #242424;
+  background-color: #282828;
 }
 
 .tabulator .tabulator-tableholder {
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
index 4b0341812f..1e5e9b71dc 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/assets/stylesheets/main.scss
@@ -5481,7 +5481,7 @@ tbody.collapse.in {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5;
+    background-color: #191919;
   }
 
   > {
@@ -5559,7 +5559,7 @@ tbody.collapse.in {
   padding: 3px 20px;
   font-size: 12px;
   line-height: 1.428571429;
-  color: #191919;
+  color: #999;
   white-space: nowrap;
 }
 
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
index 6cf410f8cf..f622195ce8 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/main.css
@@ -3184,7 +3184,7 @@ tbody.collapse.in {
     height: 1px;
     margin: 9px 0;
     overflow: hidden;
-    background-color: #e5e5e5; }
+    background-color: #191919; }
   .dropdown-menu > li > a {
     display: block;
     padding: 3px 20px;
@@ -3235,7 +3235,7 @@ tbody.collapse.in {
   padding: 3px 20px;
   font-size: 12px;
   line-height: 1.428571429;
-  color: #191919;
+  color: #999;
   white-space: nowrap; }
 
 .dropdown-backdrop {
diff --git a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
index 03477ce3ad..46d72bbb2d 100644
--- a/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
+++ b/misc/theme-vicuna/src/opnsense/www/themes/vicuna/build/css/opnsense-bootgrid.css
@@ -48,7 +48,7 @@
 }
 
 .tabulator-row.tabulator-row-odd.tabulator-selectable:hover:not(.tabulator-selected) {
-  background-color: #1b272f;
+  background-color: #1f2c35;
 }
 
 .tabulator-row.tabulator-row-even {
@@ -56,7 +56,7 @@
 }
 
 .tabulator-row.tabulator-row-even.tabulator-selectable:hover:not(.tabulator-selected) {
-  background-color: #1b272f;
+  background-color: #1f2c35;
 }
 
 .tabulator .tabulator-tableholder {

From 1728943ccabc82f3880a3ee4a0df9e9d44b9c4c4 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 3 Mar 2026 14:28:35 +0100
Subject: [PATCH 3021/3088] misc/theme-flexcolor: manually merge #5095

---
 misc/theme-flexcolor/Makefile                 |  2 +-
 .../color_schemes/black/default_scheme.css    | 28 ++++++++++++++--
 .../darklight/default_scheme.css              | 26 +++++++++++++--
 .../color_schemes/light/default_scheme.css    | 26 +++++++++++++--
 .../flexcolor/build/css/main.css.shadow       | 33 ++++++++++++-------
 5 files changed, 95 insertions(+), 20 deletions(-)

diff --git a/misc/theme-flexcolor/Makefile b/misc/theme-flexcolor/Makefile
index 4ff210b34b..6498db4ce3 100644
--- a/misc/theme-flexcolor/Makefile
+++ b/misc/theme-flexcolor/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		theme-flexcolor
-PLUGIN_VERSION=		1.0
+PLUGIN_VERSION=		1.1
 PLUGIN_COMMENT=		Theme with 3 different color schemes: black as default, light and dark-light
 PLUGIN_MAINTAINER=	iengels@web.de
 PLUGIN_NO_ABI=		yes
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/black/default_scheme.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/black/default_scheme.css
index 2ee93ae03c..03b33f8f54 100644
--- a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/black/default_scheme.css
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/black/default_scheme.css
@@ -18,7 +18,7 @@
     --stdborderprimary: #336CDF; /* standard border with accent*/
     --stdborderinverse: #000000; /* standard border with accent*/
     --stdborder50bright: #A1A1A1; /* standard border with accent*/
-    --badgeback: #E6E6E6; /* badge background & progress-bar & blockquote*/
+    --badgeback: #1F62C1; /* badge background & progress-bar & blockquote*/
     --progressbar: #D4D4D4; /* progress-bar*/
     --token: #AF3604; /* background token */
     --highlighted: #FFFFFF; /* highlighted element */
@@ -57,7 +57,7 @@
     --txtboxbackhover: #000000;
     --txtboxbackactive: #000000;
     --txtboxbackdisabled: #000000;
-    --txtboxbacktoken: #E65C00;
+    --txtboxbacktoken: #1F62C1;
     --txtboxbackdel: #FF5252; /* only tokenize, pending delete */
     --txtboxbackdismiss: #F2F7FD; /* only tokenize, dismiss */
     /* border */
@@ -87,6 +87,8 @@
     /* special  characters */
     --link: #FA6121; /* OPNsense text login and links */
     --linkhover: #E04605; /* OPNsense text login and links hover */
+    --colorcheckbox: #388E3C; /* background color checkbox */
+    --colorradio: #FF3333; /* background color radio button */
     /* accents */
     --primary: #336CDF; /* primary accent */
     --primaryhover: #608DE6; /* primary accent hover */
@@ -97,7 +99,27 @@
     --warning: #D66E12; /* warning accent */
     --warninghover: #ED862B; /* warning accent hover */
     --danger: #FF5252; /* danger accent */
-    --dangerhover: #BE2326FF8585; /* danger accent hover */
+    --dangerhover: #E64949; /* danger accent hover */
+    /* alert messages */
+    /* alert*/
+    --alertback: #000000;
+    --alertborder: transparent;
+    /* alert success */
+    --alertsuccessfore: #E6E6E6;
+    --alertsuccessback: #000000;
+    --alertsuccessborder: #36D93E;
+    /* alert info */
+    --alertinfofore: #E6E6E6;
+    --alertinfoback: #000000;
+    --alertinfoborder: #369DD9;
+    /* alert warning */
+    --alertwarningfore: #E6E6E6;
+    --alertwarningback: #000000;
+    --alertwarningborder: #D98236;
+    /* alert danger */
+    --alertdangerfore: #E6E6E6;
+    --alertdangerback: #000000;
+    --alertdangerborder: #D93636;
     /* buttons (complete (independent) */
     /* unselected */
     --btnfore: #E6E6E6; /* textcolor */
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/darklight/default_scheme.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/darklight/default_scheme.css
index 5522478e3f..7ff8048402 100644
--- a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/darklight/default_scheme.css
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/darklight/default_scheme.css
@@ -18,7 +18,7 @@
     --stdborderprimary: #FA6121; /* standard border with accent*/
     --stdborderinverse: #647D9B; /* standard border with accent*/
     --stdborder50bright: #A2B1C3; /* standard border with accent*/
-    --badgeback: #FFC59E; /* badge background & progress-bar & blockquote*/
+    --badgeback: #AD7A7A; /* badge background & progress-bar & blockquote*/
     --progressbar: #181E25; /* progress-bar*/
     --token: #FA6121; /* background token */
     --highlighted: #FFFFFF; /* highlighted element */
@@ -57,7 +57,7 @@
     --txtboxbackhover: #F2F7FD;
     --txtboxbackactive: #F2F7FD;
     --txtboxbackdisabled: #181E25;
-    --txtboxbacktoken: #FFC59E;
+    --txtboxbacktoken: #AD7A7A;
     --txtboxbackdel: #DB393D; /* only tokenize, pending delete */
     --txtboxbackdismiss: #F2F7FD; /* only tokenize, dismiss */
     /* border */
@@ -87,6 +87,8 @@
     /* special  characters */
     --link: #FA6121; /* OPNsense text login and links */
     --linkhover: #E04605; /* OPNsense text login and links hover */
+    --colorcheckbox: #39E63C; /* background color checkbox */
+    --colorradio: #0089D0; /* background color radio button */
     /* accents */
     --primary: #FA6121; /* primary accent */
     --primaryhover: #E04605; /* primary accent hover */
@@ -98,6 +100,26 @@
     --warninghover: #B87A00; /* warning accent hover */
     --danger: #DB393D; /* danger accent */
     --dangerhover: #BE2326; /* danger accent hover */
+    /* alert messages */
+    /* alert*/
+    --alertback: #181E25;
+    --alertborder: transparent;
+    /* alert success */
+    --alertsuccessfore: #00E604;
+    --alertsuccessback: #181E25;
+    --alertsuccessborder: #F2F7FD;
+    /* alert info */
+    --alertinfofore: #0099E6;
+    --alertinfoback: #181E25;
+    --alertinfoborder: #F2F7FD;
+    /* alert warning */
+    --alertwarningfore: #E69900;
+    --alertwarningback: #181E25;
+    --alertwarningborder: #F2F7FD;
+    /* alert danger */
+    --alertdangerfore: #E60004;
+    --alertdangerback: #181E25;
+    --alertdangerborder: #F2F7FD;
     /* buttons (complete (independent) */
     /* unselected */
     --btnfore: #181E25; /* textcolor */
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/light/default_scheme.css b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/light/default_scheme.css
index 8d6de04f7e..d4ad8b34eb 100644
--- a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/light/default_scheme.css
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/color_schemes/light/default_scheme.css
@@ -18,7 +18,7 @@
     --stdborderprimary: #336CDF; /* standard border with accent*/
     --stdborderinverse: #131313; /* standard border with accent*/
     --stdborder50bright: #A1A1A1; /* standard border with accent*/
-    --badgeback: #FFC59E; /* badge background & progress-bar & blockquote*/
+    --badgeback: #8DA6BD; /* badge background & progress-bar & blockquote*/
     --progressbar: #131313; /* progress-bar*/
     --token: #71ADF4; /* background token */
     --highlighted: #131313; /* highlighted element */
@@ -57,7 +57,7 @@
     --txtboxbackhover: #F5F5F5;
     --txtboxbackactive: #F5F5F5;
     --txtboxbackdisabled: #F5F5F5;
-    --txtboxbacktoken: #71ADF4;
+    --txtboxbacktoken: #8DA6BD;
     --txtboxbackdel: #FC2529; /* only tokenize, pending delete */
     --txtboxbackdismiss: #F5F5F5; /* only tokenize, dismiss */
     /* border */
@@ -87,6 +87,8 @@
     /* special  characters */
     --link: #FA6121; /* OPNsense text login and links */
     --linkhover: #E04605; /* OPNsense text login and links hover */
+    --colorcheckbox: #28A839; /* background color checkbox */
+    --colorradio: #1066CC; /* background color radio button */
     /* accents */
     --primary: #1066CC; /* primary accent */
     --primaryhover: #0C4E9C; /* primary accent hover */
@@ -98,6 +100,26 @@
     --warninghover: #D97B03; /* warning accent hover */
     --danger: #FC2529; /* danger accent */
     --dangerhover: #EC0308; /* danger accent hover */
+    /* alert messages */
+    /* alert*/
+    --alertback: #F5F5F5;
+    --alertborder: transparent;
+    /* alert success */
+    --alertsuccessfore: #000000;
+    --alertsuccessback: #D4FAD9;
+    --alertsuccessborder: #28A839;
+    /* alert info */
+    --alertinfofore: #000000;
+    --alertinfoback: #D4F1FA;
+    --alertinfoborder: #10A6D8;
+    /* alert warning */
+    --alertwarningfore: #000000;
+    --alertwarningback: #F2E3CE;
+    --alertwarningborder: #FC9510;
+    /* alert danger */
+    --alertdangerfore: #000000;
+    --alertdangerback: #F2CECE;
+    --alertdangerborder: #FC2529;
     /* buttons (complete (independent) */
     /* unselected */
     --btnfore: #454545; /* textcolor */
diff --git a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css.shadow b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css.shadow
index 6c2eaad9c3..2a13a6df92 100644
--- a/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css.shadow
+++ b/misc/theme-flexcolor/src/opnsense/www/themes/flexcolor/build/css/main.css.shadow
@@ -119,10 +119,14 @@ input::-moz-focus-inner {
   padding: 0; }
 input {
   line-height: normal; }
-input[type=checkbox],
+input[type=checkbox] {
+  box-sizing: border-box;
+  padding: 0;
+  accent-color: var(--colorcheckbox); }
 input[type=radio] {
   box-sizing: border-box;
-  padding: 0; }
+  padding: 0;
+  accent-color: var(--colorradio); }
 input[type=number]::-webkit-inner-spin-button,
 input[type=number]::-webkit-outer-spin-button {
   height: auto; }
@@ -3996,14 +4000,11 @@ a.thumbnail:focus,
 a.thumbnail.active {
   border-color: var(--primary); }
 .alert {
-  background-color: var(--pback);
-  color: var(--pfore);
   padding: 15px;
+  background-color: var(--alertback);
   margin-bottom: 20px;
-  border: 2px solid transparent;
-  border-radius: 3px;
-  -webkit-box-shadow: inset 0 1px 0 var(--boxshadow), 0 1px 0 var(--boxshadow);
-  box-shadow: inset 0 1px 0 var(--boxshadow), 0 1px 0 var(--boxshadow); }
+  border: 2px solid var(--alertborder);
+  border-radius: 3px; }
 .alert h4 {
   margin-top: 0;
   color: inherit; }
@@ -4024,25 +4025,33 @@ a.thumbnail.active {
   right: -21px;
   color: inherit; }
 .alert-success {
-  border-color: var(--success); }
+  color: var(--alertsuccessfore);
+  background-color: var(--alertsuccessback);
+  border-color: var(--alertsuccessborder); }
 .alert-success hr {
   border-top-color: var(--pfore); }
 .alert-success .alert-link {
   color: var(--primary); }
 .alert-info {
-  border-color: var(--info); }
+  color: var(--alertinfofore);
+  background-color: var(--alertinfoback);
+  border-color: var(--alertinfoborder); }
 .alert-info hr {
   border-top-color: var(--pfore); }
 .alert-info .alert-link {
   color: var(--info); }
 .alert-warning {
-  border-color: var(--warning); }
+  color: var(--alertwarningfore);
+  background-color: var(--alertwarningback);
+  border-color: var(--alertwarningborder); }
 .alert-warning hr {
   border-top-color: var(--pfore); }
 .alert-warning .alert-link {
   color: var(--primary); }
 .alert-danger {
-  border-color: var(--danger); }
+  color: var(--alertdangerfore);
+  background-color: var(--alertdangerback);
+  border-color: var(--alertdangerborder); }
 .alert-danger hr {
   border-top-color: var(--pfore); }
 .alert-danger .alert-link {

From cc2149dedf873f0caba84d64dc44fd9690a79f85 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2026 08:35:24 +0100
Subject: [PATCH 3022/3088] dns/ddclient: reduce code and fix #5287

---
 .../mvc/app/models/OPNsense/DynDNS/DynDNS.php | 33 +++++++++----------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
index a3cbb5a866..5ce08ea111 100644
--- a/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
+++ b/dns/ddclient/src/opnsense/mvc/app/models/OPNsense/DynDNS/DynDNS.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2021-2023 Deciso B.V.
+ * Copyright (C) 2021-2026 Deciso B.V.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -41,6 +41,7 @@ public function performValidation($validateFullModel = false)
     {
         $messages = parent::performValidation($validateFullModel);
         $validate_servers = [];
+
         foreach ($this->getFlatNodes() as $key => $node) {
             $tagName = $node->getInternalXMLTagName();
             $parentNode = $node->getParentNode();
@@ -51,27 +52,24 @@ public function performValidation($validateFullModel = false)
                 }
             }
         }
+
         foreach ($validate_servers as $key => $node) {
-            if ((string)$node->service == 'powerdns') {
-                if (empty($srv) || filter_var($srv, FILTER_VALIDATE_URL) === false) {
-                    $messages->appendMessage(
-                        new Message(
-                            gettext("A valid URI is required."),
-                            $key . ".server"
-                        )
-                    );
-                }
-            }
-            if ((string)$node->service != 'custom') {
+            $validate_url = false;
+
+            if ($node->service->isEqual('powerdns')) {
+                $validate_url = true;
+            } elseif (!$node->service->isEqual('custom')) {
                 continue;
             }
+
             $srv = (string)$node->server;
-            if (in_array((string)$node->protocol, ['get', 'post', 'put'])) {
+
+            if (in_array((string)$node->protocol, ['get', 'post', 'put']) || $validate_url) {
                 if (empty($srv) || filter_var($srv, FILTER_VALIDATE_URL) === false) {
                     $messages->appendMessage(
                         new Message(
-                            gettext("A valid URI is required."),
-                            $key . ".server"
+                            gettext('A valid URI is required.'),
+                            $key . '.server'
                         )
                     );
                 }
@@ -79,13 +77,14 @@ public function performValidation($validateFullModel = false)
                 if (empty($srv) || filter_var($srv, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
                     $messages->appendMessage(
                         new Message(
-                            gettext("A valid domain is required."),
-                            $key . ".server"
+                            gettext('A valid domain is required.'),
+                            $key . '.server'
                         )
                     );
                 }
             }
         }
+
         return $messages;
     }
 }

From 6c81f6d085ada5f88a336bd588dc599d635db317 Mon Sep 17 00:00:00 2001
From: Self-Hosting-Group
 <155233284+Self-Hosting-Group@users.noreply.github.com>
Date: Wed, 4 Mar 2026 09:34:53 +0100
Subject: [PATCH 3023/3088] net/upnp: Complete service improvements 2/2 (#5256)

---
 net/upnp/pkg-descr                            | 16 +++++++++++++
 .../src/etc/inc/plugins.inc.d/miniupnpd.inc   | 23 +++++++++++--------
 .../mvc/app/models/OPNsense/UPnP/ACL/ACL.xml  |  4 ++--
 net/upnp/src/www/services_upnp.php            | 15 ++++++++----
 4 files changed, 41 insertions(+), 17 deletions(-)

diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index e970623794..b1e98c6a17 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -7,6 +7,22 @@ WWW: https://miniupnp.tuxfamily.org/
 Plugin Changelog
 ================
 
+1.9
+
+* Separate service log file and log level UI option
+* More specific allow third-party mapping UI option
+* Impove help/wording and update missed changelog
+* Add daemon patch to improve logging
+
+1.8
+
+* New UI options: disable IPv6 mapping, allow third-party mapping, UPnP IGD compatibility, router/friendly name; remove option: report system uptime (bug)
+* List IPv6 maps and keep active maps when reconfiguring/restarting service, clearer added via / description field
+* New UI sections, rewording plugin, set allow-filtered with STUN to workaround CGNAT test limitation, clean up daemon config
+* Update daemon to 2.3.9, add build options (e.g. IGDv2 support), add daemon patch to improve UPnP IGDv2 compatibility
+
+(1.8/1.9 contributed by Self-Hosting-Group)
+
 1.7
 
 * Add option to allow arbitrary number of UPnP/NAT-PMP rules (contributed by Kreeblah)
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index a3f01f48c0..7f91e74406 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -44,10 +44,12 @@ function miniupnpd_firewall($fw)
         return;
     }
 
+    /* required for IPv4: */
     $fw->registerAnchor('miniupnpd', 'rdr');
+    /* required for IPv6: */
     $fw->registerAnchor('miniupnpd', 'fw');
+    /* required for IPv4 NAT hairpinning: */
     $fw->registerAnchor('miniupnpd', 'nat', 0, 'head');
-    $fw->registerAnchor('miniupnpd', 'binat');
 }
 
 function miniupnpd_services()
@@ -88,14 +90,11 @@ function miniupnpd_start()
     $cmd_args = ['/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid'];
 
     switch ($log_level) {
-        case 'debug':
-            $cmd_frmt[] = '-v';
-            /* FALLTHROUGH */
         case 'info':
             $cmd_frmt[] = '-v';
-            /* FALLTHROUGH */
-        default:
             break;
+        case 'debug':
+            $cmd_frmt[] = '-vv';
     }
 
     mwexecfb($cmd_frmt, $cmd_args);
@@ -105,8 +104,8 @@ function miniupnpd_stop()
 {
     killbypid('/var/run/miniupnpd.pid');
 
-    mwexecf('/sbin/pfctl -a miniupnpd -Fr');
-    mwexecf('/sbin/pfctl -a miniupnpd -Fn');
+    mwexecf('/sbin/pfctl -a miniupnpd -F rules');
+    mwexecf('/sbin/pfctl -a miniupnpd -F nat');
 }
 
 function miniupnpd_configure()
@@ -221,11 +220,15 @@ function miniupnpd_configure_do($verbose = false)
                 $config_text .= "bitrate_up={$upload}\n";
             }
 
-            if (!empty($upnp_config['allow_third_party_mapping'])) {
+            if (in_array($upnp_config['allow_third_party_mapping'] ?? '', ['1', 'upnp-igd'])) {
                 $config_text .= "secure_mode=no\n";
-                $config_text .= "pcp_allow_thirdparty=yes\n";
             } else {
                 $config_text .= "secure_mode=yes\n";
+            }
+
+            if (in_array($upnp_config['allow_third_party_mapping'] ?? '', ['1', 'pcp'])) {
+                $config_text .= "pcp_allow_thirdparty=yes\n";
+            } else {
                 $config_text .= "pcp_allow_thirdparty=no\n";
             }
 
diff --git a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
index 77d5cf5822..159112fb57 100644
--- a/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
+++ b/net/upnp/src/opnsense/mvc/app/models/OPNsense/UPnP/ACL/ACL.xml
@@ -11,11 +11,11 @@
             <pattern>status_upnp.php*</pattern>
         </patterns>
     </page-status-upnpstatus>
-    <page-services-upnp-log>
+    <page-diagnostics-logs-upnp>
         <name>Services: UPnP IGD &amp; PCP: Log File</name>
         <patterns>
             <pattern>ui/diagnostics/log/core/miniupnpd/*</pattern>
             <pattern>api/diagnostics/log/core/miniupnpd/*</pattern>
         </patterns>
-    </page-services-upnp-log>
+    </page-diagnostics-logs-upnp>
 </acl>
diff --git a/net/upnp/src/www/services_upnp.php b/net/upnp/src/www/services_upnp.php
index d9a3e2230b..76a4626306 100644
--- a/net/upnp/src/www/services_upnp.php
+++ b/net/upnp/src/www/services_upnp.php
@@ -179,7 +179,7 @@ function miniupnpd_validate_port($port)
         // save form data
         $upnp = [];
         // boolean types
-        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault', 'allow_third_party_mapping', 'ipv6_disable'] as $fieldname) {
+        foreach (['enable', 'enable_upnp', 'enable_natpmp', 'logpackets', 'sysuptime', 'permdefault', 'ipv6_disable'] as $fieldname) {
             $upnp[$fieldname] = !empty($pconfig[$fieldname]);
         }
         // numeric types
@@ -187,7 +187,7 @@ function miniupnpd_validate_port($port)
             $upnp['num_permuser'] = $pconfig['num_permuser'];
         }
         // text field types
-        foreach (['download', 'ext_iface', 'friendly_name', 'log_level', 'overridesubnet', 'overridewanip', 'stun_host', 'stun_port', 'upload', 'upnp_igd_compat'] as $fieldname) {
+        foreach (['allow_third_party_mapping', 'download', 'ext_iface', 'friendly_name', 'log_level', 'overridesubnet', 'overridewanip', 'stun_host', 'stun_port', 'upload', 'upnp_igd_compat'] as $fieldname) {
             $upnp[$fieldname] = $pconfig[$fieldname];
         }
         foreach (miniupnpd_permuser_list() as $fieldname) {
@@ -234,7 +234,7 @@ function miniupnpd_validate_port($port)
                   </thead>
                   <tbody>
                     <tr>
-                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable service");?></td>
+                      <td><a id="help_for_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enabled");?></td>
                       <td>
                        <input name="enable" type="checkbox" value="yes" <?=!empty($pconfig['enable']) ? "checked=\"checked\"" : ""; ?> />
                        <div class="hidden" data-for="help_for_enable">
@@ -350,9 +350,14 @@ function miniupnpd_validate_port($port)
                     <tr>
                       <td><a id="help_for_allow_third_party_mapping" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Allow third-party mapping");?></td>
                       <td>
-                        <input name="allow_third_party_mapping" type="checkbox" value="yes" <?=!empty($pconfig['allow_third_party_mapping']) ? "checked=\"checked\"" : ""; ?> />
+                        <select name="allow_third_party_mapping">
+                          <option value="0" <?= ($pconfig['allow_third_party_mapping'] ?? '') == '0' ? 'selected="selected"' : '' ?> ><?= gettext('Disabled (recommended)') ?></option>
+                          <option value="1" <?= ($pconfig['allow_third_party_mapping'] ?? '') == '1' ? 'selected="selected"' : '' ?> ><?= gettext('Enabled') ?></option>
+                          <option value="upnp-igd" <?= ($pconfig['allow_third_party_mapping'] ?? '') == 'upnp-igd' ? 'selected="selected"' : '' ?> ><?= gettext('Enabled (UPnP IGD only)') ?></option>
+                          <option value="pcp" <?= ($pconfig['allow_third_party_mapping'] ?? '') == 'pcp' ? 'selected="selected"' : '' ?> ><?= gettext('Enabled (PCP only)') ?></option>
+                        </select>
                         <div class="hidden" data-for="help_for_allow_third_party_mapping">
-                          <?=gettext("Allow adding port maps for non-requesting IP addresses.");?>
+                          <?=gettext("Allow adding port maps for non-requesting IP addresses; use with care.");?>
                         </div>
                       </td>
                     </tr>

From e05c8ee1da06aa659d1678aa3396e62052d296c8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2026 09:40:12 +0100
Subject: [PATCH 3024/3088] net/upnp: coding style and version bump

---
 net/upnp/Makefile                                |  2 +-
 net/upnp/pkg-descr                               |  4 +++-
 net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc | 11 ++++++-----
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/net/upnp/Makefile b/net/upnp/Makefile
index 4a2b80837b..a805a22bb4 100644
--- a/net/upnp/Makefile
+++ b/net/upnp/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		upnp
-PLUGIN_VERSION=		1.9.d
+PLUGIN_VERSION=		1.9
 PLUGIN_DEPENDS=		miniupnpd
 PLUGIN_COMMENT=		UPnP IGD & PCP/NAT-PMP Service
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/upnp/pkg-descr b/net/upnp/pkg-descr
index b1e98c6a17..5032d31d5c 100644
--- a/net/upnp/pkg-descr
+++ b/net/upnp/pkg-descr
@@ -14,6 +14,8 @@ Plugin Changelog
 * Impove help/wording and update missed changelog
 * Add daemon patch to improve logging
 
+(all contributed by Self-Hosting-Group)
+
 1.8
 
 * New UI options: disable IPv6 mapping, allow third-party mapping, UPnP IGD compatibility, router/friendly name; remove option: report system uptime (bug)
@@ -21,7 +23,7 @@ Plugin Changelog
 * New UI sections, rewording plugin, set allow-filtered with STUN to workaround CGNAT test limitation, clean up daemon config
 * Update daemon to 2.3.9, add build options (e.g. IGDv2 support), add daemon patch to improve UPnP IGDv2 compatibility
 
-(1.8/1.9 contributed by Self-Hosting-Group)
+(all contributed by Self-Hosting-Group)
 
 1.7
 
diff --git a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
index 7f91e74406..1c76948875 100644
--- a/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/net/upnp/src/etc/inc/plugins.inc.d/miniupnpd.inc
@@ -84,17 +84,18 @@ function miniupnpd_start()
         return;
     }
 
-    $log_level = $config['installedpackages']['miniupnpd']['config'][0]['log_level'] ?? '';
-
     $cmd_frmt = ['/usr/local/sbin/miniupnpd -f %s -P %s'];
     $cmd_args = ['/var/etc/miniupnpd.conf', '/var/run/miniupnpd.pid'];
 
-    switch ($log_level) {
+    switch ($config['installedpackages']['miniupnpd']['config'][0]['log_level'] ?? '') {
+        case 'debug':
+            $cmd_frmt[] = '-vv';
+            break;
         case 'info':
             $cmd_frmt[] = '-v';
             break;
-        case 'debug':
-            $cmd_frmt[] = '-vv';
+        default:
+            break;
     }
 
     mwexecfb($cmd_frmt, $cmd_args);

From 7e3e3e3c0b1ccf9e199db77ae376e361d3d3ea61 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2026 09:44:42 +0100
Subject: [PATCH 3025/3088] dns/ddclient: bump revisionm

---
 dns/ddclient/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index ce25fefbcc..77279351aa 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.30
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 02ec4f56eb8cbc5ccb8ce1395f5db64636654b35 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 4 Mar 2026 11:36:43 +0100
Subject: [PATCH 3026/3088] LICENSE: sync

---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index c0b094a0dc..5239926e0a 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@ Copyright (c) 2021 Axelrtgs
 Copyright (c) 2026 Benno Kutschenreuter
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
-Copyright (c) 2023-2025 Cedrik Pischem
+Copyright (c) 2023-2026 Cedrik Pischem
 Copyright (c) 2025 Christopher Linn, BackendMedia IT-Services GmbH
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
 Copyright (c) 2021 Dan Lundqvist

From 78e3906a3ec5ea7e157cd33c17012fa0995ed85a Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 9 Mar 2026 11:03:22 +0100
Subject: [PATCH 3027/3088] security/q-feeds-connector - on reconfigure, ensure
 alias cache is flushed to prevent consumers not knowing about our just
 registered dynamic entries. closes
 https://github.com/opnsense/plugins/issues/5288

---
 .../app/controllers/OPNsense/QFeeds/Api/SettingsController.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
index 5e14ae7f51..9368c524f1 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
@@ -34,6 +34,7 @@
 use OPNsense\Base\UserException;
 use OPNsense\Core\Backend;
 use OPNsense\Core\Config;
+use OPNsense\Firewall\Alias;
 
 class SettingsController extends ApiMutableModelControllerBase
 {
@@ -51,6 +52,8 @@ public function reconfigureAction()
         if (strpos($res, 'EXIT OK') === false) {
             throw new UserException($res);
         }
+        /* as we register new dynamic aliases, we're also responsible for invalidating an existing cache */
+        Alias::flushCacheData();
         return ['status' => 'ok', 'output' => $res];
     }
 

From 4b70c2627998287ef5bfe776c87ae014b3983f16 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Mar 2026 08:58:46 +0100
Subject: [PATCH 3028/3088] dns/ddclient: changelog

---
 dns/ddclient/pkg-descr | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index 50f29b10df..e143286c26 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.30
 
 * Add native backend support for Hostinger (contributed by Leandro Scardua)
+* Fix PowerDNS URL validation
 
 1.29
 

From ca028fc1ce9bdb87184f491d909c79c2b46074ec Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 11 Mar 2026 09:00:03 +0100
Subject: [PATCH 3029/3088] security/q-feeds-connector: annotate last fix

---
 security/q-feeds-connector/Makefile  | 1 +
 security/q-feeds-connector/pkg-descr | 1 +
 2 files changed, 2 insertions(+)

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index f690fad92d..6ec2187cd4 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		q-feeds-connector
 PLUGIN_VERSION=		1.5
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
 PLUGIN_TIER=		2
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 87d1455830..d005e7e7e6 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 * Feature: Add effective networks for unbound
 * Feature: Add NXDOMAIN option for unbound
 * Feature: Add dest address for unbound
+* Bugfix: Invalidate alias cache on reconfigure
 
 1.4
 

From 06b8dae9d1664320c5e3cae098751b7fa38deb18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <34602360+opnsenseuser@users.noreply.github.com>
Date: Wed, 11 Mar 2026 15:04:59 +0100
Subject: [PATCH 3030/3088] Firewall - old rules - fix disabled rule (#5310)

Co-authored-by: Manuel <mr-manuel@outlook.it>
---
 .../opnsense/www/themes/cicada/assets/stylesheets/main.scss  | 5 +++++
 .../src/opnsense/www/themes/cicada/build/css/main.css        | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
index d2f755571d..9d48254e94 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/assets/stylesheets/main.scss
@@ -10631,6 +10631,11 @@ ul.jqtree-tree {
   border: 1px solid #191919 !important;
 }
 
+.rule.text-muted {
+  background-color: #242424 !important;
+  opacity: 0.4;
+}
+
 .rule.text-muted > td {
   &:nth-child(1n+3) {
     text-decoration: line-through;
diff --git a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
index ac6fbb3bd1..86ed11a99f 100644
--- a/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
+++ b/misc/theme-cicada/src/opnsense/www/themes/cicada/build/css/main.css
@@ -6617,6 +6617,11 @@ ul.jqtree-tree .jqtree-title {
   border: 1px solid #191919 !important;
 }
 
+.rule.text-muted {
+	background-color: #242424 !important;
+	opacity: 0.4;
+}
+
 .rule.text-muted > td:nth-child(1n+3) {
   text-decoration: line-through;
 }

From e389a81569a395e80d0ca815cdfb229e08907942 Mon Sep 17 00:00:00 2001
From: Daniel Ohnesorge <82357071+danohn@users.noreply.github.com>
Date: Thu, 12 Mar 2026 20:21:30 +1100
Subject: [PATCH 3031/3088] net/frr: add per-neighbor local-as option for BGP
 (#5308)

---
 net/frr/Makefile                                         | 2 +-
 net/frr/pkg-descr                                        | 4 ++++
 .../OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml      | 9 +++++++++
 .../src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml  | 4 ++++
 .../opnsense/service/templates/OPNsense/Quagga/bgpd.conf | 3 +++
 5 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index 8a8f78a19f..a488ddeb12 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.50
+PLUGIN_VERSION=		1.51
 PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 5a47995ed6..03a39c9477 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.51
+
+* Add per-neighbor local-as option for BGP (contributed by danohn) (opnsense/plugins/pull/5308)
+
 1.50
 
 * Add BGP remove-private-AS (contributed by rfrederick) (opnsense/plugins/pull/5090)
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
index 7b1a679148..9d0e85051e 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBGPNeighbor.xml
@@ -36,6 +36,15 @@
     <type>text</type>
     <help>AS (Autonomous System) number of the neighbor, required for establishing a BGP session.</help>
   </field>
+  <field>
+    <id>neighbor.localas</id>
+    <label>Local AS</label>
+    <type>text</type>
+    <help>Optional local AS to present to this specific neighbor.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
   <field>
     <id>neighbor.password</id>
     <label>BGP MD5 Password</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index c6a49ffdee..6767a387a3 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -69,6 +69,10 @@
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>4294967295</MaximumValue>
                 </remoteas>
+                <localas type="IntegerField">
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>4294967295</MaximumValue>
+                </localas>
                 <password type="TextField"/>
                 <weight type="IntegerField">
                     <MinimumValue>0</MinimumValue>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index c280332f21..1681660eee 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -120,6 +120,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         else %}
  neighbor {{ neighbor.address }} remote-as {{ neighbor.remote_as_mode }}
 {%         endif %}
+{%         if 'localas' in neighbor and neighbor.localas != '' %}
+ neighbor {{ neighbor.address }} local-as {{ neighbor.localas }}
+{%         endif %}
 {%         if neighbor.bfd|default('') == '1' %}
  neighbor {{ neighbor.address }} bfd
 {%         endif %}

From a4191cf13157a6edc4330bcb0505c38aaba80efe Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Mar 2026 11:02:01 +0100
Subject: [PATCH 3032/3088] misc/theme-cicada: bump revision

---
 misc/theme-cicada/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/misc/theme-cicada/Makefile b/misc/theme-cicada/Makefile
index baff1111e8..d2cc3ecefc 100644
--- a/misc/theme-cicada/Makefile
+++ b/misc/theme-cicada/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		theme-cicada
 PLUGIN_VERSION=		1.41
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The cicada theme - dark grey onyx
 PLUGIN_MAINTAINER=	rene@team-rebellion.net
 PLUGIN_NO_ABI=		yes

From 0e62a4992404873c2d0005ed2b3a474d0d9eac9b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 12 Mar 2026 21:58:01 +0100
Subject: [PATCH 3033/3088] net/wol: add access to get_arp so dashboard widget
 works

For core the dashboard ACL holds all the dashboard related API
patterns but we don't want to taint it with plugin requirements.

So instead of adding a WoL-Dashboard privilege add the required
API endpoint to the standard ACL to unbreak.  This is only relevant
for the plugin when installed and explicitly using the privilege.
---
 net/wol/Makefile                                             | 2 +-
 net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wol/Makefile b/net/wol/Makefile
index 90f4508aac..4bdc753546 100644
--- a/net/wol/Makefile
+++ b/net/wol/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wol
 PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	3
+PLUGIN_REVISION=	4
 PLUGIN_DEPENDS=		wol
 PLUGIN_COMMENT=		Wake on LAN Service
 
diff --git a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml
index 5103b5c239..9d27ff8389 100644
--- a/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml
+++ b/net/wol/src/opnsense/mvc/app/models/OPNsense/Wol/ACL/ACL.xml
@@ -4,6 +4,7 @@
         <patterns>
             <pattern>ui/wol/*</pattern>
             <pattern>api/wol/wol/*</pattern>
+            <pattern>api/diagnostics/interface/get_arp*</pattern>
         </patterns>
     </page-services-wakeonlan>
 </acl>

From 855c662052910058f515e6c00d0cc180c9be7784 Mon Sep 17 00:00:00 2001
From: GitHoubi <99397913+GitHoubi@users.noreply.github.com>
Date: Fri, 20 Mar 2026 12:10:37 +0100
Subject: [PATCH 3034/3088] os-nginx: fix setup command paths for nginx and
 php_fpm (#5335)

Co-authored-by: GitHoubi <openclaw@houbi.ch>
---
 www/nginx/src/opnsense/scripts/nginx/setup.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 8d1c7af503..4b48c5e7ca 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -354,7 +354,7 @@ function find_ca($refid)
 chmod('/usr/local/etc/nginx/tls_fingerprints.json', 0644);
 
 // test config and exit early if it not good
-$conf_test_errors = shell_safe('nginx -t -q 2>&1');
+$conf_test_errors = shell_safe('/usr/local/sbin/nginx -t -q 2>&1');
 if (!empty($conf_test_errors)) {
     syslog(LOG_EMERG, $conf_test_errors);
     closelog();
@@ -364,4 +364,4 @@ function find_ca($refid)
 syslog(LOG_DEBUG, "NGINX setup routine completed.");
 closelog();
 
-pass_safe('/usr/local/etc/rc.d/php-fpm start');
+pass_safe('/usr/local/etc/rc.d/php_fpm start');

From 4430e38986f4556230ab72664260977f15baabc4 Mon Sep 17 00:00:00 2001
From: Maurice Walker <maurice@walker.earth>
Date: Fri, 20 Mar 2026 13:26:14 +0100
Subject: [PATCH 3035/3088] net/tayga: relax RFC 6052 restrictions (#5321)

Allow non-global IPv4 addresses when using Well-Known Prefix 64:ff9b::/96
---
 net/tayga/Makefile                                            | 2 +-
 net/tayga/pkg-descr                                           | 4 ++++
 .../src/opnsense/service/templates/OPNsense/Tayga/tayga.conf  | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/tayga/Makefile b/net/tayga/Makefile
index e6f3f582b4..2126027b38 100644
--- a/net/tayga/Makefile
+++ b/net/tayga/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tayga
-PLUGIN_VERSION=		1.4
+PLUGIN_VERSION=		1.5
 PLUGIN_COMMENT=		Tayga NAT64
 PLUGIN_DEPENDS=		tayga
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/net/tayga/pkg-descr b/net/tayga/pkg-descr
index 347391cc3a..625f7d2bd0 100644
--- a/net/tayga/pkg-descr
+++ b/net/tayga/pkg-descr
@@ -7,6 +7,10 @@ networks where dedicated NAT64 hardware would be overkill.
 Plugin Changelog
 ================
 
+1.5
+
+* Allow non-global IPv4 addresses when using 64:ff9b::/96 (contributed by Maurice Walker)
+
 1.4
 
 * Enable forwarding of UDP packets with zero checksum (contributed by Maurice Walker)
diff --git a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
index 6441f1f9c7..9f566e35a3 100644
--- a/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
+++ b/net/tayga/src/opnsense/service/templates/OPNsense/Tayga/tayga.conf
@@ -3,6 +3,7 @@
 tun-device nat64
 data-dir /var/db/tayga
 udp-cksum-mode fwd
+wkpf-strict no
 
 ipv4-addr {{ OPNsense.tayga.general.v4address }}
 {% if helpers.exists('OPNsense.tayga.general.v6address') and OPNsense.tayga.general.v6address != '' %}

From 9c047f8733e46b4abd8684a614626a08b7aacc2b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 23 Mar 2026 16:57:48 +0100
Subject: [PATCH 3036/3088] www/OPNProxy: fix issue with 2e56601903b39bba

---
 www/OPNProxy/Makefile                               | 2 +-
 www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/www/OPNProxy/Makefile b/www/OPNProxy/Makefile
index d134b25984..dec6827390 100644
--- a/www/OPNProxy/Makefile
+++ b/www/OPNProxy/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		OPNProxy
 PLUGIN_VERSION=		1.0.5
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		OPNsense proxy additions
 PLUGIN_DEPENDS=		os-redis${PLUGIN_PKGSUFFIX} \
 			os-squid${PLUGIN_PKGSUFFIX} \
diff --git a/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc b/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
index bf63709460..6a3a2567e6 100644
--- a/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
+++ b/www/OPNProxy/src/etc/inc/plugins.inc.d/opnproxy.inc
@@ -36,7 +36,7 @@ function opnproxy_configure()
 
 function opnproxy_user_changed($unused, $username = '')
 {
-    mwexecf('/usr/local/opnsense/scripts/OPNProxy/redis_sync_users.py %', $username);
+    mwexecf('/usr/local/opnsense/scripts/OPNProxy/redis_sync_users.py %s', $username);
 }
 
 function opnproxy_webproxy($verbose = false, $action = null)

From a24a88b0385cee1cf5c66a4b91cb468a636a0386 Mon Sep 17 00:00:00 2001
From: JNikodemus <jnikodemus@users.noreply.github.com>
Date: Mon, 23 Mar 2026 19:18:14 +0100
Subject: [PATCH 3037/3088] dns/ddclient hetzner existing record update patch
 (#5188)

* Update hetzner.py

Added workaround for API bug on update record. Thanks to @arcanconsulting

* Update hetzner.py

Added LOG_NOTICE for deletion.

* Update hetzner.py

Updated _update method. No workaround needed.

* Update hetzner.py

fix: correct indentation of return statement in _update_record

* Update hetzner.py

fix: removed ttl from _update_record as its not supported (thanks to Ollienator).

* Removed _get_record() and existence-check of zone to save API-Calls. Thanks to @TheRealBecks

* restored filepermissions to 755 and removed useless comment

* removed links and added original whitespaces.

* removed whitespace on line 62

---------

Co-authored-by: Julian Nikodemus <dev@nkdms.de>
---
 .../scripts/ddclient/lib/account/hetzner.py   | 112 +++++++-----------
 1 file changed, 42 insertions(+), 70 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
index a066269ea5..be72e7e4d8 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
@@ -34,7 +34,23 @@
 from . import BaseAccount
 
 
-class Hetzner(BaseAccount):
+class HetznerAccount(BaseAccount):
+
+    def _extract_record_name(self, hostname, zone_name):
+        """Extract record name from hostname, handling FQDN format"""
+        hostname = hostname.rstrip('.')
+        if hostname.endswith('.' + zone_name):
+            record_name = hostname[:-len(zone_name) - 1]
+        elif hostname == zone_name:
+            record_name = '@'
+        else:
+            record_name = hostname
+        if not record_name or record_name == '@':
+            record_name = '@'
+        return record_name
+
+
+class Hetzner(HetznerAccount):
     """
     Hetzner Cloud DNS API provider
     Uses the new Cloud API (api.hetzner.cloud)
@@ -115,52 +131,44 @@ def _get_zone_id(self, headers):
 
         return zone_id
 
-    def _get_record(self, headers, zone_id, record_name, record_type):
-        """Get existing record by name and type"""
+    def _delete_record(self, headers, zone_id, record_name, record_type):
+        """Delete existing record"""
         url = f"{self._api_base}/zones/{zone_id}/rrsets/{record_name}/{record_type}"
-
-        response = requests.get(url, headers=headers)
-
-        if response.status_code == 404:
-            return None
-
-        if response.status_code != 200:
+        response = requests.delete(url, headers=headers)
+        if response.status_code not in [200, 201, 204]:
             syslog.syslog(
                 syslog.LOG_ERR,
-                "Account %s error fetching record: HTTP %d - %s" % (
+                "Account %s error deleting record for update: HTTP %d - %s" % (
                     self.description, response.status_code, response.text
                 )
             )
-            return None
-
-        try:
-            payload = response.json()
-            return payload.get('rrset')
-        except requests.exceptions.JSONDecodeError:
+            return False
+        if self.is_verbose:
             syslog.syslog(
-                syslog.LOG_ERR,
-                "Account %s error parsing JSON response: %s" % (self.description, response.text)
+                syslog.LOG_NOTICE,
+                "Account %s deleted record: %s type: %s" % (
+                    self.description, record_name, record_type
+                )
             )
-            return None
+        return True
 
     def _update_record(self, headers, zone_id, record_name, record_type, address):
         """Update existing record with new address"""
-        url = f"{self._api_base}/zones/{zone_id}/rrsets/{record_name}/{record_type}"
-
+        url = f"{self._api_base}/zones/{zone_id}/rrsets/{record_name}/{record_type}/actions/set_records"
         data = {
-            'records': [{'value': str(address)}],
-            'ttl': int(self.settings.get('ttl', 300))
+            'records': [{
+               'value': str(address)
+            }]
         }
-
-        response = requests.put(url, headers=headers, json=data)
-
-        if response.status_code != 200:
+        response = requests.post(url, headers=headers, json=data)
+        if response.status_code not in [200, 201]:
             syslog.syslog(
                 syslog.LOG_ERR,
                 "Account %s error updating record: HTTP %d - %s" % (
                     self.description, response.status_code, response.text
                 )
             )
+
             return False
 
         if self.is_verbose:
@@ -205,22 +213,6 @@ def _create_record(self, headers, zone_id, record_name, record_type, address):
 
         return True
 
-    def _extract_record_name(self, hostname, zone_name):
-        """Extract record name from hostname, handling FQDN format"""
-        hostname = hostname.rstrip('.')
-
-        if hostname.endswith('.' + zone_name):
-            record_name = hostname[:-len(zone_name) - 1]
-        elif hostname == zone_name:
-            record_name = '@'
-        else:
-            record_name = hostname
-
-        if not record_name or record_name == '@':
-            record_name = '@'
-
-        return record_name
-
     def execute(self):
         if super().execute():
             record_type = "AAAA" if ':' in str(self.current_address) else "A"
@@ -253,14 +245,10 @@ def execute(self):
                             self.description, hostname, record_name, record_type, self.current_address
                         )
                     )
-
-                existing = self._get_record(headers, zone_id, record_name, record_type)
-
-                if existing:
-                    success = self._update_record(
-                        headers, zone_id, record_name, record_type, self.current_address
-                    )
-                else:
+                success = self._update_record(
+                    headers, zone_id, record_name, record_type, self.current_address
+                )
+                if not success:
                     success = self._create_record(
                         headers, zone_id, record_name, record_type, self.current_address
                     )
@@ -282,7 +270,7 @@ def execute(self):
         return False
 
 
-class HetznerLegacy(BaseAccount):
+class HetznerLegacy(HetznerAccount):
     """
     Hetzner DNS Console (Legacy) API provider
     Uses the old API at dns.hetzner.com - will be shut down May 2026
@@ -468,22 +456,6 @@ def _create_record(self, headers, zone_id, record_name, record_type, address):
 
         return True
 
-    def _extract_record_name(self, hostname, zone_name):
-        """Extract record name from hostname, handling FQDN format"""
-        hostname = hostname.rstrip('.')
-
-        if hostname.endswith('.' + zone_name):
-            record_name = hostname[:-len(zone_name) - 1]
-        elif hostname == zone_name:
-            record_name = '@'
-        else:
-            record_name = hostname
-
-        if not record_name or record_name == '@':
-            record_name = '@'
-
-        return record_name
-
     def execute(self):
         if super().execute():
             record_type = "AAAA" if ':' in str(self.current_address) else "A"
@@ -542,4 +514,4 @@ def execute(self):
                 self.update_state(address=self.current_address)
                 return True
 
-        return False
+        return False
\ No newline at end of file

From 27d00b7c707b86a9424a703813d5a5c2c7ec1bc8 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 24 Mar 2026 11:18:07 +0100
Subject: [PATCH 3038/3088] net/frr: clear revision

---
 net/frr/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index a488ddeb12..b5a3cb8bd9 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		frr
 PLUGIN_VERSION=		1.51
-PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 6f80f6882b21c16ec2f8fc2d9874bd94d90ef1db Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 24 Mar 2026 11:19:45 +0100
Subject: [PATCH 3039/3088] dns/ddclient: update revision

---
 dns/ddclient/Makefile  | 2 +-
 dns/ddclient/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 77279351aa..39c6db3b6e 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.30
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/dns/ddclient/pkg-descr b/dns/ddclient/pkg-descr
index e143286c26..4fb318ec9f 100644
--- a/dns/ddclient/pkg-descr
+++ b/dns/ddclient/pkg-descr
@@ -9,6 +9,7 @@ Plugin Changelog
 1.30
 
 * Add native backend support for Hostinger (contributed by Leandro Scardua)
+* Fix Hetzner existing record update (contributed by Julian Nikodemus)
 * Fix PowerDNS URL validation
 
 1.29

From 13c5cea88c768820c47aa9f544a8b355d58bc366 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 24 Mar 2026 11:21:30 +0100
Subject: [PATCH 3040/3088] www/nginx: update revision

---
 www/nginx/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 1d8bbd8b7d..77b40c010c 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		nginx
 PLUGIN_VERSION=		1.36
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com

From 678a930dfb4c6815473b9b426cc8af603c1c7dea Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Tue, 24 Mar 2026 18:09:00 +0200
Subject: [PATCH 3041/3088] security/acme-client: add deploy hook truenas_ws
 (#5309)

---
 security/acme-client/Makefile                 |  2 +-
 security/acme-client/pkg-descr                |  5 ++
 .../AcmeClient/forms/dialogAction.xml         | 25 +++++++++-
 .../AcmeClient/LeAutomation/AcmeTruenasWS.php | 48 +++++++++++++++++++
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 24 +++++++++-
 5 files changed, 100 insertions(+), 4 deletions(-)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 3d9fa6fafb..9d6b4ec8ed 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.14
+PLUGIN_VERSION=		4.15
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 7872c70764..de51a11b12 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.15
+
+Added:
+* add support for deploy hook "truenas_ws" (#5309)
+
 4.14
 
 Fixed:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 865546d336..4774435876 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -387,7 +387,7 @@
         <id>action.acme_truenas_hostname</id>
         <label>TrueNAS hostname</label>
         <type>text</type>
-        <help>Hostname or IP address of TrueNAS Core Server.</help>
+        <help>Hostname or IP address of TrueNAS Server.</help>
     </field>
     <field>
         <id>action.acme_truenas_scheme</id>
@@ -395,6 +395,29 @@
         <type>dropdown</type>
         <help>Connection scheme that will be used when uploading certificates to TrueNAS Core Server.</help>
     </field>
+    <field>
+        <label>Required Parameters</label>
+        <type>header</type>
+        <style>method_table method_table_acme_truenasws</style>
+    </field>
+    <field>
+        <id>action.acme_truenasws_apikey</id>
+        <label>TrueNAS API key</label>
+        <type>text</type>
+        <help>API key generated in the TrueNAS web UI.</help>
+    </field>
+    <field>
+        <id>action.acme_truenasws_hostname</id>
+        <label>TrueNAS hostname</label>
+        <type>text</type>
+        <help>Hostname or IP address of TrueNAS Server.</help>
+    </field>
+    <field>
+        <id>action.acme_truenasws_protocol</id>
+        <label>TrueNAS protocol</label>
+        <type>dropdown</type>
+        <help>Connection scheme that will be used when uploading certificates to TrueNAS Server.</help>
+    </field>
     <field>
         <label>Required Parameters</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php
new file mode 100644
index 0000000000..8b9e0bea33
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Konstantinos Spartalis (cspartalis@potatonetworks.com)
+ * Copyright (C) 2023 Jan Winkler
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\AcmeClient\LeAutomation;
+
+use OPNsense\AcmeClient\LeAutomationInterface;
+
+/**
+ * Run acme.sh deploy hook truenas_ws
+ * @package OPNsense\AcmeClient
+ */
+class AcmeTruenasWS extends Base implements LeAutomationInterface
+{
+    public function prepare()
+    {
+        $this->acme_env['DEPLOY_TRUENAS_APIKEY'] = (string)$this->config->acme_truenasws_apikey;
+        $this->acme_env['DEPLOY_TRUENAS_HOSTNAME'] = (string)$this->config->acme_truenasws_hostname;
+        $this->acme_env['DEPLOY_TRUENAS_PROTOCOL'] = (string)$this->config->acme_truenasws_protocol;
+        $this->acme_args[] = '--deploy-hook truenas_ws --insecure';
+        return true;
+    }
+}
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 5569efaabb..a9cf430fa2 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>4.3.0</version>
+    <version>4.3.1</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -1430,7 +1430,8 @@
                         <acme_ruckus>Upload certificate to Ruckus controller</acme_ruckus>
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
-                        <acme_truenas>Upload certificate to TrueNAS Core Server</acme_truenas>
+                        <acme_truenas>Upload certificate to TrueNAS Server (deprecated API)</acme_truenas>
+                        <acme_truenasws>Upload certificate to TrueNAS Server (Websocket API)</acme_truenasws>
                         <acme_zyxel_gs1900>Upload certificate to Zyxel GS1900 series switches</acme_zyxel_gs1900>
                         <acme_unifi>Update local Unifi keystore</acme_unifi>
                         <configd_generic>System or Plugin Command</configd_generic>
@@ -1744,6 +1745,25 @@
                         <https>HTTPS</https>
                     </OptionValues>
                 </acme_truenas_scheme>
+                <acme_truenasws_apikey type="TextField">
+                    <Required>N</Required>
+                    <Mask>/^.{1,1024}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_truenasws_apikey>
+                <acme_truenasws_hostname type="HostnameField">
+                    <Default>localhost</Default>
+                    <Required>N</Required>
+                    <Mask>/^.{1,1024}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_truenasws_hostname>
+                <acme_truenasws_protocol type="OptionField">
+                    <Default>ws</Default>
+                    <Required>N</Required>
+                    <OptionValues>
+                        <ws>ws [default]</ws>
+                        <wss>wss</wss>
+                    </OptionValues>
+                </acme_truenasws_protocol>
                 <acme_unifi_keystore type="TextField">
                     <Default>/usr/local/share/java/unifi/data/keystore</Default>
                     <Required>N</Required>

From fe22642209b9c7a035efebdc400ce1ab0efe569d Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 24 Mar 2026 17:17:42 +0100
Subject: [PATCH 3042/3088] security/acme-client: fix truenas_ws filename, refs
 #5309

---
 .../LeAutomation/{AcmeTruenasWS.php => AcmeTruenasws.php}         | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{AcmeTruenasWS.php => AcmeTruenasws.php} (100%)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php
similarity index 100%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php

From 8788b22a166fe257f2b87e083ba4a0bbc6f503f5 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 24 Mar 2026 17:52:54 +0100
Subject: [PATCH 3043/3088] security/acme-client: update changelog

---
 security/acme-client/pkg-descr | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index de51a11b12..dfa6ce841e 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -13,6 +13,9 @@ Plugin Changelog
 Added:
 * add support for deploy hook "truenas_ws" (#5309)
 
+Changed:
+* always use configured cert name in cert description (#5282)
+
 4.14
 
 Fixed:

From 1e584c803b71dba8e6a37bd58e40d5e58e8d40e8 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 24 Mar 2026 18:18:56 +0100
Subject: [PATCH 3044/3088] net/turnserver: modernize UI template

---
 net/turnserver/pkg-descr                      |  3 ++
 .../app/views/OPNsense/Turnserver/index.volt  | 46 +++++++++++--------
 2 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
index 3b816781b2..2c23225720 100644
--- a/net/turnserver/pkg-descr
+++ b/net/turnserver/pkg-descr
@@ -6,6 +6,9 @@ WWW: https://github.com/coturn/coturn
 Plugin Changelog
 ================
 
+Changed:
+* modernize UI template
+
 1.1
 
 Added:
diff --git a/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt b/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
index 950b9d7685..8e43f89ffc 100644
--- a/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
+++ b/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
@@ -1,6 +1,6 @@
 {#
 
-Copyright (C) 2025 Frank Wall
+Copyright (C) 2025-2026 Frank Wall
 OPNsense® is Copyright © 2014 – 2015 by Deciso B.V.
 All rights reserved.
 
@@ -28,30 +28,36 @@ POSSIBILITY OF SUCH DAMAGE.
 #}
 
 <script>
-    $( document ).ready(function() {
-        mapDataToFormUI({'frm_Settings':"/api/turnserver/settings/get"}).done(function(data){
+    $(document).ready(function() {
+        mapDataToFormUI({'frm_Settings': "/api/turnserver/settings/get"}).done(function() {
             formatTokenizersUI();
+            $('.selectpicker').selectpicker('refresh');
         });
-
-        // link save button to API set action
-        $("#saveAct").click(function(){
-            saveFormToEndpoint("/api/turnserver/settings/set",'frm_Settings',function(){
-                // reconfigure service
-                ajaxCall(url="/api/turnserver/service/reconfigure", sendData={},callback=function(data,status) {
-                });
-            });
+        updateServiceControlUI('turnserver');
+        $("#reconfigureAct").SimpleActionButton({
+            onPreAction: function() {
+                const dfObj = new $.Deferred();
+                saveFormToEndpoint(
+                    "/api/turnserver/settings/set",
+                    'frm_Settings',
+                    function() {
+                        dfObj.resolve();
+                    },
+                    true,
+                    function() {
+                        dfObj.reject();
+                    }
+                );
+                return dfObj.promise();
+            },
+            onAction: function() {
+                updateServiceControlUI('turnserver');
+            }
         });
     });
 </script>
 
-<div class="alert alert-info hidden" role="alert" id="responseMsg">
-
-</div>
-
-<div  class="col-md-12">
+<div class="content-box">
     {{ partial("layout_partials/base_form",['fields':settingsForm,'id':'frm_Settings'])}}
 </div>
-
-<div class="col-md-12">
-    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b></button>
-</div>
+{{ partial('layout_partials/base_apply_button', {'data_endpoint': '/api/turnserver/service/reconfigure', 'data_service_widget': 'turnserver'}) }}

From f9ad70c77cb977c1690d42a8566c1361e3f5c874 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 24 Mar 2026 18:37:15 +0100
Subject: [PATCH 3045/3088] net/turnserver: add support for external-ip, closes
 #4906

---
 net/turnserver/pkg-descr                                  | 3 +++
 .../controllers/OPNsense/Turnserver/forms/settings.xml    | 8 ++++++++
 .../mvc/app/models/OPNsense/Turnserver/Turnserver.xml     | 6 ++++++
 .../service/templates/OPNsense/Turnserver/turnserver.conf | 5 +++++
 4 files changed, 22 insertions(+)

diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
index 2c23225720..7eebdd4f79 100644
--- a/net/turnserver/pkg-descr
+++ b/net/turnserver/pkg-descr
@@ -6,6 +6,9 @@ WWW: https://github.com/coturn/coturn
 Plugin Changelog
 ================
 
+Added:
+* add support for external IPs and IP mappings (#4906)
+
 Changed:
 * modernize UI template
 
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
index f16808f18c..9652bef47e 100644
--- a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
@@ -35,6 +35,14 @@
         <type>text</type>
         <help>Upper bound of the UDP relay endpoints (Default: 65535).</help>
     </field>
+    <field>
+        <id>turnserver.settings.ExternalIP</id>
+        <label>External IP</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <allownew>true</allownew>
+        <help>If the TURN service is behind a NAT, it's external IP address should be specified. When using multiple external IP addresses, IP Mappings should be used instead, i.e. 60.70.80.91/172.17.19.101 (public-ip/private-ip).</help>
+    </field>
     <field>
         <label>TLS Support</label>
         <type>header</type>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
index 47aae5f065..525171633b 100644
--- a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
@@ -25,6 +25,12 @@
                 <Default>65535</Default>
                 <Required>Y</Required>
             </MaxPort>
+            <ExternalIP type="CSVListField">
+                <Required>N</Required>
+                <Multiple>Y</Multiple>
+                <Mask>/^((([0-9a-zA-Z._\-]+[\/0-9a-zA-Z._\-]*)([,]){0,1}))*/u</Mask>
+                <ValidationMessage>Please provide an external IP address or an IP mapping, i.e. 60.70.80.91/172.17.19.101.</ValidationMessage>
+            </ExternalIP>
             <TlsEnabled type="BooleanField">
                 <Default>0</Default>
                 <Required>Y</Required>
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
index f5442f1d9d..7b8d15bd2e 100644
--- a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
@@ -7,6 +7,11 @@ listening-ip={{ listenip }}
 listening-port={{ OPNsense.turnserver.settings.ListenPort }}
 min-port={{ OPNsense.turnserver.settings.MinPort }}
 max-port={{ OPNsense.turnserver.settings.MaxPort }}
+{% if helpers.exists('OPNsense.turnserver.settings.ExternalIP') and OPNsense.turnserver.settings.ExternalIP|default("") != "" %}
+{%   for externalip in OPNsense.turnserver.settings.ExternalIP.split(",") %}
+external-ip={{ externalip }}
+{%   endfor %}
+{% endif %}
 
 # TLS
 {% if helpers.exists('OPNsense.turnserver.settings.TlsEnabled') and OPNsense.turnserver.settings.TlsEnabled|default("") == "1" %}

From 52f68df15c96c9d0d666222940e414e90b454477 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 24 Mar 2026 18:39:03 +0100
Subject: [PATCH 3046/3088] net/turnserver: bump version

---
 net/turnserver/Makefile  | 2 +-
 net/turnserver/pkg-descr | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/turnserver/Makefile b/net/turnserver/Makefile
index 9fbad5318f..8a863dd178 100644
--- a/net/turnserver/Makefile
+++ b/net/turnserver/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		turnserver
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		The coturn STUN/TURN Server
 PLUGIN_DEPENDS=		turnserver
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
index 7eebdd4f79..27ac200fd5 100644
--- a/net/turnserver/pkg-descr
+++ b/net/turnserver/pkg-descr
@@ -6,6 +6,8 @@ WWW: https://github.com/coturn/coturn
 Plugin Changelog
 ================
 
+1.2
+
 Added:
 * add support for external IPs and IP mappings (#4906)
 

From 3ec12a40ecba27b75dd1016d42a36d977c00277a Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Thu, 26 Mar 2026 17:57:05 +0200
Subject: [PATCH 3047/3088] Contributing: typo (#5351)

---
 .github/pull_request_template.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 6cafeef0e0..51fc8770fe 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,7 +1,7 @@
 **Important notices**
 Before you submit a pull request, we ask you kindly to acknowledge the following:
 
-- [ ] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
+- [ ] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
 - [ ] I opened an issue first for non-trivial changes and linked it below.
 - [ ] AI tools were used to create at least part of the code submitted herewith.
 

From fd6d2de572aa0714406217e8f3486c19df8f622e Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Thu, 26 Mar 2026 17:57:34 +0200
Subject: [PATCH 3048/3088] plugins: use Konstantinos' real name in historic
 mentions (#5352)

---
 net-mgmt/telegraf/pkg-descr | 2 +-
 security/clamav/pkg-descr   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net-mgmt/telegraf/pkg-descr b/net-mgmt/telegraf/pkg-descr
index 70c56c7d57..367925c76a 100644
--- a/net-mgmt/telegraf/pkg-descr
+++ b/net-mgmt/telegraf/pkg-descr
@@ -18,7 +18,7 @@ Plugin Changelog
 
 1.12.13
 
-* Implement memory_saving_mode formerly named enable_file_download (contributed by sopex)
+* Implement memory_saving_mode formerly named enable_file_download (contributed by Konstantinos Spartalis)
 
 1.12.12
 
diff --git a/security/clamav/pkg-descr b/security/clamav/pkg-descr
index d54ada5824..52dd3caafb 100644
--- a/security/clamav/pkg-descr
+++ b/security/clamav/pkg-descr
@@ -11,7 +11,7 @@ Plugin Changelog
 
 1.8.1
 
-* Fixed detect broken executables option (contributed by sopex)
+* Fixed detect broken executables option (contributed by Konstantinos Spartalis)
 
 1.8
 

From d0d9a7ffb23d2660696f187d5d652aaecc6ff53f Mon Sep 17 00:00:00 2001
From: Maxfield Allison <42394355+maxfield-allison@users.noreply.github.com>
Date: Fri, 27 Mar 2026 03:55:15 -0500
Subject: [PATCH 3049/3088] net/frr: add BGP maximum-paths support for ECMP
 (#5340)

---
 net/frr/Makefile                                   |  2 +-
 net/frr/pkg-descr                                  |  4 ++++
 .../app/controllers/OPNsense/Quagga/forms/bgp.xml  | 14 ++++++++++++++
 .../mvc/app/models/OPNsense/Quagga/BGP.xml         | 10 ++++++++++
 .../service/templates/OPNsense/Quagga/bgpd.conf    |  6 ++++++
 5 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/net/frr/Makefile b/net/frr/Makefile
index b5a3cb8bd9..c7de56a079 100644
--- a/net/frr/Makefile
+++ b/net/frr/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		frr
-PLUGIN_VERSION=		1.51
+PLUGIN_VERSION=		1.52
 PLUGIN_COMMENT=		The FRRouting Protocol Suite
 PLUGIN_DEPENDS=		frr10-pythontools
 PLUGIN_MAINTAINER=	ad@opnsense.org
diff --git a/net/frr/pkg-descr b/net/frr/pkg-descr
index 03a39c9477..f29324599b 100644
--- a/net/frr/pkg-descr
+++ b/net/frr/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://frrouting.org/
 Plugin Changelog
 ================
 
+1.52
+
+* Add BGP maximum-paths support for ECMP multipath (contributed by maxfield-allison) (opnsense/plugins#4878)
+
 1.51
 
 * Add per-neighbor local-as option for BGP (contributed by danohn) (opnsense/plugins/pull/5308)
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
index 5b1e02975a..5be7fb2e2e 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/bgp.xml
@@ -67,4 +67,18 @@
         <type>checkbox</type>
         <help>Enable extended logging of BGP neighbor changes.</help>
     </field>
+    <field>
+        <id>bgp.maximumpaths</id>
+        <label>Maximum Paths</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Maximum number of equal-cost paths for EBGP multipath (ECMP). Leave empty to use FRR default (1).</help>
+    </field>
+    <field>
+        <id>bgp.maximumpathsibgp</id>
+        <label>Maximum Paths (IBGP)</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Maximum number of equal-cost paths for IBGP multipath (ECMP). Leave empty to use FRR default (1).</help>
+    </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
index 6767a387a3..788dd67b79 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BGP.xml
@@ -48,6 +48,16 @@
             </OptionValues>
             <Multiple>Y</Multiple>
         </bestpath>
+        <maximumpaths type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>128</MaximumValue>
+            <ValidationMessage>The value shall be between 1 and 128 or left empty to use the default.</ValidationMessage>
+        </maximumpaths>
+        <maximumpathsibgp type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>128</MaximumValue>
+            <ValidationMessage>The value shall be between 1 and 128 or left empty to use the default.</ValidationMessage>
+        </maximumpathsibgp>
         <neighbors>
             <neighbor type="ArrayField">
                 <enabled type="BooleanField">
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 1681660eee..7f151cf92e 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -170,6 +170,12 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 
 {%  for addressFamily in addressFamilies %}
  address-family {{ addressFamily }} unicast
+{%   if helpers.exists('OPNsense.quagga.bgp.maximumpaths') and OPNsense.quagga.bgp.maximumpaths != '' %}
+  maximum-paths {{ OPNsense.quagga.bgp.maximumpaths }}
+{%   endif %}
+{%   if helpers.exists('OPNsense.quagga.bgp.maximumpathsibgp') and OPNsense.quagga.bgp.maximumpathsibgp != '' %}
+  maximum-paths ibgp {{ OPNsense.quagga.bgp.maximumpathsibgp }}
+{%   endif %}
 {%   for redistribution in helpers.toList('OPNsense.quagga.bgp.redistributions.redistribution') %}
 {%     if redistribution.enabled == '1' %}
  redistribute {{ redistribution.redistribute }}{% if redistribution.linkedRoutemap %} route-map {{ helpers.getUUID(redistribution.linkedRoutemap).name }}{% endif +%}

From d1ebcc49ad97c84b3b2561a967022cc7c60feeef Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 29 Mar 2026 10:42:41 +0200
Subject: [PATCH 3050/3088] security/q-feeds-connector - ignore "pass" log
 lines for `qfeedsctl.py logs`, closes
 https://github.com/opnsense/plugins/issues/5349

---
 .../src/opnsense/scripts/qfeeds/lib/log.py                | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
index d3aca4ee2e..8f9777c5ce 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/log.py
@@ -61,6 +61,8 @@ def _parse_log_line(line):
         # quick scan for datetime, interface, direction, source, dest, source_port, dest_port
         parts = line.split()
         fw_line = parts[-1].split(',') # strip syslog
+        if fw_line[6] == 'pass':
+            return []
         ip_addresses = [x for x in fw_line if is_ip_address(x)]
         # Find destination IP position to get ports from next fields (only if numeric)
         dest_idx = fw_line.index(ip_addresses[1]) if len(ip_addresses) > 1 else len(fw_line)
@@ -77,8 +79,10 @@ def find(self, max_time=60, max_results=50000):
                 for idx, line in enumerate(f_in):
                     for rule_id in self._rule_ids:
                         if rule_id in line:
-                            result.append(self._parse_log_line(line))
-                            rows_processed +=1
+                            lline = self._parse_log_line(line)
+                            if lline:
+                                result.append(lline)
+                                rows_processed +=1
                             break # inner loop
                     if (idx % 100000 == 0 and time.time() - start_time > max_time) or rows_processed >= max_results:
                         return result

From 2d3ee9f491b9fa067688a095d762eac4b0d2d430 Mon Sep 17 00:00:00 2001
From: cakallie <104972829+cakallie@users.noreply.github.com>
Date: Fri, 3 Apr 2026 14:55:45 +0200
Subject: [PATCH 3051/3088] dns/ddclient: add all-inkl.com KAS API DynDNS
 provider (#5339)

* dns/ddclient: add all-inkl.com KAS API DynDNS provider

Adds a new Python provider for all-inkl.com hosting using the KAS SOAP API
(KasApi.wsdl). Supports A and AAAA records, including root (@) and wildcard (*)
entries. Credentials are passed per-request (no separate auth step).

- allinkl.py: new provider class AllInkl, service key 'allinkl'
- dialogAccount.xml: show Zone field for service_allinkl
- DynDNS.xml: add allinkl to static service list (ddclient backend fallback)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* dns/ddclient: address review feedback for all-inkl.com provider

- Remove allinkl entry from DynDNS.xml; known_services() handles
  registration automatically for Python providers
- Replace regex-based XML parsing with xml.etree.ElementTree:
  fault detection, record lookup and update success check
- Also catches ET.ParseError for malformed responses
- Fix German comments in docstring to English

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Carsten <carsten@kallies-net.de>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../OPNsense/DynDNS/forms/dialogAccount.xml   |   2 +-
 .../scripts/ddclient/lib/account/allinkl.py   | 337 ++++++++++++++++++
 2 files changed, 338 insertions(+), 1 deletion(-)
 create mode 100644 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/allinkl.py

diff --git a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
index 0ffcf2040e..3ada63a843 100644
--- a/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
+++ b/dns/ddclient/src/opnsense/mvc/app/controllers/OPNsense/DynDNS/forms/dialogAccount.xml
@@ -62,7 +62,7 @@
         <id>account.zone</id>
         <label>Zone</label>
         <type>text</type>
-        <style>optional_setting service_aws service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner service_digitalocean service_dnspodcn</style>
+        <style>optional_setting service_aws service_zoneedit1 service_cloudflare service_nsupdate service_gandi service_godaddy service_nfsn service_hetzner service_digitalocean service_dnspodcn service_allinkl</style>
         <help>Zone containing the host entry.</help>
     </field>
     <field>
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/allinkl.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/allinkl.py
new file mode 100644
index 0000000000..c799f62884
--- /dev/null
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/allinkl.py
@@ -0,0 +1,337 @@
+"""
+    Copyright (c) 2026 Carsten Kallies
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+    all-inkl.com KAS API DynDNS provider for OPNsense ddclient.
+
+    Uses the KAS SOAP API (KasApi.wsdl) to update A/AAAA records.
+
+    API endpoint: https://kasapi.kasserver.com/soap/KasApi.php
+    WSDL:         https://kasapi.kasserver.com/soap/wsdl/KasApi.wsdl
+
+    UI fields:
+      username  - KAS login (all-inkl username, e.g. "w0xxxxx")
+      password  - KAS password (plaintext, transmitted over HTTPS)
+      hostnames - FQDN(s) to update, comma-separated (e.g. "example.com,*.example.com")
+      zone      - DNS zone (e.g. "example.com"); derived from hostname if left empty
+"""
+import json
+import syslog
+import time
+import xml.etree.ElementTree as ET
+
+import requests
+
+from . import BaseAccount
+
+
+class AllInkl(BaseAccount):
+    """all-inkl.com DynDNS via KAS SOAP API (KasApi)."""
+
+    _priority = 65535
+
+    _services = {
+        'allinkl': 'kasapi.kasserver.com'
+    }
+
+    _URL    = 'https://kasapi.kasserver.com/soap/KasApi.php'
+    _ACTION = '"urn:xmethodsKasApi#KasApi"'
+
+    def __init__(self, account: dict):
+        super().__init__(account)
+
+    @staticmethod
+    def known_services():
+        return {'allinkl': 'all-inkl.com (KAS API)'}
+
+    @staticmethod
+    def match(account):
+        return account.get('service') in AllInkl._services
+
+    # ------------------------------------------------------------------
+    # SOAP / KAS helpers
+    # ------------------------------------------------------------------
+
+    def _build_envelope(self, params_dict):
+        """Build a KasApi SOAP envelope. params_dict is JSON-serialised into <Params>."""
+        params_json = json.dumps(params_dict)
+        # Escape XML special characters in the JSON string
+        params_json = (params_json
+                       .replace('&', '&amp;')
+                       .replace('<', '&lt;')
+                       .replace('>', '&gt;'))
+        return (
+            '<?xml version="1.0" encoding="utf-8"?>'
+            '<SOAP-ENV:Envelope'
+            ' xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
+            ' xmlns:ns1="urn:xmethodsKasApi"'
+            ' xmlns:xsd="http://www.w3.org/2001/XMLSchema"'
+            ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
+            ' xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"'
+            ' SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
+            '<SOAP-ENV:Body>'
+            '<ns1:KasApi>'
+            '<Params xsi:type="xsd:string">' + params_json + '</Params>'
+            '</ns1:KasApi>'
+            '</SOAP-ENV:Body>'
+            '</SOAP-ENV:Envelope>'
+        )
+
+    def _kas_api(self, action, request_params):
+        """Execute a KAS API action. Returns response text or None on failure."""
+        params = {
+            'kas_login':        self.settings.get('username', ''),
+            'kas_auth_type':    'plain',
+            'kas_auth_data':    self.settings.get('password', ''),
+            'kas_action':       action,
+            'KasRequestParams': request_params,
+        }
+        envelope = self._build_envelope(params)
+
+        if self.is_verbose:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Account %s KAS action '%s' params: %s" % (
+                    self.description, action, json.dumps(request_params)
+                )
+            )
+
+        try:
+            resp = requests.post(
+                self._URL,
+                data=envelope.encode('utf-8'),
+                headers={
+                    'Content-Type': 'text/xml; charset=utf-8',
+                    'SOAPAction':   self._ACTION,
+                    'User-Agent':   'OPNsense-dyndns',
+                },
+                timeout=30
+            )
+        except requests.RequestException as exc:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s KAS request failed: %s" % (self.description, exc)
+            )
+            return None
+
+        if self.is_verbose:
+            syslog.syslog(
+                syslog.LOG_NOTICE,
+                "Account %s KAS '%s' HTTP %d: %s" % (
+                    self.description, action, resp.status_code, resp.text[:600]
+                )
+            )
+
+        try:
+            root = ET.fromstring(resp.text)
+        except ET.ParseError:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s KAS '%s' invalid XML response: %s" % (
+                    self.description, action, resp.text[:200]
+                )
+            )
+            return None
+
+        fault = root.find('.//{*}Fault')
+        if fault is not None:
+            faultstring = fault.find('{*}faultstring') or fault.find('faultstring')
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s KAS '%s' SOAP fault: %s" % (
+                    self.description, action,
+                    faultstring.text if faultstring is not None else resp.text[:200]
+                )
+            )
+            return None
+
+        return resp.text
+
+    # ------------------------------------------------------------------
+    # Response parsing
+    # ------------------------------------------------------------------
+
+    def _find_record_id(self, xml_text, record_label, record_type):
+        """
+        Parse get_dns_settings response and return record_id for the matching
+        record_name / record_type, or None.
+
+        The KAS response contains ns2:Map items with key/value pairs:
+          <item><key ...>record_name</key><value ...>dyn</value></item>
+          <item><key ...>record_type</key><value ...>A</value></item>
+          <item><key ...>record_id</key><value ...>12345</value></item>
+        """
+        root = ET.fromstring(xml_text)
+
+        for map_item in root.findall('.//{*}KasApiResponse//{*}item'):
+            kv = {}
+            for sub in map_item.findall('{*}item'):
+                key_el   = sub.find('{*}key')
+                value_el = sub.find('{*}value')
+                if key_el is not None and value_el is not None:
+                    kv[key_el.text or ''] = value_el.text or ''
+
+            if kv.get('record_name') == record_label and kv.get('record_type') == record_type:
+                return kv.get('record_id')
+
+        return None
+
+    # ------------------------------------------------------------------
+    # Zone / label helpers
+    # ------------------------------------------------------------------
+
+    def _get_zone(self, hostname):
+        """Return the DNS zone for a hostname (from config or derived)."""
+        zone = self.settings.get('zone', '').strip().rstrip('.')
+        if zone:
+            return zone
+        parts = hostname.split('.')
+        if len(parts) > 2:
+            return '.'.join(parts[1:])
+        return hostname
+
+    def _get_label(self, hostname, zone):
+        """Return the record label (left of zone) for a hostname.
+
+        Examples:
+          dyn.example.com  / zone example.com  → 'dyn'
+          *.example.com    / zone example.com  → '*'
+          example.com      / zone example.com  → ''   (root record)
+        """
+        if hostname == zone:
+            return ''
+        if hostname.endswith('.' + zone):
+            return hostname[:-len(zone) - 1]
+        return hostname.split('.')[0]
+
+    # ------------------------------------------------------------------
+    # Main entry point
+    # ------------------------------------------------------------------
+
+    def execute(self):
+        if not super().execute():
+            return False
+
+        record_type = "AAAA" if ':' in str(self.current_address) else "A"
+
+        hostnames_raw = self.settings.get('hostnames', '')
+        hostnames = [h.strip() for h in hostnames_raw.split(',') if h.strip()]
+        if not hostnames:
+            syslog.syslog(
+                syslog.LOG_ERR,
+                "Account %s no hostnames configured" % self.description
+            )
+            return False
+
+        all_success = True
+        last_zone   = None
+        dns_response = None
+
+        for hostname in hostnames:
+            zone      = self._get_zone(hostname)
+            zone_host = zone + '.'
+            label     = self._get_label(hostname, zone)
+
+            if self.is_verbose:
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s updating %s (zone: %s, label: '%s', type: %s) → %s" % (
+                        self.description, hostname, zone_host,
+                        label, record_type, self.current_address
+                    )
+                )
+
+            # Fetch DNS records once per zone (cache for multiple hostnames in same zone)
+            if zone != last_zone:
+                dns_response = self._kas_api('get_dns_settings', {'zone_host': zone_host})
+                last_zone = zone
+                if dns_response is None:
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s failed to retrieve DNS settings for %s" % (
+                            self.description, zone_host
+                        )
+                    )
+                    all_success = False
+                    continue
+                # Respect KasFloodDelay between consecutive API calls
+                time.sleep(2)
+
+            record_id = self._find_record_id(dns_response, label, record_type)
+            if record_id is None:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s record '%s' type %s not found in zone %s" % (
+                        self.description, label, record_type, zone_host
+                    )
+                )
+                all_success = False
+                continue
+
+            if self.is_verbose:
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s found record_id %s for label '%s' %s" % (
+                        self.description, record_id, label, record_type
+                    )
+                )
+
+            update_response = self._kas_api('update_dns_settings', {
+                'zone_host':   zone_host,
+                'record_id':   record_id,
+                'record_name': label,
+                'record_type': record_type,
+                'record_data': str(self.current_address),
+                'record_aux':  '0',
+            })
+
+            if update_response is None:
+                all_success = False
+                continue
+
+            update_root = ET.fromstring(update_response)
+            if any(v.text and v.text.upper() == 'TRUE'
+                   for v in update_root.findall('.//{*}value')):
+                syslog.syslog(
+                    syslog.LOG_NOTICE,
+                    "Account %s set new IP %s for %s" % (
+                        self.description, self.current_address, hostname
+                    )
+                )
+            else:
+                syslog.syslog(
+                    syslog.LOG_ERR,
+                    "Account %s update_dns_settings failed for %s: %s" % (
+                        self.description, hostname, update_response[:300]
+                    )
+                )
+                all_success = False
+
+            time.sleep(2)
+
+        if all_success:
+            self.update_state(address=self.current_address)
+            return True
+
+        return False

From 948648891ba7a8e867f5797f0987db915d0552ce Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sat, 4 Apr 2026 10:39:17 +0200
Subject: [PATCH 3052/3088] net/frr - after wwitch to watchfrr, setup.sh
 doesn't seem to be triggered, most likely
 https://github.com/opnsense/plugins/pull/5367

---
 net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
index 97d1f02c09..37919d4a23 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/frr
@@ -1,7 +1,7 @@
 {% if helpers.exists('OPNsense.quagga.general.enabled') and OPNsense.quagga.general.enabled == '1' %}
 # XXX rc.d/frr splits up defunct "frr" service into frr_daemons
 # and we always start "zebra" so for now this works:
-zebra_setup="/usr/local/opnsense/scripts/frr/setup.sh"
+watchfrr_setup="/usr/local/opnsense/scripts/frr/setup.sh"
 frr_enable="YES"
 {% if helpers.exists('OPNsense.quagga.general.enablecarp') and OPNsense.quagga.general.enablecarp == '1' %}
 start_precmd="ifconfig | grep 'carp: MASTER'"

From 1e7cf83624041d7c1f23ee8105205a376c92d0b3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 5 Apr 2026 11:52:53 +0200
Subject: [PATCH 3053/3088] net/frr - Routing: Diagnostics: OSPFv3 / routing -
 missing routes due to changed frr output. closes
 https://github.com/opnsense/plugins/issues/5252

---
 .../Quagga/Api/DiagnosticsController.php         | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index a0625a40f3..60ce0808d1 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -253,13 +253,15 @@ public function searchOspfv3routeAction($format = "json"): array
         $records = [];
         $payload = $this->configdJson("ospfv3", "route");
         if (!empty($payload['routes'])) {
-            foreach ($payload['routes'] as $net => $route) {
-                if (!empty($route['nextHops'])) {
-                    foreach ($route['nextHops'] as $nexthop) {
-                        $record = array_merge($route, $nexthop);
-                        $record['network'] = $net;
-                        $record['interfaceDescr'] = $this->getIfDesc($record['interfaceName']);
-                        $records[] = $record;
+            foreach ($payload['routes'] as $net => $routes) {
+                foreach ($routes as $route) {
+                    if (!empty($route['nextHops'])) {
+                        foreach ($route['nextHops'] as $nexthop) {
+                            $record = array_merge($route, $nexthop);
+                            $record['network'] = $net;
+                            $record['interfaceDescr'] = $this->getIfDesc($record['interfaceName']);
+                            $records[] = $record;
+                        }
                     }
                 }
             }

From 7657da6cd743c3affc0d7e9547bce21773b63461 Mon Sep 17 00:00:00 2001
From: n3wtype <marcin.matlag@gmail.com>
Date: Sun, 5 Apr 2026 11:57:24 +0200
Subject: [PATCH 3054/3088] os-frr: Add description of bgp neighbor to frr.conf
 (#5364)

Co-authored-by: Marcin Matlag <mmatlag@cloudferro.com>
---
 .../src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
index 7f151cf92e..3b1aa0ecb2 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bgpd.conf
@@ -123,6 +123,9 @@ router bgp {{ OPNsense.quagga.bgp.asnumber }}
 {%         if 'localas' in neighbor and neighbor.localas != '' %}
  neighbor {{ neighbor.address }} local-as {{ neighbor.localas }}
 {%         endif %}
+{%         if 'description' in neighbor and neighbor.description != '' %}
+ neighbor {{ neighbor.address }} description {{ neighbor.description }}
+{%         endif %}
 {%         if neighbor.bfd|default('') == '1' %}
  neighbor {{ neighbor.address }} bfd
 {%         endif %}

From d112536444128548f685ed7a89d78b180fcc6798 Mon Sep 17 00:00:00 2001
From: r3m8 <r3m8@tuta.com>
Date: Sun, 5 Apr 2026 12:01:55 +0200
Subject: [PATCH 3055/3088] net/frr: add local-address and interface options to
 BFD neighbors (#5317)

* net/frr: add local-address and interface options to BFD neighbors

* net/frr: simplify BFD template conditions

Remove unnecessary empty strings in Jinja2 template (default false).

Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com>

---------

Co-authored-by: Ad Schellevis <AdSchellevis@users.noreply.github.com>
---
 .../Quagga/forms/dialogEditBFDNeighbor.xml     | 18 ++++++++++++++++++
 .../mvc/app/models/OPNsense/Quagga/BFD.xml     | 13 ++++++++++++-
 .../templates/OPNsense/Quagga/bfdd.conf        |  2 +-
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
index c9bf3bfb3e..075dbdeb5f 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditBFDNeighbor.xml
@@ -31,6 +31,24 @@
       <formatter>boolean</formatter>
     </grid_view>
   </field>
+  <field>
+    <id>neighbor.localaddress</id>
+    <label>Local Address</label>
+    <type>text</type>
+    <help>Local IP address to bind and send packets from. Mandatory for IPv6 peers.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
+  <field>
+    <id>neighbor.interfacename</id>
+    <label>Interface</label>
+    <type>dropdown</type>
+    <help>Select interface to use for this BFD peer.</help>
+    <grid_view>
+      <visible>false</visible>
+    </grid_view>
+  </field>
   <field>
     <id>neighbor.detect_multiplier</id>
     <label>Detect multiplier</label>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
index 962ff08e6b..440018a59a 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/quagga/bfd</mount>
     <description>BFD configuration</description>
-    <version>1.0.2</version>
+    <version>1.0.3</version>
     <items>
         <enabled type="BooleanField">
             <Default>0</Default>
@@ -21,6 +21,17 @@
                     <Default>0</Default>
                     <Required>Y</Required>
                 </multihop>
+                <localaddress type="NetworkField">
+                    <Required>N</Required>
+                    <NetMaskAllowed>N</NetMaskAllowed>
+                </localaddress>
+                <interfacename type="InterfaceField">
+                    <Required>N</Required>
+                    <AllowDynamic>Y</AllowDynamic>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                    </filters>
+                </interfacename>
                 <detect_multiplier type="IntegerField">
                     <Default>3</Default>
                     <Required>Y</Required>
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
index 58db29a339..d2ebd7dd04 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
@@ -4,7 +4,7 @@ bfd
 {%   if helpers.exists('OPNsense.quagga.bfd.neighbors.neighbor') %}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bfd.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}
- peer {{ neighbor.address }} {% if neighbor.multihop|default('0') == '1' %}multihop{% endif +%}
+ peer {{ neighbor.address }}{% if neighbor.multihop|default('0') == '1' %} multihop{% endif %}{% if neighbor.localaddress %} local-address {{ neighbor.localaddress }}{% endif %}{% if neighbor.interfacename %} interface {{ neighbor.interfacename }}{% endif %}
   detect-multiplier {{ neighbor.detect_multiplier }}
   receive-interval {{ neighbor.receive_interval }}
   transmit-interval {{ neighbor.transmit_interval }}

From 56a62796f82addb842a96520887682bf40a40921 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 5 Apr 2026 12:05:29 +0200
Subject: [PATCH 3056/3088] net/frr: add local-address and interface options to
 BFD neighbors (#5317)

Fix regression, missing line ending.
---
 .../src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
index d2ebd7dd04..512e6a860c 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/bfdd.conf
@@ -4,7 +4,7 @@ bfd
 {%   if helpers.exists('OPNsense.quagga.bfd.neighbors.neighbor') %}
 {%     for neighbor in helpers.toList('OPNsense.quagga.bfd.neighbors.neighbor') %}
 {%       if neighbor.enabled == '1' %}
- peer {{ neighbor.address }}{% if neighbor.multihop|default('0') == '1' %} multihop{% endif %}{% if neighbor.localaddress %} local-address {{ neighbor.localaddress }}{% endif %}{% if neighbor.interfacename %} interface {{ neighbor.interfacename }}{% endif %}
+ peer {{ neighbor.address }}{% if neighbor.multihop|default('0') == '1' %} multihop{% endif %}{% if neighbor.localaddress %} local-address {{ neighbor.localaddress }}{% endif %}{% if neighbor.interfacename %} interface {{ neighbor.interfacename }}{% endif +%}
   detect-multiplier {{ neighbor.detect_multiplier }}
   receive-interval {{ neighbor.receive_interval }}
   transmit-interval {{ neighbor.transmit_interval }}

From 32901792ad1fadeb1430dea6774b9646b127f696 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Apr 2026 09:45:29 +0200
Subject: [PATCH 3057/3088] dns/ddclient: bump revision for now

---
 dns/ddclient/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dns/ddclient/Makefile b/dns/ddclient/Makefile
index 39c6db3b6e..b4e1a3584f 100644
--- a/dns/ddclient/Makefile
+++ b/dns/ddclient/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		ddclient
 PLUGIN_VERSION=		1.30
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_DEPENDS=		ddclient py${PLUGIN_PYTHON}-boto3
 PLUGIN_COMMENT=		Dynamic DNS client
 PLUGIN_MAINTAINER=	ad@opnsense.org

From 35508e79e153d0182771803c1e0bb63d1b948b0b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Apr 2026 09:48:16 +0200
Subject: [PATCH 3058/3088] LICENSE: sync

---
 LICENSE                                                         | 2 ++
 .../library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php  | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/LICENSE b/LICENSE
index 5239926e0a..8d6703d92b 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,6 +12,7 @@ Copyright (c) 2021 Axelrtgs
 Copyright (c) 2026 Benno Kutschenreuter
 Copyright (c) 2023 Bernhard Frenking <bernhard@frenking.eu>
 Copyright (c) 2023 Cannon Matthews <cannonmatthews@google.com>
+Copyright (c) 2026 Carsten Kallies
 Copyright (c) 2023-2026 Cedrik Pischem
 Copyright (c) 2025 Christopher Linn, BackendMedia IT-Services GmbH
 Copyright (c) 2005-2006 Colin Smith <ethethlay@gmail.com>
@@ -44,6 +45,7 @@ Copyright (c) 2015 Jos Schellevis <jos@opnsense.org>
 Copyright (c) 2025 Joseph Bauser
 Copyright (c) 2018 João Vilaça <machadovilaca@gmail.com>
 Copyright (c) 2019-2022 Juergen Kellerer
+Copyright (c) 2026 Konstantinos Spartalis <cspartalis@potatonetworks.com>
 Copyright (c) 2024 laraveluser
 Copyright (c) 2026 Leandro Scardua
 Copyright (c) 2023 Liam Steckler <liam@liamsteckler.com>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php
index 8b9e0bea33..1a5fdb9caf 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php
@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2026 Konstantinos Spartalis (cspartalis@potatonetworks.com)
+ * Copyright (C) 2026 Konstantinos Spartalis <cspartalis@potatonetworks.com>
  * Copyright (C) 2023 Jan Winkler
  * All rights reserved.
  *

From aa099c5901842d807c98a6f488edac3c02a9d09b Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Apr 2026 09:50:34 +0200
Subject: [PATCH 3059/3088] security/q-feeds-connector: wrap up this revision

---
 security/q-feeds-connector/Makefile  | 2 +-
 security/q-feeds-connector/pkg-descr | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index 6ec2187cd4..31b975bcf9 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		q-feeds-connector
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
 PLUGIN_TIER=		2
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index d005e7e7e6..38fda7f4cb 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -10,6 +10,7 @@ Plugin Changelog
 * Feature: Add NXDOMAIN option for unbound
 * Feature: Add dest address for unbound
 * Bugfix: Invalidate alias cache on reconfigure
+* Bugfix: Ignore "pass" log lines for `qfeedsctl.py logs`
 
 1.4
 

From ec68572f0f74f41fd7064dd2205790f2c45abc76 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Apr 2026 10:23:16 +0200
Subject: [PATCH 3060/3088] security/acme-client: rename class file name to
 match class name

---
 .../LeAutomation/{AcmeTruenasws.php => AcmeTruenasWS.php}         | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{AcmeTruenasws.php => AcmeTruenasWS.php} (100%)

diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php
similarity index 100%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasws.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php

From 290c67d2712baefcb2167cf038a9132200316781 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Apr 2026 10:23:37 +0200
Subject: [PATCH 3061/3088] dns/ddclient: linter complaints fixed

---
 .../src/opnsense/scripts/ddclient/lib/account/allinkl.py        | 0
 .../src/opnsense/scripts/ddclient/lib/account/hetzner.py        | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 mode change 100644 => 100755 dns/ddclient/src/opnsense/scripts/ddclient/lib/account/allinkl.py

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/allinkl.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/allinkl.py
old mode 100644
new mode 100755
diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
index be72e7e4d8..1cf241e550 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/hetzner.py
@@ -514,4 +514,4 @@ def execute(self):
                 self.update_state(address=self.current_address)
                 return True
 
-        return False
\ No newline at end of file
+        return False

From 4d7a938c13229b48420547a8f81ce25627d83783 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Apr 2026 10:30:26 +0200
Subject: [PATCH 3062/3088] net/frr: some small style updates while here

---
 net/frr/src/etc/rc.syshook.d/start/50-frr     |  2 +-
 .../Quagga/Api/Ospf6settingsController.php    | 47 +++++++++----------
 .../mvc/app/models/OPNsense/Quagga/BFD.xml    |  2 -
 3 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/net/frr/src/etc/rc.syshook.d/start/50-frr b/net/frr/src/etc/rc.syshook.d/start/50-frr
index b3388a3791..bcffad31c1 100755
--- a/net/frr/src/etc/rc.syshook.d/start/50-frr
+++ b/net/frr/src/etc/rc.syshook.d/start/50-frr
@@ -33,5 +33,5 @@ require_once('util.inc');
 require_once('plugins.inc.d/frr.inc');
 
 if (frr_enabled()) {
-    shell_exec('/usr/local/opnsense/scripts/frr/carp_event_handler');
+    mwexecfm('/usr/local/opnsense/scripts/frr/carp_event_handler');
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
index d616af37c0..1574d398c6 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/Ospf6settingsController.php
@@ -1,40 +1,37 @@
 <?php
 
 /*
- *    Copyright (C) 2015-2024 Deciso B.V.
- *    Copyright (C) 2015 Jos Schellevis <jos@opnsense.org>
- *    Copyright (C) 2017 Fabian Franz
- *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
- *    All rights reserved.
+ * Copyright (C) 2015-2024 Deciso B.V.
+ * Copyright (C) 2015 Jos Schellevis <jos@opnsense.org>
+ * Copyright (C) 2017 Fabian Franz
+ * Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
+ * All rights reserved.
  *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\Quagga\Api;
 
-use OPNsense\Quagga\OSPF6;
-use OPNsense\Core\Config;
 use OPNsense\Base\ApiMutableModelControllerBase;
-use OPNsense\Base\UIModelGrid;
 
 class Ospf6settingsController extends ApiMutableModelControllerBase
 {
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
index 440018a59a..9d2483c4da 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/BFD.xml
@@ -22,11 +22,9 @@
                     <Required>Y</Required>
                 </multihop>
                 <localaddress type="NetworkField">
-                    <Required>N</Required>
                     <NetMaskAllowed>N</NetMaskAllowed>
                 </localaddress>
                 <interfacename type="InterfaceField">
-                    <Required>N</Required>
                     <AllowDynamic>Y</AllowDynamic>
                     <filters>
                         <enable>/^(?!0).*$/</enable>

From 042783df72cfda265aeb418eafe899baf16faed1 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 12 Apr 2026 09:53:02 +0200
Subject: [PATCH 3063/3088] github: update pull request template following
 tweaks on master

---
 .github/pull_request_template.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 51fc8770fe..4bd1d0a5d9 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,4 +1,5 @@
 **Important notices**
+
 Before you submit a pull request, we ask you kindly to acknowledge the following:
 
 - [ ] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
@@ -12,17 +13,18 @@ If AI was used, please disclose:
 
 ---
 
-**Related issue**
-If this pull request relates to an issue, link it here:
-
----
-
 **Describe the problem**
+
 A clear and concise description of the problem this pull request addresses.
 
 ---
 
 **Describe the proposed solution**
+
 Explain what this pull request changes and why.
 
 ---
+
+**Related issue**
+
+If this pull request relates to an issue, link it here.

From 12f88282d9d8eb47d39ee9e83278f85b68689ec7 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 12 Apr 2026 14:35:29 +0200
Subject: [PATCH 3064/3088] Squashed commit of the following:

commit b256ed7fcfa5e36bfd29e08c479bd02b461b21f5
Author: Ad Schellevis <ad@opnsense.org>
Date:   Sun Apr 12 14:31:54 2026 +0200

    net/frr - Routing: STATIC, finish https://github.com/opnsense/plugins/pull/5390 and add diagnostics.

commit be8a53d3d2fc4a91e7834e68322dd295a41f6888
Author: Sven Scholle <sven@shelldog.de>
Date:   Sat Apr 11 14:50:56 2026 +0200

    net/frr: add BFD dependency support for static routes

    We redistribute static routes from staticd into OSPF via WireGuard tunnels.
    We want the redistribution to depend on whether the tunnel is actually up.
    Since WireGuard interfaces remain up even when the tunnel is not functional, BFD appears to be the simplest solution for detecting tunnel failures.
---
 .../Quagga/Api/DiagnosticsController.php      | 17 ++++++++++++++++-
 .../OPNsense/Quagga/DiagnosticsController.php |  7 +++++++
 .../Quagga/forms/dialogEditSTATICRoute.xml    | 10 ++++++++++
 .../app/models/OPNsense/Quagga/STATICd.xml    |  4 ++++
 .../views/OPNsense/Quagga/diagnostics.volt    | 19 ++++++++++++++++++-
 .../conf/actions.d/actions_quagga.conf        |  7 +++++++
 .../templates/OPNsense/Quagga/staticd.conf    |  3 +++
 7 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
index 60ce0808d1..7d0ffa1178 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/Api/DiagnosticsController.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2023 Deciso B.V.
+ *    Copyright (C) 2023-2026 Deciso B.V.
  *    Copyright (C) 2017 Frank Wall
  *    Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
  *
@@ -329,4 +329,19 @@ public function bfdcountersAction(): array
     {
         return $this->bfdTreeFetch('counters');
     }
+
+    public function bfdstaticrouteAction(): array
+    {
+        $records = [];
+        $payload = json_decode((new Backend())->configdpRun('quagga diagnostics bfd_staticroute json'), true) ?? [];
+        if (!empty($payload['path-list'])) {
+            foreach ($payload['path-list'] as $proto => $values) {
+                foreach ($values as $record) {
+                    $record['proto'] = $proto;
+                    $records[] = $record;
+                }
+            }
+        }
+        return $this->searchRecordsetBase($records);
+    }
 }
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
index 7cb40b2320..125be3477d 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/DiagnosticsController.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+    Copyright (C) 2023-2026 Deciso B.V.
     Copyright (C) 2017 Fabian Franz
     Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
     All rights reserved.
@@ -123,6 +124,12 @@ public function bfdAction()
                 'tabhead' => gettext('Summary'),
                 'type' => 'bfdsummary'
             ],
+            [
+                'name' => 'staticroute',
+                'endpoint' => '/api/quagga/diagnostics/bfdstaticroute',
+                'tabhead' => gettext('Static Route'),
+                'type' => 'bfdstaticroute'
+            ],
             [
                 'name' => 'neighbors',
                 'endpoint' => '/api/quagga/diagnostics/bfdneighbors',
diff --git a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
index aae3f26c75..786d693591 100644
--- a/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
+++ b/net/frr/src/opnsense/mvc/app/controllers/OPNsense/Quagga/forms/dialogEditSTATICRoute.xml
@@ -27,4 +27,14 @@
     <type>dropdown</type>
     <help>Select an interface where this settings apply to.</help>
   </field>
+  <field>
+    <id>route.bfd</id>
+    <label>BFD</label>
+    <type>checkbox</type>
+    <help>Mark the route as dependent on the BFD neighbor session with the next hop.</help>
+    <grid_view>
+      <type>boolean</type>
+      <formatter>boolean</formatter>
+    </grid_view>
+  </field>
 </form>
diff --git a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
index 8610f0c90b..7f5fdb49b3 100644
--- a/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
+++ b/net/frr/src/opnsense/mvc/app/models/OPNsense/Quagga/STATICd.xml
@@ -28,6 +28,10 @@
                         <type>/^(?!group).*$/</type>
                     </filters>
                 </interfacename>
+                <bfd type="BooleanField">
+                    <Default>0</Default>
+                    <Required>N</Required>
+                </bfd>
             </route>
         </routes>
     </items>
diff --git a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
index c6dbe668fa..3792e3f820 100644
--- a/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
+++ b/net/frr/src/opnsense/mvc/app/views/OPNsense/Quagga/diagnostics.volt
@@ -1,6 +1,6 @@
 {#
 
-OPNsense® is Copyright © 2014 – 2023 by Deciso B.V.
+OPNsense® is Copyright © 2014 – 2026 by Deciso B.V.
 Copyright (C) 2023 Marc Bartelt
 Copyright (C) 2017 Fabian Franz
 Copyright (C) 2017 Michael Muenz <m.muenz@gmail.com>
@@ -101,6 +101,7 @@ POSSIBILITY OF SUCH DAMAGE.
                 {% case 'ospfv3databasetable' %}
                 {% case 'ospfneighbors' %}
                 {% case 'bfdsummary' %}
+                {% case 'bfdstaticroute' %}
                     if (all_grids["{{ tab['name'] }}"] === undefined) {
                         /**
                          * initialize bootgrid table for {{ tab['tabhead'] }}
@@ -406,6 +407,22 @@ POSSIBILITY OF SUCH DAMAGE.
                         </table>
                     </div>
                     {% break %}
+                {% case 'bfdstaticroute' %}
+                    <div class="col-sm-12">
+                        <table id="grid-{{ tab['name'] }}" class="table table-condensed table-hover table-striped table-responsive">
+                            <thead>
+                            <tr>
+                                <th data-column-id="proto">{{ lang._('Protocol') }}</th>
+                                <th data-column-id="vrf">{{ lang._('Vrf') }}</th>
+                                <th data-column-id="peer">{{ lang._('Peer') }}</th>
+                                <th data-column-id="installed" data-formatter="boolean" data-searchable="false" data-sortable="false">{{ lang._('Installed') }}</th>
+                            </tr>
+                            </thead>
+                            <tbody>
+                            </tbody>
+                        </table>
+                    </div>
+                    {% break %}
                 {% case 'tree' %}
                   <section class="col-xs-12">
                     <div class="searchbox">
diff --git a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
index 86170cd9ba..bfdeb61978 100644
--- a/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
+++ b/net/frr/src/opnsense/service/conf/actions.d/actions_quagga.conf
@@ -156,6 +156,13 @@ errors:no
 type:script_output
 message:FRR diagnostics "show bfd peers counters %s"
 
+[diagnostics.bfd_staticroute]
+command:/usr/local/bin/vtysh
+parameters: -c 'show bfd static route  %s'
+errors:no
+type:script_output
+message:FRR diagnostics "show bfd route %s"
+
 [diagnostics.ospf_database]
 command:/usr/local/bin/vtysh
 parameters: -c 'show ip ospf database %s'
diff --git a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
index 43a810beb4..59153f6c16 100644
--- a/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
+++ b/net/frr/src/opnsense/service/templates/OPNsense/Quagga/staticd.conf
@@ -13,6 +13,9 @@ ip
 {%-           endif %}
 {%-           if route.interfacename %}
  {{ helpers.physical_interface(route.interfacename) }}
+{%-           endif %}
+{%-           if 'bfd' in route and route.bfd == '1' %}
+ bfd
 {%-           endif +%}
 {%        endif %}
 {%    endfor %}

From 9aa2ccf960fae6a6ef8991f67d5f4ca6392c7cb5 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 7 Apr 2026 16:25:10 +0200
Subject: [PATCH 3065/3088] security/acme-client: add help text for hostingde,
 refs #5373

---
 .../controllers/OPNsense/AcmeClient/forms/dialogValidation.xml   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index d8c86d6e64..851e12c850 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -662,6 +662,7 @@
         <id>validation.dns_hostingde_server</id>
         <label>Server URL</label>
         <type>text</type>
+        <help>Enter the API endpoint, e.g. https://secure.hosting.de or https://partner.http.net.</help>
     </field>
     <field>
         <id>validation.dns_hostingde_apiKey</id>

From 72043b78bc9b0aa08c5769113e78a526e6b65a34 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 13 Apr 2026 14:37:48 +0200
Subject: [PATCH 3066/3088] security/acme-client: fix incorrect naming scheme
 of TrueNAS WS automation

---
 security/acme-client/Makefile                 |  2 +-
 security/acme-client/pkg-descr                |  5 ++
 .../AcmeClient/forms/dialogAction.xml         |  8 +--
 .../{AcmeTruenasWS.php => AcmeTruenasWs.php}  |  2 +-
 .../models/OPNsense/AcmeClient/AcmeClient.xml | 24 ++++++++-
 .../OPNsense/AcmeClient/Migrations/M4_4_0.php | 50 +++++++++++++++++++
 6 files changed, 83 insertions(+), 8 deletions(-)
 rename security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/{AcmeTruenasWS.php => AcmeTruenasWs.php} (96%)
 create mode 100644 security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_4_0.php

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 9d6b4ec8ed..088f0bab49 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		acme-client
-PLUGIN_VERSION=		4.15
+PLUGIN_VERSION=		4.16
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon
diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index dfa6ce841e..1210efbdeb 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -8,6 +8,11 @@ WWW: https://github.com/acmesh-official/acme.sh
 Plugin Changelog
 ================
 
+4.16
+
+Fixed:
+* fix incorrect naming scheme of TrueNAS WS automation
+
 4.15
 
 Added:
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
index 4774435876..b03e6f89c7 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogAction.xml
@@ -398,22 +398,22 @@
     <field>
         <label>Required Parameters</label>
         <type>header</type>
-        <style>method_table method_table_acme_truenasws</style>
+        <style>method_table method_table_acme_truenas_ws</style>
     </field>
     <field>
-        <id>action.acme_truenasws_apikey</id>
+        <id>action.acme_truenas_ws_apikey</id>
         <label>TrueNAS API key</label>
         <type>text</type>
         <help>API key generated in the TrueNAS web UI.</help>
     </field>
     <field>
-        <id>action.acme_truenasws_hostname</id>
+        <id>action.acme_truenas_ws_hostname</id>
         <label>TrueNAS hostname</label>
         <type>text</type>
         <help>Hostname or IP address of TrueNAS Server.</help>
     </field>
     <field>
-        <id>action.acme_truenasws_protocol</id>
+        <id>action.acme_truenas_ws_protocol</id>
         <label>TrueNAS protocol</label>
         <type>dropdown</type>
         <help>Connection scheme that will be used when uploading certificates to TrueNAS Server.</help>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWs.php
similarity index 96%
rename from security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php
rename to security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWs.php
index 1a5fdb9caf..91ced0c0b1 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWS.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeTruenasWs.php
@@ -35,7 +35,7 @@
  * Run acme.sh deploy hook truenas_ws
  * @package OPNsense\AcmeClient
  */
-class AcmeTruenasWS extends Base implements LeAutomationInterface
+class AcmeTruenasWs extends Base implements LeAutomationInterface
 {
     public function prepare()
     {
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index a9cf430fa2..40359e945d 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/AcmeClient</mount>
-    <version>4.3.1</version>
+    <version>4.4.0</version>
     <description>A secure ACME Client plugin</description>
     <items>
         <settings>
@@ -1431,7 +1431,7 @@
                         <acme_vault>Upload certificate to HashiCorp Vault</acme_vault>
                         <acme_synology_dsm>Upload certificate to Synology DSM</acme_synology_dsm>
                         <acme_truenas>Upload certificate to TrueNAS Server (deprecated API)</acme_truenas>
-                        <acme_truenasws>Upload certificate to TrueNAS Server (Websocket API)</acme_truenasws>
+                        <acme_truenas_ws>Upload certificate to TrueNAS Server (Websocket API)</acme_truenas_ws>
                         <acme_zyxel_gs1900>Upload certificate to Zyxel GS1900 series switches</acme_zyxel_gs1900>
                         <acme_unifi>Update local Unifi keystore</acme_unifi>
                         <configd_generic>System or Plugin Command</configd_generic>
@@ -1745,6 +1745,26 @@
                         <https>HTTPS</https>
                     </OptionValues>
                 </acme_truenas_scheme>
+                <acme_truenas_ws_apikey type="TextField">
+                    <Required>N</Required>
+                    <Mask>/^.{1,1024}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_truenas_ws_apikey>
+                <acme_truenas_ws_hostname type="HostnameField">
+                    <Default>localhost</Default>
+                    <Required>N</Required>
+                    <Mask>/^.{1,1024}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 1024 characters.</ValidationMessage>
+                </acme_truenas_ws_hostname>
+                <acme_truenas_ws_protocol type="OptionField">
+                    <Default>ws</Default>
+                    <Required>N</Required>
+                    <OptionValues>
+                        <ws>ws [default]</ws>
+                        <wss>wss</wss>
+                    </OptionValues>
+                </acme_truenas_ws_protocol>
+                <!-- TODO: old "truenasws" values kept for model migration, should be removed in version 5.0.0 -->
                 <acme_truenasws_apikey type="TextField">
                     <Required>N</Required>
                     <Mask>/^.{1,1024}$/u</Mask>
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_4_0.php b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_4_0.php
new file mode 100644
index 0000000000..5df32bf207
--- /dev/null
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/Migrations/M4_4_0.php
@@ -0,0 +1,50 @@
+<?php
+
+/**
+ *    Copyright (C) 2026 Frank Wall
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\AcmeClient\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+
+class M4_4_0 extends BaseModelMigration
+{
+    public function run($model)
+    {
+        foreach ($model->getNodeByReference('actions.action')->iterateItems() as $action) {
+            $action_type = (string)$action->type;
+            if ($action_type === 'acme_truenasws') {
+                // Migrate data from misspelled item to new one
+                $action->type = 'acme_truenas_ws';
+                $action->acme_truenas_ws_apikey = (string)$action->acme_truenasws_apikey;
+                $action->acme_truenas_ws_hostname = (string)$action->acme_truenasws_hostname;
+                $action->acme_truenas_ws_protocol = (string)$action->acme_truenasws_protocol;
+            }
+        }
+    }
+}

From a5e06c504ad8251664a3a212a313e9ca618b3aae Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Mon, 13 Apr 2026 17:23:37 +0200
Subject: [PATCH 3067/3088] security/acme-client: add support for Active24 API
 v2, closes #5381

---
 security/acme-client/pkg-descr                           | 6 ++++++
 .../OPNsense/AcmeClient/forms/dialogValidation.xml       | 9 +++++++--
 .../OPNsense/AcmeClient/LeValidation/DnsActive24.php     | 4 +++-
 .../mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml    | 7 +++++--
 4 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/security/acme-client/pkg-descr b/security/acme-client/pkg-descr
index 1210efbdeb..49a81e7f02 100644
--- a/security/acme-client/pkg-descr
+++ b/security/acme-client/pkg-descr
@@ -10,6 +10,12 @@ Plugin Changelog
 
 4.16
 
+Added:
+* add support for Active24 API v2 (#5381)
+
+Changed:
+* credentials for Active24 DNSAPI must be entered again (#5381)
+
 Fixed:
 * fix incorrect naming scheme of TrueNAS WS automation
 
diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
index 851e12c850..6b3ce02aa1 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogValidation.xml
@@ -137,10 +137,15 @@
         <style>table_dns table_dns_active24</style>
     </field>
     <field>
-        <id>validation.dns_active24_token</id>
-        <label>Token</label>
+        <id>validation.dns_active24_api_key</id>
+        <label>API Key</label>
         <type>text</type>
     </field>
+    <field>
+        <id>validation.dns_active24_api_secret</id>
+        <label>API Secret</label>
+        <type>password</type>
+    </field>
     <field>
         <label>Alwaysdata</label>
         <type>header</type>
diff --git a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsActive24.php b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsActive24.php
index 4b26d1bcf6..79100ae6ee 100644
--- a/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsActive24.php
+++ b/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/DnsActive24.php
@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2026 Frank Wall
  * Copyright (C) 2022 Jan Winkler
  * All rights reserved.
  *
@@ -39,6 +40,7 @@ class DnsActive24 extends Base implements LeValidationInterface
 {
     public function prepare()
     {
-        $this->acme_env['ACTIVE24_Token'] = (string)$this->config->dns_active24_token;
+        $this->acme_env['Active24_ApiKey'] = (string)$this->config->dns_active24_api_key;
+        $this->acme_env['Active24_ApiSecret'] = (string)$this->config->dns_active24_api_secret;
     }
 }
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 40359e945d..04b9296164 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -552,9 +552,12 @@
                     <ValidationMessage>Please specify a value between 0 and 84600 seconds.</ValidationMessage>
                     <Required>Y</Required>
                 </dns_sleep>
-                <dns_active24_token type="TextField">
+                <dns_active24_api_key type="TextField">
                     <Required>N</Required>
-                </dns_active24_token>
+                </dns_active24_api_key>
+                <dns_active24_api_secret type="TextField">
+                    <Required>N</Required>
+                </dns_active24_api_secret>
                 <dns_ad_key type="TextField">
                     <Required>N</Required>
                 </dns_ad_key>

From 6102a99da87a8a37ee43afe5606203022aaa8fa8 Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Tue, 14 Apr 2026 00:19:36 +0300
Subject: [PATCH 3068/3088] remove Zabbix 7.2 EOL (#5403)

---
 net-mgmt/zabbix-agent/Makefile  | 7 ++-----
 net-mgmt/zabbix-agent/pkg-descr | 5 +++++
 net-mgmt/zabbix-proxy/Makefile  | 5 +----
 net-mgmt/zabbix-proxy/pkg-descr | 4 ++++
 4 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/net-mgmt/zabbix-agent/Makefile b/net-mgmt/zabbix-agent/Makefile
index a01225eb54..f16000551d 100644
--- a/net-mgmt/zabbix-agent/Makefile
+++ b/net-mgmt/zabbix-agent/Makefile
@@ -1,15 +1,12 @@
 PLUGIN_NAME=		zabbix-agent
-PLUGIN_VERSION=		1.18
+PLUGIN_VERSION=		1.19
 PLUGIN_COMMENT=		Zabbix monitoring agent
 PLUGIN_MAINTAINER=	opnsense@moov.de
-PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
+PLUGIN_VARIANTS=	zabbix7 zabbix74 zabbix6
 
 zabbix7_NAME=		zabbix7-agent
 zabbix7_DEPENDS=	zabbix7-agent
 
-zabbix72_NAME=		zabbix72-agent
-zabbix72_DEPENDS=	zabbix72-agent
-
 zabbix74_NAME=		zabbix74-agent
 zabbix74_DEPENDS=	zabbix74-agent
 
diff --git a/net-mgmt/zabbix-agent/pkg-descr b/net-mgmt/zabbix-agent/pkg-descr
index f884fbcd5a..1b9fdd01ad 100644
--- a/net-mgmt/zabbix-agent/pkg-descr
+++ b/net-mgmt/zabbix-agent/pkg-descr
@@ -12,6 +12,11 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.19
+
+Removed:
+*Plugin variant for Zabbix Agent 7.2 is EoL and was removed
+
 1.18
 
 Added:
diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 1500e25317..2a80a54905 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		zabbix-proxy
-PLUGIN_VERSION=		1.16
+PLUGIN_VERSION=		1.17
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
 PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
@@ -7,9 +7,6 @@ PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
 zabbix7_NAME=		zabbix7-proxy
 zabbix7_DEPENDS=	zabbix7-proxy
 
-zabbix72_NAME=		zabbix72-proxy
-zabbix72_DEPENDS=	zabbix72-proxy
-
 zabbix74_NAME=		zabbix74-proxy
 zabbix74_DEPENDS=	zabbix74-proxy
 
diff --git a/net-mgmt/zabbix-proxy/pkg-descr b/net-mgmt/zabbix-proxy/pkg-descr
index 8b9d500538..27ee1223b8 100644
--- a/net-mgmt/zabbix-proxy/pkg-descr
+++ b/net-mgmt/zabbix-proxy/pkg-descr
@@ -12,6 +12,10 @@ WWW: https://www.zabbix.com/
 Plugin Changelog
 ----------------
 
+1.17
+
+*Removed plugin variant for Zabbox Proxy 7.2 which is EoL
+
 1.16
 
 * Add StartAgentPollers and MaxConcurrentChecksPerPoller options (#5037)

From acf0c92bb54638e904facdf0c35e7247486985de Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 13 Apr 2026 23:20:58 +0200
Subject: [PATCH 3069/3088] net-mgmt/zabbix-proxy: remove leftover

---
 net-mgmt/zabbix-proxy/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-mgmt/zabbix-proxy/Makefile b/net-mgmt/zabbix-proxy/Makefile
index 2a80a54905..ac94c736a4 100644
--- a/net-mgmt/zabbix-proxy/Makefile
+++ b/net-mgmt/zabbix-proxy/Makefile
@@ -2,7 +2,7 @@ PLUGIN_NAME=		zabbix-proxy
 PLUGIN_VERSION=		1.17
 PLUGIN_COMMENT=		Zabbix monitoring proxy
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
-PLUGIN_VARIANTS=	zabbix7 zabbix72 zabbix74 zabbix6
+PLUGIN_VARIANTS=	zabbix7 zabbix74 zabbix6
 
 zabbix7_NAME=		zabbix7-proxy
 zabbix7_DEPENDS=	zabbix7-proxy

From 846f3f5f23a105ce16be13567c34fb171a80d4ce Mon Sep 17 00:00:00 2001
From: Maksim Tokarev <makuso@mail.ru>
Date: Thu, 16 Apr 2026 02:26:25 -0400
Subject: [PATCH 3070/3088] dns/ddclient: Add multiple hostname support for
 cloudflare (#5405)

---
 .../ddclient/lib/account/cloudflare.py        | 161 ++++++++++--------
 1 file changed, 86 insertions(+), 75 deletions(-)

diff --git a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
index 6620e2431c..306cb98088 100755
--- a/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
+++ b/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/cloudflare.py
@@ -42,7 +42,7 @@ def __init__(self, account: dict):
 
     @staticmethod
     def known_services():
-        return  {'cloudflare': 'Cloudflare'}
+        return {'cloudflare': 'Cloudflare'}
 
     @staticmethod
     def match(account):
@@ -66,6 +66,7 @@ def execute(self):
                 headers["X-Auth-Email"] = self.settings.get('username')
                 headers["X-Auth-Key"] = self.settings.get('password')
 
+            # Check if zone exists
             req_opts = {
                 'url': url,
                 'params': {
@@ -80,11 +81,11 @@ def execute(self):
                 payload = {}
             if 'success' not in payload:
                 syslog.syslog(
-                        syslog.LOG_ERR,
-                        "Account %s error parsing JSON response [ZoneID] %s" % (self.description, response.text)
-                    )
+                    syslog.LOG_ERR,
+                    "Account %s error parsing JSON response [ZoneID] %s" % (self.description, response.text)
+                )
                 return False
-            if not payload.get('success', False):
+            if not payload.get('success', False) or len(payload.get('result', [])) == 0:
                 syslog.syslog(
                     syslog.LOG_ERR,
                     "Account %s error receiving ZoneID [%s]" % (self.description, json.dumps(payload.get('errors', {})))
@@ -98,88 +99,98 @@ def execute(self):
                     "Account %s ZoneID for %s %s" % (self.description, self.settings.get('zone'), zone_id)
                 )
 
-            # Get record ID
-            req_opts = {
-                'url': f"{req_opts['url']}/{zone_id}/dns_records",
-                'params': {
-                    'name': self.settings.get('hostnames'),
-                    'type': recordType
-                },
-                'headers': req_opts['headers']
-            }
-            response = requests.get(**req_opts)
-            try:
-                payload = response.json()
-            except requests.exceptions.JSONDecodeError:
-                payload = {}
-            if 'success' not in payload:
-                syslog.syslog(
+            # Update each hostname
+            for hostname in self.settings.get("hostnames", "").split(","):
+
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s Getting record ID for hostname %s (%s)"
+                        % (self.description, hostname, recordType),
+                    )
+
+                # Get record ID
+                req_opts = {
+                    'url': '%s/%s/dns_records' % (url, zone_id),
+                    'params': {
+                        'name': hostname,
+                        'type': recordType
+                    },
+                    'headers': headers
+                }
+                response = requests.get(**req_opts)
+                try:
+                    payload = response.json()
+                except requests.exceptions.JSONDecodeError:
+                    syslog.syslog(
                         syslog.LOG_ERR,
                         "Account %s error parsing JSON response [RecordID] %s" % (self.description, response.text)
                     )
-                return
-            if not payload.get('success', False):
-                syslog.syslog(
-                    syslog.LOG_ERR,
-                    "Account %s error receiving RecordID [%s]" % (
-                        self.description, json.dumps(payload.get('errors', {}))
+                    return False
+                if not payload.get('success', False):
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s error receiving RecordID [%s]" % (
+                            self.description, json.dumps(payload.get('errors', {}))
+                        )
                     )
-                )
-                return False
+                    return False
 
-            if len(payload['result']) == 0:
-                syslog.syslog(
-                    syslog.LOG_ERR, "Account %s error locating hostname %s [%s]" % (
-                        self.description, self.settings.get('hostnames'), recordType
+                if len(payload['result']) == 0:
+                    syslog.syslog(
+                        syslog.LOG_ERR, "Account %s error locating hostname %s [%s]" % (
+                            self.description, hostname, recordType
+                        )
                     )
-                )
-                return False
+                    return False
 
-            record_id = payload['result'][0]['id']
-            if self.is_verbose:
-                syslog.syslog(
-                    syslog.LOG_NOTICE,
-                    "Account %s RecordID for %s %s" % (self.description, self.settings.get('hostnames'), record_id)
-                )
+                record_id = payload['result'][0]['id']
+                if self.is_verbose:
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s RecordID for %s %s" % (self.description, hostname, record_id)
+                    )
 
-            # Send IP address update
-            req_opts = {
-                'url': f"{req_opts['url']}/{record_id}",
-                'json': {
-                    'type': recordType,
-                    'name': self.settings.get('hostnames'),
-                    'content': str(self.current_address),
-                },
-                'headers': req_opts['headers']
-            }
-            response = requests.patch(**req_opts)
-            try:
-                payload = response.json()
-            except requests.exceptions.JSONDecodeError:
-                payload = {}
-            if 'success' not in payload:
-                syslog.syslog(
+                # Send IP address update
+                req_opts = {
+                    'url': '%s/%s/dns_records/%s' % (url, zone_id, record_id),
+                    'json': {
+                        'type': recordType,
+                        'name': hostname,
+                        'content': str(self.current_address),
+                    },
+                    'headers': headers
+                }
+                response = requests.patch(**req_opts)
+                try:
+                    payload = response.json()
+                except requests.exceptions.JSONDecodeError:
+                    payload = {}
+                if 'success' not in payload:
+                    syslog.syslog(
                         syslog.LOG_ERR,
                         "Account %s error parsing JSON response [UpdateIP] %s" % (self.description, response.text)
                     )
-                return False
-            if payload.get('success', False):
-                syslog.syslog(
-                    syslog.LOG_NOTICE,
-                    "Account %s set new ip %s [%s]" % (
-                        self.description,
-                        self.current_address,
-                        payload.get('result', {}).get('content', '')
+                    return False
+                if payload.get('success', False):
+                    syslog.syslog(
+                        syslog.LOG_NOTICE,
+                        "Account %s set new ip %s [%s]" % (
+                            self.description,
+                            self.current_address,
+                            payload.get('result', {}).get('content', '')
+                        )
                     )
-                )
-
-                self.update_state(address=self.current_address)
-                return True
-            else:
-                syslog.syslog(
-                    syslog.LOG_ERR,
-                    "Account %s failed to set new ip %s [%s]" % (self.description, self.current_address, response.text)
-                )
+                else:
+                    syslog.syslog(
+                        syslog.LOG_ERR,
+                        "Account %s failed to set new ip %s for hostname %s: [%s]" % (self.description,
+                                                                                      self.current_address, hostname,
+                                                                                      response.text)
+                    )
+                    return False
 
+            self.update_state(address=self.current_address)
+            return True
 
         return False

From 58c1ae78b5a6ee9bb05ab009ec0f88179708296f Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 17 Apr 2026 09:30:58 +0200
Subject: [PATCH 3071/3088] make: add proper merge target origin

---
 Mk/defaults.mk | 1 +
 Mk/git.mk      | 1 +
 2 files changed, 2 insertions(+)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index e2eefeb481..cee9d75b12 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -56,6 +56,7 @@ PLUGIN_ABI?=	${PLUGIN_ABIS:[1]}
 PLUGIN_MAINS=	master main
 PLUGIN_MAIN?=	${PLUGIN_MAINS:[1]}
 PLUGIN_STABLE?=	stable/${PLUGIN_ABI}
+PLUGIN_ORIGIN?=	community
 
 PHPBIN=		${LOCALBASE}/bin/php
 
diff --git a/Mk/git.mk b/Mk/git.mk
index 4aded1e189..5caf19bb1c 100644
--- a/Mk/git.mk
+++ b/Mk/git.mk
@@ -28,5 +28,6 @@ CORE_ABIS=	${PLUGIN_ABIS}
 CORE_MAIN=	${PLUGIN_MAIN}
 CORE_MAINS=	${PLUGIN_MAINS}
 CORE_STABLE=	${PLUGIN_STABLE}
+CORE_UPSTREAM=	${PLUGIN_UPSTREAM}
 
 .-include "${PLUGINSDIR}/../core/Mk/git.mk"

From ed017f7e1e4b8f85381dcae1696c6997a8ad72a0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 17 Apr 2026 09:32:43 +0200
Subject: [PATCH 3072/3088] make: definitely the wrong coffee this morning

---
 Mk/defaults.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Mk/defaults.mk b/Mk/defaults.mk
index cee9d75b12..be52679327 100644
--- a/Mk/defaults.mk
+++ b/Mk/defaults.mk
@@ -56,7 +56,7 @@ PLUGIN_ABI?=	${PLUGIN_ABIS:[1]}
 PLUGIN_MAINS=	master main
 PLUGIN_MAIN?=	${PLUGIN_MAINS:[1]}
 PLUGIN_STABLE?=	stable/${PLUGIN_ABI}
-PLUGIN_ORIGIN?=	community
+PLUGIN_UPSTREAM?=community
 
 PHPBIN=		${LOCALBASE}/bin/php
 

From 12e13fc716b62adc290f61f1289ead5784e95d13 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Wed, 22 Apr 2026 08:03:02 +0200
Subject: [PATCH 3073/3088] net/isc-dhcp: add isolated menu registration code

---
 net/isc-dhcp/Makefile                         |  2 +-
 net/isc-dhcp/pkg-descr                        |  1 +
 .../app/models/OPNsense/DHCPv4/Menu/Menu.php  | 98 +++++++++++++++++++
 3 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.php

diff --git a/net/isc-dhcp/Makefile b/net/isc-dhcp/Makefile
index 1b8e9c572a..57107b053b 100644
--- a/net/isc-dhcp/Makefile
+++ b/net/isc-dhcp/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		isc-dhcp
 PLUGIN_VERSION=		1.0
-PLUGIN_REVISION=	4
+PLUGIN_REVISION=	5
 PLUGIN_COMMENT=		ISC DHCPv4/v6 server
 PLUGIN_DEPENDS=		isc-dhcp44-server
 PLUGIN_MAINTAINER=	franco@opnsense.org
diff --git a/net/isc-dhcp/pkg-descr b/net/isc-dhcp/pkg-descr
index 36f4461845..da3e41fbcd 100644
--- a/net/isc-dhcp/pkg-descr
+++ b/net/isc-dhcp/pkg-descr
@@ -16,3 +16,4 @@ Plugin Changelog
 * Minor changes regarding "track6" and "idassoc6" mode handling
 * Safeguard dhcpd_staticarp() from nonexistent interface configuration
 * Added DHCPv6 static mappings export
+* Moved dynamic menu item registration to plugin
diff --git a/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.php b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.php
new file mode 100644
index 0000000000..9d83d30034
--- /dev/null
+++ b/net/isc-dhcp/src/opnsense/mvc/app/models/OPNsense/DHCPv4/Menu/Menu.php
@@ -0,0 +1,98 @@
+<?php
+
+/*
+ * Copyright (C) 2026 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\DHCPv4\Menu;
+
+use OPNsense\Base\Menu\MenuContainer;
+use OPNsense\Core\Config;
+
+class Menu extends MenuContainer
+{
+    public function collect()
+    {
+        $config = Config::getInstance()->object();
+
+        // collect interfaces for dynamic (interface) menu tabs...
+        $iftargets = ['dhcp4' => [], 'dhcp6' => []];
+        if ($config->interfaces->count() > 0) {
+            foreach ($config->interfaces->children() as $key => $node) {
+                // "Services: DHCPv[46]" menu tab:
+                if (empty($node->virtual) && isset($node->enable)) {
+                    if (!empty(filter_var($node->ipaddr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4))) {
+                        $iftargets['dhcp4'][$key] = !empty($node->descr) ? (string)$node->descr : strtoupper($key);
+                    }
+                    if (!empty(filter_var($node->ipaddrv6, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) || (string)$node->ipaddrv6 == 'track6' || (string)$node->ipaddrv6 == 'idassoc6') {
+                        $iftargets['dhcp6'][$key] = !empty($node->descr) ? (string)$node->descr : strtoupper($key);
+                    }
+                }
+            }
+        }
+
+        foreach (array_keys($iftargets) as $tab) {
+            natcasesort($iftargets[$tab]);
+        }
+
+        // add interfaces to "Services: DHCPv[46]" menu tab:
+        $ordid = 0;
+        foreach ($iftargets['dhcp4'] as $key => $descr) {
+            $this->appendItem('Services.ISC_DHCPv4', $key, [
+                'url' => '/services_dhcp.php?if=' . $key,
+                'fixedname' => "[$descr]",
+                'order' => $ordid++,
+            ]);
+            $this->appendItem('Services.ISC_DHCPv4.' . $key, 'Edit' . $key, [
+                'url' => '/services_dhcp.php?if=' . $key . '&*',
+                'visibility' => 'hidden',
+            ]);
+            $this->appendItem('Services.ISC_DHCPv4.' . $key, 'AddStatic' . $key, [
+                'url' => '/services_dhcp_edit.php?if=' . $key,
+                'visibility' => 'hidden',
+            ]);
+            $this->appendItem('Services.ISC_DHCPv4.' . $key, 'EditStatic' . $key, [
+                'url' => '/services_dhcp_edit.php?if=' . $key . '&*',
+                'visibility' => 'hidden',
+            ]);
+        }
+        $ordid = 0;
+        foreach ($iftargets['dhcp6'] as $key => $descr) {
+            $this->appendItem('Services.ISC_DHCPv6', $key, [
+                'url' => '/services_dhcpv6.php?if=' . $key,
+                'fixedname' => "[$descr]",
+                'order' => $ordid++,
+            ]);
+            $this->appendItem('Services.ISC_DHCPv6.' . $key, 'Add' . $key, [
+                'url' => '/services_dhcpv6_edit.php?if=' . $key,
+                'visibility' => 'hidden',
+            ]);
+            $this->appendItem('Services.ISC_DHCPv6.' . $key, 'Edit' . $key, [
+                'url' => '/services_dhcpv6_edit.php?if=' . $key . '&*',
+                'visibility' => 'hidden',
+            ]);
+        }
+    }
+}

From 825702e60cee67eb92bc1104da7b173607c2a03a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Apr 2026 10:11:20 +0000
Subject: [PATCH 3074/3088] devel/helloworld: add dynamic hint usage

PR: https://github.com/opnsense/core/issues/10225
---
 devel/helloworld/Makefile                     |  2 +-
 .../HelloWorld/Api/SettingsController.php     | 50 +++++++++++--------
 .../models/OPNsense/HelloWorld/HelloWorld.xml |  6 +--
 3 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/devel/helloworld/Makefile b/devel/helloworld/Makefile
index 86a8690adb..22c2e705cf 100644
--- a/devel/helloworld/Makefile
+++ b/devel/helloworld/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		helloworld
 PLUGIN_VERSION=		1.4
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		A sample framework application
 PLUGIN_MAINTAINER=	ad@opnsense.org
 
diff --git a/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SettingsController.php b/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SettingsController.php
index 440ff3ce16..2e4fad0656 100644
--- a/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SettingsController.php
+++ b/devel/helloworld/src/opnsense/mvc/app/controllers/OPNsense/HelloWorld/Api/SettingsController.php
@@ -1,31 +1,29 @@
 <?php
 
-/**
- *    Copyright (C) 2015-2019 Deciso B.V.
- *
- *    All rights reserved.
- *
- *    Redistribution and use in source and binary forms, with or without
- *    modification, are permitted provided that the following conditions are met:
+/*
+ * Copyright (C) 2015-2019 Deciso B.V.
+ * All rights reserved.
  *
- *    1. Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
  *
- *    2. Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
  *
- *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *    POSSIBILITY OF SUCH DAMAGE.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
  *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 namespace OPNsense\HelloWorld\Api;
@@ -40,4 +38,12 @@ class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelClass = 'OPNsense\HelloWorld\HelloWorld';
     protected static $internalModelName = 'helloworld';
+
+    public function getAction()
+    {
+        $data = parent::getAction();
+        $data[self::$internalModelName]['general']['%ToEmail'] = gettext('Enter recipient here');
+
+        return $data;
+    }
 }
diff --git a/devel/helloworld/src/opnsense/mvc/app/models/OPNsense/HelloWorld/HelloWorld.xml b/devel/helloworld/src/opnsense/mvc/app/models/OPNsense/HelloWorld/HelloWorld.xml
index 825a579b42..cbcdefefd3 100644
--- a/devel/helloworld/src/opnsense/mvc/app/models/OPNsense/HelloWorld/HelloWorld.xml
+++ b/devel/helloworld/src/opnsense/mvc/app/models/OPNsense/HelloWorld/HelloWorld.xml
@@ -1,8 +1,6 @@
 <model>
     <mount>//OPNsense/helloworld</mount>
-    <description>
-        the OPNsense "Hello World" application
-    </description>
+    <description>OPNsense "Hello World" application</description>
     <items>
         <!-- container -->
         <general>
@@ -20,7 +18,7 @@
             </FromEmail>
             <ToEmail type="EmailField">
                 <Required>Y</Required>
-                <ValidationMessage>please specify a valid email address</ValidationMessage>
+                <ValidationMessage>Please specify a valid email address.</ValidationMessage>
             </ToEmail>
             <Description type="TextField">
                 <Required>Y</Required>

From 0ae49cfafcc5840f36d7aad78eb53f93908a978d Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 28 Apr 2026 10:49:59 +0000
Subject: [PATCH 3075/3088] devel/grid_example: add option field to showcase
 grid %field magic

The form %field magic works here too but let's not complicate an
example controller with it.

PR: https://github.com/opnsense/core/issues/10225
---
 devel/grid_example/Makefile                         |  1 +
 .../OPNsense/GridExample/forms/dialogAddress.xml    | 12 +++++++++---
 .../app/models/OPNsense/GridExample/GridExample.xml | 13 ++++++++++---
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/devel/grid_example/Makefile b/devel/grid_example/Makefile
index f6c9214c6c..c274386418 100644
--- a/devel/grid_example/Makefile
+++ b/devel/grid_example/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		grid_example
 PLUGIN_VERSION=		1.1
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		A sample framework application
 PLUGIN_MAINTAINER=	ad@opnsense.org
 
diff --git a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/forms/dialogAddress.xml b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/forms/dialogAddress.xml
index 74f842bd75..0d0152e0f0 100644
--- a/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/forms/dialogAddress.xml
+++ b/devel/grid_example/src/opnsense/mvc/app/controllers/OPNsense/GridExample/forms/dialogAddress.xml
@@ -3,7 +3,7 @@
         <id>address.enabled</id>
         <label>Enabled</label>
         <type>checkbox</type>
-        <help>Enable this address</help>
+        <help>Enable this address.</help>
         <!-- Format the grid column for enabled button-->
         <grid_view>
             <width>6em</width>
@@ -15,13 +15,19 @@
         <id>address.email</id>
         <label>Email</label>
         <type>text</type>
-        <help>Enter the email address</help>
+        <help>Enter the email address.</help>
+    </field>
+    <field>
+        <id>address.schedule</id>
+        <label>Schedule</label>
+        <type>dropdown</type>
+        <help>Select your preferred schedule.</help>
     </field>
     <field>
         <id>address.description</id>
         <label>Description</label>
         <type>text</type>
-        <help>Enter an optional description</help>
+        <help>Enter an optional description.</help>
         <!-- Hide this grid column per default -->
         <grid_view>
             <visible>false</visible>
diff --git a/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml b/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
index fc1146dd28..255d6689fb 100644
--- a/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
+++ b/devel/grid_example/src/opnsense/mvc/app/models/OPNsense/GridExample/GridExample.xml
@@ -1,8 +1,6 @@
 <model>
     <mount>//OPNsense/GridExample</mount>
-    <description>
-        the OPNsense "GridExample" application
-    </description>
+    <description>OPNsense "GridExample" application</description>
     <items>
         <addresses>
             <address type="ArrayField">
@@ -10,6 +8,15 @@
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
+                <schedule type="OptionField">
+                    <Default>wly</Default>
+                    <Required>Y</Required>
+                    <OptionValues>
+                        <dly>Daily</dly>
+                        <wly>Weekly</wly>
+                        <mly>Monthly</mly>
+                    </OptionValues>
+                </schedule>
                 <email type="EmailField">
                     <Required>Y</Required>
                 </email>

From f8395a54dd1d1ee4118de47d8f12192821d87986 Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 28 Apr 2026 13:59:22 +0200
Subject: [PATCH 3076/3088] net/turnserver: remove obsolete options from config

The fixes the following issues when using the most recent version of Coturn:

ERROR: no-cli option is deprecated, see --cli
WARNING: Bad configuration format: no-tlsv1
WARNING: Bad configuration format: no-tlsv1_1
WARNING: Bad configuration format: no-stun-backward-compatibility
---
 .../service/templates/OPNsense/Turnserver/turnserver.conf     | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
index 7b8d15bd2e..fddce56a72 100644
--- a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
@@ -56,11 +56,7 @@ permission-lifetime={{ OPNsense.turnserver.settings.PermissionLifetime }}
 
 # Defaults
 log-file=syslog
-no-cli
 no-software-attribute
 no-multicast-peers
-no-tlsv1
-no-tlsv1_1
 no-rfc5780
-no-stun-backward-compatibility
 response-origin-only-with-rfc5780

From f3dd27587cac12d396ffe10bb24025fa4748194e Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Tue, 28 Apr 2026 14:00:46 +0200
Subject: [PATCH 3077/3088] net/turnserver: bump version

---
 net/turnserver/Makefile  | 2 +-
 net/turnserver/pkg-descr | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/turnserver/Makefile b/net/turnserver/Makefile
index 8a863dd178..5d10a1f19b 100644
--- a/net/turnserver/Makefile
+++ b/net/turnserver/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		turnserver
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		The coturn STUN/TURN Server
 PLUGIN_DEPENDS=		turnserver
 PLUGIN_MAINTAINER=	opnsense@moov.de
diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
index 27ac200fd5..ff75e07eed 100644
--- a/net/turnserver/pkg-descr
+++ b/net/turnserver/pkg-descr
@@ -6,6 +6,11 @@ WWW: https://github.com/coturn/coturn
 Plugin Changelog
 ================
 
+1.3
+
+Changed:
+* remove obsolete options from config
+
 1.2
 
 Added:

From 0a45144c4e7798e84eed49cd0b8ce0cb90b95074 Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Tue, 28 Apr 2026 16:48:39 +0300
Subject: [PATCH 3078/3088] netbird: add option/auth banner (#5404)

---
 security/netbird/Makefile                     |  2 +-
 .../Netbird/Api/AuthenticationController.php  | 22 ++++----
 .../OPNsense/Netbird/forms/authentication.xml |  1 +
 .../OPNsense/Netbird/forms/settings.xml       |  8 +++
 .../OPNsense/Netbird/Authentication.xml       |  5 +-
 .../app/models/OPNsense/Netbird/Settings.php  |  1 +
 .../app/models/OPNsense/Netbird/Settings.xml  |  5 ++
 .../OPNsense/Netbird/authentication.volt      | 54 ++++++++++++-------
 8 files changed, 62 insertions(+), 36 deletions(-)

diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index f7c2e956fe..5d9e3ccd08 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		netbird
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
 PLUGIN_MAINTAINER=	dev@netbird.io
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
index 4691c3668d..1e75efa083 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
@@ -48,23 +48,21 @@ public function getAction(): array
     {
         $mdl = new Authentication();
 
-        $managementUrl = $mdl->managementUrl->__toString();
-        $setupKey = $mdl->setupKey->__toString();
-
-        $defaultKey = '00000000-0000-0000-0000-000000000000';
-        if (!empty($setupKey) && $setupKey !== $defaultKey) {
-            $visiblePart = substr($setupKey, 0, 4);
-            $maskedKey = $visiblePart . str_repeat('*', max(4, strlen($setupKey) - 4));
-        } else {
-            $maskedKey = $defaultKey;
-        }
+        $managementUrl = $mdl->managementUrl->getValue();
+        $setupKey = $mdl->setupKey->getValue();
 
-        return [
+        $result = [
             'authentication' => [
                 'managementUrl' => $managementUrl,
-                'setupKey' => $maskedKey
+                'setupKey' => '',
             ]
         ];
+
+        if (!empty($setupKey)) {
+            $result['authentication']['%setupKey'] = substr($setupKey, 0, 5) . str_repeat('*', max(0, strlen($setupKey) - 7));
+        }
+
+        return $result;
     }
 
     public function upAction()
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
index 75111fdaf3..ad5139f22b 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
@@ -9,6 +9,7 @@
         <id>authentication.setupKey</id>
         <label>Setup Key</label>
         <type>text</type>
+        <hint>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</hint>
         <help>Set the authentication setup key</help>
     </field>
 </form>
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
index 7a2cb69c7b..0094cffdb9 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
@@ -15,6 +15,14 @@
         <type>text</type>
         <help>Wireguard interface listening port</help>
     </field>
+    <field>
+        <id>settings.general.ipmapping</id>
+        <label>Force IP Mapping</label>
+        <type>text</type>
+        <hint>12.34.56.78</hint>
+        <help>Forces external IPs maps between local addresses and interfaces. You can specify a comma-separated list with a single IP or IP/IP or IP/Interface Name. Leave empty for automatic mapping.</help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <type>header</type>
         <label>Client Firewall</label>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
index b9ac20dd27..1886653c24 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
@@ -5,10 +5,9 @@
     <items>
         <managementUrl type="UrlField">
             <Required>Y</Required>
-            <Default>https://api.netbird.io:443</Default>
+            <Default>https://api.netbird.io</Default>
         </managementUrl>
-        <setupKey type="TextField">
-            <!-- XXX fails migration for obvious reasons <Required>Y</Required> -->
+        <setupKey type="UpdateOnlyTextField">
             <Mask>/^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$/i</Mask>
             <ValidationMessage>Please specify a valid setup key.</ValidationMessage>
         </setupKey>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
index 4d3a3b4c41..f0ea65e076 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
@@ -46,6 +46,7 @@ public function syncConfig($target = '/var/db/netbird/config.json')
 
         $config["WgPort"] = (int)$this->general->wireguardPort->__toString();
         $config["ServerSSHAllowed"] = $this->ssh->enable->__toString() == 1;
+        $config["IpMapping"] = $this->general->ipmapping->__toString();
         $config["EnableSSHRoot"] = $this->ssh->enableRoot->__toString() == 1;
         $config["EnableSSHSFTP"] = $this->ssh->enableSFTP->__toString() == 1;
         $config["EnableSSHLocalPortForwarding"] = $this->ssh->enableLocalPortForwarding->__toString() == 1;
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
index b606c6f75d..a271bd6d42 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
@@ -15,6 +15,11 @@
                 <maximum>65535</maximum>
                 <ValidationMessage>Please specify a valid port.</ValidationMessage>
             </wireguardPort>
+            <ipmapping type="TextField">
+                <MaskPerItem>Y</MaskPerItem>
+                <Mask>/^(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}(?:\/(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}|[a-zA-Z][a-zA-Z0-9_.-]*))?$/u</Mask>
+                <ValidationMessage>Invalid syntax. E.g. 12.34.56.78 or 12.34.56.78/10.0.0.1 or 12.34.56.200,12.34.56.78/10.0.0.1,12.34.56.80/eth1</ValidationMessage>
+            </ipmapping>
         </general>
         <firewall>
             <allowConfig type="BooleanField">
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
index 7d2652c4de..96ec7ea570 100644
--- a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
+++ b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
@@ -1,4 +1,5 @@
 {#
+ # Copyright (C) 2026 Konstantinos Spartalis <cspartalis@potatonetworks.com>
  # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
  # Copyright (C) 2025 squared GmbH
  # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
@@ -29,20 +30,39 @@
 
 <script>
     function updateNetBirdStatusUI() {
-        ajaxGet('/api/netbird/status/status', {}, (data) => {
-            const $connectBtn = $("#connectBtn");
-            const $disconnectBtn = $("#disconnectBtn");
+        ajaxGet('/api/netbird/settings/get', {}, (settings) => {
+            const isEnabled = settings.settings?.general?.enable === '1';
 
-            $("#netbird-actions").removeClass("hidden");
+            const updateUI = (isConnected) => {
+                const $connectBtn = $("#connectBtn");
+                const $disconnectBtn = $("#disconnectBtn");
 
-            const isConnected = data.management?.connected === true;
-            const message = isConnected ? "NetBird is connected" : "NetBird is not connected";
-            const type = isConnected ? "info" : "warning";
+                $("#netbird-actions").removeClass("hidden");
 
-            $connectBtn.toggleClass("hidden", isConnected);
-            $disconnectBtn.toggleClass("hidden", !isConnected);
+                let message;
+                let type;
+                if (!isEnabled) {
+                    message = "Enable NetBird first";
+                    type = "warning";
+                } else {
+                    message = isConnected ? "NetBird is connected" : "NetBird is not connected";
+                    type = isConnected ? "info" : "warning";
+                }
+
+                $connectBtn.toggleClass("hidden", isConnected);
+                $disconnectBtn.toggleClass("hidden", !isConnected);
+
+                $("#status").removeClass().addClass("alert alert-" + type).text(message).show();
+            };
 
-            $("#status").removeClass().addClass("alert alert-" + type).text(message).show();
+            if (!isEnabled) {
+                updateUI(false);
+            } else {
+                ajaxGet('/api/netbird/status/status', {}, (data) => {
+                    const isConnected = data.management?.connected === true;
+                    updateUI(isConnected);
+                });
+            }
         });
     }
 
@@ -57,17 +77,11 @@
         $("#connectBtn").SimpleActionButton({
             onPreAction: () => {
                 const dfObj = new $.Deferred();
-                const setupKey = $("#authentication\\.setupKey").val();
-
-                if (setupKey.includes("*")) {
+                saveFormToEndpoint("/api/netbird/authentication/set", 'frmAuthentication', () => {
                     dfObj.resolve();
-                } else {
-                    saveFormToEndpoint("/api/netbird/authentication/set", 'frmAuthentication', () => {
-                        dfObj.resolve();
-                    }, true, () => {
-                        dfObj.reject();
-                    });
-                }
+                }, true, () => {
+                    dfObj.reject();
+                });
                 return dfObj;
             },
             onAction: () => {

From ec0f068b0ccaccfb8bba7c8fa364b44c529fa260 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Fri, 1 May 2026 09:50:44 +0200
Subject: [PATCH 3079/3088] security/acme-client: bump revision to chase rename

---
 security/acme-client/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/acme-client/Makefile b/security/acme-client/Makefile
index 088f0bab49..fc4c3f7f36 100644
--- a/security/acme-client/Makefile
+++ b/security/acme-client/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		acme-client
 PLUGIN_VERSION=		4.16
+PLUGIN_REVISION=	1
 PLUGIN_COMMENT=		ACME Client
 PLUGIN_MAINTAINER=	opnsense@moov.de
 PLUGIN_DEPENDS=		acme.sh py${PLUGIN_PYTHON}-dns-lexicon

From 66845547dccb79cc5391b71ae22d58189a0c7518 Mon Sep 17 00:00:00 2001
From: Myah Mitchell <mmitchell@indigex.com>
Date: Fri, 6 Mar 2026 16:34:52 -0600
Subject: [PATCH 3080/3088] security/netbird: added netbird_devices() so that
 wt0 is a volatile interface

---
 security/netbird/Makefile                              |  1 +
 security/netbird/src/etc/inc/plugins.inc.d/netbird.inc | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index 5d9e3ccd08..68e48360d2 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME=		netbird
 PLUGIN_VERSION=		1.3
+PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
 PLUGIN_MAINTAINER=	dev@netbird.io
diff --git a/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc b/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc
index 1d6b7fce09..317e860396 100644
--- a/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc
+++ b/security/netbird/src/etc/inc/plugins.inc.d/netbird.inc
@@ -34,6 +34,16 @@ function netbird_enabled()
     return !(new \OPNsense\Netbird\Settings())->general->enable->isEmpty();
 }
 
+function netbird_devices()
+{
+    return [[
+        'pattern' => '^wt0$',
+        'configurable' => false,
+        'spoofmac' => false,
+        'volatile' => true,
+    ]];
+}
+
 function netbird_services()
 {
     $services = [];

From 453de9e8f35b2b7e549f9959d54892399b57ce06 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 May 2026 11:29:56 +0200
Subject: [PATCH 3081/3088] security/netbird: move validation message to help
 text

---
 .../mvc/app/controllers/OPNsense/Netbird/forms/settings.xml     | 2 +-
 .../src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml   | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
index 0094cffdb9..d5dd2a1790 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
@@ -20,7 +20,7 @@
         <label>Force IP Mapping</label>
         <type>text</type>
         <hint>12.34.56.78</hint>
-        <help>Forces external IPs maps between local addresses and interfaces. You can specify a comma-separated list with a single IP or IP/IP or IP/Interface Name. Leave empty for automatic mapping.</help>
+        <help>Forces external IPs maps between local addresses and interfaces. You can specify a comma-separated list with the following: a single IP (12.34.56.78), IP/IP (12.34.56.78/10.0.0.1) or IP/device (12.34.56.80/em1). Leave empty for automatic mapping.</help>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
index a271bd6d42..658f5b1e1a 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
@@ -18,7 +18,6 @@
             <ipmapping type="TextField">
                 <MaskPerItem>Y</MaskPerItem>
                 <Mask>/^(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}(?:\/(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}|[a-zA-Z][a-zA-Z0-9_.-]*))?$/u</Mask>
-                <ValidationMessage>Invalid syntax. E.g. 12.34.56.78 or 12.34.56.78/10.0.0.1 or 12.34.56.200,12.34.56.78/10.0.0.1,12.34.56.80/eth1</ValidationMessage>
             </ipmapping>
         </general>
         <firewall>

From 11ac729b0727625455ddac7695d6c0692cd87376 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 4 May 2026 11:33:31 +0200
Subject: [PATCH 3082/3088] sysutils/cpu-microcode: revoke tier 2

A number of cheapish hardware has issues with microcode updates now
and then preventing them to boot.  Since this isn't good enough for
our standards revoke tier 2 so that this goes back to community scope.

PR: https://forum.opnsense.org/index.php?topic=51786.msg266329#msg266329
---
 sysutils/cpu-microcode/Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/sysutils/cpu-microcode/Makefile b/sysutils/cpu-microcode/Makefile
index 261093b60b..d3fb362b54 100644
--- a/sysutils/cpu-microcode/Makefile
+++ b/sysutils/cpu-microcode/Makefile
@@ -4,7 +4,6 @@ PLUGIN_COMMENT=		CPU microcode updates
 PLUGIN_DEPENDS=		x86info
 PLUGIN_MAINTAINER=	franco@opnsense.org
 PLUGIN_VARIANTS=	amd intel
-PLUGIN_TIER=		2
 
 amd_NAME=		cpu-microcode-amd
 amd_DEPENDS=		cpu-microcode-amd

From 7b3b5a4e3cc409fdc4ee17f00ca3d73af111b32f Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 4 May 2026 17:25:33 +0200
Subject: [PATCH 3083/3088] security/q-feeds-connector: add optional locked
 mode in qfeedsctl.py for cron runners and wait for configfile changes when
 HTTP 401 is thrown. closes https://github.com/opnsense/plugins/issues/5416

This should prevent firewalls from spamming Q-Feeds infrastructure when either an empty or invalid token is specified.
---
 .../src/opnsense/scripts/qfeeds/lib/api.py    | 14 +++++++---
 .../src/opnsense/scripts/qfeeds/qfeedsctl.py  | 26 +++++++++++++++++++
 .../conf/actions.d/actions_qfeeds.conf        |  2 +-
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
index 749abeec92..c4285e8115 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
@@ -29,16 +29,24 @@
 
 
 class QFeedsConfig:
+    config_filename = '/usr/local/etc/qfeeds.conf'
     api_key = None
+    conf_timestamp = None
 
     def __init__(self):
-        config_filename = '/usr/local/etc/qfeeds.conf'
-        if os.path.isfile(config_filename):
+        if os.path.isfile(self.config_filename):
             cnf = ConfigParser()
-            cnf.read(config_filename)
+            cnf.read(self.config_filename)
             if cnf.has_section('api') and cnf.has_option('api', 'key'):
                 self.api_key = cnf.get('api', 'key').strip()
 
+            if self.conf_timestamp is None:
+                QFeedsConfig.conf_timestamp = os.stat(self.config_filename).st_mtime
+
+    @classmethod
+    def has_changed(cls):
+        return os.path.isfile(cls.config_filename) and cls.conf_timestamp != os.stat(cls.config_filename).st_mtime
+
 
 class Api:
     def __init__(self):
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
index 7973d59f4c..0fd72ce9b0 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
@@ -27,10 +27,13 @@
 """
 
 import argparse
+import fcntl
+import time
 import sys
 import ujson
 from requests.exceptions import HTTPError, Timeout
 from lib import QFeedsActions
+from lib.api import QFeedsConfig
 
 
 if __name__ == '__main__':
@@ -38,8 +41,20 @@
     parser.add_argument('--target_dir', default='/var/db/qfeeds-tables')
     parser.add_argument('-f', help='forced (auto index)' , default=False, action='store_true')
     parser.add_argument('-v', help='verbose output' , default=False, action='store_true')
+    parser.add_argument('-l', help='lock operation' , default=False, action='store_true')
     parser.add_argument("action", choices=QFeedsActions.list_actions(), nargs='*')
     args = parser.parse_args()
+
+    fhandle = None
+    if args.l:
+        lck_filename = '/tmp/qfeeds_prc.LCK'
+        fhandle = open(lck_filename, 'a+')
+        try:
+            fcntl.flock(fhandle, fcntl.LOCK_EX | fcntl.LOCK_NB)
+        except IOError:
+            print('already busy, exit')
+            sys.exit(0)
+
     if args.v:
         # verbose mode
         import http.client as http_client
@@ -51,6 +66,14 @@
                 print(msg)
     except HTTPError as exc:
         print('exit with HTTPError %d (%s)' % (exc.response.status_code, exc.response.text))
+        if exc.response.status_code == 401 and 'update' in args.action:
+            print('batch mode - wait for configuration update or timeout')
+            t_start = time.time()
+            while not QFeedsConfig.has_changed():
+                if time.time() - t_start > 3600:
+                    print('timeout waiting for config change')
+                    break
+                time.sleep(5)
         sys.exit(-1)
     except Timeout as exc:
         print('timeout reaching api endpoint')
@@ -61,3 +84,6 @@
     except ujson.JSONDecodeError:
         print("JSON decode error")
         sys.exit(-1)
+    finally:
+        if fhandle:
+            fcntl.flock(fhandle, fcntl.LOCK_UN)
diff --git a/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf b/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
index 9558b9c88a..44e332070c 100644
--- a/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
+++ b/security/q-feeds-connector/src/opnsense/service/conf/actions.d/actions_qfeeds.conf
@@ -6,7 +6,7 @@ message:reconfigure QFeeds
 errors:no
 
 [update]
-command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py update
+command:/usr/local/opnsense/scripts/qfeeds/qfeedsctl.py -l update
 parameters:
 type:script_output
 message:update QFeeds

From b9084be77b3bb7b0f03b3dc749d54abe4a29ce29 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 4 May 2026 18:20:26 +0200
Subject: [PATCH 3084/3088] security/q-feeds-connector:  ignore invalid json
 index file leading to instant exit of qfeedsctl.py

---
 .../src/opnsense/scripts/qfeeds/lib/__init__.py              | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
index ddc3023009..ce8a5bd673 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
@@ -63,7 +63,10 @@ def index(self):
             list(self.fetch_index())
         elif not os.path.exists(self.index_file):
             return {}
-        data = ujson.load(open(self.index_file)) or {}
+        try:
+            data = ujson.load(open(self.index_file)) or {}
+        except ujson.JSONDecodeError:
+            data = {}
         if type(data) is dict:
             for feed in data.get('feeds', []):
                 feed['local_filename'] = "%s/%s.txt" % (self._target_dir, feed['feed_type'])

From 4c9ec85b18e1c7cfb61ea269b063b7e058cf7744 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 May 2026 11:50:17 +0200
Subject: [PATCH 3085/3088] security/q-feeds-connector: prep for hotfix

---
 security/q-feeds-connector/Makefile                       | 2 +-
 security/q-feeds-connector/pkg-descr                      | 2 ++
 .../src/etc/inc/plugins.inc.d/qfeeds.inc                  | 8 ++++----
 .../src/opnsense/scripts/qfeeds/lib/api.py                | 3 ++-
 4 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/security/q-feeds-connector/Makefile b/security/q-feeds-connector/Makefile
index 31b975bcf9..ae86674ce6 100644
--- a/security/q-feeds-connector/Makefile
+++ b/security/q-feeds-connector/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		q-feeds-connector
 PLUGIN_VERSION=		1.5
-PLUGIN_REVISION=	2
+PLUGIN_REVISION=	3
 PLUGIN_COMMENT=		Connector for Q-Feeds threat intel
 PLUGIN_MAINTAINER=	devel@qfeeds.com
 PLUGIN_TIER=		2
diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 38fda7f4cb..3fcad47dd5 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -11,6 +11,8 @@ Plugin Changelog
 * Feature: Add dest address for unbound
 * Bugfix: Invalidate alias cache on reconfigure
 * Bugfix: Ignore "pass" log lines for `qfeedsctl.py logs`
+* Bugfix: Use proper configctl command option for flushing
+* Buffix: add optional locked mode in qfeedsctl.py for cron runners and wait for configfile changes when HTTP 401 is thrown
 
 1.4
 
diff --git a/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc b/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
index 0d70f598a1..381d2539c2 100644
--- a/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
+++ b/security/q-feeds-connector/src/etc/inc/plugins.inc.d/qfeeds.inc
@@ -28,8 +28,8 @@
 
 function qfeeds_cron()
 {
-    $jobs = [];
-    $jobs[]['autocron'] = ['/usr/local/sbin/configctl -d qfeeds update', '*/5'];
-    $jobs[]['autocron'] = ['/usr/local/sbin/configctl -d ! qfeeds stats', '*/15'];
-    return $jobs;
+    return [
+        ['autocron' => ['/usr/local/sbin/configctl -d qfeeds update', '*/5']],
+        ['autocron' => ['/usr/local/sbin/configctl -df qfeeds stats', '*/15']],
+    ];
 }
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
index c4285e8115..280c944679 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/api.py
@@ -23,6 +23,7 @@
     ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     POSSIBILITY OF SUCH DAMAGE.
 """
+
 import os
 import requests
 from configparser import ConfigParser
@@ -30,8 +31,8 @@
 
 class QFeedsConfig:
     config_filename = '/usr/local/etc/qfeeds.conf'
-    api_key = None
     conf_timestamp = None
+    api_key = None
 
     def __init__(self):
         if os.path.isfile(self.config_filename):

From e4375d20cce8ab7bd2d4524cccd90f3768289cd0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 5 May 2026 11:54:38 +0200
Subject: [PATCH 3086/3088] security/q-feeds-connector: finish release notes

---
 security/q-feeds-connector/pkg-descr | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/pkg-descr b/security/q-feeds-connector/pkg-descr
index 3fcad47dd5..44ceb64837 100644
--- a/security/q-feeds-connector/pkg-descr
+++ b/security/q-feeds-connector/pkg-descr
@@ -12,7 +12,8 @@ Plugin Changelog
 * Bugfix: Invalidate alias cache on reconfigure
 * Bugfix: Ignore "pass" log lines for `qfeedsctl.py logs`
 * Bugfix: Use proper configctl command option for flushing
-* Buffix: add optional locked mode in qfeedsctl.py for cron runners and wait for configfile changes when HTTP 401 is thrown
+* Bugfix: Add optional locked mode in qfeedsctl.py for cron runners and wait for configfile changes when HTTP 401 is thrown
+* Bugfix: Ignore invalid json index file leading to instant exit of qfeedsctl.py
 
 1.4
 

From 8ad516a76d236b99dd81064cf004a0c3d9a8eea6 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 8 May 2026 07:33:09 +0200
Subject: [PATCH 3087/3088] security/q-feeds-connector - add error message for
 https://github.com/opnsense/plugins/issues/5428

---
 .../q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
index 0fd72ce9b0..6b7962cc02 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/qfeedsctl.py
@@ -79,7 +79,7 @@
         print('timeout reaching api endpoint')
         sys.exit(-1)
     except IOError as e:
-        print("output filename locked or missing")
+        print("output filename locked or missing (%s)" % e)
         sys.exit(-1)
     except ujson.JSONDecodeError:
         print("JSON decode error")

From 7f87ba38467c3d0693964a4edeee79f68a5047e3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 8 May 2026 19:21:39 +0200
Subject: [PATCH 3088/3088] security/q-feeds-connector - use local file
 timestamp for feed updated_at, closes
 https://github.com/opnsense/plugins/issues/5415

---
 .../controllers/OPNsense/QFeeds/Api/SettingsController.php   | 2 +-
 .../src/opnsense/scripts/qfeeds/lib/__init__.py              | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
index 9368c524f1..62da53167e 100644
--- a/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
+++ b/security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
@@ -109,7 +109,7 @@ public function statsAction()
                 foreach ($stats['feeds'] as &$feed) {
                     if (isset($feeds[$feed['name']])) {
                         $tmp = $feeds[$feed['name']];
-                        $feed['updated_at'] = $tmp['updated_at'];
+                        $feed['updated_at'] = $tmp['local_updated'];
                         $feed['next_update'] = $tmp['next_update'];
                         $feed['licensed'] = $tmp['licensed'];
                     }
diff --git a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
index ce8a5bd673..9b87f66fcc 100755
--- a/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
+++ b/security/q-feeds-connector/src/opnsense/scripts/qfeeds/lib/__init__.py
@@ -27,7 +27,7 @@
 import subprocess
 import time
 import ujson
-from datetime import datetime
+from datetime import datetime, UTC
 from lib.api import Api
 from lib.log import PFLogCrawler
 from lib.file import LockedFile
@@ -72,6 +72,9 @@ def index(self):
                 feed['local_filename'] = "%s/%s.txt" % (self._target_dir, feed['feed_type'])
                 feed['updated_at_dt'] = datetime.fromisoformat(feed['updated_at']).timestamp()
                 feed['next_update_dt'] = datetime.fromisoformat(feed['next_update']).timestamp()
+                feed['local_updated'] = datetime.fromtimestamp(
+                    self._file_stat(feed['local_filename']), UTC
+                ).isoformat().replace("+00:00", "Z")
 
         return data